--- Day changed Thu Jan 01 2009
00:36 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
01:54 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
02:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:13 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
04:36 -!- gfather [n=g@77.241.65.48] has joined ##openvpn
04:36 < gfather> happy new yeaaaaaaaar :)
04:55 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
04:56 < mRCUTEO> happy new ya
05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
05:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit []
06:28 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
07:05 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection]
07:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:28 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:56 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
09:08 < ecrist> fwiw, the named.root file has been updated (newest revision is 12/12/2008) in which they've added an AAAA record for L.ROOT-SERVERS.NET.
09:23 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: Pagautas
09:24 -!- Netsplit over, joins: Pagautas
09:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
11:32 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
11:32 < Mahmoud> any freely available vpn setup that uses openvpn?
11:34 < Mahmoud> i recall one available, but can't get its correct name
11:38 < reiffert> "setup"?
11:38 < Mahmoud> a free vpn provider
11:39 < reiffert> "any freely available vpn a free vpn provider that uses openvpn"?
11:39 < reiffert> sorry, but I dont get you.
11:39 < Mahmoud> hmmmm
11:40 < Mahmoud> similar to free shared web hosting providers. there are some vpn providers
11:40 < Mahmoud> i want a vpn provider that uses openvpn's client to connect to it
11:40 < Mahmoud> there is one, pretty sure, but forgot its name
11:41 < reiffert> I have no idea which free shared web hosting provider offers vpn access.
11:41 < Mahmoud> aghh
11:41 < Mahmoud> this is not what i asked
11:41 < Mahmoud> what i want is only a free vpn provider (i don't care about websites)
11:57 < reiffert> still no idea
12:58 < ebf0> Mahmoud: I get you, but I dont know of any
13:04 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has joined ##openvpn
13:04 < Balzac21> Hi. I have openvpn going and I've set my iptables right so that all traffic is properly in nat. On my end (vista) it still won't tunnel properly and won't connect to the internet
13:27 -!- Balzac21 [n=hoebag@76-10-176-231.dsl.teksavvy.com] has quit [Connection timed out]
14:38 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
15:13 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
15:55 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
16:26 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
16:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:19 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
17:24 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
17:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
18:15 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
18:20 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."]
18:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
18:35 -!- gfather [n=g@77.241.65.48] has quit [Read error: 110 (Connection timed out)]
18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection]
18:55 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has joined ##openvpn
19:02 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:12 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
20:10 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
21:04 -!- solj [n=solj@layer9.ices.utexas.edu] has joined ##openvpn
21:04 < solj> !menu
21:04 < vpnHelper> solj: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
21:05 < solj> hi, i'm having some trouble with getting certain keys to work
21:06 < solj> i have some client keys working, but others that were generated the same way are not
21:06 < solj> i'm getting a generic TLS timeout message on the client
21:08 < krzie> !logs
21:08 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:08 < krzie> on one that doesnt work
21:14 < solj> krzie: k, i'll get back to you in a bit
21:14 -!- solj [n=solj@layer9.ices.utexas.edu] has left ##openvpn []
21:19 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
21:37 < krzie> lol
22:05 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
22:11 < tjz> any malaysian on streamyx?
22:12 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Remote closed the connection]
22:15 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:18 < Skiz> so I have a tunnel set up between my mac and a remote debian system running openvpn which I can connect to fine. My issue is the masquerading (I think..) I'm trying to set my default route so that all of my traffic is sent through the tunnel by default, but it seems that I can make connections to only the server itself and the nat doesnt work. http://pastie.org/private/thqkl7syh02xd3n7mpbyw is some configs and specs. Any ideas would be
22:26 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:29 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:29 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:32 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
22:33 < tjz> hey !!!
22:33 < mRCUTEO> hiya tjz
22:33 < mRCUTEO> hehe
22:33 < tjz> haha
22:33 < tjz> Happy new year
22:33 < tjz> :)
22:33 < mRCUTEO> happy new year to you too :D
22:35 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit]
22:45 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:47 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me.
22:47 < Skiz_> yet I'm still on irc :S
22:47 -!- Skiz_ is now known as Skiz
22:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:49 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
22:49 < Skiz_> so I changed my dns push to the same address as the vpn end tun0 ip, I have bind running, and I can now do lookups, but cannot connect to any (even though my default route is still my standard wifi here at the house. there is also now a 0/1 route with my tun0 gateway which bewilders me and everything starts getting dropped.
22:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out]
23:05 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)]
23:07 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
23:08 -!- ropetin_ is now known as ropetin
23:09 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
23:18 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, hiptobecubic, Skiz, bigjohnto, mepholic, smk, Solver, (+14 more, use /NETSPLIT to show all of them)
23:21 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more)
23:26 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: justdave, AndyML, Mahmoud, disco-, Skiz, mepholic, Solver, phlax, dogmeat, jabular, (+5 more, use /NETSPLIT to show all of them)
23:28 -!- Netsplit over, joins: Skiz, ropetin, Mahmoud, mepholic, troy-, justdave, phlax, imbezol, Solver, jpalmer (+5 more)
23:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:28 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
23:28 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has joined ##openvpn
23:28 -!- int [n=quassel@wikia/int] has joined ##openvpn
23:28 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
23:28 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has joined ##openvpn
23:28 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn
23:28 -!- thefish [n=thefish@unaffiliated/thefish] has joined ##openvpn
23:28 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn
23:31 -!- Mahmoud [n=foo@unaffiliated/mahmoud] has quit [Remote closed the connection]
23:34 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
23:39 < tjz> omg
23:39 < tjz> what happen
23:39 < dvl> a net split.
23:40 < tjz> hmm
23:40 < dvl> followed by a rejoin
23:40 < tjz> do you know why i can't auto join #openvpn ?
23:40 < tjz> under "perform"
23:40 < tjz> in irc client
23:40 < dvl> I don't even know what IRC client you are using.
23:41 < dvl> Normally, there is a field for channels you want to join.
23:49 < Skiz_> try it with 2 #'s
23:49 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
23:56 -!- Skiz_ [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 131 (Connection reset by peer)]
23:56 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has joined ##openvpn
--- Day changed Fri Jan 02 2009
00:10 < tjz> welcome back
00:10 < tjz> hehe
00:11 < tjz> let me try with 2 #'s
00:11 < tjz> brb
00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
00:11 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
00:11 < tjz> doesn't auto join to openvpn
00:26 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
00:27 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [Client Quit]
00:31 < krzee> tjz
00:32 < krzee> your client needs to auth to nickserv before joining
00:32 < krzee> mine can do that auto
00:32 < krzee> but im using xchat aqua for osx
00:41 -!- Skiz [n=Skiz@c-98-225-24-249.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
00:51 < tjz> i have auto auth setup under "option" > "perform" for my mirc
00:51 < tjz> :(
00:51 < tjz> it works for another irc network
00:51 < tjz> not this
00:51 < tjz> :(
00:51 < tjz> :)
01:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:29 < tjz> welcome
01:50 < ropetin> Hi-de-ho all
01:51 < krzee> tjz
01:51 < krzee> just cause it auto-auths doesnt mean it waits for the auth to be successful to join channels
01:51 < krzee> wassup rope
01:52 < ropetin> Meh, just trying to get motivated for work krzee, how're you?
01:53 < tjz> lol rope
01:53 < tjz> doesn't make sense..
01:53 < ropetin> tjz: what doesn't?
01:54 < tjz> i run the auth first before the auto join to openvpn channel
01:54 < ropetin> Which client?
01:54 < tjz> i am using mirc client
01:55 < ropetin> How're you doing the authentication? Do you have it configured in the server config or are you running it as a post connection command? (I may be confused, haven't used mIRC for long time)
01:57 < tjz> lol
01:57 < tjz> what i did is "/msg NickServ identify xxx"
01:57 < tjz> to auth
01:58 < tjz> under connect > option > perform
01:58 < tjz> when on connect
01:58 < tjz> hmm
01:58 < tjz> actually..
01:59 < tjz> not really important
01:59 < tjz> just ranting
01:59 < tjz> :P
01:59 < ropetin> Hehhe, ok
01:59 < ropetin> I'd recommend using irssi, works like a champ :D
02:06 < tjz> x_x
02:06 < tjz> <- on windows xp
02:18 < tjz> :P
02:20 < ropetin> Luckily they have a version for Windows :)
02:21 < ropetin> Nicely packaged in an .exe, right on the home page
02:29 < ropetin> Meh, Mutt is driving me nuts
02:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
03:01 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has joined ##openvpn
03:01 < DigitallyStoned> !route
03:01 < vpnHelper> DigitallyStoned: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
03:02 < DigitallyStoned> ok i have a weird problem with routing
03:02 < DigitallyStoned> is anyone decent at it?
03:03 < ropetin> Depends what the problem is :)
03:03 < DigitallyStoned> ok i have pfsense with openvpn setup
03:03 < DigitallyStoned> it connects fine
03:03 < DigitallyStoned> my default lan is on a 10.0.0.0/16 and my VPN is on a 10.0.2.0/26
03:04 < DigitallyStoned> i can ping 10.0.0.1 *default gateway* and hit the box, i can hit 10.0.0.2 and get its interface
03:04 < DigitallyStoned> 10.0.0.3 thru 10.0.0.255 i cannot see
03:04 < DigitallyStoned> i have a push "route 10.0.0.0 255.255.0.0" setup for my vpn config
03:04 < DigitallyStoned> dns and all works
03:04 < DigitallyStoned> just cant access via telnet or http any device above 3
03:05 < DigitallyStoned> really weird
03:05 < ropetin> You have forwarding set up on the vpn server?
03:06 < DigitallyStoned> when you say forwarding youre talking about the local lan pool correct right? for a remote vpn connection?
03:07 < ropetin> Well let me take step back, what OS is your vpn server?
03:07 < DigitallyStoned> its running on pfsense
03:07 < DigitallyStoned> so openbsd
03:07 < DigitallyStoned> and i have my default lan rules set for any
03:07 < DigitallyStoned> so any tcp/udp connection is accepted
03:07 < DigitallyStoned> i can ping both 10.0.0.1 and 10.0.0.2 via vpn
03:08 < ropetin> Hmmm, no experience with any bsd, but on Linux if I want to connect to something 'beyond' the VPN server I have to set an iptables masquerade rule to forward the traffic, as well as make sure ip forwarding is enabled
03:08 < DigitallyStoned> yeah thats all enabled on the box
03:08 < DigitallyStoned> nat rules are in place
03:09 < ropetin> .1 and .2 are interfaces on the server?
03:09 < DigitallyStoned> no
03:09 < DigitallyStoned> .1 is the server
03:09 < DigitallyStoned> .2 is a remote power boot device connected to the switch at .3
03:09 < DigitallyStoned> its a cisco switch
03:09 < ropetin> Weird then that you can get to that but nothing else
03:09 < DigitallyStoned> yeah thats what i thought
03:09 < DigitallyStoned> the route locally on this machine shows 10.0.0.0 network 255.255.0.0 using interface 10.0.2.5
03:09 < ropetin> Hmmm, only thing I can say is double check your netmasks are correct, other than that, I'm stumped
03:09 < DigitallyStoned> which is right
03:10 < ropetin> Well one thing, your netmasks overlap, correct?
03:10 < ropetin> Is that intentional?
03:10 < DigitallyStoned> do they?
03:10 < DigitallyStoned> oh shit youre right
03:11 < DigitallyStoned> shoulda been 10.2
03:11 < DigitallyStoned> crap
03:11 < DigitallyStoned> let me change that
03:11 < DigitallyStoned> hold 1
03:11 < ropetin> :D
03:11 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
03:12 < DigitallyStoned> haha
03:12 < DigitallyStoned> holy shit
03:12 < DigitallyStoned> my fault
03:12 < DigitallyStoned> i screwed that one up
03:12 < ropetin> It worked?
03:13 < DigitallyStoned> yeah
03:13 < DigitallyStoned> i screwed that u
03:13 < DigitallyStoned> up
03:13 < DigitallyStoned> 10.2.0.0 was supposed to be the net not 10.0.2.0
03:14 < ropetin> Excellent
03:14 < DigitallyStoned> heh
03:14 < DigitallyStoned> thanks for pointing that out else idda been scratching my head all day
03:15 < ropetin> NP, I'm good at catching the easy stuff :)
03:15 < DigitallyStoned> its what i get for playing halo 2 all the time
03:15 < DigitallyStoned> youd like the setup i made here though
03:16 < DigitallyStoned> i had like 100 cat5 cables running all over my house to a few different routers
03:16 < DigitallyStoned> now its all meshed
03:16 < DigitallyStoned> on an A channel
03:16 < ropetin> Just for fun?
03:16 < DigitallyStoned> no i finally integrated my hardware
03:16 < DigitallyStoned> i have 2 50mb circuits coming in
03:16 < DigitallyStoned> i used pfsense to multiwan them
03:17 < DigitallyStoned> i tried it on centos and it halfassed worked
03:17 < DigitallyStoned> pfsense is totally worth dedicating one old server to it
03:17 < ropetin> In your house?
03:17 < DigitallyStoned> yeah
03:17 < ropetin> You're either in Japan, Korea, or just really rich, right?
03:18 < DigitallyStoned> Alabama
03:18 < DigitallyStoned> and no not rich
03:19 < DigitallyStoned> can i set a secondary remote server in my ovpn file?
03:19 < ropetin> What service gives you 50mb? And what's the upstream rate like?
03:19 < ropetin> Secondary as a backup? Or just a second one?
03:19 < DigitallyStoned> as a backup
03:19 < DigitallyStoned> upstream is only 4mb
03:20 < ropetin> Never done that, but you have the option of multiple servers yes
03:21 < ropetin> But it will only connect to one at a time, unless you put them in their own config file
03:21 < DigitallyStoned> happen to know the syntax?
03:21 < DigitallyStoned> well i dont need more than 1
03:21 < DigitallyStoned> its the same server, just 2 different IPs
03:22 < ropetin> I think it's the same format, you just put them below each other. It tries the first, if that fails, it tries the second
03:22 < ropetin> !man
03:22 < vpnHelper> ropetin: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:23 < DigitallyStoned> blah ill have to figure out how to make openvpn bind to the 2nd interface on the server
03:25 < ropetin> :D
03:27 < DigitallyStoned> i think i just need to add the port to the opt1 interface
03:27 < DigitallyStoned> we will see
03:28 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
03:30 < DigitallyStoned> yep
03:30 < DigitallyStoned> thats all i have to do
03:30 < DigitallyStoned> sweet
03:33 -!- DigitallyStoned [i=digitall@191.sub-75-203-176.myvzw.com] has quit []
03:53 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
03:57 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:34 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce
04:34 < bsdbandit> can someone help me out
04:34 < reiffert> Moin!
04:44 < bsdbandit> what do you think it could be
04:44 < bsdbandit> ?
04:48 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has joined ##openvpn
04:48 < mRCUTEO> hey krzee u there ? :)
04:52 < krzee> hey
04:52 < krzee> moin reif
04:53 < krzee> !factoids search bsd
04:53 < vpnHelper> krzee: 'bsdnat', 'freebsd', 'fbsdbridge', and 'fbsdjail'
04:53 < bsdbandit> i have installed openvpn 2.0.9 on openbsd 4.4 and when trying to start openvpn it just hangs here is my log file http://pastebin.com/m3a4b1dce
04:53 < mRCUTEO> can you help me correct my english sentence just one :) . here it is:
04:53 < krzee> mRCUTEO, yes
04:53 < mRCUTEO> New students intake registration now until 8 January 2009
04:53 < krzee> bsdbandit,
04:53 < krzee> !configs
04:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:54 < bsdbandit> !configs
04:54 < vpnHelper> bsdbandit: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:54 < krzee> mRCUTEO, i need context, can you show me the surrounding text in pastebin?
04:54 < mRCUTEO> okay hold on
04:56 < mRCUTEO> its just 2 sentences actually
04:56 < mRCUTEO> an announcement
04:56 < mRCUTEO> http://pastebin.com/m4c8bca50
04:57 < mRCUTEO> the announcement looks a lil error
04:57 < mRCUTEO> fragment(consider revising) error in ms word
04:57 < krzee> New students may begin intake registration now until 8 January 2009.
04:57 < krzee> ya, you needed a helping verb
04:57 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 60 (Operation timed out)]
04:58 < mRCUTEO> aha thats sounds better
04:58 < mRCUTEO> :) thanks
04:58 < krzee> np =]
05:01 < mRCUTEO> New students begin intake registration now until 8 January 2009 ? Will this sounds okay too krzee?
05:02 < ropetin> mRCUTEO: are you trying to say that new students CAN begin registration between now and 8th, or WILL?
05:02 < krzee> in other words you want to get rid of the word may
05:03 < krzee> may is another word for can, and i believe one of them belong in the sentence for the reason ropetin is saying
05:03 < krzee> may is more formal, which is why i chose it
05:04 < mRCUTEO> im trying to say the new student intake registration day is today until 8th
05:04 < krzee> you are trying to say they can register between now and the 8th
05:05 < mRCUTEO> yes
05:05 < mRCUTEO> the new intake student
05:05 < mRCUTEO> can register now until 8th..
05:05 < mRCUTEO> New student intake registration begins now until 8 January 2009 <-- how about this one
05:05 < mRCUTEO> is the student in plural or singular
05:06 < krzee> if you dont want to use what i said, why ask me?
05:06 < krzee> singular in this tense
05:06 < mRCUTEO> no, u give me the ight word actually the word begin in the sentence
05:06 < mRCUTEO> *right
05:07 < mRCUTEO> but my sentence still jumble up
05:07 < reiffert> Register or die until Jan 8.
05:07 < mRCUTEO> :P
05:07 < krzee> New students must register between now and Jan 8
05:07 < krzee> is prolly more correct
05:07 < mRCUTEO> aha thats more like it
05:07 < reiffert> Dont register until Jan 8 and I have a nice time without you!
05:07 < mRCUTEO> yeah thats more simple
05:08 < mRCUTEO> New students must register between now and Jan 8 <-- this one better
05:08 < mRCUTEO> :)
05:08 < krzee> i like reif's
05:08 < mRCUTEO> thanks
05:08 < krzee> register or die
05:08 < krzee> lol
05:08 < mRCUTEO> :)
05:08 < reiffert> New students must register next door/floor, so I can bring my money home
05:08 < krzee> register by jan 8th or you will be a failure
05:08 < mRCUTEO> hehe
05:08 < reiffert> or fail
05:09 < krzee> epic fail for those who do not register by jan 8th
05:10 < mRCUTEO> english words are very tricky
05:10 < mRCUTEO> :)
05:10 < krzee> especially irc based
05:10 < krzee> haha
05:10 < mRCUTEO> haha :D
05:10 < krzee> irc has its own slang
05:11 < mRCUTEO> my oh my
05:11 < krzee> its lulz to say epid faily on irc
05:11 < krzee> epic fail
05:12 < krzee> if you say lulz or epic fail in real life, people will just look at you funny
05:12 < mRCUTEO> ehehe
05:12 < mRCUTEO> yeah very very tricky
05:12 * mRCUTEO dont even know how to speak fluent english in daily life
05:12 < mRCUTEO> lol..
05:13 < krzee> you do fine on irc
05:13 * mRCUTEO too much bilingual
05:13 < mRCUTEO> i speak mostly in chinese language and spanish.. so sometimes its hard to interpret it in english
05:13 < krzee> my spanish is getting much better
05:14 < mRCUTEO> oh good :)
05:14 < krzee> ive been in a spanish speaking country going on 2 yrs
05:14 < reiffert> buenas nodches
05:14 < reiffert> buenas tardes
05:14 < krzee> quiero nochos
05:14 < krzee> nachos
05:14 < reiffert> commo estas?
05:14 < mRCUTEO> my spanish is philippine spanish
05:14 < krzee> but they speak tagalog
05:14 < mRCUTEO> yes mix with spanish
05:14 < mRCUTEO> tagalog and spanish mixing
05:14 < krzee> sip sippin mo yun titiko
05:15 < krzee> i only know how to say it, not spell it
05:15 < mRCUTEO> you know how to speak tagalog too?
05:15 < krzee> a friend taught me that yrs ago
05:15 < krzee> nope
05:15 < krzee> thats all i know
05:15 < mRCUTEO> oh..
05:15 < mRCUTEO> :)
05:15 < krzee> did it seem right?
05:16 < krzee> all i know in german is plutz and moin
05:16 < mRCUTEO> it sounds like suloh
05:16 < mRCUTEO> *sulog
05:16 < krzee> oh and sitzen
05:16 < mRCUTEO> i dont know any german language hehe
05:16 < krzee> reif does
05:16 < mRCUTEO> but my language main is chinese
05:17 < reiffert> krzee: plutz?
05:17 < krzee> primary language
05:17 < krzee> plutz = lay down
05:17 < reiffert> krzee: platz
05:17 < krzee> my mom sometimes trains her dogs in german
05:17 < krzee> ahh
05:17 < reiffert> so your german neighbour got a dog?
05:17 < mRCUTEO> oh :)
05:17 < krzee> nope, its from mama
05:17 < krzee> she trains search and rescue dogs
05:17 < krzee> to find lost people
05:17 < mRCUTEO> :)
05:18 < reiffert> krzee: ah but why the german lang then?
05:18 < krzee> german commands are more harsh sounding
05:18 < mRCUTEO> your mum a german?
05:18 < krzee> plus nobody else giving commands to their dogs can confuse a new dog
05:18 < krzee> nope, mom is italian but from usa
05:18 < mRCUTEO> ic
05:18 < reiffert> A friend is lawyer, he's from czech republic. He's got a danish mastiff and all the boy knows is czech language....
05:19 < mRCUTEO> hehe
05:19 < krzee> i think my german neighbor is moving out =/
05:19 < krzee> which sucks cause hes cool
05:19 < mRCUTEO> :-)
05:20 < mRCUTEO> do you have chinese people living in your area?
05:20 < krzee> nope
05:20 < krzee> i seen like 5 asians the whole time i been here
05:20 < mRCUTEO> ic where they from?
05:20 < krzee> which sucks, i love asian women
05:20 < reiffert> I guess asian people are under 1% here.
05:20 < krzee> mRCUTEO, no idea, only saw them
05:21 < mRCUTEO> oh... 1% really in which area is that?
05:21 < krzee> under 1% here too
05:21 < krzee> caribbean
05:21 < mRCUTEO> ic
05:21 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
05:21 < reiffert> mRCUTEO: center of germany, mainz, next to frankfurt
05:22 * mRCUTEO checking google maps :D
05:22 < reiffert> http://maps.google.de/maps?f=q&hl=de&geocode=&q=mainz&sll=51.151786,10.415039&sspn=13.468074,28.300781&ie=UTF8&ll=50.035974,8.261719&spn=13.788082,28.300781&t=h&z=5
05:22 < vpnHelper> Title: Google Maps (at maps.google.de)
05:22 < mRCUTEO> aha
05:22 < mRCUTEO> :)
05:24 < mRCUTEO> very big city
05:24 < mRCUTEO> beautiful cities too..
05:25 < mRCUTEO> in my country i can only see trees, hills, small buildings, ruins and jungles..
05:25 < reiffert> I'm living countryside in a small village
05:25 < mRCUTEO> reiffert: u know where is borneo?
05:25 < reiffert> mRCUTEO: something with the apes?
05:26 < reiffert> next to Malaysia
05:26 < mRCUTEO> yes, just as i expected you're going to say that :)
05:26 < krzee> mRCUTEO, that sounds like a nice place
05:26 < mRCUTEO> thats my home
05:26 < mRCUTEO> i live here in borneo..
05:27 < mRCUTEO> and nobody will believe if i said i'm now online using a T-1 line on a tree house..
05:27 < mRCUTEO> :)
05:27 < krzee> hahahah
05:27 < reiffert> Ah, Borneo is the whole Island?
05:27 < mRCUTEO> ripleys believe it or not :)
05:27 < krzee> badass
05:27 < mRCUTEO> yes
05:27 < mRCUTEO> im in north borneo the most primitive among all the areas..
05:28 < mRCUTEO> you see anaconda, beast, giant spider,, crocodiles..
05:28 < reiffert> 16 inhabitants per square km
05:28 < mRCUTEO> but i get used to the environment already..
05:29 < mRCUTEO> tjz is my neighbour a sea away from borneo
05:30 < mRCUTEO> tjz from singapore which is more modernized country than borneo..
05:30 < mRCUTEO> borneo is primitive and wild..
05:31 < mRCUTEO> i wish i could go to europe someday... or USA maybe someday..
05:33 < mRCUTEO> most people thought that the natives in borneo are cannibals.. yes our ancestors are cannibal and our friends are some cannibals too but we still surfing the net using ADSL or T-1 line or DS3 from the tree house :D
05:34 < mRCUTEO> ripleys believe it or not :)
05:34 < krzee> ever tried human?
05:34 < krzee> i prolly would if it were being served in a place i was at and it was normal there
05:34 < krzee> im curious how it is
05:35 < mRCUTEO> human meat taste like chicken actually...
05:35 < mRCUTEO> if you cook it well it taste like roasted lamb
05:35 < krzee> ahh
05:35 < mRCUTEO> my friend cook his half-dead neighbour once.. and serve to us ..
05:36 < mRCUTEO> well in borneo there is one tradition here
05:36 < mRCUTEO> when they serve you human flesh you must consume it..
05:36 < mRCUTEO> otherwise you show unrespect to them ..
05:36 < krzee> ahh
05:36 < mRCUTEO> and they will cutthroat you..
05:37 < krzee> but what if they serve you chicken?
05:37 < mRCUTEO> well tell them i prefer KFC
05:37 < mRCUTEO> lol..
05:37 < mRCUTEO> and they will ask you buy them a barrel of roasted KFC
05:38 < mRCUTEO> ;lol..
05:38 < krzee> hahah
05:38 < mRCUTEO> nah.. things are different already around here.. :)
05:38 < mRCUTEO> mostly head hunters are working executive nowadays
05:38 < mRCUTEO> they cannibals and cutthroat stuff is now a legend in borneo :)
05:40 < mRCUTEO> only those who live deep in the trackless forest i think still do cannibals stuff
05:40 < mRCUTEO> i dunno, im a stranger in my own country really :P
05:52 < mRCUTEO> krzee: is your mother tongue is english ?
05:56 * mRCUTEO brb
05:56 -!- mRCUTEO [n=IRCLUNAT@118.101.177.69] has quit []
05:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn
06:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Read error: 60 (Operation timed out)]
08:12 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
09:33 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:46 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has joined ##openvpn
10:47 < ITguru> what can cause a client to keep dropping its connection, and restarting every 5 seconds
10:47 < ecrist> a bad network connection, a firewall not keeping 'state' on udp sessions.
10:50 * ITguru goes to check if it's udp ....
10:50 < ITguru> ecrist, no, it's tcp
10:50 < ecrist> !tcp
10:50 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:52 < ITguru> ecrist, about 50% of my clients are behind proxies/firewalls that prevent udp connections
10:56 < ITguru> and it is still working fine for other clients
10:58 < ecrist> so, just one client is having a problem?
11:01 < ITguru> yes - mine!
11:02 < ecrist> how many clients?
11:02 < ITguru> i've tried on three different computers, one linux, one mac, and one windows - the only thing they have in common is the wireless connection they use
11:03 < ITguru> and the connection keeps restarting on each platform
11:04 < ecrist> have you tried with the same computer on a different connection?
11:04 < ITguru> ecrist, no - i was just thinking that
11:04 < ecrist> I think you're running into the problem discussed in the link above.
11:06 < ITguru> i've used this connection for weeks, weird that it's just started
11:06 < ITguru> but I'll try to check from a different connection
11:31 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
11:32 < kim0> Hi .. I am an "openvpn client" to 2 different VPNs using openvpn same port 1194 .. it connects to one .. but the second says the port is busy !??!
11:32 < kim0> Why does a client need to open a server port
11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:37 -!- ITguru [n=ITguru@5ac10611.bb.sky.com] has quit [Read error: 110 (Connection timed out)]
11:41 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has joined ##openvpn
11:42 < itguru> how can i get an openvpn client session to output stuff to a log file, so I can find the reason for the disconnections?
11:43 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"]
11:44 -!- itguru [n=ITguru@5ad4bfc4.bb.sky.com] has quit [Remote closed the connection]
11:44 < kim0> itguru: openvpn --config file.con
11:57 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"]
12:32 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:00 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 104 (Connection reset by peer)]
15:03 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:04 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Client Quit]
15:05 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:06 < heemboi> can anyone help with iptables?
15:06 < krzee> !iptables
15:06 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> !linfw
15:07 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:07 < krzee> oh they are same, lol
15:08 -!- xattack [i=xattack@132.248.108.239] has quit []
15:11 < heemboi> I want only two ips on my internal network to access the vpn
15:12 < krzee> heemboi, the vpn is outside the LAN, right?
15:12 < heemboi> right
15:12 < krzee> theres an easier way
15:12 < krzee> just break routing
15:12 < krzee> connect a client from inside the LAN
15:12 < krzee> then do NOT add the route back to vpn to the router
15:12 < krzee> only to the other machine in the lan
15:12 < krzee> other than that, follow !route
15:12 < krzee> !route
15:12 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:13 < krzee> where we deviate from the plan there is the FINAL step: "adding routes outside of openvpn"
15:13 < heemboi> i don't want any clients configured to connect to the vpn
15:13 < krzee> you will choose not to add it to the default gateway, but to the individual machines, so the vpn cannot access any machine you did not give a route back to
15:13 < heemboi> im using a router as a client
15:13 < krzee> welp, have fun with iptables then
15:13 < krzee> heh
15:13 < krzee> bbl, getting food
15:13 < heemboi> lol
15:14 < heemboi> i know, i've read a fre docs
15:14 < heemboi> and my head is hurting
15:14 < heemboi> few*
15:15 < heemboi> im using this script
15:15 < heemboi> http://www.dd-wrt.com/wiki/index.php/VPNC
15:15 < vpnHelper> Title: VPNC - DD-WRT Wiki (at www.dd-wrt.com)
15:16 < heemboi> iptables -A FORWARD -o tun0 -j ACCEPT
15:16 < heemboi> iptables -A FORWARD -i tun0 -j ACCEPT
15:16 < heemboi> iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
15:16 < heemboi> is what i added
15:16 < heemboi> now all the clients can access the vpn
15:17 < heemboi> i only want two ips to access the vpn
15:17 < heemboi> i bet iptables can do it, i just cant figure it out :\
15:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:13 -!- heemboi [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
17:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
18:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
18:48 < mRCUTEO> hiya all
18:50 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
18:53 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
19:24 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Success]
19:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
20:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
20:35 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
20:36 -!- aia [n=aia@unaffiliated/aia] has quit [Client Quit]
20:37 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
20:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn
20:43 * tjz swim in
20:52 < tjz> !help http proxy
20:52 < vpnHelper> tjz:
Error: There is no command "http proxy". 20:52 < tjz> !help proxy 20:52 < vpnHelper> tjz: Error: There is no command "proxy". 20:52 < tjz> !proxy 20:52 < vpnHelper> tjz: Error: "proxy" is not a valid command. 20:52 < tjz> !http 20:52 < vpnHelper> tjz: Error: "http" is not a valid command. 20:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 20:57 < tjz> hmm 20:57 < tjz> i changed from udp to tcp for my openvpn 20:57 < tjz> trying to get http proxy to work 21:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 21:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 21:08 < tjz> to use http proxy, we will just change protocol from "udp" to "tcp" on both server & client 21:08 < tjz> anything else I need to add? 21:09 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 21:14 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Connection timed out] 21:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 21:21 < tjz> Hi rope~ 21:22 < ropetin> Evenin' 21:25 < tjz> Have you tried using openvpn w/ http proxy? 21:26 < ropetin> No, in fact I've actively avoided it. Are you having problems? 21:26 < tjz> i haven't tried configuring one before 21:26 < tjz> i went to change protocol from udp to tcp 21:26 < tjz> that is what i changed 21:27 < tjz> why do you avoid it? 21:29 < ropetin> Extra steps cause extra problems I guess 21:30 < tjz> x_x 21:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out] 22:21 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 22:49 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 23:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)] 23:13 < tjz> hey jeff --- Day changed Sat Jan 03 2009 00:03 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:28 -!- xs7 [n=xs7@84.255.141.67] has joined ##openvpn 02:29 < xs7> where to connect to use openvpn ? 
02:38 < tjz> openvpn.net 02:38 < tjz> get an openvpn gui 02:54 < xs7> I have openvpn installed but donno where is it in the menus ? 03:12 < tjz> openvpn gui? 03:23 -!- xs7 [n=xs7@84.255.141.67] has quit [Read error: 110 (Connection timed out)] 04:39 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has joined ##openvpn 04:53 -!- prxtien [n=pro@ppp121-45-145-36.lns11.adl6.internode.on.net] has quit ["Leaving"] 05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:10 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee, troy- 05:11 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 05:11 -!- Netsplit over, joins: troy- 05:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 05:45 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection] 05:52 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 06:17 -!- phlax [n=phlax@87-194-204-173.bethere.co.uk] has quit ["Leaving."] 06:23 -!- xs7 [n=xs7@77.69.132.211] has joined ##openvpn 06:25 < xs7> vpn , how ? I need to create a vpn connection. 06:26 < xs7> Fedora 10, need vpn to a free server. openvpn installed but donno how to access it !! 
06:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 07:12 -!- xs7 [n=xs7@77.69.132.211] has quit ["Leaving"] 09:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."] 09:47 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 10:53 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 11:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)] 11:34 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has joined ##openvpn 11:35 < mRCUTEO> !menu 11:35 < vpnHelper> mRCUTEO: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for 11:35 < mRCUTEO> :D 11:35 -!- mRCUTEO [n=IRCLUNAT@96.9.131.182] has quit [Client Quit] 12:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 12:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:48 -!- desrt [i=desrt@ubuntu/member/desrt] has left ##openvpn [] 14:14 -!- ikevin [n=kevin@ANancy-256-1-136-9.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 14:15 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has joined ##openvpn 15:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 16:49 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 
18:27 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 18:56 < reiffert> Moin 19:06 < krzie> moin 19:12 < reiffert> happy new year 19:15 < krzie> same to you 19:16 < reiffert> did hunting after presents for all of your girls work out? 19:16 < krzie> yup 19:16 < krzie> ogot them all my favc perfume/lotions 19:17 < krzie> got them all my fav perfume/lotions 19:17 < krzie> i figure theres a few benefits to that 19:17 < krzie> i cant forget who got what, and ill always smell the same no matter who im with 19:18 < reiffert> Allright, Lizzy s going to get Fannys perfume, Fanny's deserving Pam's lotion, Pam's going to get ... 19:18 < krzie> haha 19:18 < reiffert> hehe 19:18 < krzie> they all got victorias secret love spell 19:18 < reiffert> Hopefully they all love it "O) 19:18 < reiffert> :) 19:18 < krzie> hehe yup 19:18 < krzie> they should after they see what ill do to them when they wear it 19:18 < krzie> i LOVE that shit 19:19 < reiffert> hehe 19:21 < reiffert> I'm trunk, going to get some illuminations 19:21 < krzie> huh? 19:21 < reiffert> trunk -> bed 19:21 < reiffert> bed -> dreaming -> illumination 19:21 < krzie> ahhh 19:21 < reiffert> bed -> wakeup -> world domination 19:22 < krzie> hahah 19:22 < krzie> pinky and the brain style? 19:22 < reiffert> nahhh, more the insane way .. 19:23 < reiffert> inventing a wheel that everybody needs, saving me one cent per habitant 19:25 < krzie> ive always wondered why people say they dont want to re-invent the wheel 19:25 < krzie> the wheel has been re-invented many times 19:25 < krzie> improved upon and whatnot 19:28 < reiffert> profit doesnt sound too well for reinventing the wheel, does it? 19:29 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn 19:29 < cj> moo 19:29 < reiffert> bar 19:29 < reiffert> and goodnight 19:30 < cj> how do I tell openvpn to keep trying to establish connection when it fails? 
19:30 < cj> (windows, if that matters) 19:31 < cj> when the system starts, the wireless interface isn't reliable. it eventually comes up, but by then, openvpn has given up 19:32 < krzie> !man 19:32 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 19:32 < krzie> 1sec 19:32 < krzie> its something with retry in it 19:33 < reiffert> Set n to "infinite" to retry indefinitely. 19:33 < cj> thanks. I'll look through tfm, then 19:33 < krzie> --connect-retry n 19:33 < krzie> For --proto tcp-client, take n as the number of seconds to wait between connection retries (default=5). 19:33 < krzie> hopefully you arent using tcp tho 19:33 < krzie> By default, --resolv-retry infinite is enabled. You can disable by setting n=0. 19:33 < cj> no :) 19:33 < krzie> hopefully you didnt override that either 19:34 < krzie> you prolly want 19:35 < krzie> --persist-tun, --persist-key 19:35 < krzie> but it looks like for udp it should be retrying forever unless you overrode it 19:35 < krzie> !configs 19:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:36 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 19:37 < krzie> nite reif 19:38 < cj> krzie: it retries resolving the hostname, not establishing the link 19:38 < cj> but with no default route, it seems to not work 19:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)] 19:39 < krzie> !configs 19:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 
19:50 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn 19:50 < gleblanc> Howdy folks 19:50 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection] 19:51 < gleblanc> I've got the following trying to generate keys on my OpenVPN server 19:51 < gleblanc> http://geeks.pastebin.com/d2ea2d112 19:53 < gleblanc> I'm not sure where it's getting /usr/local/ssl/openssl.conf 19:53 < gleblanc> Nor what path it is that it's not finding 19:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 19:53 < krzie> you edited and loaded vars.bat right? 19:54 < krzie> looks like you're using unix scripts in windows 19:55 < gleblanc> Yes, I have 19:55 < gleblanc> They're .bat files 19:55 < gleblanc> Here's the contents of build-key 19:56 < gleblanc> http://geeks.pastebin.com/d6cc620f6 19:56 < gleblanc> If I do a wee bit of editing, I can do the following, which still seems not right 19:57 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>openssl req -days 3650 -nodes -new -keyout %KEY_DIR%\Athens.key -out %KEY_DIR%\Athens.csr -config %KEY_CONFIG% 19:57 < gleblanc> WARNING: can't open config file: /usr/local/ssl/openssl.cnf 19:57 < krzie> show me the contents of vars.bat 19:58 < gleblanc> http://geeks.pastebin.com/d7457fe92 19:58 < gleblanc> I changed some capitalization to make it easier to read 19:59 < krzie> type echo %KEY_CONFIG% 20:00 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %KEY_CONFIG% 20:00 < gleblanc> openssl.cnf 20:01 < krzie> weird 20:01 < krzie> echo %HOME% 20:02 < gleblanc> ooh, that's fuxed 20:02 < krzie> then check echo %ProgramFiles% 20:02 < gleblanc> P:\Program Files (x86)\OpenVPN\easy-rsa>echo %HOME% 20:02 < gleblanc> C:\Program Files\OpenVPN\easy-rsa 20:02 < gleblanc> I looked at it twice before, and just now caught it 20:02 < krzie> which is likely where your problem is 20:03 < krzie> so in vars.bat modify set HOME line 20:03 < gleblanc> Can I just hard-code it? 
20:04 < krzie> yup 20:04 < krzie> with ""'s 20:04 < krzie> to handle the spaces 20:04 < krzie> so like 20:04 < krzie> %ProgramFiles% 20:04 < krzie> err 20:04 < krzie> set HOME=%ProgramFiles%\OpenVPN\easy-rsa 20:04 < krzie> should be 20:04 < gleblanc> Don't need to double-escape the \ or anything? 20:04 < krzie> set HOME="P:\Program Files (x86)\OpenVPN\easy-rsa" 20:05 < krzie> does vars.bat currently escape the \'s? 20:05 < krzie> theres your answer for that... 20:06 < gleblanc> That doesn't cut the mustard, apparently 20:06 < krzie> works for me... 20:06 < gleblanc> Well, I still get the warning about being unable to locate /usr/local/ssl/openssl.conf 20:06 < krzie> C:\Documents and Settings\Administrator>set HOME="P:\Program Files (x86)\OpenVPN 20:06 < krzie> \easy-rsa" 20:06 < krzie> C:\Documents and Settings\Administrator>echo %HOME% 20:06 < krzie> "P:\Program Files (x86)\OpenVPN\easy-rsa" 20:07 < krzie> you re-ran vars.bat, right? 20:08 < krzie> then checked that %HOME% looks right? 
20:08 < gleblanc> yes 20:08 * gleblanc turns echo on 20:09 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 20:10 < gleblanc> Here's the command with echo on 20:10 < gleblanc> http://geeks.pastebin.com/d262fd81 20:11 < gleblanc> (sorry about the funky line-wraps, cmd.exe isn't very smart) 20:11 < krzie> ya 20:11 < krzie> just make KEY_CONFIG a full path 20:12 < gleblanc> I'd not mind, but it also says "unable to write 'random state'" 20:12 < krzie> its not reading your openssl.conf so everything after that is irrelevant for now 20:13 < gleblanc> ah 20:14 < gleblanc> http://geeks.pastebin.com/d3866d28e 20:14 < gleblanc> Still behaves the same 20:15 < krzie> paste me the contents of openssl.conf 20:20 < gleblanc> http://geeks.pastebin.com/d3cec0b04 20:21 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:28 < krzie> i dunno man 20:28 < krzie> you even caught me at a random lucky time im actually on a windows machine 20:29 < krzie> but i have no clue where its getting /usr/local/ssl/openssl.cnf from 20:29 < gleblanc> Hooray for Windows Smoking Crack! 20:30 < gleblanc> Thanks for your help, I'm sure I'll beat it in to submission eventually 20:30 < krzie> if you have a unix box handy you may have an easier time 20:30 < krzie> np 20:30 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn 20:31 < gleblanc> I might give it a try on a 32-bit windows box 20:32 < gleblanc> The linux box handy is so old I'm scared to change anything 20:39 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn 20:39 < RoFLKOPTr> Windows 7? 20:40 < RoFLKOPTr> it refuses to load the TAP driver due to "known incompatibilities" 20:40 < RoFLKOPTr> The only info I can find about the error says to get a driver that's compatible with my OS. 20:41 < RoFLKOPTr> anybody know of any registry hacks or anything that work in Vista that I could try in 7? 
20:47 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 20:47 < mepholic> guys 20:47 < mepholic> how do you get openvpn to work on windows 7 pre-beta 20:47 < mepholic> help plz 20:47 < mepholic> >:3 20:55 < RoFLKOPTr> mepholic i already asked 20:55 < RoFLKOPTr> way 2 b late 20:56 < mepholic> o 20:56 < RoFLKOPTr> late 21:06 < krzie> ive never even heard of windows 7 21:06 < krzie> you should prolly take that one to the mail list 21:06 < krzie> !mail 21:06 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 21:07 < dvl> !crl 21:07 < vpnHelper> dvl: Error: "crl" is not a valid command. 21:07 < dvl> vpnHelper: what good are ya? 21:07 < vpnHelper> dvl: Error: "what" is not a valid command. 21:08 < dvl> !revoke 21:08 < RoFLKOPTr> lol 21:08 < vpnHelper> dvl: Error: "revoke" is not a valid command. 21:09 < dvl> slow too... 21:14 < ropetin> Windows 7? People are already expecting software to work with a pre-release OS?! 21:15 < ropetin> Try the Vista directions I guess 21:15 < ropetin> Evnin' by the way 21:18 < RoFLKOPTr> Well... it's not like I'm coming in here bitching about the fact that it's not working. 21:18 < ropetin> :D 21:19 < ropetin> Which is good 21:19 < ropetin> Are you running Windows 7 as your primary OS? 21:20 < RoFLKOPTr> I understand that this is a pre-release OS, but so far, anything that's worked for Vista (drivers or otherwise) has worked perfectly in 7... and I think the TAP drivers would, too, if it weren't for 7 being all "drr i refuse to load this driver due to known incompatibilities" 21:20 < RoFLKOPTr> yes, I am... I know it's not the best idea, lol, but 7 broke my Vista installation when I was trying to install it on my other hard drive 21:20 < ropetin> Ahh, so they explicitly deny you from using the driver now, rather than giving you the option? 
21:21 < ropetin> Hehhe, ok 21:21 < RoFLKOPTr> only for the TAP driver 21:21 < RoFLKOPTr> for some reason 21:21 < ropetin> Mean MS! 21:21 < RoFLKOPTr> all other drivers gave me the option 21:21 < RoFLKOPTr> but this one refuses to load 21:21 < ropetin> That sucks 21:21 < RoFLKOPTr> yeah 21:21 * ropetin offers to loan RoFLKOPTr an Ubuntu CD... 21:21 < ropetin> ;) 21:22 < ropetin> I hear it works out of the box in Linux... 21:22 < RoFLKOPTr> >:[ 21:22 < RoFLKOPTr> lol 21:22 < ropetin> But I say that as I type away on my Windows laptop 21:23 < ropetin> (although I am SSHd into my Linux server, so that makes up for it) 21:23 * RoFLKOPTr h8 linux for home use 21:23 < RoFLKOPTr> Wine and Cedega suck 21:23 < RoFLKOPTr> and I'm a gamer 21:23 < ropetin> RoFLKOPTr: I guess it depends what 'home use' is 21:23 < RoFLKOPTr> so, no Linux on my computer 21:23 < RoFLKOPTr> lol 21:23 < RoFLKOPTr> yeah 21:23 < ropetin> Yeah, if you like PC gaming, Windows is the way to go 21:23 < RoFLKOPTr> I guess 21:24 < ropetin> If Microsoft ever release Flight Simulator for Linux I'd never use Windows again 21:24 < RoFLKOPTr> lmao 21:24 < RoFLKOPTr> which is why they will never do that 21:24 < ropetin> I'm only slightly into the game, but some of the people I've spoken to online are obsessed with it 21:25 < ropetin> Way worse than WoW players 21:25 < ropetin> It's scary sometimes 21:25 < RoFLKOPTr> lol 21:25 < RoFLKOPTr> I enjoy flight sims... don't see how they could be as obsessing as MMOs though... 
21:25 < ropetin> They spend $10,000 on insane spec PCs, 3 huge monitors, real flight controls, just so they can pretend to fly a plane 21:26 < RoFLKOPTr> I HAVE AN IDEA 21:26 < RoFLKOPTr> GO BUY A PLANE 21:26 < ropetin> :D 21:26 < RoFLKOPTr> for the amount of time and money they put into those huge rigs, they might as well 21:26 < ropetin> Well it would certainly buy a few lessons, that's for sure 21:26 < RoFLKOPTr> lol 21:28 < RoFLKOPTr> a private license usually costs about $30k after it's all said and done 21:28 < RoFLKOPTr> with all the hours of instruction and soloing 21:28 < RoFLKOPTr> and then money for tests and such 21:28 < ropetin> Not too bad then 21:29 < ropetin> Considering 21:29 < RoFLKOPTr> considering you can make a real career that pays a lot of money out of it 21:29 < RoFLKOPTr> lol 21:29 < ropetin> I'll get my check book 21:30 < ropetin> My understanding is most (all?) commercial pilots get their training in the military, it's the only way they can get enough flight hours in multi-engined jets 21:30 < RoFLKOPTr> though that $30k is for people who do it in 3 weeks and are flying for hours every day 21:31 < RoFLKOPTr> it costs an extra $10-20k if you only go for a few hours a week just because you don't get as much practice... ends up taking you longer to get a hold of it 21:31 < RoFLKOPTr> yeah, most commercial pilots came out of the military... free training on the best equipment in the world 21:31 < RoFLKOPTr> lol 21:32 < RoFLKOPTr> plus, if they've been flying military jets for a living for 10 years, that's all they know how to do anymore 21:35 < dvl> can the crl.pem file be empty? It seems not. 21:36 < ropetin> Nope, if you're using it, it needs something in it 21:37 < dvl> So you have to revoke something first. How odd. 21:48 < ecrist> dvl - yes and no 21:48 < krzee> just comment it out til you need something revoked 21:48 < krzee> kinda makes sense to me... 21:48 < ecrist> you can generate an empty file, but it has to be signed. 
21:49 < ecrist> ssl-admin should be able to do it for you, otherwise let me find the command. 21:49 < krzee> ahh, that i didnt know =] 21:49 < dvl> ecrist: hold, not that important. I can get away without it until I need to do it. 21:51 < ecrist> openssl ca -gencrl -out crl.pem -config openssl_config 21:51 < ecrist> and, it *is* in the latest version of ssl-admin. ;) 21:51 * ecrist is out for the night. 21:52 < ecrist> going to write how-to for Mac OS X HFS+ disk quotas 21:53 < krzee> gnite ecrist 21:54 < tjz> nite ecrist 21:56 < dvl> trying 21:58 < dvl> can't find my openssl_config 22:01 < dvl> installing /usr/ports/security/ssl-admin 22:02 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has joined ##openvpn 22:02 < apo> Hi \o 22:02 < apo> !route 22:02 < vpnHelper> apo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 22:11 * apo stares. I think I won't bother... 22:13 < krzee> vpns are advanced networking, you're expected to know some about networking and be willing to read docs to set one up 22:17 < apo> krzee: But I don't think I can tell my cheap router to change its routing tables ;) 22:18 < krzee> how many computers on the lan behind the cheap router? 22:19 < apo> 10 or so. But since I'm pretty much just playing around here, I'm too lazy to add the routes to every box. 22:19 < krzee> cool *shrug* 22:19 < apo> Indeed 22:19 < krzee> up to you 22:22 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 22:26 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"] 23:17 < ecrist> dvl - the openssl.cnf you used with easy-rsa 23:18 < mepholic> ok 23:18 < mepholic> this is bad 23:18 < mepholic> i've resorted to pen and paper to keep track of my vpn 23:19 < mepholic> anybody know of any good programs that you can easily make a map of a network with? 
23:19 < ecrist> dia on linux/bsd 23:19 < ecrist> omnigraffle for mac 23:20 < mepholic> forgot about dia 23:20 < mepholic> :< 23:20 < mepholic> thanks 23:22 < ecrist> np 23:24 < mepholic> ahahhaha 23:24 < mepholic> this is perfect 23:24 < mepholic> thanks 23:30 < ecrist> np 23:32 < cj> srsly --- Day changed Sun Jan 04 2009 00:06 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 00:25 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 01:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:09 -!- RoFLKOPTr [n=nnscript@c-76-102-188-76.hsd1.ca.comcast.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 02:58 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 03:25 -!- apo [n=apo@pD9E7F2AC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 04:23 -!- mRCUTEO [n=info@124.82.101.32] has joined ##openvpn 04:24 -!- mRCUTEO [n=info@124.82.101.32] has quit [Client Quit] 04:25 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn 04:28 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit] 04:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 05:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 05:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 05:48 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 07:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 08:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:51 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. 
X_X"] 09:31 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Remote closed the connection] 09:42 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has joined ##openvpn 09:42 < tjz> any reason why we should change from "tun" to "tap"? 09:43 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 09:44 < smerz> Can i throw a stupid question out there: Is a dual core 2ghz cpu with 2 gb ram sufficient to move 100mbps? 09:48 < reiffert> The stupid answer is: maybe. 09:49 < smerz> :D 09:50 < smerz> if anyone has plenty of users on their openvpn server and would like to share cpu/mem usage compared to network throughput i'd appreciate it 09:50 < reiffert> plenty? 09:51 < smerz> well 09:51 < smerz> make it 10 for a small sized server and 400 for a big one 09:52 < smerz> im really just looking for hardware spec that can handle 100mb/s 09:52 < reiffert> Sounds interesting, I hope someone on that channel runs such a setup 09:53 < reiffert> You can try the mailing list as well 09:54 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 09:55 < smerz> i dropped a message out there already. i got a small detail mixed up :-) but hopefully someone can help me out yeh 10:25 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 10:28 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 10:42 < gleblanc> Can anybody build-key using 2.1rc15 on Windows? 
10:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:45 < gleblanc> I can't get it to run properly, on any machine I've tried so far 10:49 < smerz> hmm it works sweet on linux 10:54 -!- smerz [n=daniel@smerz.demon.nl] has quit ["good night folks"] 10:55 < gleblanc> It complains that it can't find /usr/local/ssl/openssl.cnf 10:56 < gleblanc> Actually, it does that on any build-* script 11:20 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 11:40 -!- tjz [n=tjz@bb116-15-93-7.singnet.com.sg] has quit ["GG. X_X"] 12:00 < gleblanc> How about this error? 12:01 < gleblanc> 4088:error:0200107B:system library:fopen:Unknown error:.\crypto\bio\bss_file.c:1 12:01 < gleblanc> 26:fopen('"c:\Program Files\OpenVPN\easy-rsa\openssl.cnf"','rb') 12:29 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn 12:47 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)] 13:23 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)] 13:45 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit ["Caught sigterm, terminating..."] 13:50 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: mcp, cj, justdave, AndyML, disco-, hiptobecubic, pa, smk, Typone, Solver, (+14 more, use /NETSPLIT to show all of them) 13:52 -!- Netsplit over, joins: Determinist, roentgen, krzee, cj, ikevin, pa, troy-, smk, dvl, int (+14 more) 14:05 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection] 14:41 -!- Irssi: ##openvpn: Total of 39 nicks [0 ops, 0 halfops, 0 voices, 39 normal] 15:17 < mepholic> Is there a way I could do sort of like 15:17 < mepholic> eh 15:18 < mepholic> meshed routing with openvpn? 
15:18 < mepholic> kind of complex 15:18 < mepholic> but so like 15:19 < mepholic> traffic in the vpn is peer to peer instead of going through the vpn server 15:19 < mepholic> so all the vpn server really does is sits there and kind of 15:19 < mepholic> holds everything together 15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:34 -!- zigovr3 [n=zig@sju13-4-88-161-83-90.fbx.proxad.net] has quit ["Client exiting"] 15:40 < Tykling> you'll need a tunnel between the peers that should talk directly to each other, I have a fully meshed openvpn net but it requires everyone to have tunnels to everyone else, and so there are as many vpn servers as there are peers 16:05 -!- gleblanc [n=chatzill@75.108.33.75] has joined ##openvpn 16:09 -!- gleblanc_ [n=chatzill@75.108.33.75] has joined ##openvpn 16:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:27 -!- gleblanc [n=chatzill@75.108.33.75] has quit [Read error: 110 (Connection timed out)] 16:32 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Read error: 110 (Connection timed out)] 16:33 < mepholic> oh god lol 16:47 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 110 (Connection timed out)] 16:53 -!- hiptobecubic is now known as hiptobobcubic 16:55 -!- hiptobobcubic is now known as hiptobecubic 17:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:31 -!- gleblanc_ [n=chatzill@75.108.33.75] has quit [Read error: 104 (Connection reset by peer)] 18:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 19:10 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 19:13 < krzie> !tcp 19:13 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:33 < hiptobecubic> mepholic, why? 
19:35 < mepholic> hiptobecubic, lets say 19:35 < mepholic> we have some users that are in michigan 19:35 < mepholic> and some users that are in brazil 19:35 < mepholic> and some users that are in germany 19:35 < krzie> i missed the orig question 19:35 < mepholic> the vpn server is in chicago 19:36 < mepholic> germany to chicago to brazil isnt very practical 19:36 < hiptobecubic> mepholic, ah. 19:36 < mepholic> or brazil to chicago and back to brazil 19:36 < krzie> the best thing for that i can think of is to have a server in each location, and link them together to make 1 seemless vpn 19:36 < mepholic> thats about 500ms 19:36 < hiptobecubic> krzee, ++ 19:36 < hiptobecubic> krzie, 19:37 < krzie> (im both) 19:37 < mepholic> krzie, i'm getting an EU server soon 19:37 < mepholic> the ping between the eu server and the chicago server is like 19:37 < mepholic> 80ms i think 19:37 < mepholic> so nice and fast 19:38 < krzie> wow, thats amazing pin for intercontinental 19:38 < krzie> ping 19:38 < mepholic> yeah 19:45 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 20:14 < mepholic> ok, one of my users just formatted his computer and lost his key 20:15 < mepholic> i should revoke that certificate, correct? 20:15 < mepholic> also, can i use the same common name again? 
20:16 < krzie> if it wasnt compromised you dont need to revoke
20:17 < krzie> and yes you can reuse the cn
20:18 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has joined ##openvpn
20:18 < RoFLKOPTr> why hello thar
20:19 < RoFLKOPTr> just thought I'd let you guys know that the problems I was having with Windows 7 were due to my idiocy
20:19 < mepholic> lol'd
20:19 < RoFLKOPTr> I was trying to install the old (like, 1.x something) beta GUI from that third-party site
20:19 < mepholic> ok RoFLKOPTr we're good
20:19 < RoFLKOPTr> so it had V8 TAP drivers instead of V9
20:20 < mepholic> use the same cn
20:20 < RoFLKOPTr> k
20:21 < RoFLKOPTr> anyways, if anybody else comes in here asking about a "This version of OpenVPN does not work with Windows." error from the beta installer, tell them to run it as admin and in compatibility mode for Vista.
20:32 < krzie> ahh thx
20:33 < RoFLKOPTr> lol
20:55 -!- Inside [n=nowhere@unaffiliated/inside] has joined ##openvpn
20:55 -!- Inside [n=nowhere@unaffiliated/inside] has left ##openvpn []
21:03 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
21:05 < Jason404> if there is no Vista support Windows 7?
21:07 < RoFLKOPTr> o wait
21:07 < Jason404> no, Windows Server 2008
21:07 < RoFLKOPTr> 2008 server
21:07 < RoFLKOPTr> yeah
21:07 < RoFLKOPTr> k
21:08 < Jason404> i suppose if it works on Vista, it will work on 2008?
21:08 < Jason404> like drivers
21:08 < RoFLKOPTr> well, I'm using 2.1rc15 on Windows 7... just had to run the installer in compatibility mode for Vista
21:08 < RoFLKOPTr> so
21:08 < Jason404> same new TCP/IP stack etc
21:08 < RoFLKOPTr> theoretically, it should work on 2008 the same way
21:09 < Jason404> ah cool. thanks RoFLKOPTr
21:09 < Jason404> is that RC15 very stable?
21:09 < Jason404> any idea when final comes out?
21:09 < RoFLKOPTr> well... I've only been using it today, lol. Haven't really put it through anything rigorous
21:09 < RoFLKOPTr> but it's working so far
21:09 < Jason404> ok
21:09 < RoFLKOPTr> and nobody I know of has had any issues
21:11 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
21:26 < krzie> AW_BOT exit
21:26 < krzie> !exit
21:26 < vpnHelper> krzie: Error: "exit" is not a valid command.
21:35 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
21:39 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
21:56 < krzie> !sample
21:56 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:56 < krzie> ok...
21:58 < onats> hello
21:58 < onats> happy new year
22:03 -!- RoFLKOPTr [n=RoFLKOPT@c-76-102-188-76.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:27 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has joined ##openvpn
22:27 < lzhang> hello
22:27 < lzhang> right now my vpn is connecting via 2 interfaces, I just need it to connect on tun0
22:28 < lzhang> I don't have much knowledge of networking, can someone give me a hint on how to disable vpn on one of the interfaces?
22:48 < lzhang> nvm I got it working thanks guys
22:48 -!- lzhang [n=lzhang@rrcs-67-78-33-170.sw.biz.rr.com] has left ##openvpn []
--- Day changed Mon Jan 05 2009
00:13 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:27 < reiffert> snow. tons of snow.
02:50 < mepholic> Mon Jan 05 02:52:53 2009 us=234000 Cannot load certificate file xt0rt.crt: error:0906B06B:PEM routines:PEM_get_EVP_CIPHER_INFO:not proc type: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
02:50 < mepholic> uh what
02:50 < mepholic> this is windows btw
02:52 < krzee> !configs
02:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:52 < mepholic> this same config has worked with 12 other clients
02:53 < krzee> check time/date on both machines
02:53 < mepholic> why ._.
02:55 < mepholic> -xt0rt- TIME Mon Jan 05 02:57:50
02:55 < mepholic> Mon Jan 5 02:55:01 CST 2009
02:55 < mepholic> him vs server time
02:55 < mepholic> its not like this is kerberos
02:55 < mepholic> :<
02:55 < krzee> time matters
02:55 < mepholic> how much?
02:55 < mepholic> also, wh
02:55 < mepholic> y
02:56 < krzee> im watching a movie
02:56 < krzee> google that
02:56 < krzee> !configs
02:56 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:56 < krzee> bbl, will check back to see the configs
03:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 -!- xs7 [n=xs7@84.255.188.196] has joined ##openvpn
03:20 < xs7> I installed openvpn, but dunno if there is any GUI for it? where?
03:21 -!- krzee is now known as AW_BOT
03:24 -!- AW_BOT is now known as krzee
03:26 < reiffert> :)
03:29 < simplechat> xs7, there is
03:29 < xs7> simplechat: cannot find it in KDE
03:29 < krzee> xs7, what do you want from an openvpn gui?
03:29 < simplechat> its probably not in kde
03:30 < xs7> let me explain, I need to get around my ISP who blocks some of the sites for political and religious reasons
03:30 < krzee> and how would a gui help that?
03:30 < xs7> so I need a vpn connection to somewhere where I can browse the web !!
03:31 < xs7> krzee: how would I activate the vpn and use it anyway?
03:31 < krzee> well, if you wanted a single click solution...
03:32 < krzee> you could make a shell script which simply is a 1 liner that runs openvpn
03:32 < krzee> then make it a clickable script
03:32 < krzee> and put it on the desktop
03:32 < krzee> you click it, vpn starts, close the window, it closes
03:32 < krzee> since thats all a gui could do, it led me to ask exactly what you would want from a gui
03:32 < krzee> thats what i do in osx even tho there IS a gui available
03:32 < krzee> using the gui just never made sense to me
03:33  * krzee heads back to the movie
03:35 < xs7> krzee: I need a clickable solution as you said to make it easy for me
03:35 < krzee> welp, thats how
03:36 < xs7> krzee: how would I use vpn for certain activities ie accessing the web without making it active and directed to certain vpn server
03:36 < krzee> you lost me at: "without making it active and directed to certain vpn server"
03:37 < xs7> krzee: how can I start using vpn?
03:37 < krzee> are you saying "how do i run openvpn?"
03:37 < xs7> krzee: yes
03:37 < krzee> wow
03:37 < krzee> read the docs
03:37 < krzee> !howto
03:38 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:38 < krzee> !sample
03:38 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:38 < krzee> !def1
03:38 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:38 < krzee> !nat
03:38 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
03:38 < krzee> thats everything you need to know
03:38 < krzee> if you do the reading
03:41 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
03:43 < reiffert> I'd start using the howto.
03:43 < krzee> i agree
03:43 < krzee> use the order i provided
03:43 < krzee> the order was no accident
03:46 < reiffert> .oO Howto looks too complicated, I use the next link
03:47 < krzee> lol
03:47 < krzee> reiffert, the people who say that might as well go do something else... vpns are advanced networking
03:48 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
03:48 < krzee> but ya, sadly thats so common
03:48 < kaii> nice topic, hehe :)
03:49 < reiffert> krzee: Windows got some nice one click solutions ...
03:49 < Jason404> would openvpn make connections like RDP any slower, compared to direct connection?
03:49 < krzee> yes
03:49 < krzee> but not from openvpn
03:49 < krzee> from the fact you're on the inet
03:49 < Jason404> ??
03:49 < krzee> vs direct connection
03:50 < Jason404> i meant direct as in without vpn, with RDP port forwarded
03:50 < kaii> shortly after a "TLS: soft reset" (which is re-keying, happening every hour per connection) i get the "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)"
03:50 < Jason404> i did not mean direct as in LAN kreg
03:50 < Jason404> oops krzee
03:51 < reiffert> krzee: well actually the one click windows solution worked so well, it made me switch to openvpn :)
03:51 < krzee> well no, it wont be much different then
03:51 < Jason404> Hamachi?
03:51 < krzee> reiffert, lol
03:51 < Jason404> really, same speed??
03:51 < Jason404> cool
03:51 < krzee> reiffert, i click a shell script, it runs in a window
03:51 < krzee> i close the window, closes the connection
03:51 < krzee> how much more 1 click does it get?
03:52 < krzee> i forget exactly how to make the clickable script in X, but in osX you just name the script .command
03:52 < krzee> like openvpn.comman
03:52 < krzee> d
03:52 < reiffert> krzee: it's the 3 million clicks before it starts running
03:53 < reiffert> krzee: not for me, but it looks so for the guy who was asking
03:54 < krzee> werd
03:54 < krzee> to me its just like..
03:54 < krzee> a gui to start and stop a program
03:54 < krzee> bleh
03:54 < reiffert> same here, copy config from host a to b, adjust a line, done
03:54 < krzee> gui should be for stuff where you need options, no?
03:54 < krzee> like what would you even make that gui look like?
03:55 < krzee> design the look for that one, lol
03:55 < reiffert> krzee: look, I totally agree with your position. I run fvwm2 with no clickable icon on the screen.
03:55 < krzee> yup, my only box running X runs hackedbox
03:55 < krzee> the lightest X i could find
03:55 < krzee> with just 2 terminal windows and some stats
03:56 < reiffert> I stopped somewhere between comfortable and fast, twm has had chances .. years ago.
03:57 < reiffert> Someone told me to have a look at Ion ..
03:57 < krzee> dunno what that is but if its cool tell me about it sometime
03:57 < krzee> im headed back to my movie
03:57 < krzee> bluerayrips for the win
04:00 < reiffert> some porn I guess :)
04:03 < reiffert> Ah, Fbsd 7.1 came out tonight .. so unixporn on blueray
04:04 < krzee> ooo
04:04 < krzee> ill hafta update the box after watching mission impossible 2
04:04 < krzee> (sorry, not porn)
04:04 < krzee> im only still here cause i had to get a link for someone
04:04 < krzee> http://best.online.docus.googlepages.com/
04:04 < vpnHelper> Title: best.online.docus - Best Online Documentaries (at best.online.docus.googlepages.com)
04:04 < krzee> you may like it to
04:04 < krzee> too
04:05 < krzee> grabbed it for him for this:
04:05 < krzee> [06:05] technology - other - missing secrets of Nikola Tesla
04:06 < reiffert> Last one I saw was "bbc - planet earth"
04:06 < krzee> LOVE THAT
04:06 < krzee> i have that HDrip here
04:06 < krzee> RULES
04:06 < krzee> shit im still here
04:07 < reiffert> Ow, online!
04:07  * krzee puts down the laptop
04:08 < reiffert> good luck :)
04:18 -!- xs7 [n=xs7@84.255.188.196] has quit ["Leaving"]
04:31 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
04:37 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has joined ##openvpn
04:38 < stefanlsd> Hi. Would anyone be able to point me in the right direction with openssl. I have followed the openvpn howto from the wiki. The certificates were valid for 365 days, and I would like to renew them. The command I have requires the CA's private key (.pem) - which I dont seem to have (although i must somewhere) - any ideas?
04:53 < reiffert> The ca private key is named ca.key
04:54 < kaii> stefanlsd: there is no way to re-sign (re-new) your certificates without the CA's private key (ca.key)
04:54 < reiffert> When referring to the howto, did you mean
04:54 < reiffert> !howto
04:54 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:54 < reiffert> ?
04:54 < kaii> stefanlsd: the only other option is to create a new CA and new keys/certificates for your clients (a complete new set)
04:55 < stefanlsd> reiffert: yeah. i was using that howto to gen the keys the first time.
04:55 < stefanlsd> reiffert, kaii - i do have the ca.key file...
04:55 < stefanlsd> im using this command to try to renew
04:56 < stefanlsd> openssl ca -extensions client_cert -cert ca.key -keyfile server.key -out server.crt -days 365 -infiles server.csr
04:56 < stefanlsd> i did gen a new csr
04:57 < kaii> you dont need -keyfile server.key if you already have a CSR
04:59 < stefanlsd> kaii: aah. k. thanks. seems to be working better now. if i can just remember the passphrase i'll be set
05:02 < reiffert> Try the empty password.
05:03 < stefanlsd> Enter pass phrase for ./demoCA/private/cakey.pem:
05:03 < stefanlsd> 3349:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:849:You must type in 4 to 8191 characters
05:03 < stefanlsd> is this asking for the right key?
05:03 < stefanlsd> this isnt my pem im guessing... (or does openssl just use this one by default)?
05:03 < reiffert> have a look into your openssl.cnf file
05:06 < stefanlsd> reiffert: yeah. openssl.cnf points there... isnt ca.key the private key it should be using?
05:07 < reiffert> I'd hand the openssl.cnf file to the openssl command. The openssl.cnf file that you were using when following the howto.
05:09 < stefanlsd> yeah. i think i just ran ./build-ca (i suspect it would have used /etc/openssl.cnf)
05:10 < stefanlsd> reiffert: ooh. that uses pkitool which uses the openssl.cnf in the easy-rsa dir
05:27 < stefanlsd> last one - :Expecting: TRUSTED CERTIFICATE. failing this, im just gonna redo it. hopefully with some more understanding of what im doing
05:44 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
06:01 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
06:04 -!- mepholic [n=mepholic@209.17.190.90] has quit [Read error: 60 (Operation timed out)]
06:09 < krzee> !learn ask as http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
06:09 < vpnHelper> krzee: Joo got it.
06:10 < reiffert> krzee: short night eh? :p
06:10 < krzee> haha
06:10 < krzee> just finished tonights movie
06:10 < krzee> gunna passout soon since its 8am
06:10 < krzee> hows the snow treatin ya?
06:11 < reiffert> http://www.taunus.info/de/neues/webcam/
06:11 < vpnHelper> Title: www.taunus.info: Webcam (at www.taunus.info)
06:11 < reiffert> Press Zoom
06:11 < krzee> damn
06:11 < krzee> serious snow
06:11 < krzee> go out ans wave to the cam
06:12 < krzee> s/ans/and/
06:13 < reiffert> That webcam's sitting on the highest mountain around ... love to ride my bike there in summer
06:14 < reiffert> still looking for a webcam next to me
06:15 < reiffert> http://biebrich.fuhs.de/rheincam.shtml
06:15 < vpnHelper> Title: Biebrich am Rhein - RheinCam Webcam - Foto-CD Reihe von Howard Fuhs (at biebrich.fuhs.de)
06:15 < reiffert> http://www.hr-online.de/website/fernsehen/sendungen/webcam_popup.jsp?number=3
06:16 < vpnHelper> Title: hr-online: Webcam (at www.hr-online.de)
06:32 < stefanlsd> i gave up btw. just redid the keys
06:32 < krzee> you use *nix stefanlsd ?
06:32 < stefanlsd> krzee: yeah
06:32 < krzee> check out ssl-admin and you should be able to avoid that in the future
06:33 < krzee> !ssl-admin
06:33 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
06:33 < krzee> it may be in gentoo now too
06:33 < krzee> it was submitted awhile back to portage
06:34 < stefanlsd> krzee: mm. using ubuntu. dont see it in my repo. i can probably work on getting it into universe if u like...
06:34 < krzee> check it out from svn
06:35 < krzee> if it works good, that would be cool
06:35 < stefanlsd> yeah. option 6 is exactly what i wanted :)
06:35 < krzee> if it does not, let me know
06:35 < stefanlsd> krzee: kk. thanks. will check it out
06:35 < krzee> i did the porting of the install to linux, i did a crappy job (used a ./configure script instead of a proper Makefile) but it should work nicely
06:36 < krzee> right on =]
06:36 < krzee> oh and if im not here let ecrist know, hes the real author
06:37 < krzee> we both use freebsd but i like his tool so much i figured it would be cool to wrap up an install for the linux folks
06:37 < krzee> since theres more of you guys and all ;)
06:37 < reiffert> any webcam from your place around?
06:37 < krzee> reiffert, nah man im just glad theres actually internet here
06:37 < krzee> but its a sunny morning
06:37 < reiffert> stefanlsd: so some debian maintainer has to catch it first so it finally makes it into ubuntu, eh? :p
06:38 < reiffert> krzee: gimme a google maps of your place
06:38 < krzee> oh i didnt catch your spoof, you're a member of the ubuntu team
06:38 < krzee> coolness
06:38 < krzee> google hasnt mapped my area
06:38 < krzee> at all
06:38 < stefanlsd> reiffert: heh. we could get it into ubuntu first via revu.ubuntuwire.com
06:39 < stefanlsd> but actually yeah, preferred is it goes into debian first
06:39 < reiffert> krzee: just do it
06:39 < krzee> do what? map out the island for google?
06:40 < reiffert> yeah
06:40 < krzee> hah
06:40 < reiffert> So I can fetch a webcam for myself then
06:40 < krzee> if you have skype i can put my cam out the window for ya
06:40 < krzee> but ill hafta put on pants first
06:41 < krzee> bleh, after a reboot that is
06:41 < krzee> my macbook likes to pretend it doesnt have a webcam anymore
06:41 < reiffert> no skype around
06:42 < krzee> convince me sometime that isnt 9am and ill use my sony cam to vid outside for ya
06:42 < krzee> and avi it up
06:42 < reiffert> :)
06:42 < krzee> 9am + no sleep = not getting up for that
06:42 < reiffert> I guess any day will do for your weather, eh?
06:42 < krzee> basically
06:42 < krzee> this is tourist season
06:42 < krzee> middle of summer is known to have some hurricanes
06:43 < krzee> but from now til like late march is sweet
06:43 < reiffert> Ah, that sounds more like smth for me
06:43 < krzee> in feb im heading down to brazil / peru... it'll be the middle of summer there
06:43 < krzee> one day ill be a seasonal bum
06:43 < krzee> moving with the summer
06:44 < krzee> (maybe not bum, but yanno what i mean)
06:45 < reiffert> crazy man
06:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:51 < krzee> !random
06:51 < vpnHelper> krzee: "tcp": Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html; "tls-verify": seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600; "iporder": OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-
06:51 < vpnHelper> krzee: connect script generated file for static IP (first choice).
06:52 < krzee> heh random is going 2 at a time
06:52 < krzee> my bot takes after me ;]
06:52 < krzee> !ask
06:52 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
06:55 < krzee> (stealing that factoid for a new bot i made for another channel)
06:56 < krzee> !search bsd
06:56 < vpnHelper> krzee: There were no matching configuration variables.
07:02 < krzee> !factoids search --regexp m/^bsd/
07:02 < vpnHelper> krzee: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
07:02 < krzee> hehe cool
07:12 < ecrist> good morning, folks
07:12 < krzee> mornin ecrist
07:12 < krzee> stefanlsd is checking out ssl-admin and if it loads up fine on his ubuntu hes gunna submit it to their package system
07:12 < ecrist> sweet
07:13 < krzee> yup
07:13 < krzee> seems had he been using it from the start he could have avoided the problem he ran into (option 6)
07:19 < ecrist> what is option 6?
07:19 < krzee> he wanted to renew his certs which expired after his 365 days
07:20 < krzee> i think he may have been missing his ca.key or something
07:20 < krzee> i came in too late
07:20 < krzee> he decided to generate new certs by the time i came in, which is how he learned of ssl-admin
07:21 < ecrist> ah
07:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
07:21 < ecrist> renewing/resigning is not much different from creating new, anyways. simply the benefit of not needing to generate the CSR/key pair is all.
07:24 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
07:28 < stefanlsd> ecrist: after resigning (like renew) - do u still need to copy the keys to the client?
07:28 < krzee> yes
07:28 < krzee> err no not the keys
07:29 < ecrist> not the keys, but the certificates, yes
07:29 < krzee> in fact the keys dont ever need to leave the client
07:29 < krzee> but the certs
07:29 < krzee> its entirely possible for a client to make a key / csr themselves
07:29 < stefanlsd> mm. k. wanted to avoid having to copy anything to clients. (laptops running around)
07:29 < krzee> then they send you the csr, you sign it and give them the cert
07:29 < ecrist> in reality, that should be done by the client, but it's not practical for a VPN setup
07:30 < stefanlsd> yeah. i got lots of non technical users
07:30 < ecrist> stefanlsd: use CRLs and give your keys a 3650 day expiry
07:30 < ecrist> that way, you're only renewing every 10 years.
07:30 < stefanlsd> so then i would just publish keys i want to revoke.
07:30 < ecrist> and you can still revoke old/bad/lost certificates.
07:31 < krzee> agreed
07:32 < krzee> early expiration is useful for temps or consultants (if you dont feel like adding them all to the CRL)
07:32 < stefanlsd> kk. thanks. will look into it
07:32 < krzee> but otherwise a nice long expiration date is useful
07:41 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:59 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has joined ##openvpn
08:00 < geaaru> how can i drop by client side push with default gw param when i connect to a vpn server?
08:00 < geaaru> thanks in advance
08:06 < ecrist> sure
08:06 < ecrist> your server needs to have proper support for it, though (NAT/routing)
08:08 < krzee> !def1
08:08 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:08 < krzee> !nat
08:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding
08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:25 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
08:30 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
08:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:37 < c64zottel> what could cause a running connection to abort suddenly? i can see how the connection gets established, making an ssh connection, and watch just: watch ls
08:38 < c64zottel> is time synchronisation necessary for it to function?
08:39 < c64zottel> the fw on the openvpn server doesn't respond to pings, may that be the problem?
08:39  * ecrist reads
08:40 < c64zottel> http://pastebin.com/m584afd10
08:40 < ecrist> so, you're able to connect, but the session is terminated at some point?
08:40 < c64zottel> this is the output with verb 3
08:40 < c64zottel> ecrist: jepp
08:41 < c64zottel> maybe, one minute later
08:41 < ecrist> tcp or upd?
08:41 < ecrist> udp
08:41 < c64zottel> udp
08:41 < c64zottel> http://pastebin.com/m775410e1
08:42 < c64zottel> the client config
08:42 < c64zottel> can it be caused by the router?
08:42 < c64zottel> i forwarded 1194
08:45 < ecrist> what's your keepalive on your server config?
08:45 < c64zottel> i guess the default
08:46 < ecrist> don't guess, please
08:46 < c64zottel> ok
08:46 < c64zottel> i try to find out
08:47 < c64zottel> be back in a min.
08:49 < c64zottel> ok
08:49 < c64zottel> http://pastebin.com/m46dd44fa
08:49 < c64zottel> keepalive 10 60
08:50 < c64zottel> is that the problem?
08:51 < ecrist> try 10 120
08:51 < c64zottel> ok
08:54 < geaaru> i'm back... but --redirect-gateway is a flag for server side?
08:56 < ecrist> generally, yes
08:56 < geaaru> ah ok, because i want to leave the redirect-gateway flag on the server side ... but from the client i want to ignore the command. how can i do that?
08:57 < ecrist> I don't know of an ignoring command.
08:57 < geaaru> :'( however, thanks for the reply
08:58 < ecrist> you could have an up script which deletes the 0.0.0.0/1 route
08:59 < geaaru> ah ok...
09:02 < geaaru> thank you very much
09:08 < ecrist> np
09:10 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
09:11 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
09:11 < c64zottel> changed nothing
09:11 < c64zottel> i tried also 600 1200
09:12 < c64zottel> and restarted via /etc/init.d/openvpn restart
09:12 < c64zottel> but, is it a normal icmp ping? because the server drops ping
09:30 -!- stefanlsd [n=stefan@ubuntu/member/stefanlsd] has quit ["Leaving"]
09:43 < geaaru> i tried to insert the up command in my conf file but i have this error:
09:43 < geaaru> openvpn_execve: external program may not be called due to setting of --script-security level
09:43 < geaaru> Mon Jan 5 16:25:46 2009 script failed: external program fork failed
09:58 < dvl> geaaru: what's the output of ls -l of that script?
09:58 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["GG. X_X"]
09:59 < geaaru> maybe i have understood ... i need to add the command line param --script-security 2 to openvpn
09:59 < geaaru> (script is executable however :) )
10:05 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
10:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn
10:17 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 60 (Operation timed out)]
10:18 < geaaru> and i also found that route-up must be used to rewrite the routing rules because the up command is called before the routing commands pushed by the vpn server
10:18 < geaaru> thanks to all for the support
10:22 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:22 < plaerzen> morning irc
10:27 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn
10:46 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
11:01 < ecrist> good morning plaerzen
11:07 < plaerzen> hey ecris
11:07 < plaerzen> ecrist,
11:07 < plaerzen> hi
11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:04 < plaerzen> ecrist, how was your christmas / new year ?
12:18 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:33 < ecrist> plaerzen: good. went to a nice little new years party - we played some rock band and drank a lot.
12:33 < ecrist> you?
12:34 < plaerzen> amazing, some old friends from school came down to visit and we didn't drink that much - but we did other things.
12:34 < plaerzen> partied, etc.
12:35 < plaerzen> Re-united with this girl I used to date (to the climbing gym.... we both rock climb) a while back and went for ethiopian this past weekend.
12:35 < plaerzen> (she actually works there)
12:35 < plaerzen> (the gym)
12:35 < plaerzen> overall, amazing 2 weeks.
12:42 < ecrist> cool 12:56 -!- oc80z [i=oc80z@89.46.100.91] has joined ##openvpn 13:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 13:56 -!- acidchild [i=ash@208.92.235.204] has joined ##openvpn 13:56 < acidchild> root@dubstep:~# openvpn /etc/openvpn/openvpn.conf 13:56 < acidchild> File size limit exceeded 13:56 < acidchild> root@dubstep:~# 13:56 < acidchild> my OpenVPN just started doing this :-( 13:57 < acidchild> worked fine before the reboot, i raised the file limit using ulimit to 4096 from 1024. still no luck. 13:57 < acidchild> very little on Google :-( 13:58 < acidchild> OpenVPN 2.0.9 i486-slackware-linux [SSL] [LZO] [EPOLL] built on Jun 11 2007 14:03 < acidchild> I've worked it out, thank you, my log file was full :-) 14:03 < ecrist> was going to say - check your log file. 14:03 < ecrist> ;) 14:04 * acidchild sets up a log rotation. 14:04 < acidchild> open("/var/log/openvpn.log", O_WRONLY|O_CREAT|O_APPEND, 0600) = 4 14:04 < acidchild> open("/etc/localtime", O_RDONLY) = 3 14:04 < acidchild> --- SIGXFSZ (File size limit exceeded) @ 0 (0) --- 14:04 < acidchild> that gave it away :-P 14:09 < acidchild> ecrist: lol turning down the verbos level might help :P 14:09 < acidchild> root@dubstep:/etc/openvpn# cat /var/log/openvpn.log |wc -l 14:09 < acidchild> 48728 14:09 < acidchild> since i deleted it two minutes ago 14:17 < ecrist> a little? 
14:21 < acidchild> just a lil bit :-P
14:28 -!- mRCUTEO [n=info@124.82.101.3] has joined ##openvpn
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
14:44 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
14:45 -!- hiptobecubic [n=john@c-68-56-198-177.hsd1.fl.comcast.net] has quit [Connection timed out]
14:53 -!- mRCUTEO [n=info@124.82.101.3] has quit []
14:53 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has joined ##openvpn
15:02 -!- acidchild [i=ash@208.92.235.204] has quit ["BRB"]
15:16 < Keizer> Anyone here use OpenVPN on OpenBSD?
15:17 < Keizer> crypto ipsec transform-set ipcom esp-3des esp-md5-hmac
15:32 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn
15:34 < Plecebo> I have openvpn server installed on my Windows Server box and I am able to connect via Terminal Services Client on my Ubuntu box. The trouble is that the connection only lasts for 30 seconds or so before it stops and I have to disconnect/reconnect. Any ideas where to start troubleshooting or what the problem might be?
15:38 < xattack> openvpn on openbsd here!
15:45 < Plecebo> would I be better off setting up openvpn on my ubuntu firewall then using remoting into the server for admin duties?
15:47 -!- xattack [i=xattack@132.248.108.239] has quit []
16:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
16:32 < krzie> Anyone here use OpenVPN on OpenBSD?
16:32 < krzie> it shouldnt really be diff than openvpn on other os, whats the problem...
17:07 * ecrist thinks someone's building an IPSEC tunnel on Cisco hardware
17:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:44 -!- geaaru [n=geaaru@host34-217-dynamic.1-79-r.retail.telecomitalia.it] has quit ["Leaving"]
18:11 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
18:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
19:21 -!- oc80z [i=oc80z@89.46.100.91] has quit [Remote closed the connection]
20:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
20:36 -!- Solver [n=robert@CPE00a0c96b79ba-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit ["Lost terminal"]
21:17 < krzie> http://msdn.microsoft.com/en-us/library/ms972827.aspx
21:17 < krzie> look at the referenced directory in one of the dialog boxes
21:17 < krzie> lol
21:17 < vpnHelper> Title: Browsing the Web and Reading E-mail Safely as an Administrator (at msdn.microsoft.com)
21:31 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
22:37 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit [Remote closed the connection]
22:54 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has joined ##openvpn
22:55 < Plecebo> when you are connected to a server do you need to use a special code to close the connection?
22:57 < krzee> no, you just close the openvpn process
22:57 < krzee> trust me, it will disconnect
22:57 < krzee> hehe
22:57 < Plecebo> LOL well that is good to know
22:58 < Plecebo> if I do that and attempt to re-connect it will not let me...
any reason you can think of why
22:58 < krzee> persist-tun
22:58 < krzee> persist-key
22:58 < krzee> something like that maybe
22:58 < krzee> something like that maybe
22:58 < Plecebo> it tries to connect, and it doesn't give an error but it gets part of the way and just sits there
22:58 < krzee> !sample
22:58 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:58 < krzee> check those out
22:59 < reiffert> resolv.conf
22:59 < reiffert> and moin
23:00 < Plecebo> I do have the persist options present in my config, and server I think (cant actually connect at the moment)
23:00 < reiffert> Plecebo: change the remote host line into remote ip and try again
23:00 < krzee> omin reif
23:01 < Plecebo> reiffert: ok i'll give that a try
23:01 < reiffert> YAJ! -22 C
23:02 < reiffert> (-7.6 F)
23:05 < Plecebo> putting the IP in the config gives the same result :( Here is the output from my client http://pastebin.com/m40a627c8
23:07 < reiffert> increase verbosity to level 6
23:10 < Plecebo> here it is at verbosity 6 http://pastebin.com/m5682c3c1
23:12 < reiffert> beats me, never seen that
23:13 < Plecebo> LOL OK
23:13 < Plecebo> well thanks for trying :)
23:16 < krzee> show server log
23:20 < reiffert> ah, is it still alive?
23:20 < reiffert> I'm still sleeping ...
23:28 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has joined ##openvpn
--- Day changed Tue Jan 06 2009
00:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
01:46 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
01:58 -!- Jason404 [n=eggbean@host86-133-220-249.range86-133.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
02:08 -!- gfather [n=user@94.249.23.94] has joined ##openvpn
02:08 < gfather> hello guys
02:19 < gfather> krzee , hay man , can you send me the ur pae about routing ?
02:20 < gfather> can you send me your url about routing
02:29 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
02:58 -!- gfather is now known as gfather[a]
03:47 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"]
04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
04:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:44 < krzee> gfather[a], just type !route
04:45 < krzee> (as seen in the topic)
04:45 < gfather[a]> !route
04:45 < vpnHelper> gfather[a]: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:45 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
04:45 < gfather[a]> thanks ;)
04:46 < krzee> np =]
04:47 -!- hiptobecubic [n=john@c-68-56-141-130.hsd1.fl.comcast.net] has quit [Read error: 110 (Connection timed out)]
04:52 < gfather[a]> krzee one thing i dont understand is the iroute
04:52 < gfather[a]> should i do iroute for every client ?
04:54 < gfather[a]> ah or only the client should tell whats the lan behind him with iroute
04:54 < gfather[a]> right
05:34 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
05:40 < krzee> !iroute
05:40 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry.
Also see !route and !ccd
06:02 < gfather[a]> cools .,
06:02 < gfather[a]> ill do some testing and stuff :)
06:03 < gfather[a]> make sure i understand every thing ,
06:03 < gfather[a]> and by the way , the pic is very good for explaining
06:04 < krzee> thx =]
06:05 < gfather[a]> :D
06:08 < gfather[a]> krzee how stuff gonna work with ipv6 and that nat is gonna be gone ?
06:09 < krzee> that wouldnt change anything other than no nat
06:09 < gfather[a]> lool
06:09 < gfather[a]> so is the latest build of openvpn compatible with ipv6
06:10 < krzee> no
06:10 < gfather[a]> i see
07:10 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
07:11 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
07:12 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:31 < ecrist> good morning, folks
07:37 < gfather[a]> hello ecrist
07:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
07:40 < disposable> i've installed openvpn on a linux server and two windows clients. i can ping the server from each client, each client from the server but a client cannot ping the other one. i don't seem to have any errors in logs. what am i missing?
07:45 < disposable> this is how my server is configured http://pastebin.com/d1a1b8bb
07:58 < disposable> !route
07:58 < vpnHelper> disposable: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:58 < disposable> !menu
07:58 < vpnHelper> disposable: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
07:58 -!- Tykling [i=tykling@gibfest.dk] has quit [Read error: 110 (Connection timed out)]
08:04 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:16 < ecrist> disposable: do you have client-to-client enabled in your config?
08:17 < disposable> ecrist: i was just about to try that :) from the !route hint
08:19 < disposable> and now it works :)
08:21 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
08:21 < nardul> oi
08:22 < nardul> Does anyone know anything about openvpn-gui under windows? I'm trying to start it as a service, but i can't make it start the connections.
08:24 < tjz> it is an application used to connect to your vpn server
08:25 < disposable> nardul: i am testing it at the moment.
08:25 < nardul> disposable, Thanks. I can't seem to make it run. It's a virtual machine running some backup stuff. And i want it to run without logging in.
08:26 < disposable> control panel, admin tools, services, openvpn - rightclick and make it start automatically. that's what i did
08:27 < nardul> disposable, But the tunnel doesn't start. At least i can't make it.
08:27 < ecrist> nardul: do you have the config and certificates?
08:27 < disposable> it takes windows a minute or so to initialise the LANs if you don't log in. what does your log say? (use pastebin)
08:27 < nardul> Yers
08:27 -!- gfather[a] [n=user@94.249.23.94] has quit [Read error: 110 (Connection timed out)]
08:27 < nardul> yes*
08:28 < disposable> check the server's log as well to see if it's even trying to communicate
08:28 < nardul> disposable, Checking
08:31 < nardul> This is a windows server 2003, i don't know if that matters.
08:31 < nardul> Anyways i can't check right now, my boss wants it to work _right now_
08:31 < nardul> So i'll just run manually until i have time to check
08:31 * nardul curses
08:32 < disposable> :)
08:32 < disposable> wow you have a benevolent boss... mine wants things to work yesterday
08:34 < nardul> I have about a 1000 things running at once.
08:34 < nardul> It's awesome (frowney face)
08:34 < nardul> It would be sooo much easier with ini scripts.
08:34 < nardul> inint*
08:34 < nardul> init*
09:08 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
09:08 < chairuou> !route
09:08 < vpnHelper> chairuou: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:09 < chairuou> !menu
09:09 < vpnHelper> chairuou: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
09:09 < chairuou> !menu *
09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command.
09:09 < chairuou> !menu search *
09:09 < vpnHelper> chairuou: Error: "menu" is not a valid command.
09:14 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
09:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:41 < ropetin> !factoids search *
09:41 < vpnHelper> ropetin: More than 100 keys matched that query; please narrow your query.
09:41 < ropetin> try that chairuou
09:41 < chairuou> ropetin, thanks
09:42 < chairuou> !factoids search revoke client certificate
09:42 < vpnHelper> chairuou: No keys matched that query.
09:42 < chairuou> !factoids search revoke
09:42 < vpnHelper> chairuou: No keys matched that query.
09:59 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
10:00 < mRCUTEO> hiya all
10:00 < mRCUTEO> hiya kreg
10:00 < mRCUTEO> kreg
10:00 < mRCUTEO> hiya krzee
10:00 < mRCUTEO> :P
10:03 -!- mRCUTEO [n=info@96.9.131.183] has quit [Client Quit]
10:06 < ecrist> chairuou: you need a CRL
10:06 < ecrist> that can be done with openssl, through easy-rsa or the more elite ssl-admin
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
10:08 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
10:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
10:09 < chairuou> ecrist, can you explain more
10:13 < ecrist> you need to use openssl to generate a CRL with the revoked certificates
10:13 < ecrist> read the howto - I believe it's mentioned in there.
10:15 < chairuou> ah ok
10:15 < chairuou> got the point
10:16 < chairuou> thanks
10:30 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."]
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:04 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn
12:05 < Max007> !route
12:05 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:05 < Max007> Hi can someone help me with this problem: http://ubuntuforums.org/showthread.php?p=6504733#post6504733
12:05 < vpnHelper> Title: [ubuntu] Problem with OpenVPN / Route - Ubuntu Forums (at ubuntuforums.org)
12:09 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit [Read error: 110 (Connection timed out)]
12:23 < Max007> no one ? :(
12:32 < dvl> Max007: yes. Exactly. We all hate Ubuntu. ;)
12:33 < dvl> sounds like firewall rules not letting in the ping or the reply, or both. That's my guess without looking at it closely.
12:45 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:31 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
13:37 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn
13:37 < rorx> is it possible for VPN clients to talk to each other when the server uses a multiclient tun setup?
13:38 < rorx> !menu
13:38 < vpnHelper> rorx: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
13:39 < rorx> !route
13:39 < vpnHelper> rorx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:42 < ecrist> rorx: yes
13:44 < rorx> ecrist: hmm, should it do it by default, or is that a question of additional routing? I noticed that the client was not routing the request for a fellow VPN client through the VPN interface, so I manually added a network route of the network which all the VPN clients use, and I can see the request getting to the server's tun0 interface, but no response.. so I think I either need to add more routes on the server or the VPN server config needs some chang
13:44 < rorx> es?
13:46 < rorx> for example, the server does not have a network route for the network that the VPN clients use, so maybe that's what I'm missing? I just see a host route to one of the addresses in the tun0 interface.
13:47 < rorx> so far I've only been using this VPN setup to allow VPN clients to reach a LAN that the VPN server is attached to, and that works fine. Even LAN nodes can reach any VPN client.. and now I have a reason to try and connect to another VPN client instead, and that's what's failing.
13:52 < ecrist> client-to-client
13:52 < ecrist> in your config
13:52 < ecrist> it's in the howto
13:52 < rorx> ecrist: ah, I see, so by default it doesn't allow this eh?
13:53 < rorx> thank you.
13:53 < rorx> indeed, that seems to be the case.
13:55 < ecrist> it's in the howto and man pages.
13:56 < rorx> sure is, I missed it earlier.
14:00 -!- Determinist_ [n=lior@unaffiliated/determinist] has joined ##openvpn
14:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:11 -!- Determinist_ [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
14:28 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"]
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 -!- xattack [i=xattack@132.248.108.239] has quit []
15:00 < Keizer> Does anyone know if there is a document on how to create a subnet to subnet vpn tunnel on OpenBSD
15:06 < ecrist> !route
15:06 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:07 < ecrist> Keizer: ^^^^
15:09 < Keizer> I looked at that doc
15:09 < Keizer> I need the getting started doc
15:10 < Keizer> I looked at that page
15:10 < Keizer> I'm trying to find the one that tells me to setup the Key Infrastructure
15:11 < Keizer> And I don't have iroute on OpenBSD
15:14 < reiffert> !howto
15:14 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:15 < dvl> probably safe for most work places: http://www.cbsnews.com/video/watch/?id=4632991n
15:15 < vpnHelper> Title: A Meal To Die For Video - CBSNews.com (at www.cbsnews.com)
15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
15:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:01 < ecrist> oh
16:01 < ecrist> !freebsd
16:01 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
16:10 < ecrist> I want that restaurant here.
16:10 < ecrist> Keizer: ^^^^
16:13 < Keizer> !openbsd
16:13 < vpnHelper> Keizer: Error: "openbsd" is not a valid command.
16:35 < ecrist> Keizer: read the freebsd page, it should apply to openbsd
16:40 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
16:41 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
17:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
17:12 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:21 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Connection timed out]
17:46 < dvl> Anything on the website /etc about the rash of idiocy regarding MD5 collisions and certificates?
18:02 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
18:36 < krzie> idiocy?
18:40 < dvl> krzie : people over-reacting, wondering how to protect themselves, what to do, without really understanding the attack.
18:40 < krzie> ahh
18:40 < dvl> It's still pretty damn hard to achieve, if not impossible.
18:40 < krzie> nope nothing that i know of on the site
18:41 < krzie> thats true, even the people who did it with a huge cluster of game systems said it takes them like 6months
18:41 < dvl> Might help doubters understand the possible risks with OpenVPN.
18:41 < dvl> Using a private CA, I can't see any attack vector.
18:41 < krzie> and targeting a vpn would be insane cause you need to target the CA
18:42 < dvl> Easier to send in a burglar to steal the computer.
18:42 < krzie> lol, much easier
19:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:39 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has joined ##openvpn
20:39 * tjz swim in
22:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
22:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
--- Day changed Wed Jan 07 2009
00:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
00:07 < muh2000> hi
00:07 < muh2000> :( @ "openvpn[5978]: ******* WARNING *******: '(null)' is a known vulnerable key. See 'man openvpn-vulnkey' for details."
00:07 < muh2000> but i checked the keys with openvpn-vulnkey and it said all fine.
02:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:33 < simplechat> hey
02:33 < simplechat> any bsd users around?
02:33 < simplechat> muh2000, i'd regen
02:33 < simplechat> to be saf
02:33 < simplechat> *safe
02:34 < muh2000> hmmm ok. :)
02:35 < reiffert> simplechat: plenty of bsd users here.
02:35 < simplechat> reiffert, any with any advice as to how to install openvpn on a bsd?
02:36 < simplechat> atm i have a natted bsd host and i'd like to join it onto an existing openvpn net
02:36 < reiffert> !howto
02:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:36 < simplechat> does it have one for the bsds?
02:36 < reiffert> yep.
02:36 < simplechat> also any advice you'd give for an openbsd user?
02:37 < reiffert> such as?
02:37 < simplechat> i don't know, tutorials that will fail
02:38 < simplechat> things to watch out for, common mistakes & that
02:38 < simplechat> things that might trip up a noob
02:38 < reiffert> You seem to refuse the help I was giving you, so what should I help you any further?
02:38 < simplechat> explain?
02:38 < simplechat> i'm reading through that tutorial now
02:39 < simplechat> i was just wondering if there was anything else i should look out for
02:50 < simplechat> reiffert, not to sound too much like a noob, but after installing openvpn 2.1 there is no /etc/openvpn directory. Shouldn't there be one?
03:10 < muh2000> open vpn doc is one of the better docs for oss.
(for a basic working setup)
03:50 -!- chairuou [n=chairuou@unaffiliated/chairuou] has joined ##openvpn
04:49 -!- chairuou [n=chairuou@unaffiliated/chairuou] has quit ["Leaving"]
05:25 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: rorx, disco-, jabular, dogmeat, cj
05:26 -!- rorx [n=rory@cypher.TrueStep.com] has joined ##openvpn
05:26 -!- Netsplit over, joins: cj
05:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
05:26 -!- Netsplit over, joins: jabular, disco-
05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
06:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:42 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
06:42 < jrgp> is it possible to tunnel windows filesharing through openvpn?
07:16 < cpm> http://openssl.org/news/secadv_20090107.txt
07:27 < reiffert> jrgp: yes.
07:28 < simplechat> jrgp, yep
07:28 < simplechat> just make sure that you allow ports 139 through your vpn
07:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:30 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has joined ##openvpn
07:31 < reiffert> simplechat is on BSD and wonders why there is no /etc/openvpn instead of /usr/local/etc/openvpn? sigh.
07:31 < reiffert> How fast did I learn, lemme estimate, within the first 30 seconds?
07:31 < ecrist> lol
07:33 < ecrist> msg chanserv help set
07:33 < ecrist> grr
07:33 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
07:34 -!- mode/##openvpn [+o ecrist] by ChanServ
07:35 -!- ecrist changed the topic of ##openvpn to: Potential server verification exploit. See http://openssl.org/news/secadv_20090107.txt for more information. || HowTo: http://openvpn.net/howto
07:35 -!- mode/##openvpn [-o ecrist] by ecrist
07:45 < dazo> anyone know if OpenVPN really is vulnerable to the latest OpenSSL CVE?
07:46 < dazo> according to the recommendations from OpenSSL: "Projects and products using OpenSSL should audit any use of the routine EVP_VerifyFinal() to ensure that the return code is being correctly handled."
07:47 < dazo> I can't find any part in the OpenVPN code using this function at all ... well, there are 2 in debug/valgrind-supress ... but that's not relevant :)
08:09 < dazo> I've skimmed quickly through the code a little bit better now .... I see that SSL_CTX_set_verify is used, which calls a callback ... OpenVPN do not directly use EVP_VerifyFinal()
08:10 < dazo> From my point of view OpenVPN seems to be safe from this bug ... BUT! It might be that there are parts which is called internally in OpenSSL which is buggy, so OpenVPN might be indirectly hit ... but upgrading OpenSSL should solve this
08:12 < dazo> I also had a quick look in the OpenSSL code ... but it wasn't easy to catch when the verify_callback() function in OpenVPN would be called, as SSL_CTX_set_verify() just prepares the callback ... and might be called at any later point
08:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
08:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:11 < reiffert> ecrist: Would someone mind setting the channel -t so that all users can change the topic (until it gets exploited)?
09:13 < ecrist> I supposed.
09:13 < ecrist> suppose*
09:14 -!- mode/##openvpn [+o ecrist] by ChanServ
09:14 -!- mode/##openvpn [-t] by ecrist
09:14 -!- mode/##openvpn [-o ecrist] by ecrist
09:15 < ecrist> there ya go, reiffert
09:19 < kaii> i'm confused with the Ports system ... i have an openbsd 4.3 based appliance, which has python2.4 on disk.
09:21 < ecrist> ok...
09:22 < reiffert> Thanks
09:22 < reiffert> dazo: isn't the openssl cve about the md5 issue?
09:23 < reiffert> dazo: eeks, it is not.
09:23 < dazo> reiffert: nope :) I was thinking about the one announced today ....
but not completely official
09:26 -!- tjz [n=tjz@bb116-15-44-41.singnet.com.sg] has quit ["I want to sleep."]
09:26 < kaii> can somebody please tell me where the value of the variable "MODPY_VERSION" comes from when i build for example "py-mysql" from ports?
09:27 < kaii> it wants to build for 2.5, but i have 2.4 and really want to stick with that.
09:27 < ecrist> kaii, this isn't #openbsd
09:27 < kaii> oh darn.
09:27 < kaii> ^^
09:27 < kaii> lol
09:27 < kaii> was just a window away
09:28 * ecrist cries.
09:28 < ecrist> I lost over 4GB of pr0n. :(
09:29 < dazo> reiffert: from what I could see OpenVPN should not be vulnerable .... the only thing which could be done is to make things even tighter is in ssl.c:654 - change if (!preverify_ok) to if (preverify_ok != 1) .... but the docs for SSL_CTX_set_verify says that only 0 or 1 is to be expected, so unless OpenSSL returns something wrong, this is not needed
09:34 < ecrist> reiffert: do you want me to lose the +r, too?
09:34 < ecrist> it's been discussed before
09:34 < reiffert> ecrist: +r is for registered users only, is it?
09:35 < reiffert> ecrist: what was the intentional event that was happening for setting the channel +r?
09:36 < ecrist> reiffert: nothing specific, when I built the chan, just threw it in to keep spam down
09:36 < ecrist> I'm not opposed to dropping it, though
09:40 < reiffert> so why ask me in the first place
09:40 < ecrist> well, you had an opinion on the +t...
09:46 < reiffert> on IRCnet we keep spam low setting the channel to be secret, +s
09:46 < reiffert> What's +c about?
09:47 < ecrist> prevents CTCP to the channel
09:48 < reiffert> Ah well .. then keep it like it is, until next time I ask :)
09:48 < reiffert> Why did we give up #openvpn btw?
09:49 < ecrist> spam and lack of mgmt - network ops wouldn't give me the channel, but they were willing to forward it for me, to here.
09:49 < ecrist> that was back in August of last year, though
09:51 < ecrist> no ops and lots of channel flooding going on
10:01 < reiffert> Interesting, totally missed that.
10:01 < reiffert> that period of time
10:42 < ecrist> it was an experience.
10:43 < ecrist> if you wouldn't/couldn't help someone, they'd just flood the channel for an hour
10:47 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has joined ##openvpn
10:48 < Max007> Hi
10:48 < Max007> where can I find a good documentation on how to join 2 networks with openvpn ?
10:51 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
10:51 < nardul> Evening
10:51 < nardul> I was here a few days ago about the openvpn service not starting tunnels on windows server 2003
10:51 < nardul> can anyone help me with that?
10:53 < dazo> Max007: are you familiar with OpenVPN at all?
10:54 * dazo just want to avoid giving some clues which is far too basic :)
10:56 < ecrist> Max007: the howto
10:56 < ecrist> or see the following
10:56 < ecrist> !route
10:56 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:01 < nardul> So no one knows about windows server 2003 and openvpn?
11:06 < ecrist> not I - we have a couple clients running windows XP, but that's all we use windows for
11:06 < ecrist> and even those are going away in the next 6 months
11:08 < nardul> Good lord i wish i could say the same.
11:08 < nardul> Apparently it works in windows xp, but not on server 2003
11:08 < ecrist> going all mac for our client work stations, all our servers (ALL) run FreeBSD
11:08 < nardul> Which i sort of need it to do
11:09 < nardul> We run a bit of everything.
11:09 < nardul> Some clients want windows though.
11:09 < nardul> And blackberry requires windows
11:09 < ecrist> ah, see our *clients* are staff - they use what we tell them to use.
11:10 < ecrist> we're telling them to use macs. :) Tunnelblick FTW
11:10 < ecrist> nardul: what do you mean, blackberry requires windows?
11:10 < nardul> ecrist, blackberry enterprise server
11:11 < ecrist> I don't know what BES has to do with OpenVPN
11:12 < ecrist> nardul: I've no experience with OpenVPN running under Windows Server 2003, sorry.
11:12 < nardul> Nothing per se. But domino needing a connection to another domino does.
11:12 < ecrist> ah, see that's information I didn't have.
11:13 < ecrist> what problem are you running in to?
11:13 < nardul> I know :)
11:14 < ecrist> what problem are you running in to?
11:14 < ecrist> what problem are you running in to?
11:14 < nardul> My server runs BES and a Domino replicator. The BES is supposed to connect to the domino replicator, and the replicator copies mails over openvpn. I can make openvpn run, no problem, the only problem is, i have to log in to make it run.
11:15 < nardul> I can't make the openvpn service start the connections
11:17 < Max007> dazo: yes i am
11:17 < Max007> My vpn is up
11:18 < Max007> the client can ping the server
11:18 < dazo> Max007: which OS?
11:18 < Max007> but the server can't ping the client
11:18 < Max007> dazo: linux, ubuntu
11:18 < dazo> Max007: okey ... have you set up routing properly on both sides of the network?
11:18 < Max007> yes.. i guess
11:19 < Max007> look
11:19 < Max007> routing table for the client
11:19 < Max007> 192.168.0.0 10.10.10.5 255.255.255.128 UG 0 0 0 tun0
11:19 < Max007> 192.168.2.0 * 255.255.255.0 U 0 0 0 eth0
11:19 < Max007> for the server:
11:19 < Max007> 192.168.0.0 * 255.255.255.128 U 0 0 0 eth0
11:19 < Max007> 192.168.2.0 10.10.10.2 255.255.255.0 UG 0 0 0 tun0
11:19 < Max007> client's lan is 192.168.0.0/24
11:20 < ecrist> Max007: did you see the link I pointed you to?
11:20 < Max007> nop
11:20 < Max007> client's lan is 192.168.0.0/24
11:20 < Max007> ecrist: yes
11:21 < dazo> Max007: if you do: cat /proc/sys/net/ipv4/ip_forward .... do you get "1" as result? ...
if yes, then it is only firewalling (iptables) to check in addition the link ecrist sent
11:21 < dazo> Max007: whats your VPN network addresses?
11:21 < Max007> server's lan is 192.168.0.0/255.255.255.128
11:21 < Max007> dazo: vpn network is 10.10.10.0/24
11:22 < Max007> there's no iptables rules
11:22 < Max007> # cat /proc/sys/net/ipv4/ip_forward
11:22 < Max007> 1
11:22 < dazo> Max007: I presume you use 192.168.2.0/24 for client and 192.168.0.0/24 for server
11:22 < Max007> 192.168.0.0/25 for the server
11:22 < dazo> actually, /25 I mean :-P
11:23 < Max007> # iptables -L
11:23 < Max007> Chain INPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain FORWARD (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain OUTPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> # iptables -t nat -L
11:23 < Max007> Chain PREROUTING (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < Max007> Chain POSTROUTING (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < ecrist> Max007: stop
11:23 < Max007> Chain OUTPUT (policy ACCEPT)
11:23 < Max007> target prot opt source destination
11:23 < dazo> Max007: seems very good
11:23 < Max007> on both the client and the server
11:23 < ecrist> don't paste more than 5 lines in here, please
11:23 < ecrist> use pastebin.com
11:24 < Max007> ecrist: sorry :/
11:24 < dazo> Max007: the server eth0 is 192.168.0.1?
11:24 < Max007> .125
11:24 < ecrist> nardul: do you get errors when trying to run as a service?
11:24 < dazo> Max007: okey ... if you ping that IP on the client, do you get any answer?
11:24 < Max007> yes
11:25 < nardul> ecrist, Logs say nothing at all
11:25 < dazo> Max007: and vice versa ... can you on the server ping the eth0 interface of the client?
11:25 < ecrist> and it just doesn't start up?
11:26 < ecrist> but you can start it manually?
11:26 < Max007> dazo: nop I can't ping 192.168.2.19 from the server 11:26 < dazo> Max007: .19 is the eth0 of the client? ... okey, then you have some routing issues ... do you have tcpdump available? 11:26 < nardul> ecrist, It doesn't start, and yes, i can start it manually. I've got to go no. I got off 2.5 hours agop 11:27 < nardul> I'll be back tomorrow 11:27 < nardul> laters 11:27 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"] 11:27 < dazo> Max007: Run tcpdump -n -i tun0 on the server ... and then run ping on the server in another session 11:27 < Max007> dazo: yes 192.168.2.19 is eth0 on the client 11:28 < Max007> i ping the client from the server ? 11:28 < dazo> Max007: yes 11:28 < Max007> http://pastebin.com/m5c7185de 11:28 < dazo> Max007: another nice to know thing .... tun0 ip address of client is 10.10.10.2 ... and 10.10.10.5 on the server? 11:29 < Max007> tcpdump run on the server 11:29 < Max007> server: 11:29 < Max007> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 inet addr:10.10.10.1 P-t-P:10.10.10.2 Mask:255.255.255.255 11:29 < Max007> client: 11:29 < Max007> inet addr:10.10.10.6 P-t-P:10.10.10.5 Mask:255.255.255.255 11:30 < dazo> Max007: as I thought .... okey ... traffic from the server hits the VPN tunnel, but never comes back ... so it gets stuck somewhere 11:31 < dazo> Max007: what confuses me though is that you seem to have two different p-t-p links .... and these two do not talk together, 11:31 < ecrist> pardon me for interrupting, Max007, are you having a problem getting two VPN clients to talk? 11:31 < dazo> Max007: I usually use tap devices instead of tun devices ... but the theory behind should be pretty much the same when it comes to TCP/IP routing 11:31 < Max007> ecrist: the client can talk to the server but the server can't talk to the client 11:32 < ecrist> that doesn't even make sense. 11:32 < ecrist> what's your test? 
11:33 < Max007> ping, ssh connection 11:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:33 < Max007> client to server everything is ok 11:33 < dazo> Max007: ecrist: I believe it is a routing issue since he have two link layers here .... 10.10.10.1-10.10.10.2 on the server .... and :10.10.10.6-10.10.10.5 on the client 11:33 < ecrist> to the VPN client IP? 11:33 < Max007> lan ip 11:34 < ecrist> so, not the IP the vpn server gave the client? 11:34 < dazo> ecrist: does VPN server give IP on tun-connections? (not tap) 11:34 < ecrist> yes 11:35 < dazo> oki ... didn't know :) 11:35 < ecrist> Max007: pastbin.com your configs, please 11:35 < ecrist> both server and client 11:35 < dazo> Max007: what's your ifconfig lines in the config files you are using? 11:35 < dazo> (openvpn) 11:36 < Max007> dazo, ecrist: hold on 11:37 < dazo> Max007: do we stress you? :-P 11:37 < Max007> dazo: not at all :P 11:37 < Max007> I was on the phone 11:37 < dazo> Max007: :) 11:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:37 < rubydiamond> Hi people getting error 11:37 < rubydiamond> Error parsing PKCS#12 11:37 < rubydiamond> dont know why 11:38 < dazo> rubydiamond: to you have openssl command available? 11:38 < rubydiamond> what is that 11:38 < Max007> http://pastebin.com/m268ce9c5 11:38 < dazo> rubydiamond: which OS are you on? 11:38 < rubydiamond> dazo: MacOSX leopard 11:38 < rubydiamond> OpenSSL> exit 11:38 < rubydiamond> it is 11:38 < ecrist> rubydiamond: pastebin your logs, please 11:39 < rubydiamond> ok 11:39 < dazo> rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file 11:39 < ecrist> Max007: a couple notes on your config: 11:39 < ecrist> 1) your push of 192.68.0.0/25 is going to break remote LANs 11:40 < Max007> ecrist: why is that &? 11:40 < ecrist> 2) you generally don't need IPP and client-config-dir in the same config, but it won't hurt anything. 
11:40 < rubydiamond> ecrist: http://pastie.org/private/t4mlfqyhjstmhudtqqvwa 11:41 < ecrist> Max007: because, for example, my LAN at home is 192.168.0.0/24 - if I were to connect to your VPN, I couldn't route to my LAN, which is going to drop my connection to the VPN. 11:41 < ecrist> viscious cycle 11:41 < dazo> rubydiamond: "Error: private key password verification failed" ... did you use the correct password? 11:42 < rubydiamond> dazo: yes.. looks like 11:42 < Max007> ecrist: remote lan and local lan are not the same 11:42 < Max007> ecrist: on the server's side it's 192.168.0.0/25 and on the client's side it's 192.168.2.0/24 11:42 < ecrist> so, you don't have users connecting to this VPN from home? 11:42 < dazo> ecrist: I don't follow you now .... for me this seems sensible 11:43 < rubydiamond> smk: what is the solution 11:43 < Max007> ecrist: it's not a roadwarrior vpn. I only want to join both networks together 11:43 < ecrist> ok, just be aware if that changes down the road. 11:44 < dazo> rubydiamond: what did you get when using the openssl pkcs12 -in ? ... did you get a certificate out ... or an error? 11:44 < ecrist> what is the LAN subnet for the remote (client) end? 11:44 < Max007> 192.168.2.0/24 11:44 < rubydiamond> dazo http://pasternak.superalloy.nl/pastes/1218 11:45 < dazo> rubydiamond: you need to get the correct password for you certificate file .... with the password you use now, you cannot decrypt the certficate inside the pkcs12 file 11:45 < ecrist> ok, so you need a couple things. 
You need an iroute in a client-config for the VPN client, for the 192.168.2.0/24 networks 11:45 < ecrist> s/s$// 11:46 < dazo> rubydiamond: and if not, then the file is corrupt and you need to get a new pkcs12 file 11:46 < ecrist> second, you need your lan machines on either end to be pointing the appropriate subnet to the respective OpenVPN system 11:46 < rubydiamond> dazo: okay trying 11:47 < Max007> ecrist: I'm not sure I understand 11:47 < dazo> Max007: is the OpenVPN server and client also the default gw for you computers? 11:47 < ecrist> Max007: see below: 11:47 < ecrist> !iroute 11:47 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 11:47 < Max007> dazo: yes 11:48 < ecrist> if you read !route, you'll get a better idea 11:48 < dazo> ecrist: since openvpn sits on the default gw .... isn't it enough that the computers in the network points at their local default gw? 11:48 < ecrist> yep 11:49 * dazo thought so as well 11:49 < ecrist> that's plenty - but that's not the case in all circumstances. 11:49 < ecrist> our network at my office, for example, as our OpenVPN server on a different host than the default gateways 11:49 < Max007> right now there's no computer on the LANs .. it's a test environement 11:49 < Max007> there's only the server and the client 11:49 < dazo> ecrist: yeah! and that makes sense 11:50 < ecrist> Max007: you need to setup the iroute on the server side in the client-config-dir, and all should be well, barring firewall problems. 11:50 * dazo catches -SIGWIFE ... need to go .... good luck Max007 ... 
I'm sure you'll solve it soon :) 11:51 * dazo might catch up later today 11:51 < Max007> dazo: bye, thanks for your help 11:51 < dazo> dazo: no prob :) 11:51 < Max007> !ccd 11:51 < vpnHelper> Max007: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 11:52 < Max007> !route 11:52 < vpnHelper> Max007: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 11:52 < ecrist> Max007: about half way down that page, you'll find the iroute bits 11:54 < Max007> # cat /etc/openvpn/ccd/testeux 11:54 < Max007> iroute 192.168.2.0 255.255.255.0 11:55 < Max007> like that &? 11:55 < ecrist> yep 11:55 < Max007> ok 11:55 < Max007> let's testing it 11:56 < Max007> YES 11:56 < Max007> it works 11:56 < Max007> but I don't understand why 11:56 < Max007> lol 11:57 < ecrist> because the openvpn process intercepts routing for the kernel to the tap/tun device 11:57 < ecrist> without the iroute, openvpn isn't aware of how to route the subnet for your testeux client, so it drops the packets. 11:57 < rubydiamond> WARNING: file 'Anil.p12' is group or others accessible 11:57 < Max007> ok 11:58 < Max007> thank a lot dude ! 11:58 < rubydiamond> I see this for my certificate file 11:58 < ecrist> np 11:58 < Max007> i'm on this problem since before xmas 11:58 < ecrist> rubydiamond: fix your permissions. 11:58 < Max007> -=4~-^-^,< 11:58 < Max007> oops 11:58 < ecrist> Max007: you finally found the right place. 11:58 < rubydiamond> ecrist: dazo... 
what should be the permissions 11:58 < Max007> yep 11:58 < ecrist> rubydiamond: chmod 600 Anil.p12 11:58 < ecrist> erm 11:58 < ecrist> no 11:59 < ecrist> chmod 500 Anil.p12 11:59 < ecrist> nope, 600 was right 11:59 < ecrist> that's the same as chmod u=rw,go= 12:03 < rubydiamond> hmm 12:03 < rubydiamond> http://pastie.org/private/hbo0u2hc2xmtufe1sbfkg 12:05 < rubydiamond> ecrist: is file permissions correct now 12:05 < ecrist> yep 12:05 < rubydiamond> but now. its asking me username and password. 12:05 < rubydiamond> it was asking me paraphrase still 12:05 < rubydiamond> till now 12:06 < ecrist> your Anil-TO-IPCop.ovpn file should be chown anildigital:staff 12:06 < Max007> gotta go 12:06 < Max007> thanks again ecrist 12:06 < ecrist> np 12:06 -!- Max007 [n=Max@modemcable089.194-21-96.mc.videotron.ca] has quit ["leaving"] 12:07 < rubydiamond> ecrist: it started askin me username and password 12:08 < rubydiamond> it was asking me paraphrase before 12:08 < rubydiamond> how do I use command line for it 12:08 < rubydiamond> http://pasternak.superalloy.nl/pastes/1220 12:09 < ecrist> what are you trying to do? 12:10 < rubydiamond> ecrist: I want to connect to openvpn 12:10 < rubydiamond> I am using mac.. tunnelblick 12:10 < rubydiamond> I used to connect before using tiger. 12:11 < rubydiamond> now I am trying to setyp my leopard with openvpn 12:12 < rubydiamond> ecrist: any idea.. why is it failing 12:16 < ecrist> ok, why are you running openssl command? 12:20 < rubydiamond> dazo: rubydiamond: try openssl pkcs12 -in ... if that fails, you most probably have a corrupt cert file 12:20 < rubydiamond> ecrist: I figured out .. 
12:20 < rubydiamond> that I was entering wrong password 12:21 < rubydiamond> but my openvpn client is asking me for username and passowrd 12:21 < rubydiamond> instead of paraphrase 12:21 < rubydiamond> how to I connect using command line 12:22 < ecrist> sudo openvpn --config 12:26 < rubydiamond> dazo: and ecrist I can do openssl pkcs12 -in Anil.p12 12:26 < rubydiamond> with my password 12:26 < rubydiamond> but .. I am not able to validate with openvpn with my password 12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:28 < rubydiamond> okay restaring my machine 12:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:35 < rubydiamond> $ sudo openvpn --config Anil-TO-IPCop.ovpn 12:35 < rubydiamond> Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:3: client 12:36 < ecrist> did you post your client config? 12:37 < rubydiamond> hi 12:37 < rubydiamond> help 12:37 < ecrist> did you post your client config? 12:49 < rubydiamond> friends Unrecognized option or missing parameter(s) in Anil-TO-IPCop.ovpn:6: pkcs12 12:49 < rubydiamond> ecrist: okay 12:50 < rubydiamond> ecrist: https://gist.github.com/e814278a78e160b97c14 12:50 < vpnHelper> Title: gist: e814278a78e160b97c14 GitHub (at gist.github.com) 12:51 < rubydiamond> ecrist: what is wrong.. 12:51 < ecrist> did you follow some howto to set this up? 12:51 < rubydiamond> the same file previously used to work correctly 12:52 < rubydiamond> ecrist: I just want to connect to my office vpn nw 12:53 < rubydiamond> I used to do that earlier 12:54 < ecrist> can you pastebin your entire log, please? 12:56 < ecrist> nm - i'm outta time. 
bbl 12:56 < rubydiamond> hmm okie 13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 13:08 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has joined ##openvpn 13:18 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 13:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 13:21 < dvl> !ca 13:21 < vpnHelper> dvl: Error: "ca" is not a valid command. 13:23 < rubydiamond> the current --script-security setting may allow this configuration to call user-defined scripts 13:23 < rubydiamond> getting this error 13:24 < rubydiamond> vpnHelper: getting this error 13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2 13:24 < vpnHelper> rubydiamond: Error: "getting" is not a valid command. 13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com) 13:24 < rubydiamond> dazo: you there? 
13:24 < rubydiamond> https://gist.github.com/0d992e63377ab4e3ebe2 13:24 < vpnHelper> Title: gist: 0d992e63377ab4e3ebe2 GitHub (at gist.github.com) 13:29 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"] 13:29 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn 13:38 < krzee> !mitm 13:38 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 13:39 < krzee> !servercert 13:39 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mtim 13:39 < krzee> lol @ my typo 13:39 < krzee> !forget servercert 2 13:39 < vpnHelper> krzee: Joo got it. 13:39 < krzee> !learn servercert as this will help with !mitm 13:39 < vpnHelper> krzee: Joo got it. 13:40 < krzee> what is Anil.p12 ? 13:45 < rubydiamond> krzee: where do you got it 13:45 < rubydiamond> its mine 13:45 < rubydiamond> krzee: hey 13:45 < rubydiamond> how do I check which comps are running in my nw 13:45 < rubydiamond> 192.168.104.* 13:46 < krzee> nw? 
13:46 < krzee> i didnt say who owns the fi;e Anil.p12 13:46 < krzee> i said what is it 13:46 < rubydiamond> krzee: its certificate 13:46 < rubydiamond> name 13:46 < krzee> i know whose it is 13:46 < rubydiamond> mine 13:47 < krzee> check its file permissions / location 14:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"] 14:17 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"] 14:18 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 14:22 * ecrist considers registering for an openvpn group/cloak 14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:41 < Keizer> Can I do a 3des encr with md5 hash subnet to subnet vpn tunnel with OpenVPN? 15:01 < ecrist> that sounds like IPsec, so no 15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:33 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 15:57 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit [Remote closed the connection] 16:02 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 16:11 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 16:23 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 16:33 -!- AndyML is now known as AwayML 16:35 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)] 16:37 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has joined ##openvpn 16:40 -!- xattack [n=xattack@lidsol.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)] 16:51 -!- AwayML is now known as AndyML 17:07 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 17:14 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 17:41 -!- DamZ [n=damz@drupal.org/user/22211/view] has joined ##openvpn 17:42 -!- DamZ [n=damz@drupal.org/user/22211/view] has left ##openvpn [] 20:33 -!- rorx [n=rory@cypher.TrueStep.com] has quit ["Signing off.."] 21:15 -!- kreg 
[n=kreg@208-98-188-95.directcom.com] has quit [Read error: 104 (Connection reset by peer)] 21:49 -!- Irssi: ##openvpn: Total of 35 nicks [0 ops, 0 halfops, 0 voices, 35 normal] 21:49 < krzie> http://politicalticker.blogs.cnn.com/2009/01/07/porn-industry-seeks-federal-bailout/ 21:49 < vpnHelper> Title: CNN Political Ticker: All politics, all the time Blog Archive - Porn industry seeks federal bailout - Blogs from CNN.com (at politicalticker.blogs.cnn.com) 21:51 < ecrist> way too funny 21:53 < ecrist> g'night 21:54 < krzie> nite 22:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has left ##openvpn ["Konversation terminated!"] 22:16 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has joined ##openvpn 22:19 < tjz> Use of OpenSSL as an SSL/TLS client when connecting to a server whose 22:19 < tjz> certificate uses an RSA key is NOT affected. 22:19 < tjz> hmm... 22:20 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 23:00 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn 23:23 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"] --- Day changed Thu Jan 08 2009 00:57 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 01:05 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 01:38 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn 01:38 < nardul> Morning 01:42 -!- Keizer [n=keizer@216.45.246.60] has quit ["WeeChat 0.2.6"] 01:45 < reiffert> moin 01:46 < krzee> moin 02:07 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 02:09 < nardul> Moin ??? Are you from germany or denmark? 02:11 < tjz> hey jeff 02:11 < tjz> hey everyone 02:11 < tjz> morning, everyone 02:13 < nardul> Morning 02:13 < nardul> Would anyone happen to know anythin about the openvpn service on windows server 2003? In short, it doesn't start the tunnels, i have to log in to make them run. 02:26 < krzee> sure the service starts it as admin? 
02:27 < krzee> (i have never used openvpn on windows as a service) 02:47 < tjz> Rockets from Lebanon strike Israel 02:47 < tjz> OMG!! 02:48 < tjz> http://edition.cnn.com/2009/WORLD/meast/01/08/israel.rockets/index.html 02:48 < vpnHelper> Title: 'Unknown group' in Lebanon launches rockets at Israel - CNN.com (at edition.cnn.com) 03:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:11 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 03:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 03:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 03:47 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:56 -!- dazo [n=dazo@nat/redhat/x-ce30629ea8d73e82] has quit ["Leaving"] 04:16 -!- ikevin [n=kevin@ANancy-256-1-41-4.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has joined ##openvpn 04:20 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 04:45 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has joined ##openvpn 04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:27 -!- Determinist [n=lior@unaffiliated/determinist] has quit ["Leaving..."] 05:28 -!- stmaher [n=stephen@mateus.province5.tv] has joined ##openvpn 05:28 < stmaher> Hello everyone.. 05:28 < stmaher> I have a linux server and client.. 05:29 < stmaher> I have a ca.crt and ta.key genereated ont eh server already.. Is it ok to copy them to the client and use those rather than regenerating them again? 
05:29 < stmaher> many thanks 05:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:32 < stmaher> Hi roentgen 05:33 < roentgen> Hi 05:33 -!- trifler [i=trifler@farva.bsnet.se] has joined ##openvpn 05:34 < stmaher> roentgen I know you just arrived but was wondering if you could answer my question plase 05:34 < stmaher> I have a linux server and client.. I have a ca.crt and ta.key genereated ont eh server already.. Is it ok to copy them to the client and use those rather than regenerating them 05:34 < stmaher> again? 05:47 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn 06:01 < dazo> stmaher: It would not make sense to regenerate ta.key ... that's a static key, and therefore needs to be identical on all places 06:02 < dazo> stmaher: when copying this key, you should make sure it is copied over a secure channel .... ie. encrypted transfer over the net (ftps, scp, sftp) or via a physical medium which you can observe (flash memory or similar) 06:02 < stmaher> thanks dazo! 06:02 < dazo> stmaher: the ca.crt is nothing secret, and can be globally available, even as a download from a web site if you want 06:03 < stmaher> cool thanks 06:03 < dazo> stmaher: just be sure not to share the ca.key anywhere ;-) 06:03 < dazo> stmaher: np! 06:08 -!- dazo [n=dazo@nat/redhat/x-1b4298a37737dcd7] has quit ["Leaving"] 06:08 -!- dazo [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has joined ##openvpn 06:34 < krzee> !factoids search 06:34 < vpnHelper> krzee: (factoids search [] [--values] [--{regexp} ] [ ...]) -- Searches the keyspace for keys matching . If --regexp is given, it associated value is taken as a regexp and matched against the keys. If --values is given, search the value space instead of the keyspace. 06:34 < krzee> !factoids search --values [ 06:34 < vpnHelper> krzee: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands. 
06:34 < krzee> !factoids search --values "[" 06:34 < vpnHelper> krzee: No keys matched that query. 06:34 < krzee> !factoids search --values "*[*" 06:35 < vpnHelper> krzee: No keys matched that query. 06:35 < krzee> !factoids search --values " 06:35 < vpnHelper> krzee: Error: No closing quotation 06:35 < krzee> !factoids search --values """ 06:35 < vpnHelper> krzee: Error: No closing quotation 06:35 < krzee> !factoids search --values "" 06:35 < vpnHelper> krzee: More than 100 keys matched that query; please narrow your query. 06:36 < krzee> !factoids search --values "'" 06:36 < vpnHelper> krzee: 'bridge', 'ask', 'push-reset', 'tap', 'iporder', 'menu', 'chooseip', 'iroute', 'noenc', 'all', 'fbsdbridge', 'bridge-fw', 'configs', and 'pushdns' 06:36 < krzee> cat pushdns 06:36 < krzee> !pushdns 06:36 < vpnHelper> krzee: "pushdns" is (#1) push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 06:36 < ecrist> morning, folks 06:36 < krzee> mornin eric 06:38 < krzee> yanno what i love 06:39 < krzee> still being up in time for mcdonalds breakfast 06:40 < ecrist> lol 07:25 < tjz> lol 07:26 < tjz> do they have this mega mcmuffin over there? 
07:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Ex-Chat"] 07:33 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 08:02 < krzee> neg 08:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 08:18 -!- lilalinux is now known as lilaunix 08:35 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"] 08:46 < tjz> lol 09:42 -!- stmaher [n=stephen@mateus.province5.tv] has quit ["My damn controlling terminal disappeared!"] 09:57 -!- resc [n=tgs@galileo.psych.indiana.edu] has joined ##openvpn 09:58 < resc> hi, i was wondering if the windows version of OpenVPN uses OpenSSL (which has a new man in the middle attack) 10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 10:01 < resc> ah, yeah, it does 10:03 < ecrist> resc, there was a user in here yesterday who looked into the code and said the exploitable function isn't used with openvpn 10:03 < resc> oh, nice 10:04 < resc> thank you 10:04 < ecrist> np 10:05 < dazo> ecrist: resc: I think I'm that guilty user :-P ... Another person also asked about in the mailing list, so I responded with my point of view there as well 10:06 < resc> cool, i'll look that up 10:06 < dazo> resc: The CVE mentions explicit EVP_VerifyFinal() ... which OpenVPN do not use at all 10:06 < resc> yeah 10:07 < dazo> resc: but of course, it uses some other techniques and uses some other OpenSSL library functions with callbacks to OpenVPN functions ... but I didn't manage to see any obvious things even here 10:08 < resc> sounds good 10:08 < resc> thanks for looking 10:09 < dazo> resc: np! :) 10:09 < ecrist> dazo, would you mind writing something up, somewhere, that I can link to? 10:09 < ecrist> if you need a place, secure-computing.net/wiki/ 10:10 < dazo> ecrist: not all, would be a pleasure ... I believe you mostly can copy-paste from the mail to the mailing list ... 
I'll find the link to it 10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:11 < dazo> ecrist: https://sourceforge.net/mailarchive/message.php?msg_name=4965B51E.5080409%40topphemmelig.net 10:11 < vpnHelper> Title: SourceForge.net: OpenVPN: (at sourceforge.net) 10:12 < ecrist> tx 10:12 < dazo> ecrist: I see I was more brief than I thought I was ... I'll give you some more from the chat yesterday if you want/need it 10:13 < ecrist> I've got logs. 10:13 < ecrist> !irclogs 10:13 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.) 10:13 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 10:14 < dazo> ecrist: cool! :) no worries then! :) ... If you need more details, don't hesitate to ping me 10:14 < ecrist> sure 10:40 -!- resc [n=tgs@galileo.psych.indiana.edu] has quit ["Leaving"] 11:03 -!- tjz [n=tjz@bb116-15-64-133.singnet.com.sg] has quit ["I want to sleep."] 12:07 -!- lilaunix is now known as lilalinux 12:10 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn 12:11 -!- cj [n=cjac@66.152.65.2] has quit [Read error: 110 (Connection timed out)] 12:14 < ponyofdeath> hi, im getting "http://pastebin.com/m275a4f2f" those errors after a tunnel times out and tries to reconnect? 12:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:01 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection] 13:02 -!- lilalinux is now known as lilaunix 13:16 < krzee> !learn foo as "bar \"baz [qux]\"" 13:16 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:16 < krzee> !learn foo as "bar \"baz [qux]\"" 13:16 < vpnHelper> krzee: Joo got it. 
13:17 < krzee> !foo 13:17 < vpnHelper> krzee: "foo" is bar "baz [qux]" 13:17 < krzee> !forget foo 13:17 < vpnHelper> krzee: Joo got it. 13:18 < krzee> !forget pushdns * 13:18 < vpnHelper> krzee: Joo got it. 13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" (remove the \'s) to push dns to the client" 13:19 < vpnHelper> krzee: Joo got it. 13:19 < krzee> !pushdns 13:19 < vpnHelper> krzee: "pushdns" is push "dhcp-option DNS a.b.c.d" (remove the 's) to push dns to the client 13:19 < krzee> hah! 13:19 < krzee> !forget pushdns * 13:19 < vpnHelper> krzee: Joo got it. 13:19 < krzee> !learn pushdns as "push \"dhcp-option DNS a.b.c.d\" to push dns to the client" 13:19 < vpnHelper> krzee: Joo got it. 13:19 < krzee> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 13:19 < vpnHelper> krzee: Joo got it. 13:19 < krzee> !pushdns 13:19 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 13:21 < krzee> !ssl-admin 13:21 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 13:24 < krzee> hrm 13:24 < krzee> no sed -i in NetBSD 13:34 < ecrist> ack 13:41 < krzee> [15:41] basically sed -i is everywhere but here 13:41 < krzee> [15:41] so i will file the PR 13:41 < krzee> [15:42] * ober has quit (Remote closed the connection) 13:41 < krzee> [15:42] i remember i once discovered the same 13:41 < krzee> [15:42] * ober (i=ober@mauthesis.com) has joined #netbsd 13:41 < krzee> [15:42] being told the same i'm telling krzee atm 13:41 < krzee> [15:42] :-) 13:41 < krzee> [15:43] what, to write it out to a temp file and delete it? 
13:41 < krzee> [15:43] s/discovered/reported/
13:41 < krzee> [15:43] yes
13:41 < krzee> [15:43] * syamajala has quit ("Leaving...")
13:41 < krzee> [15:43] well, thats ugly and unacceptable as an answer
13:41 < krzee> [15:43] since the rest of the world got it right
13:42 < krzee> [15:44] hey, there's no sed in windows so rest of the world doesn't even have a clue
13:42 < krzee> [15:44] lol touche
13:42 < krzee> [15:44] i havent used windows in a long time
13:42 < krzee> [15:44] Nodsu: good point!
13:42 < krzee> [15:45] should i look for ipconfig instead of ifconfig as well? ;]
13:42 < krzee> [15:45] yes
13:49 < krzee> bleh, i need to look into making the Makefile correctly
13:50 < krzee> that will undo the need for that bs
13:59 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 113 (No route to host)]
14:00 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
14:10 < krzee> cat Makefile | sed -ne 's+VARETC+/usr/local/etc+g;wMakefile'
14:10 < krzee> booya
14:17 < krzee> bleh except for SEDCMD
14:17 < krzee> i could hack around that in shell script too, but its losing its point
14:17 < krzee> easier to learn how to use a proper Makefile at this point
14:17 < krzee> or at least cleaner
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
15:05 -!- xattack [i=xattack@132.248.108.239] has quit []
15:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:09 -!- Keizer [n=keizer@216.45.246.60] has joined ##openvpn
17:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
17:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["Changing server"]
17:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:01 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
18:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:07 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
18:24 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
18:37 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
18:53 -!- lilaunix is now known as lilalinux
19:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
19:23 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
19:26 -!- alami [i=alami@unaffiliated/alami] has joined ##openvpn
19:28 < alami> i have openbsd and i want to create vpn server (PPTP)
19:28 < alami> to allow windows user to connect to my openbsd box
19:29 < alami> and the other side to connect from open bsd to a windows vpn server
19:29 < alami> is that possible with openvpn?
19:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:39 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Remote closed the connection]
19:49 < dvl> alami: a VPN server running PPTP?
19:50 < dvl> this help? http://openvpn.net/archive/openvpn-users/2007-10/msg00077.html
19:50 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN over PPTP on Vista (at openvpn.net)
20:02 < alami> thanks
20:03 < alami> i will see if i can do it
20:03 < alami> because i don't know which one i will use :)
20:06 -!- justdave [n=dave@unaffiliated/justdave] has quit [Read error: 104 (Connection reset by peer)]
20:06 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
20:09 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn
20:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
20:34 * tjz swim in
22:09 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:14 < krzee> !forum
22:14 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
22:39 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
22:42 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:32 < krzee> !factoids search win
23:32 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
23:32 < krzee> !win_noadmin
23:32 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
23:33 < krzee> !learn ipv6 as http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker
23:33 < vpnHelper> krzee: Joo got it.
23:38 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has joined ##openvpn
--- Day changed Fri Jan 09 2009
00:01 -!- rellik [n=rellik@adsl-75-12-152-129.dsl.stlsmo.sbcglobal.net] has quit [Remote closed the connection]
00:47 -!- mRCUTEO [n=info@58.26.212.3] has joined ##openvpn
00:53 -!- mRCUTEO [n=info@58.26.212.3] has quit []
01:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
01:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:56 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:11 < krzee> !configs
02:11 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:11 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: reiffert, mcp, kaii, Typone
02:11 -!- Netsplit over, joins: kaii, mcp, reiffert, Typone
02:13 -!- disposable [i=disposab@blackhole.sk] has quit [Remote closed the connection]
02:13 -!- jabular [n=jabular@82-32-104-27.cable.ubr02.hawk.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
02:19 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:42 < dazo> alami: I just saw your question regarding VPN server and PPTP
02:43 < dazo> alami: not sure if I understood you correctly, but it looked somehow like you want to setup a PPTP server for Windows clients, is that correct?
02:44 < dazo> alami: if that is correct, then you'll need another server than OpenVPN, unfortunately. PPTP uses a different protocol than OpenVPN
02:47 < dazo> alami: if you really want PPTP, you'll need to implement pptp-server, poptop or something like that .... I'm not a PPTP user at all, so I don't know much about it
02:48 < dazo> alami: but I would rather recommend you to implement OpenVPN on the client side too, the OpenVPN GUI for Windows is pretty good and easy for people who barely understand Word and Outlook
02:49 < dazo> alami: for the other way around ... you'll need to find a PPTP client for your BSD distro ... that's probably easier to set up :)
03:01 -!- lilalinux is now known as lilaunix
03:18 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has joined ##openvpn
03:41 -!- lilaunix is now known as lilalinux
03:42 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
03:50 < krzee> dazo, good advice
03:58 < dazo> krzee: well, of course, being in the openvpn channel, it was just my brief objective point of view :-P
03:58 < krzee> ;]
04:15 < tjz> bring alami to the pptp irc channel
04:15 < tjz> :P
04:17 < krzee> openvpn > pptp
04:17 < dazo> nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
04:19 < krzee> i'd rather trust my encryption to openssl with hmac sigs than to a ms proprietary protocol
04:19 < krzee> which has been known to have security issues
04:20 < dazo> ahh ... well, I meant to convert people from pptp > openvpn .... not running openvpn inside a pptp tunnel ...
04:20 < krzee> nope, completely diff protocols
04:20 < dazo> I'd prefer pptp inside an openvpn tunnel, if I'd have to do it like that
04:20 < dazo> yeah
04:20 < krzee> pptp cant hook up to ipsec cant hook up to openvpn
04:21 < dazo> but if you establish an openvpn tunnel between two endpoints (net-to-net)... and then clients on each side establish a pptp tunnel, over the openvpn tunnel ...
04:22 < dazo> :s/over/through/
04:23 < dazo> but it basically does not give you much more security at all ... pptp is still full of MS errors and security weaknesses
04:23 < dazo> you only limit the chance for other people to snap up the pptp from the outside
04:23 < krzee> ?
04:23 < krzee> why setup a pptp tunnel over an openvpn tunnel?
04:24 < krzee> what goal would that achieve?
04:24 < dazo> just for fun? :-P
04:24 < krzee> *shrug* ok
04:25 < dazo> well, it might be some systems insists on sending data through pptp ... or that some management level persons in a bigger company insists on pptp between sites
04:25 < krzee> #1, like what
04:25 < krzee> #2, then your solution goes against that
04:27 < dazo> well, the management level can see that "Hey, we're using pptp" ... and you won't get kicked when somebody tries to crack public pptp traffic, as it is already secured ... sometimes, sys-admins have to do such dirty tricks to protect her/himself against wacky management
04:28 < dazo> but I'm not a windows guy .... I don't know much about which apps/systems really would insist on pptp ... but in the Windows world, you'll never know which traps you'll find
04:30 < krzee> openvpn works based on routing
04:30 < krzee> anything that works using tcpip works fine
04:30 < krzee> when using tap, anything that travels over ethernet works fine
04:31 < krzee> if you have management that doesnt care about security, thats another thing
04:31 < dazo> true ... but what if the software insists on a specific feature found in the pptp device?
04:31 < krzee> i wouldnt work in a place like that
04:31 < krzee> dazo, show me the software or it doesnt exist
04:32 < krzee> both are methods of tunneling IP traffic
04:34 < dazo> krzee: as I mentioned, I'm not a windows guy, neither a pptp user (even though I tested it once from Linux against a dd-wrt router, and switched to openvpn) ... I'm just in general pessimist when it comes to expect things from software developers, especially closed source software, as you never really know what kind of crazy expectations and assumptions they can make
04:34 < krzee> they send to an ip
04:34 < krzee> pptp or openvpn handles the dirty stuff behind the scenes
04:35 < krzee> that is the nature of a vpn, nothing to do with who codes what 3rd party software
04:35 < krzee> !
04:35 < krzee> !vpn
04:35 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
04:35 < dazo> yeah, if it is cleanly written software ... but badly written software might even want to talk directly through a specific interface, and not bind to a specific IP address
04:35 < krzee> *shrug*
04:36 < krzee> this conversation is pointless
04:36 < dazo> :)
04:36 < krzee> software doesnt point to a device to send traffic to
04:36 < krzee> the kernel does via routing table
04:36 < krzee> im gunna do something productive, bbl
04:36 < dazo> sure!
04:38 < dazo> but I'm thinking about a listening service ... that can be bound to a particular interface, independent of what the IP address is ... promisc mode of the interface, is one approach (which tcpdump uses btw)
04:38 < dazo> it's more ways to set up a connection and also a listening service with socket bind ... and someone might even go deeper in the stack, wanting to talk directly to the interface
04:40 < dazo> a far-fetched example from this discussion, but one I know a little bit more about ... Infiniband interfaces are completely different than normal eth interfaces, and it even needs an additional tcp/ip stack to work with ip addresses ... and applications may access this hardware more directly to achieve higher throughput, but they need then to cover the OSI layers to make this work
04:42 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:42 < dazo> but if you configure an IB device with the tcp/ip stack, it works almost like a normal eth interface ... and some software use both tcp/ip and some direct hardware access to achieve a simpler implementation, but still have some of the powers of IB, like RDMA
04:51 < krzee> you have ventured far from anything using pptp or openvpn, and i have a feeling you need to learn more on the topic
04:58 < dazo> I think the main difference in our arguments is that you take it for granted that everything works through kernel API which then talks to the hardware interface, in a standardised way - true, this is the case for mostly used software ... but I take nothing for granted, it will always be an exception somewhere, somehow ... but it does not need to be a mainstream application
04:59 < dazo> but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:03 < krzee> ok so stay with pptp in case you one day encounter that exception
05:04 < krzee> [07:02] but indeed, breaking with the standardised way of performing communication breaks interoperability immediately
05:04 < krzee> your argument is that there might be a program that breaks the standardised way of performing communication
05:04 < krzee> so you will use pptp instead of something better
05:05 < krzee> and i say, go for it
05:05 < krzee> doesnt matter to me what you use
05:05 < krzee> but that SURE doesnt make pptp > openvpn
05:05 < dazo> agreed!
05:06 < krzee> didnt this start from:
05:06 < krzee> [06:20] nahh ... dunno if I like that .... I'd prefer pptp > openvpn ;)
05:06 < dazo> the thing I see now, is that I misunderstood your '> ... I thought you meant '>' as through ... not better than
05:06 < krzee> > is greater than
05:06 < krzee> < is less than
05:06 < krzee> ahh
05:07 < dazo> yeah, in this setting I completely agree with you ... openvpn is superior to pptp! that's no discussion! :)
05:08 < krzee> werd
05:16 < krzee> lol reiffert
05:16 < krzee> yes i should sleep
05:16 < krzee> but im migrating my mailserver to netbsd
05:16 < krzee> and its my first time using netbsd
05:16 < krzee> pretty nice os tho, and not very diff than freebsd
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
07:31 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
07:31 < kungfupanda> Oh!
07:31 < kungfupanda> There is a channel for it!
07:31 < ecrist> ?
07:31 < kungfupanda> For OpenVPN.
07:32 < kungfupanda> My main question is this: If I make some company set up a box that I point my domain name to, will my server that receives all the traffic think that it's actually hosting clients directly?
07:32 < kungfupanda> As in: Will Apache etc. see many different IP addresses or just one (the proxy)?
07:38 < reiffert> Both are possible.
07:40 < kungfupanda> Ah.
07:40 < kungfupanda> Does it depend on my setup or their setup?
07:41 < kungfupanda> Please, for the love of God, tell me it depends on MY setup...
07:41 < kungfupanda> Because I want it to be 100% transparent. To trick my server into thinking that it's public.
07:41 * ecrist doesn't understand the question
07:42 < kungfupanda> I mean...
07:42 < kungfupanda> How can I put it any simpler? :S
07:42 < reiffert> It depends on routing on your client and on your server.
07:45 < kungfupanda> "my client"?
07:45 < kungfupanda> Does that mean the "proxy"?
07:45 < reiffert> "I have no idea about your setup"
07:45 < dazo> kungfupanda: do you want SSL encryption to your Apache server (https) ... or do you want VPN (encrypted network tunnel) connection between two sites' networks?
07:45 < kungfupanda> Cloud -> SomeBox -> My server.
07:46 < kungfupanda> dazo: My Web site has both HTTP and HTTPS traffic. I want this to work transparently.
07:46 < kungfupanda> And I want encryption between the proxy and the server.
07:47 < dazo> kungfupanda: it's unclear for me, maybe the others as well, what you try to solve .... where is the proxy located?
07:49 < dazo> how to rephrase the question .....
07:49 < dazo> kungfupanda: Are you providing some services a customer wants, and you want that network traffic to be encrypted via a VPN network?
07:50 * dazo is doing things stupidly simply now, to see if I understand things better ...
07:52 < kungfupanda> Well...
07:52 < kungfupanda> I am trying to find somebody who can provide DDoS protection.
07:52 < kungfupanda> And NOT use a Web proxy due to many problems associated with those.
07:52 < kungfupanda> Unfortunately, these "real" tunnels seem to be much more expensive.
07:54 < reiffert> ?
07:54 < kungfupanda> What is unclear?
07:54 < dazo> your task you want to solve
07:54 < reiffert> Everything after "Well..."
07:55 < reiffert> brb, postal office
07:55 < dazo> Let's start really basic ...
07:55 < kungfupanda> Trying to keep a Web server from going down due to DDoS, by having a "proxy" that washes the traffic and tunnels back and forth only "good" packets.
07:56 < dazo> aha ... now it is a little bit clearer
07:56 < dazo> so you will have a proxy server, being public somewhere else, which you want to contact your own web server?
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:56 < kungfupanda> Yes.
07:56 < kungfupanda> Exactly.
07:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
07:57 < dazo> And this proxy server is remote, and you have your web server locally?
07:57 < kungfupanda> Yes.
07:57 < dazo> Now, things are clearer :)
07:57 < kungfupanda> Good! :)
07:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
07:57 < kungfupanda> Unfortunately, it costs a fortune from misc. companies.
07:58 < dazo> first of all ... the proxy server will need to have its own SSL certificates for providing https traffic to your encrypted traffic in the public
07:58 < kungfupanda> Why is that, if every bit of data goes through me?
07:58 < kungfupanda> Won't the people see their server as mine?
07:58 < dazo> You can simply divide this in to two parts ... you have the front/public part of the proxy ... and the backend of the proxy
07:59 < dazo> the frontend of the proxy will be the one receiving all http/https requests and answering them as a normal web server does
07:59 < kungfupanda> Well, of course.
07:59 < dazo> the backend of the proxy will act as a client towards your webserver
08:00 < dazo> which means that the proxy will break the end-to-end encryption between the browser and your web server
08:00 < kungfupanda> If it's a tunnel, it won't communicate with Apache... but with my server on some special tunnel port...
08:00 < dazo> aha, I thought you wanted to have a proxy server which browsers hit first
08:01 < kungfupanda> Nope.
08:01 < kungfupanda> 100% transparent.
08:01 < kungfupanda> A dumb A <-> B tunnel except they have some sort of firewall which drops (most) bad packets.
08:01 < dazo> okey, you just want a redirect from another IP address to your own network
08:01 < kungfupanda> So they never see the "secret" server (because then they would DDoS it directly).
08:01 < dazo> but this will not provide any better DDoS protection ...
08:02 < kungfupanda> It will if they do sort out the identified bad packets.
08:02 < kungfupanda> Which I cannot do technically because my pipe is too narrow.
08:02 < dazo> because if they then do a new host lookup and find the new IP address of your webserver, they will hit that one ... and you will just get the attack via the VPN instead, or not?
08:03 < kungfupanda> What are you talking about?
08:03 < kungfupanda> The domain name points to their IP address.
08:03 < kungfupanda> Not mine.
08:03 < kungfupanda> And that box communicates with my box via OpenVPN...
08:03 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
08:03 < kungfupanda> So nobody ever sees it.
08:04 < mRCUTEO> hey hey :D
08:04 < dazo> exactly ... and since you want it transparent, the traffic will go from that site from the public Internet and into the VPN and then hit your web server again
08:04 < kungfupanda> Not sure what your point is...
08:05 < dazo> Okay ... say that www.example.com is the hostname of your web server
08:06 < kungfupanda> It has no hostname...
08:06 < dazo> www.example.com has for example 1.1.1.1 as IP address today
08:06 < kungfupanda> Only an IP address.
08:06 < kungfupanda> Well, it has right now.
08:06 < kungfupanda> But it won't have.
08:06 < kungfupanda> And if it has a hostname, it will be non-public.
08:07 < dazo> how will people surf your web server then? Are you distributing an IP address to all those you want to see your contents?
08:07 < kungfupanda> WTF?!
08:07 < kungfupanda> The domain name points to the IP address by the person/company that hosts the proxy.
08:07 < kungfupanda> It washes the traffic.
08:07 < kungfupanda> Sends it back and forth between my server in a tunnel.
08:07 < kungfupanda> What is unclear about this set-up?
08:08 < dazo> because already here, you have a proxy server, which you said you didn't have ....
08:08 < kungfupanda> No... that's the imagined setup...
08:08 < kungfupanda> That I am talking about.
08:08 < kungfupanda> Right now, it's just a Web server directly. Which is down due to DDoS.
08:09 < dazo> Exactly ... let's start from this point, shall we?
08:09 < kungfupanda> Okay?
08:10 < dazo> and your webserver has a hostname (hostname + domainname ... whereas 'www' is a hostname + domain name, f.ex. 'example.com' => www.example.com) ... or am I wrong now?
08:10 < kungfupanda> No, you're not wrong.
08:10 < dazo> good
08:10 < kungfupanda> I just don't see the point of talking about this current, bad setup.
08:11 < dazo> Because I want to get things clear the whole way through ... I've lost you several times already ...
08:12 * dazo is thinking
08:13 < dazo> okey ... your hostname will point at your new proxy server ...
08:13 < kungfupanda> Yes...
08:14 < dazo> you will, correctly assumed, need to establish a VPN between the proxy and your web server .... but to make things work, the proxy then needs to route the traffic via the VPN tunnel
08:14 < kungfupanda> I don't see what else it would do.
08:14 < dazo> this routing will need to be done on the proxy server
08:14 < kungfupanda> Since it's a proxy.
08:15 < dazo> but the thing is ... where you put your openvpn server .... will you run that on your web server?
08:15 < dazo> (this will make things a little bit simpler, regarding routing)
08:15 < kungfupanda> The same box runs the OpenVPN server, of course.
08:15 < kungfupanda> It's just one box.
08:16 < kungfupanda> Web server.
08:16 < dazo> very good!
08:16 < kungfupanda> Now with OpenVPN.
08:16 < dazo> yes
08:16 < dazo> perfect
08:16 < kungfupanda> I have never used a tunnel which is why I am asking. I have only used a Web proxy which had many problems.
08:16 < kungfupanda> Such as no encryption, no way to detect HTTPS, etc.
08:16 < dazo> so when openvpn is running on both sides, you will have a VPN IP address, the proxy server will need to use your VPN IP address of your server side, being the web server
08:17 < kungfupanda> I suppose so.
08:17 < dazo> but since you have a proxy server which does in fact do the filtering of DDoS and so on ... this proxy server will do the decryption, and the traffic will again be encrypted from the proxy and to your web server
08:18 < kungfupanda> Why would it do the decryption?
08:18 < kungfupanda> You mean it cannot tell what kind of traffic is SSL traffic?
08:18 < dazo> because the proxy server will answer your queries
08:18 < dazo> Well, I've only experience with mod_proxy in Apache, and this is how that one works
08:19 < kungfupanda> Urgh...
08:19 < dazo> but again, this can also add encryption on the public side (https) on traffic which is not encrypted on the back side (http)
08:19 < kungfupanda> That sounds like a Web proxy.
08:20 < dazo> yeah
08:20 < kungfupanda> Which is what I don't want...
08:22 < dazo> The "proxy" as you call it which you want to use ... I presume it's a company providing this ... is this a public service of this company?
08:23 < kungfupanda> I won't be able to afford it from a big company, so I am asking random people if they can do this for me.
08:23 < dazo> will you provide that box?
08:23 < kungfupanda> ... what?
08:24 < dazo> sorry ... that came out too quickly
08:25 < dazo> you will have a box somewhere which will be the entry point for the traffic .... where the DDoS protection will be .... or how do you imagine this to work?
08:25 < dazo> I'm only interested in knowing about the remote side now ...
08:25 < kungfupanda> Yes! That's the proxy!
08:25 -!- mRCUTEO [n=info@96.9.131.183] has quit []
08:26 < kungfupanda> Which will only be a dumb slave, except for its firewall capabilities.
08:26 < dazo> who will set up that box? who will provide it? you?
08:26 < kungfupanda> If I did it, why would I need to do this?
08:26 < kungfupanda> Somebody else will provide it.
08:26 < kungfupanda> Or a company, but I can't afford from them.
08:27 < dazo> which means you will need to do quite some configuration in firewall rules on that box to make things as transparent as you want
08:27 < kungfupanda> Eh...
08:27 < kungfupanda> Why?
08:28 < dazo> since you want a port forwarding and not a proxy ... this is in Linux (and most probably BSD as well, others may correct me if I'm wrong) done by the kernel .... in Linux iptables' NAT setup
08:29 < kungfupanda> I use FreeBSD.
08:29 < kungfupanda> I get worried when you say "port forwarding".
08:30 -!- lilalinux is now known as LilaMac
08:30 < dazo> so you will need to provide a config file for an openvpn client ... then tell them to redirect all traffic from your new public IP address to the VPN IP address of your openvpn server
08:30 < dazo> well, redirect is the wrong term
08:31 < dazo> you must ask for port forwarding, with NAT from the public IP address to your VPN server side IP on the ports you want to make publicly available from that IP address .... so far, I've understood you need port 80 and port 443
08:32 < dazo> the other solution, is to use a web proxy, which you do not want ... but then you will avoid playing with NAT and port forwarding
08:33 < ecrist> kungfupanda: what's wrong with port forwarding on FreeBSD?
08:34 < dazo> ecrist: he will not be in charge of the box which needs to do the port forwarding
08:34 < ecrist> lol
08:34 * ecrist wonders where people come up with these crazy network setups
08:34 < ecrist> and it dawns on me why some websites are so fragile
08:35 < dazo> yep
08:37 < kungfupanda> What?
08:39 < dazo> the more complex the setup is to reach a web server, the more fragile it is .... if one part of the chain fails, the web server is unavailable
08:39 < kungfupanda> This isn't complex...
08:39 < kungfupanda> Or shouldn't be...
08:40 < dazo> it is much more complex than to have a box inside a DMZ locally
08:40 < dazo> because here you have a remote site receiving traffic and sending it to your web server via a VPN tunnel ... that is considerably much more complex
08:40 < kungfupanda> If I had the fat pipe and firewall, I wouldn't need this.
08:41 < dazo> but why not just setup a firewall in front of your web server? what kind of DDoS attack are you having issues with now?
08:42 < kungfupanda> BECAUSE MY PIPE IS VERY LIMITED AND I DO NOT HAVE A FIREWALL! GAAAAAAH!
08:42 < ecrist> RAAWWR!
08:42 < dazo> but why not just setup a firewall in front of your web server? ... you can set up this one!
08:42 < ecrist> LOUD NOISES
08:43 < dazo> lol
08:43 < kungfupanda> What the hell?
08:43 < dazo> I ask this question, being completely serious!
08:43 < ecrist> kungfupanda: unless you're running a warez site, or something similar, I don't know what sort of DDoS you're expecting.
08:46 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
08:47 < dazo> heh
08:47 < dazo> touche?
08:47 < ecrist> lol
08:47 < dazo> or just too tough question?
08:47 < ecrist> /mode +b stupid_fuckers@*
08:47 < dazo> heh
08:47 * dazo wasted too much time on this nonsense
08:51 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
08:53 < dazo> hmmmm
08:54 * dazo notices kungfupanda's ID ....
08:55 < dazo> I know bredbandbolaget.se didn't provide less than 100Mbit when they did setups in Norway .... and his "PIPE IS VERY LIMITED" .... oh man! That gotta be a popular blog!
08:57 < ecrist> I've run a moderately used site for over 10 years with no DDoS problems.
08:58 < dazo> I've experienced one DDoS attack since I began working with such things back in 98
08:59 < dazo> and the service which got DDoSed was a payment site ... so that was pretty heavy ... but except for that, it's been smooth :)
08:59 < ecrist> heh, I was the first 768k/768k DSL customer in Minneapolis back in August of 1998 - it was *really* easy for me to DoS dial-up users.
09:00 < ecrist> that was back when a simple ping flood would work
09:00 < reiffert> glad I stopped reading after 3 lines.
09:00 < dazo> heh
09:01 < dazo> reiffert: you didn't lose much .... except for the last 10 lines of entertainment, perhaps :-P
09:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:35 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
09:49 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has joined ##openvpn
09:50 < kungfupanda> Does anyone in here run an ISP or work at one? I would really need somebody for remote DDoS protection through an OpenVPN tunnel for my Web server.
09:52 < ecrist> kungfupanda: are you seriously running into DDoS problems?
09:52 < ecrist> why not get a $5/mo hosted website from godaddy or something?
09:53 < kungfupanda> ...
09:53 < kungfupanda> Quiet, troll.
09:53 < ecrist> fuck off
09:53 < dvl> OpenVPN will not protect you from DDoS.
09:53 < dvl> kungfupanda: well, that's one way to get advice. piss people off.
09:54 -!- mode/##openvpn [+o ecrist] by ChanServ
09:54 -!- kungfupanda [i=kungfupa@c-4833e155.368-1-64736c10.cust.bredbandsbolaget.se] has left ##openvpn []
09:54 < dvl> thank you.
09:54 < dazo> dvl: he wants to have a box beside another network which can take the DDoS traffic ... and filter it ... so that he can sit and enjoy only the "proper" traffic ...
09:54 < dazo> :s/beside/behind/
09:54 -!- mode/##openvpn [+b *!*@*.cust.bredbandsbolaget.se] by ecrist
09:55 -!- mode/##openvpn [-o ecrist] by ecrist
09:55 * dazo makes a note ... don't make ecrist angry .....
09:55 < dvl> dazo: Yep, I understand that bit
09:55 < ecrist> nah, I'm a gentle teddy bear
09:55 < dazo> heh :)
09:56 < ecrist> just remember bears have big fangs. ;)
09:56 < dazo> dvl: well, probably a script kiddie which pissed some other people off .... and it's payback time
09:56 < ecrist> not as if this is the worst room to get a +b for. ~40 users
09:56 < ecrist> not like ##freebsd or #ubuntu
09:57 < dazo> hehe ... true enough :)
09:57 < ecrist> dazo: that's kind of what I was thinking.
09:57 < ecrist> our banlist is short, though
09:59 -!- alami [i=alami@unaffiliated/alami] has quit [Remote closed the connection]
10:19 -!- LilaMac is now known as lilalinux
10:21 -!- lilalinux is now known as LilaMac
11:06 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has joined ##openvpn
11:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- dazo is now known as dazoafk
11:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:33 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
11:50 -!- kwek [n=kwek@155.Red-88-20-89.staticIP.rima-tde.net] has quit ["Ex-Chat"]
11:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:55 < rubydiamond> How to run openvpn daemon
11:55 < rubydiamond> specially on gentoo machine
11:58 < ecrist> rubydiamond: read the howto
11:58 < ecrist> for the 100th time
11:58 < dvl> !howto
11:58 < vpnHelper> dvl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:58 < dvl> rubydiamond: see above line
11:58 < rubydiamond> okie
11:58 < dvl> *pat* *pat*
11:58 < rubydiamond> but .. what is the command to run daemon..
11:58 < rubydiamond> I just wanted that urgently
11:59 < dvl> rubydiamond: No idea
11:59 < rubydiamond> is informing my boss at office
11:59 < dvl> rubydiamond: I'd have to read the howto....
11:59 < rubydiamond> I am at home
11:59 < dvl> rubydiamond: great. I'm at work.
11:59 * dvl waves
11:59 * rubydiamond need to solve a production issue
12:00 < dvl> Great. Still can't help you. I've never used Gentoo.
12:00 < dvl> On FreeBSD, it's /usr/local/etc/rc.d/openvpn start
12:00 < dvl> or perhaps forcestart depending on how you have /etc/rc.conf configured.
12:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < Keizer> Damn I wish ipsec had an irc channel
12:11 < rubydiamond> Hi people
12:11 < rubydiamond> getting this error
12:11 < rubydiamond> https://gist.github.com/6d021d4b50951babb534
12:11 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:13 < rubydiamond> ecrist: do you know what is this error
12:15 < rubydiamond> ecrist: help
12:18 < rubydiamond> can anybody here tell
12:18 < rubydiamond> what is the error https://gist.github.com/6d021d4b50951babb534
12:18 < vpnHelper> Title: gist: 6d021d4b50951babb534 GitHub (at gist.github.com)
12:44 < dvl> I see no error.
12:44 < dvl> I see warnings.
12:45 < rubydiamond> dvl: ?
12:49 < rubydiamond> ecrist: ?
12:49 < rubydiamond> dazoafk: ?
12:50 < rubydiamond> is this channel living?
12:51 < rubydiamond> dvl: ?
12:57 < reiffert> rubydiamond: STOP THIS!
12:57 < rubydiamond> reiffert: i am asking questions for last some days
12:58 < reiffert> no, you are spamming.
12:58 < rubydiamond> this channel is not that much active
12:58 < reiffert> while asking questions try to read the answers.
13:03 < dvl> rubydiamond: there are no errors at that URL. There are warnings. Do you have a question?
13:03 < rubydiamond> dvl: but I am not able to connect..
13:03 < rubydiamond> it keeps in connecting status
13:05 < reiffert> !logs
13:05 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:05 < reiffert> !configs
13:05 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:20 < ecrist> ?
13:26 < reiffert> !
13:27 < ecrist> Keizer: I'd try to help you here, but I'm on my way out.
13:28 * ecrist fairly OK at IPsec on cisco hardware
13:30 -!- LilaMac is now known as LilaLinux
13:41 < Keizer> Sauce
13:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:42 < reiffert> why didnt he give us more details?
13:53 < dvl> reiffert: he sounds newb, quite.
14:06 < krzee> he asked for help days ago
14:06 < krzee> never posted his configs
14:06 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:06 < krzee> or his server log
14:06 < krzee> *shrug*
14:10 -!- Determinist [n=lior@unaffiliated/determinist] has quit [Client Quit]
14:11 -!- Determinist [n=lior@unaffiliated/determinist] has joined ##openvpn
14:14 -!- Determinist [n=lior@unaffiliated/determinist] has left ##openvpn ["Leaving..."]
14:15 -!- ponyofdeath [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"]
14:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
14:52 -!- dazo [n=David@r10ln174.net.upc.cz] has quit [Read error: 60 (Operation timed out)]
14:53 -!- dazo [n=David@r10ln174.net.upc.cz] has joined ##openvpn
16:31 < dazo> Does anyone here know how it is with the Posix compliance in openbsd? ... I'm especially interested in Posix Message Queue and Posix Semaphores ...
16:31 -!- chris_hat_irc [n=chris@v1465.vanager.de] has joined ##openvpn
16:34 < chris_hat_irc> hi all. I am trying to use ekiga (sip client for gnome) through my own vpn. When I start the client, I can connect but can not telephone. I get the following error and they recommend, that I do port forwarding (http://wiki.ekiga.org/index.php/Enable_port_forwarding_manually). My question is, whether the problem was caused by the vpn and how I can forward these ports? iptables?
16:34 < vpnHelper> Title: Enable port forwarding manually - Ekiga (at wiki.ekiga.org)
16:35 < chris_hat_irc> I configured my vpn like recommended in the official openvpn wiki: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways using TCP
16:36 < vpnHelper> Title: Konfiguration eines Internetgateways - OpenVPN Wiki (at wiki.openvpn.eu)
16:36 * dazo notices he was on the wrong open* channel .....
16:37 < chris_hat_irc> ah sry, not the official openvpn wiki, but here you find my configuration
16:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:21 -!- chris_hat_irc [n=chris@v1465.vanager.de] has quit [Read error: 113 (No route to host)]
17:57 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has joined ##openvpn
18:11 < zzattack> i'm trying to find out if it's really necessary to change my entire network to use a different ip range, both locations i plan on working from work on a 192.168.1.0/24 range, will this definitely result in problems?
18:17 -!- zzattack [i=zzattack@v217153.vpn.tue.nl] has quit [Nick collision from services.]
18:17 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
18:17 -!- dazo [n=David@r10ln174.net.upc.cz] has quit ["Leaving"]
18:35 < krzee> zzattack, yes and no
18:35 < krzee> theres another way, but its NOT the right way
18:36 < krzee> its setting up a ugly NAT
18:37 < krzee> just change the netblock
18:43 -!- LilaLinux is now known as lilalinux
18:43 < zzattack> can you tell me more about this ugly way?
18:44 < zzattack> it's quite a hassle changing the netblock
18:56 -!- worch [n=worch@battletoad.com] has joined ##openvpn
19:09 < dvl> zzattack: how many hosts in each location?
19:10 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
19:10 < zzattack> about 15
19:10 < worch> I want to connect a couple LANs together with openvpn such that from any lan I'm able to access any other device via its hostname. How should I go about this? Can this be done without using ethernet bridging? The only way I see how to do this is to bridge everything to create a single ethernet, and then have a single DHCP and DNS server. Is it possible to do this with routing?
19:12 < worch> If the vpn uses routing, can the hostnames to ip mappings be pushed to other lans somehow?
19:12 < worch> to the lans' dns servers, that is
19:16 < dvl> zzattack: do the ip addresses collide?
19:16 < dvl> distinct?
19:18 < Tykling> worch if you decide on an internal dns structure like host1.site1.mylan.local etc. then you make a fully routed vpn and setup dns servers on each lan to slave the others zones
19:19 < dvl> Tykling: that sounds relatively simple.
19:19 < Tykling> it is
19:19 < dvl> I mean, even *I* understood it.
19:21 < Tykling> I am using it with five mates to setup a vpn between all of us, works like a charm
19:22 -!- ropetin_ is now known as ropetin
19:23 < dvl> Tykling: so everyone trusts everyone I take it?
19:23 < Tykling> yes, all personal friends :)
19:24 < Tykling> a few of us with fat links at home so we can stream movies from each other and so on, very cool
19:24 < dvl> My use of OpenVPN stemmed from frustration with a dynamic IP address. I have servers out there which I need to check on (nagios, etc) and having my address at home change periodically, made that and things like backups more difficult. The VPN solves all that.
19:25 < Tykling> right, clever
19:25 < dvl> And here, at the GFs, I have complete access to all the boxes at home, directly, with ssh gateway, ssh next box, etc.
19:28 < Tykling> :)
19:32 < dvl> I no longer have to run stunnel. Don't have to update my firewall rules on three servers for any IP address change at home.
19:35 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)]
19:43 < worch> what dns daemons do you guys use or recommend to set up the dns structure as you mentioned, Tykling? I haven't had any experience setting up dns server outside of basic stuff on cheap routers.
19:43 < dvl> worch: I use bind
19:44 < Tykling> I use bind
19:44 < Tykling> :)
19:44 < worch> thanks :]
20:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
20:24 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:41 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has quit ["Client exiting"]
20:47 < tjz> anyone around
22:30 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
22:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
23:34 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
23:35 < tjz> anyone tried running multiple instances of openvpn, each with unique public ip, on the same server?
--- Day changed Sat Jan 10 2009
00:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has left ##openvpn ["Leaving..."]
00:14 -!- Ricoshady [n=steve@cpe-76-171-208-102.socal.res.rr.com] has quit []
00:31 < simplechat> tjz, i'm sure somebody has
00:32 < tjz> need to find out how is it going
00:51 < reiffert> !local
00:51 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
00:51 < reiffert> forget that
00:52 < reiffert> --local host
00:53 < reiffert> Local host name or IP address for bind. If specified, OpenVPN
00:53 < reiffert> will bind to this address only. If unspecified, OpenVPN will
00:53 < reiffert> bind to all interfaces.
00:55 < tjz> cool
00:56 < tjz> is that setup in server.conf ?
00:56 < reiffert> Yes.
00:57 < tjz> hmm
00:58 < tjz> is this this?
00:58 < tjz> # Which local IP address should OpenVPN
00:58 < tjz> # listen on? (optional)
01:02 < reiffert> I see 2 lines of comments, so I guess not.
01:02 < tjz> and..
01:02 < tjz> ;local a.b.c.d
01:03 < reiffert> Looks more like it
01:03 < tjz> cool
01:10 < ecrist> grr
01:10 < ecrist> what do I need to change Fn+Down-arrow to to equal pg-down
01:10 * ecrist is too lazy to pull out his own machine, where it's all re-mapped
01:10 < tjz> sound complicated ..
01:10 < tjz> lol
01:11 < ecrist> naw
01:11 < ecrist> just can't remember
01:11 < ecrist> ok, got it
01:12 < ecrist> got it
01:13 < ecrist> page-up should be mapped to [esc]5~ and page-down should be [esc]6~ ([esc] shows up as \033)
01:13 * ecrist puts it in the SCN wiki
01:13 < reiffert> ecrist: within X app's, Console, xterm ... where?
01:15 < ecrist> Terminal.app
01:15 < ecrist> 10.5 Terminal.app > iTerm
01:16 < reiffert> well, fn+up/down arrows is page up/down by default for me
01:16 < ecrist> 10.[1234] Terminal.app < *
01:16 < tjz> reiffert: doesn't work. it still show the server public ip
01:16 < tjz> not another unique IP i assign to the server.conf file
01:16 < reiffert> !configs
01:16 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:16 < ecrist> hrm, no, not in irssi and some other Terminal apps.
01:17 < ecrist> I guess, not as transmitted across an ssh session.
01:17 < reiffert> ecrist: then it's shift+fn + up/down
01:17 < reiffert> ecrist: that got nothing to do with ssh but with terminal settings :)
01:17 < reiffert> terminal as in tty
01:20 < ecrist> reiffert: reiffert the shift+fn+up/down does work, that shouldn't really be the way it works
01:21 < ecrist> adding shift to key combo is too much, imho.
01:21 < ecrist> my powerbook G4 show up/down as secondary pg_up/pg_dwn, so I map thing accordingly.
01:21 < ecrist> only makes sense.
01:22 < ecrist> if you have use, http://www.secure-computing.net/wiki/index.php/Mac_OS_X --feel free to add things my retarded ass could use. ;)
01:22 < vpnHelper> Title: Mac OS X - Secure Computing Wiki (at www.secure-computing.net)
01:25 < ecrist> tjz: what're you having problems with tonight?
01:26 < reiffert> Going to help a girl setting up the kitchen, bbl
01:26 < ecrist> l8r reiffert
01:43 * ecrist gloats
01:44 < ecrist> I like seeing folks like McGraw-Hill use my website as a reference.
01:44 < ecrist> I think i've probably got one of the most complete OpenLDAP authentication HowTo's on the Net.
01:52 < ecrist> ping krzee
01:53 < ecrist> can you email me information for the folks who are building various linux packages for ssl-admin?
01:53 < ecrist> it's about time I make the package a bit more official and create a real page for it and market it as such.
02:07 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
02:18 -!- lilalinux is now known as LilaLinux
02:23 < tjz> ecrist:..
02:23 < tjz> have you tried running multiple instances of openvpn, each with unique public ip, on the same server?
03:50 < tjz> anyone tried running multiple instances of openvpn, each with unique public ip, on the same server?
03:54 < ecrist> tjz: yes
03:54 < ecrist> and it works fine.
03:55 < tjz> hmmm
03:55 < tjz> care to guide me..
03:55 < tjz> what extra steps to configure..
03:56 < ecrist> well, I'd need to know what you have/haven't done
03:57 < tjz> i got a working openvpn
03:57 < tjz> now...trying to setup another instance of openvpn having its own unique public IP
03:57 < tjz> :)
03:57 < ecrist> ok
03:58 < tjz> wonder how to configure the 2nd instance to use the new unique public IP
03:59 < ecrist> need to know if the current is grabbing all addresses (*.*) or specific?
04:00 < tjz> hmmm...
04:00 < tjz> current one is grabbing all address
04:00 < ecrist> first, fix that
04:01 < tjz> ok..
04:01 < tjz> how do we configure the 1st instance to use a specific ip?
04:01 < tjz> is it under "local a.b.c.d"
04:01 < ecrist> yes
04:02 < ecrist> and that's all you need for the second, as well (aside from certificates/etc)
04:03 < tjz> i actually did an experiment
04:05 < tjz> a.b.c.d is my public IP.. 1.2.3.4 is the secondary IP that i recently added to the server..
04:05 < tjz> i try configure my 1st instance to use the secondary IP..
04:05 < tjz> local 1.2.3.4
04:06 < ecrist> ok...
04:07 < tjz> when i connected to my openvpn..
04:07 < tjz> my public IP shown up as a.b.c.d
04:07 < ecrist> that's different.
04:08 < tjz> any idea what i did wrong?
04:08 < ecrist> when you connect to OpenVPN, any connection from that machine out to the internet will show the IP of the primary interface. You can change this using policy-based routing, through iptables/pf/etc.
04:08 < tjz> ok..
04:08 < ecrist> lemme draw a diagram
04:09 < tjz> we don't have to setup "local" afterall...
04:09 < ecrist> um, for different instances of openvpn, you do.
04:10 < tjz> i think we can just change the udp port for different instances..
04:14 < ecrist> that's another option...
04:15 < ecrist> my example was http://skitch.com/ecrist/by2pq/untitled
04:15 < vpnHelper> Title: Skitch.com > ecrist > Untitled (at skitch.com)
04:16 < ecrist> in that, although there are three IPs to the internet, only the default will really be used, unless a source address is explicitly used, or policy-based routing is used.
04:33 < tjz> wow
04:33 < tjz> did you draw that ?
04:33 < ecrist> yes - OmniGraffle Pro FTW
04:34 < tjz> OMG!!!
04:34 < tjz> very nicely drawn
04:34 < ecrist> if by draw you mean drag/drop. ;)
04:34 < tjz> LOL
04:34 < tjz> so easy?
04:34 < tjz> lol
04:34 < ecrist> yeah
04:34 < ecrist> you can download trial
04:35 < ecrist> like $199 for Pro version.
04:35 < ecrist> I've got 1 or 2 versions old at this point.
04:36 < tjz> ok
04:36 < tjz> about your drawing..
04:36 < tjz> the route is start from "client"
04:36 < tjz> right?
04:36 < tjz> or from "internet"?
04:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:37 < ecrist> well, client connects to firewall via OpenVPN - gets private/vpn IP address.
04:37 < ecrist> NAT on firewall applies IP address to private IP on outgoing connections.
04:37 < ecrist> by default, vpn client will get default IP address.
04:37 < ecrist> *but* that can be fixed with proper rules on firewall
04:38 < tjz> ah
04:38 < tjz> yayyyayaya
04:38 < tjz> is that the correct way to distribute the ip..
04:38 < ecrist> yes
04:40 < tjz> ok..
04:40 < tjz> do you know how?
04:40 < tjz> hehe
04:41 < ecrist> of course
04:41 < tjz> OmniGraffle Pro is for mac..
04:41 < tjz> x_x
04:41 < ecrist> and I'm willing to point you in the right direction so you can learn how
04:41 < ecrist> yep
04:41 < ecrist> Mac, FTW
04:41 < tjz> <-- win xp
04:41 < tjz> same as jeff
04:41 < tjz> jeff is using mac too
04:41 < ecrist> yep
04:41 < tjz> x_x
04:41 < tjz> two mac fans here
04:41 < tjz> hehehe
04:41 < ecrist> I don't even have a system I own using windows
04:42 < ecrist> 100% of work/home machines are Mac (5%) and FreeBSD (95%)
04:42 < ecrist> Mac = pretty FreeBSD
04:42 < ecrist> ;)
04:42 < tjz> lol
04:44 < tjz> teach me how to route using iptables..
04:44 < tjz> x_x
04:46 < ecrist> can't do that, unfortunately. not a linux guy
04:46 < tjz> lol
04:47 < ecrist> switch to FreeBSD and I can work circles. I've never even seen a man page for iptables.
04:49 < tjz> lol
04:49 < tjz> x_x
04:49 < tjz> i gonna have a quick dinner
04:49 < tjz> brb
04:50 < ecrist> I'm gonna have a quick night of sleep.
04:50 < ecrist> g'night.
04:50 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
04:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:06 < tjz> nite ecrist
05:23 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
05:24 < mRCUTEO> hiya all
05:24 < mRCUTEO> hiya krzee :D
05:25 < tjz> yoooooooooooooooooooooooooooo
05:25 < tjz> LOL
05:25 < mRCUTEO> y0 tjz
05:25 < mRCUTEO> howya doin dude :D
05:25 < mRCUTEO> happy new ya man
05:26 < tjz> hehe
05:26 < tjz> happy new year
05:27 < mRCUTEO> :D
05:27 < tjz> Have you run two instances of openvpn on the same server (each with own public IP) before?
05:27 < mRCUTEO> yes thousand of times :)
05:27 < mRCUTEO> i play with NATs too
05:27 < mRCUTEO> :D
05:28 < mRCUTEO> i even run multiple clients in 1 server
05:28 < mRCUTEO> openvpn = everything possible :D
05:28 < mRCUTEO> thats why i like openvpn more than PPTP
05:28 < mRCUTEO> :D
05:28 < tjz> wa
05:28 < tjz> power
05:29 < tjz> how to configure each openvpn instance to use specific IP?
05:29 < mRCUTEO> the client or server?
05:29 < tjz> the server
05:29 < tjz> two instances of openvpn with their own unique public IP
05:30 < mRCUTEO> yerp
05:30 < mRCUTEO> you have to compile it on different folder
05:31 < mRCUTEO> and set the local IP to be different one
05:31 < mRCUTEO> you can also use SNAT at the iptables
05:31 < tjz> i tried using the "local a.b.c.d"
05:31 < tjz> a.b.c.d is the secondary ip
05:32 < tjz> but it still show the primary server ip..
05:32 < mRCUTEO> do you have two different folders compiled?
05:32 < tjz> hmm
05:32 < tjz> i actually did an experiment
05:32 < mRCUTEO> do you have two different folders compiled? eth0:2 ?
05:32 < tjz> hmm
05:32 < tjz> where to include the eth0:2..
05:32 < mRCUTEO> if you run them from the same folder then you have to SNAT
05:33 < tjz> the secondary ip is using eth0:2
05:33 < tjz> from what i see
05:33 < mRCUTEO> create a new tap
05:33 < mRCUTEO> dev tap2
05:33 < mRCUTEO> set to config --: dev tap2
05:33 < tjz> ok
05:33 < mRCUTEO> and then set NAT to SNAT the tap local ip to a unique public IP
05:34 < mRCUTEO> iptables -t nat -A POSTROUTING -s -j SNAT --to-source
05:34 < mRCUTEO> save firewall and restart
05:34 < mRCUTEO> you're done :)
05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D
05:35 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn
05:35 < mRCUTEO> but i preferred to create another folder so it doesnt get mixed up..
05:35 < tjz> ya
05:35 < tjz> i want to create another folder..
05:35 < mRCUTEO> and dont forget to run another instance from the same folder too :D (must have 2 different config files)
05:35 < tjz> not so confusing
05:35 < mRCUTEO> or for convenience use 2 different server config files
05:36 < mRCUTEO> create server.conf and server2.conf
05:36 < mRCUTEO> one set to: dev tap
05:36 < error404notfound> I have openvpn configured on one machine and I copied the same config to another to get it on vpn as well. But the buddy who owns the server said that its not a good approach, at least I should change the key on the second client. any idea what that is ? :p
05:36 < mRCUTEO> and 2nd server set to: dev tap2
05:36 < tjz> i think it is better to create another folder
05:36 < tjz> won't get confused..
05:37 < mRCUTEO> okie tjz :)
05:37 < tjz> x_x
05:37 < tjz> hehe
05:37 < tjz> do we still need iptables -t nat -A POSTROUTING -s -j SNAT --to-source ?
05:37 < mRCUTEO> error404notfound it doesnt make any difference actually .. the same key is copied to the new machine with same security
05:38 < mRCUTEO> yes tjz
05:38 < mRCUTEO> the new server will be using tap2
05:38 < tjz> ok..
05:38 < tjz> i will try
05:38 < mRCUTEO> so you have to configure an IP for tap2
05:38 < tjz> err
05:38 < mRCUTEO> and then use SNAT to source it to public ip
05:38 < error404notfound> mRCUTEO: so what do I change regarding certificates so that nothing needs to be changed on the server and both clients work? coz right now vpn works on only one client...
05:39 < tjz> how to configure an Ip for tap2?
05:39 < mRCUTEO> tjz: server 10.8.0.0 255.255.255.0
05:40 < tjz> ohh
05:40 < tjz> you mean configure the lan ip..
05:40 < tjz> hehe
05:40 < mRCUTEO> ah yes the key
05:40 < tjz> ok, let me try
05:40 < mRCUTEO> error404notfound: you need to create a new key if you change client
05:41 < error404notfound> mRCUTEO: hmmm, is this available on openvpn howto?
05:41 < tjz> talking about the key.. how to stop the previous client from using your openvpn again?
05:41 < mRCUTEO> tjz: try to kill it :)
05:42 < tjz> let's say we are using "client1".. , we go to re-generate a new ca for "client1"?
05:42 < mRCUTEO> tjz: since its using a new dev tap2 it will not interfere with the other client
05:42 < tjz> on the server side..
05:42 < mRCUTEO> ic
05:42 < mRCUTEO> yes u may generate or just use the same ca.. from my experience it works both
05:43 < tjz> ok
05:43 < tjz> i will try also
05:43 < tjz> hehe
05:43 < mRCUTEO> :D
05:45 < mRCUTEO> error404notfound: try build-key csr file from the NEW client, upload it to the server .. build a key again in the server and get the .crt file and .ca from the server and copy it to your client.
05:45 < mRCUTEO> configure your .conf according to the created key and crt file..
05:46 < mRCUTEO> im sure there is a howto from the website
05:46 < error404notfound> mRCUTEO: if you could provide me a link I would be really grateful, I don't know this black magic stuff :P
05:46 < mRCUTEO> hold on let me google a little
05:46 < mRCUTEO> :)
05:47 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
05:47 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
05:49 < mRCUTEO> error404notfound: http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/
05:49 < vpnHelper> Title: OpenVPN and CentOS 5 Installation and Configuration Guide | Throx Blog (at www.throx.net)
05:49 < mRCUTEO> :)
05:49 < mRCUTEO> hope this helps
05:49 < mRCUTEO> where u from error404notfound?
05:49 < tjz> .pk is from pakistan?
05:49 < error404notfound> mRCUTEO: thaaaaaaaaaaanks :D
05:50 < error404notfound> tjz: yup
05:50 < error404notfound> mRCUTEO: as tjz said...
05:50 < mRCUTEO> ic :)
05:50 < tjz> ^_^
05:50 < error404notfound> tjz knows /whois :P
05:51 < mRCUTEO> hehe haha huhu :D
05:51 < tjz> LOL
05:52 < error404notfound> okay guys, thanks, I will be doing some reading then...
05:52 < mRCUTEO> okay dokay enjoy reading
05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
05:58 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
05:58 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:00 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl, tjz
06:00 -!- Netsplit over, joins: tjz, dvl, smk
06:01 < tjz> my a$$ got split
06:02 < tjz> LOL
06:02 < mRCUTEO> haha
06:02 < tjz> if i set: server 10.8.0.0 255.255.255.0
06:02 < tjz> i will get a random lan IP for my openvpn..
06:02 < tjz> am i right?
06:02 < mRCUTEO> yerp
06:03 < mRCUTEO> use a /29
06:03 < mRCUTEO> opps
06:03 < mRCUTEO> use /24 on the SNAT
06:03 < mRCUTEO> so it will source all the /24 IPs to the public IP
06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 64.235.47.2
06:04 < mRCUTEO> something like this
06:04 < mRCUTEO> and 1st openvpn ip 10.8.0.0 255.255.255.0
06:04 < tjz> ok
06:04 < mRCUTEO> and 2nd openvpn ip 10.9.0.0 255.255.255.0
06:04 < mRCUTEO> iptables -t nat -A POSTROUTING -s 10.9.0.0/24 -j SNAT --to-source 64.235.47.3
06:04 < mRCUTEO> something like this
06:04 < tjz> ok
06:04 < tjz> got it
06:04 < mRCUTEO> :D
06:04 < tjz> i will try now
06:06 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
06:06 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:22 < tjz> mRCUTEO : do you know what is the command to flush all the iptables rules?
06:23 < mRCUTEO> yerp
06:23 < mRCUTEO> iptables -t filter -F; iptables -t nat -F; iptables -t mangle -F
06:25 < tjz> thx
06:26 < tjz> hmm
06:26 < tjz> do you know what is the reason for this problem?
06:26 < tjz> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
06:27 < mRCUTEO> hmm maybe port collision
06:27 < mRCUTEO> not sure
06:27 < mRCUTEO> its from the server?
06:27 < tjz> ah
06:27 < tjz> i found out
06:27 < mRCUTEO> whats the prob?
06:32 -!- mRCUTEO [n=info@96.9.131.183] has left ##openvpn []
06:32 -!- mRCUTEO [n=info@96.9.131.183] has joined ##openvpn
06:39 -!- mRCUTEO [n=info@96.9.131.183] has quit []
06:41 -!- LilaLinux is now known as lilalinux
06:46 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit [Connection timed out]
06:48 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn
07:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:21 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
08:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
08:29 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
08:32 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 131 (Connection reset by peer)]
08:36 -!- lilalinux is now known as LilaLinux
08:43 -!- mode/##openvpn [-r] by ChanServ
09:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:11 -!- bootlaces [n=david@83.228.22.19] has joined ##openvpn
10:13 * bootlaces humbly asks for some help to do with routing, I'm trying to sort it out, but need some last bits of the puzzle
10:13 < bootlaces> I've read the FAQs (as far as I can understand), but still can't seem to ping into the network I'm joining via the vpn
10:14 < bootlaces> If someone can spare some moments to help, I would appreciate it.
10:17 < krzee> !route
10:17 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
10:17 < krzee> check that out, should answer any questions about joining LANs
10:18 * bootlaces thanks krzee from the bottom of his cockles :)
10:18 < krzee> hehe np
10:19 < ecrist> I gave my wife something this morning from the bottom of my cockles...
10:20 < krzee> how is the wifey
10:21 < ecrist> doing great - starting to get out of the whole morning-sickness thing
10:21 < krzee> nice
10:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
10:24 < bootlaces> Hmm, still no joy.
10:25 < bootlaces> Can I paste in my routes from the client and server and the server.conf to pastebin for someone to have a look?
10:25 < krzee> !configs
10:25 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:25 < krzee> !logs
10:25 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
10:26 < krzee> disclaimer, if the answer is clearly spelled in !route i may simply just say that
10:26 < krzee> cause people often skim over it instead of reading to understand
10:40 < bootlaces> Okay, I've done it : http://www.pastebin.ca/1305195
10:40 < bootlaces> If I've omitted anything, please do say
10:41 < bootlaces> and yes, if I've missed it from !route, then please do just say that and I'll scratch my "cockles" for some more :)
10:42 < krzee> ahh
10:42 < krzee> your problem is they are on the same network
10:42 < krzee> both on 192.168.1.X
10:42 < krzee> one side must be changes
10:42 < krzee> changed
10:42 < bootlaces> which "they" are on the same network?
10:42 < bootlaces> the openvpn box and the rest of the network?
10:43 < bootlaces> (not the client, surely (don't call me surely...))?
10:43 < krzee> server and client are using ips on same networks
10:43 < krzee> as in, both use 192.168.1.x locally
10:43 -!- AndyML is now known as AwayML
10:43 < krzee> right?
10:43 < bootlaces> looking and thinking
10:44 < krzee> oh sorry, im wrong there
10:44 < bootlaces> How come the client has an ip address of 172....x
10:44 < krzee> 1 Client on subnet 172.16.167.0/24 (ubuntu 8.10 - all patched up)
10:44 < krzee>
10:44 < krzee> 1 Server on subnet 192.168.1.0/24 (ubuntu 8.10 - all patched up)
10:44 < krzee> i missed that
10:44 < krzee> hehe
10:44 < bootlaces> *phew* :)
10:45 < bootlaces> If I look at the client route when vpn'ed
10:45 < krzee> ohh
10:45 < krzee> is the server the router for its network?
10:45 < bootlaces> it seems to tell me that all traffic for 192.168.1.x goes to 10.0.0.5
10:45 < bootlaces> no, the server is just a box on a network
10:45 < bootlaces> the router is an adsl router
10:46 < krzee> see the bottom of !route
10:46 < krzee> below the picture
10:46 < bootlaces> looking
10:46 < bootlaces> reading
10:49 < bootlaces> Don't follow. The openvpn server has an ip of 192.168.1.2, the df gw is 192.168.1.1 (the adsl router). The openvpn isn't on any other subnet (192.168.2.x) so, surely the openvpn server should "know" about other 192.168.1.x machines on its work?
10:50 < bootlaces> In the example below the picture, the server is on a different subnet
10:51 < bootlaces> s/work/network
10:53 < krzee> umm
10:53 < krzee> in both examples the server is on lan 192.168.2.x
10:53 < krzee> it is .2.10 in bottom
10:53 < krzee> anyways
10:53 < krzee> do you want a lan behind client, or just client to connect to server lan?
10:54 < bootlaces> just want my client to connect into the remote lan and see all the machines in there.
10:55 < krzee> then the remote lan must have a route to the VPN network
10:55 < krzee> easiest added to the router if supported
10:55 < bootlaces> ah, are you saying the remote lan (the 192.168.1.x) must be able to route back to 10.0.0.x?
10:56 < krzee> yes
10:56 < bootlaces> I see
10:56 < bootlaces> yes, that makes sense now
10:56 < krzee> for the reason explained at bottom of !route
10:57 < bootlaces> Can't do it in the router, so will have to use iroute on the openvpn server to do this?
10:58 < krzee> you totally did not read !route
10:58 < krzee> !iroute
10:58 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:58 < bootlaces> You are right, I skimmed over it
10:58 < bootlaces> I should pay more attention in future
10:58 < bootlaces> You are right to chastise me
10:58 < krzee> why do people always do that!?
10:58 < krzee> you arent alone
10:58 < bootlaces> laziness
10:59 < krzee> most people skim it then ask the questions that it explained
10:59 < bootlaces> people (including myself) are inherently lazy
10:59 < krzee> you dont realize that to understand something is MUCH lazier than asking every time you need to do something?
11:00 < bootlaces> Part of human nature I think. Perhaps we like to ask a real person from time to time rather than reading a technical document. Sometimes we can arrive at an answer quicker
11:00 < krzee> not in the long run
11:00 < bootlaces> (unless you are some type of AI) :)
11:00 < bootlaces> Well, I do *appreciate* your effort and I'm very sorry for upsetting you. It must be very frustrating for you
11:00 < krzee> and you will find that in most help channels, when you are pointed to a doc with your answer, and you fail to read it, that you will have a hard time getting further help
11:01 < krzee> im not upset
11:01 < krzee> and you're welcome =]
11:01 < krzee> here on the internet we do prefer to help those who are willing to help themselves tho
11:01 < krzee> im always willing to just set stuff up for people, but i would have to charge for that
11:03 < bootlaces> Naturally
11:03 < bootlaces> Time is a precious commodity
11:03 < bootlaces> and you have wasters like me taking your time
11:03 < krzee> haha no worries man
11:03 < krzee> where are you from? i like how you talk
11:04 < bootlaces> I'm from a lot of places. I've been coloured by my adventures in life. I wouldn't like to say I'm from "one" place, for that is very limiting.
11:05 < bootlaces> I'm a person of the world if you like.
11:05 < krzee> right on
11:05 < krzee> anyways
11:05 < krzee> you asked for the alternative way
11:06 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
11:06 < krzee> no its not iroute
11:06 < krzee> its the 2nd to last line in !route
11:06 < bootlaces> krzee, I'll try to figure the rest out now - for it's better to waste my time than yours :) I'll let you know (eventually) when I figure it out
11:06 < krzee> when you read docs, think about how long they took to write
11:06 < troy-> how long will an openvpn client retry connection for?
11:07 < krzee> troy-, forever unless you tell it otherwise
11:07 < bootlaces> Your time + the accumulative time of those who have come before you.
11:07 < troy-> krzee, i wish it was still trying :/
11:07 < troy-> gotz no packets on interface tun0
11:07 < krzee> the time spent reading docs is NOTHING compared to the time spent writing them
11:08 < krzee> packets dont happen on tun0 till a connection is made
11:08 * bootlaces has been suitably slapped on the wrists (but bring more on if you want) and will now go into the corner and sob quietly
11:08 < bootlaces> *sob *sob *sob
11:09 < krzee> lol
11:09 < krzee> troy-,
11:09 < krzee> !configs
11:09 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:09 < krzee> !logs
11:09 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
11:10 < troy-> krzee, i cant access the client, its behind nat
11:10 < troy-> there is nothing wrong with the running-config
11:10 < krzee> welp, this isnt the right time to ask for help then
11:10 < troy-> yeah.. i need someone to console it and reinitialize
11:23 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
11:29 < bootlaces> In the router, I can define static routes. I've put this in (destination ip) 10.0.0.0 (netmask) 255.0.0.0 (gateway ip) 192.168.1.2 [<-- ip of the openvpn server] and lastly 0 (metric)
11:30 < bootlaces> so, I'm telling my adsl router that if it gets an ip request from 10.0.0.0/8, it should pass them to 192.168.1.2
11:30 < bootlaces> sounds about route?
11:30 < bootlaces> tee hee (right) 11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:37 < krzee> you need to tell your router: 11:38 < krzee> that if it gets a request FOR 10.0.0.0 255.255.255.0 11:38 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."] 11:38 < krzee> (no reason for /8, your vpn is only /24) 11:38 < krzee> to pass it to .1.2 (like you said) 11:39 < krzee> main difference being, you said from, but hopefully meant for 11:39 < krzee> since if its truly from, you should just let the packets go to their destination 11:40 < krzee> if its 12:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:11 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has joined ##openvpn 13:12 < bmolloy> Hey guys, 13:12 < bmolloy> Has anyone seen a problem with the ovpn service crashing on xp pro due to msvcrt.dll? 
13:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:51 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl 13:52 -!- Netsplit over, joins: dvl, smk 14:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 14:07 -!- bootlaces [n=david@83.228.22.19] has quit [] 14:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:26 -!- Keizer [n=keizer@216.45.246.60] has quit [Read error: 110 (Connection timed out)] 15:38 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn [] 16:06 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn 16:17 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has left ##openvpn [] 16:17 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:17 -!- smerz_ [n=daniel@smerz.demon.nl] has joined ##openvpn 16:18 -!- smerz_ [n=daniel@smerz.demon.nl] has quit [Client Quit] 16:29 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:43 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 104 (Connection reset by peer)] 17:04 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:34 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 17:49 -!- AwayML is now known as AndyML 19:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 19:26 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has left ##openvpn ["openvpn"] 19:42 -!- sauce [i=sauce@ool-18be2518.dyn.optonline.net] has joined ##openvpn 19:42 < sauce> hey everyone, can anyone point me in the right direction on traffic shaping vpn traffic ? 
19:43 < sauce> err, shaping vpn traffic sounds better 19:43 -!- sauce is now known as samoshit 19:48 < dvl> I would shape the traffic using third party tools, not OpenVPN. 20:15 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has joined ##openvpn 20:20 < Solarbaby> yet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 20:38 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 20:51 < Solarbaby> I guess im not asking an easy question to answer 20:51 < Solarbaby> Im pretty confused myself 20:58 < dvl> Solarbaby: it is Saturday night.... few people around. Try the mailing list. 20:58 < Solarbaby> good advice 20:58 < Solarbaby> i dont have a life 20:58 < Solarbaby> im so close but so far 21:07 < simplechat> dvl, its sunday morning 21:07 < simplechat> lol 21:07 < simplechat> Solarbaby, whats the issue? 21:07 < Solarbaby> Hello Simplechat 21:07 < Solarbaby> Thanks for getting back to me 21:07 < simplechat> hey 21:07 < simplechat> ? 21:07 < simplechat> sorry 21:07 < simplechat> i've been stuck with my own issues for awhile 21:08 < simplechat> whatsup :) 21:08 < Solarbaby> Im going to try to restate the question, did you read what I already asked up top? 21:08 < simplechat> nah, i wasn't there 21:08 < Solarbaby> ok 21:08 < Solarbaby> yet again I think im over my head here on some configuration settings.. so heres the question.. On a Linksys Router i was able to use a configuration window called Advanced Routing, which let me enter my OpenVPN destination LAN IP, Sub Mask, Default Gateway.. it has something to do with using the Tap interface.. 
now that I'm on OpenWrt I'm not sure what to do with this info.. maybe DnsMasq? 21:10 < Solarbaby> so its setting up a virtual network for the tap interface 21:10 < Solarbaby> I have no idea how to do that with out that Linksys firmware 21:16 < simplechat> hmmm. 21:17 < simplechat> so atm your on Openwrt and your not sure how to set up a vpn? 21:17 < simplechat> is that the issue? 21:18 < Solarbaby> Yes and No.. I have setup OpenVPN on the same router.. and it seems to work.. But I am also setting up OpenVPN on a Nslu2, which is inside the home network under the router 21:19 < Solarbaby> I need to make sure that my install on the Nslu2 is working properly.. and to do that I need the router to not only forward the port, which I've asked it to do.. but it also has to create that virtual network cause thats the way things are setup to work 21:19 < Solarbaby> I can show you the document I followed for the Linksys firmware if that helps 21:22 < Solarbaby> http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ 21:22 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com) 21:22 < Solarbaby> down where it sez configuring the router 21:41 < Solarbaby> tuff one isn't it? 21:41 < Solarbaby> sorry 21:48 < simplechat> sorry, back 21:48 < simplechat> Solarbaby, i've never done that 21:52 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has joined ##openvpn 21:58 < Solarbaby> yeah its a bit specific 22:44 < samoshit> anyone have any docs on shaping VPN traffic ? 
22:48 < krzee> its the same as shaping any other traffic if you use firewall 22:48 < krzee> or you can play with --shaper in 2.1, which is pretty new 22:52 < samoshit> awesome 23:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:01 -!- Solarbab1 [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 23:10 -!- Solarbaby [n=solarbab@adsl-69-225-143-100.dsl.irvnca.pacbell.net] has quit [Read error: 145 (Connection timed out)] 23:10 -!- Solarbab1 is now known as Solarbaby 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:18 -!- samoshit [i=sauce@ool-18be2518.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 23:34 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 23:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 23:41 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn --- Day changed Sun Jan 11 2009 00:01 < ropetin> Hey guys, whats up in here tonight? 00:04 < Solarbaby> ropetin: one of these days instead of being the guy who has always tried to make openvpn work, i'll actually get to use it 00:04 < Solarbaby> ropetin: i must be pretty close by now 00:04 < ropetin> Hehehe, what's your issue now? 00:04 * ropetin just reinstalled earlier and had it working in about 20 minutes... 00:05 < Solarbaby> I sorta had it working before I rebooted my client 00:06 < Solarbaby> it connected.. it said it had a hard time establishing a security of some sort, and defaulted to using ssl something rather 00:06 < Solarbaby> anyways after a reboot of the client it just reads UDPv4 [ECONNREFUSED]; connection refused (code=111) 00:09 < Solarbaby> I'm not sure there will ever be a day that im done trying to make this work, and get to use it.. 
haha 00:09 < Solarbaby> i feel like an idiot 00:09 < Solarbaby> they just need to make this work for people like me 00:10 < ropetin> Not at all! 00:10 < ropetin> It's all a learning experience isn't it? 00:11 < ropetin> What does the server say? 00:12 < Solarbaby> the openvpn-status.log is no help at all.. it never gets updated 00:14 < ropetin> And you've restarted the service on the server? 00:15 < Solarbaby> i'll double check now 00:16 < Solarbaby> yes same exact error 00:16 < Solarbaby> you got yours working in 20 min huh? I envy you 00:16 < ropetin> Presumably if nothing is even getting to the server, it's a firewall or connectivity issue? 00:16 < Solarbaby> even a reinstall in 20 min would be a blessing 00:16 < ropetin> Heheheh 00:17 < ropetin> If it makes you feel any better the server I reinstalled has now died on me, for a totally unrelated hardware reason 00:17 < Solarbaby> not at all 00:17 < Solarbaby> you have no idea how hard i've worked 00:18 < Solarbaby> i just dont understand this.. im going to post my configs on pastebin.ca 00:19 < ropetin> OK 00:28 < krzee> --log file 00:29 < Solarbaby> http://pastebin.ca/1305759 00:29 < Solarbaby> ropetin: sorry about that wait 00:29 < ropetin> No wories :D 00:30 < ropetin> worries even 00:31 < Solarbaby> OpenVPN is setup on a device inside my under the firewall 00:31 < ropetin> Which makes me think it's a connectivity issue or firewall issue 00:32 < ropetin> Do you have the appropriate port forwarded, NATd or whatever? 00:32 < Solarbaby> I've asked the router to forward port 1194 and I executed route add -net 192.168.10.0 netmask 255.255.255.252 gw 192.168.1.1 dev br0 on my openwrt router 00:33 < Solarbaby> maybe theres a firewall problem on the server.. its also running openwrt 00:34 < krzee> why dev tap? 
00:34 < Solarbaby> I can't answer that 00:34 < Solarbaby> I dont understand anything 00:34 < krzee> use dev tun 00:34 < krzee> (on both) 00:34 < Solarbaby> Ok 00:34 < ropetin> Also, did you port forward udp or just tcp? 00:35 < krzee> tap encapsulates using ethernet frames, tun with IP traffic 00:37 < krzee> know that your server will need ip forwarding enabled, and NAT setup too 00:37 < krzee> are those 2 boxes on the same LAN? 00:37 < Solarbaby> yes 00:37 < krzee> k 00:37 < krzee> the pushing dns thing... 00:37 < krzee> !pushdns 00:38 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 00:38 < Solarbaby> Thanks 00:38 < krzee> np 00:38 < krzee> !logs 00:38 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:39 < Solarbaby> for one thing.. the servers firewall was accepting tcp 1194 00:39 < krzee> ahh good call ropetin 00:40 < Solarbaby> problem is still the same error 00:40 < ropetin> :D 00:40 < Solarbaby> hmmmm 00:40 < krzee> !logs 00:40 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 00:41 < Solarbaby> Ok 00:41 < Solarbaby> the server never makes a log file though.. 00:41 < krzee> sure it does 00:41 < Solarbaby> verb 6 00:41 < Solarbaby> syslog 00:41 < krzee> you told it to goto syslog 00:42 < krzee> check /var/log/messages 00:42 < Solarbaby> in var i have lastlog but not syslog 00:42 < krzee> syslog is the app that handles system logging 00:42 < Solarbaby> OpenWrt is so fucking crazy I can't find any syslog 00:42 < krzee> which you told openvpn to send its logs to 00:42 < krzee> ohh 00:43 < krzee> !router 00:43 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... 
dont expect help until you turn on logging so you can post them 00:43 < Solarbaby> thanks but I knew that 00:43 < krzee> unless ropetin happens to know how, you need to find out how to turn on logging 00:43 < Solarbaby> it logs other stuff.. 00:43 < krzee> #openwrt would know im sure 00:44 < krzee> 2 other easy ways actually 00:44 < krzee> remove syslog line 00:44 < Solarbaby> ok 00:44 < krzee> replace it with log 00:44 < krzee> other way is just start openvpn in the foreground 00:45 < krzee> dont forget to turn logging off when we're done 00:45 < krzee> cause your router cant log long before running out of filesystem 00:47 < ropetin> Sorry, I was getting annoyed by someone in another room. What'd I miss? 00:47 < ropetin> Not logging to syslog? 00:47 < krzee> hes on openwrt 00:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:49 < Solarbaby> just a few minutes 00:49 < krzee> on route 00:50 < krzee> whats vpn_gateway 3 00:50 -!- ropetin is now known as mclovin 00:50 -!- mclovin is now known as ropetin 00:50 < krzee> it should route through the vpn gateway without that 00:50 < krzee> kclovin! 00:51 < krzee> mclovin! 00:51 < ropetin> :D 00:51 < ropetin> Was checking if it's registered ;D 00:51 < krzee> also feel free to remove cipher BF-CBC 00:52 < krzee> since thats blowfish, the default 00:52 < Solarbaby> alright 00:59 < Solarbaby> http://pastebin.ca/1305774 00:59 < Solarbaby> that was from my client 01:00 < krzee> !learn mail http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Invalid arguments for learn. 01:00 < krzee> !learn mail as http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 01:00 < vpnHelper> krzee: Joo got it. 
01:01 < Solarbaby> the server doesn't seem to be logging anything 01:04 < Solarbaby> Oh I found the server.log it was in /etc/init.d 01:04 < Solarbaby> weird 01:04 < ropetin> :D 01:06 < Solarbaby> http://pastebin.ca/1305779 01:07 < Solarbaby> thats the server log.. there isn't much to it though cause for some reason the client isn't scrolling the screen with information like it used to 01:07 < Solarbaby> rebooting the client 01:15 < Solarbaby> maybe now that im using tun instead of tap.. it might be kicking me off the wireless network 01:15 < Solarbaby> or maybe its because I added the log file in the client 01:15 < Solarbaby> im just not sure 01:17 < krzee> the wifi is a lower level 01:18 < krzee> ya i want the log to include the client trying to connect.. 01:21 < Solarbaby> I dont know why the client just sits there now.. it used to actually do things 01:21 < Solarbaby> im changing back to tap 01:21 < krzee> post the new config 01:22 < krzee> tap is for tunneling ethernet frames 01:22 < krzee> you only need to tunnel ip if you're just securing your wireless 01:23 < krzee> unless you are using a protocol that needs that over the vpn, it is a waste of overhead 01:24 < krzee> and when using routed with tap the only reason ive seen could be for broadcasts 01:27 < krzee> because ethernet frames work based on mac address, so without using routed you would use bridged, then youd be bridging the layer2 (talks by MACs) from each side to other 01:27 < krzee> aka, you dont want tap ;] 01:27 < Solarbaby> my ip changed 01:27 < Solarbaby> my internet ip changed 01:27 < krzee> that'll do it 01:27 < krzee> use dyndns for that if you like 01:27 < krzee> then you can connect based on hostname 01:27 < Solarbaby> i just need to get the script working 01:30 < krzee> what script... 01:30 < Solarbaby> dyndns script 01:30 < krzee> o 01:33 < Solarbaby> its still just sitting there 01:33 < Solarbaby> somehow i broke it 01:33 < krzee> look at logs... 
01:34 < krzee> just sits trying to connect? 01:34 < Solarbaby> the server log looks identical as what I posted you 20 min ago 01:34 < Solarbaby> yeah 01:34 < krzee> if so, either firewall or port forwarding problem 01:34 < Solarbaby> well not identical it sez tun0 opened 01:35 < Solarbaby> ok 01:35 < Solarbaby> Firewall 01:35 < krzee> client is trying to connect i assume... 01:37 < Solarbaby> i think so but it used to scroll the screen with stuff 01:37 < Solarbaby> now it doesn't say a damn thing at all 01:37 < Solarbaby> this is a huge nightmare.. Im so very lost 01:44 < Solarbaby> Im sorry.. I just dont know what to do anymore 01:44 < Solarbaby> I broke it 01:51 < Solarbaby> im sorry.. i can't get any further 01:51 < Solarbaby> this sucks.. this current config took me 2 weeks to get this far.. only to completely die 01:54 < krzee> have you read the howto or just googled? 01:55 < Solarbaby> I dont understand a lot of what I read 01:56 < Solarbaby> the mini howtos seemed easier because they know you haven't gone to school to learn networking 01:56 < Solarbaby> which of course I am in that category.. everything is another language 01:56 < krzee> so you're setting up an advanced networking component hoping to find a page that will let you follow their steps instead of trying to learn the topic 01:58 < Solarbaby> 2 weeks.. I didn't try for a single second.. come on.. 
I've been bleeding this 01:58 < krzee> mini-howto's arent the way 01:59 < Solarbaby> you sometimes forget what that howto looks to someone who doesn't understand how to read it 01:59 < krzee> try bridging instead maybe 01:59 < krzee> no i remember 01:59 < krzee> thing is, vpns are advanced networking, so to learn them you need to learn about the stuff around them too 01:59 < krzee> for exampe 02:00 < krzee> example 02:00 < krzee> you'll need NAT configured 02:00 < krzee> so client is a wifi client, server is the wireless router, you are securing the wireless over openvpn and not allowing inet over the standard wireless? 02:02 < Solarbaby> I think something happened on my client 02:02 < krzee> check its connecting to the right ip / port / proto 02:20 < Solarbaby> what should I type on the client to make it log? 02:21 < Solarbaby> log client.log just makes it choke 02:33 < Solarbaby> forget it 02:36 < Solarbaby> 4 1/2 hours later I think i've repaired the damage up until the point that we started talking.. so now all I have to do is get back to the original problem I had before all this 02:36 < Solarbaby> yay 02:36 < Solarbaby> and thats why it took me 2 weeks to get this far 02:36 < Solarbaby> im talking 8 hours a day 2 weeks 02:36 < Solarbaby> yeah im some kinda idiot 02:44 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit ["Leaving"] 02:44 < krzee> no you're just learning a lot at once 02:45 < krzee> what did you change to 'repair the damage'? 02:48 < Solarbaby> I think i corrupted the client.conf by adding the log 02:49 < krzee> !man 02:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
02:49 < krzee> use a full path 02:49 < Solarbaby> ok 02:49 < krzee> reference for commands: manpage 02:52 < Solarbaby> so now i gotta figure out why im getting the connection refused 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 03:04 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 03:04 < Solarbaby> rebooted my router 03:05 < krzee> ya you wont need to add any routes to it 03:05 < Solarbaby> ok 03:06 < Solarbaby> well im plagued with connection refused code 111 03:06 < krzee> firewall 03:06 < Solarbaby> i tried 03:06 < Solarbaby> i added a port forward 03:06 < krzee> well 03:07 < krzee> on same lan shouldnt need port forward 03:07 < krzee> that was unknown back when we said that 03:07 < krzee> (vpn is much more common on separate lans) 03:07 < Solarbaby> as far as I know.. if its going to penetrate my routers firewall and then go to the nslu2 which has openvpn installed to it.. it needs a port forward 03:08 < krzee> isnt the server on the router? 03:08 < Solarbaby> no 03:08 < Solarbaby> it was 03:08 < Solarbaby> it is.. but that one is disabled 03:08 < krzee> but dude 03:08 < krzee> thats the problem 03:08 < krzee> you have 2 separate lans 03:09 < krzee> your traffic wont just simply jump across them 03:09 < krzee> or does it normally? 03:09 < krzee> can you ping the vpn server box...? 03:09 < Solarbaby> i could try 03:10 < krzee> why are you using openvpn...? 03:10 < krzee> i figured to secure your wifi 03:10 < Solarbaby> ping 192.168.10.0 Destination unreachable 03:10 < krzee> but if its not going to router... thats not it 03:10 < krzee> ya man, thats your problem 03:11 < krzee> you're trying to connect to something you cant connect to 03:11 < krzee> (part of networking unrelated to a vpn) 03:12 < Solarbaby> ok my router is 192.168.1.1 255.255.255.0 right? 
then i created a route Destination LAN Ip 192.168.10.0 255.255.255.252 with a default gateway of 192.168.1.1 03:12 < Solarbaby> and I think I have to keep on typing in route every time i reboot my router 03:13 < Solarbaby> i'll create a script for that 03:13 < krzee> isnt 192.168.10.0 the vpn network? 03:13 < Solarbaby> YEs 03:13 < krzee> what good will that route do you? you cant even make the connection 03:13 < krzee> those ips dont exist til the vpn is running 03:14 < Solarbaby> oh 03:14 < Solarbaby> that makes sense 03:14 < krzee> and those packets will be encapsulated over traffic flowing same as your ping did 03:14 < krzee> !vpn 03:14 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 03:14 < krzee> that is the idea of what a vpn is 03:15 < krzee> what is your real goal? 03:15 < Solarbaby> file sharing and the ability to be able to goto a coffee shop and use their unsecure wifi to connect to my secure network and do private web and network stuff 03:16 < Solarbaby> i want to use samba over my vpn 03:17 < krzee> hehe 03:18 < krzee> we shoulda started with that 03:18 < Solarbaby> sorry 03:18 < krzee> ok the port forwarding will be correct 03:18 < krzee> but not for what you're doing now 03:18 < krzee> for now, get yourself on the same lan 03:19 < Solarbaby> alright 03:19 < krzee> so if router is 192.168.1.1, be on that network 03:19 < krzee> that is why you have the local flag 03:19 < krzee> when you go remote, you must remove local from redirect-gateway 03:19 < krzee> !local 03:19 < Solarbaby> so i should just tell my router to accept port 1194 and do nothing with it? 03:19 < vpnHelper> krzee: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 
03:19 < krzee> you tell your router to send it to the openvpn server 03:20 < Solarbaby> thats what I did 03:20 < krzee> but that wouldnt solve your old problem 03:20 < krzee> thats for when you goto the coffee shop 03:20 < krzee> for now (testing im guessing) 03:20 < krzee> get on the same lan 03:20 < Solarbaby> it was forwarding port 1194 to the real network address of the openvpn server 03:21 < krzee> the ONLY thing you change to go out in the wild when done testing is remove local from redirect-gateway 03:21 < krzee> but you must get on same network if you wanna be working with 1 router 03:21 < krzee> you mentioned samba 03:22 < krzee> you mean windows filesharing or samba running on linux/bsd? 03:23 < Solarbaby> mostly i'll have samba running on the same device as the openvpn 03:23 < krzee> nice 03:23 < Solarbaby> on the other side in the wild sometimes samba will connect sometimes windows xp 03:24 < krzee> k, well if you can handle doing it by ip you save yourself some trouble 03:24 < krzee> other option is to run wins 03:24 < krzee> which is a 1-liner in samba 03:24 < Solarbaby> cool 03:24 < krzee> well with that few machines, 3rd option exists 03:24 < krzee> windows has a hostfile, as does linux 03:25 < krzee> you just enter it in there, host -> ip 03:25 < krzee> then you dont need to bother bridging 03:25 < Solarbaby> i removed push dredirect-gateway local def1 but i still get the same error 03:25 < krzee> no no 03:25 < krzee> whyd you remove that? 03:25 < Solarbaby> I thought you told me too 03:25 < krzee> take the client machine 03:26 < krzee> put it on the 192.168.1.x network 03:26 < krzee> if that means plugging it in, do that 03:26 < krzee> until you are on that network, everything else is pointless 03:26 < Solarbaby> ok 03:26 < Solarbaby> i'll setup the client on a computer thats plugged in 03:28 < krzee> k 03:38 < Solarbaby> okay everything is setup on a computer locally 03:39 < Solarbaby> same error 03:40 < krzee> it can ping now...? 
03:40 < Solarbaby> what address shall I ping? 03:41 < krzee> what address is the computer running the server on? 03:41 < krzee> LAN address 03:41 < Solarbaby> 192.168.1.77 03:41 < krzee> ping that 03:41 < Solarbaby> that pings 03:42 < krzee> change your remote statement in the config 03:43 < Solarbaby> same error 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294530 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 03:44 < Solarbaby> Sun Jan 11 01:46:35 2009 us=294561 UDPv4 READ [-1] from [undef]: DATA UNDEF len=-1 03:44 < krzee> show me the configs now 03:44 < Solarbaby> ok 03:47 < Solarbaby> http://pastebin.ca/1305826 03:49 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 03:49 < krzee> comment out the route 03:49 < krzee> and delete the #route 192.168.10.0 line 03:50 < krzee> what is the ip of the client machine? 03:53 < Solarbaby> 192.168.1.179 03:55 < Solarbaby> same error 04:01 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 60 (Operation timed out)] 04:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:17 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 05:05 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 05:05 < Solarbaby> krzee: it took me about an hour to figure out why after a reboot I couldn't get back onto the internet 05:05 < Solarbaby> krzee: i had to uninstall openvpn to do it 05:06 < krzee> you were connected? 
05:06 < Solarbaby> krzee: i dunno how much patience I have left, but i surely appreciate yours 05:07 < Solarbaby> yeah 05:07 < krzee> cause that is what should happen when you got connected 05:07 < krzee> until you setup NAT 05:07 < Solarbaby> i was connected with no internet 05:07 < krzee> yup 05:07 < krzee> your router does NAT for 192.168.1.1 05:07 < krzee> so you have inet from that ip 05:07 < krzee> but when you come in from starbucks, or test like this 05:07 < krzee> you are using 192.168.10.x 05:08 < Solarbaby> ok 05:08 < krzee> and that network needs a NAT just like .1.x has 05:08 < krzee> !nat 05:08 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 05:08 < krzee> #1 and #3 05:09 < Solarbaby> ok i reinstalled openvpn 05:09 < Solarbaby> i still have the same config file 05:09 < Solarbaby> lets go to town 05:09 < krzee> you didnt have to uninstall 05:09 < krzee> you just had to kill the process 05:09 < krzee> lol 05:10 < Solarbaby> I didn't know how to boot up.. deleted most of my networking 05:10 < Solarbaby> i tar'd the stuff i deleted though 05:10 < krzee> haha 05:10 < Solarbaby> seriously i need some real hand holding here 05:12 < Solarbaby> where are we at? 
05:13 < krzee> you're teaching yourself how to setup a NAT in linux 05:13 < krzee> !linnat 05:13 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 05:13 < Solarbaby> You are about to delve into the fascinating (and sometimes horrid) world of NAT: Network Address Translation, and 05:14 < Solarbaby> do you realise it sez welcome and horrid 05:14 < Solarbaby> thats scary 05:14 < Solarbaby> *cry* 05:14 < krzee> bbl 05:14 < krzee> happy reading 05:14 < Solarbaby> thanks for everything 05:14 < Solarbaby> ok 05:14 < krzee> np 05:23 < Solarbaby> this is too complex 05:23 < Solarbaby> i'll never understand nat 05:23 < Solarbaby> i just want to make this work 05:24 < Solarbaby> i curse technology 05:25 < Solarbaby> fuck this is only pissing me off 05:26 < Solarbaby> i dont want to mangle packets I want a vpn 05:27 < Solarbaby> i guess i'll look for more walkthroughs 05:27 < Solarbaby> this sucks 05:28 < Solarbaby> krzee: this shit doesn't make sense to me 05:33 < Solarbaby> i dont understand 05:35 < Solarbaby> ropetin: i've moved like 2 minutes in 8 hours, but are you still here? 05:35 < Solarbaby> ropetin: now that i've deleted what i want to do with openvpn it connects.. but now what? 06:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)] 06:15 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 06:16 < mlaci> hey guys! i've created an openvpn tunnel and it seems to work. the log says: "Initialization Sequence Completed", but i cannot ping through the tunnel. what could be the problem? 
06:19 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn 06:24 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Client Quit] 06:51 < reiffert> !def 06:51 < vpnHelper> reiffert: Error: "def" is not a valid command. 06:51 < reiffert> !def1 06:51 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 06:51 < reiffert> !logs 06:51 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 06:51 < reiffert> !confgs 06:51 < vpnHelper> reiffert: Error: "confgs" is not a valid command. 06:51 < reiffert> !configs 06:51 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:17 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 07:51 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 08:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:45 < ecrist> reiffert: something specific you're looking for? 08:48 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has joined ##openvpn 08:49 < ecrist> you're early. ;) 08:49 < my_math_stinks> Making sure things worked as expected 08:51 < my_math_stinks> Thanks for taking the time to do this! 08:51 < ecrist> np 08:51 < ecrist> pw? 08:52 < my_math_stinks> Hope you will understand that as a ... seasoned? ... 
computer user I am pretty darn security conscious; and since our friendship is brand new, I will take President Reagan's advice from the nuclear disarmament treaty with the USSR: "Trust but Verify". 08:52 < my_math_stinks> So that I will have a record, and be able to learn something from watching what you do, could you please do: script ~/eric_ssh.txt immediately after you log in to your home directory? I will tail -f that file. 08:52 < ecrist> certainly 08:53 < my_math_stinks> is this a private enough channel to give you the login info AND pw? 08:53 < ecrist> no. I've login info - just need pw 08:53 < ecrist> this is a public room. 08:53 < my_math_stinks> OK, ip has not changed, password: ericcrist 08:54 < ecrist> my_math_stinks: there is no script in ~/eric_ssh.txt 08:55 < ecrist> is that script in *your* home dir? 08:55 < my_math_stinks> run the command "script eric_ssh.txt" that will create the file. 08:57 < ecrist> ok, 1 sec 08:57 < my_math_stinks> OK, I see you ran it and then exited. Don't exit till you're done. I'll see everything you do that way. 08:58 < my_math_stinks> Why do you need to connect to kenny.secure-computing.net 08:58 < ecrist> getting my .cshrc file for my environment 08:58 < my_math_stinks> ok, allowed 08:59 < ecrist> ok, got all that 09:00 < ecrist> no, refresh my memory, what user's directory are you looking at? 09:00 < ecrist> randi? 09:00 < my_math_stinks> yes, and why do you need to be logged in to 2 terminal sessions? :) 09:01 < ecrist> never used script, also doing a tail -f (I'm learning, too) :) 09:01 < ecrist> looks similar to the old 'watch' command, but not quite as powerful. 09:02 < my_math_stinks> it's useful in this situation so that I can watch in real time, and have a hard record. 09:02 < my_math_stinks> I can also see as you log in and out. 09:04 < ecrist> ok. looks like there's a difference of about 300MB between du -kd1 and repquota 09:04 < my_math_stinks> hmmm.2.34 and 2.37 interestingly close? 09:04 < ecrist> hrm. 
let's take this to a private room 09:04 < my_math_stinks> invite me 09:05 < my_math_stinks> need a "room key"? 09:06 < my_math_stinks> room is password protected 09:06 < ecrist> look at my command history - sent you message there. 09:06 < my_math_stinks> got it, invite again 09:37 -!- my_math_stinks [n=charles@24-176-96-248.dhcp.jcsn.tn.charter.com] has quit [] 09:42 < mlaci> hi guys! i got this: "bad source address from client [10.8.0.2], packet dropped". i'm in pretty desperate and need some help 09:42 < ecrist> if you google "OpenVPN 'bad source address from client' 09:42 < ecrist> " 09:42 < ecrist> you'll get a ton of hits... 09:42 < ecrist> try reading 09:42 < ecrist> !route 09:42 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:42 < ecrist> that link ^^^ 09:43 < ecrist> you'll find an explaination of that error there. 09:44 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto 09:44 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn 09:48 < mlaci> ecrist, i'm reading for more than two hours, but cannot figure out the exact solution 09:49 < ecrist> did you read the link vpnHelper posted above? 09:49 < mlaci> ecrist, i'm just reading it, sorry. give me some minutes 10:12 -!- AndyML is now known as AwayML 10:27 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 10:27 < phretor> hi 10:29 < phretor> I get tons of errors when I use easy-rsa scripts - http://pastie.org/358032 - could you please give help me on this? 10:36 < ecrist> phretor: what OS? 10:36 < phretor> ecrist: ubuntu server 10:37 < ecrist> what shell? 
10:37 < phretor> ecrist: bash
10:40 < ecrist> well, easy-rsa sucks
10:40 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has joined ##openvpn
10:42 < wormdrink> hi
10:42 < wormdrink> im having some trouble connecting to vpn from behind firewall
10:42 < wormdrink> behind http proxy rather
10:42 < wormdrink> keep getting: Sun Jan 11 18:44:02 2009 us=959388 TCPv4_CLIENT link local: [undef] Sun Jan 11 18:44:02 2009 us=959473 TCPv4_CLIENT link remote: 153.88.253.11:8080 Sun Jan 11 18:44:53 2009 us=33897 Connection reset, restarting [0] Sun Jan 11 18:44:53 2009 us=34254 TCP/UDP: Closing socket Sun Jan 11 18:44:53 2009 us=34439 SIGUSR1[soft,connection-reset] received, process restarting Sun Jan 11 18:44:53 2009 us=34532 Restart
10:42 < ecrist> phretor: I don't have packages for ubuntu yet, but with a little effort, you can use ssl-admin
10:42 < ecrist> !ssl-admin
10:42 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
10:43 -!- tjz [n=tjz@bb116-15-45-14.singnet.com.sg] has quit ["I want to sleep."]
10:44 < ecrist> wormdrink: I don't know how you're going to use an http proxy to connect. I don't think it's supported
10:45 < wormdrink> im pretty sure it is
10:46 < wormdrink> # If you are connecting through an # HTTP proxy to reach the actual OpenVPN # server, put the proxy server/IP and # port number here. See the man page # if your proxy server requires # authentication. ;http-proxy-retry # retry on connection failures ;http-proxy [proxy server] [proxy port #]
10:46 < ecrist> have you looked at http://openvpn.net/index.php/documentation/howto.html#http
10:46 < vpnHelper> Title: HOWTO (at openvpn.net)
11:11 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 131 (Connection reset by peer)]
11:13 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has joined ##openvpn
11:15 < zzattack> phretor: did you try using the 1.0 scripts?
11:15 < phretor> zzattack: why should I?
11:15 < zzattack> are you using that debian etch guide?
11:23 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has joined ##openvpn
11:24 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:24 < Semmi> hello, i have a problem. i can't create a server key
11:29 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
11:29 < Semmi> i want to generate a certificate & key for a server, but i only got a message
11:30 < Semmi> that i "Finally, you can run this tool (pkitool) to build certificates/keys."
11:30 -!- zzattack2 [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 110 (Connection timed out)]
11:39 -!- phretor [n=phretor@host202-23-dynamic.25-79-r.retail.telecomitalia.it] has left ##openvpn []
11:43 -!- zzattack [n=zzattack@cp440184-a.dbsch1.nb.home.nl] has quit [Read error: 60 (Operation timed out)]
12:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:21 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
12:22 < mlaci> ecrist, thank you very much for the pointer to the wiki article about setting up iroutes, it's working like a charm. i'd like to configure my server to forward packets to its lan. how can i do it?
12:26 < mlaci> /proc/sys/net/ipv4/ip_forward is set to 1 and forwarding doesn't work
12:35 < mlaci> looks like the server tries to forward the packets, but the server resides in a bigger network interconnected by routers and there's no answer coming back
12:35 < mlaci> am i missing something?
12:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:37 < mlaci> ah, i think i should masquerade the packets, or something like that
12:46 -!- wormdrink [i=c2ed8e06@gateway/web/ajax/mibbit.com/x-903c80a6518af861] has quit ["http://www.mibbit.com ajax IRC Client"]
12:59 -!- aia [n=aia@unaffiliated/aia] has quit ["Bye"]
13:02 -!- Semmi [n=basti@e178220139.adsl.alicedsl.de] has quit [Read error: 54 (Connection reset by peer)]
13:08 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
13:08 < eliasp> hi
13:10 < eliasp> how do i change the IP of the server node? by default it gets 10.8.0.1/24 assigned (server 10.8.0.0 255.255.255.0) ... i want it to be 10.8.0.2/24 ... tried 'ifconfig 10.8.0.2 255.255.255.0' but it seems i was wrong... still got 10.8.0.1/24 ...
13:13 < krzee> why .2?
13:13 < krzee> and see this:
13:13 < krzee> !/30
13:13 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:14 < krzee> AND
13:14 < eliasp> because the usage of .1 would require heavy changes of the client configs due to network restructuring... just something i want to prevent ATM
13:14 < krzee> server statement expands to have ifconfig already in it
13:14 < krzee> see !man for details
13:15 < krzee> the avoidance of .1 would require heavy changes as well
13:15 < eliasp> but just on the server....
13:15 < krzee> and you need to use an address from a /30 unless you use !topology
13:15 < eliasp> there's nowhere a reference to 10.8.0.1 in the client-config...
13:16 < eliasp> uhm, i don't really understand why this shouldn't be easily possible... will read the link above for some clarification.. thx ... seems i have to find a completely different way for this...
13:17 < krzee> ya that link will show why no server or client can use .2
13:17 < krzee> unless you use:
13:17 < krzee> !topology
13:17 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:17 < eliasp> ok, it doesnt need to be .2 .. could be anything else, just not .1 ;-)
13:17 < eliasp> k, thx
13:17 < krzee> see:
13:17 < krzee> !man
13:17 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:17 < krzee> and rebuild the server statement
13:18 < krzee> server expands to be a bunch of other statements
13:18 < krzee> rebuild it replacing ifconfig with what you want
13:19 < eliasp> yeah, read this part of the manpage already about the expanded 'server' option... going to re-read it...
13:59 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
14:04 -!- bmolloy [n=bmolloy@cpe-70-115-198-13.satx.res.rr.com] has quit [Read error: 113 (No route to host)]
14:35 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:39 -!- AwayML is now known as AndyML
15:10 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has joined ##openvpn
15:11 -!- LilaLinux is now known as lilalinux
15:13 < laggo> i've set up the vpn with close to default configs and i can ping the server across the tunnel. i'm having trouble with routing all client traffic through the server with redirect-gateway and iptables masquerade. is there some linux tool to diagnose whats happening with the packets (are they being received/forwarded by the server etc)
15:24 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
15:27 < disposable> ls
15:27 < disposable> oops
15:42 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
16:09 < disposable> i have a network 192.168.3.0/24 on which i have an openvpn server with tap device providing network 192.168.111.0/24. the server is configured like this: http://pastebin.com/d29031923 Problem is that I can ping the server from the client using both 192.168.111.1 and 192.168.3.118 address, but nothing else on the 192.168.3.0 network. what am i missing?
16:10 < disposable> i have issued "echo 1 > /proc/sys/net/ipv4/ip_forward" on the server, but it did not help
16:22 < disposable> pretty please?
16:29 < laggo> blah
16:29 -!- laggo [n=user@c-67-188-111-124.hsd1.ca.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"]
16:40 < mlaci> guys, what's the best way to implement some hostname resolution mechanism that works with openvpn?
16:47 < krzie> huh?
16:47 < krzie> i dont get the question
16:49 < krzie> disposable: 3 things,
16:49 < krzie> #
16:49 < krzie> push "route 192.168.3.0 255.255.255.0"
16:49 < krzie> #
16:49 < krzie> route 192.168.3.0 255.255.255.0
16:49 < krzie> that never makes sense
16:49 < krzie> see !route
16:50 < krzie> odds are you are missing the routes outside of openvpn
16:50 < krzie> 2) you are using tcp, unless you have a reason to you should not be
16:50 < krzie> see this:
16:50 < krzie> !tcp
16:50 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:57 < disposable> krzie: thanks
17:06 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:07 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:11 < krzie> 3) you are using tap, but not bridging... there are few reasons to do this and unless you know why you are doing it you prolly want dev tun
17:12 < krzie> also, if you are using user/group you want some persist options
17:12 < bsdbandit> im running openvpn 2.0.9 on openbsd 4.4 but when trying to start openvpn it just hangs before trying to open up the tun0 interface how would i go about solving this issue
17:12 < bsdbandit> ?
17:12 < krzie> persist-key
17:12 < krzie> persist-tun
17:13 < disposable> krzie: looks like i have much more reading to do than i thought
17:13 < krzie> bsdbandit, sure you have tuntap in the kernel?
17:55 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
17:55 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
18:25 < reiffert> Hah, migrating a web n mailserver to my system within 30 minutes on the fly.
18:29 < krzie> nice
18:30 < krzie> i grabbed a fbsd vps for $84/yr last night
18:30 < krzie> was too good to pass up
18:31 < reiffert> how much hdd?
18:34 < reiffert> Need 100GB Backup Space with ssh+rsync and cryptfs.
18:35 < krzie> for the 84/yr only 5gb
18:37 < reiffert> good night, job's done here
18:37 < krzie> more than i need tho
18:37 < krzie> gnite reif
18:43 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
18:55 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
19:03 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: smk, dvl
19:03 -!- Netsplit over, joins: dvl, smk
20:14 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has joined ##openvpn
20:16 < Solarbaby> krzee: Hello
20:29 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Network is unreachable]
20:32 < krzie> hey
20:39 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection]
20:43 < Solarbaby> krzie: I ended up having a shitfit after you left... i guess my temper got the best of me
20:43 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
20:43 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:45 < krzie> lol
20:46 < Solarbaby> fortunately nobody was around to comment on any of it
20:46 < krzie> dont expect to read some walkthrough and magically understand networking
20:47 < Solarbaby> Im not sure I want to understand it, I want it to work
20:47 < Solarbaby> my network can't be so different than a few hundred million other networks
20:47 < krzie> what you were trying when you started was impossible
20:47 < Solarbaby> its 2 config files.. and a few entries into your firewall and router
20:48 < Solarbaby> I appreciate you clearing that up
20:48 < Solarbaby> thanks
20:48 < krzie> yes, but what goes in those entries and configs differs based on your goal, and requires some knowledge of networking
20:48 < Solarbaby> nod
20:48 < Solarbaby> would you mind walking me through the rest of it?
20:49 < krzie> walking through, prolly
20:49 < krzie> but ill point to what to read if i know what you need to read
20:49 < krzie> last i saw you got it to connect fine
20:49 < Solarbaby> a little hand holding is required with my limited knowledge.. but im a lot less impatient after a good nights sleep
20:49 < krzie> comment out the redirect-gateway line for now
20:49 < Solarbaby> ok
20:49 < Solarbaby> shall I re post the configs?
20:49 < krzie> ill help, but wont do it for you, if yanno what i mean
20:50 < krzie> well first comment the redirect-gateway line
20:50 < Solarbaby> Yeah.. I prefer you do it for me.. heeh..
20:50 < Solarbaby> but any help is good
20:50 < krzie> (put a # in front of it)
20:50 < krzie> sure ill do it for you
20:50 < krzie> but ill charge $ for that
20:50 < Solarbaby> im tempted to pay
20:50 < Solarbaby> not that i have any money
20:50 < krzie> its better to learn
20:51 < Solarbaby> i agree.. i always prefer seeing something that works, then breaking it
20:51 < Solarbaby> see why it worked
20:51 < krzie> you learn more from breaking stuff and fixing it
20:51 < krzie> than from following some walkthrough off google
20:51 < Solarbaby> yeah
20:51 < Solarbaby> thats true.. apparently i've learned very little all this time
20:52 < krzie> to understand basically everything about ANY line in an openvpn config
20:52 < krzie> all you need is this:
20:52 < krzie> !man
20:52 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:52 < krzie> so anyways...
20:52 < krzie> comment the line i said to
20:52 < krzie> then stop both instances of openvpn
20:52 < krzie> then start the server
20:53 < krzie> then start the client
20:53 < krzie> tell me if it connects...
20:54 < Solarbaby> ok
20:55 < Solarbaby> it didn't stay connected
20:55 < Solarbaby> ill post the logs
20:58 < Solarbaby> http://pastebin.ca/1306234
21:02 < Solarbaby> http://pastebin.ca/1306238
21:11 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
21:12 < tjz> Hello everyone~
21:13 -!- steveoooooooo [n=steve@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
21:13 < Solarbaby> Hello tjz
21:14 < tjz> hey solarbaby
21:14 < tjz> did you manage to get your openvpn working?
21:14 < Solarbaby> tjz: not yet.. krzie has been helping me but its slow going
21:15 < steveoooooooo> im trying to setup a bridged openvpn setup, what interface do I bridge? the vpn is accepting connections on the internet, but the VPN should operate on 192.168 or 10. network... do I need to add a local net first, and bridge that?
21:15 < tjz> are you running a server or vps?
21:15 < Solarbaby> he managed to fix some issues that he told me will not work because they were totally wrong
21:15 < Solarbaby> im running openvpn on a linksys nslu2
21:15 < Solarbaby> running openwrt as an operating system
21:15 < Solarbaby> and the client is running on ubuntu
21:16 < steveoooooooo> Solarbaby, how does openwrt work?
21:16 < Solarbaby> steveoooooooo: it may just be the single most frustrating project i've ever taken on
21:17 < steveoooooooo> : )
21:17 < Solarbaby> openwrt itself comes pretty close..
21:17 < tjz> never use openwrt OS before
21:17 < steveoooooooo> im trying to get openvpn to work
21:17 < tjz> x_x
21:17 < steveoooooooo> im not sure how Im supposed to bridge my adapters
21:18 < Solarbaby> its not bad if you dont want to play with it much.. but I had to get usb working and samba, and some other things.. including openvpn which is still unsolved
21:18 < ecrist> evening, bitches
21:18 < Solarbaby> Hello ecrist
21:18 < steveoooooooo> eth0 is the internet, so what do I bridge br0 to?
21:18 < ecrist> eth0 and tap0
21:19 < ecrist> erm
21:19 < ecrist> tap0 and whatever interface is your LAN
21:19 < ecrist> usually
21:20 < steveoooooooo> so if the only adapter I have in the machine is for the inet, I need to create a virtual 10.* network first, then bridge tap0 to that?
21:20 < ecrist> wait
21:20 < ecrist> why are you doing a bridge network?
21:20 < ecrist> you're just trying to tunnel internet traffic?
21:21 < steveoooooooo> maybe I dont need one. I have a server, I'd like to be able to connect to it so it acts like a machine on my local net so I can use samba
21:21 < steveoooooooo> maybe I just need openvpn on the server and no bridge
21:22 < ecrist> samba... can be done over bridge or tun. I would recommend tun (easier to set up)
21:23 < ecrist> you'd have to access the share via IP or hostname, and it wouldn't be browsable, though.
21:23 < Solarbaby> good advice
21:23 < steveoooooooo> ecrist, no problem there
21:23 < Solarbaby> thats no fun
21:23 < ecrist> tun also makes things a tad easier to firewall, should the need arise.
21:23 < steveoooooooo> so if the server is running openvpn and I connect, the server will have a local net ip?
21:24 < Solarbaby> krzie: did my log files do you in?
21:25 < ecrist> the server will have a VPN-local net IP.
21:25 < ecrist> and as long as samba is listening to IN_ADDR_ANY, you're good to go
21:26 < Solarbaby> ecrist: you seem like the chief of the channel
21:26 < ecrist> ??
21:26 < ecrist> lol
21:26 < ecrist> thanks.
21:26 < Solarbaby> ecrist: you just really sound like you know whats going on
21:27 < Solarbaby> ecrist: i might very well be the worst uneducated fool to setup openvpn yet
21:27 < Solarbaby> North and South here
21:27 < Solarbaby> hehe
21:28 < ecrist> steveoooooooo: if you follow the howto, or read through !freebsd (ignore OS-specific parts) you should be on the right path.
21:28 < ecrist> Solarbaby: what's your issue, before I go pay my wife some attention?
21:29 < Solarbaby> ecrist: It could take you all night.. im a beginner to networking so just getting a basic vpn that shares my internet connection when im away from home, and my samba file shares is what i need..
21:30 < ecrist> Solarbaby: read !freebsd, and !route
21:30 < Solarbaby> the samba server and the openvpn server are on the same openwrt device
21:30 < ecrist> that should get you down the right path.
21:30 < ecrist> if you're still having problems, hit me up between 0700 and 1500 CST
21:30 < Solarbaby> is it possibly over my head?
21:30 < ecrist> naw
21:30 < Solarbaby> I'll be here
21:30 < ecrist> !freebsd
21:30 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
21:30 < ecrist> !route
21:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
21:30 < Solarbaby> Thank You!
21:30 < Solarbaby> I'll look it over and see if i can figure anything out
21:31 < ecrist> I wrote OpenVPN Server and krzee wrote Routing - ask us if you don't understand something.
21:31 < ecrist> g'night
21:31 < Solarbaby> G'night
21:56 < Solarbaby> I dont understand why ecrist didn't include a client.conf to go with his server.conf
21:56 < Solarbaby> in his howto
22:04 < Solarbaby> he's gotta push route in his server.conf and I dont have one.. I have no idea if I need that
22:19 < dvl> Solarbaby: http://www.freebsddiary.org (my stuff) may have client conf.
22:19 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
22:19 < Solarbaby> Thanks!
22:20 < dvl> np
22:20 < dvl> using it here and now
22:20 < Solarbaby> I've been trying to make this work for weeks
22:20 < Solarbaby> its really really sad
22:22 < dvl> http://www.freebsddiary.org/openvpn-routed.php
22:22 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
22:23 < dvl> Now, what I'd do differently is have openvpn run not as nobody, but as a specialized user.
22:23 < Solarbaby> I liked that you gave credit to ecrist and krzie
22:23 < dvl> This would be a nice exercise I think.
22:23 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
22:23 < dvl> Thanks
22:24 < Ricoshady> do I need to create the tap interface dev, or is that created for me?
22:24 < Solarbaby> you need to have the library
22:24 < dvl> For you I think. You'll see. What OS are you using?
22:24 < dvl> For FreeBSD: kldload if_tap.ko
22:24 -!- AndyML is now known as AwayML
22:25 < dvl> or if_tap_load="YES" in /boot/loader.conf
22:27 < Ricoshady> what library? im using debian
22:27 < Solarbaby> I dont know what im talking about
22:28 < dvl> Solarbaby: try it without doing anything special, then you'll know.
22:28 < Solarbaby> dvl: maybe I should just use the config files you posted in here
22:28 < dvl> Solarbaby: if you're doing the same thing I am...
22:28 < Solarbaby> you've got things like client to client I dont have that in mine
22:28 < Solarbaby> your certificates are in a different directory but thats easy to fix
22:29 < dvl> Yep.
22:29 < Solarbaby> you know i've read that generating the certs was the hardest part, but for me that was the easiest.. I did that in 1 day.. and everything else in 2 weeks and I got not even an inch further
22:29 < Solarbaby> hehe
22:30 < Solarbaby> its really really sad
22:30 < Ricoshady> does anyone know how to create the tap device in linux?
22:30 < Ricoshady> debian
22:31 < dvl> Solarbaby: I've followed those directions for a few client machines now.
22:31 < dvl> Ricoshady: my sympathies. Sorry about Debian. ;)
22:50 < Ricoshady> what is the difference between tap and tun devices?
22:54 < Solarbaby> dvl: i dont have a group nobody on this openwrt system
22:54 < Solarbaby> Ricoshady: tun is better for a lot of things.. like samba
22:54 < dvl> Solarbaby: interesting dilema
22:54 < dvl> and spelling.
22:54 < Solarbaby> Ricoshady: also Tun is more secure
22:55 < Solarbaby> dvl: hey look at me.. I answered a question right
22:56 < Solarbaby> TLS Error: cannot locate HMAC in incoming packet from 192.168.1.220:33078
22:56 < Solarbaby> how do you like that bag of worms?
22:57 < Solarbaby> as far as the nobody group.. I just edited that out..
22:57 < Solarbaby> i'll work more on that part later
23:02 < Solarbaby> dvl: I still get the same errors with yours as I was getting with mine.. read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
23:05 < Solarbaby> dvl: i didn't notice any sections in your writing about firewalls or port forward
23:10 < dvl> Solarbaby: Sounds like there is nothing listening on that port.
23:17 < Solarbaby> Hmmm
23:19 < Solarbaby> it looks like its not making it through my routers firewall
23:19 < Solarbaby> OpenWrt is my router and firewall
23:20 < Solarbaby> I thought I knew what I was doing.. but obviously not
23:37 < Ricoshady> ive got a VPN up and running, the VPN stays open, but I lose ssh connections, any idea
23:37 < Ricoshady> they connect, just disconnects quickly there after
23:38 < Ricoshady> and does the client require the dos window?
23:38 < Ricoshady> id rather not have to keep that going
23:39 < Ricoshady> actually it looks like for whatever reason, the VPN closed the connection and reopened
23:40 < Ricoshady> every few minutes the VPN resets
23:47 < Ricoshady> I even got samba to work over the VPN, but the VPN still resets every 2-5 minutes, killing all open connections
23:56 -!- Solarbaby [n=solarbab@ppp-69-233-0-193.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Jan 12 2009
00:04 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has joined ##openvpn
00:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:07 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
00:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:34 -!- Solarbaby [n=solarbab@ppp-69-232-181-87.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
00:34 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
01:17 < gdfgdfgdfgdfg> anyone know why the VPN cuts out every so often, seemingly randomly? it comes back up, but stuff like ssh dies out because the connection is dropped
01:34 < krzee> have a keep-alive?
01:34 < krzee> using tcp?
01:34 < gdfgdfgdfgdfg> what kind of keep-alive?
01:34 < krzee> any abnormal links involved?
01:34 < krzee> !man
01:34 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:34 < krzee> see --keepalive
01:35 < gdfgdfgdfgdfg> no abnormal links that I know of, one tun connection
01:35 < krzee> i mean like satellite or anything like that
01:35 < gdfgdfgdfgdfg> ohh, no cable
01:36 < gdfgdfgdfgdfg> other than this issue, the VPN is working GREAT!
01:37 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:40 < krzee> --keepalive n m
01:40 < krzee> A helper directive designed to simplify the expression of --ping and --ping-restart in server mode configurations.
01:40 < krzee> For example, --keepalive 10 60 expands as follows:
01:40 < krzee>
01:40 < krzee> if mode server:
01:40 < krzee> ping 10
01:40 < krzee> ping-restart 120
01:40 < krzee> push "ping 10"
01:40 < krzee> push "ping-restart 60"
01:40 < krzee> else
01:40 < krzee> ping 10
01:40 < krzee> ping-restart 60
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:33 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)]
02:35 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
02:39 -!- dazoafk is now known as dazo
02:45 < krzee> !ssl-admin
02:45 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:46 < krzee> ecrist,
02:46 < krzee> [root@nfs /usr/ports/security/ssl-admin]# make
02:46 < krzee> ===> Vulnerability check disabled, database not found
02:46 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
02:46 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/.
02:46 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host
02:52 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
03:02 < krzee> the file doesnt exist in that dir
03:04 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 145 (Connection timed out)]
03:35 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
03:41 < krzee> also ecrist, the svn ssl-admin is spitting errors at my freebsd 7
03:41 < krzee> with perl 5.8.8_1
03:41 < krzee> [root@nfs ~]# ssl-admin
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 366.
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 409.
03:41 < krzee> "my" variable $yn masks earlier declaration in same scope at /usr/local/bin/ssl-admin line 477.
03:41 < krzee> syntax error at /usr/local/bin/ssl-admin line 199, near "$? else"
03:41 < krzee> Execution of /usr/local/bin/ssl-admin aborted due to compilation errors.
03:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
03:48 -!- krzee changed the topic of ##openvpn to: Check your firewall first. || We need !configs and/or !logs || HowTo: http://openvpn.net/howto manual: http://openvpn.net/man || LANs behind openvpn? see !route || Don't ask to ask, just ask, then wait.
04:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
--- Log closed Mon Jan 12 05:01:43 2009
--- Log opened Mon Jan 12 08:09:20 2009
08:09 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
08:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
08:09 -!- Irssi: Join to ##openvpn was synced in 17 secs
08:09 < ecrist> user-keys, yes
08:09 < ecrist> ssl-admin
08:09 < ecrist> !ssl-admin
08:09 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
08:09 -!- ecrist [n=r00t@mtka.claimlynx.com] has quit ["Leaving"]
08:10 -!- You're now known as ecrist
08:15 < krzee> ecrist, umm, but its not working
08:15 < krzee> the link takes you to trac, svn gives a broken version, ports doesnt have it
08:19 -!- zheng [n=zheng@58.33.126.221] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- harpal [n=Harpal@122.169.108.195] has joined ##openvpn
08:23 < harpal> Hey is it Ok, to use certificates generated without openvpn's certificate generation method? Does it accept it?
08:24 < krzee> openvpn's cert generation method?
08:24 < krzee> it just uses openssl to make certs
08:24 < krzee> easy-rsa and ssl-admin are both just frontends for running a series of openssl commands
08:25 < harpal> krzee: Ya, But I have created certificates in OpenSwan an IPSEC VPN.
08:25 < harpal> In that I have use Opelssl
08:25 < harpal> *openssl
08:25 < krzee> ipsec uses normal ssl certs for connecting?
08:26 < krzee> im thinking no
08:26 < harpal> krzee: no, It has CA authority and certs with password
08:26 < harpal> also self-signed certs available
08:26 < krzee> sounds like thats normal ssl certs
08:26 < krzee> *shrug* maybe then
08:27 < krzee> i can guarantee that the clients / server will not interconnect to openvpn tho
08:27 < krzee> whether or not you can re-use the certs, i have no idea
08:27 < krzee> i dont use ipsec
08:28 < harpal> krzee: I think I have to test it and Lets see what happen :D
08:28 < krzee> you doing that so you dont need to re-deploy certs to all your clients?
08:30 < harpal> krzee: nope, dont re-create certs separately for IPSEC and openvpn
08:30 < ecrist> oh, expect svn to be broken at any given time
08:30 < krzee> ecrist, but theres no tgz download
08:30 < ecrist> that's why I'm hoping, this week, to have a few various bundled releases.
08:30 < krzee> ahh
08:30 < ecrist> for the tgz
08:31 < krzee> new mods?
08:31 < ecrist> krzee - side effect of me having a day job, starting a small business, baby on the way, and remodeling my house.
08:31 < krzee> wow bro
08:31 < krzee> busy man
08:32 < ecrist> oh, and I'm still a reserve sheriff's deputy on the side of all that.
08:32 < ecrist> damn, I think I need to cut back.
08:32 < krzee> your biz all in person or you do anything online?
08:32 < ecrist> biz is all in person. security systems, cameras, that sort of thing
08:32 < ecrist> that's really my 'trade' is low-voltage wiring.
08:33 < krzee> werd
08:33 < ecrist> I managed to sucker my current employer into thinking I knew what I was doing behind a keyboard.
08:33 < krzee> we woulda done good as a team 08:33 < ecrist> aye 08:33 < krzee> i did phone systems and networks, never did the cabling or phys security 08:34 < krzee> although im fully capable of re-keying locks 08:34 < krzee> with a master key for the building 08:34 < krzee> and a grand-master for multiple buildings 08:34 < krzee> (i taught a locksmith some unix, he taught me how to key locks) 08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 08:35 < ecrist> ah, I did that for a while - you familiar with Best locks? 08:35 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 08:35 < krzee> neg 08:36 < ecrist> I worked for them in their electronic access control division (worked for IR, too (owns Schlage)) - learned how to pin and combinate locks there 08:36 < krzee> ahh nice 08:36 < ecrist> learned how to pick and defeat locks there, too. 08:36 < krzee> schlage is good 08:36 < krzee> ya i taught myself that one 08:36 < krzee> i keep picks with me 08:37 < ecrist> taught my father-in-law over christmas how to defeat most padlocks with a piece of aluminum cut from a pop can. 08:37 < ecrist> he was stunned. 08:37 < krzee> http://www.lockpicks.com/browseproducts/Dyno-KWIK-Pick.html 08:37 < vpnHelper> Title: Dyno KWIK Pick (at www.lockpicks.com) 08:37 < ecrist> took me longer to cut the aluminum than to defeat the lock. 08:37 < krzee> thats what i keep on me 08:37 < krzee> ya 08:37 < krzee> done that 08:37 < krzee> but i actually bought pre-made picks of the same nature 08:38 < ecrist> it looks more bad-ass to mcguyver it. ;) 08:38 < krzee> the kind you just push in through the top, same method 08:38 < ecrist> yep 08:39 < krzee> haha thats true 08:39 < krzee> i had to pick my old house with paper clips 2x 08:39 < ecrist> doesn't work on the 'American' locks I was issued in the Army, or my 'Best' locks. 
08:39 < krzee> locked myself out and didnt have my kwik pick yet 08:39 < krzee> so my picks were in the house 08:39 < krzee> schlage is pick resistant too cause of the bottom 08:39 < krzee> but you can bump it easy enough 08:39 < ecrist> lol 08:40 < krzee> bumping looks pretty mcguyverish too 08:40 < krzee> you know the technique im referring to? 08:41 < ecrist> when I worked for IR, I made a couple 040404 and 4040404 keys - our mech guy didn't realize why for a few minutes 08:41 < krzee> lol 08:41 < krzee> ok ya you know it 08:41 < krzee> lol 08:41 < ecrist> I've never been able to pick a Medecco lock, though 08:43 < krzee> well ya 08:43 < krzee> youd need to hack the rfid too 08:43 < krzee> which can and has been done 08:43 < krzee> but shit, it aint easy 08:43 < krzee> its more of POC 08:44 < krzee> whoa 08:44 < krzee> http://blog.wired.com/27bstroke6/2008/08/medeco-locks-cr.html 08:44 < vpnHelper> Title: Researchers Crack Medeco High-Security Locks With Plastic Keys | Threat Level from Wired.com (at blog.wired.com) 08:45 < ecrist> hrm 08:45 < ecrist> now, EAC systems I can crack. 08:46 < ecrist> ah, see, that still doesn't work on the Schlage high-security locks. 08:47 < ecrist> they have a second set of pins set at a 45* angle - keys have to be laser-cut. 08:47 < ecrist> |/ - like so 08:47 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 09:00 < krzee> always 45 degrees? 09:01 < krzee> sounds still bumpable if always 45 09:03 -!- kyrix [n=ashley@93-82-5-0.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 09:03 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 09:06 < ecrist> krzee: if you're on a freebsd system, why are you using the svn version, rather than ports? 09:07 < krzee> [10:18] the link takes you to trac, svn gives a broken version, ports doesnt have it 09:07 < krzee> [04:49] => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/. 
09:07 < krzee> [04:49] => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/. 09:07 < krzee> [04:49] fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host 09:07 < krzee> because ports cant get it 09:07 < krzee> and i cant put the tgz in distfiles, cause theres no tgz 09:09 < ecrist> oh, ports can get it now... 09:10 < ecrist> my FTP was broken, cause of my internet bill not being paid (truck seat gobbled it up last week) 09:10 < ecrist> it's paid now, after a friendly reminder from the disconnect fairy 09:10 < krzee> ahh nice 09:11 < krzee> => ssl-admin-1.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/. 09:11 < krzee> => Attempting to fetch from ftp://ftp.secure-computing.net/pub/FreeBSD/ports/. 09:11 < krzee> fetch: ftp://ftp.secure-computing.net/pub/FreeBSD/ports/ssl-admin-1.0.tar.gz: No route to host 09:11 < krzee> => Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/. 09:11 < krzee> fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/ssl-admin-1.0.tar.gz: File unavailable (e.g., file not found, no access) 09:11 < krzee> => Couldn't fetch it - please try to retrieve this 09:12 < krzee> => port manually into /usr/ports/distfiles/ and try again. 
09:12 < krzee> btw, i was able to get into your ftp manually last night 09:12 < krzee> the file wasnt there 09:12 < krzee> well i think it was yours, it was late 09:12 < ecrist> fuck 09:12 < ecrist> lemme look 09:12 < krzee> oh no wasnt yours 09:13 < krzee> i still cant get in your ftp 09:13 < krzee> it was fbsd.org that didnt have it 09:14 < ecrist> there 09:14 < krzee> just tested your ftp from chicago and san diego 09:14 < krzee> no dice 09:15 < krzee> oh 09:15 < krzee> there it goes 09:15 < ecrist> my ftp daemon was listening to the old IP address 09:15 < krzee> ahh 09:15 < ecrist> must have missed it a couple weeks ago when I had to change ip space 09:15 < krzee> hehe done that before 09:17 < krzee> cool, bbiaf 09:17 < krzee> headed to the dentist 09:17 < krzee> while it generates my 4096bit keys 09:20 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 09:20 < krzee> Generating a 4096 bit RSA private key 09:20 < krzee> ....................................................++ 09:20 < krzee> ....................................................++ 09:20 < krzee> writing new private key to 'hash.key' 09:20 < krzee> that does NOT feel right 09:24 < ecrist> let me look at the source 09:24 < ecrist> that's not me. 09:24 < ecrist> that openssl - so if there's an error, it there. 09:26 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 09:26 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 131 (Connection reset by peer)] 09:29 -!- harpal [n=Harpal@122.169.108.195] has quit [Read error: 104 (Connection reset by peer)] 09:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 09:31 < ecrist> morning, plaerzen 09:31 < plaerzen> morning ecrist and the rest of ovpn 09:45 < tjz> tjz.ovpn enabled 09:45 < tjz> what's up? 09:45 * tjz connected... 09:46 < tjz> yes sir.. 09:48 < ecrist> sup? 
09:51 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 10:00 < krzee> ya 10:00 < krzee> thats definitely openssl 10:00 < krzee> but i disagree about the no error thing 10:01 < krzee> there is no way this weak-ass box made a 4096 key that fast 10:04 < krzee> mornin plaerzen 10:08 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit [Read error: 110 (Connection timed out)] 10:10 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:20 < rubydiamond> Hi people 10:20 < rubydiamond> dazo: 10:20 < rubydiamond> Mon 01/12/09 09:53 PM: expected peer address: 61.8.142.106:11668 (allow this incoming source address/port by removing --remote or adding --float) 10:20 < rubydiamond> getting above error 10:20 < rubydiamond> ecrist: ^ 10:20 < krzee> same address, right? 10:21 < krzee> the peer really is at 61.8.142.106...? 10:21 < rubydiamond> hmm 10:21 < rubydiamond> krzee: dont know 10:21 < krzee> how dont you know? 10:21 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:21 < rubydiamond> krzee: oslo.mangospring.net 10:21 < rubydiamond> its this 10:22 < krzee> ok ya thats same ip 10:22 < krzee> add float 10:22 < krzee> !man 10:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 10:22 < krzee> --float 10:22 < krzee> Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used). --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. 
This is useful when you are connecting to a peer which holds a dynamic address s 10:22 < krzee> uch as a dial-in user or DHCP client. 10:22 < krzee> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option. 10:23 < rubydiamond> krzee: what exact line should I add? 10:23 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:23 < krzee> float 10:24 < rubydiamond> krzee: check pm 10:24 < krzee> why pm? 10:24 < krzee> add the word float 10:25 < rubydiamond> okay 10:25 < krzee> [12:28] *!rubydiam@unaffiliated/rubydiamond* added to ignore list. 10:25 < krzee> dont do that again 10:25 < krzee> !pastebin 10:25 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:25 < krzee> if you need to paste your config, do it that way 10:26 < rubydiamond> hmm 10:26 < rubydiamond> okay 10:27 < ecrist> you've been told that before, iirc 10:27 < rubydiamond> krzee: https://gist.github.com/768317f51404e11d5cf9 10:27 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com) 10:27 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 10:28 < krzee> [12:26] krzee: what exact line should I add? 10:28 < rubydiamond> krzee: nothing happens.. it stops there 10:28 < krzee> [12:27] float 10:28 < rubydiamond> sorry krzee 10:29 < krzee> hrm 10:29 < krzee> odd that youd get that error now 10:29 < krzee> did you kill openvpn and start it again? 10:29 < rubydiamond> krzee: on server? 
10:29 < krzee> maybe forgot to put 1 side back up 10:30 < krzee> put float in whatever config was complaining 10:30 < krzee> kill both sides 10:30 < krzee> start server 10:30 < krzee> start client 10:30 < rubydiamond> krzee: I cannot kill the server side 10:30 < rubydiamond> its in my office 10:30 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"] 10:30 < krzee> it was client complaining? 10:31 < rubydiamond> krzee: yes 10:31 < krzee> ok 10:31 < krzee> add float 10:31 < krzee> kill client start client 10:31 < krzee> oh, do you have redirect-gateway in your config? 10:32 < rubydiamond> krzee: it stops here https://gist.github.com/768317f51404e11d5cf9 10:32 < vpnHelper> Title: gist: 768317f51404e11d5cf9 GitHub (at gist.github.com) 10:32 < krzee> no it doesnt 10:32 < krzee> it pauses there 10:32 < krzee> [12:34] oh, do you have redirect-gateway in your config? 10:33 < rubydiamond> krzee: here is my config https://gist.github.com/6d4cf59a469f1b6d47cd 10:33 < vpnHelper> Title: gist: 6d4cf59a469f1b6d47cd GitHub (at gist.github.com) 10:33 < rubydiamond> krzee: is there any redirect-gateway? 10:35 < rubydiamond> krzee: ? 10:35 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn 10:36 < suprsonic> can I specify a subnet when creating a site to site vpn with ifconfig ? 10:38 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 10:38 < rubydiamond> krzee: could you please help 10:40 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:41 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 10:41 < krzee> rubydiamond, it would be in the server config 10:42 < krzee> suprsonic, a subnet? 
10:42 < rubydiamond> krzee: oh sad 10:42 < suprsonic> yes 10:42 < krzee> for what use suprsonic 10:42 < suprsonic> site to site vpn 10:42 < suprsonic> right now I have two tunnel devices 10:42 < krzee> the subnet would be for what use 10:42 < suprsonic> each assigned a /24 range from what I can tell 10:43 < suprsonic> so like tun0 = 192.168.1.0/24 and tun1 = 192.168.2.0/24 10:43 < krzee> no, and what would be the point? 10:43 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn 10:43 -!- AwayML is now known as AndyML 10:43 < suprsonic> so I don't blow a whole /24 subnet 10:43 < krzee> umm, i dont get it 10:44 < suprsonic> would prefer to subnet into /30 subnets 10:44 < krzee> you're talkin bout blowing 2 of them 10:44 < krzee> a site to site only uses 2 ips 10:44 < krzee> nothing but the 2 ips 10:44 < krzee> the /30 stuff is for server/client 10:45 < krzee> you're talkin point to point, only 2 ips, no /24's 10:45 < suprsonic> okay 10:45 < suprsonic> so ar eyou saying I can do this 10:45 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:45 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4? 10:46 < krzee> # 10.1.0.1 is our local VPN endpoint 10:46 < krzee> # 10.1.0.2 is our remote VPN endpoint 10:46 < krzee> ifconfig 10.1.0.1 10.1.0.2 10:46 < krzee> (from the manual) 10:46 < krzee> (also in openvpn.net/examples.html 10:46 < krzee> ) 10:47 < suprsonic> tun0 = 192.168.0.1-2, tun1 = 192.168.0.3-4? 10:47 < suprsonic> are you saying I can do that? 10:47 < krzee> 2 tuns on same machine? 
10:47 < suprsonic> yes 10:47 < krzee> lets say tun0 connects to box1 10:48 < krzee> tun0 would be 0.1 10:48 < suprsonic> agreed 10:48 < krzee> box1 would have a tun with 0.2 10:48 < krzee> lets say tun1 connects to box2 10:48 < suprsonic> agreed 10:48 < krzee> tun0 would be 0.3 10:48 < krzee> box2 would have a tun with 0.4 10:48 < krzee> oops 10:48 < suprsonic> oh 10:48 < krzee> tun1 would be 0.3 10:48 < krzee> box2 would have a tun with 0.4 10:48 < suprsonic> yeah 10:48 < suprsonic> okay 10:49 < krzee> dev tun 10:49 < krzee> remote mypeer.mydomain 10:49 < krzee> ifconfig 10.1.0.1 10.1.0.2 10:49 < krzee> secret static.key 10:49 < krzee> thats an entire config 10:50 < suprsonic> keepalive? 10:50 < suprsonic> hehehhe 10:50 < krzee> other side would be the same, but remote to other box and ifconfig reversed 10:50 < krzee> ya keepalive is a good thing to add 10:50 < krzee> im just giving you the simplest example from the manual 10:50 < krzee> On may: 10:50 < krzee> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key 10:50 < krzee> On june: 10:50 < krzee> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key 10:51 < suprsonic> thanks for the help! 10:51 < krzee> yw 10:57 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit ["Leaving"] 10:58 < krzee> !servercert 10:58 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 11:11 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has joined ##openvpn 11:11 < suprsonic> krzee so can ospf be used between links? 
11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn 11:13 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"] 11:20 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out] 11:22 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 11:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:36 -!- kyrix [n=ashley@91-115-183-128.adsl.highway.telekom.at] has quit [Connection timed out] 11:36 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has joined ##openvpn 11:45 < kyrix> inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255 that does the p-t-p address stand for? 11:45 < kyrix> is that the server ip, or the client ip in the tunnel? 11:47 < kyrix> and when i set push route ... to allow access to the servers network, its set the gw to 10.8.142.5, but the server is 10.8.142.1, any ideas where i am messing up? 11:48 * dazo thought p-t-p links had 255.255.255.252 as netmask .... 
maybe he remembers wrong 11:51 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:52 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 11:56 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone 11:56 -!- Netsplit over, joins: mcp, Typone 11:57 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: mcp, Typone 11:58 -!- Netsplit over, joins: mcp 11:59 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn 12:07 -!- kyrix [n=ashley@93-82-15-151.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 12:11 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:11 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has joined ##openvpn 12:12 < vladi> hi, i have multiple openvpn clients on the same machine whats the proper way to enable the management interface? 12:14 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 12:19 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:21 -!- dazo is now known as dazoafk 12:23 < xattack> hello guys , has anybody been successful to compile openvpn in windows , since rc13 and with the prebuilds ? 12:25 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has left ##openvpn [] 12:30 -!- AndyML is now known as AwayML 12:40 -!- jeiworth_ [n=jeiworth@189.163.173.75] has joined ##openvpn 12:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:42 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 12:44 < jeiworth_> hi @ll, i am currently implementing openvpn on ubuntu as testsystem for a company and so far everything seems to be working ok :-) anyway, it might be that i will have to train somebody to manage the server (primarily creating and distributing client-keys and installing and configuring openvpn on windows xp and vista boxes) so i am looking for a decent gui for the openvpn server. 
i am a bit worried about the links provided on the openvpn site since 12:44 < jeiworth_> they all seem to be quite old and no longer maintained, the webmin plugin might be a solution but webmin is no longer in the official repos of ubuntu, but then again neither are any of the guis... anyone got any tips or recommendations? 12:45 -!- jeiworth_ is now known as jeiworth 12:48 -!- int [n=quassel@wikia/int] has joined ##openvpn 12:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:49 < jeiworth> !route 12:49 < vpnHelper> jeiworth: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 13:13 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)] 13:31 < reiffert> xattack: at least one guy ... 13:32 < reiffert> jeiworth: see that pic on openvpn.net? http://openvpn.net/images/webgui-screenshot.png 13:34 < jeiworth> hi reiffert, yep 13:36 < jeiworth> which one is that? 13:37 < reiffert> openvpn web gui 13:41 < jeiworth> reiffert: ok, is that built in? on openvpn.net i only find information about how to set up the management interface and when i go to the gui-link it only lists me external tools 13:41 < jeiworth> :-/ 13:43 < reiffert> it's not built in. 13:49 < jeiworth> well, thats what i thought, i already found it and latest version is 0.3 beta from september 2005 13:50 < reiffert> It's working quite well. 13:51 < reiffert> so why should one develop a working thing? 13:51 < reiffert> rename it to 1.0.0.0.__FINAL__.0.0.0? 13:52 < reiffert> after all the whole PKI stuff is some shell scripts, building and signing and key deployment is a three step thing. 13:52 < jeiworth> hehe ok, my concern here is more in the direction whether the webgui from 2005 supports all features of openvpn 2.1, that is all ;) 13:53 < xattack> reiffert : thks man , and do you know if he has some feedback about this work , or in this "system" ( I mean ms WIN) 13:54 < xattack> ;) 13:55 < reiffert> jeiworth: it supports PKI, thats all. 
13:56 < reiffert> xattack: all I know is one can download the binary images from openvpn.net, did you try the mailinglist/author yet? 13:58 < xattack> not yet tried that , i have the binary prebuilds and the mingw environment , and when i tried to compile it , just fail !! 13:58 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn 13:58 < phretor> hello 13:59 < phretor> I am having troubles using bridge-start/stop scripts 13:59 < xattack> well , not like that , something in the cryptoapi.c and wincrypt.h points an error , but just in Win systems in all *nixes this works fine 14:00 < reiffert> Last time I tried myself on win32, I stopped after 2 hours with winsuck() switching to cygwin where everything looks fine again. 14:01 < jeiworth> reiffert: kk thanks, will give it a try 14:03 < phretor> this is my network scheme: Internet <---> DSL <----> [WAN:router:LAN 192.168.1.0/24] <---> [eth0(192.168.1.55):openvpn-server:tap0,br0] and this is the server config file: http://pastie.org/358935 14:03 < xattack> reiffert: thanks , jajaja im gonna still try this , I was successful to compile version 2.1_rc7 with MSVC express but not 2.1_rc13 with mingw and prebuilds 14:05 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 14:05 < phretor> here is the bridge-start http://pastie.org/358936 script 14:06 < phretor> is it correct that the script attempt to assign eth0's address to br0? 14:06 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection] 14:08 < phretor> any suggestion? 14:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [] 14:16 -!- phretor [n=phretor@host179-156-dynamic.21-79-r.retail.telecomitalia.it] has quit [] 14:17 -!- int [n=quassel@wikia/int] has joined ##openvpn 14:17 < reiffert> xattack: rite, msvc express, should have mentioned that before 14:17 < xattack> ? 
14:18 < reiffert> xattack: it exists, downloadable at m$.com 14:19 < xattack> yes , i have it installed in this computer , but as far as i have read the new compiling method is just with mingw , not msvc or any other , am I right ? 14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:39 < reiffert> xattack: I have no idea. 14:49 < xattack> reiffert : ok thanks , im still looking for the solution for this , see ya later 14:49 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 15:35 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 15:44 < krzie> sup reif 15:59 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn 17:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:51 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 17:51 < Ricoshady> are there any special things I can do to help optimize, stabilize openvpn and samba? 17:53 < krzie> well 17:54 < krzie> if using tun, wins server helps 17:54 < krzie> if using tap, switching to tun and running wins 17:54 < krzie> (to have less overhead) 17:55 < krzie> if using tcp, going to udp will help big time 17:55 < krzie> and checking your MTU could help if its not optimal 17:56 < krzie> if you wanna know how or why for any of those, say so 18:36 < Ricoshady> what does the wins server do? 
basically, its a little choppy, its comes up, but if the vpn fails, and restarts, the share doesnt always pop back up right away 18:36 < Ricoshady> im on udp 18:37 < Ricoshady> using tun 18:37 < Ricoshady> not sure about MTU, set to default whatever that would be 18:40 < krzie> Ricoshady wins is not part of openvpn 18:40 < krzie> but it may help you a bunch 18:40 < krzie> you could think of it as DNS for netbios 18:41 < krzie> and since samba is made to be a layer2 protocol, when you use it as layer3 you should run samba 18:41 < krzie> it should help them pop back up 18:41 < krzie> !mtu 18:41 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 18:41 < krzie> #2 is easiest way 18:46 < Ricoshady> dont mind giving it a try, what wins server do you recommend, linux? 18:46 < Ricoshady> do I need to configure samba to use the wins server? or how does it work? 18:46 < krzie> its a 1 line addition to your samba config 18:46 < krzie> samba is the wins server 18:47 < Ricoshady> wait, so i dont need to install anything? how do I turn on the wins server? 
18:47 < krzie> nothing extra to install 18:48 < krzie> by adding a line to samba config 18:48 < Ricoshady> whats the line 18:48 < krzie> http://oreilly.com/catalog/samba/chapter/book/ch07_03.html 18:48 < vpnHelper> Title: [Chapter 7] 7.3 Name Resolution with Samba (at oreilly.com) 18:48 < krzie> ive never used samba 18:48 < krzie> but thats all you should need to know 18:49 < krzie> you cant use bcast 18:49 < krzie> but the other 3 methods should be fine 18:49 < krzie> lmhosts / hosts are static files 18:50 < krzie> wins option is dynamic 18:50 < Ricoshady> trying it out 18:50 < krzie> 7.3.3 Setting Up Samba as a WINS Server 19:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 19:52 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:58 -!- vladi [n=vladi@206-169-1-36.static.twtelecom.net] has quit ["Lost terminal"] 19:58 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)] 20:05 -!- tjz [n=tjz@121.7.98.165] has joined ##openvpn 20:06 < tjz> wow 20:06 < tjz> my auto join works for openvpn channel now 20:06 < tjz> no idea what kind of changes is make on the irc server.. 20:11 < ecrist> evening, bitches 20:11 < krzie> tjz, all depends if your nickserv auths before trying to join 20:12 < krzie> may get lucky sometimes if your client doesnt have the option to wait 20:12 < ecrist> I removed the +r from the channel 20:12 < krzie> ahhh 20:12 < krzie> that would do it too 20:12 < krzie> hehe 20:14 < tjz> eric!! 20:14 < tjz> no wonder it works now! 20:14 < tjz> hahahaha 20:15 < ecrist> we don't like you though, so.... 20:15 < krzie> lol 20:15 < tjz> x_x 20:15 < tjz> :( 20:15 -!- mode/##openvpn [+r] by ChanServ 20:15 < tjz> oh no 20:15 < krzie> poor tjz 20:15 < tjz> :P 20:15 < tjz> i have to do extra work 20:15 < tjz> like eg. 
type /join openvpn manually 20:15 < tjz> hehehehe 20:16 -!- mode/##openvpn [+o ecrist] by ChanServ 20:16 -!- mode/##openvpn [-r] by ecrist 20:16 -!- mode/##openvpn [-o ecrist] by ecrist 20:17 -!- mode/##openvpn [+o tjz] by ChanServ 20:17 -!- mode/##openvpn [+o krzie] by ChanServ 20:17 <@tjz> x_x 20:17 -!- mode/##openvpn [-o tjz] by krzie 20:17 < tjz> op is abusing the channel bot 20:17 -!- mode/##openvpn [-o krzie] by krzie 20:17 < krzie> hehe 20:17 < tjz> lol 20:18 < krzie> <-- bored 20:18 -!- mode/##openvpn [+o ecrist] by ChanServ 20:18 -!- krzie was kicked from ##openvpn by ecrist [ecrist] 20:18 -!- mode/##openvpn [-o ecrist] by ecrist 20:19 < ecrist> lol 20:19 < simplechat> what? 20:20 -!- simple_bot [n=betabot@betacorp.net] has joined ##openvpn 20:20 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 20:20 < tjz> oh man 20:21 < ecrist> <-- bored 20:21 < tjz> lol 20:21 < tjz> not another one 20:21 < tjz> lol 20:21 < tjz> <-- i'm alittle bored 20:21 < tjz> LOL 20:21 < ecrist> why is there another bot in here? 20:21 < krzie> another bot? 20:22 < tjz> don't think we have another bot.. 20:22 < tjz> chanserv is the only one around.. 20:22 < tjz> oh 20:22 < krzie> not true tjz 20:22 < tjz> we have brother vpnHelper 20:22 < tjz> ehhehe 20:22 < krzie> yup 20:22 < tjz> !help sex 20:22 < vpnHelper> tjz: Error: There is no command "sex". 20:22 < tjz> lol 20:22 < krzie> oh simple_bot 20:22 < krzie> hrm 20:23 < krzie> ... CTCP VERSION reply from simple_bot: xchat 2.8.4 Linux 2.6.27.9-73.fc9.i686 20:23 < krzie> [i686/2.39GHz/SMP] 20:23 < krzie> seems to just be the name 20:23 < simple_bot> what are you doing? 20:23 < simple_bot> krzee, ? 
20:23 < krzie> trying to figure out if you were a bot, lol
20:24 < tjz> LOL
20:24 < simple_bot> of course i'm not a bot
20:24 < tjz> omg
20:24 < simplechat> i'm just bounced
20:24 < ecrist> your nick would imply otherwise
20:24 -!- simple_bot is now known as simple_not_a_bot
20:24 < krzie> im sure you can see how the name would throw me off
20:24 < simple_not_a_bot> better?
20:24 < krzie> hahaha
20:24 < ecrist> much better
20:24 < tjz> sexual abuse the simple_bot
20:24 < tjz> hehehehe
20:24 < simple_not_a_bot> tjz, computer says no
20:24 < tjz> LOL
20:24 < simple_not_a_bot> :)
20:25 < simple_not_a_bot> .....
20:25 -!- simple_not_a_bot [n=betabot@betacorp.net] has left ##openvpn ["Leaving"]
20:25 < ecrist> aw
20:25 < ecrist> he must not have liked my /ctcp simple_not_a_bot in_teh_butt
20:59 -!- Plecebo [n=larry@c-67-170-22-144.hsd1.wa.comcast.net] has quit ["Ex-Chat"]
20:59 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
21:04 < krzie> sq 4595
21:04 < krzie> #4595: * krzee penetrates tdc's network * tdc is scared of krzee
21:04 < krzie> krzee stop haxing tdc haxing!? im
21:04 < krzie> having sexual relations with his network
21:04 < tjz> LOL!!!
21:04 * tjz rolling around.. LOL
21:04 < krzie> hehehe
22:41 -!- hackmykack2345 [n=neil@122.169.104.151] has joined ##openvpn
22:42 < hackmykack2345> hi Guys
22:43 < hackmykack2345> needed some help trying to connect to an openvpn server from multiple clients using the same key
22:43 < hackmykack2345> was wondering if that is even possible
22:44 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:49 < dvl> Why would you want duplicate keys?
22:49 < dvl> What is the problem?
22:49 < hackmykack2345> dvl: Hey dvl .. thnx for replying !!!
22:49 -!- tjz [n=tjz@121.7.98.165] has quit [Read error: 110 (Connection timed out)]
22:50 < hackmykack2345> dvl: i wanted multiple people to connect to my openvpn server
22:51 < hackmykack2345> dvl: should I just start multiple instances of openvpn with separate conf and key files?
22:51 < hackmykack2345> dvl: or is there an easier method ?
23:00 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has joined ##openvpn
23:00 < dvl> hackmykack2345: create one openvpn server, to which multiple clients can connect.
23:00 < Solarbaby> dvl: ready for round 2?
23:00 < dvl> http://www.freebsddiary.org has how I did it.
23:00 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
23:00 < dvl> Solarbaby: no, I'm ready for bed.
23:00 < Solarbaby> heheh I dont blame ya
23:00 < Solarbaby> I changed my router since the last time we spoke
23:01 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
23:01 < Solarbaby> dvl: thanks for the help the other day
23:03 < hackmykack2345> dvl: so the CA way is the way to go then ?
23:03 < hackmykack2345> dvl: shall read up on your link .. thnx so much for the help
23:04 < hackmykack2345> dvl: have a great evening / night
23:17 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 148 (No route to host)]
23:33 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
--- Day changed Tue Jan 13 2009
00:11 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
00:11 -!- hackmykack2345 [n=neil@122.169.104.151] has left ##openvpn ["Leaving"]
00:30 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
00:32 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
00:33 < Ricoshady> in examples I read, after the vpn is up, they add a route... im not sure what this is for... the example added a route for 10.0.1.0, but I change the ip address to 10.108.42.1, so what route should I add and what is its purpose?
00:40 < Ricoshady> also, when I build the keys after a make-clean, are the keys going to be different if I put in same values when building the certs?
00:44 < krzee> same values for what
00:49 < Ricoshady> the cert values, common name, etc
00:49 < Ricoshady> or does build-dh create unique keys each time
00:50 < Ricoshady> im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same
00:53 < Ricoshady> also, what if I want to create new client keys after I went thru the whole process
01:05 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has joined ##openvpn
01:05 < Jorj> !route
01:05 < vpnHelper> Jorj: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
01:10 < Jorj> I'm just starting to learn some things about openvpn and have a small question, most configs I have seen seem to assume a local ip of the server. But I'm trying to configure the setup: internet on client is provided via cisco vpn, but I want to use an openvpn tunnel to access internet locations via a VPS, where the openvpn server should be hosted.
01:12 < krzee> the cisco vpn is totally separate?
01:12 < Jorj> My VPS doesn't have a local ip though, only an external one, setting one in the config doesn't work. But I can already connect to the openVPN on the VPS. But I can't ping the virtual ip of the server (10.10.10.1 according to the ifconfig), neither can I access internet locations only accessible via the VPS. I know this is probably some firewall/routing problem, but I would appreciate any general guidelines.
01:12 < krzee> or you are hoping to hook openvpn up to cisco?
01:13 < Jorj> It should be configured such that all the internet is then routed via the openvpn.
01:13 < Jorj> Yes, I'm in a local network where the internet is provided through VPN.
01:13 < krzee> ok
01:13 < Jorj> (that cisco vpn).
01:13 < krzee> on the vps
01:13 < krzee> you put the ip it has
01:13 < krzee> if that is inet routable, so be it
01:14 < Ricoshady> does anyone have suggestions on the server/client keys? what if after I've run build-dh I need more client keys?
01:14 < krzee> whatever local address it can bind to
01:14 < krzee> Ricoshady, make them...?
01:14 < krzee> [02:54] im just wondering, if someone got hold of the keys, youd want to generate new ones, wanted to know if I went thru the same process, would the keys come out the same
01:15 < Jorj> krzee: Do you mean setting the local var in the server.conf, to the internet ip?
01:15 < Jorj> I'm not really experienced, sorry. :-)
01:15 < krzee> if that is the ip in ifconfig, yes
01:15 < Jorj> Well, I tried that, but I couldn't start the server.
01:16 < krzee> then you prolly have another problem, are you looking at your logs?
01:16 < Jorj> And I couldn't find an error.
01:16 < Jorj> Hm yeah, I tried looking in messages, where I could see other openvpn related error messages, but none showed up.
01:17 < krzee> Ricoshady, you would add the compromised keys to your CRL
01:17 < krzee> and build more keys
01:17 < krzee> as long as the ca.key is not compromised, your vpn is safe
01:17 < krzee> Jorj,
01:17 < krzee> !logs
01:17 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
01:17 < Jorj> Found the error. :P
01:17 < krzee> !configs
01:17 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:17 < krzee> ahh
01:17 < krzee> ill bbiad
01:17 < krzee> ill bbiaf
01:18 < krzee> getting smokes
01:18 < Jorj> Thanks for the help already. :-)
01:18 < Ricoshady> so I can continue to create more client keys without running build-dh?
01:18 < Ricoshady> im not sure what the CRL is
01:23 < Ricoshady> how do I put client keys in the CRL?
01:26 < Jorj> krzee: I have restarted the VPS openvpn-server with the local parameter set to the external/internet ip. The ip address of the tun adapter is 10.10.10.1 and the ip of the connected client is 10.10.10.6. I still can't ping the 10.10.10.1 (VPS virtual ip) from the client (or the other way around). I think I have to get this figured out before I have to add the route parameters, right? Since the routing will go through the virtual ip? :
01:27 < Jorj> 10.10.10.6 -> 10.10.10.1 -> "local": internet ip
01:33 < dazoafk> Ricoshady: you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) ... that will create the CRL file for you
01:33 -!- dazoafk is now known as dazo
01:34 < dazo> Ricoshady: CRL = Certificate Revocation List ... contains certificates which have been revoked, and if a client tries to connect with a certificate which has been revoked (listed in the CRL), the user will be denied access immediately
01:34 -!- rodpod [i=rod@hick.org] has joined ##openvpn
01:37 < krzee> Jorj, if you have no errors, your problem could be that you have your inet over a vpn
01:38 < krzee> having not tested that myself, i cant say
01:39 < Jorj> Well, it's annoying that I don't have another connection to test, bleh. But in theory it should work I think.
01:41 < Jorj> It's so weird that I can't ping the connected client from the VPS...
01:41 < Jorj> client-to-client is enabled too.
01:44 < krzee> client-to-client has nothing to do with that
01:44 < krzee> if its not your firewall, its your vpn breaking the routing
01:44 < krzee> in fact it makes sense that the vpn would break the routing
01:45 < krzee> since openvpn reaches the vpn via routing table, which would break your cisco vpn connection even if it worked
01:45 < krzee> which would keep it from working even then
01:45 < krzee> since you have no inet without that
01:45 < krzee> so ya, my vote says it wont happen
01:46 < Jorj> Ha, yeah, could be. :P Problem is, my inet is filtered by the cisco vpn. I even had to run the openvpn at tcp instead of udp, because the cisco firewall blocks most udp connections.
01:47 < Jorj> But it also blocks certain websites and in general most ports, disabling online gaming and other uses the internet was intended for (;)). :P
01:48 < Jorj> I thought, I'll tunnel all that traffic so I can play a game, or just access unrestricted internet.
01:48 < krzee> socks
01:48 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
01:48 < krzee> or ssh tunnels
01:48 < Jorj> Yeah, but not for games, unless using a special program to let the game use the proxy?
01:49 < Jorj> Because I can't config socks/proxy for most games.
01:49 < krzee> i use proxifier to tunnel anything that uses tcp/ip through socks
01:49 < Jorj> Oh really, I tried proxifier actually.
01:49 < Jorj> I'll set up a simple socks proxy via ssh and try that, thanks.
01:49 < krzee> np
01:49 < krzee> note, this isnt a help channel for that, so i wish you good luck with it
01:50 < Jorj> Yes, I know, but you helped anyway. Thanks. :-)
01:51 < krzee> np
01:52 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
01:52 < krzee> also
01:52 < krzee> if those games communicate over lan normally (layer2) socks wont help you
01:52 < Ricoshady> dazo, thanks... so after I create the CRL, do I need to put something in the config? and copy the CRL somewhere?
01:53 < krzee> !man
01:53 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:53 < dazo> Ricoshady: 10 points!
01:53 < dazo> !crl
01:53 < vpnHelper> dazo: Error: "crl" is not a valid command.
01:53 < dazo> darn
01:53 * dazo wanted to be clever :-P
01:53 < krzee> --crl-verify crl
01:53 < krzee> Check peer certificate against the file crl in PEM format.
01:53 < krzee> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.
01:53 < krzee> Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.
01:53 < krzee> The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
01:53 < krzee> dazo, good call tho
01:54 < dazo> :)
01:54 < krzee> !learn crl as --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
01:54 < vpnHelper> krzee: Joo got it.
01:55 < krzee> !learn crl as you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
01:55 < vpnHelper> krzee: Joo got it.
01:56 < Ricoshady> so revoke-full it will add to the CRL file, and I just make sure openvpn knows about it
01:56 < Ricoshady> knows where the current CRL file is I mean
01:56 < reiffert> !local
01:56 < vpnHelper> reiffert: "local" is a flag for --redirect gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
01:56 < krzee> rup reif
01:57 < reiffert> moin
01:57 < Ricoshady> I assume I need all the original key information as well
01:57 < dazo> Ricoshady: yup ... no more magic than that
01:57 < reiffert> But local is something different, --local
01:57 < Jorj> krzee: (this is somewhat ontopic) I still can't really comprehend why the traffic would still be blocked. I mean, I can setup a SSH connection, route encrypted/non-filtered traffic through there, so in theory it should be perfectly possible to route all traffic from a game through the tunnel and back, no?
01:57 < krzee> !forget local
01:57 < vpnHelper> krzee: Joo got it.
01:57 < dazo> Ricoshady: it's the CA which will create the CRL ... so the CA knows about the cert, yes
01:57 < krzee> reiffert, but nobody has ever had a question about --local before
01:57 < krzee> before tonight
01:57 < krzee> much more useful as is
01:58 < krzee> !learn local as a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
01:58 < vpnHelper> krzee: Joo got it.
01:58 < krzee> but without my typo ;]
01:58 < Ricoshady> will the easy-rsa directory work anywhere? would rather move it from the examples directory
01:58 < reiffert> yep
01:58 < Jorj> Ricoshady: yeah.
01:59 < krzee> --local is the ip to bind to, the only way to be confused by that is if you bypass ALL docs and just try walkthroughs
01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 < dazo> Ricoshady: Have a look in the vars file inside the easy-rsa directory ... you can change the EASY_RSA variable to wherever you would like it ... and the same goes for the KEY_DIR as well
02:03 < dazo> you'll need to source this file (source ./vars) anyway whenever you call any of the scripts in this directory
02:04 < dazo> Ricoshady: you can also try to write "make" in that dir ... and you'll get simple install instructions
02:05 < krzee> hah i never noticed there was a Makefile
02:05 < Ricoshady> thanks guys, seems to be working well, cool stuff...
02:05 < krzee> dazo, ever tried ssl-admin?
02:06 < dazo> krzee: nope ... I've been using tinyca one place where I wanted to be gui-lazy, though :-P
02:06 < krzee> haha werd
02:06 < krzee> this is the in-between
02:06 < dazo> krzee: ssl-admin .... any url? ... sounds interesting
02:06 < Ricoshady> can I route my vpn server address 10.? to the local net 192.?
02:07 < krzee> menu driven text based interface
02:07 < krzee> !ssl-admin
02:07 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:07 < Ricoshady> so I can ping other pcs
02:07 < dazo> TUI :-P
02:07 < krzee> there was an issue in svn this morning with r35
02:07 < krzee> but ports version worked fine
02:07 < krzee> but i told ecrist and he may have fixed it
02:08 < krzee> Ricoshady,
02:08 < krzee> !route
02:08 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
02:09 < krzee> ssl-admin is written in perl, and is the lazy text-based cert manager
02:10 < dazo> krzee: :) ... I'll have a look into that one, seems better ...
02:10 < krzee> right on
02:10 < krzee> what os do you use?
02:10 * dazo this reminds me to set up a proper off-line box for a proper CA
02:10 < dazo> krzee: Linux .... mostly Gentoo and Fedora
02:11 * dazo is scrapping Ubuntu soooon
02:11 < krzee> ahh cool, lemme know if ssl-admin is in emerge yet
02:11 * dazo is looking fwd to that
02:11 * dazo checks portage
02:11 < dazo> krzee: can't say I see ssl-admin in any obvious places, though :(
02:12 < dazo> emerge/portage - that is
02:12 < krzee> emerge --search ssl-admin
02:13 < dazo> as I said, not in any obvious places ;-)
02:13 < dazo> anyone volunteered for putting it into portage?
02:13 < Ricoshady> pretty impressed so far with openvpn! its cool
02:14 < dazo> Ricoshady: you can have a look at http://www.eurephia.net/ ... and you'll see even cooler things you can do with openvpn :-P
02:14 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
02:14 < krzee> dazo, well someone submitted it for me
02:15 < Ricoshady> cool I was wondering about username/passwords actually
02:15 < dazo> krzee: ahh ... goodie, then it'll show up at some point for sure :)
02:15 < krzee> cause I wrote the ./configure script that would setup the Makefile to install it for linux
02:15 < Ricoshady> is there a windows client that doesnt just open a dos window?
02:15 < Jorj> Openvpn gui.
02:15 < Jorj> www.openvpn.net
02:15 < krzee> but they didnt like that i used a configure script because it is better done by a proper Makefile
02:16 < dazo> Ricoshady: yeah ... you're using openvpn server on Windows? ... hmmm ... not sure how well eurephia will play then :(
02:16 < krzee> which is true, i just havnt gotten to it
02:16 < dazo> Jorj: Ricoshady: ... if you'll take the official openvpn from http://openvpn.net/ for windows, openvpn gui is included here, at least for the 2.1RC releases
02:16 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net)
02:17 -!- gdfgdfgdfgdfg [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 145 (Connection timed out)]
02:18 < Ricoshady> i have openvpn gui, but it just opens little icon in the tray that doesnt have any options when I right click, like "about"
02:18 < dazo> krzee: http://bugs.gentoo.org/250611
02:18 < vpnHelper> Title: Gentoo Bug 250611 - [NEW EBUILD] net-misc/ssl-admin (at bugs.gentoo.org)
02:19 < Jorj> You have to paste the configuration files in the openvpn/config folder.
02:19 < dazo> Ricoshady: you haven't configured openvpn-gui correctly ... you'll need to place config files in a special folder and using the .ovpn extension
02:20 < Ricoshady> yea, i just found the readme, sorry for the dumb question
02:20 < dazo> Ricoshady: you'll also find the config folder via the Start menu as well .... start -> Programs -> openvpn ...something, don't remember now
02:21 < Ricoshady> any performance difference between dos window and gui?
02:23 < Ricoshady> damn eurephia looks cool
02:24 < Ricoshady> how easy to get going?
02:24 < dazo> Ricoshady: shouldn't be ... it's different processes, and I don't expect writing to log pipe from openvpn should make openvpn lag ... that'd be pretty lame
02:25 < dazo> Ricoshady: well, it's only tested on linux, that can be a downside .... I've never heard anyone trying it on Windows ... but if you have a linux box being a openvpn server, it shouldn't be too difficult
02:26 < dazo> Ricoshady: but be aware, it's beta still ... and the security regarding password hashing is pretty lame at the moment .... but I'm working on improving that nowadays
02:26 < Ricoshady> my vpnserver box is debian
02:27 < dazo> Ricoshady: have a look at the wiki, and you'll have the hard way to set it up ... the admin utils are able to help you out with some simple things when you first have added the first user manually into the database
02:27 < dazo> Ricoshady: debian should be no prob
02:28 < Ricoshady> the custom firewall rules are cool
02:28 * dazo hopes nobody here minds the eurephia discussion on ##openvpn ....
02:28 < dazo> Ricoshady: yeah, I'm using that pretty much as well, and it works like a charm :)
02:29 < Ricoshady> one other question on openvpn... in the server config I use "ifconfig sip cip" what if I have multiple clients?
02:29 < dazo> Ricoshady: I have a setup with 3 different network segments ... and my users get only access to computers on the segment they are authorised for
02:29 < dazo> Ricoshady: you should probably use server-pool ... if I remember correctly
02:29 * dazo checks a config file
02:30 < dazo> Ricoshady: I'm using dev-type tap ... so I'm not using tun, first of all .... and then I'm using "ifconfig-pool" to have a fake DHCP server for the openvpn connections
02:32 < Ricoshady> does tun only allow one connection?
02:32 < Ricoshady> can I see your config?
02:32 < dazo> Ricoshady: Probably not, but I think it is more config work ...
02:32 < dazo> Ricoshady: sure .... just a sec
02:33 < Ricoshady> and why did you pick tap? does it require any extra work to use tap?
02:35 < dazo> Ricoshady: http://pastebin.com/d68527bbc
02:36 < dazo> Ricoshady: just because I like to be low-level on the interface .... I was also playing with some bridging, and it's just become my "default" setup, kind of
02:37 < dazo> Ricoshady: what this config does not do, is to prepare the vpn0 interface (I've also renamed the tap interface) .... so that's done via my distro's own network startup script ... but that could most probably also be set up by using --server
02:41 < Ricoshady> i wonder tho, my tun0 device states both ips, the sip and cip, makes me think it only handles one connection
02:47 * dazo doesn't remember the gory details now ... too long ago since last time he tried tun devices
02:48 < dazo> Ricoshady: ahh! I think I also used tap to enable Windows clients ... I believe that it was some issues with Windows and tun devices ... but don't remember if this was just misinterpretation or if it was a reality
02:48 * dazo got it working with tap, and didn't think more about it
02:49 < Ricoshady> i like the keepalive and push statements in your config, im using em now
02:50 < Ricoshady> man this is the shit
02:51 * dazo wonders if shit == gold in this context :-P
02:53 * Ricoshady nods
02:55 < Ricoshady> if you put up a VPN on a port like 80, and routed inet traffic on the client thru the VPN, you could circumvent outgoing restrictions in office firewalls huh?
02:56 < Ricoshady> assuming they didnt block my VPN
02:56 < Jorj> If you read some of my questions, I was trying the same thing.
02:56 < Ricoshady> i think its possible
02:56 < dazo> Ricoshady: yup, that is possible ....
02:56 < Jorj> Here: udp mostly blocked, all >1024 ports and I'm trying to play a game via my own openvpn on my vps.
02:57 * dazo is considering to test that to avoid his mobile company to overcharge non-port-80 traffic .....
02:57 < Jorj> But for some weird reason I couldn't get the client and server to see each other, but I also think it should be possible. Thing is, I'm also in a VPN with those restrictions.
02:57 < dazo> Ricoshady: for that to work ... you'll need 80/tcp ....
02:58 < Ricoshady> yea
03:00 < Ricoshady> does openvpn gui need to be installed? or does it just execute in its directory? I was thinking i could put it and the client keys on a USB drive.
03:00 < Ricoshady> actually thats probably a bad idea
03:00 * dazo dunno
03:00 < Ricoshady> i wouldnt want to run it on any random computer
03:00 < dazo> Ricoshady: if the USB is encrypted somehow ... or if you use pkcs12 with passwords, you'll be safer though
03:00 < reiffert> Ricoshady: or protect the keys with a password.
03:01 < Ricoshady> reiffert, how does that work?
03:01 < reiffert> !howto
03:01 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:01 < dazo> Ricoshady: I use pkcs12 mostly ... because in one file you'll find all certificates and needed keys ... and they are password encrypted
03:02 < reiffert> Ricoshady: If you would like to password-protect your client keys, substitute the build-key-pass script.
03:02 < dazo> Ricoshady: which I consider safe enough, as I'll have time to revoke certificates and blacklist them in eurephia if they are lost
03:02 < Ricoshady> reiffert, then what happens, when the vpn connects it asks for a password?
03:03 < reiffert> Ricoshady: yeah
03:03 < dazo> Ricoshady: but some of my other users are not too happy ... having username and 2 passwords (user account + certificate) to remember .... but they usually get over it after a little while
03:03 < dazo> Ricoshady: yeah, even before bringing up the connection to your server
03:03 < reiffert> You protect the use of the client key by a password
03:04 < reiffert> it's an openssl thing
03:04 < Ricoshady> what about reconnects?
03:05 < reiffert> What about them?
03:05 < Ricoshady> will it ask for the password again?
03:05 < reiffert> no.
03:05 < Ricoshady> just when you initially start the vpn
03:05 < dazo> Ricoshady: yeah
03:05 < Ricoshady> let me try
03:06 < reiffert> .oO It's all in the howto
03:08 < Jorj> Ricoshady: do you use a vps as your openvpn server? Just out of interest.
03:11 < Ricoshady> vps?
03:11 < Ricoshady> hell yea, password worked just fine
03:11 < Jorj> Virtual private server, but nvm. :-)
03:11 < Ricoshady> when I build the dh file, sometimes it takes forever, other times it barely creates a line of computing
03:13 < Ricoshady> you know what I mean? it says... this will take a long time... sometimes it does, other times its really quick, should I be worried if its quick?
03:13 < dazo> Ricoshady: depends on how much random data which needs to be collected ... sometimes it takes a while to seed the RNG ... doing some disk access (find /, f.ex) may help
03:13 < dazo> Ricoshady: if the RNG is full of random data ... it can go quicker ... but if it needs to collect data, it'll go slower
03:14 < Ricoshady> man this is working great
03:14 < Ricoshady> better than I expected
03:15 < dazo> Ricoshady: nah ... you're using open source product, not microsoft product .... of course it works better than expected :-P
03:15 < thewolf> Hey, evening people
03:16 < Ricoshady> im all about opensource
03:16 < dazo> :)
03:16 < thewolf> I've got a problem: I can't ping my server (10.1.0.1) from my client (10.1.0.2), are there any common causes for this other than user (my) stupidity?
03:17 < reiffert> firewall, firewall, firewall.
03:17 < thewolf> This is my server config: http://pastie.org/359420
03:17 < thewolf> hmm
03:18 < thewolf> firewalls suck
03:18 < reiffert> and topology
03:19 < reiffert> http://netzdeponie.de/download/fun/movies/BegehbarerSchrank.avi
03:21 < dazo> :D
03:24 < Ricoshady> what does the gui change password feature do?
03:24 < reiffert> Guess.
03:25 < thewolf> reiffert: since I can't change my local firewall atm, would it be safe to run it on another port that I know is open?
03:25 < Ricoshady> reiffert, funny but what password? the cert password?
03:25 < Ricoshady> i dont have any other password
03:25 < krzee> lol reiffert
03:25 < krzee> Ricoshady, it changes the password you could set on your cert when making the cert
03:25 < krzee> as opposed to any password you could have on the vpn
03:26 < Ricoshady> oh, it changes the cert password, ok
03:26 < Ricoshady> sorry
03:27 < dazo> Ricoshady: yeah, only cert passwords ... it's not possible to change any other passwords from the client, afaik (like user-auth passwords)
03:40 -!- l11 [n=l@verhau.de] has joined ##openvpn
03:41 < Ricoshady> can I make a key only last so long?
03:42 < reiffert> || so long or | | so long?
03:47 < Ricoshady> can I make it so a cert expires
03:47 < l11> reiffert: hi
03:47 < reiffert> Yes, you can
03:47 < reiffert> l11: !
03:48 < l11> reiffert: update the fritzbox firmware :) or your mac will be slowed by it.
03:48 < reiffert> wtf?
03:49 < dazo> Ricoshady: expiry is set when creating the certs
04:12 -!- Jorj [n=dfdsfsf@vpnc036.ugent.be] has quit []
04:13 < reiffert> http://research.microsoft.com/en-us/um/redmond/projects/songsmith/videos/EveryoneHasASongInside.mov
04:13 < reiffert> ms using a macbook?
04:17 < l11> part 1 of embrace and extend
04:27 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn
04:35 < dazo> reiffert: you know these new Intel based boxes now run Vista .... we're soon to enter phase 2 of the EEE ...
04:52 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:53 -!- prxtien [n=pro@115.131.201.161] has joined ##openvpn
04:53 < prxtien> hey all
04:54 < prxtien> im looking at increased key sizes, does anyone know the performance impact on going from 1024 > 2048 > 4096bit certificates, and also performance decrease by increased dh key strength
04:54 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:03 < reiffert> I remember one guy unable to create a 4096 dh
05:04 < reiffert> some weeks ago.
05:04 < reiffert> prxtien: If you find something out, please let me know, sounds interesting.
05:04 < prxtien> well dh i was thinking of going from 1024 to 2048... and moving to maybe 2048 or 4096bit rsa certificates
05:05 < prxtien> dh 2048 took about 15 minutes on a tiny via c7 based server
05:05 < prxtien> on anything gutsy, less than 5 minutes youd think
05:31 -!- worch [n=worch@battletoad.com] has quit [Read error: 131 (Connection reset by peer)]
05:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:50 -!- worch [i=worch@battletoad.com] has joined ##openvpn
06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
06:20 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn
06:24 -!- prxtien [n=pro@115.131.201.161] has quit [Read error: 60 (Operation timed out)]
06:51 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
07:06 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn
07:27 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)]
07:28 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
07:47 -!- Ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 60 (Operation timed out)]
07:56 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
07:57 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has joined ##openvpn
08:00 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"]
08:13 -!- worch [i=worch@battletoad.com] has quit [Read error: 113 (No route to host)]
08:32 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
08:42 < ecrist> who told me what?
08:45 < ecrist> oh, krzee, haven't fixed it yet. won't get to it until later this week.
09:13 -!- kyrix [n=ashley@93-82-8-240.adsl.highway.telekom.at] has quit ["Leaving"]
09:41 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:41 < plaerzen> morning ovpn'ers
09:44 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Connection reset by peer]
09:44 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has joined ##openvpn
09:48 -!- grndslm [n=grndslm@24-119-80-142.cpe.cableone.net] has left ##openvpn ["Leaving"]
09:52 < ecrist> howdy plaerzen
09:54 < plaerzen> ecrist, how you doing ?
10:12 < ecrist> good, so far. it's early yet
10:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
10:23 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has joined ##openvpn
10:23 < c64zottel> may i get trouble when i open a OpenVPN net with 10.10.254.0/24 when the whole network has 10.10.0.0/16?
10:26 < ecrist> yes
10:26 < ecrist> not even 'may,' you 'will' get in trouble
10:26 < c64zottel> ecrist: hm
10:27 < c64zottel> i knew it
10:27 < c64zottel> cause, i can't differentiate between them, when they get routed? right?
10:27 < dazo> c64zottel: does the VPN net really have to be within the 10.10.0/16?
10:28 < c64zottel> the server has 2 nic's, one local net 10.10/16 and the internet
10:28 < dazo> c64zottel: well, it's almost impossible to get correct routing with overlapping nets ... even though, in theory it might work, but I think that will require much more work on all clients
10:28 < c64zottel> and i want to connect from the net, sure
10:28 < ecrist> c64zottel: see !1918
10:28 < c64zottel> hm, but, how can i understand?
10:28 < ecrist> choose another range
10:29 < c64zottel> !1918
10:29 < vpnHelper> c64zottel: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
10:29 < dazo> c64zottel: yeah ... but I meant the VPN config ....
10:29 < dazo> c64zottel: choose an available segment listed above
10:30 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
10:30 < c64zottel> dazo: i will, but why do i get trouble?
10:31 < c64zottel> ecrist: thanks
10:31 < c64zottel> i read that, but i can't get a clue why it is so important
10:31 < dazo> c64zottel: because the routing from clients will get confused where the traffic should go
10:32 < c64zottel> dazo: but it's clear, in both cases it's routed to the ovpn, i could see the incoming icmp's over the tun0
10:33 < dazo> c64zottel: make it easier for yourself, and avoid overlapping network segments .... and the really big troubles will come the day when a computer on your LAN grabs an IP in the 10.10.254.0/24 range ... then traffic from this box will go fine out of your network, but when going in, it will be routed to the VPN interface instead
10:33 < dazo> c64zottel: if you want to make the network transparent over the VPN .... you're probably looking for bridging
10:34 < ecrist> c64zottel: if it works for you, then why are you asking questions?
10:34 < c64zottel> dazo: i appreciate your advice, and i will follow, but i like to know the what and why .)
10:34 < c64zottel> maybe i need just more experience
10:35 < c64zottel> ecrist: first, 6th sense, and second, there was a case with two routes, 10.10.254/24 and 10.10/16 which made trouble, just with the route 10.10/16 it worked
10:35 < dazo> c64zottel: it's just kind of an unwritten rule .... keep your network segments clean, don't overlap segments, avoid several segments on the same physical network ... all to avoid network errors, even though it might work fine, but that's not given
10:36 < c64zottel> dazo: i read about bridging and so on...
10:36 < c64zottel> dazo: ecrist: thank you
10:37 < dazo> c64zottel: if you do not have a route for 10.10.254/24 sending traffic to your VPN tunnel .... I'm not sure your tunnel will work properly ... maybe it will work until the openvpn server, but most probably not beyond that box
10:39 < c64zottel> dazo, it will use the 10.10/16 route
10:39 < ecrist> c64zottel: if it works for you, fine, but, the odds are it's *not* going to work due to the overlapping route, unless your LAN is /16, but is further subnetted from there.
10:40 < dazo> c64zottel: say you have this on your openvpn box: eth0 on 10.10.0.1/16 ..... you have your tun0/tap0 on 10.10.254.1/24 .... (more to come)
10:41 < dazo> c64zottel: one VPN client, say 10.10.254.10 tries to connect to 10.10.0.40, which is on the eth0 side .... the packet goes fine all the way and reaches the server
10:43 < dazo> c64zottel: the server responds back to 10.10.254.10 ... but since that IP address is within the 10.10.0.0/16 network ... the result package from server will never leave the 10.10.0/16 network .... and it gets lost, since nobody is answering it ... but this packet should have been routed through the 10.10.0.1 gateway
10:44 < dazo> c64zottel: so it will work, if all boxes on the 10.10.0.0/16 have a route which says .... 10.10.254.0/24 must use the gateway 10.10.0.1 ... but unless that route exists, it will not work
10:46 < c64zottel> dazo that was great!
10:46 < c64zottel> thank you very much
10:46 < jeiworth> dazo: that is interesting and might as well solve a problem i have, but where do i need to set that route? only on the openvpn-server or on all clients?
10:46 < dazo> c64zottel: but of course, I have now not touched much what happens if you then in your LAN get a computer with the 10.10.254/24 address .... then the chaos is complete, because all boxes which have the route via 10.10.0.1 will go out on the VPN tunnel instead
10:46 * cpm boggles, , , but but but, 10.10.254/25 can't see 10.10.0.1
10:47 < cpm> 10.10.254/24 rather
10:47 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:47 < dazo> jeiworth: all clients would need to have this route ... default gateway will not work, since the networks overlap, you must explicitly set the route on all boxes
10:48 < dazo> cpm: that's very true! But I thought that if a client computer on the LAN got an address which is in the 10.10.254/24 range, but with the /16 mask ... then it will see the 10.10.0.1
10:49 * dazo was thinking a scenario with a DHCP server with a /16 netmask on the dynamic IPs ... then this can happen more easily
10:51 < c64zottel> cpm: why? if the client has a route like 10.10/16?
10:51 < dazo> but as I said earlier ... such a topology is not even worth considering ... because it will definitely create more troubles than what it solves in reality ... and it is a ticking bomb to have overlapping networks on different segments
10:52 < dazo> c64zottel: I think cpm was seeing a problem if the client on LAN had an IP address in 10.10.254/24 segment with a /24 netmask ... in this scenario, the client would not be able to see 10.10.0.1 at all
10:52 < c64zottel> dazo: is it not possible to avoid that via NAT?
10:53 < ecrist> c64zottel: just change your damn ip range
10:53 < ecrist> christ
10:53 < c64zottel> dazo true
10:53 < c64zottel> ecrist: i do, i promise .)
10:53 < c64zottel> but it's interesting
10:53 < ecrist> no, it's not, really
10:54 < dazo> c64zottel: I don't think so ... change the IP range ... that's my advice, don't try to hack around overlapping ranges ... it will for sure stop working somehow one day ... and it will not be too easy to correct it later on with routing setup everywhere
10:54 < c64zottel> as i said, i do
10:54 * dazo is happy :)
10:54 < c64zottel> thanks a lot
10:54 < c64zottel> me too :D
10:54 < dazo> you're very welcome!
10:54 < c64zottel> thx
11:05 -!- c64zottel [n=hans@cust.static.84-253-47-240.cybernet.ch] has quit ["Leaving."]
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:16 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:22 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has joined ##openvpn
11:24 < kyrix> hi, i am trying to set up a routed site to site vpn using debian etch/lenny. the vpn is working, but still can't ping the other networks
11:24 < kyrix> files: network data: http://pastebin.com/m302adf57
11:24 < kyrix> server.conf: http://pastebin.com/d7954076a
11:24 < kyrix> client conf: http://pastebin.com/d16c72eec
11:25 < kyrix> and i have set up iroute.168.7.0 255.255.255.0 file in ccd
11:26 < kyrix> ip forwarding is activated on both machines
11:27 < kyrix> but still no luck. anybody have any ideas?
11:29 < kyrix> !route
11:30 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:42 < kyrix> !configs
11:42 < vpnHelper> kyrix: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:44 < ecrist> kyrix: read the route entry above.
11:44 < kyrix> i did
11:45 < kyrix> i had already done everything
11:45 < ecrist> including iroute?
11:45 < kyrix> yup, that in the ccd file right?
11:45 < ecrist> and reconfiguring the gateways to redirect for the new VPN subnet?
11:45 < kyrix> yup
11:45 < ecrist> then you should have a working setup
11:45 < kyrix> hopefully correctly.
11:46 < kyrix> is there anything else i have to do on a linux box besides enabling ip forward?
11:47 < kyrix> i can ping 192.168.1.7 (the ip of my server) from the client. when i use push route. but no other machine. hold on, ill check the router
11:48 < kyrix> network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
11:49 < kyrix> this is what i need on the router right?
12:07 < krzee> [13:29] and i have set up iroute.168.7.0 255.255.255.0 file in ccd
12:07 < krzee> the line doesnt look like that, right...?
12:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:08 < kyrix> iroute 192.168.7.0 255.255.255.0
12:09 < krzee> ok
12:11 < krzee> so .7.0 is behind client
12:11 < krzee> .1.0 is behind server
12:11 < krzee> [13:52] network: 10.8.142.0 netmask: 255.255.255.255 gw: 192.168.1.7
12:12 < krzee> netmask should be 255.255.255.0
12:12 < krzee> also, you should have another entry for 192.168.7.0
12:12 < krzee> then on client side, entries for 192.168.1.0 and 10.8.142.0
12:15 < kyrix> i have the 192.168.7.0, but dont understand the 255.255.255.0
12:15 < krzee> thats a netmask
12:15 < kyrix> if i ifconfig tun0 i have inet addr:10.8.142.6 P-t-P:10.8.142.5 Mask:255.255.255.255
12:15 < krzee> an ip means nothing without the netmask
12:16 < krzee> that is true, but you may have clients in server 10.8.142.0 255.255.255.0
12:16 < kyrix> oh
12:16 < krzee> you want to have a route to all of them
12:17 < kyrix> i need both then?
12:17 < kyrix> ah it works
12:18 < kyrix> that was it..... thx
12:18 < krzee> np
12:18 < kyrix> i was taking the value from ifconfig instead of the config file.
12:18 < krzee> its not really the value from either
12:18 < krzee> its just knowing what you need routed
12:19 < kyrix> well, it works in one direction well now. ill play with that on the other side for a while
12:20 < kyrix> its taken me two weeks to get to here :/
12:20 < kyrix> thanks again!
12:20 < krzee> np
12:20 < krzee> ya 1 direction cause you only added on 1 router
12:20 < krzee> gotta go do this:
12:20 < krzee> on client side, entries for 192.168.1.0 and 10.8.142.0 in its router
12:20 < krzee> both with 255.255.255.0
12:29 -!- Dryanta [i=dryanta@66.252.23.192] has joined ##openvpn
12:30 < Dryanta> ok guys openvpn problem AGAIN
12:30 < Dryanta> another situation where nothing changed and it broke
12:31 < Dryanta> process is running on both machines and i cant ping from one side of the tunnel to the other
12:31 < krzee> !logs
12:31 < krzee> ...
12:31 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:32 < krzee> and by 1 side to other
12:32 < krzee> you mean like client cant ping 10.8.0.1
12:32 < krzee> and server cant ping 10.8.0.6
12:32 < krzee> or from 1 lan to other
12:32 < Dryanta> again i run peer to peer
12:32 < krzee> o
12:32 < krzee> i wont be memorizing that
12:32 < Dryanta> and cant ping 10.0.0.1/2
12:32 < krzee> you'll hafta say it every time :-p
12:32 < Dryanta> its only come up like 20 times :P
12:33 < krzee> could a machine have rebooted and reset firewall rules?
12:33 < krzee> it will come up another 20 if you dont mention it when you have a new question :-p
12:33 < Dryanta> the machine rebooted, firewall rules are the same
12:35 < Dryanta> does log really have to be at 6?
12:36 < krzee> if you want it to be useful for me
12:37 < dazo> krzee: if he sets log level to 0 ... you can just say that logs look good, and there are no problems :-P
12:37 < krzee> hahah
12:37 < krzee> tru
12:42 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
12:43 < Dryanta> http://pastebin.ca/1307418
12:50 < Dryanta> well? lol
13:01 * ecrist punches someone's mother in the boob
13:03 < dvl> why?
13:04 < Dryanta> no love i guess
13:04 < Dryanta> /topic #openvpn post logs, we wont look at them.... kthxbai
13:08 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
13:09 < ecrist> dvl: because I'm bored, and I was hoping, like a 5 year-old child, to get a rise out of people.
13:10 < dazo> ecrist: your attack was not controversial enough
13:10 < Dryanta> lol
13:12 < krzee> ./topic #openvpn post logs, we will look at them when we feel like it.... kthxbai
13:13 < krzee> Dryanta, log from other side...
13:14 < krzee> we've done this enough times that if i come back 30min after asking for logs from both sides, there should prolly be logs from both sides
13:15 * krzee goes away for another X minutes
13:16 < Dryanta> http://pastebin.ca/1307441
13:16 < krzee> you stopped it too soon
13:16 < krzee> 1 second of logfile isnt very useful
13:16 < krzee> not a single entry past 11:12:46
13:17 < krzee> see how the first had like 2 minutes of logfile, error came 1.5 minutes into it
13:17 < krzee> that was useful
13:18 < ecrist> /mode Dryanta +douche_bag
13:18 * krzee wonders out loud if its harder to help a tech or a noob
13:19 < Dryanta> http://pastebin.ca/1307445
13:19 * ecrist elaborates that it's hardest to teach a noob that thinks their a tech.
13:19 < krzee> lol
13:19 < krzee> touche
13:20 < ecrist> s/their/they are/
13:21 < krzee> ok, now ping from .1 to .2, show me logs from both sides at verb 6]
13:22 * ecrist punches dazo's mom in the dick
13:22 < ecrist> controversial enough?
13:22 < ecrist> :P
13:22 < krzee> hah
13:22 * dazo saw the attempt ... and that he missed big time and hurt his arm in broken window
13:23 < krzee> he missed your moms dick?
13:23 * krzee ponders
13:24 < krzee> both sides are writing to the tunnel, but barely reading
13:24 < krzee> but there is SOME reading
13:24 < krzee> which leads me away from firewall
13:24 < dazo> krzee: I think ecrist is just sexually frustrated ....
13:25 < krzee> dazo, i dont think so, his wife is pregnant and i hear preg women get seriously needy in that dept
13:25 < krzee> i think hes just bored
13:25 < dazo> krzee: well, I rest my case .... if he got a pregnant wife and bored at the same time .... it's not much she wants from him :-P
13:26 < Dryanta> is it this? Tue Jan 13 11:16:48 2009 us=504956 Inactivity timeout (--ping-restart), restarting
13:26 < krzee> dazo, work
13:26 < krzee> lol
13:26 < krzee> Dryanta, no, its whats causing that
13:27 < krzee> its something outside of openvpn
13:27 * dazo tries too :-P
13:27 < krzee> dazo, i mean hes at work
13:27 < krzee> hence, bored
13:27 < Dryanta> what do you mean outside of openvpn?
13:27 < krzee> umm
13:27 < krzee> like the link or something to do with the server
13:27 < dazo> krzee: don't you guys use openvpn and have home office? .... man! I thought you were serious about openvpn ..... :-P
13:27 < krzee> hows their ping/traceroute outside of ovpn
13:28 < Dryanta> what do you mean?
13:28 < krzee> dazo, im sure hes linked to his home network right now
13:28 < Dryanta> from pub ip to pub ip?
13:28 < krzee> Dryanta, yes
13:28 < dazo> krzee: hah! Accepted ;-)
13:30 < Dryanta> i cant traceroute because a router in between does not want to cooperate
13:30 < Dryanta> but ping is fine
13:30 < krzee> no packet loss on a large amount of pings?
13:30 < krzee> no large jitter?
13:31 < Dryanta> nope
13:31 < krzee> then im not sure what it is
13:31 < krzee> but i know its not part of openvpn thats the problem
13:31 < krzee> as long as the other config is = just ips reversed like you said
13:32 < krzee> you using a stateful firewall?
13:32 < krzee> one that keeps UDP state?
13:32 < krzee> (attempts to)
13:32 < Dryanta> ya it keeps state
13:32 < krzee> bypass that by just allowing * from each side to other
13:32 < krzee> see if that helps ya
13:33 < Dryanta> they both allow * to each other
13:34 < krzee> before any statefulness?
13:34 < krzee> packets ARE getting through
13:34 < krzee> but not all packets
13:34 < krzee> some are being dropped somewhere
13:34 < Dryanta> the whole firewall ruleset is keep state
13:34 < krzee> well, over-ride that
13:34 < krzee> or dont
13:34 < krzee> *shrug*
13:35 < krzee> im just grasping at what it could be
13:35 < krzee> SOMETHING is stopping some but not all packets from getting through
13:35 < krzee> it could have just been a lucky guess you have a stateful firewall, that i will admit to
13:35 < krzee> i dunno what the problem is, but it could be that
13:36 < krzee> UDP keepstate is not perfect
13:36 < krzee> dont believe me, see if it works on tcp
13:36 < krzee> without changing a thing in the firewall
13:36 < krzee> but remember if you keep it there you have this problem:
13:36 < krzee> !tcp
13:36 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:38 < Dryanta> it didnt work with tcp last time i tried i think
13:40 -!- Ricoshady [n=dfsdfs@cpe-76-171-208-102.socal.res.rr.com] has quit [Connection timed out]
13:46 -!- aaasdasdasd [n=guest@195.24.76.252] has joined ##openvpn
13:47 < aaasdasdasd> hello world! How to configure openvpn so it will start script before starting tunnel?
13:47 < krzee> --up
13:48 < krzee> runs right after opening tunnel
13:48 < krzee> before connecting iirc
13:48 < krzee> !man
13:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:48 < krzee> lets see
13:48 < krzee> by opening tunnel i meant interface
13:48 -!- aaasdasdasd is now known as NinetendoWee
13:49 < krzee> NinetendoWee, what would your script do?
13:49 < NinetendoWee> And how about BEFORE tunnel? Because i have special route for my vpn server that deletes when vpn disconnects :(
13:50 < krzee> before would be a wrapper script
13:50 < krzee> a script that runs your command, then starts openvpn
13:50 < krzee> which you run to start openvpn
13:51 < NinetendoWee> it become inconsistent :(( some scripts are events from vpn client, some - wrappers.
13:51 < krzee> huh?
13:51 < NinetendoWee> if route is down - it just tries to connect server forever. what to do?
13:51 < krzee> you are saying you need to make a special route to reach the vpn server, right?
13:52 < krzee> and manually you add the route then start openvpn, and it works...?
13:52 < NinetendoWee> yes
13:52 < krzee> but you want to automate it
13:52 < krzee> #!/bin/sh
13:52 < NinetendoWee> yes, because when vpn disconnects accidentally - it removes this route automatically
13:52 < krzee> route command
13:52 < krzee> openvpn command
13:53 < NinetendoWee> so then i have to use up script because i have to set right default route
13:54 < NinetendoWee> how to make it exit on disconnect?
13:55 * ecrist cheers
13:55 < krzee> --ping-exit n
13:55 < krzee> should do that
13:55 < ecrist> I've got my FreeBSD file server running pam_ldap for authentication, and sudo, samba, afp all using ldap, too
13:56 < NinetendoWee> thank you for help
13:56 -!- NinetendoWee [n=guest@195.24.76.252] has quit ["Ex-Chat"]
13:58 < krzee> nice ecrist
14:01 < ecrist> someday, I might know what I'm doing
14:16 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Remote closed the connection]
14:18 -!- jeiworth [n=jeiworth@189.163.173.75] has joined ##openvpn
14:21 < ecrist> krzee: if you have the need: http://www.secure-computing.net/wiki/index.php/Apple_File_Sharing
14:21 < vpnHelper> Title: Apple File Sharing - Secure Computing Wiki (at www.secure-computing.net)
14:27 -!- psai` [n=Psai@91.91.252.105] has joined ##openvpn
14:27 < psai`> hi
14:27 < ecrist> hi
14:28 < psai`> is there a way to push redirect gateway only for some clients and not for all ?
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:33 < ecrist> you bet
14:33 < ecrist> you need to set up client-config-dirs
14:33 < ecrist> read the man page or howto on that
14:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["kthxbai"]
14:34 < psai`> ok that's all i wanted to know :)
14:34 < ecrist> :D
14:34 < psai`> thank you i'll try this
14:56 -!- dazo is now known as dazoafk
15:10 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has joined ##openvpn
15:16 < FarrisG> Having an odd issue. I've done tons of openvpn setups, but have always done it with an internal and external nic. Trying to do it with one NIC, and it's working fine, except that after a couple of hours of being up, suddenly both my eth0 and br0 have the same IP address and the OpenVPN box can't access the outside world, only internal addresses. Confs are here: http://pastebin.ca/1307528
15:16 < FarrisG> !route
15:16 < vpnHelper> FarrisG: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
15:16 -!- psai` [n=Psai@91.91.252.105] has quit ["thanks !"]
15:18 < FarrisG> Any idea what could be causing it?
16:01 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Read error: 60 (Operation timed out)]
16:07 -!- jrgp [n=joe@catatonic.jrgp.us] has joined ##openvpn
16:09 -!- jrgp [n=joe@catatonic.jrgp.us] has quit [Client Quit]
16:31 < jeiworth> FarrisG: this is my first openvpn installation and many thanks to your bridge script i finally found my error after half a day search :)
16:55 < ecrist> which bridge script?
16:57 < krzie> to both of you
16:57 < krzie> what exactly do you need that requires bridging?
16:57 * krzie grins at ecrist
17:12 -!- kyrix [n=ashley@91-115-27-154.adsl.highway.telekom.at] has quit [Remote closed the connection]
17:41 < krzie> !servercret
17:41 < vpnHelper> krzie: Error: "servercret" is not a valid command.
17:41 < krzie> !servercert
17:41 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
18:23 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
20:41 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
20:52 < ecrist> why are you grinning at me?
20:57 < ecrist> o.O
20:57 < ecrist> 39 hits today on my site from nat-pool-brq.redhat.com
21:08 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
21:10 * ecrist loves getting IPv6 hits to his sites
21:13 < ecrist> meh, so many hostnames in awstats - hard to know which are IPv6. don't want to write regex for IPv6 addresses
21:14 < tjz> hmmm
21:14 < ecrist> wouldn't be *too* difficult
21:14 < tjz> they are switching to IPv6 because we are running out of ip for IPv4?
21:15 < ecrist> that and a few more features which are a bit more low-level
21:15 < ecrist> I've been supporting IPv6 on my network for about 3 years
21:16 < tjz> hmm
21:16 < tjz> why IPv6..
21:17 < tjz> will the IP address look any different?
21:17 < ecrist> what do you mean?
21:17 < ecrist> you really don't know?
21:17 < tjz> never go and read up
21:17 < tjz> hehe
21:17 < ecrist> you should
21:17 < ecrist> like the DTV transition, it *is* eventually coming
21:18 < ecrist> DTV was supposed to come back in 2000
21:18 < ecrist> only 9 years late
21:18 < ecrist>
21:19 < ecrist> I've had about 15 or 20 hits to my main site this month from IPv6 addresses
21:20 < ecrist> 23 users have downloaded ssl-admin via IPv6
21:20 < ecrist> just this month
21:23 < ecrist> grr
21:24 < tjz> hmm
21:24 < ecrist> lots of latency on my wireless tonight
21:24 < tjz> what is sl-admin?
21:24 < tjz> ssl-admin..
21:24 < ecrist> ssl-admin
21:24 < tjz> hehe
21:24 < ecrist> it's a script I wrote in perl because easy-rsa sucks some serious donkey balls
21:24 < tjz> lol
21:24 < tjz> haha
21:24 < ecrist> it's a menu-driven text-based SSL certificate manager
21:26 < tjz> cool
21:26 < tjz> will the IP address of IPv6 look any different ?
21:27 < ecrist> right now, it's strictly menu-driven, but if I either 1) find time or 2) get some *rich* interested parties, I'm going to build command line options, bulk generation, and LDAP certificate support
21:27 < ecrist> yes
21:27 < ecrist> IPv4 is 32-bit, in dotted-decimal notation
21:27 < tjz> how different..
21:28 < ecrist> IPv6 is 128-bit, in quad-hexadecimal notation
21:28 < tjz> omg
21:28 < tjz> enough to support more IP
21:28 < tjz> how does quad-hexadecimal notation look like?
21:28 < tjz> eg. ?
21:28 < ecrist> for example, my website, www.secure-computing.net has the following two addresses (IPv4 and IPv6)
21:28 < ecrist> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:28 < ecrist> kenny.secure-computing.net has address 173.8.118.210
21:28 < ecrist> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:29 < tjz> coooooooooooooooool
21:30 < tjz> any web-tool to check the IPv6 address of kenny.secure-computing.net ?
21:30 < tjz> or linux command to do that?
21:30 < ecrist> read http://www.secure-computing.net/wiki/index.php/IPv6 and see if it helps at all
21:30 < vpnHelper> Title: IPv6 on FreeBSD 6.2 - Secure Computing Wiki (at www.secure-computing.net)
21:30 < ecrist> tjz, what do you mean?
21:30 < krzie> if your linux is ipv6 enabled host will tell you
21:30 < tjz> you know a noob asking noob question
21:31 < tjz> bear with me
21:31 < tjz> :P
21:31 < krzie> www.secure-computing.net is an alias for kenny.secure-computing.net.
21:31 < krzie> kenny.secure-computing.net has address 173.8.118.210
21:31 < krzie> kenny.secure-computing.net has IPv6 address 2001:470:1f11:463::210
21:31 < krzie> that was /exec -o host www.secure-computing.net
21:32 < ecrist> IPv6 addresses are stored in DNS as AAAA records, whereas IPv4 records are stored as A records
21:32 < tjz> cool
21:32 < ecrist> you can check (whether your host is IPv6-enabled or not) for an IPv6 record with the dig command
21:32 < ecrist> dig -t AAAA
21:33 < ecrist> running both IPv4 and IPv6 is known as dual-stack
21:33 < krzie> ya i was actually wrong
21:33 < krzie> this box isnt ipv6 enabled
21:33 < krzie> its in the kernel, but i dont have an ipv6 tgunnel
21:33 < krzie> tunnel
21:34 < ecrist> until last month, I had native IPv6 to my ISP
21:34 < tjz> cool
21:34 < krzie> ya i had native long ago too
21:34 < ecrist> then I realized my ISP was run by a bunch of douche-bags
21:34 < krzie> a nice small dsl company in the bay area, CA
21:35 < ecrist> like my old ISP (a nice, small, ISP in Minneapolis, MN
21:35 < tjz> nothing wrong with a small isp
21:35 < ecrist> unless they're jewish
21:35 < tjz> as long as they are on the ball
21:35 < tjz> lol
21:36 < ecrist> I dropped ipHouse when they gave my colo (2 full racks) a $400/mo *surcharge* in the middle of a contract
21:36 < ecrist> they got around the contract by calling it a surcharge
21:36 < ecrist> that's pretty bullshit, IMHO
21:36 < krzie> umm
21:36 < krzie> illegal sounding
21:37 < tjz> why the surcharge?
21:37 < tjz> is it bandwidth overage?
21:37 < krzie> cause they needed $ im sure
21:38 < ecrist> I think you're on the 'money', krzie
21:38 < ecrist> but, they called it an electrical surcharge
21:38 < ecrist> it would cost us more to litigate than to pay to the end of our contract
21:58 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has joined ##openvpn
22:02 -!- AwayML is now known as AndyML
22:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
22:16 -!- Solarbaby [n=solarbab@adsl-69-228-2-165.dsl.irvnca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
22:20 -!- AndyML [n=quassel@pool-72-78-117-135.phlapa.fios.verizon.net] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
23:01 -!- mepholic [n=mepholic@star.emokid.nu] has joined ##openvpn
23:01 < mepholic> ok
23:01 < mepholic> openvpn on an ircd shell
23:01 < mepholic> possible?
23:05 -!- mepholic [n=mepholic@star.emokid.nu] has quit [Remote closed the connection]
23:06 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
23:19 < Solarbab1> mepholic: you want to run a irc client or server on openwrt?
23:30 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
23:33 -!- Solarbab1 [n=solarbab@adsl-69-228-3-122.dsl.irvnca.pacbell.net] has quit [Remote closed the connection]
--- Day changed Wed Jan 14 2009
00:00 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
00:02 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
00:02 < hiptobecubic> I'm trying to setup a vpn with ethernet bridging. I'm not able to physically access the machine that is going to be the server, but when i bridge eth0 and tap0, i can no longer use ssh, effectively orphaning the server.
00:02 < hiptobecubic> what can i do?
00:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:16 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
00:24 -!- FarrisG [n=FarrisG@pool-71-123-163-107.dllstx.dsl-w.verizon.net] has left ##openvpn []
00:25 < hiptobecubic> If anyone is around, i'd love a hint here.
00:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:05 -!- dazoafk is now known as dazo
01:35 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
01:35 < steveoooo> if I change the password on a cert that I did not enter a passphrase in, will it enable a password? or does the cert have to have a passphrase from the beginning
01:36 < dazo> steveoooo: not sure ... but I believe you would enable the password actually
01:37 < dazo> hiptobecubic: how have you configured your bridge?
01:37 < steveoooo> can you explain the difference between tun and tap?
01:39 < dazo> steveoooo: oh .... well, tun is using point-to-point tunnelling, which means that it is bound to TCP/IP traffic .... while tap is going lower down in the OSI stack, so it is actually more a virtual network interface where all traffic to the interface is routed via openvpn
01:40 < dazo> steveoooo: so, if you want to do bridging, use IPv6 or IPX or other non-TCP/IP (IPv4) traffic, you simply must use tap
01:40 * dazo looks for a better explanation
01:42 < dazo> http://en.wikipedia.org/wiki/TUN/TAP ...
01:42 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org)
01:43 < dazo> steveoooo: if you just google "tun or tap" ... you'll get more info, but the wikipedia actually says the same as all the google findings
01:43 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)]
01:45 < dazo> steveoooo: you can also have a look here: http://openvpn.net/index.php/documentation/faq.html#bridge2
01:45 < vpnHelper> Title: FAQ (at openvpn.net)
01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 < steveoooo> ill take a look
01:48 < steveoooo> does tap require any extra configuration outside the openvpn configs?
01:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:53 < dazo> steveoooo: No, not really ... well, I'm not sure on the server side. I've only used Gentoo on the server side lately and I have preconfigured the tap0 interface before starting openvpn in some network scripts there
01:53 < dazo> steveoooo: but I think that the device needs to be setup before starting the openvpn daemon .... just remembered that I also do bridging on my openwrt based router
01:54 < steveoooo> what are you running openwrt on?
01:55 < steveoooo> (how do you like it?)
01:55 < dazo> steveoooo: but that could be to setup the bridge before starting openvpn, not sure .... anyway, you can create the tap device by calling: openvpn --mktun --dev tap0 --dev-type tap ...
01:55 < dazo> steveoooo: I'm running it on a Linksys WRT54GL ... nice little box, even though I'd like more flash on the box :-P
01:56 < steveoooo> thats funny, same exact one I have, but running the default software... which sucks... I was running ddwrt but I found some weird firewall rules in the iptables so I dumped it.
01:56 < steveoooo> I have the same exact one I mean
01:57 < dazo> steveoooo: that was exactly the same reason I scrapped ddwrt as well .... and I made some noise about it in the forums ... but they didn't seem to take my point regarding being open about it and tell clearly what to do to remove these rules
01:58 < dazo> steveoooo: I'm using the X-Wrt version of openwrt ... which gives you a simple but powerful webgui as well, which makes configuration a lot easier .... highly recommended!
01:58 < steveoooo> yea, i didnt post anything, but after that I dropped it. it was weird tho, in some versions they werent there, but in the openvpn version it was, so I couldnt trust it
01:59 < steveoooo> do you have a link?
01:59 * dazo looks it up
01:59 < dazo> http://x-wrt.org/
01:59 < vpnHelper> Title: Web interface for OpenWrt and more - X-Wrt.org (at x-wrt.org)
01:59 < steveoooo> I remember going to frys in order to find the right linksys to fuck up
02:01 < dazo> steveoooo: what's neat about this one, is that it's not much applications installed by default ... but you can install the needed pieces on the fly via a click in the webgui, so when you want to configure software which is not installed, you can click install ... it gets installed and you can continue the configuration
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 < steveoooo> nice
02:05 < steveoooo> maybe ill flash it right now
02:05 < steveoooo> if you trusted ddwrt, which would you use
02:06 < dazo> I'm running the 0.9 (whiterussian) release .... but I see that they've started stabilising the Kamikaze versions (devel versions), so it might come a new x-wrt soon
02:07 < dazo> well .... ddwrt is easy to configure and gives a lot of things without even needing to think about going into a shell on the box ... so ddwrt is probably more easy to setup and configure
02:07 < krzee> !security
02:07 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
02:07 < krzee> (for something else)
02:08 < dazo> while x-wrt is more kind of detailed in configuration ... and you have much more power to safely do changes via the shell and web, as the web will not freak out or overwrite changes done via shell
02:09 < dazo> so I feel that x-wrt is much more flexible than ddwrt
02:09 < steveoooo> cool
02:10 < dazo> and another thing .... the iptables setup in x-wrt is really basic and easy to understand immediately, no strange chains or strange loops ... it's really transparent compared to ddwrt
02:10 < steveoooo> hmm, i dont see a pre built image for my router wrt54gl1.1
02:10 < dazo> huh? strange ....
02:10 < dazo> I'm pretty sure I also have the gl1.1
02:11 < steveoooo> whiterussian? or kamikaze
02:12 < dazo> I'm using whiterussian now
02:12 < dazo> http://downloads.x-wrt.org/xwrt/firmware_images/whiterussian/0.9/milestone-3-rc2/default/openwrt-wrt54g-squashfs.bin
02:12 < steveoooo> (have you used any cellphone wireless computer cards ?)
02:12 < steveoooo> thanks
02:13 < steveoooo> rc2 hrm.
02:14 < dazo> steveoooo: nope ... not cards ... I've only used USB and Bluetooth to my SE-K800i ... and that works like a charm for me (using UMTS or GPRS)
02:15 < dazo> steveoooo: that rc2 is the latest one of whiterussian ... and it was released august 2007, so it's getting old .... but on the other hand ... it's very stable ....
02:16 < dazo> steveoooo: and there are update functionality via the web-gui as well .... so they have released some updates which I could install after installing it
02:17 < dazo> oh, that was just updating of the webgui, I see now
02:17 < dazo> but you have some ipkg tools as well
02:20 < steveoooo> cool
02:20 < steveoooo> im going to flash it right now
02:21 < dazo> :)
02:21 < steveoooo> is a lot smaller than ddwrt
02:21 < dazo> yeah, but when you install openvpn and other goodies and needed parts .... it's easy to fill it up :-P
02:23 < steveoooo> ill be back, hopefully
02:23 < dazo> heh ... good luck!
02:23 < steveoooo> I have another router in the closet if anything goes wrong
02:23 < steveoooo> heh
02:24 < steveoooo> id be interested on how the .bin files are compiled to work on the linksys routers
02:26 < dazo> steveoooo: quite simple ... cross compiled for the CPU platform ... and then things are put into a filesystem file (mounted as a loopback file probably) and then this filesystem is "converted" to the proper format the device needs it ... then this file is written directly to the flash
02:27 < steveoooo> im a coder but ive never compiled for a hardware device other than pic chips
02:27 < steveoooo> and this little linux based computer I have
02:27 < dazo> I think I remember I read a little bit about it on the openwrt wiki ....
02:31 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
02:36 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:36 < steveoooo> should I reset to default settings?
02:37 < steveoooo> dazo, are you running the openvpn on the router?
02:37 < dazo> steveoooo: yup
02:37 < steveoooo> hmm, cool and build all the keys on the server?
02:37 < steveoooo> built
02:38 < steveoooo> thru ssh?
02:38 < dazo> steveoooo: yes ... You need to have the keys prepared somewhere else
02:39 < steveoooo> i c
02:39 < dazo> steveoooo: I'm using certificates in addition to static.key .... so I created the needed certs and keys on another box and used ssh and scp to get them into the router
02:39 < steveoooo> got it
02:39 < steveoooo> im using certs too
02:39 < steveoooo> not a static.key tho
02:40 < dazo> steveoooo: I use all security features available, as a default in my setups :)
02:40 < steveoooo> i dont even know what im not securing : )
02:40 < steveoooo> ignorance is bliss
02:40 < dazo> Actually, I've stored config files, cert files and so on the nvram of the router ... not on the "filesystem"
02:41 < steveoooo> nvram?
02:41 < Dryanta> non volatile ram
02:41 < steveoooo> is it a mounted device?
02:41 < dazo> yeah .... kind of the "config" memory ... you'll have a nvram command ...
02:41 < dazo> nvram show .... will give you a lot of config settings
02:42 < dazo> and I used such hack as: nvram set ="`cat `" ... to store a file here ....
02:42 < dazo> but you must remember to do nvram commit .... to really save it nvram
02:43 < dazo> (I would not try this on a binary file though ........)
02:43 < steveoooo> nice, like how it shows that changes are being made!
02:43 < dazo> so I have my own openvpn_start.sh script .... which then pulls down all needed files from nvram and saves them under /tmp/openvpn .... and then openvpn is started from here
02:44 < steveoooo> i c, does the router do most of that for you?
02:45 < dazo> steveoooo: http://pastebin.com/d3e502198
02:45 < dazo> steveoooo: nope ... I hacked this myself .... as the webif only supports openvpn client, not server
02:46 < steveoooo> i c
02:47 < dazo> the pastebin contents, I've saved under /etc/openvpn_start.sh .... and then if you do this, nvram set ="`cat `" ... for all your openvpn files .... this should work pretty quickly for you
02:47 < steveoooo> ill get that going tomorrow
02:47 < dazo> :)
02:47 < steveoooo> pretty damn cool tho
02:47 < steveoooo> and your vpn network is in the same subnet as lan?
02:48 < steveoooo> with the bridge?
02:48 < dazo> just one remark .... do not use nvram commit too much .... as such writes will exhaust the nvram over time ..... but if you do it once a day, somebody calculated that the nvram would last at least 5 years
02:48 < dazo> yes, I did it this way
02:48 < dazo> I
02:48 < dazo> I've also separated wlan and lan ... so that they have different network segments as well .... and vpn is on the lan range, not wlan
02:51 < steveoooo> why use nvram
02:52 < dazo> to avoid using space on the jffs2 filesystem, which is used by applications and ipkg .... and /tmp is a ram disk, so only temporarily
02:53 < dazo> and it was a lot of space available in nvram for these config files
02:53 < krzee> steveoooo, leaves less trace
02:53 < dazo> with my current config ... I have used about 9kb out of 32kb available in nvram
02:54 < steveoooo> backup your router and let me see it : )
02:54 < steveoooo> just kidding
02:54 < dazo> heh ... sorry, don't trust you that much yet ;-)
02:56 < steveoooo> geez man all paranoid and shit
02:56 < steveoooo> heh
02:56 * dazo wonders if it would be possible to encrypt the openvpn config stored in nvram .... yeah, I know you would need to enter a password when starting openvpn
02:57 < krzee> instead of encrypting the config encrypt the cert keys
02:57 < dazo> btw! It's really easy to fill up your filesystem ... so be careful! really careful! or else you might in worst case need to reflash the device again
02:57 < dazo> krzee: yeah, I meant that .... for me keys are an important part of the config ;-)
02:57 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn
02:58 < krzee> when making the certs you can set a pass on them, easy-rsa its something like make-cert-pass
02:58 < krzee> ssl-admin asks when you make any keys
02:59 < dazo> krzee: that's true ...
02:59 * dazo haven't woken up yet today ...
02:59 < dazo> maybe I could even use pkcs12 certs ....
to have all in one file as well 03:31 -!- Dryanta [i=dryanta@66.252.23.192] has quit ["Changing server"] 03:33 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 04:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:26 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn 04:29 < steveoooo> dazo, help me out tomorrow configuring all this shit 04:29 < steveoooo> that would be cool 04:30 < dazo> steveoooo: I'll try .... I'll be travelling somewhat tomorrow, leaving the office around 13:00 UTC ... so I might have it hectic, but in the evening it might be more easy again 04:30 < steveoooo> what do you do? 04:40 < steveoooo> night 05:32 -!- steveoooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 05:58 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 60 (Operation timed out)] 06:00 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn 06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:15 -!- zug_|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 06:22 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 60 (Operation timed out)] 06:51 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has joined ##openvpn 06:53 < Naicamine> how can i get to my VPN server if it is on a dynamic address? 06:55 < Naicamine> is there a way i can get a free domain name and a free service that will point a domain name to a dynamic ip? 07:08 -!- Naicamine [n=bjones@96-35-60-139.dhcp.stls.mo.charter.com] has quit ["Leaving."] 07:38 -!- AukeF [n=folkerts@fury.science.uva.nl] has joined ##openvpn 07:39 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)] 07:41 < AukeF> Hi! I have an openvpn tap device (openvpn --mktun --dev tap0) bridged with my physical device (eth0). 
The tap device is used a the stub for Qemu's virtual network card, and has no IP on my host OS. This setup works; however, tcpdumping shows that not all traffic present on the eth0 device is also visible on my tap device. I think this is odd, given that they are bridged. Am I missing something? 07:41 < AukeF> (also, if this is not the right channel, my apologies, and please point me in the right direction) 07:42 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:43 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:44 < reiffert> AukeF: a bridge doesnt mean that all traffic passes both interfaces. 07:44 < reiffert> AukeF: routing still works and delivers packets to what interface matches best 07:44 < AukeF> aha 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:44 < reiffert> AukeF: a bridge allows to have broadcast/multicast packets to appear on both interfaces. 07:44 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood] 07:45 < AukeF> my understanding was that a packet that arrives on port1 is automagically duplicated on port2 07:45 < reiffert> AukeF: please check your understanding. 07:45 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:45 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:46 < reiffert> http://en.wikipedia.org/wiki/Network_bridge 07:46 < vpnHelper> Title: Network bridge - Wikipedia, the free encyclopedia (at en.wikipedia.org) 07:46 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 07:46 < reiffert> dvl: mind fixing your irc client please? 07:47 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood] 07:47 < reiffert> ecrist: r u around? 
07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:47 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:48 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:49 < reiffert> krzee: r u around?
07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:49 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:50 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:51 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:52 < reiffert> dvl:
07:52 < AukeF> hm. it looks like /proc/sys/net/bridge/bridge-nf-* are getting in the way
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:52 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:53 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:54 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:55 < reiffert> sigh
07:55 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:55 < reiffert> dvl:
07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:56 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:57 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:58 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:59 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
08:00 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
08:00 < dazo> dvl you got probs!
08:00 < dazo> dvl: please correct your client
08:01 < reiffert> Doubt he's reading that
08:01 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
08:01 < dazo> well ... on my screen, I saw you managed to catch him right after he "quit" ... so I hoped I could be quick enough now
08:02 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
08:03 < reiffert> brb cooking
08:06 < reiffert> dvl: u there?
08:27 < ecrist> reiffert: I'm around
08:27 < ecrist> what's up?
08:29 < reiffert> ecrist: how can I ban dvl so that he can fix his client meanwhile?
08:29 < ecrist> you just frustrated with the join/quits?
08:29 < ecrist> you can ignore those events from him, if you'd like
08:29 < ecrist> /ignore dvn JOINS PARTS QUIT
08:30 < reiffert> rite.
08:30 < reiffert> so everybody please type this, whatever your client understands.
08:31 < ecrist> if it starts up again, I can ban him, too
08:31 < ecrist> s/dvn/dvl/
08:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
08:33 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has joined ##openvpn
08:34 < nn> hello all, i'm leaving tomorrow to a place i must connect home from, through a horribly draconian firewall which limits my usage to ports 80 (inspected to actually be HTTP) and 443, the network i want to connect to uses 10.0.0.0/8 - is there a way to make openvpn clients fall within 10.0.0.0 or should i just use 192.168.0.0/16 and bridging of eth1 (internal lan) and the openvpn interface?
08:35 < nn> it would be much simpler for my life if i could make the vpn fall under the 10.0.0.0/8 but not too sure how the routing would work out for that
08:35 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
08:36 < dazo> nn: don't try to overlap network segments ... don't think about it ... it'll backfire sooner or later and you'll just be frustrated about how it almost works
08:37 < dazo> !1918
08:37 < vpnHelper> dazo: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:38 < dazo> nn: you also don't need to bridge anything, routing is usually more than enough, as long as your network and firewall at your server side have a sensible firewall setup
08:38 < brewmaster_> this might be a silly question, but can an openvpn server share samba folders over the vpn? or do I need to run a separate openvpn client process?
08:39 < nn> dazo: im just wondering if it might be better off to adjust the routing on the router to use smaller subnets for the wireless, servers, vpn, etc then have the actual clients refer to the wider /8 subnet
08:39 < brewmaster_> using bridged network btw
08:39 < nn> dazo: ive got quite a few machines on the home side that will not play happy with 192.168.0.0/16 *and* 10.0.0.0/8 addresses trying to talk to them
08:40 < dazo> brewmaster_: if you use tap device, samba should not be any problems at all .... if you do bridging, it'll save you for some routing issues connected to browsing shares and servers
08:40 < nikk^> Hi! Could you please help me to "translate" this route into "linux": route add 192.168.2.0 mask 255.255.255.0 10.8.0.14 metric 1 ?
08:40 < nikk^> 192.168.2.0 is the Remote Lan, 10.8.0.14 is the VPN-IP of the Remote Client
08:41 < dazo> nn: as long as you have a default gateway at "home" ...which will have a route to your VPN segment, your VPN segment can have whatever IP address you want
08:41 < brewmaster_> dazo, ok. i'm running the server on a debian machine, i connected to the network from an xp box and an ubuntu box, they can both see each other but not the debian machine
08:41 < brewmaster_> i can't even ping the debian server
08:41 < dazo> brewmaster_: does the debian box also have samba running?
08:41 < brewmaster_> yes
08:42 < dazo> brewmaster_: ahh ... check your iptables on debian ... that might be the issue here
08:42 < nn> dazo: for example: networking kit on 10.1.0.0/16, servers on 10.2.0.0/16, 100mbit clients on 10.3.0.0/16, wlan on 10.4.0.0/16, and vpn say 10.5.0.0/16
08:42 < dazo> nikk^: route add -n 192.167.2.0 netmask 255.255.255.0 gw 10.8.0.14 metric 1 ... just a wild guess
08:42 < nn> since ive got about 500 machines on the network
08:43 < brewmaster_> dazo, just to be clear: i don't need to run a separate client process on the server?
08:44 < brewmaster_> dazo, yeah, i think i gotta open up the tap device in iptables
08:44 < dazo> brewmaster_: no, that's usually not needed .... you might want to explore DNS options in openvpn config .... to push correct WINS server to VPN clients ... that way they will know where to look up for window machines
08:44 < dazo> brewmaster_: that's most probably right
08:46 < dazo> brewmaster_: in some very few settings, it might be that you want to have a "resolver" running on the gateway for sending netbios broadcasts between the net-segments ... but that was usually not needed after WINS came ... so if you have a WINS server, point all your clients to that one, and it should be working
08:47 < dazo> nn: yeah, that sounds sensible ... and your openvpn server needs to have routes to all these networks ... and also correct firewall settings, and then it should work pretty easy
08:47 < nikk^> thanks dazo. will this route use 10.8.0.14 as gateway?
08:47 < nn> dazo: thanks
08:47 < nn> thankfully i have access to some wifi not on my network to test with, back in a bit :)
08:48 < dazo> nikk^: it will route the 192.168.2.0/24 network through that gateway
08:48 < dazo> nikk^: even though, this doesn't sound like the right way to do it .... but I might be wrong
08:49 -!- jeiworth [n=jeiworth@189.163.173.75] has quit [Read error: 104 (Connection reset by peer)]
08:50 < dazo> nikk^: it just depends on where you set this route ... if it is on a client, it is correct ... if it is on a gateway/router ... then it should be another IP address of the gateway, most likely
08:50 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 54 (Connection reset by peer)]
08:51 < nikk^> hm, problem is: ping remote client -> server lan = possible, ping from server lan -> vpnip remote client = possible, server lan -> client lan ip doesn't work
08:52 < nikk^> ping vpn server -> client lan ip also doesn't work
08:52 < dazo> nikk^: do you have access to tcpdump on your openvpn server? and default gateways (if it is not the same as openvpn server)?
08:53 < nikk^> it is the same, wrt router, but no tcpdump
08:53 < dazo> nikk^: I suggest using tcpdump on openvpn server on the different network interfaces .... and then do a ping ... then you'll see where the traffic goes ... if you see only echo request and not echo response, the package went in another direction
08:54 < dazo> aha
08:54 < dazo> which firmware?
08:54 < brewmaster_> dazo, not sure if i need to change my iptables: i don't have a firewall and am behind a router
08:55 < nikk^> it is dd wrt, but with optware openvpn server
08:56 < nikk^> DD-WRT v24-sp1 (08/19/08) std
08:57 < dazo> nikk^: Yeah, I know that one .... okey ... ddwrt uses bridging as default, as far as I remember
08:57 < nikk^> i use routing atm
08:57 < dazo> nikk^: can you post config ? (pastebin)
08:57 < nikk^> one moment please
08:58 < dazo> brewmaster_: are you running openvpn on your default gateway?
08:58 < dazo> brewmaster_: if you are, you need to make sure that nothing is blocking the traffic .... try to use tcpdump ... it'll help you see where the traffic goes or not
08:59 < dazo> nikk^: you are using that ddwrt box as a gateway to your giant 500+ computers network?
08:59 < dazo> s/to/for/
09:01 < nikk^> 3 clients atm :)
09:01 < nikk^> http://pastebin.com/m2487b3a1
09:01 < dazo> nikk^: then I must have misunderstood you ... the gigant network you talked about .... how does this fit into the picture?
09:02 < nikk^> gigant network?
09:02 < dazo> nikk^: sorry! I mixed you with nn ..... too many chats in parallel :-P
09:02 < brewmaster_> dazo, not sure, what do you mean by default gateway?
09:02 < nn> heh
09:03 < nikk^> no problem dazo :)
09:03 < nn> rearranging and terrorizing my network presently
09:03 < nn> I is scared
09:03 < dazo> brewmaster_: default gateway is the box which sends all traffic which is not local (ie. Internet traffic) to larger networks
09:04 < dazo> nikk^: you have some things which don't match .... have a look here: http://pastebin.com/m6c3cb0f2 ... those highlighted lines must speak to the same network ranges
09:05 < dazo> nikk^: one of the routes needs to be your LAN/WLAN at home ... and the other one is the VPN
09:06 < dazo> nikk^: what's your IP range "at home"?
09:06 < nikk^> 192.168.88.0
09:06 < nikk^> remote site 192.168.2.0
09:07 < dazo> remote site is where you connect from?
09:08 * dazo begins to think if iroute might be the correct solution here
09:08 < dazo> !iroute
09:08 < vpnHelper> dazo: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:08 < dazo> nikk^: ^^^
09:10 < brewmaster_> dazo, that would be my d-link router
09:11 < nikk^> i am on the lan site behind the vpn server/ wrt, remote site is a friend of mine which can connect into vpn network and into lan, behind the vpn server
09:11 < brewmaster_> dazo, openvpn is running on my debian machine behind that router
09:11 < nikk^> he can connect to an ftp behind the vpn server
09:11 < dazo> brewmaster_: so your openvpn server is just a "client" on the inside of the openvpn server? (dlink doing portforwarding for you)
09:12 < nikk^> i can not ping his lan adress, not from client and not from server
09:12 < brewmaster_> dazo, i think so
09:12 < dazo> yeah, that sounds like this issue with iroute, iirc .... krzee or ecrist might now more about this actually ....
09:13 * dazo does a try
09:13 < dazo> !route
09:13 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:13 < dazo> nikk^: ^^
09:17 < dazo> brewmaster_: okey ... then I'm guessing you need to setup something in either the DHCP server config which adds a route to your VPN network going via the IP address of the debian box (the physical interface, not the VPN interface)
09:17 < dazo> brewmaster_: or you will need to go on all your clients in your internal network and add this route manually
09:18 < brewmaster_> dazo, yeah, i think i have that part working: i can connect from the outside world to the openvpn server without any issues, i just can't ping / access shared folders on the server once connected.
09:18 < brewmaster_> client to clients works for pinging / sharing files
09:19 < brewmaster_> here's my ifconfig output on the server: http://pastebin.ca/1308074
09:19 < dazo> brewmaster_: clients, here I meant those boxes internally on your network, controlled by your d-link box
09:19 < dazo> brewmaster_: only here ... I would say you can try with that box with the SMB shares first
09:23 < brewmaster_> dazo, shouldn't the server list the openvpn address (which should be 10.8.0.4) when i run ifconfig?
09:26 < dazo> brewmaster_: the openvpn box (debian) needs to have the route for both your VPN net and the physical network
09:26 < nikk^> thanks dazo
09:27 < dazo> brewmaster_: but you clients on the d-link network needs to know that they must contact your openvpn server to reach the VPN net .... or else the traffic will go to the default gw (your d-link router) and out on the internet
09:27 < dazo> nikk^: np!
09:29 < dazo> brewmaster_: so that's why I said this about the routing ... when the clients contact your openvpn (debian) box, this box will then know the rest of the route
09:37 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
09:43 < brewmaster> dazo, ok, thanks for the help, so how do i tell, say, a linux client to send all 10.8.0.0/24 traffic to my debian machine (192.168.0.103)?
09:43 < dazo> brewmaster: route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.103
09:45 -!- brewmaster_ [n=brewmast@dsl-216-221-35-73.aei.ca] has quit [Read error: 145 (Connection timed out)]
09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"]
09:45 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has joined ##openvpn
09:45 < ecrist> dazo, you should stick around, then I can just watch. :)
09:46 < dazo> ecrist: heh .... well, I'll step down when you get bored then :-P
09:46 < dazo> s/when/before/
09:46 < brewmaster> dazo, thanks, what about the openvpn server? how will it know the rest of the route?
09:47 < dazo> brewmaster: you can check the route table on that box .... (/sbin/route -n) .... here it should list up all routes and you can see if it has your local network and your VPN network ... if that's done ... it should be set
09:49 < brewmaster> hmm, no mention of tap0 or 10.8.x.x ...
09:52 < dazo> brewmaster: then it is time to dig into you openvpn config files
09:56 < brewmaster> dazo, what about "clients" that aren't on the LAN? do I need to have a route command?
09:56 < brewmaster> i'm SSH to an outside box, and it has "10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0" in the route -n
09:57 < brewmaster> which looks correct (though I know nothing ;)
09:58 < dazo> brewmaster: hmmm .... all clients on "your" network (inside the d-link) which you want to have access to your VPN (or which you want to connect to via the VPN) must know about this route
09:58 -!- rarn [n=rarn@38.104.189.110] has joined ##openvpn
09:58 < brewmaster> dazo, yeah, that's no problem, but what about the outside world?
09:58 < dazo> brewmaster: that "outside box" .... if that is not inside your d-link network, it should not be needed at all
09:59 < brewmaster> ok
09:59 < dazo> but for that box to reach your d-link network ... you would need to setup an OpenVPN tunnel ... and then the correct route should appear here
09:59 < dazo> brewmaster: I think you might find a better description here on routing ....
09:59 < dazo> !route
09:59 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
10:00 * dazo needs to run ... back in some hours
10:01 -!- dazo is now known as dazoafk
10:04 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
10:04 < orbisvicis> to start a client: i do sudo openvpn client.opvn and to kill a client ^C
10:05 < orbisvicis> is there a softer/better way to shutdown openvpn ?
10:05 < l11> orbisvicis: you'd usually use the scripts in /etc/init.d
10:06 < l11> like /etc/init.d/openvpn start and /etc/init.d/openvpn stop
10:06 -!- nikk^ [n=nikk@p54ADD682.dip.t-dialin.net] has quit ["I-n-v-i-s-i-o-n 3.0 (March '08)"]
10:07 < l11> (assuming the client config has been put where it can be found w/o extra arguments)
10:09 < nn> next round of network hell and overhaul comes in rebuilding my lost setup of ldap and kerberos... meh
10:17 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit ["leaving"]
10:17 -!- ecrist changed the topic of ##openvpn to: Check your firewall first. || We need !configs and !logs || HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man || LANs behind OpenVPN? See !route || Don't ask to ask, just ask; then wait.
10:24 -!- rarn [n=rarn@38.104.189.110] has quit []
10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
10:30 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has quit [Client Quit]
10:31 -!- nn [n=irc@fucked.your.mom.in.the.basement.of.nn2.us] has joined ##openvpn
10:31 < nn> oops
10:31 < nn> well.. for some reason, things are mostly working, except im getting the wrong IP
10:52 < orbisvicis> eh i guess its not a big deal ... i dont have any openvpn init scripts, but I took a look at one and it stops openvpn by killing
10:54 < nn> probably with SIGTERM, no?
10:55 < ecrist> nn - that's how programs get killed in the unix world
10:57 < nn> ecrist: yes i know
10:57 * nn looks at iptables with the we about to fight look...
10:58 * ecrist looks at chanserv with the 'me about to win' look...
10:58 < ecrist> :P
10:59 < ecrist> regardless, the comment should have been directed to orbisvicis, not you, nn
11:03 < orbisvicis> what sigterm is ^C, 15 ?
11:05 < orbisvicis> or 9
11:05 < nn> im thinking SIGINT or SIGQUIT
11:06 < ecrist> SIGINT, iirc
11:09 < ecrist>
--- Log closed Wed Jan 14 11:09:22 2009
--- Log opened Wed Jan 14 12:09:05 2009
12:09 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
12:09 -!- Irssi: ##openvpn: Total of 42 nicks [0 ops, 0 halfops, 0 voices, 42 normal]
12:09 -!- Irssi: Join to ##openvpn was synced in 1 secs
12:09 < ecrist> ugh
12:13 < reiffert> mahdi_ja: hi
12:13 < reiffert> mahdi_ja: You can have openvpn play the role of a vpn server, yes.
12:13 < reiffert> mahdi_ja: it has nothing to do with a domain controller, nor will openvpn replace a windows domain controller.
12:14 -!- jaysonsantos [n=jayson@189.102.240.246] has joined ##openvpn
12:18 < mahdi_ja> reiffert: in my company at this time use domain controller and i want use vpn server for operating independent reason.
12:19 < jaysonsantos> !route
12:19 < vpnHelper> jaysonsantos: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:19 < reiffert> mahdi_ja: sorry, I dont understand you.
12:20 < jaysonsantos> Hello people, I'm trying to connect via ssh from client to the vpn server and when (i think) i receive binary data, my connection stay frozed
12:20 < jaysonsantos> Maybe that is a route config ?
12:21 < mahdi_ja> reiffert: i am sorry my english is weak.i want know i can do task of windows domain controller with open vpn(create vpn server).
12:22 < reiffert> Who was that guy from that man-eating ape-island?
12:22 < reiffert> mahdi_ja: If I understand you right, a Windows Domain Controller can act as a VPN Server?
12:22 < mahdi_ja> reiffert: yes.
12:23 < reiffert> mahdi_ja: I see. Well Windows VPN is using L2TP or PPTP, right?
12:25 < mahdi_ja> yes this is true.i can use pptp in linux same windows.
12:26 < reiffert> mahdi_ja: openvpn is totally different and not compatible with l2tp not pptp.
12:26 < reiffert> mahdi_ja: but(!) openvpn runs on windows as well.
12:30 < mahdi_ja> yes,i know it.in a lot of company for restrict user to use a special application use domain controller. for example a user member of office1 domain can use office1 application an printer shared in this office an so on.i want know i can do this limitation with create a vpn server .
12:31 < reiffert> "this" as in share permissions and rights with the help of openvpn among domain users?
12:33 < mahdi_ja> reiffert: no,i want replace domain server and use openvpn for do task of domain controller.
12:34 < reiffert> mahdi_ja: sorry, but openvpn is a vpn server and not a domain controller.
12:34 < reiffert> !howto
12:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:37 < mahdi_ja> reiffert: thank you.
12:38 < reiffert> welcome
12:43 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn
12:43 < meshuga> !route
12:43 < vpnHelper> meshuga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
12:51 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
13:21 -!- mahdi_ja [n=mahdi@80.191.138.7] has left ##openvpn []
13:23 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
13:23 < Toinou_> hello
13:23 < ecrist> howdy
13:23 < Toinou_> Someone speak french or not?
13:24 < ecrist> probably not
13:24 < meshuga> so i'm having a problem where openvpn is only routing traffic to a few machines over the vpn. i am using /24's and only a few machines route
13:24 < ecrist> I understand and can speak very little, but we can try
13:24 < meshuga> all machines are pingable from each respective openvpn machine
13:24 < Toinou_> ecrist: ok thank
13:24 < ecrist> meshuga: see the channel topic
13:24 < meshuga> and i have turned off all firewalls and whatnot
13:25 < meshuga> ecrist: ya, i'm just doing static keys, and ccd shouldnt matter cuz some do pass
13:25 < Toinou_> I have problem to connect a client to my server
13:25 < ecrist> both of you, !configs and !logs
13:25 < ecrist> !configs
13:25 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:25 < ecrist> !logs
13:25 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:28 < Toinou_> Someone to help me to understand the error?
13:29 < ecrist> Toinou_: I need to see your log files, please?
13:30 < ecrist> we need to know what's not working and what your configuration is
13:30 < Toinou_> ecrist: which log files?
13:30 < meshuga> http://pastebin.com/m31f953f7
13:31 < meshuga> ecrist: there, I got the logs and the config in there
13:31 < meshuga> what i am doing is super simple
13:31 < meshuga> just trying to do a simple bi directional routed vpn
13:37 < ecrist> meshuga: you can't put a push "route" statement in a client config
13:37 < ecrist> you need to create a ccd, iirc
13:37 < ecrist> and set an iroute
13:37 -!- nn [n=irc@white.powder.nn2.us] has joined ##openvpn
13:37 < nn> how would i create a place-holder crl?
13:38 < ecrist> nn, let me get you the command
13:38 < ecrist> openssl ca -gencrl -out $crl -config $config
13:39 < nn> ahh thanks
13:39 < ecrist> $crl is the file name for the crl and $config is the openssl.conf file
13:39 < nn> i searched around the howto but windows is being hateful
13:39 < nn> gotcha, thanks
13:39 < ecrist> that's not in the howto, iirc
13:39 < nn> next experiment will be making openvpn feed off ldap for certs ;)
13:40 < ecrist> let me know how that goes, and what you end up doing.
13:43 < nn> will do
13:43 < nn> i heavily use ldap+pkcs11 stuff here ;)
13:44 < meshuga> ecrist: well, then i cant use static keys and need to do tls and stuff like that. i've done this before with static keys
13:44 < meshuga> years ago
13:44 < meshuga> i dont care if i manually have to setup route lines
13:44 < meshuga> the odd part is, its only routing half of the traffic
13:45 < ecrist> I'm looking into the docs, but I'm sure it's the client lan that's not being routed, right?
13:45 < ecrist> oh, you can put iroute in the server conf, since static keys only have one client
13:46 < meshuga> here i'll go back to my config using just linux boxes (instead of the routers, which i ultimately want it to go on)
13:46 < meshuga> basically i have 192.168.0.x that has a dozen machines on it, and i can only ping like 4 of them thru the tunnel
13:47 < ecrist> ok, tcpdump may tell you where things are being dropped
13:47 < ecrist> if you can ping some machines, then the vpn portion is working
13:48 < nn> oie. windows 7 is having issues :(
13:49 < nn> it does not like the route stuff
13:50 < ecrist> windows 7 is in beta - expect spotty results
13:50 < Toinou_> ecrist: sorry to disturb you but i did know which files log you need to help me?
13:50 < nn> its working well except not liking the route set stuff ;) 13:50 < meshuga> http://pastebin.com/m7fe8195 13:50 < nn> it appears i may have remote the route push stuff and manually caress the routing table 13:50 < ecrist> Toinou_: are you running openvpn via the command line, or via init.d? 13:51 < meshuga> i ran 'arp' on the machine which .0.1 is connected to running openvpn, and then tried to ping the hosts from the other side of the tunnel 13:51 < nn> remove 13:51 < meshuga> and only half of them respond. no firewalls or anything blocking it 13:51 < meshuga> pasting in tcpdump now 13:51 < Toinou_> ecrist: command line 13:52 < ecrist> ok, I need to see all the output that comes on the command line. 13:52 < ecrist> first, though, I need to know your problem. 13:52 < Toinou_> ecrist: I can't connect to the server!! 13:52 < meshuga> tcpdump doesnt say where anything is dropped 13:52 < meshuga> i just pasted that into the same pastebin, at the top 13:53 < ecrist> Toinou_: ok 13:53 < ecrist> is it a server you made, or a company server? 13:53 < meshuga> its like .0.1 isnt responding for certain machines to forward traffic from 13:53 < meshuga> which doesnt make sense 13:53 < Toinou_> ecrist: it's a server i made, it's for a project 13:54 < ecrist> Toinou_: read the following link, and let me know if everything is set up correctly: 13:54 < ecrist> !freebsd 13:54 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:55 < Toinou_> ecrist: toinou@toinou-portable:/etc/openvpn$ cd /etc/openvpn && sudo openvpn client.conf 13:55 < Toinou_> Wed Jan 14 18:51:19 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 13:55 < Toinou_> Wed Jan 14 18:51:19 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
13:55 < Toinou_> Wed Jan 14 18:51:19 2009 Cannot load certificate file client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_C 13:55 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 13:55 < ecrist> Toinou_: don't paste here, please 13:55 < ecrist> pastebin.com 13:55 < ecrist> ok, did you make a certificate? 13:55 < ecrist> meshuga: looks like some clients may not know how to route back to the VPN 13:56 < Toinou_> ecrist: sorry, i'm a noob!!! 13:56 < ecrist> ok!!!!1!1!! 13:58 < meshuga> ecrist: shouldnt the default gateway handle all of that? 13:58 < Toinou_> ecrist: I made 3 certificates: one is the CA, one is the server certificate and the last is the client certificate 13:58 < meshuga> oh, so i should change the subnet mask for them to 255.255.0.0 13:59 < ecrist> sorry folks, I've gotta get back to work. 13:59 < meshuga> thanks for your help man 14:00 -!- brewmaster [n=brewmast@dsl-216-221-35-73.aei.ca] has quit ["Leaving"] 14:21 -!- bandini [n=bandini@host9-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:38 -!- Toinou_ [n=toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Ex-Chat"] 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:07 -!- imbezol [i=imbezol@igloo.bigfiber.net] has left ##openvpn [] 15:17 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 15:20 < j_bsdxinu> hi, using FreeBSD, VPN installed, when i run build-ca i get error: you must define KEY_DIR 15:32 < ecrist> j_bsdxinu: use ssl-admin instead 15:33 < ecrist> /usr/ports/security/ssl-admin 15:33 < ecrist> easy-rsa blows balls 15:33 < j_bsdxinu> i will try that 15:37 < j_bsdxinu> thanks 15:37 < ecrist> if you have questions, I'm the author 15:40 -!- andrer [n=andrer@200.130.18.1] has joined ##openvpn 15:40 < andrer> is there a way to use those usb security dongles (rsa keys) with openvpn?
15:41 < ecrist> yes and no 15:41 < andrer> ecrist: i can choose which answer I want? :) jk 15:41 < ecrist> you can write secondary authentication scripts for OpenVPN, usually for LDAP/etc. Just write one of those. 15:42 < andrer> but there is nothing built in... ok 15:45 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has joined ##openvpn 15:46 < El_Presidente> hello, i want to allow my cousin to surf over my box, so i established a server on my pc. the vpn tunnel comes up but we cant set the default route 15:46 < El_Presidente> because his pc says the following 15:46 < El_Presidente> unable to redirect default gateway -- Cannot read current default gateway from system 15:47 < El_Presidente> he is online with an umts stick 15:48 < ecrist> google that error 15:50 < El_Presidente> i did ... 15:51 < El_Presidente> but i didnt find any suitable information for a windows pc ... 15:51 < El_Presidente> since my cousin uses windows 15:52 < ecrist> sorry, I've no idea 15:52 < El_Presidente> okay 16:04 < j_bsdxinu> ecrist, you are the author of ssl-admin? 16:04 < reiffert> El_Presidente: 16:04 < reiffert> !defl 16:04 < vpnHelper> reiffert: Error: "defl" is not a valid command. 16:04 < reiffert> !def1 16:04 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:05 < ecrist> j_bsdxinu: yes 16:05 < j_bsdxinu> ohh ok, thanks 16:06 < El_Presidente> reiffert, aha 16:06 < reiffert> !man 16:06 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:06 < reiffert> !howto 16:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto 16:06 < reiffert> also check 16:06 < reiffert> !topology 16:06 < vpnHelper> reiffert: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:07 < reiffert> some interesting thing about windows and /30 subnet. 16:07 < El_Presidente> reiffert, i know ty ;) 16:07 < reiffert> however, adding def1 should fix the thing 16:07 < El_Presidente> you mean redirect-gateway def1 ... 16:07 < El_Presidente> ? 16:08 < reiffert> El_Presidente: I mean ... RTFM! 16:08 < El_Presidente> :D 16:08 -!- andrer [n=andrer@200.130.18.1] has quit ["Lost terminal"] 16:22 < krzie> lol 16:23 < El_Presidente> cu 16:23 -!- El_Presidente [i=Martin@p5798F41E.dip.t-dialin.net] has quit ["Leaving"] 16:27 < reiffert> You give em a hand, you point them to the right paragraph in the docs and all you get is "cu". And that's "lol"? Well. 16:28 < krzie> haha 16:28 < krzie> my lol was that he knew def1 goes with redirect-gateway and he couldnt just look at it in the manual which you had linked him to 16:31 < j_bsdxinu> ecrist, i am kind of new, what is this for? S) Create new Signed Server certificate. 16:31 < krzie> umm 16:32 < krzie> its for creating a new server cert, and signing it 16:32 < krzie> i dont know how to say it better 16:32 < reiffert> Add "Self-" in front of Signed. 16:33 < ecrist> no 16:33 < ecrist> reiffert: it's not a CA certificate, it's a server certificate 16:33 < j_bsdxinu> so for openVPN i create one? 16:33 < krzie> doesnt have to be self-signed 16:33 < reiffert> Oh, rite! 16:33 < reiffert> it's ca signed 16:34 < reiffert> krzie: remember that guy from korea with the T1 flat on a tree? 16:34 < krzie> tjz, right? 16:34 < krzie> or mrcuteo...? 16:34 < reiffert> Well .. I dont remember his nick ...
16:34 < krzie> i think twas tjz 16:34 < krzie> but ya 16:35 < reiffert> Which is what I'm looking for :) 16:35 < reiffert> l11: u there? 16:35 < krzie> ahh 16:35 < krzie> i think its tjz, but COULD be mrcuteo 16:35 < l11> reiffert: pong 16:35 < reiffert> May I introduce you? 16:35 < l11> female? 16:35 < l11> :D 16:36 < reiffert> Channel, say hi to l11, he's lesbian :) 16:36 < krzie> lol no 16:36 < krzie> sup l11 16:36 < krzie> im a dike trapped in a mans body 16:36 < l11> quoting marvin? 16:37 < l11> i suppose reiffert has a reason to introduce us. we just need to find out why 16:37 < reiffert> Hm, the no special reason reason! 16:38 < l11> he says that all the time 16:38 < krzie> l11 got any problems with your vpn? 16:38 < l11> ehm .. no, not in particular. 16:39 < l11> doesn't run in the most efficient way but that's not the fault of openvpn 16:40 < l11> reiffert and you are online buddies? 16:41 < reiffert> I am online buddies? if so, how many? 16:41 < reiffert> body count! 16:43 < l11> he's dangerous. i remember when i happened to be in the same place, he almost subjected me to a radioactive particle beam. luckily there was 30 inches of lead in between :) 16:44 < reiffert> That was me, u sure? Maybe ran out of alc that time? 16:45 < l11> maybe it was because you *didn't* :P 16:46 < reiffert> Well, maybe that big electron beam which is everything but a radioactive particle beam and we may start discussing "particle" here :) 16:47 < reiffert> l11 is dangerous as well, dont get to him too close, he probably will convert you into another forth zombie! 16:47 < reiffert> dont get too close to him sounds more english than vice versa 16:47 < l11> well, if throwing in a detector hamster fills the air with stench of roast meet it doesn't really matter whether it's electron beam or not (or the nature of particles) 16:47 < l11> meat 16:48 < l11> *fizzle* 17:04 < reiffert> krzie: did you record some movie of your naked girls yet^w^w^w^w beach sunrise yet?
17:04 < krzie> nah man im down to one girl for now 17:08 < reiffert> Lemme guess, wrong (=no) christmas presents? 17:09 < krzie> nah i think i fucked up by actually getting them gifts 17:10 < reiffert> which of them did you keep? 17:11 < krzie> my favorite 17:11 < krzie> #1 17:16 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn 17:19 < reiffert> Good night (Gute Nacht in German) 17:19 < reiffert> Spoken like Goote Nucht 17:20 < reiffert> l11: krzie likes to learn some german words for impressing his german neighbour 17:23 < l11> me too 17:26 -!- l11 is now known as Bushmills 17:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:05 < cylix> So I set up a vpn and it really isn't working. Yes there is no firewall and it does connect with no errors on log lvl 3. Configs here: http://solace.info/dump 18:05 < vpnHelper> Title: Index of /dump/ (at solace.info) 18:06 < cylix> oops flood apparently 18:06 < cylix> sorry 18:06 < cylix> Anyway. I was just saying I set up a vpn. 18:06 < cylix> client and server connect. 18:07 < cylix> no errors in logs. 18:07 < cylix> yet I can only ping local devices. 18:07 < cylix> configs and logs at http://solace.info/dump 18:07 < vpnHelper> Title: Index of /dump/ (at solace.info) 18:09 < cylix> everything is exactly like the example configs except the remote ip of course and tcp not udp. Though I did try udp. 18:11 < cylix> Ah the server is on a one to one nat I should mention also. So it does have an external ip. 18:12 * cylix quits talking to himself... 18:12 < ecrist> give me a couple minutes to look, sheesh 18:12 < cylix> ecrist, thanks so much. 18:12 < cylix> :-) 18:14 < cylix> ah just renamed all files on webserver so they pull with correct mime type. Please reload directory. 18:15 < ecrist> ok, no errors in logs, as you said. what do you mean, you can only ping local devices?
18:16 < cylix> so the tun device on the client has the ip 10.254.1.6 18:16 < cylix> that I can ping from the client 18:16 < cylix> same with server. I can ping 10.254.1.1 18:16 < cylix> nothing else. 18:16 < ecrist> can you ping, from the client, to 10.254.1.1? 18:16 < cylix> no 18:16 < cylix> only from server. 18:16 < cylix> nothing is crossing the bridge. 18:17 < ecrist> sounds like a firewall issue. 18:17 < cylix> let me ask this then. does the client need an external ip? 18:18 < cylix> because I run and have tested the firewalls on both sides and that is not an issue. 18:18 -!- AukeF [n=folkerts@fury.science.uva.nl] has quit [Read error: 145 (Connection timed out)] 18:18 < ecrist> no, the client doesn't need an external IP 18:18 < ecrist> what are you trying to ping from the client, the internet? 18:19 < cylix> I just want to ping the server over the bridge. so 10.254.1.1 18:19 < cylix> That would prove it was working. 18:19 < ecrist> ok, still sounds like a firewall issue 18:20 < cylix> would you like to look at my firewall also? :-) 18:20 < ecrist> nope 18:20 < cylix> There is none except on the cisco 2811 I have doing a 1 to 1 nat for the server. 18:20 < ecrist> I would recommend you take down your firewall for testing 18:20 < cylix> ok I'll try that. 18:21 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"] 18:22 < cylix> I was just surprised it could still be a firewall issue after the initial connection succeeds. 18:23 < ecrist> firewall on the server, as all vpn traffic will be encrypted and encapsulation 18:23 < ecrist> encapsulated* 18:23 < cylix> There is no firewall on the server. 100% disabled. 18:24 < ecrist> traceroute 10.254.1.1 from the client 18:27 < cylix> ok now thats weird. 18:27 < cylix> traceroute: unknown host 10.254.1.1 18:27 < ecrist> o.O 18:27 < cylix> routing table is just what I uploaded though. 18:27 < cylix> so it should at least get to the ppp tunnel. 18:27 < cylix> or at least the tun device.
18:30 < cylix> ok so with log lvl 5 started on the terminal. I at least see WR appear for every ping I send. 18:31 < ecrist> log level 6 show anything more? 18:31 < ecrist> tcpdump show the packets hitting the server? 18:31 < cylix> So it is getting to the tunnel at some point. Not getting anything back though. 18:31 < cylix> I will check that now. lvl 6 then dump 18:34 < cylix> ok so it sends the ping then I get "TUN READ [84]" but no ping response. setting up dump now. 18:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:46 < cylix> wow ok getting wireshark for windows. 18:47 < cylix> from the dump taken on the tun device on the client side though. It looks like all pings go out but none come back. 18:47 < ecrist> what do you see from a dump on the server side? 18:48 < cylix> I'm still working on that. just finished my wireshark download. one min. 18:52 < cylix> hmm well they are coming in on the server side but not going out. 18:52 < cylix> I guess this means the problem is on the server somewhere. 18:53 < cylix> yes interesting. when I ping from the server it doesn't go across the link. 18:53 < cylix> when I ping from the client it goes across the link but the server isn't sending back. 18:54 < cylix> got to be a server config issue now what could it be... lol. You're right I would say firewall if I had one... 18:54 < ecrist> you're sure there's no firewall on the server? 18:57 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 18:57 < cylix> Well I'm checking again. :-) 19:00 < ecrist> I'm out for the night, I think. 19:01 < cylix> Well I do want to say a big thank you for your help. :-) 19:01 < cylix> Good night. 19:15 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 19:26 -!- jaysonsantos [n=jayson@189.102.240.246] has quit [Remote closed the connection] 19:49 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"] 19:52 < cylix> akk got it!!!
19:54 < cylix> Well if anyone else was reading and has had this problem please turn OFF the windows "routing and remote access". 19:57 * cylix Dances a little jig 20:00 < krzie> where do they turn it off? 20:00 < krzie> in services? 20:01 < cylix> well you could. I just went to the administrative tools and disabled it on the server from there. It does shut down the service though. 20:01 < krzie> where in administrative tools? 20:02 < cylix> routing and remote access. 20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access 20:02 < cylix> That's the name of the menu entry. 20:02 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 20:02 < krzie> !learn winroute as you may need to turn off "routing and remote access" in administrative tools - routing and remote access 20:02 < vpnHelper> krzie: Joo got it. 20:02 < krzie> thanx 20:04 < cylix> so did you log it for a faq or something? what's that vpnHelper about? 20:04 < krzie> !winroute 20:04 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access 20:05 < cylix> Ah I see cool.
20:05 < krzie> !factoids search win 20:05 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide' 20:05 < krzie> !wintaphide 20:05 < vpnHelper> krzie: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81 20:05 < krzie> all kinds of info on that bot 20:05 < krzie> so us helpers can be lazy ;] 20:05 < krzie> also has stuff like this: 20:05 < krzie> !pastebin 20:05 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 20:05 < krzie> !logs 20:05 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 20:05 < krzie> !configs 20:05 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:06 < krzie> or my personal favorite... 20:06 < krzie> !insanity 20:06 < vpnHelper> krzie: "insanity" is doing the same thing over and over expecting different results 20:06 < cylix> LOL 20:06 < cylix> Being lazy is always a good plan when possible. :-) 20:09 < krzie> efficiently lazy as i like to call it =] 20:10 < cylix> Seems like your way is straight out of some unix books I read. 20:10 * cylix Likes unix.
20:10 < krzie> ya 20:10 < krzie> its how i thought before i got into unix 20:10 < krzie> but its a reason me and unix get along well ;] 20:13 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn 20:46 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["got to run"] 21:16 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 21:16 < error404notfound> while creating certificates for openvpn using openssl, should I set passphrases on keys? 21:16 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 21:26 -!- bender[a] [n=OWinNOW@64.208.90.82] has joined ##openvpn 21:26 -!- bender[a] is now known as bender183 21:29 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 110 (Connection timed out)] 21:31 < ecrist> evening, bitches 21:31 < ecrist> error404notfound: personal preference 21:32 < ecrist> there's an added security to having a passphrase on the certificate key, but it's usually lost as people put the passphrase into a text file for automating startup/shutdown of the tunnel 21:33 < meshuga> msg drmctchr hey whats up? 21:33 < meshuga> er 21:38 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out] 21:38 < ecrist> wow, nmap 4.76 is really fast compared to older version 21:38 < ecrist> s 21:45 < krzie> agreed 21:46 < ecrist> I'm considering adwords for my wiki 21:47 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn 21:47 < ecrist> ~88 unique ips/day, with ~466 page loads/day 21:48 < ecrist> 91039 page loads last year. not too high, but enough to maybe get me a hit. 
21:49 < krzie> good idea 21:49 < krzie> but maybe you could leave it off the openvpn wiki 21:50 < krzie> since we're basically making it the unofficial (possibly official if that dude ever responds again) wiki 21:52 < ecrist> not a for sure thing at this point, but if I did it, I think it would be site-wide 21:53 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 104 (Connection reset by peer)] 21:54 < ecrist> I could pull a dick move and advertise my site with google for OpenVPN. lol 22:00 < krzie> haha 22:05 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 22:09 < ecrist> what is your objection to ads on the openvpn pages? 22:10 < ecrist> I don't think we're going to hear back from francis 22:11 < ecrist> 2.5% of my hits this month came from a search engine query 'openvpn routing' 22:23 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 22:25 < krzie> nice! 22:26 < krzie> people hitting my writeup 22:26 < krzie> =] 22:26 < ecrist> yep 22:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:26 < krzie> i guess if they were small and unobtrusive i dont have an objection, but i just like the idea of giving help without advertisements 22:27 < krzie> plus ads would take away some of the possibility of getting random others contributing i think 22:27 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 22:27 < krzie> but so far it seems to be us contributing to that and the forum anyways 22:28 < ecrist> yep 22:28 < ecrist> I haven't seen him in a while 22:28 < krzie> him? 22:28 < ecrist> guy doing the forum 22:29 < krzie> oh dougy 22:29 < krzie> ya hes MIA 22:30 < ecrist> !tcp 22:30 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 22:35 < ecrist> ~319 page loads/day for ovpnforum.com 22:35 < ecrist> 40 unique visitors/day 22:35 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Remote closed the connection] 22:36 < ecrist> don't have logging turned up on that domain, will have to do so tonight 22:36 < ecrist> I'm out - l8r krzie 22:37 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 22:50 < krzie> later 23:13 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 23:18 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)] 23:38 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 23:55 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn --- Day changed Thu Jan 15 2009 00:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 00:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:54 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 00:59 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 01:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 01:57 -!- dazoafk is now known as dazo 02:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:49 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 02:50 < metbsd> when i create server.crt, it's all empty 02:50 < metbsd> help needed 02:50 < reiffert> !howto 02:51 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:51 < reiffert> it's all in there 02:51 < metbsd> i used that howto, but the files index.txt, client.crt, server.crt are all empty with 0 size 02:51 < metbsd> is it normal?
02:56 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: dogmeat, disposable, disco-, zug_|work 02:56 -!- Netsplit over, joins: disposable 02:56 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has joined ##openvpn 02:57 -!- Netsplit over, joins: disco- 02:57 < metbsd> where do i define common name? 02:57 < metbsd> in vars 02:57 < metbsd> i'm doing stuff all wrong 02:57 < metbsd> cuz i don't know where to specify common name in vars 02:58 < reiffert> quoting the howto: 02:58 < reiffert> Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA". 02:58 < metbsd> oh explicitly entered! 02:58 < reiffert> oh, it's all in the howto! 03:00 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 03:28 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 03:38 -!- zug_|work [n=zug_work@88.211.97.126] has joined ##openvpn 03:46 -!- zug|work [n=zug_work@94-193-129-8.zone7.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 03:56 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn 03:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)] 03:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:00 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn 04:04 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 60 (Operation timed out)] 04:06 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 04:07 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)] 04:16 -!- ikevin [n=kevin@ANancy-256-1-10-23.w90-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"] 04:33 -!-
tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 04:51 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 04:57 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)] 05:01 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 05:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [""I'll see you on the dark side of the moon...""] 05:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:37 -!- zug|work [n=zug_work@88.211.97.126] has joined ##openvpn 06:48 -!- zug_|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)] 06:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 07:24 * ecrist wants to punch someone 07:26 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 07:27 < robert_> !route 07:27 < vpnHelper> robert_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 07:30 -!- dazo is now known as dazoafk 07:40 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn 07:49 -!- dazoafk [n=dazo@nat/redhat/x-9b92f7f7f5391fc8] has quit ["Leaving"] 07:53 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 07:53 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn 08:15 -!- c64zottel [n=hans@62.12.218.111] has quit [Read error: 60 (Operation timed out)] 08:16 -!- c64zottel [n=hans@62.12.218.111] has joined ##openvpn 08:27 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn 08:27 < mndo> !route 08:27 < vpnHelper> mndo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 08:30 < c64zottel> !water 08:30 < vpnHelper> c64zottel: Error: "water" is not a valid command. 08:32 < ecrist> what are you hoping to find with !water? 
08:35 < tjz> lol 08:41 -!- fialar [n=v@spoon.pkl.net] has joined ##openvpn 08:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:56 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 08:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 09:00 < aar0n> !route 09:00 < vpnHelper> aar0n: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 09:04 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has joined ##openvpn 09:18 -!- c64zottel [n=hans@62.12.218.111] has left ##openvpn [] 09:20 < mart_ian> hi folks. i have a situation that's got me scratching my head. i have a server (A) and a remote client (B) that is behind a firewall. i have two more clients (C & D laptops) that come and go. i want laptop C to be able to connect to any box on A's local net and B's local net. I want laptop D to only connect to A's local net. right now, i have everything going, except, i can't seem to prevent D from seeing B (and ... 09:20 < mart_ian> ... its local net). i have tried a variety of iptables rules on A and B, but nothing seems to reliably block D from B without blocking C (and A). any ideas on how to do this? 09:21 < fialar> A doesn't see traffic between B and C? 09:22 < ecrist> mart_ian: you need to set this up in one of two ways: 09:22 < mart_ian> i can't seem to get tcpdump/tshark to admit anything's going on. 09:22 < mart_ian> (on server A) 09:23 < ecrist> assign C an IP in a range that can see both networks via a push for each subnet or 09:23 < ecrist> use a firewall on the OpenVPN machine to restrict the access for specific clients 09:23 < fialar> ecrist: I think he's trying the latter 09:23 < fialar> machine A is the server, right? 09:23 < mart_ian> right. 09:23 < fialar> tcpdump running on machine A doesn't see traffic between B and C? 09:24 < mart_ian> correct. 09:24 < fialar> weird.
09:24 < fialar> does tcpdump not listen on tun0 properly in linux? 09:24 < mart_ian> ecrist: i was attempting your second idea, but can't seem to find the right foo to make it work. 09:26 < ecrist> do it in a couple steps. 09:26 < ecrist> 1) does the connection between A and B work flawlessly? 09:26 < mart_ian> yes 09:27 < ecrist> 2) does the connection between A, B, and C work flawlessly? 09:27 < mart_ian> yes 09:27 < ecrist> ok, so you must have client-to-client enabled within your server config, good. 09:27 < mart_ian> yes. 09:27 < ecrist> now, what OS are you running on the server? 09:28 < mart_ian> linux on all 09:28 < ecrist> the clients don't matter 09:28 < mart_ian> ok 09:28 < ecrist> I'm not going to be able to help you with firewall specifics, but you need to assign static IPs to your VPN clients (IPP is OK) and create a rule to block traffic on tun0 from D to B 09:29 < mart_ian> that's what i (thought i) did. 09:29 < ecrist> OpenVPN was written to allow kernel hooks into the tun driver, which would allow firewalls to operate correctly. 09:29 < mart_ian> but it didn't seem to block anything. 09:30 < mart_ian> when i run tcpdump on A, it doesn't seem to notice the traffic from D to B, even though it necessarily should be going through tun0 09:30 < ecrist> what interface are you watching traffic on? 09:30 < mart_ian> i've tried them all. 09:30 < fialar> tcpdump -i tun0 -n 09:30 < mart_ian> as well as tcpdump -n 09:33 < fialar> ecrist: OpenVPN uses star topography right? All traffic between clients has to pass through the server? 09:37 < ecrist> yes 09:40 < fialar> hmm tcpdump on openbsd works listening to tun1 (what I have openvpn running on) 09:40 < fialar> ecrist: what IPs would mart_ian have to block? 09:41 < fialar> because each client has its own /30 09:42 < ecrist> the client IPs - the rest don't matter 09:42 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Read error: 145 (Connection timed out)] 09:42 < fialar> not the P-t-Ps? 
09:42 < fialar> ok
09:42 < fialar> mart_ian: might want to turn logging on those FORWARD rules
09:45 < fialar> I'd test here but can only connect one client to the openvpn server here
09:46 < mart_ian> i have FORWARD policy set to DROP with no exceptions. it's still passing through.
09:47 < fialar> I connected a client, then pinged .1 and got: 15:50:00.861173 10.0.51.6 > 10.0.51.1: icmp: echo request (DF)
09:47 < fialar> so that works
09:47 < fialar> that's tcpdump listening on tun1
09:50 < fialar> mart_ian: if you ping .1, does tcpdump on server A see it?
09:51 < mart_ian> from D?
09:52 < mart_ian> from D, it sees it on tun0
09:53 < mart_ian> that is, pinging from D, watching on A:tun0
09:54 < fialar> D pinging A (A= .1)
09:54 < fialar> ah ok
10:36 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has joined ##openvpn
10:41 -!- tjz [n=tjz@bb121-7-98-165.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:44 < ecrist> mart_ian: I think I figured out your problem
10:45 < ecrist> you're using linux
10:45 < mart_ian> that's usually my solution...
10:45 < ecrist> FreeBSD FTW
10:45 < mart_ian> not really an option.
10:48 < ecrist> why not?
10:49 < ecrist> I'm not actually suggesting you need to change your OS, keep in mind.
10:49 < ecrist> just making a dig at Linux's fail
10:49 < mart_ian> O_o
11:01 < ecrist> o.O
11:01 < ecrist> \o/
11:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
11:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:30 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
11:33 < error404notfound> can someone tell me what's going wrong here: http://pastebin.com/m409260be
11:33 < ecrist> it's not able to verify the certificate
11:35 -!- nicon [i=n@tiberium.net.pl] has joined ##openvpn
11:35 < error404notfound> ecrist: both certificates were generated using the same ca
11:35 < nicon> Hi all
11:36 < nicon> I've got a problem. I have a server (on debian => openvpn) in one place and a client (wrt54gl with tomato) in a second place
11:36 < nicon> Everything works almost fine...
11:37 < nicon> The problem is that I can't see computers in the group at the windowses in the second place.
11:37 < nicon> I can "join" 'em only by typing the name of the server by hand (for eg: \\name-of-computer)
11:37 < ecrist> error404notfound: probably a problem with the certificate generation or file format
11:38 < nicon> What did I make bad?
11:38 < ecrist> nicon, you need bridging rather than routed, and it's more complicated to set up
11:38 < error404notfound> anyone know of an easy method to this all openssl stuff?
11:38 < nicon> ecrist: it is set to bridge
11:38 < nicon> not to route.
11:39 < ecrist> your local LAN and remote LAN need to use the same IP space
11:39 < nicon> ecrist: and yes, it uses the same IP space (192.168.10.*)
11:39 < nicon> the srv is 192.168.10.1, the client is 192.168.10.2
11:40 < nicon> And it's in the same work group.
11:41 < nicon> I want computers from the first place to be viewed in the second place and in retreat
11:41 < nicon> (in work group computers)
11:57 < nicon> Any idea?
12:08 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:11 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)]
12:11 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:14 -!- error404notfoun1 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Read error: 60 (Operation timed out)]
12:15 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has joined ##openvpn
12:20 < fialar> hey ecrist
12:20 < fialar> guess what?
12:20 < ecrist> what?
12:20 < fialar> openvpn bypasses iptables firewall on linux
12:20 < fialar> I just did some tests
12:20 < ecrist> lol
12:20 < fialar> my FORWARD policy is set to DROP
12:20 < fialar> yet vpn traffic is passed
12:20 < fialar> weird
12:20 < fialar> this doesn't happen on openbsd
12:20 < fialar> pf stops that stuff cold
12:20 < ecrist> or freebsd
12:20 < fialar> unless you let it in
12:21 * mart_ian whacks openvpn with a bsd slice
12:21 < mart_ian> *sigh*
12:21 < ecrist> must be how the linux kernel orders filtering
12:21 < fialar> wow.. talk about gaping network security hole
12:29 -!- error404notfoun2 [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Success]
12:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:34 < ecrist> wonder if it's something that changed in the linux kernel recently
12:34 -!- error404notfound [n=shoaibi@static-host202-147-161-50.link.net.pk] has quit [Connection timed out]
12:36 < fialar> ecrist: with the insane kernel development model they got going these days, I wouldn't be surprised
12:36 * fialar preferred 2.4/2.5 separate branch type development.. at least back then things were more stable
12:36 < fialar> biggest mistake Linus ever did was merge stable and development (or -stable/-release and -current)
12:46 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:56 < ecrist> that, among other things, is why I'm not a linux user
12:58 < fialar> I'd run openbsd on this asus eee, but no support for wireless yet.
12:58 < fialar> damn atheros chipset
13:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:08 < nicon> no1 will help me? :P
13:16 -!- rodpod [i=rod@hick.org] has quit [Read error: 113 (No route to host)]
13:23 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has joined ##openvpn
13:23 -!- nicon [i=n@tiberium.net.pl] has left ##openvpn []
13:25 < silver_hook> Hullo. I'm wondering what supposedly makes Hamachi superior to OpenVPN.
13:37 < cpm> didn't know it was.
13:38 < cpm> hamachi, closed ransomware, openvpn, , well, , , open.
13:38 < cpm> wasn't aware there was a comparison.
14:01 < silver_hook> Avahi/Zero-conf?
14:01 < silver_hook> P2P?
14:02 < silver_hook> I'm new to VPN, but I'd rather not use a closed-source application to handle such things...
14:05 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
14:14 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has joined ##openvpn
14:15 < nemo> Say folks. Does anyone know if it is feasible to setup Aventail w/ openvpn?
14:22 < nemo> hm. my bet is "no" on openvpn, from reading.
14:25 < ecrist> I don't know what Aventail is
14:27 < nemo> VPN solution, owned by SonicWall
14:27 < nemo> to their credit, they have a linux client
14:28 < nemo> I'd just like to integrate it with NetworkManager instead of using their client
14:28 < nemo> so far, haven't had much luck w/ either nm-vpnc or nm-openvpn - just poking at various config params.
14:36 < ecrist> oh, no, OpenVPN is only compatible with OpenVPN
14:39 < nemo> got that impression from the fact that it seemed to require a cert :)
14:39 < nemo> thnx.
14:39 -!- nemo [i=nemo@c-76-21-160-106.hsd1.md.comcast.net] has left ##openvpn []
14:40 < silver_hook> Alright. I'm still trying to figure out what the added value of Hamachi should be over OpenVPN... Could it be the P2P and Zero-conf/Avahi support?
14:42 < ecrist> silver_hook: the advantage is marketing
14:42 < ecrist> that's all
14:42 < silver_hook> ecrist: Makes sense ;) Just as Skype over SIP :P
14:42 -!- mart_ian [n=mart_ian@pool-173-49-80-4.phlapa.fios.verizon.net] has left ##openvpn []
14:42 < ecrist> right
14:43 < silver_hook> Is there a HOWTO somewhere on how I can make a tunnel for filesharing with some other box?
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:03 < Bushmills> silver_hook: when you have setup openvpn to connect with another box, you *have* a tunnel. what kind of services you run over the tunnel, the tunnel doesn't care.
15:04 < Bushmills> i suppose you want to look into some sort of routing-howto
15:04 < silver_hook> Bushmills: So, basically the VPN just makes a tunnel and both boxes still need to run appropriate daemons and services?
15:05 < silver_hook> And VPN only makes sense, when one box is otherwise not directly accessible?
15:06 < Bushmills> silver_hook: that is correct
15:06 < Bushmills> first statement is.
15:06 < Bushmills> second is debatable
15:06 -!- Bausparfuchs [n=jochen@88.134.230.128] has joined ##openvpn
15:08 < silver_hook> Bushmills: What would you say for using VPN even when both boxen can communicate directly?
15:09 < Bushmills> elimination of man in the middle
15:10 < Bushmills> imagine using plaintext password on one machine from the other.
15:11 < silver_hook> Mhm...
15:11 < silver_hook> Where do Avahi and P2P come in then?
15:12 < Bushmills> no idea. you tell me.
15:13 < Bausparfuchs> hi @all have a problem to set up a vpn connection via openvpn (actually with the networkmanager-vpn plugin of gnome) The problem is to understand the different "connection types" and the files i have to create or specify in the gui. The only information that i got from my university for the vpn are a group password, a server address, a group name and a username + password. Additionally the connection is a "ipsec over tcp" connection. The TCP
15:13 < Bausparfuchs> Connection i can switch on in the options, but now i dont know which connection type i have to choose and which file(s) i have to write
15:15 < Bushmills> Bausparfuchs: are you supposed to connect to an openvpn server?
15:16 < Bausparfuchs> Bushmills: no, i dont think so, the university provides only the cisco client for windows but the linux-version makes some trouble on my pc so i decided to try openvpn
15:17 < Bushmills> if there's no openvpn on the other end, you can't connect to it with openvpn on your box.
15:17 < silver_hook> Bushmills: I dunno. That's what I wonder about Hamachi ...it's supposed to be a Zeroconfig VPN and with some P2P stuff in between.
15:18 < Bushmills> try to connect with wolfenstein castle
15:18 < Bushmills> i guess the chances of success are comparable
15:19 < silver_hook> But, if I understand correctly so far ...it's just a VPN. Although I have no idea what Zeroconfig/Avahi and P2P have to do with VPN...
15:20 < Bushmills> silver_hook: "VPN" is a generic name. like "computer", but you appreciate that there are different kinds of (incompatible) computers? same with VPNs
15:21 < silver_hook> OK ...makes sense so far.
15:21 < silver_hook> Like with P2P there's many networks or with IP telephones, right?
15:21 < Bausparfuchs> Bushmills: oh so openvpn only works with openvpn. that was new to me. thanks
15:22 < Bausparfuchs> then i have to fall back to vpnc and hope it will work
15:22 < Bushmills> silver_hook: there's probably more types of VPN than there are of ip phones...
15:22 < silver_hook> And they're mostly incompatible?
15:23 < Bushmills> yes. that's more the rules than the exception.
15:23 < Bushmills> rule
15:24 -!- Bausparfuchs [n=jochen@88.134.230.128] has left ##openvpn ["Konversation terminated!"]
15:26 < silver_hook> OK. So far I understood that it's practical to have a tunnel when the other box is behind NAT or there are proxies in between. But what other middle man are you talking about?
15:27 < Bushmills> silver_hook: middle man as in eavesdropper
15:31 < silver_hook> Bushmills: Aha. What about TOR then in such cases?
15:33 < Bushmills> tor uses a different architecture. it has a different purpose too, that is, hiding the relation between origin and destination.
15:34 < Bushmills> openvpn doesn't hide the relation between server and client. but it obscures the nature and contents of traffic
15:35 < silver_hook> I know what TOR is for, but wonder why I'd use (Open)VPN instead for more security.
15:36 < silver_hook> Bushmills: Well, I think I understand things a lot better now, thanks :)
15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
15:37 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:37 < Bushmills> you might have control over both ends of the connection, but not over the path in between. that's where openvpn is more suited than tor.
15:39 < Bushmills> other uses are, you might want to connect to a mobile device, no matter where it connected. with openvpn, you can reach that device on a static ip address.
15:40 < silver_hook> Bushmills: Mhm, makes sense all of it so far..
15:40 < Bushmills> and many folks love that connections over openvpn stay alive even if the physical connection was dis- and reconnected
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
15:42 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:52 < silver_hook> That also sounds pretty cool :]
15:53 < silver_hook> I think I'm packed with info for now ;)
15:57 < silver_hook> Thanks, Bushmills! Right now I don't seem to have a dire need of VPN, but at least now I know enough to know when I will and where to look then :)
16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
16:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)]
16:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
16:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:22 -!- silver_hook [n=matija@lk.84.20.246.165.dc.cable.static.lj-kabel.net] has quit ["studying law..."]
16:24 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn
16:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
16:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:13 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
19:35 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:39 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection]
19:41 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Read error: 113 (No route to host)]
19:44 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:45 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn
19:52 -!- setveoooooooo [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
19:55 < ecrist> what's with all the dropped connections? sheesh
19:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
20:09 -!- rodpod [i=rod@hick.org] has joined ##openvpn
20:09 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has joined ##openvpn
20:12 < deltaray2> I am deploying some servers on different networks, but would like to have them use a private and secure network of their own to talk to each other in addition to having public IPs. Is openvpn the right solution for that or should I be looking at something else?
20:21 < reiffert> openvpn is your thing
20:21 < reiffert> !howto
20:21 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:22 < deltaray2> thank you
20:22 < deltaray2> I guess I think of VPN as something that home clients use to connect to work, but I suppose that's not much different than a server connecting into a larger network.
20:24 < reiffert> You can have a bridged and a routed setup
20:25 < deltaray2> Ok, so openvpn does either one? I thought it only did routing.
20:25 < deltaray2> I'm still reading through the FAQ
20:25 < reiffert> Welcome!
20:25 < reiffert> I'm off to bed, it's 03:30 here
20:31 < ecrist> deltaray2: what OS?
20:32 < ecrist> deltaray2: I suppose, regardless of OS, check out the following:
20:32 < ecrist> !freebsd
20:32 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
20:44 < cylix> Weird, Well I just found the source of my problems from yesterday.
20:44 < cylix> On windows 2003. when I get the vpn up it doesn't work.
20:44 < ecrist> firewall?
20:45 < cylix> nope
20:45 < cylix> it was routing
20:45 < cylix> the table was http://solace.info/dump/server.route.txt
20:45 < cylix> it needed one more entry
20:45 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
20:46 < cylix> that being 10.254.1.0 dest network 255.255.255.0 gateway 10.254.1.2
20:46 < cylix> I'm not sure why it wasn't put there by open vpn if it's needed.
20:47 < cylix> windows routing put it there when I started it BUT didn't put it back after a reboot so it quit working. :-(
20:47 < cylix> It had me running circles.
20:49 < cylix> adding it as a static route seems to fix it with the reboot problem though.
20:50 < j_bsdxinu> ecrist, i installed openVPN and ssl-admin, i figured out how to create client/signed certs, But how do i create a Server cert/signed?
20:53 < ecrist> there should be a menu option
21:09 < cylix> so is there an official mailing list for openvpn anymore?
21:10 < j_bsdxinu> ecrist, i get an error when selecting S)
21:10 < j_bsdxinu> Error Loading extension section server
21:15 < deltaray2> ecrist, CentOS Linux among others
21:17 < deltaray2> Actually, that howto will be useful because I do have one customer that uses FreeBSD.
21:17 < deltaray2> thanks
21:18 < j_bsdxinu> I am using FreeBSD
21:20 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 4.
21:25 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
21:25 < metbsd> hi need help about openvpn
21:25 < metbsd> if i want to connect two clients from two diff networks, what to put in server?
21:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
21:32 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
21:34 < j_bsdxinu> ecrist, this is what i get :( when using S) ... Error Loading extension section server
21:35 < j_bsdxinu> ecrist, There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 2
21:40 < ecrist> j_bsdxinu: I'll look into the error tomorrow. I'll let you know what comes of it.
21:40 < ecrist> cylix: yes, there is.
21:40 < ecrist> it's fairly active, as I understand.
21:40 < ecrist> there's also a fairly new forum, ovpnforum.com
21:41 < ecrist> metbsd: client-to-client
21:41 < ecrist> g'night all
21:42 < j_bsdxinu> ok, thanks
21:48 < metbsd> vpn is so damn complicated
22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
22:10 < metbsd> where do i put key file in windows openvpn?
22:15 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0, metbsd
22:15 -!- Netsplit over, joins: rodpod, pa, ebf0
22:16 -!- Netsplit over, joins: metbsd
22:17 < cylix> metbsd, wherever you have specified in the server or client config.
22:17 < cylix> see the ca, key, and cert options in your config.
22:20 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: pa, rodpod, ebf0
22:21 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: metbsd
22:22 -!- Netsplit over, joins: rodpod, pa, ebf0
22:46 -!- deltaray2 [n=deltaray@1.79.244.66.sdsl.sta.smithvilledsl.net] has left ##openvpn ["Leaving"]
23:31 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
23:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit [Remote closed the connection]
--- Day changed Fri Jan 16 2009
00:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:55 < ricoshady> im using openvpn in openwrt and im having a connection problem. the client hooks up to the server but then the handshake fails.
00:58 < ricoshady> http://pastebin.com/m33e95fd7
00:58 < ricoshady> client config
00:59 < ricoshady> i mean the first is the server config
01:01 < ricoshady> client config: http://pastebin.com/m57f3c4ff
01:03 < ricoshady> server error output http://pastebin.com/m1530bd2a
01:14 < ricoshady> any ideas? im using keys built and tested on another server/client pair
01:14 < ricoshady> cause I cant build them on my server
01:46 < ricoshady> very similar to what this person is experiencing
01:46 < ricoshady> http://forum.openwrt.org/viewtopic.php?id=4925
01:47 < vpnHelper> Title: OpenWrt / OpenVPN Problem (at forum.openwrt.org)
02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:00 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:00 < joelsolanki> Hi room
03:01 < joelsolanki> when i start openvpn service on my server it gets IP 10.8.0.1 with subnet 255.255.255.252
03:01 < joelsolanki> and on client machine it gets ip 10.8.0.6 with subnet 255.255.255.252
03:01 < joelsolanki> so when i ping from client to server or vice versa i cant ping
03:01 < joelsolanki> is this a subnet mask problem ?
03:03 < joelsolanki> by the way this is on windows machines
03:28 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
03:34 -!- fialar [n=v@spoon.pkl.net] has left ##openvpn []
04:13 < Bushmills> joelsolanki, yes. try 255.255.255.248
04:25 -!- worch [i=worch@battletoad.com] has joined ##openvpn
04:25 < worch> !route
04:25 < vpnHelper> worch: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
04:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:46 < worch> to my vpn server, two clients connect, which are my laptop and my home router. I've the router's subnet routed so that I can connect to other clients in my router's LAN from my laptop or server. Now when I'm home, my laptop is _also_ a client on my router's LAN in addition to my vpn. This is causing some problems, which I'm unsure how to resolve. For example, when I'm at home and I try to ping my laptop (as a client on the router via the ip on the router's
04:47 < worch> The result is that the server receives a packet from the laptop with a source ip that it does not expect, so it is dropped. How should I fix this?
04:48 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has joined ##openvpn
04:48 < worch> It took me about half a day to figure out why things were acting so strangely :p
04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
06:54 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
08:11 < ecrist> good morning, bitches
08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
08:14 * j_bsdxinu celebrates as ecrist is here :)
08:14 < ecrist> uh oh
08:17 * j_bsdxinu is now disappointed, uh oh does not sound good
08:27 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
08:31 -!- ebf0- [n=ebf0@87.238.45.168] has joined ##openvpn
08:40 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Read error: 113 (No route to host)]
08:40 -!- ebf0- is now known as ebf0
09:04 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn
09:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
09:11 < S7> Hello, I can't get the openvpn client to connect to the server, getting: us=21651 TLS Error: Unroutable control packet received from 84.108.127.43:1194 (si=3 op=P_CONTROL_V1) repeatedly
09:11 < S7> server: http://pastebin.com/m5759f6f7 (OpenVPN 2.1_rc15 amd64-portbld-freebsd7.1 [SSL] [LZO2] built on Jan 16 2009) client: http://pastebin.com/m59afd697 (OpenVPN GUI 1.0.3) clocks seem to be synced, openssl returns cert is ok
09:19 < ecrist> j_bsdxinu: why're you excited I'm here?
09:20 < ecrist> S7: what does google tell you about the error?
09:20 < S7> sync the clock.
09:20 < S7> it synced ;\
09:24 < ecrist> S7: read this thread: http://osdir.com/ml/network.openvpn.user/2003-09/msg00010.html
09:25 < vpnHelper> Title: Re: TLS handshake failed?: msg#00010 network.openvpn.user (at osdir.com)
09:39 < j_bsdxinu> ecrist, im having problems creating a Server cert with ssl-admin :( -- i get this when sel menu S)
09:39 < j_bsdxinu> Error Loading extension section server
09:39 < j_bsdxinu> There was an error during openssl execution. Please look for error messages above. at /sbin/ssl-admin line 226, <> line 3.
09:39 < ecrist> ok, let me look into it now.
09:40 < S7> ecrist, thanks
09:40 < S7> but it wasn't that
09:40 < S7> i've added
09:40 < S7> duplicate-cn and now it works
09:40 < ecrist> ah, see you left out important details.
09:40 < ecrist> mainly, you've got multiple clients sharing the same certificate
09:41 < nn> uhoh
09:41 < S7> well, i have one client
09:41 < S7> and one server
09:41 < S7> i don't know how it's related
09:41 < S7> i've also had the server cert
09:41 < S7> as a client cert
09:41 < S7> fixed that now too
09:42 < S7> actually that was the main problem
09:42 < S7> but just when i've added duplicate-cn i've seen the real error
09:42 < S7> before that just had that Unrouted stuff
09:42 < S7> after i've added duplicate-cn it told me the cert is wrong
09:43 < ecrist> my guess is your certificate setup is borked.
09:43 < ecrist> but, glad you got it working
09:44 < S7> i had troubles with the scripts, since they're in bash, so i've made them manually, maybe got something broken in the way
09:45 < ecrist> you on linux?
09:45 < S7> fbsd
09:45 < ecrist> ah, use ssl-admin
09:45 < S7> or i just could've installed bash and saved me the troubles =)
09:45 < ecrist> /usr/ports/security/ssl-admin
09:46 < ecrist> there's a problem with it, as j_bsdxinu has alluded to, which I'm working on now
09:46 < S7> i'll try that out, making certs by hand is kinda annoying
09:46 < ecrist> aye
09:47 < ecrist> I wrote ssl-admin - features/problems, let me know
09:49 < j_bsdxinu> yes i am using FreeBSD too. S7 even after i installed bash in fbsd then tried their ez cert, it still did not work, that's why i use ssl-admin
09:49 < ecrist> that's why I wrote ssl-admin
09:52 < ecrist> one of these days, I need to re-write this script.
09:52 < S7> j_bsdxinu, u can for now use sh
09:52 < ecrist> it currently uses the system function to call the openssl program directly, whereas it should be using the perl SSL library
09:54 < S7> cd ~/easy-rsa/2.0/ ; mkdir ./keys/ ; touch ./keys/index.txt ; echo 01 > ./keys/serial ; sh ; . vars ; ./pkitool --initca ; ./pkitool --server server
09:55 < S7> it's very awkward, but somehow worked at the end
09:57 < ecrist> ah, openssl.cnf is missing some things in the current port
09:58 < ecrist> I'll make available an updated version shortly and submit a pr to get the port updated.
10:00 < j_bsdxinu> S7, so that's how you can make it work with 'sh'
10:01 < ecrist> q
10:03 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection]
10:05 < ecrist> j_bsdxinu: fixed the problem.
10:06 < ecrist> I'll submit the PR shortly (takes a few days to update a port in freebsd repo), but you can download the one file that needs to be fixed at ftp://ftp.secure-computing.net/pub/ssl-admin/openssl.conf
10:06 < ecrist> put that file in /usr/local/etc/ssl-admin
10:06 < j_bsdxinu> ok, great thank you so much
10:07 < ecrist> np
10:15 < ecrist> krzie: hit me when you're around. I'm going to be working on some ssl-admin things today. Namely, build scripts for various OSes and some generic packaging.
10:32 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn
10:42 -!- S7 [n=yury@84.108.50.0] has quit []
10:52 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn
10:52 < ashley_> !route
10:52 < vpnHelper> ashley_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:08 < ecrist> krzie: your Makefile breaks in freebsd ports build
11:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:43 < j_bsdxinu> ecrist, http://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/index.html
11:43 < vpnHelper> Title: FreeBSD Porter's Handbook (at www.freebsd.org)
11:43 < j_bsdxinu> may be of some interest to you
11:45 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has left ##openvpn []
11:53 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn
12:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:04 < ecrist> j_bsdxinu: yeah, been there many times.
12:09 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:10 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has joined ##openvpn
12:11 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn
12:11 < kpoman> hello to all guys !
12:12 < kpoman> I am having a very strange problem on a particular linux box openvpn client, but with exactly the same conf on windows it works out of the box.
12:12 < kpoman> On linux, it tries many times to connect, giving TLS HMAC authentication errors (a random amount of times) then connects
12:12 < kpoman> and stays connected
12:15 < kpoman> I get this: TLS Error: incoming packet authentication failed from
12:15 < kpoman> then Fatal TLS error (check_tls_errors_co), restarting
12:15 < kpoman> and this: SIGUSR1[soft,tls-error] received, client-instance restarting
12:16 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
12:16 < bigjohnto> can you have openvpn gui execute a batch script after it completes the connection to a vpn process?
12:17 < kpoman> can someone help me please ? I recompiled openssl, openvpn, both sides, same version of all, and still get it. The problem is sometimes it connects really fast (first try) and other times it tries for more than one hour
12:19 < ecrist> bigjohnto: that's a function of OpenVPN, yes.
12:19 < ecrist> the GUI isn't what does it, it's the main binary
12:19 < ecrist> this is defined with --up and --down in your config file
12:20 < ecrist> see the howto for more information
12:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:30 < bigjohnto> ecrist thanks :)
12:30 < tjz> any idea beside port 1194 udp ..what other port should i open in my firewall?
12:32 < j_bsdxinu> ecrist, i created a serv cert thanks, by the way at first i tried to change all indexes to 01 so it would restart the count but failed each time. once i deleted and re-installed ssl-admin it worked correctly
12:32 < ecrist> um, you don't want to re-start the index counter.
12:33 < j_bsdxinu> yes, i figured that out the hard way :(
12:33 < ecrist> if you do that, and re-use the same certificate, you have duplicate certificate IDs out there, and it's impossible to discretely revoke them.
12:35 < j_bsdxinu> ok, good thing i had only created two which are now deleted from clients then recreated with the new install ;)
12:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:44 < ecrist> j_bsdxinu: it's going to be a bit before I send the fbsd pr.
12:44 < ecrist> I've got some major ports building fun to read up on
12:47 < kpoman> any idea about my problem ?
12:47 < kpoman> thank you !
13:02 < ecrist> kpoman: I need logs, please
13:07 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
13:08 < Kobaz> okay, so what's the proper subnetting for routed (tun) clients
13:08 < Kobaz> i see in the faq that each client gets a /30
13:09 < Kobaz> but with all my setups so far i've only left space for 2 ips per client (the client ip and the server endpoint ip)
13:10 < Kobaz> like 10.1.2.1 is the server, and then i would do "ifconfig-push 10.1.2.3 10.1.2.4" on each client
13:10 < Kobaz> is that proper
13:11 < ecrist> no
13:11 < ecrist> a /30 has 4 ips, not 2
13:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
13:21 -!- rubydiamond [n=rubydiam@123.236.183.158] has joined ##openvpn
13:22 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:22 < El_Presidente> hello
13:22 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit ["Spare me some sleep, please."]
13:24 < El_Presidente> i have a problem setting up my vpn properly. i have my pc 192.168.178.23, my router 192.168.178.1 and my cousin's pc that should be allowed to surf on my internet. my pc should be the vpn server since i use a fritzbox and dont want to flash it with an openvpn firmware
13:24 < El_Presidente> this is my server config
13:24 < El_Presidente> http://pastebin.ca/1310252
13:25 < El_Presidente> and here comes my client config
13:25 < El_Presidente> http://pastebin.ca/1310273
13:25 < El_Presidente> the vpn connection builds up
13:25 < El_Presidente> but i cant ping him and he cant ping me nor surf
13:25 < El_Presidente> any suggestions?
13:25 < ecrist> 1) do you have client-to-client?
13:26 < El_Presidente> do i need that if my local pc is just the server ?
13:26 < El_Presidente> and there is just one client
13:26 < ecrist> if you want VPN clients to ping each other, you need it
13:26 < ecrist> and, for the vpn clients to get access to the internet, you need to have a properly configured NAT
13:27 < El_Presidente> okay ...
13:27 < El_Presidente> 1. to client-to-client
13:27 < El_Presidente> server config?
13:28 < ecrist> yep
13:28 < El_Presidente> okay done
13:28 < El_Presidente> so now to the nat
13:28 < El_Presidente> what do i need to do there
13:29 < El_Presidente> i opened port 10000 on my router for my pc to enable the vpn connection
13:29 < El_Presidente> what else do i need
13:29 < ecrist> openvpn doesn't do NAT. for that, you need another piece of software. your gateway may be able to handle that for you.
13:30 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:30 < ecrist> if I were you, i'd setup a bridged VPN, rather than routed, and assign IPs from your lan subnet
13:30 < El_Presidente> what gateway?
13:30 < ecrist> then your NAT setup is already done
13:30 < El_Presidente> isnt my config bridged?
13:30 < El_Presidente> because it says that i bridge tap0 with eth0
13:30 < ecrist> oh, yeah it is.
13:31 < ecrist> why are you 'push route 0.0.0.0 0.0.0.0 192.168.178.1'?
13:31 < El_Presidente> dont i need that?
13:31 < ecrist> for what?
13:31 < El_Presidente> 192.168.178.1 is my router to get my pc to the internet
13:32 < ecrist> does your setup work?
13:32 < El_Presidente> what setup?
13:32 < ecrist> nevermind
13:32 * ecrist goes away
13:32 < El_Presidente> :(
13:32 < El_Presidente> well my pc is 192.168.178.23
13:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:35 < reiffert> El_Presidente:
13:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:35 < reiffert> server.config. remove #
13:35 < reiffert> push "route 0.0.0.0 0.0.0.0 192.168.178.1"
13:35 < El_Presidente> i did that now
13:36 < reiffert> El_Presidente: please show us the script that sets up your bridge
13:36 < El_Presidente> you mean myroute.cmd ?
13:37 < reiffert> You are using dev tap which is for using a bridged setup. Show us how the bridge gets set up on the server side please.
13:37 < El_Presidente> you want the server config?
13:37 < El_Presidente> http://pastebin.ca/1310252
13:37 < reiffert> Your server config is at http://pastebin.ca/1310252
13:38 < El_Presidente> yes ...
13:38 < reiffert> Why are you using "dev tap"?
13:38 < El_Presidente> well i thought its right
13:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:39 < reiffert> El_Presidente: please step back to http://openvpn.net/index.php/documentation/howto.html and reread the parts that are talking about tun vs. tap
13:39 < vpnHelper> Title: HOWTO (at openvpn.net)
13:39 < El_Presidente> kk
13:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:40 < reiffert> El_Presidente: and if you still think that ethernet bridging is best for you, follow the "Ethernet bridging" link
13:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:40 < reiffert> Also check out http://openvpn.net/index.php/documentation/faq.html#bridge1
13:40 < vpnHelper> Title: FAQ (at openvpn.net)
13:41 < reiffert> That faq brings up the differences between routing and bridging.
13:48 -!- Nucular [n=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
13:55 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit [Nick collision from services.]
13:55 -!- Nucular is now known as El_Presidente
13:55 < El_Presidente> ok back
13:56 < El_Presidente> reiffert, you were right, i forgot to bridge both connections on my pc
13:56 < El_Presidente> now i did
13:57 < El_Presidente> but now i get an error when i try to start the server
13:57 < El_Presidente> Fri Jan 16 20:58:22 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
13:57 < El_Presidente> 65-8ACD-6DAB95ECC17C}
13:58 < reiffert> the bridging takes place on the server side.
13:59 < El_Presidente> yes
14:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:01 < El_Presidente> i bridged my tap0 with my lan connection to my router
14:01 < El_Presidente> thats right reiffert ?
14:02 < reiffert> Was it explained like this in the howto?
14:02 < El_Presidente> yes
14:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:02 < reiffert> sounds like windows, try a reboot.
14:03 < El_Presidente> kk
14:03 < reiffert> and remove the redirect-gateway for a while from the server config.
14:04 < reiffert> You can add that later
14:06 < El_Presidente> ok
14:07 < El_Presidente> its really strange that the tap device doesnt go up
14:07 < El_Presidente> brb
14:07 -!- El_Presidente [n=Martin@p5798F5A5.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
14:10 < kpoman> hey guys
14:10 < kpoman> someone knows about HMAC tls problems authenticating ?
14:11 < kpoman> please, need help, it's been 1 week trying to diagnose
14:11 < kpoman> recompiling tls, etc...
14:12 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has joined ##openvpn
14:12 < El_Presidente> reiffert, same error
14:13 < reiffert> once again pls
14:14 < kpoman> I have the same bug as this guy had: http://openvpn.net/archive/openvpn-users/2005-04/msg00455.html
14:14 < krzee> !hmac
14:14 < vpnHelper> Title: [Openvpn-users] Just another "Authenticate/Decrypt packet error: packet HMAC authentication failed" (at openvpn.net)
14:14 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:14 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:14 < kpoman> please need some help
14:14 < krzee> comment tls-auth to prove it is the real problem or not
14:15 < El_Presidente> reiffert, what once again?
14:15 < reiffert> Paste the error message, maybe someone else already knows about it
14:17 < El_Presidente> ok
14:17 < El_Presidente> it seems openvpn doesnt find the tap device
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 TAP-WIN32 device [tap-bridge] opened: \\.\Global\{D0A9B
14:17 < El_Presidente> A3A-874F-4865-8ACD-6DAB95ECC17C}.tap
14:17 < El_Presidente> Fri Jan 16 21:15:44 2009 NOTE: could not get adapter index for {D0A9BA3A-874F-48
14:17 < El_Presidente> 65-8ACD-6DAB95ECC17C}
14:19 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
14:19 < reiffert> give that a try: Delete the bridge, remove all tap adapters with the help of those shell scripts that came with openvpn (delinterface.bat or similar, have a look in the bin directory), uninstall openvpn and install openvpn once again.
14:19 -!- ashley_ [n=ashley@91-115-176-44.adsl.highway.telekom.at] has quit ["Leaving"]
14:20 < El_Presidente> reiffert, i think its because the tap device is not in my "ipconfig" anymore
14:20 < El_Presidente> it just shows the bridge
14:21 -!- kpoman [n=kpoman@200.181.12.180] has joined ##openvpn
14:21 < kpoman> krzie: thanks ! I commented tls-auth etc... it works well without tls-auth. However it works well on windows with tls-auth, but not on linux
14:22 < kpoman> I mean the client
14:22 < kpoman> i got all the time HMAC auth errors
14:34 < ecrist> hrm, krzee, you done any upgrades from fbsd 6.3 to 7.1?
14:34 < ecrist> I've got one system now, out of 7 upgraded, that coredumps sshd after the upgrade.
14:43 < krzee> nope
14:44 < krzee> i never upgrade across major versions
14:44 < krzee> ever since fbsd4
14:44 < krzee> i still have that stuck in my head
14:44 < krzee> even tho its much easier than it was from 4 to 5
14:44 < ecrist> 4 to 5 was easy, imho. it was 5 to 6 that blew
14:45 < krzee> either way, nope, i just reinstall
14:46 < krzee> same with osx / windows even
14:46 < krzee> major version upgrades are my excuse for a format
14:48 < bigjohnto> ok something really weird, i have a batch script that runs when openvpn connects, this batch script finds the vpn ip and then sets a variable with that ip address.... what is weird is that whether from the cmd prompt or from the batch script, if the vpn is up and running, the setx command hangs..... once i disconnect the vpn session and the lan connection for the vpn shows as "cable disconnected" the setx command works perfectly..
14:49 < El_Presidente> reiffert, i think the problem is gone now
14:49 < reiffert> El_Presidente: how is that?
14:49 < El_Presidente> i told the tap adapter that its always connected
14:50 < El_Presidente> now i get the connection up
14:50 < reiffert> Ah, so back to ...?
14:50 < El_Presidente> but my cousin has to leave now so i will continue tomorrow
14:50 < reiffert> :)
14:50 < El_Presidente> did you find any other errors i should know?
14:51 < reiffert> Not that I know of any..
14:52 < El_Presidente> ok ty
14:53 < reiffert> welcome
15:28 -!- mndo [n=mndo@a81-84-7-145.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)]
15:28 < bigjohnto> ok why does my batch script run before the connection is up?
15:29 < bigjohnto> i have at the end of the config file up script.bat
15:30 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
15:30 < rawDawg> is it possible to use a linksys router as a site to site endpoint with this server?
15:37 < reiffert> Yes it is possible, but you will have to exchange the default linksys firmware by openwrt
15:37 < reiffert> #openwrt
15:39 < ecrist> yes
15:39 < ecrist> DD-WRT
15:40 < ecrist> like reiffert said
15:45 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
15:48 < heirrook> I have been stumbling over a problem for some time now and am looking for advice. I have an openvpn server setup that is on a separate server behind my wan gateway. The wan gateway controls the 192.168.22.0/24 subnet. The machine my vpn server is on has an ip of 192.168.22.138. The vpn server uses 192.168.10.0/24 for its subnet.
15:49 < heirrook> Currently I am sitting at an ip from subnet of 24.158.0.0/255.255.0.0.
15:49 < heirrook> I can connect just fine to my vpn, I can ping machines fine on 192.168.22.0/24. I can browse the internet fine.
15:50 < heirrook> BUT, I am trying to make it so the hosts.allow config file on a machine on the 192.168.22.0/24 only allows machines from 192.168.10.0/24
15:51 < heirrook> The only thing the hosts.allow will accept, is my current location ip (24.158.) even though i am on my vpn.
15:52 < heirrook> It seems routing is fine because I can ping the 192.168.22.0/24 machines
15:58 < heirrook> I know when I at least browse the internet through the vpn and go to "whatismyip.com" I get the ip I should: the one the wan gateway on the 192.168.22.0/24 has. Here is my server config file http://pastebin.com/d40840316
16:09 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has quit ["Leaving"]
16:13 < El_Presidente> reiffert, still here?
16:14 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has joined ##openvpn
16:15 < reiffert> El_Presidente: no
16:15 < El_Presidente> ;)
16:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:19 < El_Presidente> im trying with another pc right now
16:19 < El_Presidente> the bridge seems to work
16:19 < El_Presidente> i am able to ping to the pc
16:19 < El_Presidente> but internet isnt routed over my pc
16:20 < reiffert> !def1
16:20 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:21 < El_Presidente> thats what i have reiffert
16:21 < reiffert> !configs
16:21 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:21 < reiffert> please add ipconfig /all from both, server and client
16:21 < El_Presidente> okay
16:21 < reiffert> as well as route -n print
16:21 < El_Presidente> ok
16:21 < reiffert> (or netstat -nr)
16:23 < El_Presidente> http://pastebin.ca/1310402 server.config
16:24 < reiffert> #
16:24 < reiffert> proto tcp-server
16:24 < El_Presidente> yes ...
16:24 < reiffert> wtf?
16:24 < El_Presidente> shall i use udp?
16:25 < reiffert> either udp or tcp, but not tcp-server
16:25 < El_Presidente> true
16:25 < El_Presidente> i mixed up the line
16:26 < El_Presidente> http://pastebin.ca/1310406
16:26 < El_Presidente> client
16:26 < reiffert> just remove "-server"
16:26 < El_Presidente> yes
16:27 < reiffert> I have no idea how "local" will influence what you are trying to achieve.
16:27 < El_Presidente> i just tested that
16:27 < El_Presidente> if it helps
16:29 < El_Presidente> im getting the routes on my friends pc
16:30 < reiffert> Then be sure to remove local.
16:30 < El_Presidente> i did
16:33 -!- kpoman [n=kpoman@200.181.12.180] has quit ["Lost terminal"]
16:36 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
16:38 < El_Presidente> okay here is the route
16:38 < El_Presidente> http://pastebin.ca/1310415
16:38 < El_Presidente> he cant surf right now
16:39 -!- heirrook [n=heirrook@71-83-35-243.dhcp.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
16:39 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
16:40 < El_Presidente> but it seems he is routed to my pc
16:42 < El_Presidente> reiffert, what else do you need?
16:43 < reiffert> get wireshark, let it run on your PC's and have some pinging
16:44 < reiffert> off to bed, n8
16:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
16:45 < El_Presidente> n8n8
17:09 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
17:10 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
17:13 -!- rodpod [i=rod@hick.org] has joined ##openvpn
17:25 -!- El_Presidente [i=Martin@p5798F5A5.dip.t-dialin.net] has quit ["Verlassend"]
17:38 -!- mndo [n=mndo@81.84.221.128] has joined ##openvpn
17:41 * ecrist ponders +b for El_presidente
18:09 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has joined ##openvpn
18:11 -!- heirrook [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has quit [Read error: 110 (Connection timed out)]
18:12 -!- zmctech_ [i=zmctech@24-158-23-135.static.dlth.mn.charter.com] has left ##openvpn ["Leaving"]
18:32 < rawDawg> reiffert or ecrist: i have dd-wrt vpn installed
18:33 < rawDawg> how do i configure a site to site vpn between openvpn and dd-wrt?
19:10 -!- zheng [n=zheng@58.33.126.221] has joined ##openvpn
19:14 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
19:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Connection timed out]
20:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
20:22 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
21:32 < rawDawg> bbl
21:33 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
22:01 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
22:07 -!- zheng [n=zheng@58.33.126.221] has quit ["Leaving"]
22:11 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
23:13 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
--- Day changed Sat Jan 17 2009
00:09 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
00:11 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
01:00 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
01:33 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
02:03 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
03:34 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has joined ##OpenVPN
04:03 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)]
04:15 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
06:06 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 145 (Connection timed out)]
06:18 -!- gallatin [n=gallatin@dslb-092-073-119-118.pools.arcor-ip.net] has quit ["Client exiting"]
06:35 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has joined ##openvpn
07:12 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
07:12 -!- Netsplit over, joins: troy-
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
07:12 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
07:56 -!- S7 [n=yury@84.108.50.0] has joined ##openvpn
08:20 -!- mndo [n=mndo@81.84.221.128] has quit [Connection timed out]
08:40 -!- S7 [n=yury@84.108.50.0] has quit []
08:47 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:30 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
10:40 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
10:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:00 -!- o[80 [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:11 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
11:24 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has joined ##openvpn
11:28 < rawDawg> i want to set up multiple site to site vpns, one end point being openvpn server, the others will all be dd-wrt routers
11:28 < ecrist> sounds fun
11:28 < rawDawg> possible?
11:33 < ecrist> sure, why not?
12:02 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has joined ##openvpn
12:06 -!- hkais [n=dpalic@p50816DE3.dip.t-dialin.net] has left ##openvpn []
12:08 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
12:18 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
12:37 -!- j_bsdxinu [n=jperez@ool-4579c388.dyn.optonline.net] has left ##openvpn ["Leaving"]
12:43 -!- uncorq [n=corq@214.139.204.68.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:04 -!- robert_ [n=hellspaw@objectx/robert] has quit [Remote closed the connection]
13:07 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit [Read error: 104 (Connection reset by peer)]
13:10 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:13 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
13:19 < pkemx> hello
13:20 < pkemx> I'm trying to install OpenVPN on Fedora but am having trouble understanding all the different terminology
13:20 < pkemx> Currently I'm getting the error:
13:20 < pkemx> Cannot load certificate file /etc/openvpn/keys/mfed.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
13:23 < pkemx> when using `service openvpn start`
13:30 < pkemx> !route
13:30 < vpnHelper> pkemx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:31 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has joined ##openvpn
13:47 -!- nn [n=irc@white.powder.nn2.us] has left ##openvpn []
13:55 -!- pkemx [n=pkemx@62.24.239.184] has quit [Read error: 60 (Operation timed out)]
14:02 -!- pkemx [n=pkemx@62.24.239.184] has joined ##openvpn
14:09 -!- pkemx [n=pkemx@62.24.239.184] has quit []
14:42 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has joined ##openvpn
14:43 < hiptobecubic> Can someone explain to me the theory behind the last routing step on the openvpn static key mini howto? I don't understand what's going on there.
14:43 < hiptobecubic> !route
14:43 < vpnHelper> hiptobecubic: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:09 < hiptobecubic> but does that work with a static vpn? i just tried 'pushing' and i didn't see a change in my routing table on the client
15:50 -!- rawDawg [n=raw@cpe-76-188-26-41.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
16:46 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
17:03 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-
17:03 -!- Netsplit over, joins: troy-, troy-
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has left ##openvpn []
17:04 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
17:07 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has joined ##openvpn
17:10 -!- intralanman [n=lanman@va-71-0-84-19.dyn.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
17:43 -!- Maguila [n=Tu_Padre@189.173.115.160] has joined ##openvpn
17:49 -!- Maguila [n=Tu_Padre@189.173.115.160] has left ##openvpn []
17:50 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
17:59 < reiffert> moin
18:04 < ecrist> hey, reiffert
18:05 < ecrist> freebsd is kicking my ass today
18:05 < ecrist> lost my entire saturday to system upgrade problems
18:05 * ecrist is standing in a data center as he types this.
18:05 < ecrist> :(
18:08 < reiffert> Moin ecrist, how r u?
18:09 < reiffert> FBSD Upgrade problems? How's that?
18:10 < ecrist> have a host that didn't upgrade right, about ready to punt and reinstall the whole thing
18:11 < ecrist> it won't even boot
18:11 < ecrist> and this isn't my first rodeo
18:13 < reiffert> "didnt upgrade right" .. ?
18:15 < ecrist> did a source upgrade for a system, jails won't start, PAM stack is fubar.
18:15 < ecrist> I've done 10 out of 35 upgrades so far. 8 went smooth. the last two, PAM stack won't use LDAP correctly, and one of the two, just flat out won't boot into multi-user.
18:20 < [aaron]> eww! bsd!
18:21 < reiffert> PAM foobar sounds nice
18:22 < reiffert> what about it?
18:22 < ecrist> /mode +b [aaron]
18:23 < [aaron]> :)
18:24 < [aaron]> what version are you running?
18:28 < ecrist> 6.3 on some servers, 7.0 or 7.1 on most
18:28 < ecrist> couple old ones around on 4.11
18:31 < [aaron]> :/
18:31 < [aaron]> best of luck with the upgrades mang.
18:34 < [aaron]> not a bsd person, but i know that i hate upgrades of any sort.
18:36 < reiffert> I like Debian for Upgrade just working!
18:40 < [aaron]> heh, I AM a deb guy :)
18:40 < [aaron]> and it works perdy well
19:06 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has joined ##openvpn
19:13 -!- simplechat_ [n=simplech@unaffiliated/simplechat] has quit ["Leaving"]
19:13 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
19:41 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:47 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
20:13 -!- Alien_Freak [n=user@38.106.150.41] has joined ##openvpn
21:19 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has joined ##openvpn
21:21 -!- Alien_Freak [n=user@38.106.150.41] has left ##openvpn []
22:20 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit ["leaving"]
22:20 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
22:20 -!- tarbo2 is now known as Guest64229
22:21 -!- Guest64229 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has quit [Client Quit]
22:22 -!- tarbo2 [n=me@pool-96-235-18-120.pitbpa.fios.verizon.net] has joined ##openvpn
23:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Sun Jan 18 2009
00:11 -!- [aaron] [i=Aaron@74-130-89-132.dhcp.insightbb.com] has quit ["Leaving"]
00:31 -!- tjz [n=tjz@bb121-6-91-11.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has joined ##openvpn
00:49 < kreg_lt> trying to get a hang of push "dhcp-option DNS x.x.x.x"
00:49 < kreg_lt> when my windows clients connect (tap) they connect fine with all the routes
00:49 < kreg_lt> they even get the dns ip assigned
00:50 < kreg_lt> but their initial dns query uses the primary dns they already had.
00:51 < kreg_lt> names don't resolve with the internal intranet
01:20 -!- kreg_lt [n=kreg@69-92-68-145.cpe.cableone.net] has quit ["Leaving"]
01:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:52 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
02:28 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
02:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
04:08 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has joined ##openvpn
04:13 < krzee> !factoids search win
04:13 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
04:16 < krzee> !/30
04:16 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:16 < krzee> !topology
04:16 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:30 -!- tjz [n=tjz@bb220-255-204-36.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
06:09 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
06:29 < reiffert> ![!]
06:29 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![[!]]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![][][][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![!][!][!][!]
06:30 < vpnHelper> reiffert: Error: "!" is not a valid command.
06:30 < reiffert> ![?][!][!][!]
06:30 < vpnHelper> reiffert: Error: "?" is not a valid command.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
06:31 < reiffert> ![[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
06:31 < vpnHelper> reiffert: Error: You've attempted more nesting than is currently allowed on this bot.
06:31 < reiffert> !"[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]"
06:31 < vpnHelper> reiffert: Error: "[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[!]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]" is not a valid command.
07:25 < tjz> ....
07:27 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:13 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
08:15 < ecrist> reiffert: wtf?
08:18 < tjz> lol
08:19 < tjz> he screw up the bot
08:19 < tjz> actually..
08:19 < tjz> sexually abuse the bot
08:19 < tjz> :P
08:19 < tjz> lol
08:53 -!- o[80 [n=oc80z@quad.efnet.pe] has quit []
08:56 -!- hiptobecubic^ [n=john@nateres205.tel.miami.edu] has joined ##openvpn
08:57 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 104 (Connection reset by peer)]
09:17 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
11:21 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
12:18 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:58 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
13:29 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn
13:29 < Dougy> hey kids
13:29 < Dougy> !form
13:29 < vpnHelper> Dougy: Error: "form" is not a valid command.
13:29 < Dougy> !forum
13:29 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
13:32 < krzee> lol reiffert
13:47 < Dougy> hey hey
13:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
13:56 < reiffert> ![[[
13:56 < vpnHelper> reiffert: Error: Missing "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
14:01 < Dougy> sup reiffert
14:01 < reiffert> ![!]
14:01 < vpnHelper> reiffert: Error: "!" is not a valid command.
14:01 < reiffert> ![form]
14:01 < vpnHelper> reiffert: Error: "form" is not a valid command.
14:01 < reiffert> ![forum]
14:01 < vpnHelper> reiffert: Error: ""forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com" is not a valid command.
14:02 < reiffert> "is not a valid command"?
14:07 < krzee> hehe
14:07 < krzee> well
14:07 < krzee> the output of !forum is what went in to the new command
14:07 < krzee> example:
14:07 < krzee> !learn test1 as this is a test
14:07 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !learn test2 as [test1] for reiffert
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !test2
14:08 < vpnHelper> krzee: "test2" is "test1" is this is a test for reiffert
14:08 < krzee> !forget test1
14:08 < vpnHelper> krzee: Joo got it.
14:08 < krzee> !forget test2
14:08 < vpnHelper> krzee: Joo got it.
14:20 < Dougy> hmm
14:20 < Dougy> freebsd is pissin me off today
14:39 < reiffert> ![freebsd]
14:39 < vpnHelper> reiffert: Error: ""freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server" is not a valid command.
15:09 -!- hiptobecubic^ is now known as hiptobecubic
16:00 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
16:03 < lonel> hi, is it possible to have openvpn configured without certificate authentication?
16:03 < lonel> like user/pass?
16:05 * plaerzen 's office is a sauna
16:21 < Bushmills> strange place to pick for an office. imagine one wants to hop to the kitchen for a tea - will you have to dress first?
16:21 < lonel> hey
16:22 < lonel> you guys aware of any metods to avoid cert authentication in the client?
16:22 < lonel> *methods
16:22 < Bushmills> hm.. not connecting to the server is one.
16:31 < Dougy> lol
16:55 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit []
17:16 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
17:17 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
17:24 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has joined ##openvpn
17:25 < andrew867> hi all, I'm having a bit of trouble configuring openvpn. I want to create a bidirectional VPN, right now I have it set up and it is working like this:
17:26 < andrew867> my machine/network (server 192.168.0.0/24) ---- NAT --- INTERNET ---- NAT ---- other machine/network (client, 10.0.0.0/24)
17:26 < andrew867> he can ping and access anything on my network but how would we be able to set it up so I can access his network too
17:26 < andrew867> just then I thought maybe the client-client setup might work
17:27 -!- thewolf is now known as Groktopus
17:30 -!- Groktopus is now known as thewofle
17:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:31 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
17:35 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
17:35 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
17:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
17:50 -!- andrew867 [n=Andrew@stjhnf0122w-142163129037.pppoe-dynamic.nl.aliant.net] has quit ["Leaving"]
18:06 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
18:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
18:32 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
18:45 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
18:47 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:50 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
18:51 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit []
19:02 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
19:05 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
19:22 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
21:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
22:39 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has joined ##openvpn
22:41 < cylix> so does anyone know. Is it reasonable to assume a dedicated openvpn server could serve 100 clients at an average of 30Mbits/sec per client.
22:41 < cylix> oh wow that was so wrong.
22:41 < cylix> I mean 3Kbits/sec
22:41 < cylix> Aak, 30Kbits/sec
23:09 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn
23:12 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:40 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
23:54 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
--- Day changed Mon Jan 19 2009
00:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
00:12 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
00:25 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
00:26 -!- cyberjames [n=james@unaffiliated/cyberjames] has joined ##openvpn
00:42 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
00:43 < cyberjames> Hi everyone. I have this kind of network setup {http://rootshell.be/~james/network/networksetup.jpg}. Is it possible to make openVPN run on a different network segment like 192.168.2.0/24 under one ethernet interface card only, and have all connected clients be able to reach 192.168.1.0/24?
00:44 < cyberjames> !route
00:44 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:44 < cyberjames> !configs
00:44 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:57 -!- cylix [n=frederic@occm-15.static.grp1-rng1.tnmmrl.infoave.net] has quit ["good night"]
01:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
01:32 -!- Phase [n=Phase@unaffiliated/phase] has quit [Read error: 104 (Connection reset by peer)]
01:33 -!- Phase [n=Phase@unaffiliated/phase] has joined ##openvpn
01:33 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
01:34 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
01:38 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
02:17 < lonel> hi
02:17 < lonel> is it possible to set up openvpn without certificates on the client side?
02:19 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
02:20 < hiptobecubic> lonel, static key?
02:20 < hiptobecubic> but then you can only have one client i think
02:20 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
02:22 < lonel> hiptobecubic: so multiple clients are not possible with ovpn
02:22 < lonel> using simple user/pass?
02:23 < hiptobecubic> lonel, no. but it's pretty easy to set up.
02:23 < hiptobecubic> !static-key
02:23 < vpnHelper> hiptobecubic: Error: "static-key" is not a valid command.
02:23 < hiptobecubic> !static
02:23 < vpnHelper> hiptobecubic: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
02:23 < hiptobecubic> hmmm
02:23 < hiptobecubic> !howto
02:23 < vpnHelper> hiptobecubic: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:24 < hiptobecubic> lonel, http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
02:24 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
02:51 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:00 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:07 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:07 < c64zottel> hello
03:07 < c64zottel> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
03:07 < c64zottel> inet addr:10.23.0.1 P-t-P:10.23.0.2 Mask:255.255.255.255
03:07 < c64zottel> what is the meaning of P-t-P:10.23.0.1 ?
03:07 < c64zottel> aehm: 10.23.0.2
03:07 < c64zottel> i know, 0.1 is my server
03:07 < c64zottel> when i connect, via ovpn, i get a random ip-address from a pool, so what does P-t-P:10.23.0.2 stand for?
03:16 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:36 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
03:52 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
03:55 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:01 < c64zottel> dumdidum
04:11 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:15 -!- dazo [n=dazo@nat/redhat/x-b537f1a7f630183a] has joined ##openvpn
04:15 -!- Tykling [i=tykling@gibfest.dk] has quit [Remote closed the connection]
04:27 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
04:30 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
04:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has joined ##openvpn
05:07 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has joined ##openvpn
05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:09 < svoop> is it possible to use openvpn to connect to a sonicwall vpn (ipsec/ike)? i'd go for opens/wan, but the hosting provider doesn't allow anything but userspace tools.
05:10 < dazo> svoop: nope ... openvpn can only talk to openvpn :(
05:10 < svoop> dazo: hmmm, too bad
05:11 < dazo> svoop: I know ... but it's using its own protocol ... but that's why it's easier to implement and use compared to ipsec/openswan/etc
05:12 < svoop> dazo: ic. well, the only alternative i see is vpnc, maybe i have more luck there :-)
05:13 < dazo> svoop: hmmm ... I think you will hit the same with vpnc, just that it's using Cisco's proprietary protocol .... but here I might be wrong, as I don't know much about vpnc
05:15 < svoop> dazo: gosh, i start to hate these virtuozzo servers. it's so limiting if you can't even use kernel modules on guest servers - and many providers are reluctant to help. on my gentoo box, i'd have the vpn up and running with opens/wan in minutes :-(
05:17 < dazo> svoop: Well, the biggest difference between ipsec/openswan ... is that it requires kernel modules, as that implementation needs to do things in kernel space to work .... while openvpn uses user space only, which is (IMHO) why openvpn is safer and simpler ... and when you chroot and make openvpn run as an unprivileged user, you'll have a very different security layer, compared to those products depending on running code in kernel space
05:19 < svoop> dazo: it seems like quite a difference, though, that opens/wan does talk to hardware vpn endpoints while openvpn doesn't
05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:22 < dazo> svoop: I don't know all the gory details about ipsec ... except that it really needs to have parts in kernel space .... which freaks me out, as if a bug appears or a security breach ... you'll be in a pretty bad shape ... that's why I do like that openvpn can rely on user space (even though it does need the tun/tap module to create the virtual interface)
05:22 * dazo needs to go for lunch .... back in an hour
05:39 -!- Tykling [i=tykling@gibfest.dk] has joined ##openvpn
05:40 -!- Tykling [i=tykling@gibfest.dk] has left ##openvpn []
05:53 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:59 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
06:05 * dazo is back
06:08 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:13 -!- c64zotte1 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 113 (No route to host)]
07:10 < ecrist> morning, bitches
07:10 < c64zotte2> ecrist: nice to hear that from e-crist
07:11 < ecrist> don't know what that means.
07:12 < c64zotte2> ah, i always think of christ when i read your name
07:14 < reiffert> moin ecrist little suck0r!
07:17 -!- svoop [n=svoop@80.121.221.87.dynamic.jazztel.es] has left ##openvpn []
07:28 < ecrist> I'm a nice guy, c64zotte2, but I'm not *that* nice
07:31 < c64zotte2> damn, i thought i could ask you a favor... like lottery numbers for next week
07:32 < ecrist> sure 3, 6, 422
07:32 < ecrist> good luck
07:34 < c64zotte2> ok, now i believe it, cause lottery has 6 numbers plus a special one
07:55 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn
07:55 -!- kaii [n=kai@ciphron.de] has quit [Read error: 104 (Connection reset by peer)]
08:07 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:47 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
08:48 < robert_> can I override my settings in my server's openvpn.conf by specifying a client configuration file?
08:49 < ecrist> um, maybe
08:49 < ecrist> what are you trying to override?
08:49 < robert_> the address it assigns you
08:49 < ecrist> no
08:49 < ecrist> you can't do that
08:50 < robert_> yeah, it's assigning me a 10.2 address when it should be assigning me a 10.4 address
08:50 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn
08:50 < ecrist> well, fix it on the server
08:51 < doke> hello people
08:51 < ecrist> hello other people
08:51 < robert_> that was why I asked "can you override the address openvpn assigns you when you connect by specifying said override inside the client-specific config?"
08:51 < doke> Any howto on authenticating openvpn client via username / password? I can't use ca authentication any more because some of my clients can not adjust their time via ntp... therefore ca doesn't work
08:52 < robert_> okay
08:52 < ecrist> robert_: ah, you mean from on the server - yes, you can do whatever you want. though, it needs to be routable
08:52 < robert_> yeah
08:52 < robert_> can I assign you different dhcp subnets by specifying said proper configuration parameters?
08:53 < robert_> e.g. two people connect to my server
08:53 < robert_> one gets a 10.3 address, and the other, a 10.4 address
08:53 < ecrist> doke, you are *required* to use ssl certs with OpenVPN if you have more than a server and one client
08:53 < ecrist> robert_: sure
08:53 < ecrist> it's covered in the howto
08:53 < ecrist> !hotwo
08:53 < vpnHelper> ecrist: Error: "hotwo" is not a valid command.
08:53 < ecrist> !howto
08:53 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:53 < doke> thanks a lot ecrist
08:53 < robert_> I'm trying, but it's not working
08:53 < robert_> oh
08:54 < robert_> can I "ifconfig-push 10.8.1.1 10.8.1.0" ?
08:55 < ecrist> um, no
08:56 < robert_> how do I make the server assign two people different dhcp subnets?
08:56 < dazo> doke: you might want to have a look at http://www.eurephia.net/ as well
08:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
08:56 < ecrist> robert_: look at the howto
08:56 < ecrist> what you're asking is covered there.
08:58 < ecrist> dazo: nice link
08:58 < dazo> ecrist: my little side project ... a work in progress :)
08:59 < robert_> ecrist, "Configuring client-specific rules and access policies" only covers static addresses, and "Pushing DHCP options to clients" doesn't cover dhcp ip assignment from openvpn itself
08:59 < ecrist> dazo: LDAP support?
09:00 < ecrist> what you're asking, if I understand correctly, cannot be done
09:00 < robert_> for him, or for me?
09:00 < ecrist> you'd have to run multiple OpenVPN servers, varying the port
09:00 < dazo> ecrist: hmmm ... not at the moment ... but I see why not, I have had that thought as well ... but I'm not big friends with LDAP yet
09:00 < ecrist> you, robert_
09:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:01 < ecrist> dazo: I'm a friend of LDAP, if you need some input
09:01 < robert_> so it's static or nothing
09:01 < ecrist> robert_: in your case, probably, unless you went bridged and did something with a DHCP server on the host system
09:02 < ecrist> dazo: added a link to http://www.secure-computing.net/wiki/index.php/OpenVPN
09:02 < vpnHelper> Title: OpenVPN - Secure Computing Wiki (at www.secure-computing.net)
09:02 < dazo> ecrist: I'm not sure how big a difference it will be to "twist" the SQL queries over to LDAP queries ... that's probably the biggest challenge
09:02 < ecrist> dazo: LDAP != SQL, they are very different beasts
09:03 < dazo> ecrist: thanks for the link! .... but eurephia is spelled with "small e" ;-)
09:03 < robert_> heh
09:03 < robert_> euphoria's a strange language :P
09:03 < ecrist> dazo, fixed
09:04 < dazo> ecrist: I know ... that's why it needs quite some tuning here ... but as the db-driver in eurephia does not take queries but rather "commands" of what to check, it should be possible to write a separate LDAP driver
09:04 < dazo> ecrist: thanks! :)
09:06 < ecrist> why'd you have to patch OpenVPN?
09:07 < dazo> ecrist: because I map user accounts (username / passwords) against a specific SSL certificate .... and to do that in a safe manner, I use the SHA1 fingerprint in the certificate ... and that's not provided by default
09:07 < ecrist> why can't you use the CN?
09:08 < dazo> ecrist: actually, it uses CN, O, emailAddr and fingerprint ....
09:08 < ecrist> !static
09:08 < vpnHelper> ecrist: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
09:08 < ecrist> !static-key
09:08 < vpnHelper> ecrist: Error: "static-key" is not a valid command.
09:09 < ecrist> !lears static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: "lears" is not a valid command.
09:09 < ecrist> !learn static-key as http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html
09:09 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:09 < ecrist> GRR
09:09 < ecrist> krzee: fix my access to the bot, please
09:09 < reiffert> ![greee]
09:09 < vpnHelper> reiffert: Error: "greee" is not a valid command.
09:09 < reiffert> ![static]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:09 < reiffert> !["static"]
09:09 < vpnHelper> reiffert: Error: ""static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client" is not a valid command.
09:10 < reiffert> ![!static]
09:10 < vpnHelper> reiffert: Error: "!static" is not a valid command.
09:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
09:19 < plaerzen> morning irc
09:19 < ecrist> heya, plaerzen
09:19 < plaerzen> how was the weekend?
09:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:20 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
09:20 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
09:24 < ecrist> dazo: looking briefly at the code in 2.0.6, it appears as though the key fingerprint, and other data, is available for client certificates upon connection.
09:25 < dazo> ecrist: In 2.0.6? .... yeah, it is there ... but not passed over to the plugin .... so my patch takes the fingerprint and passes it over to the plugin via environment variable
09:26 < dazo> ecrist: I've seen there have been some changes lately to the environment variables in rc15 ... but I have not dug too deep here yet ... if it has come in, this patch will not be needed
09:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:27 < dazo> ecrist: anyway, I've done this now strictly for 2.1 .... as the names of some env. variables have changed since 2.0
09:28 * dazo hopes there are no old references to 2.0 left
09:36 -!- Phase [n=Phase@unaffiliated/phase] has quit []
09:38 < krzie> !man
09:38 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:38 < krzie> ecrist lazier link to the manuals ;]
09:38 < krzie> and good morning
09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:45 < reiffert> reiffert: !man
09:48 < plaerzen> g'morning krzie
09:49 < reiffert> vpnHelper: !man
09:49 < vpnHelper> reiffert: Error: "!man" is not a valid command.
09:49 < reiffert> That bot's driving me crazy!
09:49 < reiffert> !learn bot as vpnHelper sucks0rs!
09:49 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:49 < reiffert> !factoids.learn foo as bar
09:49 < vpnHelper> reiffert: Error: "factoids.learn" is not a valid command.
09:50 < krzie> vpnHelper man
09:50 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:50 < krzie> don't need ! when you address him by name
09:50 < reiffert> vpnHelper: [man]
09:50 < vpnHelper> reiffert: Error: ""man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!" is not a valid command.
09:50 < reiffert> :p
09:51 < krzie> !learn reiffert as wo[man]
09:51 < vpnHelper> krzie: Joo got it.
09:51 < krzie> !rei
09:51 < vpnHelper> krzie: Error: "rei" is not a valid command.
09:51 < krzie> !reiffert
09:51 < vpnHelper> krzie: "reiffert" is wo "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:51 < krzie> lol
09:52 < krzie> !forget reiffert
09:52 < vpnHelper> krzie: Joo got it.
09:53 < reiffert> Alright, so how's that grep command using []'s again?
09:53 < reiffert> !configs
09:53 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:54 < krzie> it's not
09:54 < krzie> i got around that
09:54 < reiffert> grep -vE '^[#;]'
09:54 < reiffert> jay, how's that?
09:54 < krzie> right
09:54 < krzie> by making the regex not use []
09:55 < krzie> it can, to simplify it, but doesn't need to
09:55 -!- W0rmFood [n=wormfood@219.134.136.50] has joined ##openvpn
09:56 < reiffert> Ah well, but using []'s would make so much fun if the bot would allow so.
09:56 < W0rmFood> is it openvpn, or x-wrt that is making it a god damn pain in my ass to forward ports?
09:56 < krzie> openvpn can't have anything to do with that
09:56 < reiffert> W0rmFood: this is #openwrt, so please go to #x-wrt or #dd-wrt
09:56 < W0rmFood> I don't run dd-wrt
09:56 < reiffert> Well then it's your fault.
09:57 < krzie> this is #openwrt?
09:57 < dazo> reiffert: is this #openwrt .... I need to rejoin #openvpn
09:57 < reiffert> krzie: it's not?
09:57 < W0rmFood> god damn. wrong channel
09:57 < W0rmFood> I do use openvpn
09:57 < W0rmFood> but I don't have problems with it ;)
09:57 < reiffert> and your openvpn question is?
09:57 < krzie> he was asking if it was openvpn's fault
09:58 < krzie> right answer is no
09:58 < W0rmFood> no
09:58 < W0rmFood> I said wrong channel
09:58 < reiffert> Yeah, this is #openwrt!
09:58 < reiffert> Like I said, wrong channel.
09:58 < krzie> if this is #openwrt i need to reconfigure my bot
09:58 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: jpalmer
09:58 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
09:58 * dazo is getting confused
09:59 < reiffert> The plan starts working...
09:59 < plaerzen> SA's aren't too bright.
09:59 * dazo wonders who that one was aimed at ......
09:59 < reiffert> bright SAturdays?
09:59 * plaerzen nods.
10:00 < reiffert> Well, it's Wednesday!
10:00 < krzie> lol
10:00 < krzie> if it's wednesday i need to reconfigure my calendar
10:00 < plaerzen> I thought it was hanukah
10:00 * krzie reconfigures his life
10:00 < reiffert> A Hanumag?
10:01 < plaerzen> Is the hanumag responsible for my routing of bad packets?
10:01 < reiffert> plaerzen: doh!!! It's already march, hanukah is over!
10:02 < reiffert> http://en.wikipedia.org/wiki/Hanomag
10:02 < vpnHelper> Title: Hanomag - Wikipedia, the free encyclopedia (at en.wikipedia.org)
10:02 * dazo wonders if his clock is correct
10:03 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:03 < reiffert> W0rmFood: it's all pegasos-rider's fault!
10:04 < plaerzen> lol. Silliness, back to troubleshooting groupware.
10:04 < reiffert> egroupware?
10:04 < plaerzen> communigate
10:04 < W0rmFood> no, it is my fault
10:04 < W0rmFood> I'm a fuckup
10:05 < reiffert> plaerzen: use their support?
10:06 < plaerzen> reiffert, I could. But it's a simple problem. Someone just isn't receiving mail from a whitelisted (mailwatch) sender. Probably just accidentally deleted it or something
10:06 < reiffert> Ignore him.
10:06 < reiffert> Problem solved.
10:07 < ecrist> building PR now for ssl-admin updates
10:07 < plaerzen> just uninstall outlook. Problem solved.
10:07 < reiffert> And implement and reinvent the shared file folders of egroupware and/or horde for me.
10:08 < reiffert> Ah, a brand new porsche museum in Stuttgart!
10:09 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Excess Flood]
10:10 -!- pegasos-rider [n=pegasos-@79.143.9.142] has joined ##openvpn
10:11 < lonel> hi i asked this before
10:12 < reiffert> And our previous answer was?
10:12 < lonel> like ovpn can accept client logins using user/pass instead of certificates
10:12 < lonel> reiffert: :)
10:12 < lonel> answer was kind of no
10:12 < lonel> reiffert: is that possible?
10:12 < reiffert> lonel: Your question does not parse, please explain.
10:13 < ecrist> lonel: you were in here as someone else, right?
10:13 < ecrist> doke: take a look at http://openvpn.net/index.php/documentation/manuals/openvpn-21.html, search for client-cert-not-required on that page
10:13 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
10:13 < lonel> reiffert: normally what we do is, issue the client cert to clients to login, instead of that use user/pass
10:13 < lonel> ecrist: aah ok, let me look at that
10:13 < lonel> ecrist: no i didn't
10:13 < lonel> same nick only
10:14 < pegasos-rider> Could somebody prompt if message digest algorithm change has effect before TLS handshake is done?
10:14 < reiffert> ecrist: interesting mind you have ... parsing stopped for me after the 2nd word.
10:14 < dazo> lonel: you want to only have username/password auth without SSL certs?
10:15 < lonel> exactly
10:16 < dazo> lonel: you can use static key ... and probably the auth-pam module .... that should give you that feature ...
10:16 < lonel> dazo: cool, so can i use ldap as well
10:16 < lonel> ?
10:17 < dazo> lonel: if you find an ldap auth-plugin for openvpn, yes
10:17 < ecrist> there's one in freebsd ports
10:17 < lonel> oh cool
10:17 < lonel> this world is nice
10:17 < lonel> :)
10:17 < ecrist> there's an auth-pam module you can use, part of the openvpn distribution in sample-scripts directory - if your ldap is authenticated through PAM
10:17 < reiffert> Gimme those drugs!
10:18 < dazo> lonel: but on the other side ..... I would recommend you to reconsider not using SSL key/certs ...
10:18 < lonel> dazo: i've used it myself for years, and i never bothered to look for any other authentications
10:18 < lonel> but this client wants that :)
10:19 < dazo> lonel: well, it's more prone to getting hacked if the static key file gets "stolen"
10:19 < lonel> yeah :(
10:21 < dazo> lonel: and if noticed ... it'll be quite a job to distribute new static keys .... Well, if your client only has 2 users it's not so risky, as it's easy to have the overview .... but if he's got 30-40 users or more, it'll be a nightmare
10:22 < reiffert> dazo: Take a look at openvpn web gui, I can click and get a working config, all required keys together in a zip file and there you go
10:23 * dazo does not use Windoze ..........
10:23 < reiffert> That zip and config part has got to be implemented yourself, but it's worth it.
10:23 < reiffert> dazo: tar or whatever you like
10:24 < dazo> reiffert: I don't follow you at all .... are you talking about redistributing keys?
10:25 < reiffert> dazo: yep
10:25 < dazo> reiffert: if you are .... anyway, it'll just be more hassle than to just revoke one SSL certificate and create a new one
10:25 -!- W0rmFood is now known as WormFood
10:25 < reiffert> when you click "revoke" the cert is added to the crl (cert revoke list) automatically
10:26 < reiffert> dazo: when you click "new cert" you enter some details like common name, after that you can click "zip" and get a working config file together with all the required keys that a client will need
10:26 < dazo> reiffert: the VPN connection will be useless for all other users in the time before a new static.key gets distributed to all users
10:26 < ecrist> reiffert: that's the kind of stuff ssl-admin does.
10:26 < reiffert> ecrist: have a look at openvpn web gui
10:27 < reiffert> dazo: pardon, one static key for 40 users?
10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:27 < reiffert> ecrist: it would be nice to combine ssl admin with openvpnwebgui
10:27 < dazo> reiffert: that was what lonel was asking about (but he didn't mention # of users)
10:28 < reiffert> Alright!
10:29 < dazo> reiffert: I'm paranoid enough .... I'm using openvpn over udp with static key, SSL certs and user/pwd authentication
10:36 -!- W0rmF00d [n=wormfood@219.133.100.202] has joined ##openvpn
10:41 < krzie> reiffert, agreed
10:41 < krzie> a nice lil lan-only web based gui with all ssl-admin features would be pretty cool
10:42 < dazo> krzee: ssl-admin is perl, isn't it? .... embedded web server in Perl maybe?
10:44 < reiffert> php
10:44 < reiffert> at least what openvpn web gui needs
10:51 -!- WormFood [n=wormfood@219.134.136.50] has quit [Read error: 110 (Connection timed out)]
10:55 -!- W0rmF00d [n=wormfood@219.133.100.202] has quit [Read error: 113 (No route to host)]
11:00 -!- tjz [n=tjz@bb116-14-182-127.singnet.com.sg] has quit [Connection timed out]
11:05 < reiffert> Anyone living in the .us who can give me a fast proxy for http://www.fox.com/fod/play.php?sh=twentyfour
11:05 < vpnHelper> Title: FOX on Demand (at www.fox.com)
11:05 < reiffert> ?
11:07 < ecrist> sorry, not I
11:09 < cyberjames> strange, the client is not properly assigned subnet mask and default gateway under windows xp...
11:09 < cyberjames> !route
11:09 < vpnHelper> cyberjames: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
11:21 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn
11:21 < assasukasse> hello everyone, i am having some issues in starting openvpn
11:21 < assasukasse> i get this error: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
11:23 < krzie> dazo, yup it's perl
11:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:26 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
11:26 < bigjohnto> anyone know how to stop a batch script from popping up the cmd window when starting openvpn connection? myconn_up.bat
11:26 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
11:27 -!- dazo is now known as dazo_gone
11:38 < SgtPepperKSU> Is there any word on whether there will be a 2.1rc16? Or is 2.1 final expected next?
11:38 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:38 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
11:39 < ecrist> I don't know, sorry.
11:39 < ecrist> assasukasse: looks like your SSL certificate doesn't exist.
11:39 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
11:46 < reiffert> SgtPepperKSU: check the mailinglist archives for that ...
11:47 < reiffert> SgtPepperKSU: (there will be another rc)
11:50 -!- c64zotte2 [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit]
11:51 < assasukasse> ecrist: i fixed it, i dunno why it was not generated the first time.. strange
11:54 < bigjohnto> anyone on that cmd window issue?
11:55 < ecrist> bigjohnto: google that.
11:56 < ecrist> it's not really an openvpn question, more a windows scripting question
11:57 < cyberjames> !config
11:57 < vpnHelper> cyberjames: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
11:57 < cyberjames> !config server.conf
11:57 < vpnHelper> cyberjames: Error: 'supybot.server.conf' is not a valid configuration variable.
11:57 < cyberjames> !config server
11:57 < vpnHelper> cyberjames: Error: 'supybot.server' is not a valid configuration variable.
11:58 < ecrist> !configs
11:58 < cyberjames> !configs
11:58 < vpnHelper> cyberjames: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:58 < bigjohnto> ecrist alright, thanks anywho
12:06 < reiffert> !config time
12:06 < vpnHelper> reiffert: Error: 'supybot.time' is not a valid configuration variable.
12:06 < reiffert> !config autoreconnect
12:06 < vpnHelper> reiffert: Error: 'supybot.autoreconnect' is not a valid configuration variable.
12:06 < reiffert> !config auto*
12:06 < vpnHelper> reiffert: Error: 'supybot.auto*' is not a valid configuration variable.
12:07 < reiffert> vpnHelper: help supybot
12:07 < vpnHelper> reiffert: Error: There is no command "supybot".
12:09 < lonel> whu user/pass type auth using open vpn is vulnerable? ssh is also user/pass?
12:09 < lonel> *why
12:10 < reiffert> lonel: says who?
12:12 < lonel> reiffert:
12:12 < lonel> < dazo> lonel: and if noticed ... it'll be quite a job to distribute new
12:12 < lonel> static keys .... Well, if your client only has 2 users it's
12:12 < lonel> not so risky, as it's easy to have the overview .... but if he's got
12:12 < lonel> 30-40 users or more, it'll be a nightmare
12:12 < lonel> sorry for that
12:14 < reiffert> dazo_gone: ?
12:15 < lonel> hehe
12:16 < lonel> actually what hemeant?
12:16 < lonel> *he meant
12:16 < lonel> in open vpn are we not going to use a user/pass manually.. rather it is stored in a key file
12:16 < lonel> ?
12:16 < reiffert> no
12:16 < lonel> i am talking about --client-cert-not-required
12:17 < lonel> reiffert: ?
12:17 < reiffert> I have no idea bout that, sorry
12:21 < bigjohnto> alright, i specify --route-up "C:\program files\mydir\script.bat"
12:21 < bigjohnto> but it only tries to execute c:\program, and leaves the rest how come?
12:23 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has left ##openvpn ["I ♥ Debian"]
12:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 110 (Connection timed out)]
12:45 < ecrist> lonel: what's your question about that option?
12:45 < ecrist> bigjohnto: you need to escape the space in program files
12:46 < ecrist> so, do C:\\program\ files\\mydir\\script.bat"
12:46 < ecrist> or, "C:\PROGRAM~1\mydir\script.bat"
12:46 < ecrist> again, non-openvpn stuff
12:47 < lonel> ecrist: why is it insecure if i am using login/pass? its pretty same with that of ssh if it uses keybd auth?
12:49 < ecrist> it's less secure than user/pass+certs
12:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:02 < lonel> which one
13:10 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
13:13 < ecrist> lonel: just user/pass authentication is less secure than user/pass with certs
13:30 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has joined ##openvpn
13:40 -!- doke [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 110 (Connection timed out)]
14:10 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)]
14:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:11 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
14:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:16 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:17 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn
14:19 < suprsonic> push "route " should push a route to the client correct?
14:22 -!- xattack [i=xattack@132.248.108.239] has quit []
14:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:49 -!- kaii_ [n=kai@ciphron.de] has left ##openvpn []
14:49 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
14:52 < kaii> what could be the reason for a random failure in key re-negotiation (Symptom: key negotiation failed to occur within 60 seconds)?
14:52 < kaii> it fails 1/3 or 1/2 of the time .. (default: 3600 sec re-neg time)
14:52 < kaii> the tunnel works fine for an hour or two, then key re-neg fails and a SOFT RESET occurs
14:53 < kaii> OpenVPN 2.0.9 i386-unknown-openbsd4.3
14:53 < kaii> ^^
14:56 < ecrist> krzie/others: I've submitted a PR for freebsd/ssl-admin
14:56 < ecrist> update to current version in SVN
15:26 -!- test [n=test@h697179-171.picriverisp.net] has joined ##openvpn
15:26 < test> anyone know if you can push a metric value with openvpn to a windows machine?
15:27 < reiffert> You can't. What you can do is have a client connect batch file do whatever it takes on the client side.
15:27 < test> k
15:28 < suprsonic> what about pushing a route?
15:28 < test> when mobile machine connects to internal network the metric forces the traffic through vpn.. it's still quick but a lot of encryption and forwarding for nothing
15:28 < reiffert> suprsonic: what about it?
15:28 < suprsonic> link is up, but server didn't put a route to the client
15:28 < suprsonic> push
15:28 < test> openvpn rocks
15:29 < test> but what stops someone from stealing the certs off the computer and throwing it on another?
15:29 < reiffert> suprsonic: are your sentences related to test?
15:29 < suprsonic> nah, new one
15:29 < reiffert> test: the cert password.
15:29 < suprsonic> push "route " should push a route to the client correct?
15:29 < reiffert> test:
15:29 < reiffert> !howto
15:29 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:29 < test> i tried that but how do you auto vpn with openvpn service?
15:30 < reiffert> suprsonic: amazingly yeah!
15:30 < suprsonic> netstat -r on the client system doesn't yield a new route.
15:30 < reiffert> test: what is it you want, security or encryption or both?
15:30 < test> for domain machines I like to have openvpn running when the system boots..
15:30 < suprsonic> its a tunnel
15:31 < reiffert> suprsonic: have fun:
15:31 < reiffert> !configs
15:31 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:31 < reiffert> !logs
15:31 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
15:31 < reiffert> I'm off for TV
15:32 < test> encryption is security for me.. just need to be aware that stolen certs might occur
15:35 < test> the traffic is layer 2 and has mac addresses in the frames?
15:35 < test> even though you can spoof a mac can you build an acl based on mac addresses?
15:40 < suprsonic> oddly enough the documentation is correct, but my scenario is still wrong.
15:43 < test> what are you trying to do
15:44 < test> are you bridging?
15:44 < suprsonic> just a simple tunnel between server and client
15:45 < suprsonic> client connection isn't applying the push route from the server.
15:48 < test> check the log to make sure the connection was successful
15:49 < suprsonic> oh its successful, I can ping the other side
15:49 < suprsonic> can ssh too
15:49 < test> and if you add the route manually it works?
15:49 < suprsonic> yes
15:49 < test> check your versions
15:49 < test> the windows version is the same as the linux version?
15:49 < suprsonic> all freebsd
15:49 < test> oh
15:49 < suprsonic> freebsd to freebsd
15:50 < test> the route command maybe differs then
15:50 < suprsonic> ah
15:50 < test> google "openvpn push freebsd problem"
15:50 < test> or something
15:51 < test> might be a problem because of that if-up scripting architecture in linux distros
15:52 < test> when the interface goes up a bunch of scripts run in linux
15:55 < suprsonic> I can add the route to the client config
15:55 < suprsonic> but apparently I can't push it from the server
15:55 < suprsonic> odd
16:09 < test> not enough of a pro to tell you why
16:09 < test> just started using openvpn the other day between debian and windows
16:09 < test> gotta go
16:09 -!- test [n=test@h697179-171.picriverisp.net] has left ##openvpn []
16:32 < dvl> suprsonic: http://www.freebsddiary.org has the docs I wrote for getting my stuff running. Sample configurations.
16:32 < vpnHelper> Title: The FreeBSD Diary (at www.freebsddiary.org)
16:32 -!- thewofle is now known as thewolf
16:33 < suprsonic> you the owner of freebsddiary.org?
16:35 < dvl> Yes
16:37 < suprsonic> well, I personally want to thank you for providing me with a wealth of information on FreeBSD. You've been a great resource for me.
16:37 < dvl> Thank you. Send $. Thanks. ;)
16:38 < dvl> Some of it is getting dated (for older versions), but I still use some of the articles on a regular basis, such as /makeworld-script.php
16:38 < suprsonic> have you seen growth in the community based off of hits on the website?
16:39 < dvl> http://www.freebsddiary.org/stats/
16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - Last 12 Months (at www.freebsddiary.org)
16:39 < dvl> I'm not sure if I have stats for previous years easily to hand.
16:39 < dvl> Oh yes: http://www.freebsddiary.org/stats/usage_200201.html
16:39 < vpnHelper> Title: Usage Statistics for freebsddiary.org - January 2002 (at www.freebsddiary.org)
16:40 < dvl> hits per day in 2002 was 9127
16:40 < dvl> in 2009, it's 23515
16:40 < suprsonic> awesome
16:40 < suprsonic> donations coming in?
16:41 < dvl> freshports.org 114475 in 2009
16:41 < suprsonic> oh you host freshports also?
16:42 < suprsonic> I looked at your openvpn post and its exactly what I'm doing, but apparently I'm still doing something wrong.
16:42 < dvl> In 2003 for freshports, it was 40258
16:42 < suprsonic> cause the route isn't showing up.
16:42 < dvl> suprsonic: Yes, I wrote FreshPorts.
16:42 < dvl> Few donations come in. :)
16:43 < dvl> The ad revenue generates enough cash to pay for gasoline.
16:43 < suprsonic> rofl
16:44 < suprsonic> I even placed the push at the end of the config like you have it in case that was the cause.
16:44 < dvl> restarted?
16:44 < suprsonic> yup
16:44 < dvl> Dunno
16:47 < suprsonic> it must have to do with it being a point to point tunnel
16:47 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
16:53 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:59 < dvl> Try my entire config.
17:05 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
17:22 -!- suprsonic [n=supr@97-87-2-183.dhcp.mdsn.wi.charter.com] has quit []
17:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:53 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit [Read error: 131 (Connection reset by peer)]
17:55 -!- eliasp [n=quassel@78.43.213.203] has quit [Remote closed the connection]
17:58 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
18:01 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
18:02 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
18:14 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
18:15 < test> anyone else get bad source ip address errors with just a peer to peer setup?
18:28 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has left ##openvpn []
18:39 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has joined ##openvpn
18:40 < d0wNsYs> can anyone answer a quick question?
18:41 < d0wNsYs> Options error: --server and --secret cannot be used together (you must use SSL/TLS keys)
18:41 < d0wNsYs> get that when trying to start openvpn
18:46 < krzie> !sample
18:46 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
18:48 < krzie> that's how you use --server
18:49 < krzie> --secret is for a ptp setup where you use ifconfig on both sides
19:07 < d0wNsYs> so when i make the shared.key i shouldn't use the --secret option
19:28 -!- tomfmason [n=tom@unaffiliated/tomfmason] has joined ##openvpn
19:35 < tomfmason> I am trying to forward all client connections through the server and am having some issues. My configs are http://pastebin.com/m7672da21 . I can connect to the vpn server fine but if I try to change the default gateway on the client I lose my main connection.
19:49 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection]
20:22 -!- o[80 [n=oc80z@quad.efnet.pe] has quit []
20:23 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has joined ##openvpn
20:24 -!- Clearwolf [i=48567912@gateway/web/ajax/mibbit.com/x-302e5b312dc5bddf] has left ##openvpn []
20:43 -!- d0wNsYs [n=d0wNsYs@c-98-219-111-129.hsd1.fl.comcast.net] has quit ["Leaving"]
20:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
21:15 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
21:26 * cyberjames strange... After restarting the openvpn service, the xen host can't be reached from the guest system.
21:31 < cyberjames> !logs
21:31 < vpnHelper> cyberjames: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:40 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has joined ##openvpn
21:41 < lfaraone> Hi, I built an OpenVPN tunnel and am able to connect, now how can I route all of my outbound traffic through the tunnel rather than unencrypted via the normal eth0?
21:43 < tomfmason> lfaraone: push "redirect-gateway def1"
21:44 < tomfmason> on the server and redirect-gateway on the client
21:45 < tomfmason> I am a complete newb so I would keep that in mind if you follow any of my advice :P
21:46 < tomfmason> I am trying to do the same thing and the issue I am having now is DNS not being pushed to clients
21:49 < lfaraone> tomfmason: I'm thinking this is a routes problem. Maybe I should respecify: I'm trying to create a route to do that.
21:53 -!- rodpod [i=rod@hick.org] has joined ##openvpn
21:54 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
21:56 < tomfmason> lfaraone not sure if it will help any but here is my simple client/server config http://pastebin.com/m1748ea66 . It connects to the vpn fine and sets the default gateway/route but I still haven't quite figured out how to get dns working
21:58 < tomfmason> figure out, even
22:00 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
22:01 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn []
22:18 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
22:23 < tomfmason> anyone awake that can give a few suggestions as to what I may be doing wrong? My config is http://pastebin.com/m5d7b50fe. I am not seeing any errors anywhere but I am not able to resolve anything. I have the output from tcpdump in that paste as well.
22:23 < krzie> !pushdns
22:23 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
22:27 < tomfmason> krzie: I have push "dhcp-option DNS 205.234.170.215" on the server but ipconfig /all on the windows box doesn't show the dns address. Would clearing the cache solve that?
22:27 < krzie> see the link in #2
22:33 < ecrist> evening, bitches
22:33 < krzie> sup man
22:33 < krzie> <-- tired
22:33 < ecrist> me too. going to bed soon
22:33 < ecrist> http://www.freebsd.org/cgi/query-pr.cgi?pr=130754
22:33 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org)
22:36 < krzie> nice
22:36 < tomfmason> I don't get it. It appears that the request (when looking at tcpdump) is being sent but I never get a reply to my pings on the client.
22:36 < krzie> and does the client see pings coming in?
22:36 < tomfmason> That link suggests that I need to clear the cache. I did that but still no change
22:37 < krzie> (tcpdump or R's if using verb 6)
22:37 < krzie> also, first part of topic is a strong possibility
22:37 < krzie> do the pings work by ip?
22:38 < tomfmason> I can't ping the client from the server but I can ping the server from the client. All other pings from the client time out
22:39 < krzie> firewall
22:41 < krzie> (on the client it sounds like)
23:07 < tomfmason> krzie: you were correct. Well, that was part of the problem. I had the incorrect subnet mask in iptables on the server as well.
23:07 < tomfmason> It is still not setting the dns on the client but I did it manually and it works fine
23:10 < tomfmason> is just push "dhcp-option DNS 205.234.170.215" on the server enough or do I need something on the client side as well?
23:51 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
23:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:57 < lonel> hi got a doubt
23:57 < lonel> my internal network is in the range 192.168.1.0/24
23:57 < lonel> got ovpn server inside
23:58 < lonel> so when a client connects from outside.. will he be assigned an ip in the range 192.168.1.0/24?
23:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Tue Jan 20 2009
00:04 < lonel> krzee: any idea about tun/bridge interface?
00:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
00:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:24 < krzee> lonel, tun isn't bridge
00:24 < krzee> tun is for routed
00:31 < lonel> krzee: thanks
00:31 < lonel> this is my question
00:31 < lonel> my internal network is in the range 192.168.1.0/24
00:32 < lonel> so when a client connects from outside.. will he be assigned an ip in 192.168.1.0/24?
00:32 < lonel> i am using tun interface?
00:50 -!- WormFood [n=wormfood@58.60.118.83] has joined ##openvpn
00:50 < krzee> !howto
00:50 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:51 < krzee> im really tired so im not gunna walk you through it much
00:51 < krzee> but reading the howto will greatly help you
00:51 < krzee> !man
00:51 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:51 < krzee> manual is GREAT reference
00:52 < krzee> short answer, client should get a lan ip private to the vpn (sample configs use 10.8.0.0/24)
00:52 < krzee> !sample
00:52 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
00:52 < krzee> there's some samples from me
00:52 < krzee> and if you plan on connecting a lan on any side of the vpn to communicate through the vpn see this:
00:52 < krzee> !route
00:52 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
00:52 < krzee> goodnight =]
00:56 < reiffert> Moin moin
01:03 < lonel> krzee: thanks
01:03 < lonel> let me read all those
01:08 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
01:33 -!- WormFood [n=wormfood@58.60.118.83] has left ##openvpn ["Leaving"]
01:33 < lonel> hi
01:33 < lonel> my internal network, which is running ovpn server, is 192.168.64.0/24
01:40 < lonel> and the clients network is in 192.168.1.0/24
01:40 < lonel> and this is my ovpn config
01:40 < lonel> server 192.168.0.0 255.255.255.0
01:40 < lonel> push "route 192.168.64.0 255.255.255.0"
01:40 < lonel> push "route 192.168.1.0 255.255.255.0"
01:40 < lonel> route 192.168.1.0 255.255.255.0
01:41 < krzee> !route
01:42 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
01:42 < krzee> i made a detailed writeup with everything you need to know for that goal
01:42 < krzee> reiffert, moin
01:42 < lonel> krzee: yeah i tried the same
01:42 < lonel> let me check
01:42 < krzee> also
01:43 < krzee> you don't wanna use 192.168.0.0 most likely
01:43 < krzee> unless there will never be mobile clients
01:43 < krzee> cause that's such a common subnet
01:44 -!- dazo_gone is now known as dazo
01:45 < lonel> krzee: do i need to mention iroute in client config
01:45 < lonel> ?
01:45 < krzee> don't skim my writeup
01:45 < krzee> read it fully
01:46 < krzee> !forget route
01:46 < vpnHelper> krzee: Joo got it.
01:46 < krzee> !learn route as http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
01:46 < vpnHelper> krzee: Joo got it.
01:51 < lonel> krzee: working on it
01:56 < lonel> krzee:
01:56 < lonel> Tue Jan 20 08:58:08 2009 vais/69.93.37.142:2807 SENT CONTROL [vais]: 'PUSH_REPLY,route 192.168.64.0 255.255.255.0,route 192.168.1.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1)
01:56 < lonel> looks like the route added
01:56 < krzee> you won't have users connecting from other lans?
01:57 < krzee> like possibly a laptop?
01:57 < krzee> (out roaming around for example...)
01:57 < lonel> yes the server i am working on is a remote one
01:57 < krzee> i see you are connecting 2 lans...
01:57 < lonel> oh my bad
01:57 < krzee> will you also connect from outside of them?
01:58 < krzee> or just connecting them
01:58 < lonel> krzee: sec, i will be back
01:58 < krzee> [03:46] also
01:58 < krzee> [03:46] you dont wanna use 192.168.0.0 most likely
01:58 < krzee> [03:47] unless there will never be mobile clients
01:58 < krzee> [03:47] cause thats such a common subnet
01:59 < lonel> sure i will change it
01:59 < krzee> if you ever try to connect from a lan using 192.168.0.0 you will not be able to connect to the vpn right
01:59 < krzee> it would break routing
01:59 < lonel> i will look into it, and i made a mistake in push, my server subnet is not 192.168.64.0/24
01:59 < lonel> it is 192.168.168.0/24
01:59 < lonel> i am changing it, and gonna connect again
02:02 < lonel> MULTI: bad source address from client [192.168.1.2], packet dropped
02:02 < lonel> i guess i am on the track now
02:02 < lonel> :)
02:02 < krzee> ya except i think you didn't fully read my doc still
02:02 < lonel> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.
02:02 < lonel> where is that?
02:03 < krzee> wherever you make it...
02:03 < lonel> in the client or server?
02:03 < lonel> let me figure it :)
02:03 < krzee> IT SAS
02:03 < krzee> SAYS
02:03 < krzee> second sentence
02:04 < krzee> well, first sentence rather
02:05 < lonel> client-config-dir
02:05 < lonel> what is ccd then?
02:05 < krzee> !man
02:05 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:05 < krzee> look at --client-config-dir
02:06 < lonel> sec
02:09 < lonel> oh in the server di i need to create a directory, in that it should contain a file with cn as that of the client?
02:09 < lonel> and need to specify iroute there?
02:09 < lonel> do i*
02:09 < krzee> right
02:12 < lonel> krzee: i got an issue here. i am using pam auth here
02:12 < lonel> not certificates
02:12 < lonel> so how should i know the name of the client network
02:12 < krzee> in manual see --username-as-commonname
02:12 < lonel> or it doesn't matter
02:13 < lonel> ok already got that in my config (copied from somewhere) ;)
02:14 < lonel> krzee: one more question
02:14 < lonel> my user is lonel
02:14 < lonel> i created a directory lonel
02:14 < lonel> and i created a file called lonel.conf
02:14 < lonel> and put iroute 192.168.1.0 255.255.255.0
02:14 < krzee> You will need client-config-dir /path/to/ccd/ in your server config file to enable ccd entries. ccd entries are basically included into server.conf, but only for the specified client. You put commands in ccd/client-common-name, and they are only included when the client's common-name matches the name of the file in ccd/.
02:14 < krzee> In this example lets assume the client owning the network 192.168.1.0 has a common-name of client1. In ccd/client1 He should have the following:
02:15 < lonel> ok :)
02:15 < krzee> i took a lot of time making that doc nice, i hate when people just skim it
02:16 < krzee> instead of reading to understand
02:17 < lonel> krzee: true
02:17 < lonel> sorry for that
02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 < lonel> krzee: still can't ping
02:19 < lonel> but no errors
02:20 < lonel> SENT CONTROL [lonel]: 'PUSH_REPLY,route 192.168.168.0 255.255.255.0,route 192.168.0.1,topology net30,ping 10,ping-restart 120,ifconfig 192.168.0.10 192.168.0.9' (status=1)
02:20 < krzee> what can't you ping
02:20 < lonel> got a web server
02:20 < lonel> in 192.168.168.0/24
02:20 < lonel> on .90
02:20 < krzee> READ MY WHOLE DOC
02:20 < krzee> im leaving
02:20 < krzee> goodnight
02:21 < lonel> so that will help me?
02:21 < krzee> nothing can help you if you are unwilling to read
02:21 < krzee> pay someone to set it up for you maybe
02:22 < lonel> ok got it
02:22 < lonel> ROUTES TO ADD OUTSIDE OF OPENVPN
02:22 < lonel> :)p
02:24 < lonel> krzee:
02:24 < lonel> If this needs clarification ask me about it and I will update this page after discovering how to make it clearer.
02:24 < lonel> :)
02:24 < lonel> help me
02:24 < lonel> b/w changing the ip from 192.168.0.0
02:28 < lonel> krzee: the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work.
02:29 < lonel> so if i add a route to default gateway, that would work?
02:49 < lonel> ok i need to add a route in the router
02:49 < lonel> to the tunnel's ip
02:56 -!- zug|work [n=zug_work@88.211.97.126] has quit [Read error: 110 (Connection timed out)]
04:04 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
04:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
04:25 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has joined ##openvpn
04:25 -!- doke_ [n=me@84-73-166-158.dclient.hispeed.ch] has quit [Read error: 113 (No route to host)]
04:26 < assasukasse> hi everyone, i wish to know if it is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client
05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:20 < assasukasse> anyone?
05:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
06:13 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has joined ##openvpn
06:13 < SURFkees> Anyone know what's the cause of this: "WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576"
06:20 < assasukasse> hi everyone, i wish to know if it is possible to assign a fixed ip to a certain client (ie 10.8.0.2 to my client1, 10.8.0.3 to my client 2 and so on) so that it is RESERVED to that client
06:32 < pegasos-rider> assasukasse: use client-config-dir to specify directory of client-specific configurations, and specify ifconfig-push client_IP peer_IP for each client there
06:32 < assasukasse> pegasos-rider: do u have a guide for that?
06:33 < pegasos-rider> Indeed I do, it's openvpn(8) manual page :)
06:51 < assasukasse> pegasos-rider: i can't find on the website how to get the manual (page 8)
06:56 < pegasos-rider> If you're on some POSIX system, man 8 openvpn will help you :) Otherwise check web site one more time :)
06:57 < pegasos-rider> And by the way, 8 means section of the manual page, not page of some manual, search for client-config-dir and ifconfig-push there instead
06:58 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
06:58 < dazo> assasukasse: google: man openvpn .... it usually gives a clear hit
07:18 < ecrist> SURFkees: look into the howto and/or man pages and read up on MTU
07:18 < ecrist> oh, and good morning, bitches
07:40 < assasukasse> well i found i have to make a ccd directory and put a file with the name of the machine i want to edit..
07:40 < assasukasse> it's not very clear in the examples i found
07:41 < ecrist> have you read the howto?
07:41 < assasukasse> ecrist: yesser
07:41 < ecrist> it states *exactly* what you have to do.
07:41 < assasukasse> i configured everything tru the howto
07:41 < ecrist> so this isn't any 'not very clear' if you read that
07:42 < assasukasse> ecrist: i was reading this part Expanding the scope of the VPN to include additional machines on either the client or server subnet.
07:44 < assasukasse> however i can't find exactly what i need, i found a lot about connecting to networks behind the client and such
07:49 < ecrist> :\
07:49 < ecrist> search the how to for the section called "Configuring client-specific rules and access policies"
07:50 < ecrist> don't know how much more obvious it needs to be
07:52 < assasukasse> ecrist: assuming i have to give the client 1 always the same ip 10.8.0.2. i create a dir /etc/openvpn/ccd and a file inside the dir called client1 and put ifconfig-push 10.8.0.2 10.8.0.1 (where 10.8.0.1 is my server virtual ip?)
07:52 < ecrist> assasukasse: did you read the section I mentioned?
07:52 < assasukasse> ecrist: yes
07:52 < assasukasse> that's why i am questioning u
07:52 < ecrist> ok, then you know the answer to your question is no
07:53 < assasukasse> cuz it says: Each pair of ifconfig-push addresses represent the virtual client and server IP endpoints.
07:53 < ecrist> correct
07:53 < ecrist> but the addresses you mention aren't correct
07:53 < ecrist> they list out a bunch of examples.
07:53 < ecrist> right in that section
07:54 < ecrist> each /30 uses 4 IPs, not just two
07:57 < lonel> hey
07:57 < assasukasse> oh i got.. so i put ifconfig-push 10.8.0.1 10.8.0.2 and this causes client 1 to take ip 10.8.0.2
07:58 < lonel> hey any one know the name of bridge module in the linux?
07:58 < lonel> add bridge failed: Package not installed
07:58 < assasukasse> and ifconfig-push 10.8.0.5 10.8.0.6 would cause client1 to take ip 10.8.0.5? and what about server. from the client side will still be 10.8.0.1?
07:58 < lonel> i guess in my machine bridge is compiled as module
07:58 < ecrist> lonel, sorry, no, I use a *real* OS. ;)
07:58 < lonel> which one?
07:59 < lonel> :)
07:59 < ecrist> FreeBSD, lonel
07:59 < ecrist> assasukasse: the 'server' end of the ip addressing is only virtual. the server's IP really remains at .1, but for a /30, you need an endpoint for the PPP connection.
08:00 < assasukasse> ecrist: thanks, i just should first learn what is a /30 :D i will try to find smth on the net
08:01 < ecrist> good luck
08:02 < assasukasse> ecrist: so openvpn is a ppp vpn? is not smth like the ones integrated in the routers (cisco, zyxel)?
08:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:04 < ecrist> assasukasse: no
08:06 < SURFkees> ecrist, I took a look at the tun-mtu option and defined it at both my client and server the same way. Still no luck
08:06 < ecrist> krzee is the expert here, ask him
08:06 < assasukasse> thanks ecrist one last question, is it possible to route all my port 110 25 and 119 tru my server to make it look like it was originating from it? so i can check email from the client wherever i am
08:10 < SURFkees> krzee, any idea?
08:19 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:23 -!- lfaraone [n=LukeFara@ubuntu/member/lfaraone] has left ##openvpn []
08:26 -!- pegasos-rider [n=pegasos-@79.143.9.142] has quit [Remote closed the connection]
08:39 < ecrist> assasukasse: sure
08:49 < dazo> lonel: I thing the bridging tool is called bridge-utils-*.tar.gz .... and the kernel module I believe is bridge.ko
08:52 < dazo> s/thing/think/
08:57 < lonel> dazo: worked :)
08:57 < lonel> dazo: when i am starting bridge-start script through ssh console
08:57 < lonel> everything is locked up
08:58 < lonel> and need to reboot the machine again to make it accessible thru ssh
08:58 < dazo> lonel: whoops
08:58 < lonel> iptables permissions?
08:59 < dazo> dazo: well ... if I do a wild guess ... I believe it could be that kernel gets confused reg. to the routing between the interfaces and which interfaces sshd is listening to ... but I've never tried to start up bridging via ssh
08:59 * dazo goes to a meeting now ... back in an hour
08:59 < lonel> ok
08:59 < lonel> :)
09:03 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
09:03 < MMN-o> !route
09:03 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:04 < dazo> lonel: not sure if you've seen this one ... but you might find this one interesting .... http://www.linux.com/base/ldp/howto/BRIDGE-STP-HOWTO/index.html (now I'm really going for meeting)
09:04 < vpnHelper> Title: Linux.com :: Everything Linux and Open Source (at www.linux.com)
09:05 < lonel> dazo: thx
09:25 -!- o[80 [n=oc80z@quad.efnet.pe] has joined ##openvpn
09:31 < MMN-o> I'm having a curious problem with iptables (I think). I'm forwarding traffic from two external IPs to each internal VPN network on two separate physical machines
09:32 < MMN-o> from what I can tell the two separate machines (arti and gurk) have the same configurations with same openvpn version - but one is Debian (testing) and one is Ubuntu (intrepid server)
09:32 < MMN-o> Urr. gurk is debian lenny, and arti is ubuntu intrepid.
09:33 < MMN-o> [gateway] -> OpenVPN -> arti, gurk
09:34 < MMN-o> arti works fine, with iptables rerouting gateway:8080 to arti-on-vpn:80
09:34 < ecrist> I'd help, if I could, but not a linux guy, sorry.
09:35 < MMN-o> gurk doesn't. Traffic seems to stop at the gateway, but I can access it _from_ the gateway (using vpn IP)
09:36 < MMN-o> ip_forward is off on both arti and gurk, and neither have iptables rules, and they both listen (lighttpd) on 0.0.0.0:80 and 0.0.0.0:8080 respectively
09:37 < dazo> MMN-o: hold on about an hour, and I'll see if I can help you out (I'm in a phone meeting now)
09:37 < MMN-o> the gateway has identical setups (ordinary NAT) with iptables for them, except the external IP. (which are eth0 aliases eth:2 and eth:3 respectively)
09:37 < MMN-o> dazo: Sure.
09:38 < MMN-o> TUN interfaces by the way 09:38 < MMN-o> Either gurk doesn't accept the traffic through tun0, or gateway doesn't forward correctly. I'm gonna check (again) for overlapping iptables rules 09:44 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection] 09:48 < MMN-o> Hm, I found a legacy change that caused gurk not to function. redirect-gateway wasn't activated 09:49 < MMN-o> I'm curious over which route settings I'd have to set to enable this without redirect-gateway 09:50 < MMN-o> Right now I have to move myself physically to another computer which abruptly got disconnected. (openvpn client seems to stop/crash when server is stopped?) 09:55 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has joined ##openvpn 10:08 < dazo> MMN-o: would you mind showing your iptables rules on pastebin (or PM if really needed) ... you replace your public IP addresses with something else (public_1, public_2, etc) 10:08 < dazo> MMN-o: and the same with the route -n 10:09 < dazo> MMN-o: please dump the iptables via the iptables-save command ... easier to parse for me 10:24 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 110 (Connection timed out)] 10:26 < krzee> [10:10] krzee is the expert here, ask him 10:26 < krzee> lol 10:26 < krzee> ecrist, tired? 10:30 < SURFkees> :) 10:31 < krzee> whats the question? 10:32 < SURFkees> MTU problems 10:32 < krzee> lonel, why are you using bridge now? 10:33 < SURFkees> I'll show you a snippet of the logs 10:33 < krzee> SURFkees, did you try --mtutest? 10:33 < krzee> !mtu 10:33 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 10:33 < krzee> --mtu-test i mean 10:34 < SURFkees> I'll give that a shot. The thing is, I've never had problems with MTU's on this line 10:34 < krzee> then why are you changing it? 
10:35 < SURFkees> I'm receiving this error on my client: 10:35 < SURFkees> WARNING: Bad encapsulated packet length from peer (17474), which must be > 0 and <= 1576 10:35 < SURFkees> which then suggests it has something to do with the MTU 10:35 < krzee> !configs 10:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:36 < krzee> put mtu-test in the client config 10:36 < krzee> then connect 10:36 < krzee> then post configs 10:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:46 < SURFkees> is mtu-test still useful if I'm running a tcp-server/tcp-client config? 10:48 < krzee> yes, but why would you use tcp? 10:48 < krzee> !tcp 10:48 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:48 < krzee> if you're talking about playing with mtu, you should first use --mtu-test 10:48 < krzee> http://www.latimes.com/news/nationworld/nation/la-na-airline-felonies20-2009jan20,0,5468299.story 10:48 < vpnHelper> Title: In-flight confrontations can lead to terrorism charges - Los Angeles Times (at www.latimes.com) 10:49 < SURFkees> DEBUG /usr/sbin/openvpn --config /var/lib/surfids/openvpn.conf --mtu-test --dev tap0 --writepid /var/lib/surfids/tunnel.pid 10:49 < SURFkees> ERROR /usr/sbin/openvpn died with error code 1, see log for details 10:49 < krzee> omg you're using tap AND tcp? 10:49 < krzee> lol 10:50 < krzee> you hate a good connection or something? 
10:50 < krzee> !factoids search tun 10:50 < vpnHelper> krzee: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers 10:50 < krzee> hrm 10:50 < krzee> !factoids search bridge 10:50 < vpnHelper> krzee: 'bridge', 'bridge-dhcp', 'fbsdbridge', and 'bridge-fw' 10:51 < SURFkees> Well, I know I need to use tcp, but what's wrong with tap? 10:52 < krzee> !learn tunortap as you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 10:52 < vpnHelper> krzee: Joo got it. 10:52 < krzee> tap encapsulates ethernet frames over ip 10:52 < SURFkees> Yep, which is what I want 10:52 < krzee> you have a reason for doing that? 10:52 < SURFkees> analyzing layer 2 attacks 10:53 < krzee> gimme an idea of your goal...? 10:53 < SURFkees> we use openvpn to connect our sensors to our server where the detection stuff is located 10:53 < krzee> you plan on detecting arp poisoning from remote instead of locally? 10:53 < SURFkees> basically, a distributed honeypot, in short 10:54 < ecrist> krzee: aye. getting support-burnout, I think 10:54 < SURFkees> yea 10:54 < krzee> haha 10:54 < krzee> ecrist, understandable 10:54 < ecrist> considering ##openvpn hiatus 10:54 < krzee> i was DEFINITELY there yesterday 10:54 < krzee> im gunna be on online hiatus for a little 10:55 < krzee> im headed to usa, brazil, peru 10:56 < krzee> SURFkees, ok so you do want tap 10:56 < krzee> likely not tcp 10:56 < lonel> krzee: hi,i dont have the password for the router to add a static route to it 10:56 < krzee> and have you done mtu-test yet, and posted configs to me yet? 10:56 < krzee> lonel, LOL 10:57 < lonel> :) 10:57 < krzee> reset it 10:57 < SURFkees> it doesn't want to let me do the mtu-test 10:57 < SURFkees> Options error: --mtu-test only makes sense with --proto udp 10:57 < lonel> krzee: so no other go? 10:57 < krzee> SURFkees, didnt i already say you should be using udp? 
10:57 < lonel> else need to manually add routing table as per the doc :) 10:57 < SURFkees> http://pastebin.com/m58192235 10:57 < krzee> good job lonel, you actually read the doc this time 10:58 < krzee> i noticed that after i stopped answering questions you started answering them yourself, i thought that could have been from actually reading that doc i spent so much time on 10:58 < lonel> thanks lol :) 10:58 < lonel> krzee: need help 10:59 < krzee> reset your routers pw 10:59 < krzee> and do it the right way instead of trying to use a bridge cause you dont know your routers password 11:00 < krzee> you were finished with the openvpn setup, but decided to start over because of a missing router pw 11:00 < krzee> LOL 11:00 < lonel> hehe :( 11:00 < krzee> go back to how it was after i helped you last night 11:00 < krzee> then reset the router pw (and write it down this time) 11:01 < lonel> because 70 people are working under it 11:01 < lonel> its a router/modem 11:01 < lonel> dont know the isp pss as well 11:01 < krzee> theres no way you're the head tech at a company with ~70 people 11:02 < lonel> i am a fighter 11:02 < lonel> :) 11:02 < krzee> like boxing? 11:02 < lonel> kind of..boxing with interwebs 11:02 < krzee> umm 11:02 < lonel> i know a lot of things,but dont know nothing 11:02 < krzee> whatever thats supposed to mean 11:03 < lonel> i hate reading rtfm 11:03 < plaerzen> ... 11:03 < lonel> oaabama 11:03 < lonel> well krzee 11:03 < lonel> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript 11:03 < krzee> good luck lonel 11:03 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 11:03 < lonel> thanks 11:03 < krzee> you ran out of krzee-help last night 11:04 < krzee> wassup plaerzen 11:04 < lonel> when i execute bridge-start..all my network goes down? 11:04 < lonel> need to reboot the machine to make it right 11:04 < krzee> you shouldnt be bridging anyways 11:04 < plaerzen> krzee, the usual. 
Trying to see if we should use CX4 or glass for our new backbone. 11:04 < krzee> mmmmm glass 11:05 < plaerzen> it's only a 10M run though, glass might be overkill 11:05 < krzee> oh 11:05 < ecrist> but, once it's in, you can upgrade speed easy 11:05 < krzee> how much bw? chance of needing more bw in future? 11:05 < plaerzen> yeah. I've heard some people have had issues with CX4 too. 11:05 < krzee> doh ecrist stole my train of thought ;] 11:06 < plaerzen> 10gbit 11:07 < plaerzen> and it's like a 3G price difference... 11:07 < krzee> thats all? 11:07 < plaerzen> roughly 11:07 < krzee> even after the endpoints for the fiber? 11:08 < plaerzen> they're just modules in our procurves 11:08 < krzee> then dude 11:08 < krzee> worth it! 11:08 < plaerzen> lol I need some more measurable metrics to justify it 11:09 < plaerzen> "krzee off IRC said do it!" 11:09 < krzee> copper you may need to dig it up one day to replace with faster 11:09 < krzee> fiber once its there its there forever 11:09 < plaerzen> I am leaning towards glass though too, for that reason. 11:09 < krzee> (assuming we're talking dark) 11:10 < ecrist> krzee: copper doesn't get 'faster' 11:10 < krzee> when you say krzee said 11:10 < krzee> your boss might say OMG YOU KNOW HIM!? 11:10 < plaerzen> lol 11:10 < krzee> ecrist, ok, to put in more copper 11:10 < ecrist> the only thing that may need to occur is putting heavier-gauge wiring in, whereas fibre is fibre 11:11 < ecrist> where copper is < fibre is in throughput capabilities over a distance 11:11 < plaerzen> yeah, I know that part. But it's only 10m between two procurves 11:11 < ecrist> you can push high bandwidth over fibre for hundreds of KM before repeaters are needed, copper not so much 11:11 < krzee> fiber has other benefits 11:11 < plaerzen> even if we buy another floor, we can use one of the procurves as a bridge 11:11 < krzee> but you already know them 11:12 < ecrist> plaerzen: 10 meters? 
11:12 < krzee> miles 11:12 < plaerzen> meters 11:12 < ecrist> oh, do fiber 11:12 < krzee> WHAT!? 11:12 < krzee> lol 11:12 < plaerzen> :P 11:12 < plaerzen> yep 11:12 < ecrist> meters? do copper 11:12 < krzee> ya i was way off 11:13 < krzee> 3g price diff for a 10 meter run 11:13 < krzee> screw that 11:13 < ecrist> don't mess with fibre unless you're going between places in a large building, or between buildings 11:13 < ecrist> and, there's nothing to 'dig up' 11:13 < ecrist> lol 11:13 < krzee> totally 11:13 < plaerzen> yeah we have a core drilled in the cement in our new building between the two server rooms 11:14 < ecrist> distance? 11:14 < plaerzen> on top of each other 11:14 < ecrist> wire-run distance, not crow-fly distance 11:14 < plaerzen> 10meters, tops 11:14 * krzee dumps the core 11:14 < ecrist> oh, copper 11:14 < ecrist> don't fuck with fibre for that 11:14 < krzee> i now agree, coper 11:14 < krzee> copper 11:14 < krzee> i totally thought that was 10 miles 11:14 < plaerzen> yeah, sorry 11:14 < krzee> ie: digging and whatnot 11:15 < krzee> and the other side benefit i like of fiber is lost too 11:15 < ecrist> anything more than a few hundred yards, you need to do fibre for real connectivity 11:15 < lonel> krzee: any idea why my network goes down..when i start the bridge interface? 11:15 < krzee> (cant tap a fiber line) 11:15 * plaerzen nods. 11:15 < krzee> lonel, 11:15 < krzee> [13:07] you ran out of krzee-help last night 11:15 < lonel> one more chance lol 11:16 < krzee> you're not even doing it right 11:16 < krzee> you shouldnt even be bridging 11:16 < krzee> which i said 2 or 3 times already 11:16 < plaerzen> Well, I need to do a little more digging. I have heard people have connectivity issues with CX4 on even short distances. (not as short as ours, but we have to have 100% confidence it will be ok here) 11:17 < SURFkees> Thanks for the help so far, krzee. 
I'll look into it some more myself tomorrow :) 11:17 < krzee> SURFkees, np, you prolly wanna lose all mtu related stuff in the config 11:17 < krzee> and frag stuff 11:17 < krzee> but since you still didnt post configs i can help more 11:17 < ecrist> plaerzen: any *real* switch can do port trunking, just run 2 or 3 of those connections and trunk the ports 11:18 < krzee> SURFkees, plus you want udp 11:18 < SURFkees> I did krzee, but my time is up now. I'll check again tomorrow 11:18 < plaerzen> ecrist, oh, we have some real switches. 11:18 < krzee> right on SURFkees 11:18 < lonel> why udb? 11:18 * krzee pictures plaerzen in a low rider with hydraulics when he says that 11:18 < ecrist> !tcp 11:18 < lonel> udp even 11:18 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 11:19 -!- SURFkees [n=kees@x229.flex.surfnet.nl] has quit ["Leaving"] 11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:19 < lonel> ecrist: krzee: any idea why my network goes down..when i start the 11:19 < lonel> bridge interface? 11:19 < lonel> :P 11:19 -!- mode/##openvpn [+o lonel] by ChanServ 11:19 < krzee> oh surfkees did post his configs 11:19 < krzee> i missed it 11:19 <@lonel> thanks 11:20 < ecrist> bastard 11:20 < krzee> oh noes 11:20 < krzee> dont ban me! 11:20 <@lonel> more powers more responsibility 11:20 <@lonel> i know that 11:20 <@lonel> hehe 11:20 < ecrist> /kick lonel 11:20 < ecrist> 11:20 -!- ##openvpn You need to be a channel operator to do that 11:20 < ecrist> :( 11:20 -!- mode/##openvpn [+o ecrist] by lonel 11:20 < krzee> hehe 11:21 <@ecrist> /kick lonel muahahah! 
11:21 -!- mode/##openvpn [-o ecrist] by ecrist 11:21 -!- mode/##openvpn [-o lonel] by ChanServ 11:21 < lonel> /mode +v krzee 11:22 < krzee> /devoice krzee 11:22 < ecrist> hah, I was getting +o and you only got +V 11:22 * ecrist > krzee 11:22 < krzee> lol 11:22 * ecrist does a dance. 11:22 < krzee> good point! 11:22 < ecrist> back to work for me. 11:23 < krzee> ecrist, how long til the 3 wise men visit? 11:23 < ecrist> o.O 11:23 < lonel> !help bridgekillsinterface 11:23 < vpnHelper> lonel: Error: There is no command "bridgekillsinterface". 11:23 < lonel> :) 11:24 < krzee> !dontusebridgeforthe5thtime 11:24 < vpnHelper> krzee: Error: "dontusebridgeforthe5thtime" is not a valid command. 11:24 < lonel> ok let me do some googling 11:24 < lonel> thank :P 11:24 < lonel> s 11:24 < krzee> google this: 11:24 < krzee> DONT USE BRIDGE 11:27 < lonel> hehe ok 11:30 < lonel> krzee: why router vpn >> bridged? 11:30 < lonel> s/router/routed 11:30 < krzee> less overhead, easier to setup 11:30 < lonel> apart from that? 11:30 < krzee> you're talking about using ethernet frames over ip just because you forgot the password to your router 11:31 < krzee> you should have the password anyways 11:31 < krzee> fix the real problem 11:31 < krzee> you will have a faster vpn with tun 11:31 < lonel> i see 11:32 < lonel> i will look towards it 11:32 < krzee> !tunortap 11:32 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 11:34 < lonel> oh tap is under layer 2,and tun is using layer3 11:34 < krzee> someone skipped the howto that i linked him to 11:34 < krzee> (shocking) 11:35 < lonel> o_o 11:36 < krzee> but yes 11:36 < krzee> tap is layer2 tun is 3 11:36 < lonel> so ip over ip is tehbest? 11:36 < lonel> the best 11:36 < lonel> than frames over ip? 
11:36 < krzee> better than ethernet over ip when you arent tunneling layer2 protocols 11:36 < krzee> for obvious reasons 11:37 < lonel> alright 11:38 < lonel> i will do the stuff related with it using the router after office time 11:38 < lonel> krzee: thanks very much for your time :) 11:38 < lonel> laters 11:38 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn [] 11:39 < krzee> for the record, i started off nice to him 11:47 < assasukasse> is there any GUI for controlling openvpn? like adding or removing clients and settings options 11:47 < dazo> assasukasse: which OS? 11:47 < assasukasse> linux 11:47 < dazo> assasukasse: Do you use NetworkManager? 11:47 < krzee> !ubuntu 11:47 < vpnHelper> krzee: "ubuntu" is dont use network manager! 11:47 < krzee> hehe 11:47 < dazo> assasukasse: there are some plugins for that 11:48 < assasukasse> no i don't use ubuntu nor network manager 11:48 < krzee> theres some php web based gui app 11:48 < krzee> and theres ssl-admin 11:48 < dazo> krzee: Ubuntu used NetworkManager since 7.10 (Gutsy Gibbon) at least .... but I uninstalled it because it was crappy 11:48 < krzee> as for settings, i dont think so 11:48 < assasukasse> im on debian lenny 11:49 < krzee> adding clients = ssl certs 11:49 < assasukasse> uhm... 11:49 < krzee> ssl-admin is nice 11:49 < assasukasse> only for adding clients.. 11:49 < krzee> !ssl-admin 11:49 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 11:49 < bigjohnto> any way to see currently connected VPN users? 11:49 < krzee> management interface 11:50 < krzee> i have no idea how, but it can 11:50 < dazo> bigjohnto: krzee: If you have configured management interface in OpenVPN ... you can basically telnet to the address:port you set up .... and call the "help" command .... 
I believe connections is found by the "status" command 11:51 < krzee> right on 11:51 < krzee> ill play with that some day 11:51 < assasukasse> oh yea i tried the telnet one 11:52 < assasukasse> well, in short openvpn works really well, but i find it not really easy to configure..might be cuz i am not strong in routing stuff 11:52 < dazo> assasukasse: routing can be tricky ... but you can't blame that on OpenVPN unfortunately ;-) 11:52 < krzee> having a problem configuring something specific? 11:54 < assasukasse> actually yes, i am using ssh to tunnel my email and smtp and nntp connection from work to my home server..and it works..but is bothersome, i wish i could simply do with openvpn (just set up a rule on my client to forward port 25 110 119) 11:54 < assasukasse> i fiddled a couple of hours in the config 11:54 < assasukasse> but i am missing smth 11:54 < bigjohnto> krzee, dazo, maybe i should i wrote a script and logged openvpn connections but i would like something more clean 11:54 < krzee> bigjohnto, you could make a web interface to the management interface 11:55 < krzee> in fact the management interface was designed to be used by scripts / external apps 11:55 < bigjohnto> right on 11:55 < krzee> less designed to be used by hand 11:55 < bigjohnto> i guess i got myself a project 11:55 < krzee> assasukasse, im thankful openvpn doesnt handle that stuff 11:55 < dazo> bigjohnto: what's your requirements regarding the security? ... if you want to use both SSL certs and username/password ... you can use the eurephia auth module, which does session logging also to a database (SQLite for the moment) 11:55 < krzee> it lets the os handle things that belong to the os 11:56 < bigjohnto> dazo, can you customize it? add to it? 
11:56 < krzee> and port based routing doesnt really exist, but can be hacked up through firewall rules prolly 11:56 < dazo> bigjohnto: http://www.eurephia.net/ 11:56 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 11:56 < bigjohnto> thanks you have been wonderful 11:56 < dazo> bigjohnto: depends on what you mean with customize 11:56 < krzee> assasukasse, email/smtp/nntp are on the same box? 11:56 < bigjohnto> dazo, own scripts etc.. etc.. 11:57 < bigjohnto> nothing major 11:57 < bigjohnto> i'll play around with it, guess thats the best way to find out 11:57 < assasukasse> krzee: my email provider is pretty bothersome..if i don't connect from my home dsl it doesn't let me send or check email... 11:57 < assasukasse> if i want to check from work i need to tunnel the connection to home 11:57 < krzee> assasukasse, just add routes 11:58 < krzee> route ip netmask 11:58 < krzee> in the config that is on the machine that needs the route added 11:58 < assasukasse> krzee: but route can be limited for ports? 11:58 < krzee> no 11:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:58 < krzee> for ips 11:58 < krzee> it just adds a route to the kernel routing table 11:58 < krzee> you gunna connect to the mail server for something other than mail? 11:58 < assasukasse> nop 11:59 < assasukasse> sending and fetching 11:59 < krzee> then why do you care about the port? 11:59 < krzee> just route to the ip over the vpn 11:59 < dazo> bigjohnto: no, the eurephia do not add anything like that .... 
sounds more like you just want to investigate the --tls-verify or similar hooks 11:59 < dazo> bigjohnto: --learn-address is another hook 12:01 < bigjohnto> dazo thanks :) 12:01 < dazo> bigjohnto: np 12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:12 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has joined ##openvpn 12:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:16 < gnashi> hello... I have my VPN running just fine - bridging server, linux client - unfortunately it seems that my client's default gateway is being overridden on connect by default. Config is http://pastebin.com/d42806d9c 12:17 < gnashi> I just want the client to have a route to the VPN subnet and to use the VPN's DNS. 12:24 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has joined ##openvpn 12:25 < thx2000> Can anyone recommend a download for an OpenVPN GUI that works w/ Vista x64? I've tried just about every version I can find, and they all try to install v8 of the TAP-Win32 driver which I can't get working. 12:27 < gnashi> thx2000: I've had the same problem. No solution yet that I've found. 12:31 < thx2000> I've got it working on one machine...but I installed it a year ago and can't remember what the heck I did 12:31 < thx2000> Definitely don't remember it being this tricky 12:32 < gnashi> hmm. 12:35 -!- gnashi [n=gabriel@S0106001346fb1579.vc.shawcable.net] has quit ["Ex-Chat"] 12:54 -!- rodpod [i=rod@hick.org] has quit [Remote closed the connection] 13:05 -!- thx2000 [n=efaccou@netblock-75-79-22-139.dslextreme.com] has left ##openvpn [] 13:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii 14:06 -!- Netsplit over, joins: kaii 14:17 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn 14:18 < fbond> Hi. With certificate-based auth, the OpenVPN server does not allow the same client to connect twice. Will it allow this if I use username & password auth? 
14:18 < fbond> I'd like to use the same credentials from multiple machines. 14:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 14:25 < ecrist> fbond: read the how to 14:25 < ecrist> you *can* allow multiple connections from a single certificate with the duplicate-cn option, but it's not recommended for security reasons. 14:26 < fbond> ecrist: Ah, okay, thanks. 14:28 < fbond> ecrist: That topic doesn't seem to be covered in the howto, but I assume I can simply turn that on and continue using cert-based auth, right? Does this break ifconfig-pool-persist? 14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:34 < fbond> Nevermind, I see http://openvpn.net/archive/openvpn-users/2005-02/msg00231.html. 14:34 < fbond> Thanks! 14:49 < bigjohnto> :) finished my perl script to email FAILED and Initiated vpn access sessions :) w00t w00t :P 14:59 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:11 < reiffert> Using status file_ 15:11 < reiffert> ? 15:12 < ecrist> fbond: yes, it will break ifconfig-pool-persist 15:16 < bigjohnto> reiffert, nope just regular old open handlers and regular expressions 15:25 < reiffert> handler on what file? 15:25 < reiffert> syslog? 15:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:26 < bigjohnto> reiffert, openvpn.log 15:26 < bigjohnto> i have it doing the logging for openvpn service 15:27 < reiffert> Ah, great! 
15:27 < bigjohnto> this is in the server.conf file --> log-append /var/log/openvpn.log 15:28 < bigjohnto> so basically the crond perl script checks every week and then sends off an email and rotates it, 4 rotations 15:29 -!- assasukasse [n=assasuka@host-84-222-247-236.cust-adsl.tiscali.it] has quit ["I ♥ Debian"] 15:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 15:32 -!- Andry [n=na@host233-16-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)] 15:43 < ecrist> bigjohnto: why not do it more often than once per week? do it real time. 15:50 -!- hiptobecubic [n=john@nateres205.tel.miami.edu] has quit [Read error: 145 (Connection timed out)] 16:53 -!- BoomSie [n=gideon@82-168-207-134.ip.telfort.nl] has quit [Remote closed the connection] 17:07 < bigjohnto> ecrist, ????? via cron? 17:14 < ecrist> what we do at my office is have a perl script which is tail -f the log file, sends notices for failures and keeps a small web applet we've got updated with current connections, etc. for the web applet, we compare current/incoming connection information against the status file to flush out any stale connection data 17:16 < bigjohnto> ah 17:16 < bigjohnto> yea thats a good idea too 17:16 < ecrist> krzee: PR13075 (http://www.freebsd.org/cgi/query-pr.cgi?pr=130754) committed 17:16 < vpnHelper> Title: ports/130754: update to security/ssl-admin (at www.freebsd.org) 17:16 < bigjohnto> but there are only 3 people who vpn here, so that would be overkill :) 17:16 < ecrist> we only have 12 17:17 < bigjohnto> heh guess security would be awesome with that 17:17 < bigjohnto> well thanks, I really appreciate that 17:18 < bigjohnto> I will modify my script to do that, not too many people share ideas these days 17:18 < bigjohnto> maybe make a perlmodule or something for people to use for it 17:18 < ecrist> there you go 17:19 < ecrist> I'm out - time for some beer. 
17:19 < bigjohnto> thanks, and have fun 17:27 < krzie> Severity:serious 17:27 < krzie> it was a good update, but serious? 17:42 -!- Bushmills1 [n=nl@verhau.de] has joined ##openvpn 17:48 -!- Bushmills [n=l@verhau.de] has quit [Nick collision from services.] 17:48 -!- Bushmills1 is now known as Bushmills 18:00 -!- jrk [n=jrk@unaffiliated/jrk] has joined ##openvpn 18:00 < jrk> hi 18:01 < jrk> if I want to have certificate usable only by clients connecting using openvpn I assume that following certificate parameters should be enough to enforce it? 18:01 < jrk> X509v3 Basic Constraints: critical 18:01 < jrk> CA:FALSE 18:01 < jrk> X509v3 Key Usage: critical 18:01 < jrk> Digital Signature 18:01 < jrk> X509v3 Extended Key Usage: critical 18:01 < jrk> TLS Web Client Authentication 18:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 18:06 -!- thewolf is now known as Supotcog 18:07 -!- Supotcog is now known as elongatednipple 18:08 -!- elongatednipple is now known as friedtoe 18:08 -!- friedtoe is now known as sorryiamaknob 18:11 -!- sorryiamaknob is now known as thewolf 18:25 < krzie> anyone here use facebook? 18:25 < krzie> looking to get 5 people to install a FB app my friend made so it can get approved 18:25 < krzie> jrk no idea 19:32 < ecrist> i do 19:33 < ecrist> krzie: just create 5 accounts with throw-away emails 19:49 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:53 < krzie> http://apps.facebook.com/my_files/ 19:53 < vpnHelper> Title: Login | Facebook (at apps.facebook.com) 19:58 < ecrist> what personal data does it pull? 19:58 < ecrist> who is patrick boden? 19:58 < ecrist> sounds familiar 20:13 < krzie> not sure, for all i know it could be my friends name 20:13 < ecrist> lol. 
requires signup on their site, so I opted out 20:15 < krzie> lol 20:17 < ecrist> krzie: ssl-admin is at 1.0.1 in ports tree now 20:18 < krzie> ya i saw =] 20:19 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn 20:20 -!- DPA [n=DPA@89.124.68.18] has joined ##openvpn 20:21 < ecrist> my next big commit I think is going to be to migrate to ssl perl library 20:21 < ecrist> get rid of some of the system calls 20:22 < krzie> ahh nice 20:23 < krzie> why do you depend on zip? 20:37 < ecrist> because of the zip function 20:38 < krzie> lol, right 20:38 < krzie> but how bout tar for no DEPs? 20:38 < ecrist> because windows doesn't do tar 20:38 < ecrist> and, like it or not, there are lots of windows clients out there 20:38 < krzie> oh ya windows 20:38 < krzie> does it do zip by default? 20:38 < ecrist> yep 20:39 < krzie> (i guess so or you wouldnt have said anything bout tar) 20:39 < ecrist> 'splorer can do that 20:39 < krzie> ahh 20:39 < ecrist> it can't zip file up, but it can unzip them, like I unzipped your mom last night. 20:39 < krzie> heh 20:39 < krzie> dude my moms kinda old 20:39 < ecrist> old == experienced 20:40 < ecrist> ;) 20:40 < ecrist> I've had a few. can ya tell 20:40 < krzie> so it was good? 20:40 < ecrist> oh yeah. 20:40 < krzie> lol ya 20:40 < krzie> but its all in fun ;] 20:41 < krzie> besides i was with mrs crist while you were with my mom, so i figure its a fair trade 20:41 < krzie> kinda like swinging, but a lil diff 20:41 < ecrist> of course. gonna read the kid a story and wrestle with my dogs for a bit. 20:41 < ecrist> krzie: did she wear the gimp ball for ya? 20:41 < ecrist> she said she was gonna. 
20:41 < krzie> nah but she liked the new vibe cockring 20:42 < ecrist> oh, and your ma said that it's OK with her if the four of us get together, she mentioned something about 'my boy's been in there once before, so nothing too new' or something like that 20:42 < krzie> ya i was in there for like 9mo 20:42 < ecrist> seriously, my ol' lady *LOVES* the vibe cock rings 20:43 < krzie> ya my #1 loves it too 20:43 < krzie> is it wrong i use it with others too? 20:43 < ecrist> of course not 20:43 < krzie> werd 20:43 < ecrist> we share here, so why shouldn't others? 20:44 < ecrist> well, I'm off. tomorrow, man. going to work some serious on ssl-admin in the next couple weeks. 20:44 < krzie> right on, gnite 20:44 < ecrist> a php/perl front end (html) has been suggested. 20:44 < krzie> ooo 20:44 < krzie> would be dope 20:44 < krzie> dunno if ild use it, but it would be liked by many 20:44 < ecrist> gonna get rid of the system() calls, first 20:45 < ecrist> then, maybe for 2.0 20:45 < ecrist> it would be nice to implement a secure certificate file transfer via the ssl-admin package 20:45 < krzie> hrm, its doable 20:45 < ecrist> but, dunno 20:45 < ecrist> more to talk about. 
20:45 < ecrist> l8r 20:45 < krzie> peace 20:52 -!- DPA [n=DPA@89.124.68.18] has quit ["Leaving"] 21:01 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"] 21:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 21:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 21:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:53 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 23:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] --- Day changed Wed Jan 21 2009 00:17 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 104 (Connection reset by peer)] 00:17 -!- robert__ [n=hellspaw@r-butler.net] has joined ##openvpn 00:55 < reiffert> Moin 00:57 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn 00:58 < lonel> hi 00:58 < lonel> any one around? 00:59 < lonel> looking for some one to test the ovpn setup i had here 00:59 < lonel> no burden of certificate based login 00:59 < lonel> just user/pass 01:11 -!- robert__ [n=hellspaw@r-butler.net] has quit [Client Quit] 01:18 -!- neeku [n=neeku@89.165.69.15] has joined ##openvpn 01:31 -!- neeku_ [n=neeku@89.165.65.9] has joined ##openvpn 01:39 < neeku_> hi 01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:40 < neeku_> i want to use openvpn as a client, so that i can connect to a specified server. what should i do in suse 11.1 for this? 01:40 -!- neeku [n=neeku@89.165.69.15] has quit [Nick collision from services.] 01:40 -!- neeku_ is now known as neeku 01:42 < dazo> neeku: First a really dumb question - You do know you need openvpn on both sides? One on your client side and one on your network/server you want to connect to 01:44 < neeku> dazo: i'm not an expert. 
in windows i just created a connection, a vpn connection to do this, but in linux i don't know how to do that 01:44 < dazo> neeku: aha ... so you already got a working connection in Windows, is that correctly understood? 01:44 < neeku> dazo: the server is a vpn one and i have the IP and username and password to connect to that 01:45 < dazo> neeku: and you used OpenVPN in Windows as well? 01:45 < neeku> dazo: no, because i could do it just with creating a connection from the network manager 01:45 < dazo> openvpn clients will only work against openvpn servers 01:46 < dazo> neeku: usually you need more than just a username/pwd and IP to get openvpn working ... you usually need some kind of static encryption key and/or SSL certificates in addition to config 01:47 < dazo> neeku: what kind of VPN server are you connecting to? 01:47 < neeku> dazo: well... then let me ask another question. i've got a VPN account (as i mentioned the username , password and the IP). now what should i do in order to connect to that? 01:47 < neeku> dazo: um... i don't really know! just use it to change the IP 01:48 < dazo> neeku: well, I need to know what kind of VPN server you are connecting to ... because if the server you are connecting to is not an OpenVPN server .... the openvpn client will not work, that's guaranteed 01:49 < neeku> oh... 01:49 < dazo> neeku: but if you did create a connection in Windows without installing any programs, just doing network setup with VPN ... I'm guessing you'll need to use the PPTP protocol .... and there are some other Linux clients (which I don't know much about) which supports the PPTP protocol .... 01:49 < neeku> then i should ask this from my friend. i really can't understand these VPN issues... :-S 01:50 < neeku> dazo: don't you know the names? 01:50 < dazo> neeku: http://pptpclient.sourceforge.net/ ... 
this is a simple PPTP client which I would guess is available via the Yast2 software install 01:50 < vpnHelper> Title: PPTP Client (at pptpclient.sourceforge.net) 01:52 < neeku> thanks dazo :) i hope i can do this 01:53 < dazo> neeku: I don't know much about PPTP ... I've tried it once ... and that was 4-5 years ago ... PPTP is not as good or secure as openvpn, and I've been controlling both server and client side, so I could therefor decide what I wanted to use ... but if you only are a client user, go ahead and try this, it might work for you then :) 01:53 < reiffert> neeku: in Windows, did you choose "Automatic", "L2TP" or "PPTP"? 01:54 * dazo didn't think about IPsec ... doesn't that also require certificates to be installed? 01:54 < neeku> reiffert: let me check it in vbox and tell you 01:54 < neeku> i think automatic 01:55 * neeku is checking... 01:57 < neeku> reiffert: there's no such a thing. i go to new connection creation part, then create a VPN account, i enter the IP and then the username and password. that's it! 01:57 < neeku> oh yes, that's automatic in ptions tab i checked reiffert 01:58 < dazo> sounds like pptp to me ... but I can be pretty much wrong 01:59 < neeku> ok, then let me confirm it with my friend tonight and then come back here 02:05 < dazo> neeku: well, you can try to install pptpclient in your SuSE distro and try to configure it ... if it works, it'll work most probably almost out of the box immediately 02:06 < dazo> neeku: which suse version are you running? 02:06 < neeku> hmm... ok, i'll try that 02:06 < neeku> 11.1 02:08 < dazo> neeku: http://www.l4l.be/docs/server/network/pptpclient.php (in Dutch, but you might manage to catch the different commands being run here and see the screen shots) 02:08 < vpnHelper> Title: PPtP client onder OpenSUSE 11.1 (at www.l4l.be) 02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:09 < dazo> neeku: even better ... 
google translated: http://translate.google.cz/translate?hl=en&sl=nl&u=http://www.l4l.be/docs/server/network/pptpclient.php&sa=X&oi=translate&resnum=10&ct=result&prev=/search%3Fq%3Dpptpclient%2Bopensuse%2B11.1%26num%3D100%26hl%3Den%26sa%3DG 02:09 < vpnHelper> Title: Translated version of http://www.l4l.be/docs/server/network/pptpclient.php (at translate.google.cz) 02:09 < neeku> oh thanks a lot dazo :) 02:09 < dazo> what you can't find on google isn't worth finding ;-) 02:42 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 02:42 < joelsolanki> Hi friends 02:42 < joelsolanki> i have a running vpn server. and clients are also connecting. 02:42 < joelsolanki> but on one machine which is out of my physical and remote reach is creating problem. 02:43 < joelsolanki> it says TLS Error: TLS object -> incoming plaintext read error on the client machine. 02:43 < joelsolanki> the same vpn clients files is working on my test linux machine which any problem. it is connecting vpn server 02:43 < joelsolanki> what could be the problem ? 02:43 < joelsolanki> unfortunately i dont have physical or remote access to this machine:( 02:45 < joelsolanki> any hints plz 02:46 < joelsolanki> on server side it give below message 02:46 < joelsolanki> Jan 21 08:49:27 lake ovpn-lake[29693]: 59.180.149.206:50707 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity 02:48 -!- jrk [n=jrk@unaffiliated/jrk] has left ##openvpn [] 02:51 < joelsolanki> anybody please ? 
02:51 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:55 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
04:34 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
04:37 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:48 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
05:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
05:47 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:54 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:03 -!- neeku [n=neeku@89.165.65.9] has quit [Read error: 104 (Connection reset by peer)]
06:05 < MMN-o> dazo: Regarding my problem yesterday. 'redirect-gateway def1' on gurk enables through-VPN service routing, but disables anything incoming from the LAN
06:06 < MMN-o> dazo: While 'redirect-gateway' only on gurk acts the same as before but also kills existing connections (of course)
06:07 < MMN-o> dazo: And leaving it out altogether simply leaves me with (what I suspect) trying to route the intra-VPN connection through my default (LAN) gateway on gurk.
06:08 < MMN-o> Just mentioning that it's probably not the existing iptables rules at least. However, maybe that's what I have to use to have both VPN and LAN services enabled, or a smart 'route' line.
06:09 < MMN-o> Though I'll most likely be off for the rest of today.
06:11 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
06:11 < dazo> MMN-o: hmmm ... have you also looked into the use of iroute? ... that might be what you need as well
06:12 < dazo> instead of a route option to the client
06:12 < dazo> IIRC ... krzee knows much more about such routing issues
06:26 < MMN-o> I thought iroute was to specify which subnets a client routes to.
06:26 < MMN-o> But perhaps 'iroute [gurk LAN]' and then have the gateway --to-destination [gurk LAN IP]?
06:26 < MMN-o> Hm, I'll look into it and experiment.
06:28 < dazo> MMN-o: you are right ... and I might not have the complete overview over your network setup .... this might be my problem now
07:20 < ecrist> good morning, bitches
07:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:05 -!- MMN-o [n=mmn@barjack.com] has quit ["leaving"]
08:05 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
09:00 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:00 < nadley_> hi
09:01 < nadley_> I would like to know how to connect multiple clients to a vpn server with a shared static key
09:02 < nadley_> actually I can connect 1 client to the vpn server
09:02 < nadley_> but If i want to connect another client I can
09:03 < nadley_> can't
09:08 < dazo> nadley_: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html ... this should get you started
09:08 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
09:19 < nadley_> dazo: thx for the link but I have used it and it explains just how to connect 1 client to the server
09:19 < nadley_> I don't know how to configure the server to allow multiple connections
09:21 < dazo> nadley_: that's easy .... replace the ifconfig in the server config with ifconfig-pool .... and remove the ifconfig from the client config ... that should be all
09:22 < nadley_> oki oki
09:22 < nadley_> thanks
09:22 < dazo> nadley_: np!
09:22 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:23 < nadley_> just for precision : in client config i have to add "pull" ?
09:23 < dazo> nadley_: no, not at all nothing at all ... just take away the ifconfig line
09:24 < nadley_> oki thx
09:24 < dazo> nadley_: the client will then get the IP automatically from the openvpn server
09:24 < nadley_> oki I try it now
09:24 < dazo> nadley_: On second thought .... you will still need the ifconfig in the server config as well ... my fault
09:25 < nadley_> could you give me an example please
09:25 < nadley_> because I'm a little bit lost now
09:26 < dazo> nadley_: ifconfig 10.8.0.1 255.255.255.0
09:26 < dazo> nadley_: ifconfig-pool 10.8.0.10 10.8.0.100 255.255.255.0
09:26 < dazo> nadley_: as an example for your server config
09:27 < nadley_> oki thx
09:28 < dazo> np
09:28 -!- Toinou_ [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
09:29 < ecrist> dazo: you plan on hanging out in this chan often?
09:30 < dazo> ecrist: it's not carved into stone .... but I see no reason why not to hang out here, not at least as long as I'm actively developing eurephia
09:30 < dazo> ecrist: am I too noisy? ;-)
09:30 < ecrist> pm?
09:33 < nadley_> dazo: when I do the modification and restart the server it failed
09:34 < dazo> nadley_: can you add verb 4 to your config and have a look here? And then maybe put the log data to pastebin?
09:34 < dazo> !pastebin
09:34 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:36 < nadley_> dazo : I can't pastebin but I have looked in the log file and the error is : ifconfig-pool require mode server
09:37 < nadley_> but when I add mode server another error occurs : " mode server require tls"
09:37 < dazo> nadley_: ahh ... sorry .... just add that into your server config .... mode server
09:37 * dazo is surprised ....
09:37 < dazo> nadley_: I honestly thought it was possible to configure server mode without tls ....
09:37 < nadley_> I hope so
09:38 < ecrist> I don't believe it is possible.
09:39 < dazo> nadley_: I'm sorry, but I think you then need to bite into the TLS apple :(
09:39 < dazo> nadley_: it's not that hard .... and ecrist / krzee have this perl script called ssl-admin which can help you out doing that more easily
09:40 < nadley_> is it just a tls key or with a certificate ?
09:41 < ecrist> nadley_: see http://openvpn.net/archive/openvpn-users/2006-11/msg00030.html for more information
09:41 < vpnHelper> Title: [Openvpn-users] static key mini howto works, but client/server doesn't. version 2.0.9 (at openvpn.net)
09:41 < dazo> nadley_: you'll need 3 files .... a CA certificate, a server key and a server certificate .... the server certificate must be signed by the same CA which signed the CA certificate
09:42 < nadley_> and with a shared key there is no other solution
09:44 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has joined ##openvpn
09:45 < dazo> nadley_: nope, seems so :(
09:46 < nadley_> oki so what I have to do ?
09:51 < dazo> ecrist: is ssl-admin available as a package for download?
09:52 < nadley_> dazo: with a tls server each client needs his own certificate and key ?
09:53 < dazo> nadley_: for the best security, yes ... but it's not a must ... you can use the same certs and key files on all clients
09:53 < dazo> nadley_: it basically runs down to the wanted security level you want
09:54 < ecrist> dazo, not at this time. I don't have any linux systems to test/build packages.
09:54 < dazo> ecrist: pity ... okey ... then entering SVN mode :-P
09:55 < nadley_> oki dazo i'll test it
09:55 < dazo> nadley_: you'll need SVN installed now .... and then you can run: svn co https://www.secure-computing.net/svn
09:55 < vpnHelper> Title: svn - Revision 38: / (at www.secure-computing.net)
09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:00 < ecrist> dazo, it is in freebsd ports tree
10:01 < dazo> ecrist: hmm ... didn't know ... I'm Linux :-P .... and I believe nadley_ is too?
10:01 < ecrist> yeah, i'll work on it
10:02 < dazo> ecrist: too bad it wasn't just to copy ssl-admin out into bin ... bec of the sed'ing
10:03 < dazo> ecrist: there's a typo in the Makefile ..... SEDCMD -> $SEDCMD ?
10:06 < ecrist> lemme look into it, but I don't think so.
10:06 < ecrist> a lot of what's in svn right now is setup for programmatic builds
10:06 < ecrist> dazo: Makefile in the root?
10:07 * dazo double checks
10:07 < dazo> ecrist: yes
10:10 < dazo> ecrist: there are some more issues as well :-P
10:11 < dazo> nadley_: The good util ssl-admin .... is not in the very best shape right now unfortunately ....
10:12 < ecrist> dazo: it's in great shape, just needs to be configured for linux
10:12 < nadley_> dazo: I'm using the tools included with openvpn
10:13 < dazo> ecrist: you'll need to check in this fix ;-) http://pastebin.com/d55f92f02
10:15 < ecrist> dazo: a bit embarrassing, but svn isn't always current. that fix is already due to be committed.
10:15 < dazo> ecrist: :)
10:15 < ecrist> done.
10:16 < ecrist> re: Makefile - you're seeing an artifact from the FreeBSD ports build process, which hasn't cleanly been merged with our attempts at making the install process more linux friendly.
10:16 < ecrist> a lot of big changes coming for ssl-admin in the next couple weeks.
10:17 < ecrist> I'm going to 1) build a tarball which can be configured, made, and make installed on linux systems
10:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:18 < ecrist> depend management is where I'm uncertain, so I'm going to simply look for perl, and look in common places for the Crypt:SSLeay library.
10:18 < ecrist> not using SSLeay yet, but that's the second big change. getting rid of all the backticks and system() calls, in favor of better perl built-ins
10:19 < ecrist> so, now that I'm at 1.0.1, I'm working on cleaning things up for install, will still be 1.0.x, and 1.1 is going to eliminate those other nasties
10:20 < dazo> ecrist: I oversaw the ./configure script ... when I ran that ... it was very fine!
10:20 < ecrist> that's all krzee's handy work.
10:20 < dazo> heh :)
10:20 < ecrist> oh, last I heard, gentoo was working on a package for ssl-admin, too
10:20 < ecrist> be back in a while
10:20 < dazo> yeah, I've heard that ... I'd love that, as my servers are Gentoo based
10:21 * dazo needs to go shopping and then home .... might get online a little bit later
10:38 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn
10:40 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Client Quit]
10:59 < plaerzen> morning folks
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:24 < nadley_> dazo: I have configured my openvpn server to use TLS but when I connect another client it disconnects the other
11:47 -!- NK` [i=niko@minithins.net] has joined ##openvpn
11:47 < NK`> hi
11:47 < NK`> is it possible to have several clients using the same crt ?
11:54 < cpm> think about it.
11:54 < cpm> in other words, sure, kinda defeats the purpose, but you can, just not at the same time.
11:55 < cpm> certificates identify hosts
11:55 < cpm> that's their job.
11:55 < cpm> folks do it though, or at least, that's what I've read.
12:00 < NK`> ok fine that's the answer I'd like to hear :)
12:08 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:35 -!- ikevin_ [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
12:46 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn
12:50 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has joined ##openvpn
12:50 < ozirus> is it possible to limit openvpn connection with a time period? i'm trying to integrate openvpn into a reservation system. people will book the remote 'lan' and vpn to it. vpn disconnects when time exceeds
12:52 -!- ozirus1 [n=caliskan@81.214.150.105] has joined ##openvpn
12:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:02 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:04 -!- ozirus7 [n=caliskan@81.214.150.105] has left ##openvpn []
13:05 -!- ozirus7 [n=caliskan@81.214.150.105] has joined ##openvpn
13:10 -!- ozirus7 [n=caliskan@81.214.150.105] has quit []
13:13 * plaerzen just got a new server.
13:13 * plaerzen dances.
14:03 < ecrist> plaerzen: gratz
14:07 < plaerzen> ah, thanks.
14:12 < ecrist> what kind of server, and for what?
14:15 < plaerzen> hp DL380: 1(2)P quad core 2.66 ghz, 4(8)dimm 6 gb, 3x72G 15k sas raid 5, 4 gig-e ports - windows 2008 server and communigate groupware
14:16 < plaerzen> esx server with 1 initial guest vm (for win2k8 server)
14:16 < ecrist> sweet
14:17 < ecrist> ozirus1: yes, simply build an SSL certificate, which will expire at the time required, and write a script which checks for connected clients and reboots them at their expiry
14:18 < plaerzen> yeah, it's a cool little machine. downloading esx server right now.
14:23 < ecrist> we got a new server back in November for our backups. I love that box.
14:24 < ecrist> uber fast, lots of storage
14:34 < ecrist> plaerzen: you prefer HP to Dell?
14:34 < plaerzen> So far, it seems ok. All our other servers are dell and they seem meh.
14:34 < ecrist> meh?
14:34 < plaerzen> One of them even randomly pops a drive out of raid on reboot
14:35 < ecrist> weird
14:35 < plaerzen> They're OK. But we haven't run this hp server yet. The front panel is more informative, that's for sure.
14:35 < ecrist> I've got lots of Dell, love them. We explored HP for this last purchase, but their online pricing sucks, so I didn't bother.
14:35 < plaerzen> We just have a vendor we use.
14:36 < ecrist> ah
14:36 < plaerzen> I call them and say "Get us a quote on a HP DL380 with the following specs - blah blah - But use your judgement, if something has a better price point, get that instead"
14:36 < plaerzen> And we get decent deals.
14:53 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
15:36 -!- Toinou [n=Toinou@roo49-1-82-245-55-94.fbx.proxad.net] has quit ["Quitte"]
15:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:45 -!- ozirus1 [n=caliskan@81.214.150.105] has quit []
16:45 -!- ozirus [n=caliskan@81.214.150.105] has quit []
16:52 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has left ##openvpn []
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
16:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:05 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has joined ##openvpn
17:10 < SanityInAnarchy> It typically takes anywhere from 10 to 30 minutes to establish a connection. Usually hangs after "Initial packet from ", then retries after tls-timeout, until I get lucky and it works.
17:11 < SanityInAnarchy> What settings should I look at? I know this particular network is slow and unreliable, however, this is the norm, even over very fast connections.
17:13 < krzie> check out #2
17:13 < krzie> !mtutest
17:13 < vpnHelper> krzie: Error: "mtutest" is not a valid command.
17:13 < krzie> err
17:13 < krzie> !mtu
17:13 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
17:14 < SanityInAnarchy> MTU on which interface? I know the VPN itself is using 1500.
17:16 < SanityInAnarchy> I'm not on Windows.
17:16 < krzie> #2
17:16 < krzie> (#2)
17:16 < krzie> you can just use --mtu-test on the client as well
17:17 < SanityInAnarchy> If this is the issue, would the actual connection be slower?
17:18 < krzie> wanna argue or test it?
17:18 < krzie> seems like a waste of time to talk about it instead of trying it
17:18 < SanityInAnarchy> No, I want to understand it.
17:18 < krzie> well test it, then understand based on results of test
17:19 < krzie> im not saying it IS your problem
17:19 < krzie> im saying test it
17:19 < krzie> and since testing it requires 1 line addition to 1 config, i dont see why you wouldnt
17:20 < SanityInAnarchy> Probably worth testing anyway -- I just found something
17:20 < SanityInAnarchy> I'd set tls-timeout absurdly high.
17:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 < SanityInAnarchy> Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
17:26 < krzie> ok so thats good
17:26 < krzie> did the thing you found help you?
17:26 < krzie> if not,
17:26 < krzie> !configs
17:26 < SanityInAnarchy> Yes.
17:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:26 < krzie> oh ok cool
17:26 < SanityInAnarchy> I had tls-timeout 120
17:26 < SanityInAnarchy> I'm not really sure what I was thinking
17:27 < SanityInAnarchy> The MTU test looks useful, though. Is the idea that the tunnel MTU should be <= the actual MTU?
17:34 < krzie> its for settings internal to openvpn
17:35 < krzie> --mtu / --fragment stuff
17:35 < krzie> but with yours dont adjust that
17:35 < SanityInAnarchy> Ah.
17:35 < krzie> becomes useful over ppp / sat links and whatnot
17:35 < SanityInAnarchy> That's probably why I had this setting, actually -- I had borrowed a satellite connection
17:36 < krzie> i dont think the tls-timeout woulda helped much on the sat connection, mtu and frag woulda prolly been more useful
17:36 < krzie> but *think* is the main word there
17:38 < SanityInAnarchy> Well, I think the idea was that 2 seconds was nowhere near enough time to complete the tls auth
17:38 < SanityInAnarchy> Nor the default 60 seconds enough time for the handshake
17:38 < SanityInAnarchy> In both cases, it worked, more or less, once I had a connection
17:41 < krzie> well the important part is problem solved ;]
17:43 < SanityInAnarchy> Yep. Actually switched over to it already...
17:43 < SanityInAnarchy> I like to run a screen'd irssi on the server
17:48 -!- SanityInAnarchy [n=Sanity@76-76-225-199.lisco.net] has quit ["leaving"]
18:03 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has joined ##openvpn
18:34 -!- nadley_ [n=nadley@roo49-1-82-245-55-94.fbx.proxad.net] has quit [Remote closed the connection]
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: troy-, pa, dazo, ebf0, jpalmer, kaii
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: smk, dogmeat, Bushmills
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: intralanman, krzie, vpnHelper, cyberjames, Pagautas, tarbo2, ikevin, o[80, trifler
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, tomfmason, worch, thewolf, eliasp, kala, reiffert, (+4 more, use /NETSPLIT to show all of them)
18:49 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: MMN-o, justdave, disco-, disposable, Typone, lonel, krzee
18:50 -!- Netsplit over, joins: smk
18:50 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:50 -!- Netsplit over, joins: troy-, MMN-o, krzee, disco-
18:51 -!- Netsplit over, joins: dazo, ebf0, pa
18:51 -!- Netsplit over, joins: kaii, reiffert
18:51 -!- Netsplit over, joins: intralanman, vpnHelper, ikevin, Bushmills, fbond, o[80, tomfmason, eliasp, cyberjames, tarbo2 (+10 more)
18:51 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
18:51 -!- Netsplit over, joins: lilalinux, kala
18:51 -!- Netsplit over, joins: disposable
18:53 < reiffert> Wow, I was on ##openvpn when not being identified to the nickservice...
18:55 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn
18:59 -!- lonel [i=r0ny@203.206.208.204] has joined ##openvpn
18:59 < Bushmills> 'morning reiffert
19:00 < reiffert> hello Bushmills !
19:05 < ecrist> good evening, bitches
19:06 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
19:20 < dvl> openvpn++
19:24 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
19:24 < test> is there a way to have a different cipher for clients?
19:24 < test> client1 has blowfish, client2 is cipher none?
19:36 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
19:39 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit [Client Quit]
19:39 < dvl> test: well, where is cipher chosen?
19:42 < krzee> i dont think its possible
19:43 < krzee> but --client-config-dir shows that --config can be used in a ccd entry
19:43 < krzee> so thats your only chance, to have a separate config to include for diff clients, not use --cipher in server.conf, and use --cipher in the --config file thats in the ccd entry
19:44 < krzee> never tried it, if you make it work report that back
19:46 < test> cipher doesn't work in the client directive
19:46 < test> bummer
19:49 < dvl> ouch
19:51 < lonel> hi
19:59 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
20:15 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit []
20:41 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"]
20:47 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has joined ##openvpn
20:48 < NBrepresent> hey, how can i tell whether a connection from the openvpn cli client to the server is successful? I'm trying to ping boxes on my work network but not getting anything. The status messages after I ran the command to connect all sounded pretty positive... " Initialization Sequence Completed" etc.
20:49 < dvl> NBrepresent: follow the logs
20:50 < NBrepresent> where is the logs dir? i looked in /etc/openvpn
20:51 < dvl> on decent systems, /var/log
20:52 < NBrepresent> no openvpn log in /var/log
20:57 < krzee> i didnt say in the ccd file
20:57 < krzee> i said in the included --config that you put in the ccd entry
20:58 < krzee> but prolly same deal
20:59 -!- lonel [i=r0ny@203.206.208.204] has left ##openvpn []
21:03 < NBrepresent> It looks like this is the problem: http://paste2.org/p/133706 . Permissions?
21:29 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has joined ##openvpn
21:30 < phobik> i'm having trouble on my openvpn 2.0 setup that when connecting as a client from windows my route works fine but when using linux or mac my servers do not know how to route back to my client machine
21:43 -!- intralanman [n=lanman@99-196-39-200.cust.wildblue.net] has quit ["You call it ADD, I call it multitasking"]
21:49 -!- NBrepresent [n=perry@bas1-toronto09-1279621145.dsl.bell.ca] has left ##openvpn []
23:14 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:31 -!- thewolf is now known as ehtwolf
23:31 -!- ehtwolf is now known as thewolf
23:58 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
23:59 < mRCUTEO> hiya ecrist
--- Day changed Thu Jan 22 2009
00:05 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:26 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:01 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
01:17 -!- nsar [n=nsar@121.1.18.241] has joined ##openvpn
01:18 < nsar> hello
01:18 < nsar> what do you mean We prefer to help those who help themselves?
01:18 < nsar> to help my self?
01:24 < krzee> like when someone says "hey read this"
01:25 < krzee> then 2 minutes later you ask another question that was clearly explained in the link you were given
01:25 < krzee> thats a good example of not helping yourself
01:26 < nsar> ok
01:27 < nsar> what i want to ask is that the provider had closed completely access as a server to my machine if i put for example an ftp server nobody will be able to reach it so the solution is as a client to connect to openvpn server ?
01:29 -!- luck00 [n=luck00@86.122.10.202] has joined ##openvpn
01:30 < krzee> if you can reach the openvpn server, you can default route over the vpn server to reach anything the vpn server can
01:30 < krzee> but the vpn server will need to NAT the internal vpn ips to its external ip
01:30 < krzee> using iptables or whatever your OS uses
01:33 < luck00> hi all
01:33 < luck00> i have a little problem
01:33 < luck00> i try to make a vpn tunnel site to site over two routers
01:34 < luck00> on one router i have vpn ip-s 10.8.0.1 10.8.0.2 and on the other one 10.8.0.6 10.8.0.5
01:34 < luck00> is that ok?
01:35 < luck00> or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:35 < luck00> i can ping computers behind server but cannot ping computers behind client
01:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:41 -!- o[80 is now known as oc80z
01:43 < nsar> luck00 did you setup the route correctly ?
01:44 < luck00> i have ping over peer to peer connection on both ways
01:44 < luck00> so the tunnel it is ok
01:44 < nsar> me i had this problem and somehow i solve it with routing software
01:44 < luck00> i think the problem it is on the server
01:45 < luck00> the packets are not routed right
01:45 < nsar> pass a route thru a point-to-point connection /32 mask?
01:46 < nsar> linux is the os?
01:47 < nsar> sorry on the clients what is the os?
01:49 < krzee> [03:39] or i need 10.8.0.1 10.8.0.2 and on the other one 10.8.0.2 10.8.0.1
01:49 < krzee> correct
01:49 < krzee> [03:39] i can ping computers behind server but cannot ping computers behind client
01:49 < krzee> either ipforwarding or firewall
01:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:50 < luck00> linux on both sides
02:08 < reiffert> Moin
02:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:23 -!- nsar [n=nsar@121.1.18.241] has left ##openvpn []
02:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:45 < lolipop> !route
02:45 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:46 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
02:46 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has joined ##openvpn
02:49 < ykut_johny> hi
02:50 < ykut_johny> having problem to establish connection from this scenario pcA(10.0.9.1)->openvpn-clientA(10.99.99.10) --->openvpn-server(10.99.99.1)---pcB(10.0.7.5). pcA can ping pcB, but pcB can't ping pcA.
02:52 < lolipop> !route
02:52 < vpnHelper> lolipop: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:00 < ykut_johny> lolipop: indeed i read it before..
03:01 < lolipop> lol.....i just want to get the url.... sorry
03:01 < ykut_johny> lolipop: i have configured my ccd/myclient1 (on openvpn server ) to have iroute ..
03:01 < ykut_johny> lolipop: no worries man..:)
03:02 < lolipop> u ping by using eth0 ip or tap or tun ip ?
03:02 < ykut_johny> lolipop: it used to work this morning, and i just changed the server vpn to client-vpn by just copying the whole config from server vpn..and somehow, it's not working..:(...
03:03 < lolipop> check firewall ?
03:03 < lolipop> maybe ur firewall is blocking ur ICMP request
03:03 < ykut_johny> lolipop: i did check firewall..and on pf i pass in/out all for tun0..and nothing about block rules
03:04 < lolipop> now ur openvpn-server cant ping openvpn client?
03:04 < lolipop> but they r connected?
03:05 < ykut_johny> lolipop: if from pcA i can ping to pcB..so firewall is not blocking any icmp...:)
03:05 < ykut_johny> lolipop: seems like openvpn server didn't know how to forward the traffic back
03:05 < lolipop> when pcB pings pcA, firewall on pcA might block :P
03:05 < lolipop> oh
03:06 < lolipop> u r trying to ping the lan behind openvpn server?
03:06 < ykut_johny> lolipop: yupe...openvpn-server can't ping openvpn client..
03:06 < ykut_johny> lolipop: from openvpn client to openvpn server it is just working
03:06 < ykut_johny> lolipop: i'm suspecting something to do with routing table on openvpn's server..but didnt have any clues..
03:07 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: kaii
03:07 < ykut_johny> lolipop: from client behind openvpn client, i managed to ping client behind openvpn server...
03:07 -!- Netsplit over, joins: kaii
03:08 < lolipop> oh, i'm not pro in openvpn, but maybe u can show me your config
03:10 < ykut_johny> lolipop: but, from openvpn server i just can't ping client behind openvpn client
03:10 < ykut_johny> lolipop: which config do you want.?..server eh..?
03:20 < dazo> ykut_johny: you most probably need to have a look at the "iroute" statement .... please read this link _carefully_
03:20 < dazo> !route
03:20 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:21 < dazo> ykut_johny: you will find more info about iroute here ... and in the man pages of openvpn
03:21 < ykut_johny> dazo: indeed...the iroute was configured correctly..
03:21 < ykut_johny> dazo: i was reading it before...:)..and thanks for the pointer.:)
03:22 < dazo> ykut_johny: what kind of OS is on the client? Firewall allows traffic in that direction?
03:22 < ykut_johny> openbsd 3.9 for openvpn server and openbsd 4.2 for openvpn client
03:22 < ykut_johny> and firewall is PF for both ends
03:23 < dazo> ykut_johny: okey ... I'm not familiar with *bsd ... but I believe ecrist and krzee know much more about that platform
03:23 * dazo is Linux user
03:24 < ykut_johny> dazo: :)..kewl
03:24 < dazo> ykut_johny: just a few checks .... can you ping the VPN interface on the client from your server? And if yes, can you ping the eth interface on the client from the server?
03:25 < ykut_johny> dazo: i can see traffic is coming from siteA to siteB on openvpn server machine..but i notice that openvpn server didn't know how to forward the packet to siteB
03:26 < dazo> ykut_johny: sounds like you're also missing a route on the server side then .... do you have a "normal" route defining the clients network on your VPN server?
03:27 < ykut_johny> dazo: yes..since from siteA to openvpn server i got reply from openvpn server
03:28 < dazo> ykut_johny: I'm suggesting this the other way around .... that you are on the server .... and try to ping the client ... to see if the packages get lost or come back
03:29 < dazo> ykut_johny: have you tried tcpdump on the client (siteB, afaiu) ... to see if the ping traffic goes back to the VPN tunnel?
03:29 < dazo> tcpdump -n -i
03:33 < ykut_johny> dazo: nothing..
03:33 < dazo> ykut_johny: you did not see any traffic whatsoever on the client when pinging it from the server?
03:34 < ykut_johny> dazo: seems like openvpn server didn't know how to forward the traffic...
03:34 < dazo> ykut_johny: check the routing table on the server .... I'm sure it's just a minor mistake in the routing on the server side
03:34 < ykut_johny> dazo: but if i ping the ip addresses given by vpn network , it reached the client
03:35 < dazo> ykut_johny: that means that the server knows the route for the VPN tunnel .... but not the clients network behind the VPN tunnel
03:35 < ykut_johny> dazo: seems like it...
03:37 < dazo> ykut_johny: I'm pretty sure it's in either the routing or firewall rules on the server ... those are usually the biggest bummers which are easy to commit ... if struggling, please pastebin your configs and routing table .... it'll be easier to look at it then
03:38 < ykut_johny> dazo: indeed..i'm thinking maybe some routing or my dumbass skill on firewalling is the issue..:)
03:39 < dazo> ykut_johny: is it an option for you to take down/turn off/open up completely the firewalling for a few minutes and try the ping test again?
03:40 < dazo> just to get an indication if it is a firewall and/or routing issue
03:40 < ykut_johny> dazo: yeah..will try to..:).but prefer not to for now..:)
03:40 < dazo> np! :)
03:41 < lolipop> last time my case was cant ping from lan behind client to lan behind server, but i used NAT masquerade to solve it
03:41 < lolipop> kakaka
03:42 -!- luck00 [n=luck00@86.122.10.202] has quit ["Leaving"]
03:43 < ykut_johny> lolipop: hehe..:D..
04:00 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has joined ##openvpn
04:06 -!- ikevin [n=kevin@ANancy-256-1-68-250.w90-26.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)]
04:09 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
04:36 < ykut_johny> MULTI: bad source address from client [10.0.11.102], packet dropped ...other than a problem with iroute, what are the other possibilities that can cause this problem..?
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
04:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:08 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has joined ##openvpn
05:11 < _markh_> I'm setting up a VPN server. How can I get the server to allow some 'clients' to connect using certificates only and others to require certificates AND a user password. I know how to do both but not how to specify for each client. I've tried placing the line
05:11 < _markh_> plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
05:11 < _markh_> in /etc/ccd/openvpn/mark (where 'mark' is the name of the user's pv) but it seems to be ignored...
05:13 < dazo> _markh_: I don't think this is possible ... you'll need to have two different openvpn processes running with a different config file and ports
05:15 < _markh_> dazo: I'd already figured that was a solution, but it adds complexity because of ipaddresses/routes etc.
05:17 < dazo> _markh_: yeah, I know ... but I haven't seen anything in the config docs that it is possible to have different authentication schemes for user connections
05:17 < dazo> :(
05:19 < _markh_> Shame because I have a couple of servers that need to connect, plus a bunch of users. The users will auth using one time passwords but the servers can't ... :(
05:19 < _markh_> Oh well...
05:41 -!- NK` [i=niko@minithins.net] has left ##openvpn []
05:59 < krzee> [05:38] dazo: but if i ping the ip addresses given by vpn network , it reached to the client
05:59 < krzee> just realized
05:59 < krzee> thats right
05:59 < krzee> actually wait, i may be wrong
05:59 < krzee> was thinking it could have to do with it being ptp
05:59 < krzee> but im not sure
05:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:02 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:02 < joelsolanki> Hi all.
06:03 < joelsolanki> i have setup vpn on windows xp. and enabled the ipenablerouter to 1 with regedit in winxp
06:04 < joelsolanki> but i am not able to access the lan.
06:04 < joelsolanki> any hints plz ?
06:04 < joelsolanki> this configuration was working but the change is of just a vpn server hardware thats it.
06:05 < joelsolanki> problem is xp is not forwarding it.
06:11 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
06:13 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:32 < dazo> krzie: yeah, the whole ptp thing confuses me ... because his end-points on both sides had completely different IP addresses (.1/.2 on server and .9/.10 on client) ... and server could ping client end point and vice versa ...
06:53 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:53 < joelsolanki> !route
06:53 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:04 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:06 < joelsolanki> !configs
07:06 < vpnHelper> joelsolanki: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:06 < joelsolanki> Hi all. i have below config
07:07 < joelsolanki> winxp-vpnclient --> openvpn-server ---> lan
07:07 < joelsolanki> i want to have winxp communicate with my lan.
07:08 < joelsolanki> so winxp(10.8.0.6) -> openvpn-server(10.8.0.1) --> lan ip range is 192.168.0.0/24
07:08 < joelsolanki> i read the http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
07:08 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
07:08 < joelsolanki> so i just need to add this line to openvpn server.conf push "route 192.168.1.0 255.255.255.0"
07:09 < joelsolanki> sorry " route 192.168.0.0 255.255.255.0 "
07:09 < joelsolanki> is this correct ?
07:09 < joelsolanki> that should do the trick ?
07:10 -!- Gray9Mar_ [i=surf___@gateway/tor/session] has joined ##openvpn
07:13 < joelsolanki> anybody please?
07:14 < ecrist> good morning, bitches
07:15 < Gray9Mar_> hi. i have lots of "ERROR: Random number generator cannot obtain entropy for PRNG" lines in my openvpn log. openvpn seems to work anyways. but shows no log lines except the prng error. does anyone have an idea whats wrong here?
07:15 < ecrist> joelsolanki: yes, that's correct.
07:15 < ecrist> ***BUT, you're probably going to run in to problems, if the LAN where the winxp system is uses the same IP range as the remote VPN LAN
07:16 < joelsolanki> ok cool. let me test it then :)
07:16 < ecrist> Gray9Mar_: what does google say about the error?
07:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
07:18 < Gray9Mar_> 4 links to crypto.c from openvpn source
07:18 < Gray9Mar_> which i don't understand
07:18 < ecrist> what version are you running?
07:19 < Gray9Mar_> OpenVPN 2.0.7 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 11 2008
07:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:19 < ecrist> ok, run something more current, first. 2.0.9 is out for 2.0, and 2.1 is up to RC15
07:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
07:22 < Gray9Mar_> k, will try that right now
07:22 < Gray9Mar_> btw i wonder why 2.0.7 is gentoo default
07:23 < ecrist> no idea
07:46 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
08:45 < dazo> Gray9Mar_: I'm running 2.1_rc15 without any problems on Gentoo
08:45 < dazo> that is - rc15 in production
08:46 < dazo> Gray9Mar_: I don't think Gentoo maintainers give openvpn too much love and care ..... or they are just too picky about getting things QAed first
08:47 * dazo might be able to dig up an openvpn-2.1_rc15 ebuild file .... if Gray9Mar_ is interested
08:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:08 < _markh_> I have two openvpn servers running on a host - one implementing 10.8.0.0/24 and the other 10.9.0.0/24 . How do I allow systems authenticated to 10.8.0.0 to communicate with systems authenticated to 10.9.0.0/24 ?
09:13 < MMN-o> I'd probably use "push route 10.8.0.0/24" (in server config) to the 10.9 net, and vice versa
09:13 < MMN-o> I'd also check:
09:13 < MMN-o> !route
09:13 < vpnHelper> MMN-o: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:14 < MMN-o> which cleared stuff up for me at least.
09:14 < ecrist> _markh_: you need to push the routing.
09:15 < MMN-o> _markh_: Syntax error on my push line, look up the quoting.
09:26 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has joined ##openvpn
09:27 < patrik> Hi, I'm having some trouble with my tun tunnel. client can ping server, server can ping client, but client cant ping computers on the servers subnet. ip_forward is set to 1.
09:28 < patrik> the subnet lan computers receive data from the vpn client but when they try to respond they get unreachable host.
09:30 < ecrist> !route
09:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:30 < ecrist> read that, patrik
09:30 < ecrist> your lan is missing the route to your vpn subnet
09:30 < patrik> ok, thanks
09:41 < patrik> ecrist: I have the client on the same subnet as the servers subnet, is this a bad thing? Since I only want to have one vpn client I didn't wanna make a complete subnet for it.
09:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:47 < ecrist> patrik: yes, it's bad
09:48 < patrik> ecrist: ok I'll put it on a separate subnet then
09:52 -!- phobik [n=phobik@cpe-76-186-113-30.tx.res.rr.com] has quit ["Leaving"]
09:58 < plaerzen> morning irc
10:11 < ecrist> heya plaerzen
10:20 < plaerzen> ecrist, So. Tell me a story?
10:20 < ecrist> o.O
10:22 < plaerzen> ok, fine.
10:48 -!- BoomSie [n=gideon@dw772421126.amsterdam-tc.dataweb.net] has quit [Remote closed the connection]
10:55 -!- mk101mx [n=mgarciav@148.233.37.38] has joined ##openvpn
10:56 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:10 < patrik> ecrist: Cool, I got it working, thanks!
11:11 < ecrist> no problem
11:11 -!- patrik [n=patrik@cust-IP-10.data.tre.se] has quit ["Ex-Chat"]
11:40 < _markh_> still struggling with the routing for 2 openvpn servers on my host implementing 10.1.0.0/24 and 10.2.0.0/24. I've pushed 10.1.0.0/24 onto the client that connects to 10.2.0.0/24 and vice-versa. the routing tables on the clients look good - http://pastebin.com/d5cfb0436. And the routing table on the server looks OK too - http://pastebin.com/m4309f153
11:40 < _markh_> Do I need to tell the server to link the two (I have client-to-client set). !route isn't quite discussing my scenario I think so I don't think I need iroutes ???
11:41 < dazo> _markh_: is the network on your server side accessing the network behind your openvpn client?
11:43 < _markh_> dazo: No
11:43 < _markh_> Just the openvpn client itself
11:43 < dazo> _markh_: then you are right, iroute is not needed .... and the client should be able to see both ways
11:44 < dazo> _markh_: are you using ptp (tun interface) or tap devices?
11:44 < _markh_> dazo: tun
11:45 * dazo wonders why everyone using tun ends up with routing issues .... ;-)
11:46 < dazo> _markh_: I'm not so strong at tun, unfortunately .... most of the networks I've setup have used tap ... but of course you'll need to choose what's right for you
11:46 * dazo needs to setup a test network with tun to get more experience here
11:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:47 < _markh_> dazo: but tap isn't so good for WANs I think as there's more traffic?
11:48 < _markh_> Summarizing I have A (10.1.0.6) <-> (10.1.0.1) OVPN (10.2.0.1) <-> B(10.2.0.6)
11:48 < _markh_> And I need A to talk to B
11:48 < dazo> _markh_: maybe ... I'm using it over GPRS without any big problems .... but true, I haven't tried tun yet
11:50 < _markh_> dazo: I'll enable some debugging and see what I can learn...
11:50 < dazo> _markh_: good luck :)
11:51 * dazo needs to go home and get some dinner
11:52 -!- rubydiam_ [n=rubydiam@123.236.183.184] has joined ##openvpn
11:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- rubydiam_ is now known as rubydiamond
12:05 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
12:06 < lclimber> hello guys, is there an existing stable project installing an openvpn client on a pda?
12:11 < lclimber> sorry, let me rephrase, is there an existing stable project for installing an openvpn client on a pda?
12:24 < _markh_> dazo: Needed the following
12:24 < _markh_> # echo 1 > /proc/sys/net/ipv4/ip_forward
12:24 < _markh_> # iptables -A FORWARD -i tun+ -j ACCEPT
12:24 < _markh_> # iptables -A INPUT -i tun+ -j ACCEPT
12:24 < _markh_> All in the HOWTO ... ;)
12:27 -!- rodpod [i=rod@hick.org] has joined ##openvpn
12:37 -!- rodpod [i=rod@hick.org] has quit [Success]
12:39 < reiffert> lclimber: to help you rephrase: Did anyone port openvpn for PDA which has the following Processor architecture:
12:39 < reiffert> lclimber: you may want to ask that on the mailinglists.
12:40 < lclimber> well thanx reiffert, i am looking on the mail archives
12:40 < reiffert> Looking is ok .. asking is better :)
12:43 < lclimber> you are right, i found some posts of people with the solution, thanx for your advice
12:58 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection]
13:28 -!- joelsolanki [i=joelsola@123.237.172.68] has joined ##openvpn
13:28 < joelsolanki> Hi friends
13:29 < ecrist> howdy
13:29 < joelsolanki> i have a working vpn server
13:29 < joelsolanki> :)
13:29 < ecrist> congrats
13:29 < joelsolanki> there are 2 clients connected to it.
13:29 < joelsolanki> i can ping client1(10.8.0.6) and client2(10.8.0.10) from vpn server
13:30 < joelsolanki> but client1 cant ping client2 and vice versa
13:30 < ecrist> in the server, add client-to-client
13:30 < joelsolanki> hmm. let me do that
13:36 < joelsolanki> that worked :)
13:36 < joelsolanki> tahnks ecrist
13:36 < joelsolanki> thanks
13:37 -!- joelsolanki [i=joelsola@123.237.172.68] has quit []
13:42 -!- mk101mx [n=mgarciav@148.233.37.38] has left ##openvpn []
13:54 -!- rubydiamond [n=rubydiam@123.236.183.184] has quit [Read error: 104 (Connection reset by peer)]
13:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:05 -!- int [n=quassel@wikia/int] has joined ##openvpn
14:09 -!- aar0n is now known as aar0n_
14:09 -!- aar0n_ is now known as aar0n_sleeping
14:32 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:54 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
15:54 < bigjohnto> how does openvpn know to give the same ip address to a specific user each time they log in? ipp.txt has different ip's for that user so i know its not ipp.txt
15:56 < bigjohnto> even though i have ifconfig-pool-persist on and it shows the file as ipp.txt
16:00 < ecrist> bigjohnto: ipp.txt, or client configs
16:01 < bigjohnto> nothing in the client side configs
16:01 < bigjohnto> and ipp.txt has a completely different ip than what i am getting
16:01 < ecrist> why does it matter?
16:01 < bigjohnto> ecrist just curious really, how it shows one thing in ipp.txt but gives something different
16:01 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
16:01 < ecrist> I'm guessing you have two clients connected with the same certificate
16:02 < bigjohnto> nope, each client has their own cert
16:02 < bigjohnto> and i for sure am using my own cert
16:02 < bigjohnto> my ip .15 ipp.txt shows .8
16:02 < bigjohnto> weird :)
16:05 < grendal_prime> I have an openvpn server setup works great..but i need for one box to connect with a static ip address. I was told that i can setup the client to just use a specific address when it connects...i cant find an example of a static ip client config though?
16:05 < ecrist> grendal_prime: there are lots of examples out there.
16:06 < ecrist> try the openvpn howto
16:06 < ecrist> !howto
16:06 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < grendal_prime> im looking at it now..
16:06 < ecrist> trust me, it's there.
16:06 * bigjohnto sees ipp.txt was last accessed with last vpn'd user but still wonders why ip's are wrong....
16:07 * ecrist goes out to shovel his driveway.
16:09 < grendal_prime> i still cant find anything
16:10 < ecrist> if I find it, can I ask a chan op to ban you?
16:12 < grendal_prime> ?
16:12 < grendal_prime> wtf
16:12 < grendal_prime> ?
16:12 < ecrist> ?
16:12 < grendal_prime> sure ask one...i mean i would hope they wouldnt do it..
16:12 < grendal_prime> now im afraid to ask anything.
16:13 < bigjohnto> ifconfig-push 10.8.2.1 10.8.2.2
16:13 < bigjohnto> i think
16:13 < ecrist> what you want is at http://openvpn.net/howto.html#policy
16:13 < grendal_prime> by the way ive looked for some time before i came here...
16:13 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:13 < bigjohnto> change to what you want
16:13 < grendal_prime> thats to push one from the server..
16:13 < bigjohnto> ah
16:13 < ecrist> grendal_prime: it's a bad idea to statically assign yourself an IP from the client side.
16:14 < ecrist> 1) your math will be off and you'll clobber the tunnel server endpoint, or similar
16:14 < ecrist> 2) the OpenVPN server may clobber you while assigning an IP to another client
16:15 < grendal_prime> hmm so i do need to push it from the server then.
16:15 * ecrist really goes and really shovels his driveway now.
16:15 < bigjohnto> or ipp.txt for that users cert
16:15 < bigjohnto> ecrist shouldn't that work?
16:16 < grendal_prime> well that was my other question can i just reserve an ip for a certain cert?
16:16 < bigjohnto> in ipp.txt
16:16 < bigjohnto> certname,ip
16:16 < bigjohnto> its "supposed" to work, but isn't for me anyways
16:17 < grendal_prime> well...thats for a disconnect...and reconnect i think...
16:17 < bigjohnto> grendal yea, but it still is completely wrong :)
16:18 < bigjohnto> for me that is
16:18 < grendal_prime> i mean...it seems to me that it does get the same ipaddress assigned..but my thinking is that is not written in stone, and i dont want there to be a problem
16:18 < grendal_prime> I just wish there was a reservation file somewhere.
16:22 < bigjohnto> & my ipp.txt for some reason has multiple ip's for the same cert "user"
16:22 < bigjohnto> how dumb
16:29 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
16:32 < grendal_prime> thats ok i just looked in mine...there is nothing listed in it
16:33 < grendal_prime> what does it normally look like...syntax wise... certname=10.8.0.5 something like that?
16:33 < ecrist> grendal_prime: I pointed you to the link in the howto
16:33 < grendal_prime> yes ecrist thank you
16:33 < ecrist> the reservation is with the client config
16:34 < bigjohnto> certname,10.8.0.5
16:34 < bigjohnto> ecrist, if i have bob,10.8.0.5 and on the next line bob,10.8.0.10 .... what would cause that?
16:35 < bigjohnto> openvpn service maintains the ipp.txt file
16:36 < ecrist> bigjohnto: see http://openvpn.net/howto.html#policy - the IPs you're assigning in ipp.txt don't line up with proper /30 subnets
16:36 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
16:36 < grendal_prime> i just thought it was odd that the ipp.txt file on my server...has nothing in it..and im pretty sure the server.conf specifies that it is to keep track of that info.. and yes im quite certain that there are clients connected
16:37 < grendal_prime> ecrist...there is no ccd dir on my openvpn installation, I can create that and point the server to that correct?
16:37 < ecrist> yes
16:38 < grendal_prime> and then i just create the files within there just the same way it is illustrated there..i dont have to worry about setting up iptables rules in my case..not that i can see anyway.
16:38 < grendal_prime> ill test it in the vm test enviro first..
16:49 -!- Plouj [n=Plouj@red.cs.yorku.ca] has joined ##openvpn
16:49 < Plouj> hi
16:50 < Plouj> can you guys recommend to me any easy to use and maintain Free/OpenSource Software storage+vpn complete "solutions"? I'm looking for something like opennas or freenas but with vpn manageability built in.
17:00 < grendal_prime> ya i keep getting assigned something else
17:00 < grendal_prime> following the #policy
17:01 < grendal_prime> well actually im following the config in the test server enviro that i have. It actually had some comments that explained how to do this (the production server didnt)
17:02 -!- Hyphenex [n=scott@203.219.38.207] has joined ##openvpn
17:02 < grendal_prime> but they match up with the howto.html file.. but i still cant get it to assign a specific ip address. Im using the common name of the client. I tried the cert name as well and got nothing with it.
17:02 < Hyphenex> Hey, is there a way to set up 'quota' limits for users?
17:02 < ecrist> for bandwidth?
17:06 < Hyphenex> yeah
17:06 < Hyphenex> say, if we were to create a VPN on a uni network for peeps on campus to join
17:06 < Hyphenex> but we don't want them stealing all our downloads
17:06 < Hyphenex> so we set up a 'quota'
17:06 < reiffert> Hyphenex: the manpage knows it all.
17:07 < reiffert> Hyphenex: for openvpn-2.1
17:09 < Hyphenex> reiffert: is that speed or amount limit?
17:11 < reiffert> Hyphenex: the very first 4 words explain it.
17:12 < Hyphenex> reiffert: I'm lost, where exactly am I looking?
17:13 < reiffert> Hyphenex: at a computer monitor, maybe a LCD.
17:13 < reiffert> !man
17:13 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:16 < Hyphenex> reiffert: yeah, I mean whereabouts in the manual
17:17 < dvl> Hyphenex: look for shaper
17:17 < reiffert> DOH!
17:17 < dvl> Hyphenex: FWIW, I searched for bandwidth
17:17 < reiffert> dvl: I was about to teach him that easy step, now you told him for nothing.
17:17 < dvl> reiffert: if you want to teach, you have to give hints.
17:18 < dvl> My hint was what to search for: bandwidth. Yeah, I know I gave him the keyword.
17:18 < reiffert> dvl: he already knows for what he is searching, namely: bandwidth.
17:18 < Hyphenex> Shaper is kind of what I want, but not exactly, I mean, in Australia we buy 20GB of data, we want to split that up between users
17:19 < dvl> Hyphenex: well, perhaps you need to do this outside of OpenVPN
17:19 < Plouj> is there any package/application/whatever that can simplify my OpenVPN setup/maintenance if I'm only planning to have 1 or 2 clients?
17:19 < reiffert> Hyphenex: the status log also records the amount of bytes transferred on a per user basis.
17:19 < Hyphenex> oahh, have the OS do it? any hints dvl?
17:19 < Hyphenex> reiffert: I think there is a webmin module
17:20 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
17:20 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
17:20 < Plouj> I'm on a tight budget, so paying a professional would probably cost more than buying some proprietary user-friendly solution.
17:20 < reiffert> Hyphenex: you can easily read that file on a regular basis and calculate if a particular user is allowed to transfer another byte.
17:20 < Plouj> dvl: the thing is I don't know much about iptables, nor about the details of tunneling/routing.
17:20 < dvl> Hyphenex: I am not a mind reader, I have no idea what OS you are using. :) But if you were using a real OS, it would have some kind of traffic shaper in it. I would use pf. Not available outside BSD
17:21 < dvl> Plouj: I know nothing about iptables either. That's some kind of linux-specific thing isn't it? ;)
17:21 < Hyphenex> dvl: Thanks, I'll look up installing pf on openBSD... or would netBSD be better?
17:21 < Plouj> dvl: yeah, I guess it is.
17:22 < dvl> Plouj: the URL I gave you has nothing to do with iptables, I promise. :)
17:22 < dvl> Hyphenex: FreeBSD would be my recommendation.
17:22 < Plouj> humm
17:25 < grendal_prime> ok got it working
17:26 < grendal_prime> sooo now that it is pushing that ip address for that cert, it will not assign another box that ip address correct?
17:26 < grendal_prime> ecrist: that question was for you
17:50 < Plouj> the ssh -w option is only for tunnelling (in other words Windows shared folders won't be accessible over such a VPN), right?
17:50 < Plouj> can OpenVPN easily be setup to allow clients to connect only through ssh?
17:54 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn
17:55 < Jason404> are there any issues with running OpenVPN in a virtual machine on the LAN?
17:55 < Jason404> is it ok to use a VM?
17:55 < Jason404> any possible problems with doing that?
18:00 < dvl> Jason404: tried it?
18:00 < Jason404> no, not yet
18:00 < Jason404> i just want to know if it is worth doing first
18:01 < Jason404> and I might not be able to see any possible issues until it is too late if there were any
18:05 < Jason404> like there could be an issue with routing, I imagine, with the host
18:07 < dvl> Dunno, no idea.
18:08 < Jason404> I suppose I'll have to just try it
18:08 < Jason404> I have not used OpenVPN before.
18:09 < dvl> Everyone's a virgin at one time.
18:11 < Jason404> how long did it take you to get to grips with it? is it hard to configure?
18:11 < dvl> I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php
18:11 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org)
18:11 < dvl> That should get you going easily. but we'll see.
18:11 < Jason404> cheers dvl
18:12 < Jason404> what's that link about vpnHelper?
18:12 < Jason404> is vpnHelper a bot?
18:12 < dvl> yes
18:12 < Jason404> ok
18:13 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn
18:15 < Plouj> I wish there was a bot which would setup openvpn for me
18:15 < dvl> It's called a consultant
18:15 < dvl> They cost
18:15 < Plouj> yeah
18:16 < Plouj> too bad they would probably cost more than some windows based vpn thingy
18:16 < Plouj> and since I'm setting up VPN for a friend, he would probably choose the windows based solution because of price
18:16 < Plouj> and because he'd be able to configure it (at least to some extent)
18:19 < Jason404> maybe he should try Hamachi. you cant get much simpler than that
18:20 < Plouj> yeah, that's an option
18:23 < Plouj> dvl: I guess iptables was a wrong example in my earlier statement.
18:24 < Plouj> dvl: I meant that I don't really have time to figure out all of the deep details of tunneling/bridging. This seems like it has some useful diagrams: http://openmaniak.com/openvpn.php , but how useful would they be when something goes wrong?
18:24 < reiffert> Plouj: how much time you got? 18:25 < dvl> Plouj: I just handed you a step-by-step set of instructions. :) 18:25 < dvl> Plouj: are you saying you're a pillock? ;) 18:25 < Plouj> dvl: I know. Thank you. I'll read it when it comes time to try openvpn. 18:25 < dvl> Plouj: I have 3 or 4 clients... I read this: http://www.freebsddiary.org/openvpn-routed.php 18:25 < vpnHelper> Title: The FreeBSD Diary -- OpenVPN - creating a routed VPN (at www.freebsddiary.org) 18:25 < dvl> Plouj: OK, then stop yer whining. :) 18:25 < Plouj> reiffert: Lets say one week not counting occasional monthly checkups that I would have to do (I guess). 18:26 < reiffert> Plouj: just follow the official openvpn howto then. 18:26 < Jason404> pillock. you in the UK as well? 18:26 < reiffert> It's a matter of 2-3 hours. 18:26 < Plouj> heh 18:26 < dvl> Jason404: No, I am merely multi-vocabulary. 18:26 < Jason404> ic 18:26 < dvl> reiffert: No, not the how-to. Way TMI. 18:27 < reiffert> dvl: I'm sure as hell. 18:27 < Plouj> reiffert: maybe for someone who does IT for a living. 18:27 < Jason404> yeah, the official webiste has made it seem pretty daunting to me, and I'm a hardcore power user 18:27 < Jason404> ;P 18:27 < reiffert> Plouj: I guess you didnt read further than the caption? 18:28 < Plouj> I recall trying to setup openvpn for myself 2 years ago. Although I spent more than 3 hours, I couldn't figure out what I was doing wrong so it didn't work. 18:28 < dvl> Jason404: ditto. Been writing docs for 11 years... lots of info in there. 18:28 < Plouj> I just read this: "This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS names, netmasks, subnets, IP routing, routers, network interfaces, LANs, gateways, and firewall rules." 18:29 < dvl> What new people need is a simple step by step practical example to get them going. Lower the barrier to entry. Keep It Simpl. 
18:29 < dvl> +e 18:29 < Plouj> IP routing, and firewall rules I wouldn't know without reading tutorials 18:29 < dvl> While the HOWTO contains many great pieces of information, it is far TMI for an OpenVPN novice. 18:29 < Plouj> dvl: not really, I think the problem (don't take this as a criticism) is that there is a lot of choice (eg bridging/tunneling). 18:30 < dvl> Once you get up and running with a simple setup, then you can move to other stuff. 18:30 < dvl> Plouj: that is what I mean. 18:30 < Plouj> dvl: if all I had to do was enter a password and choose a subnet address, that would be easy. 18:30 < Plouj> plus, you would know that if something's broken it's because the software is malfunctioning 18:30 < Plouj> or the VPN setup that it provides isn't suitable for your usage 18:31 < Plouj> that's how I imagine it 18:31 < Plouj> (when I compare OpenVPN to hamachi) 18:33 < Plouj> makes sense? 18:35 < Plouj> I found this: http://en.wikipedia.org/wiki/Socialvpn 18:35 < vpnHelper> Title: Socialvpn - Wikipedia, the free encyclopedia (at en.wikipedia.org) 18:35 < Plouj> which is sort of what I'm looking for in terms of easy setup 18:35 < Plouj> but not tied to a social network, heh... 18:37 < Jason404> i'm behind NAT. does this make things more difficult, apart from having to forward port(s)? 18:37 < Jason404> (with openvpn) 18:38 < Jason404> dvl: you behind NAT 18:38 < Jason404> ? 18:38 < Plouj> humm: http://www.vmware.com/appliances/directory/822 18:38 < vpnHelper> Title: PhoneHome - an openVPN appliance | Virtual Appliance Marketplace (at www.vmware.com) 18:39 < Plouj> and some more: http://www.rpath.org/search?type=Products&search=openvpn 18:39 < vpnHelper> Title: rBuilder Online - Search Results (at www.rpath.org) 18:43 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has quit ["Ex-Chat"] 18:48 < dvl> Jason404: I am behind NAT, but the OpenVPN server is not. 18:48 < Jason404> will being totally behind NAT be a problem for me? 
18:49 < Jason404> surely there would be no problem with the port(s) forwarded to OpenVPN? 18:51 < grendal_prime> im trying ssh-copy-id to ...well do what i does..i keep getting an error about "no identities found" I created the keys with ssh-keygen. what the hell am i doing wrong? 18:57 < grendal_prime> nevermind i figured it out...thanks anyway 19:01 < grendal_prime> Jason404: you are behind a nat (the client?) if the client is behind a nat then no..that's the whole point...the server behind a nat then yes you will need to forward ports. 1194 i think is the only one though. 19:03 < Jason404> cheers. forwarding ports is no problem. i was just wondering if there would be any further complications. 19:07 < ecrist> Jason404: should be no other problems. 19:08 < Jason404> cool 19:23 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn 19:23 -!- mRCUTEO is now known as John 19:23 -!- John is now known as mRCUTEO 19:27 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 19:27 < mRCUTEO> !configs 19:27 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:30 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] 19:31 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit [] 19:53 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn 19:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 20:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 20:00 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 20:12 -!- int [n=quassel@wikia/int] has quit [Excess Flood] 20:12 -!- int [n=quassel@wikia/int] has joined ##openvpn 20:30 -!- random_675 [n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has joined ##openvpn 20:31 -!- random_675 
[n=gund@c-24-60-202-3.hsd1.ma.comcast.net] has left ##openvpn ["Ex-Chat"] 20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-f308901d65b6993a] has quit [Remote closed the connection] 20:58 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has joined ##openvpn 22:31 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn 22:35 -!- littlerock [n=littlero@219.236.170.71] has joined ##openvpn 22:37 < littlerock> can I connect to openvpn server without installing third-party software in windows XP ? 22:39 < muxpux> openvpn client 22:41 < littlerock> muxpux: can I use software in windows instead of installing openvpn, is it possible 22:49 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn 22:49 < ricoshady> hey dazo, you around? 22:49 < ricoshady> im working on my open-wrt openvpn config 22:59 < cyberjames> littlerock: if you can do that, let me know too :) 23:22 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:27 < ricoshady> anyone know what this mean? http://pastebin.com/m29641edb 23:33 < littlerock> I need to issue CA, KEYs etc to openvpn clients, how to disable a *specific* user in openvpn ? 23:49 < ricoshady> revoke the key you gave to whichever client you want to stop --- Day changed Fri Jan 23 2009 00:18 < littlerock> ok I will try 00:48 < ricoshady> im trying to get my server to dish out ips, im using --ifconfig-pool in the server config, but when I connect the client doesnt get an ip and I get the error " no --ifconfig-pool netmask parameter is available to push to" 01:05 < ricoshady> how do I get the client to automatically get one of the ips from the ifconfig-pool option?? 01:30 < ricoshady> shit, now this is a DEAD fucking room 01:33 < ykut_johny> dazo: i managed to get it working for my vpn yesterday. 
what i did was, changing the openvpn server to latest version and the old version 2.0.6 to become client and whoola, everything working just fine..:) 01:48 < ricoshady> ykut_johny, are you using ifconfig-pool? 01:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:50 < ricoshady> anyone know how to configure openvpn? 01:50 < ricoshady> i have a question with ifconfig-pool 01:51 < krzee> whats the question 01:51 < ricoshady> the client connects but does not acquire an ip from the openvpn server 01:51 < ricoshady> im using ifconfig-pool 01:52 < ricoshady> I got it working with server ip netmask, but I want to use same ip for the local net and vpn 01:52 < krzee> !configs 01:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:52 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 01:52 < onats> hi guys, 01:52 < onats> on an ubuntu system, where does the easy-rsa directory get installed into? 01:52 < onats> i installed openvpn using package manager 01:53 < krzee> find / -name easy-rsa 01:53 < onats> ty 01:53 < ricoshady> http://pastebin.com/m1b6be7cf 01:53 < ricoshady> thats my server config 01:54 < ricoshady> does the vpn server need to be a different ip and subnet from the lan interface? 01:54 < krzee> ricoshady, why dev tap? 01:54 < krzee> ricoshady, yes 01:54 < ricoshady> its bridged 01:54 < ricoshady> so it has to be on a completely different subnet too? 01:54 < krzee> umm 01:55 < krzee> you use --server-bridge to bridge 01:55 < krzee> --server-bridge gateway netmask pool-start-IP pool-end-IP 01:55 < ricoshady> well with tun, it seemed I could only connect one client at a time 01:55 < krzee> no, you can connect many with tun 01:55 < krzee> why are you bridging? 
01:56 < ricoshady> with tun tho, my interface came up, it maps one ip to the other 01:56 < ricoshady> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 01:56 < ricoshady> inet addr:10.108.42.1 P-t-P:10.108.42.2 Mask:255.255.255.255 01:57 < ykut_johny> ricoshady: yeah..i did disable it and reenable it as well..seem like openvpn cache the routing 01:57 < ricoshady> 42.1 => 42.2 01:57 < ricoshady> or is that just because I didn't create a pool 01:59 < krzee> ricoshady, that's normal 01:59 < krzee> !/30 01:59 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 02:00 < krzee> ricoshady, 02:00 < krzee> !tunortap 02:00 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 02:02 < krzee> onats, np 02:04 < onats> krzee, when maintaining multiple vpn networks ( i need to generate some client keys once in a while), do you just keep copies of their key directory individually? 
02:04 < krzee> yes, you may also find ssl-admin useful 02:04 < krzee> !ssl-admin 02:04 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:04 < ricoshady> how do I create my tun device 02:05 < krzee> ricoshady, if you have tuntap loaded in kernel (which you do) it should be made on demand 02:05 < krzee> but you can make it stay with --mktun 02:05 < krzee> openvpn --mktun will create it for good 02:06 < krzee> if you are in windows, it will just work 02:06 < krzee> tap driver does tun mode 02:06 < ricoshady> ic, this is pretty cool, so once I have the VPN up, on the other subnet, I'll need to route traffic to the lan 02:06 < krzee> !route 02:06 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 02:08 < ricoshady> that is weird, from the VPN, I cant ping the client 02:09 < ricoshady> isnt that becase of the tun interface? 02:09 < krzee> are both sides using tun? 02:10 < ricoshady> yup 02:10 < krzee> repost server conf pls 02:12 < ricoshady> http://pastebin.com/m2b8754d server 02:12 < ricoshady> client http://pastebin.com/mc9bbab7 02:12 < krzee> remove tls-server 02:13 < krzee> and 02:13 < krzee> grep -vE '^#|^;' client.conf 02:13 < krzee> then repost client pls 02:16 < ricoshady> the windows client is windows 02:16 < ricoshady> duh, the client is windows 02:16 < krzee> ok, well remove comments 02:16 < ricoshady> i dont have grep 02:17 < krzee> oh nm you can leave --tls-server in there 02:17 < ricoshady> http://pastebin.com/m60230ab8 02:17 < krzee> my bad, was thinking tcp-server 02:18 < krzee> these machines are on the same lan? 02:19 < krzee> if you have --tls-server the client should have --tls-client 02:20 < ricoshady> yes, same lan 02:20 < krzee> why? 02:20 < krzee> securing wifi? 
02:20 < ricoshady> testing 02:21 < krzee> you wont be able to test lan related stuffs 02:21 < krzee> like the stuff in !route 02:21 < krzee> if you have an external box somewhere you can test with that tho 02:21 < ricoshady> k 02:21 < krzee> when it works you use that config on your laptop 02:21 < krzee> doesnt matter what os 02:22 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 02:33 < krzee> ricoshady, do they connect or give an error? 02:42 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: krzie, trifler, tarbo2, Pagautas, bigjohnto, ikevin_, vpnHelper, Bushmills 02:53 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: mcp, meshuga, lilalinux, deever, disposable, tomfmason, worch, thewolf, cyberjames, eliasp, (+6 more, use /NETSPLIT to show all of them) 02:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:55 -!- Netsplit over, joins: bigjohnto, ikevin_, disposable, vpnHelper, Bushmills, fbond, oc80z, tomfmason, eliasp, cyberjames (+11 more) 02:55 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn 02:55 -!- Netsplit over, joins: lilalinux, kala 03:13 -!- aar0n_sleeping [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 03:22 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:43 -!- _markh_ [n=chatzill@fentech.gotadsl.co.uk] has quit ["ChatZilla 0.9.83 [Firefox 3.0.5/2008120122]"] 03:44 -!- littlerock [n=littlero@219.236.170.71] has left ##openvpn [] 03:50 -!- Hyphenex [n=scott@203.219.38.207] has quit [Read error: 104 (Connection reset by peer)] 03:50 -!- ledoktre [n=ledoktre@67.224.62.214] has joined ##openvpn 03:50 < ledoktre> good morning. Anyone got time for a quickie? 03:52 < ledoktre> question is : my openvpn-status.log file is not accurately reflecting the connection status of my client pc. 
it says it is still connected, yet when I check on the client side, it is no longer connected. I wanted to write a script to monitor the connection, and run a script once it is disconnected, however this is going to be difficult, if I cannot seem to get the status log file to update. Any thoughts? 03:56 < dazo> ledoktre: which openvpn version are you using? 04:08 -!- meturaf [i=meshuga@lenin.ww88.org] has joined ##openvpn 04:08 -!- meshuga [i=meshuga@lenin.ww88.org] has quit [Read error: 104 (Connection reset by peer)] 04:35 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has joined ##openvpn 04:35 < rio_> hi, a question: how can i change IFCONFIG_POOL_MAX variable value in ovpn 2.0.9? 04:35 < rio_> i need to use a /B class range 04:37 < rio_> do i have to recompile ovpn modifying pool.h? 04:40 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)] 04:51 < dazo> rio_: I vaguely remember this being discussed in the openvpn-devel mailing list last autumn ... maybe check that? 04:52 < rio_> dazo thanks for reply but is not a problem, i just modified pool.h and recompiled :) 04:52 < dazo> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel 04:52 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net) 04:53 < dazo> rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... or if it would backfire somehow somewhere else 04:54 < rio_> btw i think it should be overwritable with some ovpn.conf var 04:55 * dazo think he found the mail thread .... reading .... 04:55 < dazo> http://sourceforge.net/mailarchive/forum.php?thread_name=44e5dffd0806200615r65f02642hc7fd04d35d2b2a89%40mail.gmail.com&forum_name=openvpn-devel 04:55 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net) 04:55 < dazo> no clear conclusion .... except you have the same findings .... 
04:56 < dazo> rio_: would you mind sending this question also to openvpn-devel mailing list? .... you may add your patch as well, would be nice to get this clarified why this limit exists 04:57 < rio_> well, i could do such thing but i'm a bit overloaded nowadays 04:58 < rio_> i'm not subscribed to maillist as well :D 04:59 < dazo> rio_: ahh ... I see ... but you had problems with nets bigger than /24 or /16? ... because up to /16 should be supported ... btw, which version are you running? 04:59 < rio_> now 2.1 rc15 04:59 < dazo> rio_: and you had that limitation also in rc15? 05:00 < rio_> tbh i don't know, i modified pool.h before compiling 05:01 < rio_> so now it works but pool.h was already modified 05:01 < dazo> rio_: oki ... I see 05:01 < rio_> and i need more than 254 subnets, this is the reason i need a B class 05:01 < rio_> (potentially more than 254) 05:02 < dazo> #define IFCONFIG_POOL_MIN_NETBITS 16 << default in rc15 05:03 < rio_> i think it does not matter 05:03 < dazo> rio_: I follow ... well, I have no problems catching that ... even though, it's quite a lot of nets for a VPN tunnel ;-) 05:03 < rio_> :P 05:03 < dazo> rio_: just out of curiosity .... what change did you do? 05:04 < dazo> the #define I pointed at? 05:05 < rio_> hm 05:05 < rio_> just a sec 05:06 < rio_> in /usr/src/openvpn-2.1_rc15/pool.h @ #define IFCONFIG_POOL_MAX 65536 05:06 < rio_> changed in #define IFCONFIG_POOL_MAX 16777216 05:07 < dazo> hmmm ... interesting .... you opened for more IP addresses then actually ... 05:07 < rio_> yes, i opened for 256*256*256 ip address, a B range 05:08 < rio_> it should be simply overwritable using a conf that, if exists, change this value 05:08 < dazo> that's an A range isn't it? As here you have /8 bit mask .... 05:08 < reiffert> yep 05:09 < rio_> yes, sry 05:09 < rio_> A range 05:09 < rio_> 65536 was already a B range 05:09 < rio_> :P 05:09 < dazo> okey! Then I understand ... 
but I would still expect that you also would need to change the POOL_MIN_NETBITS as well to 8 ... 05:09 < rio_> dazo i didn't change that tbh, but it works... 05:10 * dazo not sure if it will always work that nicely 05:10 < dazo> but that depends where the check against IFCONFIG_POOL_MIN_NETBITS is done 05:11 < rio_> dazo im going to update IFCONFIG_POOL_MIN_NETBITS too 05:12 < rio_> hm 05:12 < rio_> dazo var is IFCONFIG_POOL_MIN_NETBITS 05:12 < rio_> MIN 05:12 < rio_> strange, should be named "max" 05:12 < rio_> no, is ok min :P 05:12 < dazo> no, MIN is correct .... minimum 8 bits 05:13 < dazo> :) 05:13 < rio_> ye ye, is ok 05:13 < rio_> modified and compiled 05:14 < rio_> it works as well as before 05:22 < krzee> ledoktre, why use status file to see if its connected? 05:22 < krzee> maybe ping would be a better option 05:23 < krzee> or better yet, if that script is going to reconnect it, use a keepalive instead 05:25 < krzee> and classful networking went out in the mid 90's guys 05:26 < krzee> /8 /16 /24 :-p 05:26 < krzee> s/networking/subnetting 05:26 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 05:27 < krzee> also, if you need that many ips, you should be using: 05:27 < krzee> !topology 05:27 < vpnHelper> krzee: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 05:28 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 05:28 < joelsolanki> Hi friends 05:28 < joelsolanki> i have been struggling for the last 2 days to fix an openvpn client at remote location. 05:28 < joelsolanki> the system is ubuntu 05:28 < krzee> [02:57] rio_: cool ... well, I remember some developers was wondering about this limitation as well .... but I don't remember if it was "just that easy"(tm) ... 
or if it would backfire somehow somewhere else 05:28 < joelsolanki> and while connecting to openvpn server i am getting these errors 05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS handshake failed 05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: 59.180.130.198:44463 write UDPv4 [ECONNREFUSED]: Connection refused (code=111) 05:29 < dazo> krzee: yes? 05:29 < krzee> dazo, the internal routing of stuff in openvpn can start to melt with that gue of clients 05:29 < joelsolanki> Jan 23 11:21:04 lake ovpn-lake[29693]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 05:29 < joelsolanki> Jan 23 11:21:03 lake ovpn-lake[29693]: 59.180.130.198:46677 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 05:29 < krzee> s/gue/huge/ 05:29 < krzee> joelsolanki, you have access to both sides? 05:30 < joelsolanki> i checked on windows system using openvpn and it got connected but in ubuntu linux it gives this trouble. 05:30 < rio_> krzee interesting but now i'm ok 05:30 < joelsolanki> i have access to vpn server. 05:30 < dazo> krzee: yeah, but I'm ignorant to mention that fact ... as I would expect a person setting up this really would not expect it to work flawlessly .... with theoretically 16mill clients ... 05:30 < joelsolanki> i dont have control over vpn client. but a guy is there who gives me the output of any command we asked him. 05:31 < joelsolanki> if it was local system it would be easy to fix. 05:31 < joelsolanki> iptables is not installed so firewall is not an issue 05:31 < joelsolanki> even i checked /selinux/enforce that file also doesnt exist. 05:31 < joelsolanki> so i am doubting what is creating problem 05:31 < dazo> krzee: anyway .... if you get openvpn running with more than 4-500 simultaneous clients on one openvpn server process with a decent throughput ... 
I would consider it to be a miracle 05:31 < joelsolanki> i can get the logs of openvpn if you want 05:32 < krzee> !configs 05:32 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:32 < krzee> !logs 05:32 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6 05:32 < krzee> with those we may get an idea 05:32 < joelsolanki> hmm let me do that 05:33 < krzee> also give a shot at 1 run on the client with mtu-test in the config 05:33 < krzee> just to rule out mtu issues 05:33 < joelsolanki> ahh how to do that 05:33 < joelsolanki> ? 05:33 < krzee> dazo, agreed, but the amount of ips he wanted to allocate made me think he didnt think the same 05:34 < krzee> how to do what? 05:34 < krzee> how to add the line mtu-test into the client config? 05:34 < krzee> umm, with a text editor i guess 05:34 < krzee> ubuntu comes with nano i believe 05:35 < krzee> should have vi as well 05:35 < joelsolanki> oh ok. i just need to add mtu-test 05:35 < joelsolanki> hold let me have it done and see 05:35 < krzee> oh i shoulda said with --mtu-test to be clearer 05:35 < joelsolanki> ok :) 05:36 < krzee> i just made it to west coast so its really 7:40am for me right now, lol 05:36 < krzee> jet lag and all 05:36 < dazo> krzee: true .... but I expected it to be some kind of subnetting included ... to spread things out .... and to make OpenVPN work with multiple segments over a range larger than /16 can provide, you'd need to patch it ... 
but I do not say I understand the need for it 05:37 < krzee> if that's what he was aiming for, each process should give a diff subnet and push routes for the others 05:37 < krzee> and any with lans behind go on a separate one so they can get same 05:38 < krzee> then each client that may connect to others get blocks 05:38 < krzee> so it can try next, next, next til one is cool 05:38 < krzee> and each server gets max-clients statement 05:38 < krzee> then it just works (tm) 05:49 < krzee> dazo, know what i mean? 05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-97088d7eb17c601f] has quit [Remote closed the connection] 05:57 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 05:57 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has joined ##openvpn 05:59 < muxpux> hi krzee 06:00 < muxpux> <--lonel 06:23 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn 06:29 < Super_Cat_Frog> hi - i have openvpn running on a server, with separate physical network interfaces for internal and external. We're having strange network problems which the people in the data center are blaming on us having multiple default routes 06:30 < Super_Cat_Frog> sounds reasonable to me - i'm not a networking guy, but when i remove either of the default routes, the vpn fails to route traffic 06:30 < Super_Cat_Frog> any ideas? 06:31 < dazo> krzee: Yes, I do ... and I agree :) 06:33 < dazo> krzee: but we can tell him how to do it when he comes back to us, crying, because openvpn collapses because of his infrastructure :-P 06:40 < Super_Cat_Frog> is there anything i should read / google for to find some more info ? 
06:40 < Super_Cat_Frog> the people in the data centre are worried it will cause traffic to loop 06:48 -!- polaru_ [n=polaru@193.33.154.198] has joined ##openvpn 06:49 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 06:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:02 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)] 07:12 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 07:20 < Super_Cat_Frog> ah, i'm a tard 07:20 < Super_Cat_Frog> there is only one default gateway, and its working, strange 07:20 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has left ##openvpn ["Konversation terminated!"] 07:25 -!- rio_ [n=rio@89-149-209-78.internetserviceteam.com] has left ##openvpn ["aloha"] 07:30 < plaerzen> morning irc 07:45 -!- Plouj [n=Plouj@red.cs.yorku.ca] has quit ["bah, red going down for UPS replacement.................."] 07:49 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 07:56 -!- ozirus [n=caliskan@81.214.150.105] has joined ##openvpn 07:59 < ozirus> is it possible to limit vpn connection with time? say, i want to integrate openvpn server with a reservation system and users will book the remote lan and connect to it via vpn. when time expires, openvpn server kills the client connection? 08:03 < dazo> ozirus: not out of the box .... but .... it is possible to write such a plug-in for OpenVPN 08:08 < dazo> ozirus: another approach ... is to write your own connection checker, which uses the management interface of the openvpn-2.1 series 08:32 -!- ozirus [n=caliskan@81.214.150.105] has quit [] 08:52 < ecrist> good morning, bitches 08:59 < plaerzen> hey ecrist 08:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:59 < plaerzen> ecrist, tell me a story please. 09:02 < reiffert> Once upon a time I was born when my parents were on a journey. 
09:03 < reiffert> They stood on a potato acre, which wasn't one of ours, which was irrelevant to me as of then. 09:15 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 09:15 < prxtien> hey all 09:15 < prxtien> im running an openvpn instance as privileged user openvpn:openvpn, tunnel works fine on start, but on restart, tunnel fails with SIOCSIFMTU: Operation not permitted 09:15 < plaerzen> reiffert, I like your story 09:22 < prxtien> !configs 09:22 < vpnHelper> prxtien: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:25 -!- polaru__ [n=polaru@93.113.192.70] has joined ##openvpn 09:27 < ecrist> prxtien: the proper way to do that is to run as root, allowing openvpn to su down to an *un*privileged user, such as openvpn 09:27 < prxtien> yes 09:27 < prxtien> that's what i am doing mate 09:27 < prxtien> but when i -HUP it for example 09:27 < prxtien> it crashes out 09:37 -!- polaru_ [n=polaru@193.33.154.198] has quit [Read error: 110 (Connection timed out)] 09:40 < Jason404> does anybody run OpenVPN in a virtual machine? 09:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:48 < ecrist> Jason404: lots of people 09:48 < ecrist> what problems are you having? 09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)] 09:49 < Jason404> ecrist: none. I was just wondering if there were any potential problems with doing that. Like the routing to the host machine would be fine etc..? 09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:50 < Jason404> ecrist: ...and when using virtual NICs and stuff 09:51 < Jason404> i am new to OpenVPN, so I have not actually set it up yet. 
09:51 < Jason404> if there were problems regarding VMs, it would be better to know now, other than trying to figure out why its not working, being new to this 10:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)] 10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:17 < MMN-o> Jason404: A NIC that's visible as a "real" NIC (emulated by the host) will work as a real NIC. 10:18 < Jason404> MMN-o: so no issues with virtual NICs? cool thanks 10:35 < dazo> Jason404: just make sure that your firewalling and routing on all your network routers are correct ... and it should work like a charm .... and tcpdump or wireshark will be your best debugging friend 10:37 < Jason404> dazo: okay thanks. I'll make a note of those 10:38 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)] 10:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:42 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 10:42 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn 10:42 < RUS> hi all 10:48 < RUS> i have installed openvpn on my server. trying to use build-ca script and see error: you must define KEY_DIR 10:48 < RUS> how can i define it ? 10:50 < dazo> RUS: have you remembered to edit the ./vars file .... and done: source ./vars ? 10:51 < RUS> no. not yet. 10:51 < RUS> i must edit ./vars file ? 10:51 < dazo> RUS: that's needed to make those scripts work 10:51 < dazo> RUS: and you do need to source that file first 10:52 < RUS> it must be edited before ./make and ./install ? 10:53 < dazo> RUS: no, just edit it .... do: source ./vars ... in your shell (or . ./vars in some shells) ... and then try ./build-ca 10:53 < RUS> ok , thanks. will try now 11:09 < RUS> i have edited my ./vars file, but when i start ./clean-all i see error again. 
11:09 < RUS> all scripts /etc/openvpn/easy-rsa 11:09 < RUS> key dir /etc/openvpn/keys 11:09 < RUS> ./vars file have a string: 11:09 < RUS> xport D=`/etc/openvpn` 11:09 < RUS> but doesn't work. 11:10 < RUS> maybe 11:10 < RUS> when i try ../vars i see permission denied 11:11 < RUS> no 11:13 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 11:16 < dazo> RUS: you must do vars ... | . ./vars | 11:17 < dazo> RUS: can you please pastebin your ./vars file .... and the errors you get? 11:17 < dazo> RUS: I believe there is also a README file in that dir ... I presume you've looked at that one as well 11:18 < RUS> ../vars is not correct. i have vars file in easy-rsa dir 11:18 < RUS> and i try ./vars then ./clean-all 11:19 < dazo> RUS: ... I do not say ./vars .... I say . ./vars .... do you see the difference? 11:20 < dazo> (in some shells (unknown) means the same as: source (unknown)) 11:20 < RUS> yes 11:20 < RUS> will try 11:20 < RUS> . ./vars 11:20 < RUS> -bash: /etc/openvpn/easy-rsa/: is a directory 11:20 < RUS> NOTE: when you run ./clean-all, I will be doing a rm -rf on /keys 11:22 < RUS> good 11:22 < RUS> that works after source ./vars 11:22 < RUS> what does it mean, source ./vars ? 11:24 < dazo> RUS: that means to read and parse and execute the given file, and export all exported variables into the current shell .... man bash might give you a more comprehensive explanation of the 'source' command 11:24 < RUS> thanks dazo 11:26 < dazo> RUS: but I believe you still have something not correct in that ./vars file .... it should give a better response than that on the path to /keys .... unless you tweaked your output here 11:27 < RUS> maybe :)_ 11:27 < RUS> but ./clean-all works well 11:27 < RUS> and i have new error 11:27 < RUS> ./build-ca 11:27 < dazo> RUS: okey ... you might now find your key storage on /keys .... on your filesystem 11:27 < RUS> yes 11:28 < RUS> well. there are 2 files 11:28 < RUS> dir 11:28 < RUS> index.txt serial 11:28 < dazo> yes? 
11:29 < RUS> yes
11:29 < RUS> and i have a new error after ./build-ca
11:29 < RUS> error on line -1 of /openssl.cnf
11:29 < RUS> No such file or directory:bss_file.
11:29 < RUS> much more errors :)
11:29 < dazo> exactly ... as I anticipated .... you have the wrong path in KEY_CONFIG in the vars file
11:30 < RUS> hm...
11:30 < RUS> what's wrong there ?
11:30 < dazo> RUS: from the README file .... (please!! read that one)
11:30 < dazo> 3. Set KEY_DIR to point to a directory which will
11:30 < dazo> contain all keys, certificates, etc. This
11:30 < dazo> directory need not exist, and if it does,
11:30 < dazo> it will be deleted with rm -rf, so BE
11:30 < dazo> CAREFUL how you set KEY_DIR.
11:31 < RUS> ok. i go to read
11:31 < RUS> it
11:32 < dazo> sorry ... I mixed point 2 and point 3 .... point 2 covers the error you see ... but still, read all of it ... and you'll be safe
11:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
11:42 -!- polaru__ [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:43 -!- ido-- [n=wtf@212.199.189.65] has joined ##openvpn
11:43 < ecrist> afternoon, bitches
11:44 < ido--> i have a client connected to a server, which has a server 10.10.10.0 255.255.255.0
11:44 < ido--> how can i connect to a different network over that link ?
11:44 < ido--> eg, 192.168.0.X
11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:45 < ecrist> ido--: !route
11:46 < ido--> yeah, but you could be more specific
11:46 < ido--> if its not too much trouble
11:46 < ido--> i've man'd route already
11:49 < dazo> ido--: that's not the man page ....
11:49 < dazo> !route
11:49 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:49 < ido--> you know what i mean
11:50 < dazo> ido--: it's all about setting up the correct routes .... and if the server side of openvpn wants to access the network behind the client, the client needs to set iroute ...
11:50 < dazo> ido--: and then it is firewalling ... that's basically all the magic
11:53 < ido--> hrm.
11:53 -!- RUS [n=Mirc@88.214.199.147] has quit [Read error: 113 (No route to host)]
11:53 < ido--> i'm a bit confused about the route
11:53 < ido--> sec
11:53 < ido--> iroute
11:54 < dazo> ido--: see it from the client side .... the client receives a lot of routes .... and then it gets the iroute ... (read it as "I route") ... which means the client will route the given net through the tunnel on request
11:59 < ido--> cool. it worked. thanks
11:59 < ido--> oh wait. it didnt
12:00 < dazo> heh
12:23 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:27 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:32 < ido--> back. wasn't here
12:33 < ido--> the server sits on a 192.168 lan
12:33 < ido--> and i've added the push command to its conf
12:33 < ido--> the client now routes to 192.168 network. and i can access the server via its 192 ip
12:33 < ido--> however it wont ping other nodes on the network
12:34 < ido--> the proc>>ip_forward is set to 1
12:34 < ido--> what else should i do ?
12:34 < ecrist> ido--: your other machines need to be able to route the VPN subnet back to the VPN server.
12:35 < ido--> oh. right
12:35 < ido--> its not done via masquerading
12:35 < ido--> how do i do that ?
12:35 < ecrist> well, one of two ways
12:35 < ecrist> 1) have your openvpn box be your network gateway (easiest)
12:36 < ecrist> 2) add a static route to your LAN machines for the VPN subnet, routing to the OpenVPN box.
12:36 < ido--> can i add a route net 10.10.x to the openvpn server on the default gateway of the 192.168 network ?
12:36 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has joined ##openvpn
12:38 < prufrocks> if i'm trying to configure both openvpn and ipsec/l2tp on my server, would each have to provide ip addresses in a different subnet?
12:38 < ecrist> prufrocks: you're missing a lot of data there.
12:38 < prufrocks> ?
12:42 < dazo> ido--: you may try to do that ... but I cannot guarantee that it'll work, I've struggled with that one earlier in life (could be my inexperience at that point, of course).... setting up static routes on those boxes which you want to route that net to, is probably quicker and easier
12:43 < dazo> ido--: or, try static routes first ... and see that it works ... then you can try the other approach, to see if that works for you as well
12:43 < dazo> ido--: and as always .... if you have tcpdump and/or wireshark .... they'll help to see if the routing goes right or not by looking at the different nets you have available
12:44 < ecrist> ido--: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_tcpip_pro_addstaticroute.mspx?mfr=true
12:54 -!- prufrocks [n=prufrock@CPE001cb3abac8e-CM001e6b227c70.cpe.net.cable.rogers.com] has quit []
12:59 < ido--> dazo, that routing thingy worked.
12:59 < ido--> another question though
12:59 < ido--> running tcpdump on the server shows me this
12:59 < ido--> 21:55:48.206748 IP 10.10.10.6.47429 > HOME.12345: UDP, length 14
12:59 < ido--> 21:55:48.206829 IP HOME > 10.10.10.6: ICMP HOME udp port 12345 unreachable, length 50
12:59 < ido--> that ip is the client's ip
13:00 < dazo> ido--: what do you have on port 12345?
13:00 < ido--> hrm. not sure
13:00 < dazo> ido--: or ... which port do you use for openvpn ?
13:00 < ido--> the server was originally on 12345
13:00 < ido--> then moved it to port 80
13:01 < dazo> ido--: and the 10.10.10.* net is your VPN channel?
13:01 < dazo> ido--: and HOME is the public address of your server at home?
13:01 < ido--> oh wait
13:01 < ido--> sorry, the server is on 12345
13:01 < ido--> its being port forwarded from 80 to 12345
13:02 < ido--> because the server is behind a firewall.
13:02 < ido--> HOME is the ovpn server name
13:03 < dazo> ido--: ahh ... which IP range do you use for VPN and at home?
13:03 < dazo> (inside the fw)
13:04 < ido--> 192
13:04 < ido--> 192.168.x
13:11 < ido--> dazo ?
13:12 < dazo> ido--: I don't follow this .... you use 192.168.x at home ... and your VPN tunnel is 10.10.10.x ?
13:12 < ido--> yes
13:13 < dazo> ido--: then I don't understand that traffic at all .... which interface were you listening to when you did that tcpdump? eth0 or tun0/tap0
13:13 < ido--> listening on tun0 on the server
13:14 < ido--> i get this: http://www.pastebin.ca/1316218
13:14 < dazo> ido--: that makes more sense .... then I would check the netstat on your VPN client ... to see which program tries to connect to your server on port 12345 via the tunnel
13:15 < ido--> 3 types of traffic (what i pasted goes in a loop..)
13:15 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 113 (No route to host)]
13:16 < ido--> the traffic on port udp 9442
13:16 < dazo> ido--: yeah ... multicast traffic is one thing, and can be ignored mostly ... and that covers two of the patterns I see
13:16 < ido--> multicast
13:16 < dazo> ido--: are you sure your tunnel works right now?
13:16 < ido--> my tunnel does work..
13:17 < dazo> ido--: do you use --redirect-gateway ?
13:17 < ido--> whats that multicast traffic used for ? who is generating it ?
13:17 < ido--> whats --redirect-gateway ?
13:17 < ido--> I'm not using it
13:18 < dazo> multicast traffic is kind of traffic to all available clients ... and can be used for service broadcast ... like pulseaudio server, ssh services, VNC etc ... to tell other boxes that these services are available .... in Linux, it's mostly avahi/mDNS which makes use of this
13:18 < ido--> oh wait
13:18 < ido--> its multicast that comes from the server..
13:18 < ido--> hrm. i need to block this
13:18 < ecrist> ljkjksadfladfsjklas;df
13:18 < ido--> no iptables installed. ugh.
13:18 < ido--> ok
13:18 < dazo> ecrist: something is wrong with your rot13 scrambler
13:18 < ido--> i'll deal with that later
13:19 < dazo> ido--: if you don't need such service broadcast ... you can stop the avahi service on the server
13:19 < ido--> back to the port 12345 thingy
13:19 < ido--> openvpn runs on port 12345 tcp, not udp
13:19 < ecrist> ick
13:20 < ecrist> tcp vpn
13:20 < ecrist> why not port 1194?
13:20 < ido--> going through a http proxy..
13:20 < ido--> they allow only port 80
13:20 < ido--> and 443
13:20 < dazo> thats interesting .... just another reason to check netstat on your VPN client ... to see what kind of program is responsible for that
13:21 < dazo> ecrist: I hope you figured he does port forwarding on his router from 80 -> 12345
13:21 < dazo> ido--: but you can use 1194 on the inside without any problem
13:21 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
13:22 < ido--> no hrm
13:23 < ido--> hrm
13:23 < ido--> ok, found out what it was
13:23 < ido--> old instances of openvpn, before i changed config
13:24 < ido--> can i make openvpn run only once ? (so i wont be able to make two instances like i had now)
13:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:51 < dazo> ido--: well, afaik, there is no such limitation possibility
13:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
--- Log closed Fri Jan 23 14:32:40 2009
--- Log opened Fri Jan 23 14:55:43 2009
14:55 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:55 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal]
14:55 -!- Irssi: Join to ##openvpn was synced in 0 secs
14:57 < ricoshady> i have a route that sends all 192.168.109.0 traffic to the tun ptp device 192.168.109.2, but i cant ping the client
14:57 < ricoshady> here are my routes
14:58 < ricoshady> http://pastebin.com/m4f30a8c1
15:02 -!- xattack [i=xattack@132.248.108.239] has quit []
15:05 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn
15:07 < sparkymakry> hi everyone
15:07 < sparkymakry> can someone help me with some setup problems?
15:08 < sparkymakry> I am having problems receiving pings from the server computer..
15:10 < sparkymakry> 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333
15:10 < sparkymakry> 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333
15:10 < sparkymakry> that is a tcpdump from the client that I'm pinging from to the server.
15:11 < sparkymakry> it says that there was a reply, but ping says no reply
15:11 < sparkymakry> I have the vpn up and working, but just suddenly the connection died.
15:13 < sparkymakry> hello??? anyone here??
15:15 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
15:17 < _Sam--> hey ive been running openvpn for about 3 years now....im currently running 2.0.9. recently, every few days VPN connections from outside our lan become terribly slow (not related to bandwidth or server resources) and im having a hard time getting them back to speed. what has worked has been restarting openvpn on the server, and letting the clients sit for like 10 minutes....
15:17 < _Sam--> i cant continue to do that -- my employees are hating me now already.....any help in tracking down the problem would be appreciated. ive already used all the standard tools like logging, tcpdump, checked firewalls, etc etc etc.
15:17 < _Sam--> like i said, its been running fine for 3 years, until the past month.
15:18 < ecrist> something changed
15:18 < _Sam--> i wish that were the case, sincerely.
15:18 < _Sam--> what has changed in that time, has been that we've added a few more remote clients.
15:18 < _Sam--> but as i stated, im positive its not bandwidth related.
15:19 < _Sam--> or resources related.
15:19 < ecrist> how many clients, total?
15:19 < _Sam--> actively connected to VPN or certs issued?
15:20 < ecrist> actively connected
15:20 < _Sam--> small number, maybe 10 MAX.
15:20 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
15:20 < ecrist> the 'sitting for 10 minutes' thing doesn't make sense.
15:21 < ecrist> udp?
15:21 < _Sam--> yes, udp.
15:21 < ecrist> you live in Canada?
15:21 < _Sam--> no i dont, im close to philadelphia, USA
15:21 < ecrist> sounds like bandwidth throttling.
15:21 < _Sam--> its not. ive taken down the entire firewall.
15:21 < _Sam--> no shaping or rules.
15:22 < ecrist> on the ISP side, not yours
15:22 < _Sam--> if that were the case, then it would still be fast when i go over the internal network to the external VPN port....but that is slow too.
15:22 < _Sam--> LAN--> WAN port
15:22 < _Sam--> not on internet, different NIC, same box.
15:22 < ecrist> udp is used for bittorrent, different ports, but it's become common for ISPs to send RST packets to throttle down connections.
15:23 < ecrist> _Sam--: then you may have a hardware problem with your VPN server
15:23 < _Sam--> other connections out the same NIC, non VPN, work at full speed fine.
15:23 < _Sam--> its definitely related explicitly and specifically to my openvpn.
15:23 < _Sam--> but i cant figure out how or why.
15:23 < ecrist> then something changed.
15:23 < ecrist> code doesn't just 'stop working'
15:24 < _Sam--> my config hadnt changed since like late 07. the server itself was also compiled in 2007.
15:24 < _Sam--> so while i appreciate your theory, i respectfully disagree.
15:24 < ecrist> so, upgrade to 2.1rc15 and see if that fixes your problem.
15:25 < sparkymakry> I have very little experience, but had a similar one - ended up that my wireless link was unstable, and openVPN is much more sensitive to out of sequence packets
15:25 < _Sam--> i may do that. id be more interested in trying any solutions or answers that may fix my current problem. id be willing to pay, because its that important, and because ive done all the diagnostics i can do.
15:25 < ecrist> and, regardless what you think, code doesn't just stop working. something else is the culprit. maybe you updated a linked library, or you've got an intermittent memory problem.
15:26 < ecrist> _Sam--: either 1) try a different piece of hardware, or 2) try 2.1rc15
15:26 < _Sam--> k. ive already swapped out the switch that NIC is connected to.
15:26 < ecrist> no, try a different server
15:27 < _Sam--> yeah i could also do that, im sure. but that would require reconfiguring all my clients.
15:27 < ecrist> no it wouldn't
15:27 < _Sam--> i guess not, now that i think.
15:27 < ecrist> you seem unwilling to accept my knowledgeable advice...
15:27 < _Sam--> i would have to reconfigure the clients to connect to the new host.
15:27 < ecrist> no you wouldn't
15:27 < _Sam--> unless i did some port forwarding on the old host
15:28 < _Sam--> tell me what you're thinking
15:28 < ecrist> put the new host in place of the old one
15:28 < ecrist> pretty simple concept
15:28 < _Sam--> oh if you are talking about replacing our production server...thats not feasible. its expensive, reliable, and relatively new.
15:28 < _Sam--> i was talking about moving the openvpn service to a diff. server
15:29 < ecrist> during tcpdump, did you see any rejects on your end? what did you see?
15:29 < _Sam--> no rejects, nothing funny...just a LONG delay between for example when i would click on http items, and when data would start moving either on screen or via tcpdump.
15:30 < ecrist> ok, so to rule in/out openvpn server process, move it to another host.
15:31 < _Sam--> yeah i already have openvpn server setup on another box. but tell me exactly what i am trying to see or determine. i already know that if i connect to this other vpn server, that my data works fine.
15:31 < _Sam--> same version of openvpn.
15:31 < _Sam--> same client and server configs.
15:32 < ecrist> well you seem convinced it's the openvpn process.
15:32 < ecrist> change it.
15:32 < _Sam--> alright. in order to update to the RC15 version, no changes to any configs?
15:33 < ecrist> nope
15:33 < _Sam--> thank you very sincerely for your time and knowledge. though i seem like a know it all attitude, its very much appreciated.
15:33 < ecrist> uh huh
15:34 < sparkymakry> ecrist, did you read my messages before?
15:34 < sparkymakry> about
15:34 < sparkymakry> [15:16] 15:13:01.148724 IP cleint_IP > server_IP: icmp 64: echo request seq 333
15:34 < sparkymakry> [15:16] 15:13:01.258164 IP server_IP > client_IP: icmp 64: echo reply seq 333
15:34 < sparkymakry> [15:17] that is a tcpdump from the client that I'm pinging from to the server.
15:35 < ecrist> sparkymakry: what's your problem?
15:35 < sparkymakry> I know this is not specifically openvpn, or can you direct me to another channel?
15:35 < sparkymakry> that's the output of tcpdump, but ping still says no response
15:35 < sparkymakry> vpn will not connect
15:36 < ecrist> !logs
15:36 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
15:36 < sparkymakry> messages log?
15:36 < sparkymakry> i'm a newb to linux
15:36 < ecrist> openvpn log files
15:36 < sparkymakry> OK, will try get that..
15:37 < sparkymakry> thanks
15:37 < _Sam--> ecrist : if making from source (my last bin was a debian package)....a simple configure with no options will make what i need?
15:37 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has joined ##openvpn
15:37 < ecrist> should, yes
15:37 < ricoshady> how come when I flashed the router with openvpn it didnt reset everything?
15:37 < _Sam--> krzie: i dont know what options the debian package may have used.
15:37 < _Sam--> damn nick completion.
15:37 < _Sam--> thanks.
15:38 < ecrist> ricoshady: no idea what you're talking about
15:38 -!- ricoshady [n=sdads@cpe-76-171-208-102.socal.res.rr.com] has left ##openvpn []
15:38 < _Sam--> sounds like a WRT54 question
15:38 < ecrist> I know, wanted him to say that.
15:38 < ecrist> so I could tell him to join another channel
15:38 < _Sam--> fair enough, tough love!
15:41 -!- sparkymakry [n=mark@200.32.232.82] has quit [Read error: 104 (Connection reset by peer)]
15:41 * ecrist goes away
15:42 -!- sparkymakry [n=mark@200.32.232.82] has joined ##openvpn
15:48 < _Sam--> ecrist : feel free to throw a 'told ya so' out there. i put the new openvpn bin in place, and same thing. however, if i let the clients sit for 10 minutes, they will come back fast!
15:51 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
16:24 < ecrist> _Sam--: I'm guessing either ISP bandwidth throttling, or hardware/memory issue.
16:27 < sparkymakry> Does this mean that there is traffic between vpn?
16:27 < sparkymakry> Fri Jan 23 16:24:34 2009 us=628069 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742595 TUN READ [74]
16:27 < sparkymakry> Fri Jan 23 16:25:20 2009 us=742917 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623274 TUN READ [74]
16:27 < sparkymakry> Fri Jan 23 16:25:34 2009 us=623520 UDPv4 WRITE [116] to server_IP:1194: DATA len=116
16:28 < ecrist> can you ping the VPN server? are there any firewalls in between the client and vpn server?
16:28 < sparkymakry> actually I can't even ping the vpn ip addresses
16:28 < ecrist> start there.
16:28 < sparkymakry> there is a firewall, but 1194 is open, and also pings give replies
16:29 < sparkymakry> actually pings do not give replies from a to b
16:29 < sparkymakry> but I'm at location c, and I can nicely ping a and b
16:29 < ecrist> read !route
16:31 < sparkymakry> the problem I have is not vpn related at all
16:32 < sparkymakry> I don't know where else to post this though, -- if you can direct me to another channel
16:32 < ecrist> read !route
16:32 < sparkymakry> server side
16:32 < sparkymakry> 192.168.111.2 * 255.255.255.255 UH 0 0 0 tun0
16:32 < sparkymakry> 200.32.230.32 * 255.255.255.248 U 0 0 0 eth0
16:32 < sparkymakry> 192.168.2.0 * 255.255.255.0 U 0 0 0 tun0
16:32 < sparkymakry> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
16:32 < sparkymakry> default span-access-dsl 0.0.0.0 UG 0 0 0 eth0
16:33 < ecrist> sparkymakry: did you go read the link available in !route?
16:33 < sparkymakry> client side
16:33 < sparkymakry> sorry, I don't know what you mean
16:33 < ecrist> !route
16:33 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:33 < ecrist> follow that link, read it
16:34 < sparkymakry> but I can't even ping from a to b public to public ip address
16:34 < sparkymakry> so it's before vpn problems
16:34 < ecrist> then you have other issues
16:35 < ecrist> this isn't ##fix-all-my-network-issues
16:36 -!- easymac [i=uminac@users.easymac.org] has joined ##openvpn
16:36 < sparkymakry> I know.
16:37 < sparkymakry> I'm just totally stumped as to what I can do
16:37 < sparkymakry> will look for other channel maybe
16:37 < easymac> hey guys, i've got an issue with assigning static ips to clients, error says i'm misusing the ifconfig-push command. i've tried ifconfig-push ip subnet and i've tried ifconfig-push ip router-ip
16:37 < easymac> the error remains with both
16:38 < easymac> Options error: Unrecognized option or missing parameter(s) in ccd/uminac:1: ipconfig-push (2.0.6)
16:39 < _Sam--> ecrist :thank you again for all of your time and wisdom. you have finally convinced me of that which you first said -- it aint openvpn or its binary. thanks again.
16:39 < ecrist> first, upgrade to 2.0.9, next read the howto page, read the section on controlling access based on cn
16:39 < ecrist> _Sam--: np
16:43 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn []
16:45 < easymac> oh, 2.0.9 is required? why the hell is the FreeBSD port so far behind?
16:45 < easymac> heh
16:45 < ecrist> easymac: 2.0.9 isn't required, but it's recommended
16:45 < ecrist> 2.0.6 on freebsd works OK.
16:45 < ecrist> and, if you're on FreeBSD, read my writeup
16:45 < ecrist> !freebsd
16:45 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
16:45 < easymac> yea, it works fine.. and i've read the howtos
16:47 < easymac> cool, i'll give that a read, but it doesn't appear to show an example of what i'm trying to do, only what i've successfully done. i do like your ssl admin thing though
16:47 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
16:47 < easymac> that looks nifty
16:48 < _Sam--> ecrist : i asked #apache this same thing, but being as that you are all-knowing, i figure its worth a shot....
16:48 < _Sam--> hey all im having an unusual problem where apache is terribly slow over a single interface , our VPN ip. the box has maybe 3-4 different ips that apache listens on...wan, lan, vpn, etc....but only the VPN apache connections are terribly slow to return data....
16:48 < _Sam--> we've been running both the same vpn and apache versions for quite some time, and this problem has just arisen recently, with no changes in any config, hardware, or server software.
16:49 < ecrist> could it be faulty hardware? (and, I'm not all-knowing)
16:49 < _Sam--> if it were hardware or memory, one would expect to see symptoms arising in other places besides just the one thing.
16:50 < _Sam--> not saying that you're not correct, just seems that it would manifest itself in more ways.
16:50 < ecrist> seems to me it's arisen in both VPN and apache.
16:50 < easymac> heh
16:50 < _Sam--> i think more accurately, it seems to be EITHER vpn OR apache. and in my research and testing, i have proven its not VPN.
16:50 < _Sam--> i can move data from vpn host to vpn host just fine.
16:50 < _Sam--> just only when i try over http , no go.
16:51 < _Sam--> the same box, http over non-vpn -- same content, same pages...loads faster than fast.
16:51 < _Sam--> http over vpn...same content, same box, same apache, same pages....slower than slow.
16:52 < ecrist> _Sam--: in that case, during the request, watch the filesystem.
16:52 < ecrist> you could be running into raid errors, or other problems.
16:52 < _Sam--> it does run hardware raid, but there is nothing shown or reported as wrong in any logs.
16:52 < _Sam--> and its reading the SAME DATA....whether over vpn or non vpn
16:53 < _Sam--> but when it reads the files over vpn http...SLOW
16:53 < _Sam--> so that last theory of yours doesnt seem to hold.
16:53 < _Sam--> if it were filesystem...anytime the file was needed to be accessed, a problem would occur.
16:53 < _Sam--> im accessing it fine over non vpn.
16:53 < ecrist> _Sam--: check your MTU, then.
16:54 < ecrist> there's a config option in OpenVPN, --test-mtu or something
16:54 < ecrist> !mtu
16:54 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
16:54 < _Sam--> ive already done much testing with many of those parameters: #tun-mtu 1500
16:54 < _Sam--> #tun-mtu-extra 32
16:54 < _Sam--> #fragment 1450
16:54 < _Sam--> #mssfix 1450
16:55 < _Sam--> no apparent effect.
16:58 < _Sam--> i could tell you even more stuff that would only confuse and cloud things further. its really frustrating and confusing.
17:05 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
17:08 < zoredache> are there any things I should watch out for when I am trying to run 2 openvpn server daemons with different settings on a single machine?
17:11 < zoredache> for example, can I share the subnet that I have provided on my 'server 10.n.n.n' between two daemons?
17:13 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:14 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
17:26 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit ["Leaving"]
17:44 -!- sparkymakry [n=mark@200.32.232.82] has quit [Remote closed the connection]
17:46 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
17:48 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
17:54 -!- bigjohnto is now known as bigjohnto_away
18:01 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has joined ##openvpn
18:05 < thei0s> hi, can someone point me to the openvpn protocol specification?
18:08 < thei0s> (the udp and tcp version, because there seems to be an incompatible difference that disallows simply "forwarding/redirecting" tcp packets to udp)
18:14 < zoredache> how would you forward something from tcp to udp....
18:19 < thei0s> listen on tcp and send everything over a udp socket and vice versa
18:28 < ricoshady> so I finally got my vpn up, I can ping the server from client, and client from server. the vpn is on 10.4.4.0 and my local lan is 10.4.5.0. the vpn is also the gateway for the lan
18:28 < ricoshady> how do I connect them?
18:28 < ricoshady> so I can ping my local lan from the vpn client
18:30 < zoredache> !route
18:30 < vpnHelper> zoredache: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
18:32 < ricoshady> i know ive read that im still having problems...
18:32 < ricoshady> cause that is more complicated than I need I think
18:39 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
18:40 < ricoshady> im pushing the route to the client saying route all lan traffic thru the vpn... do I need anything else cause i still cant get thru
18:43 < zoredache> it doesn't seem like you should need anything more... But then i don't really know
18:46 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:09 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 131 (Connection reset by peer)]
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
19:32 < ecrist> thei0s: you can't do that
19:33 < thei0s> am.. I can, but the openvpn ignores such packets (no replies) :)
19:34 < thei0s> therefore I am asking if there exists a document with the openvpn protocol specification that I could look at to see if it is really not compatible or I just need to manipulate the contents a little to make it work
19:41 < ecrist> check the mailing list
19:57 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:20 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has joined ##openvpn
20:20 -!- Gray9Mar [i=surf___@gateway/tor/x-fcbf8d33a0e756f7] has quit [Remote closed the connection]
20:20 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:40 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
20:46 -!- thei0s [n=G0D@stud247204.studentenheim.uni-tuebingen.de] has quit ["Leaving."]
20:49 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
20:52 -!- Gray9Mar_ [i=surf___@gateway/tor/x-612f0b46517ee086] has quit [Remote closed the connection]
20:59 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit ["leaving"]
21:17 -!- ledoktre [n=ledoktre@67.224.62.214] has quit []
21:17 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has joined ##openvpn
21:57 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["[BX] Reserve your copy of BitchX-1.1-final for the Atari 2600 today!"]
22:01 -!- onats [n=onats@122.53.131.243] has joined ##openvpn
22:03 < onats> !sampleconfig
22:03 < vpnHelper> onats: Error: "sampleconfig" is not a valid command.
22:03 < onats> !configs
22:03 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:04 < onats> what's the shortcut for krzie's sampleconfig again?
23:05 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
23:06 < ricoshady> can someone here help me with firewalls/routing?
23:07 < ricoshady> i cant get my vpn client to talk to the local lan.
23:17 < ricoshady> basically the vpn clients are on 10.4.4.0 and the local lan is 10.4.5.0. I pushed a route to the client in order to move traffic from the lan to vpn
23:35 -!- Seb [n=Seb@untangle/dev/seb] has joined ##openvpn
23:35 < Seb> hi fellows
23:36 < Seb> so, if my client is doing "redirect-gateway def1", but also dropping privileges, then I can't expect to have the static route removed from my routing table after I stop openvpn ?
23:37 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Jan 24 2009
00:12 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn
00:15 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
00:18 * tjz swims in
00:55 -!- iamamoron [n=Miranda@210.238.181.187] has joined ##openvpn
00:55 < iamamoron> hi there
00:55 < iamamoron> how can i migrate all my certs to my new server?
00:55 < iamamoron> any ideas?
00:58 < iamamoron> ?
02:27 < tjz> is there a newsletter which gives us an immediate update when there is a new beta/release
02:50 < onats> youreamoron, you can just copy the certs right?
03:32 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has joined ##OpenVPN
03:37 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
03:44 -!- mcp [n=mcp@wolk-project.de] has quit ["ZNC - http://znc.sourceforge.net"]
04:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 145 (Connection timed out)]
04:23 -!- iamamoron [n=Miranda@210.238.181.187] has quit [Read error: 54 (Connection reset by peer)]
04:42 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has joined ##openvpn
04:42 < ricoshady> hello
05:10 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has joined ##openvpn
05:10 < altus-dominus> hey guys
05:11 < altus-dominus> I've been having some issues with openvpn recently, when i run openvpn --config myfile.ovpn i get this error msg
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Error opening file lwadmin.p12 (OpenSSL)
05:11 < altus-dominus> Sat Jan 24 10:36:03 2009 Exiting
05:11 < altus-dominus> any ideas ?
05:47 -!- Gray9Mar [i=surf___@gateway/tor/x-eaa4803bcbd3ac27] has quit [Remote closed the connection]
05:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:59 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has joined ##openvpn
06:09 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
06:09 -!- Gray9Mar [i=surf___@gateway/tor/x-df17f843eaf70aab] has quit [Remote closed the connection]
06:17 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has joined ##openvpn
06:36 -!- gallatin [n=gallatin@dslb-092-072-072-233.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
07:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
07:44 -!- ricoshady [n=sdads@cpe-76-171-211-32.socal.res.rr.com] has quit [Read error: 113 (No route to host)]
09:28 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:16 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has joined ##openvpn
10:17 < Jason404> i am having problems in making an SSL cert
10:17 < Jason404> been following these instructions;
10:17 < Jason404> http://www.freebsddiary.org/openvpn-easy-rsa.php
10:17 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org)
10:18 < Jason404> but i am using Windows x64, so I had to change the HOME directory in the vars batch file
10:18 < Jason404> then I ran vars
10:18 < Jason404> no feedback
10:19 < Jason404> ah, i just realised that I did not run it in the CD
10:24 < Jason404> no, still an error
10:24 < Jason404> about openssl.cnf not being found in usr
10:25 < Jason404> but it does not say anything about making that file before running build-ca
10:25 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
10:25 < Jason404> is there a similar step by step available anywhere for Windows?
10:26 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn
10:32 -!- ozirus [n=Furkan@81.214.150.105] has quit ["Kopete 0.12.7 : http://kopete.kde.org"]
10:37 < Jason404> oh what?? Is OpenVPN even supported on Win x64 ???
10:39 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:42 -!- joelsolanki [i=joelsola@123.237.173.217] has quit [Client Quit]
10:43 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has joined ##openvpn
10:44 -!- joel-reachxnetwo [i=joelsola@123.237.173.217] has left ##openvpn []
10:44 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:44 -!- muxpux [n=muxpux@soup.capital-today.net] has quit ["Lost terminal"]
10:53 < Jason404> ok. i found this: http://www.runpcrun.com/howtoopenvpn
10:53 < vpnHelper> Title: OpenVPN Windows HowTo | IT Support London - runPCrun (at www.runpcrun.com)
10:54 < Jason404> you could have told me about that earlier bot
10:54 < Jason404> what is the point of this bot if it just shows you links you have just mentioned?
10:57 < jpalmer> Jason404: too many people on IRC toss random links out, with no explanation of what it is. the bot grabs the title, so you can determine if it's of interest.
10:58 < Jason404> ah ok. makes sense
10:58 < jpalmer> example: I IRC from work, and don't follow random links, because I don't want porn, or objectionable material popping up.
10:58 < Jason404> of course
10:59 < Jason404> http://www.google.com
10:59 < vpnHelper> Title: Google (at www.google.com)
10:59 < Jason404> ic. it works with any link
11:01 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
11:22 < ecrist> Jason404: that bot doesn't just tell you page titles for links
11:22 < ecrist> it's got shortcuts to various information we have to shell out to nearly everyone that joins this channel
11:23 < Jason404> ic. i have only seen it give link titles, and I thought it was working on keywords that it found in the URLs
11:24 < Jason404> and then gives out the exact same link by coincidence
11:24 < Jason404> that link I found makes setting up openvpn a lot easier
11:25 < Jason404> uses the GUI
11:41 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
11:41 < joelsolanki> !route
11:41 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:43 -!- Dopefish [i=dopefish@unaffiliated/imk] has joined ##openvpn
11:49 -!- Dopefish [i=dopefish@unaffiliated/imk] has left ##openvpn []
11:50 -!- Seb [n=Seb@untangle/dev/seb] has left ##openvpn []
11:53 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
12:00 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has joined ##openvpn
12:01 < sasimo> hello
12:01 < sasimo> does someone know if openvpn can also communicate with a nortel router directly?
12:08 -!- sasimo [n=simonovi@dslb-084-058-191-003.pools.arcor-ip.net] has left ##openvpn []
13:32 -!- Jason404 [n=eggbean@host86-157-144-35.range86-157.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
13:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."]
14:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:51 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn
17:07 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
17:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
17:51 -!- Bushmills [n=nl@verhau.de] has quit [Read error: 60 (Operation timed out)]
17:52 -!- Bushmills [n=nnl@verhau.de] has joined ##openvpn
19:01 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
19:33 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
19:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:09 -!- MRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
20:10 -!- MRCUTEO is now known as mRCUTEO
20:12 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn
20:12 < mRCUTEO> hiya all
20:12 < mRCUTEO> happy chinese new year
20:13 < sasimo> hi everyone. in the listings the only answer is that openvpn can set up a preshared key. do i have an option to set a preshared key myself, which will then be put in the key file?
20:13 < onats> kiong hi huat chai!
20:14 < mRCUTEO> :) onats
20:19 < sasimo> someone alive?
20:29 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn []
20:41 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 110 (Connection timed out)]
20:41 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has joined ##openvpn
20:42 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
20:51 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has joined ##openvpn
20:52 -!- Gray9Mar [i=surf___@gateway/tor/x-8f3f538ae12f59ed] has quit [Remote closed the connection]
20:56 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
20:59 -!- blk_ice [n=devnull@bas8-montreal02-1096627565.dsl.bell.ca] has quit []
20:59 < dvl> your mom!
21:04 -!- sasimo [n=simonovi@dslb-084-058-147-101.pools.arcor-ip.net] has left ##openvpn []
21:18 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
21:41 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:15 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:26 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 110 (Connection timed out)]
22:47 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has joined ##openvpn
22:48 -!- zoredache_ [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
22:59 < reiffert> no, your mom!
23:24 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
23:24 < joelsolanki> Hi all
23:24 < joelsolanki> how much traffic will openvpn support
23:25 < joelsolanki> i want to know is it possible to have 10 Mbps traffic to be passing thru openvpn server and openvpn client ?
23:25 < joelsolanki> for us bandwidth is not an issue but will openvpn accept 10 mbps traffic without any problem ?
23:26 < joelsolanki> any suggestions / recommendations ?
23:33 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has joined ##openvpn
23:33 < frankS2> Sun Jan 25 06:35:42 2009 VERIFY ERROR: depth=1, error=certificate is not yet valid
23:33 < frankS2> anyone know how i can fix this?
23:41 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
23:46 < onats_> !dbf
23:46 < vpnHelper> onats_: Error: "dbf" is not a valid command.
23:56 < frankS2> Certificate is to be certified until Jan 23 05:59:51 2019 GMT (3650 days)
23:56 < frankS2> WTF!
23:56 < frankS2> i want it certified now
--- Day changed Sun Jan 25 2009
00:03 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
01:00 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has joined ##openvpn
02:42 < MMN-o> frankS2: You will have to sign a new one,
02:43 < MMN-o> But "until" means that it will _be_ certified including now _until_ that date.
02:44 < MMN-o> ...urr. I hope. I'm not sure on the exact terminology of openssl's messages
02:45 < MMN-o> In either case, openssl can print certificate sign- and expiration date
02:45 < MMN-o> frankS2: But most important, double-check your local time. Preferably keep it synchronized with ntp.
02:48 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:50 < MMN-o> Anyway, counting 2019-01-23 minus 3650 days would be correct (jan 25 2009) according to your log timestamp
03:18 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
03:23 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
03:35 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
05:20 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 104 (Connection reset by peer)]
05:21 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
05:21 < MMN-o> bah
05:33 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
06:35 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
06:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:47 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:53 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server?
08:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
09:01 < tjz> anyone using mac os w/ tunnelblick to connect to openvpn server?
09:03 < aar0n> tjz: yeah
09:03 < tjz> Hello aaron
09:04 < aar0n> tjz: hi
09:04 < tjz> we will copy the .ca and the .ovpn files to library > openvpn
09:04 < tjz> and we are ready to connect , right?
09:05 < aar0n> .ovpn files are for the windows client, tunnelblick will use them also ...
09:06 < aar0n> you will also need the cs the dhXXXX.pem
09:06 < aar0n> cs == ca (sry)
09:06 < aar0n> and of course the certificate
09:06 < tjz> ok
09:06 < tjz> looks good
09:07 < tjz> i have the same files copied to the config directory for the windows xp system
09:07 < tjz> works fine.
09:07 < aar0n> tjz: also be sure that the file path in the .conf or .ovpn is relative to the config file
09:07 < tjz> ah
09:07 < tjz> you are right, aaron
09:07 < tjz> what is the path for mac os?
09:08 < tjz> i am using ca "C:\\Program Files\\OpenVPN\\config\\ca.crt" for windows xp
09:08 < aar0n> tjz: tunnelblick will use the path of the .ovpn | .conf file as a relative base ...
09:08 < tjz> oh
09:08 < tjz> so..
09:08 < tjz> i will use:
09:08 < tjz> ca ca.crt
09:08 < tjz> am i right?
09:08 < aar0n> yes if the ca and the conf are both in ~/Library/openvpn/
09:08 < tjz> ok
09:08 < tjz> let me try
09:09 < tjz> should i put :
09:09 < tjz> ca "ca.crt"
09:09 < tjz> or
09:09 < tjz> ca ca.crt
09:09 < aar0n> that doesn't matter
09:09 < tjz> ok
09:10 < aar0n> but it's generally a good idea to put the certs and the ca in a subfolder so that you have something like ca SUBFOLDER/ca.crt in the conf, that comes in handy if you have more than one openvpn server to connect to and need to add more ca.crt files to the directory
09:12 < tjz> ok
09:23 -!- altus-dominus [n=altus-do@87-194-76-27.bethere.co.uk] has left ##openvpn ["Leaving"]
09:50 -!- aar0n is now known as aar0n_away
10:02 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has joined ##openvpn
10:02 < El_Presidente> hi
10:09 < ecrist> hi
10:11 < El_Presidente> ecrist, you remember my vpn problems? i set up a linux system
10:11 < El_Presidente> with an openvpn server on the router
10:12 < El_Presidente> server config: http://pastebin.com/m1b310221
10:12 < El_Presidente> firewall script: http://pastebin.com/m3977f879
10:12 < ecrist> El_Presidente: I don't remember your specific problems, though I think I remember you.
10:13 < El_Presidente> kk
10:13 < El_Presidente> tcpdump: http://pastebin.com/m67ce1b88
10:13 < El_Presidente> right now my vpn clients don't get an ip address from my local dhcp server
10:14 < El_Presidente> dhcpd config
10:14 < El_Presidente> http://pastebin.com/m39951496
10:14 < El_Presidente> the tunnel seems to be up
10:15 < ecrist> ok, what's your problem?
10:16 < El_Presidente> 1st the vpn clients don't get an IP address
10:17 < ecrist> why are you using tcp?
10:17 < El_Presidente> shall i use udp?
10:18 < ecrist> it is ideal. I'm sure you've been told that before.
10:18 < El_Presidente> well they told me that it's not important
10:18 < ecrist> also, what makes you think, from looking at your server config, your clients would get an IP?
10:18 < ecrist> who told you that?
10:18 < ecrist> that has never been said in here, by anyone knowledgeable.
10:18 < El_Presidente> someone here in the chat
10:19 < ecrist> !tcp
10:19 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:19 < El_Presidente> okay ty
10:19 < ecrist> to my other question, why do you think you should be getting an IP on the VPN?
10:19 < El_Presidente> i followed the howto for bridging
10:20 < El_Presidente> http://openvpn.net/faq.html#bridge-addressing
10:20 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net)
10:20 < ecrist> well, the line that would assign an IP to vpn clients is commented out in the config you posted.
10:20 < El_Presidente> and did the second variant
10:20 < El_Presidente> because the first did not work
10:20 < El_Presidente> and i find the second variant more appealing
10:21 < ecrist> what's more appealing?
10:22 < El_Presidente> that my local dhcp distributes the ip addresses
10:22 < El_Presidente> to the vpn
10:22 < ecrist> you want to use your LAN dhcp server
10:22 < ecrist> OK
10:22 < El_Presidente> yes
10:22 < ecrist> do you have your bridge built?
10:23 < El_Presidente> yes
10:23 < El_Presidente> with bridge-start
10:23 < El_Presidente> i changed the script according to my needs
10:23 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
10:23 < joelsolanki> Hi friends
10:23 < joelsolanki> hey ecrist :)
10:24 < joelsolanki> how are you ?
10:24 < El_Presidente> hello joelsolanki
10:24 < joelsolanki> Hi E1
10:24 < joelsolanki> just wanted to know can i have a vpn client connect to 2 different vpn servers. vpn client is windows based sysem.
10:24 < joelsolanki> system
10:25 < El_Presidente> joelsolanki, create 2 tap devices
10:25 < El_Presidente> and 2 client configs
10:25 < joelsolanki> ok so the same openvpn installation will take care of 2 client configs right ?
10:26 < El_Presidente> ecrist, http://pastebin.com/m50e9104 bridge-start
10:27 < ecrist> sorry, gotta go.
10:28 < El_Presidente> okay ty
10:28 -!- onats_ [n=onats@122.53.136.244] has quit [Remote closed the connection]
10:30 -!- aar0n_away is now known as aar0n
10:33 -!- tjz [n=tjz@bb121-7-99-38.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:22 -!- joelsolanki [i=joelsola@123.237.173.217] has left ##openvpn []
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:52 -!- mcp [n=mcp@wolk-project.de] has quit [Remote closed the connection]
11:52 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal]
11:53 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
11:59 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn
11:59 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
12:00 -!- emcepe is now known as mcp
12:07 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn
12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has joined ##openvpn
12:18 -!- deh_ [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Konversation terminated!"]
12:30 -!- ozirus [n=Furkan@81.214.150.105] has joined ##openvpn
12:41 < ozirus> how can i provide a "vpn connection time expire" thing. say, our client books the vpn connection for 1 hour and when the 1 hour finishes, the server kills the client's vpn connection. (ps: i'm trying to create an e-learning system)
12:44 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
12:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:59 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client
12:59 < El_Presidente> http://pastebin.com/m29c1a193
13:00 < El_Presidente> server config: http://pastebin.com/m1b310221
13:00 < El_Presidente> client : http://pastebin.com/m4b763acc
13:00 < El_Presidente> any suggestions?
13:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:17 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
13:19 < _Sam--> hi, i have 2 hosts, A (openvpn server) and B (windows openvpngui). they are connected over WAN (public internet). when pinging/mtr/traceroute/whatever from either host in either direction OUTSIDE the vpn, there is no packet loss, latency or connection quality issue of any kind. when i do the same test to the vpn ip of both hosts, i end up with major packet loss and latency as soon as data starts to move over the vpn connection
13:20 < RUS> !configs
13:20 < vpnHelper> RUS: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:21 < _Sam--> thank you...just a min or two.
13:23 < ecrist> _Sam--: did you rule out hardware problems?
13:24 < _Sam--> ecrist : no i haven't.
13:24 < _Sam--> but the problems are only occurring, over the vpn.
13:24 < _Sam--> here is the server
13:24 < _Sam--> port 1194
13:24 < _Sam--> proto udp
13:24 < _Sam--> dev tap
13:24 < _Sam--> ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
13:24 < _Sam--> cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
13:24 < _Sam--> key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
13:24 < _Sam--> dh dh1024.pem
13:24 < _Sam--> ifconfig-pool-persist ipp.txt
13:24 < _Sam--> server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100
13:24 < ecrist> _Sam--: pastebin
13:24 < _Sam--> client-to-client
13:24 < _Sam--> keepalive 10 120
13:24 < _Sam--> comp-lzo
13:24 < _Sam--> persist-key
13:24 < _Sam--> status openvpn-status.log
13:24 -!- mode/##openvpn [+o ecrist] by ChanServ
13:24 < _Sam--> log-append openvpn.log
13:24 -!- mode/##openvpn [+b *!*n=sam@*.kneedraggers.com] by ecrist
13:25 -!- mode/##openvpn [-o ecrist] by ecrist
13:25 < RUS> hi all
13:25 < RUS> what am i doing wrong ? did it with the HOWTO installation guide. but have an error.
13:25 < RUS> openvpn /etc/openvpn/server.conf Sat Jan 24 15:55:01 2009 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Jan 22 2009
13:25 < RUS> Sat Jan 24 15:55:01 2009 Diffie-Hellman initialized with 1024 bit key
13:25 < RUS> Sat Jan 24 15:55:01 2009 Cannot load certificate file /etc/openvpn/easy-rsa/keys/server.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
13:25 < RUS> Sat Jan 24 15:55:01 2009 Exiting
13:26 < ecrist> RUS: pastebin, please
13:26 < RUS> bin ?
13:26 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has left ##openvpn []
13:26 < ecrist> RUS pastebin.com
13:26 < RUS> hm nice. wait plz
13:27 < RUS> http://pastebin.com/m10a97cb
13:27 < ecrist> but, it doesn't matter, as your server.crt file doesn't exist, or is in an incorrect format
13:27 < RUS> ecrist that file is ecsist.
13:27 < RUS> exist
13:27 < RUS> maybe its now PEM _ LIB ?
13:27 < RUS> where can i find and install it ?
13:28 < RUS> now = no
13:28 -!- mode/##openvpn [+o ecrist] by ChanServ
13:28 -!- mode/##openvpn [-b *!*n=sam@*.kneedraggers.com] by ecrist
13:28 -!- mode/##openvpn [-o ecrist] by ecrist
13:28 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
13:28 < _Sam--> sincere apologies to everyone for my mistake. i'm not a retard, just sometimes.
13:28 < ecrist> RUS, read through the following document, see if there are steps you missed.
13:28 < ecrist> !freebsd
13:28 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:29 < RUS> !freebsd
13:29 < vpnHelper> RUS: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:29 < RUS> !centos
13:29 < vpnHelper> RUS: Error: "centos" is not a valid command.
13:29 < ecrist> RUS, read the link under freebsd.
13:29 < _Sam--> this is my current server.conf http://pastebin.com/me2786ae
13:30 < ecrist> it's only mildly OS-specific
13:30 < ecrist> _Sam--: as I mentioned the other day, either you have a hardware/processor problem, or you have an ISP who's throttling your udp connections
13:30 < ecrist> why are you messing with mtu?
13:31 < _Sam--> because i was seeing if it had any noticeable difference if i tried adjusting it.
13:31 < _Sam--> it did seem to help a little.
13:31 < ecrist> have you looked at the mtu testing built in to openvpn?
13:31 < ecrist> !mtu
13:31 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
13:32 < _Sam--> if i could also give just a few more details , if i traceroute/ping/mtr to other hosts on the vpn i don't have packet loss, and data flows fine. but to the one particular host which is the vpn server, packet loss occurs.
13:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
13:33 < ecrist> so, pings between clients aren't affected?
13:33 < ecrist> or one client?
13:34 < _Sam--> ecrist : the former. pings, data, packet loss, all perfect between and among all other hosts on the vpn, except for if one of those hosts is the vpn server.
13:36 < _Sam--> i dunno. i have to think you are correct and maybe i am just seeing anomalies in the external network out of my control. but it just doesn't seem it.
13:36 < _Sam--> like you said, isp throttling UDP, prob.
13:37 < _Sam--> it's odd that they would do that to our connection after having the same connectivity with them for 4 years, and having had the vpn fine for the last 2.5
13:37 < ecrist> udp throttling is a recent addition to ISP networks.
13:38 < _Sam--> that makes sense, cause i remember some network disruption in december when their router was down, at least the one we connect to. maybe they upgraded.
13:38 < ecrist> have you tried switching to TCP, to see if it mitigates your problem?
13:39 < _Sam--> no i haven't...but i might do that now. if it does in fact fix it, what is the easiest way to fix the configs of the remote clients?
13:40 < ecrist> ship a new config to your clients and have them install it.
13:40 < ecrist> read !tcp for more info on TCP, though
13:40 < El_Presidente> ecrist, wb
13:40 < _Sam--> yeah. put it on our external site, have them grab it...could be worse.
13:40 < _Sam--> !tcp
13:40 < vpnHelper> _Sam--: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:42 < _Sam--> thank you again for mostly your patience with me, and also your advice, as always.
13:42 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
13:47 < _Sam--> you are RIGHT again. the vpn packet loss and latency only happens between certain routes, and certain ISPs.
13:49 < _Sam--> do some people run 2 different servers listening on both tcp and udp at the same time?
13:49 < ecrist> it can be done, I don't know of anyone who's doing it.
13:50 < _Sam--> while i may sound a bit crazy, i spent a lot of time tracking down this particular problem. it would be cool to maybe compile a list of known throttlers.
13:50 < _Sam--> in my case, it's verizon fios.
13:51 < _Sam--> i have to do some more research to confirm 100% it's them.
13:56 < _Sam--> might you have any suggestion for if i wanted to run another process listening on TCP just to test with, so i don't have to disrupt the other actively connected folks? will it complain that it's already running?
13:56 < ecrist> different protocol, shouldn't complain.
14:01 < El_Presidente> ecrist, can you please take a look at my second post?
14:02 < El_Presidente> i still have a problem with the assigning of the default gateway in my openvpn client
14:02 < El_Presidente> http://pastebin.com/m29c1a193
14:02 < El_Presidente> server config: http://pastebin.com/m1b310221
14:02 < El_Presidente> client : http://pastebin.com/m4b763acc
14:02 < El_Presidente> i was able to get dhcp working
14:03 < ecrist> El_Presidente: did you read the logfile?
14:03 < ecrist> it tells you what you're missing...
14:04 < ecrist> Sun Jan 25 17:20:06 2009 NOTE: unable to redirect default gateway -- VPN gateway parameter (--route-gateway or --ifconfig) is missing
14:05 -!- frankS2 [n=frank@ti500720a080-4450.bb.online.no] has quit [Read error: 145 (Connection timed out)]
14:24 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn
14:26 < El_Presidente> ecrist, yes but i supply it ...
14:26 < El_Presidente> in the server config
14:26 < El_Presidente> push " redirect gateway def1
14:26 < El_Presidente> "
14:27 < El_Presidente> ecrist, and i followed the howtos and they say just the 2 options are needed
14:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:30 < El_Presidente> ecrist, http://openvpn.net/index.php/documentation/howto.html#redirect
14:30 < vpnHelper> Title: HOWTO (at openvpn.net)
14:36 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:42 < ecrist> El_Presidente: look up --route-gateway in the howto
14:43 < El_Presidente> i did
14:43 < ecrist> go here: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
14:43 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
14:43 < ecrist> search the page for --route-gateway
14:44 * ecrist goes away
14:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:54 -!- RUS [n=Mirc@88.214.199.147] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
15:41 -!- ozirus [n=Furkan@81.214.150.105] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"]
16:01 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:02 -!- Plecebo [n=larry@64.62.119.142] has joined ##openvpn
16:05 < Plecebo> I'm using bridge mode and am having trouble pinging other computers on my local network from my client.
16:06 < Plecebo> example: vpn server ip: 192.168.16.55 non vpn machine ip: 192.168.16.5 vpn client ip: 192.168.16.200
16:07 < Plecebo> from the client I can not ping 192.168.16.5
16:07 < Plecebo> I'm connecting ok though (or so the status messages indicate)
16:14 < _Sam--> ecrist : thanks again. tcp is 0% packet loss, all fine. but i wouldn't go so far to say it's definitely verizon fios hassling the UDP, i'm not sure exactly who.
16:14 < _Sam--> but it's definitely something UDP related.
16:15 < _Sam--> maybe with this economy, more torrents flowin. dunno!
16:35 < deh> Noob at openvpn. I can ping my server via a client on another machine on the lan; a friend can ping via internet from his house. However, when one pings it appears to lock out the other, and we can't ping each other. Does this make sense?
16:40 < _Sam--> i really don't know much about that kind of stuff, but it might be that both you and your friend are using the same certificate, and maybe even are assigned the same vpn ip....and the vpn server may not know how to route the packets.
16:40 < _Sam--> like i said, i don't know a lot, though.
16:42 < deh> Sam: The certificates are definitely different, but it does look like they are being assigned the same vpn ip. Not sure how to correct the latter.
16:43 < _Sam--> well, i believe it would depend on your config, whether you are bridging or not.
16:43 < _Sam--> but there's a setting to assign IPs, and which to assign.
16:46 < deh> Sam: It is set up for routing, i.e. tun
16:47 < _Sam--> well, you would either have some line like this: server 10.8.0.0 255.255.255.0
16:47 < _Sam--> or, server-bridge 10.8.0.50 255.255.255.0 10.8.0.51 10.8.0.100
16:47 < _Sam--> but prob. not both.
16:47 < _Sam--> therein are the ips for assignment
16:53 < deh> Sam: Thanks for the thoughts. I have to break for dinner. Here is my line in the server config file 'server 10.143.15.0 255.255.255.0'. Maybe it has to do with my connecting to the server from the lan.
16:54 < _Sam--> there are also some settings that tell it to remember your ip based on certificate, and assign it to you again.
17:01 -!- zoredache_ [n=zoredach@c-76-121-86-209.hsd1.wa.comcast.net] has joined ##openvpn
17:01 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has quit [Read error: 104 (Connection reset by peer)]
17:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:24 -!- El_Presidente [i=Martin@p5798F46F.dip.t-dialin.net] has quit ["Verlassend"]
17:47 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
18:08 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["BitchX: the ONLY three day cure!"]
18:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
18:16 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Connection timed out]
18:23 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn
18:38 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
18:40 -!- deh [n=deh@pool-96-228-140-131.tampfl.fios.verizon.net] has quit ["Leaving"]
18:49 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has joined ##openvpn
18:54 < frankS2> Sun Jan 25 19:58:00 2009 WARNING: potential route subnet conflict between local LAN [10.0.0.0/255.255.255.0] and remote VPN [10.0.0.0/255.255.255.0]
18:54 < frankS2> what does this mean?
19:32 < aar0n> frankS2: that your physical local lan network addresses / netmask might collide with the vpn's internal network addresses / netmask
19:34 < frankS2> aar0n, thank you - I have another question for you if that's ok
19:34 < frankS2> aar0n, when i connect to my VPN (tun0 gets up good with ip address and all (192.168.0.5, gw is 192.168.0.1) i am not able to ping 192.168.0.1
19:35 < frankS2> 192.168.0.0/24 is VPN
19:35 < frankS2> Internal network is 10.0.0.0/24
19:36 < aar0n> frankS2: mhh the gateway shouldn't be 192.168.0.1 unless you really want this ... have you checked iptables on the server's tun0 interface ?
19:37 < aar0n> it must accept INPUT and OUTPUT of traffic
19:37 < frankS2> it should work.. i run pfsense
19:37 < frankS2> with the vpn package
19:37 < frankS2> and i followed the manual of pfsense
19:37 < aar0n> frankS2: i don't know it ... maybe you find a pfsense irc channel
19:38 < aar0n> frankS2: the openvpn howto on openvpn.org is also a good resource
19:39 < frankS2> aar0n, ok thank you
20:10 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has joined ##openvpn
20:11 < QuiescentW> i'm having problems with openvpn. once i get connected to my server i can't get on the internet locally
20:12 < QuiescentW> until i bring tap0 down
20:12 < aar0n> QuiescentW: make sure that the networks do not overlap
20:13 < QuiescentW> my local network is 192.168.1.0 and the openvpn server is on network 192.168.56.0
20:18 < QuiescentW> hmm
20:18 < QuiescentW> something is completely borked
20:18 < QuiescentW> even after it's disconnected now i can't get online
20:18 < QuiescentW> well
20:18 < QuiescentW> i can't resolve any ips
20:19 < aar0n> make sure the netmask is both 24 bit
20:19 < aar0n> eg. 255.255.255.0
20:22 < QuiescentW> they are
20:22 < aar0n> are you pushing any routes dns server or other options in the ccd or config file
20:23 < QuiescentW> do i need this bridge no
20:23 < QuiescentW> ... i mean, no
20:24 < QuiescentW> do i need this server-bridge line in here if I just use brctl to add tap0 to the lan bridge on my openvpn server?
20:25 < QuiescentW> i manually added tap0 on the server into a bridge and when i connect with the client i get a dhcp address outside the range of what is defined with server-bridge in the config file
20:25 < QuiescentW> i tried with that line commented out and not
20:26 < QuiescentW> still i get the same thing where i can't access the internet once i'm connected
20:26 < QuiescentW> i'll pastebin my configs
20:30 < QuiescentW> server: http://pastebin.com/f7c63ddbf client: http://pastebin.com/f3d2bac7c
20:30 < QuiescentW> the server is running on openwrt, i've been manually adding tap0 to the br-lan bridge
20:31 < QuiescentW> then connecting the client
20:31 < QuiescentW> and doing sudo ifconfig tap0 up; sudo dhclient tap0
20:31 < QuiescentW> then my internet breaks
20:31 < QuiescentW> the firewall on the server is completely off and it's connected directly to a modem
20:32 < QuiescentW> and i can't ping my local gateway or the gateway over the vpn
20:34 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
20:39 < aar0n> QuiescentW: sry, would love to help ... but i'm too tired right now ... i'm going to bed
20:40 < QuiescentW> thanks anyway
20:48 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit ["Read error: Connection reset by peer"]
20:51 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has joined ##openvpn
21:00 -!- frankS2 [n=frank@ti500720a080-1584.bb.online.no] has quit [Read error: 60 (Operation timed out)]
21:01 -!- Gray9Mar_ [i=surf___@gateway/tor/x-ae0c356c0091c7fa] has quit [Remote closed the connection]
21:01 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has joined ##openvpn
21:38 -!- Plecebo [n=larry@64.62.119.142] has quit [Remote closed the connection]
21:57 -!- easymac [i=uminac@users.easymac.org] has left ##openvpn []
22:19 -!- zoredache_ is now known as zoredache
22:55 < QuiescentW> does openvpn run the bridge-start and bridge-stop scripts or do i need to do that manually?
22:57 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:58 < onats> hi
23:59 -!- QuiescentW [n=Quiescen@c-68-56-237-254.hsd1.fl.comcast.net] has quit ["Leaving"]
--- Day changed Mon Jan 26 2009
00:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
00:08 < joelsolanki> hey guys
00:08 < joelsolanki> can tcpwrappers give trouble for connecting openvpn from client machine?
00:08 < joelsolanki> my friend has ubuntu 8.0.4 but vpn is not working
00:09 < joelsolanki> read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
00:09 < joelsolanki> this error i receive on server side.
00:09 < joelsolanki> but the same keys work on windows xp
00:09 < joelsolanki> and even on other linux machine
00:09 < joelsolanki> so does /etc/hosts.allow come in picture for openvpn connecting ?
01:05 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
02:13 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 101 (Network is unreachable)]
02:21 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:21 < joelsolanki> hello anybody around?
02:22 < joelsolanki> for the last 3 to 4 days my friend is facing problem in openvpn on ubuntu 8.0.4
02:22 < joelsolanki> so for checking perfectly i installed ubuntu 8.0.4 on my test machine.
02:22 < joelsolanki> installed openvpn and kept the keys and stuff but i also see it is not working.
02:23 < reiffert> joelsolanki: answer is no, /etc/hosts.allow on the client machine is not responsible.
02:23 < joelsolanki> yes it doesnt seem to be tcp wrappers issue.
02:23 < joelsolanki> it is something different.
02:24 < joelsolanki> ca.cert client.conf joel_vista.cert joel_vista.csr joel_vista.key files are working on my redhat and debian os
02:24 < joelsolanki> but today i installed ubuntu 8.0.4 and copied all these files and started openvpn but it gives error.
02:24 < reiffert> !iptables
02:24 < vpnHelper> reiffert: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
02:25 < joelsolanki> iptables input,output,forward are all set to ACCEPT as default policy
02:25 < joelsolanki> so no firewall
02:25 < joelsolanki> let me pastebin the output in verb 6
02:26 < reiffert> ACCEPT and empty?
02:26 < joelsolanki> yes all is set to ACCEPT and there are no firewall rules
02:27 < joelsolanki> http://pastebin.ca/1318393
02:27 < joelsolanki> this is the output of client machine
02:28 < joelsolanki> this is the output of server machine http://pastebin.ca/1318394
02:28 < joelsolanki> see if you find something.
02:30 < reiffert> You mixed up the certificate stuff. See
02:30 < reiffert> !howto
02:30 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:30 < joelsolanki> can you explain me ?
02:30 < reiffert> !configs
02:30 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:31 < joelsolanki> ok 1 sec
02:31 < joelsolanki> http://pastebin.ca/1318395
02:31 < joelsolanki> this is the client config
02:32 < joelsolanki> on my vpn server there are already 4 to 5 users connected.
02:32 -!- zoredache [n=zoredach@pdpc/supporter/professional/zoredache] has left ##openvpn []
02:32 < joelsolanki> maybe i have missed something on client config
02:34 < joelsolanki> these same files. ca.cert, client.conf, joel_vista.cert, joel_vista.csr, joel_vista.key i kept on debian OS before and it connected. same with fedora 5
02:34 < joelsolanki> but on ubuntu 8.0.4 it didnt work.
02:34 < joelsolanki> not able to understand what is causing problem.
02:35 < joelsolanki> reiffert: still do you think it is certificate stuff ?
02:36 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:37 < joelsolanki> reiffert: you there ?
03:07 < cyberjames> /wi/wind6
03:07 < cyberjames> ops
03:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:53 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:02 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
05:21 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
05:22 < c64zottel> hello,
05:22 < c64zottel> is it possible, that the user gets automatically a ticket from a kerberos server, when he logs in via OpenVPN?
05:25 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
06:08 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:11 < dazo> c64zottel: I don't know ... but it's an interesting approach .... if you have user/auth authentication enabled in OpenVPN ... you could probably manage to write a script which does the authentication and then issues a request for a ticket ... BUT ... I don't think it will work, since that ticket will only be valid on the OpenVPN server, it will not be "exported" to the client, afaik
06:12 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [Client Quit]
06:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn
06:24 < brain0> hi
06:24 < brain0> what ways are there to reduce openvpn server memory usage?
06:25 -!- skx [i=skx@unaffiliated/skx] has joined ##openvpn
06:26 < brain0> with one connected client, it uses almost 7MB of memory, which is pretty much if you have 16MB memory
06:27 < brain0> will the memory usage be reduced with --max-clients 1 or with --mode p2p instead of --mode server? (and will I be able to use push-directives in --mode p2p?)
06:27 < skx> Hello, I would like to set up openvpn tunnel to a computer at home, which does not have public ip address (nor can I forward any ports). However I can create an ssh tunnel to the appropriate port -- can openvpn work in this configuration?
06:29 < brain0> this is my configuration: http://pastebin.com/d503bb027 but I only connect rarely and only with one client, so if there is anything I can do to reduce memory usage, I'd really appreciate it :)
06:29 < dazo> skx: yes, OpenVPN can work as long as you can get access to it via Internet
06:29 < skx> dazo, and ssh tunnel will do?
06:30 < dazo> skx: How is it that you can ssh to the box? if you can SSH to your box ... it's the same for openvpn, just different port numbers
06:30 < skx> it's called reverse ssh tunnel iirc
06:30 < skx> I can ssh to the box by routing this connection through another machine
06:30 < dazo> skx: ahh ... that explains
06:31 < dazo> skx: I've not tried openvpn over ssh tunnel .... it requires openvpn to be in TCP mode ... in theory this should work .... but how well it will work, regarding throughput, I have no idea
06:32 < skx> ok, thanks, will try that then
06:33 < dazo> skx: be aware that you might need to have a closer look on the MTU parameters for this to work as well ... you might need to decrease the MTU values to make it work as well
06:33 < skx> MTU and tcp mode
06:33 < skx> ok
06:33 < skx> I'll probably be back anyway
06:34 < dazo> skx: and since you have the traffic encrypted via SSH first ... I would probably consider not to use encryption in OpenVPN, or a weak one, to avoid CPU time spent on trying to encrypt and compress encrypted data
06:34 < dazo> skx: but if you are paranoid and want to be 100% sure the data transfer is safe .... use double layer encryption too :)
06:35 < skx> but only traffic between the routing machine and my home box is encrypted
06:35 < dazo> skx: oh true ... good point
06:35 < skx> traffic from my laptop to the routing machine would be in plain text
06:35 < dazo> skx: I thought that this ssh server was on a local network of yours
06:56 < c64zottel> dazo, thx, at least now i know that i understand the stuff right
06:57 < dazo> c64zottel: np! :)
07:02 < c64zottel> but its possible to run a script if openvpn authenticated successfully, so this could be the script to authenticate against kerberos, but, how can i distribute the credentials to it?
07:06 < dazo> c64zottel: well, I was only thinking about the server side ... I don't know how this could work on the client side ... if you use something like --up scripts or similar
07:06 < ecrist> morning, bitches
07:07 < c64zottel> mornich christ
07:07 * ecrist looks around for christ
07:07 * dazo does not acknowledge ecrist as christ .... not before I've seen some miracles ....
07:08 < dazo> c64zottel: but I don't think there are any mechanisms in krb to distribute the credentials .... but I don't know krb so well
07:08 < c64zottel> dazo, right
07:08 < c64zottel> morning, main-bitch
07:11 < ecrist> dazo, I can turn wine into pee...
07:11 < dazo> ecrist: heh ... so can I :-P
07:46 -!- Sir_J [n=Sir_J@86.57.159.207] has joined ##openvpn
07:51 < plaerzen> morning irc
07:55 < ecrist> good morning, plaerzen
07:56 < plaerzen> how was your weekend?
07:56 < ecrist> cold.
07:56 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Pagautas
07:56 < ecrist> played a lot of rock band and sat around the house.
07:56 -!- Netsplit over, joins: Pagautas
07:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:11 < plaerzen> ecrist, yeah, it's been cold here too.
08:12 < plaerzen> ecrist, But, up here, if you hate the cold, you're living in the wrong city. I woke the sun on sunday morning with my cajoling.
08:24 -!- brain0 [n=brain0@archlinux/developer/brain0] has quit ["leaving"]
08:35 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
08:35 -!- Sir_J [n=Sir_J@86.57.159.207] has quit [Read error: 131 (Connection reset by peer)]
08:38 < ecrist> plaerzen: where's 'up here'?
08:39 < plaerzen> calgary, canada
08:39 < plaerzen> ecrist,
08:55 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
09:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:56 < ecrist> lol: http://www.i-hacked.com/content/view/274/1/
09:57 < vpnHelper> Title: I-Hacked.com Taking Advantage Of Technology - Inside Programmable Road Signs (at www.i-hacked.com)
09:57 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:04 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn
10:04 < muxpux> hi..this is my network support
10:04 < muxpux> like
10:05 < muxpux> we have a router/modem
10:05 < muxpux> under it got a server dmzed
10:05 < muxpux> openvpn server running on it
10:07 < muxpux> so the server got private i[
10:07 < muxpux> ip
10:07 < muxpux> so can i use bridged vpn on that server
10:07 < muxpux> ?
10:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:23 < ecrist> sure, why not?
10:28 -!- frankS2 [n=frank@ti500720a080-0043.bb.online.no] has quit [Read error: 60 (Operation timed out)]
10:30 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
10:30 < mmcgrath> I've got a client that keeps reconnecting to our vpn server. When I ping it (via vpn) it gets about 50% packet loss over time. When I ping it directly (not over vpn) I get 0% packet loss.
10:30 < mmcgrath> the logs on both servers don't really show much but I am seeing:
10:30 < mmcgrath> SIGUSR1[soft,ping-restart] received, process restarting
10:31 < mmcgrath> which almost, to me anyway, implies that something is restarting vpn.
10:31 < ecrist> mmcgrath: tcp or udp?
10:31 < mmcgrath> udp
10:31 < mmcgrath> I used iperf to test udp traffic between the two. I didn't see any errors though it wasn't as fast as I'd thought.
10:31 < dazo> mmcgrath: could it be some mtu issues?
10:32 < mmcgrath> It could be. I've got lots of servers on this LAN (both the client and server are on a LAN) but this is the only host I'm seeing it on.
10:32 < dazo> mmcgrath: which versions (openvpn) are you using on server and client?
10:33 < mmcgrath> openvpn-2.1-0.29.rc15.el5
10:33 < mmcgrath> both
10:33 < mmcgrath> one other thing I've considered is that another host accidentally has this host's certs and is trying to connect as it.
10:33 < dazo> mmcgrath: that should be very fine ... I'm running a similar setup myself, without issues ... even though I haven't benchmarked it yet ... as it seems to be reliable enough
10:34 < mmcgrath> but I thought that would show up in the server logs.
10:34 < dazo> mmcgrath: yeah, that should pop up in logs
10:34 < dazo> mmcgrath: tls enabled? ... or only shared static.key?
10:35 < mmcgrath> tls
10:35 < mmcgrath> is the "SIGUSR1[soft,ping-restart]" entirely generated by openvpn?
10:36 < dazo> mmcgrath: this is really odd ... I'd try a few different mtu values .... to see if that could be the reason
10:36 < mmcgrath> k
10:36 < dazo> mmcgrath: yeah, SIGUSR1 is internal to the openvpn process .... unless you have a third-party application doing kill -USR1 .... or something playing with the management interface, if that's enabled
10:38 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Read error: 110 (Connection timed out)]
10:39 < mmcgrath> OH!
10:39 < mmcgrath> interesting.
10:39 * dazo gets curious now ...
10:39 < mmcgrath> I missed it earlier. I have two tun devices up right now, tun0 and tun1. Both with the vpn IP address.
10:39 * mmcgrath wonders why both of those are up.
10:40 < dazo> both with the same IP addresses?
10:40 < mmcgrath> yeah, its almost as if two openvpn procs are running
10:40 < mmcgrath> and yes, right now two of them actually are running. Most curious.
10:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
10:42 < dazo> mmcgrath: that can cause such "ping-restart" requests yes ... if one of the processes doesn't get the expected response in time
10:43 < mmcgrath> Yeah, it looks like one is just up and running (from like 3 weeks ago or so) and the other one keeps restarting.
10:43 < mmcgrath> I ended up killing the old one and everything is fine now. I'm trying to go through my logs to see what might have caused it.
10:49 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has joined ##openvpn
11:19 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:20 -!- Sir_J_ [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
11:35 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
11:39 -!- Gray9Mar [i=surf___@gateway/tor/x-d77b429510f9d885] has quit [Remote closed the connection]
11:46 -!- Gray9Mar_ [i=surf___@gateway/tor/x-78139b99659002fc] has quit [Remote closed the connection]
11:48 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has joined ##openvpn
11:48 -!- joelsolanki [i=joelsola@123.237.173.217] has joined ##openvpn
11:48 < joelsolanki> Good morning guys
11:49 < joelsolanki> i have a strange problem in openvpn.
11:49 < joelsolanki> .key .csr .cert ca.cert all are working well on redhat and debian linux
11:49 < joelsolanki> but all the same stuff on ubuntu 8.0.4 is giving error
11:50 < joelsolanki> let me pastebin the client output of syslog.
11:51 < joelsolanki> http://pastebin.ca/1318736
11:51 < dazo> joelsolanki: the problem is not openvpn ... it's ubuntu :-P
11:51 < joelsolanki> that is what i thought. but i just really dont know how to figure it out.
11:52 < joelsolanki> i have tried my best to solve but no luck.
11:52 < joelsolanki> iptables firewall is OFF. tcpwrappers is OFF.
11:52 < dazo> joelsolanki: install Fedora? :-P
11:52 < joelsolanki> there is no other vpn software on ubuntu too.
11:52 < joelsolanki> naah. i cant do that :(
11:52 < dazo> joelsolanki: well seriously .... the problem is here: VERIFY X509NAME ERROR: /CN=lakefront.countersnipe.com, must be lakefront.countersnipe.com
11:53 < joelsolanki> what is that problem ?
11:53 < dazo> joelsolanki: it's a mismatch between certificate and expected hostname .... are you using tls-verify?
11:54 < dazo> joelsolanki: sorry ... tls-remote
11:54 < joelsolanki> yes this is client.conf http://pastebin.ca/1318739
11:54 < joelsolanki> and it seems it is set perfect in client.conf. take a look at pastebin abov
11:54 < joelsolanki> above
11:56 < dazo> joelsolanki: okey ... I'm guessing the Subject field in your certificate has become screwed up somehow .... Try to create a new certificate ... it's failing on the certificate validation
11:57 < dazo> joelsolanki: the log you sent ... was that from server or client?
11:57 < joelsolanki> log is from client
11:57 < joelsolanki> man i created more than 4 certificates. all are failing.
11:58 < joelsolanki> :)
11:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Success]
11:58 < dazo> joelsolanki: aha .... okey ... which openvpn and openssl version are you using?
11:58 < joelsolanki> let me check
12:01 < dazo> joelsolanki: also check one thing with your certificate .... can you share the result of this command line? -> openssl x509 -noout -subject -in {certfile}
12:01 < dazo> Just to check that the cert looks reasonable
12:02 < joelsolanki> openssl Version: 0.9.8g-4ubuntu3
12:02 < joelsolanki> openvpn Version: 2.1~rc7-1ubuntu3
12:03 < joelsolanki> ok let me see
12:03 < dazo> joelsolanki: both your client cert and the ca.cert
12:04 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."]
12:04 < joelsolanki> client is subject= /CN=delhi
12:04 < joelsolanki> server is subject= /CN=CounterSnipe openvpn CA
12:04 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:05 < dazo> joelsolanki: and what about the ca.cert ?
12:05 < dazo> joelsolanki: it should be 3 certificates ... client, server and ca
12:05 < boneybastard> Keep getting Connection Refused (code=111)
12:05 < boneybastard> http://paste.debian.net/26965/
12:05 < joelsolanki> boneybastard: same with me :)
12:06 < boneybastard> thought it was the firewall at first but the ports are forwarded, outgoing udp is allowed
12:06 < boneybastard> and tun0 accepts traffic
12:06 < boneybastard> joelsolanki any success ?
12:06 < aar0n> hi
12:06 < aar0n> i have a strange problem
12:07 < joelsolanki> i gave you client and ca.cert
12:07 < joelsolanki> i m looking for server file. dazo
12:07 < dazo> joelsolanki: just take the ca.cert which you point at in the client config
12:07 < joelsolanki> dazo: what would be file name
12:08 < joelsolanki> oh k
12:08 < aar0n> i have 2 openwrt routers, one running an openvpn server, one running an openvpn client ... they both bridge tap0 to the bridge ... until recently this setup gave both networks a transparent connection - but now i can only ping from one side of the network to the other ... the other way around the icmp packets never find the destination
12:08 < joelsolanki> subject= /CN=CounterSnipe openvpn CA
12:08 < joelsolanki> dazo: same results
12:09 < dazo> boneybastard: for me it seems like you might block outgoing traffic on your server .... missing a -m state --state RELATED,ESTABLISHED -j ACCEPT rule in output?
12:09 < dazo> joelsolanki: that's the problem .... openvpn expects lakefront.countersnipe.com ... not CounterSnipe openvpn CA ....
12:09 < boneybastard> hm, its going over udp which is stateless
12:10 < boneybastard> -m state --state RELATED, ESTABLISHED still needed?
12:11 < dazo> joelsolanki: I'm afraid to say, that you most probably should try to setup your CA once again .... create CA key and cert, then create server.key and server.crt ... and then client.key and client.crt .... common_name on server and client must be their hostnames .... common_name for CA can be whatever else
12:12 < joelsolanki> dazo: how come it works in redhat and debian ?
12:12 < joelsolanki> ok
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:12 < dazo> boneybastard: I would expect so, yes .... and if that's not the case .... the traffic is blocked on the client .... again, typical state issue
12:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:13 < boneybastard> ill snoop around a little, thanks for the help dazo
12:13 < dazo> joelsolanki: that's a good question ... you can try that openssl command on those boxes as well and see what they say .... because I would actually expect this to fail as well
12:13 < dazo> boneybastard: np!
12:13 < joelsolanki> ok let me check
12:14 < joelsolanki> it says same result subject= /CN=CounterSnipe openvpn CA
12:14 < joelsolanki> then it should fail on redhat too
12:14 < dazo> and your client config also says tls-remote?
12:14 < joelsolanki> you want to see the log of redhat ?
12:14 < joelsolanki> yes
12:14 < dazo> please
12:15 < dazo> and config
12:15 < joelsolanki> ok let me do
12:15 < dazo> this is really odd ...
12:17 < joelsolanki> http://pastebin.ca/1318749
12:17 < joelsolanki> take a look
12:19 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
12:19 < joelsolanki> sorry verb 6 is not active. let me do and send you logs again
12:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
12:21 < donavan> !route
12:21 < vpnHelper> donavan: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:21 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)]
12:22 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit]
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=1, /CN=CounterSnipe_openvpn_CA
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY X509NAME OK: /CN=lakefront.countersnipe.com
12:22 < joelsolanki> Jan 26 23:50:25 joel openvpn[19531]: VERIFY OK: depth=0, /CN=lakefront.countersnipe.com
12:22 < joelsolanki> this shows in client
12:22 < boneybastard> dazo nah, -m state --state ESTABLISHED,RELATED -j ACCEPT didnt do the job ;(
12:22 < dazo> joelsolanki: ahh ... I might have missed one thing in the client log ....
12:23 * dazo double checks
12:23 < joelsolanki> what ?
12:24 < dazo> joelsolanki: okey ... you are using the same certificate for server and ca on your server most probably ... or you have a mixture here ...
12:25 < dazo> joelsolanki: and most probably you have managed to flip certs around so it is correct on your RH boxes
12:25 < joelsolanki> ok
12:25 < joelsolanki> it even works on windows xp
12:25 < dazo> joelsolanki: make sure that the ca.cert file is the same on all boxes ... and named as ca.cert ..... the server.cert should be unique/different from ca.cert on ... and only on the server
12:26 < dazo> joelsolanki: and the clients should only have ca.cert and their own client.cert
12:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:26 < joelsolanki> yes thats what it is
12:26 < dazo> joelsolanki: you have perfect match on the ca.cert in Ubuntu as well .... but it fails on validating the server cert
12:26 < joelsolanki> this is not the single box.
12:27 * dazo doesn't follow
12:27 < dazo> not single box?
12:27 < joelsolanki> my friend was having problem on ubuntu 8.0.4 so i thought he might be making a mistake but then i installed ubuntu on my test machine but the same happened to me so i was shocked
12:27 < dazo> this gets even more fun
12:27 < joelsolanki> :)
12:28 < joelsolanki> do you use ubuntu ?
12:28 < dazo> joelsolanki: where and when have you created the certificates? On ubuntu/debian ?
12:28 < joelsolanki> debian
12:28 < dazo> joelsolanki: unfortunately, I have one ubuntu box .... will upgrade it when I get time to Fedora 10
12:29 < dazo> joelsolanki: was that before or after this nasty openssl exploit last year?
12:29 < joelsolanki> i think before
12:29 < dazo> joelsolanki: that might be the reason .... you have a vulnerable SSL certificate in that case .... and ubuntu and newer debian clients have checks for this ....
12:30 < joelsolanki> ahh but i installed debian 4 also and it worked on it.
12:30 < dazo> joelsolanki: the openssl bug corrupted the random generator .... so you can easily create a "fake" certificate which will easily be replaced
12:30 < joelsolanki> hmm
12:30 < dazo> debian 4 ... how old/new is that one?
12:31 < joelsolanki> i downloaded before 1 onth
12:31 < joelsolanki> month
12:31 < dazo> that box is safe .... but your ssl certs might be at risk
12:32 < joelsolanki> will upgrading openssl fix the problem ?
12:32 < dazo> I know ubuntu have hacked the openssl library afterwards ... if the certificate is one of x number of known hashes, it will reject any usage of that one
12:32 < joelsolanki> oh
12:32 < dazo> joelsolanki: openssl is fixed .... but your certificates might have the wrong hashes ....
12:32 < joelsolanki> hmm
12:33 < dazo> I might be wrong again here ... but I just have seen such issues as well
12:33 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
12:33 < joelsolanki> i understand
12:33 * dazo had generated ssl certs on ubuntu with this error and needed to recreate a lot of certificates and ssh keys
12:40 -!- bny [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
12:43 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
12:44 -!- Gray9Mar [i=surf___@gateway/tor/x-67a3d6bd480f8baf] has quit [Remote closed the connection]
12:46 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has joined ##openvpn
12:46 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)]
12:47 -!- joelsolanki [i=joelsola@123.237.173.217] has quit []
13:17 < bny> is there any openvpn switch i can use to specify which outgoing IP address it should use?
13:20 < dazo> bny: nafaik :( ... it will listen to all interfaces (server mode) and it will take the suitable one in client mode, depending on IP address
13:20 < bny> crap :E
13:21 < bny> i have 2 external IPs on the same ethernet port
13:21 < dazo> bny: you can probably hack this around with some NAT rules ....
13:21 < bny> clients connect to one of the IPs but get replies from the other IP, hence dropping the packets
13:21 < bny> yea i can probably SNAT outgoing traffic on port 1194
13:22 < dazo> bny: that sounds like misconfig of the DNAT actually ....
13:22 < dazo> bny: using iptables?
13:24 < bny> yup
13:24 < bny> hm are u sure that snat isnt supposed to be used?
13:26 < bny> dazo wanna help me define the rules?
13:26 < dazo> bny: if you are doing port natting on your firewall/entry point ... you'll need to use DNAT in the PREROUTING chain .... --to-destination :
13:26 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:26 < bny> only been using iptables for a week or so :(
13:26 < dazo> bny: np! :)
13:26 < bny> sweet :)
13:27 < dazo> bny: you seem to do pretty well, if this tricky thing is what you're fighting against now :)
13:27 < bny> hehe yea it took quite a while to figure it out i must say
13:28 < dazo> bny: well, but when you've gone through that ... the rest will go like a breeze :)
13:28 < bny> check this out: iptables -t nat -A PREROUTING -p udp -d $MIP (one of the ext interfaces) --dport 1194 -j DNAT --to 192.168.200.1:1194
13:28 < bny> looks ok?
13:29 < dazo> bny: at first sight, this looks very fine .... I can double check it against some of my rules
13:30 < dazo> bny: yeah, looks right :)
13:30 < bny> cool, ill try it then :)
13:31 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:33 -!- whits_ [n=jim@209-20-87-215.slicehost.net] has joined ##openvpn
13:34 < bny> nop, that wasnt enough
13:34 < dazo> bny: are you doing MASQUERADING ?
13:34 < bny> i need the clients to think that the packets are coming from $WIP and not $MIP
13:34 < bny> yea i MASQUERADE the local nets
13:35 < dazo> bny: would you mind sharing an iptables-save on pastebin?
13:35 < dazo> just replace your public IP addresses with something we can understand is public
13:35 < bny> hm, i'd rather paste portions of the file if its ok
13:35 < bny> some info in it that i dont want disclosed :(
13:36 < dazo> bny: sure! ... and it's the NAT table which is interesting
13:36 < dazo> bny: I just need to see enough to understand why things are getting out wrong
13:37 < bny> think i figured it out, sec
13:37 < dazo> dazo: I only use DNAT in PREROUTING .... and -o -j MASQUERADE in the POSTROUTING table ... and that works like a charm
13:39 < bny> i dont want to masq the whole interface though :P
13:39 < bny> i just need one of the nets to masq on 1194
13:39 < bny> the port that is
13:40 < dazo> bny: aha ... then you need SNAT in addition on the POSTROUTING .... before any masq rules
13:41 * dazo did that some years ago ... don't remember completely now ....
13:41 * dazo tries to remember
13:41 < bny> its kinda tricky
13:42 < bny> does the -s switch only accept host/subnet?
13:44 < bny> it would be pretty solid if you could do iptables -t nat -A POSTROUTING -s IP:port -o $WIF (ext int) -j SNAT --to $WIP (ext IP)
13:44 < dazo> bny: -s is only --source address
13:44 < bny> instead of -s host/subnet
13:44 < bny> yea i know thats the tricky part i want to work around
13:45 < bny> instead of source address i just want the rule to apply when a certain rule is used
13:45 < dazo> bny: but you do that .... with --sport / --dport .... that's more flexible
13:45 < bny> aha!
13:47 < bny> wanna show me an example rule?
13:47 < dazo> bny: misunderstand me correctly please .... you need -s/-d for host/subnet .... and --sport/--dport for ports
13:48 * dazo tries to find some SNAT examples
13:49 < bny> :P
13:49 < ecrist> bny: you can specify what address openvpn listens to.
13:49 < bny> what i want to do is that all traffic going from $MIP:1194 to appear as $WIP:1194
13:49 < bny> only on that particular port
13:50 < dazo> but isn't this what you are achieving already?
13:50 < ecrist> bny, that won't work.
13:50 < bny> why not? :(
13:50 < dazo> bny: are $MIP and $WIP both public facing IP addresses?
13:51 < bny> yea
13:51 < dazo> bny: why do you want to do this?
13:51 * dazo suddenly saw a light
13:51 < bny> they go inside the same physical interface
13:51 < bny> and that messes up openvpn
13:51 < bny> traffic coming in on $WIP and leaving on $MIP
13:52 < dazo> bny: aha! It's one physical interface with two IP addresses? ip aliases?
13:52 < bny> yes! :)
13:52 < bny> that results in no client being able to connect
13:53 < dazo> bny: openvpn will never send traffic out on the "wrong" ip address .... if it gets traffic in on $WIP it will send out on $WIP ... unless there are some NAT rules which change this behaviour
13:53 < ecrist> bny: with TCP, you can't set all outgoing traffic as 1194 if your openvpn instance is listening to 1194
13:54 < bny> its udp :)
13:54 < ecrist> ok, you can't do it with udp, either
13:54 < dazo> bny: one more question .... openvpn is running on the same box as your firewall? Or a separate box?
13:54 < bny> same box
13:54 < ecrist> unless openvpn is listening on udp, and your port mapping is for tcp
13:54 < bny> WIP and MIP are only ip addresses both coming in on WIF
13:55 < bny> ip aliasing
13:55 < bny> hm i dont follow?
13:55 < dazo> bny: WIF ... what is that? ... the physical interface?
13:55 < bny> yea
13:56 < dazo> bny: so WIP is the IP address of WIF .... and MIP is the IP address of WIF:1 ... (or similar)?
13:56 < bny> yea
13:56 * dazo just needs to be sure now
13:57 < dazo> bny: bring up that DNAT rule once more ....
13:57 < dazo> bny: We need to tweak this one
13:58 < bny> iptables -t nat -A PREROUTING -p udp -d $MIP --dport 1194 -j DNAT --to 192.168.200.1:1194
13:58 < dazo> bny: 192.168.200 ... which network is this? an internal one?
13:58 < bny> yea the gateway
13:58 < bny> should i set it to the external ip?
13:59 < bny> $WIP that is
13:59 < dazo> gateway? ... no it should be the IP address to where openvpn listens .... try localhost
13:59 < bny> oh my bad, its the box where vpn listens
13:59 < dazo> dazo: but it might be that this needs to be supported by a SNAT rule ... but that's not often
13:59 < dazo> yeah
14:02 < bny> any clues?
14:03 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
14:03 < dazo> bny: did you try the DNAT rule and just changing the 192 addr to 127.0.0.1?
14:04 < QuiescentW> can someone help me configure openvpn on openwrt. i'm having problems. I have the firewall on my router opened all the way up and when i connect i get an IP address but it cuts all my internet connection off and i can't even ping any of the remote computers 14:04 < ecrist> QuiescentW: your' probably using a conflicting IP range on the vpn subnet and/or your using redirect-gateway without proper NAT on the server end. 14:04 < ecrist> try reading through the following: 14:05 < ecrist> !route 14:05 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:05 < QuiescentW> i'm using ethernet bridging and the remote LAN subnet is different 14:05 < bny> dazo yea same problem 14:06 < dazo> bny: a possible attempt on SNAT ..... iptables -t nat -I POSTROUTING -p udp -s 127.0.0.1 --dport 1194 -o $WIF --to-source $MIP 14:06 < dazo> bny: but you need to experiment with the --to-source .... --to-source $MIP:1024-65535 ... might be another attempt 14:10 < dazo> QuiescentW: be aware that openwrt uses bridging as default .... and you might want to bridge tap0 to br0, where you have your internal network 14:10 < QuiescentW> i have tap0 bridged with br-lan which has all the eth adapters except wan in them 14:11 < QuiescentW> let me get my configs on pastebin if someone will please look at them for me 14:12 < bny> nah still same 14:12 < dazo> QuiescentW: I needed to do /usr/sbin/openvpn --mktun --dev tap0 --dev-type tap ... and then /sbin/ifconfig tap0 0.0.0.0 promisc up ... and then brctl addif br0 tap0 before I could start openvpn 14:12 < bny> can you try to explain what that rule does dazo? :) 14:12 < dazo> bny: the SNAT rule? 
14:12 < bny> yea 14:13 < QuiescentW> i' 14:13 < QuiescentW> i'll try that 14:14 < dazo> bny: it takes all UDP packages coming from 127.0.0.1 with destination port 1194 going out on the $WIF interface and rewrites the source address to $MIP with a dynamic port ranges as source port 14:15 < bny> kk 14:15 < bny> adn the DNAT rules we wrote before is still needed? 14:15 < dazo> bny: yes ... because that does almost the "opposite" 14:16 < dazo> bny: the DNAT rule takes the packages to $MIP at destination port 1194 and rewrite destination to localhost:1194 14:17 < dazo> and then the kernel takes this package and sends it through the routing layer in the network 14:17 < dazo> while SNAT rules are picked up after the kernel have done the package routing 14:18 < dazo> so DNAT is the first pass from outside to inside .... and SNAT is the last pass from inside to outside 14:19 < bny> hm still swrong ip when i do tcpdump :( 14:19 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 14:20 < dazo> bny: I'm worried I'm not able to help you completely out ... since I don't know if you have any other conflicting rules in your chains 14:22 < bny> yea its ok 14:22 < bny> ill dig into it tomorrow 14:22 < bny> thanks a lot for your help though 14:22 < dazo> bny: np! :) 14:22 < bny> amma head out for a while, cya 14:23 < bny> been working with this darn setup for several hours 14:24 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:24 < QWonder> i'm getting this: 'private key password verification failed'... i'm using PKI but no passwords anywhere 14:25 < dazo> QWonder: you have some issues with your private key ... that's for sure ... 
try to remove the password with some openssl commands (don't remember them now) 14:26 < QWonder> i'm just going to delete all my config and pki files and start over 14:27 < QWonder> i must have done something wrong 14:34 -!- QuiescentW [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 14:38 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:45 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:00 -!- brain0 [n=brain0@archlinux/developer/brain0] has joined ##openvpn 15:01 < brain0> hi. I was here before but nobody answered :) ... I want to know if I can reduce the memory usage of openvpn. this is my configuration: http://pastebin.com/d503bb027 ... I only need support for one client, will p2p mode use less memory? any other tricks? 15:27 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 15:28 < nullboy> hey is the 'extra' challenge password something that should be set or should not be set? 15:28 < nullboy> what are the ramifications of not setting it? 15:28 < nullboy> this is during the build-key-server 15:30 < skx> I have openvpn server on freebsd using tap, how can I change MTU? 16:10 < ecrist> evening, bitches 16:29 < ecrist> skx: 16:29 < ecrist> !howto 16:29 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 16:35 < nullboy> lol 16:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 17:13 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn 17:35 -!- QWonder [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 17:49 -!- brain0 [n=brain0@archlinux/developer/brain0] has left ##openvpn [] 18:05 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:08 < plaerzen> !plaerzen 18:08 < vpnHelper> plaerzen: Error: "plaerzen" is not a valid command. 18:08 < plaerzen> :( 19:07 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 19:08 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 21:01 -!- Gray9Mar [i=surf___@gateway/tor/x-1d2bf26543040c15] has quit [Remote closed the connection] 21:01 -!- needo [n=needo@superhero.org] has joined ##openvpn 21:02 < needo> I am attempting to setup OpenVPN 2.0.9 on CentOS 5. However when I connect to the VPN I get assigned the address .6 and my gateway is .5. Shouldn't it be .1? 21:06 < ecrist> needo: no, it shouldn't. 21:06 < ecrist> the addressing you're seeing is correct 21:07 < muxpux> hi,i am doing bridge-mode vpn,so inorder access the machines on the same network of teh server,do i need to add extra push route or something? 21:07 < needo> ecrist: Why? Should I be able to ping .5? 21:08 < ecrist> needo: tun mode of OpenVPN assigns a series of /30 subnets (one for each client). Internally, OpenVPN responds for it's end of the /30 PPP link, but doesn't actually assign the address to its interface 21:08 < ecrist> no, you shouldn't be able to ping .5 21:09 < needo> Thanks. 
21:09 < ecrist> muxpux: you need to make certain that your LAN on the OpenVPN server side is assigning IPs to the vpn clients, or that the OpenVPN instance is assigning address from the same range as what's available on the LAN 21:11 < muxpux> ecrist: yeah suppose the dhcp in my network is 192.168.1.0/24 21:11 < needo> Now its time to futz with the iptables. Woohoo. :) 21:12 < muxpux> and in ovpn ,if i give arange from .128 - .254,thats okay? 21:12 < ecrist> yep 21:13 < muxpux> alright :) 21:14 < muxpux> ecrist: one more q 21:14 < muxpux> push "redirect-gateway" 21:14 < ecrist> should be push "redirect-gateway def1" iirc 21:14 < muxpux> will redirect the gateway as well,and enables all web browsing of the client through server? 21:14 < muxpux> def1? 21:14 < ecrist> aye 21:14 < ecrist> read the manual 21:14 < muxpux> ok :) 21:41 < needo> I am having a really hard time getting my iptables right. I want everything that comes in through the VPN (tun0) to have access to the Internet via eth1. 
21:42 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 21:42 < mepholic> ok 21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit [Read error: 104 (Connection reset by peer)] 21:43 < mepholic> is there a way to have a client or server use 2 tap interfaces 21:43 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 21:44 < mepholic> i don't mean virtual interfaces like tap0:0 21:44 < mepholic> unless you can bridge that and still be able to use tap0 on the host 21:45 < mepholic> my issue is that i have an openvpn server running on the host computer of an openvz vps node 21:46 < mepholic> and i need to bridge a vps's ethernet adaptor to an openvpn adaptor 22:03 -!- needo [n=needo@superhero.org] has left ##openvpn [] 22:15 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection] 22:16 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn 22:27 -!- cyberjames [n=james@unaffiliated/cyberjames] has quit ["leaving"] 22:46 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:46 < onats> hi guys 22:46 < onats> i have a question. if i have 2 site to site routers connected via vpn, i have to create /ccd/ entries for the router/clients right? 22:47 < onats> for a remote worker client, which gets an ip of say 10.0.66.x, what do i need to do in order for me to be able to ping devices behind the other routers? 22:47 < onats> i mean other clients? 22:47 < onats> krzie are you there? 22:54 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn 22:54 < grendal_prime> hey guys. 22:56 < grendal_prime> I have a situation where we have several openvpn servers with several CA's and we have been looking for a way to sort of cluster them together so we have one server with the certs and keys. We already have a way of backing that up off site. However i have contrived a way of connecting several other servers to the primay server to use the keys on that server. 
This way we only have to create credentials in one loaction. 22:58 < grendal_prime> Ive tested it and it works. Im just wondering if there is a product out there that already does this...or if there is some sort of configureation that i overlooked for doing this sort of thing? 23:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, dogmeat 23:05 -!- Netsplit over, joins: muxpux 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: muxpux, justdave, meturaf 23:05 -!- meshuga [i=meshuga@65.23.153.3] has joined ##openvpn 23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: mcp, Typone 23:05 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 23:06 -!- Netsplit over, joins: mcp 23:06 < QWToo> alright, i have this crap working 23:06 < QWToo> the problem was 23:06 < QWToo> i guess 23:06 < QWToo> i was bringing up tap0 on the client and then running dhclient 23:07 < QWToo> and it was supplying a gateway 23:07 < QWToo> or something 23:07 < QWToo> and breaking my internet 23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: whits_, QWToo, roentgen, smk 23:07 -!- whits [n=jim@jim.505.ru] has joined ##openvpn 23:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: MMN-o, whits 23:07 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn --- Log closed Mon Jan 26 23:07:53 2009 --- Log opened Mon Jan 26 23:09:13 2009 23:09 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn 23:09 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal] 23:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, disco-, grendal_prime 23:09 -!- Irssi: Join to ##openvpn was synced in 14 secs 23:09 -!- WHATEVER [n=evaldo@207.192.75.23] has joined ##openvpn 23:09 -!- Netsplit over, joins: grendal_prime 23:09 -!- Netsplit orwell.freenode.net 
<-> irc.freenode.net quits: reiffert, kaii 23:09 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn 23:09 -!- Netsplit over, joins: int 23:09 < grendal_prime> QWToo: ? not sure what you mean....you cant push them a gateway? 23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposable, kaii_, mcp, donavan, MMN-o 23:10 -!- disposab1e [i=disposab@blackhole.sk] has joined ##openvpn 23:10 -!- mcp [n=mcp@78.46.210.50] has joined ##openvpn 23:10 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: int, aar0n, onats 23:10 < QWToo> they don't need a gateway 23:11 < QWToo> i don't really know how this works 23:11 < QWToo> what happens is that the clients connect 23:11 -!- Netsplit over, joins: MMN-o 23:11 < QWToo> and their default internet gateway is changed to a different address 23:11 < QWToo> then they can't get online 23:11 < QWToo> because the gateway is an address in a different network 23:11 < QWToo> somewhere else 23:11 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: disposab1e, krzie, trifler, ikevin_, MMN-o, smk_ 23:12 -!- Netsplit over, joins: trifler 23:12 < grendal_prime> ok wait wait..i think you are thinking about this wrong 23:12 -!- munga` [n=munga@81.194.35.9] has joined ##openvpn 23:12 -!- Netsplit over, joins: MMN-o 23:12 -!- krzie [i=krzee@66.11.114.210] has joined ##OpenVPN 23:12 < grendal_prime> the vpn is to connect you to the vpnserver..if you want to route out past that, you need to set up the vpn server for routing. if you want to use the vpn as a sort of gateway to the internet. 23:12 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 23:13 < QWToo> no 23:13 < QWToo> i don't want to use it as a gateway 23:13 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: tarbo2, bigjohnto_away, mmcgrath_, plaerzen 23:13 < QWToo> the problem was 23:13 < grendal_prime> ok so what your saying is when you connect your client no longer uses its configured gateway.. 
23:13 < QWToo> yeah 23:13 < QWToo> i was using dhclient on the tap adapter 23:13 < grendal_prime> ok that is a setting ithink you have to set up in windows. 23:14 < QWToo> and it changes the default gateway to the address in the other network, which it can't get to without going through my local gateway. in turn my internet is broken 23:14 < QWToo> no 23:14 < QWToo> it's all linux 23:14 < grendal_prime> like set default gateway or something like that...i dont use windows...in any capacity at all so im not sure.. 23:14 < QWToo> i did until maybe six months ago 23:14 < grendal_prime> ok 23:14 < QWToo> so i'm pretty new to all this 23:15 < grendal_prime> so when your linux client connects it looses its default gateway? 23:15 -!- nullboy [n=nullboy@97-94-107-72.static.mtpk.ca.charter.com] has joined ##openvpn 23:15 -!- Netsplit over, joins: tarbo2 23:16 < QWToo> yeah 23:16 < QWToo> it changes to the default gateway of the openvpn server 23:16 < grendal_prime> thats pretty odd...now i do know when i connect to my work openvpn, i get a...its like a confused state every now and again...but it usually figures it out in a min. 
23:16 < QWToo> i mean, when my linux client connects the tap0 adapter is down 23:16 < QWToo> i don't have a startup script yet 23:16 < grendal_prime> ya see i dont use tap devices with linux 23:17 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 23:17 < QWToo> so i was doing this: sudo ifconfig tap0 up; sudo dhclient tap0; 23:17 -!- whits [n=jim@jim.505.ru] has joined ##openvpn 23:17 -!- disco- [i=disco@discomb0bulated.com] has joined ##openvpn 23:17 < QWToo> and dhclient was changing the default gateway address 23:17 -!- smk [n=scott@64.90.184.122] has joined ##openvpn 23:17 -!- int [n=quassel@wikia/int] has joined ##openvpn 23:17 < QWToo> on the local machine to an address that isn't on this network 23:17 < QWToo> heh 23:17 < grendal_prime> sounds like yoru server is pushing a route that may be messing with that 23:18 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn 23:18 < QWToo> i don't know 23:18 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn 23:18 < grendal_prime> you using ubuntu? 23:18 < QWToo> nothing should be routed 23:18 < QWToo> yeah 23:18 < grendal_prime> do you have controle of the server? 23:18 < QWToo> i don't think anything should be routed 23:18 < QWToo> yeah 23:18 -!- ikevin_ [n=kevin@90.33.40.180] has joined ##openvpn 23:18 < QWToo> it's right here 23:18 < QWToo> it's all bridged 23:18 < QWToo> because i didn't know how to do the routing 23:19 < grendal_prime> did you do the quicksetup illustrated on the openvpn.net site? 23:19 < QWToo> i used some bridged howto on the openwrt site 23:19 < grendal_prime> the reason i ask is that has proven to be pretty failproof and..well it does not illustrate using the tap device. 23:19 < QWToo> which is what the server is running on 23:19 < grendal_prime> o 23:19 < grendal_prime> so you need it to be bridged? 
23:20 < QWToo> at least i've figured out what's wrong 23:20 < QWToo> i dont' need it bridged 23:20 -!- muxpux [n=muxpux@soup.capital-today.net] has joined ##openvpn 23:20 < QWToo> i just didn't want to deal with setting up routes 23:20 -!- disposable [i=disposab@92.240.234.34] has joined ##openvpn 23:20 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 23:20 < QWToo> and i have all the machines i want accessible to the vpn clients in their own vlan 23:20 < grendal_prime> ya...you should try that howto..it sets up what your looking for i think...and...well it should work for openwrt as well. 23:21 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 23:21 < grendal_prime> http://openvpn.net/index.php/documentation/howto.html#quick 23:21 < vpnHelper> Title: HOWTO (at openvpn.net) 23:21 < grendal_prime> its never failed... 23:21 < grendal_prime> well its never failed me anyway 23:21 < grendal_prime> i got to roll good luck 23:21 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] 23:21 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 23:23 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits, deever, thewolf, trifler, worch, dazo, bny, donavan, skx, eliasp, (+5 more, use /NETSPLIT to show all of them) 23:23 -!- MMN_o [n=mmn@barjack.com] has joined ##openvpn 23:23 -!- whits_ [n=jim@jim.505.ru] has joined ##openvpn 23:23 -!- udk [i=evaldo@freenode/staff/udontknow] has joined ##openvpn 23:23 -!- Netsplit over, joins: huslu 23:23 -!- dazo [n=dazo@nat/redhat/x-ec6c25d10518a59b] has joined ##openvpn 23:23 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn 23:23 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 23:24 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: whits_, nullboy, int, skx, munga`, mepholic, QWToo, troy-, plaerzen, boney, (+18 more, use /NETSPLIT to show all of them) 23:25 -!- QWToo [n=Quiescen@71.122.68.221] has joined ##openvpn 
--- Log closed Mon Jan 26 23:28:20 2009 --- Log opened Mon Jan 26 23:28:31 2009 23:28 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn 23:28 -!- Irssi: ##openvpn: Total of 29 nicks [0 ops, 0 halfops, 0 voices, 29 normal] 23:28 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn 23:28 -!- Irssi: Join to ##openvpn was synced in 13 secs 23:28 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has joined ##openvpn 23:29 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 23:29 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 23:30 -!- jpalmer [n=jpalmer@fl-209-26-20-205.sta.embarqhsd.net] has joined ##openvpn 23:31 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn 23:31 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 23:33 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 23:33 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 23:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: skx 23:33 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn 23:33 < muxpux> hi 23:33 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn 23:33 -!- Netsplit over, joins: skx 23:33 < muxpux> my ovpn-bridge is up and fine 23:33 < muxpux> now i need to route all the internet traffic 23:34 < muxpux> since my vpn is bridge ,there is no need for me to do nating in the linux machine right? 23:34 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn 23:37 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has joined ##openvpn 23:37 -!- tomfmason [n=tom@tomfmason.net] has joined ##openvpn 23:38 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 23:38 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 23:55 -!- Gray9Mar [i=surf___@gateway/tor/session] has quit [Nick collision from Idoru.] 
23:56 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn --- Day changed Tue Jan 27 2009 00:07 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"] 01:20 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn 01:22 < nullboy> hello, i'm using wireshark on a client system that is connected to an openvpn server. the client and the server are on the same lan and i have used push "redirect-gateway local def1" in the server's config but i can see DNS queries being leaked in wireshark 01:55 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["life in the rear view mirror"] 01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:58 -!- lilalinux [i=e-trolle@fellatio.deswahnsinns.de] has left ##openvpn ["Leaving"] 03:17 -!- bigjohnto_away [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 03:22 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 03:22 < muxpux> hey 03:22 < muxpux> ovpn is pptp or l2tp ? 
03:23 < floyd_n_milan> neither 03:23 < floyd_n_milan> ssl 03:24 < muxpux> alright 03:55 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 03:59 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 04:06 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn 04:06 < joelsolanki> Hi dazo 04:06 < joelsolanki> https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058 04:06 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net) 04:09 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 04:38 -!- joelsolanki [i=joelsola@202.160.161.94] has quit [] 04:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:47 -!- udk [i=evaldo@freenode/staff/udontknow] has quit ["leaving"] 05:01 < muxpux> hi 05:02 < muxpux> is it possible to make mac osx 10.5 as a n openvpn client? 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:28 < whits_> 1:32 -!- ERROR Closing Link: [85.91.225.194] Z:Lined (Transitive external IP range - InetC) 05:28 < whits_> oops 05:28 * dazo is not sure if "duuhh" ... is a proper answer 05:28 < dazo> muxpux: sure ... that's just to use a client configuration file instead of a config which prepares the openvpn process to act like a server 05:58 < muxpux> dazo:/win 10 05:58 < muxpux> hehe 05:58 < muxpux> dazo: i mean ,ovpn port of mac is also there? 06:14 < ecrist> muxpux: google code for tunnelblick 06:14 < ecrist> you know, that question is easily answered by a google search 06:46 < muxpux> yeah 06:46 < muxpux> i sen that name 06:46 < muxpux> seen 06:46 < muxpux> thought like a3rd part product 06:50 -!- innni1 [n=andre@92.2.28.116] has joined ##openvpn 06:51 < innni1> can people at home behind local routers create a VPN 06:52 < innni1> for example create a VPN so that three people can play a game 06:53 < dazo> innni1: Without going deep ... 
yes, that's the main purpose of VPN, to create a virtual private network 06:54 < innni1> dazo: even though each local box has a dynamic IP? 06:54 < dazo> innni1: I presume that you mean that there are 3 different persons, sitting behind each their router 06:54 < innni1> yes 06:55 < innni1> this is the normal setup too, I assume 06:55 < dazo> innni1: yes ... but in this case, I would recommend to also sign up for a dyndns/dynalis/etc service ...so you do have a hostname to a dynamic ip address 06:55 < dazo> innni1: the reason I asked was because it sounded like they were behind the same router ... which would make the use of VPN pretty unneeded ;-) 06:56 < innni1> good call 06:57 < dazo> innni1: one of these three locations needs to provide the openvpn server somehow ... the two others connect to the server as clients ... and if you enable client-to-client in the openvpn config, those clients can also see eachother on the VPN 06:57 < dazo> innni1: pretty basic setup, actually 06:58 < innni1> I am in UK, got a mate in Siberia :) 06:58 < dazo> innni1: even this is not a problem :) 06:58 < innni1> I wanna do the VPN more than any game really 06:59 < dazo> heh 06:59 < dazo> good approach! 06:59 < dazo> ;) 06:59 < innni1> maybe today 06:59 < innni1> I have done the crypto stuff 07:00 < innni1> need to create the config files 07:00 < dazo> innni1: have a close look at the different docs available for openvpn ... howto's etc ... it's not that difficult 07:00 < dazo> !howto 07:00 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:01 < dazo> innni1: and you will be pretty good if you manage this without trampling into routing issues .... :-P 07:01 < innni1> I expect I will have issues 07:03 < dazo> innni1: routing is not difficult ... if you have a little bit overview over how basic networking routing works .... 
mostly it is just minor details, not reading docs/howto's well enough, rushing into things without making sure all those small and gory details are right 07:03 < innni1> what does a \ufeffsign up for a dyndns/dynalis/etc get me 07:03 < innni1> presumably the missing link in my thinking as to how this all works 07:04 < dazo> innni1: it gives you a hostname .... f.ex. mybox.dyndns.org .... and you will have a client running on your box, which will then update this DNS record whenever your IP changes 07:04 < dazo> innni1: and it's only needed for the server 07:04 < dazo> innni1: but you might want to have a look into the --float option in openvpn as well 07:04 < innni1> what you are saying will take time to sink in 07:04 < innni1> I am probably 80% savvy 07:05 < innni1> maybe 70% 07:05 < dazo> innni1: just don't rush :) Take your time and let it sink in .... then it'll work, I'm sure 07:05 < innni1> :D 07:05 < dazo> "Nothing is impossible, it just take a little bit longer time" 07:06 < innni1> I will have to teach my 0% savvy friend all this too :D Gonna be fun 07:08 < dazo> innni1: no, not really ... if you manage to setup a good server config ... you can just send him key files and configuration .... and then he just unpack this in a directory and starts openvpn as root .... and that's all 07:09 < dazo> innni1: the key is if you manage to provide a good client config file for her/him or not 07:10 < dazo> innni1: which OS are you deploying this on? what do you and the others use? 07:10 < innni1> we are both ubuntu boys 07:11 < dazo> innni1: okey .... be aware of some issues with openvpn on ubuntu and certificates ..... https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/265058 07:12 < vpnHelper> Title: Bug #265058 in openvpn (Ubuntu): "[SRU] openvpn2.1~rc7 fails to pick up the CN of certificates" (at bugs.launchpad.net) 07:14 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has joined ##openvpn 07:15 < innni1> dazo: thanks. Anything else I should know? 
07:17 < dazo> innni1: grab a lot of what ever you like to drink when hacking on your computer ... maybe add some snacks .... relax and have fun digging into the wonderful world of openvpn! :) 07:17 < bender183> hey guys 07:17 < innni1> i got food and drink stocks 07:17 < innni1> hi bender 07:18 < bender183> hows it going? 07:20 < innni1> i am cool thank bender :) u? 07:22 < bender183> not too bad, worked out this morning.....im always happier when i work out in the mornings :> 07:23 < bender183> anyways i have an issue with openvpn....i have no knowledge of openvpn, and ive been franticaly rtfm'n ....the client can ping the openvpn server but the server cant ping the client side 07:23 < ecrist> good morning, bitches 07:23 < bender183> here are the pastebins 07:23 < innni1> people say to me "do you work out" :) I never done any exercise in my life 07:23 < bender183> server = http://pastebin.com/m4ed98aa 07:23 < bender183> client = http://pastebin.com/m2b31c2ab 07:23 < bender183> server logs = http://pastebin.com/m375bc965 07:24 < innni1> <- this slut is no bitch 07:24 < ecrist> bender183: client can ping server IP, but server can't ping client IP? 07:24 < bender183> you know they say that working out makes your iq higher' 07:24 < bender183> yes 07:24 < ecrist> that doesn't make sense. 07:24 < bender183> i know ... 07:24 < ecrist> have you checked the firewall on the client side? 07:25 < bender183> yes i have ... 07:25 < bender183> outbound is set to accept 07:25 < bender183> errr 07:25 < bender183> wait 07:25 < bender183> hold on 07:25 < bender183> hehe 07:25 < bender183> i hope thats the problem ;D 07:26 * ecrist points to the chan topic 07:26 < bender183> yes i know ... 07:26 < bender183> but if you take a look at the logs 07:27 < bender183> that i pasted 07:27 < bender183> *cough* 07:27 < bender183> you can see they are speaking to each other 07:27 < ecrist> right, but you're talking about two different things. 
07:27 < ecrist> most firewalls allow outgoing connections without problem 07:27 < dazo> bender183: yeah ... but firewalling also means firewalling on the VPN net as well ...... 07:28 < ecrist> that would be the case on your VPN client. 07:28 < ecrist> however, my guess is that your client is blocking incoming (unsolicited) ICMP packets. 07:28 < ecrist> ICMP = Ping 07:28 * dazo seconds that 07:28 < bender183> interesting 07:28 < bender183> i think you may of nailed it 07:29 < bender183> and you did 07:30 < bender183> gratzi 07:30 < ecrist> np 07:30 < bender183> now i can finally finish up my nagios install :> 07:31 < bender183> well i always could, i was just checking the tunnel the incorrect way 07:31 < bender183> hehe 07:33 < ecrist> with nagios, I've found pings are the best method to test openvpn tunnels 07:33 < bender183> my friend suggested check_tcp 07:33 < bender183> but i could see why you would say that 07:33 < ecrist> could do some parsing of the openvpn-status log, but there's potential for stale files 07:33 < ecrist> bender183: anyone who knows better, who can, runs OpenVPN over udp 07:34 < bender183> ohhhhhh 07:34 < bender183> i wish you could tell that to my middle earth former co-worker 07:35 < ecrist> !tcp 07:35 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:35 < ecrist> point him there ^^^ 07:35 < bender183> it makes sense 07:36 < ecrist> to sum it up, problems with the tcp window size 07:36 < bender183> interesting 07:36 < ecrist> 5lbs of shit in a 5lb bag that's already filled with 1lb of shit. 07:38 < dazo> ecrist: nice link! 
07:38 < ecrist> that was krzee's find 07:38 < bender183> seems like this dude didnt make any iptables rules to allow the vpn to pass through other clients either 08:11 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:11 < ecrist> um, a program doesn't catch a sig 11. 08:11 < ecrist> the kernel catches sig 11 08:11 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:12 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit] 08:13 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:17 < ecrist> ebf0: make up your mind 08:19 -!- bender183 [n=OWinNOW@unaffiliated/bender183] has quit [Read error: 104 (Connection reset by peer)] 08:20 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:21 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:22 < ecrist> ebf0: stop the join/part 08:33 -!- ebf0 [n=ebf0@87.238.45.168] has quit ["Caught signal 11, Segmentation fault"] 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has quit [Client Quit] 08:35 -!- ebf0 [n=ebf0@87.238.45.168] has joined ##openvpn 08:37 < ecrist> /kick ebf0 08:37 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn 08:37 < Federico2> hi guys 08:38 < ebf0> ey... dont 08:38 < ebf0> I got the ppl to stop :) 08:38 < Federico2> is in normal that I cannot ping the VPN endpoints on the virtual interfaces (tun0)? 08:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:39 < ebf0> found a nice error in ircproxy... might even be sploitable :) 08:55 -!- innni1 [n=andre@92.2.28.116] has quit ["Leaving."] 09:03 -!- QWToo [n=Quiescen@pool-71-122-68-221.tampfl.dsl-w.verizon.net] has quit [Read error: 60 (Operation timed out)] 09:03 < dvl> ebf0: dircproxy? 09:05 < dvl> ircproxy seems to be a generic name, not a particular applicatoin. 
09:06 < ecrist> Federico2: yes
09:07 < muxpux> hi
09:07 < muxpux> i am getting Bad LZO decompression header byte: 42
09:07 < muxpux> what does that mean
09:07 < muxpux> i am trying to connect from a mac machine using viscosity
09:08 < muxpux> any ideas?
09:09 < ecrist> wtf is viscosity
09:09 < muxpux> client for mac
09:09 * ecrist looks it up
09:09 < ecrist> the recommended mac client here is Tunnelblick, not heard of Viscosity
09:12 < ecrist> Tunnelblick is free
09:15 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has joined ##openvpn
09:15 < ebf0> dvl: http://www.night-light.net/ircproxy/
09:15 < vpnHelper> Title: Night Light IRC Proxy "Bouncer" (ircproxy) (at www.night-light.net)
09:16 < ecrist> muxpux: that's a pretty smooth looking client
09:17 * ecrist wonders if he can weasle a free copy of viscosity from the dev...
09:17 < ecrist> weasel*
09:25 < muxpux> heeh
09:25 < muxpux> ecrist: i am using tunnelblick
09:25 < muxpux> now
09:25 < ecrist> $9 after 30 days
09:25 < muxpux> it says an error
09:25 < muxpux> like this ca_cert can only be specified in tls mode
09:26 < muxpux> so do we have any options?
09:26 < ecrist> muxpux, need to see your client config. both viscosity and tunnelblick are simply front-end parsers for the standard config file and openvpn binary
09:27 < muxpux> ecrist: the same configs work for win/linux machines
09:27 < muxpux> i mean the client config
09:28 < muxpux> sec i will paste
09:29 < muxpux> http://pastebin.com/m2ccbf4fc
09:30 < ecrist> looking
09:31 < muxpux> thanks :)
09:31 < ecrist> and your logfiles, please?
09:32 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:32 < muxpux> in client it said ca_cert can only be specified in tls mode
09:33 < muxpux> thinking like is it an issue with my client settings
09:33 < muxpux> works perfectly with linux and windows
09:34 < ecrist> same error in viscosity and tunnelblick?
09:35 < muxpux> viscosity was connecting, getting an ip etc
09:35 < muxpux> but didnt able ping anything
09:35 < muxpux> and the server is in vpn-bridge mode
09:35 < muxpux> able to*
09:37 < plaerzen> morning guys
09:38 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:38 < ecrist> hey plaerzen
09:39 < ecrist> muxpux: can you paste your logfiles, please?
09:41 < muxpux> ecrist: nothing much
09:41 < muxpux> Tue Jan 27 16:35:12 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
09:41 < muxpux> thats it
09:42 < ecrist> muxpux, if you're not going to pastebin your entire log file from tunnelblick, I'm not going to be able to help you.
09:42 < ecrist> if you knew what you were looking for, you wouldn't be asking here.
09:42 < ecrist> also, what version of tunnelblick?
09:42 < muxpux> ecrist: sec
09:48 < muxpux> ecrist: cant see any logs in tunnelblick
09:48 < muxpux> :(
09:49 < ecrist> if you select Details from the drop-down menu, you'll see the logs.
09:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:58 -!- MMN_o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
10:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 * ecrist gives up
10:18 < muxpux> ecrist:
10:19 < muxpux> i was working with a client who was with his osx (you know what that means), finally gives up atm trying with macosx client
10:19 < muxpux> i am sorry
10:30 < ecrist> muxpux: don't really bother me.
10:30 < ecrist> for your edification, if you need it, I just wrote the following: http://www.secure-computing.net/wiki/index.php/Tunnelblick
10:30 < vpnHelper> Title: Tunnelblick - Secure Computing Wiki (at www.secure-computing.net)
10:32 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
10:51 -!- randra [n=sleepkno@200.215.81.98] has joined ##openvpn
10:56 -!- skx [i=skx@217.17.32.190] has quit ["changing servers"]
11:04 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has joined ##openvpn
11:05 < rwaite> hi everyone, i'm trying to setup openvpn on windows to connect my work lan with my home lan and i'm way past confused at this point
11:06 -!- randra [n=sleepkno@200.215.81.98] has quit ["tra"]
11:07 < rwaite> !route
11:07 < vpnHelper> rwaite: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:08 * rwaite off to read
11:11 < muxpux> ecrist: nice odc thanks
11:15 < muxpux> doc
11:15 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
11:34 < rwaite> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing <<
11:34 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
11:34 < rwaite> in this document, when they say "2 client with lans behind them"
11:35 < rwaite> are those two clients assumed to be the routers for their respective lans?
11:35 < ecrist> rwaite: basically, yes.
11:36 < ecrist> but, with some advanced networking and routing, they don't have to be the gateways for those lans.
11:36 < rwaite> so if i had a machine behind a soho router, i'd need to enable some sort of routing on the soho?
11:36 < rwaite> well, my main issue is the openvpn server and the openvpn client are both behind a soho router on their networks
11:37 < dazo> rwaite: In this case, the usual approach is to put up the route on each machine which should be reachable on the inside ... if setting up the routing in the soho router doesn't work
11:38 < rwaite> so make some sort of batch file to setup the routes. that would work. would i also need to enable routing on the client, too, then, for that to work?
11:39 < rwaite> this is a windows machine, fyi. (i think im in a bit over my head here, i need to learn how this routing works exactly)
11:39 * rwaite smacks face. hold up, i missed the 'routes to add outside of openvpn' section
11:40 < dazo> rwaite: look at it like this: A user on your "openvpn server side" with IP address 172.16.10.50 (example) accesses 192.168.10.10 (example) which is routed via the VPN (10.8.0.1) ... the package reaches 192.166.10.10 ... and it responds to it ... but since it does not know about the 172.16.10.* network, it will send this traffic to the default gateway instead of your openvpn client router
11:42 < rwaite> i see, so the default gateway must know to send traffic for the client network back to the vpn
11:44 < rwaite> so i think i am thinking of this wrong - what i really want is two servers that act as clients to each other.
11:44 < dazo> rwaite: yeah, but to reroute traffic through another router on the same network as the package came from (192.168.10.*) might cause the package to get dropped by the default router .... that's why it's clever to set up this route explicit on the "servers" on the openvpn client side as well
11:45 < dazo> rwaite: and in the openvpn world ..... that's doable with openvpn server on one side and openvpn client on the other side
11:46 < rwaite> dazo: but if i want the machines on the server side to also be able to reach the machines on the client's side, too?
11:46 < dazo> rwaite: what makes it difficult for you now, is that you do not have the openvpn client as a router between your internal network and your default gateway
11:46 < rwaite> hmm.
11:47 < dazo> rwaite: when the openvpn client (server too actually) is located as a "normal" box, on the internal network ... all clients usually do need to have explicit routes to the other network, which points at the openvpn box in the local network
11:49 < rwaite> ok ok. but then it seems (and i think the doc says to) that i should be able to add a route to the other network to the soho router/gateway, which points at the local client (server)
11:50 < rwaite> as long as the two networks are different (192.168.1.0 vs 192.168.2.0) this should work
11:51 < rwaite> i think a big part of what i was misunderstanding too was i wasnt aware of the purpose of the "vpn network" (the 10. one)
11:51 < dazo> rwaite: if that works, you're lucky :) ... but I know some routers reject such routes .... some routers do not know how to handle the traffic when the next router is on the same network as the package came from
11:51 < rwaite> oh i see, that's what you meant before
11:52 < rwaite> the easiest setup, then, would be openbsd as the gateway with openvpn on it on both sides :)
11:52 < rwaite> which i wish i could do, but alas, im the only one here who would spring for a homemade router
11:52 < dazo> rwaite: that's right :)
11:53 < rwaite> well thank you, i think i know enough now to read thru all the documentation without scratching my head every 5 seconds
11:54 < dazo> rwaite: well .... you can always aim for such Linksys router or similar ones, which can run openwrt or x-wrt or similar Linux based firmwares .... I'm using x-wrt as a openvpn server to "phone home" myself
11:54 < rwaite> oh they come with openvpn on them?
11:54 < dazo> rwaite: but the more usual part is to use such routers as a client against another server
11:55 < dazo> rwaite: yeah, well, you install this x-wrt firmware .... go to web admin, click on openvpn and it ask you if you want to install it
11:55 < dazo> rwaite: when that's done .... it's configure time
11:55 < rwaite> our router here has dd-wrt, but i dont see anything about openvpn. maybe i will check out x-wrt
11:56 < dazo> rwaite: dd-wrt has its own vpn enabled one as well .... but I stopped using dd-wrt when I found some iptables/firewall rules which opened it up from some hard coded IP addresses
11:57 < dazo> rwaite: then I went over to x-wrt .... and I'm a happy camper
11:57 < rwaite> my dream would be to get a soekris device and get something setup on it
11:58 < dazo> nice one
11:59 < dazo> rwaite: any idea what these boxes costs?
11:59 < rwaite> it depends on what is included, the one i was looking at before had 4 ethernet ports and was around ~280 with the enclosure
11:59 < rwaite> us $
12:00 < dazo> rwaite: that's not too bad
12:00 < rwaite> not at all, and considering what it can do. you can put linux, freebsd, or openbsd that i know of. probably more
12:00 * dazo would like such one with eSATA or Firewire interface as well
12:02 < dazo> (to be released 2009) "net6501, a faster and more advanced mainboard, up to 1.5 Ghz CPU, 2 Gbyte DRAM, 4 Gigabit Ethernet ports and PCI Express expansion."
12:02 < dazo> PCI Express expansion .... my dream might come true ....
12:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:07 < rwaite> heh, that thing is beefier than my old workstation i used to run xp on
12:07 < dazo> heh
12:07 < dazo> I just noticed that even the old 5501 got traditional PCI slot as well ....
12:08 < dazo> maybe my dream is closer than I thought ....
12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:16 < rwaite> thanks for all the help
12:16 -!- rwaite [n=fieldyca@rrcs-74-218-125-86.central.biz.rr.com] has quit ["Leaving"]
12:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:24 -!- joelsolanki [i=joelsola@124.125.148.121] has joined ##openvpn
12:24 < joelsolanki> dazo: HI
12:24 < joelsolanki> my problem got fixed by installing the latest version from openvpn.net
12:24 < joelsolanki> there was a bug in openvpn package for ubuntu 8.0.4
12:25 -!- joelsolanki [i=joelsola@124.125.148.121] has quit [Client Quit]
12:28 < krzee> !wz 92109
12:28 < vpnHelper> krzee: Error: "wz" is not a valid command.
12:28 < krzee> !weather 92109
12:28 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 56.7F (10:29 AM PST on January 27, 2009). Conditions: Scattered Clouds. Humidity: 58%. Dew Point: 42.8F. Pressure: 30.38 in 1028.7 hPa (Rising).
12:29 < dazo> krzee: cool ... support for non-us areas as well?
12:30 < krzee> no idea, welcome to try
12:31 < dazo> !weather Brno
12:31 < vpnHelper> dazo: The current temperature in Brno / Turany, Czech Republic is 33.8F (7:00 PM CET on January 27, 2009). Conditions: Mist. Humidity: 80%. Dew Point: 32.0F. Pressure: 29.92 in 1013 hPa (Rising).
12:31 < dazo> !weather Dehli
12:31 < vpnHelper> dazo: Error: HTTP Error 500: Server Error
12:32 < dazo> !weather CPH
12:32 < vpnHelper> dazo: The current temperature in Copenhagen, Denmark is 35.6F (7:20 PM CET on January 27, 2009). Conditions: Overcast. Humidity: 75%. Dew Point: 28.4F. Windchill: 32.0F. Pressure: 30.06 in 1018 hPa (Steady).
12:32 < dazo> !weather HKG
12:32 < vpnHelper> dazo: The current temperature in Victoria Peak, Hong Kong, Hong Kong is 49.8F (2:36 AM HKT on January 28, 2009). Conditions: Mostly Cloudy. Humidity: 92%. Dew Point: 48.2F. Windchill: 50.0F. Pressure: 29.93 in 1013.4 hPa (Steady).
12:32 < dazo> krzee: it takes airport codes .... perfect! :-P
12:34 < krzee> =]
12:45 -!- lvtn [n=azambuja@189.32.146.89] has joined ##openvpn
12:48 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:57 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has joined ##openvpn
13:11 < krzee> !weather 92109
13:11 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 59.0F (11:14 AM PST on January 27, 2009). Conditions: Mostly Cloudy. Humidity: 45%. Dew Point: 37.4F. Pressure: 30.36 in 1028.0 hPa (Rising).
13:20 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:21 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection]
13:25 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
13:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:03 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Read error: 104 (Connection reset by peer)]
14:04 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
14:21 < huslu> !weather TLN
14:21 < vpnHelper> huslu: The current temperature in Hyeres, France is 46.4F (9:00 PM CET on January 27, 2009). Conditions: Clear. Humidity: 53%. Dew Point: 30.2F. Windchill: 42.8F. Pressure: 29.65 in 1004 hPa (Steady).
14:21 < huslu> !weather TLL
14:21 < vpnHelper> huslu: The current temperature in Tallinn, City center, Estonia is 32.5F (10:15 PM EET on January 27, 2009). Conditions: Overcast. Humidity: 90%. Dew Point: 30.2F. Windchill: 32.0F. Pressure: 29.97 in 1014.8 hPa (Steady).
14:21 < ecrist> krzee: did you fix my perms on the bot?
14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 < huslu> too bad it doesn't give temperatures in celsius
14:23 < ecrist> nobody that matters uses celcius
14:23 < ecrist> celsius even
14:23 < ecrist> see? it's not even important enough to spell correctly
14:27 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
14:29 < techqbert> I was using a wireless router earlier. Now I'm using ethernet hooked up right up to the cable modem. I can nmap my VPN server, mount shares, but no longer can I ls those shares, SSH to the box, or go to http://x.x.x.x:8080 What do you think is going on? Does OpenVPN require a NAT? Is the ISP blocking certain packets?
14:31 < techqbert> As well, scp no longer works to the network even when not on the 10 subnet, just WAN. What the hell?
14:32 < techqbert> Yet filezilla can move the files, even on the same 32 port for WAN.
14:33 * ecrist is lost
14:34 < ecrist> you don't give us any real details, so nobody can help you.
14:34 < techqbert> ecrist: might I need to supply. I'm just as bankrupt for ideas.
14:34 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
14:35 < techqbert> What might I need to supply? *
14:37 * ecrist points to channel topic
14:40 < techqbert> !route
14:40 < vpnHelper> techqbert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:41 < techqbert> Ecrist: thanks for the help. I have no firewall and I need not set up lans behind openvpn.
14:42 < ecrist> ah, but you missed the 'We need !configs and !logs' part?
14:43 < techqbert> !configs
14:43 < vpnHelper> techqbert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:45 < techqbert> ecrist: may I ask you a simple question before I embark on gathering logs and config files. Should an openvpn VPN work regardless of whether the VPN client is behind a router or hooked directly to the ethernet port of the router?
15:03 < ecrist> yep
15:04 < ecrist> gotta go. bbl8r
15:14 -!- boney [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
15:14 < techqbert> Hey guys I went from wireless LAN to direct ethernet to router on my client side and now my machine won't access NFS shares on the VPN, or go to VPN web sites. I can only ping.
15:14 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
15:14 -!- casa0816 [n=casa@dslb-092-075-089-008.pools.arcor-ip.net] has quit []
15:21 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has joined ##openvpn
15:25 -!- bsdbandit [n=chuckban@wsip-70-169-130-78.hr.hr.cox.net] has quit [Client Quit]
15:39 -!- neverblue [n=jezus@unaffiliated/neverblue] has joined ##openvpn
15:39 < neverblue> get out!
15:39 < neverblue> you guys have your own channel :D
15:40 < neverblue> but, the question is, is anyone around to answer questions
15:41 < neverblue> when I edit my .conf.ovpn file, in Wordpad, then save it, i lose associations with the .ovpn extension to openvpn
15:42 < neverblue> how can I repair this ?
16:58 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:25 -!- mepholic [n=mepholic@209.17.190.90] has joined ##openvpn
17:33 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:37 -!- Netsplit over, joins: aar0n
17:40 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: aar0n
17:40 -!- Netsplit over, joins: aar0n
18:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:29 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
18:29 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
18:29 < hardwire> any idea how to assign static ip's (pushed) per client?
18:30 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
18:31 < hardwire> other than using DHCP
18:32 < hardwire> ah
18:32 < hardwire> client-config-dir
18:32 < hardwire> woota
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)]
19:31 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
19:51 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:27 < ecrist> evening, fuckers
20:29 < muxpux> hi
20:29 < muxpux> lol
20:50 < ecrist> neverblue: what do you mean that you lose associations with the .ovpn extension?
23:35 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
--- Day changed Wed Jan 28 2009
00:59 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
01:36 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
01:54 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:18 -!- casa0816 [n=casa@193.197.157.150] has joined ##openvpn
02:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
02:20 < QWToo> neverblue, right click the ovpn and click open with -> custom -> then select or browse for openvpn and make sure you tick the "always open with this program" checkbox and click okay
02:21 < QWToo> your associations should stay with openvpn unless you follow that process with wordpad
02:29 -!- nullboy [n=nullboy@unaffiliated/nullboy] has joined ##openvpn
02:29 < nullboy> !route
02:29 < vpnHelper> nullboy: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:36 < QWToo> just bridge
02:38 < Rawplayer> so why is there an iptables exampe in the freebsd openvpn ports?:)
02:38 < Rawplayer> *example
02:41 < nullboy> QWToo: was that for me? bridging over routing?
02:42 < QWToo> yeah
02:42 < QWToo> cause screw iptables
02:43 < nullboy> so routing method done properly would require nat, is that correct?
02:44 < QWToo> i don't really know anything about networking
02:44 < nullboy> does this directive apply to bridge mode as well as route mode? push "redirect-gateway local def1"
02:44 < QWToo> stop being an ass
02:45 < nullboy> wtf?
02:45 < QWToo> oh, nevermind then
02:45 < QWToo> sorry
02:45 < Rawplayer> nullboy: with bridging you can make 2 separate locations into one broadcast domain
02:45 < QWToo> my point was that i don't know anything about networking
02:45 < QWToo> but that i didn't have to
02:46 < QWToo> because there isn't much to configure if you use bridging
02:46 < nullboy> Rawplayer: the problem I'm having with route mode is that the vpn server is on the same lan as the vpn client so some things are leaking out into the lan that should be in the tunnel
02:46 < nullboy> i think it's a route issue
02:46 < QWToo> oh yeah, you can't bridge if you do that
02:47 < nullboy> i can kill the real subnet's default gw but if you kill the route to the real subnet's network everything dies
02:47 < Rawplayer> nullboy: draw your setup
02:47 < nullboy> k
02:47 < Rawplayer> nullboy: is the client getting his IP from dhcp?
02:47 < Rawplayer> you can also handout /30 netmasks
02:47 < nullboy> client gets real subnet's ip from dhcp and also gets vpn ip from vpn dhcp
02:48 < Rawplayer> ok, what should the client do in his "real" subnet
02:49 < nullboy> let me get all artsy
03:04 < nullboy> http://home.pacbell.net/morticus/openvpn.diar.1.jpg
03:05 < Rawplayer> nullboy: so what are you trying to achieve?
03:06 < Rawplayer> remind that you need to explain something who does not know how your network looks like..
03:06 < Rawplayer> + to someone
03:06 < nullboy> what is not explained in that? did you read the box?
03:07 < nullboy> why are some packets being leaked into the real lan?
03:07 < Rawplayer> nullboy: vpn ip's should not reach internal ip's from real subnet?
03:08 < nullboy> dns, icmp echo req/reply, some aim traffic, that should be using the vpn is hitting the real lan plaintext
03:08 < nullboy> http goes down it though
03:08 < Rawplayer> nullboy: the reason is that your real ip is direct connected
03:09 < Rawplayer> that is preferred instead of using the vpn connection
03:09 < nullboy> i understand that part but if you kill the real route you lose vpn connectivity
03:09 < nullboy> so how can i really force everything down the vpn?
03:09 < Rawplayer> nullboy: setup /30 dhcp entries
03:10 < nullboy> where? on the vpn or the lan?
03:10 < Rawplayer> then you have 2 usable ip's in your subnet
03:10 < Rawplayer> 1 for the lan client
03:10 < Rawplayer> 1 for the other end
03:10 < nullboy> then use host routes?
03:10 < Rawplayer> and then firewall the routing between the subnets on your router
03:11 < Rawplayer> then it works fine
03:11 < nullboy> got it thanks
03:11 < Rawplayer> because you can only reach two ip's when you are not connected to the vpn
03:11 < Rawplayer> instead of the whole subnet
03:12 < nullboy> wait...
03:12 < nullboy> you mean turn the whole physical lan into a /30?
03:12 < nullboy> this is a diagram showing a particular situation that includes a whole LAN
03:12 < nullboy> not just 3 devices
03:14 < nullboy> i think moving the vpn server to the border router would be better
03:14 < Rawplayer> nullboy: you want to reach the other lan clients over the vpn right?
03:14 < Rawplayer> instead of direct?
03:15 < nullboy> i don't think you and me are on the same channel here
03:16 < nullboy> i'll mess with the /30 thing though
03:17 -!- nullboy [n=nullboy@unaffiliated/nullboy] has quit ["battery died"]
03:17 < Rawplayer> nullboy: that is what i mean with " remind that you need to explain something who does not know how your network looks like.."
03:17 < Rawplayer> what an ass
03:30 -!- mahdi_ja [n=chatzill@212.50.230.204] has joined ##openvpn
03:31 < mahdi_ja> hi all.
03:31 < mahdi_ja> can i use openvpn for share internet connection.
03:35 < dazo> mahdi_ja: ehhh .... not sure what you really are asking about now
03:37 < mahdi_ja> dazo: i have one server and i have one internet connection. if create a vpn server in my system and another user connect to this, they can use internet.
03:39 < dazo> mahdi_ja: openvpn will not change things for other users ... depending on how you setup openvpn and how your openvpn server is located in your network, your clients might get access to the VPN network itself too, but the basic Internet communication for other users should not break if things are done properly
03:46 < mahdi_ja> dazo: i have a system with windows 2003 server with 2 nic card one connect to lan an other to the adsl modem. user with vpn connect to this and use internet (i share internet). i want change this server to linux and openvpn. can i do it with openvpn
03:47 < dazo> mahdi_ja: sounds like a good approach ... yes, you can! :) in fact, this is a very common configuration
03:48 < mahdi_ja> dazo: do you have any resource for this ?
03:49 < dazo> mahdi_ja: what kind of experiences do you have with topics like Linux, networking, iptables and VPN?
03:49 * dazo just needs to know this to find good resources
03:50 < mahdi_ja> in linux and vpn and network good but iptable no.
03:51 < dazo> mahdi_ja: that sounds good! ... iptables is not difficult. I would then recommend you to just setup a default setup, install iptables, but make sure it is completely open in the beginning ...
03:51 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
03:51 * dazo looks for resources
03:52 < onats> !iroute
03:52 < vpnHelper> onats: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
03:52 < onats> !ccd
03:52 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
03:52 < onats> !route
03:52 < vpnHelper> onats: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:52 < mahdi_ja> dazo: thank you.
03:53 < dazo> mahdi_ja: np! ... any experience with openvpn?
03:54 < mahdi_ja> dazo: i read this now reading this book:OpenVPN
03:54 < mahdi_ja> Building and Integrating Virtual Private
03:54 < dazo> mahdi_ja: I haven't read it myself ... but I believe that can be a good starting point
03:55 < mahdi_ja> dazo: it is simple and useful.
03:57 < mahdi_ja> dazo: have a nice day, bye.
03:57 < dazo> mahdi_ja: I'm not done
03:57 < dazo> mahdi_ja: I'm still looking for your info
04:00 < mahdi_ja> dazo: in "Linux Networking Cookbook" chapter 9 there is a good tutorial for creating vpn network with open vpn. step by step. i read this, and it is very useful.
04:01 < dazo> mahdi_ja: nice .... does it also cover iptables?
04:01 < mahdi_ja> dazo: yes.
04:01 < dazo> mahdi_ja: then you have all you need already
04:02 * dazo stops searching
04:03 < mahdi_ja> dazo: i test this and i disturb you again.
04:04 < dazo> mahdi_ja: sure! :)
04:04 < mahdi_ja> dazo: thank you my friend
04:05 < mahdi_ja> dazo: thank you my friend i see you again.
04:05 < dazo> mahdi_ja: np
04:05 -!- mahdi_ja [n=chatzill@212.50.230.204] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120122]"]
04:10 < onats> anyone up?
04:11 < onats> i'm having issues on a windows XP box.. route is not working.
04:11 < onats> The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP address table for the machine
04:11 < onats> krzie are you there?
04:15 < dazo> onats: have you studied the --ip-win32 argument?
04:15 < dazo> onats: and --route-method
04:16 < onats> dazo, not familiar with those two
04:16 < onats> yet
04:16 < onats> can you enlighten me?
04:16 < onats> im just having issues with a windows xp client
04:16 < onats> with the exact same configurations, on a win2k3 server box, it connects properly
04:16 < onats> !ip-win32
04:16 < vpnHelper> onats: Error: "ip-win32" is not a valid command.
04:17 < dazo> those set how openvpn will interact with the IP layer in Windows ... which is different in the different windows versions
04:17 < dazo> !man
04:17 < vpnHelper> dazo: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:17 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Remote closed the connection]
04:18 < dazo> onats: but it can also be that the TAP device is wrongly created, or you have some mismatch between tap indexes and the available tap devices
04:18 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
04:18 < onats> dazo, but i installed openvpn using the installer with openvpngui
04:18 < dazo> onats: I believe --show-adapters can help you figure out that
04:19 < dazo> onats: yeah, but that's not for sure it always works perfect .....
04:20 < onats> oh boy
04:20 < onats> the problem is the client device isnt in front of me... gahh...
04:20 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 110 (Connection timed out)]
04:21 < onats> dazo, what information can i derive from show adapters?
04:21 < onats> should i reinstall the application then?
04:21 < onats> or recreate the tap drivers?
04:21 < dazo> onats: I don't remember, just reading man pages and throwing out ideas ....
04:21 < dazo> onats: I'd create to recreate tap devices .....
04:22 * dazo checking on a winxp box now .... to see if he sees something clever
04:23 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
04:24 * dazo sees that --show-adapters gave less info than anticipated
04:24 < ohzie> If I /etc/init.d/openvpn start and I get a fail on the startup, is there anywhere more detailed than 'error' so that I know what I'm supposed to fix?
04:24 < ohzie> Even asking a question about it, I have to know why it's failing first. :P
04:24 < onats> i think you can set verbosity of logs and a log file in the config?
04:24 < onats> #status /tmp/openvpn-status.log #log /tmp/openvpn.log
04:25 < onats> add those to your config file
04:25 < onats> without the comment outs of course
04:25 < ohzie> Well my problem is I don't know where it's putting this error. All I see is "* Autostarting VPN 'server' ..............................[fail]"
04:25 < ohzie> [shell]
04:25 < onats> also set "verb 9"
04:26 < ohzie> Do you know where the default log is?
04:27 < onats> my best bet is to specify a log file
04:28 < ohzie> and that's just " log /path/to/log.file"
04:28 < ohzie> ?
04:28 < onats> yeah
04:28 < onats> but you have to set a verbosity level too
04:28 < dazo> ohzie: default is system logger if openvpn is started as a daemon .... console if not
04:28 < onats> oh that im not sure.. basta thats how i use the log file..
04:29 < dazo> verb 9 is very verbose ..... you might catch a lot with verb between 4-6
04:29 < ohzie> Yeah log /path/to/file.name doesn't work
04:29 < ohzie> Anyone else know how I can find or specify a log file? I don't know where 'system logger' would be
04:29 < ohzie> like where I'd read that stuff.
04:30 < dazo> ohzie: which OS?
04:30 < ohzie> ubuntu
04:30 < dazo> ohzie: /var/log/messages most probably
04:31 < dazo> ohzie: if you do ls -ltr /var/log .... in the bottom of this list, you will always find the last changed files
04:31 < ohzie> There's a lot of stuff there, but nothing from openvpn
04:32 < dazo> ohzie: grep openvpn /var/log/* ?
04:33 < ohzie> I found it
04:33 < ohzie> It was putting them in daemon.log
04:33 < ohzie> What a fucking jerk program
04:33 < dazo> onats: you may also check out --show-net ... that gave some info about adapters and their indexes as well
04:33 < ohzie> Okay that's weird "Unrecognized option or missing parameter(s)
04:33 < onats> which is a jerk program? openvpn?
04:33 < onats> heheh
04:34 < ohzie> Yes.
04:34 < ohzie> Okay so if it says server.conf:2
04:34 < ohzie> that means line 2, right?
04:34 < dazo> ohzie: I would guess so, yes
04:35 < ohzie> And now I know what the problem was
04:35 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
04:36 < ohzie> The dick who wrote this sample from his home network used a rich text editor like word. Everything is capitalized properly, at the beginning of a new line. Every single config option in the config file.
04:37 * dazo would never trust people who use rich text editors for writing config files .......
04:37 < dazo> that's like using cannons for fishing
04:40 < ohzie> Or a metal spatula in a nonstick pan
04:40 < ohzie> Thanks for the help, I couldn't have figured it out without you. :D
04:43 * dazo shrugs
05:21 -!- neverblue [n=jezus@S0106001a706142cc.gv.shawcable.net] has joined ##openvpn
05:27 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has joined ##openvpn
05:27 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has joined ##openvpn
05:28 < indra> hi all
05:28 < indra> I installed openvpn in my debian and configured everything
05:28 < indra> everything is working fine
05:29 < indra> I am using 192.168.53.111 as my vpn server,
05:29 < gfolkert> !route
05:29 < vpnHelper> gfolkert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:29 < indra> now, i want another ip address in 52 domain, like 192.168.52.111 also to act as the vpn server
05:29 < indra> just adding a eth1:1 to the 52.111 ip is not working
05:29 < indra> is there anything else to be configured
05:30 < indra> configured to work with multiple ip address as vpn server
05:33 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 104 (Connection reset by peer)]
05:48 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
05:49 < tjz> Hello
05:49 < Rawplayer> hi
05:51 -!- indra [i=c40c2d63@gateway/web/ajax/mibbit.com/x-b83f9aec7fa0b7cc] has quit ["http://www.mibbit.com ajax IRC Client"]
05:54 -!- gfolkert [n=greg@c-71-205-63-67.hsd1.mi.comcast.net] has left ##openvpn []
05:54 < tjz> i am getting this error on windows vista system:
05:54 < tjz> openvpn route gateway is not reachable on any active network
05:57 < aar0n> !weather
05:57 < vpnHelper> aar0n: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < aar0n> !weather braunschweig
05:57 < Rawplayer> !weather
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < vpnHelper> Rawplayer: (weather ) -- Returns the approximate weather conditions for a given city.
05:57 < Rawplayer> only for us?
05:57 < aar0n> !weather germany
05:57 < vpnHelper> aar0n: Error: HTTP Error 500: Server Error
05:57 < Rawplayer> !weather netherlands
05:57 < vpnHelper> Rawplayer: Error: HTTP Error 500: Server Error
05:57 < aar0n> lame!
05:58 * Rawplayer nullroutes vpnHelper
05:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:23 < dazo> !weather FRA
06:23 < vpnHelper> dazo: The current temperature in Mörfelden-Walldorf, Germany is 39.4F (1:00 PM CET on January 28, 2009). Conditions: Scattered Clouds. Humidity: 73%. Dew Point: 32.0F. Windchill: 33.8F. Pressure: 30.04 in 1017.2 hPa (Steady).
06:23 < dazo> Rawplayer: ^ ^ ^ .... try airport codes ....
06:30 < ecrist> good morning, bitches
06:31 < tjz> good morning
06:31 < tjz> haha
06:44 < tjz> happy chinese new year~~~~~~~~~~
06:56 -!- casa0816 [n=casa@193.197.157.150] has quit ["Verlassend"]
07:04 < tjz> anyone into starcraft?
07:07 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:08 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:08 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Excess Flood]
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:09 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:12 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn
07:12 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
07:13 < ecrist> dvl, what sort of nastiness are you up to?
07:19 < dvl> ecrist: what were you seeing?
07:19 < ecrist> 07:11 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has quit [Excess Flood]
07:20 < dvl> ecrist: Oh, that was dueling IRC sessions. One on each laptop.
07:20 < ecrist> ah
07:20 < dvl> each one trying to get control of the BNC
07:20 < ecrist> BNC?
07:20 < dvl> And I did not notice it.
07:20 < dvl> I call it a BNC, don't know why.
07:20 < ecrist> the mask?
07:21 < dvl> mask?
07:21 * ecrist is confused
07:21 < dvl> http://www.gotbnc.com/
07:21 < dvl> Call it a proxy, that holds my connection when I close my IRC client.
07:22 < ecrist> ah
07:22 < ecrist> I have a solution for that, irssi and screen on one of my servers.
07:22 < dvl> Advantages: logs while I'm away.... keeps my nick..
07:23 < dvl> ecrist: That would work. But I use xchat in a gui. And my solution will work with any IRC client. It is client agnostic.
07:23 < dvl> I do like screen though.
07:23 < dvl> It also means if the kiddies want to flood me, they'll flood my server, not my home connection, or the office, etc.
07:24 < ecrist> I like xchat, but the aqua version hasn't been updated in quite a while, and I've found irssi is more than sufficient.
07:24 < dvl> I prefer mIRC, but it's not available on all my OS now.
07:25 < ecrist> ick
07:25 < dvl> On the topic of cars? Who said cars.
07:25 * cpm wonders why one would get themselves in a place where 'the kiddies want to flood me' was a real possibility.
07:25 < dvl> Considering buying a new Subaru (would be my 3rd). drove an Outback XT Limited last night.
07:25 < dvl> cpm: Kids acting up in a channel, you kick them out... etc
07:25 < ecrist> where did the car topic come from?
07:26 < cpm> 3rd in how long?
07:26 < dvl> cpm: I've been flooded for having the nick 'dvl'
07:26 < ecrist> my wife has a 2000 2.5RS
07:26 < dvl> cpm: current car is a 2001 Legacy wagon. Bought it new.
07:26 < dvl> cpm: before that, was a '91 used Wagon, sold it because I moved across the pacific.
07:26 < dvl> ecrist: It didn't. ;)
07:28 < mRCUTEO> hiya tjz
07:28 < dvl> cpm: the wife's car, is that a Legacy? what? I do not know it.
07:28 < mRCUTEO> :D
07:28 < ecrist> dvl, are you on drugs?
07:29 < cpm> dvl, well, I sure like subies, I've got just under $300K on my legacy outback. Not sure I'd buy another one, don't care for the new ones so much. but I'll hate it if this one ever goes. She's been fighting off the rust so far, as long as she doesn't get rust, I'll keep fixing her.
07:31 < dvl> ecrist: no, why do you ask? :)
07:31 < dvl> cpm: Mine has 100k miles just now.
07:31 < cpm> what year?
07:32 < cpm> '01?
07:32 < cpm> yer good to go!
07:32 < dvl> cpm: I wanted to upgrade, newer features. That's all. Plus, needs new tires, making some new sounds from the rear. And I have the cash now.
07:32 < ecrist> my wife's next car is going to be an STi
07:32 < dvl> cpm: yes, very reliable car. May see if one of my friends wants it.
07:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
07:33 < dvl> Heard about them.
07:33 < dvl> ecrist: It's too small for me. I do a bit of mountain biking, so I need the room to carry the bike in the back if there's salt on the roads, and room for gear on longer trips.
07:36 < dvl> ecrist: I just started my caffeine drip... does that count as drugs?
07:40 < ecrist> perhaps. ;)
07:42 -!- Guest96894 [n=Anon472@86.99.102.197] has joined ##openvpn
07:42 < Guest96894> general ssl question (not related to openssl)
07:42 < Guest96894> i generated a CSR in IIS win 2k3. and have a cert signed from my provider
07:43 < ecrist> ok
07:43 < Guest96894> but, between that period, i deleted the pending request
07:44 < Guest96894> so, now, i'm afraid the CSR also includes a private key??
07:44 < ecrist> what do you mean?
07:44 < Guest96894> it's all in IIS, u familiar with it?
07:44 < ecrist> with a CSR, you generate the request, as well as a matching key.
07:44 < ecrist> the signed certificate is worthless without the key
07:44 < Guest96894> matching key == private?
07:44 < ecrist> yep
07:44 < Guest96894> well, i went into that interface and clicked on "Delete pending request"
07:45 < ecrist> well, sounds like you deleted the key
07:45 < Guest96894> ways to retrieve it?
07:46 < ecrist> none that I know of.
07:46 < ecrist> I'm not familiar with the IIS certificate tools, so would be hard to help you there.
07:46 < ecrist> recover it from the backups I'm sure you're making...
07:46 < Guest96894> i think you are right that it's deleted
07:46 < Guest96894> nah, no backup for this i'm damn sure
07:46 < Guest96894> so i need to have another CSR again?
07:46 < ecrist> first mistake, there. ;)
07:47 < ecrist> yep
07:47 < Guest96894> 1st mistake, production environment!!
07:47 < Guest96894> 2nd point: do CAs provide resigning a request without considering it as a totally new request?
07:47 < Guest96894> i don't want to pay twice!
07:47 < ecrist> yes, they should support you. I know godaddy does.
07:48 < ecrist> just tell them you need to rekey your certificate.
07:48 < ecrist> they revoke the current one and will issue you a new one. everything in the CSR needs to be the same, aside from your private key (same CN, etc)
07:48 < Guest96894> alright..
07:49 < Guest96894> this is relieving!!
07:49 < Guest96894> the director is involved..
07:49 * dazo hopes Guest96894 is having a cooperative CA ...
07:49 < Guest96894> dazo: nah, sadly...
07:50 < Guest96894> there is no reason why we don't have
07:50 < ecrist> really, it's Guest96894's fault to begin with for not having backups.
07:50 < Guest96894> yeah...
07:50 < Guest96894> it's my stupid mistake
07:50 < dvl> Guest96894: For backups, I recommend http://www.bacula.org/
07:50 < vpnHelper> Title: Bacula, the Open Source, Enterprise ready, Network Backup Tool for Linux, Unix, and Windows (at www.bacula.org)
07:51 < dazo> Guest96894: dvl: http://www.boxbackup.org/ << my recommendation ;-)
07:51 < vpnHelper> Title: Box Backup (at www.boxbackup.org)
07:52 < dazo> (not as heavy and enterprisey as bacula ... even though bacula is good as well)
07:52 < dvl> dazo: I use Bacula to backup my systems at home and abroad. Just me, nobody else. No enterprise here.
07:53 < dazo> dvl: mm ... well, I do the same with boxbackup ... but the footprint of boxbackup is much smaller .... and a lot easier to setup
07:54 < Guest96894> dazo: i'm using windows
07:54 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 110 (Connection timed out)]
07:54 < dazo> Guest96894: I'm sorry for you
07:54 < Guest96894> this is funny
07:55 < dazo> ;-)
07:55 < Guest96894> i'm sad about this case
07:55 < Guest96894> sighhhh :(
07:55 < Guest96894> wondering what message to deliver to my boss hehehehe
07:55 < Guest96894> "i deleted private key, sorry"
07:55 < dazo> dvl: and the feature I like is that it has some kind of file/directory based raid solution embedded ... so it spreads the backup data on the storage server over three directories ... and can then easily be rsynced to 3 different locations and your backup data will not be compromised if one part is lost
07:56 < dazo> Guest96894: you can ALWAYS blame it on bad security in Windows :-P
07:56 < Guest96894> dazo: oh man... he is PRO windows!!
07:56 < Guest96894> dazo: he makes fun of me when talking of open source stuff
07:56 < dazo> Guest96894: now I really, sincerely feel sorry for you
07:56 < Guest96894> dazo: he calls stupid complexity "unix-like stuff"
07:56 < dvl> dazo: I don't understand why that's in your backup solution and not in your filesystem solution.
07:56 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has joined ##openvpn
07:57 < Shadowcat> how long does it usually take to generate dh parameters?
07:57 < dazo> dvl: off-site backup .... to do that in a secure way
07:57 < Guest96894> dazo: i didn't know that windows deletes private key when CSR is deleted!!!!!
07:57 < Guest96894> private key is different than CSR >_< - what i know
07:58 * dazo never deletes things if I do not need to delete it
07:58 < Shadowcat> dazo: rm -rf / ;)
07:58 < Guest96894> dazo: there was a need. iis was down, and to bring back the self signed cert i had to delete it
07:58 < Guest96894> dazo: thanks to window's narrow minded gui!
07:58 < Shadowcat> why are you using the GUI if you're managing a windows server?
07:58 < dazo> Guest96894: yeah ... I use to move files away to another directory
07:59 < Guest96894> dazo: its location is not in a directory i guess
07:59 < Guest96894> dazo: i should have used mmc to back it up
07:59 < dazo> Guest96894: aha ... well, I'm not pro-windows ..... you probably noticed :-P
07:59 < Shadowcat> Guest96894: and what's wrong with Windows Explorer?
07:59 < Shadowcat> if it's a key file just copy the file
07:59 < Shadowcat> not very hard
07:59 < Guest96894> Shadowcat: i'm talking about IIS
07:59 < dazo> Shadowcat: it's a key in the certificate register
08:00 < Shadowcat> regedit
08:00 < Shadowcat> :)
08:00 < Guest96894> regedit is ugly
08:00 < Shadowcat> regedit works
08:00 < Guest96894> but ugly and creepy hidden below stuff
08:00 < Guest96894> stuff like i don't know
08:00 < Guest96894> i hope, just hope, my CA will rekey it :(
08:00 < Shadowcat> ok..... so export the entire tree
08:01 < Shadowcat> it's very hard to miss something if you export the entire tree
08:01 < Guest96894> i have no luck
08:01 < Guest96894> see you tomorrow
08:01 < Guest96894> bye
08:01 -!- Guest96894 [n=Anon472@86.99.102.197] has quit ["leaving"]
08:01 < Shadowcat> it'll give you a 100mb txt file, but it'll be there
08:01 < Shadowcat> ...
08:02 < ecrist> what will be there?
08:09 < dvl> pr0n
08:09 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:13 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn
08:28 < tjz> hahahaha
08:37 < dvl> ASCII pr0n
08:38 < tjz> oh
08:38 < tjz> hahaha
08:39 < cpm> 100mb ascii porn file?
08:39 < cpm> need a hi speed dot matrix with a good tractor feed to print.
08:41 < ecrist> and triplicate tractor-feed forms.
08:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
08:43 < tjz> hAHAHHAHA!!
08:49 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has joined ##openvpn
09:04 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
09:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:30 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:39 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn
09:39 < frankS2> /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf where can i get this file? its not there
09:40 < frankS2> all the other files are there except whichopensslcnf
09:40 < frankS2> (openbsd)
09:42 < kyrix> well i dont know in openbsd
09:43 < kyrix> http://www.netfrag.org/cgi-bin/dwww/usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
09:43 < vpnHelper> Title: /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf (at www.netfrag.org)
09:43 < kyrix> probably similar to that one
10:07 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
10:12 -!- kyrix [n=ashley@91-115-25-56.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:19 -!- Shadowcat [n=Shadowca@static-213-115-110-250.sme.bredbandsbolaget.se] has quit [Read error: 131 (Connection reset by peer)]
10:31 < fbond> Hi, I am assisting someone remotely who is running OpenVPN 2 on a Windows server with the firewall disabled. We are unable to connect to the OpenVPN server at all (Connection refused). We are using port 443 (at his request), and `nc [ip address] 443` gives Connection Refused. Directly on the server, `telnet localhost 443` also gives Connection Refused. Any ideas?
10:32 < krzee> windows firewall
10:33 < krzee> also
10:33 < krzee> it may not be listening on localhost depending on config
10:33 < krzee> !configs
10:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:33 < dazo> fbond: check with netstat .... if you have something listening on port 443
10:35 < fbond> dazo: Um, does Windows have netstat?
10:35 < dazo> fbond: well, I believe I've used that on winxp .... yes
10:35 < fbond> krzee: I've been told that Windows firewall is disabled.
10:35 * dazo doesn't have windows access right now ... so he can't check
10:36 < fbond> !configs
10:36 < vpnHelper> fbond: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:36 < fbond> Oh, right.
10:36 < fbond> Where do I paste?
10:37 < dazo> !pastebin
10:37 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
10:37 < krzee> pls remove comments
10:40 < fbond> http://www.pastebin.ca/1320751
10:40 < fbond> That's the server config.
10:40 < fbond> I'm not even using a client yet since I can't connect to the port.
10:41 < fbond> Microsoft Windows [Version 5.2.3790]
10:44 < neverblue> QWToo it doesn't
10:45 < neverblue> QWToo: the extension association, done that way, associates which 'editor' the .ovpn will use. My issue is that the context menu doesnt have the 'Use OpenVPN with this config'
10:45 < neverblue> so it is a bit different
10:46 < krzee> netstat -a
10:46 < krzee> do you see * 443 UDP LISTEN ?
10:46 < krzee> something like that
10:46 < krzee> (no windows here to see exact)
10:47 < krzee> !winfw
10:47 < vpnHelper> krzee: Error: "winfw" is not a valid command.
10:47 < krzee> !factoids search win
10:47 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', and 'wintaphide'
10:47 < krzee> hrm
10:47 < fbond> krzee: Yep, waiting for a response on that...
10:52 < krzee> also, i dont think nc uses udp by default
10:57 -!- lvtn [n=azambuja@189.32.146.89] has left ##openvpn []
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:30 < fbond> krzee: Agh, my fault.
11:31 < fbond> I was using udp but then testing with telnet/nc over TCP. His firewall, meanwhile, was only port-forwarding TCP.
11:31 < fbond> krzee: Is there a good reason to prefer UDP?
11:31 < krzee> yes
11:31 < krzee> !tcp
11:31 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:34 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
11:35 < Cope> !route
11:35 < vpnHelper> Cope: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:36 < Cope> hmm
11:36 < Cope> ok - if I have a user with a home network on 192.168.0.1/24 and an office network on the same subnet, how can I route packets reliably between the 2 networks?
11:37 < krzee> by changing one of the subnets
11:37 < Cope> surely on home.lan if I try to hit 192.168.0.31, it won't know which subnet to use?
11:37 < Cope> krzee: is there no other way?
11:37 < dazo> Cope: nope
11:37 < Cope> bugger
11:37 < krzee> theres another way involving nat, but its the wrong way
11:37 < krzee> and i wont help with it
11:38 < krzee> just change 1 side
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:38 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has joined ##openvpn
11:39 -!- zepr0m [n=edji@pub1.heig-vd.ch] has left ##openvpn []
11:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:48 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:55 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection]
12:04 < fbond> krzee: Can using TCP cause immediate connection reset after authentication?
12:05 < fbond> krzee: I don't see auth errors in the server log...
12:09 < krzee> verb 6
12:09 < krzee> !logs
12:09 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
12:13 < fbond> I think I have verb 8 right now, acceptable?
12:13 < fbond> krzee: Getting new logs is a round trip to my remote friend...
12:14 < krzee> thats why i never help people who cant access both sides themselves
12:14 < krzee> but im making an exception cause im bored til my friend gets here to pick me up
12:14 < krzee> which is soon now
12:18 < fbond> krzee: Thanks...
12:20 < krzee> np
12:21 < fbond> krzee: http://www.pastebin.ca/1320851
12:23 < krzee> try to disable all packet filtering in firewalls for that port udp
12:23 < ecrist> will someone make a vpn for me on my network?
12:23 < ecrist> and can you set the rules on my firewall to support the new vpn?
12:24 < fbond> krzee: We're using TCP right now...
12:24 < krzee> !tcp
12:24 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:24 < fbond> krzee: Yes, I was wondering if this problem can be caused by using TCP...
12:24 < fbond> krzee: Do you think that that is the cause?
12:25 < krzee> no
12:25 < krzee> unless your firewall is playing with packets
12:25 < krzee> im not used to verb 8 logs
12:25 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
12:26 < fbond> I don't think the firewall is doing any packet filtering on that port.
12:26 < krzee> friends here
12:26 < fbond> Ack, okay.
12:26 < fbond> Thanks for your help.
12:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:26 < kyrix> !route
12:26 < vpnHelper> kyrix: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:27 < kyrix> i always forget this link
12:30 * dazo wonders if vpnHelper is becoming a public bookmark storage :-P
12:30 * dazo goes home
12:48 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
12:53 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn []
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:14 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:21 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Connection reset by peer]
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"]
13:40 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has joined ##openvpn
13:42 < krzee> !weather 92109
13:42 < vpnHelper> krzee: The current temperature in San Diego, West Mission Valley, San Diego, California is 61.5F (11:44 AM PST on January 28, 2009). Conditions: Partly Cloudy. Humidity: 40%. Dew Point: 37.4F. Pressure: 30.23 in 1023.6 hPa (Falling).
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
13:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
13:47 < kyrix> oh boy, ashley is getting mad at krzee
13:48 < kyrix> !weather a-1150
13:48 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:48 < kyrix> didnt expect it to work
13:48 < kyrix> ;)
13:48 < reiffert> !weather netherlands
13:48 < vpnHelper> reiffert: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather austria
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> !weather AT
13:49 < vpnHelper> kyrix: Error: HTTP Error 500: Server Error
13:49 < kyrix> doesnt matter, its far worse than in san diego
13:52 < reiffert> :)
13:57 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
13:57 -!- worch [i=worch@battletoad.com] has joined ##openvpn
14:00 < krzee> airport code works
14:01 -!- troy- [n=troy@worldnet.tauri.ca] has quit [SendQ exceeded]
14:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
14:02 < kyrix> hehe
14:03 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
14:05 < ecrist> will someone make a vpn for me on my network?
14:05 < ecrist> and can you set the rules on my firewall to support the new vpn?
14:06 < krzee> wassup eric
14:06 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:06 < ecrist> sup krzee
14:07 < krzee> not much man
14:07 < krzee> im gunna head into florida to send out those servers
14:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:08 < ecrist> sweet.
14:10 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has joined ##openvpn
14:10 < bigjohnto> on my windows xp box, i have openvpn setup and config sets.... i also have it on a laptop... the laptop works fine and resolves the hostname on the desktop which is also windows xp... it gives Cannot resolve hostname.... i can ping the host but for some reason something is blocking it.... any ideas?
14:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:14 -!- kreg is now known as Kreg-Work
14:20 < bigjohnto> norton internet security seems to be the issue
14:20 < bigjohnto> any specific rules to be placed ?
14:22 < kyrix> sorry, dont use norton security, dont use windows. but try checking if there is something where you can allow opening outgoing "ports"
14:22 < bigjohnto> kyrix, 1194?
14:22 < kyrix> well, yes. but outgoing.
14:22 < kyrix> and try just turning it off and seeing if it works
14:23 < kyrix> ah hold on...
14:23 < kyrix> the desktop cant even resolve the hostname.
14:24 < bigjohnto> kyrix, desktop can, but openvpn can't when internet security is on... if i disable it, it works, but i want to see if i can with it enabled....
14:24 < bigjohnto> 1194 outgoing doesn't seem to have resolved it.... is there a binary "/bin" on the openvpngui that does the resolving?
14:25 < kyrix> cant help you really with the windows port
14:25 < kyrix> i could probably barely help you with the linux port ;)
14:25 < bigjohnto> np
14:26 < kyrix> isnt there a list of apps trying to get out? or try adding all the apps under openvpn to the whitelist of your firewall
14:26 < bigjohnto> ok thanks, away for a bit while i try
14:29 -!- kyrix [n=ashley@91-115-28-71.adsl.highway.telekom.at] has quit ["Leaving"]
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
14:54 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
14:56 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
15:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
15:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
15:50 -!- kaii [n=kai@ciphron.de] has left ##openvpn []
15:50 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
15:55 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
16:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:10 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 104 (Connection reset by peer)]
16:11 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
16:20 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
16:25 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)]
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:26 < neverblue> guys, having an issue with using OpenVPN in Vista. Are there any common resolutions to fix issues (I have the latest release of OpenVPN installed)
16:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
16:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
16:37 < reiffert> neverblue: start by reading logs.
17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn
17:00 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit [Client Quit]
17:01 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has joined ##openvpn
17:02 < ocuevas> hello
17:02 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:02 < ocuevas> hello
17:03 < ocuevas> Does anybody know what's the best way to revoke a vpn user?
17:04 < reiffert> revoke the certificate.
17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:07 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)]
17:09 -!- bigjohnto [n=bigjohnt@S01060018396f59b3.cg.shawcable.net] has quit []
17:12 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:14 < ocuevas> yeah but from the pfsense we don't have the certs on it.
17:14 < ocuevas> how do I create a pem crl list is maybe a better question
17:15 < reiffert> !howto
17:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:17 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:24 < plaerzen> ugh.
17:28 < ecrist> oh, that command should be in
17:28 < ecrist> !crl
17:28 < vpnHelper> ecrist: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
17:28 < vpnHelper> ecrist: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
17:28 < ecrist> grr
17:28 < ecrist> krzie: fix my damn bot perms
17:28 < ecrist> lemme get the command for you
17:29 < ecrist> openssl ca -gencrl -out CRL.pem -config openssl.cnf
17:30 < reiffert> why not read it up in the howto?
17:31 < ecrist> reiffert: not everyone uses ssl-admin or easy-rsa.
17:31 < reiffert> ecrist: can we assume that everyone uses openvpn that comes to that channel?
17:32 < ecrist> nope
17:32 < ecrist> we get a fair amount of traffic here on general SSL stuff
17:32 < reiffert> ecrist: can we assume further that the official openvpn howto will be valid for all openvpn users that ask questions about openvpn on ##openvpn?
17:32 < ecrist> get up on the wrong side of the bed today, reiffert?
17:33 < reiffert> ecrist: cant remember, just like every other day I guess.
17:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:38 < reiffert> ecrist: maybe it's that I like much more a general approach than a particular solution. The general approach here might help the guys solve a whole bunch of problems altogether...
17:39 < reiffert> at once
17:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:46 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:49 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
17:52 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
17:55 < ecrist> ouch, my wiki is a bit out of date.
17:56 < ecrist> I think I'll update it tomorrow.
17:56 < dvl> slacker 17:56 < dvl> sitting around on IRC all day.... 17:56 < ecrist> MediaWiki 1.10.0, current is 1.13.1 17:57 < ecrist> that cuts deep, dvl 17:58 < dvl> ecrist: I can see the sadness in your face. 17:58 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:59 < dvl> That said, my openvpn is running flawlessly. 18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:03 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 18:08 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:13 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:28 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:33 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:40 -!- ocuevas [n=ocuevas@h-67-100-58-85.snvacaid.covad.net] has quit ["Leaving"] 19:04 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has joined ##openvpn 19:21 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:22 -!- muxpux [n=muxpux@soup.capital-today.net] has left ##openvpn [] 19:30 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has joined ##openvpn 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:31 < shadowhywind> hey all, i just installed the openvpn plugin for knetworkmanager, in my config I have it setup to route all my traffic through the
vpn, Can i still do that with the knetworkmanager - openvpn? 19:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:59 -!- sputnick [n=sputnick@unaffiliated/sputnick] has joined ##openvpn 19:59 < sputnick> hi there 20:09 -!- c64zottel [n=hans@p5B1780C8.dip0.t-ipconnect.de] has left ##openvpn [] 20:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Client Quit] 20:28 -!- sputnick [n=sputnick@unaffiliated/sputnick] has left ##openvpn ["bip...bip...bip...krssh!...beep...beep...beep"] 20:32 -!- aia [n=aia@unaffiliated/aia] has joined ##openvpn 20:50 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has joined ##openvpn 20:53 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has joined ##openvpn 20:54 -!- shadowhywind [n=shadowhy@adsl-69-212-64-136.dsl.milwwi.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 20:55 < WebGuest> anyone know openvpn well? 20:56 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn 20:57 < tjz> yes, sir! reporting in!! 20:57 -!- WebGuest [n=WebGuest@S01060014d1348305.ed.shawcable.net] has quit [Remote closed the connection] 20:57 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has joined ##openvpn 20:59 < krethan> i want the server part to see the client's computers 20:59 < krethan> how do i do that 21:02 -!- krethan [n=krethan@S01060014d1348305.ed.shawcable.net] has quit [Client Quit] 21:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn 21:27 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 21:50 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has joined ##openvpn 21:50 < prxtien> hey all, does anyone have binaries for powerpc 21:50 < prxtien> i need a binary for a dreambox ;) 21:50 < ecrist> prxtien: there are some out there. 21:50 < ecrist> go to Tunnelblick website (use google to find) and download an old copy of their program. 21:51 < ecrist> actually, a new copy may work, as well. 
21:51 < prxtien> i just cant compile it 21:51 < prxtien> no space to compile on this system 21:51 < ecrist> follow my directions above, you should be fine 21:51 < prxtien> /dev/root 3.9M 3.9M 0 100% / 21:51 < prxtien> /dev/mtdblock/1 2.8M 900.0k 1.9M 32% /var 21:52 * ecrist goes to bed. 21:52 < prxtien> okay 22:13 < frankS2> http://pastebin.com/m7985a474 <-- hello i am having problems with that clients connected to the server can not assign the internal network, this is my config file anyone that could help me? :) 22:27 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 22:30 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 22:35 -!- neverblue [n=jezus@unaffiliated/neverblue] has quit [Read error: 60 (Operation timed out)] 22:44 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn 22:44 < grendal_prime> im looking for info on using one CA for several open vpn servers. 22:45 < grendal_prime> this is probably a simple thing to do..but im unable to locate anything that sounds like what im trying to do. 22:45 < grendal_prime> basically we want one ca where we generate all the certs and keys and the other vpn servers to use those keys and certs. Is this possible with openvpn2.0 ? 22:46 < grendal_prime> we dont want to have to replicate the credentials to the other servers. 22:46 < grendal_prime> does that make any sense?
23:09 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:49 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection] --- Day changed Thu Jan 29 2009 00:00 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 00:00 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)] 00:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:38 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 00:46 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 01:04 < reiffert> moin 01:29 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn 01:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 01:41 < tjz> i sense a chinese.. 02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:47 -!- zheng [n=zheng@218.82.136.169] has quit ["Leaving"] 02:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:41 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn 03:48 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 03:55 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)] 03:58 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn 04:06 < nobody999> hi 04:06 < nobody999> I'm trying to establish a vpn roadwarrior connection. 04:06 < nobody999> the client is a windows vista machine and the server is a linux machine. 04:06 < nobody999> Both machines are behind a router. 04:06 < nobody999> The openvpn client tells me that the connection is established but a ping from client to server doesn't give an answer. 04:06 < nobody999> I think I have a routing problem. 04:06 < nobody999> Is there someone who can help me?
04:10 -!- randra [n=sleepkno@gw.riosulense.com.br] has joined ##openvpn 04:12 < nobody999> my routing tables --->http://pastebin.com/d5a3b20bf 04:13 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)] 04:13 -!- kaii [n=kai@ciphron.de] has quit [Read error: 60 (Operation timed out)] 04:14 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 04:15 < dazo> nobody999: do you have some configs as well? 04:16 -!- ikevin_ [n=kevin@ANancy-256-1-121-180.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 04:16 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has joined ##openvpn 04:16 < dazo> nobody999: at first glance, it looks like you are missing a ' push "route " ' statement in your server config .... I can't say I see any routing being pushed to your internal network behind the server on your client 04:18 < nobody999> can you tell me how the route should look like? 04:19 < dazo> nobody999: I would presume .... route 192.168.0.0 255.255.255.0 04:23 < nobody999> my server.conf -->http://pastebin.com/d5881fb3c 04:24 < nobody999> you think the route 192.168.0.0 is wrong? 04:25 < dazo> nobody999: seems you have the route here .... did you modify the config before posting it? .... this route should show up in your windows box .... 04:25 < dazo> nobody999: are you running openvpn with privileges? It needs administrator (or maybe networking is enough) privileges to be able to add that route on your client 04:26 < dazo> nobody999: check your log files carefully for errors .... 
use verb 3 in client config to find most obvious failures 04:27 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:28 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 110 (Connection timed out)] 04:29 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)] 04:30 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 04:31 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:33 < nobody999> I didn't modify the configs 04:34 < nobody999> openvpn is running as root 04:34 < nobody999> and I have verb 3 in client conf but I don't see an error:( 04:36 < dazo> nobody999: but is openvpn running with admin privileges on your windows box? 04:36 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection] 04:37 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 04:37 < nobody999> yes it is 04:37 < nobody999> client logfile --->http://pastebin.com/d54278110 04:37 * dazo needs to catch a tram in 5 min 04:38 < dazo> client log looks fine .... it claims to have the route setup OK .... 04:38 * dazo don't understand why it do not show up with the route command 04:39 < nobody999> are you sure there is a route missing? 04:39 < dazo> nobody999: I'm so so so sorry! I see the route now .... 
04:39 < dazo> 192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 31 04:39 < nobody999> :) 04:40 * dazo is blind 04:40 < dazo> but needs to run now 04:40 < nobody999> but I get no answer when i send a ping 04:40 < nobody999> iptables on server is disables 04:41 < nobody999> on windows firewall is also disables 04:41 < nobody999> disabled 04:42 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 05:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 05:54 -!- frankS2 [n=frank@ti500720a080-7457.bb.online.no] has quit [Remote closed the connection] 06:17 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."] 06:47 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn 06:47 < metbsd> this channel is my last hope.. 06:48 < metbsd> my client can connect from nic1 1.2.3.4/255.255.255.0, but cannot ping 5.6.7.8/255.255.255.192 06:48 < metbsd> how should i config them 06:51 < reiffert> so you have a working openvpn setup, means client connects to server? 06:51 < metbsd> yes 06:51 < metbsd> this pc has two nics, two networks 06:51 < metbsd> 1.2.3.4/255.255.255.0 is where client connect openvpn 06:51 < reiffert> all you want is to have the client get routing information like: send all the stuff that belongs to 5.6.7.8/6 directly over the openvpn 'wire'? 06:52 < metbsd> 5.6.7.8/255.255.255.192 is at nic2 06:52 < metbsd> i need this client to ping 5.6.7.1/255.255.255.192 06:52 < reiffert> nic2 of what host? 06:53 < metbsd> nic1 and nic2 are on same pc 06:53 < reiffert> server or client? 06:53 < metbsd> server 06:53 < metbsd> nic1 and nic2 are on same server 06:53 < reiffert> have push "route 5.6.7.0 255.255.255.192" in your server config 06:53 < reiffert> push "route 5.6.7.0 255.255.255.192" 06:53 < metbsd> yes did that 06:53 < reiffert> great. 06:54 < metbsd> it's wrong? 06:54 < reiffert> no. 06:55 < metbsd> what should i put for 'server' 06:55 < reiffert> sorry? 
06:55 < metbsd> for the option "server ...." 06:55 < reiffert> 13:55 < reiffert> so you have a working openvpn setup, means client connects to server? 06:55 < reiffert> 13:55 < metbsd> yes 06:55 < reiffert> dont change anything but add a single line: 06:55 < reiffert> 13:58 < reiffert> push "route 5.6.7.0 255.255.255.192" 06:56 < reiffert> the option "server ..." does not change. 06:56 < metbsd> ok 06:57 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client 06:57 < reiffert> to pastebin.ca 06:58 < metbsd> ok 07:00 < metbsd> nic1 for internet: 192.168.1.118/255.255.255.0 07:00 < metbsd> nic1 for internet vpn client: 192.168.1.118/255.255.255.0 07:00 < ecrist> good morning, chicken fuckers! 07:00 < metbsd> nic2 for LAN: 10.100.1.8/255.255.255.192 07:02 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 07:02 < metbsd> reiffert: can you plz help me 07:02 < reiffert> 14:01 < reiffert> restart openvpn, reconnect the client, paste the complete routing table of the client 07:02 < reiffert> 14:02 < metbsd> ok 07:02 < reiffert> 14:02 < reiffert> to pastebin.ca 07:02 < reiffert> still waiting for that. 07:03 < metbsd> ok it's coming 07:03 < metbsd> thanks for help 07:05 < metbsd> http://pastebin.ca/1321713 07:06 < metbsd> plz help me out 07:06 < reiffert> Let's fix the conversational problems first: 07:07 < reiffert> a "routing table" is what you get by entering the command: netstat -nr 07:07 < reiffert> what you got me is the openvpn logfile 07:07 < metbsd> ok 07:07 < metbsd> wait plz 07:08 < metbsd> i'm on windows.. 07:08 < metbsd> ok asking client to send it over 07:09 < reiffert> !configs 07:09 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:09 < reiffert> gonna need that as well. 
07:12 -!- aia [n=aia@unaffiliated/aia] has quit [Read error: 60 (Operation timed out)] 07:13 < metbsd> http://pastebin.ca/1321720 server/client conf file 07:15 < reiffert> looks ok, but we still need the clients routing table. 07:16 < reiffert> open a dosbox (start->run->cmd enter), type netstat -nr 07:17 < reiffert> the client logfile would be nice to have as well 07:18 < metbsd> ok 07:19 < metbsd> http://pastebin.ca/1321725 netstat 07:21 < reiffert> As we can see from line 14, the push "route 10.100.1.0 255.255.255.192" worked. 07:22 < metbsd> but he cannot ping 10.100.1.1 from nic2(10.100.1.8/255.255.255.192) 07:22 -!- nobody999 [n=bla@89.246.131.77] has quit [] 07:22 < reiffert> does ping 10.100.1.8 work? 07:22 < reiffert> on the client 07:23 < metbsd> yes 07:23 < reiffert> whats the default gateway of the 10.100.1.0/26 net? 07:24 < metbsd> empty 07:24 < metbsd> i didn't set it 07:24 < metbsd> wait 07:24 < metbsd> i set it 07:24 < metbsd> 10.100.1.1 07:24 < reiffert> how should 10.100.1.1 know where to send packets to that should get outside of 10.100.1.0/26 then? 07:25 < reiffert> ah, so 10.100.1.1 is the default gw for that net? 07:25 < metbsd> for nic2, 10.100.1.8/255.255.255.192 as netmask, and default gateway is 10.100.1.1 07:25 < metbsd> yes 07:25 < reiffert> what kind of operating system is running on 10.100.1.1? 07:25 < metbsd> linux 07:25 < metbsd> redhat 07:25 < reiffert> great. go to that computer and add a route: 07:26 < metbsd> ok 07:26 < reiffert> route add -net 10.100.2.0 255.255.255.0 gw 10.100.1.8 07:26 < reiffert> wait 07:27 < reiffert> route add -net 10.100.2.0/24 gw 10.100.1.8 07:28 < reiffert> then from the commandline of 10.100.1.1 type: ping 10.100.2.5 07:30 < metbsd> it works 07:30 < metbsd> but why though 07:30 < reiffert> look: 07:31 < reiffert> packets that come from the client have the source IP 10.100.2.5, right? 07:31 < metbsd> yes 07:32 < reiffert> they come to the openvpn server. 
the server knows: ah, the destination PC, 10.100.1.1 is on NIC2, so I pass the packet to that interface 07:32 < reiffert> the packet reaches 10.100.1.1 who then sends a ping reply to 10.100.2.5, which he knows can be reached at 10.100.1.8 07:33 < metbsd> i see 07:33 < metbsd> thanks a lot man 07:34 < reiffert> when you send a ping packet to 10.100.1.200, that machine will send the ping reply packet to 10.100.1.1 who tells the 10.100.1.200 machine: hey dude, the 10.100.2.0 net can be reached on 10.100.1.8, and 10.100.1.200 will follow that 07:34 < metbsd> oh, 07:34 < reiffert> oh? 07:34 < metbsd> and after that? 07:35 < reiffert> machine 10.100.1.200 will send the ping reply to 10.100.1.8 which is your openvpn server, which sends the packet to the openvpn client. 07:35 < metbsd> ah 07:35 < reiffert> cool, eh? 07:36 < metbsd> yah, networking is ,, fantastic 07:36 < metbsd> how do you get so good 07:36 < reiffert> I call that basic concepts of networking. 07:36 < metbsd> ok thanks man 07:36 < metbsd> i'm vpn newbie 07:37 < metbsd> i don't know how it works 07:37 < metbsd> good night 07:37 < reiffert> welcome 07:37 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn [] 07:58 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 08:11 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:16 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 08:21 -!- c64zottel [n=hans@141.37.33.125] has quit [Client Quit] 08:21 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has joined ##openvpn 08:21 < aurel42> Ah, that's nice. 08:21 < aurel42> !route 08:21 < vpnHelper> aurel42: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 08:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 08:25 < aurel42> That doesn't seem to help. 08:25 < ecrist> aurel42: we need more information to help you.
08:26 < aurel42> I'm trying to tunnel a routed network (non-RFC 1918), I'd like to know whether OpenVPN has special provisions for handling the default route. 08:26 < ecrist> I don't know what you're asking, specifically. 08:26 < reiffert> !redirect 08:26 < vpnHelper> reiffert: Error: "redirect" is not a valid command. 08:26 < aurel42> In a perfect world, it would set up a new default route when establishing the tunnel, and revert to the "old" default route when the tunnel went down. 08:27 < ecrist> there is a lot of information on the howto on setting default routes 08:27 < aurel42> Uhm. Lemme go back there. 08:27 < reiffert> aurel42: check out the manpage, --redirect-gateway with option def1 in particular. 08:27 < ecrist> aurel42: that topic is covered well on the howto 08:27 < aurel42> reiffert: thanks, I'll look in the howto specifically for --redirect-gateway 08:28 < aurel42> I mainly checked the FAQ and the man page and was looking for a term like "default route" ;) 08:28 < reiffert> aurel42: which leads you to --redirect-gateway def1 08:28 < reiffert> at least for my 2.1 manpage. 08:29 < aurel42> Now that I know what I was looking for, I can clearly see it's there. 08:29 < aurel42> I bet you won't believe me that it wasn't, before. :D 08:30 < reiffert> selfadjusting manpage, nice one 08:31 < ecrist> I hate when that happens. 08:31 < aurel42> 0.0.0.0/1 - what a neat trick, I would've never thought of that. 08:32 < reiffert> ecrist: it happens when I read C library manpages and after that look at example code. 08:33 < aurel42> Well, if it works, I'm probably going to timeout now. 08:36 -!- aurel42 [n=aurel@p57923313.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 08:43 < reiffert> outtiming is one thing ... 08:43 < reiffert> not coming back the other ... 
08:43 < ecrist> hehe 08:54 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 08:54 -!- nobody999 [n=bla@89.246.131.77] has joined ##openvpn 08:56 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit] 09:03 -!- Bushmills [n=nnnl@verhau.de] has left ##openvpn ["Leaving."] 09:09 < nobody999> hi 09:09 < nobody999> I have an established roadwarrior connection. 09:09 < nobody999> if the roadwarrior sends a ping to the vpn server or another client on the server side I get an answer. 09:09 < nobody999> But if I try to access a website nothing happens. Only websites on the vpn server can be accessed, but not on the other machines in the same subnet. 09:09 < nobody999> how can that be? 09:14 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)] 09:23 < ecrist> nobody999: you need to setup a proper default route, and NAT from the VPN server out to the internet for VPN clients. 09:27 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 09:28 < nobody999> I think i have:) 09:28 < nobody999> and a ping is working to all machines 09:28 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 09:29 < nobody999> but I have no access via http to the router for example 09:30 < ecrist> I'd check your firewall, then. 09:40 < nobody999> oh I see the firewall tells me "LAN-side SYN Flood" 09:44 < nobody999> ok it was the IP Flood Detection 09:44 < nobody999> thanks:) 09:46 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 09:46 < clustermagnet> gents, question :) 09:46 < clustermagnet> i've been using openvpn for quite some time, for small tasks 09:47 < clustermagnet> im about to roll out a bigger VPN network, and need your advice 09:47 < clustermagnet> lets say there is an office, with a NAS, exporting CIFS and NFS...
09:47 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn 09:47 < clustermagnet> lets say that network is 10.10.10.20/24 09:47 < ecrist> nobody999: np. Our chan topic is usually accurate... 09:47 < clustermagnet> if you have road warrior VPN clients and macbook pros running openvpn clients 09:48 < clustermagnet> can they easily mount to these cifs/nfs exports via openvpn? :) 09:48 < ecrist> clustermagnet: yes, but I'd recommend soft mounts for NFS 09:48 < clustermagnet> ecrist: awesome :) 09:48 < clustermagnet> ecrist: the tunnel configuration on the clients.... should it be TUN or TAP? 09:48 < ecrist> hard mounts, if the connection goes down, will hang the client machine. 09:49 < ecrist> clustermagnet: I recommend TUN, unless you have a legit reason for needing TAP. 09:49 < clustermagnet> ecrist: perfect 09:49 < ecrist> i.e. a non-IP protocol 09:49 < ecrist> like NetBIOS 09:49 < clustermagnet> ecrist: i'm having issues now with NFS, thats why i asked :( 09:49 < clustermagnet> ecrist: thanks :) 09:49 < ecrist> clustermagnet: i'd recommend against NFS shares over a VPN 09:49 < clustermagnet> ecrist: do you mind looking into my current issue as well? :) 09:49 < ecrist> use something more fault tolerant 09:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:50 < clustermagnet> right now, I have a VPN server, im hosting it as an instance on EC2 :) 09:50 < clustermagnet> so there are 2 clients connecting, one from home, other from office 09:50 < clustermagnet> home client has an NFS server with some music 09:50 < clustermagnet> i'd love to mount the same export in the office 09:50 < clustermagnet> thats not working :( 09:52 -!- nobody999 [n=bla@89.246.131.77] has quit [] 09:52 < ecrist> clustermagnet: why not use MacFUSE or something similar? 09:52 -!- Gorkhaan [n=Administ@87.229.108.75] has joined ##openvpn 09:53 < ecrist> absolves the need for a VPN all together, really.
09:53 < ecrist> complicated != better 09:53 < clustermagnet> ecrist: macfuse, as in ssh mounts? 09:54 < clustermagnet> ecrist: now, there is a larger task, reason why it has to be NFS 09:54 < clustermagnet> essentially the NAS is configured to export the same files via CIFS and NFS :) 09:54 < clustermagnet> thats why i have to stick to NFS 09:54 < clustermagnet> in any case, do you know why i cant mount up NFS in such fashion? :) 09:54 < ecrist> nope 09:55 < clustermagnet> ecrist: you sure i can mount up NFS/CIFS with road warriors then? 09:55 < ecrist> don't know why you couldn't. 09:55 < ecrist> I do it here on occasion 10:00 < clustermagnet> ecrist: do you mount NFS or CIFS, or both 10:01 < ecrist> NFS 10:02 * dazo uses CIFS over VPN from time to time as well 10:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:05 < clustermagnet> dazo: ecrist thanks guys 10:08 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 10:13 < reiffert> well, CIFS was designed to play a role in LANs. 10:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:37 -!- randra [n=sleepkno@gw.riosulense.com.br] has quit [Read error: 104 (Connection reset by peer)] 10:41 < dvl> anyone seen a traffic shaper for Linux that limits incoming bandwidth? Say so your client doesn't upload more than 100KB/s for example. 10:41 < dvl> I'm *told* they exist only for outgoing connections. 10:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:45 < reiffert> dvl: so it is. 10:46 < reiffert> dvl: there is some ingress shaping concept but it doesnt work well as part of IP. http://lartc.org for better understanding. 10:46 < vpnHelper> Title: Linux advanced Routing & Traffic Control HOWTO (at lartc.org) 10:46 < reiffert> damn, thats linux.
10:47 < ecrist> dvl: pf can limit in both directions, works best with a bridging gateway with an inbound and outbound NIC 10:47 < ecrist> I've got a wiki page on it, let me find it 10:47 < dvl> reiffert: some people keep asking for traffic management as part of Bacula. Most devs say no, we won't do it. 10:47 < ecrist> http://www.secure-computing.net/wiki/index.php/Traffic_Shaping_with_pf/ALTQ 10:47 < vpnHelper> Title: Traffic Shaping with pf/ALTQ - Secure Computing Wiki (at www.secure-computing.net) 10:47 < dvl> ecrist: Yes, to pf, I know that solution, but this guy needs linux. 10:48 < ecrist> oh, linux FTL 10:48 < reiffert> dvl: http://lartc.org/howto/lartc.adv-qdisc.ingress.html 10:48 < vpnHelper> Title: Ingress qdisc (at lartc.org) 10:48 < ecrist> dvl, you could probably hack something together with a gif interface and limit traffic between eth0 and the gif 10:48 < reiffert> dvl: there is a nice and working approach: have a real interface and a virtual one. The ingress on the real interface is egress heading to the virtual one, and that one can be shaped. 10:49 < reiffert> dvl: was doing this once, let me get some details. 10:49 < ecrist> hah reiffert! I beat you to it. 10:49 * ecrist > reiffert (today anyway) 10:49 < dvl> reiffert: nice. 10:50 < reiffert> dvl: it's called imq 10:50 < reiffert> http://snap.reifferscheid.org/imq.sh.txt 10:51 < reiffert> well thats what's left in my projects/ folder, I remember it was working :) 10:52 < reiffert> and here is more about it http://lartc.org/howto/lartc.imq.html 10:52 < vpnHelper> Title: The Intermediate queueing device (IMQ) (at lartc.org) 10:52 < reiffert> ecrist: time to show up now. 10:53 * ecrist slinks away 10:54 < reiffert> dvl: I remember I had to try several kernel versions until I got a working module ... 10:54 < reiffert> dvl: back in 2.6.1x times. 10:57 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 11:01 < ecrist> dvl: bacula doesn't have a means to throttle backup bandwidth?
11:11 < dvl> ecrist: correct, by design. 11:22 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 60 (Operation timed out)] 11:22 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:23 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 11:24 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 11:25 -!- MMN-o [n=mmn@barjack.com] has joined ##openvpn 11:43 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 11:54 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."] 12:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:01 < ecrist> dvl, seems like a missing feature to me. 12:01 < ecrist> it uses rsync and similar protocols, doesn't it? 12:07 < dvl> ecrist: it does not. 12:29 -!- xattack [i=xattack@132.248.108.239] has quit [] 12:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:39 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:43 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has joined ##openvpn 12:43 < dgodfather> Hi to all 12:44 < ecrist> dvl, seems like a missing feature to me. 12:44 < dgodfather> i can't succeed configuring my openvpn i dont know why anymore. i read the articles and followed it 12:44 < ecrist> what articles? 12:45 < dgodfather> still can't. 
when i tried to use a tap interface and bridge it, it failed mostly because of the bridging itself 12:45 < dgodfather> ecrist, sorry bad choice of words, meant the tutorial in openvpn site 12:46 < dgodfather> and when trying to work with tun, i get the new network for the vpn connection but cant even ping between hosts with that address 12:46 < dgodfather> can you please help me, it's very important and please guide me with what ever you need for that 12:46 < dgodfather> i will supply all relevant files and configurations i have 12:47 < dgodfather> except the .key .crt files etc :) 12:47 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:47 < ecrist> read channel topic 12:47 < dgodfather> i wasted my whole day on that and still it doesn't work 12:47 < dgodfather> yeh i see you need configs and logs 12:48 < dgodfather> where are the logs? 12:48 < ecrist> ::gran:: 12:48 < ecrist> !logs 12:48 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:48 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 12:48 < ecrist> !configs 12:48 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:48 < dgodfather> i am exactly now pasting the .conf files 12:48 < dgodfather> OK that will take a few 12:49 < dgodfather> Linux debian 2.6.26-1-amd64 12:49 -!- xattack [n=xattack@132.248.108.239] has joined ##openvpn 12:52 < dgodfather> ecrist, server.conf -> http://pastebin.com/m4b287db3 12:55 < ecrist> dgodfather, with tun, were you able to get a working VPN, where the client could connect to and ping the VPN server?
12:56 < dgodfather> nope 12:56 < dgodfather> it can't even ping the server 12:56 < dgodfather> sending the client config 12:56 < dgodfather> client config -> http://pastebin.com/m6740ba0e 12:57 < dgodfather> though i got to say it doesn't feel too good exposing the whole structure of my vpn 12:57 < ecrist> lol, you're nothing special 12:57 < ecrist> you're not revealing anything that couldn't be found out in other ways 12:57 < dgodfather> yeh i know and yet many people just like to ruin other peoples lives for fun 12:58 < dgodfather> true, that is because i am trying not to :) 12:58 < ecrist> first problem, dev needs to match between client and server 12:58 < ecrist> your client config show tap, server config tun 12:58 < dgodfather> they are both dev tun 12:58 < dgodfather> ohhhhh well it was changed now 12:58 < dgodfather> sec let me check again 12:58 < ecrist> well, then pastebin.com changed it on you 12:59 < dgodfather> nope, i changed it trying to make things work from one form to the other 13:00 < dgodfather> last time i forgot to return it, nonetheless still i cant ping the server 13:00 < dgodfather> by the way the debian is for the server 13:00 < ecrist> now, you could have changed the remote address to not reveal that. ;) 13:00 < dgodfather> the client is on windows 13:00 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has joined ##openvpn 13:00 < ecrist> I gathered that part. 13:00 < dgodfather> ohhhhhhh shit 13:00 < dgodfather> well i will change that 13:00 < ecrist> too late 13:01 < dgodfather> ecrist, well you are kind of making me worry 13:01 < ecrist> lol 13:01 -!- Gorkhaan [n=Administ@87.229.108.75] has quit [Read error: 110 (Connection timed out)] 13:01 < dgodfather> well how can i make my vpn work? 13:02 < ecrist> dgodfather: with the client config set to tun, your client should be able to connect, if the local statement in your server config and your server-side firewall are setup correctly 13:02 < ecrist> why do you have local ?
13:02 < dgodfather> what do you mean my local statement?
13:02 < dgodfather> ohhhhhh just because i tried that too.
13:02 < ecrist> line one of your server.conf: local 192.168.2.100
13:02 < dgodfather> remove it?
13:03 < ecrist> yes
13:03 < ecrist> and restart openvpn on the server
13:04 < dgodfather> OK, still no ping
13:04 < ecrist> hang on. I didn't tell you to connect yet, did I?
13:05 < dgodfather> no you didn't
13:05 < dgodfather> disconnected
13:05 < ecrist> after a restart, is openvpn on the server listening to the public IP of the server?
13:06 < dgodfather> well i am behind a router so i guess it should be listening to the router address?
13:06 < dgodfather> and how do i establish if that is the case?
13:08 < dgodfather> ecrist, are you here?
13:09 < ecrist> dgodfather: yes, I'm here, but I have a job that pays me to be somewhere else, too. be patient
13:09 < dgodfather> it's OK, i am waiting just didn't know where you went
13:09 < ecrist> dgodfather: is your openvpn server on a machine physically behind your LAN gateway?
13:10 < dgodfather> yes
13:11 < ecrist> ok, do you have a proper port-forwarding rule setup on your internet gateway to redirect udp port 1194 to your openvpn server?
13:12 < dgodfather> yes
13:13 < dgodfather> otherwise the client will not have been able to successfully connect
13:22 -!- Federico2 [n=Fede@193.200.193.239] has quit ["Leaving"]
13:25 < ecrist> you didn't tell me it successfully connected.
13:27 < dgodfather> yes i did, i said it's connected only it doesn't ping the server
13:27 < dgodfather> and the server can't ping it as well
13:28 < ecrist> 13:04 < dgodfather> OK, still no ping
13:28 < dgodfather> yep no ping
13:28 < dgodfather> what do i do to make it work
13:28 < dgodfather> ?
13:28 < ecrist> I need to see your client logs
13:28 < dgodfather> where can i find them?
13:29 < ecrist> !logs
13:29 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
13:29 < dgodfather> yes well it doesn't really give me the location does it?!
13:29 < dgodfather> but i found them
13:30 < dgodfather> it's in the logs directory of the installation in windows
13:33 < dgodfather> ecrist, http://pastebin.com/m3963e177
13:34 < ecrist> dgodfather: is that a recent log?
13:34 < ecrist> says 6:55AM today
13:35 < ecrist> not sure what timezone you're in
13:35 < dgodfather> sec
13:35 < dgodfather> im from israel
13:36 < ecrist> ok
13:37 < dgodfather> i will send another one which i think is the correct one
13:37 < dgodfather> sorry for the hassle
13:37 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has left ##openvpn []
13:37 < dgodfather> http://pastebin.com/m27b473b8
13:38 < ecrist> still shows you using a tap device
13:38 < ecrist> thought we were doing tun here.
13:39 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
13:39 < dgodfather> wait i changed it. you know what, i am deleting all log files reconnecting and sending you the log
13:40 < ecrist> I'm sorry, but I've gotta get back to some of my own work. I'll be on still in about an hour, if you wait, otherwise someone else can help you.
13:40 < dgodfather> well i will be here in an hour then thank you
13:40 < dgodfather> unless someone else wants to help me?
13:48 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
13:54 < krzee> whats the problem?
13:54 < krzee> if it doesnt take long ill help
13:54 < krzee> (im on vacation)
13:55 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
13:55 < krzee> looks like you cant connect, or can connect but no ping
13:55 < krzee> (from a quick scroll-up)
13:56 < krzee> dgodfather
13:58 < dgodfather> krzee, YES SORRY
13:58 < dgodfather> krzee, yes i connect but no ping
14:00 < dgodfather> it's very important to me cause it's for school stuff. i want any remote connection to my pc to be secure and heard openvpn is very much so
14:00 < dgodfather> but i can't succeed in making it work for me. not tun nor tap configuration
14:00 < dgodfather> krzee, are you still here?
14:03 -!- QWToo [n=Quiescen@c-71-203-12-201.hsd1.fl.comcast.net] has quit [Remote closed the connection]
14:18 < krzee> !logs
14:18 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:18 < krzee> !configs
14:18 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:19 < krzee> so the goal is to access files on your home server while outside the house
14:19 < krzee> possibly to upload homework, that sort of thing...
14:20 -!- xattack [n=xattack@132.248.108.239] has quit []
14:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:47 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has joined ##openvpn
14:47 < MTecknology> anybody have experience setting up ovpn on pfsense?
14:57 < krzee> MTecknology, isnt pfsense just freebsd bundled with some tools and a web gui?
14:59 -!- boneybastard [n=bny@81-235-226-119-no91.tbcn.telia.com] has quit []
15:01 < dgodfather> krzee, hi,
15:02 < ecrist> krzee: yes.
15:02 < ecrist> MTecknology: see here:
15:02 < ecrist> !freebsd
15:02 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
15:02 < dgodfather> krzee, not only, i need to give access to a friend to my network
15:02 < dgodfather> ecrist, hi
15:02 < dgodfather> would you like to help me now?
15:03 < dgodfather> ecrist, keep on going where we stopped
15:04 < ecrist> dgodfather: switch your server and client back over to tun
15:04 < dgodfather> ecrist, they are in tun
15:04 < dgodfather> i can send the latest log
15:04 < ecrist> you've got about 10 mins before I go out to the living room and grab a beer.
15:04 < ecrist> please do so
15:05 < dgodfather> client log -> http://pastebin.com/m686a6c80
15:05 < ecrist> ok, from the client, you should be able to ping 10.8.0.1
15:06 < dgodfather> ecrist, well i can't
15:06 < ecrist> then the server has a firewall, blocking the traffic
15:06 < dgodfather> i get request timed out
15:07 < ecrist> on the server, what are the contents of openvpn-status.log?
15:07 < dgodfather> i will delete all firewall rules
15:08 < dgodfather> http://pastebin.com/m76b7a3f
15:09 < ecrist> ok, without the firewall rules, does ping work?
15:10 < dgodfather> well b4 it didn't now it does
15:10 < dgodfather> that's good but that is not all
15:10 < ecrist> ok, now what?
15:10 < dgodfather> my lan has different ip
15:10 < krzee> hah now he posts those
15:11 < krzee> i was waiting for !logs !configs for awhile
15:11 < dgodfather> i want my server address processes to be available to someone connected from the vpn
15:11 < ecrist> krzee: it's been an up-hill battle
15:11 < dgodfather> say my ip is 192.168.2.100
15:11 < krzee> i see
15:11 < dgodfather> my vpn ip is 10.8.0.1
15:11 < krzee> dgodfather,
15:11 < krzee> !route
15:11 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:12 < krzee> or is the server process on the same machine?
15:12 < dgodfather> it is on the same machine
15:12 < dgodfather> on the server of the ovpn
15:12 < ecrist> dgodfather: the server running openvpn is the system with the files you want to share, right?
15:13 < dgodfather> yes
15:13 < ecrist> then you don't need to worry about the other network
15:13 < dgodfather> and processes i want to share access to
15:13 < krzee> push a route
15:13 < ecrist> if they're all on the vpn server, then that's all you need.
15:14 < krzee> then you will be able to access it by lan ip of vpn server over the vpn
15:14 < dgodfather> now isn't it better and more correct to use tap and bridging?
15:14 < ecrist> dgodfather: not if everything you want to share is on the vpn server
15:14 < krzee> negative
15:14 < krzee> !tunortap
15:14 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
15:14 < ecrist> tap is for ethernet protocols, tun is for IP protocols
15:14 < dgodfather> i will be able to use the 192.168.2.100 from the 10.8.0.6 client?
15:14 < ecrist> NO
15:14 < ecrist> use 10.8.0.1
15:14 < krzee> if you push a route
15:15 < dgodfather> wait if i push a route i can use 192.168.2.100 and if not i can use 10.8.0.1 only but it's the same result?
15:15 < krzee> if the route is pushed, i think he can access either interface, more correct is to access 10.8.0.6
15:16 < krzee> assuming firewall allows and ip_forward is enabled
15:16 -!- MTecknology [n=MTecknol@unaffiliated/mtecknology] has left ##openvpn [""http://profarius.com/""]
15:16 < dgodfather> but a push is towards the client not other way around isn't it?
15:16 < krzee> right, the client needs the route to server's lan ips
15:16 < krzee> so the server pushes the route to the client
15:17 < krzee> as if you were going to access the lan behind the vpn server
15:17 < dgodfather> so the server pushes the route to the client, and the client can now use the 192.168.2.100 to access the server
15:18 < dgodfather> great thank you guys
15:18 < dgodfather> you were a big help
15:18 < krzee> np
15:19 -!- dgodfather [n=dgodfath@bzq-79-179-78-211.red.bezeqint.net] has quit ["Leaving"]
15:20 < ecrist> *bang* *bang*
15:21 * ecrist drinks beer
15:29 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
15:29 < Rawplayer> !bridge
15:29 < vpnHelper> Rawplayer: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
15:29 < vpnHelper> Rawplayer: where the protocol uses MAC addresses instead of IP addresses.
15:29 < Rawplayer> !alive
15:29 < vpnHelper> Rawplayer: Error: "alive" is not a valid command.
15:29 < Rawplayer> hey, i have freebsd with openvpn(works fine)
15:30 < Rawplayer> but for some reason i wont get the default gw pushed
15:30 < Rawplayer> the thing is, the tap0 interface and a physical interface are in bridge1
15:30 < krzee> you're bridging?
15:30 < krzee> ya you dont push gateway like that in bridge mode
15:30 < Rawplayer> the only ip i have used is on bridge1
15:31 < krzee> why are you using bridge?
15:31 < Rawplayer> to connect my wifi network to my wired network
15:31 < Rawplayer> and to use windows networking in a nice way
15:31 < Rawplayer> but that is not the point
15:32 < Rawplayer> how can i get a gateway on my client?
15:32 < krzee> hah
15:32 < krzee> bridging in same lan with openvpn?
15:32 < Rawplayer> yes
15:33 < krzee> using same ips as wired lan?
15:33 < Rawplayer> yes, the same subnet
15:33 < krzee> err same subnet
15:34 < Rawplayer> i was thinking about setting up a normal dhcp server instead of using the dhcp from openvpn
15:34 < krzee> then you shouldnt need to push any gateway
15:34 < Rawplayer> krzee: sure i do, how can i otherwise get on the internet
15:34 < Rawplayer> with my clients
15:34 < krzee> let it get its ip from the lan dhcp server
15:37 < krzee> http://openvpn.net/index.php/documentation/install.html?start=1#dhcp
15:37 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
15:37 < krzee> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP
15:39 < Rawplayer> krzee: so the push default-gateway is only for routed mode?
15:39 < krzee> im not very familiar with bridging, haven't done it in a long time, but you should be able to add a route with bridged mode too
15:39 < krzee> you would just use the route command on the client
15:41 < krzee> you would just use something like route 0.0.0.0 192.168.2.1
15:52 -!- infinity_ [i=brendon@saleen.netcal.com] has joined ##openvpn
16:25 -!- c64zottel [n=hans@p5B179038.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
16:42 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
17:08 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
17:09 < MrTelephone> anyone have trouble with windows machines losing openvpn connection and when it tries to reauthenticate it is using the default gateway of the stale TAP32 adaptor?
17:12 < infinity_> can someone help get around this error?
17:12 < infinity_> http://pastebin.com/m12f4bada
17:21 -!- tomfmason [n=tom@unaffiliated/tomfmason] has quit [Read error: 110 (Connection timed out)]
17:30 -!- MrTelephone [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 60 (Operation timed out)]
17:34 -!- thewolf [n=rowan@67.207.129.26] has left ##openvpn ["WeeChat 0.2.6"]
17:46 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has joined ##openvpn
18:33 -!- test [n=test@S0106002129d2ee33.ls.shawcable.net] has quit [Read error: 110 (Connection timed out)]
18:44 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has joined ##openvpn
18:46 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
18:47 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
19:09 -!- renic [n=notneces@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit [Client Quit]
19:10 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
19:10 -!- Netsplit over, joins: jfkw
19:15 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:18 -!- renic_ [n=notneces@66-208-213-195.ubr01b.glst3401.nj.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
19:20 < ecrist> infinity_: it looks like you've got an invalid server certificate.
19:48 < mepholic> guess wat dshocker comin'
19:52 < dvl> eh?
19:52 -!- Huza [n=kvirc@78.96.46.99] has joined ##openvpn
20:10 < infinity_> ecrist: i got past that
20:10 < infinity_> ecrist: finally... and now i can't ping through the openvpn server
20:11 < infinity_> i can ping the lan interface, but not other computers. not sure what the problem is yet
20:11 < infinity_> i checked ip_forward and i added a route to the shitty netopia.
20:34 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
20:42 < infinity_> think i got it
20:44 -!- mepholic_ [n=mepholic@209.17.190.90] has joined ##openvpn
20:56 -!- mepholic [n=mepholic@209.17.190.90] has quit [Remote closed the connection]
20:56 < krzee> infinity_,
20:56 < krzee> !route
20:56 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:04 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has joined ##openvpn
21:04 -!- blako [n=chatzill@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 54 (Connection reset by peer)]
21:05 < rickb|server> Hello, I am trying to create a new vpn server, I don't know the port for management and there was nothing in the documentation about it. I need that to give webmin control over clients. Any ideas?
21:06 -!- rickb|server [i=rickb@cpe-24-166-74-28.neo.res.rr.com] has quit [Client Quit]
21:11 < infinity_> any idea how to do netbios DNS without doing bridge mode
21:29 < krzee> infinity_, WINS
21:29 < krzee> which i recommend over bridging
21:31 < infinity_> krzee: ack. i don't have a wins server
21:32 < infinity_> maybe i'll just do hosts file
21:32 < infinity_> anyway, once i disconnect, when i reconnect, i can't ping through the vpn. i have to reboot the winXP box (vpn client)
21:33 < krzee> linux samba server?
21:34 < infinity_> krzee: yea. possibly.
21:34 < krzee> has wins server built in
21:34 < infinity_> anyway. any idea whats up with this stale vpn connection
21:35 < infinity_> i just rebooted the xp box. going to see if i can ping
21:36 < infinity_> when it doesn't work, it takes a long time for the client to get an IP
21:36 < infinity_> yup. doesn't work. very strange.
21:38 < infinity_> oh weird. the vpn client said it gave me an ip, but ipconfig says 0.0.0.0
21:42 < infinity_> thats weird. a bunch of automatic services aren't running on my windows client
21:43 < infinity_> strange
21:43 < infinity_> works now :) wonder if its SP3 related
21:52 < ecrist> windows is the debil
21:53 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has joined ##openvpn
21:59 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:01 -!- ykut_johny1 [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
22:21 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: jfkw
22:21 -!- Netsplit over, joins: jfkw
22:40 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
22:43 < ecrist> oh, and evening fuckers
22:47 -!- mRCUTEO [i=info@58.26.212.3] has joined ##openvpn
22:47 < mRCUTEO> hiya all :D
22:48 -!- mRCUTEO [i=info@58.26.212.3] has quit [Client Quit]
23:05 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
23:06 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
23:06 -!- rmull [n=rmull@acsx02.bu.edu] has joined ##openvpn
23:07 < rmull> Hi gents, I see the crowd hasn't changed much :D
23:08 < tjz> darn
23:08 < tjz> yea
23:09 < tjz> 50% of them should be robots
23:09 < tjz> oh, and evening fuckers <-- LOL
23:09 < rmull> I used to be around these parts a lot during the summer
23:10 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:20 < ecrist> yeah you did.
23:20 < ecrist> how goes, rmull?
23:24 < rmull> ecrist: yoyo!
23:24 < rmull> It goes well.
23:24 < rmull> Busy busy with school.
23:24 < rmull> How about yourself?
23:27 -!- prxtien [n=proleone@ppp121-45-69-101.lns10.adl6.internode.on.net] has quit [Read error: 110 (Connection timed out)]
23:35 < ecrist> busy busy with work, and life in general
23:36 < ecrist> omw to bed now. been working on a server OS upgrade since 9PM
23:36 < ecrist> FreeBSD 6.3->7.1, + 9 jails to update
23:36 < ecrist> mergemaster can be a bitch
23:38 < ecrist> well, g'night folks
23:38 < ecrist> see you tomorrow
23:40 < rmull> Have a good one
23:40 < rmull> I'm off to hit the hay too.
23:45 -!- mepholic_ is now known as mepholic
--- Day changed Fri Jan 30 2009
00:10 -!- mepholic [n=mepholic@209.17.190.90] has quit ["Leaving"]
00:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:43 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:48 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
00:49 < metbsd> reiffert: hi
00:49 < metbsd> can you explain to me again about yesterday's problem?
00:51 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
01:03 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
01:15 < huslu> i'm seeing that ovpn for the --up script doesn't pass correct 'remote_1' variable
01:16 < huslu> both 'local_1' and 'remote_1' are the same (but they shouldn't as configuration defines them different)
01:16 < huslu> known bug?
01:22 < krzee> ive never seen those, you got them from the manual?
01:22 < krzee> !man
01:22 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:52 < reiffert> moin
01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:43 -!- Huza [n=kvirc@78.96.46.99] has quit ["When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net"]
03:32 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has joined ##openvpn
04:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:15 -!- whits_ [n=jim@jim.505.ru] has quit ["leaving"]
04:16 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
04:17 < ScribbleJ> Hey folks, been using openvpn forever, love it to death. This is not absolutely an openvpn question - I set up a new openvpn server, but found I could not connect with --float because it responds on udp 1024 instead of 1194. Any ideas why?
04:21 < ScribbleJ> I'm sorry, could not connect /without/ --float. tcpdump on server indicates the packets go out as port 1024; not like a firewall in-between is munging them.
05:20 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
06:03 -!- int [n=quassel@int.matrixtelecom.net] has quit [SendQ exceeded]
06:25 -!- int [n=quassel@wikia/int] has joined ##openvpn
06:37 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:39 < c64zottel> hello
06:40 < c64zottel> i have some trouble reaching the server's wins-server through openvpn
06:41 < c64zottel> i found some information about it, but is there a detailed tutorial around the internet?
06:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:49 -!- zheng [n=zheng@218.82.136.169] has joined ##openvpn
06:57 < ecrist> morning, bitches
07:02 < c64zottel> morning ecrist
07:19 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has joined ##openvpn
07:51 < ecrist> man, I LOVE CARP (Common Address Redundancy Protocol)
07:51 < ecrist> instant failover support
07:51 < ecrist> zero downtime
07:55 -!- zheng_ [n=zheng@218.82.143.81] has joined ##openvpn
07:59 -!- zheng [n=zheng@218.82.136.169] has quit [Read error: 60 (Operation timed out)]
08:47 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has joined ##openvpn
08:47 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
08:48 -!- Some_ux [n=chatzill@bzq-79-176-16-20.red.bezeqint.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
09:14 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:24 < reiffert> c64zottel: reaching by ping ip works?
10:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:27 < c64zottel> reiffert: thx, i solved it
10:27 < reiffert> what was it? Config of WINSS?
10:28 < c64zottel> i think a couple of things, first the config, then there are few master-browsers in the lan, and i can just see them
10:28 < c64zottel> and broadcasts are not routed
10:28 < c64zottel> but, another question
10:28 < reiffert> broadcast relay, comes with pptp
10:29 < c64zottel> how can i configure my smbtree to use a special wins-server only?
10:29 < reiffert> it's part of a dhcp option.
10:29 < reiffert> option netbios-name-servers ip-address [, ip-address...];
10:30 < reiffert> The NetBIOS name server (NBNS) option specifies a list of RFC
10:30 < reiffert> 1001/1002 NBNS name servers listed in order of preference. NetBIOS
10:30 < reiffert> Name Service is currently more commonly referred to as WINS. WINS
10:30 < reiffert> servers can be specified using the netbios-name-servers option.
10:30 < reiffert> or to speak in openvpn:
10:30 < c64zottel> i am just using linux
10:30 < reiffert> --dhcp-option WINS addr
10:30 < c64zottel> the option is pushed
10:30 < c64zottel> but how can i use it under linux?
10:30 < reiffert> set it in a file
10:30 < reiffert> have smb.conf include that file
10:30 < reiffert> ; wins server = w.x.y.z
10:31 < c64zottel> i did that
10:31 < reiffert> have a shell script write the setting into that file
10:31 < reiffert> done
10:31 < c64zottel> but its not working
10:31 < reiffert> it's not working aint no error message.
10:31 < c64zottel> ok, i will check it
10:31 < reiffert> be sure to run a broadcast relay.
10:33 < c64zottel> its not working, i can see via tshark that the msg reaches the server
10:34 < c64zottel> and that is all the server responds with: 4525.613222 10.23.0.1 -> 10.23.0.2 NBNS Name query response unknown
10:34 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
10:35 < c64zottel> may that be a problem with the firewall? ... but when i shut down the local wins-server here, i can smbtree over the ovpn without problems
10:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:40 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 < ecrist> fyi, I'm taking my website down for a few minutes to upgrade freebsd 6.3 to 7.1
10:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:02 < ecrist> ugh
11:02 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Connection timed out]
11:03 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn
11:11 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
11:24 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
11:30 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has joined ##openvpn
11:32 < hellham> good morning all, im new to openvpn, what is the best new user tutorial for both unix/linux and windows? for someone who knows very little? thank you
11:40 -!- hellham [n=Larson50@adsl-69-226-96-61.dsl.skt2ca.pacbell.net] has quit ["thanks for your time"]
11:47 < c64zottel> i have written in my config file push "dhcp-option WINS 10.23.0.1"
11:47 < c64zottel> whereas 10.23.0.1 is my openvpn-tunnel end to server, its a routed tap device
11:47 < c64zottel> but it has no effect on windows
11:47 < ecrist> but, is your openvpn-tunnel server also a WINS server?
11:47 < c64zottel> i guess its because there is a master-browser around here
11:47 < c64zottel> ecrist: it is
11:49 < c64zottel> is there a way to enter the wins server manually
11:49 < c64zottel> question-mark
11:54 < c64zottel> ok, i found it
11:54 < c64zottel> but now it is just showing the network. openvpn
11:55 < c64zottel> which is the domain of my ovpn-server
11:55 < c64zottel> and the domains behind the ovpn server are still hidden
12:11 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:11 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit]
12:18 < ikarius> oops. I just blowed up my home linux server's networking. guess I won't get openvpn properly set up today
12:18 < ikarius> ... damn me for misconfiguring bridging.
12:22 < ikarius> and for not reading the docs completely before editing /etc/network/interfaces
12:23 < ikarius> ok, so I've got a question about OpenVPN in the meantime
12:23 < ikarius> if I set up bridging/tap.... will clients automatically get IPs from the DHCP server on the subnet?
12:26 < dazo> ikarius: VPN clients no ... local clients yes
12:27 < ikarius> ok, so then I'd need to set the openvpn up to operate as a DHCP server?
12:27 < ikarius> to the VPN clients?
12:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:30 < dazo> ikarius: if you use ifconfig-pool or whatever the right option is again ... you'll have that automatically
12:30 < ikarius> ah, ok
12:31 < dazo> ikarius: openvpn will be the DHCP "server" for VPN clients only .... and the real DHCP server on your local net just needs to be told to stay away from the IP range you've given to openvpn
12:31 < ikarius> ok
12:32 < ikarius> I'll just double check the bootp range set on the DHCP server and set something different for the ovpn DHCP range
12:33 < ikarius> also... there's no reasonable way to set up DNS so that if I'm on some local network, which has a local DNS server, when I connect to ovpn, I use a DNS server across the VPN *only* for a particular domain, is there?
12:34 < ikarius> ... I think that's not configurable with out-of-the-box DNS resolver libraries on most OSes
12:35 < dazo> ikarius: nope, nafaik
12:37 < ikarius> k. that's what I thought. It's suboptimal, but it's rather a limitation of the OSes. To work around it the ovpn client would need to pretend to be a DNS server, look at requests, and forward them to the desired DNS server
12:37 < ikarius> and you probably aren't interested in building that functionality into the ovpn client
12:42 < ScribbleJ> Hey, any tips/ideas/pointers on why my Openvpn UDP server responds with a source port of 1024 rather than 1194 (causing my clients to require --float to successfully connect)? port option in server config is 1194 as expected.
12:43 < ScribbleJ> I confirmed via tcpdump it's happening on the server machine itself; not like a device in-between the client and server that nats the ports.
12:57 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
13:00 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:41 < c64zottel> every time when i try to resolve netbios names i get:
13:41 < c64zottel> name_query failed to find name SOMENAME
13:41 < c64zottel> does it look like a routing problem or more a problem with the samba proxy server?
13:42 < ecrist> c64zottel: this isn't #NetBIOS
13:42 < ecrist> sorry
13:42 < c64zottel> true
13:43 < c64zottel> but there is no netbios...
13:44 < ecrist> 13:41 < c64zottel> every time when i try to resolve netbios names i get:
13:45 < ecrist> just don't want you to be like others and become a PITA when we don't know/don't care to answer your netbios questions.
13:46 < c64zottel> i meant, there is no channel, i thought it is maybe a routing problem and OpenVPN, but ok, i try #samba
13:48 -!- ohzie [n=ohzie@24.174.3.123] has quit [Read error: 110 (Connection timed out)]
13:48 -!- ohzie [n=ohzie@24.174.3.123] has joined ##openvpn
14:13 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
14:14 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
14:18 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
14:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit []
14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
14:36 < dazo> ecrist: pm
14:40 -!- dazo [n=dazo@nat/redhat/x-5b79a3572794935f] has quit ["Leaving"]
16:00 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:02 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: worch, c64zottel, ScribbleJ, temba
16:02 -!- Netsplit over, joins: temba, ScribbleJ, c64zottel, worch
16:13 -!- Kreg-Work is now known as soberbit
16:17 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
16:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:41 < krzee> !route
16:41 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:47 < krzee> !factoids search wins
16:47 < vpnHelper> krzee: No keys matched that query.
16:47 < krzee> !factoids search lin
16:47 < vpnHelper> krzee: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt'
16:47 < krzee> !samba
16:47 < vpnHelper> krzee: "samba" is (#1) http://openvpn.net/faq#samba-routing for using samba with a routed tun, or use NETBIOS with a bridge, or (#2) http://www.openvpn.net/howto#samba if you run samba on linux and use tun mode
16:50 < krzee> !learn shorewall as http://www.shorewall.net/OPENVPN.html to see about running OpenVPN on Shorewall firewalls.
16:50 < vpnHelper> krzee: Joo got it.
16:52 < krzee> !learn wins as http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:52 < vpnHelper> krzee: Joo got it.
16:57 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
17:00 -!- Janos [n=cramos@190.10.52.104] has joined ##openvpn
17:01 < Janos> hey there, anyone know if it's possible to assign static ip address using ifconfig-push and client-config-dir directives in a bridged openvpn environment, the example only mentions tun servers and i can't get it to work
17:10 < Janos> or any other way to assign a static ip address in an openvpn bridged environment
17:14 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
17:23 < krzee> why are you bridging?
17:27 < reiffert> because routing is boring.
17:28 < Janos> nvm i found the problem, ifconfig-push and client-config-dir do work you just have to add the client directive to the client file so it pulls the config from the server :)
17:28 < krzee> actually, pull
17:28 < krzee> which is implied along with other stuff by client
17:28 < Janos> i'm bridging because i want my vpn user to be on the same network as my internal network
17:29 < Janos> yeah pull not pulls, syntax error :P
17:30 < krzee> you're using layer2 protocols over the vpn (besides netbios for windows shares)?
17:31 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
17:32 < Janos> pretty much every windows software uses broadcast to do everything ( go figure ) so yeah that's the reason, besides, why not ?, it works great, i do use tun for lan to lan vpns though
17:34 < krzee> umm
17:34 < krzee> windows needs broadcasts for normal stuff other than NetBios?
17:34 < Janos> so most of the time i have bridged server for users and a routed server for remote offices
17:35 < krzee> interesting
17:35 -!- c64zottel [n=hans@p5B17AD50.dip0.t-ipconnect.de] has quit ["Leaving."]
17:35 < krzee> thats extra overhead that you likely dont need to use
17:35 < krzee> but you sound comfortable with it
17:35 < krzee> and sounds like you know how to use it well
17:36 < reiffert> moin
17:36 < reiffert> hi krzee
17:36 < krzee> remember you open your network up to layer2 vulns over the bridges when you design your network
17:36 < krzee> wassup reiffert!
17:36 < krzee> moin moin
17:36 < reiffert> yeah, moin moin!
17:36 < reiffert> how is life?
17:39 < Janos> well yeah i've been using ovpn for a long time so i know my way around, and yes you might have a point that there is no need to use bridged mode, but i'm pretty sure a lot of things will stop working on the MS world, so i guess i'll give it a try and let you know the details :)
17:39 < krzee> nah main thing is just NetBios
17:39 < krzee> which you use WINS for
17:39 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
17:39 < krzee> the broadcasts is how windows deals with not having a WINS server to contact
17:39 < Janos> yeah but most of the time you don't even have a wins server
17:39 < krzee> reiffert, very good
17:40 < reiffert> krzee is right.
17:40 < krzee> Janos, right, but you save overhead by having one
17:40 < krzee> and if you use samba, it is SIMPLE
17:40 < krzee> !wins
17:40 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:40 < reiffert> there is broadcast relay
17:40 < reiffert> it's a software
17:40 < reiffert> it comes with pptp
17:40 < krzee> that too
17:40 < krzee> although quite often just WINS is good enough for your avg people
17:41 < reiffert> !learn broadcast-relay as it's a software that comes with pptp. use it when needing wins/samba and/or broadcasts.
17:41 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
17:41 < reiffert> fuck u
17:41 < krzee> in fact i know of people that recommend using WINS even if bridging
17:42 < krzee> !learn broadcast-relay as a software that comes with pptp. use it in tun mode when needing broadcasts, and WINS isnt enough.
17:42 < vpnHelper> krzee: Joo got it.
17:47 < Janos> krzee: i agree if you are the one that designed the whole network things would be very nice, i have a samba running as DC with an LDAP backend replicated to other 5 remote samba servers, centralized auth for proxy, mail, windows and linux logons, wins server (sadly it can't be replicated yet), dns, dhcp, ddns and much more :). But most of the time people don't know what they are doing and are afraid to change anything so telling them that you will have to
17:47 < Janos> add a netbios-name-servers option to their dhcp server scares them to hell
17:48 < Janos> that assuming they have a dhcp server :)
17:49 < Janos> so the simple vpn server project that cost $x ends up costing $xxx cuz you had to redesign their whole network
17:50 < krzee> once you are vpn'ed in you should be able to make that change :-p
17:52 < Janos> lol yeah well like i said i'll give it a try and let you know the details
17:55 < Janos> later thanks for the help
17:55 -!- Janos [n=cramos@190.10.52.104] has quit ["Ex-Chat"]
18:04 < reiffert> you are typing way too fast for mee...
18:04 < reiffert> ah, he quit. next.
18:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:08 < reiffert> next
18:40 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:45 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
18:48 < downhill_> Why would dropping the permissions after the daemon starts (config options "user nobody" and "group nogroup") on a Debian host cause me to get the error MULTI: bad source address from client ... packet dropped?
18:49 < downhill_> And actually, everything works fine on the LAN-side if I use an IP of .6, instead of the configured .21. Anybody have any idea what might be going on?
18:50 < downhill_> (that's with the permissions dropped. not dropping them allows everything to work as it should)
18:51 < reiffert> downhill_: the prior got nothing to do with dropping permissions.
18:52 < downhill_> but it doesn't happen when I don't drop permissions.
18:52 < downhill_> please elaborate.
18:53 < reiffert> sorry, gone to bed.
18:54 < downhill_> >.<
19:00 -!- toretore [n=toretore@114.66.72-86.rev.gaoland.net] has quit ["Ex-Chat"]
19:04 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection]
19:28 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
19:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)]
20:06 -!- zheng_ [n=zheng@218.82.143.81] has quit ["Leaving"]
20:43 < ScribbleJ> Hah
20:43 < ScribbleJ> Downhill, I suspect you are having the same issue as me.
20:43 < ScribbleJ> Well, more or less.
20:43 < ScribbleJ> You are using UDP, not TCP.
20:44 < ScribbleJ> You need to take a look at your network traffic - while you are trying to connect to .21, the replies are coming from another address than that, I bet, and your client wants to reject them because it's not where they should be coming from
20:45 < ScribbleJ> If it's not another IP, I bet it's an odd source port (I had the first problem, now I moved on to the second, personally)
20:49 < downhill_> ScribbleJ; TCP
20:50 < downhill_> I'm using TCP, and yeah, I can take a more in-depth look, but it still doesn't explain why dropping the privs causes this.
20:51 < downhill_> uncommenting "user nobody" and "group nogroup" makes it happen, commenting them fixes it. you can't possibly tell me it's unrelated :)
20:51 < ScribbleJ> Haaa, suppose I can't
20:51 < ScribbleJ> I wonder if that would solve my problem.
20:52 < ScribbleJ> I'm stumped - I'm using UDP and right now if I connect, let's say clientip:clientsource -> vpnserver:1194 I'd expect the traffic back to look like vpnserver:1194 -> clientip:clientsource
20:52 < ScribbleJ> But it does /not/; the traffic back all has a source port of 1024.
20:53 < downhill_> interesting
20:53 < downhill_> at this very moment I can't look, but thanks for the tip :)
20:53 * downhill_ scribbles a note
21:27 -!- [intra]lanman [n=Raymond@99-196-39-200.cust.wildblue.net] has joined ##openvpn
21:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
23:49 -!- ohzie [n=ohzie@24.174.3.123] has quit ["Leaving"]
--- Day changed Sat Jan 31 2009
00:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:04 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection]
02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:23 -!- c64zottel [n=hans@p5B178936.dip0.t-ipconnect.de] has joined ##openvpn
03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:00 < ropetin> Evenin'!
04:01 < downhill_> heya
04:02 < ropetin> How's it going in here lately? It's been FOREVER since I managed to get on IRC
04:25 -!- bandini [n=bandini@host64-111-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
04:33 -!- MMN-o [n=mmn@barjack.com] has quit [Read error: 145 (Connection timed out)]
04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
04:36 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
05:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
05:45 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"]
05:48 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:29 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:45 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
07:46 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
08:06 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
08:14 < ecrist> fuckers
08:17 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has joined ##openvpn
08:17 < tjz> hi
08:22 < tjz> Hello
08:22 < tjz> anyone...
09:14 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:31 -!- bsdbandit [n=chuckban@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
10:25 -!- tjz [n=tjz@bb121-7-62-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
11:42 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
11:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: tarbo2, infinity_
11:51 -!- Netsplit over, joins: infinity_
11:52 -!- Netsplit over, joins: tarbo2
12:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
--- Log closed Sat Jan 31 13:04:12 2009
--- Log opened Sat Jan 31 18:54:15 2009
18:54 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
18:54 -!- Irssi: ##openvpn: Total of 43 nicks [0 ops, 0 halfops, 0 voices, 43 normal]
18:54 -!- Irssi: Join to ##openvpn was synced in 1 secs
19:08 < ecrist> fuckers
--- Log closed Sat Jan 31 19:44:41 2009
--- Log opened Sat Jan 31 22:27:41 2009
22:27 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
22:27 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal]
22:27 -!- Irssi: Join to ##openvpn was synced in 1 secs
22:46 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
22:47 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 60 (Operation timed out)]
--- Day changed Sun Feb 01 2009
00:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:09 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"]
01:39 -!- ikarius [n=ross@216.27.182.3] has left ##openvpn []
02:42 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has joined ##openvpn
02:56 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
03:00 -!- rubydiam_ [n=rubydiam@123.236.183.30] has joined ##openvpn
03:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
03:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)]
03:50 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
04:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:56 -!- rubydiam_ [n=rubydiam@123.236.183.30] has quit [Read error: 110 (Connection timed out)]
05:30 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
07:12 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
07:26 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
07:36 -!- cb22 [n=cb22@moinmoin/developer/federico] has joined ##openvpn
07:37 -!- countd [n=quassel@unaffiliated/countd] has joined ##openvpn
07:39 < cb22> Hi, is it possible to get two VPNs connecting to the same server to speak to each other?
07:40 < cb22> As in -> (server) <- . VPN 1 can ping server, and the same for VPN 2, but they cannot ping each other, even though I think i've got all the routes needed
07:44 < ecrist> yep
07:45 -!- countd [n=quassel@unaffiliated/countd] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
07:46 -!- countd [n=countd@cpc3-lewi3-0-0-cust928.bmly.cable.ntl.com] has joined ##openvpn
08:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B17A516.dip0.t-ipconnect.de] has quit ["Leaving."]
09:09 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
09:16 -!- tjz [n=tjz@bb116-15-71-110.singnet.com.sg] has quit ["Spare me some sleep, please."]
09:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
10:34 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
10:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:50 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn
10:50 -!- smk [n=scott@cobra.httpd.org] has quit [Read error: 104 (Connection reset by peer)]
11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)]
11:06 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has joined ##openvpn
11:09 -!- Rawplayer [n=kevin@cp108757-a.landg1.lb.home.nl] has left ##openvpn []
11:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
12:24 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
12:27 -!- eddieb [n=eddieb@eddieb.xs4all.nl] has joined ##openvpn
12:28 -!- eddieb [n=eddieb@unaffiliated/eddieb] has left ##openvpn ["Leaving"]
12:42 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)]
13:29 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection]
13:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
13:45 -!- c64zottel [n=hans@141.37.33.125] has quit ["Leaving."]
14:06 -!- ikevin_ [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
14:08 -!- ikevin [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has joined ##openvpn
14:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:20 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
14:43 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
15:06 -!- Irssi: ##openvpn: Total of 40 nicks [0 ops, 0 halfops, 0 voices, 40 normal]
15:08 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
15:09 < Spockz|servert> I tried the introduction setup on a OS X machine and I am now at the point of testing the install
15:09 < Spockz|servert> but as soon as I connect I get these errors:
15:10 < Spockz|servert> http://spockz.pastebin.com/m261e532c
15:10 < Spockz|servert> Does anyone know what this means?
15:12 < Spockz|servert> those errors are server-side
15:26 < disco-> Hi all, the shaper option in OpenVPN seems to have no effect when I put it in a ccd file. Is it ok to do this, and if so, any ideas why it isn't working?
15:45 < ecrist> Spockz|servert: you need to run as root
15:46 < Spockz|servert> ecrist: I do, sudo, but I run bridged.
15:46 < ecrist> disco-: I don't generally use the shaper in OpenVPN. we could help more if you provided logs.
15:46 < ecrist> the vpn client, as well as the scripts for the bridging, need to be run as root.
15:46 < disco-> ok ecrist, I'll see if I can get anything relevant
15:47 < Spockz|servert> ecrist: ah, the bridge-start/stop scripts don't work on OS X :(
15:47 < ecrist> disco-: I'm leaving for a superbowl party, so I won't be around now, until late tonight.
15:48 < disco-> ecrist: Ah ok, have fun :)
15:49 < ecrist> Spockz|servert: why not?
15:49 < ecrist> they should. OS X uses FreeBSD user-land.
15:49 < ecrist> write some that *do* work.
15:49 < Spockz|servert> ecrist: brctl: command not found
15:51 < ecrist> ::sigh::
15:51 < Spockz|servert> *grin*
15:51 < ecrist> Spockz|servert: what bridging scripts are you using?
15:51 < Spockz|servert> ecrist: the ones from the sample dir
15:51 < ecrist> write your own, that use the proper tools.
15:53 < Spockz|servert> the problem is that I don't know which tools those are
16:05 < ecrist> Mac OS X is the server?
16:08 < Spockz|servert> ecrist: yes
16:09 < Spockz|servert> I tried ifconfig tap0 bonddev en0 but that fails. And I read in the man pages that it would render en0 useless
16:12 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
16:39 < Spockz|servert> ecrist: I can't find a method to bridge the connections. Do you have any hints?
16:41 -!- Spockz [n=info@71pc198.sshunet.nl] has joined ##openvpn
16:50 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
16:53 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:53 -!- rmull [n=rmull@acsx02.bu.edu] has quit ["leaving"]
17:11 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
17:53 -!- Spockz [n=info@71pc198.sshunet.nl] has quit []
18:10 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
18:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit [Read error: 110 (Connection timed out)]
18:40 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
19:12 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:18 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
19:25 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit []
19:58 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
20:20 -!- phr0st_e [n=phr0st@76.252.191.193] has joined ##openvpn
20:25 < phr0st_e> am currently using openvpn 2.x on current version of ubuntu, bridged connection, with one interface. When I make the vpn connection, I get a "no route to host" (error code 64 and 65). I can no longer ping the server once the connection is made. I think it's because I only have one interface. I'm trying to set up an alias ip, but it's not coming up at boot. Any ideas?
20:42 < dvl> that indicates to me there is no route. netstat -nr will show you.
20:49 < phr0st_e> that makes sense, what would a good route look like? here's my netstat -rn:
20:51 < phr0st_e> default 192.168.2.1 UGSc 23 640 en1
20:51 < phr0st_e> 127 127.0.0.1 UCS 0 0 lo0
20:51 < phr0st_e> 127.0.0.1 127.0.0.1 UH 2 170 lo0
20:51 < phr0st_e> 155.79.11/24 link#9 UC 1 0 tap0
20:51 < phr0st_e> 155.79.11.19 link#9 UHRLW 1 24 tap0 13
20:51 < phr0st_e> 169.254 link#6 UCS 0 0 en1
20:51 < phr0st_e> 172.16.80/24 link#7 UC 1 0 vmnet8
20:51 < phr0st_e> 172.16.80.255 link#7 UHLWb 1 4 vmnet8
20:51 < phr0st_e> 192.168.2 link#6 UCS 8 0 en1
20:51 < phr0st_e> 192.168.2.1 0:0:c0:87:7:eb UHLW 15 65 en1 1155
20:51 < phr0st_e> 192.168.2.3 0:c0:4f:14:1:de UHLW 24 415 en1 1154
20:51 < phr0st_e> 192.168.2.20 0:b:db:70:45:e7 UHLW 1 1007 en1 928
20:51 < phr0st_e> 192.168.2.32 0:d:93:64:99:2e UHLW 0 11 en1 1098
20:51 < phr0st_e> 192.168.2.143 127.0.0.1 UHS 0 0 lo0
20:51 < phr0st_e> 192.168.2.173 0:1a:e9:83:9f:19 UHLW 0 0 en1 716
20:51 < phr0st_e> 192.168.2.255 link#6 UHLWb 2 27 en1
20:51 < phr0st_e> 192.168.187 link#8 UC 1 0 vmnet1
20:51 < phr0st_e> 192.168.187.255 link#8 UHLWb 1 4 vmnet1
20:51 < phr0st_e> where I'm currently at home behind 129.168.2.x
20:52 < phr0st_e> and my server has a single IP address of 155.79.11.19
21:02 < phr0st_e> just curious...would this be more likely to work if I throw in a second nic?
21:32 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
21:44 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 113 (No route to host)]
21:59 < dvl> phr0st_e: 2nd nic not required.
22:00 < dvl> routing shows your server is on tap0, so that should work. What is the output of ifconfig tap0 ?
22:00 < dvl> I bet it is 155.79.11.19
22:01 < dvl> But that's supposed to be the server you say. It appears to be local, not remote.
22:19 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8
22:19 < phr0st_e> inet6 addr: fe80::98a6:e2ff:fe8c:f1b8/64 Scope:Link
22:19 < phr0st_e> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
22:19 < phr0st_e> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
22:19 < phr0st_e> TX packets:1240 errors:0 dropped:2 overruns:0 carrier:0
22:19 < phr0st_e> collisions:0 txqueuelen:100
22:19 < phr0st_e> RX bytes:0 (0.0 B) TX bytes:100173 (100.1 KB)
22:23 < phr0st_e> yeah...tap0 has no ip address
22:24 < phr0st_e> the netstat -rn from above was from my workstation (that negotiated a vpn session)
22:24 < phr0st_e> netstat -rn on my server looks like this:
22:25 < phr0st_e> 155.79.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
22:25 < phr0st_e> 0.0.0.0 155.79.11.254 0.0.0.0 UG 0 0 0 br0
22:25 < phr0st_e> ifconfig on my server looks like this:
22:26 < phr0st_e> br0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1
22:26 < phr0st_e> inet addr:155.79.11.19 Bcast:129.79.11.255 Mask:255.255.255.0
22:26 < phr0st_e> inet6 addr: 2001:18e8:2:11:211:43ff:febd:b8e1/64 Scope:Global
22:26 < phr0st_e> inet6 addr: fe80::211:43ff:febd:b8e1/64 Scope:Link
22:26 < phr0st_e> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
22:26 < phr0st_e> RX packets:2299 errors:0 dropped:0 overruns:0 frame:0
22:26 < phr0st_e> TX packets:1051 errors:0 dropped:0 overruns:0 carrier:0
22:26 < phr0st_e> collisions:0 txqueuelen:0
22:26 < phr0st_e> RX bytes:254738 (254.7 KB) TX bytes:188688 (188.6 KB)
22:26 < phr0st_e> eth0 Link encap:Ethernet HWaddr 00:11:43:bd:b8:e1
22:26 -!- phr0st_e [n=phr0st@76.252.191.193] has quit [Excess Flood]
22:26 -!- phr0st_e [n=phr0st@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] has joined ##openvpn
22:27 < phr0st_e> member:phr0st_e
22:27 < phr0st_e> :
22:27 < phr0st_e> tap0 Link encap:Ethernet HWaddr 9a:a6:e2:8c:f1:b8
22:27 < phr0st_e> [
22:29 -!- mode/##openvpn [+o ecrist] by ChanServ
22:29 -!- phr0st_e was kicked from ##openvpn by ecrist [ecrist]
22:30 <@ecrist> dvl he been doing that long
22:30 <@ecrist> ?
22:33 -!- mode/##openvpn [+b *!*@adsl-76-252-191-193.dsl.bltnin.sbcglobal.net] by ecrist
22:33 -!- mode/##openvpn [-o ecrist] by ecrist
22:33 < ecrist> g'night
22:52 < dvl> ecrist: no, just once.
23:15 < ykut_johny> !route
23:15 < vpnHelper> ykut_johny: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:33 < ecrist> dvl, sorry I wasn't around to kick him out when he started it.
--- Day changed Mon Feb 02 2009
00:05 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has joined ##openvpn
00:06 < renic> having issues getting the gui client to work in VISTAx64 - any advice? this is my current problem:
00:06 < renic> Sun Feb 01 22:08:14 2009 CreateFile failed on TAP device: \\.\Global\{5BFF639A-C56D-4CC1-96EB-3BE76AD88045}.tap
00:06 < renic> Sun Feb 01 22:08:14 2009 All TAP-Win32 adapters on this system are currently in use.
00:06 < renic> Sun Feb 01 22:08:14 2009 Exiting
00:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
00:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:32 -!- renic [n=notneces@adsl-69-225-46-108.dsl.skt2ca.pacbell.net] has quit ["i upgraded to the release candidate, and it fixed the problem"]
00:49 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
03:07 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
03:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
04:22 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)]
04:30 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn
04:38 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
04:50 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has joined ##openvpn
04:50 < jolelion> hello
04:52 < jolelion> I don't understand the differences between "server/client mode" and "p2p mode"?
04:53 < jolelion> and I didn't find an answer on the openvpn Website. Can anyone help me?
04:57 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit ["Leaving."]
05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Read error: 104 (Connection reset by peer)]
05:23 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
05:29 < kyrix> jolelion: p2p means peer 2 peer. you will probably want server/client mode, what do u want to do
05:43 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
05:49 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
05:51 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
05:56 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
05:59 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
06:28 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
06:33 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
06:40 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
06:59 < jolelion> kyrix: the vpn-clients need to talk together
07:14 < ecrist> morning, bitches
07:14 < reiffert> $100/kiss each.
07:23 < ecrist> o.O
07:28 < ecrist> http://www.explosm.net/comics/1543/
07:28 < vpnHelper> Title: Comics - Explosm.net (at www.explosm.net)
07:33 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
07:47 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)]
07:57 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
07:59 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:07 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer]
08:08 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has joined ##openvpn
08:14 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
08:16 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
08:22 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:41 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer]
08:50 -!- dim [n=Dimitri@83.167.62.196] has joined ##openvpn
08:53 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
09:32 < ecrist> it's too quiet in here.
09:37 < kyrix> the weather in Vienna is .... :)
09:38 < kyrix> on the other hand, it means the openvpn networks out there are working fine probably :)
09:39 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
09:43 < ecrist> very true
09:44 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has quit ["leaving"]
09:49 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
09:58 -!- kyrix [n=ashley@91-115-18-74.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
09:58 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn
09:58 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn
09:59 < ikarius> hey, looking for some help. I've installed openvpn on my ubuntu 8.0.4 server edition, and I'm trying to set up the PKI stuff. I'm following the how-to on the openvpn site, but when generating keys, a couple things appear to be going wrong
10:00 < ikarius> the scripts are complaining about "index.txt" not existing, and no server.crt file gets generated. It appears to generate server.key just fine though
10:01 < ikarius> I've tried using the build-key-server script, as well as the pkitool script
10:03 < reiffert> then you probably missed sourcing vars.bar.
10:03 < ikarius> nope, did that
10:03 < ikarius> and verified via the "env" command that it set appropriate variables
10:04 < reiffert> or missed init-config.
10:04 < reiffert> that index file missing sounds like you are using a different openssl.cnf file other than the one that ships with easy-rsa.
10:05 < ikarius> init-config?
10:06 < ikarius> init-ca is shown in the instructions and the usage for pkitool, but not init-config
10:06 < reiffert> !howto
10:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:07 < reiffert> "Generate the master Certificate Authority (CA) certificate & key"
10:08 < ikarius> init-config didn't come in the openvpn package distributed for ubunty
10:09 < ikarius> ubuntu even
10:09 < ikarius> the instructions indicate it's just supposed to copy the config files into the right places
10:09 < ikarius> but... openssl.cnf, it appears I'm not getting that correctly
10:09 < ikarius> let me dig into that bit
10:11 < ikarius> no, I'm getting the openssl.cnf distributed with openvpn
10:11 < reiffert> export KEY_DIR="$EASY_RSA/keys"
10:12 < ikarius> that's already there
10:12 < reiffert> find that in your vars file?
10:12 < reiffert> cause
10:12 < reiffert> openssl.cnf:
10:12 < reiffert> dir = $ENV::KEY_DIR # Where everything is kept
10:12 < reiffert> database = $dir/index.txt # database index file.
10:12 < ikarius> yes, those lines are in the openssl.cnf I have
10:12 < reiffert> However, follow the howto again please and paste what you get from the beginning and we'll see.
10:13 < reiffert> outforasmoke
10:13 < ikarius> how critical should init-config be?
10:13 < reiffert> forget init-config.
10:13 < ikarius> ok
10:13 < ikarius> I'll restart and paste
10:14 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:16 < ikarius> AH. found the problem.
10:16 < ikarius> I did not run clean-all to begin with. That initializes index.txt and serial
10:17 < reiffert> welcome
10:18 < ikarius> I skipped it because I'd done a "mkdir" on keys, so I didn't think anything needed to be deleted...
10:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:18 < ikarius> the name is slightly misleading; I expect "clean" to simply remove any traces of a previous config... but thank you
10:22 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:23 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has joined ##openvpn
10:25 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
10:29 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 104 (Connection reset by peer)]
10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:38 -!- Federico2 [n=Fede@193.200.193.239] has joined ##openvpn
10:38 < Federico2> hi guys
10:39 -!- wonko [n=wonko@wiggum.4amlunch.net] has joined ##openvpn
10:39 < wonko> ugh, i think i'm missing something stupid silly
10:41 -!- kyrix [n=ashley@93-82-1-29.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:41 < ecrist> what's that?
10:48 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
10:55 < plaerzen> hello irc
11:05 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has joined ##openvpn
11:06 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has left ##openvpn []
11:10 < wonko> ecrist: hey there
11:10 < wonko> i'm trying to do a basic two private networks behind both client and server vpn end-nodes
11:10 < wonko> and it's just not behaving at all
11:12 < wonko> all the routing table entries point to the IP on the "near" side of the vpn tunnel, but i can't ping/ssh/anything to that IP, I need to go against the IP on the "far" side of the tunnel, which works
11:12 < wonko> but i can't set my routing tables to use that
11:16 < ecrist> !configs
11:16 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:16 < wonko> ah, yes, that would likely help. :)
11:19 < Federico2> guys
11:19 < Federico2> afaik there is no simple way to let an unprivileged user create and deploy certificate files for openvpn clients
11:20 < Federico2> I'm writing something to invoke easy-rsa, build a certificate, package it in a zip file as well as configuration file, openvpn installer, guide...
11:20 < Federico2> am I reinventing the wheel?
11:20 < ecrist> yes
11:20 < ecrist> !ssl-admin
11:20 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
11:22 < ecrist> Federico2: the documentation on the site isn't that great for ssl-admin
11:22 < ecrist> that does a lot of what you're asking
11:22 < Federico2> so I reinvented the wheel....
11:23 < ikarius> hmm. is there a particular verbosity level where I should see DHCP requests come from a client?
11:23 < Federico2> thanks a lot
11:23 < ikarius> I *think* I have DHCP configured properly on the server side, but the client is always getting 169.254.8.126, which I think is a private "fallback" IP
11:24 < ikarius> if I can set the verbosity to see DHCP requests, and no DHCP request shows up, I'll know my problem is client-side
11:25 < wonko> http://sial.org/pbot/34850
11:25 < vpnHelper> Title: Paste #34850 from "wonko" at 147.140.233.16 (at sial.org)
11:27 < ecrist> Federico2: that project is on-going, and in active development, so if there's something you'd like to see, feel free to request it or contribute it.
11:28 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:29 < Federico2> ecrist, I wrote something more specific for a different use case
11:30 < Federico2> I want an unprivileged user to be able to create certificates and deploy a .zip file containing the openvpn installer as well
11:31 < Federico2> ssl-admin is almost there - it could be tweaked a bit to prevent the user from tweaking other parameters
11:32 < Federico2> uh... it's run by root!
11:35 < Federico2> crazy
11:37 < ecrist> ssl-admin, in its current inception, is root-only, but it's a very minor tweak to change that
11:37 < ecrist> could be easily geared toward checking for a specific group membership
11:37 < ecrist> my point for pointing it out is, it's *almost* what you need.
11:37 < ecrist> just have to add in the remaining bits
11:38 < Federico2> I already wrote mine - so right now I'll use it - but it's a pity not to have a complete solution
11:38 < ecrist> ok
11:38 < Federico2> minor tweak?
11:38 < ecrist> aye
11:39 < Federico2> there could be a lot to change if you want to run it without root privs
11:40 < wonko> ecrist: get a chance to look at my paste?
11:41 < ecrist> wonko, looking now
11:41 < ecrist> wonko, no
11:42 < ecrist> chmod -R a+rwx ssl-admin/*
11:42 < ecrist> and one line in the code, iirc
11:45 < ecrist> wonko: I'm guessing your firewall for ping failures.
11:45 < ecrist> client should be able to ping 172.20.1.1
11:47 -!- kyrix [n=ashley@91-115-31-134.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
11:47 < ecrist> it can ping .6 because that's its own address.
11:49 < wonko> the client can't ping .6, it can only ping .1 (dunkirk is the client)
11:49 -!- dim [n=Dimitri@83.167.62.196] has quit [Remote closed the connection]
11:50 < wonko> firewall is disabled
11:59 < ecrist> so it *can* ping .1?
11:59 < ecrist> PING 172.20.1.1 (172.20.1.1): 56 data bytes
11:59 < ecrist> --- 172.20.1.1 ping statistics ---
11:59 < ecrist> 2 packets transmitted, 0 packets received, 100.0% packet loss
11:59 < ecrist> your notes seem to indicate otherwise
12:00 < wonko> that's from the server
12:00 < wonko> if you look down at the bottom of the paste
12:01 < wonko> the last ping is the ping from the client to 172.20.1.1
12:01 < ecrist> oh, ok.
12:03 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has joined ##openvpn
12:03 -!- kyrix [n=ashley@91-115-186-194.adsl.highway.telekom.at] has joined ##openvpn
12:04 -!- Kuyatzu [n=Miranda@p57BC61EC.dip.t-dialin.net] has left ##openvpn []
12:07 < Federico2> bye
12:07 < ecrist> wonko: you're not going to be able to ping the .5 or the .2 ips
12:07 < ecrist> just FYI
12:07 < wonko> yeah, but i should be able to ping the .1 and .6 from both ends
12:08 < ecrist> to recap here, the client *can* ping 172.20.1.1, and can the server ping 172.20.1.6?
12:08 < wonko> the part that really confuses me is that i can ping the IP on the *remote* machine
12:08 < ecrist> doesn't appear to
12:08 < wonko> the client can ping .1 (which is on the server) and the server can ping .6 (which is on the client)
12:08 < ecrist> ok, but they can't ping themselves?
12:08 < wonko> nope
12:09 < ecrist> weird, should be able to. let's just pretend they can.
12:09 < ecrist> can they ping the remote networks, then?
12:09 < wonko> no since the routes for those networks point to the local IPs
12:12 < ecrist> the VPN client can't ping itself?
12:12 < ecrist> that doesn't make sense.
12:13 < wonko> i know
12:14 < wonko> that's why I was hoping I was doing something stupid in the config files. :)
12:15 < wonko> and to top it off, (in an unrelated project) the F5 load balancers have decided to start kicking my ass today as well
12:15 < wonko> it's *gotta* be monday
12:15 < wonko> ;)
12:21 < ecrist> lol
12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: bandini, dvl
12:21 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, justdave, clustermagnet, meshuga, disco-, rubydiamond, pa, skx, disposable, aar0n, (+22 more, use /NETSPLIT to show all of them)
12:22 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: donavan, Federico2, krzie, kaii, dogmeat, munga, cpm, huslu, troy-, techqbert
12:26 < ecrist>
12:41 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has joined ##openvpn
12:41 -!- Netsplit over, joins: dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22, [intra]lanman (+33 more)
12:47 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: mcp, donavan, Federico2, justdave, krzie, clustermagnet, meshuga, disco-, rubydiamond, pa, (+34 more, use /NETSPLIT to show all of them)
12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:58 -!- Netsplit over, joins: kyrix, dogmeat, wonko, Federico2, plaerzen, jpalmer, rubydiamond, aar0n, ikarius, cb22 (+34 more)
13:03 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
--- Log closed Mon Feb 02 13:04:19 2009
--- Log opened Mon Feb 02 13:04:22 2009
13:04 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:04 -!- Irssi: ##openvpn: Total of 49 nicks [0 ops, 0 halfops, 0 voices, 49 normal]
13:04 -!- Irssi: Join to ##openvpn was synced in 19 secs
13:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has quit [Nick collision from services.]
13:04 -!- You're now known as ecrist
13:06 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection]
13:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:40 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn
13:50 < wonko> hmmm, i seem to have stumped you
13:50 < wonko> i wish that meant I won
13:50 < wonko> ;)
13:52 < ecrist> sorry
13:52 < wonko> it's ok
13:52 < wonko> i'm just being a dick. :)
14:06 < ecrist> you're good at it.
14:09 < wonko> i know
14:09 < wonko> ;)
14:09 < plaerzen> ecrist, what is openvpn ?
14:11 < ecrist> plaerzen: it's this thing you put in your mom's butt.
14:13 < ecrist> rather, a thing *I* put in your mom's butt.
14:13 -!- mode/##openvpn [+o ecrist] by ChanServ
14:13 -!- ecrist was kicked from ##openvpn by ecrist [quit talking about plaerzen's mom!]
--- Log closed Mon Feb 02 14:13:49 2009
--- Log opened Mon Feb 02 14:13:57 2009
14:13 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:13 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal]
14:13 -!- Irssi: Join to ##openvpn was synced in 1 secs
14:14 < ecrist> sorry about that
14:14 < plaerzen> lol
14:15 < ecrist> w00t, my writeup for disk quotas on os x got a mention on macosxhints.com
15:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
16:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has joined ##openvpn
16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn []
16:04 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
16:06 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn []
16:11 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has quit [Read error: 60 (Operation timed out)]
17:01 -!- c64zotte1 [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has quit ["Leaving."]
17:17 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
17:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
17:34 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
17:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:38 < ScribbleJ> This is driving me bananas... openvpn on debian etch, server set for udp, 'port' and 'lport' both set to 1194; it always sends its traffic as lport 1024 though.
17:38 < ScribbleJ> Any ideas what I did/should do?
17:44 < ScribbleJ> openvpn is clearly /listening/ on 1194. iptables has no rules that are related. netcat will happily let me send traffic with sport of 1024, but 1194 I can't since it's bound for openvpn
17:46 -!- cj [n=cjac@66.152.65.2] has joined ##openvpn
17:46 < cj> hey all
17:46 < cj> I need some help setting up a mitm proxy
17:47 < cj> I want to pcap an ssmtp session I'm initiating. I'd like to set up a proxy on localhost which talks to smtp.foo.com:ssmtp and listens on localhost:smtp
17:48 < cj> I'll have mutt use smtps://user:pass@localhost:25/ at which point I can `tcpdump -i lo -w session.pcap port 25`
17:48 < cj> anyone know of a tool I can do the listening on?
17:49 < cj> stunnel seems to do the opposite
17:49 < krzee> umm, ssh i think
17:50 < cj> oooh
17:50 < krzee> but definitely not openvpn
17:50 < ikarius> ssh and port forwarding should be able to do what you want, but unless you're running as root, you'll probably need to set it to listen on a port higher than 1024
17:50 < cj> well, I'm asking here 'cuz folks have domain experience, not because I'd use openvpn. sorry for being OT :)
17:51 < krzee> ikarius, i'm not sure about all os, but in fbsd you can give a diff user access to open a lower port
17:51 < krzee> cj, np
17:51 < ikarius> krzee: I think you're right, but I think you need root to grant that access in the first place.... I think.
17:52 < krzee> oh yes
17:52 < krzee> well depends
17:52 < krzee> you need root to grant the access, but after that the user doesn't need to start as root then drop privs
17:52 < ikarius> disclaimer: I am not liable if my half-remembered tips cause your computer to eat your family dog and light the house on fire
17:52 < krzee> hahah
17:53 < krzee> ya that goes for me too
17:53 < cj> okay, so -L 127.0.0.1:25:smtp.foo.com:465 would forward the port without tls...
17:53 < ScribbleJ> cj, are you trying for an mitm proxy, or do you just want to decrypt and read the ssl traffic?
17:53 < cj> how do I add the tls encapsulation?
17:53 < cj> ScribbleJ: the latter
17:54 < ScribbleJ> cj, I'll tell you what I'd do, just pcap the traffic with tcpdump as normal, then read the log into wireshark which I believe has an option to decrypt an ssl stream provided the key
17:54 < ecrist> rawr
17:54 < cj> okay. where do I get the client key for mutt? :)
17:55 < krzee> wassup eric
17:55 < ScribbleJ> Got me, I was expecting you had the server key. :)
17:55 < ecrist> sup krzee
17:55 < krzee> lol
17:55 < krzee> not much man
17:55 < krzee> getting ready to leave vegas
17:55 < cj> ha. if I use stunnel, I do! Thanks :)
17:55 < krzee> headed to the bay area
17:58 < krzee> ecrist, how'd ya like the superbowl?
18:03 < plaerzen> oh shit. I missed the superbowl.
18:04 < krzee> lol
18:08 < cj> ScribbleJ: do you happen to know what arguments to use to specify the ssl key?
18:08 * cj asks #wireshark
18:09 < ScribbleJ> cj, I don't, but earlier when I googled wireshark decrypt ssl, the first guide that came up had some nice pictures of where to put it in the gui.
18:09 < cj> cool beans
18:09 < cj> oh, wait... I was hoping for tshark
18:09 < cj> anyway, I'll copy the ssl key to the windows box...
18:10 < ScribbleJ> Yeah, I typically use tcpdump then wireshark, can't help with tshark.
18:10 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
18:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:24 -!- grendal_prime [n=grendal_@71.154.139.61] has joined ##openvpn
18:26 < grendal_prime> ok we have several of these machines now, really digging them... however the windows IT guys are iffy because they have no tool to really monitor what is happening and who is logged in. I have showed them the terminal based tools but they are not very impressed (windows guys). Sooo is there some sort of windows openvpn management util? Web based would be fine. I looked at the webmin tool but openvpn has to be installed with the webmin tool and
18:26 < grendal_prime> besides it doesn't offer much more than the terminal.
18:41 < ecrist> ::yawn::
18:41 < ecrist> grendal_prime: afaik, there's nothing at this time.
18:42 < ecrist> feel free to write one, though
18:50 -!- kyrix [n=ashley@93-82-4-238.adsl.highway.telekom.at] has quit [Remote closed the connection]
19:00 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
19:17 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:51 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit []
19:55 < grendal_prime> well.. like i say there is the webmin module.... unfortunately the way that it works is somewhat dysfunctional for existing openvpn installations.
19:56 < grendal_prime> in fact it breaks existing connections.
19:57 < grendal_prime> the entire server, because it rewrites the server.conf.
20:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:49 -!- tjz [n=tjz@bb121-7-26-157.singnet.com.sg] has joined ##openvpn
20:50 * tjz reporting in, sir!
20:53 -!- wonko [n=wonko@wiggum.4amlunch.net] has left ##openvpn []
21:03 < tjz> is it possible to auto generate the .ca, crt with a click / command?
21:13 < grendal_prime> click command?
21:14 < grendal_prime> like with a mouse type deal?
21:15 -!- grendal_prime [n=grendal_@71.154.139.61] has quit [Remote closed the connection]
21:29 < tjz> in centos server..
21:34 < tjz> i don't have to hit "enter" manually..
21:37 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:48 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit ["Lost terminal"]
21:49 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
22:09 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn
22:15 -!- smk_ is now known as smk
22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
22:16 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has quit [Client Quit]
22:20 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
22:22 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
22:25 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has joined ##openvpn
22:28 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
22:45 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
22:50 < ikarius> freaking FINALLY
22:51 < ikarius> man, it took a lot of digging to come up with the right way to configure Ubuntu to do a bridged OpenVPN
22:52 < ikarius> http://openvpn.pastebin.com/m50d387de - interfaces file
22:54 < ikarius> then some scripts to add tap devices to the bridge when openvpn needs them
22:59 < ikarius> there were a lot of obsolete instruction sets.... which did not work
--- Day changed Tue Feb 03 2009
00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:39 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit ["leaving"]
00:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
01:14 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
01:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:39 < reiffert> moin
02:24 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
02:25 -!- MehdiAK [n=Mehdiak@94.101.188.97] has joined ##openvpn
02:26 -!- MehdiAK is now known as Inil
02:29 < Inil> i want to use ldap authentication in openvpn but the plugin can't connect to the ldap server and i have a password error?
02:29 < Inil> encryption type must be changed
02:29 < Inil> on ldap authentication plugin?!
02:32 < Inil> any idea?
02:34 < reiffert> you could use pam authentication and have pam do the ldap stuff, I guess you already have pam_ldap auth on your system?
02:47 < Inil> reiffert: document or manual ? :)
02:54 < reiffert> pam_ldap or openvpn->pam?
02:55 < reiffert> /openvpn-2.1~rc11/plugin$ ls auth-pam/
02:55 < reiffert> Makefile README auth-pam.c pamdl.c pamdl.h
02:58 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-b90fc6b3825fe6e1] has joined ##openvpn
02:58 < Natilous> Hi Inil ...
02:58 < Natilous> Hi reiffert
03:00 < Inil> reiffert: i have an ldap server & it's OK!, and i want to run an openvpn server that uses ldap for Authentication & installed the openvpn-auth-ldap plugin and want to use it but have problems!
03:00 < Inil> hi Natilous :)
03:01 < reiffert> Inil: You already said that.
03:01 < Natilous> reiffert: the plugin can't bind with ldap.
03:02 < reiffert> Natilous: my proposal was:
03:02 < reiffert> have pam do the ldap stuff and use the pam auth that comes with openvpn.
03:02 < reiffert> Natilous: as my question was: I guess you already have pam_ldap auth on your system?
03:03 < reiffert> Natilous: which adds ldap auth to pam.
03:03 < Natilous> reiffert: do you have a document to explain how I can do that?
03:03 < Natilous> I don't know .. ldap admin not here right now.
03:04 < reiffert> pam_ldap pam_auth_ldap
03:04 < reiffert> common packagename on various unix distributions.
03:05 < reiffert> you'll need the ldap admin and a guy who cares about the pam stuff.
03:05 < reiffert> you're running a unix server, aren't you?
03:06 < Natilous> reiffert: If we have pam_ldap, what should we do to use it!
03:07 -!- Llama [n=bogdan@84.201.239.103] has joined ##openvpn
03:07 < Llama> hello
03:07 < Natilous> reiffert: we don't have pam_ldap, our server uses auth_ldap
03:08 < reiffert> Natilous: openvpn source code, plugin directory, auth-pam directory.
03:08 < Llama> I need custom firewall settings for each openvpn client. How could I implement this using openvpn on linux ?
03:08 < reiffert> well whatever, you don't seem to refuse to answer my questions. have fun.
03:09 < Natilous> reiffert: we use this configuration on /openvpn/server.conf to use ldap authentication: "plugin /usr/local/lib/openvpn-auth-ldap.so "/etc/openvpn/config""
03:10 < Natilous> please give me a sample user information on ldap directory to work with openldap.
03:10 < reiffert> Natilous: question: are you running unix (linux etc)?
03:11 < Natilous> sure. openvpn (debian), ldap-server (redhat)
03:12 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
03:13 < reiffert> Natilous: does the debian system use pam?
03:13 < Natilous> reiffert: no we don't use pam.
03:13 < reiffert> ls /etc/pam.d/
03:14 < Natilous> reiffert: yes. but we don't have /etc/pam.d/openvpn
03:14 < reiffert> Natilous: does the debian system authenticate against your ldap server?
03:14 < reiffert> for ssh, login etc
03:15 < Natilous> ls /etc/pam.d/ contains these: atd chfn chsh common-account common-auth common-password common-session cron login newrole other passwd run_init sshd su
03:15 < reiffert> ls /etc/*ldap*
03:16 < Natilous> ls /etc/ldap/ : ldap.conf sasl2 schema slapd.conf slapd.conf.gforge-new
03:16 < reiffert> Natilous: my proposal is: configure pam to authenticate against your ldap server
03:16 < reiffert> Natilous: after that, let openvpn authenticate against pam.
03:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:20 < reiffert> Natilous: your approach: use openvpn-auth-ldap. "It is not working" is a very bad starting point. Come up with something useful.
03:20 -!- ghahremani [i=d9dbf418@gateway/web/ajax/mibbit.com/x-96316112d2f31d1f] has joined ##openvpn
03:21 < ghahremani> reiffert: Thanks for your help .. I'm Natilous. but disconnected from Internet.
03:21 < ghahremani> reiffert: Have a naci time ..
03:21 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-b90fc6b3825fe6e1] has quit ["http://www.mibbit.com ajax IRC Client"]
03:21 -!- ghahremani [i=d9dbf418@gateway/web/ajax/mibbit.com/x-96316112d2f31d1f] has left ##openvpn []
03:23 < reiffert> nazi with z, idiots.
03:34 -!- Inil [n=Mehdiak@94.101.188.97] has left ##openvpn []
04:14 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
04:20 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:20 < T0aD> lo all
04:21 < T0aD> I have some issues with my vpns using openvpn
04:23 < T0aD> sometimes my internet connection restarts (don't know exactly why) and it sometimes (not at every loss of internet connection) makes some VPN link fail. they don't seem to be able to communicate anymore, until I change the remote port on the client and server's configurations.
04:24 < T0aD> I'm thinking it's maybe linked to my cheap router (edimax br6104k) but really I have no idea, no firewall between them except for the router (doing nat), the openvpn is using tun/udp and the ISP has no filter on UDP according to what they say
04:25 < T0aD> !configs
04:25 < vpnHelper> T0aD: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:30 < T0aD> http://bin.cakephp.org/view/666050690
04:30 < vpnHelper> Title: CakeBin : Pastes (at bin.cakephp.org)
04:30 < T0aD> here you go
04:32 * T0aD lights a candle and prays his voice will be heard
04:32 < T0aD> otherwise I'll just sc*** it and buy another router :)
04:43 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##OpenVPN
04:44 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: krzie, munga, ScribbleJ, troy-, huslu, donavan, techqbert, kaii
04:45 -!- Netsplit over, joins: ScribbleJ, troy-, techqbert, kaii, huslu, donavan, munga
04:47 < kala> T0aD: if you restart your router, does the connection succeed?
04:49 < T0aD> kala, I didn't try that
05:55 -!- ykut_johny1 [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
06:07 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 110 (Connection timed out)]
06:08 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
06:25 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has quit ["Leaving"]
06:26 -!- xAFFE [i=tim@charlie333.server4you.de] has joined ##openvpn
06:27 < xAFFE> !route
06:27 < vpnHelper> xAFFE: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:27 < xAFFE> hi folks
06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:04 < xAFFE> thanks, that solved my problem :)
07:28 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn
07:28 < RUS> hi anybody
07:30 -!- cpm [n=Chip@wgw1.avitecture.net] has joined ##openvpn
07:30 < ecrist> hi
07:31 < tjz> Hello
07:45 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit ["Leaving."]
07:48 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
08:12 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:17 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
08:31 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:51 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
08:53 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Success]
08:53 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn
08:58 -!- mauro_ [n=mauro@213-156-44-184.ip.fastwebnet.it] has joined ##openvpn
09:03 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 60 (Operation timed out)]
09:06 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
09:13 < tjz> must we really run ". ./vars" ?
09:14 < tjz> can we run the full path ? eg. /root/openvp-r4/easy-rsa/2.0/vars
09:14 < dvl> Why ask? Just try. :)
09:18 < tjz> i want to socialise more
09:18 < tjz> hahah
09:42 < reiffert> You source the file.
09:45 < ecrist> tjz: the first dot sources the file, as reiffert said
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:48 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
09:48 < plaerzen> morning irc
09:49 < ecrist> morning plaerzen
09:50 < plaerzen> how's it going? Do you know anything about routing ecrist (I am so tired I find myself trying to tab-complete dictionary words today)
09:53 < ecrist> plaerzen: yes, I know a bit about routing
09:54 -!- dako [n=dako@193.93.114.245] has joined ##openvpn
09:55 < dako> hi all
09:56 < ecrist> howdy
09:58 < dako> i find the best to link one virtual interface (eth1:0) to another nat
09:58 < dako> like server-nat-----olsr wireless network-----router
10:00 < dako> i have also one tun between "server" and "router"
10:00 < dako> my problem is that i need to attribute a second public ip to "server"
10:01 < ecrist> ?
10:01 < ecrist> I'm confused
10:01 < dako> so i create eth1:1 with second public ip (no problem) to the router
10:02 < dako> and now i need to say tun0 in "server" is relied to eth1:1
10:03 < dako> that's my only one problem
10:04 < dako> to attribute public ip to server
10:05 < dako> the first public ip on the "router" is already in use ( on eth1 )
10:06 < dako> https://193.93.114.245/rc/vpn.png
10:07 < tjz> reiffert, do you mean searching for the "vars" file?
10:17 -!- Llama [n=bogdan@84.201.239.103] has quit [Read error: 104 (Connection reset by peer)]
10:17 < ecrist> tjz, you need to source the file.
10:17 < ecrist> that's what the first dot does in ". ./vars"
10:18 < ecrist> . ./vars doesn't work if your shell is csh, though
10:18 < ecrist> man source for more information
10:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:23 < tjz> ok
10:23 < tjz> thanks
10:25 < dako> ecrist: maybe with this new schema https://193.93.114.245/rc/vpn1.png
10:28 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
10:30 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:33 < dako> maybe i take the second public ip to tun0 with openvpn option ?
10:33 < dako> is it possible?
10:33 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
10:35 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:42 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:45 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
10:46 < reiffert> tjz: no, I mean "Sourcing a file", see man bash, paragraph: source filename [arguments]
10:47 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn
10:49 -!- ikarius [n=ross@216.27.182.3] has quit []
10:52 < reiffert> tjz: the alias for source is a dot "."
10:57 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 11:09 -!- mndo [n=mndo@a83-132-150-111.cpe.netcabo.pt] has joined ##openvpn 11:09 < mndo> !configs 11:09 < vpnHelper> mndo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:09 < mndo> !logs 11:09 < vpnHelper> mndo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 11:10 < mndo> !route 11:10 < vpnHelper> mndo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 11:26 < tjz> thx v 11:26 < tjz> thx reiffert 11:26 < tjz> :P 11:27 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn 11:29 -!- c64zotte1 [n=hans@p5B17AD32.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 11:36 -!- mauro_ [n=mauro@213-156-44-184.ip.fastwebnet.it] has quit ["Ex-Chat"] 11:52 -!- RUS [n=Mirc@88.214.199.147] has quit [Read error: 113 (No route to host)] 11:54 -!- tjz [n=tjz@bb121-7-26-157.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:57 -!- fsckedagain [n=fsckedag@71.154.139.61] has joined ##openvpn 11:58 < fsckedagain> ok 11:58 < fsckedagain> everything on my bridge is connecting to one port, so none of my clients can connect to anything. 11:58 < fsckedagain> Anybody have an idea how to troubleshoot this? 12:02 -!- fsckedagain [n=fsckedag@71.154.139.61] has left ##openvpn ["Leaving"] 12:12 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:30 < ikarius> well, I finally got openvpn bridged working properly to my server at home. 
Finding the "right" way to configure bridged on ubuntu server edition was rather difficult, as the first several instruction sets I found were obsolete and/or incorrect 12:31 < ikarius> so, now that I got it working, I updated the Ubuntu Wiki with a nicer up-to-date set of instructions- https://help.ubuntu.com/community/OpenVPN 12:31 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com) 12:32 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:35 -!- xAFFE [i=tim@charlie333.server4you.de] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 12:36 -!- cj [n=cjac@66.152.65.2] has quit [Remote closed the connection] 12:39 < reiffert> ikarius: please have it link the official openvpn howto, that comes with all the stuff about bridging and scripts. 12:39 < ikarius> reiffert: hokay, I can do that 12:41 -!- alexkuebo [n=alexkueb@p548BE2EB.dip.t-dialin.net] has joined ##openvpn 12:42 < alexkuebo> I am using auth-user-pass-verify via-env, but there is no $password for my script available 12:42 < alexkuebo> $username is there 12:42 < reiffert> ikarius: 12:42 < reiffert> !howto 12:42 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:44 < ikarius> yes, I read that in detail 12:44 < ikarius> its instructions on setting up bridging on linux were a bit sparse 12:45 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has joined ##openvpn 12:46 < nschembr> hello I need help with a default routing issue 12:47 < ikarius> ok, link to the official openvpn howto added. It's at the bottom of the page with the other links. 12:47 < nschembr> I have one server and two modems 12:47 < nschembr> Can I balance the traffic 12:48 < nschembr> I've tested two servers and two openvpn.
one for each modem 12:49 < nschembr> this works well but has added extra hardware 12:49 < alexkuebo> I think script-security will solve my problem 12:49 < nschembr> the modems act as a firewall 12:50 < nschembr> I have a port fw rule to the server. 12:50 < nschembr> the returning udp packet always goes out the same modem. 12:51 < nschembr> Can you have two default routes? 12:53 < ikarius> the setup I ended up using on Ubuntu sets it up so at boot, a bridge device "br0" is brought up with a static IP and eth0 is added as its only member. When OpenVPN needs a tap interface, it has scripts which add the tap interface to the bridge and set eth0 to promiscuous mode. When tap interfaces are no longer needed, it removes them from the bridge and removes promiscuous mode from eth0. 13:00 < nschembr> ikarius: was your last comment from me? 13:01 < ikarius> nschembr: nope. 13:01 < nschembr> Thank you for your time, I'll keep digging :) 13:01 -!- alexkuebo [n=alexkueb@p548BE2EB.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 13:01 < reiffert> nschembr: linux? 13:01 < ikarius> nschembr: as to your question, load-balancing is hard to do- and generally can't be done by routing. You'll probably need to look at bonding to do load-balancing 13:02 < nschembr> reiffert: yes I run openvpn on linux. It has worked well for years. 13:03 < reiffert> nschembr: lartc.org 13:03 < reiffert> dive in link 13:03 < nschembr> comcast will not bind the modems 13:03 < ikarius> nschembr: you *may* be able to use bonding on linux to bind devices at a higher level 13:08 < nschembr> ikarius I only have access to one side of the network I'm not bridging between two servers with static IP addresses. 13:09 < nschembr> If I have two NICs in the server can I have two default routes 13:09 < nschembr> one for each subnet 13:10 < ikarius> nschembr: you can, but routing generally will pick one and use it.
the various routing schemes generally don't do load-balancing, even if they see two routes 13:11 < reiffert> lartc.org 13:14 < nschembr> what about iptables. can Iptables see the source port and send the packet to modem A 13:24 < nschembr> reiffert I'm looking over the lartc.org info. I'm not sure what I should focus on.:) 13:26 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:26 < nschembr> thank you for your help, I'll keep digging. 13:30 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has quit ["leaving"] 13:31 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has joined ##openvpn 13:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:36 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has joined ##openvpn 13:42 < ecrist> heya, krzee 14:01 < krzee> hey 14:01 < krzee> im sitting in the Brazilian consulate 14:01 < krzee> waiting to apply for a visa 14:02 < krzee> this is gunna take FOREVER 14:02 < krzee> glad i brought the laptop in 14:03 -!- disco- [i=disco@discomb0bulated.com] has quit [Remote closed the connection] 14:05 -!- disco- [n=disco@discomb0bulated.com] has joined ##openvpn 14:09 -!- mndo [n=mndo@a83-132-150-111.cpe.netcabo.pt] has quit [Read error: 60 (Operation timed out)] 14:09 -!- disco- [n=disco@discomb0bulated.com] has quit [Remote closed the connection] 14:11 -!- disco- [i=manje@discomb0bulated.com] has joined ##openvpn 14:13 < ScribbleJ> That reminds me of the joke, headline says "Three Brazillian Soldiers Killed in Conflict" - GW Bush says, "Wow... three brazillion, that's a lot."
14:18 -!- disco- [i=manje@discomb0bulated.com] has quit [Remote closed the connection] 14:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:35 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 14:44 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn 14:44 -!- disco- is now known as disco 14:44 -!- disco is now known as disco- 14:50 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection] 14:51 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn 14:58 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection] 14:59 -!- disco- [n=disco@89.145.121.14] has joined ##openvpn 15:05 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn 15:06 < traceroute> Hi 15:12 < cb22> is it possible to specify the UDP port that the openvpn client receives responses on? 15:12 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has quit [Client Quit] 15:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 15:32 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 15:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:35 < ScribbleJ> cb22, lport, rport 15:39 < cb22> ScribbleJ, thanks 15:45 -!- disco- [n=disco@89.145.121.14] has quit [Remote closed the connection] 15:46 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 15:54 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 15:55 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 15:57 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 15:59 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 16:00 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 16:01 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 17:01 -!- mndo [n=mndo@a83-132-0-144.cpe.netcabo.pt]
has joined ##openvpn 17:49 -!- c64zottel [n=hans@p5B17AD32.dip0.t-ipconnect.de] has left ##openvpn [] 17:53 -!- nschembr is now known as nschembr-food 18:49 -!- mndo [n=mndo@a83-132-0-144.cpe.netcabo.pt] has quit [Read error: 110 (Connection timed out)] 19:39 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit [] 19:53 -!- nschembr-food is now known as nschembr 20:16 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 20:24 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 21:02 -!- nschembr [n=nschembr@c-71-58-111-133.hsd1.pa.comcast.net] has quit ["leaving"] 21:03 -!- Criggie [i=foobar@203-97-119-201.cable.telstraclear.net] has joined ##openvpn 21:03 < Criggie> Hi all - I'm speccing some firewalls for a custy... How much CPU do you reckon 300 simultaneous active openvpn sessions will use? 21:17 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 21:24 -!- ScribbleJ [n=sj@c-67-172-6-141.hsd1.il.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 21:24 -!- ScribbleJ [n=nsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn 21:34 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection] 21:36 < jpalmer> Criggie: depends on how much traffic is going over the link. if it's 300 idle connections, a p2 400 could handle it. 
21:47 < Criggie> jpalmer: yeah - 21:47 < Criggie> customers tend to lie^Wexaggerate requirements 21:47 < Criggie> I'm thinking a spanked up dual quad will be massive overkill 23:26 < Criggie> thanks jpalmer 23:26 -!- Criggie [i=foobar@203-97-119-201.cable.telstraclear.net] has left ##openvpn [] 23:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:33 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] --- Day changed Wed Feb 04 2009 00:19 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 00:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:32 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:49 < reiffert> moin 00:58 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 01:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 02:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:56 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:03 -!- ribasushi [n=rabbit@dslb-084-063-082-094.pools.arcor-ip.net] has joined ##openvpn 03:03 < ribasushi> hi 03:04 < ribasushi> the -crldays setting to openssl - will OpenVPN consult it at all? I just made a CRL and it says Next Update: Mar 6 09:05:03 2009 GMT 03:04 < ribasushi> will openvpn refuse to use this CRL after this day? 
03:04 -!- diazepam1 [n=trent@121.216.118.172] has joined ##openvpn 03:05 < diazepam1> hi all i have openvpn running but i am finding that it only accepts one user at a time - assigned the same ip address to every new user that logs in any suggestions 03:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:29 -!- diazepam1 [n=trent@121.216.118.172] has left ##openvpn [] 04:12 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 04:25 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 04:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 04:53 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"] 04:54 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 05:05 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn 05:15 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Remote closed the connection] 05:15 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 05:19 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection] 05:20 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:09 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 06:29 -!- cb22 [n=cb22@moinmoin/developer/federico] has quit [Read error: 104 (Connection reset by peer)] 06:29 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 06:31 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:32 < sigius> Is it possible to configure openvpn (temporarily) such that it skips authentication and accepts all incoming connections ? 06:46 < sigius> Is it possible to configure openvpn (temporarily) such that it skips authentication and accepts all incoming connections ? 
(sorry for repeating myself, was offline for a bit) 07:02 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Connection reset by peer] 07:24 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 07:40 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 08:01 -!- daktari90 [n=Forensic@p57B5F84F.dip.t-dialin.net] has joined ##openvpn 08:04 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 08:14 -!- daktari90 [n=Forensic@p57B5F84F.dip.t-dialin.net] has left ##openvpn ["Leaving."] 08:18 < ecrist> sigius: no 08:33 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:40 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 09:06 < sigius> Ok, thanks for clearing that up. Is it then possible to have the openvpn server disregard the period in which a key is valid ? 09:06 < sigius> and connect anyway 09:08 < ecrist> no 09:08 < ecrist> you can set the date on the server back, to allow authentication from expired certificates, I think. 09:10 < reiffert> and on the client in parallel. 09:11 < sigius> reiffert, how does it matter what the time on the client is ? 09:12 < reiffert> I think openssl will check this and compare(). 09:13 < sigius> reiffert, so if client has a key valid since 2009 and the client thinks its 1990 then ssl will be trying to set up a connection to the ovpn server ? 09:14 < sigius> Sorry, then ssl will NOT be trying to set up a connection to the ovpn server ? 09:14 < sigius> is what I meant to say 09:14 < reiffert> sigius: it will be trying but it might fail. 09:14 < ecrist> sigius: how about you tell us what you're trying to accomplish? 09:16 < sigius> Well, I have a remote client that is not connecting. From the server side I can see it trying but somehow the connection is not created. 09:16 < reiffert> Thats where logfiles help. 
09:16 < ecrist> ah, so, rather than fucking with all the other stuff, why don't you share those logs with us 09:16 < ecrist> perhaps we can tell you what *is* broken? 09:17 < sigius> just a sec. 09:17 < reiffert> !logs 09:17 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:19 < reiffert> oh and !configs 09:19 < reiffert> !configs 09:19 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:23 < sigius> My log (verb 4) is at http://pastebin.com/m37a3cf81 . Weird thing is that I just discovered that (3 hours late) it did successfully make a connection. 09:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:24 < sigius> Not sure what the difference is with earlier attempts (nothing changed on my side) !? 09:24 < reiffert> let me buy a crystal ball. 09:27 < reiffert> crystal balls are sold out ... 09:27 < sigius> reiffert, thats ok, I'll come back and bother you when its automagically broken again. 09:27 < sigius> im sure this will come back and haunt me but for now thanks, reiffert , ecrist 09:28 < reiffert> no logfile, no fix. 09:30 < sigius> reiffert, you did notice i pasted my logfile earlier ? http://pastebin.com/m37a3cf81 09:30 < reiffert> sigius: no. verbose level 6? 09:30 < reiffert> client log? 09:34 -!- cb22__ [n=cb22@dsl-245-160-54.telkomadsl.co.za] has joined ##openvpn 09:36 < sigius> reiffert, the one I posted is at level 4. I have an old log one at verb 9 , but no client log (as the client is a small embedded device that has no space to keep logs. Will that do? 09:37 < reiffert> the more the better. level 6 is enough. 09:38 < reiffert> What does the embedded device think about time, does it know the current time? How about storing the logfile on a remote filesystem like e.g. nfs?
09:46 < sigius> reiffert : http://pastebin.com/d52652100 line 2 lists the IP of the device trying to connect, all lines are related to this device (i.e. no other connections are logged in this particular sample) 09:48 < sigius> reiffert, right after boot it goes out on the internet and finds the time using ntp_client. One theory of mine was that this step fails and consequently the login fails. 09:49 < sigius> login--->connection to the openvpnserver 09:50 < sigius> reiffert, about log, log is only useful when connection fails (and nfs is unreachable) but maybe I should indeed consider a small rotating logfile 09:52 -!- cb22 [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 10:16 -!- cb22 [n=cb22@dsl-245-136-200.telkomadsl.co.za] has joined ##openvpn 10:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 10:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 10:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:34 -!- cb22__ [n=cb22@dsl-245-160-54.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 10:37 < sigius> reiffert, anything that jumps out from the log ? 10:46 -!- ikarius [n=ross@216.27.182.3] has quit [] 10:46 < ecrist> ew, NFS over vpn? 10:50 < reiffert> ecrist: nfs to get a logfile out of an embedded device. 10:51 < reiffert> sigius: please give us a log level 6 logfile of the openvpn server.
10:51 < reiffert> !logs 10:51 < vpnHelper> reiffert: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:53 -!- cb22 [n=cb22@dsl-245-136-200.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 10:55 < sigius> sorry I only have the level 9 pasted above ( http://pastebin.com/d52652100 ) . I can not reproduce the problem to create a level 6 currently 10:57 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn 10:57 < reiffert> sigius: I cant see a single line on log 9 that says: error or fail 11:04 < reiffert> or warn 11:05 < reiffert> sigius: I'd probably stop openvpn on the client, set the time to 1970, start the openvpn client and have it watch fail to connect. 11:08 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"] 11:14 < sigius> reiffert, good point, I checked and there isn't an error, fail or warn in the larger file either (of which I pastebinned an excerpt), weird. Your experiment makes a lot of sense but the problem is I can only connect to the client ... over ovpn. Anyway have to be off, thanks a lot for your help 11:14 < reiffert> no rs232? 11:15 < sigius> no, it really is remote i.e. somewhere else 11:15 < reiffert> badbadbad. 11:15 < reiffert> lemme know how the story continues. 11:15 < sigius> sure, eventually I'll get to the bottom of it. 11:16 < sigius> thanks again 11:16 < sigius> cya 11:24 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 11:25 < Kobaz> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=NY/L=New_York/O=org/CN=org_ca/emailAddress=admin@foo 11:25 < Kobaz> i keep getting that 11:25 < Kobaz> i've generated countless certificates for other systems and everything works fine 11:25 < Kobaz> now it's complaining it's self signed? 11:28 < ScribbleJ> Is it self-signed, or did you sign it with a ca like is proper?
11:29 -!- kyrix [n=ashley@93-82-12-202.adsl.highway.telekom.at] has joined ##openvpn 11:30 < Kobaz> it's been signed by a ca, that i created with build-ca in easy-tsa 11:31 < Kobaz> easy-rsa 11:31 < ScribbleJ> Well, that's about how I always do it too without a problem. 11:32 < Kobaz> yeap 11:32 < Kobaz> haven't had a problem until now 11:32 < Kobaz> i'm using a new easy-rsa 11:32 < ScribbleJ> Ah, I still use the old one 11:32 -!- ribasushi [n=rabbit@dslb-084-063-082-094.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)] 11:32 < Kobaz> i think the new one is broken 11:39 < Kobaz> yeah 11:39 < Kobaz> i regenerated the keys with easy-rsa 1.0 11:39 < Kobaz> and now everything works 11:39 < Kobaz> grrr 11:39 < Kobaz> wasted 2 hours on this pos 11:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:41 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn 11:51 < Kobaz> hmm 11:51 < Kobaz> so easy-rsa 2.0 does work 11:51 < Kobaz> you can't use the default CN it gives you for the CA cert 11:51 < Kobaz> otherwise openvpn will complain it's self signed 11:51 < Kobaz> even though it isn't 12:01 < reiffert> Kobaz: did you try to change the CN of the server cert? 12:03 < reiffert> Kobaz: please show us the exact place in the official howto where you did change foo to bar. Thanks. 12:03 -!- wonko [n=wonko@wiggum.4amlunch.net] has joined ##openvpn 12:04 < wonko> is there some sort of silly secret to running OpenVPN with OpenBSD as both tunnel endpoints that I'm completely unaware of? 12:04 < wonko> i've got this working between OpenBSD <-> Solaris and Windows <-> Linux 12:04 < wonko> but i can't make OpenBSD <-> OpenBSD work 12:04 -!- ashley_ [n=ashley@91-115-180-110.adsl.highway.telekom.at] has joined ##openvpn 12:04 < reiffert> wonko: a firewall. 
12:05 < wonko> the only firewall between the boxes is one way, the client can contact the server 12:06 < reiffert> wonko: "does not work" doesn't look like a good start here, try to track down the prob, thanks. 12:06 -!- kyrix [n=ashley@93-82-12-202.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 12:12 < ecrist> wonko, having seen your logs and configs the other day, I'm guessing firewall, as well. 12:15 < reiffert> ecrist: we should add the bot a user -> [ problem ] -> various notes table to be able to keep track of what's already done and what is not. 12:16 -!- ashley_ [n=ashley@91-115-180-110.adsl.highway.telekom.at] has quit ["Leaving"] 12:17 < Kobaz> reiffert: ? 12:18 < Kobaz> reiffert: i changed the CN of the CA cert to be empty, and now openvpn doesn't complain about self signed anymore 12:19 < ecrist> reiffert: aye 12:19 < ecrist> I don't control the bot, that's krzee 12:19 < ecrist> he locked me out of it, because I taught the bot to say krzee's mom was hot or something 12:19 < ecrist> :( 12:20 < ecrist> next time I see him, I'll bring it up. 12:20 < ecrist> if there isn't a module, I'll try to get one written for it. 12:21 < reiffert> ecrist: krzees mom is hot? 12:21 < reiffert> send pixx 12:21 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:21 < ecrist> I was assuming. Many moms are of the hot variety. 12:22 < ecrist> one nice thing about moms, you know they put out. ;) 12:22 < reiffert> :) 12:22 < reiffert> my dict's giving me 3.000 explanations for "to put out" ... 12:32 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:34 -!- aar0n is now known as aar0n-san 12:40 < wonko> ecrist: yeah, but which firewall? the one on the openbsd machines?
12:43 < wonko> ecrist: i removed all the routing stuff from the openvpn configs 12:43 < wonko> so it's just the bare vpn tunnel 12:43 < ecrist> ok 12:45 < wonko> i can still ping the remote end of the tunnel, but not the local end of the tunnel 12:46 < ecrist> have you used google to see if it's a bug in the openbsd networking stack? 12:46 < wonko> i've used google to search on openvpn and openbsd and haven't come up with anything that gives me any place to look 12:52 < wonko> do you see anything in this guy's server config file that might jump out at you for things i might want to look at? I don't want to just randomly start cramming options into the config 12:52 < wonko> http://daemonforums.org/showthread.php?t=527 12:57 < wonko> and i find no reason for this to not work 12:57 < wonko> bah 12:58 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:00 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:00 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)] 13:07 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:08 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 13:08 < ecrist> wonko: looking 13:09 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 13:12 < ecrist> wonko: I don't know. 
Only used openbsd once, and very briefly, since freebsd got pf shortly after 13:16 < wonko> well, if i pretend that OpenVPN works just right, put the routing rules back into the config and point boxes to the openbsd boxes as gateways it just works 13:16 < wonko> even though i don't understand why 13:16 < wonko> at this point, i don't really care 13:16 < wonko> ;) 13:19 < wonko> except that if I re-configure it to daemonize and restart things it doesn't actually work 13:19 < wonko> gah 13:25 < wonko> and this is what I see in the log on the server (but only when pinging from the network behind the client) 13:25 < wonko> Feb 4 14:28:42 sanrep-dbsi openvpn[25300]: dunkirk.scott.tju.edu/10.160.12.13:26886 MULTI: bad source address from client [172.30.1.204], packet dropped 13:25 < wonko> hmmm 13:26 < wonko> google says iroute 13:26 < wonko> but that's setup 13:26 < wonko> foo 13:26 < wonko> hmmm 13:27 < wonko> i bet i know what it is 13:27 < wonko> but, meeting time! 13:33 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:34 -!- protocols [n=protocol@ip-88-153-196-33.unitymediagroup.de] has joined ##openvpn 13:35 -!- rubydiamond is now known as intelligent 13:39 < wonko> ah ha! 13:39 < wonko> i was right! 13:40 < wonko> it had no idea where my ccd directory was 13:40 < wonko> i needed an absolute path in the config file 13:40 < wonko> and that was it the whole time 13:40 < wonko> grrrr 13:43 < reiffert> sounds like it was his firewall. 13:44 < ecrist> yep 13:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:47 -!- intelligent [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:51 < reiffert> krzee: I've heard that your mom looks very hot and is in bed with aliens? 13:54 < krzee> lol 13:54 < krzee> howd you know? 14:14 < ecrist> krzee, we're looking for a module for the bot so we can link certain users with their problem.
14:14 < ecrist> to track whether they've been helped or not 14:14 < ecrist> reiffert's idea 14:14 < krzee> ahh, like a ticketing system 14:14 < krzee> they have one in #freeswitch 14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 -!- kyrix [n=ashley@91-115-180-110.adsl.highway.telekom.at] has joined ##openvpn 14:38 < krzee> i dont know if supybot actually has that or not 14:38 < krzee> that might be a good idea for another bot, one that can post to some sort of administration website or something for example 14:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 15:18 < Kobaz> any idea why when in windows, i connect to a pptp vpn using the built in windows vpn connection, it will start blocking openvpn traffic 15:20 -!- dako1 [n=dako@16.192-64-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn 15:36 -!- dako [n=dako@193.93.114.245] has quit [Read error: 113 (No route to host)] 16:03 < wonko> is it possible to run openvpn without any cipher at all? 16:06 < Kobaz> i think so 16:08 < ScribbleJ> Kobaz, routing? Same destination networks? 16:19 < Kobaz> nope, networks completely different 16:19 < Kobaz> openvpn is 10.3.2.0 and pptp is 192.168.24.0 16:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 16:26 < ecrist> Kobaz: it's probably got to do with your routing tables 16:27 < ecrist> wonko: what do you mean by 'without any cipher at all?' 16:27 < wonko> plaintext, no encryption on the tunnel 16:27 < ecrist> no, it's not 16:27 < ecrist> if you're going to do that, run pptp 16:27 < wonko> ok, so the default blowfish is going to be my best performer then? 16:28 < ecrist> more than likely 16:28 < wonko> GRE 16:28 < wonko> can't use IPSEC or GRE 16:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:42 < skx> I am using routed openvpn to redirect traffic through a remote server. This server has multiple ip addresses, how to make it use only one for openvpn? 
I know how to change the listening address, what about other? 17:18 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)] 17:29 -!- ScribbleJ [n=nsj@c-67-172-6-141.hsd1.il.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:30 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn 17:45 < kyrix> listening address makes it only use that ip/port 17:53 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"] 18:00 -!- ikevin [n=kevin@ANancy-256-1-35-230.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 18:00 -!- ikevin [n=kevin@ANancy-256-1-30-107.w90-26.abo.wanadoo.fr] has joined ##openvpn 18:14 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 18:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 19:24 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit [] 19:45 -!- kyrix [n=ashley@91-115-180-110.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 19:50 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 20:19 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 20:26 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 20:45 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 21:26 -!- dako [n=dako@243.192-67-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn 21:27 -!- dako1 [n=dako@16.192-64-87.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)] 22:19 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 22:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:27 -!- protocols [n=protocol@ip-88-153-196-33.unitymediagroup.de] has quit ["Leaving"] 23:34 -!- ikevin 
[n=kevin@ANancy-256-1-30-107.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 23:35 < reiffert> http://www.youtube.com/watch?v=9isKnDiJNPk 23:35 < vpnHelper> Title: YouTube - Cloning passport card RFIDs in bulk for under $250 (at www.youtube.com) 23:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 23:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn --- Day changed Thu Feb 05 2009 00:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:06 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 01:06 < lolipop> I have problem setting up openvpn with ldap 01:13 -!- upb [i=cmpxchg@closet-core1.ge1-0s3.cust1000158.rev.prq.se] has joined ##openvpn 01:13 < upb> hi, i have a q, what could be wrong when the settings read from client config dir do not depend on the CN in client cert? 01:13 < upb> example http://rafb.net/p/76ts7f83.html 01:14 < vpnHelper> Title: Nopaste - No description (at rafb.net) 01:20 < upb> :( 02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:15 < upb> anyone alive ? 02:53 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:59 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn 02:59 < tjz> reporting in, sir!! 03:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:19 < upb> what could be wrong when the settings read from client config dir do not depend on the CN in client cert?
03:19 < upb> http://rafb.net/p/76ts7f83.html 03:19 < vpnHelper> Title: Nopaste - No description (at rafb.net) 03:59 -!- aar0n-san [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 04:08 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:13 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:14 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has joined ##openvpn 04:14 < jolelion> hello everybody 04:15 < jolelion> I'm trying to use the "up" options to update the resolv.conf on my debian , when I restart I get the following error : openvpn_execve: external program may not be called due to setting of --script-security level 04:16 < jolelion> what should I do ? 04:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 04:43 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)] 04:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:56 < jolelion> I found the options that enable the script "script-security 2 execve" but still my resolv.conf is not updated when I restart openvpn, any idea ? 05:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:28 < upb> jolelion: put some debug in the script 05:59 -!- RUS [n=Mirc@88.214.199.147] has joined ##openvpn 05:59 < RUS> hi everybody 06:01 < tjz> hi 06:04 < reiffert> jolelion: quote: < jolelion> I'm trying to use the "up" options to update the resolv.conf 06:04 < reiffert> jolelion: how? 06:05 < jolelion> in the client.conf : up /etc/openvpn/update-resolv-conf 06:06 < reiffert> please paste that script to pastebin.ca 06:07 < reiffert> upb: what is it you are trying to accomplish? 06:11 < reiffert> jolelion: whatever goes wrong, it's that /etc/openvpn/update-resolv-conf script which is doing bad.
06:18 < jolelion> I think yes 06:19 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn 06:42 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 07:14 < ecrist> good morning, fuckers 07:14 < ecrist> I laugh at you all as I'm on vacation for the next four days, and you need to go work. 07:14 < ecrist> muahahaha! 07:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:25 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 07:43 -!- TB-Master [n=toni@pD9505392.dip0.t-ipconnect.de] has joined ##openvpn 07:45 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 07:45 -!- eliasp [n=quassel@78.43.213.203] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 07:45 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has joined ##openvpn 07:48 -!- ikarius [n=ross@216.27.182.3] has quit [] 08:00 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 08:16 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:19 -!- jolelion [n=geoffroy@213-245-150-69.rev.numericable.fr] has quit ["leaving"] 08:21 -!- dako1 [n=dako@91.177.118.147] has joined ##openvpn 08:22 -!- dako [n=dako@243.192-67-87.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)] 08:24 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 08:33 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn 08:40 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:40 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 09:04 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn 09:10 < upb> reiffert: you still here _ 09:10 < upb> ? 
09:10 < upb> i'm trying to use per client configuration 09:10 < upb> using the 'ccd'/'client config dir' 09:11 < upb> but openvpn server doesnt take the CN from the client cert as the 'ccd' 09:11 < ecrist> yes it does 09:11 < ecrist> you might have things configured wrong 09:12 < ecrist> you need an option in your server config, client-config-dir, which defines a directory where client configs exist 09:12 < upb> what might be configured wrong ? 09:12 < upb> bash-3.1# grep client-config-dir /etc/openvpn/static.conf 09:12 < upb> client-config-dir /etc/openvpn/ccd 09:12 < ecrist> then, you need a file within that directory, named the same as the client CN in their certificate, with their vpn options 09:12 < ecrist> looks right 09:12 < ecrist> now, what's in there? 09:13 < upb> -rwx------ 1 openvpn openvpn 38 2009-02-05 09:16 /etc/openvpn/ccd/t43 09:13 < ecrist> ok, and is that user's CN in their certificate t43? 09:14 < upb> client side: 09:14 < upb> C:\Program Files\OpenVPN\config>openssl x509 -inform PEM -noout -text -in t43.crt 09:14 < upb> Certificate: 09:14 < upb> .... 09:14 < upb> Subject: CN=t43 09:14 -!- RUS [n=Mirc@88.214.199.147] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 09:14 < upb> server log: 09:15 < upb> http://rafb.net/p/oX4hBG17.html 09:15 < vpnHelper> Title: Nopaste - No description (at rafb.net) 09:17 < ecrist> I see a line, directly above that, for a different user, looks like the same IP 09:18 < upb> what do you mean above that 09:18 < upb> first line ? 09:18 < ecrist> aye 09:18 -!- bandini [n=bandini@host64-111-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 09:18 < upb> heh, thats the cert chain root 09:19 < upb> the first two lines are basically openssl's verify hook output or smth, standard stuff 09:19 < ecrist> can I see the entire connection log? 
09:19 < upb> but I'm wondering why the CN doesn't make it to the ccd line 09:19 < upb> ok sec 09:20 < upb> http://rafb.net/p/OEplKS24.html 09:20 < vpnHelper> Title: Nopaste - \nopenvpn stuff (at rafb.net) 09:23 < ecrist> it appears that there's something broken with the certificate 09:24 < ecrist> it's missing data 09:24 < ecrist> Thu Feb 5 17:22:21 2009 us=221194 217.159.232.50:1274 [] Peer Connection Initiated with 217.159.232.50:127 09:24 < upb> but which fields? 09:24 < ecrist> that line, the CN should be between the square brackets 09:25 < ecrist> your client certificates should have all the fields your server certificate does, C, ST, L, O 09:25 < upb> hmm ? 09:25 < ecrist> actually, with my setup, I've just got C, ST, and O 09:25 < upb> why's that 09:25 < ecrist> City, State, Organization, and I'm getting matches. 09:26 < ecrist> not sure, I haven't looked into the openvpn source. 09:26 < upb> if it is so, that's a really fucked up scheme because openvpn verifies it ok 09:26 < upb> but I'll try 09:26 < ecrist> it would appear that the openssl routines (the VERIFY OK part) are working, but openvpn's logic can't parse the CN without the other fields. 09:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:28 -!- bandini [n=bandini@host154-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 09:29 < ecrist> well, I'm out.
COD4 is calling me 09:30 < upb> OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/t43 09:30 < upb> and it is indeed so 09:30 < upb> thanks for the hint, i would not have thought of that, ever :D 09:30 < ecrist> np 09:32 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 09:33 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has quit [Read error: 60 (Operation timed out)] 09:35 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 09:39 -!- Tonik [n=tonik@89.208.9.66] has joined ##openvpn 09:51 < upb> bug found & fixed ;P 09:52 < upb> makes me a bit suspicious about the rest of the crypto code there tho :/ 10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:38 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 10:38 < xanthus> hi all 10:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:42 < xanthus> I have 4 vpns with 2 or 4 nodes each, all is working well. There is a thing I couldn't get to work: all the machines set the REMOTEHOST variable when connecting with telnet to the other nodes except the machines where Openvpn is running. In that case the REMOTEHOST variable is set with the hostname of the remote lan's router. Is there a fix for that? 10:43 < xanthus> Example: A -> B -> vpn <- C - D when A connects with C or D the REMOTEHOST is set to A, when B connects with C or D the REMOTEHOST is set to C 10:53 < reiffert> REMOTEHOST is set where exactly? bash environment after logging in? 10:53 < reiffert> logging in with telnet? 10:54 < xanthus> yep 10:54 < reiffert> sounds like you are doing double nat then. 10:54 < xanthus> is set by telnet after logging in 10:55 < xanthus> reiffert: how is that? 10:55 < reiffert> after logging in, when you enter the command 'who', what remote IP do you get, lan router? 10:55 < reiffert> xanthus: how is that? Man, my crystal ball is broken, I dont know *anything* about your topology!
10:57 < xanthus> sorry reiffert, I didn't mean it, I wanted to ask something like "Do you mean I am doing nat twice?" (I'm not a native English speaker) 10:58 < reiffert> xanthus: I have no clue if you *are doing* nat in both directions, but when your openvpn server *thinks that you are connecting from the lan gateway* it sounds like it. 10:58 < xanthus> the remote ip is the ip of the lan remote router 10:59 < tjz> bb guys 10:59 < tjz> love you all 11:00 < tjz> i am not gay 11:00 < tjz> lol 11:00 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."] 11:04 < T0aD> that was pretty gay 11:07 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn 11:10 < xanthus> thanks very much reiffert 11:10 < xanthus> it was the problem 11:26 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit ["Leaving"] 11:32 -!- kyrix [n=ashley@93-82-8-27.adsl.highway.telekom.at] has quit [Read error: 54 (Connection reset by peer)] 11:37 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 11:41 -!- Cisien [n=e@208.79.15.102] has joined ##openvpn 11:41 < Cisien> Does OpenVPN GUI work with windows 7 beta? 11:41 < reiffert> there was some bla bla on the mailinglists about that. check them. 11:43 < Cisien> not quite sure how to view the mailing lists without first being part of the mailing list. 11:45 < reiffert> start a browser, go to google and enter: openvpn mailing lists 11:45 < Cisien> ok 11:46 < reiffert> there are two of them, openvpn-users and openvpn-devel, you'd better check both. 11:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 11:55 < Cisien> i got it installed, it's just not connecting. I have the firewall disabled, and am using the latest windows binary release. Any ideas? 12:14 < Cisien> ok, maybe it's just really slow to connect - i let it sit, it connected, but didn't apply any routes - access denied, so i'm trying with admin privs now.
12:15 < Cisien> tls key negotiation failed to occur within 120 seconds 12:16 < Cisien> satellite link, sometimes it's just stupid slow :P 12:24 -!- Cisien [n=e@208.79.15.102] has quit [] 12:24 -!- Cisien [n=e@208.79.15.102] has joined ##openvpn 12:29 -!- Cisien [n=e@208.79.15.102] has quit [Client Quit] 12:29 -!- Cisien [n=e@vps.exoronet.net] has joined ##openvpn 12:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:30 < Cisien> it connected this time, however, it failed to set the IP address on the TAP interface, After I set the address manually, it worked. 12:34 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:43 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn [] 12:44 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:44 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 13:44 -!- Cisien [n=e@vps.exoronet.net] has quit [Read error: 60 (Operation timed out)] 13:51 -!- xattack [i=xattack@132.248.108.239] has quit [Remote closed the connection] 14:35 -!- kyrix [n=ashley@93-82-13-205.adsl.highway.telekom.at] has joined ##openvpn 15:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:23 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 15:24 < plaerzen> hello there 15:35 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 15:35 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 16:16 -!- kyrix [n=ashley@93-82-13-205.adsl.highway.telekom.at] has quit [Remote closed the connection] 16:27 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has joined ##openvpn 16:34 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn 16:49 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn 17:02 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn 17:13 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"] 17:19 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has left 
##openvpn ["http://getsatisfaction.com/boxee/topics/add_more_canadian_content"] 17:36 -!- qmr [n=user@208.119.128.251] has joined ##openvpn 17:36 < qmr> Hi hi 17:36 < qmr> I have absolutely no idea what I'm doing 17:36 < qmr> http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html Trying to follow that 17:36 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 17:37 < qmr> the server is debian linux, and the laptop I'm on is windows xp using openvpn gui 17:37 < qmr> I get message "Thu Feb 05 18:36:31 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE)" when I try to connect from windows 17:37 < qmr> my config files are pretty much what the example says to create .. 17:39 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 17:50 < qmr> anybody? 17:51 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn 17:53 < bneff> qm: what is the ip of your primary interface? 17:56 < qmr> bneff lolwut 17:56 < qmr> Primary interface? 17:56 < qmr> my LAN connection on the windows? 17:56 < bneff> yes 17:56 < qmr> 192.168.1.122 17:57 < bneff> what did you configure your server.conf with?? the ifconfig line? 17:57 < qmr> exactly like the link says 17:57 < bneff> ok 10.8 17:57 < qmr> ifconfig 10.8.0.1 10.8.0.2 18:00 < bneff> and you've tried turning off the firewall? 18:02 < qmr> Yes 18:02 < qmr> firewall is off 18:03 < qmr> Thu Feb 05 19:08:11 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use (WSAEADDRINUSE) 18:04 < bneff> on your windows box..if you do a netstat -a do you see something using port 1194?
18:05 < qmr> hm 18:05 < qmr> yes 18:05 < bneff> there's a starting point anyways 18:06 < bneff> either another instance of openvpn running or a diff app all together 18:06 < qmr> Shouldn't be any apps using it 18:06 < bneff> you can try adding the "nobind" option to client config ..openvpn will just pick a port to bind to 18:07 < qmr> zomg 18:07 < bneff> if you do netstat -aon it will print out the process id that is using it...then you can check the process in task manager 18:07 < qmr> YELLOW COMPUTERS 18:07 < qmr> BWUWAHHAHAHAHAHAHAHHAHA 18:09 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:10 < qmr> http://pastebin.ca/1328509 18:17 < qmr> woot ! 18:17 < qmr> I got it to work 18:17 < qmr> http://lifeboat.com/images/frankenstein.jpg 18:21 -!- Tonik [n=tonik@89.208.9.66] has quit [Read error: 110 (Connection timed out)] 18:28 -!- Tonik [n=tonik@89.208.9.87] has joined ##openvpn 18:46 -!- TB-Master [n=toni@pD9505392.dip0.t-ipconnect.de] has quit [Remote closed the connection] 18:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 19:02 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit [] 19:05 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 19:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 19:18 -!- Tonik [n=tonik@89.208.9.87] has quit [] 19:19 -!- qmr [n=user@208.119.128.251] has quit ["Leaving"] 19:55 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 20:09 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 20:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 21:20 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 22:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 22:03 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 22:10 < clustermagnet> guys, to speed up NFS performance over openvpn...
i think there are some mtu tags that can be specified... in openvpn.conf on the server 22:10 < clustermagnet> can someone suggest where i should look? :) 22:10 < clustermagnet> thanks 22:11 < clustermagnet> link-mtu 1456 22:11 < clustermagnet> mssfix 1412 22:11 < clustermagnet> is this correct? 22:17 < clustermagnet> yeh, its not helping :( 22:17 < clustermagnet> NFS performance is still quite slow over openvpn :( 22:17 < clustermagnet> it takes 30 seconds to list a large directory 22:18 < clustermagnet> :( 22:27 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 23:06 -!- Tonik [n=tonik@89.208.9.130] has joined ##openvpn 23:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 23:39 -!- justdave [n=dave@unaffiliated/justdave] has quit ["console received shutdown notice: kernel upgrade in progress"] 23:53 -!- Deiz [n=swh@unaffiliated/deiz] has joined ##openvpn 23:54 -!- clincher [n=clincher@pool-96-240-0-32.nwrknj.fios.verizon.net] has joined ##openvpn --- Day changed Fri Feb 06 2009 00:00 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 00:11 < Deiz> I'm utterly stumped; how do I route all my traffic (other than traffic to the OpenVPN server's IP) through the VPN? 00:11 < Deiz> Making tun0 the default with route and specifying one exception (for the server) results in nothing but communication with the server working.
00:12 -!- justdave [n=dave@unaffiliated/justdave] has quit ["Reconnecting"] 00:12 -!- justdave [n=dave@unaffiliated/justdave] has joined ##openvpn 00:15 -!- Tonik_ [n=tonik@89.208.26.215] has joined ##openvpn 00:15 -!- Tonik [n=tonik@89.208.9.130] has quit [Read error: 104 (Connection reset by peer)] 00:18 -!- krzie [n=k@unaffiliated/krzee] has joined ##openvpn 00:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:52 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 00:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 00:57 < upb> Deiz: then you're doing something very wrong 00:57 < upb> you need to set up source routing 00:58 < upb> because technically your host is multihomed (it doesn't matter that the other interface is a tun device) 01:02 -!- krzie [n=k@unaffiliated/krzee] has quit ["Leaving"] 01:33 < reiffert> moin 01:34 < reiffert> Deiz: --redirect-gateway def1 01:50 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:36 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn 02:50 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 113 (No route to host)] 02:57 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 02:58 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 03:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:36 -!- c64zottel [n=hans@p5B17B2F5.dip0.t-ipconnect.de] has joined ##openvpn 03:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit] 03:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 04:08 -!- worch_ [i=worch@battletoad.com] has quit [Read error: 60 (Operation timed out)] 04:08 -!- worch
[i=worch@battletoad.com] has joined ##openvpn 04:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:22 -!- c64zottel [n=hans@p5B17B2F5.dip0.t-ipconnect.de] has left ##openvpn [] 04:30 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:52 -!- aroedl [n=aroedl@brln-4db900a5.pool.einsundeins.de] has joined ##openvpn 04:53 -!- aroedl [n=aroedl@brln-4db900a5.pool.einsundeins.de] has left ##openvpn ["http://howflow.com/"] 04:56 -!- bogdan_ [n=bogdan@84.201.239.103] has joined ##openvpn 05:07 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 05:34 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 05:36 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn 05:44 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 05:59 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 05:59 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 06:00 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 06:13 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."] 06:20 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 06:41 -!- bogdan_ [n=bogdan@84.201.239.103] has quit [Read error: 60 (Operation timed out)] 07:16 -!- Gnutoo [n=gnutoo@host221-133-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 07:16 < Gnutoo> hello, I've this error: Fri Feb 6 14:19:48 2009 192.168.1.107:40839 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned what should I do? 
07:19 < ecrist> um, make a certificate 07:20 -!- yash [n=chatzill@123.237.86.142] has joined ##openvpn 07:21 < yash> hi, can anyone tell me if vpn using openvpn is better or vpn using stunnel is better, or am I just being a noob and both are the same? 07:22 < yash> anyone there??? 07:22 < Gnutoo> ecrist, I have one and it's valid 07:23 < Gnutoo> yash, don't know sorry 07:23 < yash> thanks gnutoo, at least someone responded :-) 07:24 < Gnutoo> I have these certs: ca.crt openvpn-asterisk-105.crt openvpn-asterisk-105.csr openvpn-asterisk-105.key sip.conf 07:25 < Gnutoo> maybe that's because of remote-cert-tls server 07:29 < Gnutoo> I found the reason... I removed the crl-verify /etc/openvpn/sip-keys/crl.pem line 07:39 < Gnutoo> why do I have Fri Feb 6 14:43:17 2009 us=799095 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.5 mtu 1500 instead of Fri Feb 6 14:43:17 2009 us=799095 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.1 mtu 1500 ? 07:46 < reiffert> yash: openvpn and stunnel are two totally different concepts. 07:46 < reiffert> yash: there is no "better". 07:47 < yash> reiffert: Thank you. Can one setup VPN using stunnel? 07:47 < yash> Can one setup a virtual private network (without SSL)? 07:47 < reiffert> yash: yes (but whatever that means). 07:47 < reiffert> yash: yes again. 07:48 < yash> can you please point me in the right direction? Google isn't that helpful :-) 07:48 < reiffert> no. 07:48 < yash> ok reiffert, thank you 07:49 < reiffert> sorry pal, my crystal ball is broken and I very much dislike getting pieces out of everybody's nose. 07:49 < reiffert> so either come up with an openvpn specific question or tell us what you want and wait for someone to reply. 07:52 < Gnutoo> reiffert, hello, I have the wrong pointopoint... how do I handle this?
07:53 < Gnutoo> reiffert, I have Fri Feb 6 14:57:10 2009 us=353763 /sbin/ifconfig tun1 10.0.0.6 pointopoint 10.0.0.5 mtu 1500 and I'd like to have 10.0.0.1 instead of 10.0.0.5 07:54 < Gnutoo> reiffert, I've also push "route-gateway 10.0.0.1" on the server 07:56 < reiffert> Gnutoo: read up the manpage, look for what the --server line expands to and have a look for --topology. 07:56 < Gnutoo> reiffert, ok thanks 08:00 < Gnutoo> reiffert, thanks a lot, I changed the topology to p2p and it magically worked!!! 08:08 -!- Gnutoo [n=gnutoo@host221-133-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 08:12 < ecrist> I hate people that don't give the entire log, and expect an answer 08:13 < ecrist> then, when they figure it out (with full logs available), they act like they're smarter/better than anyone else in here. 08:23 < c64zottel> that's called: information hiding, and a normal procedure in our sad world... 08:25 < reiffert> ecrist: pointing to someone in particular? 08:25 < ecrist> Gnutoo 08:25 < reiffert> well, those 3 lines I was reading from him sounded enough for me. 08:26 < ecrist> I was referring to his first CRL problem. 08:26 < ecrist> I told him the certificate didn't exist, which really *was* the answer, but I didn't know which certificate didn't exist. 08:28 < reiffert> Personally I dislike getting pieces of information from people. It makes me ask a lot of questions just to get another piece of the cake.
08:38 -!- yash [n=chatzill@123.237.86.142] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"] 08:59 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 09:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 09:20 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 09:25 -!- fralev [i=8d25217d@gateway/web/ajax/mibbit.com/x-915b3c4ee6a6a7c4] has joined ##openvpn 09:26 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 10:09 -!- fralev [i=8d25217d@gateway/web/ajax/mibbit.com/x-915b3c4ee6a6a7c4] has quit ["http://www.mibbit.com ajax IRC Client"] 10:10 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:37 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn 10:51 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 10:59 < plaerzen> g'morning irc 11:00 < krzee> wassup =] 11:00 < plaerzen> not much, just setting up a few users, messing around with some new HP metal. 11:01 < plaerzen> foosball in 25 minutes 11:01 < plaerzen> wassap with you? 11:08 -!- ikarius [n=ross@216.27.182.3] has quit [] 11:23 < krzee> visiting northern cali 11:23 < krzee> smokin bud and chillen =] 11:23 < Kobaz> rollin with the homies 11:32 < ecrist> aww 11:32 < ecrist> bring some bud up here, hang with me. 
11:33 < krzee> =/ im packed with places to go and i dont cross state lines with bud 11:34 < krzee> dont need to give them a reason to not let me go home 11:35 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has left ##openvpn [] 11:35 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 11:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:21 -!- dako [n=dako@91.177.118.147] has joined ##openvpn 12:21 -!- dako1 [n=dako@91.177.118.147] has quit [Read error: 113 (No route to host)] 12:25 < Deiz> Hrm 12:25 < Deiz> Got redirect-gateway def1 going, but I'm unsure of how to get the traffic onto the internet. 12:27 < Deiz> Server has two interfaces, eth0 and ppp0. The latter being the only one that's connected to the internet. 12:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 12:27 < Deiz> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ppp0 -j MASQUERADE seems to not work 12:28 < wonko> hmmm, my tunnel performance blows, great! 12:28 < upb> lol, is source in postrouting even allowed ?:PP 12:29 < reiffert> Deiz: netfilter.org 12:30 < reiffert> Deiz: documentation 12:30 < reiffert> Deiz: nat 12:30 < reiffert> Deiz: http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html 12:30 < vpnHelper> Title: Linux 2.4 NAT HOWTO (at netfilter.org) 12:30 < reiffert> Deiz: # 4.1 I just want masquerading! Help! 12:33 < Deiz> reiffert: Thanks a lot. 12:33 < Deiz> I was missing the last bit. 12:34 < plaerzen> krzee, sounds like relax. 
12:35 -!- clincher [n=clincher@pool-96-240-0-32.nwrknj.fios.verizon.net] has left ##openvpn ["Leaving"] 12:37 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has joined ##openvpn 12:41 -!- Federico2 [n=Fede@193.200.193.239] has quit ["Leaving"] 12:51 -!- dako [n=dako@91.177.118.147] has quit [Read error: 113 (No route to host)] 12:52 -!- GreenCult [n=greencul@200.48.85.18] has joined ##openvpn 13:20 -!- dako [n=dako@193.93.114.250] has joined ##openvpn 13:26 -!- dako1 [n=dako@193.93.114.250] has joined ##openvpn 13:26 -!- dako [n=dako@193.93.114.250] has quit [Read error: 104 (Connection reset by peer)] 13:40 -!- dako2 [n=dako@193.93.114.250] has joined ##openvpn 13:40 -!- dako1 [n=dako@193.93.114.250] has quit [Read error: 104 (Connection reset by peer)] 13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [No route to host] 15:04 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn 15:10 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has quit [Client Quit] 15:17 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 15:17 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 104 (Connection reset by peer)] 16:10 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:22 < Deiz> Hmm. 16:22 < Deiz> I have NAT, redirect-gateway1 working... Sometimes. 16:23 < Deiz> The server passes the proper things to the client's route, but for the duration of the idle timeout, ipv4 forwarding doesn't work 16:23 < Deiz> After it times out and re-establishes, forwarding works. 16:23 < Deiz> Seems to be 100% repeatable 16:24 < reiffert> what do you expect to happen instead? 16:24 < Deiz> I'd expect forwarding to work after the initial connection. 16:24 < Deiz> Why should it have to time out before it works? 16:25 < reiffert> allright, time to get some cleanup here. 
Explain your following statements: 16:25 < reiffert> duration of the idle timeout, 16:25 < reiffert> idle timeout 16:25 < reiffert> ipv4 forwarding: from where to where 16:25 < reiffert> show us your setup 16:25 < reiffert> re-establishes? 16:25 < reiffert> works? 16:25 < Deiz> Heh. 16:25 < reiffert> repeatable? 16:26 < reiffert> and last: 16:26 < reiffert> "it" from your last sentence. 16:26 < reiffert> and "initial connection" of course. 16:29 < Deiz> http://pastebin.ca/1329445 16:29 < Deiz> That's the output from the client. 16:29 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 16:30 < Deiz> I was only able to make use of ipv4 forwarding (from the client to the server, then NATed onto the internet) after the ping-restart at 17:25:41 16:30 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 16:32 < reiffert> check out the manpage, persist-tun 16:33 < reiffert> and/or adjust the restart timings. 16:38 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: upb 16:39 -!- Netsplit over, joins: upb 16:42 < Deiz> reiffert: But what causes this? 16:43 < Deiz> I have persist-tun and persist-key enabled in my conf 17:06 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn 18:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Read error: 60 (Operation timed out)] 18:34 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn 18:37 < sigius> Q: not really related to openvpn but maybe someone here knows: if I do a 'ssh target reboot' the target does reboot but subsequently the ssh connection hangs (sometimes). ssh only returns when the target comes back up again. How can I reboot AND have ssh return ?
(btw there is no screen on the target and also I prefer not to have to write a dedicated target side script for this) 18:43 < krzee> reboot & 18:43 < krzee> in single or double quotes prolly 18:44 -!- GreenCult [n=greencul@200.48.85.18] has quit [] 18:44 < sigius> i'll try that 18:47 -!- Tonik_ [n=tonik@89.208.26.215] has quit [] 18:47 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ 18:47 < vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com) 18:48 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ 18:48 * dvl figures this is good, but perhaps NSFW: http://www.youtube.com/watch?v=DtfMxL2VTJQ 18:48 < vpnHelper> Title: YouTube - Broadcast Yourself. (at www.youtube.com) 18:48 * dvl apologizes for the repeat 18:49 < krzee> haha 19:05 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has joined ##openvpn 19:05 < deibhaid> hello 19:06 < deibhaid> !configs 19:06 < vpnHelper> deibhaid: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:14 -!- MRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 19:14 -!- MRCUTEO is now known as mRCUTEO 19:14 < mRCUTEO> hiya all 19:15 < deibhaid> hello 19:15 < deibhaid> !route 19:15 < vpnHelper> deibhaid: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 19:17 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit] 19:29 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has quit ["This computer has gone to sleep"] 19:34 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Remote closed the connection] 19:37 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has joined ##openvpn 19:39 < jacktow> as i understand it, openvpn for windows requires the TAP driver to be 
installed and its service to be up. is there a way to remove this dependency? 19:49 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Remote closed the connection] 19:50 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 19:53 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 110 (Connection timed out)] 19:55 -!- ikarius [n=ross@71-6-95-123.static-ip.telepacific.net] has quit [] 19:58 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 19:58 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn 19:59 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 20:13 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Connection reset by peer] 20:14 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn 20:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:46 -!- ikarius [n=ross@216.27.182.3] has joined ##openvpn 20:56 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 21:45 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 22:43 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 22:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 22:48 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn 22:48 < Mood> is it possible to connect to a VPN inside a firewall? 22:48 < Mood> i need to test it, so i want to connect via openVPN from a LAN machine to the server. is that possible? 22:52 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 23:00 < ropetin> Mood: if you can access the VPN server I don't see why not. You mean you and the server are both on the same side of the firewall? 23:02 < Mood> ropetin: yes, my vpn server is running on machine1, my vpn client on machine 2, both on the inside of a firewall LAN. 
are there any special features or exceptions i need to be aware of? (e.g. ssh, ftp, http) 23:03 < ropetin> Nope, don't think so 23:03 < ropetin> Give it a go, if something doesn't work, let us know and we'll figure it out 23:04 < Mood> ropetin: :-) ok 23:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 23:19 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has quit ["Leaving."] 23:47 -!- Mood [n=Mood@unaffiliated/mood] has quit [Read error: 60 (Operation timed out)] 23:51 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn --- Day changed Sat Feb 07 2009 00:04 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 00:08 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn 00:08 < tjz> i have a question.. 00:10 < ropetin> OK... 00:14 < tjz> hehe 00:14 < tjz> i have sort it out 00:14 < tjz> :P 00:15 < lolipop> yo tjz 00:25 < tjz> hey 00:26 < tjz> actually trying to find you also :P 00:36 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn 00:37 < Mood> help! 00:37 < Mood> i tried installing openvpn, now my ubuntu fails to boot :-( gets stuck at Now Configuring Network Interfaces... 00:38 < ropetin> If you let it sit there for a couple of minutes does it eventually time out? 00:38 < ropetin> Or what happens if you try and change to a different TTY? Do you have a login prompt? 00:38 < Mood> i never get a login prompt. it fails ... i waited for about 15 minutes. that's not normal :-( 00:46 < ropetin> Nope. 
So try doing Ctrl+Alt+F1, F2, F3 etc to see if you can get a prompt 00:49 < Mood> i'm going to try cleaning out my /etc/init.d/ 00:57 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 01:11 -!- Mood [n=Mood@unaffiliated/mood] has quit ["Leaving"] 01:12 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 01:13 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 01:26 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn 01:48 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 01:51 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)] 01:54 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Excess Flood] 01:55 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 01:56 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 02:03 -!- Mood [n=Mood@unaffiliated/mood] has quit ["Leaving"] 02:12 -!- ikarius [n=ross@216.27.182.3] has left ##openvpn [] 02:16 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 02:49 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn 02:57 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 03:06 -!- dako2 [n=dako@193.93.114.250] has quit [Read error: 60 (Operation timed out)] 03:31 < reiffert> idiot. 03:33 < ropetin> Who? 03:38 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 03:42 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn 03:43 -!- julius [n=julius@p57B25432.dip.t-dialin.net] has joined ##openvpn 03:43 < julius> hello 03:45 < julius> hehe - problem solved 03:46 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn 03:47 < Mood> ropetin: still awake? 03:50 < ropetin> Yup! 
03:52 < Mood> ropetin: it was not a problem with openvpn
03:53 < Mood> ropetin: it was a problem with the way i configured /etc/network/interfaces
03:54 < ropetin> :D OK
03:54 < ropetin> That's good to know
03:54 < Mood> ropetin: uptime on my server was a week, but early on i had edited /etc/network/interfaces (long story). it was deceptive since it was essentially a broken interfaces file, but my services were already running in the bg despite /etc/init.d/networking restart
03:54 < ropetin> Ah hah!
03:55 < Mood> ropetin: so when i did a hard reboot, surprise, my system blew up and never booted
03:55 < Mood> ropetin: took a long a$$ while to isolate, first booting from live CD, mounting drives, chrooting, uninstalling openvpn, etc. etc etc ad nauseam
03:56 < ropetin> Well at least it was a learning experience
03:56 < julius> hehe
03:56 < Mood> ropetin: yeah i was almost about to pass a negative verdict on linux and reformat!!! :-s
03:56 < ropetin> Noooooooooooooo :D
03:57 < Mood> so, i will only install openvpn using a better writeup. the "official" one on ubuntu.com sucks b4llz
03:59 < ropetin> Go to the source, OpenVPN.net
04:00 < Mood> ropetin: good call
04:02 < reiffert> ropetin: Modd.
04:03 < ropetin> reiffert: OK....
04:03 < reiffert> Mood: next time boot by init=/bin/bash
04:03 < ropetin> :D
04:04 < Mood> reiffert: not sure how to do that
04:04 < reiffert> it's a kernel parameter. Your bootloader will call the kernel with that parameter.
04:04 < reiffert> So edit the bootloader startup line by editing it while in grub.
04:04 < reiffert> e for edit
04:04 < reiffert> select, edit, b for boot.
04:05 < Mood> reiffert: very convenient.
04:06 < reiffert> you end up at a prompt, your shell. you manually have to remount / writeable, but thats it.
04:06 < Mood> reiffert: so it'll just boot w/o any network settings or anything? kind of like 'safe mode' w/o any X? just a commandline?
04:06 < reiffert> mount -o remount,rw /
04:06 < reiffert> just plain shell.
04:06 < julius> Mood: kind of - but it's pretty easy to set up networking
04:07 < Mood> reiffert: cool
04:07 < julius> `dhclient eth0` should do the job :)
04:07 < Mood> julius: just /etc/init.d/networking restart i guess?
04:07 < Mood> julius: ahh, ok
04:07 < julius> that's even better - yes
04:07 < reiffert> julius: it's not *that* easy when your init script just hangs in the forest during startup and decides to stay there.
04:08 < julius> I meant setting it up when you've booted using init=/bin/bash
04:09 < reiffert> julius: it won't work.
04:09 < julius> without modules or why?
04:09 < reiffert> julius: recent linux distros come up with whatsoever automatism fuckoff like udev, hal and whatnot, so dhclient will not work.
04:09 < julius> oh - kay
04:11 < reiffert> udev is the first thing I remove after bootstrap.
04:11 < reiffert> and initrd. I hate both of em.
04:11 < julius> so you're booting directly or using initramfs?
04:13 < reiffert> I dont like loading kernel modules just for accessing my hardware. I compile a static kernel (even without any module if possible, the module loader routines are b0rked sometimes)
04:13 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
04:13 < reiffert> julius: so yes, booting a kernel that knows how to access the harddrive and its network card and so on
04:13 < julius> cool
04:13 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
04:14 < reiffert> julius: without an initial ramdisk that needs to load modules for that
04:14 * julius doesn't like modules very much either
04:18 < julius> but most of the time I'm using the kernel provided by the distribution's package management
04:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:44 < Mood> does openvpn work well w/ ubuntu?
04:45 < reiffert> y
04:47 < Mood> do you do bridging? or routing?
04:47 < julius> okay - accessing an openvpn server through a pfsense gateway is awesome :) 04:47 * julius does routing 04:47 < Mood> julius: what distro you running? 04:48 < reiffert> Mood: both 04:48 < julius> Mood: debian etch/stable on the server 04:48 < julius> pfsense uses freebsd afaik 04:48 < Mood> i don't need any special configuration for IPv4 if i want to use routing w/ ubuntu/debian? 04:49 < julius> do you want two hosts to be able to communicate? 04:50 < Mood> julius: erm.. i want several clients to communicate with a server... not sure about 'hosts' 04:51 < reiffert> Mood: look, redhat and suse do both use RPM as package manager. 04:51 < reiffert> Mood: do you think redhat and suse have anything in common? 04:51 < Mood> i only used redhat about 8 years ago on a 486 machine :-s 04:52 < Mood> so i wouldn't know 04:52 < Mood> i take it redhat and suse are quite different? 04:52 < reiffert> right. 04:53 < reiffert> So if using ubuntu, dont call it debian and vice versa. 04:53 < reiffert> They both use the same package manager, and THATS IT! 04:53 < Mood> heh, understood :-P 05:06 < Mood> are vpnc and pptp commercial products? like $? 05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:18 < reiffert> n 05:23 < reiffert> o 05:30 < Mood> ty 05:40 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)] 05:41 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has joined ##openvpn 05:50 < upb> haha 05:50 < upb> you can use pptp from-to linux also 05:50 < reiffert> y 06:00 < Mood> so when using vpn, it's recommended to choose LAN subnet IPs that are NOT 192.168.x.x? Egh. 06:00 < julius> 10.0.0.0/8 is way cooler :) 06:04 < upb> huh wtf P 06:04 < upb> why would you think that mood 06:09 < Mood> openvpn.net->Numbering private subnets->"For example..." 
http://openvpn.net/index.php/documentation/howto.html#numbering 06:09 < vpnHelper> Title: HOWTO (at openvpn.net) 06:10 < Mood> "The best solution is to avoid using 10.0.0.0/24 or 192.168.0.0/24 as private LAN network addresses. Instead, use something that has a lower probability of being used in a WiFi cafe, airport, or hotel where you might expect to connect from remotely." 06:10 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 06:10 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 06:34 < reiffert> Mood: 06:34 < reiffert> !howto 06:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:34 * Mood erms 06:47 -!- xanthus1 [n=marcelor@r190-134-34-214.dialup.adsl.anteldata.net.uy] has joined ##openvpn 06:55 -!- xanthus1 [n=marcelor@r190-134-34-214.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:18 -!- Sypher|NL [n=no@unaffiliated/syphernl/x-737232] has joined ##openvpn 07:19 < Sypher|NL> Hi folks, I've set up a VPN (tun) and I can connect to it. But I cannot get my gateway to work. I'd like to use the internet over my VPN tunnel instead of direct (security reasons).... At one point I got 10.8.0.5 as gateway but i am unable to ping it while i can ping 10.8.0.1 07:32 < reiffert> --redirect-gateway def1 07:32 < Sypher|NL> may I ask what the def1 is doing exactly? 07:33 < Sypher|NL> i had the push redirect-gateway in my server config, but without def1 07:33 < reiffert> !man 07:33 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 07:33 < reiffert> check it in the manpage. 
07:34 < Sypher|NL> i've been there 07:39 -!- Tonik [n=tonik@89.208.26.215] has joined ##openvpn 07:40 -!- Sypher|NL [n=no@unaffiliated/syphernl/x-737232] has quit [] 07:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:16 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 08:17 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)] 08:19 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:22 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 08:23 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has joined ##openvpn 08:23 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 08:34 -!- c64zottel [n=hans@p5B17A6B4.dip0.t-ipconnect.de] has left ##openvpn [] 08:46 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has quit [Read error: 104 (Connection reset by peer)] 08:51 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["This computer has gone to sleep"] 09:00 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 09:28 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has quit [Read error: 110 (Connection timed out)] 09:40 -!- Tonik_ [n=tonik@89.208.26.33] has joined ##openvpn 09:45 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 09:45 -!- Tonik [n=tonik@89.208.26.215] has quit [Read error: 113 (No route to host)] 10:06 < tjz> any idea having problem getting openvpn to work on vista? 10:06 < tjz> it still show the local isp even after connected.. 10:33 < Kobaz> it works on vista 10:34 < reiffert> tjz: "it still show the local isp" != helpful 10:38 -!- angryuser__ [n=gdobrovo@LPuteaux-151-42-35-99.w193-251.abo.wanadoo.fr] has joined ##openvpn 10:39 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has joined ##openvpn 10:41 < angryuser__> hello, can someone help me ? 
i am trying to build an openvpn package for centos 2.1 rc15 and the rpmbuild -tb gives me following error http://pastebin.ca/1329978 thank you for help
10:42 < tjz> reiffert, yea..
10:42 < tjz> did a traceroute to yahoo after connected
10:42 < tjz> his vista still show he is tracing from his ISP
10:45 < Kobaz> it depends how the server is set up
10:45 < Kobaz> if you aren't using redirect-gateway, then your regular internet traffic will route through your isp
11:14 < tjz> i am using redirect..
11:20 < tjz> good nite, guys
11:20 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["Spare me some sleep, please."]
12:18 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn
12:19 -!- Tonik_ [n=tonik@89.208.26.33] has quit [Read error: 104 (Connection reset by peer)]
12:29 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn
12:57 < deibhaid> !man
12:57 < vpnHelper> deibhaid: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:18 -!- julius [n=julius@p57B25432.dip.t-dialin.net] has quit ["Wirf mir mal das grosse Messer r"uber"]
13:26 < deibhaid> Hey everyone. I've been lurking here for a day or so and read the man and howto. I have set up a vpn from an openvz node that's part of a remote lan. Our client computers connect fine to the lan with our private ip's being 10.8.0.* initially we couldn't ping the vpn server, but upon adding push "route 10.0.2.0 255.255.255.0" that was rectified. the issue now is that we cannot ping outside of the vlan. tcpdump shows that packet
13:26 < deibhaid> s are being sent, but they never pass the vpn server to access other computers in the vpn server's private network.
13:47 < upb> outside the vlan?
13:48 < upb> what does a vlan have to do with this
13:48 < deibhaid> I am referring to the openvpn as a vln
13:48 < deibhaid> sorry I meant the vpn
13:49 < upb> do you have a device on the lan you could use for monitoring?
13:49 < upb> see whether the packets really get to the lan
13:50 < upb> and does tcpdump show packets being sent out of the lan interface?
13:50 < deibhaid> yeah I will show you. hold on one sec
13:52 < deibhaid> here is tcpdump showing two different ip's
13:52 < deibhaid> .141 is the vpn server
13:52 < deibhaid> and .140 is another computer in the vpn's lan
13:53 < deibhaid> 11:56:23.533493 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 7455, seq 52, length 64
13:53 < deibhaid> 11:56:28.131743 IP 10.8.0.6 > 10.0.2.241: ICMP echo request, id 8479, seq 0, length 64
13:53 < deibhaid> 11:56:28.179122 IP 10.0.2.241 > 10.8.0.6: ICMP echo reply, id 8479, seq 0, length 64
13:53 < deibhaid> 11:56:29.134768 IP 10.8.0.6 > 10.0.2.241: ICMP echo request, id 8479, seq 1, length 64
13:54 < deibhaid> sorry 240 and 241
13:54 < deibhaid> 240 just requests and receives no reply
13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 UDPv4 READ [125] from *.21.193.128:59743: P_DATA_V1 kid=0 DATA len=124
13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 TUN WRITE [84]
13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 TUN READ [84]
13:56 < deibhaid> Feb 7 23:00:42 beck openvpn[19645]: air/ *.21.193.128:59743 UDPv4 WRITE [125] to *.21.193.128:59743: P_DATA_V1 kid=0 DATA len=124
13:56 < deibhaid> that is for packets that go through to the vpn server
13:57 < deibhaid> with .241
13:58 < deibhaid> from /var/log/messages of the vpn server
13:58 < deibhaid> whether we have a device for monitoring or not, I am not sure about that. lemme check
14:03 < deibhaid> in addition to that we tried setting up routing tables
14:06 < deibhaid> and the vpn server's tcpdump is:
14:06 < deibhaid> 23:11:52.823928 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 19487, seq 18, length 64
14:06 < deibhaid> 23:11:53.823651 IP 10.8.0.6 > 10.0.2.240: ICMP echo request, id 19487, seq 19, length 64
14:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:47 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
14:54 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["Leaving"]
14:55 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has joined ##openvpn
15:00 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:08 -!- Mood [n=Mood@unaffiliated/mood] has quit [Read error: 110 (Connection timed out)]
15:55 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection]
15:57 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has joined ##openvpn
15:57 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn
16:00 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
16:26 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has quit ["Leaving."]
17:09 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn
17:09 < djc> has anyone tried to run openvpn on Android?
17:10 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has joined ##openvpn 17:21 -!- c64zottel [n=hans@62-12-248-160.pool.cyberlink.ch] has quit ["Leaving."] 17:47 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Remote closed the connection] 17:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 17:50 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 17:51 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has joined ##openvpn 18:54 < krzee> djc, main thing you'll need is tuntap drivers for it 19:27 -!- Tonik [n=tonik@89.208.26.103] has quit [] 20:09 < reiffert> moin 20:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:24 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn 20:52 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 20:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 20:56 -!- xanthus1 [n=marcelor@r190-64-186-172.dialup.adsl.anteldata.net.uy] has joined ##openvpn 20:56 -!- xanthus1 [n=marcelor@r190-64-186-172.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 21:08 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn 21:09 < JasonWoof> I'm only indirectly connected to my firewall/router (linux box). 
I'm running an openvpn server on the computer between me and the router, so I can connect to the router box through the tun0 openvpn device
21:09 < JasonWoof> so this computer, and my router are clients on the openvpn network
21:10 < JasonWoof> I'd like to route all my internet traffic through openvpn to my router (set it as my default route)
21:10 < JasonWoof> I tried this, and get no response
21:11 < JasonWoof> I carefully updated my iptables rules on the router to make sure it'll route for the openvpn network
21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
21:25 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 101 (Network is unreachable)]
21:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
22:07 -!- donavan [n=donavan@centos/slackers/donavan] has joined ##openvpn
22:16 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
22:18 < Phoenixfire159> Hi, I have three VPS servers on the same physical network (along with a number of other untrusted servers), I want to make sure all communication between my three VPS servers is encrypted, most services include some sort of SSL/TLS mode that does this automatically, but some things such as rsync and glusterfs don't support this
22:18 < Phoenixfire159> Is OpenVPN the right tool for this job?
22:18 < Phoenixfire159> I was thinking of setting up a VPN across all three machines
22:23 -!- donavan [n=donavan@centos/slackers/donavan] has quit [Read error: 54 (Connection reset by peer)]
22:33 -!- Tonik [n=tonik@89.208.26.103] has quit []
23:31 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-29af80bb53b5cf1a] has joined ##openvpn
23:32 < Natilous> reiffert: ping
23:33 < Natilous> reiffert: I want to limit users' bandwidth with OpenVPN. Is it possible ?
23:34 < Natilous> reiffert: If yes can you help me ?!
23:34 < Natilous> Any one can help me ? 23:39 -!- Natilous [i=d9dbf418@gateway/web/ajax/mibbit.com/x-29af80bb53b5cf1a] has quit ["http://www.mibbit.com ajax IRC Client"] 23:49 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out] 23:51 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 23:52 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 23:53 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 23:53 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] --- Day changed Sun Feb 08 2009 00:36 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has left ##openvpn [] 00:44 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has joined ##openvpn 01:09 -!- jfkw [n=jtk@cpe-24-59-60-35.twcny.res.rr.com] has quit [Remote closed the connection] 02:21 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has quit [Connection timed out] 02:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 02:38 -!- ikevin_ [n=kevin@ANancy-256-1-53-94.w90-26.abo.wanadoo.fr] has joined ##openvpn 02:48 -!- deibhaid [n=deib@c-24-21-193-128.hsd1.or.comcast.net] has quit ["Leaving"] 02:53 -!- ikevin [n=kevin@ANancy-256-1-32-201.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 03:10 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:18 -!- Kobaz [n=kobaz@its.kobaz.net] has quit [Remote closed the connection] 03:18 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 04:01 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 04:02 < upb> is there a openvpn trac somewhere? 04:02 < upb> erm i mean svn server 04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:34 < reiffert> upb: why? 
05:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:35 < upb> to check who changed a certain line
06:49 -!- Tonik [n=tonik@89.208.26.103] has joined ##openvpn
08:13 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has joined ##openvpn
08:15 -!- Tonik [n=tonik@89.208.26.103] has quit []
09:04 -!- invalder [n=invalder@85.17.224.166] has joined ##openvpn
09:04 < invalder> !route
09:04 < vpnHelper> invalder: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:30 < upb> reiffert: so?
09:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
09:38 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:44 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn
09:47 < JasonWoof> one of the clients on my vpn is set up with NAT/ip-forwarding on its real ethernet port. I'd like to access the internet through that client (set it as my default route (route add default gw foo)). [how] can I do this?
09:51 -!- invalder [n=invalder@85.17.224.166] has quit ["bb"]
09:53 < upb> by using ip route add default x.x.x.x
09:54 < upb> hmm but
09:54 < upb> you dont have direct connectivity to that ip
09:55 < upb> when you traceroute to that ip, does it show as first hop?
09:55 < upb> if yes you can do it by route add default x.x.x.x dev yourtunneldev
10:00 < JasonWoof> traceroute to the router (vpn) ip shows one hop
10:01 < JasonWoof> but when I set it to default, and traceroute anything on the internet I get nothing
10:01 < upb> no i mean the host you want to set as default gw
10:01 -!- tjz [n=tjz@bb121-7-26-199.singnet.com.sg] has quit ["bbl"]
10:01 < JasonWoof> the "router" is what I want to use as the default gw
10:01 < upb> hmm then i misunderstood your setup
10:02 < upb> 'one of the clients on my vpn is set up with NAT/ip-forwarding on its real ethernet port. '
10:02 < upb> and its connected to the vpn ?
10:02 < JasonWoof> router (vpn client) <-vpn-> intermediary (svn server) <-vpn-> laptop
10:03 < JasonWoof> laptop is on VPN, but has no direct internet
10:03 < JasonWoof> I want laptop to get internet through router
10:03 < JasonWoof> router is on the internet, and sharing via iptables/NAT
10:03 < upb> i see
10:03 < upb> s/svn/vpn/ right?
10:03 < JasonWoof> yes, sorry
10:03 < JasonWoof> tma: too many acronyms :)
10:03 < upb> hmm okay
10:04 < upb> and if you set the routers vpn ip as default gw on laptop, what happens ?
10:04 < JasonWoof> I haven't read up on bridging. right now I've got vpn set up in "routing" mode
10:04 < upb> yes thats right
10:04 < JasonWoof> nothing
10:04 < JasonWoof> I can still ping the routers vpn address, but don't get anything back from internet
10:04 < upb> what do you mean nothing, tcpdump on the vpn server
10:05 < upb> on the vpn interface
10:05 < JasonWoof> tracerouting internet IPs doesn't even show the routers vpn ip as a hop
10:05 < JasonWoof> damn, wish I thought of that. thanks. I'll play with tcpdump and report back
10:05 < upb> to see if the packets reach out of openvpn and into the kernel
10:05 < upb> yes
10:08 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has joined ##openvpn
10:10 < JasonWoof> ok, tcpdump on router of vpn device shows no activity when I try to access internet ip from laptop (tried ping and telnet)
10:10 < JasonWoof> trying traceroute
10:10 < JasonWoof> ...
10:10 < upb> oh i just remembered something
10:11 < upb> you cant do that
10:11 < JasonWoof> ok, traceroute on laptop to ip on the internet shows no activity in tcpdump (on router)
10:11 < upb> because openvpn has a list of cidr masks that are beyond each client
10:11 < upb> and i dont think you can configure openvpn so it thinks the entire internet 0.0.0.0/0 is beyond 'router'
10:11 < upb> otherwise it will drop the packets going from internet to 'laptop'
10:12 < JasonWoof> it's dropping packets from laptop to internet
10:12 < upb> and probably the other way too
10:12 < upb> :/
10:12 < JasonWoof> yeah, probably
10:12 < upb> but you can try to convince openvpn
10:12 < upb> sec
10:13 < upb> setup ccd so that 'router' has iroute 0.0.0.0 0.0.0.0
10:18 < JasonWoof> crap, out of time. Thank you so much for your help! I'll save what you said and come back to it later (hopefully later today)
10:18 < JasonWoof> have to read up on ccd
10:19 < JasonWoof> also it occurred to me that I might be able to get the vpn server to be on router, and connect to it through an ssh tunnel (ssh -L)
10:20 < JasonWoof> I saw in a sample config file for openvpn an easy way to get the vpn server to forward packets to the internet with the help of iptables
10:20 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
10:20 < JasonWoof> anyway, I better stop talking, gotta go
10:20 < eagle> hmm what could be wrong if im connected with openvpn client <--> server running openvpn, but i can only ping the server not the network? like 192.168.0.55 i can ping (which is the vpn server) but can't ping .1 thats the gw on the network for example
10:21 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has quit ["Leaving."]
10:21 < eagle> i dont think its anything wrong with the openvpn config, but could be fw problems or something =/
10:23 < diegoviola> hi, i'm new to openvpn, i need to set up a tunnel between me and my server, so that i can by-pass some sip blockage, how can i do this?
10:30 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
12:01 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has joined ##openvpn
12:01 < Dougy> ecrist: ping
12:02 < Dougy> http://www.ovpnforum.com/ | http://www.ovpnforum.com/wiki/index.php/Main_Page
12:02 < vpnHelper> Title: Secure Computing Networks (at www.ovpnforum.com)
12:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:04 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
12:10 -!- trifler [i=trifler@farva.bsnet.se] has left ##openvpn []
12:36 < reiffert> Hi
12:42 < Dougy> heya
12:47 -!- Mood [n=Mood@unaffiliated/mood] has joined ##openvpn
12:53 -!- bandini [n=bandini@host154-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
13:01 < skx> Hello, I have a server with multiple ip addresses, I would like to set up an openvpn server there acting as a proxy and provide users with an option to use four different addresses. What is the simplest solution here? Four instances of openvpn server each with different outgoing address? Communication between clients is not a priority.
13:45 -!- wonko [n=wonko@wiggum.4amlunch.net] has quit [Read error: 110 (Connection timed out)] 13:59 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 14:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 14:31 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has joined ##openvpn 14:34 -!- El_Presidente [i=Martin@p5798F4D7.dip.t-dialin.net] has joined ##openvpn 14:34 < El_Presidente> hello 14:35 < El_Presidente> some time ago i set up an openvpn server / client to surf over my home network 14:35 < El_Presidente> but im not very satisfied with the speed 14:35 < El_Presidente> i have 5mbit upstream on my site at home 14:35 < El_Presidente> but mostly i get just around 500kbit 14:36 < El_Presidente> http://pastebin.com/m5f6671d8 thats my server config 14:38 < El_Presidente> thats my client 14:38 < El_Presidente> http://pastebin.com/m66305de6 14:41 -!- traceroute [n=tracerou@200-40.5-85.cust.bluewin.ch] has left ##openvpn [] 14:49 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has joined ##openvpn 14:51 < reiffert> El_Presidente: get rid of the comp lzo. any reason using bridged tap0 setup and not routed tun? 14:51 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has quit [Read error: 54 (Connection reset by peer)] 14:52 < reiffert> El_Presidente: what about inbetween stuff like routers, anything doing QoS or similar? 14:55 -!- Nucular [i=Martin@p5798E717.dip.t-dialin.net] has joined ##openvpn 14:56 -!- El_Presidente [i=Martin@p5798F4D7.dip.t-dialin.net] has quit [Nick collision from services.] 14:56 -!- Nucular is now known as El_Presidente 15:02 < diegoviola> where is the openvpn config file? 15:02 < diegoviola> usually 15:03 < diegoviola> i'm new to it 15:03 < El_Presidente> reiffert, because i want to play games on it also 15:04 < El_Presidente> windows or linux? 
15:04 < El_Presidente> linux /etc/openvpn/
15:04 < diegoviola> linux
15:04 < diegoviola> it's empty
15:05 < El_Presidente> put your config there
15:05 < El_Presidente> xyz.conf
15:05 < El_Presidente> and it gets executed on boot
15:11 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:14 < El_Presidente> reiffert, i removed comp-lzo
15:14 < El_Presidente> no changes
15:16 < diegoviola> ok my tun0 device is up
16:04 < reiffert> El_Presidente: how are you measuring bandwidth?
16:05 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
16:05 < reiffert> El_Presidente: I'd advise using ftp or http. Please transfer a 1MB file by ftp/http and show us the result.
16:06 < reiffert> El_Presidente: then stop the openvpn tunnel and transfer the same file again between those two computers.
16:10 < El_Presidente> yes thats how i use it
16:10 < El_Presidente> i use ftp
16:10 < El_Presidente> without the tunnel i have about 4,5mbit
16:11 < El_Presidente> with the tunnel i have between 40kbit and 500kbit
16:11 < reiffert> come up with evidence.
16:12 < El_Presidente> what do you expect?
16:13 < reiffert> something wget puts out
16:13 < reiffert> !mtu
16:13 < vpnHelper> reiffert: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
16:13 < El_Presidente> i tested many settings
16:13 < El_Presidente> the mtu test gives strange results
16:13 < reiffert> ?
16:14 < El_Presidente> [22:08:48] y-chromosome: Sun Feb 08 22:07:34 2009 NOTE: Empirical MTU test completed [Tried,Actual] local
16:14 < El_Presidente> ->remote=[1573,1573] remote->local=[1573,1573]
16:14 < reiffert> Just for the fun of it ...
16:15 < reiffert> try setting http://help.expedient.com/broadband/mtu_ping_test.shtml
16:15 < vpnHelper> Title: MTU Ping Test (at help.expedient.com)
16:15 < reiffert> doh
16:15 < reiffert> try setting --tun-mtu 1500 --fragment 1300 --mssfix
16:15 < sigius> El_Presidente, did you try 'cipher none' ? If you don't need the encryption that might make a difference.
16:15 < El_Presidente> this helped nothing
16:16 < El_Presidente> i wouldn't have asked here if i had not tested that
16:16 < reiffert> El_Presidente: and please come up with some values a bandwidth measurement tool like wget puts out.
16:16 < El_Presidente> i used filezilla for measurement
16:16 < El_Presidente> and unfortunately i did not save the logs of it
16:17 < El_Presidente> it will take some time to do the tests again since i don't have a test person at the moment
16:18 < reiffert> what does it take for you, a http server with a file is enough for you?
16:18 < El_Presidente> i don't have a client that can use my tunnel ...
16:18 < El_Presidente> because he is afk
16:18 < El_Presidente> who needs it
16:18 < reiffert> I see.
16:19 < reiffert> I'd reask on the mailinglists meanwhile
16:21 -!- d0wn [n=nnscript@unaffiliated/d0wn] has joined ##openvpn
16:22 < reiffert> February 13th, UNIX Time Will Reach 1234567890
16:22 < El_Presidente> ;)
16:29 < d0wn> Which OpenVPN rpm should I choose for CentOS 4.7? http://dag.wieers.com/rpm/packages/openvpn/
16:29 < vpnHelper> Title: DAG: openvpn RPM packages for Red Hat, CentOS and Fedora (at dag.wieers.com)
16:30 < El_Presidente> isn't there a package in the centos repo?
16:31 < d0wn> No
16:31 < d0wn> I tried yum install openvpn, and there wasn't anything
16:37 < El_Presidente> i would use the RHEL 4 package
16:39 < reiffert> d0wn: "there wasnt anything" = no icon to click or no openvpn binary in /usr/sbin/?
16:41 < d0wn> reiffert: there was no openvpn package in the centos repo is what i meant 16:54 < ecrist> Dougy: pong 16:56 < Dougy> hey 16:56 < Dougy> ecrist 16:56 < Dougy> what happened to the forum 16:56 < ecrist> sup? 16:56 < ecrist> nothing, should still be there. 16:56 * ecrist looks 16:56 < Dougy> its gone 16:56 < Dougy> www.ovpnforum.com 16:56 < ecrist> oh, it's not gone, I changed the IP, and you've not been around to update it. 16:57 < Dougy> you have my email dood 16:57 < Dougy> lol 16:57 -!- Dougy [n=doug@64-18-159-195.ip.justedge.net] has quit [] 17:26 -!- kyrix [n=ashley@93-82-15-136.adsl.highway.telekom.at] has joined ##openvpn 17:36 -!- kyrix [n=ashley@93-82-15-136.adsl.highway.telekom.at] has quit ["Leaving"] 18:16 -!- El_Presidente [i=Martin@p5798E717.dip.t-dialin.net] has quit ["Verlassend"] 18:23 -!- d0wn [n=nnscript@unaffiliated/d0wn] has quit [Connection reset by peer] 18:23 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 18:34 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection] 18:34 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 18:35 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 18:42 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)] 18:45 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection] 18:45 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 18:55 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection] 18:55 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 18:56 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 19:03 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)] 19:04 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Read 
error: 60 (Operation timed out)] 20:06 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 20:16 -!- d0wn_ [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has quit [Remote closed the connection] 20:16 -!- d0wn [n=nnscript@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 20:51 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 20:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 21:11 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out] 21:24 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 21:50 < diegoviola> is there a way to connect to a L2TP tunnel on linux? 22:02 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn 22:17 -!- diegovio1a [n=diego@pool-71-180-154-80.tampfl.fios.verizon.net] has joined ##openvpn 22:30 -!- diegoviola [n=diego@adsl-135-112.click.com.py] has quit [Read error: 110 (Connection timed out)] 22:32 -!- diegovio1a is now known as diegoviola 23:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 23:58 -!- diegoviola [n=diego@pool-71-180-154-80.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)] 23:58 -!- diegovio1a [n=diego@adsl-135-112.click.com.py] has joined ##openvpn --- Day changed Mon Feb 09 2009 00:05 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn 00:05 < tjz> Hello~ 00:05 < tjz> where is jeff.. 
00:05 < tjz> never heard from him these days
00:14 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out]
00:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
02:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
02:21 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
02:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
03:22 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
03:27 -!- aar0n [n=aaron@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
03:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
03:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:06 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has joined ##openvpn
04:06 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)]
04:06 -!- vasco [n=vasco@83.145.69.198] has joined ##openvpn
04:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
04:07 < Sypher|NL> hi Guys, I've set up an OpenVPN tunnel and my client receives a gateway (10.8.0.5) but i'm unable to ping it, but I can ping 10.8.0.1 and all the other network nodes (i have a route in place)
04:07 < vasco> hello, i have an Internet provider router in front of a firewall with 2 branches, one to the lan and the other to the DMZ. We need to setup a vpn, where do i have to install the vpn routers? the lan?
04:22 < reiffert> Sypher|NL: check the manpage, especially --topology and what --server line expands to.
04:22 -!- vasco is now known as PrMoriarty 04:22 -!- PrMoriarty is now known as vasco 04:22 -!- vasco is now known as PrMoriarty 04:23 < reiffert> PrMoriarty: nickchanges enough now? 04:23 < reiffert> PrMoriarty: http://en.wikipedia.org/wiki/Demilitarized_zone_(computing) 04:23 < reiffert> PrMoriarty: 04:23 < reiffert> Services that belong in the DMZ 04:23 < reiffert> Generally, any service that is being provided to users in an external network should be placed in the DMZ. 04:25 < Sypher|NL> reiffert, i should switch from net30 to subnet? 04:27 < reiffert> Sypher|NL: whatever fits your needs. 04:27 < reiffert> Sypher|NL: you where asking "why is something like it is" and I gave you the place to read about the reasons. 04:33 -!- Sypher_ [n=Sypher@s5590f00b.adsl.wanadoo.nl] has joined ##openvpn 04:33 < Sypher_> reiffert, it sort of worked 04:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:35 < reiffert> krzee: . 04:36 < reiffert> krzee: u there? 04:37 -!- Sypher` [n=Sypher@145.89.206.88] has joined ##openvpn 04:37 -!- Sypher` [n=Sypher@145.89.206.88] has quit [Client Quit] 04:38 < reiffert> krzee: any idea what else to do here? http://pastebin.ca/1331501 04:52 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has quit [Read error: 110 (Connection timed out)] 04:54 -!- Sypher_ [n=Sypher@s5590f00b.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 05:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 05:04 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 05:17 < krzee> well 05:17 < krzee> he says he used filezilla for measurement 05:17 < krzee> that could mean he was measuring d/l speed from that site both times 05:18 < krzee> whereas he should be measuring xfer between the 2 endpoints with/without enc 05:20 < djc> krzee: (re porting to Android) well, it's just a Linux kernel 05:20 < djc> so that shouldn't be too hard, right? 
05:21 < krzee> theoretically
05:21 < krzee> iphone is just darwin on a ppc, but we still don't have tuntap for it
05:24 < reiffert> krzee: yeah, that is what I was going to ask as soon as he finds a client
05:24 < reiffert> krzee: but anything else that might help?
05:25 < krzee> !noenc
05:25 < vpnHelper> krzee: "noenc" is if you're going to disable encryption, you might as well build a GRE tunnel
05:25 < krzee> oops
05:25 < krzee> !man
05:25 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:26 < krzee> hrm
05:27 < krzee> cipher none like you said... but when I've heard of that being the issue it usually came with high cpu loads
05:27 < krzee> mtu looks like he's good there
05:28 < krzee> lzo best to keep on if he has the cpu to spare and no issues of running low on cpu
05:28 < krzee> lzo by default is in adaptive mode
05:28 < krzee> so it uses random samples of traffic to decide how efficient the compression is being, compresses more or less based on that
05:28 < reiffert> I was running into small delays using lzo, so I decided to disable it.
05:29 < reiffert> untypeable when working remote.
05:29 < krzee> interesting
05:30 < reiffert> well, however, let's assume his bandwidth results don't change .. what else might it be, QoS somewhere inbetween?
05:30 < reiffert> I'm losing characters the whole day, damnit!
05:31 < krzee> well
05:31 < krzee> assuming he is getting his #'s from direct connections from each endpoint
05:31 < krzee> and not speeds to some site
05:31 < krzee> no, not qos between
05:32 < reiffert> sure.
05:32 < reiffert> he's using port 15000 udp.
05:32 < krzee> oh
05:32 < krzee> hrm
05:32 < reiffert> next step is make him use port 53 udp
05:32 < krzee> could be filtered based on torrent traffic
05:32 < krzee> torrents use tcp tho... don't they
05:33 < krzee> ya 53 may be better
05:33 < reiffert> Thought both.
05:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:35 -!- ikevin_ [n=kevin@ANancy-256-1-53-94.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 06:39 < tjz> hi jeff =) 06:39 < tjz> nice to see you here again 06:39 < tjz> =) 06:39 < krzee> hey =] 06:40 < krzee> thx 06:40 < krzee> im on vacation in usa 06:40 < krzee> so not online much 06:40 < tjz> i thought so too... must be went for holiday 06:40 < tjz> :P 06:40 < tjz> haha 06:40 < tjz> =) 06:40 < tjz> how was your trip? 06:40 < krzee> its been fun 06:41 < krzee> good weed and white vagina 06:41 < krzee> lol 06:41 < tjz> omg 06:41 < tjz> nice 06:41 < tjz> :P 06:41 < tjz> ^_^ 06:42 < tjz> i will try visit usa one day 06:42 < tjz> =) 06:43 < krzee> =] 06:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has left ##openvpn [] 06:43 < krzee> hows your vpn been? 06:44 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 06:45 < tjz> doing quite good 06:45 < tjz> i manage to run multiple instances of vpn 06:45 < tjz> and apply snat iptables rules to route different lan 06:45 < tjz> =) 06:46 < krzee> nice 06:47 -!- vasco [n=vasco@83.145.69.198] has joined ##openvpn 06:47 < vasco> hello 06:48 < vasco> don t blame me, but i a really simple network (1 lan, 1dmz) how many network card needed for a openvpn server? 06:48 < vasco> *in a really* 06:51 < vasco> !route 06:51 < vpnHelper> vasco: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 06:52 < krzee> 1 nic 06:52 < reiffert> even 1 nic is too much to have a openvpn server. imagine virtual machines. however. 
06:53 < PrMoriarty> reiffert, lol ok 06:53 < krzee> haha tru 06:53 < PrMoriarty> krzee, thank you 06:53 < krzee> even a virtual nic is enough 06:53 < PrMoriarty> in fact it s the same problem 06:53 < PrMoriarty> buy a router vpn or build one with openvpn on linux box 06:54 < PrMoriarty> a network enginneer told me to put the vpn server on the lan... 06:54 < PrMoriarty> another told me to never did it and put it in the DMZ 06:56 < reiffert> I was quoting wikipedia. 06:56 < reiffert> public services => DMZ 06:57 < reiffert> PrMoriarty: it really depends on what you are trying to accomplish. 06:57 < reiffert> PrMoriarty: to keep all options open, I'd set it up on the router itself. 06:58 < reiffert> (Just to give you another idea) 07:04 < reiffert> PrMoriarty: did you allready decide wether you want routed or bridged? 07:10 < vasco> reiffert, routed for lan ressource 07:10 < reiffert> vasco: who are you? 07:11 < reiffert> ah, same IP. 07:11 < reiffert> vasco: for having broadcasts I'd go for a bridged setup. 07:12 < PrMoriarty> reiffert, ok i have to read more then for know what is the meaning of bridged setup 07:12 -!- vasco [n=vasco@83.145.69.198] has quit [] 07:12 < angryuser__> i have a basic question about values for each server, if i generate ca.crt with the "Organizational Unit Name (eg, section) []:IT" do i need all clients of that ca.crt to be in that organisation unit ? 07:12 < reiffert> vasco: do you control the central router? Because it will need additional static routes when using ( routed setup && (central router != openvpn server)) 07:13 < angryuser__> or i can specify different Unit name for each client ? 07:13 < PrMoriarty> reiffert, ok i understand more, the central router is the firewall for the moment 07:13 < reiffert> PrMoriarty: what kind of OS is running on the central router? 07:14 < PrMoriarty> reiffert, central routers is a firewall based on non free frimware i think, or a unix light version 07:14 < reiffert> which one? 
07:14 < PrMoriarty> reiffert, watchguard 07:14 < reiffert> allright, so we forget about installing openvpn onto that for now 07:14 < PrMoriarty> reiffert, and it s dosent have vpn option 07:15 < reiffert> can you add static routes to it?> 07:15 < PrMoriarty> reiffert, yes i can 07:15 < reiffert> then you might go with a routed setup. 07:16 < reiffert> what kind of services do you like to share with openvpn clients? 07:16 < krzee> [05:16] vasco: for having broadcasts I'd go for a bridged setup. 07:16 < krzee> broadcasts will work on routed setup over tap device 07:16 < PrMoriarty> reiffert, pop3, fileserver access 07:16 < reiffert> krzee: we all know how much fun it is with our sweet little friend from redmond, dont we? 07:16 < krzee> for allowing broadcast traffic without all layer2 stuff 07:16 < krzee> haha ya 07:16 < reiffert> PrMoriarty: mac os x clients? 07:17 < PrMoriarty> reiffert, windows 07:17 < reiffert> PrMoriarty: I'd probably use bridged setup, but it's harder to setup. 07:17 < krzee> windows filesharing? 07:18 < reiffert> PrMoriarty: cause you can browse in the network neighbourhood just like if you were plugged into the company network. 07:18 < krzee> as would using wins 07:18 < reiffert> krzee: theoretically: yes. 07:18 < reiffert> krzee: practically: it's a mess. 07:19 < reiffert> PrMoriarty: openvpn server OS? 07:19 < PrMoriarty> reiffert, debian 07:19 < PrMoriarty> reiffert, i mean linux 2.6 07:19 < reiffert> OS is linux, distributor is debian, but good. 07:20 < reiffert> I'd start with a routed setup and when clients == happy stop 07:20 < reiffert> if happy!=clients 07:20 < reiffert> bridged++; 07:20 < PrMoriarty> lol 07:20 < PrMoriarty> but 07:20 < reiffert> !howto 07:20 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:20 < reiffert> just do everything like the howto does. 07:20 < PrMoriarty> if i buy a routers vpn it will works with routed setup no? 
07:20 < reiffert> and you get finished within the hour. 07:21 < reiffert> "Buy a routers vpn" == ? 07:23 < PrMoriarty> reiffert, for example this one http://www.compufirst.com/catalogue/catProductForm.asp?mscssid={78523E45-C3BC-4CE8-9A1E-376B6CEDAC0D}&displayHeader=no&isPopup=y&idProduct=2005761 07:23 < vpnHelper> Title: Routeurs Cisco Solutions Filaires RV082-EU (at www.compufirst.com) 07:25 < reiffert> PrMoriarty: cisco routers = no openvpn 07:25 < reiffert> means: openvpn does not run on cisco routers 07:25 < reiffert> means: you can install openvpn on a dedicated machin in your network, just like you can do now. 07:26 < reiffert> RV082: 07:26 < reiffert> IPSec VPN Tunnel, 07:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 07:30 < PrMoriarty> reiffert, thank you for your help going to install an openvpn right now 07:30 < PrMoriarty> may be latter 07:30 < reiffert> PrMoriarty: !howto 07:31 < reiffert> !howto 07:31 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:32 < reiffert> PrMoriarty: debian etch or debian lenny? 07:33 < reiffert> PrMoriarty: I'd recommend debian/lenny. Got a recent version of openvpn. 07:34 < PrMoriarty> reiffert,lenny of course 07:35 < PrMoriarty> reiffert, for the brigged setup it s 1 nic right? 07:35 < reiffert> yes. 07:35 < reiffert> tap (virtual adapter that openvpn creates) 07:35 < PrMoriarty> reiffert, not same meaning of brigged nic 07:35 < reiffert> eth0 (the NIC) 07:35 < reiffert> bound together as 07:35 < reiffert> br0 07:35 < reiffert> the bridge interface 07:35 < PrMoriarty> reiffert, ok 07:35 < reiffert> carrying the IP address of the former eth0 07:35 < reiffert> howto. 
07:39 -!- ikevin [n=kevin@ANancy-256-1-117-17.w90-33.abo.wanadoo.fr] has joined ##openvpn 07:43 -!- ikevin_ [n=kevin@ANancy-256-1-83-247.w90-26.abo.wanadoo.fr] has joined ##openvpn 07:51 < ecrist> morning, folks 07:52 < krzee> mornin 07:53 < reiffert> moin 07:55 < tjz> morning, bastard 07:55 < tjz> lol 07:56 -!- ikevin [n=kevin@ANancy-256-1-117-17.w90-33.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 07:58 < tjz> just kidding 07:58 < tjz> :) 08:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:32 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn 08:32 -!- d0wn [n=nnscript@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)] 08:42 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer] 08:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:06 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has joined ##openvpn 09:06 < jolelion> hello 09:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:09 < ecrist> howdy 09:09 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has joined ##openvpn 09:09 < jolelion> I have a problem with the up script "update-resolv-conf", when I use it at home I have both the dns server of the VPN and from my provider in resolv.conf, but when I use it at work I have only the VPN DNS server, howo fix that? 09:10 < JasonWoof> ok, I've got openvpn server running on my linux-router(nat) box, and I'm using "push default-route" to get my internet access through it, which is awesome 09:11 < JasonWoof> I'd like help getting a port forwarded to my openvpn client. 
I set this up on iptables on the router (the computer running openvpn server), but I think openvpn is blocking it 09:12 < jolelion> for information, at work I have put a router which declare itself as a dns server in the dhcp options 09:12 < JasonWoof> also when I run traceroute on the router, telling it to trace to the openvpn ip for my computer (a client on the openvpn network) It shows one hop, but with the !X flag, which according to the manual means "administratively prohibited" 09:12 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"] 09:15 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 09:17 < ecrist> jolelion: I have no idea how to fix your problem. 09:20 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"] 09:22 -!- [intra]lanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:37 < jolelion> ecrist: thanks anyway 09:37 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has quit ["leaving"] 09:45 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection] 09:52 < ecrist> JasonWoof: sounds like your firewall is restricting ICMP packets 09:53 < JasonWoof> ecrist: a firewall in openvpn? or the one I have in the kernel/iptables? 09:56 < ecrist> there is no firewall 'in' openvpn. 09:57 < ecrist> I'm referring to the kernel/iptables one. 10:00 < JasonWoof> hmmm.... don't think so, because all my iptables rules have "prot = all" except the rule to forward port xxxx to my vpn client ip 10:00 < JasonWoof> but I'm just guessing... 10:01 < ecrist> 'administratively prohibited' means the packets are being rejected. 10:03 < JasonWoof> k 10:04 < JasonWoof> but the traceroute worked... 
it gave the hop time
10:04 < JasonWoof> I'm confused
10:04 < JasonWoof> maybe you can help me with something else, which might actually be the problem
10:04 < JasonWoof> when I connect openvpn (both on my laptop, and on the router/openvpn-server) I get routes I don't like
10:05 < JasonWoof> when I type "route" I get some weird setup where there's a fake odd-numbered gateway in the openvpn ip range
10:05 < JasonWoof> I don't know why that is there, and I can't "route del" it
10:06 < JasonWoof> to get internet through my openvpn server I have to add my own routes, like:
10:06 < JasonWoof> route add -host 10.8.0.1 dev tun0
10:06 < JasonWoof> route add default gw 10.8.0.1 dev tun0
10:07 < JasonWoof> this works, so it seems to me that I can directly access 10.8.0.1, and I don't need the silly "gateway" address of 10.8.0.5, though I can't seem to get rid of .5
10:08 < JasonWoof> on my router (the openvpn server) there is very similar weirdness
10:09 < JasonWoof> I can delete one of the routes that appears when openvpn is started up, but not the one that says there's a gateway for the "local" vpn network. And I can add a route to go directly to my openvpn client ip for my laptop, without using a gateway, and that route works (I can ping, ssh, etc)
10:09 < JasonWoof> the only things that don't work are forwarding packets from my external ethernet into openvpn, and traceroute has that funny "!X"
10:13 < ecrist> JasonWoof: that's needed.
10:13 < ecrist> it's not fake, or weird,
10:13 < JasonWoof> what's it needed for?
10:13 < ecrist> it may be unfamiliar to you, but it's got to do with how openvpn deals with PPTP tunnels
10:13 < ecrist> !/30
10:13 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
10:13 < JasonWoof> I seem to be able to connect just fine when I route add around it
10:14 < ecrist> read that link for more information
10:14 < JasonWoof> thanks
10:16 < JasonWoof> still seems weird to me... but now I understand, and can turn it off
10:17 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:35 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 60 (Operation timed out)]
10:38 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn
10:39 < tjz> Good nite, guys~
10:41 < ecrist> l8r
10:49 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
10:56 < tjz> sorry
10:56 < tjz> i will be gone now
10:56 < tjz> :P
10:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:59 < tjz> going off
10:59 < tjz> good nite
11:00 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit ["bbl"]
11:02 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [Connection timed out]
11:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:12 < JasonWoof> I figured out the reason why my port forwarding wasn't working: my client had some iptables filters (thanks again fedora...
grrr) which if I read them correctly say that it only accepts incoming connections for ssh 11:15 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 110 (Connection timed out)] 11:23 -!- angryuser__ [n=gdobrovo@LPuteaux-151-42-35-99.w193-251.abo.wanadoo.fr] has quit ["Ex-Chat"] 11:26 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection] 11:32 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has joined ##openvpn 11:34 < deibhaid> Good Morning. Does anyone have experience routing from an (openvz node + openvpn server) to other computers on the lan? 11:42 < PrMoriarty> how can i get the binary server-bridge? 11:43 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 11:43 < PrMoriarty> i am on a debian system i installed openvpn but couldn t find the binary server-bridge....? 11:47 < ecrist> PrMoriarty: not sure what you're looking for. 11:49 < PrMoriarty> ecrist, making a bridge 11:49 < PrMoriarty> ecrist, follow the tutorial i want to use the bridged method 11:49 < ecrist> right, you just need the openvpn binary, and a shell script which bridges your tap0 and ethernet interfaces 11:50 < ecrist> I think there's a copy of a shell script within the source for openvpn, but not certain 11:51 < PrMoriarty> ecrist, how many times for setup a standard vpn server ? 11:51 < PrMoriarty> ecrist, i mean your record? 11:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 11:52 < ecrist> more than once 11:55 < PrMoriarty> think everybody has his skills 11:56 < PrMoriarty> openvpn looks like strange machine a little afraid by this service 11:57 < ecrist> PrMoriarty: I don't understand you. 12:00 < deibhaid> sorry about the pm. 
ecrist 12:01 -!- PrMoriarty [n=vasco@83.145.69.198] has left ##openvpn [] 12:35 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:36 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit] 12:37 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:49 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn 12:49 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn [] 12:57 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has joined ##openvpn 13:04 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 13:31 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:58 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 13:59 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit] 13:59 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 14:12 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: eagle, upb 14:12 -!- Netsplit over, joins: eagle, upb 14:18 -!- meturaf [i=meshuga@lenin.ww88.org] has joined ##openvpn 14:29 -!- meshuga [i=meshuga@lenin.ww88.org] has quit [Read error: 110 (Connection timed out)] 14:37 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: int, deibhaid, undertakingyou, Phoenixfire159, plaerzen, clustermagnet, ikevin_, disposable, penrod[1] 14:38 -!- Netsplit over, joins: Phoenixfire159, plaerzen, deibhaid, ikevin_, undertakingyou, penrod[1], clustermagnet, int, disposable 14:41 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection] 14:42 -!- disposable [i=disposab@blackhole.sk] has quit [Remote closed the connection] 14:42 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 14:51 -!- diegovio1a [n=diego@adsl-135-112.click.com.py] has quit ["leaving"] 14:52 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has quit [] 14:52 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has 
joined ##openvpn 15:05 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: int, deibhaid, undertakingyou, plaerzen, clustermagnet, ikevin_, penrod[1] 15:06 -!- Netsplit over, joins: plaerzen, deibhaid, ikevin_, undertakingyou, penrod[1], clustermagnet, int 15:22 < plaerzen> what was that? 15:25 < plaerzen> ah 15:31 -!- deibhaid [n=deib@75-175-125-225.ptld.qwest.net] has quit ["Leaving"] 16:10 -!- Phoenixfire159 [n=Phoenixf@c-71-199-107-166.hsd1.pa.comcast.net] has left ##openvpn [] 16:22 -!- JasonWoof [n=jasonwoo@unaffiliated/herkamire] has left ##openvpn [] 16:51 -!- Mood [n=Mood@unaffiliated/mood] has left ##openvpn ["Leaving"] 17:15 -!- dblick [n=blick@freiburg.gs.washington.edu] has joined ##openvpn 17:18 < dblick> Is there any reason I need iptables -A INPUT -i tun+ -J ACCEPT in my iptables config on an OpenVPN server, unless I _want_ to give every computer on the VPN access to every port on the server? 17:30 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 17:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:47 < dvl> Here we go, unemployement again. 17:49 < dblick> dvl, what industry are you in? 17:50 < dvl> Good question. 
http://www.freebsddiary.org/dan_langille.php
17:50 < vpnHelper> Title: Resume of Dan Langille (at www.freebsddiary.org)
18:11 -!- dblick [n=blick@freiburg.gs.washington.edu] has quit ["leaving"]
19:48 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn
19:48 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit [Remote closed the connection]
19:49 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has joined ##openvpn
19:53 < tjz> Hello guys
19:53 < tjz> Good morning
19:53 < tjz> =)
20:12 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
20:13 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:28 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
21:25 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
22:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:27 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:32 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn
23:33 < dan__t> 'morning.
23:33 < dan__t> !route
23:33 < vpnHelper> dan__t: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:35 < tjz> I am getting this error on the client side:
23:35 < tjz> Mon Feb 09 23:58:45 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
23:35 < tjz> Mon Feb 09 23:58:45 2009 TLS Error: TLS handshake failed
23:35 < tjz> what does it mean?
23:35 < dan__t> Same thing for me heh
23:35 < tjz> oh??
23:35 < tjz> lol
23:35 < dan__t> from what I understand, an issue with connectivity between the client and the server.
23:35 < dan__t> As to what exactly, I'm not yet sure.
23:35 < tjz> when i connect from another computer, it works.
=) 23:35 < tjz> something is wrong with this computer 23:36 < dan__t> Yea... I've had the exact same setup working in the past. 23:43 < tjz> what system are you using (the one having problem) ? 23:44 < dan__t> Fedora, talking to a CentOS machine, openvpn 2.1.0.29 on both 23:44 < dan__t> Don't think that matters though. 23:45 < dan__t> I do, however, suspect this router. 23:49 < dan__t> Bingo. 23:57 < tjz> cool 23:57 < tjz> i will try that --- Day changed Tue Feb 10 2009 00:02 < dan__t> Using TCP over UDP 00:02 < dan__t> What kind of router? 00:03 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"] 00:04 < tjz> did you switch to tcp to fix the problem? 00:05 < dan__t> yeah. 00:05 < dan__t> I read once something about Linksys routers butchering it. 00:05 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 00:05 < tjz> hmm 00:05 < tjz> ok.. 00:06 < tjz> so weird 00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:09 < dan__t> what kind of router? 00:10 < tjz> hmm 00:10 < tjz> linksys too 00:10 < tjz> lol 00:14 < dan__t> ok, works fine now. 00:16 < dan__t> Awesome. 00:16 < tjz> using tcp? 00:17 < dan__t> Yeah. 00:17 < dan__t> I just got the routing working... needed ip forwarding and some POSTROUTING NAT rules on the server. 00:17 < dan__t> Appears that NetworkManager doesn't like my settings, either. 00:19 < tjz> hmm 00:20 < tjz> isn't that server end issue? 00:20 < dan__t> What? 00:25 < tjz> nvm 00:25 < tjz> :P 00:38 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 00:39 < tjz> openvpn doesn't work in a school network? 00:40 < tjz> it is showing the same IP for my friend in school.. 00:40 < dan__t> Which IP would that be? 00:40 < dan__t> And why wouldn't it? 00:42 < tjz> his school's network.. 00:43 < tjz> it is still showing his school ip 00:43 < dan__t> In what context? 00:43 < dan__t> from whatismyip.com, from his ethernet adapter, what? 
00:46 < tjz> quite hard to explain...
00:46 < tjz> it is a school network.. :(
00:47 < dan__t> no its not. i just asked two possible places
00:47 < dan__t> Its not like OpenVPN is going to magically change your IP.
00:49 < tjz> he is using windows vista 64 bit..
00:51 < dan__t> So?
00:51 < dan__t> *where* is it showing his school IP?
00:55 < tjz> whatismyip
01:00 < dan__t> Read up on redirect-gateway
01:09 < tjz> i have that configure on the server side..
01:12 < dan__t> Did you restart openvpn?
01:19 < lolipop> Hello, i'm using openvpn 2.09 with auth-ldap 2.0.3, when i try to connect from client with this command: ./openvpn --config openvpn.vong --auth-user-pass , my openvpn server will die with this error msg: libraries/liblber/encode.c:288: ber_put_ostring: Assertion `str != ((void *)0)' failed
01:53 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:24 < reiffert> lolipop: sounds like an auth ldap issue. do they have a mailinglist?
02:35 < lolipop> i just create an issue on their site
03:55 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:54 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
06:11 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
06:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:32 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
06:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:17 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
07:29 < ecrist> I'm in a bad mood today.
07:30 < reiffert> get a fuck then
07:36 < ecrist> yeah, someone uploaded a spam-sending script to my webserver.
07:36 < ecrist> haven't figured out how they got it on the system yet, but will figure it out soon.
07:38 < reiffert> last week I was investigating such a thing on a friends rootserver. They were uploading some irc bouncers. I was joining the irc channels they were sitting in and blaming the guys there :)
07:41 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:44 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn
07:45 < vincas> Did 2.1 change the virtual address in the openvpn-status to look something like a mac address? What is that 6 bytes ? I can't arpping it from my bridge host, and I don't see what IPs clients currently have.
07:52 -!- Some_ux [n=chatzill@bzq-79-176-50-148.red.bezeqint.net] has joined ##openvpn
07:52 < Some_ux> hi
07:52 < Some_ux> I don't even know hjow to explain my problem :)
07:52 < Some_ux> how
07:53 < Some_ux> ok, I'll try: I have linux box running VMmware and openVPN server
07:53 < Some_ux> I am able to establish a connection to the openVPN server
07:54 < Some_ux> but, I can't reach the virtual machines on that server
07:54 < Some_ux> I know it's routing issue
07:55 < Some_ux> probably the packets don't know how to route back to the exterior interface
07:55 < Some_ux> which in my case is ppp0
07:55 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
07:57 < Some_ux> Oh, the openVPN server is also the router
07:57 < Some_ux> which i rigged to uber paranoid firewall
07:57 < Some_ux> So i can't even run pings to figure what went wrong
07:59 < Some_ux> hmm, though, in theory, since openVPN is tunneled, it should not effect pings
08:03 < tjz> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
08:03 < tjz> what does this mean on the client side?
08:03 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:09 < Some_ux> ugh, nested tunneling + vmware = routing headache
08:11 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:17 < Some_ux> should i firewall tun0 packets ?
08:18 < reiffert> Some_ux: should you?
08:18 < Some_ux> I don't know, Is tun0 trusted ?
08:18 < Some_ux> on the vpn server side
08:18 < reiffert> Some_ux: openvpn cares about who can connect and who cannot.
08:19 < Some_ux> I need to understand what tun0 is
08:19 < reiffert> tun0 is a device.
08:20 < Some_ux> does this device listen on all available interfaces ?
08:20 < reiffert> packets run through it.
08:20 < vincas> Some_ux: it is an interface
08:20 < reiffert> Some_ux: tun0 __IS__ an interface.
08:20 < Some_ux> who connects to this interface ?
08:21 < reiffert> Some_ux: noone.
08:21 < Some_ux> then why does it exist ?
08:21 < reiffert> well. when openvpn clients talk to your server over the tunnel, they get to tun0.
08:22 < Some_ux> So can i assume tun0 is secure ?
08:23 < reiffert> Depends on the rest of your setup.
08:27 < Some_ux> well, the openvpn server is a router, it connects via dialup. the ppp0 interface is firewalled, but set to allow openvpn traffic
08:27 < Some_ux> does that make tun0 secure ?
08:28 < reiffert> no.
08:30 < reiffert> In normal situations customers or clients run openvpn clients and you never know whats running on their computers.
08:30 < Some_ux> I assume all clients are reliable
08:31 < Some_ux> them being me and all
08:31 < Some_ux> :P
08:31 < reiffert> better shoot yourself then.
08:38 < Some_ux> ugh, I made ipchains. now i can't find heads and tails in them
08:42 < reiffert> ancient kernel dude.
08:43 < Some_ux> i mean iptable chains
08:43 < cpm> ipchains?
08:44 < Some_ux> well you can create use chains
08:44 < Some_ux> user
08:44 < Some_ux> like iptables -N my_silly_tcpchain
09:06 < Some_ux> If I have a router with two interfaces (eth0 and ppp0), can i treat the tun0 device, as tough it was another internal "eth0" device ?
09:11 < ecrist> Some_ux: yes
09:12 < Some_ux> if i understand correctly, the tun0 device is as though, by some magical means i have another network device on my machine which plugs directly to machines on the remote network ?
09:14 < Some_ux> following this rationale, the same firewall rules which apply on the real physical internal interface of the router, should apply on the tun0 device (that is assuming the remote network is trusted)
09:18 < ecrist> Some_ux: we're not here to help you decide network policy
09:19 < Some_ux> my questions are purely functional, that is, understanding the operation of the tun0 device in openvpn
09:21 < ecrist> Some_ux: it's not that difficult to understand
09:22 < ecrist> it's a virtual interface used to route VPN packets
09:22 < ecrist> man tun
09:22 < ecrist> not specific to OpenVPN
09:22 < Some_ux> no man page for tun
09:22 < Some_ux> :P
09:23 < Some_ux> but i think i got it
09:31 < reiffert> dude, it's the endpoint of the vpn on your side.
09:32 < reiffert> just like ppp0 is the endpoint of your provider on your side
09:32 < reiffert> or just like eth0 is the endpoint of your LAN on your side.
09:34 < Some_ux> My concern was whether this interface is behind ppp0
09:35 < Some_ux> but clearly it is the tunnel endpoint
09:35 < Some_ux> hence the name tun
09:35 < Some_ux> since it is the tunnel endpoint, it must be behind the tunnel provider (in this case ppp0)
09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:41 < reiffert> Some_ux: it is on your computer. just like ppp0 and eth0 are.
09:43 -!- undertakingyou [n=will@undertakingyou.dsl.xmission.com] has quit [Remote closed the connection]
10:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
10:05 < Some_ux> thanks
10:05 -!- Some_ux [n=chatzill@bzq-79-176-50-148.red.bezeqint.net] has quit ["ChatZilla 0.9.83 [Firefox 3.0.1/2008070208]"]
--- Log closed Tue Feb 10 10:11:31 2009
--- Log opened Tue Feb 10 10:40:48 2009
10:40 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
10:40 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal]
10:40 -!- Irssi: Join to ##openvpn was synced in 0 secs
10:46 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
10:54 < reiffert> ecrist:
10:54 < reiffert> 17:31 < diegoviola> is there a way to configure openvpn without certs, but with user/pass instead?
10:54 < reiffert> 17:34 < reiffert> diegoviola: yep.
10:54 < reiffert> ecrist: is that right?
10:54 < reiffert> 17:35 < reiffert> diegoviola: but dont have any encryption then.
11:06 < plaerzen> hi
11:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:19 -!- tjz [n=tjz@bb121-7-64-245.singnet.com.sg] has quit ["bbl"]
11:21 < ecrist> reiffert: I believe so.
11:49 < dan__t> Hello.
11:49 < dan__t> So I've got a handful of subnets which I don't want going through OpenVPN. I've never been fantastic with routing. Should these routes be told to the client, by the server, to not be included in the VPN?
12:03 < upb> hum, no ?
12:03 < upb> the client should have routes to those networks
12:03 < upb> how else would they work without the vpn being connected
12:07 -!- teratoma [n=teratoma@i.dont.get.mad.i.get.stabby.net] has joined ##openvpn
12:07 < teratoma> my openvpn clients immediately disconnect when i define a client-connect script on the server
12:07 < teratoma> my client-connect script is "exit 0"
12:07 < teratoma> any ideas?
12:10 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:12 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
12:13 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:18 < ecrist> teratoma: you should be able to figure that out.
12:21 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
12:22 -!- bneff [n=bneff@12.44.178.253] has quit [Client Quit]
12:23 -!- bneff [n=bneff@12.44.178.253] has joined ##openvpn
12:26 < reiffert> dan__t: think about clients setting routes manually.
12:26 < teratoma> ecrist: i tried! any ideas ?
12:26 < reiffert> dan__t: after that they can reach those subnets you dont want to be accessible.
12:27 < reiffert> dan__t: so what comes in mind is firewalling to prevent that.
12:28 < reiffert> teratoma: anything else other than "exit 0"?
12:28 < teratoma> reiffert: entire contents of script is "exit 0"
12:28 < reiffert> teratoma: how about #!/bin/bash
12:28 < reiffert> and how about making that script chmod a+x
12:31 < teratoma> reiffert: i did. http://pastebin.com/m709e1775
13:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:07 < reiffert> teratoma: do you think AUTH: Received AUTH_FAILED control message
13:07 < reiffert> teratoma: is relevant?
13:09 < teratoma> reiffert: probably. when I do not have the client-connect in my server.conf , it works fine. do you see my confusion ?
13:10 < reiffert> teratoma: yeah
13:10 < reiffert> increase the verb level to 6
13:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:18 < teratoma> setting script-security 2 fixed it
13:19 < reiffert> !script-security
13:19 < vpnHelper> reiffert: Error: "script-security" is not a valid command.
13:19 < reiffert> !learn script-security as may be relevant when using --client-connect and various other scripts
13:19 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < reiffert> ![learn] script-security as may be relevant when using --client-connect and various other scripts
13:19 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:19 < reiffert> !die
13:19 < vpnHelper> reiffert: Error: "die" is not a valid command.
13:20 < reiffert> !part
13:20 < vpnHelper> reiffert: Error: You don't have the admin capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:20 < reiffert> !leave
13:20 < vpnHelper> reiffert: Error: "leave" is not a valid command.
13:20 < reiffert> !whoami
13:20 < vpnHelper> reiffert: I don't recognize you.
13:20 < reiffert> !w
13:20 < vpnHelper> reiffert: Error: "w" is not a valid command.
13:24 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: diegoviola, teratoma, roentgen, eagle, upb
13:24 -!- Netsplit over, joins: roentgen, diegoviola, eagle, upb
13:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:47 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
14:02 -!- xattack [i=xattack@132.248.108.239] has quit []
14:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
14:05 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
14:06 < fbond> Does --username-as-common-name, work with --client-config-dir (if username is foo, does the config file foo get used)?
14:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:32 < reiffert> fbond: how about you just try it out?
14:33 < fbond> reiffert: I was hoping someone might know already and save me the time.
14:35 < reiffert> creating a new cert: 1 minute, trying it out: 1 minute
14:35 < reiffert> time wasted on ##openvpn: 3 minutes.
14:37 < reiffert> skip the time for creating a new cert. use an existing one.
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:42 < fbond> reiffert: That's assuming I have a server set up that I can play with.
14:42 < fbond> reiffert: I'd also have to figure out how to write an auth script.
14:42 < fbond> reiffert: We're talking about more than a few minutes here.
14:45 < reiffert> fbond: If I answer your initial question with "yes", will you setup a server to play with?
14:45 < reiffert> and if I answer with "no", will you believe me and write an authentication scheme without trying it out for yourself?
14:49 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn
14:49 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
14:50 < logiclrd> I have a couple of machines at a remote location connecting in to a VPN that get disconnected if I transfer too much data through the VPN
14:50 < fbond> reiffert: I wouldn't use --auth-user-pass-verify if --uername-as-common-name doesn't select a client configuration file.
14:50 < fbond> Anyway, I've looked at the source and I think it would probably work.
14:50 < logiclrd> it's most apparent with a VNC connection -- if I do things that result in a lot of data transfer, like displaying a JPEG image on the remote end and letting VNC send it, more often than not, it doesn't make it to the end of the image
14:50 < logiclrd> my initial instinct was to blame VNC, but when this happens, the OpenVPN link has actually gone down -- I can't ping the remote host for a few minutes
14:51 < fbond> logiclrd: Are you using TCP or UDP?
14:51 < logiclrd> fbond: TCP
14:51 < fbond> logiclrd: Try UDP.
14:51 < logiclrd> okay -- can you explain why?
14:52 < fbond> logiclrd: http://sites.inka.de/~W1011/devel/tcp-tcp.html
14:52 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
14:52 < logiclrd> thanks :-)
14:52 < fbond> logiclrd: I've been told by folks that know more about OpenVPN than I do that using TCP is bound to lead to problems.
14:52 < fbond> logiclrd: No problem.
14:54 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has joined ##openvpn
15:01 < Evilliksass> I am trying to configure openvpn to work with a shared key however it is telling me that the key "does not appear to be valid" what exactly does openvpn look for in a shared key?
15:05 < Evilliksass> nevermind I got it
15:24 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
15:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
15:41 < logiclrd> fbond -- hmm, it didn't fix it :-( it just happened again, using UDP this time
15:41 < logiclrd> I think I'll keep it on UDP, though; seems a lot snappier somehow :-)
15:45 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
15:48 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
15:48 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
16:27 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has joined ##openvpn
16:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:43 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 110 (Connection timed out)]
16:44 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
16:45 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
16:55 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
16:55 -!- diegoviola [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has joined ##openvpn
17:19 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn
17:19 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:40 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn
17:40 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
17:49 -!- intralanman is now known as [intra]lanman
17:52 -!- munga [n=munga@81.194.35.9] has quit [Read error: 110 (Connection timed out)]
18:26 < vincas> can anyone tell me what the mac-address-like things are in openvpn-status.log that are there instead of the client IPs ? I'm not sure if it's like this because I'm using 2.1 or if it's because I have a bridge set up
18:27 < dan__t> So I've got a handful of subnets which I don't want going through OpenVPN. I've never been fantastic with routing. Should these routes be told to the client, by the server, to not be included in the VPN? How does that work?
18:51 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has joined ##openvpn
19:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
19:44 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out]
19:48 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn
19:48 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:53 -!- diegovio1a [n=diego@adsl-140-108.click.com.py] has joined ##openvpn
19:53 -!- diegoviola [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
19:54 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has quit [Read error: 104 (Connection reset by peer)]
19:54 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has joined ##openvpn
19:54 < hackel> Can anyone point me to a good (current) guide for setting up a simple VPN link to a linux server to secure a wifi connection? I can get a link up, but no nat and I just keep pulling my hair out over this...
19:54 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
19:54 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
19:59 -!- diegovio1a [n=diego@adsl-140-108.click.com.py] has quit [Remote closed the connection]
20:00 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn
20:06 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
20:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:18 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit ["Reconnecting"]
20:19 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn
20:19 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn
20:30 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection]
20:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:02 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
21:19 -!- wayner [n=wayner@202.6.120.43] has joined ##openvpn
21:20 -!- wayner [n=wayner@202.6.120.43] has quit [Read error: 54 (Connection reset by peer)]
21:29 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
23:03 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: upb, lolipop
23:03 -!- Netsplit over, joins: lolipop, upb
23:19 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:33 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
23:33 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has joined ##openvpn
23:35 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 104 (Connection reset by peer)]
23:37 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has joined ##openvpn
23:41 -!- diegovio1a [n=diego@pool-96-228-248-100.tampfl.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
23:43 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
23:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
--- Day changed Wed Feb 11 2009
00:07 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
00:20 -!- diegoviola [n=diego@adsl-140-108.click.com.py] has quit [Read error: 110 (Connection timed out)]
00:21 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has joined ##openvpn
00:21 < ScribbleJ> !route
00:21 < vpnHelper> ScribbleJ: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
00:47 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
00:54 < ScribbleJ> Nice having that in the topic.
00:54 < ScribbleJ> I guess it colved my problem.
00:55 < ScribbleJ> solved.
01:10 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- int [n=quassel@wikia/int] has joined ##openvpn
02:04 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
02:05 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
02:18 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
02:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:21 < reiffert> hackel: 4.1 nat howto netfilter.org "Help! I just want masquerading"
02:50 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Read error: 60 (Operation timed out)]
02:54 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)]
02:54 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
03:03 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
03:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn
03:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Client Quit]
03:05 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
03:07 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has joined ##openvpn
03:24 -!- int [n=quassel@wikia/int] has quit [Read error: 110 (Connection timed out)]
03:26 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
03:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
03:44 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
03:52 -!- int [n=quassel@wikia/int] has joined ##openvpn
03:58 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
04:00 -!- int [n=quassel@wikia/int] has joined ##openvpn
04:00 -!- int [n=quassel@wikia/int] has quit [Client Quit]
04:00 -!- lionel [n=lionel@ip-185.net-89-3-221.rev.numericable.fr] has joined ##openvpn
04:00 -!- int [n=quassel@wikia/int] has joined ##openvpn
04:00 < lionel> Hi all
04:01 < lionel> I'm trying to connect a net behind an OpenVPN client
04:01 < lionel> I did not want to mask the network behind the client. So I needed to add the route for the client on the vpn server
04:01 < lionel> and I'm getting an error:
04:01 < lionel> ip r a 192.168.92.0/24 via 10.5.0.185 dev tun0
04:01 < lionel> RTNETLINK answers: No such process
04:10 -!- c64zottel [n=hans@p5B17B42C.dip0.t-ipconnect.de] has joined ##openvpn
04:12 -!- c64zottel [n=hans@p5B17B42C.dip0.t-ipconnect.de] has left ##openvpn []
04:17 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
04:21 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:22 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:30 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"]
04:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:37 -!- ykut_johny [n=ykut_joh@mitsa.org.my] has quit [Remote closed the connection]
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)]
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
05:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
05:14 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 60 (Operation timed out)]
06:27 -!- c64zottel [n=hans@141.37.33.125] has joined ##openvpn
06:28 -!- c64zottel [n=hans@141.37.33.125] has left ##openvpn []
06:42 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has joined ##openvpn
06:42 < jolelion> hello
06:46 < jolelion> I would like to build user's certificates in a program that do some others things, so in the batch mode and not in the interact mode, does anyone as some examples?
06:51 < hackel> reiffert, thanks, but unfortunately that was the *first* thing I tried. Something else isn't working.
06:56 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:01 < ecrist> jolelion: what do you mean?
07:06 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit []
07:09 < jolelion> ecrist: I would like to write a script that create the certificates for a user and in the same time write the ccd file associated to the user and some others things
07:10 < jolelion> so I need to be able to create the certificates in batch mode
07:10 -!- nexxer [n=nex@unaffiliated/nexxer] has joined ##openvpn
07:13 < nexxer> hello, will a machine in 2.1 with proto tcp-client be able to connect to one with 2.1 in proto tcp-server?
07:15 < ecrist> jolelion: see ssl-admin. it will build certificates, but not yet in batch mode.
07:15 < ecrist> !ssl-admin
07:15 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
07:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
07:19 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:24 < jolelion> ecrist: ssl-admin is not what I need but thanks anyway
07:25 < ecrist> jolelion: what is it you're looking for, then?
07:29 < jolelion> example scripts to generate automatically (not in interact mode) certificates for a user and also automatically sign them and commit them
07:30 < ecrist> jolelion: it's not that difficult to do.
07:31 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
07:39 -!- icu [n=me@67.202.107.157] has joined ##openvpn
07:41 < icu> i want to transport hd content via openvpn. any hints for a "lowest overhead" configuration?
07:43 < jolelion> ecrist: maybe not , I just want some example scripts
07:45 < reiffert> icu: "hd content"?
07:45 < icu> HD Movie Streaming
07:45 < reiffert> icu: streaming udp/tcp?
07:47 < icu> TCP (mostly)
07:48 < reiffert> openvpn settings to use: proto udp
07:48 < reiffert> openvpn settings to read after: --mtu* mss*
07:49 < icu> thanks
07:50 < reiffert> welcome
07:50 -!- cpm_ is now known as cpm
07:54 < ecrist> jolelion, those examples are going to be anything. if you know how to write a script, you shouldn't have any problems.
07:54 < jolelion> ecrist: ok thanks
07:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:31 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
08:35 -!- nexxer [n=nex@unaffiliated/nexxer] has quit [Read error: 113 (No route to host)]
08:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:47 -!- icu [n=me@67.202.107.157] has quit [Read error: 110 (Connection timed out)]
08:49 -!- nexxer [n=nex@unaffiliated/nexxer] has joined ##openvpn
09:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:51 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
10:13 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has joined ##openvpn
10:21 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:41 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
10:47 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:32 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit ["Leaving"]
11:33 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
11:34 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn
11:35 < plaerzen> hai
11:47 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has joined ##openvpn
11:51 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-91718264f508429e] has joined ##openvpn
11:51 < PiousMinion> when I run "./build-key-server server" and it asks for "A challenge password []:".... where/when will this password be asked for?
11:52 < french> Hi i have a vpn on a fedora 9 machine (10.0.0.22), i also have a virtural machine on teh fedora machine (10.0.0.44), i am vpn to the fedora machine (10.0.0.22), i then am able to pull up any lan webpages on the 10.0.0.22 but not on the 10.0.0.44; is there a reason for that? is there any way to pull up the lan pages ont he 10.0.0.44?
11:54 < plaerzen> !route
11:54 < vpnHelper> plaerzen: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:59 < Kobaz> PiousMinion: any time the key is used
12:00 < french> anyone?
12:02 < plaerzen> !route french
12:02 < vpnHelper> plaerzen: Error: "route" is not a valid command.
12:03 < french> any docs? how do i use it?
12:03 < ecrist> PiousMinion: every time OpenVPN is started
12:03 < ecrist> french:
12:03 < ecrist> !route
12:03 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:04 < french> thanks i'll look it over
12:04 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-91718264f508429e] has quit ["http://www.mibbit.com ajax IRC Client"]
12:04 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn
12:05 < PiousMinion> ecrist: on the server side, yes? client won't need this pasword?
12:08 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn []
12:15 < ecrist> right
12:15 < ecrist> unless you set a challenge password for client certificates, too
12:16 < ecrist> you *can* leave it blank.
12:19 < PiousMinion> on both server and client?
12:28 < PiousMinion> the howto doesn't cover this. Doesn't even mention a password let alone implications of not setting one. :/
12:32 < ScribbleJ> I'm not sure about the howto, but in general that's not really an openvpn question.
12:32 < ScribbleJ> I'm not saying stop asking, I'm just trying to explain why it's probably not covered.
12:32 < ScribbleJ> It's more of a general ssl/pki question.
12:33 < PiousMinion> That is true, but other than here, what other channel would you suggest I ask in? I'm new to this.
12:37 -!- Error_X [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
12:37 < Error_X> Hi! What is best to use? tap or tun when I have a router -> server ?
12:38 < Error_X> !configs
12:38 < vpnHelper> Error_X: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:38 < Error_X> !route
12:39 < vpnHelper> Error_X: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:39 < PiousMinion> Error_X: I think this should help you more. --> http://openvpn.net/index.php/documentation/howto.html#vpntype
12:40 < vpnHelper> Title: HOWTO (at openvpn.net)
12:42 < Error_X> Thanks, one more question.. am I able to route all inet traffic from clients via the server's internet?
12:43 < Error_X> gonna set it up because I work offshore where they use proxy and im only able to use the web.
12:43 < PiousMinion> Error_X: I'm depending on that functionality, but haven't gotten to that point yet.
12:43 < Error_X> Ok
12:43 * PiousMinion is an openvpn newb. :P
12:44 < Error_X> Same here... just started :s
12:44 < Error_X> Linux?
12:44 < PiousMinion> aye
12:44 < Error_X> same
12:45 < PiousMinion> So I'm sitting at the "A challenge password []:" prompt and not sure what the implications of not setting a password would be. :/
12:45 < ScribbleJ> Error_X, there's a simple option for that; did you read the same configs?
12:46 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
12:46 < ScribbleJ> See 'redirect-gateway'
12:46 < ScribbleJ> Er
12:46 < ScribbleJ> same = sample, I can't type...
12:47 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
12:48 < Error_X> =)
12:49 -!- nexxer [n=nex@unaffiliated/nexxer] has left ##openvpn []
12:50 < ScribbleJ> PiousMinion, if you do not set a challenge password, and someone gets access to your key file, it's game over, man.
12:50 < ScribbleJ> Er, my mistake
12:50 < ScribbleJ> That's the passphrase on the key
12:50 < ScribbleJ> :)
12:53 < ScribbleJ> The challenge password is pretty useless, I wouldn't worry about it. It's good for controlling who can revoke a cert but that's basically controlled by who's got access to your ca/server configs anyhow.
12:55 < PiousMinion> thanks. :)
12:55 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
12:55 < ecrist> ScribbleJ: I'd hardly call it useless.
12:56 < PiousMinion> useful for client I suppose, but what use is it on server end?
12:56 < ScribbleJ> ecrist, I suppose it depends on how complex your PKI is... it's mostly useless in small PKI just being used for openvpn and adminned by one dude.
12:56 < ScribbleJ> ecrist, unless I'm missing something - please correct me.
12:57 < ecrist> ScribbleJ: in a 'single-dude' setup, there's little benefit, as long as the server is hardened. without a challenge password, it's trivial to create another VPN certificate and get into the network at one's leisure, however.
12:57 < ecrist> I recommend challenge passwords for root CA certificates, generally not for client certificates.
12:57 < ecrist> in VPN setups, anyways
12:58 < ecrist> from there, however, I would recommend a multi-factor authentication scheme on the server side (user/pass + certificate), which prevents some abuses of an unprotected certificate/key pair, if they're compromised.
12:59 < PiousMinion> ok, now to figure out how to undo what I did.
13:00 < Kobaz> rm -rf
13:00 < PiousMinion> path = ?
13:01 < Kobaz> heh, that was a joke
13:01 < ScribbleJ> ecrist, I must not know enough about this. What's the vector for an easy attack by not using a challenge password? They still need to get access to your keystore, and you've got a passphrase on the keys themselves.
13:02 < Kobaz> i always thought that if you got haxored you would have bigger problems than your vpn server key being out in the open
13:02 < ScribbleJ> And if we can assume the attacker can get access to your keystore, we might as well worry about whether they can just log into the openvpn machine and switch out the configs entirely.
13:03 < ecrist> there are varying degrees of being compromised.
13:04 < ecrist> many people fail to put proper restrictions and permissions on the SSL certificates and keys. in this case, rooting a box is not needed.
13:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:05 < ScribbleJ> Well, this is true. But again, if we have to assume an admin incompetent enough to basically give his keys away, we might as well worry about whether he puts telnet on the wan interface. Plus, the keys themselves /still/ have the passphrase on them.
13:05 < ScribbleJ> I'm just not seeing the attack vector based on the challenge password.
13:06 < ScribbleJ> He might, what, revoke all your certs then -separately, mind you- hack your openvpn server and put in the updated CRL? Then you'd be DOSed?
13:06 < ScribbleJ> He still couldn't give himself access though.
13:07 < ScribbleJ> Well, I mean - except once he got to the point of being able to put in the CRL, anything goes, of course.
13:07 < ecrist> if he can build a CRL, he can sign a certificate.
13:08 < ecrist> s/a c/a new c/
13:08 < ScribbleJ> But I'm supposing he can't do either without the passphrase to your ca.
13:09 < ScribbleJ> Which is a separate entity from a challenge password.
13:09 < Error_X> Huh, when I start openvpn the server loses its primary ethernet connection
13:09 < PiousMinion> Howto says to copy "ALL" files in the keys folder to the client machine. Can this be right?
13:09 < ScribbleJ> The /server/ does? That sounds odd.
13:10 < ScribbleJ> PiousMinion, that doesn't sound right... I'll read it.
13:10 < Error_X> the server does get an IP address from the router, but I can't ping any computers on the physical network or the internet
13:10 < PiousMinion> ScribbleJ: http://openvpn.net/index.php/documentation/howto.html#pki
13:10 < vpnHelper> Title: HOWTO (at openvpn.net)
13:10 < Error_X> as soon as I do 'openvpn stop' the internet/lan works again
13:10 < ScribbleJ> Error_X, you probably screwed up your routing somehow.
13:11 < Error_X> probably
13:11 < Error_X> My physical network uses 10.0.0.0/24, and I set up the VPN to use 192.168.10.0/24
13:11 < ScribbleJ> PiousMinion, I'm not seeing where it says that. I see a nice graph that shows what needs to be copied where.
13:12 < PiousMinion> ScribbleJ: right after "Key Files" underneath the table that shows the different files and their purpose.
13:13 < PiousMinion> "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel."
13:13 < ScribbleJ> It means copy all the files listed as needed to the machines listed as needing them.
13:14 < ScribbleJ> Follow the table, it makes it clear (I think)
13:14 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-8ae1c2a1b26bcdd5] has joined ##openvpn
13:14 < PiousMinion> kk
13:14 < ScribbleJ> Error_X, well, that's obviously no conflict on its own.
13:16 < french> ok i was on earlier and sent to iroute man pages, anyways, i have a vpn on Server A (10.0.0.22), when i vpn onto Server A, i also want to go to a few lan pages on Server B (10.0.0.44) so
13:17 < french> i added http://pastebin.com/d3f83149b to my conf
13:17 < french> then i created a client1 in /etc/openvpn/ccd/
13:17 < french> and put iroute 10.0.0.44 255.255.255.0 in it
13:18 < french> however when i restart openvpn service i get this error
13:18 < french> RTNETLINK answers: Invalid argument
13:18 < ScribbleJ> french, 10.0.0.44 255.255.255.0 and 10.0.0.22 255.255.255.0 are the same address.
13:18 < french> what do you mean?
13:18 < Kobaz> same address?
13:18 < Kobaz> those aren't the same
13:18 < french> machine a is 10.0.0.22 and machine b is 10.0.0.44.
13:19 < ScribbleJ> It's going to set up the same /24 route for both of those route lines, is it not?
13:19 < Kobaz> no
13:19 < french> well i was just trying to copy it from http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing but now i am all confused
13:19 < ScribbleJ> OK, I'll be quiet then.
13:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:19 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
13:20 < french> so any ideas?
13:21 < ScribbleJ> I'd suggest using a netmask of 255.255.255.255 for a route of a single host, but I also would trust anyone else here before myself.
13:22 < french> so would that just change machine b address to push "route 10.0.0.44 255.255.255.225" or both a and b?
13:22 < ScribbleJ> Hrm
13:22 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
13:23 < ScribbleJ> Rereading your problem, I'm not sure if it's openvpn you need to mess with. You are setting up openvpn to give you access to the client's networks, but you really want something behind the server.
13:24 < french> what i have is server A with openvpn installed, then i have server B on a virtual machine on Server A; when i VPN i want to be able to access both Server A and Server B lan webpages
13:24 < Kobaz> can't you just use ethernet bridging between the host and the guest
13:25 < Kobaz> or are you specifically testing openvpn
13:25 < french> i believe it has one; if so how do i tell, client it fedora 10
13:25 < ScribbleJ> ?
13:25 < french> 9
13:25 < french> using vmware
13:26 < Kobaz> if i understand what you wrote, you have one machine
13:26 < Kobaz> and you're using openvpn to connect from the host to the guest vm
13:27 < french> the vmware is set up to bridge the connection to the physical network
13:28 < ScribbleJ> If it is bridging to the physical network; are you using tap or tun in openvpn?
13:28 < Error_X^> !configs
13:28 < vpnHelper> Error_X^: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:28 < Kobaz> sounds like tap, since he's using /24's
13:29 < ScribbleJ> Kobaz, no, he's got openvpn server on his host, and when he connects to it (from the outside world) he wants to hit the vms too.
13:29 < Kobaz> ah
13:29 < ScribbleJ> I use /24s on tun all day long. :)
13:29 < french> ScribbleJ that is correct
13:29 < ScribbleJ> So french, tap or tun?
13:29 < Kobaz> ScribbleJ: tun gives each client a /31
13:30 < french> i have no idea
13:30 < Error_X^> http://pastebin.com/m52fe7b5 <- when I start openvpn with this config file the server disconnects from the local network.. it "drops" out, but I can still access the internet pages that have already been accessed before.
13:30 < ScribbleJ> Kobaz, ? his client only needs a /31 - it's his server that needs to provide a /24. And the !route doc tells you all about how to get a client to provide a /24
13:30 < french> here is server config http://pastebin.com/d1896a53e
13:31 < ScribbleJ> french, my guess is you are using tun, and you need to enable forwarding in your kernel and set up appropriate firewall rules.
13:31 < Kobaz> what do you mean: provide a /24
13:31 < ScribbleJ> Ah, let's see.
13:31 < ScribbleJ> Kobaz - access to a /24 network at the client side?
13:31 < Kobaz> you mean allow routing to the /24 behind the client?
13:31 < Kobaz> yeah
13:31 < french> i'm lost
13:31 < ScribbleJ> Don't worry, french, I think Kobaz and I are just arguing about nothing. :)
13:31 < Kobaz> i wouldn't call that providing a /24... you're not assigning ips out of it... anyways
13:31 < Kobaz> heh
13:32 < ScribbleJ> french, it's tun, so I'm right
13:32 < Kobaz> i jumped in late, so i dont know what he's using
13:33 < ScribbleJ> french have you enabled forwarding in your kernel, and set up appropriate permissions to allow forwarding of traffic from your LAN/VMs to the VPN tun adaptor?
13:33 < Kobaz> okay, so the server has a 10.0.0.0/24 behind it
13:33 < ScribbleJ> french, what is output of 'sysctl net.ipv4.ip_forward'
13:33 < ScribbleJ> Yeah, although 'behind' in this case means 'inside', it's the same thing.
13:34 < french> net.ipv4.ip_forward = 1
13:34 < ScribbleJ> And traffic from that /24 is bridged into his LAN.
13:34 -!- Error_X [n=Errorx@6.84-234-140.customer.lyse.net] has quit [Read error: 110 (Connection timed out)]
13:34 < Kobaz> you need to NAT it then
13:34 < ScribbleJ> OK, that's good french.... it sounds like it might just be a routing issue then - is the machine that is the HOST the GATEWAY for the VM?
13:34 < ScribbleJ> I'm thinking you're right, Kobaz, just thought I'd ask first.
13:34 < Kobaz> the vpn server is going to be the nat gateway for the network behind/inside the server
13:35 < ScribbleJ> Or is a machine on your LAN a gateway for the VM?
13:35 < french> that is machine A which has machine b on a vms
13:35 < ScribbleJ> Machine A is machine B's gateway, french? Are you sure?
13:35 < Kobaz> /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
13:35 < ScribbleJ> If it was, this sounds like it would be working. Do you have iptables rules? Can you pastebin 'iptables -L -v -n' ?
13:36 < french> give me nothing /sbin/iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
13:36 < Kobaz> it means it worked
13:36 < ScribbleJ> Getting traffic through both ways means it worked.
13:36 < ScribbleJ> Try it and see.
13:36 < Kobaz> i assume tun0 is your tunnel device
13:36 < french> http://pastebin.com/d12e8723c
13:36 < ScribbleJ> I was going to check his config first, but you can shotgun a solution.
13:37 < Kobaz> ScribbleJ: it means the kernel accepted the firewall rule (meaning the command itself worked)
13:37 < ScribbleJ> Kobaz, right.
13:37 < Kobaz> heh
13:37 < Kobaz> anyways
13:37 < Kobaz> try pinging some stuff
13:37 < ScribbleJ> According to what he said, he shouldn't need the NAT, Kobaz, so something is missing still.
13:38 < Kobaz> you need to nat, since openvpn will not nat on its own
13:38 < ScribbleJ> If Machine A is Machine B's gateway and he's pushing the /24 ROUTE in openvpn already, and his pastebin of the iptables command I listed shows forwarding enabled, the NAT is just a waste.
13:38 < ScribbleJ> Right, but no nat is necessary since the routes are known both ways.
13:38 < Kobaz> forwarding won't do anything without turning on nat
13:38 < ScribbleJ> and the server is his gateway.
13:38 < ScribbleJ> Wrong.
13:38 < ScribbleJ> I use it without nat on my nets.
13:39 < ScribbleJ> Again, if the routes are known, the ip space does not overlap, and the openvpn machine is the server, nat is just extra cruft you do not need, and breaks comms one-way, in fact, that'll break it the way he wants to go without port forwarding, no?
13:40 < Kobaz> he'll be able to go into the lan net and back out
13:40 < french> is this really that difficult?
13:40 < Kobaz> no
13:40 < Kobaz> hehe
13:40 < ScribbleJ> I see the missing piece too.
13:40 < ScribbleJ> You said your vmware guest is bridged to lan
13:41 < french> yes
13:41 < ScribbleJ> But you said the guest uses the host as its gateway
13:41 < ScribbleJ> It's possible to do both but very weird, are you sure?
13:41 < french> i might not, i prob using the firewall as the gateway
13:41 < Kobaz> the guest should be using the router as the gw
13:41 < Kobaz> yeah
13:41 < ScribbleJ> Heh, that's the second time I asked are you sure!
13:41 < ScribbleJ> This is critical information!
13:42 < french> yes i am sure
13:42 < ScribbleJ> I predict if you change it to use the host as its gateway things will 'work' but you may find other things 'break' and you may find that Kobaz's MASQ line means you can still only get to the host, not the guest.
13:42 < Kobaz> okay well, you can axe the nat rule and continue futzing: /sbin/iptables -t nat -D POSTROUTING -o tun1 -j MASQUERADE
13:42 < Kobaz> tun0 rather
13:42 < ScribbleJ> Without the MASQ line, and with the guest using host as its gateway, all should work as you expect.
13:43 < Kobaz> make that: /sbin/iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
13:43 < french> ok
13:43 < ScribbleJ> The only probable problem is that your guest is configured via dhcp on the LAN and will continue to want to use the LAN gateway, not your host OS as the gateway, yes?
13:43 < Kobaz> i haven't set up a bidirectional route with openvpn before, so i generally use nat
13:43 < ScribbleJ> It is possible to fix this but it gets into a bit more complicated routing.
13:44 < ScribbleJ> Kobaz, if the only tool you have is a hammer... :P
13:44 < french> no static
13:44 < Kobaz> heh
13:44 < ScribbleJ> french, well, you might get by; you know better than I do the implications of changing your default gateway on the LAN for the guest.
13:44 < french> both machines are static
13:44 < Kobaz> ScribbleJ: then you're going to have a large collection of hammers
13:44 < ScribbleJ> Kobaz, hahah.
13:44 < Error_X^> Hmm, why does the server lose all local connections when I start openvpn? (I can access the internet but not ping the router/local machines). http://pastebin.com/mccdfb38
13:44 < french> so what do i need to do
13:45 < Kobaz> Error_X^: subnet conflicts?
13:45 < Error_X^> Kobaz: Is it?
13:45 < ScribbleJ> French, if I were in your shoes, I would a) set guest OS to use host IP as its gateway b) make sure guest still works this way. c) remove MASQ line Kobaz suggested. d) restart openvpn server. e) Enjoy your networking.
13:45 < Kobaz> server 192.168.0.0 255.255.255.0
13:45 < Kobaz> Error_X^: what's your local lan subnet
13:45 < Error_X^> local is 10.0.0.0 255.255.255.0
13:46 < Kobaz> oh okay
13:46 < ScribbleJ> Remove this line: route 10.0.0.0 255.255.255.0
13:46 < Kobaz> paste your routing table after openvpn is started
13:47 < Error_X^> huh... it worked now.. I still hear my mp3 playing from the server tho
13:47 < Error_X^> after I removed route 10.0.0.0 255.255.255.0
13:47 < Error_X^> I set up routing table in my linksys router
13:47 < ScribbleJ> I do not understand the problem anymore. mp3?
13:47 < Kobaz> Error_X^: every computer with an ip stack has a routing table
13:48 < Error_X^> ScribbleJ: Yes, streaming from my server?
13:48 < ScribbleJ> Error_X^, ok, what about it?
13:48 < Error_X^> locally
13:48 < ScribbleJ> Error_X^, how?
13:48 < Error_X^> so when I started openvpn, it stopped... all local connection to the server stopped
13:48 < ScribbleJ> OK, but now it works?
13:49 < Error_X^> after I removed route 10.0.0.0 255.255.255.0
13:49 < ScribbleJ> Good, OK
13:49 < Error_X^> so now Im gonna try to connect with a client
13:49 < ScribbleJ> So problem solved, right?
13:49 < Kobaz> Error_X^: route 10.0.0.0 255.255.255.0... that's telling the openvpn server that the 10.x route is going to be handled by openvpn
13:49 < PiousMinion> In the openvpn ethernet bridging howto it says "configure the DHCP server on the LAN to also grant IP address leases to VPN clients.", but how would my lan dhcp server know if it was a vpn or a real client?
13:49 < ScribbleJ> I think he wanted to push-route that route.
13:49 < ScribbleJ> That'll be his next problem.
13:49 < Kobaz> hehe
13:49 < Error_X^> its not easy ^^
13:49 < ScribbleJ> PiousMinion, if you are using bridging, it cannot tell the difference.
13:50 < Kobaz> Error_X^: you want the 10.x route going straight out your network card instead
13:50 < french> thank it now works
13:50 < PiousMinion> ScribbleJ: I didn't think so, but the howto says I should configure it anyway. lol
13:50 < Error_X^> Kobaz: yes
13:50 < Kobaz> Error_X^: problem solved...
13:50 < ScribbleJ> PiousMinion, I think it's just trying to say, "Make sure your DHCP is gunna handle this, too," or something.
13:50 < ScribbleJ> I dunno.
13:50 < Error_X^> ok.. I will fire up my mobile broadband and try to connect :)
13:51 < Kobaz> okay, back to breaking my own stuff
13:51 < ScribbleJ> I take that back. Does bridging decrease the TTL?
13:51 < ecrist> weird
13:51 < ScribbleJ> Elephino.
13:51 < Kobaz> ScribbleJ: i wouldn't think so
13:52 < ScribbleJ> Me neither, Kobaz.
13:52 < ScribbleJ> But I seldom use it.
13:52 < ScribbleJ> And never had occasion to wonder.
13:52 < ecrist> for some reason, checkpoint firewalls need a host mask of 0.0.0.1 in cisco access-lists for a match to occur.
13:52 < Kobaz> ScribbleJ: and ttl is going to be set by the originator anyway
13:52 < ScribbleJ> Kobaz, right, my thought was, if his DHCP TTL is set to 1....
13:52 < Kobaz> ScribbleJ: oh you mean, does it count as a hop
13:52 < ScribbleJ> Kobaz, on the DHCP server
13:52 < ScribbleJ> Kobaz, but yes, and I'm sure it has to be routed for that, then.
13:53 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit [] 13:53 < Kobaz> you don't want dhcp going over the bridged vpn anyway 13:53 < Kobaz> probably cause all kinds of problems with clients maintaining a connection... you want local dhcp from where you're at 13:54 < ScribbleJ> I could think of a config where you would, but ... not one I'd find int he real world. 13:54 -!- french [i=a0248ba1@gateway/web/ajax/mibbit.com/x-8ae1c2a1b26bcdd5] has left ##openvpn [] 13:55 < Kobaz> ...back to really breaking stuff 13:55 -!- Error_X [n=fdfskodf@6.84-234-140.customer.lyse.net] has joined ##openvpn 14:13 < PiousMinion> Ok, so if I run this "bridge-start" script from the howto... how much of a chance is there that it will break my network connection and I will have to drive 5 miles to the server for physical access? lol 14:14 < ScribbleJ> I'd say you should count on it... 14:14 < ScribbleJ> And 5 miles? NICE. Yer lucky, walk over. 14:15 < PiousMinion> Did I mention this comp has no keyboard, mouse, or monitor? O.o 14:15 < ScribbleJ> Crash cart! 14:15 < PiousMinion> I'll just call 911 and explain the emergency. I'm sure they'll understand. rofl 14:16 < ecrist> PiousMinion: there's a low probability it will break network connectivity for the server, unless you're messing with the firewall, which is seldom recommended OTW 14:16 < PiousMinion> I hope you're right. here goes. 14:17 < PiousMinion> ok, yeah. That server is offline. lol 14:17 < ecrist> I don't actually know what I'm doing, I'm just here to give people a hard time. :D 14:17 < ScribbleJ> I love to say "I told you so;" if only I had the opportunity. 14:18 < PiousMinion> nothing important on that server. It's just a test server when I need something to be remote. 14:18 < PiousMinion> poo 14:18 < ScribbleJ> Like... now? 14:18 < PiousMinion> exactly 14:19 < PiousMinion> Even if I was to test the server on this end..... how the hell am I supposed to test it if I can't physically be in two places at once? 
heh 14:20 < PiousMinion> I guess I should have tested it on something important so it would get fixed quickly and then claim it wasn't me. :P 14:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 14:24 < PiousMinion> So why would this bridge script not do what it's supposed to do and just kill the network connection? 14:27 < ecrist> PiousMinion: we can't actually know what you did without more detail than, 'I ran this script' 14:27 < ecrist> what script, how did you run it, etc. 14:27 -!- PiousMinion1 [n=clay@7-167.106-97.tampabay.res.rr.com] has joined ##openvpn 14:30 < PiousMinion1> Strange. I'm able to ssh in from the lan side, but not remote, even though IP is the same. 14:30 < PiousMinion1> lan IP is the same is what I mean to say. 14:32 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has quit [Read error: 60 (Operation timed out)] 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 < PiousMinion1> scratch that. I ran bridge-stop and now it's double broke. 14:38 < PiousMinion1> man, whoever wrote the example script needs to have their head examined. lol 14:39 < Error_X> do I need to copy the crt files over to the client? 14:39 < PiousMinion1> Error_X: some of them, not all. 14:40 < PiousMinion1> scroll down to the "Key Files" section. --> http://openvpn.net/index.php/documentation/howto.html#pki 14:40 < vpnHelper> Title: HOWTO (at openvpn.net) 14:42 < Error_X> cant find the file to create client files :s 14:42 < Error_X> build-client1 14:44 < PiousMinion1> /usr/share/doc/openvpn... something 14:47 < PiousMinion1> I could tell you exactly if I didn't just kill my server... twice. lol 14:48 < ScribbleJ> My only gripe is that most of the docs I've seen act like bridged should be preferred to routed when I feel it's the opposite. 14:49 < ecrist> routed is preferred. 
lots of docs were written around getting netBIOS working on windows networks, though 14:50 < PiousMinion1> All I care about is routing all traffic on the client through the vpn and being able to access all things on the lan as if I was local. 14:51 < Error_X> If I use 'secret', do I have to use a secure channel then? 14:51 < ecrist> well now, define *all* 14:51 < PiousMinion1> ecrist: which all? I used two of them. :P 14:52 < ecrist> either of them. Let's concentrate on the first 14:52 < ecrist> are you referring to ethernet traffic or IP traffic? 14:53 < PiousMinion1> I assume IP traffic. idk what the difference in the end result would be. 14:53 < ecrist> windows file sharing? 14:54 < PiousMinion1> that will be needed, yes, but I think I can call via IP as \\IP\share 14:54 < ecrist> right 14:54 < PiousMinion1> correct if wrong 14:54 < PiousMinion1> k 15:00 < Error_X> Ok, this encrypting thing is very confusing. 15:00 -!- ykut_johny [n=ykut_joh@www.mitsa.org.my] has quit [Remote closed the connection] 15:05 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: eagle 15:10 < PiousMinion1> at first, yeah 15:13 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 15:13 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [SendQ exceeded] 15:13 < Error_X> PiousMinion1: But its for our own safety I guess ;) 15:13 -!- xanthus1 [n=marcelor@r190-134-197-61.dialup.adsl.anteldata.net.uy] has joined ##openvpn 15:13 < PiousMinion1> of course. 15:19 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 15:30 -!- xanthus1 [n=marcelor@r190-134-197-61.dialup.adsl.anteldata.net.uy] has left ##openvpn [] 15:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:32 < Error_X> bleh.. I just get connection failed.. 
the port is forwarded and everything 15:32 < Error_X> using TCP 15:38 < Error_X> it wotn even connect locally 15:38 < Error_X> but the service is up and running 15:39 -!- Error_X [n=fdfskodf@6.84-234-140.customer.lyse.net] has quit [Remote closed the connection] 15:47 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has joined ##openvpn 15:48 < BasketCase_EEE> if I want to setup OpenVPN tunnels for my laptop from my wireless lan or from the internet (2 different NICs) would I need to run two different instances of OpenVPN with two different private subnets or would I put both in the same config? 16:04 < reiffert> one config per daemon 16:04 < reiffert> you might want two different setups here. 16:05 < reiffert> it's no matter of 2 different NICs. 16:06 < reiffert> e.g. wireless lan openvpn server might need --local option 16:06 < BasketCase_EEE> so, I would have 2 config files, 2 openvpn pids, and 2 private subnets? 16:06 < reiffert> sorry, forget my last sentence. bullshit. 16:07 < BasketCase_EEE> I am routing not bridging if that matters 16:07 < reiffert> just head on for one server, one pid and one config file and one subnet 16:07 < reiffert> and if it doesnt work, clone() the setup. 16:09 < BasketCase_EEE> that sounds kinda like what I tried. It didn't work but I haven't had time to work on it much yet 16:11 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 16:11 < french1> i have a question, for openvpn client on windows is their a way to have it auto start when windows comes up? 16:12 < reiffert> french1: 16:12 < reiffert> !howto 16:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:14 < french1> will taht still have me prompt for a passwrod? 16:15 -!- straterra [n=straterr@2001:470:8a81:0:0:0:0:2] has joined ##openvpn 16:15 < straterra> How long does a dixie hellman file take to generate, most of the time? 
I have a 2.8GHz core 2 based Xeon..and its beeng going for about 45 minutes 16:18 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn 16:18 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 16:19 < Error_X^> Heya! When I connect to the OpenVPN server I get the address: 10.8.0.6 (and it says dhcp server: 10.8.0.5, but I cant ping either dhcp or server which is 10.8.0.1 in tun0 according to ifconfig). the internet on the client is also lost until I disconnect..... http://pastebin.com/m1fd0bcfa (Server config) 16:24 < reiffert> straterra: some seconds. 16:24 < reiffert> Error_X^: read up what the server line expands to and read up the topology setting. 16:26 < Error_X^> what? 16:27 < reiffert> Error_X^: what exactly is it you do not understand in my sentence? 16:29 < reiffert> Error_X^: and remove line 24 and 27 from your server config file. 16:29 < reiffert> ah, and read up about option def1 for redirect-gateway. 16:29 < Error_X^> Ok 16:30 < Error_X^> but why should I remove push "route 10.0.0.0....."? isnt that used to access the "real" LAN behind the VPN? 16:31 < reiffert> remove it for now. 16:32 < Error_X^> ok 16:34 < reiffert> note: when using your openvpn server as redirect-gateway it already knows how to handle packets to 10.0.0.0 as it is member of that subnet. 16:37 < Error_X^> reiffert: yes, I got access to the LAN now :) . the only thing now is to get the "internet tunnelling" thing to work 16:38 < reiffert> !def1 16:38 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:40 < Error_X^> !man 16:40 < vpnHelper> Error_X^: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:42 < Error_X^> but I can route internet traffic by using tcp and tun, right? 16:43 < reiffert> yep 16:43 < reiffert> paste your server config again pls 16:45 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has joined ##openvpn 16:50 < Error_X^> http://pastebin.com/m4bf00302 <- server 16:51 -!- BasketCase_EEE [n=kmk@154.198.175.24.cfl.res.rr.com] has left ##openvpn ["Client exiting"] 16:51 < Error_X^> I have also added an "Advanced routing" in my linksys WRT54G router 16:51 < Error_X^> Dest. LAN IP: 10.8.0.0 || Subnetmask: 255.255.255.128..... Default Gateway: 10.0.0.100 (The openVPN server).... Interface: LAN & Wireless 16:55 < reiffert> # 16:55 < reiffert> push "redirect-gateway" 16:55 < reiffert> change that to 16:55 < reiffert> push "redirect-gateway def1" 16:56 < Error_X^> tried it 17:02 < french1> how do i get the vpn to save the username and password info so i never have to enter it? 17:03 < Error_X^> reiffert: cant even ping the server's VPN address 17:04 < Error_X^> reiffert: I can 17:04 < Error_X^> had to renew... 
but still cant access the other computers 17:21 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit [] 17:33 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit ["Leaving"] 17:37 -!- bneff [n=bneff@12.44.178.253] has quit [Read error: 110 (Connection timed out)] 17:39 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 18:14 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 18:15 < french1> is there something i can add to my client openvpn conf, the .ovpn file, to have it remember username and password? 18:19 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 18:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:48 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:08 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn 19:09 -!- mcp [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)] 19:09 -!- emcepe is now known as mcp 19:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 19:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 19:16 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:37 < french1> is there something i can add to my client openvpn conf, the .ovpn file, to have it remember username and password? 
19:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:18 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 20:27 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 20:52 < ecrist> evening, folks 20:59 -!- french [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has joined ##openvpn 21:06 < ecrist> french: it's covered in the howto, iirc 21:08 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 21:08 -!- intralanman [n=Raymond@99-196-39-200.cust.wildblue.net] has joined ##openvpn 21:13 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:13 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:14 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has joined ##openvpn 21:15 -!- xanthus [n=marcelor@fedora-es/irc/xanthus] has left ##openvpn [] 21:16 -!- french1 [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit [Read error: 110 (Connection timed out)] 21:37 -!- french [n=french3@c-76-123-215-242.hsd1.tn.comcast.net] has quit ["Leaving"] 22:11 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 22:18 -!- lionel [n=lionel@ip-185.net-89-3-221.rev.numericable.fr] has quit [Read error: 101 (Network is unreachable)] 22:20 < vincas_> Why is there something that looks like a mac address under virtual address in my openvpn-status.log ? Is this due to my having a bridging setup ? 
22:20 < vincas_> It was an IP address before, and now it's a maclike thing that I can't arp-ping 22:27 < vincas_> every reference I see to it has IP addresses 22:35 -!- vincas [n=vincas@216.25.249.228] has joined ##openvpn 22:50 -!- intralanman [n=Raymond@99-196-39-200.cust.wildblue.net] has quit ["Leaving"] 22:51 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 110 (Connection timed out)] 22:52 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 22:58 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 23:20 -!- tjz [n=tjz@bb121-7-22-236.singnet.com.sg] has joined ##openvpn 23:21 * tjz wink 23:29 < ropetin> Cheeky! 23:48 < tjz> lol 23:48 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 23:50 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 23:50 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 23:59 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["[BX] I'm out like a light..."] --- Day changed Thu Feb 12 2009 00:02 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:02 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:03 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:03 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:04 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:04 -!- vincas__ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:04 -!- vincas [n=vincas@216.25.249.228] has quit [Read error: 110 (Connection timed out)] 00:05 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:05 -!- vincas_ 
[n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:07 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:07 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:10 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:10 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:30 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:30 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:34 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:34 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 00:34 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 00:37 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:37 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:42 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 00:42 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:15 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has joined ##openvpn 01:15 -!- vincas_ [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:35 -!- lkthomas_ [n=lkthomas@218.189.198.146] has joined ##openvpn 01:35 < lkthomas_> hey guys 01:35 < lkthomas_> if I setup an openvpn server 01:35 < lkthomas_> how does windows xp user connect to this server ? 
01:38 < reiffert> openvpn client 01:44 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 01:45 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 01:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 01:53 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:24 -!- clusterm1gnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn 02:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 02:37 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has quit [Read error: 110 (Connection timed out)] 02:42 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 02:44 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)] 02:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:46 < lkthomas_> uys 02:46 < lkthomas_> guys 02:46 < lkthomas_> if I want user to use same IP subnet as LAN user 02:47 < lkthomas_> I should use bridge mode, right ? 03:08 < ropetin> lkthomas_: I'll ask the silly question; why do you want to use the same subnet? 03:08 < ropetin> (I'm slow tonight!) 03:09 < lkthomas_> ropetin, because it is now it works, we don't want NAT as we got tons of fileserver need to access from same subnet 03:18 < ropetin> Hmmm, ok... 03:18 < lkthomas_> is there have any method to use openvpn via web interface ? 03:19 < ropetin> I think webmin has a module for openvpn 03:20 < lkthomas_> nono 03:20 < lkthomas_> I don't mean to config 03:20 < lkthomas_> I mean, client side 03:21 < ropetin> Windows? 03:21 < ropetin> And yes, bridge mode will allow you to do what you wan 03:21 < ropetin> t 03:22 < ropetin> There is OpenVPN GUI for Windows, it's pretty good and allows me to use the same config file from my Linux box 03:23 < lkthomas_> you know F5 network ? 
03:23 < lkthomas_> they offer activeX as windows client 03:25 < reiffert> 10:24 < lkthomas_> is there have any method to use openvpn via web interface ? 03:25 < reiffert> wtf? 03:25 < reiffert> no, there is not. 03:25 < lkthomas_> F5 SSL VPN client is based on activeX control application 03:26 < reiffert> sounds like activex browser only. Dont have such a thing. 03:26 < lkthomas_> hmm 03:27 -!- tjz is now known as tjz|dinner 03:32 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 03:33 < reiffert> lkthomas_: and from the browser window, what can you do there? 03:34 < lkthomas_> run the ssl vpn client 03:35 < reiffert> and then what happens, the browser adds an virtual interface? 03:35 < lkthomas_> good question 03:35 < lkthomas_> it might be a good time to read F5 docs :) 03:35 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 03:35 < reiffert> sounds as you need admin rights for that. 03:35 < lkthomas_> that IS F5 SSL VPN selling point 03:35 < reiffert> lkthomas_: and this IS ##openvpn. 
03:35 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"] 03:35 < lkthomas_> I mean, in compare with F5 03:36 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 03:41 < ropetin> :D 03:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:53 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 04:05 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Read error: 113 (No route to host)] 04:07 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:08 -!- paruchuri [n=qvantel@61.16.248.242] has quit [Client Quit] 04:17 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 04:19 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 104 (Connection reset by peer)] 04:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:39 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:43 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 04:44 < mRCUTEO> hiya all 04:51 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 04:57 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 04:58 -!- tjz|dinner is now known as jz 04:58 -!- jz is now known as tjz 04:59 -!- techqber1 [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)] 05:31 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn 05:56 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 05:57 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 05:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:12 -!- vincas_ [n=vincas@216.25.249.228] has joined ##openvpn 07:29 -!- vincas [n=vincas@c-71-62-46-200.hsd1.va.comcast.net] has quit [Read error: 110 (Connection timed out)] 07:37 -!- whaletales [n=Paul@5ad19f2e.bb.sky.com] has joined ##openvpn 07:38 -!- PiousMinion1 is now known as PiousMinion 07:45 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 07:47 -!- whaletales is now 
known as aptanet 08:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 08:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:13 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 08:17 < jolelion> hello 08:19 < jolelion> I can't find in the pkitool file if the optional company name of the certificates is settable ? 08:19 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit [Remote closed the connection] 08:19 < jolelion> I mean in the same way as "export KEY_ORG='mycompany' " 08:25 < reiffert> Then have a look in the openssl.cnf file 08:35 < jolelion> reiffert: there is only one line in the openssl.conf file : "unstructuredName = An optional company name" 08:36 < jolelion> and no KEY_xxxx associated 08:41 -!- vincas_ [n=vincas@216.25.249.228] has quit [Read error: 60 (Operation timed out)] 08:41 < ecrist> jolelion: you were talking yesterday about writing a script. If you can write a script, read through the easy-rsa scripts and modify them to your needs. 08:41 < reiffert> jolelion: feel free to do so. 08:41 < ecrist> we're not here to do your research for you. 08:41 < reiffert> s,to do so,to add one, 08:42 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 08:42 < reiffert> :) 08:51 < straterra> Is Dixie Hellman generated using any kind of cpu/disk entropy? 08:55 < reiffert> yes. 08:55 < reiffert> oh well. 08:55 < reiffert> system entropy. 08:55 < straterra> diffie^ 08:55 < reiffert> your kernel decides a source for that. 08:55 < straterra> so..ramping CPU load won't help it go faster o.O 08:56 < reiffert> and it may be that keyboard/mouse is used, or disk usage (rarely) 08:56 < reiffert> how many bits you are toasting on diffie hellman? 
08:56 < straterra> well..i hope kb/mouse isn't..cause neither are hooked up 08:56 < straterra> 4096 08:56 < straterra> I'm using the easy-rsa scripts 08:56 < reiffert> 1024 bits should be doable in 5 sec, 4kbit lasts many many many days. 08:57 < reiffert> straterra: easy rsa is using openssl. 08:57 < straterra> 4096 took about an hour to generate last night 08:57 < reiffert> ah, so get some randomness to your kernel then. 08:57 < straterra> cat /dev/urandom > /dev/null? 08:58 < straterra> lol 09:00 < reiffert> it's not trivial. have a look into your kernel docs. 09:00 < reiffert> and openssl docs of course. 09:09 < ScribbleJ> Uh 09:09 < ScribbleJ> Seriously, can't you just cat LARGE_FILE > /dev/urandom ? 09:09 < ScribbleJ> It's /supposed/ to work. 09:09 < straterra> finished 09:12 < ScribbleJ> So how "many many days" was that? 09:12 < straterra> lets see.. 09:13 < straterra> about 15 minutes o.O 09:13 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 09:13 < ScribbleJ> So roughly .01 days. 09:14 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 09:14 < straterra> yesterday it took an hour..so..hmm.. 09:14 < ScribbleJ> yeah, entropy being what it is. 09:14 < ScribbleJ> Just keep in mind for next time - 09:14 < ScribbleJ> You really /can/ pipe a large file into random to increase entropy 09:15 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn 09:15 < straterra> Will do 09:15 < ScribbleJ> Or you can do what I do; knock everything in your room to the floor. It doesn't help generate ny keys, but it /does/ increase the overall entropy of the system.... 09:15 < ScribbleJ> Where 'the system' includes my room anyhow. 09:15 < straterra> heh 09:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 09:20 < straterra> hmm... 
iroute in a clients ccd file didn't push a route :/ 09:20 -!- tjz [n=tjz@bb121-7-22-236.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 09:21 < straterra> Oh well..I'm going to handle all of that on the client's bridge interface anyway 09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:28 < ScribbleJ> Push a route to a clients network to other clients? 09:28 < ScribbleJ> I don't think you'll get it to work unless you have the openvpn config right; openvpn /is/ involved in that routing. 09:30 < ecrist> straterra: iroute doesn't push the route... 09:32 < straterra> Alright..I got it set up how I need to..complete with ipv6 09:33 < ecrist> fwiw, openvpn doesn't do ipv6 at this time.. 09:33 < straterra> I have ipv6 working over several openvpn tunnels 09:33 < ecrist> ah, didn't know what you meant, entirely. 09:33 < straterra> ipv6 works as long as you use tap and not tun 09:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 10:27 -!- sfafg [i=a0248bc9@gateway/web/ajax/mibbit.com/x-824f36ba9ecca206] has joined ##openvpn 10:27 < sfafg> on the windows openvpn client, is it possible to add username and password inside that config, so that you do not have to enter it every time you want it to start? 10:28 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 10:28 -!- tjz|dinner is now known as tjz 10:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:41 * ecrist shoots his boss. 
10:44 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 10:49 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 60 (Operation timed out)] 10:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 60 (Operation timed out)] 11:12 -!- french [i=a024fe2b@gateway/web/ajax/mibbit.com/x-b0c5dc30e55d8603] has joined ##openvpn 11:20 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"] 11:29 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has joined ##openvpn 11:38 < jolelion> when I generate a certificate, openssl ask for a password . Is this password the same as the one ask by the "--pass" option of pkitool? 11:39 -!- max06 [n=max06@unaffiliated/max06] has joined ##openvpn 11:40 -!- french [i=a024fe2b@gateway/web/ajax/mibbit.com/x-b0c5dc30e55d8603] has quit ["http://www.mibbit.com ajax IRC Client"] 11:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:52 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 11:53 < tjz|dinner> i am getting this error.. 11:53 < tjz|dinner> Unable to connect because your certificate is not yet valid. Check that your system time is correct 11:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:06 < seldon> Check that your system time is correct. The system that made and/or signed the certificate has a system time after that of the system that's trying to use it. 12:07 < seldon> So essentially, openvpn sees a certificate at 6 o'clock that says it's been made or signed at 8 o' clock, thinks it's broken (which it is) and rejects it. 12:07 < tjz|dinner> the system time that create the cert is... Thu Feb 12 20:16:55 UTC 2009 12:08 < seldon> Which is off by thee minutes. 
12:08 < seldon> *three 12:08 < tjz|dinner> hmm 12:09 < seldon> You probably just have to wait three minutes, assuming the client system's time is correct. 12:09 < seldon> Also, consider using an ntp server 12:10 < tjz|dinner> ok 12:10 < tjz|dinner> 2 hours earlier, i guess 12:11 < seldon> Oh, UTC. Yeah, you're lagging two hours. 12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:13 < tjz|dinner> let me try 12:14 < max06> hi... i'm using debian lenny and i installed the openvpn package provided in the debian-repos... 12:14 < max06> I changed the necessary settings in the server.conf 12:14 < tjz|dinner> Thu Feb 12 18:19:33 UTC 2009 12:14 < tjz|dinner> ok 12:15 < tjz|dinner> look good 12:15 < tjz|dinner> gonna try 12:15 < max06> and I created the certificates 12:15 < max06> when I want to start the server with "openvpn /etc/openvpn/server.conf" it says Options error: --server directive network/netmask combination is invalid 12:16 < max06> the line in the file: server 10.8.0.1 255.255.255.0 12:19 < max06> http://rafb.net/p/ToNNv614.html 12:19 < vpnHelper> Title: Nopaste - No description (at rafb.net) 12:20 < seldon> I am guessing that the option expects the network to have zeroes in the variable part of the netmask. 12:20 < seldon> i.e., 10.8.0.0 255.255.255.0 should work 12:20 < ScribbleJ> Yeah, no '1' 12:20 < ScribbleJ> Hang on though 12:20 < ScribbleJ> Oh, no I'm just confused. 12:20 < ScribbleJ> Heh 12:20 < max06> nice... one problem less...^^ 12:20 < ScribbleJ> That's yer problem. 12:22 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:22 -!- xattack [i=xattack@132.248.108.239] has quit [Client Quit] 12:24 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:43 < seldon> What exactly do the numbers in "Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]" mean? 12:45 < ScribbleJ> Well, the first one is clearly labeled "L". 12:45 < ScribbleJ> <- not helpful. 12:46 < ScribbleJ> I'm kidding. 
You could tell the first one is the link-layer MTU, the second is probably data-layer (i.e. MTU over your tunnel), the first = the second when you add in the EF... 12:47 < sfafg> on the windows openvpn client, is it possible to add username and password inside that config, so that you do not have to enter it every time you want it to start? 12:47 < ScribbleJ> Er, and overhead? Hrm. 12:47 < ecrist> ScribbleJ: L - EF != D 12:48 < ScribbleJ> ecrist, I know, I fail at math. 12:49 -!- sfafg [i=a0248bc9@gateway/web/ajax/mibbit.com/x-824f36ba9ecca206] has quit ["http://www.mibbit.com ajax IRC Client"] 12:50 -!- tjz|dinner [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"] 12:50 < seldon> Hmm. Link MTU should be 1492 ('swhat the ISP dishes out). I kinda figured D would be the data mtu, because it's the only number that fits. The tun interface is configured to mtu 1500, though. 12:53 < ScribbleJ> I got nothin. I should learn to shut up when I don't know; it just makes me look like a tool. 12:53 < seldon> I get the impression you'd manage that even if you knew. ;) 12:54 < ScribbleJ> Ow. 12:54 < ScribbleJ> The truth /does/ hurt. 12:55 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)] 12:55 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 12:56 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 12:57 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has joined ##openvpn 12:57 < seldon> AF might have something to do with QoS, I (wildly) guess. But I have nothing about the rest. 12:58 -!- icebrew54 [i=proxy@static-71-117-242-28.ptldor.dsl-w.verizon.net] has joined ##openvpn 12:58 < icebrew54> does anyone have experience with SIP/openvpn? 12:59 < ecrist> icebrew54: what do you need to know? 12:59 < ScribbleJ> He's getting horrible call quality, and I suspect he should turn off compression. 
13:00 < icebrew54> I'm running into a challenge, and would want to ask "what areas" to troubleshoot in this process....so far I'm going to look into compression, asterisk codec, and MTU 13:00 < ScribbleJ> I'm not psychic, I'm in #asterisk. :) 13:00 < icebrew54> call quality was very flaky this morning and we believe it could be a setting in our openvpn 13:00 < ecrist> icebrew54: does your problem go away outside OpenVPN (across bare IP)? 13:01 < icebrew54> ecrist: over our ipsec tunnel it is perfect quality, and over regular IP it is as well 13:01 < seldon> My crystal ball tells me that ssh works and sip doesn't, and that your firewall doesn't let icmp fragmentation-needed packets through. 13:02 -!- mode/##openvpn [+o seldon] by ChanServ 13:02 < ecrist> finally, someone who knows something. 13:02 <@seldon> Eh? 13:03 -!- mode/##openvpn [-o seldon] by ChanServ 13:05 < seldon> Well, I ran into the same problem when I started using openvpn. Took me ages to figure out, too. Of course, I was a lot greener then. 13:12 < ScribbleJ> I tried running Skinny over openvpn once, but failed horribly... but it was me -- I couldn't figure out how to route that stuff. 13:13 < ScribbleJ> We moved to SIP since then, I should try again. 13:16 < seldon> On that note, my configuration is a bit archaic and overly complex; I run one tun interface for every remote site, so I should probably update it to use the server directive. Problem is, there's a windows client among them, so I expect problems with the limitations of the win32/tap driver. 13:18 < seldon> There's no hidden, secret way to make it work with subnets larger than four hosts, is there? 13:18 < ScribbleJ> Wow, that must be archaic... I've been using openvpn happily for > 6 years and I've never heard of doing it that way. 13:19 < seldon> I started back with...1.5, I think it was. 
13:19 < ScribbleJ> Well, I'll say this much, seldon - I run a pretty 'complex' config with some subnets exposed behind /clients/ and some behind the server, all /24 and some windows /clients/ connect all day without problems. 13:20 < ScribbleJ> I'm using tun though, you said tun right? 13:20 < ScribbleJ> I'm routing everything - running openvpn on my firewalls. 13:20 < seldon> Yeah, tun. The windows driver only accepts /30 subnets. 13:21 < ScribbleJ> Hrm... I've only second-hand experience with the windows clients; some of the guys in my office run windows. 13:21 < ScribbleJ> But they have never had a problem accessing resources over the vpn, I didn't do anything special. 13:21 < ScribbleJ> vpn(s) I should say. 13:27 < seldon> Well, it's a pretty small setup I have, but with each new client, the firewall grows and grows. 13:28 < seldon> *shrug* I'll just set it up with the server directive for the linux clients and see if I can work in the windows client afterwards. 13:28 < ScribbleJ> Yeah... the only change I have to make on a per-client basis is allowing access to the firewall from their IP; we use IP-based blocking of clients in addition to everything else. 13:29 -!- xattack [i=xattack@132.248.108.239] has quit [] 13:31 < ecrist> seldon: I think you may be confused. a tad 13:32 < ecrist> until 2.1, all tun clients are assigned addresses with /30 subnet 13:32 < ecrist> there's some subnetting foo going on in 2.1 that allows things to work differently. 13:32 < ecrist> what version of OpenVPN are you using now? 13:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:33 < seldon> 2.1 rc11 13:34 < ecrist> and what are the clients using? 13:34 < seldon> The windows client uses 2.0.9, if I'm not mistaken, and I keep the linux clients as updated as the server. 
13:34 < ecrist> then you can use the --server directive without issue 13:35 < seldon> However, the config for the first connection hasn't changed since the beginning, and it's still using 192.168.23.1 and .100 13:39 < seldon> Well, that is good to know. I just don't understand how, if the windows tun/tap driver supports only very small subnets. 13:45 < seldon> But I'll figure that out tomorrow, now I need some sleep. See you guys around! 13:45 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has quit ["Conspiracy theorists are planted by the government."] 14:04 -!- davidj2_ [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 14:14 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit [Read error: 110 (Connection timed out)] 14:17 -!- max06_ [n=max06@agsb-4d048cfa.pool.mediaWays.net] has joined ##openvpn 14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:32 -!- max06 [n=max06@unaffiliated/max06] has quit [Connection timed out] 14:45 -!- max06_ is now known as max06 14:45 -!- MaoaM [n=MaoaM@86.56.2.106] has joined ##openvpn 14:45 < max06> hi again... my vpn-server is running fine 14:45 < MaoaM> hi :) 14:45 < ecrist> gratz 14:46 < max06> I could connect 2 linux-clients without problems 14:46 < max06> I tried the same with MaoaM but he can't ping any other client on the net 14:46 < max06> He's using the openvpn-package for windows 14:46 < max06> any ideas? 14:49 < kyrix> its probably something with: routers, configuration files, firewall apps. ;) 14:50 < MaoaM> the firewall shouldn't be the problem, for testing it is switched off. 14:50 < kyrix> not sure if i left anything out. its hard to tell without more info. 14:50 < max06> the server is a root-server with static ip, no firewall 14:51 < max06> i gave him the same config-file i used for the linux-clients 14:51 < max06> the server-console says he's connected 14:51 < max06> he got the ip 14:51 < kyrix> what does the route table output? 
14:52 < max06> 172.16.0.2 * 255.255.255.255 UH 0 0 0 tun0 14:52 < max06> 172.16.0.0 172.16.0.2 255.255.255.0 UG 0 0 0 tun0 14:52 < kyrix> no pasting here plz :) 14:52 < max06> not more than 2 lines :) 14:53 < kyrix> im not sure in here. but in most irc channels, not even two lines 14:53 < max06> ok, next time 14:53 < ecrist> you're welcome to paste up to five lines here. 14:53 < max06> thanks ecrist :) 14:53 < reiffert> 21:55 < kyrix> its probably something with: routers, configuration files, firewall apps. ;) 14:53 < reiffert> 21:55 < MaoaM> the firewall shouldn't be the problem, for testing it is switched off. 14:53 < reiffert> 21:56 < kyrix> not sure if i left anything out. its hard to tell without more info. 14:53 < reiffert> 21:56 < max06> the server is a root-server with static ip, no firewall 14:54 < reiffert> 21:56 < max06> i gave him the same config-file i used for the linux-clients 14:54 < kyrix> 5 lines? ;) 14:54 < reiffert> How long will I have to wait for another 5 lines? 14:55 < max06> I think 5 pasted lines won't be the solution ;) 14:55 * ecrist wonders if reiffert actually has to *try* at being an ass, or if it comes naturally. 14:55 < reiffert> max06: I didnt even ask a question yet! 14:55 < ecrist> :P 14:55 < reiffert> ecrist: my sweet little pony. 14:56 < max06> (sry... reiffert, sorry, my English isn't that great...) 14:56 < ecrist> max06: you probably need client-to-client in the server config file 14:56 < max06> ecrist, the connection with 2 linux-clients works fine? 14:57 < ecrist> so, you've got one server and two linux clients, and the two clients can ping each other? 14:57 < max06> yes 14:57 < reiffert> ecrist: what makes me a little bit sad is, that you didnt make a decision yet :) 14:58 < ecrist> reiffert: I'll treat it like I treat such questions from my kid - ignore it. 
14:59 < ecrist> !configs 14:59 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn, or (#2) don't forget to include any ccd entries 14:59 < reiffert> ecrist: yeah, and the fun goes on, lemme pick another 5 lines. 14:59 < max06> k... moment 15:03 < max06> server.conf: http://rafb.net/p/Nnf56529.html 15:03 < vpnHelper> Title: Nopaste - server.conf (at rafb.net) 15:05 < max06> client.conf: http://rafb.net/p/2XHjQQ51.html 15:05 < vpnHelper> Title: Nopaste - client.conf (at rafb.net) 15:05 < max06> OpenVPN 2.0.9 on windows Vista --- Log opened Thu Feb 12 15:05:36 2009 15:05 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 15:05 -!- Irssi: ##openvpn: Total of 60 nicks [0 ops, 0 halfops, 0 voices, 60 normal] 15:05 -!- Irssi: Join to ##openvpn was synced in 1 secs 15:05 -!- mode/##openvpn [+o-o ecrist ecrist] by ChanServ 15:05 < max06> server: OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008 15:06 < max06> same version on the linux-client 15:06 < kyrix> can you post the connection log of the windows client 15:06 < max06> I think, I got all 15:06 < max06> kyrix, moment 15:10 < MaoaM> connection log of the windows client: http://rafb.net/p/CWAZqy10.html 15:10 < vpnHelper> Title: Nopaste - OpenVPN 2.0.9 - Windows Vista: connection log (at rafb.net)
15:11 < kyrix> hmmm... 15:12 < kyrix> why use 2.0.9 if your server is 2.1 15:12 < kyrix> just asking, i have absolutely no idea on windows --- Log closed Thu Feb 12 15:12:18 2009 15:12 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has quit ["Lost terminal"] 15:12 < kyrix> but as you see on line 40, there is something in the configuration that does not work 15:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:12 < MaoaM> well, it's exactly the version i downloaded on openvpn.net. didn't know that there is a newer one? 15:13 < max06> i'm using the version provided in the debian/ubuntu-repositories :) 15:13 < kyrix> http://openvpn.net/index.php/downloads.html 15:13 < vpnHelper> Title: Downloads (at openvpn.net) 15:13 < kyrix> look at the whole page 15:13 < kyrix> you'll see several versions 15:14 < MaoaM> usually i don't use release candidates, so i ignored this. but this time i'll give it a try. ;) 15:14 < kyrix> and on line 52, you have a zugriff verweigert 15:14 < max06> ah, vista... 15:15 < max06> maoam, try it in an administrator-shell :) 15:15 < MaoaM> didn't see that line. :o 15:15 < max06> me too 15:16 < kyrix> you just looked at the last one huh? ;) 15:16 < MaoaM> ehr, well.. ;D 15:16 < max06> working? 15:16 < MaoaM> moment please 15:16 -!- davidj2_ [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit [Read error: 110 (Connection timed out)] 15:16 < max06> :) 15:16 < max06> I hope...
15:17 < kyrix> either that or different versions is my bet atm 15:19 -!- straterra [n=straterr@2001:470:8a81:0:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 15:19 < kyrix> yeah, googling that line pretty much gives you the solution: http://openvpn.net/archive/openvpn-users/2007-10/msg00033.html 15:19 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN client on Vista (at openvpn.net) 15:20 < kyrix> so maybe running as administrator doesn't work, you might have to find the right rights ;) but that's vista, no idea 15:20 < reiffert> http://i33.tinypic.com/20ksw89.gif 15:21 < max06> kyrix, trying it :) 15:21 < max06> it wouldn't be a big problem if it won't work 15:21 < max06> at the moment it's only for testing 15:22 < kyrix> reiffert: very funny 15:24 < kyrix> have to go, good luck 15:24 < max06> thanks 4 help :) 15:24 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has joined ##openvpn 15:27 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has quit ["Leaving"] 15:33 -!- d0wn [n=d0wn@unaffiliated/d0wn] has joined ##openvpn 15:33 < d0wn> I'm receiving a weird error on my client's end. I'm new to OpenVPN, so I'm not too sure how to handle this 15:33 < d0wn> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=26] 15:33 < d0wn> My client is running Windows Vista, btw 15:34 < d0wn> !logs 15:34 < vpnHelper> d0wn: "logs" is please pastebin your logfiles from both client and server with verb set to 6 15:34 < d0wn> !configs 15:34 < vpnHelper> d0wn: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn, or (#2) don't forget to include any ccd entries 15:34 < max06> d0wn, try the latest RC 15:35 < max06> I have the same problem at the moment 15:35 < MaoaM> we're just about to solve it.
15:36 < max06> right :) 15:36 < d0wn> max06: i'm using OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007 15:36 < max06> yes, we too 15:36 < max06> on debian, but the same build 15:37 < d0wn> Whoops. my bad. i thought i had the latest build 15:37 < max06> no 15:37 < max06> the server is ok 15:37 < max06> it's a problem with vista 15:37 < d0wn> oh okay 15:37 < d0wn> ohh 15:37 < d0wn> my bad 15:37 < max06> the damn UAC...^^ 15:37 < d0wn> I have UAC disabled 15:37 < max06> yes 15:37 < max06> in addition you need the latest RC 15:38 < max06> (google told me...) 15:38 < MaoaM> ... or any version since rc4? 15:38 < d0wn> alright, one second while i download it 15:38 < max06> MaoaM, google told me :D 15:39 < d0wn> will my keys and configs stay the same, or should I make backups? 15:39 < max06> they won't change 15:39 < d0wn> Okay, just checking 15:40 -!- davidj2 [n=david@cpe-075-181-132-163.carolina.res.rr.com] has quit ["Ex-Chat"] 15:40 < d0wn> I felt so ashamed earlier when I couldn't figure out why the TAP driver wouldn't install, and I found out that I was clicking the "Do not install driver" instead of "Install anyways" 15:41 < MaoaM> :D 15:41 < max06> but you found the fault :) 15:41 < d0wn> Haha, yes, I did. I was about to join here and ask for assistance with it 15:42 -!- penrod[1] [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit ["Wow! What a great client! Bersirc 2.2 [ http://www.bersirc.org/ - Open Source IRC ]"] 15:42 < max06> the first time i tried openvpn 15:42 < max06> I found a script named bridge-start 15:43 < max06> i will never execute this script again! 15:43 < MaoaM> what happened? 15:44 < d0wn> I used to get BSOD when I bridged connections over Windows. it was terrible 15:44 < max06> I needed to write a ticket for a manual restart of the server....^^ 15:46 < d0wn> Hmm.. Something is up with my dh1024.pem.
Once I stopped my OpenVPN server, and tried to restart it, it's giving me errors that the file doesn't exist 15:46 < MaoaM> froze up the whole server? 15:47 < d0wn> Weird, nevermind, the server started this time 15:48 < max06> ok, the latest build works perfectly 15:49 < d0wn> That error is gone for me as well now, however, my ip does not appear to be changing at all, so I don't believe that my traffic is hitting the VPN at all 15:50 < max06> your external ip? 15:50 < d0wn> yes 15:50 < max06> If you followed the instructions in the howto 15:50 < d0wn> I'm assuming that this is an error in my configuration 15:50 < d0wn> Yes, I did 15:50 < max06> you won't surf the internet 15:50 < d0wn> Ah 15:50 < max06> through the vpn 15:51 < max06> It's like a LAN-Party 15:51 < max06> without internet 15:51 < d0wn> how would I go about setting it up so that my traffic goes through the vpn? 15:51 < max06> only the connected clients can see the server (and if enabled) the other clients 15:51 < max06> hm, there are some parts in the howto 15:52 < max06> but i never used it 15:52 < max06> It wouldn't be as fast as with your normal home connection 15:52 < MaoaM> have to go now. thanks for your help. :) 15:52 -!- MaoaM [n=MaoaM@86.56.2.106] has left ##openvpn [] 15:52 < max06> even if the server is connected with 100mbit 15:52 < d0wn> I'm only using it for when I'm on unencrypted wifi hotspots 15:53 < max06> ah, yes 15:53 < max06> good idea 15:53 < max06> hm... moment 15:54 < max06> http://openvpn.net/index.php/documentation/howto.html#redirect 15:54 < vpnHelper> Title: HOWTO (at openvpn.net) 15:54 < max06> that would be the right one 15:55 < d0wn> Ah, thank you for that 15:55 < max06> np 15:55 < max06> i'll have to leave now 15:56 < max06> cya 15:56 -!- max06 [n=max06@agsb-4d048cfa.pool.mediaWays.net] has left ##openvpn ["Verlassend"] 16:00 < d0wn> Could anyone assist me with that?
I see where it says to put 16:00 < d0wn> push "redirect-gateway def1" into the configuration, however, is def1 supposed to be substituted with something? 16:15 < d0wn> Hmm, nevermind 16:39 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has joined ##openvpn 17:23 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has left ##openvpn [] 17:36 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:50 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 18:51 -!- nsar [n=nsar@121.1.18.241] has joined ##openvpn 18:52 < nsar> hello 18:52 < nsar> i have a strange problem 18:53 < nsar> i am trying to establish connection with a multipoint server connection but in the stderr output will always show me point to point connection 18:53 < nsar> what is wrong? 18:53 < nsar> for both of the clients that connect it will be p-t-p 18:56 -!- nsar [n=nsar@121.1.18.241] has quit [Client Quit] 18:56 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has joined ##openvpn 18:57 < tranceparance> hello there... is it possible to connect to multiple VPNs at the same time in Linux?
19:06 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has joined ##openvpn 19:54 -!- icebrew54 [i=proxy@static-71-117-242-28.ptldor.dsl-w.verizon.net] has quit [Remote closed the connection] 20:52 -!- tranceparance [n=trancepa@unaffiliated/tranceparance] has quit ["I'll be back :-)"] 20:52 -!- kyrix [n=ashley@91-115-191-81.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 20:53 -!- kyrix [n=ashley@93-82-10-119.adsl.highway.telekom.at] has joined ##openvpn 21:06 -!- intralanman [n=Raymond@va-67-76-163-209.sta.embarqhsd.net] has quit [Connection timed out] 21:08 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 21:26 -!- lkthomas_ [n=lkthomas@218.189.198.146] has quit ["Leaving"] 21:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 22:05 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has joined ##openvpn 22:06 * tjz ding dong 22:13 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has joined ##openvpn 22:16 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 22:21 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:37 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)] 22:37 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn 22:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit ["leaving"] 23:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:49 < tjz> hmm 23:49 < tjz> example 23:50 < tjz> about MULTI: bad source address from client problem 23:50 < tjz> one computer is 10.67.133.150 23:50 < tjz> another computer is 192.x.x.x.x 23:50 < tjz> i know we can fix this by setting up "client1" in ccd directory.. 
23:51 < tjz> client1 is the ovpn conf file we use here.. 23:51 < tjz> can we, like, auto-detect what lan the computer connecting from is using? 23:56 < tjz> To explicitly allow packets from 10.YYY.YYY.YYY, you need to use 23:56 < tjz> --iroute/-client-config-dir. 23:56 < tjz> what do you mean by that? --- Day changed Fri Feb 13 2009 00:00 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 00:02 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 00:02 < oc80z> sup. 00:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:58 -!- Thorashh [n=Andreas@e176010008.adsl.alicedsl.de] has joined ##openvpn 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:04 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:22 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 01:39 -!- Thorashh [n=Andreas@e176010008.adsl.alicedsl.de] has quit [] 01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:11 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 02:22 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: hardwire 02:23 -!- Netsplit over, joins: hardwire 02:27 < lolipop> Which is better, tun or tap 02:28 -!- kyrix [n=ashley@93-82-10-119.adsl.highway.telekom.at] has quit [Remote closed the connection] 02:37 < reiffert> lolipop: it's covered in the faq and in the howto. 02:53 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 02:53 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 03:02 -!- ykut_johny [n=ykut_joh@op.niser.org.my] has quit [Remote closed the connection] 03:31 < ScribbleJ> I'd say prefer tun unless you know you need tap for some reason.
03:33 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection] 03:33 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 04:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:43 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:05 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 05:05 < Error_X> Hi! Why can't I ping 10.0.0.100 from a client? Also the client loses its real Internet connection.. http://pastebin.com/m6c711db9 05:06 < reiffert> because you didn't add "def1" to redirect-gateway, told you twice before. 05:07 < Error_X> huh, you're good at remembering ppl :p 05:08 < Error_X> still doesn't work 05:08 < reiffert> paste routing table of client. 05:09 < Error_X> hm 05:09 < Error_X> of the client? 05:09 < reiffert> no, of the client. 05:09 < Error_X> I haven't set up a routing table for any client. 05:10 < reiffert> JUST DO IT! 05:10 < Error_X> uhm, how? ^^ 05:10 < reiffert> netstat -n -r 05:11 < Error_X> http://pastebin.com/m777ec1ed 05:12 < reiffert> Without starting openvpn, how does the client get to 10.0.0.100? 05:13 < Error_X> openvpn is open and connected 05:13 < Error_X> when I did the netstat command 05:13 < reiffert> yes, I see that. 05:13 < reiffert> Try to answer my question. 05:14 < Error_X> The client can't connect to 10.0.0.100 without starting openvpn 05:14 < Error_X> because 10.0.0.100 is @ home 05:14 < Error_X> 192.x.x.x is at work (Where I am now) 05:14 < reiffert> why are you using local 10.0.0.100 in openvpn server config? 05:14 < Error_X> because it should bind to the local address? 05:15 < reiffert> all right, add to server.conf: 05:15 < reiffert> push "route 10.0.0.0 255.255.255.128" or whatever is your netmask. 05:16 < Error_X> that's it? 05:16 < reiffert> you tell me. 05:16 < reiffert> btw, what data are you transferring over the tunnel, mostly tcp or udp data?
05:17 -!- Error_X^ [n=Error_X@77.241.102.86] has joined ##openvpn 05:17 < Error_X^> shit, gets disconnected when I stay connected too long at the VPN. 05:18 < reiffert> 12:21 < Error_X> that's it? 05:18 < reiffert> 12:21 < reiffert> you tell me. 05:18 < reiffert> 12:22 < reiffert> btw, what data are you transferring over the tunnel, mostly tcp or udp data? 05:18 < Error_X^> tcp data 05:19 < reiffert> then change proto to udp 05:19 < reiffert> http://sites.inka.de/~W1011/devel/tcp-tcp.html 05:19 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de) 05:19 < Error_X^> can't.... because I have to connect to the VPN via proxy when I'm offshore 05:19 < Error_X^> and as I understood, you can't proxy via udp 05:19 < reiffert> use port udp/53, it will work. 05:20 < reiffert> (directly and without proxy) 05:20 < Error_X^> ok. 05:20 < Error_X^> why port 53? 05:20 < reiffert> DNS. 05:21 < Error_X^> you want me to set openvpn to port 53? That port is already used by bind 05:21 < reiffert> however, did route "push ..." fix your problem? 05:21 < Error_X^> no 05:21 < reiffert> Then paste firewall settings of your server. 05:22 -!- Error_X [n=Error_X@77.241.102.86] has quit [Read error: 60 (Operation timed out)] 05:22 < Error_X^> it's a router, but hold on 05:23 < reiffert> OS? 05:24 < reiffert> brb, out for a smoke 05:25 < Error_X^> Linux 05:25 < Error_X^> http://pastebin.com/m63bf25fb 05:28 < tjz> any way to fix MULTI: bad source address from client problem ? 05:28 < tjz> for roadrunners who surf around cafes 05:29 < cpm> what's the netblock of the destination lan? 05:30 < reiffert> Error_X^: paste: iptables -L -v -n 05:31 < reiffert> Error_X^: and run tcpdump -n -i tun0 proto ICMP 05:31 < reiffert> Error_X^: then do on the client: ping -t 10.0.0.100 05:31 < reiffert> see the icmp ping packets arriving with tcpdump?
05:33 < Error_X^> nope 05:33 < Error_X^> 0 packets captured 05:33 < Error_X^> 0 packets received by filter 05:33 < Error_X^> 0 packets dropped by kernel 05:33 < reiffert> remove the push "route 10.0.0.0 255.255.255.128" from the server.config 05:34 < reiffert> reconnect 05:34 < reiffert> let tcpdump run 05:34 < reiffert> and let the ping run as well 05:35 < Error_X^> still nothing... 05:35 < reiffert> start wireshark on the client, do you see the packets on the right adapter 05:35 < reiffert> ? 05:36 < Error_X^> 2 sec.. need to download it first 05:40 < Error_X^> yes: 14 4.204937 10.8.0.6 10.0.0.100 ICMP Echo (ping) request 05:44 < Error_X^> strange... 05:46 < reiffert> all right 05:46 < reiffert> tel, just a sec 05:50 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn [] 05:54 < reiffert> Error_X^: all right 05:54 < reiffert> So packets leave your client. 05:55 < reiffert> But don't arrive on the server side. 05:55 < reiffert> paste the complete firewall. 05:55 < reiffert> iptables -t filter -L -v -n 05:55 < reiffert> iptables -t nat -L -v -n 05:55 < reiffert> iptables -t raw -L -v -n 05:55 < reiffert> iptables -t mangle -L -v -n 05:59 < Error_X^> http://pastebin.com/m6f801724 06:02 < reiffert> paste: ifconfig -a 06:03 < reiffert> paste: cat /proc/sys/net/ipv4/ip_forward 06:03 < Error_X^> http://pastebin.com/m53d17523 06:03 < Error_X^> ip_forward returns: 0 06:04 < reiffert> echo 1 > /proc/sys/net/ipv4/ip_forward 06:04 < reiffert> run tcpdump -n -i tun0 06:04 < reiffert> and let the client do a ping -t 10.8.0.1 06:05 < reiffert> or 10.0.0.100 06:11 < reiffert> you don't say anything, which means that it works. 06:11 -!- kyrix [n=ashley@93-82-7-185.adsl.highway.telekom.at] has joined ##openvpn 06:15 < Error_X^> nope 06:15 < Error_X^> :-/ 06:16 < reiffert> paste server and client config again 06:16 < reiffert> wait. 06:16 < reiffert> can you ping anything else from the client?
06:22 < Error_X^> nope, not even internet 06:22 < Error_X^> well, I can ping myself 06:22 < Error_X^> 10.8.0.6 ( The address I am given) 06:23 < reiffert> all right, change verbose level to 6 and paste client and server log 06:23 < Error_X^> Sure thing. 06:24 < Error_X^> will be disconnected.. 06:24 < Error_X^> brb 06:26 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 06:30 -!- Error_X^ [n=Error_X@77.241.102.86] has quit [Read error: 60 (Operation timed out)] 06:31 < Error_X> http://pastebin.com/m6b17f9c4 <- server log 06:32 < Error_X> http://pastebin.com/m214a174c <- client log 06:36 < reiffert> paste current config files. 06:42 < Error_X> http://pastebin.com/m7808525d <- client 06:43 < Error_X> http://pastebin.com/m7d3321b7 <- server 06:44 < reiffert> ok. server change: 06:44 < reiffert> # 06:44 < reiffert> server 10.8.0.0 255.255.255.128 06:45 < reiffert> to 06:45 < reiffert> server 10.8.0.0 255.255.255.255 06:45 < reiffert> wrong 06:45 < reiffert> change to server 10.8.0.0 255.255.255.0 06:45 < reiffert> comp-lzo no 06:46 < reiffert> remove both lines: 06:46 < reiffert> # 06:46 < reiffert> push "route 10.0.0.0 255.255.255.128" 06:46 < reiffert> # 06:46 < reiffert> push "redirect-gateway def1" 06:46 < reiffert> change proto to udp, JUST FOR NOW. 06:46 < reiffert> you fucked up the client config 06:46 < reiffert> # 06:46 < reiffert> # Windows needs the TAP-Win32 adapter name 06:46 < reiffert> # 06:46 < reiffert> # from the Network Connections panel 06:46 < reiffert> # 06:46 < reiffert> # if you have more than one. On XP SP2, 06:46 < reiffert> # 06:46 < reiffert> # you may need to disable the firewall 06:46 < reiffert> # 06:46 < reiffert> # for the TAP adapter. 06:47 < reiffert> and comp-lzo no as well 06:47 < reiffert> why not get back to the howto for an example working config and change it from there, once it's working? 06:50 < Error_X> hey!
I can ping the server on 10.8.0.1 06:50 < Error_X> and also access the samba server on it 06:50 < Error_X> made the changes you told me 06:51 < Error_X> now I need to get in contact with the rest of my home network ^^ 06:56 < reiffert> just change one thing at a time. 06:57 < Error_X> true 06:57 -!- Error_X [n=Error_X@77.241.102.86] has left ##openvpn [] 06:57 -!- Error_X [n=Error_X@77.241.102.86] has joined ##openvpn 07:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:10 -!- sterna [n=jype@91.185.195.204] has joined ##openvpn 07:10 < sterna> hi 07:11 < sterna> one of my users has problems, allegedly since updating his xpsp3 windows 07:11 < sterna> have there been any reports of windows tun/tap driver issues? 07:11 < sterna> tcpdump shows he receives packets on the tap driver, but userspace apps seem not to get them 07:12 < sterna> i.e. ping timeouts, but if he puts wireshark on his tap interface, he can see both icmp requests and replies 07:12 < sterna> his firewalls are disabled, i think 07:14 < reiffert> http://openvpn.net/index.php/documentation/change-log/changelog-21.html 07:14 < vpnHelper> Title: 2.1 Change Log (at openvpn.net) 07:15 < reiffert> openvpn for windows comes with some .bat files. you can have them uninstall all interfaces and add a new one. try that. 07:15 < ecrist> good morning, bitches 07:17 < reiffert> morning ecrist 07:17 < sterna> thanks 07:24 < kyrix> thanks too :) 07:26 -!- Error_X [n=Error_X@77.241.102.86] has quit [] 07:28 -!- kyrix [n=ashley@93-82-7-185.adsl.highway.telekom.at] has quit ["Leaving"] 07:59 -!- [gnubie] [n=[gnubie]@119.56.59.7] has joined ##openvpn 07:59 * [gnubie] waves 07:59 < [gnubie]> is there a good java openvpn client? 08:00 < reiffert> this is #openvpn and there is not. 08:02 < [gnubie]> reiffert: yes, i know this is #openvpn .. i am looking for a good java openvpn client that is for openvpn 08:03 < reiffert> there is none. 08:04 < [gnubie]> i see.. thanks..
;) 08:09 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"] 08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:37 -!- [gnubie] [n=[gnubie]@119.56.59.7] has quit ["Leaving"] 08:41 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)] 08:56 < tjz> any solution to fix MULTI: bad source address from client problem ? (in the event where the user is logging in from a different location) 09:12 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has joined ##openvpn 09:36 < ecrist> tjz: what does google say about that error? 10:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:35 -!- spiderr [n=cfowler@mail.viovio.com] has joined ##openvpn 10:36 -!- spiderr [n=cfowler@mail.viovio.com] has left ##openvpn [] 10:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:37 < tjz> :( 10:37 < tjz> keep asking me to add them in ccd/ 10:37 < tjz> there are so many lan IPs.. 10:37 < ecrist> ask krzee, he's the expert 10:37 < tjz> can't expect me to add them.. 10:38 * tjz was hoping for mr jeff 10:38 < tjz> lol 10:38 < krzee> hah 10:38 < tjz> omg 10:38 < tjz> now he is here 10:38 < tjz> lol 10:39 < tjz> krzee.. 10:39 < tjz> any solution to fix MULTI: bad source address from client problem ? (in the event where the user is logging in from a different location, e.g. a different computer lan ip) 10:40 < krzee> paste the real line 10:40 < krzee> i wanna know what the ip it reports is 10:42 < krzee> ie: is it the client's real ip, is it a machine on the lan, etc 10:43 < tjz> the machine on the lan 10:43 < tjz> MULTI: bad source address from client [10.0.1.199], packet dropped 10:44 < krzee> and 10.0.1.199 is another machine on the lan that you want routing through the vpn?
10:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:45 < tjz> nope 10:46 -!- v0lksman [n=shayne@ottawa-hs-64-26-169-151.s-ip.magma.ca] has joined ##openvpn 10:46 < tjz> previously, i had this in my "ccd" directory 10:46 < tjz> iroute 192.168.1.0 255.255.255.0 10:46 < tjz> to fix the MULTI problem 10:47 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has joined ##openvpn 10:48 < v0lksman> hey all...I setup a site to site VPN and everything works. However my problem is xfer over the VPN is dog slow. It's not a connection issue cause scp over ssh between the same networks over the public net works fast..just over VPN...any pointers on what to look for? 10:49 < Matt___> ping. hello. i have the misfortune of running XP here. i have set up a VPN, i can ping 10.8.0.1, but i can't establish a connection using the M$ vpn client 10:49 < Matt___> any pointers? 10:50 < krzee> tjz, WHO is 10.0.1.199 ?? 10:50 < v0lksman> Matt___: are you using OpenVPN Gui for the client? 10:50 < krzee> v0lksman, hows the cpu / io on the box during slow xfer? 10:50 < Matt___> no, but i have it available. 10:51 < v0lksman> krzee: non-existent on both sides (both being linux boxes with load average 0) 10:51 < krzee> v0lksman, try using no encryption (cipher none) just to see if it speeds up 10:51 < v0lksman> Matt___: I setup using the Gui and had no issues...worked great 10:51 < krzee> not perm solution, but for tracking down the issue 10:51 < v0lksman> krzee: cool..will try... 10:51 < krzee> Matt___, MS vpn client is for MS vpns 10:52 < krzee> Matt___, you need to use openvpn on the xp box 10:52 < Matt___> ok. i am brand-new to vpn btw.
i always use ip-restricted ssh for remote access myself 10:52 < Matt___> my boss has decided he needs remote access, so vpn seemed like the way to go 10:53 < krzee> yup 10:54 < Matt___> so, if you don't mind indulging my ignorance, how would this work - he wants to be able to browse our office network as though he was onsite 10:54 < krzee> like windows shares? 10:55 < Matt___> i suppose so yes 10:55 < Matt___> i am NOT an IT guy - i'm a friggin chemical engineer who programs lol; this is all new to me 10:56 < krzee> running on linux with samba or windows? 10:56 < krzee> umm 10:56 < Matt___> windows 10:56 < krzee> you dont have an IT guy? 10:56 < Matt___> nope. we're a small outfit 10:56 < krzee> vpns are advanced networking 10:57 < Matt___> well it'll be an uphill battle then 10:57 < krzee> cool 10:57 < Matt___> what else is new!? 10:57 < krzee> with some reading you should be fine 10:57 < Matt___> yeah RTFM is my motto 10:57 < krzee> you will want to use bridged mode 10:57 < krzee> imo it's harder to setup 10:57 < krzee> but it will let him see windows shares with no magic 11:01 < Matt___> well, the problem i appear to be having now is that when i try to start the client, it says it can't resolve the server - i think i may have misentered the servername, but i don't see where the servername is declared anywhere - is there a place where i can verify the server name or do i have to throw everything away and go through the cfg process again?
11:03 < krzee> !configs 11:03 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn, or (#2) don't forget to include any ccd entries 11:08 < v0lksman> krzee: cipher none doesn't seem to make any difference...I'm going to try fragmenting...it seems like it just hangs after a while on large file xfers (small ones <1k xfer fine) 11:09 < krzee> ahh 11:09 < krzee> !mtu 11:09 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 11:09 < krzee> use #2 11:09 < krzee> see if it suggests a diff mtu 11:14 < tjz> krzee, 10.0.1.199 is another user.. 11:15 -!- sterna [n=jype@91.185.195.204] has left ##openvpn [] 11:15 < tjz> from another computer connecting to the vpn server 11:17 < krzee> tjz, if it's directly connected to the vpn and giving that error, and owns 10.0.1.199 personally, i think its messed up NAT rules 11:18 < v0lksman> interesting...with --mtu-test it says it's starting the test and to wait...then about 2 minutes later the connection recycles itself... 11:19 < tjz> hmm 11:19 < krzee> v0lksman, heh never heard of that happening 11:19 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 11:20 < v0lksman> yeah this is bizarre 11:20 < krzee> v0lksman, you are using udp right?
11:20 < v0lksman> yep 11:20 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has joined ##openvpn 11:20 < krzee> and tun 11:20 < v0lksman> tap 11:21 < tjz> krzee, the problem is similar as described here: http://openvpn.net/archive/openvpn-users/2007-07/msg00184.html 11:21 < vpnHelper> Title: Re: [Openvpn-users] MULTI: bad source address from client [217.164.246.54], packet dropped (at openvpn.net) 11:23 < krzee> i think he prolly had a NAT issue too 11:23 < krzee> I've seen that error a bunch of times, but here's why... 11:24 < krzee> the client is sending packets to tun0 endpoint while using src address of eth0 11:24 < krzee> which to me points me straight to a NAT issue 11:26 < v0lksman> krzee: I used this when I was building my configs...is it outdated by chance? 11:26 < v0lksman> http://www.thebakershome.net/openvpn_tutorial?page=1 11:26 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 11:27 < krzee> why are you bridging? 11:27 < tjz> krzee, how to solve it? ^_^ 11:28 < krzee> tjz, check firewall rules and fix 11:28 < v0lksman> krzee: just seemed easier than routing 11:28 < tjz> hmm 11:29 < krzee> v0lksman, using any layer2 traffic over vpn? 11:29 -!- Matt___ [n=chatzill@rrcs-71-40-233-125.sw.biz.rr.com] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"] 11:29 < v0lksman> don't think so...not at this time 11:29 < krzee> !tunortap 11:29 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead. 11:30 < v0lksman> hrm...
11:31 < tjz> it's 1.36am 11:31 < tjz> will be back later 11:31 < tjz> :P 11:31 -!- tjz [n=tjz@bb116-15-193-230.singnet.com.sg] has quit ["bbl"] 11:32 < plaerzen> hi guize 11:33 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has joined ##openvpn 11:33 -!- mode/##openvpn [+o krzee] by ChanServ 11:34 -!- mode/##openvpn [-b *!*@*.cust.bredbandsbolaget.se] by krzee 11:34 -!- mode/##openvpn [-o krzee] by ChanServ 11:34 < jacktow> why is installing the TAP driver on windows an option in the installation, if it's required for openvpn to run? 11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:47 < v0lksman> krzee: so I switched to a routed connection. haven't setup any routes yet but just as a test I sent a file to 10.8.0.1 and the same behavior. looks like it's xfering but there is no traffic... 11:47 < v0lksman> but I can load a web site sitting on 10.8.0.1 11:48 < krzee> no traffic or slow? 11:48 < v0lksman> well it's slow then dies out 11:48 < v0lksman> mtu reports 1557 not really sure what that means though... 11:48 < v0lksman> I assume that is more than enough? 11:49 < v0lksman> sorry...its just slow...just saw some bits going through 11:49 < krzee> that means default is good 11:50 < krzee> for MTU 11:52 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 11:56 < v0lksman> http://dpaste.com/120254/ my configs if you can see anything out of place.. 11:58 < krzee> and top shows mostly free cpu when the xfer is slow? 
11:58 < v0lksman> yep...server side is virtually 0 11:59 < krzee> thats a nice config 11:59 < krzee> check client side too tho 11:59 -!- jacktow [n=mike@124-171-47-1.dyn.iinet.net.au] has left ##openvpn [] 12:00 < krzee> as far as your config goes 12:00 < v0lksman> client side is a pretty beefy dual core...even that though is running 0.2 average 12:00 < krzee> you are doing everything right 12:00 < v0lksman> krzee...well that's a good start... ;) wonder if it's the stupid provider DPI crap 12:00 < krzee> im not interested in load avgs, just spikes during xfer 12:00 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 12:01 < v0lksman> krzee: no spikes either.. 12:02 < krzee> hrm 12:02 < krzee> anything in firewall? 12:02 < krzee> QOS maybe? 12:02 < v0lksman> nope...no QOS 12:03 < v0lksman> anything else I may not know about in standard Linksys routers mebbe? 12:03 < v0lksman> that's all there is on both sides really 12:03 < krzee> nah once you make the connection its just AES traffic that the routers pass 12:04 < krzee> and no change with cipher none? 12:04 < v0lksman> nope...made no difference 12:04 < krzee> you got me dude 12:04 < krzee> maybe someone else has an idea 12:04 < krzee> OH 12:05 < krzee> see what happens if you change both to TCP 12:05 < krzee> thats the only diff between your test with and without vpn, maybe your provider is rate limiting UDP for some stupid reason 12:05 < v0lksman> yeah I think I tried that this morning and it just timed out...can try again...gimme a sec...trying a different port (known trick with one of the providers in use here) 12:06 < v0lksman> it's possible...one side has a limited connection but I was under the impression they didn't touch this traffic...could be wrong though 12:11 < krzee> you dont WANT tcp 12:11 < krzee> but sometimes you need it 12:11 < krzee> !tcp 12:11 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:11 < krzee> thats what you should know before using tcp 12:12 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Connection timed out] 12:14 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 12:22 -!- xattack [i=xattack@132.248.214.65] has joined ##openvpn 12:22 < v0lksman> !route 12:22 < vpnHelper> v0lksman: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 12:23 -!- xattack [i=xattack@132.248.214.65] has left ##openvpn [] 12:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:33 < v0lksman> what is ccd? 12:34 < v0lksman> sry...still reading.. ;) 12:36 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn 12:42 < reiffert> !ccd 12:42 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 12:47 < v0lksman> ok...the routing example provided by the bot is a little more than I want...I don't need all my clients to talk to each other...they just need access to the remote LAN...is there a simplified version of that doc for that? 12:57 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 13:01 < krzee> the point is to understand what every command in the doc does 13:01 < v0lksman> arg...sorry folks.. I added a push "route" command with the IP range of the LAN behind the server. when I connect I still can't ping anything in that LAN... 
13:01 < krzee> and use that to your needs 13:01 < v0lksman> krzee: yah I had skimmed a little..but I've re-read a couple times now and think I got it 13:01 < krzee> gotta go, bbl 13:02 < v0lksman> l8s 13:02 < krzee> if lan is behind server you need a push route only 13:02 < krzee> but 13:02 < krzee> if openvpn is not on the router for that lan 13:02 < krzee> you would also need a route added to the router or every box that needs to communicate over the vpn 13:02 < krzee> as described at bottom 13:03 < krzee> adios 13:03 < v0lksman> thanks dude 13:03 < krzee> np 13:06 -!- d0wn_ is now known as d0wn 13:18 < v0lksman> !mtu 13:18 < vpnHelper> v0lksman: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 13:25 < v0lksman> anyone know the difference between "fragment" and link-mtu? 13:25 < reiffert> --fragment max 13:25 < reiffert> Enable internal datagram fragmentation so that no UDP datagrams 13:25 < reiffert> are sent which are larger than max bytes. 13:26 < reiffert> --link-mtu n 13:26 < reiffert> Sets an upper bound on the size of UDP packets which are sent 13:26 < reiffert> between OpenVPN peers. 13:26 < v0lksman> right...so really what is the difference...they both limit the size of the UDP packet... 13:27 < reiffert> head your eyes to the manpage, read what comes next at --fragment. 13:35 < v0lksman> well I'm baffled...my setup works with fragment 1400...as soon as I add mssfix it breaks again...link-mtu also breaks it... 13:42 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn 13:43 -!- gallatin [n=gallatin@dslb-092-073-253-015.pools.arcor-ip.net] has joined ##OpenVPN 13:44 < firecrotch> I've tried searching and have come up with nothing that I can figure out with regards to this: How can I set the subnet mask on the client when using tun mode? 13:45 < ecrist> firecrotch: you can't, really. 
13:45 < ecrist> why do you want to? 13:47 < firecrotch> I basically want all of the remote machines that I (will) have to be on separate subnets per state 13:48 < ecrist> the howto discusses such things. 13:48 < firecrotch> so that for example, all of my machines in Wisconsin are on one subnet, Illinois on another, etc 13:48 < ecrist> they use a different example, admins and non-admins 13:51 < firecrotch> I had read somewhere that openvpn 2.1 has a subnet-topology config option that would do what I want but I can't find any docs on that 13:51 < ecrist> !betaman 13:51 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html 13:52 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn 13:52 < firecrotch> thanks 13:55 < firecrotch> Hmmmm, it looks to me as if using tap would work out easier for my situation, but are there any caveats to using tap instead of tun ? 13:56 < ecrist> tap is a bigger pain to set up, and unless you're doing ethernet protocol stuff, tun is the correct protocol 13:57 < firecrotch> ecrist: thanks 13:57 < straterra> I only use tun 13:58 < straterra> err, rap 13:58 < straterra> TAP..grr 14:08 < firecrotch> do I have to use tap if I need the client computers to access other computers on the server's subnet? 
14:09 < ecrist> no 14:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:22 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."] 14:41 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn [] 14:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:53 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn 15:19 -!- PiousMinion [n=clay@7-167.106-97.tampabay.res.rr.com] has quit ["Leaving."] 15:45 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn 15:45 -!- gallatin [n=gallatin@dslb-092-073-253-015.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 15:47 < hiptobecubic> My vpn has stopped managing to connect. I'm not sure what's up. Here are some logs. server: http://rafb.net/p/u1vZm696.html Client: http://rafb.net/p/O8CW2758.html 15:47 < vpnHelper> Title: Nopaste - # tail /var/log/messages; (at rafb.net) 15:48 < krzee> !logs 15:48 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:48 < krzee> verb 6 16:00 < ecrist> moo 16:03 < krzee> i went to a thai coffee shop 16:03 < krzee> thai chicks serving coffee in lingere 16:03 < krzee> was dopeness 16:04 < reiffert> http://en.wikipedia.org/wiki/Lingerie that? 16:04 < vpnHelper> Title: Lingerie - Wikipedia, the free encyclopedia (at en.wikipedia.org) 16:04 -!- zapp [n=zapp@fuji05.math.uni-bielefeld.de] has joined ##openvpn 16:05 -!- zapp [n=zapp@fuji05.math.uni-bielefeld.de] has quit [Client Quit] 16:06 < reiffert> Drinking coffee from lingeries sounds a bit strange. 16:10 < krzee> the girls were in it 16:10 < krzee> lol 16:13 < reiffert> "were" .. and gave you all they have had! 
16:15 < krzee> hahah 16:15 < krzee> woulda been nice 16:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 17:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 17:28 < reiffert> /bin/sh: figlet: command not found 17:35 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Read error: 110 (Connection timed out)] 17:49 -!- constantine [n=constant@70.91.232.102] has joined ##openvpn 17:50 < constantine> hi, I'm installing open vpn on intrepid and it says cisco compatible vpn as the only available option 17:50 < constantine> how do I know if this is right for my connection? 17:50 < reiffert> openvpn != cisco vpn compat. 17:52 < constantine> and where do I get the settings for the vpn connection? 17:54 < constantine> you don't say! lol 18:00 < constantine> is there a way to set this up to work with any found signal 18:01 < reiffert> dude I have no idea about what you are talking. 18:02 < constantine> this is openvpn? 18:02 < reiffert> no, this is openvpn. 18:03 < constantine> meaning? 18:03 < ScribbleJ> Wow, all I need is a waiter to deliver me a flaming phonebook now. This is surreal. 18:03 < reiffert> ScribbleJ: wtf? 18:04 < ScribbleJ> openvpn has nothing to do at all with 'cisco compatible vpn' - if you see an option like that, whatever you are asking about is not openvpn. 18:04 < constantine> I installed it but can't find it anywhere 18:04 < constantine> the forums said it would be under network manager but the only thing there is what I described 18:04 < constantine> OPENVPN that is 18:04 < ScribbleJ> Did you try looking for e.g. /bin/openvpn, /sbin/openvpn, /etc/openvpn, or asking your package manager where it was installed? 18:05 < ScribbleJ> I do not use Redhat, but I am /certain/ its package management has a way to tell you where package files were installed. 18:05 < reiffert> ScribbleJ: flaming phonebook sounds like Cohen brothers or Tarantino...? 
18:06 < reiffert> /usr/sbin/openvpn 18:06 < ScribbleJ> reiffert, actually, I think it was Picasso, but I heard the quote originally from an untrustworthy source, so not sure. 18:07 < ScribbleJ> No 18:07 < ScribbleJ> Dali 18:07 < ScribbleJ> My bad. 18:07 < ScribbleJ> "Salvador Dali used to complain that there wasn't enough surrealism in the world. He said it was a shame that when you went to a restaurant and ordered a nice piece of fish the waiter never brought you a flaming phone book." 18:07 < constantine> I'm in synaptic but I'm new and I've never done this 18:07 < reiffert> hehehe 18:07 < constantine> what kind of file am I looking for? 18:08 < ScribbleJ> OH 18:08 < ScribbleJ> HAhahaa 18:08 < reiffert> constantine: you are looking after a strategy. something to follow after. something with a goal. 18:08 < ScribbleJ> Constantine, I suck, I know ubuntu well 18:08 < ScribbleJ> Dunno why I thought you were on Redhat. 18:08 < ScribbleJ> I always use it from the commandline, though, so dunno about helping with your clicky problem. 18:09 < ScribbleJ> You should be able to configure your .conf file in /etc/openvpn/ and then the system will be configured by default to connect to the vpn at boot. 18:09 < ScribbleJ> Or if you do not want that, put it elsewhere and start manually with e.g. 'sudo openvpn ~/myvpns/client.conf' 18:10 < ScribbleJ> Or, if you want to know the Ubuntu Way, ask in #ubuntu or something I guess. Heh 18:11 < constantine> heh is right 18:11 -!- constantine [n=constant@70.91.232.102] has left ##openvpn ["Leaving"] 18:12 < ScribbleJ> Was he being a dick? I'm never sure. 18:14 < reiffert> next problem will be: To whom should he/she connect ... 18:15 < reiffert> 00:57 < constantine> and where do I get the settings for the vpn connection? 18:15 < ScribbleJ> OH boy 18:16 < ScribbleJ> Interestingly enough I have a neato 'configure vpn' button on my ubuntu desktop, but it does nothing. 18:17 < reiffert> I run fvwm2, I dont do buttons. 
18:17 < ScribbleJ> Oh, probably because I'm not letting Ubuntu Network Manager manage my network. Shame on me. Oh well. 18:17 < ScribbleJ> I did xfce4 for a long time but I started using Gnome lately since it just seems like you have to to get 'stuff' to be supported in Ubuntu. 18:18 < reiffert> really? Time to get something new then... 18:18 < ScribbleJ> Yeah, maybe it's just me, I can't think of any particulars. 18:19 < reiffert> What stuff are you onto, anything you cant do by typing some letters in a terminal window? 18:19 < ScribbleJ> Hahaha, no, 18:19 < ScribbleJ> I suppose my only gripe has been with gui config tools. 18:19 < ScribbleJ> They are mainly tied into gconf for Ubuntu... 18:19 < ScribbleJ> And not well supported then in 'xubuntu' 18:20 < ScribbleJ> But I tend to use the commandline for everything so I can't even think what it was that pissed me off enough to change. 18:20 < ScribbleJ> Maybe it was when I was fucking with compiz, that I'm not even using anymore. 18:21 < reiffert> Last time gnome I tried to get a Wireless LAN working automatically at a girl's notebook. 18:21 < reiffert> I decided to stop fscking with the ubuntu/gnome and put some lines into networking/interfaces file. 18:22 < ScribbleJ> Yeah, seems like the way to go. Debian set things up well, Ubuntu's friendliness sometimes is its own greatest weakness. 18:23 < reiffert> I like OS X. 18:23 < ScribbleJ> My girlfriend came with an OSX notebook, and I've played with it a little and liked how it is a GNU-type system underneath. 18:24 < ScribbleJ> But my total experience consists of pretty much setting up openvpn on it. Heh. 18:24 < reiffert> ah well, apple took gnu source and modified it, so it's a strange mix of BSD and apple. 18:25 < reiffert> But all the GUI stuff *just works* and even when playing remotely, you can do everything even without the GUI. 18:25 < ScribbleJ> Well, that's how an OS should be, I suppose. 
18:26 < ScribbleJ> Now if only it didn't require expensive proprietary hardware. :( 18:27 < reiffert> yeah, but it's worth it, got mine for coding a hylafax java client :) 18:27 < ScribbleJ> Oh, interesting. 18:28 < ScribbleJ> There's so many cool projects out there, it's impossible to keep up. 18:29 < ScribbleJ> I've been knee-deep in code from CMU lately, their speech synthesis and speech recognition stuff, it's great fun toys. 19:47 -!- [intra]lanman [n=Raymond@freeswitch/developer/intralanman] has quit [Connection timed out] 19:54 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 20:20 -!- tjz [n=tjz@bb121-7-13-94.singnet.com.sg] has joined ##openvpn 21:14 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has joined ##openvpn 21:30 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has joined ##openvpn 21:33 -!- seldon [i=seldon@gateway/gpg-tor/key-0x02E0DA25] has quit [Remote closed the connection] 21:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 22:02 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:39 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: pa, clusterm1gnet, disco-, reiffert, hackel, dan__t, worch, Typone 22:39 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: T0aD, fpletzv6, smk, straterra, kaii 22:39 -!- Netsplit over, joins: clusterm1gnet, pa, hackel, dan__t, worch, disco-, reiffert, Typone 22:40 -!- Netsplit over, joins: fpletzv6, straterra, T0aD, kaii, smk 22:40 -!- hiptobecubic [n=john@nat072.wireless.miami.edu] has quit [Operation timed out] 22:42 * tjz 's a$$ got split 22:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 23:07 -!- blaxthos [n=blaxthos@64.94.108.181] has joined ##openvpn 23:07 < blaxthos> !route 23:07 < vpnHelper> blaxthos: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 23:08 < blaxthos> anyone 
have hefty lan <-> openvpn <-> cisco asa experience/skill ? 23:08 -!- tjz [n=tjz@bb121-7-13-94.singnet.com.sg] has quit ["bbl"] 23:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] --- Day changed Sat Feb 14 2009 00:36 -!- straterra [n=straterr@projectstfu.com] has quit ["Lost terminal"] 00:36 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 00:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 00:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 00:45 -!- straterra [n=straterr@projectstfu.com] has quit ["Lost terminal"] 00:45 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 00:50 -!- straterra [n=straterr@projectstfu.com] has quit [Client Quit] 00:50 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn 02:14 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 02:14 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 02:18 -!- Deesl [n=deesl@unaffiliated/deesl] has joined ##openvpn 02:18 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 02:18 < lavren> If I have a vpn router on my lan and my friend has one and we want to do a site-to-site VPN do I have to have my ns-cert-type as a client? 02:19 < lavren> if there are any gotchas with any of that in general let me know, but I think I have everything right 02:19 < lavren> one as the client? 02:19 < Deesl> who initiates the connection? 02:19 < lavren> He already has his setup if that's what you mean 02:20 < Deesl> nopes 02:20 < Deesl> who *starts* the handshake? 02:20 < lavren> he sent me his config (which I'm slightly modifying) 02:20 < lavren> I guess I will be then 02:20 < Deesl> ok so you should be the client 02:20 < lavren> I've done this before a long time ago, but not with this awesomely convenient software 02:20 < Deesl> and ns-cert should be client for you 02:20 < lavren> right, ok. 
02:20 < lavren> ok cool 02:21 < lavren> oh crap 02:22 < lavren> I think I have to recompile my kernel with support for what is it tun? 02:22 < lavren> I forget 02:22 < lavren> client 02:22 < lavren> dev tun 02:22 < lavren> proto udp 02:22 < lavren> 02:22 < lavren> remote 98.232.30.11 1194 02:22 < lavren> resolv-retry infinite 02:22 < lavren> route 192.168.0.0 255.255.255.0 02:22 < lavren> nobind 02:22 < lavren> daemon 02:22 < lavren> 02:22 < lavren> comp-lzo 02:22 < lavren> 02:22 < lavren> user nobody 02:22 < lavren> group nobody 02:22 < lavren> 02:22 < lavren> persist-key 02:22 < lavren> persist-tun 02:22 < lavren> keepalive 10 60 02:22 < lavren> ping-timer-rem 02:22 < lavren> 02:22 < lavren> ca /etc/openvpn/keys/ca.crt 02:22 < lavren> cert /etc/openvpn/keys/client1.crt 02:23 < lavren> key /etc/openvpn/keys/client1.key 02:23 < lavren> 02:23 < lavren> ns-cert-type server 02:23 < lavren> 02:23 < lavren> oops shit 02:23 < lavren> sorry 02:23 < lavren> I'm so tired 02:23 < lavren> out of it, my apologies 02:23 < lavren> I was going to copy =) 02:25 < lavren> oh this isn't going to work properly, I need to get a hub behind my VPN router and use it as a gateway for the computers behind it (which they are currently on the same subnet as the VPN router which in turn is behind my primary router) 02:26 < lavren> if my VPN router and his VPN router are connected to each other will they be able to access each other by NFS? 
I suppose not since they really aren't the virtual network but rather the link 02:26 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 02:28 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 02:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 02:46 -!- countd_ [n=countd@unaffiliated/countd] has joined ##openvpn 02:57 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 03:39 -!- c64zottel [n=hans@p5B1799FB.dip0.t-ipconnect.de] has joined ##openvpn 04:13 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn 04:15 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)] 04:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:26 < reiffert> http://hardware.slashdot.org/article.pl?sid=09/02/13/2337258 04:26 < vpnHelper> Title: Slashdot | Long-Term Performance Analysis of Intel SSDs (at hardware.slashdot.org) 05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 05:37 -!- countd_ [n=countd@unaffiliated/countd] has quit [Remote closed the connection] 06:39 -!- hackel [n=hackel@94-193-57-167.zone7.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 07:01 -!- mcp [n=mcp@wolk-project.de] has quit [Remote closed the connection] 07:41 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 07:50 -!- Netsplit niven.freenode.net <-> irc.freenode.net quits: meturaf, c64zottel, v0lksman, ScribbleJ, dvl 07:51 -!- Netsplit over, joins: c64zottel, v0lksman, ScribbleJ, meturaf, dvl 08:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:01 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 08:06 -!- Deesl [n=deesl@unaffiliated/deesl] has quit [] 08:09 -!- countd_ [n=countd@unaffiliated/countd] has joined ##openvpn 08:13 -!- countd_ 
[n=countd@unaffiliated/countd] has quit [Client Quit] 08:14 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn 08:24 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn 08:54 < stephenh> hi, i'm trying to push default route to clients, 08:54 < stephenh> but i keep getting bad source address from client, packet dropped 09:09 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has quit [Read error: 110 (Connection timed out)] 10:09 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn [] 10:29 -!- vincas [n=vincas@216.25.249.228] has joined ##openvpn 10:30 < vincas> Hi, I was wondering why the virtual addresses in openvpn-status.log (apparently) when openvpn is in bridging mode appear to be some kind of MAC address. How does it come by this, and why is it not the IP address issued to the client ? 10:31 < vincas> I'm using openvpn 2.1 10:40 -!- countd [n=countd@unaffiliated/countd] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."] 10:44 < reiffert> vincas: because ethernet frames are addressing mac addresses. 10:49 < vincas> reiffert: But I can't arping those mac addresses...of course, if I arping the IP addresses of the clients, it returns those macs....does openvpn generate these macs ? 10:54 < reiffert> yep. 10:55 < reiffert> They should start with 00:FF IIRC 10:56 < vincas> reiffert: Cool, thank you! 
:) 10:59 < vincas> Odd...I have one that starts with 0a:e0 11:02 < reiffert> http://openvpn.net/index.php/documentation/install.html?start=1 11:02 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net) 11:02 < reiffert> read 11:02 < reiffert> Notes -- Setting TAP-Win32 address/subnet automatically via DHCP 11:02 < reiffert> bbl, gone for girls 11:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:10 -!- dvl [n=nnnnnnnn@nyi.unixathome.org] has joined ##openvpn 12:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 12:06 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)] 12:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 12:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:43 -!- c64zottel [n=hans@p5B1799FB.dip0.t-ipconnect.de] has quit ["Leaving."] 14:09 < ecrist> afternoon, fuckers 14:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 14:21 -!- beaver74 [n=Helmut@unaffiliated/beaver74] has joined ##openvpn 14:23 < beaver74> hey, it is possible to connect clients over openvpn without this system having static ip adresses? 14:23 < ecrist> what is *this* system? 14:23 < beaver74> the involved to end-point of this tunnel 14:24 < ecrist> ah, sure, using a dynamic DNS of some sort. 14:25 < beaver74> there 2 router, and there have dynamic ips, connecting them over OpenVPN. This is possible with or without DDNS? 14:25 < ecrist> for reconnections, they'll likely need dynamic dns 14:25 < beaver74> ah, ok.. 14:26 < beaver74> if there is a third machine, running the server side, and having a static ip, can help to solve this? 14:27 < ecrist> yep 14:27 < beaver74> wow, nice... 14:27 < ecrist> then there's no need for DDNS 14:27 < beaver74> k, thx, ecrist 14:28 < beaver74> because on of that two machine without the third will act as that server?, is that right? 
14:28 < beaver74> -on +one 14:29 < ecrist> the static IP system would be server to both the dynamic ip systems 14:29 < beaver74> ok 14:30 < beaver74> thx again, bye 14:30 -!- beaver74 [n=Helmut@unaffiliated/beaver74] has left ##openvpn ["Leaving"] 14:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:33 < ecrist> facebook should change their name to 'Hook up with old girlfriends.' 14:34 < krzee> hah 14:34 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn 14:35 < Qantouri1c> VPN-server with road warriors ... possible with preshared key ? or only TLS ? 14:44 < Qantouri1c> Do road warriors need a resolvable DNS ? 14:46 < Qantouri1c> nvm 14:46 < Qantouri1c> client: key :p 14:46 < Qantouri1c> whoot :p 15:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 16:04 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has left ##openvpn [] 17:09 -!- upb [i=cmpxchg@closet-core1.ge1-0s3.cust1000158.rev.prq.se] has left ##openvpn [] 17:15 -!- mepholic [n=mepholic@star.emokid.nu] has joined ##openvpn 17:16 < mepholic> I've been reading about how in a bridged openvpn setup, you shouldn't assign a default gateway 17:16 < mepholic> this is because you'll lose connection to the openvpn server, right? 17:16 < mepholic> eh 17:16 < mepholic> via dhcp 18:01 < Qantouri1c> mepholic: depends on how smart / stupid the client os is 18:01 < Qantouri1c> will it take the newly suggested gateway or not ? 
18:02 < Qantouri1c> (often this can also be configured) 18:02 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has quit ["night"] 18:19 -!- carpe_ [n=carpe@174.0.97.175] has quit [Connection timed out] 18:20 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn 18:30 -!- v0lksman [n=shayne@ottawa-hs-64-26-169-151.s-ip.magma.ca] has left ##openvpn ["cheerio"] 18:42 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn 19:01 -!- carpe_ [n=carpe@174.0.97.175] has quit [Connection timed out] 19:02 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn 19:03 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"] 21:06 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 22:43 -!- tjz [n=tjz@bb116-15-75-97.singnet.com.sg] has joined ##openvpn 23:20 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn 23:20 < dmb> hey 23:20 < dmb> what does read UDPv4 [ECONNREFUSED]: Connection refused (code=111) mean? 23:22 < Kobaz> something is blocking the packets 23:22 < Kobaz> probably firewalling 23:23 < dmb> the client end shouldn't matter right? 23:25 < dmb> Kobaz, is there a way to use openvpn without udp? 
23:32 < dmb> hmm, i don't think thats a good idea (tcp in tcp) 23:39 < Kobaz> it works very well 23:39 < Kobaz> udp is the recommended protocol 23:41 -!- tjz [n=tjz@bb116-15-75-97.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] --- Log closed Sun Feb 15 00:36:51 2009 --- Log opened Sun Feb 15 00:37:13 2009 00:37 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 00:37 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal] 00:37 -!- Irssi: Join to ##openvpn was synced in 23 secs --- Log closed Sun Feb 15 00:55:16 2009 --- Log opened Sun Feb 15 10:41:26 2009 10:41 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 10:41 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal] 10:41 -!- Irssi: Join to ##openvpn was synced in 1 secs 11:10 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 11:13 -!- p4ch0 [n=p4ch0@190.69.224.12] has joined ##openvpn 11:14 -!- p4ch0 [n=p4ch0@190.69.224.12] has quit ["Leaving"] 11:47 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 11:48 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:08 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn 12:08 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)] 12:19 -!- mipshelpme [n=mips@host146-242-dynamic.43-79-r.retail.telecomitalia.it] has joined ##openvpn 12:19 < mipshelpme> hello! 12:19 < mipshelpme> can someone help me with an openvpn mystery? 12:23 < mipshelpme> I've a mips system, with busybox 1.00 + kernel 2.6.8.1 , but in my openvpn 2.1 rc15 no --mktun and the other options that I can see in other system with kernel 2.4+ it's available. It's normal? 12:31 < reiffert> mipshelpme: tell us more about your system please. 
12:33 < mipshelpme> thanks 12:35 < mipshelpme> mips system, with busybox 1.00 and minimal kernel 2.6.8.1 12:35 < mipshelpme> I rebuild kernel adding tun module 12:36 < mipshelpme> with busybox command cat /dev/net/tun it tell me "error: file descriptor in bad state" 12:36 < reiffert> Is it some kind of openwrt? 12:36 < mipshelpme> but if I use tun test source code it works correctly 12:37 < mipshelpme> it's the kernel of a router 12:37 < mipshelpme> dg834 12:38 < reiffert> And does your kernel and the openvpn belong to some kind of openwrt or dd-wrt or something similar? 12:38 < mipshelpme> I think 12:38 < mipshelpme> but not sure 12:39 < reiffert> I cant tell you anything related to kernel, hardware and busybox. Whats your openvpn question again please? 12:39 < mipshelpme> yes 12:39 < mipshelpme> the question is 12:40 < mipshelpme> that I understand why 12:40 < mipshelpme> in kernel 2.6.8.1 12:40 < mipshelpme> muy openvpn 12:41 < mipshelpme> in my openvpn I can't found the --mkdev option and the other options 12:41 < mipshelpme> available with 2.4+ kernel 12:42 < reiffert> there is no --mkdev in openvpn. 12:42 < mipshelpme> --mktun 12:42 < mipshelpme> sorry --mktun 12:42 < reiffert> Again, I cant tell you anything related to kernel versions. 12:43 < reiffert> Nor can I tell you why some software contains foo or bar, that someone was compiling. 12:43 < reiffert> Did you compile openvpn for yourself? 12:43 < mipshelpme> yes 12:44 < mipshelpme> by myself 12:44 < reiffert> Well, then check and diff the config.logs for each version 12:44 < mipshelpme> what can I found in particular in config.logs 12:46 < reiffert> Maybe something that your build environment was deciding not to compile in, because something was missing in your build environment. 
12:47 < mipshelpme> oh yes
12:47 < mipshelpme> I look now
12:47 < reiffert> As you say, one openvpn version "does not have" the --mktun option
12:48 < mipshelpme> reiffert: my openvpn is 2.1rc_15
12:49 < mipshelpme> and kernel 2.6.8.1
12:50 < mipshelpme> I forgot to tell you: when I run "insmod /lib/modules/tun.ko" the system makes for me automatically the /dev/net/tun device
12:51 < ecrist> this would appear to be a kernel issue, and not one related directly to openvpn
12:51 < mipshelpme> oh
12:51 < mipshelpme> do you know some irc channel for kernel linux?
12:52 < ecrist> #linux
12:52 < mipshelpme> THANKS
13:04 < mipshelpme> how can I make tap0, without --mktun option?
13:07 < reiffert> mipshelpme: what happens when you enter openvpn --mktun tap0?
13:07 < mipshelpme> I haven the --mktun option
13:07 < mipshelpme> I haven't the --mktun option
13:07 < reiffert> answer my question.
13:09 < mipshelpme> "unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun (2.1_rc15)
13:09 < mipshelpme> I look at the log file and found 2 "error" messages
13:09 < mipshelpme> error: size of array `test_array' is negative
13:09 < mipshelpme> error: invalid application of `sizeof' to incomplete type `conftest.c'
13:10 < reiffert> check options.c
13:10 < mipshelpme> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
13:10 < reiffert> #ifdef TUNSETPERSIST
13:10 < reiffert> else if (streq (p[0], "mktun"))
13:10 < reiffert> #endif
13:10 < reiffert> then check why it thinks you don't have TUNSETPERSIST
13:11 < mepholic> is there a way to set a range that openvpn assigns the tap interface's mac address in? (in the config)
13:11 < mepholic> doesn't matter if it is client or server side
13:12 < reiffert> did you read what I was writing?
13:12 < mepholic> :<
13:12 < mepholic> me?
13:12 < mipshelpme> reif: for me? yes .. and looking for the confeste.c
13:12 < mipshelpme> reif: for me? yes .. and looking for the conftest.c
13:12 < reiffert> ah, sorry, was mixing up nicknames.
13:13 -!- mipshelpme is now known as MIPS
13:13 < MIPS> :)
13:13 < reiffert> mepholic: a range of mac addresses, what's that going to be?
13:14 < ScribbleJ> Not exactly an openvpn question.... I'm trying to test transfer speeds on two networks using scp over openvpn, except how can I easily make a large garbage file to try transferring? reading /dev/random takes too long.
13:14 < mepholic> reiffert, I want to be able to tell the clients, "use a mac address in THIS range"
13:14 < mepholic> like
13:14 < mepholic> 00:0E:44
13:14 < mepholic> for example
13:14 < mepholic> and it would randomize the last 3 octets
13:14 < mepholic> or whatever :3
13:15 < reiffert> mepholic: yeah, check the source.
13:15 < reiffert> mepholic: the tap driver source that comes with the tapdriver. Kernel for != windows and tap-win32 directory for win32.
13:15 < ScribbleJ> n/m, used /dev/urandom to pull some, then just duplicated that over and over.
13:16 < mepholic> so i'd have to give my clients a custom version?
13:16 < mepholic> ugh
13:16 < reiffert> mepholic: win32?
13:16 < mepholic> reiffert, i have win32 and linux clients
13:16 < mepholic> and mac
13:16 < mepholic> lolol
13:17 < mepholic> and uh
13:17 < mepholic> freebsd
13:17 < reiffert> mepholic: have fun then. linux = matter of kernel, mac = matter of kernel module, win = matter of tap-win32 directory source. have fun.
13:17 * mepholic waits for somebody with BeOS or VAX to come along
13:18 < mepholic> wait, does openvpn even support those?
13:18 < MIPS> reif: ..uhm... I can't find the conftest.c! Is it an openvpn file?
13:18 * Qantouri1c concludes his SLT connection is ok .... but the pipe doesn't work :p no connection on the other end :p
13:18 < Qantouri1c> what connection type tap/tun is recommended?
13:20 < MIPS> oh, another error
13:20 < mepholic> Qantouri1c, what are you going to use the vpn for?
13:20 < MIPS> conftest.c:14:28: ac_nonexistent.h: No such file or directory
13:20 < Qantouri1c> mepholic: MS-exchange, file share
13:20 < mepholic> heh
13:20 < mepholic> i'd use tap
13:20 < reiffert> MIPS: checkout the configure file.
13:20 < Qantouri1c> mepholic: me too :p
13:20 < mepholic> tun doesn't allow network broadcasts
13:21 < mepholic> (which is annoying)
13:21 < Qantouri1c> mepholic: soooo
13:21 < Qantouri1c> mepholic: brctl addbr test
13:21 < Qantouri1c> mepholic: brctl addif test eth1
13:21 < Qantouri1c> mepholic: like that?
13:21 < mepholic> well
13:21 < MIPS> reif: what does it mean "checkout" configure file
13:21 < mepholic> on each client machine, you don't need a bridge
13:22 < reiffert> MIPS: open it, read it, understand it.
13:22 < Qantouri1c> mepholic: cause last time i tried i couldn't get it working (probably issues with my iptables settings, it uses nic ...
13:22 < ScribbleJ> Ok, I have the dumb, now. I have tested the speeds I am getting, and I top out around 150KB/sec. Is this about right for a T1?
13:22 < mepholic> Qantouri1c, my tap setup uses no bridges at all
13:22 < Qantouri1c> mepholic: how does -i / -o nic work on bridges?
13:22 < MIPS> reif: ah ok (sorry my english not so good)
13:22 < Qantouri1c> mepholic: ow?
13:22 < mepholic> well
13:22 < Qantouri1c> mepholic: that's possible?
13:22 < Qantouri1c> NICE
13:22 < mepholic> yes
13:22 < mepholic> i actually have a bridge on my desktop
13:23 < mepholic> going to a vlan on my switch
13:23 < mepholic> so i can plug other computers into the vlan, and they will be directly on the vpn
13:23 < Qantouri1c> mepholic: so tap is connected to an eth device? like a real tap?
13:23 < mepholic> kinda hard to explain
13:23 < mepholic> but
13:23 < mepholic> my server is at FDC in chicago
13:23 < mepholic> unmetered datacenter
13:23 < ScribbleJ> FirstData?
13:23 < Qantouri1c> mepholic: ooooo :p
13:24 < mepholic> and clients connect to it
13:24 < mepholic> and share files, play lan games, whatever
13:24 < mepholic> lol
13:24 < Qantouri1c> mepholic: nice :p
13:24 < mepholic> yeah
13:24 < reiffert> ecrist: I can't find TUNSETPERSIST in the Makefile, nor configure, wtf?
13:24 < mepholic> i'm working on dhcp right now
13:24 < mepholic> isc dhcpd is being retarded
13:24 * Qantouri1c now tries to learn how to use taps
13:25 < Qantouri1c> mepholic: my dhcp is easy to setup :p
13:25 < mepholic> windows?
13:25 < Qantouri1c> mepholic: linux
13:25 < mepholic> ah
13:25 < mepholic> are you using isc?
13:25 < Qantouri1c> mepholic: yea, what's the issue?
13:25 < mepholic> well
13:25 < Qantouri1c> mepholic: or are you using some exotic setup?
13:26 < mepholic> no not really
13:26 < mepholic> what it is doing
13:26 < mepholic> is assigning the last ip in my specified range first
13:26 < mepholic> well, ranges
13:26 < Qantouri1c> mepholic: !?!
13:26 < mepholic> i don't know
13:26 < Qantouri1c> mepholic: also, i never took notice of the ip,
13:26 < mepholic> here, i'll show you my config
13:26 < mepholic> huh?
13:26 < Qantouri1c> mepholic: i mean, an ip address is one right?
13:26 < mepholic> wat
13:27 < Qantouri1c> why do you even care which one he assigns?
13:27 < Qantouri1c> for all i care, he can use random :p
13:27 < mepholic> Qantouri1c, well
13:27 < mepholic> it is frustrating
13:27 < mepholic> i like things to be in order
13:28 < Qantouri1c> aaa
13:28 * Qantouri1c digs the specs
13:29 < reiffert> mepholic:
13:29 < reiffert> MIPS:
13:29 < reiffert> grep TUNSETPERSIST /usr/include/linux/if_tun.h
13:29 < reiffert> #define TUNSETPERSIST _IOW('T', 203, int)
13:29 < mepholic> lol
13:29 < mepholic> Qantouri1c, i havn'
13:29 < mepholic> t tried more than 1 dhcp client
13:29 < mepholic> i don't even know if it works
13:30 < mepholic> the config seems basic
13:31 < reiffert> MIPS: do you understand what's going on?
13:32 < MIPS> :(
13:33 < Qantouri1c> mepholic: i find no indication (at first glimpse) of the ip assignment order
13:33 < MIPS> I can't find the conftest.c
13:33 < mepholic> huh
13:33 < reiffert> MIPS:
13:34 < reiffert> MIPS: do you know the meaning of a COMPILE TIME MACRO like #ifdef TUNSETPERSIST?
13:34 < MIPS> no
13:34 < MIPS> :(
13:34 < MIPS> what does it mean
13:35 < reiffert> MIPS: during the preprocessor stage, before compiling, the preprocessor creates the source files for the compilation stage
13:35 < MIPS> yes
13:35 < reiffert> MIPS: when the preprocessor thinks TUNSETPERSIST is set, then it will take that code and it will get compiled
13:35 < reiffert> MIPS: and when the preprocessor doesn't think so, the code does not get compiled.
13:35 < MIPS> oh
13:36 < reiffert> MIPS: now, for your case, we already KNOW that TUNSETPERSIST was not set during preprocessor phase.
13:36 < reiffert> still follow me?
13:36 < MIPS> I think yes
13:36 < reiffert> MIPS: On a normal system TUNSETPERSIST gets set in the file /usr/include/linux/if_tun.h
13:37 < reiffert> MIPS: that means, that during the compilation of your openvpn, TUNSETPERSIST was not found in /usr/include/linux/if_tun.h
13:38 < reiffert> MIPS: which means: Check both: kernel-source/include/if_tun.h and /usr/include/linux/if_tun.h for TUNSETPERSIST
13:38 < reiffert> MIPS: and recompile and make all those openvpn source files include that file which contains TUNSETPERSIST.
13:38 < MIPS> #define TUNSETPERSIST _IOW('T', 203, int)
13:39 < reiffert> which file?
13:39 < MIPS> this is my kernel
13:39 < MIPS> "/opt/routerkernel/include/linux/if_tun.h"
13:40 < reiffert> well, then have openvpn include that file during compilation.
13:40 < MIPS> "/opt/routerkernel is the kernel I'm using in cross compile
13:40 < reiffert> and problems fixed.
13:40 < MIPS> how can I include that file?
13:41 < reiffert> dude you are messing around with crosscompilation and you don't know anything about compilers?
13:41 < MIPS> yes, but I don't understand if I use that file or include it in #include
13:42 < reiffert> like all places do it in .c files.
13:42 < MIPS> in .c files, I must "#include" that if_tun.h?
13:42 < reiffert> right.
13:43 < MIPS> ok
13:43 < MIPS> but in which .c file? how can I know which .c I must change?
13:43 < reiffert> sigh.
13:43 < reiffert> do you know grep?
13:43 < MIPS> yes
13:44 < MIPS> ohhh
13:44 < reiffert> grep -l if_tun.h *.c *.h */*.c */*.h
13:44 < MIPS> yes
13:44 < MIPS> THANKS
13:44 < MIPS> try now
13:46 < Qantouri1c> How to control where taps get "connected" to?
13:46 < reiffert> read the howto
13:46 < reiffert> and the faq
13:47 < Qantouri1c> rgr
13:49 < MIPS> reif: I found reference in syshead.h, in particular:
13:49 < MIPS> #include
13:50 < MIPS> #include
13:50 < reiffert> congrats.
13:50 < MIPS> I need to change every one?
13:50 < reiffert> MIPS: dunno, if unsure say YES.
13:51 < MIPS> I try ..
13:51 < reiffert> the 1st one should be enough
13:51 < MIPS> ah ok
13:52 < reiffert> and check in config.h for
13:52 < MIPS> ok
13:52 < reiffert> #define HAVE_LINUX_IF_TUN_H 1
13:52 < MIPS> config.h in openvpn. is it tight?
13:52 < MIPS> right?
13:52 < reiffert> y
13:53 < MIPS> thks .. i'm working
13:56 < MIPS> syshead.h is changed, now check config.h
13:58 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
13:58 < reiffert> MIPS: ah well, an alternative approach might be:
13:59 < reiffert> configure --includedir=/opt/routerkernel/include
13:59 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
13:59 < reiffert> and probably the better way.
13:59 < MIPS> I try it
14:00 < MIPS> can't find the config.h, only config.h.in :(
14:00 < MIPS> why?
14:00 < reiffert> because you didn't run configure yet
14:00 < MIPS> uhm
14:00 < MIPS> I thought yes
14:00 < MIPS> retry
14:00 < reiffert> together with --includedir=/opt/routerkernel/include
14:00 < MIPS> with the --includedir too
14:02 -!- jolelion [n=geoffroy@dec69-1-82-232-12-72.fbx.proxad.net] has left ##openvpn []
14:03 < MIPS> config.h now exists :)
14:04 < MIPS> and it's ok
14:04 < MIPS> like you told me
14:04 < MIPS> now check the log file
14:05 < reiffert> just run make
14:05 < MIPS> conftest.c:14:28: ac_nonexistent.h: No such file or directory
14:05 < reiffert> forget about it. nonexistent = non existent
14:05 < MIPS> ok
14:05 < MIPS> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
14:06 < reiffert> hit
14:06 < reiffert> m
14:06 < reiffert> a
14:06 < reiffert> k
14:06 < reiffert> e
14:06 < MIPS> s.o.r.r.y
14:06 < MIPS> try
14:08 < MIPS> .. openvpn-2.1_rc15-build/missing --run automake-1.9 --foreign
14:08 < MIPS> openvpn-2.1_rc15-build/missing --run autoheader
14:09 < MIPS> openvpn-2.1_rc15-build/missing: line 52: aclocal-1.9: command not found
14:09 < MIPS> WARNING: `aclocal-1.9' is missing on your system. You should only need it if
14:09 < MIPS> ??
14:09 < MIPS> I need to install some packages for mips?
14:09 < MIPS> other packages
14:10 < MIPS> the same openvpn version I compiled for my ubuntu, without problem
14:21 < MIPS> reif: can you tell me the exact parameters to compile openvpn for mips?
14:22 < MIPS> I'm using ./configure --host=mips CC="mygcccompiler"
14:22 < MIPS> is it correct using --host?
14:39 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
14:47 -!- MIPS^ [n=mips@87.18.247.226] has joined ##openvpn
14:48 < MIPS^> :(
14:51 < MIPS^> reif?
14:55 -!- MIPS [n=mips@host146-242-dynamic.43-79-r.retail.telecomitalia.it] has quit [Connection timed out]
14:59 < MIPS^> reif?
15:00 < MIPS^> reif?
15:03 < MIPS^> :(
15:05 < reiffert> start reading the fucking docs that come with the build environment.
15:06 < MIPS^> ?
15:06 < reiffert> What you will find in there is how to compile software.
15:07 < MIPS^> it's a custom environment, no documentation
15:10 < MIPS^> I installed all packages, but messages don't change
15:15 < MIPS^> someone can help me?
15:25 < MIPS^> where can I find documentation about compiling openvpn on mips
15:28 < krzee> you even have tuntap for it?
15:29 < MIPS^> tun.ko, for kernel 2.8.6.1
15:32 < MIPS^> compiled
15:40 < reiffert> better ask how to compile with a cross compiler environment.
15:41 * krzee cross compiles tom
15:42 < krzee> (no i don't know what that meant either)
15:46 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Read error: 104 (Connection reset by peer)]
15:57 < MIPS^> my problem is that I'm a microsoft programmer, I know microsoft, and so I hate microsoft. I'm a newbie in this linux world, and looking for information is not simple
15:57 < MIPS^> for me
15:57 < MIPS^> and my english is not so good
15:58 < MIPS^> I can't move in this world, like in the microsoft world
15:59 < reiffert> tom crosscompiles to instruction 1111000000001111 which means: beerandthensleep which gets fetched and executed in just one clock cycle.
16:05 < MIPS^> when I run 'openvpn --dev-node /dev/net/tun --dev tap0 --proto udp' the system tells me:
16:05 < krzee> !howto
16:05 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < MIPS^> '.... read TUN/TAP : file descriptor in bad state (code=81)'
16:06 < krzee> usually don't need --dev-node
16:06 < MIPS^> :(
16:07 < MIPS^> I try without it
16:07 < krzee> why using tap instead of tun?
16:07 < krzee> and it would be --dev tap not tap0
16:07 < krzee> read these:
16:07 < krzee> !howto
16:07 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:07 < krzee> !man
16:07 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:07 < krzee> read docs
16:07 < krzee> you said you're newer to the linux/unix world
16:08 < krzee> how things are learned in that world is reading docs
16:08 < krzee> man pages > *
16:09 < MIPS^> I read, and made a linux system on i386
16:09 < MIPS^> it works
16:10 < MIPS^> with openvpn
16:10 < MIPS^> but in mips, it appears a little different
16:11 < MIPS^> I'm a newbie, and I know that I make some errors
16:11 < MIPS^> but I need to start somewhere
16:16 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)]
16:27 < MIPS^> conftest.c:84: error: invalid application of `sizeof' to incomplete type `conftest.c'
16:27 < MIPS^> :((
16:27 < krzee> im thinking you won't get a lot of help with porting openvpn to MIPS here
16:27 < krzee> i'd help if i knew that stuff
16:28 < reiffert> porting already got done e.g. in openwrt and similar.
16:28 < reiffert> mips el?
16:28 < MIPS^> can u explain better?
16:29 < MIPS^> I need openvpn on my router
16:29 < krzee> oh mips is what they use in those linksys routers?
16:29 < reiffert> yep
16:29 < MIPS^> without changing the entire firmware
16:30 < krzee> i see
16:30 < reiffert> http://downloads.openwrt.org/kamikaze/packages/mipsel/openvpn_2.0.9-2_mipsel.ipk
16:30 < reiffert> ipk is a tarfile iirc
16:30 < MIPS^> ? what is this
16:30 < MIPS^> let's see
16:30 < krzee> lol
16:31 < reiffert> zucker:~/usr/sbin ute$ file openvpn
16:31 < reiffert> openvpn: ELF 32-bit LSB executable, MIPS, version 1 (SYSV), dynamically linked (uses shared libs), corrupted section header size
16:31 < MIPS^> .ipk ?
16:32 < reiffert> openwrt comes with a build environment for mipsel and openvpn sources, so all you need is to build openwrt from sources and you get all you want, dude.
16:32 < reiffert> ipk = .tar.gz
16:32 < MIPS^> ah ok
16:32 < reiffert> http://forum.openwrt.org/viewtopic.php?id=9180
16:32 < vpnHelper> Title: OpenWrt / [howto] Building OpenWrt Kamikaze from source (at forum.openwrt.org)
16:33 < reiffert> following that howto will get you a working openvpn for mipsel
16:33 < MIPS^> wow! this is the binary!?
16:33 < reiffert> yes.
16:36 < MIPS^> :) try now
16:36 < MIPS^> maybe the connection drops down
16:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["Lost terminal"]
16:38 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
16:44 < reiffert> MIPS^: btw, your english is pretty good for an italian :)
16:50 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has quit ["night"]
16:51 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
16:57 -!- MIPS [n=mips@87.18.247.92] has joined ##openvpn
17:08 -!- MIPS^ [n=mips@87.18.247.226] has quit [Read error: 110 (Connection timed out)]
17:09 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
17:10 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
17:11 -!- MIPS [n=mips@87.18.247.92] has quit [Read error: 60 (Operation timed out)]
17:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)]
17:15 -!- MIPS [n=mips@host118-195-dynamic.16-87-r.retail.telecomitalia.it] has joined ##openvpn
17:16 < MIPS> reif: I'm? Italian? Noooooo
17:16 < MIPS> ;)
17:24 -!- mcp [n=mcp@wolk-project.de] has quit [Connection reset by peer]
17:24 -!- emcepe [n=mcp@wolk-project.de] has joined ##openvpn
17:25 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
17:25 -!- emcepe [n=mcp@wolk-project.de] has quit [Read error: 104 (Connection reset by peer)]
17:41 -!- MIPS [n=mips@host118-195-dynamic.16-87-r.retail.telecomitalia.it] has quit [Success]
17:49 -!- MIPS [n=mips@87.18.244.220] has joined ##openvpn
17:56 -!- ScribbleJ [n=nnsj@c-67-172-6-141.hsd1.il.comcast.net] has left ##openvpn ["Leaving"]
18:07 -!- MIPS [n=mips@87.18.244.220] has quit [Read error: 60 (Operation timed out)]
18:08 -!- MIPS [n=mips@87.18.244.209] has joined ##openvpn
18:13 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
18:15 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
18:53 -!- MIPS [n=mips@87.18.244.209] has quit [Connection timed out]
18:53 -!- MIPS [n=mips@87.18.247.131] has joined ##openvpn
18:54 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has joined ##openvpn
18:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:59 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
18:59 < MIPS> it's late for me, boys, thanks for all, it's possible I'll be back next time :)
19:00 < MIPS> Good night, or have a nice day!
19:00 < MIPS> bye
19:00 -!- MIPS [n=mips@87.18.247.131] has quit []
19:00 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
19:03 -!- eric1234 [n=vic@pool-141-158-125-57.pitt.east.verizon.net] has joined ##openvpn
19:06 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has joined ##openvpn
19:08 < Improv> Note that there is a line length limit in IRC
19:08 < Improv> Oops
19:09 < eric1234> Hi, I am using openVpn on Mac OSX, it recently stopped connecting (possibly due to a system update). when I launch the server it says "Cannot allocate TUN/TAP dev dynamically" anyone have an idea what the problem is?
19:19 -!- eric1234 [n=vic@pool-141-158-125-57.pitt.east.verizon.net] has quit []
19:19 -!- Improv [n=pgunn@pool-70-17-171-106.pitt.east.verizon.net] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
20:21 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:44 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:28 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:36 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
21:36 -!- eagle [n=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
21:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
21:54 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
21:54 * tjz rolls in
21:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:56 -!- eagle [n=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)]
21:59 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
22:22 -!- tjz is now known as tjz|lunch
22:30 < mepholic> SUP GUYS
22:43 < dvl> lovely
23:01 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit ["Changing server"]
23:01 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
23:04 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
23:04 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
23:05 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Client Quit]
23:08 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
23:09 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Client Quit]
23:10 -!- d0wn [n=d0wn@unaffiliated/d0wn] has joined ##openvpn
23:20 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:24 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Client Quit]
23:47 -!- tjz|lunch is now known as tjz
--- Day changed Mon Feb 16 2009
00:00 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
00:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:45 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
01:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has joined ##openvpn
02:08 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn
02:09 < Error_X^> reiffert: Hey :p would you help me with sharing the openvpn server's Internet connection to clients?
02:25 -!- Error_X^ [n=Errorx@6.84-234-140.customer.lyse.net] has quit []
03:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
03:36 -!- TB-Master [n=toni@pD9505C38.dip0.t-ipconnect.de] has joined ##openvpn
04:04 < reiffert> no.
04:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < krzee> lol
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
04:47 < reiffert> he tends to be resistant against all proposals.
05:39 -!- dtcrshr [n=datacrus@200.145.121.55] has joined ##openvpn
05:41 < dtcrshr> hi folks! im having an issue with openvpn. I got one building with a normal adsl access, and my vpn server will be on the hq, which has a proprietary link, with valid ip and so on. How do i set on the other side to work with the same ips from the internet link, and the inner network?
05:41 < ecrist> see this:
05:41 < ecrist> !route
05:41 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:51 < dtcrshr> thanks!
05:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:05 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn
06:05 < hads> !route
06:05 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
06:57 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:00 < reiffert> dtcrshr: an alternative way is using a bridged setup, see !howto
07:16 < dtcrshr> !howto
07:16 < vpnHelper> dtcrshr: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:57 -!- ikevin_ [n=kevin@ANancy-256-1-83-247.w90-26.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
07:58 -!- ikevin_ [n=kevin@ANancy-256-1-69-35.w90-26.abo.wanadoo.fr] has joined ##openvpn
07:58 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:00 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
08:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:41 < ecrist> Boats and Hos
08:42 < c64zottel> hi, is it possible to get XDMCP broadcast over the vpn?
08:43 < ecrist> what is XDMCP
08:43 < c64zottel> the X-window protocol
08:43 < ecrist> sure
08:43 < c64zottel> how?
08:44 < ecrist> well, let's start with this. Do you have a VPN setup?
08:44 < krzee> what kind of traffic is it?
08:44 < c64zottel> without bridging
08:44 < krzee> is it broadcast or is it layer2?
08:44 < c64zottel> open vpn is running
08:45 < ecrist> krzee: http://en.wikipedia.org/wiki/X_display_manager
08:45 < vpnHelper> Title: X display manager - Wikipedia, the free encyclopedia (at en.wikipedia.org)
08:45 < ecrist> c64zottel: for what you're doing, using SSH with x-forwarding would be sufficient
08:46 < c64zottel> there are a lot of X-servers here
08:46 < c64zottel> and it's not possible to give them direct access to the internet
08:46 < ecrist> the x-server runs on the client workstation.
08:47 < ecrist> the short answer, is yes, you can run XDMCP over OpenVPN
08:47 < ecrist> we're not the ones to help you setup XDMCP, however.
08:47 < c64zottel> it's like this: exceed tries to find x-server and is sending xdmcp-broadcasts to the net
08:48 < c64zottel> the servers answer with their ip-addresses, and a list will appear, which the user can choose from
08:48 < c64zottel> and can connect to an x-server
08:49 < krzee> ahh
08:49 < krzee> use tap
08:49 < c64zottel> i guess, you can compare it with samba
08:49 < krzee> but not bridging
08:49 < c64zottel> i have tap
08:49 < c64zottel> without bridging
08:49 < krzee> doesn't work?
08:49 < c64zottel> it doesn't
08:49 < krzee> ok then it's not ip broadcasts, it is ethernet broadcasts
08:50 < krzee> so you need bridging
08:50 < c64zottel> hm
08:50 < c64zottel> how can i see the difference between ip/ethernet broadcasts?
08:50 < krzee> which would be the same answer for samba
08:50 < krzee> it's an entirely different layer of traffic
08:50 < krzee> ethernet is layer2
08:50 < krzee> ip is layer3
08:51 < c64zottel> ok, then i understand
08:51 < c64zottel> thank you
08:51 < krzee> np
09:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:25 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has joined ##openvpn
09:26 < uchimata> Hi, is there a possibility to run more than one "config" at startup? e.g. openvpn.conf, openvpn2.conf etc? - running FreeBSD
09:27 -!- mcp [n=mcp@wolk-project.de] has left ##openvpn []
09:27 < uchimata> - or is this even default behaviour, using all *.conf? ;-)
09:29 -!- mcp [n=mcp@wolk-project.de] has joined ##openvpn
09:29 -!- mcp [n=mcp@wolk-project.de] has left ##openvpn []
09:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn
10:20 < uchimata> hm k got it
10:34 -!- Roman123 [n=Roman123@bmt-beigelb.isas.tuwien.ac.at] has joined ##openvpn
10:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
10:37 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
10:42 < tjz> with openvpn, we couldn't keep track of the activities in the tunnel to a log?
10:43 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has left ##openvpn []
11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:30 < uchimata> tjz: do you want to log all tunnel traffic?
11:30 < ecrist> tjz, sure you can
11:30 < ecrist> tcpdump is your friend.
11:35 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has joined ##openvpn
11:36 < datac> hi fellas! i've got a tunnel established, but one address i must see through the tunnel is also public. i've checked the howtos about push "gateway, and push "ip mask, but it didn't work...
11:37 < datac> how do i force on the client to search for some range of addresses, to be on the tunnel?
11:38 < MIPS> during openvpn compilation I read "checking for struct tun_pi... no"
11:38 < MIPS> what does it mean
11:39 < uchimata> datac: the push commands for additional routes should work
11:41 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has quit [Read error: 54 (Connection reset by peer)]
11:48 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has joined ##openvpn
11:48 < datac> i think im messing with the ip addresses..
11:48 < reiffert> MIPS: check the configure file.
11:48 < datac> is there a way to see these rules, when the vpn is running?
11:48 < krzee> MIPS, didn't reif give you the precompile for mips proc?
11:48 < datac> like tcpdump or sort of?
11:49 < krzee> datac, tcpdump works...
11:49 < krzee> just use the vpn interface
11:49 < datac> tcpdump -i tun0
11:49 < datac> ?
11:49 < uchimata> datac: what rules? the pushed routes?
11:49 < datac> yesh
11:49 < datac> to see if they are really active
11:50 < uchimata> datac: route -n / route print
11:50 < uchimata> datac: os?
11:50 < datac> im using a linux build-up firewall, which has open vpn as an addon. i installed and configured it on both pcs, the server and the client.
11:50 < datac> its 2.5.36.2 kernel
11:50 < uchimata> datac: alright, so route -n will show you all routes
11:50 < datac> a coyote, sort of linux from scratch, just a few apps
11:51 < datac> yes
11:51 < uchimata> datac: so you can see whether your routes have been pushed?
11:51 < datac> im using the defaults from the openvpn how to, 10.8.0.1 and so on
11:51 < datac> im on the client right now
11:52 < datac> i got a rule like this - 10.8.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
11:52 < datac> and 192.168.10.0 10.8.0.1 255.255.255.0 ug 0 0 0 tun0
11:52 < datac> the only ones i read from the tunnels.
11:52 < uchimata> so all traffic to 192.168.10.0/24 would be sent through the tunnel
11:53 < datac> hmmm
11:53 < datac> i'll try to add the route by the route add command
11:53 < uchimata> ?
11:53 < datac> i think the push are not working, since the address i need to reach throught the tunnel, can also be reach bu the internet 11:53 < datac> so here on the client when i traceroute that server ip the path its from the internet connection 11:54 < uchimata> datac: when a route is set, always the most specific route will be choosen 11:54 < uchimata> datac: so a route which comnes from openvpn that says "go to host x via ip y" would be more specific than your default gw 11:54 < datac> i think ill have to do that here. ill try 11:54 < datac> yes 11:55 < datac> makes sense 11:55 < krzee> datac 11:55 < krzee> !configs 11:55 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:55 < uchimata> great point krzee ;) 11:55 < datac> im on this for so much time, just to got the tunnel up that my brains are running out 11:59 < datac> the server side, gots the internet access from a proprietary link, wich gots the same address from the lan network 12:00 < datac> is that an issue that wont work? 12:00 < krzee> datac 12:04 < datac> yes 12:04 < reiffert> get some basic networking knowledge. 12:04 < datac> thanks 12:04 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit [] 12:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:05 < krzee> !configs 12:05 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:10 < reiffert> datac: are you going to paste them? 12:10 < krzee> i dont think he wants help 12:11 < reiffert> let's raise a playdoll from datac. 
12:17 < datac> sorry, the server is pretty far away
12:17 < datac> im managing its pastebin to paste here
12:17 < datac> wait a sec
12:17 < datac> sorry for my huge ignorance
12:17 < datac> and the bad english
12:26 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
12:31 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:34 -!- datac [n=crsgms@189-112-248-049.static.ctbcnetsuper.com.br] has quit [Read error: 104 (Connection reset by peer)]
12:35 -!- Roman123 [n=Roman123@bmt-beigelb.isas.tuwien.ac.at] has quit ["Leaving"]
12:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:12 -!- pkrumins [i=nhl@unaffiliated/pkrumins] has joined ##openvpn
13:12 < pkrumins> hi guys, i am having trouble with openvpn not updating my /etc/resolv.conf file.
13:12 < pkrumins> can't quite find info on whether i need to specify some config option when i start it
13:12 < pkrumins> or if it should do it automatically
13:13 < krzee> !pushdns
13:13 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:20 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
13:21 < dtcrshr> [krzee]: it worked!
13:21 < dtcrshr> thank you all for the tips
13:21 < dtcrshr> i was changing the ips on the push route
13:21 < dtcrshr> and i needed to add the push "gateway
13:23 -!- dtcrshr [n=datacrus@200.145.121.55] has quit [Read error: 104 (Connection reset by peer)]
13:28 < pkrumins> okay, i managed to get it working
13:28 < pkrumins> but now the problem is that my original resolv.conf gets overwritten
13:28 < pkrumins> that is kinda fine
13:29 < pkrumins> but i would expect it to be restored when openvpn shuts down
13:29 < pkrumins> but it does not
13:29 < pkrumins> it just erases it
13:29 < pkrumins> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
13:29 < pkrumins> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
13:29 < pkrumins> here is what it leaves.
13:29 < pkrumins> "DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN" huh
13:31 -!- xattack [i=xattack@132.248.108.239] has quit [Read error: 110 (Connection timed out)]
13:35 < Roman123> Hi! I guess I have a similar problem to thousands of other OpenVPN users before. :-( The connection between client (configuration http://128.131.71.10/openvpn_client ) and server (configuration http://128.131.71.10/openvpn_server) is established without any error but I'm not able to send any traffic through the tunnel, i.e., no ping etc. :-( My OpenVPN is on an OpenWRT machine (8.09RC2) and my client is situated in a vmware setup running Windows XP
13:35 < Roman123> (host machine is gentoo linux). route print gives 128.131.71.10/shot.png Thank you for any suggestions to get rid of the problem.
13:36 < pkrumins> craaaaaaaaap
13:36 < pkrumins> i'm crapping my pants now.
13:36 < pkrumins> any ideas how to get openvpn to restore the dns
13:36 < pkrumins> once it goes down
13:37 < Roman123> Btw, yeah I know it is pretty perverted to run the OpenVPN client from an XP virtual machine over a bridged interface over Gentoo but I guess that's not the problem. ;-)
13:38 < Roman123> btw, the windows firewall is disabled. I've checked that.
13:39 < pkrumins> resolved.
13:39 < pkrumins> i changed the 'down' part of the /etc/openvpn/resolv-update-up script
13:40 < pkrumins> and added echo "nameserver my_shit" > /etc/resolv.conf
13:40 < pkrumins> now it works!
13:43 < Roman123> oops, sorry http://128.131.71.10/shot.png
13:43 -!- pkrumins [i=nhl@unaffiliated/pkrumins] has left ##openvpn []
13:45 < Roman123> argh, sorry wrong urls http://128.131.71.10/default/openvpn_client ; http://128.131.71.10/default/openvpn_server ; 128.131.71.10/default/shot.png -> sorry, the firewall here does not allow access to this webserver but now it should work.
14:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
14:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:08 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
14:08 < Roman123> No expert available with a tricky suggestion for what I can try to solve the problem? :-(
14:09 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
14:17 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
14:35 < reiffert> Roman123: and your problem is?
14:36 < reiffert> bbl, bed
14:38 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
14:38 < Roman123> reiffert: still there?
14:39 < Roman123> reiffert: Hi! I guess I have a similar problem to thousands of other OpenVPN users before. :-( The connection between client (configuration http://128.131.71.10/openvpn_client ) and server (configuration http://128.131.71.10/openvpn_server) is established without any error but I'm not able to send any traffic through the tunnel, i.e., no ping etc. :-( My OpenVPN is on an OpenWRT machine (8.09RC2) and my client is situated in a vmware setup running
14:39 < Roman123> Windows XP
14:39 < Roman123> (host machine is gentoo linux). route print gives 128.131.71.10/shot.png Thank you for any suggestions to get rid of the problem.
15:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
15:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
15:46 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:48 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
16:10 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
16:33 -!- mrcerulean [n=chris@ppp-71-137-137-7.dsl.sndg02.pacbell.net] has joined ##openvpn
16:36 < mrcerulean> I have OpenVPN server running on CentOS 5.2 and the client running on Vista. I get a connection and an IP address, but no traffic between the two systems.
16:36 < mrcerulean> On the Windows side, the log says: Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
16:36 < vpnHelper> Title: OpenVPN FAQ (at openvpn.net)
16:37 < mrcerulean> The FAQ suggests that the DHCP server needs to be running on the Windows client...
16:38 < mrcerulean> Sorry. The DHCP client service is running. How do I disable the TAP firewall in Vista?
16:39 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:40 < mrcerulean> OK.
16:40 < mrcerulean> Figured that out. :)
16:41 < mrcerulean> When I restart the connection, I get the same error.
16:42 < mrcerulean> I've disabled the firewall on the TAP device and verified that the DHCP Client service is running.
16:50 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit ["!@#$*$ NO CARRIER"]
17:31 -!- rubymonk [i=55ab9159@gateway/web/ajax/mibbit.com/x-5bdddcaf020cfe8a] has joined ##openvpn
17:31 < rubymonk> Hello everyone
17:31 < rubymonk> :)
17:31 < rubymonk> I'm trying to understand some things about how openvpn works... well, especially its relationship with openssl
17:33 < rubymonk> well, first of all, for future reference, I've been following the howto, which leads to the creation of a PKI and a CA
17:33 < rubymonk> The first thing I don't get is... I didn't see in the whole process any public key
17:33 < rubymonk> so, I'm wondering where it is / they are
17:33 < rubymonk> anyone please ?
17:36 < rubymonk> Is my question unclear ?
17:42 < mrcerulean> The client keys are generated by the master cert authority.
17:42 < mrcerulean> As are the server keys.
17:43 < mrcerulean> The root cert goes on the server + all clients.
17:43 < mrcerulean> Then the client key cert goes on the client.
17:43 < mrcerulean> When the client connects, the client and server keys are exchanged and verified by the root ca key.
17:44 < mrcerulean> Once that's done, keys are set on both ends.
17:44 < mrcerulean> There is no public key, per se.
17:45 < mrcerulean> If you're doing it by accepting self generated keys from the client, then the client must also generate a cert signing request that has to be fulfilled.
17:45 < mrcerulean> Because the generation is happening under complete server control, there is no need for "public key" in this transaction.
17:46 < mrcerulean> Think of it as cert exchange rather than key exchange and it becomes a little clearer.
17:47 < rubymonk> Yes, I think I get the fact public keys are not necessary since both parts already have the cert
17:47 < rubymonk> correct ?
17:48 < rubymonk> the public key would be necessary to get the cert
17:48 < mrcerulean> That's simplified, but basically yes.
17:48 < rubymonk> ok
17:49 < rubymonk> now on this config...
17:49 < rubymonk> both sides have a private key
17:49 < rubymonk> and this puzzles me a bit
17:49 < rubymonk> the public key was supposed to tell how to encrypt
17:49 < rubymonk> and the private how to decrypt
17:50 < rubymonk> if I understood what I've read about SSL
17:50 < mrcerulean> I think you're confusing public key crypto like PGP and SSL.
17:50 < mrcerulean> SSL is cert based, so no public key is required.
17:51 < mrcerulean> Step back from OpenVPN and see how it goes at a higher level:
17:51 < mrcerulean> I am a CA.
17:51 < mrcerulean> I can issue certs.
17:51 < rubymonk> ok
17:51 < mrcerulean> Before I do, I have to verify you.
17:51 < mrcerulean> So, you send me a request for a cert.
17:51 < mrcerulean> That request has, embedded within, identification that's unique to you.
17:52 < mrcerulean> I use that identification and generate a cert, which I then send to you.
17:52 < mrcerulean> The cert I send you is based on a few factors: my own root cert, my server cert, your csr.
17:52 < rubymonk> I send you a csr and you send back a crt
17:52 < mrcerulean> Yes.
17:52 < rubymonk> (file)
17:52 < rubymonk> :)
17:52 < rubymonk> ok
17:53 < mrcerulean> Now, when you present that cert to me in the future, I can verify it's valid.
17:53 < mrcerulean> By comparing it with my root cert and my server cert.
17:53 < rubymonk> using your private key ?
17:53 < rubymonk> ah
17:53 < rubymonk> ok
17:53 < mrcerulean> Again, stop thinking about public/private keys.
17:53 < mrcerulean> :)
17:53 < mrcerulean> Think only in terms of certs.
17:53 < rubymonk> hehe, ok, sorry
17:54 < mrcerulean> There are analogs there, but really the process is a little different.
17:54 < rubymonk> ok, so with the cert, you are able to tell I am who I say I am
17:55 < rubymonk> but what if someone steals my cert ?
17:55 < mrcerulean> The point is, once the cert validity is verified, I can now open a channel between the two devices and start encrypting traffic using any method available, including public/private keys which are generated and exchanged in real time.
17:55 < mrcerulean> If someone steals your cert, you're in trouble. :)
17:55 < rubymonk> ok :)
17:55 < mrcerulean> That's why you can password protect the cert. Then you have two-factor auth: something you have and something you know (cert/password).
17:57 -!- mepholic [n=mepholic@star.emokid.nu] has quit [Client Quit]
17:57 < hads> And you can revoke
17:58 < mrcerulean> Yes. If you find a cert's been stolen, you can revoke the cert and it will no longer work.
17:58 < rubymonk> In the howto, there is a small table if you scroll a bit to the top at this url http://openvpn.net/index.php/documentation/howto.html#config
17:58 < vpnHelper> Title: HOWTO (at openvpn.net)
17:59 < rubymonk> and it tells the certs are not secret...
17:59 < rubymonk> is it an error or a case in which the certs are not supposed to be secret?
18:00 < mrcerulean> The certs are not secret, but the keys are.
18:00 < mrcerulean> The certs are, in essence, public keys.
18:00 < mrcerulean> The keys are private keys.
18:00 < rubymonk> ok
18:01  * hads has a little cry about working with someone else's network setup
18:01 < rubymonk> but if the cert is so public... it doesn't really matter if someone steals my cert, does it ?
18:01 < rubymonk> (Sorry to be a pain) :)
18:02 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Connection timed out]
18:03 < mrcerulean> It only matters if they get both the cert and the key.
18:03 < rubymonk> oh, ok
18:03 < rubymonk> :)
18:03 < rubymonk> I got it now
18:04 < rubymonk> hum...
18:05 < rubymonk> Yes, I think I fully got it, clients also need a private key because they send data, so that data is encrypted with the private key and the cert tells the server how to decrypt...
18:05 < rubymonk> right ?
18:05 < mrcerulean> Close enough.
18:05 < rubymonk> hehe
18:06 < rubymonk> ok, I won't go further today or I'll mix things up
18:06 < mrcerulean> But the cert and key are only used to negotiate the connection. At that point, a completely different crypto mechanism can take over.
18:06 < rubymonk> Thanks a lot mrcerulean :)
18:06 < rubymonk> yes, a symmetric one since asymmetric is too slow
18:07 < rubymonk> it's only used to share a key for them to communicate
18:07 < rubymonk> as far as I got it :P
18:16 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
18:16 < hads> I can't figure out why remote clients can only ping the OpenVPN host and the default gateway. There is a static route on the default gateway and LAN hosts can ping remote OpenVPN clients.
18:20 -!- mrcerulean [n=chris@ppp-71-137-137-7.dsl.sndg02.pacbell.net] has left ##openvpn []
18:29 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 110 (Connection timed out)]
18:31 -!- carpe_ [n=carpe@174.0.97.175] has quit [Read error: 113 (No route to host)]
18:45 -!- justdave [n=dave@unaffiliated/justdave] has left ##openvpn []
19:03 -!- rubymonk [i=55ab9159@gateway/web/ajax/mibbit.com/x-5bdddcaf020cfe8a] has quit ["http://www.mibbit.com ajax IRC Client"]
19:05 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
19:51 -!- TB-Master [n=toni@pD9505C38.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
19:57 -!- kaii [n=kai@ciphron.de] has quit [Read error: 60 (Operation timed out)]
19:59 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
20:09 -!- kaii_ [n=kai@ciphron.de] has joined ##openvpn
20:12 -!- kaii [n=kai@ciphron.de] has quit [Read error: 104 (Connection reset by peer)]
20:34 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
20:36 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:39 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)]
20:40 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
22:24 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
23:04 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit ["Quick! Kill your client! Bersirc 2.2 is here! [ http://www.bersirc.org/ - Open Source IRC ]"]
23:06 -!- Haris1 [n=Haris@unaffiliated/haris] has joined ##openvpn
23:06 < Haris1> Hello people, folks, everyone, all
23:06 < Haris1> Does openvpn support ipsec over udp based vpn?
23:06 < Haris1> Can we create or simulate an ipsec over udp based vpn with openvpn ?
23:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
23:48 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
--- Day changed Tue Feb 17 2009
00:17 -!- tjz|lunch is now known as tjz
00:25 < krzee> no
00:40 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
00:53 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
01:09 -!- int [n=quassel@wikia/int] has quit [Remote closed the connection]
01:14 -!- int [n=quassel@wikia/int] has joined ##openvpn
01:30 < Haris1> no?
01:31 < Haris1> Which protocols/technologies does openvpn support?
01:34 < uchimata> Haris1: ssl
01:36 < Haris1> just ssl ?
01:38 < uchimata> what else do you need? ;-))
01:40 < Haris1> there's l2tp based vpn
01:40 < Haris1> ipsec over udp based
01:40 < Haris1> I need to simulate the problem we are facing in ipsec over udp based vpn
01:40 < Haris1> to find the cause or a better option to use
01:41 < uchimata> there are also free ipsec implementations like freeswan?
01:45 < Haris1> I thought freeswan was something like quagga
02:07 < reiffert> Haris1: openvpn supports openvpn
02:07 < reiffert> Haris1: openvpn does not do l2tp or pptp or cisco vpn or freeswan or similar.
02:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:16 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
02:17 < nardul> Morning. Is there a way to make the client push its local route?
02:25 < reiffert> is it static?
02:28 < nardul> Yes
02:30 < reiffert> multiple lines of push "route netaddress netmask"
02:30 < nardul> In the client config?
02:30 < reiffert> server config
02:31 < nardul> No can do. I need the routes from the client on the server
02:31 < reiffert> Oh, that way. There is no way.
02:31 < nardul> Ok, i'll add it manually to the server then. Darned.
02:36 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn
02:39 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit [Client Quit]
03:33 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
03:41 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
04:40 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
04:53 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn
05:04 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn
05:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
05:07 -!- disposable [i=disposab@blackhole.sk] has quit [Read error: 104 (Connection reset by peer)]
05:07 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn
05:18 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
05:22 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
05:34 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
05:35 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:52 -!- Haris1 [n=Haris@unaffiliated/haris] has left ##openvpn ["Time to jet!"]
06:26 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
06:27 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
06:28 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
06:31 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
06:36 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
06:40 < Roman123> When I start openvpn, in my logfiles the message "TUN/TAP device tap0 opened" appears but I have only a tap1 interface! If I remove the interface, add a new one with the name tap0, and restart openvpn, then the message "TUN/TAP device tap1 opened" appears. Is this ok?
06:41 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
06:42 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
06:46 < ecrist> Roman123: does the vpn work?
06:47 < Roman123> ecrist: no :-(
06:47 < Roman123> That's the problem.
06:48 < Roman123> The tunnel can be established but no traffic goes through the tunnel.
06:49 < Roman123> For example, I can't ping from the client side to the network on the remote side. I'm pretty sure it is no firewall issue. At the moment I'm taking a look at the openvpn FAQ. Hopefully, it helps.
06:49 < ecrist> can you post your config?
06:49 < ecrist> via pastebin.com
06:50 < Roman123> ecrist: sure. Thank you very much for the help. This has been driving me nuts for about one day now and I'm starting to be very frustrated.
06:52 < Roman123> ecrist: my server config http://pastebin.com/m3a96fad0
06:52 < ecrist> is this a linux server?
06:52 < Roman123> ecrist: openwrt
06:52 < Roman123> that's linux
06:52 < Roman123> "small scale linux" :)
06:52 < ecrist> yeah, they're a bit of a different animal, though.
06:53 < Roman123> it's my router
06:53 < ecrist> try changing option dev tap to option dev tap0, and make sure you have no tap devices
06:53 < ecrist> it *should* create a tap0 device, or fail, rather than using a random interface.
06:54 < Roman123> ok, I'll try. Give me a moment
06:55 < Roman123> ecrist: my client side http://pastebin.com/m45123f19
06:56 < ecrist> you're having problems with the server, right?
06:57 < Roman123> ecrist: I'm not sure where the problem is located.
06:58 < Roman123> The tunnel is built (without any error in the logfiles) but then I cannot ping from the client to the server side and vice versa.
06:58 < ecrist> the problem you described above, was that client or server?
06:58 < Roman123> server
06:58 < Roman123> ecrist: I made the change tap -> tap1
06:59 < ecrist> when the tunnel comes up, it uses that interface then, right?
06:59 < Roman123> how can I check that.
06:59 < Roman123> let me post my log file
07:01 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:02 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:03 < Roman123> ecrist: http://pastebin.com/m453ebc08
07:03 < Roman123> ^^^ the log entries on the server side
07:04 < Roman123> imho they look fine
07:06 < Roman123> http://pastebin.com/m461e1ecf <- log on the client side
07:07 < Roman123> Finally, my routes on the client side http://pastebin.com/m4a9ed96
07:10 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
07:12 < ecrist> any reason you're using tap rather than tun?
07:12 < nardul> How would i add a route to the server, so it can send packets to the initiating client's network?
07:13 < ecrist> nardul, see here:
07:13 < nardul> Assuming the client has routing enabled, of course.
07:13 < ecrist> !route
07:13 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:13 < Roman123> ecrist: well, I guess tap is the better choice for me.
07:13 < ecrist> Roman123: why?
07:14 < ecrist> one problem I think you're going to run into is using a common 1918 address space for your VPN. It's going to conflict with the majority of home and hotspot gateways.
07:15 < ecrist> see here for some other options:
07:15 < Roman123> ecrist: I like that my openvpn client receives an ip from the remote network and not its own subnet ip.
07:15 < ecrist> !1918
07:15 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
07:22 < Roman123> ecrist: so, you would recommend utilizing tun instead of tap?
07:30 < ecrist> Roman123: unless you're doing ethernet protocols, tun is much easier to set up
07:35 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 54 (Connection reset by peer)]
07:38 -!- hdfdisk [n=Phoenix@116.10.199.46] has joined ##openvpn
07:38 < hdfdisk> Hi All
07:39 < hdfdisk> Is there any Developer here?
07:41 -!- hdfdisk [n=Phoenix@116.10.199.46] has left ##openvpn []
07:42 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
07:42 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
07:43 -!- Bjar [n=Bjar@64.55.144.11] has joined ##openvpn
07:44 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
07:44 -!- zheng [n=zheng@218.82.143.81] has joined ##openvpn
07:46 < Bjar> Ok, I'm a person from China. If there is any developer who can help me: we have a really big problem because the Chinese Great Firewall is trying to "steal" the VPN/HTTPS connection to a monitored server, by which the government will be able to control the secure connections. They are already in action, and it will be deployed in all this country before long. We need someone to help us, as fast as it can be done. Sending this message I'm also taking a risk, so don't be strange if I
07:46 -!- Bjar [n=Bjar@64.55.144.11] has left ##openvpn []
07:59 < Roman123> ^^^ that was the end of Bjar :-P
08:00 < reiffert> he's still on freenode.
08:01 < ecrist> I think that was meant to be funny
08:02 < Roman123> yes in a sarcastic manner, although such things taking place in china are not funny
08:08 -!- zheng [n=zheng@218.82.143.81] has quit ["Leaving"]
08:13 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:17 -!- Spockz|irssi [n=alessand@71pc198.sshunet.nl] has joined ##openvpn
08:18 < Spockz|irssi> I have an openvpn server running, but when I connect to it the server authenticates itself with its local IP. Not the vpn IP.
08:20 < Spockz|irssi> UDPv4 link remote: 192.168.13.18:1194
08:20 < Spockz|irssi> should that point to the public interface ip or the vpn ip?
08:21 < uchimata> Spockz|irssi: you cannot connect to the server using its vpn ip
08:22 < Spockz|irssi> uchimata: I suspected that, so I do remote public_ip
08:25 < Spockz|irssi> trying with tcp, and it times out
08:30 < Spockz|irssi> hmm,
08:30 < Spockz|irssi> now I'm getting connection refused.
08:31 < Spockz|irssi> and there is no firewall installed on the server
08:31 -!- rubydiamond [n=rubydiam@123.236.183.202] has joined ##openvpn
08:33 < Spockz|irssi> uchimata: where can I find the server side log of openvpn? I only see a /var/log/openvpn-status.log
08:34 < uchimata> Spockz|irssi: there's a config option to specify the logfile
08:34 < uchimata> !configs Spockz|irssi
08:34 < vpnHelper> uchimata: Error: "configs" is not a valid command.
08:34 < uchimata> !config Spockz|irssi
08:34 < vpnHelper> uchimata: Error: 'supybot.Spockz|irssi' is not a valid configuration variable.
08:34 < uchimata> !config ,Spockz|irssi
08:34 < Spockz|irssi> erh..
08:34 < vpnHelper> uchimata: Error: 'supybot.,Spockz|irssi' is not a valid configuration variable.
08:34 < Spockz|irssi> it's in syslog I see in the conf file
08:34 < uchimata> hm... ;)
08:34 < uchimata> you can pastebin your config files for further support
08:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
08:36 < Spockz|irssi> ah found it
08:36 < Spockz|irssi> I was referring to a crl file that doesn't exist
08:42 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:45 -!- sjhstorm [n=sjhstorm@123.98.164.216] has joined ##openvpn
08:47 < ecrist> Spockz|irssi: you can create an empty crl, and sign it with your CA certificate.
08:54 -!- T0aD [n=nnnnnnnn@217.73.17.12] has joined ##openvpn
08:55 -!- Spockz|irssi [n=alessand@71pc198.sshunet.nl] has quit ["Lost terminal"]
09:03 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit ["Leaving."]
09:04 -!- T0aD [n=nnnnnnnn@217.73.17.12] has quit [Remote closed the connection]
09:18 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:26 -!- sjhstorm [n=sjhstorm@123.98.164.216] has quit ["Ex-Chat"]
09:29 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
09:32 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
09:47 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
09:48 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
10:01 < Roman123> ecrist: with tun everything seems to work fine.
10:09 < ecrist> Roman123: you were probably missing the bridging script to bridge your interfaces
10:10 < Roman123> ecrist: no, I did "openvpn --mktun --dev tap0 ; brctl addif br-lan tap0"
10:11 < ecrist> well, glad it's all working.
10:11 < Roman123> "brctl show" then shows tap0
10:13 < Roman123> ecrist: anyway, thank you very much. Now, I just have to figure out how to utilize client_config_dir to assign certain ip addresses to certain clients.
10:13 < Roman123> But that can't be difficult
10:14 < ecrist> really easy
10:14 < ecrist> !freebsd
10:14 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
10:14 < ecrist> that's got a section on it, os-agnostic
10:15 < ecrist> and it's covered in the howto
10:15 < ecrist> !howto
10:15 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:20 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
10:28 < Roman123> From the configuration example can be obtained: "option client_config_dir ccd" and then add this line to ccd/Thelonious: ifconfig-push "10.9.0.1 10.9.0.2"
10:28 < Roman123> What is the function of the second ip (10.9.0.2)?
10:29 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn
10:29 < Roman123> The first one is supposed to be assigned to Thelonious but I don't understand why there is a second one.
10:29 < MIPS> HELLO!
10:30 < ecrist> hello
10:30 < ecrist> Roman123: they're all /30 subnets
10:30 < ecrist> !/30
10:30 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
10:32 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
10:33 < MIPS> I run a server with "openvpn --dev tap0 --dev-node /dev/net/tun --proto udp"
10:33 < MIPS> can you tell me which client.ovpn options I need to use
10:33 < MIPS> ?
10:33 < MIPS> thanks
10:33 < MIPS> or tell me where I can read documentation for client connection without security options
10:35 < ecrist> MIPS: I'd suggest a read through the man page
10:35 < ecrist> !man
10:35 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:35 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 10:35 < MIPS> look here 10:51 -!- rubydiamond [n=rubydiam@123.236.183.202] has joined ##openvpn 10:55 < MIPS> I look http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbAV at the section Example 1: A simple tunnel without security but on server I can read 10:55 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 10:56 < MIPS> Connection Refused 10:56 < MIPS> Code=146 10:56 < MIPS> :( 10:57 -!- dan__t [n=dant@vpn.withparity.net] has quit [Remote closed the connection] 10:57 < MIPS> on client log I see "Local Options hash (VER=V4): '46e399f1'" and "Expected Remote Options hash (VER=V4): '46e399f1'" 10:58 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 10:58 < MIPS> what does it mean 10:58 < MIPS> my openvpn server has built without security options 10:58 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn 10:59 -!- dan__t [n=dant@ns1.hitb.net] has left ##openvpn ["Leaving"] 11:01 -!- french [i=a024ebdf@gateway/web/ajax/mibbit.com/x-42bc28bf398fa060] has joined ##openvpn 11:02 < french> i am trying to vpn to my server, it was working just fine now i am getting this error WARNING: No server certificate verification method has been enabled. what exactly does that mean? 11:07 < french> actually here is teh problem http://pastebin.com/d1b2b16ed any ideas? 
i am tryign to connect two to different vpn servers each givin the same error, and i have tired more than one client 11:24 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 11:29 < ecrist> french, that's not a fatal error 11:30 < ecrist> and, if you're going to post a log file, post the whole thing 11:45 < reiffert> Uh, bad bad bad 11:45 < reiffert> http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html 11:45 < vpnHelper> Title: [Full-disclosure] FreeBSD zeroday (at lists.grok.org.uk) 11:46 < ecrist> yeah, if you're a retard still running telnetd 11:48 < reiffert> ecrist: quoting an admin I was working under, some years ago: "We have a fully switched net, the authentication is encrypted, I still run telnet across the LAN" 11:49 < ecrist> like I said, if you're a retard. :) 11:50 < ecrist> telnet, in general, is more broken than a cheerleader after a victory in a high school football game. 11:50 < reiffert> :) 11:51 < ecrist> the *only* thing we have running telnet on my network at the office is an old Cisco router, which we're not going to upgrade, as it will be gone soon. and we only allow telnet from the next-hop freebsd system, which is connected to via console or ssh 11:53 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 11:54 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn 12:03 < french> ok here is my entire client log, http://pastebin.com/d1c0f7c8e it will not allow me to connect, it worked fine a few days ago 12:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:06 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit [] 12:18 < ecrist> french: would need to see logs from the other side as to why handshake is failing. 12:20 < french> ecrist can you tell me where the log file is located? fedora 9? 12:21 < ecrist> os means nothing, really. I have no idea. 
it'll be defined in the config of the other system
12:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:37 -!- french [i=a024ebdf@gateway/web/ajax/mibbit.com/x-42bc28bf398fa060] has left ##openvpn []
12:40 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn
12:45 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn
12:51 -!- TB-Master [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
13:00 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
13:32 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
13:44 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has joined ##openvpn
13:44 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
13:48 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn
14:45 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [No route to host]
14:51 < plaerzen> so. Hello #ovpn
15:34 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
15:35 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has joined ##openvpn
15:37 -!- Waldgichtel [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
16:14 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 110 (Connection timed out)]
16:20 -!- c64zottel [n=hans@p5B17AE90.dip0.t-ipconnect.de] has quit ["Leaving."]
16:27 < penrod> greetings , anybody here ?
17:11 < d0wn> Could anyone assist me with this? http://openvpn.net/index.php/documentation/howto.html#redirect
17:11 < vpnHelper> Title: HOWTO (at openvpn.net)
17:12 < d0wn> I'm having trouble with it.
I've got it set up as said in that howto, however, nothing will load, at all
17:17 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
17:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
17:53 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
17:54 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
17:58 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
19:09 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
19:20 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Read error: 110 (Connection timed out)]
19:33 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [No route to host]
19:56 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:10 -!- toni__ [n=toni@pD9505BB9.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
20:21 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit ["leaving"]
20:39 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: krzee
20:40 -!- Netsplit over, joins: krzee
20:42 -!- _skx [i=skx@217.17.32.190] has joined ##openvpn
20:43 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 110 (Connection timed out)]
20:50 -!- mottz [n=mottz@cpe-76-172-44-55.socal.res.rr.com] has joined ##openvpn
20:52 < mottz> has anyone written a tool to package windows clients w/ configs and keys for simple client install?
21:27 -!- mottz [n=mottz@cpe-76-172-44-55.socal.res.rr.com] has quit ["Leaving"]
21:43 -!- d0wn_ is now known as d0wn
21:43 -!- int [n=quassel@wikia/int] has quit [SendQ exceeded]
21:44 -!- int [n=quassel@wikia/int] has joined ##openvpn
21:54 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:17 -!- citrusfruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
22:18 < citrusfruitsnack> Hello, I have set up openvpn correctly between my vista laptop and my fedora system at home. everything works and i can transfer files fine (samba), except for the fact that windows explorer.exe hangs for at least 10 seconds when navigating the samba shares and when trying to transfer files
22:18 < citrusfruitsnack> transferring files and navigating the directories works fine using the windows command line, but explorer always freezes up
22:19 < citrusfruitsnack> does anyone else know of this problem?
22:22 < citrusfruitsnack> i tried modifying the tun-mtu and fragment sizes a little but i can't seem to fix this
22:34 < citrusfruitsnack> like i just tried using ftp and everything works great in terms of file transfers and stuff, but if i try to browse file shares with explorer it just freezes
22:35 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
22:37 < ecrist> evening, folks
22:37 < citrusfruitsnack> hi ecrist
22:40 < ecrist> citrusfruitsnack: you could try switching to tap, see if that helps at all.
22:41 < citrusfruitsnack> hmm i need to look into it. im not quite sure how routing works different than tun, and what the implications/why i should need it
22:42 < citrusfruitsnack> what does tap do that tun doesnt?
22:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:04 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:22 -!- penrod [n=penrod@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)]
23:29 < krzee> tunnels ethernet traffic
23:29 < krzee> tun can only tunnel ip traffic
23:44 < citrusfruitsnack> so like what's an example of ethernet traffic that's different from ip traffic
--- Day changed Wed Feb 18 2009
00:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:52 -!- citrusfruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has quit ["Leaving"]
00:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:23 -!- surf_ [i=surf@gateway/tor/x-7a74ac1d3535f694] has joined ##openvpn
01:28 -!- c64zottel [n=hans@p5B17A9AF.dip0.t-ipconnect.de] has joined ##openvpn
01:55 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has joined ##openvpn
01:55 < Burps> hi everyone
01:57 < Burps> I have an old ovpn server A, that I want to physically replace with a brand new server B. Is it possible to migrate without having to connect on each client ? Right now, when I shutdown server A, the clients dont reconnect by themselves on server B
01:59 < uchimata> Burps: if it runs the same config and ip
02:05 < Burps> the config is based on dns... should this be the problem ?
02:06 < Burps> apparently, when trying to reconnect, the client makes a nex DNS request
02:07 < Burps> *new
02:07 < Burps> so the IP is different... but the DNS is still the same
02:59 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has joined ##openvpn
02:59 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has left ##openvpn ["Leaving"]
03:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably.
Anywhere."]
03:38 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: eagle, T0aD, c64zottel, clusterm1gnet, Burps, blaxthos, d0wn, disco-, pa, paruchuri, (+21 more, use /NETSPLIT to show all of them)
03:48 -!- Netsplit over, joins: eagle, reiffert
03:49 -!- Netsplit over, joins: T0aD, bandini, fpletzv6, smk
03:49 -!- Netsplit over, joins: paruchuri, hardwire, d0wn, vpnHelper
03:50 -!- Netsplit over, joins: surf_, krzee, troy-, logiclrd, dogmeat
03:50 -!- Netsplit over, joins: dvl, stephenh, blaxthos, clusterm1gnet, pa, worch, disco-, Typone, [intra]lanman
03:51 -!- Netsplit over, joins: c64zottel, jpalmer, kaii_, hads, huslu, meturaf
03:51 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
03:52 -!- tjz|lunch is now known as tjz
03:53 < tjz> darn. why am i always having lunch..
03:53 < tjz> anyone what is the most efficient way to track bandwidth for multiple ip addresses?
04:04 < uchimata> to track or to limit?
04:05 -!- toni__ [n=toni@pD95040A2.dip0.t-ipconnect.de] has joined ##openvpn
04:20 -!- surf_ is now known as suirf80
04:20 -!- suirf80 is now known as surf80
05:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:09 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has joined ##openvpn
05:10 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
05:11 < Burps> hi, new question : when creating a new openvpn cert, I would like to give the "challenge password" as an argument to my script : is there an option to pass it to "openssl req " after that ?
05:31 -!- surf80 is now known as surf6869
06:27 -!- zhou_rock [n=zhou@61.151.242.254] has joined ##openvpn
06:28 < zhou_rock> how to install openvpn on smartphone?
06:29 < zhou_rock> for windows mobile
06:32 < zhou_rock> :D,bye
06:32 -!- zhou_rock [n=zhou@61.151.242.254] has left ##openvpn []
06:36 -!- _skx is now known as skx
06:42 -!- bsund [n=bsund@213.180.77.55] has joined ##openvpn
06:56 < ecrist> tjz: cacti and a polling script
06:57 < ecrist> lol, zhou_rock waited 4 minutes for an answer.
07:12 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:18 < reiffert> http://netzdeponie.de/download/fun/pics/if-bankers-were.jpg
07:18 -!- Waldgichtel [n=toni@pD95067FC.dip0.t-ipconnect.de] has joined ##openvpn
07:27 -!- toni__ [n=toni@pD95040A2.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:36 -!- nardul [n=kse@212.37.141.188] has joined ##openvpn
07:41 < nardul> Who's the routing master here? :)
07:44 < ecrist> nardul, what's your problem?
07:46 < nardul> We have a server, and a client. The client can connect to the server no problem, the client can ping the servers ip addresses. However the client can't ping network addresses on the servers network.
07:46 < nardul> Now, i have done "echo 1 > /proc/sys bla bla bla". So it should be able to forward.
07:47 < nardul> The machine on the server network does have a return path that is set correctly.
07:47 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:50 < nardul> However, from my workstation machine. I can ping the network on the other side of the client, through the VPN. However, i cannot ping the openvpn virtual network.
07:52 < ecrist> nardul: see here:
07:52 < ecrist> !route
07:52 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:52 < ecrist> see if that helps
07:53 < nardul> Thanks, you pasted that same link yesterday, and it did help me a lot. However, i seem to have problems reaching the openvpn virtual network.
I don't think it's a routing problem.
07:58 < ecrist> oh
07:59 < ecrist> well, the lan on the vpn server side needs to have routes for the VPN
07:59 < ecrist> this is often accomplished 'automagically' by having your openvpn server running on your default gateway
07:59 < ecrist> otherwise, you should be able to put a static route on the default gateway pointing a route for the VPN subnet to the vpn server.
08:09 < nardul> I found the problem. The silly thing was of course a misconfigured route on my part. Thanks a lot, it helped ecrist!
08:09 < ecrist> np
08:11 -!- diazepam1 [n=trent@220-244-78-68.static.tpgi.com.au] has joined ##openvpn
08:13 < diazepam1> hi guys can anyone help me with this one http://paste2.org/p/149579
08:16 < ecrist> diazepam1: is this a new problem on a working VPN, or an initial setup?
08:16 < diazepam1> it was working
08:16 < diazepam1> for about 30 min
08:17 < diazepam1> but i had tls off
08:17 < diazepam1> i have 4 other servers running this
08:17 < ecrist> at first look, it appears to be a problem with your SSL certificates, but I don't know what the problem is, sorry.
08:17 < diazepam1> and are rock solid
08:17 < diazepam1> okay
08:18 < diazepam1> everything else looks okay
08:18 < diazepam1> ?
08:18 < ecrist> is that the server or client log?
08:18 < ecrist> looks like client
08:18 < diazepam1> client
08:19 < ecrist> what does the server log show?
08:19 < diazepam1> http://paste2.org/p/149586
08:20 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
08:21 < ecrist> I don't know. I'd have to point you to the mailing list for this one.
08:22 < diazepam1> can i ask
08:22 < diazepam1> the line tls-auth ta.key 1
08:22 < diazepam1> what does the '1' mean
08:22 < diazepam1> ?
08:22 < diazepam1> ?that its active
08:25 < ecrist> not sure
08:26 < reiffert> diazepam1: found this line in the official openvpn howto? I guess not.
08:26 < diazepam1> which line
08:28 < reiffert> diazepam1: see the manpage for about what the '1' means.
08:28 < reiffert> especially Data Channel Encryption Options:
08:29 < diazepam1> ahhh okay
08:29 < diazepam1> i think i might go back and wipe all my keys
08:29 < diazepam1> start again
08:29 < diazepam1> thanks guys for the quick responses
08:29 < diazepam1> you rock!
08:29 < diazepam1> night
08:30 -!- diazepam1 [n=trent@220-244-78-68.static.tpgi.com.au] has left ##openvpn []
08:33 -!- surf6869 [i=surf@gateway/tor/x-7a74ac1d3535f694] has quit [Remote closed the connection]
08:41 < Burps> when I create a certificate for a client, how can I specify, during the "openssl req...." command, the PEM passphrase, as an argument to this command ?
08:42 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:51 < ecrist> you need to store that in a file. this is covered in the man page
08:52 < Burps> and I give it as argument with "-pass file:MyPassFile" ? right ?
08:52 < Burps> or passin ? or passout ?
08:53 < Burps> I can't clearly understand how that works, a little hit would be appreciated :)
08:53 < Burps> hint*
08:54 < ecrist> !man
08:54 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:54 < ecrist> or, if you're running 2.1
08:54 < ecrist> !betaman
08:54 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html
09:09 -!- nardul [n=kse@212.37.141.188] has quit ["Leaving"]
09:12 < Burps> ecrist: sorry, I can't find the solution in the link you gave me.... I already read the openssl man, but I still can't understand
09:15 < Burps> my colleague doesn't want it, but I think i'm going to do this with "expect"....
09:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:41 < tjz> SSH used how many bit?
09:41 < tjz> may i know..
09:41 < tjz> =)
09:48 < reiffert> may you read the ssh source to know ...
09:51 < tjz> hehehehe
10:03 -!- mindbendr [n=neveraga@82.196.231.29] has joined ##openvpn
10:03 < mindbendr> hi, my openvpn server is trying to give the same ip to the clients which results the clients disconnected
10:03 < mindbendr> here is my openvpn cfg http://pastebin.com/m3cdf545a
10:04 < mindbendr> any ideas why does this occur
10:19 < sigius> mindbendr, not sure yet, but what is the 'float' for ?
10:19 < sigius> i.e. what does it do?
10:20 < mindbendr> sigius: man pages says "Allow remote peer to change its IP address and/or port number, such as due to DHCP (this is the default if --remote is not used)"
10:20 < mindbendr> --float when specified with --remote allows an OpenVPN session to initially connect to a peer at a known address, however if packets arrive from a new address and pass all authentication tests, the new address will take control of the session. This is useful when you are connecting to a peer which holds a dynamic address such as a dial-in user or DHCP client.
10:20 < mindbendr> Essentially, --float tells OpenVPN to accept authenticated packets from any address, not only the address which was specified in the --remote option.
10:21 < sigius> mindbendr: right, got it
10:22 < sigius> mindbendr, btw by 'the same ip' you mean a fixed ip for each client ?
10:22 < mindbendr> sigius: no
10:23 < mindbendr> sigius: whoever tries to connect gets 172.16.0.134 as the ip
10:23 < mindbendr> so if a user is already connected
10:23 < mindbendr> the other one gets disconnected
10:24 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has left ##openvpn ["Leaving"]
10:26 < sigius> mindbendr, and does each client have its own key or are they sharing the same one ?
10:27 < mindbendr> sigius: generated by easy-rsa individually
10:27 < mindbendr> i've put the same `common name` when i'm generating them
10:27 < mindbendr> so assuming it's not wrong
10:29 < sigius> mindbendr, Sorry, I keep having trouble with the word 'same' :). same as what ?
10:30 < mindbendr> when i was generating the certificates
10:30 < mindbendr> I've put `gate.local` as the common name to all of them
10:30 < mindbendr> am i mistaken by doing that?
10:30 < sigius> As far as I know the ovpn server identifies the client by their 'common name'
10:31 < mindbendr> so it must be the same on all the certs?
10:31 < sigius> so the ovpnserver would not see a difference between clients in your setup
10:31 < mindbendr> hmm
10:31 < mindbendr> why is it called `common name` then
10:31 < mindbendr> if they are not gonna be common ;)
10:32 < sigius> good point, theres bound to be a very good reason but I dont know it
10:32 < sigius> anyway they should differ
10:33 < mindbendr> are you sure
10:33 < mindbendr> Common Name (eg, your name or your server's hostname) []:
10:33 < mindbendr> if I'm gonna put my server's hostname
10:33 < mindbendr> it would be the same for all, wouldn't it
10:34 < sigius> Yes, im sure. although I'm having trouble refuting your logic :)
10:34 < mindbendr> right :)
10:34 < sigius> let me check the manpage
10:35 < mindbendr> found this
10:35 < mindbendr> Always use a unique common name for each client. C:\Program Files\OpenVPN\easy-rsa>build-key.bat client1 Loading 'screen' into random state - done ...
10:36 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn
10:37 < sigius> Right, Im reading something similar in ovpns howto:
10:38 < sigius> Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client.
10:40 < sigius> Q: In the manpage I read on using ipp.txt that "Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push".
10:40 < sigius> Now I dont like the overhead of using ifconfig-push. Is there a way to make the ip addresses list in ipp.txt mandatory ?
10:42 < sigius> Btw: Indeed I've seen other ip addresses (than in ipp.txt) being given out, and only when resetting ovpn server did the client get the ipp.txt address again
10:47 < mindbendr> yeah
10:47 < mindbendr> but stupidity is
10:47 < mindbendr> when you want to generate a cert
10:48 < mindbendr> it says `Common Name (eg, your name or your server's hostname) []:`
10:48 < mindbendr> as it's called COMMON and it says SERVER's HOSTNAME
10:48 < mindbendr> i thought they supposed to be the same!
10:48 < sigius> mindbendr, very misleading, i have to agree.
10:50 < mindbendr> i assume the thing is
10:51 < mindbendr> they provide the same binaries for generating the key for the server and for the client
10:51 < mindbendr> in linux, that's the reason
10:57 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:59 -!- Burps [n=Burps@82.40.65-86.rev.gaoland.net] has quit ["Leaving"]
11:00 < sigius> Anyone any ideas on this : In the manpage I read on using ipp.txt that "Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, use --ifconfig-push".
11:01 < sigius> Now I dont like the overhead of using ifconfig-push. Is there a way to make the ip addresses list in ipp.txt mandatory ?
11:03 < reiffert> ccd and ifconfig-push
11:06 < sigius> Yes, but is there another way ? using ipp.txt suits me lots better
11:06 < reiffert> edit the source code.
11:11 < sigius> hmm, yes .. well
11:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:25 -!- vcs [i=vcs@alien.jinxshells.com] has joined ##openvpn
11:25 < vcs> Hi, is it possible to assign an OpenVPN server an address other than .1?
11:28 < reiffert> vcs: yes.
11:29 < vcs> I have googled but have not had any luck, and I have tried doing it in the same way as I would a client to no avail. What is the easiest way to accomplish this without editing source code?
11:30 < reiffert> read the manpage. especially what the server line expands to and follow commands from there.
11:36 < ecrist> sigius: no, short answer is no
11:37 < ecrist> you *could* create a perl script which tails ipp.txt, and auto-creates ccd entries on the fly
11:37 < ecrist> but you'd have to know perl, or another scripting language
11:42 < reiffert> ecrist: thats wrong. the short answer is: it depends.
11:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:42 < ecrist> reiffert: depends on what?
11:42 < reiffert> ecrist: i'm sorry, thought you were replying to vcs.
11:43 < ecrist> oh
11:43 * ecrist puts on dunce cap anyway
11:43 -!- jreb__ [n=jreb@r47h141.dixie-net.com] has joined ##openvpn
11:43 -!- jreb__ [n=jreb@r47h141.dixie-net.com] has left ##openvpn ["Leaving"]
11:46 < sigius> ecrist, ok thanks, i think editing the code (and doing it again after an ovpn update) would be more appealing even
11:47 < ecrist> I would disagree with you. the script would be about 10 lines, and would be compatible with future versions.
11:48 < vcs> reiffert, I am trying to set OpenVPN up with a Class B netmask, however
11:48 < vcs> woops, that was supposed to be in my terminal :|
11:48 < ecrist> vcs, the netmask is irrelivant
11:48 < ecrist> I know I spelled that wrong
11:48 < sigius> ecrist: 'on the fly' means triggered by what exactly ?
11:49 < ecrist> new entries in ipp.txt
11:49 < ecrist> see 'man tail' for information on how tail works.
11:50 -!- mindbendr [n=neveraga@82.196.231.29] has quit ["leaving"]
11:52 < sigius> ecrist, are you suggesting to keep a tail running on ipp.txt such that whenever I go and add a line the corresponding ccd entry is made (by the perl script)
11:52 < vcs> I keep getting route: netmask doesn't match route address. My boss is INSISTENT that I use 255.255.0.0 as a netmask. Shouldnt 10.2.2.103 be as valid a route address as any(ifconfig 10.2.2.102 10.2.2.103,ifconfig-pool 10.2.2.105 102.2.2.254,route 10.2.2.0 255.255.0.0, push "route 10.2.2.102")? I don't even understand what the point of that is given we are going to have less than 5 people on this.
11:52 < ecrist> sigius: yes.
11:53 < ecrist> ipp.txt isn't really supposed to be for you to edit, entries are added by the openvpn process automatically.
11:55 < vcs> AHh fixed it, never mind
11:55 * vcs slaps himself
11:56 < sigius> ecrist, I'm not sure the man page says :If seconds = 0 (in --ifconfig-pool-persist file [seconds]), file will be treated as read-only. This is useful if you would like to treat file as a configuration file.
11:57 < ecrist> regardless, the script would auto-create the ccd entries.
12:00 < sigius> ecrist, ok thanks, i'll give that a try (once I get these ccd approach working in the first place)
12:00 < sigius> these -> that
12:00 < vcs> I have ifconfig-pool 10.2.0.1 10.2.255.255, ifconfig 10.2.2.102 10.2.2.103 but for some reason my first client IP is 10.2.2.106
12:01 < vcs> do clients have to come explicitly AFTER the gateway when automatically being assigned an address?
12:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:39 < ecrist> sigius: what isn't working with ccd?
13:00 < vcs> wow, ethernet bridging just fixed ALL of my problems.
13:06 < krzee> vcs
13:06 < krzee> !/30
13:06 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:08 -!- toni__ [n=toni@pD9506BD1.dip0.t-ipconnect.de] has joined ##openvpn
13:12 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
13:25 -!- Waldgichtel [n=toni@pD95067FC.dip0.t-ipconnect.de] has quit [Read error: 101 (Network is unreachable)]
13:26 < krzee> [09:57] ecrist, are you suggesting to keep a tail running on ipp.txt such that whenever I go and add a line the corresponding ccd entry is made (by the perl script)
13:26 < krzee> ipp.txt makes no guarantee it will be obeyed
13:26 < krzee> its more like a suggestion
13:27 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn
13:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:51 < sigius> krzee, I know, that was my problem. until recently I always saw the suggestion being followed, but not anymore
13:54 < vcs> hmmm... I run: "iptables -t nat -A PREROUTING -p tcp -i tun0 -d 10.2.2.102 --dport 5002 -j DNAT --to 10.2.1.212:5001" and then "iptables -A FOWARD -p tcp -i tun0 -d 10.2.1.212 --dport 5001 -j ACCEPT" but for some reason traffic is not flowing. i can connect to 5001 on 10.2.1.212 just fine, but still not able to connect to 10.2.2.102 on port 5001. 10.2.1.212 is accessible on eth0, and 10.2.2.102 is accessible from tun0.
13:54 < vcs> 5001* for dport
13:55 < vcs> I get a connection refused when telnetting into port 5001
13:55 < vcs> is there anything special I need to do with the tun device?
13:57 < krzee> nah but its only accessible to vpn clients
13:58 < krzee> im no iptables expert
13:58 < krzee> but finding someone who is would be your fastest way to an answer
13:58 < krzee> since thats not an openvpn question at all
13:58 < vcs> well I mean i am sure it is a pretty common use of openvpn to access an external service in a controlled manner
14:04 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
14:06 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
14:06 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has joined ##openvpn
14:07 < sigius> Come to think of it, what would make a lot of sense is, if openvpn were to consult the hostfile when giving out ip addresses to connecting clients
14:07 < ecrist> sigius: that would not make sense.
14:08 < ecrist> I can understand your point of view, but openvpn configuration can be much more complicated than a single IP.
14:09 < krzee> !factoids search ip
14:09 < vpnHelper> krzee: 'tls-cipher', 'iporder', 'winipforward', '2.1-winpass-script', 'chooseip', 'iptables', 'linipforward', 'ipp', and 'ipv6'
14:09 < krzee> !iporder
14:09 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
14:10 < ecrist> krzee: done touring the Americas, or just sitting in another consulate?
14:10 < sigius> ecrist, this way I add a CommonName to my host table, the client (with that CN) connects and gets the ip address in the hostfile. Once connecting is made I can do a 'ping CommonName'. Handy.
minimal administration effort
14:10 < krzee> im in southern california right now
14:10 < krzee> headed to peru any day
14:11 < sigius> ecrist, makes sense to me
14:11 < ecrist> sigius: while I understand what you're saying, it's over-simplified.
14:11 < krzee> sigius, --client-connect script can add to /etc/hosts for you if you want it to
14:11 < krzee> and i dont want my existing hostfile to mess up connecting clients because a name was double chosen
14:12 < sigius> krzee, thanks i'll check that out
14:12 < krzee> sigius, when i typed !iporder it was for you
14:12 < krzee> !iporder
14:12 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
14:12 < krzee> that is, in order, how openvpn assigns IPs
14:12 < sigius> krzee, ok didnt get that. thanks
14:12 < krzee> np
14:13 < krzee> !man
14:13 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:13 < krzee> for more info
14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:36 -!- dscastro [n=diego@unaffiliated/dscastro] has joined ##openvpn
14:36 < dscastro> morning all
14:36 < dscastro> evening
14:37 < ecrist> howdy
14:37 < dscastro> can i set opvn for multiclients and each clients gets same LAN ip?
14:38 < ecrist> not sure I follow, but PAT would be the answer.
14:39 < dscastro> ecrist, have you ever done it?
14:39 < ecrist> yep
14:39 < ecrist> it's not supported in OpenVPN, it's a firewall/router issue
14:39 < ecrist> each VPN client would really have their own IP
14:40 < dscastro> ecrist, and must be different of lan, right?
14:40 < ecrist> yes
14:41 < dscastro> well.. have you some doc for do this?
14:41 < ecrist> no, you would setup OpenVPN normally, and then setup PAT/NAT on the router between the VPN and the LAN
14:42 < dscastro> ok,
14:42 < dscastro> how i setup for multiple clients?
14:43 < ecrist> have you read the howto?
14:44 < dscastro> i'm reading now!
14:44 < ecrist> ok!
14:44 < krzee> !!
14:44 < vpnHelper> krzee: Error: "!" is not a valid command.
14:45 < krzee> lol
14:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:07 -!- fpletzv6_ [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has joined ##openvpn
15:07 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has quit [Read error: 54 (Connection reset by peer)]
15:13 -!- dscastro [n=diego@unaffiliated/dscastro] has quit [Remote closed the connection]
15:42 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection]
16:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
16:25 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
16:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:36 -!- d0wn [n=d0wn@unaffiliated/d0wn] has quit [Connection timed out]
16:36 -!- d0wn_ is now known as d0wn
16:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:49 < sigius> hmm, it seems client-config-dir scripts and client-connect scripts are treated differently; ifconfig-push does not work in a client-connect script.
16:55 < sigius> also a client-connect script understands things like $common_name and a ccd script doesnt
16:58 < sigius> ok, think i got it ....
16:59 -!- kyrix [n=ashley@91-115-185-140.adsl.highway.telekom.at] has quit ["Leaving"]
17:10 < sigius> So, turns out I can use the hostfile /etc/hosts directly: my client-connect script is one line "echo 'ifconfig-push $common_name 10.8.0.1' > $1" . $common_name is then matched against the hostfile.
18:00 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
18:02 < diazepam> hey guys, just a quickie. I have a tap tcp vpnserver working nicely, however it only allows one person to connect at any time even though i have specified a range of addresses .161 -> 191. The person to log on always gets the address .161 and kicks any other connected users. Any ideas?
18:04 < diazepam> server.conf http://paste2.org/p/149885
18:06 < diazepam> client conf http://paste2.org/p/149886
18:17 < diazepam> wont somebody love me?
18:20 < diazepam> okay everyone is busy. Be back later tonight. =)
18:20 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
18:53 -!- c64zottel [n=hans@p5B17A9AF.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
19:15 -!- toni__ [n=toni@pD9506BD1.dip0.t-ipconnect.de] has quit ["Verlassend"]
19:53 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
20:03 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn
20:11 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:16 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
20:17 -!- dmb_ [n=dmb@74.214.115.252] has joined ##openvpn
20:18 -!- dmb [n=dmb@unaffiliated/dmb] has quit ["Leaving"]
20:27 -!- dmb_ is now known as dmb
20:47 -!- LumberCartel [n=IceChat7@24.86.160.252] has joined ##openvpn
20:48 < LumberCartel> Hello folks. I'm using OpenVPN v2.1 on the server, and I'm trying to connect a client. The client gets an IP address, but is unable to ping the server or anything on the network on the server side. The server is unable to ping the client.
20:48 < LumberCartel> The server is NetBSD 4 and it acts as a gateway.
20:49 < LumberCartel> Where should I look for OpenVPN configuration tips when the OpenVPN server is on the gateway, with packet forwarding enabled?
20:49 < LumberCartel> Thanks in advance.
20:55 < onats> howdy
21:01 < LumberCartel> Hello onats.
21:03 < onats> !configs
21:03 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:03 < onats> !sample-config
21:04 < vpnHelper> onats: Error: "sample-config" is not a valid command.
21:04 < onats> !sample
21:04 < vpnHelper> onats: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:04 < onats> there you go
21:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
21:38 < dmb> if you are connecting to an openvpn server, is there a way on the linux client side to use that openvpn's internet connection?
21:45 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
21:58 -!- LumberCartel [n=IceChat7@24.86.160.252] has quit ["Go Team Venture!"]
22:36 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
23:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:20 < onats> yes
23:33 -!- paruchuri [n=qvantel@61.16.248.242] has joined ##openvpn
23:38 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Thu Feb 19 2009
00:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:40 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
01:01 -!- paruchuri [n=qvantel@61.16.248.242] has quit ["Ex-Chat"]
01:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:40 < reiffert> moin
02:14 -!- Ox41464b [n=satria@unaffiliated/Ox41464b] has joined ##openvpn
02:15 < Ox41464b> Im looking for Easy-To-Install/Config OpenVPN for Server and Client side, is there any suggestion ?
02:15 < reiffert> !howto
02:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:17 < Ox41464b> reiffert, yes its great... and confusing.. I've tried it before with my LAN-PC, and ended with i must physical reboot (on Windows)
03:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:33 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
03:42 -!- mikkel_ is now known as mikkel
03:53 -!- fpletzv6_ is now known as fpletzv6
04:29 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:29 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
04:30 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:41 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:44 < Roman123> After I disconnect my client from the openvpn server (connect and disconnect work smoothly, no error messages), the openvpn logfile of the server is filled up with read "UDPv4 [ECONNREFUSED]: Connection refused (code=146)". Is this a bug?
04:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- mindbendr [n=neveraga@host86-133-198-234.range86-133.btcentralplus.com] has joined ##openvpn
04:55 < mindbendr> hi I can't make openvpn working with UDP, it works fine with TCP protocol
04:56 < mindbendr> i can see there are some stuff coming in and going out on UDP port via tcpdump
04:56 < mindbendr> but it can't get to TLS handshaking etc
04:58 < mindbendr> any ideas?
05:26 -!- mindbendr [n=neveraga@host86-133-198-234.range86-133.btcentralplus.com] has quit ["leaving"]
05:42 -!- Ox41464b [n=satria@unaffiliated/Ox41464b] has quit []
06:09 -!- oc80z [n=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
06:51 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
07:15 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
07:18 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 104 (Connection reset by peer)]
07:25 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
07:44 -!- Spabby [n=G@host-84-9-136-140.dslgb.com] has joined ##openvpn
07:52 < Spabby> hi there my client is timing out despite the settings appearing to be correct, I have pasted my configs and the log here, any advice would be gratefully received!
07:52 < Spabby> http://pastebin.com/m6c8a62ea
07:56 < Spabby> does the keep-alive setting need to be set in both client and server config?
07:58 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn
08:20 < reiffert> Spabby: when did it stop working?
08:22 < reiffert> Spabby: are both machines on 192.168.0.0 net?
08:28 < Spabby> hi
08:29 < Spabby> it stops after about 3-4 minutes I think
08:29 < Spabby> and yes both machines are on 192.168.0.x/24
08:29 < Spabby> in the wild they will be connecting over internet link
08:29 < reiffert> does it work for those 3-4 minutes? Can you prove the packets to travel over the encrypted tunnel?
08:30 < Spabby> yep, I am posting to a mysql database over the tunnel
08:30 < Spabby> it works when it reconnects as well
08:30 < Spabby> but I can see that the control pings are not getting returned by the client (I think)
08:32 < reiffert> Change comp-lzo zo comp-lzo no on both configs, then have both configs a keepalive 10 60
08:32 < reiffert> s, zo , to ,
08:32 < Spabby> change comp-lzo to comp-lzo no
08:32 < reiffert> 2yep
08:35 < Spabby> no difference :(
08:36 -!- T0aD [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:38 -!- T0aD [n=nnnnnnnn@lescigales.org] has joined ##openvpn
08:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
08:44 -!- T0aD [n=nnnnnnnn@lescigales.org] has left ##openvpn []
08:44 -!- Spabby [n=G@host-84-9-136-140.dslgb.com] has left ##openvpn []
09:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:24 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
09:31 < ecrist> howdy, plaerzen
09:37 < plaerzen> hey ecrist
09:37 < plaerzen> how's it going ?
09:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:51 -!- El_Presidente [i=Martin@p5798E9BE.dip.t-dialin.net] has joined ##openvpn
09:51 < El_Presidente> hello
09:52 < El_Presidente> reiffert, may i ask you *again* about my vpn problems; here is the config : http://pastebin.com/m58dce922
09:53 < El_Presidente> i always get this error : http://pastebin.com/m4d695112
09:53 < El_Presidente> also the performance is crappy if i set route-gateway
09:53 < El_Presidente> i get just 15kb/s
10:14 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has joined ##openvpn
10:17 < MIPS> hello. my /dev/net/tun device permissions are like these 'crw-r-----' but I think the correct values are 'crw-r--r--' It's true? What kind of problem may I encounter using openvpn in my situation?
10:18 < ecrist> MIPS: crw------- is the permissions for my interfaces on FreeBSD.
10:18 < ecrist> why are you looking at that?
10:25 -!- Omache [n=teastep@2002:ce7c:92b4:1:21b:24ff:fecb:2bcc] has joined ##openvpn
10:25 < MIPS> linux kernel 2.6.8.1
10:26 -!- Omache [n=teastep@2002:ce7c:92b4:1:21b:24ff:fecb:2bcc] has left ##openvpn ["Leaving"]
10:26 < MIPS> and it's true that the correct value is 'crw-r--r--' ?
10:34 -!- c64zottel [n=hans@p5B17B27E.dip0.t-ipconnect.de] has joined ##openvpn
10:34 -!- c64zottel [n=hans@p5B17B27E.dip0.t-ipconnect.de] has left ##openvpn []
10:35 < MIPS> I asked this because in my openserver side I can read anything RX packets:0 TX packets: 553
10:36 < MIPS> and using verb 9 I read in openvpn server
10:36 < MIPS> something like
10:36 < MIPS> Thu Feb 19 16:33:55 2009 us=330829 UDPv4 read returned -1
10:37 < MIPS> Thu Feb 19 16:33:55 2009 us=330829 read UDPv4 [ECONNREFUSED]: Connection refused
10:37 < MIPS> (code=146)
10:37 < MIPS> :(
10:39 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
10:40 < toddoon_> can someone help me to configure my client?
10:40 < toddoon_> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:4: ---BEGIN (2.1_rc11) i have this
10:43 < toddoon_> ok no problem in fact
10:44 < El_Presidente> take a look in line 4 ...
10:44 < MIPS> can someone help me?
10:44 < toddoon_> ok i fix the solution thx
10:44 < toddoon_> *problem
10:48 < Roman123> Enabled Common name is "James_Band" /etc/openvpn/clients/James_Band
10:48 < Roman123> oops
10:48 < Roman123> Sorry, too fast.
10:49 < Roman123> I like to assign certain IP's to certain client, which should be possible by means of the client_config_dir directive, right?
10:52 < Roman123> So I put option client_config_dir /etc/openvpn/clients in my server's openvpn config file. Additionally, I put a file called James_Band into /etc/openvpn/clients with the content "ifconfig-push 10.168.1.198 10.168.1.199". The IP range in the openvpn network is ' option server "10.168.1.0 255.255.255.0" '.
10:53 < Roman123> After restarting the server, and connecting with the client featuring "James_Band" in the common name, it still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198)
10:54 < Roman123> I guess I've missed just a small thing.
10:54 < Roman123> Any ideas how to get rid of that?
10:58 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:08 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
11:09 < toddoon_> hi could help me, i can ping the vpn server 10.3.0.8 but i don't anybody
11:09 < toddoon_> *see
11:10 < Roman123> toddoon_: sorry, I don't understand in particular your problem.
11:10 < Roman123> you can ping from the client side the server?
11:10 < toddoon_> yes i am the client and i can ping the server
11:10 < Roman123> and you like to see?
11:11 < toddoon_> yes
11:11 < Roman123> other clients?
11:11 < toddoon_> yes
11:11 < Roman123> or what?
11:11 < Roman123> do you use tun or tap?
11:11 < toddoon_> no i will others clients
11:11 < toddoon_> i have an interface named tap0
11:12 < Roman123> you will others clients? <-- this means?
11:12 < toddoon_> sorry, i would *see
11:13 < Roman123> Perhaps try to put "option client_to_client 1" in your server config.
11:13 < Roman123> I guess that should help
11:14 < Roman123> IMHO that's disabled per default
11:14 < toddoon_> ok thx i will try
11:14 < Roman123> good luck :)
11:16 < Roman123> No ideas about my "client_config_dir" problem? :-(
11:18 < toddoon_> Roman123: it tell me: Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:5: option (2.1_rc11)
11:20 < Roman123> toddoon_: what did you put exactly in your config file (which line)?
11:21 < toddoon_> Roman123: line 5: option client_to_client 1
11:22 < Roman123> weird, then I have no idea.
11:22 < Roman123> toddoon_: which version of openvpn do you run?
11:22 < Roman123> and on which os?
11:22 < toddoon_> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008
11:22 < toddoon_> Developed by James Yonan
11:22 < toddoon_> Copyright (C) 2002-2008 Telethra, Inc.
11:22 < toddoon_> g
11:22 < toddoon_> *ubuntu
11:23 < Roman123> toddoon_: sorry I have to leave. But try to google for "option client_to_client 1"
11:23 < toddoon_> Roman123: ok thx :D
11:24 < Roman123> toddoon_: i guess you're on the right way with this option.
11:24 < Roman123> bye
11:24 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"]
11:47 -!- Netsplit lem.freenode.net <-> irc.freenode.net quits: eagle, toddoon_, clusterm1gnet, vcs, blaxthos, disco-, pa, krzie_, skx, disposable, (+39 more, use /NETSPLIT to show all of them)
11:47 -!- Irssi: ##openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
11:49 -!- Netsplit over, joins: toddoon_, MIPS, El_Presidente, roentgen, plaerzen, [intra]lanman, pa, zertyuio, cpm, mikkel (+10 more)
11:49 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:49 -!- Netsplit over, joins: Typone, disco-, worch, clusterm1gnet, blaxthos, stephenh, dvl
11:49 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has joined ##openvpn
11:49 -!- Netsplit over, joins: logiclrd, troy-, vpnHelper, hardwire, smk, bandini, reiffert, eagle, skx, disposable (+10 more)
11:54 -!- MIPS [n=mips@host157-61-static.63-88-b.business.telecomitalia.it] has quit []
11:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
12:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:11 -!- toddoon_ [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
13:08 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has left ##openvpn []
13:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:11 < krzee> ecrist, server sent
13:11 < krzee> (im in orlando, just sent it)
13:12 < ecrist> damn, about time
13:12 < krzee> i hope you dont mind i sent 2 boxes, i cant take the other on the airplane
13:12 < krzee> maybe i can have you send it to the next place for me when it comes time if you dont mind
13:12 < ecrist> shouldn't be an issue.
13:12 < krzee> nice, thaqnx
13:12 < ecrist> np
13:13 < reiffert> Call the police, they are smuggling drug sniffing dogs!
13:14 < krzee> do they have dog sniffing dogs to find the drug sniffing dogs?
13:14 < ecrist> nope, they have cats for that.
13:14 < ecrist> lol
13:15 < krzee> hah
13:15 < krzee> my plane to cali is about to board
13:16 < krzee> im going going
13:16 < krzee> back back
13:16 < krzee> to cali cali
13:16 < ecrist> travel much? sheesh
13:16 < krzee> heh
13:16 < krzee> tomorrow i go to peru
13:17 < krzee> i just had to stop here quick to ship those servers
13:17 < krzee> i hella want the guys sister now too
13:17 < krzee> shes way hot and cool too
13:17 < ecrist> I want a piece!
13:18 < krzee> ill save your spot in line behind me
13:19 < ecrist> a'ight
13:23 < ecrist> krzee: am I putting both those boxes online, or just one?
13:24 < krzee> ones missing a HD
13:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
13:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:41 < reiffert> sounds like get a HD and get it online :)
13:41 < ecrist> heh
13:41 < ecrist> I *do* have a couple 250GB drives...
13:42 < ecrist> 'what, I only remember getting one box. where'd my new server come from, oh, I just picked it up somewhere...'
13:44 < Roman123> I like to assign certain IPs to certain clients, which should be possible by means of the client_config_dir directive. So I put the option "client_config_dir /etc/openvpn/clients" in my server's openvpn configuration file. Additionally, I put a file called James_Band with the content "ifconfig-push 10.168.1.198 10.168.1.199" into /etc/openvpn/clients. The IP range in the openvpn network is defined by ' option server "10.168.1.0 255.255.255.0" '. A
13:44 < Roman123> fter restarting the server, and connecting with the client featuring "James_Band" in the common name, it still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198). I guess I've missed just a small thing to get this working. Any ideas how to get rid of that?
14:03 -!- zertyuio [n=chatzill@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
14:03 < zertyuio> hi there
14:03 < zertyuio> where i can find openvpn for wm6 ?
14:03 < zertyuio> windows mobile 6
14:03 < ecrist> zertyuio: no idea. try google
14:04 < zertyuio> i have already tried
14:04 < zertyuio> there is only version wm5
14:04 < zertyuio> does it exist ?
14:04 < ecrist> Roman123: we'd need your client and server logs to help you
14:05 < ecrist> zertyuio: don't know. it's not an overly-popular topic.
14:05 < zertyuio> sorry
14:05 < zertyuio> my question is
14:05 < zertyuio> is there any openvpn version for WM6 ?
14:05 < zertyuio> or is it only designed to be used only on WM5 ?
14:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:08 < zertyuio> hello
14:09 < ecrist> hello
14:10 < zertyuio> yes
14:10 < zertyuio> is there any version of openvpn for windows mobile 6 please ?
14:10 < zertyuio> i still searching using google can't find a download for WM6
14:12 < zertyuio> anyone can help plz .;?
14:19 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection]
14:22 < zertyuio> hello
14:23 < zertyuio> what's wrong with my question ?
14:25 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn
14:31 < zertyuio> hello
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:00 < zertyuio> hello
15:00 < zertyuio> is there anyone here ?
15:02 < ecrist> yes
15:02 < zertyuio> you
15:03 < ecrist> me?
15:03 < zertyuio> so plz ask
15:03 < zertyuio> my question
15:03 < ecrist> I don't know the answer to your question.
15:03 < zertyuio> ok
15:03 < ecrist> My guess is that nobody here knows, otherwise they would have answered.
15:04 < zertyuio> ok let me
15:04 < zertyuio> is it possible to compile from source code
15:04 < zertyuio> for windows mobile 6 platform ?
15:05 < zertyuio> i m asking you ecrist
15:05 < ecrist> I'd try to compile and see what happens.
15:06 < zertyuio> ok take your time
15:06 < ecrist> no. *you* try. I'm not going to
15:07 < zertyuio> ok leave it
15:08 < zertyuio> another question what openvpn can do
15:08 < zertyuio> ???
15:08 < zertyuio> sorry i m totally new
15:08 < ecrist> see the website
15:08 < zertyuio> yes i read
15:09 < zertyuio> i got a question
15:09 < zertyuio> it says to install on server and client the openvpns software
15:09 < zertyuio> once after installing
15:10 < zertyuio> it says the server openvpn send an ip to client
15:10 < zertyuio> am i right ?
15:10 < zertyuio> kind of dns server
15:10 < zertyuio> am i right ? ecrist
15:12 < zertyuio> you take time that is not good
15:12 < zertyuio> tell me quick
15:13 < zertyuio> are you an old bold
15:13 < zertyuio> ??$
15:13 < ecrist> zertyuio: go away
15:13 < ecrist> don't PM me, either.
15:14 -!- mode/##openvpn [+o ecrist] by ChanServ
15:14 -!- mode/##openvpn [+b *!*=chatzill@*.fbx.proxad.net] by ecrist
15:14 -!- zertyuio was kicked from ##openvpn by ecrist [ecrist]
15:14 -!- mode/##openvpn [-o ecrist] by ecrist
15:15 < ecrist> lol, he PMs me and calls me a big pussy
15:15 < ecrist> in french,
15:15 < ecrist> or spanish, can't tell for certain
15:15 < ecrist> french
15:15 < reiffert> ecrist: and he is right.
15:15 < reiffert> isnt he?
15:16 < ecrist> well, you are what you eat
15:16 < ecrist> not that I eat 'big pussy', just big quantities
15:16 < reiffert> :)
15:19 < El_Presidente> *sigh*
15:19 < ecrist> my french is rusty. he called me 'big dog' and some other words I can't translate (even google isn't helping)
15:19 < ecrist> I confused chiene and chat
15:19 < El_Presidente> ecrist, i usually use latin ;)
15:19 < ecrist> lol
15:19 < El_Presidente> like *stultus es*
15:19 < El_Presidente> or *asinus es*
15:19 < El_Presidente> first means you are an idiot
15:20 < El_Presidente> and second you are a donkey
15:20 < El_Presidente> and the best is noone understands it ;)
15:20 < ecrist> I wish I was educated like that.
15:20 < ecrist> at best, I know enough french/spanish to misinterpret better than many.
15:21 < El_Presidente> well but i guess you are far more talented with VPN than me ;)
15:21 < El_Presidente> that brings me to my BIG problem ...
15:22 < ecrist> I'm a newb, masquerading as a guru.
15:22 < El_Presidente> ^^
15:22 < El_Presidente> then i think i should ask reiffert ;)
15:23 < El_Presidente> reiffert, may i pm you? because you are also german and maybe im able to explain my problems better in german ...
15:24 < ecrist> El_Presidente: you may use german in here, if you'd like.
15:24 < El_Presidente> ty
15:24 < ecrist> we generally shy away from it, but you're here often enough.
15:24 < El_Presidente> well i usually try to use english here
15:24 < El_Presidente> because if i just talk about my problem in german noone else will understand
15:24 < ecrist> El_Presidente: what is your problem?
15:25 < El_Presidente> well i bridged my routers local interface with openvpn
15:25 < El_Presidente> so i can surf via my local dsl and use my local shares from university
15:25 < ecrist> ok
15:26 < ecrist> on the server, or the client?
15:26 < ecrist> when I see 'local,' I assume client.
15:26 < El_Presidente> well the tunnel works
15:26 < El_Presidente> also the surfing
15:26 < El_Presidente> but surfing is horribly slow
15:27 < El_Presidente> e.g. my notebook is 192.168.0.235
15:27 < El_Presidente> my router is 192.168.0.1
15:27 < El_Presidente> if i download something from my routers ftp
15:27 < El_Presidente> i get about 500kb/s
15:27 < El_Presidente> thats nearly 90% of my upstream to internet
15:27 < El_Presidente> thats ok
15:27 < ecrist> ok
15:27 < El_Presidente> but if i try to download something from a webserver like kernel.org
15:27 < El_Presidente> i just get 100kb/s
15:28 < ecrist> that sounds about right, maybe a little slower than it should be, but when you're downloading from another site, you're generally using double the bandwidth on the server end.
15:28 < El_Presidente> no
15:28 < ecrist> because you're using your internet connection twice.
15:28 < El_Presidente> i have VDSL
15:29 < El_Presidente> my local downstream is 2.5mb/s
15:29 < El_Presidente> the upstream is 600kb/s
15:29 < El_Presidente> so i download it via my downstream and send it through my upstream to the notebook
15:29 < El_Presidente> if i see this correct
15:29 < El_Presidente> ?
15:30 < El_Presidente> i really have no clue what i can do
15:30 < ecrist> to a degree. i don't know the exact math, but there's overhead for ack packets, etc. try playing with the MTU, there's a --test-mtu or similar.
15:30 < El_Presidente> hmm yes but shouldnt i have the same problems from local files then?
15:30 < ecrist> El_Presidente: the speed is going to vary greatly on the fragmentation.
15:30 < El_Presidente> if it is a mtu problem?
15:31 < El_Presidente> as i said if i send from 192.168.0.1 > tunnel > 192.168.0.235 i get 520kb/s
15:31 < ecrist> not necessarily
15:31 < El_Presidente> but if i download kernel.org > dsl > 192.168.0.1 > tunnel > ....
15:32 < El_Presidente> hmm okay
15:32 < ecrist> the problem is, kernel.org sends a certain sized packet, which may get fragmented based on the MTU for the tunnel.
15:32 < El_Presidente> so what would you recommend?
15:32 < ecrist> when connecting to the VPN server, the server knows the MTU, so sets the packet size accordingly, the first time.
15:32 < ecrist> no re-fragmentation.
15:33 < ecrist> krzee is better with this part than I
15:33 < ecrist> !mtu
15:33 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
15:33 < ecrist> try that, see if it cleans up your connection.
15:33 < ecrist> otherwise, reiffert may know more than I.
15:35 < El_Presidente> okay ty
15:37 < reiffert> El_Presidente: no
15:37 < reiffert> (pm)
15:38 < reiffert> ecrist: I had some years french in school, I may translate...
15:38 < ecrist> 15:13 what enculer ?
15:38 < ecrist> 15:13 nicke ta race
15:38 < ecrist> 15:13 gros chiene ^
15:39 < reiffert> enculer is an asshole
15:40 < reiffert> nick ta means : fuck your ... and race probably is in english
15:40 < reiffert> chienne is a bitch
15:41 < ecrist> you studied french better than I in school, then. ;)
15:42 < reiffert> I've been to france with 3 school-exchanges, twice on holiday and so on
15:43 < reiffert> I really really love them, they are totally crazy.
15:43 < reiffert> (all of them, no exception)
15:44 < ecrist> lol
16:13 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
16:15 -!- matadon [n=matadon@173.8.157.70] has joined ##openvpn
16:17 < matadon> Stupid question, but can the same OpenVPN daemon (OpenVPN 2.1 on Linux) be used as both a server and client, or do I need to run a second daemon?
16:21 < El_Presidente> i think all you need is a second config file in /etc/openvpn
16:22 < El_Presidente> and then try to restart your daemon
16:25 < reiffert> matadon: checkout
16:25 < reiffert> !howto
16:25 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:25 < reiffert> matadon: that is, one daemon as server and one openvpn as client.
16:46 < matadon> Thanks; I got it sorted.
16:46 -!- matadon [n=matadon@173.8.157.70] has quit []
17:21 -!- zheng [n=zheng@218.82.139.88] has joined ##openvpn
17:30 -!- ubunt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-959e30bfc9bfde07] has joined ##openvpn
17:31 < ubunt> hi
17:31 < ubunt> is there anyone here ?
17:36 -!- ubunt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-959e30bfc9bfde07] has left ##openvpn []
18:00 -!- zheng [n=zheng@218.82.139.88] has quit ["Leaving"]
18:14 < El_Presidente> reiffert, i used mtu-test tool for windows and i always get different results
18:15 < El_Presidente> it seems every time i press test i get a different value
18:15 < El_Presidente> also the mtu-test of openvpn shows something else
18:35 -!- El_Presidente [i=Martin@p5798E9BE.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
19:09 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
19:10 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
19:23 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
19:25 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
19:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:50 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has joined ##openvpn
20:53 < pg1054> Is there a current mailing list? @ "http://openvpn.net/index.php/mailing-lists.html" latest archive seems to be thru 02/2008 ...
20:59 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has joined ##openvpn
21:05 < ecrist> pg1054: yes, there is current activity. openvpn sites are pretty broken, for the most part.
21:06 < pg1054> ecrist: ah. _is_ there an up-to-date archive _anywhere_? nabble, gmane, etc etc?
21:06 < pg1054> would like to peruse to not ask my/an already-answered question ....
21:11 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has quit []
21:17 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has quit [Read error: 104 (Connection reset by peer)]
21:24 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has joined ##openvpn
21:25 < endeavormac> i have host server and host client. host client is connecting to host server and using "redirect-gateway def1" to route all its traffic through the tunnel. I can get so far as pinging the eth0 interface on the server, but i can't go further than that. does anyone have any ideas?
21:27 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Connection timed out]
21:40 -!- endeavormac [n=endeavor@unaffiliated/endeavormac] has quit ["Leaving"]
22:12 -!- steven_ [n=steven@pool-71-179-97-206.bltmmd.fios.verizon.net] has joined ##openvpn
22:12 < steven_> hi
22:12 -!- steven_ is now known as fuse_kt
22:13 -!- fuse_kt is now known as fuse_ly
22:13 < fuse_ly> ack
22:15 -!- fuse_ly [n=steven@pool-71-179-97-206.bltmmd.fios.verizon.net] has quit [Client Quit]
22:18 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Remote closed the connection]
23:04 -!- fruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
23:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:08 < fruitsnack> hello, i am trying to set up openvpn in the bridged interface. i use "openvpn --mktun --dev tap0" to make the tap device, and then "brctl adbr testbridge; brctl addif mybridge tap0; brctl addif mybridge eth0
23:08 < fruitsnack> after bridging eth0 to the bridge i just made, the internet immediately disconnects
23:08 < fruitsnack> by that i mean the ssh session is dropped and i have to restart my server before i can connect again
23:09 < fruitsnack> i dont understand why this is the case or how to fix it
23:18 < fruitsnack> i suspect i need to add a route for the new bridge device
23:18 < fruitsnack> so i did "route add default gw 192.168.1.1 dev mybridge
23:18 < fruitsnack> but it still doesn't work
23:20 < fruitsnack> !route
23:20 < vpnHelper> fruitsnack: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
--- Day changed Fri Feb 20 2009
00:28 -!- fruitsnack [n=citrusfr@pcp045757pcs.pcv.reshall.calpoly.edu] has quit [Read error: 110 (Connection timed out)]
01:07 < reiffert> he was close.
01:19 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:05 -!- bombayvdmo [n=victor@adsl190-28-180-112.epm.net.co] has joined ##openvpn
02:05 < bombayvdmo> Hi
02:06 < bombayvdmo> i get this error when openvpn tries to reconnect "RESOLVE: Cannot resolve host address: kaworu.dyndns.org: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
02:08 < bombayvdmo> i use: keepalive 1 5
02:08 < bombayvdmo> inactive 3600
02:08 < bombayvdmo> user nobody
02:08 < bombayvdmo> persist-key persist-tun resolv-retry infinite
02:19 -!- bombayvdmo [n=victor@adsl190-28-180-112.epm.net.co] has left ##openvpn []
02:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:07 -!- c64zottel [n=hans@p5B17AED7.dip0.t-ipconnect.de] has joined ##openvpn
--- Log closed Fri Feb 20 03:20:14 2009
--- Log opened Fri Feb 20 03:20:18 2009
03:20 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
03:20 -!- Irssi: ##openvpn: Total of 44 nicks [0 ops, 0 halfops, 0 voices, 44 normal]
03:20 -!- Irssi: Join to ##openvpn was synced in 18 secs
03:56 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn
03:57 < diazepam> hey anyone know much about using the ta.key option
03:57 < diazepam> when i set it I have heaps of trouble getting the vpn to work
03:57 < diazepam> connecting is slower
03:57 < diazepam> but when i disable ta.key things work flawlessly
03:58 < diazepam> second question is there a way of selectively forcing client traffic through the vpn
03:58 < diazepam> ?
03:58 < diazepam> or is this a global on/off thing
03:59 < diazepam> currently i have it set for all traffic on clients to route via the vpn -> remote network -> remote network gateway -> internet
03:59 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:00 < toddoon> could somebody tell me how do i configure my client.conf with client_to_client?
04:01 < uchimata> toddoon: this is a server-side config option 04:01 < diazepam> yeah client_to_client is really the only thing you need in your conf 04:03 < toddoon> uchimata: it is a serverdide option, somebody tell about it in my client.conf yesterday 04:03 < toddoon> so i don't need it diazepam? 04:04 < toddoon> in fact my problem is thar i am running ubuntu with openvpn client and i want to connect to a openvpn server with auth. On windows it works well but not on ubuntu :( 04:08 < toddoon> in a tutorial i find a good info, it say to check if ls | grep tun return something, for me it returns someting but the problem is that don't use interface tun but tap interface 04:15 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn 04:15 < toddoon> nobody can help me? 04:17 < uchimata> toddoon: you must provide log- and configfiles for futher help 04:17 < toddoon> uchimata: ok 04:19 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 04:19 < toddoon> uchimata: can you tell me where is the log? 04:23 < Roman123> On my OpenWRT router featuring OpenVPN some weird things happen when I disconnect my client (OpenVPN GUI under Windows XP). Before everything works fine, i.e., I can connect transfer data, etc. everything is perfect. After I disconnect the client, the messages "openvpn(starnet)[1571]: read UDPv4 [ECONNREFUSED]: Connection refused (code=146)" appear every 10 seconds in the server logfile. 04:24 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 113 (No route to host)] 04:24 < toddoon> http://pastebin.com/m5dfff082 can you help me for debug i give my conf and the output of openvpn 04:30 < Roman123> toddoon: I missed the statement of your problem. Can you repost, please... 04:30 < toddoon> in fact my problem is thar i am running ubuntu with openvpn client and i want to connect to a openvpn server with auth. 
On windows it works well but not on ubuntu :( 04:31 < Roman123> toddoon: Which OpenVPN client/interface do you use in Ubuntu? The network manager stuff? 04:32 < Roman123> Because nw is buggy crap :-P 04:32 < Roman123> nw manager 04:33 < toddoon> Roman123: no, i use the conf files i have posted and then i run openvpn on the command line 04:33 < Roman123> ah, ok 04:34 < Roman123> toddoon: Are you running a firewall on you Ubuntu box? 04:34 < Roman123> s/you/sour 04:34 < Roman123> s/you/your 04:35 < toddoon> Roman123: i have ufw but i disabled it 04:35 < Roman123> hmm 04:37 < Roman123> toddoon: I have no particular idea but I can suggest what I would try (step-by-step). 04:37 < toddoon> i have some problems with my connection in ubuntu, for example i have to reload dhclient each time i connect to my computer, perhaps there is a problem in /etc/interfaces? 04:38 < toddoon> how do you define a tap interface in /etc/interfaces? 04:39 < Roman123> toddoon: sorry, I don't use Ubuntu. I'm running Gentoo. 04:39 < toddoon> Roman123: ok 04:41 < Roman123> toddoon: Well, I would try to connect by means of your Windows client and save the config file as an example of how it should look if it works (increase the verbosity level on the server and on the client side). 04:42 < toddoon> Roman123: it's a good idea, i will diff the files' output 04:42 < Roman123> yes 04:42 < Roman123> I would try that 04:43 < Roman123> Perhaps you'll see where the problem appears. 04:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:04 < sigius> Q: I want to set up an 'open' openvpn server (i.e. with 'auth none' and 'cipher none'), but still I want to protect the server the openvpn server is running on. How would I do this? Of course I am using the chroot option so as to have openvpn running in a jail, but am I doing enough with that? E.g. is it still not possible to route a network connection through the openvpn server?
05:08 < reiffert> dropping perms to nobody:nogroup and additional firewalling. 05:16 < sigius> reiffert, Ok so I need the additional firewalling? Is there not some openvpn option I can use so that there will be no routing (outside of the vpn-subnet obviously) from the server's endpoint? 05:25 < reiffert> imagine such a feature is broken in a version, do you want to rely on that or have security? 05:26 < reiffert> (I don't know whether routing networks works for unknown networks, but I guess it will when client computers add routes manually and if the openvpn server routes packets back) 05:26 < reiffert> (However, if the latter is not applicable, it still can be used for spoofing packets) 05:28 < reiffert> And I really don't know if openvpn comes with such an option, a fast manpage check doesn't look like it. 05:28 < reiffert> I'd say try it out but run a firewall on the openvpn server machine. 05:32 < sigius> reiffert: well I'm already sort of relying on openvpn to be safe, but I see your point. I think i will follow your suggestion and add the firewall policy (in iptables in my case). 05:35 < reiffert> iptables -I FORWARD -s 10.8.0.0/24 -i tun0 -j ACCEPT 05:35 < reiffert> iptables -I FORWARD -d 10.8.0.0/24 -o tun0 -j ACCEPT 05:35 < reiffert> or whatever. 05:45 < reiffert> and when protecting your localnet, something like iptables -I FORWARD -s 10.8.0.0/24 -i tun0 -o whatever -j ACCEPT 05:45 < reiffert> where whatever is not your localnet 05:45 -!- Typone [n=nnnnitsm@195.197.184.87] has quit [Read error: 110 (Connection timed out)] 05:51 -!- mib_wwjin9 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-110ec4e2899f2caa] has joined ##openvpn 05:51 < mib_wwjin9> hi 05:51 < mib_wwjin9> there 05:51 < mib_wwjin9> is there anyone here? 05:54 < reiffert> no, all gone. 05:55 < mib_wwjin9> hi reiffert 05:56 < mib_wwjin9> i want to bypass a proxy server so i openvpn 05:56 < mib_wwjin9> i want to bypass a proxy server so i found openvpn 05:57 < mib_wwjin9> what does it exactly do?
05:58 < mib_wwjin9> hello, is there anyone here? 05:58 < reiffert> depends on your proxy and the whole setup that you are behind. 05:59 < mib_wwjin9> sorry can you plz explicit? 05:59 < mib_wwjin9> sorry can you plz be explicit? 05:59 < mib_wwjin9> what do i have to check? 05:59 < sigius> reiffert: thanks for these iptables lines 05:59 < reiffert> mib_wwjin9: what proxy software are you running? 06:00 < mib_wwjin9> i don't know 06:00 < reiffert> mib_wwjin9: why do you think there is a proxy server in front of you? 06:00 < mib_wwjin9> what does it exactly do? 06:00 < mib_wwjin9> what can openvpn do for me? 06:01 < reiffert> it maybe. 06:01 < mib_wwjin9> because that blocks some of the ports 06:01 < reiffert> a proxy does not block a port. a firewall does block ports. 06:02 < reiffert> ok, so you want to bypass a firewall with the help of openvpn? 06:02 < mib_wwjin9> yes 06:02 < mib_wwjin9> correct 06:03 < reiffert> Then do this: Install an openvpn server outside of your network 06:03 < reiffert> Install an openvpn client inside your network. 06:03 < mib_wwjin9> then 06:03 < reiffert> Then find a port so that the client can talk to the server. Most probably udp/53 will work. 06:03 < reiffert> Then you are done. 06:04 < mib_wwjin9> thx a lot first 06:04 < reiffert> !howto 06:04 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:04 < mib_wwjin9> yes that's what i read too in a tutorial 06:05 < reiffert> follow that howto. 06:05 < mib_wwjin9> thx 06:05 < mib_wwjin9> yes that's what i read too in a tutorial 06:05 < mib_wwjin9> i want to make sure 06:05 < mib_wwjin9> one thing i don't understand 06:06 < mib_wwjin9> once i finish settings on the server and the client 06:06 < mib_wwjin9> side 06:06 -!- Typone [n=nnnnnits@195.197.184.87] has joined ##openvpn 06:06 < mib_wwjin9> once the client connects to my openvpn server 06:07 < mib_wwjin9> what will my ip be?
06:07 < mib_wwjin9> is it the same as i had before 06:07 < mib_wwjin9> or will it change? 06:07 < reiffert> your client will have two network cards. One real network and one virtual card (openvpn adapter) 06:07 < reiffert> ip address of real network card does not change. 06:08 < mib_wwjin9> i want to do this 06:08 < mib_wwjin9> because the proxy server blocks the voip port 06:09 < mib_wwjin9> if i have done openvpn settings on both sides 06:09 < mib_wwjin9> will it work? 06:09 < mib_wwjin9> ok tell me 06:10 < reiffert> sigh. sigh. sigh. 06:10 < mib_wwjin9> if i have two network cards, one phycall and 06:10 < mib_wwjin9> if i have two network cards, one physical and 06:10 < mib_wwjin9> the other one virtual 06:11 < mib_wwjin9> how will the connection work? 06:11 < reiffert> The virtual network card is talking to the openvpn server which is outside your network. 06:11 < mib_wwjin9> yes 06:11 < reiffert> phone calls will travel along that path, and packets. 06:11 < mib_wwjin9> then how does the connection work, 06:12 < mib_wwjin9> i'm totally sorry 06:12 < mib_wwjin9> be explicit plz 06:13 < mib_wwjin9> if i do both settings how will the internet connection work? 06:14 < mib_wwjin9> is it using the physical network card or the virtual one 06:14 < mib_wwjin9> ???? 06:16 < mib_wwjin9> hello, r u still there reiffert? 06:17 < mib_wwjin9> i don't know if you understand my question 06:17 < mib_wwjin9> tell me if not 06:20 -!- mib_wwjin9 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-110ec4e2899f2caa] has quit ["http://www.mibbit.com ajax IRC Client"] 06:25 < sigius> mib_wwjing: If it's just the routing of the voip connection you're interested in, just use an ssh tunnel instead of openvpn 06:26 < sigius> away from keyboard 06:26 < sigius> and back again after noticing mib_wwjing had already left 06:28 < reiffert> wow, that's the most nervous and impatient I've ever seen. 06:29 < sigius> lol 06:29 < reiffert> He can use pppd as well and so on. 06:29 < reiffert> Well whatever.
06:30 < reiffert> Ah, he was from paris. 06:30 < reiffert> 82.230.208.124 06:30 < sigius> right, or pppd over ssh, i was using that when still behind a corporate proxy myself 06:30 < reiffert> == 52e6d07c 06:30 < reiffert> http://www.utrace.de/?query=82.230.208.124 06:30 < vpnHelper> Title: 82.230.208.124 - IP-Adresse - utrace - IP-Adressen und Domainnamen lokalisieren (at www.utrace.de) 06:31 < sigius> I would guess he's from china and using some onion router 06:31 < reiffert> Yeah, I thought so too, but 'from france' matches perfectly as well :) 06:32 < sigius> :) 06:32 < reiffert> 13:01 [free2] -!- ircname : bgl93-3-82-230-208-124.fbx.proxad.net 06:32 < reiffert> hmmmm. 06:33 -!- reiffert2 [i=54a9e523@gateway/web/ajax/mibbit.com/x-2bb8b9740dd47aba] has joined ##openvpn 06:33 < reiffert2> :) 06:33 < reiffert> 13:39 [free2] -!- ircname : p54A9E523.dip.t-dialin.net 06:33 < reiffert> that's my host. 06:33 -!- reiffert2 [i=54a9e523@gateway/web/ajax/mibbit.com/x-2bb8b9740dd47aba] has quit [Client Quit] 07:17 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Read error: 113 (No route to host)] 07:34 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 07:35 < toddoon> Fri Feb 20 14:33:38 2009 us=356499 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.3.0.0 255.255.255.0' what does it mean? 07:36 -!- fpletzv6 [n=fpletz@2001:470:c041:feed:dead:beef:cafe:42] has quit [Read error: 60 (Operation timed out)] 07:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:11 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 08:27 < ecrist> rawr 08:27 < ecrist> my voip provider is pissing me off. 08:38 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn 08:38 < ecrist> firecrotch: you a red-head? 08:38 < ecrist> or a 'ginger' as they call them?
08:38 < firecrotch> yep :) 08:39 < firecrotch> though lately it's been turning more brown-ish 08:39 < ecrist> wasn't sure if that was it, or if your last partner gave you something that presented itself with a burning sensation. 08:39 < firecrotch> lol 08:48 < firecrotch> my client machines are not able to reach each other, despite having client-to-client in the server config file, can't figure out why.... configs and routing tables: http://pastebin.ca/1342906 08:57 < Roman123> I have a short question about > option keepalive "10 120" < . Does this also affect a client which is disconnected by hand, i.e., if the user cancels the connection between client and server? 08:59 < ecrist> w00t! pastebin.ca fixed their routing! I can use them again! 09:00 < ecrist> firecrotch: I'd recommend redacting your server IP in the future. 09:01 < ecrist> firecrotch: have you verified that the firewalls aren't blocking the traffic? 09:01 < ecrist> Roman123: no 09:02 -!- incorrect [n=fw1@mail.taptu.com] has joined ##openvpn 09:02 < firecrotch> ecrist: firewalls are definitely not blocking the traffic over the VPN... I can connect from the server to all the clients with no problem 09:02 < incorrect> i am struggling to set the DNS entry when connected, 09:03 < ecrist> firecrotch: client-to-client should allow such traffic 09:03 < Roman123> ecrist: I'm asking because if I enable it and disconnect the client from the server, then messages like "UDPv4 [ECONNREFUSED]: Connection refused (code=146)" appear every 10 seconds in my server logfile. 09:03 < ecrist> is there a firewall on the server that would be blocking the traffic? 09:03 < Roman123> Removing > option keepalive "10 120" < disables these log entries. 09:03 < ecrist> Roman123: if you shutdown the server, the clients may still try connecting. 09:03 < ecrist> you can't stop that. 09:04 < Roman123> no 09:04 < Roman123> the other way 09:04 < Roman123> I shut down the connection from the client side.
09:04 < ecrist> that will time out 09:05 < ecrist> but, with a proper shutdown of OpenVPN, the server should stop trying to talk. 09:05 < Roman123> ecrist: ok, then perhaps this is a bug in the openvpn client under windows xp. 09:06 < ecrist> could be. 09:06 < ecrist> really, the messages are harmless. 09:06 < ecrist> if you've got an IDS triggering on those logs, I'd filter them out. 09:06 < Roman123> I'm pretty sure. Jippiee, that's the first time for a long time that the bug sits not in front of the screen :-P 09:08 < firecrotch> ecrist: nope 09:09 < ecrist> firecrotch: did you restart openvpn after adding client-to-client? 09:09 < firecrotch> yep, openvpn has been restarted several times since then 09:10 < ecrist> and you can't ping from one client to another? 09:11 < firecrotch> that's correct 09:11 < ecrist> I would still say firewall. 09:12 < ecrist> let me review your config agin 09:12 < ecrist> again* 09:13 < ecrist> hrm, everything looks OK. 09:14 < ecrist> the 10.x network doesn't interfere with any of the client subnets, does it? 09:14 < firecrotch> nope, they're all on class C's 09:15 < ecrist> no, I mean, is one of your clients using the 10.0.0.0/24 subnet on their home LAN? 09:16 < firecrotch> no, all the clients are on 192.168.x.x/16 subnets on their home LANs 09:17 < ecrist> firecrotch: is there any firewall at all running on the OpenVPN server? 09:20 < Roman123> I'd like to assign certain IPs to certain clients, which should be possible by means of the client_config_dir directive. So I put the option "client_config_dir /etc/openvpn/clients" in my server's openvpn configuration file (see http://pastebin.com/d64fd6be2). Additionally, I put a file called James_Band with the content "ifconfig-push 10.168.1.198 10.168.1.199" into /etc/openvpn/clients. The IP range in the openvpn network is defined by > option s 09:20 < Roman123> erver "10.168.1.0 255.255.255.0" <.
After restarting the server, connecting with the client (see config http://pastebin.com/d55847890) featuring "James_Band" in the common name still assigns a wrong IP (10.168.1.6 instead of 10.168.1.198). I guess I've missed just a small thing to get this working. Any ideas how to fix that? 09:21 < ecrist> Roman123: can you pastebin your logs from both the client AND server? 09:22 < Roman123> yes 09:25 < ecrist> Roman123: I asked you for your logs yesterday, and you never gave them to me. :\ 09:26 < Roman123> ecrist: yes, because I was at home at that time and I'm not able to open a vpn connection from my home to my home :) 09:26 < Roman123> now I'm at work 09:27 < plaerzen> g'morning irc 09:29 < Roman123> ecrist: server-log http://pastebin.com/d6e41458d | client-log: http://pastebin.com/d5d7c0b83 09:35 < reiffert> moin plaerzen 09:35 -!- bsund [n=bsund@213.180.77.55] has quit ["leaving"] 09:36 < firecrotch> ecrist: no firewall on the server. or rather, iptables is set up to accept everything :) 09:37 < ecrist> firecrotch: try disabling the firewall entirely and see if your problem goes away. 09:37 < ecrist> Roman123: looking now. 09:39 < ecrist> Roman123: it appears to be due to mismatching data in the Root and Client certificates. 09:39 < Roman123> ecrist: I'm so sorry. I have to leave now but will be back in an hour (from my pc at home). 09:40 < Roman123> ecrist: thanks. I'll have a look at that and "I'll be back". :-) 09:40 < Roman123> brb 09:40 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"] 09:40 < plaerzen> moin reiffert - that's german, hey? 09:44 < firecrotch> ecrist: firewall disabled and still having problems 09:44 < ecrist> firecrotch: what version of OpenVPN? 09:46 < firecrotch> ecrist: 2.1 09:46 < ecrist> latest rc? 09:47 < firecrotch> rc11 09:47 < firecrotch> not sure if that's the latest 09:47 < ecrist> iirc, rc15 is latest.
try upgrading and see if it fixes your issue 09:49 < firecrotch> I'd prefer not to do that, rc11 is the version in the Ubuntu repository and I'd like to stick to that 09:50 < ecrist> at the risk of sounding rude, I'm not going to support out-of-date RCs 09:51 < firecrotch> not rude at all, ecrist. Thanks for all of your help 09:52 -!- incorrect [n=fw1@mail.taptu.com] has quit [Remote closed the connection] 09:56 < ecrist> firecrotch: why are you using tcp, rather than udp? 09:58 < firecrotch> ecrist: because that's what was specified on the page that I was using to set up everything? I assume from that statement that I should be using udp instead? 09:58 < ecrist> I don't want to say 'should,' but udp is a better transport for VPN traffic than tcp 09:58 < ecrist> !tcp 09:58 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 09:59 < ecrist> read that for more information 09:59 < ecrist> just an observation. 09:59 < firecrotch> will do 10:02 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn [] 10:45 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 10:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 10:53 < Roman123> Hi! 10:53 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 10:55 < plaerzen> Hi! 11:06 -!- syere [n=sitrii@204.10.20.30] has joined ##openvpn 11:07 < syere> Hello all. Can someone kindly point me to a how-to for integrating openvpn on a linux box with my active directory? 
I can't seem to find one on the site 11:07 < syere> or google 11:08 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 11:13 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 11:21 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)] 11:21 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 11:27 < ecrist> AD ~= LDAP 11:27 < ecrist> there is an ldap-auth script out there, if you look in google 11:35 -!- bsund [n=bsund@unaffiliated/bsund] has joined ##openvpn 11:35 < bsund> http://pastebin.com/m6c64d36c 11:35 < bsund> Why? :) 11:39 < syere> ecrist, there is, but it is a VB script. as far as i know, linux doesnt like vb 11:40 < syere> its why i included my OS in my question 11:48 < ecrist> syere: it's not a VB script, the one I'm referring to. 11:48 < ecrist> getting smart with me means I won't help you. 11:48 < syere> ecrist, that was not being smart. i was stating. i apologize if it came off as such 11:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:49 < ecrist> syere: np, if my 7 year old were to say that to me, he'd be standing in the corner for 7 minutes. :) 11:49 < ecrist> bsund: the error tells you the problem. 11:49 < ecrist> your network address is not valid for that netmask 11:50 < syere> ecrist, do you remember the name of the script? 
i keep pulling up the amigo4life guy 11:51 < ecrist> syere: all I know is there is a freebsd port for ldap-auth 11:51 < ecrist> let me google for you 11:52 < ecrist> here's a good one: http://www.experts-exchange.com/Networking/Linux_Networking/Q_24083389.html 11:52 < vpnHelper> Title: Endian Firewall - OpenVPN authentication against Active Directory : OpenVPN EFW Endian Active Directory (at www.experts-exchange.com) 11:52 < syere> ecrist, sadness, not open information :( 11:53 < ecrist> syere: google 'openvpn ldap auth script' and you come up with a TON of links 11:53 < syere> thanks 11:53 < syere> didn't think about calling it an auth script 11:57 -!- syere [n=sitrii@204.10.20.30] has quit [Remote closed the connection] 12:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 12:17 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:22 -!- c64zottel [n=hans@p5B17AED7.dip0.t-ipconnect.de] has left ##openvpn [] 13:33 -!- plaerzen [n=carpe@174.0.97.175] has quit [Remote closed the connection] 13:33 -!- plaerzen [n=carpe@174.0.97.175] has joined ##openvpn 14:09 < d0wn> Is anyone familiar with using redirect-gateway? I'm having issues with it 14:12 < d0wn> It just doesn't want to load anything. I've followed the information in the HowTo, but it's still not working 14:16 < d0wn> ..and now my openvpn won't work at all 14:16 < d0wn> bash: openvpn: command not found 14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:54 -!- El_Presidente [i=Martin@p5798EAFB.dip.t-dialin.net] has joined ##openvpn 14:54 < El_Presidente> hi 14:55 < reiffert> you are using port 15000 IIRC, right?
14:55 < El_Presidente> yes 14:55 < El_Presidente> i measured the mtu right now 14:55 < El_Presidente> Empirical MTU test completed [Tried,Actual] local 14:55 < El_Presidente> ->remote=[1573,1573] remote->local=[1573,1573] 14:56 < reiffert> I was talking to some guys recently about your problem 14:56 < El_Presidente> thank you for your help 14:56 < reiffert> our only idea is that your isp or someone is using QoS on that port. 14:56 < reiffert> Change that to port udp/53 just for an additional test. 14:56 < El_Presidente> hmm, i also tested port 10000 14:57 < El_Presidente> i have a question ... i have an ftp on my router 192.168.0.1 14:57 < El_Presidente> if my cousin downloads from there he gets 500kb/s 14:57 < reiffert> El_Presidente: however, try udp/53 14:57 < El_Presidente> ok 14:59 -!- achilles [n=achilles@62.90.142.153] has joined ##openvpn 15:00 < El_Presidente> well it tells me that udp/53 is already in use 15:00 < El_Presidente> and please listen to what i wrote right before 15:01 < El_Presidente> if he downloads from my local ftp through the tunnel he gets 500kb/s 15:01 < achilles> hello, I'm connecting to my server via ssh, and now connected p-t-p openvpn, tun device, I can ping my server through the tunnel, but not any other server on the remote side, any help? 15:01 < achilles> ip_forward is enabled 15:01 < El_Presidente> if he downloads from a webserver he gets just 100kb/s 15:11 < El_Presidente> reiffert, still here? 15:11 < achilles> any help guys? 15:12 < El_Presidente> i suggest you take a look at the howtos 15:16 < achilles> El_Presidente, thank you, I did, it's supposed to work when I add "push "redirect-gateway def1"" 15:16 < achilles> what is def1? 15:17 < El_Presidente> with that value you don't overwrite the gateway 15:18 < achilles> is it the IP of the server then?
15:18 < El_Presidente> there is a good explanation in the manual 15:31 -!- mib_q2jb2c [i=52e6d07c@gateway/web/ajax/mibbit.com/x-1232b568ba292e61] has joined ##openvpn 15:31 < mib_q2jb2c> hi 15:31 < mib_q2jb2c> there 15:31 < mib_q2jb2c> is there anyone here? 15:32 -!- mib_q2jb2c [i=52e6d07c@gateway/web/ajax/mibbit.com/x-1232b568ba292e61] has quit [Client Quit] 15:38 -!- ikevin_ [n=kevin@ANancy-256-1-69-35.w90-26.abo.wanadoo.fr] has left ##openvpn ["Quitte"] 16:19 < El_Presidente> good night 16:19 -!- El_Presidente [i=Martin@p5798EAFB.dip.t-dialin.net] has quit ["Verlassend"] 17:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Connection timed out] 18:07 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 18:16 -!- bandini [n=bandini@host108-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 19:51 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has quit [Read error: 110 (Connection timed out)] 20:00 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has joined ##openvpn 20:05 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has joined ##openvpn 20:44 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has joined ##openvpn 20:46 < eidolon> hi folks - i'm trying to configure nm-openvpn to talk to our openvpn server. seems to connect (I get a "Connect - reply received") - but then there's a long pause after UDPv4 link remote: (ip address), and then i get 'vpn connection timeout exceeded' 20:46 < eidolon> i can telnet to the openvpn port on the target machine. 21:08 < eidolon> doh. they're set up for tcp, i was using udp 21:22 < d0wn> I'm confused about something 21:22 < d0wn> does redirect-gateway go in the server's config, or the client's?
22:10 -!- [intra]lanman [n=intralan@freeswitch/developer/intralanman] has left ##openvpn ["Leaving"] 22:15 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 23:37 -!- Deiz [n=swh@unaffiliated/deiz] has left ##openvpn ["Leaving"] 23:40 -!- appletizer [i=user@82-32-123-8.cable.ubr04.hawk.blueyonder.co.uk] has joined ##openvpn 23:41 -!- appletizer [i=user@82-32-123-8.cable.ubr04.hawk.blueyonder.co.uk] has left ##openvpn [] 23:43 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 23:44 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] --- Day changed Sat Feb 21 2009 00:37 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 00:37 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has joined ##openvpn 01:24 -!- davidm_ [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 01:24 -!- davidm_ [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] 01:28 -!- davidm777 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 01:28 -!- davidm777 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] 02:26 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 02:26 < diazepam> hi all - anyone here using the ta.key option? 02:32 < diazepam> it's giving me grief. On some systems it works and on others it causes soft-reset errors 02:32 < diazepam> i have to disable it in the server.conf to get the vpn working 02:32 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn [] 02:33 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 02:34 < diazepam> anyone 02:34 < diazepam> do people think ta.key is a necessary security feature?
02:42 -!- dogmeat [n=Bob@unaffiliated/dogmeat] has quit [Remote closed the connection] 03:14 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 113 (No route to host)] 03:23 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 03:23 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has quit [Read error: 104 (Connection reset by peer)] 04:11 -!- carpe_ [n=carpe@174.0.97.175] has joined ##openvpn 04:14 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)] 04:26 -!- achilles [n=achilles@62.90.142.153] has quit [Read error: 110 (Connection timed out)] 05:26 -!- achilles [n=achilles@62.90.143.124] has joined ##openvpn 06:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:04 -!- El_Presidente [i=Martin@p5798EDD6.dip.t-dialin.net] has joined ##openvpn 07:04 < El_Presidente> hello 07:05 < El_Presidente> reiffert, does this look typical for an MTU problem? 07:05 < El_Presidente> http://pastebin.com/mfa65b69 07:05 < El_Presidente> i have a HUGE DROP of packets @ tap0 07:05 < El_Presidente> i tested it with netio 07:29 < reiffert> Note: the maximum value is 1492. 07:29 < reiffert> so testing for 2k+ packet sizes is irrelevant. 07:30 < reiffert> El_Presidente: what I really like to know is: 07:31 < reiffert> Write down an ASCII schematic of the components that take part. 07:31 < reiffert> Also write down the link speed (up and down) of everything. 07:31 < reiffert> further: do a direct download with wget (some big file, 20MB) and paste the bandwidth results wget puts out. 07:31 < reiffert> then do the same when being connected with openvpn. 07:32 < reiffert> in both directions, that makes 4 wget bandwidth outputs. 07:33 < El_Presidente> okay 07:39 < reiffert> or take a 1MB file 07:39 < El_Presidente> i will do an ascii chart 07:41 < reiffert> I'm working on a different screen, I'll check back from time to time.
07:46 < El_Presidente> kk 07:57 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 08:02 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn 08:51 < tjz|lunch> does openvpn work on windows 2008 server? 08:51 < reiffert> tjz|lunch: y 08:54 < tjz|lunch> want to install on windows 2003 or 2008 server =) 09:17 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)] 09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:38 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:45 -!- c64zottel [n=hans@p5B17B154.dip0.t-ipconnect.de] has joined ##openvpn 09:45 -!- c64zottel [n=hans@p5B17B154.dip0.t-ipconnect.de] has left ##openvpn [] 09:46 < reiffert> tjz|lunch: y = yes 09:47 < tjz|lunch> oh 09:47 < tjz|lunch> i mistook it as ... 09:47 < tjz|lunch> y = why 09:48 < tjz|lunch> -_- 09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 09:49 < reiffert> El_Presidente: how far did you get? 09:49 < El_Presidente> i don't have someone to test it with again yet 09:49 < El_Presidente> just made the chart 09:50 < reiffert> hm, k, I'm off for some extensive partying. 09:51 < El_Presidente> sure 09:51 < El_Presidente> have fun ^ 09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:16 -!- bombayvdmo [n=victor@adsl190-28-146-47.epm.net.co] has joined ##openvpn 10:16 < bombayvdmo> Hi 10:16 < bombayvdmo> OpenVPN trying to reconnect shows this message: "Sat Feb 21 16:09:36 2009 RESOLVE: Cannot resolve host address: mysite.dyndns.org: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
10:21 < bombayvdmo> i want openvpn to restart the connection if it is lost 10:21 < bombayvdmo> openvpn 10:31 -!- bombayvdmo [n=victor@adsl190-28-146-47.epm.net.co] has left ##openvpn [] 10:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 10:37 -!- tjz|lunch is now known as tjz 10:39 < tjz> hmm 10:39 < tjz> let's say i have two servers.. one set up in a DC, another server in an office .. can i print documents using the IP printer method? 10:53 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has quit [Read error: 110 (Connection timed out)] 11:04 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has left ##openvpn [] 11:24 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"] 11:45 -!- El_Presidente [i=Martin@p5798EDD6.dip.t-dialin.net] has quit ["Verlassend"] 12:01 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 12:07 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has joined ##openvpn 12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 12:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:38 -!- achilles [n=achilles@62.90.143.124] has quit [No route to host] 12:38 -!- achilles [n=achilles@62.90.14.205] has joined ##openvpn 12:41 -!- eidolon [n=dbs@host156.237.51.209.conversent.net] has joined ##openvpn 12:42 -!- Lede [n=lede@85.148.228.92] has joined ##openvpn 12:42 < Lede> hello 12:42 < Lede> does double NAT break VPN?
12:45 < Lede> !route 12:45 < vpnHelper> Lede: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 12:50 -!- achilles [n=achilles@62.90.14.205] has quit [Read error: 104 (Connection reset by peer)] 13:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 13:36 -!- eidolon [n=dbs@host156.237.51.209.conversent.net] has quit ["Leaving."] 13:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 14:28 -!- constantine [n=constant@70.91.232.102] has joined ##openvpn 14:28 < constantine> wow there's an openvpn channel! yes! 14:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote closed the connection] 14:28 < constantine> hi, which VPN program for intrepid would you suggest for accessing an unsecured wifi zone like a coffee house? 14:30 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection reset by peer] 14:39 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has joined ##openvpn 14:40 < diazepam> is there any way of selectively forcing client traffic via the vpn - currently i have my vpns set so all of the clients' traffic (including web browsing) tunnels via the vpn. I would like the option of picking and choosing which clients do this and which clients don't 14:41 < constantine> how do I set up openvpn for ubuntu intrepid? 14:43 < diazepam> constantine - that's a broad question 14:43 < diazepam> constantine - wanna narrow it down 14:44 < constantine> diazepam: what info do you need, I'd be happy to give it 14:45 < constantine> diazepam - I connect to numerous hotspots throughout my city...ie routers...my box is set up to pick up the strongest signal and use it. I am trying to create a tunnel so that there is some degree of security.
14:46 < diazepam> okay ill send you some info
15:06 -!- constantine [n=constant@70.91.232.102] has left ##openvpn ["Leaving"]
15:27 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
15:36 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
15:36 -!- diazepam [n=trent@123-243-192-216.static.tpgi.com.au] has left ##openvpn []
15:45 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn
15:45 < Qantourisc> I think i must have missed something
15:45 < Qantourisc> right faq first
15:52 < Qantourisc> nope
15:52 < Qantourisc> ok i started openvpn
15:52 < Qantourisc> bridged the tap0
15:52 < Qantourisc> but i cannot seem to ping it using that bridge
15:52 < Qantourisc> what did i miss please ?
15:53 < Qantourisc> aa wait
15:53 < Qantourisc> it's also filtered ?
15:53 * Qantourisc tries
15:54 < Qantourisc> nope that's not it
15:55 < Qantourisc> the DHCP is not travelling over the bridge
15:55 < Qantourisc> the dhcp requests enter
15:56 < Qantourisc> and my dhcp server replies
15:56 < Qantourisc> but client doesn't seem to receive it
15:56 < Qantourisc> is there anything openvpn is blocking ?
15:58 < Qantourisc> i guess ill use the server-bridge then that's also ok
16:06 < Qantourisc> hmm that's not helping either
16:08 < Qantourisc> there is squad moving over the bridge
16:08 < Qantourisc> no dhcp, no ping with static configuration nothing
16:08 < Qantourisc> suggestions ?
16:40 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
16:52 < Qantourisc> closed but not yet there
16:57 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has joined ##openvpn
16:59 < Qantourisc> ok something in my iptables
16:59 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:00 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:03 -!- El-Cheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:05 -!- ElCheapo1 [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn
17:17 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:18 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:18 < Qantourisc> whoot working
17:19 -!- Qantourisc [n=Qantouri@d54C49D91.access.telenet.be] has quit ["openvpn works ... let's call it a day"]
17:20 -!- El-Cheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:22 -!- ElCheapo1 [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Connection timed out]
17:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:46 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
17:47 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
18:06 < onats> howdy
18:07 < krzee> hola
18:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
18:28 < reiffert> http://musicovery.com/
18:28 < vpnHelper> Title: Musicovery : interactive webRadio (at musicovery.com)
18:32 -!- eidolon [n=dbs@c-71-233-124-122.hsd1.ma.comcast.net] has left ##openvpn []
19:07 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 104 (Connection reset by peer)]
19:21 -!- cultureulterior [n=cultureu@94.191.156.10.bredband.tre.se] has joined ##openvpn
19:30 -!- bsund [n=bsund@unaffiliated/bsund] has left ##openvpn []
19:34 < cultureulterior> So, anyway, I just rented a US vps with two public ip addresses. I'd like to use the other one for my laptop via proxy arp. I would do this by connecting through openvpn tun connecting to the one, then getting the other one assigned to the tun interface on my laptop. Does this make sense?
19:36 < cultureulterior> The point of this being to give my laptop a real ip address, something it doesn't now have, as it is behind a nat.
19:38 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
20:27 -!- cultureulterior [n=cultureu@94.191.156.10.bredband.tre.se] has left ##openvpn []
22:33 -!- nemysis [n=nemysis@87-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
22:33 -!- nemysis [n=nemysis@99-63.3-85.cust.bluewin.ch] has joined ##openvpn
22:59 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
23:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
--- Day changed Sun Feb 22 2009
00:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
00:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
00:12 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
01:13 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
01:13 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
01:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:28 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Remote closed the connection]
01:28 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
01:55 -!- zheng [n=zheng@218.82.139.88] has joined ##openvpn
02:01 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
02:30 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Read error: 110 (Connection timed out)]
02:45 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
03:04 -!- zheng [n=zheng@218.82.139.88] has quit ["Leaving"]
03:04 < reiffert> moin
03:15 < Lede> ello
04:03 -!- uchimata [n=uchimata@HSI-KBW-085-216-051-127.hsi.kabelbw.de] has quit ["ride..."]
05:06 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
05:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
05:15 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
05:18 -!- countd [n=countd@unaffiliated/countd] has quit [Remote closed the connection]
05:22 < tjz|lunch> anyone used pmacct to track multiple IP's bandwidth before?
06:21 -!- Haris_ [i=Haris@119.152.49.108] has joined ##openvpn
06:21 < Haris_> Hello people
06:22 < Haris_> What's the 'significant' difference between tcp or udp based pvn ?
06:22 < Haris_> vpn+
06:22 < Haris_> amount of traffic? amount of processing involved? amount of bandwidth involved
06:22 < Haris_> security ?
06:33 < sigius> Haris_, In the howto it says: While OpenVPN allows either the TCP or UDP protocol to be used as the VPN carrier connection, the UDP protocol will provide better protection against DoS attacks and port scanning than TCP
06:33 < sigius> benefit of tcp on the other hand is it still works through a proxy
06:34 < sigius> I think the better protection, when using udp, is achieved by using 'tls-auth'
06:37 < sigius> Q: wireshark (a.k.a ethereal) is not decoding my openvpn traffic. Does anyone know of a wireshark decode plugin to use for this purpose ?
06:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
07:24 -!- nemysis [n=nemysis@99-63.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:24 -!- nemysis [n=nemysis@81-241.0-85.cust.bluewin.ch] has joined ##openvpn
07:26 < Haris_> does bridging ethernet connection with tap connection mean linking them together as one ?
07:26 < Haris_> linking them together and making them as one ?
07:27 < Haris_> will openvpn work if I don't give a ssl cert?
08:12 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
08:16 < Haris_> I have set cert and key in server.conf. I don't have a ca. Do I need to set a ca on server and client ?
08:29 < sigius> Haris_, All of that is in the howto (http://openvpn.net/index.php/documentation/howto.html) (A:indeed you do)
08:29 < vpnHelper> Title: HOWTO (at openvpn.net)
08:29 < Haris_> I know
08:29 -!- kaii_ is now known as kaii
08:33 < Haris_> I'm getting this -> Sun Feb 22 20:35:09 2009 us=688618 Error: private key password verification failed
08:34 < Haris_> I made the ssl cert as per -> http://www.akadia.com/services/ssh_test_certificate.html
08:34 < vpnHelper> Title: How to create a self-signed Certificate (at www.akadia.com)
08:34 < Haris_> I removed the pass phrase
08:34 < Haris_> why does it need to confirm a password?
08:34 < Haris_> Sun Feb 22 20:35:09 2009 us=688554 Cannot load private key file /usr/local/etc/openvpn/openvpn.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
08:34 < Haris_> what does this mean ? I configured wrong private key file against the cert?
08:40 < Haris_> damned
08:40 < Haris_> now the client cert verify failed
08:41 < Haris_> Sun Feb 22 19:50:23 2009 us=471057 VERIFY ERROR: depth=0, error=self signed certificate: certificate-details-follows-here
08:41 < Haris_> what does this mean ? It doesn't allow self generated ssl cert?
08:42 < Haris_> I generated a cert at the server and copied that exact cert at the client
08:42 < Haris_> or was this the problem?
08:44 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
08:49 < Haris_> ok, I used the wrong Common name
09:03 < Haris_> Should the cert on server and client be different ?
09:03 < Haris_> for client1, client2, client3 ?
09:04 < Haris_> I am here -> http://openvpn.net/howto.html#mitm
09:04 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
09:04 < Haris_> I can't figure out the problem
09:04 < Haris_> http://pastie.org/396654
09:05 < Haris_> this is the log
09:05 < Haris_> I manually generated the self signed certs
09:08 -!- El_Presidente [i=Martin@p5798F09A.dip.t-dialin.net] has joined ##openvpn
09:08 < Haris_> on windows, after I ran openvpn client once, I can't delete a config file, after I have exited from it
09:09 < Haris_> I checked the client, its not running, neither is openvpn's service
09:09 < El_Presidente> reiffert, i set up a openvpn on my webserver just to avoid bandwidth issues, i was able to download directly through the tunnel from my webserver with 2,5mbyte/s but if i download e.g. from uni-erlangen.de through the tunnel i just get 300kb/s
09:10 < El_Presidente> if i download without the tunnel from uni-erlangen.de i get the full 2.8mb/s
09:10 < El_Presidente> is there in general such a huge penalty when routing web traffic ?
09:14 < Haris_> Options error: Unrecognized option or missing parameter(s) in /usr/local/etc/openvpn/openvpn.conf:307: remote-cert-tls (2.0.6)
09:14 < Haris_> Use --help for more information.
09:14 < Haris_> doesn't make sense
09:14 < Haris_> according to http://openvpn.net/index.php/documentation/howto.html#mitm
09:14 < vpnHelper> Title: HOWTO (at openvpn.net)
09:15 < Haris_> I have to put it there
09:18 < Haris_> :o
09:25 -!- skx [i=skx@unaffiliated/skx] has quit ["changing servers"]
09:29 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
09:34 -!- ser [n=ser@sergiusz.pawlowicz.name] has joined ##openvpn
09:34 < ser> hello, is it possible to run openvpn as a client for one connection and a server for another in static key mode?
09:49 < El_Presidente> Haris_, you need ns-cert-type server instead of the other one ...
09:49 < El_Presidente> since you use 2.0.6
09:49 < El_Presidente> read the howto!
09:49 < Haris_> I am
09:49 < Haris_> what I'm doing is, I'm manually generating the certs/keys
09:49 < El_Presidente> replace remote-cert-tls with ns-cert-type server
09:49 < Haris_> and the howto is built around doing it with pre-existing example scripts from openvpn
09:50 < Haris_> I'm getting cert verification errors
09:54 < Haris_> why does the cleanall script delete the key_dir ?
09:56 < El_Presidente> cleanall means cleanall ...
09:57 -!- Haris_ is now known as Haris
10:08 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:16 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
10:46 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
11:04 -!- ser [n=ser@sergiusz.pawlowicz.name] has left ##openvpn []
11:14 -!- Lede [n=lede@85.148.228.92] has quit [Read error: 113 (No route to host)]
11:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:43 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: clusterm1gnet, bsdbandit, vcs, d0wn, blaxthos, disco-, rubydiamond, pa, Haris, worch, (+15 more, use /NETSPLIT to show all of them)
11:43 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: eagle, nemysis, krzie_, skx, disposable, smk, Typone, infinity_, sigius, kala, (+4 more, use /NETSPLIT to show all of them)
11:46 -!- Netsplit over, joins: rubydiamond, bandini
11:46 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
11:46 -!- Netsplit over, joins: skx, El_Presidente, nemysis, Haris, ropetin, Solver, roentgen_, eagle, Typone, pa (+6 more)
11:46 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
11:46 -!- Netsplit over, joins: disco-, worch, clusterm1gnet, blaxthos, stephenh, dvl, logiclrd, troy-, vpnHelper, hardwire (+9 more)
11:47 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
11:49 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [Client Quit]
11:52 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
12:01 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has joined ##openvpn
12:02 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit ["Lost terminal"]
12:05 < pg1054> is there a required/recommended relationship between server/client key bit depth (e.g., i'm using 2048-bit rsa) and the bit-depth of the "DH Parameters" key file? I.e., must (should?) I use 2048-bit dhparam as well?
12:43 -!- pg1054 [n=pg1054@unaffiliated/pg1054] has quit []
13:02 -!- Baneo [n=hi2u@sophus.tiendaofertas.com] has joined ##openvpn
13:05 < Baneo> people can connect to my server, however can't browse at all once it's open
13:05 < Baneo> any ideas?
13:13 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection]
13:15 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
13:19 -!- mib_e1owaj [i=52e6d07c@gateway/web/ajax/mibbit.com/x-72cde72297aa254d] has joined ##openvpn
13:19 < mib_e1owaj> hi
13:19 < mib_e1owaj> there
13:19 < mib_e1owaj> is there anyone here ?
13:20 < mib_e1owaj> i try to install openvpn on my ubuntu pc it don't want to install
13:23 < mib_e1owaj> by doing this command $ . ./vars it give this message NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
13:24 < mib_e1owaj> is it normal ?
13:25 < mib_e1owaj> hello
13:25 < mib_e1owaj> is there anyone here ?
13:31 < Haris> yes
13:31 < Haris> this is normal
13:32 < mib_e1owaj> hi haris
13:32 < mib_e1owaj> thx for your participation
13:33 < mib_e1owaj> then
13:33 < mib_e1owaj> running this command i got this error
13:34 < mib_e1owaj> desktop:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo ./clean-all Please source the vars script first (i.e. "source ./vars") Make sure you have edited it to reflect your configuration.
13:34 < mib_e1owaj> what i have to do exactly ?
13:34 < mib_e1owaj> or can i skip this error ?
13:35 < Haris> it wants you to look at the vars file
13:35 < Haris> for any modifications you might want to make
13:35 < Haris> its ignore-able
13:36 < mib_e1owaj> so can i ignore this error ?
13:36 < mib_e1owaj> is it ?
13:37 < Haris> yes
13:37 < Haris> not sure what source vars means
13:38 < mib_e1owaj> -desktop:/usr/share/doc/openvpn/examples/easy-rsa/2.0$ sudo ./build-ca Please edit the vars script to reflect your configuration, then source it with "source ./vars". Next, to start with a fresh PKI configuration and to delete any previous certificates and keys, run "./clean-all". Finally, you can run this tool (pkitool) to build certificates/keys.
13:38 < mib_e1owaj> can i ignore this
13:38 < mib_e1owaj> too
13:40 < mib_e1owaj> can i skip this one too ?
13:40 < mib_e1owaj> hello plz
13:46 < Haris> try going through them
13:47 < mib_e1owaj> sorry
13:47 < mib_e1owaj> can i ignore this error or not
13:47 < mib_e1owaj> ?
13:47 < Haris> Nope, you can't
13:48 < mib_e1owaj> what i have to ?
13:48 < mib_e1owaj> to solve this error ?
13:48 < mib_e1owaj> plz
13:48 < Haris> read the instructions and do as it says, lol
13:49 < mib_e1owaj> http://pastebin.ubuntu.com/121539/
13:49 < mib_e1owaj> this is the vars file actual configuration
13:50 < Haris> have you run the command -> source ./vars ?
13:50 < Haris> if not, run it
13:51 < Haris> then run ./clean-all
13:52 < mib_e1owaj> source ./vars NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys
13:52 < mib_e1owaj> $ sudo ./clean-all Please source the vars script first (i.e. "source ./vars") Make sure you have edited it to reflect your configuration.
13:52 < mib_e1owaj> it gives exactly the same message
13:55 < Haris> if you have run those commands, you can ignore this message
13:55 < Haris> its programmed to be displayed that way
13:56 < mib_e1owaj> ok
13:56 < mib_e1owaj> thx
14:00 -!- mib_e1owaj [i=52e6d07c@gateway/web/ajax/mibbit.com/x-72cde72297aa254d] has quit ["http://www.mibbit.com ajax IRC Client"]
14:00 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has joined ##openvpn
14:07 < Haris> where is db_fetch_cell() supposed to be ?
14:07 -!- rubydiam_ [n=rubydiam@123.236.183.130] has joined ##openvpn
14:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
14:57 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
14:57 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
15:04 < Baneo> hey - any experts willing to take a look at something? I'll pay if need be. I can accept connections however no traffic seems to be routing through at all
15:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:11 < Baneo> anyone at all? :]
15:11 < krzee> ?
15:12 < Baneo> i've got some problems with openvpn - i think it's the iptables, basically people can connect to the vpn
15:13 < Baneo> however no traffic is being routed, i.e they can't use the net
15:14 < krzee> you have redirect-gateway def1, ip forwarding enabled, NAT setup?
15:16 < Baneo> yeah - i've checked all i know - it's beyond me i think
15:16 < Baneo> i've searched around on google etc - of course
15:16 < Baneo> yet to find an answer or some sort of pointer
15:16 < Baneo> i'd be willing to pay for someone's time to take a look? it would be greatly appreciated
15:17 < Baneo> i think it's something to do with iptables
15:18 < Baneo> i'm trying to add rules to forward traffic but it's not changing anything
15:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:23 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
15:24 < Baneo> krzee: any chance of you taking a look?!
15:24 < krzee> !iptables
15:24 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
15:24 < krzee> =]
15:24 < krzee> !linnat
15:24 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:26 < krzee> there ya go =]
15:27 -!- krzee [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
15:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:31 < Baneo> it acts like it's adding
15:31 < Baneo> but when i show the rule list, it isn't
15:35 < Baneo> krzee: can you take a look? i'll pay for your time
15:36 < krzee> im not much of a linux guy
15:36 < krzee> but go ahead and pastebin it
15:54 < Baneo> krzee: http://pastebin.com/m27ba66cc
15:55 < krzee> heh
15:55 < krzee> you def have a problem
15:55 < krzee> ask a linux channel
15:55 < krzee> when the rules actually add, you should have better luck
15:55 < Baneo> does it seem fine otherwise?
15:55 < krzee> umm
15:56 < krzee> only thing i can say that 1 way or other for is ip forwarding
15:56 < krzee> you showed me firewall and ip forwarding
15:56 < krzee> firewall is problem
15:56 < krzee> other than that i saw nothing
15:58 < krzee> if you post your configs (with no comments) i can answer that
16:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:23 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
16:39 < reiffert> krzee: carnival?
16:42 < krzee> nah didnt make it to brazil
16:42 < krzee> but im in peru
16:42 < krzee> and its AWESOME here
16:43 < reiffert> Doh, after 10 years of no carnival I've made it into the next bigger city today, tons of alcohol, tons of pretty girls, many friends and my pride. Tomorrow'll be the same thing again ..
16:46 < reiffert> Hope I get her join home very soon...
16:46 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:46 < krzee> where are you?
16:47 < reiffert> krzee: http://maps.google.de/maps?f=q&source=s_q&hl=de&geocode=&q=Klein-Winternheim&sll=51.151786,10.415039&sspn=13.27051,27.333984&ie=UTF8&ll=49.945476,8.211594&spn=0.212537,0.427094&t=h&z=11
16:47 < vpnHelper> Title: Google Maps (at maps.google.de)
16:47 < reiffert> n you?
16:47 < krzee> Lima, Peru
16:48 -!- felix__ [n=felix@static-87-79-236-180.netcologne.de] has joined ##openvpn
16:48 < reiffert> gimme some link
16:48 < Roman123> I have a question about the "every hour disconnect" of openvpn (http://openvpn.net/archive/openvpn-users/2006-12/msg00189.html). Does this disconnect also take place if data is transferred over the tunnel at this time?
16:48 < vpnHelper> Title: Re: [Openvpn-users] OpenVPN, One Time Password, Disconnect every hour. (at openvpn.net)
16:49 < Roman123> or does it only take place if the tunnel is in idle state?
16:50 < reiffert> krzee: just showing my girl where you've been and where you're going to .. would be nice to have something clickable...
16:52 < reiffert> ok, we've found lima.
16:53 < krzee> Roman123, mine never disconnects, just re-keys
16:54 < Roman123> krzee: hmm, thanks for the response. This re-key activity takes place every hour?
16:55 < krzee> yes
16:56 < Roman123> ah, ok. I guess this "TLS: tls_process: killed expiring key" and "TLS: soft reset sec=0 bytes=38324/0 pkts=719/0" etc.
16:56 < Roman123> is the re-keying section in the openvpn log.
16:57 < krzee> yup
16:57 < krzee> does it kill xfers?
16:58 < Roman123> Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #284 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
16:58 < Roman123> I'm not sure what this is.
16:58 < krzee> you on wireless?
16:58 < Roman123> krzee: maybe, ^^^
16:59 < krzee> see what it told you to
16:59 < krzee> !man
16:59 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:59 < Roman123> No, I connect two lans
17:01 < Roman123> krzee: Currently I'm taking a look at the postings on google about his message.
17:01 < Roman123> this
17:09 < reiffert> krzee: still with me?
17:09 < reiffert> krzee: check out http://musicovery.com/
17:09 < vpnHelper> Title: Musicovery : interactive webRadio (at musicovery.com)
17:09 < krzee> for 2 min
17:09 < krzee> battery dying
17:09 < krzee> and im out by the pool
17:09 < reiffert> krzee: must see!
17:09 < krzee> link saved
17:09 < reiffert> Must listen too.
17:10 < reiffert> spent last night with it, omg.
17:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
17:19 < sigius> Q: wireshark (a.k.a ethereal) is not decoding my openvpn traffic. Does anyone know of a wireshark dissector (decode plugin) to use for this purpose ?
17:22 < reiffert> sigius: OS?
17:28 < sigius> linux (debian)
17:34 < reiffert> running tcpdump -n -i tun0 works for you?
17:34 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:51 -!- nemysis [n=nemysis@81-241.0-85.cust.bluewin.ch] has quit [Remote closed the connection]
17:52 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:18 < sigius> reiffert, sorry for the delay, had a bit of distraction here. Yes I can capture the traffic but it is being presented as plain 'UDP'. I'd like wireshark to dissect the traffic as openvpn/ssl traffic
18:21 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
18:40 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit ["Lost terminal"]
18:51 -!- rubydiam_ [n=rubydiam@123.236.183.130] has quit [Read error: 104 (Connection reset by peer)]
18:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
19:33 -!- El_Presidente [i=Martin@p5798F09A.dip.t-dialin.net] has quit ["Verlassend"]
19:42 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
19:43 < metbsd> is there good book about vpn? i find it confusing
19:50 -!- oc80x [i=oc80z@quad.efnet.pe] has joined ##openvpn
20:14 -!- felix__ [n=felix@static-87-79-236-180.netcologne.de] has quit ["leaving"]
20:16 -!- metbsd [n=AXT@unaffiliated/metbsd] has quit [Read error: 104 (Connection reset by peer)]
20:17 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
20:19 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:20 < eliasp> hi
20:21 < eliasp> i have a strange problem on one of our hosts... nearly all the time, the OpenVPN connection stalls and the openvpn.log on this client is filled with lines like this: Mon Feb 23 03:19:23 2009 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
20:21 < eliasp> it is an OpenVPN specific issue, as at the same time, it's no problem at all accessing the client directly via SSH... only via OpenVPN it stalls
20:22 < eliasp> i've issued a 'traceroute' to the OpenVPN server while the connection was stuck... it worked fine...
20:23 < eliasp> has anyone ever seen such a behavior before? there's also a bug in the Gentoo bugtracker where i've added my case as comment #8 http://bugs.gentoo.org/223033
20:23 < vpnHelper> Title: Gentoo Bug 223033 - net-misc/openvpn - VPN traffic disrupts networking in a strange way (at bugs.gentoo.org)
20:27 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
20:39 -!- Baneo [n=hi2u@sophus.tiendaofertas.com] has quit [Client Quit]
20:59 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
21:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
21:20 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
21:27 -!- rubydiam_ [n=rubydiam@123.236.183.74] has joined ##openvpn
21:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
21:49 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:49 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
21:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
21:56 -!- rubydiam_ [n=rubydiam@123.236.183.74] has quit [Read error: 110 (Connection timed out)]
22:04 -!- rubydiam_ [n=rubydiam@123.236.183.74] has joined ##openvpn
22:13 -!- rubydiam_ [n=rubydiam@123.236.183.74] has quit ["Leaving..."]
22:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
22:22 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn
22:23 < dmb> ok, i need some help with iroute stuff
22:23 < dmb> basically, i set my openvpn server up to have all traffic, including the internet go through it
22:24 < dmb> the localip for the client is 192.168.1.174
22:24 < dmb> vpn ip is the normal 10.8.0.1
22:25 < dmb> i have iroute 192.168.1.0 255.255.255.0 for client1
22:25 < dmb> yet it still keeps printing out tons of Mon Feb 23 04:26:58 2009 client1/74.214.115.252:42519 MULTI: bad source address from client [192.168.1.174], packet dropped
22:25 < dmb> along with Mon Feb 23 04:27:00 2009 client1/74.214.115.252:42519 Replay-window backtrack occurred [1] 's
22:26 < dmb> can someone tell me what i'm doing wrong?
22:31 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
22:38 < oc80x> sup
22:38 < oc80x> not quite sure, hang on and we can help
22:38 < oc80x> brb.
22:38 < dmb> ok
22:38 < dmb> is there a way i can tell if iroute is working?
22:38 < dmb> i don't seem to see it in verbose mode
22:58 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
23:15 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit []
23:17 -!- oc80x [i=oc80z@quad.efnet.pe] has quit []
23:56 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Mon Feb 23 2009
00:04 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
00:59 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: soberbit, disposable
00:59 -!- Netsplit over, joins: disposable, soberbit
01:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:03 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has joined ##openvpn
02:14 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
02:17 -!- jave [n=user@79.138.130.132.bredband.tre.se] has joined ##openvpn
02:17 < jave> hello
02:17 < jave> I'm having difficulty getting an openvpn connection working
02:18 < jave> we have a suse openvpn 2.0 server, and 2.1 clients. is this a problem?
02:19 < dazo> jave: that should normally work fine ... but it might be a good approach to upgrade to the latest 2.1 on the server as well
02:19 * dazo have been running openvpn-2.1rc15 since it was released without any issues
02:19 < jave> dazo: ok, but I'm not sure there are any 2.1pkgs for opensuse
02:20 < jave> also I get this warning: WARNING: No server certificate verification method has been enabled
02:20 < jave> is this critical?
02:20 < mazzachre> I have setup openvpn on a box with a public ip address, I can connect to it, and it forwards and routes to the local network (Have tested via traceroute from my own linux workstation). However my coworkers running windows and outlook cannot connect outlook to the exchange server via vpn.
02:21 < dazo> jave: that might be a problem ... I would try to sort out that one .... tls-remote might be the option you'll need to look at
02:21 < dazo> jave: are you running opensuse or Novell SLES/SLED?
02:21 < mazzachre> I get that warning also. What does it mean?
02:22 < jave> dazo: opensuse on the server. fedora on one client, vista on another client
02:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:23 < dazo> mazzachre: that error means that it has not been enabled any methods for double checking that the server you are connecting to is validated ... hostname used against hostname (common name) used in the certificate match checking
02:25 < dazo> jave: I would dig around a little bit to find some 2.1 packages ... I'm pretty sure that's available, even though most probably not in the stable repos .... and if not, compiling openvpn is quite easy, and it do not depend on much which you most probably already have installed on your box already .... openvpn is actually a small piece of software
02:25 < mazzachre> dazo: Uhm... I don't understand... How to fix?
02:25 < dazo> mazzachre: --tls-remote
02:26 < mazzachre> dazo: In config file? (I use init scripts on linux and openvpn gui on windows)
02:27 < dazo> mazzachre: yes, in config .... tls-remote would be the config file option
02:30 < mazzachre> If I set that, do I need to generate new keys etc? And If I set it in server, does all clients need to add it immediately to be able to connect?
02:31 < dazo> mazzachre: the argument you give here must match the CN field of the server certificate, that's all
02:31 < dazo> mazzachre: usually that should be the hostname of your server
02:33 < mazzachre> argument to what? should tls-remote have an argument?
02:34 < jave> like : tls-remote nwise
02:34 < jave> but I still get: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
02:34 < mazzachre> ok
02:34 < jave> and: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:36 < dazo> jave: yeah, that next warning is pretty much annoying ... that comes automatically whenever you use tls-remote ... that's just an informative warning, as a lot of users have over time misunderstood the concept of tls-remote
02:36 < jave> dazo: ok thanks
02:36 < jave> is there a simple way of ensuring that the server is actually running? like "nc host 1194" or something
02:37 < dazo> jave: you could always check with netstat ... f.ex. run as root: netstat -lnptu | grep openvpn
02:37 < mazzachre> ah remote
02:38 < jave> dazo: yes but atm I dont have a shell on the server
02:38 < jave> will have later when I arrive at work
02:38 < mazzachre> you can always try to telnet to the port... if you get a connection, it is running
02:38 < mazzachre> So, no one have windows clients trying to connect to shared drives and exchange over an openvpn connection?
02:39 < dazo> jave: the TLS key negotiation failed .... that can be depending on some bugs in openvpn versions ... I think it was an issue in one of the versions between 2.1rc10-13 ... but it can also mean that static keys (if you use that in addition) is wrong
02:39 < jave> dazo: no static keys
02:40 < jave> 2.1 rc15 on this client
02:40 < jave> but ill try to upgrade the server then
02:40 < dazo> mazzachre: I've done that with Samba (Linux) and Windows clients ... no problem ... but you'll need to check up the firewall settings ... you might want to set up a WINS server and give details about WINS in "push" statements for DHCP parameters in openvpn config
02:41 < dazo> jave: check that you also have the same cipher settings on both client and server ... that can also give the same error
02:41 < dazo> jave: +1 for upgrade ... no big danger here
02:42 < dazo> mazzachre: have a look at --dhcp-option in the documentation
02:44 < mazzachre> dazo: Does it matter that the shares are on a AD network?
02:45 < dazo> mazzachre: yes, that could be ... but I'm not a MS/AD/Windows expert so I do not know anything about any gory details
02:45 < mazzachre> dazo: I forward anything that comes in on tun0 to the network behind the server. And I can traceroute from my linux machine to anything on the internal network...
02:47 < dazo> mazzachre: well, traceroute is one thing ... have you tried tcpdump on the openvpn server ... on your internal network and on your vpn network on that box? If you see SMB/CIFS/Exchange traffic passing ... then it's most probably something on the Windoze server
02:47 < dazo> mazzachre: if you see traffic hitting your win server but no reply ... then it's either firewalling on that server and/or routing issues
02:48 < dazo> mazzachre: if you see traffic going out from your win server on the internal net but not hitting the vpn network ... then it is firewalling/routing on your vpn box
02:49 < mazzachre> Will the vpn connected machines ip address be the address of the tun device?
(eg 172.16.0.x) 02:50 < dazo> mazzachre: the ip address which will be used on your internal network from vpn clients, will be the VPN client IP address which it is given, yes 02:52 < mazzachre> So, (repeating to know I understood this correctly) my vpn servers lan address is 192.168.7.125, the tun addresses are 172.16.0.x, the exchange server is on 10.0.0.0/8 network (I push route 192.168.7.0/24 and 10.0.0.0/8 in config). So, my client will have eg address 172.16.0.25 on the local network? Or it have 192.168.7.125 (Servers ip) 02:57 < mazzachre> Ahh.. look in firewall.. All is SNAT to 192.168.7.125 so it should be the the address of the server... 03:00 < dazo> mazzachre: I'm not sure I would recommend you to SNAT the VPN tunnel traffic ... if you really want VPN clients to be a part of the local network (as a locally connected client) I would rather consider bridging 03:01 < dazo> mazzachre: it might work fine normally with SNAT ... but with proprietary Microsoft protocols and mostly "Microsoft concealed standards" on the protocol level, you'll never know how that really will work out in reality 03:05 -!- jave` [n=user@h-131-104.A184.priv.bahnhof.se] has joined ##openvpn 03:14 < mazzachre> So.. I should set openvpn up as bridging? 03:14 < mazzachre> How does that work? 03:23 < dazo> mazzachre: quick basics ... you'll create a bridge with brctl and add the tun/tap devices here and the eth interface of your internal network ... the br0 interface will have the proper IP address and that's the interface to be used in firewall rules etc ... 
all traffic going to one of the interfaces in the bridge will then distributed accordingly to the other devices as well 03:23 < dazo> mazzachre: http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 03:23 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 03:24 < dazo> mazzachre: http://www.linux.org/docs/ldp/howto/Bridge+Firewall.html 03:24 < vpnHelper> Title: Linux Online - Linux Bridge+Firewall Mini-HOWTO version 1.2.0 (at www.linux.org) 03:25 < dazo> never mind this one ... that was pretty much outdated 03:28 -!- jave [n=user@79.138.130.132.bredband.tre.se] has quit [Read error: 110 (Connection timed out)] 03:30 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Read error: 54 (Connection reset by peer)] 03:30 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 03:31 < dazo> mazzachre: this one seems to be more updated: http://www.linuxfoundation.org/en/Net:Bridge 03:31 < vpnHelper> Title: Net:Bridge - The Linux Foundation (at www.linuxfoundation.org) 03:32 < dazo> mazzachre: you don't need to look at STP/Spanning Tree Protocol .... that's for a different usages than what you need now 03:42 < mazzachre> ok.. thx... will take a look.. 03:48 < jave`> dazo: now I got the connection working by upgrading the server! 03:48 < jave`> Thanks 03:48 < dazo> jave`: no prob :) 03:48 < dazo> jave`: good to hear it works now :) 03:50 < jave`> another question: I want to connect to a network called 10.0.75.X, but ive rigged openvpn to have a net like 10.8.0.X. what is the best way to configure the net? routing? something more clever? 03:53 < dazo> jave`: I'd recommend routing 03:54 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 03:54 < jave`> dazo: you can have the server send out routes to the clients right? 03:55 < dazo> jave`: yeah .... push "route " 03:55 < jave`> Thanks 04:01 < mazzachre> I HATE EXCHANGE!!! 04:01 < mazzachre> sry... just had to shout 04:01 * hads nods 04:02 < mazzachre> And it seems correct... 
it is not possible to use SNAT on openvpn to connect clients with outlook to an exchange server :s 04:02 < mazzachre> Why oh why? :( 04:05 < mazzachre> Everything else is working... why not this? 04:10 < dazo> mazzachre: because Microsoft did not know what it means to follow standards earlier ... but they slowly seems to begin to understand it now .... it just took them 5-6 Windows releases to understand why it's clever to follow standards 04:11 < hads> I tried to setup OpenVPN on a Windows network the other day, it wasn't fun, still not had a chance to look at why it's not working. 04:11 < mazzachre> dazo: I don't think they have gotten around to it yet... They are just mourning that they can't control the internet... planning how to mangle the standards so they can... 04:11 < dazo> mazzachre: well, things seems to change now with IE8, if what I read about it really is true .... 04:12 < dazo> mazzachre: but it'll probably take a while for Exchange, as the competition here is not so strong as in the browser marked 04:12 < mazzachre> They should just scrap IE and fix windows, office and exchange... 04:13 < dazo> mazzachre: I dare you to tell that to Steve Balmer ... face to face .... 04:13 < dazo> look out for flying chairs ....... 04:21 < mazzachre> If I could get a face to face meeting with Steve Balmer I would tell him that... I would tell him how he could turn M$ from one of the most hated companies in the world into one of the most loved... And still make loads of money... 04:21 < mazzachre> But I can't get a face to face meeting with him... and he would probably not listen to the chief developper of some minor european company anyways... 04:25 < mazzachre> Hmm... So, I should setup a bridging interface for all our "road warrior" machines? And one for our Miami office (So people there, while at work, should not start their vpn)? 
04:25 < jave`> dazo: I put in a route like this: push "route 10.0.75.1 255.255.255.255"
04:25 < mazzachre> That takes some ip addresses... (looks at LAN)
04:25 < jave`> then I enabled ip_forward in the server
04:25 < jave`> it doesnt work, did I miss something?
04:26 < mazzachre> jave`: you need to enable forwarding in the kernel and from iptables... and if you are routing, you need to nat or masquerade it
04:26 < dazo> jave`: try running the openvpn on the client with verb 4 .... that should give you something more .... is the client running as root?
04:26 < dazo> mazzachre: nope ... you don't need to nat or masq
04:26 < jave`> this is a colleague's vista client
04:27 < jave`> but I can try from my fedora laptop
04:27 < dazo> jave`: make sure it's running with Admin privileges
04:27 < jave`> yes I believe it is running as admin
04:27 < mazzachre> dazo: Before I nat'ed the traffic from tun to eth, I could not contact anything on the lan side of the server...
04:28 < hads> You need routing
04:28 < dazo> jave`: pay close attention to the logs with verb 4 ... it usually gives clear hints
04:29 < dazo> mazzachre: hads is correct ... you need to set up sensible routes, that's all
04:30 < hads> e.g. On the default gateway
04:34 < mazzachre> I don't quite follow... In my case... what would be the way to go? (sorry for being a newb on networking) We have a local network 192.168.7.0/24 where the vpn server sits. It is connected to another local network (10.0.0.0/24) where the exchange, PDC, DNS, WINS, etc. servers sit. We have an office in Miami that needs to connect to the 192.168.7.0/24 network via vpn (over public internet) and should have access to the exchange servers etc. We also
04:34 < mazzachre> have machines that are not stationary to any of these networks and should connect via public internet...
04:34 -!- c64zottel [n=hans@p5B17B3D0.dip0.t-ipconnect.de] has joined ##openvpn
04:37 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:37 < mazzachre> I should set aside a range of ip's on local LAN (192.168.7.0/24) for bridged vpn connections and setup all clients (that are not stationary) to use bridged vpn, and setup a default route in Miami for 192.168.7.0/24 and 10.0.0.0/8 to go through a vpn connected router there? And default to global internet?
04:39 < mazzachre> When I look in my openvpn log, I get a lot of "bad source address from client [172.20.0.15], packet dropped" (client's lan ip), why do I get those?
05:00 -!- metbsd [n=AXT@unaffiliated/metbsd] has joined ##openvpn
05:00 < metbsd> i'm wondering, how do i get bridge to work in openvpn
05:01 < metbsd> what does server-bridge mean
05:04 -!- metbsd [n=AXT@unaffiliated/metbsd] has left ##openvpn []
05:06 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:06 < mRCUTEO> !route
05:06 < vpnHelper> mRCUTEO: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
05:13 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
05:29 < mazzachre> So... If I don't have access to edit the routing tables of the default gw of my lan, I must use bridging because I cannot setup the correct routes?
05:29 < mazzachre> (or can I do nat/masq of any and all packets coming from tun+ in the server? Would that even work?)
05:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:46 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has joined ##openvpn
05:46 -!- jave`` [n=user@79.138.130.132.bredband.tre.se] has joined ##openvpn
05:47 -!- jerrypozer [n=jerrypoz@modemcable132.159-56-74.mc.videotron.ca] has quit [Client Quit]
05:47 -!- jave` [n=user@h-131-104.A184.priv.bahnhof.se] has quit [Read error: 60 (Operation timed out)]
06:17 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn
06:17 < lkthomas> hey guys
06:17 < lkthomas> http://www.debian-administration.org/articles/35
06:17 < vpnHelper> Title: Joining Networks with OpenVPN (at www.debian-administration.org)
06:17 < lkthomas> this guide seems not to involve any encryption ?
06:30 < dazo> lkthomas: I've just given it a very brief and quick look ... as long as no cipher options are given to OpenVPN, it will default to blowfish encryption, IIRC
06:31 < lkthomas> I see
06:31 < lkthomas> I don't care what encryption type it is using
06:31 < lkthomas> I just need it to be encrypted :)
06:31 < lkthomas> dazo, I could also specify the encryption type, right ?
06:32 < dazo> lkthomas: that's right, again by using the cipher option
06:32 < dazo> lkthomas: to see which are available, you can call openvpn --show-ciphers .... that will give you a list
06:33 < lkthomas> ok, one more question, what about those networks which are not run by this openvpn gateway? maybe I just need to use route add to add those routes to my openvpn router ?
06:33 < dazo> but you probably should care what kind of encryption you're using .... that will define how easy it will be to crack the encryption
06:33 < dazo> lkthomas: sounds about right .... have a look at
06:33 < dazo> !route
06:33 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:42 < lkthomas> thanks man
06:46 < mazzachre> When setting up bridging, should I remove the starting of the eth device from system startup? Or can eth0 be started by the system and then linked to the tap devices in a bridge?
06:52 < dazo> mazzachre: you should probably stop eth from startup ... or reconfigure it so that the init script sets the interface up as a part in a bridge
06:52 < dazo> mazzachre: which distro?
06:53 < mazzachre> Using gentoo
06:55 < dazo> mazzachre: The distro I know best ... but I don't really recall how to do it now ... have a look at the different examples in /etc/conf.d/net.example
06:58 < dazo> mazzachre: most probably, you'll need to have a look for something like bridge_br0="eth0"
07:01 < dazo> mazzachre: http://www.pastebin.ca/1344881 .... just a wild shot in the dark ... I believe you would need something like this in your /etc/conf.d/net file
07:01 < dazo> http://www.pastebin.ca/1344884 .... fixed some typos
07:10 < mazzachre> dazo: ok.. so I should not use the "bridging-start" script mentioned on the openvpn site?
07:10 < mazzachre> but use the bridging setup in gentoo baselayout
07:11 < dazo> mazzachre: if you use the gentoo baselayout setup I pastebin'ed (with your local adaptations) ... I think that might work somehow better
07:11 < dazo> mazzachre: try tweaking and using the baselayout config instead of adding extra scripts ... makes it easier to maintain for you afterwards
07:12 < mazzachre> dazo: Sure...
07:12 < mazzachre> Uhm... all the things... are they supposed to be like that, or should I change them?
07:13 < dazo> mazzachre: are you looking at http://www.pastebin.ca/1344884 ?
07:13 < mazzachre> ya
07:13 < mazzachre> bridge_add_="br0"
07:13 < mazzachre> Should it be exactly like that? Or am I supposed to change something there?
07:13 < dazo> ahh ... sorry :) yeah, you need to change that to your VPN interface
07:14 < dazo> bridge_add_tap0="br0" ... if you're using tap0 ....
07:14 < mazzachre> so... it should say.. bridge_add_tap0="br0"?
07:14 < dazo> yeah
07:15 < dazo> and then config_tap0=( "null" ) later on
07:15 < mazzachre> ok... How do I know what tap device(s) I am using? I would suppose I only use tap0? Or should I have 1 per bridged connection? (16 for my 150 - 165 setup)
07:16 < dazo> mazzachre: you'll need one per openvpn server/client process .... and you can define that explicitly in the openvpn config with "dev tap0"
07:17 < mazzachre> I have only 1 openvpn started... I will connect 16 other lans to it (basically mostly clients... 1 other complete lan)
07:18 < dazo> so you will have 16 clients connecting to your 1 openvpn server? ... in this case, you'll only need 1 tap device
07:18 < dazo> on the server
07:19 < mazzachre> fine
07:20 < mazzachre> And yes... I will have 16 clients to 1 server... With bridging it should work to have the clients talk to an exchange server right? (Everything else seems to work perfectly... only exchange is a problem...)
07:22 < dazo> mazzachre: I can't guarantee anything, as it also depends on how the clients will interact ... but basically, if they are "single" clients using VPN as a tap into the internal network only (not routing network from the client side in addition), I would say this would look very transparent .... in reality, Exchange will believe the VPN client is a local computer on the LAN
07:22 * mazzachre wonders if there is a way to setup a CalDAV server to talk to exchange so we could have std. tools and still use the conference room booking system that uses exchange...
07:24 < mazzachre> Ya... that is what I want... now I am not quite sure if I can do the same with our Miami office (Our main office is in Copenhagen, Denmark) To let the entire network connect bridged to our network and run everything smoothly?
07:27 < mazzachre> In my current conf.d/net I have routes_eth0=( "default gw 192.168.7.1" ) Should I setup routes_br0 to the same now?
07:27 < dazo> mazzachre: I've never tried that .... might be a bigger challenge ... but on the other hand ... if the openvpn client is setup also as a bridge between VPN and eth ... even dhcp requests would go over the link
07:28 < dazo> mazzachre: yeah, you'll need to change that
07:28 < dazo> mazzachre: is your company in Copenhagen located in Rodovre?
07:30 < mazzachre> No, it is located on Holmen
07:31 < dazo> mazzachre: just curious ... worked for a company located in Rodovre some years ago, and they also had a Miami office :-P
07:32 < mazzachre> nice... Quite a lot of small Danish companies are expanding to the Americas... and locate in Miami, because it gives access to US as well as the Caribbean...
07:32 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
07:33 < mazzachre> (And there are nice beaches in Miami.. which we all suspect is the reason our CEO spends so much time over there :D)
07:33 < ecrist> probably not the beaches so much as who's at the beaches...
07:34 < dazo> mazzachre: I see ... well, if you would have worked for that company I was working for earlier, I'm not sure I would be willing to help you much more ... :-P
07:34 < dazo> ecrist: +1
07:36 < mazzachre> dazo: oh... ya... I have a few of those from my past... not wanting to work together with those ever again...
07:36 < mazzachre> ecrist: probably... ya
07:55 < mazzachre> dazo: What net.* init.d scripts should I have? And which should be in default runlevel?
07:56 < mazzachre> dazo: It is not working now of course because only eth0 is started (with null config)
07:56 < dazo> mazzachre: good question ... I would say you need to link net to net.br0 ... and net.br0 needs to be in the runlevel as well as net.eth0
07:57 < mazzachre> dazo: what about net.tap0?
07:57 < dazo> ln -s net.lo net.br0 ... is probably the correct one
07:57 -!- vasco [n=vasco@nat/mandriva/x-2d1b2f7e781d6776] has joined ##openvpn
07:58 < dazo> in gentoo you probably want to link /etc/init.d/openvpn to /etc/init.d/openvpn.tap0 ... and place your config under /etc/openvpn/tap0.conf .... and openvpn.tap0 would need to be in the runlevel as well
07:59 < dazo> you might need to investigate if you need a line in the /etc/conf.d/net under the depend_br0() part which says need openvpn.tap0
08:00 < dazo> mazzachre: maybe even .... that you need to change bridge_br0="eth0" to also include tap0, and then removing the bridge_add_tap0="br0" line
08:01 < dazo> I've never tried bridging in gentoo ... so you'll have to try what works for you
08:01 < mazzachre> I just use the openvpn.conf (only vpn connection on this machine)
08:01 < vasco> hello, i have 1 headquarters + 2 far away sites, what are the components needed to let these 2 sites access the headquarters network on a different subnet, for example ?
08:02 < vasco> we just have simple routers between each site
08:04 < dazo> mazzachre: that might work as well .... But to make it explicit and clear, I would probably rename the config file and link up the openvpn.tap0 as well ... then it is much clearer how things are set up, and you'll have the basics ready if you need another openvpn process as well
08:05 < mazzachre> ok... well.. server started up, and there is net...
08:05 < dazo> brctl show gives sensible results?
08:06 < mazzachre> no...
08:06 < mazzachre> br0 only contains eth0
08:07 < dazo> mazzachre: hmm ... it should contain tap0 too ... you'll probably need to tweak the net config then, to add the "need openvpn" and then add tap0 into the bridge_br0 line
08:07 < dazo> (and removing the bridge_add_tap0 line)
08:07 < mazzachre> I try with bridge_br0="eth0 tap0"
08:07 < dazo> mm
08:08 < mazzachre> network interface top0 does not exists... Should I start openvpn first?
08:08 < dazo> yeah .... you most probably need to add in the depend_br0() part of the config "need openvpn"
08:09 < mazzachre> should I need openvpn net.eth0 net.tap0 or only openvpn or how?
08:09 < dazo> I would guess you would need net.eth0 and openvpn
08:11 < mazzachre> that seems to work so far... (ntp has some issues because I have edited files in the future when it was not started last time :D)
08:12 < dazo> heh
08:12 < mazzachre> Now br0 has eth0 and tap0 as devices...
08:12 < dazo> then you're set :)
08:12 < mazzachre> sigh...
08:12 < mazzachre> Then to configure the clients...
08:13 < dazo> one thing to notice .... your dhcp config needs to stay away from the ip range you've setup in the openvpn config .... to avoid collisions
08:13 < mazzachre> What should I do about those (They do have config that worked with routed tun) now they should use dev tap0 what else should be changed?
08:13 < mazzachre> And DHCP is taken care of... dhcp only handles 2-100, server is 125, vpn addresses are 150-165
08:13 < dazo> mazzachre: I would just try to change that ... if you pastebin a config example, I'll have a quick look
08:14 < dazo> mazzachre: perfect ... then you won't have collisions
08:15 < mazzachre> http://dpaste.com/80/ (before change to tap)
08:15 < mazzachre> Should I use tap or tap0?
08:20 < mazzachre> Seems that I can connect and get an address on the network... problem is that I am already on the network and cannot test if I can do everything through the new tap0 interface... What about routing? Should I push the routing I had before? 192.168.7.0/24 and 10.0.0.0/8 in config? Or how do I make client do the right thing? (use vpn for this net and public internet for rest?)
08:22 < dazo> mazzachre: good question ... I would guess tap0
08:22 < dazo> You will need to push routing as well
08:22 < mazzachre> Ah.. seems to be the same...
08:23 < dazo> if tap0 is already in use on the client, you may change to tap1 .... maybe just "tap" will dynamically take what's available
08:23 < mazzachre> Ya... it seems to work with dev tap
08:24 < mazzachre> Trying now with the full config... and a windows client (which was the problem in the first place...)
08:25 < mazzachre> damned... I have now spent the entire day trying to get these windows machines to talk to an exchange server when not in the office... sigh... someone go back in time and make sure windows never gets to be the std. os...
08:25 < dazo> that's why MS consultants are needed and make a lot of money .... like Accenture f.ex ....
08:27 < mazzachre> Could someone not make a NICE client to use OWA protocol? Would that be so hard?
08:28 -!- jimgrow_ [n=sebastin@gw243.carlson.com] has joined ##openvpn
08:30 < dazo> mazzachre: well ... you have evolution in Linux and the Exchange implementation .... but evolution is not too great in reality
08:34 < mazzachre> ya
08:36 < mazzachre> But the OWA protocol should be nicer to the network afaik? And should be routeable etc. (Since it is basically rpc over http)
08:36 < mazzachre> I am not aware how fast it is though?
08:36 < dazo> mazzachre: that's true ... but it's somehow limited in some of the features too, afaik ... like push-mail ....
08:37 < mazzachre> Ya... of course it will have to be... since you can't push using http
08:38 < mazzachre> So it will have to be polled..
08:38 < dazo> mm
08:38 < mazzachre> should I add -A FORWARD -i tap0 -j ACCEPT to my firewall? (Have added -i br0 so far)
08:39 < mazzachre> (Outlook still cannot connect to exchange)
08:39 < dazo> mazzachre: no, that should not be needed .... br0 should be sufficient
08:40 < dazo> you may try to use tcpdump on the br0 and tap0 interfaces, as well as eth0 ... to make sure you see the traffic going correctly
08:42 < mazzachre> Uhm,,, we use udp as protocol...
08:43 < dazo> hmm ... doesn't tcpdump also dump udp traffic? I believe it does
08:44 < ecrist> yes, it does.
08:45 < dazo> ecrist: thx :)
08:46 < mazzachre> ok... emerging tcpdump
08:46 < mazzachre> (not something I have used before...)
08:46 < mazzachre> What should i do?
08:47 < dazo> mazzachre: tcpdump -i -n .... this will give you a brief overview over which ip addresses are talking to each other on which ports
08:47 < dazo> mazzachre: if you want to narrow it down to a specific IP address, you may do it like this: tcpdump -i -n host
08:49 < mazzachre> Uhm... how do I debug a user on vpn trying to talk to an exchange server? :)
08:49 < dazo> on the openvpn server ... you can first try to run tcpdump on the br0 interface
08:52 < mazzachre> Doing that... what am I looking for? A lot is going on there...
08:53 < dazo> okey ... try narrowing it down to only the VPN client's IP address ... using the host argument in addition
08:53 < mazzachre> uhm... -n what?
08:53 < dazo> if you know the port number .... you can also add: and port
08:54 < dazo> -n is to avoid dns resolving of IP addresses, which causes even more traffic
08:54 < dazo> tcpdump -i br0 -n host and port
08:57 -!- jave`` [n=user@79.138.130.132.bredband.tre.se] has quit [Read error: 113 (No route to host)]
08:58 < dazo> you should here see if the client sends a request to the server ... and if the server responds to that request
08:58 < dazo> but make sure that the IP range of the IP addresses the VPN clients now get is in the same network range as the internal network
09:00 < mazzachre> ok... seems to have found at least 1 problem... outlook refuses to accept an ip as server address... resolves it and finds a server name, that points to a different ip when not connected to the internal dns (when outside on public internet)... how clever is that!!!
09:01 < mazzachre> they are... LAN is 192.168.7.0/24 and vpn bridged addresses are 192.168.7.150-192.168.6.165
09:03 < dazo> mazzachre: IP addresses are correct ... but I think you've found your problem :)
09:03 < mazzachre> ya
09:04 < dazo> mazzachre: you might need to have a look at the dhcp-options ... to push your internal DNS ... but for Windows clients ... you'll need to do some more tweaks .... I'll find the link regarding this for you as well
09:04 < mazzachre> outlook raaaaawks... "Hey lets NOT let the user decide the exchange server to connect to..."
09:04 < mazzachre> so far I have added the internal address to the hosts file in windows...
09:05 < mazzachre> "It is much better if we here at microsoft decide what mails you should read..."
09:05 < mazzachre> Someone invent me a time machine and let me go back and stop the forming of microsoft.... PLZ!!!
09:07 < dazo> http://support.microsoft.com/kb/311218
09:07 < vpnHelper> Title: Cannot Change the Binding Order for Remote Access Connections (at support.microsoft.com)
09:07 < dazo> mazzachre: ^^^ .... Tweaks needed to make dhcp-options work when sending DNS server to use
09:08 < dazo> mazzachre: In Vista, I don't believe this is needed .... but for all before Vista, it's needed :(
09:09 < mazzachre> as said... can I not just use the hosts file?
09:12 < ecrist> good morning, fuckers.
09:13 < mazzachre> morning? It is 16:19
09:13 < dazo> mazzachre: ecrist has a screwed view of when the morning starts .... such late sleepers :-P
09:13 < mazzachre> :D
09:16 < ecrist> dazo, I've been trolling since 6:30am (~3 hours)
09:16 < ecrist> realized I forgot my 'good morning, fuckers' today
09:16 < dazo> ecrist: hah :) ...well 3 hours ago, is still in the afternoon for some of us :-P
09:17 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Read error: 104 (Connection reset by peer)]
09:17 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
09:19 < mazzachre> How should I make openvpn push the dns config?
09:26 -!- bsdbandit [n=bwell@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
09:26 -!- carpe_ is now known as plaerzen
09:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
09:31 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
09:31 < mazzachre> omg... that seems to work... at least a little bit...
09:38 < dazo> cool!
09:39 < dazo> mazzachre: if you didn't figure it out regarding pushing dns ...... have a look at the --dhcp-options in the man pages
09:42 < mazzachre> Ya
09:42 < mazzachre> I figured it out.. and it seems to be working now...
09:43 < mazzachre> However I have a problem with starting the server... It does not wait for openvpn to startup... So it fails in starting up br0 at boot time...
09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:43 < mazzachre> Which again causes apache, samba, winbind, tomcat etc. to fail starting up..
09:44 < mazzachre> So right now I have bricked the server :s
09:44 < mazzachre> Also it refuses to shutdown cleanly
09:46 < mazzachre> When it is started up (failing most of the highlevel services) openvpn is started up however... so I can manually start net.br0, samba and everything with the init scripts...
09:51 < ecrist> mazzachre: use an --up script for bridging the interfaces, or some other method.
09:51 < ecrist> the rc scripts generally have a method which allows for requirements.
09:52 < mazzachre> I have setup requirements... it seems some timeout value or missing wait does it...
09:54 < mazzachre> trying to reboot server again...
09:55 < mazzachre> It does not want to shutdown either...
10:00 -!- bombayvdmo1 [n=victor@adsl190-28-199-78.epm.net.co] has joined ##openvpn
10:00 < bombayvdmo1> hi
10:00 < bombayvdmo1> if the openvpn connection fails, it does not resolve the remote server correctly and displays in the log file : "Mon Feb 23 15:47:25 2009 RESOLVE: Cannot resolve host address: thenameserver.domain.com: [TRY_AGAIN] A temporary error occurred on an authoritative name server."
10:02 < ecrist> bombayvdmo1: what's your question?
10:04 < mazzachre> hmm... perhaps I didn't need to do all this bridging anyways? :s and could have done everything with that dhcp option thingie...
10:04 < mazzachre> fuck windows and outlook...
10:05 < bombayvdmo1> ecrist: i want openvpn to restore or reconnect on connection fail
10:06 < bombayvdmo1> ecrist: but, if the connection fails, openvpn does not resolve the name of the openvpn server
10:07 < bombayvdmo1> ecrist: my current solution is to restart the openvpn client manually
10:09 < mazzachre> bombayvdmo1: You can use tcp... with udp, the client or the server can never know if either one disconnects uncleanly
10:11 < bombayvdmo1> ecrist: proto tcp in server and client
10:11 -!- vasco [n=vasco@nat/mandriva/x-2d1b2f7e781d6776] has quit [Remote closed the connection]
10:14 < dazo> mazzachre: regarding booting and init scripts .... it might be you'll need to create something for net.tap0 to make it work, as long as depend_br0() does not seem to work .... you can also try to start openvpn directly in the depend_br0() block, that might be a hack around it
10:14 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:15 < bombayvdmo1> ecrist: client config file http://fpaste.org/paste/4284
10:36 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
10:41 -!- bombayvdmo1 [n=victor@adsl190-28-199-78.epm.net.co] has left ##openvpn []
10:43 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has joined ##openvpn
10:44 -!- Trueblood [n=chatzill@c-98-245-17-136.hsd1.co.comcast.net] has joined ##openvpn
10:45 < Trueblood> !logs
10:45 < vpnHelper> Trueblood: "logs" is please pastebin your logfiles from both client and server with verb set to 6
10:47 < skarab> Is it possible yet to have two ifconfig client pools?
10:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
11:06 < Trueblood> What is the configuration directive that will cause connects and disconnects to appear via syslog, particularly with the CN from the certificate?
11:06 < Trueblood> ...is it a -verb thing?
11:18 -!- polaru [n=polaru@93.113.192.70] has quit [Connection reset by peer]
11:48 < Trueblood> ...ah, it's a "head up my butt" thing... the "daemon" config is the magic.
11:48 -!- Trueblood [n=chatzill@c-98-245-17-136.hsd1.co.comcast.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"]
11:48 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
11:48 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:10 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has left ##openvpn []
12:38 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
13:51 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:14 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:24 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
14:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:24 -!- clusterm1gnet is now known as clustermagnet
15:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
16:16 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
16:31 -!- c64zottel [n=hans@p5B17B3D0.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:03 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
17:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:12 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:16 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Read error: 60 (Operation timed out)]
17:19 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn
17:25 -!- jimgrow_ [n=sebastin@gw243.carlson.com] has quit ["Ex-Chat"]
18:07 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
19:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
19:39 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
20:00 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
20:43 -!- dcestari [n=dcestari@190.142.113.2] has joined ##openvpn
20:43 < dcestari> hello everybody
20:44 < dcestari> I'm having an error "TLS Error: TLS handshake failed"
20:50 < dcestari> anyone?
20:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:05 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:11 -!- dcestari [n=dcestari@190.142.113.2] has quit []
21:43 -!- lkthomas [n=lkthomas@218.189.198.146] has quit ["Leaving"]
21:55 -!- malibu [n=malibu@S0106001310429722.wp.shawcable.net] has joined ##openvpn
22:05 < malibu> Hi there.. I can't connect to openvpn set up on a PC in my home... I'm trying to get it to work over TCP 21, so I can get out of my work.
22:05 < malibu> I get the TLS auth did not occur in 60 seconds messages
22:06 < malibu> Should this be able to work over TCP/21?
22:09 < malibu> I know my server is listening.. I see the listener go away when I stop it, etc
22:09 < malibu> my firewall is open..
22:10 < malibu> my keys are right.. i've gone through the process twice
22:10 < malibu> I can't imagine what this could be
22:11 < malibu> I get connection established, but then the connection resets
22:12 < malibu> I get TLS handshake failed in the openvpn log
22:30 < jpalmer> and this is why my computers don't have internet connectivity at my workplace, other than via an HTTP proxy.
22:36 -!- malib1 [n=malibu@S010600904b29e5eb.wp.shawcable.net] has joined ##openvpn
22:39 -!- malib2 [n=malibu@S0106001310429722.wp.shawcable.net] has joined ##openvpn
22:40 < malib2> people are basically trusted where I work.
22:41 < malib2> By the way... For some reason it works on TCP/1194, UDP/1194, TCP/23, UDP/23, UDP/21 but not TCP/21!!
22:41 < malib2> Anyway I think TCP/23 should do the trick
22:53 -!- malibu [n=malibu@S0106001310429722.wp.shawcable.net] has quit [No route to host]
22:54 -!- malib1 [n=malibu@S010600904b29e5eb.wp.shawcable.net] has quit [Read error: 110 (Connection timed out)]
23:03 -!- malib2 [n=malibu@S0106001310429722.wp.shawcable.net] has quit [Read error: 113 (No route to host)]
23:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
23:20 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
23:48 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
--- Day changed Tue Feb 24 2009
00:12 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn
00:12 < lkthomas> hey guys
00:12 < lkthomas> do I have to have two interfaces for openvpn to operate ?
00:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:33 < hads> No
00:41 < lkthomas> hads, so I could just use an alias interface to get it working ?
01:29 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has joined ##openvpn
01:40 < mRCUTEO> !configs
01:40 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:43 < hads> That expression would be better as '^#|^;|^$'
01:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:55 -!- mRCUTEO [i=info@r0x.dave.ksh2008-sarawak.com] has quit []
01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:01 < krzee> umm no
02:01 < krzee> it would be better as ^[#;]
02:02 < reiffert> Put in some optional whitespaces.
02:08 < hads> krzee: Umm no, I was referring to the blank line issue.
02:11 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has joined ##openvpn
02:12 < dazo> lkthomas: why do you think you need two interfaces?
02:15 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
02:15 < kexman> hi there
02:15 < kexman> i managed to lock myself out of my openvpn :)
02:15 < kexman> hehe
02:15 < kexman> i think it's trying to redirect my connection through the vpn ... which i don't want
02:16 < dazo> sounds less clever
02:16 < kexman> can i somehow tell the openvpn client not to get the routes ?
02:16 < dazo> kexman: have a look if you use redirect-gateway somewhere
02:16 < kexman> and just have routes to reach the vpn network ?
02:16 < kexman> dazo: well i can't connect to the openvpn server :)
02:17 < kexman> redirect-gateway local def1,route-gateway 192.168.5.1
02:17 < kexman> this is from the local openvpn.log (client)
02:17 < kexman> after connecting
02:17 < kexman> can i somehow ignore that ?
02:17 < dazo> kexman: hmm ... okey, so that is pushed from the server?
02:18 < kexman> yepp ... and until i can get past this i can't remove that ... since i have no connection to the server :)
02:18 < kexman> i was thinking about manually deleting routes ....
02:18 < kexman> would that work ?
02:18 < KWhat4> why is open vpn so effing complicated to setup
02:18 < dazo> kexman: that should work ... restore your old routes
02:18 < kexman> dazo: but i don't know what routes i need :)
02:18 < kexman> hehehe
02:19 < dazo> kexman: you might want to create a dummy script and then use the --iproute option, then this script will be called instead of the route command ... but you'll anyway then need to set up a route back to your internal network over the VPN
02:19 < kexman> dazo: http://rafb.net/p/ZHeQ9846.html
02:19 < vpnHelper> Title: Nopaste - No description (at rafb.net)
02:20 < kexman> what do i need of that second routing table ... just to be able to connect to 192.168.5.1
02:20 < dazo> kexman: if you disconnect openvpn, you can dump the route table ... then you see what you need .... start the connection .... and then do a new route dump, then you'll see what you need to change to make it work ... most probably you just need to restore the original default gateway
02:20 < hads> KWhat4: It's not
02:21 < kexman> yeah well now i have two defaults :) hehehe
02:21 < kexman> dazo: that paste has a disconnected route -n and a connected one
02:21 < dazo> kexman: you'll need to delete the default route on line 16 in your pastebin
02:21 < KWhat4> hads: i'm looking at about 6 different keys
02:22 < lkthomas> actually
02:22 < lkthomas> I am doing some testing
02:22 < lkthomas> can I just use an alias interface to try to tunnel and route two subnets between two boxes ?
02:23 < dazo> lkthomas: I still don't understand what you try to achieve ....
02:24 < kexman> dazo: yes but how to do that ?
02:24 < kexman> Tue Feb 24 10:27:59 2009 write UDPv4 []: Network is unreachable (code=101)
02:25 < dazo> kexman: route del default gateway 192.168.5.1 tap0 ?
02:25 < dazo> maybe it was route del default gw .... instead of gateway
02:26 < dazo> kexman: anyway the route on line 17 also looks completely weird
02:26 < KWhat4> open vpn use tcp or udp
02:26 < dazo> KWhat4: default is 1194/udp ... but it depends on your config files
02:28 < kexman> dazo: how could i delete that line ? route del 128.0.0.0 gateway 192.168.5.1 ?
02:28 < dazo> kexman: something like that
02:28 < hads> The OpenVPN docs are really very good.
02:28 < dazo> kexman: you might need to add netmask 128.0.0.0
02:29 < lkthomas> dazo, I am trying to tunnel between two public network boxes
02:29 < lkthomas> these two boxes only have one interface
02:29 < lkthomas> and VPN is to tunnel a private subnet
02:30 < kexman> dazo: route del default gateway 192.168.5.1 netmask 128.0.0.0
02:30 < lkthomas> so can I just create an alias interface for the private subnet ?
02:30 < kexman> this is how it worked
02:30 < dazo> lkthomas: are you doing some virtualisation of some kind ... since you have 2 boxes and only one interface?
02:30 < kexman> but i can't delete the line with the 128.0 starting :)
02:30 < dazo> kexman: never mind that route now ... you might be able to access your things now ....
02:31 < kexman> yeah i think i already can .. gonna try
02:31 < dazo> kexman: that last route probably needs to be corrected in either server or client config file
02:31 < kexman> still i need to learn how to properly delete / add routes
02:31 < dazo> kexman: man route
02:31 < kexman> :) yepp
02:31 < kexman> dazo: it's working
02:31 < kexman> thanks a lot
02:31 < dazo> kexman: np!
02:32 < lkthomas> dazo, yep
02:32 < lkthomas> usually each box contains two interfaces
02:32 < dazo> lkthomas: aha ... then you might already have a bridge setup .... or?
02:33 < lkthomas> bridge? no
02:33 < dazo> lkthomas: are we talking physical or virtual interfaces?
02:33 < lkthomas> actually
02:33 < hads> You'd have lo of course.
02:33 < lkthomas> let me explain this
02:33 < dazo> lkthomas: and are you inside the guest .... or on the virt-host?
02:33 < lkthomas> our current network is using the 172.18.2.x subnet in this office
02:33 < dazo> (dom0 in Xen terminology)
02:34 < lkthomas> another branch is running 10.1.1.x and 10.1.9.x, they are running IPSEC
02:34 < kexman> dazo: you know what the problem was ? :) i removed that line from the config by commenting it :) (the line with redirect-gateway) but the problem was that i didn't restart the server
02:34 < lkthomas> and they got their own VPN router as well
02:34 < kexman> also #push "redirect-gateway def1"
02:34 < kexman> that should work flawlessly :)
02:34 < lkthomas> now, I want to add a new VPN for a new subnet, let's say 10.99.99.x using openvpn simple tunneling
02:35 < dazo> kexman: sounds like it's gonna work now for you
02:36 < kexman> yepp works fine now
02:36 < dazo> lkthomas: in this setting .... the tun/tap interface which openvpn will use ... will have the 10.99.99.x address ... and you don't need any new "extra" interfaces ... all you need is routing then
02:36 < kexman> 86.123.235.212 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
02:37 < lkthomas> sorry, one more addition, we would like to use subnet 172.18.2.x that could reach 10.99.99.x as well
02:37 < dazo> kexman: you're pretty brave ... sharing public IP addresses ;-) ... might want to DoS you now :-P
02:38 < dazo> lkthomas: again, all which is needed is routing (and firewall rules, if that's in use on internal addresses)
02:39 < lkthomas> dazo, if I use openvpn --remote
02:40 < lkthomas> --ifconfig 10.99.99.2 10.99.99.3 ?
02:41 < dazo> lkthomas: yes? That seems reasonable .... but you might want to add --route 172.18.2.0 255.255.255.0 10.99.99.2 (or 3, depending on if you are client or server)
02:42 < dazo> lkthomas: and also to add an extra route for each network segment you want to set up
02:42 < dazo> lkthomas: it might be you'll find more info here:
02:42 < dazo> !route
02:42 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
02:42 < lkthomas> yes, just add those routes to the proper gateway
02:44 < dazo> lkthomas: yeah, that's all :) ... then everything should basically be set up
02:44 < lkthomas> how is the performance compared with IPSEC like this?
02:44 < lkthomas> seems super easy ?
02:45 < dazo> lkthomas: I don't have any IPSEC experience, so I don't know .... I just know that openvpn is super-light compared to the IPSEC implementation ... and configuration of openvpn is pretty much straightforward if you read the docs and give yourself time to try out things
02:45 < dazo> lkthomas: but openvpn is super easy :)
02:46 < lkthomas> actually
02:46 < lkthomas> the problem is that our sonicwall does not support openvpn
02:47 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has quit ["Leaving."]
02:47 < dazo> lkthomas: that's a problem ... but you do know that you need openvpn on both sides to make it work? openvpn does not support any other protocols ....
02:47 < lkthomas> yes I know
02:47 -!- bandinia [n=bandini@79.20.21.198] has joined ##openvpn
02:48 < kexman> dazo: if you want to ....
02:48 < dazo> lkthomas: good :) Just wanted to be really sure .... still a lot of users who are surprised by that :)
02:48 < lkthomas> dazo, if I use the --remote method to connect both sides, is there any protocol to help reconnect the two sides when it is disconnected ?
02:48 < dazo> kexman: nah ... not today .... need to get back to work again .... but can I save the IP? Is it a static IP address of yours? :-P
02:50 < kexman> dazo: not mine :) not static :)
02:50 < lkthomas> dazo, I got a question about routing
02:50 < lkthomas> assume I got two sides
02:50 < lkthomas> A and B
02:50 < dazo> lkthomas: Not sure I follow .... but you can have several --remote ... and it goes round robin (iirc) to several hosts until it gets a connection .... you also have keepalive to help out on disconnect issues
02:50 < lkthomas> from A to B is faster than from B to A
02:50 < lkthomas> does openvpn know how to pick the best connection route ?
02:51 < dazo> kexman: hmmm ... okey, I'd better trace you down in another way then :-P
02:51 < kexman> hehe :)
02:51 < dazo> lkthomas: openvpn does not care about that .... you'll need to use the metric option in the route command to control that
02:52 < kexman> go to http://www.ukprivateinvestigators.com/ :)
02:52 < vpnHelper> Title: UK Private Investigators and Detectives, Matrimonial Surveillance, Relationship Investigations, Missing Persons, Background Reports, Surveillance, The UK Private Investigators and Detectives (at www.ukprivateinvestigators.com)
02:52 < lkthomas> dazo, where could I find those docs ?
02:52 < lkthomas> route command on openvpn or what ?
02:53 < dazo> lkthomas: openvpn only gives you a virtual network interface (tun or tap device, depending on config) ... and encrypts the traffic between two end points .... the rest is default TCP/IP networking, just that some (or all) traffic is routed via this virtual interface
02:54 < lkthomas> looks like I need to write some script to deal with this
02:54 < lkthomas> maybe ping return will help a bit
02:55 < dazo> lkthomas: that would be the route command which handles the metric settings
02:55 < lkthomas> dazo, I got another question
02:55 < lkthomas> remember 10.99.99.x ?
02:55 < dazo> lkthomas: yeah?
02:56 < lkthomas> that remote network needs to use the internet connection as well
02:56 < lkthomas> so the openvpn server has to enable NAT too
02:56 < lkthomas> any docs tell me how to work this out ?
02:57 < dazo> lkthomas: I again am not sure what you ask .... openvpn will work perfectly well, also under NAT
02:57 < lkthomas> ok, the remote network looks like that
02:57 < lkthomas> the whole subnet machine running 10.99.99.x
02:57 < lkthomas> only one connection is there
02:58 -!- Netsplit over, joins: krzie_
02:58 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: kala
02:58 < lkthomas> 1. they need to connect to the 172.18.2.x subnet
02:58 < lkthomas> 2. they need to use NAT as well
02:58 < dazo> lkthomas: this is still too vague for me to understand ...
02:58 < lkthomas> you know you could direct all traffic to the VPN right ?
02:59 < lkthomas> we just want to direct the proper traffic to the VPN tunnel
02:59 < lkthomas> everything else should run as NAT
02:59 < dazo> lkthomas: yes, that is possible .... so if that is what you want, then you need to do masquerading on the openvpn server for traffic coming from the tun/tap device and going out "to the world"
03:00 < dazo> lkthomas: ahh ... okey ... now I follow
03:00 < lkthomas> so what should I do? any docs showing how to deal with this ?
03:00 < dazo> lkthomas: this is actually the default ... if you do not use --redirect-gateway .... it will work like this ... you just then need to add --route for each network segment you want to route via the VPN tunnel
03:01 < dazo> lkthomas: please read this link:
03:01 < dazo> !route
03:01 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:01 < lkthomas> ok :)
03:01 < dazo> lkthomas: this example might be a little bit more advanced .... but it gives you the basics for how routing works as well
03:01 -!- bandini [n=bandini@host199-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
03:02 < lkthomas> I printed it out but felt too tired to read it last night
03:04 < lkthomas> dazo, thanks for helping
03:04 < lkthomas> leaving soon
03:04 < dazo> lkthomas: no prob
03:04 < lkthomas> talk to you later
03:12 < lkthomas> dazo, you still there ?
03:13 < lkthomas> I still have some problem
03:14 < lkthomas> dazo, are you still around ?
03:18 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
03:40 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has joined ##openvpn
03:40 < MrY> hi all
03:40 < lkthomas> ?
03:40 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
03:41 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has joined ##openvpn
03:41 < MrY> I installed openvpn on a linux box as client, i can not find the "init-config" script anywhere? any idea?
03:43 < lkthomas> no idea, I am just trying to use it to connect as P2P
03:43 -!- MrY [n=mry@c-24-6-251-111.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
03:43 < lkthomas> brb
03:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:20 -!- arturob [n=bandini@host27-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn
04:25 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:33 -!- bandinia [n=bandini@79.20.21.198] has quit [Read error: 110 (Connection timed out)]
05:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit [Remote closed the connection]
05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:35 -!- reallove [n=dan@unaffiliated/reallove] has joined ##openvpn
05:35 < reallove> !route
05:35 < vpnHelper> reallove: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
05:53 -!- Haris_ [i=Haris@119.152.5.87] has joined ##openvpn
05:55 -!- dar_ [n=dar@fwnctech.nctech.fr] has joined ##openvpn
05:55 < dar_> elo
05:55 < kexman> i have an openvpn problem :)
05:55 < dar_> since i have updated my ubuntu i can't connect to my work vpn
05:55 < kexman> i have several eth's and some bridges
05:55 < dar_> it says that the key is vulnerable and blocks me from connecting to the server
05:55 < kexman> and two subnets
05:55 < dar_> is there a way to force it ?
05:56 < kexman> i have a 5.0 network and a 10.0 network
05:56 < kexman> i'm connected to 5.0 via openvpn
05:56 < kexman> when connected normally to 5.0 i can ping 10.2 but when i'm connected from openvpn i can't connect to 10.2
05:56 < kexman> why is this ?
05:57 < dar_> kexman: in the conf, if my memory is good, you have to create a text file containing the list of subnets you want to be able to connect to, something like ipp.txt
05:58 < kexman> dar_: aaaa :) i thought i can connect wherever my openvpn server can
05:59 < kexman> aaa right
05:59 < kexman> wait i don't have a route to 10.0 on my laptop ... and it would go through the default gw which doesn't know where to get 10.0 from
05:59 < kexman> ahaaa
05:59 < kexman> dar_: thanks
06:00 < dar_> so no one could help me with my problem
06:00 < dar_> ?
06:00 < dar_> :)
06:00 < dar_> i just want to be able to force the connection even if my key is blacklisted
06:00 < kexman> no clue there sorry
06:00 < dar_> and what is strange is
06:01 < dar_> Tue Feb 24 13:05:46 2009 ERROR: '/etc/openvpn/keys/client1.key' is a known vulnerable key. See 'man openssl-vulnkey' for details.
06:01 < dar_> # openvpn-vulnkey /etc/openvpn/keys/client1.key
06:01 < dar_> Not blacklisted: ff3c85c94e7367ace91e048b35d6326e /etc/openvpn/keys/client1.key
06:01 < dar_> ????
06:01 < dar_> i can't understand at this point
06:09 < dar_> kexman: are you here
06:09 < dar_> ???
06:12 -!- Haris [i=Haris@unaffiliated/haris] has quit [Read error: 110 (Connection timed out)]
06:12 < reallove> hello . I have configured an openvpn server as in here: http://pastebin.com/d1aaa3a8a . The openvpn.up script is http://pastebin.com/m73924f61 . The client, from linux, has this configuration: http://pastebin.com/d684ce247 . From the server, I can ping the client (ie, 192.168.168.2), but vice versa, not. From the client I can only arping the server and see the ARP entry.
06:13 < reallove> where should I look for a solution ? thank you
06:23 < kexman> dar_: yes
06:23 < kexman> i haven't started managing keys with openvpn yet
06:35 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
06:38 < mRCUTEO> i need ya now ohhhh more than words can i say.. i need u now ooh.. i've gotta find a way.. i need you now.. ohh before i lose my mind .. i need u now..
06:47 -!- c64zottel [n=hans@p5B17B102.dip0.t-ipconnect.de] has joined ##openvpn
07:01 < dar_> kexman: the right option is ccd...
07:01 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
07:10 < dazo> dar_: you'll need to check out the people at #ubuntu or some similar things .... the openssl-vulnkey is something they and/or debian came up with
07:11 < dazo> after their rather famous openssl bug
07:11 -!- reallove [n=dan@unaffiliated/reallove] has left ##openvpn []
07:11 < dazo> kexman: for your network issues, regarding routing .... pay a close look at
07:11 < dazo> !route
07:11 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:15 < eliasp> i have a strange issue on 2 of my OpenVPN clients.... the connection is actually unusable as most of the time it is stuck and the log is filled with lines like this: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
07:16 < eliasp> the affected clients are KVM VMs on a remote server... a connection without OpenVPN (direct SSH access) works quite fine... OpenVPN on the physical server is working fine too... just the VMs are affected ;-/
07:16 < dazo> eliasp: sounds like you have an incomplete redirect-gateway configuration .... try removing anything related to that, and it might work ... or else you might have some strange route settings in either client or server (as push route)
07:17 * dazo presumes you did manage to get the openvpn connection up'n'running before it fails with that error
07:17 < eliasp> dazo: it's exactly the same configuration as is used on all other clients in the OpenVPN network (~15 clients) ... it works fine on all of them...
07:17 < dar_> is there any risk in generating openvpn keys with 4096 bits ?
07:17 < dar_> what are the side effects of such an action ?
07:18 < dazo> dar_: nope ... depending on the hardware, re-keying might go a little bit slower ... but that's a quite decent key size
07:19 < dar_> dazo: but i'm talking about cpu resources when you use it, and is it slowing the traffic much more than with 1024/2048 ?
07:19 < dazo> dar_: the public/private keys (which use 4Kbit keys) are only used during key negotiation between the client and server and that happens over the control channel
07:20 < dar_> dazo: so it won't get slower than before (except at connection time) if i have understood well
07:20 < dazo> dar_: when client/server agree on a key ... they use the encryption scheme defined by --cipher .... which can be up to max 256bit keys
07:20 < dar_> ha ok only 256 ???
07:21 < dar_> dazo: it's not a strong encryption, is it ?
07:21 < eliasp> dazo: the connection is established... i can log in via SSH but then it is randomly stuck....
07:21 < dazo> dar_: that's the maximum, since the data channel uses symmetric encryption
07:21 < dar_> just for information, can ipsec for example do more encryption or not ?
07:22 < dazo> dar_: the public/private keys are only used to initiate that encryption. And since you do have the public key widely known, the key size must be much higher
07:22 < dazo> dar_: I believe I heard that a 128bit key for symmetric encryption was comparable to 4096bit asymmetric encryption
07:23 < dar_> ha ok!
07:23 < dar_> :)
07:23 < dar_> thanks for that information ;)
07:24 < dazo> dar_: anyway ... 256bit symmetric encryption is considered strong these days .... 64 bit and below is considered weak .... 128 is debatable
07:25 < dazo> dar_: anyway ... the performance loss on using 4Kbit asymmetric keys will only be during key-exchange for client/server to agree on the next key being used for the symmetric encryption of the data channel (your network traffic)
07:25 < dar_> so doing VoIP through an openvpn configured like that (with 4096 public/priv) and 256 bits can be really secure
07:25 < dazo> dar_: np!
07:25 < dazo> dar_: yes, it can :)
07:25 < dar_> just another question
07:25 < dar_> by default is it 256 with openvpn ?
07:26 < dazo> dar_: I definitely would not discourage such a config :)
07:26 < dar_> :D
07:27 < dazo> dar_: I'm not sure, to be honest .... I believe it is blowfish encryption which is used as default, but I don't remember the default key size
07:27 < dazo> dar_: have a look at --cipher in the docs
07:27 < dazo> (and --keysize)
07:27 < dar_> thks i'm going to check :)
07:30 < dazo> eliasp: if your connection suddenly drops after having established the link .... it really sounds like you're messing with the default gateway somehow ... or that you have some IP address collisions
07:30 < dazo> eliasp: esp. if the configs work other places
07:31 < dar_> ;cipher AES-256-CBC # AES :D
07:31 < dazo> dar_: just remember to remove that ; in the beginning of the line ;-)
07:32 < dar_> yes :)
07:32 < dar_> i really love openvpn
07:32 < dar_> simple and robust!
07:32 < dazo> dar_: you're darn right ;-)
07:33 < eliasp> dazo: hmm, but if i had problems with my default gateway every other connection like SSH (outside of OpenVPN) would have issues too, wouldn't it?
07:33 < eliasp> dazo: an IP collision was my first thought too... this would mean my OpenVPN server hands out the same IP twice... i'll double-check that but i'm pretty sure that's not the case...
07:34 < dazo> eliasp: I might have misunderstood you ... but I thought you said also the SSH link broke ...
07:34 < eliasp> uhm, sorry... i was probably a little bit unclear... the SSH link is broken inside of OpenVPN, outside works just fine....
07:35 < dazo> eliasp: hmmm ... which versions are you running on server and client?
07:36 < eliasp> dazo: 2.0.7 on all of them
07:36 < eliasp> that's the latest "stable" package provided by Gentoo
07:37 < dazo> eliasp: heh ... well, Gentoo is really not updated at all .... anyway, I can recommend 2.1_rc15 - I'm running that on Gentoo, and it's been running stable since it was released
07:38 < eliasp> dazo: yeah, running 2.1_rc15 on some windoze clients too... i'll give 2.1_rc15 a try... let's see what happens then...
07:38 < dazo> eliasp: I would probably try to upgrade to 2.1_rc15 ... I might be able to provide you with a partially working ebuild file
07:38 < dazo> if interested
07:39 < eliasp> dazo: there's an ebuild for 2.1_rc15 in portage... it's just keyworded...
07:39 < dazo> eliasp: ahh ... they're getting forward :) It was missing when I did the upgrade :-)
07:39 < eliasp> hehe
07:40 < eliasp> dazo: someone else reported the same problem on b.g.o: http://bugs.gentoo.org/show_bug.cgi?id=223033 i've added my case as comment#8
07:40 < vpnHelper> Title: Gentoo Bug 223033 - net-misc/openvpn - VPN traffic disrupts networking in a strange way (at bugs.gentoo.org)
07:45 < eliasp> ok, running 2.1_rc15 on one of them now.... let's see how it works...
07:45 < dazo> eliasp: yeah, I even think I heard some Ubuntu guy complaining about something similar .... it begins to refresh in my head now ...
07:46 < eliasp> yehaw... no stuck connection so far ;-)
07:49 < eliasp> wow, cool... the new 2.1_rc15 ebuild now even provides support for pushing DNS etc. by default... roy marples wrote an up.sh script for gentoo which uses net-dns/openresolv ...
07:49 < dazo> eliasp: anyway ... I can warmly recommend 2.1_rc15 for production .... it is just as stable as it should be for a production environment
07:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:51 < eliasp> dazo: yes, i think i'll test it for some hours now on these 2 problematic clients and if there aren't any further issues, i'll upgrade the whole network... as some windows users complained about having connection problems sometimes... maybe this is related to the 2.0.7 server too...
07:51 * dazo believes so
07:51 * dazo runs into a meeting for some hours
07:52 < eliasp> dazo: in the past i had problems when upgrading the server... not all clients automatically reconnected... so i've lost the connection to them... is there any config param which helps with this issue?
07:52 < eliasp> dazo: ok, have fun in the meeting
07:52 < eliasp> dazo: thx for your help!
08:01 -!- andylockran [n=andylock@genesis.zrmt.com] has joined ##openvpn
08:01 < andylockran> hey gutys
08:01 * ecrist looks around for gutys
08:01 < andylockran> can I run two openvpn servers on port 1194 - if connect with certA then use config A, and certB config B ?
08:01 < andylockran> ecrist: s/gutys/guys/
08:02 < ecrist> ah. :P
08:02 < ecrist> andylockran: no
08:02 < andylockran> ecrist: ok - so new server diff port ?
08:02 < ecrist> unless they're on different IPs.
08:02 < ecrist> either a different port, or another IP
08:03 < andylockran> ok, ta
08:05 < eliasp> maybe it works if you run one of them in udp and one of them in tcp mode... don't know if this makes it possible to use the same port twice...
08:05 < ecrist> eliasp: yes, you could run one tcp and one udp, but tcp is not recommended.
08:05 < ecrist> !tcp
08:05 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:05 < eliasp> ok ;)
08:07 < dar_> dazo: i have the following message on a client WARN: could not open database for 4096 bits. Skipped
08:07 < dar_> dazo: but it connects normally
08:07 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
08:08 < dar_> oops forget it, it is just openssl-blacklist that has never seen that :)
08:15 < dar_> i just wanted to know why my ipp is incorrect ?
08:24 < dar_> elo
08:25 < ecrist> dar_: what do you mean your ipp is incorrect?
08:25 < dar_> it doesn't contain the "true" ip of the client
08:25 < dar_> ip are decremented with -2
08:26 < ecrist> what you're likely seeing is the network address for the /30 that's assigned to a given client
08:26 < ecrist> ipp listing +1 is the server's endpoint, ipp +2 is client IP, ipp +3 is broadcast
08:27 < dar_> so for sample my server is 10.0.0.1
08:27 < dar_> but the first client start at 10.0.0.6 (real ip)
08:27 < dar_> how can i make it start at 10.0.0.2
08:27 < dar_> ?
08:28 < ecrist> you're running 2.1_rc15, right?
08:28 < ecrist> !topology
08:28 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:30 < dar_> heuuuuuu
08:31 < dar_> OpenVPN 2.0.9
08:31 < ecrist> dar_: in that case, you cannot change the behavior
08:31 < dar_> :(
08:31 < ecrist> all clients, and the server, need to be 2.1
08:31 < dar_> ok
08:31 < ecrist> why does it matter?
08:31 < dar_> another question :)
08:32 < dar_> do you know any tools (like VOIP) for making direct phone call IP to IP (or perhaps with conference mode) to use it through openvpn
08:36 < ecrist> dar_: you can use anything across the VPN. You could set up a VOIP server for use on your VPN, if you'd like.
08:36 < ecrist> otherwise, use something like Team Speak for simple voice comms
08:36 < dar_> thanks :)
08:37 < eliasp> dar_: if you wan't a real SIP server, take a look at Asterisk
08:37 < eliasp> dar_: it works with all the usual SIP clients/softphones
08:38 < ecrist> if krzee were here, he'd recommend Freeswitch
08:40 < dar_> :)
08:43 < eliasp> oh, never heard of freeswitch... looks nice... ;-)
08:44 < ecrist> iirc, it's a start-over by one of the original devs of asterisk.
08:44 < ecrist> he claims to do right where asterisk went wrong
08:46 < eliasp> a pity we just set up an Asterisk here...
if i had known Freeswitch before this would have been a nice option....
08:55 < dar_> i can't find any valuable doc for setting up an asterisk server only for an Intranet (no output connection to third server) for VoIP only
08:56 < ecrist> dar_: look harder. really, just follow any document on setting up a VOIP server, and don't set up the outside lines.
08:56 -!- andylockran [n=andylock@genesis.zrmt.com] has left ##openvpn []
08:56 < ecrist> regardless, that's a question for another forum, say #asterisk or #freeswitch
08:57 < dar_> ;)
09:03 -!- disposable [i=disposab@blackhole.sk] has left ##openvpn []
09:05 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit [Read error: 113 (No route to host)]
09:52 -!- mkultras [n=scotth@unaffiliated/mkultras] has joined ##openvpn
10:02 < eliasp> dazo: uhm, after having the openvpn connection running for a while using 2.1_rc15 i got this problem again... read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
10:02 < dazo> eliasp: hmmm ... are you running 2.1_rc15 on both client and server?
10:04 < eliasp> dazo: ah, good idea... i should try to upgrade the server first...
10:05 < eliasp> dazo: do you know how to make the clients reconnect automatically when the server is restarted?? last time i restarted the server i couldn't reach some of the clients anymore...
10:06 < ecrist> eliasp: that error has to do with your internet connection, not OpenVPN
10:06 < ecrist> look in the man page for resolv-retry
10:07 < eliasp> ecrist: the EHOSTUNREACH error?
10:07 < eliasp> ecrist: ah, ok.. thx
10:07 < ecrist> eliasp: yep
10:07 < dazo> eliasp: not quite sure, to be honest ... there are some options which is suppose to help out here (ping, ping-retry, keepalive, iirc) but I'm not sure that's the solution
10:07 < dazo> eliasp: ecrist might be closer to something, actually
10:07 < eliasp> ecrist: i don't think it's a problem of the internet connection... don't know if you read the description of this issue earlier...
i'll give a short overview again...
10:09 < eliasp> i have several openvpn clients, all using the same config... all of them, except 2 work fine.. the two ones causing problems are KVM VMs on a root-server... when connecting to these clients via OpenVPN the connection is most of the time stuck and the log is filled with this EHOSTUNREACH messages... while the SSH connection via OpenVPN is stuck, everything else works fine by not using OpenVPN (connecting directly via SSH to the external IP of this host)
10:10 < eliasp> so the problem occurs only for OpenVPN itself... the network "outside" of OpenVPN keeps working fine....
10:10 < ecrist> so, connecting to the *real* IP works, but not the VPN ip?
10:11 < ecrist> post the log file for one of the clients having a problem
10:11 < eliasp> ecrist: exactly... but the strange thing is... connecting works (mostly) but then it keeps hanging for long periods... works again for some seconds... hangs again... and so on...
10:11 < eliasp> ecrist: ok
10:12 < eliasp> ecrist: http://dpaste.com/883/
10:13 < eliasp> do you think this could be related to KVMs virtio network driver? when KVM tries to keep the VMs tsc in sync with the host, the timer of the virtio network driver isn't really in sync or so...?
10:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:19 < ecrist> eliasp: are these the only two systems on the virtio systems?
10:20 < eliasp> ecrist: yes, all other systems are virtualized using VMware Server 1.x or are bare metal systems...
10:20 < eliasp> ah, you've asked whether there are further systems on the KVM host... no, only these 2 are running on this host...
10:21 < eliasp> i made sure they have unique MAC and IP addresses... also the IPs assigned by OpenVPN are unique... so it isn't a address duplicate issue...
10:22 < ecrist> eliasp: there are some google results which indicate either 1) bad network cabling and/or 2) failing DNS
10:27 -!- arturob [n=bandini@host27-110-dynamic.44-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
10:28 < eliasp> ecrist: i think neither nor... as the connection is all the time stable on the physical host-server... or even to the VMs when connecting directly to their IP...
10:28 < ecrist> in that case, I'd point a big finger to your virtual machines.
10:29 < eliasp> ecrist: yes, looks like KVM or KVM's virtio driver is the bad guy in this case ;-(
10:30 < ecrist> interesting: http://beta.openvpn.net/images/pdf/openvpn_access_server_system_admin_guide.pdf
10:32 < ecrist> I really dread open source programs that go commercial
10:43 < dazo> eliasp: keep in mind that KVM is fairly new, so is virtio ... so it might be some kernel bugs here which is not found or fixed yet
10:43 < eliasp> dazo: yes, i'm just trying e1000 as network driver instead of virtio... if the problem doesn't occur anymore i'll file a bug at the KVM bugtracker
10:44 < dazo> eliasp: sounds good
10:46 < eliasp> argh, it happened again using the e1000 driver...
10:48 < dazo> ecrist: seems like Yonan is slowing down the open source part of openvpn ... to make it commercial now ... which might explain why 2.1 have been in beta for almost 2 years
10:51 * dazo heads home ...
10:51 < dazo> c'yall tomorrow
11:00 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
11:15 < eliasp> mDuff: don't know, never used TCP for OpenVPN http://sites.inka.de/~bigred/devel/tcp-tcp.html
11:15 < vpnHelper> Title: Why TCP Over TCP Is A Bad Idea (at sites.inka.de)
11:15 < eliasp> oups, wrong chan ;)
11:20 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
11:26 < eliasp> where do i find mailinglist information?
http://openvpn.net/mail.html is a 404 ;-(
11:28 < eliasp> ah, found it https://lists.sourceforge.net/lists/listinfo/openvpn-users
11:28 < vpnHelper> Title: Openvpn-users Info Page (at lists.sourceforge.net)
11:29 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has joined ##openvpn
11:30 < DarKnesS_WolF> where i can find the docs. to create openvpn server which supports Keys and username / password ?
11:47 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
12:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:21 -!- c64zottel [n=hans@p5B17B102.dip0.t-ipconnect.de] has quit ["Leaving."]
12:40 < krzee> [06:43] dar_: if you wan't a real SIP server, take a look at Asterisk
12:41 < krzee> ya if you want a sip server that will crush itself under any real load =[
12:41 < krzee> we used to actually get more performance by loading multiple virtual machines with asterisk
12:41 < krzee> which is sad
12:41 < krzee> but it did start things off, which is coolness
12:42 < krzee> http://www.freeswitch.org/node/117
12:42 < vpnHelper> Title: How does FreeSWITCH compare to Asterisk? | FreeSWITCH (at www.freeswitch.org)
12:42 < krzee> that is written by the man who made a lot of how asterisk does things, and he happens to be the leader of freeswitch dev
12:47 < krzee> DarKnesS_WolF, 1 sec
12:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:47 < krzee> !factoids search pass
12:47 < vpnHelper> krzee: 'winpass' and '2.1-winpass-script'
12:47 < krzee> !factoids search auth
12:47 < vpnHelper> krzee: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
see !secure for how
12:47 < krzee> hrm
12:48 < krzee> !man
12:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:50 < krzee> !learn password as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:50 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
12:50 < krzee> !learn password as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:50 < vpnHelper> krzee: Joo got it.
12:52 < krzee> !learn password as or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
12:52 < vpnHelper> krzee: Joo got it.
12:53 < krzee> !learn password as and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:53 < vpnHelper> krzee: Joo got it.
12:53 < krzee> there you go DarKnesS_WolF
12:53 < krzee> !password
12:53 < vpnHelper> krzee: Error: That operation cannot be done in a channel.
12:53 < krzee> aww damn, that was built in =[
12:54 < krzee> !learn authpass as please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> !learn authpass as or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> !learn authpass as and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:54 < vpnHelper> krzee: Joo got it.
12:54 < krzee> DarKnesS_WolF, here it is:
12:54 < krzee> !authpass
12:54 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
12:55 < krzee> sorry about all the scroll, but that new entry should help you
12:59 < DarKnesS_WolF> krzee: sorry didn't get it ?
12:59 < krzee> !authpass
12:59 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
13:00 < krzee> see #1
13:00 < DarKnesS_WolF> krzee: perfect thx man :)
13:00 < krzee> np =]
13:01 < krzee> and to read the manual...
13:01 < krzee> !man
13:01 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:08 -!- mib_3cwjc4 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7d7374ee086b22cb] has joined ##openvpn
13:08 < mib_3cwjc4> hi there
13:09 < mib_3cwjc4> i install openvpn on my ubuntu
13:09 < mib_3cwjc4> sudo openvpn /etc/openvpn/server.conf
13:09 < mib_3cwjc4> by running that command i got this error
13:09 < mib_3cwjc4> :
13:10 < mib_3cwjc4> Tue Feb 24 20:00:54 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Tue Feb 24 20:00:54 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.
Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Tue Feb 24 20:00:54 2009 Cannot open d
13:10 < mib_3cwjc4> is it normal ?
13:10 < mib_3cwjc4> your help will be welcome
13:12 < mib_3cwjc4> lesenc ???,
13:12 < mib_3cwjc4> is there anyone here ?
13:12 < mib_3cwjc4> ::::::::::::::::===============:::::::::::::::::::::::
13:13 -!- Haris_ [i=Haris@119.152.5.87] has left ##openvpn ["Time to jet!"]
13:14 -!- mib_3cwjc4 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7d7374ee086b22cb] has left ##openvpn []
13:18 < ecrist> wow, impatient much?
13:21 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-620ff7191356f9e9] has joined ##openvpn
13:21 < mib_t9d9g5> hello
13:21 < mib_t9d9g5> is there anyone here ?
13:22 < ecrist> yes
13:24 < mib_t9d9g5> hi
13:24 < mib_t9d9g5> ecrist:
13:24 < ecrist> mib_t9d9g5:
13:24 < mib_t9d9g5> i try to install ubuntu
13:25 < ecrist> were you the one who was just in here?
13:25 < mib_t9d9g5> i try to install openvpn on my ubuntu
13:25 < mib_t9d9g5> sorry
13:25 < mib_t9d9g5> ??
13:26 < ecrist> what is your problem?
13:26 -!- mode/##openvpn [+o ecrist] by ChanServ
13:26 -!- mode/##openvpn [-o ecrist] by ecrist
13:26 < ecrist> stupid script
13:26 < mib_t9d9g5> i try to install openvpn on my ubuntu
13:27 < mib_t9d9g5> after the installation at the configuration stage
13:27 < mib_t9d9g5> openvpn server
13:27 < mib_t9d9g5> can't run
13:27 < ecrist> why not?
13:27 < mib_t9d9g5> so i want to reinstall
13:27 < ecrist> why can't it run?
13:27 < ecrist> no need to reinstall
13:27 < mib_t9d9g5> everything from a to z with someone online
13:28 < mib_t9d9g5> i just delete every config settings
13:28 < ecrist> ok, have you read the howto?
13:28 < mib_t9d9g5> yes
13:28 < mib_t9d9g5> i read
13:28 < ecrist> that tells you everything you need to know to setup a VPN
13:28 < mib_t9d9g5> w8 i tell the error what i got
13:28 < ecrist> ok
13:28 < mib_t9d9g5> w8 i tell u the error what i got
13:30 * ecrist waits
13:30 < mib_t9d9g5> plz wait
13:30 < mib_t9d9g5> i m doing from a to z
13:38 < mib_t9d9g5> sudo ./clean-all
13:38 < mib_t9d9g5> by doing this i got this error
13:38 < mib_t9d9g5> NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/2.0/keys
13:40 < ecrist> ok
13:40 < ecrist> what's your actual question?
13:40 < ecrist> I'm not willing to walk through an entire install/config with you, when there are docs out there to do it for you.
13:40 < ecrist> hell, I've written some of those docs.
13:40 < ecrist> :
13:41 < mib_t9d9g5> sorry i totally sorry
13:41 < mib_t9d9g5> when is the first
13:41 < mib_t9d9g5> time
13:42 < mib_t9d9g5> you can't understand where is the problem
13:42 < mib_t9d9g5> no one around me know the problem
13:42 < ecrist> mib_t9d9g5: there is no problem that isn't explained in the documentation.
13:42 < ecrist> or in the errors themselves.
13:42 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:43 < Roman123> Hi!
13:43 < ecrist> howdy
13:44 < mib_t9d9g5> ok
13:44 < mib_t9d9g5> thx
13:47 < Roman123> Today, I was playing around with openvpn and two routers in our company network (in combination with different static route setups). So I managed it to confuse our manageable switches and lock/break our whole network connection. oops :-)
13:49 < Roman123> We had to reboot all three switches to fix the problem.
13:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:51 < ecrist> way to go.
13:51 < Roman123> For me it was a funny situation because I had no idea why this happened. For my colleagues it was not that funny.
13:52 < ecrist> if I was the admin there, you probably wouldn't be there any longer.
:)
14:02 < Roman123> ecrist: well, it is not that easy. The admins are my friends and I'm their boss... :-)
14:09 < Roman123> How should a typical routing table look like when using openvpn in tap-mode? Mine look (at the client side) like this http://pastebin.com/d2c4e2b31
14:10 < Roman123> On the server side it looks like this http://pastebin.com/d248411b7
14:14 < Roman123> It is a pity that I was still not able to set up a working tap-based tunnel between two routers in order to connect two LANs. The tun-based approach goes off without a hitch.
14:30 < DarKnesS_WolF> krzee: thx also i find using a plugin module much more safe http://openvpn.net/index.php/documentation/howto.html#auth
14:30 < vpnHelper> Title: HOWTO (at openvpn.net)
15:02 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has quit [Remote closed the connection]
15:03 -!- DarKnesS_WolF [n=wolf@196.218.202.242] has joined ##openvpn
15:07 -!- DarKnesS_WolF [n=wolf@196.218.202.242] has quit [Client Quit]
15:19 < ecrist> Roman123: what problems are you having?
15:19 < ecrist> iirc, you were not bridging the interfaces after the tunnel was up.
15:25 < Roman123> ecrist: what do you mean after the tunnel was up?
15:25 < ecrist> you must actually bridge the tap and ethernet devices in the kernel.
15:26 < Roman123> ecrist: I execute "openvpn --mktun --dev tap0 ; brctl addif br-lan tap0 ; ifconfig tap00.0.0.0 promisc up" on the server as well as on the client.
15:27 < Roman123> tap0 0.0.0.0
15:27 < ecrist> well, first, s/;/&&/ in your command
15:27 < ecrist> and, why are you assigning 0.0.0.0 to your tap device?
15:28 < Roman123> ecrist: because I've seen that in a lot of tutorials.
15:28 < ecrist> which?
15:28 < Roman123> ecrist: Usually I execute these commands not in one line.
15:29 < Roman123> ecrist: e.g., http://wiki.openwrt.org/OpenVPNHowTo
15:29 < vpnHelper> Title: OpenVPNHowTo - OpenWrt (at wiki.openwrt.org)
15:29 < ecrist> have you followed the howto on openvpn?
15:30 < Roman123> ecrist: this one?
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
15:30 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:30 < ecrist> aye
15:32 < Roman123> ecrist: ifconfig $t 0.0.0.0 promisc up is also in this tutorial
15:32 < Roman123> the sample script
15:34 < Roman123> sorry for this maybe stupid question: The router has already a predefined bridge called br-lan. Do I have to break this bridge before and then assemble it again containing tap0?
15:36 < ecrist> Roman123: why are you setting up a bridge? from the logs, it would appear tun is your solution
15:37 < Roman123> Because I skipped this step. I just used "openvpn --mktun --dev tap0", then "brctl addif br-lan tap0", and at least "ifconfig tap 0.0.0.0 promisc up". At http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html this is done sequentially.
15:37 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
15:37 < Roman123> ecrist: well, tun works.
15:37 < Roman123> I like to connect two lans.
15:37 < ecrist> tun works, right?
15:37 < ecrist> !route
15:37 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:38 < Roman123> being able to send things such as wake-on lan packets, etc.
15:38 < ecrist> read that
15:38 < Roman123> ecrist: tun works
15:38 < Roman123> I've tried
15:41 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-620ff7191356f9e9] has quit ["http://www.mibbit.com ajax IRC Client"]
15:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:50 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-ba402ab9f1cfd70e] has joined ##openvpn
15:50 < mib_t9d9g5> hi ecrist
--- Log closed Tue Feb 24 15:55:30 2009
--- Log opened Tue Feb 24 16:06:37 2009
16:06 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
16:06 -!- Irssi: ##openvpn: Total of 46 nicks [0 ops, 0 halfops, 0 voices, 46 normal]
16:06 -!- Irssi: Join to ##openvpn was synced in 0 secs
16:09 < ecrist> foo
16:09 < ecrist> I need to reconfigure my network.
16:10 < ecrist> but first, com COD
16:17 < mib_t9d9g5> eh
16:17 < mib_t9d9g5> hello
16:17 < mib_t9d9g5> i place dh1024.pem
16:18 < mib_t9d9g5> in /etc/openvp/keys folder
16:18 < mib_t9d9g5> by running this sudo openvpn server.conf
16:18 < mib_t9d9g5> i got this error :
16:19 < mib_t9d9g5> Tue Feb 24 22:59:24 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Tue Feb 24 22:59:24 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Tue Feb 24 22:59:24 2009 Cannot open d
16:19 < mib_t9d9g5> whonoz ?
16:19 < mib_t9d9g5> plz
16:21 -!- mib_t9d9g5 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-ba402ab9f1cfd70e] has quit ["http://www.mibbit.com ajax IRC Client"]
16:21 < Roman123> ecrist: The subnets on both sides of the lan (to be connected over openvpn) have to be the same in the bridging mode and I should assure that no ip address is assigned to the bridging interfaces (on the server as well as on the client)? <- someone told me that.
16:23 < Roman123> is that true?
17:02 < reiffert> moin
17:02 < reiffert> Roman123: when bridging, the two bridges itself should be assigned an IP address as well.
17:03 < reiffert> Roman123: theoretically bridges dont necessarily need an IP assigned, but when not assigning an IP address to the bridges, openvpn cant connect from the client to the server.
17:04 < reiffert> as this connection uses IP.
17:05 < reiffert> ecrist: playing Call of Duty?
17:05 < Roman123> reiffert: ok, this behavior can be observed here. The tap0 interface on the client gets an ip assigned while the tap0 interface on the server remains without one.
17:05 < reiffert> 23:16 < ecrist> but first, com COD
17:06 < reiffert> Roman123: you normally assign them statically on both sides.
17:06 < reiffert> Roman123: oh, please note:
17:06 < reiffert> you bridge the tap0 interface with your eth0 interface to a new interface, the bridge interface, br0 for linux.
17:06 < reiffert> br0 needs to have an IP address on both sides.
17:07 < reiffert> tap0 and eth0 DONT have one (on both sides)
17:07 < Roman123> yes
17:07 < Roman123> hmm
17:07 < Roman123> br0 have ip addresses on both side
17:07 < reiffert> hamburg:~# brctl show
17:07 < reiffert> bridge name bridge id STP enabled interfaces
17:07 < reiffert> br0 8000.0002b302faf7 no eth1 tap0
17:07 < reiffert> hamburg:~# ifconfig br0
17:07 < reiffert> br0 Link encap:Ethernet HWaddr 00:02:B3:02:FA:F7 inet addr:192.168.0.64 Bcast:192.168.0.255 Mask:255.255.255.0
17:07 < Roman123> but tap0 has only one on the client side but none on the server side
17:07 < reiffert> tap1 Link encap:Ethernet HWaddr 00:FF:09:D9:91:38 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
17:08 < reiffert> eth1 Link encap:Ethernet HWaddr 00:02:B3:02:FA:F7 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
17:08 < reiffert> Roman123: then you did it wrong.
17:08 < Roman123> I guess the ip address on the client side is assigned by the "server-bridge" config option.
17:09 < reiffert> Roman123: wait, lemme rephrase.
17:09 < Roman123> option server_bridge "192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254"
17:09 < Roman123> 192.168.1.200 is assigned to tap0 on the client side
17:09 < reiffert> Roman123: is there a LAN behind the openvpn client?
17:09 < Roman123> yes
17:10 < Roman123> I connect two routers over openvpn
17:10 < reiffert> should this LAN behind the client, talk to the LAN behind the server?
17:10 < Roman123> well, I'm trying to :)
17:10 < Roman123> yes
17:10 < reiffert> should this LAN behind the client, talk to the LAN behind the server?
17:10 < reiffert> and does it work?
17:10 < Roman123> yes
17:10 < Roman123> now it works
17:10 < reiffert> allright. I still advise you to bridge tap0 and eth0 on the CLIENT as well to br0
17:11 < Roman123> in the tun mode as well as in the tap mode
17:11 < Roman123> I'll try if really everything works.
17:11 < Roman123> Then I'll put a howto on openwrt
17:11 < Roman123> perhaps the whole setup is useful for someone else.
17:12 < reiffert> !howto
17:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:12 < reiffert> it's all in there.
17:12 < reiffert> Roman123: however, I strongly suggest, that you create a br0 bridge on the client
17:12 < Roman123> reiffert: but nothing openwrt related
17:12 < reiffert> Roman123: and assign the dynamic IP to that br0 in a --up script
17:14 < reiffert> Roman123: if I'm right, the openvpn client now has two IPs, right?
17:14 < reiffert> Roman123: one for eth0 and one for tap0?
17:14 < Roman123> well, I use "openvpn --mktun --dev tap0", "brctl addif br-lan tap0", and " ifconfig tap0 0.0.0.0 promisc up" to initialize the interface tap0 and assign it to br-lan on both sides.
17:14 < Roman123> reiffert: yes
17:14 < Roman123> you're right
17:14 < reiffert> Roman123: but why using two IPs when one is enough?
17:14 < Roman123> one is this default gw for the lan
17:14 < Roman123> reiffert: I did not do anything ;)
17:15 < Roman123> The ip is assigned by the server
17:15 < Roman123> when the client connects, the server provides the address "192.168.1.200" (taken from option server_bridge).
17:16 < reiffert> whats the IP of eth0?
17:16 < Roman123> As far as I understand
17:16 < reiffert> (on client side)
17:16 < Roman123> client side (lan): br-lan = 192.168.51.2
17:17 < Roman123> server side (lan): br-lan = 192.168.51.1
17:17 < Roman123> bridge name bridge id STP enabled interfaces
17:17 < Roman123> br-lan 8000.0022153271c5 no eth0.0
17:17 < Roman123> tap0
17:17 < reiffert> and why are you using the .1.200 stuff then?
17:17 < Roman123> ^^^ my brctl show
17:18 < Roman123> reiffert: probably because I do not really know what I'm doing. I have just taken it from the howtos, e.g.
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
17:18 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
17:19 < reiffert> Roman123: ok, look:
17:19 < reiffert> server_bridge "192.168.51.1 255.255.255.0 192.168.51.2 192.168.51.3"
17:19 < reiffert> on the client do:
17:19 < reiffert> create a file named /usr/local/sbin/openvpn_client_up.sh
17:19 < reiffert> #!/bin/bash
17:20 < reiffert> device=$1
17:20 < reiffert> mtu=$2
17:20 < reiffert> mru=$3
17:20 < reiffert> ip=$4
17:20 < reiffert> mask=$5
17:20 < reiffert> cmd=$6
17:20 < reiffert> ifconfig $device 0.0.0.0 promisc up
17:20 < reiffert> brctl addif br0 $device
17:20 < reiffert> ifconfig br0 $ip up
17:20 < reiffert> in openvpn client conf add:
17:21 < reiffert> up /usr/local/sbin/openvpn_client_up.sh
17:21 < reiffert> ifconfig-noexec
17:21 < reiffert> what it does is:
17:21 < reiffert> when openvpn client is NOT connected:
17:21 < reiffert> you have a bridge br0 with IP 192.168.51.2
17:21 < reiffert> bound to the bridge: eth0
17:21 < reiffert> when openvpn connects:
17:21 < reiffert> it adds tap0 with 0.0.0.0 promisc up to that bridge
17:22 < reiffert> done.
17:22 < reiffert> going to bed, have fun.
17:22 < Roman123> reiffert: thanks
17:22 < Roman123> good night
17:22 < reiffert> so your client always has 192.168.51.2
17:23 < reiffert> when client is connected and when its not.
17:23 < Roman123> I'm also on the way to bed.
17:24 < reiffert> as far as I remember openwrts' openvpn lacks some features when not using squashfs ...
17:24 < reiffert> related to storing keys in nvram
17:24 < reiffert> however, night
17:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:50 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has joined ##openvpn
17:50 -!- xattack [n=xattack@rompope.fi-b.unam.mx] has left ##openvpn []
19:01 < lkthomas> dazo, you there ?
19:16 < ecrist> reiffert: yes, got Modern Warfare and World at War
19:26 < d0wn> Is anyone familiar with using the redirect-gateway in OpenVPN configuration?
19:27 < ecrist> yup
19:28 < d0wn> how is it supposed to be done? is redirect-gateway supposed to be put into the client configuration, or into the server?
19:29 < ecrist> client config
19:29 < ecrist> it should be:
19:29 < ecrist> redirect-gateway def 1
19:29 < ecrist> iirc
19:29 < ecrist> s/def 1/def1/
19:29 < d0wn> what does def 1 mean, though?
19:29 < d0wn> Hmm
19:30 < ecrist> !man
19:30 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:30 < ecrist> go there, search the page for redirect-gateway
19:30 < ecrist> should find two matches. read through the first.
19:30 < ecrist> def1 -- Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.
19:35 < d0wn> Ah, thank you ecrist. now, I read on the howto that I may have to do some work with the dns queries on the server. do I need to run a DNS server on my OpenVPN server?
19:35 < ecrist> no, but you need to make one available to your clients somehow.
19:36 < d0wn> I was thinking about using the OpenDNS servers
19:36 < ecrist> often, that's accomplished by running a server on the vpn server, or somewhere nearby.
19:36 < ecrist> but, I'm off to play more CoD
19:36 < ecrist> l8r
19:37 < d0wn> thanks for your help.
you were the first to help me out with this
20:07 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
20:09 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
20:24 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:43 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has joined ##openvpn
20:44 < KWhat4> What happens if both lans have the same ip range?
20:44 * KWhat4 waits
20:45 < hads> Things don't work
20:45 < KWhat4> hads is there a resolution to that issue besides fix one of the networks
20:46 < hads> http://openvpn.net/index.php/documentation/howto.html#numbering
20:46 < vpnHelper> Title: HOWTO (at openvpn.net)
20:54 -!- lkthomas_ [n=lkthomas@218.189.198.146] has joined ##openvpn
20:55 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:55 < Dougy> hey ya'll
20:55 < Dougy> ecrist: ding
21:09 -!- lkthomas [n=lkthomas@218.189.198.146] has quit [Read error: 110 (Connection timed out)]
21:19 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:22 < ftp3> i want to setup a vpn between my home network and my work computer and my roving laptops. I wanted to install openvpn in our datacenter, and then have everything connect to it and share.. is this possible? (seems like what Hamachi does)...
21:42 -!- lkthomas_ [n=lkthomas@218.189.198.146] has quit [Read error: 104 (Connection reset by peer)]
21:51 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:51 < onats> hello
21:51 < onats> offtopic question, but what's the best text/background color combination which gives least strain to the eyes? black on white? or green on black?
21:54 -!- Dougy changed the topic of ##openvpn to: Check your firewall first. ||| We need !configs and !logs ||| HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man ||| LANs behind OpenVPN? See !route ||| Don't ask to ask, just ask; then wait.
21:55 -!- ChanServ changed the topic of ##openvpn to: Check your firewall first. || We need !configs and !logs || HowTo: http://openvpn.net/howto Manual: http://openvpn.net/man || LANs behind OpenVPN? See !route || Don't ask to ask, just ask; then wait.
21:55 -!- mode/##openvpn [+t-o Dougy] by ChanServ
21:55 < Dougy> pffsh
21:55 < Dougy> t
21:57 < tjz|lunch> hey dougy!!!
21:58 < tjz|lunch> so long never see you
21:58 < ftp3> any thoughts on my question?
21:59 < Dougy> yo yo
21:59 < Dougy> sup
22:00 < Dougy> tjz|lunch: whats going on
22:03 < Dougy> bed
22:03 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:03 -!- toodles53 [n=citrusfr@pcp045821pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
22:05 < toodles53> Hello, i Have a question i am hoping someone can help me with. When the vpn server shuts down or otherwise loses connectivity, the vpn clients dont "notice" for quite some time
22:05 < toodles53> on the clients, the connection appears to be just fine and doesnt actually sever for a few minutes
22:05 < toodles53> how can i hasten this?
22:13 < toodles53> should i increase the ping frequency or something
22:16 -!- digerati1337 [n=noone@zms-laptop.rit.edu] has joined ##openvpn
22:17 < digerati1337> !configs
22:17 < vpnHelper> digerati1337: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:18 -!- toodles53 [n=citrusfr@pcp045821pcs.pcv.reshall.calpoly.edu] has quit [Read error: 104 (Connection reset by peer)]
22:32 < digerati1337> does anything special have to be done on a windows client to have it pull dhcp address through the vpn?
22:35 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
22:46 -!- digerati1337 [n=noone@zms-laptop.rit.edu] has quit []
22:57 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
22:57 < lavren> hello
22:57 < lavren> When I go to do "openvpn openvpn.conf" it immediately returns, and I don't see a tun device in ifconfig. Should I be manually setting up this tun device?
23:01 < hads> Anyone heard of DNS traffic getting through/back from client to a server behind the OpenVPN host but no other traffic?
23:45 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
23:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
--- Day changed Wed Feb 25 2009
00:11 < hads> Here's a paste of DNS getting through but not ping; http://paste.pocoo.org/show/105282/ where 10.88 is OpenVPN client and 192.168 is the LAN behind the OpenVPN server.
00:11 < hads> That 192.168.1.3 box behind the OpenVPN server can also ping the 10.88 OpenVPN client.
00:12 < hads> The OpenVPN server can ping the LAN and VPN clients.
00:13 < hads> and dumping packets on the OpenVPN server's eth0 interface shows the packets coming in from the client but nothing responding from the LAN (except DNS).
00:13 < hads> Hmm perhaps the DNS is coming from the default gateway.
00:15 < hads> Nope, it's not.
00:18 < hads> Confusing.
00:43 -!- roentgen [n=HaRT@79.117.16.67] has joined ##openvpn
00:56 -!- KWhat4 [n=kwhat@cpe-76-167-224-45.socal.res.rr.com] has quit ["Leaving."]
01:22 -!- lkthomas [n=lkthomas@218.189.198.146] has joined ##openvpn
01:22 < lkthomas> hey guys
01:22 < lkthomas> dazo, you there ?
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:04 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
02:12 < krzee> whats up
02:12 < krzee> hads,
02:13 < krzee> [21:07] Anyone heard of DNS traffic getting through/back from client to a server behind the OpenVPN host but no other traffic?
02:13 < krzee> if you remove "behind the openvpn host", yes
02:13 < krzee> hotels, airports, coffee shops
02:13 < hads> heh
02:13 < krzee> without removing that, no
02:13 < hads> Na, this is from my home network
02:13 < krzee> sounds like a firewall issue
02:14 * krzee points to 1st part of topic
02:14 < krzee> lkthomas,
02:14 < krzee> lkthomas, !ask
02:14 < hads> It does doesn't it. iptables is all accept though
02:14 < krzee> !ask
02:14 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
02:14 < krzee> hads,
02:14 < krzee> !config
02:14 < vpnHelper> krzee: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
02:14 < krzee> !configs
02:14 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:14 < krzee> ignore the first one
02:17 < hads> krzee: http://paste.pocoo.org/show/105288/
02:17 < hads> Let me know if you want any other info, I'm a little stuck currently.
02:18 < hads> So any ideas would be fantastic :)
02:18 < krzee> cool
02:19 < krzee> im kinda drunk. on vacation in peru and had 5 pisco sours
02:19 < krzee> but i will look =]
02:20 < hads> heh, don't waste time playing with configs then, head to the bar :)
02:20 < krzee> nah im back from there
02:23 < krzee> ill be slow tho, talkin to a brazilian model i found while i been out here
02:24 < krzee> which takes precedence as im sure you understand
02:24 < hads> Nice :)
02:26 < krzee> 192.168.1.x is a network behind the server?
02:26 < hads> Yeah
02:26 < hads> I'm waiting on them to change that
02:26 < krzee> cool
02:26 < krzee> interesting that dns works
02:27 < krzee> !pushdns
02:27 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
02:27 < hads> It's in there
02:28 < lkthomas> couple of questions, 1. if I use openvpn --remote to connect between two sides of a network, how does it make sure that the other side of the network isn't coming from a hacker ?
02:29 < hads> Though it doesn't make a difference whether it is or not, I'm testing everything by IP at this stage.
02:29 < krzee> did you see #2?
02:29 < lkthomas> 2. how am I supposed to put command line options into the config file ?
02:30 < krzee> lkthomas, i do not understand #1
02:30 < krzee> and #2 depends on when
02:31 < hads> krzee: Yeah, read through it, resolv.conf is updated, but like I said I'm doing things by IP currently anyway
02:31 < krzee> ok
02:31 < krzee> so you connect, and cant ping the server from the client, or client from server?
02:31 < krzee> what ips are you trying?
02:32 < hads> I connect, I can ping the server and the remote default gateway from the client. I can ping the client from anywhere on the remote LAN.
02:32 < hads> But I can't ping anything else on the remote LAN from the client.
02:32 < krzee> what LAN ip is the client on?
02:33 < hads> 10.77.0.0/24
02:33 < hads> I can trace on the eth0 of the server and see http://paste.pocoo.org/show/105282/
02:33 < hads> Which is really weird to me.
02:33 < krzee> ohhh
02:33 < krzee> check this out
02:34 < krzee> the server is not on the router for 192.168.1.x, right?
02:34 < hads> Correct
02:34 < krzee> what lan ip is the server on?
02:34 < hads> 192.168.1.7
02:35 < krzee> lan router needs to know that for 10.77.0.0/24 it must route traffic to 192.168.1.7
02:35 < hads> Static route on the default gateway (192.168.1.1) goes to 192.168.1.7 for 10.88.0.0/24
02:35 < hads> 10.77 as well? That's my LAN here.
02:35 < lkthomas> openvpn --remote domain.com --dev tun1 --ifconfig...
02:36 < lkthomas> I could connect two sides of a network by using this simple command
02:36 < lkthomas> right ? krzee
02:37 < krzee> hads, i never saw .77
02:37 < krzee> lkthomas, see the manual, it has simple examples towards the bottom
02:37 < krzee> !man
02:37 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:38 < hads> Arg sorry, I possibly misunderstood your last question. Let me restate the facts.
02:38 < krzee> plus im drunk
02:38 < hads> Remote LAN is 192.168.1.0/24, default router is .1 OpenVPN server is .7; OpenVPN subnet is 10.88.0.0/24, client connects and receives .6
02:39 < hads> Static route on the default gateway (192.168.1.1) goes to 192.168.1.7 for 10.88.0.0/24
02:40 < hads> I've set this up a few times before without trouble. I was ready to blame the remote default gateway for being a crappy router but this DNS thing getting through is weird.
02:40 < hads> That and the remote LAN can ping connected OpenVPN clients.
02:41 < krzee> why do you believe dns is going over the vpn?
02:41 < lkthomas> krzee, can you give me some hints instead of asking me to read the whole library ?
02:41 < hads> Because I can see the packets when dumping with tshark on the remote VPN host.
02:41 < krzee> lkthomas, no, read the examples
02:42 < krzee> you see them one way in what you pasted
02:42 < lkthomas> openvpn.net is dead ?
02:42 < krzee> the machine gets the pings
02:42 < hads> krzee: The DNS is responding, the ping isn't
02:42 < krzee> but tries to respond to the packets at the 10.88. address
02:42 < krzee> but had no route
02:42 < krzee> so dropped them
02:43 < krzee> forget the dns unless you are willing to accept firewall issue
02:43 < hads> In that trace the DNS requests got a response all the way back to the client.
02:43 < hads> On the remote LAN I can ping OpenVPN clients successfully, let me get a trace.
02:45 < hads> http://paste.pocoo.org/show/105289/
02:45 < krzee> then you have firewall problems
02:46 < hads> http://paste.pocoo.org/show/105290/
02:46 < krzee> could be on the client...
02:47 < krzee> lkthomas, ya... sucks for you, try man openvpn
02:47 < krzee> yanno, like normal man pages ;]
02:48 < lkthomas> I think using --secret key will be better for a point to point connection
02:48 < hads> Both are default accept with no rules, no firewall.
02:48 < krzee> ip forwarding on on the server?
02:48 < hads> Yup
02:49 < krzee> then you are pointing towards a firewall issue i think
02:49 < krzee> but im too drunk for it
02:49 < krzee> sorry
02:49 < krzee> im gunna go now, gnite
02:49 < hads> No worries at all, thanks for trying
02:49 < krzee> np
02:49 < hads> Have a good vacation :)
02:49 < krzee> thanx, its been awesome =]
02:50 < hads> I wish there was a router there I could hack into rather than a Netgear POS
02:52 < lkthomas> hmm
02:52 < lkthomas> tun interface does not have to be on the same subnet on both sides, right ?
02:53 < krzee> cant be
02:53 < krzee> well
02:53 < c64zottel> hello
02:53 < krzee> tun if sets itself
02:53 < krzee> from within openvpn
02:53 < krzee> so dont worry bout that
02:53 < krzee> !/30
02:53 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
02:54 < c64zottel> i am at the end of my study and i have to do a work of about 5 months, and i thought it might be a nice idea to write an OpenVPN - Management System
02:55 < lkthomas> krzee, are you talking to me ?
02:55 < c64zottel> and now i am thinking about the features and would like to ask if someone has some ideas
02:55 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
02:57 < krzee> c64zottel, learn it, use it, write it, ask for ideas... if you're already on last step then wait
02:57 < krzee> cause im gunna passout
02:57 < c64zottel> i have something like: monitoring: debugging errors, finding bottlenecks, key/user-management: key creation/delivering,
02:58 < krzee> lkthomas, yes
02:58 < krzee> nite all
02:58 < c64zottel> krzee: what do you mean?
02:59 < c64zottel> i have to present a small paper tomorrow, i can't wait that long
02:59 < hads> Maybe you left it a little late to decide :)
03:00 < krzee> hads is right, goodnight
03:02 < lkthomas> tun if sets itself ?
03:02 < lkthomas> .....
03:02 < lkthomas> anyone else could give me some hints on my question ?
03:08 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:14 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 110 (Connection timed out)]
04:21 < dazo> lkthomas: In the beginning you do not need to worry about which IP's the tun interface has or not ... the only time you need to think about that is when you're debugging the routing ... openvpn takes care of setting up IP addresses of the tun interface .... check out the man pages for openvpn and look for Example 1 in the end of the man page, here there are some examples which should get you started
04:22 < dazo> lkthomas: regarding putting command line options into a config file .... take all the options into a file, with one option and its related argument on each line ... and remove all leading -- ... that's all
04:24 < dazo> lkthomas: when you get example 1 and 2 working (and possibly 3) ... you can begin to look at --route option ... this will then begin to allow you to route traffic from one side of the network to the other network via your VPN
04:26 < dazo> (btw. www.openvpn.net seems to be down ... might want to google for info and maybe use google cache to catch info only available there)
04:38 < lkthomas> yes
04:38 < lkthomas> thanks for your explanation
04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:53 -!- kyrix [n=ashley@91-115-30-176.adsl.highway.telekom.at] has joined ##openvpn
04:55 -!- plaerzen [n=carpe@174.0.97.175] has quit [Read error: 110 (Connection timed out)]
05:20 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn
05:21 < A[D]minS^Work> !route
05:21 < vpnHelper> A[D]minS^Work: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:24 < A[D]minS^Work> openvpn.net down?
05:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 54 (Connection reset by peer)]
05:44 < c64zottel> dazo, could you explain to me what krzee told me at 10:03:59? does this mean he is already working on something?
05:51 < lkthomas> this is funny
05:51 < lkthomas> eth0 = 172.18.2.56
05:51 < lkthomas> tun1 = 172.18.2.57
05:51 < lkthomas> p2p = 10.99.99.1
05:52 < lkthomas> traceroute from 172.18.2.x network to 10.99.99.1, holding @ 172.18.2.56
05:52 < lkthomas> anyone have idea why ?
05:52 < c64zottel> lkthomas: routing problem?
05:53 < c64zottel> i found tshark very useful for such stuff
05:54 < lkthomas> I did use route 10.99.99.0 255.255.255.0 172.18.2.56
05:54 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
05:56 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
05:56 < lkthomas> nevermind
05:57 < lkthomas> found the problem now, thanks
05:59 < nachox> guys, i have a network where my openvpn server is behind a firewall that is nating vpn connections to it while also having a dhcp server, i need my openvpn connected computers to get ip addresses from that dhcp server and be able to ping other computers in the same lan the openvpn server is in, is that even possible?
06:04 < tjz|lunch> openvpn.net seems to be down
06:04 < tjz|lunch> any other mirror?
06:10 < dazo> c64zottel: I think he might think about ssl-admin ... http://www.secure-computing.net/wiki/index.php/Ssl-admin ... maybe something else
06:10 < vpnHelper> Title: Ssl-admin - Secure Computing Wiki (at www.secure-computing.net)
06:11 < dazo> c64zottel: I also have been working on some management for OpenVPN, adding user/password auth in addition ... http://www.eurephia.net/
06:11 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
06:12 < dazo> lkthomas: if you have these IP addr conflicts ... you have clearly done something wrong
06:12 < lkthomas> well, I am working on vmware virtual switch now
06:13 < dazo> lkthomas: tun devices should not have an IP address which is in the same network segment as the other interfaces
06:13 < lkthomas> I think I got it working
06:13 < lkthomas> I could ping to 10.99.99.1 on 172 subnet
06:14 < dazo> lkthomas: well ... I'm not too optimistic ... but I've never played with networking in vmware
06:15 < lkthomas> it sucks
06:15 < lkthomas> we are using esxi to do testing
06:15 < lkthomas> but that virtual switch sucks
06:15 < lkthomas> you will need to have a physical switch to deal with vlan
06:16 * dazo has also never played with VLAN in real life even ... so he has no clues
06:16 < c64zottel> dazo: thank you
06:16 < lkthomas> heh
06:16 < c64zottel> what happened with your project? still working on it?
06:16 < dazo> c64zottel: yeah, I am ... just had too much work to manage it in my spare time
06:17 < dazo> c64zottel: And I've also had 3 weeks holiday too in between
06:18 < c64zottel> dazo i believe that, that would be my advantage, i get paid for it, and it would be released as OS
06:18 < lkthomas> dazo, does openvpn default to using udp ?
06:18 < dazo> lkthomas: yes
06:18 < c64zottel> i just have to convince the big boss here...
06:18 < dazo> c64zottel: released as OS? .... as in Operating System?
06:18 < lkthomas> I think including the secret option will prevent a hacker from connecting
06:18 < c64zottel> dazo, open source
06:18 < c64zottel> gpl
06:18 < dazo> c64zottel: ahh ... sorry ....
06:19 * dazo is still in holiday mode :-P
06:19 < c64zottel> dazo: maybe i could fiddle an Operating System with it
06:19 < dazo> c64zottel: heh
06:19 < c64zottel> like virtual private operating system
06:20 < dazo> c64zottel: if eurephia matches your goal ... then you are very much welcome to help out
06:20 < c64zottel> dazo: that could be a small problem, its for my university
06:20 < dazo> c64zottel: why's that?
06:21 < c64zottel> dazo: i am near the end of my study, so, its my final work
06:21 < lkthomas> virtual private super private privatized private privately private OS ?
06:22 < lkthomas> can we wrap AES-2048 bit ten times on this connection ? :)
06:22 < c64zottel> dazo: if i would continue your project, the professor can not see which part is from me, which not
06:23 < c64zottel> dazo: but probably i will steal some ideas of yours, may you have some screen shots?
06:23 < dazo> c64zottel: aha ... I see :) Well, there are parts which have not been started on in this project .... I'm thinking about a web-gui for admin, written in C, probably using libmicrohttpd ....
06:23 < dazo> c64zottel: right now, it's all command line
06:24 < c64zottel> dazo: ah, ok, i already have a gui in mind, but written with ruby on rails + spring
06:24 < dazo> c64zottel: the main focus so far has been to get the authentication and IP blocking working properly ... I began on the cli admin at the end of last year
06:26 < dazo> c64zottel: the reason I want to have it in C with libmicrohttpd is to make it possible to fire up the admin interface on whatever device without requiring a web-server with php/python/ruby/whatever ... maybe even embeddable devices like WRT54GL and that kind of things
06:27 < c64zottel> dazo: good point
06:27 < dazo> c64zottel: I'm also thinking about making the authentication happen against a separate process (not in the openvpn plug-in) so that can be chrooted and locked down as well ... and the communication between the plug-in and the auth-process would go over TCP/IP or Unix socket
06:27 < dazo> c64zottel: which then also gives another flexibility ... the core authentication can happen on a separate box from the openvpn server itself
06:28 < A[D]minS^Work> is there any GUI to configure OpenVPN?
06:29 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has left ##openvpn ["Leaving"]
06:29 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has joined ##openvpn
06:29 < c64zottel> but how does that sound: there is a big server with all the configs and a fat web-gui, if you change something, the config is delivered to the appropriate device, like a WRT54GL
06:30 < lkthomas> hmm
06:30 < lkthomas> guys
06:30 < lkthomas> something more interesting
06:30 < dazo> A[D]minS^Work: not afaik ... might find something in Webmin or IPCop or things like that ... but nothing really well known "side-product" ... but I believe OpenVPN team will come with something commercial soon
06:30 < lkthomas> my openvpn server running tun1 = 10.99.99.1
06:31 < lkthomas> eth0 = public IP address
06:31 < lkthomas> I got a windows which is connecting to same switch as openvpn server
06:31 < c64zottel> A[D]minS^Work: i guess zero shell has something
06:31 < lkthomas> it can't ping 10.99.99.1
06:31 < lkthomas> but when I do arp -a
06:31 < lkthomas> it shows the MAC address which is same as eth0
06:31 < lkthomas> should I create eth1 with another MAC address ?
06:32 < dazo> c64zottel: well, that's more distributed config management ... there are plenty of such tools .... like ZENWorks, Red Hat Network ...
06:32 < A[D]minS^Work> ok dazo thx
06:33 < lkthomas> dazo, any idea ?
06:33 < dazo> lkthomas: quite honestly ... nope ... because I'm pretty sure you've done something incredibly wrong in the openvpn config ...
06:33 < lkthomas> how so ?
06:34 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
06:34 < dazo> lkthomas: from what you said earlier ... that tun0 had an IP address of your local network
06:35 < lkthomas> local network means ?
06:35 < dazo> lkthomas: 172.16.whatever you had
06:35 < lkthomas> so no ip address is supposed to be assigned to tun ?
06:35 < c64zottel> dazo: probably that is the right headline, but zenworks, red hat network has nothing to do with openVPN
06:36 < lkthomas> how does the routing go then ?!
06:36 < dazo> c64zottel: nope, but they do config distribution
06:36 < dazo> lkthomas: have you read the docs? ... --route
06:37 < lkthomas> so tun should contain no subnet which is owned by either network ?
06:38 < lkthomas> something like 10.90.1.1 and 10.90.1.2 ?
06:38 < dazo> lkthomas: yes
06:38 < dazo> lkthomas: you obviously have not read Example 1 carefully enough in the docs
06:40 < lkthomas> openvpn is down
06:40 < lkthomas> web site I mean
06:41 < dazo> lkthomas: have you heard about Google? .... and Google caching?
06:42 < lkthomas> try that yourself, cache is not working either
06:42 < dazo> lkthomas: hint: google for "man openvpn"
06:44 < lkthomas> hmm
06:44 < lkthomas> I still got one more question to go
06:44 < dazo> lkthomas: http://www.linuxjournal.com/article/7949 <<--- might help you further
06:44 < vpnHelper> Title: Meet OpenVPN (at www.linuxjournal.com)
06:44 < lkthomas> what is other clients' default gateway on 10.99.99.x if tun does not use any 99.x subnet IP ?
06:45 < dazo> lkthomas: http://74.125.77.132/search?q=cache:t8n4XSY_Td0J:openvpn.net/index.php/documentation/manuals/openvpn-21.html+man+openvpn&hl=en&gl=cz&strip=1
06:45 < vpnHelper> Title: OpenVPN 2.1 (at 74.125.77.132)
06:45 < dazo> lkthomas: you should not alter the default gateway of any of these boxes in this phase
06:47 < dazo> lkthomas: http://web.archive.org/web/20080208172912/http://openvpn.net/man.html
06:47 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"]
06:48 < dazo> lkthomas: http://web.archive.org/web/20080202063403/openvpn.net/man-beta.html (if you're using OpenVPN 2.1 series)
06:49 < lkthomas> so you are telling me that I am supposed to use NAT and create 10.99.99.1 gw on openvpn box as default gateway which has nothing to do with vpn at all ?
06:50 < dazo> lkthomas: no, you do not need NAT
06:50 < dazo> lkthomas: you need --route
06:51 < lkthomas> I think you are misunderstanding what I am trying to do
06:51 < lkthomas> I got a broadband, a switch and a openvpn box
06:51 < lkthomas> broadband only got one ip
06:51 < dazo> lkthomas: --route will only add additional routing which then will route the given networks via the openvpn tunnel
06:51 < lkthomas> I know
06:51 < lkthomas> nothing related with route
06:52 < lkthomas> if tun isn't acting as default gateway
06:52 < lkthomas> it should be something else which acts as gateway then ?
06:52 < dazo> lkthomas: the default route should not be altered
06:52 < lkthomas> IT DOES NOT HAVE ANY DEFAULT ROUTE, damn
06:52 < lkthomas> don't you get it ?
06:53 < lkthomas> there is no default gateway existing in that network
06:53 < dazo> lkthomas: is your box online at all? ... because if you are ... it has to have a default route
06:53 < lkthomas> broadband default route, yes
06:53 < lkthomas> but that does not work without NAT if I got client machine behind
06:53 < dazo> lkthomas: exactly! and that route shall not be changed in any way
06:54 < lkthomas> my question is how do my clients which are behind openvpn access the internet and the subnet which I have tunneled
06:54 < dazo> lkthomas: NATing is needed only to give the network on the inside of this box internet access
06:54 < lkthomas> there is nothing left
06:55 < dazo> lkthomas: then you need to look more carefully at --redirect-gateway
06:55 < lkthomas> one windows xp box, and openvpn box
06:55 < lkthomas> windows xp is using private IP
06:56 < dazo> lkthomas: how does that box then get on the internet?
06:56 < lkthomas> openvpn box is connected to physical switch, the switch is connecting to broadband
06:56 < lkthomas> it can't dude
06:56 < dazo> lkthomas: so you are setting up an internal openvpn infrastructure so that this box can get Internet via the VPN?
06:57 < lkthomas> yes, and when it is accessing the tunneled subnet, use tun
06:57 < dazo> lkthomas: then you need to look up --redirect-gateway in the docs
06:58 < lkthomas> OH god
06:58 < lkthomas> I don't want to tunnel all traffic to VPN
06:59 < lkthomas> I think
06:59 < dazo> lkthomas: in that case ... you need --route on the client (or --push "route ...." on the server)
06:59 < lkthomas> on openvpn box, first of all I should be doing NAT
06:59 < lkthomas> then, turn on vpn tunnel
06:59 * dazo gives up
06:59 < lkthomas> and use route to add it to routing table
06:59 < lkthomas> here is the normal situation
07:00 < lkthomas> Subnet A --- tunnel ip A ==== tunnel ip B --- Subnet B
07:00 < lkthomas> where, tunnel IP does not belong to any subnet at all
07:00 < lkthomas> but the current situation is :
07:01 < lkthomas> nothing ??? --- Tunnel IP A ==== tunnel IP B --- subnet b
07:01 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has joined ##openvpn
07:01 < lkthomas> there is no subnet on A side man
07:01 < imachine> !configs
07:01 < vpnHelper> imachine: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:01 < lkthomas> dazo, are you with me now ?
07:01 < imachine> would I find answers on the howtos and wikis how I could assign static ips to my tunX clients?
07:02 < imachine> right now, they get random ips.
07:02 < ecrist> meh
07:02 < dazo> lkthomas: in what I can understand from you now .... You just need --route on the client side
07:02 < imachine> I've looked a bit, but not really hard.
07:02 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
07:02 < dazo> lkthomas: you do not need to NAT anything
07:03 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
07:03 < Tophat> any idea when the website will be back up ?
07:03 < lkthomas> god
07:03 < tjz|lunch> :(
07:03 < tjz|lunch> why the long downtime
07:03 < dazo> lkthomas: but if your openvpn server is not acting as the default gateway in the server side of the physical network ... your default gateway needs to know where to route your WinXP box's network via your openvpn server
07:03 < lkthomas> so what should I assign for my windows xp box ?
07:04 < lkthomas> YES
07:04 < lkthomas> that's what I said
07:04 < lkthomas> I need NAT
07:04 * dazo is talking to a f**king wall!
07:04 < dazo> lkthomas: please stay off me ... I have work to do now
07:05 < Tophat> whats the latest and greatest newest version number?
07:05 < ecrist> Tophat: which site?
07:05 < ecrist> openvpn?
07:05 < Tophat> ecrist - openvpn.net
07:05 < ecrist> no idea. sorry
07:05 < ecrist> latest version (release) is 2.0.9
07:05 < ecrist> latest latest RC is 2.1_rc15
07:05 < lkthomas> okok dazo , thanks for helping me tho
07:06 < ecrist> 2.1 is very stable at this point, I've been running it as a client for some time now.
07:06 < imachine> I have another issue as well, my clients seem to not reconnect properly. they just drop and never connect again.. it's rubbish. I've removed the persist-* lines from configs, but it still has issues.
07:06 < ecrist> it would appear beta.openvpn.net is still online, www.openvpn.net is offline.
07:07 < imachine> any ideas how that might be sorted out ?
07:07 < dazo> Tophat: I've been running 2.1_rc15 since it was released ... it's rock solid for me
07:07 < ecrist> Tophat: look to beta.openvpn.net for the website
07:07 < ecrist> it's online and should have everything you're looking for.
07:09 < imachine> another question might be, what's the least memory consuming and cpu consuming way to connect over openvpn, currently I employed certificates, but the devices I use as clients are pretty weak machines, mips based 200MHz routers with 8MB of ram.
07:09 < imachine> (or 16)
07:10 < ecrist> I would still recommend certificates.
07:10 < imachine> would using static keys help on memory consumption? I've dropped comp-lzo as well, for the purpose of cpu consumption.
07:10 < lkthomas> dazo, actually, from what I could see, you usually got another NAT router to take care of the NAT network, and openvpn server just for tunnel, am I correct ?
07:10 < imachine> okay.
07:10 < imachine> ecrist, does comp-lzo make a huge cpu boost, in my conditions?
07:10 < imachine> or is it worth keeping?
07:10 < ecrist> it depends on what you're transmitting over the vpn
07:11 < imachine> realtime > throughput
07:11 < imachine> well, ~1-2Mbps tops.
07:11 < ecrist> if you're transmitting media, it doesn't make sense, as it's usually compressed already
07:11 < imachine> it's database access to a firebird server.
07:11 < imachine> so sql queries and pictures over the sql queries.
07:11 < ecrist> if you're transmitting text, it'll save bandwidth, but eat cpu cycles
07:12 < imachine> okay, I'll drop it ;]
07:12 < lkthomas> brb, thanks
07:15 < imachine> ecrist, where could I read about assigning static ips to tun-based vpn clients?
07:15 < imachine> the webpage is down, but I could take it off of google's "save the internet to a harddisk" service thing.
07:15 < imachine> "local copy" they call it ;]
07:17 < ecrist> looking, imachine
07:18 < ecrist> http://beta.openvpn.net/index.php/open-source/documentation/howto.html#policy
07:18 < vpnHelper> Title: HOWTO (at beta.openvpn.net)
07:18 < imachine> cheers
07:22 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
07:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:52 < imachine> ecrist, damn
07:52 < imachine> I get now proper addressing, but I can't do client-to-client
07:52 < imachine> furthermore, I can't access the clients from my server either :)
07:53 < dazo> imachine: have a look at:
07:53 < dazo> !route
07:53 < imachine> (even the ones I know that are working)
07:53 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:53 < imachine> dazo, I've only added the ccd client config.
07:53 < imachine> dazo, would pushing client ips require adding routes?
07:54 < dazo> imachine: might be needed ... but you might need to use --iroute in some cases
07:54 < imachine> they're all in the same subnet tho
07:55 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
07:55 < imachine> if I don't use ccd, I can access the clients no probs.
07:57 < imachine> I've added iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.0.0/24 -j ACCEPT this line on the server
07:58 < imachine> (which looks silly btw, but my iptables knowledge is weak)
07:58 < imachine> it makes no difference nonetheless
07:58 < imachine> I still can't ping the machines...
07:59 < imachine> 10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
08:00 < imachine> this is how route looks on a client machine.
08:00 < imachine> looks good to me...
08:02 < dazo> imachine: it sure seems to look fine enough ... I'm sorry I don't have too much time now to help you out further ... I'll try to come back later
08:02 < imachine> dazo, much appreciated.
08:03 < imachine> dazo, I've turned off ccd/ which pushed ips to clients, and I can ping them again and client-to-client works as expected :) 08:03 < imachine> so I'm guessing with pushing ips to clients I need to add something to it ;] 08:03 < dazo> imachine: very strange that ccd should make that happen 08:04 -!- sirlog [n=malutzke@f053021112.adsl.alicedsl.de] has joined ##openvpn 08:05 < imachine> ifconfig-push 10.8.0.5 10.8.0.6 08:05 < imachine> this is what I have in ccd/client-file 08:05 < imachine> (on the client side, the addresses work fine, and I can access the vpn server. just not other clients) 08:05 < dazo> imachine: just a brief thought .... could it be that client-to-client do not work in tun mode? that you need tap mode? ... or topology subnet? 08:12 < ecrist> no 08:13 < ecrist> client-to-client works in tun mode 08:14 < sirlog> Hi@all, 08:14 < sirlog> primary I wanted to connect our PPC to the company. Because of the logs now I'm trieing it with another PC. So I've got a Open VPN Server and a Client. I have forwarded TCP and UDP (Port 1194) to the OpenVPN server and added the iptable entries. I just generated a static key and have written a config. But when I try to connect to the server I get the following error message: 08:14 < sirlog> Wed Feb 25 15:12:06 2009 us=801837 Attempting to establish TCP connection with 78.53.21.112:1194 08:14 < sirlog> Wed Feb 25 15:12:08 2009 us=202351 TCP: connect to :1194 failed, will try again in 5 seconds 08:14 < sirlog> Can anybody help me please. This problem is going to make me crazy. Thanks a lot. If you need further configurations just tell me. 08:15 < ecrist> sirlog: it's a problem with your firewall. something's not forwarded, or is being blocked. 08:15 < ecrist> not an openvpn-specific problem. 08:16 < sirlog> hmm but it's the same when I try it with the internal IP address 08:16 < imachine> dazo, nope, works just right. both with ccd and without, I use tun mode. 
08:16 < imachine> dazo, only with ccd, issues arise:) 08:17 < imachine> oh, and I use tcp mode, if that's any differnet. 08:17 < imachine> ;] 08:17 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn 08:18 < sirlog> yes I tried it again with the internal IP address and I get the same error message 08:18 -!- thefish [n=thefish@80-235-156-245.cable.ubr23.newt.blueyonder.co.uk] has joined ##openvpn 08:23 < sirlog> So I thougt it is enough when I add: 08:23 < sirlog> iptables -A INPUT -p tcp --dport 1194 -j ACCEPT 08:23 < sirlog> iptables -A OUTPUT -p tcp --dport 1194 -j ACCEPT 08:23 < sirlog> iptables -A INPUT -i tap+-j ACCEPT 08:23 < sirlog> iptables -A FORWARD -i tap+-j ACCEPT 08:23 < sirlog> Am I wrong? 08:25 -!- elshaa [n=elshaa@o.es6.aedgency.net] has joined ##openvpn 08:25 < elshaa> hi 08:26 < ecrist> sirlog: don't know. I don't know iptables, and don't run linux 08:26 < elshaa> I'm having a problem with openvpn2.1-0.29.rc15.el5.x86_64configured with tap0. When starting openvpn 08:26 < elshaa> sorry 08:27 < elshaa> when starting openvpn, the tap0 interface is not created. 08:27 < elshaa> I do have an interface configuration for tap0, so it's not started at boot time 08:28 < elshaa> I have an other server using the same type of configuration, and tap0 is created when openvpn starts... 08:28 < sirlog> Thanks ecrist. Does anyone else have an idea? 08:29 < c64zottel> how does cisco's vpn works? routing or bridging? 
08:34 -!- kyrix [n=ashley@91-115-30-176.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
08:34 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Connection reset by peer]
08:34 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
08:35 -!- kyrix [n=ashley@93-82-10-71.adsl.highway.telekom.at] has joined ##openvpn
08:36 -!- brutuz [n=brutuz@ip67-88-58-242.z58-88-67.customer.algx.net] has joined ##openvpn
08:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
08:37 < brutuz> hi all i was wondering what happens when --keepalive 10 30 was set...
08:37 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has left ##openvpn ["Leaving"]
08:37 < brutuz> i was reading through it i got the first parameter.. "10"
08:38 < brutuz> it will send ping after 10 secs of no traffic..
08:38 < brutuz> but i got lost on "30" the 2nd parameter..
08:38 < brutuz> is this similar to dead timers?
08:45 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has quit [Read error: 60 (Operation timed out)]
08:54 -!- kyrix [n=ashley@93-82-10-71.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
08:55 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
08:55 < lkthomas_> Hi all
08:56 < lkthomas_> Anyone still alive?
08:57 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit [Client Quit]
08:58 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
08:59 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit [Client Quit]
09:00 -!- lkthomas_ [n=lkthomas@203.145.92.78] has joined ##openvpn
09:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:25 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection]
09:26 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn
09:28 -!- lkthomas_ [n=lkthomas@203.145.92.78] has quit ["Rooms o iPhone IRC Client o http://rooms.derflash.de"]
09:28 -!- dmb [n=dmb@unaffiliated/dmb] has quit [Read error: 110 (Connection timed out)]
09:31 -!- dmb [n=dmb@unaffiliated/dmb] has joined ##openvpn
09:39 -!- sirlog [n=malutzke@f053021112.adsl.alicedsl.de] has quit [Remote closed the connection]
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 -!- Zeti [n=gs@e180019244.adsl.alicedsl.de] has joined ##openvpn
09:58 < Zeti> hi folks
09:58 < Zeti> running my openvpn is fine, but using /etc/init.d/openvpn start fails
09:58 < Zeti> my server.conf is in /etc/openvpn
09:58 < Zeti> does it need anything else?
10:00 < Zeti> !logs
10:00 < vpnHelper> Zeti: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
10:17 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."]
10:26 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:30 -!- thefish [n=thefish@unaffiliated/thefish] has quit [Read error: 104 (Connection reset by peer)]
11:13 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
11:18 -!- Zeti [n=gs@e180019244.adsl.alicedsl.de] has quit ["Verlassend"]
11:48 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:49 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
11:54 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection]
12:12 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Connection timed out]
12:12 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:15 -!- downhill_ [n=downhill@unaffiliated/err0r] has left ##openvpn ["Leaving."]
12:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:17 -!- downhill_ [n=downhill@unaffiliated/err0r] has joined ##openvpn
12:29 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:40 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has joined ##openvpn
12:40 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has quit [Remote closed the connection]
12:42 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has joined ##openvpn
12:51 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
12:51 < sigmonsays> Hiyah
12:52 < sigmonsays> Anyone know how to run a iptables firewall script on post-connect for vpn clients?
12:54 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn
12:55 < Tophat> If i use openvpn in a business do i only need to apply for commercial licensing if i make changes to the code and keep them to myself?
13:05 < ftp3> anyone have any ideas on my question yet?
13:25 < mkultras> sigmonsays: if you use kvpnc to connect it has a place to enter in commands to run after connect
13:25 < mkultras> you could put the iptables lines in there
13:25 -!- downhill_ [n=downhill@unaffiliated/err0r] has quit [Remote closed the connection]
13:26 < sigmonsays> mkultras, interesting.. i'll have to check that out
13:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:56 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has quit [Read error: 110 (Connection timed out)]
14:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:56 < sigius> ftp3: repeating the question might help
15:19 -!- sentronbarby [n=vildent@chello080108035065.3.11.vie.surfer.at] has joined ##openvpn
15:21 < sentronbarby> hello
15:42 < sigius> ...
15:53 -!- Kamilion [n=chatzill@204-16-153-84-static.ipnetworksinc.net] has joined ##openvpn
15:55 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:55 < Roman123> hiho
15:56 < Kamilion> Howdy. I'm trying to get saved passwords to work on 2.1_rc15 with a windows build... After reading the HOWTO and the windows Build instructions, it tells me to edit makefile.32 to add my lzo and openssl paths... But I can't find makefile.32. Then I'm told to make a change in config-win32.h and define ENABLE_PASSWORD_SAVE, but grepping the file for PASSWORD turns up nothing.
15:58 < Kamilion> Where do I go from here? I can't find ANY .32 files whatsoever.
16:06 < Kamilion> The backstory: I've got a standalone 866Mhz compaq box running XP, with special idiotic java-based HP Laserjet 2840 scanner drivers. The only problem is, it's in another room, is headless, and connects to our wifi. I've found several 'solutions' like using AutoHotKey or AutoitV3 to fake user interaction, but since the machine is headless, GUI interaction is a no-no.
16:19 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
16:20 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
16:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
16:48 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
16:49 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 113 (No route to host)]
17:00 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has joined ##openvpn
17:08 < christophe_> hello, i have a problem with openvpn, it always starts reconnecting. This is my serverlog: http://pastebin.com/m5ace7ba4 , my clientlog: http://pastebin.com/m1360bf43 and finally my conf-file: http://pastebin.com/m7a502521
17:08 < christophe_> Is there someone here who can find my problem?
17:09 < christophe_> These 2 lines seem weird:
17:09 < christophe_> #
17:09 < christophe_> Thu Feb 26 00:02:50 2009 Local Options hash (VER=V4): '69109d17'
17:09 < christophe_> #
17:09 < christophe_> Thu Feb 26 00:02:50 2009 Expected Remote Options hash (VER=V4): 'c0103fa8'
17:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
17:21 -!- Kamilion [n=chatzill@204-16-153-84-static.ipnetworksinc.net] has quit ["AIEEEEEEEEEEEEEEEeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"]
17:22 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Client Quit]
18:15 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has quit [Remote closed the connection]
18:19 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
18:20 < kim0> Hi everyone... My openvpn server is getting a UDP connection request .. it is replying .. but that reply packet is not reaching the initial connector
18:21 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:46 < ftp3> i want to setup a vpn between my home network and my work computer and my roving laptops. I wanted to install openvpn in our datacenter, and then have everything connect to it and share.. is this possible? (seems like what Hamachi does)...
19:01 -!- ixs [i=andreas@lacht.ueber.gattinnen-im-netz.de] has joined ##openvpn
19:01 < ixs> evening.
19:02 < ixs> i have a openvpn2.1rc15 installation here and an interesting problem.
19:02 < ixs> when a client is disconnecting and quickly reconnecting, the client-disconnect script is not called.
19:02 < ixs> is that considered normal behaviour?
19:04 -!- kyrix [n=ashley@91-115-189-239.adsl.highway.telekom.at] has joined ##openvpn
19:13 -!- kim0 [n=kimoz@unaffiliated/kim0] has left ##openvpn ["Konversation terminated!"]
19:34 < ecrist> ixs, could be
19:34 < ecrist> depends on how quickly, could be a bug, as well.
19:35 < ecrist> I'd write the mailing list, if I were you.
19:48 < ixs> ecrist: I'll delegate that job. thx. Gotta look into it a bit more. sometimes the script is called, sometimes it isn't.
19:48 < ixs> looks somewhat racing conditionish...
19:48 < ixs> but off to bed now.
19:48 -!- ixs [i=andreas@lacht.ueber.gattinnen-im-netz.de] has left ##openvpn ["l8rs"]
20:15 < dvl> Finally had cause to use a CRL today. http://openvpn.net/index.php/documentation/howto.html#revoke
20:15 < vpnHelper> Title: HOWTO (at openvpn.net)
20:15 < dvl> I no longer work for my previous employer. That Macbook I used had a cert on it for my VPN. Gone.
20:17 < dvl> ecrist: when you're back, see above. FYI
21:12 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
21:18 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
21:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
21:58 -!- MrY [n=mry@67-207-118-99.static.wiline.com] has joined ##openvpn
21:58 < MrY> is there a way to get openvpn to use certificate on usbkey like etoken usbkey or ikey etc?
22:11 -!- Feltenix [n=Tanstaaf@adsl-074-166-075-102.sip.asm.bellsouth.net] has joined ##openvpn
22:12 < Feltenix> is there a way to tie an openvpn key to a user account?
22:26 -!- MrY [n=mry@67-207-118-99.static.wiline.com] has quit [Read error: 110 (Connection timed out)]
22:52 -!- kyrix [n=ashley@91-115-189-239.adsl.highway.telekom.at] has quit ["Leaving"]
23:10 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
23:10 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Connection timed out]
23:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
23:12 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
23:48 -!- sentronbarby [n=vildent@chello080108035065.3.11.vie.surfer.at] has quit ["Verlassend"]
--- Day changed Thu Feb 26 2009
00:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:46 < dazo> sigmonsays: I saw your question about running iptables script on post-connect of VPN clients .... checkout http://www.eurephia.net/
00:46 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
--- Log closed Thu Feb 26 00:59:12 2009
--- Log opened Thu Feb 26 06:38:17 2009
06:38 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
06:38 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal]
06:38 -!- Irssi: Join to ##openvpn was synced in 1 secs
08:05 -!- dar_ [n=dar@fwnctech.nctech.fr] has quit [Read error: 104 (Connection reset by peer)]
08:22 < ecrist> why must I lag?
08:24 < imachine> life
08:24 < imachine> it goes in circles and lags.
08:24 < imachine> anyway, is openvpn memleakish ?
08:24 < imachine> should I restart it once a month if I run a server?
08:25 < imachine> 2.0.9
08:25 < imachine> low mem conditions ;)
08:25 < imachine> Mem: 14304 13440 864 0 424
08:26 < imachine> 864k free
08:26 < imachine> I also see that nonetheless, using static keys consumes less memory than using certs.
08:27 < ecrist> imachine: shouldn't have problems
08:27 < ecrist> I've got a server that's got about 200 days uptime, currently
08:28 < imachine> so I guess I'll consider using static keys, despite lesser security or so.
08:28 < imachine> ecrist, okay. probably the rest of the software will be more problem causing.
08:28 < imachine> :)
08:28 < imachine> yeah but you have swap probably
08:28 < imachine> and you probably have more than 800k memory free ;)
08:28 * imachine runs OpenWRT on Linksys WRT54GL routers.
08:28 < imachine> + openvpn to certain locations from that.
08:29 < imachine> (it seems to work pretty smooth, sans comp-lzo)
08:32 < Roman123> imachine: I run openvpn on five openwrt boxes without any (memory) problem
08:32 < imachine> cool!
08:32 < imachine> the wrt54gl has only 16megs
08:32 < imachine> dhcp, vpn client, vpn server...
08:32 < imachine> well, we'll see.
08:32 < Roman123> that's why I prefer the asus wl-500gp
08:33 < Roman123> very cool stuff
08:33 < imachine> I'm not sure I can get hold of those here.
08:33 < imachine> I'd rather use ALIX
08:33 < imachine> 600MHz and small format, standard board.
08:33 < imachine> I think it's via.
08:33 < imachine> but, for now, I got these WRTs since they're easy to obtain.
08:33 < imachine> alix, I'd have to order in etc.
08:33 < Roman123> imachine: yeah, but the price of one asus is 70Euro.
08:34 < Roman123> imachine: how expensive is it?
08:34 < imachine> the alix?
08:34 < Roman123> yes
08:34 < imachine> about 100 euro
08:34 < imachine> let me check
08:35 < imachine> http://www.interprojekt.pl/wiki/Wiki.jsp?page=ALIX-BOARD-6b2
08:35 < vpnHelper> Title: InterProjekt Wiki :: PC Engines :: PC Engines ALIX.6B2 Geode LX800 500MHz 256MB RAM :: InterProjekt (at www.interprojekt.pl)
08:35 < imachine> about 120 euros.
08:36 < imachine> http://www.pluscom.pl/index.php?m=66 you can get them cheaper. but you should look in your own country of course :)
08:36 < vpnHelper> Title: ALIX - PLUSCOM (at www.pluscom.pl)
08:37 < imachine> of course, with 120 euro you just get the board.
08:37 < imachine> +20 for a mpci wifi card and about 10 for psu
08:37 < imachine> +10 for case.
08:37 < imachine> it's still worth it tho I guess... not sure if they include flash too.
08:38 < imachine> so a small flash card might be required. still, it's a decent board. if you're not the one paying for it, I hear it's worth it. tho to be honest, I haven't had my hands on them personally.
08:38 < Roman123> imachine: looks nice, but I prefer ready-to-go solutions such as wrt-54gl or asus wl-500gp.
08:38 < imachine> yea
08:38 < imachine> alix you need to play with.
08:38 < imachine> but they're powerful.
08:38 < imachine> what's the asus got ?
08:38 < Roman123> yes
08:39 -!- fgqsg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-e5e4a0ec5c18150e] has joined ##openvpn
08:39 < fgqsg> hi there
08:39 < imachine> cpu/ram/flash size?
08:39 < imachine> su
08:39 < imachine> p
08:39 < fgqsg> i try to configure openvpn on my ubuntu pc it display this error
08:40 < Roman123> 266 MHz/32MB/16MB
08:40 < Roman123> That's more than enough
08:40 < imachine> yeah.
08:40 < imachine> 32mb is nice.
08:40 < imachine> WRT54GS
08:40 < fgqsg> sudo openvpn /etc/openvpn/server.conf Thu Feb 26 15:38:11 2009 OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 15 2008 Thu Feb 26 15:38:11 2009 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. Thu F
08:40 < imachine> nice too
08:40 < fgqsg> can anyone help
08:41 < Roman123> fgqsg: well, change your subnet address to something else?
08:42 < Roman123> I don't get the problem
08:42 < fgqsg> what i have to change ,
08:43 < Roman123> your ip range.
08:43 < Roman123> At the moment you use 192.168.0.0/24 or 192.168.1.0/24, right?
08:43 < Roman123> for your local subnet
08:45 < Roman123> fgqsg: how may computers do you run in your subnet?
08:45 < Roman123> s/may/many
08:50 < fgqsg> sorry for the delay
08:50 < fgqsg> for the moment there are 3 pc
08:50 < fgqsg> in my subnet roman123
08:51 < Roman123> fgqsg: ok, and their ip addresses are?
08:51 < fgqsg> 192.168.0.1
08:51 < fgqsg> 192.168.0.3
08:51 < fgqsg> 192.168.0.10
08:51 < fgqsg> these are my subnet ip s
08:51 < Roman123> btw, do you have the permission to change their ip addresses? e.g., are you the admin / is it your network?
08:52 < Roman123> for example, use instead
08:53 < Roman123> 10.1.2.1, 10.1.2.3, and 10.1.2.10
08:53 < Roman123> or 192.168.25.1, 192.168.25.3, 192.168.35.10
08:53 < fgqsg> no
08:54 < fgqsg> i dont think
08:54 < Roman123> anything else than 192.168.0.x
08:54 < fgqsg> i live in france
08:54 < imachine> man doing vpns over gprs/3g is madness.
08:54 < fgqsg> i got freebox
08:54 < imachine> slows.
08:55 < imachine> okay gotta go. lates!
08:55 < fgqsg> i dont think is possible
08:55 < Roman123> why?
08:56 < Roman123> everything is possible, you live in france and not in china ;)
08:57 < fgqsg> lol
08:57 < fgqsg> wait
08:57 < fgqsg> i check if i can change my subnet to 10.1.2.1
08:58 < Roman123> fgqsg: which openvpn mode do you use tun or tap?
08:58 < fgqsg> tap
08:59 < Roman123> ok, do you really want tap?
08:59 < Roman123> or need tap?
08:59 < fgqsg> no really
09:00 < fgqsg> give me the easiest solution
09:00 < Roman123> fgqsg: ok, then use tun
09:00 < fgqsg> thats enough
09:00 < Roman123> fgqsg: for you it is tun, then
09:00 < fgqsg> how do i change settings to tun ,
09:01 < Roman123> in your config files replace tap by tun
09:01 < fgqsg> server;conf file ,
09:01 < fgqsg> is it ,
09:01 < Roman123> also on the client
09:01 < fgqsg> ok
09:02 < Roman123> fgqsg: which linux distribution do you run?
09:02 < Roman123> ubuntu?
09:03 < fgqsg> yes
09:03 < fgqsg> ubuntu
09:03 < fgqsg> i use ubuntu
09:04 < fgqsg> i can change setting to 192.168.25.1, 192.168.25.3, 192.168.35.10
09:04 < dazo> fgqsg: it's some known issues with Ubuntu and some of the openvpn version distributed .... you probably would like to compile from source to be sure ....
09:04 * dazo will try to find the link
09:06 < Roman123> fgqsg: I'm looking for an ubuntu step-by-step howto on google for you.
09:06 < Roman123> one moment
09:08 < Roman123> fgqsg: http://ubuntuforums.org/showthread.php?t=239219 <-- looks solid for ubuntu
09:08 < vpnHelper> Title: setup openVPN server? - Ubuntu Forums (at ubuntuforums.org)
09:08 < Roman123> it utilizes a tun-mode for the openvpn server
09:09 < Roman123> the howto is quite old but it should still work
09:09 < Roman123> important is the sample configuration file
09:10 < Roman123> fgqsg: good luck
09:10 -!- plaerzen [n=carpe@vip4.tundraeng.com] has joined ##openvpn
09:10 < ecrist> moin plaerzen
09:10 < plaerzen> moin
09:10 < fgqsg> thx roman123
09:10 < plaerzen> how is everything ecrist ?
09:11 < fgqsg> so if i understand it correctly
09:11 < fgqsg> i have to restart all my setting from a to z
09:11 < fgqsg> is it ,
09:12 < fgqsg> r u still ther ,
09:13 < fgqsg> roman123
09:13 < Roman123> fgqsg: http://openvpn.net/index.php/documentation/howto.html <-- take a look at this
09:13 < vpnHelper> Title: HOWTO (at openvpn.net)
09:13 < Roman123> it is well written
09:13 < Roman123> and easy to understand
09:14 < fgqsg> well
09:14 < fgqsg> i just follow how to document of ubuntu-fr
09:15 < fgqsg> i download from apt-get install
09:15 < fgqsg> openvpn
09:15 < fgqsg> why do you ask to change my sub net address to 192.168.25.x , ,,,,
09:15 < fgqsg> why i have to change to that address
09:16 < Roman123> fgqsg: you don't have to change it at all!
09:16 < Roman123> this is just a warning
09:16 < ecrist> plaerzen: looks like I'm having a girl.
09:16 < ecrist> well, we, my wife is the one *having* the baby.
09:17 < fgqsg> so you ask me to change only the server id .
09:17 < Roman123> if you utilize the bridged (tap) mode, then maybe you run into problems if you connect from outside (road with a subnet 192.168.0.x) to your private network (192.168.0.x)
09:17 < fgqsg> is it ,.
09:17 < Roman123> clear?
09:18 < fgqsg> yes
09:18 < Roman123> for example, imagine you're on holiday and at an internet cafe
09:19 < Roman123> they have a private network 192.168.0.x
09:19 < fgqsg> yes
09:19 < Roman123> you connect your notebook to their private network and connect to your network using openvpn
09:19 < Roman123> bang
09:20 < Roman123> then you connect two private networks with 192.168.0.x
09:20 < Roman123> this can but must not be a problem
09:20 -!- cbt [n=cbt@75.150.49.162] has joined ##openvpn
09:21 < fgqsg> ok
09:21 < fgqsg> understand
09:21 < Roman123> so you have two options
09:21 < Roman123> 1. change your lan/private subnet at home and stay with the tap-mode
09:21 < Roman123> 2. switch to the tun mode
09:22 -!- Balazs [n=chatzill@81.183.224.187] has joined ##openvpn
09:22 < Roman123> http://openvpn.net/index.php/documentation/howto.html <- there is a good section about what's the difference between tun or tap. Please read it and then decide with is better for you
09:22 < vpnHelper> Title: HOWTO (at openvpn.net)
09:22 < Roman123> fgqsg: ^^
09:22 < Roman123> ok?
09:23 -!- tzanger [n=tzanger@gromit.mixdown.ca] has joined ##openvpn
09:23 < Roman123> s/with/which
09:23 < fgqsg> ok
09:23 < Roman123> ecrist: congrats
09:23 < tzanger> good morning. I'm trying to get my client configuration to do the equivalent of "push dhcp-option xxx" -- the server side isn't doing it, and I'm getting kind of tired of updating resolv.conf manually.
09:24 < Roman123> ecrist: girls are easier to handle until they hit puberty
09:24 < tzanger> is it possible to use something equivalent to "push "dhcp-option DNS 1.2.3.4"" in the client configuration file and have it set foreign_dhcp_x correctly (so the supplied resolvconf scripts work) ?
09:24 < Roman123> ecrist: because this will also hit you too ;-P
09:25 -!- fxcs [n=fxcs@p578b5976.dip0.t-ipconnect.de] has quit []
09:25 < dazo> tzanger: In the *nix world you need to do something with some --up scripts to make it work properly .... I've not dug into this, so I'm not quite sure what's really needed
09:26 < dazo> tzanger: but involving the resolvconf package (for most Linux distros) is usually a starting point from what I've read
09:26 < Roman123> ecrist: replace the last "hit" by "influence" because that word matches better
09:26 < tzanger> dazo: damn... it's too bad the client.conf files didn't accept the push command; it'd "just work" then
09:26 < tzanger> dazo: yes, resolvconf is there, and there is already support for doing this through the foreign_option_x environment variables
09:26 < tzanger> dazo: alternatively, is it possible to set environment variables in the client.conf file?
09:26 < dazo> tzanger: I know ... but updating /etc/resolv.conf .... that's really tricky business, when you want it done "The right way(tm)"
09:27 < tzanger> dazo: even more reason to try to use the already-supplied scripts :-)
09:27 < dazo> tzanger: not sure
09:28 < Balazs> Dear all! I read the how tos, but my openvpn server is not working well... anybody made a very detailed doc about that?
09:29 < fgqsg> it was taking to understand
09:29 < ecrist> Balazs: there are lots of them out there.
09:29 < fgqsg> but at final i understand
09:29 < fgqsg> thx a lot roman123
09:31 < Balazs> ecrist: I tried on ubuntu and on debian 5.... the last one looks a little bit better but not good enough. Do you have any experience in pptp vpn?
09:31 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
09:32 < ecrist> Balazs: I've a fair amount of experience with OpenVPN
09:33 < Roman123> fgqsg: no problem
09:34 -!- fgqsg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-e5e4a0ec5c18150e] has quit ["http://www.mibbit.com ajax IRC Client"]
09:35 -!- mib_z3d3li [i=ad0876dd@gateway/web/ajax/mibbit.com/x-37311b75bff43eee] has joined ##openvpn
09:35 < ecrist> what's with all the mibbit clients, lately?
09:36 < mib_z3d3li> fuck you
09:36 < ecrist> o.O
09:36 < ecrist> that hurts. :(
09:37 < mib_z3d3li> anyone know if mibbit logs conversations?
09:37 < mib_z3d3li> this is actually a pretty neat irc client.
09:37 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:38 < Roman123> Balazs: Hi! Take a look at your sentence/question again. You have written that your server is not working well and then asked if there is anybody who has made a detailed doc about that.
09:39 -!- mib_z3d3li [i=ad0876dd@gateway/web/ajax/mibbit.com/x-37311b75bff43eee] has quit [Client Quit]
09:40 * dazo don't want to try mibbit .... irc sessions seems to last too short for his taste
09:40 < Roman123> Balazs: I'm pretty sure that there is no one who wrote a detailed doc about your non-working server. ;-)
09:40 < Roman123> Balazs: where is the problem in detail. What does not work? Please pastebin some logs-
09:41 < Roman123> and perhaps someone can help you
09:43 < Balazs> Roman123: you're right. ;)
09:43 < Balazs> Roman123: I installed ubuntu 8.04 and 8.10 and now debian 5.0
09:44 < Roman123> ok
09:44 < Balazs> as I saw in the documents when I installing the module it will ask to create a tun/tap adapter.... it is strange, but I think it is not created... I created manually.
09:45 < Balazs> I am using webmin to create the CA, server and client keys.
09:45 < Roman123> Balazs: ok, the kernel module is loaded?
09:46 < Balazs> once on ubuntu I could connect and got an IP but unable to ping the other subnet
09:46 < Roman123> Balazs: ok, do you run a firewall?
09:46 < Balazs> yes, I checked in the webmin, that is running.
09:46 < Roman123> perhaps the firewall blocks
09:46 < Balazs> the firewall rule is: enable all.
09:47 < Balazs> no restrictions.
09:47 < Roman123> which mode do you use (tun or tap)?
09:47 < Balazs> I prefer openvpn but I thought that maybe the pptp will be easier for me but same happened... unable to ping.
09:48 < Roman123> sorry for the hard words but pptp is crap ;-)
09:48 < Roman123> stay with openvpn or ipsec
09:48 < Balazs> It is interesting, because as I heard I have to use tap on Windows XP, so tap, but tun could be better.
09:49 < Roman123> try tun, IMHO it is much more easier to setup
09:50 < Roman123> Balazs: http://openvpn.net/index.php/documentation/howto.html <- there is a good section about what's the difference between tun or tap. Please read it and then decide with is better for you
09:50 < vpnHelper> Title: HOWTO (at openvpn.net)
09:50 < Roman123> s/with/which
09:51 < Balazs> I read it, that's the point why I'd like to stay at TUN.
09:51 * Roman123 should avoid to copy-and-paste sentences without correcting typos :) 09:51 < Roman123> Balazs: ok, then change tap to tun 09:52 < Balazs> IMHO like a webmin what can manage the installation and setup or like openvpn what contains the openvpn functionalities? 09:53 < plaerzen> ecrist, Congrats! 09:53 < Roman123> you do not need webmin. you just need two config files. 09:53 < Roman123> one on the server and one on the client side. 09:54 < Roman123> webmin just complicates the problem. 09:55 < Roman123> take the example script from the openvpn website, change the ip's and the location & name of the certs and, assuming your firewall is not blocking the connection, everything should work fine 09:55 < Roman123> Balazs: ^^^ 09:57 -!- Balazs_ [n=chatzill@81.183.224.187] has joined ##openvpn 09:59 < Balazs_> Roman123: I am back.... so please tell me to use tun under XP am I have to do something or the simple openvpn will solve everything? 09:59 < Balazs_> may I ask yo uby mail or only here? 10:01 < Roman123> Balazs: tun should work in xp out of the box once you've installed the openvpn client and have enabled tun in the client config file. 10:02 < Balazs_> it looks easy. tomorrow I will try it. Will you be here tomorrow? 10:02 < Roman123> TAP-WIN32 Adapter V8 is just the name of the network adapter in windows xp 10:02 < Balazs_> OK. 10:02 < Roman123> Balazs: sorry, tomorrow I'm on holiday 10:03 < Balazs_> you are lucky. :) 10:03 < Balazs_> can I reach you by mail or just only here? 10:03 < Roman123> Just ask here 10:03 < Roman123> here are tons of experts 10:03 < dazo> Balazs_: please, let the man have some holiday in peace ;-) 10:03 < Roman123> I'm also not an expert 10:03 < Balazs_> okay, have a nice holiday I will ask you later. 10:04 < Roman123> I'm just trying to help as far as I can. 10:05 < Balazs_> thank you. 10:05 < Balazs_> what about IMHO? 10:06 < Roman123> in my humble opinion 10:07 < Balazs_> lol 10:08 < Balazs_> bye and see you next time. 
10:08 -!- Balazs_ [n=chatzill@81.183.224.187] has quit ["ChatZilla 0.9.84 [Firefox 3.0.6/2009011913]"] 10:09 < Roman123> I don't understand why people claim that IPSEC is so hard to setup. 10:10 < ecrist> Roman123: it is fairly complicated to grasp 10:10 < Roman123> Yesterday, I managed to fire up an IPSEC tunnel between two routers. It took about 20 minutes to configure racoon. 10:10 < Roman123> and that was all 10:11 -!- Balazs [n=chatzill@81.183.224.187] has quit [Read error: 110 (Connection timed out)] 10:11 < ecrist> doesn't mean it's not complicated. 10:12 < Roman123> and this was my first IPSEC time. ;-) 10:12 < ecrist> you're obviously superior to mortals 10:12 < Roman123> nope, definitely not 10:14 < Roman123> Usually, I spend hours on very simple things ;-) 10:15 < ecrist> it only takes me about 2 mins to config an IPSec tunnel between cisco routers. 10:15 < ecrist> :) 10:15 < Roman123> the version of racoon, which is included in openwrt 8.09, seems a bit buggy. 10:15 < Roman123> cisco vpn does not count 10:15 < ecrist> Roman123: why not? 10:18 < Roman123> the ones I've seen feature that ipsec cisco stuff which was very easy to configure. 10:18 < ecrist> Roman123: I'm not talking about a web interface, either. 10:18 < Roman123> ahh, ok 10:18 < ecrist> and, if you've never done cisco IPSec, you have no right to speak on the matter. 10:19 < Roman123> the ipsec tunnel offers one very nice thing. It can be built up from both sides of the tunnel. 10:19 < Roman123> I guess that's not possible by means of openvpn, or is it? 10:20 < Roman123> just a ping establishes the tunnel 10:20 < ecrist> right, which means the tunnel is only *up* during use.
10:21 < Roman123> you can configure it to stay up 10:22 < Roman123> until one side is disconnected from the net or racoon is shut down 10:23 < Roman123> reboot the router and start racoon followed by a ping in a start script 10:26 < Roman123> have to go 10:26 < Roman123> ecrist: bye 10:27 < Roman123> cu later 10:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:29 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"] 10:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:53 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:04 < plaerzen> I don't think I like that guy 11:19 < ecrist> which one, Roman123? 11:26 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 11:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:44 < plaerzen> ecrist, yeah 11:49 < ecrist> ditto 11:50 < plaerzen> Who says things like "If I'm retarded, and I can set up IPSEC in 20 minutes... what does that make you, who (although I never bothered to ask or converse in any way) probably can't do it in that time?" 11:52 < jpalmer> I think he clearly admitted that he wasn new to IPSEC, and as such, probably doesn't know all the intricacies involved in anything more than a basic configuration. 11:52 < jpalmer> s/wasn/was/ 11:52 < ecrist> yeah, kind of gathered that from him. 11:53 < ecrist> what sort of annoyed me is that he's here for help, but he's offering help, and criticising others, as if he's an expert 11:53 < ecrist> I'm sick, so sooner or later, he'll piss me off. 
:) 11:53 < jpalmer> you know what they say about arrogance and ignorance ;) 11:53 < ecrist> lol 11:55 < jpalmer> once he does something a little more involved than a basic setup, he'll likely gain a little respect for the difficulty level people talk about. until then, he's a little on the ignorant side, and a lot on the arrogant side. experience will (hopefully) humble him. 11:56 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn 12:00 < krzee> hehe 12:00 < krzee> whats up gentlemen 12:00 < krzee> sorry to hear you're sick eric 12:00 < ecrist> howdy krzee 12:01 < krzee> i am shitting every 15 minutes, i think i drank the water or something 12:01 < krzee> so i know how ya feel 12:01 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn [] 12:01 < ecrist> lol, hey, did you send that package fedex? 12:01 < krzee> sure did 12:01 < krzee> so i guess it arrived? 12:02 < ecrist> ok, they tried to deliver yesterday, I was at the ultrasound for the new baby yesterday, so they should try to redeliver it today 12:02 < krzee> or they tried and nobody was home 12:02 < krzee> ahh right on 12:02 < ecrist> 80-90% it's a girl. 12:02 < krzee> everything normal with the baby? 12:02 < krzee> ahh cool 12:02 < ecrist> all is well. 12:02 < krzee> good to hear 12:03 * krzee will follow the north star when the baby is born 12:03 < ecrist> afk for a bit - gotta make a samich 12:03 < krzee> with 2 other guys and gifts 12:07 < ecrist> lol 12:19 < MgGuGu> Hi .. I'm having a problem to get connected to an openVpn server from client .. i'm getting the "TLS key nego failed to occur in 60 sec" msg .. 12:19 < MgGuGu> I've check'd iptables n firewalls on client side also .. 12:19 < MgGuGu> as far as i know ..
all firewalls allowing 1194 12:23 < MgGuGu> this is my server.conf 12:23 < MgGuGu> http://pastebin.com/m2edd9054 12:23 < MgGuGu> i'm trying to get ethernet bridging 12:25 < MgGuGu> here is my client.conf 12:25 < MgGuGu> http://pastebin.com/maf488cc 12:43 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 104 (Connection reset by peer)] 12:45 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 13:38 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn 13:39 < higuita> anyone have any tip how to use openvpn in windows vista, without administrative rights? 13:39 < higuita> i spent all day trying to workaround it, but vista is a bitch! 13:41 < krzee> it MUST have admin 13:41 < krzee> it must add routes... 13:41 < krzee> !factoids search win 13:41 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', and 'wins' 13:41 < krzee> !win_noadmin 13:41 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows 13:42 < krzee> but you can try that 13:42 < krzee> ;] 13:42 < krzee> (forgot about that) 13:42 < krzee> MgGuGu, why do you want bridging? 13:46 < krzee> !tunortap 13:46 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 13:48 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 13:49 < Roman123> Hi! 14:01 < ecrist> krzee: back at home? 
14:02 < Roman123> hi ecrist 14:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:28 -!- cbt [n=cbt@75.150.49.162] has quit ["Leaving"] 14:35 < krzee> ecrist, nah still in peru 14:36 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn 14:40 < qkf> hello i hope somebody can help - http://rafb.net/p/zMReYU99.html 14:40 < vpnHelper> Title: Nopaste - No description (at rafb.net) 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:44 < qkf> i do not seem to be able to have more than one remote computer connected to my OpenVPN server - once one machine has a connection the OpenVPN server stops listening for new connections until it is restarted 14:45 < higuita> krzee: let me explain better, in XP, the runas trick works fine, but in vista the UAC blocks the admin rights even with the runas 14:49 < higuita> qkf: try to increase the debug log to see why it stops working... or in despair, strace the openvpn process :) 14:50 < qkf> i will try the former :) 15:00 < qkf> no clues 15:01 < Roman123> How can I ensure that an openvpn tunnel always stays up (if there is a network connection between server and client). I've tried the following things: 1. Disconnect the cable from the server -> wait 20 seconds -> reconnect cable -> connection comes up again. :-) 2. restart the server -> it takes about two minutes until the connection is up again. I guess that's the keep alive "10 120" option. Is it a good idea to reduce the value 120? Or could tha 15:01 < qkf> with verbosity at 10 i can see the socket listener start 15:01 < Roman123> t cause problems?
15:16 -!- demoncyber_ [n=marco@200.18.3.253] has joined ##openvpn 15:27 < higuita> Roman123: IMHO, there is no problem at all, its mostly a fine tune that each user must test on its network and usage 15:27 < Roman123> ok, then I'll reduce the value to 60 15:28 < Roman123> which should be fine for me 15:28 < higuita> test it with various values and use the one that works better... just remember that reconnect costs time, so you dont want to reconnect without need 15:34 < Roman123> In order to achieve a continuous tunnel should I enable persist-tun and persist-key? 15:35 < Roman123> I saw on the manpage: "The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade." 15:35 < Roman123> and "Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart restarts. SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset options." 15:36 < Roman123> well, I don't understand what this means in detail. 15:37 < Roman123> On the one hand, is it faster to close and reopen the TUN/TAP device, i.e., disable persist-tun 15:38 < Roman123> ? 15:38 < Roman123> ^^^ when the line is disconnected 15:47 < soberbit> any reason a TUN interface can not listen on tcp instead of udp? 15:51 < higuita> soberbit: that is a config option 15:52 < soberbit> "proto tcp" only proper syntax for a TAP ? 15:52 < higuita> udp you simulate a real connection, a lost udp package is "connection noise" and the vpn tcp/ip will recover 15:53 < soberbit> my reason for trying it as tcp is kinda dumb 15:53 < soberbit> i do understand what you mean though. 
15:53 < higuita> but in tcp that noise will be retransmitted, wasting bandwidth, because the vpn tcp/ip will still retransmit the lost package, the out of order package will be dropped as dupe 15:53 < soberbit> thought it might be neat if netstat showed my various openvpn services for our TUN interfaces, as tcp. Then i would be able to see remote IP addresses in netstat. 15:54 < higuita> tcp is very useful for testing the firewalls rules and connections, after that, just switch to udp 15:54 < higuita> tcp is also useful for proxies :) 15:55 < higuita> soberbit: openvpn can create a log file that shows the current local/remote ip for all active connections 15:55 < higuita> its updated each minute IIRC 15:57 < higuita> Roman123: dont know what is faster, never tested that... 15:57 < Roman123> higuita: with faster, I mean reconnects 15:57 < higuita> again, better to test yourself, but i suspect that will not make big difference 15:58 < higuita> persist-tun persist-key should be faster, as it will save a few steps, but i dont know if they bring other problems 16:00 < Roman123> higuita: thanks 16:13 < soberbit> i'm trying to make use of the openvpn commands, instead of a full "service openvpn restart" everytime i make a change to just one of the interfaces 16:14 < soberbit> but i'm having a hard time putting it together with the man page 16:14 < soberbit> just trying to make changes to one of the .confs, and restart just the one tun 16:14 < soberbit> openvpn --rmtun --dev tun3.conf 16:14 < soberbit> however it's still listed in ifconfig 16:15 < krzee> tun3.conf? 16:16 < krzee> did you read the manual for --rmtun? 16:16 < krzee> !man 16:16 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:16 < krzee> [16:53] any reason a TUN interface can not listen on tcp instead of udp?
16:17 < soberbit> i just said i was having trouble putting it together with the man page 16:20 < soberbit> how do you restart a tun without restarting the whole openvpn service for all tuns? 16:26 < krzee> tcp works for tun or tap, but should be avoided if possible 16:26 < krzee> !tcp 16:26 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:26 < krzee> umm, openvpn config 16:26 < krzee> will only start that config 16:26 < krzee> you in windows im taking it? 16:27 < krzee> first you need to kill the process that is already running tho 16:28 -!- plaerzen [n=carpe@vip4.tundraeng.com] has quit [Remote closed the connection] 16:30 < krzee> Roman123, are you using user/group statements in your config? 16:34 < ecrist> krzee: Roman123 has no good reason I recall for needing tap. 16:37 < Roman123> krzee: no 16:38 < krzee> Roman123, then it doesnt matter if you use persist options 16:38 < krzee> [16:41] I saw on the manpage: "The persist options will try to avoid accessing certain resources on restart that may no longer be accessible because of the privilege downgrade." 16:38 < krzee> thats what its telling you 16:38 < soberbit> openvpn tun3.conf wants to start the config. i need to shut down tun3 first 16:38 < krzee> and Roman123 if you dont need tap, use tun 16:39 < krzee> soberbit, so then kill the process of openvpn that is running tun3 16:39 < Roman123> krzee: I need tap, don't know if it is a good reason ;-) 16:39 < krzee> why do you need tap? 16:39 < soberbit> krzee: that's what i'm trying to put together using the man page 16:39 < soberbit> openvpn --rmtun --dev tun3.conf 16:39 < Roman123> I like to send wake-on-lan requests 16:40 < krzee> soberbit, you dont know how to kill a process on your operating system?
16:40 < soberbit> obviously my syntax is wrong because it said it's in use 16:40 < krzee> soberbit, you wont kill it from using openvpn 16:40 < soberbit> you want me to run a kill command outside of openvpn?? 16:40 < krzee> no shit 16:40 < soberbit> why not just let openvpn do it 16:40 < krzee> cause thats not how it works 16:40 < krzee> did you even read rmtun in manpage? 16:40 < soberbit> a daemon doesn't know how to shut down one of its own configs? 16:41 < krzee> openvpn [ --mktun ] [ --rmtun ] [ --dev tunX | tapX ] [ --dev-type device-type ] [ --dev-node node ] 16:41 < krzee> do you see a place for config there? 16:41 < soberbit> yes, that is what i read. i'm trying the --rmtun 16:41 < krzee> dude 16:41 < soberbit> rtfm you too 16:41 < krzee> me? 16:42 < krzee> LOL 16:42 < krzee> listen to me or dont 16:42 < krzee> it dont matter to me 16:42 < krzee> but im telling you the truth 16:42 < krzee> rmtun is only to remove a non-in-use interface that you made persistent with --mktun 16:43 * ecrist looks around for a banhammer 16:43 < krzee> and ive read that manual more times than you want to know 16:43 -!- ilreds [i=57108019@gateway/web/ajax/mibbit.com/x-48c3eecb80a284b6] has joined ##openvpn 16:43 < ilreds> hi to all 16:43 < krzee> ya ecrist, im not feeling too good, my hammer is sitting right next to me 16:43 < krzee> haha 16:43 < ecrist> lol 16:43 < soberbit> i'm not telling you to read the man 16:43 < soberbit> i'm asking questions about the man 16:44 < krzee> you in windows or a unix? 16:44 < soberbit> linux 16:44 < krzee> then kill -9 that shit 16:44 < ilreds> i need to deploy an openvpn server into a subnet, clients must obtain an ip of same subnet: bridging is the unique solution? 16:44 < soberbit> i know 16:45 * ecrist goes outside. 16:45 < soberbit> of all the things i've built, i've never had a daemon not know how to turn itself off 16:45 < soberbit> so fine, i'll pull the power cord.
16:45 < krzee> hahahah 16:45 < krzee> you must be pretty new then 16:45 < soberbit> to openvpn, yes 16:45 < krzee> cause normally apps come with some sort of wrapper for that, and dont support it from within 16:45 < krzee> example, apache doesnt turn itself off 16:46 < krzee> nor does qmail 16:46 < soberbit> service httpd stop 16:46 < krzee> thats NOT apache 16:46 < krzee> thats a wrapper 16:46 < soberbit> read the init scripts, it's not just forcing a kill 16:46 < krzee> kill -9 `ps auxww|grep '[t]un3'|awk '{print $2}'` 16:49 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has joined ##openvpn 16:49 < krzee> and im sure you could make openvpn work with service 16:49 < krzee> if you set it up right for that 16:49 < krzee> but it for sure wont do that itself unless someone made it part of a custom package for your OS 16:49 < soberbit> so far i've only used openvpn with service 16:50 < krzee> service reads from /etc/init.d i believe 16:50 < christophe_> hey, openvpn always start a new tun-interface. is there a way to close the old one or to prevent this from happening? 16:50 < soberbit> it's a centos 3rd party package 16:50 < krzee> soberbit, so if you use service command it kills all? 16:50 < soberbit> tosses in some scripts in /etc/openvpn and sets up in init 16:50 < soberbit> ya 16:50 < krzee> ok then kill -9 16:50 < krzee> btw 16:50 < soberbit> i wanted to just learn how to do one tun. kill -9 will work fine. just never approached it like that 16:50 < krzee> none of those apps know how to shut themselves down 16:50 < krzee> thats something built in to your OS 16:50 < krzee> NOT into the apps 16:51 < soberbit> you're right 16:52 < krzee> christophe_, thats odd, what os?
16:52 < christophe_> ubuntu 8.10 16:52 < krzee> !configs 16:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:52 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection] 16:52 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 16:53 < christophe_> this is my client.conf http://pastebin.com/m7a502521 16:53 < krzee> christophe_, 16:53 < christophe_> client log http://pastebin.com/m1360bf43 16:53 < krzee> read what my bot told you 16:53 < krzee> !configs 16:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:53 < krzee> read the whole thing 16:53 < christophe_> sorry :) 16:54 < soberbit> being the guru you are, don't suppose you have any insight on the xp clients not taking a dns push. ? 16:54 < krzee> yes 16:54 < krzee> !pushdns 16:54 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 16:54 < krzee> #2 16:54 < soberbit> /var/log/messages says the dns push is going out towards them.
employees can even see the dns added to their tap32 interface 16:54 < soberbit> just doesn't work 16:55 < krzee> READ #2 16:55 < soberbit> if they manually add the dns to their real interface, works 16:55 < krzee> *sigh* 16:55 < soberbit> #2 didn't print to the chan 16:55 < krzee> bullshit 16:55 < krzee> !pushdns 16:55 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 16:55 < christophe_> the client.conf again: http://pastebin.com/m30f94fe2 16:55 < krzee> #2 16:56 < krzee> christophe_, and thats the client making a new tun device every time you start it? 16:56 < soberbit> http://pastebin.com/d9b46cd9 16:56 < krzee> soberbit, 16:56 < christophe_> krzee, yes it is the only conf-file on this hosot 16:56 < christophe_> host 16:56 < krzee> (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 16:56 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 16:56 < soberbit> awesome, thanks 16:56 < krzee> if you actually read youd have seen that 16:56 < krzee> its in your pastebin 2x 16:57 < soberbit> oh i thought the line #2 was a line from the bot 16:57 < soberbit> my bad 16:57 < krzee> christophe_, for 1 thing, if you can get off using tcp you should 16:57 < krzee> !tcp 16:57 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:57 < krzee> as for making a new device every time, very odd 16:58 < krzee> christophe_, can you pastebin ifconfig? 16:58 < krzee> and ps auxww|grep openvpn 16:58 < christophe_> krzee, i believe this is a company policy so i'm afraid this is not for the near future :s 16:58 < krzee> christophe_, are you running openvpn multiple times by chance?
16:59 < krzee> christophe_, gotchya, thats the only time its cool to use tcp 16:59 < soberbit> wow i'm really off today. i should go home and sleep for a change. 16:59 < krzee> sometimes you just cant get around it 16:59 < soberbit> fuck me 16:59 < christophe_> krzee the ifconfig http://pastebin.com/m2397f46a 16:59 < christophe_> no i only start it once at a time 16:59 < krzee> and ps auxww|grep openvpn 17:00 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection] 17:00 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 17:01 < christophe_> krzee, sorry it was the wrong ifconfig http://pastebin.com/m53b7da93 17:01 < christophe_> previous was the server ifconfig 17:01 < krzee> server runs 3 openvpns? 17:01 < christophe_> yeah we have 3 vpn connections 17:01 < krzee> and if this is client, you only have 1 interface 17:01 < krzee> so looks like no problem 17:02 < krzee> maybe you were just confused for a min 17:02 < christophe_> yeah, but i cant close this one 17:02 < krzee> kill -9 `ps auxww|grep '[t]un3'|awk '{print $2}'` 17:02 < krzee> err 17:02 < christophe_> it always restarts because there is already a tun-interface 17:02 < krzee> kill -9 `ps auxww|grep '[o]penvpn'|awk '{print $2}'` 17:02 < christophe_> k 17:03 < krzee> you just kill the process to stop openvpn 17:03 < krzee> as i was just telling soberbit before you came in 17:03 < christophe_> kill: No such process 17:03 < krzee> ps auxww|grep openvpn 17:03 < soberbit> lol 17:04 < krzee> is it even running? 17:04 < krzee> RX packets:0 errors:0 dropped:0 overruns:0 frame:0 17:04 < krzee> TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 17:04 < christophe_> not now 17:04 < krzee> im thinking not 17:04 < krzee> ok then what is your goal dude? 17:04 -!- ilreds [i=57108019@gateway/web/ajax/mibbit.com/x-48c3eecb80a284b6] has quit ["http://www.mibbit.com ajax IRC Client"] 17:04 < christophe_> i start it again, but it keeps restarting!
17:05 < christophe_> so there is no point in keeping it running i believe 17:05 < krzee> what do you mean 17:05 < krzee> how bout this 17:05 < krzee> !logs 17:05 < Roman123> anyone here who uses openwrt? 17:05 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:05 < krzee> !configs 17:05 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:05 < krzee> i already have your client config 17:05 < christophe_> it tells Initialization Sequence Completed and after this it does: Connection reset, restarting [0] 17:05 < soberbit> all i'm getting from the article is just telling the employee to run the command in the command line. which is doable.... i'll test it out with them tomorrow. 17:06 < krzee> soberbit, you can tell openvpn to run a script as well 17:06 < soberbit> oh 17:06 < soberbit> gosh, i'm not sure i know how to script in xp/vista 17:06 < krzee> in fact theres hooks to run scripts in a few diff times of an ovpn connection 17:06 < krzee> batch files 17:06 < krzee> or vbs 17:06 < krzee> a batch file would just be the command-line entry 17:06 < soberbit> called from their client.ovpn file? 17:07 < krzee> if you can type it at command-line you can script it 17:07 < krzee> yes 17:07 < krzee> look for every instance of script in the manual 17:07 < krzee> theres a lot of them 17:07 < soberbit> and it would be pretty generic and harmless even if i ever did stop pushing dns.
17:07 < krzee> of course 17:07 < soberbit> point is, i'm trying to leave employees with rather generic configs, so i don't have to update them all the time 17:07 < krzee> welp 17:07 < krzee> its a windows problem 17:07 < soberbit> heh 17:07 < krzee> not openvpn one 17:07 < soberbit> ya 17:08 < christophe_> krzee, i get it working by doing ifconfig tun0 destroy; openvpn --config client.conf 17:08 < soberbit> oddly though, some employees it works (me) and some it doesn't. 17:08 < soberbit> so here i am trying to recreate the prob, and i can't. 17:08 < krzee> christophe_, then it works?? 17:08 < christophe_> it doesn't restart like before 17:08 < soberbit> i have xp on a macbook to test what it's like to be them when needed. 17:08 < christophe_> the first command gives a warning but thats all 17:08 < krzee> soberbit, no idea, i dont use windows 17:09 < krzee> christophe_, you can also remove a device from within openvpn, openvpn --rmtun --dev tun0 17:09 < christophe_> good to know, maybe more safe also :) 17:09 < krzee> should be the same i'd think 17:10 < krzee> christophe_, can you re-create the problem now? 17:10 < krzee> like by killing and restarting openvpn 17:10 < krzee> if so we shouldnt consider it fixed yet 17:10 < krzee> if not... *shrug* 17:10 < christophe_> krzee, no :s very strange 17:11 < krzee> heh 17:11 < krzee> cool tho 17:11 < christophe_> but np for me, as long as it stays like this you don't hear me complain :) 17:11 < christophe_> thanks for the help and advice krzee 17:13 < krzee> np =] 17:27 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 111 (Connection refused)] 17:30 -!- christophe_ [n=christop@kotnet-149.kulnet.kuleuven.be] has quit ["Leaving"] 18:22 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 18:23 -!- XATRIX [n=linux@steping-filter.volia.net] has joined ##openvpn 18:24 < XATRIX> hi...i've got a question.....i have a ~38Mbit asynchron.
channel, and the second side has 2Mbit line 18:24 < XATRIX> why when i connect to other side 18:25 -!- tzanger [n=tzanger@gromit.mixdown.ca] has left ##openvpn [] 18:25 < XATRIX> my whole bandwidth inside the tunnel is over ~4-5KB\s...? 18:25 < vcs> are you using UDP and compression? 18:25 < XATRIX> i'm using ssh X11 forwarding, and it's very very slow 18:26 < XATRIX> why it's not using the whole or a half bandwidth ? 18:26 < XATRIX> i don't know about UDP compression 18:26 < XATRIX> how can i find out ? 18:27 < vcs> could you pastebin your configuration file for your server? 18:27 < vcs> If i can look through it I may be able to help you more 18:27 < XATRIX> ok..i need a sec 18:29 < XATRIX> http://rafb.net/p/iPsqRF66.html 18:29 < vpnHelper> Title: Nopaste - No description (at rafb.net) 18:29 < XATRIX> i guess that's it 18:33 < XATRIX> so 18:34 < XATRIX> vcs> 18:35 < XATRIX> any idea ? 18:35 < vcs> ahh sorry, i was ordering pizza 18:35 < vcs> let me take a look :P 18:35 < vcs> I HIGHLY recommend changing the line "proto tcp" to "proto udp" 18:36 < vcs> change it in the client configuration as well 18:36 < vcs> and then try X11 forwarding 18:36 < vcs> that should make a HUGE difference 18:38 < krzee> !tcp 18:38 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 18:38 < XATRIX> vcs> emm..i'm not a server administrator..i'm just a client... 18:38 < vcs> yes, but you must change directive so it knows to connect on UDP not tcp 18:38 < vcs> otherwise it will try to connect on the wrong protocol 18:41 < XATRIX> emm... 18:41 < XATRIX> how can i change the directive if i'm not a root 18:41 < vcs> OHH I see... 18:41 < XATRIX> and i'm not a system administrator.. 18:41 < vcs> who is the admin?
18:42 < XATRIX> he won't be glad to hear about it ;) 18:42 < vcs> Either he has no clue what he is doing 18:42 < vcs> or he is limited to only TCP for some reason 18:42 < vcs> complain to him... you deserve an answer. 18:43 < vcs> i gotta pick up pizza, kill your admin. later. 18:43 < XATRIX> ok....i will 18:43 < XATRIX> so there's no other way to increase the speed NOW ? 18:59 -!- dmb [n=dmb@unaffiliated/dmb] has quit ["Leaving"] 18:59 -!- nemysis [n=nemysis@190-247.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 18:59 -!- XATRIX [n=linux@steping-filter.volia.net] has quit ["buying software is against our policy! :) || Ah, my native land! A world of riddles and wonders. Гд] 19:12 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has left ##openvpn [] 19:12 < vcs> No. 19:12 < vcs> kill your admin. 19:15 < vcs> it fails to amaze me how many people setup OpenVPN over TCP...
19:15 < vcs> and expect high performance 19:16 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn 19:18 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit ["I am off"] 19:18 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn 19:54 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)] 19:58 -!- hardwire is now known as forbidden_fruit 19:58 -!- forbidden_fruit is now known as hardwire 20:30 -!- SpiritedBB [n=Spirited@208.50.100.19] has joined ##openvpn 20:44 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 20:45 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 20:58 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 21:04 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)] 21:05 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 21:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 21:15 -!- vanchuck [n=dave@S0106001c2512a7bc.vn.shawcable.net] has joined ##openvpn 21:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 21:20 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 21:27 < vanchuck> hey all-- I'm trying to set up an openvpn bridge. Everything is set up except that the bridge-start script messes up my network configuration because I have multiple IP addresses on eth0 (ie, eth0:0, eth0:1, etc...). After running the script, ifconfig only shows 'eth0' 21:27 < vanchuck> any clues on how to get around that? 21:36 < dvl> I would expect tap0, not eth0, but I suspect you're using DVL. 21:36 < dvl> Sorry, my humour. Damn Vulnerable Linux. 21:36 < dvl> Google it.
;) 21:36 < vanchuck> hehehe 21:37 < vanchuck> I actually just made some progress by assigning the bridge to eth0:x rather than eth0-- now openvpn is running without messing up other ips 21:37 < vanchuck> but now it's saying destination net unreachable when I connect.. back to google :-) 21:38 < dvl> sounds like routing? 21:44 < vanchuck> yeah, I can't ping any of the hosts on the server/destination's network while connected (but its fine when vpn disabled) 21:56 < hads> Try using multiple ips on an interface rather than old eth0:n? 22:07 < vanchuck> re: WARNING: --remote address [xx.yy.zz.148] conflicts with --ifconfig subnet [xx.yy.zz.158, 255.255.255.240] -- local and remote addresses cannot be inside of the --ifconfig subnet. (silence this warning with --ifconfig-nowarn) 22:07 < vanchuck> can I change the server-bridge subnet to something besides the 'actual' 22:07 < vanchuck> ... bridge (br0) subnet 22:22 -!- Netsplit anthony.freenode.net <-> irc.freenode.net quits: krzee, lavren, pa, roentgen, kexman, clustermagnet, krzie_, dazo, smk, disco-, (+5 more, use /NETSPLIT to show all of them) 22:23 -!- Netsplit over, joins: demoncyber_, roentgen 22:23 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 22:23 -!- Netsplit over, joins: brutuz, dazo, lavren, krzie_, dvl, blaxthos, clustermagnet, worch, disco- 22:24 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 22:24 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 22:24 -!- smk [n=scott@cobra.httpd.org] has joined ##openvpn 22:39 -!- vanchuck [n=dave@S0106001c2512a7bc.vn.shawcable.net] has left ##openvpn [] 23:23 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 23:44 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn --- Day changed Fri Feb 27 2009 00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:03 -!- c64zottel [n=hans@p5B17B248.dip0.t-ipconnect.de] has joined ##openvpn 01:26 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has left
##openvpn [] 01:26 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 01:27 < lavren> what's with openssl crypto headers not found ? what package do I need? I have ssl 01:32 < krzee> you have openssl? 01:33 < lavren> yes 01:33 < lavren> hmm and I have the crypto shared libs, but I'm not actually seeing the headers 01:34 < lavren> wonder what package I need, don't see any that might match 01:34 < krzee> what os? 01:34 < lavren> debian linux 01:34 < lavren> I have openvpn setup on gentoo and ubuntu ok, but I need to get it on this machine, shouldn't be a problem 01:34 < lavren> I just am stuck here atm 01:38 < lavren> hmm I think I see a package that will work, ssl lib 01:38 < lavren> dev stuff 01:38 < lavren> devlib 01:39 < lavren> that did it 01:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:40 < lavren> any openvpn developers in here? 01:40 < krzee> nope 01:40 < krzee> we're just helpers 01:40 < lavren> ah.. too bad. 01:40 < lavren> well its good you guys are right 01:40 < lavren> me and a friend got a site-to-site going recently 01:41 < lavren> but I';m moving my VPN router to this server, almost setup 01:41 < lavren> 2 mins from now hopefully ilt will be running 01:42 < krzee> ive never done a ptp setup 01:42 < krzee> i always use server 01:42 < krzee> but thats just cause of my needs 01:42 < krzee> thats something i really like bout openvpn, it fits many diff needs 01:44 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn 01:44 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 01:44 < Perun> hi all 01:45 < Perun> do I need to use certificates if I want to use bridge mode with openvpn? 01:46 < dazo> Perun: You don't need to, you can use static keys ... 
but I recommend you to use both certs and static keys, for highest security 01:51 < dazo> Perun: of course you can skip everything which is related to keys too, but then you probably don't need VPN, as all traffic will go unencrypted between the openvpn nodes 01:55 < krzee> Perun, 01:55 < krzee> first, why do you want bridge mode? 01:56 < krzee> !tunortap 01:56 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 01:56 < krzee> dazo, certs are only for auth, not for the encryption itself 01:56 < dazo> krzee: that's very right 01:57 < dazo> krzee: I was unclear about that 01:57 < krzee> one can choose to use PAM or something of that sort for auth if they choose, but keeping certs in the mix is still recommended for security 01:57 < krzee> !factoids search auth 01:57 < vpnHelper> krzee: 'tls-auth' and 'authpass' 01:57 < Perun> krzee: dont want to use routes 01:57 < krzee> !authpass 01:57 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 01:57 < krzee> Perun, why? 01:57 < krzee> bridging is harder than routing, if thats what you're thinking... 
01:57 < Perun> krzee: its simpler to configure :) and my hosts behind the one endpoint should 'see' the road warrior
01:58 < krzee> no, its not
01:58 < Perun> and want to use dhcp
01:58 < krzee> and for "see"
01:58 < krzee> !route
01:58 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
01:58 < krzee> its less simple to configure
01:58 < krzee> and pushing the servers lan to the client is SIMPLE
01:58 < krzee> its just a push route
01:58 < krzee> a single line entry in the server config
01:58 < dazo> The "advantage" I see with bridging, is that it can look like that the VPN client is physically located on the local network
01:59 < krzee> thats a disadvantage
01:59 < krzee> cause then you are open to layer2 attacks
01:59 < Perun> krzee: hmm and on each host in lan I need a special route for the tunnel or not?
01:59 * krzee arp poisons you over the bridge
01:59 < krzee> negative
01:59 < krzee> you add the route to the router
01:59 < dazo> krzee: yeah, if you consider the traffic, I agree
02:00 < krzee> the only advantage to bridging is when you need NON smb layer2 traffic
02:00 < Perun> krzee: the endpoint of tunnel isnt the default gw
02:00 < krzee> Perun, which is why i said you add the route to the router
02:00 < krzee> aka add the route to the default gateway
02:00 < Perun> aa
02:01 < Perun> and what about ip? I cant use a lan ip on my roadwarrior
02:01 < krzee> it would be a VPN lan ip, separate lan than the servers lan, but able to communicate just fine
02:01 < krzee> common is to use 10.8.0.x
02:02 < krzee> as to never have a conflict in addressing
02:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:44 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
02:44 < Roman123> #openwrt
02:44 < Roman123> oops
03:00 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 60 (Operation timed out)]
03:15 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
03:28 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn
03:34 < MgGuGu> how do I check the iptables rules applied for the VPN connection between each client ??
03:34 < MgGuGu> i want to know which ports are opened up between clients
03:38 < dazo> MgGuGu: iptables only configures the firewalling .... you cannot see which clients are connected or not or how
03:38 < dazo> MgGuGu: to do that, you probably need to look at the connection tracking in Linux
03:39 < dazo> MgGuGu: cat /proc/net/ip_conntrack
03:40 < dazo> dazo: but if you do not use connection tracking, I doubt you'll see much here
03:41 < dazo> MgGuGu: but to dump your iptables config .... use iptables -vxnL ... that'll list out all your entries
03:42 < MgGuGu> ok
03:42 < MgGuGu> thx
03:42 < MgGuGu> i'll try now
03:44 < MgGuGu> erm .. this is my iptables output
03:44 < MgGuGu> http://pastebin.com/d2bf4af15
03:44 < MgGuGu> it seems everything from br0 tap0 tun0 are accepted
03:44 < MgGuGu> and forwarded
03:46 < dazo> MgGuGu: technically speaking ... you do not have any firewalling ... this is completely open, in all kind of ways, how I see it
03:46 < MgGuGu> ya ..
03:46 < MgGuGu> i have been using it .
03:46 < MgGuGu> for cross-home file transfer
03:46 < MgGuGu> private web server browsing
03:46 < MgGuGu> now my friends wanna play DoTa on it
03:47 < dazo> well, there's not one single DROP or REJECT rule here ... and default policy is ACCEPT ... this is not firewalling at all, it lets the traffic through, even if you flush all your rules in the filter table
03:47 < MgGuGu> it seems that they can't see the game created on one VPN client from another VPN client
03:47 < dazo> MgGuGu: I'm guessing you have a routing issue instead
03:47 -!- lkthomas [n=lkthomas@218.189.198.146] has quit ["Leaving"]
03:48 < MgGuGu> dazo: such as ?
03:49 < dazo> MgGuGu: such as routing not working, perhaps? ... have you tried to ping from the VPN clients towards your game server?
03:49 < MgGuGu> ya
03:50 < MgGuGu> the way they setup game is
03:50 < dazo> MgGuGu: which protocol does the game server use?
03:50 < MgGuGu> someone host n everyone else joins
03:50 < dazo> MgGuGu: TCP/IP?
03:50 < MgGuGu> ya
03:50 < MgGuGu> erm .. what else can it use ?
03:50 < MgGuGu> i'm not sure
03:51 < dazo> MgGuGu: well, I haven't had time for network games at all (unfortunately) for a decade or so .... but back then you also had games using the IPX protocol ... but actually when I think about it now, I'd guess 99.9999% of the net-games today uses TCP/IP
03:52 < MgGuGu> ya
03:52 < MgGuGu> i just checked
03:52 < MgGuGu> TCP 6112
03:52 < dazo> that's proof enough
03:52 < MgGuGu> UDP 6112
03:52 < MgGuGu> ya
03:52 < MgGuGu> hmm
03:53 < MgGuGu> this sounds seriously strange for it
03:53 < MgGuGu> coz it works for everything else
03:53 < MgGuGu> haha
03:53 < MgGuGu> this is 1st time trying to play a game over vpn
03:53 < dazo> MgGuGu: you'll probably need to do some checking with tcpdump on your VPN server ... tcpdump will dump the network traffic on the given network interface (incl. tun/tap devices) ... and then you can see if you get traffic in and/or out from your game client
03:55 < MgGuGu> this is my client conf -> http://pastebin.com/m2c8c778e
03:55 < MgGuGu> just for ref
03:55 < MgGuGu> server conf -> http://pastebin.com/m16ef3465
03:55 < MgGuGu> ok
03:55 < MgGuGu> i'll try
03:56 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
03:58 < dazo> MgGuGu: you do not push any routes from the server, nor do you configure any routes on the client .... I'd recommend setting up a 'push "route x.x.x.x n.n.n.n"' in your server config
03:59 < MgGuGu> so it'll be like ?
03:59 < dazo> MgGuGu: where x.x.x.x and n.n.n.n are the IP address and netmask of the network where your game server is
03:59 < MgGuGu> oh ..
03:59 < MgGuGu> so .. now my vpn server has a public IP ..
04:00 < MgGuGu> and i have 3 remote locations
04:00 < MgGuGu> my home n friends home
04:00 < dazo> MgGuGu: if your internal network interface is configured with 192.168.0.50/255.255.255.0 .... it should say: push "route 192.168.0.50 255.255.255.0"
04:00 < MgGuGu> oh ..
04:00 < MgGuGu> so i now configured
04:00 < MgGuGu> tap0 with 192.168.8.131
04:00 < MgGuGu> so
04:00 < MgGuGu> it'll look sth like
04:01 < MgGuGu> push "route 192,168.8.0 255.255.255.0"
04:01 < dazo> MgGuGu: aha ... if your server only have one public IP ... why do you need to send the game traffic over VPN?
04:01 < MgGuGu> oops
04:01 < MgGuGu> wat do u mean by that ?
04:01 < MgGuGu> i have a web server running on that machine
04:02 < dazo> MgGuGu: you should not change the route of the IP addresses for tun/tap devices, openvpn takes care of those routes for you
04:02 < dazo> MgGuGu: ahh, I see
04:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:03 < dazo> MgGuGu: well, then you'll need to setup something a little bit more tricky ... since you do not have a private network behind your openvpn server ... you'll most probably need to redirect all internet traffic from your vpn client via your openvpn server
04:03 < dazo> MgGuGu: actually ..... that won't work even
04:03 < MgGuGu> i'm not sure
04:03 < MgGuGu> ok .
04:03 < MgGuGu> my server has
04:04 < MgGuGu> is a multi-homed server
04:04 < MgGuGu> one public
04:04 < MgGuGu> one private
04:04 < MgGuGu> private connects to all db servers n stuff
04:04 < dazo> MgGuGu: okey ... and the public and private have different IP addresses, I presume? And the private one do *not* have a public IP address?
04:04 < MgGuGu> eth0 (67.xx.xx.xx) and eth1 (192.168.8.4)
04:04 < MgGuGu> yup
04:05 < dazo> MgGuGu: perfect!
04:05 < MgGuGu> :)
04:05 < MgGuGu> so
04:05 < MgGuGu> i have a bridge over the ethernet
04:05 < dazo> MgGuGu: okey, then you can go back to push route :)
04:05 < MgGuGu> oh ..
04:05 < MgGuGu> ok
04:05 < dazo> MgGuGu: you can then do it like this: push route 192.168.8.4 255.255.255.255
04:06 < dazo> MgGuGu: I presume your game server is located on that IP address
04:07 < MgGuGu> oh.
04:07 < MgGuGu> a little bit of misunderstanding here i think
04:07 < MgGuGu> coz there's no particular game server
04:07 < MgGuGu> the game is in
04:07 < MgGuGu> ad hoc style
04:07 < MgGuGu> someone on the network setup
04:08 < MgGuGu> then i think it'll broadcast itself
04:08 < MgGuGu> lookin for other ppl to join
04:08 < MgGuGu> so now .. in my view .. the vpn server have to route that broadcast over to other vpn clients
04:08 < dazo> MgGuGu: aha ... that changes a lot more
04:09 < MgGuGu> hehe . this is getting interesting
04:09 < MgGuGu> :D
04:09 < dazo> MgGuGu: I've never done anything like that, as the broadcasting can be a bit complex sometimes ... and I'm not experienced at all with broadcast routing
04:10 < MgGuGu> eekz ...
04:10 < MgGuGu> any lead for me to read thru ??
04:10 < dazo> MgGuGu: maybe some others on this channel have done this and can help you out better
04:10 < MgGuGu> ya .. hopefully
04:10 < dazo> MgGuGu: Not afaik ... try googling for broadcast and routing
04:11 < dazo> dazo: something in me screams out multi-cast routing as well .... but I'm not sure if that's a blind lead or not
04:11 < MgGuGu> i c
04:11 < MgGuGu> i'm not sure of the game itself
04:12 < MgGuGu> but i'm just making a guess out of myself
04:12 < MgGuGu> that's how they play this game .. someone setup a game server then everyone else on the same subnet sees it .. so i ended up concluding that this server-client discovery have sth to do with broadcasting
04:12 < MgGuGu> :D
04:14 < dazo> MgGuGu: surely .... because scanning for IP's in a big subnet is not efficient, broadcast is the way
04:14 < MgGuGu> ya
04:15 < dazo> MgGuGu: what you could do .... is to setup all your gamers with openvpn ... and use client-to-client directive in the config .... most probably you'll need to configure it as tap and not tun ... that'll give you a complete virtual network between all parties, completely independent of other networks, as it would be controlled inside the openvpn server
04:16 < MgGuGu> lemme see
04:16 < dazo> MgGuGu: but I'm sure it's better solutions as well ... as tap VPN has more traffic overhead and will be somewhat slower than tun VPNs
04:17 < dazo> !tunortap
04:17 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
04:18 < MgGuGu> hmm
04:18 < MgGuGu> i'v actually config with
04:18 < MgGuGu> tap and client-to-client
04:18 < MgGuGu> :D
04:18 < dazo> MgGuGu: then you're closer
04:19 < MgGuGu> ya
04:19 < MgGuGu> but still a problem
04:19 < MgGuGu> damn .. i'm a bit lost
04:19 < MgGuGu> haha
04:19 < MgGuGu> :D
04:19 < dazo> MgGuGu: the reason I believe you'd need tap ... is that then you can setup the tap0 interface on the VPN server to use 10.8.0.0 netmask 255.255.255.0 .... which would be almost like a "normal" local network
04:19 < MgGuGu> yup
04:20 < MgGuGu> i got mac machines n XPs all across 3 locations
04:20 < MgGuGu> n they can use Netbios
04:20 < MgGuGu> file transfer
04:21 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
04:33 < MgGuGu> how many tapX interface ??
04:34 < MgGuGu> *do i need
04:34 < MgGuGu> do I need as many tapX interfaces as the number of remote clients i'm expecting ??
04:34 < dazo> MgGuGu: nope, you'll only need one ... and a big enough subnet on it
04:35 < dazo> MgGuGu: you'll also need ifconfig-pool (iirc) ... which will be the IP address pool each client gets an IP address from by the openvpn server
04:36 < MgGuGu> i c
04:41 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Remote closed the connection]
04:44 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
05:15 -!- zamba [i=marius@sveigde.hih.no] has joined ##openvpn
05:23 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
05:24 < Perun> re
05:24 < Perun> I still have problems with the routes
05:25 < Perun> I use these ip's for the vpn ends: 10.0.0.1 and 10.0.0.2
05:25 < Perun> have added a route on my router for network 10.0.0.0/24 with gw ip of the vpn endpoint
05:26 < Perun> and it does not work, I can ping on both sides the ends of the vpn tunnel but I cant ping into lan, or from lan to roadwarrior
05:29 < zamba> i'm trying to set up a vpn connection to be able to reach a remote subnet
05:29 < zamba> point is that the subnet isn't a private one
05:30 < zamba> meaning 192.168.x.x or 10.x.x.x
05:30 < zamba> should this make any difference?
05:30 < Roman123> Perun: Do you use the tun or the tap mode?
05:32 < Perun> Roman123: tun
05:33 < Roman123> Perun: to be clear, 10.0.0.1
05:33 < Perun> Roman123: ?
05:33 < Roman123> 10.0.0.x is your openvpn subnet for the clients?
05:33 < Perun> yep
05:33 < Roman123> and what's the lan behind the openvpn subnet?
05:33 < Perun> 192.168.50.0
05:34 < Roman123> and you added which route?
05:34 < Roman123> how does the command look?
05:34 < Perun> Roman123: dev tun
05:34 < Perun> ifconfig 10.0.0.1 10.0.0.2 (<- the tunnelled IP addresses of alpha and beta)
05:34 < Perun> secret meinname-key.txt
05:34 < Perun> argh lol
05:34 < Perun> Roman123: 10.0.0.0/24 via 192.168.50.60 dev br-lan
05:34 < Roman123> I can understand german
05:35 < Roman123> np
05:35 < Perun> 192.168.50.60 is the host with the tun interface and one end point of the tunnel
05:37 < Perun> the route is on my default gw/router
05:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
05:38 < Roman123> well, I'm not an expert but here something like > list push "route 192.168.1.0 255.255.255.0"< always worked in the config file of my server
05:39 < Roman123> Perun: are you running linux?
05:39 < Perun> yep
05:39 < Perun> on both sides
05:41 < Roman123> Perun: maybe try a modified version (change the ip-address according to your needs) of this command in your openvpn configuration file, restart server and client.
05:41 -!- TimotiSt [n=Timoti@dsl91EC7EAF.pool.t-online.hu] has joined ##openvpn
05:41 < TimotiSt> hi
05:41 < Roman123> otherwise I have no idea why it should not work
05:43 < TimotiSt> after looking at the source i'm not sure, but does the linux tun/tap driver support .1q vlan in tap mode?
05:44 < Roman123> I'm also suffering from routing problem. Sometimes I get "From 192.168.51.1: icmp_seq=2 Redirect Host(New nexthop: 192.168.50.1)" messages.
05:44 < Roman123> s/problem/problems
06:00 -!- sentronbarby [n=Alex@84.114.180.116] has joined ##openvpn
06:00 < sentronbarby> Hello
06:09 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
06:09 < sunta> hi
06:14 < sunta> im new to openvpn, trying to connect vista to openvpn@ubuntu.8.10 using 2.1rc15
06:14 < Roman123> Perun: still there?
06:14 < sunta> initialisation sequence completes but I cannot ping back or forth. the error that occurs:
06:15 < Perun> Roman123: yep
06:15 < sunta> MULTI: bad source address from client [10.8.0.6], packet dropped
06:15 < Roman123> Perun: Since you speak german take a look at http://wiki.openvpn.eu/index.php/Hauptseite
06:15 < vpnHelper> Title: Hauptseite - OpenVPN Wiki (at wiki.openvpn.eu)
06:15 < Roman123> Perun: Do you know this site?
06:15 < Roman123> Perun: They offer some very nice step-by-step tutorials.
06:15 < Perun> Roman123: partially
06:16 < Roman123> Perun: but the config files are international :)
06:17 < MgGuGu> anyone tried to play Dota over ethernet bridge ??
06:17 < MgGuGu> thx
06:17 < sunta> Roman123, thx for the openvpn.eu hint;)
06:18 < Roman123> MgGuGu: What or who is Dota?
06:18 -!- sentronbarby [n=Alex@84.114.180.116] has quit ["Verlassend"]
06:18 < Roman123> sunta: np
06:18 < MgGuGu> Warcraft
06:18 < Roman123> aha
06:18 < MgGuGu> network game i'd say
06:18 < MgGuGu> actually i've been talkin wif dazo
06:18 < MgGuGu> a while back
06:18 < MgGuGu> we drilled down that
06:18 < Roman123> nope, I haven't played a game for more than 10 years now
06:19 < MgGuGu> the broadcast msgs from the game clients aren't reaching each other
06:19 < Roman123> MgGuGu: MS Windows is the best real-time-adventure :-P
06:19 < MgGuGu> even though all VPN clients across 3 locations are on the same subnet, ping each other
06:19 < MgGuGu> omg
06:19 < MgGuGu> true!
06:19 < MgGuGu> :D
06:23 < sunta> MULTI: bad source address from client [10.8.0.6], packet dropped
06:23 < sunta> i dont get it
06:25 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn
06:25 < nachox> guys, what kind of plugin line should i use when i want to use radius to authenticate my users?
06:29 < sunta> any hint on this:? WARNING: learn-address command failed: could not execute external program
06:31 < dazo> sunta: look carefully at your config file, you're probably using --learn-address option ... and whatever that is, might not be executable
06:31 < sunta> thx dazo will check that
06:31 < sunta> indeed
06:33 < sunta> omfg. now ping comes back
06:33 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection]
06:34 < dazo> nachox: look for which plugins you have available in the source tree in the plugins/ directory ... it should give you a quick hint, I'd believe .... or else google will be your friend
06:34 < nachox> apparently i have to use pam to do this
06:35 < sunta> cant you wrap PAM to use radius?
06:35 < nachox> but i dont know if the pam library for openvpn is working properly, i cannot use likewise to authenticate my vpn users, but likewise users can login to the linux box through ssh
06:35 < dazo> nachox: I thought it was also a separate radius plug-in too ... I probably remember wrong and it might have been a 3rd party plug-in
06:36 < nachox> *likewise is a tool to get AD and unix auth integration btw
06:36 -!- TimotiSt [n=Timoti@dsl91EC7EAF.pool.t-online.hu] has quit [Remote closed the connection]
06:38 < dazo> nachox: You might need to go in and adapt /etc/pam.d/ files ... not sure if openvpn uses its own pam config here or not
06:38 < nachox> it is using login which is the same the login program uses
06:38 < dazo> nachox: then it's strange if it works with ssh but not openvpn
06:39 < nachox> it is, i agree
06:44 < Perun> how can I set the routes automatically for a roadwarrior?
06:44 < dazo> Perun: on the server: push route
06:44 < Perun> aha
06:45 < dazo> Perun: if different for each roadwarrior, you can also use this via ccd
06:45 < Perun> no its ever the same
06:46 < dazo> then a global push will be your friend :)
06:47 < MgGuGu> i'v tcpdump'd on both of the client's interfaces
06:47 < MgGuGu> physical en1
06:47 < MgGuGu> and virtual tap0
06:48 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:48 < MgGuGu> it seems that the game is not broadcasting on tap0
06:48 < MgGuGu> there's no broadcast on tap0 while there're packets captured on en1
06:48 < dazo> MgGuGu: then you're missing a route, I'd say
06:48 < MgGuGu> oh
06:49 < Perun> dazo: hmm doesnt work
06:49 < MgGuGu> how can i configure that ?
06:49 < Perun> dazo: have this in my server conf: push "route 10.8.0.0 255.255.255.0"
06:49 < dazo> MgGuGu: or .... do you configure in the game somehow which interface to use?
06:50 < dazo> (or IP address?)
06:50 < MgGuGu> i have absolutely no idea how to config the game
06:50 < MgGuGu> hehe
06:50 < Perun> dazo: urgs I mean: push "route 192.168.50.0 255.255.255.0"
06:50 < dazo> Perun: then I'd pay close attention to the log from the client .... using verb 3, probably, maybe verb 4 .... to see if it receives it or not
06:50 < Perun> dazo: ok
06:51 < dazo> MgGuGu: you most probably need to figure out that ... because it could be that it defaults to the local physical interface, but it should use your virtual interface and/or IP address of that virtual interface (tap dev)
06:51 < MgGuGu> ya
06:51 < MgGuGu> tat shld b it
06:52 < Perun> dazo: hmm dont see it: http://paste.debian.net/29365/
06:52 < ecrist> good morning fuckers
06:52 < dazo> ecrist: morning sucker
06:52 < dazo> Perun: increase log level (--verb)
06:52 < Perun> ok
06:57 < Perun> dazo: pull=DISABLED is this the problem?
06:57 < dazo> Perun: yeah, that's most likely the reason
06:57 < Perun> dazo: this is my conf: http://paste.debian.net/29366/
06:58 < Perun> but I get now (after adding 'client') : Options error: specify only one of --tls-server, --tls-client, or --secret
07:00 < dazo> Perun: that's to add authentication and improved encryption on the tunnel ... at minimum, consider --secret .... which is quick'n'easy to setup ... ideally, use certificates in addition to --secret
07:00 < Perun> dazo: I have 'secret' in the conf
07:01 < dazo> Perun: ahh ... sorry .... "specify only one of"
07:02 < dazo> Perun: you have tls-server and/or tls-client in addition
07:02 < Perun> dazo: no... I dont want to use tls/ssl now
07:03 < dazo> Perun: When using --tls-server or --tls-client, --tls-auth is used for the static key .... I mixed it with --secret in this setting
07:03 < Perun> dazo: hmm dont understand, what do I need to add to the conf?
07:03 < dazo> Perun: then you need to remove everything regarding --tls-{server|client}
07:03 < ecrist> WHY DO PEOPLE USE AN SSL VPN PRODUCT IF THEY DON'T WANT TO USE SSL?
07:03 < dazo> ecrist: good question
07:03 < Perun> ecrist: it comes later, now I will test it
07:04 < sunta> security is for wussies. so are backups
07:04 < Perun> connect with minimal conf, after that I will secure it with tls/ssl
07:04 < ecrist> retarded.
07:04 < ecrist> openvpn isn't that hard to set up.
07:05 < dazo> sunta: I prefer Linus Torvalds comment to that, regarding backup .... "Backup is for wimps! Real men upload their work to the Internet and let the rest mirror it"
07:05 < sunta> ;)
07:05 < Perun> dazo: I dont have tls options there in my conf...
07:05 < Perun> only secret
07:05 < sunta> ecrist, its tricky when you are inexperienced. i have worked with linux/networks for more than 10 years and dont get along with openVPN too well. thats why im here
07:06 < dazo> Perun: hmmm .... that's strange
07:06 < dazo> Perun: can you post a complete startup log with --verb 4?
07:06 < dazo> s/post/pastebin/
07:06 < Perun> dazo: ok mom
07:07 < ecrist> mom?
07:07 < Perun> dazo: ee there is no log on the client side, I get only this error
07:08 < dazo> ecrist: don't worry, I'm not his mom :-P
07:08 < Perun> ecrist: moment pls
07:08 < Perun> :)
07:08 < dazo> Perun: then I basically don't know how you're getting this .... somewhere you must have something which picks up this
07:09 < dazo> dazo: which version are you using?
07:09 < Perun> :)
07:10 < Perun> dazo: OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
07:10 < Perun> from debian lenny
07:10 < dazo> Perun: hmmm ... could you try to compile 2.1_rc15 and test that one? (you don't have to install it, just compile it and run it from the source tree)
07:13 -!- MgGuGu_ [n=chatzill@cm195.epsilon28.maxonline.com.sg] has joined ##openvpn
07:13 < MgGuGu_> sorry .. connection drop
07:16 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has quit [Read error: 113 (No route to host)]
07:16 -!- MgGuGu_ is now known as MgGuGu
07:18 < Perun> dazo: thats the log without 'client' in conf file: http://paste.debian.net/29367/
07:21 < dazo> Perun: and your --secret is placed in '/etc/openvpn/leviathan.txt' ?
07:22 < Perun> dazo: yep
07:22 -!- alien8 [n=alien@indigo.alien8.org] has joined ##openvpn
07:23 < dazo> Perun: have you changed your config file now? ... because what I see here in this log does not match too well the config you pastebin'ed
07:23 < dazo> Perun: sorry, I found the port number now .... was looking wrong ... if the key is the only thing which is changed ... I'm pretty much confused
07:24 < Perun> dazo: http://paste.debian.net/29368/ thats the config now
07:24 < alien8> openvpn on a mac, has been fine for weeks using tunnelblick , this morning after a restart : Feb 27 13:22:18 chaos openvpn[311]: Need hold release from management interface, waiting... is all I'm getting. any clues please? :-/
07:26 < Perun> grr I think I use the bridge mode.... no problem with routes etc :/
07:26 < ecrist> Perun: if I may, you're over-complicating your setup by trying to avoid the parts you may find difficult.
07:27 < ecrist> setup of a bridged vpn is far more difficult than a routed vpn
07:27 < dazo> Perun: ecrist has a point
07:27 < dazo> Perun: I've always used --tls ... and I've never seen this error before, but I do get the same issue when trying myself
07:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
07:27 * dazo is using 2.1_rc15 for this test
07:27 < ecrist> alien8: from a terminal, ps auxwww | grep Tunnel
07:28 < ecrist> kill -9 all the PIDs you see as Tunnelblick or openvpn
07:28 < alien8> ok, have been debugging this for hours with full restarts and removed/everything/tried viscosity as well. etc. will try another kill ecrist
07:29 < Perun> is it possible to use secret and bridge mode?
07:29 < Perun> or do I need to use certs?
07:30 < dazo> Perun: I'm guessing you'll hit the same wall with bridged mode as well .... jump into the SSL/TLS world ... it's not that bad ... and there are plenty of certificate tools to help you out
07:31 < Perun> dazo: yep I do it, but now I want to have a normal working connect before I use other auth etc
07:31 < ecrist> Perun: SSL *is* normal for OpenVPN
07:31 < alien8> ecrist: nuked all the PIDs for tunnelblick, none for openvpn as Feb 27 13:36:24 chaos openvpn[336]: Need hold release from management interface, waiting...
07:31 < alien8> Feb 27 13:36:37 chaos openvpn[336]: Signal received from management interface, exiting - restart tunnelblick - same thing, I bumped up logging to 5 and no clues there.
07:32 < ecrist> alien8: you kill -9?
07:32 < dazo> Perun: I've never tried to setup openvpn without certs ... and it usually works with, very well, I might add
07:32 < Perun> ecrist: but its more complicated to set up than secret... if I have a working tunnel then I secure it with ssl
07:32 < alien8> yup ecrist
07:32 < dazo> Perun: it's not difficult
07:32 < dazo> Perun: If you want to have it the GUI way .... try TinyCA
07:32 < Perun> aha ok
07:32 < alien8> (I highly recommend certs for openvpn FWIW)
07:32 < dazo> Perun: if you want it the TUI way .... ssl-admin might help you out
07:33 < Perun> TUI?
07:33 < dazo> Perun: and you also have easy-rsa which is packaged together with openvpn ... even though a little bit strange usage
07:33 < dazo> TUI - Text User Interface
07:33 < ecrist> Perun: what OS?
07:33 < dazo> ecrist: Debian
07:33 < ecrist> ick
07:33 < dazo> :-P
07:34 < ecrist> ssl-admin is an option, but on linux, it's beyond his ability to configure ATM
07:34 < dazo> good to know
07:34 * dazo should probably have a close look at it ... "in the near future(tm)" ....
07:34 < Perun> ecrist: debian lenny
07:37 < alien8> ecrist: it's a full cert setup, I've got the certs out of my original tarball again just in case they got corrupted. config file as well.. it's totally bonkers
07:38 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit ["Lost terminal"]
07:39 < alien8> i've removed tunnelblick, the viscosity kexts, rebooted etc etc
07:53 < ecrist> alien8: what version of tunnelblick?
07:53 < alien8> 3.0b10 - also tried viscosity latest version
07:54 < alien8> originally I was thinking that a cert had borked, or password was being asked for
07:55 < ecrist> did you try removing tunnelblick, and ~/Library/openvpn, restarting?
07:55 < alien8> yup
07:55 < ecrist> and you reinstall, add your ca, client cert/key, config, and what error do you get?
07:56 < alien8> all starts ok, then Feb 27 13:36:24 chaos openvpn[336]: Need hold release from management interface, waiting...
07:56 < alien8> if i could see what the hold was for that might help :-/
07:57 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
07:57 < vpnHelper> Title: Management Interface (at openvpn.net)
07:57 < ecrist> search for
07:57 < ecrist> -- hold
08:00 < sunta> the management is always the problem
08:01 < alien8> uh oh: The hold flag setting is persistent and will not be reset by restarts.
08:01 < alien8> um
08:01 < ecrist> alien8: tunnelblick sets the mgmt interface to port 1337 on 127.0.0.1
08:02 < alien8> so i can nc to that port, and tell it to 'hold off' ?
08:02 < ecrist> hold release
08:10 -!- TimotiSt [n=Timoti@mail.telequest.hu] has joined ##openvpn
08:18 < alien8> right that worked ecrist
08:18 < alien8> seems like 1 error at any time will lock that hold up and you're screwed till you release it
08:18 < alien8> thanks++
08:19 < alien8> only then will you actually see the reason for the lock
08:19 < ecrist> glad I could help
08:20 -!- arzen1013 [n=Administ@119.123.227.197] has joined ##openvpn
08:23 -!- lkthomas_ [n=lkthomas@203.145.92.95] has joined ##openvpn
08:23 < lkthomas_> Sup all
08:24 -!- lkthomas_ [n=lkthomas@203.145.92.95] has quit [Client Quit]
08:27 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)]
08:27 -!- mikkel_ [n=mikkel@84.238.113.66] has joined ##openvpn
08:28 < arzen1013> Hi all, I have two sub networks, one is 10.88.1.xxx, and 10.99.1.xxx, I want to connect those two sub networks through openvpn, how to do it ?
08:30 < arzen1013> I installed openvpn server in 10.88.1.xx, and added : route 10.99.1.0 255.255.255.0 , but I still can't access 10.99.1.xxx from 10.88.1.xxx, why ?
08:30 < ecrist> arzen1013: read this:
08:30 < ecrist> !route
08:30 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:32 < arzen1013> ecrist: so, how to ?
08:32 < ecrist> arzen1013: did you read that link?
08:33 < dazo> obviously not
08:42 < arzen1013> ecrist: I add : push "route 10.99.1.0 255.255.255.0", and client-config-dir ccd & client-to-client, but still can't access 10.99.1.xxx from 10.88.1.xxx
08:44 < ecrist> arzen1013: did you read that link?
08:44 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
08:44 < Perun> re
08:44 < Perun> bridge does work... with tls :)
08:44 < arzen1013> dazo: I don't want access 10.88.1.xxx from 10.99.1.xxx, just only want to access 10.99.1.xxx from 10.88.1.xxx
08:44 < Perun> how can I start a script before the server starts? are there any options for it in server conf?
08:45 < ecrist> Perun: there are options. see the man page
08:45 < ecrist> !man
08:45 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:45 < Perun> aha
08:45 < ecrist> arzen1013: did you read that link?
08:46 < arzen1013> ecrist: yes, I read it, but still don't understand, could you obviously teach me ?
08:47 < ecrist> that link explains *exactly* how to do what you want.
08:47 < ecrist> no, I won't teach you, but I'll point you to the documentation
08:47 < arzen1013> I use : dev tun , mode
08:49 < Perun> ecrist: should I start the bridge build script with --up?
08:49 < ecrist> yes, that's what I'd recommend.
08:49 < ecrist> I'm out for now. good luck.
08:49 < Perun> ecrist: thx
08:50 < arzen1013> ok, by ecrist:
08:51 < arzen1013> *bye :)
09:06 -!- MgGuGu [n=chatzill@cm195.epsilon28.maxonline.com.sg] has quit [Remote closed the connection]
09:14 < TimotiSt> after reading the tun.c source i'm still not sure: does a tap device (linux) support .1q vlans?
09:15 < dazo> TimotiSt: probably not
09:16 < sunta> damn my mouse is broken
09:17 -!- arzen10131 [n=Administ@119.123.226.126] has joined ##openvpn
09:22 -!- arzen10131 [n=Administ@119.123.226.126] has left ##openvpn []
09:28 -!- sunta [n=cw@achilles.raytion.com] has quit ["Verlassend"]
09:29 < krzee> Perun, why are you still using bridge?
09:29 < krzee> i thought we figured out you didnt need bridge
09:30 < krzee> and i thought i explained that if you didnt need bridge, you shouldnt use it
09:31 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
09:31 < sunta> re
09:32 < krzee> fixed the rat?
09:32 < Perun> krzee: route didnt work here... with bridge no problems
09:33 < krzee> lol
09:34 < krzee> so its routings fault and not yours?
09:34 < Perun> it worked sometimes only, dont know why
09:34 < krzee> why exactly doesnt it work?
09:35 -!- arzen1013 [n=Administ@119.123.227.197] has quit [Read error: 110 (Connection timed out)]
09:35 < krzee> !bridge
09:35 < Perun> krzee: has had a route on router, and route on roadwarrior, I could ping roadwarrior from lan but not lan hosts from roadwarrior
09:35 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
09:35 < vpnHelper> krzee: the protocol uses MAC addresses instead of IP addresses.
09:35 < krzee> #3
09:35 * dazo wonders why people struggle so much with routing .... it's like riding a bike
09:35 < krzee> seriously dazo
09:36 < sunta> !tun
09:36 < vpnHelper> sunta: Error: "tun" is not a valid command.
09:36 < krzee> then they do the harder, more overhead, less secure method because they dont wanna learn
09:36 < Perun> it works now with bridge + tls
09:36 < dazo> exactly
09:36 < Perun> thats enough for me
09:36 < krzee> sunta, whatchya lookin for?
09:36 < krzee> Perun, cool
09:36 < dazo> that's a Microsoft attitude .... hey, IE6 seems to render something, works for us, let's ship it!
09:36 < krzee> hahahah
09:36 < krzee> no kidding
09:36 < Perun> krzee: for home server secure enough IMHO
09:37 < krzee> definitely MS attitude
09:37 < krzee> LOL
09:37 < sunta> I have tun setup, can ping server from dialup warrior. but cannot access anything behind the server (lan)
09:37 < krzee> sunta,
09:37 < krzee> !route
09:37 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:37 < krzee> i made a writeup just for that
09:38 < sunta> really? I just read it
09:38 < dazo> krzee: can you make vpnHelper even more clever ... when it sees a line with .... "cannot access" and ping in the same sentence, just return !route?
09:38 < krzee> read it ALL without skimming, ask if you have problems after that
09:38 < sunta> the client is dialup. that doesnt seem to be covered in that guide
09:38 < sunta> ok
09:38 < Perun> krzee: I know I know... but bridge brings here smaller administration overhead... same lan etc
09:38 < krzee> dazo, its a supybot, if you code python you can
09:39 < Perun> krzee: and as I say, its for a home server
09:39 < krzee> its using factoid plugin for the !commands
09:39 < dazo> sunta: it is covered, indirectly .... just replace one of the nodes on the drawing and text with your roadwarrior, and you basically have it
09:39 < krzee> Perun, *shrug* you're done anyways so if i dont need to help you with it its out of my realm of importance, so to speak
09:40 < krzee> heheh
09:40 < sunta> will try my very best;)
09:40 < dazo> sunta: you most probably then just don't need to think about --iroute ... that's the different
09:40 < dazo> s/different/difference
09:40 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)]
09:40 < krzee> sunta, the lan is behind the server?
09:40 < sunta> yes krzee
09:40 < krzee> all you need is a push route
09:40 < krzee> whats the servers lan?
09:41 < sunta> 172.16.0.0
09:41 < sunta> push "route 172.16.0.0 255.255.0.0
09:41 < sunta> i have
09:41 < krzee> in my drawing the server is on 192.168.2.0, all youd hafta do is replace that with your lan everywhere, which is 1 place only
09:41 < dazo> krzee: I'll have a look ... python is familiar, just have never tried to do any bot things with it yet
09:41 < sunta> server 10.8.0.0 255.255.255.0 i have too
09:41 < krzee> your lan is a /16?
09:41 < sunta> yes
09:41 < krzee> why?
09:42 < krzee> you have over 254 machines at your lan and no segmenting?
09:42 < sunta> I took over this lan some time ago from some slacker
09:42 < Perun> krzee: although big thanks for your help
09:43 < sunta> whats the problem with 172.16/16
09:43 < krzee> np
09:43 < krzee> sunta, ive witnessed openvpn get confused on /16 networks iirc
09:44 < krzee> but it shouldnt, so lets try it anyways
09:44 < krzee> you said:
09:44 < krzee> [10:48] push "route 172.16.0.0 255.255.0.0
09:44 < krzee> you have a " after that, right
09:44 < krzee> ?
09:44 < sunta> yes sorry
09:44 < krzee> ok
09:45 < krzee> is the server on the default gateway for its lan?
09:46 < sunta> not all but good point. will try to ping a machine that has openvpnserver as default gw
09:46 < krzee> huh?
09:46 < krzee> differing default gateways on same lan?
09:46 < sunta> tried to ping a machine with different gw
09:46 < krzee> why dont you just segment then!?
09:47 < krzee> sounds 1/2 way done
09:47 < sunta> not really.
09:47 < krzee> oh wait, thats not openvpn related ill leave you to that stuff on your own
09:47 < sunta> sure;)
09:47 < krzee> read "ROUTES TO ADD OUTSIDE OF OPENVPN" under the drawing in my routing writeup
09:48 < krzee> which i assume you still have open cause you been reading over it so thorough ;]
09:49 < krzee> hey dazo, i just noticed your spoof, you part of the redhat team?
09:49 < dazo> krzee: my spoof?
09:49 < krzee> hostname
09:49 < dazo> krzee: ahh ... yeah, I am
09:49 < krzee> right on =]
09:50 < krzee> we should rpm up ecrist's ssl-admin!
09:50 < dazo> krzee: normally working on Red Hat Enterprise MRG products, mainly Messaging and Real-Time Kernel ... doing QA
09:50 -!- TimotiSt [n=Timoti@mail.telequest.hu] has left ##openvpn ["Konversation terminated!"]
09:50 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
09:50 < dazo> krzee: I'm not against .... I've been thinking I should spend some spare time making it run smoothly on Linux
09:51 < krzee> it runs diff on lin than bsd?
09:51 < krzee> i figured its only install where there is a diff
09:51 < krzee> its just a perl script
09:51 < dazo> krzee: last time I tried it ... it was a little bit ugly to get working ....
09:51 < dazo> krzee: yeah, I know ... it did not fly immediately out of the box, sort of
09:52 < krzee> i modded the Makefile and added a configure to make it run on lin right, but it was UGLY
09:52 < krzee> cause im totally not a coder
09:52 < krzee> and im a bsd guy so i could only test on gentoo and ubuntu
09:52 < dazo> krzee: aha ... I think this was before the time of the configure script .... but I can have a look and fix it up for you :)
09:52 < krzee> only linuxes i could get access to
09:52 < krzee> ahh
09:53 < krzee> ya it shouldnt even need configure, i just couldnt make a proper Makefile, lol
09:53 < krzee> i shell script well, so i used configure to fix the Makefile
09:53 < krzee> uglyhax
09:53 < dazo> krzee: heh ... I see ... I'll try to poke around with it next week or so, a bit hectic nowadays with deadlines approaching for new release packages
09:54 < krzee> right on, wait til deadlines are over, this is no biggie
09:54 < dazo> krzee: goodie :)
09:54 < krzee> ;]
09:54 < dazo> krzee: then I might even be able to write you a .spec file for rpmbuild as well ... and might even try to test the gentoo ebuild file as well :)
09:55 < krzee> ahh sweet
09:55 < krzee> did the ebuild ever get submitted?
09:55 < dazo> krzee: I've only heard rumours about it .... but no smoke afaik
09:55 < krzee> i talked to some guy and got the ball rolling, never heard anything past that
09:55 < dazo> krzee: yeah, that's the lead I was thinking about following
09:56 < krzee> i think my Makefile turned them off
09:56 < krzee> haha
09:56 < dazo> hehe
09:56 < krzee> (its ugly)
09:56 < krzee> (in case i hadnt mentioned that)
09:56 < dazo> krzee: I know .... I looked at it .... and thought: "If this is the BSD way, I'm not gonna touch BSD" :-P
09:56 < krzee> hahahaha
09:57 < krzee> no its the 'i dont code' way
09:57 < dazo> it explains a lot :)
09:57 < krzee> seriously, i wrote 1000's lines of .sh to run my old webhosting company
09:57 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
09:57 < krzee> if i knew real languages that woulda been so much easier
09:58 < dazo> krzee: why not dig into that? .... it's not that hard, is it?
09:58 < krzee> well im a few chapters in to the K&R book on C
09:58 < dazo> krzee: oh dear .... jumping straight into _that_ book .... no wonder it takes you time :-P
09:59 < krzee> hahahah
09:59 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
09:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Client Quit]
10:00 < krzee> ya i had to make 24 apps to get through chapter 1
10:03 < dazo> well, I shouldn't speak too loudly .... my very very first C program which I wrote in '98 (which was used in production for 5-6 years) ... it had no functions, no memory pointers and was purely based on on-disk-buffers .... and it was used to parse and split and reorganise input files .... but amazingly enough, we never found a single bug in it, and it was, against all odds, incredibly fast at that time .... processed files with 100k records
10:03 < dazo> within a minute (on dual Pentium2 hardware)
10:04 < krzee> haha right on
10:05 < sunta> thx for your help krzee. basically openvpn should be working. need to clean up this network now to be satisfied
10:06 < krzee> ok so now it works fine?
10:06 < sunta> ping vpnserver works. rest doesnt work but is routing problems I believe
10:06 < sunta> and its friday evening. I wont go any further today;)
10:07 < krzee> !route
10:07 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:07 < krzee> bottom
10:07 < krzee> under the drawing
10:07 < krzee> ahh right on
10:07 < krzee> have a good weekend =]
10:07 < sunta> printed it to read tomorrow.
10:07 < sunta> greets from rainy germany btw...
10:07 < krzee> greetings from peru
10:08 < krzee> sunny peru ;]
10:08 < sunta> wow cool. no kiddin I love peru;) noticed when I met that girl in venezuela
10:08 < sunta> yelixa, nice name hehe
10:08 < krzee> ya im loving it here too, im definitely coming back
10:13 < krzee> got myself a Brazilian model named amanda on my first night
10:13 < krzee> (but keeping her the whole time, not just that night)
10:17 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has joined ##openvpn
10:18 < DarKnesS_WolF> i have a question if the server got restarted how long it will take for the clients to connect back to the server ? or i have to restart the service on the client also ?
10:19 < sunta> should be automatic as far as I understand
10:19 < DarKnesS_WolF> sunta: the server restarted since like 10 mins and still can't reach the clients
10:20 -!- _Pete_ [n=petriai@e82-103-218-67.elisa-laajakaista.fi] has joined ##openvpn
10:20 < _Pete_> hello
10:20 < _Pete_> I have problems using openvpn with firewall
10:20 < dazo> DarKnesS_WolF: I believe it depends on the keepalive settings on the clients
10:20 < sunta> I just made a restart of the server and the client needed like seconds to reconnect
10:21 < _Pete_> I open port 1194 from openvpn server firewall
10:21 < _Pete_> but still vpn connection doesnt work
10:21 < _Pete_> without firewall it works (at least ping)
10:22 < _Pete_> !configs
10:22 < vpnHelper> _Pete_: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:22 < dazo> _Pete_: you probably are missing to open up the tun/tap interface in the FORWARD chain
10:23 < _Pete_> one thing is that I am using firestarter to config/use firewall
10:23 < _Pete_> on the server
10:23 < _Pete_> not familiar to config it by hand :(
10:24 < dazo> oh dear .... well, I've looked at firestarter once .... and I threw it out relatively quickly .... I'm sorry, I can't help you here how to make that work out
10:25 < dazo> _Pete_: but you should find some place to set up forwarding rules .... and you need to allow traffic from your tun/tap device which your openvpn config uses and let that traffic be allowed to reach the ethernet interface of your internal network
10:25 < sunta> take care guys. im off. appreciated the community
10:26 < _Pete_> dazo: ok
10:26 -!- sunta [n=cw@achilles.raytion.com] has quit ["you rock"]
10:26 < nemysis> Hello, Could I use same Keys for OpenSSL and OpenVPN
10:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
10:27 < dazo> nemysis: ehhh .... openvpn uses openssl for the encryption and certificate processing .... so, yeah, basically you should be able to do that ... not sure what you really ask about here
10:28 < DarKnesS_WolF> dazo: mmm can't check now :) too late can't reach the clients already
10:28 < nemysis> I need the Keys only for OpenVPN, usually use OpenSSH, is safe to use RSA or is better DSA Keys?
10:29 < alien8> DSA isn't 'better' than RSA, it's just different
10:29 < alien8> (FYI)
10:29 < nemysis> But SSH FAQs say the DSA is for Protocol 2 and is better
10:29 < dazo> nemysis: well, I'd recommend RSA ... just because there is one less theoretical bug in RSA compared to DSA
10:30 < dazo> nemysis: RSA had a patent issue earlier, but that patent expired, afaik
10:30 < alien8> yup patent expired a few years ago
10:30 < dazo> nemysis: and RSA supports up to 4096 bits .... while DSA supports up to 1024bits
10:30 < dazo> (in openssh, that is)
10:31 < nemysis> Yes this is right I use with GnuPG 4096 bits too
10:31 < dazo> nemysis: you cannot use openSSH keys for openvpn .... but you can use whatever keys openssl provides with openvpn
10:31 < nemysis> Yes I use only OpenSSL Keys for OpenVPN
10:31 < dazo> nemysis: for GnuPG, I think even stronger keys than 4kbit is possible as well ....
10:32 -!- gabe__ [n=fuzzimac@pool-151-203-155-122.wma.east.verizon.net] has joined ##openvpn
10:33 < dazo> nemysis: then I think you have your question answered
10:33 < nemysis> Yes this is right
10:33 < nemysis> Thanks
10:33 < dazo> nemysis: np! you're welcome
10:33 < gabe__> Hello, I am trying to connect to my vpn using viscosity, and I am getting the following error: Options error: You must define CA file (--ca) or PKCS#12 file (--pkcs12)
10:34 < krzee> viscosity?
10:34 < gabe__> I don't really know much about this, can anyone point me in the right direction?
10:34 < gabe__> os x client for vpn
10:34 < krzee> !howto
10:34 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:34 < krzee> ahh
10:34 < krzee> i use osx but never bothered with a gui
10:36 < alien8> viscosity or tunnelblick gabe__
10:36 < dazo> gabe__: you most probably have not setup any SSL keys
10:36 < alien8> viscosity costs $9, tunnelblick is GPL
10:37 < gabe__> alien8: I have viscosity
10:38 < gabe__> dazo: where do I set up ssl keys?
10:38 < dazo> gabe__: most probably somewhere in the GUI .... I dunno, I'm not using osx
10:38 < krzee> umm
10:38 < gabe__> okay
10:38 < krzee> screw config'ing via gui
10:38 < krzee> config using a text editor
10:38 < krzee> then start and stop with your gui
10:38 < alien8> viscosity has a support forum gabe__ : http://www.viscosityvpn.com/support/
10:38 < vpnHelper> Title: Viscosity - OpenVPN Client for Mac (at www.viscosityvpn.com)
10:39 < krzee> whoa
10:39 < krzee> that app actually looks kinda cool
10:39 < krzee> i might try it out sometime
10:39 < alien8> it's ok - draws pretty graphs ;)
10:40 < alien8> it'll import tunnelblick configs as well, so pretty nice if you want that stuff
10:40 < krzee> tunnelblick makes configs now?
10:40 < krzee> last i tried it you made the configs manually and ran them with tunnelblick
10:40 < alien8> nah, just takes the openvpn text files
10:41 < krzee> well ya, no matter what makes the configs its just the openvpn text files
10:41 < alien8> but you'll see - viscosity cuts them down, and GUI's it
10:41 < krzee> viscosity is still just giving you a front end for what we do in text editors
10:41 < krzee> with many less options for sure
10:41 < _Pete_> dazo: so if I dump firestarter and do the firewall rules myself what to do? I need ssh/http/bittorrent/openvpn available
10:42 < krzee> seen the size of the manpages? no gui will cover all that
10:42 < krzee> heheh
10:42 < krzee> !iptables
10:42 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
10:42 -!- gabe_ [n=fuzzimac@pool-72-79-222-33.spfdma.east.verizon.net] has joined ##openvpn
10:43 < krzee> that accepts all though
10:44 < krzee> then you read the manual!
10:44 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"]
10:44 < krzee> my coder friends all hate writing manuals
10:44 < krzee> but they do it just for us!
10:44 < krzee> least we can do is read it
10:47 < krzee> alien8, so you paid for viscosity?
10:47 < alien8> just tried it, now using tunnelblick
10:47 < alien8> I had to recommend a few things to people, so made sure I went round all I could
10:49 < krzee> im just using commandline
10:49 < krzee> any command you can type into CLI you can make into a shell script
10:50 < krzee> then you make it filename.command
10:50 < krzee> and it becomes clickable
10:50 < alien8> indeed, but when you have 4 vpns up some people like a nice drop down list with checks/ticks
10:50 < krzee> so mine is a 1 liner that just runs openvpn configfile
10:50 < krzee> werd
10:50 < krzee> ya mines just for me
10:51 < krzee> time to go out and enjoy the vacation
10:51 < krzee> see ya guys
10:51 < dazo> c'ya! Enjoy
10:51 < alien8> :-)
10:52 < _Pete_> oh right found solution using firestarter
10:52 < _Pete_> http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/
10:52 < vpnHelper> Title: Homage to Icarus Blog Archive OpenVPN and Firestarter (at jcape.ignore-your.tv)
10:52 < _Pete_> in case someone else needs too
10:55 < krzee> !learn firestarter as if you use firestarter to config your firewall you may want to see http://jcape.ignore-your.tv/2006/08/03/openvpn-and-firestarter/ for help
10:55 < vpnHelper> krzee: Joo got it.
10:58 -!- gabe__ [n=fuzzimac@pool-151-203-155-122.wma.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
11:11 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
11:19 < _Pete_> hmm one question, my server is 10.69.1.2 and one client is 10.69.1.1
11:19 < _Pete_> if another client connects does it matter if that is too 10.19.1.1 ?
11:19 < _Pete_> 69
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:35 < nemysis> Is this good to make Keys for OpenVPN http://zlin.dk/p/?NjA0Njg4
11:35 < vpnHelper> Title: K-nopaste (at zlin.dk)
11:38 -!- mikkel_ [n=mikkel@84.238.113.66] has quit ["Leaving"]
11:56 < _Pete_> can there be multiple clients connected to one openvpn server at same time?
12:42 -!- david_ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has joined ##openvpn
12:42 < david_> elo
12:42 < david_> i have never tried this so i wanted any advice, i wanted to put a password on a client.key
12:43 < david_> but i asked myself when openvpn start (if it is launched by /etc/init.d) how is the password asked ?
12:44 -!- david_ is now known as dar__
12:52 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
12:52 < mmcgrath> are there any docs on network tuning and speed troubleshooting?
12:54 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has joined ##openvpn
12:54 < SH4|Gast457> Hi, can anybody tell me about the script-security parameter?
12:56 < SH4|Gast457> no ip addresses and routes are set up by openvpn in vista, could this be the reason for it?
13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:05 < SH4|Gast457> could anybody please take a look at the config? http://pastebin.com/d635a7971
13:06 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Remote closed the connection]
13:06 < SH4|Gast457> when I use ubuntu to connect to the server, everything works perfect
13:06 < SH4|Gast457> UAC is disabled in Vista
13:09 -!- toxygen [i=toxygen@stip-static-98.213-81-186.telecom.sk] has joined ##openvpn
13:09 < toxygen> hi
13:10 < toxygen> i would like to ask what is the proper way of making redirect such as assigning some external ip to vpn subnet ip, so clients can use openvpn as NAT for that ip
13:11 < toxygen> such as if you have allowed access to some server and you want your vpn clients to be able to access it through server
13:11 < toxygen> is that possible?
13:12 -!- Pred2k5 [n=Torsten@dslb-088-069-232-055.pools.arcor-ip.net] has joined ##openvpn
13:13 -!- Pred2k5 [n=Torsten@dslb-088-069-232-055.pools.arcor-ip.net] has left ##openvpn []
13:13 < gabe_> okay... so if I am on the client machine, do I need to set up a CA Cert and Key file? or is that just on the server side?
13:14 < gabe_> and if so... how do I generate those files?
13:15 < toxygen> gabe_: build-key
13:19 -!- zaqsdfgh [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a4efc5572929e390] has joined ##openvpn
13:19 < gabe_> toxygen: I need to do that for the client side?
13:19 < zaqsdfgh> hi
13:19 < zaqsdfgh> buddy
13:19 < zaqsdfgh> i try to follow this tutorial http://doc.ubuntu-fr.org/openvpn
13:19 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
13:19 < zaqsdfgh> http://doc.ubuntu-fr.org/openvpn
13:19 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org)
13:20 < gabe_> toxygen: also, from where (on an os x machine) would I run that command from?
13:20 < zaqsdfgh> voila
13:20 < zaqsdfgh> so i got some question
13:20 < zaqsdfgh> it is not written on this tutorial
13:21 < zaqsdfgh> 01.pem ca.key client2.csr dh1024.pem serial 02.pem client1.crt client2.key index.txt serial.old 03.pem client1.csr client3.crt index.txt.attr server.crt 04.pem client1.key client3.csr index.txt.attr.old server.csr ca.crt client2.crt client3.key index.txt.old server.key
13:21 < zaqsdfgh> is it normal that i got all those files ?
13:21 < SH4|Gast457> no!
13:22 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn []
13:23 < zaqsdfgh> where these 01.pem 02.pem 03.pem 04.pem for i use ?
13:23 < zaqsdfgh> for what purpose i have to use it ?
13:28 < zaqsdfgh> r u still there ppl
13:30 -!- zaqsdfgh [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a4efc5572929e390] has quit ["http://www.mibbit.com ajax IRC Client"]
13:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:31 < SH4|Gast457> sorry, I can't help you, I only know that I have only 4 files in my keys folder
13:33 < SH4|Gast457> client.key, ca.crt, dh1024.pem, client.crt
13:35 < ecrist> ping krzee
13:35 < SH4|Gast457> 01.pem ca.crt dh1024.pem index.txt.attr index.txt.old serial.old server.csr
13:35 < SH4|Gast457> 02.pem ca.key index.txt index.txt.attr.old serial server.crt server.key
13:35 < SH4|Gast457> thats at my servers key folder
13:35 < SH4|Gast457> contains certificate for 1 client
13:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:48 -!- kim0 [n=kimoz@unaffiliated/kim0] has joined ##openvpn
13:49 < kim0> Hi .. I'm a openvpn server .. I have 2 lines of internet .. a remote client can only connect to me over one of the lines and not the other
13:50 < kim0> tcpdump on the remote end .. reveals my packets are not reaching him
13:50 < kim0> how do I know if the packets are not leaving my router or not entering through his firewall for sure ?!
13:57 < ecrist> krzee: your server arrived. after it warms up, I'll get it plugged in/etc.
14:12 < krzee> sweet
14:12 < krzee> one has a HD one doesnt
14:12 < krzee> so ild say lets go with the one that does ;]
14:15 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
14:16 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has joined ##openvpn
14:24 < ecrist> krzee: plugged in, powered up
14:24 < ecrist> need to assign IP and get you access
14:25 < ecrist> IOW, I need a user/pass on that box, probably root. :)
14:27 -!- mmarker [n=mmarker@m415336d0.tmodns.net] has joined ##openvpn
14:27 < mmarker> !route
14:27 < vpnHelper> mmarker: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:30 < krzee> hrmmm
14:31 < krzee> i think we need to format it
14:31 < krzee> lol
14:31 < krzee> that thing has been down forever
14:31 < krzee> actually, can you single user it?
14:31 < ecrist> probably, haven't tried
14:31 < krzee> ohhhh wait, that things running gentoo isnt it
14:32 < krzee> screw that, lets fbsd it!
14:32 < krzee> but dude, totally not time sensitive
14:32 < krzee> im on vacation til the 10th
14:32 < ecrist> yes, it's on gentoo
14:32 < krzee> and have NO plans on logging in til after that
14:32 < ecrist> ok, you 7.1 on it?
14:32 < krzee> ya if 7.1 loads on the HW for sure
14:33 < krzee> we may need 8
14:33 < krzee> a chipset wasnt supported back then so we had to go gentoo
14:33 < krzee> but should be fine by now, back then it was being dev'ed
14:34 < ecrist> ok, will get that on there for ya
14:35 < krzee> right on man, thx
14:35 < ecrist> np
14:35 < krzee> ill try to get an address to send that other box to soon for ya, im sure you dont want it taking up your space
14:36 < ecrist> doesn't matter, take your time. my server room is 12x10, and only has one rack, so there's space. :)
14:36 < krzee> sweet thx
14:52 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has quit [Remote closed the connection]
15:22 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
15:23 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn
15:42 -!- mmarker [n=mmarker@m415336d0.tmodns.net] has quit [Read error: 104 (Connection reset by peer)]
15:52 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has joined ##openvpn
15:53 < Spockz|servert> hello
15:54 < Spockz|servert> I got some windows machines here who seem to lose their way to the vpn network
15:54 < Spockz|servert> packages for the VPN ip's are directed to the normal/default gateway.
15:55 < Spockz|servert> How can I fix this?
15:57 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
16:01 < Spockz|servert> ahr, nvm. Using the openvpn-gui-1.0.3.exe fixes the problem
16:12 -!- SH4|Gast457 [n=Gast428@p4FEE1AAF.dip0.t-ipconnect.de] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:41 -!- gabe_ [n=fuzzimac@pool-72-79-222-33.spfdma.east.verizon.net] has quit []
17:16 -!- DarKnesS_WolF [n=wolf@unaffiliated/sherif] has quit [Read error: 110 (Connection timed out)]
17:21 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
17:53 -!- toxygen [i=toxygen@stip-static-98.213-81-186.telecom.sk] has left ##openvpn []
18:17 < kim0> Guys, anyway for openvpn to randomize its source port
18:55 < ecrist> kim0: it doesn't?
18:55 < kim0> guess not
18:55 < kim0> with nobind it does
18:56 < ecrist> not sure, I guess
18:56 < ecrist> sorry
19:06 < nemysis> port 1194
19:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:29 -!- rdz [i=roman@netpd.org] has joined ##openvpn
19:42 -!- arzen1013 [n=Administ@119.123.11.94] has joined ##openvpn
19:43 < arzen1013> Hi all, ccd folder place in 'OpenVPN\config\ccd' or 'OpenVPN\ccd' ? thanks
19:43 < krzee> wherever you want
19:43 < ecrist> what ever you prefer
19:43 < krzee> just have it match what you say it is in the config
19:43 < ecrist> krzee: 7.1 no-go, downloading december 8.0 snapshot
19:46 < arzen1013> ecrist: my server.ovpn setting is 'client-config-dir ccd', so , place in 'OpenVPN\config\ccd' , right?
19:46 < ecrist> no, in OpenVPN\ccd
19:46 < ecrist> krzee: pm?
19:46 < arzen1013> thanks ecrist:
19:47 < krzee> ecrist, werd, hopefully that works
19:47 * krzee crosses fingers
19:47 < krzee> sure
19:49 -!- kim0 [n=kimoz@unaffiliated/kim0] has quit [Remote closed the connection]
19:54 -!- arzen10131 [n=Administ@119.123.11.94] has joined ##openvpn
19:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:02 < arzen10131> ecrist: seem you are wrong, should be place in 'OpenVPN\config\ccd' , not in OpenVPN\ccd
20:07 -!- c64zotte1 [n=hans@p5B178F13.dip0.t-ipconnect.de] has joined ##openvpn
20:10 < arzen10131> !route
20:10 < vpnHelper> arzen10131: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
20:13 -!- arzen1013 [n=Administ@119.123.11.94] has quit [Read error: 110 (Connection timed out)]
20:23 -!- c64zottel [n=hans@p5B17B248.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
20:33 -!- arzen10131 [n=Administ@119.123.11.94] has left ##openvpn []
20:33 -!- arzen10131 [n=Administ@119.123.11.94] has joined ##openvpn
20:39 < arzen10131> Hi all, I have two LANs, want to connect each other, A LAN 192.168.1.x ; B LAN 10.50.71.x ; openvpn server A.1 in 192.168.1.2 LAN, openvpn client B.1 in 10.50.71.21 LAN; now, from 192.168.1.2 can access 10.50.71.21, but can't access 10.50.71.111, how to ? thanks
20:52 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
21:23 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
21:24 < ecrist> arzen10131: !route
21:25 < xor|> question: all commands that are listed in the man file, for example --local host, if i remove the -- prefix, are they exactly the same as what i can type in the config files?
21:31 < ecrist> for the most part, yes.
21:39 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit ["leaving"]
21:39 < xor|> :D
21:59 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
22:00 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn
22:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
22:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:08 < tjz|lunch> hi jeff =)
22:08 -!- tjz|lunch is now known as tjz
22:09 < krzee> sup man
22:09 < krzee> hows it goin
22:09 < tjz> doing great =)
23:02 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
23:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
23:33 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
--- Day changed Sat Feb 28 2009
00:39 -!- rdw200169_ [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has joined ##openvpn
00:54 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
01:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
02:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
02:25 -!- arzen10131 [n=Administ@119.123.11.94] has quit [Read error: 110 (Connection timed out)]
02:34 -!- rdw200169_ is now known as rdw200169
02:39 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:01 -!- Spockz|servert [n=spockz@71pc198.sshunet.nl] has left ##openvpn ["Leaving"]
03:14 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
05:27 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn
05:28 < Maxtehmantus> Hmm.. While setting up an OpenVPN setup following the HOWTO on openvpn.net, the easy-rsa scripts didn't seem to make a client certificate.
05:28 < Maxtehmantus> It just made a file (max.crt) with nothing in it (0 byte file)
05:31 < Maxtehmantus> Oh, nvm.. Didn't notice this.
05:31 < Maxtehmantus> The countryName field needed to be the same in the
05:31 < Maxtehmantus> CA certificate (US) and the request (NZ)
05:32 < Maxtehmantus> Thought it'd make more sense to put the client's location in the client cert.. Dunno
05:51 < Maxtehmantus> Hmm..
05:52 < Maxtehmantus> Sat Feb 28 11:55:34 2009 TLS: Initial packet from x.x.x.x:xxxx, sid=d5951f90 74e19d94
05:52 < Maxtehmantus> Sat Feb 28 11:55:37 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=CA/L=LA/O=ares/OU=max/CN=ares/emailAddress=party@my.house
05:52 < Maxtehmantus> Sat Feb 28 11:55:37 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
05:57 -!- _Pete_ [n=petriai@e82-103-218-67.elisa-laajakaista.fi] has left ##openvpn []
05:58 < Maxtehmantus> Anyone got a clue on what the problem could be?
06:06 * Maxtehmantus wonders why it'd care about a self-signed certificate.
06:15 < Maxtehmantus> Do I need to get the certificate signed by some company?
06:24 < Maxtehmantus> Anyone?
06:24 < Maxtehmantus> Google doesn't seem to be helping here..
People with the problem get some response, then they'll never reply back. 06:25 < hads> You don't need to get it signed, easy-rsa works. 06:26 < Maxtehmantus> Well I followed what it had in the HOWTO and it didn't. O_ 06:26 < Maxtehmantus> o 06:26 < hads> Follow it better? :) 06:30 < Maxtehmantus> Hmm.. Should server.crt be the same as the client's crt file? 06:33 < hads> Nope 07:07 < ecrist> Maxtehmantus: no 07:34 * Maxtehmantus is still getting it. 07:35 < Maxtehmantus> (After clearing all of the crts, keys, etc.. Everything made by easy-rsa 07:37 < Maxtehmantus> Hmm.. Maybe easy-rsa is broken.. Dunno. 07:37 * Maxtehmantus tries making them on the other end. 07:49 < Maxtehmantus> Nope. Still doing it. 07:49 < Maxtehmantus> What the hell is going on? 07:49 < Maxtehmantus> The client names don't need to be "client1", "client2", ... do they? 07:55 < Maxtehmantus> So in easy-rsa.. I just go: . ./vars 07:55 < Maxtehmantus> ./clean-all; ./build-ca 07:55 < Maxtehmantus> Then press enter for everything, except commonname, where I type "ares" 07:56 < Maxtehmantus> Then ./build-key-server, again, defaults, (common name here is defaulted to "server"), and I enter a password. 07:57 < Maxtehmantus> Then ./build-key max, defaults (common name this time is defaulted to "max"), same password as I entered in ./build-key-server 07:57 < Maxtehmantus> Then ./build-dh 07:58 < Maxtehmantus> Then copy the files that the server and the client each need onto the hosts.. It should work, right? 
08:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)] 08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:05 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 09:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 09:54 -!- onats [n=onats@122.53.136.244] has joined ##openvpn 10:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:07 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:38 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 11:39 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:48 -!- rubydiam_ [n=rubydiam@123.236.183.238] has joined ##openvpn 11:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 12:06 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:43 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 12:53 < vcs> I want to use OpenVPN to access the internal network of the 
server (in the 192.168.0.0 range). To do this would I need to add a route in both client and server configuration? 12:54 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out] 12:59 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 13:02 -!- alien8 [n=alien@indigo.alien8.org] has quit [] 13:03 < krzee> vcs 13:03 < krzee> !route 13:03 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 13:03 -!- alien8 [n=alien@indigo.alien8.org] has joined ##openvpn 13:03 < krzee> it would just be a push route on the server config (pushes to clients) 13:04 < krzee> and as described after the drawing, a route added to the servers router assuming the server is not the default gateway 13:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 13:13 -!- kyrix [n=ashley@91-115-187-169.adsl.highway.telekom.at] has joined ##openvpn 13:19 < vcs> ty 13:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:21 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 13:23 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has joined ##openvpn 13:23 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 13:23 < mRCUTEO> so hiya all 13:38 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 14:31 -!- kyrix [n=ashley@91-115-187-169.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 14:32 -!- kyrix [n=ashley@91-115-187-43.adsl.highway.telekom.at] has joined ##openvpn 16:01 -!- kyrix [n=ashley@91-115-187-43.adsl.highway.telekom.at] has quit ["Leaving"] 16:31 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Remote closed the connection] 16:37 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn 16:48 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 
16:53 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out] 17:01 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit [Read error: 104 (Connection reset by peer)] 17:02 -!- Roman123 [n=Roman123@85-124-225-129.work.xdsl-line.inode.at] has joined ##openvpn 17:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:21 -!- star [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has joined ##openvpn 17:22 -!- star is now known as Guest93116 17:35 -!- Guest93116 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has quit ["Leaving"] 17:38 -!- Roman123 [n=Roman123@85-124-225-129.work.xdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)] 17:59 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn 18:00 < Maxtehmantus> This easy-rsa doesn't seem to work.. I'm still getting the client complaining that it's using a self-signed certificate.. Tried making the crt and keys on both the server and client. 18:01 < krzee> user error, but do you happen to not be using windows...? 18:02 < Maxtehmantus> Yes, I do so happen to not be using Windows. Why? 18:02 < krzee> oh 18:02 < krzee> cause theres a better app made by someone from in here 18:02 < krzee> but it runs on * except windows 18:03 < krzee> well, i guess it would work on windows too maybe if theres perl for windows 18:03 < Maxtehmantus> Well I don't see where the user error could come in.. I've followed up to the part where it says to start openvpn, and it won't work. 18:03 < krzee> you followed the howto? 18:03 < Maxtehmantus> Hmm.. Where can I get it? I'd be willing to try that. 18:03 < Maxtehmantus> Yes. 
18:03 < Maxtehmantus> http://openvpn.net/index.php/documentation/howto.html 18:03 < krzee> ive seen many with your problem 18:03 < vpnHelper> Title: HOWTO (at openvpn.net) 18:03 < krzee> then i tell them to regen the certs 18:03 < krzee> they do, it works 18:04 < krzee> http://openvpn.net/howto 18:04 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 18:04 < krzee> ;] 18:04 < Maxtehmantus> What? ./revoke-full? 18:04 < krzee> huh? 18:04 < Maxtehmantus> "regen the certs" 18:04 < krzee> not revoke 18:05 < krzee> re-generate 18:05 < Maxtehmantus> How do I do that? Just go through the process of generating them again? 18:05 < Maxtehmantus> I've done that three times. 18:05 < krzee> well somehow you're getting some part wrong 18:06 < krzee> using build-key-server for server and build-key for client? 18:06 < Maxtehmantus> I don't think so. 18:06 < krzee> umm 18:06 < krzee> you actually READ the howto? 18:07 < Maxtehmantus> Yes. 18:07 < Maxtehmantus> btw, when I revoke the client (max), it shows: max.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=max/emailAddress=me@myhost.mydomain 18:07 < krzee> why would you revoke the client? 18:07 < Maxtehmantus> Then the server: server.crt: /C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain 18:07 < Maxtehmantus> Because I think it thinks they don't work together. 18:07 < Maxtehmantus> I dunno. 18:07 < krzee> lol 18:07 < krzee> no 18:07 < krzee> start over 18:08 < krzee> delete everything you did 18:08 < krzee> except dh 18:08 < krzee> thats fine 18:08 < Maxtehmantus> Mahia easy-rsa # rm -rf keys 18:08 < krzee> make sure EVERYTHING has different common names 18:08 < krzee> CA different than server different than any clients 18:09 < krzee> also 18:09 < krzee> if you followed the howto 18:09 < krzee> how did you miss: 18:09 < krzee> Note that in the above sequence, most queried parameters were defaulted to the values set in the vars or vars.bat files. 
The only parameter which must be explicitly entered is the Common Name. In the example above, I used "OpenVPN-CA". 18:09 < krzee> Generate certificate & key for server 18:09 < krzee> Next, we will generate a certificate and private key for the server. On Linux/BSD/Unix: 18:09 < krzee> ./build-key-server server 18:09 < krzee> On Windows: 18:09 < krzee> build-key-server server 18:10 < krzee> Generate certificates & keys for 3 clients 18:10 < krzee> On Windows: 18:10 < krzee> build-key client1 18:10 < krzee> build-key client2 18:10 < krzee> build-key client3 18:10 < Maxtehmantus> krzee, yes, I put ares for that common name (when running ./build-ca) 18:10 < Maxtehmantus> (Everything else was defaulted) 18:11 < Maxtehmantus> Then for ./build-key-server, I used server for the common name. 18:11 < Maxtehmantus> And for ./build-key max, I used max as the common name. 18:13 < krzee> [19:12] using build-key-server for server and build-key for client? 18:13 < krzee> [19:13] I don't think so. 18:13 < krzee> o_O 18:13 < Maxtehmantus> What? 18:14 < Maxtehmantus> well somehow you're getting some part wrong 18:14 < Maxtehmantus> I don't think so. 18:14 < Maxtehmantus> Was a delayed response. 18:14 < Maxtehmantus> Wasn't answering to the second thing you said there. 18:14 < Maxtehmantus> So the answer to the second thing is: yes 18:15 < Maxtehmantus> (It'd be rather trivial to answer that question within 1 second of you sending it - especially with aspects such as ping) 18:15 < Maxtehmantus> Oh, nvm, those are minutes. 18:17 < krzee> bbl 18:17 < krzee> heh 18:17 < Maxtehmantus> Wait. What was the alternative to easy-rsa? 18:17 < Maxtehmantus> You mentioned something about Perl. 18:17 < krzee> !ssl-admin 18:17 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 18:18 < Maxtehmantus> Mk, thanks. 
Will try that after easy-rsa one more time. 18:18 < krzee> adios! 18:18 < krzee> np 18:26 < Maxtehmantus> Hmm.. That wiki seems to lack the page. :\ 18:33 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 18:39 < Maxtehmantus> Well the easy-rsa thing failed AGAIN 18:39 < Maxtehmantus> Either it's not so easy, or it's fucked. 18:41 < Maxtehmantus> Could it possibly be due to an openssl/openvpn version mismatch? Client is running OpenSSL 0.9.8h, OpenVPN 2.0.7. Server is running OpenSSL 0.9.8g, OpenVPN 2.0.9 18:42 < Maxtehmantus> And the only thing "ssl-admin" gets me on Google is some PHP script. 18:44 < Maxtehmantus> Oh, there it is: http://www.freshports.org/security/ssl-admin/ 18:44 < vpnHelper> Title: FreshPorts -- security/ssl-admin (at www.freshports.org) 18:49 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn 18:50 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has joined ##openvpn 18:55 < dvl> Maxtehmantus: heh, that's my website. ;) 18:58 < Maxtehmantus> I see. 19:01 < Maxtehmantus> I think this secure-computing.net host is broken. 19:04 -!- c64zotte1 [n=hans@p5B178F13.dip0.t-ipconnect.de] has quit ["Leaving."] 19:04 * Maxtehmantus tries tinyca 19:07 < ecrist> fuckers 19:07 -!- ElCheapo [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Read error: 110 (Connection timed out)] 19:07 < Maxtehmantus> Yes? 19:07 -!- elcheapo_ [n=elcheapo@d137-186-179-195.abhsia.telus.net] has quit [Read error: 110 (Connection timed out)] 19:08 -!- rdw200169 [n=randy@cpe-68-174-88-54.nyc.res.rr.com] has quit ["Ex-Chat"] 19:18 < Maxtehmantus> Bleh. I don't get this tinyca crap. 19:18 < Maxtehmantus> I don't see why the hell easy-vpn isn't working for me. 19:18 < Maxtehmantus> rsa* 19:26 < ecrist> Maxtehmantus: the secure-computing.net host isn't broken 19:27 < Maxtehmantus> Hmm.. I don't think the problem is with easy-rsa.. 
It appears to be either with OpenVPN or my configuration. 19:27 < Maxtehmantus> I just tried the "sample-keys" from the source package.. They didn't work either. 19:28 < ecrist> Maxtehmantus: for the record, ssl-admin is a PERL script, not a PHP script 19:29 < Maxtehmantus> Yeah, Google's first few results were on some admin-ssl PHP script. 19:29 < ecrist> no, the third, FreshPorts, was for security/ssl-admin, a PERL script, in the FreeBSD ports tree. 19:30 < ecrist> ah, I see what you're talking about. 19:30 < ecrist> that's a plugin for wordpress. 19:31 -!- worch [i=worch@battletoad.com] has quit [Remote closed the connection] 19:31 -!- worch [i=worch@battletoad.com] has joined ##openvpn 19:31 < Maxtehmantus> Well secure-computing.net takes ages to load for me.. When I tried the SVN it just sat there (I had to kill -9 it) 19:32 < Maxtehmantus> I'll try on the other host. 19:32 < hads> Something else must be wrong if you followed the easy-rsa instructions because they do work. 19:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 19:33 < ecrist> Maxtehmantus: what URL are you going to? 19:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 19:33 < Maxtehmantus> http://www.secure-computing.net/ssl-admin/ 19:33 < vpnHelper> Title: SCN Open Source - Trac (at www.secure-computing.net) 19:34 < Maxtehmantus> Maybe it's just my ISP. 19:34 < ecrist> I think it's your ISP. 19:35 < Maxtehmantus> :X links doesn't seem to like this site. 19:35 < ecrist> lol, joogot.noskills.net 19:36 < ecrist> tor? 19:36 < krzee> nah i own noskills.net 19:36 < Maxtehmantus> Odd.. Worked the second time. 19:36 < Maxtehmantus> First time, it screwed up the chars on the terminal. 19:37 < ecrist> Maxtehmantus: you using tor? 19:37 < krzee> oh, lol 19:37 < Maxtehmantus> tor? 19:37 < ecrist> I see you coming from a range of IPs. 19:37 < ecrist> range = more than one 19:37 < Maxtehmantus> And what's with that joogot.noskills.net? Just a blank page. 
19:37 < ecrist> not same subnet 19:37 < Maxtehmantus> ecrist, err.. Should see my home address (as used on IRC here: 203.97.238.106) 19:38 < krzee> joogot.noskills.net shouldnt have a webserver running at all 19:38 < Maxtehmantus> And the IP of a dedi I'm using.. 69.42.220.something 19:38 < Maxtehmantus> .13 I think is the default. 19:38 < Maxtehmantus> Wait, 69.42.221.107 19:38 < ecrist> Maxtehmantus: 69.42.221.107 19:39 < Maxtehmantus> Yes, that. 19:39 < ecrist> so, no problems on my end, just PEKAC? 19:39 < Maxtehmantus> PEKAC? 19:39 < ecrist> sorry, PEBKAC 19:40 < ecrist> Problem Exists Between Keyboard And Chair 19:40 < Maxtehmantus> With what? Trying to access the site? 19:40 < ecrist> i.e. 19:36 < Maxtehmantus> First time, it screwed up the chars on the terminal. 19:40 < ecrist> yes, that's my site, I like to know if people can't reach it. 19:40 < Maxtehmantus> Yeah, that was just links.. Dunno why that happened. 19:41 < ecrist> ssl-admin is my script, so I like to know if people have problems with that, too. :) 19:41 < ecrist> I'm out - gotta attend to the wife. ;) see ya'll tomorrow. 19:42 < Maxtehmantus> You might. 19:45 < Maxtehmantus> Well I think the link just sucks between me and your site. :d 19:46 < Maxtehmantus> svn worked fine on the dedi I use. 19:54 < dvl> is there an extra comman in there? 19:54 < Maxtehmantus> Huh? 19:55 < Maxtehmantus> Hmm.. I think there's a problem with my configurations: http://rafb.net/p/qlseOA73.html 19:55 < vpnHelper> Title: Nopaste - server.conf (at rafb.net) 19:55 < Maxtehmantus> http://dpaste.com/3655/ 19:55 < Maxtehmantus> Hmm.. wgetpaste on different machines used different pbs. O_o 19:56 < Maxtehmantus> The keys I generate with easy-rsa don't work, NOR do the sample ones in the source package of openvpn-2.0.9 19:57 < Maxtehmantus> Ah fuck. 19:57 < Maxtehmantus> ca max.crt 19:57 < Maxtehmantus> God, how'd I manage to do that. 19:58 < Maxtehmantus> Yeah.. That seems to be the problem. 
:X 20:01 < hads> So things aren't broken 20:02 < Maxtehmantus> Nope.. Seems to be working. 20:02 < hads> Right. 20:03 < Maxtehmantus> (With my certificates - don't bother trying to connect using the samples now) 20:08 < Maxtehmantus> Hmm.. Partially working. :\ 20:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 20:10 < Maxtehmantus> Hmm.. Maybe this could be a problem: 20:10 < Maxtehmantus> 172.16.7.0 172.16.7.5 255.255.255.0 UG 0 0 0 tun0 20:10 < Maxtehmantus> Shouldn't the gateway be the IP assigned to the tunnel on the server end? 20:10 * Maxtehmantus tries. 20:13 < Maxtehmantus> Hmm.. Why is tun0 on the client side on /32? Shouldn't it be /24, so it's part of the OpenVPN subnet? 20:14 < krzee> !/32 20:14 < vpnHelper> krzee: Error: "/32" is not a valid command. 20:14 < krzee> !factoids search / 20:14 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 20:14 < krzee> i was thinking 32 didnt sound right 20:14 < krzee> lol 20:14 < krzee> im headed back out to the party 20:14 < krzee> ecrist, thanx a lot man, you rule 20:15 < krzee> ecrist, im going to shut it down for now, as i wont be able to lock it down more than i just did yet 20:15 < krzee> so if you notice its off, thats no accident ;] 20:16 < Maxtehmantus> Oh right. It's a point-to-point link. 20:16 < Maxtehmantus> But that'd mean /30, and mine's /32 20:16 < krzee> prove it 20:16 < Maxtehmantus> inet addr:172.16.7.6 P-t-P:172.16.7.5 Mask:255.255.255.255 20:16 < krzee> negative 20:16 < krzee> stop over thinking 20:16 < krzee> openvpn is doing it right 20:17 < krzee> you arent understanding it 20:17 < krzee> but it is doing it right 20:17 < krzee> bbl 20:17 < Maxtehmantus> Oh hey, it works now. 
20:17 < Maxtehmantus> 64 bytes from 172.16.7.1: icmp_seq=1 ttl=64 time=152 ms 20:18 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has quit [Connection reset by peer] 20:20 * Maxtehmantus is wondering if it'd be possible to let clients use the server's IP address[es]. 20:21 < Maxtehmantus> Hmm.. Probably just need to set up some simple routes on the server side. 20:21 < Maxtehmantus> Dunno. 20:27 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has joined ##openvpn 20:31 * Maxtehmantus hasn't really done much routing on Linux. 20:33 < Maxtehmantus> So how do I get it to forward connections from the OpenVPN server to the internet? 20:33 < Maxtehmantus> Mahia ssl-admin # route add -host 209.85.171.100 gw 172.16.7.5 && nc -v -v 209.85.171.100 80 20:33 < Maxtehmantus> Doesn't seem to connect. 20:33 < Maxtehmantus> Sat Feb 28 18:33:12 2009 max/203.97.238.106:35153 MULTI: bad source address from client [10.1.1.1], packet dropped 20:33 < Maxtehmantus> Ah. 20:34 < Maxtehmantus> Although -s 172.16.7.6 doesn't seem to do anything either. 20:35 < Maxtehmantus> I don't think the server is routing packets from the tun0 device through the default gateway. 20:36 < Maxtehmantus> Only seem to be able to access the OpenVPN network (172.16.7.0/24) 20:37 < Maxtehmantus> Oh, and I can access the server's other configured IPs. 20:37 < Maxtehmantus> ntuS.uni.cc [69.42.220.7] 80 (http) open 20:38 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 20:39 < dijital1> have any of you been able to configure openvpn server to where it actually pushes dns to the client? 20:44 < Maxtehmantus> What'd be really cool, is if I could assign a single specific IP address belonging to the server, to the client.. 
20:45 < Maxtehmantus> So the client will be able to bind to 69.42.220.7, and the connection will be forwarded through OpenVPN to the server, to the internet (from 69.42.220.7) 20:46 < Maxtehmantus> (The server has quite a few IPs) 21:07 < Maxtehmantus> I think I know how to do this. 21:07 * Maxtehmantus got it so far on the server side. 21:09 < Maxtehmantus> Hmm.. How do I get the client to route all packets where the src=172.16.7.6 through OpenVPN (tun0)? 21:09 < Maxtehmantus> I thought Linux did that automatically, but it appears it doesn't. 21:10 < Maxtehmantus> eg, if an outbound packet has the source address 127.0.0.1, it should be sent to the loopback device (lo), right? 21:10 < Maxtehmantus> Because lo is assigned the subnet 127.0.0.0/8 21:11 < Maxtehmantus> So it should route packets with src=172.16.7.6 through tun0, because tun0 has 172.16.7.6/32 21:12 < Maxtehmantus> It's not though.. I need to set routes for the outgoing packets.. Strange. 21:13 < Maxtehmantus> Wait.. It makes sense that it doesn't. 21:13 < Maxtehmantus> Because 127.0.0.0/8 is on the route table. 21:18 < krzee> dijital1, i havnt, but ive helped many do it 21:18 < krzee> you need this: 21:18 < krzee> !pushdns 21:18 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 21:18 < krzee> read the link 21:18 < krzee> Maxtehmantus, 21:19 < krzee> you need this: 21:19 < krzee> !def1 21:19 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:19 < krzee> along with: 21:19 < krzee> ip forwarding enabled, and NAT running for the vpn ips on the server 21:19 < Maxtehmantus> I don't want to use a default gateway. 21:20 < Maxtehmantus> I just want it to do some source-based routing from the client side. 21:20 < Maxtehmantus> So it'll forward packets with src=172.16.7.6 to tun0. 21:20 < krzee> then you setup the routes instead 21:20 < krzee> either way you need the rest 21:20 * Maxtehmantus doesn't know how to do source based routes. 21:21 < krzee> its not an openvpn problem 21:21 < Maxtehmantus> I know. 21:21 < krzee> its you learning how to use your OS from here on out 21:21 < Maxtehmantus> Yeah, I know. 21:21 < Maxtehmantus> But this being a VPN channel, people are likely to have done this before. 21:22 < krzee> it being saturday night for many people here, you're less likely to find help 21:22 < Maxtehmantus> Lies. It's Sunday afternoon. 21:22 < krzee> *shrug* 21:22 < Maxtehmantus> Evening, even. 21:22 < krzee> that wouldnt help your cause either 21:22 < krzee> lol 21:24 < dijital1> krzee: hmm I just want a stable vpn client 21:25 < krzee> pushing dns has to do with stability? 21:27 < krzee> dijital1, what OS is the client? 
21:29 < krzee> well if you stick around ill see your answer later 21:30 < krzee> im in and out 21:30 < krzee> every time i come back to my room i check out my computer 21:33 < dijital1> OSX 21:33 < dijital1> mac os 21:33 < dijital1> I'm here 21:33 < dijital1> sorry 21:33 < dijital1> I'm back now 21:34 < dijital1> mac os x 21:34 < dijital1> I've tried several hardware ssl clients and they always seem to misbehave 21:34 < dijital1> hardware gateways rather 21:35 < dijital1> I want something that performs as reliably as some of the juniper ssl vpn gear 21:36 < krzee> just run the script mentioned in the link i gave you 21:36 < krzee> osx is a unix at heart 21:37 < dijital1> *looks for the link* 21:37 < krzee> !pushdns 21:37 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 21:37 < krzee> you didnt read that link? 21:37 < dijital1> reading it now 21:38 < krzee> bad diji! 21:38 < dijital1> hmm 21:38 < dijital1> I wonder if I can get tunnelblick to run the script for me 21:39 < krzee> no, you can get openvpn to 21:39 < krzee> tunnelblick just starts and stops your openvpn for you 21:39 < dijital1> there's a "script" directive? 21:39 < krzee> which i accomplish with a 1 line shell script instead of some lame gui 21:39 < dijital1> that I can add to the openvpn.conf on my client? 21:40 < krzee> theres like 5 ways to run scripts in openvpn 21:40 < krzee> find them! 21:40 < krzee> !man 21:40 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
21:40 < krzee> look for the word script, it will appear many times 21:40 < krzee> (i also use osx) 21:41 < dijital1> cool 21:41 < dijital1> i'm actually probably going to have to open 2 ports and run 2 instances 21:41 < dijital1> because I want just port forwarding and full tunnel mode which require different server configs 21:42 < krzee> port forwarding? 21:42 < krzee> shouldnt ssh work for that... 21:42 < krzee> (ssh tunnels) 21:42 < dijital1> well not really port forwarding.. more like connecting to the server running openvpn without passing all of my traffic over it 21:42 < krzee> and then whats full tunnel mode? 21:42 < krzee> passing all traffic? 21:42 < dijital1> so if I want to connect to my remote network but not tunnel all traffic over it I mean 21:43 < dijital1> I'd like to have the option to do both 21:43 < krzee> you dont HAVE to push options 21:43 < krzee> you can put them in client config 21:43 < dijital1> that's going to take 2 different instances because the server configs are different to do that 21:43 < krzee> instead of pushing redirect-gateway 21:43 < dijital1> at least that's the only way that I can think of to do it 21:43 < krzee> put it in client config 21:43 < krzee> then comment it out, and it wont be used 21:44 < krzee> (or have 2 client configs) 21:44 < dijital1> yeah.. and swap between them 21:44 < krzee> easy enough =] 21:47 < krzee> hows that work for ya 21:47 < krzee> (the idea) 21:47 < dijital1> that works 21:47 < dijital1> this is what my server config looks like 21:47 < dijital1> http://rafb.net/p/x6E7uo31.html 21:47 < vpnHelper> Title: Nopaste - No description (at rafb.net) 21:48 < dijital1> did you get that link? 21:48 < krzee> ya but if comments arent stripped im not reading it 21:48 < dijital1> vpnhelper emoted when I pasted it 21:48 < vpnHelper> dijital1: Error: "emoted" is not a valid command. 
21:48 < dijital1> there aren't any comments in it 21:49 < krzee> great 21:49 < dijital1> it's all directives 21:49 < krzee> !tcp 21:49 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 21:50 < krzee> other than that, cool 21:50 < krzee> except what i told you: 21:50 < krzee> you still have push "redirect-gateway def1" 21:50 < krzee> for what i suggested youd remove that 21:50 < dijital1> and this is my client config 21:50 < krzee> and add to the clients that you want that on for: 21:50 < dijital1> http://rafb.net/p/pSCSu382.html 21:50 < vpnHelper> Title: Nopaste - client config (at rafb.net) 21:51 < krzee> redirect-gateway def1 21:51 < dijital1> so I need to put that in the client then 21:51 < dijital1> vs. having the server push it 21:51 < krzee> beats running 2 instances 21:51 < krzee> unless its for business use and you need the control 21:51 < krzee> but it seems its for you 21:52 < dijital1> yep it is 21:52 < dijital1> so to make it udp, it would just be proto udp client correct? 21:52 < dijital1> proto udp-client 21:52 < krzee> no 21:52 < krzee> read the manual! 21:52 < krzee> !man 21:52 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:52 < krzee> im not the manual 21:52 < krzee> in fact im on vacation 21:53 < krzee> so im going back out 21:53 < dijital1> alright man 21:53 < krzee> =] 21:57 -!- rubydiam_ [n=rubydiam@123.236.183.238] has quit [Read error: 110 (Connection timed out)] 22:19 < dijital1> are you still there krzee? 
22:25 * ecrist guesses no 22:25 < dijital1> hmmm 22:25 < dijital1> trying to figure out the udp connectivity 22:25 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit ["# killall -9 xchat && shutdown now"] 22:25 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn 22:26 < ecrist> what a name, {}{}{}{} 22:29 < dvl> HHH 22:30 < dvl> == Hash House Harriers 22:30 < ecrist> Hubert H Humphrey Metrodome? The Vikings play there... 22:32 -!- dijital1_ [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 22:43 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 110 (Connection timed out)] 22:45 -!- dijital1_ is now known as dijital1 22:45 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has joined ##openvpn 22:45 -!- QWonder [n=QW@c-71-203-15-133.hsd1.fl.comcast.net] has left ##openvpn ["Leaving"] 23:10 < krzee> proto udp 23:10 < krzee> all you had to do was read --proto in manual 23:10 < krzee> *back to gone* 23:27 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)] 23:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 23:49 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 23:59 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] --- Day changed Sun Mar 01 2009 00:00 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 00:01 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Read error: 60 (Operation timed out)] 00:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:05 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit [Client Quit] 00:27 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has joined ##openvpn 00:27 < Maxtehmantus> Is it possible to 
get OpenVPN to detach after it's made the tun device? 00:28 < Maxtehmantus> Trying to set up a script to start OpenVPN and set up some routes.. Won't let me make the routes until the device is up. 00:41 -!- bsdx [n=bsd@61.17.165.191] has joined ##openvpn 00:56 < Maxtehmantus> Hmm.. I suppose --ipchange could work. 00:56 -!- bsdx [n=bsd@61.17.165.191] has left ##openvpn ["Leaving"] 01:06 -!- Maxtehmantus [n={}{}{}{}@203-97-238-106.cable.telstraclear.net] has quit ["# killall -9 xchat && shutdown now"] 01:06 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn 01:41 < ecrist> foo 01:41 < hads> bar 01:44 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 01:45 < hads> I think I need to get this remote router replaced, it's the only thing I can think of as being the issue. 01:46 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 01:46 < ecrist> good idea 01:46 < ecrist> !?!? 01:46 < vpnHelper> ecrist: Error: "?!?" is not a valid command. 02:16 -!- c64zottel [n=hans@p5B178CA3.dip0.t-ipconnect.de] has joined ##openvpn 02:23 < hads> I might setup bridging to try and get around the issue. 02:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:35 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)] 02:35 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 03:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:26 -!- c64zottel [n=hans@p5B178CA3.dip0.t-ipconnect.de] has left ##openvpn [] 04:47 -!- arzen1013 [n=Administ@116.24.178.121] has joined ##openvpn 04:51 < arzen1013> Hi all, I use openvpn in a windows box as vpn server, and it is not the gateway, its ip is 192.168.1.2, another LAN machine is 192.168.1.9 , I want it to also be able to access the 10.8.0.1 openvpn subnet, how to do it ? 
05:48 -!- skx [i=skx@217.17.32.190] has joined ##openvpn 06:04 -!- rodpod [n=rod@hick.org] has joined ##openvpn 06:21 -!- arzen1013 [n=Administ@116.24.178.121] has left ##openvpn [] 06:44 -!- Roman123 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has joined ##openvpn 06:56 < Roman123> I have two networks (192.168.50.x and 192.168.51.x). Both are connected over an openvpn bridge by means of two openwrt routers, which works very well. There is only one small problem: Sometimes, when a computer is connected to the 51er subnet, the dhcp server from the 50er subnet assigns an address. How can I filter the dhcp requests between both networks? 06:56 < Roman123> Is that possible? 06:58 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 06:58 < Gumbler> hello 06:58 < Gumbler> ;/ 06:58 < Gumbler> can somebody help me? i have the error "cannot locate HMAC in incoming packet from " (sry for my bad english) 06:59 < Gumbler> i use openvpn on debian and the client on vista.. 07:43 -!- fselo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-3a480b1a2598416c] has joined ##openvpn 07:44 < fselo> hi there 07:44 < fselo> is it possible to install openvpn server on mac os x ? 07:45 < fselo> is there anyone here ? 07:48 -!- fselo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-3a480b1a2598416c] has quit [Client Quit] 08:03 -!- j-a-b-b-a [n=Jabba@frnk-5f751312.pool.einsundeins.de] has joined ##openvpn 08:27 * ecrist is hung over... 08:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:29 < onats> from? 08:29 < ecrist> Jaegermeister + Red Bull 08:29 < ecrist> went to bed 4 hours ago. got up an hour ago. 08:30 < ecrist> got up for a good reason though - wife was on her way to work and needed some attention before she left. 
;) 09:01 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 09:21 -!- Roman123 [n=Roman123@83-65-131-245.static.xdsl-line.inode.at] has quit ["Leaving"] 09:24 * ecrist goes and tears down his network. --- Log closed Sun Mar 01 09:41:48 2009 --- Log opened Sun Mar 01 09:41:52 2009 09:41 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 09:41 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal] 09:42 -!- Irssi: Join to ##openvpn was synced in 13 secs 10:01 < ecrist> grr. I just VLANd myself out of my management interface on my new switch. 10:01 < ecrist> rawr 10:01 * ecrist goes and hooks up serial console 10:17 < ecrist> 10:27 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 11:00 -!- nemysis [n=nemysis@80-233.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 11:00 -!- nemysis [n=nemysis@183-238.1-85.cust.bluewin.ch] has joined ##openvpn 11:01 * ecrist cheers for firmware upgrades 11:13 < rdz> hi all. i am very new to openvpn and i would like to achieve the following setup: openvpn server on win xp, which bridges the clients to the local network. all clients are also running win xp. i would like the bridge to be as simple and as transparent as possible, the whole traffic of the clients can go over the server, no additional routing should be necessary. there is lots of documentation, many examples are out there, but often they are not verbose enough for my limited knowledge. also often they use features that i don't know what they are used for and/or i don't know how to use them (for instance, how to create the certificates). any hints are very welcome. 
--- Log closed Sun Mar 01 11:24:21 2009 --- Log opened Sun Mar 01 11:24:23 2009 11:24 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 11:24 -!- Irssi: ##openvpn: Total of 58 nicks [0 ops, 0 halfops, 0 voices, 58 normal] 11:24 -!- Irssi: Join to ##openvpn was synced in 12 secs 11:27 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 11:27 < reiffert> foo 11:40 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 11:48 -!- aowron [n=overkord@h28n1fls308o1114.telia.com] has left ##openvpn [] 11:56 < ecrist> beans 12:03 -!- Roman123 [n=Roman123@85-124-225-130.work.xdsl-line.inode.at] has joined ##openvpn 12:06 -!- rodpod [n=rod@hick.org] has quit [Remote closed the connection] 12:06 < Roman123> back home 12:06 < Roman123> hi 12:28 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 12:41 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 13:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:18 < ecrist> hey krzee 13:18 < ecrist> new switch is the sexy 13:19 * krzee rubs his nipple and the gigaswitch at the same time 13:23 < reiffert> :) 13:24 < ecrist> I got a Linksys SRW2024 13:25 < ecrist> I was disappointed at first, the web interface was shoddy and activex-ish, and no SNMP. 13:25 < ecrist> but, I found a firmware update, got rid of activex controls and gave me SNMP 13:25 < ecrist> :) 13:25 < reiffert> my facsimile is stronger than your mobile. 13:26 < krzee> hah 13:27 * ecrist goes back to couch to continue being sick. 13:27 < krzee> sick? 13:27 < krzee> that sucks 13:27 < krzee> get well soon! 
13:36 -!- j-a-b-b-a [n=Jabba@frnk-5f751312.pool.einsundeins.de] has quit [Client Quit] 13:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:18 -!- alien8 [n=alien@indigo.alien8.org] has left ##openvpn [] 14:30 -!- mib_gh2mp1 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-9e4366f9f2f78096] has joined ##openvpn 14:32 < mib_gh2mp1> hi there 14:32 < mib_gh2mp1> i try to follow this tutorial 14:32 < mib_gh2mp1> http://doc.ubuntu-fr.org/openvpn` 14:32 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 14:33 < mib_gh2mp1> http://doc.ubuntu-fr.org/openvpn 14:33 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 14:33 < mib_gh2mp1> but i try to do on a mac os x 14:36 -!- Roman123 [n=Roman123@85-124-225-130.work.xdsl-line.inode.at] has quit ["Leaving"] 14:38 < mib_gh2mp1> is there anyone here ? 14:40 < mib_gh2mp1> hello 14:46 -!- mib_gh2mp1 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-9e4366f9f2f78096] has left ##openvpn [] 15:20 -!- bandini [n=bandini@host24-109-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 15:31 -!- mib_v5ncqcge [i=4570e460@gateway/web/ajax/mibbit.com/x-9e32c2be36141eff] has joined ##openvpn 15:31 -!- mib_v5ncqcge [i=4570e460@gateway/web/ajax/mibbit.com/x-9e32c2be36141eff] has left ##openvpn [] 15:32 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn 15:33 < cscho0415> hello i am trying to install on centos 4.5 and i get this error: 15:33 < cscho0415> liblzo.so.1 is needed by openvpn-1.6.0-1.1.fc3.rf.i386 15:33 < cscho0415> any help? 
15:37 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit [] 16:13 -!- Bushmill- [n=nnnnl@verhau.de] has joined ##openvpn 16:37 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn 16:49 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 17:00 < reiffert> Hi Bushmill- 17:10 < krzee> To the security guy: 17:10 < krzee> You guys really should not leave open writeable shares, especially on a WEP network. 17:10 < krzee> I am a friend, so don't worry... but bad people could do bad things very easily. 17:10 < krzee> I would also change the router's password off of the default 17:10 < krzee> =] 17:10 < krzee> My recommendation is to change to WPA encryption just for the reception network, and to use a multiple-word passphrase. For example, you could make it "This is Aquavit" 17:10 < krzee> Then you could leave the shares open without being at such risk. 17:10 < krzee> -Jeff 17:11 < krzee> that is now on the reception desktop in a dir named README 17:12 < reiffert> Teaching 3rd world getting any better? 17:12 < krzee> lol 17:13 < krzee> im in peru right now 17:13 < krzee> not sure if this is 3rd world or not 17:14 < cscho0415> hello i am trying to install on centos 4.5 and i get this error: 17:14 < cscho0415> liblzo.so.1 is needed by openvpn-1.6.0-1.1.fc3.rf.i386 17:15 < krzee> tried installing lzo? 17:15 < cscho0415> cant find for centos 4.5 17:15 < krzee> http://www.google.com/search?q=centos%20lzo 17:15 < vpnHelper> Title: centos lzo - Google Search (at www.google.com) 17:15 < krzee> looks rather easy to find for me 17:16 < cscho0415> do they work for 4.5 17:16 < krzee> but i dont use linux really 17:16 < krzee> *shrug* 17:16 < reiffert> According to government sources, poverty is projected to be reduced to under 10% in eight years [3], and the President Alan Garcia has stated that by this time Peru will cease to be a third world nation. 
17:16 < reiffert> wiki 17:16 < krzee> even if i used linux it wouldnt be one of those redhats 17:16 < krzee> but dazo is our resident redhat expert i believe 17:17 < krzee> you could always compile without compression and not need lzo 17:17 < krzee> or use a package manager that knows how to deal with dependencies (assuming thats an option in centos) 17:17 < cscho0415> um 17:17 < cscho0415> ok 17:17 < cscho0415> =p 17:18 < reiffert> krzee: it really looks like he is not installing openvpn from a package manager. 17:18 < krzee> best bet is to google 17:18 < krzee> reiffert, does centos have package managers? 17:18 < reiffert> krzee: but instead sucked a package from google and is trying to convince the package installer. 17:18 < krzee> or just rpm 17:18 < krzee> right 17:18 < cscho0415> i used rpm 17:19 < reiffert> krzee: my wild guess is that every major distribution comes along with a package manager that can resolve such easy tasks... 17:19 < krzee> my google search found it for centos4 hella easy 17:19 < krzee> which makes me wonder how you were looking... 17:19 < reiffert> obviously not by using the package manager. 17:20 < krzee> OH RIGHT 17:20 < krzee> yum 17:20 < krzee> forgot bout that 17:20 < krzee> (which means my efforts to forget it were successful) 17:21 < reiffert> cscho0415: yum list available |grep -i openvpn 17:22 < cscho0415> i have to install yum then =s 17:22 < krzee> could always switch to a real os ;] 17:22 < krzee> lol sorry, im a dick 17:23 < cscho0415> lol 17:23 < krzee> just go grab the rpm from my google search 17:23 < cscho0415> its my first com using linux 17:23 < krzee> i mean hell i even did the search for ya 17:23 < reiffert> wow, it really looks like there is NO openvpn on centos. sigh. 
17:23 < cscho0415> fedora runs on centos reiffert 17:23 < krzee> reiffert, with yum you always need to find the right server to add and lameness like that 17:24 < reiffert> cscho0415: http://www.centos.org/docs/4/ 17:24 < vpnHelper> Title: CentOS-4 Documentation (at www.centos.org) 17:24 < reiffert> especially System Administration Guide 17:24 < reiffert> Paragraph III 17:24 < reiffert> Package Management 17:24 < reiffert> Package Management Tool 17:24 < reiffert> Installing Packages 17:24 < reiffert> Removing Packages 17:25 < krzee> http://www.webhostingtalk.com/showthread.php?t=595436 17:25 < vpnHelper> Title: HOWTO OpenVPN setup guide for FC3, FC4, FC5, CentOS and others,connecting via Windows - Web Hosting Talk - The largest, most influential web hosting community on the Internet (at www.webhostingtalk.com) 17:25 < cscho0415> lol im not that n00b reiffert 17:26 < reiffert> cscho0415: you said it's your first time with linux and it really looks like that you didnt find the docs right now, cause you were asking such questions like a windows guy. 17:26 < cscho0415> no i said that was my first com using linux 17:26 < reiffert> krzee: you missed adding -forum -board to your search terms, eh? 17:26 < cscho0415> and im a mac / freebsd guy 17:26 < cscho0415> im NOT a win guy 17:27 < reiffert> cscho0415: I step back from my previous sentence :) 17:27 < cscho0415> lol 17:27 < cscho0415> =p 17:27 < krzee> reiffert, nah my google gave him rpm for lzo 17:27 < krzee> he could have it installed by now had he used it 17:27 < reiffert> krzee: I doubt that it will keep your system stable for a long time. 17:28 < krzee> ? 17:28 < reiffert> On the other hand I really cant believe centos doesnt come with openvpn itself 17:28 < krzee> it is in yum 17:28 < reiffert> krzee: downloading rpms from unthrusted sources ... uhhh. 17:28 < reiffert> untrusted 17:28 < krzee> If you have CentOS, follow the "additional third party CentOS repos" 
17:28 < krzee> reiffert, oh right 17:28 < krzee> ya ill never need to install a rpm on a box i run anyways 17:29 < krzee> when i go linux i go gentoo 17:29 < reiffert> http://wiki.centos.org/AdditionalResources/Repositories 17:29 < vpnHelper> Title: AdditionalResources/Repositories - CentOS Wiki (at wiki.centos.org) 17:29 < ecrist> evening, folks. 17:29 < cscho0415> g2g thanks for the help 17:29 < krzee> evening ecrist 17:29 < krzee> feeling better? 17:29 < reiffert> I'm stuck to Debian 17:29 < ecrist> a bit, actually. 17:30 < reiffert> He didnt call us pussys, looks still very ill. 17:30 < krzee> see the note i left on reception computer? 17:30 < krzee> hahaah reif 17:30 < ecrist> krzee: I did, yes, I've powered it down. 17:31 < krzee> ahh cool, i meant this one tho: 17:31 < krzee> To the security guy: 17:31 < krzee> You guys really should not leave open writeable shares, especially on a WEP network. 17:31 < krzee> I am a friend, so don't worry... but bad people could do bad things very easily. 17:31 < krzee> I would also change the router's password off of the default 17:31 < krzee> =] 17:31 < krzee> My recommendation is to change to WPA encryption just for the reception network, and to use a multiple-word passphrase. For example, you could make it "This is Aquavit" 17:31 < krzee> Then you could leave the shares open without being at such risk. 17:31 < krzee> -Jeff 17:31 < krzee> in a dir named READ ME on the desktop 17:32 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit [] 17:32 < ecrist> krzee: what WEP network? 
17:32 < krzee> the one im on 17:32 < krzee> in the hotel 17:32 < ecrist> oh 17:32 < krzee> the reception network is WEP 17:32 < reiffert> :) 17:32 < krzee> and has best signal from my room 17:33 < krzee> the owner would have given me the key, but i didnt wanna bug him 17:33 < krzee> so i let myself in 17:33 < krzee> then inet went down so i started looking around 17:33 < krzee> turns out they arent taking security very seriously 17:33 < ecrist> lol 17:33 < krzee> i have access to all kinds of internal docs 17:33 < krzee> but yanno, owner is a buddy 17:34 < krzee> so he wouldnt care 17:34 < ecrist> heh, I thought you were talking about *my* network. 17:34 < krzee> no no 17:34 < krzee> i wont be doing anything of that sort 17:34 < krzee> that would be a violation of your trust 17:34 < ecrist> well, if you do notice anything, let me know. ;) 17:35 < krzee> joogot it 17:35 < ecrist> got hopped up on Jaegermeister and red bull last night. 17:35 < krzee> lol me too 17:35 < ecrist> was up till 4am drunk-dialing people 17:36 < ecrist> including a co worker. felt guilty this morning, tell I looked at the call log and realized we talked for over an hour. 17:36 < krzee> HAHAH 17:36 < ecrist> called him today, he was drunk too. 17:36 < krzee> successful drunk dial! 17:36 < ecrist> +1 ecrist 17:37 < krzee> thats like +10 17:37 < krzee> successful drunk dials are RARE 17:37 < reiffert> :) 17:37 < ecrist> I had a successful reverse drunk-dial, too. started chatting with my brother on FB, asked him to call me. 17:37 < ecrist> he did. 17:37 < ecrist> we only talked for a half our 17:37 < ecrist> hour* 17:39 < krzee> woohoo got nessus updating again 17:39 < krzee> my code had expired it seems 17:40 * ecrist starts production web/db server upgrades. 
17:40 < krzee> they should make the gui aware of that 17:40 < ecrist> 6.3 to 7.1 17:40 < krzee> nice 17:40 < krzee> i like 7 17:41 < ecrist> I don't like the new bridging in 7 17:41 < ecrist> it's more in line with linux, but I didn't mind the sysctl 17:41 < krzee> ahh its not sysctl anymore? 17:41 < krzee> i liked it that way too 17:42 < krzee> whats it now? some app in world? 17:42 < ecrist> part of ifconfig 17:42 < ecrist> bridgeX interface 17:42 < krzee> bleh 17:42 < ecrist> ifconfig bridge0 addm en0 addm sk0 addm en1 17:42 < ecrist> adds en0, en1, and sk0 into a bridge 17:45 < krzee> i wonder why they felt the need to change that 17:48 < ecrist> crap, forgot to build one of the kernels 17:48 < krzee> doh, world and kernel outta sync? 17:49 < krzee> thats never fun 17:53 -!- zamba [i=marius@sveigde.hih.no] has left ##openvpn [] 17:54 * ecrist crosses fingers 17:56 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has joined ##openvpn 17:59 -!- Bushmill- is now known as Bushmills 18:07 -!- d0wn [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out] 18:09 < ecrist> db server is back up and running. 18:09 < ecrist> now gotta wait for the damn kernel to compile on the web server. 
20:06 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: pa, smk, Perun, Maxtehmantus 20:06 -!- Netsplit over, joins: Maxtehmantus, Perun, pa, smk 20:14 -!- Irssi: ##openvpn: Total of 56 nicks [0 ops, 0 halfops, 0 voices, 56 normal] 22:20 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 22:21 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 22:51 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 23:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 23:38 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] --- Day changed Mon Mar 02 2009 00:44 -!- Jason404 [n=eggbean@host86-133-254-187.range86-133.btcentralplus.com] has joined ##openvpn 00:45 -!- Jason404 [n=eggbean@host86-133-254-187.range86-133.btcentralplus.com] has quit [Client Quit] 01:01 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Remote closed the connection] 01:01 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has joined ##openvpn 01:16 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 01:42 -!- tjz|lunch [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 02:45 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 03:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:28 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-df3ec362ca1415e2] has joined ##openvpn 03:31 < Boulate> Hi all! 
I just have a little question : I try to configure an OPENVPN, authentication seems to be ok, tun0 is mounted on the server, but when I start the client, I have no dev tun0 in my ifconfig :( (lsmod tun0 is ok) 03:32 -!- c64zottel [n=hans@p5B17B5AB.dip0.t-ipconnect.de] has joined ##openvpn 03:35 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 03:50 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-df3ec362ca1415e2] has quit ["http://www.mibbit.com ajax IRC Client"] 03:55 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 04:00 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-523e3ca2ab5c9600] has joined ##openvpn 04:00 < Boulate> Hi all (again ;)) Still no "tap0" in my ifconfig (debian client), and the logs say : TCP connection established with xxx:xxx:xxx:xxx : xxx 04:01 < Boulate> did you already have this problem ? 04:03 < dazo> Boulate: from topic: "We need !configs and !logs" 04:03 < dazo> !configs 04:03 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:03 < dazo> !logs 04:03 < vpnHelper> dazo: "logs" is please pastebin your logfiles from both client and server with verb set to 6 04:05 < Boulate> ok ;) 04:48 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 04:52 -!- krzee [n=k@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 05:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:57 -!- Boulate [i=5c662730@gateway/web/ajax/mibbit.com/x-523e3ca2ab5c9600] has quit ["http://www.mibbit.com ajax IRC Client"] 06:16 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)] 06:29 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined 
##openvpn 06:41 -!- c64zotte1 [n=hans@p5B17A1E5.dip0.t-ipconnect.de] has joined ##openvpn 06:55 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)] 06:56 -!- c64zottel [n=hans@p5B17B5AB.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:10 -!- mikkel_ is now known as mikkel 07:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:13 -!- Solver [n=robert@99.229.28.193] has joined ##openvpn 07:30 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Read error: 60 (Operation timed out)] 07:30 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 08:12 -!- nemysis [n=nemysis@183-238.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 08:13 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has joined ##openvpn 08:24 < ecrist> morning, fuckers 08:25 < reiffert> ecrist is back :) 08:25 < ecrist> lol 08:38 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 08:39 < tjz|lunch> lol 08:39 -!- tjz|lunch is now known as tjz 08:42 -!- brutuz [n=brutuz@ip67-88-58-242.z58-88-67.customer.algx.net] has quit ["Leaving"] 10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:33 -!- mike_electron [n=ErrolB@de1-as5172.alshamil.net.ae] has joined ##openvpn 10:35 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 10:44 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 60 (Operation timed out)] 10:59 -!- nachox [n=imarambi@200.68.83.121] has joined ##openvpn 10:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:59 < krzee> !authpass 10:59 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or 
to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 11:00 < nachox> guys, is it possible to setup 2 vpns (2 server.conf like files) listening in the same port? i basically need for them to use one or the other based on the certificate 11:01 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 11:04 < krzee> same port, only if diff protocol 11:04 < krzee> what are you trying to accomplish? 11:09 < nachox> different protocol? 11:09 < dazo> nachox: tcp/udp 11:09 < nachox> ohh 11:09 < dazo> nachox: but why? 11:10 < nachox> i have a couple of networks here and i want people to connect to one of them depending on the certificate they present 11:10 < nachox> username would do too i guess 11:10 < nachox> but certificate would be better 11:10 < dazo> nachox: which OS are you on? 11:10 < nachox> debian 11:11 < nachox> but windows clients would be connecting to it 11:11 < dazo> nachox: oki ... have a look at http://www.eurephia.net/ .... this can change iptables access for each VPN client based on username/cert 11:11 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 11:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:12 < dazo> nachox: or else it's either different protocol, port or IP which will give you the possibility to do this 11:12 < nachox> i seem thanks guys 11:13 < nachox> *i see 11:13 < dazo> nachox: you can also checkout --client-config-dir 11:14 < dazo> nachox: I use --client-config-dir together with eurephia .... and depending on username/cert ... I push separate routes via a special config for each user ... 
and I control the access in addition with iptables 11:15 < nachox> thanks, i'll read about that plugin you showed me, it seems like the most flexible idea 11:24 < nachox> dazo, ok, the plugin you told me about requires an SQLite db where the usernames that authenticate against it are, i cannot do that since i'm using kerberos/AD to authenticate users 11:24 < dazo> nachox: ouch 11:25 < dazo> nachox: then you have only --client-config-dir left 11:25 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:25 -!- c64zottel [n=hans@p5B17A104.dip0.t-ipconnect.de] has joined ##openvpn 11:26 < sigmonsays> How do you see who is connected to ur openvpn? 11:27 < dazo> sigmonsays: which openvpn version? 11:28 < sigmonsays> 2.1 11:28 < reiffert> sigmonsays: I evaluate status.log 11:28 < dazo> sigmonsays: if you have enabled management interface, you can check it via that (only in 2.1) .... log files ... or netstat 11:28 < reiffert> --status file [n] 11:28 -!- elshaa [n=elshaa@o.es6.aedgency.net] has quit ["leaving"] 11:28 < sigmonsays> reiffert, Nice! 11:29 < sigmonsays> exactly what I was looking for 11:29 * sigmonsays inherited a openvpn setup. still poking around 11:29 < reiffert> sigmonsays: check this out 11:29 < reiffert> !howto 11:29 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:29 < sigmonsays> awesome 11:31 < reiffert> sigmonsays: http://openvpn-web-gui.sourceforge.net/ might be intresting. 
11:31 < vpnHelper> Title: OpenVPN Web GUI 0.3.x (at openvpn-web-gui.sourceforge.net) 11:31 < nachox> dazo, i dont think that'll do either, my plugin line is using the default plugin already and i cant change it if i want kerberos via pam to still work 11:31 < sigmonsays> I don't like gui's but glad it exists 11:37 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)] 11:38 < sigmonsays> is there a cli reporting tool that parses openvpn status? 11:39 -!- c64zotte1 [n=hans@p5B17A1E5.dip0.t-ipconnect.de] has quit [Connection timed out] 11:40 < reiffert> sigmonsays: check out the openvpn management stuff 11:40 < sigmonsays> word 11:40 < reiffert> HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Duration 11:40 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 11:41 < reiffert> Doesnt look too complicated using cat/less/more 11:45 < sigmonsays> i have a whole slew of things i'd like to do ;) 11:45 < sigmonsays> seems the telnet ui / web page is suitable 11:46 -!- mike_electron [n=ErrolB@de1-as5172.alshamil.net.ae] has left ##openvpn [] 11:49 -!- nachox [n=imarambi@200.68.83.121] has quit ["Saliendo"] 12:09 < sigmonsays> *sigh* the gui just gives me "the openvpn server has no status file" but i've fixed all errors in the logs. 12:09 < sigmonsays> anyone run this with 2.1 ? 12:16 < sigmonsays> man this script is crap 12:24 < sigmonsays> Ugh. It doesn't even work w/ the newest version as the status headers have changed 12:24 < sigmonsays> Am I looking in the right place? obviously nobody uses the gui..... 12:34 < sigmonsays> ahh. multiple versions of status-file 12:48 < Gabriel25ny> sigmonsays look at webmin and webmin module for openvpn 12:48 < Gabriel25ny> I use the gui from ... 
webmin when I am lazy :)) 12:49 < sigmonsays> well there is stuff that's only doable in the telnet ui 12:49 < sigmonsays> i suppose I could do that 12:49 < sigmonsays> but I am doing this mostly for other people =) 12:50 < Gabriel25ny> sigmonsays then use webmin with openvpn modules 12:50 < sigmonsays> I hate webmin! 12:50 < ecrist> webmin is the devil 12:50 < Gabriel25ny> really easy ... to create ca client config 12:50 < sigmonsays> I shoulda RTFM 12:50 < Gabriel25ny> ecrist ... why are u saying that ? 12:51 < ecrist> its code base is too messy, and module interactive works by accident. 12:51 < ecrist> :) 12:51 < Gabriel25ny> LOL 12:52 < ecrist> s/interactive/interaction/ 12:52 < Gabriel25ny> Well well I am using webmin for samba config and openvpn ... and I never had a problem .. 12:52 < Gabriel25ny> but I start webmin when I need it 12:52 < ecrist> Gabriel25ny: without trying to insult, GUIs are for dweebs 12:52 < Gabriel25ny> rest of the time the service is stopped 12:52 < ecrist> in terms of administering systems, anyways 12:53 < Gabriel25ny> ecrist ... you are right ... but when you have a lot of servers ... 12:53 < Gabriel25ny> then u have to think about ... 12:53 < ecrist> I *do* have a lot of servers, that's when LDAP comes in. 12:53 < Gabriel25ny> I can`t say to a client ... ssh in the box ... and do useradd lalala 12:54 < Gabriel25ny> then so smbpasswd -a lalala 12:54 < Gabriel25ny> and then go and edit /etc/samba/smb.conf 12:54 < ecrist> again, all done with LDAP 12:54 < Gabriel25ny> etc 12:54 < ecrist> :) 12:54 < ecrist> and I wrote a little PHP front-end for my dweebs, erm, coworkers. 12:56 < Gabriel25ny> Most of my customers are small business ... 12:56 < Gabriel25ny> and they have a server ... with openvpn samba ... etc 12:57 < Gabriel25ny> but if they need a new folder to share ... then they use ... webmin ! 12:57 < sigmonsays> webmin is the last thing u want when u have lots of servers 12:58 < Gabriel25ny> sigmonsays I have 100 customers ... 
and they have a server each ... I don`t want to be bother for "can i crate a new share folder, can I add another user 13:01 < sigmonsays> i'm definitely not happy w/ the webgui 13:01 < Gabriel25ny> yu because u know .... 13:01 < Gabriel25ny> ask your girlfrind ... to add a user in samba ... and give 755 permision to a folder :)) 13:01 < Gabriel25ny> :D 13:02 < sigmonsays> hehe 13:04 < Gabriel25ny> :)) 13:04 < Gabriel25ny> U got my point :) 13:05 < Gabriel25ny> I look like an idiot when I use GUI ... 13:05 < Gabriel25ny> because sometimes I have no idea what is that :) 13:05 < Gabriel25ny> but for people that they have no idea ... is good :) 13:05 < Gabriel25ny> few clicks away :) 13:11 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 13:22 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 13:33 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal] 14:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:20 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has joined ##openvpn 14:37 -!- magic_1 [n=magic_1@unaffiliated/magic1/x-836121] has joined ##openvpn 14:39 < magic_1> hi guys some help would be greatly appreciated 14:39 < magic_1> how would i test my conf from command line 14:39 < ecrist> what do you mean? 
14:39 < magic_1> well i havent got access to my webmin front end
14:40 < magic_1> you know how you would do a test before you would apply
14:41 < magic_1> well i only have ssh access to my server, however last thing i need is for it to crash
14:41 < magic_1> and i cant lose access at the moment
14:42 < magic_1> that would be the reason i would like to test
14:42 < magic_1> thanks guys for any help
14:44 < magic_1> i am not sure if safe-restart is going to do what is needed though
14:46 < magic_1> i have googled however i am just too worried at the moment to take any chances, really cant afford to lose connection if it fails
15:04 < magic_1> any thoughts
15:05 < magic_1> see the thing is i am trying to get openvpn setup
15:07 < magic_1> not keen to do shorewall restart
15:10 < reiffert> !howto
15:10 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:13 < magic_1> i have read it
15:13 < magic_1> thanks though
15:14 < magic_1> the openvpn part is not the problem
15:14 < reiffert> but?
15:14 < magic_1> just not sure of the command line commands i should use
15:15 < reiffert> beg your pardon?
15:15 < magic_1> i am not sure of the cmd line command that is needed to test the rules set before applying them
15:16 < reiffert> which ruleset?
15:17 < magic_1> well i created the rules that i wanted, now i usually use the webmin interface for shorewall
15:17 < magic_1> however i have only got cmd access at the moment
15:18 < magic_1> in the gui there is a "test" function that will check your rules before you can apply them
15:19 < reiffert> magic_1: better apply to a shorewall helper community.
15:19 < reiffert> #openvpn is about openvpn and not about rulesets nobody knows.
15:19 < magic_1> true thanks
15:20 < magic_1> guys i must apologize i have been in the wrong window
15:21 -!- BATHORY [n=kleber@189.56.9.50] has joined ##openvpn
15:21 < BATHORY> hi
15:22 < BATHORY> somebody already have this error SIGUSR1[soft,tls-error] received, client-instance restarting
15:36 < reiffert> openvpn caught a signal.
15:36 < reiffert> signal name: USR1
15:36 < reiffert> read what USR1 is about here:
15:36 < reiffert> !man
15:36 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:23 < magic_1> hi guys im back, however this time it is an openvpn question, the vpn is up and running however for some reason i cannot access any of the hosts within the network
16:23 < magic_1> as before any help is greatly appreciated
16:25 -!- BATHORY [n=kleber@189.56.9.50] has quit ["Leaving"]
16:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:28 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["Leaving"]
16:29 -!- c64zottel [n=hans@p5B17A104.dip0.t-ipconnect.de] has quit ["Leaving."]
16:51 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: dijital1, Feltenix, higuita, imachine, eagle, onats1, sigmonsays, bandini, magic_1, Typone
16:51 -!- Netsplit over, joins: magic_1, dijital1, bandini, eagle, onats1, imachine, higuita, Feltenix, sigmonsays, Typone
16:52 -!- worch_ [i=worch@battletoad.com] has joined ##openvpn
16:55 -!- ropetin_ [n=ropetin@mail.sohoemailsolutions.com] has joined ##openvpn
16:56 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: higuita, dijital1, bandini, eagle, magic_1, imachine, Typone
16:56 -!- _vcs [i=vcs@alien.jinxshells.com] has joined ##openvpn
16:56 -!- vcs [i=vcs@alien.jinxshells.com] has quit ["changing servers"]
16:56 -!- _vcs is now known as vcs
16:56 -!- stephenh_ [i=stephenh@69.30.200.88] has joined ##openvpn
16:56 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- worch [i=worch@battletoad.com] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
16:57 -!- Netsplit over, joins: magic_1, dijital1, bandini, eagle, imachine, higuita, Typone
16:58 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: clustermagnet, vcs, mkultras, blaxthos, dazo, disco-, d0wn_, krzie_, pa, kaii, (+19 more, use /NETSPLIT to show all of them)
16:59 -!- Netsplit over, joins: stephenh_, vcs, Solver, smk, pa, Perun, Maxtehmantus, d0wn_, Bushmills, reiffert (+11 more)
16:59 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
16:59 -!- Netsplit over, joins: meturaf, huslu, hads, kaii, troy-, vpnHelper, hardwire
17:53 < reiffert> Bushmills: ping
18:20 -!- Feltenix [n=Tanstaaf@adsl-074-166-075-102.sip.asm.bellsouth.net] has left ##openvpn []
18:30 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
18:31 < hardwire> pong
18:33 -!- ropetin_ [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 145 (Connection timed out)]
19:29 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
19:33 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has joined ##openvpn
20:05 * dvl announces http://twitter.com/bsdcan
20:41 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Operation timed out]
20:42 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has joined ##openvpn
20:50 * ecrist follows
22:08 < dvl> ecrist: heh, sorry, I didn't mean to spam that here.
23:28 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Read error: 60 (Operation timed out)]
23:28 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has joined ##openvpn
--- Day changed Tue Mar 03 2009
00:46 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
01:50 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
02:11 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
02:32 -!- BlackDex [n=opera@213.144.231.91] has joined ##openvpn
02:41 < BlackDex> Hello there
02:41 < BlackDex> i am trying to set up an OpenVPN server
02:41 < BlackDex> and i cant seem to get my client to connect
02:41 < BlackDex> here is the log and config
02:41 < BlackDex> http://pastebin.com/m642be26a
02:42 < dazo> BlackDex: have you tried to remove --client-config-dir from your config?
02:43 < BlackDex> nope
02:43 < BlackDex> i will try that
02:44 < dazo> BlackDex: try to read the error messages you get ... they are really obvious when you first spend some time reading them through
02:45 < BlackDex> hmm when i remove it i get the following Options error: --ccd-exclusive must be used with --client-config-dir
02:45 < BlackDex> so removing is not an option
02:46 < dazo> BlackDex: well, that just tells you that you have an issue with user configs which are supposed to be located under the --client-config-dir
02:46 < dazo> "--client-config-dir authentication failed for common name 'myname' file='/etc/openvpn/servers/Org/ccd/myname'"
02:47 < BlackDex> aha
02:47 < BlackDex> hmm
02:47 < dazo> do you have this file? /etc/openvpn/servers/Org/ccd/myname ... is it a valid config file?
02:47 < BlackDex> thx for pointing me in the right direction :)
02:47 < BlackDex> there are no files in that folder
02:48 < dazo> try adding an empty file
02:48 < BlackDex> i see that i missed an important step :S
02:48 < BlackDex> creating clients
02:48 < BlackDex> i only created a cert
02:49 < dazo> mm ... as I said .... error messages are not that unclear, and you even highlighted this error message for me
02:50 < BlackDex> i think i was looking too fast
02:54 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
03:08 < BlackDex> hmm it now goes a few steps further
03:09 < BlackDex> but now i get the following error message: Assertion failed at crypto.c:162
03:09 < BlackDex> in the server log
03:12 < dazo> BlackDex: uhh ... assertions are never good ... that's a bug, actually .... which version are you using?
03:13 < BlackDex> ah fixed :)
03:14 < BlackDex> had something to do with the cipher which is not supported on the server or the client
03:14 < BlackDex> selected another cipher, one with CBC and now it works
03:15 < dazo> BlackDex: hmmm ... but that should rather give a normal error message and not an assertion .... assertions are caught when an error is not handled
03:15 < dazo> (if properly written, of course)
03:17 < BlackDex> has something to do with ubuntu/debian
03:24 < dazo> hmm
03:35 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
04:15 -!- imachine [n=imachine@2002:8110:8acb:0:0:0:0:1] has quit ["rboot! once in 584 days ;]"]
04:23 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
04:34 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
04:34 < _jack--> can somebody guide me how to setup and configure vpn in linux?
05:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
05:37 < nemysis> I have OpenVPN compiled with "pam passwordsave ssl threads"; is iproute2 needed for Server and Clients with dynamic IP Address?
05:40 < _jack--> nemysis: i want to simply configure OpenVPN in linux server... and if possible authentication with my ldap server
05:41 < _jack--> nemysis: have you any idea?
05:42 < nemysis> _jack-- I am new to OpenVPN
05:43 < _jack--> nemysis: me too...
05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:00 < dazo> !howto
06:00 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:00 -!- nemysis [n=nemysis@43-55.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
06:00 < dazo> _jack--: nemysis: ^ ^ ^
06:01 -!- nemysis [n=nemysis@189-114.3-85.cust.bluewin.ch] has joined ##openvpn
06:14 < _jack--> dazo: can you suggest me?
06:14 < _jack--> dazo: how to install and configure?
06:15 < dazo> _jack--: I will just tell you the same which is in the howto ... so I'd prefer you to read that instead of having me quoting the howto .... much more efficient for both of us
06:15 < dazo> _jack--: you can also google "openvpn tutorial" ... you might find some nice articles from Linux Magazine or Linux Journal which can also help you out
06:34 < _jack--> dazo: ok thanks
06:36 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:25 < ecrist> good morning
07:26 < dazo> good morning!
07:56 < nemysis> good morning
07:56 < ecrist> hola
07:57 < nemysis> dazo Could You help me with dynamic IP Address on Server and Client
07:58 < dazo> nemysis: would like to, but I have a meeting in a few minutes and need to get prepared for it ... might be others here on the channel as well which might manage that
07:59 < nemysis> good have a good Meeting
08:00 < ecrist> nemysis: what is your problem?
08:00 < nemysis> I make new config for OpenVPN and not use it now
08:04 < ecrist> I don't understand.
08:23 < BlackDex> hello again
08:23 < BlackDex> i now have the vpn working, and i can access the samba share on the same server
08:23 < ecrist> gratz
08:25 < BlackDex> now we also have a network printer located on the local network
08:25 < BlackDex> which is normally accessible by 10.0.0.100
08:26 < BlackDex> i have added a route in the vpn to route all "10.0.0.0 255.255.255.0" traffic to the vpn
08:26 < BlackDex> but i can't access the printer with 10.0.0.100
08:26 < BlackDex> what am i doing wrong?
08:26 < ecrist> you need routes in both directions
08:26 < ecrist> !route
08:26 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
08:26 < ecrist> read that
08:26 < BlackDex> ah k :)
08:26 < BlackDex> i will look at that
08:44 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
08:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
08:46 -!- dazo [n=dazo@nat/redhat/x-294cdbb7902a7605] has quit [Read error: 104 (Connection reset by peer)]
08:46 -!- dazo [n=dazo@nat/redhat/x-0459cfa7ce609b71] has joined ##openvpn
09:09 -!- BlackDex [n=opera@213.144.231.91] has quit [Read error: 104 (Connection reset by peer)]
09:23 -!- BATHORY [n=kleber@189.56.9.50] has joined ##openvpn
09:50 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn
09:50 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection]
10:08 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:15 -!- rubydiamond [n=rubydiam@123.236.183.187] has joined ##openvpn
10:16 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
10:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:27 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:11 -!- mkultras_ [n=scotth@208.98.242.129] has joined ##openvpn
12:23 -!- d0wn_ [n=d0wn@cpe-24-164-89-205.woh.res.rr.com] has quit [Connection timed out]
12:25 -!- mkultras [n=scotth@unaffiliated/mkultras] has quit [Read error: 110 (Connection timed out)]
12:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:29 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has joined ##openvpn
12:35 -!- _Sam-- [n=sam@fresco.kneedraggers.com] has quit ["Read error: 2.71828182846 (Excessive e)"]
13:04 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn
13:04 < Akuma> hello, I managed to connect to the openvpn I have access to, but I cannot navigate the net
13:04 < Akuma> anyone know how I can solve this?
13:09 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
13:13 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:14 -!- BlackDex [n=opera@93-125-176-168.dsl.alice.nl] has joined ##openvpn
13:19 < BlackDex> Hello again
13:19 < skx> I am considering getting a VPS with Debian, probably on openvz or sth like that -- what needs to be enabled by the provider for openvpn server to work on that configuration?
13:19 < BlackDex> i have setup a VPN
13:19 < skx> tun or tap module?
13:20 < BlackDex> i can connect to the samba share on that same server
13:20 < BlackDex> but not to any other computer/router/access-point
13:20 < BlackDex> This is the config: http://pastebin.com/d40c23b13
13:21 < skx> BlackDex, what system, bridging or routing?
13:21 < skx> I had the same problem with bridging on bsd, have not yet resolved that
13:21 < BlackDex> routing
13:21 < skx> add appropriate routes
13:21 < BlackDex> i think i have all i need
13:21 < skx> and no, I don't know what these should be ;)
13:21 < BlackDex> :p
13:21 < BlackDex> darn :)
13:22 < BlackDex> i just need one route as far as i know
13:22 < BlackDex> 10.0.0.0 255.255.255.0
13:22 < skx> is the machine you run openvpn server on also a gateway for the (real, physical) network?
13:22 < skx> gateway/router/whatever
13:23 < BlackDex> it is not the gateway
13:23 < skx> that's probably the problem
13:23 < BlackDex> it serves as DHCP server and file/web server
13:23 < skx> but I haven't resolved that one either ;)
13:23 < BlackDex> hmm
13:24 < skx> ok, back to my question ;)
13:24 < skx> I am considering getting a VPS with Debian, probably on openvz or sth like that -- what needs to be enabled by the provider for openvpn server to work on that configuration?
13:24 < skx> only tap or tun?
13:25 < skx> anybody? ;)
13:27 < Akuma> hello, I managed to connect to the openvpn I have access to, but I cannot navigate the net
13:27 < Akuma> how would I go about solving this problem?
13:36 -!- Typone [n=nnnnnits@195.197.184.87] has quit ["Terminated with extreme prejudice - dircproxy 1.1.0"]
13:37 < ecrist> ugh, this bug is kicking my ass.
13:39 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn
13:49 -!- c64zottel [n=hans@p5B17AC3F.dip0.t-ipconnect.de] has joined ##openvpn
13:50 -!- c64zottel [n=hans@p5B17AC3F.dip0.t-ipconnect.de] has left ##openvpn []
13:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)]
14:02 < reiffert> ecrist: still updating BSD?
14:02 < ecrist> no, still sick.
14:03 < reiffert> :(
14:04 < reiffert> Get well soon!
14:04 < ecrist> my wife is funny. I'm not one to go to the doctor, but she got me to go anyway. Kid has an appt tomorrow, she asked them to schedule me one at the same time (the three of us use the same doc)
14:04 < ecrist> hoping she'll give me good drugs tomorrow.
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:55 -!- Gumbler is now known as Gumbler|NotHere
14:55 -!- Gumbler|NotHere is now known as Gumbler
15:32 -!- BlackDex [n=opera@93-125-176-168.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
16:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:29 -!- BATHORY [n=kleber@189.56.9.50] has quit ["Fuisss"]
16:44 < Roman123> hi
16:56 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:03 -!- soberbit [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
18:07 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
19:40 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Remote closed the connection]
19:41 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn
20:11 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
20:13 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
20:21 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)]
20:21 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
--- Day changed Wed Mar 04 2009
00:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:30 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
00:31 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
00:35 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
00:38 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
00:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:52 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)]
01:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
01:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:10 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has joined ##openvpn
02:11 -!- nemysis [n=nemysis@189-114.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
02:11 -!- BlackDex [n=opera@213.144.231.91] has joined ##openvpn
02:11 < BlackDex> Hello again.
02:12 -!- nemysis [n=nemysis@213-76.3-85.cust.bluewin.ch] has joined ##openvpn
02:12 < BlackDex> I'm having problems with connecting to remote pc/printers through the vpn
02:13 < BlackDex> i can only connect to the server where the vpn is connected on
02:13 < BlackDex> where the vpn is located on
02:13 < BlackDex> i have disabled the firewall etc..
02:13 < BlackDex> changed gateways, added routes to the router etc...
02:13 < BlackDex> what am i missing
02:14 < hads> ip forwarding?
02:14 < dazo> Akuma: Try checking out if you are using redirect-gateway ... looks like your default gateway goes away ... or another issue can also be that you push DNS server with an IP address which is not available for you
02:15 < dazo> BlackDex: is that remote pc/printer behind the openvpn server or openvpn client?
02:16 < dazo> BlackDex: I'd check out /proc/sys/net/ipv4/ip_forward .... it should be set to 1 as well
02:16 < BlackDex> ill explain it a bit
02:17 < BlackDex> we have a local LAN (10.0.0.0 255.255.255.0)
02:17 < BlackDex> the server where samba, vpn, web/ftp etc is located on is on 10.0.0.10
02:17 < BlackDex> the printer (with web interface) is located on 10.0.0.100
02:18 < BlackDex> there is also a route located on 10.0.0.254
02:18 < BlackDex> route = router/modem
02:18 < BlackDex> all services located on the server itself (10.0.0.10) are accessible
02:19 < BlackDex> through VPN that is
02:19 < BlackDex> everything else on the local LAN can't be reached
02:19 < BlackDex> no ping etc...
02:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:21 < dazo> BlackDex: oki ... where is the openvpn server located on the network, on the LAN's default gateway? Or is it inside, as a separate server on the LAN?
02:21 < BlackDex> a separate server on the LAN
02:21 < BlackDex> the router acts as gateway
02:22 < BlackDex> i also added a route to the router which routes 10.0.1.0 to 10.0.0.10
02:22 < BlackDex> but the ip_forward is currently set to 0
02:22 < hads> It needs to be 1
02:22 < dazo> BlackDex: try to flip that switch ;-)
02:22 < BlackDex> what does it do?
02:23 < hads> Forwards IP traffic :)
02:23 < dazo> BlackDex: it enables the kernel to forward IP traffic between interfaces
02:23 < BlackDex> do i only need to change it, and then its done?
02:23 < BlackDex> no services restart or something?
02:24 < dazo> BlackDex: nope, it's all in the kernel space
02:24 < BlackDex> whoho :P
02:24 < BlackDex> lets try
02:24 < dazo> BlackDex: you might want to edit /etc/sysctl.conf to make it reboot-proof
02:25 < dazo> but you'll need to flip it manually, or to reload the config with the sysctl command (forgot the proper options now)
02:26 < dazo> probably sysctl -p or something
02:27 < BlackDex> ah.. with the printer having the gateway set to 10.0.0.10 it works
02:28 < BlackDex> but i can't ping another local computer, because they don't have the 10.0.1.0 route added
02:29 < BlackDex> for example my computer has 10.0.0.2, but i can't ping it through the VPN
02:29 < dazo> BlackDex: does these computer have the default route to your router?
02:29 < dazo> *computerS
02:29 < dazo> (and the router, I presume, does have the 10.0.1.0 route added)
02:31 < BlackDex> the default route of all the computers is that of the router
02:31 < BlackDex> and that router has a route added which redirects 10.0.1.0 to 10.0.0.10
02:32 < BlackDex> i can ping the router
02:35 < dazo> BlackDex: often such routes work ... but quite often, you need to put explicit routes on each client in these situations then
02:36 < BlackDex> any way to push them to the client through dhcp?
02:36 < dazo> BlackDex: I believe it is .... long time ago I configured my last DHCP server .... which DHCP server are you using?
02:36 < dazo> (I'm pretty sure ISC dhcpd supports it)
02:37 < BlackDex> isc-dhcpd-V3.1.1
02:38 < BlackDex> ill go try and look for something to do that :)
02:38 < dazo> BlackDex: why not place the openvpn server on your router?
02:40 < dazo> BlackDex: http://www.ezgr.net/blog/2009/03/03/distributing-multiple-routes-with-isc-dhcpd-and-dnsmasq/
02:40 < vpnHelper> Title: Distributing multiple routes with ISC DHCPd and dnsmasq | Priestjim's Geeklog (at www.ezgr.net)
02:41 < BlackDex> dazo, the router is from my ISP
02:41 < hads> I have seen the same. My home network (OpenWRT and Linux clients) works fine with a route on the default router. A client's office (Netgear router and Windows clients) will not route from VPN clients to the LAN
02:41 < dazo> BlackDex: aha ... then I understand ... and of course, you don't need to have DHCP on the router ..... silly me
02:41 < BlackDex> i could change the gateway address in the DHCP to always use 10.0.0.10
02:42 < dazo> BlackDex: and then let that box route to default gw afterwards ..... hmmm .... might work
02:42 < BlackDex> so all clients use the 10.0.0.10 as a gateway
02:42 < hads> I used a bridged setup for that client to work around the issue.
02:42 < BlackDex> but then, if that server goes down for maintenance or something, there is no internet :p
02:43 < dazo> BlackDex: but that only happens during night, when nobody is on the LAN, right? ;-)
02:44 < BlackDex> mostly yes :)
02:44 < BlackDex> but ill try the DHCP option
02:44 < BlackDex> like it more :)
02:45 < dazo> hads: I've had the same issues in Linux as well many years ago ... but that was back in the 2.0.x kernel series .... I believe that has improved now :)
02:45 < dazo> openwrt (stable) uses 2.4 kernels, I believe ....
02:45 < hads> dazo: I have been blaming the crappy Netgear router but I don't have a Windows box here to test on my LAN
02:46 < hads> OpenWRT uses 2.4 for broadcom devices (WRT54G etc.) and 2.6 for others.
02:46 < dazo> hads: nah, not worth testing .... won't work anyway, will it? ;-) :-P
02:46 < hads> Probably not :)
02:46 * dazo got a WRT54
02:46 * hads too
02:46 < hads> OpenWRT 8.09 was released the other day
02:47 * dazo goes to check that out
02:49 < reiffert> hads: 8.09 brings some nice features but it's broken as hell.
02:50 < hads> Oh yeah? Lucky I haven't upgraded then :)
02:51 < hads> Whatever I'm running currently works well anyway.
02:55 * dazo catches the hint .... stays away a little bit longer
02:57 < hads> What's actually broken out of interest?
03:21 < reiffert> wifi on broadcom to name one. checkout the bug database.
03:28 < BlackDex> well i want to thank you all for helping :)
03:28 < BlackDex> the main machines needed are accessible now
03:29 < dazo> BlackDex: congrats! :)
03:29 < BlackDex> in a few days we get another router which supports static routes, and that should fix the rest :)
03:30 < hads> Thanks.
03:33 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has quit ["Leaving."]
03:34 -!- lyles [n=song@124.161.72.166] has joined ##openvpn
03:35 < hads> I don't think I need to spend my evening looking through OpenWRT's trac.
03:35 -!- lyles [n=song@124.161.72.166] has left ##openvpn []
03:43 -!- BlackDex [n=opera@213.144.231.91] has left ##openvpn []
04:50 -!- onats [n=onats@unaffiliated/onats] has quit [Connection timed out]
05:08 -!- mrfree [n=mrfree@host1-89-static.40-88-b.business.telecomitalia.it] has joined ##openvpn
05:08 < mrfree> hi all
05:09 < mrfree> the openvpn server pushes a default gw... how can I prevent this client-side?
05:41 -!- stintel [i=stijn@madwifi/support/stintel] has joined ##openvpn
05:43 -!- stintel [i=stijn@madwifi/support/stintel] has left ##openvpn []
05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:56 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
06:00 -!- mrfree [n=mrfree@host1-89-static.40-88-b.business.telecomitalia.it] has quit ["Leaving"]
06:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:17 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has joined ##openvpn
08:49 -!- mkultras_ is now known as mkultras
10:34 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:53 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"]
11:16 < nemysis> Hello Can I have on Server and on Client Dynamic IP Address as NOip, DynDNS or must I use on Server static IP Address?
11:17 -!- antoine__ [n=antoine@193.253.141.89] has joined ##openvpn
11:17 < ecrist> nemysis: static IP is ideal, but dynamic IP with dyndns service should be OK.
11:18 < nemysis> thanks
11:18 < antoine__> hello
11:18 < ecrist> hi
11:19 < antoine__> i look information to make vpn with ipsec on ubuntu 8.10 to a Symbian S60V3 mvpn client
11:19 < antoine__> look for
11:19 < ecrist> antoine__: openvpn is not ipsec
11:19 < ecrist> it is ssl
11:19 < antoine__> do i have to use openswan?
11:20 < ecrist> not sure what that is
11:20 < dazo> antoine__: I don't think there even exists an openvpn client for Symbian .....
11:20 < antoine__> i know openvpn is not ipsec protocol
11:20 < dazo> antoine__: openswan or freeswan are both ipsec
11:21 < dazo> antoine__: but I don't know which of them is good or not .... I don't use and have not been forced to use it ... so I've skipped digging into it
11:21 < antoine__> with which tools can i generate a key on my computer for my mobile ipsec client
11:21 * ecrist uses cisco gear for ipsec
11:22 < dazo> antoine__: dunno .... at this channel .... we mostly know about openvpn .... not so much ipsec things ..... maybe try #openswan or #freeswan (if they are here)
11:22 < antoine__> cisco gear is mobile client, if i use this do i have to install vpnc on ubuntu?
11:23 < dazo> antoine__: vpnc is also just a client
11:23 < dazo> antoine__: but, yeah ... if you need a Ubuntu client too
11:24 < antoine__> is it possible to use other protocol vpn client on symbian?
11:25 < dazo> antoine__: if you have the right software, everything is possible ..... but I haven't heard about any openvpn client yet, people have been asking about it on the openvpn-users mailing list ... but nobody has responded with any particular clues
11:25 < antoine__> if i do not use the nokia software mvpn ipsec client, which one do i have to choose?
11:26 < antoine__> ipsec is defined by IETF, what's the difference with openvpn?
11:26 < dazo> antoine__: you'll have to search for it .... but afaik, only ipsec based VPNs exist for Symbian
11:27 < antoine__> have you read it ? http://www.jacco2.dds.nl/networking/linux-l2tp.html
11:27 < dazo> antoine__: it's different in the protocol layer .... and also in implementation .... ipsec needs to have code paths deep into the network layer in the kernel space, while openvpn is a software which does not need anything particular in kernel-space
11:27 < vpnHelper> Title: Using Linux as an L2TP/IPsec VPN client (at www.jacco2.dds.nl)
11:28 < antoine__> which layer?
11:28 < dazo> antoine__: yeah, there exists a lot of l2tp/IPsec for Linux
11:28 < antoine__> transport layer?
11:28 < dazo> antoine__: I don't remember, but it does a lot of things in the kernel space .... which is why I basically do not like ipsec
11:28 < dazo> antoine__: most probably
11:29 < antoine__> humm i am embarrassed
11:29 < dazo> antoine__: and it does this on the interface where the encrypted ipsec traffic goes in and out ....
11:30 < dazo> antoine__: while openvpn is just a user-space software which behaves just like an ordinary network service .... and puts the decrypted traffic into a virtual network interface
11:30 < dazo> antoine__: why embarrassed?
11:33 < antoine__> i am embarrassed because i hoped that it would be easier
11:33 < dazo> antoine__: hmm .... sorry for that
11:34 < dazo> antoine__: but if you really want to go the ipsec path .... try the #openswan channel here
11:36 * dazo vanishes for today
11:39 < antoine__> dazo thanks, you gave me lots of information and i will try to understand all of it
11:48 < antoine__> to resume, only ipsec makes it possible and there is no other without ipsec?
11:48 < antoine__> no other way without ipsec?
11:48 < antoine__> but if i make my own software
11:49 < antoine__> or find it?
11:53 < antoine__> virtual network interface is also called TAP?
12:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
13:10 -!- neuro_damage [n=neuro@nat-vlan200.sat.rackspace.com] has joined ##openvpn
13:21 < antoine__> help to tunnel computer and nokia
13:28 < neuro_damage> so I was curious, I want to setup an openvpn client, I have a config file and a .key file, how do I exec on the config file etc ...
13:32 < antoine__> no SSL client for symbian?
13:33 < antoine__> what's the difference between ssl and ipsec?
14:20 -!- magic_1 [n=magic_1@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 14:20 -!- magic_1 [n=magic_1@41.208.50.160] has joined ##openvpn 14:24 -!- SpiritedBB [n=Spirited@208.50.100.19] has quit [Read error: 110 (Connection timed out)] 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:19 < dvl> antoine__: for you: http://lmgtfy.com/?q=what%27s+difference+between+ssl+and+ipsec%3F 15:19 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 15:19 -!- antoine__ [n=antoine@193.253.141.89] has quit ["Quitte"] 15:49 -!- c64zottel [n=hans@p5B17AD0A.dip0.t-ipconnect.de] has quit ["Leaving."] 17:29 -!- meturaf [i=meshuga@lenin.ww88.org] has quit [Read error: 110 (Connection timed out)] 17:54 -!- meshuga [i=meshuga@lenin.ww88.org] has joined ##openvpn 18:06 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:09 -!- mkultras [n=scotth@unaffiliated/mkultras] has quit [Read error: 110 (Connection timed out)] 18:21 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Connection timed out] 18:23 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:36 -!- Akuma0n4 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 18:38 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 18:51 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 18:56 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 19:01 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has joined ##openvpn 19:02 -!- Akuma0n3 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [SendQ exceeded] 19:11 -!- Akuma0n4 [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 19:12 -!- arzen1013 [i=dce79842@gateway/web/ajax/mibbit.com/x-1d41d6c65478c97f] has joined 
##openvpn 19:15 < arzen1013> Hi all, I have a question , I have a machine as openvpn server not gateway, its vpn IP is: 10.8.0.1, local connection ip is 192.168.1.2, I want to make other LAN machine 192.168.1.6 able to access vpn LAN 10.8.0.1, how to do it? thanks 19:16 -!- Akuma [n=dfsdf@modemcable161.131-21-96.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)] 19:36 < arzen1013> hello, anybody here? 19:55 < arzen1013> hello , anybody here ? 19:55 < arzen1013> I have a question , I have a machine as openvpn server not gateway, its vpn IP is: 10.8.0.1, local connection ip is 192.168.1.2, I want to make other LAN machine 192.168.1.6 able to access vpn LAN 10.8.0.1, how to do it? thanks 20:24 < hads> !route 20:24 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 20:28 < arzen1013> hads: I have read it more than once 20:31 < arzen1013> hads: I can access client LAN from openvpn server machine, but I want to access client LAN from other server LAN machine, I don't know how to add route in gateway 20:45 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 20:47 < xjkx> i ran openvpn --ca (the ca file) --config (the config file) typed user and password, it says "Wed Mar 4 23:55:29 2009 Initialization Sequence Completed" but i open my browser and type for a website that tells my ip and its the same. I am new to this, am i messing something ? 
20:47 < xjkx> missing* 20:49 < xjkx> about my logs, there is nothing you wanna see, except this "Thu Mar 5 00:00:36 2009 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system" 20:55 -!- xjkx [n=x@unaffiliated/xjkx] has quit [Read error: 104 (Connection reset by peer)] 20:56 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 20:56 < xjkx> added a default gw, and now it just doesn't ping 21:06 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn 21:09 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 21:10 -!- xjkx [n=x@unaffiliated/xjkx] has left ##openvpn [] 21:41 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)] 22:33 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 110 (Connection timed out)] 22:47 -!- xjkx [n=x@unaffiliated/xjkx] has joined ##openvpn 22:47 < xjkx> anyone there ? i've asked some hours ago 22:57 -!- nemysis [n=nemysis@213-76.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 22:58 -!- nemysis [n=nemysis@194-92.3-85.cust.bluewin.ch] has joined ##openvpn 22:58 < xjkx> nemysis: hi 23:22 < xjkx> !route 23:22 < vpnHelper> xjkx: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 23:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn --- Day changed Thu Mar 05 2009 00:15 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn 00:15 < lavren> Me and a friend have a site-to-site VPN -- the connection seems to go idle really quickly, so within 5 minutes if I ping his VPN router from mine, it doesn't respond -- but if you try it again in about 10 seconds it starts responding again 00:16 < lavren> I'm not familiar with openvpn at all, but what typically causes something like this over an internet VPN 00:32 -!- fuffalo 
[n=fuffalo@S0106002191ea672c.cg.shawcable.net] has joined ##openvpn 00:33 < fuffalo> if i'm connecting to a openvpn server and i'm behind a router, should i need to change anything in my router? 00:33 < fuffalo> !route 00:33 < vpnHelper> fuffalo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 00:49 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has left ##openvpn [] 00:55 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 01:12 -!- harrisony [n=harrison@unaffiliated/harrisony] has joined ##openvpn 01:13 < harrisony> is there any nice way of having openvpn set up so every node is a client and a server (if that makes sense) 01:15 < harrisony> kinda like a mesh network in a way 01:39 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"] 01:46 < xjkx> harrisony: people are dead here :s do you know a free vpn service ? 01:47 < harrisony> the only thing i can think of is hamachi.cc 01:47 < harrisony> which isnt openvpn 01:49 < xjkx> okey :s harrisony are you experienced with openvpn ? i can't ping when i connect 01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:52 < xjkx> polaru: are you experienced with openvpn ? 
i cant ping when i connect 01:55 < harrisony> xjkx, no, and you're not going to get help by spamming when anyone joins 01:55 < harrisony> i would try the mailing list 02:07 -!- c64zottel [n=hans@p5B17B1FD.dip0.t-ipconnect.de] has joined ##openvpn 02:07 -!- stephenh_ [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)] 02:10 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 02:19 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)] 02:21 < xjkx> harrisony: sorry i wasn't meaning to spam 02:45 -!- xjkx [n=x@unaffiliated/xjkx] has quit [Read error: 110 (Connection timed out)] 02:51 -!- xjkx [n=x@201009150172.user.veloxzone.com.br] has joined ##openvpn 02:59 -!- nemysis [n=nemysis@194-92.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 03:03 -!- magic_1 [n=magic_1@41.208.50.160] has quit ["Leaving"] 03:15 -!- nemysis [n=nemysis@170-62.106-92.cust.bluewin.ch] has joined ##openvpn 03:37 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 03:44 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 03:44 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Remote closed the connection] 03:50 -!- `VL [n=vl@82.138.2.25] has joined ##openvpn 03:51 < `VL> hello. does openvpn allow setting the local port for a client? i set the option in the config file, but it looks like openvpn just ignores it ;-( http://rafb.net/p/AIe9n746.html 03:51 < vpnHelper> Title: Nopaste - x (at rafb.net) 03:55 < reiffert> --bind --nobind 03:55 < reiffert> !man 03:55 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:56 < `VL> hm.. nobind is not set. is it by default? 04:03 < `VL> there is no --bind option in 2.07, nobind is not set, i tried to add 'local myaddr potr' but it still doesn't want to bind to the specified local port and uses a random one... 
04:06 < reiffert> 2.07 is ancient. 04:15 -!- kwek [n=kwek@206.Red-83-40-162.dynamicIP.rima-tde.net] has joined ##openvpn 04:15 < kwek> hey.. openvpn works fine for me and my colleague to the office.. but we cant ping each other.. what could this be 04:17 < reiffert> !client-to-client 04:17 < vpnHelper> reiffert: Error: "client-to-client" is not a valid command. 04:18 < reiffert> --client-to-client 04:18 < `VL> Bug: http://sourceforge.net/tracker2/index.php?func=detail&aid=1159432&group_id=48978&atid=454719 No bind to local port in tcp mode ;-( 04:18 < vpnHelper> Title: SourceForge.net: OpenVPN: Detail: 1159432 - openvpn doesn't bind to a specific port in tcp mode (at sourceforge.net) 04:19 < kwek> reiffert, thanks.. i'll enable that 04:20 < reiffert> `VL: See 2nd comment. 04:20 < `VL> yes, i understand 04:21 < `VL> anyway, the reasoning is strange. this option exists to modify the default behaviour of the client. 04:28 < reiffert> udp 04:29 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee 04:29 -!- Netsplit over, joins: krzee 04:30 -!- arzen1013 [i=dce79842@gateway/web/ajax/mibbit.com/x-1d41d6c65478c97f] has quit ["http://www.mibbit.com ajax IRC Client"] 04:38 -!- Netsplit kornbluth.freenode.net <-> irc.freenode.net quits: krzee 05:02 -!- `VL [n=vl@82.138.2.25] has left ##openvpn ["happines is a positive cache flow"] 06:17 -!- mib_0b9j3e [i=52e6d07c@gateway/web/ajax/mibbit.com/x-2af0ec9d8bbd1f9d] has joined ##openvpn 06:24 < mib_0b9j3e> hi 06:24 < mib_0b9j3e> there 06:24 < mib_0b9j3e> i try to install openvpn server on mac os x 06:25 < mib_0b9j3e> by running this command i got this error : sudo openvpn server.conf 06:25 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 60 (Operation timed out)] 06:26 < reiffert> mib_0b9j3e: google up tunnelblick 06:26 < reiffert> == openvpn + gui for OSX 06:26 < mib_0b9j3e> i got this error : http://paste.ubuntu.com/126675/ 06:27 < reiffert> openvpn --config ...server.conf 06:28 < reiffert> mib_0b9j3e: dev tun0 instead of 
dev tun. 06:29 < mib_0b9j3e> i got this one http://paste.ubuntu.com/126676/ 06:29 < mib_0b9j3e> k i will try 06:33 -!- mib_0b9j3e [i=52e6d07c@gateway/web/ajax/mibbit.com/x-2af0ec9d8bbd1f9d] has quit ["http://www.mibbit.com ajax IRC Client"] 06:35 -!- mib_yua12r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-c3ed7592f31600e6] has joined ##openvpn 06:35 < mib_yua12r> sorry 06:35 < mib_yua12r> connection down 06:36 < mib_yua12r> now i got this error 06:36 < mib_yua12r> http://paste.ubuntu.com/126678/ 06:36 < mib_yua12r> by changing dev tun to dev tun0 06:37 < mib_yua12r> hello reiffert 06:37 < reiffert> hi mib_yua12r 06:38 < reiffert> where are you from? 06:38 < mib_yua12r> from france 06:38 < reiffert> ah, do you speak French? 06:38 < mib_yua12r> of course 06:38 < mib_yua12r> man 06:39 < mib_yua12r> and you? 06:39 < reiffert> a little bit 06:39 < mib_yua12r> where are you from ? 06:39 < reiffert> Germany, Mayance 06:39 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 06:39 < mib_yua12r> cool 06:39 < mib_yua12r> but i don't speak German 06:39 < reiffert> mib_yua12r: however, create that /dev/tun0 by running openvpn --mktun tun0 06:41 < mib_yua12r> sudo openvpn --mktun tun0 Password: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun Use --help for more information. 06:41 < reiffert> openvpn --mktun --dev tun0 06:41 < mib_yua12r> sudo openvpn --mktun --dev tun0 Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun Use --help for more information. 06:42 < reiffert> wtf. wait. 06:42 < mib_yua12r> thx 06:43 < reiffert> ./openvpn --help |grep mktun 06:44 < mib_yua12r> Macusers$ ./openvpn --help |grep mktun -bash: ./openvpn: No such file or directory 06:44 < reiffert> come on, think. 06:45 -!- kwek [n=kwek@206.Red-83-40-162.dynamicIP.rima-tde.net] has left ##openvpn ["Ex-Chat"] 06:46 < mib_yua12r> apparently there is no help file 06:46 < reiffert> did you load the kernel extension tun.kext yet? 
06:46 < reiffert> kextstat |grep tun 06:47 < mib_yua12r> i just try to follow this tutorial 06:47 < mib_yua12r> http://doc.ubuntu-fr.org/openvpn 06:47 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 06:47 < reiffert> did you load the kernel extension tun.kext yet? 06:47 < reiffert> kextstat |grep tun 06:48 < mib_yua12r> yes i just did 06:48 < reiffert> kextstat |grep tun 06:48 < mib_yua12r> how to run tun.kext ? 06:49 < mib_yua12r> is it with this command kextstat |grep tun 06:49 < mib_yua12r> ? 06:49 < reiffert> tun.kext is a kernel extension. 06:49 < reiffert> you need that kernel extension. 06:49 < reiffert> it creates /dev/tun0 06:49 < reiffert> openvpn needs it. 06:50 < reiffert> tun.kext comes with tunnelblick. tunnelblick bundles openvpn and a gui. You know tunnelblick? 06:50 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn 06:50 < mib_yua12r> tunnelblick 06:51 < mib_yua12r> is it not an openvpn client ? 06:51 < mib_yua12r> does it work as a server ? 06:51 < reiffert> we only need that tun.kext from tunnelblick 06:52 < mib_yua12r> is tunnelblick for server or for client ? 06:53 < reiffert> both 06:53 < mib_yua12r> ok 06:53 < reiffert> 1. Get tunnelblick. 2. Install Tunnelblick, 3. Say "Let continue" 06:54 < mib_yua12r> ok thx a lot 06:54 < mib_yua12r> my battery is down now 06:54 < mib_yua12r> i'm on a macbook 06:54 < mib_yua12r> outside 06:54 < mib_yua12r> maybe the charge will be down soon 06:54 < reiffert> k 06:55 < mib_yua12r> so i have to install tunnelblick 06:55 < mib_yua12r> and generate a key from it 06:55 < mib_yua12r> to use it from windows mobile 06:55 < mib_yua12r> is it possible ? 
06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# ls -al /dev/tun0 06:55 < reiffert> ls: /dev/tun0: No such file or directory 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# kextload tun.kext 06:55 < reiffert> kextload: tun.kext loaded successfully 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# ls -al /dev/tun0 06:55 < reiffert> crw-rw---- 1 root wheel 10, 0 Mar 5 14:02 /dev/tun0 06:55 < reiffert> zucker:/Applications/Tunnelblick.app/Contents/Resources root# --- Log closed Thu Mar 05 06:58:03 2009 --- Log opened Thu Mar 05 06:58:26 2009 06:58 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 06:58 -!- Irssi: ##openvpn: Total of 50 nicks [0 ops, 0 halfops, 0 voices, 50 normal] 06:58 -!- Irssi: Join to ##openvpn was synced in 1 secs 07:08 -!- mib_pfoeil [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7e81b0b071d570e2] has joined ##openvpn 07:08 < mib_pfoeil> hi reiffert 07:08 < mib_pfoeil> i m back 07:08 < mib_pfoeil> i just finish installing tunnelblick 07:14 < mib_pfoeil> well i try to install openvpn on my mac os x 07:22 -!- mib_pfoeil [i=52e6d07c@gateway/web/ajax/mibbit.com/x-7e81b0b071d570e2] has quit ["http://www.mibbit.com ajax IRC Client"] 07:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:40 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn 07:55 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn 07:55 < A[D]minS^Work> in config file .. what i should add for -> ifconfig 07:55 < A[D]minS^Work> ifconfig ipaddress gateway ? 07:56 < dazo> A[D]minS^Work: you should probably read the docs more carefully ... 
it's pretty well explained there 07:56 < A[D]minS^Work> ok thx dazo 08:01 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has left ##openvpn ["Ex-Chat"] 08:03 < A[D]minS^Work> just a question for whoever can answer it 08:04 < A[D]minS^Work> what is the difference between "VPN server list with symmetric key" and "VPN server list" in Webmin 08:04 < A[D]minS^Work> and which one i should use to create my configuration file 08:06 < A[D]minS^Work> local-Peer 192.168.1.1 192.168.1.254 ? 08:09 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has left ##openvpn ["Leaving"] 08:30 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has joined ##openvpn 08:30 < platin> hey 08:30 < platin> i got a problem with my vpn 08:31 < platin> the computer is in a domain - and i've used openvpn with the gui. the user has no administration privileges 08:31 < platin> now i want to start the openvpn service 08:31 < platin> but it says 08:31 < platin> faild to open "openvpnservice" 08:31 < platin> how to fix? 08:34 < ecrist> foo 08:44 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has joined ##openvpn 08:44 < Tophat> anyone have any experience taking the configuration from a Watchguard firewall to the OpenVPN platform? 08:45 < platin> no one has an idea? 09:25 < xjkx> do you know any free service with shell access ? 09:25 < ecrist> there are many of them out there. 09:25 < ecrist> use google. 09:26 < xjkx> i came from there already, tried "vpn account" free "shell access" and some other keywords 09:56 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 09:57 < xjkx> ecrist: suggest me keywords then 10:00 < ecrist> http://lmgtfy.com/?q=free+shell+account 10:00 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 10:03 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn 10:06 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn 10:08 < dazo> ecrist: that link rocks! 
10:08 < dazo> :D 10:09 < ecrist> yeah, I found that site about two months ago, someday, I'll write a module for our bot. :) 10:09 < dazo> +1 10:29 < xjkx> that's for free shell, not for vpn with shell access 10:33 < dazo> xjkx: well, it's probably just a matter of readjusting the google query then ... if you can't find anything, hey, we're not better here at finding things than google already is 10:40 < xjkx> huh, what ? i just asked if anybody knew one server like that, he said i should have googled, and i told him i already did and expected maybe he would give me better keywords than mine, it's not like i came here to ask for help googling lol 11:09 < reiffert> xjkx: and your openvpn question is? 11:17 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection] 11:18 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn 11:58 < xjkx> reiffert: there is no ##vpn which makes this channel the closest to my question, that's how we usually do it in freenode. anyway, i got an openvpn question, thanks for asking. I will try to explain it: I connect by pppoe-start and after sending the command "route" i see there is no default router set, which is why my message log cries about that, then I copied the only entry I had there and added it as default (route add default gw ip) so openvpn stopped 11:58 < xjkx> oh, and if i don't add a default gateway, i can access websites after connecting to the vpn server, problem is that my ip remains the same 11:59 < xjkx> like it isn't connected, probably because it couldn't find the default router (which i added, as mentioned in the first explanation) 12:00 < xjkx> and even with no default router set i have no problem with my normal connection, i think that's because it's the only one there, no idea 12:04 -!- Jason404 [n=eggbean@host86-145-72-251.range86-145.btcentralplus.com] has joined ##openvpn 12:05 < Jason404> hey, does OpenVPN have any advantages over a hardware based PPTP VPN, like a cheap Netgear Prosafe router? 
12:06 < Jason404> when you are connected to an OpenVPN VPN, do you still keep local network web connection? 12:06 < Jason404> do you with a PPTP hardware VPN ? 12:06 < dazo> Jason404: well, I'd guess that Netgear's router is also just running the VPN parts as software in its own closed router OS 12:07 < Jason404> any differences for the user though? 12:07 < dazo> Jason404: yes, local that's kept ... well, you can configure it in a diversity of ways 12:07 < Jason404> so being connected to the VPN does not affect your local networking or web? 12:07 < dazo> Jason404: probably not ... well, PPTP is built into Windows .... while openvpn requires additional software to be installed 12:07 < Jason404> is that the case for a PPTP VPN as well, or not? 12:07 < dazo> Jason404: I don't know ... I've never tried setting up a PPTP server 12:08 < Jason404> dazo: ic 12:08 < Jason404> i am not sure which way to go 12:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:08 < dazo> Jason404: but I can highly recommend openvpn .... it's open source, and it is rock solid .... I'm using OpenVPN 2.1_RC15 in production ... haven't had any issues 12:09 < Jason404> as OpenVPN has the disadvantage of it running on the very same server that I would need to connect to to fix if it was broken 12:09 < dazo> Jason404: and I'm using that with both Linux and Windows clients 12:09 < Jason404> so if I SSH/RDP into the server, the VPN will go down when I reboot it 12:10 < Jason404> dazo: I like what I hear about OpenVPN 12:10 < dazo> Jason404: well ... you could also setup a pure openvpn server in your network ... then the VPN wouldn't drop down when your other boxes are rebooted 12:11 < Jason404> I would like to know if PPTP VPNs can also be connected to while keeping the local web connection, without having to use the remote connection gateway 12:12 < Jason404> dazo: ic. 
But I am a home user, and do not want lots of machines on all the time, due to electricity costs. the only machine that will be on 24/7, will be my server, which would also be the only candidate for OpenVPN 12:12 < dazo> Jason404: http://www.soekris.com/net5501.htm ;-) 12:12 < vpnHelper> Title: Soekris Engineering > net5501 (at www.soekris.com) 12:12 < Jason404> the server is rock solid stable though, so not having a software VPN is not a big issue 12:13 < Jason404> how much would a micro-ATX machine cost to build? 12:14 < Jason404> I have been thinking of building a low-power HTPC, just powerful enough to decode Blu-Ray 12:14 < Jason404> that would be good to use for OpenVPN I suppose 12:14 < dazo> Jason404: depends on your local dealers ;-) ... that soekris costs about EUR230 ... add a flash or a 2.5" IDE or SATA disk ... and you're there 12:15 < Jason404> not powerful enough to decode Blu-Ray though? 12:15 < dazo> Jason404: well, it's a 500MHz SoC .... so probably not :) 12:15 < Jason404> would be neat to make a low-power machine 12:16 < Jason404> yeah, thanks dazo. I will consider this route 12:16 < Jason404> although it will have to be able to do the Blu-Ray thing 12:16 < dazo> Jason404: well, soekris does have a VPN board, to off-load encryption from the main CPU ... not sure if you can use that as well to decrypt blueray disks 12:16 < Jason404> and HD gfx 12:16 < dazo> http://www.soekris.com/vpn1401.htm 12:16 < vpnHelper> Title: Soekris Engineering > vpn14x1 (at www.soekris.com) 12:17 < Jason404> would that card make the VPN connection faster or something? 12:18 < Jason404> this will only be a single connection VPN needed 12:19 < Jason404> i would not need CPU offloading if I am not at home watching Blu-Ray discs anyway, as the machine would be powerful enough for VPN if it can play BR 12:19 < dazo> Jason404: yeah, it will help encryption and decryption ... only BSD supported at the moment, Linux development in progress ... 
it claims to be able to handle between 210 and 400Mbps encryption streams 12:19 < Jason404> i will just have to find out what the minimum spec is for BR 12:19 < Jason404> ic 12:21 < Jason404> even with using OpenVPN, I guess it would be a good idea to forward a port through NAT to another machine, just in case the VPN is down 12:21 < Jason404> insecure though? 12:23 < Jason404> dazo: so you are totally sure that with OpenVPN, you can still use your normal local connection at the same time as the VPN connection? 12:23 < Jason404> I just need to know that for sure 12:23 < Jason404> and are there any issues with the beta, as I would need to use that for Win2008 12:23 < dazo> Jason404: very sure ... to redirect the default traffic, you need to configure that explicitly ... actually, if you do not configure any network routes, all you have is an empty tunnel between two nodes 12:24 < Jason404> ok cool. I did not understand that, but I suppose I will once I start using it 12:24 < dazo> Jason404: For Vista (and most probably 2008) you must run 2.1_rc15 ... but, I'm confident that is rock solid ... I've run it in production since the release, and I have had no issues 12:25 < Jason404> great 12:26 < dazo> Jason404: to be honest, I would be surprised if RC15 will not become the stable 2.1 release which is expected to happen soon .... 
but on the other hand, we've been waiting for 2.1 for almost 2 years by now :-P 12:26 < Jason404> yeah, I saw the release dates 13:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 13:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:21 -!- dazo_ [n=dazo@nat/redhat/x-2c7a4fd1671dfd7a] has joined ##openvpn 13:26 -!- dazo [n=dazo@nat/redhat/x-0459cfa7ce609b71] has quit [Read error: 145 (Connection timed out)] 13:27 -!- Jason404 [n=eggbean@host86-145-72-251.range86-145.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 13:40 -!- dazo_ is now known as dazo 13:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 < Tophat> can openvpn work with SHA1-HMAC auth and 3DES-CBC encryption? 14:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:14 -!- demoncyber_ [n=marco@200.18.3.253] has quit ["Leaving"] 16:00 -!- xjkx [n=x@201009150172.user.veloxzone.com.br] has quit ["Leaving."] 16:16 < nemysis> I wish to use --mode server for more Clients and --dev tun, what is the best for --topology? 16:16 -!- c64zottel [n=hans@p5B17B1FD.dip0.t-ipconnect.de] has left ##openvpn [] 16:27 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 16:27 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)] 16:27 < hardwire> meh 16:28 < hardwire> has anybody configured openvpn to work like a mesh? 
16:58 -!- sigmonsays_ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn 17:07 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)] 17:58 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 17:59 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 18:05 < hardwire> anybody have experience with iroute and client-to-client? 18:05 < hardwire> I'm hoping clients will know what subnets are behind other clients.. and what external IP to use to reach clients directly? 18:17 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 19:08 < ecrist> evening, bitches 19:09 < ecrist> Tophat: openvpn is ssl, not ipsec 19:50 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 19:51 < onats> hello 19:51 < onats> how do i ensure that specific IP's are assigned to my clients? 19:51 < onats> do i need to create CCD's for each one? 20:49 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 21:01 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 21:54 -!- logiclr- [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has joined ##openvpn 21:56 -!- logiclrd [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 104 (Connection reset by peer)] 22:13 -!- dan [n=dan@155.229.22.98] has joined ##openvpn 
22:13 -!- dan [n=dan@155.229.22.98] has left ##openvpn [] 22:31 -!- OliTroll [n=oli@ip-78-94-201-203.unitymediagroup.de] has joined ##openvpn --- Day changed Fri Mar 06 2009 00:00 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 00:55 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 01:13 -!- nemysis [n=nemysis@170-62.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 01:14 -!- nemysis [n=nemysis@234-207.3-85.cust.bluewin.ch] has joined ##openvpn 01:15 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has joined ##openvpn 01:15 < platin> good morning 01:16 < platin> my openvpn says cannot load certificate file *****.crt whats the problem? 01:17 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has joined ##openvpn 01:17 < tjz> hmm 01:18 < tjz> can two persons connect to the same vpn at the same time? 01:29 < platin> tjz, problem fixed... 01:29 < platin> i use a domain - and there were problems with the access to the certificates... 01:29 < platin> fixed with the privileges... 01:29 < platin> now it works 01:29 < platin> thanks for ur help anyway 01:47 < stephenh> tjz: yes 01:50 < tjz> without making additional client1,client2? 01:50 < hads> Certificates? 01:51 < hads> Multiple connections from the same cert are mentioned in the docs and in the server config. 01:51 < hads> Possible but not recommended. 01:52 < tjz> yea , cert 01:52 < tjz> i don't wish to allow multiple users to use the same cert to connect... 01:53 < hads> That's the default. 
01:55 < tjz> ok 01:55 < tjz> i guess so 01:56 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:12 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn 02:14 < mazzachre> Help... On one of the Windows clients when I connect to the server, it complains about the network address... Stating something about that it needs a netmask of 255.255.255.252... What is that about? The server has address 192.168.7.125/24 (on the inside) and it assigns addresses 150-165 on that network. Other windows clients connect fine... What is wrong? 02:15 < hads> !/30 02:15 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 02:28 -!- harrisony [n=harrison@unaffiliated/harrisony] has left ##openvpn ["Leaving"] 02:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:08 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has joined ##openvpn 03:08 < m31k0r> hi 03:08 < m31k0r> does anybody know, if you establish a tunnel between two networks 03:09 < m31k0r> if it's possible to identify the hosts in one of the networks in the other? 03:09 < hads> Yes 03:10 < m31k0r> so if one network is 192.168.1.X 03:10 < m31k0r> and the other 192.168.2.X 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.1 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.2 03:11 < m31k0r> the hosts on the first one will arrive at the other with IPs 192.168.1.3 03:11 < m31k0r> right? 
03:11 < hads> You lost me
03:12 < m31k0r> sorry
03:12 < m31k0r> Well, if you have a roadwarrior configuration when each client establishes a tunnel
03:12 < m31k0r> then you identify each host easily
03:12 < mazzachre> hads: Why does it work on some windows clients but not on others?
03:12 < m31k0r> because each host arrives to the internal network with a fixed IP
03:13 < m31k0r> but my question is if you establish a tunnel to link two networks
03:13 < mazzachre> This is related to bridging, right?
03:13 < m31k0r> is it possible to identify the hosts?
03:13 < m31k0r> yes
03:14 < hads> m31k0r: Identify them by subnet?
03:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 < hads> mazzachre: Pass, I don't understand Windows.
03:17 < m31k0r> no i want to identify them like in the roadwarrior case
03:17 < m31k0r> because we want to filter the internal network services to some ips
03:18 < m31k0r> if i identify all the packets coming from the network with the same ip then it's useless
03:19 < hads> Not sure sorry
03:19 < mazzachre> hads: Heh... no one does...
03:19 < hads> Friday night :)
03:20 < m31k0r> ok thank you anyway
03:20 < m31k0r> I will try to research a bit more
03:20 < mazzachre> hads: The problem is related to bridging right? If I set up everything to use routing again it should work? (Except that I then have to find out how to set up correct routing rules for a network I can't control...
03:44 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
04:34 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
04:43 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
04:45 -!- prxtien [n=pro@115.131.200.228] has joined ##openvpn
04:50 < mazzachre> Uhm ok... found the problem with the windows machine...
04:52 < mazzachre> So... When using dev tap and bridged vpn... How many IP addresses on the server network does each connection take? 1 or 4? (Connecting to 192.168.7.125 and it can use the ip addresses 150-165 on that network for clients)
05:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:32 -!- platin [n=platin@swrouter.swbs.etc.tu-bs.de] has quit [Read error: 113 (No route to host)]
06:18 -!- Tophat [n=Tophat@fpal5-a01.peop.tds.net] has quit ["Leaving"]
06:20 -!- dijital1 [n=dijital1@66-168-204-177.dhcp.gsvl.ga.charter.com] has quit [Read error: 110 (Connection timed out)]
06:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:33 -!- prxtien [n=pro@115.131.200.228] has quit ["Leaving"]
06:34 -!- nemysis [n=nemysis@234-207.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
06:35 -!- nemysis [n=nemysis@233-66.3-85.cust.bluewin.ch] has joined ##openvpn
07:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
07:54 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has quit ["Saliendo"]
08:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:36 < ecrist> mazzachre: 1
08:39 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
08:46 -!- SuperEvilDeath12 [n=death@212.206.209.177] has joined ##openvpn
08:46 < SuperEvilDeath12> question if i were to multicast over an openvpn vpn would all my packages go Caster -> Server -> Client or in a more p2p model ?
08:47 < reiffert> former
08:47 < ecrist> by nature of a vpn, all packets bound for the vpn must pass through the vpn endpoint
08:48 < SuperEvilDeath12> yeah i guess you kinda have a point there ecrist i guess it destroys my bandwidth saving dream but hell at least i know its gonna fail now :)
08:57 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
08:57 < A[D]minS> !configs
08:57 < vpnHelper> A[D]minS: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:58 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
08:58 < mazzachre> ecrist: thanx!
08:58 < ecrist> mazzachre: np
08:59 < ecrist> good morning, krzee
08:59 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
08:59 < krzee> mornin
08:59 < krzee> machu pichu was AWESOME
09:00 < krzee> and yes, i did blaze a joint at the top
09:00 * ecrist is jealous
09:00 < krzee> i got pics
09:00 < krzee> many many pics
09:01 < ecrist> sweet, send me a link (email, if you prefer)
09:01 < A[D]minS> would you please help with this case : http://pastebin.com/d13e4e293
09:02 < A[D]minS> appreciate your advice
09:02 * ecrist wishes pastebin used black text
09:04 < ecrist> A[D]minS: are you running as root?
09:04 < A[D]minS> which part?
09:04 < A[D]minS> client side?
09:04 < A[D]minS> nope
09:04 < ecrist> you need to
09:04 < A[D]minS> ok let me try sudo
09:07 < krzee> i forgot my charger cable for my camera for the weekend
09:07 < krzee> 3 days of tours, machu pichu being last day
09:07 < krzee> the camera made it EXACTLY long enough
09:07 < krzee> last picture i wanted, then *poof*
09:08 * dazo is also jealous on krzee
09:08 < krzee> and i HAD to get the last pic in
09:08 < krzee> it was me smoking the joint up on machu pichu
09:09 < krzee> if i didnt get a pic of that it woulda been tragic
09:09 -!- kezhi [i=moneybag@drug.cartel.pl] has joined ##openvpn
09:10 < krzee> so the talent wasnt too special up in cusco (the city near machu pichu)
09:10 < krzee> the girls were so-so, and i didnt want an american traveler, i wanted a local
09:10 < krzee> so instead of a 10 i settled for a 5 - 6
09:10 < krzee> but i hit it 2x so i figure she was a 10 - 12
09:11 < krzee> ;]
09:11 < A[D]minS> woow working
09:11 < A[D]minS> ecrist: thx
09:11 < krzee> ecrist++
09:11 < A[D]minS> ok i would like to understand how i can do it without root privileges
09:11 < krzee> which os?
09:12 < A[D]minS> Fedora 10
09:12 < krzee> basically, joo cant
09:12 < krzee> BUT
09:12 < krzee> you can have it drop its privs after it does what it needs root for
09:12 < krzee> (ie: adding routes and whatnot)
09:13 < A[D]minS> actually i couldn't get it
09:13 < krzee> huh?
09:14 < ecrist> krzee: I probably would have tried for a local, but gone for the traveler, if she was better than the locals.
09:14 < krzee> i went into it knowing i was down to take lower quality to have it be a peruvian
09:15 < ecrist> fair enough
09:15 < krzee> seeing as back here in lima im already with the brazilian model
09:15 < krzee> i had to get some peruvian
09:15 < ecrist> hehe
09:16 < krzee> besides, take a 6 2x and you got a 12!
09:16 < ecrist> my wife doesn't like sharing with women prettier than her, so I may have had a forced hand, as well.
09:16 < ecrist> lol
09:16 < krzee> hahah
09:18 < krzee> is she at least really pretty?
09:18 < krzee> cause that sounds like a really good deal
09:19 < dazo> A[D]minS: you can not start openvpn without root privileges .... but openvpn can "degrade" itself to a non-privileged user when it is done with the "root-work"
09:19 < ecrist> yeah, she's very pretty
09:19 * krzee realizes what a dumb question that was
09:19 < dazo> A[D]minS: to start up openvpn without root privileges, you can use sudo .... sudo can be configured to allow openvpn to be started with root privileges without asking for a password
09:20 < krzee> "no my wife and the mother of my children is not attractive" lol
09:20 < krzee> dazo, good point, i didnt think of that
09:20 < ecrist> krzee: you ever watch married with children? I know guys like Al, who think their wives are hideous
09:20 < dazo> A[D]minS: another way can also be to play with PolicyKit in Fedora ... that's probably even safer than sudo, but I have not tried that approach
09:20 < krzee> lol there's a guy on the island i call al bundy
09:20 < krzee> you should hear him on the phone with her
09:21 < krzee> "whattaya want"
09:22 < ecrist> my former coworker would throw his phone across the room after getting off the phone with his wife.
09:24 < ecrist> my new switch doesn't track bandwidth on VLANS. :(
09:27 -!- SuperEvilDeath13 [n=death@212.206.209.177] has joined ##openvpn
09:27 -!- SuperEvilDeath12 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
09:30 < krzee> could track me by pushing my traffic through a pf box if you wanna
09:30 < krzee> (assuming thats the idea of what you were thinking
09:30 < krzee> )
09:34 < ecrist> naw, got that solved
09:34 < ecrist> didn't you get the email?
09:34 < ecrist> your box is on its own switch port
09:34 < krzee> ahh cool
09:34 < krzee> im scared to check my email right now
09:34 < krzee> 422 messages
09:34 < ecrist> ouch
09:34 < ecrist> that's what happens when you go on vacation
09:35 < krzee> no kidding
09:35 < krzee> bbiaf, pedicure time
09:35 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:35 < ecrist> with the VLAN thing, I was hoping I could aggregate multiple ports together for traffic monitoring.
09:37 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
09:44 -!- neuro_damage [n=neuro@nat-vlan200.sat.rackspace.com] has quit ["leaving"]
09:51 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 113 (No route to host)]
09:55 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
10:03 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 110 (Connection timed out)]
10:09 -!- tjz [n=tjz@bb116-15-157-37.singnet.com.sg] has quit ["bbl"]
10:12 -!- kB-- [i=moneybag@drug.cartel.pl] has joined ##openvpn
10:13 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
10:15 -!- kezhi [i=moneybag@drug.cartel.pl] has quit [Remote closed the connection]
10:17 -!- kB-- is now known as kezhi
10:23 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
10:26 < krzee> http://www.ircpimps.org/pics/krzee_vaca/machublazu.JPG
10:34 -!- sigmonsays__ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
10:37 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: pa
10:38 < ecrist> nice
10:39 -!- Netsplit over, joins: pa
10:39 < reiffert> pot :)
10:40 < reiffert> Even more :)
10:42 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
10:46 < krzee> =]
10:46 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
10:46 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
10:47 -!- sigmonsays_ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)]
10:47 < krzee> i cant even describe how badass machu pichu was
10:48 < krzee> i highly recommend it
10:52 < reiffert> Who was teaching them to build houses with 2 side roofs like the europeans do it?
10:52 < reiffert> http://upload.wikimedia.org/wikipedia/commons/a/a2/Macchu_picchu_panoramic.jpg
10:54 < ecrist> wouldn't that be considered common sense, in a way?
11:00 < reiffert> I know them from europe, but thats it. Just curious about similarity
11:14 < krzee> 2 side roofs?
11:15 < dazo> krzee: you have the upper side and the underside of the roof ... easy
11:18 < krzee> umm ok, i dont get it
11:18 < krzee> i learned a ton about how they built their stuff, so i'd answer if i understood the ? and knew the answer
11:30 < dvl> tape drives anyone? http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=110359343693
11:30 < vpnHelper> Title: TZ89N-AV SCSI DLT 7000 tape drive - used - eBay (item 110359343693 end time Mar-10-09 18:54:31 PDT) (at cgi.ebay.com)
11:30 < dvl> DLT 7000, robotics
11:33 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:11 < vcs> Hi, I have added push "route 10.2.1.0 255.255.255.0" and "route 10.2.1.0 255.255.255.0" to my server.conf file, I can access 10.2.1.212 on the local network but not from any clients. The openVPN server is running on the gateway of that subnet, any idea what the issue could be?
12:12 < krzee> !route
12:12 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:14 < vcs> I read that already :|, when I run route PRINT in the windows client, the route is not there at all.
12:16 < krzee> !logs
12:16 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
12:16 < krzee> !configs
12:16 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:27 < krzee> also, you didnt mention if the lan is behind client or server
12:30 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
12:31 < A[D]minS> !route
12:31 < vpnHelper> A[D]minS: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
12:36 < A[D]minS> i have a weird problem with openvpn
12:37 < A[D]minS> i connect just for 10 sec then disconnect
12:37 < A[D]minS> http://pastebin.com/d4c67310a
12:37 < A[D]minS> any idea why i cut after 10 sec?
12:39 < krzee> multiple errors, increase verbosity
12:43 < krzee> verb 6 should be fine
12:45 < A[D]minS> i made it 6
12:46 < krzee> k, so lets see it
12:48 < A[D]minS> i am rebooting openvpn server because i need to make sure everything is fine with this server :D
12:48 < A[D]minS> just in a moment i'll try again
12:59 < vcs> one moment, the lan is behind the server
12:59 < vcs> i will pastebin
13:05 < A[D]minS> krzee: the same
13:05 < A[D]minS> http://pastebin.com/d7b28dfe1
13:05 < A[D]minS> this is showing everything
13:06 < A[D]minS> maybe you can get whats wrong
13:06 < A[D]minS> if you want me to pastebin my client.conf and server.conf no problem
13:06 < ecrist> /topic Boats and Hos
13:10 < A[D]minS> now when i tried to connect it gave this error
13:10 < A[D]minS> Fri Mar 6 23:17:17 2009 us=295898 UDPv4 WRITE [14] to 41.196.212.26:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
13:10 < A[D]minS> Fri Mar 6 23:17:17 2009 us=396256 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
13:11 < A[D]minS> once i do /etc/init.d/openvpn restart it will work..but just for a while then back to this error
13:17 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Excess Flood]
13:17 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
13:19 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Remote closed the connection]
13:32 < ecrist> yay, my new keyboard drawer just arrived
13:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
14:13 -!- kezhi [i=moneybag@drug.cartel.pl] has quit ["napppp"]
14:16 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
14:24 < krzee> [14:06] one moment, the lan is behind the server
14:24 < krzee> then why do you have the route command in the server config?
14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:11 < vcs> !route
15:11 < vpnHelper> vcs: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:15 -!- bandini [n=bandini@host111-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:41 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:42 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 110 (Connection timed out)]
17:03 -!- therian [n=Larson50@adsl-69-225-1-98.dsl.skt2ca.pacbell.net] has joined ##openvpn
17:03 < therian> why would i be able to connect to a samba share over openvpn but not an xp share
17:03 < therian> any ideas?
17:21 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
17:28 < reiffert> therian: you're asking *why*?
17:29 < therian> um ok more of how do i fix it?
17:29 < reiffert> Write a letter to bill@ms.com
17:29 < therian> kikz
17:29 < therian> lolz
17:34 -!- sigmonsays__ [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit [Read error: 110 (Connection timed out)]
17:37 < ecrist> therian: two things, 1) this isn't ##windows and 2) you don't give us enough information, even if we wanted to help
17:41 -!- therian [n=Larson50@adsl-69-225-1-98.dsl.skt2ca.pacbell.net] has left ##openvpn []
17:48 -!- Gomex [n=rafael@189.105.201.46] has joined ##openvpn
17:48 < Gomex> Hi
17:49 < Gomex> I have a problem with Openvpn. I configured my openvpn ok, but I accidentally used clean-all and I lost all certs and keys
17:50 < ecrist> then you have to start over with the certs
17:50 < Gomex> I tried creating the keys and certs again, but it doesn't work now :(
17:51 < ecrist> you need to distribute the new certs to your clients, too
17:51 < Gomex> is it necessary that I clean something before creating other keys and certs?
17:51 < Gomex> yes, I did it
17:51 < ecrist> and you need to restart the vpn
17:51 < Gomex> ecrist, I did it
17:51 < Gomex> ecrist, I restarted Openvpn too
17:53 < ecrist> *shrug*
17:53 < Gomex> ecrist, I need to use a command to clean something?
17:53 < ecrist> no
17:58 < Gomex> ecrist, Ok, I will try again slower
18:10 < Gomex> ecrist, I think that I forgot to restart the openvpn
18:11 < Gomex> because I thought that I did it before, but I did it a few times ago with the linux client and it works...
18:41 < Gomex> ecrist, Works in Windows now! :D
18:42 < ecrist> glad to hear it
18:42 < Gomex> ecrist, thank you
18:43 < Gomex> ecrist, I think that in the "storm" that I passed in work this morning, I forgot to restart this!
20:09 -!- Gomex_ [n=rafael@189.105.135.171] has joined ##openvpn
20:32 -!- Gomex [n=rafael@189.105.201.46] has quit [Read error: 110 (Connection timed out)]
20:43 -!- Gomex_ [n=rafael@189.105.135.171] has quit [Read error: 110 (Connection timed out)]
21:51 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
21:51 < lavren> In my tun0 interface I have the router IP "10.5.0.10" and next to it I see P-t-P:10.5.0.9, it is also in my routing table... where is that coming from? neither me nor my friend (the other vpn router) know
21:52 < lavren> and our connection is terrible on my end, there is some weird route that is coming into play
21:54 < lavren> oh nm
21:54 < lavren> that's normal
22:11 < hads> !/30
22:11 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
22:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
23:14 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
23:14 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
23:14 -!- onats_ is now known as onats
23:15 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
--- Day changed Sat Mar 07 2009
00:10 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:31 -!- nemysis [n=nemysis@233-66.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:34 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
03:52 -!- JigSaw-2 [n=JigSaw-2@123.252.146.52] has joined ##openvpn
04:21 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 110 (Connection timed out)]
04:24 -!- nemysis [n=nemysis@193-86.3-85.cust.bluewin.ch] has joined ##openvpn
04:25 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
04:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
05:15 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 104 (Connection reset by peer)]
05:24 -!- nemysis [n=nemysis@193-86.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:29 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
06:45 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 110 (Connection timed out)]
06:52 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
06:53 < mjt> that'd probably be an annoying question but... is openvpn.net down?
06:55 -!- JigSaw-2 [n=JigSaw-2@123.252.146.52] has quit [Read error: 104 (Connection reset by peer)]
06:58 < mjt> and a newbie question. I need to build a vpn-server with 100% static config and with specified IP addresses for server and all the clients (the clients should use an address assigned by the server). How to specify address of the server, and of each client?
06:58 < mjt> i can't get the whole picture, so I need an example to start with.. ;)
06:59 < mjt> --ifconfig looks like the right option, but it requires 2 arguments
06:59 < mjt> while i need only one. Tried --ifconfig $Localaddr 0.0.0.0, it worked but it's ugly.
07:01 < mjt> and 2 more probs right away. Specifying `--route 1.2.3.4' or `--route 1.2.3.4 255.255.255.255' gives `SIOCADDRT: Invalid argument' -- openvpn does not show the command itself.
07:01 < mjt> and -- as per above, -- i can't understand how to configure client's IP address statically in ccd/$cn
07:02 < mjt> so it shows 'no dynamic or static remote --ifconfig address is available'
07:35 < mjt> aha. Found --ifconfig-push option
07:52 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 110 (Connection timed out)]
07:55 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
08:04 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
08:08 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
08:10 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Read error: 104 (Connection reset by peer)]
08:12 < reiffert> mjt: example to start with:
08:12 < reiffert> !howto
08:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:14 < reiffert> mjt: however, it looks like the webserver on openvpn.net is down.
08:14 < reiffert> mjt: http://web.archive.org/web/20080209040742/http://openvpn.net/
08:24 < mjt> that's what i'm reading for several hours already ;)
08:25 < mjt> but i was really puzzled by the fake usage of fake p2p interface and peer addresses
08:25 < mjt> that's what i was asking really, to understand the principles
08:25 < mjt> now i see how it's done
08:26 < mjt> in all examples -- ifconfig 10.4.0.1 10.4.0.2; ifconfig-pool 10.4.0.4-10.4.0.250
08:26 < mjt> that 10.4.0.2 thing
08:26 < mjt> it's 100% fake
08:29 < mjt> in other words, there should be only one ip address in the ifconfig line (no peer), and routes should be device, not nexthop. I.e., route add $client dev $interface
08:29 < mjt> (instead of route add $client gw $fakenexthop)
08:41 < mjt> what does openvpn do when host routing table conflicts with openvpn's? I mean, say, host routes 10.4.0.5 to the tun interface, but openvpn does not know where to send it to?
08:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
08:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
08:53 < mjt> or in other words, is there a way to tell openvpn to send some ICMP host unreach or somesuch in response to packets destined for "unknown" destinations?
09:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:50 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: eagle, qkf, rdz, meshuga, dazo, rubydiamond, xor|, skx, higuita, Typone, (+13 more, use /NETSPLIT to show all of them)
09:51 -!- Netsplit over, joins: rubydiamond, onats, lavren, skx, SuperEvilDeath13, OliTroll, logiclr-, eliasp, dazo, hads (+13 more)
09:58 < reiffert> mjt: thats a job for a firewall
10:01 < mjt> it's not
10:02 < mjt> the idea is to indicate that this client isn't connected *now*, instead of timing out
10:17 < mjt> " NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.
10:18 < mjt> -- any way to turn it off without shuttin up other useful warnings?
10:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:40 -!- joelsolanki [i=joelsola@123.237.173.76] has joined ##openvpn
10:40 < joelsolanki> Hi all
10:40 < joelsolanki> openvpn is down ?
10:40 < joelsolanki> www.openvpn.net is down ?
10:42 < mjt> it is, for about 9 hours already (since i tried to access it)
10:42 < mjt> my guess is some i/o-related (disk) kernel OOPS
10:42 < mjt> and no watchdog configured
10:44 < joelsolanki> oh :(
11:02 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["lavren has no reason"]
11:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 131 (Connection reset by peer)]
11:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:13 -!- nemysis [n=nemysis@124-21.106-92.cust.bluewin.ch] has joined ##openvpn
11:29 -!- joelsolanki [i=joelsola@123.237.173.76] has quit []
11:42 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
11:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
13:25 -!- gallatin [n=gallatin@dslb-092-072-070-152.pools.arcor-ip.net] has joined ##OpenVPN
13:36 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
13:37 < Roman123> Hi!
14:52 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
14:53 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
15:58 -!- nemysis [n=nemysis@124-21.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
15:59 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has joined ##openvpn
16:21 -!- OliTroll [n=oli@ip-78-94-201-203.unitymediagroup.de] has left ##openvpn []
16:23 -!- gallatin [n=gallatin@dslb-092-072-070-152.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
16:48 < Roman123> very silent here
16:48 < Roman123> anyone else awake?
17:40 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn
17:40 < betabot> hey
17:40 < betabot> i'm wondering how i would remove someone once they have a ca cert
17:41 < betabot> without having to make a new ca
17:41 < betabot> and resign everyone
17:45 < Roman123> betabot: yes it is possible
17:45 < Roman123> you can revoke a cert
17:47 < Roman123> betabot: Personally, I never revoked a certificate but you can plenty of howtos on google by searching for "openvpn + cert + revoke".
17:48 < Roman123> s/can/can find
17:48 < Roman123> !route
17:48 < vpnHelper> Roman123: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:50 < stephenh> betabot: ./revoke-full
17:50 < hads> (with easy-rsa)
17:56 < betabot> stephenh, so once i ./revoke-full then they can no longer log in?
17:56 < betabot> Roman123, thanks :)
17:57 < stephenh> if using easy-rsa as pointed out by hads
17:58 < stephenh> it does give an error at the end of revoking, but that is normal
18:01 < Roman123> I connected two LANs by means of two routers using openvpn (bridge mode): 192.168.50.0/24 and 192.168.51.0/24 are the networks behind the server (router) and the client (router), respectively. Everything works fine, i.e., I can transfer data in both directions. Now I'd like to connect to this network by means of a notebook (roadwarrior). Once the connection is established, I can transfer data from the 192.168.50.0/24 lan but not from 192.168.51.0/24
18:01 < Roman123> to the notebook although I have placed "route 192.168.51.0 255.255.255.0 192.168.50.1" in the notebook openvpn client config.
18:03 < betabot> stephenh, i am using easy-rsa
18:03 < betabot> stephenh, however when i tried it it failed horribly
18:03 < betabot> the username is the name before .crt & that in the /etc/openvpn/keys directory?
18:04 < stephenh> yes
18:06 < betabot> then it just failed horribly
18:07 < betabot> i have errors like: error on line 282 of config file '/etc/openvpn/openssl.cnf'
18:07 < betabot> 18931:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
18:07 < betabot> Using configuration from /etc/openvpn/openssl.cnf
18:07 < betabot> error on line 282 of config file '/etc/openvpn/openssl.cnf'
18:07 < betabot> 18932:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
18:07 < betabot> then it just starts failing
18:07 < stephenh> . ./vars first?
18:08 < stephenh> Roman123: 192.168.51.0 needs to know how to route back traffic to your road warrior subnet
18:09 < betabot> i sourced ./vars
18:09 < stephenh> ecrist wrote a little page regarding that sort of connectivity i think, can't remember it atm and i lost my inet history
18:09 < betabot> i just ran source ./vars then ./revoke-all [username]
18:09 < betabot> and it gave the same error
18:10 < betabot> it's like it's trying to find crl.pem, which doesn't exist
18:10 < stephenh> it should be in your keys directory
18:12 < betabot> nope
18:12 < Roman123> stephenh: the routeback works behind both lans. why does it not work to the road warrior although a bridged connection is utilized (no routing, the assigned ip to the road warrior is part of the 192.168.50.0/24 network).
18:12 < betabot> i have 01-07.pem
18:12 < betabot> dh2048.pem and revoke-test.pem
18:12 < Roman123> I don't understand that
18:13 < stephenh> is openvpn.net timing out for you guys too?
18:14 < Roman123> stephenh: yes
18:14 < stephenh> ok
18:15 < stephenh> is the 'client-to-client' directive in your openvpn config?
18:15 < Roman123> argh
18:15 < Roman123> stephenh: I guess I missed that
18:15 < betabot> so stephenh what do i do?
18:16 < Roman123> I thought about everything, every possible routing option but not about client-to-client :(
18:16 < Roman123> I'll try
18:16 < stephenh> ./build-key ; ./revoke-full
18:16 < stephenh> the last time i had an issue i did that and it worked
18:17 < stephenh> i can't remember if i had the same issue
18:17 < stephenh> Roman123: cool
18:17 < stephenh> i'm going to bed. 2.20am, email is taking too long to find mail i'm looking for
18:17 * Roman123 is trying
18:17 < Roman123> stephenh: thanks, n8
18:18 < stephenh> ok, good luck - i don't work with bridges ever, really. hope that directive sorts you out
18:19 < betabot> stephenh, it failed
18:19 < betabot> stephenh, first one worked, second failed with the same error
18:19 < stephenh> second command? second cert?
18:19 < betabot> yeah
18:19 < betabot> same error
18:20 < betabot> i'll pastebinnit
18:20 < stephenh> ok
18:20 < betabot> http://pastebin.ca/1355546
18:21 < betabot> that's just the revocation
18:21 < stephenh> use .bin please
18:21 < stephenh> i get a 403 forbidden message
18:22 < betabot> pastebin.com ?
18:22 < betabot> or what?
18:22 < stephenh> er, pastebin.com i mean
18:22 < stephenh> yeah, falling asleep here lol
18:22 < stephenh> losing my mind
18:22 < Roman123> stephenh: works
18:22 < Roman123> thanks
18:22 < stephenh> cool, np
18:22 < Roman123> good hint
18:22 < stephenh> sounded like a good one ;-)
18:22 < betabot> http://pastebin.com/d7f9f2bc6
18:25 < stephenh> error 23 at 0 depth lookup:certificate revoked <-- the error i was talking about (just created and deleted a key)
18:25 < betabot> what?
18:26 < betabot> stephenh, i'm getting a lack of certificate crl
18:28 < stephenh> reading now
18:32 < stephenh> missing that crl.pem is going to be a problem i think
18:33 < betabot> then what do i do?
18:34 < stephenh> you can try to generate a new one with 'openssl ca -gencrl -out crl.pem -config /etc/openvpn/easy-rsa/openssl.cnf', but i don't know if that'll sort you out
18:35 < betabot> still don't have one
18:35 < betabot> ok
18:35 < betabot> yeah
18:35 < betabot> now it worked
18:35 < betabot> i hope
18:36 < betabot> it said ok at the end
18:36 < stephenh> to generate the crl.pem?
18:36 < stephenh> read two things so far,
18:37 < stephenh> one was to hash out the pkcs11_section in openssl.conf (although mine doesn't even have that)
18:37 < stephenh> second, to regenerate a lost crl.pem, you need to do:
18:37 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile
18:37 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile keys/ca.key -cert keys/ca.crt -out
18:37 < stephenh> erg
18:38 < stephenh> openssl ca -gencrl -config ./openssl.cnf -keyfile keys/ca.key -cert keys/ca.crt -out crl.pem
18:39 < betabot> stephenh, i made a crl.pem
18:39 < betabot> ok
18:39 < betabot> i've gotten a crl.pem
18:39 < betabot> i'll hash out that section
18:39 < betabot> where is openssl.conf
18:39 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
18:39 < stephenh> in easy-rsa
18:40 < stephenh> betabot: really need to go, can't keep my eyes open
18:40 < betabot> error 23 at 0 depth lookup:certificate revoked
18:40 < betabot> \
18:40 < betabot> ?
18:40 < betabot> stephenh, ok
18:40 < betabot> thanks for your help anyway
18:41 < stephenh> that is it working
18:41 < stephenh> your cert has been revoked
18:41 < betabot> ok
18:41 < betabot> excellent
18:41 < betabot> so from now on they can't reconnect?
18:41 < stephenh> yep
18:41 < stephenh> if you look inside the revoke-all file, you'll see right at the end it does a check to see if the cert is still active, and fails
18:41 < stephenh> that error 23 is the test failing
18:42 < betabot> cool
18:42 < betabot> so if they are still connected they stay connected
18:42 < betabot> is there any way to drop everyone from the vpn?
18:43 < stephenh> sure is,
18:43 < stephenh> can either restart the service,
18:43 < betabot> i just want to drop everyone for like 45 seconds
18:43 < stephenh> or i think it can be done with the telnet admin cli
18:43 < betabot> to make sure everything times out and they're forced to reconnect
18:43 < stephenh> sure, their clients will reconnect automatically
18:44 < betabot> if their key is revoked, it'll fail?
18:44 < betabot> if not they'll just reconnect?
18:44 < stephenh> yes
18:45 < stephenh> good night
18:45 < betabot> thanks
18:52 < Roman123> night
19:00 -!- betabot is now known as simplechat_
19:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
19:02 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Read error: 104 (Connection reset by peer)]
19:03 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has joined ##openvpn
19:22 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
19:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
20:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
22:08 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has joined ##openvpn
22:08 < lavren> Is there a good paper on configuring iptables on a VPN router using openvpn?
22:08 < lavren> I want all of my clients behind the VPN router to have routes to both the destination VPN network and the internet
22:09 < lavren> I've got this working intermittently, but I'm wondering if there is something more effective.
22:09 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn
23:04 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn
23:05 < gejr> how do i set a linux client to use proper dns? he doesn't seem to honor push "dhcp-option" DNS 192.168.1.100 as much as i'd like him to :)
23:40 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn
23:40 * patintin waves..
23:40 < patintin> is http://openvpn.net website down?
23:43 < patintin> hello? anyone? i want to read the openvpn howto
23:47 < hads> Patience patintin
23:47 < hads> and yes, it appears the site is down currently.
23:50 < patintin> hads: ok. i see. thanks. ;)
--- Day changed Sun Mar 08 2009
00:12 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [Read error: 113 (No route to host)]
00:29 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
00:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:50 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn []
00:51 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
01:10 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has joined ##openvpn
01:10 < ArtVandalae> Hi all, OpenVPN.net seems to be down. I've tried using Google cache, and am still unable to access it. Is there an alternative location I can access the website?
01:11 < hads> http://209.85.173.132/search?q=cache:duOUjpCIgcIJ:openvpn.net/howto.html+openvpn+owto&hl=en&client=firefox-a&gl=nz&strip=1
01:11 < vpnHelper> Title: HOWTO (at 209.85.173.132)
01:13 < ArtVandalae> hads, thank you
01:16 < mRCUTEO> !logs
01:16 < vpnHelper> mRCUTEO: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
01:16 < mRCUTEO> !route
01:16 < vpnHelper> mRCUTEO: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
01:16 < mRCUTEO> !SNAT
01:16 < vpnHelper> mRCUTEO: Error: "SNAT" is not a valid command.
01:20 < mRCUTEO> hiya krzie_
01:26 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn []
01:57 -!- worch_ [i=worch@battletoad.com] has quit [Remote closed the connection]
03:03 -!- worch [i=worch@battletoad.com] has joined ##openvpn
03:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
03:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
03:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:26 -!- drzed_ [n=drzed@synflood.homelinux.org] has joined ##openvpn
04:26 < drzed_> hi there!
04:26 -!- drzed_ is now known as drzed
04:27 < drzed> i've got a central openvpn server and 2 vpn-client networks connect to the server
04:28 < drzed> both can talk to server but not to each other
04:28 < drzed> what do i have to do to get this working
04:33 < reiffert> !route
04:33 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
04:33 < drzed> http://www.nopaste.com/p/aDi43SvDob <--- setup looks like this
04:38 < drzed> thx reiffert
04:38 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has quit [Read error: 113 (No route to host)]
04:39 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has joined ##openvpn
04:56 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
04:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
05:28 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
05:41 < drzed> i did a detailed read of the given link, but i do still have no success
05:42 < drzed> bc/ the setup does differ quite a bit
05:43 < drzed> on my server i have multiple openvpn instances running (one for each client lan)
05:43 < drzed> so i do have different tunX ifaces
05:44 < drzed> so for 192.168.4.0/24 there is a route to tun2
05:44 < drzed> and for 192.168.2.0/24 a route to tun1
05:45 < drzed> on client-server 4.0/24 there is a route to 192.168.2.0 via tun0
05:45 < drzed> 193.168.2.0/24 via 172.16.0.5 dev tun0
05:49 < drzed> hm strange the icmp reach tun0 on the client lan
05:52 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has joined ##openvpn
05:54 < A[D]minS^Work> i would like to understand something... i installed OpenVPN on server with static ip under 1 eth and it works fine , now i want to use 2 Interfaces one for internet and one for local network...and i'll need users who accessing the VPN Server get their ips from DHCP of local network
05:54 < A[D]minS^Work> does it mean i must use bridge mode?
05:55 < A[D]minS^Work> openvpn.net down?
05:57 < prxtien> x
05:57 < A[D]minS^Work> ?
06:41 < reiffert> A[D]minS^Work: use archive.org
06:45 < A[D]minS^Work> reiffert, ok fine working
06:45 < A[D]minS^Work> now i would like to know something
06:45 < A[D]minS^Work> i have OpenVPN Server published with Interface eth0 with Internet IP
06:46 < A[D]minS^Work> i want to connect to this OpenVPN server and through eth1 access the Internal network
06:46 < A[D]minS^Work> is it applicable?
06:46 < A[D]minS^Work> and if yes can anyone advise how can i do it?
07:05 < reiffert> !route
07:05 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:18 -!- zheng [n=zheng@218.82.137.65] has joined ##openvpn
07:30 < A[D]minS^Work> reiffert i used route but i couldn't reach the internal servers
07:31 -!- zheng [n=zheng@218.82.137.65] has quit ["Leaving"]
07:38 < reiffert> It's your firewall then.
08:24 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn
08:41 -!- A[D]minS^Work [n=Whisky@41.196.212.25] has quit [Read error: 110 (Connection timed out)]
08:54 < ecrist> stephenh: !route
08:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:04 -!- patintin [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [" HydraIRC -> http://www.hydrairc.com <- Chicks dig it"]
09:28 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:31 -!- JimUnderscore [n=zyme@216.218.95.3] has joined ##openvpn
09:31 < JimUnderscore> !route
09:31 < vpnHelper> JimUnderscore: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:33 < JimUnderscore> I'm probably overlooking something simple, but here
09:34 < JimUnderscore> is my question, I setup a vpn, got it to connect, it gets 10.8.0.x addresses,
09:34 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn
09:35 < JimUnderscore> but I can't ping or communicate with any other machine that are also connected and have a (10.8.0.x) address
09:42 -!- SuperEvilDeath13 [n=death@212.206.209.177] has quit [Read error: 145 (Connection timed out)]
10:05 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has joined ##openvpn
10:05 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has left ##openvpn []
10:14 < ecrist> JimUnderscore: other VPN machines?
10:14 < ecrist> if so, you need to add client-to-client to the server config
10:17 < mjt> btw, is there a way to set up connection between two tls-servers?
10:17 < ecrist> no
10:18 < mjt> i mean, i've two servers each with a bunch of clients. I'm currently running two openvpn instances on one of them
10:18 < mjt> ok
10:18 < ecrist> what you can do is run a client session on one of the servers to connect it to the other.
10:18 < mjt> that's what i'm doing right now
10:18 < ecrist> a client connection shouldn't interfere with the running server connection
10:19 < mjt> just wondered if it's possible to do it in one process.
10:19 < ecrist> nope
10:19 < ecrist> if it were me, I'd probably use IPSec between the two servers
10:19 < ecrist> it's bidirectional, and only comes up when traffic needs to pass
10:20 < mjt> well, it's one more thing to learn, and extra arrangements on one of the sides (corporate firewall)
10:20 < ecrist> ah
10:20 < mjt> port #655 is open but not ipsec ;)
10:20 < mjt> (655 = tinc)
10:21 -!- ArtVandalae [n=SuperUnk@122.111.229.235] has left ##openvpn ["ArtVandalae -- Importer/Exporter"]
10:21 < mjt> But I had a bunch of other questions yesterday... ;)
10:22 < ecrist> well, I'm chained to a work table in my DC right now, so ask away, I'll answer in between walking over to our rack and punching keys
10:23 < mjt> in each example tls-server or the like, there's one fake setup element in use - an IP address 10.4.0.2, the "other side", or "remote endpoint" of a "tunnel" which is 100% fake in case of server with multiple clients
10:23 < mjt> it puzzled me yesterday till i figured it out
10:24 < mjt> but it's used to set up routes. The question really is if it's possible to go without that address?
10:24 < mjt> (damn isp changed my ip again)
10:24 < ecrist> sure, use whatever addresses you want
10:25 < ecrist> those are examples, not rules.
10:25 < mjt> what's needed there is a "device route" (ip route add $foo dev $iface)
10:25 < mjt> the question is how to push those to clients
10:25 < ecrist> !route
10:25 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:25 < ecrist> read that
10:26 < ecrist> I left my DVI->VGA adapter at home, dammit
10:29 < mjt> well ok. it's all good, but does not answer my question. Which is not really important as long as it's possible to run a command (have to use a script, while inline config is more readable) -- i mean, the --route (internal to openvpn) always uses nexthop, no way to specify device routes.
10:29 < mjt> and for client it's also not that important either as we have almost real "tunnel"
10:29 < mjt> just not completely clean, nothing wrong with that.
10:30 < mjt> speaking of routes -- is there a way to make openvpn respond to packets to "unknown" clients with some ICMP net unreachable or somesuch?
10:31 < mjt> the idea is to set up routes for all clients at startup, but to let the other host know that this particular client isn't here yet, instead of letting it time out
10:32 < mjt> ie, adding a route for whole 10.4.0.0/24 at startup, with that network used for clients. And instead of just dropping packets destined for some 10.4.0.25 (when it isn't connected), return some ICMP.
10:33 < ecrist> it should return NETRUNREAC
10:33 < mjt> thats what i'd think it does.
10:33 < mjt> ok, lemme check again
10:33 < mjt> when i tried it yesterday it just timed out
10:34 < mjt> i'm a newbie with openvpn, ran it for the first time yesterday (and immediately came to the problem with the site which was down :)
10:35 < mjt> but i know some bit of background with networking... ;)
10:37 < mjt> oh, and the site is still down...
10:39 < mjt> aha. It was iroute (from that wiki page) which I missed yesterday when testing that setup.
10:39 < ecrist> which site is down?
10:39 < mjt> openvpn.net
10:39 < ecrist> oh, we don't run that.
10:39 < mjt> it's THE site of openvpn
10:39 < ecrist> none of us in here are actually *with* openvpn, we just support it.
10:40 < ecrist> we tried becoming official, but they're sort of selfish and don't want outside help
10:40 < ecrist> *shrug*
10:40 < mjt> i didn't say you run it ;) It's just my bad luck, to come across everything non-working exactly when I need it ;)
10:40 < ecrist> you can get to the documentation at beta.openvpn.net, though
10:40 < mjt> i used web.archive.org
10:40 < mjt> (which was in maintenance mode too yesterday, when I tried to access it for the first time :)
10:41 < ecrist> beta.openvpn.net seems more stable than openvpn.net
10:42 < mjt> irony
10:43 < ecrist> here's a funny story for you, we asked the openvpn folks to post links to our support docs, and they refused, saying they'd rather host them, and allow us to maintain them.
10:43 < ecrist> their reasoning was they were uncomfortable with our ability to keep the site online.
10:43 < ecrist> :)
10:43 < mjt> hmm. I had one more issue yesterday, but don't remember which one.
10:43 < mjt> heh
10:43 < mjt> lovely
10:43 < ecrist> secure-computing.net is *far* more stable than openvpn.net
10:43 < mjt> aha.
10:44 < mjt> but hm.
10:44 < mjt> ;)
10:44 < ecrist> hm?
10:44 < mjt> when looking at all the things, I was thinking such a fat beast needs some more.. accurate security model.
10:44 < mjt> hm because you're not (probably) designing/writing the code
10:44 < ecrist> my site isn't as sharp-looking as theirs though. I suck at design.
10:45 < mjt> heh
10:45 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has joined ##openvpn
10:46 -!- hkais1 [n=dpalic@p5B2F7AEE.dip.t-dialin.net] has left ##openvpn []
10:46 < mjt> but the thing is -- there are 2 kinds of stuff going on when openvpn process is running: the traffic, dealing with the network etc, and setting it all up. The first part is 100% unprivileged. The second one usually requires root.
10:46 < mjt> that's why keep-tun etc options are there
10:46 < mjt> (not sure of exact name but the idea should be clean)
10:47 < mjt> so that it first sets things up, next drops root and continues running there.
10:47 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
10:47 < ecrist> openvpn has the ability of de-escalating its privs
10:47 < ecrist> just add user and group args to the config
10:47 < mjt> yes
10:47 < mjt> but it will not be able to do interesting stuff anymore
10:47 < mjt> like, adding/deleting a route when a client connects
10:48 < mjt> /disconnects
10:48 < ecrist> that's why OpenVPN has internal routing
10:48 < ecrist> and why you need iroute in your ccd configs
10:48 < ecrist> those are setup, where needed, before de-escalation. everything else is internal to the process.
10:49 < mjt> but i wonder how difficult it will be to split it into 2 parts, one root-only that checks supplied credentials/whatever, sets up routes/etc, and another unprivileged that's running in chroot/user and talks with the privileged one using a simple well-defined protocol.
10:49 < mjt> first never talks with the network, only with the unpriv part of if
10:49 < mjt> *of it
10:50 < mjt> and if it's something useful, to start with :)
10:50 < mjt> because i'm only half a day with it, and it's quite possible i don't understand something yet ;)
10:50 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
10:51 < mjt> (sure there are many things i don't know or else i'd not be here asking questions :)
10:52 < mjt> what i dislike in openvpn is its huge size. Quite often a project that tries to become everything steps away from security.
10:53 < ecrist> its huge size?
10:53 < mjt> it's fat
10:53 < ecrist> well, it does support a fair amount of configurability.
10:53 < mjt> well, compared with other similar stuff
10:53 < mjt> yes
10:53 < ecrist> much of it is desirable
10:53 < mjt> sure
10:54 < ecrist> almost necessary for a solid VPN package.
10:54 < mjt> the problem is that the larger it becomes, the more difficult to keep it secure
10:54 < mjt> (secure - i mean bug-free)
10:54 < ecrist> I don't think I'd agree with that.
10:54 < ecrist> the security of OpenVPN is handled by the SSL libraries
10:54 < ecrist> those are changing
10:55 < mjt> more code means more opportunities for bugs
10:55 < ecrist> what does change is the routing
10:55 < mjt> and yes, ssl scares me much more than openvpn ;)
10:55 < mjt> quite complex beast that talks directly with unfriendly network
10:56 < mjt> i'm paranoid. By definition of my profession :)
10:56 < mjt> but ok. Just a.. paranoid idea.
10:57 < mjt> one more little question.. is there a way to specify a reconnect timer/interval?
10:57 < mjt> in udp mode, that is
10:57 < mjt> i'm not sure i understand the connection model in this case
10:58 < mjt> right now when the other side goes down (i just shut down openvpn server process), the client will try to re-establish connection on every packet it received destined for the tunnel connection
10:58 < mjt> or something like that anyway
10:58 -!- onats_ is now known as onats
10:59 < mjt> it prints ECONNREFUSED - about 10 of them in a row with one-second interval, and then restarts and tries again.
11:01 < ecrist> yes, let me look up the config, hang on
11:01 < mjt> oh, and a really excellent issue I ran across yesterday... not entirely openvpn-related but...
11:01 < ecrist> ping-restart I think.
11:02 < mjt> aha
11:02 < ecrist> look here for more info: http://beta.openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
11:02 < vpnHelper> Title: OpenVPN 2.0.x (at beta.openvpn.net)
11:02 < ecrist> the entire man page. :)
11:02 < mjt> ok i got the idea -- thanks ecrist !
11:02 < mjt> i was looking for something with timeout
11:02 < mjt> but it's ping
11:03 < mjt> (i did read the whole manpage, but somehow missed that)
11:03 < mjt> the issue i came across is like this. My ISP insists on changing the IP address every so often (it's adsl). The connection is handled by my home adsl router, that does NAT for my home network.
11:04 < mjt> yesterday I was testing openvpn when the ISP forced IP address change the next time
11:04 < mjt> and it suddenly stopped working, at all
11:04 < mjt> the packets were sent by my home machine, but never arrived at the destination
11:05 < mjt> the problem was that openvpn on both ends used fixed udp port. And the router remembered to nat that port from/to the two machines, with its OLD ip address!
11:06 < mjt> and each time i tried to make new connection from home, the router refreshed that NAT entry.
11:06 < mjt> updating its ttl, that is
11:06 < mjt> took me about 30 minutes to figure it out
11:07 < mjt> had to reboot the router to force it to forget the connection. Alternative was to use another port.
11:07 < ecrist> oops: http://www.thesun.co.uk/sol/homepage/news/article2284752.ece
11:07 < vpnHelper> Title: Brit nuclear HQ on Google Earth | The Sun |News (at www.thesun.co.uk)
11:08 < ecrist> mjt, you could probably do something with a script to refresh the ttl on the router, or use a dyndns service
11:08 < mjt> dyndns can't help here at all
11:10 < mjt> and i'd better replace the damn thing, -- i wanted to re-flash it with openwrt (openwrt.org) but this particular model isn't supported so i can't even install linux on it
11:10 < mjt> maybe will run it in bridge mode to do nat (and have real IP) on my real linux pc
11:11 < mjt> that's the difference between -j MASQUERADE and -j SNAT -- keeping entries when an interface goes down.
11:12 < mjt> this thing uses SNAT, while it should use MASQUERADE. Or it should remove all NAT entries with some /etc/ppp/ip-down script
11:13 * ecrist doesn't use linux.
11:13 < mjt> that prob @openvpn.net looks like an I/O subsystem (disk) on that machine is hosed, and no watchdog is configured
11:13 < ecrist> what makes you say that?
11:14 < mjt> it's quite typical behaviour when it can't access its filesystem(s)
11:14 < mjt> seen that many, many times... ;)
11:15 < mjt> it accepts the tcp connections, it replies to pings, but anything that requires disk access is down.
11:16 < ecrist> ah, but you're not taking into account proxying for HA
11:16 < mjt> definitely not. I didn't know about that
11:16 < ecrist> which could simply be a down switch, bad ethernet cable, or a shutdown backend.
11:17 < ecrist> supposedly, they run a cluster of web servers, which, if it was just a disk, would mean 1/x connections would fail, where x is the number of nodes in their cluster.
11:18 < ecrist> theoretically, their master node should detect the timeout, and remove the node from the cluster
11:18 < mjt> well, i never used HA stuff so can't comment
11:18 < ecrist> most people don't need HA
11:18 < ecrist> a single server with a hot-failover is sufficient.
11:18 < mjt> and this is one such place, i think ;)
11:18 < ecrist> well, not if you talk to their devs.
11:19 < mjt> openvpn.net site, that is ;)
11:19 < ecrist> (see mention of conversation above)
11:19 < ecrist> they claim to be transporting 1+ Gbps across the openvpn.net network
11:19 < ecrist> and through their web cluster
11:20 < ecrist> directly from the conversation: "We are currently hosting OpenVPN on two sites (Seattle & Dallas) with Gigabits links."
11:20 < mjt> that's quite a lot
11:21 < ecrist> openvpn.net has a single IP, however, with 'The Planet'
11:22 < mjt> ok, i have to go to find some food, with kids too... ;)
11:22 < ecrist> which tells me it really probably is a single dedicated server in a colo in dallas
11:23 < ecrist> their working site, beta.openvpn.net, is at rackspace
11:23 < ecrist> :)
11:23 < mjt> ecrist: thank you for your comments. It's usually quite difficult to find someone who actually has knowledge and understands what he's talking about...
11:23 < mjt> ;)
11:23 < mjt> i'll go eat something right now.. bbl
11:23 < ecrist> l8r
11:43 -!- joelsolanki [i=joelsola@123.237.173.76] has joined ##openvpn
11:43 < joelsolanki> Hi all
11:43 < joelsolanki> still openvpn.net is down
11:43 < ecrist> beta.openvpn.net
11:43 < joelsolanki> oh :)
11:44 < joelsolanki> let me check
11:44 < joelsolanki> awesome that works.
11:44 -!- mode/##openvpn [+o ecrist] by ChanServ
11:44 < joelsolanki> ecrist: Hi
11:44 -!- ecrist changed the topic of ##openvpn to: openvpn.net is down, try beta.openvpn.net instead.
11:44 -!- mode/##openvpn [-o ecrist] by ecrist
11:45 < joelsolanki> can openvpn work with mysql database ? if yes then how secure it is to use in production environment
11:45 < ecrist> in what way would you couple mysql with openvpn?
11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:56 < JimUnderscore> I finally figured it out, with client-to-client I was able to ping other clients but not the server, my problem was I needed to change the config from dev tun to dev tap
11:57 < JimUnderscore> it was sort of confusing because the instructions said to use dev tap if I was ethernet bridging and bridged it with my ethernet interface, however I'm not bridging it to an ethernet interface I'm just running it as its own (virtual) lan
11:59 < joelsolanki> ecrist: sorry phone. i mean to say all openvpn configs and username/passwords, ssl stuffs should come from radius server using mysql as backend.
11:59 < joelsolanki> www.strongvpn.com
12:00 < joelsolanki> it seems they are providing hosted vpn service and using openvpn.
12:00 < ecrist> joelsolanki: without some hackery, no.
12:00 < ecrist> users/pass, yes
12:00 < ecrist> configs, not so much
12:00 < joelsolanki> hmm.
12:00 < ecrist> ssl stuffs, there isn't anything to be included.
12:00 < joelsolanki> aha
12:00 < ecrist> either it's a valid SSL cert, or it's not.
12:00 < joelsolanki> do you know strongvpn.com ?
12:01 < ecrist> no
12:01 < joelsolanki> they are using openvpn most probably. they give services of hosted vpn
12:01 < JimUnderscore> hmm, strongvpn...I think I used them once
12:02 < ecrist> ok, and this applies to your question how?
12:02 < joelsolanki> not really. now i m just trying to know how i can create hosted vpn environment.
12:03 < ecrist> well, use ldap for your user/pass on the backend, as it's better suited to such things.
12:03 < joelsolanki> hmm. agree
12:03 < ecrist> your ssl certificates need only be created and distributed
12:04 < joelsolanki> ok
12:04 < ecrist> server doesn't need to track all of the valid certificates, those are parsed out
12:04 < ecrist> 3) profit
12:04 < ecrist> everything else is the software package and servers you deploy
12:04 < joelsolanki> ok
12:04 < ecrist> and really, this has little to do with openvpn, it would work for anything
12:05 < joelsolanki> i understand.
12:05 < ecrist> with openvpn, you can build custom windows client packages, with your own logos, icons, etc
12:05 < joelsolanki> i see
12:05 < ecrist> you can do the same for Mac OS X, and you could build a wrapper for a linux client, but most of them would probably prefer to simply run the command themselves.
12:05 < joelsolanki> agree
12:05 < ecrist> hell, for $85/hour, I'll do all the dev for you.
12:06 < joelsolanki> :)
12:06 < joelsolanki> do you think the hosted vpn makes a good idea to business ?
12:06 < ecrist> if it didn't, you wouldn't see other companies out there making money
12:07 < joelsolanki> yes
12:07 < joelsolanki> a tech question.
12:09 < joelsolanki> if a customer who is using openvpn as client has 1 Mbps bandwidth and vpn server in usa has 10 Mbps bandwidth. so as far as i know that customer will get 1 Mbps after connecting to vpn to usa server.
12:09 < joelsolanki> is my knowledge correct ?
12:09 < ecrist> roughly, there's going to be overhead for the packet headers
12:09 < ecrist> and you introduce additional latency by adding more hops.
12:09 < ecrist> a proxy is almost always going to be slower than a direct connection
12:10 < joelsolanki> hmm
12:10 < ecrist> also, it depends on the processor load on the VPN and client systems.
12:10 < joelsolanki> i see
12:10 < ecrist> encryption is going to chew proc time, and if the VPN server is too slow, or over used, it will affect bandwidth.
12:11 < joelsolanki> ok
12:12 < joelsolanki> i have 2 offices. 1st in canada and 2nd in germany. and vpn server is at USA. vpn server has config of client-client communication.
12:13 < joelsolanki> both offices are connected to vpn server in usa.
12:13 < joelsolanki> now if canada office and germany office send huge files over vpn then will the bandwidth of usa vpn server be used ?
12:13 < joelsolanki> or direct canada and germany bandwidth will be used ?
12:14 < mjt> not direct
12:14 < mjt> unless you also connect this pair together
12:14 < ecrist> joelsolanki: yes
12:14 < mjt> it's just slightly different routing on the usa side
12:14 < mjt> hm?
12:14 < ecrist> usa will be hit on both upload and download
12:14 -!- JimUnderscore [n=zyme@216.218.95.3] has quit [" HydraIRC -> http://www.hydrairc.com <- Organize your IRC"]
12:15 < joelsolanki> aah ok.
12:15 < mjt> aha, that's what i mean
12:15 < joelsolanki> got it :)
12:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:16 < ecrist> afternoon, krzee
12:16 < mjt> damn. I've read it kfreeze, or kernel freeze ;)
12:17 < krzee> wassup eric!
12:17 < ecrist> you off your vacation yet?
12:17 < krzee> neg
12:18 < krzee> on tues i go back
12:18 < ecrist> lucky fucker
12:18 < krzee> totally
12:18 < krzee> except that im running out of $
12:18 < krzee> lol
12:18 < ecrist> my wife is finally to the 'fun' stage of being pregnant. a little more randy. :)
12:18 < ecrist> isn't that always the rub?
12:19 < krzee> theres small talk of me coming down here to run a casino tho
12:19 < krzee> we'll see if that comes true or not
12:19 < ecrist> sweet
12:21 < ecrist> this box is taking far too long to compile freebsd.
12:21 < ecrist> I knew I should have done this last night.
12:28 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal]
12:29 < krzee> lol
12:32 < ecrist> this is an old box, too, though it's what I'd consider our core system
12:32 -!- A[D]minS [n=Whisky@unaffiliated/admins] has joined ##openvpn
12:32 < ecrist> OpenVPN, SVN, and Jabber all run on it.
12:40 < krzee> werd
12:40 < krzee> im sure you can get by with a pentium 1 or those 3 apps
12:41 < krzee> (another reason to love unixes)
12:45 < joelsolanki> :)
12:46 < krzee> s/or/for/
12:47 < joelsolanki> (another reason to love unixes)
12:47 < krzee> LOL
12:47 < krzee> nice
12:47 < ecrist> it's a Dell 1650 with dual procs and 2x36GB disks in gmirror :)
12:47 < krzee> my boy who i colo with in san diego finally switched to freebsd
12:47 < krzee> then he asks me what frontend he should use for pf, because he needed one for iptables
12:47 < ecrist> 2xP3 1.113Ghz, 2GB ECC RAM
12:48 < ecrist> lol
12:48 < ecrist> vim for the frontend.
12:48 < krzee> im like you dont need a frontend for PF, iptables you did cause iptables usage is the lameness
12:48 < krzee> but freebsd they just do it right instead
12:48 < krzee> lol
12:48 < ecrist> I'm still torn between pf and ipfw, though.
12:48 < krzee> ya, im gunna tell him his frontend is nano
12:48 < krzee> ya, i do like the first come first serve factor of ipfw
12:49 < krzee> but pf scrub wins the battle for me
12:49 < ecrist> I've switched to pf because it's what I use at work, but it's missing some things ipfw does, and vice-versa
12:49 < ecrist> ah, pf scrub kills Xbox Live.
12:49 < ecrist> can't use it on my network at home because of that
12:49 < krzee> pf scrub with NOTHING else will confuse the SHIT outta nmap -O
12:49 < reiffert> beta.openvpn.net looks different.
12:49 < ecrist> it is, but it's all there.
12:50 < krzee> heyyyy nice
12:50 < krzee> openvpn access server!?
12:51 < krzee> i hope they arent windowsafying openvpn
12:51 < ecrist> yeah, looks nice, but no freebsd support atm
12:51 < ecrist> access server is a bit of windowsafying
12:52 < krzee> welp, i guess they waited long enough and were sure to build the base strong enough
12:52 < krzee> so i have no room to complain
12:53 < ecrist> sweet, 7.1 didn't break svn, openvpn, or trac
12:54 < ecrist> krzee: access-server, from what I gather, is an option, and isn't going to be required.
12:54 < ecrist> good ol' openvpn is still going to be around
12:54 < krzee> ya thats what it looks like to me too
12:55 < ecrist> bbiaf, gotta rebuild pam_ldap et al
13:05 < onats> arent you guys part of openvpn team?
13:07 < reiffert> openvpn is a one (two) man show.
13:07 < onats> who's the one / two?
13:07 < onats> active in this channel?
13:08 < reiffert> James Yonan and Francis Dinha
13:08 < reiffert> no.
13:09 < onats> what is this access server?
13:10 < reiffert> OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients. There are a number of server configurations options supported which are a carefully selected subset of a quite large set of possible OpenVP
13:10 < onats> yes. as posted on the website
13:10 < onats> lol
13:11 < onats> am gonna try it out anyway
13:11 < krzee> it looks like openvpn for MCSE's
13:11 < krzee> lol
13:12 < reiffert> It looks like buy license keys.
13:14 < onats> i got it
13:14 < ecrist> I talked to Francis about becoming the active support part of OpenVPN, but they're not interested.
13:14 < onats> if a client wants to connect to a private network, he logs onto a web site on the server, authenticates, gets generated keys, and sets up ovpn on his/her machine
13:15 < krzee> ya, they just want to host our stuff so they can ruin it like they did the stuff they host
13:15 < krzee> they had a wiki, a forum, etc
13:15 < krzee> even have their own mail archives that they STILL haven't fixed
13:16 < onats> so does that mean openvpn is no longer going to be free?
13:16 < krzee> only if you need the MCSE version
13:17 < onats> if you dont, administrator has to manually manage/administer it right?
13:17 < onats> its basically an automation tool?
13:17 < krzee> i will personally go kick some ass if the current version changes licenses to require $$$
13:17 < krzee> basically, if you can handle openvpn as you already know it, you have no worries
13:17 < onats> was openvpn based on some other opensource project?
13:18 < krzee> no
13:18 < onats> hey, btw, does anyone have a copy of the docs/FAQ's and everything else/old docs?
13:18 < krzee> well i dont believe so
13:18 < krzee> the FAQ is on the website
13:18 < krzee> !faq
13:18 < vpnHelper> krzee: "faq" is http://openvpn.net/index.php/documentation/faq.html
13:19 < onats> cant be loaded...
13:19 < onats> :((
13:19 < onats> took em down?
13:19 < onats> why'd they open source?
13:19 < onats> for other people's contrib?
13:20 < krzee> lol i dunno, maybe cause the author is a good guy
13:20 < krzee> (just guessing)
13:20 < reiffert> the faq is on beta.openvpn.net
13:20 < krzee> those fags better keep all links working
13:21 < krzee> i have so many static links on the bot
13:21 < onats> saving now before it gets taken down
13:21 < onats> wehehhe
13:22 < reiffert> however, there are opensource versions of openvpn and if openvpn changes policy or license, there will be a fork()
13:22 < krzee> totally
13:23 < ecrist> krzee will be the new overlord
13:23 < onats> krzee, quick question. if i want the clients to get static IPs, i need to put them in the CCD config file?
13:23 < onats> and ecrist
13:23 < krzee> !iporder
13:23 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
13:24 < onats> thanks! will read up
13:25 < krzee> np
13:25 < krzee> so for static you have 2 choices
13:25 < krzee> you can script it or use ccd entries
13:25 < krzee> if both exist, script takes precedence
13:26 < onats> script in?
13:26 < onats> im more familiar with CCD as what you've taught before
13:26 < krzee> --client-connect uses a script
13:26 < krzee> whatever script you build
13:26 < krzee> ya ccd is easier for most deployments
13:26 < krzee> but of course theres advantages to using the script as well
13:27 < krzee> i usually say go with ccd entries, but theres been usages where ive recommended client-connect scripts
13:28 < onats> ok ill read up on it tomorrow at work
13:29 < onats> thanks for the lead
13:29 < ecrist> I despise sun's java download requirements
13:29 -!- joelsolanki [i=joelsola@123.237.173.76] has quit []
13:29 < onats> whats wrong with it?
13:43 < ecrist> you're required to go to their website and physically click 'I agree' to download it.
13:43 < ecrist> it breaks things like the FreeBSD ports tree
13:49 < mjt> anyone tried to chroot a tls-server?
13:50 < krzee> sure
13:50 < mjt> i guess ssl needs something in there too
13:50 < mjt> like /dev/random
13:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:51 < mjt> but ok, if it's supposed to work, i'll find out ;)
13:53 < krzee> you'll want persist stuff too
13:54 < mjt> does *bsd have "device" routes? Like "send this IP address over this device" as opposed to "via that nexthop" ?
13:54 < mjt> krzee: sure
13:54 < krzee> umm
13:55 < krzee> i dont see where you find the separation...
13:57 < mjt> the actual difference is internal and small. It's if the 'nexthop' IP address will be the same as the destination when sending over that device, or different.
13:57 < mjt> when I send a packet from my 192.168.10.5/24 to 192.168.10.1, the two are the same.
13:58 < krzee> ohh, so your question is more about the source address when sending traffic over differing interfaces
13:58 < mjt> nothing to do with source address
13:58 < mjt> nexthop and destination, not source
13:58 < krzee> i dunno, maybe ecrist can answer
13:59 < mjt> but when i send packet from that same 192.168.10.5/24 to 1.2.3.4, i'm actually sending it to 192.168.10.1 (the gateway), not to 1.2.3.4
13:59 < mjt> in first case, nexthop=destination, since the destination is directly reachable on this ethernet segment
13:59 < krzee> you're sending it to 1.2.3.4 on the IP level, but not on the ethernet level
13:59 < mjt> yes
14:00 * ecrist goes home.
14:00 < mjt> i tried to understand this thing and already asked ecrist about that. But I still can't understand why it's done this.. strange way.
14:01 < mjt> bye ecrist
14:02 < krzee> its not *bsd
14:02 < krzee> its how the internet works
14:02 < mjt> nope
14:02 < krzee> layer 2 and layer3
14:02 < mjt> it's how openvpn works ;)
14:03 < krzee> umm
14:03 < krzee> no
14:03 < krzee> its how layer 2 and 3 work
14:03 < mjt> ;)
14:03 < krzee> openvpn happens to use those
14:03 < mjt> i'm trying to find the relevant section in the docs
14:04 < krzee> openvpn doesnt specify that stuff, it lets the OS handle it
14:04 < mjt> ok, the manpage, --server option
14:04 < mjt> ifconfig 10.8.0.1 10.8.0.2
14:05 < mjt> ifconfig-pool 10.8.0.4 10.8.0.251
14:05 < mjt> here, 10.8.0.2 is 100% fake
14:05 < mjt> it's unused, unreachable, but used to set up routes to clients
14:05 < mjt> and the next line
14:05 < mjt> route 10.8.0.0 255.255.255.0
14:06 < mjt> ifconfig+route will be like this on the host:
14:06 < mjt> inet 10.8.0.1 peer 10.8.0.2/32
14:06 < mjt> route 10.8.0.0/24 via 10.8.0.2
14:07 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: blaxthos, Bushmills, disco-, clustermagnet, dvl, krzie_
14:07 < mjt> that ip address in the route line is SOLELY to send the packets to the tun device
14:07 -!- lavren [n=lavren@c-24-18-183-230.hsd1.wa.comcast.net] has quit ["lavren has no reason"]
14:07 -!- A[D]minS [n=Whisky@unaffiliated/admins] has quit [Excess Flood]
14:07 < mjt> in linux at least, i can use another route version:
14:07 < krzee> its internal
14:07 -!- Netsplit over, joins: Bushmills, krzie_, dvl, blaxthos, clustermagnet, disco-
14:07 < mjt> route 10.8.0.0/24 dev $tunnel
14:07 -!- A[D]minS [n=Whisky@196.219.128.160] has joined ##openvpn
14:08 < mjt> what's internal?
14:08 < mjt> the IP address?
14:08 < krzee> the .2 part
14:08 < krzee> heres why:
14:08 < mjt> it's not
14:08 < krzee> !/30
14:08 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:08 < krzee> !topology
14:08 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:08 < krzee> read that last link
14:09 < mjt> well, i'm pretty well aware of that /32 "pointopoint" thing
14:10 < mjt> here, the .2 is not "internal" per se
14:10 < mjt> it's used to set up route
14:10 < krzee> it IS internal
14:10 < mjt> i.e, to make `route' command happy. Or to deal with openvpn's internal `route' option deficiency
14:10 < krzee> right
14:10 < mjt> which expects the nexthop, not device
14:11 < krzee> to allow them to deal with windows lameness
14:11 < krzee> before they found topology subnet
14:11 < mjt> hence i asked is there's device routes in *bsd
14:11 -!- A[D]minS [n=Whisky@196.219.128.160] has quit [Remote closed the connection]
14:11 < mjt> s/is/if/
14:12 < mjt> it's trivial to avoid that .2, but in this case --route has to be replaced with --cmd
14:12 < mjt> or --up -- whatever it is, i forgot
14:12 < mjt> and it's pretty much ok to use that .2 for a client
14:13 < mjt> it's just that traditionally, such type of interface had 2 IP addresses associated with it, "our" and "the remote" endpoints.
14:13 < krzee> false, you change it by changing the topology
14:14 < mjt> i mean interface of type POINTOPOINT, as opposed to ethernet-like -- ie, tun vs tap
14:14 < mjt> and it's not false
14:14 < mjt> and the remote endpoint address was never actually used
14:15 < mjt> think eg ppp links
14:15 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:15 < mjt> the remote end does not care which IP we think is his
14:15 < mjt> it just accepts every packet send its way and injects it to the kernel's IP stack
14:15 < mjt> s/send/sent/
14:16 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has joined ##openvpn
14:16 < mjt> there's no "nexthop" in there, unlike with ethernets
14:16 < mjt> nexthop "field" in the packet, that is
14:17 < mjt> but the remote endpoint is used on the local machine, just for one single purpose -- to make routing table "happy"
14:18 < mjt> and openvpn goes further, inventing a bogus IP address for the remote "endpoint" (there are many endpoints actually). In examples anyway.
14:19 < mjt> in some operating systems, `route' command can only accept a "nexthop" IP address, not a device name. that's why.
14:19 < mjt> and openvpn implements its --route as the most common case.
14:20 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
14:20 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
14:22 < mjt> that link you mentioned -- it talks about things like --server, --topology, -- i.e., "high-level" constructs. I.e, how openvpn will configure its interface and stuff automatically. But what I said above applies even to the lowest level, --ifconfig-noexec and everything done with scripts.
14:24 < mjt> the only small problem i had with all this stuff is -- it's not quite possible to --push a device route to a client, syntax-wise. openvpn insists on using nexthop IP address, and i can't push a --cmd (obviously)
14:25 < mjt> (on server, it's all done with --cmd since again --route requires nexthop, not device)
14:30 < mjt> blah. why is that osdir.com page set to Refresh: every so often, and is not cacheable?..
14:31 < mjt> it's amazing what creative ways they're finding to utilize bandwidth and resources...
14:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:10 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
15:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:42 < ecrist> garrgh
15:42 < ecrist> now my named cores.
16:00 * mjt finally switched from named to unbound+nsd
16:00 < mjt> the two have their own... issues, but it's cleaner so far.
16:21 < mjt> hm.
16:21 < mjt> Mar 9 00:25:11 csrv ovpn-vtls[509]: TLS Error: cannot locate HMAC in incoming packet from 91.77.90.232:1194
16:21 < mjt> Mar 9 00:25:43 csrv last message repeated 15 times
16:21 < mjt> is that a DDoS protection? :)
17:03 < mjt> ok, so I've built the network again, testing that 'unknown client' thing.
17:03 < mjt> and just routed some IP address, in this case 192.168.10.250, to the tunnel
17:03 < mjt> and am trying to ping it.
17:04 < mjt> openvpn receives the packet, but fails to understand what to do with it
17:04 < mjt> GET INST BY VIRT: 192.168.10.250 [failed]
17:04 < mjt> and the packet gets ignored.
17:04 < mjt> instead of generating ICMP back.
17:05 < mjt> so the original connection times out.
17:09 -!- `md [i=nobody@kosmos.kawaii-shoujo.net] has joined ##openvpn
17:09 < `md> hi
17:10 < `md> i have a problem, maybe someone can help me, i'll try to explain:
17:11 < `md> i have a openvpn connection to a server, the server has 10.10.0.1 on the tun interface and my windows machine has 10.10.0.2
17:11 < `md> additionally my windows machine is on my local network which is 192.168.10.0/24
17:12 < `md> and now i need other hosts on the 192.168.10.0 network to be able to reach 10.10.0.1
17:12 < `md> how do i accomplish this? i already tried bridging the openvpn tuntap adapter with my physical network card, but that didnt work at all
17:13 < `md> i suppose my last hope would be to just enable nat on the windows machine, but i'd really like to avoid that
17:13 < mjt> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
17:13 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
17:13 < `md> i was thinking that maybe you can somehow set some routes to make it work
17:13 < mjt> it's all explained in the HOWTO actually
17:14 < `md> oh?
17:14 < `md> cool, let me read it
17:14 < mjt> lol
17:14 < mjt> see /topic too
17:15 < `md> wow, this sounds promising
17:15 < mjt> hmm or maybe not - it probably was some other howto, not the one on openvpn.net
17:15 < mjt> but that wiki page is here anyway
17:17 < mjt> !route
17:17 < vpnHelper> mjt: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:18 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:19 < `md> yes
17:19 < `md> it explains it
17:19 < `md> but when it comes to the juicy part it doesnt explain what i need to do actually :(
17:19 < `md> ROUTES TO ADD OUTSIDE OF OPENVPN
17:19 < `md> that part at the end
17:19 < `md> thats exactly what i still need to know, cause i already have the iroute thingie in the ccd
17:20 < `md> 192.168.2.1 must know that for 192.168.1.x 192.168.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 192.168.2.10
17:20 < `md> This is true for any number of lans you want to connect, whether server or client.
17:20 < `md> ^
17:20 < `md> how do i add this route
17:21 < mjt> in --up
17:22 < mjt> or --route
17:23 < `md> dont i need to add this on the machines that need to access the vpn (those which are not the ones running openvpn)
17:23 < mjt> but if you're referring to that part.. well.. that'd be every machine on both LANs, I suppose.
17:23 < `md> yes
17:24 < mjt> if there's a machine C on one end, an R which is its default gateway, and V which is running openvpn connected to the other side
17:24 < mjt> how will C know that for the network belonging to that other side the packets should be sent to V, not to R?
17:25 < mjt> as a possibility you can add that knowledge to R only, and it will do redirects for C
17:25 < `md> well
17:26 < `md> for example, i have my windows machine that has 192.168.10.40 and 10.10.0.2 and a debian machine that has 192.168.10.50 and my openvpn server which has 10.10.0.1
17:26 -!- Diddi [n=diddi@zonic.bsnet.se] has joined ##openvpn
17:26 < mjt> ow
17:26 < `md> now the debian machine needs to access 10.10.0.1 too, cause i want to use 10.10.0.1 as its gateway
17:26 < mjt> windows machine with more than one IP address.. why?
17:27 < `md> cause thats where i run openvp
17:27 < mjt> aha
17:27 < `md> n
17:28 < `md> so yeah i'm looking for a route command for the 192.168.10.50 machine
17:28 < mjt> ugh. how can openvpn server be a gateway for your debian as the two aren't directly connected?
17:28 < `md> so it knows it should route 10.10.0.0 stuff over 192.168.10.40
17:28 < `md> mjt: that is exactly what i'm trying to find out
17:29 < `md> how i can make the two communicate to each other
17:29 < mjt> you can't do that
17:29 < `md> not at all?
17:29 < mjt> we
17:29 < mjt> err
17:29 < mjt> you can't make openvpn server be a gateway for your debian
17:29 < mjt> unless you run another tunnel between the two
17:30 < mjt> if you use the same definition as I do
17:30 < mjt> sure you can make them see each other
17:30 < mjt> but a gateway is something that's directly reachable
17:30 < mjt> in your case your windoze machine will be a gateway
17:32 < mjt> think of the two -- 10.10.0.* and 192.168.10.* - as about two entirely separate ethernet segments
17:33 < mjt> with the only machine that has network cards on both being the windows box
17:34 < `md> yes
17:34 < Diddi> Hi! can someone explain to me, or point me to papers that do, how the certificates actually work. I'd like to know what KEY_COUNTRY etc. are used for, and why each client must have the same variables in order to be signed by the ca (:
17:35 < `md> mjt: so yeah, you said something interesting... 23:37:21 < mjt> sure you can make them to see each other <-- how would that even work?
17:36 < mjt> `md: debian should know to send packets for 10.10.* to your win
17:36 < mjt> and the other side should know to send packets for 192.168.10 back to the tunnel
17:36 < mjt> that's basically it
17:37 < mjt> Diddi: as far as i can see (i started with openvpn today), those fields are ignored -- everything but the CommonName
17:38 < `md> 23:43:32 < mjt> `md: debian should know to send packets for 10.10.* to your win <- no right now it doesnt know how, and i want to know how i can make it do that
17:38 < `md> do i need to add my windows machine as a gateway for the debian machine? and enable nat on the windows machine?
17:38 < mjt> wug, that's basic networking
17:39 < `md> yeah
17:39 < `md> i know :/
17:39 < mjt> ip route add 10.10.0.0/24 via 192.168.10.40
17:39 < Diddi> mjt: but from what I know they can't be left empty either... and I'd like to use those fields to see the actual location of the client (country etc)
17:40 < mjt> Diddi: that's exactly what i used them for so far
17:40 < mjt> openvpn only cares about CN
17:40 < mjt> and the whole thing should be signed by the ca
17:40 < `md> ah!
17:41 < mjt> Diddi: (but again, i'm not sure about that -- just try it out)
17:41 < Diddi> (:
17:42 < mjt> from the logic of it, and from my less-than-a-day experience, it should work
17:43 < Diddi> iirc the signing process will fail because the variables don't match.. which bothers me.. but I may be wrong with the whole idea of certs also (:
17:43 < mjt> how do you think it works in "real life" -- for web sites with real certificate authorities?
17:43 < mjt> thawte, verisign etc?
17:43 < mjt> the variables don't match by definition
17:44 < Diddi> that's why I think I may be doing it wrong also :P
17:52 < `md> mjt: it seems to work :O
17:53 < Diddi> mjt: ah, I found the policy_match section in openssl.cnf (: it specifies what variables need to match the ca etc
18:02 < `md> mjt: so is there anything else i could try to do?
18:02 < `md> i mean so i can use 10.10.0.1 directly or indirectly as a gateway
18:03 < mjt> i don't understand that question
18:05 < `md> 23:36:45 < mjt> you can't make openvpn server to be a gateway for your debian
18:05 < `md> 23:36:53 < mjt> unless you run another tunnel between the two
18:05 < mjt> and?
18:05 < `md> so only other choice is running yet another vpn tunnel?
18:06 < mjt> it's possible to play some games with IP packets
18:07 < mjt> but i don't see a reason
18:07 < mjt> like, it's possible to read information which was erased (filled with zeros) from your hard drive. But what for?
18:11 < `md> to me it seems superfluous having to run 2 vpn tunnels
18:13 < mjt> you can have config on your debian which is almost the same as on your doze
18:13 < mjt> i mean ip-wise - which routers are used for what
18:13 < mjt> but routing different networks over vpn is hardly possible
18:14 < mjt> (not impossible but involves quite some configuration and understanding. and i've no idea if it really IS possible on 'doze)
18:14 < `md> yeah me neither, well i guess i just try another tunnel or simply enabling nat on the windows machine then
18:15 < mjt> nat on 'doze will not change anything
18:16 < mjt> well
18:16 < mjt> unless you've an issue i think you have
18:16 < mjt> some ANOTHER issue, that is
18:16 < `md> which would that be?
18:17 < mjt> but if it's not what i think, it's entirely your fault because of your description of the problem ;)
18:17 < `md> it might be? i dunno :D
18:17 < mjt> you said about gateway
18:17 < mjt> how you expressed it - it's not possible or really difficult
18:17 < mjt> but i assumed you have another box right now that acts as a gateway for both
18:18 < `md> no
18:18 < mjt> and you want the remote to act as a gateway for debian only, but not for windows
18:18 < mjt> THAT is difficult or impossible
18:18 < `md> no i want the remote to act as gateway for both
18:18 < `md> but both machines are on the same physical network
18:18 < mjt> so it's entirely your fault
18:18 < mjt> ;)
18:18 < `md> lol :)
18:19 < `md> well yeah explaining isnt my strong point :/
18:19 < mjt> you see how different the issue is compared to what i was thinking it is?.. ;)
18:19 < mjt> but ok
18:20 < mjt> so your issue - you'll have to find out what exactly does not work
18:20 < mjt> i guess the gateway of the remote end does not know how to route packets for 192.168.10.
18:21 < mjt> or it tries to send packets with SOURCE address of 192.168.10 to the 'net and sure thing it doesn't work because the replies never come back
18:21 < mjt> think of it as if you had installed another ethernet segment on the remote side, connecting it via your 'doze box
18:22 < mjt> you have to teach existing hosts there how to send packets to your net
18:22 < mjt> and to do NAT for it when sending to the outside
18:22 < mjt> but i'm out of here anyway, it's 02:29 here already, night
18:23 < mjt> (and in this case setting up NAT on 'doze actually makes quite good sense)
18:32 < `md> yeah and it even works
18:32 < `md> just port forwarding could be a bit annoying
18:36 -!- higuita [n=higuita@2001:b18:400f:0:211:d8ff:fe82:b10e] has quit [Read error: 104 (Connection reset by peer)]
19:07 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 131 (Connection reset by peer)]
19:07 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn
19:10 -!- Arkonide_ [n=source@p57B8F9EC.dip.t-dialin.net] has joined ##openvpn
19:10 -!- Arkonide_ [n=source@p57B8F9EC.dip.t-dialin.net] has left ##openvpn ["openvpn"]
19:11 -!- dpie [n=dpie@88-134-159-57-dynip.superkabel.de] has joined ##openvpn
19:12 < dpie> hi there i have problems to set up a vpn connection to perfect privacy in ubuntu, maybe anyone has a few minutes to help me?
19:33 -!- nemysis [n=nemysis@16-45.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
19:49 -!- klasikahl [n=zg@unaffiliated/klasikahl] has joined ##openvpn
19:50 < klasikahl> uh seeing as how openvpn.net is down, where can i grab the latest lzo and openvpn tarballs? sf files send users to openvpn.net
19:57 -!- dpie [n=dpie@88-134-159-57-dynip.superkabel.de] has left ##openvpn []
20:36 -!- klasikahl [n=zg@unaffiliated/klasikahl] has quit ["Lost terminal"]
20:39 -!- `md [i=nobody@kosmos.kawaii-shoujo.net] has left ##openvpn []
20:39 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Read error: 110 (Connection timed out)]
20:51 -!- DaveQB [n=DaveQB@dward.us] has joined ##openvpn
21:01 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
21:01 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:02 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
21:02 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:02 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:04 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:04 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:06 < ecrist> evening, kids
21:08 < DaveQB> Just a quick question by a newbie with OpenVPN. The DHCP range you choose, does this need to be the same range, or a part of the DHCP range the OpenVPN resides on, or a totally separate DHCP range [and the OpenVPN server bridges the remote DHCP range into the local DHCP range/network]?
21:08 < DaveQB> I hope that makes sense
21:08 < onats> morning
21:09 < onats> uncle
21:09 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
21:09 < ecrist> DaveQB: depends on what you're doing, tun or tap
21:09 < ecrist> typically, the VPN subnet is completely separate from the LAN, and proper routes are put in place
21:13 -!- onats [n=15172@221.121.120.254] has left ##openvpn []
21:14 -!- onats [n=15172@221.121.120.254] has joined ##openvpn
21:26 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Read error: 110 (Connection timed out)]
21:29 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
21:29 -!- onats [n=15172@221.121.120.254] has quit ["Leaving."]
21:35 < DaveQB> ecrist: Thanks. I want the remote users to be seamlessly in the LAN that the OpenVPN is on.
21:36 < DaveQB> ecrist: So still have them on a different subnet?
21:37 < DaveQB> How do they get onto the LAN then? A route on the OpenVPN server box?
22:12 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
22:12 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
22:15 -!- worch [i=worch@battletoad.com] has quit [Read error: 104 (Connection reset by peer)]
22:19 -!- worch [i=worch@battletoad.com] has joined ##openvpn
22:20 -!- fuffalo [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has quit []
22:57 -!- fuffwork [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has joined ##openvpn
22:58 < fuffwork> when i try to add a new tap-win32 virtual ethernet adapter, i get "tapinstall.exe failed." I'm in vista and running it as an admin, anything else i need to do?
23:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:20 -!- hardwire [n=spencers@62-197-137-216.mtaonline.net] has joined ##openvpn
23:57 -!- fuffwork [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has quit []
--- Day changed Mon Mar 09 2009
00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
02:21 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
02:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:45 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:05 < dazo> DaveQB: if you want them to seamlessly be in the network, it can sound like you'd like to do bridging. But setting up a separate network segment is usually better ... you just define that network segment and provide routing information to the VPN clients ... usually by using 'push "route "' ... or just a route statement with the same info in the client config
03:36 < dazo> !route
03:36 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:36 < dazo> DaveQB: ^^^
03:40 < mjt> hmm
03:40 < mjt> "Options error: --local addresses must be distinct from --ifconfig addresses"
03:41 < mjt> how to force it to stop complaining?
03:42 < mjt> i can use ifconfig in --up instead of --ifconfig, but this way breaks push route
03:50 < mjt> damn. it's too "smart". it dislikes even my internal IP address range. I want to shut up all this nonsense.
03:55 < mjt> ok, and here's something else.
03:56 < mjt> i want openvpn to be a "backup" vpn - alternative to the solution our ISP provides (connecting remote offices). Normally, there's a route to whole client network (10.90.0.0/16, whatever) pointing to the ISP's equipment. But when a particular client connects, I want to set up its particular route to go over openvpn interface (tls-server).
03:57 < mjt> it seems like it's impossible to do without running openvpn process as root.
03:58 < mjt> alternatively I can set up a socket (or a fifo) writable by openvpn user, have root-owned process listen to it and run a script at client connect/disconnect that will `echo $client up|down > fifo'
04:00 < mjt> any less ugly solution? :)
04:15 < mjt> wow. openvpn.net is up again!
04:16 -!- Diddi [n=diddi@zonic.bsnet.se] has quit [Remote closed the connection]
04:27 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
04:55 < reiffert> !topic
04:55 < vpnHelper> reiffert: Error: "topic" is not a valid command.
04:55 < mjt> it's /topic
04:55 < mjt> but you have to be op to change it
04:56 < reiffert> Hm, someone +n'ed the channel.
04:56 < reiffert> ecrist: /topic Check your firewall. We need !logs and !configs. See !howto for beginners, !route for lans behind openvpn
04:57 < mjt> it's 04:57 there now
04:57 < mjt> he's probably asleep
04:58 < mjt> heh. and his clock is off by 8 minutes, too
05:02 -!- mode/##openvpn [+o dazo] by ChanServ
05:02 -!- dazo changed the topic of ##openvpn to: openvpn.net is down, try beta.openvpn.net instead. || Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn
05:03 -!- mode/##openvpn [-o dazo] by ChanServ
05:03 < dazo> reiffert: satisfied?
05:04 < reiffert> dazo: no.
05:04 < reiffert> 10:22 < mjt> wow. openvpn.net is up again!
05:04 < dazo> reiffert: uhh ... didn't see that one :) fixing
05:05 -!- mode/##openvpn [+o dazo] by ChanServ
05:05 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn
05:05 -!- mode/##openvpn [-o dazo] by ChanServ
05:06 < reiffert> Please add: || Also intresting: !man !/30 !topology
05:06 -!- mode/##openvpn [+o dazo] by ChanServ
05:06 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || !route for lans behind openvpn || Also intresting: !man !/30 !topology
05:06 <@dazo> reiffert: Good point!
05:06 -!- mode/##openvpn [-o dazo] by ChanServ
05:07 < reiffert> Fix the whitespace?
05:08 < dazo> reiffert: not easy making you happy today .... :-P
05:08 -!- mode/##openvpn [+o dazo] by ChanServ
05:08 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also intresting: !man !/30 !topology
05:08 -!- mode/##openvpn [-o dazo] by ChanServ
05:10 < reiffert> dazo: ah well, I just smile each time when you get opless after doing something :)
05:10 < dazo> reiffert: careful now ......... ;-)
05:10 < reiffert> :)
05:35 < mjt> whee.
05:38 < mjt> !man
05:38 < vpnHelper> mjt: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:38 < mjt> in other words, RTFM!
05:45 < dazo> mjt: basically, yes ;-) ... 90% of all questions coming to this channel are because the person asking the question has not bothered to do so ... and if they had done that, they wouldn't have to ask us ...
05:46 < dazo> and we'll basically just say the same which is in the docs already too, if we would answer :-P
05:46 < mjt> it's that way everywher
05:46 < mjt> e
05:46 < dazo> mm ... unfortunately :(
05:47 < mjt> but ok... anyone around to answer a question or two that are NOT covered by docs/mans? :)
05:48 < dazo> mjt: shoot! ... and see who answers ;-)
05:49 < mjt> when I add a route for a network whose client isn't conneced yet, how can i force openvpn to return back something sensible like ICMP net unknown/unreachable, instead of just dropping the packet?
05:50 < mjt> connected even
05:50 < dazo> mjt: you want to route a network behind the client?
05:50 < mjt> well, let it be the client itself, -- makes no difference
05:51 < dazo> mjt: well ... it does matter ... it depends on which route parameter to use .... route or iroute
05:51 < mjt> i've an openvpn interface. I add some 1.2.3.4 route to that interface and ping it -- the packets go to the bitbucket. I'd expect to receive some "network unreachable" back
05:52 < dazo> mjt: aha! well, that's a question I've never seen before (10 points for you!) ... I'm really not sure, actually
05:52 < mjt> that route gets added when openvpn server starts, when no clients are connected. I route all clients' addresses
05:52 < mjt> he
05:52 < mjt> heh
05:53 < mjt> oh well.
05:53 < mjt> ok, one more thing... different MTU values for different clients possible?
05:53 < dazo> mjt: I would probably .... send this question to openvpn-users@lists.sourceforge.net .... you'll need to register to the mailing list before you can send anything there .... but that's really worth a shot
05:54 < mjt> aha
05:54 < mjt> i didn't know it's on SF
05:55 < mjt> "Options error: --local addresses must be distinct from --ifconfig addresses"
05:55 < mjt> -- any way to shut it up and just do what I said? :)
05:55 < mjt> (yes I explicitly used the same IP in --local and --ifconfig)
05:55 < dazo> mjt: no, I would not expect it to be possible with different MTU values ... that's because (IIRC) the MTU value is set on the tun/tap device, and not for the connection itself .... to have different MTUs I'd expect you need more tun/tap devices (=more openvpn processes with different ip/port numbers)
05:56 < mjt> heh. I expected something of that sort about MTU belonging to an interface ;)
05:56 < dazo> mjt: you can shut up that message by correcting it .... must be distinct ... cannot go around that one
05:56 < mjt> the thing is that internally, openvpn server will fragment the packets
05:57 < mjt> but the actual MTU may be different per-client, so that fragmentation should be done differently for each client
05:57 < dazo> mjt: I'm not sure if it is the openvpn server itself or if it just sets the MTU value at the interface and lets the kernel driver do the fragmentation ...
05:58 < mjt> openvpn may do fragmentation (--fragment) or it may let the IP stack (on the path) do it (--mtu-disc)
05:58 < mjt> and speaking of different IP address for --ifconfig and --local - that's a wrong requirement to have the to differ
05:58 < mjt> two
05:58 < dazo> mjt: ahh ... true ... you have 2 levels of MTU ... what goes on the eth interface (where openvpn can adopt its own packages) ... and the MTU used on the tun/tap device .... didn't think about that now
05:59 < mjt> so make that 3, not 2 ;)
05:59 < mjt> there's also PATH mtu, like, each CLIENT may have its own MTU on its own eth
05:59 < mjt> (but it's in fact even more complicated)
05:59 < dazo> mjt: have you tried --client-config-dir .... that's the only option I know about to setup config variations per client
06:00 < mjt> yes -- doesn't work, openvpn complains about wrongly placed option
06:00 < mjt> ;)
06:00 < dazo> mjt: you're getting to go far above my level of MTU knowledge .... I might appoint you as MTU expert soon ;-)
06:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:00 < mjt> 'hwell.
06:01 < dazo> mjt: well, in that case ... it's not supported now :( .... you may try that question as well on the mailing list
06:01 < mjt> i'd be glad if someone told me where an expert can ask his own questions... ;)
06:01 < mjt> aha, on the mailinglist! ;)
06:04 < dazo> mjt: it's different people on the mailing list as well ... and there are some really experienced users there too :) Highly recommended! :)
06:05 < mjt> thanks!
06:05 * dazo will pay attention to mailing list ... curious about what answers might come ...
06:07 < mjt> looking at the code, it seems the openvpn internal fragmentation will just work in almost all cases as it just splits the packet into two halves (which is 750 bytes) and adds its own overhead, so the resulting thing should not exceed ~1010 bytes anyway -- hardly a problem in nowadays networks.
06:07 < mjt> problematic MTU values are usually in range 1400..1499, not less.
06:08 < mjt> (1492 for typical ADSL line)
06:19 < mjt> ok, i had to comment out that --local vs --ifconfig check in the code - there's no way to disable it
06:24 < mjt> (well, there is -- by not using --ifconfig and the rest of "easy" options)
07:00 < mjt> !route
07:00 < vpnHelper> mjt: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
07:00 < mjt> that page does not answer one (at least) question
07:00 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
07:00 < mjt> how does openvpn on the server know to route its own LAN to the host?
07:01 < mjt> and ditto for all the other participants, for their own LANs
07:01 < mjt> shouldn't there be iroute for each?
07:03 < mjt> or does it just hand "everything" to the host?
07:04 < mjt> (if not client-to-client, everything received from other peers gets pushed to the TUN interface to reach the local kernel IP stack, that is) 07:06 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 07:07 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 07:09 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 07:12 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 07:13 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 07:21 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 07:31 -!- basty [n=basty@212.218.65.230] has joined ##openvpn 07:31 < basty> hi 07:32 < dazo> mjt: everything gets pushed to the IP stack normally ... if client-to-client is enabled, it activates it's internal routing in openvpn, where traffic from all clients on connected to the given openvpn process are routed/duplicated to the other clients on connected ... I'd believe that goes primarily for broadcast, multicast and specific client IP addresses are only sent to the given client 07:33 < mjt> so --iroute basically makes sense only together with --client-to-client 07:33 < basty> I am using OpenVPN 2.0.7 for about 3 years now - without any problems. Today I just wanted to create a new user to my openvpn. As soon as I transfer the certificate to the client I am getting errors like: VERIFY ERROR: depth=0, error=unable to get local issuer certificate - but whats the problem? I mean the "old" users I have created 3 years ago - are still working fine. 07:33 < dazo> mjt: well ... iroute is a kind of "backward routing" ... it gives the possibility to route the subnet from a client to the server .... route goes only from servers side to the client 07:34 < dazo> basty: you need to also transfer the same CA certificate too most probably 07:35 < basty> dazo: yeah - of course I did that also.... 
07:35 < dazo> basty: which OS? 07:35 < mjt> there are no clients or servers when routing is concerned, -- everything is symmethric 07:35 < basty> dazo: SuSE 9.3 07:36 < basty> dazo: another error in the logfile: TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned and TLS Error: TLS object -> incoming plaintext read error and TLS Error: TLS handshake failed 07:36 < dazo> basty: please send us complete log file and config 07:36 < dazo> !logs 07:36 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 07:36 < dazo> !configs 07:36 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:37 < basty> okay - one sc 07:37 < basty> s/sc/sec :-) 07:37 < dazo> mjt: I'm talking about openvpn clients and openvpn servers .... I meant the relation between those processes .... 07:39 < mjt> well. your explanation confused me further ;) 07:39 < mjt> that "backward routing" thing 07:40 < mjt> iroute tells the server that this particular network is "behind" this particular client 07:40 < mjt> so i was wrong, it's orthogonal with client-to-client 07:41 < dazo> mjt: when the openvpn connection uses "route" .... it means that the network from behind the openvpn server is routed to the client. This will not work backwards, you cannot route a network behind the openvpn client with the route parameter. In this case, you need to use the iroute parameter on the client 07:42 < dazo> mjt: what --client-to-client does ... is that it allows all the VPN clients to see/contact each other, and this traffic never reaches the kernels IP stack, but is handled internally in the openvpn server 07:42 * mjt is confused even further... 
;) 07:43 < basty> dazo: http://pastebin.com/d568d897b 07:43 < mjt> "The reason why two routes are needed is that the --route directive routes the packet from the kernel to OpenVPN. Once in OpenVPN, the --iroute directive routes to the specific client." 07:44 < mjt> aha. so --route only adds kernel routes, not internal-to-opvnvpn ones 07:44 < mjt> i was thinking it does both 07:44 < dazo> basty: do you have configs as well? 07:44 < basty> dazo: oh.sorry...one sec 07:46 < basty> dazo: what kind of configs do you need ? even the openssl.cfg ? 07:46 < dazo> basty: I need the openvpn client and server config 07:46 < basty> ah ok 07:46 < mjt> and ccd 07:46 < mjt> ;) 07:47 < dazo> true ... I'll bug for that if I see it is included in the config ... but right now, I don't think I need it 07:47 < basty> dazo: dumb question..where can I find the openvpn server config ? I am sorry - I used to install it 3 years ago..and cant remember anymore ;) 07:47 < dazo> basty: good question .... have a look under /etc/openvpn ... 07:47 < basty> ah doh 07:47 < basty> found it 07:49 < basty> dazo: http://pastebin.com/d6abc18d4 07:49 < mjt> is there a way to stop it from verifying keys (openvpn-vulnkey)? 07:49 < dazo> mjt: scrap Ubuntu or Debian and install a proper Linux distro :-P 07:49 < mjt> aha 07:50 < mjt> 'hwell. another recompile is in order. 07:50 < mjt> (it's debian, for about 8 years) 07:52 < basty> dazo: foud anything weirdo in the config ? I mean..the old users are stilling working fine..i quess there is something messed up with the certificates... 07:52 < dazo> basty: I'm looking now 07:52 < basty> thx 07:58 -!- mode/##openvpn [+o ecrist] by ChanServ 07:58 -!- mode/##openvpn [-o ecrist] by ecrist 07:59 < dazo> basty: I would double check if the double backslashes are needed in the client config 08:07 < dazo> basty: and if that's not helping ... 
I would try to recreate the client certificate 08:10 -!- mode/##openvpn [+o ecrist] by ChanServ 08:10 -!- mode/##openvpn [-n] by ecrist 08:10 -!- mode/##openvpn [+n] by ChanServ 08:11 -!- mode/##openvpn [-n] by ecrist 08:11 -!- mode/##openvpn [-o ecrist] by ecrist 08:11 < mjt> whee. 08:14 < basty> dazo: I removed the double slash...and created the client cert again..but..still the same problem 08:15 < dazo> basty: and the client cert is signed by the proper CA key? 08:16 < basty> dazo: how can I check that ? ;) I jused typed ". ./vars" in the easy-rsa folder...and created a client cert with "./build-key "username"" 08:16 < basty> just I mean..sorry for my english and all these typos.. ;-) 08:17 < dazo> basty: well, was the other (old) client certificates also created in this directory? 08:17 < basty> dazo: yep 08:17 < basty> dazo: but for right now the server ca is located in /etc/openvpn/ 08:18 < dazo> basty: make sure that the CA files in /etc/openvpn is the same as in the easy-rsa dir 08:19 < basty> dazo: hrm..it seems that the size of this certificate ist different... 08:19 < basty> should I copy the ca.* files from /etc/openvpn in the current directory and create the client ca again ? 08:20 < dazo> basty: if they differ .... you will get into big troubles, no matter what you do :-P 08:20 < dazo> basty: do you have many openvpn clients active? 08:20 < basty> dazo: only 5 08:21 < basty> dazo: i will try to copy the whole /etc/openvpn/ into the easy-rsa keys directory and try to generate another key 08:21 < dazo> basty: because worst case, you would need to recreate all client certs ... 08:21 < basty> ah okay..no problem ;) 08:22 < basty> ...at least it have to work... 08:22 < dazo> basty: backup of files is always a good idea :) 08:22 < basty> yeah 08:22 < basty> hehe 08:26 < basty> yeah 08:26 < basty> it worked 08:26 < basty> thanks much, dazo 08:26 < basty> :) 08:26 < dazo> basty: no prob! 
08:26 < basty> have a nice day 08:26 < basty> bye 08:27 -!- basty [n=basty@212.218.65.230] has quit [] 08:39 < mjt> lovely 08:39 < mjt> WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1436' 08:39 < mjt> -- that gets printed on BOTH ends 08:40 < mjt> so each thinks its tun-mtu=1500 and remote's =1436 08:40 < dazo> mjt: that's solved by --link-mtu, I believe 08:40 < mjt> you don't understand ;) 08:40 < dazo> sorry .... tun-mtu, I mean 08:40 < mjt> i didn't touch --*-mtu this time 08:40 < mjt> it's all default settings 08:41 < mjt> but each side thinks the other has different tun-mtu 08:41 < mjt> the warning i pasted above gets printed on both ends *exactly* 08:41 < mjt> not reversing it on one end 08:41 < dazo> you're still sure you want to play further with debian? :-P 08:41 < mjt> what it has to do with debian? 08:41 < dazo> I see ... yeah that's very odd 08:42 < dazo> debian might have done extra kernel tweaks which is not picked up by openvpn on the tun interface 08:42 < mjt> kernel tweaks?? 08:42 < mjt> it's standard tun, vanilla kernel.org kernel 08:43 < dazo> mjt: not debian patched kernel? 08:43 < mjt> and i just reviewed the other patches in debian dir 08:43 < mjt> no 08:43 < dazo> which openvpn version? 08:43 < mjt> and even if it was, there's nothing debian did of that sort 08:43 < mjt> it says 2.1pre11 08:43 < dazo> mjt: well, double check /etc/sysctl.conf as well .... and other configs related to /proc/sys settings 08:43 < mjt> the site mentions only pre10 08:43 < mjt> he 08:44 < dazo> mjt: try upgrading to openvpn 2.1_RC15 ... that's for sure stable 08:44 < mjt> but the sate mentions pre10 is the latest.. no? 08:44 < mjt> site 08:45 < dazo> mjt: I know that I've been running RC15 since it was released without any issues ... I don't know the pre*-releases 08:45 < mjt> om 08:45 < mjt> rc10 and rc11 it is, not pre 08:46 < mjt> but i think i know where that mtu stuff comes from. 
08:46 < mjt> my fault and openvpn's fault together 08:47 < mjt> the lower mtu is set up on the tun interface which i made persistent 08:47 < mjt> and forgot about that 08:47 -!- Bluespuke [n=chatzill@87.240.206.215] has joined ##openvpn 08:47 < mjt> now i removed *-mtu settings from the config and expected it to be the default 08:47 < Bluespuke> hi 08:47 < mjt> but it left the old settings 08:48 < mjt> ok, both are my faults really 08:48 < mjt> because other side also configured mtu on its interface after push handling 08:48 < mjt> and had exactly the same prob 08:48 < dazo> mjt: Typical PEBKAC ....... :-P 08:49 < mjt> openvpn's fault is that it advertises 1500 to the other end while it perfectly knows its local tun is less than that 08:49 < mjt> ok, fixed that. 08:49 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 08:50 < Bluespuke> i successfully created a VPN with a network bridge, how can i access from PC1 (network A / VPN client) to PC2 (network B) through my server PC (network B / VPN server) ? 08:51 < dazo> Bluespuke: Did you configure it using bridge setup? (bridging local eth interface and tap interface) 08:51 < Bluespuke> yes, bridge on my server 08:52 < dazo> Bluespuke: and the VPN client receives a proper IP address on the tap interface, which is within the network scope on your lan of your server side eth 08:52 < dazo> ? 08:54 < Bluespuke> no it's kinda weird :s 08:54 < Bluespuke> 169.254.216.183 :( 08:54 < mjt> weird what? 08:54 < mjt> heh. link-local segment 08:54 < dazo> Bluespuke: okey ... now it's time to give us logs and configs 08:54 < dazo> !logs 08:54 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 08:54 < dazo> !config 08:54 < vpnHelper> dazo: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 
08:54 < dazo> !configs 08:54 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:54 < mjt> heh 08:55 < vcs> do openvpn pushed routes show up in the windows command "route PRINT"? 08:55 < vcs> for clients 08:55 < vcs> i cant get any routes I push to show up there 08:56 < mjt> sure the routes should be in client's routing table 08:56 < dazo> vcs: make sure the openvpn runs with admin privileges 08:56 < vcs> does anything look invalid about this line: push "route 10.2.1.0 255.255.255.0" 08:57 < vcs> that is not going through to the admin account of my windows box 08:57 < mjt> !logs 08:57 < vpnHelper> mjt: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 08:58 < Bluespuke> my configs: http://pastebin.com/m601114ea 09:00 < dazo> Bluespuke: what is the network range on your client side? 09:00 < vcs> hmmm there is a "Certificate not yet valid error" in the server logs 09:01 < Bluespuke> both networks are 192.168.1.* 09:01 < dazo> Bluespuke: that's your problem 09:01 < vcs> but i can still connect to server via vpn 09:01 < vcs> :| 09:01 < dazo> Bluespuke: they need to be different .... esp. when doing bridging 09:01 < Bluespuke> so it's impossible without changing one of them? 09:01 < dazo> Bluespuke: yes 09:01 < Bluespuke> ok 09:01 < mjt> i'd not say that 09:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)] 09:02 < mjt> it's perfectly ok to have both in 192.168.1.* range 09:02 < mjt> as long as they're bridged 09:02 < mjt> and as long as there's no repeated IPs 09:02 < Bluespuke> they are given automaticly by DHCP... 09:02 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:02 < dazo> mjt: that's a long shot ... that can really cause some issues ... 
as both network address is .0 and broadcast is .255 on both networks ... and if you then have the same gateway address 09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:03 < ecrist> stay away from 192.168.x/16 in VPN subnets 09:03 < dazo> ecrist: +1 09:03 < vcs> after I build a key in the easy-rsa directory for a client, is there anything I need to do otherwise? 09:03 < ecrist> !1918 09:03 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 09:03 < vcs> i dont remember if i did the last time I ran openvpn 09:03 < ecrist> use a different 1918 address space. 172.16/12 is usually safe 09:04 < mjt> nothing wrong with 192.168/16 09:04 < ecrist> mjt: you will collide with ~95% of private LANs out there. 09:04 < mjt> no 09:04 < mjt> because i'm not a part of them 09:04 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 09:04 < mjt> we don't iteract with each other 09:05 < mjt> dazo: as i said, there should be no repeated addresses, including those used for gateways 09:06 < dazo> mjt: how do you avoid to duplicate the broadcast address in this setting? 09:06 < ecrist> if you're going to have clients connecting from unknown, uncontrolled areas, stay away from 192.168.x/16 09:06 < mjt> dazo: nothing wrong with broadcasts either. it will broadcast to both sides, that's all. 09:07 < mjt> ecrist: that's true 09:08 < mjt> i don't know how to do it easily with openvpn yet (i'm only one day with it, a complete newbie). But i did something very similar using vtun, bridging 192.168.99/24 where half of the machines where on one side and half on another, both halfs random. 
09:09 < mjt> a client boots (on either side), broadcasts a dhcp requests (to 255.255.255.255), dhcp server on the other side responds and assigns a random IP from that /24, and specifies a gateway which actually resides on the other side too. 09:10 < dazo> mjt: well ... but you also have to consider that you can only have 1 DHCP server on the complete network ... if you do it like this, you need to make sure that the openvpn connection is established before clients begins requesting for IP addresses 09:10 < mjt> yes 09:10 < mjt> see above ;) 09:10 < mjt> and again, nothing wrong with more than one dhcp in the network. 09:10 < mjt> as long as they know each other and/or assign addresses from differnt ranges 09:11 < dazo> mjt: if the openvpn link breaks ... half of your network will fail to work completely, esp. if the offended clients needs to refresh IP addr 09:11 < mjt> 192.168.99.51-60 one, and .61-70 another for example, whatever. 09:11 < mjt> sure 09:12 < mjt> that half will work halfway still -- seeing each other 09:12 < dazo> mjt: you might manage to make it run, in a short time perspective ... but it is absolutely insane to do it like this ... because you are depended on the other side of the network to have a stable network infrastructure 09:13 < mjt> it depends 09:13 < mjt> in our case it was a "remote" room (on another side of the building) with an ethernet cable going over all the building 09:14 < mjt> all the servers were on this side, so if the cable is broken they can't work anyway 09:14 < dazo> mjt: if the openvpn link fails ... if the internet link break ... you actually render the remote network without DHCP server completely useless, esp. 
when ip addresses are refreshed/requested 09:14 < mjt> it's useless w/o the link anyway 09:14 < mjt> so no difference 09:14 < dazo> mjt: in your setup, true 09:15 < mjt> it was a quick hack to make that room work 09:15 < dazo> mjt: but most people do not use openvpn for local connectivity, but for remote locations 09:15 < dazo> mjt: exactly, it's a hack 09:15 < mjt> sure 09:16 < mjt> $boss was afraid someone will listen on that cable on the way, thats the reason for the tunnel ;) 09:16 < mjt> later on we planned to set up ipsec but moved to another office instead. 09:16 < dazo> please tell me that it at least was 100m between the rooms ..... 09:16 < mjt> no, about 60 09:17 < ecrist> dazo, ethernet spec < 100m for copper 09:17 < dazo> ecrist: true ... Forgot that :-P 09:17 < dazo> well ... STP is 200, I think .... UTP is <100 yes 09:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:18 < mjt> there was a competitor of ours, sorta, in the intermediate offices... so the risk was real ;) 09:20 < mjt> but the thing i wanted to say is -- quite weird things are possible with networks. and there are cases (rare but still) when such weird setups are ok. 09:25 -!- Bluespuke [n=chatzill@87.240.206.215] has quit [Read error: 110 (Connection timed out)] 09:26 < mjt> quite some soho routers (adsl, wifi, etc) comes with default IP of 192.168.1.1 09:27 < mjt> and if you've a host with that IP already, .... 09:27 < mjt> ecrist: i can't make openvpn to return NETUNREACH still 09:28 < mjt> did you do something for that to work? Which setup did you have where it worked? 09:29 < ecrist> mjt, no, I was stating that, if the network is not routable, then that should be the result. If that's not what you're seeing, the implementation is not what I'd expect 09:30 < mjt> aha! 
09:31 < mjt> (by "not routable" i mean there's a host route for it pointing to the tun device, but openvpn does not know it) 09:32 < reiffert> ecrist: when I wrote: someone +n'ed the channel, I originally meant: +t 09:34 -!- Bluespuke [n=chatzill@87.240.206.215] has joined ##openvpn 09:45 < mjt> why, technically, two tls-servers can't talk to each other? 09:46 -!- AlNahar [n=bitz@124.40.43.214] has joined ##openvpn 09:46 < AlNahar> HELLO FRIENDS 09:46 -!- AlNahar is now known as AnNahar 09:46 < AnNahar> i need help! 09:46 < AnNahar> can i use openvpn to get a U.S. ip address? 09:46 < mjt> hm. 09:46 < mjt> !help 09:46 < vpnHelper> mjt: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 09:47 < reiffert> AnNahar: yes. 09:47 < AnNahar> can i do this through using networkmanager-openvpn? 09:47 < AnNahar> i'm on f10 09:47 < dazo> AnNahar: http://www.strongvpn.com/ 09:47 < vpnHelper> Title: StrongVPN.com - Strong security for your internet connection and anonymity for your online presence (at www.strongvpn.com) 09:47 < AnNahar> but the only howto i found was for ubuntu:( 09:47 < reiffert> AnNahar: 09:47 < reiffert> !howto 09:47 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:47 < AnNahar> dazo, im not interested in a pay service 09:48 < mjt> pick any open proxy of your choice... ;) 09:48 < AnNahar> but strongvpn is pay service, rite? 09:48 < dazo> AnNahar: well, you need a destination host to connect to, to provide you with access .... so unless you have some nice friends in the US, you don't have much choices 09:48 * mjt used to feed dsbl.org with open proxies, several 1000s every day... 09:48 < AnNahar> well, i would just use ninjaproxy, but that doesn't seem to let me do what i want at hulu.com 09:49 < dazo> AnNahar: are you worried about protecting the network traffic? Or are you just in need of a pure US IP addr? 
09:49 < AnNahar> i mean, im looking for something like hotspot shield, but for linux 09:49 < AnNahar> dazo, im currently in japan and i want to watch a video on hulu:O 09:50 < AnNahar> i found a howto for openvpn, but it's for ubuntu and the files are either in diff places or nonexistant for me on f10 09:50 < mjt> that's a bit unfair, isn't it? 09:50 < dazo> AnNahar: go for a proxy solution .... Chinese people like strongvpn .... as they can avoid "The Great Firewall" 09:50 < AnNahar> mjt, what's a bit unfair? 09:51 < mjt> pretending you're at a different place.. and (ab)using someone elses resources.. ;) 09:51 < dazo> AnNahar: configs on F10 should be found in /etc/openvpn .... the rest of the docs is usually under /usr/share/doc/openvpn-/ 09:51 < AnNahar> mjt, you mean like, using a proxy? 09:51 < mjt> like, using someone elses proxy ;) 09:51 < AnNahar> who is someone else? 09:52 < reiffert> wasteoftime. 09:52 < mjt> wug. proxy is not "who", it's "it" 09:53 < AnNahar> you said someone else's proxy 09:53 < AnNahar> im asking which someone are you talking about? 09:53 < mjt> whatever or whomever - who's proxy you want to use 09:53 < AnNahar> uhh 09:53 < AnNahar> there's zillions of proxies that are free for public use 09:53 < mjt> yse 09:53 < mjt> yes 09:54 < mjt> you see the smile at the end of all my statements? 09:54 < mjt> or some, anyway 09:54 < AnNahar> i dont see why they don't have something like ninjaproxy 09:54 < AnNahar> that works on hulu 09:55 < AnNahar> i mean, a web based proxy 09:55 < dazo> mjt: what's wrong about using a public proxy if it is publicly available to anyone? I don't see the problem .... the problem is more on those sites who believes that region blocking based on IP addr is a clever solution 09:55 < mjt> wug. 09:55 < mjt> it was a joke. sorta anyway 09:56 < AnNahar> dazo, do you know of any free proxies i can use? 09:56 < AnNahar> without having to use openvpn, etc? 
09:56 < AnNahar> just to watch something on hulu 09:56 < dazo> AnNahar: no, I've not been following that ... I just know that Chinese people use strongvpn, and pay for it ... and hulu works pretty well 09:56 < mjt> i dealt with various botnets/spambots before, quite alot, and the word "proxy" *TO ME* become something evil which gets ABused by evil people. A hot button, of sort. 09:57 < AnNahar> poopie 09:57 < AnNahar> im going to have to reboot to xp to use hotspot shield 09:58 -!- AnNahar [n=bitz@124.40.43.214] has quit [Remote closed the connection] 10:10 < Bluespuke> i changed one of the networks from 192.168.1.* to 192.168.2.* and now everything is working very well 10:10 < Bluespuke> THX 4 ur help guys 10:14 -!- Bluespuke [n=chatzill@87.240.206.215] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"] 10:14 < dazo> Bluespuke: np! :) I'm happy it worked out in the end 10:18 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 10:18 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 10:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 10:22 -!- mode/##openvpn [+n] by ChanServ 10:22 -!- mode/##openvpn [+o ecrist] by ChanServ 10:22 -!- mode/##openvpn [-t] by ecrist 10:22 -!- mode/##openvpn [-o ecrist] by ecrist 10:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 10:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 11:01 -!- Irssi: ##openvpn: Total of 52 nicks [0 ops, 0 halfops, 0 voices, 52 normal] 11:11 < reiffert> Thx 11:17 -!- SURFkees [n=kees@honderdzevenentwintig.surfnet.nl] has joined ##openvpn 11:18 < SURFkees> Is there a difference between OpenVPN 2.0 and 2.1 in the way it handles --up scripts and how it handles the standard output of commands used in those scripts? 
11:19 < SURFkees> in 2.1 my --up script generates "(Inappropriate ioctl for device)" whenever I do for example a "ifconfig dev up" 11:20 < mjt> shouldn't it be $dev, not dev ? 11:21 < mjt> from this point of view, there should be no difference. it's not related to standard output that's for sure. 11:21 < SURFkees> well, dev is just an example here 11:22 < SURFkees> the --up script gets called, does a "ifconfig s6 up" and gets that error 11:22 < SURFkees> if I change it to "ifconfig s6 up >/dev/null" it works 11:22 < mjt> lovely 11:22 < mjt> try strace'ing it 11:23 < mjt> like, strace -o /tmp/trc ifconfig ... 11:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:28 < dazo> SURFkees: yes, it has been some changes .... which 2.1 version are you using? 11:29 < SURFkees> 2.1_rc11 11:29 < ecrist> use 2.1_rc15 11:29 < dazo> SURFkees: try first to upgrade to RC15 ... it has come some changes in between RC10 and RC13 which gives some of the old behaviour back 11:30 < mjt> ok, i was wrong it seems. 11:31 < dazo> SURFkees: and then you need to check out the --script-security parameter in the man pages ... this is also to tweak the behaviour even more 11:31 < SURFkees> Yea, I already had it on "3 system" to see if that was the problem, but I will have to check wit rc15 11:32 < dazo> SURFkees: the older OpenVPN versions used a rather unsafe API when calling those scripts 11:32 < SURFkees> Right 11:33 < SURFkees> Well, I'll have a look at the latest version 11:33 < dazo> SURFkees: yeah, you're probably bitten by the incompatibility bug .... you may also try to encapsulate the command and it's argument in the config ..... --up "myscript param1 param2 etc" 11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:35 < SURFkees> that's what I'm currently doing :) 11:39 < dazo> SURFkees: then you're into a good track :) I'm just throwing out ideas from what I remember on the fly ;-) 11:40 < SURFkees> hehe, no problem. 
I was hoping for a quick fix. I wasn't really intending on using 2.1 yet since it's still a RC. 11:42 < SURFkees> hmm, still odd that Debian has added rc11 to it's stable repo 11:44 < dazo> SURFkees: RC15 is the most stable one of all releases ... and yes, it's been some tension on the mailing list about that 2.1 has been in RC for 2 years ;-) 11:45 < SURFkees> hehe, I don't really mind. I rather have a good finished product than a rushed one ;) 11:45 * dazo has used RC15 since it was released without any issues at all 11:47 < SURFkees> Well, I don't really have time to test 2.1 before my deadline, so I'm stuck with 2.0 I guess. Just didn't expect Debian would have added 2.1 to it's stable repo :) 11:58 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:00 < ecrist> SURFkees: 2.1_rc15 is stable 12:00 -!- AlNahar [n=bitz@124.40.43.214] has joined ##openvpn 12:00 < AlNahar> hi 12:00 < AlNahar> it seems hotspot shield uses openvpn 12:00 < ecrist> great 12:01 < SURFkees> openvpn website still calls it a beta release 12:02 < AlNahar> ecrist, so how do i use openvpn to use hotspot shield info in linux? 12:02 < ecrist> SURFkees: so? 12:02 < SURFkees> so I will consider it a beta release 12:02 * mjt builds a _rc15 debian package... 12:02 < ecrist> AlNahar: you'd have to ask the hotspot shield folks. I haven't used their service. 12:02 < ecrist> SURFkees: then quit bellyaching. 12:03 < SURFkees> I have. Just downgraded to 2.0.9 12:03 < AlNahar> http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu 12:03 < AlNahar> see 12:03 < vpnHelper> Title: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security | Ventanazul (at www.ventanazul.com) 12:03 < AlNahar> HULU 12:03 < AlNahar> err UBUNTU! 12:03 < AlNahar> i have fc10 12:03 < dazo> SURFkees: RC15 will most likely become the final 2.1 ... it really is the closest you get to a final release at the moment ... 
and nobody understands the hesitation of giving it a proper "stable" stamp 12:04 < dazo> AlNahar: the basic file based config is identical to all openvpn versions, on all platforms 12:04 < AlNahar> dazo, nay! 12:04 < AlNahar> dazo, have you used nm-openvpn? 12:04 < dazo> AlNahar: that's not file based config 12:04 < ecrist> AlNahar: network manager is crap 12:04 < AlNahar> dazo, i know that 12:04 < dazo> +1 12:05 < ecrist> don't use network manager 12:05 < AlNahar> dazo, i cannot follow that howto because the files are not there 12:05 < AlNahar> nor in another location 12:05 < ecrist> open a terminal and type 'openvpn ' 12:05 < dazo> AlNahar: skip the gui crap ... go edit config files manually .... it's just as easy ... and works immediately 12:05 < AlNahar> dazo, of course, i need a public proxy 12:05 < AlNahar> poopity poop 12:05 < AlNahar> i just rebooted to windows to use hotspot shield to watch something on hulu 12:06 < AlNahar> im trying to avoid having to do that again, but i did notice openvpn.exe was running 12:06 < dazo> AlNahar: in that link you sent ... it's a complete openvpn config file ready for you there 12:06 < AlNahar> dazo, nay sir 12:06 < mjt> dazo: btw, it looks like debian folks have several good points 12:06 < dazo> AlNahar: look for "The Configuration Files: openvpn.conf" 12:06 < AlNahar> some of the example stuff is not there either 12:07 < AlNahar> Comment all lines in /etc/default/openvpn and add: 12:07 < AlNahar> AUTOSTART="openvpn" 12:07 < AlNahar> not that one 12:07 < AlNahar> cp -r /usr/share/doc/openvpn/examples/easy-rsa/ . - not this one either 12:07 < mjt> wug 12:07 < dazo> AlNahar: well ... that's off-topic here ... as that's an Ubuntu issue ... not openvpn issue 12:07 < AlNahar> mjt, WHY do you keep saying that strange word? 12:07 < AlNahar> dazo, it's off topic to talk about openvpn in fedora? 
12:08 < mjt> it's impossible to know how openvpn is packaged on every distro 12:08 < AlNahar> mjt, i didn't say it was possible 12:08 < AlNahar> i just said to say it's off topic is silly 12:08 -!- AlNahar [n=bitz@124.40.43.214] has left ##openvpn ["Leaving"] 12:08 < dazo> AlNahar: in this channel we can help out configuring openvpn ... and we do it via config files 12:09 < dazo> too late 12:09 < mjt> he's a bit too impulsive 12:10 * mjt installs -rc15 as debian package... 12:10 < dazo> Well ... if he had read the complete web page he sent a link to ... and used a couple of more brain cells .... he would have solved it .... but we're not helping people eat their food, we're just helping them to find it 12:13 < mjt> NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 12:13 < mjt> that's what -rc15 prints on startup 12:13 < mjt> silly 12:14 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 12:14 < mjt> i think i'll go and clean up all those idiotic warnings and notices... :( 12:15 < dazo> mjt: send a patch to the openvpn-devel list as well 12:15 < dazo> see what they say :) 12:15 < mjt> this notice is new 12:15 < mjt> it wasn't here in -rc11 12:15 < mjt> but it's useless 12:16 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 12:16 < mjt> it forces me to set -script-seecurity to 2 just to shut it up, even if I don't use any script 12:16 < dazo> yeah, they did some changes in rc12 or rc13 (don't recall now) ... and then somebody came up with this idea ... because without changing it to level 2, older configs wouldn't work 12:16 < mjt> but it will be obvious in the logs 12:17 < mjt> that's why it's useless. 12:17 < dazo> yeah, that's why it got added into the logs :) .... 
but the other thing is that that warning should only be used if scripts or plugins were used 12:17 < mjt> i mean, it logs a warning, since quite some time, when it actually tries to execute something and script-level forbids it 12:18 < dazo> if you read the mailing list from last autumn, you'll find the discussion about --script-sec 12:19 < mjt> other than this new NOTICE, it seems to work. 12:20 < mjt> www.corpit.ru/debian/tls/openvpn/ -- debian packages w/o debian stuff 12:21 -!- SURFkees [n=kees@honderdzevenentwintig.surfnet.nl] has quit ["Leaving"] 12:21 < mjt> just uploaded -rc15 there 12:35 -!- hardwire` [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn 12:36 -!- hardwire [n=spencers@62-197-137-216.mtaonline.net] has quit ["Ex-Chat"] 12:36 -!- hardwire` is now known as hardwire 12:48 < mjt> is there a way to use random port on the client? 12:49 < mjt> it defaults to `port 1194'. setting port to 0 (which means 'use any random port' for the OS) is not accepted (openvpn claims it's invalid) 13:05 < reiffert> udp or tcp? 13:08 < mjt> udp 13:23 < reiffert> using lport? 13:23 < reiffert> -- 13:23 < reiffert> port = atoi (p[1]); 13:23 < reiffert> if (!legal_ipv4_port (port)) 13:23 < reiffert> { 13:23 < reiffert> msg (msglevel, "Bad local port number: %s", p[1]); 13:23 < reiffert> goto err; 13:23 < reiffert> } 13:24 < reiffert> static inline bool 13:24 < reiffert> legal_ipv4_port (int port) 13:24 < reiffert> { return port > 0 && port < 65536; 13:24 < reiffert> } 13:26 < ecrist> so, looks to be trivial to code the functionality mjt would want. 13:27 < ecrist> why don't you get right on that, reiffert? 13:46 < reiffert> sorry? 14:01 * mjt is back 14:01 < mjt> oh 14:01 < mjt> heh. 
I were testing the port0 change -- replaced > with >= in that legal_ipv4_port 14:04 < mjt> and the reason for that is my crappy adsl router that keeps conntrack entry across IP address change, and crappy ISP that those forces changes every so often (very annoying) 14:04 < mjt> the router's running linux btw. 2.6.8.something 14:07 < reiffert> and does it work? 14:16 < Gumbler> !route 14:16 < vpnHelper> Gumbler: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:17 < mjt> it works, yeah 14:17 < mjt> at least on linux 14:21 < mjt> 33782 39630 -- that's the port(s) it is getting 14:21 < ecrist> mjt, why not, rather than code it to depend on a linux feature, code it to see the 0, and handle it internally to openvpn? 14:22 < mjt> i actually changed the call to legal_ipv4_port() near the "port" option 14:22 < mjt> well, i expect *bsd to behave similarily 14:23 < mjt> and probably solaris too 14:23 < mjt> (it was quite some time ago when i last used solaris) 14:24 < mjt> the thing is - so far no one needed anything of this sort. 14:24 < ecrist> expect and know are two things. 14:24 < mjt> yes 14:24 < ecrist> actually, if you google, it's a common question 14:25 < mjt> for another thing, i almost gave up sending patches for various programs i use. it usually does not work. for me so far it's less hassle to maintain a local patch than to try to submit such things. 14:26 < mjt> such as this new NOTICE thing about script-security level 14:27 < mjt> (introduced in -rc14 hence new) 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:43 < ecrist> I totally agree. Why bother contributing to open source software when it takes effort. 14:45 < reiffert> Well, I failed so many times hitting authors "I just dont personally like this patch", I handle it like mjt. 14:56 -!- romero [n=user@193.219.160.109] has joined ##openvpn 15:06 < mjt> i usually hit silence. 
15:06 -!- bandini [n=bandini@host237-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 15:07 < mjt> a good example - anyone know how much probs it can create when timestamps in syslog are in various different languages and encodings in the same file? 15:07 < reiffert> Arrogance, ignorance and snootiness. 15:07 < mjt> it's because syslog(3) routine does strftime() based on current $LANG 15:08 < mjt> which, on multi-user system, may be anything. 15:08 < mjt> also based on $TZ, so that timestamps are completely random... 15:09 < mjt> the trivial solution is to just stop adding the timestamp, since syslog damon does that anyway. Alternative is to do local implementation of strftime() (it's very small) 15:09 < mjt> both variants were proposed in about 1988 15:09 < mjt> that's 20(!) years ago 15:09 < mjt> i sent that stuff several times to the glibc mailinglist. 15:09 < mjt> no response so far. 15:10 < mjt> well, this one is atypical. but gave me good lesson. 15:15 < mjt> very nice for patches was Erik Allmann (sendmail), was very thankful. But he had another prob, and it's not a surprize sendmail had so many.. issues. He applied several patches of mine but didn't even bother to COMPILE-test them or actually look at them - I did an obvious mistake in one of the patches (solaris's kstat() calls). 15:15 < mjt> so the next version he released didn't compile on solaris. 15:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:41 < Kreg-Work> if one collected all the previous users keys, the origlan ca and key, would it be possible to remake an easy-rsa thing? such as all the history and stuff. 15:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:54 < krzee> easy-rsa thing? 15:54 < krzee> easy-rsa is just a script... 15:54 < mjt> the keys he mean, i think... ;) 15:55 < krzee> but he said if he collects all keys previous... 
15:56 < mjt> well, it puzzled me too and hence i didn't comment ;) 15:59 < Roman123> Without a correct time, openvpn does not work properly and therefore I'm suffering from the following problem: My internet provider uses pppoe, which sucks bad ass. Sometimes, when I reboot my OpenWRT router it takes quit some time (up to four pppoe connection tryouts) until the connection is established. The only problem about that is getting the clock as fast as possible synced (using ntpd). It takes quite some time until ntpd syncs the clock. I 15:59 < Roman123> s there a clever workaround to start, e.g., ntpdate, right after the connection is established or by means of openvpn? Is it possible to execute a script triggert by the openvpn connection attempts? 16:00 < Roman123> s/triggert/triggered 16:00 < krzee> well 16:00 < krzee> theres a few places to hook in scripts in openvpn 16:00 < krzee> but the easiest i would think is to make a little wrapper script 16:00 < Roman123> ok 16:00 < krzee> which runs ntpdate, and after successfully syncing the clock starts openvpn 16:01 < mjt> Roman123: btw, who do you restart your router to start with? 16:01 < krzee> i believe in the manual theres a section where it lists execution order of scripts 16:01 < mjt> krzee: there is 16:02 < Roman123> openvpn is started by an /etc/init.d script 16:02 < Roman123> mjt: reboot 16:02 < Roman123> mjt: what do you mean? 16:02 < mjt> why do you reboot it? 16:02 < krzee> "Sometimes, when I reboot my OpenWRT router it takes quit some time" 16:02 < Roman123> If some settings have been changed 16:03 < krzee> werd 16:03 < mjt> heh. "YOu have moved the mouse. Windows needs to be restarted for the changes to take effect" 16:03 < krzee> well theres 2 ways to fix it 16:03 < Roman123> or if there is a power failure 16:03 < krzee> and you know both now =] 16:03 < krzee> so imma watch a movie and take a nap 16:03 < mjt> but ok. 
16:04 < mjt> (when i had a router with openwrt, it had almost 2 years uptime before it fried) 16:06 < Roman123> mjt: after changing /etc/config/ it is sometimes easier to enter "reboot" and wait for 20 seconds than to apply ifdown, ifup, whatever :) 16:06 < mjt> yes 16:08 < mjt> i used it in 'set up & forget' mode, not messing with it much. 16:09 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 16:11 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 16:12 < reiffert> argh argh argh! 16:12 < reiffert> quote: "The initial window size is determined via the two-way handshake" 16:12 < mjt> mss 16:13 < reiffert> ccna 16:17 < Roman123> mjt: got a very creative hint. :-) I should place a small script into /etc/hotplug.d/iface. I'll try that. Probably the easiest fix. 16:17 < mjt> welcome to OpenWRT ! :) 16:18 < Roman123> yep, very helpful :) 16:55 < Roman123> mjt: I guess the easiest way is to put the script into /etc/ppp/ip-up.d :-P 17:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 17:20 -!- purifiedmadness [n=user@c-71-229-205-237.hsd1.co.comcast.net] has joined ##openvpn 17:32 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Connection timed out] 17:32 -!- bandini [n=bandini@host237-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:33 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn 17:36 -!- purifiedmadness [n=user@c-71-229-205-237.hsd1.co.comcast.net] has left ##openvpn [] 17:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 17:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:59 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 19:43 -!- prxtien [n=pro@teamaustralia.net.au] has quit ["changing 
servers"] 20:29 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection] 20:29 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 21:09 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 104 (Connection reset by peer)] 22:00 -!- romero [n=user@193.219.160.109] has quit [Read error: 104 (Connection reset by peer)] 22:00 -!- romero [n=user@193.219.160.109] has joined ##openvpn 22:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 110 (Connection timed out)] 22:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 22:10 < ecrist> evening, folks 22:35 < ecrist> fine, you guys suck 22:50 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 23:33 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 23:34 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 131 (Connection reset by peer)] --- Day changed Tue Mar 10 2009 01:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:52 < mjt> hi ecrist 01:52 < mjt> heh 02:18 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 02:19 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 02:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:18 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has joined ##openvpn 03:18 -!- simplechat_ is now known as simplechat 03:19 < Uranellus> ovpn-client[1817]: Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9) .. where should I look in order to fix this ? server or client conf? (btw this was log was ommited on the client side) 03:19 < krzee> cant push topology option 03:20 < Uranellus> krzee: I don't have any push lines on server side .. 
03:20 < krzee> do you have the word topology in either? 03:21 < Uranellus> or is it because I tempoary set duplicate-cn ? 03:23 < Uranellus> krzee: http://pastebin.ca/1357188 03:25 < Uranellus> hm, seems not bo be because of the duplicate-cn option .. just removed it from the server side, and still getting the same messages 03:26 < Uranellus> hm, server logs show 'PUSH_REPLY,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.1.38 10.8.1.37' (status=1) but why? 03:27 < Uranellus> server version is: OpenVPN 2.1_rc7 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008 (ubuntu 8.04) 03:31 < Uranellus> client version is: OpenVPN 2.0.9 arm-unknown-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 23 2007 03:32 < Uranellus> (debian 4.0) 03:32 < Uranellus> hm, seems to be a problem b/w 2.1 and 2.0.x 03:39 < Uranellus> unfortuanately the http://openvpn.net/index.php/documentation/miscellaneous/protocol-compatibility.html page contains nothing about this? 03:39 < vpnHelper> Title: Protocol Compatibility (at openvpn.net) 03:40 < Uranellus> hehe 03:41 < mjt> krzee: topology is pushable as far as i can see 04:00 < Uranellus> mjt: but not to a 2.0.x openvpn client .. 04:00 < Uranellus> well it looks like it's an error message in the logs, but the connection is fine anyway .. 04:51 < dazo> Uranellus: If you use topology on the server, I believe it is pushed implicit by the server to the client, even if you do not push it explicit 04:51 < dazo> Uranellus: and topology is only supported in OpenVPN 2.1 04:53 < Uranellus> dazo: any way to turn it off, serverside? 04:53 < dazo> Uranellus: it most probably works fine, because it manages to setup the routes correctly on the OpenVPN 2.0 client ... despite that the topology is not set correctly. But topology just changes how routing and addressing schemes are setup 04:53 < dazo> Uranellus: you must remove topology from the server config 04:53 < Uranellus> dazo: http://pastebin.ca/1357188 there's my conf .. 
04:54 < dazo> Uranellus: anyway, if it is possible for you to upgrade your clients ... I'd recommend you to upgrade them to 2.1RC15 (server as well, in fact) ... that's just as rock solid as the 2.0.9 04:54 < dazo> Uranellus: now that's interesting 04:57 -!- Mark____ [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn 04:57 < Mark____> !howto 04:57 < vpnHelper> Mark____: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:57 < Uranellus> dazo: but as I said, it seems not to influence the functionality .. therefore I might look over it .. 04:57 < Mark____> anyone looking into cuda and openvpn? 04:57 < mjt> cuda? 04:57 < Mark____> graphics card acceleration 04:57 < Mark____> using the stream processors 04:57 < dazo> Uranellus: I just quickly read about topology config in the man pages .... 'topology net30' is the default behaviour in openvpn 2.0 ... you can try to add that then in the config, but I'm not sure it will solve it 04:59 < dazo> Uranellus: anyway, really consider to upgrade to 2.1 ... 2.0.9 is not as updated as the 2.1_RC15 ... and the RC15, I believe, will become the final 2.1 release .... 2.1 has been in RC state for way too long already, and is by most distros considered to be the latest stable version 05:00 < Uranellus> dazo: ok thanks, will consider that 05:02 < dazo> Mark____: not afaik ... But that's really an interesting approach! 05:03 < Mark____> aes on an 8800gtx can get 8ish gbit/s 05:03 < dazo> Mark____: you could join the openvpn-devel mailing list and ask about it ... I'm sure more people will be interesting in this 05:03 < Mark____> a pentium 4 1.8 can do 64 mbit/s 05:03 < Mark____> thats AES-128 bandwidth 05:03 < dazo> Mark____: exactly! I'd love to see that in openvpn! :) 05:03 < Mark____> i mean, something like that might have to be done at the openssl or gnutls library level 05:04 < Mark____> but it could really set openvpn apart 05:04 < dazo> Mark____: that's true ... 
it most probably will need to go into the openssl libs, when I think about it .... and then all software using openssl will use that as an accelerator 05:05 < Mark____> yea ive got a ton of good ideas for cuda 05:05 < Mark____> but im no crypto-genious 05:05 < Mark____> lol 05:05 < dazo> Mark____: openssl already do have a plug-in interface of some kind for such accelerator cards ... so most likely here 05:05 < Mark____> im just a random guy with a 9600GT that doesnt play games and wants to put it to use 05:05 < dazo> Mark____: pity! Do you want to become one? ;-) 05:05 < Mark____> haha 05:05 < Mark____> no it takes a special kind of guy for crypto 05:05 < Mark____> im not indian or european 05:05 < Mark____> plus i dont have a big bushy beard 05:06 < dazo> Mark____: believe me .... big bushy beard just shows your personality, not your coding skills .... and I'm sitting among a lot of coders at work ;-) 05:06 < Mark____> but man, a 20mbit stream over my wireless network takes 20% of a sempron 2400+ 05:07 < dazo> Mark____: yeah, I know .... I'd love to see openssl and openvpn accelerated 05:07 < Mark____> have you looked at the prices of hardware vpn stuff? 05:08 < Mark____> like 6 grand for some junk that can only do 700mbit aes 05:08 < Mark____> when a 100 dollar graphics card can do an order of magnitude better 05:08 < Mark____> lol 05:08 < dazo> Mark____: no, not really ... well, I've looked at Soekris device with VPN accelerator ... that's not so bad, but the Linux driver seems not to be updated for a long time :( 05:08 < Mark____> i dont use vpn for anything 'serious' 05:09 < Mark____> more of an access control, but i had to look at the cost of hardware just for fun 05:09 < dazo> Mark____: the only thing which can be difficult ... 
is that the GPU must allow the main CPU to do other stuff than just graphics 05:09 < Mark____> well, the newer ones all support it 05:09 < Mark____> and ATI has something similar 05:09 < dazo> Mark____: but if that API is in place, it's really a goodie thing 05:10 < Mark____> i read a scientific paper from a guy who said it was more efficient to leave key scheduling on the main cpu 05:10 < Mark____> and just handle the algorithm in the gpu 05:10 < Mark____> would be nice to put compression on the gpu too 05:11 < Mark____> it will be nice when we reach a time when encryption and compression are essentially 'free' for the system 05:11 < dazo> Mark____: oh, I'm sure ... that's what Sony does in the Playstation 3 as well, with the Cell processors ... they can do much more that just the graphic ... 05:11 < Mark____> yes, but the ps3 locks the rsx graphics card (probably due to drm) since one of the early firmwares 05:11 < Mark____> sucks, cant use the ps3 for mythtv until we find a way to get into it :P 05:12 < dazo> Mark____: but you can't push it too far ... because it will take away some of the bandwidth of the internal buses on the mainboard .... you can't push all heavy duty to the GPU and let the CPU only do scheduling, unless the kernel code is heavily reworked 05:12 < Mark____> yea 05:12 < Mark____> 8gbit was theoretical 05:12 < Mark____> was like 8.24 exactly 05:13 < dazo> Mark____: yeah, but even 1/8 of that is still better than most CPUs 05:13 < Mark____> well, it wasnt 'theoretical' but it was in a lab setting 05:13 < Mark____> no network, like you said 05:13 < Mark____> which will probably eat a few gbit of that 05:14 < dazo> Mark____: so that's really not a bad case ... and in this setting, I believe it is doable ... but it also depends on the intern bus architecture on the main board as well ... if that bus can only push 400MBit ... 
it's not much useful anymore 05:14 < Mark____> well 05:14 < Mark____> 400mbit is still much better than the cpu 05:14 < Mark____> lab results for the p4 1.8ghz were 64mbit 05:15 < Mark____> http://www.google.com/url?sa=U&start=2&q=http://www.manavski.com/downloads/PID505889.pdf&ei=lD22SaTFConYsAOQj_T2CA&usg=AFQjCNGCbAWFAmGOqCSd3-HJFB6cQqCDZA 05:15 < Mark____> they only got 1.53mbit on a geforce 3 05:15 < Mark____> hacking the card to do aes with opengl routines 05:15 < Mark____> lol 05:17 < Mark____> As the final results show, 05:17 < Mark____> moving the data to and back from the device memory may 05:17 < Mark____> become the slowest operation when doing cryptography on the 05:17 < Mark____> GPU. It is due to the bandwidth of the PCIExpress interface 05:17 < Mark____> which is only about 3,2 GB/s compared to the 50 GB/s of the 05:17 < Mark____> onboard memory of the GeForce 8800 graphics card. 05:17 < Mark____> ahh 05:17 < Mark____> oops, sorry, thought it would paste as one line 05:18 < Mark____> the 8800 was 19.60x faster than the p4 3.0ghz they used 05:18 < dazo> Mark____: yeah ... well, this will come more and more ... for sure! :) 05:18 < Mark____> aes-256 had a max bandwidth of 6.65gbit 05:18 < Mark____> if the bus is the limiting factor 05:19 < Mark____> might as well use aes-256 lol 05:21 < dazo> Mark____: heh ... but another thing ... what will also come more and more are CPU and GPU which are integrated ... so when you buy the next-gen CPU, it will also contain the GPU unit .... and that's probably also to make better use of the power in the GPU unit ... 
and when CPU and GPU is inside the same CPU shell, the efficiency will be even higher, as the internal bus inside the CPU is even beefier than the motherboard buses 05:21 < Mark____> hmm 05:21 < Mark____> i wonder what the api will be for that 05:22 < Mark____> the thing about cuda is 05:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:22 < Mark____> nvidia sells beefed up ones 05:22 < dazo> Mark____: it will be the same as before ... but now the instruction goes to the CPU which then instructs the GPU what to do with what memory segments 05:22 < Mark____> just for number crunching 05:22 < Mark____> ahh so a new instruction set probably 05:22 < Mark____> gcc will have to do all the work :P 05:22 < Mark____> lol 05:23 < dazo> Mark____: Might be ... but not necessarily ... it could still use the same API ... but the instructions to the GPU would no longer pass over the motherboard buses, but just pass over to the GPU on the internal bus in the CPU unit 05:24 < dazo> Mark____: most probably the CPU would then have an extra set of data-buses which would be connected to the video-ram (which needs to be of even higher speed than normal DRAM) 05:24 < Mark____> probably a lot of l3 or something 05:25 < dazo> Mark____: and then it might sit a "graphic producer" on the "other side" of the VRAM which than produces images of whats stored in the VRAM 05:25 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:26 < Mark____> yea, just a small chip to drive the output 05:26 < dazo> There are several VRAM types ... and one of the types have 1 read/write bus and 1 read-only bus, which such a "graphic producer" usually is attached to 05:27 < dazo> Mark____: exactly ... so I believe we will see that CPU and GPU will melt more and more together .... 
and then you'll have even more throughput for number crunching (which encryption surely is all about) on the CPU uni 05:27 < dazo> t 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:28 < Mark____> i wonder if that will split intel/amd 05:28 < Mark____> maybe all of x86 05:28 < Mark____> if they both try to put gpu/cpu together 05:28 < dazo> Mark____: and in reality ... it ends up with where we were 20 years ago .... a "powerful" CPU and a video card which basically just knew how to produce video signals out of VRAM .... but it just goes a lot quicker in this "new" version 05:29 < dazo> Mark____: Neither ATI nor nVidia will choose only AMD or Intel .... they will work with both of them, that's for sure .... the question is more if AMD and/or Intel want's to work with ATI and nVidia 05:29 < Mark____> well amd bought ati 05:30 < Mark____> intel is working on their own gpu/cpu combo on their roadmap 05:30 < Mark____> i dunno what nvidia is doing 05:30 < dazo> Mark____: oh, true! I forgot ... then that's for sure a partnership ... which actually makes it very much interesting ... because that makes it very much likely that Intel+nVidia will be uniting 05:31 < dazo> I'm not sure AMD wants to share the ATI ideas with Intel, at least not in the beginning 05:31 < mjt> btw, nvidia had more success with amd so far, i think. That is, more successful chipsets 05:31 < mjt> or maybe not recently 05:36 < dazo> mjt: yeah, AMD was better at several points compared to the Intel P3 and P4 ... but from Intel Pentium D and the Core series, AMD went behind again. AMD was early and aggressive on the 64bit architecture ... but when Intel then finally decided to focus much more on the x86_64 architecture instead of Itanium ... it went to Intels favour again 05:38 < dazo> mjt: the challenge AMD have, is that they need to be compliant with the vast majority of the Intel instructions .... 
they can add their own extra things, but they always needs to have a certain compatibility set ... it's not easy to become leading in this scope 05:39 < Mark____> rofl, i couldnt figure out why topology subnet wasnt working 05:40 < Mark____> gentoo, bleeding edge gentoo 05:40 < Mark____> has 2.0.7 as latest in portage 05:40 < Mark____> even my ubuntu has 2.1........... 05:42 < dazo> Mark____: yeah, Gentoo's openvpn developer is not staying much updated ... I've been wondering if I should help out here 05:42 < dazo> Mark____: I believe 2.1_RC15 is just keyworded as unstable ... I think I heard something about that some weeks ago 05:42 < Mark____> well i found there is a package 05:42 < Mark____> yea 05:42 < Mark____> i dont like unmasking things though 05:43 < dazo> Mark____: I'm running RC15 on Gentoo Hardened .... and it's rock solid 05:43 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 05:43 < lclimber> hello guys, i have a question, is there a way to enable the forward bit on a windows system as you do it on linux?? 05:51 < dazo> lclimber: on WinXP I believe you can mark somewhere in the GUI that "I want to share Internet via this interface", or something like that .... most probably properties on the interface 05:51 < lclimber> thanks dazo 05:52 < dazo> lclimber: I'd believe that enables some kind of routing .... but I'm not a windows guru, so others might have better clues 05:52 < reiffert> enabling sharing Internet enables NAT. 05:52 < dazo> lclimber: ^^ ... I was wrong :( 05:53 < reiffert> Thats the point where XP starts playing tricks with me, insisting to own 192.168.1.1, which is exactly the point where I stopped using Windows. 05:54 < dazo> reiffert: haha ... Windows do have quite some guts :-P 05:54 * dazo stopped using Windows back in '96 05:55 < reiffert> I started using Linux by that time. 
05:55 < lclimber> the thing is that i established a vpn connection from a windows system to my linux vpn server, now i need to be able to connect to a network wich is connected to a different nic on the windows machine, now i set a route on my vpn server that routes all the packages going to the net of the nic number 2 on my windows machine through the tunnel, but i am still not able to establish any kind of connection, do you have any suggestions? 05:56 < reiffert> lclimber: look whats going on on those interfaces by the help of wireshark 05:56 < reiffert> and tcpdump for the linux case. 05:56 < dazo> lclimber: suggestion find an relatively old PC ... install Linux ... and use that instead for openvpn routing:-P 05:57 < lclimber> dazo, well that would be great, unfortunatly i don't have any pc's availables 06:00 < dazo> lclimber: pity :( 06:01 < dazo> lclimber: and no old router of any kind ... which could run openwrt/x-wrt or other linux based firmwares? 06:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn 06:01 < reiffert> erm, and now you insist following crazy proposals? 06:02 < dazo> (though throughput might not be too efficient) 06:02 < dazo> reiffert: You cannot achieve the impossible without attempting the absurd! ;-) 06:03 < reiffert> How about first trying the obvious to get finished? 06:03 < dazo> reiffert: details, details, details ... 06:03 -!- Uranellus [n=Uranellu@unaffiliated/uranellus] has left ##openvpn [] 06:03 * dazo is hungry .... going for lunch ... 06:03 < lclimber> good reflexion dazo, but i think i have a routing problem on the vpn server, i'll try to figure it out, and i'll let you know if it works 06:04 < dazo> lclimber: sure ... yeah, that's probably sensible if you think the problem is there :) 06:05 < reiffert> sigh. 
06:05 < reiffert> dont think and guess, start a packet dumper and *know* 06:12 -!- sts_ [n=sts@hmm.ono.at] has joined ##openvpn 06:12 -!- sts_ [n=sts@hmm.ono.at] has left ##openvpn [] 06:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 07:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 07:13 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 07:14 < ecrist> good morning, folkd 07:14 < dazo> ecrist: good morning, sir! 07:14 < ecrist> sir?!? 07:14 < ecrist> I work for a living... 07:15 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit] 07:15 < dazo> ecrist: nahh ... it's just the "International ecrist sir day" today 07:16 < ecrist> oh, I must have missed that one. 07:17 < dazo> You should read more news :-P 07:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 07:31 < mjt> hi ecrist ! 07:39 < ecrist> hi mjt 07:42 < ecrist> why so many ctcps? 08:12 < mjt> just one 08:12 < mjt> (was afk for a bit) 08:12 < ecrist> /ignore * CTCPS 08:13 < reiffert> hehe: 14:12 [freenode] CTCP Tue reply from temba: Mar 10 14:12:42 2009 08:13 < reiffert> he changed TIME to Tue 08:13 < mjt> noticed you said 'he' before, i replied but it was too late - 04:something your time 08:13 < mjt> hi 08:14 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 08:23 < mjt> ecrist: btw, your time is off by 8 minutes, it seems. 08:25 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 08:26 < ecrist> mjt, when you said that yesterday, I fixed my time. 08:27 < ecrist> so, your CTCP TIME from 01:52 this morning would have had the correct time. 
08:27 < ecrist> :\
08:30 < reiffert> looks ok 14:12 [freenode] CTCP TIME reply from ecrist: Tue Mar 10 08:12:34 2009
08:32 < mjt> ecrist: ok i didn't know
08:36 < ecrist> mjt, you did a CTCP TIME yesterday, and this morning. my time was corrected between the two, so you *did* know, you just chose not to pay attention.
08:40 < mjt> nitpicker ;)
08:41 < ecrist> I get irritated at nosy people. :P
08:42 < mjt> nosy?
08:42 < ecrist> nosey?
08:43 < mjt> damn. the online dictionary is down.
08:44 < ecrist> as in, putting your nose where it doesn't belong. like my system time.
08:44 < mjt> aha
08:44 < mjt> well, it's somewhat unfair about "doesn't belong"
08:45 < mjt> someone pinged you and i checked what time it is at your timezone
08:45 < mjt> because i was thinking it's night at your side
08:45 < mjt> nothing wrong with that, i think. Do you think differently?
08:46 < mjt> i've no idea which timezone you're at. and if you're supposed to be sleeping or whatever.
08:46 < mjt> ctcp time helps
08:46 < ecrist> fair enough
08:46 < mjt> nosy -- "unduly curious about the affairs of others; prying; meddlesome"
08:46 < mjt> got it
08:47 < mjt> (english isn't my native language as you may have guessed ;)
09:14 < mjt> blah
09:14 < mjt> RESOLVE: Cannot resolve host address: [...]: [TRY_AGAIN] A temporary error occurred on an authoritative name server.
09:15 < mjt> that's an... interesting error description.
09:43 < ecrist> what's wrong with it?
10:08 -!- onats__ is now known as onats
10:11 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
10:12 < toddoon> hi how do i set my account to access a vpn network because it said Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13)
10:15 < dazo> toddoon: you need to start openvpn with root privileges
10:16 < toddoon> dazo: ok
10:16 < toddoon> you mean the client
10:16 < toddoon> ?
10:17 < ecrist> yes
10:18 < dazo> toddoon: client or server, doesn't matter ... openvpn needs to be started with root privileges, no matter what you want to do
10:26 -!- onats [n=onats@122.53.136.244] has quit [Remote closed the connection]
10:37 < ecrist> norton is having a bad day
10:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:58 -!- eliasp_ is now known as eliasp
11:55 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
11:55 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit [Client Quit]
11:58 < ecrist> you guys are boring today
12:06 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn
12:13 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
12:16 -!- Irssi: ##openvpn: Total of 55 nicks [0 ops, 0 halfops, 0 voices, 55 normal]
12:22 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"]
12:27 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit [Client Quit]
12:47 < nemysis> Could I place replay-persist file in /var/tmp or /etc/openvpn?
12:49 < ecrist> where ever you want, I think
12:54 < dazo> nemysis: if you have SELinux enabled, you might get some issues if the context on the directories are wrong
12:55 < nemysis> I don't have SELinux
12:56 < nemysis> i think is better /var/tmp this is 20GB and / is only 4GB
12:57 < dazo> nemysis: I would probably avoid such files in tmp dirs ... rather create a /var/openvpn or /var/lib/openvpn ... or something like that
12:57 < dazo> tmpdirs might be cleaned up regularly, depending on your distro
12:58 < nemysis> thanks I use Gentoo /var/openvpn is good
12:59 < dazo> nemysis: Gentoo is good too :)
12:59 < dazo> Gentoo do not clean up too much automatically, unless enabled in /etc/rc.conf (iirc) ... but it can do that on boot if enabled
13:00 < nemysis> Yes I am moderator for Linux and use Gentoo since 2002 i have in openvpn.conf now replay-persist /var/lib/openvpn/persist.file
13:04 < ecrist> you are a moderator for linux?
13:04 < dazo> nemysis: then you're a bigger Gentoo guru than I am ;-)
13:04 < dazo> c'ya guys!
13:05 < nemysis> I love Gentoo much and use only Fluxbox not KDE or Gnome
13:06 < nemysis> I am moderator for Linux on ES forums
13:07 < dazo> (before I hit for the door now) nemysis: we should try to get some speed up to Gentoo to get openvpn-2.1_RC15 up to become stable in Gentoo ... and have a good look at ssl-admin which krzee and ecrist have been working on as well
13:08 < dazo> nemysis: we can catch up that thread tomorrow again, if you are interested
13:08 < nemysis> I use this Version
13:15 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:26 < ecrist> \
13:49 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"]
13:59 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 104 (Connection reset by peer)]
13:59 -!- gejr [n=gejr@unaffiliated/gejr] has joined ##openvpn
14:10 -!- Perun [n=perun@2001:6f8:1316:1234:216:3eff:fe07:3160] has quit [Read error: 104 (Connection reset by peer)]
14:36 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:37 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has joined ##openvpn
14:41 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:29 -!- Mark____ [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Read error: 110 (Connection timed out)]
15:31 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:48 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
15:54 < Roman123> hi
16:59 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
16:59 < sigmonsays> can open vpn server.conf handle includes of any kinda?
17:01 < hads> I've not seen it mentioned
17:02 < sigmonsays> my problem is how to slice up my dhcp pools. I'd like to template'ize my configs
17:02 < sigmonsays> so i'm giving a /24 for each openvpn servers
17:02 < sigmonsays> but i cant include the unique portion :(
18:07 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:11 < sigmonsays> my openvpn clients are doing nat and I don't know why
18:11 < sigmonsays> i'd like to have openvpn not rewrite the packet as I have my network configured appropriately
18:30 < sigmonsays> !route
18:30 < vpnHelper> sigmonsays: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
18:32 -!- Kalavera [n=Kalavera@190.8.151.14] has joined ##openvpn
18:32 -!- Kalavera [n=Kalavera@190.8.151.14] has quit [Client Quit]
18:33 < sigmonsays> !topology
18:33 < vpnHelper> sigmonsays: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:33 -!- Kalavera [n=Kalavera@190.8.151.14] has joined ##openvpn
18:34 < Kalavera> hello I have a problem with my openvpn configuration
18:39 < sigmonsays> what's up Kalavera ?
18:39 < Kalavera> my tun/tap interface is up
18:40 < Kalavera> IPs are up
18:40 < Kalavera> but I can't have communication between networks
18:40 < sigmonsays> i'm trying to figure out a similar issue
18:41 < sigmonsays> I have my vpn server doing nat
18:41 < sigmonsays> but I don't want it to do nat
18:41 < sigmonsays> and just want it to "route" the packets
18:41 < sigmonsays> Kalavera, You may be able to iptables -t nat -A POSTROUTING -j MASQUERADE
18:42 < Kalavera> ohhhh
18:42 < Kalavera> let me try
18:42 < sigmonsays> I personally don't want nat
18:42 < sigmonsays> because then everywhere they go appears as the IP of ur vpn server
18:43 < sigmonsays> i can't figure out how to turn that off though :(
18:43 < Kalavera> mmm each remote network ?
18:43 < Kalavera> 192.168.2.x 192.168.3.x and 192.168.4.x ?
18:44 < Kalavera> mmm nop didn't work
18:45 < sigmonsays> heh
18:46 < Kalavera> I don't have firewall rules yet
18:46 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
18:46 < Kalavera> I mean INPUT, FORWARD and OUTPUT
18:47 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
18:52 < sigmonsays> I just need to figure out how to make linux route packets
18:56 < Kalavera> lol
18:56 < Kalavera> I am having this problem
18:56 < sigmonsays> ;)
18:56 < Kalavera> RTNETLINK answers: No such process
18:56 < sigmonsays> weird!
18:56 < Kalavera> when I tried to apply an ip route
19:09 < Kalavera> why I have two configurations? one as client and one as server ?
19:23 -!- Kalavera [n=Kalavera@190.8.151.14] has quit [Read error: 60 (Operation timed out)]
19:43 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:53 < sigmonsays> Hrm: MULTI: no free --ifconfig-pool addresses are available
19:53 < sigmonsays> what does this mean
20:13 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
20:18 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: dazo, eliasp
20:18 -!- Netsplit over, joins: eliasp, dazo
20:23 -!- eliasp [n=quassel@78.43.213.203] has quit [Connection timed out]
20:28 < ecrist> evening, folks
21:37 -!- Maxtehmantus [n={}{}{}{}@ntuS.uni.cc] has quit [Nick collision from services.]
22:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
23:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
23:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
--- Day changed Wed Mar 11 2009
00:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:25 -!- eliasp_ [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
00:25 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
00:31 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn
01:05 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn
01:07 < Natilous> Hi,all .. I wanna run a LanAccounting server..can u Help me or give me a Document to do it?
01:10 < Natilous> any help ?
01:19 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn []
01:25 -!- mjt [n=mjt@isrv.corpit.ru] has quit ["reboot"]
01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:49 -!- enzotib [n=enzotib@unaffiliated/enzotib] has joined ##openvpn
02:50 < enzotib> !logs
02:50 < vpnHelper> enzotib: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
02:51 < enzotib> !configs
02:51 < vpnHelper> enzotib: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
03:03 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn
03:04 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn []
03:09 -!- Natilous [n=natilous@194.225.128.240] has joined ##openvpn
03:09 < Natilous> Hey .. how can i run LanAccounting ?
03:09 < Natilous> anyone can help me ?
03:12 -!- enzotib [n=enzotib@unaffiliated/enzotib] has left ##openvpn ["Fuori servizio - Ricevuto segnale 15"]
03:12 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has joined ##openvpn
03:14 < enzotib_> hi all, I would to connect two machine with openvpn point to point, I have the following configurations and log files http://pastebin.com/m572f5a8b , needless to say it doesn't work
03:17 < enzotib_> when the client (is a laptop) is on the same network as the server, the connection is established correctly
03:40 -!- Natilous [n=natilous@194.225.128.240] has left ##openvpn []
03:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:10 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
04:10 < toddoon> hi after initialization sequence completed i have WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.3.0.0 255.255.255.0'
04:12 < toddoon> what does it mean and how do i fix it?
04:14 < enzotib_> toddoon, there is a "ifconfig" line in the remote config file?
04:16 < toddoon> enzotib_: i am not the administrator of the server so i don't know
04:16 < toddoon> but for people who are working with Windows it works
04:17 -!- Mark_ [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn
04:17 < enzotib_> toddoon, apart from that warning, it works or not?
04:18 < Mark_> anyway to selectively pull pushed options?
04:18 < Mark_> i.e. i want the ip address the server gives but i dont want its routes
04:18 < Mark_> are there environment variables i can script something up with?
04:20 < toddoon> enzotib_: i have difficulty to ping others virtual clients, for example i could ping 10.3.0.10 which is the openvpn server but not 192.168.0.51 which is the same computer but with nat address
04:21 < Mark_> does the client know the route?
04:21 < Mark_> is the client linux?
04:21 < toddoon> i am on linux (the client) and the server is Windows :p
04:21 < Mark_> okay well
04:21 < Mark_> type ip route
04:22 < Mark_> do you have a route to 192.168.0 ?
04:22 < toddoon> wait i paste the result
04:22 < enzotib_> by the way, I have a connection problem, some info: http://pastebin.com/m572f5a8b
04:22 < toddoon> http://pastebin.com/m4c502da8
04:23 < Mark_> okay toddoon,
04:23 < Mark_> i see you have a route to 192.168.0.x
04:23 < Mark_> but its over eth0, not the openvpn interface
04:23 < toddoon> yes
04:23 < toddoon> ok
04:23 < Mark_> also
04:24 < Mark_> your using bridge mode (dev tap)
04:24 < toddoon> http://pastebin.com/m5c8af26a
04:25 < toddoon> i am using tap yes
04:25 < Mark_> you have an odd configuration for what you are doing
04:25 < Mark_> so your linux computer is 192.168.0.25 is on network 1
04:26 < toddoon> yes
04:26 < Mark_> and you have a windows computer as a server.. is that on the same network or different network
04:26 < toddoon> thats my openvpn conf http://pastebin.com/m52dbc72f
04:27 < toddoon> Mark_: on a different network
04:27 < Mark_> well
04:27 < Mark_> the problem is
04:27 < Mark_> both private networks are the same ip address
04:27 < Mark_> also
04:27 < Mark_> bridge mode would mean giving the client an ip address on the same network
04:27 < Mark_> client is 192.168.0.x
04:28 < Mark_> server is 192.168.0.x
04:28 < toddoon> i have some difficulties to understand what you said but it is interesting
04:28 < Mark_> cannot tell 'which 192.168.0.x' to choose
04:28 < toddoon> yes certainly
04:29 < toddoon> client is 192.168.0.25
04:29 < Mark_> it will be hard to link these with vpn
04:29 < Mark_> because of the address collision
04:29 < toddoon> server is 192.168.0.51
04:29 < toddoon> erf
04:29 < Mark_> yes but both are 192.168.0.
04:29 < Mark_> so the client cannot decide which to choose
04:30 < toddoon> ok it is a poor server configuration the 'admin' didn't know a lot apparently
04:30 < toddoon> isn't there a solution because with Windows it works some times :p
04:31 < Mark_> you could do some really nasty hacks
04:31 < Mark_> hehe
04:31 < Mark_> nothing easy
04:31 < toddoon> ^
04:31 < toddoon> ok
04:32 < toddoon> so leave it i hope that i haven't to use a lot this 'vpn'
04:32 < Mark_> yea i mean with tap you are supposed to have a bridge too
04:32 < Mark_> its weird
04:33 < toddoon> lol
04:33 < Mark_> basically with tap device its a bridged vpn
04:34 < Mark_> you wouldnt use 10.3.0.8
04:34 < Mark_> would give it an address from the servers subnet
04:34 < toddoon> ok
04:35 < Mark_> anyway
04:35 < Mark_> enzotib_,
04:35 < Mark_> whats your issue
04:35 < Mark_> im a novice but i might be able to help
04:36 < enzotib_> Mark_, in the pastebin you could see the config and log files
04:36 < enzotib_> but I cannot connect
04:37 < Mark_> well
04:37 < Mark_> you are using udp
04:37 < Mark_> maybe thats your snag
04:37 < Mark_> try setting proto tcp in your server config
04:38 < enzotib_> uhm
04:38 < enzotib_> ok
04:38 < Mark_> cus i see your nmap shows tcp 80 listening
04:38 < enzotib_> yeah, you're right
04:38 < enzotib_> but I cannot test it now, i'm not at home
04:39 < Mark_> also your configuration looks like its missing some things
04:39 < Mark_> so im not sure it will work like you want it
04:40 < Mark_> also in my config im just using port xxx
04:40 < Mark_> not lport
04:40 < Mark_> works fine
04:42 < enzotib_> Mark_, when the laptop is in the same network of the server the connection works fine
04:42 < enzotib_> so I think it is a firewall problem, and the tcp/udp problem can really be the point
04:42 < Mark_> ahh ye
04:42 < Mark_> a
04:44 < Mark_> id just use netstat to double check what its listening on
04:47 < enzotib_> Mark_, the server: udp 0 0 0.0.0.0:80 0.0.0.0:* 10521/openvpn
04:48 < enzotib_> so "proto tcp" is the line to add to the config file?
04:48 < enzotib_> to both ends
04:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:58 -!- eagle [i=eagle@ar.en.elak.jultomte.net] has quit [Read error: 104 (Connection reset by peer)]
04:59 < Mark_> yea
04:59 < Mark_> well on the linux client
04:59 < Mark_> it depends on your config
04:59 < Mark_> but something like
04:59 < Mark_> proto tcp-client
04:59 < Mark_> remote 1.2.3.4 80
04:59 < Mark_> would do the trick
05:00 < enzotib_> thanks very much Mark_
05:00 < Mark_> np
05:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
05:28 < mRCUTEO> hiya krzee
05:28 < mRCUTEO> :D
05:32 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [Client Quit]
05:32 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
05:33 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn
05:34 < mf_417> hi, is there any solution to manage user's bandwidth over vpn?
05:35 < mf_417> I mean max width + max monthly download limit
05:36 < Mark_> nothing built into openvpn
05:36 < Mark_> but you could do something with iptables/linux
05:36 < dazo> mf_417: not in openvpn ... but you can use your OS' own mechanism for doing that on the virtual interface (tun/tap)
05:36 < Mark_> actually im pretty sure you can attach qdiscs to the vpn interface
05:36 < Mark_> to do rate limiting yea
05:37 < dazo> mf_417: ^^ Mark_ got straight to the point
05:37 < mf_417> dazo: u mean something like cbq or tc over tap0 ?
05:37 < Mark_> yea
05:37 < Mark_> that can handle rate limiting
05:37 < dazo> mf_417: I've never tried it ... Mark_ seems to know very well :)
05:37 < Mark_> as far as 'accounting'
05:37 < Mark_> for monthly limits
05:37 < Mark_> well i dont know personally, but
05:37 < Mark_> 4: tun0: mtu 1500 qdisc pfifo_fast qlen 100
05:38 < Mark_> pfifo_fast is the default qdisc
05:38 < Mark_> so it makes sense that you could replace it
05:38 < Mark_> like any other interface
05:38 < Mark_> 2: eth0: mtu 1500 qdisc htb qlen 1000
05:38 < Mark_> etc
05:38 < mf_417> traffic on tun0 is encrypted ?
05:38 < dazo> mf_417: that's inside the tunnel ... so the traffic here is the unencrypted one
05:38 < Mark_> if you setup openvpn correct, it will be encrypted between the tun devices
05:39 < Mark_> but you can still see unencrypted with something like
05:39 < Mark_> tcpdump -i tun0
05:39 < Mark_> because its not encrypted until it leaves tun0
05:39 < Mark_> if you tcpdump -i eth0, you will see its all encrypted
05:39 < Mark_> (assuming tun0 tunnels through eth0)
05:39 < mf_417> u mean input traffic is UNencrypted and output traffic is ENcrypted?
05:40 < dazo> -> tun0 -> openvpn(encrypt/decrypt) <-> internet <-> openvpn(encrypt/decrypt) -> tun0 -> (unencrypted traffic)
05:40 < Mark_> well it depends on your definition of input and output
05:40 < Mark_> exactly, dazo explains it well
05:41 < mf_417> So I can easily manage bandwidth by tc
05:41 < Mark_> yes
05:41 < Mark_> accounting though, there are many options
05:41 < mf_417> Now, how I can manage monthly download limits?
05:41 < Mark_> i know iptables can count packets
05:42 < dazo> mf_417: for quotas ... like monthly limits .... that's more tricky ... You would need to log the traffic amount, which is logged by openvpn ... parse it, store it ... and then control the access somehow ....
05:42 < mf_417> ok, if iptables can count, I can write a script that do it
05:42 < Mark_> there are also some programs i think
05:43 < Mark_> that can do it all automatically
05:43 < dazo> mf_417: I've been working on another project related to improving authentication and access control to the network .... http://www.eurephia.net/ ... I log that information in an SQLite database .... so I guess it would be possible to extend this to include limits per account
05:43 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
05:43 < Mark_> ive only done rate limiting, never have kept track of per ip bandwidth (just use cacti and stuff for an entire server)
05:44 < dazo> mf_417: and it could be restricted on either iptables level (which means that the client would be able to connect with openvpn) ... or to "disable" the openvpn account, denying openvpn connections
05:44 < Mark_> openvpn-status has some information too about bandwidth
05:44 < Mark_> as dazo said (i didnt know this before)
05:44 < Mark_> hehe
05:45 < mf_417> Mark_: can u remember name of that programs that u said can do the job automatically?
05:45 < Mark_> no ive never used, i just remember reading about them over the years
05:45 < Mark_> i just found a script you might be able to modify
05:45 < Mark_> http://wiki.openvz.org/Traffic_accounting_with_iptables
05:45 < vpnHelper> Title: Traffic accounting with iptables - OpenVZ Wiki (at wiki.openvz.org)
05:46 < mf_417> tanx a lot Mark_ and dazo
05:47 < dazo> mf_417: np! you're welcome
05:48 < Mark_> i found something called ipac-ng too
05:48 < Mark_> http://martybugs.net/linux/ipac.cgi
05:48 < vpnHelper> Title: Bandwidth Monitoring with ipac-ng (at martybugs.net)
05:48 < Mark_> looks kind of crappy
05:49 < Mark_> iptables is probably best
05:49 < Mark_> so you can put specific rules
05:49 < mf_417> Mark_: tanx, I'll check it too
05:51 < Mark_> uh oh
05:51 < Mark_> http://www.microsoft.com/technet/security/bulletin/MS09-006.mspx
05:51 < Mark_> sounds serious
05:54 < dazo> "The most serious vulnerability could allow remote code execution if a user viewed a specially crafted EMF or WMF image file from an affected system." ...
05:54 * dazo would like to figure out how
05:54 < dazo> :-P
05:54 < Mark_> it freaked me out when virtualbox restarted
05:55 < Mark_> i thought it crashed
05:55 < Mark_> thats the first time ive ever seen windows automatically reboot without any user input for windows update
05:55 < Mark_> thats why i said it must be serious
05:55 < dazo> Mark_: probably just Microsoft trying out this vulnerability :-P
05:55 < dazo> on your box
05:56 < mf_417> Mark_: u can simple exploit it by metasploit + one crafted wmf + a link to your file on your valid-ip server
05:56 < dazo> And it basically covers all Windows version which is still "valid" ...
05:56 < mf_417> I think it is a vul. in picture viewer of microsoft
05:57 < dazo> mf_417: ...... strike "picture viewer of" .... and you'll get it right
05:59 < mf_417> I saw a video about this vul.
05:59 < mf_417> a cracker breaks into on machine that was behind NAT and Firewall
06:00 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"]
06:01 < Mark_> well
06:01 < Mark_> whats sad is
06:01 < dazo> mf_417: yeah, of course ... send a corrupt picture which opens an SSL encrypted tunnel via port 443 to your own cracker-server ... and you'll basically have it
06:01 < Mark_> it affects everything
06:01 < Mark_> windows 2000 to 2008/vista
06:01 < Mark_> its like they copy and paste bad code for 10 years
06:01 < Mark_> lol
06:01 < dazo> Mark_: you think they don't do that? :-P
06:02 < dazo> If they didn't ... it might be even less errors :-P
06:02 < Mark_> a kernel mode bug too
06:03 < dazo> But the fun thing .... a lot of people hate the UAC in Vista .... but that came to improve all these weaknesses ....
06:03 < dazo> so it can't be easy being Microsoft too :-P
06:04 < Mark_> t Microsoft rates as critical but in the exploitability index they rate it a "3 - Functioning exploit code unlikely" and add that "Consistent denial of service is more likely than reliable, functional code execution."
06:05 < Mark_> of course
06:06 < Mark_> this is like the 800th exploit in gdi
06:06 < Mark_> so theres probably 10 more now
06:08 < dazo> :-P
06:16 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
06:16 < L|NUX> hello every one
06:16 < Mark_> hi
06:17 < L|NUX> Mark_: i have very strange issue
06:17 < Mark_> whats up
06:18 < L|NUX> i have installed openvpn b/w two linux boxes one is acting as server another one is acting as client
06:18 < L|NUX> now when i start client i keep getting this error
06:18 < L|NUX> Mar 11 17:35:31 bangladesh openvpn[21051]: TLS: Initial packet from 61.78.75.92:1194, sid=77c642a9 b2b0c8fb
06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=KG/ST=NA/L=BISHKEK/O=OpenVPN-TEST/CN=korea.vplphone.com/emailAddress=info@korea.vplphone.com
06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS Error: TLS object -> incoming plaintext read error
06:18 < L|NUX> Mar 11 17:35:32 bangladesh openvpn[21051]: TLS Error: TLS handshake failed
06:18 < L|NUX> i have tried to create keys manually but same issue is coming again and again :(
06:19 < Mark_> hmm
06:19 < L|NUX> any idea ?
06:21 < Mark_> hmm
06:21 < Mark_> is date/time correct on both servers?
06:21 < L|NUX> lemme check
06:22 < L|NUX> [root@bangladesh keys]# date
06:22 < L|NUX> Wed Mar 11 17:39:06 BDT 2009
06:22 < L|NUX> [root@bangladesh keys]#
06:22 < L|NUX> [root@korea openvpn]# date
06:22 < L|NUX> Wed Mar 11 20:52:50 EDT 2009
06:22 < L|NUX> [root@korea openvpn]#
06:22 < L|NUX> 2nd one is server time :$
06:22 < L|NUX> should i change timezone ?
06:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
06:23 < Mark_> no
06:23 < Mark_> but make sure are correct
06:23 < Mark_> like
06:23 < Mark_> its not 20:52 EDT
06:23 < Mark_> its 6 or 7 AM eastern time
06:23 < Mark_> lol
06:24 < L|NUX> let me change on client server same timezone
06:24 < L|NUX> :)
06:24 < Mark_> if korea is really in korea, fix timezone
06:24 < Mark_> lol
06:24 < Mark_> if korea is on east coast usa, then time is way wrong
06:24 < Mark_> lol
06:24 < L|NUX> its in korea
06:25 < L|NUX> what time is it in EDT ?
06:25 < L|NUX> let me know
06:27 < Mark_> do you have ntpdate installed?
06:27 < Mark_> just type ntpdate -u time.nist.gov
06:27 < Mark_> will set clock to atomic clock
06:28 < dazo> L|NUX: which distro are you using?
06:28 < L|NUX> nope
06:28 < L|NUX> ok
06:28 < L|NUX> lemme update
06:28 < L|NUX> centos
06:28 < L|NUX> centos 4.4
06:28 < dazo> L|NUX: openvpn version?
06:29 < L|NUX> 2.0.9
06:29 < L|NUX> on both ends
06:29 < Mark_> i think its a time issue
06:30 < dazo> L|NUX: even though 2.1RC15 is not officially announced as the stable release .... it is just as solid and stable as 2.0.9 ... I recommend updating to that version
06:30 < dazo> Mark_: you might be right
06:30 < L|NUX> dazo: but i have sync my time ntpdate -u time.nist.gov
06:31 < Mark_> sync time and still failure?
06:31 < Mark_> "certificate is not yet valid"
06:31 < Mark_> not yet
06:31 < Mark_> so i think when you created it
06:31 < Mark_> it was in the 'future'
06:31 < Mark_> hehe
06:32 < L|NUX> tes
06:32 < L|NUX> re-creating cert
06:39 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn []
06:39 < L|NUX> works
06:39 < L|NUX> :0
06:40 < L|NUX> Mark_: thanks
06:41 < Mark_> np
06:57 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has joined ##openvpn
06:58 < m31k0r> hello folks!
06:58 < m31k0r> I have a problem in a network2network configuration 06:59 < m31k0r> if I ping from one site to another arribes but not in the other way 06:59 < m31k0r> if you use tcpdump 06:59 < m31k0r> then you see that ping are arriving good to the nic 06:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:00 < m31k0r> but when the openvpn changes de packets from the eth0 to the tun0 07:00 < m31k0r> then the origin Ip is changed to the tunnel entry point one 07:00 < m31k0r> does any body understands what is happening here? 07:03 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [] 07:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:18 < ecrist> good morning, folks 07:19 -!- hads_ [n=hads@argon.nice.net.nz] has joined ##openvpn 07:19 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection] 07:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:35 < dazo> m31k0r: a couple of things to check out .... if running Linux, make sure /proc/sys/net/ipv4/ip_forward is set to 1 07:36 < dazo> m31k0r: then check your firewall config ..... allow traffic to/from tun/tap devices (depending on your config) to pass in the FORWARD chain (in Linux) 07:37 < dazo> m31k0r: and lastly ... check your routing tables 07:37 < dazo> !route 07:37 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 07:37 < m31k0r> yes it is 07:37 < dazo> m31k0r: ^^^ ... that link might give you even more ideas 07:38 < m31k0r> well I will check but the behaviour is so strange 07:38 < dazo> m31k0r: if you're using iptables .... check also iptables -t nat .... make sure you don't masq tun/tap traffic 07:39 * dazo did just a quick brainstorm here now 07:39 < dazo> for more info ... 
we'll need at least configs 07:39 < dazo> !configs 07:39 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:44 < m31k0r> I think the problem is a masquerade rule we have on the firewall 07:44 < m31k0r> as you point 07:45 < ecrist> firewalls are the #1 cause of VPN problems 07:45 < ecrist> hence the channel topic 07:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 08:04 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn 08:06 -!- onats_ is now known as onats 08:20 -!- toddoon [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 08:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:33 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:38 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has joined ##openvpn 09:38 < Ramasule> Good morning 09:40 < Ramasule> If someone has some spare time to help me figure this one out here is my problem. I can connect to my OpenVpn server at home using the web gui but when I use the tomato linksys to connect it fails on the tls negotiation. I used the same keys and loggin and everything, I even tried changing routers. I dont understand what the problem could be. 09:40 < dazo> Ramasule: which openvpn versions are you using? ... Are clocks in sync? 09:42 < Ramasule> clocks are in sync 09:42 < Ramasule> latest vpn 09:43 < dazo> Ramasule: which latest? 2.1_RC15? 09:43 < Ramasule> let me find out for sure 09:44 < dazo> Ramasule: it might be issues if there are 2.1 servers and 2.0 clients ... 
usually aligning all clients and server to the 2.1_RC15 has really solved issues for most users 09:45 < Ramasule> what is the command to check what version of openvpn it is? 09:45 < dazo> /usr/sbin/openvpn --version 09:46 < Ramasule> k 09:46 < Ramasule> ill brb 09:47 < Ramasule> server is 2.0.9 09:49 < dazo> and your clients? 09:49 < Ramasule> client is 2.1_r15 09:49 < Ramasule> sorry im having to ssh into routers 09:49 < Ramasule> little slow 09:49 < dazo> np 09:49 < Ramasule> its confusing because I had it working at home and then when I took it to my workplace it no longer worked 09:50 < dazo> And the tomato linksys is the one running 2.0.9? 09:50 < Ramasule> no the tomato is running 2.1_r15 09:50 < Ramasule> my sme server is the one running 2.0.9 09:50 < dazo> goodie 09:51 < dazo> that combination should in theory work fine ... do you have some kind of firewall in front of your openvpn client? 09:51 < Ramasule> yes a nasty one 09:51 < Ramasule> but heres my conundrum 09:51 < Ramasule> my openvpn_gui client on my laptop works 09:51 < Ramasule> but then on the router it doesn't 09:51 < dazo> I used to use udp transport to "get home" .... and when I changed work, I had to change to tcp because the udp transport didn't work out well 09:52 < dazo> aha ... and the tomato linksys router is on the same network as the laptop? 09:52 < ecrist> !tcp 09:52 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 09:52 < Ramasule> yes 09:52 < Ramasule> my laptop and router are hooked into another router 09:53 < dazo> that's really odd 09:53 < Ramasule> yeah 09:53 < dazo> Ramasule: time to post server and client logs ... 
and configs 09:53 < dazo> !logs 09:53 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:53 < dazo> !configs 09:53 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:53 < Ramasule> sgtpepper was also kind enough to try to connect given the keys I used and he got the same problem 09:53 < Ramasule> verb 6 09:53 < Ramasule> k 09:53 < Ramasule> i will set 09:54 < Ramasule> I will give you the log from my laptop as well 09:56 -!- m31k0r [n=m31k0r@88.Red-81-36-156.dynamicIP.rima-tde.net] has quit ["Saliendo"] 10:19 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 10:21 < Ramasule> hello 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverloglaptop.htm 10:24 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:24 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverlaptoplog.htm 10:24 < Ramasule> http://www.apttest.kicks-ass.net/serverrouterlog.htm 10:25 < Ramasule> http://www.apttest.kicks-ass.net/DerekLVPN_09_03_10.rar for config files on laptop 10:25 < Ramasule> and client key 10:26 < Gabriel25ny> !/30 10:26 < vpnHelper> Gabriel25ny: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:26 < Gabriel25ny> !topology 10:26 < vpnHelper> Gabriel25ny: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
10:29 < Ramasule> scratch the 2 server logs they should be 10:29 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:29 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.htm 10:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 10:41 -!- c64zotte1 [n=hans@p5B17B135.dip0.t-ipconnect.de] has joined ##openvpn 10:42 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 10:42 -!- nemysis [n=nemysis@49-228.1-85.cust.bluewin.ch] has quit [Connection timed out] 10:43 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has joined ##openvpn 10:55 < Ramasule> !howto 10:55 < vpnHelper> Ramasule: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:55 < Ramasule> damn you vpnhelper 10:55 < Ramasule> !vpnhelper fix vpn 10:55 < vpnHelper> Ramasule: Error: "vpnhelper" is not a valid command. 10:56 < Ramasule> i know :( 11:08 < Ramasule> oh i can pastebin right in here 11:08 < Ramasule> thats kinda cool 11:15 * krzee doesnt see the configs... 11:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 11:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has left ##openvpn [] 11:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has joined ##openvpn 11:19 < Ramasule> http://www.apttest.kicks-ass.net/server-bridge.conf.nocomment 11:19 < Ramasule> there is the server config 11:21 < krzee> and client... 11:21 < krzee> also, wheres the client log 11:21 < krzee> The requested URL /serverlaptoplog.htm was not found on this server. 11:21 < krzee> and, why do you want a bridged setup? 
11:21 < krzee> especially when you use WINS 11:22 < krzee> if you already have wins, SMB will work in tun 11:22 < krzee> with less overhead and more security 11:22 < krzee> (i say more security because of the lack of security in layer2) 11:22 < Ramasule> I dont know I used the sme contribution 11:23 < krzee> sme contribution? 11:23 < Ramasule> it is integrated into my sme server panel 11:23 < krzee> heh 11:23 < krzee> !configs 11:23 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:23 < Ramasule> http://wiki.contribs.org/Main_Page 11:23 < krzee> oops 11:23 < vpnHelper> Title: SME Server (at wiki.contribs.org) 11:23 < krzee> i mean 11:23 < krzee> !sample 11:23 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 11:24 < Ramasule> i dont know how to get the client one because its in tomato firmware 11:24 < Ramasule> and when I ssh into the box it is very limited what I can do 11:25 < krzee> !router 11:25 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 11:25 < Ramasule> I did turn on logging and posted it 11:25 < krzee> [11:21] The requested URL /serverlaptoplog.htm was not found on this server. 
11:25 < Ramasule> yes below it I said ignore the server ones they are at /serverloglaptop.htm 11:25 < krzee> that also goes for posting the configs too, just never had anyone not able to post their configs before 11:25 < Ramasule> log is in the middle 11:26 < krzee> [10:29] scratch the 2 server logs they should be 11:26 < krzee> [10:29] http://www.apttest.kicks-ass.net/serverlogrouter.htm 11:26 < krzee> [10:29] Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:26 < krzee> [10:29] http://www.apttest.kicks-ass.net/serverlogrouter.htm 11:26 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:26 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:27 < Ramasule> it has to be something in the router config because my gui client works fine 11:27 < krzee> config or firewall or something of that nature 11:27 < Ramasule> yeah 11:27 < krzee> looks like the laptop stops receiving responses at 09:11:00 11:28 < Ramasule> thats when I disconnected 11:28 < Ramasule> isnt it? 11:28 < krzee> ya but your server log is from a different point 11:28 -!- c64zotte1 [n=hans@p5B17B135.dip0.t-ipconnect.de] has quit ["Leaving."] 11:28 < Ramasule> i have one for the laptop and one for the router 11:28 < krzee> i only have til 09:06:18 11:28 < krzee> doesnt it make sense to gimme logs from the SAME time period? 11:29 < Ramasule> didnt I? 11:29 < Ramasule> let me check again thanks krzee sorry for frustrating you 11:29 < krzee> check your timestamps 11:29 < krzee> np 11:29 < Ramasule> http://www.apttest.kicks-ass.net/serverloglaptop.htm 11:29 < vpnHelper> Title: Untitled 1 (at www.apttest.kicks-ass.net) 11:30 < Ramasule> that the one you're looking for? 
11:30 < Ramasule> i think i got them mixed up 11:30 < Ramasule> I did too 11:30 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has quit ["Sto andando via"] 11:30 < krzee> that was the same 11:31 < krzee> its the router thats a diff time 11:31 < krzee> restart openvpn all together on both 11:31 < krzee> then gimme the log from start to first not working connection attempt 11:31 < krzee> like when it gives up and tries again 11:32 < Ramasule> i fixed the links 11:34 < Ramasule> but the router one is still wrong so im restarting 11:34 < Ramasule> and ill try to use pastebin down there 11:37 < krzee> umm, log links are same 11:38 < Ramasule> thats what I said 11:38 < Ramasule> im using pastebin 11:38 < Ramasule> hmm 11:38 < Ramasule> that didnt work out so well 11:41 < krzee> k im going back to idle 11:41 < krzee> tired 11:44 < Ramasule> http://www.apttest.kicks-ass.net/logrouter.log 11:44 < Ramasule> http://www.apttest.kicks-ass.net/serverlogrouter.log 11:44 < Ramasule> dang thanks krzee 11:51 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 11:52 -!- benedictus [n=chatzill@221.157-244-81.adsl-dyn.isp.belgacom.be] has quit [Remote closed the connection] 12:01 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 12:02 < unixSnob> any ovpn developers in here? you guys need to make openvpn smarter about dates; make it so an openvpn client has the ability to ask the server what the date is, and then report back that date 12:04 < Ramasule> I think I pissed them all off, and they left. :P 12:05 < unixSnob> you told them about the date issue :)? 12:05 < Ramasule> no I asked for help, and then gave them a bunch of shitty log files 12:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:08 < dazo> Ramasule: I'm sorry I left out ... still at work and had to take of some things ... 
but my time is running out today :( 12:09 < dazo> s/take of/take care of/ 12:09 < Ramasule> haha no problem I think i gave krzee a headache trying to help me :P 12:09 < Ramasule> time is always running out 12:09 < Ramasule> damn you time 12:09 < Ramasule> !kill time 12:09 < vpnHelper> Ramasule: Error: "kill" is not a valid command. 12:09 < Ramasule> :( 12:23 < Ramasule> oh well :/ 12:24 -!- Gumbler is now known as Apfel 12:24 -!- Apfel is now known as Gumbler 12:24 -!- Ramasule is now known as Apfel 12:24 < Apfel> lol 12:25 -!- Apfel is now known as Ramasule 12:25 -!- unixSnob_ [n=jj@starfury.spearlink.com] has joined ##openvpn 12:42 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)] 12:55 -!- billly [i=billy@misfacio.com] has joined ##openvpn 13:01 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 13:02 < ecrist> afternoon, folks 13:02 < ecrist> unixSnob_ and Ramasule: there are not any OpenVPN developers in here, that we're aware of. 13:03 < ecrist> so, if you want to bitch, email them directly. 
13:03 < Ramasule> whos bitching 13:03 < ecrist> or, *gasp*, contribute 13:03 < Ramasule> I was trying to crack a joke 13:03 < Ramasule> If I contribute kernels around the world would panic 13:03 < Ramasule> bada ba ting 13:04 < unixSnob_> ecrist: this problem requires bitching, not contribution, because it appears to be a deliberate defect in openvpn that I would undo, and they might not want me reversing anything deliberate 13:04 < lclimber> hello guys i am trying to connect 2 networks over a vpn, the situation is the following, i have one vpn server and a client which has a subnet of it's own, now when i connect the client to the server, the client is able to connect to the pc's on the server subnet, but when i try to connect from the server to the client subnet i get no answer, i routed the packages from net server that go to the client's net through the vpn net, but 13:04 < lclimber> still no answer, any ideas?? 13:04 < ecrist> unixSnob_: I think your issue is with SSL, not OpenVPN. OpenVPN doesn't rewrite SSL libraries, they use the standard ones. 13:05 < ecrist> and the requirement for time synchronization between client/server is out of scope for the protocol. 13:05 < ecrist> there are other such things for that. 13:06 < ecrist> lclimber: have a look here: 13:06 < ecrist> !route 13:06 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 13:06 < ecrist> look for the section on iroute, specifically 13:06 < lclimber> thanx ecrist 13:10 < Ramasule> hmm that is a good read 13:12 < billly> am I having the same problem as lclimber? I have a VPS for the openvpn server, and my homepc as the client, I can connect to the VPN, and I see the packets on server side, but everything on my PC times out 13:19 < ecrist> billly: read the same article, ask questions you may have afterwards 13:19 < lclimber> yeah, that was the answer!!!! 
thanx a lot 13:19 < ecrist> krzee wrote it, thank him next time you see him 13:26 < lclimber> sure 13:32 -!- allquixotic [n=sean@129-2-175-109.wireless.umd.edu] has joined ##openvpn 13:33 < allquixotic> Hi, how can I quickly test whether my live OpenVPN network connection is split tunneled? I can get into the LAN just fine, but I'm really interested in tunneling all IP traffic through the server. 13:35 < reiffert> !redirect-gateway 13:35 < vpnHelper> reiffert: Error: "redirect-gateway" is not a valid command. 13:35 < reiffert> allquixotic: --redirect-gateway def1 13:36 < billly> sigh I have no idea what's wrong 13:37 < allquixotic> reiffert: Thanks :) 13:37 < billly> I'm not trying to reach any other private networks behind the server/clients 13:38 < billly> just trying to access the internet through my vpn 13:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:42 < Ramasule> -away 13:44 < billly> http://rafb.net/p/mWDDIz78.html <-- can anyone see if anything's wrong? client-->server works, but it seems like no traffic from server-->client works 13:44 < vpnHelper> Title: Nopaste - openvpn (at rafb.net) 13:47 < ecrist> billly: you need a couple things for that to work 13:47 < ecrist> 1) you need --redirect-gateway def1 on the server config 13:48 < ecrist> 2) on the server, you need proper NAT configured for VPN clients, or you need to be distributing *real* ips via OpenVPN 13:49 < lclimber> or you can install a proxy server 13:50 < billly> would bridging be simpler? 
13:50 < billly> because all I really need is one client (me) 13:50 < ecrist> no 13:53 < billly> oh I think I see what's going on now 13:57 < billly> nice it works 13:57 < billly> ecrist: thanks :D 14:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 14:03 -!- unixSnob_ [n=jj@starfury.spearlink.com] has quit ["leaving"] 14:06 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection] 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit [Read error: 104 (Connection reset by peer)] 14:10 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:16 < Bushmills> live long and prosper 14:20 * vcs shows Bushmills with dilithium radiation 14:20 < vcs> showers* 14:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:21 < reiffert> vcs: thats superman, isnt it? 14:22 < vcs> no, dilithium crystals are what powers the enterprise 14:22 < vcs> http://en.wikipedia.org/wiki/Dilithium_(Star_Trek) 14:22 < reiffert> Ah, now where you mention that it really sounds familiar :) 14:22 < Bushmills> no, that's cryptonite 14:23 < vcs> thats how spock died, he replaced a dilithium crystal with no protection 14:23 < vcs> so the enterprise could escape the genesis weapon 14:23 < reiffert> Ah, really. 14:23 < vcs> yep 14:23 < Bushmills> he died another time, on genesis 14:23 < reiffert> Thats the same death I think. 
14:23 < vcs> live long and prosper my friends 14:23 < vcs> yes 14:23 < Bushmills> on that planet with molecular instability 14:24 < Ramasule> KHAAAAANNNN 14:24 < vcs> the eugenics wars were not good to poor old khan :P 14:25 < Bushmills> causing some sort of dimensional deficiency on his tactics 14:25 -!- jameshicks212121 [n=james@static-67-62-198-140.dsl.cavtel.net] has joined ##openvpn 14:25 < vcs> the new star trek movie comes out this summer 14:26 < vcs> not sure if i am excited or not 14:26 < reiffert> We all are, no matter, after all we spent so many years of wasted time with startrek, we'll just have to be. 14:26 * Bushmills showers vcs with pangalactic gargleblaster 14:26 < reiffert> :) 14:27 * vcs beheads Bushmills with a Bat'leth 14:28 < Bushmills> good try, here's a band aid for your finger 14:29 < vcs> lol 14:30 < jameshicks212121> !route 14:30 < vpnHelper> jameshicks212121: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:30 * Bushmills tips vcs off to sylar 14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:31 -!- allquixotic [n=sean@129-2-175-109.wireless.umd.edu] has quit [Read error: 110 (Connection timed out)] 14:33 -!- romero [n=user@193.219.160.109] has left ##openvpn [] 14:36 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 14:38 < ecrist> 'this idler has gone to sleep' 14:40 < jameshicks212121> hey all, anybody familiar with client error Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:3: topology (2.0.9) in response to a server config setting of push "redirect-gateway def1" when the client is running WinXP? 14:40 < ecrist> yep 14:40 < jameshicks212121> great 14:41 < jameshicks212121> anywhere I can read up on it? 
14:41 < ecrist> looks like you're connecting to a server running 2.1 from a client running 2.0.9 where the server has an option (topology) which isn't available in 2.0.9 14:42 < jameshicks212121> so if I update the client all will be well? 14:43 < ecrist> should be, yeah 14:44 < jameshicks212121> thanks you saved the last hair on my head. I'm going to comb it over now. 14:44 < ecrist> lol, glad to help 14:46 -!- allquixotic [n=sean@129-2-131-69.wireless.umd.edu] has joined ##openvpn 14:47 < ecrist> jameshicks212121: thanks, I've added this to the SCN OpenVPN FAQ 14:47 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ 14:47 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net) 14:49 < allquixotic> billly: How'd you fix your routing problem with the redirect-gateway option? I'm having some problems with that right now. 14:52 -!- allquixotic [n=sean@129-2-131-69.wireless.umd.edu] has quit ["Ex-Chat"] 14:59 < jameshicks212121> ecrist: cool 15:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 15:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:19 < Ramasule> bahahahahhhhhhhaaaaaaahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh 15:19 < ecrist> you must have realized how small your penis really is, eh? 15:19 < Ramasule> no just the guy standing in the mirror 15:19 < Ramasule> hey wait a second 15:20 < Ramasule> no I still can't get my router connecting 15:29 < jameshicks212121> ecrist: I had my client update their software and the error message went away but the redirect-gateway def1 is still not working. I've posted all the particulars here http://pastebin.com/d1a4fac5a if you care to take a look. Thanks. 15:31 < jameshicks212121> the strange thing is that http traffic does seem to get routed but VNC will not work. 
I've set up tcpdump on the server and told it to listen to tun0 and can see all the clients http traffic being routed through the tunnel but cannot get the client to ping a local machine. 15:32 < jameshicks212121> another strange thing is that the client was working fine with the older client software less than a week ago. 15:34 < Ramasule> Ok 15:36 < Ramasule> if I have a server with samba and wins running on it what is the best method to connect a vpn router (tomato firmware) to this server. My server is currently running an openvpn contribution from somebody and it set it up in vpn mode. http://www.apttest.kicks-ass.net/server-bridge.conf.nocomment is the current config file. 15:41 < krzee> i told you the best way 15:41 < krzee> tun, instead of tap 15:41 < krzee> configuring the configs manually instead of that gui 15:41 < krzee> !sample 15:41 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:41 < krzee> that is enough to get you started 15:41 < krzee> along with: 15:41 < krzee> !man 15:41 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
15:46 < Ramasule> do I need to add those push options to the config though krzee 15:49 < Bushmills> don't try to set it as password 16:00 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 16:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 16:11 -!- jameshicks313131 [n=james@static-67-62-198-140.dsl.cavtel.net] has joined ##openvpn 16:14 -!- jameshicks212121 [n=james@static-67-62-198-140.dsl.cavtel.net] has quit [Read error: 110 (Connection timed out)] 16:21 < enzotib_> hi all, I have a connection problem, here are config and log files, and other info: http://pastebin.com/m5f852a5b 16:32 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 16:34 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 16:35 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 16:39 -!- Kreg-Work is now known as soberbit-work 16:47 -!- plaerzen [n=carpe@static-66-11-76-241.ptr.terago.net] has joined ##openvpn 16:47 -!- jameshicks313131 [n=james@static-67-62-198-140.dsl.cavtel.net] has quit [Read error: 110 (Connection timed out)] 16:47 < plaerzen> moin 16:49 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 17:17 < enzotib_> hi all, I have a connection problem, here are config and log files, and other info: http://pastebin.com/m5f852a5b 17:25 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 17:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 18:25 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 18:30 -!- enzotib_ [n=enzotib@unaffiliated/enzotib] has quit ["Fuori servizio - Ricevuto segnale 15"] 18:47 -!- allquixotic [n=sean@pool-151-196-247-171.balt.east.verizon.net] has joined ##openvpn 18:51 -!- enzotib [n=enzotib@unaffiliated/enzotib] has joined ##openvpn 18:51 -!- enzotib 
[n=enzotib@unaffiliated/enzotib] has quit [Client Quit] 19:02 -!- allquixotic [n=sean@pool-151-196-247-171.balt.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 20:38 < Ramasule> redirect-gateway 20:38 < Ramasule> !redirect-gateway 20:38 < vpnHelper> Ramasule: Error: "redirect-gateway" is not a valid command. 20:38 < Ramasule> !gateway-redirect 20:38 < vpnHelper> Ramasule: Error: "gateway-redirect" is not a valid command. 20:38 < Ramasule> !--redirect-gateway def1 20:39 < vpnHelper> Ramasule: Error: "--redirect-gateway" is not a valid command. 20:39 < Ramasule> --redirect-gateway def1 20:39 -!- hads_ is now known as hads 20:45 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: jfkw, ploo, huslu_, Typone 20:45 -!- billly [i=billy@misfacio.com] has left ##openvpn [] 20:46 -!- Netsplit over, joins: ploo, Typone 20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 20:50 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 21:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 21:03 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 21:06 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 21:19 -!- Ramasule [i=c7550801@gateway/web/ajax/mibbit.com/x-3d7ad7830ba3304d] has quit ["http://www.mibbit.com ajax IRC Client"] 23:19 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit ["Leaving"] 23:35 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn 23:35 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn [] --- Day changed Thu Mar 12 2009 00:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 00:29 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"] 01:11 -!- 
floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 02:02 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 02:02 < dan__t> Hello. 02:03 < dan__t> I'm trying to figure out how index.txt gets updated via pkitool. I don't know if I'm just plain retarded, tired, or what, but I can't figure it out. 02:03 < dan__t> I see database = $KEY_DIR/index.txt per the shipped openssl.cnf 02:04 < dan__t> But I see no reference to 'database' in pkitool 02:10 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 02:12 < dan__t> ...because its provided by openssl's 'ca' 02:45 -!- dan__t [n=dant@ns1.hitb.net] has left ##openvpn ["Leaving"] 02:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:42 -!- onats [n=onats@122.53.131.243] has joined ##openvpn 04:39 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 04:42 < lclimber> hello, yesterday i posted a question for connecting 2 networks over a vpn using 2 linux machines, now i need to connect the two same networks but on the server side I have a linux machine and on the client net i have a windows openvpn client making connections, my question is, is there a way to make windows work as a gateway as you do on linux, on linux i had to activate the forward bit, but is it possible to make such configurati 04:42 < lclimber> ons on windows?? 04:43 < reiffert> From my experience, bridging is working with windows quite well. 04:44 < reiffert> On the other hand, there is "connection sharing", which is some kind of nat which comes with microsoft stupidities. 04:45 < reiffert> Routing would be the best approach I guess, but I dont know if it will "just work" or else. 
04:45 < hads> Windows is confusing 04:56 < lclimber> indeed, it is very confusing 04:57 < lclimber> i tried using connection sharing which apparently does the job but in only one way, i mean i can reach the subnet from the vpn server, but the other way around 05:02 < lclimber> reiffert how do you configure bridging on a windows client? 05:05 < reiffert> !howto 05:05 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 05:06 < lclimber> thanx 05:06 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html 05:06 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 05:06 < reiffert> same steps as Bridge Server on Windows XP 05:26 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 06:13 -!- onats [n=onats@122.53.131.243] has quit [Remote closed the connection] 06:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:25 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has quit [Remote closed the connection] 06:26 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has joined ##openvpn 06:27 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 06:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 06:42 -!- onats [n=onats@122.53.131.243] has joined ##openvpn 07:07 < ecrist> morning, folks 07:23 -!- nemysis [n=nemysis@178-32.106-92.cust.bluewin.ch] has quit [Connection timed out] 07:25 -!- nemysis [n=nemysis@143-117.3-85.cust.bluewin.ch] has joined ##openvpn 07:49 -!- dazo_ [n=dazo@nat/redhat/x-03e49a76085a46a4] has joined ##openvpn 07:51 -!- dazo is now known as Guest99792 07:52 -!- dazo_ [n=dazo@nat/redhat/x-03e49a76085a46a4] has quit [Client Quit] 07:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 07:54 -!- dazo [n=dazo@nat/redhat/x-e2e88e9051111d2f] has joined ##openvpn 07:56 -!- Guest99792 [n=dazo@nat/redhat/x-2c7a4fd1671dfd7a] has quit [Read error: 145 
(Connection timed out)] 08:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 08:46 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: huslu_ 08:49 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 08:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:14 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: huslu_ 09:15 -!- Netsplit over, joins: huslu_ 09:18 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 09:20 < mRCUTEO> !man 09:20 < vpnHelper> mRCUTEO: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:20 < mRCUTEO> !/30 09:20 < vpnHelper> mRCUTEO: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:20 < mRCUTEO> !topology 09:20 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
09:21 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has left ##openvpn [] 09:21 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 09:21 < mRCUTEO> !logs 09:21 < vpnHelper> mRCUTEO: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:24 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 10:06 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 10:14 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["Leaving"] 10:16 -!- ignis_ [n=ignis@bzq-219-148-69.static.bezeqint.net] has joined ##openvpn 10:16 < ignis_> hello to all 10:17 < ignis_> if i have set up an openvpn as tun with a specific subnet say the suggested 10.8.0.0 to a network of addresses that are different say 192.168.1.0 10:18 < ignis_> users succeed connecting with a new assigned address of type 10.8.0.x but can't communicate with inner network 10:18 < ignis_> i read the manual several times but didn't succeed setting up a push route or anything else successfully, please help me 10:22 < ignis_> i am sorry for not pasting logs etc it's simply that the data in the files is for the company i work for and i can't reveal that, also i believe that information is not needed in this case since the question is general and straight forward and not related to a specific situation 10:22 < ignis_> !howto 10:22 < vpnHelper> ignis_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:22 < ignis_> oh and i read the howto 10:22 < ignis_> tried to follow it but didn't succeed with this 10:23 < ignis_> I am on a linux (ubuntu) on windows it's a piece of cake (doing bridging etc) 10:23 < ignis_> ubuntu 8.04 2.6.24-23-generic 10:25 < ignis_> well? no one? 
10:30 -!- ignis_ [n=ignis@bzq-219-148-69.static.bezeqint.net] has quit ["Leaving"]
10:46 -!- dgodfather [n=dgodfath@bzq-219-148-69.static.bezeqint.net] has joined ##openvpn
10:46 < dgodfather> if i have set up an openvpn as tun with a specific subnet say the suggested 10.8.0.0 to a network of addresses that are different say 192.168.1.0
10:46 < dgodfather> users succeed connecting with a new assigned address of type 10.8.0.x but can't communicate with inner network
10:47 < dgodfather> how do i make a client able to communicate (ping) with inner network computers?
10:48 < dgodfather> i read the howto, and tried to push route but i don't understand how to do it. can succeed configuring it, please help me
10:48 < dgodfather> i am running the server on linux machine
10:49 < dgodfather> maybe i should use tap like windows installation does?
10:52 -!- plaerzen [n=carpe@static-66-11-76-241.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
11:02 < ecrist> ignis_ didn't even stick around 10 mins...
11:02 < ecrist> but now he's you.
11:03 < ecrist> !route
11:03 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:03 < ecrist> dgodfather: read that ^^^^
11:03 < dgodfather> second
11:03 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
11:03 < dgodfather> please, thank you
11:04 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
11:05 < boney_> Hey, can someone tell me where i can find a list of all the "error codes" and what they (exactly) mean
11:05 < ecrist> google?
11:05 < boney_> icde tried with no luck :)
11:05 < boney_> tried the openvpn.net site as well
11:06 < ecrist> if you have specific questions, ask here, otherwise your best bet is in the source code
11:07 < boney_> kk, well im interested in code=113 ( no route to host ), just need a reliable reference where i can check it out
11:08 < dgodfather> ecrist, sorry for the change in name i left in order to change it, didn't like it :) didn't mean to fool anyone
11:08 < ecrist> you can change it with /nick
11:09 < dgodfather> ecrist, well i am not very familiar with IRC and forgot that option
11:09 < dgodfather> so you say routing is my solution?
11:10 < ecrist> yep
11:10 < dgodfather> ecrist, thanks man it looks exactly what i was looking for
11:15 < dgodfather> ecrist, it seems this is for a situation where the clients are behind another lan. my situation is that clients are connecting from the www, not from another lan
11:15 < dgodfather> is the vpn address space the push route i need to do?
11:16 < ecrist> no. you need to setup two routes
11:16 < ecrist> you need to push route the vpn server LAN addresses, and you need to have a route on your lan gateway for the VPN subnet.
11:17 < dgodfather> so it's a route on the server with the vpn address space and a push route with the server's lan address space ?
11:21 -!- onats [n=onats@122.53.131.243] has quit [Connection timed out]
11:21 < boney_> Just grepped for code=113 in the source with no results, anyone have a clue why?
11:25 < ecrist> why would you expect to find code=113 in the source?
11:27 < boney_> Daemon keeps writing it in the openvpn.log, so i thought there might be any hints in the source
11:27 < ecrist> if you post your logs here, we can probably help you
11:27 < boney_> read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
11:27 < boney_> i know what the problem is, but i need to know what code=113 means :P
11:29 < ecrist> that is the problem
11:29 < ecrist> no route to host
11:29 < boney_> i know..
11:29 < boney_> but what exactly does code=113 mean?
11:30 < ecrist> no route to host
11:30 < boney_> k, so its just a reference to EHOSTUNREACH
11:30 < ecrist> aye
11:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection reset by peer]
11:30 < boney_> thanks
11:30 < boney_> happen to know if its documented somewhere?
11:31 < dgodfather> ecrist, can you please help me configure what i need? all these route adding, i don't understand it
11:31 < dgodfather> i read the page but can't configure it. all these iroute entries and using the ccd
11:31 < ecrist> dgodfather: the routing link I gave you above explains a lot of it, and some things you won't need.
11:33 < dgodfather> yes but as i understand i need to define an iroute and user ccd directories
11:33 < dgodfather> where do i create the ccd directories?
11:34 < ecrist> you don't need an iroute or ccd entries
11:34 < dgodfather> but i did push route to the 192
11:34 < dgodfather> 192.168.2.0 network
11:34 < dgodfather> and the route to 10.8.0.0
11:35 < dgodfather> and still my client can't ping an inner user
11:35 < dgodfather> computer
11:36 < dgodfather> anything else i need to configure?
11:37 < ecrist> your firewall
11:37 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:38 < dgodfather> no firewall
11:38 < ecrist> your VPN server needs to be enabled as a gateway, as well
11:38 < dgodfather> i wrote exactly like that, route 10.8.0.0 255.255.255.0
11:38 < dgodfather> what do you mean?
11:38 < ecrist> I don't know what the linux part of that is, but on freebsd it's gateway_enable="YES" in /etc/rc.conf
11:38 < ecrist> !linux
11:38 < vpnHelper> ecrist: Error: "linux" is not a valid command.
11:38 < ecrist> !search lin
11:38 < vpnHelper> ecrist: supybot.plugins.RSS.headlineSeparator, supybot.plugins.RSS.announce.showLinks, supybot.plugins.RSS.showLinks, supybot.databases.plugins.channelSpecific.link, and supybot.databases.plugins.channelSpecific.link.allow
11:40 < dgodfather> ecrist, enabling the vpnserver machine as gateway is OS stuff?
11:40 < ecrist> yes
11:40 < dgodfather> it won't interrupt my regular network activity?
11:40 < dgodfather> should i have written a route command like route -add 10.8.0.1 .... etc.?
11:41 < ecrist> no
11:41 < dgodfather> in the server.conf
11:41 < dgodfather> no to which
11:41 < dgodfather> ?
11:42 < ecrist> I can't speak whether it'll interrupt your network or not, as I'm not your network admin.
11:42 < ecrist> you don't need to add the route on the server, as it's already aware of the route
11:44 < dgodfather> ecrist, so all i need is the push route line? push "route 192.168.2.0 255.255.255.0" ?
11:45 < ecrist> and you need to enable ip forwarding in your kernel
11:54 < dgodfather> thank you ecrist
11:54 -!- dgodfather [n=dgodfath@bzq-219-148-69.static.bezeqint.net] has quit ["Leaving"]
11:59 < drzed> !\30
11:59 < vpnHelper> drzed: Error: "\30" is not a valid command.
12:00 < ecrist> !/30
12:00 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:00 < drzed> !/30
12:00 < vpnHelper> drzed: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:00 < drzed> !topology
12:00 < vpnHelper> drzed: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:15 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:35 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: jfkw, soberbit-work, hads
12:36 -!- Netsplit over, joins: jfkw, soberbit-work, hads
12:36 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Connection reset by peer]
12:36 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:36 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection]
12:37 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn
12:58 -!- CybDev [i=cybdev@unaffiliated/cybdev] has joined ##openvpn
12:58 < CybDev> !route
12:58 < vpnHelper> CybDev: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
13:02 < CybDev> !topology
13:02 < vpnHelper> CybDev: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:04 < CybDev> so i have a rather dumb question, i have a local ip range of 10.0.0.0/24, and using openvpn to connect to another vpn net on range 10.0.0.0/24... any way to force the route statements to use a specific device?
13:04 < ecrist> ew, you've got conflicting IP ranges.
13:04 < CybDev> yeah
13:05 < ecrist> you can force the route statements to specific interfaces, but not within OpenVPN, I think.
13:05 < ecrist> it's an OS-level thing.
13:05 < CybDev> i know
13:05 < CybDev> i was kinda hoping i could specify device within openvpn
13:05 < CybDev> i can pull it off by manually altering the routing table with iproute
13:05 < CybDev> but it sucks as it has to be re-done every time the connection is dropped and re-connected :-/
13:06 < CybDev> if "route-gateway" took a device parameter too i think that would have solved a lot of my problems
13:07 < CybDev> or any of the route directives for that matter
13:23 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has joined ##openvpn
13:24 < fbond> Hi, I have a remote user trying to get in, but it seems he's on a network that doesn't like his UDP traffic (I think).
13:24 < fbond> Any easy way to have one user connect via TCP ... ? I guess I'd have to run another OpenVPN server, right?
13:25 < CybDev> tunneling tcp in tcp isn't really the best idea, and should be avoided if at all possible
13:26 < CybDev> maybe you can work around it by running it on port 53 or smth
13:26 < CybDev> also the source port on the client can be changed with an option, bind or lport or smth if memory serves me right (check the manpage)
13:26 < ecrist> fbond: you'd have to run another instance.
13:27 < CybDev> (53/udp - dns - is usually allowed even in pretty strictly firewalled environments)
13:29 < fbond> CybDev: Ah, port 53 is a brilliant idea.
13:29 < CybDev> sometimes you can get away with just changing the client local port to 53 btw
13:29 < CybDev> requires root privs tho :-/
13:30 < CybDev> served me well in the past :-)
13:31 < fbond> Hm, OpenVPN doesn't connect from a random client port?
13:31 < dazo> fbond: CybDev: 53/udp can be a good idea ... if you use --tls-auth .... or else your openvpn process might have some fun when DNS scanners pass your server
13:31 < CybDev> yeah, dazo
13:32 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
13:38 < fbond> dazo: Hm, why will tls auth help with that?
13:39 < dazo> fbond: because openvpn will not initiate any contact with the remote host if the TLS authentication (using the same static key in addition on both client and server) does not match what's expected
13:39 < dazo> fbond: its a kind of simple protection against DoS attacks
13:40 < CybDev> might wanna read up on the hmac parts of the man page fbond
13:40 < dazo> fbond: and if somebody port scans your server ... 53/udp will look like it's nothing there
13:40 < dazo> fbond: CybDev has a good hint
13:41 < CybDev> might have a slight performance penalty, but if you're not using openvpn for bulk data transfers it shouldn't hurt :-)
13:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:46 < dazo> security always has a cost ... openvpn adds a cost ... if the cost is too high, you can run unencrypted as well .... and so on
13:49 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"]
13:51 < CybDev> openvpn turned out to be one of the cheapest solutions, and in addition being the most flexible and scalable as well :-)
13:52 < CybDev> hardware ipsec boxes cost a shitload and generally deliver pretty poor performance in my experience :-/
13:57 < ecrist> for persistent LAN-LAN connections, I prefer cisco IPsec.
13:59 < CybDev> and how much did you pay for that solution? :P
14:01 < ecrist> $350
14:02 < ecrist> CybDev: it's not wrong to spend money smartly
14:02 < ecrist> just because you can't afford/justify a piece of cisco hardware doesn't mean others can't or shouldn't
14:05 < CybDev> $350 for the complete solution?
14:05 < ecrist> yes
14:05 < CybDev> that was very cheap
14:06 < ecrist> indeed
14:06 < CybDev> what kinda units did you get?
14:06 < ecrist> cisco 1841
14:06 < CybDev> last hardware ipsec box i fiddled around with cost around 150k nok i think
14:06 < ecrist> lol
14:06 < ecrist> freebsd can do ipsec out of the box.
14:07 < CybDev> (fibrechannel gigabit thingie)
14:07 < ecrist> i'm a proponent for using the right tool for the job
14:08 < CybDev> hehe, yeah
14:09 < ecrist> in my opinion, on corporate networks, ipsec is a better supported method for lan to lan connections, and if you're going to use ipsec, you might as well use real hardware for it.
14:12 < CybDev> how does it perform tho, bulk data and connection counts etc?
14:14 < CybDev> (which was one of the problems with that earlier mentioned box, bulk single-session filetransfers were just fine, but it couldn't handle tons of simultaneous short connections very well)
14:14 < ecrist> our bread and butter is many simultaneous connections with many short files
14:15 < CybDev> :-)
14:16 < CybDev> got any experience with hardware ssl offloading btw?
14:16 < ecrist> none, sorry.
14:16 < ecrist> there are people that do it.
14:16 < CybDev> hehe, no worries, shot in the dark
14:17 < ecrist> there are folks I know that buy soekris boxes with crypto cards, throw netbsd on em and use them as openvpn servers.
14:17 < boney_> !search code=113
14:17 < vpnHelper> boney_: There were no matching configuration variables.
14:17 < CybDev> yeah i'm hearing mixed things about it
14:17 < ecrist> boney_: you're missing routes
14:17 < ecrist> 113 is NETUNREACH
14:17 < CybDev> ah, ssl offload cards work quite nicely
14:18 < boney_> i know what the problem is and i know how to solve it, i just want to find a list that i can use as reference
14:18 < boney_> a list, paper, documentation that explicitly explains code=113
14:18 < CybDev> but i was looking more in the direction of a proxy/firewall like thing that could handle that part so my webservers wouldn't have to negotiate all those ssl sessions all the time
14:18 < boney_> and i do know that code=113 is ref to No route to host
14:18 < ecrist> 113 isn't an openvpn issue, I don't think, I believe it's a network stack error code
14:18 < boney_> ah
14:18 < boney_> thanks for the hind
14:19 < boney_> hint
14:19 < ecrist> CybDev: F5
14:19 < ecrist> that's what they do, one of the things anyways
14:19 < ecrist> the other thing you could do is run an apache reverse proxy handling your SSL and proxy back to your real web servers.
14:20 < CybDev> yeah it's currently not a problem, well, solved for now anyway
14:21 < ecrist> additionally, in many cases, it's not necessary to encrypt the entire site. logins, etc, are ideally all that is encrypted.
14:21 < ecrist> ROT13 should be fine. ;)
14:21 < CybDev> we don't have that luxury :P
14:22 < ecrist> really screw them up and go ROT14
14:22 < CybDev> let's go all out and make it ROT15!
14:22 < ecrist> or, ooh ooh, ROT26
14:22 < CybDev> "unbreakable"
14:22 < CybDev> haha
14:22 < ecrist> ROT26 is easy to decode in your head, so no need for writing it down on paper, less of a security breach. :)
14:23 < CybDev> makes no difference :P
14:24 < CybDev> still as hard as rot13 or whatever
14:25 < ecrist> ROT13 is short for rotation-13, meaning a 13-character shift of letters in the alphabet. ROT26 would mean you rotate them 26 times, or back to where you started.
14:25 < ecrist> abc in ROT13 = nop abc in ROT26 = abc
14:26 < CybDev> yeees
14:26 < CybDev> but any computerized string is usually more than just the lowercase us letters :P
14:26 < CybDev> and the elgorithm is exactly the same with a different offset
14:27 < CybDev> *algorithm
14:27 < CybDev> you'd need an exact wraparound to just skip the step :P
14:27 < CybDev> (which i assume was the idea :P)
14:27 < CybDev> base64 encoded data with rot64 encryption? :P
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- logiclr- [i=logiclrd@S0106000103208fb2.wp.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
15:20 < ecrist> you are the ball lickers!
15:21 < vcs> fire phasers
15:21 < ecrist> vcs -1 for make a star trek reference
15:22 < vcs> ecrist -1 for make ball licker joke
15:22 < ecrist> ecrist + 80 for being ecrist
15:33 < kaii> >LOG:1236889985,N,write UDPv4: No buffer space available (code=55)
15:33 < kaii> has anybody ever seen this error message?
15:34 < ecrist> yep, it means your firewall is blocking ICMP traffic, usually
15:34 < kaii> why icmp?
15:35 < kaii> in my case it seems that the upload is shaped (for voip and ack prioritization) and the upload queue is full
15:36 < kaii> the kernel says like "can't take your packet now" and openvpn does not retransmit it. (if my understanding is correct)
15:36 < kaii> so the packet is lost, keepalive fails and the "inactivity timeout" occurs
15:36 < kaii> (in circumstances)
15:37 < kaii> the vpn is functional (because the app protocols that are sent through the tunnel DO the retransmit), but drops every 10 minutes or so when a packet burst makes the keepalive fail.
15:38 < kaii> any suggestions?
15:38 < kaii> i thought like "maybe you can recognize the openvpn control packets and prioritize them too", but tcpdump blew this illusion away.
15:39 < kaii> after all, the problem is not that the queue is full, the problem is that the control packets are not retransmitted ..
15:40 < kaii> switching to TCP would solve this problem, but this is a large VPN mesh and a TCP tunnel with UDP voice inside is a big mess and ends in robot speech
15:41 < kaii> is there some dev channel for openvpn? ^^
15:43 -!- qfk\ [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn
15:47 -!- vcs [i=vcs@alien.jinxshells.com] has left ##openvpn []
16:03 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit [Connection timed out]
17:33 < ecrist> kaii: no, this is the only openvpn channel
17:35 < ecrist> kaii: your problem is with a firewall, I assure you.
17:35 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:50 < sigmonsays> i'm having arbitrary connection issues with openvpn
17:50 < sigmonsays> many work. some don't
17:50 < sigmonsays> is there some tcp/iptables stuff I need to tweak?
17:50 < sigmonsays> i'm doing NAT through tun
17:59 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
18:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"]
18:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:17 * sigmonsays wants to kill openvpn
18:17 < sigmonsays> it fails connections at 63
18:17 < sigmonsays> always
18:20 < CybDev> 63?
18:20 < sigmonsays> i can disconnect one place, and then it connects elsewhere
18:20 < sigmonsays> I don't get it
18:21 < sigmonsays> client complains about no default gateway: failed to parse/resolve route for host/network: 10.128.0.0
18:21 < sigmonsays> but it does that even when it works
18:22 < CybDev> eurh
18:22 < CybDev> sounds to me like your config is messed up
18:22 < sigmonsays> and all the other 62 people are fine? :)
18:26 < sigmonsays> care to help a min w/ my configs?
18:26 < sigmonsays> they are surprisingly simple
18:29 < CybDev> nopaste them, along with debug output?
18:29 < sigmonsays> Sure
18:31 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:31 < sigmonsays> well probably not :)
18:31 < sigmonsays> Let me research some more
18:31 < CybDev> lol
18:32 < CybDev> start with connection limits :P
18:55 < sigmonsays> hehe, 240? :)
18:55 < sigmonsays> that's what i got configured :)
18:55 < sigmonsays> is there a make_operator_insane_limit = 62 anywhere?
18:57 < CybDev> tis why i wondered about the config
18:57 < CybDev> also what os is this?
18:57 < CybDev> and what error does it fail with?
18:57 < CybDev> (set log level to 9 or smth)
19:09 < Bushmills> sigmonsays, my opinion is, you should follow that lead given by "no default gateway"
19:14 < CybDev> if i understood him correctly the problem occurred when the 63rd client connected?
19:14 < sigmonsays> Bushmills, yah
19:14 < sigmonsays> how come others connect just fine
19:15 < sigmonsays> it's some artificial limit
19:15 < CybDev> but without debug log from server and client, and configs, it's not real easy to help :P
19:15 < ecrist> evening, folks
19:17 < Bushmills> netmask /26, maybe?
19:17 < ecrist> the problem is with /30 subnetting in tun VPNs. Only 62 are allowed in a /24 VPN subnet
19:17 < ecrist> exec -o echo "255/4" | bc -l
19:17 < ecrist> 63.75000000000000000000
19:17 < ecrist> one of the /30s is taken by the server IP and its own internal tun interface.
19:18 < CybDev> :-)
19:18 < ecrist> but what do I know. ;)
19:18 < CybDev> what is the advantage of using a tun type vpn anyway?
19:19 < Bushmills> over a slice of cheese?
19:19 < CybDev> yes, a slice of cheddar
19:19 < CybDev> not tun vs tap obviously
19:22 < CybDev> oh well, getting late, off i go
19:22 < CybDev> *gone*
19:23 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
19:36 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
20:14 -!- Mark_ [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Read error: 54 (Connection reset by peer)]
21:09 < Bushmills> !route
21:09 < vpnHelper> Bushmills: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:17 -!- Mark``` [n=mark@ip24-56-23-192.ph.ph.cox.net] has joined ##openvpn
21:18 < ecrist> hi Mark```
21:19 < Mark```> heya
21:19 * ecrist goes to hang with the wife.
21:19 < Mark```> my gf is making cookies
22:20 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
22:32 -!- Irssi: ##openvpn: Total of 48 nicks [0 ops, 0 halfops, 0 voices, 48 normal]
22:49 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn
23:02 < tjz> hmm
23:02 < tjz> Some issue with vista system.. user still gets his ISP's IP though he is clearly connected to the vpn..
23:02 < tjz> it works for windows xp
23:03 < tjz> he is using openvpn 2.1 rc5 for his system
23:16 < Bushmills> tjz, why shouldn't he?
23:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:21 < tjz> yea
23:21 < tjz> strange x_x
23:21 < tjz> he is using tcp
23:21 < tjz> his ISP blocks udp
23:21 < tjz> x_x
23:22 < Bushmills> i mean, why should being connected to vpn prevent a machine from obtaining an ip address for a different interface?
23:26 < tjz> his ISP really puts down a lot of restrictions
23:27 < Bushmills> if his machine connects through his provider, that's not a problem. if it is, he can unplug the connection. otherwise, it is perfectly normal that he obtains an ip address.
--- Day changed Fri Mar 13 2009
00:24 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
00:36 < tjz> thx for the info..
00:36 < tjz> just too weird for his case
00:41 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"]
00:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
02:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:19 -!- onats_ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)]
02:19 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn
02:23 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
02:23 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
02:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit []
04:16 -!- nemysis [n=nemysis@143-117.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
04:16 -!- nemysis [n=nemysis@138-248.3-85.cust.bluewin.ch] has joined ##openvpn
04:30 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:31 -!- kempo [n=kempo@95.211.2.31] has joined ##openvpn
04:31 < kempo> hello everyone
04:33 < kempo> could anybody look at this: http://p.nn-d.de/848
04:33 < vpnHelper> Title: NoName-Development - Pastebin (at p.nn-d.de)
04:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:22 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
05:34 -!- Spabby [n=G@host-84-9-136-112.dslgb.com] has joined ##openvpn
05:35 < Spabby> hi folks, I'm trying to assign static ips on my openvpn using the ccd directory and files named the same as the client, but i can't get my windows client to connect
05:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
05:36 < Spabby> my vpn works fine without the client config file in the ccd directory
05:36 < Spabby> but once I add the ccd with the line
05:36 < Spabby> ifconfig-push 192.168.20.100 192.168.20.1
05:36 < Spabby> my client will not connect
05:36 < Spabby> the subnet I am using 192.168.0.0
05:38 < Spabby> I lie
05:38 < Spabby> it's 192.168.20.0
05:41 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
05:47 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
05:58 -!- Spabby [n=G@host-84-9-136-112.dslgb.com] has left ##openvpn []
06:13 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
06:37 < Bushmills> that's a good config, excluding windows clients.
06:47 < ecrist> that ifconfig line will not work with 2.0.9 and tun.
06:49 -!- kempo [n=kempo@95.211.2.31] has left ##openvpn []
07:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:30 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
07:56 -!- gnubie [n=gnubie@cm92.omega113.maxonline.com.sg] has joined ##openvpn
07:56 * gnubie waves
07:58 < gnubie> my home server is also my gateway which is directly connected to the internet. if i setup openvpn server on my box, the remote host need not set up bridged or router configuration, right?
07:59 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
08:14 * ecrist waves back at gnubie
08:15 < ecrist> I don't understand your question, however.
08:16 < gnubie> ecrist: do i need to configure routing or bridge even if the server is already facing the internet and the client that will connect to it will only connect to that server only and nothing more?
08:24 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn
08:28 < ecrist> up, not really.
08:29 < ecrist> s/up/um/
08:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:37 -!- onats_ [n=onats@122.53.131.243] has quit [Read error: 110 (Connection timed out)]
08:43 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
08:43 < Bushmills> gnubie, clients can see beyond the server also without bridged config on the server
08:43 < Bushmills> gnubie, but it needs a wee bit of extra config on the server
08:50 -!- d [n=d@webmailserver.nisira.com.pe] has joined ##openvpn
08:50 < d> hi all
08:50 < d> Can I access an Active Directory Domain through an OpenVPN?
08:50 -!- d is now known as Guest98439
08:52 < gnubie> Bushmills: ok
08:56 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Remote closed the connection]
08:58 < ecrist> Guest98439: yes, you can
09:09 < Guest98439> ecrist but when I see the Login Window, I select DOMAIN: MYDOMAIN and telephonic access?
09:10 < ecrist> Guest98439: not sure, you can do it, but it's gotta be as a windows service.
09:10 < ecrist> this is really more a windows question than an OpenVPN question.
09:15 < Guest98439> ecrist, I have a Domain Controller in Site A, and I like to have an openvpn with Site B, the PCs in Site B can access the Domain through openvpn to Site A?
09:16 < dazo> Guest98439: I don't know much about Win (and it's not related to openvpn itself) ... but I do know that if the account is enabled as a "disconnected" profile, the user can login on the box, get the desktop and then startup OpenVPN and connect to the network
09:17 < dazo> Guest98439: but if the user has never been logged into that box before ... s/he needs to login onto that box while being either connected to the physical or VPN network, so that the authentication happens and is cached on the client
09:20 < dazo> Guest98439: in your scenario ... if you setup a router (preferably somewhere along on the default gateway route, to make it easier for you) on SiteB which establishes the VPN connection to SiteA ... and setup the DHCP correct to push out the needed WINS server (on SiteA), DNS server (on SiteA and a secondary on SiteB) etc ... then it should work
09:21 < dazo> Guest98439: but most probably you would like to have a Win server on SiteB as well, which is replicating auth data from the master AD in SiteA ... that way, your clients will be able to logon also when the VPN (or Internet) connection is down
09:22 < dazo> Guest98439: From SiteA you will then manage the server in SiteB through the Windows admin GUI as well ... where all needed settings are pushed to SiteB by the SiteA AD
09:24 < Guest98439> with ISA Server VPN I can login without other AD Server in Site B
09:25 < dazo> Guest98439: but then you do need to have the VPN connection open, I presume
09:25 < dazo> Guest98439: in this case ... you will have the same situation as with OpenVPN
09:26 < dazo> Guest98439: you can make it work with OpenVPN without a server in SiteB ... but if the VPN connection or Internet connection fails, the login of users who have not authenticated themselves on that PC before, will not work ... as long as "disconnected" profile is enabled
09:27 < dazo> Guest98439: if the user account is not setup as a "disconnected" profile (I've forgotten the proper word), it denies caching of authentication data on the local client itself
09:29 < dazo> Guest98439: it's all about how reliable you want to have your network ... and how dependent you make yourself on the VPN connection
09:29 < dazo> never plan for best case scenarios ... because worst case scenarios happen much more often than you want ... and always when it really does not fit into your schedule
09:32 < dazo> Guest98439: anyhow ... to make a VPN net work as you want ... you anyway need to push the proper WINS and DNS servers to all clients on SiteB ... only that way, the clients get a clue of where to find the DC ... and you need to make sure that all those SMB/CIFS ports used are not blocked across the VPN tunnel anyhow
09:37 < Guest98439> dazo
09:37 < Guest98439> lets
09:37 < Guest98439> I can do it or not?
09:37 < Guest98439> I can connect to SiteB through an openvpn to SITE A AD?
09:38 < dazo> Guest98439: Is my English that unclear? .... Yes you can ... but you need to configure the DHCP server at SiteB correctly to push needed info for your clients to find and see the AD at SiteA
09:39 < dazo> Guest98439: and you do need to make sure that SMB/CIFS ports (with AD you also need kerberos, and possibly also LDAP ports) used by the Windows AD server pass freely over the VPN network to the SiteB network
09:40 < dazo> Guest98439: the last point here, covers setting up network routes and firewall config correctly .... including on the SiteA AD
09:48 < Guest98439> ok
09:48 < Guest98439> thanks
09:50 < ecrist> /topic Boats and HOs
10:07 -!- felix_ [n=felix@p578b665c.dip0.t-ipconnect.de] has joined ##openvpn
10:07 < felix_> Hi
10:07 < ecrist> howdy
10:08 -!- onats_ [n=onats@122.53.131.243] has joined ##openvpn
10:12 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
10:16 < ecrist> felix_: have a question you wanted to ask?
10:19 < felix_> yeah, i'd like to know if there's a possibility to integrate lines (not comments) into openvpn.conf which will be ignored by openvpn and will be parsed by a script which runs when a user logs on
10:19 -!- diegovio1a [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
10:20 < felix_> we've got an administration vpn and i force the clients into specific nets by common name and there are about 4 different options and a config parser but i thought it would be nicer to have it directly in the openvpn.conf
10:23 < dazo> felix_: have you looked at --client-config-dir ?
10:24 < felix_> we use client-connect
10:25 < felix_> client-config-dir also for using scripts right?
10:26 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)]
10:27 < reiffert> --client-connect script
10:27 < reiffert> Run script on client connection. The script is passed the com-
10:27 < reiffert> mon name and IP address of the just-authenticated client as en-
10:27 < reiffert> vironmental variables (see environmental variable section be-
10:27 < reiffert> low).
10:28 -!- onats_ [n=onats@122.53.131.243] has quit [Connection timed out]
10:30 < felix_> yes i'm using that, and i have a script http://chaos-disciple.org/cgit/ovpn-ip-manager/
10:30 < dazo> felix_: what do you want to do in that script?
10:30 < vpnHelper> Title: ovpn-ip-manager - script for custom ip distribution on openvpn servers (at chaos-disciple.org)
10:33 < dazo> felix_: maybe a silly question ... but why do you want to control the IP address of the client like this?
10:34 < felix_> dazo: the vpn is routed into an administration network with different hosts, each host is administrated by a different guy and it's easier and more secure to filter for ip addresses then
10:34 < dazo> felix_: so you want to limit access in a firewall?
10:34 < felix_> dazo: right
10:35 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)]
10:35 < dazo> felix_: why not use the clients VPN MAC address instead? ... or pick out the IP address assigned in the --learn-address phase?
10:35 -!- diegovio1a is now known as diegoviola
10:35 < felix_> I would just like to have a nicer implementation which fits better into openvpn so that its easier for others to use my script
10:36 < dazo> felix_: openvpn provides you with the address it assigns to the VPN client in the --learn-address script
10:36 < dazo> felix_: even MAC address of the client
10:37 < dazo> felix_: this way, you don't need to create a config file on-the-fly for the client assigning the IP address
10:37 < felix_> well i'd like to assign subnets to specific common names
10:38 < felix_> for example internal.guy-a.hostname will allow access to the admin network but internal.guy-b.hostname is in another subnet
10:38 < dazo> felix_: sure ... I won't stop you :) ... I've written a module in C which does authentication primarily, but it updates iptables rules on-the-fly, based on the MAC address
10:39 < felix_> dazo: iptables updating is difficult in this case because the ssh logons will go onto other hosts
10:39 < felix_> dazo: this machine is a xen dom0 and shouldnt do anything not necessary
10:40 < dazo> felix_: aha ... yeah, that's actually my next phase in my project .... to send iptables updates to another box from the openvpn process
10:42 < felix_> dazo: the machines are administrated by different people, would you like your neighbour being able to do any crap in your iptables ?
10:43 < dazo> felix_: not directly .... but if I knew that the table chains accessible were limited, and that I could control src/dst of the entry of the client tables, I would be calmer
10:45 < dazo> felix_: but actually the openvpn do not send explicit dst. address and names .... all this plug-in receives is "destination chain" (-j), "src MAC addr" .... and in the master config of openvpn it is defined which table chain these updates will go into
10:46 < felix_> okay
10:55 < diegoviola> hi
11:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:27 * ecrist hates looking like an ass to the boss.
11:33 < diegoviola> guys i will be starting an itsp soon, voip provider... but our main telco blocks sip+rtp, i tried to encrypt it with sip+tls+srtp and the signalling works but they still can see the rtp headers and block the media... i tried using openvpn and send all the traffic through it and that works fine
11:33 < diegoviola> but how can i do the tunneling when i have a hundreds of customers?
11:35 < diegoviola> i tried the static key mini howto
11:57 < diegoviola> what can of configuration could i use for a massive carrier-grade setup?
11:57 < diegoviola> what kind of*
11:57 -!- felix_ [n=felix@p578b665c.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
12:15 -!- regis [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has joined ##openvpn
12:15 -!- regis is now known as Guest90354
12:19 -!- Guest90354 [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has quit [Client Quit]
12:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:50 < ecrist> diegoviola: not sure what you mean by 'carrier-grade'
13:02 -!- regis_ [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has joined ##openvpn
13:02 -!- regis_ is now known as Rere
13:02 -!- Rere is now known as Rere10
13:05 -!- Rere10 [n=regis@LPuteaux-151-42-24-190.w193-252.abo.wanadoo.fr] has quit [Client Quit]
13:27 -!- felix_ [n=felix@static-87-79-66-24.netcologne.de] has joined ##openvpn
13:28 -!- Guest98439 [n=d@webmailserver.nisira.com.pe] has quit []
13:36 -!- felix_ is now known as pleed
13:55 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Saliendo"]
14:11 -!- pleed [n=felix@static-87-79-66-24.netcologne.de] has quit [Read error: 110 (Connection timed out)]
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Remote closed the connection]
14:32 -!- jpalmer [n=jpalmer@71.3.0.205] has joined ##openvpn
14:36 -!- pleed [n=felix@static-87-79-236-180.netcologne.de] has joined ##openvpn
15:16 -!- gnubie [n=gnubie@cm92.omega113.maxonline.com.sg] has quit [" HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!"]
16:09 * sigmonsays smacks windows
16:09 * sigmonsays smacks windows for using a /30
16:10 < ecrist> what's wrong with a /30?
17:17 -!- quentusrex [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
17:18 < quentusrex> Is it possible to have a setup where some clients can access all vpn clients, but other clients can only access the server?
17:19 < quentusrex> Basically setup so that 10.5.*.* can access any vpn client, including the ones that are 'limited', and anything on 10.6.*.* can only access the server, but not anything else in 10.5.*.* or 10.6.*.* ????
17:19 < quentusrex> !man
17:19 < vpnHelper> quentusrex: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:24 < quentusrex> I would like to have the --client-to-client connection for some, but not for others....
17:25 < quentusrex> So, is a profile like that available or possible?
17:26 < reiffert> readup what client-to-client expands to. see manpage
17:26 < reiffert> And think about bad clients adding routes manually.
17:28 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn
17:29 < cscho0415> hello, can some one help me setup openvpn
17:44 < reiffert> !howto
17:44 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:45 < diegoviola> ecrist: i just want to know what kind of config to use for million of computers
17:45 < diegoviola> a server config that my clients will connect to?
17:45 < diegoviola> with the same certificate?
18:08 < diegoviola> i need to know what kind of config to set up for a scalable system
18:09 < diegoviola> i tried client-server from two machines only
18:10 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit []
18:14 -!- diegovio1a [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
18:15 < diegovio1a> i need to know what kind of config to set up for a scalable system
18:27 < diegovio1a> how would i also configure my ip phones that don't have a vpn client to connect to a vpn
18:28 < hads> They would need to connect through a gateway that does support OpenVPN
18:29 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Connection timed out]
18:30 < diegovio1a> so something like this: phone -> gw (connected to the vpn) -> vpn server?
18:30 -!- diegovio1a is now known as diegoviola
18:32 -!- dazo [n=dazo@nat/redhat/x-e2e88e9051111d2f] has quit [Read error: 145 (Connection timed out)]
18:38 -!- dazo [n=dazo@nat/redhat/x-b03334b74c651cde] has joined ##openvpn
18:42 < Bushmills> hi reiffert
18:47 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has joined ##openvpn
18:53 < diegoviola> hads: how do you think would be better, put a FS server and let the customers register to that and from the FS server encrypt everything to outside, or set up the openvpn server on the FS server and let the clients connect to it and encrypt it?
18:56 < Bushmills> what good is encryption if the first hops are without?
18:56 < hads> Bushmills: He's doing it to get around protocol blocking at an ISP
18:58 < hads> diegoviola: Depends how many instances of FreeSWITCH and OpenVPN you want to manage.
19:02 < diegoviola> i want to make it as simple as possible
19:04 < Bushmills> is it wise to have customers running over a net a provider tries to block the service they use?
19:04 < Bushmills> can't you just run your stuff on, say, a dedicated server at a server farm?
19:05 < Bushmills> (no need to work around things, that makes things much easier, therefore is consistent with your requirement)
19:06 < hads> Bushmills: I *think* it's a common end user ISP that is the issue.
19:06 < hads> But he can clarify that, I'm working from memory of a conversation in #freeswitch
19:07 < diegoviola> I need to be able to make SIP calls through the ISP
19:07 < diegoviola> that is blocking things
19:08 < Bushmills> then do what hads said, on that particular machine. openvpn from a gateway there to your openvpn server
19:09 < diegoviola> so openvpn on all customers machines?
19:09 < Bushmills> do they all have that issue?
19:10 < diegoviola> yes
19:10 < Bushmills> change your customers :D
19:10 < hads> I think it's the country.
19:10 < Bushmills> change the country
19:10 < hads> heh
19:11 < hads> Sell them all snom phones which do OpenVPN :)
19:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:25 -!- cscho0415 [n=cscho041@ool-4570e460.dyn.optonline.net] has quit []
19:26 < diegoviola> hads: if only i could encrypt rtp headers with srtp, that would have made my life easier...
19:26 < diegoviola> i think
19:34 < diegoviola> hads: why i can't encrypt RTP completely with SRTP?
19:34 < diegoviola> what's the point of it then?
19:34 * krzee checks what channel hes in
19:35 < krzee> #freeswitch would be where i would ask that channel, but it also depends what software both endpoints use
19:35 < krzee> err, where i'd ask that question
19:36 < krzee> if you control both sides, you can encrypt * any way you like
19:36 < krzee> otherwise, you are held to what the software supports
19:37 < krzee> hah cool, you were already in there
20:01 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)]
21:43 -!- dvl [n=nnnnnnnn@pdpc/supporter/professional/dvl] has left ##openvpn ["Leaving"]
22:47 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
23:11 -!- pleed [n=felix@static-87-79-236-180.netcologne.de] has quit [Read error: 113 (No route to host)]
23:22 -!- tedz [n=aaa@internet-223-98.narocnik.mobitel.si] has joined ##openvpn
23:22 < tedz> Hi
23:22 < tedz> !howto
23:22 < vpnHelper> tedz: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:23 < tedz> !route
23:23 < vpnHelper> tedz: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
23:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
--- Day changed Sat Mar 14 2009
00:55 -!- nemysis [n=nemysis@138-248.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
00:56 -!- nemysis [n=nemysis@16-30.3-85.cust.bluewin.ch] has joined ##openvpn
02:29 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 60 (Operation timed out)]
03:11 < reiffert> Moin Bushmills
03:30 -!- krzie_ [i=krzee@joogot.noskills.net] has quit [Read error: 110 (Connection timed out)]
03:32 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 113 (No route to host)]
03:32 -!- rere10 [n=regis@LAubervilliers-151-13-69-209.w217-128.abo.wanadoo.fr] has joined ##openvpn
03:34 < rere10> hello all, does anyone speak French or is this an English forum?
03:39 -!- rere10 [n=regis@LAubervilliers-151-13-69-209.w217-128.abo.wanadoo.fr] has left ##openvpn ["Quitte"]
03:54 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
03:55 < SgtPepperKSU> Hi. Is there any way (SIGUSRx, etc) to force OpenVPN to update the status file (eg specified with "status status.log") on command?
03:56 < SgtPepperKSU> like how SIGUSR2 sends it to the syslog (in daemon mode), except to the already specified file?
04:23 < SgtPepperKSU> wow, I guess I'll try back another time
04:23 -!- SgtPepperKSU [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
04:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:57 -!- oc80z [i=oc80z@quad.efnet.pe] has quit []
07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:20 -!- jwasner [n=jwasner@cpe-72-191-5-183.satx.res.rr.com] has joined ##openvpn
08:24 -!- jwasner [n=jwasner@cpe-72-191-5-183.satx.res.rr.com] has left ##openvpn []
08:41 -!- drzed_ [n=drzed@80.123.158.163] has joined ##openvpn
08:42 -!- drzed [n=drzed@synflood.homelinux.org] has quit [Read error: 104 (Connection reset by peer)]
10:15 -!- drzed_ is now known as drzed
11:14 -!- smk_ [n=scott@cobra.httpd.org] has joined ##openvpn
11:14 -!- smk [n=scott@cobra.httpd.org] has quit [Read error: 54 (Connection reset by peer)]
11:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:41 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
11:44 -!- dangermouse [n=dmouse@78.147.240.182] has joined ##openvpn
11:44 < quentusrex_> reiffert: I could deal with a client trying to add a route, but I would like to get something similar setup...
11:44 < quentusrex_> Even if I need to use two different openvpn servers....
11:45 < dangermouse> Hey, I need to set up a VPN. Which will maintain my sanity: openvpn or ipsec? (disregarding the differences in operation/features)
11:45 < quentusrex_> Use one server, for 'limited' clients, and one server for 'unlimited' clients. and give the unlimited server access to all the limited clients...
11:46 < quentusrex_> dangermouse: openvpn has been much easier to implement for me than ipsec...
11:47 < dangermouse> quentusrex_: ok, thanks
11:47 < dangermouse> It has a nicer looking website too :D
11:47 < quentusrex_> :)
11:48 < quentusrex_> the learning curve might be a little steep, but it makes sense after a bit...
11:48 < quentusrex_> just make sure to be able to test stuff, and have a multiple computer sandbox....
11:48 < quentusrex_> life is easier that way...
11:48 < dangermouse> ok
11:49 < dangermouse> It's for a project at University, my supervisor just told me I need to setup a VPN. No requirements or anything, so it's a bit hard to pick an implementation 8-)
11:49 < quentusrex_> yeah, go with openvpn...
11:50 < quentusrex_> have you decided if you'll use individual certs for each connection? or global certs?
11:50 < dangermouse> No idea, VPN is really new to me
11:51 < quentusrex_> ok, well. I've gotten a few of the more simple implementations setup already. so if you have any questions let me know...
11:51 < dangermouse> ok, I'm just writing a preliminary report at the moment, I begin my project next week so I will probably be back with lots of questions hehe :)
11:52 < quentusrex_> with the certs, it is a question of: do you want to be able to disable access on a per person level???
11:53 < quentusrex_> or on a group based level?
11:54 < dangermouse> mm not sure. Can I use kerberos for user authentication?
11:54 < quentusrex_> I have heard you could. I have not used it.
11:56 < quentusrex_> I use PKI certs....
11:56 < dangermouse> oh ok
12:35 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit ["What did you expect me to say?"]
12:36 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
13:19 -!- mib_zaf5lt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-35e86c4096268060] has joined ##openvpn
13:19 < mib_zaf5lt> hi
13:19 < mib_zaf5lt> is there any one here ?
13:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:27 -!- dangermouse [n=dmouse@78.147.240.182] has left ##openvpn []
13:38 -!- mib_zaf5lt [i=52e6d07c@gateway/web/ajax/mibbit.com/x-35e86c4096268060] has quit ["http://www.mibbit.com ajax IRC Client"]
15:22 -!- gejr [n=gejr@unaffiliated/gejr] has quit [Read error: 110 (Connection timed out)]
15:50 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
16:55 -!- quentusrex [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
17:08 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
18:09 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has joined ##openvpn
18:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:15 -!- quentusrex [n=quentusr@97-113-103-127.tukw.qwest.net] has joined ##openvpn
18:16 -!- qfk\ [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
18:21 -!- mib_gc4i88 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-4924002b45326ebb] has joined ##openvpn
18:21 < mib_gc4i88> hi
18:23 < mib_gc4i88> i got this http://pastebin.ubuntu.com/131349/
18:23 < mib_gc4i88> error
18:23 < mib_gc4i88> what i have to do ,N
18:29 -!- mib_gc4i88 [i=52e6d07c@gateway/web/ajax/mibbit.com/x-4924002b45326ebb] has quit ["http://www.mibbit.com ajax IRC Client"]
19:35 -!- tedz [n=aaa@internet-223-98.narocnik.mobitel.si] has quit []
20:15 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
20:17 < gorkhaan> Hi everyone! I'd like to know one thing. If my clients are connecting to my server on interface ETH0, and TUN0 is Masqueraded to ETH0 from TUN0, the data flow is doubled. But what if I create a Bridged network, between ETH0 and TUN0? Will the data flow be doubled? :)
20:18 < ecrist> not sure I follow
20:18 < ecrist> it shouldn't be, no
20:20 < gorkhaan> so the packets way kinda this: internet -> eth0 -> tun0 <-- NAT --> eth0 --> Internet
20:20 < gorkhaan> as u can see eth0 is there twice
20:22 < gorkhaan> So my point is if I modify my stuff to Bridged network instead of NAT-ed, what is gonna be? :)
20:25 < gorkhaan> anyone pls? is it too late for ask kinda questions? XD
20:29 < gorkhaan> Never mind. I'll ask again later. thx anyway. bbcu
20:29 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Tvozom"]
20:51 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit ["Reconnecting"]
20:51 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
21:54 -!- quentusrex [n=quentusr@97-113-103-127.tukw.qwest.net] has quit [Read error: 113 (No route to host)]
22:07 -!- skx [i=skx@unaffiliated/skx] has quit [Read error: 104 (Connection reset by peer)]
22:07 -!- skx [i=skx@217.17.32.190] has joined ##openvpn
22:15 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
22:26 -!- nemysis [n=nemysis@16-30.3-85.cust.bluewin.ch] has quit [Connection timed out]
22:27 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
22:37 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 104 (Connection reset by peer)]
23:00 < diegoviola> what's better for voip, bridging or routing? where scalability is important
23:03 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
23:14 < diegoviola> bridging means having a tun virtual device and assigning ip's to that device to connect to the vpn right?
23:14 < diegoviola> and routing means only having to add a special netmask to the physical device?
23:15 < diegoviola> or ip
23:15 < diegoviola> i need a scalable solution that will allow me to use any *ip* phone just as easy as one computer, or whatever
23:38 < Bushmills> diegoviola, other way around, bridging gives you a tap device.
23:38 < Bushmills> non-bridging config gives tun
23:40 < diegoviola> oh, so both requires a virtual device
23:41 < Bushmills> yes. well, require .. those come up automatically when vpn connects
23:41 < diegoviola> what worries me is, how i will configure my ip phones to use vpn?
23:41 < Bushmills> by routing through the vpn deivce
23:41 < Bushmills> device
23:41 < diegoviola> i know snom does openvpn, but i can't force my customers to get it
23:43 < diegoviola> Bushmills: so i will need a computer here that is connected with openvpn and route the phones through that?
23:43 < Bushmills> my default route goes through the tun device given by openvpn
23:44 < Bushmills> looks like this: http://forthfreak.net/snap/route.png
23:45 < Bushmills> also, the vpn server can push routes
23:46 < Bushmills> (telling the client to use server specified routes)
23:46 < Bushmills> that's probably what you want for your clients because then they don't need to bother
23:47 < diegoviola> yeah but i don't know if my ip phones will be able to add a tun device
23:47 < diegoviola> i'm a bit confused, i will give it a try
23:47 < diegoviola> thanks
23:47 < Bushmills> where will openvpn client run?
23:49 < diegoviola> oh customers machines
23:49 < Bushmills> that's where the tun device will be
23:49 < diegoviola> yep i see
23:49 < Bushmills> and where a route to specify to route through vpn will exist
23:49 < diegoviola> i was confusing myself with the "routing" name, i thought that routing didn't require a virtual device
23:49 < diegoviola> i see
23:49 < Bushmills> virtual device is just like a real device
23:49 < diegoviola> got it
23:50 < Bushmills> routing goes to one or the other
23:51 < diegoviola> i see
23:54 < Bushmills> hehe ...
23:55 < Bushmills> 16 tasks running ... on a machine with 2 kilobytes RAM
23:55 < diegoviola> nice
23:58 < Bushmills> stacks using more than half of that
23:59 < Bushmills> looks a bit bizarre, that board: http://forthfreak.net/pari/board.jpg
--- Day changed Sun Mar 15 2009
00:06 -!- sg [n=hypercub@unaffiliated/supergeek] has joined ##openvpn
00:06 < diegoviola> interesting, whats that?
00:06 < sg> Question: Does the server that is running OpenVPN have to be my network's router?
00:07 < Bushmills> sg, no
00:08 < sg> Bushmills: Alright...forgive me, I am a total noob and I could really find a straightforward answer in the FAQ
00:08 < Bushmills> sg, no worries
00:08 < sg> When a client connects to the VPN, then, does it get assigned an IP address on my network?
00:09 < Bushmills> sg, it will have two addresses, at least. one for physical interface(s), and one for the virtual device used by openvpn
00:10 < Bushmills> the virtual device is being assigned an ip address specific for the net your vpn machines are in
00:10 < sg> gotcha
00:10 < Bushmills> for all it matters, the virtual device looks and feels like a physical device.
00:10 < sg> can i change that virtual device IP to be assigned via DHCP from the VPN-server's network from an existing DHCP server?
00:12 < Bushmills> sg, i doubt that. better leave that task to the vpn server, which knows about the fact that the net for the vpn clients is a bit special
00:13 < sg> oh, ok
00:13 < sg> Bushmills: then with a "standard" config can devices in the openvpn net interact with other IP addresses on the actual net the openvpn server is connected to?
00:15 < Bushmills> two ways: either the clients route the traffic to local net through the physical interface connected to the local net, or the vpn server does ip forwarding/masquerading/NAT between VPN net and local net.
00:16 < sg> ah
00:16 < sg> i see
00:16 < Bushmills> doesn't make an awful amount of sense to use a vpn on the local net, btw
00:17 < sg> i'm not doing it like that
00:17 < Bushmills> i suppose having a route to local, and a wan route through vpn makes more sense
00:17 < sg> here's my situation
00:17 < sg> i'm stuck on a campus with an extremely restrictive firewall
00:17 < sg> blocks all outbound ports except 80 and SSL
00:17 < sg> >_>
00:17 < Bushmills> ok., piercing
00:18 < sg> so...i have a home server which i hope to setup openvpn on
00:18 < sg> this home server is in another state and is on a net with other devices on it (family member's computers, wii, dvr, etc)
00:18 < sg> what i need to do is be able to connect via a VPN to my home server
00:19 < sg> then be able to interact from my computer with other devices on my home net (family members PCs, wii, dvr etc)
00:19 < Bushmills> sounds quite feasible
00:19 < sg> indeed
00:19 < Bushmills> on your home machine you'd set up masquerading
00:19 < sg> i'm just not sure how to go about doing it seeing as i have no networking experience, let alone experience with openvpn
00:20 < Bushmills> so your vpn client - the campus machine - can see beyond the home machine
00:20 < sg> right...when it interacts with my home network will it use the IP address of my home server or will it be assigned its own?
00:21 < Bushmills> your vpn connection will use ip addresses assigned by yourself. usually an rfc1918 address, like 10.x.x.x
00:21 < Bushmills> so both campus machine and your home server share ip addresses on that net, in addition to other interfaces and addresses
00:22 < sg> got it
00:27 < sg> Bushmills: so if my campus machine decides to say..download something from my dvr, my DVR will see the connecting IP as the home server?
00:27 < Bushmills> sg, that is determined by the route. what connections where to are routed through which interface.
00:28 < sg> this is of course assuming i am on campus and connecting to my home server via openvpn
00:29 < Bushmills> if you route the addresses of your home net through vpn, programs accessing machines on your home net go through the vpn
00:30 < Bushmills> you can also set default route through vpn, in which case also your "normal" traffic uses your home machine as gateway to internet
00:30 < sg> got it
00:30 < Bushmills> (that's about my setup here)
00:31 < sg> how do you set the default route on a windows machine?
00:31 < sg> i freaking hate windows :/
00:31 < Bushmills> sg, you'd probably tell the server to instruct clients to add routes
00:32 < sg> ah
00:32 < Bushmills> but don't ask me about windows. i don't hate it - i probably would if i knew it.
00:32 < sg> ok, then, thanks
00:33 < sg> it's a frustrating and extremely closed platfortm
00:33 < sg> platform*
00:33 < sg> i only use it for video games :)
00:33 < Bushmills> last time i ran windows was under OS/2
00:34 < sg> heh
00:37 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit ["What did you expect me to say?"]
00:51 < sg> is openvpn offline for you guys?
00:51 < sg> i keep getting timed out when i access the site
00:52 < diegoviola> seems to be down here as well
00:52 < sg> damnit.
01:08 -!- sg [n=hypercub@unaffiliated/supergeek] has quit []
01:55 -!- JackPhil [n=chatzill@61.130.215.10] has joined ##openvpn
01:57 < JackPhil> could i put username/password in a config file
01:57 < JackPhil> so it can auto login when i start the vpn client
02:36 -!- JackPhil [n=chatzill@61.130.215.10] has quit ["ChatZilla 0.9.84 [Firefox 3.0.5/2008120121]"]
03:42 < diegoviola> when openvpn.net will be back?
03:46 < hads> When whatever is broken is fixed I'd guess.
04:42 < reiffert> diegoviola: http://beta.openvpn.net/
04:44 -!- reiffert changed the topic of ##openvpn to: openvpn.net is down. try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also intresting: !man !/30 !topology
04:44 -!- ChanServ changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also intresting: !man !/30 !topology
04:44 -!- mode/##openvpn [+t-o reiffert] by ChanServ
04:44 < reiffert> ecrist: when you set -t next time, please tell the chanserv as well.
04:46 < diegoviola> reiffert: thanks
04:46 < diegoviola> reiffert: oh nice, is that a new web site? looks nice
04:47 < diegoviola> except that i'm not much of a flash guy but looks nice
04:47 < diegoviola> =p
05:46 -!- mib_3w7l1r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-6cc4d8933bd2a50b] has joined ##openvpn
05:46 < mib_3w7l1r> hi
05:47 < mib_3w7l1r> is there anyone here ?
05:51 < mib_3w7l1r> hello
05:51 < mib_3w7l1r> noone there ?
06:09 < mib_3w7l1r> hello
06:09 < mib_3w7l1r> noone there
06:13 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)]
06:16 -!- mib_3w7l1r [i=52e6d07c@gateway/web/ajax/mibbit.com/x-6cc4d8933bd2a50b] has quit ["http://www.mibbit.com ajax IRC Client"]
06:35 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
06:38 -!- mib_t3azmg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f01e2d07d20e1d0a] has joined ##openvpn
06:38 < mib_t3azmg> hi
06:38 < mib_t3azmg> is there anyone in here
06:40 < gorkhaan> Hi! I'd like to ask something. I have an OpenVPN server and I'm Masquerading TUN0 to ETH0. Clients are physically connecting to ETH0. So the packets way are kinda this: Internet --> Eth0 --> tun0 <-- (Masquerading) --> Eth0 --> Internet. As U can see eth0 is there twice. This means 2X data flow. My Question is if I'm wanna use Bridging instead of NAT-ing, what is gonna be? :)
06:41 < gorkhaan> NATING: (tun0 data flow) = (2 x eth0 data flow)
06:41 < gorkhaan> Bridging: ???
06:43 < gorkhaan> Anyone plz? :)
06:43 < mib_t3azmg> i just newbies
06:43 < mib_t3azmg> i think you should know the answer
06:44 < mib_t3azmg> after following some tutorial on the net
06:44 < mib_t3azmg> i just finish configuring my openvpn server which running on ubuntu
06:45 < mib_t3azmg> now it is in listening mode
06:45 < mib_t3azmg> i mean i able to ping my openvpn server
06:45 < Mark```> cannot connect?
06:45 < gorkhaan> I cant afford to modify now, cos' clients are connected. I've found bridging tutorial, I can do it, but I wanna be sure it is gonna be better if I bridging. :)
06:46 < Mark```> bridging isnt better
06:46 < Mark```> less efficient
06:46 < Mark```> does not scale well
06:47 < gorkhaan> I see. And what about this data-flow-doubling stuff?
06:47 < mib_t3azmg> is it normal that it display this error ? : http://pastebin.ubuntu.com/131496/
06:47 < Mark```> so you have a server somewhere with an ethernet port, traffic comes in from clients, then goes back out?
06:47 < gorkhaan> yes on the same interface: ETH0
06:47 < Mark```> that sounds normal
06:47 < mib_t3azmg> or what i have to do ?
06:47 < Mark```> just like a proxy.. 2x the traffic is used
06:47 < Mark```> you are working for the client
06:47 < Mark```> then sending him the results
06:47 < Mark```> mib_t3azmg, TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
06:48 < Mark```> some other program is already using port 1194
06:48 < Mark```> probably another copy of openvpn
06:48 < Mark```> you can check with something like
06:48 < Mark```> netstat -anp | grep 1194
06:48 < mib_t3azmg> sudo netstat -anp | grep 1194 udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn
06:49 < gorkhaan> okay then. thx Mark. I stay with NAT.
06:49 < gorkhaan> thx
06:49 < mib_t3azmg> i can't understand why it display 0.0.0.0 ?
06:49 < Mark```> is the openvpn server on the same switch 06:50 < Mark```> 0.0.0.0 means ALL 06:50 < Mark```> wildcard 06:50 < Mark```> etc 06:50 < Mark```> * 06:50 < mib_t3azmg> k 06:50 < Mark```> gorkhaan: are clients and openvpn server on the same switch? 06:51 < mib_t3azmg> as i say before this is the tutorial that i follow 06:51 < mib_t3azmg> http://doc.ubuntu-fr.org/openvpn 06:51 < Mark```> what is the problem mib 06:51 < Mark```> if netstat says 06:51 < Mark```> udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn 06:51 < Mark```> udp 0 0 0.0.0.0:1194 0.0.0.0:* 6481/openvpn 06:51 < Mark```> means openvpn is running 06:51 < Mark```> udp port 1194 06:52 < mib_t3azmg> k so everything working correctly is it ? 06:52 < Mark```> i cant tell 06:52 < gorkhaan> Mark: Nope. I've got 1 eth0, 1 tun0 for server. so Clients are connected on eth0, then traffic goes to tun0, then traffic goes back to eth0 to the clients. THat's why data flow is doubled on eth0 06:52 < Mark```> but its definately running 06:53 < Mark```> yea gorkhaan, theres nothing you can do 06:53 < Mark```> its just a fundamental fact of how that is 06:53 < Mark```> any type of 'middle man' 06:53 < gorkhaan> Okay, thanks :) 06:53 < Mark```> proxy.. vpn.. etc when used like that 06:54 < Mark```> np 06:54 < mib_t3azmg> k so can i follow the rest of tutorial to configure on the client side ? 06:54 < Mark```> yea 06:54 < mib_t3azmg> thx Mark``` 06:54 < Mark```> i havent read french in so long 06:54 < gorkhaan> Last question: I'd like to Compile OpenVPN to windows, Because I'd like to use auth-user-pass for Autologin for my clients. Which compiler should I use for do that? I need to set a FLAG before compiling there is in the Manual I've read. 06:55 < Mark```> but your openvpn server is running if netstat says that 06:55 < Mark```> just remember for client.. 
udp and port 1194
06:56 < mib_t3azmg> k
06:56 < gorkhaan> On linux it's working auth-user-pass /etc/openvpn/autologin autologin file contains my Username and passwd. that's fine. but this isnt working on winsh*t. because it isnt compiled that way
06:56 < Mark```> gorkhaan: this guy says it is 'painful': http://ehsanakhgari.org/blog/2008-05-04/compiling-openvpn-windows
06:56 < Mark```> he has notes on how he did it
06:56 < gorkhaan> thx let's see
06:57 < mib_t3azmg> well this is the openvpn client file configuration
06:57 < mib_t3azmg> http://pastebin.ubuntu.com/131498/
06:57 < Mark```> mib_t3azmg, you have proto tcp in your client
06:57 < mib_t3azmg> as you can see i choose TUN type
06:57 < Mark```> but your server is using udp
06:58 < Mark```> must be the same
06:58 < Mark```> udp or tcp
06:58 < Mark```> but both must be the same
06:58 < mib_t3azmg> yes it is udp
06:58 < mib_t3azmg> ok i will change
06:58 < Mark```> also
06:58 < Mark```> remote xx.xx.xx.xx 443
06:58 < Mark```> means port 443
06:58 < Mark```> you have 1194
06:58 < Mark```> so needs to be
06:58 < Mark```> remote xx.xx.xx.xx 1194
06:59 < mib_t3azmg> thx for your remark
06:59 < mib_t3azmg> a lot
06:59 < Mark```> np
06:59 < mib_t3azmg> so if i understand correctly
06:59 < mib_t3azmg> on the line 5
07:00 < mib_t3azmg> remote xx.xx.xx.xx 443 (replace the xxxx.xx with your server's address)
07:00 < mib_t3azmg> i have to put my openvpn server public ip something like 82.02.211.123 1194 is it ?
07:00 < Mark```> yes
07:01 < Mark```> thats correct
07:01 < Mark```> remote 82.02.211.123 1194
07:01 < mib_t3azmg> yeah
07:01 < mib_t3azmg> excellent
07:01 < mib_t3azmg> http-proxy-option AGENT "xxxxxxxxxxxx" (custom user agent)
07:01 < Mark```> i dont know that option
07:01 < Mark```> i dont use it
07:01 < mib_t3azmg> is it necessary to fill up that option
07:02 < mib_t3azmg> ?
07:02 < Mark```> i would just remove it
07:02 < mib_t3azmg> k
07:02 < mib_t3azmg> user agent you don't know
07:02 < mib_t3azmg> so i can remove that one from client configuration file ?
07:03 < mib_t3azmg> so can i remove that option from client configuration file ?
07:03 < Mark```> yea
07:03 < gorkhaan> One more "problem": I'm doing PortForward to my clients. When they connect, a script runs and updating the firewall to set the PortForward to their IP. When they disconnect _normally_ portforward gonna be deleted from the firewall. That's fine. But if some of my clients are disconnecting HARD, I mean they don't use the normal Disconnect button ( in OpenVPN GUI ), from my firewall the portforward stays there, even if the client disconnected ( hard ). T
07:03 < gorkhaan> hat's bad because "they are spamming" my firewall with this. I often need to use a default FW script: iptables-restore vpnfirewall. Is there a chance to solve this? (
07:04 < mib_t3azmg> coool
07:05 < mib_t3azmg> as you can see i follow that tutorial to have full access on my gsm phone
07:05 < Mark```> gorkhaan maybe a separate script
07:05 < Mark```> i dont know
07:05 < gorkhaan> how do u mean? :)
07:05 < Mark```> like something that checks clients being alive
07:05 < Mark```> openvpn keepalive doesnt detect eventually?
07:06 < gorkhaan> But even if it detects openvpn server wont run my clientdisconnect.sh script, which deletes the portforward rules... or am I wrong?
07:07 < gorkhaan> I post my server.conf, a mom
07:07 < Mark```> hmm
07:08 < gorkhaan> http://pastebin.com/d53488993 there u go
07:09 < gorkhaan> as u can see: client-disconnect /etc/openvpn/config/vpnserver/clientdisconnect.sh the DC script
07:10 < gorkhaan> U said that: like something that checks clients being alive. I can write a ping script for it, but is there a way with openvpn to solve this? :)
07:10 < Mark```> does clientdisconnect ever run
07:10 < Mark```> ?
07:10 < Mark```> even if client clean disconnects?
07:10 < Mark```> i have heard of some bugs where disconnect does not get called
07:11 < gorkhaan> it works, but if openvpn dont catch the ClientDisconnect signal from the client, I'm f_cked :D
07:12 < gorkhaan> my firewall is fckd.
07:12 < gorkhaan> It isnt a big deal, but sometimes it's driving me to nuts. XD
07:12 < Mark```> hmm
07:13 < gorkhaan> http://pastebin.com/d5690d9fd
07:13 < gorkhaan> here is my client disconnect script
07:15 < gorkhaan> echo $ifconfig_pool_remote_ip > ./lool dont bother I forgot to comment it out. I was testing does the environmental works. It is. :)
07:16 < Mark```> hmm
07:16 < Mark```> http://forums.whirlpool.net.au/forum-replies-archive.cfm/1020191.html
07:16 < Mark```> maybe you have no timeouts?
07:16 < Mark```> Its cool all... The client-disconnect script does run but it takes a few minutes before it does (3-4 minutes).
07:16 < Mark```> Thanks.
07:16 < Mark```> so maybe need to adjust keepalive
07:16 < Mark```> default might be 5-10 minutes
07:17 < gorkhaan> Where do i need to place "keepalive"? to server config?
07:18 < gorkhaan> because I have there: keepalive 20 120
07:20 < gorkhaan> Mark: never mind. I'm gonna write a ping script. I will use Cron for that
07:21 < gorkhaan> thanks anyway. :)
07:21 < Mark```> hmm
07:21 < Mark```> i also notice you have a timeout
07:21 < Mark```> are you using xinetd?
07:22 < Mark```> err
07:22 < Mark```> inactive 600
07:23 < gorkhaan> sry. what is xinetd?
07:24 < Mark```> its a tcp server
07:24 < Mark```> like a wrapper
07:24 < Mark```> but i guess the answer is no
07:25 < gorkhaan> u're right. I'm not using it.
07:25 < Mark```> http://209.85.173.132/search?q=cache:Gwc1lWNimpwJ:openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html+openvpn+manual&hl=en&client=firefox-a&gl=us&strip=1
07:25 < Mark```> are several options
07:25 < Mark```> inactive (i dont think you need)
07:25 < Mark```> but maybe ping and ping-exit
07:26 < Mark```> will help you
07:26 < gorkhaan> thx
07:26 < Mark```> hmm
07:26 < Mark```> according to docs
07:26 < Mark```> keepalive is just a combo for ping and ping-restart combo
07:27 < Mark```> i think openvpn should do what you want
07:27 < Mark```> but i am not expert enough to know the answer
07:28 < Mark```> anyway if i dont go to bed my girlfriend will beat me :P
07:28 < Mark```> good luck you guys
07:29 < gorkhaan> :D thanks mate. here is only T-1328. Middle of the day
07:29 < gorkhaan> cu man
07:33 < mib_t3azmg> for me it is not working
07:33 < mib_t3azmg> he's gone
07:35 -!- mib_t3azmg [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f01e2d07d20e1d0a] has quit ["http://www.mibbit.com ajax IRC Client"]
07:52 -!- mode/##openvpn [+o ecrist] by ChanServ
07:52 -!- mode/##openvpn [-t] by ecrist
07:52 -!- mode/##openvpn [-o ecrist] by ecrist
07:52 -!- ecrist changed the topic of ##openvpn to: openvpn.net is down. try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
07:53 < ecrist> reiffert: I forgot about another chanserv mode, separate from mlock, topiclock. it's been turned off and should work as advertised now. :)
08:57 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
09:04 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
09:21 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has joined ##openvpn
09:32 -!- pandrew [n=andrew@79.114.4.185] has joined ##openvpn
09:33 < pandrew> !route
09:34 < pandrew> hey guys!
can i push routes with explicit gateways to clients?
09:34 -!- qkf [n=void@cpc3-whit2-0-0-cust661.cdif.cable.ntl.com] has quit []
09:35 < pandrew> i mean everywhere i see push "route ... i only see a network, and a netmask specified. i also need to specify the gateway
09:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:15 < ecrist> pandrew: you may be able to, let me look
10:16 < ecrist> pandrew: did you read the man page?
10:18 < ecrist> well, if you did, you'd see that the route option allows for the specification of a remote gateway
10:18 < ecrist> remember that with routing tables, you need to specify a next-hop that the client already knows how to route, and is on the same subnet as the client.
10:21 -!- diegoviola [n=diego@adsl-142-206.click.com.py] has quit [Read error: 110 (Connection timed out)]
10:53 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:54 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
11:03 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Tvozom"]
11:11 < pandrew> ecrist: i did find a route command, but i didn't realise that it has the same parameters as the push route.
11:11 < pandrew> anyway i tried it now, and it works
11:35 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has joined ##openvpn
11:39 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has quit [Client Quit]
11:39 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has joined ##openvpn
11:47 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
11:47 < mjt> heh. So openvpn.net is STILL/AGAIN/whatever down.
11:47 < mjt> oh well.
11:52 < mjt> what's the changes in 2.1-beta16 compared with beta15?
12:14 < mjt> ecrist: ping?
12:15 < mjt> ecrist: do you remember my --port change?
12:23 -!- drzed [n=drzed@80.123.158.163] has left ##openvpn []
12:24 < mjt> ghrm.
Now I'm.. confused again.
12:24 < mjt> -topology subnet requires tap-win32 driver version 8.2 or higher.
12:24 < mjt> is 8.0.0.4 higher or lower than 8.2 ?
12:25 < mjt> if lower, where's 8.2 or higher version?
12:25 -!- vaejovis [i=tweek@67.202.101.69] has joined ##openvpn
12:25 < mjt> (installed 2.1beta16)
12:25 < vaejovis> sup
12:26 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit ["I am off"]
12:26 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has joined ##openvpn
12:35 -!- mepholic [n=what@hydra.weserv.in] has joined ##openvpn
12:36 < vaejovis> sup
12:37 < mepholic> you homo
12:54 -!- pandrew [n=andrew@79.114.4.185] has left ##openvpn []
13:01 -!- vaejovis_ [i=tweek@67.202.101.69] has joined ##openvpn
13:01 -!- vaejovis [i=tweek@67.202.101.69] has quit [Read error: 54 (Connection reset by peer)]
13:15 < mjt> any way on windows to "redirect" dns requests for certain domains to a given nameserver?
13:15 < mjt> like, logging into an office vpn, names in the office should be resolved using the office nameserver, the rest should be done using usual method.
13:16 < mjt> office.example.com => here, the rest => there.
13:38 < mjt> ok, so if dhcp-option DOMAIN and DNS are pushed/configured, win queries the given nameserver for *everything*.
13:39 < mjt> AND it queries the default NS too.
14:08 < CybDev> fun fun fun
14:08 < CybDev> the joys of working with windows
14:11 < mjt> ghrm.. and it started using the office's proxy, too
14:12 < mjt> ok, the `subnet' topology (which seems to be accepted by the windows end).. it does.. strange thing
14:13 < mjt> I have a 192.168.67.254 (the server), and .221 and .253 (two clients).
14:13 < mjt> when pinging .253 from .221, the ICMP reaches the server (.254), which sends a REDIRECT
14:14 < mjt> 192.168.67.254 > 192.168.67.221: ICMP redirect 192.168.67.253 to host 192.168.67.253, length 68
14:14 < mjt> pinging even
14:15 < mjt> should i disable icmp-redirects on the server for that? The redirect it sends is umm...
wrong.
14:16 < mjt> well, both .253 and .221 are accessible on this interface, but it's not an ethernet interface (tun)
14:16 < mjt> so the redirect will lead back to the server again.
14:18 < mjt> disabling send_redirects does not help, the redirect is still being sent.
14:23 < mjt> got it. When using fake nexthop on the server config it works.
14:35 < mjt> damn. this is just insane.
14:36 < mjt> if one does not sent script-security, openvpn barfs about it being too low and scripts will not be executed. If it's set to 2 as suggested, just to shut the damn NOTE up, it barfs that it's too high and that scripts now may be executed.
14:36 < mjt> s/sent/set/
14:37 < mjt> any way to shut down the warning about "extremely common" 192.168.0.x 192.168.1.x subnets?
14:37 < mjt> (which I don't use anyway, so it's false)
14:46 < mjt> ok, so the only way is to patch that nonsense out. oh well.
14:57 -!- vaejovis_ [i=tweek@67.202.101.69] has quit ["leaving"]
15:05 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:06 < rashed2020> Hello everyone
15:06 < rashed2020> !howto
15:06 < rashed2020> Isn't that how it works?
15:06 < mjt> the bot's down, it seems
15:07 < rashed2020> Well, I'm trying to set up a VPN
15:07 < rashed2020> But moving from Hamachi to OpenVPN doesn't seem like the easiest thing to do
15:07 < rashed2020> Could you recommend any guides?
15:08 < mjt> not me
15:08 < mjt> 2nd day with it ;)
15:09 < rashed2020> Did you get it to work yet?
15:09 < mjt> not in a way i want it to be.
15:09 < mjt> but that requires source changes anyway
15:09 < rashed2020> Ok yea, don't go there.
15:09 < rashed2020> That's gonna scare me off
15:10 < mjt> already did...
15:10 < mjt> ;)
15:10 < rashed2020> lol
15:30 -!- Bushmills changed the topic of ##openvpn to: openvpn.net is down.
try http://beta.openvpn.net/ || Check your firewall || We need !logs and !configs || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
15:37 < CybDev> O_o
15:37 -!- Dougy [i=Douglas@64.18.154.248] has joined ##openvpn
15:37 < Dougy> hey all
15:37 < Dougy> Whats up?
15:37 < CybDev> do i smell a move to a commercial license :-/
15:37 * Dougy waves to ecrist
15:37 < Dougy> Hey, I haven't used openvpn in a while and dont have any idea what I'm doing
15:38 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
15:38 < Dougy> krzee!
15:38 < krzee> yeeee
15:38 < Dougy> say i have a real ip block, say 50.50.50.50/27, and I want openvpn to give each client one of those ips (a real one), and have it show as their IP when they surf (same thing as redirect-gateway, but the actual real ip allocated by the vpn shows as their ip instead of the one openvpn is bound to)
15:38 < Dougy> how would i go about this
15:39 < krzee> could bridge and hand out those ips prolly
15:39 < krzee> or could do a bi-directional nat
15:39 < Dougy> krzee: you forgot how stupid i was when i was actively doing stuff
15:39 < mjt> why not just use topology=subnet
15:39 * Dougy tried the cheap way
15:39 < krzee> Dougy, then you are asking a question above your skill level
15:39 < Dougy> krzee: obviously
15:41 < Bushmills> Dougy, sounds like a waste of precious ip addresses - vpn ip addresses can't be directly contacted by non-vpn machines anyway
15:41 < Dougy> Bushmills: it's a waste if a lot of ip's are in use
15:41 < Dougy> There's only 5 clients
15:41 < Dougy> so not a big deal
15:42 < Bushmills> Dougy, for logging access, whether you use rfc1918 addresses or your 50.x.x.x net addresses makes no difference
15:42 < Dougy> Bushmills: it's not that
15:42 < Dougy> I feel like making it seem like its a corporate network
15:42 < Dougy> when people are connected are on and around on the interwebs
15:42 < mjt> what's wrong with using real IPs and subnet
topology?
15:42 < Dougy> the office network up here at the DC has a /26 routed
15:42 < Dougy> for 3 computers
15:43 < Dougy> my ip is
15:43 < Bushmills> do you know corporate networks with the clients exposed to the net through public ip addresses?
15:43 < Dougy> nope
15:43 < Bushmills> so why would it feel like a corporate network if you use those?
15:43 < Dougy> Bushmills: it's hard for me to explain it
15:43 < Dougy> the way I want
15:43 < Dougy> :p
15:44 < Bushmills> well. shouldn't make a big difference whether you set up the server to use 50.x.x.x or 10.x.x.x addresses for clients
15:45 < mjt> it makes no difference at all
15:45 < Dougy> meh forget it
15:45 < Bushmills> it does. in one case, you need to press a key which is slightly more to the left than in the other key when configuring.
15:46 < mjt> it's idiocy Bushmills
15:46 < Bushmills> mjt, i don't judge on sense. if Dougy wants it, it's his choice.
15:47 < Bushmills> just pointing out that it doesn't make a lot of should suffice.
15:47 < Dougy> krzee
15:47 < Dougy> pm
15:47 < mjt> ok
15:49 < mjt> what's the "sense" behind --keepalive option?
15:49 < krzee> mjt
15:49 < mjt> i mean, it expands to `if mode server: ping 10; ping-restart 120"
15:50 < krzee> oh ok
15:50 < krzee> was gunna say that
15:50 < Bushmills> mjt, besides, it could be that he has 17 million interfaces on his local nets, and exhausted the rfc1918 address space.
15:50 < mjt> but why restart?
15:50 < krzee> you saw what ping and ping-restart do?
15:50 < mjt> it just restarts every 120 secs
15:50 < krzee> cause if no ping responses in that amount of time, it'll restart
15:50 < mjt> ad infinitum
15:50 < mjt> yes
15:50 < mjt> but the client is gone
15:50 < krzee> good for making clients re-connect when not responding
15:50 < krzee> exactly
15:50 < krzee> you put it on the clients
15:50 < mjt> and the server restarts and restarts
15:50 < krzee> they'll make it back that way
15:51 < krzee> then dont put it on your server, lol
15:51 < mjt> in `mode server' it should expand to ping-exit, not ping-restart
15:51 < mjt> i think
15:51 < mjt> that's my point
15:51 < Bushmills> but the keepalive only comes into action when connection is not alive anymore, so it can't be really kept alive.
15:51 < mjt> but i wanted to ask first, what sense is behind it..
15:52 < mjt> yes Bushmills
15:52 < krzee> For example, --keepalive 10 60 expands as follows:
15:52 < krzee> if mode server:
15:52 < krzee> ping 10
15:52 < krzee> ping-restart 120
15:52 < krzee> push "ping 10"
15:52 < krzee> push "ping-restart 60"
15:52 < krzee> else
15:52 < krzee> ping 10
15:52 < krzee> ping-restart 60
15:52 < Bushmills> should be more like --reconnect
15:52 < krzee> it does not expand to mode server
15:52 < mjt> sure it does not
15:52 < krzee> according to the manual...
15:52 < mjt> but it expands to different things depending if it's mode server or not
15:52 < krzee> no kidding
15:53 < mjt> and if mode IS server, --keepalive expands to --ping-RESTART
15:53 < mjt> but it makes more sense to make it expand to --ping-EXIT instead
15:53 < mjt> IMHO
15:53 < krzee> it tells the server to restart if a client hasnt responded in DOUBLE the time the client should be reconnecting in if it didnt get a response
15:53 < krzee> so in other words
15:53 < krzee> after 60 the client should reconnect
15:53 < krzee> after 120 if still nothing, server could be the problem, so restart that
15:54 < mjt> hm
15:54 < krzee> see how it pushes a time 1/2 that of what it uses itself...
15:54 < mjt> yes sure
15:54 < krzee> they did it right ;]
15:54 < mjt> but usually there's nothing wrong with the server
15:54 < krzee> and since it was confusing for a lot of people (like you for example) im glad they made a single command for you to use
15:54 < krzee> mjt: then dont use it
15:55 < mjt> the only wrong i can think off right away is a server on a dinamic IP
15:55 < krzee> but it was a good way to do it
15:55 < mjt> dynamic even
15:55 < mjt> fun
15:57 < Dougy> o.O
15:57 < Dougy> krzee: dell box leaves tomorrow hopefully
15:57 < krzee> ya im building some too dougy
15:57 < Dougy> I have.. on my desk right now..
15:57 < krzee> q9400 8gb ram
15:57 < Dougy> nice
15:57 < krzee> 4core
15:57 < Dougy> i know
15:57 < Dougy> lol
15:57 < krzee> that'll be my new desktop running osx86
15:58 < krzee> then im replacing my nfs
15:58 < Dougy> E6750, 4gb, 1x250gb / Q8200, 4gb, 1x320 / 2xPentium 4 2.8, 2gb ram, 120gbg ide
15:58 < Dougy> 120gb*
15:58 < krzee> i grabbed 6 1.5 TB drives
15:58 < Dougy> i just racked another one of those p4's
15:58 < Dougy> i have enough boards and cpu's and drives to build 10 more
15:58 < Dougy> just need chassis
15:59 < krzee> the nfs will be dual core amd64 running fbsd8+zfs
15:59 < Dougy> i have like 5 pentium 4 socket 775's on my desk
15:59 < krzee> also 8GB ram
15:59 < Dougy> doing nothing
15:59 < Dougy> and a bunch of 478's
15:59 < Dougy> nice
16:00 < krzee> ya zfs loves amd64 and lotsa ram
16:00 < Dougy> AMD :<
16:00 < Dougy> er
16:00 < Dougy> amd cpu ?
16:00 < Dougy> or intel
16:00 < krzee> im running it on a i686 with 3gb ram now, and zfs is working...
16:00 < Dougy> nice
16:00 < krzee> but it crashes if i do real stuff on it for like a week
16:00 < krzee> zfs really wants 64bit
16:01 < Dougy> I want to build these servers and rent them out
16:02 < krzee> oh and i grabbed a 500gb drive for the laptop
16:02 < krzee> lil seagate 500gb internal
16:02 < krzee> i was in the usa so i stocked up
16:02 < krzee> i head home tuesday, in peru right now
16:02 < Dougy> ooh
16:02 < Dougy> where were you here
16:02 < krzee> full suitcase full of parts
16:03 < krzee> cali, vegas, orlando for 1 night
16:03 < Dougy> neato
16:03 < krzee> ya i wanted to hit NY
16:03 < krzee> but time just got away from me
16:06 < mjt> Mar 15 23:56:44 csrv ovpn-vtls[5039]: chroot to 'ccd' and cd to '/' succeeded
16:06 < mjt> Mar 15 20:56:44 csrv ovpn-vtls[5039]: GID set to openvpn
16:06 < mjt> it needs tzset() before chroot()
16:07 < krzee> checked the code and it doesnt, but should?
16:07 < mjt> even if it does, it does it wrongly ;)
16:07 < mjt> see the timestamps above
16:10 < Bushmills> krzee, that's under solaris, or the fuse user space driver?
16:10 < krzee> freebsd has been building zfs for awhile
16:10 < krzee> pjd rocks it
16:11 < krzee> its still experimental tho
16:11 < krzee> so i watch it on the freebsd-current mail list
16:14 < mjt> is it worth the effort(s) to send patches like this tzset() one?
16:14 < mjt> and where to send them? :_
16:15 < mjt> ;)
16:40 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
16:40 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:45 < krzee> dougy: check out nerios.net
17:00 -!- bfdjsif [n=me@64.18.154.248] has joined ##openvpn
17:00 -!- Dougy [i=Douglas@64.18.154.248] has quit [Nick collision from services.]
17:00 -!- bfdjsif is now known as Dougy
17:00 < Dougy> krzee: yes?
17:00 < Dougy> what about em
17:01 < Dougy> i know the guy who owns it
17:01 < krzee> they're very good
17:01 < krzee> same
17:01 < krzee> danny
17:02 < Dougy> well, i know the owner of systeminplace
17:02 < krzee> ahh
17:05 < Dougy> yea
17:05 < Dougy> woot irc allowed on that freebsd vps
17:06 -!- Dougy [n=me@64.18.154.248] has quit []
17:10 -!- c64zotte1 [n=hans@62-12-246-241.pool.cyberlink.ch] has quit ["Leaving."]
17:11 < rashed2020> !howto
17:11 < rashed2020> dammit, still nothing
17:13 < krzee> my bad
17:13 < krzee> 1min
17:16 < rashed2020> krzee: me?
17:16 < krzee> yup
17:16 < rashed2020> Alright
17:19 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:19 < krzee> !hotwo
17:19 < vpnHelper> krzee: Error: "hotwo" is not a valid command.
17:19 < krzee> bleh
17:19 < krzee> !howto
17:19 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
17:19 < krzee> there we go
17:20 < krzee> dunno how that died
17:20 < krzee> err, the box rebooted, but i expected crontab to start it
17:22 < krzee> ahh there
17:23 < krzee> i forgot -d -m in screen
17:23 < ecrist> evening, krzee
17:23 < krzee> g'evening
17:53 -!- Googleman [n=azerty@82.101.189.37] has joined ##openvpn
17:54 < Googleman> hi all
17:54 < Googleman> anyone can tell me if there way to setup openvpn with pptp client ?
17:55 < krzee> there is not
17:59 < Googleman> what is best way to encrypt connection ?
18:09 < CybDev> rot13 :-)
18:10 -!- |COM|Styx1 [n=Julian@cpe-071-075-056-061.carolina.res.rr.com] has joined ##openvpn
18:10 < |COM|Styx1> hello
18:10 < |COM|Styx1> anyone have experience with openvpn + qemu?
18:12 < ecrist> nope, sorry
18:12 < ecrist> rot26
18:13 < |COM|Styx1> ?
18:13 < krzee> Googleman, default uses blowfish for data channel
18:13 < krzee> which many consider to be a good encryption method
18:19 < ecrist> krzee, when do you want that server fired up?
18:19 -!- |COM|Styx1 [n=Julian@cpe-071-075-056-061.carolina.res.rr.com] has left ##openvpn ["Leaving."]
18:19 < krzee> not yet
18:21 < ecrist> I'm picking up another new-to-me server tomorrow
18:22 < ecrist> little Dell 1850
18:22 < ecrist> going to segregate some of my services again.
18:23 < krzee> abraham lincoln would be mad
18:23 < ecrist> lol
18:23 < ecrist> I'm getting too many hosted services on the one box that's public facing.
18:23 < ecrist> my email, web, everything runs on that box.
18:24 < ecrist> so, going to put their shit on the new box, only a single-core Xeon, and keep my stuff on the current box. I think.
18:24 < ecrist> I might change things up, too.
18:24 < ecrist> that way, when one of the shitty little sites gets hacked again, I'm not suffering.
18:26 < ecrist> that, and I might be hosting more than some hobby boxes soon.
18:26 < ecrist> one guy's talking about subsidizing multiple T1s and helping pay for a generator.
:P
18:27 < krzee> sick
18:28 < ecrist> did the math recently. cheaper over three years to buy a generator and two T1s than host in a colo with real space
18:28 < ecrist> power in DCs has gotten seriously expensive
18:29 < ecrist> my employer's colo bill just went up $400/mo for an electricity surcharge.
18:34 -!- Googleman [n=azerty@82.101.189.37] has quit []
19:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
19:35 < mepholic> !topology
19:35 < vpnHelper> mepholic: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
20:11 -!- nemysis [n=nemysis@103-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
20:12 -!- nemysis [n=nemysis@220-238.1-85.cust.bluewin.ch] has joined ##openvpn
20:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:22 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
20:40 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
21:03 < rashed2020> !howto
21:03 < vpnHelper> rashed2020: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:04 < rashed2020> Is there any specific reason why I shouldn't use OpenVPN 1.X?
21:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
22:08 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:33 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
23:11 -!- Phoenixfire159 [n=Phoenixf@c-71-236-122-148.hsd1.pa.comcast.net] has joined ##openvpn
23:12 < Phoenixfire159> help, I'd like openvpn to update an ldap database with client ip address on virtual network when a client connects and disconnects
23:12 < Phoenixfire159> how to do this?
23:12 < Phoenixfire159> I'm looking at client-config-dir, is this the right direction?
23:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:51 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
--- Day changed Mon Mar 16 2009
00:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
00:18 -!- Phoenixfire159 [n=Phoenixf@c-71-236-122-148.hsd1.pa.comcast.net] has left ##openvpn []
00:40 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:49 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
00:52 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
00:58 -!- jjjwoi [n=www@moscow.perfect-privacy.com] has joined ##openvpn
00:58 < jjjwoi> can anyone tell me how to prevent so called 'DNS-leaks'?
01:10 -!- breestrees [n=matt@pcp045799pcs.pcv.reshall.calpoly.edu] has joined ##openvpn
01:10 < jjjwoi> breestrees, hello
01:10 < breestrees> when openvpn creates the tun device on linux, what is the actual command it uses? i need to add this command to the sudoers file. hello jjjwoi
01:12 < jjjwoi> breestrees do you know how to prevent so called 'DNS leaks'?
01:13 < breestrees> what do you mean by leaks
01:13 < breestrees> you mean you want dns requests to be forwarded through the tunnel?
01:13 < jjjwoi> i dont want my true IP to show up
01:15 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:19 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)]
01:53 -!- glguy [n=eric@pdpc/supporter/professional/glguy] has joined ##openvpn
01:55 -!- breestrees [n=matt@pcp045799pcs.pcv.reshall.calpoly.edu] has quit ["Leaving"]
02:21 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:56 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
03:08 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:09 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
03:58 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:58 < joelsolanki> Hello all
04:00 < joelsolanki> does openvpn works perfect on 64 BIT windows 2003 server ?
04:01 < joelsolanki> i am having issues on this.
04:01 < joelsolanki> dont know voip stuff is giving trouble
04:02 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)]
04:03 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
05:20 -!- jjjwoi [n=www@moscow.perfect-privacy.com] has quit []
05:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
06:11 < joelsolanki> Hi all
06:11 < joelsolanki> is it possible to route public ip thru openvpn ?
06:14 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
06:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
06:58 -!- onats_ [n=onats@122.53.136.244] has joined ##openvpn
06:58 -!- onats_ is now known as onats
07:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:22 -!- cyconx86 [n=cycon@131.203.115.65] has joined ##openvpn
07:23 < cyconx86> hey all.
quick question. if i can start an openvpn daemon session from command line but not init.d service, what's the next thing I should check?
07:23 < cyconx86> am getting error "Options error: In [CMD-LINE]:1: Error opening configuration file:"
07:30 < dazo> cyconx86: do you give the full path to your config file? Can you (as the user you want to start openvpn) do cat ?
07:31 < cyconx86> dazo: i've tried defining the full path in the init.d script, yes. i'm attempting to start as root at the moment, just to eliminate permissions issues
07:32 < dazo> cyconx86: actually, that will not be successful ... when I think about it (slow head monday morning) ... openvpn needs root permissions to setup and configure the TUN/TAP device and setup the routes pushed by the server
07:32 < cyconx86> dazo: right - i'm starting as root right now
07:33 < dazo> cyconx86: you can however use the --user option ... which will degrade openvpn permissions to that user when it do not need those permissions anymore
07:33 < dazo> cyconx86: but you anyway need to be root when starting the service
07:33 < dazo> cyconx86: to allow a non-root user to do so .... you can have a look at sudo
07:34 < cyconx86> dazo: but my problem is i can launch the full command from root's bash prompt, but get this issue when calling "service openvpn start"
07:34 < cyconx86> dazo: if I put the command "echo `whoami`" in the startup script it comes back as root
07:34 < dazo> cyconx86: aha! sorry ... I got it the other way around
07:35 < cyconx86> dazo: i've also tried testing via echo all the other $variables in the startup script
07:35 < dazo> cyconx86: whoami can mislead you when called from scripts ...
07:35 < cyconx86> dazo: in any case, any ideas what should i check next?
07:35 < dazo> cyconx86: but if you get the error opening config file ...
Check all permissions (including SELinux if that's used and also getfacl) 07:36 < cyconx86> dazo: aha, that's a good call, hadn't thought about selinux 07:36 < dazo> cyconx86: Which distro are you running? 07:36 < cyconx86> dazo: centos. 07:37 < cyconx86> dazo: if i run "setenforce 0" it lets me start. think you've got it. thanks (c: 07:38 < dazo> cyconx86: check /var/log/messages for audit log entries .... such issues can easily be resolved with some scripts (which I dont recall now) 07:38 * dazo needs to learn SELinux much better 07:38 < dazo> cyconx86: it's probably just wrong context on either config file or config dir 07:38 < cyconx86> dazo: "restorecon -R -v /etc/openvpn" fixes it for good 07:39 < dazo> cyconx86: there you go :) 07:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 07:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:14 < ecrist> mjt: pong? 
08:17 < ecrist> Bushmills: you are incorrect in your statement yesterday 08:17 < ecrist> 15:41 < Bushmills> Dougy, sounds like a waste of precious ip addresses - vpn ip addresses can't be directly contacted by non-vpn machines anyway 08:17 -!- cyconx86 [n=cycon@131.203.115.65] has left ##openvpn ["Leaving"] 08:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit] 08:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:38 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn --- Log closed Mon Mar 16 08:54:35 2009 --- Log opened Mon Mar 16 16:24:22 2009 16:24 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 16:24 -!- Irssi: ##openvpn: Total of 47 nicks [0 ops, 0 halfops, 0 voices, 47 normal] 16:24 -!- Irssi: Join to ##openvpn was synced in 1 secs 16:24 < ecrist> ugh 16:25 < ecrist> Francis Dinha says they're having problems with a hosting provider, which is the cause of their outages lately. 16:34 -!- nemysis [n=nemysis@220-238.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 16:36 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has joined ##openvpn 16:45 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 16:46 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 16:57 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)] 17:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:26 -!- skx [i=skx@217.17.32.190] has left ##openvpn [] 18:34 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 18:47 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 19:10 < sigmonsays> anyone know of a command line interface to the management port of openvpn? 
19:10 < sigmonsays> admittedly i haven't even gone through all the commands, but it appears somewhat powerful 20:57 -!- sg [n=hypercub@unaffiliated/supergeek] has left ##openvpn [] 20:57 -!- sg [n=hypercub@unaffiliated/supergeek] has joined ##openvpn 21:00 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:09 < ecrist> sigmonsays: yea, telnet localhost 21:17 -!- Mark``` [n=mark@ip24-56-23-192.ph.ph.cox.net] has quit [Remote closed the connection] 21:23 -!- sg [n=hypercub@unaffiliated/supergeek] has quit [Read error: 110 (Connection timed out)] 21:23 -!- DaveQB [n=DaveQB@dward.us] has left ##openvpn ["Kopete 0.12.4 : http://kopete.kde.org"] 21:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 21:47 -!- mepholic is now known as astlin 22:01 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 22:05 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:37 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt 22:38 -!- Netsplit over, joins: mjt 22:50 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt, clustermagnet, dazo, blaxthos, Bushmills 22:51 -!- Netsplit over, joins: dazo, Bushmills 22:51 -!- blaxthos [n=blaxthos@64.94.108.181] has joined ##openvpn 22:51 -!- Netsplit over, joins: clustermagnet 22:51 -!- Netsplit over, joins: mjt 23:30 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 23:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] --- Day changed Tue Mar 17 2009 00:00 -!- dr_octalgon [n=dr_octal@c-71-204-128-111.hsd1.ca.comcast.net] has joined ##openvpn 00:01 < dr_octalgon> hi guys, I think I've found a bug in the proposed bridge-setup script, should I just mail info@openvpn? Or is there a bugtracker I should file at?
00:12 -!- dr_octalgon [n=dr_octal@c-71-204-128-111.hsd1.ca.comcast.net] has left ##openvpn [] 00:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: sigius, astlin, rdz, simplechat 00:49 -!- astlin [n=what@hydra.weserv.in] has joined ##openvpn 00:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 00:49 -!- simplechat [n=betabot@li20-55.members.linode.com] has joined ##openvpn 00:49 -!- rdz [i=roman@netpd.org] has joined ##openvpn 00:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [SendQ exceeded] 00:49 -!- rdz [i=roman@netpd.org] has quit [SendQ exceeded] 00:50 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn 00:50 -!- rdz [i=roman@netpd.org] has joined ##openvpn 00:50 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [Connection reset by peer] 00:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 00:51 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 00:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 01:01 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn 01:01 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: astlin 01:02 -!- Netsplit over, joins: astlin 01:02 -!- astlin [n=what@hydra.weserv.in] has quit [SendQ exceeded] 01:55 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn 01:57 < Chrnos> Hello, any1 know how i can fix high latency i have between server and clients? i'm using tap 01:58 < reiffert> latency is an attribute of the media and internetwork between server and client. 02:04 < Chrnos> what you mean? 
02:07 < Chrnos> i know the ping varies depending on the location between the server and users, but what I'm saying is: if I ping the vpn server's LAN ip I have high latency, while if I ping the server's public ip the ping is "normal"; in other words, in the vpn I get high pings 02:09 -!- mepholic_ [n=what@hydra.weserv.in] has quit [Read error: 110 (Connection timed out)] 02:22 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 02:22 < geaaru> hi, is it possible to configure the openvpn server to assign a dedicated ip address to a dedicated certificate? 02:22 < geaaru> thanks in advance 02:22 < reiffert> Chrnos: Alright. Draw a picture of your network infrastructure, give us your config and define the difference between high and normal. Also hand us your firewall configuration. 02:23 < reiffert> geaaru: yes. 02:24 < reiffert> bbl, work. 02:24 < geaaru> can you give me a link where this is described, please? 02:37 < krzee> geaaru, 02:37 < krzee> !iporder 02:37 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 02:37 < krzee> you prolly want ccd 02:37 < krzee> (choice #2) 02:37 < krzee> !ccd 02:37 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name 02:38 < geaaru> ah ok, thank you very very much for replies 02:38 < krzee> np 02:42 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 02:42 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 02:44 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 02:45 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 02:49 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 02:51 < tjz> hey jeff 02:51 < tjz> :P 02:51 < tjz> btw, is it possible to 1 command to generate our .ca, .crt cert/ 02:52 < krzee> in ssl-admin, yes 02:52 < krzee> !ssl-admin 02:52 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 02:52 < tjz> does this include generate our ovpn file? 02:53 < krzee> no, we'll add mind reading in the next version tho 02:53 < krzee> actually, yes it does 02:53 < krzee> but you pre-set the default to take advantage of that 02:54 < tjz> ok 02:54 < krzee> it'll even zip up the package 02:54 < krzee> iirc 02:55 < krzee> check it out 02:55 < krzee> ecrist made it 02:56 < tjz> cool 02:56 < tjz> where is the file? 
02:56 < tjz> =) 02:56 < krzee> dunno man, play with it 02:56 < krzee> or read the manual 02:56 < tjz> lol 02:56 * tjz fainted 02:57 < tjz> lol 02:57 < krzee> gnite, sleep time 02:57 < tjz> ok 02:57 < tjz> gd nite 03:09 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 03:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:44 < Chrnos> reiffert, or other want to help me here my "network infrastructure" http://img4.imageshack.us/img4/6082/lann.jpg and here my config http://pastebin.com/d5775b24c 03:45 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has joined ##openvpn 04:13 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 04:14 -!- c64zottel [n=hans@cust.static.84-253-61-22.cybernet.ch] has quit [Read error: 113 (No route to host)] 04:18 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 04:18 -!- onats [n=onats@122.53.131.243] has quit [Read error: 110 (Connection timed out)] 04:19 -!- onats [n=onats@122.53.136.244] has joined ##openvpn 04:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 04:55 -!- betabot is now known as simplechat_ 05:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:34 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 05:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [] 05:51 -!- Chrnos [i=Kuro@190.53.8.79] has quit ["Saliendo"] 05:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 05:54 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:58 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn 06:02 -!- protocols [n=protocol@p5791FB52.dip.t-dialin.net] has joined ##openvpn 06:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 06:41 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 06:41 < ecrist> morning folks 07:05 < mjt> hi ecrist 07:55 
-!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 08:07 -!- rubydiamond [n=rubydiam@123.236.183.169] has joined ##openvpn 08:09 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 08:13 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 08:34 < ecrist> I'm so ronery, so ronery, so ronery and sadry arone... 08:36 -!- ilreds [i=c2b93a94@gateway/web/ajax/mibbit.com/x-b8ef68d5b8889143] has joined ##openvpn 08:37 < ilreds> hi to all 08:38 < ecrist> howdy 08:38 < rashed2020> Hello everyone 08:39 < rashed2020> In my easy-rsa dir I have to other dirs 08:39 < rashed2020> 1.0 and 2.0 08:39 < rashed2020> Should I delete 1.0 and copy all the files in 2.0 a level up? 08:39 < mjt> you should copy 2.0 to somewhere else and modify it there to suit your needs. 08:40 < rashed2020> I've got a copy of it somewhere else 08:40 < rashed2020> Where does OpenVPN want the files though 08:40 < mjt> it doesn't want hem 08:40 < mjt> them 08:40 < rashed2020> So they're just for me to use? 08:40 < mjt> yes 08:41 < rashed2020> Ok cool, thanks. 09:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:16 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn [] 09:24 < ilreds> using ccd subdirectory configuration, can i push different router for each client? 09:25 < mjt> sure 09:26 < ilreds> mjt: how? simply inserting push route directive into ccd files? 09:27 < mjt> yup 09:27 < ilreds> ok 09:27 < mjt> note that in reality you have only one router... 09:28 < mjt> which topology do you use? 09:43 < dazo> rashed2020: ideally ... the easy-rsa files should be stored on a box not connected to any network at all ... this is your CA, which signs certificate requests and returns a valid certificate for your server and clients ... but you need to copy out your server certificate and put it on your openvpn server. 
Where to place them is up to you, it depends on your config files 09:44 < mjt> dazo: he asked about the scripts, not keys... 09:45 < dazo> mjt: "... copy all the files in 2.0..." ... that's not just keys 09:45 < mjt> thats anything BUT keys ;) 09:46 < dazo> mjt: if you have changed the config ... if not, the keys also come into this directory 09:49 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"] 10:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 10:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 10:41 -!- geaaru [n=geaaru@host176-171-dynamic.44-79-r.retail.telecomitalia.it] has quit ["Leaving"] 10:47 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 10:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 10:49 < jul_> Hello. i have a problem, i installed openvpn client/server, it's ok but when i ping from the client I see the ping on the server (tcpdump) but no return on the client. any ideas ? 10:50 -!- smk_ is now known as smk 10:54 < ecrist> jul_: your question is difficult to understand 10:54 < jul_> ecrist: ok 10:54 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 10:55 < jul_> i have 2 pcs, 1 server 192.168.0.1, 1 client 192.168.0.6 -> when i ping from server to client i see the ping with tcpdump on the client but the ping on the server gets no return 10:57 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 10:58 < jul_> ecrist: is it clearer now ? 11:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:10 < krzee> jul_, are those internal VPN ips? 11:10 < krzee> or the LAN ips? 11:10 < krzee> bridging or routing?
11:13 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:13 < krzee> you shouldnt be using that subnet for the vpn, its too common and wont work when a client has that as its LAN ip 11:13 < krzee> otherwise, its your firewall 11:16 -!- sd1 [n=tux@pD9E7BB17.dip.t-dialin.net] has joined ##openvpn 11:16 < jul_> krzee: VPN ip , routing 11:17 < jul_> these ips are not used in my networks 11:17 < jul_> i use 10.0.0.0 11:21 < jul_> read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 11:22 < jul_> it's because of this error: when i try to ping with verbose 5 -> i see Rwr on server and client 11:23 < dazo> jul_: that's typically the result of iptables blocking access 11:25 < soberbit-work> if i start making vpn keys for clients outside of my company, what would be normal to enter into the attributes of the key? 11:25 < soberbit-work> their company name and email address instead? 11:26 < ecrist> no 11:27 < ecrist> certain pieces of data need to match, or certificates will not be valid 11:27 < soberbit-work> what's the purpose of the email field. 11:27 < ecrist> to have the user's email address 11:28 < soberbit-work> normal to sign the key with my company, city, org, and put the user's own hostname/email in? 11:29 < ecrist> yep 11:32 < hardwire> can you roll your own tunnelblick? 11:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 11:33 < hardwire> I got openvpn gui with a custom config + keys working just fine .. 11:33 < jul_> so strange : i ping from my client to my server, on my client i see the sending and the receiving but ping tells me 100% lost 11:35 < ecrist> hardwire: sure, why not? 11:37 < hardwire> ecrist: I suppose I'd just have to change the packaging and recompile it every time. 11:37 < ecrist> recompile what? 11:38 < hardwire> tunnelblick 11:38 < ecrist> hardwire, what are you re-rolling?
11:38 < hardwire> just need to put custom conf and key files into a package 11:38 < ecrist> you can do that without a recompile 11:38 < hardwire> so that I can just hand it to somebody 11:38 < hardwire> got info? 11:42 < ecrist> hardwire: mac os x .app files are just directories, handled specially by the OS 11:42 < ecrist> put the config is there, distribute. 11:42 < ecrist> easy 11:42 < hardwire> hmm 11:44 < ecrist> this isn't #mac-devel ;) 11:46 < hardwire> sorry. 11:46 < ecrist> you could look into viscosity, as well, they have native support for packaging, iirc 11:47 < ecrist> Easily pre-configure Viscosity so your users don't have to. Viscosity can be set up to automatically create VPN connections on first launch so users are good to go no matter their VPN knowledge. 11:47 < ecrist> ^^^ from their main web site 11:47 < ecrist> !fe 11:47 < vpnHelper> ecrist: Error: "fe" is not a valid command. 11:48 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 11:48 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 11:48 < ecrist> krzee: will you *please* fix my bot access 11:49 < ecrist> !learn fe as Win: OpenVPN GUI (http://www.openvpn.se) 11:49 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 11:50 < ecrist> !learn fe as Linux: OpenVPN Admin (http://sourceforge.net/projects/openvpn-admin/) 11:50 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 
11:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:55 < ecrist> !whoami 11:55 < vpnHelper> ecrist: I don't recognize you. 11:56 -!- mode/##openvpn [+o ecrist] by ChanServ 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:56 -!- vpnHelper was kicked from ##openvpn by ecrist [ecrist] 11:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:57 -!- mode/##openvpn [-o ecrist] by ecrist 12:00 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 12:00 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:00 < ecrist> !whoami 12:00 < vpnHelper> ecrist: ecrist 12:00 < ecrist> grr 12:01 * ecrist looks for his banhammer 12:01 -!- ilreds [i=c2b93a94@gateway/web/ajax/mibbit.com/x-b8ef68d5b8889143] has quit ["http://www.mibbit.com ajax IRC Client"] 12:03 < ecrist> hardwire: http://www.viscosityvpn.com/support/?section=faq&supportid=6 12:03 < hardwire> whats vpnHelper for? 12:04 < soberbit-work> openvpn work in Windows 7? 
12:05 < ecrist> soberbit-work: yes, it does 12:05 < soberbit-work> recommend anything better than this? http://www.fiberworks.com/DNN/Support/OpenVPN/tabid/171/language/en-US/Default.aspx 12:05 < vpnHelper> Title: OpenVPN Windows 7 (at www.fiberworks.com) 12:05 < ecrist> windows 7 is not yet supported, and there can be issues with vista, but it can be gotten to work. 12:06 < dazo> hardwire: vpnHelper is here just to frustrate ecrist ;-) 12:06 < ecrist> indeed 12:06 < ecrist> /kick krzee 12:06 < ecrist> 12:06 -!- ##openvpn You need to be a channel operator to do that 12:06 < ecrist> soberbit-work: that looks fine 12:08 < dazo> soberbit-work: you might want to check out the openvpn mailing list ... you'll find it at sourceforge ... there were some people discussing it there a few weeks ago ... I believe the latest 2.1_RC15 is not supported right out of the box ... but I believe there was an unofficial fix on the openvpn-users list, iirc 12:08 < dazo> soberbit-work: vista works 12:08 < dazo> (RC15, that is) 12:09 < soberbit-work> i don't get a lot of experience with openvpn on xp/vista. first time i got a client returning saying he runs windows 7 12:09 < soberbit-work> still running openvpn-2.0.9-gui-1.0.3-install.exe for XP/Vista clients 12:10 < soberbit-work> not sure if there is a better choice for xp/vista 12:10 < dazo> soberbit-work: 2.1_RC15 is the preferred one for Vista upstream 12:11 < soberbit-work> just going by updates from openvpn.net ? 12:11 < soberbit-work> back in the day it seemed like 3rd party clients were where I was always directed to. 12:13 < dazo> soberbit-work: from one of the mails in the mailing list: "i'd like to say, the latest release (2.1r15), works just FINE, however, the installer doesn't. It seems to check the windows version, and say's it's incompatible.. it worked fine in compatibility mode though." 12:13 < soberbit-work> cool 12:14 < dazo> soberbit-work: a version with a fixed installer for win7 ...
http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe 12:14 < ecrist> the link above indicates use of compatibility mode 12:15 < dazo> ecrist: yeah, but the last installer RC15e tells Win7 its safe to run in native Win7 mode, I believe 12:16 < krzee> heh 12:16 < dazo> it's a tiny thread in openvpn-devel from Jan. 17 2009@07:43 ... "[Openvpn-devel] windows 7 and openvpn" 12:16 < krzee> ./ban ecrist 12:16 < krzee> [12:16] * ##openvpn :You need to be a channel operator to do that 12:16 < krzee> hehe 12:17 < krzee> !learn win7 as http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 12:17 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:18 < krzee> !learn win7 as http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 12:18 < vpnHelper> krzee: Joo got it. 12:19 < soberbit-work> thanks for the help. gonna have the client try both 12:19 < soberbit-work> the rc15 with compat and rc15e without compat 12:20 < dazo> soberbit-work: the only difference is in the installer ... not openvpn binaries 12:20 < dazo> soberbit-work: so jump straight unto the rc15e version ... less hassle 12:21 < soberbit-work> roger 12:30 -!- jul_ [n=jul@colonel.verygames.net] has quit [Read error: 145 (Connection timed out)] 12:34 < krzee> [12:00] !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com) 12:34 < vpnHelper> Title: tunnelblick - Google Code (at code.google.com) 12:34 < krzee> you wanted to have !fe? 
12:34 < krzee> also, if you leave those ()'s around links, they are not clickable in most clients 12:35 < krzee> which is another reason you never end a factoid with a link, it will get an appended comma when another entry is added to the factoid 12:35 -!- protocols [n=protocol@p5791FB52.dip.t-dialin.net] has quit ["Leaving"] 12:43 < reiffert> Hi guys 12:43 < ecrist> heya reiffert 12:43 < sd1> hey 12:44 < reiffert> How to keep customers from taking my offer and buying the stuff themselves, now that they know what they need and what it will approx. cost? 12:44 < Bushmills> hi reiff 12:44 < reiffert> Hi Bushmills 12:46 < ecrist> reiffert: that's hard to do. usually, it's done by offering such things for less than it would cost them to do it themselves. 12:46 < reiffert> ecrist: oh, and thats the point where I need one dedicated hardware dealer, giving me some discount? 12:52 < Bushmills> reiffert, by combining the offer with services, possibly needed services, they can't just buy in the shop. 12:53 < Bushmills> a heap of metal and plastic is different from a working installation 12:53 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has quit [Connection timed out] 12:54 < reiffert> Ah well, I could imagine that they just try to do it themselves. 12:54 < Bushmills> reiffert, who wants customers one can't trust anyway :D 12:55 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has joined ##openvpn 12:55 < reiffert> :) 13:03 -!- sd3 [n=tux@pD9E7E2B9.dip.t-dialin.net] has joined ##openvpn 13:05 < ecrist> reiffert: not necessarily. really, it's a matter of finding a combination of services and products which create a greater benefit for the cost than rolling your own. 13:06 < ecrist> for example, I own a small security company. we do mostly sub-contracting to big companies.
us being small and nimble, we can roll with varying work flows and don't have to worry about lay offs, as we've got many large clients, so having our own staff is worth-while 13:07 < ecrist> those large customers don't want their own staff, as they don't want the hassles of lay offs and the like if they have a lull in business. 13:07 < ecrist> so, it's 'cheaper' for them to pay us $65/hour for each tech, than to pay their own techs $30/hour + benefits + insurance + unemployment insurance + etc etc etc 13:08 < ecrist> even though, when it comes to green, they're paying a higher hourly rate to us than they would the tech. 13:08 < ecrist> in this case, if they have a lull in work, they simply don't call us. 13:08 < ecrist> in your case, you can fill a similar role, and sell it to them as such 13:09 < ecrist> give them a fixed cost for your time, offer service contracts. businesses like *known* costs. an employee is almost always an unknown factor (gotta give them raises, etc) 13:10 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:20 -!- sd1 [n=tux@pD9E7BB17.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 13:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:32 -!- joelsolanki [i=joelsola@124.125.151.27] has joined ##openvpn 13:32 < joelsolanki> Hey all 13:32 < joelsolanki> morning / afternoon :)( 13:32 < joelsolanki> :) 13:33 < ecrist> hi 13:33 < joelsolanki> oh hey 13:34 < joelsolanki> i wanted to ask a question 13:34 < joelsolanki> can we route a single public ip or a bunch of Ips thru openvpn ? 13:39 < joelsolanki> ecrist: you there ?
13:40 < ecrist> yep 13:40 < ecrist> the answer is yes 13:40 < joelsolanki> oh :) 13:40 < joelsolanki> any hints or suggestions on this 13:41 < joelsolanki> i m thinking to use linux as openvpn server 13:45 * Bushmills would use openvpn as openvpn server instead 13:47 < Bushmills> joelsolanki, and yes, you can sort of route public ip addresses through openvpn, sort of. assuming you mean "allow world to connect to openvpn client as if it was the machine with the pub address, while in fact the server has that address" 13:47 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 13:53 < joelsolanki> aha 14:02 < ecrist> Bushmills: why can't openvpn be used to 'actually' route real IPs? 14:02 < ecrist> please explain yourself 14:03 < joelsolanki> if we route then at least the traffic will be encrypted as it passes thru the vpn, so thats fine. 14:04 < joelsolanki> i dont see any security issue. but it could be if any one has tested 14:04 < joelsolanki> i dont see any security i mean 14:09 < ecrist> joelsolanki: it can be done, and has been done. that's all you should need to worry about, provided you setup routing accordingly. 14:10 < Bushmills> ecrist, you'd use the routing facility of the OS, and openvpn merely as the network transport. 14:12 -!- joelsolanki [i=joelsola@124.125.151.27] has quit [] 14:14 < ecrist> Bushmills: I think you're over-complicating things. 14:14 -!- Cyllene [i=OdsIJx7t@unaffiliated/cyllene] has joined ##openvpn 14:15 < ecrist> you *can* route public IPs through OpenVPN without issue 14:15 < Cyllene> Hi, I am using the openvpn source code as a muse to my code. I have found this: 14:15 < Cyllene> #define ASSERT(x) do { if (!(x)) assert_failed(__FILE__, __LINE__); } while (false) 14:15 < Cyllene> What's the point of the do/while loop if the condition is false? 14:16 < ecrist> Cyllene: no developers here for openvpn, just support community.
though, some here may develop, nothing specific to OpenVPN 14:16 -!- sd3 [n=tux@pD9E7E2B9.dip.t-dialin.net] has left ##openvpn [] 14:16 < Cyllene> I see. 14:20 < Bushmills> ecrist, i do route pub ip through openvpn. though in my case i use the DNAT target of iptables, though i am confident that adding a route to the routing table could work as well. i don't know of an openvpn-only way. 14:20 -!- Cyllene [i=OdsIJx7t@unaffiliated/cyllene] has left ##openvpn [] 14:21 < mjt> do{}while(false) executes exactly once 14:21 < mjt> but syntactically it can be placed between if() and else 14:21 < mjt> unlike the if that's inside that {} 14:22 < mjt> if (foo) ASSERT(bar); else baz; 14:24 < ecrist> Bushmills: as an example, if you've got a /28 and a /30 from your ISP, with your endpoint for the /30 being your OpenVPN server, you can have your ISP set a static route for the /28 to point to your endpoint for the /30, at which point you simply use the /28 as your OpenVPN address space 14:24 < Bushmills> ecrist, yes, i think i mentioned adding a route. 14:25 < Bushmills> still, this is what i consider "using OS facilities", not "using openvpn" 14:26 < mjt> you have to have the IP addresses somehow. 14:26 < ecrist> you're over-complicating your explanation. you can route public IPs over an OpenVPN connection 14:26 < Bushmills> i don't argue with that 14:34 < ecrist> and yes, you can sort of route public ip addresses through openvpn, sort of. 14:34 < ecrist> those are your words. sort of is incorrect. you *can*. 14:36 < Bushmills> that was "can .. using openvpn" but you told how you "can... using OS routing facility" 14:37 < Bushmills> how do you route public ips with openvpn instead, then?
14:37 < ecrist> define a specific usage and I'll give you a specific example 14:38 < ecrist> or, read !route 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 15:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 104 (Connection reset by peer)] 15:32 -!- mib_0400sz [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a438ef8ea570c942] has joined ##openvpn 15:32 < mib_0400sz> hi 15:32 < mib_0400sz> there 15:32 < mib_0400sz> is there anyone here ? 15:33 -!- mib_0400sz [i=52e6d07c@gateway/web/ajax/mibbit.com/x-a438ef8ea570c942] has quit [Client Quit] 15:33 < krzee> lol 15:35 -!- mib_oyzxjo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f0ac0f47614287e7] has joined ##openvpn 15:35 < mib_oyzxjo> hi 15:35 < krzee> hey 15:35 < krzee> just ask your question 15:35 < mib_oyzxjo> thx 15:35 < mib_oyzxjo> well 15:36 < mib_oyzxjo> i try to generate a key each time it give me 15:36 < mib_oyzxjo> unable to write 'random state' 15:36 < mib_oyzxjo> is it normal ? 15:37 < krzee> you in a freebsd jail or some other way you are unable to use /dev/random or /dev/urandom? 15:37 < mib_oyzxjo> i don't know 15:37 < krzee> you dunno your system? 15:37 < mib_oyzxjo> i just using ubuntu 15:38 < krzee> get in as root 15:38 < mib_oyzxjo> which mean what i have to do ? 15:39 < mib_oyzxjo> i m newbies 15:39 < mib_oyzxjo> i just following this tutorial http://doc.ubuntu-fr.org/openvpn 15:39 < krzee> learn how to use your operating system 15:39 < vpnHelper> Title: openvpn - Documentation Ubuntu Francophone (at doc.ubuntu-fr.org) 15:39 < mib_oyzxjo> you mean i have to launch that command as a root ? 15:39 < mib_oyzxjo> is it ? 
15:40 < krzee> [15:38] get in as root
15:40 < krzee> correct
15:40 < mib_oyzxjo> sorry i misunderstood
15:40 < krzee> be root
15:40 < mib_oyzxjo> well
15:40 < mib_oyzxjo> k
15:40 < mib_oyzxjo> i just try
15:43 * ecrist considers mibbit ban
15:48 < mib_oyzxjo> thx krzee
15:48 < mib_oyzxjo> it working
15:48 < mib_oyzxjo> now
15:48 < mib_oyzxjo> thx a lot krzee
15:48 < krzee> np
15:52 -!- mib_oyzxjo [i=52e6d07c@gateway/web/ajax/mibbit.com/x-f0ac0f47614287e7] has quit ["http://www.mibbit.com ajax IRC Client"]
16:10 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
16:11 -!- mib_vmz0uw [i=52e6d07c@gateway/web/ajax/mibbit.com/x-46b81c574432a31c] has joined ##openvpn
16:11 < mib_vmz0uw> hi
16:11 < mib_vmz0uw> there
16:12 < mib_vmz0uw> my connection was lost
16:12 < mib_vmz0uw> last time
16:13 < mib_vmz0uw> i can't able to connect to openvpn server
16:13 < mib_vmz0uw> and this the log
16:13 < mib_vmz0uw> http://paste.ubuntu.com/132698/
16:18 < mib_vmz0uw> hello
16:18 < mib_vmz0uw> is there anyone here ?
16:19 < Bushmills> you are
16:19 < mib_vmz0uw> thx
16:19 < mib_vmz0uw> you too
16:19 < mib_vmz0uw> well
16:20 < mib_vmz0uw> do you see my problem
16:20 < mib_vmz0uw> my openvpn server is in listening mode
16:20 < mib_vmz0uw> i can ping to my server
16:20 < mib_vmz0uw> but the client can't connect to the server
16:22 < mib_vmz0uw> helllllllllo
16:22 < mib_vmz0uw> r u still there ?
16:23 < krzee> are you joking?
16:23 < krzee> Tue Mar 17 22:03:09 2009 us=848000 Cannot load certificate file client1.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
16:24 < krzee> your cert file isnt where you said it was
16:24 < krzee> Cannot load certificate file client1.crt: ... No such file or directory
16:24 < mib_vmz0uw> no the file i was put it
16:25 < mib_vmz0uw> on my windows mobile 6 device
16:25 < krzee> well either its in the wrong location or you have the wrong location in your config
16:25 < mib_vmz0uw> \Program Files\OpenVPN\config\
16:25 < krzee> but thats your problem
16:28 < mib_vmz0uw> there \Program Files\OpenVPN\config\ i got 4 files : ca.crt client1.crt client1.key and the sfr.ovpn files
16:29 < mib_vmz0uw> then how it can say there is no file
16:29 < mib_vmz0uw> i can't understand really
16:29 < krzee> it must not be looking there
16:30 < krzee> try adding cd \Program Files\OpenVPN\config\
16:30 < mib_vmz0uw> so where i have to put
16:30 < krzee> [16:30] try adding cd \Program Files\OpenVPN\config\
16:30 < krzee> into the config file
16:31 < mib_vmz0uw> as i say there : \Program Files\OpenVPN\config\ i got 4 files : ca.crt client1.crt client1.key and the sfr.ovpn files
16:31 < krzee> do what i said, or dont
16:31 < krzee> up to you
16:32 < mib_vmz0uw> so sorry i don't understand u
16:33 < krzee> add this to your config file
16:33 < krzee> (ovpn file)
16:33 < krzee> cd \Program Files\OpenVPN\config\
16:35 < ecrist> /mode ##openvpn +b *@gateway/web/ajax/mibbit.com/*
16:35 < mib_vmz0uw> plz wait
16:37 < mib_vmz0uw> this is the actual client configuration file
16:38 < mib_vmz0uw> i just move all the four files : ca.crt client1.crt client1.key and the sfr.ovpn files to \Program Files\OpenVPN\config\
16:38 < mib_vmz0uw> done
16:38 < mib_vmz0uw> then
16:39 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
16:39 < podman99a> hey all ... is openVPN compatible with the Vista/XP VPN Client
16:40 < podman99a> !howto
16:40 < vpnHelper> podman99a: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:44 < mib_vmz0uw> hello
16:44 < podman99a> hi?
16:46 < mib_vmz0uw> no thaaat was for my question*
16:47 < podman99a> ah ... yea seems a little quiet in here
16:48 < mib_vmz0uw> r u from europe
16:48 < krzee> mib_vmz0uw, im going away to do some things
16:48 < krzee> but i recommend you learn how to use computers before you try openvpn
16:48 < krzee> adios
16:49 < mib_vmz0uw> i m so
16:49 < mib_vmz0uw> sorrrrrrrrry
16:49 -!- mrcerulean [n=chris@adsl-69-232-76-240.dsl.sndg02.pacbell.net] has joined ##openvpn
16:49 < mib_vmz0uw> i just understand your question
16:50 < mib_vmz0uw> i just not understand your question
16:50 < mib_vmz0uw> that's don't say me to how to use computer
16:51 < mrcerulean> Good afternoon. I'm trying to get OpenVPN up and running and I'm 98% of the way there (I think). I can connect to the remote box and ping both the tun IP and the real IP. I cannot ping past it, though. http://pastebin.com/m5aad014e is my openvpn.conf and my iptables.
16:51 < mrcerulean> I'm sure this is something simple...
16:51 < mrcerulean> :)
16:51 < mib_vmz0uw> if u make sentence i can better understand
16:55 < hads> mrcerulean: ip_forward?
16:55 < mrcerulean> Urgh
16:55 < mib_vmz0uw> i m at the final i dont
16:56 < mib_vmz0uw> i m at the final step and noone dont want to help
16:56 < mib_vmz0uw> me`u`u`u`u`u`u
16:56 * mrcerulean slaps himself
16:56 < hads> It's always something simple you forget :)
16:57 < mrcerulean> That shouldn't require a restart, right?
16:57 < hads> Nope
16:57 < mrcerulean> Still no joy...
16:58 < mrcerulean> hads: Although, we now know that ip_forward is set. :D
16:59 -!- mib_vmz0uw [i=52e6d07c@gateway/web/ajax/mibbit.com/x-46b81c574432a31c] has quit ["http://www.mibbit.com ajax IRC Client"]
16:59 < mrcerulean> I can also ping *back* from the OpenVPN box to the tun device on my Windows machine.
17:00 < mrcerulean> What should the route command in the client configuration file look like?
17:00 < hads> You setup routing on the default gateway?
17:01 < mrcerulean> hads: Yes.
17:01 < mrcerulean> hads: errr... no.
17:01 < hads> !route
17:01 < vpnHelper> hads: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:02 < mrcerulean> hads: There are routes there--I assume they were automagically set up?
17:03 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn
17:04 < hads> Sorry, I have to get back to work now.
17:04 < mrcerulean> hads: I do a push route, which is not the same as an iroute, I'm guessing...
17:04 < mrcerulean> Thanks for the help!
17:08 -!- mode/##openvpn [+o ecrist] by ChanServ
17:08 -!- mode/##openvpn [+b *!*@gateway/web/ajax/mibbit.com/*] by ecrist
17:08 -!- mode/##openvpn [-o ecrist] by ecrist
17:10 < ecrist> sorry mibbit users, but signal to noise is too high.
17:11 < hads> heh
17:14 < ecrist> sweet! just bought a dell 1850 from someone off CL for $200. it's got 2 more years of on-site service left.
17:14 * ecrist does a little dance.
17:15 < ecrist> 4GB RAM, dual-core Xeon 2.8GHz, 2x73GB 15K drives, PERC 4e/Si. only one power supply though
17:16 < ecrist> lol, another power supply is only $29.99 on ebay.
17:16 -!- mepholic_ [n=what@hydra.weserv.in] has quit [Remote closed the connection]
17:16 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn
17:26 < krzee> for 200~?
17:26 < krzee> ~?
17:26 < krzee> !?
17:26 < vpnHelper> krzee: Error: "?" is not a valid command.
17:26 < krzee> damn
17:27 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
17:27 < ecrist> krzee: yeah, he asked $250, I offered $200 cash (before he was here, it's a dick move to change the price when you're already there)
17:27 < ecrist> that Xeon is 64-bit, too. :)
17:31 < CybDev> that's quite nice ecrist
17:31 < ecrist> I'm thrilled. :)
17:31 < ecrist> hoping to have it running tonight. will take a couple weeks to get everything migrated over I want to move.
17:46 -!- soberbit-work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
17:49 < mrcerulean> OK. After my connection is set up, I have an IP of 10.10.91.6. My route goes to 10.10.91.5. Where is this device?
17:50 < ecrist> virtual. it's the other end of your ptp tunnel
17:50 < mrcerulean> Yes, but it doesn't show up in ifconfig...
17:51 < mrcerulean> And I cannot ping it from either end.
17:52 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
17:53 < podman99a> !howto
17:53 < vpnHelper> podman99a: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:56 < mrcerulean> podman99a: The HOWTO got me this far. :)
17:57 < krzee> !/30
17:57 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
17:59 < mrcerulean> OK. My problem appears to be that traffic is not being routed back. The HOWTO states that the gateway device on the LAN (server side) needs to have a route back to the TUN device (which makes sense). What if I don't have access to change the routes on the gateway device?
17:59 < krzee> mrcerulean, if its really bothering you you can use 2.1 and topology subnet
17:59 < krzee> !topology
17:59 < vpnHelper> krzee: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:59 < krzee> mrcerulean, see the bottom of this:
17:59 < krzee> !route
17:59 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
18:00 < krzee> in fact read it all
18:00 < krzee> it explains everything you need to know about connecting lans behind openvpn
18:01 < mrcerulean> Yes. So. Because I have a route on the OpenVPN box itself, I can talk to that box. But because I don't have a route on the LAN gateway, I cannot talk past that box.
18:01 < mrcerulean> Makes perfect sense.
18:02 < mrcerulean> Can I use the OpenVPN box as a NAT device for the LAN?
18:04 < mrcerulean> OK.
18:04 < krzee> you mean as the default gateway?
18:04 < mrcerulean> I confirmed that that's the problem by adding a route to another box on the inside.
18:04 < mrcerulean> krzee: Basically, is there a configuration that I can use where I don't have to add a route to the entire LAN?
18:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:05 < Chrnos> so the topology feature is on version 2.0.9 ?
18:05 < Bushmills> mrcerulean, it is possible. i do that.
18:06 < Bushmills> simply set default route to vpn device. enable NAT on the server side.
18:09 < mrcerulean> So, Bushmills, set the default route to the TUN device on the client side, then enable NAT on the server side?
18:10 < Bushmills> right
18:11 < Bushmills> you may need to add an extra route to the server, and not relying on it being connectable through the default route
18:11 < Bushmills> (which will be over vpn ...)
18:13 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
18:13 < mrcerulean> Bushmills: How do I change the default route on the client side?
18:13 < mrcerulean> Bushmills: Sorry for the silly question...
18:13 < Bushmills> man route
18:14 < mrcerulean> Oh.
18:14 < mrcerulean> You mean change it on the OS level, not the OpenVPN configuration level...
18:14 < Bushmills> right
18:15 < Bushmills> unless ecrist finds that too complicated, in that case he probably knows how to do that with openvpn alone
18:16 < mrcerulean> Bushmills: The problem is that I'm sending this out to non-technical folks for setting up on their Windows machines. Doing it with the client configuration file is preferable. However, I've requested that the route be added to the LAN gateway. If that happens, we'll be good.
18:17 < Bushmills> i have zero windows exposure
18:17 < mrcerulean> Bushmills: You are a lucky, lucky man.
18:18 < Bushmills> i suppose windows has a man command too
18:18 < mrcerulean> Well, yes. And I can certainly set up *my* box. But non-technical users may have issues.
18:19 < Bushmills> well, set it up for them and charge them for it.
18:19 < mrcerulean> I like the way you think... :)
18:19 < Bushmills> as windows users they're supposed to be used to getting charged
18:23 < Bushmills> oh. thinking of it, i must amend my "zero exposure". i have been playing a network first person shooter, not more than 4 weeks ago.
18:38 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
18:38 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit]
18:38 -!- Traveler5 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
18:39 -!- Traveler5 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit]
18:39 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
18:39 -!- Traveler8 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has joined ##openvpn
18:39 -!- Traveler8 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Client Quit]
18:45 -!- Traveler3 [n=traveler@bgl93-3-82-230-208-124.fbx.proxad.net] has quit [Remote closed the connection]
19:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
19:15 -!- arag00rn [n=arag00rn@albert.ip6.smallunix.net] has joined ##openvpn
19:18 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has left ##openvpn ["Ex-Chat"]
19:58 -!- arag00rn [n=arag00rn@albert.ip6.smallunix.net] has quit ["leaving"]
20:22 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
20:22 < ecrist> mrcerulean: you want --redirect-gateway in the server config
20:23 < ecrist> it's covered in the man page. total option is 'redirect-gateway def1' if I remember correctly.
20:23 < ecrist> make sure you've got NAT and/or proper routing setup for your VPN subnet on the VPN server, or things will break horribly.
21:06 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
21:06 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn []
21:07 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
21:32 < mrcerulean> ecrist: Is that done on the client side?
21:38 < mrcerulean> ecrist: That works when set client side. Now all traffic is routing over the VPN, which works for me. Out of curiosity, is there a setting that would only direct LAN traffic out TUN?
21:41 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
21:42 < ecrist> mrcerulean: the redirect-gateway option can be either server or client, but the NAT and routing needs to be on the other end.
21:45 < mrcerulean> ecrist: I put it on the client side and set NAT and routing on the server and all is happy.
21:47 < ecrist> glad to hear.
21:47 < ecrist> usually that option is set on server side, but as long as your server is setup for it, you're good to go.
21:50 < mrcerulean> ecrist: What I'm trying to avoid is having the (non-technical) Windows users do anything other than double-click the task tray icon. :)
21:54 < ecrist> unless there are users whom you *don't* want to redirect all traffic for, I'd put the directive in the server config
21:58 < mrcerulean> ecrist: But if I put the directive in the server config, won't I have to set routes on the client side?
22:27 < onats1> anyone heard of DNS tunneling? OT
22:31 -!- nemysis [n=nemysis@163-19.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
22:33 -!- nemysis [n=nemysis@149-63.107-92.cust.bluewin.ch] has joined ##openvpn
22:59 -!- mrcerulean1 [n=chris@ppp-71-137-137-32.dsl.sndg02.pacbell.net] has joined ##openvpn
22:59 -!- mrcerulean [n=chris@adsl-69-232-76-240.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
23:25 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)]
23:34 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:43 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:44 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn
23:49 < ecrist> yep
23:50 < ecrist> there was an article on hackzine today or yesterday. also covered ICMP tunnelling, iirc.
23:50 * ecrist looks for a link
23:52 < ecrist> http://thomer.com/howtos/nstx.html and http://thomer.com/icmptx/ (respectively). The hackzine article is at http://blog.makezine.com/archive/hacks/
23:52 < vpnHelper> Title: NSTX (IP-over-DNS) HOWTO (at thomer.com)
23:52 < ecrist> mrcerulean1: not sure what you mean, but nothing special I'm aware of.
23:54 < Kurogane> Hello i have a problem with a vpn inside vpn i have *high* latency between the server and users outside vpn i got normal latency here my "network infrastructure" http://img4.imageshack.us/img4/6082/lann.jpg and here my config http://pastebin.com/d5775b24c
23:59 < ecrist> I don't understand your graphic
23:59 < ecrist> what version of openvpn are you running?
--- Day changed Wed Mar 18 2009
00:04 < Kurogane> beta
00:04 < Kurogane> tested beta and stable and same
00:04 < onats1> ecrist, thanks!
00:06 < onats1> is there a quick way to test this assuming im not in an airport?
00:14 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
00:20 < ecrist> onats1: nothing i'm aware of after a few rum and cokes
00:20 < hads> Block all traffic except DNS
00:21 -!- znoG [n=gs@host167.190-31-166.telecom.net.ar] has joined ##openvpn
00:21 < znoG> howdy
00:21 < ecrist> hi
00:22 < znoG> i've got an issue with openvpn i was hoping you guys might know what the deal is .. i've got my local lan on 192.168.1.0/24 .. then my gw on 192.168.1.254 .. there is just one remote host on 192.168.1.200 that I want to access over the VPN so I want the router (192.168.1.254) to respond (or proxy) the arp over the tunnel so that hosts on my local lan can access 192.168.1.200.
00:22 < znoG> Any ideas?
00:23 < znoG> ideally the remote lan and the local lan would be on different subnets, but unfortunately thats not the case.
00:23 -!- mrcerulean1 [n=chris@ppp-71-137-137-32.dsl.sndg02.pacbell.net] has left ##openvpn []
00:23 < ecrist> that's fine, using bridged VPN (aka tap)
00:23 < znoG> ah, im using tun
00:23 < znoG> i think
00:24 < ecrist> aye, tap is more complicated, so tun is often recommended and used.
00:24 < znoG> yep tun
00:24 < ecrist> also, I would caution you against the subnet you're currently using
00:24 < znoG> how i'm doing it right now is adding a static route on the machines that need access to .200 to go via the gw
00:24 < ecrist> it's WAY too common on residential and business gateways by default
00:25 < znoG> yeah, i agree, problem is I can't change the subnet on either end or there would double nat everywhere
00:25 < znoG> they use 192.168.1.x here, so i would have to make my switch 10.0.0.x or whatever
00:25 < znoG> which means double nat to get out to the net
00:26 < ecrist> naw, you can use two NATs without actually being true double NAT
00:26 < znoG> ok i'll go with your suggestion and change my local subnet
00:27 < ecrist> think about it. one VPN subnet NATs to the internet, but is true IP to the other VPN subnet, even though the second VPN subnet also NATs to the internet. both NAT'd, but not actually double-NAT.
00:28 < Kurogane> so ecrist you have idea what causing my problem?
00:28 < ecrist> unless one is using the other for actual internet access, which means you've got more broken than you think. ;)
00:29 < ecrist> Kurogane: not aware of a current beta, and I still don't understand your graphic, or what problem you're having
00:31 < Kurogane> what part not understand?
00:31 < ecrist> any of it.
00:31 < ecrist> what version of software are you using, and explain your problem
00:32 < Kurogane> i'll try to summarize all
00:37 < Kurogane> if you see my crappy graphic there are server vpn and 3 pc, when pc1 connect to server vpn and ping the 'internal ip server' in this case 10.8.0.1 i got high latency (as see in graphic) in the same pc1 if i ping the external (public ip) i got low latency between pc1 and server and if i ping between clients i have also have high latency if i ping normal (public ip) in the clients. the version i using is 2.09 client and server too
00:38 < Kurogane> hope now understand me =/
00:39 < Kurogane> in little word inside vpn i got high latency
00:47 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
00:57 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has joined ##openvpn
00:59 < Asymmetry> Having a little bit of a routing issue. Two subnets: LAN is 10.1.1.0/24, and VPN is 10.1.2.0/24. When connected to VPN, 2.0 can talk to 1.0, but not the other way around. How would I configure my routing, and where would I do so?
01:01 < onats1> Asymmetry, i think you have to add something like this: push "route 10.0.1.0 255.255.255.0"
01:01 < onats1> on server config..
01:01 < onats1> can you try it?
01:01 < onats1> and "client-to-client "
01:01 < Asymmetry> onats1, Would the route argument be the LAN network, or the VPN?
01:02 < onats1> Asymmetry, the 10.0.1.0 in my case is my LAN behind the server
01:03 < onats1> wait, which one can't ping again?
01:03 < Asymmetry> onats1, VPN clients can talk to LAN systems. LAN systems can NOT talk to VPN clients.
01:03 < onats1> ahhh
01:03 < onats1> hold on
01:04 < onats1> i have something like this on my config:
01:04 < onats1> iptables -I FORWARD 1 --source 10.0.66.0/24 -j ACCEPT iptables -I FORWARD -i br0 -o tun0 -j ACCEPT iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
01:04 < onats1> where 10.0.66.0 is the VPN Client's subnet..
01:05 < onats1> so i think you have to add some routes on your router/server...
01:05 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
01:05 < onats1> to forward requests to your client subnet to an interface or gateway..
01:06 < onats1> i'm not sure though.. i did my setup last year, and am almost forgetting it..
01:06 < onats1> did it work?
01:07 < Asymmetry> Can I add that iptables line to my server config, or do I have to enter it manually?
01:08 < onats1> i dont think you can add it in the server config. that lines on my device are in startup scripts.
01:09 < Asymmetry> Alright.
01:10 < onats1> please do tell me if it worked
01:18 -!- simplechat_ is now known as simplechat
01:22 < onats1> Asymmetry, did it work?
01:22 < Asymmetry> onats1, Unfortunately, no. I'm digging a little more into iptables.
01:22 < onats1> wait
01:24 -!- onats1 is now known as onats
01:35 < onats> Asymmetry, can you do a traceroute to your VPN client's IP?
01:35 < onats> and tell me where it stops?
01:36 < Asymmetry> onats, It never gets anywhere with it.
01:36 < Asymmetry> I just get timeouts on all hops.
01:37 < onats> where are you pinging it from?
01:37 < onats> from LAN client?
01:37 < Asymmetry> onats, One of them, yes.
01:37 < onats> it should at least get to your gateway
01:38 < onats> where's your VPN server located anyway?
01:38 < onats> is it another device on your LAN?
01:38 < onats> or on the same device as router/gateway?
01:39 < Asymmetry> Another device
01:48 < onats> then i think your router has to have some routes to push all requests to 10.1.2.0 (vpn subnet) to that other device
01:50 < Asymmetry> I've tried that. :P I have a route set up to forward everything for the 10.1.2 subnet to the 10.1.1.2 machine. 10.1.1.2 is the IP of the LAN-side interface of the server that it's on.
01:51 < onats> and then do a traceroute from there
01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:51 < onats> it should go to your gateway, then to your 10.1.1.2
01:52 < onats> then from 10.1.1.2, you have to have a route to the interface which was assigned to the VPN...
01:52 < onats> that's how i understand it
01:54 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has quit [Read error: 104 (Connection reset by peer)]
01:54 < onats> lol
01:54 < onats> what happened
01:54 < onats> ecrist, you there?
01:54 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has joined ##openvpn
01:57 < onats> what happened?
01:58 < Asymmetry> onats, It don't work. :D
02:00 < onats> what didn't work first
02:00 < onats> were you able to traceroute?
02:03 < Asymmetry> No.
02:05 < Asymmetry> onats, here's how it's set up:
02:05 < Asymmetry> Router: Dest - 10.1.2.0, gateway - 10.1.1.2
02:06 < Asymmetry> Server: Dest - 10.1.2.0, gateway is the local system
02:06 < Asymmetry> onats, I'm going to get some sleep, and work on this some more tomorrow.
02:06 < onats> ayt
02:06 < onats> good luck
02:07 -!- Asymmetry [n=jcoffman@adsl-69-149-18-84.dsl.rcsntx.swbell.net] has quit [Read error: 131 (Connection reset by peer)]
03:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
04:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:06 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
06:21 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
06:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
06:46 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 101 (Network is unreachable)]
07:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
07:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:07 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
08:43 -!- fbond [n=fab@pool-64-223-124-145.burl.east.verizon.net] has quit ["leaving"]
08:48 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
08:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:56 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:01 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
09:24 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:59 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success]
10:09 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn
10:13 < jul_> hello, i have this error, anybody can explain me what is it ? MULTI: bad source address from client [10.0.0.40], packet dropped
10:20 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
10:21 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
10:21 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: simplechat
10:27 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn
10:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
10:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:52 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
11:01 -!- Gumbler is now known as Gumbler|NotHere
11:01 -!- Gumbler|NotHere is now known as Gumbler
11:24 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:55 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Read error: 104 (Connection reset by peer)]
12:08 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"]
12:46 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
13:05 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
13:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:47 < ecrist> I'm here now...
14:36 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
15:03 -!- skx [i=skx@unaffiliated/skx] has joined ##openvpn
15:03 < skx> Hello, I am trying to configure openvpn server on Debian and when I change server 10.8.0.0 255.255.255.0 to server 172.17.29.0 255.255.255.0 clients cannot access the Internet (as in other machines than the openvpn server) through the vpn
15:03 < skx> there is some NAT autoconfigured somewhere probably
15:03 < skx> where to look
15:03 < skx> ?
15:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:10 -!- pmguy [n=ekjsdm@c-24-5-243-180.hsd1.ca.comcast.net] has joined ##openvpn
15:10 < pmguy> i have a question about openvpn and virtual machines
15:13 -!- skx [i=skx@unaffiliated/skx] has left ##openvpn []
15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:19 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
15:20 < podman99a> hey all... suffering of noob syndrome... have my VPN connection active however unable to access the internet through it or the rest of the lan behind the host machine?
15:20 < podman99a> in simple terms or .ovpn samples?
15:24 < podman99a> !route
15:24 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:29 < pmguy> !virtual machine
15:29 < vpnHelper> pmguy: Error: "virtual" is not a valid command.
15:29 < pmguy> !VM
15:29 < vpnHelper> pmguy: Error: "VM" is not a valid command.
15:29 < podman99a> Umm... thats brill for my local lan however I want to send ALL traffic through the connected VPN internet/remote lan ?
15:35 < podman99a> maybe im not explaining it correctly?... config examples/requirements for client->Server->Lan/World ??
15:37 < Bushmills> podman99a, set up NAT/masquerading on the server. NAT the traffic from your VPN device
15:38 < Bushmills> just the same you'd do if it was a wire connection
15:44 < podman99a> Bushmills, problem is i have no idea where to look for that info .... its getting my head around the initial connection to the lan... i cant/couldnt even ping my server, however think i had ip addressing all wrong....
15:45 < Bushmills> podman99a, iptables
15:45 < podman99a> winblows
15:45 < podman99a> just to throw a spanner in the works and only 1 interface
15:45 < Bushmills> doesn't have windows something comparable?
15:46 < reiffert> podman99a: netfilter.org documentation, nat howto, chap 4.2 "I just want masquerading. help!"
15:46 < reiffert> ah, windows. sorry.
15:47 < reiffert> http://technet.microsoft.com/en-us/library/bb457077.aspx
15:47 < vpnHelper> Title: Overview of Network Address Translation (NAT) in Windows XP (at technet.microsoft.com)
15:47 < podman99a> lovely people... now ill prob lose u when i try and connect... so ill load these links ... do some test and play for a bit... before i come back crying
15:47 < Bushmills> or does windows still use ipchains?
15:48 < reiffert> oh maybe http://www.google.de/search?q=windows+nat+service&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
15:48 < vpnHelper> Title: windows nat service - Google-Suche (at www.google.de)
15:48 < podman99a> so would i be better off moving my OVPN server to a nix box so i can use IP tables for routing?
15:49 < podman99a> i can do ip tables... lol
15:49 < reiffert> probably.
15:49 < Bushmills> reiffert, if i don't count FPS playing, last time i was exposed to windows was when we uploaded the GPS maps from your windows box to my GPS
15:50 < podman99a> easier to log i presume
15:50 < reiffert> easier to anything.
15:50 < Bushmills> that's so long ago, there could be iptables in windows by now :D
15:50 < reiffert> reliable.
15:50 < reiffert> working.
15:55 < podman99a> just finding a spare box i can break in my rack... when i have played ill be back... THANKS so far ... lots of great ideas
16:00 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
16:04 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
16:06 < ecrist> evening, folks
16:27 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Read error: 110 (Connection timed out)]
17:03 -!- iMatter [n=iMatter@unaffiliated/imatter] has joined ##openvpn
17:03 < iMatter> Im having errors with OpenVPN
17:04 < iMatter> it keeps asking me to source the vars file
17:04 < iMatter> i did it and now when i do ./clean-all it just gives me the warning
17:04 < iMatter> i tried the ./build-ca but its telling me to source the vars file
17:05 < iMatter> !howto
17:05 < vpnHelper> iMatter: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:41 -!- pmguy [n=ekjsdm@c-24-5-243-180.hsd1.ca.comcast.net] has quit []
17:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
18:00 < ecrist> iMatter: those issues are with easy-rsa
18:00 < ecrist> to source the vars file, if you're using bash, use the command
18:00 < ecrist> . ./vars
18:00 < ecrist> or source ./vars
18:00 < iMatter> did that
18:00 < iMatter> a couple times..
18:01 < ecrist> that's all you gotta do
18:01 < iMatter> same error thing
18:01 < iMatter> when i try anything else
18:06 < ecrist> what shell are you using?
18:18 < iMatter> bash
18:18 < iMatter> well the default one on Ubuntu 8.04
18:31 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
18:31 < podman99b> hey all... when i connect to my VPN server (New Setup) i get a default gateway of 10.8.0.5, however my servers IP (which i can ping) is 10.8.0.1 ?? how can i set the correct gateway?
18:47 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
19:29 -!- iMatter [n=iMatter@unaffiliated/imatter] has left ##openvpn ["Ex-Chat"]
19:30 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
19:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:56 -!- nemysis [n=nemysis@149-63.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
19:57 -!- nemysis [n=nemysis@173-48.3-85.cust.bluewin.ch] has joined ##openvpn
20:00 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
21:17 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
21:24 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
22:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
23:07 -!- eliasp_ [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
23:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:23 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:26 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 54 (Connection reset by peer)]
23:26 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:26 -!- Kurogane [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:30 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:30 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:36 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:37 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
23:41 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 104 (Connection reset by peer)]
23:41 -!- Chrnos [i=Kuro@190.53.8.79] has joined ##openvpn
--- Day changed Thu Mar 19 2009
00:40 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
01:13 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:41 -!- Chrnos [i=Kuro@190.53.8.79] has quit [Read error: 110 (Connection timed out)]
01:41 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has joined ##openvpn
01:47 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has quit [Read error: 104 (Connection reset by peer)]
01:47 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has joined ##openvpn
01:54 < reiffert> Chrnos: fix your client please.
02:01 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:09 -!- Chrnos [n=Kuro@plcbackup.powerlayer.net] has quit [Read error: 110 (Connection timed out)]
02:16 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has joined ##openvpn
02:18 -!- betabot is now known as simplechat_
02:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:58 -!- tjz [n=tjz@bb116-14-182-232.singnet.com.sg] has quit ["bbl"]
03:25 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
03:32 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
03:33 < podman99a> hey all... how can i set my gateway on my clients to the correct IP, my VPN server is 10.8.0.1 however my client gets assigned a gateway of 10.8.0.5
03:42 < podman99a> to help assist here are my configs / ipconfig from my winblows client
03:45 < podman99a> and here is my route? 192.168.239.0 255.255.255.0 10.8.0.5 10.8.0.6 30
03:45 < podman99a> the ip of 10.8.0.5 does not exist?? how can i change that assignment? or make it exist
03:50 < hads> !/30
03:50 < vpnHelper> hads: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
03:50 < podman99a> hads is that for me?
03:50 < hads> Ya
03:50 < podman99a> thanks
03:50 < hads> np
03:53 < mjt> damn that fake ip on the server to which routes are assigned.. the p2p one... I wonder how to make it to respond to pings...
03:54 < podman99a> hads, so i should be able to see the remote lan then ?... just i cant ping that gateway which now makes sense... time to check my routing is correct .. Thanks
03:54 < podman99a> !route
03:54 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:56 < podman99a> Oops! This link appears broken. ... damn was working yesterday
03:56 < podman99a> google cache rocks
04:03 < podman99a> yea still unable to ping my remote lan ... 192.168.239.100 is a server i know exists
04:07 < mjt> . o O { tcpdump }
04:07 < podman99a> can someone please check that paste bin then slap me up a little.... im unable to access remote stuffs like i would expect
04:08 < podman99a> 09:08:14.544307 IP 10.8.0.6 > 192.168.239.100: ICMP echo request, id 1, seq 23014, length 40 .... but no response
04:08 < mjt> does it arrive on the other end?
04:09 < mjt> ie, follow the path and see where it breaks.
04:09 < podman99a> tracert ?
04:09 < mjt> tcpdump
04:09 < mjt> tcpdump -npi $interface proto ICMP
04:10 < mjt> unless... your other machine is windows.
04:10 < mjt> in which case it becomes more complicated.
04:10 < podman99a> my client is winblows server is ubuntu
04:11 < mjt> well, there is windump but i failed to run it a few times i tried.
04:11 < mjt> <== not a 'doze expert....
04:11 < podman99a> ah ... HANG ON..... ok... let me explain...
04:12 < podman99a> my vpn server is assigned an internal lan IP of 192.168.239.200 (I can ping this and get responses)... however my exchange server is on the same remote lan with 192.168.239.100 and im unable to ping that.
04:12 < mjt> no... i'll go eat something first... ;)
04:13 < podman99a> hehe its only other hardware within the remote lan i cant access the server is ok but nothing else works... this is something simple however thats why i cant do it lol
04:30 < Bushmills> mjt> does it arrive on the other end?
04:33 < podman99a> the ping request gets to the vpn server but goes no further
04:47 < dazo> podman99a: check your routing and firewall ... also on the clients you try to reach on the other network (via VPN)
04:48 * dazo did a read-up
04:49 < dazo> podman99a: are you saying that ping packets from vpn-client -> vpn-server -> exchange server ... goes fine, from exchange server -> vpn-server, goes also fine ... but from vpn-server -> vpn-client fails?
04:49 < dazo> podman99a: if that's the case, you either have a routing and/or firewall issue on the vpn server
04:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
04:56 < podman99a> only pinging from client to stuff..... so client->server (PING OK) ... client->Server->otherhost (Fails)
04:58 < podman99a> any posts for routing from the server to other stuffs ... im guessing iptables and route add ?
05:15 < dazo> podman99a: that's a classic routing and/or firewall issue (including wrong configured NAT)
05:16 < dazo> podman99a: you're guessing right ... remember that routes can also be set in openvpn configs as well
05:18 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
05:22 < podman99a> dazo, great news im not far from working ... however... any docs which would help me with my routing issues?
05:23 < dazo> podman99a: have you looked at !route?
05:23 < dazo> !route
05:23 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
05:23 < podman99a> thought u would say that ... lol... been through that several times and cant work it out... but ... if at first you dont succeed etc...
05:24 < hads> ip_forward
05:27 < dazo> podman99a: hads mentions something I had forgotten .... check if /proc/sys/net/ipv4/ip_forward is set to 1 ...
05:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:34 < podman99a> dazo, ip forwarding = 0
05:34 < dazo> podman99a: thats your problem
05:34 < dazo> podman99a: echo 1 > /proc/sys/net/ipv4/ip_forward
05:35 < dazo> podman99a: you might also want to edit /etc/sysctl.conf as well to enable it at boot time
05:36 < Bushmills> NAT: http://scarydevilmonastery.net/masq
05:37 < podman99a> Bushmills, mynet = (MY REMOTE LAN IP's).....
05:37 < podman99a> ?
05:37 < Bushmills> what are "remote LANs" ?
05:38 < Bushmills> lan = local area network
05:38 < podman99a> the VPN server side lan
05:38 < podman99a> not my client lan
05:40 < Bushmills> server does NAT for packets coming from MYNET
05:40 < podman99a> umm..... iptables v1.3.8: Couldn't load target `MASQUERAD':/lib/iptables/libipt_MASQUERAD.so: cannot open shared object file: No such file or directory
05:40 < podman99a> my bad on last error
05:41 < Bushmills> why don't you read what you typed (and spot possible mistakes) before you paste in her?
05:41 < Bushmills> here
05:41 < podman99a> i copied from that site... fixed now...
05:42 < Bushmills> well, it says " -j MASQUERADE" there
05:42 < podman99a> ok im guessing im missing a route somewhere as my pings from client hit the server but dont hit the lan
05:43 < dazo> podman99a: are you sure you really want MASQ? .... it's usually not needed at all for VPN to an internal network
05:44 < dazo> podman99a: and it adds just more complexity
05:44 < Bushmills> he wants to see networks behind the vpn server
05:44 < podman99a> im not sure what i need... all i know is packets are hitting Server and not going any further ... i need to able to access whole server lan from client
05:45 < Bushmills> there was mention of default route through vpn
05:46 < podman99a> my route on client says 192.168.239.0/24 > 10.8.0.5
05:47 < dazo> Bushmills: yeah, but that's no reason to add MASQ as well ... it's all about routing
05:48 < dazo> podman99a: is your openvpn server also the default gateway on your internal network?
05:49 < podman99a> yes through the virtual address of .5
05:49 < dazo> so your internal network uses .5 as default gateway ... and your openvpn server uses .5 on the internal interface?
05:50 < podman99a> no ... sorry just understood the lingo and changing default gateway on that interface.... as you can see... noob and 1st time setup
05:51 < dazo> podman99a: being a noob and first setup is no limitations for learning new things ;)
05:51 < podman99a> getting there... although now that machine has disappeared... whoops
05:52 < dazo> podman99a: okey ... in that case, since the default gateway is another host .... you need to add the VPN route on your default gateway, pointing at your openvpn box
05:52 < dazo> podman99a: so if your VPN network is 10.8.0.0/255.255.255.0 .... you'll need a route like this: route add -net 10.8.0.0 netmask 255.255.255 gw x.x.x.5
05:53 < dazo> and that route needs to be on your default gateway .... some routers do not like that, or do not process it properly ... and then you can work around that with just adding that route on your hosts which you want to be available via VPN
05:53 < podman99a> AHH.. ok any one know how to remove all routes .... ?
05:54 < podman99a> box not accessible from outside world... but works internal so need to remove routes and get back to working state
05:54 < dazo> podman99a: you'll need to pick them down one by one :(
05:55 < podman99a> iptables -L lists no routes
05:56 < dazo> podman99a: iptables do not do anything with routing ... that's firewalling
05:56 < dazo> podman99a: you need to look at the route command
05:57 < podman99a> yea ive removed routes by stopping openvpn but didnt resolve... am restarting networking and see if it comes back
05:57 < Bushmills> i suggest some reading up on networking, routing, and NAT in general
05:58 < dazo> Bushmills: using NAT in VPN .... is a horrible hack if you do not understand the basic concepts of routing
05:59 < dazo> podman99a: did you also remove your original default gw? That will stop resolving
05:59 < Bushmills> dazo, again, this is meant in combination with the vpn server also being meant as the wan gateway, and going there through default route
05:59 < podman99a> ok thats back up ... now to test routing
06:00 < dazo> Bushmills: if you want to redirect traffic from VPN and out "to the world" .... I agree, NAT is needed .... but for the traffic hitting the internal network from VPN, NAT should not be used at all, IMHO
06:02 < Bushmills> dazo, podman meant to connect to wan through the vpn server
06:02 < podman99a> ok so my server needs route to lan --- 192.168.239.0(Dest) - 10.8.0.2(gateway)
06:03 < Bushmills> at least, that was still the intention yesterday
06:03 < dazo> podman99a: let's get things clear now .... which network segments do you have ... and where?
06:04 < podman99a> Client 192.168.1.0/24 -- VPN Network 10.8.0.0/24 -- ServerNetwork 192.168.239.0/24
06:04 < dazo> podman99a: Client is the side of the VPN client?
06:04 < podman99a> yes
06:04 < dazo> podman99a: and you want the VPN client to access ServerNetwork only?
06:05 < dazo> via the VPN
06:05 < podman99a> yes (proxy will do rest later so no need for nat)
06:05 < dazo> podman99a: perfect
06:06 < dazo> podman99a: then you need on your default gateway .... route add -net 10.8.0.0 netmask 255.255.255.0 gw
06:07 < dazo> podman99a: if that route on your default gw do not work .... you will also need that route on your internal boxes which you want to be exposed for the VPN clients
06:08 < dazo> podman99a: on your VPN client ... in the config .... you can add this line: route 192.168.239 255.255.255.0 10.8.0.2
06:08 < dazo> whoops .... missing something
06:08 < dazo> route 192.168.239.0 255.255.255.0 10.8.0.2
06:09 < dazo> (I presume that 10.8.0.2 is the IP address which is the "other side" of the VPN tunnel on your VPN client)
06:10 < podman99a> those routes are in place as standard... i believe from my ovpn config
06:12 < podman99a> http://pastebin.ca/1365149
06:12 < podman99a> my routing when connected to vpn
06:16 < dazo> dr-peper is your openvpn server?
06:17 < podman99a> yea
06:17 < dazo> 192.168.239.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 <<--- then this route should not be there
06:17 < dazo> you don't want to route traffic aimed for your local network back to your VPN tunnel :)
06:17 < podman99a> ok, that im guessing is on the Server, so i need to remove that from the VPN server.conf file ?
06:19 < dazo> podman99a: probably, if that's where you added it
06:20 < dazo> podman99a: except for that, the routing seems fine .... you also most probably do not need this route on your server as well
06:20 < dazo> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
06:20 < dazo> if you do, that should be an iroute in the client config
06:25 < podman99a> that last route is for server to communicate with client ... i believe, in which case allows me remote access to connected clients from server ??
06:25 < podman99a> OHHHHH#
06:26 < dazo> podman99a: if you want to access the VPN client (initiate the contact) from the server side network ... then it needs to be an iroute in the client config to make it work
06:26 < podman99a> yea i have an iroute... and due to your pure genius i can ping network
06:26 < podman99a> now to try the other way
06:28 < podman99a> ok i cant get from server to my clients lan... which would be the iroute yea?
06:29 < dazo> podman99a: that's correct
06:30 < dazo> podman99a: but remember to also check your firewall settings on your openvpn client then
06:30 < podman99a> iroute 192.168.1.0 255.255.255.0 -<< is in my ccd/client1 file?
06:30 < dazo> podman99a: ahh ... almost
06:31 < dazo> podman99a: since that's on the server side .... you'll need to use push ...... push "iroute 192.168.1.0 255.255.255.0"
06:32 < dazo> podman99a: I initially meant in the config file on the physical openvpn client .... but by using push, you can push things to the client config from the openvpn server config
06:38 < podman99a> dazo, but is the server being able to see the client lan a routing thing for the server
06:39 < dazo> podman99a: need to run ... back in an hour
06:39 < podman99a> k thanks ... a great help... pleasure speaking to you
06:40 < dazo> podman99a: you will of course need to add extra routes on your default gw for the 192.168.1.0 ... and set your VPN server as the gateway
06:40 < dazo> podman99a: np! A pleasure to help!
06:50 < podman99a> ok... anyone else... this one less technical... lol... can i make openvpn connect to vpn server before login screen on windows 2k+ server ... as im going to try hosted AD
07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:06 < mjt> try running it as service
07:07 < mjt> (just enable it -- it's already there)
07:07 < podman99a> cool.... mjt, how can i give that client a static IP address through the VPN save using the vpn DHCP ... ccd/clien2 ..??
07:07 < ecrist> morning, kids
07:08 < mjt> podman99a: is it a question, or an answer?
07:08 < mjt> Hi ecrist
07:08 < ecrist> howdy
07:09 < podman99a> hopefully both ?
07:09 * mjt is fighting with IBM's support today...
07:19 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
07:21 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:46 -!- gebi [n=gebi@84-119-57-55.dynamic.xdsl-line.inode.at] has joined ##openvpn
08:46 < gebi> hi all :)
08:47 < gebi> how can i configure openvpn on the client side with auth-user-pass, but without pull
08:47 < ecrist> gebi: not sure what you mean, exactly
08:48 < gebi> with pull openvpn gets a wrong route setup from server and kills my internet connectivity
08:48 < gebi> but it says i need pull in order to use auth-user-pass
08:48 < gebi> can i somehow ignore the pushed routes from the server in openvpn?
08:52 < ecrist> don't think so.
08:55 < mjt> ecrist: btw, that 'node unreach' ICMP code is not being returned by openvpn (when the IP address belongs to some client but that client isn't connected)
08:56 < mjt> so someone has to write code to do that ;)
09:17 < ecrist> mjt: have at it. ;)
09:17 < CybDev> 'route-nopull'
09:18 < CybDev> read the manpage :-)
09:19 < gebi> CybDev: hm... nopull doesn't give a single match in http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
09:19 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
09:19 < CybDev> http://openvpn.net/index.php/documentation/manuals/openvpn-21.html
09:19 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
09:19 < CybDev> not in 20 no
09:20 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:21 < gebi> for 2.0 i've just started openvpn in his own namespace and changed the ip binary to a wrapper script which just returns true for every ip route invocation ;)
09:21 < gebi> CybDev: thx :)
09:21 < CybDev> you didn't say which version you were running :P
09:21 < gebi> np, it's easier to upgrade
09:22 < CybDev> i suppose so
09:28 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
09:33 -!- srg [n=srg@dsbg-4db5624d.pool.einsundeins.de] has joined ##openvpn
09:37 < ecrist> ugh, I hate building mail servers.
09:42 -!- srg is now known as SubZero273
09:56 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
10:03 < podman99a> wow all ... im back... bad news... lol
10:04 < podman99a> i am unable to route from my lan (vpn) to my client any ideas?
10:04 < CybDev> topic?
10:05 < podman99a> i think i need to set a default gateway for the 192.168.1.0 range however as my lan is winblows (in this case) setting up the route causes all kinds of errors mainly unable to create route
10:06 < dazo> podman99a: you should never ever change the default route unless you want all kinds of traffic through your tunnel
10:07 < podman99a> no ive left them alone since the 1st error.... so my box has a default ip of 213.146.186.xxx and secondary ip of 192.168.239.100, my client has an ip of 192.168.1.67, i can ping box from client but not other way
10:08 < dazo> podman99a: would you be willing to share your configs with us?
10:08 < dazo> !configs
10:08 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:08 < dazo> podman99a: both server (including --ccd's) and client
10:12 < podman99a> dazo: http://pastebin.ca/1365308
10:12 < podman99a> thanks loads
10:13 < CybDev> err
10:13 < dazo> podman99a: first comment ... in server config .... you have push "route 192.168.1.0 255.255.255.0" .... this will cause problems
10:13 < CybDev> you have route directives in the server conf?!
10:13 < dazo> podman99a: change that to push iroute
10:14 < dazo> CybDev: what's wrong about that? In many cases thats fine
10:14 < dazo> podman99a: I saw your iroute in addition .... just remove the first push route
10:14 < podman99a> dazo: removed now
10:14 < dazo> podman99a: and you must also remove the route 192.168.1.0 255.255.255.0
10:15 < podman99a> this is still server yea
10:15 < podman99a> k done
10:15 < dazo> podman99a: yes, in server
10:16 < dazo> okey ... now you can try and see how it works
10:16 < dazo> podman99a: sorry
10:16 < dazo> podman99a: you have one more issue ... the very last iroute in the config (line 33), remove that one too
10:17 < podman99a> k removed testing now
10:19 < CybDev> ah, my bad, i never thought of using it that way
10:19 < dazo> CybDev: np! :)
10:19 < podman99a> Client: ping OVPN Server OK -- ping InsideLan box OK
10:20 < podman99a> Server: Ping client FAIL -- InsideLan box ping client FAIL
10:20 < dazo> podman99a: so you cannot ping your internal LAN from your openvpn server?
10:20 < podman99a> yes internal lan can ping vpn server
10:20 < podman99a> internal lan cannot ping client
10:21 < CybDev> those windows boxes with the firewall enabled?
10:21 < podman99a> firewall off
10:21 < dazo> podman99a: also on the TAP interface in Windows?
10:21 < podman99a> completely
10:21 < podman99a> i hate windows firewall... never use it
10:21 < dazo> podman99a: so you are also saying that the openvpn server cannot ping your VPN client?
10:22 < dazo> podman99a: well ... in Windows you _should__definitely_ use it .......
10:22 < dazo> even if it's horribly inflexible ... but it's still better than nothing
10:22 < CybDev> unless you use some other software
10:22 < CybDev> how does openvpn like zonealarm and such?
10:23 < podman99a> my routes: http://pastebin.ca/1365311
10:23 < podman99a> to the outside world i have a cisco so no one gets in on anything other than std web ports... a patch for a bigger problem, but it works
10:24 < podman99a> only full access client is my office lan
10:24 < dazo> podman99a: your ovpn server routes looks very fine
10:25 < dazo> which IP address do you use to ping your client?
10:25 < podman99a> my client is 192.168.1.67 , which is my internal IP range,
10:25 < dazo> podman99a: can you try to ping the ovpn IP address the client have?
10:26 < dazo> from both openvpn server and the other internal LAN clients?
10:26 < podman99a> ovpn server OK, internal lan FAIL
10:26 < podman99a> 10.8.0.6 is what i pinged
10:27 < dazo> sounds good ... that means that your windows box do not route traffic from it's TUN/TAP device to the proper interface on your windows box ... that's probably why it doesn't work
10:28 < podman99a> windows box does not have tap device??... tap/tun is my ubuntu box
10:28 < podman99a> or are we talkin "client"
10:29 < podman99a> its the RC stuff from ovpn site... so hope so lol
10:29 < dazo> podman99a: sorry, the openvpn client yes
10:29 < podman99a> umm... fix?
10:29 < dazo> podman99a: what kind of OS do you have on your client?
10:30 < dazo> podman99a: somehow I thought it was Windows ... but I might be wrong
10:30 < podman99a> *COUGH* vista *COUGH*
10:30 < dazo> podman99a: yeah, I thought I had caught that already
10:31 < podman99a> TAP-Win32 Adapter V9
10:31 < dazo> podman99a: okey ... I'm not a windows person at all .... I've tried Vista 5-6 times in my life .... so I know close to nothing about it
10:31 < dazo> podman99a: you might want to try one thing
10:31 < podman99a> do tell...
10:31 < dazo> which I overlooked now
10:32 < dazo> dazo: run this command in a command line on your openvpn server: route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2
10:32 < dazo> and try pinging the 192.168.1.x address from the openvpn server
10:34 < podman99a> TCP dump shows the request but no reply
10:34 < dazo> podman99a: on which interface did you run tcpdump?
10:34 < podman99a> tun0
10:34 < podman99a> sorry on server not client that was
10:35 < dazo> podman99a: that's fine ... if you run tcpdump -i tun0 on the server .... and you see ICMP ECHO request going on the tunnel without response back .... it means that the routing on the openvpn server is correct
10:35 < dazo> podman99a: but Vista do not respond to it
10:35 < podman99a> bastards
10:35 < podman99a> lol
10:36 < podman99a> so would a tcpdump .. thing on windows help?
10:36 < dazo> podman99a: can you, just to be sure, try to ping the 192.168.1.67 (your Vista IP addr) on the Vista box?
10:36 < podman99a> replied
10:36 < podman99a> tap adapter im guessing?
10:36 < dazo> podman99a: maybe ... you could see what happens on both the TUN/TAP interface ... and on the eth0 of Vista
10:37 < dazo> podman99a: that's probably the right IP answering, the physical interface ... so that means ping is enabled on that IP addr ... that was what I tried to make sure was enabled
10:37 < podman99a> does it matter that in the advanced settings for the tap adapter have no mac address ... grasping at straws
10:38 < dazo> podman99a: nope, not important when you run in TUN mode
10:38 < podman99a> it does ne way just gui says it dont....
10:38 < dazo> podman99a: you'll need to figure out how to enable routing in vista
10:38 < podman99a> i can modify routes in vista
10:38 < dazo> podman99a: if you figure out that .... ping from openvpn server should work
10:39 < podman99a> what would i be looking to do ... route from 10.8.0.6 to 192.168.1.0
10:39 < dazo> podman99a: this is not a routing table issue ... this is to enable IP traffic forwarding, to be precise
10:39 < podman99a> ah oic
10:39 < dazo> podman99a: you have the needed routes ... so this is kind of a /proc/sys/net/ipv4/ip_forward setting for Vista, kind of
10:40 < podman99a> would bridging the 2 connections solve that ?
10:40 < podman99a> the tap and eth
10:42 < dazo> podman99a: that would be a solution ... but then you need to change your openvpn config to TAP
10:43 < dazo> podman99a: but that's more a hack around the proper solution ... but I also assume Vista can do basic routing
10:43 < podman99a> ah ... think i have found the enable routing in vista
10:43 < dazo> podman99a: what did you find?
10:45 < podman99a> et IPEnableRouter=0x01 in the registry HKLM\System\CurrentControlSet\Services\TCPIP\Parameters. Note: the default value is 0.
10:45 < podman99a> still no reply though
10:46 < podman99a> plodding on through google
10:46 < dazo> podman99a: that sounds right .... but you might need further help from Windows/Vista guru's now .... as I've said earlier, I'm not that .... I'm more deeper into Linux :)
10:49 < podman99a> no winbloz gurus in here then no? lol
10:50 < dazo> podman99a: there are some .... but I've forgotten who it was .... :-P
10:50 < podman99a> man that room sucks... ##windows seems antivirus nightmare.... why wont someone make evolution easily exchange compatible and id be using linux full time lol
10:52 < dazo> podman99a: evolution is not the evolution it should be .... more unstable than outlook, even without the exchange plugin .... but evolution can connect to exchange now, but I don't remember if the OWA must be enabled on the server
10:53 < podman99a> yea must be but ... its such a mission...
10:54 < dazo> podman99a: you have also the openexchange project too ... not sure about the progress though
10:54 < podman99a> dazo: sucks... too complex
10:54 < podman99a> dazo: exchange server has lovely interfaces and management tools (although slow) lol
10:55 < podman99a> AND NO ROUTING lol
10:55 < CybDev> screw exchange, use online collaboration tools instead :-)
10:55 < podman99a> comment of the day "if your using vista and know what ip routing is there is a problem"
10:55 < ecrist> this isn't #windows-bashing
10:56 < CybDev> no, #exchange-bashing !
10:56 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
10:57 < podman99a> ne way ... routing enable routing on vista... any vpn/windows nerds in
10:57 < ecrist> podman99a: what are you trying to do?
10:58 < podman99a> enable routing in vista... apparently i have to reboot ... so ill be back
10:58 < dazo> ecrist: ping from server to client's internal network is not replying
10:58 < podman99a> 2 mins peeps
10:59 < ecrist> has !route been referenced?
10:59 < dazo> ecrist: yes
11:00 < dazo> ecrist: I've helped him through the config ... all routes and config is sane now .... and tcpdump on openvpn server see the ICMP ECHO req on the tun0 interface, but no reply
11:00 < dazo> ecrist: and firewall is disabled
11:01 < CybDev> can you ping the pvn client from the lan computer at all?
11:01 < CybDev> *vpn
11:01 < CybDev> and to the lan interface, not the ip it gets on the tun interface
11:01 < ecrist> and the client LAN has a route for the VPN subnet?
11:02 < dazo> CybDev: podman99a tried to ping the VPN IP address from server and it answered .... from client pinging local net IP and VPN IP worked
11:02 < CybDev> what's the default gw on that LAN?
11:03 < dazo> ecrist: VPN client can ping servers behind the openvpn server
11:03 < CybDev> is it the vpn client, or some other box?
11:03 < dazo> CybDev: ^^
11:03 < ecrist> that's not what I asked.
11:03 < ecrist> do other computers on the client LAN have a route to the VPN?
11:03 < dazo> CybDev: default gateway issues should also be fixed and covered
11:03 < CybDev> is the lan computer using the vpn client as a default gw?
11:04 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit []
11:04 < dazo> ecrist: we're not that far .... seems his client is a roadwarrior .... but he wants network behind the openvpn server to access the openvpn client
11:04 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
11:05 < CybDev> that requires routes to be in place on the network behind the openvpn server
11:05 < dazo> CybDev: nope ... but it has explicit route to the VPN tunnel .... as I said earlier, openvpn client can ping machines behind the openvpn server ... it's the other way around which is the issue
11:06 < CybDev> ok, so if i get this right
11:06 < dazo> CybDev: and we see traffic reaching the tun0 interface on the openvpn server .... but no reply back from the openvpn client on the tun0 interface
11:07 < dazo> CybDev: my conclusion is that the Vista box do not forward IP traffic between the interfaces
11:07 < CybDev> is the vista box the vpn server or the client?
11:07 < CybDev> i'm confused
11:07 < dazo> CybDev: the client
11:08 < CybDev> didn't he post the routing tables somewhere?
11:08 -!- SubZero273 [n=srg@dsbg-4db5624d.pool.einsundeins.de] has quit ["Konversation terminated!"]
11:08 < dazo> Vista/openvpn client <---> Ubuntu/openvpn server <---> (LAN) <---> internal server
11:08 < dazo> CybDev: he did pastebin it yes
11:09 < CybDev> and there is a LAN behind the openvpn client as well i take it?
11:09 < dazo> http://pastebin.ca/1365311
11:09 < CybDev> thanks
11:09 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
11:10 < dazo> CybDev: That I really do not know explicitly ... but I presume so, as that IP address is 192.168.1.67
11:10 < podman99a> hey all ... routing appears to be enabled now ... according to ipconfig /all
11:10 < dazo> (yeah, I know ... bad range ... but there's no conflicting zones here)
11:10 < podman99a> wow ur talking about me
11:10 < dazo> podman99a: yeah, I've been updating some other people here :)
11:10 < CybDev> mm-kay
11:10 < podman99a> cool
11:11 < CybDev> and can the client ping the openvpn server at all?
11:11 < podman99a> yes
11:11 < CybDev> and the server can ping the clients tun ip?
11:11 < CybDev> but not the clients lan ip?
11:11 < dazo> podman99a: you can take over the answers here ...
11:11 < dazo> CybDev: that's my impression yes
11:11 < podman99a> in my case i believe that to be 10.8.0.6 if so then yes
11:12 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:12 < CybDev> run 'ipconfig /all' on the windows boxes(i wonder if that command still is around in vista? :P) and 'ip a sh' on the linux server?
11:13 < CybDev> just after the ip for lan and vpn interfaces
11:13 < podman99a> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 <-- is my ovpn route to my client
11:14 < podman99a> 10.8.0.6 on client .1 on server however server uses virtual ip's 2-5 for windows clients
11:16 < CybDev> um
11:16 < CybDev> maybe i'm a bit rusty on those tun devices
11:17 < CybDev> but shouldnt the route be using 10.8.0.6 as a gateway to reach 192.168.1.0/24 ?
11:17 < dazo> CybDev: they're confusing .... you have different p-t-p addresses on client and server, usually .... unless topology /30 is used, iirc
11:20 < CybDev> still got that url for the config paste as well?
11:21 * CybDev increases buffer size on his irc client while he's at it :P
11:21 < podman99a> however just noticed i can't ping the Server Lan from client, however can ping the server
11:21 < podman99a> http://pastebin.ca/1365308
11:21 < podman99a> but that's old configs now
11:21 < dazo> podman99a: does that reflect changes we did?
11:22 < podman99a> na ... will paste new
11:22 < dazo> podman99a: server config is all we changed ... so that should be enough
11:23 < podman99a> http://pastebin.ca/1365348
11:25 < dazo> CybDev: we did add one more manual route at the end .... route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2 on the openvpn server
11:25 < CybDev> i'm curious as to that 10.8.0.2 thing
11:25 < CybDev> which interface actually has that address?
11:26 < dazo> CybDev: that should be the interface for 10.8.0.0/24 network
11:26 < podman99a> CybDev: tun0 = 10.8.0.1 (2-5)
11:30 < CybDev> 2-5?
11:30 < CybDev> grmbl
11:30 < CybDev> !/30
11:30 < vpnHelper> CybDev: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
11:30 < podman99a> my client's dhcp server/gateway is .5
11:35 < CybDev> i still can't make sense of that 10.8.0.2 route... if i understand it correctly, the openvpn server has an "iron" ip 10.8.0.1 and "virtual" 10.8.0.2, but that's just between the openvpn and server stack, now according to the manual the first available range for a client is 10.8.0.4/30, which assigns .5 to a fake dhcp server, and .6 to the client (4 and 7 lost in net/bcast) -> shouldn't the gw statement be either 10.8.0.1 or 10.8.0.6?
11:36 < CybDev> but hey, i've been wrong before :P
11:36 < CybDev> in fact, i usually can't get those things right, which is why i went with the good old tried and tested tap/bridge model ^^
11:38 < podman99a> i would use tap/bridge but would i not need 2 nics on the server?
11:39 < ecrist> no, you wouldn't
11:39 < dazo> podman99a: no, not at all
11:39 < CybDev> it just sets up a virtual subnet on vpn only
11:39 < dazo> podman99a: but it's more overhead on the traffic on the VPN tunnel
11:39 < CybDev> how you choose to use it is ofc up to you
11:40 < ecrist> CybDev: I've stopped trying to wrap my head around how OpenVPN does some routing. generally, routes will point to the other end of a client's /30
11:40 < CybDev> on the client the "destination" should be the first available address on the /30 net afaik?
11:41 < CybDev> so it should be the other way around when coming from the server?
11:41 < podman99a> ok... someone point me in the right direction and i'll setup bridging tonight and play
11:41 < dazo> podman99a: you don't need bridging to use tap ....
11:41 < dazo> podman99a: but tap can enable bridging if you want that
11:48 < podman99a> ??... now i'm getting lost again... should i use routed or bridged?
11:51 -!- Zeti [n=gs@e180031019.adsl.alicedsl.de] has joined ##openvpn
11:51 < Zeti> hi folks
11:51 < Zeti> almost everything is running fine
11:51 < CybDev> http://pastebin.ca/1365369 <-- granted i've never mixed in your stuff with iroutes and such on it, this just adds an extra virtual subnet, used for some gaming stuff i think (h00ray for multiplayer games that work without cracks on the same subnet :P)
11:51 < Zeti> only redirect-gateway makes some problems
11:52 < Zeti> no matter what the client always reports Thu Mar 19 17:49:41 2009 ROUTE default_gateway=192.168.0.1 with it being my router and not the server
11:52 < Zeti> any ideas where to take a look?
11:53 < dazo> podman99a: aim for routed ... that's the easiest, and that can also work over TAP
11:57 < podman99a> ok ... so CybDev is your pastebin link there for my benefit?
11:58 < diegoviola> hi everyone... is there a way that a lan and a vpn could interact together, between the two... applications on it, etc
11:59 < CybDev> i don't know podman99a, like i said i've never tried it with iroute etc...
11:59 < CybDev> that particular config (on different nets and such ofc) does all such things via iptables and nat
12:05 < podman99a> ok well making my way home now so i'll have a play tonight and see what i can do ...
12:05 < podman99a> thanks
12:05 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Read error: 60 (Operation timed out)]
12:09 -!- Zeti [n=gs@e180031019.adsl.alicedsl.de] has quit ["Verlassend"]
12:10 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 145 (Connection timed out)]
12:10 -!- CybDev [n=cybdev@unaffiliated/cybdev] has joined ##openvpn
12:15 < CybDev> if it wasn't so cheap i'd switch coloc provider in the blink of an eye :-/
12:15 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit [Read error: 60 (Operation timed out)]
12:19 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Read error: 104 (Connection reset by peer)]
12:20 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has joined ##openvpn
12:31 < Bushmills> diegoviola, yes. pinging one from the other is a way of interaction.
12:34 < diegoviola> Bushmills: so lan and vpn is perfectly interactable?
12:35 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection]
12:37 < Bushmills> yes, sure
12:38 < Bushmills> it helps viewing vpn as wire, and the interface as ... interface
12:39 < diegoviola> yep, thanks
12:40 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
12:44 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
12:46 < mjt> what's the way to assign an IP address to a given client without PUSHing it?
12:46 -!- waKKu [n=vaKKu@unaffiliated/wakku] has joined ##openvpn
12:46 < waKKu> hi folks..
12:47 < waKKu> what is the right command to perform after logrotate for openvpn.log ?
12:47 < waKKu> my new logs are getting empty :(
12:48 < mjt> i'd say it's --syslog
12:49 < waKKu> hm.. no
13:02 < CybDev> have to agree with mjt on that one :P
13:16 < dazo> waKKu: to do log rotates, you most probably need to restart the openvpn process after rotating the file .... and if that's not a good approach, logging via syslog is the way to go, and to let syslog handle log rotation
13:20 < waKKu> dazo thanks.. i found an option on logrotate "copytruncate" that says it works with this case
13:21 < waKKu> but syslog is a better option, sure.
13:50 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
13:56 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn
13:59 < hagna> would you call vpn without encryption a vlan?
13:59 < hagna> can I do that with openvpn?
14:05 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
14:05 < podman99a> hey all ... bad news i'm back
14:05 < ecrist> dammit
14:05 < hagna> rats
14:06 * ecrist kills himself
14:06 < podman99a> gonna do some tests to work out where i'm at then i'll be back for help! lol
14:07 < podman99a> ok ... client can ping vpnserver and vpnserver lan, vpn server is unable to ping my client's remote lan
14:07 < podman99a> sorry ... my client (ignore remote lan)
14:08 < ecrist> podman99a: do you have iroute setup?
14:08 < podman99a> prob not but i'll check ... i know i did but advice here said not to... one min
14:08 < podman99a> push "iroute 192.168.1.0 255.255.255.0" is the only iroute i have and that's in ccd/client1
14:09 < ecrist> and client1 is the client with the LAN issue?
14:09 < podman99a> client1 is my vpn client which cannot be pinged from the VPN
14:09 < ecrist> do you have client-to-client enabled on the server?
14:10 < podman99a> yes
14:10 < podman99a> 192.168.1.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 ---- is the route to client on VPNServer
14:10 < ecrist> the vpn server cannot ping the vpn ip of client1?
14:11 < podman99a> vpn ip of client being my 192 range assigned by my router or my 10.8.0.?? address assigned by the VPN?
14:11 < ecrist> VPN ip would be the IP address for the VPN. :\
14:11 < podman99a> the vpn server can ping the 10.8.0.6 address of client1
14:12 < ecrist> ok, what is the 192 ip for client1?
14:12 < podman99a> 192.168.1.67 which is client-side lan ip address
14:12 < ecrist> can you ping that address from the VPN server?
14:12 < podman99a> no
14:13 < ecrist> what OS is that system?
14:13 < podman99a> vista
14:14 < ecrist> do you have ip forwarding enabled?
14:14 < podman99a> IP Routing Enabled. . . . . . . . : Yes
14:14 < ecrist> windows firewall enabled or no?
14:14 < podman99a> Off
14:16 < ecrist> hrm
14:16 < ecrist> vista *is* the devil
14:16 < podman99a> yea but ubuntu does not support my tablet pc very well... else i'd be using that lol
14:17 < podman99a> but that's another story... this should work?? i think?
14:17 < ecrist> well, your problem appears to be a routing issue on client1, not routing traffic between 10.8/x and 192/x
14:18 < ecrist> see this: http://www.computing.net/answers/networking/how-to-connect-two-different-subnets/4545.html
14:18 < vpnHelper> Title: How to connect two different subnets (at www.computing.net)
14:19 < podman99a> reading now
14:19 < ecrist> I think you've got that covered, but worth a shot.
14:19 < ecrist> I think your issue is OS-level, at the least.
14:20 < podman99a> could the beta openvpn (the vista one) have a broken tap driver?
14:21 < ecrist> doubt it
14:21 < ecrist> you can communicate with the VPN. it's a routing issue, not a TAP issue
14:21 < podman99a> k
14:21 < podman99a> downloading wireshark for vista see if i can see a problem
14:22 < ecrist> podman99a: your issue is vista is not forwarding packets from one interface to the other
14:22 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: worch, pa
14:22 < ecrist> from another machine on client1's LAN, can you ping 10.8.0.6?
14:22 < podman99a> ecrist: and hopefully with an error or bounce?... unless vista is (and very likely) screwed ... may give me something to google for
14:22 -!- Netsplit over, joins: worch, pa
14:25 < ecrist> totally separate, http://www.microsoft.com/mac/products/remote-desktop/default.mspx
14:25 < vpnHelper> Title: Connect Across Platforms with Remote Desktop Connection | Mactopia (at www.microsoft.com)
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:10 < podman99a> ok... still no luck peeps
15:10 < ecrist> podman99a: throw out vista
15:11 * podman99a moans at ##ubuntu to make hptouchsmart tx2 better compatible with touch screen
15:12 * ecrist points out this is ##openvpn
15:16 < podman99a> soo.. does this work ok with XP or 2008Server?
15:25 < ecrist> should work OK on XP
15:36 < podman99a> no news on 2k8
15:36 < podman99a> ok ... well... i'm gonna try my updates and see if i can make this work on ubu
15:37 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
15:37 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:42 < mjt> so.. any way to configure an IP address on a server for a client without actually pushing it?
15:43 < mjt> iroute?
15:45 < CybDev> why wouldn't you want to push it?
15:45 < mjt> i don't want to accept network config requests on the other side.
15:45 < mjt> ie, don't want to --pull
15:45 < CybDev> 2.0 or 2.1?
15:45 < mjt> 2.1
15:46 < CybDev> 2.1 has a route-nopull option
15:46 < CybDev> for the client that is
15:46 < mjt> well, the question isn't about client, but about server
15:46 < mjt> everything just works on the client, except that it logs warnings about options being pushed which it does not accept.
15:47 < mjt> so i want to stop server from pushing them
15:47 < mjt> and without --ifconfig-push the server does not know that client's IP.
15:47 < CybDev> obviously :P
15:51 * mjt still can't replace vtun and tinc -- both are still in use, and openvpn is the 3rd...
15:53 -!- Viper550 [i=Viper550@d57-220-221.home.cgocable.net] has joined ##openvpn
15:53 < Viper550> !howto
15:53 < vpnHelper> Viper550: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:23 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has joined ##openvpn
16:23 < Evilliksass> !howto
16:23 < vpnHelper> Evilliksass: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:26 < Evilliksass> If I want to use pre shared keys with openvpn what are the requirements? I am using pfsense and all it tells me is that the shared key I input is not valid
16:36 < CybDev> is it the same key on both the server and the client?
16:52 < Evilliksass> CybDev: yes.
17:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:19 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn
17:19 < podman99a> hey all.. bad news... ne way... any ideas on my routing problems with vista?
17:24 < podman99a> !vista
17:24 < vpnHelper> podman99a: Error: "vista" is not a valid command.
17:24 < podman99a> !route
17:24 < vpnHelper> podman99a: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
17:36 < podman99a> ne one here use openvpn and vista?
17:50 -!- nemysis [n=nemysis@173-48.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
17:50 -!- nemysis [n=nemysis@69-188.3-85.cust.bluewin.ch] has joined ##openvpn
17:55 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:35 -!- menace [n=knorr@unaffiliated/menace] has joined ##openvpn
18:37 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success]
18:50 -!- diegoviola [n=diego@adsl-137-127.click.com.py] has quit [Connection timed out]
19:59 -!- menace [n=knorr@unaffiliated/menace] has left ##openvpn []
20:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
20:27 < Bushmills> vista! /me fetches a crucifix and some garlic
20:38 < Bushmills> vista isn't the answer
20:38 < Bushmills> vista is the question. the answer is "no" :D
21:01 -!- hads [n=hads@argon.nice.net.nz] has left ##openvpn []
21:06 -!- mepholic_ is now known as mepholic
21:19 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
22:16 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 60 (Operation timed out)]
22:18 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
22:30 -!- Viper550 [i=Viper550@d57-220-221.home.cgocable.net] has quit ["THANK YOU FOR PLAYING"]
22:53 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
23:26 -!- smk [n=scott@cobra.httpd.org] has quit ["rebooting"]
--- Day changed Fri Mar 20 2009
00:28 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn
00:29 < Kurogane> I have a problem in my vpn: the clients, when they connect to the vpn, it is working but i have 2 problems
00:30 < Kurogane> 1. a client can't ping the ip node (10.10.0.1), it gives him TTL expired in transit
00:31 < Kurogane> 2. if a client pings another client it gives him the same error
00:32 < Kurogane> but only one client does not have these problems, the others do.
00:32 < Kurogane> what do you think is causing this problem?
00:34 < Kurogane> forgot to mention: when it says TTL expired in transit on the vpn server it gives him a strange ip (it is not set anywhere, 10.192.68.x) and when pinging the client the same happens but with another ip 0.192.68.x
00:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:38 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has joined ##openvpn
01:38 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has left ##openvpn []
01:55 -!- pmguy [n=ekjsdm@82-34-204-54.cable.ubr13.enfi.blueyonder.co.uk] has joined ##openvpn
01:55 < pmguy> How does one specifically configure your ROUTER or COMPUTER to allow Internet access via OpenVPN _only_? That is-- including all forms of javascript and Java.
01:57 < reiffert> redirect-gateway def1
01:58 < pmguy> ok how do you do that?
01:59 < reiffert> Do you have a running openvpn setup?
02:01 < pmguy> yes
02:09 < pmguy> no one?
03:03 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has joined ##openvpn
03:11 < podman99a> hey guys... ok have same problems on my ubuntu machine at work... my windows client has been taken offline from VPN, now testing my ubuntu version (From APT) it's connected and i can ping its vpn address of 10.8.0.6, but not its real ip of 192.168.1.73
03:12 < dazo> podman99a: have you enabled ip_forward? /proc/sys/net/ipv4/ip_forward
03:12 -!- simplechat_ is now known as simplechat
03:13 < dazo> podman99a: anyway ... Ubuntu is almost like Vista :-P .... Get a real distro, not a spaceman distro :-P
03:13 < podman99a> dazo.... true... enable and restart networking?
03:13 < dazo> podman99a: did cat /proc/sys/net/ipv4/ip_forward give you 1?
03:14 * dazo got unsure if podman99a's "true" was aimed at ip_forward or Vista/Ubuntu comment
03:15 < podman99a> yes
03:15 < podman99a> enabled
03:15 < podman99a> testing ping now
03:16 < podman99a> ping to 10.8 success.... localnet of 192.168.1.73 failed (BOTH from server)#
03:16 < dazo> podman99a: and you have checked that firewalling is not blocking the traffic?
03:16 < podman99a> no iptables rules setup
03:17 < dazo> podman99a: oki ... I need to restart my box now ... in the mean time, can you put configs on pastebin ... and also all routes and iptables-save dump from your Ubuntu client on pastebin too?
03:18 < podman99a> k
03:18 -!- dazo [n=dazo@nat/redhat/x-b03334b74c651cde] has quit ["Leaving"]
03:23 -!- dazo [n=dazo@nat/redhat/x-799df3ba13b2efcc] has joined ##openvpn
03:24 < podman99a> wb .. http://pastebin.com/m13948e6b
03:24 < dazo> podman99a: oki ... I'm back ... wherever you put your pastebin, I'm ready
03:25 * dazo wonders if he is blind :-P
03:25 < podman99a> wb .. http://pastebin.com/m13948e6b
03:25 * dazo looks at pastebin
03:25 < podman99a> ah k
03:26 < dazo> podman99a: ccd/client1 .... you have disabled push iroute
03:27 < dazo> podman99a: and you are also missing a crucial route on the server as well
03:27 < podman99a> ?
03:27 < podman99a> ok have enabled the CCD iroute
03:28 < dazo> podman99a: the server route, you can enable by doing this from command line, just for testing .... route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.0.2
03:28 < podman99a> still nothing
03:29 < dazo> podman99a: oki ... time for tcpdump ... on both ubuntu client and openvpn server
03:30 < podman99a> SERVER -> 08:29:46.993074 IP 10.8.0.1 > 192.168.1.73: ICMP echo request, id 42557, seq 6, length 64
03:30 < podman99a> client shows nothing
03:30 < dazo> podman99a: and that was on tun0 or eth0?
03:30 < podman99a> tun0
03:31 < podman99a> also eth0 shows nothing
03:31 < dazo> podman99a: interesting ... the packet disappears in the tunnel
03:31 < podman99a> wish my car would do that.... how can we get more debugging info on that packet?
03:31 < dazo> podman99a: by nothing, you mean no ICMP traffic? .... you should see openvpn traffic, though
03:32 < podman99a> using proto ICMP
03:32 < pmguy> dazo do you know how to keep executables like Java or Flash from returning IP information?
03:33 < dazo> pmguy: nope ... I'm not using Java nor Flash .... and I'm in #openvpn mode now, not #devel :-P
03:33 < pmguy> i'm referring to while using OpenVPN
03:33 < podman99a> yea i see UDP packets from time to time but not the same amount as lines in tcpdump on server's tun0
03:34 < dazo> podman99a: I am really puzzled by this ... that you do not even see the packet coming in on your client
03:34 < dazo> podman99a: that's good ... Which openvpn versions are you running?
03:34 < podman99a> client 2.1_rc11
03:34 < dazo> pmguy: I don't see the connection between openvpn and java/flash ....
03:35 < dazo> podman99a: could you please try to upgrade both sides to 2.1_rc15? .... compiling from source code is a piece of cake with openvpn
03:35 < podman99a> server 2.1_rc6 ... WOW that's old
03:36 < dazo> podman99a: _that_ could be an issue
03:36 < podman99a> possibly the vista issue too... since it's doing it both sides
03:36 < dazo> podman99a: it might be .... because what you experience here is very very odd
03:37 < podman99a> this is gonna put files in weird places... but i'll have to fix that later
03:37 < dazo> podman99a: even though I don't like Ubuntu ... the network stack in the kernel compared to other Linux distros is the same, so that's why I'm really puzzled that even the Ubuntu based client doesn't respond on ICMP .... unless .....
03:38 < dazo> podman99a: let me check one thing .... it is possible to disable ping response on kernel level in Linux ... can you try to ping localhost on your Ubuntu client? ... if that works, ping response is enabled
03:38 < podman99a> response OK
03:39 < dazo> pmguy: I would guess you need to figure out the network stack from java/flash ... which is OS dependent, and not openvpn dependent ... as openvpn just creates and uses a virtual network interface
03:40 < dazo> podman99a: good ... that means that no strange blocks should be present ... your ubuntu client should be open then
03:40 < podman99a> making server now
03:40 < dazo> podman99a: cool! do the same on the client as well, please .... using the same version both places usually removes other issues as well
03:40 < dazo> other possible issues, I mean
03:43 < pmguy> what's the network stack from java/flash ????
03:46 < reiffert> http://freshmeat.net/projects/jnetstack/
03:46 < vpnHelper> Title: Java Network Stack | freshmeat.net (at freshmeat.net)
03:47 < podman99a> dazo, pings still not getting through to that address.... and have added route manually and no pings - 10.8 address works
03:48 < dazo> podman99a: this is absolutely absurd .......
03:49 * dazo is about to go mentally crazy ....
03:50 < dazo> podman99a: can you setup your configs to verb 4 ... do a complete reconnect and pastebin the result?
03:52 < podman99a> server and client or just server?
03:52 < dazo> podman99a: both
03:53 < dazo> podman99a: and then after that, you can update configs to verb 6 and run the daemons without logging and without putting them in the background (not daemon).... and do the ping exercise again .... iirc correctly, you should see streams of rrWWWwwRrrRwWWw ... spawning out on both sides ... the r's are openvpn reading/receiving traffic .... w's are writing .... and small/capital letters is if it is the local instance or the remote insta
03:53 < dazo> nce performing the action
03:54 < dazo> s/run the daemons/run openvpn/
03:56 < podman99a> 200+ lines on server...
03:56 < dazo> podman99a: but both r and w's? Or a majority of w's?
03:58 < podman99a> http://pastebin.com/m2cfed8b5 --> done... it's the winbloz client though
04:00 * dazo reads logs
04:01 < podman99a> the ping packet is not being sent through the tunnel?
04:02 < dazo> podman99a: I think I see an issue ....
04:02 < podman99a> i've pinged with log=6 and when i ping the 10 address i get loads and quick... when i ping the 192 i get bugger all ????
04:02 < dazo> #
04:02 < dazo> Fri Mar 20 08:55:18 2009 us=865787 78.86.189.73:63189 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1442'
04:02 < dazo> #
04:02 < dazo> Fri Mar 20 08:55:18 2009 us=865843 78.86.189.73:63189 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1400'
04:02 < podman99a> ah
04:03 < dazo> podman99a: you might want to explicitly set those values to the lowest reported values here .... just so they will agree
04:03 < podman99a> specify tun-mtu=1500 in both configs? or remove from client
04:03 < podman99a> both to 1400?
04:03 * dazo continues to read
04:03 < dazo> podman99a: both to 1400 with tun-mtu .... and 1442 for link-mtu
04:05 < podman99a> only one of tun-mtu or link-mtu may be used? ... which one is best?
04:05 < dazo> podman99a: good question ... the one which works :-P try link-mtu first
04:07 < podman99a> no better in data transfer
04:07 < dazo> do you see the same errors in the log?
04:07 < podman99a> na not there
04:08 < dazo> podman99a: so no tun-mtu nor link-mtu errors reported in the log at all now?
04:08 < podman99a> not that i've seen
04:09 < dazo> podman99a: okey
04:09 * dazo continues to read logs
04:09 < dazo> podman99a: I got the impression you are testing ubuntu on the client side, are you not?
04:09 < podman99a> WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400) ------->>> i'll change to tun-mtu
04:10 < podman99a> client was ubuntu but using windows for the moment can go back to that if needed
04:10 < dazo> podman99a: grrr ..... we need to have some consistency here now ... you might as well also have ip_forward issues in Vista, remember?
04:11 < podman99a> ill change to ubuntu for both sides 04:11 < podman99a> saves me windows on taskbar that way 04:11 < dazo> podman99a: yeah, I read the man pages for openvpn .... might be that --fragment 1500 would be better than link-mtu 04:14 < podman99a> just setting that up and testing be a few mins 04:19 < podman99a> pings still not going into the tunnel? 04:19 < podman99a> well .... IP 10.8.0.1 > 192.168.1.73: ICMP echo request, id 9222, seq 31, length 64 04:20 < podman99a> but no reply 04:20 < podman99a> so they hitting tunnel but not getting to client 04:20 < dazo> podman99a: and what does verb 6 activity show you? 04:20 < dazo> on the server 04:20 < podman99a> i start ping and after 10 seconds nothing been sent 04:21 < podman99a> then i get a few of ----> Fri Mar 20 09:20:38 2009 us=107709 client1/78.86.189.73:64172 UDPv4 READ [61] from 78.86.189.73:64172: P_DATA_V1 kid=0 DATA len=60 04:21 < dazo> podman99a: so you do not see any RW's at all? Or they simply stops... get's silent? 04:21 < podman99a> which im guessing is keep alive stuff 04:21 < podman99a> no R/W although get READ/WRITE messages 04:21 < podman99a> is response from previous ---- >Fri Mar 20 09:20:38 2009 us=107828 client1/78.86.189.73:64172 UDPv4 WRITE [61] to 78.86.189.73:64172: P_DATA_V1 kid=0 DATA len=60 04:22 < podman99a> i have 10 pairs of that in log but sent 86 ping packets... all were lost 04:22 < dazo> podman99a: oki ... I begin to wonder if it is something really odd on your server now .... as long as the traffic hits the tun0 but do not reach the openvpn process 04:23 < podman99a> true.... latest verion... 
AH HANG ON 04:23 < dazo> podman99a: do you get more log entries if you ping the VPN address of your client 04:23 < podman99a> no that therry is pants /proc/sys/net/ipv4/ip_forward = 1 on server 04:23 < podman99a> yes 04:23 < podman99a> read writes in line/time with pings 04:24 < podman99a> Fri Mar 20 09:24:04 2009 us=201853 client1/78.86.189.73:64172 TUN WRITE [84] --- >and read straight after 04:24 < dazo> podman99a: good 04:24 < podman99a> is the 10.8.0.2 the correct gateway for 192.168.1.0 packets? 04:25 < podman99a> must be as its hits the tun0 but not the vpn process 04:25 < dazo> podman99a: I'm just wondering ... this is really odd ... yes, 10.8.0.2 should be the proper gateway 04:25 < podman99a> i take it u have this working??.... lol 04:25 < dazo> podman99a: can you do a ifconfig -a on your box and pastebin that? 04:26 < podman99a> serever -- >http://pastebin.com/mfe4c179 04:26 < dazo> podman99a: I'm using openvpn a lot .... not often I do the iroute stuff though, but I have got it working pretty easily enough thouhg 04:27 < podman99a> my idea was if urs works... see if configs are diffent... but that wouldnt matter... as this is simple stuff from what i can see... just not working 04:27 < podman99a> lol 04:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:28 < dazo> podman99a: I've done the comparing already ;-) ... but this begins to be outside openvpn now, how I see it ... or somewhere in between the openvpn process, the tun.ko driver and the tun interface 04:28 < dazo> podman99a: so it can be kernel stuff, it can be a config issue .... but it's getting pretty tricky by now 04:28 < podman99a> i like giving a challenge.. 04:29 < dazo> podman99a: anyway, any reason you want to access the 192.168.1.x address of your box? Why not access the VPN address? 04:29 < podman99a> has to be server side as not working on 2 clients and different versions 04:29 < podman99a> now.... thats a good question that i hope u can answer... 
lol 04:29 < podman99a> im setting up remote sites for active directoty 04:29 < podman99a> so windows server in rack and server on client 04:29 < podman99a> 2 way comms.... ? 04:29 < dazo> podman99a: that's what I'm feeling .... running Ubuntu on server side? 04:30 < podman99a> yea 04:30 < podman99a> 2.6.24-16-server 04:30 < dazo> podman99a: I see ... but does the server side need to initiate contact with the clients at all? 04:30 < podman99a> AD replication ... clients will do all accessing of internet/vpn with server 04:31 < dazo> podman99a: I've never tried Ubuntu on server side ... I got Ubuntu Ibix (started with Gutsy->Hardy->Ibix) on my private laptop, but I am planning to scrap it, because it's really a crappy distro 04:31 < dazo> podman99a: aha ... I see 04:32 < dazo> podman99a: sounds convenient then to have subnet access then 04:32 < podman99a> yea... makes everything seem like they in same office althoguh 10 miles+ appart 04:33 < dazo> podman99a: Well, this whole issue is getting incredibly complex now .... you've done now everything by the book, as far as I can tell from what I've seen 04:33 < podman99a> ummm... work arounds? 04:34 < podman99a> im avoiding windows server VPN's as i want to keep things secure 04:35 < dazo> podman99a: this might be something to bring up further to ubuntu people actually ... all distroes have their own tweaks, but Ubuntu is known for having the most dirty ones, to "make it work now!(tm)" .... and that can often backfire ... I'm wondering if that's something you might hit into now 04:35 < podman99a> ok ... which distro would you recommend for this kind of thing? 04:35 < podman99a> im easy have no real preference 04:36 < dazo> podman99a: totally agreed ... did you say you ran the openvpn server in virt? 04:36 < podman99a> hell no ... hate virtuals 04:36 < dazo> podman99a: sorry ... 
I mixed you with another one then :-p 04:37 < podman99a> nothing beats the feel of a whole and real processor running your services 04:38 < dazo> podman99a: you have several distro options .... I'm using Gentoo, but that's not easy to install .... You have Novel SuSE Linux Server (SLES), which I also do not recommend due to how they do their community work, and mingling a little bit too much with Microsoft - but it could be a good option for you, just because of that mingling ..... And then you have Fedora, Red Hat Enterprise Linux and CentOS 04:39 < podman99a> gentoo it is ..... lol... ill play with windows VPN for now so this client can get on with his life... lol... but for my proper vpn ill create gentoo one 04:39 < dazo> podman99a: if you don't want commercial support at all .... I probably would go for CentOS or Fedora .... the advantage of CentOS is that it is basically a Red Hat Enterprise Linux with pretty good updates and migration later on from CentOS to RHEL is not that painful, it is said 04:40 < dazo> podman99a: If you're considering commercial support .... RHEL or SLES is good options 04:40 < podman99a> i am the commercial support 04:40 < podman99a> lol 04:40 < CybDev> poor bastards ;-) 04:40 < podman99a> i know ... bad aint it 04:41 < dazo> podman99a: heh ... well, with RHEL at least, you have pretty good community and pretty good responses on support issues as well 04:41 < podman99a> the only payments i do for linux is donations to the people who make it happen 04:42 < dazo> podman99a: and that's what you also do when you pay for a RHEL or SLES distribution .... Red Hat employs some thousands of developers working with Fedora and RHEL 04:42 < CybDev> RHEL is nice when you need someone to blame :P 04:42 < dazo> CybDev: +1 04:43 < podman99a> but package updates to latest are slow i find... well found... 
not used RHEL for 2 years now 04:43 < CybDev> gentoo is ace when you need to fix things yourself :-) 04:43 < CybDev> RHEL is slow for a reason, same as debian 04:43 < CybDev> bleeding edge software and commercially stable software are two entirely different worlds :P 04:44 < dazo> podman99a: RHEL is slow because if you get a RHEL5.3 installation, it is guaranteed support and full functionality for all software for 7 years since release 04:44 < podman99a> CybDev: i have a gentoo server which runs my monitoring,... and sun server... thats a sexy distro.... ill make that happen on a now box though as have not updated gentoo in AGES 04:44 < dazo> podman99a: updating any linux distro is just as crucial as updating Windows every day 04:46 < podman99a> dazo, yea but i was a novice at these things when i set gentoo up over 2 years ago, and didnt want to break things... and have no KVM at my rack, have one now so can keep better eye on things, but as i say .... its been a while... im phasing out the old in favor of new so will take a while 04:46 < dazo> podman99a: fair enough 04:47 < dazo> podman99a: anyway ... choose a distro you are familiar with and feel comfortable with ... and combine that with which support possibilities you got 04:47 < podman99a> running 3000+ domains (hosting) and about 50 servers (dedicated) have got calls down to about 10 a day, so thats all good, have developer making my new clever things in to automated functions on my website... just a slow process.... 04:48 < dazo> podman99a: pretty awesome :) 04:48 < podman99a> dazo, i know gentoo is good and great support/documentation so will use that 04:48 < podman99a> ne way... 04:48 < podman99a> on with vpn... so ill speak later guys... thanks loads... shame my servers suck lol 04:48 < dazo> podman99a: heh ... no prob! :) 04:49 < dazo> podman99a: I just hope that Gentoo will work better .... I really do ... 
or else I'm gonna feel baaaaad :-P 04:50 < podman99a> lol 04:51 < dazo> podman99a: just one last really desperate attempt .... try to switch openvpn configs from UDP to TCP ... just have that one ruled out 04:51 * dazo remember he had to do that in one network to make it work 04:51 < dazo> podman99a: but I don't expect it to help ... since traffic to VPN IP's seems to work 04:52 < podman99a> umm... good point... ill try in a bit... damn phone ... lol 04:56 < CybDev> ,eh 04:56 < CybDev> gentoo is going down the drain :-( 04:56 < CybDev> half (or more?) of the package maintainers switched over to ubuntu or arch :-/ 04:56 < CybDev> such a shame :-( 04:57 < dazo> CybDev: Didn't know that ... but Ubuntu maintainers escape further again to other distros as well .... so I think that's just normal "circulation" ... but if Gentoo is losing more than it manages to get in, it's big big shame 04:59 < CybDev> yeah, gentoo has been suffering for the last couple of years tbh 04:59 < CybDev> i'm still using it, but my overlay has grown a lot and is starting to be a pain to maintain :-/ 04:59 < dazo> CybDev: I've noticed that the Hardened team is struggling ... but on the other hand, it seems to get the most important CVE fixes and keeps it in pretty good shape ... but, yeah, it's not too quick updates 05:00 * dazo noticed that 2.6.28 kernel was recently available .... a jump from 2.6.25 05:00 * dazo imagines ecrist will complain about non-openvpn discussions here now :-P 05:01 < CybDev> hardened was always struggling :P 05:01 < reiffert> I've heard that bridging is broken in 2.6.28 so its back at openvpn. 05:01 < CybDev> it is? 05:02 < CybDev> oh yeh, forced to run -27 since my fking raid controller drivers won't compile on 28 or later :-( 05:02 < reiffert> from what I've heard the bridge doesnt learn mac addresses, so sends every frame to all interfaces. 05:31 < dazo> reiffert: that's only when doing bridging? brctl stuff ... not the tun/tap driver, I hope? 
05:33 < reiffert> when doing bridging, brctl stuff. 05:41 < dazo> reiffert: good .... I got worried for a 2.6.28 upgrade now .... thx! 05:48 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn 06:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 06:20 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 06:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:04 < ecrist> morning folks 07:05 < ecrist> dazo: I have no problem with non-openvpn discussion provided a couple conditions are met. 1) other users aren't trying to have openvpn discussions and 2) it's not a typical BS Windows-bashing convo. 07:10 * CybDev slaps ecrist around a bit with a Windows Vista installation disk 07:10 < CybDev> <3 07:11 < reiffert> That doesnt hurt that much 07:15 < dazo> reiffert: if that would happen to me .... I would have kicked him out! :-P 07:16 * ecrist wedges said install disk into CybDev's rectum, next to his size 13 combat boot. 07:16 < dazo> ecrist: morning! :) I'm happy there are flexible people here :) 07:23 < ecrist> morning 07:29 < podman99a> ok ... time for the gentoo... out with the big guns.... dont know how long it will take to install may be a min ... maybe an hour... 07:29 < ecrist> ew, linux 07:31 < podman99a> ecrist: surely your weapon of choice isnt windows? 07:32 < podman99a> OMG... its installing openvpn 2.0.7-r2 07:39 < dazo> podman99a: yeah ... the openvpn maintainer is not paying attention to the radar at all 07:39 < dazo> podman99a: I believe 2.1_RC15 is masked now 07:42 < podman99a> no im using VERY old portage... time to learn how to update..... just downloading latest now 07:43 < dazo> podman99a: emerge --sync 07:43 < dazo> podman99a: but still, the latest sync will give 2.0.7 last time I checked ... .2.1 is masked 07:43 < ecrist> podman99a: I use Windows ME for everything I do. 07:44 < podman99a> ecrist: wow, you rock! 
98 with tweaks 07:45 < ecrist> I don't even update the system. 07:46 < ecrist> I kid, I'm a FreeBSD guy 07:47 < ecrist> 07:47 CTCP VERSION reply from ecrist: irssi v0.8.12 - running on FreeBSD i386 07:54 < podman99a> ecrist, ummmmm.... 07:59 < ecrist> podman99a: ? 08:05 -!- waKKu [n=vaKKu@unaffiliated/wakku] has left ##openvpn [] 08:11 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has joined ##openvpn 08:15 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has left ##openvpn [] 08:18 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has joined ##openvpn 08:25 -!- bsund [n=bsund@unaffiliated/bsund] has joined ##openvpn 08:42 -!- mooncup [n=a@unaffiliated/mooncup] has joined ##openvpn 08:42 < mooncup> heya 08:42 < mooncup> !howto 08:42 < vpnHelper> mooncup: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:43 < ecrist> mooncup: how goes? 08:43 < mooncup> best check if it's in there before I actually ask my question 08:43 < mooncup> not bad ecrist 08:43 < mooncup> finally penetrated my uni firewall 08:43 < mooncup> I've had to listen on port 22 08:43 < mooncup> Now I need to work out how to actually route my internet through the vpn 08:44 < mooncup> my client is running on vista 08:44 < mooncup> Do I need to do anything special serverside first, or is it all clientside conf for this? 08:45 < ecrist> on server side, you need to setup NAT for VPN clients, and add redirect-gateway def1 to the server config 08:46 < mooncup> I'm gonna have to learn networking 08:46 < mooncup> this should be interesting :P 08:47 < mooncup> Oh, do I just uncomment push "redirect-gateway" 08:47 < mooncup> ? 08:48 < ecrist> add def1 to the end, before the final " 08:49 < mooncup> push "redirect-gatewaydef1" 08:51 < mooncup> What do I do clientside? 08:51 < ecrist> push "redirect-gateway def1" 08:51 < ecrist> nothing to do client side. 
08:52 < mooncup> but how does vista know to route my internet through the vpn> 08:53 < ecrist> because the server is pushing the 'redirect-gateway def1' to the client 08:54 < mooncup> If I visit a site in firefox, I'm still connecting from my normal ip :/ 08:55 < ecrist> mooncup: did you restart the openvpn server? 08:55 < mooncup> yeah 08:55 < ecrist> post your logs on the client 08:55 < ecrist> s/on/from/ 08:56 < mooncup> Fri Mar 20 04:53:51 2009 you.just.lostthega.me/144.124.140.106:55972 SENT CONTROL [you.just.lostthega.me]: 'PUSH_REPLY,redirect-gateway def1,route 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5' (status=1) 08:56 < mooncup> That's from the server 08:56 < mooncup> I'll just get the client ones 08:56 < ecrist> pastebin.ca 08:56 < ecrist> or .com 08:56 < mooncup> yeah 08:56 < mooncup> http://mooncup.pastebin.com/m694df0fc 08:57 < mooncup> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=10] 08:57 < mooncup> I'm guessing that relates to the problem 08:59 < ecrist> mooncup: upgrade to 2.1-rc15 08:59 < ecrist> or later, I think there's an RC16 now 08:59 < ecrist> see this link for reference: http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/ 08:59 < mooncup> Is the config the same? >.< 08:59 < vpnHelper> Title: OpenVPN GUI on Windows Vista skriptd (at skriptd.wordpress.com) 09:00 < ecrist> yes, the config is the same. 09:00 < mooncup> Alrighty 09:00 < ecrist> you only need to change the client, server should be OK 09:00 < mooncup> cool stuff 09:00 < ecrist> more help on routing at the following link: 09:00 < ecrist> !route 09:00 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 09:01 < mooncup> OpenVPN 2.1_beta7 & OpenVPN GUI 1.0.3 09:01 < mooncup> Is that what I want? 
09:02 < mooncup> or should I get openvpn from the official website 09:02 < ecrist> get openvpn from the official site 09:02 < ecrist> bet7 is broken. 09:03 < ecrist> beta7 09:03 < mooncup> kk 09:08 < mooncup> strange 09:08 < mooncup> it seems to be ignoring my port and trying to connect to 1194 09:09 < mooncup> remote you.just.lostthega.me 22 is quite definitely in the conf 09:09 < mooncup> Fri Mar 20 14:09:09 2009 Attempting to establish TCP connection with 173.65.196.9:1194 09:10 < ecrist> try 09:10 < ecrist> remote you.just.lostthega.me 09:10 < ecrist> port 1194 09:11 < mooncup> same problem 09:11 < ecrist> hrm 09:12 < mooncup> It did this before 09:12 < mooncup> I can't remember how I fixed it 09:12 < mooncup> well I made a new conf file 09:12 < mooncup> that seems to have worked 09:12 < mooncup> maybe it caches it somewhere 09:13 < ecrist> I'm not a windows guy, so my windows-specific support ability is limited. sorry 09:13 < mooncup> Nah that's cool 09:13 < mooncup> thanks for all the help so far 09:14 < mooncup> ok so the vpn is connected again 09:14 < mooncup> but I still don't seem to be routing my net through it 09:14 < mooncup> I'm gonna go reread that blogpost I think 09:14 < ecrist> logs, again? 09:15 < mooncup> http://mooncup.pastebin.com/m66b55363 09:15 < mooncup> hang on 09:15 < mooncup> let me run it as administrator 09:15 < mooncup> I just realised I'm not 09:16 < mooncup> aha 09:16 -!- dergringo [n=philipp@63-112.105-92.cust.bluewin.ch] has joined ##openvpn 09:17 < mooncup> I think my net is now being routed through it 09:17 < mooncup> but I can't seem to resolve domains 09:17 < ecrist> you need to have DNS accessible via the VPN when you're redirecting your gateway 09:17 < ecrist> another push option in the config 09:17 < mooncup> ahh 09:19 < dergringo> Hi. I just set up ovpn for the first time. Server is a Windows 2k3 and clients are linux and windows. Connection goes fine. No problems so far. 
But there is one thing: From the client I can ping 10.18.14.1, I can ping 192.168.1.130 (servers lan address) but I can't ping any other machine in the server lan. 09:19 < ecrist> http://www.secure-computing.net/ip.php will tell you which IP you're coming from. 09:19 < ecrist> dergringo: you need to have proper routing setup on the server LAN. it's my guess that your other machines don't know how to route to the VPN subnet 09:20 < mooncup> push "dhcp-option DNS 10.8.0.1" 09:20 < mooncup> do I just need to uncomment that? 09:20 < ecrist> so, you need to either 1) add a static route to the VPN on each machine on the server LAN, or 2) put a route on your default gateway, pointing to the VPN server for that subnet 09:20 < ecrist> mooncup: do you have a DNS server running on your VPN server? 09:20 < mooncup> No 09:20 < mooncup> I can install one if I need to though I suppose 09:21 < ecrist> then i'd change the IP to a DNS server IP your VPN server uses. 09:21 < mooncup> Ahh 09:21 < mooncup> I see what you mean 09:22 < dergringo> ecrist, thanks. Well I need to find out how to set routes on that D-Ling Gateway. 09:24 < mooncup> I still seem unable to resolve 09:25 < dergringo> What happens when the client's AND server's subnet is 192.168.1.0 255.255.255.0 09:27 < mooncup> I just tried to ping an ip and it timed out 09:27 < mooncup> So I'm wonderif I've i've done the routing wrong somewhere too 09:27 < mooncup> *wondering if 09:36 < dergringo> Can I display a message on the client after successful connect? 09:36 < ecrist> sure, --up-script 09:37 < dergringo> ecrist, great! Everything works fine. I love it! Can I set the message in the config file? 09:42 < nemysis> What is the best DNS Server for Linux on Server? 09:43 < dergringo> bind9 ? 
09:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 10:01 -!- hagna_ [n=hagna@70.102.57.178] has joined ##openvpn 10:17 < mooncup> cheers for the help ecrist 10:17 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has joined ##openvpn 10:17 < mooncup> I'm going afk now, I'll carry on messing with settings when I get back 10:21 -!- intralanman [n=lanman@va-67-76-163-209.sta.embarqhsd.net] has quit [Client Quit] 10:21 < bsund> I use openvpn to get through firewalled schoolnet. It works with openvpn, but when I snat my xbox to the tunnel nothing happens. I can snat it through the wlan (internet) successfully. Any one have any idea what to do? 10:22 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has joined ##openvpn 10:23 < bsund> IE ping -I tun0, works but ping -I eth0 doesn't, even though is is snat/masquerade to the tunnel 10:24 < bsund> is/it 10:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 10:28 < l2trace99> is there a way to have the openvpn daemon reread its config without kicking everybody ? 10:30 < l2trace99> SIGUSR1 ? 10:32 < l2trace99> hmmm roll the dice 10:34 < dazo> l2trace99: in general, it's usually SIGHUP ... but I'm not sure if openvpn kicks out anyone on that 10:37 < l2trace99> just did it 10:37 < l2trace99> no one complained so i guess it doesn't 10:37 < l2trace99> ;) 10:38 < l2trace99> but I don't have a lot of users on it right now 10:47 < ecrist> l2trace99: yes, using the mgmt interface 10:52 < hagna_> so can I configure openvpn to work with a mediation server and clients like hamachi? 10:52 < ecrist> hagna_: not sure. iirc, hamachi is a customized version of openvpn. 10:53 < l2trace99> yes 10:54 < hagna_> customized as in configured or significantly altered 10:54 < l2trace99> ecrist: I connected to the management interface and send SIGHUP. It is all good. 
I just wasn't sure 10:55 < l2trace99> ecrist: so I took a chance and it worked out 10:55 < ecrist> gratz 10:55 < l2trace99> ecrist: I got a an empty chamber so I get to pull again 10:56 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 10:56 < ecrist> l2trace99: there is a mgmt interface command to tell the server to reread the config. 10:57 < ecrist> it's not sighup, but similar. 10:57 < ecrist> should be covered in the docs 11:00 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has joined ##openvpn 11:00 -!- c64zottel [n=hans@p5B17AF52.dip0.t-ipconnect.de] has left ##openvpn [] 11:26 < dergringo> The openvpn tray Icon shows no "connect" on Win XP SP3 even though there is a test.ovpn file in the config dir 11:47 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"] 11:55 -!- dergringo [n=philipp@63-112.105-92.cust.bluewin.ch] has quit ["Leaving"] 12:05 -!- meshuga [i=meshuga@lenin.ww88.org] has quit ["Changing server"] 12:10 -!- fedya [n=fedya@75.112.143.226] has joined ##openvpn 12:12 < fedya> i can't ping machines through the vpn tun, i checked the firewall, there are no rules and policy set to ACCEPT on all chains 12:15 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has joined ##openvpn 12:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 12:32 < fedya> WRFri Mar 20 13:32:16 2009 us=58225 ted/75.112.143.226:51529 Bad LZO decompression header byte: 69 12:32 < fedya> i keep getting these on verb 5 when trying to ping the server 12:41 -!- atomic__ [n=atomic@78.157.9.222] has joined ##openvpn 12:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:43 < atomic__> hi, i've setup a openvpn infrastructure to connect two networks for the sole purpose of H323 hardware based video conferencing (Polycom solution) 12:43 < atomic__> i am experiencing garbled audio and low frame rate, could using LZO compression be an issue here ? 
12:44 < atomic__> anyone with a similar experience ? 12:45 < ecrist> fedya: have you tried turning off compression? 12:45 < fedya> i'm trying that now, i think one side was set for compression and the other wasnt 12:51 -!- podman99a [n=keith@78-86-189-73.dsl.cnl.uk.net] has quit [Read error: 110 (Connection timed out)] 12:51 < fedya> got it 12:51 < fedya> i changed the wrong thing in the client config 13:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 13:44 -!- Evilliksass [n=admin@64-71-25-50.static.wiline.com] has left ##openvpn [] 13:54 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [No route to host] 13:58 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn 14:25 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 14:26 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn 14:30 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has joined ##openvpn 14:31 -!- podman99a [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit [Read error: 104 (Connection reset by peer)] 14:31 -!- fedya [n=fedya@75.112.143.226] has quit [] 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:57 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:17 < hagna_> so what's the tun equivalent in freebsd? 15:37 < reiffert> tun. 15:37 < hagna_> yep I see it 15:37 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 15:45 -!- nemysis [n=nemysis@69-188.3-85.cust.bluewin.ch] has quit [Connection timed out] 15:46 -!- nemysis [n=nemysis@141-87.3-85.cust.bluewin.ch] has joined ##openvpn 15:46 < pmguy> How does one specifically configure your ROUTER and/or COMPUTER to allow Internet access via OpenVPN _only_? That is-- including all forms of javascript and Java. 15:47 < pmguy> Does anyone know? 16:01 < reiffert> redirect-gateway def1 16:03 < Roman123> any gentoo user here? 
16:03 < pmguy> and what the heck is that 16:03 < pmguy> i did a search on that 16:03 < reiffert> Roman123: There is nothing special about openvpn and gentoo. 16:03 < reiffert> pmguy: it's an openvpn option. 16:04 < reiffert> Roman123: just ask your questions. 16:04 < pmguy> how do i know if its set or not? 16:04 < reiffert> You have a look inside the server config. 16:04 < reiffert> Or - you take a close look to the clients routing table. 16:04 < pmguy> what file is that? 16:05 < pmguy> whereabouts? 16:05 < reiffert> pmguy: I name them s.conf, other people might call them server.conf or openvpn.conf, whatever. 16:05 < pmguy> reiffert: may i pm 16:05 < reiffert> pmguy: let me ask my crystal ball, I'll be back in a minute. 16:07 < pmguy> reiffert: can you just tell me how to set that option on? 16:07 < reiffert> pmguy: you edit the server configuration. 16:08 < reiffert> and add this line: 16:08 < reiffert> push "redirect-gateway def1" 16:08 < reiffert> save the config file. 16:08 < reiffert> restart the openvpn server. 16:08 < reiffert> connect a client 16:08 < reiffert> and there you are. 16:08 < pmguy> im not running the server 16:09 -!- atomic__ [n=atomic@78.157.9.222] has quit ["Leaving."] 16:09 < Roman123> my question is about handling different openvpn client configurations in gentoo 16:09 < reiffert> pmguy: then ask the guy who is running the server, to add this line for your config. 16:09 < Roman123> they are located in /etc/openvpn/*.ovpn 16:10 < pmguy> and that will protect me from ActiveX ? 16:10 < Roman123> how can I establish a certain client connection, e.g., mynetwork1.ovpn 16:11 < Roman123> I guess there is a gentoo specific solution. 16:11 < reiffert> pmguy: look, this channel is about openvpn, it's not about browsers, not about microsoft, not about activex, not about javascript and even not about java. your openvpn question is? 
16:11 < pmguy> and Flash 16:11 < Roman123> and not openvpn --config xxxx 16:12 < reiffert> Roman123: allright, I'd probably just enter openvpn --config foo.ovpn into a shell, I have no idea about mouse clicking. 16:12 < Roman123> reiffert: me too 16:12 < Roman123> there is a short command line solution (except from --config) 16:13 < pmguy> my openvpn question is: how can it protect my anonymity while still allowing me to access the full range of the internet 16:13 < reiffert> alias of="openvpn --config foo.ovpn"? 16:14 < reiffert> pmguy: openvpn can add a new default route for you, so that ALL traffic will travel through the openvpn tunnel. 16:14 < reiffert> pmguy: is this what ya want? 16:14 < pmguy> yes 16:14 < pmguy> BUT 16:14 < pmguy> is openvpn also a proxy? 16:14 < reiffert> no. 16:15 < pmguy> ok 16:16 < reiffert> so tell the administrator of your openvpnserver: Please add that line to your config, you might want to check out client-config-dir to have that option only for one specific client. 16:17 -!- pmguy [n=ekjsdm@82-34-204-54.cable.ubr13.enfi.blueyonder.co.uk] has left ##openvpn [] 16:22 < hagna_> so can I connect a client from behind a stateful firewall to a server that has port 1194 udp open? 16:24 < reiffert> depends on that firewall, might work. 16:24 < hagna_> reiffert: just to test I use the command openvpn --remote josh --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9 16:24 < hagna_> on the client 16:39 < ecrist> evening, bitches 16:39 < ecrist> hagna_: most firewalls should allow it, yes. 16:40 < ecrist> keep in mind that udp is a stateless protocol, but there are firewall packages out there that put fake 'state' on udp sessions. 16:40 < ecrist> namely, pf 16:40 * ecrist goes back out to the living room 16:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:44 < hagna_> hmm how do I know it's working or not? 
16:47 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 16:48 < hagna_> ping from the client says operation not permitted but the server has RECEIVED PING PACKET in the log 16:55 < hagna_> oh nm when I switched back to tun0 on the client it worked 16:56 < reiffert> :) 17:02 < Kurogane> I have a problem in my vpn. the clients when connect to the vpn is working but i have 2 problems 17:03 < Kurogane> 1. a client can't ping on the ip node (10.10.0.1) give him TTL expired in transit. when say TTL expired in transit on vpn server give him a strange ip (is not setting in anywhere 10.192.68.x) and when ping the client happend the same but with other ip 10.192.68.x 17:03 < Kurogane> 2. if client ping other client give him the same error but only one client not have this problems the others yes. 17:04 < Kurogane> what you think causing this problem? here the config http://pastebin.com/d1b7e3fe8 17:14 < hagna_> how do you turn on ip_forward in freebsd? 17:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:15 < reiffert> hagna_: sysctl 17:16 < hagna_> reiffert: oh dang it is on hmm 17:17 < reiffert> Kurogane: can you please rephrase. Please make short sentences. So people can understand you. Thanks. 
17:17 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn 17:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:22 < hagna_> my setup is A -- B --(vpn)-- C 17:22 < hagna_> on A I ping C 17:22 < hagna_> packets seem to transmit but not return 17:23 < hagna_> forwarding is turned on on B the freebsd box 17:23 < hagna_> running pfsense 17:26 < reiffert> run tcpdump on B to see the packets travel 17:27 < reiffert> tcpdump -n -i en0 proto ICMP 17:27 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 110 (Connection timed out)] 17:30 < hagna_> reiffert: yep that's what is happening 17:30 < hagna_> tcpdump -n -i em3 proto ICMP shows icmp requests but not responses 17:30 < hagna_> also B has two nics and it's a bridge 17:30 < hagna_> em3 and em2 17:35 < reiffert> And B talks to C over the tun device? 17:36 < reiffert> Well, time to add some network addresses and masks, interfaces and such information for me then. 17:37 < hagna_> ok 17:37 < hagna_> 22:35:36.450273 IP 10.1.2.201 > 10.4.0.1: ICMP echo request, id 25424, seq 1, length 64 17:37 < hagna_> 22:35:37.450059 IP 10.1.2.201 > 10.4.0.1: ICMP echo request, id 25424, seq 2, length 64 17:37 < hagna_> is what I get with tcpdump -n -i tun0 proto ICMP 17:37 < hagna_> when I ping from B to C I get 17:37 < hagna_> 22:36:05.919415 IP 10.4.0.2 > 10.4.0.1: ICMP echo request, id 22888, seq 0, length 64 17:37 < hagna_> 22:36:06.141482 IP 10.4.0.1 > 10.4.0.2: ICMP echo reply, id 22888, seq 0, length 64 17:37 < hagna_> netmasks are all 255.255.255.0 17:38 < reiffert> k, show routing table of C. 17:38 < hagna_> how do you do that on freebsd? 17:38 < reiffert> netstat -nr 17:40 < hagna_> http://pastebin.com/d4667e200 17:40 < reiffert> allright. look. 
17:40 < reiffert> When C wants to send an answer it is going to send it to 10.1.2.201 17:41 < reiffert> but it doesnt know what to do with such a packet and sends it to its default gw 166.70.something 17:41 < hagna_> oh interesting 17:41 < reiffert> so what you need is a route back to B 17:42 < hagna_> ahh yes 17:43 < reiffert> btw, I cant find tun0 or 10.4.0.2 on your routing table. 17:44 < hagna_> reiffert: oh that's because the vpn is off 17:45 < reiffert> sigh. 17:45 < reiffert> :) 17:46 < hagna_> http://pastebin.com/d73fdc7d6 17:46 < reiffert> what you need is 17:46 < hagna_> a bigger monitor 17:46 < reiffert> push "route 10.1.2.0 255.255.255.0" in openvpn server config 17:46 < reiffert> and thats it 17:47 < hagna_> since I'm not using config files would I just route -net 10.1.2.0 255.255.255.0 gw 10.4.0.2 ? 17:54 < reiffert> route add -net ... 17:55 < reiffert> you'll need to do this whenever the tunnel comes up. 17:57 < Kurogane> lets try again i rephrase my question 17:57 < Kurogane> I have a problem, when clients are connected to the vpn works fine but I have 2 problems. 17:58 < reiffert> ok, understood. 17:58 < Kurogane> 1. Clients can not ping the vpn lan, if the client makes ping the vpn server in this case (10.10.0.1) shows an error "TTL expired in transit." That shows you an error when given ip 10.192.68.4 ping the server and that IP is not registered with the vpn. 17:58 < reiffert> stop. 17:58 < reiffert> sentence too long parse error. 17:58 < Kurogane> uh? 17:59 < Kurogane> my problem is too complex for simple words 17:59 < reiffert> what exactly is "the vpn lan"? 17:59 < Kurogane> the vpn ip? 17:59 < reiffert> IP or LAN? 18:00 < Kurogane> ip 18:00 < reiffert> So VPN Clients cannot ping the VPN-Server IP? 18:01 < Kurogane> yes and not, yes because give an answer not because reply TTL expired in transit. 
18:02 < reiffert> !configs 18:02 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:03 < Kurogane> http://pastebin.com/d1b7e3fe8 18:04 < reiffert> Server OS? 18:05 < Kurogane> Gentoo Linux 18:06 < reiffert> connect a client, then paste: 18:06 < reiffert> ifconfig -a 18:11 < Kurogane> http://pastebin.com/d5938e913 18:13 < Bushmills> TTL expired sounds like a loop to me 18:14 < reiffert> Bushmills: as you can see he is offering 10.10.1.2 to his client, but the client's IP address is 10.8.0.3 18:14 < reiffert> Kurogane: ifconfig -a <- run this on the openvpn server. 18:15 -!- edthefox [n=eddie@h42.79.22.98.dynamic.ip.windstream.net] has quit ["leaving"] 18:17 < Bushmills> can't see that. the DHCP server is 10.8.0.3, client and server are both 10.10.... 18:18 < Bushmills> ehm no. 18:18 < reiffert> Bushmills: you are wrong: http://pastebin.com/d5938e913 18:20 < Kurogane> http://pastebin.com/d28c7649a 18:20 < Bushmills> then, why is client ip address 10.8.xx while vpn net has a netmask of /24? 18:21 < Kurogane> Bushmills, huh? 18:22 < reiffert> Kurogane: what are you trying to do, talk to virtual machines? 18:22 < Bushmills> server is 10.10.x.x, pushed route is 10.10.x.0/24, client is 10.8.x.x. should that work? 18:23 < reiffert> Kurogane: http://pastebin.com/d1b7e3fe8 line: 8, 30 and 34: Change that from 10.10.x.x to 10.8.x.x restart the server 18:24 < Kurogane> Bushmills, no. i change the config previously 10.10.x.0/24 and now is 10.8.x.x/24 sorry for confused you 18:24 < reiffert> Kurogane: please, send us new !configs then 18:24 < Kurogane> i send you the good ones 18:25 < reiffert> http://pastebin.com/d1b7e3fe8 18:25 < reiffert> you need to adjust line 8, 30 and 34 in there. 18:27 < Kurogane> http://pastebin.com/d22d7e6bc 18:28 < reiffert> ok. 
now it looks like a working openvpn tunnel. 18:28 < reiffert> on the client enter: ping 10.8.0.1 ... works? 18:33 < Kurogane> is not works still give me TTL expired in transit 18:34 < reiffert> Kurogane: windows does not support topology subnet. 18:34 < reiffert> !/30 18:34 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 18:34 < reiffert> !topology 18:34 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 18:34 < Kurogane> but, i shutdown the modem (client) and restart a now it is work the causing is the dam..... modem 18:35 < Kurogane> not works? topology subnet? 18:37 < Kurogane> and that why i upgrade because i need host /24 because the default have openvpn is only /30 18:37 < reiffert> subnet -- Use a subnet rather than a point-to-point topology by configuring the tun interface with a local 18:37 < reiffert> IP address and subnet mask, similar to the topology used in --dev tap and ethernet bridging mode. This mode 18:37 < reiffert> allocates a single IP address per connecting client and works on Windows as well. Only available when serv- 18:37 < reiffert> er and clients are OpenVPN 2.1 or higher, or OpenVPN 2.0.x which has been manually patched with the --topol- 18:37 < reiffert> ogy directive code. When used on Windows, requires version 8.2 or higher of the TAP-Win32 driver. When 18:37 < reiffert> used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a 18:37 < reiffert> remote endpoint IP address. 18:38 < reiffert> Ah, sorry, I was wrong. 18:39 < Kurogane> so topology works in linux and windows 100%? 18:40 < reiffert> DOES IT WORK FOR YOU? 
18:40 < reiffert> woups 18:46 < Kurogane> yes, but i see is not work 100% is connect and ping now, but does not act as / 24 i can not see in LAN, as with tap device in there i can see in LAN 18:47 < Kurogane> and you asking why not use tap is because i have high lactency 18:48 < reiffert> Kurogane: sorry, but I dont understand your 2nd last sentence. 18:48 < Kurogane> what 2nd last sentence? 18:49 < Kurogane> lactency? 18:49 < Bushmills> lactose allergy? 18:49 < reiffert> that one: 18:49 < reiffert> 00:46 < Kurogane> yes, but i see is not work 100% is connect and ping now, but does not act as / 24 i can not see in LAN, as with tap device in there i can see in LAN 18:53 < Kurogane> the topology feature is create because tun have a problem to work in /24 host right? 18:57 < reiffert> No, because of windows not capable of point to point routes. 18:57 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has left ##openvpn ["Leaving"] 19:10 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 19:15 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has joined ##openvpn 19:16 < hagna> so client connects to server vpn how does the client map the server's subnet into ips that don't conflict with the client's subnet? 
19:29 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 19:55 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 20:24 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 20:40 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has quit [Read error: 110 (Connection timed out)] 21:53 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)] 21:56 -!- Kurogane [i=Kuro@190.53.8.79] has quit ["Saliendo"] 21:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 21:59 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 22:03 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 22:09 < rashed2020> Guys, can I have openVPN act as an extension to my local network? 22:09 < rashed2020> So that all connecting clients get an IP that's accessible by any of the local machines 22:34 < krzie> yes 22:34 < krzie> see this page i wrote up describing how 22:34 < krzie> !route 22:34 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 22:34 < krzie> that describes how to hookup lans on either side of the openvpn connection 22:34 < krzie> behind the server and behind the client 22:35 < krzie> you can even connect multiple lans 22:35 < rashed2020> klj 22:35 < rashed2020> I think I disconnected, so if someone answered my question could you please say it again 22:36 < krzie> i worked hard on that, please read the whole thing thoroughly 22:36 < krzie> you didnt disconnect, i just answered you 22:40 < rashed2020> Oh, great! Thank you. 22:42 < krzie> np =] 22:43 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)] 22:49 < rashed2020> krzie: Just one real fast question 22:49 < rashed2020> Wait, you wrote that page, right? So I can ask you something using the example on the page? 
23:00 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
23:03 < krzie> you could if i wasnt leaving, bbl
23:03 < krzie> ask it and ill answer later
23:09 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
23:20 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 110 (Connection timed out)]
23:41 < rashed2020> Nah, nevermind. I figured it out.
23:41 < rashed2020> Great howto. Thank you!
23:55 < krzee> np =]
23:55 < krzee> glad it helped you
--- Day changed Sat Mar 21 2009
00:30 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
01:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Client Quit]
03:33 < ecrist> evening, motha fuckas
03:37 < ecrist> krzee: I'm going to rewrite the routing page a bit tomorrow or sunday to be more generic and add some content. you can still claim it as yours, as most of the content will remain the same, but I'll be either adding content to describe redirecting the default gateway or adding a page and rewriting the routing page for compat with redirect of default gateway
04:00 -!- KSB [n=chatzill@77.223.78.76] has joined ##openvpn
04:00 < KSB> hello
04:01 < KSB> anyone try to run two VPN-servers on one machine? I run OpenVPN and MPD on the same machine, and they serve one subnet, does somebody do things like this?
04:01 < KSB> the problem is bridging between MPD and OVPN clients
04:01 < jpalmer> t/win 21
04:02 -!- KSB is now known as KpeHDeJIb
04:02 -!- lolipop [n=soontak@122.197.95.219.jb02-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
04:02 < reiffert> MPD?
04:03 < KpeHDeJIb> mpd, yes
04:03 < KpeHDeJIb> FreeBSD
04:03 < reiffert> that freebsd ppp vpnd?
04:03 < KpeHDeJIb> Multi-link PPP daemon
04:03 < KpeHDeJIb> for Windows-clients
04:06 < reiffert> bridging those adapters is pointless. those are point to point adapters.
04:07 < KpeHDeJIb> yes I know that it is PPP, but how can I route traffic between MPD-clients and OpenVPN-clients?
04:09 < KpeHDeJIb> for instance, I connect to the OVPN server from one machine and take IP 192.168.10.10, then I connect from another machine from Windows to MPD and take IP 192.168.10.2
04:09 < KpeHDeJIb> OVPN-client can ping server and Windows-client can ping server
04:10 < KpeHDeJIb> but when I try to ping each other - fail
04:10 < reiffert> put them in different subnets.
04:10 < KpeHDeJIb> hm, and route between subnets?
04:11 < reiffert> y
04:11 < KpeHDeJIb> oh, I didn't think about this...
04:11 < KpeHDeJIb> I can try, thx
04:11 < reiffert> Or - use openvpn on windows as well.
04:15 < KpeHDeJIb> the point is to use two VPN-servers, if only I could use OVPN on Windows-clients, but I can't, I'm not the person who takes decisions
04:16 < reiffert> security of mppp is bad.
04:16 < reiffert> You just need to capture 3 packets at connection and you can bruteforce on 3des md4.
04:17 < reiffert> at the start of the connection that is
04:17 < reiffert> So if you already run openvpn, it should be easy for the decision makers to switch windows to openvpn as well.
04:18 < reiffert> mac os x also comes with a nice openvpn GUI. windows as well.
04:18 < KpeHDeJIb> yes, maybe I can explain this to them, thx
04:19 < reiffert> can be configured with and without passwords.
04:19 < reiffert> so for those who like to type their password, just encrypt their key with their own password.
04:19 < KpeHDeJIb> ah, yes, I use username/password scheme
04:20 < KpeHDeJIb> and no certificates (
04:21 < reiffert> You should use certificates
04:22 < KpeHDeJIb> only ca.crt
04:23 < reiffert> no client certs?
04:23 < KpeHDeJIb> yes
04:24 < reiffert> well, no security then.
04:24 < KpeHDeJIb> yes
04:24 < reiffert> want security?
04:24 < KpeHDeJIb> this is one of my stupid requirements
04:25 < reiffert> "No security" or "use username + password"?
04:25 < KpeHDeJIb> username and password, and an external authentication script for OpenVPN
04:26 < KpeHDeJIb> because, and this is my favorite place, we can't let one person connect to both VPN-servers at one time
04:27 < reiffert> Use certificates and encrypt the certificate with their password.
04:28 < reiffert> however, you should use certificates and use an additional auth-user-pass-verify if you stick to user/pass.
04:30 < KpeHDeJIb> thx for advice
04:33 < reiffert> welcome
04:35 < reiffert> You are from Yekaterinburg?
04:35 < KpeHDeJIb> yes
04:36 < KpeHDeJIb> why are you asking?
04:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:36 < reiffert> What about the weather in that region, do you still have ice and snow?
04:37 < KpeHDeJIb> ) yes, some snow on the street
04:38 < reiffert> And how long will that weather last in spring? April?
04:41 < KpeHDeJIb> each time is different, for example last year at this time we had no snow or ice on the street
04:41 < KpeHDeJIb> and sry for my english, btw
04:43 < reiffert> Your english is quite good, at least I can understand you :)
04:45 < reiffert> Do people from your region already have asian style faces? Are there many asian lookalike people living in your city?
04:45 < KpeHDeJIb> but April is usually the month when the snow on the street disappears
04:47 < KpeHDeJIb> no, I see asian-like faces very rarely, usually at the China-market :)
04:47 < reiffert> Sounds like a short summer to me. What do people do during the short period of summer, go crazy?
04:48 < KpeHDeJIb> yes, we have a very short summer, and everyone wants to get vacation in this period, to go away from our country and get some rest )
04:50 < reiffert> People like to go away during summer? Do they travel to the northern regions then (to get more ice and snow)?
04:51 < KpeHDeJIb> btw the climate is quite hard, in the winter we have -40 C and in the summer we have +40 C
04:51 < KpeHDeJIb> :D no, of course not
04:52 < KpeHDeJIb> but usually our summer is cold, +40C is a rare temp
04:53 < KpeHDeJIb> and this is the reason why people fly away to some sunny places
04:54 < reiffert> it sounds like a crazy place to be.
04:55 < KpeHDeJIb> the climate is not our main problem ;)
04:55 < reiffert> heat-pipes during winter?
04:55 < reiffert> No girls?
04:56 < KpeHDeJIb> no we have lots of beautiful girls
04:56 < KpeHDeJIb> :)
04:59 < reiffert> thanks for the nice talk
04:59 < KpeHDeJIb> you are welcome
05:00 < KpeHDeJIb> ok, bye, I go to do my freaking job )
05:00 -!- KpeHDeJIb [n=chatzill@77.223.78.76] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"]
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
05:39 -!- boney [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Nick collision from services.]
05:44 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
07:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:58 -!- ctx144k_ [n=andre@p5B0DEE55.dip.t-dialin.net] has joined ##openvpn
07:58 < ctx144k_> hello all...
08:02 < ctx144k_> my openvpn-server will get a new ip-address tonight... how should i change the clients' remote-address? is there a way to give a fallback remote-address? if the first will not be active, the second will be used?
08:09 < reiffert> !man
08:09 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:09 < reiffert> check out --remote
08:11 < ctx144k_> thanks
08:38 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
08:40 < Snicks|TWw> hi, i'm trying to create a vpn-connection, using network-manager (ubuntu 8.10), i can't click the ok-button, so i should give more information, but which info is needed?
08:40 < CybDev> !logs
08:40 < vpnHelper> CybDev: "logs" is please pastebin your logfiles from both client and server with verb set to 6
09:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:48 < ecrist> ctx144k_: try using a domain name you can update, rather than an IP address
09:50 < reiffert> ecrist: and what about DNS TTL?
09:50 < ctx144k_> i'm trying 2 remote-values in my config...
09:50 < ctx144k_> i'll see tonight :)
09:50 < reiffert> ctx144k_: as far as I understand you will have to deploy new configs to every client, don't you?
09:51 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
09:53 -!- sunta49 [n=user@achilles.raytion.com] has joined ##openvpn
09:53 < sunta49> krzie or krzee
09:53 < sunta49> just passing by to say thx for your great tutorial ;)
09:54 < sunta49> hi to peru from germany
09:54 < ctx144k_> yes, i did
09:54 < ctx144k_> 90 clients with a new remote ip-address
09:54 < ctx144k_> and the old one as fallback....
09:55 < sunta49> !route
09:55 < vpnHelper> sunta49: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
09:55 < reiffert> ctx144k_: why not just deploy them a config with the new address?
09:55 < ctx144k_> i dont understand...
09:56 < reiffert> ctx144k_: when you have to hand a new config file to 90 clients, why don't you just put the new ip address into that config file?
09:57 < ctx144k_> i could download a default vpn.conf on every reboot... but it's too oversized... the changing of the server's ip should be configured every day
09:57 < ctx144k_> yes i did
09:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:57 < sunta49> !rout/dis
09:57 < vpnHelper> sunta49: Error: "rout/dis" is not a valid command.
09:57 -!- sunta49 [n=user@achilles.raytion.com] has quit ["Disconnecting"]
09:57 < ctx144k_> i created a new vpn.conf - and deployed it on the 90 clients
09:58 < ctx144k_> i'm ready with that
10:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:16 < roentgen> !route
10:16 < vpnHelper> roentgen: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:29 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:13 < krzee> that was very nice of sunta49
11:20 -!- ctx144k_ [n=andre@p5B0DEE55.dip.t-dialin.net] has quit ["Leaving"]
11:53 < reiffert> want a Kleenex?
12:26 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
12:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
12:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:56 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
13:05 -!- nemysis [n=nemysis@141-87.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
13:06 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn
13:06 -!- mepholic [n=what@hydra.weserv.in] has quit [Remote closed the connection]
13:34 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
13:38 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
14:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:16 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
15:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:46 < mjt> i wonder.. what's the IP address to use on the "other end" of the openvpn tun device -- the fake one?
15:47 < mjt> i don't have any dedicated network for openvpn, but use addresses that are on eth0 interfaces
15:48 < mjt> ie, the same on eth0 and openvpn -- that's on all ends.
15:59 < krzie> depends on your config...
16:02 < krzie> but if using a very standard config, with server 10.8.0.0, then server will be 10.8.0.1 and first client will be 10.8.0.6
16:02 < krzie> because of:
16:02 < krzie> !/30
16:02 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
16:07 < mjt> i've, say, 192.168.1.1/24 on eth0 on host1, and 192.168.2.1/24 on eth0 on host2
16:08 < mjt> and i'm using THE SAME addresses for the openvpn endpoints too
16:08 < krzie> bad call
16:08 < mjt> don't see why
16:08 < krzie> you understand routing?
16:08 < mjt> this way, each host has only one address
16:08 < mjt> sure
16:08 < mjt> well, i think i do, and guess it depends on what you mean.
16:08 < krzie> you saying that actually works?
16:09 < krzie> cause it sure as hell shouldnt
16:09 < mjt> it has worked for over 10 years already
16:09 < krzie> ok
16:09 < krzie> *shrug*
16:09 < mjt> and i don't see a single reason why it shouldn't
16:09 < krzie> you're using tun and not tap?
16:09 < mjt> well
16:09 < mjt> it really does not matter much
16:09 < mjt> both ways work
16:09 < krzie> *shrug* ok
16:09 < krzie> whats your question...?
16:09 < reiffert> well, not ok if you ask me.
16:09 < mjt> provided the rest of the config is ok
16:10 < mjt> heh
16:10 < krzie> reiffert i agree, but see no reason to argue
16:10 < krzie> lol
16:10 < krzie> if hes happy, fine by me
16:10 < mjt> but i am really interested. why the setup we have here shouldn't work.
16:10 < mjt> the above simple example
16:10 < mjt> with two /24 networks and two nodes
16:11 < mjt> why should it not work?
16:11 < reiffert> mjt: so you are saying that on host 1, eth0 and tun0 got 192.168.1.1?
16:11 < mjt> yes
16:11 < mjt> all ifaces have the same address.
16:11 < krzie> because your internal vpn network should be different than existing networks to not confuse the shit out of routing tables
16:11 < mjt> why should there be any confusion??
16:12 < reiffert> mjt: if you like to reach 192.168.1.100, how does host1 know if he has to send the frame to tun0 or to eth0?
16:12 < mjt> on host 1, network 192.168.1.0/24 gets routed to eth0 and ..2.0/24 to openvpn
16:12 < krzie> exactly
16:12 < mjt> ^^
16:12 < reiffert> krzie: well the question is, if arp who-has packets get out on both interfaces.
16:12 < mjt> damn
16:12 < mjt> well.
16:12 < krzie> reiffert hes saying tun
16:13 < mjt> there's no need to arp for the other network
16:13 < mjt> because it's not directly connected
16:13 < krzie> hes also saying host1 has vpn ip in .1.x and host2 has vpn ip of .2.x
16:13 < krzie> which is not possible
16:13 < mjt> trying to arp it means we have an error
16:13 < reiffert> then why does eth0 get an ip addr at all?
16:13 < mjt> why not possible??? :)
16:13 < krzie> because thats not how tun works...
16:13 < mjt> to be fair, there's no need to assign any address to any interface at all
16:14 < krzie> you're using ptp or server?
16:14 < krzie> how bout this mjt, show us your configs pls
16:14 < krzie> !configs
16:14 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:14 < mjt> internally, on linux at least, assigning 192.168.1.1/24 to eth0 means exactly 2 things:
16:14 < mjt> internally, on linux at least, assigning 192.168.1.1/24 to eth0 means exactly 2 things:
16:14 < mjt> 1) making the host recognize the single address as its own, to answer pings etc
16:15 < krzie> pete and repeat were on a boat, pete fell off... who was still on the boat?>
16:15 < mjt> and 2) to add a single line to the routing table saying that the rest of the /24 should arp on eth0
16:15 < mjt> for 1), that address is not associated with eth0
16:15 < reiffert> krzie: the driver
16:15 < krzie> lol reif
16:15 < reiffert> mjt: paste ifconfig -a as well
16:16 < mjt> well, that'd be long
16:16 < krzie> mjt, back to my real question, whats your question?
16:16 < mjt> we have about 50 hosts here
16:16 < reiffert> just do it
16:16 < reiffert> and while being there, netstat -nr
16:16 < krzie> since you're saying everything works, i think this conversation has no point
16:16 < reiffert> argh.
16:16 < mjt> if you want it, i can make a simple 2-host config on a pair of virtual machines for that
16:16 < krzie> or is something not working as expected?
16:17 < mjt> well, i had one question, more academical. but now i'm curious why you guys don't understand such a simple thing as routing...
16:17 < krzie> lol
16:18 < krzie> i wrote the comprehensive doc on openvpn routing, and i know reif knows all of it too
16:18 < krzie> but sure, we dont get it ;]
16:18 < mjt> i'm serious
16:18 * reiffert is too
16:19 -!- onats [n=onats@unaffiliated/onats] has quit [Success]
16:19 < mjt> both understand `ip addr add' and `ip route add' commands, right?
16:19 < mjt> on linux
16:19 < krzie> i dont use linux, but im pretty sure i get the point
16:19 < krzie> <-- bsd guy
16:19 < mjt> ok
16:19 < mjt> so lemme paste something...
16:19 < krzie> paste this...
16:19 < krzie> !config
16:19 < vpnHelper> krzie: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
16:19 < reiffert> equal to me, linux >> bsd
16:19 < krzie> err
16:19 < krzie> !configs
16:19 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:20 < reiffert> and ifconfig eth0 tun0, netstat -nr
16:20 < mjt> no, i refuse to paste configs for those systems
16:20 < mjt> i'll sanitize things first
16:20 < krzie> ok then whats our conversation actually going to lead to?
16:20 < reiffert> meanwhile ...
16:20 < krzie> you wanted to know the endpoint for your first client
16:20 < reiffert> anyone into racedriving?
16:20 < krzie> which cant be answered without your config file
16:20 < krzie> reif, im gunna build my new nfs today!
16:21 < krzie> dual core amd64 with 4x1.5TB drives in fbsd8 ZFS raidz
16:21 < krzie> and 8GB ram
16:23 < reiffert> I'm lying down with a terrible cold, watching 12h sebring while trying to migrate a php webserver to a fastcgi+php webserver
16:23 < reiffert> hardware raidcontroller?
16:23 < krzie> nah bro, ZFS raidz
16:23 < krzie> filesystem raid
16:24 < krzie> check out zfs, its fucking sweetness
16:24 < reiffert> heard of it, no native zfs on linux
16:24 < krzie> still experimental in fbsd, but i been using it for a yr and stay up to date about it on the freebsd-current maillist
16:24 < krzie> ya its only on solaris, opensolaris, freebsd, and osx
16:25 < reiffert> osx? together with macfuse or native on 10.5?
16:25 < krzie> native read only on 10.5 i THINK, 10.6 they'll get it crackin better
16:25 < krzie> 10.6 is only for improving already existing features from 10.5
16:26 < krzie> ie: making EVERYTHING even network stack and whatnot shared across cores and stuff
16:26 < reiffert> time to get some jobs to get some new hardware, I'm on ancient stuff like 1200Mhz PPC and AMD Athlon 32bit
16:26 < krzie> hehe
16:26 < Bushmills> reiffert, hot lemon with slivovitz tends to help me with those colds
16:26 < krzie> ya i have first gen macbook pro and an old ass amd 2400+ currently
16:27 < krzie> so that amd is getting replaced by amd dual core 64bit, since ZFS really really wants 64bit
16:27 < mjt> http://pastebin.com/m115538f3 -- here
16:27 < krzie> and ill stop using my laptop as my primary desktop
16:27 < krzie> oh, and i grabbed a 42" sharp aquos to be my new monitor
16:27 < krzie> =]
16:27 < reiffert> Bushmills: it looks like I'm suffering from a virus, I doubt alcohol will fight the virus down, but Ute already got me some honey and ginger-tea
16:28 < krzie> #
16:28 < krzie> ifconfig 10.0.1.1 10.0.2.1
16:28 < krzie> #
16:28 < krzie> route 10.0.2.0 255.255.255.0 # why openvpn does not understand /24?
16:28 < krzie> #
16:28 < krzie> ifconfig-push 10.0.2.1 10.0.1.1
16:28 < krzie> #
16:28 < Bushmills> during my munich stay i liked to serve hot apfelkorn
16:28 < krzie> push "route 10.0.1.0 255.255.255.0"
16:28 < krzie> there we go
16:28 < krzie> you arent using 192.x for internal vpn ips
16:28 < krzie> told you so!
16:28 < mjt> s/10.0/192.168/g
16:28 < Bushmills> deadly stuff
16:28 < mjt> less typing
16:29 < krzie> lol
16:29 < krzie> whatev
16:29 < krzie> these configs arent even real *ignores*
16:29 < krzie> plus its ptp, very different than anything i was talking about
16:29 < krzie> i was talking about server
16:29 < mjt> add one more client
16:29 < mjt> and it will be server
16:30 < krzie> negative
16:30 < mjt> and here will be my question
16:30 < mjt> ok
16:30 < krzie> ptp setup doesnt do 3 ways
16:30 < krzie> and doesnt have clients
16:30 < krzie> or servers
16:30 < krzie> just 2 peers
16:30 < mjt> exactly
16:30 < mjt> so what's the p2p addy to use? ;)
16:30 < mjt> here was my first question ;)
16:30 < Bushmills> mjt, that's the proverbial pearls for pigs, as you discovered that those guys know zilch about routing anyway
16:30 < krzie> on 1 side its 10.0.1.1, on the other its 10.0.2.1
16:31 < Bushmills> :P
16:31 < mjt> yes
16:31 < krzie> and there will be no 3rd side
16:31 < krzie> if you want to use 3, need server statement instead, and need to use a diff network for internal vpn stuff
16:31 < mjt> false
16:31 < krzie> Bushmills you have a clue what you're talking about?
16:31 < krzie> mjt, ok... proive me wrong
16:31 < krzie> prove
16:31 < Bushmills> routing .. hmm .. that's what people use a GPS for ?
16:32 < mjt> 00:29 < krzie> these configs arent even real *ignores*
16:32 < mjt> how?
16:32 < krzie> that is NOT a full config file
16:32 < krzie> just some bs you whipped up for the sake of argument, not what was asked for
16:32 < mjt> ok
16:32 < mjt> moment.
16:32 < krzie> but anyways, its a moot point
16:33 < krzie> cause now i know its ptp
16:33 < krzie> ptp you can do what we said you couldnt, but you cant have a 3rd peer
16:33 < krzie> without another openvpn instance at least
16:33 < krzie> cause theres no server
16:33 < Bushmills> krzie, think so. i forgot the ... tags
16:34 < krzie> if you want more than a peer to peer, you need to use server/client setup and use a separate network for internal vpn
16:34 < krzie> Bushmills, ahh
16:34 < krzie> ;]
16:34 < reiffert> or several openvpn instances.
16:35 < reiffert> plus some interesting algorithm to get from one "client" to another.
16:35 < mjt> http://pastebin.com/m608a9eb7
16:36 < krzie> if you can push routes in ptp that would handle that, but could potentially get ugly to manage
16:36 < mjt> 3 hosts, with server
16:36 < mjt> so 3rd peer
16:36 < krzie> just use the server statement, will make your life easier
16:37 < krzie> !sample
16:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:37 < mjt> my question was about how to choose that fake p2p address... academical question, i wanted some network that's unroutable now and in the future... ;)
16:37 < reiffert> http://speed.edgeboss.net/wmedia-live/speed/8999/300_speed-lms_video_1_050720.asx
16:38 < vpnHelper> Title: American Le Mans SeriesAmerican Le Mans SeriesAmerican Le Mans Series (at speed.edgeboss.net)
16:38 < reiffert> for the flash guys: http://almsacura.globalmediaservices.tv/
16:39 < vpnHelper> Title: SpeedTV (at almsacura.globalmediaservices.tv)
16:39 < mjt> krzie: --server introduces that fake openvpn network, -- exactly the thing i don't see a reason to have...
16:39 < reiffert> and the live timings http://www.americanlemans.com/index_live.php
16:42 < mjt> krzie: so can you explain why you think p2p can't have a 3rd peer?
16:43 < krzie> its peer to peer
16:43 < mjt> and?
16:43 < krzie> not peer to peers
16:43 < mjt> it's the interface which is p2p
16:43 < krzie> thats how it was made...
16:44 < mjt> so you refuse to make your points?
16:44 < mjt> or for proof you need my real configs?
16:44 < krzie> lets just put it this way, if you're doing it im happy for you
16:45 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
16:45 < mjt> well, you're here telling people how to do things. And you're telling them wrong. And refuse to describe why you're saying what you say?
16:45 < mjt> that's nice of you.
16:45 < mjt> and selfish.
16:46 < krzie> all docs ive read say im right
16:46 < krzie> which is what i go by
16:46 < mjt> openvpn docs?
16:46 < krzie> the manual + howto
16:46 < mjt> yeah
16:46 < reiffert> mjt: erm, I think you've made it to one corner of a possible configuration, are you proposing to send all people into that corner?
16:46 < krzie> if you made it work differently than they say it works, im happy for you and surprised
16:47 < krzie> as for me, ill point people to the solutions the developers intended
16:48 < mjt> krzie: do you have a good understanding of how routing works on bsd? Because i want to understand if linux is different here or it's just that only very few people understand these things (so that there's no docs)
16:48 < krzie> (as i have been for over a yr or 2 now)
16:49 < krzie> standard routing, sure... i dont use any special routing protocols or anything as i have yet to have a need for them
16:49 < krzie> i havnt dug into the code or anything, but ive accomplished everything ive set out to do
16:49 < mjt> what i have in mind is the p2p *interface* (not necessarily related to openvpn), or, rather, the "peer" address of it (like ifconfig foo 1.2.3.4 pointopoint 4.3.2.1)
16:50 < mjt> what it is used for in routing in bsd
16:52 < krzie> route add -host 1.2.3.4 4.3.2.1
16:52 < mjt> to make a long story short. I had a p2p tunnel between two hosts, and i always used the same IP addresses on eth0 and on the p2p iface as i described above (not openvpn, pure p2p, think ppp). And once I had to move one endpoint to another host, but wasn't able to reconfigure the remote end.
16:52 < krzie> you're using such a nonstandard setup i may not be of much help, as i thought it wouldnt work in openvpn
16:52 < mjt> so it was 10.0.0.5 on my end, both ppp and eth0. And i had to move it to a machine with ip 10.0.0.9.
16:53 < krzie> im more accustomed to what the developers had in mind
16:53 < mjt> obviously i wasn't able to assign .5 on my end of ppp on that new machine, because that way the real .5 would be inaccessible.
16:53 < krzie> you say what you're doing works, so im happy for you on that, but i sure didnt expect it to work
16:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
16:54 < mjt> so i assigned .9 to it. the other end was thinking we had .5 here, but we didn't, we had ANOTHER machine with .5.
16:54 < mjt> and on the other end.. i pinged .5, and it.. worked.
16:54 < mjt> and i started thinking why.
16:54 < krzie> see how much easier it would be to just use server with an internal vpn network and a correct routing setup? :-p
16:54 < krzie> !route
16:54 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:55 < krzie> why you're against using openvpn as the devs intended is beyond me, do you expect to gain some sort of security from doing it that way?
16:57 < mjt> the thing is, for the remote, the endpoint (.5) meant NOTHING. It sent packets to the tunnel without saying it meant to send them to .5 as on an ethernet segment (nexthop). our end didn't know to which nexthop the remote sent it either - it just was receiving packets destined for a given IP and routed them - .5 to another machine on the ether segment etc.
16:58 < mjt> but ok
16:58 < krzie> so your setup didnt work as intended at all times...? im shocked
16:58 < mjt> i think it's not interesting to you
16:58 < mjt> it was
16:58 < reiffert> just go on, I'm still reading.
17:00 < mjt> blah. rc15 now warns me about missing --keepalive for server.
17:00 < mjt> but --keepalive does not work correctly for a server with a static ip.
17:01 < krzie> how so?
17:02 < mjt> in case a ping went w/o reply i want the server to "close" the connection with the client instead of looping forever filling logs with connection-retries.
17:03 < krzie> ahh, keep-alive expands to have ping-restart
17:03 < krzie> its doing what it should
17:03 < mjt> --keepalive expands to --restart, i need --exit
17:03 < krzie> but there is an option for what you want, lemme find it for ya
17:03 < krzie> !man
17:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:03 < mjt> man openvpn works ;)
17:03 < krzie> sure does, but im at work
17:04 < mjt> aha, here we go
17:04 < mjt> --server example in the manpage
17:04 < krzie> --ping-exit n
17:04 < mjt> yes
17:04 < krzie> openvpn [options...] --inactive 3600 --ping 10 --ping-exit 60
17:04 < krzie> when used on both peers will cause OpenVPN to exit within 60 seconds if its peer disconnects, but will exit after one hour if no actual tunnel data is exchanged.
17:05 < mjt> lol
17:05 < mjt> 01:03 < mjt> --keepalive expands to --restart, i need --exit
17:05 < mjt> i meant --ping-exit and --ping-restart
17:05 < krzie> cool, so you know what you want
17:05 < mjt> openvpn complains that --keepalive is missing in the server config
17:05 < mjt> and THAT i don't want ;)
17:05 < krzie> just ignore the complaint... it still runs doesnt it...?
17:06 < mjt> sure
17:06 < mjt> heh
17:06 < krzie> its there for those who know less than you
17:06 < mjt> looks like i'm not good at describing things...
17:06 < krzie> you know enough to ignore that
17:07 < mjt> and here for my first question -- see --server in the manpage. be it net30 or p2p (note p2p here for a server - it's for something, you said p2p is only 2 peers)
17:08 < krzie> --server implies it is NOT ptp
17:08 < mjt> --topology p2p, and the interface is POINTOPOINT (it's the flag, in all caps)
17:08 < mjt> can you say why 10.8.0.2 is used here?
17:08 < mjt> do you see it's 100% fake and dead?
17:08 < krzie> !/30
17:08 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
17:09 < krzie> explained in detail there
17:09 < krzie> first link
17:09 < krzie> can be avoided with:
17:09 < krzie> !topology
17:09 < vpnHelper> krzie: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:09 < mjt> krzie: it's not a question from someone who does not understand it.
17:09 < mjt> i'm asking if YOU understand it ;)
17:09 < krzie> can you say why 10.8.0.2 is used here?
17:09 < krzie> do you see it's 100% fake and dead?
17:09 < krzie> yes, and i pointed to the explanation
17:10 < krzie> it was only done that way as a hack around lame windowsness
17:10 < krzie> as explained in http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html
17:10 < vpnHelper> Title: New subnet topology feature ready for testing: msg#00020 network.openvpn.devel (at osdir.com)
17:10 < krzie> til they found a better way and made topology subnet
17:11 < mjt> lame windowsness. ok, that's a good explanation
17:11 < krzie> i gave links
17:11 < mjt> yeah
17:11 < krzie> i dont need to repeat them
17:11 < mjt> that's a good explanation, and i mean that, no sarcasm
17:12 < mjt> because now i understand that the things i'm doing here aren't quite possible on 'doze
17:12 < mjt> hence, i think, all the docs say to use "traditional" ways, compatible with doze.
17:13 < krzie> makes sense
17:13 < mjt> i've seen that message when looking at the topology thing about a week ago
17:13 < mjt> that your message that is
17:13 < mjt> was trying to understand why it looked so.. hackish, so to say
17:14 < mjt> (still in my browser cache :)
17:14 < krzie> hehe
17:16 < mjt> "If all O/S would have supported true PtP links over the tun interface, this could have been done with the OpenVPN server using only one IP address and each client using another IP address."
17:16 < mjt> that's what i'm using here
17:17 < krzie> gotchya
17:17 < mjt> and it really does not matter if that one ip address is also used on eth0 or even lo (if it's not 127/8)
17:17 < mjt> ok
17:18 < krzie> welp, that explains why i never seen your setup used
17:18 < krzie> and i think you found the answer to your question as well
17:18 < krzie> so everyones happy
17:18 < mjt> heh yeah ;)
17:19 < krzie> except reif, hes still sick =/
17:20 < reiffert> I'm fine, watching a heavy weight boxing match and 12h of sebring at the same time
17:20 < mjt> krzie: what i really wanted after seeing your replies/suggestions is just to bring this stuff to your attention. That one-IP-per-host-doesn't-matter-if-used-elsewhere.
17:20 < mjt> and my question went unanswered. but it's academical anyway.
17:21 < krzie> watching the gomez fight?
17:21 < reiffert> yep
17:21 < reiffert> klitschko doesnt look well, much too defensive in the 1st 3 rounds
17:21 < krzie> yup i got it on too
17:22 < reiffert> still open end, I think fitness will decide
17:22 < reiffert> s,,endurance,
17:22 < krzie> klitschko was a HUGE favorite too
17:23 < krzie> like - 8 dollars
17:23 < mjt> hmm. I can use anything from 127/8 for that fake address.
17:24 < reiffert> let's estimate time differences between you and me, I'm at 1:22
17:24 < reiffert> 1:20
17:24 < reiffert> :15
17:24 < reiffert> 1:10
17:24 < krzie> 6:20ish here (pm)
17:24 < reiffert> 1:00
17:24 < krzie> im on EST right now
17:24 < reiffert> the fight round timer ...
17:24 < reiffert> 0:30
17:25 < reiffert> 0:20
17:25 < krzie> ohhh
17:25 < krzie> lol
17:25 < reiffert> 0:10
17:25 < krzie> 20
17:25 < krzie> (im on satellite)
17:25 < reiffert> 0
17:25 < reiffert> I'm on satellite as well
17:25 < krzie> 0
17:26 < krzie> you got a few seconds on me
17:26 < reiffert> approx. another 10 secs, more than I was expecting (2-3s)
17:26 < krzie> and less than a sec of lag between us
17:26 < krzie> ... CTCP PING reply from reiffert: 0.996 seconds
17:28 < mjt> btw, is there a way to call real `route' or `ip' command but without using script?
17:28 < mjt> instead of using the wrapper provided by --route
17:29 < mjt> (why not script is -- when it all is in one config file it's easier to understand)
17:29 < krzie> by without using script, you mean without calling an external script, or without using the wrapper?
17:30 < krzie> (or both)
17:30 < mjt> there are 2 ways to set up routes: using --route and using --up script and doing it all there
17:30 < mjt> (or both)
17:30 < krzie> i believe ive seen what you want
17:31 < mjt> when using --up all the stuff is within that script, not visible from the config
17:31 < krzie> lemme give a look in a min
17:31 < krzie> its busy here for a min
17:31 < mjt> but --route is very limited wrapper... ;)
17:31 < mjt> and if there's quite some routes to set up, it all becomes somewhat clumsy. maybe just for me who used openvpn for a few days only.
17:33 < mjt> and oh, i've one more question too. Which probably should go to the mailinglist -- I asked it here already...
17:33 < reiffert> without a vpn subnet?
17:33 < mjt> hmm?
17:33 < mjt> ah
17:34 < mjt> well, it makes no difference really - imagine there are many clients with their own LANs, so all the routes have to be specified anyway.
17:34 < reiffert> SCNR
17:34 < krzie> !factoids search route
17:34 < vpnHelper> krzie: 'winroute', 'iroute', 'router', and 'route'
17:34 < mjt> !router
17:34 < vpnHelper> mjt: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
17:34 < mjt> lol
17:34 < reiffert> krzie: That round was close to a KO for both.
17:35 < reiffert> krzie: worth watching next rounds.
17:35 < mjt> !winroute
17:35 < vpnHelper> mjt: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
17:37 < mjt> krzie: you know the code a bit? Where it decides that it does not know the destination IP address in a packet it just read from the tun device and discards it? I want it to return ICMP host unreach or something in that case instead of dropping the packet.
17:41 < krzie> i sure dont
17:41 < krzie> =/
17:42 < krzie> what i was looking for was the limit for adding routes
17:42 < krzie> !factoids search limit
17:42 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
17:42 < krzie> there it is!
17:42 < krzie> but i guess thats for pushing routes, maybe not for adding them
17:45 < krzie> looks like the up script may be what you gotta settle for, i cant find the option im looking for right now
17:47 < mjt> there was some other option?
17:48 < mjt> route-up, route-method
17:48 < krzie> i coulda sworn i saw a way to specify how to add the routes, but i may have been thinking of this
17:48 < krzie> --route-noexec
17:48 < krzie> Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables.
17:49 < krzie> which isnt what you want
17:49 < krzie> --route-method is for windows
17:49 < mjt> well, that's too much attention for mere 'cosmetic' thing, i think
17:50 < krzie> agreed
17:50 < mjt> nothing wrong with --up script
17:50 < krzie> i think an up script is the best
17:50 < krzie> yup
17:51 < krzie> hey look at that, we agreed!
17:51 < krzie> ;]
17:52 < mjt> ;)
17:53 < mjt> "WARNING: 'ifconfig' is present in local config but missing in remote config" -- that's just because it didn't --pull ;)
17:53 < mjt> looks like i'll go patch all those warnings again.
17:53 < mjt> just too much noise in logs.
17:55 < krzie> --ifconfig-nowarn
17:56 < mjt> aha!
17:56 < krzie> --disable-occ
17:56 < krzie> Don't output a warning message if option inconsistencies are detected between peers. An example of an option inconsistency would be where one peer uses --dev tun while the other peer uses --dev tap.
17:57 < mjt> that --ifconfig one is really useful
17:57 < mjt> thanks!
17:57 < mjt> so far all its warnings are false alarms here.
18:02 < krzie> np
18:02 < krzie> ya they're useful for new users using standard setups
18:04 < mjt> like --keepalive one? :)
18:04 < krzie> exactly like that
18:05 < mjt> or new (in rc14) --script-security warning (3 variants of it) which cant be turned off at all? :)
18:05 < krzie> ya that ones important, many peoples stuff breaks because of that new feature
18:06 < krzie> (until they add --script-security that is)
18:06 < mjt> it already logs a warning when it actually comes to execution of a script
18:07 < mjt> no need to warn beforehand, "just for sake of warning"
18:07 < mjt> (i had to patch the whole thing out)
18:10 < ecrist> evening, fuckers
18:10 < mjt> heh
18:10 < mjt> before it was "kids". Now its something else. what next ? :)
18:11 < ecrist> usually it's fuckers or bitches
18:11 < ecrist> kids comes out when I'm either tired or not feeling well. ;)
18:11 < krzie> lol
18:11 < krzie> g'evening
18:11 < krzie> im finally back to the island, now im paying for the length of my vacation
18:11 < krzie> it was a lil bit extended
18:12 < ecrist> lol
18:12 < krzie> (stayed gone 2 months instead of 1)
18:12 < mjt> hmm
18:12 < mjt> !router
18:12 < vpnHelper> mjt: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them
18:13 < krzie> every factoid on that bot comes from needing to be said (usually many times)
18:13 < krzie> lol
18:13 < mjt> so openwrt guys package openvpn with logging turned off by default?
18:13 < ecrist> krzie: when will you fix my bot access?
18:13 < krzie> "please post your logs" "i dont have any"
18:13 < krzie> sorry ecrist, ill get to it soon i promise
18:14 < krzie> mjt, they need to, very small filesystem cant handle logs
18:14 < krzie> it logs nothing
18:14 < mjt> ever heard of logrotate or busybox's in-memory log buffer?
18:14 < krzie> prolly doesnt even run syslog at all
18:14 < mjt> it does
18:14 < ecrist> mjt: it's still a performance hit, regardless
18:15 < reiffert> nextversion openwrt comes with in-memory buffer logs.
18:15 < krzie> mjt, i dunno man... i dont use any of that stuff... i just know that its common that people running that asking for help dont have logs til i say !router
18:15 < mjt> i use it (openwrt) here and hacked kernels for it before...
18:16 < mjt> (but not used openvpn - only vtun, -- which I modified quite a lot before too, when it was with Max still)
18:16 < krzie> mjt, then we'd likely never need to type !router at you
18:17 < mjt> ;)
18:18 * ecrist goes to play CoD
18:18 < krzie> cash on delivery!
18:18 < reiffert> ecrist: 4 or 5?
18:19 < mjt> i wonder why explicit-exit-notify does not work... looking at the code again...
18:20 < krzie> heh, i somehow never saw that option before
18:21 < mjt> the server never notices the client has quit even if explicit-exit-notify is set.
18:22 < krzie> and you're using udp, right?
18:22 < mjt> yes
18:23 < krzie> no ideas here
18:23 < mjt> the server receives the packets (both, as i used 2 for notify)
18:23 < krzie> quitting with CTRL C, kill -9?
18:23 < krzie> or like ping-exit
18:23 < krzie> ahh so they are sent
18:23 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
18:31 < mjt> so it really should be --up. because of this:
18:31 < mjt> ERROR: Linux route delete command failed: could not execute external program
18:32 < mjt> (that's because it's chrooted and run as user - it will not be able to modify routes anyway)
18:32 < krzie> that would be --down, but will still have the same problem
18:33 < krzie> unless you give the user access to it, or call sudo from within the script and give the user access that way
18:33 < mjt> if i use --route it has the above problem
18:33 < mjt> so the solution is to use --up instead of --route
18:33 < krzie> it'll still have that problem
18:33 < mjt> no
18:33 < krzie> well kinda
18:33 < mjt> it will not error out in logs
18:33 < mjt> which is the only prob
18:33 < krzie> it wont attempt to delete the routes
18:33 < krzie> oh ok
18:34 < krzie> then correct
18:34 < mjt> routes will be deleted automatically together with interface.
18:34 < mjt> like malloc'ed memory with the process ;)
18:35 < krzie> ahh ok, you're using dynamic interfaces =]
18:35 < mjt> no
18:36 < krzie> if the interface gets removed on exit you are
18:36 < krzie> (static would be made with openvpn --mktun)
18:36 < mjt> yup
18:38 < mjt> and so i need something in-between verb 0 and verb 1.
18:38 < krzie> the warnings are that much of a bother? dont they only occur on connect?
18:39 < mjt> to log connects/disconnects but not all the other cruft (reusing/lzo initialized)
18:39 < mjt> when they connect/disconnect all the time... ;)
18:40 < krzie> ahh, i take it you log to syslog and tail your syslogs...?
18:40 < krzie> i could see it being annoying in that situation
18:40 < mjt> that or just search for particular events and what was around them
18:40 < mjt> and WARNING and ERROR in logs scares me
18:41 < mjt> my eyes are trained to be able to catch those in a log being cat'ed onto the screen.. ;)
18:41 < krzie> haha
18:41 < krzie> i dont actually get any warnings
18:41 < krzie> but i use very standard style setups
18:41 < krzie> (as we went over earlier, lol)
18:42 < krzie> in fact !sample is from me, but dummied down a lil)
18:42 < mjt> heh
18:42 < mjt> . o O { Dummied down }
18:42 < mjt> i like that "term"
18:43 < mjt> (english isn't my native language)
18:48 < krzie> ahh, you speak it well
18:48 < mjt> don't tell me how i *speak* it as you don't know.. and believe me, you really don't! :)
18:48 < mjt> lol
18:49 < krzie> well you type it well *shrug*
18:49 < mjt> (i don't know how to pronounce half the words)
18:49 < mjt> ;)
18:49 < krzie> those of us that spend too much time online usually just call it talking although it is typing
18:50 < krzie> but your spelling and grammar are better than many native english speakers on IRC
18:56 < mjt> heh thanks. Some time ago when I was new on IRC it was difficult for me to understand what others say, esp. various shorthands (ur a here). So I was thinking that my statements are also difficult to understand, and tried to use accurate language... ;)
18:57 < mjt> lol.
18:57 < mjt> --up ip route add foo bar baz #
18:57 < mjt> the `#' at the end to stop `ip' from recognizing the stuff passed by openvpn :)
18:58 < mjt> (actually doesn't work)
18:58 < krzie> nope, gotta toss it into a script
18:58 < krzie> good try tho
19:01 < mjt> heh
19:01 < mjt> it works
19:01 < mjt> has to be in quotes
19:01 < krzie> ahh
19:01 < mjt> --up "foo bar baz #"
19:01 < krzie> i had tried something similar before and it didnt, i guess i never tried quotes
19:02 < krzie> duly noted
19:02 < krzie> you may not need the # with the quotes
19:02 < mjt> without # it passes all the rest as described in man for --up
19:03 < mjt> ..in which case all OpenVPN-generated arguments will be appended to cmd to build a command line which will be passed to the shell.
19:04 < mjt> the # gets interpreted by the shell.
19:05 < krzie> werd
19:07 < mjt> and it wont work on windows! :)
19:08 < krzie> ya no ip command hehe
19:08 < krzie> and # may not be a windows comment, dont remember
19:08 < krzie> but --route will work ;)
19:08 < krzie> then again, most your setup doesnt work on windows anyways
19:09 < krzie> so why stop now!
19:12 < mjt> eh. so now i see why using 127.something for that fake p2p "endpoint" IP didn't work.
19:13 < mjt> ..because --route is not able to specify the device and by default 'lo' was used.
19:13 < mjt> now it all works.
19:14 < mjt> i used 127.1.2.3 (arbitrary) for the ovpn `endpoint' on the server (instead of 10.8.0.2 as in --server example in the manpage)
19:15 < mjt> and routed all the client networks "via" it
19:15 < mjt> fun.
19:17 < mjt> 192.168.1.0/24 via 127.3.2.1 dev vrgs src 10.77.240.9
19:17 < mjt> (the key word was `dev' which --route does not provide)
19:18 < mjt> heh.
19:18 < mjt> --up accepts an inline script too
19:18 < krzie> the string *dev* doesnt even appear in bsd manpage for route
19:19 < mjt> --up "for r in 1/2 3/4 5/6; do ip route add $r via $ifconfig_remote dev $dev; done #" (don't forget #)
19:19 < mjt> it can't be.. lemme look at it...
19:19 < mjt> hmm
19:19 < krzie> well its easy to tell, /dev and no matches
19:19 < mjt> i used to avoid /30 networks on real ethernet, and it worked on freebsd too
19:20 < mjt> ip addr add $foo/32 dev eth0; ip route add $gw/32 dev eth0; ip route add default via $gw
19:20 < krzie> oh bleh
19:20 < krzie> -interface
19:20 < krzie> hehe
19:20 < mjt> yeah
19:21 < mjt> route [-v] [-A family] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W] [irtt I] [reject] [mod] [dyn] [reinstate] [[interface] If]
19:21 < krzie> helps when i look for the right string ;]
19:23 < mjt> so in terms of route.. route add -host $gw dev eth0; route add default gw $gw
19:23 < mjt> er s/dev/interface/
19:24 < krzie> s/dev/-interface/
19:24 < mjt> linux accepts all 3 forms it seems
19:24 < mjt> ok it's enough for today -- it's 03:24 here already, night
19:25 < krzie> gnite
19:25 < mjt> thank you for my good mood! bbl
19:25 < krzie> haha, later
19:26 * krzie enters ecrist's game and shoots him, then leaves the game
19:26 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Nick collision from services.]
19:27 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
19:43 < ecrist> sup guys
19:44 < ecrist> reiffert: world at war
19:44 < krzie> just recovering from learning about mjt's setup, you
19:44 < krzie> ?
19:45 < ecrist> lots of people cheating with lag switches tonight
19:45 < krzie> cheaters!
19:45 < ecrist> world at war is smart enough to end the game when it detects it, so in the last couple hours, I've only been able to complete about 4 matches. all the others exited due to 'poor connection quality to the host'
19:47 < ecrist> sweet, my mn tax return came in last night
19:47 < ecrist> extra $1200 in the bank. :D
19:47 < krzie> why cant it just boot the offender...?
19:48 < krzie> 1200, sweet!
19:48 < ecrist> the only system a lag switch works for is the one hosting the game. if you boot the host, the game is over.
19:48 < krzie> thats 10 1.5 TB hds
19:48 < ecrist> xbox live
19:48 < krzie> oh i see
19:48 < ecrist> a host is randomly chosen at the start of a match
19:48 < krzie> i dont play games so im not savvy to that
19:49 < ecrist> my backup server has 2 750GB drives in mirror, all I need.
19:49 < krzie> im tossing 4 1.5's into my NFS tonight
19:49 < krzie> (into my new nfs)
19:50 < ecrist> I don't have anything in which I need that much space.
19:50 < ecrist> my two macs back up to a single 250GB drive
19:52 < ecrist> now, the backup server at work is a sexy beast, IMHO
19:52 < ecrist> 12x500GB SATA2 drives in RAID 60
19:52 < ecrist> faaaaast
19:54 < krzie> hrm never seen a 60
19:54 < krzie> seen a 50
19:54 < ecrist> fucking sweet. Theo et al finally pulled their heads out of their asses and made chroot part of base openssh.
19:54 < krzie> but i get the idea
19:54 < krzie> 6/0
19:54 < ecrist> 60 is a 50 with an extra parity drive
19:54 < krzie> ahh gotchya
19:54 < krzie> that makes me wrong then, lol
19:55 < krzie> so its striped 5's with an extra parity-only drive...?
19:55 < ecrist> bye bye to our proprietary ssh server.
19:55 < ecrist> right, RAID 5 is a stripe with one parity. RAID 6 is a stripe with 2 parity.
19:56 < ecrist> and RAID 0 is a stripe, put it together, you've got two RAID 6s striped together, each with two parity drives.
19:56 < ecrist> essentially, I can lose 4 disks, simultaneously out of the 12, and still be operational.
19:56 < krzie> hardcore
19:56 < ecrist> did I mention it's fast?
19:57 < krzie> nope, but you mentioned its faaaaast
19:57 < ecrist> price tag for that box was just this side of $11k
19:57 < ecrist> much of that was the ass-raping for 'universal sata drives' from dell.
19:57 < ecrist> :\
19:58 < ecrist> they won't sell just the hot-swap caddy. gotta buy a drive with them. 500GB SATA2 drives were $350 each, or so.
19:58 < ecrist> boss didn't seem to care, so why should I? :)
20:04 < krzie> for sure
20:04 < krzie> and you KNOW that data is safe
20:04 < krzie> short of a fire
20:04 < krzie> (or something similar)
20:04 < ecrist> we do off-site backups for that.
20:04 < krzie> then again with that kinda onsite backup im sure you have offsite too
20:04 < krzie> hehe exactly
20:10 < ecrist> well, I'm out. going to party tonight. ttyl8r
20:11 < krzie> sweet, have fun
20:14 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
20:20 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Read error: 113 (No route to host)]
20:29 -!- mepholic [n=what@hydra.weserv.in] has joined ##openvpn
21:01 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
21:49 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has joined ##openvpn
21:50 < hagna> so if the vpn client is not the gateway of the lan how do the other machines on the lan know how to route across the vpn for the remote?
21:51 < hagna> I'll assume one remote in this case
21:53 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has joined ##openvpn
21:56 -!- jpalmer [n=jpalmer@about/windows/regular/jpalmer] has quit [Client Quit]
22:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
22:24 < krzie> !route
22:24 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
22:24 < krzie> see the bottom
22:24 < krzie> under the picture
22:39 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
22:56 -!- hagna [n=hagna@71-219-31-133.slkc.qwest.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sun Mar 22 2009
01:54 -!- znoG [n=gs@host167.190-31-166.telecom.net.ar] has quit [Read error: 60 (Operation timed out)]
01:56 -!- znoG [n=gs@host24.190-226-185.telecom.net.ar] has joined ##openvpn
04:14 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
04:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:35 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
05:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:02 -!- podman99b [n=keith@93-96-160-18.zone4.bethere.co.uk] has quit []
05:22 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:29 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn
05:29 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection]
05:29 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
07:12 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
07:13 < reiffert> Bushmills: might be interesting for you as well:#
07:13 < reiffert> I got a public root server with a public /29 net. I was bridging eth0 and tap0 to br0 and connecting a client (my laptop)
07:14 < reiffert> now my laptop got a public IP address
07:17 < reiffert> Is this possible without bridging and redirect-gateway?
07:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:52 < ecrist> morning folks
08:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:17 < reiffert> hi ecrist
08:19 < ecrist> morning, reiffert
08:26 -!- waxman [n=cfluegel@static.88-198-83-123.clients.your-server.de] has joined ##openvpn
08:26 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
08:27 -!- waxman [n=cfluegel@static.88-198-83-123.clients.your-server.de] has left ##openvpn [":q"]
08:51 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:12 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Connection timed out]
10:13 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has joined ##openvpn
10:14 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
10:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
10:31 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
11:07 -!- scott_ [i=scott@207.126.166.46] has joined ##openvpn
11:07 < scott_> I can seem to connect to the openvpn but then I'm unable to surf the internet
11:07 < scott_> What could cause this?
11:09 < Bushmills> scott_, your inability to read topic
11:09 < scott_> Firewall is disabled
11:09 < Bushmills> try the "route" bit
11:10 < scott_> this was being tested on a dedi serv
11:10 < scott_> !route
11:10 < vpnHelper> scott_: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
11:10 < Bushmills> scott_, try http://scarydevilmonastery.net/masq
11:11 < scott_> thx
11:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:13 < scott_> hrmm
11:13 * scott_ activates ip forward
11:14 < scott_> i'm using push "redirect-gateway" so I can use the vpn to connect out to anywhere I want
11:14 < ecrist> scott_: you'll need proper NAT set up as well
11:15 < scott_> Yeah I'm nat'ing the vpn ips 10.x.x.x over the external interface
11:15 < scott_> and the vpn interface "tun0" I'm allowing everything on it
11:15 < scott_> I can connect I even get assigned a 10.x.x.x ip
11:16 < scott_> just cant connect to anything afterwards
11:16 < Bushmills> server masq config, extremely likely
11:16 -!- scott_ [i=scott@207.126.166.46] has quit [Read error: 131 (Connection reset by peer)]
11:16 -!- scott_ [i=scott@gotpot.org] has joined ##openvpn
11:17 < scott_> just loaded the firewall up again
11:17 * scott_ connects again
11:20 < scott_> newp even still
11:20 < scott_> deny's my internet's
11:22 < ecrist> scott_: sounds to me like your NAT is broken
11:24 < scott_> eouch
11:24 < scott_> nat on $ext from $vpn_net to any -> ($ext)
11:25 < scott_> $vpn_net="10.x.x.x/24'
11:25 < scott_> $vpn_net="10.x.x.x/24"
11:27 < ecrist> looks like pf, freebsd?
11:28 < ecrist> can you post your configs?
11:28 < scott_> yep
11:28 < scott_> sure
11:28 < scott_> just a sec
11:28 < scott_> what my pf.conf/openvpn.conf?
11:33 * scott_ tries to get them rdy
11:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:39 < ecrist> scott_: openvpn configs
11:39 < ecrist> hey krzee
11:39 < krzee> hey man!
11:51 < scott_> damn
11:51 < scott_> this is not working
11:52 < krzee> you might need to be more specific...
11:53 < scott_> getting my configs to pastebin.ca
11:53 < krzee> should be easy
11:53 < scott_> i know
11:53 < scott_> lol
11:53 < krzee> !configs
11:53 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:53 < scott_> I'm going to re-read the example server.conf before I post
11:53 < krzee> hehe
11:56 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 60 (Operation timed out)]
11:59 < scott_> i followed http://www.ubergeek.co.uk/blog/2008/05/openvpn-freebsd-pf-windows-howto/
11:59 < vpnHelper> Title: OpenVPN on FreeBSD with PF and Windows XP Howto | Ubergeek Technical Howtos' (at www.ubergeek.co.uk)
11:59 < scott_> same exact conf
12:00 < scott_> only i didnt use the route option
12:04 < krzee> funny i find myself not wanting to go to the walkthrough site
12:06 < ecrist> !freebsd
12:06 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
12:07 < scott_> thx
12:11 < scott_> yeah i've done that
12:11 < scott_> I can connect I get my 10.x ip but I cant go anywhere
12:11 < scott_> no websites or nothing'
12:12 < krzee> lol
12:12 < krzee> theres the prob!
12:12 < scott_> \?
12:12 < scott_> cant have 10.x ip?
12:13 < krzee> sure you can
12:13 < krzee> but your vpn is fine
12:13 < krzee> you are redirecting gateway
12:13 < krzee> right?
12:13 < scott_> yes
12:13 < krzee> you enabled ip forwarding?
12:13 < krzee> turned on NAT on your server?
12:13 < scott_> yes
12:13 < scott_> yes
12:13 < krzee> you sure...?
12:14 < scott_> positive
12:14 < krzee> its not in the walkthrough
12:14 < scott_> I'm using pf for nat
12:14 < krzee> err wait ya it is
12:14 < scott_> and sysctl net.inet.ip.forward
12:14 < scott_> thats set to 1
12:15 < scott_> Now i'm trying to vpn from my windows box to my fbsd server (vpn)
12:15 < krzee> !configs
12:15 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:15 < scott_> I installed the .exe of the openvpn copy'd the keys/client config
12:15 < krzee> i dont care bout the walkthrough, i wanna see yours
12:16 < scott_> and it connects just no internet
12:16 * scott_ will have to email to self then post
12:16 < krzee> ssh in?
12:16 < krzee> copy paste?
12:17 < scott_> server.conf
12:17 < scott_> http://pastebin.ca/1368184
12:17 < ecrist> scott_: there is a freebsd port, pastebinit
12:19 < krzee> hah didnt know that
12:19 < scott_> both server/client config http://pastebin.ca/1368186
12:19 < krzee> push "redirect-gateway"
12:19 < krzee> !def1
12:19 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:19 < krzee> !pushdns
12:19 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
12:20 < scott_> ehrmm
12:20 < scott_> so my push dns / gateway I need to fix?
12:21 < krzee> well
12:21 < krzee> to push dns you need a script as described in the link
12:22 < krzee> for the pushing gateway, you should use def1 if you want it to have inet after tunnel is killed
12:22 < krzee> also, ifconfig-pool-persist ipp.txt will NOT make the client have a static ip
12:22 < krzee> its more of a suggestion
12:22 < krzee> if that matters to you
12:22 < krzee> !iporder
12:22 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice).
12:25 < scott_> do i need to push the dns?
12:25 < ecrist> you may
12:26 < ecrist> more than likely
12:38 < krzee> is 207.126.166.43 a dns server?
12:40 < krzee> connect to your vpn, then ping 74.125.45.100
12:40 < krzee> does it work?
12:42 < mjt> btw, what's the `Use --client-config-dir file' method? How exactly does it work? :)
12:43 < mjt> in !iporder
12:43 < krzee> !ccd
12:43 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:43 < mjt> or, rather, which directive(s) is it looking for?
12:44 < mjt> that !iporder really talks about ALL client-specific settings, not about just IP address(es).
12:45 < mjt> (--ifconfig-pool is one exception)
12:45 < mjt> i know only one directive to assign an ip address to a given client (without pool) -- it's ifconfig-push (probably misnamed). Are there others?
12:46 < krzee> umm 12:46 < krzee> no, it talks about ip addresses 12:46 < krzee> but in !ccd you can use much more 12:46 < krzee> read about it in !man 12:46 < krzee> !man 12:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 12:47 < mjt> read it many times in last few days ;) 12:48 < mjt> so --ifconfig-push and --ifconfig-pool are the only options right? I mean, there's no way to assign an IP but not push it -- something like --peer-ip foo ? 12:51 < krzee> The following options are legal in a client-specific context: --push, --push-reset, --iroute, --ifconfig-push, and --config. 12:51 < krzee> thats from --client-config-dir in the manual 12:52 < krzee> so, right 12:52 < krzee> well 1/2 right 12:52 < krzee> you cant push ifconfig-pool 12:52 < krzee> but ya ifconfig-push is what you were looking for 12:56 -!- bandini [n=bandini@host81-105-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 13:08 < scott_> sorry was on the phone 13:08 * scott_ scrolls up 13:08 < scott_> krzee: yes that .43 ip is the dns server ip 13:09 < scott_> krzee: connecting to the vpn allows me to ping nothing or surf to nothing 13:09 < scott_> krzee: I need to still fix the redirect-gateway 13:12 < krzee> ya but that wont be your problem 13:13 < krzee> im thinking its something to do with your nat 13:13 < krzee> check if the nat rule is getting hit 13:17 < scott_> hrmm 13:18 < scott_> I use PF/FreeBSD and I have the following nat rule with vpn="tun0" as the vpn interface and ext="em0" has the external interface 13:18 < scott_> nat on $vpn from $vpn_net to any -> ($ext) 13:18 < scott_> I even changed $vpn to $ext 13:18 < scott_> vpn_net="10.x.x.x/24" 13:18 < scott_> Ip.forwarding is active 13:19 < scott_> do I need to activate hte box to act as a gateway asweLL?\ 13:24 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 13:24 < scott_> I'm 
using def1 for redirect-gateway 13:24 < scott_> but its using the cable connection and not the server's connection 13:25 < krzee> client log at verb 6 please 13:25 < scott_> just a sec 13:27 < scott_> woah 13:27 < scott_> alotta info 13:28 < krzee> yup 13:29 < scott_> what info you looking for in there 13:29 < krzee> i want everything from start to connect completed 13:29 < krzee> like completely completed 13:30 < scott_> http://pastebin.ca/1368249 13:30 < scott_> there u go 13:30 < krzee> !mitm 13:30 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 13:31 < krzee> !winroute 13:31 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 13:31 < krzee> try route-method exe 13:31 < krzee> in client config 13:32 < krzee> which windows ya using? 13:32 < scott_> vista 13:32 < krzee> eww 13:32 < krzee> !factoids search vista 13:32 < vpnHelper> krzee: No keys matched that query. 13:32 < krzee> try route-method exe 13:34 < scott_> hrmm 13:36 < krzee> then tell me if you still get ROUTE: route addition failed errors 13:36 < krzee> oh dude 13:36 < krzee> you're starting openvpn as admin right 13:36 < krzee> ? 13:37 < scott_> ok 13:37 < scott_> so I used the remote-method 13:37 < scott_> now no internet 13:37 < scott_> and the dns isn't being used 13:37 < krzee> remote-method? 
13:37 < krzee> route-method
13:37 < scott_> yeah
13:38 < scott_> thats what I meant
13:38 < krzee> and i didnt ask about internet
13:38 < scott_> route-method exe
13:38 < krzee> i asked if that error was still present
13:38 < scott_> in the log?
13:38 < krzee> yes
13:39 < krzee> just paste the log again with verb 6
13:39 < krzee> after adding that entry
13:39 < scott_> no no route errors
13:39 < scott_> I will paste anyway
13:41 < krzee> haha my neighbor started blasting music in spanish
13:41 < scott_> http://pastebin.ca/1368260
13:41 < krzee> (i live in a spanish speaking country)
13:41 < krzee> now he knows who has the louder sound system
13:41 < scott_> ahh
13:41 < scott_> hahahahaha
13:41 < krzee> ping 74.125.45.100
13:41 < krzee> from client
13:42 < krzee> routes were added right this time
13:42 < krzee> Sun Mar 22 14:34:03 2009 us=192340 TEST ROUTES: 2/2 succeeded len=1 ret=1 a=0 u/d=up
13:42 < krzee> Sun Mar 22 14:34:03 2009 us=192386 route ADD 207.126.166.42 MASK 255.255.255.255 192.168.1.1
13:42 < krzee> OK!
13:42 < scott_> let me reconnect
13:43 < scott_> yes I can ping it
13:43 < krzee> show me:
13:44 < krzee> cat /etc/resolv.conf
13:44 < krzee> oh wait its windows
13:44 < krzee> lol
13:44 * scott_ nods
13:44 < scott_> lol
13:44 < krzee> !pushdns
13:44 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns
13:44 < krzee> see the link
13:44 < krzee> you now only have a dns problem
13:44 < krzee> you can manually override dns to be 4.2.2.1 and it will work
13:45 < krzee> or
13:45 < krzee> if you are pushing
13:45 < krzee> goto a command prompt
13:45 < krzee> net stop dnscache
13:45 < krzee> net start dnscache
13:45 < krzee> (that can be run from a script that you tell openvpn to run)
13:46 < scott_> i did
13:46 < scott_> and on nslookups I'm getting bad error valure
13:46 < scott_> value
13:46 < krzee> go make it 4.2.2.1
13:47 < scott_> whose dns server is that?
13:47 < krzee> make that your dns server
13:47 < krzee> manually in tcp/ip options
13:48 < krzee> bigboy-2:~ Jeff$ whois 4.2.2.1
13:48 < krzee> OrgName: Level 3 Communications, Inc.
13:48 < krzee> NameServer: NS1.LEVEL3.NET
13:48 < krzee> NameServer: NS2.LEVEL3.NET
13:49 < krzee> its an easy to remember, open to the world, recursive dns server
13:49 < krzee> its been up for many yrs
13:52 < scott_> damn
13:52 < scott_> so when I connect to the vpn
13:52 < scott_> I cant access my other internal boxes at home where I connect from
13:52 < scott_> ?
13:55 < krzee> !route
13:55 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
14:00 -!- bandini [n=bandini@host81-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
14:27 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has joined ##openvpn
15:20 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
15:22 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has quit [Remote closed the connection]
15:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:42 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
16:01 -!- onats__ [n=onats@122.53.131.243] has joined ##openvpn
16:09 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 145 (Connection timed out)]
16:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
16:33 < krzie> scott_ howd !route help ya?
16:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:38 -!- brimstone [n=brimston@pdpc/sponsor/digium/brimstone] has joined ##openvpn
16:38 < brimstone> !route
16:38 < vpnHelper> brimstone: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:39 < brimstone> heh, i was just skimming that
16:39 * brimstone goes back to read it completely
16:41 < krzie> lol
16:42 < reiffert> :)
16:42 < brimstone> in the example on the page, what's the server's "server" line?
16:43 < krzie> that doesnt come into play until under the picture, then i assumed it was server 10.8.0.0 255.255.255.0
16:44 < krzie> 192.168.2.1 must know that for 192.168.1.x 192.168.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 192.168.2.10...
16:44 < brimstone> right right
16:44 < krzie> "for example, 10.8.0.x" means it would be server 10.8.0.0 255.255.255.0
16:45 < krzie> the only thing that matters is its not = to any of the lans
16:45 * brimstone goes off to tinker with stuff for a bit
16:45 < krzie> (or other clients)
16:46 < krzie> the manual / howto uses 10.8.0.0 because its basically never used
16:47 < krzie> so i use the same for the same reason (and to be less confusing)
16:47 < krzie> hey ecrist
16:48 < krzie> i see you linked something at the end of my writeup
16:48 < krzie> that guy scott earlier had that exact error mentioned in the link
16:48 < krzie> it was fixed easy by route-method exe
16:50 < krzie> ahh i see people in comments mention that too in that link
16:59 < krzie> there, i changed the caveats section
17:00 < krzie> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing#Caveats
17:00 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
17:01 < krzie> that error is new with vista, but xp was known to have the same problem with a diff error msg, which was and is fixed by !winroute
17:01 < krzie> !winroute
17:01 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
17:03 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)]
17:05 -!- znoG [n=gs@host24.190-226-185.telecom.net.ar] has quit [Read error: 110 (Connection timed out)]
17:17 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
17:42 < scott_> hrmm
17:42 < scott_> sigh
17:42 < scott_> still no internet
18:10 < krzie> you already proved you had internet
18:10 < krzie> the ping worked
18:10 < krzie> no DNS you mean
18:13 < brimstone> ok, so, i seem to be missing something simple
18:14 < brimstone> i have a vps with a static public address, and 2 clients on dynamic public addresses, one of these clients is the router for a LAN i'd like all vpn machines to access
18:15 < brimstone> i can setup a simple routed vpn and push routes to the hosts, but i can't seem to expose the LAN of one of the clients correctly
18:15 < brimstone> thoughts?
18:16 < krzie> brimstone 2 things
18:16 < brimstone> only 2? wow
18:16 < krzie> 1) the lans do NOT use the same subnet, right?
18:16 < krzie> ie: both are not 192.168.0.x
18:17 < brimstone> the vpn subnet and the client subnet are different
18:17 < krzie> theres more than 1 client, theres also a server
18:17 < krzie> NONE are the same, right?
18:17 < brimstone> nope
18:17 < scott_> krzie: I want to use my vpn's internet
18:17 < scott_> krzie: not my own internet
18:18 < krzie> scott_ after we fixed your route problem, you could ping
18:18 < krzie> that was through the vps inet
18:18 < krzie> but your dns wasnt working
18:18 < krzie> i thought we figured that out hours ago
18:18 < krzie> brimstone, ok...
18:18 < scott_> krzie my dns server does work tho
18:19 < krzie> brimstone: so heres #2... the client who is the router for its lan works for routing the lan, but the client who is not does not
18:19 < krzie> am i correct?
18:19 < brimstone> krzie: right, one client is the router for the lan, the other client is just a simple node on the vpn behind a linksys router or something
18:21 < krzie> ok
18:21 < krzie> !route
18:21 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
18:21 < krzie> see right under the picture
18:22 < krzie> ROUTES TO ADD OUTSIDE OF OPENVPN
18:22 < scott_> when I go to whats my ip i get my own ip addy and not the vpns
18:22 < scott_> :(
18:23 < krzie> you need to add a route to its router telling it that for every lan you want to communicate with, including vpn network, it must send packets to the vpn node
18:23 < krzie> scott_
18:23 < krzie> !configs
18:23 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:23 < krzie> !logs
18:23 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6
18:24 < krzie> (scott, not brimstone)
18:26 < krzie> brimstone, to see whats happening currently, read ROUTES TO ADD OUTSIDE OF OPENVPN again
18:26 < krzie> i give a step by step of why its not working for you
18:26 < krzie> and 2 ways to fix it
18:26 < krzie> the easy way and the bitch of a way
18:26 < brimstone> alright, thanks
18:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:32 < scott_> krzie: http://pastebin.ca/1368548
18:33 < scott_> dev tun damn maybe it should be dev tun0
18:39 < scott_> I'm connected to the vpn now and it seems the dns lookups go through the vpn
18:39 < scott_> but not the web traffic
18:41 < krzie> that makes less than no sense
18:41 < krzie> show me client's route print
18:42 < scott_> hrmm
18:44 < krzie> cause...
18:44 < krzie> Sun Mar 22 19:20:56 2009 us=408643 route ADD 0.0.0.0 MASK 128.0.0.0 10.249.20.5
18:44 < krzie> OK!
18:44 < krzie> Sun Mar 22 19:20:56 2009 us=527462 route ADD 128.0.0.0 MASK 128.0.0.0 10.249.20.5
18:44 < krzie> OK!
18:44 < krzie> that means it successfully redirected gateway
18:44 < krzie> and if it hadnt, your dns wouldnt go over vpn without another route entry
18:45 < krzie> unless that link i looked at earlier was right and route-method exe just made it ACT like it worked
18:45 < krzie> when you show me route print ill know
18:45 -!- brimstone is now known as Brimstone
18:45 -!- Brimstone is now known as brimstone
18:47 < scott_> krzie: http://pastebin.ca/1368559
18:47 < scott_> i'm still using route-method exe
18:48 < krzie> i know, if you werent youd be getting that error
18:49 < scott_> ah
18:50 < krzie> your routing table looks right to me
18:50 < krzie> try removing def1 and reconnecting, i wanna see it then
18:50 < krzie> then gimme the same info
18:52 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn
18:53 < scott_> hrmm
18:53 < scott_> it will not work
18:53 < scott_> without def1
18:53 < krzie> it should
18:53 < krzie> def1 only changes how it does it
18:53 < krzie> !def1
18:53 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:54 < scott_> when i add def1 what info do you want? the clients route print?
18:54 < krzie> what wont work is getting out to the inet after shutting down openvpn
18:54 < krzie> unless it can add the route back
18:54 < krzie> which it should be able to since you arent dropping perms
18:54 < brimstone> ooh! i think i have it working
18:55 < bn43> hi - I've been working on this for hours now - when I start openvpn on my ubuntu box, it asks me for auth username and password - no matter what i do client fails but server passes
18:55 < bn43> I'd like to know what I'm doing wrong pls
18:55 < scott_> flag removed restarted openvpn
18:55 < scott_> now i will reconnect
18:56 < krzie> bn43, how are you starting it?
18:56 < krzie> im guessing networkmanager
18:56 < bn43> /etc/init.d/openvpn start
18:56 < scott_> ok reconnected
18:56 < scott_> wow dns still going over vpn
18:56 < krzie> bn43, as root?
18:57 < bn43> i followed http://www.thebakershome.net/?q=node/56
18:57 < bn43> yes
18:57 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net)
18:57 < scott_> I can't access web-traffic tho
18:57 < krzie> bn43 why would it want a password, you using some sort of PW auth?
18:58 < scott_> and I cant access any boxes on my own lan
18:58 < bn43> I suppose it has to do with me doing "./build-key-pass username" ?
19:00 < bn43> I've added a client.conf in /etc/openvpn to test if client can login - this is where I'm getting stuck
19:00 < bn43> even tried this from a windows client
19:01 < bn43> this is so frustrating! I think I'm almost there!
19:02 < bn43> krzie: when I do ./build-key-pass username - I use that username when asked for Auth Username right?
19:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
19:08 < krzie> only if you want your keys locally password protected
19:08 < krzie> i personally never do that
19:11 < brimstone> you can also stuff the keys in a p12 so you can change the passwords without rebuilding the keys
19:16 < bn43> aaaargh! I did not do the client.conf file properly - left a character out - fixed and now no errors!
19:17 < bn43> next issue - copied the client.conf across to the config folder on windows machine and renamed extension to .ovpn
19:17 < bn43> um sorry its 2:15 in the morning here - not thinking lucidly
19:18 < bn43> should I be copying the clients crt, csr and key file to the windows machine too?
19:19 < krzie> separate client?
19:19 < bn43> yeah
19:20 < bn43> now I'm testing with an external machine - loaded the openvpn gui
19:20 < bn43> um - exits with error saying cannot load certificate file
19:20 < krzie> if its a different client, give it a different key
19:21 < krzie> and csr is a request, only needed on the CA
19:21 < krzie> (for adding to a CRL if ever needed)
19:22 < bn43> now I'm confused - I created a test user and tested locally via client.conf file on my ubuntu box
19:22 < bn43> now I want to move this user to an external box
19:22 < bn43> which is a windows box
19:22 < brimstone> krzie: thanks for your help, i got it all sorted out and working
19:22 < brimstone> this is exciting!
19:23 < krzie> np =]
19:23 < bn43> when I say created, I did this via ./build-key-pass username
19:23 < bn43> where username=test1
19:28 < krzie> cool
19:32 -!- brimstone [n=brimston@pdpc/sponsor/digium/brimstone] has left ##openvpn ["WeeChat 0.2.6"]
19:37 < krzie> in the howto it tells you which files go to the client machine
19:37 < krzie> in fact it says which files go in each machine
19:37 < krzie> !howto
19:37 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:42 < krzie> !factoids search file
19:42 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
19:42 < krzie> heh, ignore that
20:03 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"]
20:19 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
20:27 < scott_> sorry lost my internets
20:28 < scott_> krzie: so what can I do?
20:40 < krzie> http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/
20:40 < vpnHelper> Title: OpenVPN GUI on Windows Vista skriptd (at skriptd.wordpress.com)
20:41 < scott_> Yeah I have it installed etc
20:41 < scott_> I have all the certs copied over
20:41 < krzie> umm no
20:41 < krzie> you're using 2.0.9
20:42 < krzie> try 2.1_rc15
20:42 < krzie> http://openvpn.net/release/openvpn-2.1_rc15-install.exe
20:43 < scott_> hrmm
20:44 * scott_ downloads
20:47 < scott_> installed
20:47 < scott_> connected
20:47 < scott_> same result
20:49 < scott_> ahh
20:49 < scott_> cant access my lan
20:49 < scott_> or internet
20:49 < krzie> you havent set up anything for accessing the lan yet
20:49 < krzie> and i still believe the problem has to do with NAT for internet
20:49 < scott_> christ
20:50 < krzie> because your routes are being added
20:50 < krzie> as we proved
20:50 < krzie> did you remove def1 and give me a link to your route print?
20:50 < krzie> if so i missed it
20:51 < scott_> mmm i'll do it again
20:59 < scott_> damnit
21:00 < scott_> http://pastebin.ca/1368669
21:00 < scott_> there http://pastebin.ca/1368669
21:12 < scott_> so what you think?
21:19 < krzie> i think your machine now has NO route to the internet (besides its gateway (192.168.1.1) and the vpn machine (207.126.166.42)
21:19 < scott_> krzie: you're right it was a nat issue
21:19 < krzie> so ANY inet traffic is going over the vpn
21:19 < scott_> I now have internet
21:19 < scott_> and whats my ip shows the vpn ip
21:20 < krzie> thats why its first part of the topic ;]
21:20 < scott_> I just cant access my own lan tho
21:20 < krzie> go add def1 back now that you fixed that
21:20 < scott_> oh ok
21:20 < krzie> for accessing your lan, you do diff stuff
21:20 < krzie> you shouldnt be able to yet
21:20 < krzie> !route
21:20 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:20 < scott_> Ok so we keep def1 now ?
21:21 < krzie> !def1
21:21 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:21 < krzie> we always wanted def1
21:21 < krzie> i just had you remove it so i could say this:
21:21 < krzie> your machine now has NO route to the internet (besides its
21:21 < krzie> gateway (192.168.1.1) and the vpn machine (207.126.166.42)
21:21 < krzie> so ANY inet traffic is going over the vpn
21:21 < krzie> but yes, you always wanted def1
21:22 < scott_> ok
21:22 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
21:23 * scott_ adds def1 back and reads the route
21:23 < krzie> dont need to read anything
21:23 < scott_> oh
21:23 < scott_> I need to add any routes
21:23 < krzie> ohhh
21:24 < krzie> duh right
21:24 < krzie> the !route
21:24 < krzie> my bad
21:24 < krzie> you definitely need to read that, lol
21:24 < krzie> bbiaf
21:24 -!- Dralspire [n=dral@unaffiliated/dralspire] has joined ##openvpn
21:26 < scott_> thanks again
21:27 < Dralspire> I have been reading like a crazy monkey about redirect-gateway with the standard .conf files. Is there a reason why standard gateway and DHCP server are pushed as 10.8.0.5 with those standard files?
21:40 < krzee> huh?
21:40 < krzee> ohh
21:40 < krzee> well gateway is obvious
21:41 < krzee> it IS called redirect-gateway
21:41 < krzee> BUT
21:41 < krzee> !def1
21:41 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:41 < krzee> and for dhcp... i think you are talking about the problem where dhcp requests go over the tunnel and get lost...
21:41 < krzee> !dhcp
21:41 < vpnHelper> krzee: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
21:41 < krzee> so you want redirect-gateway bypass-dhcp def1
21:42 < krzee> if i understood your problem right
21:42 < krzee> would have been an easy find in the manual, harder in google
21:42 < krzee> scott_, no problem
21:45 -!- Dralspire [n=dral@unaffiliated/dralspire] has quit [Nick collision from services.]
21:51 < scott_> hrmm
21:51 < scott_> I added the push
21:51 < scott_> still no work
21:51 < scott_> maybe just maybe hrmm
21:55 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:02 < krzee> read the whole thing
22:02 < krzee> thoroughly
22:03 < krzee> before you ask ANYTHING about it
22:03 < scott_> I did
22:03 < scott_> I want to use push/route before I do iroute configs
22:03 < scott_> for diff clients etc
22:04 < krzee> hah
22:04 < krzee> this isnt an and/or type of thing
22:05 < krzee> it MUST be done a certain way to work
22:05 < krzee> !iroute
22:05 < vpnHelper> krzee: "iroute" is: does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
22:06 < scott_> ahh i see
22:06 * scott_ changes some settings
22:07 < scott_> !ccd
22:07 < vpnHelper> scott_: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
22:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
22:22 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
22:28 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
22:42 < scott_> hrmm
22:46 < scott_> krzee: still around?
23:18 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
23:19 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)]
23:23 -!- mepholic_ [n=what@67.159.9.139] has joined ##openvpn
23:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
23:28 -!- mepholic [n=what@hydra.weserv.in] has quit [Nick collision from services.]
23:28 -!- mepholic_ is now known as mepholic
23:28 < krzee> just ask your ?
23:29 < krzee> others here know as much as me about openvpn as well
23:29 < krzee> im in and out, building some computers
23:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
23:47 < scott_> krzee: Ok here is my setup OpenVPN (FreeBSD / Dedi Serv) and a Win2k3 Serv (VPN @ home) how can I vpn to the openvpn box and still access my win2k3 serv at home ?
23:50 < krzee> whats the home lan?
23:51 < krzee> for lan behind server its just a push route in server config
23:51 < scott_> 192.168.249.0
23:51 < krzee> push "route lan_subnet 255.255.255.0"
23:51 < krzee> so...
23:51 < krzee> push "route 192.168.249.0 255.255.255.0"
23:51 < scott_> now the lan isn't on the vpn server
23:51 < krzee> dude
23:52 < krzee> i made that !route writeup for a reason
23:52 < krzee> its an iroute and a push route
23:52 < scott_> with a ccd config?
23:55 < scott_> damn can't do openvpn or regular vpn at the same time
23:57 < scott_> !iroute
23:57 < vpnHelper> scott_: "iroute" is: does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
23:57 < scott_> i've been doing the same thing over and over
--- Day changed Mon Mar 23 2009
00:05 -!- mepholic_ [n=what@66.90.73.234] has joined ##openvpn
00:06 < krzee> !insanity
00:06 < vpnHelper> krzee: "insanity" is doing the same thing over and over expecting different results
00:06 < krzee> LOL
00:07 < krzee> if you dont have it by tomorrow ill help
00:07 < krzee> but im busy for now
00:07 < krzee> putting together computers with a girl waiting impatiently in my bed
00:07 < krzee> (and shes not a wife / girlfriend / serious)
00:11 < scott_> I see
00:11 * scott_ needs it for work tomo
00:11 < scott_> I think i'ma have a win2k box in the dc that'll make things much easier..
00:12 -!- mepholic [n=what@67.159.9.139] has quit [Read error: 113 (No route to host)]
00:12 < scott_> krzee: thx for the support & time tho been really helpful
00:12 < scott_> gn ppl
00:13 -!- scott_ [i=scott@gotpot.org] has left ##openvpn []
00:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
01:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
01:13 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
01:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
02:23 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
03:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:44 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
03:44 < joelsolanki> !route
03:44 < vpnHelper> joelsolanki: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
03:44 < joelsolanki> Hi all
03:45 < joelsolanki> i have few vpn setups already running and i use push route for accessing lan and that works good.
03:45 < joelsolanki> but right now i have some different scenario
03:45 < joelsolanki> push "route 192.168.1.0 255.255.255.0"
03:46 < joelsolanki> vpn server is a vps machine.
03:46 < joelsolanki> it has 1 public ip and 1 private ip. and has 1 lan card only.
03:46 < joelsolanki> so private ip is virtual ethernet.
03:46 < joelsolanki> and one tunnel that openvpn creates
03:47 < joelsolanki> now all is good. i can ping 192.168.1.50 that is vpn server's private ip.
03:47 < joelsolanki> but i have few server that is 192.168.1.101 but i cant ping it or access it.
03:47 < joelsolanki> tracert shows me that routing is good. it goes thru tunnel
03:48 < joelsolanki> from vpn server i can access 192.168.1.101 server easily.
03:48 < joelsolanki> i have never implemented lan routing on vps scenario.
03:48 < joelsolanki> any hints plz ?
03:59 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn
04:06 < bn43> hi - I'm almost getting the openvpn-gui to work - I get an error when it connects - tls key negotiation fails. I'm on an internal lan which I've assumed is not firewalled for internal traffic. I can ping the server from the client - what should I look out for?
04:08 < dazo> bn43: tls key neg. error is a bit vague .... but it can mean that either a static key used in --tls-auth is wrong or that you have another certificate issue as well
04:08 < dazo> bn43: if you send complete logs, it will help us help you
04:08 < dazo> !logs
04:08 < vpnHelper> dazo: "logs" is please pastebin your logfiles from both client and server with verb set to 6
04:10 < dazo> joelsolanki: you might need to setup a route in your .101 box ... to route your VPN addresses back via the .50 (your openvpn server)
04:10 < bn43> um I just have the client's - I'm running an ubuntu hardy heron desktop and have been to /var/log/ and don't see an openvpn log file
04:10 < joelsolanki> dazo: oh ok
04:11 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
04:11 < dazo> bn43: well, openvpn-gui logs will be fine enough (from the client) ... I presume that's a windows client, isn't it?
04:12 < dazo> bn43: on the server you might check your config for how logging is setup
04:12 < bn43> where should I be looking for the openvpn logs on the server
04:12 < dazo> bn43: lets start with the client side first, and we'll look into the server if needed
04:12 < bn43> where do I pastebin?
04:12 < dazo> !pastebin
04:12 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
04:18 < bn43> http://www.pastebin.ca/1368937
04:19 < dazo> bn43: would you please edit the client config and add "verb 6" in it ... and pastebin the log again?
04:19 < bn43> note that I changed the port to 8001 as I know I can use that with another application
04:21 < dazo> bn43: I noticed that port number ... be aware that that could mean that the traffic might go via a proxy ... esp. if your other application is web based
04:21 < bn43> ok - won't be able to do right now but will get on later - thank you for being so helpful
04:21 < dazo> bn43: np!
04:21 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"]
04:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
04:49 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: eliasp, floyd_n_milan, huslu_, CybDev, vpnHelper, simplechat, Typone
05:57 -!- Netsplit over, joins: floyd_n_milan, CybDev, eliasp, simplechat, vpnHelper, Typone, huslu_
06:20 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:09 < ecrist> morning, folks
07:12 < krzee> mornin
07:12 < krzee> my nfs box is beefy
07:12 < krzee> unfortunately im having issues with fbsd8-current bootonly snapshot
07:12 < krzee> ftp install doesnt wanna happen
07:12 < krzee> so im downloading the dvd snapshot
07:13 < ecrist> why would you run 8 right now?
07:13 < ecrist> ZFS?
07:13 < krzee> exactly
07:14 -!- nemysis [n=nemysis@75-240.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:14 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has joined ##openvpn
07:16 < krzee> turns out my NFS box has 5 onboard sata ports
07:16 < krzee> so i might toss in the backup 1.5TB drive and let ZFS know its for hot spare
07:17 < krzee> but im thinking i prolly wont, no reason to make it spin when the machine is on if im not using it
07:27 < ecrist> the drive should sleep if it's not being used
07:27 < ecrist> it'll spin up on boot, but that's it
07:27 < ecrist> q
07:32 -!- Kvajnto [n=ls@116.232.76.93] has joined ##openvpn
07:34 < Kvajnto> !howto
07:34 < vpnHelper> Kvajnto: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:05 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
08:17 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn
08:18 < lukask> !howto
08:18 < vpnHelper> lukask: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:23 < ecrist> krzee: how soon until you want that server online? I've got to get another power strip; starting to run out of space.
08:23 < krzee> prolly a week or so
08:23 < krzee> should be plenty of time to make your upgrade
08:24 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)]
08:25 < ecrist> ah, excellent. I'm going to put a second circuit in that rack, too.
08:26 < ecrist> most of the servers in there have multiple power supplies. going to pick a second up for that 1850 I just got on ebay today. only a 15A circuit in there right now, got 7 systems on one circuit and all the switches/routers
08:26 < ecrist> and, supposedly, a couple more servers from a buddy on the way
08:29 < lukask> Hi! I just happened to solve a problem, but I don't really understand why it was solved. OpenVPN host-to-host via UDP between two sites; "tun-mtu 1500 fragment 1200 mssfix" on both sides. The vpn dropped packets bigger than 1392 bytes (including overhead). I now removed 'fragment 1200', and the connection works ?
08:32 < krzee> solved it by getting rid of the options you didnt understand therefore shouldnt have been using ;)
08:32 < krzee> !man
08:32 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:32 < lukask> krzee, you're too right
08:33 < lukask> I just *know* I had a reason to put the fragment option there in the first place ... just that it was a year ago ;)
08:33 < lukask> Yes, I tried to wrap my head around this for the last few hours :/
08:35 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"]
08:55 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has quit ["Ex-Chat"]
08:55 < ecrist> krzee: take a look at http://www.secure-computing.net/images/test1.bmp (look at test1.bmp, test2.bmp, and test3.bmp) and tell me what you think
08:55 < ecrist> please
09:01 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has joined ##openvpn
09:02 < fixxxermet> !howto
09:02 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:03 < fixxxermet> great. My boss has openvpn.net blocked
09:06 < ecrist> fixxxermet: the entire domain?
09:06 < ecrist> use a proxy, or try beta.openvpn.net
09:06 < fixxxermet> The whole domain. Looking up a proxy now
09:07 < fixxxermet> Google's cache might work
09:12 < fixxxermet> http://openvpn.net/howto gives a 404
09:15 < ecrist> http://openvpn.net/index.php/documentation/howto.html
09:15 < vpnHelper> Title: HOWTO (at openvpn.net)
09:19 < fixxxermet> Yeah I found it - was just reporting the 404
09:20 < fixxxermet> "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel." - Which files need to be copied to my client, and where to on that machine?
09:21 < ecrist> clients need four files, the config, the ca certificate (not key), and the client certificate/key pair
09:23 < fixxxermet> so ca.crt, client.crt, client.key, and the config file (which I haven't mad yet)?
09:23 < fixxxermet> made*
09:23 < ecrist> yep
09:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
09:49 -!- c64zottel [n=hans@cust.static.84-253-61-19.cybernet.ch] has joined ##openvpn
09:49 -!- c64zottel [n=hans@cust.static.84-253-61-19.cybernet.ch] has left ##openvpn []
09:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:11 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
10:11 < sunta> yo
10:11 < sunta> !route
10:11 < vpnHelper> sunta: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
10:12 < sunta> krzee, got my thanks?
10:15 -!- stuarta [n=stuarta@unaffiliated/stuarta] has joined ##openvpn 10:20 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 10:29 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:49 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 10:57 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Verlassend"] 11:06 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 11:25 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn 11:27 -!- Skered [n=dereks@c-71-60-49-148.hsd1.pa.comcast.net] has joined ##openvpn 11:31 < Skered> !howto 11:31 < vpnHelper> Skered: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:32 < Skered> http://openvpn.net/index.php/documentation/howto.html maybe? 11:32 < vpnHelper> Title: HOWTO (at openvpn.net) 11:38 < ecrist> yeah, they changed their link 11:38 < ecrist> ping krzee 11:38 < ecrist> can you fix the bot, since you won't give me access? 11:42 -!- bn43 [n=dhashen@196.212.81.58] has quit [Read error: 104 (Connection reset by peer)] 11:42 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn 11:43 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 11:46 < ecrist> I sent an email to Francis, hopefully he can fix the redirect 11:46 < bn43> Hi I have a problem with openvpn-gui that does not connect - I have changed the configs to verb 6 - in pastebin http://www.pastebin.ca/1369266 11:46 < bn43> Can someone help pls? 
11:50 < ecrist> verb 3 is usually sufficient 11:50 < bn43> someone called dars asked me to do that before posting 11:51 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has joined ##openvpn 11:51 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 11:52 < ecrist> did you see TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 11:52 < ecrist> !logs 11:52 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 11:52 < bn43> yes 11:52 < ecrist> and? 11:53 < bn43> but I'm not sure what to do about that - google search says make sure firewall not blocking- have checked that 11:53 < ecrist> see here: http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html 11:53 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at www.imped.net) 11:54 < ecrist> search for your error I posted. there are some solutions mentioned 11:54 < bn43> I can ping the server from the client and I have connected my ubuntu desktop directly to pc via a hub 11:54 < bn43> ok 11:54 < ecrist> ping is different than udp 11:56 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit [Client Quit] 11:59 < bn43> ecrist: page states exact problem but I am not running a firewall on either the server or client 12:02 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 12:03 < ecrist> FYI folks: 12:03 < ecrist> Eric, 12:03 < ecrist> Sorry about this.. We are in the process of moving the files to a new provider.. I will make sure that my engineers will take care of this problem.. 12:03 < ecrist> Francis 12:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:13 < Kvajnto> I have an openvpn connection running now, but apart from pinging the openvpn server I can't access anything. I'm pretty sure I need to route the traffic to the default gateway somehow, but I'm not sure how to do this.
I included everything I could think of and pasted on pastebin (ifconfig eth0, /etc/network/interfaces and my server/client configs). I'm really new to this, so my configs might look a bit messed up... 12:14 < Kvajnto> Using routing. 12:15 < Kvajnto> Maybe should add that the server machine is a VPS running on XEN. 12:19 < dazo> !route 12:19 < vpnHelper> dazo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 12:19 < dazo> Kvajnto: ^^^ 12:20 < Kvajnto> Ok, cool. I'll have a look. 12:22 < dazo> Kvajnto: in general, if you can ping over the tunnel, the other host ... and you can access services on the openvpn server from the client ... you basically have the configs pretty nicely working, it's just routing and/or firewalling missing 12:25 < Kvajnto> Sounds good. All of this is a bit overwhelming to be honest. Hopefully that link will shed some light on all of this =) 12:26 < bn43> I still can't get anywhere with my problem - I have checked as best I can on what to do in http://www.imped.net/oss/misc/openvpn-2.0-howto-edit.html 12:26 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at www.imped.net) 12:29 < fixxxermet> ecrist: Sorry - where do I copy the PKI files that I created on my server to on my client? 12:29 < fixxxermet> to the easy-rsa/keys dir? 12:31 < dazo> fixxxermet: wherever you want .... you define locations in your openvpn configs 12:31 < fixxxermet> You are right. 12:31 < fixxxermet> Thanks. 12:31 -!- stuarta [n=stuarta@unaffiliated/stuarta] has left ##openvpn [] 12:31 < dazo> fixxxermet: but on your server ... you only want the key and crt file for the server + CA crt .... and on client only client keys + CA.crt 12:32 < fixxxermet> right 12:33 < bn43> pls anyone? I'm getting a TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 12:34 < dazo> fixxxermet: and never ever ever ever share the ca.key ....
that's the most sacred file you'll have ... because with this one you sign new certificates which will be accepted by the server .... the best location for such files are off-line storage 12:37 < Kvajnto> On my XP client, if I do "route print" I'm supposed to see the routes that were pushed to me, right? Because I don't =) 12:38 < dazo> Kvajnto: are you running openvpn client with admin privileges? 12:38 < Kvajnto> Yes. 12:38 < dazo> Kvajnto: which win version and which openvpn version? 12:38 < dazo> Kvajnto: strike win version ... xp 12:38 < Kvajnto> 2.0 12:39 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 12:39 < Kvajnto> I'm doing: push "redirect-gateway" also, if that will interfere. 12:39 < dazo> Kvajnto: that can be one reason .... try upgrading to 2.1_RC15 ... but that might require an upgrade on your server as well .... a few openvpn versions do not work well together 12:39 < dazo> Kvajnto: no, that should be fine 12:39 < Kvajnto> The gateway gets pushed, though. 12:40 < chrisbdaemon> are there any known issues with the openvpn client and windows xp sp3? I have openvpn setup on an openbsd firewall and mac os x clients are able to connect just fine but windows xp users have their connections dropped after about 30 seconds 12:40 < dazo> Kvajnto: well, actually ... when you push a default gateway, no other explicit routes should be needed on the client though 12:40 < dazo> chrisbdaemon: not if you run openvpn 2.1_rc15 12:41 < Kvajnto> chrisbdaemon: Maybe you need to allow ping in the windows firewall? 12:42 < chrisbdaemon> dazo: are there fixes in openvpn 2.1_rc15? 
12:42 < dazo> chrisbdaemon: a lot 12:42 < dazo> chrisbdaemon: 2.1_rc15 is actually the most stable and bug free release so far 12:42 < bn43> pls anyone 12:43 < chrisbdaemon> dazo: Excellent, I'll make my own port for that then :) and see if the openbsd port maintainer will update the port :P 12:46 < Kvajnto> dazo: I couldn't really find anything about this in that link you provided, so how would I go about making a route between the default gateway I get on my client (10.8.0.5) and my actual default gateway (222.222.165.129)? Must be some simple route command =) 12:46 < dazo> Kvajnto: if you skip the redirect-gateway first ... and try to get basic routing working first, it might go easier 12:47 < dazo> Kvajnto: and then you need the route options in your configs 12:47 < Kvajnto> Did say something about "ip forwarding", but didn't really explain anything about it. I'm quite sure I haven't enabled anything like that. 12:47 < dazo> Kvajnto: ahh ... sorry .... of course, that's a good thing to check 12:47 < dazo> Kvajnto: cat /proc/sys/net/ipv4/ip_forward 12:48 < dazo> Kvajnto: that should give you "1" as a result .... if not .... echo "1" to that file 12:48 < Kvajnto> 0 =) 12:48 < Kvajnto> Ok. I'll try again. 12:48 < chrisbdaemon> dazo: would openvpn 2.1_rc7 have those fixes in it that i need? 12:48 < chrisbdaemon> or does it need to be rc15 12:49 < dazo> chrisbdaemon: some, but not all ... rc15 is safest ... and rc7 does have some issues when using it against other versions as well 12:49 < chrisbdaemon> alright, thanks 12:50 < chrisbdaemon> dazo: also, I have never had to upgrade openvpn before, would I just drop in the new binaries or do I have reconfigure things? 12:51 < chrisbdaemon> have to* 12:52 < Skered> Anyone using Tunnelblick on MacOS X? It no longer changes my DNS settings if I push dhcp-option DNS x.x.x.x 12:52 < dazo> chrisbdaemon: configs should basically be the same, but you might get some warnings you didn't get before ...
because some options have been misunderstood before .... can be pretty annoying to get them every time you startup ... but that's usually it 12:52 < dazo> chrisbdaemon: script-security is one thing you might need to look at if you use scripts in openvpn 12:53 < Skered> doh stupid me.... 12:53 < Skered> nm that message. I know why it's not. 12:54 < bn43> hi I'm having a problem - TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) - I have copied the ta.key from the server to the client and ensured there are no firewall issues - please can someone help? 12:55 < Skered> bn43: You're using tls-auth in both your server conf and client conf? 12:56 < bn43> yes 12:56 < dazo> bn43: does it work without tls-auth? 12:56 < bn43> I've commented it out on both client and server and still same error 12:57 < dazo> bn43: are you using udp or tcp? have you tried tcp if you're using udp? .... might be you have some network issues which do not like udp 12:57 < Skered> What about the permissions on the key file? 12:57 < dazo> that's also a good thing to check 13:00 < bn43> changing to tcp does not help 13:00 < bn43> permissions on which key file? 13:01 < Skered> bn43: What tls-auth is pointing to. 13:01 < Skered> I think it has to be not readable by group and other. 13:02 -!- pons [n=pons@pc-66-126-83-200.cm.vtr.net] has joined ##openvpn 13:02 < pons> guys, is it possible to create a vlan over a tap tunnel? 13:02 < pons> i mean, vconfig add tap0 99 13:02 < pons> creates tap0.99 13:02 < chrisbdaemon> dazo: alright, i'm going to do some testing I guess and start using the latest, thanks a ton for the info, been fighting with the windows openvpn clients for weeks :P 13:02 < dazo> pons: I don't think that is supported yet 13:02 < bn43> ta.key has root.root group and owner 13:03 < pons> but it doesn't work 13:03 < dazo> pons: I don't think that is supported yet 13:03 < pons> dazo: mmm, how could i implement something similar?
13:03 < pons> other parallel vpn ? 13:03 < mjt> bn43: how about increasing the verbosity level and seeing which packets get sent and received? 13:03 < dazo> pons: yeah, that might be a solution 13:04 < pons> a vpn inside this vpn 13:04 < bn43> mjt: I raised it to 6 on client and server 13:04 < dazo> pons: uhhh .... sounds like wasting of CPU time ... parallel tunnels, not inside each other 13:06 < pons> dazo: my infrastructure works with a main server and other 2 clients that connect 2 different networks together, and by bridging both networks works, but mixes traffic. 13:06 < pons> a vlan would have been the best 13:07 < dazo> pons: but you have other option, as vlan is not implemented .... at least I've never heard about vlan implementation .... so you'll need to route that traffic into separate tunnels and on the vpn server you'll need to tag each of the tun/tap devices accordingly to your wishes 13:08 < bn43> I pastebin my server.conf and client - http://www.pastebin.ca/1369337 13:08 < pons> and an unencrypted tap between these 2 machines? 13:08 < pons> is it possible? 13:09 < Skered> !route 13:09 < vpnHelper> Skered: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 13:09 < bn43> Skered: is that for me? 13:10 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"] 13:14 < bn43> pls anyone - this is driving me nuts - I've been trying to get this to work for the past 2 days now 13:15 < Skered> bn43: No 13:15 < Skered> bn43: What are the permissions on the key files? 13:15 < Skered> ta.key 13:16 < bn43> root.root 13:17 < Skered> ls -l ta.key 13:18 < bn43> oh man I'm dense - that's just ownership 13:18 < bn43> -rw------- 13:19 < Skered> How are you running openvpn? 13:19 < bn43> as a service - on ubuntu hardy heron 13:19 < bn43> /etc/init.d/openvpn start 13:20 < bn43> I installed via aptitude 13:20 < Skered> On the client side.
13:20 < bn43> oh - openvpn-gui 13:21 < Skered> What are the permissions of the ta.key on the client side? 13:22 < bn43> funny thing is xp does not list a security option when looking at properties of the file 13:25 < bn43> any other ideas? 13:27 < Skered> Do you have 'ns-cert-type server' in the client conf? 13:28 < bn43> http://www.pastebin.ca/1369337 13:31 < Skered> Change tls-client to client 13:32 -!- pons [n=pons@unaffiliated/pons] has quit [] 13:34 < bn43> is there a way to test the bridge connection? I followed this : http://www.thebakershome.net/?q=node/56 - could it be something to do with that? 13:34 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 13:35 < bn43> Skered: no difference 13:35 < bn43> with changing tls-client to client 13:35 < Skered> bn43: Just to check. When you changed to tcp you changed that on both the server and the client right? 13:35 < bn43> yes 13:36 < Skered> Ok 13:37 < Skered> No idea then. Only other idea might be if the server is behind a firewall but if you're connecting to it I don't think that's the issue 13:37 < Skered> Or your client is behind a software XP firewall? 13:38 < bn43> ok thanks for the help! I'm going to have to tackle this tomorrow 13:38 < bn43> no 13:38 < bn43> disabled 13:38 < bn43> made sure of that :-) 13:39 -!- achilles [n=achilles@62.90.14.151] has joined ##openvpn 13:39 < bn43> thanks all for trying to help 13:39 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"] 13:40 < achilles> hello, one question please, I'm trying to connect site-to-site vpn, the headQ 192.168.1.0/16 and the branch 192.168.2.0, the question is, should the Tun0 devices have a different subnet and then I should route between them ? 13:41 < achilles> or just getting the two sites on the same subnet ?
13:41 -!- martian67 [i=user5490@about/linux/regular/martian67] has joined ##openvpn 13:42 < martian67> for some reason my windows client is getting a netmask of "10.8.0.5" from the server 13:42 < martian67> but the config file has no mention of that address 13:42 < ecrist> martian67: that's not a net mask 13:42 < martian67> i know :) 13:42 < ecrist> !/30 13:42 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 13:43 < martian67> Ethernet adapter Local Area Connection 6: 13:43 < martian67> Connection-specific DNS Suffix . : 13:43 < martian67> IP Address. . . . . . . . . . . . : 10.8.0.6 13:43 < martian67> Subnet Mask . . . . . . . . . . . : 10.8.0.5 13:43 < ecrist> no pasting here, please 13:43 < martian67> IP Address. . . . . . . . . . . . : fe80::2ff:dcff:fe22:9eaa%10 13:43 < martian67> Default Gateway . . . . . . . . . : 13:43 < martian67> is the output of ipconfig 13:43 < martian67> on windows 13:43 < martian67> i cant ping the vpn gateway 13:43 < martian67> sorry 13:43 < ecrist> paste your server and client configs 13:43 < ecrist> !configs 13:43 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:44 < martian67> whats ccd? 13:44 < ecrist> client-specific configs on the server side 13:44 < martian67> oh right 13:44 < ecrist> if you don't know what they are, you likely don't have any 13:44 < martian67> i dont have that 13:47 < mjt> Subnet Mask is umm... nice. 13:48 < martian67> yea i dont get it o.O 13:48 < martian67> http://pastebin.com/m1c12e144 13:48 < martian67> server config 13:49 < Skered> I can send data to a machine that's on the same network as the OpenVPN server. 
However when the data is sent to the machine it asks who 10.0.8.6 is via an arp request. Nothing replies. I need a 'route 10.0.8.0 255.255.255.0' in my server's conf to fix this? I can see all this network activity by using tcpdump on the LAN machine. 13:52 < martian67> OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006 13:52 < martian67> Developed by James Yonan 13:52 < martian67> Copyright (C) 2002-2005 OpenVPN Solutions LLC 13:52 < martian67> oops 13:52 < martian67> sorry 13:52 < martian67> http://pastebin.com/m382768b 13:52 < martian67> thats my client config 13:53 < martian67> i really dont get whats going wrong in such a simple setup :s 13:53 < martian67> Skered, openVPN is not layer 2 by default 13:55 < martian67> any light you care to shed on this issue would be appreciated 13:57 < Skered> ah I think i need client-to-client. 13:57 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 13:59 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 14:00 < ecrist> martian67: FYI, 2.1_rc16 is current version 14:00 < ecrist> nm, 2.1_rc15 14:02 < martian67> i dont want to run an rc 14:02 < martian67> its outside my distro's package management 14:02 < martian67> makes things very messy :/ 14:03 < ecrist> you're currently running an rc 14:03 < ecrist> rc11 14:03 < ecrist> :\ 14:03 < ecrist> OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008 14:03 < martian67> oh lol 14:03 < martian67> its just what came with debian 14:03 < ecrist> and it's out of date 14:03 < martian67> shrug lol 14:03 < ecrist> update it to rc15 14:04 < ecrist> there is a bug in ipp pools in rc11 14:06 < martian67> is there a workaround? 14:07 < krzee> not using ipp / not using rc11 ! 14:08 < martian67> so if i use a ccd to assign an ip 14:08 < martian67> i shouldnt have an issue?
14:08 < krzee> thats better anyways 14:08 < krzee> ipp is a suggestion 14:08 < martian67> ok thank you 14:08 < krzee> ccd is a real way to assign static ips 14:08 < krzee> !iporder 14:08 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 14:08 < martian67> well i dont really care one way or another 14:08 < martian67> i just want it to work heh 14:09 < krzee> !ipp 14:09 < vpnHelper> krzee: "ipp" is Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static 14:09 < martian67> its a single client anyways 14:09 < krzee> hrm 14:09 < krzee> !static 14:09 < vpnHelper> krzee: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 14:09 < martian67> !ccd 14:09 < vpnHelper> martian67: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 14:10 < krzee> brb 14:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 14:11 < martian67> will ifconfig-push work properly on windows? 14:11 < martian67> !ifconfig-push 14:11 < vpnHelper> martian67: Error: "ifconfig-push" is not a valid command. 14:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:20 < hagna_> so what's the major and minor number of tunl0 on linux?
14:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 14:22 < martian67> krzee, how do i disable ipp 14:24 -!- dazo_ [n=dazo@nat/redhat/x-3d9e8b90d961bc23] has joined ##openvpn 14:27 < Kvajnto> Okay. Now I finally got everything to work thanks to "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE". Do I need to add this somewhere so that it will be that way every time I reboot my computer? 14:28 < Kvajnto> dazo: Thanks for the help by the way. 14:29 -!- dazo [n=dazo@nat/redhat/x-799df3ba13b2efcc] has quit [Read error: 113 (No route to host)] 14:35 < ecrist> martian67: just remove the ipp options from the config 14:35 < martian67> yes, its working now 14:35 < dazo_> Kvajnto: be sure you only MASQ traffic going out on the Internet .... internal network traffic to your own net on the remote site should not be masq'd 14:35 < martian67> correct subnet, but now i cant ping 14:35 < martian67> grrr 14:35 < martian67> no iptables rules or firewalls in the way 14:35 < martian67> both are off/blank 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:40 < Kvajnto> dazo: Ehm... how do I know if that's the case? 14:40 < Kvajnto> ?= 14:40 < Kvajnto> =) 14:40 < ecrist> martian67: client-to-client 14:40 < martian67> ecrist, its enabled 14:40 < martian67> irrelevant anyways, i cant ping the vpn host address 14:41 < ecrist> you should be able to ping the VPN server address, if not, it's a firewall issue 14:41 < martian67> there is no firewall 14:42 < ecrist> ok, sure, but, if you're connected to the VPN, and you've been assigned an IP, and the logs look OK, if you can't ping the VPN server address, it's a firewall issue.
14:42 < martian67> sigh 14:42 < martian67> the only thing it could be 14:42 < martian67> is either windows firewall 14:42 < martian67> or iptables 14:42 < martian67> iptables rules are blank 14:42 < martian67> and windows firewall is totally disabled 14:42 < ecrist> martian67: we get ~200 people in/out of here a week with similar problems. There's a reason our channel topic is what it is. 14:43 < martian67> it cant possibly BE a firewall 14:43 < ecrist> ok, show me the latest logs from server and client showing a successful connection. 14:44 < martian67> sec 14:55 < martian67> ecrist, http://pastebin.com/m373f46bf 14:58 < martian67> # 14:58 < martian67> # 14:58 < martian67> Mon Mar 23 13:47:37 2009 OpenVPN ROUTE: failed to parse/resolve route for host/network: 10.8.0.0 14:58 < martian67> im not sure what that in particular is referring to 14:58 < martian67> i have no routes IN my server.conf :/ 15:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 15:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 15:03 < ecrist> krzie: new logo on the site, lemme know what you think 15:11 < martian67> ecrist, http://openvpn.net/howto.html#policy 15:11 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 15:11 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 15:11 < martian67> it says i need to have a pair of ifconfig-push addresses 15:11 < martian67> but, when i set that, it gives me a netmask of 10.8.0.6 15:12 < chrisbdaemon> hey, I could use a bit of help, i'm trying to set up openvpn 2.1_rc15 on openbsd 4.4 and I got the client connecting just fine after setting up the configuration and copying the keys over and everything but I'm getting a bunch of "Authenticate/Decrypt packet error: cipher final failed" errors 15:12 < chrisbdaemon> what would cause those?
15:13 < chrisbdaemon> the configurations were copied from a working openvpn 2.0.9 installation 15:16 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Read error: 110 (Connection timed out)] 15:16 < krzie> chrisbdaemon you using any special cipher settings? 15:17 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn 15:17 < krzie> !route 15:17 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 15:19 < krzie> i like it, but suddenly dont remember the old one 15:19 -!- achilles [n=achilles@62.90.14.151] has quit ["Leaving"] 15:20 < chrisbdaemon> krzie: Ah, I found it, when I copied over the configuration file from the working installation of it I tried to strip out the comments but it took out some important things with it P 15:20 < chrisbdaemon> :P * 15:31 < krzie> !configs 15:31 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:31 < krzie> theres the regex to strip comments 15:36 < chrisbdaemon> alright, got that working 15:40 -!- dazo_ is now known as dazo 15:43 < chrisbdaemon> !logs 15:43 < vpnHelper> chrisbdaemon: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:48 < chrisbdaemon> alright, now i have a bit of another problem. I'm able to get my client to connect and ping the internal address of the box running openvpn but traffic doesn't go past that to other hosts on the lan 15:48 < chrisbdaemon> using ethernet bridging 15:49 < chrisbdaemon> arp traffic doesn't get passed through like it should 15:49 < chrisbdaemon> or at least arp, probably more 15:50 < martian67> ok for some reason, my windows hostmask is being set to 10.8.0.5 15:50 < krzie> why are you bridging?
15:50 < martian67> rather than what it should be 15:51 < martian67> err netmask 15:51 < chrisbdaemon> krzie: because thats what I had set up before :P to allow broadcasts through 15:51 < chrisbdaemon> unless theres a good reason not to allow broadcasts through 15:54 < krzie> broadcasts will go through in a routed tap setup 15:54 < krzie> without layer2 15:54 < chrisbdaemon> so i should change it to routing mode instead of bridging? 15:54 < chrisbdaemon> does nfs and samba still work over that? 15:55 < martian67> samba and nfs dont rely on broadcast anyways 15:55 < martian67> you can use them both over the internet if you wish 15:55 < chrisbdaemon> ok 15:55 < martian67> (not that its a good idea) 15:55 < krzie> samba you should enable wins 15:55 < krzie> !wins 15:55 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 15:56 < krzie> nfs you dont need anything special 15:56 < chrisbdaemon> thanks 15:56 < krzie> np 15:56 < martian67> im really stumped :/ 15:56 < krzie> so why do you even want broadcasts? 15:57 < martian67> i have the latest version of openVPN on both ends 15:57 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 15:58 < diegoviola> hi 15:58 < diegoviola> is there a way to see if a client is connected to my vpn? 15:58 < diegoviola> like a status or something 15:58 < krzie> management interface 15:59 < chrisbdaemon> krzie: I forget my reasoning behind it to be honest, i set it up a while ago 15:59 < krzie> !tunortap 15:59 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 
16:03 -!- blaxthos [n=blaxthos@64.94.108.181] has quit [Read error: 113 (No route to host)] 16:04 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has quit ["Leaving."] 16:07 -!- Kvajnto [n=ls@116.232.76.93] has quit [] 16:10 < chrisbdaemon> alright.. i changed it to routing and its still not working quite right, should i pastebin my config file or something? 16:10 < chrisbdaemon> the client connects alright but traffic doesn't get from tun0 to the physical interface 16:14 < krzie> !configs 16:14 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:17 < chrisbdaemon> http://pastebin.com/d2afdf566 16:18 < chrisbdaemon> thats on openbsd 4.4 16:18 < chrisbdaemon> server running openbsd 4.4, client running tunnelblick on mac os x 16:21 < krzie> # 16:21 < krzie> push "route 10.0.0.1 255.255.255.0" 16:21 < krzie> unnecessary 16:23 < chrisbdaemon> hmm, does this look right? 16:23 < chrisbdaemon> tun0: flags=8051 mtu 1500 16:23 < chrisbdaemon> groups: tun 16:23 < chrisbdaemon> inet 10.0.0.1 --> 10.0.0.2 netmask 0xffffffff 16:23 < krzie> yes 16:23 < krzie> !/30 16:23 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 16:23 < krzie> that explains why 16:23 < krzie> and the link in !topology explains why they did it that way 16:24 < chrisbdaemon> ya, opening it up 16:25 < krzie> you prolly wanna remove ipp.txt after changing from bridge to tun 16:25 < krzie> also good to know: 16:25 < krzie> !ipp 16:25 < vpnHelper> krzie: "ipp" is Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address.
They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static 16:25 < krzie> !learn ipp as also see !iporder 16:25 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 16:25 < krzie> !learn ipp as also see !iporder 16:25 < vpnHelper> krzie: Joo got it. 16:26 < chrisbdaemon> oh, that output from ifconfig was from the server 16:26 < chrisbdaemon> that i pasted 16:26 < chrisbdaemon> not a client 16:26 < krzie> i know 16:26 < chrisbdaemon> ok 16:26 < krzie> only the server would take .1 16:27 < krzie> first client would own .6 16:27 < krzie> with .5 as the internal virtual side of the tunnel 16:27 < chrisbdaemon> i was curious why it would show a tunnel between the server and a client on the vpn thats not associated with openvpn 16:27 < krzie> as explained in the link you opened 16:27 < krzie> huh? 16:27 < chrisbdaemon> the server is at 10.0.0.1, theres another server at 10.0.0.2 16:28 < krzie> not another server 16:28 < chrisbdaemon> ifconfig tun0 shows a tunnel between 10.0.0.1 and 10.0.0.2 16:28 < krzie> did you read !/30 16:28 < krzie> the link 16:28 < chrisbdaemon> i skimmed it, yes 16:28 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has joined ##openvpn 16:29 < mindframe-> is it possible to run an openvpn server in windows without administrative privileges? 16:29 < diegoviola> is there a way to run openvpn on the background? 16:30 < krzie> !winnoadmin 16:30 < vpnHelper> krzie: Error: "winnoadmin" is not a valid command. 
16:30 < krzie> !factoids search win
16:30 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7'
16:30 < krzie> !win_noadmin
16:30 < vpnHelper> krzie: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
16:30 < mindframe-> thanks
16:30 < krzie> diegoviola of course, i believe its --daemon or something like that
16:30 < mindframe-> thats the document I found, was hoping there was another way
16:31 < krzie> mindframe- negative
16:31 < mindframe-> I was hoping to not have to create the TAP interface
16:31 < krzie> lol
16:31 < krzie> not a chancxe
16:31 < krzie> -x
16:32 < krzie> --daemon [progname]
16:32 < krzie> Become a daemon after all initialization functions are completed. This option will cause all message and error output to be sent to the syslog file (such as /var/log/messages), except for the output of shell scripts and ifconfig commands, which will go to /dev/null unless otherwise redirected.
16:32 < krzie> i was right, its --daemon
16:33 < diegoviola> whats that progname argument
16:33 < krzie> !man
16:33 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
16:33 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:33 < krzie> go read about it
16:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
16:35 < diegoviola> ok thanks
16:36 < mindframe-> "There is work in progress to enhance the OpenVPN Service so it can be controlled via a TCP socket"
16:36 < mindframe-> what's the status on that?
16:36 < krzie> its called the management interface
16:36 < krzie> its been around awhile, ive never used it
16:36 < mindframe-> so it's in beta?
16:36 < krzie> no idea, never used it
16:37 < krzie> but its been around for awhile as i said
16:37 < mindframe-> going to check it out :)
16:37 < krzie> its made for programs to use it, as opposed to humans... so it shouldnt be extremely user friendly
16:37 < krzie> werd, should be plenty of info in the manpage
16:37 < krzie> and likely some good stuff in the mail list
16:37 < krzie> !mail
16:37 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives
16:38 * krzie does a doubletake on #2 and #3
16:39 < chrisbdaemon> does openvpn handle dhcp on its own for the vpn clients?
16:40 < chrisbdaemon> heres the doc on it.. http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
16:40 < vpnHelper> Title: Management Interface (at openvpn.net)
16:41 * Skered learns about tap vs tun OpenVPN.. so that's why I can't connect to the network machines
16:47 < krzie> !route
16:47 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
16:47 < krzie> thats for connecting the lans in on a routed setup
16:47 < krzie> (aka tun)
17:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
17:02 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:02 < rashed2020> What
17:03 < rashed2020> What's the difference between using !route and tun?
17:04 < krzie> umm
17:05 < krzie> !route is a document for setting up a tun routed setup to allow communication between lan/lans and vpn
17:05 < vpnHelper> krzie: Error: "route" is not a valid command.
17:05 < krzie> heh
17:07 -!- mindframe- [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection]
17:10 < diegoviola> --management IP port [pw-file]
17:10 < diegoviola> does the password have to be a file
17:11 < diegoviola> ?
17:17 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"]
17:18 < krzie> well since it says pwfile, im guessing so
17:18 < krzie> as i said 2x, ive never used it
17:18 < krzie> nor have i heard of anyone in here using it (which doesnt mean they havnt)
17:33 -!- pons [n=pons@190.162.32.183] has joined ##openvpn
17:33 < pons> guys, is it possible to have 2 tap devices for 1 vpn?
17:41 < krzie> hows that make sense in your head?
17:46 < pons> instead of creating 1 tap device, create 2 with the same auth, but different devices, like 2 different networks going on the same vpn link
17:46 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
17:47 < krzie> are you trying to have failover over 2 inet connections?
17:47 < krzie> also, why are you using tap?
17:48 < pons> because of bridging
17:48 < pons> don't like tun
17:48 < krzie> ... why are you bridging?
17:48 < krzie> !tunortap
17:48 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
17:48 < pons> maybe that's because?
17:48 < krzie> if you have no answer you dont want bridge
17:49 < krzie> !bridge
17:49 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
17:49 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses.
17:49 < krzie> see #3
17:49 < pons> i mean, that's why
17:49 < krzie> what are you using
17:50 < pons> i'm using tap because i'm bridging a lan that's far away to another network and i need to get there as if i'm connected directly in that cable
17:51 < pons> so, i use tap
17:51 < pons> a couple of bridges
17:51 < pons> and tada
17:51 < pons> everything works
17:52 < pons> just that now i'm mixing traffic so i'm thinking on a way of separating it or splitting it, but the thing i think i'm gonna do is make another link
17:52 < krzie> umm
17:53 < krzie> you did not give an actual reason to use tap
17:53 < krzie> tun can do what you said, and do it faster
17:53 < krzie> less overhead, and more secure
17:53 < krzie> wanna try again?
17:54 < pons> i need layer 2
17:54 < pons> that's it
17:54 < krzie> but to simplify the answer to your actual question, with tun yes with tap i dont think so
17:54 < krzie> what layer2 stuff do you use?
17:54 < krzie> lol
17:54 < pons> there was an answer to my question?
17:54 < krzie> yes, i just gave it
17:54 < krzie> but to simplify the answer to your actual question, with tun yes with
17:54 < krzie> tap i dont think so
17:55 < krzie> there could be a longer answer, thats the simple answer
18:14 < krzie> actually maybe it could be done
18:14 < krzie> with tun i know it can
18:15 < krzie> but basically just forget that its a vpn, and look for the OS's way of accomplishing that normally
18:30 < reiffert> Heard about the netcomm home dsl router botnet including 80.000 hacked dsl modems?
18:33 < krzie> the router itself was remotely vuln?
18:33 < reiffert> http://www.h-online.com/security/Botnet-based-on-home-network-routers--/news/112913
18:33 < vpnHelper> Title: Botnet based on home network routers - News - The H Security: News and features (at www.h-online.com)
18:33 < reiffert> ssh without password
18:33 < krzie> oh god
18:33 < krzie> thats bad
18:35 < reiffert> My first thought was "wow, cool, hehe!", 2nd one "crazy shit" and then repetitive "I'm scared"
18:35 < krzie> no kidding
18:35 < krzie> i skipped #1
18:35 < krzie> straight to #2, #3
18:35 < reiffert> :)
18:36 < reiffert> Oh and this is what babelfish made from the original german article: http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2FBot-Netz-aus-Heimnetz-Routern--%2Fmeldung%2F134992&lp=de_en&btnTrUrl=Translate
18:36 < vpnHelper> Title: Translation result for http://www.heise.de/newsticker/Bot-Netz-aus-Heimnetz-Routern--/meldung/134992 (at babelfish.yahoo.com)
18:37 < reiffert> Which makes you believe that backwards writing germans are we
18:40 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [No route to host]
18:42 < krzie> Psybot demonstrates that the botnet problem is not something that only affects Windows PCs.
18:42 < krzie> LOL
18:42 < krzie> no kidding *eyeroll*
18:42 < krzie> it affects anything that could be manually exploited
18:42 < krzie> otherwise known as ANYTHING
18:43 < krzie> just a matter of work vs payout makes it worth doing to the guys scripting it
18:46 < reiffert> I'm waiting for the day a major windows antivirus software gets involved in acting as a trojan horse
18:46 < reiffert> At least it's running in kernel space :)
18:47 < reiffert> Oh, wasn't that one supposed to be used by government?
18:49 -!- pons [n=pons@unaffiliated/pons] has quit []
18:51 -!- pons [n=pons@190.162.32.183] has joined ##openvpn
18:58 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
19:32 < krzie> norton has been exploited before
19:57 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
20:36 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
20:37 -!- mepholic_ [n=what@66.90.73.234] has quit [Remote closed the connection]
20:37 -!- mepholic_ [n=what@hydra.weserv.in] has joined ##openvpn
20:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
20:38 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit [Excess Flood]
20:38 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
20:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
20:52 -!- marek__ [n=marek@78.8.139.58] has joined ##openvpn
20:52 < marek__> hi, can you help me with setting up openvpn?
20:54 < krzie> we wont hold any hands or do it for you, but we'll answer some questions or point you the right way
20:55 < krzie> you have a specific question?
20:55 < marek__> yup, ue Mar 24 02:55:13 2009 SIGUSR1[soft,connection-reset] received, process restarting
20:55 < marek__> i did something wrong with configuration
20:55 < marek__> im beginner in it
20:56 < marek__> i used how to
20:56 < krzie> !logs
20:56 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:56 < krzie> !configs
20:56 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:56 < marek__> ok it will take some time
20:57 < krzie> well im sure im not going anywhere for about an hour
20:57 < marek__> this is on server side:
20:57 < marek__> http://pastebin.com/m2ed8612b
20:57 < krzie> but after that ill prolly disappear
20:57 < krzie> ahh, a ptp tunnel
20:58 < krzie> not that it matters, but you prolly misspelt .log in log-append /var/log/openvpn.og
20:58 < marek__> client side:
20:58 < marek__> http://pastebin.com/m4ed1ff51
20:59 < krzie> welp it doesnt get more simple than that...
21:00 < marek__> how can i check logs? there are no log files at /var/log/openvpn.log
21:01 < krzie> on server it would be /var/log/openvpn.og on yours
21:01 < krzie> since you misspelt
21:01 < marek__> http://pastebin.com/m45cf5254
21:01 < marek__> this is from console
21:01 < krzie> but both are prolly in /var/log/messages
21:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out]
21:01 < krzie> (thats where mine are by default...)
21:02 < krzie> thats not verb 6
21:02 < krzie> !logs
21:02 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
21:02 < marek__> cat: /var/log/openvpn.og: No such file or directory
21:02 < krzie> remove tcp-server / tcp-client
21:02 < marek__> what does it mean - "verb set to 6"?
21:03 < krzie> its over-riding your proto udp
21:03 < marek__> krzie how can i remove them?
21:03 -!- rubydiam_ [n=rubydiam@123.236.183.188] has joined ##openvpn
21:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
21:03 < krzie> by removing the line from the configs!
21:03 < krzie> with whatever your text editor is!?
21:04 < krzie> you see where your configs say verb 4
21:04 < krzie> make it verb 6
21:04 < krzie> if you dunno how to edit a file in your os you need to learn your OS before setting up a vpn
21:05 < marek__> sorry krzie
21:05 < marek__> i didnt get it
21:05 < krzie> no reason to apologize
21:06 < marek__> i removed those lines
21:06 < marek__> http://pastebin.com/m7bbd64e
21:06 < krzie> you must be root
21:07 < krzie> start it with sudo or be root first
21:08 -!- marek__ [n=marek@78.8.139.58] has quit [Remote closed the connection]
21:10 -!- marek__ [n=marek@78.8.139.58] has joined ##openvpn
21:11 < marek__> http://pastebin.com/m537bd3e8
21:11 < marek__> :/
21:11 < krzie> server log
21:13 < marek__> hmmm
21:13 < marek__> "/var/log/messages - nothing interesting
21:13 < marek__> "/var/log/openvpn.og - no file
21:13 < krzie> welp, you'll find it
21:13 < krzie> ill be in the bathroom while you do
21:14 < krzie> make sure you start it as root
21:16 < marek__> http://pastebin.com/m2c83e8da
21:16 < marek__> :/
21:17 < krzie> #
21:17 < krzie> Tue Mar 24 03:14:43 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
21:17 < krzie> that doesnt seem obvious to ya?
21:18 < marek__> no
21:18 < marek__> i tried to restart openvpn
21:18 < krzie> its already running
21:18 < krzie> kill the old one
21:18 < marek__> ok
21:18 < marek__> but still connection refused
21:19 < krzie> still #
21:19 < krzie> Tue Mar 24 03:14:43 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
21:19 < krzie> ?
21:20 < marek__> Tue Mar 24 03:20:02 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
21:20 < krzie> thats not the real error
21:20 < krzie> thats the result of some other error
21:21 < krzie> log from server...
21:21 < marek__> where can i find them?
21:21 < krzie> not my job
21:21 < marek__> http://pastebin.com/m484582f0
21:21 < krzie> but from console works for me
21:22 < krzie> thats a kernel message, i want openvpn
21:22 < krzie> but do you have something like selinux or whatever those kernel protection things are called in linux running?
21:22 < marek__> http://pastebin.com/m2b16c2df
21:23 < krzie> hey hey, finally using verb 6
21:23 < krzie> good job
21:23 < krzie> #
21:23 < krzie> Tue Mar 24 03:20:04 2009 us=898733 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
21:23 < krzie> ITS STILL ALREADY RUNNING
21:23 < krzie> ps auxw|grep openvpn
21:23 < marek__> i killed it on server first
21:24 < krzie> obviously not
21:25 < marek__> i killed it once again
21:25 < marek__> here are the logs from server
21:25 < marek__> http://pastebin.com/m44996fdb
21:25 < marek__> are they ok?
21:28 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, pa, worch
21:28 -!- Netsplit over, joins: krzie, worch, pa
21:30 < Skered> I'm finding conflicting reports about tun interfaces. I can't communicate with machines on the LAN with a tun device? I have to use tap?
21:30 < krzie> Skered, read my doc on how to do it
21:30 < krzie> !route
21:30 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
21:30 < krzie> definitely not a reason to use tap
21:32 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
21:42 < Skered> This really only works if you know the client's network subnet?
21:43 < krzie> if you're trying to route to the clients lan, of course
21:43 < krzie> in my example im connecting a lan behind the server, and a lan behind each of the 2 clients
21:44 < krzie> there could be tons more clients, and all would be able to reach those 3 lans
21:44 < Skered> I was looking at page today and I was thinking ROUTES TO ADD OUTSIDE OF OPENVPN is what I should be looking at because it seems that's what is happening.
21:44 < krzie> very commonly overlooked
21:45 < Skered> Because what is happening is I can send pings to a machine that's on the LAN but then it asks via arp who is 10.0.8.6 with no reply.
21:45 < Skered> Is that the same case? It doesn't send the packets on to its default route however like the examples hsows
21:45 < Skered> shows
21:46 < krzie> ya it has no clue where to send the packets
21:46 < Skered> btw on my setup the router and the openvpn are on the same machine.
21:46 < krzie> hrm
21:46 < Skered> er the router is the OpenVPN server.
21:47 < krzie> the vpn is running on router for the lan you wanna reach?
21:47 < Skered> Yes
21:47 < krzie> ok, and the lan you wanna connect is behind the server?
21:47 < krzie> then all you should need is a push route
21:47 < Skered> Yes
21:47 < krzie> nothing more
21:47 < krzie> and ip forwarding enabled
21:47 < krzie> and firewall rules allowing it to work
21:47 < Skered> push route 10.0.0.0 255.0.0.0 is in the server.conf
21:48 < krzie> thats a huge push
21:48 < krzie> whats the internal vpn network?
21:48 < Skered> 10.0.8.0/24
21:48 < krzie> you can very very likely make it a smaller route than that
21:49 < krzie> and whats the LAN?
21:49 < Skered> 10.0.0.0/8
21:49 < krzie> the lan is really a /8?
21:49 < Skered> Right now yes
21:49 < krzie> thats why it isnt working
21:49 < krzie> cant make the internal vpn network inside the lan subnet
21:50 < Skered> So I should make that /24 not /8?
21:50 < krzie> if you cant change the lan, change the vpn network to a 192.168.8.x/24
21:50 < krzie> yes
21:50 < krzie> if you can change the lan, you should
21:50 < krzie> its unnecessarily big
21:51 < Skered> Ok let me try that.
21:52 < Skered> I think I was using 10.0.8.0/24 because that's what the example was using
21:52 < krzie> example woulda been 10.8.0.0/24
21:52 < krzie> at least if you were using openvpn docs
21:55 < krzie> also
21:55 < krzie> when you push a route
21:55 < krzie> its push "route network netmask"
21:55 < krzie> in quotes
21:56 < krzie> (just in case that wasnt there)
21:56 < krzie> i figure it was tho, but worth mentioning
21:56 < krzie> but ya, what i said does explain why it was arping
21:56 < krzie> it expected the stuff to be on local network
21:57 < krzie> and routing table will shoot for layer2 before layer3 if its told it can
21:58 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
22:00 < Skered> Yeah, that works
22:00 < Skered> Thanks.
22:01 < krzie> np
22:01 < Skered> However I can't get out to the Internet now. I'll check that out later
22:01 < Skered> But I can connect any LAN machine.
22:01 < krzie> you using redirect gateway?
22:01 < Skered> Yes
22:01 < Skered> redirect gateway def1
22:02 < krzie> you were using the existing nat rules because of being in the other subnet
22:02 < krzie> now you need new nat rules
22:02 < krzie> (another nat rule i mean)
22:02 < krzie> i take it you changed the vpn network instead of the lan
22:03 < Skered> Yes
22:03 < krzie> so you need a new nat rule for the new network
22:04 < Skered> Otherwise I would have to put on pants and go to the LAN machine that's a couple blocks away
22:04 < krzie> haha understood
22:04 < krzie> although that would be good, i totally understand
22:04 < krzie> and prolly would choose the same
22:04 < krzie> hah
22:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:16 < krzie> Skered and since it worked before you know its just a matter of copying and very slightly modifying (only on the copy) some of your existing rules on the server
22:16 < krzie> so it should be very easy for you
22:26 -!- rubydiam_ [n=rubydiam@123.236.183.188] has quit [Read error: 60 (Operation timed out)]
22:46 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit [Remote closed the connection]
22:58 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
23:16 -!- caturdayz [n=caturday@cpe-74-74-232-154.rochester.res.rr.com] has joined ##openvpn
23:16 < caturdayz> i've got a vpn set up to bridge onto my home network
23:17 < caturdayz> does anyone know how to tell the vpn client about the proper route for getting to the other things on the network?
--- Day changed Tue Mar 24 2009
00:19 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
00:56 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:27 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
01:46 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
01:49 -!- pons [n=pons@unaffiliated/pons] has quit []
02:32 -!- marek__ [n=marek@78.8.139.58] has quit [Read error: 110 (Connection timed out)]
03:10 -!- marek__ [n=marek@195-254-156-98.wro-com.net] has joined ##openvpn
03:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:31 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:31 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
03:41 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
03:48 -!- marek__ [n=marek@195-254-156-98.wro-com.net] has quit [Read error: 104 (Connection reset by peer)]
04:14 < reiffert> caturdayz: push "route netaddr mask"
04:29 -!- nemysis [n=nemysis@190-236.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
04:30 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn
04:35 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn
04:36 < andriijas> Hi, im trying to setup an openvpn server home on a machine running os x. I can connect to it from work but the server log is filled with write to TUN/TAP : Input/output error (code=5)
04:36 < andriijas> when i google that i only find people who get that in their client log
04:48 -!- maijadoo [n=Miranda@77.119.56.123.wireless.dyn.drei.com] has joined ##openvpn
04:59 < maijadoo> hi, i'm trying to start openvpn and get the following messages .. any ideas?
device br0 already exists; can't create bridge with the same name
04:59 < maijadoo> device eth0 is already a member of a bridge; can't enslave it to bridge br0.
04:59 < maijadoo> device tap0 is already a member of a bridge; can't enslave it to bridge br0.
04:59 < maijadoo> SIOCADDRT: Network is unreachable
05:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:16 < maijadoo> no ideas?
05:24 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
05:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:37 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)]
05:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
06:07 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has quit ["reboot"]
06:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
06:41 < mjt> maijadoo: only you can say what's going on and why your startup script (--up command?) tries to set up a bridge that's already up-n-running.
06:42 < mjt> i think anyway. To be fair, I've no idea how openvpn manages bridges.
07:03 < ecrist> morning, folks
07:03 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:03 < maijadoo> mjt: no ... i had a wrong ip config ... it's running now ;) thx
07:31 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn
07:31 < andriijas> i have an openvpn server running on my mac mini in os x at home and im running openvpn on my macbook in os x when im at office to connect to home
07:32 < andriijas> is it possible to get bonjour working over the vpn?
07:32 < andriijas> very hard to find facts about this on google
07:32 < ecrist> yes, but you need to use tap, instead of tun
07:33 < ecrist> which I don't think you can actually do with OS X, as there's no way to bridge ethernet interfaces in the OS, I'm aware of.
07:34 < ecrist> actually, read this:
07:34 < ecrist> http://forums.macosxhints.com/archive/index.php/t-58909.html
07:34 < vpnHelper> Title: Bonjour across subnets [Archive] - The macosxhints Forums (at forums.macosxhints.com)
07:37 < andriijas> ecrist: okay. i have a linux server at home, if i set up openvpnserver on that one instead bridging should be possible?
07:38 < ecrist> yes, should work OK
07:39 < andriijas> 3. Does Bonjour work between multiple subnets?
07:39 < andriijas> Yes. The first release of DNS Service Discovery [DNS-SD] for Mac OS X concentrated on Multicast DNS [mDNS] for single-link networks because this was the environment worst served by IP software. Starting in Mac OS X 10.4, Bonjour now uses Dynamic DNS Update [RFC 2316] and unicast DNS queries to enable wide-area service discovery.
07:41 < andriijas> not possible to forward "unicast dns queries" in routed openvpn?
07:42 < ecrist> openvpn doesn't really handle that. it's an os-level thing
07:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
07:43 < andriijas> hmmm ok.
07:45 < andriijas> its weird os x doesnt have any ethernet bridging
07:46 < ecrist> it might, and I just might not know where to find it.
07:49 < andriijas> nah i dont think so, i read something about it via google
07:49 < andriijas> only some commercial software
07:49 -!- asdf [n=wtf@pessa.net] has joined ##openvpn
07:50 < asdf> we have a cisco vpn and are using a group username/password. how should i configure openvpn client to connect?
07:50 < asdf> i have the cisco pcf file
07:53 < ecrist> asdf: you can't use openvpn for cisco vpns
07:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
07:56 < asdf> funny, i thought that was the case, and i asked my boss how i'd connect and he said cisco uses "open standards"? :x
07:58 < ecrist> yes and no
07:58 < ecrist> most SSL vpns are incompatible with each other.
07:58 < ecrist> Cisco IPSec VPNs are vanilla, but that's it.
07:58 < ecrist> Cisco does have an OS X client, as well as a Linux client.
07:59 < ecrist> you will need a CCO login to download the software, which you can register for if you've got a piece of hardware with a current service plan.
07:59 < asdf> oh i didn't know they had a linux client
07:59 < ecrist> I might even have a copy of one. hang on
07:59 < asdf> rock, thanks
08:00 -!- onats__ is now known as onats
08:01 < ecrist> I've got them somewhere, just don't know where. I was going to upload them to my wiki, and apparently failed to do so.
08:01 < onats> hi all
08:01 < ecrist> hi onats
08:01 < onats> hey ecrist
08:01 < asdf> ecrist: no worries, i can dig a copy up at work, thanks for the help. much appreciated! :)
08:03 < ecrist> asdf: if you can get copies of the client software, I'd appreciate a copy of all three
08:03 < ecrist> I think I know where my copies are, just not available here. I think they're on an old linux box at home.
08:03 < ecrist> if I find them, obtain different ones, I'll make them available here: http://www.secure-computing.net/wiki/index.php/Cisco_VPN_Clients
08:04 < vpnHelper> Title: Cisco VPN Clients - Secure Computing Wiki (at www.secure-computing.net)
08:04 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)]
08:04 < ecrist> andriijas: man ifconfig on your mac os x box, look for an option called bonddev
08:04 < ecrist> that is the new bridging, perhaps.
08:04 < ecrist> it's technically link aggregation, but that's really all bridging is.
08:05 < ecrist> nm, It is not possible to associate a bond with pseudo interfaces such as vlan. Only physical ethernet interfaces may be associated with a bond.
08:07 < ecrist> perhaps man networksetup is informative?
08:07 < andriijas> damn it takes a lot of different args :)
08:10 < andriijas> setting up openvpn with tap and bridging on os x seems like breaking new water
08:12 -!- maijadoo [n=Miranda@77.119.56.123.wireless.dyn.drei.com] has quit [Read error: 110 (Connection timed out)]
08:13 < ecrist> only because os x doesn't have proper bridging
08:13 < ecrist> :\
08:13 < ecrist> one of the major beefs I've got with the os
08:15 < andriijas> i guess i could live with routed vpn. hehe. works like a charm.
08:22 < andriijas> ecrist: hmm, do i really need a virtual device to be able to bridge?
08:23 < andriijas> its not possible to bridge through a physical interface?
08:23 < caturdayz> reiffert: thanks, i'll see if that works when i go to work today
08:25 < ecrist> andriijas: bridging is usually accomplished at the OS level, with a pseudo device being the aggregate between two other interfaces, pseudo or real
08:25 < ecrist> s/two/two or more/
08:26 < andriijas> hence the need for kernel support
08:27 -!- caturdayz [n=caturday@cpe-74-74-232-154.rochester.res.rr.com] has quit ["Leaving"]
08:27 < andriijas> shit the same. ill just stick with my working routed vpn
08:27 < andriijas> :)
08:27 < andriijas> thanks ecrist
08:27 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has left ##openvpn []
08:27 < ecrist> np
08:44 -!- buzzDrive [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has joined ##openvpn
08:44 < buzzDrive> Can someone have issues about collision packet in a vpn network?
08:45 < reiffert> Collision on layer1?
08:45 < buzzDrive> I don't know, there are two networks links with vpn but both are 192.168.0.0/24
08:46 < ecrist> easy, change the IP range on one of them.
08:46 < buzzDrive> someone here told me it was source of problem, right?
08:46 < ecrist> !1918
08:46 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
08:47 < buzzDrive> ok thanx
08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:50 < buzzDrive> The server are windows server what is the issue to change the ip range?
09:08 < reiffert> ?
09:09 < reiffert> You cant connect two subnets with openvpn when the two subnets are identical.
09:10 < Bushmills> the router wouldn't know what interface packet must be routed to
09:11 < ecrist> now, there are some *VERY* hacky things you can do with NAT/PAT and duplicate subnets with policy-based routing, but it's a little wacky
09:14 < reiffert> buzzDrive: do you feel ready for evil hackery?
09:14 < buzzDrive> reiffert: ?
09:14 < ecrist> even if he is, I'm not going to try and explain it.
09:14 < reiffert> Bushmills: thats not right. The router knows exactly where to route a packet to.
09:15 < reiffert> buzzDrive: question is: you have a problem, you where told a solution. Does it work?
09:15 < reiffert> you were told a solution
09:15 < Bushmills> when destination is one subnet for two interfaces are in?
09:15 < Bushmills> oh right, to the first interface it finds in the routing table
09:15 < buzzDrive> buzzDrive: I have the hand on the server it was just to explain why it doesn't work all the time
09:16 < reiffert> Bushmills: the router knows the network and a vpn transfer network.
09:17 < Bushmills> two vpn interfaces, like tun0 and tun1, in the described case
09:17 < Bushmills> both in the same subnet
09:17 < reiffert> Bushmills: If I understand 14:45 < buzzDrive> I don't know, there are two networks links with vpn but both are 192.168.0.0/24
09:18 < reiffert> Bushmills: right, then there are two networks with identical addresses and one vpn link between them.
09:19 < reiffert> we could of course ask buzzDrive to explain the setup 09:19 < Bushmills> i th 09:20 < Bushmills> i think i am losing interest 09:20 < buzzDrive> do you know an article or a wiki which explains that openvpn cannot be linked between 2 identical subnets, it s for justifying to the administrator 09:21 -!- pons [n=pons@pc-66-126-83-200.cm.vtr.net] has joined ##openvpn 09:23 < reiffert> it's plain logic. 09:24 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 09:27 < ecrist> buzzDrive: I've got a link to a wiki which states it. gimme a sec 09:29 < ecrist> http://www.secure-computing.net/wiki/index.php/Durrrr 09:29 < vpnHelper> Title: Durrrr - Secure Computing Wiki (at www.secure-computing.net) 09:30 < reiffert> hehe 09:32 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 09:33 -!- pons [n=pons@unaffiliated/pons] has quit [] 09:35 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn 09:42 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn 09:42 < jul_> hello, can i push a route with interface ? 09:43 < ecrist> yes, I think so. 09:43 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"] 09:43 < ecrist> jul_: have you read the man page? 09:43 < jul_> i try route ip netmask tun0 but it doesn't work 09:44 < jul_> ecrist: yes i read but i don't find it 09:44 < jul_> -route network/IP [netmask] [gateway] [metric] 09:44 < ecrist> looks like no. you can route to a gateway, but not an interface with openvpn 09:44 < ecrist> --route network [netmask] [gateway] [metric] 09:45 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 09:45 < jul_> but: vpn_gateway -- The remote VPN endpoint address (derived either from --route-gateway or the second parameter to --ifconfig when --dev tun is specified).
09:46 < jul_> i don't understand this 09:47 < jul_> because when i push a route, the client add route but not with the device tun0 :( 09:48 < ecrist> it should add a correct route to the vpn, automatically 09:49 < jul_> ecrist: yes but with wrong device 09:51 < jul_> maybe with route-up 10:06 < jul_> or not 10:12 -!- fixxxermet [n=kjohnson@69.85.26.2] has joined ##openvpn 10:13 -!- mooncup [n=a@unaffiliated/mooncup] has quit [Excess Flood] 10:13 -!- mooncup [n=a@haha.you.lostthega.me] has joined ##openvpn 10:22 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"] 10:27 < fixxxermet> So I just setup my first openvpn vpn. My client can ping the server's subnet, but the server can not ping the client's subnet? 10:29 < mjt> RESOLVE: Cannot resolve host address: : [TRY_AGAIN] A temporary error occurred on an authoritative name server. 10:30 < mjt> who the f* was that helpful and translated the error codes? 10:32 < mjt> really, that's fascinating. I never saw a piece of software which is this good and sucky at the same time. 10:32 < mjt> usually it either sucks or not. this one -- it's both. 10:37 < ecrist> mjt: what is your big beef with that error? 10:41 -!- n0u [i=Chaton@unaffiliated/nou] has joined ##openvpn 10:41 < mjt> the translation is nonsense 10:41 < mjt> "error on auth nameserver" - thats plain frong 10:41 < mjt> wrong even 10:41 < ecrist> o.O 10:42 < mjt> the error was due to openvpn running chrooted and i forgot persist-remote-ip, it has exactly _nothing_ to do with "auth nameserver" 10:42 < mjt> but i had some debugging with a chain of nameservers here, to determine which auth ns has a problem... 10:43 < mjt> it's sorta like all those useless-annoying-"helpful" warnings all over which I had to patch out, but worse. 10:44 < mjt> openvpn needs a good, massive, friendly cleanup 10:45 < n0u> is there a way to run a script when a connection has been initiated ? 
(in tls-{server,client} mode) 10:45 < mjt> n0u: --up script 10:45 < mjt> er 10:45 < n0u> i said "connection initiated" 10:46 < n0u> not tun up 10:46 < mjt> yeah. 10:46 < n0u> route-up doesn't fit either 10:46 < mjt> that's my 'er' ;) 10:46 < n0u> ok 10:46 < n0u> something like the client-connect for tls-server 10:46 < mjt> just wasn't fast enough to type.. and esp. to *think* before typing :) 10:47 < n0u> because i don't want some routes to stay when the tunnel link is not up 10:47 < mjt> !iporder 10:47 < vpnHelper> mjt: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 10:48 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 10:48 < mjt> --client-connect script 10:48 < mjt> that's in tls-server 10:49 < mjt> as of client, it really does not matter if it's --up or --post-up (so to say) 10:49 < mjt> because it's done very close to each other 10:49 < n0u> Options error: --client-connect requires --mode server 10:49 < mjt> yes 10:50 < n0u> i said tls-server :) 10:50 < mjt> blame openvpn for misleading options ;) 10:50 < mjt> as i just did for wrong error code translation 10:50 < ecrist> mjt, you complain a lot. 10:50 < mjt> and read the difference 10:50 < n0u> i agree :) 10:50 < mjt> ecrist: i know 10:50 < n0u> (with ecrist) :) 10:51 < mjt> heh 10:51 < mjt> but i think (hope?) i'm complaining not about nothing 10:51 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn 10:51 < mjt> ie, most of my complaints are valid. 10:52 < mjt> (i'd love to know if i'm wrong. seriously) 10:52 < n0u> another one, is there a way to specify the local ip openvpn (in server mode this time) would use in case the server has several ips ?
(haven't really searched for this one) 10:53 < n0u> specify on per client basis 10:53 < mjt> n0u: no 10:53 < mjt> n0u: it listens on only one IP 10:53 < n0u> no 10:53 < mjt> i mean it's global, not client-specific 10:53 < n0u> it listens to all ips by default, you mean there's no source ip selection configuration 10:54 < achilles> hello, I have a simple question please, I'm running openvpn for site to site connectivity, it's okay and everything is well, I just wonder how can the headquarters get another branch ? I mean, now it's site to site, how can I make it site to many sites ? 10:54 < mjt> you can tell it to listen on that ip or this 10:54 < mjt> but that's a global option 10:55 < mjt> n0u: see --local 10:55 < n0u> sure, that's not the question :) when it binds to ANY i'd like to be able to select the source ip 10:55 < mjt> that depends on the client 10:55 < n0u> nope 10:55 < n0u> nevermind 10:55 < mjt> heh ok 10:56 < mjt> achilles: 2.0 introduced --mode server 10:56 < mjt> achilles: so you can have "star"-like config - one server in the center and many branches connecting to it. 10:56 < achilles> mjt, yes exactly this is what I want 10:56 < achilles> mjt, thank you very much 10:57 < mjt> heh, it wasn't difficult ;) 10:57 < achilles> mjt, but how can I assign an IP to each branch connection point to define routing rules 10:58 < mjt> see the many examples. tls-server is probably what you want 10:58 < mjt> it's pointless to repeat the docs here 10:58 < mjt> !howto 10:58 < vpnHelper> mjt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:59 < achilles> mjt, thank you very very much 10:59 < achilles> absolutely I will 10:59 < achilles> mjt, I got an idea, what if I started many vpn servers on different ports ?
11:00 < mjt> that'll work too 11:00 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn 11:00 < achilles> okay great, I will see the HowTo and see what is the best 11:00 < achilles> mjt, thank you again 11:00 < mjt> you may also consider tinc and vtun for that -- the first also has server mode, vtun can run from inetd and use only one port. 11:00 < mjt> (just a few more alternatives ;) 11:01 < achilles> aah thank you for telling me 11:01 < mjt> heh n/p 11:01 < achilles> :) 11:01 < ecrist> you can specify the IP openvpn listens on... 11:01 < mjt> --local 11:02 < mjt> achilles: you'll find mentions of me in both, btw :) 11:02 < achilles> :) 11:10 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)] 11:17 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:33 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 11:37 < n0u> "--multihome : Configure a multi-homed UDP server.\n" 11:37 < n0u> \o/ 11:37 < n0u> should have read the source right away :) 11:38 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 11:39 < diegoviola> hi, i have a vpn working with openvpn, multiple users, etc... the ip of my vpn server is 10.8.0.1, but i would like to have vpn.foo.org, do i need to run a local domain server on my vpn server for that? 11:39 < achilles> mjt, you sure it's written how to implement star-like vpn connections in the HowTo ? 11:39 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has joined ##openvpn 11:40 < ecrist> achilles: what are you looking for?
11:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:40 < achilles> ecrist, thank you, I'm trying to get multiple branches connected to the headquarters as site-to-site to route voip calls 11:41 < pielgrzym> hi peeps - I'm trying to run openvpn client to connect to my work network - I've got two files from my admin, .crt and .key. shall I use .crt for ca as well as for cert in client config? Now I get auth errors while connecting and I'm frustrated with vague documentation for the client ;P 11:41 < achilles> ecrist, I established site-to-site and it's perfect 11:41 < ecrist> achilles: you don't want site-to-site, you want a server and multiple clients. 11:41 < ecrist> voip will work fine on routed VPN, so go with that. 11:41 < achilles> ecrist, ah .. hmm, but in this scenario, can I know for each client what IP it takes ? 11:42 < achilles> the branch actually being the client 11:42 < ecrist> pielgrzym: you need the ca.crt and also the config 11:42 < ecrist> you can use client-config-dir 11:42 < pielgrzym> ecrist: I see :) error=self signed certificate in certificate chain - this is the error for not having this file? 11:43 < pielgrzym> ecrist: just to be sure - my admin has this ca.crt file, right? Only the server should generate the keys for the clients right? 11:45 < ecrist> pielgrzym: in a strict SSL environment, the root ca has the root certificate and root key. all certificates can be (and should be) freely distributed. keys should always be kept secret. so, users don't get the CA key, and really, the root ca shouldn't have the client keys. 11:45 < ecrist> in the reality of VPNs, however, the root ca is administered by the network admin, who will usually auto-generate a certificate/key pair for each client.
11:45 < pielgrzym> ecrist: I see 11:45 < ecrist> you should be distributed four files, ca.crt, client.crt, client.key and client.conf 11:46 < ecrist> your vpn client needs a copy of the ca certificate to compare things to 11:46 < pielgrzym> ecrist: got all of them apart from ca.crt ;) 11:47 < pielgrzym> ecrist: thanks! :) 11:47 < ecrist> np 11:52 < achilles> guys, when configuring client-specific rules as sysadmin1, contractor1 ..etc in the HowTo, how can I refer that this client is sysadmin1 and this is contractor .. is it configured from the client configurations ? 11:57 -!- cQix [n=attse@host86-132-121-65.range86-132.btcentralplus.com] has joined ##openvpn 11:59 < mjt> achilles: each client gets its own cert, with its own unique common name. that's basically 11:59 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 11:59 < mjt> all 12:00 < mjt> you can use one cert for all, in which case it will be impossible to know who's who 12:00 < mjt> (at least as far as openvpn is concerned) 12:00 < cQix> Hi there. I've a problem with openvpn bridging. I actually followed http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html and set it up as described. The VPN connection is open "Initialization Sequence Completed" but the ping does not go through. I've wiresharked the communication on tap0 and can see the arp request going out, but no reply at all. Firewalls were deactivated - No result. 12:00 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 12:01 < mjt> cQix: but do you see the packets on the other side? 12:01 < mjt> arriving there, that is 12:01 < achilles> mjt, ah, with preshared key this is not possible 12:01 < achilles> right > 12:01 < achilles> ? 12:02 < mjt> never used and actually never tried to look how psk mode works 12:02 < cQix> mjt: No. Tested also the other way (Client -> Server). No arp 12:02 < mjt> cQix: so turn on debugging?
12:02 < achilles> mjt, okay thank you very much 12:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:04 < cQix> mjt: Client init: http://pastebin.com/m186e3d03 12:04 -!- achilles [n=achilles@82.205.120.165] has quit ["Leaving"] 12:05 < mjt> well.. nope. 12:05 < mjt> i mean. 12:05 < cQix> What would you need 12:06 < mjt> i'm not an expert here, came to openvpn about a week ago. Before i tried tinc, which had a mode where it logged every packet it received from tun/tap device and sent to 'net. 12:06 < mjt> and in that logging it was almost always obvious where things went wrong. 12:06 < mjt> i didn't try that with openvpn yet 12:07 < cQix> Ok. Will try to set wireshark to log everything from the initial start. 12:07 -!- n0u [i=Chaton@unaffiliated/nou] has left ##openvpn [] 12:07 < mjt> o 12:08 < mjt> i'm not saying about 'from initial' 12:08 < mjt> i mean the actual exchange of arp packets 12:08 < mjt> you do understand this stuff, it seems 12:08 < cQix> Afterwards there's nothing of interest 12:08 < cQix> little 12:09 < mjt> well, running wireshark and knowing what ARP is -- those are very, very good signs. 12:09 < cQix> But as it seems, not enough for this 12:09 < mjt> seriously 12:09 < mjt> many ppl who come here use nmap to see which ports are open on their unix box, instead of netstat... 12:10 < mjt> but if arp packets are not forwarded.. well, it's openvpn's settings somehow. 12:11 < mjt> and i don't know how bridging works with it. 12:11 < cQix> It uses the basic brctl and then says that ip ...128 to ...254 is for the clients 12:12 < mjt> as far as i understand, openvpn should forward just any packet to the other side. 12:12 < cQix> should, that's the problem 12:13 < cQix> But anyway. Bad day.
The power supply started burning and so on 12:13 < mjt> bad day - that's for sure ;) every day's bad ;) 12:14 < mjt> (I don't even remember what i started fixing today -- trying fixing that i encountered another issue, tried to fix it, but failed because of another bug, tried to fix that and... that was a long one ;) 12:14 < cQix> yep 12:14 < cQix> and 4 me it started 2 days ago like this 12:17 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 12:18 < mjt> cQix: lucky you 12:18 < mjt> i'm about 1.5 years in this mode already :) 12:19 < cQix> ok. I'm not a full time sysadmin 12:19 < cQix> most of the time webdev 12:20 < cQix> But now we need this vpn server set up newly 12:20 < cQix> and so on 12:20 < ecrist> freebsd has sockstat, which is the best method to determine which ports are open. 12:20 < ecrist> actually doing a port scan on localhost with nmap is silly 12:24 -!- buzzDrive [n=guillaum@mic92-8-82-234-142-186.fbx.proxad.net] has quit ["Ex-Chat"] 12:26 -!- cpm_ is now known as cpm 12:28 < hagna_> so how do I tell this vpn client machine to route inbound packets to tun0? 12:28 < hagna_> on linux 12:30 -!- TigerDuck [i=ralf@port-92-194-48-119.dynamic.qsc.de] has joined ##openvpn 12:30 < TigerDuck> hi 12:31 < TigerDuck> !howto 12:31 < vpnHelper> TigerDuck: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:34 < krzee> inbound packets? 12:34 < krzee> what are you actually trying to do hagna_ 12:35 < hagna_> krzee: A -- B -- GW and B -- VPN 12:36 < krzee> thats gibberish to me 12:36 < hagna_> yeah hang on 12:36 < krzee> try using your words pls 12:36 < hagna_> machine A connects to B which connects to the gateway 12:36 < hagna_> B also connects to a vpn via openvpn 12:36 < krzee> are a and b on the same lan? 12:36 < hagna_> and I want B to route packets from A destined for 10.4.0.1 to the right place 12:36 < hagna_> krzee: yes and B is a bridge 12:37 < krzee> are you using tun?
12:37 < hagna_> yep 12:37 < TigerDuck> Where could I find hints on how to use the update-resolv-conf script correctly? 12:37 < krzee> !pushdns 12:37 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 12:37 < TigerDuck> Thanks 12:37 < krzee> np, i think that thread will lead you somewhere 12:38 < krzee> so what is 10.4.0.1? 12:38 < hagna_> krzee: the ip of the other side of the vpn 12:38 < hagna_> on B it's 10.4.0.2 12:38 < krzee> and B talks to the vpn fine? 12:38 < hagna_> yes 12:38 < hagna_> I can ping 10.4.0.1 just fine 12:38 < krzee> your question contained your answer 12:39 < hagna_> so I would win at jeaopardy 12:39 < hagna_> jeapordy 12:39 < krzee> just give A a route to 10.4.0.0 255.255.255.0 pointing at lan ip of B 12:39 < krzee> if there are many A's, add the route to their default gateway 12:39 < hagna_> krzee: I think there is a way to do it without changing the route on A 12:40 < krzee> yes, by changing the route on their default gateway 12:40 < hagna_> I'd like to do the routing on the bridge 12:40 < krzee> well, too bad 12:40 < krzee> its their default gateway or them 12:40 < krzee> BUT 12:40 < hagna_> you can tell the bridge to route packets 12:40 < krzee> the other side of the vpn must know about the network that is talking to it 12:40 < krzee> or it cant respond 12:41 < krzee> so other side needs to know to route A's lan through the vpn 12:41 < hagna_> yes 12:41 < krzee> which could be done through a push route if you werent using ptp 12:41 < hagna_> ptp? 12:41 < krzee> or are you using topology subnet? 12:41 < hagna_> haven't picked one yet 12:42 < krzee> server / client or ifconfig 10.4.0.1 10.4.0.2 ? 12:42 < krzee> whats A's lan? 
12:42 < hagna_> 10.1.2.0/24 12:44 < krzee> try adding to the other side of config , route 10.1.2.0 255.255.255.0 12:44 < krzee> that will instruct openvpn to add the route to that lan to go over vpn 12:44 < krzee> and how do you specify ips in openvpn? 12:45 < krzee> im guessing ifconfig 10.4.0.1 10.4.0.2 12:45 < hagna_> yes 12:45 < krzee> which means its point to point (ptp) 12:45 < krzee> so you did choose 12:45 < hagna_> openvpn --remote $REMOTE --dev tun0 --ifconfig 10.4.0.2 10.4.0.1 --verb 9 --float 12:45 < hagna_> that's on B 12:45 < krzee> then on other side add --route 10.1.2.0 255.255.255.0 12:46 < krzee> (NOT ON B) 12:47 < hagna_> ok thanks I'll try it when I get a chance 12:47 < krzee> but you also need the route i said on A 12:48 < krzee> unless B is A's default gateway 12:48 < krzee> in which case the route is already there when openvpn is running 12:48 < krzee> if the router behind B is the gateway (transparent bridge) then either A or it must have the route 12:49 < krzee> btw, that tunnel will have no encryption 12:50 < hagna_> wow seems like you are really familiar with this 12:50 < krzee> hehe 12:50 < krzee> aye 12:50 < TigerDuck> Quite funny. Using my configuration in WinXP it smoothly enables name resolution. In Ubuntu it connects equally smoothly but does not add the extra dns server to /etc/resolv.conf 12:51 < TigerDuck> When I add the nameserver manually, everything is just perfect 12:51 < krzee> ive never used that included script 12:52 < krzee> but basically you want a script in the up option 12:52 < krzee> ild prolly make my own 12:52 < krzee> that just mv's the file to a backup 12:52 < TigerDuck> I see 12:52 < TigerDuck> good point 12:52 < krzee> then echo's the new NS to a new resolv.conf 12:52 < krzee> then a down script to mv the backup over the new one 12:53 < TigerDuck> I'll do that, too.
Thanks for the hint 12:53 < krzee> but ild read that script too 12:53 < krzee> cause it may have thought of stuff i didnt 12:53 < TigerDuck> I'll do 12:53 < krzee> =] 12:53 < krzee> yw 13:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 13:03 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 13:21 < TigerDuck> krzee: My resolving problem seems to be rather common and there seems to be no proper solution at hand if one wants to stick to update-resolv-conf, as it seems in https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/226185 13:21 < vpnHelper> Title: Bug #226185 in openvpn (Ubuntu): "update-resolv-conf script does not restore old values" (at bugs.launchpad.net) 13:21 < TigerDuck> So, I'll write my own replace scripts for up and down 13:21 < TigerDuck> Thanks for the enlightenment 13:22 < TigerDuck> bye 13:22 -!- TigerDuck [i=ralf@port-92-194-48-119.dynamic.qsc.de] has left ##openvpn ["Leaving."] 13:24 < mjt> for that thing i had a special file included from named.conf, -- named.conf.forwarders. Various pieces were writing/rewriting it and triggered a named reload. 13:24 < mjt> that works much more reliably. 13:25 < mjt> (named running on local machine, resolv.conf is static) 13:25 -!- PeoplesAdvocate [n=chatzill@adsl-75-63-149-29.dsl.snantx.sbcglobal.net] has joined ##openvpn 13:25 < mjt> it's strange this quite obvious and trivial method isn't used by linux distributions 13:28 < PeoplesAdvocate> Hello, Im running Ubuntu 8.04. When I run the command openvpn path/to/server.conf it goes all the way to this message " Tue Mar 24 13:10:14 2009 Initialization Sequence Completed" then my terminal hangs, I cannot enter any more commands. Is this normal or am I running it wrong? 13:29 < krzee> mjt, good thinking 13:30 < krzee> your console hangs? are you remote? 13:30 < PeoplesAdvocate> yes im ssh'd into the system 13:30 < krzee> and it is the client, and you are using redirect-gateway?
13:30 < PeoplesAdvocate> we are under the same lan 13:31 < krzee> securing wireless? 13:31 < krzee> and it is the client, and you are using redirect-gateway? 13:31 < PeoplesAdvocate> no im trying to get openvpn server running 13:32 < krzee> so its the server? 13:32 < PeoplesAdvocate> yes 13:32 < krzee> are you using tun or tap 13:32 < PeoplesAdvocate> tap 13:32 < krzee> you're bridging? 13:32 < PeoplesAdvocate> yes 13:32 < krzee> while already on the same lan? 13:33 * krzee expects thunder and lightning 13:33 < PeoplesAdvocate> yes im ssh'd into my server cause no monitor on it. Im setting up openvpn so someone can login 13:33 -!- cQix [n=attse@host86-132-121-65.range86-132.btcentralplus.com] has quit [] 13:33 < krzee> first of all, why do you want a bridge 13:34 < krzee> (90% of the time this question leads to me saying you dont want a bridge) 13:34 < ecrist> krzee: did you look at my new site logo? 13:34 < PeoplesAdvocate> no i do want a bridge, Im running my server from a fujitsu p1120, LOL 13:34 < krzee> ya ecrist i like it 13:34 < krzee> but suddenly cant remember what the old logo looked like 13:35 < krzee> PeoplesAdvocate, didnt you say you are using a tap bridge? 13:35 < ecrist> just a padlog 13:35 < ecrist> padlock 13:35 < PeoplesAdvocate> yes 13:35 < krzee> ok ya i like the new one 13:35 < krzee> PeoplesAdvocate, if you dont want a bridge, why are you doing it? 13:35 < PeoplesAdvocate> no i do want a bridge 13:35 < krzee> ok, why? 13:35 < PeoplesAdvocate> that is the only option for me 13:36 < krzee> what layer2 protocol are you running over the vpn that requires you to bridge? 13:36 < PeoplesAdvocate> if you look at a pic of a fujitsu p1110 netbook I cannot upgrade anything on it.
13:36 < krzee> lol 13:37 < krzee> you dont need to to use routing 13:37 < krzee> i only have 1 nic on all my systems 13:37 < krzee> well, on most 13:37 < krzee> but openvpn never requires 2 nics 13:37 < krzee> or any other upgrades you're thinking of 13:37 < krzee> in fact a bridge will use more resources than routed tun 13:37 < krzee> so... 13:37 < PeoplesAdvocate> the way i understand it you need two nics to run openvpn on routing right? 13:37 < krzee> what layer2 protocol are you running over the vpn that requires you to bridge? 13:37 < krzee> no 13:37 < krzee> 1 nic for either setup 13:38 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 13:38 < PeoplesAdvocate> hmm 13:38 < krzee> !tunortap 13:38 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 13:39 < PeoplesAdvocate> lets say a friend and I want to play a lan game will it work with routing? 13:39 < krzee> lan gaming would be a reason to use a bridge 13:39 < krzee> as most use layer2 protocols 13:39 < krzee> is that what your vpn is for? 13:39 < PeoplesAdvocate> yeah 13:39 < PeoplesAdvocate> LOL 13:39 < krzee> there ya go 13:39 < krzee> thats a valid answer 13:40 < krzee> BUT 13:40 < krzee> you cant bridge while on the same lan 13:40 < krzee> you're prolly starting a storm on your switch 13:41 < krzee> everything layer2 is being forwarded to the other side of the bridge, which is the same lan 13:41 < krzee> which causes more 13:41 < krzee> which causes more 13:41 < krzee> which causes more 13:41 < krzee> kaboom 13:41 < PeoplesAdvocate> so if im on the same lan as the server and my router assigns the IP to me, if my friend gets into the vpn server it wont act as if we are on the same server? 13:42 < krzee> im saying server and client cant be on the same lan 13:42 < krzee> which is what it sounded like you were saying...
13:42 < PeoplesAdvocate> we no he is elsewhere 13:42 < krzee> ok 13:42 < PeoplesAdvocate> he will connect to me to play, get it? 13:42 < krzee> lets see your configs 13:42 < krzee> !configs 13:42 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:43 < krzee> im no bridging expert, i havent used a bridge in years 13:43 < krzee> (cause i have no layer2 protocols to vpn) 13:43 < krzee> hey ecrist 13:44 < krzee> ZFS filesystem version 13 13:44 < krzee> [14:01] FreeBSD 8.0-CURRENT-200902 #0: Mon Feb 16 22:17:04 UTC 2009 13:44 < krzee> [14:01] CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ (2204.71-MHz K8-class CPU) 13:44 < krzee> [14:01] usable memory = 8030814208 (7658 MB) 13:44 < krzee> [14:02] rgephy0: 10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseT, 1000baseT-FDX, auto 13:44 < krzee> [14:02] acd0: DVDR at ata0-slave UDMA33 13:44 < krzee> [14:02] ad4: 1430799MB at ata2-master SATA300 13:44 < krzee> [14:02] ad6: 1430799MB at ata3-master SATA300 13:44 < krzee> [14:02] ad8: 1430799MB at ata4-master SATA300 13:44 < krzee> [14:02] ad10: 1430799MB at ata5-master SATA300 13:44 < krzee> storage/nfs 3.7T 128K 3.7T 0% /nfs 13:44 < krzee> =] =] 13:45 < PeoplesAdvocate> my configs are fine, its just that when I enter this command "sudo openvpn /path/to/server.conf" it runs successfully, it gives me this message at the end " 13:45 < PeoplesAdvocate> Tue Mar 24 13:10:14 2009 Initialization Sequence Completed 13:45 < PeoplesAdvocate> then i cant enter any more commands 13:45 < krzee> !logs 13:45 < vpnHelper> krzee: "logs" is please pastebin your logfiles from both client and server with verb set to 6 13:45 < krzee> how can you say your configs are fine when it isnt working... 13:45 < krzee> can you log back in over ssh after?
13:46 < PeoplesAdvocate> yes 13:46 < krzee> you wouldnt be here if you could guarantee your configs are fine 13:46 < krzee> so... 13:46 < krzee> oh wait 13:46 < krzee> you can log back in... 13:46 < PeoplesAdvocate> yes 13:46 < krzee> then is the vpn working...? 13:46 < krzee> after you log back in 13:46 < PeoplesAdvocate> its just i dont know if im running it right 13:46 < krzee> can you ping the client? 13:47 < krzee> well its a bridge, the ip is changing when you start openvpn 13:47 < krzee> so relogging in is expected to me 13:47 < PeoplesAdvocate> i have to open up another connection because if i ctrl-c it will terminate openvpn 13:47 < krzee> you can run openvpn in daemon mode by adding daemon to the config also 13:47 < krzee> that way you can close that dead term 13:47 < krzee> and it'll keep running 13:48 < PeoplesAdvocate> ohhh 13:48 < reiffert> krzee: 3.7TB netto made from? 13:48 < PeoplesAdvocate> i see now 13:48 < krzee> reiffert, huh? 13:48 < krzee> netto? 13:48 < PeoplesAdvocate> let me try that 13:48 < PeoplesAdvocate> hold on 13:48 < reiffert> krzee: e.g. 4 x 1 TB raid5 brutto will give you 3TB netto 13:48 < krzee> ahh 13:49 < krzee> NAME STATE READ WRITE CKSUM 13:49 < krzee> storage ONLINE 0 0 0 13:49 < krzee> raidz1 ONLINE 0 0 0 13:49 < krzee> ad10s1g ONLINE 0 0 0 13:49 < krzee> ad4 ONLINE 0 0 0 13:49 < krzee> ad6 ONLINE 0 0 0 13:49 < krzee> ad8 ONLINE 0 0 0 13:49 < krzee> 100G reserved for the OS 13:49 < krzee> not using zfsONroot this time 13:49 < krzee> 4x 1.5's 13:50 < reiffert> and how many disks may fail? 13:50 < krzee> 1 iirc, i could have more fail by using raidz2 13:50 < krzee> but this is as much for play as real usage 13:50 < PeoplesAdvocate> ahhh, its working now, I just added daemon to the top of the server config file and now its running without hanging my term 13:50 < reiffert> raidz2 implies adding more disks I guess?
13:51 < PeoplesAdvocate> top 13:51 < krzee> im not too sure of raidz2, i just know it offers more redundancy 13:51 < krzee> 4 is prolly enough to use it 13:51 < reiffert> reducing available disk space below 50% I guess. 13:51 < reiffert> I really should get new hardware :) 13:52 < krzee> i would expect so 13:52 < PeoplesAdvocate> krzee I appreciate your time and help. 13:52 < krzee> np =] 13:52 < PeoplesAdvocate> got it working 13:52 < krzee> i really really hope my new intel system runs osx86 13:52 < krzee> intel q9400 proc 13:52 < krzee> mmmm 13:53 -!- PeoplesAdvocate [n=chatzill@adsl-75-63-149-29.dsl.snantx.sbcglobal.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.7/2009021910]"] 13:53 < krzee> also with 8gb ram, and a 1.5TB drive 13:53 < krzee> but ill build that later 13:53 < krzee> i still need to get my new TV here first 13:53 < krzee> until the new TV is here that system is somewhat pointless to me 13:53 < krzee> so im spending my time on my nfs first 13:53 < reiffert> Is there virtualisation support for os x as guest available yet? 13:54 < krzee> no idea, but that would be AWESOMENESS 13:54 < krzee> ild love to run that vmware host OS 13:54 < krzee> and run a few OS's in parallel 13:55 < reiffert> yep 13:55 < krzee> ehxi or whatever that acronym is 13:55 < reiffert> how many q9400 you got, two? 13:55 < krzee> nah, 1 13:55 < krzee> the nfs is amd64 13:55 < krzee> for increased zfs love 13:56 < krzee> but shit, the q9400 is quad core 13:56 < reiffert> But just one :) 13:56 < krzee> thats plenty! =] 13:56 < krzee> haha 13:56 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has joined ##openvpn 13:56 < krzee> price tag on my suitcase of hardware was plenty enough as is 13:56 < krzee> im so glad i made it through customs without harassment 13:57 < krzee> i had an escort through ;] 13:57 < krzee> otherwise the pricetag woulda been WAY higher 13:57 < reiffert> I dont see an intel equiv. 
for amd hypertransport yet, so I just dont know what to get, quadcore opterons or xeons. 13:58 < krzee> time to see how zfs likes my tweaks 13:58 < reiffert> tweaks? 13:58 < krzee> tuning 13:58 < krzee> nothing too crazy 13:58 < krzee> just the suggested stuffs 13:58 < Great_Anta_baka> hi. when i add the following routes I can no longer ping any hosts (0.0.0.0/1 and 128.0.0.0/1.) why is that? 13:58 < krzee> (for now) 13:58 < krzee> !def1 13:59 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:59 < krzee> you did it manually or used def1? 13:59 < Great_Anta_baka> manually 13:59 < Great_Anta_baka> def1 doesnt work 13:59 < krzee> def1 sure does work 13:59 < Great_Anta_baka> says it cant read my gateway 13:59 < krzee> ohh 13:59 < krzee> you on ppp?
13:59 < Great_Anta_baka> ya 13:59 < krzee> ahh 13:59 < krzee> gimme a few 13:59 < Great_Anta_baka> thought that might be the issue 14:00 < Great_Anta_baka> ty 14:00 < krzee> its in the mail list somewhere 14:00 < Great_Anta_baka> ah 14:00 < Great_Anta_baka> been going through them 14:00 < krzee> !mail 14:00 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives 14:00 < Great_Anta_baka> but couldnt find anything 14:00 < krzee> the gmane is the one to search 14:00 < krzee> the openvpn.net archive blows 14:00 < krzee> no searchability or scanning threads 14:00 < Great_Anta_baka> i see 14:00 < Great_Anta_baka> thats where i was 14:01 < krzee> subject openvpn and ppp 14:01 < krzee> date dec 18, 2008 14:03 < Great_Anta_baka> yeah think i am on that thread now 14:03 < krzee> Subject: [Openvpn-users] Fix for "Cannot read current default gateway" problem on Linux 14:04 < krzee> that was the title of the final post 14:04 < krzee> Hi! 14:04 < krzee> In the diff (against 2.1_rc15) is the solution for the old* 14:04 < krzee> problem of (not) detecting default gateway on linux systems 14:04 < krzee> if it is a device route. 14:04 < krzee> The patch is attached as a gzipped diff output to this mail message : 14:04 < krzee> http://thread.gmane.org/gmane.network.openvpn.user/25117/focus=25127 14:04 < krzee> (direct link to patch : 14:04 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:04 < krzee> http://cache.gmane.org//gmane/network/openvpn/user/25127-001.bin 14:04 < krzee> rename to patch.gz after download) 14:04 < krzee> It was tested by one affected user (Antonis Tsolomitis, see the 14:04 < krzee> thread "openvpn and ppp" on the openvpn-users list) 14:04 < krzee> If I forgot anything, ask. 
14:04 < krzee> Regards, 14:04 < krzee> David 14:04 < krzee> *See mail list threads: 14:05 < krzee> "Redirect-gateway on dialup" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "redirect-gateway + http-proxy + ppp problem" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "Cannot redirect gateway after pppd connection" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> "openvpn and ppp" 14:05 < krzee> 14:05 < vpnHelper> Title: Gmane Loom (at thread.gmane.org) 14:05 < krzee> there ya go 14:05 * mjt looks around... 14:05 < krzee> lol sorry 14:05 < Great_Anta_baka> arent you gonna get banned for that? 14:05 < mjt> ;) 14:05 < krzee> not likely ;] 14:05 < Great_Anta_baka> but ty :P 14:06 < krzee> (im an op, and it was only used to help you) 14:06 < mjt> poor vpnHelper - now he had some work to do ;) 14:06 < Great_Anta_baka> hehe 14:06 < krzee> haha i was thinking that too mjt 14:06 < krzee> see how he lagged 14:06 < krzee> lol 14:06 < Great_Anta_baka> haha 14:07 < mjt> it was asleep. but awake at the end. 14:08 < krzee> i think he was checking the patches for a title 14:08 < krzee> haha 14:09 < krzee> prolly a bug to be found there 14:16 < Great_Anta_baka> ok 14:16 < Great_Anta_baka> sweeet 14:16 < Great_Anta_baka> its detecting the gateway 14:16 < Great_Anta_baka> but now getting no route to host :/ 14:16 < Great_Anta_baka> if i remove the 128.0.0.0/1 route i can ping some of the hosts on the office network 14:17 < Great_Anta_baka> but when its there i can ping nada 14:18 < Great_Anta_baka> i cant even ping the bridge interface on the openvpn server 14:19 < krzee> im out of help for awhile, gotta finish my nfs before heading out to work 14:19 < ecrist> krzee: sup? 
14:19 < krzee> but im sure others here will pick it up 14:19 < Great_Anta_baka> kk 14:19 < Great_Anta_baka> thanks for the help tho 14:19 < ecrist> oh, see your 8.0-CURRENT running 14:19 < ecrist> nice 14:19 < krzee> ecrist, im just all happy bout my new nfs, was pasting stuff from it 14:19 < krzee> ya! 14:20 < krzee> time to see if 900G can be copied via sata2 drives without a crash 14:20 < krzee> from UFS to ZFS 14:20 < krzee> if it does that ill be satisfied that the upgrade went well 14:20 < ecrist> sweet 14:20 < krzee> then ill stress test with some torrents 14:20 < krzee> always crashed fbsd7+zfs within 3 days 14:20 < krzee> but that was zfs6 14:20 < ecrist> I stress-tested our system here, but it's just regular ol' UFS 14:20 < krzee> also was on i386 14:21 < krzee> amd64 has much more love for ZFS 14:21 < ecrist> /dev/mfid0 3.5T 1.2T 2.1T 37% /d 14:21 < ecrist> you has more space than me. and my server was much more 'spensive 14:22 < krzee> storage/nfs 3.7T 10G 3.7T 0% /nfs 14:22 < krzee> /dev/ad12 1.3T 827G 418G 66% /backup 14:22 < krzee> copying * from /backup to /nfs now 14:22 < krzee> we'll see how it goes =] 14:22 < krzee> ya but my system is using experimental stuffs 14:22 < krzee> not wise for importantness 14:23 < mjt> is zfs really that good compared with others? 14:24 < krzee> it will be when its not experimental 14:24 < mjt> with all the buzz around... 14:24 < krzee> http://en.wikipedia.org/wiki/Comparison_of_file_systems 14:24 < vpnHelper> Title: Comparison of file systems - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:24 < krzee> check it out 14:24 < krzee> plus the snapshots are <3 14:24 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn 14:25 < chrisbdaemon> !routing 14:25 < vpnHelper> chrisbdaemon: Error: "routing" is not a valid command. 14:25 < Great_Anta_baka> what is the default mtu on openvpn? 
14:25 < krzee> !route 14:25 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:25 < chrisbdaemon> thanks 14:25 < krzee> Great_Anta_baka, see manual --mtu 14:25 < krzee> !manual 14:25 < vpnHelper> krzee: Error: "manual" is not a valid command. 14:25 < krzee> err 14:25 < Great_Anta_baka> ty 14:25 < krzee> !man 14:25 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:25 < Great_Anta_baka> lol 14:25 < krzee> also see --mtu-test 14:25 < krzee> especially for your setup 14:25 < krzee> !mtu 14:25 < Great_Anta_baka> i see 14:25 < vpnHelper> krzee: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 14:26 < krzee> #2 14:26 < mjt> that's the next topic of my interest - mtu ;) 14:27 < mjt> because all previous tunnel solutions had... umm... issues here. 14:27 < krzee> mjt, cool you can show me the intricacies of the settings after you learn them ;] 14:27 < hagna_> oh ip forwarding 14:27 < hagna_> hehe 14:27 < mjt> damn 14:27 < mjt> i wanted to ask questions... ;) 14:28 < krzee> lol im sure others can answer 14:28 < hagna_> so client can push routes to server? 14:28 < krzee> no 14:28 < krzee> but server can specify routes 14:28 < hagna_> dang 14:28 < krzee> if client could push to server ild call that a problem 14:28 < mjt> krzee: you sure for the 'no' ? 14:28 < krzee> think of situation where clients are just users and server is production 14:28 < mjt> i didn't try, but how about --pull on SERVER ? :) 14:29 < krzee> read on pull 14:29 < mjt> i mean in theory 14:29 < mjt> ok 14:29 < krzee> --pull 14:29 < krzee> This option must be used on a client which is connecting to a multi-client server. 
14:30 < mjt> another helpful restriction i guess 14:30 < mjt> ;) 14:30 < krzee> aye 14:30 < hagna_> hrm 14:30 < ecrist> krzee: http://www.secure-computing.net/images/clx_rack1.jpg 14:30 < krzee> but server can specify routes 14:30 < krzee> the whole idea of push is to control clients from server 14:30 < hagna_> krzee: server doesn't know in this case 14:30 < hagna_> ok I'll rethink this 14:30 < ecrist> the 1u and 3u boxes above the one with all the blue lights is our backup server 14:30 < krzee> traveling lan? 14:30 < krzee> the whole lan is moving? 14:31 < krzee> damn! 14:31 < hagna_> krzee: no, but say there are 10 14:31 < krzee> i wanna visit and play!!! 14:31 < hagna_> :) 14:31 < krzee> 10 what 14:31 < hagna_> 10 lans not moving 14:31 < krzee> !route 14:31 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 14:31 < krzee> thats no problem 14:31 < krzee> server will know 14:31 < krzee> !iroute 14:31 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 14:32 < ecrist> that 4u of equipment was ~$11,000 14:32 < krzee> server needs to know based on clients common-name 14:32 < krzee> DAMN ecrist 14:32 < krzee> oh ok thats work related 14:32 < ecrist> oh, yeah, not my lan 14:32 < krzee> i was thinking that was where my box was 14:32 < krzee> hahah 14:32 < ecrist> oh, no, my rack isn't so impressive 14:32 < hagna_> heh 14:32 < krzee> i would assume not! 14:32 < krzee> lol 14:33 < ecrist> *but* someone may be financing a generator for me. ;) 14:33 < krzee> awesome!! 
14:33 < krzee> 33G copied over and i must leave 14:33 < krzee> i hope it doesnt blow up while im gone 14:33 < ecrist> l8r 14:33 < krzee> i wont know for a couple hrs 14:33 < krzee> hrm 14:34 < hagna_> so server knows my lan subnet? 14:34 < krzee> ecrist, you know the ssh option to allow connect-back? 14:34 < hagna_> ok I should read that 14:34 < ecrist> krzee: no, I use screen 14:34 < krzee> so i can allow myself to get in from a box while im at work today 14:34 < mjt> it's port-forwarding 14:34 < mjt> or something else? 14:35 < mjt> it can share one connection with other ssh'es 14:35 < krzee> nah not openvpn related 14:35 < krzee> i dont have time to setup a vpn on it 14:35 < mjt> yeah 14:35 < mjt> openssh can use a connection established by another openssh 14:36 < krzee> oh right 14:36 < krzee> ya thats what i want 14:36 < krzee> connect out to a server and allow it to connect back over that 14:36 < mjt> but it works in one direction 14:36 < mjt> -o ControlMaster=auto -o ControlPath=/some/where/socket 14:37 < mjt> it does not work back 14:38 -!- Alocado [n=matthias@dslb-088-068-039-189.pools.arcor-ip.net] has joined ##openvpn 14:38 < Alocado> hello 14:39 < Alocado> it's possible to have an encrypted user/password auth for openvpn? 14:40 -!- martian67 [i=user5490@about/linux/regular/martian67] has quit [Excess Flood] 14:40 -!- martian67 [i=user5490@about/linux/regular/martian67] has joined ##openvpn 14:41 < krzee> !passwd 14:41 < vpnHelper> krzee: Error: "passwd" is not a valid command. 14:41 < kala> Alocado: what do you mean? 14:41 < krzee> !pass 14:41 < vpnHelper> krzee: Error: "pass" is not a valid command. 14:41 < krzee> !factoids search pass 14:41 < vpnHelper> krzee: 'winpass', '2.1-winpass-script', 'password', and 'authpass' 14:41 < krzee> !authpas 14:41 < vpnHelper> krzee: Error: "authpas" is not a valid command. 
14:41 < krzee> !authpass 14:41 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 14:42 < Alocado> kala, if a openvpn client connects to a server, i could use certificate authentication or username/password auth 14:42 < Alocado> but: 14:42 < Alocado> user/password is (afaik) not encrypted while transferring the login credentials 14:43 < Alocado> is that correct? 14:43 < kala> its transmitted over the openvpn tunnel 14:43 < krzee> doubt that 14:43 < krzee> (doubt that its correct, sniff to check) 14:43 < krzee> auth isnt the only encryption that goes on in ovpn) 14:44 < kala> Alocado: the client configuration options and everything whats transmitted between the client and server should be secure 14:45 < Alocado> so i need no client certificates? 14:45 < krzee> HIGHLY NOT RECOMMENDED 14:48 < kala> hmm ... 14:49 < kala> Alocado: it seems that if you don't have client certificates, then you need to provide pre-shared secret to set up the secure channel 14:49 < kala> and the pre-shared secret is the same over all clients, which is bad 14:49 < chrisbdaemon> i could use some help, i'm trying to setup openvpn to allow users access to a lan at 10.0.0.0/24 and put the users on the 10.0.1.0/24 range. 
they can connect just fine and can ping the 10.0.0.1 server but pings don't reach clients behind the openbsd firewall that runs openvpn 14:50 < chrisbdaemon> heres the server config file 14:50 < chrisbdaemon> http://pastebin.com/d320bf678 14:50 < mjt> Alocado: it's not difficult at all to follow easy-rsa howto steps to create your certs 14:50 < chrisbdaemon> i read the !routing doc and did what it said, but its still not quite working 14:51 < mjt> . o O { tcpdump } 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:54 < Alocado> mjt, i know, but i need to have a VERY DYNAMIC structure 14:54 < chrisbdaemon> can anyone see if i'm doing something horribly wrong in my configuration? 14:54 < Alocado> i have to activate, deactivate and reactivate vpn clients without accessing the clients 14:55 < kala> then the client certs are the only option? 14:57 < Alocado> can i "un-revoke" certificates? 14:58 < kala> umm ... 14:58 < kala> good question :) 14:58 < kala> you could separate authentication and authorization perhaps. 14:59 < Alocado> once i created the certificate i have NO possibility to change it later... it's bound to hardware ;) 14:59 < chrisbdaemon> Alocado: if you have to be able to take away access from clients can't you use ccd to put them into a subnet that doesn't connect to anything else? 14:59 < kala> authentication as "having valid cert" and authorization as "being member of certain LDAP group" 14:59 < chrisbdaemon> then take it back out when they get it back 15:00 < Alocado> ok, next question: what happens if my root certificate gets out of date? 15:01 < kala> then you need to supply the next root cert 15:01 < kala> which is bad, I suppose :) 15:02 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 15:02 < Alocado> ;) 15:02 < Alocado> oh yes 15:02 < kala> Alocado: thats a good question. 
In my country, they have smart-card issuer root cert valid until 2016 15:03 < kala> should ask them, what they plan to do in 7 years 15:03 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has joined ##openvpn 15:05 < Alocado> ok... what happens if all clients have the same client certificate? is this a problem? 15:06 < hagna_> hmm odd I can ping 10.1.2.201 from across the vpn but nmap says WARNING: Unable to find appropriate interface for system route to 10.4.0.2 15:07 < kala> Alocado: what do you do, if one of your client is compromised? 15:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:08 < Alocado> then i have a problem :D 15:08 < Great_Anta_baka> ok my adsl mtu is 1492 and my openvpn mtu is 1500... will this cause problems when using udp to connect the client to the server? 15:08 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 15:09 -!- achilles [n=achilles@62.90.14.151] has joined ##openvpn 15:12 -!- achilles [n=achilles@62.90.14.151] has quit [Client Quit] 15:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:14 -!- Alocado [n=matthias@dslb-088-068-039-189.pools.arcor-ip.net] has quit ["Ex-Chat"] 15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:20 < mjt> usually it does not 15:20 < mjt> Great_Anta_baka: usually it does not 15:20 < Great_Anta_baka> kk 15:21 < mjt> i'm with 1492 mtu too. openvpn does mss-fixing 15:21 < Great_Anta_baka> mmm then i really dont know why i am getting No route to host (code=113) 15:21 < mjt> routes has nothing to do with MTU 15:22 < Great_Anta_baka> thought it might be frame/packet loss 15:22 < mjt> it'd be timeout or whatnot, but not no route. 15:22 < mjt> (unless you're bridging and losing arp packets) 15:22 < Great_Anta_baka> mmm.. can you elaborate? 
15:23 < Great_Anta_baka> well it works when i dont have the route 128.0.0.0/0 15:23 < Great_Anta_baka> well it works when i dont have the route 128.0.0.0/1 15:23 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 15:23 < mjt> that's a good route... 15:23 < Great_Anta_baka> :/ 15:23 < Great_Anta_baka> so it must be on the server side then? 15:23 < mjt> "it" = what? 15:24 < Great_Anta_baka> the problem 15:24 < Great_Anta_baka> wait 15:24 < Great_Anta_baka> i am too confused 15:24 < Great_Anta_baka> aarhg 15:24 * Great_Anta_baka reads some more man pages 15:29 < Great_Anta_baka> what is the 128.0.0.0/1 route for? 15:31 < kala> its almost the same effect as 0/0 route, but doesn't conflict with existing 0/0 route 15:32 -!- diegovio1a [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 15:36 < Great_Anta_baka> i see 15:36 < Great_Anta_baka> so that complements the 0.0.0.0/1 15:36 < Great_Anta_baka> to cover the entire range 15:36 < Great_Anta_baka> ? 15:36 < kala> yes 15:40 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Success] 15:45 < Great_Anta_baka> ok so i got both those routes on my client machine. But I cannot even ping the VPN server and I creep getting no route to host errors in the client openvpn window 15:45 < Great_Anta_baka> keep* 15:49 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"] 15:49 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [Connection timed out] 15:49 < reiffert> Great_Anta_baka: did you show us your config yet? 
15:50 < Great_Anta_baka> no will pastie it 15:50 < reiffert> !configs 15:50 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:52 < Great_Anta_baka> http://pastie.org/425804 15:53 < Great_Anta_baka> server 15:53 < Great_Anta_baka> http://pastie.org/425805 15:54 < reiffert> paste /etc/openvpn/up.sh 15:55 < Great_Anta_baka> in a sec.. link went down :/ 15:55 < reiffert> why tcp? 15:55 < reiffert> status: openvpn NOT connected: are client and server in the same subnet? 15:55 < Great_Anta_baka> was udp was just trying tcp out 15:56 < Great_Anta_baka> it connects fine 15:56 < Great_Anta_baka> and when i dont do routing 15:56 < Great_Anta_baka> i can ping the work computers 15:56 < reiffert> I cant see any routing attempts. 15:56 < Great_Anta_baka> but can ping computers out of the network 15:56 < reiffert> and please answer my 2nd question. 15:57 < Great_Anta_baka> what is this push "redirect-gateway local def1" .. i will paste the file in a second 15:57 < reiffert> status: openvpn NOT connected: are client and server in the same subnet? 15:58 < Great_Anta_baka> yes 15:58 < reiffert> like e.g. connected via wireless? 15:58 < Great_Anta_baka> no its an adsl connection 15:58 < reiffert> when you dont start openvpn 15:58 < reiffert> whats the IP of the client? 15:59 < Great_Anta_baka> 41.245.171.2XX 15:59 < Great_Anta_baka> thats my ppp ip 15:59 < reiffert> allright, what are you trying to achieve? 15:59 < Great_Anta_baka> i am trying to route all my traffic through the vpn 16:00 < reiffert> does everything else work when you remove that line from the server.config: 16:00 < reiffert> push "redirect-gateway local def1" 16:00 < reiffert> ? 16:00 < Great_Anta_baka> yes 16:00 < reiffert> sure? 16:00 < Great_Anta_baka> ya 16:00 < reiffert> really? 
16:00 < Great_Anta_baka> i can ping all the office computers 16:00 < reiffert> then change that line to push "redirect-gateway def1" 16:01 < Great_Anta_baka> just not further than that 16:01 < Great_Anta_baka> both of them have the same effect 16:01 < reiffert> then dont. 16:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 16:01 < reiffert> s,then,they, 16:02 < Great_Anta_baka> so then is it impossible for me to reach computers outside of the office network without adding a route for each network outside it? 16:02 < reiffert> would you please try it again with push "redirect-gateway def1" 16:02 < reiffert> without the local flag 16:02 < Great_Anta_baka> thats what it is on at the moment.. 16:03 < Great_Anta_baka> but i think that comp just crashed... AAARRRRHHHGGG 16:03 < reiffert> from what I can see on http://pastie.org/425804 you are using local. 16:03 < Great_Anta_baka> oh 16:03 < Great_Anta_baka> soz 16:03 < reiffert> s.o.ss? 16:03 < Great_Anta_baka> indeed 16:04 < Great_Anta_baka> will have to come back here when i get back to work tomorrow 16:04 < Great_Anta_baka> ooh its back 16:04 < Great_Anta_baka> wee 16:05 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 16:05 < RUS> hi anybody ? can you help me to configure my openvpn ? 16:05 < reiffert> RUS: 16:06 < reiffert> !howto 16:06 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:07 < RUS> reiffert i read it. and configure well, but i have some troubles 16:07 < RUS> you see my topic on centos.org 16:07 < RUS> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246&forum=40 16:07 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org) 16:08 < reiffert> Why are you using openvpn to get packets from one vmware client to another? 
16:09 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 16:10 < reiffert> RUS: however, what you need to do is changing the subnet of windows xp to be outside of 192.168.0.0/24 16:10 < RUS> i try to configure. it's a training server 16:10 < RUS> reiffert why i must change? 16:11 < reiffert> http://www.secure-computing.net/wiki/index.php/Durrrr 16:11 < vpnHelper> Title: Durrrr - Secure Computing Wiki (at www.secure-computing.net) 16:11 < RUS> hm...will try. it's a good skill for me :) 16:17 -!- Great_Anta_baka [n=tensai@dsl-245-171-245.telkomadsl.co.za] has quit [Read error: 104 (Connection reset by peer)] 16:18 -!- Great_Anta_baka [n=tensai@196-209-178-64-wrbs-esr-2.dynamic.isadsl.co.za] has joined ##openvpn 16:20 -!- Great_Anta_baka [n=tensai@196-209-178-64-wrbs-esr-2.dynamic.isadsl.co.za] has quit [Client Quit] 16:20 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn 16:21 -!- tensai_ [n=tensai@196.33.159.83] has quit [Client Quit] 16:21 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn 16:21 -!- tensai_ [n=tensai@196.33.159.83] has quit [Client Quit] 16:21 -!- Great_Anta_baka [n=tensai@196.33.159.83] has joined ##openvpn 16:24 < mjt> identical subnets? What's that? 16:25 < mjt> i had to connect two offices using the same 192.168.1.1/24 network 16:25 < mjt> (ie, both were using it, with .1 being the gateway) 16:26 < mjt> it worked after some ugly NATing 16:26 < reiffert> mjt: I was doing the same with bridging :) 16:26 < reiffert> cause I couldnt replace the default gateways there. 16:27 < mjt> heh. i think we had this discussion before ;) 16:27 < reiffert> probably :) 16:27 < mjt> where half the office was on one side and another on another, with intermixed IPs 16:27 < mjt> it was my situation too, at another time in another place. 
16:28 < mjt> (one dhcp server for both ends assigning addresses from the same common pool) 16:28 -!- bandini [n=bandini@host152-105-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn 16:29 < reiffert> I run two dhcp servers with firewalls on both vpn ends 16:30 -!- RUS [n=Mirc@88.214.199.27] has quit [Remote closed the connection] 16:31 < mjt> that my case was a temporary hack that lasted for about a month -- $boss was afraid that an ethernet cable between two parts of the building is too easy target for the (non-our) rooms on the way so I had to set up that tunnel. Later on we moved to another office. 16:38 -!- fixxxermet [n=kjohnson@69.85.26.2] has quit ["Leaving."] 16:41 -!- Great_Anta_baka [n=tensai@196.33.159.83] has quit [No route to host] 16:46 -!- Great_Anta_baka [n=tensai@dsl-245-151-145.telkomadsl.co.za] has joined ##openvpn 16:46 < Great_Anta_baka> reiffert, thank you 16:46 < Great_Anta_baka> that worked 16:46 < Great_Anta_baka> seems i was trying the local option with the unpatched version of openvpn 16:47 < Great_Anta_baka> only problem is after running the vpn for a few seconds the connection dies 16:48 < Great_Anta_baka> but if i ssh in the connection is permanently on 16:48 < Great_Anta_baka> i cant even ping it for a couple of minutes after it after i close the vpn connection 16:48 < Great_Anta_baka> the vpn server that is 16:50 < reiffert> use keepalive 10 120 16:50 < reiffert> on server and client 16:50 < reiffert> i'd also switch to udp and i'd probably dont touch mtu settings. 16:50 < Great_Anta_baka> ty 16:51 < reiffert> and remove comp lzo from both 16:51 < Great_Anta_baka> will try that out now 16:51 < Great_Anta_baka> kk 16:54 < reiffert> erm, explicitly disable comp lzo 17:03 < Great_Anta_baka> do i do that with a flag when i start the server 17:03 < Great_Anta_baka> i am just using "service openvpn restart" 17:04 < reiffert> "do that"=? 
17:07 < Great_Anta_baka> explicitly disable comp lzo 17:07 < Great_Anta_baka> i just commented it out 17:09 < reiffert> default is adaptive, you should use no instead. 17:10 < reiffert> and read the manpage entry for every option 17:12 < Great_Anta_baka> ya saw the options now.. seems like there is a problem with the routerboard that is forwarding the public ip to my machine.. until i get this sorted out it looks like there is no vpn access for me :/ 17:13 -!- benedictus [n=chatzill@99.156-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 17:21 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 17:22 < krzie> reif, he'll want to play with mtu cause he is on ppp iirc 17:23 < krzie> i think it was him 17:23 < krzie> ya it was (after scrolling up) 17:25 -!- bandini [n=bandini@host152-105-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:25 -!- Great_Anta_baka [n=tensai@dsl-245-151-145.telkomadsl.co.za] has quit [Client Quit] 17:26 -!- Great_Anta_baka [n=tensai@196.33.159.83] has joined ##openvpn 17:27 < Great_Anta_baka> well.. i have to be off.. work in 8 hours 17:27 < Great_Anta_baka> thanks for all the help 17:28 -!- benedictus [n=chatzill@99.156-244-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit] 17:28 < krzie> Great_Anta_baka 17:28 < Great_Anta_baka> yup 17:28 < krzie> did you mention to reif that you were on ppp? 17:28 < Great_Anta_baka> ya 17:28 < krzie> ok cool 17:28 < Great_Anta_baka> he said mtu was fine.. 
at least i think it was him 17:28 < krzie> use mtu-test on client to see if mtu is fine 17:28 < krzie> ya he did, i figured he didnt know you were on ppp 17:29 < Great_Anta_baka> i mentioned it a couple of times 17:29 < Great_Anta_baka> so think he knew 17:29 < krzie> with mtu-test on client openvpn will tell you 17:29 < Great_Anta_baka> well i am chatting to you through the vpn connection now 17:29 < Great_Anta_baka> so i am guessing its ok 17:30 < Great_Anta_baka> and no errors showing up 17:30 < Great_Anta_baka> on client screen 17:30 < Great_Anta_baka> but will try it out later 17:30 < krzie> nice =] 17:31 < krzie> normally i say dont play with mtu, ild definitely try mtu-test on ppp or satellite tho 17:31 < krzie> just to be sure 17:31 < Great_Anta_baka> although i would be interested in finding out if its possible that if the connection breaks and the client is still trying to reconnect.. if its possible to use the normal ppp gateway 17:31 < Great_Anta_baka> cos the route only gets removed once the client openvpn program is terminated 17:32 < Great_Anta_baka> but i will do that when i wake up 17:32 < Great_Anta_baka> now its sleepy time 17:32 < Great_Anta_baka> :] 17:32 < krzie> sure it is 17:32 < krzie> !def1 17:32 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:32 < krzie> ohh i see what you mean 17:32 < krzie> my bad 17:32 < Great_Anta_baka> ;) 17:43 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 17:43 < RUS> hi again 17:45 < RUS> help me please. 17:45 < RUS> i have openvpn server configured on centos OS 17:45 < RUS> i connect to openvpn server nice. 
but internet on client don't work 17:45 < RUS> now vpn server is dedicated in datacenter 17:46 < krzie> so in other words you are using redirect-gateway 17:46 < krzie> and thats the only part not working, you can ping across the vpn 17:46 < krzie> right? 17:46 < RUS> redirect-gateway def1 17:47 < krzie> and thats the only part not working, you can ping across the vpn 17:48 < RUS> WOW yes i can ping internet addresses now its COOL 17:48 < krzie> haha i was only talking about vpn ips 17:48 < krzie> but cool ;] 17:48 < krzie> can you resolve hostnames? 17:48 < RUS> nslookup ? 17:48 < krzie> sure 17:48 < krzie> or ping a hostname 17:48 < krzie> same stuff 17:49 < RUS> i can ping internet addresses 17:49 < krzie> i take it you mean by hostname 17:49 < krzie> so cool 17:49 < RUS> no ip addresse 17:49 < krzie> glad to have attempted to help 17:49 < RUS> s 17:49 < krzie> (seems you didnt need any) 17:49 < RUS> wait plz. 17:49 < RUS> i try to configure dns pushing 17:49 < krzie> well ping a hostname! 17:50 < RUS> just see my server conf 17:50 < krzie> exactly, thats what i was thinking 17:50 < krzie> CAN YOU PING A HOSTNAME? 17:50 < RUS> yes 17:50 < krzie> ok, you're done 17:50 < RUS> but 17:50 < krzie> its using old ns? 17:51 < RUS> i have server.conf thats string push "dhcp-option DNS 10.8.0.1" but nslookup show me a dns ips from my internet connection 17:51 < krzie> !pushdns 17:51 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 17:51 < krzie> see #3 17:51 < krzie> err #2 17:51 < reiffert> did RUS change the identical subnets yet? 17:51 < krzie> also be sure your NS is listening on 10.8.0.1 17:52 < RUS> yes it is. see that please 17:52 < krzie> reif: no clue, lets see what he says 17:52 < krzie> ... 
17:53 < RUS> http://pastebin.com/d5ea53ab9 17:53 < reiffert> RUS: still trying the xp vmware centos thing? 17:53 < RUS> reiffert no i try to setting up on dedicated serv now 17:53 < RUS> no vmware 17:54 < reiffert> k 17:54 < RUS> but now 10.8.0.1 don't resolve for me webnames 17:54 < reiffert> RUS: paste: 17:54 < krzie> i told you rus 17:54 < krzie> see #2 17:54 < krzie> !pushdns 17:55 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns 17:55 < krzie> read that link, or dont 17:55 < krzie> but your solution is there 17:56 * reiffert was about to ask for ipconfig and client log, but stops here. 17:57 < krzie> hes pushing dns, and is caught by the standard caveat that catches everyone 17:57 < krzie> all he has to do is listen to vpnHelper ;] 17:57 < RUS> ok i read that. this is xp bug. 17:58 < krzie> and you ran the commands Jan tells you fixes it? 17:58 < krzie> (and it fixed it?) 17:58 < krzie> if so, script it into a batch file and use it in a script that openvpn runs 18:01 < reiffert> Be sure to read the reply from Peter 18:01 < hagna_> what's the deal with nmap it won't use the same route as ping 18:02 < reiffert> whats the deal with my bike, it doesnt act like my car? 18:03 < RUS> i need to reboot after adding this reg patch ? 18:04 < reiffert> krzie: what about Jonathans last statement? 18:05 < reiffert> krzie: cause I never ran into this. 18:05 < krzie> oh no kidding, i didnt see peters response 18:05 < krzie> that deserves to be in vpnhelper! 18:06 < krzie> interesting on the last statement... 18:06 < krzie> RUS, could you try upgrading to 2.1_RC15 and not using any other fixes please? 
18:06 < krzie> ill happily link you to it even 18:07 < krzie> http://openvpn.net/release/openvpn-2.1_rc15-install.exe 18:07 < RUS> 18:07 < RUS> ok 18:07 < RUS> thats a good reason 18:07 < krzie> if that works it will be good for us to know 18:07 < krzie> its a very common problem 18:07 < krzie> reif, funny i never read that whole thread 18:08 < krzie> i saw jans response on the list, found it in archive, and linked to it 18:08 < krzie> responses came later 18:08 < reiffert> RUS: which version were you using until now? 18:08 < RUS> 2.0.9 18:09 < reiffert> uh. 18:09 < reiffert> krzie: any idea when 2.1 gets released? 18:09 < krzie> heh, less than none 18:10 < RUS> openvpn-2.0.9-gui-1.0.3-install.exe 18:10 < RUS> i use that 18:10 < reiffert> RUS: 2.0.9 is 2.5 years old. 18:10 < ecrist> !irclogs 18:10 < vpnHelper> ecrist: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.) 18:11 < RUS> reiffert i like openvpn gui. can i use it ? 18:11 < reiffert> RUS: yes 18:13 < reiffert> http://slashdot.org/pollBooth.pl?qid=1749&aid=-1 18:13 < vpnHelper> Title: Slashdot Poll (at slashdot.org) 18:15 < hagna_> reiffert: ping works fine do you why nmap wont? 18:15 < krzie> how isnt it 18:16 < hagna_> Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-24 17:14 MDT 18:16 < hagna_> WARNING: Unable to find appropriate interface for system route to 10.4.0.2 18:16 < vpnHelper> Title: Nmap - Free Security Scanner For Network Exploration & Security Audits. (at nmap.org) 18:16 < krzie> you using redirect-gateway? 
18:16 < krzie> im thinking no and that its a ptp link 18:16 < hagna_> yes right 18:16 < hagna_> I added a route and it's pingable at least 18:17 < hagna_> I added a route on the server and it's pingable 18:17 < krzie> why dont you read the nmap man page and start it correctly then 18:17 < hagna_> nmap 10.1.2.201 -e tun0 gives the same message 18:17 * krzie notes this isnt the nmap help chan 18:17 < krzie> you're trying to port scan over your vpn? 18:17 < krzie> LOL 18:18 < krzie> hilarious 18:18 < hagna_> you are hilarious 18:18 < krzie> sure 18:18 < hagna_> :) 18:19 < RUS> people 18:19 < RUS> i have installed that new version openvpn-2.1_rc15-install 18:19 < RUS> but it also works with that error 18:19 < krzie> ahh, too bad 18:20 < RUS> this is openvpn serv bug... 18:20 < RUS> outpost firewall shows me that it says destination unreachable. i need to configure iptables now for dns forwarding 18:21 * reiffert head -> table 18:21 < RUS> which table ? 18:22 < krzie> he basically facepalmed 18:22 < krzie> but skipped the palm and went straight to his desk 18:23 < RUS> i smile too. but i don't understand :) 18:24 < krzie> go back to the mail list we linked you to 18:24 < krzie> if your pings are routed right, your dns traffic is too (unless you somehow decided to block it in your firewall) 18:28 < RUS> it's hard to understand 18:28 < RUS> i downloaded the registry patch and executed it 18:28 < krzie> and rebooted? 18:29 < RUS> no 18:29 < RUS> :) 18:29 < krzie> ... 
18:29 < krzie> welcome to windows 18:29 < RUS> :) 18:29 < RUS> LOL 18:30 < krzie> please report back on the reg patch too 18:30 < krzie> if it works for you i want to link it in to vpnHelper 18:34 < hagna_> oh I found out it needs -m state --state INVALID 18:34 < hagna_> anyway just fyi 18:34 < ecrist> holy crap krzie 18:34 < ecrist> http://www.secure-computing.net/logs/openvpn.html 18:34 < vpnHelper> Title: ##openvpn statistics created with mIRCStats v1.23 by ecrist (at www.secure-computing.net) 18:34 < ecrist> look down at activity stats 18:35 < RUS> friends 18:35 < RUS> i go to smoke and i'll be back with my troubles LOL 18:36 < krzie> so you did this 18:36 < krzie> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache] 18:36 < krzie> "Start"=dword:00000002 18:36 < krzie> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters] 18:36 < krzie> "MaxCacheTtl"=dword:0000003c 18:36 < krzie> "MaxNegativeCacheTtl"=dword:00000000 18:36 < krzie> "ServerPriorityTimeLimit"=dword:00000000 18:36 < krzie> "NetFailureCacheTime"=dword:00000000 18:36 < krzie> "NegativeSOACacheTime"=dword:00000000 18:36 < krzie> right? 18:36 < krzie> damn ecrist 18:36 < reiffert> Well, I dont see how this changes the behaviour.. 18:36 < krzie> im pretty damn active 18:37 < reiffert> oh, really? 18:37 < krzie> can that even be right!? 18:37 < krzie> 1 krzee [5098] [2741] [7408] [6025] 21272 "so without looking for the formatting" 18:37 < krzie> 2 @ecrist [307] [3439] [3262] [2057] 9065 "sounds like a problem with the private key" 18:37 < reiffert> ? 18:38 < krzie> holy crap krzie 18:38 < krzie> http://www.secure-computing.net/logs/openvpn.html 18:38 < vpnHelper> Title: ##openvpn statistics created with mIRCStats v1.23 by ecrist (at www.secure-computing.net) 18:38 < ecrist> krzie: that's my irssi log file starting august 1, 2008 18:38 * xor| i just figured out that openvpn does not support ipv6 :( 18:39 < ecrist> xor|: the *internet* just started supporting it... 
18:39 < xor|> :b 18:39 < krzie> xor| correct, it'll tunnel ipv6 traffic just fine, but will not bind to ipv6 18:39 < xor|> its ok :) i guess that will be fixed soon :D 18:40 < krzie> dont hold your breath 18:40 < krzie> it'll likely be supported at some point, i dont expect it in 2.1 18:40 < reiffert> nice stats btw. 18:40 < xor|> nah, i can use IPsec instead :) 18:41 < ecrist> the relation map is interesting 18:41 < krzie> agreed 18:41 < reiffert> --tun-ipv6 18:41 < reiffert> Build a tun link capable of forwarding IPv6 traffic. 18:41 < krzie> with you and i in the middle 18:41 < krzie> reiffert, yup but no binding to ipv6 socket 18:47 < krzie> damn i knew i was active here, but those stats make me think i need a life 18:52 < ecrist> lol 18:52 < ecrist> jeev didn't take "no" for an answer and ended up getting kicked out 6 times. 18:52 < ecrist> Example: 23:54 < jeev> assmuncher 18:52 < ecrist> 00:00 -!- jeev was kicked from ##openvpn by ecrist [ecrist] 18:52 < krzie> oh page 2! 18:53 < ecrist> ecrist couldn't handle the responsibility and had to be deopped 7 times. 18:53 < krzie> (by himself!) 18:54 < krzie> well it got who i like talking to correct 18:54 < krzie> except jeev 18:54 < krzie> (whom i banned, lol) 18:55 < krzie> vpnHelper got kicked 6 times, lol 18:55 < vpnHelper> krzie: Error: "got" is not a valid command. 18:56 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has joined ##openvpn 18:57 -!- mode/##openvpn [+o krzie] by ChanServ 18:57 -!- vpnHelper was kicked from ##openvpn by krzie [lets make it 7] 18:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 18:57 -!- mode/##openvpn [-o krzee] by krzie 18:57 -!- mode/##openvpn [-o krzie] by krzie 18:58 < pauten> hey, I was reading through the howto and i found something that didn't look like it was completely explained. 
when you want to assign a user a static ip address the example is "ifconfig-push 10.9.0.1 10.9.0.2" to give the user 10.9.0.1, whats the point of the second address? 18:58 < pauten> if its being pushed to ifconfig shouldn't it be a netmask? 18:58 < krzie> !man 18:58 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:58 < RUS> ppl that works fine thanks. 18:58 < krzie> RUS, the regedit? 18:58 < RUS> YES i have an IP from panama now !!! :L) 18:59 < RUS> krzie : yes regedit only with hands 18:59 < krzie> sweet, time to update the bot 18:59 < RUS> why ? 18:59 < RUS> i saved that link in my openvpn distr folder 19:00 < krzie> for others ;] 19:00 < RUS> for me for other systems 19:00 < krzie> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit 19:00 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:01 < RUS> i need another help with startup my serv. When i reboot it the file /proc/sys/net/ipv4/ip_forward is set to 0 again and iptables rules are set to 0 too. I think it's some not cool init scripts that do that...i wanna find them 19:02 < krzie> !learn pushdns as http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit 19:02 < vpnHelper> krzie: Joo got it. 19:07 < RUS> anybody thanks to YOU 19:07 < RUS> you are welcome always for me 19:07 < RUS> maybe somebody wanna buy iphone with a lowest price ? 
:) 19:08 < krzie> !factoids search lin 19:08 < vpnHelper> krzie: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt' 19:08 < krzie> !linipforward 19:08 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:08 < RUS> ohhh thanks 19:08 < krzie> np 19:09 < RUS> i have a cheapest iphone on my us friend hands. and we sold it on ebay. nobody wants to buy it for enjoy? 19:09 < RUS> i like iphones it's very good phone i think 19:10 * krzie loves that bot 19:10 < krzie> what price? 19:10 < ecrist> ok, I tuned the stats, lots more data now. 19:10 < RUS> 600$ 19:10 < RUS> it's never opened and work with any cell providers 19:11 < krzie> are you joking? $600 is WAY too much 19:11 < krzie> and i can crack those in a second anyways 19:11 < krzie> lol 19:11 < krzie> if you were talkin $200 ild consider it 19:11 < krzie> 600 i LOL 19:11 < krzie> "cheapest" 19:12 < RUS> hm...you can see pricegrabber or other sites 19:12 < RUS> and find it for 800 or 750 19:12 < krzie> ild get cheaper than that at the local store 19:12 < ecrist> this != ##buy-my-shit 19:13 < krzie> oh ya, and that 19:14 < RUS> ok :) 19:14 < RUS> lol 19:14 < krzie> ill happily trade your iphone for my openvpn support 19:14 < krzie> :-p 19:14 < RUS> :))) 19:15 < RUS> very very much thanks guys 19:15 -!- diegovio1a [n=diego@adsl-136-248.click.com.py] has quit ["Reconnecting"] 19:15 < krzie> yw 19:15 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 19:15 < RUS> it's very very deep night in my GMT 19:15 < RUS> im very sleepy and go home now 19:15 < krzie> 8:20 here 19:16 < RUS> 3.16AM 19:16 < reiffert> GMT is on 00:16 atm 19:18 < RUS> bb all see ya 19:18 < RUS> very very good mood today 19:18 -!- RUS [n=Mirc@88.214.199.27] has quit ["Miranda IM! Smaller, Faster, Easier. 
http://miranda-im.org"] 19:31 < krzie> lol everyone like talking with me according to detailed stats 19:39 < ecrist> I'm working on automating that stats page to be updated on the :15 and :45 of every hour 19:39 < krzie> windows generated? 19:39 < ecrist> and, I'm going to restart the stats for 2009, with a separate page for 2008 19:39 < ecrist> yeah, paid for the registered version a few years ago, still have it 19:40 < ecrist> so figured i'd use it. 19:40 < krzie> werd 19:40 < ecrist> I've got a windows server in my home rack for some security software I run for my side business 19:40 < krzie> i dislike the windows scheduler (their crontab) 19:40 < ecrist> figure, if it's using power, might as well do something with the cycles 19:40 < krzie> haha ya 19:40 < ecrist> meh, I've gotten used to it over the years. 19:42 < krzie> thats my favorite part of not being a pro tech anymore 19:42 < krzie> no more getting used and being used to the windows way 19:43 < ecrist> it's what makes me a fat paycheck 19:44 < krzie> dont get me wrong, i understand 19:46 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has quit ["Leaving"] 20:15 < ecrist> ok, mircstats is updated 20:16 < ecrist> krzie: can you update !irclogs to include http://www.secure-computing.net/logs/openvpn.html please? 20:16 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) (at www.secure-computing.net) 20:18 < krzie> replace or include? 20:18 < krzie> !irclogs 20:18 < vpnHelper> krzie: "irclogs" is http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.) 20:18 < krzie> ahh, include 20:19 < krzie> !learn irclogs as http://www.secure-computing.net/logs/openvpn.html for the stats 20:19 < vpnHelper> krzie: Joo got it. 
20:33 < ecrist> ok, I changed some settings, removed vpnHelper from the list, and removed mention of operator status in the stats 20:33 < krzie> werd 20:33 < krzie> and im looking up how to give you factoid access 20:33 < ecrist> lol, my current quote is 'what a pretty little cuchie' 20:34 < krzie> hahaha 20:34 < krzie> you rigged it! 20:35 -!- huckleberry [n=tom@OL169-205.fibertel.com.ar] has joined ##openvpn 20:36 < huckleberry> !howto 20:36 < vpnHelper> huckleberry: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:36 < huckleberry> !configs 20:37 < vpnHelper> huckleberry: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:40 < ecrist> sweet, I can include images and such in the output, so I've got my new logo as my image. 20:40 < huckleberry> !logs 20:40 < vpnHelper> huckleberry: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 20:43 < ecrist> krzie: http://www.secure-computing.net/logs/openvpn_page_2.html#urltr 20:43 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) - Detailed info (at www.secure-computing.net) 20:43 < ecrist> sorry, http://www.secure-computing.net/logs/openvpn_page_2.html 20:43 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) - Detailed info (at www.secure-computing.net) 20:43 < ecrist> look at the ecrist entry 20:43 < krzie> hahaha 20:44 < krzie> www.ircpimps.org/pimpin.jpg 20:44 < krzie> my pic (scaled down maybe) ? 20:46 < ecrist> I'll scale it 20:48 < ecrist> would you like a slogan? 20:48 < ecrist> mine is 'Boats and Hos' 20:49 < krzie> "...They must find it difficult ... Those who have taken authority as the truth, rather than truth as the authority..." 
20:50 < ecrist> done 20:52 < krzie> thx =] 20:52 < ecrist> as much as I'm not a fan of mIRC, mIRCstats is pretty tight 20:52 < ecrist> I wish there was a FreeBSD port for it. 20:54 -!- tensai_ [n=tensai@196.33.159.83] has joined ##openvpn 20:55 < ecrist> I'm out for the night. see you folks tomorrow 20:55 < krzie> gnite, im still trying to give you factoid access, lol 20:55 < krzie> i may just kill the bot and mod the config 20:56 < huckleberry> I'm following the static key mini-howto, and I'm having trouble getting it to work. 20:56 -!- mepholic_ [n=what@hydra.weserv.in] has quit ["Leaving"] 20:56 < huckleberry> Openvpn server running on Ubuntu 8.04. My Macbook Pro as the client. 20:58 < huckleberry> The client never connects to the client. And, I can't ping the IP address that is assigned to the tun0 interface on the client. 20:58 < krzie> [msg(vpnHelper)] admin capability add ecrist +Factoids 20:58 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] Joo got it. 20:58 < krzie> booya 20:58 < huckleberry> Tail of the log and output from some troubleshooting commands here: http://pastebin.com/d5ed685d0 20:58 < krzie> ecrist if still here, can you identify and try to add a factoid? 21:02 < huckleberry> I apologize for the dumb question...can anyone help? 21:02 < krzie> firewall 21:02 < krzie> its writing with no reads 21:02 < krzie> tcpdump will show you which side is not seeing traffic from the other 21:03 < krzie> =] 21:03 < huckleberry> I thought it might be the firewall on the mac, so I went to System Preferences->Security and checked "Allow all incoming connections" 21:04 < krzie> welp 21:04 < krzie> tcpdump will show you which side is not seeing traffic from the other 21:05 < huckleberry> if the client assigns its own tun0 interface the 10.8.0.2 IP address, then shouldn't I be able to ping 10.8.0.2 from itself? 21:05 < huckleberry> kind of like pinging 127.0.0.1? 
21:05 < krzie> makes sense to me 21:06 < krzie> but 21:06 < krzie> tcpdump will show you which side is not seeing traffic from the other 21:06 < huckleberry> but it's not even able to ping itself 21:06 * krzie wonders how many pastes it'll take 21:07 -!- Great_Anta_baka [n=tensai@196.33.159.83] has quit [No route to host] 21:10 < huckleberry> all right, you don't have to paste any more.. 21:10 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:11 < huckleberry> on the client, 'tcpdump -i tun0' shows 0 packets 21:11 < krzie> and on the server...? 21:11 < huckleberry> on the client, 'tcpdump -i en1' shows UDP packets heading to the openvpn server 21:11 < krzie> tun if is good 21:12 < huckleberry> on the server, no packets received 21:12 < huckleberry> so, I shouldn't be concerned that I'm not capturing packets on tun0 on the client? 21:12 < huckleberry> that's normal? 21:27 < krzie> no, firewall issue 21:27 < krzie> so niether side is getting packets? 21:27 < huckleberry> nope 21:27 < huckleberry> afraid not 21:28 < krzie> !logs 21:28 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 21:28 < krzie> not a tail, the whole thing at verb 6 21:28 < krzie> (both sides) 21:28 < huckleberry> ok...give me just a few minutes 21:40 < huckleberry> client log: http://pastebin.com/d22542724 21:42 < huckleberry> server log: http://pastebin.com/d4e3c249d 21:45 < huckleberry> server log seems pretty straightforward...it starts up, then waits, and never receives anything. 
21:45 < huckleberry> i notice there's an ifconfig error message on line 182 of the client log: 21:45 < huckleberry> ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address 21:52 < krzie> # 21:52 < krzie> Tue Mar 24 23:38:50 2009 us=793278 /sbin/ifconfig tun0 delete 21:52 < krzie> # 21:52 < krzie> ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address 21:52 < krzie> # 21:52 < krzie> Tue Mar 24 23:38:50 2009 us=798407 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure 21:53 < krzie> !configs 21:53 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:54 < krzie> looks like the link that is listening cant be reached at all 21:54 < krzie> is it behind a router? 21:54 < krzie> if so, check your port forwarding 21:54 < krzie> is it behind a firewall? if so check that the port is open 22:03 < huckleberry> server config: http://pastebin.com/d217b02b1 22:03 < huckleberry> client config: http://pastebin.com/dc7aa16 22:04 < huckleberry> nothing exciting in the configs...just cut-and-pasted from the howto 22:05 < huckleberry> the server is an amazon ec2 instance. Port 1194 is open. 22:05 < huckleberry> I was able to set up a second ec2 instance as an openvpn client and connect it to the openvpn server successfully. 22:05 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 22:05 < huckleberry> just can't get it to work with my laptop. 22:06 < krzie> niether config has an option to connect out 22:07 < huckleberry> (of course the two ec2 servers are on the same network, so they wouldn't have firewall issues like I may be having.) 22:07 < ftp3> hi, i want to setup openvpn on a server, so that i can connect (via openvpn) to the server (from my laptop) and surf the net over the server, using an IP the server assigns me. 
I am looking for a tutorial, but I am not sure what I am wanting to do is called, so I can find the proper tutorial. 22:07 < krzie> one needs to connect to the other... 22:07 < huckleberry> option to connect out? 22:07 < krzie> remote ip port 22:07 < krzie> ftp3 22:07 < krzie> !sample 22:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 22:07 < krzie> then !def1 22:07 < krzie> !def1 22:07 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 22:08 < krzie> then turn on ip forwarding 22:08 < krzie> !lin_ipforward 22:08 < vpnHelper> krzie: Error: "lin_ipforward" is not a valid command. 22:08 < krzie> !factoids search lin 22:08 < vpnHelper> krzie: 'linipforward', 'linnat', 'linfw', and 'lintrafaccnt' 22:08 < krzie> !linipforward 22:08 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 22:08 < krzie> then setup NAT 22:08 < krzie> !linnat 22:08 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 22:09 < huckleberry> krzie: doesn't the remote ip port default to 1194 if not specified? 22:09 < krzie> dunno, does it hurt to specify it? 
22:09 < huckleberry> krzie: there is no port in the configs from the static key mini-howto 22:09 < huckleberry> which I'm following exactly 22:10 < krzie> ild assume theres a remote option in it 22:10 < krzie> which you dont have 22:11 < huckleberry> i see what you're saying..cut and paste error on my part 22:11 < huckleberry> i fixed the pastebin now 22:12 < huckleberry> i left off the first line with the 'remote ...' config in the past 22:12 < krzie> thats all that was missing? 22:12 < huckleberry> e 22:12 < huckleberry> yes 22:12 < huckleberry> sorry about that 22:12 < krzie> try proto tcp in both 22:12 < huckleberry> I totally understand your skepticism at this point! 22:12 < huckleberry> :) 22:12 < krzie> maybe that provider you mentioned blocks udp at the border 22:13 < krzie> if tcp works, lets try udp 53 if you dont run a NS on it 22:14 < huckleberry> i just add 'proto tcp' lines to both configs? 22:14 < krzie> ya 22:14 < huckleberry> ok 22:14 < huckleberry> hang on... 22:16 < huckleberry> oops...I got this: Options error: --proto tcp is ambiguous in this context. Please specify --proto tcp-server or --proto tcp-client 22:23 < huckleberry> good news 22:23 < huckleberry> I set proto tcp-server on server, and proto tcp-client on client 22:24 < huckleberry> and they connected! 22:24 < huckleberry> Wed Mar 25 00:21:59 2009 us=592799 Peer Connection Initiated with 75.101.200.162:1194 22:24 < huckleberry> I can ping the 10.8.0.1 server from the client! 22:25 < huckleberry> now I just need to go figure out what's blocking udp packets 22:25 < krzie> their border gateway 22:25 < krzie> try udp 53 22:25 < huckleberry> ok, will do 22:27 < huckleberry> no love with udp 53 22:28 < huckleberry> writes in client log, nothing in server log 22:30 < ftp3> krzie: which were you pointing out to me? "remote ip port" or "! sample" ? 22:31 < huckleberry> all right, I see what the problem was... 
22:31 < huckleberry> amazon ec2 has a command to open ports: 'ec2-authorize' 22:32 < huckleberry> I specified opening port 1194, and I thought it would open it for tcp and udp traffic 22:32 < huckleberry> but it didn't 22:32 < huckleberry> it defaults to tcp only 22:32 < huckleberry> so, I never had it open for udp 22:33 < huckleberry> krzie: thanks so much for your help 22:34 < huckleberry> I really appreciate your patience with what I know is a totally commonplace problem. 22:35 < krzie> yw 22:37 < ftp3> krzie: can you tell me which thing you were telling me? I did not follow which was directed to me 22:37 < krzie> everything from ftp3 to !linnat 22:37 < krzie> was at you 22:39 < ftp3> oh, lol 22:39 < ftp3> ok, thanks! 22:39 < ftp3> reading now 22:41 < krzie> np 22:45 < krzie> !irclogs 22:45 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats 22:51 -!- huckleberry [n=tom@OL169-205.fibertel.com.ar] has quit [] --- Day changed Wed Mar 25 2009 00:08 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has joined ##openvpn 00:08 < pauten> !configs 00:08 < vpnHelper> pauten: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 00:08 < pauten> just wanted the magic regex :) 00:14 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 00:39 < Skered> Unless the VPN client allows you to accept a different cert a mitm attack should just fail to connect? 
00:47 -!- tensai_ [n=tensai@196.33.159.83] has quit [Read error: 113 (No route to host)] 00:53 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit [Success] 01:04 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 01:13 -!- pauten [n=pauten__@12-208-65-240.client.mchsi.com] has quit ["Leaving"] 01:20 < krzee> Skered, 01:20 < krzee> !mitm 01:20 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 01:20 < krzee> otherwise a client cert signed by same CA could be used in a MITM attack 01:29 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn 01:29 < RUS> hi everybody 01:38 < RUS> which logs with ip addresses can you find in Dedicated Server logs ? i use only ssh and openvpn services 01:42 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 02:24 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 02:25 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn 02:30 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn 02:32 < krzee> while you try to find a way to say that in better english im going to hookup my new gigabit ethernet switch 02:32 < krzee> brb 02:37 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 02:43 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 02:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:55 < reiffert> moin 03:00 < krzy> moin 03:00 -!- krzy is now known as krzee 03:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:04 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn 03:09 < krzee> yay for gigabit to 
my NFS 03:09 < krzee> gigabit rocks! 03:09 < krzee> im so glad i always bought cat5e or cat6 now 03:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 03:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:14 -!- RUS [n=Mirc@88.214.199.27] has quit [Read error: 113 (No route to host)] 03:19 -!- reallove [n=dan@unaffiliated/reallove] has joined ##openvpn 03:19 < reallove> Hi. I have setup the server with ifconfig-pool-persist ipp.txt , the content of ipp.txt looks like "client,192.168.168.254" , but the client with the key client.key does NOT get the specified IP address. 03:19 < reallove> where can be the issue ? 03:36 < krzee> !ipp 03:36 < vpnHelper> krzee: "ipp" is (#1) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static, or (#2) also see !iporder 03:37 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 03:37 < krzee> also, if you are using tun and not topology subnet, .254 isnt even a valid ip 03:37 < reallove> !static 03:37 < vpnHelper> reallove: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 03:37 < krzee> !iporder 03:37 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 
03:42 < reallove> I don't exactly get what the 1st choice can be 03:42 < reallove> the --client-connect script 03:42 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 110 (Connection timed out)] 03:46 < krzee> !man 03:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:50 < krzee> choice #2 is easiest 03:50 < krzee> choice #1 is more flexible 03:50 < krzee> choice #3 is dynamic 03:50 < krzee> ipp.txt is basically a suggestion 03:51 < reallove> krzee: thanks for the hints,I solved the 'issue' 03:51 < reiffert> !ipp 03:51 < vpnHelper> reiffert: "ipp" is (#1) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !static, or (#2) also see !iporder 03:51 < reiffert> we should add: ipp is ifconfig-pool-persist 03:51 < reiffert> cause openvpn manpage doesnt know the word ipp 03:52 < reallove> added client-config-dir ccd in server.conf , and in ccd I created a file named client , with the content ifconfig-push 192.168.168.253 255.255.255.0 03:52 < reallove> and it's working like desired,the client got the IP 192.168.168.253 . 03:52 < krzee> reiffert, good point 03:52 < krzee> !forget ipp 03:52 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them. 03:52 < krzee> !forget ipp * 03:52 < vpnHelper> krzee: Joo got it. 03:53 < reiffert> !ccd 03:53 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 03:54 < reiffert> must-see: http://www.spiegel.de/video/video-57488.html 03:54 < vpnHelper> Title: Video - SPIEGEL ONLINE - Nachrichten (at www.spiegel.de) 03:54 < reiffert> carrying 180KG 03:55 < krzee> !learn ipp as the option --ifconfig-pool-persist ipp.txt does NOT create static ips 03:55 < vpnHelper> krzee: Joo got it. 03:55 < reiffert> The one after side-kick is on ice 03:55 < krzee> !learn ipp as Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 03:55 < vpnHelper> krzee: Joo got it. 03:56 < krzee> !ipp 03:56 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 03:56 < reiffert> !iporder 03:56 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice). 03:56 < reiffert> !static 03:56 < vpnHelper> reiffert: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 03:57 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp 03:57 < vpnHelper> krzee: Joo got it. 
03:57 < krzee> !iporder
03:57 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
03:58 < krzee> 1048 root 4 50 0 4692K 1200K RUN 0 5:18 28.42% nfsd
03:58 < krzee> wow
03:59 < krzee> on a dual core amd64 4200+
03:59 < krzee> (gigabit lan tho)
03:59 < reiffert> :)
04:00 < reiffert> 28% looks like a too high value to me.
04:00 < krzee> my laptop is using about 30% too tho
04:00 < krzee> and thats dual core 2.16 macbook pro
04:01 < krzee> i guess gigabit takes some CPU
04:01 < krzee> i wouldnt have guessed it
04:02 < krzee> ya seems high to me too tho, thats why i pasted it
04:02 < krzee> 28% for nfsd just cause im copying at 10MB/s over the lan
04:03 < krzee> ild hate to see what it does with fiber
04:03 < krzee> im also using -mapall, but that cant be that much cpu
04:03 < krzee> 19% now
04:04 < reiffert> nfsv4? udp, tcp?
04:04 < krzee> whatever fbsd default is
04:04 < krzee> good question tho
04:04 < krzee> time to tcpdump
04:04 < reiffert> 10MB/s is nothing.
04:05 < reiffert> even on 60MB/s I didnt see anything like this before.
04:05 < krzee> tcp
04:05 < reiffert> even my Pentium 1, 233Mhz works for 10MB/s
04:05 < krzee> i need to make that udp
04:05 < reiffert> Try it again with udp pls
04:05 < krzee> ya
04:06 < krzee> once i google how
04:08 < reiffert> are you saying that on gbit you manage 10MB/s?
04:09 < krzee> peaks at 11MB/s
04:09 < krzee> yes
04:09 < reiffert> thats 100mbit/s u know?
04:09 < reiffert> far from gbit
04:09 < krzee> wait you're right
04:09 < krzee> wtf
04:10 < reiffert> IIRC udp is just a mount option for the client
04:10 < reiffert> -o udp
04:10 < krzee> hrm does gigabit have diff cable length restrictions?
04:10 < krzee> im in apple, APPLE K doesnt give that option
04:11 < reiffert> open up a terminal and enter all your knowledge with your fingers
04:11 -!- reallove [n=dan@unaffiliated/reallove] has left ##openvpn []
04:11 < krzee> apple + K, nfs://10.0.0.69/nfs
04:11 < reiffert> sigh.
04:11 < krzee> ya but i love mounting from the finder
04:11 < reiffert> sigh
04:11 < krzee> ill do it for the sake of testing tho
04:12 < krzee> i wonder if my very very long cat5e cable is at fault
04:12 < reiffert> mount_nfs -U
04:12 < reiffert> how long long?
04:12 < reiffert> specs are 100meter
04:12 < krzee> nah under 100ft
04:12 < krzee> like 80 i think
04:12 < reiffert> approx 330 feet
04:13 < krzee> autoselect did make me use 100baseTX
04:13 < krzee> so i used media 1000baseT mediaopt full-duplex
04:13 < krzee> media: Ethernet 1000baseT (100baseTX )
04:13 < reiffert> which is full duplex, aint it?
04:13 < reiffert> oh, just 100Base...
04:13 < krzee> still says that in parens tho
04:13 < reiffert> I guess one of your NIC's is 100mbit only?
04:14 < krzee> the mac reports 1000
04:14 < reiffert> k.
04:14 < krzee> and the nfs..
04:14 < krzee> supported media:
04:14 < krzee> media autoselect
04:14 < krzee> media 1000baseT mediaopt full-duplex
04:14 < krzee> media 1000baseT
04:14 < krzee> media 100baseTX mediaopt full-duplex
04:14 < krzee> media 100baseTX
04:14 < reiffert> let's assume thats ok for a minute and test nfs on udp
04:14 < krzee> ok
04:15 < reiffert> btw, whats the distance unit in .us, is it feet?
04:15 < krzee> yes
04:16 < reiffert> however, lets do it over udp, then exchange the media
04:17 < reiffert> just a guess, could you login via ftp and do something like: put "| dd if=/dev/zero bs=1M count=100 " zero
04:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
04:19 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:20 < krzee> bash-3.2# mount_nfs -o udp 10.0.0.69:/nfs /nfs
04:20 < reiffert> -U on my 10.4 osx
04:20 < reiffert> -U Force the mount protocol to use UDP transport, even for TCP NFS
04:20 < reiffert> mounts. (Necessary for some old BSD servers.)
04:20 < krzee> only a -o on 10.5
04:21 < reiffert> speed?
04:21 < krzee> thats -o mntudp here
04:21 < krzee> remounted with that
04:21 < krzee> bash-3.2# mount_nfs -o mntudp 10.0.0.69:/nfs /nfs
04:23 < reiffert> -o should be enough, ensure that your nfsd is listening on udp
04:23 < reiffert> -o udp
04:23 < krzee> theres the prob
04:23 < krzee> its not
04:23 < reiffert> that might explain the mount to fail :)
04:23 < krzee> [root@nfs /root]# sockstat -l4|grep nfs
04:23 < krzee> root nfsd 1046 3 tcp4 *:2049 *:*
04:24 < krzee> it didnt fail tho, it just mounted tcp
04:24 < reiffert> damn
04:24 < krzee> tcp4 10136 492 nfs.nfsd bigboy.lan.52984 ESTABLISHED
04:24 < reiffert> meanwhile pipe some dev/zero over the wire..
04:24 < reiffert> put "| dd if=/dev/zero bs=1M count=100 " zero
04:25 < krzee> sftp> put "| dd if=/dev/zero bs=1M count=100 " zero
04:25 < krzee> not gunna open a ftp server just for that
04:25 < krzee> lemme get udp working
04:26 < reiffert> or use netcat
04:36 < krzee> weird
04:36 < krzee> nfsd wont start up for me with just -u -n 4
04:36 < krzee> but will with -t -u -n -4
04:36 < krzee> err
04:36 < krzee> but will with -t -u -n 4
04:36 < reiffert> however, bsd details I can prove atm, what about speed?
04:37 < krzee> media: Ethernet 1000baseT (100baseTX )
04:37 < krzee> i bet its the parens
04:37 < krzee> im thinking to blame the cable
04:37 < reiffert> it's not.
04:37 < krzee> lemme try another by moving it closer
04:38 < reiffert> how many MB/s over udp?
04:39 < krzee> 7
04:40 < reiffert> ouch
04:40 < krzee> peaking at 8
04:40 < reiffert> My cdrom drive is faster than your Gbit
04:40 < reiffert> hehe
04:40 < krzee> now im moving the box to test the cable
04:40 < krzee> brb in 1 sec
04:41 < krzee> oh easier
04:41 < krzee> ill plug in the laptop over there
04:41 < krzee> brb
04:41 < reiffert> laptop gbit?
04:41 < krzee> yup
04:42 < krzee> all macbook pro's got it
04:42 < krzee> media: autoselect (1000baseT ) status: active
04:42 < reiffert> ah, sounds better
04:42 < krzee> right
04:42 < krzee> the 100baseTX in parens aint right
04:42 < reiffert> time to udp/tcp then
04:42 < krzee> on the bsd box
04:42 < krzee> that was udp
04:43 < krzee> 8MB/s
04:43 < krzee> tcp got me 10-11
04:43 < krzee> time to plugin over there
04:43 < krzee> brb in 1 sec
04:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
04:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:44 < krzee> media: autoselect (100baseTX ) status: active
04:44 < krzee> yup
04:44 < krzee> i was right
04:45 < reiffert> hm, cat5e is enough for gbit per definition
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:47 < krzee> hrmm
04:47 < reiffert> sounds bad.
04:47 < krzee> looks like i got a cat5 cable with cat5.E written on it
04:47 < krzee> fuggers
04:47 < reiffert> UTP?
04:48 < krzee> aye
04:48 < reiffert> FTP? S/FTP?
04:48 < reiffert> forget that unshielded crap.
04:48 < krzee> im on a UTP right now too
04:48 < reiffert> where it comes to upper bounds like 80meters
04:49 < krzee> ahh so it prolly is my length
04:49 < krzee> well, i think i know what i gotta do
04:50 < krzee> move my setup so the long cable goes from switch to router
04:50 < krzee> ;]
04:50 < krzee> laptop is normally on wifi, i can goto livingroom to plugin when i need gigabit to the nfs
04:50 < reiffert> Uh, David Sommerseth is going to rewrite openvpn for a proper multithreading, wtf?
04:50 < krzee> whaaat?
04:50 < reiffert> it works so perfectly, he's going to break the bunny
04:51 < reiffert> openvpn-devel
04:51 < krzee> craziness
04:51 < reiffert> To my mind, he just should add an udp socket and put that into the select() RFDS and WFDS sets
04:52 * krzee digs through bins for more cat5.e or cat6 cables
04:52 < reiffert> :)
04:52 < reiffert> so your short cable didnt make it as well?
04:53 < reiffert> oh btw, are you running a switch inbetween?
04:53 < krzee> they're all on the gigabit switch i just picked up
04:53 < krzee> which is plugged into the router
04:54 < krzee> booya, both cables in the laptop bag were cat5E
04:54 < krzee> time to move stuffs
04:54 < krzee> brb again
04:54 < reiffert> what kind of gbit switch, vendor, model?
04:55 < krzee> airlink 101
04:55 < krzee> AGIGA5SW-B
04:55 < krzee> nothing special, but isnt at fault here
04:55 < krzee> proved it was the cable
04:56 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
04:58 < reiffert> Just curious, could you link them directly, without anything inbetween, just for a test?
04:59 < reiffert> A straight through cable should be enough, the NIC's most probably will handle it right.
05:00 < krzy> sure, after i test it my way
05:00 < krzy> if we dont get results i want
05:01 < reiffert> 60MB/s is a minimum.
05:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:02 < krzy> there
05:02 < krzy> now media autoselect works right
05:03 < krzy> (well it worked right before, but now it does what i want)
05:06 < reiffert> even with the 80m cable?
05:06 < krzy> no i moved my switch
05:06 < krzy> 80M cable will give switch to router
05:15 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Read error: 104 (Connection reset by peer)]
05:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:18 < krzee> 15MB/s peaks at 18MB/s
05:18 < krzee> so we broke the 100mbit barrier, but still WEAK
05:18 < krzee> time for xover cable
05:19 < krzee> which im not against using all the time for nfs if really needed
05:19 < krzee> not most convenient, but will teach me to buy a $12 switch, lol
05:20 < reiffert> 15-18 = udp?
05:20 < reiffert> a straight cable most prob will do
05:21 < krzee> well i have cat5e xover
05:21 < krzee> right here
05:22 < krzee> same speed
05:22 < krzee> tcp again, ill try udp again now
05:22 < krzee> i went back to normal after our previous test showed less BW
05:22 < krzee> throughput rather
05:24 < krzee> 8MB - 10MB with udp
05:24 < krzee> im getting faster tcp than udp
05:24 < krzee> (again)
05:24 < reiffert> thats very uncommon.
05:24 < krzee> even with my xover
05:24 < reiffert> these are the results for xover?
05:25 < reiffert> got any S/FTP Cat6 around?
05:25 < krzee> dont think so, will look
05:26 < reiffert> what kind of NIC's do you have in there, any Intel stuff?
05:27 < reiffert> Doh, I should stop using german style keyboards.
05:32 < krzee> realtek in the bsd box
05:32 < krzee> found a cat6 cable
05:32 -!- dazo [n=dazo@nat/redhat/x-3d9e8b90d961bc23] has quit ["Leaving"]
05:33 < krzee> stranded
05:35 < krzee> same
05:35 < krzee> im thinking it could be the re0 drivers in fbsd8-current
05:35 -!- dazo [n=dazo@nat/redhat/x-f73bd4897b4bd55b] has joined ##openvpn
05:37 -!- dazo [n=dazo@nat/redhat/x-f73bd4897b4bd55b] has quit [Client Quit]
05:37 < krzee> cause im out of other ideas
05:37 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn
05:38 < reiffert> uh, realtek, we call them realdreck, which pronounces the same and means real-dirt
05:38 < krzee> onboard
05:39 < krzee> ill pick up a card in the daytime
05:39 < krzee> see how that goes
05:39 < reiffert> time to get some cool ones then
05:41 < krzee> thanx for bouncing ideas around with me
05:41 < reiffert> I wanna be somebody, be somebody soon!
05:44 < krzee> hah
05:44 < krzee> further idea that its the driver
05:45 < krzee> now the cat6 to the switch gets sensed as 100 TX
05:45 < reiffert> wow.
05:45 < krzee> whereas a 5.e sensed as 1000
05:46 < reiffert> same cable between both PC's?
05:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:46 < reiffert> means, does it get sensed as 1000 when you plug it between the PCs?
05:46 < krzee> actually, yes it does
05:47 < krzee> but the 5.E gets 1000 to same port on switch
05:47 < reiffert> looks like the switch is causing it to get sensed as 100 then, right?
05:47 < krzee> weirdness
05:48 < krzee> would seem that way til i plug in the 5.e cable
05:48 < krzee> and that one works fine
05:48 < krzee> makes me think the driver is goofy
05:48 < krzee> i AM using -current...
05:49 < reiffert> which means?
05:49 < krzee> err no it switched back to 100
05:49 < krzee> started as 1000
05:49 < reiffert> "it"?
05:49 < krzee> then went back
05:49 < reiffert> cat6 between PCs?
05:49 < krzee> it being bsd box's autosense
05:49 < krzee> nah cat6 between pc's was same as cat5.e between them
05:49 < krzee> i was seeing if i could at least plug them in via switch
05:50 < reiffert> well, sounds really strange to me. Mind putting in two linux live boot cds?
05:50 < krzee> i think its the switch with the bsd box
05:50 < krzee> it tried for 1000 so i thought it had it (reported it for a minute)
05:50 < reiffert> from what I can't follow you, it sounds like the switch, yes
05:51 < krzee> sorry its getting late, im getting harder to understand
05:51 < krzee> 7am
05:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:55 < krzee> hrm ya i can blame the switch for some stuff
05:55 < krzee> for sure
05:55 < krzee> this cable gets sensed as 100mbit in port2
05:55 < krzee> and 1000 in port 3
05:56 < krzee> on my mac even
05:56 < krzee> but since crossover didnt get me over 20, thats not the only issue
05:57 < dazo> krzee: do you have tools like ethtool? ... could it be that 1GB is disabled in software?
05:57 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
05:57 < krzee> tbh ive never even heard of that
05:58 < krzee> but im getting up to 18MB/s
05:58 < krzee> think i should download some tools?
05:58 < dazo> ethtool is brilliant for checking the flags on NICs ... and reconfigure it, if needed .... not sure if it's Linux only, or Posix compatible
05:59 < dazo> you also have mii-tool as well
05:59 < Flumdahl> hmm, i have a little problem with bridged openvpn server in debian. won't allow traffic over the bridge
05:59 < krzee> first things first
05:59 < krzee> why do you want a bridge?
05:59 * dazo expected that question
05:59 < krzee> ;]
06:00 < Flumdahl> krzee: did you ask me ?
06:00 < krzee> yes
06:00 < krzee> dazo, noticed how often they actually want a bridge?
06:00 < Flumdahl> i want to route out some real ips instead of use a nat ip
06:01 < dazo> krzee: bridge sounds cool, you know ... :-P
06:01 < krzee> haha
06:01 < krzee> i have a big red one in the bay area for sale!
06:01 < Flumdahl> !configs
06:01 < vpnHelper> Flumdahl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:02 < Flumdahl> !howto
06:02 < vpnHelper> Flumdahl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:02 < dazo> Flumdahl: it's very seldom bridge is the solution ... very honestly ... unless you need to do layer2 traffic between sites
06:02 < krzee> yup
06:02 < krzee> !tunortap
06:02 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
06:03 < krzee> just do a bi-directional nat
06:03 < krzee> a 1:1 nat
06:03 < mjt> NAT is EVIL (tm)
06:03 < mjt> ;)
06:03 < dazo> Flumdahl: using NAT on the VPN tunnel ... that's also a lazy way how to sort routing in the proper way .... NAT on VPN are for users who are too lazy or not willing to understand routing concepts
06:03 < krzee> Flumdahl, mjt will help ya with your bridge!
06:03 < mjt> lol
06:04 < Flumdahl> dazo: that i have working but that is not the correct way i want it
06:04 < reiffert> a bridge is the way to use.
06:04 < krzee> dazo, not if he wants to access inet over the vpn
06:04 < Flumdahl> i have some ips at my home i want to share with a friend
06:04 * mjt did not even try bridge with openvpn.
06:04 < dazo> krzee: yeah, that's true ....
06:04 < krzee> but i got what ya meant, and for what you meant you were right (as a way out of !route)
06:05 < Flumdahl> !route
06:05 < vpnHelper> Flumdahl: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
06:05 * dazo needs to be clearer about what he means
06:06 < krzee> im taking it Flumdahl doesnt even use nat at home
06:06 < krzee> has external ips for every machine
06:06 < Flumdahl> yes
06:06 < krzee> and even has extra (lucky!)
06:07 < krzee> so Flumdahl where do you run into your problem?
06:07 < Flumdahl> that is what we want to do with my friends network too. i have 10 more ips that i dont use. and i want to setup a bridged vpn server so he can use some of those 10 ips
06:07 < krzee> hes aware his inet will be slower?
06:07 < Flumdahl> krzee: vpn server works. and vpn client connects to vpn server. but i cant connect to anything the other side of bridge
06:07 < Flumdahl> yes we know that
06:07 < krzee> lets see !configs
06:07 < krzee> !configs
06:07 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:08 < Flumdahl> what is ccd entries ?
06:08 < krzee> !ccd
06:08 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
06:08 < Flumdahl> ah
06:08 < Flumdahl> hold
06:10 < krzee> reiffert, i have a backtrack2 image handy, think thats good enough?
06:10 < krzee> (for booting my bsd box with to test gigalan with xover)
06:11 < Flumdahl> http://pastebin.com/m75018c10
06:11 < Flumdahl> there u have my setup
06:12 < krzee> version of openvpn?
06:13 < reiffert> krzee: I have no idea what you are talking about. backtrack2 image
06:13 < reiffert> ?
06:13 < Flumdahl> OpenVPN 2.1_rc11 and debian 5 on both servers
06:13 < krzee> .200 is the gateway for your lan Flumdahl ?
06:13 < krzee> reiffert, its a pentesting livecd based on linux
06:13 < Flumdahl> krzee: no .
06:14 < krzee> Flumdahl, theres your problem prolly
06:14 < Flumdahl> hold then
06:14 < krzee> --server-bridge [ gateway netmask pool-start-IP pool-end-IP ]
06:14 < krzee> give it the gateway it would be using if it were plugged into your lan
06:15 < krzee> (because once its bridged in, it IS plugged into your lan)
06:15 < reiffert> krzee: sure, give it a try. Know what ya doing or need some help with it?
06:15 < krzee> i expect ill be fine
06:16 < Flumdahl> krzee: now is all up and running again with .199 (my gw ip) instead of .200 ... i can still not ping .199 from my vpn client server.... and i have added routes to
06:17 < krzee> routes?
06:17 < krzee> no routes needed, this is layer2
06:17 < Flumdahl> krzee: if i dont do routes the client connects with my main network
06:17 < Flumdahl> not over the tunnel
06:17 -!- onats_ is now known as onats
06:17 < krzee> huh?
06:17 < Flumdahl> yah, i want all traffic to go over the vpn tunnel
06:18 < krzee> my brain is turning to mush, someone else will need to help ya
06:18 < krzee> seems 7:20 am is my cutoff tonight
06:18 < reiffert> we need a pointnclick browser thing, for people drawing their networks for us. It's always the same. People think wrong, tell us 20% and expect a solution.
06:18 < krzee> reiffert, thanx for the help troubleshooting the gigalan
06:19 < reiffert> krzee: it's keeping me off doing stupid work, yw :)
06:19 < krzee> reiffert, http://www.gliffy.com/
06:19 < vpnHelper> Title: Gliffy Online Diagram Software (at www.gliffy.com)
06:20 < krzee> thats how i made the network drawing on !route
06:20 < onats> has anyone here used an alix board?
06:20 < krzee> its sweet for just that
06:20 < onats> krzee?
06:20 < krzee> i havnt
06:21 < onats> something similar?
06:21 -!- Flumdahl [i=n30@shell.auth.se] has left ##openvpn []
06:22 < reiffert> will have to remember that. Hm I was about to help Flumdahl
06:22 < krzee> ya i guess he's got better things to do
06:23 < krzee> especially better than reading the manual
06:23 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:23 < krzee>
06:23 < krzee> mode server
06:23 < krzee> tls-server
06:23 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:23 < krzee> push "route-gateway 10.8.0.4"
06:23 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
06:23 < krzee> the push route needed is automatic
06:23 < reiffert> Flumdahl: ok, please explain your setup to me and paste !configs for me
06:23 < krzee> as i was just saying while you were gone...
06:23 < reiffert> Flumdahl: and your goal and problems.
06:24 < krzee> the only push route needed for making inet flow over bridge
06:24 < krzee> is automated in server-bridge
06:24 < krzee> from manual:
06:24 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:24 < krzee>
06:24 < krzee> mode server
06:24 < krzee> tls-server
06:24 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:24 < krzee> push "route-gateway 10.8.0.4"
06:25 < krzee> which is why i told you to fix the first argument to be the gateway that he would use if plugged into your LAN
06:25 * krzee lets reiffert take over
06:25 < krzee> goodnight guys!
06:25 < Flumdahl> reiffert: hold 2 sec
06:26 < reiffert> Flumdahl: k, I'm doing some stupid work on another screen, I'll check back from time to time.
06:27 < Flumdahl> reiffert: http://pastebin.com/m1decba42
06:28 < Flumdahl> reiffert: i can not ping 88.80.13.199 from my vpn client (88.80.13.201) ... the goal is to have all routing from client server over the tunnel and not over the main network...
06:28 < krzee> that pastebin is wrong
06:29 < krzee> you already said .200 isnt your lan's gateway
06:29 < Flumdahl> krzee: i did change. 88.80.13.199 is gateway for my lan
06:29 < Flumdahl> .200 is bridge ip
06:29 < krzee> so fix the pastebin before giving to reiffert
06:29 < Flumdahl> krzee: i did ?
06:29 < Flumdahl> line 12: server-bridge 88.80.13.199 255.255.255.192 88.80.13.201 88.80.13.202
06:29 < reiffert> Where's the difference between "bridge script on vpn server:" and "Server vpn conf:"?
06:29 < krzee> server-bridge 88.80.13.200 255.255.255.192 88.80.13.201 88.80.13.202
06:30 < krzee> line 36
06:30 < krzee> maybe only do each config 1x
06:30 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
06:30 < Flumdahl> wtf have i paste :
06:30 < Flumdahl> hahaha
06:31 < reiffert> :)
06:31 < reiffert> krzee: you know what happens when you close your laptops screen?
06:31 < krzee> my transfers stop =[
06:31 < krzee> but ya, i need to step away from the laptop
06:31 < krzee> lol
06:32 < krzee> <-- laptop crackhead
06:32 < reiffert> Flumdahl: while pasting: paste: brctl show
06:32 < reiffert> Flumdahl: ifconfig -a
06:34 < Flumdahl> http://pastebin.com/m29d892d9
06:35 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
06:35 -!- aaa320 [n=chatzill@83.125.45.111] has joined ##openvpn
06:35 < stephenh> hi, do i need to make use of iroute when i have routed WAN links as well as VPN links? I would like a subnet on the other side of a serial link to access a remote openvpn subnet (if that makes sense)
06:35 < Flumdahl> reiffert: but a question. shall there not be a /dev/tap* ?
06:35 -!- aaa320 [n=chatzill@83.125.45.111] has quit [Client Quit]
06:35 < Flumdahl> brb, will just go smoke
06:36 < krzee> stephenh,
06:36 < krzee> !iroute
06:36 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
06:36 < reiffert> Flumdahl: /dev/net/tun is required.
06:37 < reiffert> Flumdahl: after that openvpn --mktun --dev tap0 will work
06:37 < reiffert> Flumdahl: mknod c /dev/net/tun 10 200
06:38 < reiffert> Flumdahl: or whatever your mknod takes.
06:38 < reiffert> mknod /dev/net/tun c 10 200
06:40 < mjt> on modern systems it's done automatically (udev)
06:41 < mjt> the only thing needed is to load the module
06:42 < reiffert> mjt: When I'm setting up a new server the first thing I remove is udev
06:42 < mjt> i don't install it :)
06:42 < reiffert> ah well, might be an option for me :)
06:43 < mjt> but dynamic /dev is a good thing imho. I was against it for many years but linux forced it on me and now i sorta like it.
06:43 < Flumdahl> reiffert: /dev/net/tun exist
06:43 < reiffert> Flumdahl: enter: ifconfig tap0 up
06:43 < stephenh> krzee, i'll try it out, what confused me was i'm not going openvpn lan to openvpn lan, but coming from a lan via serial link, to openvpn client via the openvpn server
06:43 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
06:43 < mjt> (forced by changing major/minor numbers of my boot device (vda) on every boot)
06:44 < stephenh> makes sense though, 'the network is not one that openvpn knows about'
06:44 < reiffert> Flumdahl: however, back to: what is working and what is not?
06:44 < krzee> stephenh, if its behind the client its behind the client
06:45 < krzee> if behind the server its behind the server
06:45 < krzee> regardless of what the link is
06:45 < Flumdahl> reiffert: from the client... i can ping bridge ip on vpn server ... nothing else
06:45 < krzee> serial, ethernet, fiber... same idea
06:45 < reiffert> Flumdahl: that is .199?
06:45 < stephenh> i understand
06:46 < Flumdahl> reiffert: gateway is .199
06:46 < reiffert> Flumdahl: your networks gateway is .199?
06:46 < Flumdahl> .199 is my gw on my lan
06:46 < reiffert> then why do you use it in server-bridge 88.80.13.199?
06:47 < reiffert> ah, allright, forget it.
06:47 < Flumdahl> reiffert: krzee said it or i misunderstood him
06:47 < Flumdahl> gw netmask startip endip
06:47 < Flumdahl> for the vpn client
06:47 < reiffert> just curious, where's the difference between
06:47 < reiffert> #
06:47 < reiffert> vpn server config:
06:47 < reiffert> and
06:47 < reiffert> #
06:47 < reiffert> vpn server bridge script:
06:48 < krzee> For example, server-bridge 10.8.0.4 255.255.255.0 10.8.0.128 10.8.0.254 expands as follows:
06:48 < krzee>
06:48 < krzee> mode server
06:48 < krzee> tls-server
06:48 < krzee> ifconfig-pool 10.8.0.128 10.8.0.254 255.255.255.0
06:48 < krzee> push "route-gateway 10.8.0.4"
06:48 < krzee> gateway does go there
06:48 < Flumdahl> reiffert: what i know its so i can use my local network over the vpn
06:48 < stephenh> krzee: and if i just want to get to the vpn client and not into the lan behind it? i would use the openvpn assigned client IP not the vpn client LAN IP of vpn client ?
06:48 < reiffert> krzee: thanks, I'm already reading the manpage. It discovers what I made wrong two days ago, I took it as net-address :)
06:48 < Flumdahl> so i dont need to use any iptables or other stuff
06:49 < krzee> hehe gotchya
06:49 < krzee> and now my xfers are done
06:49 < krzee> so im really leaving this time!
06:49 < reiffert> Flumdahl: #
06:49 < reiffert> vpn server config:
06:49 < reiffert> Flumdahl: what file did you take to paste this?
06:49 < krzee> stephenh, you dont do any iroute or routes to just reach the vpn client
06:49 < Flumdahl> reiffert: huh? what you mean ?
06:50 < krzee> and yes, vpn internal ip
06:50 < Flumdahl> reiffert: i pasted my vpn server.conf and client.conf
06:50 < reiffert> Flumdahl: line 1 to 21 on http://pastebin.com/m29d892d9
06:50 < stephenh> thanks, :-)
06:50 < reiffert> Flumdahl: and line 23 to 42?
06:51 < Flumdahl> reiffert: 1-21 that is on the vpn server. 23-42 is the vpn client
06:51 < reiffert> Flumdahl: bullshit
06:51 < krzee> no, its an accidental repaste (i hope)
06:51 < reiffert> vpn client is 93-110
06:51 < Flumdahl> reiffert: no?
06:51 < Flumdahl> ah
06:52 < reiffert> and why does eth0 still have an inet4 address .231?
06:52 < Flumdahl> reiffert: eth0 has .231 yes
06:52 < reiffert> thats supposed to be an additional IP of br0-
06:52 < ecrist> morning guys
06:52 < Flumdahl> reiffert: br0 has 88.80.13.200
06:52 < reiffert> Flumdahl: sorry, I mixed up eth0 and eth1.
06:52 < reiffert> my fault.
06:53 < reiffert> Flumdahl: from the client paste:
06:53 < reiffert> Flumdahl: ifconfig -a
06:53 < onats> need a console cable! demmit!
06:53 < reiffert> Flumdahl: route -n
06:54 < reiffert> Flumdahl: add it to http://pastebin.com/m1557c8c2
06:54 < Flumdahl> http://pastebin.com/m7aaac609
06:54 < Flumdahl> ahh already make a new one
06:55 < reiffert> Flumdahl: connect the client to the server, then redo ifconfig -a and route -n pls
06:56 < Flumdahl> http://pastebin.com/m52733e32
06:56 < reiffert> dont do additional route commands
06:56 < reiffert> from another PC from your server network do: ping 88.80.13.201
06:56 < reiffert> works?
06:56 < Flumdahl> no
06:57 < Flumdahl> i did try that from my gw
06:57 < reiffert> paste route -n from server
06:57 < Flumdahl> vpn server?
06:58 < reiffert> yes
06:59 < Flumdahl> http://pastebin.com/ma5df7b1
06:59 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com)
06:59 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:00 < ecrist> !learn fe as Mac: Tunnelblick (http://code.google.com/p/tunnelblick/) or Viscosity (http://www.viscosityvpn.com)
07:00 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:00 < ecrist> krzee: no go on the learn. :(
07:00 < ecrist> I re-identified, too.
07:04 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit []
07:04 < onats> people here on serious mode?
07:10 < ecrist> why you ask, onats?
07:11 < onats> well just wanted to chat chat
07:11 < onats> :D
07:13 < ecrist> oh, that's fine, unless people are trying to get openvpn help
07:13 < ecrist> krzee, got another config. I'm going to build a home page with an iframe later today, but in the mean time, look at this:
07:13 < ecrist> http://www.secure-computing.net/logs/openvpn-last30.html
07:13 < vpnHelper> Title: ##openvpn statistics created by ecrist (with a little help from mIRCStats v1.23 :) (at www.secure-computing.net)
07:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:19 < onats> whee! i'm 22!
07:19 < onats> hehehe
07:20 < ecrist> onats, remove -last30 from the URL, get full stats starting aug 1, 2008
07:20 < ecrist> at least from when I was online/available
07:20 < onats> whee! i'm 21!
07:20 < onats> lol
07:24 < onats> ecrist, what do you do for work?
07:24 < onats> security?
07:26 < ecrist> one of the things, yes.
07:26 < ecrist> my 'day' job is a FreeBSD admin for a medical claim clearing house
07:26 < ecrist> I also own a small business which installs/services/etc security and access control systems
07:27 < ecrist> last, I'm a reserve deputy for the local sheriff's dept
07:29 < onats> multitasking!
07:31 < onats> US based?
07:31 < ecrist> yes
07:31 < onats> hows the recession affecting you / your business?
07:34 < onats> forget i asked:D
07:34 < ecrist> why?
07:35 < onats> dunno... it might be a sensitive topic?
07:36 < ecrist> going good. two of the best industries to be in right now are IT and health care. I'm an IT guy in the health care industry.
07:36 < onats> healthcare maybe.. but IT? isn't that the first to go in companies there?
07:36 < ecrist> no
07:44 < ecrist> not touchy for me, either. was on the phone
07:45 < ecrist> in my particular field, there's been a lot of regulatory changes in the last year, which ensure employment of myself and the company I work for.
07:45 < onats> HIPAA or something like that?
07:45 < onats> not familiar with it that much though
07:45 < ecrist> well, HIPAA's been around a while
07:46 < ecrist> the changes I'm talking are in reference to switching from print-image and paper submissions to all electronic submissions.
07:46 < onats> ahhhh
07:46 < onats> document imaging?
07:46 < ecrist> I live in Minnesota, and as of Jan 8th or something, all medical claims are required to be submitted electronically. There are a ton of clinics and small practices that have been submitting paper claims
07:47 < ecrist> where I work, we provide the electronic transmittal. So, these companies can submit a print-image claim, and we can electronically convert and submit it to the insurance companies.
07:48 < ecrist> we have other value-added services, such as claim tracking, and we automatically fix common errors, such as omitted NPI/Provider IDs, incorrect zip codes, etc.
07:48 < onats> i see.
07:48 < onats> st. paul or MN?
07:48 < onats> i mean Minneapolis?
07:48 < ecrist> fwiw, we do all of this on FreeBSD servers. :)
07:49 < ecrist> technically, Minnetonka, which is the Minneapolis side of the river.
07:49 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has quit [Read error: 104 (Connection reset by peer)]
07:49 < ecrist> St. Paul and Minneapolis are only ~10 miles apart
07:49 < onats> i see
07:49 < onats> i've been to St. Paul
07:49 < onats> everything closes down after 5!
07:49 < onats> lol
07:49 < ecrist> our servers are in Minneapolis downtown.
07:49 < ecrist> very true. it's been a problem St. Paul has been trying to fix for a long time.
07:50 < ecrist> about eight to ten years ago, not only was St. Paul desolate after 5pm, but it was scary too. they've done a lot to clean that town up.
07:50 < onats> there's still a lot of people there asking you for a dollar! lol
07:51 < onats> "got some change?" then these guys are pretty big! lol
07:51 < ecrist> worse in Minneapolis.
07:53 -!- belZe [i=server3@p5091D32C.dip.t-dialin.net] has joined ##openvpn
07:53 < belZe> good day together
07:54 < ecrist> I'm a fan of the twin cities, though. the cold weather keeps much of the crud out
07:56 < belZe> i am trying to run openvpn with bridge but got a little problem. the bridge doesnt seem to accept/forward/learn arp requests coming from the openvpn-side. if im trying to ping a host in the lan of the openvpn server from my openvpn-client it doesnt work. if i try it the other way around it works suddenly. my config: http://np.megab.it/250a3f7ed5.html
07:56 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it)
07:56 < belZe> creating the bridge using the predefined script coming with openvpn
07:57 < ecrist> belZe: can I inquire as to why you're using bridge vs tun?
07:57 < belZe> the openvpn-server is a vm running on an esx host where i already enabled/allowed promisc mode on the vswitch
07:58 < belZe> @ecrist: we are running several applications using broadcasts
07:58 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has joined ##openvpn
07:58 < belZe> and while we dont want to play with bcrelay or something bridging is the easier way to go
07:59 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
07:59 < ecrist> ok, we ask because most of the people who come in here don't actually need bridging.
08:00 < belZe> we also got some old apps using ipx and appletalk
08:00 < ecrist> eew
08:00 < belZe> but thats not the point and cant be the reason not to work :D
08:01 < ecrist> !logs
08:01 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
08:01 < belZe> alright. sec
08:07 < belZe> server log: http://np.megab.it/8c22631e0f.html client log: http://np.megab.it/b06fe146a6.html
08:07 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it)
08:08 < ecrist> ok, gimme a few to review them
08:09 < belZe> localnet of client is != net of openvpn
08:09 < ecrist> you need to update your version of OpenVPN
08:10 < ecrist> you're running 2.1rc11, latest version is 2.1rc15, which fixes bugs present in your version
08:10 < belZe> are there any issues with that version related to my problem? or just security based? :)
08:10 < ecrist> see here http://openvpn.net/index.php/documentation/change-log/changelog-21.html
08:10 < vpnHelper> Title: 2.1 Change Log (at openvpn.net)
08:10 < ecrist> rc12 fixed a bug in --lladdr, which is present in your config
08:11 < belZe> alright, was lazy there and got the one from the debian repo ;)
08:13 < ecrist> if you're running an RC, it's always a good idea to run the latest version, and expected if you're seeking support. ;)
08:17 < ecrist> also, if you're going to obfuscate the IP addresses, make sure your email domain doesn't resolve in such a way as to identify the obfuscated part of the IP address.
08:18 < belZe> email domain resolves to a different subnet ;)
08:18 < belZe> (to say: not my section :P)
08:18 < ecrist> sure, but I'm aware of the class B:
08:18 < ecrist> % Information related to '132.176.0.0 - 132.176.255.255'
08:18 < ecrist> inetnum: 132.176.0.0 - 132.176.255.255
08:18 < ecrist> netname: FERNUNI-NET
08:18 < ecrist> descr: FernUniversitaet Hagen
08:19 < ecrist> I don't see anything else interesting in the logs. upgrade your server/client version and try again.
08:19 < belZe> yep, but its not one huge class B of course :) but youre right, noticed the cert line too late :)
08:20 < ecrist> if it still doesn't work, post the new logs.
08:21 < belZe> yep
08:21 < belZe> thanks so far *turns his screen black with /bin/bash again*
08:27 < belZe> alright, that didnt make it. preparing logs
08:28 < ecrist> one thing at a time. we'll get it working.
08:29 < belZe> i can't escape the feeling that its still something with the esx vswitch
08:30 < ecrist> it could be, setting up bridging can be a pain, especially with VMs
08:33 < belZe> server: http://np.megab.it/954234c1bc.html client: http://np.megab.it/94ee85ac22.html
08:33 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it)
08:34 < ecrist> ok, here's some silly tests. can the connected client ping the VPN interface of the server?
08:34 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 113 (No route to host)]
08:34 < belZe> yep, can ping the bridge
08:34 < ecrist> have you tried *disabling* iptables?
08:36 < belZe> you mean by unloading the modules?
08:37 < belZe> they arent loaded by default, getting loaded first time i run iptables
08:38 < ecrist> often, users think their firewall is disabled or set to allow all traffic, and they're mistaken. only way to test is to fully disable the firewall. I'm not familiar at all with iptables, so I couldn't tell you how to do it. With pf, it's just pfctl -d to disable all rules and pfctl -e to enable all rules
08:39 < ecrist> does br0 have a different IP than eth0?
08:39 < ecrist> or are they one and the same?
08:40 < ecrist> you can't ping anything on the rest of the LAN, right?
08:40 < belZe> br0 gets the ip eth0 had before setting up the bridge. handled through the bridge-start script
08:40 < belZe> eth0 and tap0 dont have addresses when bridge is set up, as seen above
08:40 < belZe> d=s
08:41 < ecrist> ok, ignoring the VPN, can the vpn server ping other machines on its own LAN?
08:42 < belZe> yep
08:43 < belZe> and clients can ping each other (client-to-client should secure that)
08:43 < ecrist> but VPN clients cannot ping other machines on the LAN.
08:44 < belZe> i can set up continuing ping from client -> server in lan and it doesnt work. if i ping server in lan -> client it works on the client all of a sudden. therefore i think its some arp issue on the bridge
08:45 < ecrist> iptables, accept rules reference br0, correct?
08:48 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
08:48 < ecrist> are tap0 and eth0 promiscuous?
08:48 < belZe> everything's empty and there hasnt ever been anything :)
08:48 < belZe> yep they are
08:48 < belZe> http://np.megab.it/250a3f7ed5.html
08:48 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it)
08:49 < ecrist> sorry, can't read the german options.
08:49 < ecrist> what does this say: G"ultigkeitsbereich:Verbindung
08:49 < belZe> oh
08:50 < belZe> scope
08:50 < belZe> that is
08:50 < belZe> verbindung = connection
08:51 < belZe> thats the fe80 ipv6 address, its ok
08:51 < ecrist> http://openvpn.net/archive/openvpn-users/2004-02/msg00248.html
08:51 < vpnHelper> Title: [Openvpn-users] OpenVPN and bridging: ARP problem? (at openvpn.net)
08:51 < ecrist> I'm reading that thread, see if anything applies.
08:51 < belZe> yeah saw that too
08:55 < ecrist> I'm not seeing anything right away. Perhaps krzee knows?
08:55 < ecrist> !bridge
08:55 < vpnHelper> ecrist: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
08:55 < vpnHelper> ecrist: the protocol uses MAC addresses instead of IP addresses.
08:55 < belZe> it was the rp_filter
08:55 < belZe> !
08:55 < belZe> oh man
08:55 < ecrist> what is rp_filter?
08:55 < belZe> good question
08:55 < ecrist> so, you have it working?
08:55 < ecrist> if so, what did you do to fix it?
08:55 < belZe> at least echo 1 > /proc/sys/net/ipv4/conf/br0/rp_filter allows me pinging all servers on the lan now
08:56 < ecrist> adding to wiki page for future reference
08:58 < belZe> reverse path filter; it is a check to see if, for a packet arriving on an interface, a packet sent to the original packet's source address would be sent out on that interface; if not, the arriving packet is dropped. it can be considered an attempt at detecting packets with spoofed source addresses.
08:58 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#I_seem_to_be_having_problems_with_ARP_requests_reaching_the_VPN_from_my_server.27s_LAN._How_do_I_fix_this.3F
08:58 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net)
08:59 < ecrist> there, added that to our FAQ
09:00 < ecrist> thanks for the information
09:00 < ecrist> sorry I wasn't more helpful. :)
09:01 < mjt> hmm that's... wrong.
09:02 < ecrist> mjt: fix it
09:02 < mjt> unless you're multihomed, rp_filter usually does not do any bad.
09:02 < ecrist> bridging a LAN in the way belZe is, would be considered multi-homed
09:03 < belZe> im gonna try that on a fresh environment
09:03 < mjt> rp_filter stays on the way when packets go different ways back and forth
09:04 < mjt> with a "help" of advanced routing capabilities (policy routing) too
09:04 < mjt> in almost all other cases it's a sign that routing isn't set up correctly
09:05 < mjt> btw, there's log_martians knob in the same dir, to make rp_filter verbose.
09:05 < ecrist> mjt: can you offer the 'correct' fix, then?
09:05 < mjt> i just switched to this very window.. reading the scrollback now.
09:05 < mjt> -ENOCONTEXT ;)
09:06 < mjt> ghrm
09:06 < mjt> but for br0, tap0 and eth0 - which iface has which IP?
09:06 < mjt> only br0 should have an IP.
09:07 < belZe> yep, thats the way it is and tap0 and eth0 are on promisc
09:07 < mjt> what's "G"ultigkeitsbereich:Verbindung " ?
09:08 < ecrist> IPv6 scope
09:08 < belZe> Scope:Link
09:08 < belZe> or Connection, whatever
09:08 < mjt> oh ok
09:08 < mjt> where's the routing table?
09:09 < ecrist> he posted, above
09:09 < mjt> damn, and i asked the same q ecrist asked :)
09:10 < belZe> routing was only localnet and default gateway
09:10 < mjt> i don't see the routing table
09:10 < mjt> http://np.megab.it/250a3f7ed5.html -- shows ifconfig, brctl, iptables and configs
09:10 < vpnHelper> Title: gnopaste v0.5.5 - brought to you by ghcif.de (at np.megab.it)
09:11 < belZe> yep, its not there
09:11 < belZe> but its only localnet and default gw
09:11 < mjt> (btw, i prefer to use ip utility instead of ifconfig+route)
09:11 < belZe> for routes and tunnels im using it, yep
09:11 < mjt> can you show `ip r' please? It'll be 2 lines in that case.
09:12 -!- n0u [i=Chaton@unaffiliated/nou] has joined ##openvpn
09:12 < mjt> i think i know what's the prob
09:12 < n0u> mjt: in the end i agree with you, openvpn SUX ! ;-)
09:12 < belZe> cleaning the machine right now, changed something on hardware config etc. can take up a few moments :)
09:12 < mjt> ok ;)
09:12 < mjt> n0u: lol
09:13 < mjt> n0u: but believe me, it suxx less (in some areas anyway) than others ;)
09:13 < ecrist> I don't understand why you think OpenVPN sucks...
09:13 < n0u> i've been using others in the past :)
09:13 < n0u> it's time to see if others have evolved :)
09:14 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:15 < ecrist> n0u: what sucks about openvpn?
09:16 < mjt> n0u: to me, openvpn has 2 good things. It's much more secure (or at least in theory) - i mean various measures against potential bugs, like ta.key, dropping privs and chrooting. And usage of udp for everything, with nat/firewall-friendly design.
09:16 < mjt> no other solution i know has that
09:17 < n0u> i've been an openvpn user for a long long time
09:17 < mjt> and also the MTU thing which, with openvpn, basically just works.
09:17 < n0u> when the server feature appeared i was not very happy with the way i would have to setup network routes on both the system & openvpn
09:17 < mjt> but openvpn lacks general "architecture". Most of its options are quite.. random.
09:18 < n0u> now i need some feature that the tls-server/tls-client mode doesn't have
09:19 < ecrist> n0u: which features?
09:19 < ecrist> mjt: why do you say that?
09:19 < mjt> it's almost complete opposite to tinc in this area. Tinc is well-designed. But some just does not work and has never been tested... F.e. mtu probes - they generate a random data and *compress* it to determine the MTU... ;)
09:19 < n0u> so i had to test the server and i'm angry because of the way network is handled
09:19 < mjt> ecrist: because i see it?
09:21 < ecrist> mjt: something I've noticed about you, which honestly seems overly counter-productive, is you complain about many things, and whine about how things work, yet you offer no better method or alternatives.
09:21 < ecrist> to me, this is being a troll
09:21 < n0u> ecrist: i want to be able to launch a script when a tls-client is connected/( authenticated)
09:21 < mjt> --connet-script
09:21 < ecrist> that's easy
09:21 < mjt> er
09:21 < n0u> ecrist: the --client-{dis,}connect options are only available to the server mode
09:21 < mjt> --client-script
09:21 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:22 < ecrist> on the client, --up-script
09:22 < mjt> y
09:22 < n0u> --up is run when the tun is setup
09:23 < n0u> as i said before i've been using openvpn for a long time
09:23 < mjt> for client, the two events become one
09:23 < n0u> nope
09:23 < n0u> not with persist-tun
09:23 < mjt> aha. now i see what you mean, finally
09:24 < mjt> you need to run something when client lost connection with the server?
09:24 < mjt> and "reconnected" again
09:24 < n0u> i have quite a complex network setup, load balancing/source routing. and i don't want to use the server mode because it can't handle this complex setup
09:24 < n0u> i need --client-{dis,}connect for tls-server
09:25 < n0u> it can't be clearer
09:26 < mjt> ghrm
09:26 < mjt> i don't get it.
09:26 < mjt> re-read it some 10 times ;)
09:27 < ecrist> n0u: perhaps you need to fix your network setup?
09:27 < n0u> you can't, nevermind
09:27 < mjt> --mode server and --tls-server
09:27 < n0u> ecrist: perhaps i don't
09:27 < ecrist> ok, so openvpn can't do what you want, what can we help you with today?
09:28 < n0u> you can't help me with anything, i just came to kid a bit since last time mjt was complaining a lot
09:28 < n0u> my time now
09:29 < n0u> don't be angry if you can't help, that's ok :)
09:29 < ecrist> not angry, just don't want trolls. I'm on a troll-cleaning mission today
09:29 * ecrist eyes mjt
09:30 < n0u> troll ? i thought we were grownups
09:30 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
09:30 < sunta> hi
09:31 < ecrist> hi sunta
09:31 < ecrist> n0u: perhaps you need to come around more often. many in here are not grown ups
09:31 < reiffert> like me and Bushmills
09:32 < ecrist> especially reiffert
09:32 < belZe> alright
09:32 < mjt> by the way, where did i complain today?
09:32 < mjt> i think i said something good about openvpn
09:33 < n0u> anyway troll is a kiddies' word :) when they don't understand something they use it ;-)
09:33 < ecrist> I guess I am a kiddie, then.
09:33 < belZe> @mjt: so im here in the non-working state again, rp_filter 0
09:33 < belZe> u wanted ip r, right?
09:33 < sunta> problem: VPNclients cannot mount NFS-volumes. I see mount-request on the server " authenticated mount request from 10.8.0.6:1013 for /softarchiv (/softarchiv)" and no further error on the server. the client though gets "mount.nfs: access denied by server while mounting (null)". anyone familiar with such a problem?
09:33 < mjt> yeah
09:33 < belZe> 10.66.6.0/24 dev br0 proto kernel scope link src 10.66.6.200
09:33 < belZe> default via 10.66.6.254 dev br0
09:34 < mjt> and.. no lo?
09:34 < n0u> ecrist: ;-) sorry to tease you :)
09:34 < belZe> @mjt: no lo
09:34 < belZe> did the script flush there anything it shouldnt do?
09:34 < n0u> i'll be serious and find a solution based on openvpn in silence
09:35 < mjt> belZe: and what did you ping from what when it didn't work?
09:35 < belZe> client -> server on lan (not the bridge)
09:35 < n0u> i was thinking i could replace several instances of openvpn running in --tls-server by one running in --server, a solution could be to run several instances of openvpn running in --server mode \o/ sounds good, init ?
09:35 < mjt> aha
09:37 < belZe> @mjt: like "aha! *bling bling*" or "aha ... oh ... hm"? :)
09:37 < Bushmills> being grown-up is overrated
09:38 < mjt> belZe: thinking :)
09:38 < belZe> hehe ok
09:38 < mjt> well, there definitely should be a route for lo (127/8)
09:40 < mjt> (but it should not change things)
09:40 < belZe> @ecrist: maybe you should hide that solution on your wiki again, because it isnt working anymore :)
09:42 < ecrist> belZe: really?
09:43 < belZe> yeah, set up the machine with a fresh debian and rp_filter doesnt help anymore
09:43 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Verlassend"]
09:44 < belZe> same effect again. client->server doesnt work but as soon as i do server->client the client->server works
09:44 < ecrist> page edited.
09:45 < belZe> and as soon as i delete the arp entry for the server on the client it doesnt work anymore
09:46 < mjt> so basically, you've a single bridge which joins your lan (10.66.6.0/24) and the tun device.
09:46 < belZe> yep
09:46 < mjt> and the only other machine is the default gw (10.66.6.254)
09:46 < mjt> on local end
09:46 < belZe> nah theres me on the one hand and another server
09:52 < mjt> (this damn phone...)
09:53 -!- Irssi: ##openvpn: Total of 54 nicks [0 ops, 0 halfops, 0 voices, 54 normal]
09:53 < mjt> the gw (.254) - is it on the lan or on the other end?
09:53 < mjt> (just to be sure :)
09:54 < belZe> errr...the route table above is from the server
09:54 < mjt> yeah
09:54 < belZe> therefore its ofc on the local net of the openvpn server
09:54 < mjt> ok
09:54 < belZe> openvpn server = .200
09:54 < mjt> yeah
09:55 < belZe> gw = .254, another server=.10, i am=.220 and vpnclient is .201
09:55 < mjt> does your lan completely work when tun is up?
09:55 < belZe> local net of the vpnclient is completely different to the localnet the vpnserver has
09:55 < mjt> yup
09:56 < belZe> at least windows tells me hes ready :) i can reach the bridge and other clients (client-to-client). i can see arp requests coming through
09:56 < mjt> bridge = .200 you mean?
09:57 < belZe> bridge = openvpn server, yeah :)
09:57 < mjt> so, what does not work? .199 to .201 and back?
09:58 < mjt> do you see arp packets on tun0?
09:58 < mjt> (btw, promisc mode makes no sense on tun as it receives everything anyway)
09:58 < mjt> (or tap, for that matter)
10:00 < belZe> 201->10 doesnt work
10:00 < belZe> but works all of a sudden when i try 10->201
10:00 < mjt> so follow the arp packets.
10:00 < mjt> do you see arp requests on tap0 when pinging .10 from .201 ?
10:00 < mjt> do they propagate to br0 and eth0?
10:01 < mjt> note that this setup is quite unsafe for the server
10:01 < mjt> (vpn server that is)
10:02 < mjt> any client can set up any address from this /24 on its end and start replying to arp requests, and vpn server will think that, say, .10 is thaaat way instead of on the lan.
10:03 < belZe> thats no problem, all clients are under my control
10:03 < mjt> (it's the same on the lan, any wksta can steal that .10 too, but it's easier to deal with compared with when that wksta is remote)
10:05 < belZe> sorry to interrupt this discussion. i need to get home now. 4pm. otherwise i wont get lunch
10:06 < belZe> gonna check that tomorrow again
10:06 < mjt> k
10:22 -!- c64zottel [n=hans@62.12.213.52] has joined ##openvpn
10:23 -!- c64zottel [n=hans@62.12.213.52] has left ##openvpn []
10:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:40 -!- n0u [i=Chaton@unaffiliated/nou] has left ##openvpn ["server mode SUCKS ;-) suck=kiddies's verb"]
10:43 -!- mode/##openvpn [+o ecrist] by ChanServ
10:43 -!- mode/##openvpn [+b *!*@unaffiliated/nou] by ecrist
10:43 -!- mode/##openvpn [-o ecrist] by ecrist
10:59 < mjt> that's an interesting setup belZe has
11:00 < mjt> suppose there was no network activity for quite some time, so that all ARP caches are cleaned.
11:00 < mjt> now vpn server sends out a packet destined for one of vpn clients
11:00 < mjt> it gets wrapped into openvpn protocol and sent to the gateway
11:01 < mjt> and now, vpn server has to send ARP to its interface to determine who's .254 (the gateway)
11:01 < mjt> it sends out the ARP request to br0, which forwards it to eth0 AND tun0
11:01 < mjt> so openvpn gets a packet which should be sent to tunnel.
11:02 -!- caotic [n=ccolorad@201.101.15.197] has joined ##openvpn
11:02 < mjt> wrapping it to its protocol, sending out to br0 to the gateway.. but we had there already.
11:02 < mjt> s/had/was/
11:04 < mjt> the good thing is that the IP stack will not send ANOTHER ARP in this case, knowing that it already sent one a few moments before and is awaiting for the reply.
11:07 < caotic> Hi, can someone please help me. I am trying to connect from my linux box to a windows server and I only know the server Ip user/password. Right now I am using openvpn-admin but havent really made sense of it
11:08 < ecrist> caotic: we need to know more about your setup
11:08 < ecrist> !configs
11:08 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:09 < caotic> I do have Remote Desktop access to the server ...
11:11 < caotic> ecrist: how can I find out what configs the windows server has ?
11:12 < ecrist> they're going to be in text files, don't remember where they're kept, hang on
11:13 < ecrist> C:\Program Files\OpenVPN\config
11:13 < ecrist> should be a config file in there
11:14 < caotic> so openvpn cannot interface with windows native vpn support ?
11:16 < ecrist> no
11:17 < ecrist> windows native VPN is L2TP/PPTP
11:17 < ecrist> openvpn is SSL
11:17 * caotic facepalm I wasted a half day of work yesterday :P
11:17 < caotic> openvpn connections can occur without certificates without that much security risk ?
11:18 < caotic> any solution for logging in a windows vpn without openvpn ?
11:22 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:30 < mjt> there's pptp server software for windows
11:30 < mjt> i think it's included into server version
11:30 < mjt> but i'm not 100% sure
11:36 < ecrist> see here http://www.onecomputerguy.com/networking/xp_vpn_server.htm
11:36 < vpnHelper> Title: WindowsXP VPN Server (at www.onecomputerguy.com)
11:37 < ecrist> !irclogs
11:37 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats
11:37 < ecrist> !learn irclogs as http://www.secure-computing.net/log/openvpn-last30.html for stats from the last 30 days.
11:37 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:39 -!- Irssi: ##openvpn: Total of 53 nicks [0 ops, 0 halfops, 0 voices, 53 normal]
11:43 < mjt> ecrist: why did you ban n0u ?
11:44 < mjt> btw, that URL (last30) does not work (404)
11:45 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
11:45 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
11:45 < ecrist> forgot the s on logs
11:46 < mjt> stupid helper ;)
11:58 -!- c64zottel [n=hans@62.12.213.52] has joined ##openvpn
11:59 -!- c64zottel [n=hans@62.12.213.52] has left ##openvpn []
12:31 -!- caotic_ [n=ccolorad@201.101.15.197] has joined ##openvpn
12:32 -!- caotic [n=ccolorad@201.101.15.197] has quit [Read error: 113 (No route to host)]
12:43 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
12:49 -!- localadmin [n=chatzill@75.53.44.51] has joined ##openvpn
12:50 < localadmin> hello
12:50 < localadmin> I have looked around and can't tell if openvpn can act as an ssl client for checkpoint network extender
12:51 -!- localadmin is now known as mikeones_
12:53 < ecrist> mikeones_: I don't believe so.
12:55 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 60 (Operation timed out)]
12:58 -!- caotic_ [n=ccolorad@201.101.15.197] has quit [Read error: 110 (Connection timed out)]
12:59 -!- mjt [n=mjt@isrv.corpit.ru] has quit ["reboot!..."]
13:06 -!- mikeones_ [n=chatzill@75.53.44.51] has quit [Read error: 104 (Connection reset by peer)]
13:14 -!- Kvajnto [n=ls@116.233.5.100] has joined ##openvpn
13:14 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn []
13:17 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn
13:20 -!- caotic_ [n=ccolorad@201.101.15.197] has joined ##openvpn
13:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:47 -!- RUS [n=Mirc@88.214.199.27] has joined ##openvpn
13:47 < RUS> hi anybody
13:49 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
13:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:54 -!- jul_ [n=jul@colonel.verygames.net] has joined ##openvpn
13:55 < jul_> how can i deactivate encryption of data between client and server ?
13:57 < krzee> you sure?
13:58 < RUS> oh krzee hi my friend
13:58 < krzee> heyhey
14:07 < RUS> maybe you wanna my iphone ?:)
14:07 < RUS> ;-)
14:07 < krzee> maybe you didnt catch that this isnt #buymystuff
14:08 < RUS> it's a joke krzee
14:08 * krzee pets the banhammer
14:08 -!- jul_ [n=jul@colonel.verygames.net] has quit ["Lost terminal"]
14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- eWizard [n=identd@78.63.180.97] has joined ##openvpn
14:48 < martian67> can openvpn do ip-in-ip ?
14:50 -!- suprsonic [n=suprsoni@97-87-2-183.dhcp.mdsn.wi.charter.com] has joined ##openvpn
14:51 < suprsonic> in a client/server role can the client and server be assigned a static key or does it require separate keys?
14:59 -!- sunga [n=naft@77.109.123.56] has joined ##openvpn
14:59 < sunga> hi people
14:59 < sunga> !howto
14:59 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:00 < sunga> !logs
15:00 < vpnHelper> sunga: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
15:00 < sunga> !configs
15:00 < vpnHelper> sunga: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:00 < sunga> !route
15:00 < vpnHelper> sunga: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT
15:05 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:11 -!- suprsonic [n=suprsoni@97-87-2-183.dhcp.mdsn.wi.charter.com] has left ##openvpn []
15:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
15:32 < krzie> hi sunga
15:33 -!- Kvajnto [n=ls@116.233.5.100] has quit []
15:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
15:43 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:05 < ecrist> krzee: bot still doesn't work for me, btw
16:13 -!- RUS [n=Mirc@88.214.199.27] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
16:20 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:27 -!- MrDusty [n=dusty@88-105-71-110.dynamic.dsl.as9105.com] has joined ##openvpn
16:28 < MrDusty> Hey guys, I am using a PPTP connection to my work's VPN to access the intranet. It all works fine. However when I try to do system stuff like apt-get update; apt-get upgrade -y ; apt-get dist-upgrade -y it times out, when i try to do any downloading it times out or comes down in bytes.. its almost as if, the pc gets confused as to which connection to send the packets out (vpn, or wifi) and times out thinking about it, im not sure but it means when I am connected to the vpn using the internet as normal is near enough impossible ?
16:29 < ecrist> what VPN software are you using?
16:29 < ecrist> are you the admin?
16:30 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
16:31 * mjt suspects usual MTU probs....
16:32 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
16:33 < krzie> ahh cool, you're playing with mtu mjt?
16:34 < krzie> you first checked whats up with --mtu-test?
16:34 < krzie> im curious if when it sees mtu issues if it suggests settings or not
16:34 < krzie> i guess i could dig through the code if i cared enough tho, lol
16:34 < mjt> i'm not
16:35 < mjt> MrDusty said he has download probs (timeout/stalls) with his PPTP-based VPN.
16:35 < mjt> i've no idea how it relates to openvpn, but it looks like typical MTU prob.
16:36 < krzie> ahh
16:36 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
16:36 < mjt> i have yet to play with openvpn's mtu stuff.
16:36 < mjt> had no chance this far.
16:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
16:38 -!- temba_alternativ [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:39 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
16:39 < mjt> i know only one vpn so far that messes up^W^Wfixes tcp mss window
16:39 < mjt> also many cheap home routers based on linux do that.
16:39 < mjt> wonder why.
16:41 < krzie> ya so far ive had no reason to play with mtu
16:50 -!- eWizard [n=identd@78.63.180.97] has quit [Read error: 104 (Connection reset by peer)]
16:51 < mjt> there should be problems still, with !tcp
16:51 < mjt> mtu probs are always.. fun
16:52 < mjt> about a month ago i was dealing with a.. fantastic situation here, with an isp that's named.. mtu.ru
16:52 < mjt> :)
16:52 < mjt> it's adsl with typical 1492 (8 bytes for the adsl header)
16:52 < mjt> everything works on their side, with one.. issue.
16:53 < mjt> the equipment that delivers traffic to me, the pre-last hop, the one which knows the MTU is non-standard, has address in private 10.something range.
16:53 < krzie> oh ya if MrDusty is tunneling tcp over tcp thats likely his problem
16:54 < krzie> haha my isp does that to me too
16:54 < krzie> uses 10.x internal
16:54 < mjt> so the ICMP must-fragment is being sent with 10.xsomething source address
16:54 < mjt> and gets dropped on the way by other transit ISPs who do proper filtering
16:55 < krzie> hah that sucks
16:55 < mjt> i had two places trying to reach my machine, one place worked and another not.
16:55 < mjt> and just by some luck or what, i noticed the source of that damn ICMP.
16:55 < mjt> on the side that worked 16:56 < mjt> the other place was connected to an ISP who did proper filtering 16:57 < mjt> talked with mtu.ru (irony) support monkeys the other day, almost 4 hours on the phone. 16:57 < krzie> ya that is good irony 16:57 < mjt> trying to describe "which site does not work for me in which MSIE version" 16:57 < krzie> i still cant believe you think your english isnt very good... 16:57 < krzie> you type better than many native americans 16:57 < mjt> only type ;) 16:58 < krzie> hahha 16:58 < krzie> you called mtu.ru with mtu issues on their network, and the guy didnt seem to understand what the mtu problem means 16:58 < krzie> classic 16:59 < mjt> lost time it was really, and i sorta knew it will be that way... 17:00 < mjt> but i was disappointed that i had to debug the thing almost whole night.... :) 17:00 < mjt> and that was my last usage of tinc. sadly. 17:03 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 17:19 < ftp3> I have a question.. lets say my home has no firewall.. so, i connect my laptop (via openvpn) to our openvpn server at our office. Is my laptop safe? (does this question make sense?) 17:20 < mjt> very little sense... 17:20 < ftp3> ok let me rephrase it 17:20 < mjt> it'll be possible to connect to your laptop from office 17:20 < mjt> just like if you connected it into office LAN 17:21 < ftp3> i am trying to surf securely into our office vpn. if i have no firewall at home, and i just connected through my home isp to "somesite" my computer would be vulnerable to scans, etc.. I am thinking, if I am connecting to the office vpn.. i would not have a public ip anymore and be safe? or an i being stupid? 17:22 < mjt> i'd not say "stupid" about someone who's trying to think about his security 17:23 < ftp3> right.. thanks. but i mean.. 
when i connect to the office vpn, it says my ip is now "192.168.x.x" instead of before that it says the IP my isp gives me 17:23 < mjt> but you'll have to be connected to your home ISP anyway, in order to connect to your office. 17:23 < ftp3> exactly 17:23 < mjt> and this is where you'll get all the scans from. 17:24 < ftp3> extactly.. so, even though openvpn has me connected to my office, and gives me an IP there.. my home computer still also pings as the isp IP? 17:24 < mjt> openvpn makes "second network card" 17:25 < ftp3> because once i connect to the office lan, if i goto: http://www.whatismyip it says the office IP 17:25 < mjt> redirect-gateway or proxy 17:25 < ftp3> i see.. so, the first network card is not being used for my outgoing stuff.. but it is still vulnerable to an incoming attack.. correct? 17:25 < mjt> sorta 17:26 < mjt> very close 17:26 < mjt> but with your setup, i guess you actually ARE safe. 17:26 < mjt> hm 17:26 < mjt> difficult to say for windows. 17:26 < ftp3> i'm thinking.. if i goto starbucks.. am i safe :-) ya know 17:27 < ftp3> not that i am the kinda guy that sits in starbucks on his laptop.. so lets say airport 17:27 < ftp3> :-) 17:27 * mjt has no idea what starbucks is... 17:27 < ftp3> i guess the best way to find out is to scan myself when i am connected that way ;-) 17:27 < mjt> it looks like you will be open still 17:28 < mjt> but i've an idea for you 17:28 < ftp3> yes? 17:28 < mjt> you can see which services are "exported" to your network card 17:28 < mjt> and just disable them. 17:28 < mjt> THAT will work. 17:28 < ftp3> i see 17:29 < ftp3> ok, thank you ;-D 17:29 < mjt> starting with disabling "File and Print sharing for windows networks" in your network adaptor config. 17:29 < mjt> and "client for microsoft networks" 17:29 < mjt> (not sure for exact names, it was quite some time ago) 17:30 < ftp3> right.. i get your idea.. makes sense. Thanks. 
I am going to check on that now 17:30 < mjt> `netstat -a' command will show you 17:30 < mjt> which ports are listening 17:30 < mjt> closed port = no way to exploit it. 17:31 < krzie> if you redirect-gateway and only have a route to their gateway, you wont be able to reply to others on the lan 17:31 < mjt> if you're going via your office network, i guess it's the effect of redirect-gateway 17:31 < krzie> assuming its a 255.255.255.255 to their gateway, which i believe it is 17:31 < krzie> your replies will go over the vpn and disappear 17:32 < krzie> still, not as good as turning on yourfirewall 17:32 < mjt> well, lan is not a problem usually 17:32 < krzie> and even better than firewall, turning off the stuff like mjt said 17:32 < krzie> i'm thinking.. if i goto starbucks.. am i safe :-) ya know 17:32 < krzie> not that i am the kinda guy that sits in starbucks on his laptop.. so lets say airport 17:32 < krzie> hes talking bout lan 17:32 < ftp3> when i look at the results in netstat -a and I concerned with EVERYTHING (ie 127.0.0.1:port) or just my.isp.ip:port ? 17:32 < krzie> lan in the wild 17:33 < krzie> not 127.0.0.1:port 17:33 < krzie> but anything else really 17:33 < ftp3> ok good.. thats a lot less ;-) 17:33 < mjt> 0.0.0.0:port too 17:33 < ftp3> anyway, firewall is clearly the answer 17:33 < krzie> very much 0.0.0.0:port 17:33 < mjt> strictly speaking, it's trivial to connect to 127.1 over network too. 17:34 < mjt> to windows anyway 17:34 < mjt> but that's advanced... ;) 17:34 < mjt> and requires direct (on-lan) access. 17:34 < MrDusty> mjt, sorry for the late reply. No I am an employee trying to connect to my works vpn, its a PPTP vpn not sure the server side software. I use Ubuntu network manager client for PPTP connections .. 17:34 < ftp3> it would just be great if i could (easily) disallow anything either way over network1 and force anything else to come/go through network2 (openvpn) 17:34 < krzie> mjt: how? 
17:35 < MrDusty> I connect from laptop -> adsl router -> internet -> work vpn. 17:35 < MrDusty> Never used a VPN before .. 17:35 < mjt> krzie: the same as on unix 17:36 < mjt> you remove your loopback route and IP and pretend it's on the lan. 17:36 < mjt> on another machine that is 17:37 < mjt> and just connect to it 17:37 < krzie> and the target will reply even with its loopback route? 17:37 < mjt> most unixes now has protection for that 17:37 < mjt> it's done differently in different OSes 17:37 < mjt> in linux it's controlled by rp_fiter, it's more general than just 'lo' 17:38 < mjt> (reverse path filter, -- checking if a reply to incoming packet will go to the same iface as the packet comes from and dropping if not) 17:39 < mjt> MrDusty: reduce MTU of your pptp interface, on both ends, if you can. that's about it. 17:39 < mjt> MrDusty: and it has nothing to do with openvpn really 17:39 -!- caotic_ [n=ccolorad@201.101.15.197] has quit [Read error: 54 (Connection reset by peer)] 17:39 < mjt> different software different vendors different protocols 17:40 < krzie> MrDusty, this isnt #pptp 17:41 < krzie> if you switch to openvpn this is the right place 17:41 < mjt> MrDusty: (another option is to find who's breaking PMTUD and fix it... but oh well.) 17:41 < krzie> otherwise, you found the wrong channel 17:41 * mjt expects another 3-hour delay before the next reply... ;) 17:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:42 < MrDusty> mjt, Ok, I am not the server admin, just the end user. What can I do about it ? 17:42 < krzie> you can go to a channel where they help with pptp 17:43 < krzie> or you can switch to openvpn 17:43 < krzie> or you can go idle 17:43 < krzie> really its between those 3 choices... 17:43 < mjt> MrDusty: for reference: MTU stands for Maximum Transmission Unit, or the max size of data packet that can be sent/accepted. PMTUD = Path MTU discovery. 
Somehow you have to ensure the packets the two systems sends can be transmitted all the way from one to another. 17:44 < mjt> in theory it should work, but there are many places when it breaks, usually misconfig 17:44 < mjt> hm 17:44 < krzie> and if your tunnel is tcp, thats likely your problem, but i wouldnt know cause we dont help poeople with pptp here 17:44 < MrDusty> i doubt its misconfig on there part - we're talking about Message Labs. 17:45 * krzie grabs his banhammer 17:45 < mjt> i think it'll be sufficient to reduce mtu on only one end, so that his system will send proper mss 17:45 < mjt> MrDusty: misconfig anywhere on the way between the two systems 17:45 < mjt> including your home router and your isp and whatnot 17:45 < MrDusty> hrm 17:45 < MrDusty> how do normal people connect to a vpn then ? 17:46 < mjt> what's vpn? 17:46 < MrDusty> is it possible to use openvpn to connect to a vpn that requires PPTP? 17:46 < mjt> no 17:46 < MrDusty> ok 17:46 < mjt> different protocol 17:46 < mjt> krzie: pptp is gre 17:46 < mjt> not tcp 17:47 < mjt> and any encapsulation means one or another issue with MTU 17:47 < MrDusty> mjt, ok, so if your employer said connect to this vpn it requires PPTP heres the username and password how would you connect to it ? 17:47 < mjt> because it reduces the MTU obviously 17:47 < mjt> i'd killed pptp and replaced it with something else ;) 17:47 -!- mode/##openvpn [+o krzie] by ChanServ 17:48 -!- MrDusty was kicked from ##openvpn by krzie [maybe you didnt catch it... but this isnt #ptpp] 17:48 < mjt> oh 17:48 < mjt> ok 17:48 -!- mode/##openvpn [-o krzie] by krzie 17:48 < mjt> off-topic, i know. 17:48 -!- MrDusty [n=dusty@88-105-71-110.dynamic.dsl.as9105.com] has joined ##openvpn 17:48 < mjt> sometimes i just can't stop :) 17:49 < MrDusty> why such an attitude? 17:49 < krzie> mjt, not your fault... 
you're just being helpful 17:49 < krzie> but i did tell him a few times 17:49 < krzie> MrDusty, YOURE IN THE WRONG CHAN 17:49 < MrDusty> krzie, omg, your such an arrogant fuck. 17:49 < krzie> i only said it and got ignored 3 times 17:49 < krzie> ok... 17:49 -!- mode/##openvpn [+o krzie] by ChanServ 17:49 -!- mode/##openvpn [-o+b MrDusty *!*n=dusty@*.as9105.com] by krzie 17:50 -!- MrDusty was kicked from ##openvpn by krzie [bye] 17:50 -!- mode/##openvpn [-o krzie] by krzie 17:50 < mjt> dusty - it's when there's a lot of dust on something, right? :) 17:51 < krzie> correct =] 17:51 < krzie> [MrDusty(n=dusty@88-105-71-110.dynamic.dsl.as9105.com)] you are one dumb fucker, op in a channel about vpns and 17:51 < krzie> you think PPTP is TCP based LOL - WHAT A DUMB CUNT YOU ARE!!!!!!!!!!!!!!!!!!!!!!! 17:51 < krzie> ... Ignoring ALL messages from *!*dusty@88-105-71-110.dynamic.dsl.as9105.com 17:51 < krzie> lol 17:52 < mjt> sigh. 17:52 < krzie> ya 17:52 < krzie> he got 3 warnings, then a kick without ban to see if he got the point 17:52 < krzie> obviously not 17:52 < krzie> and i dont know a THING bout pptp, by choice 17:53 < krzie> which is why im not in #pptp (if that exists) 17:53 < mjt> ppp-over-GRE it is, basically. 17:53 < krzie> ahh 17:54 < mjt> with tcp control connection, encryption and compression. (C) M$. 18:00 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:00 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 18:03 < ecrist> nice, second time today the banhammer came out 18:05 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:05 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 18:05 -!- krzie [i=krzee@joogot.noskills.net] has left ##openvpn [] 18:06 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 18:06 < mjt> eth-tls: port 45(tls-win2x4) entering forwarding state 18:06 < ecrist> what happened to you? 
18:06 < mjt> er 18:06 < krzie> rtorrent is crashing joogot 18:06 < krzie> but instead of fixing it im just letting it crash it up 18:06 < krzie> lol 18:06 < krzie> should have 1 more before im done getting osx86 18:06 < mjt> bad rtorrent, bad! :) 18:07 < ecrist> when it's done crashing, fix my bot access. ;) 18:07 < krzie> iDeneb_v1.4_OSx86_ISO 18:07 < krzie> shit i thought i did, you werent here to test 18:07 < krzie> lemme look at it 18:07 < ecrist> ah, I tested, and it didn't work. 18:08 < krzie> ya see i made my second ban in bout a yr? 18:08 < krzie> hehe 18:09 < ecrist> yes, second ban today, actually 18:09 < krzie> wow 18:09 < krzie> channel record i think 18:09 < krzie> 2 in 1 day 18:09 -!- temba_alternativ [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:09 < ecrist> heh, probably. 18:10 < krzie> last i remember was jeev 18:10 < krzie> we like never ban people 18:10 < ecrist> that was the last person 18:10 < krzie> and usually only kick eachother, lol 18:10 < ecrist> exactly 18:10 < ecrist> once or twice I've had to op up, then people start behaving. 18:14 * mjt still doesn't understand why ecrist banned n0u... 18:17 < krzie> [msg(vpnHelper)] user list --capability=+factoid 18:17 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] ecrist and krzee 18:18 < krzie> you should be fine 18:18 < ecrist> ok 18:18 < krzie> now to make sure it writes to disk 18:18 < krzie> prolly lost it after i did it yesterday cause of crash 18:18 < ecrist> learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:18 < vpnHelper> Title: ##openvpn stats from ecrist! (at www.secure-computing.net) 18:18 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:18 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. 
If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:19 < ecrist> lemme re-auth 18:19 < krzie> be sure that you are identified before trying again 18:20 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:20 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:20 < krzie> ahh 18:20 < ecrist> grumble.. 18:20 < krzie> 1sec 18:20 < krzie> [msg(vpnHelper)] user list --capability=+factoids.learn 18:20 < krzie> err 18:21 < krzie> there 18:21 < krzie> now go for it 18:21 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:21 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:21 < ecrist> lemme re-auth 18:21 < krzie> show me whoami 18:21 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:21 < krzie> !whoami 18:21 < vpnHelper> krzie: krzee 18:21 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 18:21 < ecrist> !whoami 18:21 < vpnHelper> ecrist: ecrist 18:21 < krzie> wtf 18:22 * ecrist is not worthy. 
18:22 < krzie> [msg(vpnHelper)] user list --capability=+factoids.learn 18:22 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] ecrist and krzee 18:22 < krzie> ecrist: Error: You don't have the factoids.learn capability. 18:22 < krzie> that makes no sense to me 18:22 < ecrist> me either 18:23 < ecrist> krzie: get rid of the + 18:23 < krzie> nah thats needed 18:23 < mjt> !whoami 18:23 < vpnHelper> mjt: I don't recognize you. 18:23 < ecrist> !user list --capability=factoids.learn 18:23 < vpnHelper> ecrist: krzee 18:23 < krzie> + to add, - to remove 18:24 < ecrist> I think it's being globbed funny 18:24 < krzie> !user list --capability=+factoids.* 18:24 < vpnHelper> krzie: ecrist and krzee 18:24 < ecrist> !user list --capability=factoids.* 18:24 < vpnHelper> ecrist: krzee 18:24 < krzie> !user list --capability=+factoids.learn 18:24 < vpnHelper> krzie: ecrist and krzee 18:24 < krzie> hah 18:24 < mjt> ok, time to go to bed.. bye. 18:24 < krzie> screw it im putting you in the config manually 18:24 < krzie> brb 18:24 < ecrist> lol 18:24 < krzie> later mjt 18:25 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 18:28 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:28 < krzie> i think i see what it is 18:28 < ecrist> fixed? 18:29 < ecrist> should I try again? 18:29 < krzie> nope 18:29 < krzie> 1sec 18:29 < krzie> !user list --capability=+factoids.* 18:29 < vpnHelper> krzie: ecrist and krzee 18:29 < krzie> now try 18:30 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:30 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 
18:30 < krzie> !user list --capability=+admin 18:30 < vpnHelper> krzie: ecrist and krzee 18:30 < ecrist> LOL 18:30 < krzie> you are identified since it came back? 18:30 < ecrist> yep, just did 18:30 < ecrist> !whoami 18:30 < vpnHelper> ecrist: ecrist 18:30 < ecrist> before I did learn 18:31 < krzie> ecrist message it this: 18:31 < krzie> admin capability add ecrist +factoids.learn 18:31 < krzie> wtf 18:31 < ecrist> error 18:32 < krzie> WARNING 2009-03-25T16:31:51 Denying ecrist!n=ecrist@mr.garrison.secure- 18:32 < krzie> computing.net for lacking "admin" capability. 18:32 < krzie> !user list --capability=admin 18:32 < vpnHelper> krzie: krzee 18:32 < ecrist> krzie: here's what I'm thinking 18:32 < krzie> hrm maybe you're right 18:32 < ecrist> the + is being globbed wrong 18:32 < krzie> maybe no + in messaging 18:32 < krzie> in config its needed 18:33 < krzie> try now... 18:33 < krzie> !user list --capability=admin 18:33 < vpnHelper> krzie: ecrist and krzee 18:33 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:33 < vpnHelper> ecrist: Joo got it. 18:33 < ecrist> bingo 18:33 < krzie> yeee 18:34 < krzie> try again pls 18:35 < ecrist> !learn irclogs as http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:35 < vpnHelper> ecrist: Joo got it. 18:35 < ecrist> !irclogs 18:35 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days., or (#4) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the 18:35 < vpnHelper> ecrist: last 30 days. 18:35 < krzie> now forget irclogs 4 18:35 < ecrist> !forget irclogs 4 18:35 < vpnHelper> ecrist: Joo got it. 
18:35 < krzie> nice 18:36 < krzie> their docs are outdated 18:36 < krzie> what the manual says todo is wrong 18:36 < ecrist> typical of OSS 18:38 < krzie> there, i removed all the + stuffs 18:38 < krzie> should be good now 18:38 < ecrist> thanks! 18:38 < krzie> lemme kill the bot to make sure it writes stuff out to disk 18:38 < krzie> np 18:39 < krzie> vpnHelper die 18:39 < vpnHelper> krzie: Error: "die" is not a valid command. 18:39 < ecrist> heh, the jabber bot I wrote does that automatically. 18:39 < krzie> vpnHelper quit 18:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["krzie"] 18:39 < krzie> so does supybot 18:39 < krzie> unless the system crashes 18:39 < krzie> as rtorrent has caused 2x today 18:40 < ecrist> no, I mean, it does it as soon as a config change is made via messages 18:40 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 18:40 < krzie> ahh 18:41 < krzie> [msg(vpnHelper)] rss info feed://ovpnforum.com/external.php?type=RSS2 18:41 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] Error: I couldn't retrieve that RSS feed. 18:41 < krzie> that explains that 18:42 < krzie> oh no it doesnt cause the whole site is down 18:42 < krzie> lol 18:43 < krzie> i find this funny bout the firefox error for address not found 18:43 < ecrist> the site is down? 18:43 < krzie> Did you make a mistake when typing the domain? (e.g. "ww.mozilla.org" instead of "www.mozilla.org") 18:43 < krzie> their example is a typo in the HOST not domain 18:44 < krzie> yup, its down 18:44 < ecrist> DNS failure 18:44 < ecrist> the site is up - against my advice, Dougy chose to host DNS at bergenhosting.net 18:44 < ecrist> I'm getting SRVFAIL 18:44 < krzie> haha 18:45 < krzie> i run some ns, im sure you do too 18:45 < krzie> and he leaves it at some hosting co 18:45 < ecrist> I've got a ton of NS stuff going on 18:45 < ecrist> I've got secondaries in WI, and I'm hosting secondaries for a couple small ISPs out there. 
18:45 < ecrist> I'll send him an email. 18:46 < ecrist> sent 18:46 < ecrist> I tell you, me and my dsl/cable are more reliable than most data centers. 18:48 < ecrist> I'm going out for a walk. One of my dogs is driving me crazy. 18:48 < ecrist> back later. 18:49 < krzie> cool 18:49 < krzie> after you got that box running fbsd i know the support is better than most DC's 18:50 < krzie> lol 18:53 -!- the_mo [i=mo@team-aow.de] has joined ##openvpn 19:04 < the_mo> !route 19:04 < vpnHelper> the_mo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 19:04 -!- duxex [n=duxex@63.214.229.20] has joined ##openvpn 19:06 < the_mo> it seems like im having some sort of routing/forwarding problem. i want the vpn to work as an encrypted connection to the internet. the vpn tunnel is correctly set up and working. 19:07 < the_mo> using tcpdump i can see the tun0 device getting the ICMP echo requests im sending from the client 19:07 < the_mo> yet, the eth0 device doesnt get these packets so they aint forwarded from the tun0 device to the eth0 device 19:08 < duxex> did you use redirect-gateway? 19:08 < the_mo> yep 19:08 < duxex> :( 19:08 < the_mo> ipv4 forwarding is also enabled server-side 19:08 < krzie> using tun, right? 19:08 < krzie> oh duh, tun0 19:08 < the_mo> yea 19:09 < duxex> I also setup iptables rules that restrict any adapter to my VPN host and allow all other traffic out my VPN tun0 device 19:09 < duxex> to be 100% sure 19:09 < the_mo> ive been using the exact same setup on another server, where it did work, so i figured its gotta be some server-side stuff 19:09 < duxex> did you do your iptables stuff? 19:09 < duxex> on the server 19:10 < duxex> iptables -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE is on my server 19:10 < krzie> prolly NAT 19:10 < krzie> can you reach the server vpn ip via ping? 
19:10 < krzie> the internal address 19:10 < the_mo> yea 19:10 < krzie> oh, prolly nat 19:10 < krzie> !linnat 19:10 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:10 < krzie> using linux? 19:10 < the_mo> ye 19:11 < the_mo> ive set up iptables with that postrouting stuff, yep 19:12 < duxex> I have one too, does anybody know a way I can push clients hostnames up to my VPN server so I can easily differentiate the hosts, I have the same key for guest hosts 19:12 < krzie> !def1 19:12 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:12 < duxex> !dns 19:12 < vpnHelper> duxex: Error: "dns" is not a valid command. 19:12 < krzie> push clients hostnames? 19:13 < krzie> a) clients dont push ANYTHING to the server 19:13 < krzie> b) what are you wanting? 19:13 < the_mo> setup is: client pc is supposed to use the vpn tunnel to access the internet 19:13 < krzie> the_mo so you're using redirect-gateway def1, right? 19:14 < the_mo> yep 19:14 < krzie> what os is the client? 19:14 < the_mo> client is linux as well 19:14 < krzie> both sides started as root? 19:15 < the_mo> yep 19:15 < the_mo> ive got the clients conf right here: http://rafb.net/p/n7cidc22.html 19:15 < vpnHelper> Title: Nopaste - No description (at rafb.net) 19:15 < krzie> yup i was bout to say.. 
19:15 < krzie> !configs 19:15 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:15 < krzie> !logs 19:15 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:16 < krzie> hrm, didnt know you could redirect-gateway over a ptp link 19:16 < krzie> but i guess i dont see why not 19:16 < krzie> route 0.0.0.0 0.0.0.0 19:16 < krzie> remove that 19:17 < krzie> also 19:17 < krzie> why are you using tcp? 19:17 < krzie> firewall wont allow for udp? 19:17 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 19:17 < the_mo> exactly 19:17 < krzie> pro! 19:17 < krzie> wassup brutha 19:17 < krzie> mah brutha from another country 19:18 < prxtien> not much mayne 19:18 < prxtien> you? 19:18 < krzie> just got back to my island this last week 19:18 < krzie> building some new boxen and whatnot 19:18 -!- duxex [n=duxex@63.214.229.20] has quit ["Leaving"] 19:18 < prxtien> sweet 19:19 < prxtien> in another week or so i should be outta here 19:19 < krzie> ya i came back with a whole suitcase full of parts 19:19 < krzie> nice! 19:19 < krzie> i cant believe you're still in there 19:19 < krzie> gotta be getting old 19:19 < the_mo> hm.. 
wth, i was pushing the route 0000 0000 stuff from the server side as well, i guess ima remove that too -.- 19:19 < prxtien> 3 1/2 weeks so far this time 19:19 < krzie> the_mo yup 19:20 < the_mo> ok didnt change nything sadly 19:20 < prxtien> kr hows the girls goin 19:20 < krzie> good pro, i had me a lil brazillian model in peru while i was out there 19:21 < the_mo> both openvpns are running verb6 currently and the packets show up nicely in both consoles, yet i dont get ping replies to my client when pining the internet 19:21 < prxtien> ehehe nice 19:21 < prxtien> kr, you ever see problems with site-to-site always open bridge between sites having problems with certificates? 19:22 < krzie> wouldnt know, i never use bridge 19:22 < krzie> why are you using it? 19:22 < prxtien> after maybe 1-2 days the latency goes from 40ms to about 300-1000 ms 19:22 < krzie> prxtien you using tcp? 19:22 < prxtien> im not using bridge, i just ment i am bridging the sites together eheh 19:22 < prxtien> nah udp 19:22 < krzie> umm 19:22 < prxtien> if i use statickey it works nie 19:22 < prxtien> nice even 19:22 < krzie> if you arent using bridge you arent bridging them together 19:22 < krzie> hehe 19:22 < the_mo> so heres server config, no surprise there i guess http://rafb.net/p/zsPECz84.html 19:22 < vpnHelper> Title: Nopaste - server side conf (at rafb.net) 19:22 < krzie> you are connecting them using routing 19:22 < prxtien> mmmm 19:23 < prxtien> im using tun 19:23 < krzie> the_mo remove the push from server 19:23 < krzie> you already defined it in client 19:23 < krzie> and you cant push anyways 19:23 < krzie> no pull in client, and not using client/server mode 19:24 < the_mo> aight 19:24 < the_mo> just a style change i guess but thx 19:24 < krzie> np 19:25 < krzie> also add def1 to your redirect-gateway 19:25 < krzie> oh nm its on the client one 19:33 < the_mo> hm okay, i just tried stopping the firewall for a sec (server side), didnt change nything 19:34 < the_mo> gotta be sumthin 
else 19:35 < krzie> !linfw 19:35 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 19:35 < krzie> (as well as) 19:35 < krzie> !linnat 19:35 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:38 < krzie> !linipforward 19:38 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:39 < krzie> also check client firewall 19:39 < krzie> make sure its gunna allow stuff from the server 19:39 < the_mo> it does, since im getting replies from the server just fine 19:40 < the_mo> ive been running tcpdump on both devices (server side) while running a PING on client side 19:40 < the_mo> while the dump at the tun device got the request, eth0 didnt, so i guess its not being forwarded 19:40 < krzie> that means its allowing the source of server from the server 19:40 < krzie> make sure it allows any source, from the server 19:41 < the_mo> uhm... hu? sorry :) 19:44 < the_mo> im having a 'iptables -A FORWARD -i tun0 -j ACCEPT' rule if thats what ya meant 19:45 * ecrist starts work on recoding his site 19:47 < krzie> !logs 19:47 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 19:47 < krzie> ecrist, gunna do adwords? 
19:47 < ecrist> not redoing the wiki, atm, but i don't think I'm going to 19:48 < ecrist> I might actually proposition some folks I know for posting ads directly 19:49 < ecrist> I've run into Ethan Galstad a number of times, might call him and ask if he wants to advert nagios, and I might hit up the openvpn folks for ads for their commercial stuff. 19:49 < ecrist> ;) 19:49 < ecrist> adwords is crap, imho 19:49 < ecrist> speaking as a former advertiser, as well as a former adwords lister 19:53 < ecrist> maybe I should just drupal my site. 19:54 < ecrist> odds are, I'm not going to do any ads. 19:54 < krzie> werd 19:54 < krzie> funny how we changed sides on that one 19:54 < krzie> lol 19:56 < the_mo> PM'd the log files if thats ok 19:57 < krzie> its ok if you dont want much help 19:57 < krzie> theres many more here than me that know whats up 19:57 < krzie> wouldnt be the first time they found something i miss 19:57 < krzie> but thats your gamble to make 19:59 < the_mo> havent seen that much activity in ere right now, its pretty late now anyhow. lets just see if theres something in there that i didnt think is looking wrong :) 19:59 < the_mo> ... for now 20:00 < krzie> late? 9est, 6pst for americans 20:00 < the_mo> uhm... yea nvm that, silly me 20:03 < the_mo> gah screw it, ma box is connected to the internet anyways, no need to keep the ip secret i guess 20:03 < the_mo> http://rafb.net/p/fJ92mz82.html 20:03 < vpnHelper> Title: Nopaste - client log (at rafb.net) 20:03 < the_mo> http://rafb.net/p/LWhHwF30.html 20:03 < vpnHelper> Title: Nopaste - No description (at rafb.net) 20:04 < the_mo> hm.. lazy me, later is the server side log 20:04 < reiffert> moin 20:04 < krzie> moin reif 20:05 < krzie> the_mo is having a problem with his redirect-gateway stuff, configs (ptp) and logs looked fine to me 20:05 < krzie> he says his firewall is right, i havnt looked at it yet 20:05 < reiffert> the_mo: using vmware? 20:05 < the_mo> no 20:05 < reiffert> krzie: "having a problem" ? 
20:06 < krzie> he can ping across the firewall but not getting anything from inet
20:06 < krzie> the_mo you trying to ping inet ip by ip to test?
20:06 < reiffert> client os?
20:06 < krzie> (not by hostname)
20:06 < the_mo> yep, tried ip as well
20:06 < the_mo> client is linux as well currently
20:06 < reiffert> the_mo: paste routing table
20:07 < reiffert> route -n
20:07 < reiffert> when being connected
20:07 < the_mo> client/serv
20:07 < krzie> client
20:07 < reiffert> openvpn version?
20:07 < reiffert> the_mo: paste routing table from the client
20:08 < the_mo> http://rafb.net/p/ZL3PiQ43.html
20:08 < vpnHelper> Title: Nopaste - route -n client side (at rafb.net)
20:08 < reiffert> the_mo: and: ifconfig -a
20:09 < reiffert> the_mo: disconnect openvpn, paste route -n again please
20:10 < the_mo> only 3 lines now
20:10 < the_mo> 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
20:10 < the_mo> 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
20:10 < the_mo> 0.0.0.0 10.1.1.254 0.0.0.0 UG 1 0 0 eth0
20:10 < the_mo> http://rafb.net/p/NvCkN221.html
20:10 < vpnHelper> Title: Nopaste - ifconfig -a client side (at rafb.net)
20:11 < reiffert> krzie: r u sure the routing table looks ok when being connected?
20:12 < ecrist> should I bother including a big library like dojo or jquery?
20:12 < reiffert> the_mo: however, connect the client to your server and run tcpdump on the server, like this:
20:12 < reiffert> tcpdump -n -i tun0 proto ICMP
20:12 < reiffert> then run: ping 193.99.144.80 on the client
20:13 < reiffert> paste what tcpdump puts out. 2-3 lines are enough. paste it to IRC
20:13 < the_mo> mmh.. you like using heise for ping tests as well dont you ;)
20:13 < reiffert> no. I like the dns server from my university.
20:14 < the_mo> 02:17:31.756946 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 4, length 64
20:14 < the_mo> 02:17:32.757396 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 5, length 64
20:14 < the_mo> 02:17:33.757276 IP 10.0.0.1 > 193.99.144.80: ICMP echo request, id 52234, seq 6, length 64
20:14 < the_mo> ive said it before :), the tun device gets the echo requests
20:14 < reiffert> ok, the problem is your server.
20:14 < the_mo> the eth0 doesnt
20:14 < reiffert> you fucked up masquerading.
20:14 < the_mo> yea
20:14 < reiffert> iptables -t nat -v -n -L
20:14 < reiffert> paste
20:14 < reiffert> as well as
20:14 < reiffert> iptables -t filter -v -n -L
20:15 < reiffert> !ip_forward
20:15 < vpnHelper> reiffert: Error: "ip_forward" is not a valid command.
20:15 < the_mo> first one doesnt return any rules *scratchhead*
20:15 < reiffert> !ip_forward
20:15 < vpnHelper> reiffert: Error: "ip_forward" is not a valid command.
20:15 < reiffert> /proc/sys/net/ipv4/ip_forward
20:15 < the_mo> set to 1, yep
20:16 < reiffert> !learn ip_forward as dont forget to echo 1 > /proc/sys/net/ipv4/ip_forward when doing masquerading on linux. See netfilter.org Masquerading Howto, Chapter 4.2 "Help! I just want masquerading"
20:16 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
20:16 < reiffert> vpnHelper: fuck off
20:16 < vpnHelper> reiffert: Error: "fuck" is not a valid command.
20:16 < reiffert> the_mo: please, do what I was asking for.
20:16 < krzie> reif
20:16 < krzie> !linipforward
20:17 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:17 < reiffert> vpnHelper: whoami
20:17 < vpnHelper> reiffert: I don't recognize you.
20:17 < reiffert> vpnHelper: may I introduce myself?
20:17 < vpnHelper> reiffert: Error: "may" is not a valid command.
20:17 < krzie> you could find it with:
20:17 < krzie> !factoids search forward
20:17 < vpnHelper> krzie: 'winipforward' and 'linipforward'
20:18 < reiffert> the_mo: as you seem to refuse to give further information ... netfilter.org is your friend.
20:18 < the_mo> http://rafb.net/p/y74XAN95.html
20:18 < vpnHelper> Title: Nopaste - iptables -t nat -v -n -L (at rafb.net)
20:18 < reiffert> krzie: lets add the netfilter.org masquerading howto
20:18 < the_mo> im still here :o
20:18 < reiffert> the_mo: 2nd cmd
20:18 < krzie> !learn linipforward as See netfilter.org Masquerading Howto, Chapter 4.2 "Help! I just want masquerading"
20:18 < vpnHelper> krzie: Joo got it.
20:19 < the_mo> incoming
20:19 < reiffert> krzie: it's called nat howto, sorry.
20:19 < reiffert> krzie: http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1
20:19 < reiffert> chap 4.1
20:19 < vpnHelper> Title: Linux 2.4 NAT HOWTO: Quick Translation From 2.0 and 2.2 Kernels (at netfilter.org)
20:19 < krzie> !linnat
20:19 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:19 < krzie> already there ;]
20:19 < the_mo> http://rafb.net/p/6muVzx73.html (2nd)
20:19 < vpnHelper> Title: Nopaste - No description (at rafb.net)
20:19 < krzie> !forget linipforward 2
20:19 < vpnHelper> krzie: Joo got it.
20:20 < reiffert> the_mo: iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT
20:20 < reiffert> the_mo: iptables -I FORWARD -o tun0 -i eth0 -j ACCEPT
20:20 < reiffert> the_mo: both commands and you are done.
20:20 < the_mo> jeez
20:20 < the_mo> awesome
20:20 < reiffert> the_mo: note, your firewall is fucked up, too. Especially chain OUTPUT
20:21 < the_mo> yea i know
20:21 < the_mo> dont hit me, its a system a friend set up, and it runs suse :X
20:21 < krzie> eww
20:21 < reiffert> eww.
20:21 < reiffert> does it work now?
20:21 < the_mo> yep, thats what my awesome was sposed to mean, thanks a lot
20:22 < krzie> reif++
20:22 < reiffert> welcome
20:22 < reiffert> !configs
20:22 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:22 < krzie> i should add that to the bot, theres a tote board plugin for that
20:22 < krzie> where we can ++ eachother
20:22 < krzie> haha
20:23 < reiffert> krzie: learn configs as paste interface configuration from both, client and server, when being disconnected and when being connected. Be sure to add the routing tables for both situations from client and from server
20:23 < the_mo> ok awesome, now onto getting that stupid suse firewall script to not overwrite those rules, wheres my hammer
20:23 < krzie> !interface
20:23 < vpnHelper> krzie: Error: "interface" is not a valid command.
20:23 < reiffert> krzie: ... that is route -n or netstat -nr. Interface config windows: ipconfig /all, linux/bsd: ifconfig -a
20:23 < reiffert> the_mo: hammer is in rc.conf iirc
20:23 < the_mo> haha
20:23 < reiffert> the_mo: or in yast.
20:24 < the_mo> na, the script has some place to add custom rules
20:24 < ecrist> krzie: dougy fixed the dns for ovpnforum.com
20:24 < krzie> !learn interface as paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server
20:24 < vpnHelper> krzie: Joo got it.
20:24 < krzie> funny i had JUST tried refreshing before you said that
20:24 < krzie> didnt work, now it does
20:24 < krzie> lol
20:24 < ecrist> just got an email from him
20:25 < ecrist> not that anyone uses the site.
20:25 * ecrist is out
20:26 < the_mo> yast doesnt let you directly specify custom iptables rules and only has a very limited (as always) window to allow/disallow stuff
20:28 -!- mode/##openvpn [+o krzie] by ChanServ
20:28 < reiffert> yeah, let's do a kick party
20:29 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
20:29 -!- krzie was kicked from ##openvpn by krzie [topic changer!!!]
20:29 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
20:30 < krzie> hehe
20:30 -!- reiffert changed the topic of ##openvpn to: foo
20:30 < krzie> aww common
20:30 -!- reiffert changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
20:31 < krzie> =]
20:34 < reiffert> please add to !interface: hint: ipconfig /all ifconfig -a route -n netstat -nr
20:37 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
20:37 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
20:37 < krzie> !learn interface as in windows: ipconfig /all - in unix, ifconfig -a , for both netstat -rn
20:37 < vpnHelper> krzie: Joo got it.
20:38 < krzie> netstat -rn works in win and bsd, im sure lin too
20:39 < reiffert> works on linux as well
20:39 < reiffert> route -n looks more familiar than netstat -nr
20:39 < reiffert> thomas@mail:~$ /sbin/route -n
20:39 < reiffert> Kernel IP routing table
20:39 < reiffert> Destination Gateway Genmask Flags Metric Ref Use Iface
20:39 < reiffert> 88.198.83.80 0.0.0.0 255.255.255.248 U 0 0 0 br0
20:39 < reiffert> 88.198.83.80 0.0.0.0 255.255.255.240 U 0 0 0 br0
20:39 < reiffert> 78.46.105.64 0.0.0.0 255.255.255.224 U 0 0 0 br0
20:39 < krzie> route print as well for windows
20:39 < reiffert> 0.0.0.0 78.46.105.65 0.0.0.0 UG 0 0 0 br0
20:39 < reiffert> well on linux it's exactly the same..
20:40 < krzie> its just easier to say 1 command for all 3
20:40 < krzie> when that can happen
20:40 < reiffert> netstat -nr
20:41 < krzie> -rn ;]
20:41 < krzie> lol
20:41 < krzie> !forget interface 2
20:41 < vpnHelper> krzie: Joo got it.
20:42 < krzie> !learn interface as in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
20:42 < vpnHelper> krzie: Joo got it.
20:48 < reiffert> bbl
21:03 < krzie> werd
21:07 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
21:22 -!- the_mo [i=mo@team-aow.de] has left ##openvpn ["thanks again"]
21:25 -!- belZe [i=server3@p5091D32C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:25 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has joined ##openvpn
21:36 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has joined ##openvpn
21:52 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
22:34 -!- nemysis [n=nemysis@197-24.3-85.cust.bluewin.ch] has quit [Connection timed out]
22:35 -!- nemysis [n=nemysis@74-130.3-85.cust.bluewin.ch] has joined ##openvpn
--- Day changed Thu Mar 26 2009
00:04 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
00:06 < _jack--> I have installed openvpn in linux server. I can access web port(80) of all network computer(servers) but i can't access the web port of openvpn installed server..
00:06 < _jack--> can anybody have any ideas?
01:13 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 104 (Connection reset by peer)]
01:26 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
01:32 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
01:42 < _jack--> i have installed openvpn server in linux computer. i can access the web (port 80) of other computer in the network but can't access the web(port 80) of openvpn installed computer...
01:43 < _jack--> how can i do that? anybody have any idea?
02:18 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
02:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:48 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
03:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:10 -!- polaru [n=polaru@93.113.192.70] has quit [No route to host]
03:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:23 < mjt> !interface
03:23 < vpnHelper> mjt: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
03:26 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
03:58 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
04:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:16 < reiffert> moin
04:34 < _jack--> moin
04:47 < _jack--> how can i open web pages(port 80) of openvpn installed linux server machine?
04:47 < _jack--> i can access web pages of all server in openvpn server's network servers...
04:50 < krzee> use the vpn ip of the vpn machine for it
04:51 < krzee> (after making sure webserver listens on it)
04:51 < krzee> !dh
04:51 < vpnHelper> krzee: Error: "dh" is not a valid command.
04:51 < krzee> !actoids search dh
04:51 < vpnHelper> krzee: Error: "actoids" is not a valid command.
04:51 < krzee> !factoids search dh
04:51 < vpnHelper> krzee: 'bridge-dhcp' and 'dhcp'
04:51 < krzee> bleh
04:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:53 < krzee> ecrist, when you get this, i am using ssl-admin on fbsd8-current with up to date openssl from ports, and the dh menu item does nothing for me, just hangs... may wanna test
05:07 < reiffert> found some time to plug in some NICs for your gbit lan?
05:07 < krzee> didnt have time to pick any up
05:08 < krzee> but i notice serious delay on getting a connection to anything on the inet when plugged into that switch
05:08 < krzee> vs direct on wifi
05:08 < krzee> so i think i need a NIC for the bsd box and a new switch =/
05:08 < krzee> ill get the NIC first tho so i can check out the xover cable
05:13 < _jack--> krzee: i have using ip of vpn machine..but can' access the web...
05:13 < krzee> make sure its listening on the vpn ip
05:13 < krzee> (webserver)
05:14 < _jack--> krzee: is there firewall issues? but i can access the other web server of vpn machine's network..
05:14 < krzee> sure could be
05:17 < _jack--> krzee: i can't ping vpn machine? but can ping other
05:18 < krzee> welcome to your firewall issue
05:18 < krzee> !linfw
05:18 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
05:18 < krzee> howd you set it up so you could access the lan?
05:56 < mjt> . o O { gbit lan... }
05:56 < mjt> with my switch @home, using jumbo frames slows things down. Linearly with frame size.
05:57 < mjt> (nothing to do with openwrt but.. fun)
05:57 -!- zheng [n=Miranda@222.66.224.110] has joined ##openvpn
05:58 < mjt> I tried to stream hd video. gbe is almost enough. i was hoping to reduce overhead by using jumbo frames (less interrupts etc). The speed dropped from 980mbps to about 400mbps when increasing packet size from 1500 to 7200 bytes.
06:00 < mjt> i can only guess that the switch i use splits and reassembles packets internally hence slows down quite alot. because when connecting two PCs directly, increasing MTU actually increases speed.
06:00 < zheng> hi
06:00 < zheng> Hi, all, openvpn can act as a server and a client synchronously? how to config it?
06:00 < zheng> Just like this:
06:00 < zheng> Host.A(clt)--->(svr)Host.B(clt)----->(svr)Host.C
06:01 < zheng> How to config Host.B?
06:01 < mjt> zheng: two instances
06:01 < mjt> two separate interfaces and two configs
06:02 < zheng> two instances? it's the only method?
06:02 < mjt> yes
06:02 < mjt> another method is to modify the source. patches welcome, i guess ;)
06:02 < mjt> technically there's nothing to stop it from acting as both client and server.
06:02 < zheng> oh, isee, so bad,
06:03 < mjt> but that code isn't written
06:03 < zheng> mjt, thx,
06:03 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
06:03 < zheng> I'll read the source.
06:11 < _jack--> krzee: i can ping tap0 ip but can't public ip of vpn machine....
06:24 -!- bsund [n=bsund@unaffiliated/bsund] has left ##openvpn []
06:42 < ecrist> morning, folks
06:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:06 < reiffert> moin
07:15 -!- zheng [n=Miranda@222.66.224.110] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
07:32 < ecrist> his setup is flawed.
07:32 < ecrist> was about to tell him, until I saw he left.
07:32 < ecrist> *shrug*
07:38 < mjt> what's flawed in his setup?
07:39 < mjt> (i think you're talking about zheng, right?)
07:39 < ecrist> unless he's doing some weird gateway redirection, there's no reason to run a server on Host.C. Host.C and Host.A could connect to a server running on Host.B
07:40 < mjt> aha
07:40 < mjt> well, the question he asked -- that's the same question i asked some time ago as well.
07:40 < mjt> and it was for a reason.
07:40 < mjt> here, i've two separate networks that belong to two separate organisations.
07:40 < ecrist> there are few good reasons to do it that way
07:41 < mjt> we run our own network, and need to access "their" network
07:41 < mjt> so there's 2 servers, and one of them acts as client for another.
07:42 < mjt> (actually we've 4 servers running like that, but that's details)
07:43 < ecrist> if you don't control all of the servers, there's potential for ip address duplication, which breaks the whole thing
07:43 < ecrist> last I checked, VPNs pass traffic in both directions...
07:43 < mjt> the client that's running on the server does not accept options from other server
07:44 < mjt> ie, it does not have --pull option
07:44 < ecrist> sure, but you need an ip address, regardless
07:44 < mjt> and it will only pass whatever traffic i'll tell it.
07:44 < mjt> yes
07:44 < ecrist> and, again, you run the risk of duplicate IPs, unless you control all the servers
07:45 < mjt> there are 2 aspects here - just potential conflict of address space and deliberate attempt(s) to break into someone's net.
07:45 < belZe> hey guys, been busy all day. no time trying openvpn today :(
07:46 < mjt> ecrist: we agreed on the former, and i took care of the latter by adding necessary constraints on my side.
07:47 -!- js_ [n=js@193.0.253.161] has joined ##openvpn
07:48 < mjt> omg.
07:48 < mjt> speaking of address space conflicts...
07:48 < js_> when a second user in my lan tries to connect to the same openvpn endpoint as i, he gets connection refused, why is that?
07:48 < mjt> a client of ours is using 169.254.244.0/24 for their lan
07:48 < ecrist> lol
07:49 < ecrist> really, there isn't anything too wrong with that. systems that auto-assign the address space should detect used IPs
07:49 < mjt> and they asked for tunnel from "outside" to that their lan
07:50 < mjt> some renumber is in order. i can't let them out (even into our infrastructure) with those IPs.
07:51 < _jack--> public ip of openvpn linux machine is not pinging...how to make it pingable?
07:51 < mjt> js_: sure it's not some firewall prob and he actually tries to send packet to that host?
07:51 < mjt> _jack--: if it's not "pingable", how can you connect to it in order to set up tunnel?
07:52 < mjt> (assuming that by "pingable" you actually mean "reachable" or somesuch)
07:52 < _jack--> mjt: i have used natting
07:53 < _jack--> i can ping the private ip assigned by openvpn ...ie tap0
07:53 < mjt> belZe: by the way, just in case... is your nat table empty (iptables)?
07:55 < js_> mjt: apparently it was a config error on his side, but we ran into a second problem
07:55 < ecrist> _jack--: you need to enable ip forwarding
07:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:56 < js_> both of us can't be connected at the same time
07:56 < mjt> _jack--: if you want help, please, describe your problem cleanly. Before typing it in there, re-read it and try to see it from a point of view of someone who has no idea at all how your config looks like.
07:56 < ecrist> js_: do you have mode --server?
07:56 < js_> if i'm connected and he connects, my tunnel dies
07:56 < ecrist> !configs
07:56 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:56 < mjt> js_: using the same cert?
07:57 < ecrist> mjt: same cert wouldn't get connection refused
07:57 < ecrist> either, it would work, or the first connection would be dropped
07:57 < js_> i got rid of connection refused, that was because he had set tcp instead of udp
07:57 < js_> mjt: hmm, i made different certs, but i'll check anyway
07:58 < mjt> ecrist: < js_> if i'm connected and he connects, my tunnel dies
07:58 < ecrist> ah, I didn't see that line. was responding to lines above that
08:00 < js_> we use the same "ca", but "cert" and "key" differ
08:00 < ecrist> js_: can you pastebin your server logs, please?
08:00 < _jack--> mjt: actually i have setup openvpn in linux machine. it is working....this machine is also web server...from vpn client machine, i can ping private ip assigned by openvpn(tap0) but can't ping public ip of openvpn machine...anyhow i want to access the web server..
08:00 < js_> ecrist: one sec
08:00 < ecrist> _jack--: see my message to you, above
08:01 < js_> ecrist: hehe, thanks for that, i just found this "MULTI: new connection by client 'trodon.se' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want mu
08:01 < js_> ltiple clients using the same certificate or username to concurrently connect."
08:02 < ecrist> :P
08:02 < js_> is it the ca.crt that causes the conflict then?
08:03 < _jack--> ecrist: i have no idea about ip forwarding?...how can do that?
08:03 < mjt> client.key
08:03 < ecrist> no, it's the CN of the client cert
08:03 < mjt> and cert
08:03 < js_> they can be the same even if "diff" shows they're not?
08:03 < ecrist> so, if you created two client certs with the same CN, you'll run in to that problem.
08:04 < js_> ahhh
08:04 < js_> i see
08:04 < js_> thanks a lot
08:04 < ecrist> diff will show different certificates, because of the encryption
08:04 < js_> yeah, i thought so
08:07 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
08:51 -!- fraggan [n=frhe@gate-kd.krsystem.se] has joined ##openvpn
08:54 < ecrist> hi, fraggan
09:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:20 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: rdz, l2trace99, krzie, RexMundi_, clustermagnet, dazo, xor|, pa, hagna_, worch, (+19 more, use /NETSPLIT to show all of them)
09:20 -!- Irssi: ##openvpn: Total of 28 nicks [0 ops, 0 halfops, 0 voices, 28 normal]
09:21 -!- Netsplit over, joins: tarbo2
09:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:22 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has joined ##openvpn
09:22 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn
09:22 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has joined ##openvpn
09:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:22 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has joined ##openvpn
09:22 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn
09:22 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has joined ##openvpn
09:22 -!- Bushmills [n=nnnnl@verhau.de] has joined ##openvpn
09:22 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn
09:29 -!- sunga [n=naft@77.109.123.56] has joined ##openvpn
09:29 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
09:29 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
09:29 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
09:29 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
09:29 -!- Solver [n=robert@99.229.28.193] has joined ##openvpn
09:29 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
09:32 < ecrist> I want to shoot our web developer
09:33 < ecrist> we spent an entire year normalizing our web code and making it compliant to standards.
09:33 < ecrist> all of the code he's written since has been cobbled-together crap
09:35 < SuperEvilDeath15> standards are for pussy's if it works in IE7 then its fine :P
09:35 -!- frhe_ [n=frhe@gate-kd.krsystem.se] has joined ##openvpn
09:35 -!- fraggan [n=frhe@gate-kd.krsystem.se] has joined ##openvpn
09:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:35 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
09:35 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn
09:35 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
09:35 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:35 -!- hagna_ [n=hagna@70.102.57.178] has joined ##openvpn
09:35 -!- rdz [i=roman@netpd.org] has joined ##openvpn
09:35 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
09:35 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
09:36 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, fraggan, rdz, frhe_, hagna_, troy-, Kreg-Work, Gumbler, reiffert, prxtien, (+1 more, use /NETSPLIT to show all of them)
09:36 < ecrist> SuperEvilDeath15: funny, but it's just the inverse. he builds his code testing in firefox. ~70% of our user base uses IE. his code isn't working in IE
09:37 < ecrist> he told me he assumes it's because IE isn't compliant. turns out, it's his code.
09:37 < ecrist> one fairly simple page has ~100 errors
09:38 < ecrist> missing tags, duplicate tags, unclosed divs, etc.
09:41 -!- Netsplit over, joins: frhe_, fraggan, mikkel, krzie, prxtien, Kreg-Work, reiffert, hagna_, rdz, Gumbler (+1 more)
09:43 -!- frhe_ [n=frhe@gate-kd.krsystem.se] has quit [Read error: 104 (Connection reset by peer)]
09:48 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, rdz, fraggan, hagna_, troy-, Kreg-Work, Gumbler, reiffert, prxtien, mikkel
09:54 -!- Netsplit over, joins: reiffert
09:54 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn
09:54 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
09:54 -!- Netsplit over, joins: prxtien
09:54 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
09:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:56 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn
09:56 -!- Gumbler_ is now known as Gumbler
09:56 < ecrist> so many netsplits today
09:56 -!- rdz [i=roman@195.176.254.176] has joined ##openvpn
09:57 -!- troy- [n=troy@38.103.146.115] has joined ##openvpn
10:02 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has left ##openvpn []
10:12 -!- worch [i=worch@battletoad.com] has joined ##openvpn
10:12 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
10:17 < cpm> enjoy the ride
10:36 * ecrist shoots above-referenced developer.
10:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
10:44 -!- Netsplit over, joins: worch, pa
10:53 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn
11:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
11:05 -!- Netsplit over, joins: worch, pa
11:08 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn
11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:08 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
11:09 -!- Netsplit over, joins: pa, worch
11:10 < achilles> hello guys, I have a simple problem, I have site to site vpn, one is server and the another is client, the tunnel is perfect but if the tunnel is idle for short time, it loses the connectivity and I have to ping a server from the another end point to return back in life, the tun0 device doesn't go off
11:12 < Bushmills> achilles, won't any activity, not just ping, make it active again?
11:12 < achilles> just ping make it again
11:13 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
11:13 < Bushmills> only ping, i.e. no connection if you don't ping before?
11:13 -!- Netsplit over, joins: pa, worch
11:14 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
11:15 < Bushmills> you might want to check out the keepalive option - though it is meant to detect if the other side went down, not to keep it active.
11:15 -!- mikkel_ is now known as mikkel
11:15 < Bushmills> but as it pings in interval specified, it should do the job
11:16 < achilles> Bushmills, yes I run a process ping -i 10 ... in the background
11:16 < achilles> and it's ok with it I think
11:17 -!- Netsplit over, joins: worch, pa
11:17 < Bushmills> server has a keepalive option, which would probably make your extra ping process unnecessary
11:20 < achilles> that would be great
11:20 < ecrist> recommend --keepalive 10 120
11:29 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
11:29 -!- Netsplit over, joins: worch, pa
11:40 < achilles> Bushmills, ecrist thank you very much
11:46 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
12:06 -!- Netsplit over, joins: worch, pa
12:13 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:19 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa, worch
12:19 -!- Netsplit over, joins: pa, worch
12:19 -!- achilles [n=achilles@82.205.120.165] has quit ["Leaving"]
13:14 -!- znoG [n=gs@host131.190-139-153.telecom.net.ar] has joined ##openvpn
13:14 < znoG> hey all.. i've got an openvpn server in shared key mode, and i want to setup different routes depending on which client connects .. is there a way to specify them on the client side and not server side?
13:15 < znoG> ie. client 1 connects with the key .. route 192.168.100.0/24 on the server to client 1 ... client 2 connects with the same key -> route 192.168.1.0/24 to client 2
13:15 < znoG> ideally i'd like to specify the routes on the client side openvpn
13:15 < znoG> ie. tell the server which networks to route to the connecting client
14:00 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:22 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
14:22 -!- SuperEvilDeath16 [n=death@212.206.209.177] has joined ##openvpn
14:22 < Improv> Is there a way to have a single OpenVPN server serve both TCP and UDP clients yet?
14:23 < reiffert> No, but there is a discussion on the mailinglist.
14:23 < Improv> reiffert: Ahh. I'll take a look. I desperately need this function - running two instances of OpenVPN would not work well for our needs.
14:28 < reiffert> Then take a seat, add an additional socket() bind() and put the resulting filedescriptor into the rfds and wfds select sets, done.
14:28 < Improv> I would prefer not to patch it myself if at all possible :)
14:29 < reiffert> else explain why running two instances would not work for you.
14:29 < reiffert> well, you can hire a programmer doing the job for you.
14:30 < Improv> reiffert: OpenVPN is embedded into a network testbed infrastructure, and we already have code that manages routes between our networks - running two instances with their own IP pools and stuff would make that code very hairy
14:31 < ecrist> Improv: they would need their own pools, but could serve the same subnet
14:31 < Improv> reiffert: As it so happens, I am a programmer, I just *like* thinking of OpenVPN as a black box.
14:31 < Improv> ecrist: Right, but if a node falls back to UDP, it can't keep its assigned IP
14:31 < reiffert> sure it does.
14:32 < reiffert> it's a matter of configuration.
14:32 < Improv> I thought the OpenVPNs have a range of IPs they hand out
14:33 < Improv> and if a node's IP is assigned to it, it would have to be within the range of that OpenVPN
14:33 < Improv> Lol, this is like thinking about phone# portability :)
14:33 < reiffert> Improv: if a client "falls back from tcp to udp" or "from one instance to another", it is already disconnected, right?
14:33 < reiffert> and even if not.
14:34 < Improv> In a perfectly ideal world, I'd be able to tell the openvpn server to serve both tcp and udp, and have clients try udp first and if it fails then try udp...
14:34 < reiffert> the client comes up with a unique identifier 14:34 < reiffert> the certificate 14:34 < Improv> reiffert: Yes, but the IP address is in all sorts of databases 14:34 < reiffert> just hand out the same ip to that particular certificate 14:34 < reiffert> done 14:34 < reiffert> Improv: so? 14:35 < Improv> reiffert: ... Ok, maybe I am not getting something here. 14:35 < Improv> 2 instances of OpenVPN - do they need their own IP pools or not? 14:35 < reiffert> Where exactly did you stop getting things? 14:35 < Improv> Let's find out :) 14:35 < reiffert> Improv: they could have their own IP pools, but they dont need to. 14:36 < Improv> If I want the "node can automatically ping all other nodes on the same openvpn server" config, can that work across openvpns without enabling general routing? 14:36 < reiffert> yes. 14:37 < Improv> Really? That's handy. The openvpns somehow will spot each other and forward traffic without my needing to tell the OS anything? 14:38 < Improv> I'll have to read up more about setting that up 14:38 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)] 14:39 < Improv> With any luck all this will be academic - still arguing with the sysadmins at Intel about their stupidly restrictive firewall. ... 14:39 < reiffert> I just wonder what those last things have to do with where you stopped getting things. 14:41 < ecrist> Improv: I hate to tell you, but your config is broken 14:41 < reiffert> ? 
14:42 < Improv> reiffert: I was under the impression that I would need to set up a separate pool of IPs on a separate "subnet" for each openvpn to hand out, and that I would need to set up routing between those pools in order for vpn clients to see each other for "client-to-client" to work, and also that they would not be able to retain the same IP when moving from tcp to udp or vice versa 14:42 < ecrist> Improv: Openvpn doesn't require it's own subnet 14:42 < ecrist> subnet != pool 14:42 < ecrist> an openvpn pool of addresses can be within an existing subnet on a LAN 14:43 < reiffert> Improv: you can do soo many things with openvpn, howabout you start now and learn them, step by step or get lost in docs first? 14:43 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has joined ##openvpn 14:43 < ecrist> for that matter, why not run a bridged VPN, assigning IPs from a non-openvpn DHCP server to begin with. 14:43 < Improv> reiffert: I do like powerful software - I guess I should learn more about it. 14:43 < ecrist> all that stuff goes away. 14:44 < Improv> ecrist: I'll look into that. Thanks for the suggestion. 14:45 < Improv> I only looked into OpenVPN for a few hours before I started to integrate it into our network testbed software - maybe I should've spent more time on it. 14:46 < reiffert> Improv: openvpn can pass layer 3 packets from one side to another. thats were a transfer-subnet takes part. 14:46 < reiffert> Improv: it also can pass layer 2 frames from side to side, thats where the latter happens. 14:47 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 14:47 < reiffert> Improv: with the former (tun), basic routing rules may or may not take part 14:47 < Improv> reiffert: The way we're using OpenVPN is just meant to traverse NAT/provide "static" IPs to remote parts of our network testbed.. 
14:47 < reiffert> Improv: passing ethernet frames is done with the tap adapter, which may be used to take part in a bridge. 14:48 < Improv> I'm presently using tun - I'm hoping not to change that unless I must. 14:48 < reiffert> Improv: openvpn can handle ip pools just like a dhcp server would. It even can act as a dhcp server (just basic stuff) 14:49 < reiffert> Improv: another option is to hand out static ip addresses. so everytime the same client connects, it will get the same ip address. 14:49 < reiffert> you can even mix both situations. 14:49 < reiffert> !ccd 14:49 < reiffert> !ipp 14:49 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 14:49 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 14:50 < reiffert> hope you get the idea(s) 14:50 < Improv> reiffert: so long as the client-to-client stuff works across different openvpns and I can use truly static IPs, all using tun rather than tue, I will be happy. 14:50 < Improv> I clearly have more reading to do. 
14:52 < Improv> So far I am quite happy with OpenVPN (although I still think allowing both tcp and udp in the same daemon would be a plus) 14:52 < Improv> Thanks for the help, reiffert and ecrist 14:53 < ecrist> np 15:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:15 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 15:16 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn [] 15:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:41 < mjt> !static 15:41 < vpnHelper> mjt: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client 16:05 -!- jameswhite [n=james@fapestniegd.jameswhite.org] has joined ##openvpn 16:17 -!- dazo_home [n=David@r9dm48.net.upc.cz] has joined ##openvpn 16:17 < dazo_home> !howto 16:17 < vpnHelper> dazo_home: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:17 < dazo_home> !route 16:17 < vpnHelper> dazo_home: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:27 < dazo_home> krzee: ecrist: any of you on now? anyone know about where tunnelblick hides the openvpn binary? 16:27 * dazo_home is helping out a friend on mac over the phone 16:30 < dazo_home> By the way ... any known issues with tunnelblick and --auth-user-pass ? 17:08 < dazo_home> never mind ... we managed to enable sshd .... 
so openvpn got compiled from scratch 17:10 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 17:28 < krzie> just got in 17:28 < krzie> tunnelblick doesnt control anything i know of 17:28 < krzie> it just runs openvpnj 17:28 < krzie> err -j 17:28 < krzie> so there should be no issues with tunnelblick + * 17:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:32 < krzie> and if there are, just dont use tunnelblick 17:32 < krzie> its simple enough to make a script double-clickable in osX 17:32 < krzie> you just make a bash script, and make it named something.command 17:33 < krzie> then they close the window to kill the vpn 17:33 < krzie> hell i think thats easier than tunnelblick 17:42 -!- dli [n=dli@adsl-75-22-21-198.dsl.chcgil.sbcglobal.net] has joined ##openvpn 17:42 < dli> hi, "tcpdump -i tun0" can shows traffic, but I couldn't ping either way 17:43 < dli> no firewall 17:43 < krzie> firewall 17:43 < krzie> lol 17:43 < krzie> !linfw 17:43 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 17:45 < dli> krzee, I don't have any firewall both side:( default to accept 17:48 < krzie> default to accept on all those chains? 17:49 < dli> krzee, let pastebin iptables -L 17:49 < dli> krzie, http://pastebin.ca/1373444 17:49 < reiffert> dli: use -n on tcpdump 17:50 < reiffert> and when pasting iptables use iptables -t filter -v -n -L and iptables -t nat -v -n -L 17:50 < reiffert> !interface 17:50 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:52 < krzie> dli, what are you trying to ping? 17:54 < dli> krzie: new iptables -F, http://pastebin.ca/1373450 17:54 < dli> krzie: IP of the other end 17:55 < dli> krzie: tcpdump -i tun0, http://pastebin.ca/1373446 17:56 < reiffert> dli: tell him to use -n on tcpdump as well 17:56 -!- huslu_ is now known as huslu 17:58 < krzie> hehe 17:58 < krzie> use -n on tcpdump as well! 17:58 < krzie> and more importantly to me, 17:58 < krzie> !logs 17:58 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 17:58 < dli> reiffert, krzie : tcpdump -n -i tun0: http://pastebin.ca/1373453 17:58 < reiffert> what is he trying to achive anyway? 17:58 < krzie> reiffert, you seen everything i did 17:58 < dli> reiffert, I couldn't ping, or use any service at all 17:59 < krzie> you popped in right at the start 17:59 < dli> krzie, let me do verb 6 17:59 < reiffert> dli: tcpdump tells us: you can. 17:59 < reiffert> dli: looks like a phone call to your mama 17:59 < krzie> reiffert, good call... i need to call my mama too 18:00 < reiffert> however, 192.168.2.2 fucked up routing. 
18:00 < krzie> !configs 18:00 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:00 < reiffert> krzie: I did today, birthday 18:00 < dli> reiffert, ping 192.168.2.2 with 100% packet loss 18:00 < krzie> lets see those configs 18:00 < krzie> even before the logs 18:01 < reiffert> dli: do as you were told: !logs !configs and more important: !interface 18:01 < dli> !interface 18:01 < vpnHelper> dli: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:02 < krzie> i think !configs is most important if you say routing got messed up, prolly quickest way to his solution 18:03 < reiffert> dli: that tcpdump you were pasting, where did that come from, client or server_ 18:03 < dli> reiffert, from the server 18:03 < dli> reiffert, krzie: interfaces with openvpn on: http://pastebin.ca/1373460 18:04 < reiffert> dli: why are there three different subnets on tun0? 18:04 < reiffert> dli: yong = serverss 18:06 < dli> reiffert, aha, might be the problem 18:06 < dli> reiffert, configs: http://pastebin.ca/1373461 18:07 < dli> reiffert, double checked, don't see 3 subnets 18:08 < dli> reiffert: just 192.168.2.1/32 192.168.2.2/32 18:08 < reiffert> dli: from the tcpdump you were pasting, I can see three. 18:09 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"] 18:09 < dli> reiffert, 192.168.1.3 is the IP of wlan0 on yong 18:09 < dli> reiffert, 192.168.2.2 is tun0 on yong 18:09 < reiffert> dli: and that packet belongs to tun0? 
18:10 < dli> reiffert, 18:07:29.557373 IP 192.168.1.3.5060 > 192.168.2.1.5060: SIP, length: 596 18:10 < dli> reiffert, yes, from "tcpdum -n -i tun0" 18:14 < dli> reiffert, logs at the client side: http://pastebin.ca/1373473 18:14 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 18:14 < dazo_home> krzee: thanks! Yeah, I don't know what was wrong with tunnelblick ... but the guy is not too advanced at all, but when he managed to enable ssh ... I got into the box, downloaded and compiled openvpn ... put a shell script on the desktop ... and it worked out pretty nicely :) 18:14 < dazo_home> krzee: thanks anyway! :) 18:16 < krzie> perfect, exactly what i woulda done 18:16 < krzie> you made the shell script named something.command? 18:16 < krzie> if so its double clickable for him 18:16 < dli> krzie, logs at the server side: http://pastebin.ca/1373475 18:17 < dazo_home> krzee: no, I didn't know about that extension .... I called startvpn.sh ... and he figured out that he could click on it somehow, and the terminal fired and he could log in 18:17 < krzie> wow theres a lot of people needing help with ptp setups lately 18:17 < dazo_home> krzee: I'll try to remember to tell him to rename it, though ;-) 18:17 < krzie> he prolly had to right click and tell it to run in term 18:17 < krzie> yup, once its .command he just clicks and boom 18:18 < krzie> my boy at apple told me that one =] 18:19 < dazo_home> krzie: cool ... I'll pass the info further ... anyway, tunnelblick sounds like a nice option .... but when I tried to figure out things about it, it's a dead silent community around it .... kinda disappointing, considering it's one of the few gui tools for openvpn and osx ... 
I'd expect more response 18:19 < krzie> hrm, those logs tell me openvpn is working fine 18:20 < krzie> dazo_home ya back when i tried it all it would do is crash 18:20 < krzie> maybe ill try it again so i can help people with it 18:20 < krzie> but to me its always been pointless as i wanna see the stuff in the term anyways 18:20 < krzie> so i make the shell script like you did, then put a shortcut to it in stacks 18:20 < krzie> (i use a shortcut so i can change the icon on it) 18:21 < krzie> my scripts are all in stacks and all use www.ircpimps.org/pimpin.jpg as their icon) 18:21 < dazo_home> krzie: yeah, but for such point'n'click people, they don't like terminals, as it disrupts their karma 18:21 < dazo_home> cool icon 18:21 < krzie> hehe, ya gui's for commandline tools disrupts mine, so i understand 18:22 < krzie> thanx =] 18:22 < krzie> i had a guy make it for me (im graphicly retarded) 18:22 < krzie> and i hosted his private web stuff for a yr or 2 18:22 < dazo_home> nice deal :) 18:22 < dazo_home> well ... I'm headed for bed now .... c'ya guys tomorrow! 18:22 < krzie> yup, he loved it and i love what i got 18:22 < krzie> later! 18:22 -!- dazo_home [n=David@r9dm48.net.upc.cz] has quit ["Leaving"] 18:28 < dli> krzie, any idea? 18:29 < krzie> get on yong and ping 192.168.2.1 18:29 < krzie> also those logs you sent me were useless kinda 18:30 < krzie> i need both sides, and i need them from the very start 18:30 < krzie> logs from after the connection dont mean anything to me 18:30 < krzie> except that packets are being grabbed and responded to 18:31 < dli> krzie, one moment 18:32 < reiffert> he also forgot routing tables and all the stuff when beeing not connected. 
18:32 < krzie> ild also like to congratulate you on following directions from !logs and !configs better than many people 18:32 < krzie> doh, i guess not from !interface tho 18:32 < krzie> lol 18:33 < krzie> !interface 18:33 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:33 < krzie> follow that one to a T please 18:37 < dli> krzie, logs from the client side: http://pastebin.ca/1373490 18:38 < dli> krzie, server side logs: http://pastebin.ca/1373491 18:39 < dli> reiffert, route at the server side: http://pastebin.ca/1373492 18:39 < krzie> # 18:39 < krzie> Mar 26 18:31:44 localhost openvpn[24169]: OpenVPN 2.0.7 x86_64-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 10 2008 18:39 < krzie> dude 18:40 < krzie> updaten that 18:40 < krzie> any idea how many yrs old that is? 18:40 < krzie> 2.0.9 is like 4 yrs old 18:41 < dli> reiffert, route at the client end: http://pastebin.ca/1373494 18:41 < reiffert> dli: sorry, I'm watching latest episodes on heroes and 24, I lost interest. 18:42 < dli> krzie, I can upgrade to 2.1_rc15 18:42 < krzie> good, upgrade both sies to that 18:42 < krzie> sides 18:44 < krzie> howd you even find that old code? 
18:45 < dli> krzie, it's stable version on gentoo :( 18:45 < krzie> i been helping in this chan for like 2 yrs and never seen a version that old 18:45 < krzie> no way, ive installed from gentoo portage before 18:45 < dli> Available versions: 2.0.6 2.0.7-r2!t (~)2.0.9!t (~)2.1_rc15 18:45 < krzie> it for sure was at least 2.0.9 18:45 < dli> 2.0.9 is masked by ~amd64 18:45 < krzie> o 18:45 < krzie> ya i wasnt using amd64 18:46 < krzie> install from source if you must 18:46 < krzie> but 2.1_rc15 is what you want 18:46 < krzie> so if you can use portage for that, go for it 18:46 < dli> krzie, 2.0.9 also masked by ~x86 18:48 < krzie> i have no gentoo now, but get 2.1_rc15 running 18:48 < krzie> however you gotta do it 18:51 < dli> krzie, great, it simply works with 2.1_rc15 18:51 < krzie> right on 18:51 < krzie> reiffert, it was his old ovpn version 18:51 < krzie> (2.0.7) 18:51 < dli> krzie, let me see whether I can bug bugs.gentoo.org 18:52 < krzie> cool, always appreciate someone helping us see the same problem less times 18:53 < reiffert> :) 19:01 -!- nemysis [n=nemysis@74-130.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 19:02 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn 19:20 < krzie> !learn allinfo as Please type !configs !logs and !interface to see all the info we want to be able to help you 19:20 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 19:20 < krzie> bleh 19:20 < krzie> !learn allinfo as Please type !configs !logs and !interface to see all the info we want to be able to help you 19:20 < vpnHelper> krzie: Joo got it. 19:20 < reiffert> hehehe 19:20 < krzie> vpnHelper whoami 19:20 < vpnHelper> krzie: krzee 19:20 < krzie> thats right, and dont you forget it! 
19:21 < reiffert> make the bot paste that info to everyone joining automatically 19:21 * krzie threatens vpnHelper with a kill -9 19:21 < krzie> reiffert, thing is we often dont need all that 19:21 < reiffert> people even dont put "all that" online, even if we need it 19:21 < krzie> many times i just give them !route or !linfw etc 19:22 < krzie> lol no kidding 19:22 < krzie> ie: his problem, with !configs if he gave us version as it asked, we woulda stopped right there 19:22 < reiffert> yep 19:22 < krzie> but im so accustomed to not getting it, i forgot to demand it 19:23 < reiffert> 2nd time in the last 24hours 19:23 < krzie> i was just happy he used verb 6 and didnt have comments in the configs 19:23 < reiffert> :)) 19:23 < krzie> why is everyone who needs help using ptp lately? 19:23 < krzie> must be some new writeup high on google or something 19:23 < reiffert> Just like I am for every guy removing the comments, hell yeah 19:24 < reiffert> krzie: two answers: everyone is using tun as you tell them not to use briding, so all the problems are with ptp 19:24 < reiffert> I forgot the 2nd one 19:25 < krzie> but tun with server (net30) seems like the more common approach to me 19:25 < krzie> i seem to be mistaken lately 19:25 < krzie> but ya, i am a tun nazi 19:25 < krzie> lol 19:25 < reiffert> people should get an idea of basic routing ... 19:26 < krzie> totally, bridging is so rarely actually the solution 19:26 < krzie> and its actually less easy to setup! 
19:26 < krzie> (imho) 19:27 < krzie> ild really like to make a writeup for default routing over the vpn, but i just dont know where to start 19:27 < krzie> it would have so many 'ifs' 19:28 < krzie> with links to other writeups 19:28 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 19:28 < krzie> 3 for like each thing, win lin and bsd 19:28 < reiffert> let's start with !howto :) 19:29 < krzie> ya but i believe my walkthrough on !route is better than the howto for that purpose 19:29 < krzie> i wish i had !route when i was learning it 19:29 < krzie> i actually had to dig through the code before i fully understood iroute 19:30 < krzie> (when i was chaining ovpn's for anonymizing) 19:30 < krzie> 1 machine with 2 clients, routing from 1 server to other to go to another client doing same thing 19:31 < krzie> took really understanding iroute to accomplish 19:32 < reiffert> Never used iroute yet, guess I'll have to learn it some day 19:33 < krzie> !iroute 19:33 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 19:33 < krzie> now you fully understand it 19:33 < krzie> =] 19:45 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 20:07 < dli> now, I'm doing ekiga voip through openvpn, no need for SIP accounts 20:08 < ecrist> dazo: did you get your question answered? 20:09 < ecrist> I see you sort of did. 
20:10 < ecrist> for the record, the openvpn binary is kept in /Applications/Tunnelblick.app/Contents/Resources on default-installed Tunnelblick 20:10 < ecrist> there is no problem replacing the binary with self-compiled copies, as I did so before they supported rc15 on 2.1 20:20 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 20:33 -!- znoG [n=gs@host131.190-139-153.telecom.net.ar] has quit [Read error: 110 (Connection timed out)] 21:23 -!- belZe [i=server3@p5091D0BB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:23 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has joined ##openvpn 22:08 < krzie> oh hey ecrist 22:08 < krzie> did you see my message about ssl-admin and dh? 22:09 < krzie> (not that it effected me, i just thought youd like to know) 22:09 < krzie> when i ran the openssl command as stolen from easy-rsa2 it worked just fine 22:13 < krzie> but when i ran dh from ssl-admin, it just froze up, required a ctrl C, checked top and it wasnt trying to do anything, no cpu usage 22:13 < krzie> when i ran it manually it used 100% of a core 22:14 < krzie> i can check what was wrong when i get home if you like 22:17 < ecrist> krzie: no, I didn't 22:17 < ecrist> please, otherwise hit me up tomorrow and I'll look into it. 
22:17 * ecrist is working on a basic blackberry theme 22:18 < krzie> sweet 22:19 < krzie> ill take a look tonight while im building my new desktop 22:19 < ecrist> there's a free 'today' theme for my 8900 curve, but it requires Desktop Manager - a windows app 22:19 < ecrist> I don't have a windows box 22:19 < krzie> (and while i teach myself how to burn dvds in fbsd) 22:19 < ecrist> so I'm building a theme for OTA download 22:19 < krzie> i thought you said you had a winbdows box for work stuffs 22:20 < ecrist> ok, s/$/ that I want to install a 300MB app on simply to install a theme/ 22:20 < krzie> haha 23:39 -!- diegoviola [n=diego@adsl-136-248.click.com.py] has quit ["leaving"] --- Day changed Fri Mar 27 2009 00:00 * ecrist buys another domain. 00:00 < ecrist> bbthe.me 00:02 < krzee> ? 00:02 < krzee> oh 00:02 < krzee> bb theme 00:02 < krzee> gotchya 00:22 < Flumdahl> any one that running vpn client on openbsd ? 00:25 < krzee> neg but it shouldnt be hard... 00:25 < Flumdahl> need to use it with tun* interface 00:25 < Flumdahl> do i need to have tun interface on the server to? 00:26 < krzee> sure 00:26 < krzee> what os is server? 00:26 < Flumdahl> debian 00:27 < krzee> ok 00:27 < krzee> wheres the problem you're running into? 00:27 < krzee> i was thinking server was windows and you were confused bout howto use tun on win 00:28 < krzee> cause it only has tap device, but that "tap" can emulate tun 00:28 < krzee> but thats not it, so whats up? 00:30 < Flumdahl> have not tested it yet. just know that a real tap interface wont work in openbsd cuz they have no support for that. only tun interfaces. so my question was just if i can mix it up with a tap interface on the server and tun on client 00:31 < krzee> why would you even want to do that? 
00:31 < krzee> tun sends layer3 00:31 < krzee> tap sends layer2 00:31 < krzee> besides, for 99% of stuff you only want layer3 00:31 < krzee> and thats hilarious theres no tap for obsd 00:32 < Flumdahl> hmm 00:45 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 00:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Nick collision from services.] 00:46 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit] 00:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 01:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:38 < krzee> Flumdahl, http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 01:38 < vpnHelper> Title: Re: openvpn client with tap device | KernelTrap (at kerneltrap.org) 01:39 < krzee> !learn obsdtap as http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways) 01:39 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 01:40 < krzee> !learn obsdtap as http://kerneltrap.org/mailarchive/openbsd-misc/2008/2/19/911924 to see how to get obsd using tap (but you should prolly use tun anyways) 01:40 < vpnHelper> krzee: Joo got it. 
01:53 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 02:30 < krzee> ecrist, i dont see why dh in ssl-admin didnt work, looks good to me in the code 02:30 < krzee> only thing i could think is to brace the vars 02:30 < krzee> for extra protection for them 02:30 < krzee> but shouldnt need it 02:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:00 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 04:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:45 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 04:46 -!- xipo [n=x@81-229-83-53-no65.business.telia.com] has joined ##openvpn 04:50 < xipo> !route 04:50 < vpnHelper> xipo: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 05:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:08 < xipo> !logs 05:08 < vpnHelper> xipo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 05:09 < xipo> !howto 05:09 < vpnHelper> xipo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 05:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: stephenh, xor|, sunga, ropetin 06:05 -!- Netsplit over, joins: sunga, ropetin, xor|, stephenh 06:06 * cpm kicks things 06:16 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 06:41 -!- dli [n=dli@adsl-75-22-21-198.dsl.chcgil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 06:41 -!- dli [n=dli@adsl-75-22-28-192.dsl.chcgil.sbcglobal.net] has joined ##openvpn 07:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 07:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:34 < ecrist> morning, folks 08:01 < xipo> Im very novice with openvpn. Would it be easy to add a second computer on the server side? I have one server that one can access externally with a VPN. On that server there is a couple of virtual servers running and I want to be able to access them without installing openvpn on them aswell. 08:02 < xipo> Im going to read the manual but thought I asked first to see if it is easy todo, otherwise I don't want to fiddle with it. 08:07 < dazo> xipo: with openvpn you have a variety of different ways how to connect computers and networks together in a pretty secure way (depending on the configuration you end up with) 08:07 < dazo> xipo: read the docs ... google for openvpn tutorials as well ... I believe Linux Journal has an old article about it, and it gives you the basic knowledge as well 08:07 < dazo> xipo: and have a look at the !howto 08:08 < dazo> !howto 08:08 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 08:10 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has joined ##openvpn 08:12 < fixxxermet> !interface 08:12 < vpnHelper> fixxxermet: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 08:12 < ecrist> xipo: see here: 08:12 < ecrist> !route 08:12 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 08:12 < ecrist> dazo: use the bot, man 08:12 < ecrist> ;) 08:13 < dazo> dazo: heh ... I try to ... but I don't remember all those fancy things you've put into it ;-) 08:15 < fixxxermet> !configs 08:15 < vpnHelper> fixxxermet: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:20 < kala> is there a way for openvpn server to register client's name and IP-aadress in a DNS server ? 08:20 < fixxxermet> I have 8 hosts up on my server's network, but the client is only able to reach 3 of them. And vice versa - the server can not reach all hosts on the client's network. server is ubuntu, ovpn 2.0.6. client is centos, ovpn 2.0.9. http://pastebin.com/d7b791116 should be my relevant info. 08:20 < kala> I don't want to set up a DHCP server on the LAN and use --server-bridge for that purpose. It feels kind of bad and the tunnel setup-time is probably longer? 
08:22 < ecrist> fixxxermet: sounds like a routing issue 08:22 < ecrist> kala: not really 08:26 < kala> ecrist: I could perhaps write a custom script wich --client-connect 08:27 < kala> but this is the only way I could think of 08:29 < ecrist> kala: the built-in dhcp server for openvpn is poorly-featured. your best bet is to either use static IPs, or run bridged with a 'real' DHCP server. 08:30 < Bushmills> kala, you could assign fixed addresses for vpn clients, and use a DNS which also serves from /etc/hosts (where you add the vpn names and addresses) or add them to to dns zone file 08:30 < fixxxermet> ecrist: Any recommendations? I am having trouble wrapping my head around routing tables for VPNs 08:31 < ecrist> fixxxermet: there's two options, really. you either need to put a static route for the VPN on each client system on the server lan, or you can put one route on your LAN default gateway, pointing to the VPN subnet 08:33 < fixxxermet> So if the client network is 192.168.8.0/24 and the server network is 192.168.0.0/24... Client: route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.0.47 (eth1 on server) Server: route add -net 192.168.8.0 netmask 255.255.255.0 gw 192.168.8.10 (eth1 on client) ? 
08:34 < ecrist> yes 08:34 < ecrist> well 08:34 < kala> Bushmills: if I run a DNS server on the OpenVPN server machine, then I would need to have two separate zones for "vpn-connected clients" and "LAN-connected" clients 08:34 < ecrist> no 08:34 < ecrist> fixxxermet: see here 08:34 < ecrist> !route 08:34 < vpnHelper> ecrist: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 08:34 < fixxxermet> alright, thanks 08:34 < Bushmills> kala, wouldn't matter as the DNS can serve both 08:35 < Bushmills> kala, if you mean, that DNS should resolve differently depending on what interface the resolve request came in, that's more like a DNS issue 08:40 < kala> no, I mean if client support needs to connect to the machine, they need to know if they need to do RDP to machine.openvpn.company.com or machine.lan.company.com 08:40 < fixxxermet> I am so used to skimming that I've almost forgotten how to read. 09:13 < fixxxermet> ecrist: OK, I believe my openvpn configuration is now correct. I haven't added any custom routing as I am doing the testing from the openvpn server itself. Both my client and server can ping hosts on the other's subnet, but not all of them. Why would this happen? 09:16 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 09:23 < ecrist> fixxxermet: hard to say, without being on your LAN 09:23 < ecrist> my guess would be you've got incorrect routing or conflicting IPs. 10:24 -!- eWizard [n=identd@78.63.180.97] has joined ##openvpn 10:50 -!- xipo [n=x@81-229-83-53-no65.business.telia.com] has quit [] 10:54 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has joined ##openvpn 10:55 < isox> hello, I'm having a bit of a major performance problem with openvpn 2.1. I've got a setup where I have two /24's vpn'ed into a central server...
after about 2 minutes the connection between site a -> site b becomes unusable (however the connection to the central server seems fine) 10:56 < ecrist> isox: can you paste your configs? 10:56 < ecrist> !configs 10:56 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn, or (#2) dont forget to include any ccd entries 10:56 < isox> yeah one second. 10:58 < reiffert> tcp and comp lzo 11:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:02 < isox> ecrist http://pastebin.ca/1374084 11:03 < isox> ecrist, its OpenVPN 2.1_rc7 on the clients, and the latest openvpn 2.1 series from the openvpn site. 11:09 < isox> ecrist did you take a look at those? 11:24 < kala> reiffert: tcp and comp lzo is bad? 11:30 -!- lifeforms [n=walter@tau.lfms.nl] has left ##openvpn [] 11:43 < eWizard> !topology 11:43 < vpnHelper> eWizard: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 11:43 < eWizard> !/30 11:43 < vpnHelper> eWizard: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 11:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:16 -!- thm [n=thomas@fedora/thm] has joined ##openvpn 12:17 < thm> hi! is it true that one openvpn cannot listen on TCP and UDP at the same time?
12:19 < dazo> thm: there's no way to configure that, afaik 12:23 < thm> one could run a second openvpn instance, but then IPs would change depending which one you connect to 12:39 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 12:41 < krzee> correct 12:41 < krzee> although if you are a good scripter the ips can stay the same 12:41 < krzee> !iporder 12:41 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp 12:41 < krzee> first method gives ip based on a script 12:44 < krzee> i take it back, you dont need to be that good to do it, lol 12:46 < eWizard> Hello. I can't get server and/or client to ping each other. I think the problem is with wrong routes. I'm using a bridged connection. Short information: http://www.paste.lt/paste/0020b428a484a32f0205ceaa701b5605 More detailed description: http://www.paste.lt/paste/63074c8fbe5271ed4c15728dd28f396b 12:46 < krzee> a) why are you bridging? 12:47 < krzee> b) if you are bridging, why would it be wrong routes? 
(bridging is layer2, routes are layer3) 12:47 < krzee> pls focus on a) 12:48 < eWizard> a) for smb share on local network 12:48 < krzee> omg do not use 2.0.6 12:48 < krzee> upgrade to 2.1_rc15 12:49 < krzee> and use wins on the smb share, then use tun 12:49 < eWizard> b) I think routing table on client side is not filled correctly :) 12:49 < krzee> !wins 12:49 < vpnHelper> krzee: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 12:49 < thm> krzee: that might solve the problem of assigning IPs at first glance, but not the problem that both openvpn instances shouldn't use the same subset 12:49 < eWizard> Ok, I'll try to upgrade. That's the version from freebsd port and mac ports :) 12:49 < thm> s/subset/subnet 12:50 < krzee> thm, split a /24 in half for each 12:50 < krzee> eWizard, someone had a gentoo problem yesterday that amounted to him using 2.0.7 12:51 < thm> krzee: doesn't help, if a client connects to one instance one time, and to the other the second time 12:51 < krzee> (which was what he got from portage) 12:51 < ecrist> isox: if it hasn't been said, update all clients/servers to rc15 12:51 < krzee> hrm ya you're right 12:51 < krzee> isox, also be sure you're using UDP 12:52 < krzee> isox, i guess they gotta use diff ips, but routing can all work the same still 12:52 < krzee> err 12:52 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 12:52 < krzee> i mean thm , i guess they gotta use diff ips, but routing can all work the same still 12:52 < kraut> hi 12:52 < kraut> any ideas why i'll get this message? 12:52 < krzee> kraut!! 12:52 < kraut> read UDPv4 [EHOSTUNREACH]: No route to host (code=113) 12:52 < krzee> ltns man 12:52 < kraut> what? 12:53 < krzee> long time no see 12:53 < kraut> do we know each other?
12:53 < krzee> moin 12:53 < kraut> moin ;) 12:53 < kraut> this openvpn drives me crazy 12:54 < krzee> you used to idle here like a year or so ago =] 12:54 < krzee> hrm 12:54 < krzee> kraut, 12:54 < krzee> !allinfo 12:54 < vpnHelper> krzee: "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you 12:55 < krzee> eWizard, switch to tun after enabling wins, you'll be happier with the performance once you get it working 12:56 < eWizard> ok, I'll try. 12:57 < eWizard> But first I'll upgrade to newer version. 12:57 < krzee> perfect =] 12:58 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 12:59 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has joined ##openvpn 13:07 < isox> im getting pretty poor throughput with openvpn 2.1. I have a master server with 2 clients connected... when transferring from client to client through the master server i only see about 50k/s and this is on a 10MB link 13:07 < isox> my configs are at http://pastebin.ca/1374084 13:08 < isox> if someone could take a look and suggest options I'd appreciate it 13:08 < krzee> isox, i take it you've tried removing all mtu options, and using --mtu-test on the client? 13:09 < krzee> also removing fragment option 13:11 < isox> yeah i've tried without the options 13:12 < isox> i've not tried mtu-test, what does that do? 13:12 < krzee> !man 13:12 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:12 < krzee> bbiaf, looking at a new apt i may buy 13:18 < eWizard> Upgrading to 2.1 rc15 didn't work. Time to try routing. :) 13:57 < ecrist> isox: did you upgrade your clients and server? 14:08 < mjt> is there some "MAC address space" for private use, anyone know? 14:09 < mjt> to be used for mac addresses on virtual tunnels and the like?
14:09 < mjt> like 192.168/16 and 10/8 in IP world 14:13 < mjt> 'hwell. 14:13 < mjt> http://en.wikipedia.org/wiki/MAC_address#Address_details -- locally administered address 14:13 < vpnHelper> Title: MAC address - Wikipedia, the free encyclopedia (at en.wikipedia.org) 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:30 < krzie> eWizard, hows the routing going? 14:31 < krzie> mjt, umm since MAC addresses dont go outside the lan, ild say they're all for private use 14:32 -!- eWizard [n=identd@78.63.180.97] has quit [Remote closed the connection] 14:33 < krzie> hah must have gone well (or very bad) 14:33 < mjt> ш огые вщтэе цфте зщефтешфд сдфырууююю 14:33 < mjt> errr 14:33 < mjt> i just don't want potential clashes 14:33 < mjt> with other physical NICs on the same LAN 14:34 < mjt> I had to debug such an issue today (two virtual interfaces), -- believe me, it's difficult to debug :) 14:53 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 15:35 < Bushmills> mjt, 00-01-01-xx-xx-xx are private 15:35 < Bushmills> i.e.
not assigned to any vendor 15:35 < Bushmills> so are 00-05-4F-xx-xx-xx macs 15:36 < Bushmills> mjt, there are more unassigned ranges, you can look them up for example here: http://standards.ieee.org/regauth/oui/oui.txt 15:37 -!- mjt [n=mjt@isrv.corpit.ru] has quit [Remote closed the connection] 15:38 < Bushmills> you're welcome 15:48 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 15:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn 16:02 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn 16:09 -!- b00jit [n=boojit@gw.carter.to] has joined ##openvpn 16:16 < b00jit> Hi: I'm having an issue where when I run my vpn over UDP I experience PL, but not when i run it over TCP. I'm wondering if someone can give me some pointers on the best way to go about debugging this. 16:18 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 16:21 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 110 (Connection timed out)] 16:22 -!- b00jit is now known as boojit 16:39 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Connection timed out] 16:39 -!- fixxxermet [n=kjohnson@dsl092-156-002.wdc2.dsl.speakeasy.net] has left ##openvpn [] 16:40 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn 16:41 < reiffert> PL? 16:42 < boojit> packet loss 16:43 < boojit> here's how it cropped up: our DSL connection at work is a bit dodgy right now, this is a separate issue. so just pinging the first hop from my DSL modem to the first ISP router, i'm getting 1-2% packet loss. 16:43 < boojit> So that needs to be fixed, obviously. 16:44 < boojit> But interestingly, I'm finding that if i connect to my openvpn server over this dodgy connection using UDP, I get anywhere between 5-7% PL.
If I use TCP i get like 0% PL 16:46 < reiffert> see how much loss you have, when you transfer TCP payload over the UDP link, instead of sending ICMP payload over the UDP link. 16:46 < reiffert> s,see,look, 16:47 < reiffert> !factoids search tcp 16:47 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:47 < boojit> i see where you're coming from, actually i have just been setting up tests of this nature. 16:48 < boojit> yes i've read this which is why I'm compelled to use UDP, but my actual test results are not helping to convince me. 16:48 < reiffert> alright. From my standpoint it's just plain logic. 16:49 < boojit> thanks for the pointers btw. 16:49 < reiffert> udp is a connectionless and stateless protocol. 16:49 < reiffert> icmp is as well. 16:49 < reiffert> so whenever openvpn is losing udp packets, it doesnt recognize this. 16:49 < boojit> whereas tcp does. right. 16:50 < reiffert> losing icmp packets on the payload side is recognized, but does not lead to a retransmission 16:50 < reiffert> whenever you are transmitting tcp on the payload side, tcp will take care of every single bit from the transport stream. 16:51 < boojit> right so you're saying that the delivery safeguards built into TCP are helping that icmp packet make it there when I'm using openvpn/tcp, because of retransmission, etc. I'm not getting that with openvpn/udp. 16:51 < boojit> yes i see. 16:51 < reiffert> I'd say forget all that icmp stuff and think about your payload. is it mainly udp or tcp? 16:52 < boojit> So it's false to assume that my performance over the UDP is worse simply because i'm seeing more PL with ICMP ping 16:52 < boojit> it's all TCP 16:52 < reiffert> right. TCP? use openvpn/udp then. 16:52 < reiffert> you might use tcptraceroute for your tests here. 16:53 < boojit> ok.
So what I really want to do is design my test so I'm looking at TCP performance and then I'll get a real view of which one has the better connection 16:53 < reiffert> but a simple wget and checksumming algorithm will do as well 16:53 < boojit> yeah 16:53 < boojit> yeah that actually makes a lot of sense. 16:53 -!- thm [n=thomas@fedora/thm] has left ##openvpn [] 16:54 < reiffert> whereas tcp already contains checksumming for every packet. 16:54 < reiffert> a simple wget will do. 16:54 < reiffert> you might try many small files, starting from 50 bytes, up to 1500 bytes and beyond 16:54 < boojit> yeah so really, when you think about it, particularly if the underlying link is a bit dodgy, you don't want to use openvpn/TCP while sending TCP data 16:54 < reiffert> or just one big file. 16:54 < reiffert> depends on what your payload will look like 16:54 < boojit> because of the retransmit issue described in your prev. link. 16:55 < reiffert> boojit: it's called segmenting and windowing, or in other words: acknowledgements 16:55 < reiffert> send packet, get ack, send packet, get ack 16:55 < reiffert> send packet, get no ack, resend packet 16:56 < reiffert> which is just a simple example. 16:56 < boojit> right and if you're using openvpn/tcp and sending tcp data over it, then you're going to have that whole conversation going on at both levels 16:56 < reiffert> send packet, send packet, send packet, get ack from all three, send packet and so on 16:56 < reiffert> boojit: exactly 16:57 < boojit> ok well thanks for the tips reiffert, that makes a lot of sense. I appreciate your time. 16:57 < reiffert> welcome 16:57 < reiffert> you might wanna have a look at comp-lzo as well. I dont like it, I disable it every time. 16:57 < reiffert> your tests might discover. 16:58 < reiffert> (even the opposite) 17:01 < boojit> really 17:01 < boojit> well that's interesting, because i always enable it every time 17:02 < boojit> what's the theory behind comp-lzo causing issues?
17:02 < reiffert> small lags that occur when typing on remote ssh sessions 17:02 < reiffert> let's say 100-250ms 17:03 < reiffert> I dont get them with comp-lzo off 17:03 < boojit> i'll test that as well then 17:04 < boojit> latencies are really my biggest concern -- my payloads are pretty small in size, but they are latency sensitive 17:04 < reiffert> Be sure to use the latest openvpn beta. 2.1rc15 or sth 17:04 < reiffert> doing ancient database stuff? 17:05 < boojit> no this is a custom application that we're developing 17:05 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 17:06 < boojit> we have some legacy hardware that is serial. We are writing a proxy to send the serial conversation to a remote machine 17:06 < reiffert> I'd be very interested in your results, I really like to see them, once you've made them 17:06 < reiffert> Bushmills: any idea on boojit? 17:06 < Bushmills> hang on, need to read up first 17:07 < reiffert> Bushmills: last 20 lines will do 17:07 < Bushmills> latency? 17:07 < boojit> what happens is there are heartbeats sent every second between the hardware and the receiver -- if the receiver doesn't get them in time, it assumes the hardware has dropped. 17:07 < Bushmills> try reducing MTU 17:08 < reiffert> Bushmills: latency, serial conversation 17:08 < boojit> I will write up a little bit more about what we are doing and post a link so you can see what is going on. 17:09 < reiffert> boojit: why not let the hardware talk to your application on the hardware side, and have that application talk to another application over openvpn? Advantage of that is that the application on the hardware side can handle situations like this. 17:09 < reiffert> ... and keep the conversation running to the hardware device 17:11 < boojit> well--it's a bit complicated to explain quickly. Better if i write it up a little more fully.
This serial hardware device is a custom wireless base station that is handling communication from our custom wireless handsets. What we're trying to do is make it so we can have the base station in NY and the controlling application in London, for example 17:11 < Bushmills> boojit, i had latency problems with WLAN when auto speed select was enabled 17:12 < reiffert> I guess that custom wireless base station already got an ethernet connector and is capable of 802.1Q VLANs? 17:12 < Bushmills> whenever speed changed, and it did so frequently, i experienced short phases with traffic low 17:13 < boojit> no, that's not it. I'm doing a terrible job of explaining. I'll write it up more fully and then that will explain it better. 17:13 < reiffert> boojit: Or do you want to stick with an external management device? 17:13 < reiffert> boojit: will it be worth waiting? 17:14 < reiffert> boojit: or is it a matter of days? 17:15 < boojit> Ok so the way our solution works (this is all custom hardware and software developed by us) is you have a base station that connects to a laptop via serial. This base station controls the wireless handsets. Now on the laptop side, we have a program that sits on the serial port and handles conversations to/from the base station (and therefore the handsets) 17:16 < Bushmills> heartbeat of a second without queuing between NY and London may be on the short side too when you rely on shared international lines. 17:16 < boojit> now what we're doing is writing a serial proxy. The idea is that this proxy sits on the serial port on NYCmachine. On LondonMachine, we have modified the IMLPort program (the program that normally sits on the serial port) to connect to this proxy over TCP 17:17 < reiffert> boojit: you are describing just one possible solution. Why not let openvpn run on the base station itself?
17:17 < boojit> so all the serial data between the NYCmachine and Londonmachine is just sent back and forth through this stuff 17:17 -!- petrolhead [i=blaat@77.109.123.56] has joined ##openvpn 17:17 < boojit> the base station isn't capable of running OpenVPN. 17:17 -!- sunga [n=naft@77.109.123.56] has quit [Read error: 104 (Connection reset by peer)] 17:17 < reiffert> CPU Arch? 17:18 < boojit> I don't know, i have to talk to the hardware guys. This is "legacy" stuff -- it's old, custom hardware. Don't know the arch 17:18 < reiffert> (and OS) 17:19 < reiffert> boojit: but the base station can talk ethernet over a wire? 17:19 < boojit> so i should also point out that this proxy solution is really a quick bodge to get us over the hump until our new hardware devices come out -- they will be all ethernet based, no serial comms at all 17:19 < Bushmills> just serial, i understood 17:19 < boojit> reiffert: no it cannot. It's a little black box with an antenna and a serial port 17:19 < reiffert> Bushmills: very strange piece of hardware for talking to handsets, isn't it? 17:19 < Bushmills> so it'll be connected to a box with network and serial 17:20 < Bushmills> reiffert, not really. custom design can be odd 17:20 < reiffert> Ok. 17:21 < boojit> so anyway, it's latency sensitive because the IMLPort program is listening for heartbeats from the base station and the handsets. If they don't get there in time, IMLPort dumps the base station. 17:21 < reiffert> boojit: I would not transfer serial communication around the world, but instead run an application on that laptop, that a) talks to the device via serial b) talks to an application running on the computer in london over openvpn 17:22 < Bushmills> that's what the serial proxy is all about, i reckon 17:22 < boojit> yes 17:22 < Bushmills> whether it does protocol translation or 1:1 is another matter 17:22 < reiffert> Bushmills: that application I'm talking about is handling basestation and handsets.
17:22 < boojit> except that it's kind of a dumb proxy -- it's literally just sending the serial comms back and forth exactly as they come off the serial port 17:23 < reiffert> It just doesn't care about whether london is connected or not. 17:23 < Bushmills> i suppose you could fake the heartbeat 17:23 < Bushmills> and update it from real counterpart once every so often 17:23 < Bushmills> but decoupled from the 1 sec requirement 17:23 < reiffert> Bushmills: you talking to me or him? 17:23 < Bushmills> i'm shouting to world 17:24 < boojit> that's something we are considering, and will probably have to do. In any case, it's latency sensitive for other reasons. Latency issues will never go away because of what is expected from these devices. 17:24 < reiffert> boojit: are there any latency issues between station and laptop? 17:25 < Bushmills> IMLPort runs in NY? 17:25 < Bushmills> and base station sits in London? 17:25 < reiffert> I would run a webserver on that laptop and control it from a browser in London 17:25 < reiffert> Laptop can talk to base station, no latency issues 17:26 < reiffert> link can go down, no problem 17:26 < reiffert> link = openvpn link 17:26 < reiffert> Problem is: you need to rewrite the IMLPort whatever program. 17:26 < boojit> yeah, well i'm sort of running to a point where I can't give much more detail. In any case, can I ask a little bit more about this MTU stuff? what MTU setting do you recommend? 17:27 < Bushmills> try 1.5 ... 2 times heartbeat package size 17:27 < boojit> ok 17:27 < Bushmills> or heartbeat payload +16 or +24 17:27 < boojit> ok i will fart around with that then. 17:28 < reiffert> whenever the openvpn link goes down, the base station will be lost. 17:28 < Bushmills> packet size .. 17:29 < boojit> ok i will try that.
reiffert, Bushmills thanks so much for the insight and listening to me ramble on 17:30 < Bushmills> gl 17:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:32 < reiffert> How long will that periodic crypt authentication handshake last on openvpn? 17:33 < reiffert> Bushmills: as far as I understood boojit, they are sending the serial communication over a tcp connection 17:33 < Bushmills> sounds like it. 17:35 < Bushmills> hm .. with smaller packet sizes, prioritizing smaller packets with some load balancing setup could be helpful too 19:29 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 19:48 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 19:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:26 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 21:23 -!- belZe [i=server3@p5091CFCA.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:24 -!- belZe [i=server3@p5091CCCC.dip.t-dialin.net] has joined ##openvpn 21:43 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 22:50 -!- martian67 [i=user5490@about/linux/regular/martian67] has left ##openvpn ["Leaving"] 23:35 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 110 (Connection timed out)] --- Day changed Sat Mar 28 2009 00:00 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 00:00 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 00:34 -!- sunga [n=naft@77.109.122.179] has joined ##openvpn 00:45 -!- petrolhead [i=blaat@77.109.123.56] has quit [Read error: 110 (Connection timed out)] 01:06 -!- dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 01:06 < dan__t> Hello. 01:09 < dan__t> So, would I use --client-connect to, say, run some iptables command based on the client connecting to OpenVPN? 01:10 < reiffert> Hi dan__t 01:10 < reiffert> yes, you would. 
01:10 < dan__t> Excellent. That's perfect. 01:11 < dan__t> And the env var 'bytes_sent'. Is that a cumulative total on a per-user per-session basis? 01:11 < dan__t> Would I use that if I wanted to find out how many bytes a user used in one session? 01:11 < reiffert> Yes. 01:11 < dan__t> well, bytes that were sent to the client, anyway. 01:11 < reiffert> From the manpage: 01:11 < dan__t> But that would only be available to me after the client had disconnected, correct? 01:11 < reiffert> bytes_sent 01:11 < reiffert> Total number of bytes sent to client during VPN session. Set 01:11 < reiffert> prior to execution of the --client-disconnect script. 01:11 < dan__t> Ah hah. 01:12 < dan__t> Ok, so only the --client-disconnect script can interpret that env var 01:12 < reiffert> you will find it in the status log as well. 01:12 < reiffert> dan__t: what OS are you running? 01:12 < dan__t> Linux, 2.6 01:13 < reiffert> dan__t: which version of openvpn are you running? 01:13 < dan__t> 2.1 01:13 < reiffert> e 01:13 < reiffert> dan__t: which version of openvpn are you running? 01:13 < dan__t> ? 01:14 < reiffert> 2.1 rc? 01:14 < dan__t> 2.1-0.29.rc15.el5 01:14 < dan__t> Why? 01:14 < dan__t> I'm just testing a proof of concept here. 01:14 < reiffert> 0.29? el5? 01:14 < dan__t> centos package. 01:14 < reiffert> However. Type man openvpn to your terminal 01:15 < reiffert> You know how to move within and search through manpages? 01:15 < dan__t> I've been reading the manual page. 01:16 < dan__t> I'm reading it. I just want to know at what *times* I can query those env vars. 01:16 < dan__t> And it looks like I can't just pick a connection, at any point in time, and expect to snag something like 'bytes_sent' 01:16 < dan__t> Like I can't poll the value of 'bytes_sent' off of a client session every 10 seconds. 01:16 < reiffert> status log 01:17 < dan__t> Yeah I can only get that after the client disconnects. 
01:17 < dan__t> Which, again, has nothing to do with me polling the existing connection at set intervals. 01:17 < reiffert> wrong. 01:17 < reiffert> status log 01:17 < dan__t> So if I see an OpenVPN session, I can query that connection for its current value of bytes_sent? 01:17 < reiffert> yes. 01:17 < dan__t> !howto 01:17 < vpnHelper> dan__t: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:17 < dan__t> How do I do that, reiffert? 01:18 < reiffert> dan__t: status log 01:18 < dan__t> !topology 01:18 < vpnHelper> dan__t: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 01:18 < dan__t> So the status log, logs all the data for all those env vars, at set intervals? 01:18 < dan__t> !/30 01:18 < vpnHelper> dan__t: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 01:18 < reiffert> dan__t: no. 01:18 < dan__t> So why do you keep saying "status log" 01:19 < reiffert> dan__t: it does not log all the data for all "those" env vars, but it does log bytes_sent, among others. 01:19 < dan__t> At what interval? 01:19 < reiffert> you define. 01:19 < dan__t> How? 01:19 < dan__t> With what directive? 01:19 < reiffert> read the manpage. 01:20 < dan__t> I've been reading it. Can you hint me towards it? I wouldn't be asking in here if I didn't first read the manpage. 01:20 < dan__t> I have a clue. I assure you. 01:20 < dan__t> I promise you. 01:20 < reiffert> status log 01:20 < dan__t> right, there's no entry for "status log" 01:20 < reiffert> oh, really. 01:21 < reiffert> what might it be then? 01:21 < reiffert> --umbrella maybe? 01:21 < reiffert> or --fridge? 01:21 < reiffert> or --status?
01:21 < reiffert> you were reading the manpage, you should know. 01:21 < reiffert> You promised me. 01:22 < dan__t> I see --log, but it mentions nothing of an interval. 01:22 < reiffert> You see so many things, but what you dont see is what I type here. 01:27 < dan__t> Right. 01:27 < dan__t> That was hidden. 01:28 < dan__t> Guess the man page is wrong, there is no "log" argument to --status 01:29 < dan__t> (joke) 01:30 < dan__t> Thanks. 01:32 < dan__t> I'll have to F with that when I have a live client I can R&D with 01:36 -!- dli [n=dli@adsl-75-22-28-192.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"] 01:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 02:57 < krzee> lol 02:57 < krzee> funny scroll is funny 03:42 -!- c64zottel [n=hans@p5B17B1D5.dip0.t-ipconnect.de] has joined ##openvpn 03:42 -!- c64zottel [n=hans@p5B17B1D5.dip0.t-ipconnect.de] has left ##openvpn [] 03:45 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 03:53 -!- sunga [n=naft@77.109.122.179] has quit [Read error: 104 (Connection reset by peer)] 03:53 -!- gallatin [n=gallatin@dslb-092-073-117-171.pools.arcor-ip.net] has joined ##OpenVPN 03:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:13 -!- Snicks|TWw [n=Snicks@s55915823.adsl.wanadoo.nl] has joined ##openvpn 05:08 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:56 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 05:59 < onats> anyone up? I need some help. is it possible for ISP to block UDP traffic? 05:59 < onats> how do i test it? 
06:01 < krzee> of course it is, they can block anything they want 06:01 < krzee> easiest way is with netcat 06:01 < krzee> *goes to sleep* 06:02 < onats> thanks krzee 06:02 < onats> checking 06:17 -!- bandini [n=bandini@host186-21-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 06:29 < onats> Sat Mar 28 12:28:03 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 06:29 < onats> does that mean that the network on the other side is not accepting the connection? 06:39 < Skered> onats: telnet host 1194 06:39 < Skered> That's a quick way to see if you're able to connect 06:51 < ecrist> morning, folks 06:54 < ecrist> Skered: you can't telnet to a UDP port. 07:08 -!- Snicks|TWw is now known as Snicks|eat 07:20 -!- satman [n=satman@135.166-245-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 07:22 < satman> what happens on a linux box if you have a tun device (eg 10.10.10.10/24) and you create a route to a network with as next-hop this tun-device (10.10.10.10), but no application is processing the packets? are the packets simply dropped? 07:32 < ecrist> sure, where would they go? 07:33 < ecrist> however, if you've got a route on that host for those, then the kernel *would* be handling those packets, so they wouldn't be dropped. 07:38 < reiffert> Moin 07:38 < reiffert> satman: kernel handles routing, applications do not. 07:44 < ecrist> reiffert: that's mostly true. OpenVPN does some routing. As a general rule, though, you're correct. 07:46 -!- Snicks|eat is now known as Snicks|afk 07:48 < reiffert> ecrist: I doubt that openvpn will actually route packets 07:48 < ecrist> reiffert: it actually *does* route packets for clients with iroute statements. This is all handled internally to the daemon 07:48 < ecrist> it's limited routing, but it is there. 
07:49 < reiffert> ah, I definitely need to read that piece of code 07:49 < ecrist> kernel passes the packet to tun0, which is the interface controlled by openvpn, which then routes the packet to the correct client. 07:50 < ecrist> it was all kernel driven before openvpn had server mode (with one tun interface) 07:57 < reiffert> I see. 08:35 -!- gallatin [n=gallatin@dslb-092-073-117-171.pools.arcor-ip.net] has quit ["Client exiting"] 08:47 -!- bandini [n=bandini@host186-21-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 08:53 -!- boojit [n=boojit@gw.carter.to] has quit [Remote closed the connection] 08:58 -!- boojit [n=boojit@216.160.8.126] has joined ##openvpn 10:13 < reiffert> boojit: any news yet? 10:29 -!- satman_ [n=satman@235.153-246-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 10:43 -!- satman [n=satman@135.166-245-81.adsl-dyn.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)] 10:50 -!- Snicks|afk [n=Snicks@s55915823.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 11:14 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 11:17 -!- satman_ [n=satman@235.153-246-81.adsl-dyn.isp.belgacom.be] has quit [Remote closed the connection] 11:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:07 -!- k12linux [n=k12linux@206.40.109.153] has joined ##openvpn 12:08 < k12linux> Some change with openVPN between Fedora9 and F10 is preventing me from reaching anything except the openvpn server. (after upgrading server to F10). SElinux is permissive right now. Suggestions? 12:08 < k12linux> Pings to remote LAN make it to VPN server but are not forwarded out to lan. 12:08 < reiffert> read the openvpn changelog. 12:09 < reiffert> k12linux: which sounds like it is a routing problem. 12:09 < reiffert> k12linux: or firewalling issue. 12:09 < k12linux> nod. That's what I thought at first. Routes appear correct on both ends and FW is off on server. 
12:09 < k12linux> (temporarily for testing) 12:13 < reiffert> prove the latter. 12:14 < k12linux> remote is assigned 192.168.77.6: routing table on server shows: 192.168.88.0 192.168.88.2 255.255.255.248 UG 0 0 0 tun0 12:14 < k12linux> typo 12:15 < k12linux> remote client is 192.168.88.6 12:15 < reiffert> stop. 12:15 < reiffert> just paste your firewall to a paste service. 12:15 < reiffert> like this: iptables -t filter -v -n -L 12:15 < reiffert> and: iptables -t nat -v -n -L 12:16 < reiffert> !factoids search ip forward 12:16 < vpnHelper> reiffert: 'winipforward' and 'linipforward' 12:16 < reiffert> !linipforward 12:16 < vpnHelper> reiffert: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 12:16 < reiffert> check this. 12:19 < reiffert> and while pasting paste: 12:19 < k12linux> bleh... reading that last bit I know what happened.. DOH! I never updated /etc/sysctl.conf 12:19 < reiffert> ifconfig -a and route -n 12:19 < k12linux> after new install 12:19 < reiffert> bad bad bunny 12:19 < k12linux> yep.. that fixed it. Feel like an idiot. lol 12:20 -!- jave [n=user@95.209.51.93] has joined ##openvpn 12:20 < jave> hello 12:20 < jave> I'm having some trouble getting an openvpn tunnel working 12:21 < k12linux> reiffert: I've set up enough of these that I should have thought of that. 12:21 < jave> I cant ping a machine on the network inside of an openvpn server from a openvpn client 12:21 < jave> but I can ping the client from a machine inside the openvpn 12:24 < k12linux> jave: are you talking about a setup like: client-LAN <-> OpenVPN-Client <-> OpenVPN-Server <-> Server-LAN ? 12:25 < reiffert> k12linux: he is not. 
12:25 < reiffert> jave: 12:25 < reiffert> !configs 12:25 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:28 -!- prattfall [n=sten@c-71-194-163-213.hsd1.il.comcast.net] has joined ##openvpn 12:28 -!- prattfall [n=sten@c-71-194-163-213.hsd1.il.comcast.net] has left ##openvpn [] 12:58 < Dougy> oO 12:59 < reiffert> . 12:59 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 13:08 < Bushmills> problem description misleading. "trouble getting vpn tunnel working". as you can ping client over vpn, tunnel is up. 13:09 < Bushmills> in about an hour the dark hour starts. I'll probably light things with the netbook backlight then. 13:09 < Bushmills> and my LED flashlight as well. 13:09 < Bushmills> maybe switch on my AVR stadium. 13:10 < Dougy> sprechen se englisch (do you speak English) 13:10 * Dougy can't spell 13:10 < Bushmills> oh sorry 13:10 < Bushmills> thought i was on a different channel 13:10 < Bushmills> my mad 13:10 < Bushmills> ehm 13:10 < Bushmills> bad 13:10 < Dougy> haha 13:10 * Dougy doesn't speak german 13:11 < Dougy> that's nearly everything i know in german and its still wrong 13:11 < Bushmills> neither did I. I was writing this. 13:12 < Bushmills> the chat client has channel tabs selectable by mouse wheel, seems i hit the wheel accidentally. 13:15 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Success] 13:16 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has joined ##openvpn 13:16 -!- k12linux [n=k12linux@206.40.109.153] has left ##openvpn ["Leaving"] 13:23 < kraut> where is openvpn looking for client certs and keys? 13:23 < kraut> i have them in /etc/openvpn/keys 13:23 < kraut> is that a default? 
13:23 < reiffert> moin kraut 13:23 < kraut> moin reiffert 13:23 < kraut> i got a strange issue with a client, since i updated it, i get all the time "no route to host" 13:24 < reiffert> /etc/openvpn is a default, so you will have to tell openvpn to find them like this 13:24 < reiffert> crt keys/foo.crt 13:24 < kraut> and i think the cert authentication fails 13:24 < kraut> i did that 13:24 < reiffert> !configs 13:24 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:24 < kraut> ca /etc/openvpn/keys/ca.crt 13:25 < reiffert> just paste the bunch of stuff 13:25 < reiffert> and have openssl x509 -in foo.crt -text -noout validate the time period for that this certificate should be valid 13:25 < reiffert> | End or something 13:25 < kraut> http://pastebin.com/m7774692b 13:25 < reiffert> | grep End 13:25 < kraut> that's my server config 13:25 < kraut> the client is a avm fritzbox 13:26 < kraut> not that easy to paste that ;) 13:26 < kraut> hmmmm 13:26 < kraut> http://pastebin.com/m539d7489 13:27 < kraut> # 13:27 < kraut> Mar 28 19:25:56 exodus ovpn-server[12388]: 91.97.3.40:2057 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 13:27 < kraut> # 13:27 < kraut> but wtf, why? 13:27 < kraut> Mar 28 19:25:56 exodus ovpn-server[12388]: 91.97.3.40:2057 TLS Error: TLS handshake failed 13:27 < reiffert> verb 6 might tell ya 13:28 < kraut> http://pastebin.com/m66ac4dd4 13:28 < kraut> not really 13:29 < kraut> the cert is called freedom2.netzdeponie.de, why don't i see that in the logs? 13:30 < kraut> something changed on the client side, but i don't know what 13:32 < kraut> reiffert: any ideas? 
13:33 < reiffert> kraut: yeah, send client config and client log and 19:25 < reiffert> and have openssl x509 -in foo.crt -text -noout validate the time period for that this certificate should be valid 13:34 < kraut> ah, with tcp it's looking like a cert problem 13:34 < kraut> need to check that tomorrow 13:34 < kraut> must go now 13:34 < reiffert> k cu 14:04 -!- jave [n=user@95.209.51.93] has quit [Read error: 60 (Operation timed out)] 15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 145 (Connection timed out)] 15:30 < krzie> sup guys 15:34 < krzie> damn kraut still having that problem =/ 15:41 < Dougy> my head is pounding 15:42 < krzie> haha 15:42 < krzie> hangover? 15:42 < Dougy> nope 15:42 * Dougy doens't drink 15:42 < Dougy> doesn't 15:44 * krzie does 15:45 < Dougy> <16 15:46 < krzie> i spent every weekend of my 14 yr old life with a hangover 15:46 < Dougy> lmfao 15:53 < Bushmills> krzee, then you don't know submarine special. 15:54 < krzie> i guess not 15:54 < Dougy> hrmm 15:54 * Dougy can build a nice server for not that much 15:55 < krzie> cool, colo it and gimme root! 15:55 < krzie> freebsd please 15:55 < Bushmills> krzee, hangover relief 15:56 < Dougy> krzie: no to both 15:56 * Dougy is gonna rent it 15:56 < krzie> Bushmills i always used weed for that 15:56 < Bushmills> http://forthfreak.net/snap/submarine.png 15:56 < Bushmills> sorry, babelfished. 15:57 < krzie> oh hell no 15:57 < krzie> milk + alcohol is asking for it 15:58 < Bushmills> well, it's your hangover, not mine, 15:58 < krzie> im not 14 anymore 15:58 < krzie> i barely ever get a hangover 15:58 < krzie> i find 2 things help 15:59 < krzie> 1) lots of sex and water before bed 15:59 < krzie> 2) if you do get a hangover, smoke some hash in the morning 16:00 < Bushmills> some would say that lots of alcohol and lots of sex are mutually exclusive. 
16:00 < krzie> no way 16:00 < krzie> the drunk dick comes with much power 16:00 < Dougy> lots of sex ft dubs 16:06 -!- damentz [i=damentz@support.team.at.shellium.org] has joined ##openvpn 16:06 < damentz> hello everyone 16:06 < krzie> hello 16:07 < damentz> hey i have a question 16:07 < krzie> ... 16:07 < damentz> i'm using openvpn to setup a vpn in my house using a bridge 16:07 < krzie> why bridge? 16:07 < damentz> so i can access other systems on my network 16:07 < krzie> !route 16:07 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:07 < krzie> you can do that with tun 16:07 < krzie> i even made a walkthrough for it 16:08 < damentz> !!! 16:08 < vpnHelper> damentz: Error: "!!" is not a valid command. 16:08 < damentz> krzie, what about if you were to play a game 16:08 < krzie> the game operates over layer2? 16:09 < damentz> hmm, udp 16:09 < damentz> so that's.. transport level? 16:09 < damentz> layer* 16:09 < krzie> tun 16:09 < damentz> really? 16:09 < damentz> ok 16:09 < krzie> udp / tcp = layer3 16:09 < krzie> layer2 is protocols that use MAC addresses 16:09 < krzie> like ethernet packets 16:10 < damentz> ok 16:10 < damentz> but then why are there bridges at all? 
16:11 < Dougy> krzie: 16:11 < Dougy> if you buy chassis/ram/drives etc 16:11 < krzie> for layer2 VPNs 16:11 < Dougy> i got two xeon 5050s that you can have 16:11 < krzie> which you dont need (and most dont) 16:11 < krzie> but some do 16:11 < krzie> sweet 16:11 < krzie> very kind donation of you, i will sing your praises for years to come 16:12 < damentz> krzie, ok i see what's going on 16:13 < krzie> dougy, but actually i dunno what I'd do with them 16:13 < krzie> i even have an extra box sitting in ecrist's basement i cant figure out what to do with 16:13 < krzie> 1/2 of me wants to just buy a 1u case and have him rack it up 16:14 < krzie> the other 1/2 wonders who in my family could use a computer 16:15 < krzie> nevertheless, very kind of you to offer 16:16 < damentz> using routes, every person must add a route to see your system right? 16:16 < krzie> no 16:16 < damentz> hmm? 16:16 < krzie> you just add the route to their default route 16:16 < krzie> (aka the router) 16:16 < damentz> hmm 16:16 < krzie> its all in my writeup! 16:17 < krzie> thats why i say: 16:17 < krzie> READ IT DONT SKIM IT 16:17 < damentz> hehe, ok 16:17 < krzie> !route 16:17 < vpnHelper> krzie: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:20 < Dougy> krzie: np 16:20 < Dougy> chips arent cheap either 16:21 < Dougy> krzie: http://www.fadfusion.com/selection.php?product_item_number=10026801984 16:21 < vpnHelper> Title: INTEL BX805555050P XEON 5050 DC LGA771 3.0G 2X2MB 65NM 667MHZ BOX PASSIVE (at www.fadfusion.com) 16:26 < damentz> krzie, i added a route to my router 16:28 < krzie> damn, i wish i had something to do with them 16:28 < damentz> i still wish to do a bridge though 16:28 < krzie> damentz, you already switched to routed tun? 
16:28 < damentz> for some reason it makes more sense 16:28 < Dougy> krzie: i should just build a srever and rent it 16:28 < krzie> no, it doesnt 16:28 < Dougy> server 16:28 < krzie> !bridge 16:28 < Dougy> except its expensive as balls 16:28 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where 16:28 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses. 16:28 < krzie> !tunortap 16:28 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 16:28 < damentz> hmm 16:29 < damentz> i'm still confused by your article 16:29 < damentz> it's saying i must add an iroute entry for the clients? 16:30 < krzie> is the lan behind the client or server? 16:30 < krzie> !iroute 16:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 16:30 < damentz> behind the server 16:30 < damentz> i don't care about the client's lan 16:30 < krzie> then no 16:30 < krzie> all you need is a push route 16:30 < damentz> ok 16:30 < damentz> umm, i did that on the router 16:30 < reiffert> saving the world again by converting another poor guy .. yeah it must be krzie 16:30 < damentz> is that ok? 
16:30 < krzie> as is done in my article with the servers lan 16:30 < krzie> lol reif 16:30 < krzie> everyone thinks bridging is what they need 16:31 < krzie> and like 0.5% is correct 16:31 < reiffert> 7topic be prepared to say bye bye bridge 16:31 < krzie> hell, my first setup was bridged 16:31 < krzie> cause i didn't know any better 16:32 < reiffert> I was reading that howto ... it said something like tun is much easier. bridge is for nerds, so I decided to have a bridge in the 2nd attempt :) 16:33 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 16:33 < damentz> krzie, in the configuration for openvpn, one of the comments say, "remember that these private subnets will also need to know to route the OpenVPN client address pool (10.8.0.0/255.255.255.0) back to the openvpn server 16:33 < reiffert> I really dont remember about my first openvpn setup ... hmmm. 16:33 < damentz> my router supports static routes 16:33 < damentz> would that be good enough? 16:33 < krzie> its only a static route that you could want 16:33 < krzie> give the client a LAN static ip 16:34 < damentz> ok 16:34 < damentz> so like 10.8.0.5 16:34 < damentz> bingo 16:34 < damentz> and redirect the gateway back to the openvpn server? 16:34 < damentz> err, sorry for all the questions, i've been working on this since yesterday for fun 16:34 < krzie> no, a LAN static ip 16:34 < krzie> not the vpn ip, the lan ip 16:35 < krzie> whats your clients ip on the lan? 16:35 < reiffert> maybe we should teach an eliza bot. 16:36 < krzie> eliza? 16:36 < damentz> what do you mean? 16:36 < reiffert> http://nlp-addiction.com/eliza/ 16:36 < vpnHelper> Title: Eliza Chat bot (at nlp-addiction.com) 16:36 < damentz> what is it set up to be in openvpn? 16:36 < krzie> damentz 16:36 < krzie> you know what a LAN is? 
16:36 < damentz> the 10.8.0.0 subnet 16:36 < damentz> ya, the local one i'm in 16:36 < reiffert> http://nlp-addiction.com/chatbot/ 16:36 < vpnHelper> Title: Chatbot List (at nlp-addiction.com) 16:37 < krzie> 10.8.0.x is likely your VPN network 16:37 < krzie> which is NOT a lan 16:38 < krzie> forget about the vpn for a second 16:38 < Bushmills> grin, reiffert, rookies here. 16:38 < krzie> what is the LAN ip 16:39 < krzie> hahaha reif, that bot would be fun 16:39 < krzie> would be cool to have it just idle until we unleash it 16:39 < reiffert> we would have to create a new one, answering all the openvpn questions the people ask. 16:39 < damentz> krzie, ok 16:39 < damentz> yes 16:40 < reiffert> maybe from the ecrist chatlog. 16:40 < damentz> that 10.8 is designated by the openvpn config 16:40 < krzie> good call! 16:40 < krzie> tons of seed to feed it 16:40 < krzie> it would probably have no problem debating bridge vs tun 16:40 < krzie> damentz might be an eliza bot 16:40 < damentz> lol nah 16:41 < krzie> hes taken me in quite a circle without telling me his lan ip 16:41 < damentz> i'm not even female 16:41 < reiffert> it will have to learn about a conversation taking place between several users about a subject 16:41 < damentz> 192.168.0.108 16:41 < reiffert> and crap 16:42 * krzie claps for damentz 16:42 < krzie> so tell the router that for any traffic going to 10.8.0.0 255.255.255.0 to send it to 192.168.0.108 16:42 < krzie> then make sure that 192.168.0.108 never changes ips 16:43 < reiffert> or use a dynamic routing protocol 16:43 < damentz> !! 16:43 < vpnHelper> damentz: Error: "!" is not a valid command. 
16:43 < damentz> wait 16:43 < damentz> that doesn't make sense 16:43 < krzie> then be sure to add this line to server config: push "route 192.168.0.0 255.255.255.0: 16:43 < damentz> my vpn server is 192.168.0.150 16:43 < krzie> err 16:43 < krzie> then be sure to add this line to server config: push "route 192.168.0.0 255.255.255.0" 16:43 < krzie> DUDE I WAS ASKING YOU THAT 16:43 < damentz> yes, i have that line 16:43 < damentz> you asked what my client ip was 16:43 < damentz> so i told you 16:43 < damentz> not my server 16:43 < krzie> ok well 16:44 < krzie> you cant have them on the same network 16:44 < krzie> one must be changed 16:44 < krzie> cant have both on 192.168.0.x 16:44 < reiffert> 192.168.0.200 wants to send a packet to 10.8.0.6, which travels to your LAN router, which will tell the LAN Client to re-send the packet to the openvpn server, which sends it to the openvpn client 16:44 < krzie> which is all clearly explained in my article under the pretty picture 16:45 < reiffert> tits? 16:45 < krzie> reiffert i should add a picture of tits, would prolly get people to pay attention to the article 16:45 < reiffert> the !route one? 16:45 < damentz> krzie, i don't think that was explained 16:45 < reiffert> (which I still didnt read yet) 16:45 < reiffert> !route 16:45 < vpnHelper> reiffert: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 16:45 < krzie> yes 16:46 < krzie> damentz thats cause you didnt read everything 16:46 < krzie> cause it is! 16:46 < krzie> although the part about lans having diff subnets wasnt 16:46 < krzie> i will add that 16:46 < reiffert> it starts with an example. I hate it. :) 16:48 < krzie> haha 16:48 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 16:48 < krzie> reiffert feel free to help with it if you like 16:49 < reiffert> it will end in bridging :) 16:49 < damentz> krzie, ok well i think it is setup 16:49 < krzie> lol reif 16:50 < krzie> damentz, so you changed a lan to another network? 16:50 < damentz> what? 16:50 < krzie> ie: a side is no longer 192.168.0.x 16:50 < damentz> krzie, that will be my next test 16:50 < krzie> you cant have them on the same network 16:50 < krzie> one must be changed 16:50 < krzie> cant have both on 192.168.0.x 16:50 < krzie> no test 16:50 < damentz> i'll be heading to dunkin donuts 16:50 < krzie> im telling you what must happen 16:50 < krzie> best if you change the server 16:50 < damentz> change the dhcp leases to like something odd right? 16:51 < damentz> right 16:51 < damentz> so my home network can't be 192.168.0 16:51 < krzie> to something like 192.168.50.x 16:51 < damentz> probably something weird like .7 16:51 < damentz> or ya 16:51 < damentz> these public wifi spots are not like that though 16:51 < krzie> welp, many places are 16:51 < krzie> but you've been told it wont work in that situation, the rest is up to you 16:52 < damentz> krzie, is there a way to ignore the local network? 16:52 < damentz> like i want all of my connections to route through vpn 16:52 < damentz> i saw an option for that 16:52 < krzie> doesnt change my day any if you choose to ignore me 16:52 < krzie> !def1 16:52 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:52 < krzie> !man 16:52 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:52 < damentz> lol 16:52 < damentz> oh boy, more reading 16:53 < krzie> you will also need to turn on NAT and ip forwarding on your server 16:53 < krzie> server is linux? 16:53 < damentz> yes 16:53 < damentz> i have ip forwarding 16:53 < krzie> !linnat 16:53 < damentz> but NAT? 16:53 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:53 < krzie> !linipforward 16:53 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 16:54 < damentz> oh! 
16:54 < krzie> yes, you are saying you want a 10.8.0.x ip to be NATed to the outside world 16:54 < damentz> ok ipforwarding i already did 16:54 < damentz> umm, yes 16:54 < krzie> just like your server lan already is 16:54 < damentz> so dunkin donuts -> house -> online 16:54 < damentz> basically i don't care what local network i'm in when i'm not in my house 16:54 < damentz> i want the network environment to be about the same 16:54 < damentz> but thanks for the nat tip 16:55 < krzie> so change your home network to something never used 16:55 < krzie> like 192.168.50.x or 10.100.10.x 16:55 < krzie> something the outside world will never have their lan set to 16:55 < damentz> yes 16:55 < krzie> then setup NAT on the vpn server machine as described above 16:55 < damentz> i'll do it when everyones out of my house 16:55 < krzie> then push redirect-gateway def1 to the client 16:56 < damentz> ya, i saw that directive 16:56 < damentz> i didn't know an iptables rule was required 16:56 < krzie> yup, since 10.8.0.x isnt a routeable ip on the internet 16:56 < krzie> just like your router must nat your current 192.168.0.x ips 16:59 < damentz> ok awesome 16:59 < damentz> just enabled that rule 17:10 < reiffert> 172.16.0.0/12 17:11 < krzie> !factoids search 19 17:11 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 17:12 < reiffert> came to mind when reading 17:12 < reiffert> 22:55 < krzie> so change your home network to something never used 17:15 < krzie> ya thats one isnt used too often 18:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:04 < damentz> thank you krzie for all the help 18:04 < damentz> i just tested my vpn, it works! 
18:04 < damentz> everything is tunneled through my house 18:04 < damentz> too bad my upload speed is slow 18:08 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 60 (Operation timed out)] 18:18 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 18:36 -!- portishead [n=micha@HSI-KBW-091-089-136-168.hsi2.kabel-badenwuerttemberg.de] has joined ##openvpn 18:47 -!- portishead [n=micha@HSI-KBW-091-089-136-168.hsi2.kabel-badenwuerttemberg.de] has left ##openvpn ["Verlassend"] 18:55 < krzie> yw 19:01 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 19:30 < dan__t> Hi. 19:30 < krzie> high 19:30 < dan__t> what's up. 19:31 < krzie> killing time, bout to roll out for a min for a smoke 19:31 < dan__t> word. 19:31 < krzie> but lots of time to be killed 19:31 < krzie> like 4 hours hah 19:31 < krzie> then i get to go pickup some hash! 19:32 < krzie> and maybe roll out to a party my lil bro is singing at 19:33 < dan__t> oic. 19:34 < krzie> but more likely to just go home smoke some hash and work on my systems 19:34 < krzie> haha 19:35 < krzie> need help with anything or just killing time like me? 19:35 < dan__t> Naw just bored. I was trying to think of a way to solve a high availability problem with OpenVPN, but it would be the wrong tool for the job. 19:36 < krzie> by high avail you mean like running it over 2 uplinks 19:36 < krzie> ? 19:36 < dan__t> Naw, by having a failover disaster recovery site. 19:36 < dan__t> Looks like BGP is the answer. 19:36 < krzie> ahh right 19:36 < dan__t> OpenVPN would be neat - map one IP to two RFC1918 IPs and go nuts using NAT 19:36 < dan__t> but that still leaves me with a single point of failure. 19:37 < dan__t> Unless I had two OpenVPN servers doing that type of thing. 19:37 < dan__t> But even with them, I'd need BGP. 
19:37 < krzie> can always BGP over vpn links as well 19:37 < krzie> exactly 19:37 < krzie> openvpn isnt your answer, but can fit in if required to 19:38 < dan__t> And my customer doesn't understand that you can't just make up BGP shit. You can't have a datacenter location with a provider who delegates BGP to you, and have some VPS place across the country do the same thing. 19:38 < dan__t> Providers with ASNs and IP space don't jive like that, yo. 19:38 < dan__t> apples/oranges 19:38 < krzie> tbh i dunno much about real routing protocols like BGP 19:39 < krzie> never had excuses to play with them yet 19:39 < dan__t> eh I'm AWARE, I have a good overview of how it works 19:39 < dan__t> never implemented it, probably never will. 19:39 < krzie> im sure once i have a reason and opportunity to, i will learn it no prob 19:39 < dan__t> Yeah exactly. 19:39 < krzie> werd so we're bout = there 19:39 < dan__t> werd. 19:45 < dan__t> root 522 58.6 3.1 36391284 1031776 pts/0 Sl+ 20:44 0:25 java 19:47 < krzie> damn, whatchya running on java? 19:47 < dan__t> wowza streaming server 19:58 < krzie> werd 19:58 < dan__t> piece of shit 19:58 < dan__t> but its good for porn so whatever. 20:23 -!- belZe [i=server3@p5091CCCC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:24 -!- belZe [i=server3@p5091C717.dip.t-dialin.net] has joined ##openvpn 21:05 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 113 (No route to host)] 21:06 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:16 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Connection timed out] 21:34 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 21:44 -!- j3g [n=andrer@200.130.18.1] has joined ##openvpn 21:44 < j3g> !route for lans behind openvpn 21:44 < vpnHelper> j3g: Error: "route" is not a valid command. 
21:44 < j3g> oh 21:44 < j3g> !route 21:44 < vpnHelper> j3g: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 21:44 < j3g> lol 21:48 < j3g> Anyone know if it is possible to run two openvpn instances on 2 computers (2 clients on one box, 2 servers on the other) and have just some specific kind of traffic (ie: voip) using one of the tunnels? 21:48 < j3g> I want to have voip going on another wan tunnel 21:54 < onats_> krzee you there? 21:55 < krzie> yup 21:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 21:55 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 21:55 < krzie> j3g, thats called source based routing, what os? 21:55 < krzie> i know linux can do it via iptables, but i dont know exactly how 21:55 < krzie> i never had a reason to do it 21:56 < onats_> can you help me out with something? 21:56 < krzie> depends, but ill try 21:56 < onats_> i have this vpn setup... only one client can connect to the server 21:56 < onats_> well actually the only one is currently connected to it 21:57 < onats_> when i try to connect the other clients, it always times out 21:57 < krzie> !configs 21:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:58 < onats_> what about the configs? 21:58 < krzie> vpnHelper told you 21:58 < vpnHelper> krzie: Error: "told" is not a valid command. 
21:58 < onats_> it was actually working fine for a couple of months already 21:58 < krzie> !configs 21:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:59 < onats_> ahh ok sorry 21:59 < onats_> :D 22:00 < krzie> ;] 22:01 -!- rashed2020 [n=shabati@67.205.245.208] has quit [Read error: 110 (Connection timed out)] 22:04 < onats_> krzee, http://pastebin.ca/1375381 22:06 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn 22:06 < ploo> anyone ever have issues with packets coming up short? 22:07 < ploo> im in a terminal through openvpn and it freezes, tcpdump shows packets short on both ends 22:08 < krzie> short? 22:08 < krzie> you mean like some being dropped? 22:09 < ploo> full length of packet doesn't make it 22:10 < ploo> 66 some bytes 22:10 < krzie> using tcp or any mtu options? 22:11 < ploo> its intermittent, my ssh sessions sometimes freeze also 22:11 < ploo> mtu is set to 1500 22:11 < krzie> onats_, could it have to do with a firewall somewhere in between? 22:11 < onats_> krzie, i'm considering that possibility... the devices are remote from me.. 22:11 < krzie> that seems most likely to me 22:11 < onats_> i can't telnet to the port 2000 from the client though 22:12 < ploo> tun-mtu 1500 proto tcp-client dev tun 22:12 < krzie> ahh hah! 22:12 < krzie> tcp 22:12 < krzie> !tcp 22:12 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 22:12 < krzie> thats likely your problem ploo 22:13 < krzie> onats_, telnet doesnt operate on udp... you could test with netcat tho 22:13 < onats_> krzie, however, there's one client that connects successfully... 
22:13 < krzie> so we have an idea where the firewall or other issue would be then 22:14 < krzie> ive seen ISPs and DCs do all sorts of dumbness 22:15 < ploo> krzie, so UDP then ? :p 22:16 < krzie> right 22:16 < onats_> im hoping its not the ISP that's blocking the port. it would be quite difficult to talk to the ISP tech guys 22:17 < krzie> i hope the same for you, shouldnt be hard to check with netcat 22:17 < damentz> hey krzie, guess what 22:17 < damentz> i'm at dunkin donuts using vpn 22:17 < ploo> so configure udp on both ends and I should be ok 22:17 < krzie> =] 22:17 < damentz> all connections are going through my house :) 22:18 < damentz> just the way i wanted it 22:18 < ploo> thought I tried that before, I'll change it up thanks 22:18 < krzie> cool, grab me a jelly donut 22:18 < damentz> then i took the time to setup a caching nameserver which turned out was very easy 22:18 < damentz> bind9 in debian is preset to be a caching nameserver, i just set the precedence to the opendns servers 22:18 < damentz> next i might setup polipo or squid 22:18 < onats_> how do i know if netcat got through? 22:18 < onats_> nc -u right? 22:19 < krzie> damentz you might like socks as well, dante is a nice package for it 22:19 < krzie> onats_, read its manpage 22:19 < damentz> i was reading about dante 22:19 < krzie> !google udp test netcat 22:19 < damentz> i tried setting it up, never finished 22:19 < vpnHelper> krzie: Netcat - The TCP/IP Swiss Army Knife: ; {LANG_NAVORIGIN}: ; Having fun with netcat. - Linux Forums: 22:21 < damentz> krzie, so give me an example of using dante 22:21 < damentz> like, what would i need it to 22:21 < damentz> just read the package information 22:21 < krzie> damentz, read the docs, this is a help channel for openvpn 22:21 < damentz> what does circuit level mean? 
22:21 < damentz> oh well 22:21 < damentz> let me find their irc channel, lol 22:21 < krzie> ive setup dante a few times, but i dont know it well enough to give support 22:22 < krzie> i just read the docs and do what they say... 22:22 < damentz> i know, but what is it for? 22:22 < damentz> that's what i don't know 22:22 < krzie> its a socks5 daemon 22:22 < damentz> i don't know what i could use it for, it's just a name to me 22:22 < damentz> err, right 22:22 < damentz> so a proxy? 22:23 < krzie> yes an encrypted proxy 22:23 < damentz> ohhh, that's cool 22:23 < damentz> hmm, i could have used this information while at school 22:23 < damentz> i'll set one up for my friend, he's at baylor university 22:23 < damentz> so he can play warsow or something online 22:23 < damentz> though, openvpn would work just fine 22:24 < damentz> no well 22:24 < damentz> he already uses tor for sites he can't get to 22:24 < krzie> bbiaf 22:24 < damentz> be back in a fickle? 23:58 < damentz> hey krzie, are there any books or online resources to learn more about networking in general? --- Day changed Sun Mar 29 2009 00:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:09 -!- derick_d [n=derick@61.49.254.120] has joined ##openvpn 00:25 < j3g> krzie: sorry for the delay in answering, the OS is linux (ubuntu 8.04) 00:25 < j3g> i was away :) 00:25 < j3g> the original question was 00:25 < j3g> Anyone know if it is possible to run two openvpn instances on 2 computers (2 clients on one box, 2 servers on the other) and have just some specific kind of traffic (ie: voip) using one of the tunnels? 00:25 < j3g> I want to have voip going on another wan tunnel 00:25 < j3g> you said it's about source based routing 00:26 < j3g> so regular routing (adding a route just for that IP) won't do, right? 
00:26 -!- dan__t [n=dant@ns1.hitb.net] has quit [Read error: 104 (Connection reset by peer)] 00:26 -!- _dan__t [n=dant@ns1.hitb.net] has joined ##openvpn 00:47 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 00:48 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 113 (No route to host)] 01:02 -!- derick_d [n=derick@61.49.254.120] has quit ["暂离"] 01:14 < krzee> j3g, well depends... 01:14 < krzee> if you set your voip app to use the ip range of the other vpn, no problem 01:14 < krzee> very simple 01:15 < krzee> but if you will be connecting out to the inet to an ip you dont want to specify by itself, then no 01:15 < krzee> if you already know the exact ips you need to connect to through the special vpn, there arent many of those ips, then its easy 01:15 < krzee> so i guess i need more info to answer the question right 01:18 < reiffert> moin 01:19 < krzee> moin 01:20 < reiffert> back to CEST (Summertime) 01:29 < krzee> sweet 01:29 < krzee> i should come out that way sometime 01:29 < krzee> met some cool german girls back in SD, im sure they could show me cool places to go 01:32 < reiffert> SD? 01:34 < krzee> san diego 01:34 < reiffert> :) 02:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [] 02:15 -!- rashed2020 [n=shabati@67.205.245.208] has joined ##openvpn 02:22 < krzee> !forum 02:22 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 02:49 -!- _dan__t is now known as dan__t 02:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 03:00 -!- rashed2020 [n=shabati@67.205.245.208] has quit [] 03:15 -!- c64zottel [n=hans@p5B179258.dip0.t-ipconnect.de] has joined ##openvpn 03:53 -!- bn43 [n=dhashen@196.212.81.58] has joined ##openvpn 03:55 < bn43> hello all - I'm having problems connecting to my openvpn server via a windows client - says handshake failed after trying via openvpn-gui. 
Is there a way for me to test via my ubuntu box that I can log in locally to see that it works? 03:59 < krzee> !logs 03:59 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 03:59 < krzee> !clients 03:59 < vpnHelper> krzee: Error: "clients" is not a valid command. 03:59 < krzee> err 03:59 < krzee> !configs 03:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:13 < krzee> One night, Pinocchio's girlfriend says to him, "This stinks. Every time we make love I get splinters." So Pinocchio goes to Geppetto to ask his advice. Geppetto says, "Sandpaper, my boy, that's all you need." A few days later Geppetto runs into Pinocchio and says, "So how are you doing with the girls now?" Pinocchio says, "Who needs girls?" 04:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 04:21 < bn43> krzee: ROFL 04:21 < krzee> =] 04:22 < krzee> you gunna post !logs and !configs? 04:22 < krzee> (that was directed at you) 04:22 < bn43> ok I tested on my ubuntu box and I think its to do with my bridge - ran openvpn client on the box itself and get this error Sun Mar 29 11:14:35 2009 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16) 04:22 < bn43> Sun Mar 29 11:14:35 2009 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 04:22 < bn43> Sun Mar 29 11:14:35 2009 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2) 04:22 < bn43> Sun Mar 29 11:14:35 2009 Exiting 04:24 < krzee> http://www.timesonline.co.uk/tol/news/uk/health/article5993187.ece 04:24 < vpnHelper> Title: Stem cells to grow bigger breasts - Times Online (at www.timesonline.co.uk) 04:24 < krzee> you started it as root? 04:24 < krzee> also 04:24 < krzee> why do you want bridge? 
04:25 < bn43> following a howto that said I need a bridge for vpn to work 04:25 < bn43> yes I have 04:25 < krzee> !tunortap 04:25 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 04:25 < krzee> !sample 04:25 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:29 < bn43> um - I followed this - http://www.thebakershome.net/openvpn_tutorial and followed the script to make the bridge 04:29 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 04:30 < bn43> I don't think I need to specifically address traffic to a MAC - just contact via IP 04:30 < bn43> how do I fix this> 04:30 < bn43> this? 04:31 < krzee> welp 04:31 < krzee> we're gunna start by putting you with the right config 04:31 < krzee> no reason to fix the wrong one 04:31 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 04:32 < krzee> not my fault you used some walkthrough you shouldnt have used instead of reading the howto 04:32 < krzee> i can either point you to the howto or help you do it right... 04:32 < krzee> up to you 04:32 < bn43> yes I know - I just googled it 04:32 < krzee> for the howto option, !howto 04:32 < bn43> help me do it right would really be great! 04:32 < krzee> for the other one, see above 04:33 < bn43> I'm just worried that the bridge script will conflict with trying to put it right 04:34 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 04:36 < krzee> unbridge 04:40 < bn43> i had to stop openvpn before stopping the bridge script 04:40 < bn43> now ifconfig does not show br0 or tap0 04:41 < bn43> sorry my routing got messed up when I stopped the bridge 04:41 < bn43> krzee: u still there? 04:41 < krzee> there ya go... 
04:41 < krzee> ya 04:42 < bn43> ok stopped the bridge now - whats next? 04:42 < krzee> reboot if you messed up routing 04:42 < krzee> it'll be fresh 04:42 < krzee> then look at my !sample 04:42 < krzee> change it to your needs 04:43 < Flumdahl> !sample 04:43 < vpnHelper> Flumdahl: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:43 * krzee posted that 20min ago 04:43 < krzee> we're going at a pretty slow pace :-p 04:44 < krzee> you're lucky scanning these harddrives is taking FOREVER 04:44 < bn43> krzee: how does the tun device get created? does openvpn server do it automatically? 04:44 < krzee> ive gone up 13% in 27min 04:44 < Flumdahl> your bridge script will probably create your tun interface 04:44 < krzee> so basically 1% every 2 minutes 04:45 < bn43> ya but I have stopped the bridge script 04:45 < krzee> which means its like 3 hrs to scan a drive =[ 04:45 < krzee> yes, automagical 04:45 < bn43> ok brb 04:45 < krzee> although you can make it manually if you need it static 04:45 < krzee> no reason to if only 1 openvpn running on a box and nothing else using tuns 04:45 < Flumdahl> !float 04:45 < vpnHelper> Flumdahl: Error: "float" is not a valid command. 04:45 < Flumdahl> :S 04:46 < krzee> !man 04:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 04:46 < krzee> what versions are you running? 04:46 < krzee> (as my bot asked you 47 minutes ago) 04:47 < krzee> aka 24% of my scan ago 04:54 < bn43> root@dhashen-laptop:/etc/openvpn# /etc/init.d/openvpn restart 04:54 < bn43> * Stopping virtual private network daemon. [ OK ] 04:54 < bn43> * Starting virtual private network daemon. 
Segmentation fault 04:54 < bn43> * server (FAILED) 04:54 < bn43> sumthing wong 04:58 < bn43> krzee: I think something wrong with creating the tun device 04:59 < bn43> ifconfig does not show tun 04:59 < krzee> !logs 04:59 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 04:59 < krzee> do you have tuntap loaded into the kernel? 05:01 -!- onats__ [n=onats@122.53.136.244] has joined ##openvpn 05:02 < bn43> how do I see if tuntap is loaded into kernel? 05:02 < krzee> by learning how to use your operating system 05:03 < krzee> kldstat | grep tun maybe 05:03 < krzee> i dont really use linux 05:03 < krzee> that'll check for a loaded module 05:04 < krzee> i think 05:04 < krzee> either way 05:04 < krzee> !logs 05:04 < bn43> kldstat not found 05:04 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 05:04 < krzee> !logs 05:04 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 05:04 < bn43> posting server log 05:05 < bn43> ok this is curious - server.conf has verb set to 9 but I don't have much in the server log 05:05 < krzee> then you arent looking at the server log 05:06 < krzee> prolly a status file 05:06 < krzee> vpnHelper, factoids search log 05:06 < vpnHelper> krzee: 'logs', 'irclogs', and 'topology' 05:06 < krzee> nm there 05:06 < krzee> check system logs 05:10 < bn43> http://www.pastebin.ca/1375590 05:14 < bn43> sorry - after looking at the log I realised I did not save my server.conf properly! 05:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 05:22 < krzee> did you also realize you barely gave me any of the log? 05:22 < krzee> which doesnt matter if you fixed it 05:24 < bn43> yeah fixed it! 05:24 < bn43> I did a tail of syslog 05:25 < krzee> now whats your end goal 05:25 < krzee> access the whole lan? redirect all traffic over vpn? 
or just securely access the machine 05:26 < bn43> access the whole lan securely 05:26 < krzee> !learn redirect as please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows 05:26 < vpnHelper> krzee: Joo got it. 05:26 < krzee> ok 05:26 < krzee> !route 05:26 < vpnHelper> krzee: "route" is http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT 05:26 < krzee> read it DONT SKIM IT 05:26 < krzee> read it DONT SKIM IT 05:26 < krzee> !learn route as READ IT DONT SKIM IT 05:26 < vpnHelper> krzee: Joo got it. 05:27 < bn43> i'm testing this on my laptop - I will then be installing on a file and internet gateway server 05:27 < bn43> yes windows clients 05:27 < bn43> cool will read it 05:27 < krzee> dont skim it =] 05:32 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 05:43 -!- onats__ [n=onats@122.53.136.244] has quit [Read error: 113 (No route to host)] 06:21 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 06:26 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 06:28 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 06:32 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 06:34 < bn43> krzee: u still there? 06:43 < bn43> hi all I've been reading the !route howto and I'm a little confused - the ccd file specified in server.conf - that does not exist - where must I create it? 06:44 < bn43> I point the ca, cert files to /etc/openvpn/easy-rsa/2.0/keys/ 06:44 < bn43> must I create a ccd file for each windows client connecting? 06:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:47 < bn43> krzee: ok I got it right! I've been spending long hours on this and my config files were not configured right! 
06:51 -!- dazo_home [n=David@r9dm48.net.upc.cz] has joined ##openvpn 06:52 * dazo_home is reading http://beta.openvpn.net/images/pdf/openvpn_access_server_system_admin_guide.pdf ... OpenVPN access server ... To work, SELinux must be disabled, default values for OpenVPN server port is 443/tcp ... what the heck!?!?!? 06:55 * dazo_home finds it a pity that OpenVPN Access Server is closed source as well 07:01 < onats> the guy's gotta make some money 07:03 < dazo_home> onats: I can live with that, but closing the software is an old-fashioned way to make money ... just look at what Novell and Red Hat do ... 07:03 < dazo_home> onats: and closing the software does not make the software more secure 07:04 < onats> true... 07:04 < onats> i guess its more of protecting interests... 07:04 < dazo_home> yeah ... 07:06 < onats> dazo, are you familiar with DMZ? 07:06 < dazo_home> onats: yeah 07:06 < dazo_home> onats: what are you wondering about? 07:07 < onats> if a host is set into the dmz port, does that mean all traffic / ports get routed to that host? 07:07 < dazo_home> onats: ahh ... on such SOHO routers? Yeah, usually it means that 07:07 < onats> i mean a host is set to be in the DMZ? 07:07 < onats> DAMMIT! 07:07 < onats> i've been figuring out since yesterday why the clients couldn't connect 07:08 < dazo_home> onats: but if you only want some ports .... just use port fwd and route the different ports to your inside hosts 07:08 < onats> there's this other guy who configured the security camera and put the DVR in the DMZ 07:08 < onats> i know!!! 07:08 < onats> i just found it now 07:08 < dazo_home> aha 07:08 < onats> next time i'm going to change the passwords and any changes have to go through me 07:08 < dazo_home> clever guy .... not 07:08 < onats> putting the device in DMZ is really not the right solution. dumbass 07:08 < dazo_home> I always do it like that .... 
I shall know about any changes in the network 07:09 < dazo_home> exactly 07:09 * onats is fuming 07:09 < onats> i just wasted lots of hours on that. my fault too for not checking the DMZ soon enough 07:09 * dazo_home heads for some food 07:10 < dazo_home> heh ... such things happen ... "Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement." 07:11 < onats> the configuration i put in those routers was already stable 07:12 < onats> has been stable for a couple of months 07:12 < onats> i was already reaching the point that i was doubting maybe the ISP was blocking UDP traffic.. 07:12 < onats> hehehe 07:12 < dazo_home> ouch 07:13 < dazo_home> well .... the password of the routers was probably the weak link here :-P 07:22 < onats> i had to give it to the owners 07:25 < bn43> hi I still need some clarification on routing plz - I have been reading !route and not getting the routing right 07:27 < bn43> I have a laptop running ubuntu - I get my network access via 192.168.27.0 net via wifi which is eth1, have configured the openvpn server to the ethernet card which is eth0 on 192.168.1.0 net 07:27 < bn43> openvpn provides client with 10.8.1.0 net 07:29 < bn43> I'm trying to get client to ping 192.168.27.0 net - in server.conf I have put in 'push "192.168.27.0 255.255.255.0" ' 07:29 < bn43> what am I missing here? 07:31 < bn43> um so client connects to 2 nets - 192.168.1.0 which is how it connects to my laptop, and then the openvpn client over 192.168.1.0 to the openvpn network 10.8.1.0 07:36 < dazo_home> bn43: have you enabled ip_forward? .... have you checked firewall? (esp. the FORWARD chain) 07:37 < bn43> no firewall - I'm reading about forward 07:37 < dazo_home> cat /proc/sys/net/ipv4/ip_forward ... If I recall correctly 07:39 < bn43> If I'm understanding this correctly, because the client is connecting to 192.168.1.0 net, that net on my laptop needs to have routing to the 192.168.27.0 right? 
07:40 < onats> dazo, have you played with SoC devices that boot from CF cards? 07:41 < dazo_home> onats: nope ... but I'm considering to buy a Soekris Engineering box ... 07:41 < onats> i just got an alix board 07:41 < onats> i can't boot it yet! argh! 07:41 < onats> heheh 07:41 < onats> i wonder which channel i can ask for help for this one 07:41 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 07:41 < dazo_home> bn43: yes, your client needs a route for the network on the server side ... the gateway would then be your VPN address on the server side 07:42 < dazo_home> onats: silly board :-P 07:42 < onats> dazo_home, it is? this board sucks? 07:42 < bn43> um - right - been working on this for 6 hours straight and my head is swimming - think I gotta take a break and get back to this soon 07:43 < dazo_home> onats: no, I have no idea ;-) ... I haven't tried any SoC boards at all, but I'm getting one for sure :-P 07:43 < dazo_home> bn43: good plan :) 07:43 < dazo_home> onats: I've heard several people mentioning Alix boards .... but I don't remember any pointers right now 07:44 < onats> oh ok.. 07:44 < onats> i think its pretty good (have yet to be seen) 07:44 < onats> i've read that the amd geode has a hw based AES encryption chip, or something like that... 07:44 < onats> which makes vpn throughput faster 07:45 < dazo_home> I'll ping you about your experiences when you've had it in production for a little while ;) 07:45 < bn43> thanks all 07:45 -!- bn43 [n=dhashen@196.212.81.58] has quit ["Ex-Chat"] 07:46 < onats> yeah.. that is if i can get it to boot! ahhaha 07:46 < dazo_home> onats: yeah ... that's a big plus with Geode .... what I also like about the Soekris (which is also Geode, iirc) is that they even have a PCI based VPN accelerator as well .... but Linux drivers seem not to be worked on :( 07:46 < onats> so what OS are you supposed to run on it? 
07:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 07:48 < dazo_home> I'm planning on a Linux distro, but I'm primarily getting soekris due to a PCI slot .... put in a Firewire card ... 4-5 disks on firewire and put them into a raid and hook it up to the network .... 07:48 < dazo_home> my own little NAS box .... cheaper and much more flexible, as I can install boxbackup more easily as backup client as well 07:49 < dazo_home> s/client/server/ 07:53 < onats> alix board has a mPCI slot 07:53 < onats> ahhh PCI slot! 07:53 < onats> sorry 07:53 < onats> why don't you just get an atom integrated board? 07:53 < onats> that's got a 1.6GHz processor! 07:53 < onats> heheh 08:19 -!- bn43 [n=dhashen@41.28.164.102] has joined ##openvpn 08:27 < dazo_home> Been considering that ... but I want something which can work without screen, and which I even can install without a screen .... and soekris got serial port console .... My plan is to put this box somewhere well hidden, just supply power and network, unless I add a miniPCI card with wifi ... not sure about that yet ... so I want it to consume next to nothing of power, low heat and silent ... the only thing which may make noise is the disks 08:27 -!- bn43 [n=dhashen@41.28.164.102] has quit ["Ex-Chat"] 08:27 < dazo_home> http://www.soekris.com/net5501.htm 08:27 < vpnHelper> Title: Soekris Engineering > net5501 (at www.soekris.com) 08:39 < ecrist> dazo_home: soekris + SSD 08:40 < dazo_home> ecrist: yeah ... but I want 1TB in RAID5 for all my stuff .... I have photography as a hobby ;-) 08:41 < dazo_home> ecrist: so that's why I want to put things on real disks ... and in firewire to get some speed 08:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:58 < ecrist> dazo_home: firewire is slower than PCI bus. You'd see better performance with SATA2 or SAS 09:00 < dazo_home> ecrist: hmm ... 
true ... sata2 would be better actually, but I will also be limited to 100Mbit on the NICs on this box as well, so I have no expectations to go higher ... even though I might wait until a version with 1Gbit comes and the price is right 09:02 -!- nemysis [n=nemysis@16-167.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 09:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 09:08 < ecrist> dazo_home: why do RAID5? 09:09 < dazo_home> ecrist: data integrity ... I want to be sure that even if 2 disks fails that I can restore most of the data 09:09 < ecrist> RAID5 you get one disk failure 09:09 < ecrist> RAID6 you can have two failures 09:10 < ecrist> neither one provide data integrity 09:10 < dazo_home> heh ... I meant RAID6 ... 09:10 * dazo_home is too used to writing RAID5 09:11 -!- nemysis [n=nemysis@37-16.107-92.cust.bluewin.ch] has joined ##openvpn 09:12 < dazo_home> ecrist: depends on what you mean with data integrity .... I don't mean that data cannot be modified or that changes are tracked .... purely meant as a security mechanism in case of hardware failure 09:18 < ecrist> RAID6 is the sexy. 09:18 < ecrist> our backup system at the office uses it. 09:18 < ecrist> 12 SATA2 drives, 500GB each, RAID6+0 09:19 < ecrist> /dev/mfid0 3.5T 1.2T 2.0T 37% /d 09:19 < Dougy> hayyyyyy ecrist 09:19 < ecrist> sup Dougy? haven't seen you around in a while. 09:19 < Dougy> notta 09:19 < Dougy> yeah been busy sick.. you name it i got it 09:19 < Dougy> lol 09:19 < Dougy> RAID 10 is cool too 09:20 < ecrist> dazo_home: with 6+0, can have 4 drive failures simultaneously, and still keep going. 
:) 09:20 < Dougy> Unit UnitType Status %RCmpl %V/I/M Stripe Size(GB) Cache AVrfy 09:20 < Dougy> ------------------------------------------------------------------------------ 09:20 < Dougy> u0 RAID-10 OK - - 64K 1396.96 OFF OFF 09:20 < Dougy> oO 09:21 < dazo_home> Dougy: but I want a setup where at least 2 drives can fail at the same point .... 09:21 < Dougy> talk to ecrist :) 09:21 < dazo_home> Dougy: heh 09:21 < Dougy> all i said was raid10 is cool 09:21 < Dougy> never said its good for you or anyone else :p 09:21 < dazo_home> ecrist: yeah, that's more like a setup I'd prefer ;-) 09:22 < Dougy> meh im tired of this new office already 09:22 < ecrist> dazo_home: out system cost us ~$11,000 to build 09:22 < ecrist> s/out/our/ 09:23 < Dougy> ecrist: have you any use for two 5050s 09:23 < ecrist> what are 5050s? 09:23 < Dougy> LGA 771 dempsey dual core xeons 09:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:24 < dazo_home> ecrist: yeah .... I'm planning for something cheaper ... and I'll start with less disks ... but I'm also building up a NAS for media streaming another place as well .... so that might be worth carrying with me 09:24 < ecrist> just the procs? don't think I've got anything that will take them. 09:24 < Dougy> k 09:24 < Dougy> yeah 09:24 < Dougy> hrmmmmmm 09:24 < Dougy> CentOS 5.3 is due out today.. 09:24 < ecrist> dazo_home: why don't you go with FreeBSD 8.0-current and ZFS? krzee just got it set up, loving it from what I read. 09:25 < ecrist> Dougy: what did they come out of? 09:25 < ecrist> I *may* have a place for them in my new box. 09:25 < Dougy> ecrist: a box sitting in my room 09:25 < Dougy> theyve been there for several months 09:26 < dazo_home> ecrist: I know Linux to my fingertips, been using that since 96 or so ..... but yeah, I probably should investigate the *BSD family .... I know just ZFS from what I've read, and it seems neat ... but ext3 has never ever failed me .... 
reiserfs has failed me once, but managed to restore 98% 09:27 < ecrist> Dougy: they might fit in this dell server I've got here, 1850, what do you want for them? 09:27 < Dougy> you pay me to ship them 09:27 < Dougy> they are yours 09:27 < Dougy> fwiw - 667 mhz fsb 09:28 < Dougy> They are 3.0 ghz, 4mb cache xeons 09:28 < Dougy> dual core, 667 mhz fsb 09:29 < ecrist> mm, 2.8Ghz w/800Mhz FSB 09:29 < ecrist> http://www.ecomhost.net/dedicated/pe1850_specs.pdf 09:29 < ecrist> don't think I can use them. 09:29 < Dougy> k 09:29 < Dougy> lol 09:30 < ecrist> that system is going to be my new primary server 09:30 < Dougy> cool stuff 09:31 * Dougy will just build a box and rent it with the 5050s 09:31 < ecrist> 1x2.8Ghz Xeon, 4GB RAM, FreeBSD 64-bit, 2x15k 73GB disks in gmirror, dual 550W power supplies and 2 years of on-site service remaining. All for the low, low, price of $200 courtesy of craigslist. ;) 09:32 < Dougy> wow nice 09:33 < Dougy> i'm gonna order a couple of servers worth of parts 09:33 < Dougy> build myself like 7k worth 09:33 < ecrist> my current webserver is a dell 1750, 2x2.4GHz Xeon, 1GB RAM, FreeBSD 32-bit, 2x36GB 10k drives, dual power supplies. 09:33 < Dougy> yuck 09:34 < ecrist> load avg is only 0.9 09:34 < Dougy> so? old xeons lol 09:34 < Dougy> i just unloaded both my old dells 09:34 < Dougy> had a dual 3.6 ghz with 2 satas and a dual 3.2 with 2 sata 09:34 * ecrist <3 Dell 09:34 * Dougy <3 SuperMicro 09:34 < ecrist> eew 09:35 < ecrist> we have nothing but problems with supermicro, and parts are hard to find for them after they're EOL 09:35 * Dougy has never had a problem with SM 09:37 < ecrist> we've got a server, about 3 years old, power supplies were EOL'd by SM. it took almost a month to find a replacement 09:37 < Dougy> eew 09:37 < kraut> moin 09:37 < Dougy> ey 09:48 < ecrist> wow, I started a blackberry theme hosting site last friday. someone asked me to post a donation link. I did, they donated $10 towards me developing the site. 
09:48 < ecrist> that was fast turn around. 09:48 < Dougy> lol 09:48 < Dougy> nice 09:49 < Dougy> my client owns e107designs.org 09:49 < ecrist> that site times out 09:49 < Dougy> oO 09:49 < Dougy> works fine for me 09:50 < ecrist> now it works. 09:50 < Dougy> interesting 09:50 < Dougy> its a google Pr5 09:50 < ecrist> I got what looks like an internal redirect 09:50 * Dougy got a link back on there for free 09:50 < ecrist> what is an e107? 09:51 < ecrist> nm, google didn't fail me. 09:51 < Dougy> e107 is an extremely populra CMS 09:51 < Dougy> popular 09:51 < ecrist> http://lmgtfy.com/?q=e107designs 09:51 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 09:51 < Dougy> nice 09:57 < Dougy> e107 is nice 10:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 10:22 -!- mjt [n=mjt@isrv.corpit.ru] has joined ##openvpn 11:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:59 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn 12:00 < mRCUTEO> !/30 12:00 < vpnHelper> mRCUTEO: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 12:00 < mRCUTEO> !topology 12:00 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 12:00 < mRCUTEO> !interface 12:00 < vpnHelper> mRCUTEO: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 12:07 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit [] 12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:01 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 14:12 -!- Diddi [n=diddi@colalapp.bsnet.se] has joined ##openvpn 14:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 14:14 < Diddi> hm.. without trying all too hard to find the answer; is it possible to have openvpn using a remote and/or secondary CA to check the certs with? 14:15 < Diddi> or is it perhaps rather an openssl issue ? 14:15 < kraut> reiffert: got my vpn running again. the strange thing is, that udp is not working, tcp is working like a charm. 14:16 < kraut> reiffert: i think that is an issue within the firmware-modification. need to investigate that. 14:34 < reiffert> kraut: which one, freetz or avm? 14:35 < kraut> freetz 14:35 < kraut> this dsld is teh sucks 14:35 < kraut> total blackbox... you throw an ip-packet in and hope it comes out on the other side 14:35 < reiffert> yeah. How about paying someone for getting avm's svn repo? 14:36 < kraut> na, actually we are planning to replace dsld with iptables and pppd 14:36 < reiffert> and kernel pppoe? 14:36 < kraut> yep 14:36 < reiffert> or userland, well whatever 14:37 < kraut> the problem is to size that for the capacity of the flash 14:37 < reiffert> do you know anything about that magical number of possible voice call recordings on an USB stick? 14:37 < kraut> 20 or 30 was it 14:37 < reiffert> when there are 255 on an USB stick, the voice recording function stops working 14:38 < kraut> ah, 255 makes more sense 14:38 < kraut> yep. i heard about it 14:39 < reiffert> ah well, how stupid is this? 
14:39 < kraut> don't ask me, it sucks as hell 14:39 < reiffert> some avm support guy told me, that they opened an internal ticket for this case, but after 4 months and many new updates, no changes at all. 14:40 < kraut> yep and there is also no real solution to delete them 14:40 < kraut> you need to do this by hand or with a cronjob 14:40 < reiffert> It just sucks so much. Imagine this box at a business place like a car repair station ... voice recorder stops working every week. 14:40 < reiffert> yeah 14:40 < kraut> yep, i know 14:42 < reiffert> is there any freetz software replacing this piece of avm hell by any chance? 14:42 < kraut> not at the moment 14:42 < kraut> but perhaps you could do this on your own with dtmfbox? 14:43 < reiffert> I have no idea. dtmfbox is avm stuff or free software? Already part of freetz? 14:44 < kraut> free 14:44 < kraut> yep 14:45 < kraut> but it's more a kind of a softswitch 14:45 < kraut> i have less skills concerning this telephone stuff :) 14:47 < reiffert> Once I had a voice recorder built from vgetty, 250 funny messages playing one at random 14:48 < kraut> hrhr 14:48 < reiffert> capisuite was replacing it 2 years later (vgetty = modem hell). 14:49 < reiffert> at least both voice recorders didnt have any limits. 15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 15:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: boojit 15:03 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn 15:09 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 15:18 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 15:27 < reiffert> boojit: any news? 15:29 -!- Flumdahl [i=n30@shell.auth.se] has left ##openvpn [] 15:31 < krzie> kraut still having your problem in ivpn? 15:31 < krzie> ovpn? 15:35 < reiffert> 21:15 < kraut> reiffert: got my vpn running again. the strange thing is, that udp is not working, tcp is working like a charm. 
15:35 < reiffert> 21:16 < kraut> reiffert: i think that is an issue within the firmware-modification. need to investigate that. 15:35 < reiffert> 21:34 < reiffert> kraut: which one, freetz or avm? 15:35 < reiffert> 21:35 < kraut> freetz 15:39 < krzie> firmware mod? 15:39 < krzie> he using some sort of hardware auth? 15:39 < krzie> like those lil secure keychain dongles? 15:40 < reiffert> adsl router 15:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:41 < krzie> umm, i dont think so 15:41 < krzie> if his adsl router wouldnt allow udp to pass, he'ld have no DNS 15:42 < krzie> does he use one of those linux ones? 15:42 < reiffert> yep 15:42 < krzie> checked out his firewall and whatnot? 15:42 < reiffert> dunno 15:43 < krzie> he could be blocking his own stuffs 15:43 < reiffert> problem is, all this network stuff on his hardware was replace by vendor. closed source. 15:43 < reiffert> replaced 15:43 < krzie> i have a hard time believing his router wont allow udp passthrough 15:43 < krzie> because of firmware 15:48 < Bushmills> many routers can operate as dns proxies, and their dhcp server tells client to use routers as dns. with this setup, udp doesn't need to go "through" router 15:49 < Bushmills> i suppose dig @remotedns hostname would tell 15:56 < mjt> speaking of voip and stuff like that. Here, we're using voice applications over openvpn connections. I wonder if it'll be better to set proper MTU on the tunnel interface. 15:56 < mjt> (instead of relying on -mssfix which obviously does not work for udp) 16:04 < krzie> mjt, mtu-test would tell you 16:04 < krzie> which i remember telling you 16:05 < mjt> i know mtu-test. 
i just wonder if it is really necessary :) 16:07 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Solver, bandini, kaii 16:07 -!- Netsplit over, joins: bandini, Solver, kaii 16:08 < krzie> you dont need to change mtu unless mtu-test says so 16:08 < krzie> in fact changing the mtu when it doesnt say so will probably hurt more than it could help 16:09 < mjt> it's.. interesting. 16:09 < mjt> note that most of the time, there will be no problems/issues at all -- with TCP connections, due to mssfix. 16:10 < mjt> but "some other" packets will be fragmented 16:10 < mjt> including udp 16:10 < mjt> which is all voip 16:10 < mjt> so yeah, there's no need to touch mtu because in "almost all cases" it just works. 16:12 < mjt> i'll experiment tomorrow -- wonder if setting up real MTU will change quality of voice anyhow... 16:13 < mjt> (it sucks since i switched to openvpn, but i didn't know because i don't use it - my collegues told me) 16:13 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection] 16:13 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 16:14 < mjt> and i wonder if openvpn needs it per-client instead of per-interface... 16:28 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn 16:51 -!- Dougy is now known as Dougy[Office] 17:03 -!- c64zottel [n=hans@p5B179258.dip0.t-ipconnect.de] has quit ["Leaving."] 17:31 < krzie> !route 17:31 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:32 < krzie> mjt, you gotta realize, you have udp going over udp 17:32 < krzie> so now 2 layers that can drop packets instead of 1 17:32 < krzie> dont get me wrong, you're doing it right 17:32 < krzie> but ya... 
17:32 < krzie> anyways tho, SIP works great for me over UDP, and i have 300ms latency from me to my openvpn server 17:33 < krzie> which then connects to the next place before the sip connecting is really established 17:33 < krzie> (my pbx isnt directly connected to the PSTN) 17:40 -!- dazo_home [n=David@r9dm48.net.upc.cz] has quit ["Leaving"] 17:49 < ecrist> ARAHADAHDA!!! 17:49 < ecrist> my bank is run by tight asses 17:50 < ecrist> they charge $9, yes, N I N E DOLLARS for use of an ATM that's not theirs. 17:50 < ecrist> ON TOP OF the standard ATM fee. 17:52 < krzie> bank of america? 17:52 < ecrist> no, TCF 17:52 < krzie> dunno them 17:52 < krzie> but wash mutual kicks ass 17:52 < krzie> they dont even charge for international wire transfers 17:53 < ecrist> cool 18:01 < dan__t> hm 18:10 < krzie> !irclogs 18:10 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:33 -!- ToXo [n=carbon@hosr3141-04.hh.se] has joined ##openvpn 18:33 < ToXo> Hii Rooom !!! 18:33 < ToXo> If i wll install and configure OPen VPN on Fedora... 18:34 < ToXo> then do i also need open client or window XP built in connection can connect with this server ???? 18:35 < ToXo> 58 people sitting here !! 18:35 < ToXo> HellOoo !!!! any one 18:38 < dan__t> Chill. 18:39 < dan__t> No, the built-in cannot. 18:39 < dan__t> OpenVPN GUI is a good option in that case, though. 18:39 < dan__t> Windows' "VPN" client uses PPTP, and MPEE, which is a horridly shitty excuse for a VPN. OpenVPN is SSL-based. Different mechanisms, they are not compatible. 18:42 < krzie> !learn notcompat as ipsec and pptp are NOT compatibile with openvpn... 
openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible 18:42 < vpnHelper> krzie: Joo got it. 18:42 < ToXo> if we dont implement security thing still it will not compatible ? 18:42 < krzie> IT IS NOT COMPAT 18:42 < krzie> and wont be, i dont care what you do 18:42 < krzie> but you can run openvpn on windows as well 18:43 < ToXo> hmm.. which vpn server will be nice in which we dont hav to use any client software ? 18:43 < ToXo> openVPN server ? 18:43 < krzie> we only help with openvpn 18:43 < krzie> if you want openvpn, you need openvpn on ALL machines which will directly connect 18:43 < krzie> but you only need 1 machine running openvpn in each network, even if you want the whole lan connected 18:44 < ToXo> hmm.. 18:45 < ToXo> but i heard some where that windows client can work with openvpn server.. 18:46 < ToXo> anywayz... the story is that.. i want to browse the service which is only available in that country 18:47 < ToXo> so .. i wll connect my system with that country server.. and then use that particular service 18:47 < ToXo> for that i thought i should install openvpn on that server 18:48 < krzie> well, openvpn can work on windows 18:48 < krzie> if you install openvpn on it 18:48 < krzie> but listen to me, OPENVPN ONLY CONNECTS WITH OPENVPN 18:48 < ToXo> yes .. offcourse.. 18:49 < ToXo> i was just unsure that.. why not only windows XP/ Vista client can connect to OPENVPN 18:49 < ToXo> vista also ? 18:49 < krzie> yes, you can have the client default route over the server 18:49 < krzie> yes, with 2.1 rc15 18:49 < ToXo> means ? 2.1 18:49 < krzie> the version 18:50 < krzie> you really should read the howto 18:50 < krzie> !howto 18:50 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 18:50 < krzie> also 18:50 < krzie> !sample 18:50 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:50 < krzie> then if you want to connect lans: 18:50 < krzie> !route 18:50 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:50 < krzie> for default routing over the vpn: 18:50 < krzie> !redirect 18:50 < vpnHelper> krzie: "redirect" is please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows 18:50 < ToXo> hmm. thanks.. !! but you said that yes with 2.1 of vpns .. 18:51 < krzie> openvpn 2.1 rc15 18:51 < krzie> its the version you want 18:51 < ToXo> oh i see !! 18:55 < ToXo> Thanks alot... !! Guys!! 18:55 < krzie> yw 18:55 < krzie> !learn notcompat as openvpn only connects to openvpn 18:55 < vpnHelper> krzie: Joo got it. 18:55 < ToXo> ----<-<--@ 18:56 < ToXo> taket this flower and put it at door of this room :) 18:56 < ToXo> bye all !! 18:56 < krzie> lol 18:56 < krzie> bye 18:56 < krzie> hey you never read !redirect 18:56 < krzie> you'll want that info when it comes time 18:56 < ToXo> redirect where ? 18:56 < krzie> !redirect 18:56 < vpnHelper> krzie: "redirect" is please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows 18:57 < ToXo> oh ok !!.. 18:57 < krzie> for sending your traffic from client through server's inet connection 18:57 < ToXo> see ya 18:57 -!- ToXo [n=carbon@hosr3141-04.hh.se] has left ##openvpn [] 18:59 < krzie> lol 19:21 < onats1> is there a way to scan the irc logs, even if i wasn't online that time? 
19:24 < krzie> !irclogs 19:24 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 19:25 < onats1> if ecrist isn't online, no logs? 19:25 < krzie> right 19:25 < krzie> thats who collects them 19:26 < krzie> but hes on more than the bot 19:26 < krzie> lol 19:26 < krzie> and he has a very good connection 19:26 < krzie> so trust me, its best that way anyways 19:27 < onats1> alright.. might need to go back on irc logs. was able to boot up my alix already! wheee! heheh 19:27 < krzie> alix? 19:27 < onats1> wait 19:28 < krzie> my nfs took a fatty shit 19:29 < krzie> 3 of 4 of the drives are bad 19:29 < krzie> 2 ofthe 4 crash the diag disk (SeaTools) 19:29 < krzie> and i always bought seagate to avoid this crap 19:31 < onats1> well at least its lifetime warranty! 19:31 < krzie> ya great, now i get to send them to usa and get raped by customs when they come back 19:31 < onats1> krzie, http://www.pcengines.ch/alix2d3.htm 19:31 < vpnHelper> Title: PC Engines alix2d3 product file (at www.pcengines.ch) 19:32 < onats1> where are you based again? 19:32 < onats1> try sending to SG 19:32 < krzie> caribbean 19:32 < krzie> same deal 19:33 < krzie> oh basically like a soekris box 19:33 < onats1> yes 19:34 < krzie> how much? 
19:45 < Bushmills> krzee, try clicking the "shop" button, there are prices 19:45 < krzie> he may not have bought from them 20:03 < onats1> i bought it from netgate 20:03 < onats1> total cost around $230 including shipping, casing, wifi card 20:03 < onats1> from pcengines direct it comes out cheaper, but shipping is more expensive 20:03 < krzie> right on 20:13 -!- belZe [i=server3@p5091C717.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 20:14 -!- belZe [i=noone@p5091CCF4.dip.t-dialin.net] has joined ##openvpn 20:33 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 21:26 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)] 21:27 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 21:57 -!- dli_ [n=dli@adsl-75-21-88-19.dsl.chcgil.sbcglobal.net] has joined ##openvpn 21:59 < dli_> can I run two VPNs simultaneously, A->B, and B->A, each one serves as server in once. so, I can always have VPN as far as one way port forwarding works 22:55 < ecrist> onats1: my irssi session is the one doing the logging. 22:57 < ecrist> dli_: that will break horribly 23:04 < onats1> ecrist, how do i get it? download the logs from the link: http://www.secure-computing.net/logs/openvpn.txt.gz 23:04 < onats1> ? 23:04 < ecrist> yes 23:04 < ecrist> it's all the logs from aug 1 2008 till now 23:04 < dli_> ecrist, why? 23:05 < ecrist> gzipped it's like 3MB 23:05 * ecrist goes to bed. 
23:09 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn --- Day changed Mon Mar 30 2009 01:00 < reiffert> moin 01:10 -!- bandini [n=bandini@host33-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 01:19 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn 01:20 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:23 -!- qkit [n=kiew@203.82.91.34] has joined ##openvpn 02:30 < qkit> afternoon all. 02:30 < qkit> Guys, i have a question. Was UDP connection are faster then TCP connection in openvpn? can i used both in the openvpn setting? 02:35 < qkit> ? 02:40 -!- qkit [n=kiew@203.82.91.34] has left ##openvpn [] 02:48 < kala> both simultaneusly? 02:50 < kala> the --learn-address script could be used to update the client's dynamic DNS name, after connection and disconnection, right? 03:06 < onats1> !configs 03:06 < vpnHelper> onats1: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:06 < onats1> !sampleconfigs 03:06 < vpnHelper> onats1: Error: "sampleconfigs" is not a valid command. 03:06 < onats1> !sampleconfig 03:06 < vpnHelper> onats1: Error: "sampleconfig" is not a valid command. 03:06 < onats1> !sample 03:06 < vpnHelper> onats1: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 03:07 < onats1> krzee, are you awake? 03:20 < Bushmills> onats1, ls -l /usr/share/doc/openvpn/examples/sample-scripts 03:24 < onats1> thanks Bushmills. looking. 03:26 < onats1> Bushmills, do you have a format for ifconfig-pool-persist file? 03:26 < onats1> !ifconfig-pool-persist 03:26 < vpnHelper> onats1: Error: "ifconfig-pool-persist" is not a valid command. 
03:27 -!- onats1 is now known as onats 03:27 < Bushmills> that's on of the files in the ccd dir? 03:27 < Bushmills> one 03:27 < onats> i dont think it has to be in ccd 03:27 < onats> basically i want to assign static IP's to the clients connecting 03:29 < Bushmills> yes. put a file, containing s.t. like ifconfig-push 10.86.80.6 10.86.80.7, with name of key (without the key extension), into ccd subdirectory of openvpn dir 03:30 < kraut> moin 03:34 -!- huslu_ [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has joined ##openvpn 03:34 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Remote closed the connection] 03:34 < Bushmills> and make sure the server config has a line like client-config-dir ccd 03:34 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:35 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:37 -!- FuraX [n=cp@umb-sls99-003.u-strasbg.fr] has joined ##openvpn 03:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:40 -!- dli__ [n=dli@adsl-75-22-17-129.dsl.chcgil.sbcglobal.net] has joined ##openvpn 03:52 < onats> that's for ccd... ok. i'm trying out this ifconfig-pool-persist first.. 03:53 < onats> problem with this router i'm using, there's no other directory i can write files to, except temp 03:55 -!- dli_ [n=dli@adsl-75-21-88-19.dsl.chcgil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 03:58 < Bushmills> i vaguely seem to remember that i switched to ccd config since ipp.txt entries weren't reliably assigning the same ip address upon reconnection. 03:59 < Bushmills> but - how can ipp.txt be updated if /tmp is the only dir you can write to? 04:00 < onats> there's a section there on the router config where i can run scripts on startup 04:00 < onats> it creates the files in temp dir 04:00 < onats> this is only temporary 04:01 < onats> great. 
now vpn wont start on my device 04:20 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 04:24 < reiffert> moin 04:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:02 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn 05:03 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 05:49 -!- overrider [n=override@unaffiliated/overrider] has joined ##openvpn 05:51 < overrider> hello there, id like to install openvpn on a server i have in another country, and then connect to it and surf the web via it, sort of using it as a secure proxy. can this be done? i mean, i dont need the server to issue me any IP or anything, it cant, it just has 1 public IP. maybe set it up so it issues me a localhost ip, eg 127.0.10.10 or so? 05:53 < overrider> !howto 05:53 < vpnHelper> overrider: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 06:46 -!- nemysis [n=nemysis@37-16.107-92.cust.bluewin.ch] has quit [Connection timed out] 06:49 -!- nemysis [n=nemysis@226-12.107-92.cust.bluewin.ch] has joined ##openvpn 07:10 -!- overrider [n=override@unaffiliated/overrider] has quit ["leaving"] 07:17 < c64zottel> hello 07:17 < c64zottel> i am port forwarding through a rv042 router to the openvpn-server 07:18 < c64zottel> i can see the incoming packages with tshark, but the openvpn-server is not responding, i tried verb9, and i can't see any reaction of the server when a package is arriving 07:22 < dazo> c64zottel: check your firewall config .... might be that you're blocking something in either filter or nat table 07:22 < dazo> c64zottel: also check with netstat -lnptu ... 
if you find openvpn process there 07:23 < c64zottel> dazo: openvpn is running, i could connect without the port forwarding 07:23 < c64zottel> the machine has no fw 07:24 < dazo> c64zottel: where does the portfwd happen? On the same box as openvpn, or on a box in front of openvpn box? 07:24 < c64zottel> different box 07:24 < c64zottel> the openvpn server is on an esx, the router is a r042 07:25 < c64zottel> and i can see the incoming packages on the esx 07:25 < dazo> c64zottel: then something goes wrong with the portfwd some how .... have you checked if both tcp and udp port forwarding is supported? And what about the openvpn box? tcp or udp? 07:26 < dazo> c64zottel: ahh 07:26 < c64zottel> vpn-esx:/etc/openvpn# tshark -i eth1 -f "port 1194" 07:26 < c64zottel> Running as user "root" and group "root". This could be dangerous. 07:26 < c64zottel> Capturing on eth1 07:26 < c64zottel> 0.000000 84.x.x.x -> 10.10.1.74 UDP Source port: 57360 Destination port: openvpn 07:26 < dazo> c64zottel: sounds fair enough 07:26 < c64zottel> all udp 07:27 < c64zottel> there is not much to make wrong 07:27 < dazo> c64zottel: then you really do have a firewall issue somehow .... if the openvpn process do not react to those packages at all 07:27 < c64zottel> ovpn-esx:/etc/openvpn# iptables -L 07:27 < c64zottel> Chain INPUT (policy ACCEPT) 07:27 < c64zottel> target prot opt source destination 07:27 < c64zottel> Chain FORWARD (policy ACCEPT) 07:27 < c64zottel> target prot opt source destination 07:27 < c64zottel> ACCEPT all -- anywhere anywhere 07:27 < c64zottel> ACCEPT all -- anywhere anywhere 07:27 < c64zottel> Chain OUTPUT (policy ACCEPT) 07:28 < c64zottel> target prot opt source destination 07:28 < dazo> c64zottel: what about the nat table? 
07:28 < c64zottel> ovpn-esx:/etc/openvpn# iptables -L -t nat 07:28 < c64zottel> Chain PREROUTING (policy ACCEPT) 07:28 < c64zottel> target prot opt source destination 07:28 < c64zottel> Chain POSTROUTING (policy ACCEPT) 07:28 < c64zottel> target prot opt source destination 07:28 < c64zottel> MASQUERADE all -- anywhere anywhere 07:28 < c64zottel> Chain OUTPUT (policy ACCEPT) 07:28 < c64zottel> target prot opt source destination 07:28 < c64zottel> i hope its ok posting like a pig here... 07:28 < dazo> c64zottel: that MASQUERADE rule seems odd .... 07:28 < c64zottel> this once 07:29 < dazo> c64zottel: you might get some complaints by the others here .... 07:29 < c64zottel> hm, that comes from a 2nd nic, which is disabled 07:29 < dazo> c64zottel: can you try to do iptables -t nat -F && iptables -F ... just to have them really clean 07:30 < c64zottel> echo 1 > /proc/sys/net/ipv4/ip_forward 07:30 < c64zottel> /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE 07:30 < c64zottel> /sbin/iptables -A PREROUTING -p udp --dport 1194 -i eth0 -t mangle -j ACCEPT 07:30 < c64zottel> /sbin/iptables -A PREROUTING -i eth0 -t mangle -j DROP 07:30 < c64zottel> /sbin/iptables -A FORWARD -i tap0 -o eth1 -j ACCEPT 07:30 < c64zottel> /sbin/iptables -A FORWARD -i eth1 -o tap0 -j ACCEPT 07:30 < c64zottel> that is the fw 07:30 < reiffert> why that mangle table magic? 07:31 < dazo> c64zottel: I have no idea .... 07:32 < dazo> c64zottel: please try to flush all tables .... because those FORWARD rules makes absolutely no sense at all ... default policy is ACCEPT for all your chains, you cannot make it even more explicit than that 07:32 < c64zottel> ok, i did iptalbes -F {-t nat, -t mangle } 07:32 < dazo> c64zottel: do the filter table as well ... 
without -t 07:33 < c64zottel> i did 07:33 < dazo> c64zottel: good 07:33 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 07:33 < c64zottel> no effect 07:34 < reiffert> he needs to flush the mangle table as well 07:34 < reiffert> c64zottel: paste on pastebin: 07:34 < c64zottel> reiffert: no sure anymore, once i wanted just to open 1194 07:34 < reiffert> iptables -t filter -L -v -n 07:34 < reiffert> iptables -t mangle -L -v -n 07:34 < c64zottel> reiffert: mangle is flushed 07:34 < reiffert> iptables -t nat -L -v -n 07:34 < dazo> c64zottel: oki ... add some logging on the INPUT and OUTPUT rules now ..... -I INPUT --dport -j LOG --log-prefix " INPUT >>" ... and similar for output ... and have a look at dmesg 07:34 < reiffert> opening a port: filter table 07:35 * reiffert better keeps his mouth shut now 07:35 < dazo> c64zottel: mangle table is used to change things inside the tcp/ip package ... not to block or open access ... that's all done in the filter table, thus the name filter 07:37 < c64zottel> dazo: right, but there were a problem, i can't remember, but filter has not accepted the rule 07:37 < reiffert> btw, what is c64zottel's Problem? 07:38 < dazo> c64zottel: then something was wrong in the rule definition .... you never want to filter in mangle, that's chaotic 07:38 < reiffert> did he mention that he is running on vmware? 07:38 < dazo> reiffert: yes ... esx 07:38 < reiffert> last week there's been a guy with problems on vmware as well 07:39 < dazo> reiffert: when enabling portfwd on the router in front, the traffic hits the vm but not the openvpn process ... without portfwd all is fine 07:39 < reiffert> I think it was Flumdahl 07:39 < dazo> reiffert: that's neat info .... might be some vmware issues then .... 07:39 * dazo looks in scrollback 07:39 < reiffert> dazo: how does that paket get to openvpn without portfwd? 07:40 < reiffert> dazo: I was handling Flumdahl by privat chat, plenty of ssh sessions. 
07:40 < c64zottel> ovpn-esx:~# iptables -I INPUT --dport 1194 -j LOG --log-prefix "INPUT>>" 07:40 < c64zottel> iptables v1.4.2: Unknown arg `(null)' 07:40 < c64zottel> ok, whats wrong? 07:40 < dazo> reiffert: that beats me .... that's why I began to suspect something in the iptables 07:40 * dazo will double check syntax 07:41 < reiffert> tcpdump should help you. 07:41 < dazo> reiffert: he's been using tshark .... seems reasonable 07:41 < c64zottel> reiffert: dazo: there is a 2nd nic, and i used it as a normal server with an external ip-address, but now we want to save the external ip-address 07:41 < dazo> reiffert: but not sure if that hooks unto the device before or after the netfilter 07:42 < mjt> iptables -I requires 2 arguments, not one 07:42 < dazo> iptables -I INPUT -j LOG --log-prefix "[INPUT ]" 07:42 < mjt> iptables -I $CHANNEL $number 07:42 < dazo> mjt: if you skip the number, it goes at the top 07:42 < mjt> aha. didn't know 07:43 < reiffert> dazo: before. 07:43 < reiffert> dazo: (when using libpcap) 07:44 < dazo> reiffert: yeah, I thought so ... that's why I would like to do logging in iptables ... to see what passes 07:44 < reiffert> mjt: number is optional. 07:45 < dazo> c64zottel: did you see my "modified" log change? ... not sure if it was those >> which could give an issue 07:45 < mjt> when you used all 3 - ipfw, ipchains and iptables (and now they proposed nftables)... it's not that difficult to misremember some things :) 07:45 < c64zottel> dazo: the --dport was the issue 07:45 < mjt> and dport requires proto 07:45 < dazo> mjt: well ... ipfw and ipchains have been dead since .... 2000 or so? 07:46 < dazo> c64zottel: yeah ... sorry! I forgot to add -p udp 07:46 < c64zottel> http://pastebin.com/m6b44949a 07:47 < c64zottel> ok, here are the lines, without port 1194 07:47 < c64zottel> i will change it now... 07:47 < reiffert> dazo: ah well, tcpdump captures before netfilter magic. 07:47 < reiffert> dazo: I'd preferr tcpdump. 
afk 07:49 < c64zottel> iptables -A OUTPUT -j LOG --dport 1194 -p udp 07:49 < c64zottel> iptables v1.4.2: Unknown arg `(null)' 07:49 < mjt> dazo: yeah, ipchains was gone together with kernel v. 2.2. But i still - sometimes - don't remember if something was that way in iptables or ipchains :) 07:49 < mjt> c64zottel: put -p udp before 07:50 < c64zottel> ok 07:50 < mjt> before dport, that is 07:50 < reiffert> I think he's missing the ulog/log module 07:51 < reiffert> try ulog when log fails 07:51 < dazo> reiffert: log worked ... it was just issues with --dport ... and missing -p udp 07:51 < mjt> in that case the error message is differrent 07:51 < mjt> iptables correctly handles missing modules - both kernel and userspace 07:52 < mjt> ("correctly" = with clean error messages in this case) 07:52 < mjt> esp. 1.4+ 07:52 < c64zottel> but there is nothing in /var/log/{messages,kern.log} 07:52 < mjt> but is your sys[k]log[d] running to start with? :) 07:53 < c64zottel> probably i have to give a log-file? 07:53 < dazo> c64zottel: dmesg should give you everything 07:53 < c64zottel> mjt: yes 07:53 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 113 (No route to host)] 07:53 < dazo> c64zottel: it logs via klog .... and klog messages are viewable via dmesg 07:53 < mjt> dmesg will show everything, yeah 07:53 < c64zottel> dazo: and that's still nothing 07:54 < dazo> c64zottel: then your packets gets lost in the kernel somehow 07:54 < c64zottel> Mar 30 15:54:38 ovpn-esx kernel: [615534.830425] device eth1 entered promiscuous mode 07:54 < c64zottel> Mar 30 15:54:42 ovpn-esx kernel: [615538.580614] device eth1 left promiscuous mode 07:54 < mjt> dazo: btw, there are several syslogds out there. I prefer the one from inetutils, which includes klogd into the same binary. 07:54 < mjt> lovely 07:54 < c64zottel> these two line are in /var/log/messages and are shown by dmesg 07:54 * dazo prefers syslog-ng ... 
due to the flexible and more understandable configs 07:55 < mjt> i prefer old-scool things ;) 07:55 < mjt> c64zottel: what's the system? kernel? 07:55 < c64zottel> Linux ovpn-esx 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux 07:55 < mjt> ok 07:55 < c64zottel> but how can that be? iptables shows nothing but tshark does? 07:56 < mjt> easy 07:56 < mjt> 16:49 < c64zottel> iptables -A OUTPUT -j LOG --dport 1194 -p udp 07:56 < dazo> c64zottel: that's because the packages do not reach the netfilter somehow .... and that can be either a bug in the vmware's NIC driver ... or a kernel bug 07:56 < mjt> i note the -A option 07:56 < c64zottel> ok 07:56 < mjt> -A means adding the LAST rule 07:57 < mjt> not the FIRST. 07:57 < c64zottel> mjt: but thats the only rule 07:57 < mjt> heh 07:57 < dazo> mjt: that's why I used -I ... to get it first in the chain ... because the package needs to pass the first rule 07:57 < c64zottel> ovpn-esx:~# iptables -L 07:57 < c64zottel> Chain INPUT (policy ACCEPT) 07:57 < c64zottel> target prot opt source destination 07:57 < c64zottel> LOG udp -- anywhere anywhere udp dpt:openvpn LOG level warning prefix `input>>' 07:57 < mjt> and OUTPUT chain 07:57 < c64zottel> for output the same 07:58 < mjt> do you use bridge by a chance? 07:58 < c64zottel> i agree, but we flushed it before, right? 07:58 < c64zottel> its a tap device, yepp 07:58 < mjt> i mean, --dport in OUTPUT 07:58 < dazo> c64zottel: yeah... I just wanted to be absolutely safe'n'sure 07:58 < c64zottel> ah, damn 07:58 < mjt> c64zottel: the thing is: if it's bridging, iptables wont see it 07:58 < mjt> ebtables will 07:59 < mjt> UNLESS the packets are destined for your host 07:59 < mjt> and for input/output and dport. 
If one side has --no-bind (or how it is), the port on that side will be different 08:00 < mjt> s/different/random/ 08:00 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has joined ##openvpn 08:00 < c64zottel> mjt: yes, i understand 08:00 < c64zottel> i deleted the --dport on output 08:00 < c64zottel> i installed ebtables 08:00 < AdvoWork> hi there,i need to edit my server.conf but ive got no idea where it is, what file references server.conf so i can work out where it is? 08:00 < c64zottel> i guess, it uses the same rules like iptables 08:01 < dazo> AdvoWork: whic OS? 08:01 < dazo> c64zottel: nope 08:01 < c64zottel> does the logging works equally? 08:01 < mjt> c64zottel: it's different - it works on ethernet level, not IP level 08:01 < AdvoWork> dazo, ubuntu 08:01 < dazo> AdvoWork: have you looked under /etc/openvpn/ ? 08:01 < mjt> c64zottel: i mean, it knows nothing about ip addresses, ports and the like 08:02 < AdvoWork> dazo, ive got a folder in there calle examples 08:02 < AdvoWork> ive been following this guide http://www.thebakershome.net/?q=node/56 08:02 < vpnHelper> Title: How to Install Openvpn | The Bakers Homepage (at www.thebakershome.net) 08:02 < AdvoWork> and im now on step 12 08:03 < c64zottel> ok 08:03 < c64zottel> then i gonna read the manual first... 08:03 < mjt> c64zottel: but what are you trying to do? 08:03 < mjt> why did you install ebtables? 08:04 < AdvoWork> dazo, do i need to copy server.conf and client.conf from examples to /etc/openvpn/ ? 08:04 < c64zottel> because, i guessed its helpful to find the error... 08:04 < mjt> and how do you think ebtables will help you? :) 08:04 < dazo> AdvoWork: you probably need to create that file yourself .... but I'm not sure I would recommend starting with setting up bridging if you do not explicitly need layer2 network traffic passing 08:04 < c64zottel> i have no idea, because, i don't know what ebtabels does 08:05 < dazo> mjt: maybe he wanted to install that because you talked about it? 
;-) 08:05 -!- onats__ [n=onats@122.53.131.243] has joined ##openvpn 08:05 < c64zottel> mjt: but i am very open for suggestions 08:05 < AdvoWork> dazo, how do i know if i need that then? 08:05 < mjt> ebtables is like iptables but on the "ethernet" layer 08:05 < mjt> lets one restricts mac addresses for example 08:05 < c64zottel> i got that 08:06 < mjt> c64zottel: as far as i understand you've 3 interfaces - the real nic, a bridge, and your virtual nic, right? 08:06 < c64zottel> mjt: right 08:06 < mjt> (maybe others but that's details) 08:06 < c64zottel> the 2nd nic is down 08:07 < mjt> so are the packets shown on real nic AND the virtual iface? 08:07 < mjt> tcpdump/wireshark/whatever 08:07 < c64zottel> just on the real nic 08:07 < c64zottel> eth1 08:08 < mjt> lovely. 08:09 < mjt> so check the ARP table too (ip neigh show) 08:09 < mjt> can you ping your virtual machine? 08:09 < c64zottel> 10.10.1.190 dev eth1 lladdr 00:16:b6:87:54:76 STALE 08:09 < c64zottel> 10.10.2.34 dev eth1 lladdr 00:17:08:48:d5:46 REACHABLE 08:09 < c64zottel> i am connected via ssh to the virtual machine 08:10 < mjt> dev eth1??? 08:10 < mjt> that's... wrong. 08:10 < mjt> it should be on the bridge 08:10 < c64zottel> ok, i am sorry, i mixed it 08:10 < c64zottel> i use bridging in openvpn 08:11 < c64zottel> i am confused, what do you mean with it should be on the bridge? 08:11 < mjt> i was thinking you're bridging your real nic (eth1) with your openvpn virtual nic. 08:12 < mjt> if that's not the case, scratch just everything i said so far.... 08:12 < c64zottel> i guess not, the config is pretty simple, openvpn uses tap0, and i have a normal nic, eth1 which is connected to the lan 10.10.1.74 08:14 < c64zottel> ok, i tried the same with ssh, and the same problem 08:14 < c64zottel> hm 08:14 < c64zottel> maybe, i should try another kernel, or? 08:16 < mjt> the same with ssh? 08:16 < c64zottel> yepp 08:20 < mjt> it's not kernel-related, or should not be. 08:21 < mjt> but what did you do with ssh? 
08:21 * mjt were reading scrollback... 08:21 -!- Diddi [n=diddi@colalapp.bsnet.se] has quit [Read error: 113 (No route to host)] 08:22 < c64zottel> mjt: i tried to port forward port 22 08:22 < mjt> note it's tcp not udp 08:22 < mjt> (jfyi) 08:22 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 08:23 < mjt> where your default route goes on this box? 08:23 -!- Diddi [n=diddi@colalapp.bsnet.se] has joined ##openvpn 08:23 < mjt> (i mean: might it be rp_filter?) 08:23 < mjt> or maybe some routing entry to that client IP... 08:24 < mjt> rp_filter works right between tcpdump (libpcap) and iptables `nat' and `filter' tables. Not sure about `mangle' table. 08:26 -!- paruchuri [n=paruchur@61.16.248.242] has quit ["Leaving"] 08:34 < c64zottel> i tried not that hard... 08:38 < mjt> bah 08:38 < c64zottel> i guess its better to try i different machine, but i have to eat first... 08:39 < c64zottel> dazo: mjt: thanks for the great help 08:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:04 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 09:04 < Georgio> Hi can anyone help me with openvpn? 09:04 < Georgio> can i get help here or should i find a different channel? 09:06 < Georgio> I keep getting a "VERIFY ERROR: depth=1, error=self signed certificate in certificate chain" 09:06 < dazo> Georgio: if you give more info .... 
some people here might jump up and volunteer in helping you out 09:06 < Georgio> can anyone help 09:06 < dazo> Georgio: see !logs and !configs 09:06 < dazo> !logs 09:06 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:06 < dazo> !configs 09:06 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:06 < Georgio> cool thanks dazo 09:06 < mjt> help. help! HELP! 09:06 < mjt> ;) 09:07 < dazo> Georgio: seems like mjt wants to help out ;-) 09:07 < mjt> i want to go really 09:07 < dazo> heh 09:07 < mjt> it's boring to stay in office 09:07 < Georgio> basically i have setup openvpn server on a ubuntu machine and am now trying to start the openvpn client (from windows) 09:07 < mjt> and i want to eat. 09:08 < Georgio> mjt 09:08 < Georgio> could you help 09:08 < Georgio> VERIFY ERROR: depth=1, error=self signed certificate in certificate chain 09:08 < Georgio> what could the cause of this be 09:08 < dazo> Georgio: which version of openvpn are you using? 09:09 < Georgio> i copied the ca.crt, client.crt and client.key from the server 09:09 * mjt has no idea 09:09 < mjt> that's not my area 09:09 < dazo> Georgio: from that error ... you have some certificate issues .... where did you copy those files from? Did you generate them? 09:09 < Georgio> i generated them on the server 09:09 < Georgio> and then copied them over to the client 09:10 < dazo> Georgio: with easy-rsa? 09:10 < Georgio> OpenVPN 2.1_rc7 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Jun 11 2008 09:10 < Georgio> Developed by James Yonan 09:10 < Georgio> Copyright (C) 2002-2005 OpenVPN Solutions LLC 09:10 < dazo> Georgio: and you get that error on the client or server? 09:10 < Georgio> client 09:11 < dazo> Georgio: okey ... 
first you need to upgrade to openvpn 2.1_rc15 .... the rc7 on ubuntu is veeeery troublesome 09:11 < mjt> they have rc11 packaged 09:11 < Georgio> i'm using openvpn client for windows 09:11 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.] 09:11 -!- onats__ is now known as onats 09:11 < dazo> Georgio: and in the client you should also go for the latest version .... it's a lot of small fixes which is included into RC15 09:12 < dazo> Georgio: yeah, but make sure you're running RC15 on both sides ... that'll take away some issues and possible issues 09:12 < Georgio> okay 09:12 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 09:13 < Georgio> Once i have upgraded... Do i need to copy the certificates from the ubuntu server to the windows machine? 09:14 < dazo> Georgio: the releases between rc7-rc11 came rapidly ... then it was a few months and then a race from rc11 to rc15, which I'm guessing most probably will be the final 2.1 release 09:14 < dazo> Georgio: nope ... not yet 09:14 < dazo> Georgio: but we might need to have a look unto how you created the certificates, they might have been created wrong in addition ... but since I know Ubuntu+rc7 is a tragedy, I want to have tried that upgrade first 09:15 < Georgio> cool 09:15 < Georgio> will try and upgrade it now 09:15 < dazo> Georgio: have fun :) .... And compiling from source, if that's needed, is not difficult at all with openvpn 09:16 < Georgio> I think i will have to compile from source 09:16 < Georgio> apt-get says i have the latest one. 09:16 < Georgio> should i remove my exisitng version of openvpn first? 09:24 < onats> how do you connect the pigtail antenna cable to a wifi card? push it in? 09:24 < dazo> Georgio: apt-get might say that ... but that do not mean that apt-get is right ;-) 09:24 < dazo> Georgio: you need to uninstall openvpn from apt-get .... 
and probably compile from source 09:24 < Georgio> cool 09:24 < Georgio> thanks 09:24 < dazo> Georgio: fetch the latest and greatest from http://openvpn.net/ 09:24 < dazo> np 09:24 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 09:25 < mjt> http://www.corpit.ru/debian/tls/openvpn/ will work on ubuntu too. 09:25 < vpnHelper> Title: Index of /debian/tls/openvpn (at www.corpit.ru) 09:25 < dazo> mjt: is that patched somehow? 09:26 < mjt> lemme look... 09:26 < dazo> just wondered about that ~rc15 .... that ~ makes me worried :-P 09:27 < mjt> it's now-standard debian thing 09:27 < dazo> as the official package name is openvpn-2.1_rc15 09:27 < mjt> yes 09:27 < mjt> but _ is forbidden in debian package names 09:27 < dazo> aha 09:27 < dazo> silly restriction :-P 09:27 < mjt> ~ sorts before all other chars, including "" (empty string" 09:28 < mjt> in debian version string anyway 09:28 < mjt> and the underscore (_) is used as delimiter between package name, version and architecture 09:28 < ecrist> morning, folks 09:28 < dazo> ecrist: morning! :) 09:28 < mjt> and nope, not much patches. 09:28 < mjt> hi ecrist 09:29 < mjt> i took rc11 from debian 09:29 < mjt> well, and removed some silly warnings 09:30 < mjt> (tzset-before-chroot still does not work - yet to figure what's wrong) 09:31 < dazo> mjt: Have you tried to send your patches upstream? 09:31 < krzee> folks!? 09:31 < krzee> ecrist must be sick 09:31 < mjt> hmm? 09:31 < mjt> dazo: it's on my todo list :) 09:31 < Georgio> dazo: i get this message when i try and build it 09:31 < Georgio> error: Failed build dependencies: 09:31 < Georgio> openssl-devel >= 0.9.6 is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> lzo-devel >= 1.07 is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> pam-devel is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> pkcs11-helper-devel is needed by openvpn-2.1_rc15-1.i386 09:31 < Georgio> should i download each of those apps? 09:32 < Georgio> seperately? 09:32 < mjt> wtf is that?? 
09:32 < dazo> Georgio: those packages should be available in apt-get 09:32 < krzee> your package manager should 09:32 < dazo> Georgio: just take them from there ... and retry the compilation 09:32 < mjt> which repository it is? 09:33 < mjt> some ubuntu thing? 09:33 < dazo> Georgio: but I think I would recommend you the upstream version .... from http://openvpn.net/ .... just to be sure you are on the top level 09:33 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 09:33 < Georgio> i downloaded version 2.1 rc15 09:33 < mjt> rpm? 09:34 < Georgio> yes 09:34 < Georgio> rpm 09:34 < mjt> aha, makes sense ;) 09:34 < Georgio> what makes sense? 09:34 < mjt> i wondered where that funny package name come from... :) 09:34 < dazo> Georgio: http://www.openvpn.net/release/openvpn-2.1_rc15.tar.gz 09:34 < mjt> now it all clear. 09:35 < Georgio> i got that one 09:35 < dazo> Georgio: did you do rpmbuild then? That's not needed 09:35 < Georgio> and ran this command: rpmbuild -tb openvpn-2.1_rc15.tar.gz 09:35 < Georgio> oh 09:35 < dazo> Georgio: aha ... oki .. have you installed those missing packages? 09:35 < dazo> Georgio: you need them anyway .... and then you can do .... ./configure && make 09:36 < mjt> they're named differently on debian/ubuntu 09:36 < Georgio> couldn't be found in the apt-get 09:36 < mjt> first it's not -devel but -dev 09:36 < mjt> and second it's libpam0g-dev, not pam-dev etc. 09:36 < Georgio> right 09:36 < Georgio> ;-) sorry i'm new at this 09:37 < mjt> it's distro-specific things 09:37 < ecrist> krzee: not sick, just tired today. 
;) 09:37 < mjt> happens when you try to build rpm on dpkg-based distro 09:37 < Georgio> E: Couldn't find package openssl-dev 09:37 < mjt> libssl-dev 09:38 < Georgio> that seemed to work 09:38 < Georgio> right 23 megs downloading 09:40 < Georgio> rrr 09:40 < Georgio> still not working 09:40 < Georgio> rpmbuild -tb openvpn-2.1_rc15.tar.gz 09:40 < Georgio> error: Failed build dependencies: 09:40 < Georgio> openssl-devel >= 0.9.6 is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> lzo-devel >= 1.07 is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> pam-devel is needed by openvpn-2.1_rc15-1.i386 09:40 < Georgio> pkcs11-helper-devel is needed by openvpn-2.1_rc15-1.i386 09:42 < dazo> Georgio: try to search up openssl, lzo, pam and pkcs11 in synaptic (or whichever tool you prefer) ... and install the latest available development packages 09:42 < dazo> Georgio: and then you just need to unpack that tar-ball .... run ./configure inside it .... and the make command ..... and it will start compiling 09:43 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has joined ##openvpn 09:44 < miguelcma> hi. anyone knows why OpenVPN gives a segmentation fault on OpenWRT Kamikaze 8.09? 09:45 < dazo> miguelcma: ouch ... that's a tricky one .... how big filesystem do you have on that box? 09:45 < miguelcma> dazo: 512 MB 09:45 < dazo> miguelcma: flash? or HD? 09:45 < miguelcma> flash 09:46 < dazo> miguelcma: I see ... you could try to install gdb package .... ipkg tool, I believe .... or strace .... and run openvpn via those utilities 09:46 < mjt> is it a common prob - free-space-in-filesystem-related crashes? 09:46 < dazo> miguelcma: you might get a little hint then what goes wrong 09:47 < dazo> mjt: if the gdb package can fit ... you don't have to worry about core files 09:47 < miguelcma> what do you mean with gdb? debugging openvpn? 
09:47 < dazo> mjt: the default openwrt openvpn package do not need any extra space, as logging is disabled usually 09:48 < Georgio> dazo: i did the make 09:48 < Georgio> everything seemed okay 09:49 < Georgio> how can i check if it worked? 09:49 < dazo> Georgio: so now you have an openvpn binary in that directory? 09:49 < dazo> Georgio: ./openvpn --help 09:49 < Bushmills> Georgio, you dance around it and chant 09:49 < dazo> lol 09:49 < miguelcma> dazo: do you think the problem is my 512MB CFlash? 09:50 < Georgio> Bushmills 09:50 < dazo> miguelcma: no, not really ... gdb is just a utility for debugging programs 09:50 < Georgio> i'm dancing 09:50 < Georgio> seems like it worked 09:50 < dazo> Georgio: then you can do: sudo make install 09:50 < Bushmills> see, unconventinal measures often help 09:51 < Georgio> install or install-sh? 09:51 < dazo> Georgio: no .... sudo make install 09:51 < dazo> Georgio: just those 3 words 09:51 < miguelcma> ok, dazo, thanks for your help :) i'll try something 09:52 < Georgio> done 09:52 < dazo> miguelcma: you can try to do verb 6 or something ... log to stdout .... and maybe you get a clue 09:52 < dazo> Georgio: you have now installed openvpn from source ;-) 09:52 < dazo> Georgio: now start up your server with your config .... openvpn --config ..... and see how it worls 09:52 < dazo> works 09:53 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 09:53 < Georgio_> sorry 09:54 < Georgio_> don't know what happened there 09:55 < dazo> Georgio_: something happened? 09:55 < miguelcma> dazo: openvpn --verb 6... nothing special :\ just the segmentation fault 09:55 < Georgio_> umm 09:56 < Georgio_> yes 09:56 < dazo> miguelcma: and that comes immediately? No log lines at all? 09:56 < Georgio_> hahaha not sure what though 09:56 < dazo> Georgio_: try connecting you client 09:56 < dazo> Georgio_: try connecting you _openvpn_ client, that is 09:56 < miguelcma> dazo: no, I get all the lines ok.. 
until the segmentation fault 09:56 < dazo> miguelcma: can you pastebin that log? 09:57 < Georgio_> if i type openvpn outside of that directory it gives me this message 09:57 < Georgio_> bash: /usr/sbin/openvpn: No such file or directory 09:58 < miguelcma> sure: http://pastebin.com/d7951d88b 09:58 < dazo> Georgio_: ahh ... it's probably under /usr/local/sbin/openvpn .... sorry, forgot to mention a little detail under configure 09:59 < dazo> Georgio_: but that's not so important .... close the shell and reopen it, and it'll work again 10:00 < Georgio_> i'm logged in via ssh 10:00 < Georgio_> i'll close the session 10:01 < Georgio_> and start it again 10:01 < Georgio_> or should i restart the server? 10:03 < Georgio_> okay openvpn is working 10:03 < Georgio_> how do i set it up? 10:03 < dazo> Georgio: it's enough to restart the session .... it's a hashing table in your shell which needs to be updated :) 10:03 < Georgio_> cool 10:03 < Georgio_> sorted 10:04 < dazo> Georgio: have you configured openvpn? 10:04 < Georgio_> no 10:04 < dazo> Georgio: aha ... I thought you said you had a config already earlier on .... you could use that as a starting point 10:05 < Georgio_> you said i'd need to look at how to create certificates 10:05 < Georgio_> the /etc/openvpn directory is still around 10:05 < Georgio_> with my previous setupo 10:05 < dazo> Georgio: that's the next thing .... first we will try to startup the server .... and you need to setup the server config and try starting openvpn with that .... then we'll look at the logs 10:05 < dazo> Georgio: I hoped for that ;-) 10:06 < miguelcma> dazo: http://pastebin.com/d7951d88b 10:06 < Georgio_> cool 10:06 < Georgio_> where is the new openvpn 10:06 < Georgio_> obviously under /usr/sbin/openvpn 10:07 < Georgio_> should i copy the config file there? 10:07 < dazo> Georgio: nope ... 
leave it where it is 10:07 < Georgio_> oh 10:07 < Georgio_> okay 10:07 < dazo> Georgio: we will use start openvpn like this: openvpn --config /etc/openvpn/server.conf .... or whatever is the right path for your config 10:07 < dazo> miguelcma: that's a hard nut 10:08 < dazo> miguelcma: is your openvpn box client or server? 10:08 < miguelcma> dazo: client 10:08 < miguelcma> dazo: i think it will be difficult to solve :\ i don't get any clue 10:08 < Georgio_> cool 10:08 < Georgio_> it seemed to work 10:10 < dazo> miguelcma: hmmm .... Nope, you would really need gdb on this one, to hopefully get a better clue .... or you could try to run ulimit -c 5242880 ... which might give you a core file which can be investigated on another box 10:11 < Georgio_> dazo: i run "openvpn --config /etc/openvpn/easy-rsa/openvpn.conf" it returned to the new line 10:11 < Georgio_> where to now? 10:11 < dazo> Georgio: that's expected as you probably have a line in the config saying: daemon 10:11 < dazo> Georgio: try to connect your client now 10:12 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)] 10:12 < miguelcma> dazo: ok, i'll try to investigate this issue. thanks for you time :) 10:12 < dazo> miguelcma: no prob! :) Hope you'll fix it soon! 10:12 < Georgio_> so i run /etc/init.d/openvpn start? 10:12 < miguelcma> thnks 10:12 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has quit ["Leaving"] 10:12 < dazo> Georgio_: do you still have that file there? 10:13 < dazo> Georgio_: that openvpn --config line which you ran, really started your openvpn server 10:13 < Georgio_> right 10:13 < Georgio_> that file was still there 10:13 < Georgio_> must i try start the client now? 10:13 -!- afonso [n=afonso@bl7-96-151.dsl.telepac.pt] has joined ##openvpn 10:14 < dazo> Georgio_: yeah ... 
that's what I've been trying to say now 3 times ;-) 10:14 < Georgio_> sorry 10:14 < Georgio_> i thought i'd have to build the certificates or something 10:15 < dazo> Georgio_: we will see that now soon 10:15 < Georgio_> i will install the client on windows now 10:15 < Georgio_> might take a while 10:16 < dazo> Georgio_: sure ... If I'm not here when you're back, others here might take over 10:16 < Georgio_> okay 10:17 < Georgio_> thanks 10:17 < dazo> Georgio_: np! 10:18 * mjt is back and is reading the scrollback... 10:20 < mjt> yay. 10:20 < mjt> and i'm going home, finally. Oh well, it was a stoooopid day. Monday, as usual ;) 10:22 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has quit ["Leaving."] 10:28 < Georgio_> okay dzo 10:28 < Georgio_> i ran the client 10:29 < Georgio_> i get a warning and an error 10:29 < Georgio_> do you want them? 10:29 < Georgio_> WARNING: No server certificate verification method has been enabled 10:30 < Georgio_> NOTE: OPenVPN 2.1 requires '--script-security 2' or higher 10:31 < Georgio_> right i copied the same certificate files back 10:32 < Georgio_> and i'm getting the same error i was getting with the previous version 10:34 < Georgio_> It looks like this:::: 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
10:34 < Georgio_> Mon Mar 30 17:32:40 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 10:34 < Georgio_> Mon Mar 30 17:32:40 2009 LZO compression initialized 10:34 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Excess Flood] 10:34 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net) 10:34 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn 10:35 < Georgio> sorry i pasted more than 5 lines 10:35 < Georgio> can anyone help me? 10:39 < dazo> Georgio: time to paste config files :) 10:39 < dazo> !configs 10:39 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:39 < dazo> !pastebin 10:39 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:40 < Georgio> ??? 10:40 < Georgio> dazo: which config file would you like to see? 10:40 < dazo> Georgio: openvpn server and client configs 10:41 < Georgio> dazo: can i paste it in a private message? 10:41 < Georgio> dazo: otherwise i will get booted again 10:41 < dazo> Georgio: pastebin please .... quicker and easier 10:41 < Georgio> right 10:44 < Georgio> :-D how do i pastebin 10:44 < Georgio> to pastebin.ca? 10:44 < krzee> !pastebin 10:44 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:45 < krzee> oops, didnt see dazo said that 10:45 < krzee> <--- serious hangover, gunna be 1/2 retarded today 10:45 < dazo> krzee: I was about to answer the same any way ;-) 10:45 < Georgio> 403 -forbidden??? 10:45 < dazo> uhh? 
10:45 < krzee> !google pastebin 10:45 < vpnHelper> krzee: pastebin - collaborative debugging tool: ; pastebin - Wikipedia, the free encyclopedia: ; Nopaste: 10:46 < Georgio> http://pastebin.com/d71361309 10:46 < Georgio> that is the server config file 10:46 < Georgio> http://pastebin.com/d7de58d0a 10:46 < Georgio> that is the client config 10:46 < dazo> Georgio: can you also pastebin /var/log/openvpn/openvpn.log from the server? 10:47 < krzee> at verb 6 10:47 < krzee> also 10:47 < krzee> !ipp 10:47 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 10:54 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has joined ##openvpn 10:54 < miguelcma> dazo: hi again. I've found the problem! I forgot the dh.pem file 10:55 < dazo> miguelcma: uhh ... and that causes segfault? that's nasty 10:55 < dazo> miguelcma: congrats! 10:55 < miguelcma> yup. it's strange. but is working now :) 10:56 < miguelcma> thnaks again for your time 10:57 < dazo> miguelcma: no prob! Nice to know about this one actually 10:57 < dazo> miguelcma: which openvpn version was this? 10:57 * dazo will consider to have a look at the source 10:57 < miguelcma> OpenVPN 2.0.9 i386-linux [SSL] built on Feb 8 2009 10:58 < miguelcma> running on OpenWrt Kamikaze 8.09 10:58 -!- SuperEvilDeath16 [n=death@212.206.209.177] has quit [Success] 10:59 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has quit ["Leaving"] 11:00 < Georgio> Sorry dazo this file is huge 11:00 < Georgio> just adding the end of it 11:00 < dazo> Georgio: ah ... okey ... delete it ... 
and restart openvpn and send that log 11:00 < miguelcma> this silent segmentation caused by dh.pem is an known issue? it can be an openwrt specific issue 11:01 < Georgio> http://pastebin.com/d5864d2d 11:02 < Georgio> there is the last one 11:02 < Georgio> that is the end of log file 11:02 < krzee> miguelcma, never heard anything about it 11:03 < krzee> and dh is not a mandatory feature 11:03 < krzee> (its a good idea, but plenty of openvpn users go without it) 11:04 < miguelcma> hum.. should i report a bug on your tracker? 11:05 < krzee> no, you arent using the most up to date version 11:05 < krzee> so its pointless 11:05 < krzee> 2.1 rc15 is the up to date version 11:05 < krzee> 2.0.9 is 4+ yrs old 11:05 < miguelcma> ouch.. 4 years is a lot 11:06 < miguelcma> i'm using this one because it was the openwrt buildroot default 11:06 -!- ikla [n=lbz@fw1.aspsys.com] has joined ##openvpn 11:07 < dazo> miguelcma: that's what I'm not sure about .... 11:07 < dazo> miguelcma: that's why I'm wondering about openvpn version 11:07 < dazo> Georgio: thanks! I'll have a look at it soon 11:07 < Georgio> great thank you dazo! 11:15 < Georgio> hey Dazo 11:15 < Georgio> have you managed to have a look 11:15 < Georgio> sorry if i'm pestering 11:15 < dazo> Georgio: I'm looking at your log 11:15 < Georgio> thanks 11:15 < miguelcma> hope no one asks for this segmentation fault 11:16 < miguelcma> bye. thanks again 11:16 -!- miguelcma [n=miguelcm@87-196-211-151.net.novis.pt] has quit ["Leaving"] 11:16 < dazo> Georgio: it do not give enough info :( ... But that's changeable :) 11:16 < Georgio> good grief okat 11:17 < Georgio> what do you need me to do? 11:17 < dazo> Georgio: can you please change the server config a little bit? ... stop the openvpn process ... delete the old log file ... edit the config, on line 26 you have verb4 ... 
increase that to verb 5 11:18 < dazo> and then start openvpn again 11:19 < Georgio> how do i stop the opwnvpn 11:20 < dazo> killall openvpn 11:20 < Georgio> ps -ef 11:20 < krzee> ps auxw|grep openvpn 11:20 < Georgio> didn't show openvpn running 11:20 < Georgio> weird 11:20 < krzee> kill -9 11:20 < dazo> Georgio: since we started it manually, we'll need to stop it like this 11:21 < Georgio> openvpn: no process killed 11:21 < dazo> krzee: kill -9 ... it too much at the beginning .... kill -TERM is usually enough 11:21 < dazo> Georgio: ps axuw| grep openvpn .... does that give you anything? 11:21 < krzee> kill -9 `ps auxw|grep openvpn|awk '{print $2}'` 11:21 < krzee> hehe 11:22 < Georgio> root 7134 0.0 0.0 3004 764 pts/0 S+ 18:37 0:00 grep openvpn 11:22 < krzee> dazo, cool... i always -9 stuff 11:22 < krzee> Georgio might not be starting it in daemon mode 11:22 < krzee> (i didnt look at his confs) 11:23 < dazo> krzee: -9 == -KILL .... which is the most nasty way to stop a process, the process have no chance to shutdown properly ... while -TERM will allow it to do a graceful shutdown 11:23 -!- Diddi [n=diddi@colalapp.bsnet.se] has quit [Read error: 113 (No route to host)] 11:23 < krzee> graceful smasheful 11:23 < krzee> i kill like a barbarian! 11:23 < dazo> krzee: I've noticed :-P 11:23 < krzee> lol 11:23 < dazo> TERM = -15 11:23 < krzee> i club the process until it submits 11:24 < dazo> krzee: until it comes sneaking out of the ethernet? 11:24 < krzee> i dont even kill it til its already begging for it 11:24 < krzee> leaking memory and stuff 11:24 < krzee> then i kill -9 11:25 < dazo> krzee: in emergency situation that's needed ..... sounds like apache processes though :-P 11:26 < dazo> krzee: my normal routine it kill -15 / -TERM .... kill -3 / -QUIT .... and then kill -9 / -KILL .... 
but I've began to use the kill names, because I mixed some of the numbers a couple of times :-P 11:26 < krzee> (or windows, lol) 11:27 < dazo> krzee: Reminds me of an old Windows joke ..... "How to execute Windows? format c:" 11:27 < krzee> hahah 11:27 < Georgio> hmm 11:27 < Georgio> i don't think openvpn was running 11:27 < krzee> no kidding 11:28 < dazo> Georgio: then we're unto something 11:28 < dazo> Georgio: okey ... then, lets make sure we have absolutely controll 11:28 < Georgio> i am root 11:28 < dazo> Georgio: in the config .... hash out the "daemon" sentence .... #daemon 11:28 < Georgio> okay 11:29 < dazo> Georgio: and do the same with the log-append sentence .... now we will get all logging to screen 11:29 < dazo> line 24 - log-append 11:29 < dazo> 25 11:29 < Georgio> done 11:29 < Georgio> now? 11:30 < dazo> Georgio: good! then lets start openvpn: openvpn --config 11:30 < dazo> Georgio: and it should now print a lot of stuff to the screen .... I want that stuff .... especially after you try to connect from your windows client 11:31 < Georgio> Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/easy-rsa/openvpn.conf:17: comp-lzo (2.1_rc15) 11:31 < krzee> not compiled with comp-lzo 11:31 < Georgio> i had to compile openvpn with lzo disabled 11:31 < Georgio> yes 11:31 < Georgio> there was an error on lzo 11:31 < krzee> if you know that, you should know to comment that from both configs 11:31 < dazo> Georgio: okey .... hash out that line as well 11:33 < Georgio> http://pastebin.com/d4b9efeb4 11:33 < Georgio> output\ 11:35 * dazo looks 11:36 < dazo> Georgio: if you look at line 26 ......... 11:36 < Georgio> yes 11:36 < dazo> Cannot open /etc/openvpn/dh1024.pem 11:36 < Georgio> right 11:37 < Georgio> will look at this 11:37 < dazo> where do you have that file? 
you need to fix that 11:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:39 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:41 < Georgio> Sorry that was a stupid mistake 11:41 < Georgio> check the output file now :http://pastebin.com/db5a5ed1 11:42 < dazo> Georgio: this seems more reasonable .... can you try to connect your client? 11:42 < Georgio> looks better 11:42 < dazo> sure does! Now openvpn is actually running ;-) 11:42 < Georgio> hahah 11:43 < Georgio> Here is the output: http://pastebin.com/d3995509e 11:45 < dazo> Georgio: was this the output from the client? 11:45 < Georgio> yes 11:47 < dazo> Georgio: okey ... lets do some config changes on the client as well 11:47 < Georgio> cool 11:47 < Georgio> what must i change 11:47 < dazo> comp-lzo is disabled on the server, so we must disable it on the client as well 11:48 < dazo> increase verb to 5 there as well 11:48 < Georgio> okay should i send you the output? 11:49 < dazo> Georgio: please do 11:49 < Georgio> http://pastebin.com/d5ac60a99 11:50 < dazo> Georgio: how is it with the firewall settings on your server? Have you opened up for openvpn? udp port 1194 11:50 < Georgio> will check 11:52 < Georgio> just trying to see 11:56 < Georgio> okay it seems the port is open 11:57 < dazo> Georgio: when you have sorted out the firewall ... you would see that the openvpn server process would begin to write things unto the screen on client connects 11:57 < dazo> Georgio: so unless nothing happes here, just the same openvpn screen ... you do not manage to get a connection through 11:57 < Georgio> the server seems to be doing nothing 11:58 < Georgio> would the only reason for this be the firewall? 11:58 * ecrist points to channel topic. 11:58 < dazo> Georgio: usually that's the case yes 11:58 < ecrist> Georgio: turn of your firewall. if it starts working, you've found your problem. 
11:59 < Georgio> firewall is completely off
11:59 < Georgio> no luck
11:59 < Georgio> the server is on my local network
12:00 < Georgio> just for testing now
12:00 < dazo> Georgio: iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -t nat -P PREROUTING ACCEPT iptables -t nat -P OUTPUT ACCEPT ; iptables -F ; iptables -X ; iptables -t nat -F ; iptables -t nat -X .... that would clean up and open it completely up
12:01 < dazo> I missed one ... iptables -t -P POSTROUTING
12:01 < Georgio> where do i put this?
12:01 < dazo> I missed one ... iptables -t -P POSTROUTING ACCEPT
12:01 < dazo> run them in a root shell
12:01 < Georgio> would this affect security?
12:01 < dazo> Georgio: make sure you run the -P ones first
12:02 < dazo> Georgio: yeah, it turns off firewalling, until you reload your firewall rules again
12:03 < Georgio> nervous to turn my server firewall off
12:03 < Georgio> how do i turn it all back on?
12:03 < dazo> Georgio: you can make a backup
12:03 < dazo> iptables-save > fw-backup.ipt
12:04 < dazo> Georgio: and to restore it .... iptables-restore < fw-backup.ipt
12:06 < Georgio> what is the opposite of accept? decline?
12:07 < Georgio> as decline didn't work
12:07 < dazo> DROP or REJECT
12:07 < dazo> Georgio: but ... you are closing the firewall again?
12:07 < dazo> Georgio: did you run a test with it completely open?
12:08 < Georgio> postrouting says bad argument
12:09 < Georgio> i tried it with all the other options and still didn't work
12:09 < dazo> Georgio: ahh .... I see something is missing
12:09 < Georgio> okay
12:09 < dazo> sorry! iptables -t nat -P POSTROUTING ACCEPT
12:09 < dazo> forgot 'nat'
12:10 < Georgio> still no luck
12:10 < dazo> show me your cmd line
12:10 < Georgio> server cmd line?
12:10 < dazo> which fails ... or you meant connecting still failed?
12:11 < Georgio> connection still failing
12:11 < dazo> Georgio: okey ... please do iptables-save ... and pastebin the result
12:12 < Georgio> http://pastebin.com/d7f7bfe09
12:13 < dazo> please check that the port numbers are identical in server and client configs .... your fw is open now
12:13 < dazo> please check that IP addresses are correct as well
12:14 < Georgio> yes it's the same ports.
12:14 < Georgio> and the same ip addresses.
12:14 < dazo> and the remote statement is the ip address of the server?
12:14 < Georgio> yes
12:14 < dazo> Georgio: is openvpn running on bare metal or in a virtual machine?
12:15 < Georgio> bare metal
12:15 < dazo> okey ... time to dig up tcpdump
12:15 < dazo> install that if it's not available
12:15 < dazo> and run tcpdump -n -i
12:16 < dazo> and see if something happens here when you try to connect from the client
12:16 < Georgio> 19:31:59.658074 IP 192.168.1.98.1808 > 192.168.1.1.22: . ack 3713296 win 64351
12:16 < Georgio> 19:31:59.658081 IP 192.168.1.1.22 > 192.168.1.98.1808: P 3718184:3718412(228) ack 16485 win 18224
12:16 < Georgio> 19:31:59.658104 IP 192.168.1.1.22 > 192.168.1.98.1808: P 3718412:3718560(148) ack 16485 win 18224
12:17 < Georgio> that is the repetitive 3 line output
12:17 < dazo> .98 is your client .... and .22 is your server?
12:17 < Georgio> .98 is my client
12:17 < dazo> heh
12:17 < Georgio> .1 should be the server
12:17 < dazo> my fault
12:17 < dazo> tcpdump -n -i port ! 22
12:17 < dazo> you say ssh traffic
12:17 < dazo> saw
12:18 < Georgio> tcpdump -n -i eth0 port ! 22
12:18 < Georgio> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
12:18 < Georgio> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:18 < dazo> and complete silence?
12:18 < Georgio> 19:33:26.738078 IP 192.168.1.98.3620 > 192.168.1.1.1194: UDP, length 14
12:18 < Georgio> 19:33:26.738167 IP 192.168.1.1 > 192.168.1.98: ICMP 192.168.1.1 udp port 1194 unreachable, length 50
12:18 < Georgio> 19:33:28.772731 arp who-has 192.168.1.67 tell 192.168.1.5
12:19 < dazo> Georgio: is openvpn running on the server?
12:19 < dazo> silly question, I know ..... but need to be sure
12:19 < Georgio> no as it wasn't running as daemon
12:19 < Georgio> SORRY
12:19 < dazo> Georgio: it may run in a console .... that's fine ... as long as it's running
12:19 < Georgio> let me get it running and then check that output
12:20 < dazo> Georgio: it's just good to have it visible in another console now .... then you see if it connects or not
12:22 < Georgio> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
12:22 < Georgio> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
12:22 < Georgio> 19:37:16.966303 IP 192.168.1.98.3629 > 192.168.1.1.1194: UDP, length 14
12:22 < Georgio> 19:37:16.966365 IP 192.168.1.1 > 192.168.1.98: ICMP 192.168.1.1 udp port 1194 unreachable, length 50
12:23 < dazo> Georgio: I have no idea what's blocking you on your server .... but something is surely blocking you
12:23 < Georgio> right
12:23 < dazo> Georgio: you need to figure out what blocks you .... when that's done ..... you might see things working again
12:24 < Georgio> okay
12:24 < dazo> Georgio: or at least, when you get a connection through, we can play further with your config
12:24 < Georgio> okay
12:24 -!- afonso is now known as afonso|away
12:24 < Georgio> might you be on the forum tomorrow?
12:25 < dazo> Georgio: I might be .... but it's my working hours, so I might be more busy ... I have several meetings tomorrow .... but there are others here who might be helpful as well
12:25 < Georgio> thank you thank you thank you dazo
12:25 < Georgio> you are a legend...
12:25 < dazo> Georgio: you're welcome!
12:25 < dazo> Georgio: oh no .... far from that ;-)
12:26 < Georgio> i really appreciate all your help
12:26 < Georgio> if i could by you a beer i would
12:26 < Georgio> (b)
12:29 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit ["If at first you don't succeed, skydiving is not for you"]
12:32 < krzee> he wouldnt buy you one
12:32 < krzee> but he'ld by you one
12:32 < krzee> ;]
12:34 < dazo> heh .... maybe he saw his empty wallet :-P
12:36 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
12:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:56 < reiffert> moin
12:56 < reiffert> dazo: did you get c64's stuff running?
12:57 < dazo> reiffert: I withdrew from the discussion after mjt entered into it .... not sure how it ended
12:57 < reiffert> 15:38 < c64zottel> i guess its better to try i different machine, but i have to eat first...
12:57 < dazo> reiffert: didn't have time to check my logs, so I didn't see if Flumdahls experiences ..... oh ... good, probably a good attempt
12:59 < dazo> reiffert: it's pretty strange case ... tcpdump/tshark catches the packet in the interface ... but it never reached netfilter log .... so somewhere those packages got lost ....
13:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
13:23 -!- sunga [n=naft@77.109.122.179] has joined ##openvpn
13:23 < sunga> good evening
13:24 < ecrist> howdy
13:25 < sunga> a quick and simple question: I want to set up openvpn this evening but I cant afford to lose any wan connectivity nor reboot...is this possible?
13:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
13:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:41 < reiffert> dazo: well, he didnt tell us anything about where he actually is doing stuff, either on guest or host OS.
13:42 < dazo> reiffert: I got the impression it was inside a guest os ... but true, it was not explicit
13:45 < Bushmills> sunga, yes, possible
13:45 < sunga> ok then im going to take a shot
13:46 < Bushmills> sunga, stick to the howto, don't set up bridging config, and things should be fine
13:47 < sunga> im having the install menu right in front of menu
13:47 < sunga> of me*
13:47 * Bushmills can't remember any install menu
13:47 < sunga> I should select all things at the choose components window I presume?
13:47 < Bushmills> is that windows?
13:48 < sunga> like TAP virtual adaptor etc
13:48 < Bushmills> no tap. tun you want
13:48 < Bushmills> but if you install on windows, my suggestions may be ill-advised
13:49 < sunga> it is windows yes
13:49 * Bushmills knows about windows about as much as an Inuit of sun screen factor
13:49 < sunga> hahaha
13:49 < sunga> ok then ill get to the howto
13:49 < sunga> !howto
13:49 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:50 < sunga> it doesnt say anything about that adaptor
13:50 < sunga> but I think a virtual one is quite handy for e.g. firewalling purposes
13:50 < sunga> so Ill just select all and carry one
13:50 < sunga> on
13:51 < mjt> where by default configs stored on windows? ProgramFiles\OpenVPN\{...} -- what's in {...} ?
13:54 < sunga> btw Bushmills I should use routing instead of bridging? I dont need to share samba over vpn
13:54 < sunga> nor play games or so
13:54 < Bushmills> sunga, yes, routing, definitely
13:54 < ecrist> mjt: what are you talking about?
13:55 < mjt> about location of configs?
13:56 < sunga> ok thanks
13:56 < sunga> seems like the installer is hanging or so :/
13:57 < ecrist> mjt: configs
13:57 < ecrist> or just config, can't remember
13:58 < mjt> got it. OpenVPN\config\
13:58 < mjt> i don't have windows handy and am writing a small instruction for my colleague
14:05 < reiffert> Bushmills: no tun on windows.
14:05 < reiffert> Bushmills: tap adapter handles it on win
14:06 < reiffert> Bushmills: I was just licking at one of my fingers ...
14:07 < reiffert> Bushmills: 10 minutes before I was using them to handle a bunch of dry chilis for making chili powder...
14:07 < reiffert> Bushmills: yam yam
14:07 < Bushmills> try to stick it in your nose :)
14:08 < sunga> ok tried again openvpn is nog installed
14:08 < Bushmills> greek chilies?
14:08 < sunga> lets continue with reading the howto
14:08 < reiffert> Bushmills: I now _know_ what your father meant by "dont open the powder-maker inside a room"
14:09 < Bushmills> hehe
14:09 < reiffert> Bushmills: My nose already is free now
14:09 < reiffert> yeah, the greek chilies from croatia
14:09 < Bushmills> how do they compare in terms of spicyness to the powdered ones you had before?
14:10 < reiffert> the bigger ones all were containing mold, the smaller ones have been ok
14:10 < reiffert> Very spicy I guess from licking my fingers, but I didnt try them yet..
14:11 < Bushmills> try to dry the bigger ones in a dehydrator next time
14:11 < reiffert> Mildew
14:11 < reiffert> yeah, window-bar or something .. next time
14:12 < Bushmills> in two years there'll probably be weapons-grade ground chili
14:13 < reiffert> :)
14:13 < reiffert> Might be effective on close distance combats, like streets and houses
14:14 < Bushmills> when the postpones dorset naga came through
14:14 < Bushmills> postponed
14:14 < Bushmills> and i know who has such a dehydrator... the same folks there the spice grinder came from.
14:14 < Bushmills> where ..
14:15 < reiffert> dorset naga?
14:15 < sunga> ok after install I think the first thing that I should do is setting up the PKI?
14:15 < sunga> as in, generating certificates
14:15 < reiffert> ah
14:15 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: xor|, krzee, pa, huslu_, damentz, Solver, worch, stephenh
14:15 < reiffert> sunga: when the howto says so .. yes
14:15 < Bushmills> rumoured to be originally developed by thai army
14:15 < reiffert> if not, then continue whatever the howto proposes
14:16 -!- Netsplit over, joins: krzee, huslu_, Solver, damentz, stephenh, xor|, pa, worch
14:16 < reiffert> http://reallycoolseeds.co.uk/shop/catalog/product_info.php?products_id=29&osCsid=a956dd2abb165611a090d1bf18dbd660
14:16 < vpnHelper> Title: Really Cool Seeds (at reallycoolseeds.co.uk)
14:16 < reiffert> Approx number of seed per pack: 20
14:16 < reiffert> 6 Pound
14:17 < reiffert> ritish
14:17 < sunga> ok reiffert
14:17 < Bushmills> seen them for about 4 quid (around 5 E)
14:20 < Bushmills> i suppose the advice then will not be "don't open grinder in room" but "don't open it in the same town" :D
14:22 < reiffert> hehe
14:22 < reiffert> wear a mask
14:25 < reiffert> 21:24 [freenode] freenode-connect [freenode@freenode/bot/connect] requested CTCP VERSION from reiffert:
14:25 < reiffert> ?
14:25 < reiffert> did I say FBI triggerable words?
14:25 < reiffert> Like C4, Bomb, Clinton?
14:29 -!- afonso|away is now known as afonso
14:30 < reiffert> What do you think about the german big mobile phone provider's thought of preventing VOIP and Skype for Mobile Internet Connections?
14:30 < reiffert> T-Online that is
14:30 < sunga> sucks
14:30 < sunga> but makes sense for them
14:30 < sunga> its all about the profits
14:32 < reiffert> It's preventing technical progress I think.
14:35 < Bushmills> try one of these: http://forthfreak.net/echelon
14:35 < Bushmills> though it might need some updating
14:36 < Bushmills> doesn't even mention "Osama"
14:37 < reiffert> I'd add M4.
14:37 < reiffert> the M16 is somewhat old
14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:44 -!- znh [n=hans@unaffiliated/znh] has joined ##openvpn
14:44 < znh> Good day!
14:45 < znh> I successfully managed to get an OpenVPN server up and running. I however accidentally lost the client's key. how does one generate a client certificate and private key?
14:56 < sunga> should be in the howto
14:56 < sunga> !howto
14:56 < vpnHelper> sunga: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:58 < znh> Yes but this howto assumes to follow all steps
14:58 < znh> I copied the keys to different directories.. so the howto doesn't match no more
15:00 < mjt> so correct the howto to match your config
15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
15:13 < ecrist> bitches ain't shit but hos and tricks, so lick on these nuts and suck a dick. get the fuck out after you're done...
15:14 < reiffert> "hos and tricks"?
15:15 -!- afonso is now known as afonso|away
15:17 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:22 < Bushmills> znh, what did you learn from that experience?
15:23 < znh> The hos and tricks experience? Well.. It was awesome
15:23 < Bushmills> the "accidentally losing things" experience
15:23 < znh> It sucked. Why?
15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:24 < Bushmills> znh, some learn that it may be beneficial to take steps which help to prevent those accidents
15:24 < znh> that's a nice way of putting that
15:26 < znh> Actually I took measurements to avoid that situation. They however, failed.
15:26 < Bushmills> well, nobody is perfect.
15:26 < znh> I disagree.
15:26 < Bushmills> here's your chance to try again
15:27 < znh> Certainly.
15:36 -!- afonso|away is now known as afonso
16:04 -!- znh [n=hans@unaffiliated/znh] has quit [Remote closed the connection]
16:13 < ecrist> reiffert: http://www.azlyrics.com/lyrics/drdre/bitchesaintshit.html
16:13 < vpnHelper> Title: DR DRE LYRICS - Bitches Ain't Shit (at www.azlyrics.com)
17:03 < Bushmills> mask
17:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
17:44 < ecrist> what?
19:11 -!- afonso is now known as afonso|away
19:30 -!- afonso|away is now known as afonso
20:02 < krzie> bleh
20:03 < krzie> my laptop socks app musta crashed
20:11 -!- belZe [i=noone@p5091CCF4.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
20:11 -!- belZe [i=noone@p5091CC0A.dip.t-dialin.net] has joined ##openvpn
20:46 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
20:48 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
21:15 -!- afonso [n=afonso@bl7-96-151.dsl.telepac.pt] has quit []
21:21 < onats1> howdy
21:21 * onats1 is still dizzy
21:25 < krzie> wassup
21:25 < krzie> why dizzy?
21:35 < onats1> too much to drink:|
21:36 < krzie> haha
21:46 < dan__t> Hi.
21:46 < krzie> doesnt anyone need help? im bored
21:46 < dan__t> I do.
21:46 < dan__t> You familiar with openssl.cnf?
21:46 < krzie> lol that was easy
21:46 < krzie> not overly, but somewhat
21:47 < krzie> whats your question?
21:47 < dan__t> As I understand, you need to reference it when using the openssl utility, right?
21:47 < krzie> if its not where expected...
21:47 < dan__t> so I set values in openssl.conf, yet I'm prompted for those values when using the openssl utility.
21:47 < dan__t> I'm expecting to see like a "provided" keyword or something.
21:48 < krzie> when prompted are they the default (shown to you when prompted)?
21:48 < onats1> krzie, me, i need help
21:49 < dan__t> Yes, they are the values which I have defined through env vars.
21:49 < onats1> do you have a sample file for ifconfig-pool-persist
21:49 < onats1> ?
21:49 < krzie> onats1, openvpn makes that file itself
21:49 < krzie> !ipp
21:49 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
21:49 < krzie> dan__t thats what should be
21:50 < dan__t> I don't want to be prompted for it.
21:50 < krzie> dan__t, is something not working as expected?
21:50 < krzie> oh you building an automated tool?
21:50 < dan__t> It's working as expected. I simply don't want to be prompted for these values, when the defaults are clearly correct and present.
21:50 < dan__t> Well, thinking about it.
21:51 < onats1> !iporder
21:51 < vpnHelper> onats1: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
21:51 < onats1> !static
21:51 < vpnHelper> onats1: "static" is use --ifconfig-push in a ccd entry for a static ip for the vpn client
21:51 < krzie> dan__t, im not sure how to turn that off
21:52 < dan__t> Ok, so, when you asked if I had a question, that was it.
21:53 < krzie> i just looked in openssl manpage and it doesnt have like --silent or anything
21:53 < dan__t> Yeah, I didn't see that either.
21:57 < krzie> but that manpage doesnt even contain the string config
21:57 < krzie> so theres gotta be better docs
21:57 < dan__t> prompt = no
21:57 < dan__t> per openssl.cnf
21:57 < dan__t> I believe...
21:57 < dan__t> The manpage is pretty shitty.
21:57 < dan__t> it references all the sub-commands as individual man pages.
21:59 < krzie> ya prompt=no
21:59 < krzie> http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html
21:59 < vpnHelper> Title: Re: Automating Openssl commands (at www.mail-archive.com)
22:00 < dan__t> its part of 'man req'
22:00 < krzie> weak
22:00 < krzie> should be a single, but large, comprehensive manpage
22:00 < krzie> imho
22:00 < dan__t> indeed.
22:04 < dan__t> 4691:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:a_mbstr.c:154:maxsize=2
22:04 < dan__t> Bullshit.
22:04 < dan__t> KEY_COUNTRY is two characters long.
22:05 < krzie> aye
22:06 < krzie> everytime i tried to use USA i was reminded of that
22:06 < dan__t> I'm using "US"
22:06 < krzie> btw you ever check out ssl-admin?
22:06 < krzie> its pretty lazy
22:06 < krzie> and will package up your client stuff into a zip for ya
22:06 < dan__t> no, i'll check it out
22:07 < krzie> (assuming you gave it a sample openvpn config)
22:07 < krzie> !ssl-admin
22:07 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
22:07 < krzie> coded by ecrist =]
22:08 < krzie> !learn static as also see !ccd
22:08 < vpnHelper> krzie: Joo got it.
22:09 < dan__t> haha god damnit
22:09 < dan__t> then why the f am i wasting my time on this.
22:09 < dan__t> that's exactly what i was looking for like two weeks ago.
22:09 < krzie> !learn quietopenssl as see http://www.mail-archive.com/openssl-users@openssl.org/msg31052.html and read 'man req' to see how to make openssl not prompt you
22:09 < vpnHelper> krzie: Joo got it.
22:10 < krzie> !learn quietopenssl as also see !ssl-admin for a sweet tool for managing your certs
22:10 < vpnHelper> krzie: Joo got it.
22:10 < krzie> hehe glad to help =]
22:11 < onats1> hey what's this?!?!
22:11 < onats1> certificate management?
22:13 < krzie> yup
22:13 < krzie> !ssl-admin
22:13 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
22:19 < dan__t> thank yo
22:19 < dan__t> you
22:19 < dan__t> so the CRL URI/URL, i can just serve that up unprotected, right
22:19 < krzie> yup
22:19 < krzie> doesnt matter who sees it in my opinion
22:20 < krzie> all they could know is which certs cant connect
22:20 < dan__t> yeah.
22:24 < dan__t> Man what a bad-ass utility.
22:24 < dan__t> That's perfect.
22:24 < krzie> i agree
22:24 < krzie> hey does it build dh keys good for you?
22:24 < dan__t> hmmm
22:25 < dan__t> yeah there's an option
22:25 < dan__t> I don't quite understand the significance of the DH params
22:25 < krzie> right, use it pls
22:25 < dan__t> Can you elaborate?
22:25 < krzie> !dh
22:25 < vpnHelper> krzie: Error: "dh" is not a valid command.
22:25 < krzie> hrms
22:25 < krzie> basically its a random seed
22:25 < krzie> !security
22:25 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
22:25 < dan__t> yeah
22:25 < krzie> 1sec
22:25 < dan__t> sure.
22:26 < krzie> oh hey does ssl-admin offer to build a TLS static key?
22:27 < dan__t> not that far yet.
22:27 < krzie> i wanna find a simple explanation
22:27 < krzie> for my bot
22:39 < krzie> !learn dh as build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
22:39 < vpnHelper> krzie: Joo got it.
22:48 < krzie> there ya go
22:48 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit [Remote closed the connection]
22:51 < krzie> that simple but effective as an answer?
22:54 < krzie> damn now i see why so many people think they want bridging
22:54 < krzie> all walkthroughs seem to have briding
22:54 < krzie> bridging
22:56 < krzie> welp, ill bbl =]
22:56 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn
22:56 < lolipop> !route
22:56 < vpnHelper> lolipop: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:00 < dan__t> hrm, wondering if there's a way to throw command-line arguments at ssl-admin
23:00 < dan__t> ecrist, thank you, bw.
23:00 < dan__t> btw, too.
23:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
23:59 -!- Skered [n=dereks@c-71-60-49-148.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Tue Mar 31 2009
00:19 < dan__t> Hi.
00:47 -!- onats1 is now known as onats
00:47 < onats> Hi
00:48 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
01:10 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:31 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
01:42 -!- Skered [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:37 < kraut> moin
02:51 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:52 -!- Skered [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [SendQ exceeded]
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has joined ##openvpn
02:52 -!- Skered_ [n=dereks@c-71-60-63-159.hsd1.pa.comcast.net] has quit [Remote closed the connection]
03:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:12 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has joined ##openvpn
03:43 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
03:51 -!- nemysis [n=nemysis@226-12.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:52 -!- nemysis [n=nemysis@61-28.107-92.cust.bluewin.ch] has joined ##openvpn
04:37 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn
04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:41 < Georgio> Hello all. Could someone please help me. I have an internal server that has all our work files, etc. we are running a samba server, as all the other office machines run off windows (i know, boo). I want to get openvpn to tunnel from our public ip 41.240.0.0 to our internal server ip 192.168.1.1. How do i do this?
04:43 < dazo> Georgio: have a look at !route
04:43 < dazo> !route
04:43 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:44 < reiffert> did anyone play with http://labs.mozilla.com/projects/ubiquity/ yet?
04:44 < vpnHelper> Title: Mozilla Labs Ubiquity (at labs.mozilla.com)
04:46 < Georgio> anyone :-)
04:48 < Georgio> in the config file?
04:52 < dazo> reiffert: that looks neat!
05:00 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
05:14 < onats> what is this? in a nutshell?
05:16 -!- dli__ [n=dli@adsl-75-22-17-129.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"]
05:18 < Georgio> dazo i'm so lost with that document
05:18 < dazo> Georgio: hmmm .... where do you get lost?
05:20 < Georgio> the server on the lan has an ip of 192.168.1.1. The public ip is 41.240.0.0
05:22 < dazo> Georgio: how is your knowledge about basic network routing?
05:26 < dazo> Georgio: I'm headed out for lunch now .... but if you do not know too much about network routing ... this link gives an introduction to that: http://www.scribd.com/doc/10245818/Networking-Tutorial-TCPIP-Over-Ethernet
05:26 < vpnHelper> Title: Networking Tutorial - TCPIP Over Ethernet - Internet & Technology, Research, and networking tcp ip ethernet router mac address cidr (at www.scribd.com)
05:26 < dazo> Georgio: and in your network setup .... you need to play with the route parameter
05:27 < Georgio> wow where to start
05:28 < Georgio> okay thanks
05:43 -!- Sinky_ [n=stancho@78.90.99.168] has joined ##openvpn
05:43 < Sinky_> Hi guys
05:43 -!- c64zottel [n=hans@cust.static.84-253-61-21.cybernet.ch] has left ##openvpn []
05:44 < Sinky_> Are there any statistics about the maximum users that can connect with openvpn to server (1 ghz, 256 DDR2) ? About the PC overload and so on ?
05:52 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"]
06:14 < _jack--> vpnHelper: i have some trouble in routing...I have installed openvpn server in my linux machine..this machine is also web server...all things are working. i can access other computers in openvpn server network from client....But the problem is that i can't access the web server..
06:14 < vpnHelper> _jack--: Error: "i" is not a valid command.
06:15 < _jack--> vpnHelper: i have some trouble in routing...I have installed openvpn server in my linux machine..this machine is also web server...all things are working. other computers in openvpn server network from client are accessible....But the problem is that can't access the web server..
06:15 < vpnHelper> _jack--: Error: "i" is not a valid command.
06:15 < _jack--> vpnHelper: have some trouble in routing...we have installed openvpn server in my linux machine..this machine is also web server...all things are working. other computers in openvpn server network from client are accessible....But the problem is that can't access the web server..
06:15 < vpnHelper> _jack--: Error: "have" is not a valid command.
06:20 -!- Georgio_ [n=IceChat7@41.4.171.182] has joined ##openvpn
06:25 -!- Georgio_ [n=IceChat7@41.4.171.182] has quit [Read error: 104 (Connection reset by peer)]
06:25 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has joined ##openvpn
06:37 -!- Georgio [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has quit [Read error: 113 (No route to host)]
07:01 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:02 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:03 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:06 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:12 -!- _jack-- [n=kaushal@202.79.41.215] has left ##openvpn ["Leaving"]
07:12 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
07:17 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:17 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:23 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 54 (Connection reset by peer)]
07:24 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:29 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:33 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:33 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn
07:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
07:47 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:48 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"]
07:48 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 131 (Connection reset by peer)]
07:49 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:52 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
07:54 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
07:55 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:00 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 54 (Connection reset by peer)]
08:03 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:05 -!- paruchuri [n=paruchur@61.16.248.242] has quit [Read error: 104 (Connection reset by peer)]
08:25 -!- paruchuri [n=paruchur@61.16.248.242] has joined ##openvpn
08:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
08:44 -!- Georgio_ [n=IceChat7@dsl-240-15-156.telkomadsl.co.za] has left ##openvpn []
08:53 < onats_> WASSUPER!
08:53 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
08:53 -!- onats_ is now known as onats
08:54 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
08:55 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
08:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:05 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:21 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
09:24 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn
09:25 < vlt> Hello. Any idea how to examine the certificate of a remote OpenVPN server?
09:29 < dazo> vlt: have a look at --tls-verify ... works for sure on server, but should work on client as well
09:31 < dazo> vlt: or if you want to do the validation in C ... the info is also available when writing a plug-in and using the --plugin option
09:34 < vlt> dazo: Is "--tls-verify" an openssl or ovpn option?
09:34 < dazo> vlt: openvpn
09:35 < dazo> vlt: it will provide you with some info from the certificate which you then can use for controls .... unfortunately certificate digest is not one of the parameters .... but I have a patch for openvpn which provides that as well
09:36 < vlt> dazo: hmmm ... I'll try to explain. There's a remote ovpn server listening on 1194 but I don't know anything about it. I want it to tell me the SSL cert data. Can I use --tls-verify then?
09:36 < dazo> vlt: yes, but you need to write a script which do the verification based on the info you receive
09:39 < vlt> dazo: Something like `openvpn --tls-verify ` doesn't work. It expects a whole bunch of further options like --dev ...
09:39 < vlt> dazo: Can I find a docu somewhere?
09:40 < reiffert> 5su
09:40 < dazo> vlt: you'll need to dig up some docs on the plug-in interface .... I'm in a meeting now, but I'll have a look when it's over
09:45 < ecrist> morning, bitches
09:54 < onats> morning slut
09:54 -!- NaomiCruz [n=chatzill@user-0ccejib.cable.mindspring.com] has joined ##openvpn
09:55 -!- NaomiCruz [n=chatzill@user-0ccejib.cable.mindspring.com] has left ##openvpn []
10:33 -!- mRCUTEO [n=IRCLUNAT@124.13.93.105] has joined ##openvpn
10:39 -!- mRCUTEO [n=IRCLUNAT@124.13.93.105] has quit []
11:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:59 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 113 (No route to host)]
12:08 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
12:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:56 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
12:56 < Optic> hello... I have a system with a broken RTC. Is it possible to get openvpn to ignore the dates on the SSL/TLS certificate files?
12:57 < Optic> system always boots up in 1999 and the keys aren't valid yet :(
12:58 < dazo> Optic: why not run ntpdate on boot ... and the ntpd? ... then your clocks should be fine .... it's not that difficult to setup, and then you have solved your real issue
12:59 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
12:59 < Optic> dazo: yes, i'm going to be trying that. Will openvpn magically pick up the new date and connect, or do I have to restart it when the clock gets set?
13:00 < Optic> ah, openvpn handles it fine once the clock is set
13:00 < dazo> Optic: openvpn uses gettimeofday() or something similar to catch the clock .... so openvpn uses whatever system time you have present at that point
13:00 < dazo> (gettimeofday() == system call / os call)
13:01 * dazo need to run
13:01 < Optic> thanks!
13:40 -!- j3g [n=andrer@200.130.18.1] has quit ["Thanks folks!"]
13:55 < ikla> whats the default mtu setting for openvpn server?
14:05 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
14:06 < tsunami> is it possible to link the gui to the server. i.e. when you shut the gui down you stop the service
14:06 < tsunami> !howto
14:06 < vpnHelper> tsunami: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:06 < tsunami> !configs
14:06 < vpnHelper> tsunami: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:09 < ecrist> tsunami: not that I'm aware
14:10 < tsunami> our challenge here is allowing our users (who are users on the system) to enable and disable the vpn connection
14:10 < ecrist> just run it as a service, sans GUI
14:11 < ecrist> open up the services window and start/stop the service
14:12 < tsunami> we're worried about the service being left on for prolonged periods of time
14:12 < tsunami> in the background
14:16 -!- bandini [n=bandini@host53-107-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
14:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
14:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:26 < ecrist> tsunami: so what if it is?
14:29 < tsunami> security
14:31 < ecrist> heh, not really.
14:35 < krzie> lol 14:36 < krzie> just dont bridge and theres no added security risk 14:36 < krzie> and use a tls static key for HMAC 14:36 < krzie> !hmac 14:36 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 14:36 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:40 < krzie> the server could kill itself when the client disconnects, but you have no way of restarting it when another client wants to reconnect 14:40 < tsunami> in the config file how do you add directories with spaces in them? 14:40 < krzie> my guess would be with "'s 14:41 < krzie> but im 99% sure the example in the howto (aka the sample config has an example with a windows dir with spaces) 14:41 < krzie> err, (aka the sample config) 14:41 < krzie> !howto 14:41 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:42 -!- c64zotte1 [n=hans@p5B17B098.dip0.t-ipconnect.de] has joined ##openvpn 14:42 < krzie> # "C:\\Program Files\\OpenVPN\\config\\foo.key" # 14:43 -!- c64zotte1 [n=hans@p5B17B098.dip0.t-ipconnect.de] has quit [Client Quit] 15:57 -!- tsunami [n=tsunami@64.119.141.126] has quit [] 15:59 < ikla> krzie, switching to udp on the tunnel fixed that issue I had with packets coming up short 16:00 < krzie> =] 16:02 < ikla> can I set it up for udp and tcp in the config? 16:02 < krzie> no, but you can run 2 servers 16:02 < ikla> same machine just different config file 16:03 < krzie> yup 16:04 < ikla> with udp I was having packet loss issues with large file transfers 16:05 < krzie> you tried mtu-test? 
16:05 < ikla> no 16:08 < ikla> figures out the largest packet size in both directions? 16:09 < krzie> right 16:09 < krzie> finds best mtu for the connection 16:13 < ikla> you seen that help with packet loss? 16:13 < ikla> on a udp tun 16:22 -!- Borf [n=Borf@5ED293EA.cable.ziggo.nl] has joined ##openvpn 16:23 < Borf> !logs 16:23 < vpnHelper> Borf: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:23 < krzie> whats up 16:25 < Borf> I'm having some problems setting up openvpn xD 16:25 < krzie> i might need more detail 16:26 < Borf> I've got a dedicated server in a datacenter, and I want to use it to create a virtual network, in a same way hamachi sets up one 16:26 < krzie> i dont use hamachi, whats your goal 16:26 < Borf> things work ok when I connect, things work ok when someone else connects, things don't work when we both connect at the same time 16:26 < krzie> !configs 16:26 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:27 < Borf> my goal is to make a 10.7.0.x network routed through that dedicated server 16:28 < Borf> server (linux) http://test.exnw.com/game.txt , client (win32) http://dump.borf.info/game.txt 16:28 < Borf> as soon as that other person connects, my connection gets kicked out 16:29 < krzie> !ipp 16:29 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 16:30 < krzie> switch to dev tun 16:30 < Borf> that's all ? 
16:31 < krzie> you dont need tls-client, but should uncomment tls-auth 16:31 < krzie> the 1 tells the client it is the client and 0 tells server its the server 16:31 < krzie> (for tls) 16:31 < krzie> now... 16:31 < krzie> im gunna guess your other client is using the same cert 16:32 < krzie> and thats prolly the cause of the problem you are having 16:32 < krzie> the other stuff is just things i caught that you should fix 16:32 < Borf> nope he isn't 16:32 < krzie> also, you could add a little security by using dh 16:32 < krzie> !dh 16:32 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 16:33 < krzie> so the client has a different common-name than your client? 16:33 < krzie> lemme rephrase, 16:33 < krzie> NO 2 machines have the same common-name in their certs...? 16:34 < Borf> nope 16:34 < krzie> !logs 16:34 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 16:34 < krzie> also, after the first client is done connecting, connect the second 16:34 < krzie> then send me all 3 16:34 < Borf> hmm I have to go for a couple of minutes, be right back 16:36 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 16:42 < Borf> ok back 16:42 * Borf starts configuring 16:44 < krzie> you read !ipp right? 16:47 * ecrist needs to find a graphics person 16:47 < krzie> for business or fun? 
16:47 < krzie> i know a guy locally with mad skills, im sure he'ld be cheap if its for biz (aka willing to pay) 16:47 < krzie> plus we could just make it cancel colo costs and i pay him locally when you're happy with it 16:48 < js_> ditto 16:58 < ecrist> krzie: it's for my bbthe.me website 16:59 < krzie> ahh 16:59 < ecrist> I'm alright at the backend coding, but the graphical gooeyness is not my thing 16:59 < ecrist> not a business venture. 16:59 < ecrist> speaking of your server, when are you wanting that turned back on? 16:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:59 < krzie> well my guy is a straight up artist, but hes so busy with school i couldnt bring him something unless i offered him something in return 16:59 < krzie> but im sure someone will come through here 17:00 < krzie> toss it on topic maybe someone will bite 17:00 < ecrist> ah, no worries. I'll find someone to help on crackberry 17:00 < krzie> ahh good point 17:00 < krzie> should be real soon 17:00 < krzie> its been 1 hassle after another 17:00 < krzie> im sending back 3 seagate 1.5TB drives for RMA right now 17:01 < krzie> my inet got cut off cause i never got a bill in like 7 months 17:01 < krzie> so i got a huuuge bill the other day, 27th 17:01 < krzie> sent in a few hundred USD, told them ild pay the rest today 17:01 < krzie> they cut it off yesterday 17:01 < krzie> fuckers 17:01 < krzie> i guess they expect me to guess what the bill is and send it in or something 17:02 < ecrist> lol 17:02 < ecrist> I hate that. 17:02 < krzie> no kidding 17:03 < krzie> so i changed banks when i was in usa 17:03 < krzie> BofA was charging me monthly 17:03 < krzie> wamu doesnt 17:03 < krzie> well after that i renewed my skype account 17:03 < krzie> got shut off for fraud cause paypal tried to use my bank 17:03 < krzie> (totally forgot) 17:04 < krzie> so now im verifying my bank with paypal, then gunna get skype back on 17:04 < krzie> lol 17:04 < krzie> fun stuff man! 
17:04 < ecrist> sounds like it 17:04 < krzie> (paypal also had my cc on file, coulda just used that) 17:05 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["Always try to be modest, and be proud about it!"] 17:19 < Borf> krzie: I think I found the problem..I had the wrong certificate / key in the server.... 17:19 < Borf> can't test it properly right now, but I think it's working properly now :) 17:19 < Borf> anyway, another day tomorrow...g'night 17:19 < krzie> nite 17:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection timed out] 17:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:58 -!- gebi_ [n=gebi@84-119-43-219.dynamic.xdsl-line.inode.at] has joined ##openvpn 18:08 -!- gebi_ [n=gebi@84-119-43-219.dynamic.xdsl-line.inode.at] has quit [Read error: 145 (Connection timed out)] 18:08 < ikla> krzie, does mtu-test set the mtu or do I need mtu-disc also? 18:09 < krzie> !mtu 18:09 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 18:09 < krzie> see the manual for detailed explanation 18:09 < krzie> !man 18:09 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:09 -!- gebi [n=gebi@84-119-57-55.dynamic.xdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)] 18:10 -!- gebi [n=gebi@84-119-57-210.dynamic.xdsl-line.inode.at] has joined ##openvpn 18:11 * ecrist revels in his sed wonderfulness.
18:12 < ikla> si 18:12 < krzie> <3 sed 18:15 < ecrist> sed -i '' -e 's%^MIDlet-Description:.*%MIDlet-Description: Hosted at http://bbthe.me for free!%' \ 18:15 < ecrist> -e "s%^MIDlet-Vendor:.*%MIDlet-Vendor: $2%" \ 18:15 < ecrist> -e "s%^RIM-COD-Module-Name:.*%RIM-COD-Module-Name: $3%" -e "s%^MIDlet-Name:.*%MIDlet-Name: $3%" \ 18:15 < ecrist> -e "/RIM-COD-URL/s% com_% /$DIR/com_%g" $TMPFILE 18:15 < vpnHelper> Title: BBThe.me: Home (at bbthe.me) 18:16 < ecrist> pretty simple, really, but allows me to edit a JAD for deployment with one command and a few options. ;) 18:16 < ecrist> I hope PHP can do all that. 18:16 < ecrist> http://www.secure-computing.net/wiki/index.php/Sed 18:16 < vpnHelper> Title: Sed - Secure Computing Wiki (at www.secure-computing.net) 18:59 < ecrist> muahahah 18:59 < ecrist> I've gotta brush up on some perl, but I think I've figured out how to extract some images from RIMs COD binary. 19:15 < krzie> extortion? 19:15 < krzie> "get out of that binary or ill whack ya over the head with a large trout!" 19:17 < ecrist> is there a good byte editor for freebsd? 19:17 < ecrist> ah, bed 19:49 < ikla> if you don't specify an mtu setting in the config what does it default to? 20:09 < dan__t> hi 20:09 * dan__t stabs krzie 20:15 * ecrist stabs dan__t 20:20 < krzie> ikla 20:20 < krzie> !man 20:20 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:23 -!- belZe [i=noone@p5091CC0A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:23 -!- belZe [i=noone@p5091C908.dip.t-dialin.net] has joined ##openvpn 20:23 < dan__t> :/ 20:49 * ecrist begins writing a perl script to extract PNGs from binaries 20:56 < ecrist> woot, that was fast 21:01 < dan__t> ecrist, you rock. 21:02 < dan__t> ssl-admin is my new best friend. 21:04 < dan__t> any chance its oging to go to a single command-line style? 
21:04 < dan__t> ssl-admin --create-ca var1 var2 var3 etc etc 21:05 * krzie is willing to guess no 21:22 < ecrist> dan__t: I've got a few issues. 21:23 < ecrist> 1) ssl-admin needs a lot of work. it should be using the ssl perl libraries, but it's not, because I was lazy when I wrote it. 21:23 < ecrist> I'm probably not going to do anything till i get off my ass and do that. 21:23 < ecrist> 2) I've got a new pet project that's more fun right now. ;) 21:23 < ecrist> but, I would really like batch-mode and command line arguments for ssl-admin, for sure. 21:24 < ecrist> now, if someone were donating money to me to develop the application, I'd probably put more time into it. 21:24 < ecrist> the problem is, it works right now, and so it's a 'If it isn't broken, don't fix it,' thing. 21:25 < ecrist> well krzie, I can extract the PNGs out of the binary files now. ;) 21:26 < ecrist> theme developers are having mixed feelings. one side, AWESOME!, the other, hey, you shouldn't be able to get that out of the file. SADFACE 21:26 < ecrist> so, with some perl foo, a bit o' grep, and some ImageMagick fun, I can automagically figure out which file is the thumbnail. :D 21:26 < ecrist> sorry, I ramble on. 21:28 < krzie> hahaha sweet man 21:28 < krzie> time for me to detach for the night (unless the phone co actually turned my inet back on) 21:28 < krzie> which i highly doubt, nothing happens fast here... 21:29 < krzie> they didnt even send me a bill for like 7 months 21:32 < ecrist> krzie: quick story 21:33 < ecrist> after we talked about that earlier, I had the same thing happen. My business partner's EVDO card was turned off. I logged in to the site, our business account had reached its 'spending limit' because we hadn't paid a bill. Talked to customer service, haven't gotten a bill since December.
21:33 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn [] 21:34 < ecrist> I was told that when we signed up for online account access, we were automatically signed up for e-billing. Their invoices have been going to SPAM for three months. 21:34 < ecrist> grr 22:27 -!- vladi [n=vladi@cpe-75-80-161-192.san.res.rr.com] has joined ##openvpn 22:28 < vladi> hi, how can i specify the dev to use in the server conf? "dev vpn0" gives me an error "server-bridge directive only makes sense with --dev tap" 22:37 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 22:37 < onats1> !/30 22:37 < vpnHelper> onats1: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 22:37 < onats1> !topology 22:37 < vpnHelper> onats1: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 22:41 < dan__t> ecrist, I don't ask that in a "why doesn't application abc have feature xyz" manner. I completely understand what's involved, and certainly understand your viewpoint. 22:41 < dan__t> I know how it works, I promise :) --- Day changed Wed Apr 01 2009 00:15 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 00:26 -!- nemysis [n=nemysis@61-28.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 00:27 -!- nemysis [n=nemysis@245-199.3-85.cust.bluewin.ch] has joined ##openvpn 01:20 -!- _jack-- [n=kaushal@202.79.41.215] has quit [Read error: 113 (No route to host)] 01:26 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 01:45 -!- qwaza [n=dexter@gateway.geodesic.com] has joined ##openvpn 01:47 < qwaza> hi all, has anybody faced around 50% packet losses at random intervals with openvpn 2.1 ? 01:47 < dan__t> krzie, you up? 
01:47 < qwaza> or any clues as to how to deal with it? 01:48 < dan__t> tried testing with mtr? 01:48 < qwaza> nope 01:49 < qwaza> mtr is a tool right 01:49 < qwaza> i tried mssfix 1300, but that didn't fix it. can't use fragment size 01:51 < qwaza> dan__t, mtr is a graphical tool. can't use it on a firewall. alternatives? 01:51 < dan__t> No, its not. 01:51 < dan__t> Well, that one may be. 01:52 < qwaza> well, apt-get says it needs all sorts of libx libs 01:53 < qwaza> ok i'll get back with my config files pastebined 02:13 < reiffert> mtr got a curses frontend as well 02:14 < reiffert> However, !configs 02:14 < reiffert> !configs 02:14 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:26 < kraut> moin 02:31 < reiffert> moin 02:33 < qwaza> http://pastebin.com/d615c49dc Please have a look 02:33 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 02:33 < qwaza> i repeat, there is a steady 50% packet loss 02:34 < qwaza> mssfix of 1300 didn't help 02:41 < qwaza> any ideas? anyone? what can i do to resolve this? 02:55 < reiffert> remove from server.conf: line 10, 17,18,19,21,22 02:55 < reiffert> 25 02:55 < reiffert> from client conf: line 46 02:55 < reiffert> update both to 2.1rc15 02:57 < reiffert> How do you measure "packet loss"? 03:01 < qwaza> the packet loss was reported from ping 03:02 < reiffert> What are you planning to send over the tunnel, mostly tcp or udp data? 03:02 < qwaza> both 03:03 < qwaza> it is already functional and working 03:03 < qwaza> i'm basically troubleshooting the packet loss 03:03 < reiffert> icmp is a stateless protocol, so is the tunnel protocol udp. 03:03 < qwaza> yes 03:03 < qwaza> but why should i lose 50% of my icmp pings?
03:03 < reiffert> When you send 100MB of tcp payload over the udp tunnel, you won't lose a single byte. 03:04 < qwaza> dns queries timeout 03:04 < qwaza> over the vpn 03:04 < reiffert> change the tunnel protocol to tcp then. 03:04 < qwaza> i see 03:04 < reiffert> oh and btw 03:04 < reiffert> !factoids search mtu 03:04 < vpnHelper> reiffert: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 03:05 < qwaza> ok i'll do try that. unfortunately, this is a corporate vpn and the client configs are all not in my hands 03:05 < qwaza> so i can't really work with mtu, only mss which didn't workout 03:05 < qwaza> so, the only recourse is to switch to tcp? 03:06 < reiffert> 10:05 < qwaza> so i can't really work with mtu, only mss which didn't workout 03:06 < reiffert> why is that? 03:06 < qwaza> then i have to change the mtu of the client too, according to the man page 03:07 < reiffert> when you switch to tcp, you have to do as well. 03:07 < qwaza> yes :( 03:08 < qwaza> just wondering, how do the vast majority of vpns function over udp? 03:08 < qwaza> do they face packet loss too? doesn't that openvpn protocol handle the losses? 03:08 < reiffert> How many of those vast majority do you know personally? 03:09 < qwaza> three. doesn't openvpn usually run over udp? 03:09 < qwaza> i'm not complaining, just wonmdering 03:10 < qwaza> *wondering 03:10 < reiffert> start running the mtu test. results? 03:10 < qwaza> will get back with those 03:18 -!- qwaza [n=dexter@gateway.geodesic.com] has quit ["Leaving"] 03:22 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 60 (Operation timed out)] 03:24 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn 03:31 -!- _jack-- [n=kaushal@202.79.41.215] has joined ##openvpn 04:57 < _jack--> how to enable web access of openvpn installed linux machine?
04:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:01 < kaii> openvpn? web access? 05:07 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn 05:08 < _jack--> yeah.... 05:09 < _jack--> kaii: actually openvpn is installed in linux machine is working..also can accessible to other server in that network... 05:10 < _jack--> but the problem is that openvpn server is also web server..and can't access web from client 05:10 < lukask> Hi! I have a problem where I'm somewhat lost ... a vpn host-to-host, where on one side we have a dsl-line with a router and a vpn-host, on the other side is a "secure computing Sidewinder 5.2.x" router and firewall and behind that a vpn-host. The vpn worked nicely, but for a few days now packets >17000bytes just get dropped :/ 05:23 < lukask> Grmbl ... reducing the link-mtu to 1300 helped. darn borken internet. 06:01 -!- lukas__ [n=l@212.100.49.238.fixip.bitel.net] has joined ##openvpn 06:08 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, rdz, vlt, isox, ikla, Borf, l2trace99, onats1, krzie, kraut, (+50 more, use /NETSPLIT to show all of them) 06:08 -!- Netsplit over, joins: Flumdahl, lukas__, lukask, cpm, _jack--, boojit, floyd_n_milan, SuperEvilDeath14, nemysis, onats1 (+50 more) 06:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 06:16 -!- lukask [n=l@212.100.49.238.fixip.bitel.net] has quit [Read error: 110 (Connection timed out)] 06:47 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn 06:49 < achilles> hello, I'm using openvpn for site-to-site connectivity, it's good, but what if the internet disconnected for few minutes, is there a way to reconnect automatically ? 07:08 < ecrist> achilles: it's covered in the man page. iirc, it's --retry-infinite 07:16 -!- rdz [i=roman@195.176.254.176] has quit [Read error: 104 (Connection reset by peer)] 07:16 < achilles> ecrist, oh I looked at the man page ..
I didn't notice. thank you very much, I started to write my own cron-ed job to check connectivity I found this http://www.linuxquestions.org/questions/linux-networking-3/openvpn-does-not-reconnect-621097/ 07:16 < vpnHelper> Title: OpenVPN does not reconnect - LinuxQuestions.org (at www.linuxquestions.org) 07:17 < achilles> hehe .. that one! 07:33 < belZe> hello together 07:35 < belZe> @ecrist: finally some time to get back to my the-bridge-doesnt-want-to-learn-arp-coming-from-ovpn-client problem :) 07:46 < belZe> hey mjt, you remember my scenario? arp-replies arent propagated to tap0 somehow, i can see both - request and reply - on eth0 and br0 07:47 -!- lukas__ [n=l@212.100.49.238.fixip.bitel.net] has quit ["Ex-Chat"] 07:51 -!- arshavin [n=asd@host213-123-233-96.in-addr.btopenworld.com] has joined ##openvpn 07:52 < arshavin> Hey, does anyone know of a decent open vpn front end interface allowing for easy administration 07:52 < arshavin> like adding/removing users(certificates) etc... 07:52 < ecrist> arshavin: yes 07:52 < ecrist> !ssl-admin 07:52 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 07:59 -!- _jack-- [n=kaushal@202.79.41.215] has quit ["Leaving"] 07:59 < kala> ecrist: btw, I think I can update the client A and PTR record on the Windows DNS server. I still have to integrate the script to the actual OpenVPN server, but I hope its not too difficult 08:03 < arshavin> ecrist : thanks for that but I don't suppose there is a product commercial or otherwise that is a bit friendlier? I don't want to give that script (which looks fairly powerful) to a layuser 08:03 < arshavin> ecrist : especially if they have to ssh into a box first and run it 08:07 < ecrist> arshavin: no, there's nothing out there for 'layusers.'
08:07 < ecrist> If they can't handle running a menu-driven script over ssh, they probably shouldn't be administering your OpenVPN system. 08:08 < ecrist> now, OpenVPN folks are coming out with a commercial application soon to do what you're looking for, but it's not available yet, and I'm not certain on pricing. 08:08 < arshavin> Administration yes but the simple adding/removing of users for example 08:08 < ecrist> arshavin: that *is* administration 08:09 < ecrist> once the server is configured, adding/removing users is all that's left. 08:09 < ecrist> check out beta.openvpn.net 08:09 < ecrist> information on the app I mention 08:09 < arshavin> Yes but it doesn't take a genius to click new user and fill out a form :) so I'd love to find something like that 08:09 < arshavin> thanks 08:09 < ecrist> arshavin: did you try ssl-admin? 08:09 < ecrist> it's almost that easy 08:09 < ecrist> ssh 08:09 < ecrist> ./ssl-admin 08:10 < arshavin> I'm going to set that up on the current VPN box now as it will help me alot 08:10 < ecrist> user's given a menu. option '4' is one-step request/sign, fill out form, press 'z' to zip the package for a user. 08:10 < arshavin> but I'm the only IT guy in the company. even though we are mainly technically minded developers. 08:11 < ecrist> if you allow people to arbitrarily create certificates for themselves, your VPN is not secure. 08:11 < arshavin> "people" would be limited to some of the dev team managers 08:12 < arshavin> still it's about ease of use so yeah something pointy and clicky is where I'd like to be just to remove the burden from me :) 08:12 < arshavin> but I'll give ssl-admin a go now for myself 08:13 < ecrist> check out the site above, it's probably what you're looking for, when it's released. 
08:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:19 -!- achilles [n=achilles@82.205.120.165] has quit [Read error: 60 (Operation timed out)] 08:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:41 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 08:46 -!- SuperEvilDeath14 [n=death@212.206.209.177] has joined ##openvpn 08:49 -!- arshavin [n=asd@host213-123-233-96.in-addr.btopenworld.com] has quit [] 08:53 -!- achilles [n=achilles@mail.masrouji.com] has joined ##openvpn 09:12 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 09:19 -!- achilles [n=achilles@mail.masrouji.com] has quit [Read error: 113 (No route to host)] 09:20 -!- ecrist changed the topic of ##openvpn to: Canadian Mounty back-door discovered in OpenVPN versions going back to 0.83. 09:38 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has joined ##openvpn 09:38 -!- mode/##openvpn [+o SlashLife] by ChanServ 09:38 <@SlashLife> Uhh ... 
Oo 09:38 -!- mode/##openvpn [-o SlashLife] by SlashLife 09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 09:49 -!- mode/##openvpn [+o ThoMe] by ChanServ 09:49 <@ThoMe> servus 09:49 <@ThoMe> hello 09:49 < ecrist> hi 09:50 <@ThoMe> have an error on my server when i connect with my openvpn client (installed on my snom sip telefon) 09:50 <@ThoMe> "~" 09:50 <@ThoMe> telefon ) telephone 09:50 < ecrist> ok 09:50 < ecrist> !configs 09:50 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:51 < ecrist> !logs 09:51 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:51 <@ThoMe> "tls_process: killed expiring key" 09:56 -!- mode/##openvpn [+o ecrist] by ThoMe 09:56 -!- mode/##openvpn [-o ecrist] by ThoMe 09:58 <@ThoMe> ecrist: this is my config from my pc, works good: 09:58 <@ThoMe> http://paste.keks.be/430/txt 09:58 <@ThoMe> this is my config from my phone: http://paste.keks.be/429/txt with the error (killed expiring key) 10:02 < ecrist> ok, and logs? 10:02 <@ThoMe> ecrist: moment. sorry pls 10:03 <@ThoMe> ecrist: http://paste.keks.be/431/txt 10:03 <@ThoMe> ecrist: oh, now i see, my pc has also the problem 10:05 -!- mode/##openvpn [-o ThoMe] by ThoMe 10:05 < ThoMe> ecrist: can you help me? 10:08 < SlashLife> Mhh ... would it be possible to "chain" OpenVPN connections? 10:08 < ecrist> SlashLife: what do you mean? 10:08 < SlashLife> e.g. I'd first need to get into my universities VPN to be able to connect to the internet ... and then I'd need to through this VPN to my home VPN. 
10:08 < ecrist> ThoMe: hang on 10:09 < ThoMe> *hang* 10:09 < ecrist> SlashLife: the more you tunnel, the more fragmented packets get 10:09 < ecrist> you should be able to, but you may see performance problems. 10:10 < ecrist> ThoMe: 'killed expiring key' isn't an error, it's normal 10:11 < SlashLife> ecrist: Performance is not the issue. :) Could I lessen the severity of this effect by lowering my home VPNs MTU? 10:11 < ecrist> you could. use --test-mtu 10:11 < ecrist> !mtu 10:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 10:11 < SlashLife> Ah, thanks. 10:11 < ThoMe> ecrist: hm. when i call over 11 minutes then i have break over ~5 seconds. 10:11 < ThoMe> ecrist: hm. 10:12 < ThoMe> but only when i use openvpn. 10:12 < ThoMe> without i have not breaks. 10:12 < ecrist> ThoMe: read this for reference: http://openvpn.net/archive/openvpn-users/2007-07/msg00104.html 10:12 < vpnHelper> Title: Re: [Openvpn-users] TLS: tls_process, killed expiring key - What does this mean? (at openvpn.net) 10:12 < ThoMe> ecrist: and the breaks? you have an idea for this? 10:13 < ecrist> ThoMe: I can only guess about that. 10:14 < ecrist> my guess is low bandwidth or cpu power on the device 10:14 < ThoMe> mh ok 10:16 < ThoMe> ecrist: i must use "dev tap" on server AND client side? 10:16 < ThoMe> or i can use dev tap on my server and dev tun on my client?
10:17 < ecrist> they must match on both sides 10:17 < ecrist> if (server.config == tap); then (client.config == tap); fi 10:22 -!- fixxxermet [n=kjohnson@66.92.156.2] has joined ##openvpn 10:22 -!- mode/##openvpn [+o fixxxermet] by ChanServ 10:22 <@fixxxermet> hmm 10:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:23 -!- mode/##openvpn [+o rubydiamond] by ChanServ 10:25 <@fixxxermet> I've setup an openvpn server and a client along with the client-to-client option and the various push route options yet I am still unable to fully access each others lan. I can ping one or two machines on each lan from the other side, but that is it. 10:26 < ecrist> fixxxermet: did you setup iroutes? 10:26 <@fixxxermet> Yes, with the ccd 10:26 <@fixxxermet> pasting everything now 10:26 < ecrist> what about firewalls? 10:27 <@fixxxermet> Port 1194 udp is forwarded to both the server and the client 10:27 <@fixxxermet> http://pastebin.com/d58e0af5b be my info 10:28 < ecrist> right, but what about non-1194 traffic? 10:28 < ecrist> my guess is you're running into a firewall issue 10:29 <@fixxxermet> that would make sense 11:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:01 -!- mode/##openvpn [+o polaru] by ChanServ 11:03 -!- elventear [n=elventea@208.42.115.81] has joined ##openvpn 11:03 -!- mode/##openvpn [+o elventear] by ChanServ 11:03 -!- elventear [n=elventea@208.42.115.81] has left ##openvpn [] 11:28 < ThoMe> ecrist: emm 11:29 < ThoMe> ecrist: my client said: http://paste.keks.be/432/txt 11:29 < ThoMe> ecrist: client config: http://paste.keks.be/433/txt 11:30 < ThoMe> ecrist: server config: http://paste.keks.be/434 11:30 < ThoMe> ecrist: server log: http://paste.keks.be/435/txt 11:31 < ThoMe> can you help me? 11:42 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Read error: 110 (Connection timed out)] 11:43 < ThoMe> ecrist: huhu?
11:55 -!- sm01 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn 11:55 -!- mode/##openvpn [+o sm01] by ChanServ 11:56 <@sm01> I'm hosting an openvpn server at my linux server and I'm going to be using windows clients but I can't seem to understand if I should use tun or tap. What is your opinion? 12:06 < ecrist> sm01: tun, unless you have a specific reason to use tap 12:06 < ecrist> ThoMe: what's your issue? 12:07 < ecrist> I don't see anything in your logs, a few lines of regular stuff. 12:09 < ikla> anyone ever have issues with ssh sessions freezing through a udp tun? 12:09 <@sm01> ecrist: What would be a reason to choose tap then? 12:12 <@sm01> well I guess it is routing that is my need so I'll stick with tun then? 12:21 -!- sm01 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"] 12:23 < ecrist> ikla: no 12:23 < ecrist> unless there's a shoddy connection 12:40 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 13:08 -!- kyrix [n=ashley@91-115-26-112.adsl.highway.telekom.at] has joined ##openvpn 13:08 -!- mode/##openvpn [+o kyrix] by ChanServ 13:11 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 13:11 -!- mode/##openvpn [+o plaerzen] by ChanServ 13:11 <@plaerzen> hello irc :) long time. 13:22 < ecrist> hey plaerzen 13:23 <@plaerzen> We moved offices about a month ago so I've been supremely busy 13:35 < ecrist> moving offices can be fun. a break in the dullness of day-to-day 13:40 < Dougy[Office]> ecrist: i know 13:41 <@fixxxermet> If my server is on 192.168.0.47 and my client on 192.168.8.10, and I want every computer on each lan to have access to every other on the other lan (which client-to-client is for?), how does the "server" option relate to my setup?
13:46 -!- nemysis [n=nemysis@245-199.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
13:48 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has joined ##openvpn
13:48 -!- mode/##openvpn [+o JediMaster] by ChanServ
13:48 <@JediMaster> hey guys, I'm fairly new to openvpn, I've used tunneldigger to generate the openvpn config for both server and clients
13:49 * JediMaster wonders how he's got the @
13:51 -!- achilles [n=achilles@62.90.14.185] has joined ##openvpn
13:51 -!- mode/##openvpn [+o achilles] by ChanServ
13:51 <@JediMaster> ok, I can see when openvpn is running, on the client port 5000 is open
13:52 <@JediMaster> achilles: is everyone opped in this channel?
13:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:57 -!- reiffert [n=thomas@mail.webersheim.de] has left ##openvpn []
13:57 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
13:57 -!- mode/##openvpn [+o reiffert] by ChanServ
13:58 -!- mode/##openvpn [-ooo achilles fixxxermet JediMaster] by reiffert
13:58 -!- mode/##openvpn [-oo kyrix plaerzen] by reiffert
13:58 < plaerzen> awe
13:58 <@reiffert> ecrist: somethings going wrong here ...
13:58 <@reiffert> krzie: any idea?
14:02 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has left ##openvpn []
14:02 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has joined ##openvpn
14:02 -!- mode/##openvpn [+o JediMaster] by ChanServ
14:02 <@JediMaster> heh reiffert: what's with chanserv?
14:03 -!- mode/##openvpn [-o JediMaster] by JediMaster
14:04 <@reiffert> I have no idea.
14:04 < JediMaster> after several pages of debug, I'm getting: http://pastebin.com/d4a910687
14:04 < JediMaster> in my syslog
14:05 -!- mode/##openvpn [-o reiffert] by reiffert
14:06 -!- SlashLife [n=slashlif@port-92-195-163-82.dynamic.qsc.de] has joined ##openvpn
14:06 -!- mode/##openvpn [+o SlashLife] by ChanServ
14:06 < JediMaster> anyone got any idea why it's not connecting?
14:07 -!- mode/##openvpn [-o SlashLife] by SlashLife
14:11 -!- reiffert [n=thomas@mail.webersheim.de] has left ##openvpn []
14:11 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
14:11 -!- mode/##openvpn [+o reiffert] by ChanServ
14:11 -!- ecrist was kicked from ##openvpn by reiffert [nice joke on april the 1st, eh?]
--- Log closed Wed Apr 01 14:11:38 2009
--- Log opened Wed Apr 01 14:35:19 2009
14:35 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:35 -!- Irssi: ##openvpn: Total of 64 nicks [3 ops, 0 halfops, 0 voices, 61 normal]
14:35 -!- mode/##openvpn [+o ecrist] by ChanServ
14:35 -!- Irssi: Join to ##openvpn was synced in 1 secs
14:35 <@ecrist> heh
14:36 -!- mode/##openvpn [-o ecrist] by ecrist
14:37 < ecrist> reiffert: happy April Fool's Day!
15:04 -!- kyrix [n=ashley@91-115-26-112.adsl.highway.telekom.at] has quit ["Leaving"]
15:28 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
15:28 -!- mode/##openvpn [+o tsunami] by ChanServ
15:35 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Connection timed out]
15:40 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
15:40 -!- mode/##openvpn [+o disco-] by ChanServ
16:03 -!- fixxxermet [n=kjohnson@66.92.156.2] has left ##openvpn []
16:19 -!- ecrist changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
16:19 -!- Irssi: ##openvpn: Total of 63 nicks [5 ops, 0 halfops, 0 voices, 58 normal]
16:20 -!- mode/##openvpn [+o ecrist] by ChanServ
16:20 -!- mode/##openvpn [-oooo disco- nemysis plaerzen reiffert] by ecrist
16:20 -!- mode/##openvpn [-oo tsunami ecrist] by ecrist
16:20 -!- Irssi: ##openvpn: Total of 63 nicks [0 ops, 0 halfops, 0 voices, 63 normal]
16:25 < SlashLife> "the following test will take about two minutes..."
16:25 < SlashLife> I sure would like to know what it's testing. :<
16:39 -!- tsunami [n=tsunami@64.119.141.126] has quit []
16:40 -!- ThoMe [i=tm@tm.muc.de] has quit [Remote closed the connection]
16:40 < Kreg-Work_> when signing keys, what is the use of the email address field? the email address of the admin making the keys, or the email address of the user getting the key?
16:50 -!- gebi_ [n=gebi@84.119.81.115] has joined ##openvpn
16:51 < krzie> Kreg-Work_ doesnt really matter, makes more sense to use the users i guess
16:51 < krzie> i just make stuff up
16:51 < krzie> your@mom
16:51 < krzie> hehe
16:53 -!- gebi [n=gebi@84-119-57-210.dynamic.xdsl-line.inode.at] has quit [Read error: 145 (Connection timed out)]
16:54 < Kreg-Work_> lol
16:54 < Kreg-Work_> well you have to answer similar questions when signing ssl certs for things like web servers. but never really sure what the main purpose was
16:55 < krzie> for that it would be admin
16:55 < krzie> when accepting the cert it can be seen by the end user
16:58 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
16:58 < SgtPepperKSU> !/30
16:58 < vpnHelper> SgtPepperKSU: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:59 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
17:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:17 -!- JediMaster [n=JediMast@5ad961ea.bb.sky.com] has quit [Connection timed out]
18:06 -!- Dougy[Office] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit ["Lost terminal"]
18:14 -!- mode/##openvpn [+o krzie] by ChanServ
18:15 -!- krzie changed the topic of ##openvpn to: Sorry, the openvpn project has been cancelled due to a lawsuit by microsoft. Any further use of the program will get you sent to prison
18:15 -!- mode/##openvpn [-o krzie] by krzie
18:15 * krzie snickers
18:37 -!- DvlDog [n=DvlDog@c-76-111-238-130.hsd1.fl.comcast.net] has joined ##openvpn
18:58 -!- JediMaster [n=JediMast@84.9.122.189] has joined ##openvpn
18:58 < JediMaster> awww, not auto-op'ed this time =(
19:01 < JediMaster> is there a nice quick way to get openvpn setup? I've always found it way too time consuming to get going
19:01 < JediMaster> tried using "tunneldigger" and I couldn't get it working
19:05 -!- DvlDog [n=DvlDog@c-76-111-238-130.hsd1.fl.comcast.net] has quit [Read error: 110 (Connection timed out)]
19:06 < krzie> ild say by reading the docs...
19:06 < krzie> but
19:06 * krzie points at the topic
19:08 < krzie> still here?
19:11 < ecrist> sup guys?
19:11 * krzie points at the topic and the calendar
19:11 < ecrist> krzie: you missed it
19:12 < ecrist> I had chanserv auto-opping everyone all day today
19:12 < krzie> aww, what'd i miss?
19:12 < krzie> hahahahah
19:12 < krzie> nice man
19:12 < ecrist> /msg chanserv access ##openvpn set *!*@* +O
19:13 < ecrist> slashdot has been a fail all day, though
19:14 < ecrist> too many lame attempts at false news.
19:14 < ecrist> like the just-posted 'Microsoft Asks Fed for Bailout'
19:14 < krzie> sounds like the other 364 days
19:14 < krzie> lol
19:15 < krzie> i just had the head of security tell a guy that he needed to go out and check his car cause his rims and tires had been stolen
19:15 < ecrist> heh
19:17 < krzie> everyone was cracking up when he walked out
19:17 < krzie> haha
19:18 < ecrist> I posted, without permission, a theme a guy named Dylan Macleod wrote. He sent me an email asking me to take it down because I was cutting into his ad revenue.
19:18 < ecrist> I told him his thoughts on the matter didn't matter.
19:18 < ecrist> He asked why.
19:19 < ecrist> I said it was because he was from Canada.
19:19 < krzie> lol
19:19 < ecrist> his response, and I quote, 'What is wrong with you?'
19:19 < krzie> hahahah
19:24 < krzie> that was april fools tho right?
19:24 < ecrist> not at all
19:24 < krzie> like, you'll take it down?
19:24 < ecrist> oh, I took it down
19:24 < ecrist> still think he's a pile of shit because he's from canada
19:24 < krzie> lol
19:24 < krzie> whys it matter where hes from
19:25 < ecrist> because it's CANADA
19:25 < ecrist> krzie, when the Canada military takes its break, the MN national guard is going to invade. we're going to build more cabins up there.
19:25 < ecrist> s/Canada/Canadian/
19:26 < krzie> hah
19:26 < krzie> invade washington instead and tell them to allow states to run their own states
19:26 < JediMaster> sorry to break up the fun and get all on-topic ;-) (mind you considering the current topic...)
19:26 < krzie> aka reinstate the 10th amendment
19:26 < JediMaster> If I want to setup two VPNs that will go via two different interfaces to a remote server, can I use the same key for the client?
19:27 < ecrist> sure
19:27 < krzie> you can
19:27 < JediMaster> kk, ta
19:32 < ecrist> http://www.youtube.com/watch?v=Xtc1MG9bDrg&eurl=http%3A%2F%2Fwww%2Edivinecaroline%2Ecom%2Farticle%2F22117%2F71004%2Dseven%2Dhoaxes%2Dapril%2Dfirst&feature=player_embedded
19:32 < vpnHelper> Title: YouTube - Camp Okutta - An Adventure Camp for Kids (at www.youtube.com)
19:39 < ecrist> ROFLMAO
19:40 < ecrist> if you look in that URL, you can find the word, 'Farticle'
19:40 * ecrist goes and has another.
19:41 < krzie> hahah
19:45 < JediMaster> do I need the dh1024.pem file on the client?
19:45 < ecrist> no
19:45 < krzie> not only do you not need it
19:45 < krzie> it cant do anything there
19:45 < JediMaster> kk
19:46 < JediMaster> so I just need client.* and ca.crt?
19:46 < ecrist> and client.crt and client.key
19:46 < ecrist> oh, yeah
19:46 < krzie> !factoids search cert
19:46 < vpnHelper> krzie: 'servercert', 'certs', and 'nocert'
19:46 < ecrist> and client.config
19:46 < JediMaster> hence the * =)
19:46 < krzie> !certs
19:46 < vpnHelper> krzie: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
19:46 < krzie> err thats not it
19:47 < ecrist> JediMaster: don't instult me when I'm drinking!
19:47 < JediMaster> lol
19:47 < ecrist> or insult.
19:47 < krzie> !factoids search where
19:47 < vpnHelper> krzie: No keys matched that query.
19:47 < krzie> !factoids search file
19:47 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
19:47 < krzie> bleh
19:47 < krzie> i thought i had something there for that one
19:47 < krzie> in the howto it has a table of what files go where
19:47 < krzie> !howto
19:47 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:49 * JediMaster followed the instructions and they actually worked
19:49 < JediMaster> !
19:49 < JediMaster> =)
19:50 < krzie> haha
19:50 * JediMaster is a programmer, so he doesn't RTFM unless he REALLY has to
19:50 < JediMaster> now to do the next stupid part
19:50 < krzie> hrm i would think a programmer would understand how important the manual is in a complicated program
19:50 < krzie> rather than ask for help
19:51 < ecrist> indeed
19:51 < ecrist> I'm a pseudo-programmer and I RTFM all the time.
19:51 < JediMaster> krzie: maybe when I was a sysadmin, but I'm more of a programmer than sysadmin, so I just want it to work now =)
19:51 < ecrist> ooh, I hate programmers like that. I'm a sysadmin in a partial devel environment.
19:51 < ecrist> all the programmers are the same way
19:52 < JediMaster> now I've got to get it to run on two different ports so I can use iptables on the client to put one through one interface and the other through the other interface
19:52 < krzie> welp
19:52 < JediMaster> as I've got 2 ADSL lines (25Mbps combined)
19:52 < ecrist> 'Hey Eric. I want to use perl module X in my program. will you install it for me?' 'Rot in Hell' I say.
19:52 < krzie> you need 2 instances of the program running
19:52 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has joined ##openvpn
19:53 < SatanClaus> hiho
19:53 < krzie> hohoho
19:53 < ecrist> I was going to kickban you on principle, then noticed the n was at the *end* rather than before the t
19:53 < SatanClaus> ;)
19:53 < SatanClaus> just a short question... is there any way to get around the need for loading the kernel module tun?
19:54 < ecrist> no
19:54 < krzie> yes
19:54 < JediMaster> maybe
19:54 < ecrist> unless you'd rather load kernel module for tap
19:54 < JediMaster> =D
19:54 < SatanClaus> i want to setup an openvpn server but only own a vserver where I don't have control over the kernel
19:54 < krzie> by statically building it into the kernel
19:54 < krzie> or by not using openvpn
19:55 < krzie> if you want a vps for it, i can speak for a company that is cheap, responsive, and works fine with openvpn
19:55 < krzie> www.nerios.net #nerios on efnet
19:55 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has joined ##openvpn
19:55 < SgtPepperKSU1> !/30
19:55 < vpnHelper> SgtPepperKSU1: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:57 * ecrist goes and drinks more.
20:02 < JediMaster> heh, nice, 20ms ping to my colo machine with the openvpn server running
20:03 < JediMaster> through the vpn
20:04 < JediMaster> ok, next silly part to this project, connecting the two vpns together using link aggregation
20:04 < JediMaster> if it's even possible
20:04 < krzie> neg
20:05 < krzie> but you can use a routing protocol over them
20:06 < JediMaster> routing's not going to work
20:06 < JediMaster> need to double up the bandwidth
20:07 < krzie> ild say if it can be done on normal links it can be done on the vpn links
20:07 < JediMaster> what's the best way of running openvpn in the background? nohup and & ?
20:07 < krzie> READ THE FUCKING MANUAL
20:07 < JediMaster> pfft, it's 2am, eyes are blurry
20:07 < JediMaster> been doing this for 5+ hours
20:07 < krzie> --daemon, and thats the last plainly spelt out in manual freebie
20:08 < JediMaster> ta
20:08 < krzie> yw
20:11 * JediMaster goes off to RTFM as it doesn't actually do anything at all
20:11 < krzie> !man
20:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:11 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has joined ##openvpn
20:11 < JediMaster> thanks again
20:12 < krzie> np
20:14 < SatanClaus> may i ask why the vpn-server needs a kernel module to be loaded at all?
20:15 < krzie> because it uses a tun or tap device
20:15 < krzie> which unless compiled into the kernel requires a module
20:15 < krzie> if compiled into the kernel, you need no module
20:15 < SatanClaus> ok, so why does it need such a device?
20:15 < krzie> cause thats how it works!
20:16 < krzie> if you wanna go figure out how to code it differently, feel free, the code is open source
20:16 < SatanClaus> ;) but why? i mean it's just a server... listening on one port, answering with some packets
20:16 < krzie> umm no
20:16 < krzie> its NOT just a server listening on a port
20:16 < SatanClaus> not?
20:17 < krzie> its a server listening on a port that creates a tunneled connection
20:18 < JediMaster> ok, I've actually looked and RTFM'ed and I've got: openvpn --daemon openvpn1 --cd /etc/openvpn --dev tun0 server.conf
20:18 < JediMaster> but tun0 isn't showing up in ifconfig
20:19 < JediMaster> the config works fine when running in the foreground with just openvpn server.conf
20:19 < krzie> you can put daemon in the config
20:19 < krzie> and cd
20:19 < krzie> and dev
20:19 < krzie> without the --'s
20:19 < JediMaster> handy to know
20:19 < krzie> basically all options can go in config
20:19 * krzie swears the manual says that
20:20 < krzie> OPTIONS
20:20 < krzie> OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash ("--"), this prefix can be removed when an option is placed in a configuration file.
20:21 < JediMaster> it doesn't start up if I put daemon in the config
20:21 < krzie> as in, you dont see it in ps auxw|grep openvpn?
20:21 < krzie> or you dont see output to the screen
20:22 < JediMaster> nm, got it working now
20:22 < krzie> heh
20:22 < JediMaster> getting blurry-eyed
20:22 -!- belZe [i=noone@p5091C908.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:22 -!- belZe [i=server3@p5091CA0B.dip.t-dialin.net] has joined ##openvpn
20:22 < krzie> then goto sleep
20:23 < krzie> it'll be there tomorrow
20:23 < JediMaster> I have 4 ssh terminals open and I had already had the same config started on the same port on the same server heh
20:23 < JediMaster> still not sure why the --daemon didn't work though
20:25 < JediMaster> hmmm should two instances use different ip ranges?
20:25 < krzie> they MUST
20:25 < JediMaster> they've both started up as 10.0.0.1 on tun0 and tun1
20:26 < JediMaster> ok, ta
20:28 < JediMaster> sweet, I can ping both
20:29 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has quit [Remote closed the connection]
20:31 < JediMaster> yup, you're right, ifenslave doesn't like tun devices
20:31 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has joined ##openvpn
20:32 * JediMaster cries
20:32 * JediMaster wants uuuuuuber fast single connection
20:32 < SatanClaus> re
20:32 < JediMaster> wb
20:32 < SatanClaus> sorry, had a timeout...
20:33 * Bushmills wants a pile of chocolate, the size of a planet system
20:35 < JediMaster> shame it'd have its own gravity and all the components would separate out and be pretty yucky
20:36 < JediMaster> this is what I get if I try to aggregate the two tun's together: Master 'bond0': Error: set hw address failed....Master 'bond0', Slave 'tun0': Error: Enslave failed
20:36 < SatanClaus> ok, what i want to do is to setup a vpn or proxy for my girlfriend who's currently in Helsinki and needs to watch a german tv show via internet for her work (sounds strange but that's how it is). the show is provided on the tv station's website with some kind of flash that doesn't work on my computer and I didn't succeed saving an episode for her... somehow the only thing i have is a vserver, where I'm root but can't load kernel modules o
20:36 < SatanClaus> r modify the kernel. so what would you do if I may ask
20:36 < krzie> SatanClaus try a socks proxy
20:36 < krzie> or a normal web proxy
20:36 < SatanClaus> squid?
20:36 < krzie> difference being socks allows encryption
20:37 < krzie> yup squid is a normal web proxy
20:43 < krzie> OR you can get a cheap VPS from nerios, i know they'll get you going with openvpn
20:43 < krzie> if you wanna use openvpn as your solution
20:44 < SatanClaus> yupp, i'm currently reading up on socks vs. proxy ;)
20:44 < krzie> difference = encryption
20:44 < krzie> socks5 basically uses ssh's encryption
20:45 < krzie> whereas a normal proxy doesnt use encryption
20:45 < krzie> which seems unimportant for what you're talking about
20:45 < SatanClaus> it also sounds as if socks supports more than just http... and I'm afraid that the flash stuff loads the video payload via udp
20:45 < krzie> yup i socksify udp
20:45 < krzie> so good point
20:45 < krzie> i use dante for my socks daemon
20:46 < SatanClaus> thanks, will have a look then
20:46 < krzie> np
20:46 < SatanClaus> (if you can understand that I'm not too willing to invest into a second vps)
20:50 < JediMaster> SatanClaus: most of the flash video is just over standard http
20:50 < JediMaster> there could always be an exception though
20:54 < JediMaster> krzie: thanks for the help, must go now, it's 3am and work in the morning =(
20:54 < krzie> yw
20:54 < SatanClaus> awww, why can't openvpn run in userspace :-/
20:55 < krzie> dude
20:55 < krzie> its been explained
20:56 < krzie> it runs in userspace, but requires tuntap because you use it to TUNNEL
20:56 < krzie> besides, a socks is easier to setup
20:57 < SatanClaus> yupp, but in my usecase it would work perfectly without the /dev/tun|tap
20:57 < SatanClaus> :p
20:57 < krzie> no
20:57 < krzie> it would be 100% useless
20:57 < SatanClaus> why not, just because of iptables?
20:57 < krzie> IT WOULDNT DO ANYTHING
20:57 < krzie> lol
20:58 < krzie> the WHOLE point of openvpn is to tunnel
20:58 < krzie> thats what openvpn does
20:58 < krzie> it uses tun to tunnel ip traffic, or tap to tunnel ethernet traffic
20:58 < krzie> but no matter what, take out the fact that it tunnels and it becomes NOTHING
20:58 < SatanClaus> yupp, so on the one side it wraps it up, on the other it unwraps, right?
20:59 < krzie> umm
20:59 < krzie> on both sides it tunnels
20:59 < SatanClaus> and fakes a network interface which is then in the desired network
20:59 < krzie> the server client thing is just for who hands out the settings
21:01 < krzie> regardless, if you cant load anything into the kernel, or get the person who can to do it, then you wont be using openvpn
21:02 -!- JediMaster [n=JediMast@84.9.122.189] has quit ["fnarble"]
21:03 < SatanClaus> yupp, that's what I got from your first message :-/
21:07 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has quit []
21:10 < SatanClaus> my question was just why it needs to be a kernel module... and what i now got for me is that it is because it provides a lot of flexibility if you have /dev/tun on both sides connected with each other, as you can then use other tools, e.g. iptables, route, etc. on both sides to configure what to be done with packets... just as if another mysterious nic was plugged into your computer and provides a "hey, i can beam your packets from here t
21:10 < SatanClaus> o there" ;)
21:10 < krzie> no
21:10 < krzie> not how it works
21:10 < SatanClaus> so just say yes and you're done ;)
21:10 < krzie> but feel free to code it and prove me wrong if you think you can do it
21:12 < SatanClaus> ok, what's wrong about what I just said?
21:13 < krzie> until you code it and prove me wrong, thats not how it works
21:13 < krzie> stop wasting your time arguing about it and go setup what you need
21:13 < SatanClaus> I'm doing that ;)
21:13 < SatanClaus> right now
21:14 < krzie> werd
21:14 < SatanClaus> but nevertheless i want to understand what i didn't understand regarding openvpn
21:14 < SatanClaus> as i'm using that each day when connecting to the university network
21:14 < krzie> the fact that tunneling doesnt happen in iptables
21:14 < SatanClaus> when did i say that?
21:15 < krzie> each other, as you can then use other tools, e.g. iptables,
21:15 < krzie> route, etc. on both sides to configure what to be done with
21:15 < krzie> packets... just as if another mysterious nic was plugged into
21:15 < SatanClaus> and?
21:15 < krzie> openvpn uses tun because it TUNNELS
21:15 < krzie> you wont reproduce that with iptables + route
21:16 < SatanClaus> that's not what I said...
21:16 < krzie> *shrug* im leaving
21:16 < krzie> adios
21:16 < SatanClaus> but you can then "after beamin"...
21:16 < SatanClaus> bye
21:16 < SatanClaus> and sorry and thanks again
21:17 < krzie> damn i forgot to do 1 thing before i detached
21:17 < SatanClaus> the topic?
21:17 < krzie> ya
21:19 -!- mode/##openvpn [+o krzie] by ChanServ
21:20 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
21:20 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
21:20 -!- mode/##openvpn [-o krzie] by krzie
21:20 < krzie> *detached*
21:48 -!- SgtPepperKSU1 [n=keith@ip98-164-8-164.ks.ks.cox.net] has left ##openvpn ["Leaving."]
22:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: stephenh, jameswhite, sigius
22:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: mjt, eliasp, vlt, Flumdahl, CybDev, kraut, simplechat, Typone
22:57 -!- Netsplit over, joins: vlt, Flumdahl, mjt, eliasp, kraut, CybDev, simplechat, Typone, sigius, stephenh (+1 more)
23:07 < SatanClaus> ssh user@server.com -D 1080
23:07 < SatanClaus> ouch
23:07 < SatanClaus> could've been so easy ;)
23:07 < SatanClaus> good night
23:08 -!- SatanClaus [n=SatanCla@unaffiliated/satanclaus] has quit ["bye"]
23:15 -!- datruth [i=scott@gotpot.org] has joined ##openvpn
23:17 < datruth> I'm on ubuntu 8.10 i can connect to my open vpn but i can't seem to use the vpn for web traffic?
23:31 -!- backtracker [n=backtrac@200.106.102.187] has joined ##openvpn
23:31 < backtracker> hi
23:31 < backtracker> I have my .conf, .crt, .key and ca.crt
23:31 < backtracker> Now what should I do to connect to the VPN?
23:32 < backtracker> openvpn some_parameters
23:32 < backtracker> first time with this
23:46 < reiffert> !howto
23:46 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:49 < SlashLife> "Uncomment out the client-to-client directive if you would like connecting clients to be able to reach each other over the VPN. By default, clients will only be able to reach the server." - is this necessary if I am bridging it with the LAN anyway?
23:50 < reiffert> If in doubts, try it out.
23:51 < SlashLife> That'll be hard without a second client for the beginning. :|
23:51 < SlashLife> And since I tend to forget about such options, I'd prefer to configure it now instead of "on demand"
23:52 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
--- Day changed Thu Apr 02 2009
00:08 -!- backtracker [n=backtrac@200.106.102.187] has quit ["leaving"]
00:23 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
01:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:12 -!- ghfu [n=unknown@gateway.geodesic.com] has joined ##openvpn
01:13 < ghfu> hi, any disadvantages in using tcp as the proto for site-to-site vpn instead of udp?
01:16 < reiffert> !factoids search tcp
01:16 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
01:16 < ghfu> thanks
01:21 < ghfu> thats an excellent explanation!
01:26 < ghfu> !factoids search udp
01:26 < vpnHelper> ghfu: No keys matched that query.
01:26 < ghfu> :0
01:27 -!- ghfu [n=unknown@gateway.geodesic.com] has left ##openvpn ["Leaving"]
01:27 < reiffert> !factoids search forward
01:27 < vpnHelper> reiffert: 'winipforward' and 'linipforward'
01:28 < reiffert> !winipforward
01:28 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
02:25 -!- nemysis [n=nemysis@209-90.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
02:30 < kraut> moin
03:11 -!- ekenix [n=eken@58.35.164.249] has joined ##openvpn
03:18 -!- ekenix [n=eken@58.35.164.249] has left ##openvpn []
03:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:46 < datruth> I'm on ubuntu 8.10 i can connect to my open vpn but i can't seem to use the vpn for web traffic?
04:11 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Connection timed out]
04:19 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has joined ##openvpn
04:20 < SlashLife> !/30
04:20 < vpnHelper> SlashLife: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:20 < SlashLife> !topology
04:20 < vpnHelper> SlashLife: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:22 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn
04:24 -!- SuperEvilDeath14 [n=death@212.206.209.177] has quit [No route to host]
05:02 < reiffert> moin kraut
05:12 < reiffert> SlashLife: without any details it sounds like you are using a web proxy.
05:12 < reiffert> afk
05:12 < SlashLife> reiffert: I take it you are the channel troll here?
05:14 < kraut> hi reiffert
05:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:03 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
06:06 < mazzachre> Hi... I have a problem.. I am setting up a bridged vpn to our server park... The servers have net addresses on 172.16.0.0/16 and I have set aside 172.16.250.0/24 for the bridged clients... When I connect the vpn my client gets 172.16.250.1 so that works... The server's internal address is 172.16.0.1 (on eth1) however I can't reach the internal net from the client...
06:07 < mazzachre> I have a push route to 172.16.0.0/16 from the server, and route on the client says: "172.16.0.0 172.16.0.1 255.255.0.0 UG 0 0 0 tap0 172.16.0.0 * 255.255.0.0 U 0 0 0 tap0"
06:07 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn []
06:08 < mazzachre> I am allowing forwarding and have setup the rules found in the howto...
06:08 < mazzachre> Can someone help me?
06:10 < mazzachre> I have network access from the server... I can ssh into its external address (on eth0) and I have full access to the lan on eth1 as well.
06:10 < mazzachre> please?
06:12 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:12 < mazzachre> If I try to ping 172.16.250.1 from the openvpn server, I get destination host unreachable
06:13 < mazzachre> What am I doing wrong here?
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has joined ##openvpn
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has left ##openvpn ["Ik ga weg"]
06:15 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has joined ##openvpn
06:16 -!- HurricaneHarry_ [n=harold@falling.demon.nl] has left ##openvpn ["Ik ga weg"]
06:49 -!- gebi_ is now known as gebi
07:02 < ecrist> morning, fuckers
07:09 < mazzachre> morning!
07:19 < ecrist> mazzachre: why are you using bridged?
07:32 < mazzachre> well.. possibly because of excess fail... I will try to set it up differently now... but I lost connection...
07:32 < mazzachre> I set it up that way because I am not good with networks and routing has failed me before...
07:32 < ecrist> ok. probably 90% of vpns can be setup with tun. very few people need to use tap vpns.
07:39 < dazo> mazzachre: if you need a quick and not too advanced guide to basic network routing, have a look here: http://www.scribd.com/doc/10245818/Networking-Tutorial-TCPIP-Over-Ethernet
07:39 < vpnHelper> Title: Networking Tutorial - TCPIP Over Ethernet - Internet & Technology, Research, and networking tcp ip ethernet router mac address cidr (at www.scribd.com)
07:42 < mazzachre> dazo: Thx... I know that from back in uni... learned basic networking there... the osi stack and tcp and low level... I am not very proficient though... Especially when it comes to routing...
07:42 < dazo> mazzachre: you don't have to think much about OSI stack ... and that intro does not even mention it ... well it mentions it saying it won't mention it again
07:43 < mazzachre> ya :)
07:43 < dazo> mazzachre: and that guide, if you read it ... it should be able to get you up to some basic understanding .... and routing is a lot easier than bridging
07:44 < dazo> OSI layers are for geeks who already understand everything about networking and want to be super-geeks :-P
07:44 < mazzachre> Well.. my immediate problem right now is that I have fucked up the connection to the server... so I am beyond repair at the moment...
07:44 < dazo> ouch
07:48 < mazzachre> And the admin is on holiday... and I leave on holiday saturday...
07:48 * mazzachre should know better than to fiddle with these things up to a holiday...
07:48 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !confi+1gs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
07:48 -!- dazo changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology
07:48 < dazo> whoops ... wrong window
07:49 < mazzachre> !route
07:49 < vpnHelper> mazzachre: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:54 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 60 (Operation timed out)]
07:58 < mazzachre> Ahh.. got connection back... phew...
07:59 -!- ozirus [n=Furkan@88.242.78.196] has joined ##openvpn
08:00 < mazzachre> reboot worked...
08:02 < datruth> I really need help with bridging my openvpn with my wireless can anyone help me with this?
08:07 < datruth> Can someone please help me with this?
08:11 -!- datruth [i=scott@gotpot.org] has quit ["leaving"]
08:18 < ecrist> dazo: !route
08:19 < dazo> ecrist: yeah, I know that one ... but when people do not understand the contents here ... I send them further to the other link, so that they get the basic knowledge ...
08:27 < mazzachre> Hmm... Now it seems to find its way into the firewall again...
08:29 < mazzachre> Can someone help me with firewalling here? ecrist and dazo? (Now that I have set up routing... I can connect and that seems to work. When I ping something on the LAN of the VPN it is put in the tun device...)
08:30 < dazo> mazzachre: Linux + iptables?
08:31 < mazzachre> http://www.pastebin.ca/1379956 yep
08:31 < mazzachre> dazo: Yep, linux +iptables
08:31 * dazo looks
08:31 < mazzachre> That is how it looks right now (Not really my firewall)
08:32 -!- mooseman447 [n=mooseman@pool2-iu-conf.nat.cliu.org] has joined ##openvpn
08:32 < mooseman447> hey
08:32 < mooseman447> if i want to route all ip traffic on a client through the vpn all i need to do is add redirect-gateway def1 in the client's config right?
08:32 < dazo> mazzachre: seems to be reasonable starting point
08:33 < mazzachre> dazo: I would think so... it is our sysadm that has set it up... he is quite knowledgeable... he is however also on vacation :/
08:33 < dazo> mazzachre: is you VPN server the default gateway for your clients on LAN?
08:33 < dazo> is your*
08:35 < mooseman447> i ask because i added that line and reconnected to the openvpn server and i cant load or ping anything on the client
08:35 < mazzachre> dazo: Uhm... unknown? I want a "road warrior" setup :) So I can connect my workstation from anywhere (mostly at home or the office) to the network where the vpn server is set up... The vpn server is one of the servers on the server hosting site...
08:36 < dazo> mazzachre: oki ... is the default gateway on your LAN clients this OpenVPN server? (twisting the question around)
08:37 < mazzachre> uhm... not understood...
08:37 < mazzachre> No... it is not supposed to be default gw...
08:38 < dazo> mazzachre: that might be why you have problems
08:38 < dazo> mazzachre: on your default gateway you then need to add a route for your VPN network through your OpenVPN server
08:39 < mazzachre> :( I don't have access to do anything on the default gateway of the LAN here...
08:40 < mazzachre> (I am a developer, not corporate sysadm...) our sysadm doesn't even have that access... Only on the production server setup :(
08:40 < mazzachre> I am pushing our routes to the network for the clients...
08:41 < mazzachre> 172.16.0.0 192.168.90.5 255.255.0.0 UG 0 0 0 tun0
08:42 < dazo> mazzachre: which clients ... LAN clients?
08:45 < mazzachre> Uhm.... the setup is supposed to be like this: "Servers have ips 172.16.0.0/16, with openvpn server having internal address 172.16.0.1 and an external ip address, other servers exist on the 172.16 net... clients (like my workstation) are sitting around the world, vpn connecting to the openvpn server to ssh (and other connections) to the servers on the 172.16 network...
08:47 < mazzachre> My workstation has that route set up, 172.16.0.0 through 192.168.90.5 which is its tun0 device (in the openvpn-status.log I have "192.168.90.6,mra.client.vpn.wifact.com,194.152.38.14:2863,Thu Apr 2 15:44:39 2009")
08:47 < mazzachre> and in tun0 in ifconfig it says inet addr:192.168.90.6 P-t-P:192.168.90.5 Mask:255.255.255.255
08:48 < mazzachre> tcpdumping packets on tun0 lists the packets when I try to ping something (172.16.1.1 which exists) but no return packets...
08:50 < mazzachre> Apr 2 15:50:01 openvpn ovpn-server[2933]: mra.client.vpn.wifact.com/194.152.38.14:2272 Authenticate/Decrypt packet error: cipher final failed
08:50 < mazzachre> what is this?
08:51 -!- mooseman447 [n=mooseman@pool2-iu-conf.nat.cliu.org] has quit ["Leaving"]
08:54 < mazzachre> Ah... found out...
08:56 < mazzachre> dazo?
08:57 -!- ozirus [n=Furkan@88.242.78.196] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"]
09:09 < mazzachre> dazo: Are you here?
09:10 < dazo> mazzachre: sorry, yeah ... I'm at work and it needed my attention .... will be back again soon
09:14 < mazzachre> ok ;)
09:28 -!- Guest35431 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
09:39 -!- ozirus [n=Furkan@88.242.78.196] has joined ##openvpn
09:43 < ozirus> while trying to create client-to-net vpn connection with http://dpaste.com/22612/ configurations i can't connect clients to server. i always get http://dpaste.com/22613/ error from client-side. any idea?
09:44 -!- Rochdi [n=abid@196.203.51.17] has joined ##openvpn
09:45 < Rochdi> hello
09:45 < Rochdi> I'm use'in OpenVPN on a pfSense Gateway
09:46 < Rochdi> I'm using OpenVPN on a pfSense Gateway
09:46 < Rochdi> I can connect to pfSense, but I can't reach lan network
09:46 < Rochdi> can you help me ?
09:47 < Rochdi> can you help me ?
09:48 < Rochdi> I used this : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
09:48 < vpnHelper> Title: VPN Capability OpenVPN - PFSenseDocs (at doc.pfsense.org)
09:48 < Rochdi> vpnHelper: I used it
09:48 < vpnHelper> Rochdi: Error: "I" is not a valid command.
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:49 < Rochdi> vpnHelper: sorry, i can't understand you
09:49 < vpnHelper> Rochdi: Error: "sorry," is not a valid command.
09:49 < ecrist> Rochdi: what problems are you having?
09:50 < Rochdi> I'm using OpenVPN on a pfSense Gateway
09:50 < Rochdi> I used this : http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
09:50 < vpnHelper> Title: VPN Capability OpenVPN - PFSenseDocs (at doc.pfsense.org)
09:50 < Rochdi> I can connect to pfSense, but I can't reach lan network
09:50 < ecrist> I hate to say it, but you need to talk to the pfsense folks on that
09:51 < Rochdi> ecrist: can you help me please
09:51 < ecrist> they do funky things with configs and system layout
09:51 < mazzachre> When connecting my client to the server, should I not be able to ping the client's new ip address? (It has gotten 192.168.90.5/6 ptp) and should the client not be able to ping some addresses also on that network?
09:53 < ecrist> mazzachre: your VPN client should be able to ping the server VPN address, probably 192.168.90.1
09:53 < ozirus> anybody knows a simple guide about how to setup openvpn with auth-user-pass-verify authentication only (not included certs)? with a script and simple configuration files...
09:54 < mazzachre> ecrist: it is not... firewall?
09:54 < ecrist> ozirus: google should be able to help you with that. there are some basic scripts included with openvpn. if you want encryption, you should still be using certificates, though.
09:55 < ecrist> mazzachre: from the client, can you ping the VPN server address?
09:56 < mazzachre> ecrist: the external address or the 192.168.90.1 address?
09:56 < ecrist> the VPN address
09:57 < ecrist> if I'm going to help you, at least read what I write.
09:57 < mazzachre> ecrist: I just didn't understand... No, I can't ping the VPN address
09:58 < ecrist> then you have a firewall issue
10:05 < mazzachre> apparently I have more than a simple firewall issue... I have no idea how that stinking firewall system (ipmasq) works... Or why it is installed :( It seems to block everything and anything... Or something else is wrong :(
10:12 < mazzachre> ecrist: When I ping from the client to the server VPN address, I don't get any return, on the vpn server, there is no output from tcpdump -i tun0
10:13 < ecrist> mazzachre: disable your firewall
10:17 < mazzachre> ecrist: no difference...
10:18 < mazzachre> When I kill all iptables rules and set policy to ACCEPT for channels, I still cannot ping the server VPN address from a connected client...
10:19 < ecrist> mazzachre: post your logs and configs, please
10:20 < mazzachre> ecrist: http://www.pastebin.ca/1380034 server config
10:21 < ecrist> !configs
10:21 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:21 < ecrist> comments are a pain to read around
10:21 < ecrist> see the grep
10:24 < mazzachre> http://www.pastebin.ca/1380036
10:24 < mazzachre> sry
10:24 < ecrist> *much* better :)
10:25 < mazzachre> Server side: OpenVPN 2.0.9 x86_64-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Sep 22 2007
10:26 < mazzachre> Client side: OpenVPN 2.0.7 i686-pc-linux-gnu [SSL] [LZO] [EPOLL] built on Nov 24 2008
10:27 -!- kezhi [i=moneybag@in-t-er.n-e-t.name] has joined ##openvpn
10:27 < ecrist> !logs
10:27 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
10:27 < mazzachre> ecrist: which log files would that be?
10:28 < mazzachre> o.O
10:28 < mazzachre> They are HUGE!
10:28 < ecrist> mazzachre: all we need is a new 'connection'
10:28 < ecrist> up until traffic starts flowing
10:29 < mazzachre> http://www.pastebin.ca/1380047
10:29 < mazzachre> Server side...
10:29 < mazzachre> Have grepped on openvpn...
10:30 < ecrist> in your logs, note line 13 - you've got multiple clients using the same certificate
10:31 < ecrist> occurs again on line 41
10:32 < mazzachre> Hmm.... how can that happen? The certificate is only on this workstation, no others are using the vpn yet (until I have gotten it to work)
10:32 < ecrist> line 50 indicates a firewall blockage
10:32 < ecrist> don't know, mazzachre, not my network.
10:32 < mazzachre> From client http://www.pastebin.ca/1380051
10:33 < ecrist> I would say, start with figuring out your competing clients, and make sure your firewall is really open.
10:33 < ecrist> on both ends.
10:33 -!- kezhi is now known as prozacwizard
10:34 < mazzachre> How to figure out the competing clients? I only have one machine and this is the only place I have the certificates...
10:34 < SlashLife> Mhh ... I'm a bit puzzled by the server-bridge configuration entry ... The IP range at the end - how does it affect me if I want to assign IPs to VPN users through the DHCP? Is that even possible?
10:34 < ecrist> SlashLife: the end range is so you can assign ips through openvpn within the same range as the local lan.
10:35 < ecrist> omit those if you want a local DHCP server to handle assignments
10:35 < SlashLife> Ah, ok. The comment for did didn't say anything about omitting it, thanks.
10:36 < SlashLife> *for it
10:37 < ecrist> mazzachre: your client server certificates don't match
10:37 < ecrist> rebuild your certificates
10:37 < ecrist> you're using two different cipher lengths
10:37 < ecrist> see here for more information: http://forum.openwrt.org/viewtopic.php?id=474
10:37 < vpnHelper> Title: OpenWrt / OpenVPN (at forum.openwrt.org)
10:38 < mazzachre> DOOOOOOH!!!!!
10:38 < mazzachre> Ya... I just found that out..
10:39 < mazzachre> Now I have set the certificate and key length correct and everything works...
10:39 < SlashLife> Hey mazzachre btw. :)
10:39 < mazzachre> thx ecrist
10:39 < mazzachre> hi
10:39 < mazzachre> lol
10:42 < SlashLife> The other question I had earlier today (unfortunately with just one client atm, I am not able to test it): Uncomment this directive (client-to-client) to allow different clients to be able to "see" each other. -- does this even affect me when bridging?
10:42 < ecrist> SlashLife: I haven't tried, but probably.
10:45 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
10:47 -!- fixxxermet [n=kjohnson@69.85.26.2] has joined ##openvpn
10:48 < fixxxermet> For a setup where both lans (client and server) can fully access each other, does it matter if I use a tun or a tap setup?
10:48 < ecrist> fixxxermet: use tun
10:48 < ecrist> !route
10:48 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:48 < ecrist> read that page, your setup is covered
10:50 < SlashLife> Mhh ... thanks for your input. Unfortunately: Options error: Unrecognized option or missing parameter(s) in openvpn/openvpn.conf:95: server-bridge (2.0.6) - seems it wants the range after all.
10:50 < ecrist> SlashLife: read the man page, it's all discussed there.
10:52 < SlashLife> Oops. There's a man page. *finds a stone and hides*
10:53 < SlashLife> I'll do that. Thanks and sorry. :/
10:53 < ecrist> !man
10:53 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:55 -!- Rochdi [n=abid@196.203.51.17] has quit [Remote closed the connection]
10:55 < SlashLife> I have the howto open, the ethernet bridging manual, the FAQ and the whole FreeBSD section on Bridging, DHCP etc and last but not least the annotated sample config ... but I honestly forgot to check whether there was a man page. :(
10:56 < ecrist> SlashLife: why are you using bridging?
10:56 < ecrist> oh, have you read this
10:56 < ecrist> !freebsd
10:56 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
10:56 < ecrist> it's a tun setup, but much will apply to you.
10:58 < SlashLife> Oh, no, I didn't. Thanks.
10:59 < SlashLife> I have tap and the bridge up and running already, so that shouldn't matter. :) It's just lots of new information for me.
11:00 < SlashLife> Regarding bridging: If everything works out as planned, I'd have three equivalent methods of connecting to my home network: Directly to the wired LAN, VPN over WLAN (got a few scriptkiddies around here) or VPN through WAN.
11:00 < SlashLife> Regardless of which way I choose, I'd like to have the same IP in every case.
11:07 -!- Rochdi [n=abid@196.203.51.17] has joined ##openvpn
11:10 -!- Rochdi1 [n=abid@196.203.51.17] has joined ##openvpn
11:12 -!- ozirus [n=Furkan@88.242.78.196] has quit [Remote closed the connection]
11:13 -!- Rochdi1 [n=abid@196.203.51.17] has quit [Remote closed the connection]
11:14 -!- Rochdi1 [n=abid@196.203.51.17] has joined ##openvpn
11:14 -!- Rochdi1 [n=abid@196.203.51.17] has quit [Remote closed the connection]
11:28 -!- Rochdi [n=abid@196.203.51.17] has quit [Read error: 110 (Connection timed out)]
11:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
11:30 -!- prozacwizard [i=moneybag@in-t-er.n-e-t.name] has quit [Remote closed the connection]
11:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:33 -!- ikla [n=lbz@fw1.aspsys.com] has quit [Remote closed the connection]
11:45 -!- DeRoSvOs [n=jacob@bas8-ottawa23-1177761899.dsl.bell.ca] has joined ##openvpn
11:45 < DeRoSvOs> !howto
11:45 < vpnHelper> DeRoSvOs: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:29 -!- Guest35431 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
12:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:50 -!- DeRoSvOs [n=jacob@bas8-ottawa23-1177761899.dsl.bell.ca] has left ##openvpn []
13:22 -!- achilles [n=achilles@62.90.14.185] has quit ["Leaving"]
13:45 -!- l4p32 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn
13:47 < l4p32> I connect to my openvpn server all the time from outside my home-network. But when I'm in the same network I'm able to connect and obtain an ip but I'm disconnected after a while and when I'm connected I'm not able to ping any of the server ips. I only changed the external ip in the config file to the local, but it doesn't seem to work. Anyone have a clue why it won't work?
13:50 < l4p32> anyone?
13:55 < l4p32> I want to connect to openvpn with a local client..
13:59 -!- l4p32 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"]
14:04 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 113 (No route to host)]
14:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:28 -!- pgrace [n=pgrace@2001:470:8a93:2:20c:29ff:fee9:9689] has joined ##openvpn
15:28 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn
15:30 < pgrace> I have a really odd situation. I'm using openvpn between a linux server and a windows client. The vpn is up and running, I can ping, everything's great. Until I do something like a ps aux or bring up irc in screen, in which case the terminal screen begins to draw and then.. stops.
15:30 < pgrace> this is with ipv6, by the way.
15:30 < pgrace> Has anyone heard of this before? Is it an mtu issue or something?
15:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:54 -!- fixxxermet [n=kjohnson@69.85.26.2] has left ##openvpn []
16:11 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
16:11 < ThoMe> hiho
16:12 < ThoMe> have an openvpn client on my snom phone. when the server can't connect with my openvpn server I would like to reconnect in X seconds
16:12 < ThoMe> how can I set it?
16:12 < ThoMe> client side or server?
16:12 < ThoMe> client: http://paste.keks.be/441/txt
16:12 < ThoMe> can anybody help me?
16:12 < ThoMe> thank you!
16:13 < ThoMe> my last log-line in my server: Thu Apr 2 23:07:04 2009 SNOM_370_HERR_WINDELS/77.47.52.27:64260 SIGTERM[soft,delayed-exit] received, client-instance exiting
16:13 < ThoMe> and now, it doesn't reconnect :-(
16:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 110 (Connection timed out)]
16:16 < krzie> !man
16:16 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:16 < krzie> there's all sorts of reconnect otions
16:16 < krzie> options
16:17 < krzie> but it should try automatically, show me this:
16:17 < ThoMe> krzie: hello. i have read this. but i can't find this.
16:17 < krzie> !configs
16:17 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:17 < ThoMe> krzie: my config http://paste.keks.be/441/tx
16:17 -!- gebi_ [n=gebi@84.119.81.184] has joined ##openvpn
16:17 < ThoMe> krzie: my config http://paste.keks.be/441/txt
16:18 < krzie> and server...
16:19 < ThoMe> krzie: http://paste.keks.be/442
16:20 < krzie> !logs
16:20 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
16:22 < ThoMe> krzie: have only logs from server http://paste.keks.be/443
16:22 < krzie> i want the whole log from start to finish at verb 6
16:22 < ThoMe> krzie: grr. moment
16:28 -!- gebi [n=gebi@84.119.81.115] has quit [Read error: 113 (No route to host)]
16:36 < ecrist> howdy
16:37 < krzie> yeeeehaw
16:37 < krzie> ;]
16:43 < sunga> does anyone here tunnel tightvnc over a vpn? I can't find the option or way to change the listening port to the ip address my virtual adaptor is using
16:44 < krzie> dunno anything about tightvnc
16:44 < krzie> any openvpn questions?
16:45 < sunga> well how can you verify you got a working, secure connection over the vnc port?
16:45 < sunga> I tunneled sabnzbd over port 80 to 8081 on the server machine
16:45 < sunga> I want to verify traffic to it is going over port 80 and secured
16:45 < sunga> wireshark?
16:48 < krzie> using redirect-gateway or without?
16:48 < krzie> openvpn runs on the same machine that runs the vnc?
16:49 < sunga> yes
16:49 < krzie> connect to the vpn ip
16:49 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
16:50 < krzie> vpn ip:port for the vnc connection
16:50 < krzie> know what i mean>
16:50 < krzie> ?
16:51 < sunga> yes but that doesn't work because tightvnc isn't listening on the vpn ip and I can't force it
16:51 < krzie> start it after the vpn is established
16:52 < krzie> unless it has a place to enter what ip it listens on, it should be binding to *
16:52 < krzie> easy to check with netstat
16:55 < sunga> im on vnc right now will be hard to restart tightvnc I guess
16:55 < sunga> if i close it I lose connection, duh
16:56 < krzie> *shrug* check netstat
16:56 < krzie> if it needs to be started after vpn is up, that's easy enough
16:56 < krzie> just script up something to start it and use it in a hook in openvpn
16:57 < krzie> so connection to vpn is made, then the script starts up the vnc app
16:58 < sunga> ye too bad I can't script =)
16:59 < krzie> should be completely simple
16:59 < krzie> just a matter of opening it in dos
16:59 < krzie> once you have that command, you put the command in a text file with extension .bat
16:59 < krzie> then its an executable batch script
17:00 < krzie> then you figure out how to kill it, and put that command in a .bat for disconnect (if that's even needed)
17:00 < krzie> the way to test that:
17:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
17:00 < krzie> try to connect now, if that doesn't work, open vnc app after vpn is established, if that works you know it needs to be opened after
17:01 < krzie> then disconnect vpn, reconnect it and try to connect to vnc
17:01 < krzie> if it can still be contacted over the vpn, you don't need to worry bout shutting it down
17:01 < krzie> OR
17:01 < krzie> i know windows remote desktop just works
17:02 < krzie> cause i've implemented it for someone before
17:02 < krzie> and since it should ONLY be accessible over the vpn, security of the app is less important
17:03 < krzie> you follow?
17:03 < sunga> yes
17:03 < sunga> prefer vnc though more options and feels faster
17:05 < krzie> cool, since it has more options, what ip it listens on should be one
17:05 < krzie> since remote desktop has that
17:06 < krzie> either way, i can only help you with openvpn
17:06 < krzie> and...
17:06 < krzie> !notovpn
17:06 < vpnHelper> krzie: Error: "notovpn" is not a valid command.
17:06 < krzie> !factoids search not
17:06 < vpnHelper> krzie: 'notopenvpn' and 'notcompat'
17:06 < krzie> !notopenvpn
17:06 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
17:07 < krzie> i guess there's another way to handle it tho, one that works via openvpn
17:07 < krzie> if you move the vpn to another machine on the same lan
17:07 < krzie> then you use
17:07 < krzie> !route
17:07 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
17:07 < krzie> you can connect to the machine over the vpn by LAN ip
17:07 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
17:08 < krzie> that will guarantee the traffic passes over the vpn, without needing to change the vnc's settings
17:08 < krzie> =]
17:08 < krzie> wassup ropetin
17:23 -!- icmp [n=icmp@unaffiliated/icmp] has joined ##openvpn
17:23 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
17:24 < icmp> Hi, I have a question. I'm doing a static PSK setup on my vpn. I was wondering what is the purpose of the "ifconfig" statement on the server and clients sides? I've seen examples that say to use 2 un-used address on the server side and simply reverse them on the client. But this doesn't seem to make sense.
17:24 < icmp> Can someone clarify the use of ifconfig for me in a TUN environment?
17:24 < krzie> well
17:24 < krzie> you only want 2 machines connected to each other?
17:24 < krzie> or a hub/spoke setup
17:24 < icmp> No, more than two.
17:24 < krzie> ok so you don't want to use ifconfig at all
17:24 < krzie> you want the server statement
17:25 < icmp> Hub/spoke. But not remote-access. Simply all connected users hitting the central server.
17:25 < krzie> like this:
17:25 < krzie> !sample
17:25 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
17:25 < icmp> If I use server though I cannot use a static key.
17:25 < icmp> It says I have to go PKI.
17:25 < krzie> you don't want a static key, you want certs
17:25 < icmp> I know the difference, and I know what I want.
17:25 < krzie> you use bsd or linux?
17:25 < icmp> I want a simply PSK. Is that possible?
17:25 < icmp> Linux.
17:25 < icmp> s/simply/simple/
17:25 < krzie> a static key is much less secure than certs
17:25 < icmp> I realize that.
17:25 < krzie> !ssl-admin
17:25 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
17:25 < icmp> No, no.
17:25 < icmp> Is it possible?
17:25 < krzie> makes it extremely simple to manage your certs
17:26 < icmp> I suppose I'll go PKI, thank you.
17:26 < icmp> Btw, ircpimps 4 life.
17:26 < krzie> i believe it is if you make your own auth system using a script
17:26 < icmp> Yeah I wrote a django interface for new users.
17:26 < krzie> heheh you know of us? =]
17:26 < icmp> < node, syrrus's frient
17:26 < icmp> friend
17:26 < krzie> ahhh right on bro
17:27 < krzie> if you REALLY want only static keys, you also wanna auth with passwords
17:27 < krzie> that way you can use the username as your common-name
17:27 < krzie> !nopass
17:27 < vpnHelper> krzie: Error: "nopass" is not a valid command.
17:27 < krzie> err
17:27 < krzie> !nocert
17:27 < vpnHelper> krzie: "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man)
17:27 < krzie> then you can also use a static key
17:27 < krzie> note, i DO NOT recommend this method
17:28 < krzie> much better off to use the full security offered to you
17:28 < krzie> and with ssl-admin managing the certs and even a CRL is VERY simple
17:28 < krzie> like on the verge of fun :-p
17:29 < krzie> but if you choose to go that route, you may want the passwords saved in a file so no human interaction (also do NOT recommend it)
17:29 < krzie> !pwfile
17:29 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
17:29 < krzie> i think that's everything you could wanna know on that subject =]
17:30 < krzie> but if you care about security like i know you do seeing as you're oldschool 0x41, take my advice and use certs
17:31 < krzie> also when you're done, feel free to show me your configs (type !configs to see how i want them) and i'll tell you if anything can be improved for security
17:34 < sunga> its working now
17:34 < sunga> it is listening on all available ips
17:34 < sunga> had to restart openvnc and tightvnc
17:35 < sunga> gonna try tomorrow on an external location if I can login over vpn too
17:35 < sunga> lets hope it works
17:35 < sunga> im off to bed now nn thanks so much for the help
17:35 < krzie> np man
17:44 < krzie> icmp, wanna know bout anything else?
17:45 < icmp> No I got it working now.
17:46 < krzie> cool, you go the pki route or implemented l/p + --username-as-common-name
17:46 < icmp> I went with PKI.
17:46 < krzie> nice
17:47 < krzie> want me to take a glance and see if i can see anything to beef it up?
17:47 < krzie> ie: checking for MITM, dh seed, etc
17:47 < krzie> i don't mind, im bored, plus a friend of sy is a friend of mine
17:47 < icmp> I'm only pushing a route to the server itself (172.16.1.1). So there's no need to worry about that. And my diffie-hellman params are at 2048. All perms are nobody and it's running with a confined selinux policy.
17:48 < icmp> I think I'm good.
17:48 < krzie> using cert type server checking on clients?
17:48 < krzie> tls static key for HMAC sigs?
17:49 < icmp> From what I read in the docs, openvpn does bidirectional authentication by default. The client should be verifying the server and vice versa by default.
17:49 < krzie> is the route that you're pushing to the server a lan behind a client?
17:49 < krzie> somewhat
17:49 < icmp> And I'm not worried about HMAC sigs, since openvpn implements a type of PFS.
17:49 < krzie> but 2 certs signed by a CA can still auth even tho both are clients
17:49 < icmp> Meaning the seed is changing dynamically anyway.
17:49 < krzie> !mitm
17:49 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
17:49 < krzie> hmac sigs:
17:49 < krzie> !hmac
17:49 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:49 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:49 < icmp> brb
17:49 < krzie> ok
17:56 < reiffert> SlashLife: regarding scriptkiddies around your place: be sure that they can't use your WLAN by ip over dns.
17:57 < krzie> <3 IPoDNS
17:57 < reiffert> SlashLife: I was mixing up your nick with that guy who was asking a question right before you. Thanks for the flowers.
17:58 < reiffert> Moin krzie
17:58 < krzie> moin!
17:58 < krzie> http://www.doeshosting.com/code/NStun.sh
17:59 < krzie> my script for starting iodine and correctly setting up and destroying routes for it
17:59 < krzie> iodine being an IPoDNS tool
18:00 < reiffert> I thought about setting this up so many times ...
18:00 < reiffert> the day will come for sure ..
18:00 < krzie> welp, you'll enjoy that script when the time comes
18:00 < krzie> its nice and lazy
18:01 < krzie> and tested in linux/bsd/osx
18:01 < reiffert> and the other way around, I'd like to prevent using IPoDNS at the public places where I care about the WLAN
18:01 < reiffert> but let's think about a solution when it's time for that
18:02 < reiffert> when time has come ...
18:02 < krzie> well the solution is public
18:02 < reiffert> I definitely have to improve my english. Sigh. But how?
18:02 < krzie> and starbucks has implemented it
18:03 < reiffert> I have to improve my english, definitely.
18:03 < krzie> odd, i've never seen you have a problem communicating in english
18:04 < krzie> let me find the way to block it for you
18:05 < reiffert> My vague idea is limiting the DNS queries per minute to 10/m for the unauthenticated clients.
18:05 -!- dli_ [n=dli@adsl-75-22-21-245.dsl.chcgil.sbcglobal.net] has joined ##openvpn
18:06 < krzie> i'd think changing the mtu would be easier
18:06 < krzie> seeing as the oversized packets of a tunnel are overkill for legit dns
18:07 < krzie> also a nice way to allow recursive dns without being a ddos relay/amplifier
18:07 < reiffert> The WLAN concept is as follows: unencrypted public access, dhcp. Client begins surfing and gets redirected to the authentication page.
18:08 < reiffert> after authentication the mac address makes it into the whitelist/firewall.
18:08 < krzie> right but you need a much larger MTU to actually tunnel over dns than you need for real dns
18:09 < krzie> the thing is with that, they allow dns and do the redirection after
18:09 < reiffert> Ah.
18:09 < krzie> you can still resolve stuff
18:09 < krzie> but its usually forced through their nameserver
18:09 < reiffert> Will have to remember that.
18:09 < krzie> so their nameserver relays to your fake one after being told to by your real one for a subdomain you made and forwarded dns 18:09 < krzie> if they dont allow dns, they do allow icmp 18:10 < krzie> and theres an app to tunnel over icmp 18:10 < krzie> although ive never seen the one that allows icmp in real life 18:10 < krzie> i just know its been seen by others, which is why the tool exists 18:10 < reiffert> well, I always thought the IPoDNS works as: client asks local DNS (same machine that plays the dhcp server) for a name, e.g. foo.bar.com and the DNS hands the question to the authorized DNS from bar.com, now? 18:11 < krzie> ok 18:11 < krzie> then bar.com says for foo, ask this other NS 18:11 < reiffert> s,now,no, 18:11 < krzie> but the other NS isnt a real ns 18:11 < krzie> foo.bar.com is actually a fake NS setup for tunneling 18:11 < krzie> if using iodine, it auths, then sets up a tunnel 18:11 < reiffert> bar.com just answer with 127.0.0.2 or a very long name e.g. for the MX 18:12 < reiffert> and that very long name can be taken for data 18:12 < krzie> then my routing script makes the default route go over the tunnel that was just setup 18:12 < krzie> actually iirc it works on dns null requests 18:12 < krzie> which i think is how they block 18:13 < reiffert> like I said, on one day I have to look through all the possible solutions. 18:13 < reiffert> Hm, reading english books might improve my english ... 18:14 < krzie> ya i plan on reading some books in spanish for that same reason 18:14 < reiffert> any recent scifi on books? 18:14 < krzie> no idea, i dont really read anymore 18:14 < reiffert> common estas? 18:14 < krzie> too much computer work to be done 18:14 < krzie> estoy muy bien, gracias 18:15 < krzie> (como estas?) 
18:15 < reiffert> de nada, muchas gracias, bonna noche 18:16 < krzie> bonna is italian (bonna note), buenas noches = spansih =] 18:16 < reiffert> My girl has got some people in her workgroup that come from mexico, portugal, spain and italy. It's quite a fun talking to these peoples :) 18:16 < krzie> hehehe right on 18:17 < krzie> mexico and spain... they prolly need to talk a 3rd language to communicate 18:17 < krzie> err 2nd 18:17 < reiffert> Funny thing is I can understand them in whatever language they are talking to eachother, cause I've had some years of french in school, years ago 18:18 < reiffert> Personally I really like to speak in german to them, so can try to learn the language of that country they stay in :) 18:18 < krzie> agreed 18:19 < krzie> thats why i learn spanish, if im going to live here i need to speak the native language 18:19 < reiffert> Most of them do understand me, just like the same for me in italian/portuguese/spanish 18:19 < krzie> i felt that way about people who move to usa, and i feel that way about myself now that i live in a spanish speaking country 18:20 < reiffert> It's a matter of practising .. 18:21 < krzie> yup 18:22 < krzie> since i stopped finding american girls and switched to local girls my spanish has GREATLY improved 18:22 < krzie> took me a good 8 months to have good enough spanish to get locals 18:22 < reiffert> :) 18:22 < krzie> before that i was finding damn near every american girl on the island, lol 18:22 < reiffert> :) 18:22 < krzie> now i dont care about them, i like the local girls more 18:23 < krzie> let the locals have them while i go for their girls 18:23 < krzie> ;] 18:23 < reiffert> :) 18:26 -!- dli_ [n=dli@adsl-75-22-21-245.dsl.chcgil.sbcglobal.net] has left ##openvpn ["Leaving"] 18:31 -!- Sinky_ [n=stancho@78.90.99.168] has quit [Connection timed out] 19:04 < ecrist> Boats and Hos 19:05 < krzie> hos on boats! 
19:10 -!- pgrace [n=pgrace@2001:470:8a93:2:20c:29ff:fee9:9689] has quit [Read error: 113 (No route to host)]
19:12 < ecrist> If I knew C, and had nothing better to do, I'd fork OpenVPN
19:12 < krzie> what would the fork accomplish?
19:12 < ecrist> decent support, code clean-up
19:14 < krzie> only thing i can think of is tunneling over ipv6 and support for a 3rd location for 2 parties to bypass NAT
19:15 < ecrist> the biggest feature I'd add is configuration push, similar to 'commercial' vpn packages like cisco
19:15 < ecrist> and the ability to push new certificates/keys to clients
19:15 < krzie> ahh ya that would be cool
19:16 < ecrist> oh, and support for proper load balancing without connection dropping
19:16 < krzie> currently scriptable, but could be built in
19:16 < ecrist> i.e. two vpn servers, one can seamlessly take over for the other as problems occur
19:16 < ecrist> without dropping the vpn
19:16 < krzie> i believe thats the job of a routing protocol outside ovpn
19:17 < ecrist> krzie: negative. if you switch servers, your key gets out of sync, even if the servers currently use the same server certificate
19:17 < krzie> ahh right
19:17 < ecrist> pfsync is the idea I'm thinking of, synchronization of state tables.
19:18 < ecrist> basic idea.
19:19 < krzie> gotchya
19:24 < icmp> I have a question. Does openvpn actually match the CN in a client certificate against their ip address? Or can the CN be any value?
19:24 < ecrist> CN can be any value
19:24 < ecrist> CN identifies unique users
19:24 < icmp> I remember cisco being a little picky about it, that's all.
19:24 < ecrist> and is used for client-specific configs.
19:26 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
19:32 < krzie> for client specific settings:
19:33 < krzie> !ccd
19:33 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
19:33 < krzie> if you're looking to make a client stay on the same vpn ip, see this
19:33 < krzie> !iporder
19:33 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
19:49 -!- icmp [n=icmp@unaffiliated/icmp] has quit ["Leaving"]
20:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
20:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:26 -!- belZe [i=server3@p5091CA0B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:26 -!- belZe [i=server3@p5091CA11.dip.t-dialin.net] has joined ##openvpn
20:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
21:10 * ecrist considers taking 'C' classes at comm college
21:10 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
21:11 < ecrist> sup sh
21:11 < ecrist> sup zheng even.
21:12 < zheng> hi, all
21:12 < zheng> how can I forbid clients to change their virtual ip address?
21:13 < ecrist> zheng: how are they changing it?
21:14 < zheng> I mean, when I assign 10.8.0.2 to a client, then the tunnel setup and works, but I dont hope the client change his IP to 10.8.0.3,
21:14 < ecrist> shoot them
21:14 < ecrist> they won't change it again
21:14 < zheng> how?
21:15 < zheng> I mean assign fixed IP to clients.
21:15 < ecrist> no, actually shoot them.
21:15 < ecrist> it's how we do it in Taliban.
21:16 < zheng> where?
21:16 < zheng> where r u from?
21:16 < ecrist> zheng: they shouldn't be changing it. it's going to break their VPN. if it breaks, it won't work.
21:16 < ecrist> they'll figure it out and not do it again
21:26 < zheng> ecrist, I test it, when I change the IP, the vpn tunnel go on working
21:26 < zheng> sometime it works , sometime it don't.
21:27 < zheng> a minute, I re-test it now
21:27 < ecrist> zheng: why do you care?
21:28 < zheng> I want to group all clients into multi-group,
21:28 < ecrist> have you read the howto?
21:28 < ecrist> !howto
21:28 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:28 < ecrist> this is covered
21:29 < ecrist> coupled with an --up-script, you can easily punch the correct holes in the firewall
21:32 < zheng> Its unrelated to firewall
21:33 < ecrist> zheng: do you know what you're doing?
21:34 < zheng> ecrist, when I use username/password auth mode, I find the ccd/clients-config-dir clients specific file is not in use
21:34 < zheng> and the ccd files were be overrided.
21:34 < zheng> :(
21:34 < zheng> Im reading the whole HOWTOs
21:35 < ecrist> zheng: ccd is coupled with ssl certs. no ssl, no ccd
21:41 < zheng> what? say it
21:46 < ecrist> what? you say it
21:47 < zheng> ah? really? why?
21:48 < zheng> certs and user/pass are different auth mode.
21:48 < zheng> what's their others difference?
21:51 < zheng> I just test it again, the clients can change their virtual ip and the tunnel will go on.
21:52 < ecrist> zheng: ccds are assigned based on CN of ssl certificate
21:55 < zheng> I know it. but I config the username-as-common-name. When I use ccd + user/pass, It can recognize the ccd/clients files, why It can treat the clients files as the clients when using SSL certs?
21:55 < zheng> I know it. but I config the username-as-common-name. When I use ccd + user/pass, It can recognize the ccd/clients files, why It can NOT treat the clients files as the clients when using SSL certs?
21:56 < ecrist> it does, when using ssl, not with user/pass
21:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:32 -!- RexMundi [n=RexMundi@off.spillgroup.com] has joined ##openvpn
22:32 -!- RexMundi_ [n=RexMundi@off.spillgroup.com] has quit [Read error: 104 (Connection reset by peer)]
22:49 -!- huslu_ is now known as huslu
23:23 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
23:39 -!- zheng_ [n=zheng@222.66.224.110] has joined ##openvpn
23:41 -!- zheng [n=zheng@222.66.224.110] has quit [Success]
--- Day changed Fri Apr 03 2009
00:04 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has joined ##openvpn
00:05 < ploo> whats the best GUI for linux?
00:05 < damentz> ploo, i don't know your tastes
00:05 < damentz> start off with gnome, kde, and xfce first
00:06 < ploo> gopenvpn ?
00:06 < ploo> vpn gui :p
00:06 < damentz> oh lol
00:06 < damentz> idk, never used one
00:07 < damentz> setting it up in text was really easy
00:07 < damentz> ploo, once you get it working correctly the first time
00:07 < damentz> the configuration begins to make sense
00:07 < ploo> thats not the problem just easy launch from X
00:07 < ploo> :p
00:34 < zheng_> ecrist, r u there?
00:35 < zheng_> ecrist, when a packet from a client to a client, how to internal routing?
00:35 < zheng_> by TAP mac address?
00:56 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
01:59 -!- Sinky [n=stancho@78.90.99.168] has joined ##openvpn
02:08 < dan__t> hrm...
02:10 < dan__t> When using --client-config-dir, do I need to specify any kind of extension to said file(s)?
02:10 < dan__t> What kind of information CAN I put in a ccd file? Anything, really - it just take precedence over the server?
02:12 < dan__t> hm, "same name as the client's X509 common name..."
02:12 < dan__t> I'm making up random common names. Big fat md5 strings.
02:14 -!- ]sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn
02:14 < ]sintax[> !howto
02:14 < vpnHelper> ]sintax[: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:14 < dan__t> the "x509 common name", is that what the client ends up sending TO openvpn?
02:14 < ]sintax[> !route
02:14 < vpnHelper> ]sintax[: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:15 < dan__t> in regards to --client-config-dir
02:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:55 < ]sintax[> how come i'm missing init-config on a fresh install?
02:59 < zheng_> when packet from a client to b client, the packet will be decrypted in server then re-crypt it?
03:07 < kraut> moin
03:08 < dan__t> moin
03:08 * dan__t stabs.
03:09 < dan__t> So, using ccd is nice and all. But according to the man page: "of a just-authenticated client...". What if I want to specify TLS credentials, which are required by the user to authenticate, inside the cc file?
03:10 < dan__t> chicken before egg etc etc.
03:10 < dan__t> heh
03:11 < dan__t> "just authenticated client" implies that they were already tls verified
03:51 < Flumdahl> I am trying to set up bridge utils but everytime i type "brctl addbr br0" i get the error message "add bridge failed: Package not installed" yet checking with apt-get tells me that bridge-utils is installed and is the latest version. i am running debian 4.0 etch with a custom kernel
03:52 < Flumdahl> its kernel problem
04:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
04:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:42 -!- kippix [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has joined ##openvpn
04:43 < kippix> J osa
04:56 -!- BiNaRyCoDE [n=BiNaRyCo@host-72-174-87-108.gdj-co.client.bresnan.net] has joined ##openvpn
04:58 < BiNaRyCoDE> Hi! When I first installed openVpn, it installed everything i needed even the config files!!! I didn't have to configure anything! I could connect immediately but now it doesn't automatically configure my config files. Does anyone know how to automatically get openvpn to generate config files?
05:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:09 < BiNaRyCoDE> ?
05:14 -!- BiNaRyCoDE [n=BiNaRyCo@host-72-174-87-108.gdj-co.client.bresnan.net] has quit []
05:15 -!- zheng_ [n=zheng@222.66.224.110] has quit [Remote closed the connection]
05:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:18 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
05:51 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
05:55 -!- gebi_ is now known as gebi
06:04 -!- irc [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:04 -!- irc is now known as Guest53023
06:05 -!- Guest53023 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
06:05 -!- ir1 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:05 -!- ir1 [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Client Quit]
06:06 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
06:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
07:12 -!- nRocha [n=nRocha@unaffiliated/nrocha] has joined ##openvpn
07:18 < nRocha> hello... Is possible during the openvpn connection a balance traffic? Or is possible only at startup?
07:19 < nRocha> hello... Is possible during the openvpn connection a traffic balancing? Or is possible only at startup?
07:22 < nRocha> someone?
07:28 < nRocha> Anyone idea?
07:37 < ecrist> nRocha: what do you mean?
07:39 < nRocha> I need the balancing the openvpn's traffic between 2 links.
07:40 < ecrist> OpenVPN itself doesn't do that. You'd have to use another protocol, over OpenVPN, to do that.
07:43 < nRocha> Some example the how do?
07:43 < ecrist> not an openvpn question. it's basic networking
07:43 < ecrist> CARP or DNS round-robin would handle it.
07:44 < nRocha> ok, thank you.
07:56 < mjt> or linux advanced routing thing. but those are complicated for a beginner.
07:59 * ecrist wonders what the point of that comment was
08:04 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
08:05 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
08:09 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
08:17 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
08:18 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
08:20 < ecrist> LOL: http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246&forum=40
08:20 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org)
08:20 < ecrist> someone found my Durrrr post.
08:40 < tsunami> if you install openvpn from an admin account there isn't any problems with running it through the gui that I have seen in my testing
08:40 < tsunami> is this correct?
08:41 < ecrist> sure
08:41 < tsunami> the only reason i ask is there is documentation as to how to run the software as a user
08:41 < tsunami> but it seems I don't need to go that far
09:46 -!- tsunami [n=tsunami@64.119.141.126] has quit []
10:04 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
10:10 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
10:11 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
10:26 -!- Irssi: ##openvpn: Total of 64 nicks [0 ops, 0 halfops, 0 voices, 64 normal]
10:44 -!- kami- [n=user@unaffiliated/kami-] has joined ##openvpn
10:44 < kami-> hello
10:45 < kami-> I have a problem: TLS Error: TLS key negotiation failed to occur within 60 seconds
10:46 < kami-> it occurs when the client is in _some_ network which is not under my control
10:46 < kami-> this time, it's an ADSL connection
10:47 < kami-> the connection attempt is logged on the client *and* on the server, but the key negotiation fails, though
10:48 < kami-> both sides say: Initial packet from ...
10:49 < kami-> I have no firewall in place at the client
10:51 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit]
10:57 -!- kami- [n=user@unaffiliated/kami-] has quit [Remote closed the connection]
11:14 < dan__t> hi
11:14 < dan__t> hi
11:21 < ecrist> howdy
11:21 < ecrist> howdy
11:23 < tsunami> hello
11:23 < tsunami> hello
11:23 < tsunami> I don't know why I say goodbye, I say hello!
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:33 < dan__t> heh
11:34 < dan__t> Today I'm doing some testing, since some things in the manpage aren't entirely clear.
11:34 < dan__t> I'll report back and let you know.
11:34 < dan__t> from earlier: So, using ccd is nice and all. But according to the man page: "of a just-authenticated client...". What if I want to specify TLS credentials, which are required by the user to authenticate, inside the cc file?
11:34 < dan__t> "just authenticated client" implies that they were already tls verified
11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:37 < ecrist> I don't understand your question
11:38 < mjt> openvpn (in tls-server mode) supports only one type of credentials: namely, any credentials signed by the given CA.
11:38 < dan__t> What part of it needs explanation?
11:38 < ecrist> mjt: you're incorrect
11:38 < dan__t> So it can be any key so long as its signed by the CA?
11:39 < ecrist> dan__t: yes
11:39 < mjt> translation: any key signed.
11:39 < mjt> heh
11:39 < ecrist> so, you can send the same client certificate out for all your clients
11:39 < ecrist> make sure you've got 'duplicate-cn' in your config, though
11:39 < dan__t> Sorry, OpenVPN not being a strong point, nor TLS for that matter... thinking about this.
11:39 < mjt> ecrist: (granted, also username/pw thing, but that's not tls, right?)
11:39 < dan__t> Yep, familiar with that one.
11:40 < ecrist> mjt, TLS is the encryption, and has a basic authentication (signed by X ca or not).
11:40 < mjt> yup
11:41 < dan__t> Ok, I got ya now.
11:41 < ecrist> please don't spew information as fact, when you don't know.
11:41 < ecrist> you seem to do that a lot...
11:41 < dan__t> fact
11:41 < mjt> ghrm. In this case, please tell me what exactly did I say wrong?
11:41 < dan__t> No, just kidding.
11:42 < ecrist> 11:38 < mjt> openvpn (in tls-server mode) supports only one type of credentials
11:42 < mjt> what's wrong with that?
11:42 < ecrist> it's wrong
11:42 < ]sintax[> how come i'm missing init-config on a fresh install?
11:43 < mjt> oh well.
11:43 < ecrist> ]sintax[: is that a shell script?
11:43 < mjt> ecrist: you called me a troll a while back. But now YOU are behaving like troll.
11:43 < ]sintax[> http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd
11:43 < ]sintax[> its listed on there
11:43 < vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de)
11:43 -!- mode/##openvpn [+o ecrist] by ChanServ
11:43 -!- mode/##openvpn [+b *!*n=mjt@*.corpit.ru] by ecrist
11:43 -!- mjt was kicked from ##openvpn by ecrist [ecrist]
11:43 -!- mode/##openvpn [-o ecrist] by ecrist
11:45 < ecrist> ]sintax[: are you sure you're in the correct directory?
11:45 < ]sintax[> i tried searching my entire disk for that file, it doesn't exist
11:45 < dan__t> What a tool.
11:46 < ecrist> it might be an openbsd-specific thing
11:46 < ecrist> skipping that line, you should be fine
11:46 < ecrist> . ./vars is what really initializes the environment.
11:47 < ]sintax[> i tried skipping that and when i type ./vars or source vars, i get a huge spam of command not found errors from openssl.cnf, did i miss something? i tried following the tutorial on openvpns site
11:48 < ecrist> can you pastebin the entire error somewhere?
11:48 < ]sintax[> sure, 1 sec
11:48 < ]sintax[> http://pastebin.ca/1381033
11:49 < ecrist> ah, you need to use bash for those scripts
11:49 < ecrist> then . ./vars will initialize correctly
11:50 < ]sintax[> what do you mean use bash?
11:50 < ecrist> bash is a shell
11:50 < ]sintax[> i know what bash is but i'm using it
11:50 < ]sintax[> thought you might have meant something else
11:50 < ]sintax[> that's just how my PS1 is setup
11:51 < ]sintax[> http://pastebin.ca/1381036
11:52 < ecrist> odd, those errors are usually from people not using bash as the shell.
11:52 < ecrist> I don't know, I guess.
11:52 < ]sintax[> same errors with ksh
11:52 < ]sintax[> is there a cert im supposed to generate is that what its looking for ?
11:54 < ]sintax[> looks like ive got more reading to do lol
11:54 < ecrist> yeah, OpenVPN uses SSL certificates for encryption and base authentication
11:54 < ]sintax[> i wasnt sure whether or not to use IPSec or OpenVPN for a VPN server ;-p
11:54 < ecrist> OpenVPN is generally easier for vpns with lots of clients.
11:55 < ecrist> IPSec is a pain, unless you've got a static lan-lan setup
11:55 < ]sintax[> yeah it seemed like a pain with the giant config files structure
11:55 < ]sintax[> this OpenVPN - Building And Integrating Virtual Private Networks (2006) should still work fine right?
11:57 < ecrist> should, although you're on OpenBSD, try reading this:
11:57 < ecrist> !freebsd
11:57 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
11:58 -!- filePeter [n=filePete@95.88.146.254] has joined ##openvpn
11:59 < ]sintax[> maybe if I figure it out i should write a tutorial since there seems to be a lack of them
12:00 < filePeter> Hi, I using CF-CBC as encryption. But on my linksys Openwrt this is not very good for my performance. Can i reduce the bitrate for that? How "insecure" is that? Thanks.
12:02 < ecrist> filePeter: you can change the encryption, but security goes down with lower-bit keys.
12:03 < ecrist> anything >128 should be good enough, as things are rekeyed every 60 minutes by default.
12:06 < filePeter> ecrist: Rekeyed? Cool! How to set it?
12:07 < ecrist> filePeter: it's automatic
12:07 < ecrist> setting key length and such is done in the ssl certificates.
13:05 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
13:12 -!- filePeter [n=filePete@95.88.146.254] has quit ["leaving"]
13:36 -!- kippix [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has quit [Remote closed the connection]
13:48 < Flumdahl> !config
13:48 < vpnHelper> Flumdahl: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
13:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:57 -!- ]sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
13:57 -!- sintax [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn
13:58 -!- sintax is now known as ]SintaX[
14:03 -!- nRocha [n=nRocha@unaffiliated/nrocha] has quit [Read error: 145 (Connection timed out)]
14:04 < ecrist> Flumdahl: !configs
14:04 < Flumdahl> !configs
14:04 < vpnHelper> Flumdahl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:25 -!- mweichert [n=mweicher@216.13.154.21] has joined ##openvpn
14:25 < mweichert> hello!
14:25 < mweichert> I'm just new to OpenVPN - but wow, it's an amazing piece of software
14:25 < mweichert> seems easy to get started with
14:26 < ]SintaX[> i'm new as well, mind if i ask what OS you're using it on ?
14:26 < mweichert> Win and Linux
14:26 < ]SintaX[> ah ok
14:26 < mweichert> Win64 and BusyBox
14:27 < mweichert> I'm reading the OpenVPN book by PacktPub
14:27 * ]SintaX[ wishes it covered openbsd better
14:27 < mweichert> finished the chapter "The First Tunnel" ... I got a working tunnel using tap.
14:28 < mweichert> SintaX, having troubles installing tap/tun ?
14:28 < ]SintaX[> no i'm just having trouble getting it to configure initially on openbsd :-\
14:28 < mweichert> are there no binaries available in ports?
14:29 < ]SintaX[> i've installed it from ports, i'm just getting weird errors when i run vars
14:29 < ]SintaX[> but i figure im missing something somewhere else
14:29 < mweichert> can someone help me understand how to get openvpn to play nice with firewalls? From what I get out of it, I can have it tunnel through port 443?
14:32 < mweichert> also too, can someone confirm for me that what I've done is peer-to-peer networking?
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:33 < mweichert> ]SintaX[, what do you mean by 'run vars'? Sorry - maybe I'm not well enough into openvpn, but I'd like to help if I could
14:33 < ]SintaX[> you know the 'vars' file you're supposed to run in the easy-rsa dir?
14:34 < mweichert> ]SintaX[, ah, I'm not there yet. I'm just using Static Key tunnels right now
14:34 < ]SintaX[> hmm i thought this step was required to get it to even work haha
14:35 < ]SintaX[> i've taken too long a break from BSD and networking in general so im really rusty with both
14:35 < mweichert> no - there are two approaches to getting openvpn working, AFAIK: static key and PKI (public key infrastructure)
14:35 < mweichert> easy-rsa is related to PKI
14:36 < ]SintaX[> ah i didn't know that. the tutorials for the OS i've found suck or im just too stupid to follow them with my setup heh
14:39 < Flumdahl> what is it need to write in the server/client conf so openvpn automatically makes the routes so all traffic from clients goes over the vpn tunnel ?
14:40 < mweichert> ]SintaX[, what client os are you using to connect to openbsd?
14:40 < ]SintaX[> i'm trying to vpn two openbsd machines
14:41 < ecrist> ]SintaX[: try my perl script
14:41 < ecrist> !ssl-admin
14:41 < ]SintaX[> i wonder if i could follow the same approach you used with static key
14:41 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
14:41 < ecrist> easy-rsa sucks balls
14:41 < ]SintaX[> thats nice to know, that did seem a bit of a pita
14:41 < mweichert> ]SintaX[, I think you can do this in four steps
14:42 < mweichert> 1) Generate a private key on one of the servers.
14:42 < mweichert> 2) Copy the private key, rrrr... static key to your other server
14:43 < mweichert> 3) Configure your conf file with:
14:43 < mweichert> dev tap
14:43 < mweichert> secret key.txt
14:43 < mweichert> ping 10
14:43 < mweichert> comp-lzo
14:44 < mweichert> ifconfig 10.3.0.5 255.255.255.0 # the ip you want to listen on
14:44 < mweichert> remote 10.30.0.1 # the ip you want to connect to
14:44 < ]SintaX[> i dont need two interfaces on each machine do i? some tutorials have said that but i dont think my network setup is the same
14:44 < ecrist> ]SintaX[: no, you don't.
14:44 < ]SintaX[> i'm just experimenting with two VM's inside of vmware right now with one interface each
14:45 < mweichert> you need one physical interface
14:45 < mweichert> on each machine
14:45 < mweichert> and one virtual interface (tap or tun)
14:45 < ]SintaX[> ok
14:45 < ecrist> and, unless you're using ethernet protocols, such as IPX, you should probably use tun rather than tap
14:45 < ]SintaX[> let me boot these machines up and try
14:45 < mweichert> that's fine
14:45 < mweichert> same here
14:45 < ]SintaX[> im going to try them on the same subnet 192.168.1.X
14:47 < mweichert> ]SintaX[, I believe your tunnel needs to be established on a different subnet (I very-much could be wrong about that)
14:48 < mweichert> is there anything wrong with setting up several (like 50) static key VPNs?
14:50 < ]SintaX[> ecrist i can vpn two machines on the same subnet right? wouldnt that encrypt all traffic between the two
14:52 < mweichert> yes, I know you can encrypt two machines on the same subnet... but I don't know if your tunnel should be routed on the same subnet
14:52 < ]SintaX[> ah
14:52 < mweichert> for example...
14:52 < mweichert> you can tunnel between 192.168.0.1 and 192.168.0.2
14:53 < ]SintaX[> thats on the same subnet isnt it?
14:53 < mweichert> but your tunnel should be created on 10.3.0.1 and 10.3.0.2 14:53 < ]SintaX[> cant believe how rusty i am with networking :-( 14:53 < mweichert> yes, that's on the same subnet - the hosts with you want to encrypt traffic between 14:53 < mweichert> but the tunnel is established on a different subnet 14:53 < krzie> i take it you are trying to secure wireless or something? 14:54 < krzie> so you will be default routing over the encryption 14:54 < krzie> right? 14:54 < ]SintaX[> eventually i'm going to work on that, i'm just trying to learn how to setup a vpn on the two machines 14:54 < krzie> !local 14:54 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 14:54 < krzie> other than that, its the same as always 14:54 < krzie> !sample 14:54 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:55 < ecrist> ]SintaX[: yes, you can 14:56 < ecrist> but mweichert is on the right track. you need non-conflicting ip spaces. 14:56 < ]SintaX[> so i use the perl script ecrist made to make the crt/pem/key files? 14:56 < ecrist> yes. it requires a bit of initial config, I recomend taking the one out of SVN rather than any static versions you find out there. 14:57 < ]SintaX[> ok 14:57 < ecrist> if you were using freebsd, it's in the ports tree 14:57 < ecrist> haven't tested/submitted to net/open bsd 15:00 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn 15:00 -!- mtoledo [n=user@c906c009.virtua.com.br] has quit [Remote closed the connection] 15:04 < mweichert> ecrist, can you help me understand the advantages of using PKI over static key? 15:06 < ecrist> mweichert: you can only have one client, iirc, with static key 15:06 < ecrist> static key is ok for simple 1-1 connections 15:06 < ecrist> PKI comes in when you need multiple clients on the same system. 
15:10 < mweichert> ecrist, but why not just define multiple static key connections? 15:11 < mweichert> I guess that would require a lot of manual configuration and many ports? 15:20 < krzie> lol ya, and it would take more resources and generally be an administration PITA 15:20 < krzie> kinda like how you dont need DNS 15:20 < krzie> you could just edit your hosts file for everything you ever wanna connect to 15:20 < krzie> but common, which sounds easier 15:21 < mweichert> ok, fair enough. :) 15:21 < mweichert> krzie - can I squeeze in one more question... after I create a static key tunnel between two clients, do I configure any routing to over over the tunnel, or will that just happen automagically? :) 15:23 < mweichert> btw - are static key tunnels simliar to how ipsec tunnels work? 15:29 < krzie> it wont default route over that unless you tell it to 15:29 < krzie> do you plan on more than 2 connections? 15:29 < krzie> more than 2 endpoints 15:30 < krzie> because server mode is far easier thanpoint to point for that, better to do it right than try to manage multiple point to point modes solely so you dont need to learn how to manage the certs 15:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 15:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:10 < mweichert> I agree krzie. Thanks. 16:12 < krzie> np 16:23 -!- mweichert [n=mweicher@216.13.154.21] has quit ["Leaving"] 16:24 -!- tsunami [n=tsunami@64.119.141.126] has quit [] 16:28 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 16:52 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 16:56 -!- sjzzalx [n=jeff@70.102.50.18] has joined ##openvpn 16:57 < sjzzalx> What is a DNS suffix and why do I need one to resolve internal hostnames from a logged-in client? I'm already pushing the DNS server's address. 
16:57 < sjzzalx> !howto
16:57 < vpnHelper> sjzzalx: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
17:05 < krzie> !pushdns
17:05 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
17:11 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit []
17:12 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn
17:13 < sjzzalx> krzie: Thanks. Should my DNS IP be the VPN gateway or the real subnet's DNS server? It doesn't seem to work with either for me.
17:14 < krzie> the dns server you wanna use is inside the lan behind the vpn machine?
17:14 < sjzzalx> krzie: It's on the same machine as the VPN, this is all on a pfsense box
17:15 -!- RexMundi [n=RexMundi@off.spillgroup.com] has quit ["Ik ga weg"]
17:15 < krzie> test by requesting dns specifying dns server
17:15 < krzie> also check that the firewall isnt blocking cause now you're showing up as coming from vpn ip
17:16 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [Client Quit]
17:16 < krzie> racism is so 80's
17:16 < krzie> oops wrong chan
17:17 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn
17:18 < krzie> ie: host ircpimps.org ns.doeshosting.com
17:18 < krzie> will use ns.doeshosting.com to check dns for ircpimps.org
17:18 < krzie> test if dns works manually like that
17:19 < sjzzalx> krzie: it does work manually like that
17:19 < sjzzalx> through either the VPN gateway or the internal DNS server
17:19 < sjzzalx> but it doesn't work if I try to ping, etc.
17:20 < sjzzalx> with both ips added to resolv.conf
17:20 < krzie> show me resolv.conf
17:21 < sjzzalx> http://pastebin.com/m164e8858
17:23 < krzie> ok so which ips worked in manual test
17:23 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit []
17:23 < sjzzalx> the last two, 10.x
17:23 < krzie> remove the first one, and keep the one that uses vpn ip
17:23 < krzie> remove the other
17:23 < krzie> so only 1 entry
17:24 < sjzzalx> krzie, that works, thanks. But, I would like to be able to resolve the other hostnames on my home network, too
17:24 < sjzzalx> via 192.168.1.1
17:25 < krzie> try putting the home one under the vpn one
17:25 < krzie> see if that works
17:25 < krzie> (we seem to have ventured outside of vpn troubleshooting, but i dont mind helping since i might be able to help and you've clearly read docs and know what you're doing)
17:26 < krzie> OR, you could make one of them slave for the other over the vpn
17:26 < krzie> even slave for each other
17:27 < krzie> that way you can resolve both networks from each dns server
17:28 < sjzzalx> krzie: Interesting, I'm not aware of DNS slaves. I'll have to look into it. This seems to work now, though, so thanks very much. I can't test my home network resolver since I think only localhost is up right now there. :)
17:28 < krzie> =] np
17:28 < krzie> you use bind i assume?
17:29 < krzie> allow-transfer { ip_address; };
17:30 < sjzzalx> I'm just using resolv.conf right now, I don't really want to deal with bind, so I'll just change the order in resolv.conf. Thank you very much though, for the help and your willingness to provide it.
17:30 < krzie> then for example:
17:30 < krzie> zone "thekeelecentre.com" { type slave; masters { 217.206.238.155;}; file "slave/thekeelecentre.com.db"; notify no; };
17:30 < krzie> umm, you said you are running nameservers in each lan
17:30 < krzie> this is done by nameserver software
17:31 < krzie> since you mention resolv.conf, i see you use a unix-like os
17:31 < krzie> and bind is the most common
17:32 < krzie> but ya, you're welcome =]
17:32 < sjzzalx> Indeed, that's all on pfSense's side right now and it's handled by it; I'm fairly sure they use bind, but I don't want to set up anything locally to override, or to mess with pfSense's things elsewise when I can just reorder resolv.conf and have it all nice and functional. I appreciate the reference though and will remember it when/if I need to do something else to make the fix less hackish. :)
17:39 < krzie> np
17:39 < krzie> btw im sure pfsense supports slaves in the dns stuff
17:39 < krzie> but i dont mess with guis
17:39 < krzie> i just edit the files
17:50 < dan__t> Hi.
17:50 < dan__t> So, have a question re: tls
17:53 < krzie> go for it...
17:54 < krzie> tls as used in openvpn:
17:54 < krzie> !hmac
17:54 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:54 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:16 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
18:20 < krzie> dan__t, didnt you have a question?
18:22 < dan__t> I was working on it.
18:22 < dan__t> Sorry, distracted with work :/
18:24 < krzie> ya i know how that is
18:24 < dan__t> Ok, so.
18:32 < dan__t> heh
18:32 < dan__t> lame.
18:32 < dan__t> So with tls, any client key that is signed by my CA can connect.
18:33 < dan__t> What enables me to stop them from connecting, even if a key is signed by my CA?
18:33 < dan__t> I can publish a CRL, but how can/do I enforce that the client *must* reference that
18:33 < krzie> tls only has to do with HMAC sigs
18:33 < dan__t> Or does OpenVPN reference the CRL?
18:33 < krzie> clients dont reference crl
18:33 < krzie> server does
18:33 < krzie> CRL is a list of clients that can no longer connect
18:34 < dan__t> I understand that.
18:34 < dan__t> How do I get OpenVPN to use that though?
18:35 < krzie> !man
18:35 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:35 < krzie> 1sec
18:37 < dan__t> Sure. Thanks.
18:45 < krzie> --crl-verify crl
18:45 < krzie> Check peer certificate against the file crl in PEM format.
18:45 < krzie> A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact.
18:45 < krzie> Suppose you had a PKI consisting of a CA, root certificate, and a number of client certificates. Suppose a laptop computer containing a client key and certificate was stolen. By adding the stolen certificate to the CRL file, you could reject any connection which attempts to use it, while preserving the overall integrity of the PKI.
18:45 < krzie> The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised.
18:46 < krzie> !crl
18:46 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
18:46 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you
18:51 < krzie> but you said you had a tls question
18:51 < krzie> CRL has nothing to do with tls
18:52 < krzie> tls inside openvpn is just for building a static key that packets get signed with, if the packets arent signed with it then the server ignores
18:52 < krzie> and doesnt even process
18:54 < krzie> those signatures are known in openvpn as HMAC signatures
18:55 < krzie> everything you need to know about tls in openvpn is in !hmac and everything you need to know about CRL in openvpn is in !crl
18:55 < krzie> =]
18:55 < krzie> i think instead of tls you meant ssl
18:56 < krzie> but also, if you use tls, a client with a ssl cert signed by your CA cant connect unless he also has the tls static key
20:10 < dan__t> Not my day man, I'm trying to participate, I appreciate the time.
20:10 < krzie> all good =]
20:14 < krzie> im at work anyways, not going anywhere for now
20:18 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
20:25 -!- belZe [i=server3@p5091CA11.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:25 -!- belZe [i=noone@p5091CE96.dip.t-dialin.net] has joined ##openvpn
20:39 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
21:30 < onats> morning people
21:31 < krzie> mornin
21:32 < krzie> although its night here
21:32 < krzie> hehe
21:32 < onats> whats new?
21:37 < krzie> not much really
21:37 < krzie> rebuilt the NFS again yesterday
21:37 < krzie> since 3 drives proved to be bad
21:38 < krzie> so now the other 3 are in there for ZFS, and i tossed in an old 80gb IDE for the OS
21:38 < onats> what os is that running on?
21:38 < onats> solaris?
21:38 < krzie> freebsd 8-current
21:38 < krzie> although its not all that current, february snapshot
21:39 < krzie> ill catch it up soon tho
21:39 < krzie> then when the 3 drives i RMA'ed come back ill toss in the 4th and add it to the zfs pool
21:39 < onats> nice
21:39 < krzie> zfs is nice about that
21:39 < onats> what do you put in it anyway?
21:40 < krzie> my NFS
21:40 < krzie> movies and apps and stuff
21:40 < onats> lol
21:40 < krzie> really anything i dont need on the laptop 24/7
21:40 < onats> i thought something mission critical
21:40 < krzie> hahah nope
21:40 < krzie> nothing mission critical would possible go on an experimental FS on a dev OS
21:40 < krzie> possibly
21:41 < krzie> also just tossed a 500gb seagate in the macbook pro
21:41 < krzie> so thats pretty cool
21:42 < krzie> next mission, build the quad core intel box i have waiting in parts and setup osX86 on it
21:42 < krzie> that'll be dopeness
21:48 < krzie> how bout you?
21:49 < krzie> anything cool or new?
21:51 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn
21:52 < onats> figuring out how to move installation of opkg packages to another partition...
21:52 < onats> i have this 1 GB CF card with openwrt on it, on the 64MB. I just opened up the rest of the partition and want the packages to go in there so it won't use up the primary partition
21:53 < onats> i'm playing with this alix board i got two weeks ago
21:53 < onats> pretty sweet piece of HW
21:53 < onats> hehe
21:53 < krzie> ahh right on
21:54 < krzie> i remember looking at it
21:55 < onats> what's your primary machine?
21:55 < onats> laptop?
21:55 < krzie> currently
21:55 < krzie> til i get that osx86 box up
21:55 < krzie> well then i need to wait til i get my bigscreen over here
21:55 < krzie> but the goal is to make that my primary machine and let the lappy rest
21:55 < krzie> poor thing is overworked
21:56 < onats> hehe
21:56 < onats> im running a quad core here too
21:56 < onats> for my primary
21:58 < krzie> sweet
21:58 < krzie> i overpowered the shit outta my new NFS
21:58 < onats> what proc are you planning to get?
21:58 < krzie> dual core amd64 with 8gb ram
21:58 < krzie> for the intel i got a q9400
21:58 < onats> i thought you said quad core?
21:58 < onats> ahh
21:58 < krzie> the quad core is for osx86
21:58 < krzie> the dual core amd64 is for the nfs
21:58 < onats> wow, thats a lot of powerful HW!
21:59 < timttwtdi> I'm missing a piece in my openvpn configuration and I'm wondering if someone can tell me what step I may have missed.
21:59 < krzie> the nfs will have 4x 1.5TB drives
21:59 < krzie> i say will cause i had to RMA 3 of them
21:59 < onats> isn't a dual core amd64 a bit overpowered for a storage server?
21:59 < krzie> timttwtdi, sure
21:59 < krzie> !configs
21:59 < timttwtdi> openvpn set up on client and server with keys. client and server can connect and ping one another.
21:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:59 < krzie> oh ok
21:59 < krzie> then whats your goal?
21:59 < timttwtdi> verified by tcpdump -i tun0 on vpn server
21:59 < krzie> onats yes, it is
21:59 < krzie> lol
22:00 < krzie> but i wanted amd64 for ZFS
22:00 < onats> and for your osx86, are you gonna do video editing?
22:00 < krzie> ZFS likes amd64
22:00 < timttwtdi> cannot ping any hosts on vpn server network.
22:00 < krzie> nope, but i may crack encryptions and stuff like that when im bored enough
22:00 < krzie> timttwtdi, i made a writeup just for that
22:00 < krzie> timttwtdi, you use tun right?
22:00 < timttwtdi> wow. strange. just started working.
22:01 < krzie> !route
22:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:01 < timttwtdi> I've got tcpdump running across the room and all of a sudden show ICMP echo requests.
22:01 < krzie> they should get the requests no matter what
22:01 < krzie> but unless routes are right, no responses
22:02 < krzie> read my writeup
22:02 < timttwtdi> after initial setup I tried contacting hosts on the subnet, couldn't, and then read through the FAQ
22:03 < krzie> read my writeup
22:03 < krzie> its everything you need to know about connecting lans behind openvpn
22:04 < krzie> onats, and since i was going amd64, it wasnt much more $ to go dual core
22:04 < krzie> and ram isnt that expensive, may as well shove 8gb its way
22:04 < onats> hehe yes
22:04 < krzie> the main $ was spent on the harddrives
22:04 < onats> i have 8 gigs here too. never been able to fully max it out yet
22:04 < krzie> i bought 6 1.5TB seagates
22:04 < onats> how much is a 1.5TB in USD there?
22:04 < krzie> i picked them up for $120 each
22:05 < krzie> but i was in san jose california
22:05 < krzie> on vacation
22:05 < onats> roughly the same here
22:05 < krzie> brought a whole suitcase of parts back
22:05 < krzie> (i no longer live in usa, was on vaca)
22:05 < onats> isn't the caribbean close to the east coast? jamaica?
22:06 < krzie> ya its not far from florida
22:06 < krzie> and jamaica is in the caribbean
22:14 < onats> are you high all the time there?
22:14 < onats> heheh
22:14 < krzie> nah but i was when i lived in california
22:15 < krzie> the weed out here SUCKS compared to cali
22:16 < krzie> http://www.ircpimps.org/pics/krzee_vaca/SDC10038.JPG
22:16 < krzie> theres what i was smoking about a month ago when i visited california
22:17 < timttwtdi> krzie, it's a good read.
22:18 < krzie> thanx, learn anything useful?
22:19 < timttwtdi> I identified the problem. whenever I stopped ipmasq on the openvpn machine it would essentially echo "0" > /proc/sys/net/ipv4/ip_forward
22:19 < timttwtdi> er. one of the problems.
22:19 < krzie> ahh, sucks
22:19 < timttwtdi> I am not joining networks of clients connecting to the openvpn server, so iroute is not for me.
22:20 < krzie> right, just a simple push route
22:20 < krzie> is openvpn server on the router for its LAN?
22:20 < timttwtdi> I believe now that I figured out why packets were not going when I thought they should be going i just need to determine the proper way to add static routes for machines on the vpn server network.
22:20 < timttwtdi> yes.
22:21 < timttwtdi> oh- I had the push route working. that
22:21 < krzie> so openvpn is running on the default gateway for its LAN...?
22:21 < timttwtdi> 's why tcpdump -i tun0 on the server displayed incoming packets.
22:21 < krzie> (server)
22:21 < timttwtdi> yes.
22:21 < krzie> then you should be done, no static routes needed
22:21 < timttwtdi> and I am using a region of that subnet address space for vpn address ;-P
22:21 < krzie> bad!
22:22 < krzie> vpn network should be totally different
22:22 < krzie> you arent bridging
22:22 < krzie> give it like 10.8.0.x or something
22:22 < timttwtdi> not right now. I may try bridging sometime.
22:22 < krzie> bridging < tunneling
22:22 < krzie> only used when really needed
22:23 < krzie> for tunneling layer2 protocols that are NOT samba
22:23 < krzie> i say not samba cause in that case you should use wins
22:24 < timttwtdi> yes sir/ma'am! will change vpn addresses pronto!
22:24 < krzie> so ya... you're doing it right
22:24 < krzie> also, no clients can have same LAN addresses as the server
22:25 < krzie> and if you start adding lans behind clients, that goes for their lan's addresses too
22:25 < krzie> (im a guy =] )
22:26 < timttwtdi> I would never want to offend a female comrade (better safe than a greater ratio)
22:27 < krzie> heheh right on
22:27 < timttwtdi> thanks for the info. I'll pass it on to the next neophyte.
22:28 < krzie> howd it work for ya?
22:29 < timttwtdi> I'm checking to see if a route can give me a round-trip message before I reconfigure the network addresses.
22:30 < krzie> it can without changing a thing after you reconfigure it
22:30 < krzie> also if you like you can post your configs and i can tell you if anything can be improved
22:30 < krzie> (im bored for the next few minutes, then i leave)
22:31 < timttwtdi> it'll probably be more than a few minutes.
22:31 < timttwtdi> I want to get things working 'the wrong way' as an exercise
22:32 < krzie> sounds good
22:32 < krzie> hehe
22:32 < krzie> in the meantime i can still look over your configs if you want
22:32 < krzie> little things like !hmac and !mitm and !dh it would still work, but not as good as it could
22:33 < krzie> but of course thats totally up to you
22:35 < timttwtdi> http://pastebin.com/f6b987e4e
22:35 < krzie> !configs
22:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:36 < krzie> pls use that to strip comments
22:36 < timttwtdi> did you know that there are command-line utilities for interacting with pastebin?
22:36 < krzie> yes, i know freebsd has one in ports
22:39 < timttwtdi> http://pastebin.com/f63f8e721
22:39 < timttwtdi> I guess I could have stripped blank lines too.
22:39 < krzie> ya i been meaning to change that regex
22:39 < krzie> haha
22:40 < timttwtdi> insert a sed to only strip double empties or something.
22:41 < krzie> the same grep can do it
22:42 < krzie> just another |
22:42 < krzie> |^$
22:42 < timttwtdi> I didn't think grep expressions could span lines.
22:42 < krzie> if the first char is the last char
22:43 < timttwtdi> oh. I just meant that grep can't strip pairs of empty lines as far as I know.
22:44 < krzie> grep -vE '^#|^;|^$'
22:44 < krzie> care to try that and see how it looks for the hell of it?
22:44 < krzie> i see you're pushing dns
22:44 < krzie> you will find this post interesting (first link)
22:44 < krzie> !pushdns
22:44 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
22:45 < krzie> and other than that, i'd say its a perfect config (minus the vpn subnet thing i said earlier)
22:46 < krzie> actually, i take back the "other than that"
22:46 < krzie> its a perfect config
22:46 < timttwtdi> :-D
22:46 < krzie> (minus the vpn subnet thing i said earlier) ;]
22:47 < timttwtdi> it was my first!
22:47 * timttwtdi blushes
22:47 < krzie> hehe
22:47 < krzie> comes with reading the docs =]
22:47 < krzie> if only more took the time you did
22:48 < onats> jedi master, you are.
22:48 < krzie> !configs
22:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;' client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:48 < timttwtdi> Jedi Master? No. I'm a Debian User.
22:48 < krzie> lemme fix that now since we touched on the subject
22:48 < krzie> hahah
22:48 < krzie> !forget configs
22:48 < vpnHelper> krzie: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
22:48 < krzie> !forget configs *
22:48 < vpnHelper> krzie: Joo got it.
22:49 < krzie> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$'client.conf`), also include which OS and version of openvpn.
22:49 < vpnHelper> krzie: Joo got it.
22:49 < krzie> !learn configs as dont forget to include any ccd entries
22:49 < vpnHelper> krzie: Joo got it.
22:49 < krzie> !configs
22:49 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$'client.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:50 < krzie> and yes i know i could simplify that regex, but my bot wouldnt like it cause [] is for embedding commands for my bot
22:51 < krzie> grep -vE '^[#;$]' would be cooler
22:51 < timttwtdi> are any of you guys openvpn devs?
22:51 < krzie> negative
22:52 < timttwtdi> well thanks anyways ^_^
22:52 < krzie> np man
22:52 < krzie> i think reiffert has submitted bits of code
22:52 < krzie> but theres really like 2 main devs afaik
22:52 < krzie> (or 1 maybe)
22:52 < krzie> ahh damn i typo'ed
22:53 < krzie> !forget configs *
22:53 < vpnHelper> krzie: Joo got it.
22:53 < krzie> !learn configs as please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.
22:53 < vpnHelper> krzie: Joo got it.
22:53 < krzie> !learn configs as dont forget to include any ccd entries
22:53 < vpnHelper> krzie: Joo got it.
22:57 < timttwtdi> I did something interesting tonight when troubleshooting.
22:58 < timttwtdi> have you ever called tcpdump on the interface you are ssh'd into a machine on without limiting the scope of tcpdump?
22:59 < timttwtdi> esp. if you've got gigabit.
22:59 < krzie> lol yes
22:59 < krzie> bbl
22:59 < krzie> gnite
22:59 < timttwtdi> 'night. thx.
23:11 -!- p_quarles [n=lee@unaffiliated/pquarles] has joined ##openvpn
23:12 < ecrist> night, fuck heads.
23:13 < p_quarles> so, I'm a bit puzzled: I successfully set up a tunnel, and can ping the tun device on the server from the client; but all traffic is still going through the LAN-connected device by default
23:14 < p_quarles> there's nothing in the "how-to" at openvpn.net, but I'm guessing there's some other step that will be obvious in retrospect
23:15 < ecrist> sure there is. you need to route interesting traffic over the vpn
23:15 < ecrist> see --redirect-gateway
23:16 < p_quarles> ecrist: okay, damn, now I see it in the docs; guess I didn't know what I was looking for; thanks
23:16 < ecrist> np
23:29 -!- p_quarles [n=lee@unaffiliated/pquarles] has left ##openvpn ["thanks!"]
--- Day changed Sat Apr 04 2009
00:08 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
00:51 < Flumdahl> http://pastebin.com/m1a1ed3e2
00:51 < Flumdahl> anyone that can help ?
00:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:57 -!- vadi01 [n=vadi01@217.118.93.23] has joined ##openvpn
00:58 < Flumdahl> krzee: hey there.
01:03 < Flumdahl> !howto
01:03 < vpnHelper> Flumdahl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:04 < Flumdahl> !/30
01:04 < vpnHelper> Flumdahl: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
01:16 -!- vadi01 [n=vadi01@217.118.93.23] has quit [Read error: 110 (Connection timed out)]
01:17 -!- vadi01 [n=vadi01@217.118.93.122] has joined ##openvpn
01:30 < reiffert> moin
01:39 < Flumdahl> :D
01:40 < Flumdahl> hmm, how do i write in server conf so client only can use one specific ip ?
01:43 < reiffert> !factoids search static
01:43 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd
01:44 < Flumdahl> !ccd
01:44 < vpnHelper> Flumdahl: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
01:46 < Flumdahl> hmm
01:47 < Flumdahl> Options error: option 'ifconfig-push' cannot be used in this context
01:47 < Flumdahl> ifconfig-push ipadress netmask ?
01:48 < reiffert> !man
01:48 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:55 -!- vadi01 [n=vadi01@217.118.93.122] has quit [Read error: 110 (Connection timed out)]
02:28 < Flumdahl> hmm, do i need to use ca cert key dh for ccd ?
02:32 < reiffert> you need a common name for ccd. common names sound like certificates. CN
02:32 < reiffert> afk, sorry
02:35 < Flumdahl> is there no other way to lock a specific ip to a client?
02:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
03:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:30 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has joined ##openvpn
03:32 < jnnewton> if anyone is here, i could use some setup clarification. the docs say /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn-2.0 (it's best to copy this directory to another location such as /etc/openvpn)".
03:33 < jnnewton> first of all, the directory structure i got from apt is different, everything they refer to is in /usr/share/doc/openvpn/examples/easy-rsa/2.0, which is not referenced.
03:34 < jnnewton> then for the copy part, which dir to copy to /etc/openvpn ? the whole thing, or just the 2.0 folder?
03:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
03:57 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has quit ["So this is it. Were going to die."]
04:34 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn
04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:05 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has joined ##openvpn
05:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:38 -!- jnnewton [n=jnnewton@adsl-75-62-227-23.dsl.ksc2mo.sbcglobal.net] has quit ["You may get an opportunity for advancement today. Watch it!"]
06:46 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
07:07 -!- sloburnie [n=sloburni@p579889AB.dip.t-dialin.net] has joined ##openvpn
07:08 -!- sloburnie [n=sloburni@p579889AB.dip.t-dialin.net] has left ##openvpn ["Verlassend"]
07:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 60 (Operation timed out)]
07:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
07:30 -!- eliasp_ is now known as eliasp
08:04 -!- hkais [n=xenoadmi@p50815F50.dip.t-dialin.net] has joined ##openvpn
08:04 < hkais> hello
08:05 < hkais> i have trouble configuring my connection to run in pointopoint mode
08:05 < hkais> previously it was working in bridge mode, which I want to quit due to the scaling problems
08:06 < hkais> i get the error on the client http://pastebin.com/m160785e3
08:29 < ecrist> looking
08:29 < ecrist> hkais: the error is pretty clear...
08:30 < ecrist> !configs
08:30 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:31 < hkais> ecrist: I got my error. It was the problem, that I set the server with tap interface instead of tun...
08:31 < hkais> now it is running
08:48 < hkais> ecrist: not properly
08:48 < hkais> i have a 10.11.12.0 LAN. my VPN goes to 10.11.22.0.
08:48 < hkais> I cannot ping any device on the 10.11.12.0 lan from the VPN-network.
08:49 < hkais> the pings (ICMP) aren't reaching the device in the lan
08:53 < ecrist> hkais: see here
08:53 < ecrist> !route
08:53 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:53 < ecrist> also, what OS are you using?
08:53 < hkais> ubuntu/linux
08:53 < hkais> for the server and currently also ubuntu client
08:53 < hkais> but it will be a windows later
08:54 < ecrist> you need to set ip_forwarding in proc, I believe
08:54 < ecrist> only for the server, though.
08:56 -!- onats [n=onats@unaffiliated/onats] has quit [Connection timed out]
08:57 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:04 < hkais> ecrist: thx! I forgot the forward in the kernel!
09:06 < ecrist> np
09:15 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
09:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:15 -!- hkais [n=xenoadmi@p50815F50.dip.t-dialin.net] has left ##openvpn ["Leaving."]
11:09 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn
11:10 < archvile> hi, i'm getting an error when trying to connect to a vpn about not being able to load a CA cert
11:10 < archvile> Cannot load CA certificate file ca.crt (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
11:10 < archvile> am i missing a package?
11:10 < archvile> or is it not being pointed to the correct location
11:24 -!- archvile_ [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn
11:32 -!- archvile1 [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn
11:32 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
11:33 -!- archvile1 [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Client Quit]
11:34 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has joined ##openvpn
11:44 -!- archvile [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit ["leaving"]
11:46 -!- archvile_ [n=archvile@c-71-200-216-240.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
11:52 < onats> anyone alive?
12:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:11 < dan__t> Nope.
12:11 < dan__t> krzee
12:11 < dan__t> krzie
12:11 < dan__t> R*(@##@*@$R@#*(%
12:20 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
12:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:56 < onats> boom!
12:59 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
13:05 -!- Exilant [i=goelzera@berlin.ethz.ch] has joined ##openvpn
13:10 < Exilant> !route
13:10 < vpnHelper> Exilant: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:12 < dan__t> krzie, RE: crl, OpenVPN references this file and based on its contents will either allow or disallow the client?
13:15 < dan__t> http://madboa.com/geek/openssl/
13:15 < vpnHelper> Title: OpenSSL Command-Line HOWTO (at madboa.com)
13:15 < dan__t> Ahhh, long lost resource.
13:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:24 < Flumdahl> anyone here who knows how to lock a client to only one ip address without using cert and key? i only use a secret key
13:25 < Flumdahl> i have googled a lot today but can not find any solution to it
13:25 < Flumdahl> i find that static ip with ccd but i dont want to use all those crt etc etc
13:29 < dan__t> I'd use a --client-connect script
13:29 < dan__t> wait, to one IP address
13:30 < dan__t> Nevermind. I'm not sure on that one, actually.
13:30 < Flumdahl> dan__t: yes for just one ip. or more
13:31 < Flumdahl> prq have only secret key file and if they dont insert the ip somewhere i can not use it
13:31 < dan__t> http://openvpn.net/index.php/documentation/howto.html#policy
13:31 < vpnHelper> Title: HOWTO (at openvpn.net)
13:31 < dan__t> I think you're stuck using ccd
13:31 < Flumdahl> hmm
13:31 < Flumdahl> must be another way
14:00 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
14:05 < dan__t> I'm not sure.
14:06 -!- c64zottel [n=hans@p5B1780E0.dip0.t-ipconnect.de] has joined ##openvpn
14:06 -!- c64zottel [n=hans@p5B1780E0.dip0.t-ipconnect.de] has left ##openvpn []
14:21 < Flumdahl> crl-verify is that needed to get ccd to work ?
14:26 -!- gallatin [n=gallatin@dslb-092-072-077-251.pools.arcor-ip.net] has joined ##OpenVPN
14:29 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has joined ##openvpn
14:30 < dan__t> I'm not sure.....
14:30 < dan__t> What does the manual page say?
14:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 104 (Connection reset by peer)]
14:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:50 < krzie> no
14:50 < krzie> !ccd
14:50 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:51 < krzie> i didnt scroll up so if you have unanswered stuff feel free to ask again
14:52 < dan__t> haha ok
14:52 < dan__t> np
14:52 < dan__t> Just hacking on some openssl arguments so I can further automate pki
14:53 < dan__t> writing my own little wrapper to maintain the CRL, as well.
14:59 < krzie> ahh cool
14:59 < krzie> if you know perl you could make it commandline stuff for ssl-admin
14:59 < krzie> would be cool
15:02 < dan__t> Yea I was looking at it. I'm not such a great programmer :(
15:03 < Flumdahl> the ccd filename shall be the same i name the key/cert file for the client??
15:06 < Exilant> !howto
15:06 < vpnHelper> Exilant: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:06 < dan__t> The CCD should be of the same name as the "common name"
15:06 < krzie> when you make the cert theres a common-name field
15:07 < krzie> thats what ccd// must be
15:08 < Flumdahl> aha
15:08 < Flumdahl> thanks
15:09 < dan__t> er, trailing slash?
15:09 < dan__t> its a directory? Its a file, right?
15:09 < krzie> oops
15:09 < krzie> ya my mistake
15:09 < dan__t> oh ok
15:09 < dan__t> don't confuse me
15:09 < dan__t> haha
15:09 < krzie> hehe
15:10 < krzie> time for me to finally dive into nagios
15:11 < dan__t> That sucks man.
15:12 < krzie> why?
15:13 < dan__t> Nagios is the bastard child of everything unholy.
15:13 < krzie> lol
15:14 < dan__t> Ever use Zabbix?
15:14 < Exilant> i'm trying to setup an openvpn network in bridged mode. i got it working to the point where it somehow connects, yet i cannot even ping into the private net. both client and server run linux, and a route is set up on the client. Can someone please hint me in the right direction, how to find out where the error is?
15:15 < krzie> Exilant can you ping the vpn ips?
15:15 < Exilant> no
15:15 < krzie> why are you using bridged mode?
15:16 < Exilant> From 192.168.178.201 icmp_seq=1 Destination Host Unreachable
15:16 < krzie> dan__t, never heard of it
15:16 < Exilant> because routed mode didn't work
15:16 < krzie> Exilant, bridged mode is only the right choice in very few situations, what is yours in this case?
15:16 < dan__t> Go check it out.
15:16 < krzie> thats no reason, it just means you didnt do it right in routed
15:17 < Flumdahl> hmm
15:17 < Exilant> that samba is easier to access was my main reason
15:17 < Flumdahl> i'm only missing one thing... crl-verify .pem file. how do i create that one ?
15:17 < krzie> no its not
15:17 < krzie> !wins
15:17 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:17 < krzie> !crl
15:17 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
15:17 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you
15:17 < krzie> Exilant, you want wins in routed mode for your samba
15:18 < krzie> Flumdahl, see above #2
15:18 < Exilant> ok
15:18 < Exilant> i'll try that
15:18 < krzie> heres a few steps in right direction:
15:19 < dan__t> Man I'm still fucked up from last night.
15:19 < dan__t> Pretty bad.
15:20 < dan__t> I thought sake wasn't supposed to give you hangovers.
15:20 < Flumdahl> krzie: thanks
15:22 < krzie> np
15:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:28 < dan__t> Ok, got SSL done.
15:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:44 < krzie> http://www.freebsd.org/ports/portaudit/03140526-1250-11de-a964-0030843d3802.html
15:44 < vpnHelper> Title: portaudit: zabbix -- php frontend multiple vulnerabilities (at www.freebsd.org)
15:44 < krzie> ill pass
15:56 < krzie> actually, maybe ill use zabbix: http://www.nagios.org/faqs/viewfaq.php?faq_id=39&expand=false&showdesc=false
15:56 < vpnHelper> Title: Nagios: FAQs : Can I monitor a host without defining any services for it? (at www.nagios.org)
15:56 < krzie> ill just protect it from public entrance
15:56 < dan__t> hh
15:57 < dan__t> heh
15:57 < krzie> basically i only wanna monitor 2 networks, 1 has a webserver and 1 only can be reached with ping
15:57 < dan__t> 1.6.4 is the current release.
15:58 < krzie> ahh so its the port thats out of date
15:58 < krzie> *grabs source*
16:01 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
16:11 < Flumdahl> when i run the ccd part in openvpn... that ccd file for my server. can i setup for example 3 ips to one person to there instead of only one ip ?
16:11 < krzie> huh?
16:11 < Flumdahl> yah ... in ccd/commonname
16:12 < Flumdahl> i write push "ip netmask"
16:12 < krzie> !static
16:12 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd
16:12 < krzie> ifconfig-push you meant
16:12 < Flumdahl> ah, i have push "ifconfig ip netmask"
16:13 < Flumdahl> krzie: but yes, that one. can i allow more ips there?
16:13 < krzie> i dont believe so
16:13 < krzie> this is vpn software
16:13 < krzie> that has no purpose in a vpn
16:13 < Flumdahl> uhm?
16:13 < krzie> why would you need to give more private vpn ips to a client?
16:14 < Flumdahl> its not private ip ... its public internet ips
16:14 < krzie> possibly that can be done with a bridge, or with tun using NAT
16:15 < krzie> but i wont be the one helping with it
16:15 < Flumdahl> i have it bridged already
16:15 < krzie> umm dude
16:15 < Flumdahl> i will just setup a linuxserver and i will try it
16:15 < krzie> then why are you bothering with pushing ip
16:16 < krzie> just take the ips, you're on the same lan
16:16 < Flumdahl> krzie: that is what i dont want to be allowed
16:16 < krzie> thats bridged
16:16 < Flumdahl> i dont want the client to be able to just "take" ips
16:16 < krzie> when you bridge you're on the same lan
16:16 < krzie> too bad, you are using a bridge
16:16 < Flumdahl> i wanna have some control so client1 dont steal client2s ips
16:17 < krzie> then dont use a bridge
16:17 < Flumdahl> i need bridge to use the public ips ?
16:17 < krzie> but you also cant use topology subnet i believe
16:17 < krzie> which means you need to waste 4 ips per client
16:17 < krzie> no, i said you can do it with a NAT
16:17 < krzie> but youd still need to waste 4 ips per client
16:17 < krzie> using net30 topology
16:17 < krzie> otherwise a client can just ifconfig to another ip
16:18 < Flumdahl> i will test if it works with more ips in ccd file
16:18 < krzie> err wait tho
16:18 < krzie> youd be wasting 4 internal VPN ips with tun, not public
16:18 < Flumdahl> just going to install the server first that i will try as client
16:18 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
16:19 < krzie> then you can use bidirectional NAT (ipf called this binat) to nat the ip both ways (in and out)
16:19 < krzie> BUT, you wont be able to give multiple over the same link
16:19 < krzie> because net30 uses a /30
16:19 < krzie> the other ips would need their own /30
16:33 < Flumdahl> works perfect :D
16:33 < krzie> what does?
16:33 < Flumdahl> bridge and put in more ips in ccd/file
16:33 < krzie> cool
16:34 < Flumdahl> if i dont have ips there it wont work at all
16:34 < krzie> now connect a second client
16:34 < krzie> and manually ifconfig to an ip taken by first
16:34 < krzie> or even better, disconnect first client, connect second
16:34 < krzie> second gets its ips
16:34 < krzie> then manually ifconfig to first clients ip and watch it get jacked
16:35 < krzie> then connect a third while the first 2 are connected xfering traffic
16:35 < Flumdahl> i dont have more than 1 user on the server conf
16:35 < krzie> then arp poison client 1 and 2 and sniff all their traffic (and your lans traffic) over the bridge
16:35 < dan__t> 4325:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 42
16:35 < dan__t> what the fuck.
16:36 < krzie> i wanna have some control so client1 dont steal client2s ips
16:36 < krzie> im telling you right now, he easily can
16:36 < krzie> not only that, but he can sniff the traffic over the bridge
16:36 < krzie> not just from other clients, but from the whole lan, anyone on the same switch as server
16:37 < krzie> thats not openvpn's fault, its how layer2 works
16:37 < Flumdahl> krzie: i cant steal ips now.
16:37 < Flumdahl> i tried to steal my workstations ip over the vpn
16:37 < krzie> sure you can
16:38 < Flumdahl> no ip conflicts or nothing
16:38 < krzie> i could :-p
16:39 < dan__t> me too, me toO!
16:40 < krzie> a bridged in client can do anything he could if he was attached to the same switch
16:40 < krzie> because HE IS attached to the same switch
16:40 < krzie> via a bridge
16:41 < Flumdahl> krzie: this vpn solution i am working with is not for some secure network ... its for swedish people to go away from the swedish laws
16:41 < krzie> i easily tunnel my traffic outside of my area using a tun
16:42 < krzie> but i dont need public ips for people to reach me from
16:42 < krzie> if i did ild use ssh port forwarding
16:49 < dan__t> So just by LOOKING at a client certificate I can't tell that it has been revoked, right
16:49 < dan__t> I'd need to look at the crl
16:49 < krzie> right
16:49 < dan__t> Because... naturally, I can't modify the client cert.
16:49 < dan__t> Ok. Alright. I get it now.
16:49 < krzie> how could you change the cert thats been stolen
16:50 < dan__t> PKI, you silly fuck.
16:50 < dan__t> You're my bitch now.
16:50 < krzie> lol
16:54 < Exilant> ok, i switched back to tun, and it is working better than ever before, i can ping the vpn server, and access the https server on the same machine. but if i try other computers in the private network, i get "Destination Port Unreachable". I'm trying to figure that out, but thanks for the hints so far :)
16:54 < krzie> !route
16:54 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:54 < krzie> there is my writeup for exactly what you want
16:55 < krzie> my writeup assumes 1 server and 2 clients, all with lans behind them to connect to
16:55 < krzie> so its likely a little more complicated than your setup, but provides all info you need
16:56 < dan__t> What is the 'serial' file used for, when using OpenSSL?
16:56 < krzie> making your CRL
16:56 < dan__t> Its just an incremental number.
16:56 < krzie> i believe
16:56 < dan__t> openssl updates it etc etc
16:58 < dan__t> real 0m16.479s
16:58 < dan__t> Just batch made 100 keys, csr's, and crt's
16:58 < dan__t> not bad
16:58 < dan__t> and signed them
16:58 < dan__t> well, duh, implying .crt
16:58 < krzie> ya a crt is a signed csr
16:58 < krzie> hehe
16:59 < Exilant> krzie: are you sure? i thought that implies it gets routed correctly, but gets stuck in some firewall?
17:01 < dan__t> route != firewall
17:01 < dan__t> route = clue of how to get somewhere
17:03 < krzie> Exilant
17:03 < krzie> !route
17:03 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:03 < krzie> read it
17:07 < dan__t> hrm
17:07 < dan__t> Just made a script to pull some routes from MySQL, to be stuffed in a ccd
17:07 < dan__t> there's a client-connect option I think
17:07 < dan__t> Which passes the CN of the key as an argument in an env var
17:07 < dan__t> So I'm taking that, then building a dynamic CCD file based on that.
17:07 < dan__t> Then, client-disconnect will remove it.
17:08 < dan__t> I really hope this works. I'm going to test this out with a bunch of doctors
17:08 < dan__t> They'll be using the OpenVPN client from XP and Vista
17:11 < krzie> no dont build dynamic ccd option
17:11 < krzie> !iporder
17:11 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
17:11 < krzie> just give static ip from client-connect
17:12 < krzie> thats what its for!
17:12 < dan__t> no..... i need routes
17:12 < dan__t> I want to push a shitton of specific routes to clients, on a per-client basis.
17:12 < krzie> oh bleh right
17:12 < dan__t> The only mangling I'm going to do with IPs are to use iptables' SNAT
17:12 < krzie> cant push routes directly from the script?
17:12 < dan__t> But that comes way after openvpn, so its a non-issue
17:12 < dan__t> no, because each client could/may be different.
17:12 < krzie> oh no that would be from a diff script
17:12 < krzie> an --up script
17:13 < dan__t> Yeah
17:13 < krzie> which would run on client
17:13 < dan__t> No
17:13 < krzie> so i guess you're doing it right, interesting setup
17:13 < dan__t> I'd push routes from the server
17:13 < dan__t> yeah
17:13 < krzie> right i gotchya
17:13 < dan__t> using 'push' from that ccd
17:13 < dan__t> ccd file
17:13 < krzie> im interested to hear how that does
17:13 < dan__t> Yeah dude this could be bad-ass.
17:13 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
17:13 < dan__t> I'm going to POC this and if it works, I'll be interested in learning more about licensing
17:14 < krzie> if its shell script either make it nice and give it to james for inclusion, or ild be happy to help clean it up for ya
17:14 < krzie> my personal fav license is the BSD license
17:14 < krzie> it basically says: you can use this ANY way you want, just dont claim you wrote it, give me my props
17:15 < dan__t> wlrd
17:15 < dan__t> word
17:15 < krzie> which is why you see so much BSD code in the major OS's
17:15 < dan__t> there's a commercial agenda behind all of this but I'll contribute what I am able to.
17:15 < dan__t> The least I can do is give some back.
17:15 < dan__t> I'll definitely give out the scripts for pulling ccd data from mysql like I'm doing
17:16 < krzie> werd
17:16 < krzie> im not much of a coder but definitely know scripting
17:16 < krzie> so happy to help any way you need etc
17:16 < krzie> but i have no mysql so no testing from me, lol
17:17 < dan__t> the sad part is
17:17 < dan__t> most of it is going to be php
17:17 < dan__t> heh
17:22 < krzie> ahh
17:25 < dan__t> Man
17:25 < dan__t> I still hurt.
17:25 < krzie> next time tell him you wanna be on top
17:25 < krzie> OOOOOOOOOO
17:25 < krzie> lol
17:25 < dan__t> heh
17:26 < dan__t> Mmmm, no
17:26 < dan__t> You wish that were the case, eh
17:26 < krzie> haha
17:28 < dan__t> http://l7-filter.sourceforge.net/
17:28 < vpnHelper> Title: Application Layer Packet Classifier for Linux (at l7-filter.sourceforge.net)
17:28 < dan__t> seen that before
17:28 < dan__t> ?
17:28 < dan__t> trying to block p2p voa openvpn
17:28 < dan__t> via, rather
17:28 < dan__t> p2p and torrents
17:33 -!- ]SintaX[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:57 -!- l2trace99 [n=jr@static-71-251-65-16.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
18:01 < Exilant> yay, got it working
18:01 < Exilant> thanks all
18:10 -!- gallatin [n=gallatin@dslb-092-072-077-251.pools.arcor-ip.net] has quit ["Client exiting"]
18:23 -!- tsunami [n=tsunami@c-24-60-83-222.hsd1.ma.comcast.net] has quit []
18:28 < krzie> yw
18:36 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
18:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
19:10 < dan__t> Cool, my gf is buying me smokes.
19:10 < dan__t> $90.00 in sushi last night and she goddam better do whatever I tell her to.
19:10 < krzie> lol
19:10 < krzie> oh hey reiffert ya here?
19:40 -!- Exilant [i=goelzera@berlin.ethz.ch] has quit ["e^P-P = 20. For large values of P or small values of 20."]
20:24 -!- belZe [i=noone@p5091CE96.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:24 -!- belZe [i=noone@p5091D590.dip.t-dialin.net] has joined ##openvpn
20:36 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
21:17 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
21:17 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
21:42 < dan__t> Hmm, another night of hacking.
21:50 -!- ploo [n=lbz@c-98-245-144-7.hsd1.co.comcast.net] has quit ["Leaving"]
21:52 < onats> $90 dollar sushi? what's included in it?
21:53 < onats> a Chirashi-Don here costs $10. with uni/unagi
22:01 < dan__t> We ate a shitton.
22:01 < dan__t> And the sake didn't help.
22:01 < dan__t> Anyone have a definition on the format of OpenSSL's crl list?
22:09 < onats> what's a shitton?
22:09 < onats> "shit" on?
22:09 < onats> lol
22:10 < dan__t> like five sake bomber rounds worth
22:10 < dan__t> like a 10oz thing of sake and a tall Kirin
22:10 < dan__t> That's good for 2-3 good ones
22:11 < dan__t> No wonder everyone hates OpenSSL.
22:11 < onats> why?
22:11 < dan__t> Half of the stuff you actually want details on is not documented.
22:12 < onats> guess that's how the originators got paid...
22:13 < dan__t> And continue to get paid.
22:24 < dan__t> http://www.unrest.ca/Unix-and-Administration/working-with-ssl-certificates
22:24 < vpnHelper> Title: Working with SSL Certificates | Knowledge Base (at www.unrest.ca)
22:24 < dan__t> Jackpot.
23:05 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn
23:08 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
23:12 < mf_417> Hi, I have configured an OpenVPN server and provided an ipp.txt file with the hope that my assigned IPs will be from this pool, but unfortunately clients did not get the IPs I assigned :(( any Idea?
23:14 < mf_417> ping
23:58 -!- miguelcma [n=miguelcm@87-196-111-144.net.novis.pt] has joined ##openvpn
23:58 < miguelcma> hi. i'm trying to apply rules like "route " (usually on server.conf)
23:59 < miguelcma> but i want them applied only when a specific client connects
23:59 < miguelcma> how can I do it?
--- Day changed Sun Apr 05 2009
00:36 -!- miguelcma [n=miguelcm@87-196-111-144.net.novis.pt] has quit ["Leaving"]
00:52 < onats> miguelcma, you should create CCD entries for each client
00:52 < onats> !ccd
00:52 < vpnHelper> onats: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
00:52 < onats> woops
02:10 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn []
02:16 < dan__t> wat
03:11 -!- dirkD [n=dirk@dirkdokter.nl] has joined ##openvpn
03:12 < dirkD> !logs
03:12 < vpnHelper> dirkD: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
03:26 < dirkD> i have set up a bridged vpn, with a separate DHCP server, and there is traffic going over it :)
03:26 < dirkD> But.... just non-ip traffic. DHCP works, but i can't ping from the client to the server and vice versa.
03:26 < dirkD> Ping from server to client: nothing.
03:26 < dirkD> Ping from client to server: i see requests coming in on the server, but the server doesn't respond.
03:26 < dirkD> - iptables: http://pastebin.com/m3b01a263 and http://pastebin.com/mb04d88
03:26 < dirkD> - openvpn configs: http://pastebin.com/m16a8648a and http://pastebin.com/mc1e3f5a
03:26 < dirkD> - routing tables: http://pastebin.com/m514e29b4 and http://pastebin.com/m1681e690
03:26 < dirkD> - interfaces: http://pastebin.com/m7b522092 and http://pastebin.com/m779a7278
03:26 < dirkD> XCENTOS is the openvpn server, SERVER1 is the openvpn client
03:26 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)]
03:33 < reiffert> dirkD: ping from server to client: On which interface do you see the icmp packets while running tcpdump?
03:35 < reiffert> and please show us a brctl show br0
03:36 < dirkD> that's the problem: i don't see any icmp traffic when pinging from the server to the client
03:36 < dirkD> but i do see this:
03:36 < dirkD> 12:28:31.928011 arp reply 192.168.45.66 is-at 8a:c9:64:d8:ec:e8 (oui Unknown)
03:36 < dirkD> 12:28:32.870331 arp who-has 192.168.45.66 tell xcentos
03:36 < dirkD> 12:28:32.927902 arp reply 192.168.45.66 is-at 8a:c9:64:d8:ec:e8 (oui Unknown)
03:36 < dirkD> 12:28:33.870354 arp who-has 192.168.45.66 tell xcentos
03:36 < reiffert> And what exactly is tap1 used for on server?
03:36 < dirkD> it's not used
03:36 < dirkD> should i remove it?
03:37 < dirkD> http://pastebin.com/m2bd1e26c
03:37 < dirkD> aha
03:37 < dirkD> it's in the bridge
03:38 < reiffert> why do you get arp request for 45.66? Should be within the same range as the br0 Interface
03:39 < reiffert> which is 192.168.1.0/24
03:40 < dirkD> uhm, my vpn subnet is 192.168.45.0/24
03:40 < reiffert> 10:26 < dirkD> - interfaces: http://pastebin.com/m7b522092 and http://pastebin.com/m779a7278
03:40 < reiffert> which one is that from the server?
03:42 < reiffert> You dont have a vpn subnet when using bridging. You create your bridge like this:
03:42 < dirkD> xcentos is the server
03:42 < dirkD> but isn't it possible to use a separate subnet for it?
03:42 < dirkD> or do i need a virtual interface on eth0 then?
03:42 < reiffert> look:
03:43 < reiffert> tap0 and eth0 both must not have an ip address assigned to them
03:43 < reiffert> they both are bound on br0
03:43 < reiffert> which carries one IP address.
03:43 < dirkD> aha
03:44 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
03:44 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
03:44 < dirkD> yes, but it worked some time ago
03:45 < reiffert> for the beginning, you can let the openvpn server play the dhcp server for the openvpn clients.
03:45 < reiffert> thats done by server_bridge directive, see the manpage for an example
03:45 < reiffert> sorry, server-bridge that is
03:45 < dirkD> yes, but is it possible to use dynamic dns updates then?
03:45 < reiffert> yes.
03:47 < reiffert> ah well, it is not, but I'd recommend using the server-bridge directive at the beginning to get things working
03:48 < reiffert> so again, tap0[1,2,3], eth0 no IP address (0.0.0.0 promisc up)
03:48 < reiffert> br0 one ip address
03:48 < reiffert> clients gets an ip address within that subnet.
03:51 < dirkD> ok, but the lan subnet is the same on the client and the server
03:51 < reiffert> hm?
03:51 < dirkD> oh, wait, i could make a virtual interface on the bridge i think
03:51 < reiffert> ??
03:52 < dirkD> the client and server are both in 192.168.1.0/24
03:52 < reiffert> you dont need .45.0
03:53 < dirkD> but.... won't i get conflicts when i use 192.168.1.0/24 for both the VPN and the LAN on both sides?
03:53 < reiffert> so tell me, what do you know about ethernet bridging and why do you want to use it?
03:54 < dirkD> brb in 20 minutes
03:54 < dirkD> then i'll draw it
04:11 -!- Flumdahl [i=n30@shell.auth.se] has quit ["reboot && upgrade world."]
04:12 < dirkD> reiffert: http://webmeeting.dimdim.com/portal/JoinForm.action?meetingRoomName=dirkd
04:12 < vpnHelper> Title: Welcome to Dimdim. (at webmeeting.dimdim.com)
04:14 < dan__t> !30
04:14 < vpnHelper> dan__t: Error: "30" is not a valid command.
04:14 < dan__t> !/30
04:14 < vpnHelper> dan__t: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
04:14 < dan__t> bitch
04:14 < dan__t> !topology
04:14 < vpnHelper> dan__t: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:18 < dirkD> reiffert: so that's the idea
04:19 < dirkD> reiffert: like this, machines on the xcentos end don't need the openvpn client
04:20 < dirkD> and like this it's easy to add a machine to the 'vpn'
04:20 < dirkD> just by adding a virtual nic with a 192.168.45.x ip-address
04:28 < dirkD> reiffert: never mind, i understand it now :)
04:29 < dirkD> thanks for your help
04:33 < dan__t> Maximum length of --push buffer (1024) has been exceeded
04:33 < dan__t> Come on.
04:33 < dan__t> Seriously?
04:34 < reiffert> !factoids search push buffer
04:34 < vpnHelper> reiffert: No keys matched that query.
04:34 < reiffert> !factoids search push
04:34 < vpnHelper> reiffert: 'push', 'push-reset', 'pushlimit', and 'pushdns'
04:34 < reiffert> !pushlimit
04:34 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
04:34 < dan__t> I see it.. I'm going to make common.h my bitch.
04:34 < reiffert> !factoids search push block
04:34 < vpnHelper> reiffert: No keys matched that query.
04:35 < reiffert> dan__t: good luck
04:35 < dan__t> I'll let ya know.
04:35 < reiffert> dirkD: welcome
04:36 < dirkD> oops, now i have another problem of course
04:36 < dirkD> i un-bridged tap0
04:36 < dirkD> and gave it a 192.168.45.x ip
04:37 < dirkD> but how to let the computers on the xcentos side connect to that ip now?
04:41 < dirkD> nvm, fixed with a virtual interface on the bridge
04:42 < dan__t> 131072
04:42 < dan__t> We'll see how well that works.
04:58 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
05:27 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
06:01 < dan__t> Hah. It worked.
06:08 < dan__t> Apr 5 04:08:17 centos5 openvpn[19193]: OpenVPN ROUTE: cannot add more than 100 routes
06:08 < dan__t> God damnit.
06:09 < reiffert> dan__t: wtf?
06:11 < dan__t> Yeah.
06:11 < dan__t> Rebuilding with MAX_ROUTES 16384
06:19 < dan__t> [root@centos5-test1 SOURCES]# route -n|wc -l
06:19 < dan__t> 191
06:19 < dan__t> Apr 5 04:19:32 centos5 openvpn[28387]: ERROR: Linux route add command failed: external program exited with error status: 2
06:19 < dan__t> Coincidence? I think not.
06:21 < dan__t> Oh, maybe that's correct.
06:47 < dan__t> FWIW, OpenVPN blows up between 514 and 550 routes
06:47 < dan__t> Wigs out with: Apr 5 04:46:01 centos5 openvpn[5527]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
06:48 < dan__t> ...which is a lie.
06:58 < dan__t> beh. can't run client-connect inside ccd files eh
07:06 < reiffert> dan__t: why should you?
07:07 < dan__t> Guess it doesn't matter so long as I have $1
07:09 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
08:09 < ecrist> dan__t: why do you have so many routes?
08:25 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has joined ##openvpn
08:34 -!- mRCUTEO [n=IRCLUNAT@96.9.131.183] has quit []
08:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
08:55 < timttwtdi> !pastebin
08:55 < vpnHelper> timttwtdi: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
09:00 < timttwtdi> I wonder if someone could help me.
09:01 < timttwtdi> I believe there is something wrong with my openvpn server configuration because the routes and forwarding of the settings once running act predictably, but don't actually facilitate two-way operation of the vpn.
09:02 < timttwtdi> here is my server and client configs along with the output of route: http://pastebin.com/f6021bff8
09:02 < sunga> does anyone know a good windows firewall where I can choose the interface on which it should work (separate rules for separate interfaces) and that is able to allow ip ranges and single ip's to a certain interface?
09:06 < timttwtdi> ping requests from a vpn endpoint are received by the server and forwarded to the subnet for which the vpn server is also a gateway (192.168.2.0/24) and the vpn server receives a reply, but does not forward that reply back to the vpn endpoint.
09:12 < timttwtdi> there are no rules in iptables and /proc/sys/net/ipv4/ip_forward is obviously '1'
09:14 < ecrist> sunga: checkpoint
09:15 < ecrist> timttwtdi: see here
09:15 < ecrist> !route
09:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:15 < timttwtdi> I should amend what I said earlier ^^^^ that the route rules act predictably but don't facilitate operation. The 'once-removed' method of routing via an undefined intermediate ip does work (as I see on the client) but doesn't seem to be working for the server.
09:16 < timttwtdi> ecrist, I have read that. iroute does not apply in my case.
09:17 < timttwtdi> and the routes to return the reply to the vpn endpoint do seem to exist.
09:18 < ecrist> what, specifically, isn't working? give me an example
09:19 < timttwtdi> ping requests from a vpn endpoint are received by the server and forwarded to the subnet for which the vpn server is also a gateway (192.168.2.0/24) and the vpn server receives a reply, but does not forward that reply back to the vpn endpoint.
09:19 < timttwtdi> tcpdump verifies this exact behavior
09:19 < ecrist> what version of openvpn?
09:19 < timttwtdi> 2.1~rc11-1
09:21 < timttwtdi> I am pinging from 192.168.3.6 (a vpn endpoint) to 192.168.2.10 (hostname 'water') on the subnet behind the openvpn server and receive replies
09:21 < timttwtdi> tcpdump -i eth0 on the vpn server:
09:21 < timttwtdi> 09:19:33.957359 IP water.local > 192.168.3.6: ICMP echo reply, id 3136, seq 716, length 64
09:21 < ecrist> timttwtdi: sounds like a firewall issue
09:22 < timttwtdi> tcpdump -i tun0 only displays the requests on the server; no replies.
09:22 < timttwtdi> iptables -L show no entries.
09:22 < ecrist> so, you're not seeing the reply hit the OpenVPN server at all? you're only showing the reply leaving the client machine?
09:23 < reiffert> ecrist: no, he's watching the replies entering the LAN NIC on the VPN Server.
09:23 < timttwtdi> sorry, that was incorrect
09:23 < reiffert> timttwtdi: hint: use -n on tcpdump.
09:23 < ecrist> oh, didn't see the line above the tcpdump output, my mistake
09:24 < reiffert> timttwtdi: paste the routing table: route -n
09:25 < timttwtdi> duh!
09:26 < timttwtdi> sorry; what I meant earlier was that I had cleared rules from my firewall.
09:26 < timttwtdi> someone just pointed out to me that I had only added 3 of the necessary 4 rules to iptables
09:27 < ecrist> grr
09:27 < reiffert> spark
09:28 < timttwtdi> I had added the accept forward rule on the physical interface, but not the accept input rule
09:28 < ecrist> it's ok, everyone blows me off when I tell them their issue is their firewall.
09:28 < timttwtdi> it's frustrating because I knew that I needed all four and didn't notice that it was missing.
09:28 * ecrist points at channel topic
09:29 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has left ##openvpn ["Leaving"]
09:29 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn
09:29 < ecrist> fucker
09:29 < timttwtdi> ?
09:30 < ecrist> :P thought you left without a 'thank you'
09:30 < ecrist> well, I'm out. going to watch some tv before work.
09:30 < timttwtdi> leaving was the only way I knew how to see the topic (I've been on the channel for two days)
09:31 < timttwtdi> ecrist, thank you very much.
09:48 < ecrist> timttwtdi: /topic usually works. :)
10:38 < timttwtdi> oh. thank you.
10:50 -!- mode/##openvpn [+o ecrist] by ChanServ
10:50 -!- mode/##openvpn [-b *!*n=mjt@*.corpit.ru] by ecrist
10:50 -!- mode/##openvpn [-o ecrist] by ecrist
11:19 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
11:24 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
11:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
11:29 < thedoc> !howto
11:29 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:29 < thedoc> Is that a trigger? ;p
11:32 < thedoc> Well well, I got it ;)
11:32 < thedoc> Thanks guys!
11:32 -!- thedoc [n=andelyx@unaffiliated/thedoc] has left ##openvpn []
11:56 -!- timttwtdi [n=erik@c-24-245-3-7.hsd1.mn.comcast.net] has quit ["Leaving"]
12:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:12 < theDoc> Hello all, can someone please point me to some resource? I have my vpn tunnel up however, it seems to be assigning me a x.x.x.6 with a /30 subnet mask and ipconfig is showing the gateway as empty.
12:12 < theDoc> Is there something else I'm missing to route all traffic over the vpn when it's up?
12:13 < theDoc> 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.97.58.1,topology net30,ping 10,ping-restart 120,ifconfig 10.97.58.6 10.97.58.5' (status=1) -- I'm seeing this in the logs but the client machine isn't making changes to its routing table.
12:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:17 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
12:18 < theDoc> No one at all? :o
12:21 < krzee> ?
12:24 < theDoc> krzee: I'm wondering why my vpn tunnel comes up but the gateway is left blank and all the traffic is still being routed over my normal wlan0 interface.
12:24 < theDoc> krzee: I'm not sure what I'm missing. However, the logs are showing, ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=29]
12:24 < theDoc> and this, Mon Apr 06 01:19:10 2009 route ADD 10.97.58.1 MASK 255.255.255.255 10.97.58.9
12:25 < theDoc> I'm not sure why it's not tunneling the traffic through. Windows 7 over here, for the client machine
12:25 < krzee> windows?
12:25 < krzee> !win7
12:25 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
12:25 < krzee> !winroute
12:25 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
12:25 < theDoc> Oh, ok.
12:25 < theDoc> Thanks!
12:25 < krzee> np =]
12:26 < theDoc> I'll give it a go, just got openvpn running for the first time.
12:26 < krzee> also you mentioned gateway stuff
12:26 < krzee> you using redirect-gateway?
12:28 < reiffert> he is
12:29 < reiffert> 19:13 < theDoc> 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.97.58.1,topology net30,ping 10,ping-restart 120,ifconfig 10.97.58.6 10.97.58.5' (status=1) --
12:29 < krzee> looks like you're pushing dns
12:29 < krzee> !pushdns
12:29 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit
12:29 < krzee> see link 1
12:30 < krzee> aka factoid #2
12:30 < reiffert> he is missing the gateway.
12:30 < krzee> show us the redirect-gateway line
12:30 < reiffert> not sure about that "bypass-dhcp"
12:30 < krzee> are you tunneling over ppp btw?
12:31 < krzee> !dhcp
12:31 < vpnHelper> krzee: "dhcp" is redirect-gateway bypass-dhcp gets around the problem of DHCP packets to the local DHCP server being incorrectly routed into the tunnel. Available in 2.1
12:32 < krzee> theDoc, is this a dialup link?
12:33 < krzee> oh reiffert
12:33 < krzee> i made my #1 on the island my girlfriend
12:35 -!- doc`hmm [n=andelyx@bb116-15-11-145.singnet.com.sg] has joined ##openvpn
12:36 < doc`hmm> krzee: It works :)
12:36 < doc`hmm> Thanks!
12:36 < doc`hmm> Just wondering why, it's a one way traffic now ;p
12:36 < krzee> huh?
12:37 < doc`hmm> krzee: Well, the tunnel is up and I can ping the vpn server, no traffic goes out of it though.
12:37 < krzee> !linnat
12:37 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:37 < doc`hmm> Doh, it's coming to 2am. I should get sleep and work on it tomorrow.
12:37 < krzee> !linipforward
12:37 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
12:37 < krzee> your vpn server must be running nat and have ip forwarding enabled
12:38 < doc`hmm> krzee: That vpn server has a routable ip on the public internet
12:38 < krzee> and the vpn hands out a non-routable ip
12:38 < krzee> which must be NAT'ed if you want internet over the vpn
12:39 < doc`hmm> krzee: home box --> public internet --> vpn server --> internet
12:39 < doc`hmm> That's the current setup I have at the moment
12:39 < ecrist> unless you push 'real' ips from your vpn, which is *very* rare. ;)
12:40 < doc`hmm> ecrist: Nope, that's not what I want to do (I think I read you right there), I want to tunnel all traffic into the vpn server and push it out from there.
12:41 < doc`hmm> Oh yes, I do need NAT.
12:41 < doc`hmm> wtf.
12:41 < doc`hmm> >_>
12:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
12:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
12:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:48 < krzee> no shit doc`hmm
12:48 < krzee> thats why i told you you do
12:48 < krzee> 10.97.58.6 is client1's ip
12:48 < krzee> which means you used server 10.97.58.0 255.255.255.0 or something similar
12:48 < krzee> which is NOT routable on the internet
12:49 < doc`hmm> Oh, yes.
12:49 < doc`hmm> That's right.
12:49 < doc`hmm> It's 2am. I need to go slap myself
12:49 < doc`hmm> >_>
12:49 < doc`hmm> krzee: sorry, wasn't thinking ;)
12:52 < doc`hmm> Ok, time for bed.
12:52 < doc`hmm> I'll work on it tml ;p
12:52 < doc`hmm> krzee: Thanks for the help :)
12:54 < krzee> yw =]
13:16 -!- doc`hmm [n=andelyx@bb116-15-11-145.singnet.com.sg] has quit [Read error: 113 (No route to host)]
13:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:01 < krzie> damn i was a dick earlier
14:01 < krzie> thats what a nice whiskey hangover will do
14:03 * Bushmills recalls krzie claiming that he's not prone to hangovers
14:03 < krzie> doesnt happen often
14:03 < krzie> but i also never drink whiskey
14:05 < Bushmills> hehe. i never got a hangover from a substance I didn't drink
14:05 < krzie> no choice last night, they had no rum or beer
14:05 < krzie> i was like fuckit bring me whiskey (since there isnt a place on the island that doesnt have whiskey)
14:07 < Bushmills> time for moonshining
14:08 * Bushmills watches the yeast bubbling merrily
14:09 < Bushmills> one earlier batch: http://forthfreak.net/ginger/img_1354.jpg
14:14 < krzie> haha sweet
14:14 < krzie> reminds me of being in jail
14:15 < krzie> making the pruno and the banana rama
14:15 < Bushmills> sounds good
14:15 < krzie> the pruno didnt taste too good, but it did the job
14:16 < Bushmills> reiffert had some of that stuff, so I can refer to second opinion
14:16 < krzie> oh you're local to reif?
14:18 < Bushmills> yes
14:18 < krzie> awesome man
14:20 < Bushmills> well, not always, in the past. distance was as far between 500 and 1500 km, and 15 km now.
14:21 < krzie> ahh so you guys have known each other a long time
14:21 < Bushmills> shortest, a few years back, was about 1 km
14:21 < Bushmills> several years, yes
14:41 < Bushmills> a few days ago i made my most economic alcoholic drink so far, which was a kind of lemon wine
14:42 < Bushmills> came down to about 20 c per liter
14:43 < Bushmills> right now, apples are bubbling
14:52 < krzee> awesome!
14:56 < Bushmills> stuff in the bottles is gingerbeer. alcoholic. caribbean variation.
14:57 < krzee> <-- lives in the caribbean
14:57 < Bushmills> that's why i mention it :D
14:57 < krzee> =]
15:00 < Bushmills> but i tend to make that stuff much stronger than literature suggests.
15:01 < Bushmills> 4 times as much or even more ginger
15:01 < dan__t> Hi.
15:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
15:03 < dan__t> hey krzee
15:03 < dan__t> http://pastebin.ca/1382964
15:04 < krzee> hehe werd
15:06 < dan__t> At least I can manage and record all the data now.
15:14 < krzee> !factoids search win
15:14 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7'
15:14 < krzee> !win_noadmin
15:14 < vpnHelper> krzee: "win_noadmin" is http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows
15:15 < krzee> !learn win_noadmin as and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:15 < vpnHelper> krzee: Joo got it.
15:15 < krzee> !win_noadmin
15:15 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
15:15 -!- wuffi600 [n=keck0f@g224200215.adsl.alicedsl.de] has joined ##openvpn
15:16 < wuffi600> hi.
15:16 < krzee> dan__t, sounds like you're partially on your way to a badass gui
15:16 < krzee> dan__t, maybe you should play with management interface too
15:16 < dan__t> Just some interesting PHP
15:16 < dan__t> Yeah that's next.
15:16 < krzee> you could end up with something really really nice
15:16 < krzee> hey wuffi600
15:18 < wuffi600> Can openvpn act as a pptp-client to connect to a microsoft-vpn-Server using mschapv2?
15:19 < krzee> !notcompat
15:19 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
15:19 < wuffi600> krzee, thanx for that quick and good answer..
15:19 < krzee> np
15:20 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
15:21 < wuffi600> krzee, could you recommend another tool apart from "linux-pptp" that could do the job? maybe stunnel?
15:22 < krzee> nope, i cant
15:22 < krzee> ive never used pptp and likely never will
15:22 < wuffi600> krzee. thank you
15:22 < krzee> np
15:22 < wuffi600> krzee, have a nice day.
15:22 < krzee> you too =]
15:22 -!- wuffi600 [n=keck0f@g224200215.adsl.alicedsl.de] has left ##openvpn []
15:22 < krzee> hey dan
15:22 < krzee> why'd the little girl walk around with a fish in her pocket?
15:23 < krzee> so she could smell like the big girl!
15:26 < dan__t> heh
15:34 < dan__t> Speaking of women.. mine will be here soon, we're going to go apt shopping
15:34 < dan__t> Which means I need a shower. bbl.
15:35 < krzee> adios
15:43 -!- sunga [n=naft@77.109.122.179] has quit ["pieuw pieuw"]
15:49 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
15:50 -!- M08w is now known as M06w
15:59 < krzee> !man
15:59 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:33 -!- Borf [n=Borf@5ED293EA.cable.ziggo.nl] has quit [Read error: 104 (Connection reset by peer)]
16:38 -!- mepholic [n=what@67.202.101.69] has joined ##openvpn
16:38 < mepholic> hi guys
16:38 < mepholic> do diffie-hellman parameters need to be generated for every vpn server on a vpn?
16:38 < mepholic> or only once for the first?
16:39 < krzee> theres multiple servers?
16:39 < mepholic> yeah
16:40 < krzee> how so...
16:40 < mepholic> well, this vpn is basically
16:40 < mepholic> a bunch of servers at different datacenters
16:40 < mepholic> hooked up to a vpn
16:41 < mepholic> i want to have multiple vpn servers hooked up to the vpn as failsafes
16:41 < krzee> but as far as the vpn is concerned
16:41 < krzee> theres only 1 server
16:41 < krzee> the rest are clients
16:41 < mepholic> no
16:41 < mepholic> i want there to be 2 or 3 servers
16:41 < mepholic> with the rest being clients
16:41 < krzee> umm sure
16:41 < krzee> yes, every server gets dh params
16:41 < mepholic> ok
16:41 < krzee> same or not, no biggie
16:42 < mepholic> thanks
17:12 < dan__t> hi.
17:19 < dan__t> Anyone familiar with building tunnelblock from a svn co?
17:20 < Flumdahl> are there any way to bandwidht limit a vpn server in the server.conf ?
17:21 < dan__t> Use --shaper
17:22 < dan__t> (on both client and server)
17:22 < Flumdahl> but if the client change it?
17:24 < dan__t> Read the man page that discusses that.
18:12 -!- sjzzalx [n=jeff@70.102.50.18] has quit ["Leaving."]
18:44 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
19:14 -!- mepholic [n=what@67.202.101.69] has quit [Remote closed the connection]
19:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
19:31 -!- doc`hmm [n=andelyx@bb116-15-5-251.singnet.com.sg] has joined ##openvpn
19:42 -!- carpe_ is now known as plaerzen
19:46 -!- doc`hmm [n=andelyx@bb116-15-5-251.singnet.com.sg] has quit [Read error: 113 (No route to host)]
19:47 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Operation timed out]
19:47 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:55 < dan__t> krzie
19:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:05 -!- doc`hmm [n=andelyx@119.73.165.162] has joined ##openvpn
20:05 -!- doc`hmm is now known as theDoc
20:35 -!- belZe [i=noone@p5091D590.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:35 -!- belZe [i=server3@p5091CAF6.dip.t-dialin.net] has joined ##openvpn
20:39 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn
20:44 -!- blahdeblah [n=paulgear@124-171-161-177.dyn.iinet.net.au] has joined ##openvpn
20:44 < blahdeblah> !howto
20:44 < vpnHelper> blahdeblah: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:44 < blahdeblah> !route
20:44 < vpnHelper> blahdeblah: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:47 * dan__t stabs krzee
20:47 < blahdeblah> Hi. I've already read the howto, and it doesn't seem to indicate whether it's possible to reload the openvpn multi-client server without disconnecting the clients
20:47 < blahdeblah> I'm working for a company that has about 25 remote sites to connect via openvpn, and they want to be able to change options (esp. routes) and restart individual clients without affecting everyone. Is this possible?
20:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
20:55 < dan__t> Hmm, good question.
20:58 < blahdeblah> Good questions are cool; good answers are better! ;-)
21:00 < blahdeblah> As an alternative to no-disconnect restarts, is there a way that we can either aggregate all client LAN routes in one server route directive, or specify the route directive in the CCD?
21:02 < blahdeblah> e.g. if i have up to 254 clients, each using a 192.168.x.0/24 remote subnet, can i specify "route 192.168.0.0 255.255.0.0" to tell OpenVPN that all of those subnets should be routed through the tun interface?
21:03 < dan__t> Why couldn't you?
21:03 < dan__t> You could use a netmask or CIDR notation
21:04 < blahdeblah> I tried it and it didn't seem to work - i wondered whether i was missing something.
21:05 < dan__t> Give me an example of that route push
21:05 < dan__t> I take that back, I don't know if you can use CIDR
21:05 < blahdeblah> There's no push
21:05 < blahdeblah> I mean the server side
21:05 < dan__t> ooh.
21:05 < dan__t> Well sure I don't see why not.
21:05 < dan__t> route add -net 192.168.x.0/24 -dev tunXYZ ?
21:06 < blahdeblah> I'm talking about the route directive in openvpn's server.conf
21:07 < dan__t> each connection creates a tun interface
21:07 < dan__t> each separate connection, rather
21:07 < blahdeblah> Not in the server configuration
21:07 < blahdeblah> There's only tun0 on the server
21:07 < dan__t> Maybe I'm mistaken.
21:07 < dan__t> The clients *are* on the tun interface
21:07 < blahdeblah> Yep
21:07 < dan__t> What is your goal?
21:08 < blahdeblah> Hang on - writing an example
21:08 < dan__t> word
21:08 < dan__t> I'll brb, going to go burn one.
21:12 < blahdeblah> Let's say the head office server is 192.168.0.1/24 and it has incoming client connections from 192.168.1.1/24, 192.168.2.1/24, and 192.168.3.1/24 (LANs on remote office sites).
21:12 < blahdeblah> To get everything talking to everything, it seems you need these directives on the server: client-to-client, push "route 192.168.0.0 255.255.252.0" (to get the RO routing to HO), route 192.168.x.0 255.255.255.0 (for appropriate routing of each RO LAN), and iroute 192.168.x.0 255.255.255.0 (in the CCD file for each client).
21:13 < blahdeblah> This means that to add a new RO, you have to add its config to the HO server and restart, which causes VPN downtime for all ROs. I want to avoid this if possible.
21:31 < ecrist> sup, bitches?
21:31 < ecrist> I'm off to please my lady. Have fun with your keyboards. :P
21:32 < ecrist> blahdeblah: yes, you can reload the config on the server without booting clients
21:32 < ecrist> you need to use the management interface to do so, however, a SIGINT will disconnect all the clients.
21:32 < blahdeblah> ecrist: How? I've tried a number of combinations and none seem to work for me
21:33 * blahdeblah scratches his head - what management interface?
21:33 < ecrist> go http://openvpn.net/index.php/documentation/manuals/openvpn-21.html and search the page for 'management interface'
21:33 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
21:33 < blahdeblah> What about 2.0?
21:34 < ecrist> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
21:34 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
21:34 < ecrist> search the page for 'management interface'
21:34 * blahdeblah searches
21:34 < ecrist> right in the man page. ;)
21:35 < ecrist> here's another gem
21:35 < ecrist> http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:35 < vpnHelper> Title: Management Interface (at openvpn.net)
21:35 < ecrist> !mgmt
21:35 < vpnHelper> ecrist: Error: "mgmt" is not a valid command.
21:35 < ecrist> !learn mgmt as http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:35 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
21:36 < ecrist> !learn mgmt as http://openvpn.net/index.php/documentation/miscellaneous/management-interface.html
21:36 < vpnHelper> ecrist: Joo got it.
21:37 * blahdeblah turns on the management interface in his openvpn server
21:37 < blahdeblah> Thanks for the tip ecrist - that is well buried on the site. This is the first i've heard of it.
21:43 < blahdeblah> ecrist: So where is the restart option? Doesn't seem to be there in my 2.0.9 server
21:43 < blahdeblah> Reload config, i mean
21:47 < blahdeblah> http://linuxman.wikispaces.com/OpenVPN+remote+office+setup explains what i'm trying to achieve here. ecrist, dan__t: any suggestions greatly appreciated
21:47 < vpnHelper> Title: linuxman OpenVPN remote office setup (at linuxman.wikispaces.com)
21:47 * blahdeblah heads off for lunch
21:47 < dan__t> Oh shit.
21:47 < dan__t> I totally forgot.
21:51 < dan__t> reboot, brb.
22:01 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
22:03 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
22:05 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Client Quit]
22:08 -!- theDoc- [n=andelyx@119.73.165.162] has joined ##openvpn
22:09 -!- theDoc- [n=andelyx@119.73.165.162] has quit [Read error: 54 (Connection reset by peer)]
22:09 -!- theDoc- [n=andelyx@119.73.165.162] has joined ##openvpn
22:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Success]
23:56 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
--- Day changed Mon Apr 06 2009
00:36 -!- theDoc- is now known as theDoc
00:49 < dan__t> Any way to prevent a client from trying to change the IP address? They couldn't do that anyway right
00:49 < theDoc> dan__t: I believe you can set inside your server.conf file if you want to assign the same ip to the client
00:49 < dan__t> Well that's not so much it, but I don't want the client to be able to change IPs during a connection
00:50 < theDoc> dan__t: I'm new to this but I don't think your client can just change IP's during connection, since your server.conf file has specified the parameters for the connecting client
00:51 < dan__t> That's the answer I was hoping to hear
00:51 < theDoc> dan__t: I *don't* think they can do that, I'm not an expert on openvpn by any measure, still learning
00:52 < dan__t> Understood.
00:52 < dan__t> Also trying to find the difference between --client-connect, --up, --route-up etc etc. I think they all perform the same thing, just at different times.
00:56 < theDoc> ergh.
00:57 < theDoc> I hate stupid customers who insist that they're right.
00:57 < theDoc> Well fuck, if you're right, you wouldn't be coming to me with that problem now would you?!
00:58 < dan__t> haha
00:58 < dan__t> Nice.
00:58 < dan__t> So why does $common_name passed to a client-connect script contain a trailing underscore
00:58 < dan__t> common_name=dc60f2348413978b9e49f5be6685a949_
01:16 < krzee> dan__t, yes there is a way
01:16 < krzee> [01:49] Any way to prevent a client from trying to change the IP address? They couldn't do that anyway right
01:16 < krzee> use tunnel mode, with topology net30 (default)
01:17 < krzee> then force them into a static ip using a ccd entry or client-connect script
01:17 < krzee> this gives them their own /30
01:17 < krzee> so any attempt to change their address will result in no route
01:17 < krzee> because any other ip will be outside their /30
01:18 < krzee> !/30
01:18 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
01:18 < krzee> using bridge or topology subnet, they can change it
01:18 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection]
01:18 < krzee> (i swear i broke that down to you before, but maybe it was someone else)
01:19 < krzee> [01:52] Also trying to find the difference between --client-connect, --up, --route-up etc etc. I think they all perform the same thing, just at different times.
01:19 < dan__t> word.
01:19 < krzee> they all are hooks to run an external script
01:19 < dan__t> just at different stages right
01:19 < krzee> but because they occur at different times, they have different uses
01:19 < dan__t> yeah
01:19 < dan__t> got it.
01:19 < dan__t> just clarifying.
01:23 < dan__t> rad, thank you.
01:27 < krzee> np =]
01:43 < theDoc> Oh brilliant.
01:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
01:43 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:44 < theDoc> I got my vpn tunnel working
01:44 < theDoc> !
01:44 < dan__t> Hrm. Can I use multiple client-connect script definitions?
01:44 < dan__t> word
01:46 < reiffert> multiple as in #!/bin/bash script1 script2 script3?
01:46 < krzee> i dont get the question
01:46 < dan__t> uh, sorry - directives.
01:46 < dan__t> No, as in multiple:
01:46 < krzee> oh if thats it, no... but a script can call another script
01:46 < dan__t> client-connect /somescript
01:46 < dan__t> client-connect /otherscript
01:46 < dan__t> yeah
01:46 < reiffert> dan__t: I was pasting somescript.
01:46 < dan__t> ok.
01:47 < dan__t> wait, what?
01:47 * reiffert waits.
01:47 < krzee> lol
01:47 < dan__t> unWait();
01:47 < dan__t> what?
01:48 < reiffert> I was about to say the same thing as krzee but in a different way.
01:48 < dan__t> oh ok.
01:49 < krzee> somescript can call otherscript
01:49 < krzee> but i rather doubt both can be called from client-connect directive
01:49 < krzee> either first or last will likely be run, with the other forgotten
01:49 < krzee> mind you, im guessing here
01:50 < krzee> you can tell me if im wrong, but its an educated guess
01:50 < krzee> woop
01:50 < dan__t> Understood.
01:50 < krzee> debian almost done installing on my VM
01:50 < dan__t> That's unfortunate.
01:51 < krzee> agreed, which is why its only going on a VM
01:51 < dan__t> ./whois dan__t
01:51 < dan__t> heh
01:51 < krzee> zabbix hated my fbsd
01:51 < krzee> [02:51] * [dan__t] (n=dant@ns1.hitb.net): dant
01:51 < krzee> [02:51] * [dan__t] ##openvpn
01:51 < krzee> ??
01:53 < krzee> so im gunna see if zabbix is that much easier to get working on debian, if it is i will switch my completely unused VPS to debian and give it an actualy purpose
01:53 < krzee> actual
01:53 < krzee> since i wont be using the vps for anything other than monitoring 2 machines using zabbix, i believe it really doesnt matter what i run
01:55 < krzee> and while i far prefer gentoo to debian, im lazy and just want it to come with stuff ready
01:55 < blahdeblah> !topology
01:55 < vpnHelper> blahdeblah: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
01:59 < blahdeblah> Anyone else have a suggestion on http://linuxman.wikispaces.com/OpenVPN+remote+office+setup which i posted earlier?
01:59 < vpnHelper> Title: linuxman OpenVPN remote office setup (at linuxman.wikispaces.com)
01:59 < krzee> dan__t, was i supposed to learn something from the whois?
02:00 < krzee> blahdeblah, what was your question? i have no desire to read another walkthrough
02:00 < blahdeblah> It's not a walkthrough
02:00 < krzee> ok going
02:00 < blahdeblah> krzee: Basically, i'd like to be able to reconfigure remote offices without needing to disconnect all other remote offices
02:02 < krzee> you dont need to restart openvpn for that
02:02 < blahdeblah> You seem to on 2.0.9
02:02 < krzee> why do you believe you do?
02:02 < blahdeblah> Because i've tried signalling the running daemon, and it disconnected the other clients
02:02 < krzee> you dont need to signal either
02:03 < blahdeblah> So how do you add new client routes? It doesn't just automatically sense changes in the server startup config, does it?
02:03 < krzee> nope, you add the route
02:03 < krzee> all route command does is add a system route to the routing table
02:03 < blahdeblah> The documentation says that the route directive does something more than that
02:03 < krzee> do it manually after editing the config
02:03 < krzee> umm, no
02:03 < krzee> !man
02:03 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:03 < krzee> lemme read again
02:04 < krzee> Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
02:04 < krzee> This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
02:04 < blahdeblah> I'll try to find the spot
02:04 < krzee> note the second sentence
02:05 < krzee> the ccd entry does more
02:05 < blahdeblah> yeah - but there was something else that indicated otherwise.
02:05 < krzee> !iroute
02:05 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
02:05 < krzee> but ccd entries are read upon client connection, and therefore you dont need to signal
02:05 < krzee> btw, nice lil writeup
02:05 < krzee> feel free to steal anything you want from my similar writeup...
02:05 < krzee> !iroute
02:05 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
02:05 < krzee> errrr i mean
02:05 < krzee> !route
02:05 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:06 < krzee> thats my writeup
02:08 -!- _dan__t [n=dant@vpn.withparity.net] has joined ##openvpn
02:08 < blahdeblah> Yeah - read it already
02:09 < krzee> oh cool
02:09 -!- dan__t [n=dant@ns1.hitb.net] has quit [Read error: 104 (Connection reset by peer)]
02:09 < _dan__t> hmmmm
02:09 -!- _dan__t is now known as dan__t
02:09 < krzee> seems you read it correctly, your setup is good =]
02:09 < krzee> so ya, forget about signaling the process
02:10 < krzee> just add the route and let the client connect
02:10 < krzee> it'll be fine =]
02:10 < blahdeblah> Bah - can't find it
02:10 < krzee> you cant find it cause it doesnt exist
02:10 < krzee> --route explains what it does
02:10 < blahdeblah> My memory's not *that* bad. ;-)
02:10 < krzee> --route network/IP [netmask] [gateway] [metric]
02:10 < krzee> Add route to routing table after connection is established. Multiple routes can be specified. Routes will be automatically torn down in reverse order prior to TUN/TAP device close.
02:10 < krzee> This option is intended as a convenience proxy for the route(8) shell command, while at the same time providing portable semantics across OpenVPN's platform space.
02:10 < krzee> that is very clean
02:10 < krzee> err
02:10 < krzee> that is very clear
02:11 < blahdeblah> But basically what you're saying is that if i want to i can just route add 172.20.0.0/16 to tun0 and that should work.
02:11 < krzee> correct, just make it identical to the routes openvpn added
02:11 < krzee> thats all --route does
02:11 < blahdeblah> Identical, or equivalent?
02:11 < krzee> identical
02:12 < krzee> as explained by the 2 sentences i pasted from the manual 2x
02:12 < krzee> now if you were PUSHING the route, we'd have a problem
02:12 < blahdeblah> In my example i had 3 routes: route 172.20.11.0 255.255.255.0 / route 172.20.12.0 255.255.255.0 / route 172.20.13.0 255.255.255.0
02:12 < blahdeblah> I would much rather aggregate them into one
02:12 < blahdeblah> Is that feasible?
02:12 < krzee> cause then youd hafta manually add it to all clients' routing table to do what you want
02:12 < krzee> no
02:13 < krzee> lemme paste why from my writeup
02:13 < krzee> !route
02:13 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:13 < blahdeblah> I've read it already! :-)
02:13 < krzee> that was for me
02:13 < krzee> needed the link
02:13 < krzee> here:
02:13 < krzee> You may realize that client1 should not route 192.168.1.0 traffic over the vpn, and that client2 should not route 192.168.3.0 traffic over the vpn (because those networks are local to each client). Because of the iroute entries you will see below, openvpn knows this too and skips the push for the client.
02:13 < krzee> oh actually for local its fine
02:13 < krzee> thats for pushing
02:14 < blahdeblah> It doesn't matter anyway, because there's already a specific matching route via the local eth0
02:14 < blahdeblah> I just push 172.20.0.0/16 and it works fine - that is as it should be
02:14 < krzee> so sure, i guess you might be able to get away with making it 255.255.0.0
02:14 < blahdeblah> It's the server side that i just find a little clunky
02:15 < krzee> oh ya you do push a /16
02:15 < krzee> interesting
02:15 < krzee> oh well i guess it has a more specific route for its own already
02:15 < krzee> good call
02:15 < krzee> sure, you can do the same locally
02:16 < blahdeblah> I find that aggregating routes like that makes things a lot cleaner, and eliminates the need for dynamic routing in a lot of cases.
02:16 < krzee> then you never even need to add routes locally manually when adding a new client-lan
02:16 < blahdeblah> Now you're understanding me!
02:16 < krzee> just make the ccd entry and booya
02:16 < blahdeblah> That's it
02:16 < krzee> either way no signaling needed
02:16 < blahdeblah> I just want to know whether i should expect that to "just work"
02:17 < krzee> well i expect it to
02:17 < krzee> while i havnt done it, all my experience says it will
02:17 < blahdeblah> OK - i'll have another try
02:21 < krzee> basically, if it works for those 3, it'll work for the next ones you add
02:21 < blahdeblah> yeah
02:21 < blahdeblah> Trying now
02:21 < krzee> since you'll only be changing ccd configs from there on out
02:21 < blahdeblah> thanks for your help krzee
02:22 < theDoc> Say guys, if I wanted to migrate the existing vpn config files to another server of a different hardware, do I need to resign anything?
02:22 < krzee> ya man np, love helping someone who took time to read the docs and follow them
02:22 < theDoc> or generate new keys or any odd stuff like that?
02:22 < krzee> theDoc, nope
02:22 < krzee> all is well
02:22 < theDoc> krzee: Thanks, ;) It's all working now :)
02:22 < krzee> can be any supported OS as well
02:22 < krzee> although if its from windows to unix or vice versa theres some gotchas
02:22 < blahdeblah> theDoc: Just don't try to use it on the old hardware... ;-)
02:23 < theDoc> Oh yes.
02:23 < blahdeblah> (At the same time, i mean...)
02:23 < theDoc> It's running on a p4 at the moment
02:23 < theDoc> I might migrate it if there are more users
02:23 < krzee> like how you specify dirs and whatnot
02:23 < krzee> so the configs may need lil editing for things like that
02:23 < krzee> but certs are perfect
02:23 < theDoc> I'm only worried about the ca.crt, server.crt/key stuff
02:23 < theDoc> Cert and key stuff.
02:24 < theDoc> I can deal with the config files :)
02:24 < krzee> then you have no worries
02:24 < theDoc> Aye, thanks.
02:24 < krzee> np
02:29 < krzee> theDoc, you should be able to get quite a few users connected before you have HW issues
02:29 < krzee> how many are you thinking?
02:29 < theDoc> krzee: I'm not sure at the moment, I'm having a /30 for each user here on a /24 subnet
02:30 < theDoc> I might end up with something like, 64 users or so
02:30 < theDoc> before I run out of addresses
02:30 < krzee> ahh doing it for biz
02:30 < theDoc> ahh, yes
02:30 < krzee> ya some nice strong hw will be good in the future
02:31 < krzee> and when that time comes maybe you can switch to a /16 with /30's
02:31 < theDoc> krzee: It's for a mockup at the moment
02:31 < krzee> you need /30's?
02:31 < krzee> so they cant change ips for example
02:31 < theDoc> I don't expect a gazillion users tomorrow, we're just starting out with beta.
02:31 < krzee> sure i follow ya
02:31 < theDoc> krzee: /30's work fine for now, because each user should stick to their own tunnel and not touch another user
02:32 < krzee> without --client-to-client they cant anyways
02:32 < krzee> check out !topology for the way to use 1 ip / client
02:32 < theDoc> !topology
02:32 < vpnHelper> theDoc: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:32 < krzee> without --client-to-client clients cant communicate
02:32 < krzee> even if in same subnet
02:32 < theDoc> Yep, I don't have that enabled in my server.conf
02:32 < theDoc> No clients should be able to communicate anyway. ;p You're supposed to be "isolated"
02:33 < krzee> the server will smack down attempts
02:33 < krzee> right
02:33 < krzee> so you should be able to get away with that assuming you dont need to make sure to lock users into their own vpn IP
02:33 < krzee> if you do need to lock them into never being able to change VPN ips, then thats different
02:34 < krzee> in that case you wanna keep net30
02:34 < krzee> but otherwise, topology subnet in 2.1 is for you
02:35 < theDoc> krzee: There's no need for me to lock them into the vpn IP.
02:35 < krzee> then you can use 2.1 with topology subnet
02:35 < theDoc> krzee: Since this is really for mobile warriors to encrypt their data before sending it out to the public internet
02:35 < krzee> and then its 1 ip per client
02:41 < theDoc> krzee: Yep, that too.
02:41 < theDoc> Does openvpn support split-tunneling?
02:41 < theDoc> I don't suppose it does but it'll be interesting to see if it can perform like the Cisco ASA
02:42 < krzee> split tunneling??
02:42 < krzee> care to define that?
02:43 < theDoc> krzee: Like say, traffic destined for ip address_x doesn't get tunneled into the vpn, while the rest does.
02:43 < krzee> sure its a matter of what you route
02:43 < krzee> you control any routes you want, as does the user
02:44 < krzee> they will have their existing default route
02:44 < theDoc> Hmm.
02:44 < theDoc> Yep.
02:44 < krzee> but then they get 2 new default routes
02:44 < krzee> because you used def1
02:45 < krzee> which works because it adds slightly more specific routes, and therefore gets used instead of the existing one
02:45 < theDoc> ahh.
02:45 < krzee> you can add another more specific route to bypass that
02:45 < krzee> and another more specific route to bypass that
02:45 < krzee> etc until you are routing a single ip
02:45 < krzee> hehe
02:45 < theDoc> Windows is confusing the fuck out of me.
02:45 < theDoc> Stupid piece of shit.
02:45 < krzee> heh
02:51 < theDoc> Regardless, I'm extremely glad that my vpn tunnel is now working.
02:51 < theDoc> However, I'm wondering how the fuck can someone not know tcp/udp shit and become the head of network ops.
02:51 < krzee> lol
02:51 < krzee> all too common i believe
02:52 < theDoc> krzee: and that said person sent an email today asking me to stfu because .. I suggested something that everyone else agrees would work.
02:52 < theDoc> krzee: I build networks, I got told to stfu and stop spouting rubbish by someone who doesn't know tcp/udp :(
02:52 < krzee> i worked in a NOC for a couple months when i had a court case pending and couldnt use self employment to try to get an ankle bracelet if it came to that
02:52 < krzee> while at the NOC i couldnt believe the incompetence of my bosses
02:53 < theDoc> krzee: It's fucking ridiculous as to how these people can get a job.
02:53 < krzee> the guy who hired me wanted to backup his website which he couldnt access via ftp
02:53 < krzee> so i told him to use wget
02:53 < theDoc> Oh yes, wget works as well.
02:53 < krzee> but he had no clue what it was or how to do it
02:53 < theDoc> ..
02:53 < krzee> i told him to read the man page
02:53 < krzee> which he also couldnt figure out
02:53 < theDoc> doh!
02:54 < krzee> finally i just typed it in for him
02:54 < krzee> lol
02:54 < theDoc> I can understand if it's something cryptic like vpn configs.
02:54 < theDoc> But wget??! Hello??!
02:54 < krzee> im sure he couldnt figure out how to ssh in either
02:54 < theDoc> That's like saying, where is my f1 key!?
02:54 < theDoc> ...
02:54 < krzee> seriously
02:54 -!- fad_xxx [n=fad@pppoe-88-147-239-215.san.ru] has joined ##openvpn
02:54 < krzee> thats how bad it was
02:54 < theDoc> krzee: I've had people come and tell me how good they are at this whole "nix" thing and can't figure out scp
02:54 < theDoc> ;)
02:54 < krzee> lol
02:55 < krzee> i have a 830G scp going on right now
02:55 < theDoc> Oh nice.
02:55 < theDoc> What are you transferring?
02:55 < krzee> my old ZFS NFS xferring * to my new ZFS NFS
02:55 < krzee> [root@nfs /nfs]# du -h -d 1 .
02:55 < krzee> 369K ./work
02:55 < krzee> 76K ./torrents
02:55 < krzee> 28G ./win_bak
02:55 < krzee> 4.3G ./ron_paul
02:55 < theDoc> Ahh.
02:55 < krzee> 30G ./mac_apps
02:55 < krzee> 20G ./books
02:55 < krzee> 42G ./games
02:55 < krzee> 28G ./apple_bak
02:55 < krzee> 42G ./music
02:55 < krzee> 2.3G ./images
02:55 < krzee> 4.0K ./.TemporaryItems
02:55 < krzee> 61G ./win_apps
02:55 < krzee> 570G ./movies
02:55 < krzee> 828G .
02:56 < krzee> but the old one is only 100mbit nic
02:56 < theDoc> krzee: What is the -d flag? I don't seem to have that -d option on my redhat box
02:56 < theDoc> ;o
02:56 < krzee> so its slowwwww
02:56 < krzee> depth
02:56 < krzee> so it doesnt go past 1 dir deep
02:57 < krzee> <-- bsd
02:57 < theDoc> Oh, bsd.
02:57 < theDoc> Figures.
02:57 -!- bandini [n=bandini@host31-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
02:57 < krzee> FreeBSD 8.0-CURRENT-200902
02:58 < krzee> FreeBSD 7.0-STABLE
02:58 < krzee> also HUGE difference in the hardware
02:58 < dan__t> ok.
02:59 < dan__t> iptables wrapper works.
02:59 < dan__t> creates routes based off of SQL data
02:59 < dan__t> pushes those routes via ccd
02:59 < dan__t> lays down the law with iptables
02:59 < krzee> haha your setup is pretty nice
02:59 < dan__t> so clients can't try pushing their own routes
02:59 < krzee> umm
02:59 < theDoc> For some reason..
02:59 < krzee> pushing their own?
02:59 < dan__t> yeah.
03:00 < krzee> clients dont push anything
03:00 < dan__t> er.
03:00 < dan__t> adding a route to their table to go through the vpn
03:00 < krzee> ahh
03:00 < dan__t> That's what I meant by pushing, sorry.
03:00 < dan__t> So there's a very VERY restrictive ruleset of routes.
03:02 < dan__t> krzee, you do iptables?
03:02 < krzee> nah i use bsd
03:02 < krzee> this is my 3rd linux install
03:03 < dan__t> iptables -N INPUT-d8e8fca2dc0f896fd7cb4cb0
03:03 < dan__t> iptables -A INPUT -s 10.8.0.1 -m comment --comment "d8e8fca2dc0f896fd7cb4cb0031ba249 | re-assign to custom chain | gcj2" -j INPUT-d8e8fca2dc0f896fd7cb4cb0
03:03 < dan__t> iptables -A INPUT-d8e8fca2dc0f896fd7cb4cb0 -s 10.8.0.1 -d 4.2.2.2/32 -m comment --comment "d8e8fca2dc0f896fd7cb4cb0031ba249 | accept destination | gcj2" -j ACCEPT
03:03 < krzee> ive used gentoo before, had ubuntu on dualboot on my macbook pro (to get aircrack working without usb dongle), and now im tossing debian on a VM for testing stuffs
03:03 < dan__t> So, create a new table with a semi-random name that corresponds to the common name of the client cert
03:04 < dan__t> and send traffic through it
03:05 < theDoc> I wonder who's the lucky guy to be having a server with the ip address of 133.7.133.7
03:05 < dan__t> heh
03:05 < krzee> lol
03:05 < krzee> 13.37.13.37 too, right?
03:06 < theDoc> Oh, that too.
03:06 < krzee> :-p
03:07 < theDoc> https://ws.arin.net/whois
03:07 < vpnHelper> Title: ARIN: WHOIS Database Search (at ws.arin.net)
03:07 < theDoc> Japan-Internet
03:08 < krzee> umm
03:08 < theDoc> NetRange: 133.0.0.0 - 133.255.255.255
03:08 < theDoc> CIDR: 133.0.0.0/8
03:08 < theDoc> NetName: JAPAN-INET
03:08 < theDoc> NetHandle: NET-133-0-0-0-1
03:08 < theDoc> ;D
03:08 < krzee> [root@nfs2 /storage/nfs]# whois
03:08 < krzee> heh
03:08 < theDoc> Oh right, that too
03:08 < theDoc> wtf
03:08 -!- fad_xxx [n=fad@pppoe-88-147-239-215.san.ru] has quit [Read error: 54 (Connection reset by peer)]
03:08 < krzee> be lazier!
03:08 < krzee> ;]
03:08 < theDoc> Be lazy!
03:09 < theDoc> respectively owned by japan and xerox
03:10 < krzee> neither responds to ping
03:11 < theDoc> Yep.
03:11 < theDoc> I got a destination host unreachable for the xerox one
03:18 -!- bandini [n=bandini@host234-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
03:21 -!- onats_ [n=onats@unaffiliated/onats] has quit [Connection timed out]
03:22 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:02 < blahdeblah> krzee: Thanks for the help - i've updated my wiki page to reflect
04:02 < blahdeblah> Works well now
04:02 < krzee> np =]
04:04 < krzee> where you mention topology subnet you may want to make mention that its like ifconfig-pool-linear but compatible with windows
04:05 < krzee> thanx for linking in my writeup and the shoutout =]
04:05 < blahdeblah> good point
04:06 < krzee> also, openvpn2.1 is available in centos
04:07 < krzee> the source will compile painlessly ;]
04:10 < dan__t> why does $common_name passed to a client-connect script contain a trailing underscore
04:11 < krzee> dunno
04:11 < dan__t> wtf
04:11 < krzee> you're the first ive actively seen use a client-connect
04:12 < dan__t> wtf
04:12 < dan__t> seriously?
04:12 < krzee> ive recommended it before to some
04:12 < krzee> but they say oh cool thanx and i never hear from them again
04:12 < krzee> hehe
04:12 < dan__t> heh
04:16 < theDoc> lmao, http://digg.com/d1o084
04:16 < vpnHelper> Title: Raccoon bites off man's penis after attempted rape (at digg.com)
04:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:36 < dan__t> Welp, I need to pass out.
04:37 < dan__t> Have a good one, thanks again for the help, krzee.
04:43 < krzee> yw
04:58 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
04:58 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
04:59 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
05:13 -!- dazo|h [n=David@r9dm48.net.upc.cz] has joined ##openvpn
05:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:19 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
06:22 < lataffe> !howto
06:22 < vpnHelper> lataffe: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:22 < lataffe> !route
06:22 < vpnHelper> lataffe: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:27 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit []
06:56 < onats_> hey guys
06:56 -!- onats_ is now known as onats
07:00 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
07:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:52 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
08:27 -!- rhousand [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn
08:28 < rhousand> whats the best way to remove an ex-employee from openvpn?
08:31 < plaerzen> remove his server-side keys?
08:32 < ecrist> you need to revoke his certificate
08:33 < rhousand> thanks!
08:39 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 104 (Connection reset by peer)]
08:40 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
08:45 -!- dazo|h [n=David@r9dm48.net.upc.cz] has quit ["Leaving"]
08:51 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
08:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
08:57 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Client Quit]
09:00 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
09:08 -!- belZe [i=server3@p5091CAF6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
09:10 -!- m31k0r [n=m31k0r@142.Red-81-33-47.dynamicIP.rima-tde.net] has joined ##openvpn
09:10 < m31k0r> hi
09:10 < m31k0r> does anybody know if it's possible to use windows key repository in openvpn configuration?
09:13 < rhousand> I think that I am using the same key for every client? http://pastie.org/438408
09:17 < rhousand> can i still kill only one user?
09:21 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 104 (Connection reset by peer)]
09:22 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
09:27 -!- m31k0r [n=m31k0r@142.Red-81-33-47.dynamicIP.rima-tde.net] has quit ["Saliendo"]
09:27 < karlpinc> I'm having problems trying to build a win32 openvpn 2.1 rc15 installer on Debian etch. First, the domake-win and related scripts are not executable. After working around that I get 'configure: error: OpenSSL Crypto library not found.' which I believe is due to pointing ./configure --with-ssl-lib=$H/$OPENSSL_DIR/out, which has Windows executables so no wonder the test fails. What should I do to build a Windows installer?
09:42 -!- tsunami [n=tsunami@64.119.141.126] has quit []
09:43 < dazo> karlpinc: just a dumb question, since I don't know .... but is OpenVPN supposed to support win32 building on Linux at all?
09:43 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
09:45 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
09:45 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
10:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:05 -!- tsunami [n=tsunami@64.119.141.126] has quit [Read error: 113 (No route to host)]
10:07 < karlpinc> dazo : I thought so.
10:07 -!- tsunami [n=tsunami@64.119.141.126] has joined ##openvpn
10:08 < dazo> dazo: which cross compiler are you using?
10:08 < dazo> karlpinc: ^^
10:08 < kala> karlpinc: See INSTALL-win32.txt for more info
10:09 < karlpinc> dazo : The domake-win says to install MinGW
10:10 < dazo> karlpinc: Yeah, Fedora Project has put some effort into building win32 apps on Linux .... might be you need to have a look how to do that, including the OpenSSL part .... might be you need to build the OpenSSL with MinGW first
10:10 < karlpinc> kala : That's for installing pre-built binaries on Windows.
10:10 < karlpinc> dazo : Supposedly openvpn has a tarball with pre-built binaries already.
10:10 < kala> hmm
10:11 < dazo> karlpinc: it should all be available from http://www.openvpn.net/ ... but might be that only source is as tar ball ....
10:11 < vpnHelper> Title: Welcome to OpenVPN (at www.openvpn.net)
10:11 < karlpinc> dazo: I've installed it. The problems come later.
10:12 < dazo> I see
10:12 < karlpinc> Maybe I should ask the openvpn-users mailing list, or the devel list?
10:12 < theDoc> Does anyone have documentation on how to set up openvpn to use user/pass for clients?
10:13 < theDoc> I can't seem to find anything substantial. Is this even supported?
10:13 < karlpinc> theDoc : Yes. I've done it. Used the manual and the HOWTO. The server side is linux though.
10:13 < dazo> karlpinc: try the -devel list
10:13 < karlpinc> dazo: Will do.
10:14 < kala> karlpinc: http://openvpn.net/index.php/documentation/install.html?start=1 and scroll down to "Notes -- Building from source"
10:14 < vpnHelper> Title: Installation (Win32) - Page 2 (at openvpn.net)
10:14 < theDoc> karlpinc: Yes, I have a nix server. I would prefer to do user/pass authentication as opposed to using certs as I do now.
10:14 < dazo> theDoc: how do you want to authenticate users? against a separate user database (virtual users) or against PAM?
10:14 < theDoc> dazo: I'd say user database.
10:15 < karlpinc> dazo : (Pam will do virtual users too.)
10:15 < dazo> theDoc: have a look at http://www.eurephia.net/
10:15 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:15 -!- MarcWeber [n=marc@88.80.200.63] has joined ##openvpn
10:15 < MarcWeber> Mon Apr 6 17:14:11 2009 write to TUN/TAP : Invalid argument (code=22)
10:15 < MarcWeber> Is this a serious error?
10:15 < theDoc> dazo: Thanks.
10:15 < dazo> karlpinc: Wasn't aware of that ... but I'm going to dig more upon PAM auth later on :)
10:16 < dazo> theDoc: You might actually want to take the latest version from git at the moment ... worst case, I can pull it down and do a quick tar ball for you, but git is preferred right now
10:17 < ecrist> you're best off getting PAM auth working, most authentication schemes out there have PAM modules
10:17 < theDoc> Ohh, dazo. You're the developer for it? :o
10:17 < dazo> theDoc: I am
10:17 < dazo> theDoc: it's a work in progress ... but I have it running in production on one site already, so it works very well in that setup
10:18 < theDoc> ahh.
10:18 < theDoc> dazo: I'll give it a go. Will donate money to help development process
10:18 < dazo> theDoc: well, I'm working 100% with Open Source already .... so it won't help too much right now .... but I'll consider it
10:19 < theDoc> ahh, ok.
10:19 < dazo> theDoc: but my employer allows me to spend some time on eurephia in work hours as well
10:19 < theDoc> dazo: How far in are you into the dev?
10:19 < theDoc> Oh, that's nice.
10:19 -!- mikey| [n=Mikey@93-96-140-104.zone4.bethere.co.uk] has joined ##openvpn
10:19 < dazo> theDoc: I'm putting together the last details for the admin utility, a few more features which must go in ... and then 0.9.4_beta release will come
10:19 < karlpinc> kala : Looks like there you're expected to be running Windows....
10:20 < dazo> theDoc: and if that is stable ... it's only some nice docs missing to make it a 1.0 release
10:20 * dazo has already spent some time putting together the docs as well
10:20 < mikey|> hi, i set up vpn on my remote linux server and I installed the client on my windows laptop. Everything loads fine but no traffic is routed through the vpn interface. Any ideas why?
10:20 < dazo> mikey|: have you setup routes?
10:21 < theDoc> dazo: Ah, ok. I'm going to require this module for a production machine, should I be going with your stable or developers release?
10:21 < mikey|> dazo: no, I didnt know I had to add routes, I followed a guide from a blog
10:22 < dazo> theDoc: if you pull the git tree ... you'll get what's ready for the 0.9.4 beta release basically .... it's just admin utility tweaks ... the auth module for openvpn has been stable for quite some time
10:22 < theDoc> Oh, ok.
10:22 < dazo> mikey|: have a look at !route
10:22 < dazo> !route
10:22 < MarcWeber> Where is the right place to add extra routing commands which should be executed when openvpn starts up?
10:22 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:22 < mikey|> thanks
10:23 < theDoc> dazo: I'll give it a roll and see how it goes, thanks! :)
10:23 < dazo> theDoc: What's missing in admin utility is features for add/delete/list blacklisted usernames, certificates and IP addresses ... and the same for resetting attempt counts ... except for that, it's ready
10:24 < dazo> theDoc: cool! Don't hesitate to contact me if you stumble upon something
10:24 < MarcWeber> Can I switch off encryption? I only need a tunnel. Will this gain much performance? (700kbits/s)
10:24 < dazo> theDoc: I'm willing to do quick fixes if you find something critical
10:25 < karlpinc> MarcWeber : Yes and yes.
10:25 < karlpinc> MarcWeber : Or save cpu cycles anyway.
10:26 < theDoc> dazo: I seem to have a cmake issue, well, I think it's on my end anyway ;p
10:26 < dazo> theDoc: which cmake version do you have?
10:27 < dazo> theDoc: I'm wondering how well it works with the 2.4 version .... I know 2.6 should work pretty okay
10:27 < karlpinc> kala, dazo : It's all starting to make sense. I think I'm supposed to be building on MS Windows. :-P
10:27 < theDoc> cmake is 2.6
10:27 < theDoc> However, I'm getting this error.
10:27 < dazo> karlpinc: good to know :)
10:28 < theDoc> dazo: http://pastebin.com/m37a59323
10:28 < dazo> theDoc: you need libxml and libxslt probably too
10:29 < dazo> theDoc: CMAKE_C_COMPILER not set ... that's an odd one ...
10:29 < theDoc> dazo: Yep, I have those already.
10:29 < theDoc> and yes, that's odd.
10:29 < karlpinc> dazo : I'm suffering a quick change of plans. ;-) All I really want is a custom installer, so I'm switching to using the NSIS installer maker on linux and I'll just get the windows binaries directly from openvpn.
10:29 < theDoc> dazo: Would you have any idea on that cmake_c_compiler issue?
10:30 < dazo> theDoc: which distro are you using?
10:30 < dazo> theDoc: I've tried to build this on SuSE, Fedora, Gentoo, of different versions .... and never seen the CMAKE_C_COMPILER error ....
10:30 < theDoc> That's odd.
10:31 < kala> karlpinc: thats what we were suspecting as well
10:31 < dazo> theDoc: --openvpn-src .... this one needs a path to the openvpn source code
10:31 < theDoc> dazo: I installed openvpn via an rpm.
10:31 < dazo> karlpinc: NSIS for Linux? Can you pin-point me to somewhere? .... I'm into such a project myself to setup my own Win installer
10:32 < theDoc> So in this case, where exactly do I point it? :o
10:32 < dazo> theDoc: yeah ... but eurephia needs a patch into the openvpn source as well
10:32 < theDoc> Ohh.
10:32 < theDoc> Hmm.
10:32 < dazo> theDoc: please have a look at the wiki pages ... I believe they should be pretty much straightforward ... at least I hope
10:32 < karlpinc> If I download the 2.1 rc15 zip version am I getting MS Windows binaries?
10:33 -!- Swiatecki [n=ns@0x5739be9e.arcnqu1.dynamic.dsl.tele.dk] has joined ##openvpn
10:33 < karlpinc> dazo : Debian has a NSIS package. (Natch. ;-)
10:33 < karlpinc> dazo : Otherwise, I dunno. Get it from the product website?
10:33 < theDoc> dazo: Let me go mess around with it, I'll give it a go
10:34 < dazo> theDoc: the issue is that eurephia does authentication against the certificate SHA1 digest, which is sent from openvpn to the plug-ins ... so I've added a patch to only add that, and it's not upstream yet ... I hope it will be at some day :)
10:34 < ecrist> debian just released support for the FreeBSD kernel. muahaha!
10:34 < ecrist> freebsd is getting closer to world domination.
10:34 < MarcWeber> When I don't use secret static.key
10:34 < theDoc> ahh, ok
10:34 < dazo> sounds like debian wants to be DebianBSD ....
10:35 < MarcWeber> will this switch off encryption?
10:35 < ecrist> http://lists.debian.org/debian-devel-announce/2009/04/msg00001.html
10:35 < vpnHelper> Title: New architectures (at lists.debian.org)
10:36 -!- benedictus [n=chatzill@152.70-243-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn
10:37 < MarcWeber> karlpinc Do you just know how to switch off encryption?
10:40 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
10:40 < theDoc-> fuck.
10:40 < theDoc-> Stupid wireless shit
10:41 -!- mikey| [n=Mikey@93-96-140-104.zone4.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
10:41 < MarcWeber> What does this push exactly mean? Does this mean that these routes are set up at the client?
10:44 < dazo> MarcWeber: push means that the option you push will be "setup" on the client .... the server pushes an option to the connected clients config
10:45 < MarcWeber> dazo So I got that right. How can I run commands such as iptables -A POSTROUTING -s ... -j MASQUERADE automatically on server startup?
10:45 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
10:45 < MarcWeber> and remove them on tear down?
10:46 < karlpinc> MarcWeber : It means that you can change the client's config dynamically by changing the server's config, so you don't have to mess with the client config if the stuff you push changes.
10:46 < dazo> MarcWeber: you'll probably need to tweak the startup scripts
10:46 < karlpinc> MarcWeber : I forget how to turn off encryption. I think it's the --crypt arg.
10:47 < MarcWeber> karlpinc Removing the static key made it faster. So probably this turned it off as well
10:47 < MarcWeber> I feel I finally can setup traffic shaping today :))
11:00 -!- tsunami [n=tsunami@64.119.141.126] has left ##openvpn []
11:02 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:04 < MarcWeber> So manually editing /etc/init.d/openvpn is the way to add iptables commands? I'll try
11:09 < karlpinc> Humm... How can I get all the stuff that comes in the pre-compiled Windows version, without the installer so I can make my own installer?
11:09 < MarcWeber> When adding additional networking setup, which is the recommended way of waiting till openvpn has set up the tun devices?
11:10 < MarcWeber> Using a while ! ifconfig | grep .. ; loop ?
11:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:17 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
11:27 -!- Swiatecki [n=ns@0x5739be9e.arcnqu1.dynamic.dsl.tele.dk] has quit ["Ex-Chat"]
11:29 -!- olger901 [n=olger901@cable-159-18.zeelandnet.nl] has joined ##openvpn
11:29 < olger901> !configs
11:30 < vpnHelper> olger901: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:30 < olger901> !route
11:30 < vpnHelper> olger901: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:31 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
11:36 < olger901> How can I access local clients behind the VPN server (the local clients are inside the same local subnet as the vpn server) network using routing mode?
11:36 < olger901> Because both the clients behind the openvpn server and the clients connecting to the openvpn server would need to know the route...
11:38 < dazo> olger901: you need to setup routes .... and it is pretty well explained in !route
11:39 < reiffert> dazo: In this very moment I was about to point him to the topic :)
11:40 < olger901> I just read that part indeed
11:40 < olger901> But users only need to be able to access the network behind the VPN server, they shouldn't be able to access each other's network ;)
11:40 < dazo> olger901: if running Linux ... you may also check that /proc/sys/net/ipv4/ip_forward is set to 1 ... (cat and echo) ... and also check your firewall settings, to make sure you allow traffic to be forwarded between tun/tap and your internal network
11:41 < dazo> olger901: then you can just skip the "iroute" part of that guide ... it's the same principles
11:41 < reiffert> dazo: he is still missing a static route on his lan gateway.
11:41 < dazo> reiffert: oh true!!
11:41 < reiffert> pointing to his ovpn server
11:41 < dazo> thx!
11:41 < dazo> olger901: ^^^
11:42 < olger901> Yeah, thats the part I'm missing
11:42 < olger901> Or which I don't fully understand... :$
11:43 < olger901> but from what I think, all I would need to do is add an iroute in the server config file, for the server config right?
11:44 < dazo> olger901: on that router (your default gateway) you'll need to add an explicit route ... so if your VPN network is 10.8.0.0/24 ... and your OpenVPN is 192.168.1.130 ... you need on the default gw to add a route like this: route add -net 10.8.0.0/24 gw 192.168.1.130 ... that's all, basically ... but it needs to be tweaked to match your setup and OSes
11:44 < dazo> olger901: no, iroute is only for accessing network behind openvpn clients
11:45 < olger901> on the router, which the openvpn server is behind right?
11:45 < dazo> on your default gateway, you must add this extra route
11:46 < olger901> dazo: What do you mean with your default gateway; the gateway of the openvpn server, or the gateway of the home clients?
11:46 < dazo> from how things were described here ... I have understood that you have an openvpn server in the inside of your default gateway/internet router
11:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
11:47 < dazo> olger901: let's try to make a quick "drawing"
11:47 < dazo> olger901: ------{internet}----------
11:48 < dazo> and the other clients on your "LAN" are behind (to the right of) "your Internet router"
11:48 < dazo> right?
11:48 < olger901> OpenVPN client 192.168.3.x ---- internet ------ Router (LAN: 192.168.0.254) (WAN: 82.176.xx.xx) ---------- OpenVPN Server (192.168.0.1)
11:49 < olger901> so at work, there's a router with 1 WAN IP, behind the router there are various clients and one server
11:49 < dazo> good! your default gateway is 192.168.0.254 for computers on the LAN
11:49 < olger901> the server has linux with openvpn installed
11:50 < olger901> the clients at home usually 192.168.1.x need to be able to connect to the openvpn server and take over their own computers using rdp
11:50 < dazo> olger901: so at this router (192.168.0.254) you need to add an explicit route, which says that route VPN network via gateway
11:50 < olger901> and then all clients would be accessible as well?
11:50 < dazo> olger901: this setup you're working on here is pretty much straightforward
11:51 < dazo> olger901: no, because you don't use iroute ... but this is the tricky thing about routing
11:51 < reiffert> dazo: what kind of gateway are you using within your LAN?
11:51 < dazo> olger901: your VPN client sends a request to reach 192.168.0.94 (f.ex) ... the OpenVPN client will route this through the VPN to the server, and the server to the client
11:52 < olger901> yeah
11:52 < olger901> Client -> Router at work -> Server at work -> Remote Computer
11:52 < dazo> olger901: then when 192.168.0.94 replies to that package, it does not know the route back, so it goes to the default gateway - your 192.168.0.254
11:52 < olger901> correct
11:53 < olger901> so I would need to add a route like: route add -net 192.168.100.0/24 gw 192.168.0.254 (100 is the VPN subnet)
11:53 < dazo> olger901: and then your default gateway must have a route which then understands that your VPN network needs to go through your OpenVPN server ... or else it will send the traffic straight out on WAN
11:53 < reiffert> olger901: sounds good.
11:53 < dazo> olger901: that is correct
11:54 < reiffert> olger901: what is the openvpn server, 0.254?
11:54 < dazo> olger901: just remember, it must be on your default gw
11:54 < olger901> the server (all in one small sbs server) is 0.1, the router is .0.254
11:54 < dazo> (192.168.0.254 box)
11:54 < reiffert> dazo: 0.254 is his default gw, and not the openvpn server
11:54 < olger901> you mean it must be on the same subnet right?
11:54 < reiffert> on the default router do: route add -net 192.168.100.0/24 gw 192.168.0.1
11:55 < reiffert> where default router is 0.254 and openvpn server is 0.1
11:55 < dazo> olger901: ^^ that is a good explanation
11:56 < olger901> uhm, sorry for all the confusion, but why route it through 0.1, cause it's the OpenVPN server?
11:56 < olger901> and OpenVPN will automatically know how to route it back to the client?
11:57 < dazo> olger901: yes, traffic coming from the VPN via the OpenVPN server needs to go back to the OpenVPN server when the client responds
11:57 < olger901> ok, then everything is clear to me, thanks a lot for clearing that up :)
11:57 < dazo> olger901: np! :)
11:58 < reiffert> lets wait until it works.
11:59 < dazo> reiffert: pessimistic? :-P
11:59 -!- innnit [n=andre@79-73-46-223.dynamic.dsl.as9105.com] has joined ##openvpn
11:59 < olger901> I won't know until tomorrow, when I can try to connect remotely :P
12:01 < reiffert> olger901: A PC, lets call it 192.168.0.123 wants to send a packet to 192.168.100.25
12:02 < reiffert> olger901: as 100.25 is not on the same subnet as 0.123, that packet will travel to the default router.
12:02 < reiffert> the default router will answer "Oh, a packet to 100.25, send it to the openvpn server, 192.168.0.1"
12:02 < olger901> Yeah, the default router does know what to do with it, because of the static route, forwards it to 0.1 like stated in the router and 0.1 forwards it back to the client
12:03 < reiffert> actually the packet will get resent and 0.123 will remember the alternative path for some time.
12:04 < karlpinc> Looks like p7zip can be used to extract the files from the Windows nsis installer.
12:04 < reiffert> 0.1 will hand the packet to 100.25, who should know about the 0.0/24 net because of push "route 192.168.0.0 255.255.255.0"
12:05 < olger901> Isn't there a way to make this easier / automatic, like OSPF or something?
12:05 < dazo> olger901: it is easy already, you just need to learn it :-P
12:06 < dazo> "Science should explain things as simply as possible but no simpler" (Albert Einstein)
12:07 < olger901> Well, this isn't exactly science, this is called system and network administration :P
12:08 < dazo> for me ... network = computer science ;-)
12:08 < reiffert> olger901: all right, read the fucking manual.
12:08 < dazo> heh
12:09 < olger901> lol :P
12:09 < olger901> Manuals don't tell everything either, experience is one of the most important things in this business IMHO
12:10 < dazo> +1
12:10 * reiffert sees many dollars.
12:10 < reiffert> gimme all you have and I let you share my experience :)
12:11 < olger901> I can share mine too in return for exp, but my knowledge is mostly windows SBS based networking unfortunately :P
12:13 < reiffert> This explains why you think that manuals dont tell everything.
12:14 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
12:15 < olger901> lol, I know they mostly do in Linux, and if the manual doesn't, google often does, but I'm no linux dummy either :P
12:17 < olger901> btw, would I need both the push route and the regular route directives in my server configuration file? :P
12:22 < MarcWeber> olger901: Depends on what you want to do. If the ip of your connection line is on a different subnet than your vpn on the server side you have to use a route
12:23 < karlpinc> olger901 : Read the networking admin guide at tldp.org. It's old but the principles continue to apply.
12:27 < olger901> Ok, found it, don't really think I need it
12:27 < olger901> bb in 30
12:38 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has left ##openvpn []
12:39 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
12:44 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Connection timed out]
13:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:30 -!- benedictus [n=chatzill@152.70-243-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit]
13:30 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
13:36 < ecrist> !dns
13:36 < vpnHelper> ecrist: Error: "dns" is not a valid command.
13:36 < dan__t> HI.
13:38 < ecrist> !learn dns as Level3 open recursive DNS server at 4.2.2.1
13:38 < vpnHelper> ecrist: Joo got it.
13:38 < ecrist> howdy, dan__t
13:39 < dan__t> How's it goin man
13:39 < ecrist> working for the man, atm
13:39 < dan__t> don't forget 4.2.2.2, 4.2.2.3, 4.4.4.4 iirc
13:39 < dan__t> Ah hah. Today's my day off... today is hardcore hack on projects day.
13:39 < ecrist> !forget dns
13:39 < vpnHelper> ecrist: Joo got it.
13:40 < dan__t> So now that I know that iptables can handle > 20k chains.....
13:40 < dan__t> I can proceed with my POC.
13:40 < ecrist> !learn dns as Level3 open recursive DNS server at 4.2.2.1
13:40 < vpnHelper> ecrist: Joo got it.
13:40 < ecrist> dan__t: those other addresses you gave aren't recursive
13:40 < dan__t> Uh, I thought they were
13:40 < dan__t> That's why I said "IIRC" :)
13:41 < dan__t> I knew 4.2.2.1 for sure.
13:41 < ecrist> 4.4.4.4 doesn't respond and the other two forward to root zones
13:41 < dan__t> Yeah they do.
13:41 < dan__t> I'm up to .20
13:42 < dan__t> Are you hizzigh?
13:43 < ecrist> what?
13:45 < dan__t> what
13:45 < dan__t> they are recursive
13:45 < dan__t> uh unless they use 4.2.2.1 as a forwarder
13:49 < ecrist> actually, level 3 uses anycast addressing, which means all those you're using are actually talking to the same server.
13:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:51 < dan__t> Got it.
14:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
14:24 < karlpinc> I was wrong, p7zip won't get me the content of the openvpn nsis installer. I'll probably end up finding a Windows box to compile it on. It's too bad it won't cross compile. :-P
14:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:41 -!- dirkD [n=dirk@dirkdokter.nl] has quit [Remote closed the connection]
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:41 -!- AnAnt [n=anant@217.139.224.193] has joined ##openvpn
15:44 < AnAnt> Hello, I configured the openvpn server such that it pushes to reach the subnet behind the server
15:44 < AnAnt> yet on the client, I find that the default gateway route has been replaced
15:44 < krzie> server and clients have different LAN subnets?
15:44 < AnAnt> yup
15:45 < AnAnt> server: 192.168.1.x
15:45 < AnAnt> client: 192.168.99.x
15:45 < krzie> redirect-gateway being used?
15:45 < AnAnt> nope
15:45 < krzie> what is the vpn subnet?
15:46 < AnAnt> vpn subnet is 10.8.0.x
15:46 < krzie> !configs
15:46 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:46 -!- nemysis [n=nemysis@41-21.107-92.cust.bluewin.ch] has joined ##openvpn
15:50 < AnAnt> krzie: http://pastebin.com/maf9c89f
15:51 < krzie> not saying this is the problem, but rc11 has known problems
15:51 < krzie> moving up to rc15 would be a good idea
15:53 < krzie> still waiting for client config
15:53 < krzie> why are you using dev tap?
15:53 -!- innnit [n=andre@79-73-46-223.dynamic.dsl.as9105.com] has quit [Read error: 60 (Operation timed out)]
15:54 < AnAnt> krzie: how would the client access the subnet without tap ?
15:54 < krzie> tun
15:54 < krzie> you're using routed config over tap anyways
15:54 < AnAnt> krzie: will I be able to do ssh, and so over tun ?
15:54 < krzie> tun is layer3 (aka ip layer)
15:55 < krzie> tap is layer2, but you're using it to do routed over
15:55 < krzie> which means you're wasting the overhead for no reason
15:55 < krzie> !tunortap
15:55 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
15:55 < AnAnt> I see
15:55 < krzie> the client can access the subnet because of the push route
15:56 < krzie> has nothing to do with tap
15:56 < krzie> still waiting on client config
15:56 < AnAnt> krzie: I use network manager at client
15:56 < krzie> !ubuntu
15:56 < vpnHelper> krzie: "ubuntu" is dont use network manager!
15:56 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn
15:56 < krzie> find the config, it exists...
15:57 < MarcWeber> http://mawercer.de/~marc/net.svg That's the basic setup that I'd like to set up. However I'd like to use openvpn instead of socat
15:57 < krzie> also i see you're using ipp.txt
15:57 < krzie> !ipp
15:57 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
15:57 < MarcWeber> Is there some documentation telling me how to route all traffic but the openvpn connection through the vpn tunnel ?
15:58 -!- mtoledo [n=user@c906c009.virtua.com.br] has left ##openvpn ["ERC Version 5.0 $Revision: 1.743 $ (IRC client for Emacs)"]
15:58 < krzie> MarcWeber, you need redirect-gateway, NAT, and ipforwarding
15:58 < krzie> what os is the server on MarcWeber ?
15:58 < MarcWeber> krzie linux
15:58 < krzie> !def1
15:58 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:58 < krzie> !linnat
15:58 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:58 < krzie> !linipforward
15:58 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
15:58 < krzie> there ya go
15:58 < krzie> oh and:
15:58 < krzie> !sample
15:58 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:00 < MarcWeber> krzie: ;-) Don't flood. The MASQUERADING option does already work. I was still looking for the SNAT line though. My problem is the client side.
16:01 < MarcWeber> When setting the default route to route through the tunnel nothing seems to work anymore.
16:01 < MarcWeber> The strange thing is that even tcpdump -i tun0 no longer shows any packages..
16:02 < MarcWeber> krzie Am I right that I have to use two different routing tables: One for the openvpn connection and one for everything else ?
16:02 < krzie> marc, using routed tun, right?
16:03 < AnAnt> krzie: if I use tun, should I still do: push "route 192.168.1.0 255.255.255.0" at the server ?
16:03 < krzie> AnAnt, honestly, only if you use tun, as theres almost no reason to ever use tap with server command
16:03 < krzie> so yes
16:04 < MarcWeber> krzie: I'm not sure what routed tun refers to. Let me look it up
16:04 < krzie> you using dev tun?
16:04 < krzie> and server as opposed to server-bridge
16:06 < MarcWeber> krzie: http://rafb.net/p/1fbUR680.html
16:07 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:07 -!- innnit [n=andre@92.40.202.113.sub.mbb.three.co.uk] has joined ##openvpn
16:07 < MarcWeber> That's my setup which does already work when only routing all connections from a specific user id.
16:08 < MarcWeber> Probably this is called routed tun (?)
16:10 < AnAnt> krzie: thanks, solved !
16:11 < AnAnt> krzie: 1) used tun, 2) found an option in NetworkManager to disable using VPN as default route
16:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:12 < krzie> np AnAnt
16:13 < krzie> MarcWeber, yes thats a ptp tun
16:14 < MarcWeber> krzie Have you seen my picture?
16:14 < krzie> i have
16:14 < MarcWeber> So is a ptp tun the right tool ?
16:14 < krzie> your NAT is wrong
16:15 -!- AnAnt_ [n=anant@41.237.147.119] has joined ##openvpn
16:15 < AnAnt_> krzie: thanks, solved !
16:15 < AnAnt_> krzie: 1) used tun, 2) found an option in NetworkManager to disable using VPN as default route
16:15 < krzie> yup, good job =]
16:15 < krzie> MarcWeber your NAT is wrong
16:16 < krzie> why would packets coming from the vpn have a src address of 192.168.2.0/24 when the vpn uses 10.8.0.2 10.8.0.1
16:16 < MarcWeber> krzie Because I routed them into the tunnel this way?
16:16 < krzie> wrong!
16:16 < krzie> !linnat
16:16 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:16 < MarcWeber> http://rafb.net/p/3DhW1I15.html @ krzie line 24
16:16 < vpnHelper> Title: Nopaste - No description (at rafb.net)
16:16 < krzie> you want the command EXACTLY as i have it in #1
16:17 < AnAnt_> krzie: now I got a question, the subnet @ server side is 192.168.1.x, what if the subnet @ client side is also 192.168.1.x , will I be able to access both internet websites & vpn sites at the same time ?
16:17 < krzie> anayou will break routing in that situation
16:17 < krzie> err
16:17 < AnAnt_> krzie: ok, I thought so
16:18 < krzie> which is why its nice to make sure to use some weird lan number for lans where you connect the whole lan to ovpn
16:18 < krzie> like your client's lan is(assuming a road-warrior setup)
16:18 < krzie> if people wont be logging in from unknown locations, it dont matter much
16:19 < AnAnt_> ok
16:19 < krzie> anant_, if you will be adding more lans, you may find my routing writeup handy
16:19 < krzie> !route
16:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:19 < krzie> or if you just wanna learn more about openvpn routing
16:20 < MarcWeber> krzie First of all it worked. Your setup (#1) says -s 10.8.0.0/24, but my local LAN is 192.168.2.*. I can't do nat on the client because I need the 192.168.2.x ips on the vserver to do traffic shaping.
16:21 < krzie> YOU ARENT NATing YOUR LOCAL LAN
16:21 < krzie> you need to nat your vpn lan
16:22 < krzie> the vpn subnet rather
16:22 < krzie> and for traffic shaping
16:22 < krzie> see --shaper in the manpage
16:22 < krzie> !man
16:22 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:23 < AnAnt_> krzie: thanks for the help
16:23 < AnAnt_> bye
16:23 -!- AnAnt_ [n=anant@41.237.147.119] has quit ["leaving"]
16:26 < MarcWeber> krzie That's a new option I didn't know about. I thought I had to use tc commands (which can be created by tcng)
16:26 < MarcWeber> I'll read more vpn documentation first to understand what you've said
16:28 < krzie> sounds good
16:28 < krzie> remember, you're contacting the client over the tunnel
16:28 < krzie> which has a 10.8.0.x ip
16:28 < krzie> so your packets will come with that source address
16:29 < krzie> and THAT will be the ip that needs to be NATed
16:29 < krzie> anything else will be lulz
16:29 -!- AnAnt [n=anant@217.139.224.193] has quit [Read error: 110 (Connection timed out)]
16:42 < MarcWeber> You say I can't send a package originating from 192.168.x.x through a 10.8.0.1 <----> 10.8.0.2 virtual cable ?
16:42 < krzie> im telling you that you need to nat 10.8.0.x
16:42 < krzie> i dont care if you choose to believe me or not, you came here for help and i gave you the answer
16:43 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
16:44 < krzie> thats all i can do
16:44 < MarcWeber> krzie: At which point will the nat (network address translation) take place exactly? Must this be done on the client (before entering the tunnel) or at the end of the tunnel?
16:44 < krzie> the side that is being routed through
16:45 < krzie> packets go from A to B to inet, B needs to NAT the vpn network
17:12 < dan__t> hmm
17:16 -!- blahdeblah [n=paulgear@124-171-161-177.dyn.iinet.net.au] has quit ["Leaving."]
17:16 -!- mtoledo [n=user@189.102.205.95] has joined ##openvpn
17:44 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn
17:44 < hagna> so what do you do to avoid conflicts between two clients on the same subnet?
17:44 < krzie> change one
17:45 < hagna> on the client side or server side?
17:45 < krzie> same subnet different network, and not sharing the LAN behind it = no problem
17:46 < krzie> same subnet different network, sharing both LANs = change a lan subnet
17:46 < krzie> same subnet same network = only connect 1 and route to the rest through that
17:46 < hagna> I think it's one
17:47 < krzie> its one what
17:47 < hagna> the server is connected to both lans but both lans don't need to connect to each other
17:47 < hagna> the first one
17:47 < krzie> so you're using iroutes fort exampke...
17:47 < krzie> for example
17:47 < hagna> um what's that?
17:48 < krzie> the way you access a lan behind a client...
17:48 < krzie> oh #1 was not sharing the lan behind the client
17:48 < krzie> ok there should be no problem then
17:48 < krzie> are you having a problem?
17:48 < hagna> oh yeah right they are setup to route properly to the server machine (it's just one machine and not a network)
17:48 < hagna> I haven't done it yet I'm just trying to understand
17:49 < hagna> the problem I see is
17:50 < hagna> what is the server wants to ping machine 7 in lan 1 but there is also a machine 7 in lan 2
17:50 < hagna> /is/if
17:51 < hagna> I guess I need NAT on the server
17:51 < hagna> krzie: am I making sense?
17:52 < krzie> no
17:52 < krzie> you shouldnt be accessing ANYTHING in the lan
17:52 < krzie> just the vpn ip
17:53 < krzie> unless you're sharing the lan, in which case you are using #2 not #1
17:53 < hagna> ahh ok #2 then
17:53 < krzie> then you must change a lan and read !route
17:53 < krzie> !route
17:53 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:53 < hagna> but lans don't need to route to each other
17:54 < krzie> then dont use client-to-client and dont push their routes
17:54 < hagna> so what do you do on the server to avoid collisions?
17:55 < krzie> the point of my writeup is for you to understand what every command does, so you can change it to fit your needs
17:55 < krzie> not to just give you every command to use
17:55 < krzie> YOU CHANGE A NETWORK!
17:55 < dan__t> heh
17:55 < hagna> not sure what that means yet :), but I'm reading your writeup
17:55 < krzie> dude
17:56 < krzie> your problem will be they are on the same subnet
17:56 < dan__t> So would client-to-client be used if I wanted to basically turn OpenVPN into a bridge?
17:56 < krzie> SO YOU CHANGE ONE
17:56 < dan__t> Well, not a real "bridge" in the L2 sense...
17:56 < krzie> a bridge would be for layer2
17:56 < dan__t> But connecting two networks, where one side might provide all services such as DHCP and DNS and such?
17:56 < krzie> client-to-client allows packets to pass from 1 client to another
17:56 < krzie> dhcp is layer2
17:56 < dan__t> Right, so what if I simply wanted to extend an existing network
17:56 < dan__t> Then I want OpenVPN to relay DHCP.
17:57 < krzie> then you use a bridge, which is a terrible reason to use a bridge
17:57 < krzie> screw dhcp
17:57 < dan__t> heh
17:57 < krzie> just make it so the lans can talk
17:57 < krzie> like in !route example
17:57 < dan__t> That's all I want.
17:58 < dan__t> I want OpenVPN's client IP pool to come from network A's space
17:58 < krzie> *shrug* up to you
17:58 < krzie> why?
17:58 < dan__t> Well yeah, I'm just wondering the best way to achieve that overall goal.
17:59 < dan__t> I want office A and office B to be in the same IP space
17:59 < dan__t> Same subnet, even.
17:59 < krzie> if one is 10.1.0.x and other is 10.1.1.x, other is 10.1.2.x, but all can communicate with no problem, whats the problem?
17:59 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
17:59 < krzie> but why?
17:59 < krzie> is there an actual point?
17:59 < krzie> in large businesses they break up subnets in the same building
17:59 < dan__t> Being that office A might only have a /24
17:59 < krzie> you're trying to do the opposite, makes no sense to me
17:59 < dan__t> I understand how subnetting works.
18:00 < dan__t> I guarantee you.
18:00 < dan__t> I promise :)
18:00 < krzie> ok
18:00 < krzie> well ya you can do it with a bridge
18:00 < krzie> a layer2 bridge
18:00 < krzie> i wouldnt, but you know what you're doing...
18:00 < dan__t> Yeah, I used "bridge" in a general sense, not a true networking sense.
18:00 < krzie> but you want it in a true networking sense
18:00 < dan__t> I also guarantee you unequivocally beyond a shadow of a doubt that I actually know what I'm talking about.
18:01 < dan__t> I just don't know how to achieve this in OpenVPN.
18:01 < krzie> now you do, a bridge
18:02 < hagna> so network B has 10.1.1.x and you want it to access a machine in network A 10.1.0.x?
18:02 < krzie> tap, and --server-bridge
18:03 < krzie> hagna, no he wants all clients to receive ips from the server's dhcp pool
18:03 < krzie> so network A has 10.0.0.x lets say, he wants b and c to get ips from 10.0.0.x as well
18:03 < dan__t> Notice I said *POOL*, not *SERVER*.
18:03 < krzie> i said pool as well
18:03 < dan__t> So I can simply assign that designated POOL to OpenVPN to give to clients on office B
18:04 < krzie> right
18:04 < krzie> you tell your lan dhcp server to not touch a certain part of the pool
18:04 < krzie> then you tell openvpn to feel free to hand them out
18:04 < krzie> OR you tell openvpn to let the clients grab from dhcp
18:04 < krzie> read --server-bridge
18:04 < krzie> !bridge
18:04 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything where
18:04 < vpnHelper> krzie: the protocol uses MAC addresses instead of IP addresses.
18:04 < krzie> !forget bridge 4
18:04 < vpnHelper> krzie: Joo got it.
18:04 < dan__t> Got it.
18:05 < krzie> !learn bridge as useful for anything where the protocol uses MAC addresses instead of IP addresses. (but not samba, see !wins)
18:05 < vpnHelper> krzie: Joo got it.
18:06 < dan__t> word.
18:07 < dan__t> thanks.
18:07 < krzie> yw
18:08 < hagna> um so when you said CHANGE ONE earlier did you mean the ip of the conflicting machine on the other lan or the client openvpn configuration on the lan or the server configuration?
18:08 < krzie> change the ip space of the lan
18:09 < hagna> and if that's not an option couldn't I use NAT on the server?
18:09 < krzie> i guess
18:09 < krzie> have fun with that
18:09 -!- SlashLife [n=slashlif@unaffiliated/slashlife] has quit [Connection timed out]
18:09 < krzie> ugly hack
18:09 < hagna> heh
18:09 < krzie> better to just do it right
18:10 < hagna> I don't have control over the ip space of the lan
18:10 < krzie> you have someone there who is admin enough to get ovpn installed for you
18:10 < krzie> tell him to login to the router and change that shit
18:10 < hagna> heh I'm the admin
18:10 < hagna> that's how I know
18:10 < krzie> then do it yourself, lol
18:11 < krzie> i haven't heard of a router or other dhcp server in the world that wont let you change the lan ip space
18:11 < hagna> yeah I agree
18:12 < hagna> I'm just talking about what to do when you get collisions between two lans
18:12 < krzie> change one's lan ip space!
18:12 < krzie> (for like the 4th time)
18:12 < hagna> that's not the question really
18:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:12 < hagna> it's more how do you detect a collision
18:12 < krzie> by knowing that you have 2 lans you're routing to that are =
18:13 < krzie> i guess grep iroute ccd/* would make that easy enough
18:13 < hagna> that's good for manually
18:13 < krzie> you only add them manually
18:13 < krzie> if you dont add the iroute in ccd entry, you arent routing to their lan
18:13 < krzie> so theres no issue
18:14 < hagna> ok well it's been fun
18:14 < krzie> same
18:14 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"]
18:14 < krzie> lulz
18:16 < MarcWeber> krzie: I've found my problem: I did forget a RETURN so the first mark was overridden by a second one. Everything seems to be working fine now. Thank you for your support.
18:16 < dan__t> haha
18:16 < krzie> you saying you didnt need to nat vpn_subnet?
18:17 < MarcWeber> krzie: Let me paste the whole setup to rafb.net. Give me some seconds to prepare
18:17 < krzie> sure
18:17 < krzie> im just curious from what you said if you didnt nat 10.8.0.x
18:18 < krzie> its working so dont bother wasting the time to paste
18:58 < MarcWeber> http://rafb.net/p/otoTuo86.html @ krzie
18:58 < vpnHelper> Title: Nopaste - No description (at rafb.net)
19:01 -!- innnit [n=andre@92.40.202.113.sub.mbb.three.co.uk] has quit ["Leaving."]
19:02 < MarcWeber> krzie: Does this answer all your questions?
19:07 < krzie> cool, enjoy
19:35 < MarcWeber> One last question :-) Having a subnet A ==== B ==== C == D where A,B,C,D are connected by a network hub and D is the router connected to the ISP. Can I make B route its packages via A without VPN and without having the router send the package as well (the router is on the same wire and will forward all packages addressed to the internet, correct?)
19:36 < MarcWeber> The TCP/IP protocol doesn't contain a "router" field or such, only destination and source, right?
19:40 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
19:43 < krzie> sure
19:43 < krzie> as shown in !route under the picture
19:43 < krzie> you can choose between 2 options
19:44 < krzie> 1) adding the route on the router, benefit is you only add it on 1 machine and all work
19:44 < krzie> or 2) add the route on the local machine (B in your example), benefit is only B has the route and you dont need to touch the router
19:45 < MarcWeber> Weird. I've tried route add default gw A and the packages didn't show up on its eth0..
19:46 < krzie> packets should be going over the vpn at the vpn address, and therefore the route should be for that address
19:46 < krzie> as opposed to the lan address
19:46 < krzie> you say your nat was on the lan address on and vpn address, i dont believe that should work, but if you're happy thats as far as i care
19:47 < MarcWeber> It does. But only for the client being connected to the vpn server..
19:47 < MarcWeber> So does a TCP/IP package contain a "route to " IP shadowing the real destination (such as www.google.de) ?
19:48 < MarcWeber> It would have been easiest to not set up VPN on all the pcs on the LAN. Anyway I'm really tired now. I have to go to bed.
19:55 -!- olger901 [n=olger901@cable-159-18.zeelandnet.nl] has quit []
20:08 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:08 -!- theDoc [n=andelyx@119.73.165.162] has quit [Remote closed the connection]
20:08 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:12 < krzie> no
20:12 < krzie> each packet gets routed according to the routing table on the machine passing it to the next place
20:13 < krzie> theres a src and a dst
20:13 < krzie> the most specific matching route matching dst will be the path the packet takes
20:13 < krzie> then dst will reply back to src when the time comes
20:14 < krzie> NAT is a matter of rewriting the src
20:14 < krzie> and then rewriting the dst as the packet comes back
20:35 -!- miguelcma [n=miguelcm@87.196.144.39] has joined ##openvpn
20:36 < miguelcma> hi all :)
20:36 < krzie> hey
20:37 < miguelcma> i'm trying to do a redundant openvpn network, with 3 servers connected to each other, with ospf discovering the best route on the network
20:37 < miguelcma> it is working very good
20:38 < miguelcma> except one thing... when i disconnect a link, some routes don't work. and i discovered the problem is with "iroute" rules
20:38 < krzie> so you have clients with lans behind them?
20:38 < miguelcma> yes
20:38 < miguelcma> is there any way to remove that "iroutes" and use only "route"?
20:39 < krzie> no
20:39 < krzie> !iroute
20:39 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
20:39 < miguelcma> the situation is very difficult to explain here, but the problem is with "iroutes"
20:39 < krzie> but if you have the same ccd entries on every server ild think it would work fine
20:39 < krzie> oh except that then every machine needs to know to route through that server
20:39 < krzie> i see what your prob is
20:39 < krzie> no clue how you'd fix it tho
20:39 < miguelcma> yes, that is the problem :\
20:40 < krzie> ild think instead of 100% redundant like that you could just have 3 servers that arent all used at same time
20:40 < krzie> and use stuff to choose what to connect to
20:40 < krzie> so when server1 dies, they all connect to server2
20:40 < krzie> when that dies, they all connect to server3
20:41 < krzie> i believe you can have them connect back to server1 when its up
20:41 < krzie> read all about stuff in 2.1 manual
20:41 < krzie> !man
20:41 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:41 < miguelcma> yes, that's what I'm trying to do
20:41 < miguelcma> but, how can I have all them connected to the other server?
20:41 < krzie> you are trying to have all 3 servers connected at same time
20:41 < krzie> im saying thats the problem
20:42 < miguelcma> no, because i have ospf between them
20:42 < krzie> sounds like because you need iroute stuff, you gotta only use 1 server at a time
20:42 < miguelcma> ospf finds the best route
20:42 < krzie> like failover instead of redundant
20:42 < miguelcma> the problem is that i don't know to which server each client is connected
20:43 < krzie> ya it sounds like a tough spot to be in
20:43 < krzie> not sure how you're gunna fix that one, maybe someone else has an idea, i suggest the mail list
20:43 < krzie> !mail
20:43 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/ for the openvpn-user archives
20:44 < krzie> !forget mail 3
20:44 < vpnHelper> krzie: Joo got it.
20:45 < miguelcma> http://miguel.martinsalmeida.com/stuff/network.pdf
20:45 < miguelcma> this is my situation
20:45 < krzie> i see where the problems come from
20:45 < krzie> its just the solutions im not sure of
20:45 < miguelcma> sede can ping everyone, but not 10.88.1.1, nor 10.88.1.1
20:45 < miguelcma> i really don't know what to do
20:46 < miguelcma> ospf is giving me the best route.. its working very well.. the problem is only with openvpn :\
20:46 < krzie> but not 10.88.1.1, nor 10.88.1.1
20:47 < miguelcma> 10.88.1.9, nor 10.88.1.1
20:47 < krzie> ahh
20:47 < krzie> without ospf you can ping it?
20:47 < miguelcma> no
20:48 < krzie> VPS is a server?
20:48 < miguelcma> i don't have any "route" rules configured on openvpn
20:48 < krzie> or a client?
20:48 < miguelcma> yes, all three are servers
20:48 < krzie> how are they connected to each other?
20:48 < miguelcma> each one connected to the other
20:48 < krzie> servers dont make outbound connections
20:48 < miguelcma> server-client
20:48 < krzie> !configs
20:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:48 -!- afonso [n=afonso@bl11-12-251.dsl.telepac.pt] has joined ##openvpn
20:49 < krzie> so each machine runs a client and a server?
20:49 < miguelcma> oh, i'm using "topology subnet"
20:49 < miguelcma> yes
20:49 < krzie> and you have iroute stuff in ccd entries?
20:49 < miguelcma> i'll pastebin
20:50 < krzie> also read !route
20:50 < krzie> a lot wont apply to you, but it will very much help to be familiar with the standard way to set this stuff up without all the complication you are adding
20:50 < krzie> to understand every command as it relates in openvpn
20:51 < krzie> like iroute and its relationship to route
20:51 < krzie> !route
20:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:51 < miguelcma> http://pastebin.com/m300f1080
20:51 < krzie> #
20:51 < krzie> root@VPS # cat /etc/openvpn/ccd/sede
20:51 < krzie> #
20:51 < krzie> onfig-push 10.88.1.254 255.255.255.0
20:52 < krzie> i take it that some got cut off, right?
20:52 < miguelcma> oh, sry, it was the copy/paste.. it is ok on the server
20:52 < ecrist> GOOD EVENING, FUCKERS
20:52 < krzie> ok
20:52 < krzie> ecrist, ready for some mental rubix cube of a setup?
20:52 < krzie> check out what miguelcma is doing
20:52 < krzie> haha
20:53 < miguelcma> eheh
20:53 * ecrist reads up
20:54 < krzie> miguelcma, and does castrodaire have a route back to every vpn network that may access it through VPS's lan ip?
20:54 < miguelcma> the router or the lan?
20:54 < krzie> router
20:54 < miguelcma> yes
20:55 < miguelcma> the first three routes
20:55 < krzie> tcpdump shows that the ping gets to castrodaire?
20:55 < miguelcma> tcpdump -i tun0 icmp ?
20:55 < ecrist> I'm skipping lots, but why not run tap, allowing all the servers to simply be transport? do routing higher up the OSI, where it belongs.
20:55 < ecrist> routed isn't the right technology to use for your setup
20:55 < krzie> hrm, nice point
20:56 < krzie> this is a job for tap
20:56 < krzie> ecrist with the win
20:56 < miguelcma> hum, really?
20:56 < ecrist> yep
20:56 < krzie> im so used to saying "DONT USE TAP" that i didnt think of that
20:56 < miguelcma> i don't know very well how tap works
20:56 < miguelcma> lol
20:56 < krzie> it connects at layer2
20:57 < krzie> basically bridging all of them
20:57 < krzie> well optionally bridging them all
20:57 < krzie> but for you, bridging them all =]
20:57 < miguelcma> i can use the same multiple lans and multiple servers for redundancy?
20:58 < afonso> the 3 servers are not directly connected. i don't think you can use layer2
20:58 * karlpinc lusts after a supported cross-compile from Linux to Windows
20:58 < krzie> yes, but without worrying about iroute and whatnot
20:58 < afonso> it's just a simulation
20:58 < krzie> afonso, thats what tap is for
20:58 < krzie> connecting them at layer2 when NOT directly connected
20:59 < krzie> if they were plugged into each other he could use a bridge without vpn
20:59 < afonso> humm, sorry then
20:59 < krzie> unless i misunderstood you
20:59 < karlpinc> I don't suppose there's any way to get Windows binaries etc without the installer? (Aside from building my own that is.)
21:00 < miguelcma> with a bridge connecting all of them, i will need a centralized dhcp server?
21:00 < krzie> openvpn can act as one, or you can have one
21:00 < krzie> your choice
21:00 < krzie> see --server-bridge
21:02 < miguelcma> hum... i think i have a lot to read tonight :p
21:02 < afonso> krzie: it makes sense... i've been helping miguelcma with this project for so many hours now, i couldn't see another solution.
21:03 < krzie> shiet ild have a lot to read for a couple days doing your setup
21:03 < krzie> and ive been here helping people for like a yr or 2
21:04 < miguelcma> lol
21:04 < afonso> krzie: since OSPF is working so well, don't you think there may be a way to do the iroutes right?
21:05 < afonso> krzie: it's a little hard at this point to drop everything already done.
21:06 < krzie> the iroutes are right
21:06 < krzie> *shrug*
21:06 < afonso> the routing table in the kernel works perfectly
21:06 < krzie> ecrist was right
21:06 < krzie> this should be a shitton easier connecting them all at layer2 and letting your ospf layer3 stuff handle routing
21:07 < afonso> do we really need OSPF if we connect everything at layer2?
21:13 < krzie> let me go back to my original suggestion
21:13 < krzie> mail list
21:13 < krzie> theres some experts in exactly this on the list
21:13 < krzie> it wouldnt be the first thread of this nature
21:14 < krzie> and would be nice to have a nice archive on it for my bot to link to
21:14 < krzie> !mail
21:14 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
21:18 -!- prxtien [n=pro@teamaustralia.net.au] has quit [Read error: 110 (Connection timed out)]
21:18 < afonso> !iroute
21:18 < vpnHelper> afonso: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
21:25 < ecrist> ospf would still be used
21:26 < ecrist> s/would/could/
21:27 < ecrist> though not really needed
21:27 < ecrist> the remote network routing address would keep the same static IP
21:30 < ecrist> so, with bridging, they're all on the same network, ARP would figure out how to get to the router, not OSPF
21:30 < ecrist> OSPF could be used if you're worried about link cost and multi-homing your connections 'properly'
21:30 < ecrist> but, i'm done talking to myself.
21:33 < afonso> i'm listening...
21:33 < miguelcma> ecrist: yes, the best path is important in this setup
21:43 < afonso> is there any way to add iroutes only when a client connects? and remove them when it disconnects?
21:44 < krzie> thats the only time they are active
21:44 < krzie> bbl
21:45 < afonso> the problem is that some iroute should be inactive when certain clients connect
21:47 < afonso> for instance, iroute 10.88.1.0 255.255.255.0 should be present iff it could not connect to server 10.88.1.1
21:48 < afonso> i can't find a way to do this
21:50 < ecrist> iroutes are only in effect when that client is connected.
21:56 < afonso> i don't understand why adding too many iroute rules can make a connection stop working then
21:57 < ecrist> are they being added to ccd, or to main config?
21:58 < afonso> ccd
22:01 < ecrist> you shouldn't have too many problems, unless you've got more than 100 routes
22:03 < afonso> are iroutes taken into account before kernel routes?
22:03 < ecrist> depends
22:03 < afonso> because the problem seems to be there...
22:05 < ecrist> well, openvpn has its own internal routing mechanism for vpn routes. that's processed first for traffic to/from tun/tap devices, kernel second
22:05 < afonso> kernel routing table says to go through tun1 to reach 10.88.2.0 and iroutes state i can reach 10.88.2.0 in tun0
22:05 < ecrist> I'm telling you, use tap.
22:05 < afonso> ok, you're probably right
22:05 < afonso> i give up! :(
22:06 < ecrist> you can still use OSPF. but you're trying to route over a fairly rigid structure. bridging opens the flexibility back up.
22:07 * ecrist goes to bed.
22:08 < afonso> ok, ty ecrist
22:08 < afonso> sleep tight
22:08 < miguelcma> thanks too
22:13 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
22:17 -!- afonso [n=afonso@bl11-12-251.dsl.telepac.pt] has quit []
22:18 -!- miguelcma [n=miguelcm@87.196.144.39] has quit ["Leaving"]
23:57 -!- sartan [n=JP@S0106000f66a59cb0.cg.shawcable.net] has joined ##openvpn
23:58 < sartan> Conceptually, is there any functionality directly within openvpn for policy routing? Checking executable names in userspace, checking tcp/ip ports in networkland, etc? If criteria matches, use openvpn; otherwise, use default system routing
--- Day changed Tue Apr 07 2009
00:00 < sartan> I suppose it counts that i'll look at openvpn on windows.. on linux i'd just bust out iptables for this sort of thing.
00:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:26 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
00:27 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
00:28 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
00:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
00:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
00:48 < theDoc> Say guys, has anyone managed to get a WindowsXP/Vista box to set up the vpn tunnel using its own "create new network" option?
00:48 < theDoc> I can get it to work with the open-vpn gui client, no dice with Windows' default.
01:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:06 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
01:12 < zheng> HI, all, In openvpn internal VIRTUAL Route Table, tap mode uses virtual MAC address, but tun mode uses virtual IP
01:12 < zheng> address?
01:12 < zheng> why?
01:12 < zheng> In TAP mode, can it use Virtual IP Address?
01:29 < reiffert> moin
01:30 < reiffert> zheng: tap handles ethernet frames
01:30 < reiffert> zheng: tun cares about IP packets.
01:31 < zheng> reiffert, yes, tap handles ether frames, but why can't it route them by virtual IP? like normal IP packets?
01:34 < zheng> I think it is probably possible to route Virtual IP packets by Virtual IP Address.
01:34 < zheng> now I'm reading the source.
01:41 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
01:42 -!- sartan [n=JP@S0106000f66a59cb0.cg.shawcable.net] has left ##openvpn ["no"]
01:45 < dazo> theDoc: The "Create new network" option does not support OpenVPN, afaik ... it's only for PPTP VPN's afaik ... might be that other commercial ones use an API to integrate into this GUI, but that's just guessing from my side
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:49 < theDoc> dazo: Ahh, I see.
01:50 < theDoc> No wonder I couldn't get it to work.
01:50 < theDoc> heh
01:50 < dazo> heh
01:52 < dazo> That's both the advantage and disadvantage of OpenVPN ... it's not integrated into any OS at all, just a tiny separate piece of software ... you won't be able to use such integrated API's, but it's darn flexible when you begin to configure it
01:53 < theDoc> dazo: Yes, however it'll be even better if OS's started supporting openvpn using their integrated API's.
01:53 < theDoc> I can see how a lot of people can capitalize on that.
01:54 < dazo> theDoc: Not sure MS is too much interested in that .... as they have their own PPTP ... other vendors most probably pay MS money to get the API ....
01:54 < dazo> it would benefit a lot of companies with this API more open .... but not MS
01:55 < theDoc> dazo: MS probably doesn't bother.
01:55 < theDoc> However, it'll be good for SME's.
01:55 < dazo> theDoc: when it comes to Open Source ... they bother ... to ignore it as much as possible :-P
01:56 < theDoc> dazo: Oh right, while the rest of us proceed on with OS stuff, microsoft continues to hide in the corner playing with himself.
01:58 < dazo> exactly ... even though, it must be said ... they do _seem_ to improve, beginning to participate in Open Source communities ... but nobody knows if that's just another attempt of their EEE strategy ...
01:59 < theDoc> I'm guessing it's another attempt.
01:59 < theDoc> Windows 7 was a step in the right direction though
01:59 < theDoc> I'd like to see openvpn being integrated into many different OS's.
01:59 < theDoc> Support for clients I mean
02:01 < dazo> true enough
02:02 < theDoc> Right now, since I'm starting my vpn service, I'd be forcing all my clients to install a copy of openvpn-gui ;p
02:02 < theDoc> gack!
02:10 < dazo> mm ... many people try to create their own installer somehow for windows, which contains a minimalistic config file, which relies on the server pushing whatever can be pushed from server to clients
02:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:16 < theDoc> dazo: Yeah, I'll do that
02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
04:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:40 -!- detys [n=admin@ks31179.kimsufi.com] has joined ##openvpn
04:40 < detys> Hi
04:40 < detys> I'm trying to give my clients a fixed IP
04:41 < detys> I've got this in my server config
04:41 < detys> route 10.9.0.0 255.255.255.252
04:41 < detys> and I've got this in my iptables
04:41 < detys> MASQUERADE all -- 10.9.0.0/30 anywhere
04:41 < detys> Now it works for client1 with
04:41 < detys> ifconfig-push 10.9.0.2 10.9.0.1
04:42 < detys> but for client2 with ifconfig-push 10.9.0.10 10.9.0.9
04:42 < detys> openvpn connects OK
04:42 < detys> but web traffic doesn't work
04:42 < detys> I haven't tested other sorts of traffic
04:42 < detys> but it works fine for client1
04:43 < detys> can someone help me out please?
04:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:55 < reiffert> see what --server expands to, it might be that you are missing a push "route ..."
05:06 -!- coChosh9 [i=coChosh9@gateway/tor/x-91204993eac4b3af] has joined ##openvpn
05:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:32 -!- detys [n=admin@ks31179.kimsufi.com] has quit ["Leaving"]
05:32 -!- detys [n=admin@ks31179.kimsufi.com] has joined ##openvpn
05:32 < detys> hey thanks i fixed it
05:32 < detys> turns out my iptables wasn't up to date
05:33 < detys> i just had to run iptables-restore -c < /etc/iptables.rules
05:33 < detys> One thing though
05:33 < detys> I have revoked client5
05:33 < detys> but now I can't generate a new client5
05:33 < detys> if I do ./build-key client5. The client5.key and client5.crt have the same checksum as the old one
05:34 < detys> so I can't use that common name anymore?
05:34 < detys> How can I generate a new client5 that isn't blacklisted
05:38 -!- coChosh9 [i=coChosh9@gateway/tor/x-91204993eac4b3af] has quit [Remote closed the connection]
05:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
06:04 -!- coChosh9 [i=coChosh9@gateway/tor/x-81848008e69e8d21] has joined ##openvpn
06:07 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
06:10 -!- coChosh9 [i=coChosh9@gateway/tor/x-81848008e69e8d21] has quit [Remote closed the connection]
06:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:29 < MarcWeber> (LAN: A - B - C - D ) and ( B - slow internet connection - vserver )
06:29 < MarcWeber> Now I'd like to route the traffic from A - B - C ( D is the router ) through the VPN tunnel B - vserver.
06:30 < MarcWeber> Is the best way to do this to create a VPN with B being the server on the LAN and then make B route traffic to v-server (the routing to the vserver does already work)
06:38 -!- coChosh9 [i=coChosh9@gateway/tor/x-dbde9b43a7be8a1a] has joined ##openvpn
06:40 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
06:59 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
07:03 -!- detys [n=admin@ks31179.kimsufi.com] has quit [Remote closed the connection]
07:22 < MarcWeber> What is the relation between command line options and configuration file options? I've seen that some command line options such as --server network mask can expand to multiple configuration file options, right?
07:22 < MarcWeber> Can I put all command line options into the config file equally well?
07:26 < dazo> MarcWeber: yes you can ... all options (except --config, I presume) can be put into a config file, by removing the '--'
07:27 < dazo> MarcWeber: for multiple config files, that's doable with client specific configs ... --client-config-dir
07:41 < MarcWeber> --mktun and --rmtun are just wrappers for os specific commands, right?
07:48 < onats> guys, a little bit of OT here.. anyone know how to pair a nokia phone using hcitools/rfcomm?
07:52 < MarcWeber> onats: Maybe also try ##networking. I've no idea.
07:53 < dazo> onats: have you looked into /etc/rfcomm.conf (or wherever that config is located)
07:54 < onats> dazo, yes... have been looking...
07:54 < dazo> onats: I believe you mainly had to set up the HW "mac" address of the phone here ... start rfcommd and then do a connect with the rfcomm cli
07:54 < dazo> it's ages since I used that now
07:55 * dazo converted to Sony Ericsson ... which gives you a bnep0 interface instead, which is a pure network card
07:58 -!- mtoledo [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)]
08:04 < onats> i only have nokia phones available here... :(
08:04 < onats> maybe you have your old config files lying around there?
08:05 < dazo> onats: sorry .... I've had Sony Ericsson for 4 years and have changed laptop twice in between ....
08:05 < dazo> onats: I'll have a quick look if I still have a bookmark somewhere
08:06 < dazo> onats: http://www.spiration.co.uk/post/1307/Ubuntu%20Linux%20-%20Bluetooth%20and%20GPRS%20dialup%20connection ... have you seen this? it's pretty close to what I set up
08:06 < vpnHelper> Title: Ubuntu Linux - Bluetooth and GPRS dialup connection (at www.spiration.co.uk)
08:07 < dazo> onats: http://users.tkk.fi/u/kehannin/bluetooth/bluetooth.html ... this might also be interesting
08:07 < vpnHelper> Title: Linux USB Bluetooth <-> Nokia 6310i (at users.tkk.fi)
08:08 < onats> o
08:08 < onats> i've seen the 2nd link, which i followed earlier
08:08 < onats> the first one has tools specific to ubuntu (no package on openwrt)...
08:08 < onats> anyway, my problem is the PIN from the x86 machine seems to be not being presented to the phone...
08:09 < dazo> onats: well, it's not specific tools for ubuntu ... it's standard bluez utilities
08:10 < onats> the bluez-pin?
08:10 -!- mtoledo [n=user@201-93-152-83.dsl.telesp.net.br] has joined ##openvpn
08:11 < dazo> onats: bluez-pin is a default "hack" to use a fixed pin code when pairing phones and Linux
08:12 < dazo> onats: what you basically need is the kernel modules (rfcomm, l2cap, etc) ... hcitool and rfcomm
08:12 < onats> dazo, already there..
08:13 < onats> how do i force the PC side to present the PIN?
08:13 < onats> a static pin even
08:14 < dazo> onats: then start rfcomm with rfcomm bind rfcomm0 ... then you should have /dev/rfcomm0
08:14 < dazo> aha
08:14 < dazo> hmm
08:14 * dazo things
08:14 * dazo thinks
08:14 < onats> i already have rfcomm0...
08:14 < onats> and 1 for the other phone
08:15 < ecrist> morning, folks
08:15 < onats> morning ecrist
08:16 < dazo> onats: http://www.summet.com/blog/2007/01/09/pairing-devices-with-linux-bluez/ ... could this help you out?
08:16 < vpnHelper> Title: Jays Technical Talk Forced pairing of devices with Linux BlueZ (at www.summet.com)
08:16 < dazo> ecrist: morning
08:16 < dazo> onats: /etc/bluetooth/hcid.conf .. this is where you set which pin-code program to use
08:17 * dazo begins to refresh old knowledge
08:17 < onats> dazo, pin_helper?
08:18 < dazo> onats: in some bluez version, I believe the behaviour changed ... so after a certain version, you could even set the static key in this config file directly
08:18 < onats> lemme paste my hcid.conf
08:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:19 < dazo> man hcid.conf
08:20 < onats> http://pastebin.ca/1384871
08:21 < onats> yup
08:21 < dazo> onats: security none|auto|user
08:21 < dazo> none means the security manager is disabled. auto uses local PIN, by default from pin_code, for
08:21 < dazo> incoming connections. user always asks the user for a PIN.
08:21 < onats> i set it to 1234, and auto
08:21 < dazo> yepp
08:35 < onats> oh boy
08:44 * ecrist finally gets around to prioritizing packets for the office voip
08:47 < onats> dazo, any other ideas?
08:47 < dazo> onats: hmmm ... not right now ....
08:48 < onats> ok thanks for your help
08:48 < onats> hope to get it up in a few hours time
08:48 < dazo> onats: np! Sorry I'm out of ideas by now
08:50 -!- mtoledo [n=user@201-93-152-83.dsl.telesp.net.br] has quit [Read error: 60 (Operation timed out)]
09:05 -!- dcestari [n=dcestari@190.199.164.160] has joined ##openvpn
09:05 < dcestari> hello everybody
09:06 < ecrist> hi
09:10 -!- SpinaL [n=administ@12.177.178.136] has joined ##openvpn
09:10 < dcestari> I believe I'm having trouble with mtu
09:10 < dcestari> but I'm not sure how to solve it
09:11 < ecrist> !mtu
09:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
09:12 < dcestari> I think it's that because in the manual, under --tun-mtu it said "MTU problems often manifest themselves as connections which hang during periods of active usage."
09:12 < dcestari> and that's exactly my issue
09:12 < dcestari> thanks
09:12 < dcestari> I'll check that
09:12 < ecrist> tcp or udp?
09:14 < dcestari> udp
09:15 < dcestari> tcp had troubles
09:15 < dcestari> I had to reconnect all the time
09:15 -!- rhousand [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has quit [Remote closed the connection]
09:16 < SpinaL> Can openvpn use passworded x.509 certs ? If so how do you put that in the conf file on the client? I googled for this but was unable to find anything. I have an existing PKI for openswan x.509 certs and would like to continue using it for openvpn certs.
09:18 < ecrist> SpinaL: yes, but you can't put it directly in the config
09:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:19 < ecrist> 1) why would you use password-protected certificates, and then store the password in the config?
09:19 < ecrist> 2) you can do this, with compile options for openvpn
09:20 < SpinaL> ecrist so openvpn will prompt for the password ?
09:20 < ecrist> yes
09:20 < plaerzen> ecrist, Why do you know so much??
09:21 < ecrist> plaerzen: I don't. I just guess well. ;)
10:11 < dcestari> I did
10:11 -!- mtoledo [n=user@c906c009.virtua.com.br] has joined ##openvpn
10:11 < ecrist> !mtu
10:11 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
10:11 < dcestari> I got an output I could not interpret
10:12 < dcestari> Tue Apr 7 10:19:23 2009 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes.
10:12 < dcestari> Tue Apr 7 10:22:32 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,541] remote->local=[1541,1437]
10:12 < dcestari> Tue Apr 7 10:22:32 2009 NOTE: This connection is unable to accomodate a UDP packet size of 1541. Consider using --fragment or --mssfix options as a workaround.
10:13 < ecrist> ok, did you look in the man page for --mssfix or --fragment?
10:14 < ecrist> try --link-mtu 541 on the client side
10:15 < dcestari> I did, but I don't know what value to put there
10:15 < dcestari> ok, I'll try that.
10:15 < ecrist> your message tells you
10:15 < ecrist> read it
10:15 < dcestari> I know, you must be used to reading this, but it is not as easy for me.
10:16 < dcestari> I really don't understand the output
10:18 < dcestari> that did it, the link-mtu
10:18 < dcestari> I wonder why.
10:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:21 < theDoc> Question guys, is it possible to disable the client from requiring ca.crt to bring the vpn tunnel up?
10:21 < theDoc> That would mean that the server doesn't use its self-signed certs as well.
10:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
10:22 < ecrist> theDoc: so you want to disable encryption?
10:23 < ecrist> !plain
10:23 < vpnHelper> ecrist: Error: "plain" is not a valid command.
10:23 -!- mtoledo` [n=user@189.80.89.234] has joined ##openvpn
10:23 < theDoc> ecrist: Is it possible to still maintain encryption without using the ca.crt?
10:23 < ecrist> how would that work?
10:24 < ecrist> encryption is two ways. you need a private/public key on both ends.
10:24 < theDoc> Ahh, right.
10:24 < ecrist> you could use static keys
10:24 < theDoc> ecrist: Sorry, need to get spanked ;p I got confused for a moment.
10:24 < dazo> asymmetric encryption uses private/public key, the trad. SSL style .... symmetric encryption uses static keys on both sides
10:25 < theDoc> Correct me if I'm wrong but wouldn't asymmetric keys be harder to break in this case?
10:25 < ecrist> theDoc: what do you mean?
10:26 < dazo> theDoc: The asymmetric encryption is mainly used on the control channel... between client and server, so they can use symmetric encryption on the data channel
10:26 < theDoc> I think I should go and redo my PKI lesson ;(
10:26 < dazo> theDoc: A 128 bit symmetric key can be much stronger and harder to crack than a 1024 bit asymmetric key pair
10:27 < kala> dazo: are you sure?
10:27 < dazo> theDoc: and asymmetric encryption is much slower than symmetric ... thus the use of symmetric key on data channel and asymmetric on control channel
10:28 < dazo> kala: yes, because with asymmetric encryption you have at least some known data which can be used to reverse the encryption ... with symmetric you basically have no clue what the encryption key could be
10:28 < kala> theDoc: back to your original question, it should be possible. But then you cannot verify that you are talking to the correct server
10:28 < theDoc> kala: Yes.
10:29 < theDoc> kala: That's what I'm trying to get around, the whole verification of the correct server.
10:29 * dazo read about key strength and differences many years ago ... can try to find resources if interested
10:29 < kala> dazo: why is that?
10:29 -!- dcestari [n=dcestari@190.199.164.160] has quit []
10:29 < kala> dazo: I mean, how come that when asymmetrically encrypting, you have some known data and when symmetrically encrypting, you don't have any known data?
10:29 < dazo> kala: the key point in PKI is to have a unique enough prime number .... the longer the key, the bigger the prime number
10:30 < dazo> kala: so when you have the public key, it is claimed that it is possible to figure out the prime number through some brute forcing and a lot of calculation time ... when you get a match, you have the decryption key
10:30 < kala> you have the private keyu
10:30 < kala> key
10:31 < kala> not the decryption key
10:31 < dazo> kala: public key is the encryption key ... and through that you can get the prime number needed, to take it one step further to begin cracking the decryption key
10:32 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn
10:33 < dazo> kala: and this is why you need key sizes bigger than >1024 to really have it more safe on PKI ... compared to symmetric encryption where 128 bit is very hard and difficult to crack, since you have no clue at all what the encryption key could be
10:33 < kala> anyway, yes you are right, that you could crack the public key and get the private key out of it. Compared to symmetric encryption, you would need to have some chosen cleartext to work with. But I still doubt that it's easier to break 1024 bit RSA than 128 bit Blowfish
10:33 < ecrist> she's a brick and I'm drowning slowly...
10:34 -!- mtoledo [n=user@c906c009.virtua.com.br] has quit [Connection timed out]
10:35 < dazo> kala: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
10:35 < dazo> page 7
10:35 < dazo> page 5, I mean
10:36 < theDoc> Man, this whole security thing takes it all another step ;)
10:36 * theDoc dances around with a Cisco router
10:37 < theDoc> Personally, I thought asymmetric was the more secure one.
10:38 < theDoc> Because 2 keys were required instead of 1 key.
10:38 < kala> dazo: hmm. I must stand corrected :)
10:38 < kala> dazo: "As of 2003[update] RSA Security claims that 1024-bit RSA keys are equivalent in strength to 80-bit symmetric keys, 2048-bit RSA keys to 112-bit symmetric keys and 3072-bit RSA keys to 128-bit symmetric keys." from wikipedia article
10:39 -!- ben1597 [n=ben1597@cs-wlc-136.cs.umn.edu] has joined ##openvpn
10:40 < dazo> theDoc: that's exactly why it is weaker ... because you have a known part of the encryption key ... while in symmetric an attacker will not have any known factors to work out from, which makes it more difficult to crack it
10:40 < dazo> theDoc: the PDF I sent a link to even claims that you need an RSA key with at least a 15K bit key to compare security with AES-256 symmetric
10:41 < dazo> theDoc: so OpenVPN uses a hybrid system ... where the symmetric key is changed regularly, and exchanged over an asymmetric channel
10:42 < ecrist> !encryption
10:42 < vpnHelper> ecrist: Error: "encryption" is not a valid command.
10:42 < onats> almost done!!!:D
10:42 < ecrist> !learn encryption as Why symmetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
10:42 < vpnHelper> ecrist: Joo got it.
10:42 < ben1597> If I can ping through a VPN server to hosts on the subnet of the VPN server (not the VPN subnet), but not be able to SSH into those hosts, what does that tell you?
10:43 < ecrist> you have a firewall issue
10:43 < dazo> ben1597: that it's not working?
10:43 < theDoc> ben1597: sshd is not running
10:43 < ben1597> :-D
10:43 < ecrist> like the topic suggests
10:44 < ben1597> Normally I use a more complex firewall, but for testing purposes I've added rules manually to an empty table.
10:44 < theDoc> !topology
10:44 < vpnHelper> theDoc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:45 < ecrist> ben1597: 99.999% of the time, we're told that the firewall has been reset/cleared/killed/shot in the mouth/etc and the user is mistaken.
10:45 < theDoc> dazo: I could have sworn that many years ago back in school, we were taught that asymmetrical > symmetrical
10:46 -!- mtoledo` [n=user@189.80.89.234] has quit [Read error: 104 (Connection reset by peer)]
10:47 < dazo> theDoc: if you haven't read the cryptologists' papers on this subject, it's easy to think so ... because the key size is much bigger :) ... but the fact is that it needs to be so big to have at least some security
10:47 < ben1597> I have 4 rules right now (http://pastebin.com/f624a8f3c). Maybe I'm in that .001% ?
10:47 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn
10:48 < ecrist> ben1597: you can ping, which means the VPN works.
10:48 < ecrist> that's all it does.
10:48 < ben1597> yes. and nslookup works too.
10:48 < ecrist> great, then fix your firewall
10:49 < theDoc> dazo: Yes, I was under that impression. Well, thank you for correcting me on that
10:49 < theDoc> ;)
10:49 < dazo> no worries :)
10:50 < ecrist> OpenVPN doesn't allow or block anything, it simply sets up routes or bridges. run a traceroute from the vpn client to the host you're trying to ssh into. if it looks good, the traffic is being blocked somewhere.
10:50 < theDoc> That's more proof that school doesn't always teach the right thing ;p
10:50 < theDoc> ecrist: Well, you forgot the part about encrypting the data ;)
10:50 < dazo> theDoc: unfortunately, there are enough teachers who do not care about staying updated ...
10:50 < ecrist> theDoc: that's an optional feature, enabled by default.
10:51 < theDoc> ecrist: ahh, I see.
10:54 < ben1597> ecrist: Yep; that works.
10:55 < ben1597> I'll take your word for it that OpenVPN isn't to blame.
10:56 < dazo> ben1597: remember also to check the other tables in iptables as well .... as nat, mangle, etc
10:56 < dazo> ben1597: if you have a blocking rule here too, it will stop ... even though the filter table looks nice
10:56 < ben1597> iptables -L lists everything- doesn't it?
10:56 < dazo> ben1597: only the filter table
10:56 < ben1597> Oh!
10:56 < dazo> ben1597: use iptables-save .... that will show everything ....
10:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:57 < ben1597> So there is a man behind the curtain.
10:57 < ben1597> Holy crap that's a lot
10:58 < dazo> ben1597: that's one of the "annoying" things with iptables .... people forget that there are other tables as well .... I wish that it didn't list the filter table by default when -t is missing .... that would have sharpened the mind of iptables users
10:58 < ben1597> I am enlightened; thank you.
10:58 < dazo> ben1597: you're welcome :)
10:59 < ecrist> !iptables
10:59 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
10:59 < ecrist> dazo: does that look right?
10:59 < dazo> ecrist: it only manipulates the filter table here too
10:59 < dazo> ecrist: just a sec, and I'll prepare a more comprehensive version
11:00 < ecrist> thanks
11:05 < dazo> ecrist: http://pastebin.com/m583a31ef ... there you have it
11:05 < dazo> ecrist: probably more suitable for a wiki
11:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:08 < ben1597> Could either of you recommend a guide with a good treatment of iptables?
11:09 < dazo> ecrist: it does not touch the raw table ... but people playing with that one usually know how to turn off iptables ... the same for ebtables as well (kind of "layer2" firewalling)
11:09 < theDoc> !iptables
11:09 < vpnHelper> theDoc: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
11:09 < dazo> ben1597: not quite sure what you really want ... as it is a very broad topic ...
11:10 < ben1597> Hopefully something that applies to a setup where the VPN server is the gateway to a NAT'd network.
11:15 < dazo> ben1597: this is a little outdated iptables tutorial ... but the basics are still valid, and should work pretty well still ... http://www.faqs.org/docs/iptables/index.html
11:15 < vpnHelper> Title: Iptables Tutorial 1.1.19 - Firewall (at www.faqs.org)
11:15 < dazo> ben1597: a little bit more updated version: http://iptables-tutorial.frozentux.net/iptables-tutorial.html
11:15 < vpnHelper> Title: Iptables Tutorial 1.2.2 (at iptables-tutorial.frozentux.net)
11:16 < krzee> !mail
11:16 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
11:16 < krzee> (for me)
11:16 < ben1597> Thanks; I'll get reading (openvpn-users too).
11:17 < dazo> ben1597: on the last link (tutorial 1.2.2) ... you can probably start with chapter 3, if you don't want to go really deep into the differences between different TCP/IP protocols
11:19 < onats> whee! dazo, got it to work!:D
11:19 < dazo> onats: cool!
11:19 < dazo> onats: what was the key?
11:20 < onats> paired from the phone, and commented out part of the 3g.sh script that wants to assign a pin
11:20 < onats> that ate one day of my life
11:20 < onats> actually 2
11:21 < onats> we're going up a mountain resort tomorrow but there's no wifi there
11:21 < onats> i mean no net connection
11:28 < ecrist> !firewall
11:28 < vpnHelper> ecrist: "firewall" is please see http://openvpn.net/man#lbBD for more info
11:28 < ecrist> !learn firewall as see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:28 < vpnHelper> ecrist: Joo got it.
11:28 < ecrist> !firewall
11:28 < vpnHelper> ecrist: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:29 < ecrist> !learn iptables as see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
11:29 < vpnHelper> ecrist: Joo got it.
11:33 -!- innni2 [n=andre@79-74-126-105.dynamic.dsl.as9105.com] has joined ##openvpn
11:41 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:44 -!- nemysis [n=nemysis@41-21.107-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
11:47 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn
11:50 < onats> anyone here have freetime?
11:50 < onats> :D
11:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:56 < ecrist> I'm here. I'm at work, so I have freetime. ;)
11:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:57 < onats> hehehe
11:57 < onats> but its non-vpn related
11:59 < onats> ok to ask?
11:59 < onats> networks related still
12:09 < ecrist> sure
12:14 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 60 (Operation timed out)]
12:17 < onats> ok. am trying to assign dhcp only to wireless interface
12:17 < onats> the wireless clients are able to connect already, but i still can't get ip's from the dhcp
12:18 < onats> is that supposed to come from dnsmasq? or is there a service that has to be running in order to throw out IPs?
12:18 -!- Guest24440 [n=Barry_Tr@64.123.245.253] has joined ##openvpn
12:19 < ecrist> onats: I don't know dnsmasq
12:19 < onats> alright
12:19 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
12:19 < Guest24440> anyone know how to get openvpn to drop routes that are not active
12:19 < ecrist> Guest24440: what do you mean?
12:20 < Guest24440> and use it with a dynamic route daemon like zebra to have failover/ load balancing for fixed IP range
12:20 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:20 < Guest24440> i want client to keep the same ip but I want it to connect to either server
12:20 < Guest24440> which is easy from the client side
12:21 < Guest24440> but from the server side you have to know which server has the active route to that network
12:22 < Guest24440> someone has to have done this before
12:23 < Guest24440> i believe zebra would advertise the route , but openvpn does not remove it from the route table when not connected .. thus not letting the change flow upstream thru OSPF
12:24 -!- innni2 [n=andre@79-74-126-105.dynamic.dsl.as9105.com] has quit ["Leaving."]
12:26 < ecrist> oh, you again
12:26 < ecrist> didn't I tell you to use tap yesterday?
12:26 * karlpinc thinks that openvpn would be more portable if install-win32/settings.in !define MAKE_JOBS was 1 instead of 2
12:30 < Guest24440> no
12:31 < Guest24440> r u telling me tap will drop routes and tun does not?
12:32 -!- hardwire [n=hardwire@srv001.gandi.brutetech.com] has quit ["Coyote finally caught me"]
12:32 < krzie> tap doesnt work on routes
12:32 < krzie> its layer2
12:32 -!- mtoledo` [n=user@c934af3b.virtua.com.br] has joined ##openvpn
12:32 < krzie> works with arp
12:32 < Guest24440> I need layer 3
12:33 < krzie> i believe anything added in a ccd entry is dropped when the client disconnects
12:34 < Guest24440> i have routes for hosts with dedicated ips
12:34 < Guest24440> those routes seem to stay even when the client is not connected
12:35 < Guest24440> http://www.linuxjournal.com/article/9915
12:35 < vpnHelper> Title: Building a Multisourced Infrastructure Using OpenVPN (at www.linuxjournal.com)
12:35 < Guest24440> just found this
12:36 < Guest24440> u too looks like
12:36 < Guest24440> hard to believe that is the only way
12:36 < Guest24440> be nice if openvpn server would just add/remove routes as connects were made
12:36 < Guest24440> sure make this easy
12:36 < krzie> lol
12:37 < Guest24440> or am i off base
12:37 < krzie> would be nice if it would give me a blowjob in the morning too
12:37 < Guest24440> need to make feature request
12:37 < krzie> but in the end its just vpn software
12:37 -!- SpinaL [n=administ@12.177.178.136] has quit ["DMDirc exiting"]
12:37 < Guest24440> not really
12:37 < karlpinc> I'm trying to compile 2.1 rc15 on Windows XP using MinGW 5.1.4 and I get the error "cryptoapi.c:55: error: 'CryptAcquireCertificatePrivateKey' redeclared as a different kind of symbol". It says the previous declaration was at c:/mingw/include/wincrypt.h. Should I be using a different version of mingw or what should I do to resolve this?
12:37 < Guest24440> if it creates routes and knows when clients are connected
12:38 < Guest24440> it seems quite simple and to be the right place to add/remove the routes
12:38 < ecrist> Guest24440: openvpn has some very simplistic routing mechanisms.
12:38 < krzie> i said it should drop stuff it was given via ccd entries on client disconnect
12:40 < krzie> and openvpn's route command is just a hook into the system route command, no more no less, it exists for your convenience only, is very simplistic and , halfway only exists for the fact that diff OS have diff exact commands to add routes
12:40 < krzie> s/ and ,/, and/
12:40 < Guest24440> [root@vpnp1wi1 xxxx ]# cat /etc/openvpn/openvpn-*status.log | grep '172.18.64'
12:40 < Guest24440> [root@vpnp1wi1 xxxx ]# route -n | grep '64'
12:40 < Guest24440> 172.18.64.0 172.18.253.2 255.255.255.0 UG 0 0 0 tun1
12:41 < Guest24440> nope
12:41 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection]
12:41 * krzie wonders what thats supposed to mean to us =/
12:42 < Guest24440> well still think would be nice
12:42 < krzie> then code it
12:42 < krzie> its open source and welcomes contributions
12:42 < Guest24440> u got a point
12:42 < Guest24440> been a while since wrote anything but good excuse to try
12:42 < krzie> i guarantee nobody would be mad at you for making the patch to do what you want
12:43 < krzie> and theyd even likely say thanx after you mail'ed it to the list
12:43 < Guest24440> downloading code now
12:43 < Guest24440> thanks for the help
12:43 < krzie> right on =]
12:44 < krzie> i look forward to seeing it, if you dont feel like signing up to the list or whatever ild be happy to send it out to public for ya, maybe someone else will like it too
12:44 < krzie> ild say you should make it a ./configure option to enable or not
12:44 < Guest24440> true
12:45 < krzie> since it will change a basic functionality of how ovpn works (using route is very common)
12:47 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
12:51 -!- Guest24440 [n=Barry_Tr@64.123.245.253] has left ##openvpn []
12:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:53 < onats> i just want to share something
12:54 < onats> i now have a mobile router!:D openwrt based alix board, with a bluetooth dongle, connecting to a nokia phone, dialing 3g. now serving internet!:D
12:55 < karlpinc> The problem seems to be that openvpn is declaring the function to work around that MinGW 3.1 is missing the declaration, but now there's 2 different declarations: "static BOOL WINAPI (*CryptAcquireCertificatePrivateKey) (..." in openvpn and "BOOL WINAPI CryptAcquireCertificatePrivateKey(..." in MinGW. What's the best way to resolve this issue? (Frankly, maybe the problem is that gcc shouldn't be complaining at all?) Any suggestions?
12:56 < karlpinc> I'm not sharp in C but don't those declarations mean the same thing?
12:57 < karlpinc> Should I be reporting this to someone who cares?
13:00 < krzie> your problem is you're trying to compile for windows in linux?
13:00 < karlpinc> No. I'm compiling for windows in windows. Following the directions as given in the 2.1 rc15 domake-win32 fle.
13:01 < karlpinc> (file)
13:01 < krzie> ahh
13:01 < krzie> trying to change a config option to save pw's in file?
13:01 < krzie> for pw auth...?
13:01 < karlpinc> krzie (I wish I was compiling for windows in linux.)
13:01 < krzie> you mentioned gcc
13:01 < krzie> i didnt know that existed in win
13:02 < krzie> (ive never compiled source in win)
13:02 < karlpinc> krzie : No. I want my own nsis installer, and I can't get the windows binaries from anywhere. So, I'm compiling.
13:02 < krzie> gotchya
13:02 < krzie> ild help if i could
13:02 < krzie> <-- stopped messing with win a few yrs back
13:02 < karlpinc> krzie : MinGW is a fork of Cygwin, so it can be more windows like.
13:03 < krzie> ahh
13:03 < karlpinc> krzie : I stopped messing with Windows Years ago.
13:04 < krzie> yet here you are ;]
13:04 < karlpinc> krzie : It seems Windows won't go away. :-P
13:05 < krzie> lol yup
13:06 < karlpinc> krzie : Seriously, there's some problem between the 2.1 rc15 and the latest production MinGW and the gcc it ships with. Somebody should care. I think the problem is that OpenVPN no longer needs the duplicate declaration because it's in MinGW already. Easy enough to patch, except I'm on Windows.
13:06 -!- mtoledo` [n=user@c934af3b.virtua.com.br] has quit [Read error: 113 (No route to host)]
13:07 < karlpinc> For the moment I'm going to comment out the duplicate declaration in OpenVPN. But somebody upstream of me should know there's a problem....
13:08 < krzie> i dont think its that nobody cares
13:08 < krzie> i think you need to talk to devs or something maybe
13:08 < krzie> !dev
13:08 < vpnHelper> krzie: Error: "dev" is not a valid command.
13:08 < krzie> hrm
13:08 < krzie> !factoids search dev
13:08 < vpnHelper> krzie: No keys matched that query.
13:08 < krzie> =/
13:08 < krzie> theres a dev maillist
13:08 < krzie> !mail
13:08 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
13:10 < krzie> first link
13:10 < krzie> !learn dev as https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
13:10 < vpnHelper> krzie: Joo got it.
13:11 < karlpinc> I don't suppose I can send them an email without subscribing?
13:11 < krzie> not sure, i know you can to -users
13:11 < krzie> devel is low volume anyways tho
13:11 < karlpinc> krzie: I'll give it a go.
13:24 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
13:25 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:33 -!- PacoBell [n=PacoBell@adsl-75-15-133-14.dsl.snlo01.sbcglobal.net] has joined ##openvpn
13:34 < PacoBell> !howto
13:34 < vpnHelper> PacoBell: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:34 < PacoBell> !route
13:34 < vpnHelper> PacoBell: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:35 < PacoBell> !man
13:35 < vpnHelper> PacoBell: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:35 < PacoBell> !/30
13:35 < vpnHelper> PacoBell: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:36 < karlpinc> Alright, now gcc is bitching because the code's assigning a value to something that's not a pointer. Shouldn't openvpn be using a different name for CryptoAcquireCertPrivateKey, so it does not conflict with the win api?
13:39 < krzie> im not sure if anyone here is familiar with compiling from source in windows
13:39 < krzie> but i wont say dont ask, cause ya never know
13:39 < krzie> just saying if you dont get an answer, its not from a lack of people caring
13:42 < karlpinc> I'm thinking it's more of a C question....
13:43 < krzie> i promise it compiles fine on freebsd
13:43 < krzie> 6 7 and 8
13:43 -!- ben1597 [n=ben1597@cs-wlc-136.cs.umn.edu] has quit [Read error: 60 (Operation timed out)]
13:44 < karlpinc> krzie : It's in an #ifdef for windows :P
13:45 < krzie> ahh right, back to the fact that you're compiling from source in windows =]
13:46 < krzie> but it is a very on-topic question of course
13:46 < krzie> so this would be the right place to ask (along with dev mail list i believe)
13:47 < karlpinc> Uh, how do I do a search and replace over a lot of lines in vi?
13:47 < krzie> not sure, i prefer nano, can only do basic stuffs in vi
13:48 < krzie> but i think /string is search
13:48 < krzie> so its prolly /string
13:48 < karlpinc> krzie : I'm an emacs sorta guy.
13:48 < krzie> could possibly just be a regex there
13:48 < krzie> like s/something/replace/
13:49 < PacoBell> :s/search_string/replacement_string/g
13:49 < krzie> ahh werd
13:49 < krzie> i was close =]
13:49 < krzie> missing the :
13:49 < PacoBell> g for global
13:49 < krzie> well ya
13:49 < PacoBell> Be vewwy careful with that one.
13:49 < karlpinc> PacoBell : I thought I tried that and it told me not found. Maybe I mis-typed.
13:49 < PacoBell> Mebee.
13:49 < karlpinc> PacoBell : That will do lots of lines?
13:50 < krzie> a prior grep could help be sure its fine
13:50 < krzie> with the trailing g it will do the whole file
13:50 < karlpinc> PacoBell : I know :q! really well.
13:50 < PacoBell> Supposedly, I just googled the answer. LOL!
13:50 < krzie> and matches
13:50 < krzie> lol PacoBell =]
13:50 < PacoBell> karlpinc: *snicker*
13:50 < krzie> my educated guess was good =]
13:51 < karlpinc> I think it wants a range, whatever the hell that is.
13:51 * karlpinc going to find my vi cheat sheet
13:52 * PacoBell needs his vi cheat sheet burned into his retinas
13:52 < krzie> not i
13:53 < krzie> i only need vi on rare occasions
13:53 < ecrist> vi < vim
13:53 < PacoBell> There are some places that won't let me install anything =(
13:53 < krzie> so knowing d/dd/:w/:q!/:x/o/i/esc is good enough for me
13:54 < PacoBell> Ah, yes, /esc is my happy green place...
13:54 < karlpinc> krzie : No, you also need to know a.
13:55 < krzie> ahh forgot bout a
13:55 < krzie> i have been just using i and moving 1 forward
13:55 < krzie> lol
13:55 < ecrist> krzie: don't forget :%!xxd and :%!xxd -r
13:56 < karlpinc> krzie: Then you can't put anything on the end of a line.
13:56 < krzie> hah i never knew those
13:56 < krzie> karlpinc, sure you can
13:56 < krzie> go to the end, i arrow to the right, type
13:57 < krzie> i is insert, a is append, same shit diff cursor location
13:57 < karlpinc> krzie : Ah, the arrows.
13:57 < krzie> arrows will work once in typing mode
13:57 < karlpinc> krzie : Newfangled stuff.
13:57 < ecrist> krzie: for that, use A instead of a
13:57 < krzie> without taking you out of typing mode
13:57 < krzie> *shrug* how bout i stick to nano ;]
13:58 < ecrist> /mode -o krzie
13:58 < ecrist> nano is for lusers
13:58 < plaerzen> real programmers use ed
13:59 < krzie> im not a programmer
13:59 < krzie> explains that!
13:59 < PacoBell> Oh dear... http://xkcd.com/378/
13:59 < vpnHelper> Title: xkcd - A Webcomic - Real Programmers (at xkcd.com)
13:59 < plaerzen> http://xkcd.com/378/
13:59 < PacoBell> HAH!
13:59 < plaerzen> DAMN
13:59 < plaerzen> too late
13:59 < krzie> LOL
13:59 < krzie> nice
14:00 * PacoBell waves to all the xkcd fans in the room
14:00 * plaerzen waves back.
14:01 < krzie> <3 xkcd
14:01 < PacoBell> "Good ol' C-x M-c M-butterfly"
14:01 < plaerzen> haha
14:02 < plaerzen> I love that strip
14:02 < ecrist> one of my favorites is http://xkcd.com/303/
14:02 < vpnHelper> Title: xkcd - A Webcomic - Compiling (at xkcd.com)
14:03 < ecrist> or 'Bobby Tables'
14:03 < PacoBell> hyuk hyuk!
14:03 < krzie> ya bobby tables is my favorite one!
14:03 < plaerzen> "Did you actually name your son "Bobby drop table students;--" ?
14:04 < krzie> I hope you're happy!
14:04 < plaerzen> "Someone should learn to sanitize their database inputs"
14:04 < PacoBell> Huh, classic.
14:04 < krzie> I hope you learned to properly sanitize db inputs!
14:04 < krzie> or of course the mother hacker who is cooking and rewriting packets on the fly while blocking the vpn etc
14:05 < ecrist> that's a good one, too.
14:05 < plaerzen> yeah, that's a good one too
14:05 < plaerzen> using oven mitts
14:05 < plaerzen> "How do you type in oven mitts?"
14:05 < ecrist> http://xkcd.com/528/
14:05 < vpnHelper> Title: xkcd - A Webcomic - Windows 7 (at xkcd.com)
14:05 < krzie> oooo newer
14:05 < krzie> i need to catchup
14:06 < plaerzen> xkcd and ctrl alt del are the only 2 webcomics I read
14:06 < PacoBell> Ditto. *there goes my productivity for the day*
14:06 < ecrist> questionablecontent.com is a good one.
14:06 < PacoBell> I'm kinda a fan of Real Life Comics, too.
14:06 < ecrist> though Jeph is a bit crazy
14:06 < PacoBell> ecrist: ^5!
14:08 < PacoBell> Wow, I so felt like doing this the other day... http://xkcd.com/562/
14:08 < vpnHelper> Title: xkcd - A Webcomic - Parking (at xkcd.com)
14:08 < ecrist> krzie: you know xkcd comes out three times a week, right?
14:09 < krzie> nah never bothered checking that, i just catchup on huge chunks occasionally
14:09 < krzie> its more fun that way
14:09 < ecrist> ah, I have a bookmark group with XKCD, Cyanide & Happiness and Questionable Content
14:10 < ecrist> xkcd is updated MWF, the other two M-F
14:11 < plaerzen> I thought CH was updated every day ?
14:12 < ecrist> it is.
14:12 < ecrist> well, monday through friday, I think
14:12 < plaerzen> oh right
14:12 < plaerzen> m-f
14:13 < plaerzen> m-f >< mf
14:14 < plaerzen> alright, time to get some food. bbiab
14:18 < ecrist> http://xkcd.com/492/
14:18 < vpnHelper> Title: xkcd - A Webcomic - Scrabble (at xkcd.com)
14:26 < krzie> http://xkcd.com/487/
14:26 < vpnHelper> Title: xkcd - A Webcomic - Numerical Sex Positions (at xkcd.com)
14:26 < krzie> hahahah
14:26 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has joined ##openvpn
14:27 < mmcgrath> When I try to connect to an openvpn service on an aliased interface (eth0:0) I get connection errors.
14:27 < mmcgrath> I'm not quite sure what to do about it
14:28 < mmcgrath> Anyone have any ideas? The specific error I get is...
14:28 < krzie> !configs
14:28 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:29 < mmcgrath> Apr 7 18:14:09 bastion2 openvpn[12117]: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
14:29 < mmcgrath> Apr 7 18:14:10 bastion2 openvpn[12117]: read UDPv4 [ECONNREFUSED|EHOSTUNREACH]: No route to host (code=113)
14:29 < mmcgrath> but if I connect to eth0 directly it works fine
14:30 < kraut> mmcgrath: could you please try tcp instead of udp?
14:30 < kraut> (on both sides!)
14:31 < krzie> or check firewall rules
14:31 < mmcgrath> kraut: sure, one sec getting configs in order as well.
14:31 < krzie> udp > tcp whenever possible
14:31 < mmcgrath> http://pastebin.ca/1385187
14:32 < mmcgrath> I'm assuming this is packets coming in to eth0:0's IP via udp and out via eth0's IP via udp causing the confusion
14:32 < krzie> ahh right
14:32 < krzie> sure could be
14:32 < kraut> erm no!
14:33 < kraut> there is a special error message for that situation!
14:33 < krzie> oh right
14:33 < kraut> "no route to host" is another problem i think
14:33 < krzie> get a MULTI error when its that
14:34 * mmcgrath verifies iptables isn't the problem first
14:34 < krzie> hey mmcgrath, is 192.168.0.0 already a lan subnet on either client or server?
14:35 < krzie> oh god using /16
14:35 * ecrist guesses it is
14:35 < krzie> LOL
14:35 < mmcgrath> kraut: nope, just for the vpn we have, and it's a non-routed vpn for what that's worth.
14:35 < krzie> dude, dont do that!
14:35 < ecrist> !1918
14:35 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
14:35 < krzie> you cant have a single client in 192.168.x.x with this config
14:35 < ecrist> pick another from our bucket o' IPs!
14:35 < krzie> (or the server)
14:35 < krzie> thats the worst server statement i ever seen
14:36 < mmcgrath> kraut: it was for better organization of the IP's we have so we can separate them out later. We're still at step one of a multi step process :)
14:36 < krzie> pls do change it =]
14:36 < ecrist> your kids will hate you
14:36 < krzie> yes, butterflies are furiously flapping their wings at you over this
14:36 < kraut> what is he doing?
14:36 < kraut> missed the point
14:36 < krzie> #
14:36 < krzie> server 192.168.0.0 255.255.0.0
14:36 < kraut> ah, /16 rape
14:36 < mmcgrath> naw, this vpn setup is for a group of servers geographically spread around. not for end users.
14:37 < krzie> mmcgrath can you guarantee that neither server nor ANY clients will be on a 192.168.x.x?
14:37 < krzie> and will you really have so many clients that you need a /16?
14:37 < mmcgrath> yeah, we can. otherwise I wouldn't have used it :)
14:37 < mmcgrath> no but like I said, step one of a multi step process.
14:37 < ecrist> mmcgrath: do you have 16,382 vpn clients?
14:38 < krzie> with !topology you get 254 ips per /24
14:38 < mmcgrath> right now all servers need access to all other servers, we're working to be in a setup where that's not the case.
14:38 < krzie> !route
14:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:38 < krzie> thats how you give all lans access to eachother
14:38 < krzie> also, you really dont want that server statement
14:38 < krzie> it makes babies cry
14:38 < kraut> mmcgrath: erm, a /16 won't work!
14:38 < mmcgrath> I really do understand what having a /16 does, I really do know why I picked it. Thanks for the warning though.
14:39 < krzie> you dont wanna make babies cry do you?
14:39 < mmcgrath> kraut: uhh, and yet it does.
14:39 < kraut> and it's totally stupid to use such a huge net!
14:39 < krzie> mmcgrath, oh wasnt aware you werent having any problems, ignore us then
14:39 < kraut> mmcgrath: ever thought about broadcasts?
14:39 < ecrist> LOUD NOISES!
14:39 < mmcgrath> kraut: yes, so lets say I sent a broadcast to the /16.
14:39 < mmcgrath> and only 100 nodes are on the network.
14:39 < krzie> I DONT KNOW WHY WE'RE YELLING
14:39 < krzie> lol
14:39 < kraut> lemmy in your net, i'll storm your broadcast and you'll have fun
14:39 < mmcgrath> tell me, at the network layer, how that's different.
14:39 < mmcgrath> seriously.
14:40 < mmcgrath> keep in mind that earlier I mentioned it's a non-routed net.
14:40 < kraut> uhmm
14:40 < mmcgrath> how many more bits get broadcast?
14:40 < mmcgrath> 0
14:40 < ecrist> 'do you want to come to my pants party?
14:40 < krzie> before you get past a /24 with topology subnet you will need another server to handle the additional connections anyways more than likely
14:40 < ecrist> mmcgrath: check your firewall for issues, otherwise it's probably a kernel routing bug
14:43 < krzie> also you're aware that you only need 1 machine at each location connecting to the server, right?
14:43 < krzie> i mean shit, you have over 254 locations, and arent using cisco?
14:44 < mmcgrath> ecrist: bummer not the firewall.
14:44 < mmcgrath> this is RHEL5.3 BTW, not sure I mentioned that.
14:45 < mmcgrath> it is quite strange though, I switch back to eth0 and it all works just fine, switch it to eth0:0 and get nothing but failures.
14:45 < ecrist> mmcgrath: what version of OpenVPN, and why such an old version of linux?
14:45 < ecrist> why are you running it on an alias?
14:46 < mmcgrath> ecrist: when you say kernel routing bug, in theory would I not be seeing that from machines on a LAN?
14:46 < mmcgrath> ecrist: RHEL5.3 came out about 4 months ago.
14:46 < mmcgrath> I'm running on an alias to try to use a heartbeat aliased IP.
14:47 < mmcgrath> This is the first UDP service I've done that with. I'm going to test tcp in a bit.
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:49 < ecrist> I'm confusing RHEL with Fedora 14:50 < mmcgrath> it's openvpn-2.1 14:50 < ecrist> rc? 14:50 < ecrist> or are you the first with the release? ;) 14:50 < krzie> if so i missed an announcement 14:50 < krzie> and need to do a series of upgrades 14:51 < mmcgrath> The full tag is 2.1-0.29.rc15.el5 14:51 * mmcgrath isn't the packager. just grabbed it from EPEL. 14:51 < krzie> ahh good rc15 is latest 14:51 < krzie> not sure what 1-0.29 refers to 14:51 < krzie> but 2.1-rc15 is latest 14:52 -!- SpaceBas1 [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 14:52 < SpaceBas1> hey folks 14:52 < ecrist> hey SpaceBas1. 14:52 < SpaceBas1> I can establish my tunnel but DNS seems to only resolve for internal address - ie I can ping machine1.local but not google.com 14:53 < krzie> i take it you're using redirect-gateway 14:54 < krzie> is it only dns, or can you not ping by ip either? 14:54 * ecrist goes home. 14:54 < krzie> are you pushing dns? 14:54 < krzie> basically, give us more info 14:55 < SpaceBas1> trying IP now 14:55 < SpaceBas1> yes, doing a redirect-gateway 14:55 < SpaceBas1> ok, fixed one issue - DNS server was not set to respond to the openvpn subnet 14:55 < SpaceBas1> so now its returning the query, but the ping fails outside of the local network 14:56 < krzie> using NAT? 14:56 < krzie> what OS? 14:57 < SpaceBas1> krzie: client is OSX, server is BSD (PFsense) - there is NAT on the PFsense box 14:57 < SpaceBas1> and now that you say that, let me check for outbound nat 14:58 < SpaceBas1> bingo! 14:58 < SpaceBas1> glad you said that, thanks! 14:58 < krzie> you must nat the vpn ips 14:58 < krzie> np 14:58 < SpaceBas1> been doing dev tap with a bridge so this hasn't been an issue - recent PFsense upgrade left me without tap option :( 14:59 < krzie> welp, better for you! 
14:59 < krzie> !tunortap 14:59 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 15:00 < SpaceBas1> but I love me some layer 2 goodness 15:00 < SpaceBas1> like kerberos auth and mDNS 15:07 < mmcgrath> ecrist: FWIW, it works fine with proto tcp, breaks with proto udp. 15:07 < SpaceBas1> I was doing tap with udp - was working great 15:07 < krzie> interesting... howd you know kraut? 15:08 < kraut> wth? 15:08 < krzie> ecrist: FWIW, it works fine with proto tcp, breaks with proto udp. 15:08 < kraut> krzie: i had exactly the same issue a few days ago 15:08 < krzie> that was your suggestion 15:08 < krzie> ahh 15:08 < kraut> krzee: thought it was an issue with avm dsld 15:08 < krzie> !tcp 15:08 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:09 < krzie> heres something to know before sticking with tcp 15:09 < kraut> didn't have time to investigate that 15:09 < krzie> or at least to know when you run into tcp issues 15:09 < mmcgrath> yeah I don't want to use tcp, but udp is failing for me. 15:09 < kraut> udp would be better, cause you don't have any flow problems 15:20 < mmcgrath> Ah, seems I just needed to add "local aliasedip" to the openvpn config. 15:20 < mmcgrath> working great now on udp too. 15:21 < krzie> hrm no shit 15:21 < krzie> !man 15:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:21 * krzie looks 15:21 < krzie> --local host 15:21 < krzie> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces. 
15:22 < krzie> hrm aliasedip doesnt appear anywhere in the manual 15:22 < krzie> you find that in the source? 15:22 < mmcgrath> well for me it was: 15:22 < mmcgrath> local 10.8.34.50 15:22 < krzie> ohhhh, lol 15:22 < mmcgrath> :) 15:23 < krzie> gotchya, interesting it only worked when binding specificly to that ip, will remember that for the next guy 16:14 -!- rfxr [n=rfxr@adsl-67-126-192-10.dsl.chic01.pacbell.net] has joined ##openvpn 16:16 < rfxr> Help please? :-) Do I need to use bridge mode in order to route from server to client LAN? I can ping from client LAN to server LAN but cannot ping from server to client LAN. 16:16 < krzie> no 16:16 < krzie> you need to read and understand this: 16:16 < krzie> !route 16:16 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:17 < rfxr> thank you 16:17 < krzie> yw 16:17 < rfxr> was looking for that :-) 16:18 < krzie> =] 16:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:28 -!- SpaceBas1 [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"] 16:33 < rfxr> kraut, SUCCESS! Thank you very very much ;) 16:33 < rfxr> oops 16:33 < rfxr> krzie, SUCCESS! 
Thank you very very much ;) 16:33 < krzie> glad it helped =] 16:33 < rfxr> :-) 16:33 < rfxr> been fighting with routes for an hour ;) 16:33 < krzie> very commonly requested info, spent some good time on that writeup 16:34 < krzie> but it saves me tons more time on helping people =] 16:34 < rfxr> if they will read it anyway ;) 16:34 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn 16:34 < krzie> lol ya 16:35 < kraut> rfxr: any thanks to me are welcome ;) 16:35 < rfxr> kraut, ok :-) 16:36 < krzie> lol 16:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:19 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 17:19 < SpaceBass> hey folks - back at it, trying to get a site-to-site tunnel working 17:19 < SpaceBass> keep getting this on the server: TLS Error: Unroutable control packet received from 17:33 -!- mmcgrath [n=mmcgrath@mmcgrath.net] has left ##openvpn [] 17:39 -!- rfxr [n=rfxr@adsl-67-126-192-10.dsl.chic01.pacbell.net] has left ##openvpn ["Leaving"] 17:39 < SpaceBass> now getting this error: (si=3 op=P_ACK_V1) 17:39 < krzie> !configs 17:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:39 < krzie> !logs 17:39 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 17:40 < SpaceBass> server log - http://pastebin.ca/1385427 17:41 < SpaceBass> client log - http://pastebin.ca/1385428 17:41 < krzie> those arent verb 6 17:42 < SpaceBass> unfortunately they are all I have access to with these endpoints 17:42 < krzie> you dont control the machines? 
17:43 < SpaceBass> I do - and I'm sure at some point on this PFsense box I could get below their xml logging layer to the raw logs, but its going to take some forum posting to get at it 17:44 < krzie> well can you at least egt the raw configs? 17:44 < krzie> get 17:44 < krzie> cause if not theres no helping you 17:44 < SpaceBass> again, not easily - but I'll try 17:44 < SpaceBass> the concern there is that I cannot edit them even if I do find them 17:44 < SpaceBass> the web gui will overwrite them 17:44 < krzie> sucks for you i guess 17:45 -!- PacoBell [n=PacoBell@adsl-75-15-133-14.dsl.snlo01.sbcglobal.net] has left ##openvpn [] 17:45 < SpaceBass> clearly 17:45 < krzie> i dont use any of those web gui's, cant help ya with that 17:45 < krzie> i do use openvpn, and will happily try to help with that 17:45 < SpaceBass> thats the challenge with these things - as soon as you apply any kind of interface things start to break down 17:46 < krzie> well 17:47 < krzie> i'd say when the interface overwrites manual changes its lame 17:47 < krzie> there should at least be a sync command where the interface learns the new edits 17:47 < krzie> a web ui is one thing, enforcing that it MUST be used is another 17:48 < SpaceBass> I'd agree with that 17:48 < krzie> i see nothing wrong with a nice web ui, i personally choose not to use them, but to each their own... but it should be optional when used 17:54 < karlpinc> I'm _still_ trying to compile 2.1 rc15 on windows. Something is really borked (and it's windows). Bad things happen at random. I get segfaults, I get messages telling me that m4 1.4 or later is needed but m4 --version says version 1.4 is installed, and so forth. What should I try? 17:55 < krzie> karl, posting to the dev mail list =] 17:55 * krzie swears hes said that 17:55 < SpaceBass> progress... 
17:55 < SpaceBass> client conf - http://pastebin.ca/1385436 17:56 < SpaceBass> server conf - http://pastebin.ca/1385438 17:56 < krzie> neither of those is a client or server 17:56 < krzie> its ptp mode 17:57 < SpaceBass> isn't that what I want for a site-to-site tunnel? 17:57 < krzie> sure 17:57 < krzie> but theres still no client or server 17:57 < krzie> ;] 17:58 < krzie> post /etc/rc.filter_configure 17:58 < krzie> comment # 17:59 < krzie> tls-server 18:00 < krzie> from what you called the server 18:00 < SpaceBass> trying to follow ... 18:00 < krzie> pastebin /etc/rc.filter_configure 18:00 < krzie> and comment tls-server 18:00 < SpaceBass> no such file - not sure if thats a BSD thing or a PFsense thing 18:00 < krzie> from server2.conf 18:00 < krzie> # 18:00 < krzie> up /etc/rc.filter_configure 18:00 < krzie> # 18:00 < krzie> down /etc/rc.filter_configure 18:00 < krzie> its your openvpn config thing 18:01 < krzie> (this is why gui's shouldnt setup configs) 18:01 < karlpinc> !devs 18:01 < vpnHelper> karlpinc: Error: "devs" is not a valid command. 18:01 < krzie> !dev 18:01 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list 18:01 < karlpinc> krzie : Actually, I was hoping for the archives. 18:02 < SpaceBass> ok... I see what you are saying 18:02 < krzie> karlpinc 18:02 < krzie> !mail 18:02 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 18:02 < SpaceBass> comment out the up; down; tls-server lines ? 
18:02 < krzie> thats user archives, im sure you can find dev archive there too 18:03 < krzie> SpaceBass if the up script doesnt exist, go ahead and comment it 18:03 < krzie> but your log doesnt complain that it doesnt exist 18:03 < krzie> making me think its gotta be there 18:03 < SpaceBass> it is, I was mistaken 18:03 < krzie> oh actually it might be complaining 18:03 < krzie> well then pastebin it! 18:04 < krzie> also your version of openvpn is very old 18:04 < SpaceBass> http://pastebin.ca/1385442 18:04 < krzie> 2.0.6 is quite a few yrs back 18:04 < krzie> 2.0.9 is latest stable and is like 4 yrs old i think 18:04 < krzie> we all use 2.1rc15 now-a-days 18:05 < SpaceBass> i'll submit a request on that one - not sure why they are using something so old 18:06 < krzie> so just comment tls-server and give it a try 18:06 < onats> morning!:D 18:07 < krzie> also comment the push route 18:07 < krzie> as it cant be used 18:07 < SpaceBass> krzie, thanks for the help, its been an education for me :D 18:08 < SpaceBass> indeed the web gui is overwriting it, but at least now I have the education to submit a bug report 18:08 < krzie> not in a ptp setup without pull, besides you have the route added at the bottom of the other side anyways 18:08 < krzie> just start it from commandline 18:08 < krzie> yanno, the normal way 18:09 < krzie> do your testing and see you can get it up 18:09 < krzie> then worry bout your gui knowing what you need to change 18:09 < SpaceBass> good idea 18:09 < SpaceBass> openvpn[13104]: Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. 18:10 < krzie> lol i didnt see that part 18:10 < krzie> you have 1 side setup for ptp mode 18:10 < krzie> other side setup for client/server mode (half way) 18:10 < SpaceBass> and the other for remote access? 18:10 < krzie> must remove ca cert and dh 18:10 < SpaceBass> interesting... 
18:10 < krzie> and other side needs the exact same key 18:10 < krzie> key file 18:11 < krzie> and a reference to it in the config 18:12 < krzie> if they're gunna give you something as complicated as openvpn to setup in web gui, they should give you the chance to edit the file raw from the gui 18:12 < krzie> thats what your ticket should tell them 18:12 < krzie> openvpn has sooooo many config options 18:12 < SpaceBass> it sure does :d 18:12 < krzie> no web gui could handle it all and make any sense 18:13 < SpaceBass> and I've configured it by hand on the client site before in a road warrior setup and would agree that it might actually be easier to do that way 18:13 < krzie> might? 18:13 < krzie> shiiiet 18:13 < krzie> its the only way 18:13 < SpaceBass> baby steps for me - admitting I have a problem is the first step 18:13 < SpaceBass> (and right now the gui is my problem) 18:13 < krzie> lol 18:14 < krzie> # 18:14 < krzie> ca /var/etc/openvpn/server2.ca 18:14 < krzie> # 18:14 < krzie> cert /var/etc/openvpn/server2.cert 18:14 < krzie> # 18:14 < krzie> key /var/etc/openvpn/server2.key 18:14 < krzie> # 18:14 < krzie> dh /etc/dh-parameters.1024 18:14 < krzie> only keep the key entry 18:14 < krzie> the rest go byebye 18:14 < krzie> then you copy that keyfile to the other box 18:14 < krzie> and make an entry for it there too 18:14 < krzie> although i think it gets a diff option now, lemme check 18:14 < krzie> !man 18:14 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
18:15 < krzie> ya, use secret 18:16 < krzie> make sure to copy the file using a secure connection like sftp 18:16 < krzie> as its your only security on this setup 18:16 < krzie> the better way is to make a client/server setup 18:16 < krzie> better as far as security at least 18:16 < SpaceBass> connected via ssh tunnel currently 18:17 < krzie> but shit you're almost there anyways 18:17 < krzie> and actually 18:17 < krzie> forget about that key file 18:17 < krzie> generate the secret like this 18:17 < krzie> openvpn [ --genkey ] [ --secret file ] 18:17 < SpaceBass> actually, got the key files in place 18:17 < krzie> openvpn --genkey --secret 18:17 < krzie> ya but thats a keyfile for a cert 18:18 < krzie> might be better to make a keyfile that was meant to be a pre-shared key 18:18 < krzie> it'll work like this, but could possibly be less secure 18:18 < krzie> (im not sure, so lets do what the docs say) 18:18 < SpaceBass> is that why I get this: openvpn[45701]: Options error: Parameter priv_key_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. 
18:18 < krzie> you still have it in as key 18:19 < krzie> needs to be secret 18:19 < krzie> the entry key is for server/client 18:19 < SpaceBass> gotcha 18:19 < krzie> the entry secret is for ptp preshared-key 18:19 < krzie> regenerate it with the command i gave you 18:19 < krzie> copy it over 18:19 < krzie> and use secret 18:20 < krzie> on both sides 18:20 < SpaceBass> got it 18:20 < SpaceBass> copying now 18:23 < SpaceBass> ok...progress 18:24 < SpaceBass> ran openvpn ../../../server2.conf on Box A and got: 18:24 < SpaceBass> route: writing to routing socket: File exists 18:24 < SpaceBass> add net 10.1.1.0: gateway 10.250.1.2: route already in table 18:25 < krzie> repaste your configs 18:25 < krzie> and also 18:25 < krzie> !interface 18:25 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:25 < SpaceBass> one sec 18:25 < SpaceBass> btw - I really appreciate your help. Know your time is valuable but its been a real education for me 18:26 < krzie> yw 18:26 < krzie> its only slightly slowing down my first install of zabbix =] 18:27 < SpaceBass> remote conf - http://pastebin.ca/1385455 18:27 < SpaceBass> local conf - http://pastebin.ca/1385456 18:27 < SpaceBass> secrets are the same 18:28 < krzie> yup you woulda never gotten to route otherwise 18:28 < SpaceBass> local ifconfig - http://pastebin.ca/1385457 18:28 < SpaceBass> remote - ifconfig http://pastebin.ca/1385458 18:28 < krzie> you didnt comment the push route 18:29 < krzie> from local 18:29 < krzie> you cant push in your setup 18:29 < SpaceBass> drat - doing it now 18:29 < krzie> in fast you have a push to comment in both 18:30 < SpaceBass> done 18:30 < krzie> local has 2 openvpn's running, you're aware of that? 
18:30 < SpaceBass> yes 18:30 < SpaceBass> the other is for road warriors and its working 18:30 < krzie> here do this for me 18:31 < krzie> i want 1 pastebin for local and 1 for remote 18:31 < krzie> with config, ifconfig, and routing table 18:31 < SpaceBass> k 18:31 < krzie> otherwise you're gunna have me with 6 pastebins 18:31 < krzie> comment the push's first 18:31 < krzie> and let me know it still has the error 18:31 < krzie> (after restarting both) 18:32 < SpaceBass> remote - http://pastebin.ca/1385463 18:32 < krzie> and which sides gets the error? 18:33 < SpaceBass> local http://pastebin.ca/1385465 18:33 < SpaceBass> just executed openvpn again on both sides - neither errored 18:33 < SpaceBass> checking logs now 18:33 < SpaceBass> remote - openvpn[10091]: MANAGEMENT: Cannot bind TCP socket on 127.0.0.1:1194: Address already in use (errno=48) 18:34 < SpaceBass> same on the local 18:34 < krzie> prolly same address/port as your first install 18:34 < SpaceBass> the ports are unique 18:34 < SpaceBass> road warrior setup uses 4405 18:35 < krzie> then its already running 18:35 < krzie> ps auxw|grep openvpn 18:35 -!- cmb [n=cmb@pfsense/coreteam/cmb] has joined ##openvpn 18:35 < SpaceBass> here's a kink - which I totally forgot about... 
the remote box is behind another router, so its WAN IP is a bogon (the other router doesnt block anything and it has a static public IP) 18:36 < krzie> also i see you're trying to route 10.1.1.0/24 over the vpn 18:36 < krzie> but it seems you already have that route locally on both sides 18:37 < SpaceBass> ok, killed the orphaned processes on both sides 18:37 < SpaceBass> suspect thats why the route was present 18:37 < SpaceBass> relaunch openvpn on both sides 18:38 < SpaceBass> remote: # openvpn ./server2.conf 18:38 < SpaceBass> route: writing to routing socket: File exists 18:38 < SpaceBass> add net 10.1.1.0: gateway 10.250.1.2: route already in table 18:38 < krzie> ya no kidding 18:38 < krzie> theres already a 10.1.1.0 network local to it 18:39 < SpaceBass> see that now 18:39 < krzie> hrm wait no maybe not 18:39 < krzie> redo that pastebin 18:39 < krzie> i want routing table BEFORE AND AFTER starting openvpn 18:40 < krzie> so kill openvpn, paste routing table, start it, paste routing table after full connection made 18:40 < SpaceBass> going to bounce that remote box 18:40 < krzie> make sure the only openvpn process running is the road warrior one that should not conflict with the at all 18:40 < krzie> bounce? 18:40 < SpaceBass> reboot 18:40 < krzie> ok 18:41 < SpaceBass> meanwhile on the local box: 18:41 < SpaceBass> # openvpn ./server1.conf 18:41 < SpaceBass> add net 10.1.5.0: gateway 10.250.1.2 18:41 < SpaceBass> # 18:43 < SpaceBass> when I see that add net line, is that info only "? 18:43 < krzie> right 18:43 < krzie> no error should mean it added the route 18:44 < SpaceBass> cool 18:44 < SpaceBass> also, here is local conf again, where is the line that tells it the IP of the remote machine? 
http://pastebin.ca/1385474 18:45 < krzie> there isnt one, the other machine connects to this one 18:45 < krzie> although either or both can have remote entries 18:45 < SpaceBass> gotcha 18:46 < krzie> err wait 18:46 < SpaceBass> something's wrong on that end - gotta make a call 18:46 < krzie> either im blind or NEITHER have remote entries 18:46 < SpaceBass> thats what I was getting at 18:46 < krzie> as in neither is connecting to anything 18:46 < krzie> lol 18:46 < krzie> thats just remote 18:47 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 18:47 < HardDisk_WP> heya all 18:48 < HardDisk_WP> I have a small server sitting at home, and a laptop I use often with public WLANs 18:48 < krzie> whoa, a wikipedia spoof 18:48 < krzie> cool 18:48 < HardDisk_WP> I now want to use the small server at home (Debian Testing, NAT port forwarding is possible) to act as an internet gateway 18:49 < HardDisk_WP> so that no one can spoof data I send 18:49 < krzie> then you need: 18:49 < krzie> !def1 18:49 < HardDisk_WP> but, as a friend of mine has an iPod touch and also wants to use it 18:49 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:49 < krzie> !linnat 18:49 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 18:49 < krzie> !linipforward 18:49 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 18:49 < HardDisk_WP> can I make the VPN password-based? 18:49 < krzie> ipod doesnt have tuntap drivers, he cant use it 18:49 < HardDisk_WP> ah, ok. 18:49 < krzie> no matter what you do, until it has tuntap drivers hes SOL 18:50 < krzie> in fact i make a plea to the world in a script i wrote to make tuntap drivers 18:50 < krzie> !google krzee iodine 18:50 < vpnHelper> krzie: TipsAndTricks - iodine: ; #!/bin/sh ...: ; IP-over-DNS - Mac Forums: 18:50 < HardDisk_WP> i thought the ipods have some VPN capab, or is it another VPN technology they can? 18:50 < krzie> link #2 i make my plea 18:50 < krzie> they support pptp and ipsec 18:50 < krzie> !notcompat 18:50 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 18:51 < HardDisk_WP> Ah. 18:51 < HardDisk_WP> krzie, is this script what I think it is?? 18:51 < HardDisk_WP> DNS tunneling using OpenVPN? 
18:51 < krzie> lol, likely 18:51 < krzie> no 18:51 < krzie> using iodine 18:51 < krzie> its for automating the setup of routes for iodine 18:52 < krzie> since its a PITA to do manually everytime 18:52 < HardDisk_WP> "iodine lets you tunnel IPv4 data through a DNS server" 18:52 < HardDisk_WP> WOW. 18:52 < krzie> correct =] 18:52 < krzie> not good for fastness, but nice for those spots you can get dns but no inet 18:52 < HardDisk_WP> like our McDonald's. :D 18:52 < HardDisk_WP> Sounds cool, indeed. 18:53 < krzie> aye 18:54 < krzie> and you'll enjoy my script if you use it (i hope) 18:54 < HardDisk_WP> they kicked me out of #linux in efnet two months ago as I asked for help with setting up some other dnstunnel solution, lol 18:54 < krzie> and if someone gets tuntap working on iphone, please make me aware, im always here 18:54 < krzie> nstx? 18:55 < HardDisk_WP> no idea who it was... apparently they do not like anything POSSIBLY related to hacking over there^^ 18:55 < krzie> thats efnet 18:55 < krzie> (i been there since 94) 18:59 < krzie> i once got banned from #freebsdhelp for not talking for too long 18:59 < krzie> lol 18:59 < krzie> (efnet) 18:59 < krzie> all i could even say was "really?" 19:00 < HardDisk_WP> lol 19:00 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 19:00 < HardDisk_WP> krzie, query please? i dont want to reveal the pastebin with my network details that public 19:00 < krzie> and tunneling over dns is NOT hacking 19:01 < krzie> they allow a service, you use it as you feal suits you 19:01 < HardDisk_WP> I mentioned the fucking McDonald's hotspot, maybe because of this... 
19:01 < krzie> you dont break any security, dont crack anything, etc 19:01 < HardDisk_WP> exactly 19:01 < krzie> sure you can msg the pastebin if youd rather take the chance that others cant help you 19:01 < HardDisk_WP> mh ok^^ 19:01 < HardDisk_WP> http://pastebin.com/d18f989ac 19:01 < krzie> (theres often others here that find a solution when i dont) 19:02 < HardDisk_WP> contains some quick schema of everything I got available 19:02 < krzie> oh we're talking bout the dns tunnel now? 19:02 < krzie> you dont want openvpn over the dns tunnel 19:02 < HardDisk_WP> btw, does openvpn support IPv6? It'd be really cool to access IPv6 stuff also... 192.168.1.9 is acting as a SIXXS relay also 19:02 < HardDisk_WP> both 19:02 < krzie> dns tunnel is a terrible connection already, to tunnel over that tunnel you will have a SHITTY experience 19:03 < HardDisk_WP> i wanna have both OpenVPN and dnstunnel, if possible. the first for public WiFis, the dnstunnel for mcdonalds 19:03 < krzie> you'll be tunneling tcp over udp + encryption over udp dns 19:03 < krzie> the iodine docs will easily get you going with iodine 19:03 < krzie> lets seperate those 2 setups 19:03 < HardDisk_WP> yep, thats what I thought. 
19:04 < krzie> ill help with openvpn, use iodine docs for iodine, its simple 19:04 < HardDisk_WP> OpenVPN via DNStunnel, I think this is overkill =) 19:04 < HardDisk_WP> kk, so let's start w/ openvpn :) 19:04 < krzie> not only overkill, it will be a terrible connection 19:04 < krzie> ok 19:04 < HardDisk_WP> package is installed already 19:04 < krzie> !sample 19:04 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:04 < krzie> !linnat 19:04 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:04 < krzie> !linipforward 19:05 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:05 < krzie> !def1 19:05 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:05 < krzie> thats everything you need to know 19:05 < krzie> heres a sweet tool for managing your ssl certs 19:05 < krzie> !ssl-admin 19:05 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 19:05 < HardDisk_WP> ok. what about the keys? 
19:06 < krzie> openvpn docs will walk you through easy-rsa if you want, personally i dont like easy-rsa 19:06 < krzie> niether does ecrist, so he made ssl-admin 19:06 < krzie> which i must say rocks 19:06 < HardDisk_WP> it's not in debian, I fear? ;) 19:06 < krzie> svn 19:06 < krzie> subversion 19:06 < HardDisk_WP> kk 19:07 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 19:07 < HardDisk_WP> what's the checkout URL? https://www.secure-computing.net/svn/trunk/ssl-admin/ 19:07 < vpnHelper> Title: svn - Revision 43: /trunk/ssl-admin (at www.secure-computing.net) 19:07 < HardDisk_WP> ? 19:07 < krzie> !ssl-admin 19:07 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 19:07 < krzie> #2 19:07 < krzie> ya prolly better one you psated 19:07 < krzie> pasted 19:07 < HardDisk_WP> kk thanks 19:07 < krzie> np 19:08 < krzie> so what do you do with wikipedia? 19:08 < krzie> <3 the wikipedia 19:09 < HardDisk_WP> I operate a popular IRC bot (shoulda be in >30 channels, I dunno exactly) for lots of wikipedia channels, and have over 13k edits in something like 4 years 19:09 < krzie> btw for dns tunnel you need 2 machines on the inet, 1 running a real NS and 1 running a fake one (iodined) 19:09 < krzie> ahh sweet 19:09 < krzie> like my bot in here? 19:10 < krzie> or hooked into wikipedia 19:10 < HardDisk_WP> vpnHelper is yours? 19:10 < vpnHelper> HardDisk_WP: Error: "is" is not a valid command. 19:10 < krzie> ya 19:10 < HardDisk_WP> nice :) 19:10 < krzie> | vpnHelper (i=vpn@unaffiliated/krzee/bot/vpnhelper) (unknown) 19:10 < HardDisk_WP> krzee, the IRC bot is only wikipedia-related, similar to your one. I did run a "real" wikipedia bot, though. 19:10 < krzie> coolness 19:11 < HardDisk_WP> .oO( and every of these bots is entirely php-written... I musta be insane. ) 19:12 < krzie> you wrote them? 
19:12 < krzie> mine just uses supybot (python) 19:14 < HardDisk_WP> I didn't write the IRC backend itself, I used the SmartIRC framework. But all the module code is from me... check it out : /msg unilinky help 19:15 < krzie> ahh werd 19:24 < HardDisk_WP> LXMUKS01:/static/ssl-admin# ./ssl-admin 19:24 < HardDisk_WP> Syntax error in ~~~ETCDIR~~~/ssl-admin/ssl-admin.conf 19:25 < krzie> grr 19:25 < krzie> did you ./configure? 19:26 < HardDisk_WP> yep... 19:27 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn 19:27 < qknight> hi 19:27 < HardDisk_WP> Ah. 19:27 < HardDisk_WP> I didn't make install :p 19:28 < qknight> i would like to connect two networks behind nat (the linuxservers i want to use to connect both networks is not the router) 19:28 < qknight> how would i do that? 19:28 < HardDisk_WP> krzie, do you have write access to the repo? the makefile assumes it runs on mac os x and so the "wheel" group is present 19:31 < HardDisk_WP> and what is the $ENV{'KEY_CN'} = ""; 19:31 < HardDisk_WP> for? 19:32 < SpaceBass> krzie, minor crisis averted - had a huge routing problem when I rebooted the remote box 19:34 < krzie> prolly common-name 19:34 < krzie> i do have write access 19:34 < krzie> if you wanna fix the makefile it would be cool =] 19:34 < krzie> i made configure and edited the makefile to make it work on linux best i could 19:34 < krzie> but im no coder 19:34 < krzie> just a scripter 19:35 < krzie> doesnt linux have wheel group...? 19:37 < HardDisk_WP> apparently not, it fucked up here. maybe it' s debian specific 19:38 < krzie> odd, i tested it in ubuntu 19:38 < krzie> which is based on debian i believe 19:39 < HardDisk_WP> ubuntu is based on debian, nothing more^^ 19:40 < qknight> s/based/derived/ 19:41 < HardDisk_WP> krzie, http://pastebin.com/m758b0b8a line 43 :X 19:42 < krzie> gotchya 19:43 < krzie> hrm, prog 19:44 < krzie> odd, is the prog dir there? 19:44 < HardDisk_WP> yes 19:44 < krzie> are you root? 
19:44 < krzie> if not, do you have perms to write there? 19:45 < krzie> index.txt should be a file you would be making 19:45 < HardDisk_WP> i am root 19:49 < krzie> hrm 19:49 < krzie> i wonder why you cant make the file then 19:49 < krzie> any file exist there? 19:52 < HardDisk_WP> mnslu:/etc/ssl-admin# ls prog/ 19:52 < HardDisk_WP> crl.pem index.txt index.txt.attr install serial 19:57 < krzie> ls -la that dir 19:59 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 19:59 < HardDisk_WP> krzie, http://pastebin.com/m6d3d32b7 20:00 < karlpinc> krzie: Agonized screaming email sent to dev list. Well, agonized anyway. 20:00 < SpaceBass> progress krzie 20:00 < SpaceBass> remote - http://pastebin.ca/1385540 20:01 < krzie> HardDisk_WP, and /etc/ssl-admin has o+rx? 20:01 < krzie> err 7xx rather 20:02 < HardDisk_WP> drwxr-xr-x 7 root root 4.0K Apr 8 02:40 . 20:02 < HardDisk_WP> (run in /etc/ssl-admin) 20:05 < krzie> hrmz 20:05 < krzie> whoami 20:06 < krzie> (i know you said you're root, and smart enough that i shouldnt even need that) 20:06 < krzie> but i have no clue what else would stop that from being written 20:07 < HardDisk_WP> mnslu:/etc/ssl-admin# whoami 20:07 < HardDisk_WP> root 20:07 < HardDisk_WP> mnslu:/etc/ssl-admin# id -a 20:07 < HardDisk_WP> uid=0(root) gid=0(root) groups=0(root) 20:10 < HardDisk_WP> krzie, manually editing the file works 20:10 < HardDisk_WP> oh, of course 20:10 < HardDisk_WP> # 20:10 < HardDisk_WP> # 20:10 < HardDisk_WP> 1986:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/ssl-admin/prog/index.txt','r') 20:10 < HardDisk_WP> it's opened for *read*, not write. 20:10 < HardDisk_WP> maybe the ssl-admin creates it automatically, when closing 20:10 < HardDisk_WP> which would explain its existance after quitting ssl-admin 20:11 < krzie> ecrist would know best 20:12 < HardDisk_WP> do you know when he's online? 20:12 < ecrist> I know nothing 20:12 < ecrist> what? 
20:13 < krzie> ssl-admin woes 20:13 < krzie> debian 20:14 < ecrist> ack, use a real OS, like freebsd. :) 20:14 < krzie> lol 20:14 < ecrist> HardDisk_WP: what version of ssl-admin? from SVN? 20:14 < HardDisk_WP> Yep 20:15 < ecrist> ok, lemme pull a copy and 'start from scratch' with you 20:15 < HardDisk_WP> 'kay, I'll delete the /etc directory and make install again 20:16 < ecrist> is there a linux installer? oh yeah, krzie did it. 20:16 < krzie> he said he has no wheel group in debian 20:17 < HardDisk_WP> fixed that problem in the makefile, actually 20:17 < HardDisk_WP> simply changed the -g parameter in install 20:17 < ecrist> ah, that would cause a problem. 20:17 < ecrist> hrm, thought it was 0:0 rather than root:wheel. 20:17 < krzie> and i admit while my linux changes were ugly, they worked when testing on debian, redhat and gentoo 20:18 < HardDisk_WP> ah. maybe the wheel group gets created in the desktop versions ^^ 20:18 < HardDisk_WP> this install is a really bare one, i hand-selected every package. 20:18 < krzie> gentoo ;] 20:18 < krzie> but ya 20:19 < krzie> err 20:19 < krzie> i said debian 20:19 < krzie> i meant tested on ubuntu redhat and gentoo 20:19 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:19 < krzie> no deb 20:19 < krzie> although i did just install deb on a vm at home 20:20 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit] 20:21 < ecrist> HardDisk_WP: all the install/configure things do is setup correct pathing. 20:22 < krzie> aye 20:22 < HardDisk_WP> yep, that's what I could see from their code 20:22 < ecrist> 'their' is me and krzie, btw 20:22 < ecrist> I wrote ssl-admin, krzie's fixed a couple bugs for me. ;) 20:23 < krzie> although im to blame for the ugly stuff :p 20:23 < ecrist> krzie: ssl-admin doesn't seem to work on mac os x 20:23 < ecrist> :( 20:23 < krzie> umm, ive used it 20:23 < krzie> osx is my primary desktop 20:23 < ecrist> oh, durrr 20:24 < krzie> i can test again when i get home tho 20:24 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 20:24 < krzie> HardDisk_WP the paths right from configure for debian? 20:25 < HardDisk_WP> yes 20:25 < krzie> sweet 20:25 < ecrist> Syntax error in ~/Library/ssl-admin/ssl-admin.conf 20:25 < ecrist> grr 20:26 < krzie> latest svn? i dont see how that would happen in osx and not bsd 20:27 < ecrist> yeah, latest svn. here's why: 20:27 < ecrist> my $result = do $config_file; 20:27 < ecrist> die "Syntax error in $config_file\n\n" unless ($result); 20:27 < ecrist> I think. 20:28 < ecrist> blast, I'm to 'blame' 20:29 < krzie> ? 20:30 < ecrist> I don't know, something's not being executed correctly. 20:30 < krzie> trace it? 20:30 < HardDisk_WP> can I help you, or is this mac os specific? 20:31 < krzie> seems osx but dont see how since its perl 20:31 < ecrist> not sure. been a while since I've looked at this code. got another pet project currently. 20:31 < krzie> maybe diff perl vs than i use... 20:31 < krzie> i have bunches of stuff from macports... could have updated perl 20:34 < ecrist> I think ~ isn't being expanded correctly. 20:35 < krzie> oh does perl no likee? 20:35 < krzie> if thats it just use /Library 20:35 < krzie> put it global instead of user 20:36 < ecrist> ok, it's the ~ that's not being expanded in perl 20:38 < ecrist> committed 20:39 < krzie> i like user better tho 20:39 < krzie> because of filevault 20:39 < krzie> encrypts homedir only 20:39 < ecrist> yeah, me too. 20:39 < ecrist> could be a work around of some kind.
would have to be some glob of shell for current user 20:40 < krzie> easy one 20:40 < ecrist> however, doing this removes the ability of separate admins running the program 20:40 < krzie> just /Users/`whoami`/Library 20:40 < krzie> true 20:40 < ecrist> could be a configure option, ala windows. 20:40 < ecrist> 'Install for just this user, or all users?' 20:41 < krzie> also true 20:41 < krzie> and only for osx 20:41 < krzie> easily done 20:41 < krzie> i can do that later if ya like 20:41 < krzie> when im home 20:41 < ecrist> at this point, why not write a cocoa front-end, too? 20:41 < krzie> lol 20:41 < ecrist> sure, have at it. :) 20:42 < ecrist> ok, fixing the paths fixes the error 20:42 < ecrist> there's a missing check, though, which I'm going to fix now. 20:43 < krzie> did you see what his error was? 20:43 < krzie> http://pastebin.com/m758b0b8a 20:43 < krzie> line 43 20:43 < ecrist> he got quiet, so I assumed he left. 20:44 < krzie> nah he just couldnt help with the osx specific stuffs 20:44 < ecrist> will look into this when i fix the latest bug 20:44 -!- ben1597 [n=ben1597@c-24-245-3-7.hsd1.mn.comcast.net] has joined ##openvpn 20:44 < HardDisk_WP> no i am still here ecrist / krzie 20:44 < HardDisk_WP> don't worry =) 20:44 < ecrist> HardDisk_WP: lemme fix this minor issue I discovered and I'll look at your problem. 20:45 < HardDisk_WP> just goin to grab something to eat, it's 03:45 here :p 20:48 < ecrist> w00t! my fixes work, make the program a little more usable on initial run, and fixed an OS X install issue. 20:49 < ecrist> I really should work more on this program. 20:49 < ecrist> packaging it for freebsd is *such* a PITA, though. 20:50 < HardDisk_WP> but easier than debian, probably 20:50 < ecrist> never looked into it, really. 20:50 < krzie> and since we dont use linux someone else would need to step in there 20:50 < ecrist> afaik, with linux, I just have to build a package and done. FreeBSD ports tree is a little involved. 
20:51 < krzie> a redhat guy was here talkin bout putting in their system, but i dunno if that ever happened 20:51 < ecrist> doh! I'm missing something, I think, krzie 20:51 < krzie> i talked to gentoo guys but they laughed at my weak hack of a configure/makefile and i dont think it was approved / taken on by one of their guys 20:52 < ecrist> Error Loading extension section v3_ca 20:52 < ecrist> 744:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name:v3_utl.c:319: 20:52 < ecrist> 744:error:2206B069:X509 V3 routines:X509V3_EXT_conf:invalid extension string:v3_conf.c:138:name=crlDistributionPoints,section= 20:52 < ecrist> 744:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=crlDistributionPoints, value= 20:52 < ecrist> OpenSSL exited with errors. Please read above and address the problems indicated. at /usr/local/bin/ssl-admin line 194, <> line 3. 20:52 < karlpinc> Seems to be a problem with 2.1 rc15 and nsis 2.44. SF_SELECTED winds up defined so install-win32/openvpn.nsi generates an error. I can't figure out what's setting it though, and don't know enough about nsis to know what to do about it. (An ifdef comes to mind...) 20:52 < krzie> doh! 20:53 < krzie> oh and that weird problem i had with dh keys being made is gone now, on a new install of the same exact snapshot of fbsd8-current 20:53 < ecrist> krzie: didn't you add something to the ssl config? I might be missing that. 20:54 < ecrist> v3_ca or something? 20:54 < krzie> i added the server stuffs 20:54 < krzie> to openssl.conf 20:54 < krzie> and added S option 20:54 < ecrist> I'm thinking we've been telling people to use svn when it's not been tested. 
20:54 < ecrist> :\ 20:55 < krzie> i tested it on osx/and 3 linux's before my commits 20:55 < krzie> and directly after 20:56 < ecrist> I need to give this script some attention, anyways 21:04 < ecrist> ok, the fresh install on my osx system gets the same error HardDisk_WP was getting 21:04 * ecrist puts on his 'TS' hat 21:05 < ecrist> the problem is with my logic in CRL generation 21:05 < HardDisk_WP> debugging time :) 21:06 < ecrist> ah, easy fix, I think. 21:13 < HardDisk_WP> ecrist / krzie: what timezone are you? 21:13 < ecrist> CST 21:13 < ecrist> for me 21:13 < krzie> im in AST 21:13 < krzie> which is = to EST right now 21:13 < ecrist> HardDisk_WP: I have the update placed in SVN. testing it now 21:15 < ecrist> grr 21:15 < ecrist> didn't quite fix it 21:28 < HardDisk_WP> ecrist / krzie i'm off to bed... i should be back in 5 hours or so 21:28 < ecrist> HardDisk_WP: ok 21:28 < ecrist> the main error is fixed 21:28 < ecrist> committed to svn 21:29 < HardDisk_WP> i can't test any more now... the nslu crashed and i'm too tired to run a full fsck on this slow USB disk^^ i'll test when I wake up 21:30 < HardDisk_WP> gn8 21:30 < ecrist> l8r 21:32 < krzie> nite 21:33 < krzie> hey HardDisk_WP 21:33 < krzie> http://xkcd.com/545/ 21:33 < vpnHelper> Title: xkcd - A Webcomic - Neutrality Schmeutrality (at xkcd.com) 21:33 < krzie> lol 21:33 < HardDisk_WP> rofl :D 21:41 < ecrist> ok, appears as though ssl-admin has the major bugs fixed. 21:41 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 21:46 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:53 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 21:58 < ecrist> krzie: you still around? 21:58 < ecrist> nm 21:59 < krzie> yup 21:59 < krzie> in and out for now 21:59 < ecrist> working on a freebsd ports-tree wrap for ssl-admin 21:59 < ecrist> my head is spinning 21:59 < krzie> in shell? 21:59 < ecrist> ? 22:00 < krzie> shell script?
22:00 < ecrist> oh, already have that. trying to figure out what the fuck it was doing. 22:00 < ecrist> think it was written before you did your linux stuff 22:01 < krzie> ahh 22:13 < ecrist> grr 22:13 < ecrist> I just spent an hour undoing what shouldn't have been undone. 22:14 < ecrist> *BANG* 22:14 < dan__t> WHAT 22:14 < dan__t> WHAT 22:14 < dan__t> WHAT 22:14 < dan__t> I'll make an RPM for it. 22:14 < ecrist> that would be great! 22:14 < dan__t> rpm is my bitch++ 22:21 < krzie> what what 22:21 < krzie> in the butt 22:28 < ecrist> ok, patch built, and tested. submitting pr 22:39 < ecrist> sent. I'm off to bed. 22:39 < ecrist> l8r 22:39 < ecrist> dan__t: let me know if you need anything from me to build the RPM 22:39 < ecrist> the entire SVN tree is world-readable 22:40 < dan__t> werd 22:40 < dan__t> thanks. 22:40 < ecrist> Collaborative Fusion, inc claimed they were going to help develop it back in February, but that was the last I ever heard. 22:41 < ecrist> oh well. g'night. 22:45 < dan__t> I can't develop. 22:45 < dan__t> But I can roll krzie's cheating wife in to an RPM. 22:47 < dan__t> ;) 22:47 < krzie> wife? hahaha you really dont know me 22:49 < dan__t> hahaha 22:49 < dan__t> I was going to say "dead wife" but I thought you might get mad. 22:50 -!- ben1597 [n=ben1597@c-24-245-3-7.hsd1.mn.comcast.net] has quit ["Leaving"] 22:58 < karlpinc> fyi, OpenSSL CVE-2009-0590 and CVE-2009-0789: ASN.1 are out 22:58 < dan__t> nice. 22:59 < karlpinc> I finally got a working build on Windows. *blech* 22:59 < dan__t> What do you mean finally? 22:59 < dan__t> What was wrong with it? 22:59 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:00 < karlpinc> dan__t : It took 14 hours. Mostly being on Windows was wrong with it. 23:00 < dan__t> Noted. 23:00 < dan__t> Why'd it take so long?
23:00 < karlpinc> There's 2 bugs in 2.1 rc15 with MinGW 5.1.4 23:00 < theDoc> Hi all :) 23:01 < karlpinc> The first is that openvpn cryptoapi.c assumes mingw does not know about the full win crypto api, but now it does so the code breaks. 23:01 < dan__t> I see. 23:02 < dan__t> Which, OpenVPN itself, or OpenVPN GUI? 23:02 < karlpinc> The second is that with nsis 2.44 SF_SELECTED is set but install-win32/openvpn.nsi sets it anyway so there's an error when the installer is built. 23:03 < karlpinc> dan__t : OpenVPN itself. 23:03 < karlpinc> dan__t : It depends on what version of mingw you're using as to whether you need the #ifdef(s). 23:03 < dan__t> Ah. 23:03 < dan__t> Understood. 23:03 < dan__t> Is OpenVPN GUI going to be around for a while you suppose? 23:03 < karlpinc> dan__t : It's now packaged with openvpn. I hope so. ! 23:04 < karlpinc> dan__t : I'm relying on it. 23:04 < dan__t> I didn't know it was. 23:04 < dan__t> But that's bad-ass. 23:04 < dan__t> What are you doing with it? 23:05 < karlpinc> Uh, starting and stopping vpn tunnels. :-) 23:05 < dan__t> heh 23:05 < karlpinc> I'm deploying it. 23:06 < dan__t> rad 23:07 < karlpinc> dan__t : But what really took so long is that about 6 months ago I tried to get a Logitech quickcam working. It left cruft on the XP box, even though uninstalled, that runs and interferes with cygwin/msys in truly random and bizarre ways. That took a good 5 hours. Just another day in MS Windows land. 23:07 < dan__t> haha. 23:08 < karlpinc> dan__t : Made even more special by the fact that the camera never did work. 23:08 < dan__t> haha 23:08 < dan__t> Well. Right now I'm waiting on WHMCS 23:08 < dan__t> Its not working as I expected it to, for sure. 23:08 < karlpinc> dan__t : ? 23:08 < dan__t> Suspend and Unsuspend action hooks are not working as expected. 23:08 < karlpinc> dan__t : WHMCS? 23:09 < dan__t> Billing system. 23:10 < karlpinc> dan__t : Any good? 23:11 < dan__t> I've been through them all.
23:11 < dan__t> And this is the one that I've found that works the best. 23:11 < dan__t> I've done ModernBill, Ubersmith, HSPC, ClientExec, and many others 23:12 < karlpinc> dan__t : If it's not FOSS I tend to stay away. Spent too much brain on stuff that's long gone. Sometimes you need what you need though. 23:13 < dan__t> Believe me, I've searched through and through for some FOSS application that does 1/2 of what any of these commercial systems do. 23:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)] 23:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 23:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:27 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 23:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)] 23:38 < dan__t> so, karlpinc the GUI is now packaged with OpenVPN? 23:38 < dan__t> Can I still build it with NSIS and stuff? 23:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN --- Day changed Wed Apr 08 2009 00:07 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:09 -!- rodpod [n=rod@hick.org] has joined ##openvpn 00:18 -!- WormFood [n=wormfood@58.60.118.151] has joined ##openvpn 00:22 < WormFood> can openvpn, in server mode, support both udp and tcp? 00:25 < dan__t> I do not believe it can support both. 00:25 < dan__t> I gave up on trying to use UDP because so many bullshit routers make it suck. 00:30 < MarcWeber> Is there a way to make openvpn connect to a server A if it's reachable and B if A is down? 00:30 < dan__t> Just list different 'remote' lines. 00:37 < WormFood> MarcWeber, you can script that 00:37 < MarcWeber> WormFood What do you mean? while true; do if ping -c1 $server1; use_server_1 else use_server_2; fi; done? 00:40 < dan__t> Use two 'remote' lines. 00:40 < dan__t> As many as you wish. 00:40 < dan__t> That's what they're there for.
00:46 < WormFood> something like that 00:48 < WormFood> "On the client, multiple --remote options may be specified for redundancy, each referring to a different OpenVPN server." <-- straight from the openvpn man page 00:48 < WormFood> did you try that? 00:48 < dan__t> And didn't Marc Weber retire? 00:49 < WormFood> The OpenVPN client will try to connect to a server at host:port in the order specified by the list of --remote options. The client will move on to the next host in the list, in the event of connection failure. 01:00 < MarcWeber> dan__t: retire ? :-) That wasn't me then. I'll try multiple remote settings. Thank you! 01:00 < dan__t> F1 driver... 01:00 < dan__t> nevermind heh 01:06 < reiffert> moin 01:06 < reiffert> WormFood: udp+tcp: no. 01:07 < reiffert> dan__t: Webber with double b. 01:08 < dan__t> heheh 01:11 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn 01:23 < theDoc> Anyone might have an idea what could be throwing this error up? write UDPv4: No Route to Host (WSAEHOSTUNREACH) (code=10065) 01:23 < theDoc> Oh wait, might be a user error 01:27 < theDoc> Stupid user. Disconnecting from his own wifi network and wondering why he can't connect to the vpn. 01:27 < theDoc> >:o 01:27 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 01:32 < ftp3> hey.. i am trying to automagically generate a openssh installer with the keys to email to my "people" :). I know that untangle does this, but i cannot find any tutorial or instructions.. anyone have any ideas for me? 01:35 < dan__t> For which part exactly? 01:40 < ftp3> well, i want to do this automagically on my linux box 01:41 < ftp3> so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it 01:42 < ftp3> does that make sense?
01:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:47 < kraut> moin 01:47 < krzee> moin 01:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 03:04 < MarcWeber> push "x"; What is x to set the ip address of a client ? I'd like to assign them using client-config-dir 03:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:07 < MarcWeber> Can I push an "ifconfig" command? 03:08 < MarcWeber> It's not listed in the list of --push 03:18 < krzee> !static 03:18 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd 03:18 < krzee> =] 03:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:35 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn 03:36 < ]Sintax[> what's the deal with init-config ? i've seen a cpl tutorials online now that mention it and i can't find it on my system 03:37 < krzee> init-config? 
03:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 03:37 < ]Sintax[> yes 03:37 < ]Sintax[> http://blog.innerewut.de/2005/7/4/openvpn-2-0-on-openbsd like here for example 03:37 < vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de) 03:38 < krzee> oh part of the easy-rsa script 03:38 < krzee> better to just use ssl-admin anyways 03:38 < krzee> !ssl-admin 03:38 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 03:38 < krzee> find / -name easy-rsa 03:38 < krzee> its there somewhere 03:39 < ]Sintax[> ok thank you ill check into that 03:39 < krzee> but ssl-admin will make making your certs easy and damn near fun 03:39 < krzee> at least it was that way for me 03:39 < krzee> was/is 03:40 < ]Sintax[> ill just be excited if i can get openvpn working in the first place with what im trying to do haha 03:40 < krzee> whats that 03:41 -!- lolipop [n=ice_crea@219.94.54.133] has joined ##openvpn 03:41 < ]Sintax[> well theres no reason for what im doing other than to get some more experience but i've got an OpenBSD 4.4 machine here and just installed OVPN on it and am going to try a site-site setup to connect to a 4.4 OBSD VMware machine i've setup inside my friends network across the inet 03:42 < ]Sintax[> if i figure it out i might write a HOWTO since there seems to be a lack of them 03:42 < krzee> ok well a) 03:42 < krzee> init-config is part of easy-rsa 03:42 < krzee> which is for certs 03:42 < krzee> which is for server/client 03:42 < krzee> site-site is ptp 03:42 < krzee> non server/client 03:43 < krzee> b) if you want experience maybe you want server/client instead of site-site 03:43 < krzee> in which case heres what you want: 03:43 < ]Sintax[> that might be easier to start with eh?
server/client 03:43 < krzee> !ssl-admin 03:43 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 03:43 < krzee> for making the certs 03:43 < krzee> !sample 03:43 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 03:43 < krzee> a basic generic config 03:43 < krzee> (mine) 03:43 < krzee> !route 03:43 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:43 < ]Sintax[> init-config doesnt exist on my box 03:43 < krzee> my walkthrough on routing to lans 03:44 < krzee> well i guess whatever package manager you installed from didnt give you it 03:44 < ]Sintax[> i used ports 03:44 < krzee> (obviously you used one since its in the source) 03:44 < ]Sintax[> on openbsd 03:44 < krzee> dunno its in freebsd ports 03:44 < krzee> but i dont use obsd 03:44 < ]Sintax[> weird.. 03:44 < ]Sintax[> i wonder if a package would have had it 03:44 < krzee> i guess it follows their slogan tho 03:44 < krzee> "unusable by default" 03:44 < krzee> ;] 03:44 < ]Sintax[> will your setup here work for single interface machines? most tutorials ive found are for dual-nic machines 03:45 < ]Sintax[> Haha 03:45 < krzee> openvpn NEVER needs dual nic 03:45 < krzee> which is why reading the manual > reading google's howtos 03:45 < krzee> but you must have tuntap in the kernel or the kernel mod 03:46 < krzee> err tun i mean for obsd 03:46 < krzee> since theres no true tap for obsd 03:46 < ]Sintax[> well i think those scenarios are for machines running as NAT/Router devices you know? 
internal and external interfaces 03:46 < krzee> whatever 03:46 < krzee> you never need 2 devices for openvpn 03:46 < ]Sintax[> good to know 03:47 < krzee> now since you're just doing this to play 03:47 < krzee> after you get that working... 03:48 < krzee> then move on to connecting your own client in from mobile laptop 03:48 < krzee> to encrypt your connection through the vpn in hostile lans 03:48 < krzee> for that you'll need: 03:48 < krzee> !def1 03:48 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 03:48 < ]Sintax[> that sounds like fun 03:48 < krzee> and on the server you will need: 03:48 < krzee> ip forwarding turned on 03:48 < krzee> NAT enabled for the vpn network 03:49 < krzee> and for every command you see in my config and in your final configs 03:49 < krzee> !man 03:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:49 < krzee> read what they do! 03:49 < krzee> *back to securing the webserver for me* 03:50 < krzee> if you come across ?'s feel free to ask 03:50 < ]Sintax[> thanks a bunch ! 
03:50 < krzee> yw 03:50 < ]Sintax[> appreciate it 03:51 < krzee> make sure to read !route carefully 03:51 < krzee> it has a ton of info packed into a lil writeup 03:51 < ]Sintax[> okay 04:10 < ]Sintax[> i dont think im going to have much luck getting ssl-admin running on openbsd 04:10 < krzee> just grab from svn 04:10 < krzee> all it requires is perl and openssl 04:10 < krzee> and zip for 1 feature if you use it 04:11 < ]Sintax[> im not sure why SVN for OBSD wants to install a bunch of apache deps and such 04:11 < krzee> lame 04:11 < ]Sintax[> im downloading all the files 1 by 1 04:11 < krzee> subversion shouldnt need apache 04:11 < krzee> lol obsd 04:11 < krzee> wget for the win? 04:11 < ]Sintax[> yep! 04:11 < ]Sintax[> ftw 04:12 < krzee> note i never tested the lil configure stuff i added for linux on obsd 04:12 < krzee> it was written by ecrist for fbsd 04:12 < ]Sintax[> ah 04:12 < krzee> (which i also use) 04:12 < krzee> and im no coder by any definition, but i script a bit 04:13 < krzee> so i added a configure script to rewrite the makefile to let it install to right places in linux 04:13 < krzee> if that doesnt work right on obsd just mod the makefile manually 04:13 < ]Sintax[> maybe with a little tweaking i can get it to work 04:13 < krzee> easy to see what it wants 04:13 < krzee> it would be very slight tweaking 04:13 < krzee> and obvious what it wants 04:14 < krzee> but likely = to fbsd 04:14 < ]Sintax[> ok i've got the whole dir downloaded 04:14 < ]Sintax[> typical ./configure ? 04:14 < ]Sintax[> or perl ssl-admin ? 
04:16 < krzee> configure 04:16 < krzee> then make install 04:16 < krzee> then ssl-admin 04:16 < ]Sintax[> configure failed horribly 04:16 < krzee> although you must edit a config file first 04:16 < krzee> then mod it 04:16 < krzee> i warned ya 04:16 < ]Sintax[> ah 04:16 < krzee> just mod the makefile 04:16 < ]Sintax[> lol im no coder either ;-p 04:16 < krzee> read the configure and makefile 04:16 < krzee> its simple shell script 04:17 < ]Sintax[> i need to edit ETCDIR?=VARETC and the other two correct ? 04:17 < krzee> i dont have the files in front of me 04:18 < krzee> but i have a sed expression editing it 04:18 < krzee> for each 04:18 < krzee> just do my sed manually for what it should be on your OS 04:19 < ]Sintax[> hmm 04:19 < ]Sintax[> feeling like an idiot for not knowing what to do here lol, although it is overly complicated for being on OpenBSD ya know 04:20 < ]Sintax[> well sed -i isnt valid on here so i dont know what -i does on your system 04:20 * ]Sintax[ smashes openbsd 04:20 < krzee> s/oldstring/newstring/ 04:20 < krzee> edits files in place 04:20 < krzee> (-i) 04:21 < ]Sintax[> mine only has -a -e -f -n -u lol 04:21 < krzee> which is what you'll be doing manually 04:21 < ]Sintax[> http://pastebin.ca/1385811 04:21 < krzee> since without that or redirection it would print to stdout 04:22 < krzee> just pastebin the configure and Makefile 04:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:22 < ]Sintax[> http://pastebin.ca/1385812 configure 04:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:23 < ]Sintax[> http://pastebin.ca/1385812 configure and makefile is http://pastebin.ca/1385813 04:26 < krzee> oh i see 04:26 < krzee> i did check out openbsd's filestructure 04:27 < krzee> i just didnt check their sed 04:27 < krzee> weaksauce no in-line sed for obsd 04:27 < ]Sintax[> isnt that weird lol 04:27 < ]Sintax[> sed is different from free/openbsd 04:28 < krzee> ok so check this out 04:28 < krzee> 
s+VARETC+/etc+g 04:28 < krzee> that is a switch regular expression 04:28 < krzee> means 04:28 < krzee> take VARETC and change it with /etc globally 04:28 < krzee> so for every instance of VARETC in the Makefile, replace it with /etc 04:28 < krzee> go do that 04:29 < krzee> then do the same for the other 2 04:29 < ]Sintax[> so i dont need to bother with the configure do i? 04:29 < krzee> nope 04:29 < krzee> just do what it does manually 04:29 < krzee> but then theres 1 more thing when you're done 04:29 < krzee> cause the last 1 04:29 < krzee> has its own sed -i 04:29 < ]Sintax[> cant i just edit ETCDIR?=VARETC and put /etc ? 04:30 < krzee> you just remove VARETC and make it /etc 04:30 < krzee> ETCDIR?=/etc 04:30 < ]Sintax[> hmmm see if i can remember what VARMAN should be 04:30 < krzee> you should prolly be using an easier OS if you dunno regular expressions 04:31 < ]Sintax[> no i mean.. which man it wants 04:31 < krzee> here comes the bitch 04:31 < ]Sintax[> bin/man or local/man or share/man ;-p 04:32 < krzee> you will need to edit ssl-admin itself 04:32 < krzee> and remove a line from the Makefile 04:32 < ]Sintax[> hah 04:32 < krzee> shit i'm gunna hafta redo that Makefile cause of this 04:32 < krzee> gay ass obsd sed 04:33 < krzee> it doesnt matter which man dir 04:33 < krzee> as long as it is in your MANPATH it works 04:33 < ]Sintax[> ok i got those 3 variables changed 04:33 < krzee> ok 04:33 < krzee> ignore the 4th 04:34 < krzee> now remove line 18 from Makefile 04:34 < krzee> SEDCMD "s+~~~ETCDIR~~~+${ETCDIR}+g" ssl-admin 04:34 < krzee> then go into ssl-admin 04:34 < krzee> manually 04:34 < ]Sintax[> ok 04:35 < krzee> search and replace ~~~ETCDIR~~~ with your etc dir 04:35 < ]Sintax[> which is just /etc right 04:35 < krzee> ya 04:36 < krzee> (in freebsd we prefer /usr/local/etc/ for 3rd party software as to not confuse from base software) 04:36 < krzee> but you can read about that in man hier someday on fbsd ;] 04:36 < krzee> after that (no more instances of 
~~~ETCDIR~~~ exist in ssl-admin), make install 04:37 < ]Sintax[> i used to use freebsd alot but now im playing with openbsd for a bit 04:38 < ]Sintax[> hmmm did something wrong 04:38 < krzee> btw theres nothing you have seen yet that isnt a standard command in the commandline 04:39 < ]Sintax[> http://pastebin.ca/1385828 04:39 < ]Sintax[> im not sure if its printing those sed lines as if they worked or didnt 04:39 < krzee> hah 04:39 < krzee> install doesnt have -v in obsd 04:39 < ]Sintax[> figures 04:40 < krzee> shit i think i should be writing notes on this 04:40 < krzee> just remove the -v's 04:40 < ]Sintax[> i can log the channel and you can go back through it 04:40 < krzee> its just for verbosity 04:40 < krzee> oh right, we have it logged 04:40 < ]Sintax[> wow you'd think it would have that 04:40 < krzee> !irclogs 04:40 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 04:41 < krzee> err wait 04:41 < krzee> oh nm its good 04:41 < ]Sintax[> http://pastebin.ca/1385829 hows that ;-p 04:41 < krzee> just remove those -v's 04:42 < krzee> i assume its good 04:42 < krzee> we'll see 04:42 < ]Sintax[> well apparently some of it didnt work 04:42 < ]Sintax[> err wait 04:42 < krzee> whats the new error... 04:43 < ]Sintax[> its a user error :-D 04:43 < ]Sintax[> ok now just run ssl-admin right? 04:43 < krzee> aye 04:43 < ]Sintax[> after i edit* 04:45 < ]Sintax[> nice script 04:45 < krzee> thanx but from there on i cant take credit 04:45 < krzee> my work was what didnt work for you, lol 04:45 < ]Sintax[> one more for ya http://pastebin.ca/1385831 04:46 < krzee> did you edit your sample config? 
04:46 < krzee> (ike it told you you had to) 04:46 < ]Sintax[> $ENV{'KEY_CRL_LOC'} = "URI:https://www.secure-computing.net/crl.pem"; 04:46 < ]Sintax[> do i need to do one of those 04:46 < ]Sintax[> i left that line alone 04:46 < krzee> thats fine 04:46 < krzee> you arent at the point where you could possibly need a CRL 04:46 < krzee> you're just playing 04:46 < krzee> !crl 04:46 < vpnHelper> krzee: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 04:46 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you 04:46 < ]Sintax[> let me fix up the other conf file ;-p 04:47 < krzee> ok im gone 04:47 < krzee> gl to you 04:47 < ]Sintax[> http://www.ircpimps.org/openvpn.configs should be my server.conf ? 04:47 < ]Sintax[> thanks ! i'll get there! i might sleep first before i finish it heh 04:54 -!- Gumbler is now known as Gumbler|NotHere 04:54 -!- Gumbler|NotHere is now known as Gumbler 04:58 < MarcWeber> Which is the option to set the permanent tun device name to be used? 04:58 < dazo> MarcWeber: --dev tun0 ? 04:59 < MarcWeber> --dev tun0 --dev-type tun :-) 05:03 < dazo> MarcWeber: yeah, to be explicit ... --dev-type is normally only needed when you use another prefix than tun or tap on --dev ... 
but might be OS and ovpn version dependent 05:03 -!- WormFood [n=wormfood@58.60.118.151] has left ##openvpn ["Leaving"] 05:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 05:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:37 < HardDisk_WP> ping krzee 05:37 < HardDisk_WP> ping ecrist 05:38 -!- lolipop [n=ice_crea@219.94.54.133] has quit ["Konversation terminated!"] 05:53 -!- theDoc [n=andelyx@bb116-15-19-68.singnet.com.sg] has joined ##openvpn 05:59 -!- theDoc [n=andelyx@bb116-15-19-68.singnet.com.sg] has quit [] 05:59 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:59 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection] 06:05 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:14 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has joined ##openvpn 06:15 < hans67521> is openvpn access server free? 06:15 < hans67521> or free "as in beer" 06:17 < MarcWeber> hans67521: GPLv2 06:23 < hans67521> but why does it then need a license to install 06:24 < hans67521> which vpn setup the faster one, routing or bridging? 06:26 < theDoc> They both do different things. 06:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:33 < reiffert> free as in you send beer, I send openvpn 06:33 < reiffert> hans67521: routing 06:33 < reiffert> (faster setup) 06:56 < hans67521> i mean in terms of speed? 07:04 < reiffert> 1 setup per 10 minutes vs 1 setup per 20 minutes 07:05 < ecrist> ping pong! 07:12 < dazo> hans67521: nope ... Access Server is closed .... 
but seems to be only a management package around standard OpenVPN 07:15 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 07:15 * ecrist reads http://www.openbsd.org/ports.html#Create 07:15 < vpnHelper> Title: OpenBSD Ports and Packages (at www.openbsd.org) 07:20 < illio> Having a bit of trouble with setting openvpn up on an OpenWRT router.. Here's the server conf: http://pastebin.ca/1385933 .. and here's the client conf: http://pastebin.ca/1385937 .. Now when I try to connect to the server (which is running of course), I get this: http://pastebin.ca/1385939 .. So I immediately think "It's probably IPTables".. so I checked the /etc/firewall.user file on OpenWRT, but the OpenVPN stuff is there and should be work 07:20 < illio> ing: http://pastebin.ca/1385934 07:22 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has quit [] 07:22 < ecrist> illio: something is killing the process on your router 07:23 < illio> Hehe.. nevermind! 07:23 < illio> OpenVPN had crashed on the router for some unspecified reason.. so it actually wasn't running :-P.. oops 07:23 < illio> ecrist, that's obviously a possibility yes.. I'll have to keep an eye on it and see if it does it again.. I haven't noticed it before 07:23 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit ["Leaving"] 07:29 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 07:39 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"] 07:40 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 07:48 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)] 07:54 -!- FuraX [n=cp@umb-sls99-003.u-strasbg.fr] has quit [Remote closed the connection] 08:00 < HardDisk_WP> ecrist, did you manage to fix that script? 08:02 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 08:03 < illio> I'm a bit unsure if I got disconnected before sending my messages before.. so I'm just gonna repost them.. 
sorry if anyone gets a duplicate 08:03 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)] 08:03 < illio> I'm actually having one issue .. when I do get a connection to the vpn, my client says the following: http://pastebin.ca/1385964 .. and I can't access the internet, even though my server config here: http://pastebin.ca/1385933 .. should allow it... 08:03 < illio> according to the errors, it seems to be the route command 08:03 < illio> The local network with access to the internet at the vpn location is 192.168.1.x 08:03 < illio> and the actual device the vpn server is running on is 192.168.1.2 .. and the gateway is therefore 192.168.1.1 08:07 < ecrist> HardDisk_WP: yes, it was fixed right before you left. 08:07 < ecrist> updates are in svn 08:08 < HardDisk_WP> ok 08:08 < HardDisk_WP> lemme pull 08:09 < ecrist> illio: what's the IP address of the client machine, BEFORE connecting to the VPN? 08:11 < illio> ecrist, 192.168.1.114 08:11 < ecrist> that's your problem 08:12 < ecrist> you can't use 192.168.0/23 for VPNs, at the very least. you've got conflicting routes. 08:15 < illio> ecrist, so what could I use instead? 08:15 < illio> ecrist, how about something like 10.8.1.0? 08:16 < ecrist> illio: you need to setup your VPN lan to be something other than 192.168.x, and build from there. 08:16 < illio> ecrist, okay.. 
I'll try that 08:16 < ecrist> too many home routers use that address range, so you'll almost always have a conflict 08:16 < ecrist> !1918 08:16 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 08:16 < ecrist> any of those will work, even 192.168.8.0/24 would be fine 08:17 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn 08:18 < illio> ecrist, okay thanks man 08:18 < ecrist> np 08:21 < HardDisk_WP> ecrist, this is current ssl-admin.conf http://pastebin.com/m14f829fd 08:21 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)] 08:22 < ecrist> ok, still throwing errors? 08:22 < HardDisk_WP> no, I'm gonna run it now 08:22 < HardDisk_WP> or did I fuck sth. up in the conffile? 08:22 < ecrist> nope, config looks ok 08:23 < HardDisk_WP> kk 08:23 < HardDisk_WP> ===> Moving certficate and key to appropriate directory. 08:23 < HardDisk_WP> Creating initial CRL...Using configuration from /etc/ssl-admin/openssl.conf 08:23 < HardDisk_WP> FAILssl-admin installed Wed Apr 8 15:23:26 CEST 2009 08:23 < HardDisk_WP> I can't find your OpenVPN client config. Please copy your config to 08:23 < HardDisk_WP> /etc/ssl-admin/packages/client.ovpn 08:23 < HardDisk_WP> this comes before the menu screen 08:24 < ecrist> yeah, that FAIL is a misnomer, it actually works. haven't figured out how to get rid of the error. 08:24 < ecrist> the CRL does get created, though 08:24 < HardDisk_WP> ah ok 08:25 < ecrist> really, I need to start using the perl ssl module, rather than the commandline openssl 08:25 < HardDisk_WP> ecrist, ok, so what do I have to do now to get openvpn server running on the NSLU? In the end, it should be so that the laptop would behave exactly as if it were attached directly to the router where the NSLU also is 08:27 < ecrist> HardDisk_WP: what types of network traffic do you need passed? 
(what programs/protocols?) 08:31 < HardDisk_WP> if possible, everything - it'd be that cool to be able to access this streaming stuff from my NAS also from outside 08:31 < HardDisk_WP> i think what i need is called bridging, correct me if i'm wrong 08:31 < ecrist> tun is probably all you need. 08:31 < ecrist> !freebsd 08:31 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:32 < HardDisk_WP> ok 08:32 < ecrist> some of that link is installation on freebsd, but the majority of it should apply 08:32 < MarcWeber> ifconfig-push 10.9.0.10 10.9.0.9 08:32 < MarcWeber> Why are there two ips ? 08:33 < ecrist> one is remote endpoint, one is local endpoint 08:33 < ecrist> !/30 08:33 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 08:33 < HardDisk_WP> ecrist, uh, there's no KEY_DIR in my version of ssl-admin.conf 08:34 < ecrist> can you paste the error? 08:35 < ecrist> KEY_DIR is a variable that should have been set by ./configure 08:36 < HardDisk_WP> Lastly, your KEY_DIR directory must already exist, or the script will error out. In our test installation here, we need to create this directory: 08:36 < HardDisk_WP> mkdir /usr/local/etc/openvpn/ssl 08:36 < HardDisk_WP> ah okay 08:36 < ecrist> oh, that page needs to be updates 08:36 < ecrist> updated* 08:36 < HardDisk_WP> ah, ok^^ 08:36 < ecrist> ssl-admin used to be a much simpler perl script, which would auto-install itself. 08:36 < ecrist> that's not the case anymore. 
08:37 < ecrist> you've already done all the setup for ssl-admin, ignore those parts of that wiki page 08:37 < HardDisk_WP> kk 08:38 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 08:42 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 54 (Connection reset by peer)] 08:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 08:45 < HardDisk_WP> ecrist, do I have to run openssl dhparam -out KEY_DIR/active/dh1024.pem 1024 ? 08:47 < reiffert> HardDisk_WP: no, just read the howto. 08:48 < reiffert> ah, ssl-admin, sorry, /me shuts up 08:49 < MarcWeber> What makes a ptp link that special that it has to be emulated for win32 TUN/TAP driver emulations? 08:49 < HardDisk_WP> ecrist, uh... your server config example... it makes clients have their own network 08:51 < ecrist> what do you mean? 08:51 < MarcWeber> ecrist: I just don't understand that part yet. 08:51 < HardDisk_WP> server - The IP address and subnet the virtual interface should have. Your clients will get addresses on this network. 08:51 < ecrist> HardDisk_WP: yes, that's correct 08:52 < ecrist> MarcWeber: windows sucks, that's all 08:52 < ecrist> it's been fixed in 2.1, iirc 08:52 < ecrist> !topology 08:52 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 08:52 < MarcWeber> When using --server 10.8.0.0 255.255.255.0 this expands to "... ifconfig 10.8.0.1 10.8.0.2 08:52 < MarcWeber> ..." 08:56 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 08:56 < ecrist> MarcWeber: yes, we're aware. 
08:58 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Leaving"] 08:59 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Connection timed out] 09:00 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn 09:00 < HardDisk_WP> ecrist, http://pastebin.com/m48030c38 this is the network setup 09:01 < HardDisk_WP> using your server.conf would give my laptop some 172.30.x.x address, right? 09:04 < MarcWeber> What kind of data comes out of the application side of a tun/tap device? kind of stdin/stdout binary stream representing packets? 09:04 < ecrist> HardDisk_WP: yes, it would. 09:04 < ecrist> MarcWeber: tun/tap is a standard pseudo network interface. 09:06 < ecrist> HardDisk_WP: since you would probably be putting the openvpn server on your DHCP server machine/router, you wouldn't really need any additional config, other than in the server config to add a push statement for your LAN subnet. 09:06 < ecrist> as I was talking to illio above, you can't reliably use 192.168.0/23 across a VPN - too many conflicts. 09:07 < ecrist> so, you'd need to renumber your home LAN 09:07 < MarcWeber> http://rafb.net/p/r8Rj1D59.html I got this from the docs. But i still don't see what the "Network address" and "Broadcast address" are used for in /30 09:07 < vpnHelper> Title: Nopaste - No description (at rafb.net) 09:07 < HardDisk_WP> ecrist, that's doable, actually 09:07 < ecrist> and, on your dad's router, do a portforward rule to your server for udp port 1194 09:07 < HardDisk_WP> ecrist, my router is DMZ, so that's no prob 09:07 < ecrist> MarcWeber: read up on networking and how subnetting works. 09:07 < ecrist> then come back 09:08 < ecrist> ah, then that part is set. 09:08 < HardDisk_WP> ecrist, the DHCP server is my router, btw. 
the OpenVPN gate will be the NSLU 09:08 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Read error: 104 (Connection reset by peer)] 09:09 < ecrist> oh, then you'll need to add a static route on the LAN gateway for your VPN ips space 09:10 < ecrist> alternatively, you could run a bridged VPN, to avoid all the routing, but you still need to renumber your LAN 09:10 < HardDisk_WP> yep, then I'll go the bridged way. it isn't that hard to renumber three machines ^^ 09:12 < ecrist> @1918 09:12 < ecrist> !1918 09:12 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 09:13 < HardDisk_WP> i think i'll go with the 172.16 netmask, then. i have never seen this one in any hotspot or company LAN 09:13 < ecrist> generally, anything in 172.16/12 is OK. it seems common practice to use 192.168.0/23 for home routers, 10.0/16 for businesses, and 172.16/12 for VPNs 09:14 < HardDisk_WP> brb, mighta take me 10mins till every device on my net is renumbered properly 09:15 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has joined ##openvpn 09:16 -!- illio [n=illio@2808ds1-arve.0.fullrate.dk] has quit [Client Quit] 09:20 -!- BBishop [i=dexter@unaffiliated/blackbishop] has joined ##openvpn 09:22 -!- BBishop [i=dexter@unaffiliated/blackbishop] has quit [Client Quit] 09:24 < HardDisk_WP> re 09:25 < HardDisk_WP> ecrist, okay, laptop, nslu and router are renumbered and work properly 09:33 < HardDisk_WP> ecrist, what now? 09:36 < ecrist> did you setup a bridged vpn? 09:37 < MarcWeber> 16:10 < HardDisk_WP> yep, then I'll go the bridged way 09:42 -!- Flumdahl [i=n30@shell.auth.se] has quit ["reboot"] 09:52 < HardDisk_WP> ecrist, yep... http://pastebin.com/m7d233bb is the server.conf 09:53 < HardDisk_WP> but there's no server.key/server.pem in the /etc/ssl-admin/active 09:53 < ecrist> HardDisk_WP: did you create them? 
09:54 < ecrist> ssl-admin isn't 100% openvpn-specific, you need to create those certs. 09:54 < ecrist> there's an 'S' option in the menu 09:55 < ecrist> I'm actually setting up a bridged vpn for the first time, as we speak. 09:56 < HardDisk_WP> kk now there is mnslu. key/pem/crt files in active folder 09:56 < HardDisk_WP> set the crt and key file instead of server.key/crt 10:02 < ecrist> HardDisk_WP: I'm not going to walk you through every step.. there are tons of documents out there that do so already 10:03 < HardDisk_WP> kk 10:03 < HardDisk_WP> actually, the server started... let me see if it works as expected 10:14 < MarcWeber> ecrist Ok. I got that the network address is the lower bound of the "masked" ip range and that the broadcast is the upper bound of the ip range masked by the subnet mask. 10:15 < MarcWeber> I still don't know when the network address is used. I neither know when the broadcast is used within the p2p link. 10:18 < ecrist> MarcWeber: what's the purpose of your questions? 10:19 < ecrist> this isn't #OSI_101 10:19 < MarcWeber> Basically I just want to know how to configure openvpn. Still reading the man page.. 10:23 < ecrist> you're best off ignoring the small details. 10:33 < HardDisk_WP> ecrist: the vpn connection works from outside :) 10:34 < HardDisk_WP> now only one problem remains: i cant ping anything else from 172.16.1.x than my own 172.16.1.50 ip address. okay, this is likely due to I forgot bridging, but why can't I ping at least the VPN gate itself? 10:37 < HardDisk_WP> ecrist: in server.conf I stated server-bridge 172.16.1.4 255.255.255.0 172.16.1.50 172.16.1.100 10:37 < HardDisk_WP> but why can't I ping at least .1.4, then? 10:37 < HardDisk_WP> this shoulda be pingable even without bridging, right? 10:37 < HardDisk_WP> client-to-client and push "redirect-gateway def1 bypass-dhcp" are enabled 10:39 < ecrist> HardDisk_WP: firewall? 
11:19 < HardDisk_WP> ecrist, none that I know of 11:23 < HardDisk_WP> ecrist, actually there is no tun or tap device shown in ifconfig... 11:23 -!- lough [i=nn@ip68-97-0-203.ok.ok.cox.net] has joined ##openvpn 11:23 < lough> !logs 11:23 < vpnHelper> lough: "logs" is please pastebin your logfiles from both client and server with verb set to 6 11:23 < lough> !howto 11:23 < vpnHelper> lough: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:26 < lough> alright heres the error i get when using openvpn-gui 11:26 < lough> http://pastebin.com/m16024141 11:26 < lough> im assuming port 443 is in use by something on my computer but i dont see anything in netstat -a 11:27 < lough> it used to work but then it stopped working probably two weeks back. i cant think of what ive changed 11:30 < lough> !interface 11:30 < vpnHelper> lough: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 11:31 < HardDisk_WP> lough, 443 is HTTPS 11:31 < HardDisk_WP> do you have Azureus or Skype running?? 11:31 < HardDisk_WP> these two tend to use 443 sometimes 11:32 < lough> skype 11:32 < HardDisk_WP> ah yes. shut it down and then retry 11:33 < lough> ok perfect that did it 11:33 < ecrist> ping krzee 11:33 < krzee> werd 11:33 < ecrist> or krzie 11:34 < krzee> pong 11:34 < ecrist> hey, you had any problems with tunnelblick setting up two vpn connections on os x to two separate places? 11:34 < krzee> i only tried it 1x 11:34 < krzee> 2 years ago 11:34 < krzee> it crashed every time i started it, without fail 11:34 < ecrist> I'm getting an invalid password error, think it's for the mgmt interface 11:34 < krzee> so ive never actually used tunnelblick 11:34 < ecrist> yeah, that's what's happening to me. 
11:35 < lough> thank you HardDisk_WP 11:35 < krzee> i dont get why people use it at all 11:35 < HardDisk_WP> no problem :) 11:35 < krzee> i mean shit 11:35 < krzee> heres how i start openvpn 11:35 < ecrist> nm, might be a misconfig with my cert. 11:35 < ecrist> krzee: Tunnelblick is the sexy, Viscosity is even better. 11:36 < ecrist> but it's $9 or some shit 11:36 < MarcWeber> Any experiences whether compression should be enabled (700kbit/s) ? 11:36 < krzee> bigboy-2:~ Jeff$ cat /Applications/scripts/routed.command 11:36 < krzee> open "/Applications/Proxifier.app" 11:36 < krzee> sudo /usr/local/sbin/openvpn /Users/Jeff/vpn/routed.conf 11:36 < krzee> bigboy-2:~ Jeff$ 11:36 < krzee> so that is double-clickable 11:36 < krzee> then i tossed a shortcut to it in stacks 11:36 < krzee> and gave it a cool icon, www.ircpimps.org/pimpin.jpg 11:37 < krzee> screw a gui for something thats handled in 1 line of shell script 11:37 < krzee> (2 for me cause i proxify over it) 11:37 < ecrist> ah, that doesn't work so well for my end users, though. 11:37 < krzee> they dunno how to click? 11:38 < krzee> shit its easier than tunnelblick 11:38 < krzee> tunnelblick they have to click, then click to start 11:38 < krzee> mine you just click 11:38 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)] 11:38 < krzee> oh and type password (but same in tunnelblick too) 11:39 < krzee> and the password tunnelblick wants is to raise privs 11:39 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 11:39 < krzee> cause yanno, needs root to start 11:39 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn 11:40 < ecrist> RAWR 11:40 < krzee> MarcWeber, you can keep compression adaptive if you like 11:40 < krzee> MarcWeber, by samples of the data it'll decide how much to encrypt it 11:43 < ecrist> hrm. 11:44 < ecrist> my openvpn is looking for a passphrase. 
wtf 11:44 < HardDisk_WP> Crap, I can't bridge-start 11:44 < HardDisk_WP> Wed Apr 8 18:43:33 2009 Note: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16) 11:45 < krzee> ecrist, not your osx pw for raising privs? 11:45 < ecrist> no, something else 11:45 < ecrist> gotta figure it out 11:45 < krzee> odd 11:45 < krzee> !configs 11:45 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:45 < krzee> if you want 11:46 < krzee> another pair of eyes could help 11:47 < ecrist> sure, I think it's ssl-related, though 11:47 < krzee> ohh 11:47 < krzee> built cert wanting pw? 11:47 < krzee> start it manually 11:47 < krzee> take tunelgay outta the loop 11:49 < ecrist> did that, get error 11:49 < ecrist> http://pastebin.ca/1386170 11:49 < ecrist> http://pastebin.ca/index.php 11:50 < MarcWeber> krzee: Thanks. That's even the default. 11:50 < krzee> aye =] 11:50 * krzee holds himself back from the bridge questions cause he knows who hes talking to 11:50 < krzee> LOL 11:51 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 11:51 < ecrist> http://pastebin.ca/1386172 11:51 < ecrist> that's the error log, krzee 11:51 < krzee> verb 6 help? 11:52 < ecrist> wait one.. 11:53 < krzee> also 11:53 < krzee> client-connect /usr/local/etc/openvpn/client-connect.sh 11:53 < krzee> could that not be getting the right auth? 11:54 < krzee> also, could you not be giving it the right script-security? 11:54 < ecrist> http://pastebin.ca/1386179 11:54 < ecrist> krzee: no scripts it's pulling up. 11:56 < krzee> its pulling up client-connect 11:57 < krzee> Note that the return value of script is significant. If script returns a non-zero error status, it will cause the client to be disconnected. 11:57 < ecrist> I'm concerned with line 337 in the last log. 11:57 < ftp3> hey.. 
i am trying to automagically generate a openssh installer with the keys to email to my "people" :). I know that untangle does this, but i cannot find any tutorial or instructions.. anyone have any ideas for me? 11:57 < ftp3> so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it 11:57 < krzee> right, but im saying that could be why 11:57 < krzee> comment the client-connect 11:58 < krzee> see if it helps a 1time test 11:58 < krzee> ssl-admin will zip up their keys and openvpn config 11:58 < krzee> !ssl-admin 11:58 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 11:58 < ecrist> krzee: added script-security 3 to config, get same auth_failed control message 11:58 < krzee> but its not a windows thing 11:59 < krzee> try commenting client-connect 11:59 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has left ##openvpn [] 11:59 < MarcWeber> What happens with files in /etc/openvpn? I tried putting the files up down there (scripts setting up and removing nat) 11:59 < HardDisk_WP> argh 11:59 < MarcWeber> I got syntax error near "done" (part of my for loop) 11:59 < HardDisk_WP> since the bridge is up, openvpn cant connect anymore -.- 11:59 < ecrist> krzee: I was looking at the wrong thing. you're right 11:59 < ecrist> another set of eyes 11:59 < HardDisk_WP> Wed Apr 08 18:59:14 2009 Local Options hash (VER=V4): 'd79ca330' 12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 Expected Remote Options hash (VER=V4): 'f7df56b8' 12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 UDPv4 link local: [undef] 12:00 < HardDisk_WP> Wed Apr 08 18:59:14 2009 UDPv4 link remote: 93.104.114.155:1194 12:00 < ecrist> was looking at client side, not server side. 
12:00 < HardDisk_WP> and then it hangs 12:00 < krzee> ahh 12:00 < ecrist> removed those lines, starts up fine. 12:01 < krzee> werd 12:01 < ecrist> btw, freebsd openvpn bridging is SUPER easy 12:01 < MarcWeber> :-) It has been my init script.. 12:01 < HardDisk_WP> brb 12:01 < krzee> good im forwarding all bridge questions to you! 12:01 < krzee> lol 12:01 < ecrist> note the 'freebsd' qualifier in there. 12:01 < krzee> :-p 12:01 < ecrist> I'm going to be doing a write-up on the wiki this afternoon 12:02 < krzee> ahh nice 12:04 < ecrist> can't ping my server ip, but I'll work on it after lunch. bbiab 12:07 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:14 -!- taner [n=taner@f048039067.adsl.alicedsl.de] has joined ##openvpn 12:14 < taner> hi 12:16 < taner> how is to disconnect a vpn tunnel ? (command) 12:17 < ftp3> anyone have any thoughts on my question? 12:17 < krzee> kill 12:17 < krzee> (@ taner) 12:18 < krzee> you stop the application, it kills the vpn 12:18 < krzee> yes ftp3, i gave you my thoughts 12:18 < ftp3> ohhh, that was directed at me? 12:18 < ftp3> !ssl-admin 12:18 < vpnHelper> ftp3: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 12:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 12:18 < ftp3> right? 
12:18 < krzee> [12:57] so, if i need to create a new openvpn account key, etc for someone, i just want to run a script like "buildkey fred@home.com" and it will email fred his windows installer with his keys already in it 12:18 < krzee> [12:57] right, but im saying that could be why 12:18 < krzee> [12:57] comment the client-connect 12:18 < krzee> [12:58] see if it helps a 1time test 12:18 < krzee> [12:58] ssl-admin will zip up their keys and openvpn config 12:18 < krzee> [12:58] !ssl-admin 12:18 < taner> krzee: thank you 12:18 < krzee> right 12:18 < krzee> np taner 12:19 < ftp3> krzee, ok, i will check that out. Thanks 12:19 < krzee> np 12:19 < krzee> oh wait 12:19 < krzee> [13:18] [12:58] ssl-admin will zip up their keys and openvpn config 12:19 < krzee> [13:18] [12:58] !ssl-admin 12:19 < krzee> only that was at you 12:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:20 < ftp3> checking it 12:20 < krzee> what os will you use to make certs? 12:23 < ftp3> centos or debian 12:23 < krzee> cool 12:23 < krzee> use it from svn then 12:23 < krzee> ecrist and HardDisk_WP found/fixed debian bugs last night 12:25 < taner> how is to connect with different certs, so it runs in background ? "openvpn /../user.conf &" but then i will not be asked to password 12:25 < taner> linux 12:25 < krzee> you only get asked for a password under 2 conditions 12:26 < krzee> 1) you made it that way in the config by using pw auth 12:26 < krzee> 2) you made it that way when making the certs by password protecting them 12:26 < krzee> 3) you arent starting it as root and must elevate your privileges 12:26 < krzee> so make that 3 12:26 < ftp3> krzee: are there any docs for ssl-admin? 
I cant find anything 12:26 < krzee> runs in background is --daemon or add the word daemon to the config 12:26 < krzee> !ssl-admin 12:26 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 12:27 < krzee> link 1 is the most on web, man ssl-admin works too tho 12:28 < ftp3> krzee: i see, so that makes keys. .but that does not send a openvpn installer like I was talking about. correct? 12:28 < krzee> correct 12:28 < krzee> as i said 12:28 < krzee> ssl-admin will zip up their keys and openvpn config 12:29 < krzee> it will make them, sign them, and bundle it with their openvpn config 12:29 < krzee> thats the most i can help ya with 12:29 < krzee> but should be stupid simple to setup from there, could even make a batch file very simply to handle it from there 12:30 < taner> condition 2 12:30 < krzee> well taner 12:30 < ftp3> krzee :-) thanks 12:31 < krzee> either live with typing in the password, or dont make them that way 12:31 < krzee> of course you can strip the pw as well, it would be an openssl command 12:31 < taner> krzee: i have the certs with password 12:31 < krzee> ftp3, np 12:32 < krzee> was there some reason you thought you wouldnt need to interactively type in the password when you made your certs require passwords? 
12:34 < krzee> if you want to strip the password, try reading and understanding this page: 12:34 < krzee> http://www.informit.com/articles/article.aspx?p=30115&seqNum=4 12:34 < vpnHelper> Title: InformIT: Setting Up a Secure Apache 2 Server > Managing Certificates (at www.informit.com) 12:34 < krzee> same basic idea as far as removing the passphrase goes 12:34 < taner> thank you 12:34 < krzee> (or you could regen) 12:34 < krzee> np 12:36 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 12:37 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn 12:40 < HardDisk_WP> anyone of you really fit in debugging network problems? 12:40 < HardDisk_WP> NSLU w/ TCP openVPN is 172.16.1.9 @ port 1194 12:41 < HardDisk_WP> laptop in same LAN as NSLU can successfully telnet 172.16.1.9:1194 12:41 < krzee> !tcp 12:41 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:41 < HardDisk_WP> krzee, it's same prob with udp, only that I can test tcp connectivity with telnet 12:41 < HardDisk_WP> now, portforwarding for 1194 is correctly set to 172.16.1.9 on router 172.16.1.1 12:41 < krzee> and udp connectivity with nc 12:42 < HardDisk_WP> krzee, laptop is windows 12:42 < krzee> eww 12:42 < HardDisk_WP> but when I now connect laptop to outer router and then try to telnet 192.168.0.9:1149 it doesnt work 12:42 < krzee> go on 12:42 < HardDisk_WP> it can't connect from outside. 12:42 < krzee> firewall 12:43 < HardDisk_WP> it worked before, I changed nothing except some iptables stuff on 172.16.1.9 12:43 < krzee> ding ding ding 12:43 < HardDisk_WP> my router wasnt changed at all 12:43 < krzee> show HardDisk_WP what hes won! 12:43 < krzee> a neeeeeeew firewall ruleset! 12:43 < HardDisk_WP> krzee, to make stuff even better: iptables doesnt show any "forbidden"... 
http://pastebin.com/m56a26646 12:44 < krzee> im no linux guy 12:44 < HardDisk_WP> and especially, the NSLU only has one ethernet port. so why the hell can I connect from *inside* my router, but not via portforward?? 12:44 < krzee> but its either a firewall or NAT 12:44 < HardDisk_WP> mine is a NAT router, but has portforward for TCP and UDP 1149 set 12:45 < krzee> you say NAT is fine... so we know its firewall 12:45 < HardDisk_WP> but how could iptables on the NSLU affect this in any way? o_O 12:45 < HardDisk_WP> mh... lemme try something# 12:46 < krzee> dunno bro, you're the linux guy here 12:47 < krzee> !linfw 12:47 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 12:48 < krzee> or somethin 12:48 < krzee> (ive never used iptables in my life) 12:48 < krzee> ive used ipfw, ipf, pf 12:50 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 12:54 < ]Sintax[> pf ftw 13:01 < HardDisk_WP> ah, ic. 13:01 < HardDisk_WP> apparently something went wrong with bridging 13:03 < HardDisk_WP> i fucking hate bridging networks. 13:05 < ]Sintax[> hey krzee 13:13 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn 13:18 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has quit [Client Quit] 13:18 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has joined ##openvpn 13:20 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 104 (Connection reset by peer)] 13:20 -!- tharvey [n=tharvey@adsl-76-205-222-173.dsl.snlo01.sbcglobal.net] has joined ##openvpn 13:21 -!- taner [n=taner@f048039067.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 13:21 < tharvey> is it true to say that openvpn is fips-197? 
13:22 < tharvey> if I understand correctly fips-197 is the publication that specifies AES and simply requires AES-128, AES-192, and AES-256 - which OpenVPN support
13:26 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn
13:30 < krzee> the real question isnt about openvpn
13:30 < krzee> its about openssl
13:31 < krzee> openvpn doesnt handle its own encryption
13:31 < krzee> openssl handles it
13:33 -!- ystla [n=chatzill@97.66.75.162] has joined ##openvpn
13:34 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:40 < MarcWeber> I've a strange problem using openvpn: when scp file user@internet_server: scp stops at 100%.
13:44 < ystla> !howto
13:44 < vpnHelper> ystla: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:13 < ecrist> holy spooky http://www.collegehumor.com/video:1906578
14:13 < vpnHelper> Title: Disney Templates - CollegeHumor Video (at www.collegehumor.com)
14:16 < ]Sintax[> wow ecrist thats crazy hah
14:24 < HardDisk_WP> anyone here who is experienced in linux network interface bridging?
14:24 < ecrist> HardDisk_WP: there are how-to's on the openvpn site for those things.
14:25 < HardDisk_WP> ecrist, I followed the howto, that is the problem :D
14:25 < HardDisk_WP> as soon as I use this bridge-start script, the services on the machine become unusable by anything outside the NSLU's network
14:28 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn
14:31 < SpaceBass> hey folks
14:31 < SpaceBass> after a few days, I've managed to get a site to site tunnel working, but seem to be having problems with the routing
14:32 < SpaceBass> I cannot ping either side of the tunnel network
14:35 < ecrist> the vpn client cannot ping the vpn server address?
14:38 -!- eliasp [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."]
14:42 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
14:43 -!- eliasp [n=quassel@78.43.213.203] has quit [Client Quit]
14:44 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn
14:49 < SpaceBass> ecrist: its a ptp setup, neither side can ping the other
14:49 < ecrist> firewall
14:50 < SpaceBass> could be - thats part of what Im trying to determine
14:50 < SpaceBass> both of the endpoints are also the firewalls for the respective networks
14:50 < SpaceBass> seems to be a routing issue actually
14:53 < SpaceBass> here's what I dont get, when I try and ping the local side of the tunnel It errors out pinging an address up stream http://pastebin.ca/1386382
14:57 < ecrist> ROFLMFAO
14:57 < ecrist> SpaceBass: right in your log, it say 'Communication prohibited by filter'
14:57 < ecrist> what do you think that means?
14:58 < ecrist> I'll give you a hint, firewalls are considered packet filters, there's one, pf, which stands for packet filter.
14:58 < ecrist> so, reading that, my guess that you've a firewall issue still stands. :)
14:58 * ecrist goes away
14:59 -!- tharvey [n=tharvey@adsl-76-205-222-173.dsl.snlo01.sbcglobal.net] has left ##openvpn ["Leaving"]
14:59 < SpaceBass> ecrist: I got that, thanks... but still not sure its the issue
14:59 < ecrist> ok, disable all packet filtering, and try your ping
14:59 < SpaceBass> if that is the case, then rules engine of the firewall is broken
15:00 < ecrist> more often, it's the admin that's broken.
15:00 < SpaceBass> its setup as an any/any now - no filtering
15:00 < ecrist> must not be. those packets are being blocked by the firewall
15:00 < ecrist> the system is even telling you so
15:00 < ecrist> really have to leave now. l8r
15:02 < SpaceBass> not sure why I'm getting filter and TTL issues on a bogon address that is not part of my network
15:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 145 (Connection timed out)]
15:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
15:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:19 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"]
15:35 -!- hans67521 [n=jcputter@41.24.190.116] has joined ##openvpn
15:36 < hans67521> can someone please have a look at my openvpn config i have added a push route to the client but cant ping the lan
15:36 < hans67521> http://pastebin.com/m4362717f
15:38 < hans67521> here is my client config
15:38 < hans67521> http://pastebin.com/m475211f5
15:40 < hans67521> cant ping internal ip of server as well
15:42 -!- hans67521 [n=jcputter@41.24.190.116] has quit [Read error: 104 (Connection reset by peer)]
15:43 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has joined ##openvpn
15:43 < hans67521> hello
15:44 -!- M08w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 113 (No route to host)]
15:57 -!- felixthecat12 [n=jcputter@mail.centreweb.co.za] has joined ##openvpn
15:57 < felixthecat12> hello
15:57 < felixthecat12> what is the recommended mtu to use for openvpn server and client on tun device?
15:58 < krzie> !mtutest
15:58 < vpnHelper> krzie: Error: "mtutest" is not a valid command.
15:58 < krzie> !mtu-test
15:58 < vpnHelper> krzie: Error: "mtu-test" is not a valid command.
15:58 < krzie> bleh
15:58 < krzie> !mtu
15:58 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
15:58 < krzie> !learn mtu-test as you can just use --mtu-test on the client to see what the best mtu for your connection is
15:58 < vpnHelper> krzie: Joo got it.
16:10 -!- lough [i=nn@ip68-97-0-203.ok.ok.cox.net] has quit [Read error: 110 (Connection timed out)]
16:10 -!- lough [n=nn@ip-129-15-127-224.fennfwsm.ou.edu] has joined ##openvpn
16:12 -!- felixthecat12 [n=jcputter@mail.centreweb.co.za] has quit [Read error: 60 (Operation timed out)]
16:15 -!- hans67521 [n=jcputter@mail.centerweb.co.za] has quit [Read error: 113 (No route to host)]
16:21 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 113 (No route to host)]
16:22 -!- ystla [n=chatzill@97.66.75.162] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
16:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:44 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:48 -!- c64zottel [n=hans@p5B17B39F.dip0.t-ipconnect.de] has left ##openvpn []
16:49 < HardDisk_WP> krzie, fixed the connectivity problem :)
16:49 < HardDisk_WP> problem was
16:49 < HardDisk_WP> the bridge-start script DID NOT SET A FUCKING GATEWAY!
16:49 < HardDisk_WP> so the tcp connection init packets arrived at the NSLU
16:49 < HardDisk_WP> but could not be sent back!
16:51 < HardDisk_WP> so no connection coulda ever be established.
16:51 < HardDisk_WP> brb
16:56 < krzie> ohhh right
16:56 < krzie> i forgot about that
16:56 < krzie> i havnt bridged in a couple years
16:59 < HardDisk_WP> re
17:00 < HardDisk_WP> krzie, do you have write access to the OpenVPN docs?
17:00 < krzie> neg
17:00 < krzie> nobody here does
17:00 * krzie points to the double #
17:00 < HardDisk_WP> Crap =)
17:00 < krzie> but, the dev maillist is the place for that
17:00 < krzie> !dev
17:00 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
17:04 -!- lough [n=nn@ip-129-15-127-224.fennfwsm.ou.edu] has quit []
17:10 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn
17:41 < HardDisk_WP> krzie, one problem still remains, though: push "redirect-gateway def1 bypass-dhcp" doesnt work - a traceroute shows the packets still go through the primary ethernet port of the laptop, but not through the VPN
17:49 < krzie> you're not using a routed setup
17:49 < krzie> its on the same network, just change the routes manuallt
17:49 < krzie> manually
17:50 < krzie> read how that works and you'll likely see why its not for bridged (i believe its not)
18:11 < HardDisk_WP> ah okay
18:47 -!- gebi_ [n=gebi@84-119-54-65.dynamic.xdsl-line.inode.at] has joined ##openvpn
19:00 -!- gebi [n=gebi@84.119.81.184] has quit [Read error: 110 (Connection timed out)]
19:32 < ]Sintax[> krzie and krzee = same person?
19:33 < krzie> aye
19:33 < krzie> i his him and he is me
19:33 < krzie> err
19:34 < krzie> i is him and he is me
19:34 < ]Sintax[> i'm almost done with setting these two boxes up so far
19:34 < ]Sintax[> finally
19:35 < ]Sintax[> on the wiki for openvpn_server, it mentions in the openvpn config file, "push route x.x.x.x x.x.x.x", is this needed or not? because in the other file it links to "openvpn.configs" its missing that
19:36 -!- gebi_ is now known as gebi
19:41 < krzie> my sample configs were not for default routing through the tunnel
19:41 < ]Sintax[> ah
19:42 < ]Sintax[> do i basically want to have the same files on both machines? all the keys i generated on one machine and the configs?
19:42 < ]Sintax[> thats about all i have left to do
19:42 < krzie> look at the howto
19:42 < krzie> it tells you what cert files go where
19:43 < krzie> !howto
19:43 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:45 < ]Sintax[> hmmm quite a bit different than the other tutorial i was reading
20:01 < krzie> most tutorials i see seem to think everyone should be on a bridge too
20:01 < krzie> which is very very wrong
20:05 < ]Sintax[> what is ipp.txt for?
20:05 < ]Sintax[> i see it in your config file
20:07 < krzie> !ipp
20:07 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
20:07 < ]Sintax[> i think i've made a big mess now
20:07 < krzie> you know the manual tells you everything too, right?
20:08 < ]Sintax[> well the manual doesnt seem to work very well with OpenBSD nor does the other guide :-\
20:09 < krzie> you could always try an OS that is compatible with actually running programs
20:10 < ]Sintax[> yeah might have to do that until i at least get the hang of setting up openvpn normally
20:23 -!- Randune [n=Miranda@CPE002129686737-CM001bd7a862f2.cpe.net.cable.rogers.com] has joined ##openvpn
20:23 < Randune> hi all
20:24 < Randune> !howto
20:24 < vpnHelper> Randune: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:24 < Randune> !route
20:24 < vpnHelper> Randune: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:30 < Randune> I have a question about openvpn that I can't seem to find in the howto
20:31 < Randune> I wish to use my remote OpenVPN server as a default gateway when I am connected to it remotely
20:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:31 < Randune> I've added the necessary iptables rules I think
20:31 < Randune> but I cannot connect.
20:31 < Randune> iptables -i tun0 -j ACCEPT
20:32 < Randune> iptables -A -i tun0 -j ACCEPT
20:32 < Randune> iptables -A INPUT -i tun0 -j ACCEPT
20:32 < Randune> that's it..the last one:)
20:32 < Randune> iptables -A OUTPUT -o tun0 -j ACCEPT
20:32 < Randune> I can connect to the VPN..but I cannot access the ssh server on the openvpn box
20:33 < Randune> anyone have any ideas?
20:34 < krzie> make sure ssh is running on the vpn ip as well
20:34 < krzie> ie: *:22
20:34 < krzie> then connect to it via vpn ip
20:35 < Randune> right..sshd is listening on all interfaces
20:35 < Randune> but I still cannot connect to it
20:36 < Randune> if I allow all the traffic through tun0 it should connect should it not?
20:37 < Randune> I have established a route on the remote windows box
20:37 < Randune> so it knows how to get to my LAN remotely
20:37 < Randune> maybe iptraf would show something..I'll try it
20:38 < krzie> i dont use iptables
20:38 < krzie> but i can tell you this...
20:38 < krzie> !linfw
20:38 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
20:40 < Randune> k..I will try that..thanks.
20:40 -!- Randune [n=Miranda@CPE002129686737-CM001bd7a862f2.cpe.net.cable.rogers.com] has left ##openvpn []
22:12 -!- cmb [n=cmb@pfsense/coreteam/cmb] has quit []
22:22 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
22:28 < theDoc> Is it possible to be sniffing a users traffic on the vpn server itself or does it stay encrypted?
22:32 < krzie> !irclogs
22:32 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
22:35 < krzie> !factoids search nat
22:35 < vpnHelper> krzie: 'bsdnat', 'nat', and 'linnat'
22:36 < krzie> !factoids search bsd
22:36 < vpnHelper> krzie: 'bsdnat', 'freebsd', 'fbsdbridge', 'fbsdjail', and 'obsdtap'
22:37 < krzie> !learn bsdipforward as set gateway_enable="YES"
22:37 < vpnHelper> krzie: Joo got it.
22:37 < krzie> !forget bsdipforward
22:37 < vpnHelper> krzie: Joo got it.
22:37 -!- TheDox [n=jcase@voip.sysadmins.com] has joined ##openvpn
22:37 < krzie> !learn bsdipforward as set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
22:37 < vpnHelper> krzie: Joo got it.
22:37 < TheDox> ok krze
22:37 < TheDox> ok here
22:37 < krzie> sup dox
22:37 < krzie> here you go...
22:37 < krzie> !sample
22:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:37 < krzie> thats a basic config
22:37 < krzie> to redirect over the vpn you want:
22:37 < krzie> !def1
22:37 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:38 < krzie> but then you need:
22:38 < krzie> !linnat
22:38 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
22:38 < krzie> !bsdnat
22:38 < vpnHelper> krzie: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
22:38 < krzie> (depending on os)
22:38 < krzie> and also:
22:38 < krzie> !linipforward
22:38 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
22:38 < krzie> !bsdipforward
22:38 < vpnHelper> krzie: "bsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
22:38 < krzie> (depending on os)
22:39 < krzie> so basically, you use redirect-gateway def1 to redirect your gateway over the VPN
22:39 < TheDox> ah ok
22:39 < krzie> then the vpn server must have ip forwarding enabled, and NAT your VPN network
22:39 < krzie> and thats that
22:39 < krzie> for managing your certs, i highly recommend this:
22:40 < krzie> !ssl-admin
22:40 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
22:40 < krzie> its far better than easy-rsa which is the scripts ovpn comes with
22:40 < TheDox> ever use it with ubuntu? we run freeBSD no, but im planning on grabbing another box just for the vpn
22:40 < TheDox> and ubuntu i know better
22:40 < krzie> sure
22:41 < krzie> tons of people use ovpn with ubuntu
22:41 < krzie> me and the guy who made ssl-admin use freebsd
22:41 < krzie> but he (ecrist) is very active in here so if theres a problem we'd prolly wanna figure it out to fix it
22:42 < TheDox> k
22:42 < krzie> speaking of which, openbsd has a gay version of sed so i need to re-mod the configure/makefile sometime soon when i get a chance =/
22:43 < TheDox> yes openbsd appears to be gay
22:43 < TheDox> i hate nick registry services
22:43 < krzie> hah we used to only allow people in here when they're registered
22:43 < TheDox> o
22:44 < krzie> but we loosened that up a couple months ago
22:44 < TheDox> why
22:44 < krzie> *shrug* kept trolls out
22:44 < TheDox> o
22:44 < krzie> and overly lames
22:44 < krzie> if you cant figure out nickserv you shouldnt be running an openvpn ;]
22:47 -!- cmb [n=cmb@pfsense/coreteam/cmb] has joined ##openvpn
22:47 < krzie> but i must say
22:47 < krzie> openvpn is FAR less complicated than zabbix
22:48 < TheDox> i can figure it out ez
22:48 < TheDox> i just dont like nickserv
22:48 < krzie> oh for sure i know
22:48 < krzie> i wasnt talking bout you
22:48 < krzie> was a blanket statement
22:48 < krzie> oh and also
22:48 < krzie> if you decide you want access to your lan over the vpn
22:48 < krzie> !route
22:48 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:49 < krzie> theres the writeup i made on that
22:54 < krzie> *detached*
22:54 < theDoc> Is it possible to be sniffing a users traffic on the vpn server itself or does it stay encrypted?
22:55 < TheDox> sniff the outgoing and incoming
22:56 < TheDox> has to decrypt before going out heh
23:10 < krzee> umm
23:10 < krzee> what do you mean
23:10 < krzee> like if the server was owned could they sniff?
23:10 < krzee> or could someone MITM you
23:25 < krzee> theDoc
23:26 -!- Sinky_ [n=stancho@78.90.99.168] has joined ##openvpn
23:26 < krzee> pls refine the question for me to answer it right
23:36 -!- Sinky [n=stancho@78.90.99.168] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Thu Apr 09 2009
00:00 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:18 < krzee> hahahah
01:18 < krzee> heres an email from the freeswitch maillist
01:18 < krzee> Hi Guys,
01:18 < krzee>
01:18 < krzee> I'm no Linux guru, but today I inadvertently had 1000+ call attempts going through FS, load according to TOP was 16.5. Calls were still absolutely perfect. Can I throw out the rule book on load ? CPU was ~45% on each core. (dual)
01:18 < krzee>
01:18 < krzee> Regards,
01:18 < krzee>
01:18 < krzee> i'd like to see asterisk do THAT
01:18 < krzee> you will NEVER see that message in an asterisk place
02:19 < dazo> theDoc: if you sniff the traffic on the tun/tap device, and the traffic going inside the tunnel is unencrypted, then yes, you would see the traffic in clear text ... and that's often why you want the VPN tunnel to do the encryption initially
02:20 < krzee> yup
02:21 < krzee> and if someone is bridged into your network, they can sniff over your switch with arp poisoning just like if they were plugged in
02:21 < krzee> and if they are on the same lan as you, they cant sniff your connection
02:21 < krzee> as long as you followed:
02:21 < krzee> !mitm
02:21 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
02:22 < krzee> same with if they are anywhere else in the middle
02:22 < krzee> wassup dazo
02:23 < dazo> krzee: back at work .... :-P
02:23 < dazo> krzee: u?
02:23 < krzee> smokin some hash playing with zabbix
02:23 < krzee> someone here recommended it when i was bout to checkout narios, glad they did
02:23 < krzee> err
02:24 < krzee> nagios
02:24 < krzee> turns out nagios couldnt just test with a ping, which is what i needed... zabbix does
02:24 < krzee> bout to whip up shell scripts to fire off when conditions are met
02:25 < dazo> aha ... I know nagios get a lot of attention, but I haven't tested it myself .... I probably should setup something like this on one of my sites
02:25 < dazo> nice
02:25 < dazo> zabbix is OSS?
02:25 < krzee> ya GPL
02:26 * dazo decided to look at that one as well now
02:30 < kraut> moin
02:30 < krzee> moin
02:32 * dazo should probably not do any sysadmin work yet when he begins to look for package files under /var/log ....
02:33 < krzee> haha
02:36 -!- Sinky [n=stancho@78.90.99.168] has joined ##openvpn
02:40 < dazo> just skimmed the Zabbix doc .... _that_ looks interesting ....
02:42 < theDoc> I'm testing out zabbix ;p
02:42 < krzee> hehe werd
02:42 < krzee> thedoc, was that you who mentioned it?
02:43 < theDoc> No ;)
02:43 < krzee> haha werd
02:53 < dan__t> %#@%@!#%#^!@#$
02:53 < dan__t> dazo, did you look under ~/ ?
02:54 < dazo> heh ... I knew I needed to look under /usr/portage .... and I type /var/log ..... so, it's just too early in the morning for me :-P
02:54 < reiffert> coffee++
02:54 * dazo don't like coffee .....
02:55 -!- Sinky_ [n=stancho@78.90.99.168] has quit [Connection timed out]
02:55 < theDoc> I spy a gentoo user.
02:55 < reiffert> amphetamine++
02:55 < dazo> theDoc: that's correct ;-)
02:55 < theDoc> dazo: Very good distro for learning, horrible for production.
02:55 < theDoc> Since most of us in production don't have ridiculous amounts of time for compiling ;)
02:56 < dazo> reiffert: I live now in a country where even white caffeine is considered to be a bad drug .... not sure I can manage the amphetamine then :-P
02:57 < dazo> theDoc: I've been using Gentoo in production environments since 2005 ... yeah, upgrades takes longer time ... but I really have 100% control over everything ... and I don't get a bunch of "default installed packages" which I would never use in production ... I know exactly what's installed and why
02:58 < theDoc> dazo: Yes, I can see that coming from a sysadmin, I'm a net engineer by nature ;p
02:58 < theDoc> I don't have that load of time to be figuring out cryptic look stuff from the lines of code ;)
02:59 < krzee> thedoc, compiling doesnt take long
02:59 < krzee> in the big picture
02:59 < reiffert> dazo: where is that country and what its name?
02:59 < krzee> setup a server right and you dont need to compile stuff much once its how it should be
02:59 < dazo> reiffert: so you didn't figure it out with your CTCP TIME requests? :-P .... I'm in Czech
03:00 < krzee> gentoo is the linux with the most bsd feel
03:00 < krzee> at least thats what i thought when i used it
03:00 < reiffert> dazo: I couldnt, not even after identifying mysqlf to the nickservices :)
03:01 < dazo> krzee: I think even the crux distro might be even closer .... as it even has /usr/ports and the ports command ;-)
03:01 < dazo> mysqlf .... oh dear ..... reiffert is a geek :-P
03:02 < krzee> nvr seen crux
03:02 < reiffert> hehe mysqlf
03:02 < reiffert> rotfl
03:03 < reiffert> time for getting some coffee
03:03 < dazo> krzee: I'm not sure I would recommend it for production .... when I tried it some years ago, it was nice and easy to install, but maintenance is a hassle and not too well up-to-date on packages
03:04 < krzee> doesnt sound much like fbsd
03:06 < dazo> krzee: crux is just another distro to the already overfilled distro pool .... while *bsd is not that many and therefore you have more users who put a bigger demand to it being updated
03:06 < krzee> yup
03:07 < krzee> and its easy to admin/has great features/ and easy maintenance
03:07 < dazo> mm
03:08 < dazo> Unfortunately, Gentoo is also losing the pace it once had .... so I'm wondering what to do on the next server needing an install ....
03:08 < dazo> *BSD has crossed my mind
03:10 < krzee> if gentoo is your fav linux you may find yourself really liking fbsd
03:10 < krzee> s/iptables/pf/
03:10 < krzee> +CARP
03:10 < dazo> Yeah ... But I can write iptables rules asleep without doing any mistakes ....
03:10 < dazo> CARP?
03:11 < krzee> =]
03:11 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/carp.html
03:11 < vpnHelper> Title: Common Access Redundancy Protocol (CARP) (at www.freebsd.org)
03:13 < krzee> oh and MAC
03:13 < krzee> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mac.html#MAC-SYNOPSIS
03:13 < vpnHelper> Title: Mandatory Access Control (at www.freebsd.org)
03:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:14 < dazo> krzee: MAC sounds like SELinux, though
03:14 < dazo> CARP looks neat
03:14 < krzee> portaudit stays pretty up to date and stops you from installing ports with known security vulns
03:14 < krzee> and adds a portion to your nightly emails telling you any installed ports with known issues
03:15 < krzee> jails
03:15 < dazo> hmmmm .... I need to give it a shot on a test box at least ...
03:15 < krzee> (put your webserver on its own read-only filesystem with its own separate memory if you like)
03:18 < krzee> ZFS rocks my home NFS, and will be BADASS when its done being experimental
03:20 < dazo> ZFS sounds promising .... but I don't like CDDL license it uses :(
03:20 < krzee> ya
03:20 * dazo is picky about licences ... but not as badly as Mr. Stallman :-P
03:20 < krzee> i thought it was gunna be re-made to be BSD
03:20 < dan__t> hi.
03:20 < dan__t> a/s/l
03:20 < krzee> h/a/s/h
03:21 < dazo> j/e/r/k
03:21 < dan__t> HEH!
03:24 < krzee> dan__t, ever fully finish your setup?
03:26 < dan__t> i was spending some good time on it
03:27 < dan__t> a friend of mine called me up, said she got pulled over, the cop found out she had a glass of wine earlier. she blew a .08
03:27 < dan__t> So I had to go get a friend and pick her and her car up blah blah blah. I just got back.
03:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
03:30 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
03:32 < krzee> umm
03:32 < krzee> the cop 'found out'?
03:32 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
03:32 < krzee> and
03:32 < krzee> .08 > a glass of wine
03:33 < krzee> ESPECIALLY earlier
03:33 < krzee> but werd
03:34 < reiffert> it's a she.
03:37 < krzee> even if its a 90lb she
03:39 < reiffert> "I said to him: just one glass of wine"
03:39 < reiffert> And I forgot to mention the other 3 glasses
03:39 < dan__t> she's about 90lbs.
03:40 < dan__t> Bet the cop was just trying to get her number.
03:40 < dan__t> Shit, I would have.
03:46 < krzee> exactly reiffert
03:46 < krzee> i figured if i told him i drank 1 he would trust me and not do his job versus me keeping my mouth shut and hoping he went away
03:46 < krzee> is what that sentence meant to me
03:47 < krzee> hehe
03:49 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
03:57 < Bushmills> wine?
03:57 * Bushmills raises an ear
03:59 < theDoc-> ergh.
03:59 < theDoc-> Anyone up for helping me take a look at fedora's setup of cacti?
04:00 < theDoc-> I have it running on gentoo but for some reason, I seem to be missing something in fedora
04:00 < theDoc-> ;(
04:00 < dan__t> Been a while since I've used Cacti....
04:00 < dan__t> What part is broken?
04:00 < theDoc-> dan__t: I can't seem to get to my index.php to start configuring cacti on the web browser.
04:00 < theDoc-> Keeps throwing up the no permission ;(
04:01 < theDoc-> [thedoc@antares include]$ ls -lah | grep config.php
04:01 < theDoc-> lrwxrwxrwx 1 root root 17 2009-04-08 23:54 config.php -> /etc/cacti/db.php
04:01 < dan__t> Like a 403 or what
04:01 < krzee> ls -l /etc/cacti/db.php
04:01 < theDoc-> [thedoc@antares include]$ ls -lah /etc/cacti/db.php
04:01 < theDoc-> -rw-r--r-- 1 cacti apache 1.9K 2009-04-09 00:50 /etc/cacti/db.php
04:01 < dan__t> cat /etc/httpd/conf.d/cacti.conf
04:01 < dan__t> Allow From, Deny From etc etc
04:01 < krzee> ls -l /etc/|grep cacti
04:02 < theDoc-> Oh wtf, I don't have a /etc/httpd/conf.d/cacti.conf
04:02 < theDoc-> ;o
04:02 < theDoc-> [thedoc@antares include]$ ls -l /etc/cacti
04:02 < theDoc-> total 4
04:02 < theDoc-> -rw-r--r-- 1 cacti apache 1929 2009-04-09 00:50 db.php
04:02 < krzee> umm
04:03 < krzee> not what i asked for, seen that already
04:03 < krzee> ls -l /etc/|grep cacti
04:03 < theDoc-> [thedoc@antares conf.d]$ ls -l /etc/|grep cacti
04:03 < theDoc-> drwxr-xr-x 2 root root 4096 2009-04-08 23:54 cacti
04:03 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has joined ##openvpn
04:03 < theDoc-> Oh heh, I found out where.
04:03 < krzee> ok i was thinking maybe you had taken x from the dir
04:04 < theDoc-> DENY from all
04:04 < theDoc-> >_>
04:04 < theDoc-> Sorry ;p
04:04 < Gruelius> Hi, can i ask about routes here? or strictly openvpn questions
04:04 < krzee> is it openvpn related routes?
04:04 < Gruelius> yes
04:04 < krzee> or like "how do i use ospf"
04:04 < Gruelius> the routes to access subnets behind the client and openvpn server
04:04 < krzee> !route
04:04 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:04 < krzee> i made a writeup for ya
04:04 < Gruelius> cheers
04:05 < krzee> =]
04:05 < Gruelius> i think ive got the right routes set but cant ping anything so i guess back to the books
04:05 < krzee> you'll know after that
04:05 * krzee bets he knows what part it'll click for you at
04:07 < Gruelius> yeah i think i need to add the routing to the pc's behind the openvpn server
04:07 < krzee> their default gateway (router)
04:08 < krzee> its explained right under the picture
04:08 < krzee> in detail
04:08 < krzee> including the explanation of exactly whats going on in your situation
04:08 < theDoc-> Hm, this is odd.
04:09 < theDoc-> my /cacti directory via http is blank!
04:09 < Gruelius> krzee: push "route 10.1.1.0 255.255.255.0" that gives all clients the route for the 10.1.1.0./24 subnet
04:10 < krzee> theDoc-, directoryindex in http.conf have index.php?
04:10 < Gruelius> the vpn clients get assigned ip's 10.0.0.x
04:10 < krzee> so?
04:10 < Gruelius> would the pc's in the 10.1.1.x subnet need a route for the 10.0.0.x ip's?
04:11 < theDoc-> krzee: Not sure, checking.
04:11 < krzee> Gruelius, its explained right under the picture
04:11 < krzee> easiest is to add the route back to their router
04:12 < Gruelius> kk
04:12 < krzee> if you CANT, you must add one to every machine behind the vpn-endpoint which should be able to communicate to/from vpn
04:12 < krzee> but they already default route to that router
04:12 < Gruelius> kk
04:12 < krzee> so just add it there
04:12 < krzee> as it explains in detail
04:12 < Gruelius> ahh add the route in the router
04:12 < Gruelius> gotcha
04:13 < krzee> READ IT DONT SKIM IT
04:13 < krzee> you'll understand
04:13 < Gruelius> yeah im reading
04:19 < theDoc-> krzee: No dice, I've checked httpd.conf
04:20 < krzee> turn on indexes
04:21 < theDoc-> krzee: I just tested, if I throw the entire cacti bunch of files into /var/www/html, I'm just getting a blank page.
04:21 < theDoc-> It's probably httpd.conf fucking up somewhere.
04:22 < theDoc-> Do I have to compile php support for that like gentoo?
04:22 < krzee> if php is compiled, you need to tell httpd about it
04:22 < theDoc-> ahh.
04:22 < krzee> ports should toss in the module for you
04:22 < krzee> but thats all
04:22 < krzee> its not the OS, its the software
04:23 < krzee> apache and php
04:23 < theDoc-> Sorry, new to this fedora core
04:23 < krzee> ive never used it
04:23 < krzee> had to do a thing or 2 to help a close friend once, so glad i dont use it
04:24 < theDoc-> ahh. No probs
04:24 < theDoc-> I'll tinker with this a little more
04:53 -!- theDoc- is now known as theDoc
04:58 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:02 < Gruelius> krzee: ive added the routes but i still cant get it to work, im also a bit confused about the virtual device
05:02 < krzee> why confused?
05:03 < Gruelius> its got an inet addr and a P-t-P addr ,which one do i use for the routing (on the server itself) 05:03 < krzee> show me 05:03 < Gruelius> http://www.pastebin.ca/1386961 <- routing table on the openvpn server 05:04 < krzee> ifconfig 05:04 < Gruelius> ifconfig http://www.pastebin.ca/1386962 05:04 < krzee> ok and which do you put where? 05:04 < Gruelius> one vpn client has been given the address 10.2.1.6 05:04 < krzee> right 05:04 < Gruelius> so with those routes (created by openvpn) 05:04 < krzee> !/30 05:04 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:05 < krzee> the client with .6 is routing to .5 which is actually internal to openvpn 05:05 < krzee> it was their workaround 05:05 < krzee> you can read why in !topology 05:05 < krzee> ok and which IP do you put where? 05:06 < Gruelius> i tried making routes without sucess, but shouldnt i be able to ping that addr from the server itself? 05:06 < Gruelius> the client 05:07 < krzee> what routes 05:07 < krzee> where 05:07 < krzee> if you arent specific i cant help you 05:07 < Gruelius> http://www.pastebin.ca/1386961 05:07 < Gruelius> thats the routing table on the server 05:07 < krzee> i saw that 05:07 < Gruelius> the client connected to the server getting a IP of 10.2.1.6 05:07 < krzee> wasnt my question 05:07 < krzee> so!? 05:07 < Gruelius> but i cant ping it from the server itself 05:08 < Gruelius> but i thought those routes were the right ones 05:08 < krzee> what routes did you try to mess with? 
05:08 < krzee> with NO routes added pinging that will work 05:08 < krzee> openvpn knows what basic routes to add 05:08 < krzee> you only need to add routes for extra stuffs 05:08 < Gruelius> well i tried adding 10.2.1.0 10.2.1.1 255.255.255.0 and that didnt work 05:08 < krzee> !configs 05:08 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:08 < krzee> why would you do that? 05:09 < krzee> openvpn knows what its doing 05:09 < krzee> you're just gunna break it 05:09 < Gruelius> yeah 05:09 < Gruelius> cause pinging it doenst work 05:09 < Gruelius> with no routes added 05:09 < Gruelius> like with that table i posted before i cant ping it 05:10 < krzee> [05:10] the vpn clients get assigned ip's 10.0.0.x 05:10 < krzee> now 10.2.1.x ...? 05:10 < Gruelius> i changed it 05:10 < krzee> !configs 05:10 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:10 < Gruelius> to see if the routing table would change 05:10 < Gruelius> 1 sec 05:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:12 < Gruelius> http://pastebin.com/m6d157d6c 05:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Success] 05:27 < reiffert> krzee: any idea how I tell OS X: what ever I type in a terminal.app window, treat it as iso-8859-15 and *NOT* as utf-8? 05:28 < krzee> only term? 
05:29 < reiffert> hm, global setting might do as well 05:34 < krzee> system prefs 05:34 < krzee> international 05:34 < krzee> something in lang or input menu maybe 05:35 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has quit [Read error: 104 (Connection reset by peer)] 05:35 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has joined ##openvpn 05:46 < reiffert> German is Unicode only there 05:46 < reiffert> When I switch to american roman style I dont have the Umlauts 05:46 < reiffert> which I need 05:46 < reiffert> Which is what I need 05:46 -!- Gruelius [n=Julius@60-241-89-235.static.tpgi.com.au] has left ##openvpn ["Leaving"] 05:48 < reiffert> hm, lets try with .inputrc magic 05:48 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 05:48 < reiffert> convert meta stuff 05:48 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn 05:50 < krzee> you just need 1 char? 05:50 < krzee> and wont be using it often? 05:51 < krzee> if so, make a lil script to printf it, and make it named u or something, then you can `u`se it like that 05:51 < krzee> lol 05:51 < krzee> ugly but functional 05:52 < reiffert> I need all german umlauts in iso-8859-15 05:52 < reiffert> For quite some time now. Have to write some texts 05:53 < reiffert> difference between unicode and 8859-15 is: two bytes vs. one byte 05:53 < krzee> werd 05:53 < krzee> i have no idea what an umlaut is 05:53 < krzee> haha 05:53 < reiffert> uaoUOA with two dots above them 05:53 < krzee> ahh 05:53 < krzee> ? 05:53 < krzee> like that? 05:53 < krzee> alt+u u 05:54 < reiffert> I cant see them here, irssi on screen sucks ass with special chars 05:54 < reiffert> "u 05:54 < krzee> yup 05:54 < krzee> ? 
05:54 < krzee> alt+u a 05:54 < reiffert> but in principle alt+u u gives me a two byte unicode 05:54 < krzee> etc etc =] 05:54 < reiffert> 0x303 0x274 05:54 < krzee> i dunno anything bout that 05:54 < reiffert> sorry, \303\274 05:54 < reiffert> octal 05:54 < krzee> i just know i made that char 05:54 < krzee> hehe 05:55 < krzee> ? 05:55 < krzee> ? 05:55 < krzee> it works for all of them for my display 05:55 < reiffert> 196 on http://en.wikipedia.org/wiki/ISO/IEC_8859-15 05:55 < vpnHelper> Title: ISO/IEC 8859-15 - Wikipedia, the free encyclopedia (at en.wikipedia.org) 05:55 < reiffert> 214 05:55 < reiffert> 220 05:55 < reiffert> and so on. One Byte chars. 05:56 < reiffert> -15 also knows as latin9 05:56 < krzee> ? 05:56 < krzee> thats the image from 196 for me 05:56 < krzee> thats all i know, how to make the char you said 05:57 < krzee> if its the wrong bytes internally, i dunno 05:57 < krzee> but you said a char, i made it on my display =] 05:57 < krzee> 214 - ? 05:57 < reiffert> how can I see all available localezucker:~ ute$ locale -a |grep -i de 05:57 < reiffert> zucker:~ ute$ locale -a |grep -i de 05:58 < reiffert> de_DE 05:58 < reiffert> de_DE.ISO8859-1 05:58 < reiffert> de_DE.ISO8859-15 05:58 < reiffert> de_DE.UTF-8 05:58 < krzee> 220 - ? 05:58 < reiffert> zucker:~ ute$ export LC_CTYPE de_DE.ISO8859-15 05:58 < reiffert> -bash: export: `de_DE.ISO8859-15': not a valid identifier 05:58 < reiffert> wtf? 05:58 < krzee> ild man locale 06:15 < reiffert> 13:13 <@rorx> reiffert: the inspector.. 
Command-i 06:15 < reiffert> display 06:15 < reiffert> charecter set encoding 06:16 < reiffert> sigh sigh sigh 06:16 < reiffert> #macosx 06:17 < krzee> cool 06:17 < krzee> i can rename the title from there tooo 06:19 < reiffert> jup 07:09 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 110 (Connection timed out)] 07:11 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ]Sintax[, kraut, Typone 07:12 -!- Netsplit over, joins: vlt, ]Sintax[, kraut, Typone 07:29 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has left ##openvpn ["Leaving"] 07:29 -!- dazo [n=dazo@nat/redhat/x-c507256ee2b67d96] has joined ##openvpn 07:47 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 08:07 < SpaceBass> morning folks 08:07 < ecrist> howdy 08:07 < SpaceBass> I have established a tunnel b/t two gateways. On each gateway I can ping the remote site of the tunnel, but not the local 08:07 < ecrist> fix your firewall? 08:07 < SpaceBass> ecrist: I'm making progress :D 08:08 < SpaceBass> ecrist: thats my goal, just not sure how to trouble shoot 08:08 < ecrist> !iptables 08:08 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 08:09 < SpaceBass> ecrist: this box is using PF ... and configuring it manually is a challenge (not impossable though) 08:09 < ecrist> ah, pf is great. 08:09 < SpaceBass> I'm running the PFsense router/firewall/nat distro ... its nice indeed 08:10 < ecrist> so, you can ping the VPN ip of the server, but you can't ping your own VPN ip? 
08:10 < SpaceBass> and I'd like to think I have a basic understand, but far from an expert 08:10 < SpaceBass> yeah so if the tunnel is 192.168.123.1 --> 192.168.123.2 I can ping 192.168.123.2 08:11 -!- mtoledo` [n=user@c906c009.virtua.com.br] has joined ##openvpn 08:11 < ecrist> the other is virtual, SpaceBass 08:11 < ecrist> it doesn't *really* exist 08:11 < ecrist> so, in short, quit trying to ping it 08:11 < SpaceBass> ah! well that helps :D 08:12 < SpaceBass> Still, Network A can ping resources on Network B but not viceversa 08:12 < SpaceBass> checking the routes now 08:13 < ecrist> well, that still sounds like firewall 08:13 < ecrist> is pf doing nat for you? 08:13 < SpaceBass> which appears to be the problem... Gateway B has networkA/24 using its own upstream gateway, not the VPN 08:13 < SpaceBass> ecrist: yes, doing nat with PF 08:15 < SpaceBass> ok - manually added the route: route add 10.1.1.0/24 192.168.123.1 08:15 < ecrist> the problem with running something like pfsense, is you don't *really* know everything that's going on under the hood. 08:15 < SpaceBass> that fixed it ! 08:15 < ecrist> normally, I'd tell you to disable the firewall and test 08:15 < SpaceBass> ecrist: you nailed it... PF is hard for a novice like me to troubleshoot b/c you can't really dig in 08:15 < ecrist> you're not pushing that route? 08:15 < SpaceBass> ecrist: ok, help me uunderstand pushing and pulling routes - I'm reading the docs too...so I want to add a push line on the client? 08:16 < ecrist> read this: 08:16 < ecrist> !route 08:16 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:16 < ecrist> sounds like you need an iroute on the server 08:17 < SpaceBass> thanks for the help the past two days... 
let me read that and keep playing 08:17 < SpaceBass> excited to at least have the tunnel up 08:18 < SpaceBass> final question - if I no longer want PFsense to be my Ovpn end points, I assume I could use dedicated machines on each network and then just setup the routing on the PFsense box? 08:19 < ecrist> yep 08:19 < ecrist> your firewall is a good place to put a vpn server, though. 08:19 < SpaceBass> I can see why that would be the case 08:21 < SpaceBass> looks like the gateways can ping resources on each others networks, but not the clients 08:22 < ecrist> do you have client-to-client? 08:22 < SpaceBass> to your point - its checked in the webgui but now that I look, its not in the conf file 08:23 < SpaceBass> thats why I wanted to use a dedicated box for oVPN, I think PFsense has some kinks 08:24 < ecrist> yeah. pfsense is really just a freebsd system 08:24 < ecrist> rather than doing it in the gui, set it up from the command line 08:24 < SpaceBass> yeah 08:24 < SpaceBass> thats what I'm doing - but I have to keep the webgui from overwriting my changes 08:24 < SpaceBass> it doesnt sync - which I think is a poor design 08:25 < ecrist> !freebsd 08:25 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:25 < ecrist> follow those instructions, should get you going 08:25 < SpaceBass> thanks again 08:25 < ecrist> disable openvpn in the webgui 08:25 < SpaceBass> ahhh good idea, and just execute from the CLI 08:27 < ecrist> yep 08:30 -!- infinity_ [i=brendon@saleen.netcal.com] has quit [Read error: 104 (Connection reset by peer)] 08:30 -!- infinity_ [i=brendon@saleen.netcal.com] has joined ##openvpn 08:34 < SpaceBass> added client-to-client and mode server and a push route line ...seemse to have botches things 08:36 < ecrist> did you read the route link above? 08:36 < SpaceBass> yeah 08:37 < SpaceBass> re-reading now :D 08:38 < ecrist> does that network exist on the client end, or the server end? 
08:41 < SpaceBass> on the server I have push route lines for both the local network and remote 08:41 < SpaceBass> and a route line for the remote 08:42 < ecrist> that's a problem, though 08:42 < ecrist> read the route link. you need ccds and iroute statements 08:43 < ecrist> your setup is covered on that page 08:44 < SpaceBass> I thought thats what I was covering - I added the iroute on the client and got an error "cannot be used in this context" 08:45 < SpaceBass> ahhh the ccd - didn't know what that was refering to...got it now 09:02 < SpaceBass> ok... back to where I was... one way routing at the gateway level only 09:03 < ecrist> can you draw a diagram of your network and post it somewhere? 09:03 < SpaceBass> working on the routes now 09:03 -!- TheDox [n=jcase@voip.sysadmins.com] has quit ["TheDox has no reason"] 09:03 < SpaceBass> ecrist: I'll try 09:16 -!- WastePotato [n=WastePot@unaffiliated/wastepotato] has joined ##openvpn 09:16 -!- WastePotato [n=WastePot@unaffiliated/wastepotato] has left ##openvpn [] 09:18 -!- teddy__ [n=teddy@208.92.235.227] has joined ##openvpn 09:20 < teddy__> How should I lockout 2 of my OpenVPN users? Deleting their unix account? Are there better ways ? 09:22 < ecrist> since you're in an openvpn channel, I assume you're using openvpn? 09:23 < ecrist> you can simply revoke their client SSL certificates 09:33 < teddy__> Each user was not generated their own certificate...Can you still revoke a ssl certificate per user? 09:47 < SpaceBass> ecrist: got a network diagram comming right up - had to track down a copy of vizio :( 09:48 < SpaceBass> http://www.flickr.com/photos/nickdawson/3426787662/ 09:48 < vpnHelper> Title: network on Flickr - Photo Sharing! (at www.flickr.com) 09:50 < ecrist> SpaceBass: looking now. coulda just used paint, or ascii chars, too 09:51 < SpaceBass> ececrist Im OCD like that 09:52 < ecrist> SpaceBass: your setup is covered, start to finish, on the routing page I linked you. 
09:52 < ecrist> paste your configs 09:52 < ecrist> !configs 09:52 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:52 < SpaceBass> yeah - I've been following that and know I'm very close 09:56 < SpaceBass> http://pastebin.ca/1387140http://pastebin.ca/1387140 09:56 < SpaceBass> oops 09:56 < SpaceBass> http://pastebin.ca/1387140 09:57 < ecrist> SpaceBass: your configs are wrong 09:57 < ecrist> oh, wait, hang on, misread something 09:58 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:01 < ecrist> SpaceBass: is the CN on the certificate client1 is using 'lynchburgclient'? 10:01 < ecrist> !logs 10:01 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:02 < SpaceBass> ecrist: yes, the CN is lynchburgclient 10:04 < SpaceBass> logs 01 < ecrist> SpaceBass: is the CN on the certificate client1 is using 10:04 < SpaceBass> oops 10:05 < SpaceBass> http://pastebin.ca/1387148 10:06 < SpaceBass> still not getting a routing table entry on the client side 10:09 < ecrist> still reading 10:09 < SpaceBass> take your time - and hope you'll tell me how I can repay the favor 10:09 < SpaceBass> appreciate your help 10:09 < ecrist> your ifconfig-push is wrong 10:11 < ecrist> try 'ifconfig-push 192.168.123.5 192.168.123.6' 10:11 < ecrist> and remove the ifconfig line from your client config 10:12 < SpaceBass> ok 10:14 < SpaceBass> and the ifconfig-push goes in the ccd, correct? 
10:14 < ecrist> yes 10:16 < SpaceBass> ok - logs on both side say its up...cannot ping in either direction 10:17 * ecrist grumbles 10:17 < SpaceBass> :) 10:17 < ecrist> firewall issue 10:18 < SpaceBass> let me keep at it for a few, work with the firewall and see what I can come up with 10:18 < SpaceBass> back in a few 10:18 < ecrist> ok 10:21 < theDoc> That's odd. 10:22 < theDoc> in my openvpn-server.log, I have an UNDEF 10:22 < theDoc> .. 10:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 11:23 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:36 -!- huslu_ [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 11:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:49 -!- huslu [n=huslu@c-98-245-66-172.hsd1.co.comcast.net] has quit [Read error: 113 (No route to host)] 11:59 -!- mooncup [n=a@unaffiliated/mooncup] has quit [No route to host] 12:02 < SpaceBass> ok...think I've narrorwed it down... ecrist I dont think my setup is reading/using the ccd 12:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:12 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn 12:15 < SpaceBass> the client is not getting the push-ifconfig 12:20 -!- rodpod [n=rod@hick.org] has quit [Read error: 104 (Connection reset by peer)] 12:23 -!- mweichert [n=mweicher@216.13.154.21] has joined ##openvpn 12:23 < mweichert> does anyone know how to make an OpenVPN connection with the iPhone? Maybe there is an indirect way to achieve this? 
12:25 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ftp4, SpaceBass 12:29 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 12:44 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 12:44 < SpaceBass> ugly netsplit 12:45 < ecrist> bah, you and ftp4 were the only ones in this channel affected. 12:45 < SpaceBass> really? 12:46 < ecrist> 12:25 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ftp4, SpaceBass 12:46 < SpaceBass> ha 12:46 < SpaceBass> took a few steps forward and a few back 12:49 < SpaceBass> http://pastebin.ca/1387268 12:49 < ecrist> you're interrupting my porn viewing now. ;P 12:50 < SpaceBass> why do you think I need the VPN working? can't very well look at pron on my network can I? 12:51 < ecrist> error, again, in your ifconfig-push ccd 12:51 < ecrist> second address should be .6, not both .5 12:51 < SpaceBass> F me! 12:51 < SpaceBass> been looking at this way too long 12:55 < SpaceBass> still not sure my ccd is being read 12:55 < SpaceBass> the client isn't getting the ifconfig 12:56 < ecrist> ok, you fixed the line, restarted openvpn (just to be safe) and restarted client? 12:56 < ecrist> !logs 12:56 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 13:00 < SpaceBass> http://pastebin.ca/1387278 13:01 < SpaceBass> i see an extra backslash in th path for the ccd, but I aslo see it using the options via the server log 13:02 < ecrist> ok, looks like things are working. 13:03 < SpaceBass> why doesnt it setup the tunnel IPs on the client ? 
13:03 < SpaceBass> ovpnc1: flags=8010 metric 0 mtu 1500 Opened by PID 24071 13:03 < ecrist> you gave me server log, lemme see client log 13:04 < SpaceBass> it was in there too, but here it is on its own http://pastebin.ca/1387281 13:05 < ecrist> that's not showing me startup 13:08 -!- mtoledo` [n=user@c906c009.virtua.com.br] has quit [Read error: 113 (No route to host)] 13:09 < SpaceBass> http://pastebin.ca/1387285 13:09 < SpaceBass> I dont see it referencing the cn name lynchburgclient anywhere 13:10 < ecrist> your logs are backwards. 13:10 < ecrist> like this. 13:10 < ecrist> to read things 13:10 < SpaceBass> in reverse order? yeah 13:10 < ecrist> I find it difficult 13:10 < SpaceBass> leme see if I can fix that 13:12 < SpaceBass> client log - normal order http://pastebin.ca/1387289 13:12 < ecrist> lemme see your configs again, current ones 13:14 < SpaceBass> current configs http://pastebin.ca/1387292 13:17 -!- mweichert [n=mweicher@216.13.154.21] has quit ["Leaving"] 13:18 < ecrist> ok, here's the issue 13:18 < SpaceBass> lay it on me 13:18 < ecrist> from server config, remove ifconfig line, add server 192.168.123.0 255.255.255.0 13:19 < ecrist> restart, dance, show me !logs again, if it doesn't work. 13:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:22 < SpaceBass> server log 13:22 < SpaceBass> http://pastebin.ca/1387304 13:23 < SpaceBass> client log 13:23 < SpaceBass> 14:12 < SpaceBass> client log - normal order http://pastebin.ca/13872 13:23 < SpaceBass> drat paste error... 
13:23 < SpaceBass> client log http://pastebin.ca/1387305 13:24 < SpaceBass> still no IP on the tunnel adaptor for the client 13:28 < SpaceBass> btw: Subject: C=US, ST=Virginia, L=Lynchburg, O=NSnet/emailAddress=npdweb@nickdawson.net, CN=lynchburgclient 13:29 < SpaceBass> thats from the client -wanted to verify that it was the right cn name 13:29 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 13:33 < ecrist> current configs, again, please? 13:34 < SpaceBass> http://pastebin.ca/1387292 13:35 < ecrist> um, I said current configs 13:35 < SpaceBass> leme get a fresh cat 13:37 < SpaceBass> http://pastebin.ca/1387309. 13:38 < karlpinc> I'm curious wheather there's any demand for this patch: http://article.gmane.org/gmane.network.openvpn.devel/2581 13:38 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 13:38 < SpaceBass> brb - going to get power adaptor for laptop 13:42 < karlpinc> The idea is to allow customization of the OpenVPN MS Windows installer without having to compile. 13:46 < ecrist> karlpinc: did you have any feedback from the mailing list? 13:51 < karlpinc> ecrist : A couple of people said suggested installing the windows version and then snarfing the files from there. Sounded dicey to me. 13:54 < ecrist> if I knew C, and had time, I'd fork OpenVPN 13:56 < karlpinc> ecrist : Why? 13:56 -!- Sinky [n=stancho@78.90.99.168] has quit [Read error: 110 (Connection timed out)] 13:58 < ecrist> karlpinc: a few reasons, really. 1) more consistent releases and transparency, 2) better enterprise support 14:01 < reiffert> 14:02 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn 14:02 < Flumdahl> WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 91.210.104.0 255.255.254.0' <-- do i get as error, i have never used any ifconfig lines in server.conf 14:03 < ecrist> are you using them in client config? 
14:04 < Flumdahl> yes 14:04 < Flumdahl> http://pastebin.com/m745f55c3 <-- there is my server conf and version 14:04 < ecrist> then you're wrong 14:04 < ecrist> karlpinc and reiffert: http://pastebin.ca/1387326 14:05 < reiffert> ? 14:06 < ecrist> ? 14:06 < Flumdahl> http://pastebin.com/m1dc7ad97 there is both client and server config. 14:06 < reiffert> ecrist: ah, so you are about to fork openvpn. 14:07 < karlpinc> ecrist : ok. 14:07 < ecrist> reiffert: I wish I could, but I'm a talentless ass-clown. 14:07 < ecrist> all I do is idle is IRC 14:08 < karlpinc> ecrist : What does "transparency" mean? Do they respond on the devel list? 14:08 < Flumdahl> shall i use the ifconfig in server conf? 14:08 < Flumdahl> push "ifconfig 91.210.104.95 255.255.254.0" 14:08 < Flumdahl> ? 14:08 < reiffert> ecrist: soo .. and why are you pasting such useless sentences to a pasteservice then? 14:09 < ecrist> Flumdahl: properly configured, you either of ifconfig lines on both server and client, or you have them neither place, with a server in server config 14:09 < Flumdahl> so in server config i write server serverip servermask ? 14:10 < ecrist> reiffert: karlpinc was asking why I'd fork, if I had the tools. couldn't remember all the reasons i'd come up with, so pasted that. your initial, '?' comment made me believe you were curious as well. 14:10 < ecrist> apparently I was mistaken 14:10 < ecrist> Flumdahl: yes. and remove ifconfig from client config 14:11 < reiffert> ecrist: oh, that was an accidentally typed german umlaut 14:11 < ecrist> ah 14:11 < Flumdahl> ecrist: but, if i setup ifconfig line in server conf with my servers ip... will that not be a ip conflict then because i have that ip on my br0 ? 14:16 < HardDisk_WP> ecrist, do you have /charset utf-8? 14:17 < HardDisk_WP> I can see an ö from reiffert so I guess you're ISO-8859 or some other obscure charset 14:19 < ecrist> HardDisk_WP: nope 14:19 < ecrist> I'd hardly call it obscure... 14:21 < HardDisk_WP> what charset do you use? 
14:22 < ecrist> send me that character again, reiffert 14:22 < HardDisk_WP> ö 14:22 < ecrist> HardDisk_WP: whatever default is for irssi 14:22 < HardDisk_WP> here you go 14:22 < ecrist> that character shows up now. had to set it to utf-8 in irssi 14:24 < ecrist> I don't know the irssi default charset 14:31 -!- grandee [n=tinkle@80-254-74-45.dynamic.swissvpn.net] has joined ##openvpn 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:53 -!- grandee [n=tinkle@80-254-74-45.dynamic.swissvpn.net] has quit ["bbl"] 15:05 < SpaceBass> ecrist: I feel like I keep taking one step forward two back :D 15:09 < SpaceBass> I'm still not sure the client is getting the CCD http://pastebin.ca/1387309 15:15 -!- rodpod [n=rod@hick.org] has joined ##openvpn 15:15 -!- mtoledo` [n=user@189.102.205.95] has joined ##openvpn 15:22 < ecrist> SpaceBass: does the VPN come up on the client, and does the client have the .5 ip address? 15:23 < SpaceBass> ecrist: logs suggest its up, but no the client never gets the .5 15:26 < ecrist> SpaceBass: at this point, I'm going to say it's a pfsense thing. 15:26 < ecrist> try on other hosts, as you'd mentioned this morning. 15:27 < SpaceBass> ecrist: thanks - I'll give that a go 15:29 < SpaceBass> before I totally give up - rather than pushing the ifconfig to the client, could I add it to the client's config? 15:29 < ecrist> you can try, I've never done a config like that, though 15:31 < SpaceBass> strange thing was that I had it working b/t gateways earlier - wish I had saved "snapshot" configs 15:42 < HardDisk_WP> krzie, ping 15:49 < krzie> hey man 15:51 < krzie> good timing, i just re-attached 15:52 < HardDisk_WP> :) 15:52 < HardDisk_WP> krzie, I got OpenVPN up and running :) 15:52 < HardDisk_WP> now, the iodine stuff 15:53 < krzie> thats where i dont help, i just point you to the right place 15:53 < krzie> (which i did) 15:53 < HardDisk_WP> I just need some help with that domain stuff. 
because the only server usable for running the DNS server is on a dialup connection 15:54 < krzie> lol 15:54 < krzie> then you dont get to run iodine 15:54 < krzie> it requires you to have 2 servers 15:54 < krzie> one for real DNS, 1 for fake DNS 15:54 < krzie> the real points to the fake for dns authority for a subdomain 15:55 < HardDisk_WP> hmm wait, I got another vserver (problem is: it isnt reliable^^) 15:56 < HardDisk_WP> krzie, does the server running iodine require a tun/tap device? 15:56 < krzie> yes 15:56 < HardDisk_WP> and it needs a static IP= 15:56 < HardDisk_WP> ? 15:56 < krzie> its a dns TUNNEL 15:56 < krzie> no, dyndns is enough for that 15:57 < HardDisk_WP> :) 15:57 < krzie> but dialup wont work 15:57 < HardDisk_WP> Why not? 15:57 < krzie> mtu is shitty enough when using a 100mbit 15:57 < krzie> do it over dialup and you're better off using smoke signals 15:57 < HardDisk_WP> Oh. 15:58 < HardDisk_WP> But I can try out, I guess? :D 15:58 < krzie> do whatever you want 15:58 < krzie> heh 15:58 < krzie> it wont hurt me any 15:58 < HardDisk_WP> ^^ 16:01 < SpaceBass> ecrist: I got it! 16:01 < ecrist> gratz 16:01 < SpaceBass> ecrist: one very simple little word... "client" missing from the client.conf 16:01 < ecrist> oh, I thought I checked for that. 16:01 < ecrist> mea culpa 16:01 * SpaceBass would dance if I wasn't recovering from a knee reconstruction 16:01 < SpaceBass> ecrist: not on your shoulders at all - I should have know that as a basic 16:02 < HardDisk_WP> krzie, so http://pastebin.com/m6d72874 would be basically correct? 16:03 < SpaceBass> ecrist: still no routing b/t clients, but know that has to be pfsense 16:03 < ecrist> SpaceBass: do you have an openvpn-status file? 
16:03 < ecrist> look in there, contains openvpn's internal routing table 16:04 < ecrist> if it's not listed there, your problem is with openvpn, otherwise it's firewall 16:04 < SpaceBass> ecrist: not sure about the status file - I'll investigate 16:04 < SpaceBass> but at least I can ping remote recources from the respective gateways 16:05 < Flumdahl> hmm, why wont my shaper work on server? directly when i insert shaper 131072 in server conf it wont setup the route on my client at all. if i erase the shaper line and restart the server and connect it works fine again 16:12 * SpaceBass is so close he can taste it 16:20 < krzie> HardDisk_WP: thats where i dont help, i just point you to the right place 16:20 < krzie> (which i did) 16:20 < krzie> i dont do iodine support 16:20 < HardDisk_WP> kk 16:20 < krzie> its one of those things where if you get it working its cause you figured it out 16:21 < krzie> unlike openvpn where im willing to help walk someone through it 16:21 < krzie> but for now, time for me to work on a side-job 16:21 < krzie> a guy wants me to setup an automated way to lie to a shitton of nameservers about his reverse dns based on a whitelist 16:21 < SpaceBass> if my routes on the gateways allow traffic, then I'd think the clients would work 16:21 < krzie> im like "umm, bind made that for us, but finding the nameservers to lie to from the whitelist of domains will need some custom work, and could get pricey" 16:22 < krzie> booya, gunna make a lil script and get paid++ 16:22 < krzie> (the job isnt for my buddy, its for a guy using him as a proxy) 16:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 16:34 -!- grandee [n=tinkle@80-254-66-61.dynamic.swissvpn.net] has joined ##openvpn 16:48 -!- SpaceBass [n=ndawson@pool-96-253-96-54.rcmdva.fios.verizon.net] has quit ["Lost terminal"] 16:48 -!- bandini [n=bandini@host234-109-dynamic.41-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:49 -!- sigius 
[n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:04 < MarcWeber> I've some trouble routing udp through the the vpn network. Are there any known pitfalls? Using iperf -cu $vpn_server works whatsoever.. 17:19 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 18:06 < krzie> is it voip by chance? being routed over the vpn which NATs it? 18:06 < krzie> if so, you'll need STUN 18:29 -!- afonso [n=afonso@bl6-119-108.dsl.telepac.pt] has joined ##openvpn 18:29 < afonso> hi guys 18:32 < afonso> i have a client with a lan connected to a openvpn server. something similar to what's explain on the howto 'Including multiple machines on the client side when using a routed VPN' on the official website 18:34 < afonso> the thing is: if i ping the client's tun0 IP from the server, i get around 2ms of latency. BUT if i ping the first lan ip (which is on the same router as the tun0), i get around 20ms. 18:34 < afonso> is there an explanation for this? 18:34 < afonso> 18ms just to jump from tun0 to eth0? 18:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 19:06 < dan__t> Well. 19:06 < dan__t> All that good shit I talked about WHMCS can pretty much go down the drain now. 19:16 -!- cirdan [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has joined ##openvpn 19:16 < cirdan> !howto 19:16 < vpnHelper> cirdan: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:16 < cirdan> eh 19:26 -!- grandee [n=tinkle@80-254-66-61.dynamic.swissvpn.net] has quit ["bbl"] 19:34 < afonso> can anyone answer my question? 19:42 < dan__t> njo 19:42 < dan__t> no 19:55 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has joined ##openvpn 19:55 < SpaceBass> evening 20:05 < dan__t> howdy. 20:14 < krzie> nope, i have no answer for you afonso 20:14 < afonso> :( 20:14 < afonso> i'm i doing something wrong or is this normal? 20:14 < ecrist> everyone who doesn't understand OpenVPN are bitches. 
20:14 < krzie> it would go from vpn ip out through lan if to the router to the client, back to router, back to vpn endpoint then back over the vpn
20:15 < krzie> but that shouldnt add 18ms
20:15 < krzie> since all added stuff is on-lan
20:15 < afonso> i agree
20:15 < afonso> that's why i'm asking
20:15 < krzie> maybe some latency from firewalls in the middle or a slow router or something
20:16 < krzie> the packet could be going through many more firewall rules than it would if it were on-lan
20:16 < krzie> dunno
20:16 < afonso> its a router with 500Mhz and 256MB ram
20:16 < afonso> not really slow...
20:16 < krzie> but its not openvpn related as the vpn connection has the good ping
20:16 < krzie> the added latency happens outside the vpn
20:17 < afonso> but lan connections also have good pings
20:17 < krzie> should
20:17 < krzie> but they also dont come with the source ip of your vpn network
20:17 < krzie> which seems to be the only time its high latency im guessing
20:18 < ecrist> bitches, I say
20:18 < dan__t> Bitches.
20:18 < krzie> lol eric
20:18 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn []
20:19 < afonso> i thought it could be something with the iroutes and openvpn
20:19 < krzie> not if you get ANY ping reply
20:19 < afonso> i don't see another explanation
20:20 < krzie> !route
20:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:20 < krzie> !iroute
20:20 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
20:20 < krzie> i don't see another explanation
20:20 < krzie> its not even a POSSIBLE solution
20:21 < afonso> why? you assume that openvpn can't be slow?
20:21 < afonso> in any circumstance...
20:22 < krzie> dude
20:22 < krzie> you told me ping tun tun endpoint was 2ms
20:23 < krzie> thats all thats happening over the vpn
20:23 < krzie> the rest is on your lan
20:23 < krzie> you didnt figure that out on your own?
20:24 < afonso> yeah but the ip on the lan is on the same router...
20:24 < afonso> i don't see the kernel taking 18ms to jump between interfaces
20:24 < krzie> welp, the only place openvpn is in the picture is between tun endpoints
20:25 < krzie> the rest is outside of openvpn
20:25 < krzie> period
20:26 < afonso> ok
20:27 < afonso> but it's still weird that this only happens with tun0... and not any other interface
20:27 < afonso> *between
20:27 < krzie> i told you whats different
20:27 < krzie> different source ip
20:27 < krzie> what firewall is on your router?
20:27 < afonso> iptables
20:28 < krzie> i dont use linux, but if it were pf on bsd, i would make a pass rule on the top of the list, and ild make it quick so it was immediately passed and hit NO more rules
20:28 -!- gebi [n=gebi@84-119-54-65.dynamic.xdsl-line.inode.at] has left ##openvpn []
20:28 < krzie> to rule that out
20:30 < afonso> i already ruled that out
20:31 < krzie> ok well
20:31 < krzie> !notovpn
20:31 < vpnHelper> krzie: Error: "notovpn" is not a valid command.
20:31 < afonso> i'm accepting everything, no more rules
20:31 < krzie> !notopenvpn
20:31 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
20:31 < krzie> what channel that would be, i dont know
20:31 < afonso> ok ok
20:31 < krzie> but the fact that the tun stuff is fast, dunno man
20:31 < krzie> you could try a traceroute?
20:31 < afonso> i did
20:31 < krzie> see where the latency increases
20:32 < krzie> also, how the hell are you 2ms from your endpoint?
20:32 < krzie> lol
20:32 < afonso> root@Sede:/etc/openvpn-core# traceroute 192.168.231.1
20:32 < afonso> traceroute to 192.168.231.1 (192.168.231.1), 30 hops max, 38 byte packets
20:32 < afonso> 1 192.168.231.1 (192.168.231.1) 19.637 ms 19.116 ms 19.082 ms
20:33 < afonso> i don't even see the jump
20:33 < krzie> well that dont help any
20:34 < krzie> this is a tcp or udp vpn?
20:35 < afonso> udp
20:35 < krzie> good
20:35 < krzie> tried mtu-test?
20:35 < krzie> !mtu-test
20:35 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
20:36 < krzie> although its likely the default, wont hurt to test
20:37 < afonso> sorry krzie. i'll have to give it a try tomorrow
20:37 < afonso> thanks for your help!
20:39 -!- afonso [n=afonso@bl6-119-108.dsl.telepac.pt] has quit []
20:41 < krzie> hehe
20:41 < krzie> hi im running openvpn on my webserver, and now my mailserver is running slow, can someone help me?
20:43 < dan__t> whmcs
20:43 < dan__t> what a bunch of fags.
20:44 < krzie> wtf is whmcs
20:44 < dan__t> Their support responses are terse, they're ill-informed. If I ask a very technical question they reply with "yes", or "no", without any elaboration.
20:44 < dan__t> Billing system.
20:44 < dan__t> We talked about this the other day.
20:44 * dan__t kicks krzie in the vagina.
20:44 < krzie> my vagina is out of town for a couple days
20:44 < krzie> she'll be back sunday
20:45 < dan__t> awesome
20:46 < dan__t> You familiar with any billing systems, krzie?
20:46 < krzie> neg
20:53 < krzie> my billing system was always "hey man, you owe me $x"
20:54 < dan__t> yea
20:54 < dan__t> im sick of that
20:54 < dan__t> too many clients for that any more
20:54 < dan__t> i still do billing in ms office accounting :/
20:54 < krzie> werd
20:55 < krzie> thats when ild get someone to do my accounting for me
20:55 < krzie> thats how much i like to deal with billing
20:55 < dan__t> heh
20:55 < krzie> although of course a billing system is better
20:55 < krzie> but im a fan of delegation
20:57 < dan__t> i'm a fan of keeping my money.
20:58 < krzie> ya and im actually a bigger fan of automation than delegation
20:58 < krzie> so you win on both
21:05 -!- SpaceBass [n=SP@pool-96-253-96-54.rcmdva.fios.verizon.net] has left ##openvpn ["Leaving"]
21:20 -!- grandee [n=tinkle@80-254-75-26.dynamic.swissvpn.net] has joined ##openvpn
21:26 < grandee> Hi guys, could somebody recommend a good commercial VPN service provider that uses openvpn?
21:27 < krzee> i believe dan was making a system to be done
21:27 < krzee> err to be one
21:28 < grandee> krzee, do you mean dan__t?
21:29 < krzee> yup
21:30 < grandee> what sort of price was he thinking of asking?
21:30 < krzee> no clue
21:30 < krzee> i only talked tech stuff
21:30 < grandee> maybe i'll ask him personally
21:31 < grandee> sure thanks krzee
21:31 < krzee> np =]
21:31 < grandee> i'm using pptp at the moment with swissvpn
21:32 < krzee> ya i understand why youd wanna switch
21:33 < grandee> openvpn has a reputation as being the best
21:37 < dan__t> That, and swissvpn has a reputation of sucking.
21:38 < grandee> hi dan__t you are going to offer vpn service? how much are you thinking of charging?
21:39 < grandee> dan__t: the biggest problem with swissvpn is that they use pptp
21:39 < dan__t> It really wasn't a general purpose VPN. I was toying with the idea tonight, and began to work on some code to allow it for general use.
21:39 < dan__t> How long have you been using SwissVPN?
21:40 < grandee> one week approx
21:40 < dan__t> Where are you located?
21:40 < grandee> Canada
21:41 < dan__t> To be perfectly honest, my pricing is quite a bit more than what SwissVPN advertises.
21:42 < grandee> what is your privacy policy
21:42 < grandee> $15 US?
21:42 < dan__t> I was thinking around $20/mo for basic, if I offer it. I have a pretty unique setup that I can't elaborate on which I'll be charging $35/mo for
21:43 < dan__t> Privacy policy is that anyone asking me for information regarding a client can go kick rocks.
21:43 < dan__t> I do need to log just about every connection for statistics, load averaging, forecasting etc etc.
21:43 < dan__t> And enough to bill a credit card.
21:44 < dan__t> What a God awful ugly site.
21:44 < grandee> are you an openvpn developer?
21:45 < dan__t> I am not. I'm a Linux systems administrator by trade.
21:45 < dan__t> Emphasis on load balancing, distribution, clustering, storage etc etc.
21:46 < grandee> 20 dollars is a little expensive for me, but i'm sure your service would blow the doors off anybody else's
21:47 < dan__t> And a formidable degrader of krzie's better half.
21:47 < dan__t> Yeah, its not for everyone.
21:47 < dan__t> There are a few things involved that will make it hands down better than anything I've seen in the past
21:47 < dan__t> I have this habit of starting a project that 289342323 other people do.
21:47 < dan__t> This time i did the research, and the niche that I'm shooting for is not saturated.
21:48 < grandee> sounds interesting
21:50 < grandee> anyway thanks for your time, hope to use openvpn in the future
21:51 < dan__t> I'm a few weeks away from going "live"
21:51 < dan__t> I figure I'll still be hanging out around here. If you see me, feel free to say hello.
21:52 < grandee> sure thats cool thanks dan__t :)
21:56 -!- rodpod [n=rod@hick.org] has quit [Read error: 104 (Connection reset by peer)]
22:01 -!- grandee [n=tinkle@80-254-75-26.dynamic.swissvpn.net] has quit ["goodnight"]
--- Day changed Fri Apr 10 2009
00:17 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn
00:19 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has joined ##openvpn
00:23 -!- theDoc [n=andelyx@bb121-6-127-231.singnet.com.sg] has joined ##openvpn
00:23 -!- theDoc [n=andelyx@bb121-6-127-231.singnet.com.sg] has quit [Client Quit]
00:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
01:15 < reiffert> moin
01:21 < dazo> moin
01:22 < krzee> moin
01:26 < dan__t> moin
01:40 < dan__t> Free PowerEdge 2600, 2x32G Ultra320 10k's, 512M RAM, Xeon 2.8
01:40 < dan__t> Shipping from CA to AZ worth it? heh
02:19 -!- prozacwizard [i=moneybag@you.can.do.it.cx] has joined ##openvpn
02:24 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
02:29 -!- prozacwizard [i=moneybag@you.can.do.it.cx] has quit [Remote closed the connection]
02:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 < dazo> dan__t: yeah, I would say so .... you can prep it up to 2GB RAM pretty cheap nowadays ... and you have a pretty good server
02:41 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
02:41 < dazo> dan__t: depending on how old the disks are ... you might consider new disks
02:42 < dan__t> yea
02:42 < dan__t> ultra320's
02:42 < dan__t> that's hardcore++
02:42 < dan__t> don't know what I would ever use them for
02:42 < dan__t> I just need a big-ass VM server
02:42 < tjz> long long long long time never come check this channel
02:42 < tjz> :(
02:42 < dazo> dan__t: well, it's not state of the art any more .... but it rocks, that's for sure :)
02:42 < dan__t> U320 is backwards compat with u160 last I recall. I could just fill it with big-ass u160's
02:42 < tjz> hi to all my new friends
02:42 < dan__t> tjz, what the f are you talking about
02:43 < tjz> hi dan
02:43 < tjz> =
02:43 < tjz> =)
02:43 < dazo> dan__t: true you can use U160 disks in U320, but not the other way, iirc
02:43 < dan__t> Correct.
02:43 < dan__t> Hello, tjz.
02:44 < dazo> dan__t: it might not be powerful enough for serving a lot of VM's .... as the CPU would benefit having Virt support ... but it sounds good enough for other things .... would probably do well as a mid-range database server or dedicated high-end webserver
02:44 < dan__t> whatever
02:44 < dan__t> vmware does me well
02:45 < dan__t> i just need something for developing with
02:45 < dan__t> this VPN thing is the first side project I've done in a month
02:45 < dan__t> I gave up side projects to study for a shitton of certs I should already have.
02:45 < dazo> heh
02:46 < krzee> [02:40] Free PowerEdge 2600, 2x32G Ultra320 10k's, 512M RAM, Xeon 2.8
02:46 < krzee> [02:40] Shipping from CA to AZ worth it? heh
02:46 < dan__t> So with that... I need a lab
02:46 < krzee> absolutely
02:47 < dan__t> And I can run a lab on a beefed up 2600
02:47 < krzee> ild pay shipping to the caribbean if i found that
02:47 < dan__t> I'll just ebay another xeon because its a dual socket board
02:47 < dan__t> and beef it up to 8G RAM
02:47 < dan__t> at least
02:47 < dan__t> 750w power supply
02:47 < dan__t> goddam
02:47 < dan__t> two of them, even
02:47 < krzee> damn nice
02:47 < krzee> rackmount?
02:47 < dan__t> no, tower
02:47 < dan__t> soho
02:47 < krzee> ahh
02:47 < dan__t> funny how this came back to me
02:48 < krzee> still, free
02:48 < dan__t> I did some contract work for some retard in California
02:48 < dan__t> They went out of business before they paid me
02:48 < krzee> if you find more freeness please let me know if you dont take it
02:48 < dan__t> my friend worked there, he made off pretty well
02:48 < dan__t> the retard gave a few servers to my friend
02:48 < dan__t> he's giving them to me because he felt bad I didn't get paid
02:48 < krzee> nice
02:49 < dan__t> i'm still fighting whmcs
02:49 < dan__t> haven't hacked on openvpn in a day and a half
02:49 < dan__t> there's one problem I'm still trying to get over.
02:50 < dan__t> http://forum.whmcs.com/showthread.php?t=19364
02:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
02:53 < krzee> You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:
02:54 < dan__t> gay.
02:54 < krzee> http://www.zabbix.com/forum/showthread.php?p=44784#post44784
02:56 < dan__t> 2) I would like to be able to view multiple graphs at the same time.
02:56 < dan__t> make a screen, throw graphs in that screen
02:56 < dan__t> 3) When viewing those graphs I would like to have the percentages and numbers displayed there as well.
02:56 < dan__t> edit those in the graph display properties
02:56 < dan__t> 4) I would like the filter to apply to the graphs I view.
02:56 < dan__t> which filter?
02:57 < dan__t> oh
02:57 < dan__t> the filter pretty much sucks.
02:57 < krzee> time and date filter
02:57 < dan__t> right
02:57 < dan__t> you're fucked
02:57 < krzee> to only view a certain date range
02:58 < krzee> nah this rocs
02:58 < dan__t> that filter sucks completely.
02:58 < krzee> rocks
02:58 < dan__t> the rest of it does sure
02:58 < krzee> just small things need fixing
02:58 < dan__t> check out the dashboard yet?
02:58 < krzee> yup
02:58 < krzee> ya doesnt do much for my lil setup
02:58 < dan__t> The dashboard looks great on a 60" plasma with like 600 hosts.
02:58 < krzee> but availability reports and monitoring - events does all i want
02:58 < krzee> in fact when they fix availability reports, its all ill need
02:59 < krzee> so the username to view will only get reports
02:59 < krzee> ild like finer grained user rights
02:59 < dan__t> yeah
02:59 < krzee> they only give menus
02:59 < dan__t> they're kinda tricky.
02:59 < dan__t> use host groups.
02:59 < krzee> il like submenus
02:59 < krzee> ild
02:59 < dan__t> yeah
02:59 < dan__t> use hostgroups for perms
02:59 < krzee> so i could clean out what i dont want
02:59 < krzee> i do
02:59 < dan__t> give perms to hostgroup ABC etc etc
02:59 < krzee> but only allows access to entire menus
03:00 < krzee> like monitoring
03:00 < krzee> i dont need all 11 submenus
03:00 < krzee> only 1 of them
03:00 < krzee> and reports availability report
03:01 < krzee> so now for 1 submenu i must enable 12 i dont want
03:01 < krzee> err
03:01 < krzee> so now for 2 submenus i must enable 12 i dont want
03:01 < krzee> and in reports - status the user can see exactly how much is being monitored
03:02 < krzee> i think he should only see what he has rights to, even if it is just a #
03:02 < dan__t> hehe
03:02 < dan__t> overall not bad though huh
03:02 < krzee> very much so
03:02 < krzee> im nitpicking there
03:02 < dan__t> has its quirks
03:02 < dan__t> its young
03:02 < krzee> ya
03:02 < dan__t> polling 70k items and 600 hosts gets crazy
03:02 < dan__t> need some hardcore++++ sql machines for that
03:03 < krzee> understandably so
03:03 < dan__t> talking like 2-2500 queries/sec
03:03 < krzee> it allows you to do so much, if you enable a shitton it will need the resources
03:03 < dan__t> haha
03:03 < dan__t> yeah
03:04 < tjz> hi jeff!!
03:04 < tjz> =)
03:04 < tjz> lol
03:04 < tjz> in the wee hour
03:04 < krzee> hey
03:04 < tjz> happy good friday
03:04 < tjz> :P
03:04 < dan__t> pbbbttht.
03:04 < krzee> Required server performance, new values per second 0.0667
03:04 < tjz> lol
03:04 < krzee> every friday is good
03:04 < dan__t> Just another occasion to party myself stupid.
03:04 < krzee> its those mondays that need help
03:05 < tjz> hahahaha
03:05 < tjz> can't agree more
03:05 < tjz> lol
03:06 < krzee> hey dan, any ideas here?
03:06 < krzee> http://www.zabbix.com/forum/showthread.php?t=12225
03:07 < dan__t> take a few values and average them
03:07 < dan__t> that's what I do with icmpping
03:08 < krzee> im doing that
03:08 < dan__t> average 3 rounds, and if their sum > 2 then its probably not a false positive
03:08 < dan__t> do this
03:08 < dan__t> use templates.
03:08 < dan__t> make "service" templates.
03:08 < krzee> read the whole thing
03:08 < dan__t> I'd have, like, Generic Linux Template
03:08 < dan__t> Generic windows template
03:08 < dan__t> etc etc
03:08 < dan__t> then all hosts that are of that type get that template
03:09 < krzee> im preventing trigger fire if zabbix network goes down
03:09 < dan__t> i'd have items and graphs associated with that template
03:09 < dan__t> i'd make graphs and triggers and items associated with another template called "Disk Device sda"
03:09 < krzee> so if last 3 pings avg to 0 for hemp, and last ping to joogot was good, FIRE
03:09 < dan__t> and just apply them to the host, make them overlap
03:09 < dan__t> yeah
03:09 < dan__t> I don't know about that one
03:09 < krzee> i think i found it, bout to test
03:10 < krzee> 9 & Logical AND
03:10 < dan__t> jea
03:10 < krzee> sweet this could even detect jitter
03:10 < dan__t> brb smokes and cokes
03:10 < krzee> great for a voip company
03:10 -!- Alagar [n=helpdesk@pool-173-55-246-4.lsanca.fios.verizon.net] has quit [Remote closed the connection]
03:19 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
03:20 < dan__t> k
03:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
03:20 < dan__t> god damn you whmcs
03:21 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:22 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn
03:25 < krzee> {hemp:icmppingsec.avg(#3)}=0&{joogot:icmppingsec.avg(#2)}#0
03:27 < dan__t> don't use icmppingsec
03:27 < krzee> and why not
03:27 < krzee> it works!
03:27 < dan__t> what if the ping is 0.0000ms
03:28 < krzee> i like seeing the latest graph
03:28 < krzee> umm, thats 0
03:28 < krzee> means its down
03:28 < krzee> exactly what im testing for
03:28 < dan__t> uh
03:28 < dan__t> eyes
03:28 < dan__t> sorry
03:29 < krzee> if the avg of the last 3 pings to hemp is 0 and the avg of last 2 pings to joogot is NOT 0, alarm!!!
03:30 < dan__t> yes
03:31 -!- _lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
03:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:44 < tjz> i don't think there is a fool proof solution..
03:44 < tjz> i tend to get some false alarm!
03:44 < tjz> too
03:48 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
03:49 < krzee> umm mines pretty foolproof against when the zabbix machine loses connection
03:50 < tjz> ok
03:53 -!- js_ [n=js@193.0.253.161] has quit [Remote closed the connection]
04:03 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn
04:04 < lepine> !/30
04:04 < vpnHelper> lepine: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
04:04 < lepine> !topology
04:04 < vpnHelper> lepine: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
04:05 < lepine> !route
04:05 < vpnHelper> lepine: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:06 < lepine> I'm trying to set myself up with a tunnel that i can use safely at conferences and public wifi
04:07 < lepine> i got it working
04:07 < lepine> i'm currently being masqueraded from my colo'ed server.
04:08 < lepine> thing is, whenever i connect to the vpn, i have to delete the default gateway on my machine, and add the openvpn server as default gw
04:08 < lepine> is there a way i can have the server push that config? it can push new routes (add) ... but can it push deletions?
04:08 < dan__t> redirect-gateway
04:08 < lepine> i've done that
04:08 < lepine> not working
04:08 < lepine> not properly anyway
04:09 < dan__t> hm
04:09 < dan__t> what do both client and server logs tell you?
04:09 < dan__t> beh i gotta pass out
04:09 < dan__t> krzie will be around in a few.
04:09 < lepine> so should i actually
04:18 -!- lepine1 [n=leprecha@206-248-132-81.dsl.teksavvy.com] has joined ##openvpn
04:27 < krzee> [05:08] thing is, whenever i connect to the vpn, i have to delete the default gateway on my machine, and add the openvpn server as default gw
04:27 < krzee> redirect-gateway def1
04:27 < krzee> !def1
04:27 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
04:27 < krzee> if you say its not working, post logs
04:30 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
04:34 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn
04:37 < djc> so I have a problem; I have a topology subnet-based setup
04:38 < djc> but I can't ssh to one of the clients
04:38 < djc> my co-worker is logged in on the local subnet that machine is in, so the sshd is apparently not the problem
04:38 < djc> and I can still ping the machine from one of my other clients, so at least there is some VPN connection
04:38 < djc> but when I try to ssh in over VPN, I get connection refused
04:39 < djc> any clues as to how to troubleshoot this would be appreciate
04:39 < djc> d
04:42 < djc> no one? :|
04:51 < kraut> moin
04:51 < djc> !logs
04:52 < vpnHelper> djc: "logs" is please pastebin your logfiles from both client and server with verb set to 6
04:52 < djc> !configs
04:52 < vpnHelper> djc: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
04:52 < djc> !interface
04:52 < vpnHelper> djc: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
04:54 < djc> kraut: moin; would you be able to help me troubleshooting
04:55 < kraut> i'm just on the jump
05:11 < djc> probably no one from openvpn.net is awake at this time?
05:44 -!- js_ [n=js@193.0.253.161] has joined ##openvpn
06:07 < reiffert> djc: use tcpdump on every single machine involved and inbetween.
06:08 < reiffert> djc: check if the packets get to that machine. If so, check if the answers get back to you.
06:16 < krzee> djc
06:16 < krzee> did you check sshd is listening on the vpn ip?
06:16 < krzee> like *:22
06:17 < reiffert> connection refused sounds like it, yes.
06:18 < krzee> aye
06:18 < reiffert> "like it" = "like it is involved"
06:18 < krzee> refused means the packets got there
06:18 < krzee> but it said "no way"
06:18 < krzee> so round trip packets
06:18 < krzee> as opposed to connection timed out
06:22 < krzee> oh and nobody from openvpn.net is around here even if they are awake
06:22 < krzee> ssh: connect to host 127.0.0.1 port 22: Connection refused
06:23 < krzee> host was contacted just fine but no daemon listening
06:23 < krzee> ssh: connect to host 10.0.0.69 port 22: Operation timed out
06:23 < krzee> host cant be contacted
06:24 < krzee> unless you play with blackhole settings and make the first just timeout too of course...
06:24 < krzee> but either way, thats what your problem is djc
06:38 < djc> hmm
06:38 < djc> (sorry, was away for a bit
06:38 < djc> )
06:38 < djc> but isn't it pretty weird that ping works when http/ssh don't?
06:39 < djc> plus, this vpn just worked before
06:41 < djc> and yeah, I had the idea about sshd not listening on the VPN if, too, but my sshd_config has ListenAddress 0.0.0.0, which I'm pretty sure means it should listen on every iface
06:43 < djc> OMFG
06:45 < reiffert> krzee: alternative idea: firewall says: R
06:45 < ecrist> morning, fuckers
06:46 < ecrist> refused can also mean the firewall is blocking
06:46 < djc> okay, so it turned out that because there was a different login order, the server was not at the IP I specified, so I was trying to ssh into the local box, which most definitely doesn't have either ssh or http running
06:47 < reiffert> djc: firewalls can confuse things and people. yes.
06:47 < djc> okay, so I should obviously make sure my server always gets a fixed IP
06:48 < krzee> !static
06:48 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd
06:48 < krzee> !forget static 2
06:48 < vpnHelper> krzee: Joo got it.
06:48 < krzee> !learn static as also see !ccd and !iporder
06:48 < vpnHelper> krzee: Joo got it.
06:48 < djc> !iporder
06:48 < vpnHelper> djc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP (next choice)., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
06:49 < krzee> bleh i wanna change that one too
06:49 < djc> so can I just assign one IP and have the rest auto-assigned?
06:49 < krzee> sure
06:49 * ecrist uses a /23 on his vpn, the first /24 is for dynamic IPs, the second is for static ips
06:51 < krzee> !change iporder 2 s/(next choice)./(next choice). see !ccd/
06:51 < vpnHelper> krzee: Joo got it.
06:51 < krzee> !iporder
06:51 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP ((next choice). see !ccd., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
06:52 < krzee> !change iporder 2 s/((/(/
06:52 < vpnHelper> krzee: Error: 's/((/(/' is not a valid regular expression.
06:52 < ecrist> you need to escape the parens
06:52 < krzee> !change iporder 2 s/\(\(/\(/
06:52 < vpnHelper> krzee: Joo got it.
06:52 < krzee> !iporder
06:53 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) -- Use --client-config-dir file for static IP \(next choice). see !ccd., or (#3) -- Use --ifconfig-pool allocation for dynamic IP (last choice)., or (#4) if you use --ifconfig-pool-persist see !ipp
06:53 < krzee> heh
06:53 < djc> lol
06:53 < krzee> !change iporder 2 s/\\//
06:53 < vpnHelper> krzee: Error: 's/\\\\//' is not a valid regular expression.
06:53 < krzee> !change iporder 2 s/\//
06:53 < vpnHelper> krzee: Error: 's/\\//' is not a valid regular expression.
06:53 < krzee> cute
06:53 < krzee> !forget iporder 2
06:53 < vpnHelper> krzee: Joo got it.
06:53 < krzee> !forget iporder 2
06:53 < krzee> !forget iporder 2
06:53 < vpnHelper> krzee: Joo got it.
06:53 < vpnHelper> krzee: Joo got it.
06:54 < djc> !ipp
06:54 < vpnHelper> djc: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
06:54 < djc> !clientconnect
06:54 < vpnHelper> djc: Error: "clientconnect" is not a valid command.
06:54 < krzee> !learn iporder as Use --client-config-dir file for static IP (next choice) !ccd for more info
06:54 < vpnHelper> krzee: Joo got it.
06:55 < krzee> !learn iporder as Use --ifconfig-pool allocation for dynamic IP (last choice)
06:55 < vpnHelper> krzee: Joo got it.
06:55 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp
06:55 < vpnHelper> krzee: Joo got it.
06:55 < krzee> !iporder
06:55 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !ccd for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
06:58 < djc> !ccd
06:58 < vpnHelper> djc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
06:59 -!- mode/##openvpn [+o krzee] by ChanServ
06:59 <@krzee> Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder
06:59 <@krzee> err
06:59 -!- krzee changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder
06:59 -!- mode/##openvpn [-o krzee] by krzee
06:59 -!- dazo is now known as dazo_gone
07:00 < djc> so in the sample config file it says to put "ifconfig-push 10.9.0.1 10.9.0.2" in the ccd/Thelonious file
07:00 < djc> but what are those ip addresses for?
07:00 < djc> I'm assuming one is the address you want to assign to that client
07:00 < djc> but what is the other?
07:00 < krzee> thats only for ptp setup
07:01 < krzee> where there is no client and server, only 2 endpoints
07:01 < djc> sorry, you lost me
07:02 < krzee> theres 2 ways to have openvpn as far as that goes
07:02 < krzee> server - clients
07:02 < krzee> or point-to-point
07:02 < krzee> ptp can only handle 2 endpoints
07:02 < djc> ok
07:02 < krzee> it was the mode for openvpn version 1
07:03 < krzee> !sample
07:03 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
07:03 -!- mode/##openvpn [+o krzee] by ChanServ
07:03 -!- krzee changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder !sample
07:03 -!- mode/##openvpn [-o krzee] by krzee
07:04 < krzee> aww shit
07:04 < krzee> i messed up on iporder
07:04 < krzee> !forget iporder 2
07:04 < krzee> !forget iporder 2
07:04 < vpnHelper> krzee: Joo got it.
07:04 < krzee> !forget iporder 2
07:04 < vpnHelper> krzee: Joo got it.
07:04 < vpnHelper> krzee: Joo got it.
07:04 < ecrist> krzee: don't need to be op to change topic
07:04 -!- ecrist changed the topic of ##openvpn to: Eric rocks!
07:05 < krzee> !learn iporder as Use --client-config-dir file for static IP (next choice) !static for more info
07:05 < vpnHelper> krzee: Joo got it.
07:05 < krzee> !learn iporder as Use --ifconfig-pool allocation for dynamic IP (last choice)
07:05 < vpnHelper> krzee: Joo got it.
07:05 < djc> !static
07:05 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder
07:05 -!- ecrist changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || Also interesting: !man !/30 !topology !iporder !sample
07:05 < krzee> !learn iporder as if you use --ifconfig-pool-persist see !ipp
07:05 < vpnHelper> krzee: Joo got it.
07:05 < krzee> ecrist loves to be the one who sets the topic
07:05 < krzee> lol
07:05 < ecrist> naw
07:06 < ecrist> was just demonstrating. :)
07:06 < krzee> you do it with /topic deoped?
07:06 < krzee> or through chanserv
07:06 < ecrist> yep
07:06 < krzee> ahh cool
07:07 < ecrist> surprisingly, nobody's abusing it.
07:07 < ecrist> reiffert's suggestion
07:07 < krzee> oh i figured only we could
07:07 < krzee> *shrug* that works
07:07 < krzee> we can always lose the abusers ;]
07:07 < ecrist> exactly
07:08 < krzee> welcome to ##openvpn, we have given you enough rope to hang yourself with, tie it wisely
07:08 < krzee> haha
07:09 < djc> krzee: so can I see the ccd/ipp.txt that go along with your sample configs, too?
07:09 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: isox, dazo_gone, Bushmills, djc, karlpinc, kaii
07:09 -!- ThoMe is now known as thomas
07:09 < krzee> pretend it doesn't exist
07:09 < krzee> openvpn makes it itself
07:09 < krzee> and i will remove it anyways
07:09 < krzee> cause ipp is kinda useless
07:10 -!- Netsplit over, joins: djc, dazo_gone, karlpinc, kaii, isox, Bushmills
07:10 -!- thomas [i=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)]
07:10 -!- ThoMe [n=tm@tm.muc.de] has joined ##openvpn
07:10 < krzee> there, removed
07:11 < krzee> !ipp
07:11 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
07:11 < krzee> see #2
07:11 < djc> !static
07:11 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Connection timed out]
07:11 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder
07:12 < reiffert> ecrist: sorry?
07:12 < reiffert> ah, -t
07:13 < krzee> djc, is it that complicated?
07:13 < krzee> i thought my bot spelt it out pretty simply
07:13 < djc> krzee: yes, sorry, I'm not that well-versed in all of this
07:14 < krzee> ok
07:14 < djc> and it's a while ago that I set this up
07:14 < krzee> !static
07:14 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) also see !ccd and !iporder
07:14 < krzee> !ccd
07:14 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
07:14 < djc> one of the attractions of subnet topology is that it makes it work just like a normal DHCP-run subnet
07:14 < krzee> all it does is get around this:
07:14 < krzee> !net30
07:14 < vpnHelper> krzee: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
07:14 < krzee> and here's how:
07:14 < krzee> !topology
07:14 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
07:15 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn
07:15 < krzee> but that doesn't make ifconfig-push any different
07:15 < krzee> !man
07:15 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:15 < djc> yeah, reading the manual now
07:16 < krzee> example: ifconfig-push 10.8.0.0 255.255.255.0
07:17 < djc> right
07:17 < krzee> err
07:17 < krzee> example: ifconfig-push 10.8.0.4 255.255.255.0
07:17 < krzee> my bad, 0.0 wouldn't be cool
07:17 < djc> yeah
07:19 < krzee> !forget static 2
07:19 < vpnHelper> krzee: Joo got it.
07:19 < krzee> !learn static as example: ifconfig-push 10.8.0.6 255.255.255.0
07:19 < vpnHelper> krzee: Joo got it.
07:20 < krzee> !learn static as also see !ccd and !iporder
07:20 < vpnHelper> krzee: Joo got it.
07:22 < reiffert> time for opening the grill season
07:22 < reiffert> time to open the grilling season?
07:22 < ecrist> hell yeah
07:29 < djc> ARGH
07:29 < djc> wtf
07:32 < djc> guys, I love openvpn when it works, but configuration is just a fucking pain
07:32 < djc> I'll just work with connect-order IPs for now
07:32 < krzee> lol
07:32 < krzee> you had it spoon fed to you
07:33 < krzee> my bot did everything but add it to your config for you
07:33 < djc> I know you think so, but apparently I'm just not too bright or not as into openvpn that what your bot did felt as spoonfeeding
07:33 < djc> I tried to specify --route and it just kept complaining about not having a gateway
07:34 < krzee> it gave you the commands to paste in your config
07:34 < krzee> wasn't it a static ip you wanted to add...?
07:34 < krzee> not having a gateway... you on dialup?
07:34 < djc> yes, but to use ccd I apparently need to add route?
07:34 < krzee> no...
07:34 < krzee> !ccd
07:34 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
07:34 < krzee> does it say something about route there?
07:35 < djc> the text from the example config did say something about that
07:35 < krzee> i said my bot spoonfed you, not some example config somewhere
07:35 < djc> this is from the official one
07:35 < krzee> *shrug*
07:36 < djc> but ok, let me try again
07:36 < krzee> you misunderstood it, and my bot DID tell you exactly what to do
07:36 < krzee> what it probably said is that iroute MUST go in a ccd entry if it is going to be used
07:36 < krzee> but a better explanation of that stuff is in my routing writeup (!route)
07:36 < krzee> but it has nothing to do with static ips
07:37 < qknight> afonso: /j #kde
07:37 < djc> !iporder
07:37 < vpnHelper> djc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:37 < krzee> afonso isn't even in here qknight
07:37 < djc> !static
07:37 < vpnHelper> djc: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
07:38 < djc> !ccd
07:38 < vpnHelper> djc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
07:39 < krzee> goodnight
07:39 < tjz> niteee
07:39 < djc> well, I have client-configdir /etc/openvpn/ccd in my config, then /etc/openvpn/cdd/client1 contains ifconfig-push 10.8.0.2 255.255.255.0
07:40 < djc> but 10.8.0.2 is still given out to client2 if I connect it first
07:40 < djc> but thanks for your patience
07:43 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"]
07:45 < djc> to be fair, the ccd for client1 seems to work, but that apparently doesn't mean that other clients can get that IP address
07:45 < djc> which is .. well, stupid
07:46 -!- djc [n=djc@xavamedia.nl] has left ##openvpn []
07:48 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
07:49 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
08:03 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection]
08:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:58 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has joined ##openvpn
08:59 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has quit [Client Quit]
09:00 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has joined ##openvpn
09:25 -!- c64zottel [n=hans@p5B17B25E.dip0.t-ipconnect.de] has quit ["Leaving."]
09:34 -!- teddy__ [n=teddy@208.92.235.227] has quit [SendQ exceeded]
09:36 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn
09:37 -!- lepine1 [n=leprecha@206-248-132-81.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)]
09:42 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
09:47 < ecrist> krzee: when you want that server turned up?
10:02 < lepine> this might not be an openvpn specific question, but that's the scope i'm wondering about anyway ... is there a way to have the server push dns servers ... but have the client use its pre-existing dns for local domains? eg, i want to tunnel out of work, and i want to use my own DNS whenever possible ... except that any queries to our local windows domain will fail ... what can i do? except a last hosts file
10:03 < lepine> *except a long hosts file
10:04 < lepine> or offering recursion on my own dns and host copies of the zones (i don't want to)
10:04 < ecrist> lepine: that doesn't really work in *any* network scenario
10:05 < lepine> so i
10:05 < lepine> have to use a large hosts file?
10:06 < ecrist> yes, if you've got a bunch of private dns stuff on two separate networks.
10:07 < lepine> bleh, using work's DNS would make the vpn more or less pointless
10:09 < lepine> The day they start logging DNS queries, i'll start getting worried ... i can live with that for now ...
10:10 < lepine> is there a way i can set that behaviour in the client ... keep the push dns ... so other clients use the supplied DNS ... but this one client for me at work doesn't?
10:22 < ecrist> hrm, I don't know that there's a way to *not* push an option
10:22 < ecrist> lemme look
10:22 < ecrist> what version openvpn?
10:24 -!- lepine [n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit ["Leaving."]
10:36 < ecrist> nm
10:36 -!- codev [n=avinash@static-71-172-94-115.nwrknj.fios.verizon.net] has joined ##openvpn
10:37 < codev> I'm trying to get openVPN set up correctly, and I can't ping across the tunnel
10:37 * ecrist points to the channel topic
10:38 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
10:38 < codev> I've checked that, and I have accept as my default policy (flushed) and also ip.forward is on
10:38 < codev> It's basically stopped at PREROUTING ..
10:41 < HardDisk_WP> codev, do you use bridged tunnel?
10:43 < codev> HardDisk_WP: routed
10:43 < HardDisk_WP> ah ok
10:44 < HardDisk_WP> check your gateway settings, nevertheless
10:44 < HardDisk_WP> look if you got crap in the routing tables
10:44 < codev> 10.14.16.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10:45 < codev> That's basically my ptp tun
10:46 < codev> I've got some other routes as well, none overlapping .. like 192.168.122.X that routes to some VMs.. and I can't ping them either
10:46 < codev> so at that point 192.168.122.4 would come over tun0 and would get hung in prerout
10:46 < HardDisk_WP> ok... no idea, sorry
10:46 < HardDisk_WP> eh wait
10:46 < HardDisk_WP> you route everything over tun0...
10:46 < HardDisk_WP> circle routing.
10:47 < HardDisk_WP> of course.
10:47 < HardDisk_WP> route everything to the openvpn server via eth0 or whatever your inet connection is
10:48 < codev> I have a subnet 192.168.122.X I want to be accessible from the client
10:48 < codev> 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
10:49 < codev> as far as I know..I'd just push that route to the clients..
10:49 < codev> that's not the whole table, let me pastebin
10:51 < codev> http://www.pastebin.ca/1388064
11:25 < ecrist> codev: are you *sure* it's not your firewall?
11:26 < ecrist> generally, 'I can't ping the vpn address' means your firewall is FUBAR
11:28 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:45 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
11:53 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
12:00 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has joined ##openvpn
12:31 -!- huslu_ is now known as huslu
12:42 < dan__t> hi.
12:45 < codev> ecrist: there are NO rules :-/ and def. policy is accept
12:53 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
13:06 < HardDisk_WP> codev, do you have another firewall installed?
13:06 < HardDisk_WP> an IDS maybe?
13:08 -!- adac [n=nutella@host99-45-static.61-88-b.business.telecomitalia.it] has joined ##openvpn
13:10 < adac> Is there a log file on client side that is more verbose than the /var/log/daemon.log ? I get this error at the moment while trying to connect to the vpn server: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
13:14 -!- mepholic [n=what@67.202.101.69] has joined ##openvpn
13:15 < mepholic> Hey guys
13:15 < codev> adac, can you keep in foreground and crank up debugging?
13:15 < codev> HardDisk_WP: doubt it man, base gentoo install lol
13:15 < mepholic> I'm having problems getting non computer uh... clients onto my vpn
13:16 < codev> mepholic: what? lol
13:16 < mepholic> I mean like.. wifi access points and stuff
13:16 < mepholic> ok, my setup:
13:16 < mepholic> i have an openvpn server running on a dedicated server at a nearby datacenter
13:16 < mepholic> clients from all over the country can connect to it
13:16 < HardDisk_WP> mepholic, DD-WRT is capable of being an VPN hotspo
13:17 < HardDisk_WP> üt
13:17 < HardDisk_WP> +t
13:17 < mepholic> this is a tab based vpn
13:17 < mepholic> uh
13:17 < mepholic> tap*
13:17 < mepholic> HardDisk_WP, not my question, hold on just a minute :)
13:17 < adac> codev, sorry I don't understand?
13:18 < mepholic> anyways, i'm running a DHCP server so i can have multiple vpn servers on the same subnet
13:18 < HardDisk_WP> ah k
13:18 < mepholic> now what I am doing at my house, is i have 2 ethernet adapters in my computer
13:18 < mepholic> connected to the vpn
13:18 < mepholic> then i bridged the vpn interface and one of the ethernet adaptors
13:18 < mepholic> that is then plugged into a vlan on my switch
13:19 < mepholic> so i have a vlan on my switch that I can plug computers into and be "directly" on the vpn
13:19 < mepholic> it works with my laptop just fine
13:19 < mepholic> now i tried to plug a WAP11 Linksys Wireless access point into it
13:19 < mepholic> i configured it beforehand
13:20 < mepholic> then plugged it into the vpn
13:20 < mepholic> and it doesn't work
13:20 < mepholic> i can't get ping responses, clients on the access point can't get to the vpn, etc
13:20 < mepholic> same thing with a Cisco ATA 186 i have
13:21 < mepholic> no pings, can't access the web interface
13:21 < mepholic> that is an analog to ip telephone converter
13:21 < codev> :-/
13:21 < mepholic> does anybody know why I can get computers to work, but not other network devices?
13:22 < mepholic> the one thing that i thought about was the weird subnet
13:22 < mepholic> 14.28.0.0/14
13:22 < mepholic> I even tried to statically configure the access point
13:23 < mepholic> put it on 14.28.3.10 with 14.28.1.1 as the gateway, 255.252.0.0 as the netmask, etc
13:23 < mepholic> no luck
13:24 < mepholic> by the way, this is a linux bridge
13:27 < mepholic> anyways, I'm baffled
13:29 < codev> i have the same problem, but it's just..that i can ping my vpn lol
13:30 < mepholic> from a bridge?
13:30 < codev> I'm trying to get the client's ping to get through a bridge on the VPN server
13:30 < codev> i've got a ton of VMs and they're sitting on a bridge
13:30 < codev> route looks good
13:30 < codev> i just have no idea
13:30 < mepholic> lololol
13:30 < mepholic> god i love vm's
13:30 < mepholic> openvz?
13:31 < codev> qemu/kvm actually
13:31 < mepholic> ew
13:31 < mepholic> i got it working perfectly with openvz
13:31 < codev> how is openvz?
13:31 < mepholic> awesome
13:32 < mepholic> other than the need to replace your kernel
13:32 < mepholic> but you can cram tons of vps's onto a box
13:32 < codev> ah, do that anyway cause this KVM env is ONLY to test a live Xen env
13:32 < mepholic> they are really fast too
13:32 < mepholic> ah
13:32 < codev> my routing was working fine until i added openvpn
13:32 < codev> then i fucked it all up
13:32 < codev> now i can't even ping vpn lol
13:32 < mepholic> well, if you are going to be running openvpn off of a vps, use xen
13:33 < mepholic> if you are using tap that is
13:33 < mepholic> it works fine with tun on openvz
13:33 < mepholic> but tap won't work
13:34 < mepholic> so what i did, is i have a hardware node running a tap based openvpn server
13:34 < codev> it must be something I'm doing that's wrong cause the examples work fine
13:34 < mepholic> with the tap interface and a few vps's in a bridge
13:34 < codev> what do you have running on openvz??
13:34 < mepholic> well
13:34 < mepholic> a dns server, a ntp server, a dhcp server
13:35 < mepholic> ntp and dhcp are on the same box
13:35 < mepholic> well
13:35 < mepholic> vm
13:35 < mepholic> dns is on a separate vm
13:35 < mepholic> then i have another hardware node on the other side of the country with a few more vm's
13:35 < mepholic> another dns server
13:35 < codev> gotcha
13:35 < mepholic> some other stuff
13:35 < mepholic> main server is in chicago
13:36 < mepholic> the secondary dns is in vancouver
13:36 < mepholic> then i have another box in toronto doing things like ldap and such
13:37 < mepholic> this has been an ongoing project since early december
13:47 -!- codev [n=avinash@static-71-172-94-115.nwrknj.fios.verizon.net] has quit ["Lost terminal"]
14:22 < krzee> why do you want bridge instead of routed tunnel?
14:23 < krzee> also
14:23 < krzee> Fixed.... Turns out it was a VMWare issue with it not allowing the interfaces
14:23 < krzee> to be promisc. Once I turned it on, things worked great!!!!
14:23 < krzee> that's a recent message from the mail list
14:23 -!- ampsix [i=moneybag@has.no.info.tm] has joined ##openvpn
14:24 < krzee> (that was a bridge)
14:24 -!- cirdan_ [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has joined ##openvpn
14:25 -!- cirdan_ [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has quit [Client Quit]
14:26 -!- cirdan [n=chris@c-68-45-49-233.hsd1.nj.comcast.net] has quit [Nick collision from services.]
14:27 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:29 < mepholic> why do you want bridge instead of routed tunnel?
14:29 < mepholic> routed tunnels are useless
14:29 < krzee> ??
14:29 < mepholic> first of all, i couldn't do dhcp
14:29 < krzee> why would you need dhcp?
14:29 < mepholic> or anything else that the vpn is actually meant for
14:29 < mepholic> anything requiring broadcasts or multicasts
14:30 < krzee> broadcasts are ip packets sent to ethernet, a routed tap will do
14:30 < mepholic> i'm talking about like
14:30 < mepholic> samba, online games, etc
14:30 < mepholic> lan games
14:30 < krzee> same = wins
14:31 < krzee> lan games, if they use layer2 are a good reason tho
14:31 < krzee> but to say routed tuns are useless is very wrong
14:31 < mepholic> kraut, routed tunnels are useless for me
14:31 < krzee> cause over 90% of the time that's what people who are trying to setup a bridge really need
14:31 < krzee> !tunortap
14:31 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
14:31 < mepholic> which i do
14:32 < krzee> cool
14:32 < krzee> carry on
14:32 < mepholic> i just wanna figure out why this isn't working
14:32 < mepholic> i don't see why it wouldn't be
14:32 < krzee> i missed the question
14:32 < mepholic> well, there is no reason that it shouldn't be
14:32 < mepholic> read up
14:33 < mepholic> i explained everything up there
14:33 < mepholic> kind of a longish question
14:33 < krzee> i would but i need to leave in 3 minutes
14:33 < mepholic> now what I am doing at my house, is i have 2 ethernet adapters in my computer
14:33 < mepholic> connected to the vpn
14:33 < mepholic> then i bridged the vpn interface and one of the ethernet adaptors
14:33 < mepholic> that is then plugged into a vlan on my switch
14:33 < mepholic> so i have a vlan on my switch that I can plug computers into and be "directly" on the vpn
14:33 < mepholic> it works with my laptop just fine
14:33 < mepholic> now i tried to plug a WAP11 Linksys Wireless access point into it
14:33 < mepholic> i configured it beforehand
14:33 < mepholic> then plugged it into the vpn
14:33 < mepholic> and it doesn't work
14:33 < mepholic> i can't get ping responses, clients on the access point can't get to the vpn, etc
14:33 < mepholic> same thing with a Cisco ATA 186 i have
14:33 < mepholic> no pings, can't access the web interface
14:33 < mepholic> :3
14:34 < krzee> you know you don't need 2 nics for openvpn right?
14:34 < mepholic> for what i'm doing, I do
14:34 < mepholic> you see, my computer is a client
14:35 < mepholic> one is plugged into my lan, which goes out to the internet
14:35 < mepholic> the other is plugged into a 6 port vlan on my switch
14:35 < mepholic> tap0 is bridged with eth1
14:35 < mepholic> which is plugged into the switch
14:35 < krzee> ya man i have no clue
14:35 < krzee> i haven't setup a bridge in years
14:35 < mepholic> so i can plug devices into the switch on that vlan, and they'll be on the vpn
14:36 < krzee> if one of my servers gets owned i'm not gunna let my lan be vuln to layer2 attacks
14:36 < krzee> i stick to layer3 for the inet
14:36 < mepholic> it's not like this is a business
14:36 < krzee> me neither
14:36 < mepholic> it's just a project i'm working on
14:36 < mepholic> but you can't get to my lan from the vpn
14:37 < mepholic> i just want to be able to for example, have a wifi access point that is on the vpn directly
14:37 < krzee> cool, i still don't know
14:37 < mepholic> mmk
14:37 < mepholic> thanks anyways
14:38 < krzee> np, woulda helped if it was a setup i had some experience with
14:38 < mepholic> well, you understand the problem though, right?
14:38 < mepholic> computers will work when they are plugged into the vlan, but other network devices won't
14:39 < krzee> i'd call that a good thing personally
14:39 < krzee> *shrug*
14:40 < krzee> do you even get ARP?
14:40 < krzee> shit it's 3:40 i gotta go
14:40 < mepholic> yes i do
15:01 -!- cunderid [n=arne@p548EFDD5.dip.t-dialin.net] has joined ##openvpn
15:08 -!- cunderid [n=arne@p548EFDD5.dip.t-dialin.net] has left ##openvpn ["Ex-Chat"]
15:12 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
15:18 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
15:23 < krzie> werd back
15:51 < dan__t> werd
15:54 -!- ampsix [i=moneybag@has.no.info.tm] has quit [Remote closed the connection]
15:54 < krzie> zabbix is <3
15:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
16:01 < adac> can someone help me with this error: http://pastebin.com/m4fb7d7e1 ?
16:06 < troy-> if i run build-key client2 at a later time do i need to rerun ./build-dh?
16:07 < dan__t> no
16:07 < troy-> what does build-dh do?
16:07 < krzie> dh keys are only generated 1x, and only go on the server
16:07 < krzie> !dh
16:07 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
16:08 < troy-> ah, thank you
16:08 < krzie> np
16:08 < krzie> #
16:08 < krzie> Fri Apr 10 22:56:09 2009 us=5565 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
16:09 < krzie> are you sure you're connecting to the right port on the right ip with the right protocol?
16:09 < krzie> if so, are you sure the firewall on the remote machine has that port for that ip for that protocol open?
16:09 < adac> krzie, yes I'm sure about the ip and port
16:09 < krzie> and if so, are you sure the service provider allows a connection to that port on that ip for that protocol to be connected to
16:10 < adac> problem is the vpn server is behind a NAT
16:10 < krzie> then setup the port forward
16:10 < adac> I did port forwarding on my linuxy server to the vpn server machine
16:10 < krzie> either you didn't open the port in the firewall or your port forward didn't work
16:11 < krzie> cause connection refused means 1 very specific thing
16:11 < krzie> it got a request, and actively refused it
16:11 < krzie> versus a timeout
16:11 < adac> krzie, port forwarding also should be fine...i did that a hundred times on other apps. :(
16:11 < krzie> also
16:11 < krzie> consider moving from rc11 to rc15
16:11 < krzie> (even tho that's not your problem, it could be another)
16:12 < adac> krzie, I see
16:12 < krzie> then maybe you didn't open the port in firewall
16:12 < krzie> but it's something along those lines
16:12 < krzie> doublecheck it's UDP and not TCP you forwarded/opened
16:12 < dan__t> Are you using UDP over a really, really shitty router?
16:12 < dan__t> Like, say, a Linksys WRT
16:12 < krzie> hey those aren't that shitty!
16:13 < dan__t> They are for OpenVPN
16:13 < krzie> i've got some serious no-name routers that are much shittier!
16:13 < dan__t> and heavy UDP
16:13 < dan__t> heh
16:13 < krzie> heheh
16:13 < dan__t> Do they butcher UDP? No.
16:13 < dan__t> haha
16:13 < adac> krzie, dan__t uhh I see probably udp makes the problem
16:13 < krzie> (i grabbed a few wifi routers to test diff WEP attacks on diff routers)
16:13 < krzie> it could be, but if you can get UDP working you want to
16:13 < krzie> !tcp
16:13 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:14 < dan__t> oh, whatever.
16:14 < adac> krzie, dan__t: this is how i did forwarding on the server router to the server vpn: http://pastebin.com/m36fcc313
16:14 < dan__t> The margin of failure or error is so miniscule that on 10MBit I'm not going to give a flying fuck.
16:14 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn
16:14 < guy191> Hii room
16:14 < dan__t> Hii dude.
16:14 < krzie> hiiii
16:15 < guy191> which VPN Software work with by default WinXP VPN client ?
16:15 < krzie> !notcompat
16:15 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
16:15 < guy191> i meant open VPN doesn't work with XP clients
16:15 < krzie> sure it does, but not with default one
16:15 < krzie> you can install openvpn on windows...
16:15 < krzie> even comes with a lil gui for ya
16:15 < guy191> yes.. openvpn client ?
16:16 < krzie> and can be installed as a service
16:16 < krzie> openvpn doesn't have a client / server app
16:16 < krzie> the config decides how it works
16:16 < krzie> but yes
16:16 < adac> krzie, dan__t: with openvpn: do I have to port forward the port also on client side?
16:16 < krzie> adac
16:16 < krzie> no
16:16 < guy191> krzie: open vpn is not client/server app
16:16 < krzie> not if the client is connecting to the server
16:17 < krzie> guy191 openvpn can be setup to run client/server
16:17 < krzie> or point-to-point
16:17 < adac> krzie, ok I see! I read this somewhere on the internet (:
16:17 < dan__t> No, but if your firewall has no knowledge of a "related" or "established" port then you're fucked.
16:17 < krzie> but you use the exact same install no matter what
16:17 < guy191> i meant.. if i will install openvpn server on linux then clients will be XP installed client
16:17 < krzie> the config decides how it acts
16:17 < dan__t> However, if you can connect to the internet through it, chances are great that it does.
16:17 < guy191> oh i see
16:18 < guy191> which VPN router work very well with XP by default clients ?..
16:18 < guy191> Cisco routers ?
16:18 < krzie> adac, most routers will automatically map a way back through the nat when you make an outbound connection, that's how STUN works for voip
16:18 -!- mepholic [n=what@67.202.101.69] has quit [Remote closed the connection]
16:18 < adac> krzie, ok I see!
16:19 < krzie> guy191 dunno, this is a channel for openvpn only
16:19 < krzie> and openvpn works great for XP
16:19 < krzie> as well as linux, bsd
16:19 < guy191> hmm..
16:20 < krzie> if you use ssl-admin it will even zip up the client config with their certs, they just move those files into the right place after installing openvpn, and booya all done
16:23 < adac> krzie, so do i need to port forward udp and tcp on vpn server side?
16:24 < dan__t> Either OR
16:26 < adac> dan__t, well in my config there is udp uncommented so i guess it has to be the udp port that needs to be forwarded? ;)
16:26 < dan__t> One would assume so.
16:26 < adac> hehehe :)
16:28 < krzie> heheh
16:33 < adac> Ok I get another error now after forwarding with the correct udp protocol now :P http://pastebin.com/m4dc54877
16:34 < guy191> what is benefits of DMZ.. where we need to use it ?
16:36 < guy191> adac: its a error of open VPN with SSL ?
16:37 < dan__t> guy191, when one host in the organization should not be connected by any means to any other part of the organization?
16:39 < guy191> Dan__t: sorry didn't get .. what u said ?
16:42 < krzie> a DMZ is good for separating something that can be connected to from the world from the LAN which cannot
16:42 < krzie> so lets say your webserver gets owned
16:42 < krzie> its in a separate lan, and does not compromise the rest of your network if your firewall is setup correctly
16:43 < guy191> hmm..
16:43 < guy191> which Distro is best for Open VPN ?
16:43 < krzie> very common for corporate networks
16:44 < krzie> basically a DMZ is part of the network which is less trusted than the rest
16:44 < krzie> guy191, whichever distro you are most comfortable with
16:44 < adac> krzie, dan__t: what is the difference between server.crt and ca.crt? which of those two are needed on client side?
16:45 < krzie> openvpn runs fine on all BSD and linux distros, it comes down to how well you know the system for the rest of administration
16:45 < guy191> hmm.. Ubuntu / Centos
16:45 < krzie> adac, see !howto
16:45 < krzie> there is a table of which files go where
16:45 < krzie> the difference is plain when you understand how PKI works
16:45 < krzie> (so read about it)
16:45 < adac> krzie, ok!
16:46 < guy191> adac: read this one regarding keys.. looking nice
16:46 < guy191> http://openvpn.net/archive/openvpn-users/2004-09/msg00252.html
16:46 < vpnHelper> Title: [Openvpn-users] SSL/TLS Configuration (at openvpn.net)
16:46 < adac> guy191, thx!
16:48 < krzie> also for making keys, you may enjoy ssl-admin
16:48 < krzie> very good key management system
16:48 < krzie> !ssl-admin
16:48 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:48 < guy191> krzie: if we have all Unix systems on LAN with VPN Server.. so the client will connect to it and share network.. what extra things will be important on VPN Server to configure for sharing XP client with LINUX /Unix LAN services ?
16:48 < krzie> if you want to use the packaging ovpn.conf + ssl-keys feature you need to install zip as well 16:49 < krzie> guy191 what services will need to be shared? 16:49 < guy191> file sharing.. 16:49 < krzie> and for LANs behind openvpn, see !route (as the topic says) 16:49 < krzie> file sharing using samba? 16:49 < reiffert> guy191: a firewall 16:49 < krzie> file sharing using NFS? 16:49 < reiffert> = important 16:49 < krzie> file sharing using ftp? 16:49 < guy191> krzie: samba/nfs.. 16:49 < krzie> file sharing using your mom to hand them manually? 16:50 < krzie> there we go! 16:50 < krzie> for samba you will need WINS 16:50 < krzie> !wins 16:50 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 16:50 < reiffert> wins sucks. 16:50 < krzie> reiffert negative, it's better than using a bridge for samba 16:50 < guy191> krzie: why wins ? 16:50 < reiffert> just use a broadcast relay 16:51 < krzie> *shrug* you could do that too, but windows was made to use wins anyways 16:51 < reiffert> or bridging setup (openvpn) 16:51 < krzie> either way, broadcast relay or wins 16:51 < guy191> krzie: if client is connected to network then samba services on that UNIX/LINUX servers is not enough through samba ? 16:51 < krzie> maybe you could write a doc on adding a broadcast relay reif 16:51 < reiffert> samba was designed to be used on LANs and not on VPN tunnels 16:51 < krzie> and for NFS support on windows, you're on your own, it's a PITA and i never found a reliable free method 16:51 < guy191> hmm.. 16:52 < reiffert> ah well, windows networking that is.
16:52 < krzie> reiffert sure it was, that's why they made wins 16:52 < reiffert> crap 16:52 < krzie> well was kinda, not too good of performance on it 16:52 < krzie> in fact rather poor 16:52 < krzie> but hell it's a windows protocol, what do we expect 16:52 < reiffert> wins helps browsing but it's not speeding up file transfer across vpn tunnels 16:52 < guy191> krzie: i noticed that VISTA in lan doesn't support SAMBA ? 16:53 < krzie> i wouldn't know, i've never used vista and never will 16:53 < krzie> i use osx and BSD 16:53 < guy191> haha oh yes !! 16:53 < reiffert> oh yes!! 16:53 < krzie> yes oh yes! 16:53 * krzie dry humps the desk 16:53 < reiffert> yeah yes yes oh yeah!! 16:54 < krzie> whoever pasted this: http://openvpn.net/archive/openvpn-users/2004-09/msg00252.html 16:54 < vpnHelper> Title: [Openvpn-users] SSL/TLS Configuration (at openvpn.net) 16:54 < guy191> haha what happened guyz 16:54 < krzie> they didn't make the server cert right 16:54 < krzie> !servercert 16:54 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 16:54 < krzie> -extensions server is important for !mitm 16:54 < guy191> i meant Ooh yes.. because i'm sitting in UNIX/LINUX world so why would vista be here 16:55 < reiffert> krzie: you could hand that in your openssl.cnf file 16:55 < adac> hmm it seems that I'm now connected to the vpn...but i still have the local ip address and not the remote one 16:55 < reiffert> guy191: oh YES!
16:55 < krzie> adac: 16:55 < krzie> !configs 16:55 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries 16:55 < krzie> what do you mean the local ip and not remote 16:55 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn 16:56 < reiffert> adac: maybe because of IP addresses are made to be used locally .. 16:56 < krzie> you mean you expected it to automagically default route through the VPN? 16:56 < adac> krzie, aye :) 16:56 < unix3> Hello all 16:56 < krzie> here's what you need: 16:56 < krzie> !def1 16:56 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:56 < krzie> !linnat 16:56 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:56 < reiffert> I want to have the IP address of google.com, gimme YES YES YES!
16:56 < adac> krzie, It was like that when I connected to my other vpn 16:56 < krzie> !linipforward 16:56 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 16:56 < reiffert> !static 16:56 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 16:56 < reiffert> !ccd 16:56 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 16:56 < reiffert> !ipp 16:56 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 16:56 * krzie dry humps reiffert's desk 16:56 < reiffert> :) 16:57 < guy191> krzie: network Manager tool also plays a vital role with open VPN on Linux .. ? 16:57 * reiffert takes a ride 16:57 < reiffert> bbl 16:57 < krzie> reiffert why the floop for static ips? did i miss someone asking bout that, lol 16:57 < krzie> !ubuntu 16:57 < vpnHelper> krzie: "ubuntu" is don't use network manager! 16:57 < adac> krzie, ok I did that ;) 16:57 < reiffert> krzie: wanna have some lard for the dry desk? 16:57 < guy191> !centos 16:57 < vpnHelper> guy191: Error: "centos" is not a valid command. 16:57 < krzie> bring on the lard! 16:57 < guy191> !fedora 16:57 < vpnHelper> guy191: Error: "fedora" is not a valid command.
16:58 < adac> No i just play around with the config files...I'm sure I'll find out how to make this work! 16:58 < reiffert> !YES 16:58 < vpnHelper> reiffert: Error: "YES" is not a valid command. 16:58 < reiffert> doh 16:58 < krzie> lol reiffert 16:58 < guy191> any ways..Thanks Guys for discussion !! 16:58 < krzie> you're in a funny mood today ;] 16:58 < reiffert> !learn YES as i meant Ooh yes.. 16:58 < guy191> !vpnhelper 16:58 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 16:58 < vpnHelper> guy191: Error: "vpnhelper" is not a valid command. 16:59 < guy191> !helper 16:59 < vpnHelper> guy191: Error: "helper" is not a valid command. 16:59 < guy191> ba bye !! 16:59 < krzie> !winnat 16:59 < vpnHelper> krzie: Error: "winnat" is not a valid command. 16:59 < guy191> !bye 16:59 < vpnHelper> guy191: Error: "bye" is not a valid command. 16:59 < krzie> bye guy 16:59 < reiffert> öäü 16:59 < reiffert> afk 16:59 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn [] 17:00 < unix3> hello guys.. I am a newbie in firewalls.. I have read docs.. and I have successfully established a VPN between two sites (client connecting to server) .. I am asking for some orientation to configure this to actually do something for me... I am a little confused on the config that server.conf should have to allow my client to access an IP. 17:01 -!- Gumbler is now known as Gumbler|NotHere 17:01 < unix3> What i have in server.conf is # Address range for the tun(4) interfaces server 10.0.1.0 255.255.255.0 , # Add routes to the remote networks to the server's routing table route 192.168.0.0 255.255.255.0 ... based on that what do I do on the client to be able to ping _something_ in the server's network?
17:02 < krzie> !route 17:02 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:02 < unix3> am i supposed to be able to ping 10.0.1.1 from the client .. and it answering? 17:02 < krzie> only if you set it up correctly 17:02 < krzie> see the part of that doc below the picture 17:04 < unix3> hmm ok, I am reading it.. but.. I'd like to note that.. ultimately all I want to do is terminate all the traffic from my client to the internet gateway that the server uses.. that's all :P 17:04 < krzie> i thought you said you wanted to access the lan 17:05 < unix3> at first.. just to test.. because i haven't been able to do anything with my VPN hehe.. but it would be better just to go ahead and do this internet termination over the vpn 17:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:06 < krzie> what os is server? 17:06 < unix3> most of the FAQs and docs i've read are just to link two LANs 17:06 < unix3> openbsd 17:06 < krzie> you need to setup NAT for the vpn ips to the inet on the server 17:06 < krzie> as well as IP forwarding 17:06 < krzie> and then: 17:06 < unix3> i know how to do that... 17:07 < krzie> !def1 17:07 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:07 < krzie> that can be used in the client.conf or pushed to it from server conf 17:08 < krzie> and if you'd report back on how to nat and ip forward in openbsd, i can add it to my bot 17:08 < krzie> !bsdnat 17:08 < vpnHelper> krzie: "bsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 17:08 < krzie> !forget bsdnat 17:08 < vpnHelper> krzie: Joo got it. 17:09 < krzie> !learn fbsdnat as http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 17:09 < vpnHelper> krzie: Joo got it. 17:09 < unix3> okey I am kinda understanding now.. So in my client server.. I can NAT all traffic from eth0 to tun .. is that what I need as step 1? 17:09 < krzie> huh? 17:09 < krzie> no 17:10 < krzie> if you want to redirect all traffic from client to go to inet through server, you NAT the vpn network on the server 17:10 < unix3> what do I need to nat within my client server to where again? 17:10 < krzie> wtf is a clientserver 17:10 < unix3> please disregard client server, i meant client 17:11 < krzie> on the server 17:11 < krzie> in the firewall 17:11 < krzie> you nat vpn network to external 17:11 < unix3> understood 17:11 < krzie> just like if it were a LAN and your server were the router 17:11 < unix3> and what do i do on the client.. nothing? 17:12 < krzie> !def1 17:12 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:12 < krzie> you make it default route over the vpn 17:12 < unix3> understood 17:13 < krzie> ip forwarding must be enabled on the server machine as well 17:13 < unix3> both enabled. :) 17:13 < krzie> note, this does NOT help you with seeing the lan 17:13 < krzie> those are 2 very separate things 17:13 < unix3> its ok, i don't need that 17:13 < krzie> they can co-exist, but are done differently 17:13 < unix3> for now though 17:13 < krzie> when it comes time to have lans connectable, see !route 17:14 < unix3> ok step by step :) 17:14 < krzie> my writeup explaining everything you could need to know for that 17:14 < krzie> =] 17:15 < krzie> and if you wouldn't mind sharing how you enabled ip forwarding and nat rules on openbsd, i could update my bot for the next guy 17:15 < krzie> (i use freebsd) 17:15 < unix3> So back to the client.. I just change the default gateway . What is this about a def1 flag? where is that supposed to go? 17:15 < krzie> !def1 17:15 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:15 < krzie> READ THAT 17:15 < krzie> don't skim, my bot doesn't have fluff in those descriptions 17:15 < krzie> !man 17:15 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:16 < unix3> ok let me get this first to work and ill brb 17:16 < krzie> cool 17:18 < krzie> !factoids search forward 17:18 < vpnHelper> krzie: 'winipforward', 'linipforward', and 'bsdipforward' 17:19 < krzie> !learn ipforward as please choose between !linipforward !winipforward and !fbsdipforward 17:19 < vpnHelper> krzie: Joo got it. 17:19 < krzie> !bsdipforward 17:19 < vpnHelper> krzie: "bsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 17:19 < krzie> !forget bsdipforward 17:19 < vpnHelper> krzie: Joo got it. 17:19 < krzie> !learn fbsdipforward as is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 17:19 < vpnHelper> krzie: Joo got it. 17:19 < krzie> !factoids search nat 17:19 < vpnHelper> krzie: 'nat', 'linnat', and 'fbsdnat' 17:19 < krzie> !nat 17:19 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding 17:19 < krzie> hrmz 17:20 < krzie> !learn nat as please choose between !linnat and !fbsdnat for specific howto 17:20 < vpnHelper> krzie: Joo got it. 17:21 < krzie> !learn redirect as in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push) 17:21 < vpnHelper> krzie: Joo got it. 17:22 < krzie> !learn redirect as you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and !ipforward) 17:22 < vpnHelper> krzie: Joo got it. 17:23 < krzie> !push 17:23 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 17:23 < krzie> there we go! 17:24 < unix3> so for now on the client.. 
all I do is something like: /usr/local/sbin/openvpn --config /etc/openvpn/client.conf --redirect-gateway def1 17:24 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder 17:25 < krzie> you can put redirect-gateway def1 in the config 17:25 < krzie> anything can be put in the config if you remove the -- 17:25 < krzie> but ya that works too... 17:25 < unix3> nice 17:26 < unix3> ok let's try this out :) 17:26 < krzie> it can also be pushed to take away the option from the client (if it wasn't you) 17:26 < krzie> i like to push most stuff to clients so i can admin * from the server 17:26 < unix3> yeah through command line 17:26 < krzie> but that's not needed 17:27 < unix3> openvpn is absolutely incredible 17:27 < krzie> no i mean you put the option in server.conf but you push it 17:27 < unix3> ohh ok 17:27 < krzie> push "redirect-gateway def1" 17:27 < krzie> would make it appear in the client.conf magically on connect, but they wouldn't see it in the config 17:28 < krzie> it's like an override on client.conf managed from the server 17:28 < krzie> and it can be done only for certain ones if you use ccd entries 17:28 < krzie> !ccd 17:28 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 17:32 < unix3> ok.. I am confused again. I understand there are several ways for me to give commands to openvpn... but why did you say I can push <> inside the config.. you mean I should literally put the words push and order within the config?
17:32 < krzie> you don't need to 17:33 < krzie> since you use openbsd i figure you're kinda advanced 17:33 < krzie> so i was telling you the diff ways an option can be given 17:33 < krzie> redirect-gateway def1 in client.conf is plenty 17:33 < krzie> another way is push "redirect-gateway def1" in server.conf 17:34 < krzie> another way is push "redirect-gateway def1" in a ccd entry on server side for only a certain client, and not all of them like option 2 was 17:34 < krzie> just use #1 if that confuses you 17:34 < krzie> #1 being: redirect-gateway def1 in client.conf is plenty 17:35 < unix3> oki :P 17:35 < krzie> and lemme rephrase that 17:36 < krzie> since you use openbsd and all your questions were specific to openvpn (ie: you understand your OS) 17:36 < krzie> if you were noobish using openbsd you would have had a few openbsd specific questions as well :-p 17:38 < unix3> ok it seems it worked, my default gateway is now 10.0.1.5 ... 17:38 < unix3> however ifconfig output for tun, says its doing 10.0.1.6 -> 10.0.1.5 17:39 < krzie> yup 17:39 < unix3> seems I am half way 17:39 < krzie> !net30 17:39 < vpnHelper> krzie: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 17:40 < unix3> hmm ok i think I am good at least for the client... now I configure the server.. right krzie ? :) 17:41 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has joined ##openvpn 17:41 < krzie> i thought you said you already had ipforwarding and nat on the server 17:41 < unix3> i do 17:41 < unix3> not nat 17:42 < unix3> let me do nat 17:42 < krzie> well nat the vpn network as if it were the lan 17:42 < krzie> and booya 17:43 < psomas> hello 17:43 < unix3> kraut, if i do that.. what happens if the vpn server also hosts apache for example.. that will continue to work.. right?
17:43 < krzie> sure why not 17:44 < krzie> but it won't go over vpn unless you specify the vpn ip and have apache listen on it 17:44 < unix3> its ok don't need that 17:44 < krzie> cause the only way to have a connection to the vpn is to have a direct route to it overriding your vpn default route 17:45 < psomas> is it possible to have multiple tls-remote statements (if u have multiple remote statements with remote-random)? 17:46 < troy-> i'm having an issue whereby two people are connected to the VPN and the server can't ping one of them 17:53 < unix3> nfe0 log on nfe0 from tun0:network to any -> nfe0 pf.conf NAT line 17:53 < unix3> that will redirect tun0 to nfe0 17:58 < krzie> thanx 17:59 < krzie> tested it? 17:59 < unix3> kraut, ok done.. but its not working.. I cannot ping google.com from the client 17:59 < unix3> please remember i did put some route stuff in the server.conf 17:59 < krzie> check logs on server 17:59 < unix3> that needs to be taken out right? 17:59 < krzie> any errors when adding the routes? 17:59 < krzie> possibly 17:59 < krzie> how bout this 17:59 < krzie> !configs 17:59 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries 17:59 < krzie> !logs 17:59 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 17:59 < troy-> krzie, both clients can ping the server and the server can't ping them - *but* the clients can't ping each other 18:00 < troy-> any idea what might be wrong? 18:00 -!- adac [n=nutella@host99-45-static.61-88-b.business.telecomitalia.it] has quit ["Leaving"] 18:00 < krzie> yes 18:00 < krzie> you need client-to-client in the server config 18:01 < unix3> interesting, when I ssh into the client.. it takes forever 18:02 < troy-> krzie, lol 18:03 < krzie> unix, you using tcp or udp?
18:05 < dan__t> So.... anyone want to school me on all the fields of a CRL? 18:05 < krzie> !crl 18:05 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 18:05 < vpnHelper> krzie: that will create the CRL file for you. ssl-admin will also build a crl for you 18:06 < dan__t> I know what the CRL is, I know its function. 18:06 < dan__t> but all the fields inside of it - I want to know all possible fields, what they're called, etc etc 18:06 < krzie> ahh, then i can't expand for ya =] 18:06 < krzie> ecrist might know 18:06 * dan__t stabs ecrist 18:07 < unix3> krzie, http://pastebin.com/m1e80bbf4 18:07 < krzie> gonna go with the interrogation method? 18:07 < krzie> haha 18:07 < dan__t> hah 18:09 < krzie> unix3 i'll be a minute, busy for a few but i have the link open 18:09 < krzie> grab the logs while you wait for me 18:09 < krzie> !logs 18:09 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 18:10 < krzie> and you pasted server.conf 2x, no client.conf 18:10 < krzie> and no ccd entries 18:11 < unix3> krzie, I am sorry.. please disregard all of it.. one min 18:19 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has left ##openvpn [] 18:25 < unix3> krzie, http://pastebin.com/m5a047ca9 18:25 < unix3> there we go :P 18:26 < krzie> you might like to add this: 18:26 < krzie> !hmac 18:26 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 18:26 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 18:27 < unix3> understood.. 18:28 < unix3> btw... krzie when i do show route ... in the client.. it takes forever.. 18:28 < unix3> to show 18:28 < krzie> # 18:28 < krzie> push "route 172.16.0.0 255.255.255.0" 18:28 < krzie> # 18:28 < krzie> route 192.168.0.0 255.255.255.0 18:28 < krzie> # 18:28 < krzie> route 192.168.1.0 255.255.255.0 18:28 < krzie> this means the following: 18:28 < krzie> clients should all route 172.16.0.0 255.255.255.0 through the firewall 18:28 < krzie> the server should add 2 routes to its kernel's routing table 18:29 < krzie> 192.168.0.x and 192.168.1.x 18:29 < krzie> you say there's 1 ccd file 18:29 < krzie> so i assume both those lans are behind 1 client 18:29 < krzie> and that the name of that ccd file is EXACTLY the same as the common-name of the client 18:30 < unix3> no.. unfortunately i just got that from a default config.. 18:30 < unix3> i think i should delete them all 18:30 < unix3> it is exactly the same 18:30 < krzie> well that's what those do, decide if you need it or not and act accordingly 18:31 < krzie> but unless one of 172.16.0.x 192.168.0.x 192.168.1.x is the same as a lan you are using, they won't be doing anything 18:31 < unix3> what does it mean when you say that... clients should all route 172... ? 18:31 < krzie> if they are, and you have it backwards, it could screw something up 18:31 < krzie> push "route 172.16.0.0 255.255.255.0" 18:31 < krzie> this tells all clients to route that network through the vpn 18:32 < krzie> by adding a route in their kernel routing table 18:32 < unix3> there is a single LAN.. and that is.. 192.168.1.0 ..
and it's on the client 18:32 < unix3> the only LAN on the server is the internet itself 18:32 < krzie> and you'd like it to work over the vpn? 18:32 < krzie> (the lan) 18:33 < krzie> and do you want it to work for other clients as well? or just for the server? 18:33 < unix3> krzie, i don't care about any lan actually.. 18:33 < krzie> then remove all 3 of those and the ccd file 18:33 < unix3> understood 18:33 < unix3> brb 18:33 < unix3> coffee 18:34 < krzie> No CCD file in client 18:34 < krzie> that's good, cause it's not an option 18:34 < krzie> hehe 18:34 < krzie> and that wasn't what i wanted from your logs 18:34 < krzie> i want everything from start to finish of making the connection 18:35 < krzie> if i only wanted the portion of you pinging, i would have said so ;] 18:35 < krzie> i want it all! 18:35 < krzie> lol 18:35 < krzie> paha in spanish means jackoff 18:36 < krzie> spelt paja tho 18:37 < krzie> <-- lives in a spanish speaking country 18:39 < dan__t> America? 18:39 < dan__t> Or California? 18:39 < krzie> lol 18:39 < krzie> i moved out of california 2 yrs ago 18:39 < krzie> caribbean 18:40 < dan__t> wow, seriously? 18:40 < dan__t> what's it like living out there 18:40 < dan__t> never really thought of... living out there. 18:41 < krzie> it's great 18:42 < krzie> cheap, beautiful, etc etc 18:44 < unix3> <--- also lives in a spanish speaking country 18:46 < dan__t> cheap? 18:46 < dan__t> like how cheap. 18:46 < dan__t> what do you do for work? 18:51 -!- unix3 is now known as epaphus 18:51 < dan__t> eh? wake up, bitch. 19:05 < epaphus> krzie, this is the log for the server http://pastebin.com/m2a30d0f8 19:06 < epaphus> this is the log for the client http://pastebin.com/d42a81ee 19:08 < epaphus> I think it is wise to note that the ifconfig output for the client shows for tun: inet 10.0.1.6 --> 10.0.1.5 netmask 0xffffffff , and the output on the server shows tun as.. inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff 19:08 < epaphus> is that of any relevance?
19:12 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has joined ##openvpn 19:14 < epaphus> krzie, ? 19:18 < epaphus> anybody? :) 19:33 < troy-> is there anything in the config that can be changed to optimize throughput? 19:33 < troy-> i can never seem to sustain more than 100KB/s 19:36 < krzie> ok i'm back 19:36 < epaphus> krzie, :) 19:36 < troy-> <3 krzie 19:36 < krzie> epaphus those ips are normal, type !/30 for more info 19:36 < krzie> troy: type !mtu-test 19:36 < troy-> !mtu-test 19:36 < vpnHelper> troy-: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 19:36 < krzie> (assuming you use udp) 19:38 < krzie> epaphus i don't see any problem, what's wrong? 19:38 < krzie> oh you're unix3 19:38 < krzie> check your NAT rules 19:39 < krzie> doublecheck ip forwarding is enabled 19:39 < troy-> krzie, how do i know what the dev id is? 19:39 < krzie> troy- why do you think you need it? 19:40 < krzie> you have multiple tun devices or renamed it? 19:40 < troy-> C:\Program Files\OpenVPN\bin>openvpn.exe --mtu-test 19:40 < troy-> Options error: You must define TUN/TAP device (--dev) 19:40 < krzie> LOL 19:40 < krzie> put it in the client config 19:40 < krzie> how would it POSSIBLY test mtu without knowing what server to connect to 19:40 < troy-> inside the ovpn file? 19:40 < psomas> ovpn on windows server 19:40 < psomas> ugly 19:41 < krzie> psomas mtu-test goes in the client 19:41 < psomas> :P 19:41 < troy-> psomas, it's just a windows endpoint 19:41 < psomas> ah 19:41 < psomas> soz then :) 19:41 < krzie> soz? 19:41 < psomas> sorry 19:42 < krzie> ahh 19:43 < epaphus> krzie, i checked all that.. seems to be ok.. I am almost sure that the problem is within the client server.. something to do with the way the traffic goes out of it.. it isn't normal that after I enabled the redirect option.. something was messed up in the routing table..
because when i SSH into the server it takes about 2 minutes to give me a password and login prompt 19:43 < krzie> epaphus wtf is a client server 19:43 < epaphus> when i say "client server" I am referring to the client 19:43 < epaphus> to the client 19:43 < krzie> only use one of those words per machine 19:43 < troy-> krzie, i get an error saying it will only work with proto udp 19:43 < psomas> the client "daemon" prolly 19:44 < epaphus> krzie, when I am in the client.. and i type route show, it takes forever or doesn't show the tables 19:44 < krzie> troy, troy: type !mtu-test 19:44 < krzie> (assuming you use udp) 19:44 < troy-> !mtu-test 19:44 < vpnHelper> troy-: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 19:44 < krzie> since you don't 19:44 < krzie> !tcp 19:44 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 19:44 < krzie> you should expect low performance on a tcp vpn, that link explains why (i got that link from the man page) 19:45 < epaphus> i was thinking that ... why ifconfig said that tun is inet 10.0.1.6 --> 10.0.1.5 ... how did it invent those IPs? shouldn't it be inet 10.0.1.6 --> to.the.ip.of.the.tun.in.the.server? 19:45 < krzie> no epaphus, i told you 2x now to type !/30 to understand why 19:45 < epaphus> !/30 19:45 < vpnHelper> epaphus: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 19:45 < krzie> although if you use 2.1 you can make it that way by reading !topology 19:46 < epaphus> krzie, ok so anyways.. the logs appear to be ok? and they appear to initialize the connection with one another correctly.. right?
19:47 < krzie> perfectly 19:47 < krzie> including routes 19:47 < krzie> your problem is either firewall, NAT, or ip forwarding 19:48 < krzie> all 3 would be on the server machine, and outside of openvpn 19:49 < krzie> you might need to specify the vpn ip range or something, i haven't played in obsd since 1999 19:49 < epaphus> firewall meaning you suspect the udp port is blocked.. right? 19:49 < krzie> no 19:49 < troy-> krzie, what should be in my ovpn file for mtu-test to work? 19:49 < krzie> it wouldn't connect if that was it 19:49 < epaphus> well my firewall only has 1 line, that's the NAT Line 19:49 < krzie> troy-, you'd need to be in udp for that, but mtu isn't your problem, the fact you are on TCP is 19:49 < krzie> (as explained in !tcp ) 19:49 < troy-> krzie, i already changed that option 19:50 < krzie> epaphus i can't help you with openbsd specific stuff, but your problem is in 1 of those 3 places, and not in openvpn 19:50 < krzie> troy- so both sides are connected in udp now? 19:50 < troy-> oh, nope 19:50 < epaphus> krzie, oki.. 19:50 < krzie> then you didn't! 19:53 < epaphus> I think i see the problem now LOL... 20:02 < epaphus> This is the typical error message that the server is not reachable.. right ? Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS handshake failed Apr 10 13:07:23 UsbOcean openvpn[876]: TCP/UDP: Closing socket 20:03 < troy-> krzie, for some reason i can no longer ping my gateway when the connection is udp 20:04 < krzie> yes 20:04 < krzie> troy, did you look in logs for errors? 20:05 < epaphus> krzie, the yes was for me.. right? 20:05 < krzie> yes 20:10 < epaphus> krzie, and this is the typical last line when OpenVPN has been initialized successfully right.. Apr 10 20:06:51 vpn openvpn[25131]: Initialization Sequence Completed ?
20:12 < krzie> yes, but that doesnt guarantee there wasnt an error above 20:13 < krzie> example, some windows clients will get routing errors but still succeed, i have !winroute for them 20:13 < krzie> but your logs looked fine 20:13 < krzie> and all routes were added right 20:13 < krzie> etc 20:13 < krzie> your problem is where i said it was 20:13 < epaphus> yeah its just that i did a little change on the nat now my client wont connect.. but it looks like the server did startup LOL 20:13 < epaphus> yup 20:14 < epaphus> its ok, this is the fun stuff.... ill deal by myself 20:14 < krzie> This is the typical error message that the server is not reachable.. 20:14 < krzie> right ? Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS key 20:14 < krzie> negotiation failed to occur within 60 seconds (check your network 20:14 < krzie> connectivity) Apr 10 13:07:23 UsbOcean openvpn[876]: TLS Error: TLS 20:14 < krzie> handshake failed Apr 10 13:07:23 UsbOcean openvpn[876]: TCP/UDP: 20:14 < krzie> Closing socket 20:14 < krzie> that points to firewall issue 20:14 < krzie> open the udp port 20:14 < krzie> as i said before, all problems you get now til it works are firewall, nat, or ip forwarding 20:14 < epaphus> yup 20:14 < epaphus> checking all 20:15 < epaphus> thing is i broke something, so iam fixing 20:15 < krzie> when those are right, unless you modify your configs, it will work 20:15 < epaphus> :) super fun 20:15 < krzie> you're in the !notopenvpn territory now ;] 20:16 < epaphus> absolutely 20:16 * krzie loves his bot 20:22 < troy-> krzie, is there anything that limits the speed of individual connections? 20:22 < troy-> like i cant seem to get more than 1Mb/s 20:23 < troy-> per stream 20:23 < krzie> yes, --shaper if you choose to use it 20:23 < troy-> will it increase my per stream speed? 20:23 < krzie> are you still on tcp? 20:23 < troy-> udp 20:23 < krzie> no, it will lower it if you use it 20:23 < krzie> ok, did you test mtu now that you're on udp? 
20:24 < troy-> hmm no, sec :P 20:25 < krzie> Uploading jefftest.zip to /usr/home/krzee/jefftest.zip 20:25 < krzie> jefftest.zip 100% 3964KB 3.9MB/s 00:01 20:25 < krzie> thats over a vpn connection (same lan, 2 colo'ed boxes at a datacenter) 20:25 < krzie> a 3.9M file in 1sec 20:31 < epaphus> krzie, the problem is my NAT line in server.... I honestly cannot get it correctly... do you have the line for freebsd? 20:33 < krzie> !fbsdnat 20:33 < vpnHelper> krzie: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html 20:33 < krzie> thats what i have 20:33 < krzie> i havnt done nat in bsd since like yr 2000 20:33 < krzie> in fact i havnt done nat whatsoever since then 20:34 < krzie> except for lil linksys type routers 20:35 < krzie> !google openbsd nat 20:35 < vpnHelper> krzie: PF: Network Address Translation (NAT): ; OpenBSD as a Simple NAT Router - blog.scottlowe.org - The weblog ...: ; NAT with pf | O'Reilly Media: 20:38 < epaphus> yeah well.. the nat line is this one . nat on re0 from tun0:network to any -> re0 20:39 < epaphus> the thing is.. when I enable it.. then immediately my client loses the connection and cant connect 20:39 < epaphus> something must be wrong 20:39 < krzie> welp 20:39 < krzie> as i said 20:39 < krzie> i cant help you with your openbsd specific problem 20:39 < epaphus> i know :) 20:39 < epaphus> just saying for others to comment :P 20:39 < krzie> ahh werd 20:43 < krzie> pass in on $wlan_if inet proto udp from $wlan_if:network to ($wlan_if) port 1194 keep state 20:43 < krzie> try that, changing wlan_if with eth0 20:52 < troy-> krzie, when i use udp for some reason i cant ping the gateway 20:52 < troy-> everything connects fine but no traffic gets through 20:53 < krzie> troy- troy, did you look in logs for errors? 
20:53 < krzie> !logs 20:53 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 20:53 < troy-> i did 20:53 < troy-> oh k 21:02 < troy-> krzie, nothing in log to indicate an issue 21:02 < troy-> just a ton of stuff 21:02 < krzie> ill be the judge of that 21:02 < krzie> verb 6 21:02 < troy-> hehe where to post? 21:02 < troy-> yep 21:03 < krzie> !pastebin 21:03 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 21:04 < troy-> krzie, http://pastebin.ca/1388535 21:06 < krzie> thats the client? 21:06 < troy-> yep 21:06 < krzie> and wheres the server log... 21:07 < troy-> good question 21:07 < troy-> gimme one min :P 21:07 < krzie> also when pushing dns to a windows client, you must read this 21:07 < krzie> !pushdns 21:07 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 for a perm fix via regedit 21:09 < epaphus> krzie, iam pretty sure I have the NAT correct... firewall is ok.. I can ping the server from the client though... I cant ping anything else... and... the weirdest thing of all is... if I do a traceroute from the client to the IP of the server it seems its taking the regular internet route i had before openvpn was setup 21:10 < krzie> of course it is 21:10 < krzie> if it didnt how would the vpn stay up? 21:10 < epaphus> oh :) 21:10 < krzie> and your problem is still in 1 of the 3 places i said it was 21:10 < epaphus> oki 21:10 < krzie> that answer WILL NOT BE CHANGING 21:10 < krzie> !forget pushdns 3 21:10 < vpnHelper> krzie: Joo got it. 
21:11 < krzie> !learn pushdns as http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 21:11 < vpnHelper> krzie: Joo got it. 21:12 < troy-> krzie, http://pastebin.ca/1388538 21:13 < krzie> thats NOT a logfile 21:13 < troy-> krzie, i usually just do ipconfig /registerdns 21:13 < krzie> whatever works for you 21:13 < krzie> #3 is a permanent fix 21:14 < krzie> (known to work on XP and Vista): 21:14 < troy-> krzie, where does openvpn write the log file? 21:14 < troy-> for linux 21:14 < psomas> troy-: depends on the conf i think 21:14 < krzie> i dunno man, depends on your system 21:14 < krzie> check /var/log/messages maybe 21:14 < psomas> if u don't specify prolly u can see it at syslog 21:15 < troy-> yep its writing a ton of crap to messages 21:15 < krzie> i want it from start to end of connecting message 21:17 < epaphus> krzie, iam being told to ping the tunnels endpoint.. in my case what would that be? 21:17 < krzie> client is whatever.6 21:17 < krzie> server is whatever.1 21:17 < troy-> krzie, http://pastebin.ca/1388540 21:17 < troy-> updated with real log 21:19 < krzie> ok troy, remove ipp.txt and reconnect 21:19 < krzie> then ping 172.16.2.1 from the client after reconnecting 21:19 < epaphus> krzie, wow neat.. apparently it doesnt add any latency when it goes through the vpn?? 
21:20 < epaphus> double wow 21:20 < krzie> often does 21:20 < krzie> *shrug* 21:20 < krzie> should add a little ild say 21:20 < krzie> yanno, more overhead and sometimes even must split tcp packets to fit in a packet with the overhead 21:21 < krzie> but its hard to complain about it not adding any ;] 21:21 < krzie> troy, after you remove the ipp.txt restart the server 21:22 < krzie> or shut it down, remove it, restart it 21:22 < krzie> then connect the client 21:22 < krzie> then ping 172.16.2.1 from the client 21:22 < troy-> krzie, no good 21:22 < krzie> ild say lose the ipp command all together 21:22 < krzie> its kinda useless, can only mess some things up 21:22 < troy-> should i remove it from config and try again? 21:23 < krzie> troy, what ip is the client? 172.16.2.6? 21:23 < troy-> yes 21:23 < krzie> ping that from server 21:23 < troy-> okay 21:24 < troy-> krzie, btw with udp is nat an issue? 21:25 < krzie> nat isnt your problem 21:25 < krzie> firewall definitely could be 21:25 < krzie> in fact thats what i suspect 21:25 < troy-> yep i do have one of those 21:26 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn 21:26 < epaphus> krzie, iam sorry perhaps asking this question rephrased.. not my intention to annoy you... but route show on the client says my default gateway is 10.0.1.5 , but the endpoint you said is 10.0.1.1 .. is that ok? 21:26 < krzie> troy- make sure all firewalls allow 172.16.2.x through tun interface 21:27 < troy_> krzie: i only i only have a network firewall 21:28 < troy_> neither server nor endpoint has a firewall 21:28 < epaphus> if I ping from the client 10.0.1.1 I get a latency of 200ms , if I ping 10.0.1.6 I get a latency of 430ms ... i dont understand that :P 21:30 < troy_> krzie: i cant ping from the server either 21:31 < epaphus> btw krzie .. 
I cant ping my default gateway on my client (10.0.1.5) 21:31 < troy_> epaphus: seems we have the same problem 21:31 < krzie> epaphus you shouldnt be able to, did you read !/30 (the link in it) 21:32 < krzie> your gateway is .1 21:32 < krzie> .5 is internal ovpn shit to get around windows lameness 21:32 < krzie> they figured out a better way, so now 2.1 has topology subnet 21:32 < epaphus> but this is OBSD to OBSD 21:33 < epaphus> and iam in 2.1 :P 21:33 < krzie> they made topology net30 the default because of what i said 21:33 < epaphus> i c 21:33 < epaphus> ok ok 21:33 < krzie> and its still default for now, you can change it manually if you cant understand !/30 21:33 < troy-> krzie, any thoughts on why it wont work with UDP? 21:34 < krzie> firewall 21:34 < krzie> !linfw 21:34 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 21:35 < troy-> krzie, i dont have one on either machine 21:35 < troy-> but there is a firewall infront of the client 21:35 < epaphus> krzie, can you help me understand why is it that when I ping .1 i get 200ms, and .6 gets double? 21:36 < krzie> no 21:36 < krzie> troy-, sounds like a good place to look 21:36 < epaphus> ok, why so? krzie 21:36 < krzie> cause i dont know 21:36 < epaphus> oki 21:39 < troy_> krzie: will i see an improvement by upgrading to 2.1 from 2.0.9? 21:40 < krzie> could be, but i still say its a firewall 21:40 < troy_> will UDP be much better performance? 21:40 < krzie> !tcp 21:40 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 21:41 < epaphus> iam also going to test tcp 21:41 < epaphus> just in case its a udp thing 21:41 < troy_> tcp works flawlessly for me 21:41 < epaphus> troy_, whats your issue? 21:41 < troy_> cant ping gateway 21:41 < epaphus> from client, right? 21:41 < troy_> or server -> client 21:42 < epaphus> whats your ifconfig output for tun0 in the client.. and what is the ip of the gateway your a pinging? 21:42 < epaphus> also, according to the logs.. both sites establish a connection? 21:44 < troy_> according to logs both sides are established 21:44 < troy_> i'm pinging 172.16.2.1 as my gw 21:44 < krzie> epaphus's problem is it connects and pings fine, but he cant route inet traffic over his vpn 21:44 < krzie> because his nat, firewall, or ip forwarding is broken 21:44 < epaphus> troy-, paste ifconfig on pastebin for me 21:45 < epaphus> thats exactly my problem.. 21:45 < epaphus> lol 21:45 < krzie> no, its not 21:45 < krzie> troy cant ping his tunnel endpoints 21:45 < krzie> you can 21:45 < krzie> so for him it is firewall 21:45 < krzie> for you its one of those 3 21:46 < epaphus> oh thats heavy 21:46 * krzie wonders why hes even still here 21:46 < troy-> epaphus, himm its working now 21:46 < troy-> krzie, now its workin for some odd reason 21:46 < troy-> lalalalal 21:46 < troy-> <3 krzie 21:46 < epaphus> weird thing from troy_ is he can get it to work for tcp 21:46 < troy-> krzie, only thing i changed is adding SNAT for .1 and .2 21:46 < troy-> and it worked.. 21:46 < epaphus> krzie, we all appreciate your help.. at the end you will see when i get it up it was worth it 21:46 < troy-> la la la :< 21:47 < epaphus> troy-, what is snat, what os is this? 
21:47 < krzie> troy-, aka you added a rule to your firewall ;) 21:47 < krzie> snat = linuxism 21:47 < troy-> lol 21:47 < krzie> source nat 21:47 < troy-> krzie, but i cant ping the client from the server 21:48 < krzie> firewall 21:48 < krzie> lol 21:48 < troy-> no no no :( 21:49 * krzie makes his bot respond to ANYTHING troy says until it works with "firewall" 21:49 < troy-> krzie, speeds are about equal with UDP 21:49 < troy-> about 1Mb/s 21:49 < krzie> im just telling you whats in the manual, with tcp you can expect degradation of speeds as compared with udp 21:50 < troy-> maybe if you have a shoddy connection 21:50 < krzie> maybe if you need to resend any packets 21:50 < troy-> yah, exactly 21:51 < krzie> that happens more often than you may think 21:51 < krzie> watch a packet sniffer for a day 21:54 < epaphus> krzie, must the client originate the connection directly from a public ip assigned to it.. or can the client be under a nat? 21:55 < troy-> krzie, without the vpn i can download from the server at 500KB/s 21:55 < troy-> with the VPN i'm lucky to get 130KB/s 21:55 < krzie> client can be under a nat, no problem 21:55 < krzie> troy, sorry to hear that 21:55 < krzie> did you check mtu-test? 21:55 < epaphus> troy-, how is the latency difference? 21:55 < troy-> krzie, it errored 21:55 < troy-> wouldnt work 21:56 < krzie> lol 21:56 < krzie> upgrade 21:56 < krzie> you know 2.0.9 is like 4 yrs old right? 21:56 < troy-> yes 21:57 * troy- upgrades 21:58 < troy-> krzie, my config files can stay the same rite? 21:59 -!- psomas [n=psomas@adsl-140-115.adsl.ntua.gr] has quit [Client Quit] 22:01 < krzie> yes 22:02 < epaphus> what is mtu test? 
22:02 < krzie> !mtu-test 22:02 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 22:05 < epaphus> ohh nice 22:05 < troy_> how can i query openvpn for version# 22:05 < krzie> !man 22:05 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 22:05 < krzie> check the manual 22:07 < troy_> figured it out 22:07 < troy_> krzie: whats weird is it takes 4-5mins before openvpn can ping gw using udp 22:07 < troy_> but if you wait it out magically it happens 22:08 < krzie> also source nat isnt the real solution, allowing the tun ip is 22:08 < krzie> but whatev 22:09 < troy_> speeds are equal to the past ver 22:09 < krzie> mtu-test works? 22:09 < troy_> appears to 22:09 < krzie> you're using 2.1_rc15? 22:09 < troy_> yep 22:09 < krzie> well whats it say when you mtu-test 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu = 1500 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_defined = ENABLED 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 link_mtu = 1500 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 link_mtu_defined = DISABLED 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_extra = 0 22:10 < troy-> Fri Apr 10 23:04:32 2009 us=171000 tun_mtu_extra_defined = DISABLED 22:10 < krzie> !pastebin 22:10 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 22:10 < troy-> lol 22:10 < troy-> it was 6 :/ 22:10 < krzie> thats not mtu-test results 22:10 < krzie> thats you grep'ing the logfile for 'mtu' 22:11 < krzie> comment the word daemon 22:11 < troy-> correct 22:11 < krzie> add the word mtu-test 22:11 < krzie> and connect 22:12 < troy_> connected 22:12 < krzie> both sides are now 2.1? 
22:12 < troy_> i installed the windows ver but it still says openvpn gui v1.0.3 22:13 < troy_> C:\Program Files\OpenVPN\bin>openvpn --version 22:13 < troy_> OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008 22:13 < troy_> so yep, both 2.1 22:13 < krzie> comment the word daemon 22:13 < krzie> add the word mtu-test 22:13 < krzie> and connect 22:13 < troy_> i did 22:14 < troy_> i'm connected.. 22:14 < krzie> so it ran some tests in the foreground? 22:14 < troy_> its scrolling so quick its hard to tell 22:14 < troy_> what am i looking for? 22:14 < krzie> oh right 22:14 < krzie> turn verb back to 4 22:14 < krzie> lol 22:14 < troy_> hehe 22:15 -!- jimi [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has joined ##openvpn 22:15 < jimi> How can I solve this? Fri Apr 10 23:13:22 2009 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 22:15 < troy_> connected 22:15 < krzie> by changing the LAN's subnet on one of the sides is on 22:16 < troy_> Fri Apr 10 23:15:23 2009 us=234000 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes. 22:16 < jimi> shit, not an option :( 22:16 * troy_ twiddles thumbs 22:16 < krzie> jimi, you dont run EITHER side? 22:16 * troy_ turns clock forward 2 mins 22:16 * krzie puts a muzzle on troy 22:17 < troy_> @_@ 22:17 < jimi> i run both sides... but, there are so many devices relying on 255.255.255.0 that it would be very difficult and time consuming to do this in a production environment 22:17 < krzie> no no 22:17 < krzie> dont change the netmask 22:17 < krzie> change the subnet! 
22:17 < krzie> the part that is 192.168.1 22:17 < krzie> subnet + netmask = network 22:17 < krzie> basically 22:18 < krzie> err no im wrong there 22:18 < krzie> but whatev its been awhile since i went over vocab 22:18 < krzie> change the 192.168.1 on 1 side 22:19 < krzie> preferably the server if you can 22:19 < krzie> that way you wont have more clients with the same subnet connecting later 22:19 < troy_> Fri Apr 10 23:18:58 2009 us=343000 NOTE: failed to empirically measure MTU (requires OpenVPN 1.5 or higher at other end of connection). 22:19 < krzie> 192.168.1 is too common 22:19 < krzie> troy you restarted both sides with 2.1? 22:20 < krzie> ohhhhh wait 22:20 < krzie> you still cant ping both directions, right? 22:21 < troy_> krzie: correct 22:21 < troy_> both sides were restarted 22:21 < krzie> fix your firewall problem first then 22:21 < troy_> but it takes a few mins before i can even ping one way 22:21 < krzie> you still have one 22:21 < troy_> mmm 22:21 < krzie> in fact the 'fix' you did earlier wasnt a fix, just a hack 22:22 < krzie> to fix it for real you need to allow the vpn network instead of SNAT'ing 22:22 < troy_> how do i do that? 22:22 < krzie> by learning how your firewalls work 22:22 < krzie> im not your network admin 22:23 < krzie> your openvpn is setup correctly 22:23 < krzie> thats what we do here :-p 22:23 < troy_> damned 22:23 < troy_> hint? 22:24 < epaphus> back 22:24 < epaphus> ok so... back to work.. 
iam going to try tcp, and then iam going to try a different client 22:28 -!- jimi_ [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has joined ##openvpn 22:28 -!- jimi [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has quit [Read error: 113 (No route to host)] 22:28 < jimi_> changed my subnet to .2 and still getting the error 22:29 < krzie> show the error now pls 22:29 < krzie> troy, i dont use linux, and i gave you the hint 22:29 < krzie> !linfw 22:29 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 22:30 < jimi_> the error hasnt changed 22:30 < krzie> you changed it, killed both openvpns, started both, and got THAT EXACT error? 22:30 < jimi_> yes 22:30 < krzie> show me your server statement 22:30 < jimi_> potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 22:31 < jimi_> server 172.16.0.0 255.255.255.0 22:32 < jimi_> push "route 192.168.1.0 255.255.255.0" 22:32 < krzie> !configs 22:32 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:32 < krzie> 192.168.1.0 is the lan behind the server? 22:33 < jimi_> yes 22:34 < jimi_> http://pastie.org/443505 22:39 < krzie> why dev tap? 22:39 < krzie> why tcp? 
22:39 < krzie> see !ipp if you have ipp.txt to try to have static ips 22:40 < jimi_> !ipp 22:40 < vpnHelper> jimi_: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 22:40 < jimi_> k 22:40 < krzie> !tunortap 22:40 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 22:40 < krzie> !tcp 22:40 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 22:40 < krzie> still waiting on client.conf 22:40 < jimi_> you didnt ask for it... 22:41 < krzie> !configs 22:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 22:41 < jimi_> server.conf 22:41 < krzie> (#1) please pastebin your client and server 22:41 < krzie> configs 22:41 < troy_> krzie: with TCP i'm seeing fairly high latency 22:42 < troy_> almost double what it should be 22:42 < jimi_> http://pastie.org/443508 22:43 < krzie> troy: i told you to read !tcp 3 times, it explains why 22:43 < krzie> then you told me only over a shoddy link 22:43 < krzie> what more do you want? 22:43 < krzie> jimi: why are you using dev tap, and tcp? 
22:44 < krzie> also you might wanna change how your server cert is signed 22:44 < krzie> !mitm 22:44 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 22:44 < jimi_> k 22:44 < krzie> ok as for your real problem... 22:44 < krzie> !interface 22:44 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 22:44 < krzie> !logs 22:44 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 22:45 < jimi_> im not doing all that. 22:45 < jimi_> dev tap/tun... or tcp has nothing to do w/ why the routes are not working. 22:46 < jimi_> you would rather just have the bot spit out the same factoids over and over, instead of actually assisting. 22:46 -!- jimi_ [n=jimi@cpe-065-184-197-243.ec.res.rr.com] has left ##openvpn ["Leaving"] 22:47 < krzie> LOL 22:47 < krzie> im sure thats my loss 22:48 -!- mode/##openvpn [+o krzie] by ChanServ 22:48 -!- mode/##openvpn [+b *!*jimi@*.rr.com] by krzie 22:48 -!- mode/##openvpn [-o krzie] by krzie 22:54 -!- troy_ [n=troy@72.37.245.28] has quit ["leaving"] 22:56 < epaphus> krzie, what would happen if two clients have the same cert ? 23:28 < epaphus> krzie, u there? 23:52 -!- nemysis [n=nemysis@67-154.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 23:53 -!- nemysis [n=nemysis@194-1.3-85.cust.bluewin.ch] has joined ##openvpn 23:55 < epaphus> IT WORKED!!!!!!!!!!!!!! 23:55 < epaphus> FINALLY!!!!!!!!!!!!!!!!!! 
23:55 < epaphus> THANK YOU SO MUCH krzie 23:56 < epaphus> my nat was incorrectly done on the server --- Day changed Sat Apr 11 2009 00:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:05 < epaphus> krzie, ill see you tomorrow :) 00:07 < troy-> epaphus, did you fix the ping issue? 00:07 < epaphus> troy-, yes 00:07 < epaphus> troy-, i rebuilt my firewall from scratch 00:07 < epaphus> in the server 00:08 < epaphus> troy-, the only thing I have pending is.. that my client doesnt resolve DNS... it must be a simple dns line in the server.conf .. do you have such? 00:08 < troy-> i do sir 00:09 < epaphus> troy-, can you help me here? 00:09 < troy-> push "dhcp-option DNS 4.2.2.1" 00:09 < troy-> push "dhcp-option DNS 4.2.2.2" 00:12 < epaphus> troy-, thanks 00:12 < epaphus> how are you doing troy- 00:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 00:36 < troy-> epaphus, decent and yourself? 00:40 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:40 < rubydiamond> Hi guys 00:41 < rubydiamond> I freshly installed ubuntu on my laptop 00:41 < rubydiamond> now want to connect to office using openvpn client on ubuntu 00:48 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 01:04 < rubydiamond> anybody here 01:13 < theDoc> Yep, ok 01:30 < rubydiamond> theDoc, hey 01:30 < rubydiamond> I have connected to openvpn 01:30 < rubydiamond> but is not able to use vpn dns 01:30 < rubydiamond> how do I start openvpn with dns option set 01:30 < rubydiamond> theDoc, yt? 01:34 < rubydiamond> anybody in 01:34 < rubydiamond> need help 01:38 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn 01:39 < mf_417> Hi, is there any way to manually assign ip to clients of openvpn, when using tap ? ccd works fine but just for tun 01:40 < rubydiamond> guys.. 
01:40 < rubydiamond> how do I push dns using openvpn 01:40 < rubydiamond> mf_417, help 01:40 < rubydiamond> I am using openvpn client 01:40 < mf_417> rubydiamond: I have same problem 01:42 < mf_417> ping 01:42 < mf_417> is there any way to manually assign ip to clients of openvpn, when using tap ? ccd works fine but just for tun 01:48 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn [] 01:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 02:25 < reiffert> morning 02:27 < reiffert> push "dhcp-option DNS 123.34.32.21 02:27 < reiffert> " 02:27 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has joined ##openvpn 02:27 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has left ##openvpn [] 02:28 < kraut> morning 02:28 < reiffert> morning morning kraut 02:28 < krzee> morning 02:29 < kraut> morning morning reiffert 02:29 < kraut> stiff breeze here ;) 02:29 < kraut> with a sharp "st" ;) 02:29 < kraut> INORMALLANGNOW 02:29 < krzee> lol 02:30 < reiffert> INO what? 02:30 < reiffert> aye aye my captain 02:30 < kraut> hrhr, arrrrrhoi salty seadog! ;) 02:35 < rubydiamond> kraut, hey 02:35 < kraut> hi rubydiamond 02:35 < rubydiamond> want to setup openvpn client with auto dns push 02:36 < rubydiamond> sudo openvpn anil.ovpn 02:36 < rubydiamond> I am able to connect my office sites with ip 02:36 < rubydiamond> but I also want to use dns server of my office 02:38 < kraut> rubydiamond: you could use "cmd" with a script that sets up your dns 02:38 < kraut> is that a solution? 02:38 < kraut> brb 02:40 < rubydiamond> kraut, hey 02:40 < rubydiamond> don't go. 02:40 < rubydiamond> hey could you you give me link related to it 02:40 < rubydiamond> kraut, yt? 
02:43 < kraut> man openvpn -> --up cmd and --down cmd 02:43 < kraut> just a simple script, which backs up your resolv-file and after the tunnel is down, copies it back to the old state 02:43 < kraut> rubydiamond: imho there isn't any feature, that the server could push the dns 02:44 < kraut> rubydiamond: yt? 02:44 < rubydiamond> yes 02:45 < rubydiamond> hey.. was playing with dns 02:45 < rubydiamond> btw .. what cmd you are talking 02:45 < kraut> just look into the man page, section --up cmd and --down cmd 02:45 < kraut> everything you need is described there 02:46 < rubydiamond> sudo openvpn anil.ovpn --up update-resolv-conf 02:46 < rubydiamond> [sudo] password for anil: 02:46 < rubydiamond> Options error: I'm trying to parse "anil.ovpn" as an --option parameter but I don't see a leading '--' 02:46 < rubydiamond> Use --help for more information. 02:46 < kraut> the options may be used in the client config as "up cmd $shellscript" and "down cmd $shellscript" 02:47 < kraut> yep, in the config you may not use "--", just use them without them 02:47 < kraut> the "--" is used, if you start openvpn from the cli directly 02:47 < kraut> like "openvpn --foobar conf" 02:47 < rubydiamond> trying 02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 /etc/openvpn/update-resolv-conf tun0 1500 1541 10.226.239.26 10.226.239.25 init 02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 openvpn_execve: external program may not be called due to setting of --script-security level 02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 script failed: external program fork failed 02:49 < rubydiamond> Sat Apr 11 13:18:24 2009 Exiting 02:49 < rubydiamond> got this 02:49 < rubydiamond> I added two lines up and down in my conf 02:49 < kraut> GAH 02:50 < kraut> put "security-level 2" in your config 02:50 < kraut> sorry 02:50 < kraut> "script-security 2" 02:50 < kraut> that's the correct option 02:52 < rubydiamond> kraut, thanks a lot 02:52 < rubydiamond> it worked 02:52 < rubydiamond> it was awesome help 02:52 < kraut> 
:) 02:52 < kraut> no problem 02:52 < rubydiamond> I actually could not set it up properly couple of time.. had spent lots of hours on it 02:53 < kraut> btw. it could be a security issue to allow script-security to 2, just keep that in mind 02:57 < rubydiamond> btw, what could be 02:57 < rubydiamond> it ? 02:58 < rubydiamond> kraut, when i do /etc/init.d/openvpn start or stop.. it does not load my config 02:58 < rubydiamond> I have to always to openvpn anil.conf 02:58 < rubydiamond> need I rename anil.conf to something else 02:59 < kraut> is your config in /etc/openvpn/ ? 02:59 < kraut> everything in that directory with suffix .conf should be parsed 03:05 < rubydiamond> kraut, yes 03:05 < rubydiamond> okay 03:05 < rubydiamond> it was not .conf 03:05 < rubydiamond> it was .opvpn 03:05 < kraut> that's the suffix for windows 03:07 < rubydiamond> okay 03:07 < rubydiamond> kraut, yea, it worked 03:07 < rubydiamond> thanks a lot 03:07 < kraut> no problem 03:07 < kraut> bill is on the way ;) 03:14 < rubydiamond> :) 03:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 03:20 < kraut> need to go, batteries are low 03:20 < kraut> bye 03:34 < rubydiamond> okay bye 03:43 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 04:03 -!- e3032 [n=sepe@ti300720a080-0064.bb.online.no] has joined ##openvpn 04:03 < e3032> Is it possible to show a list of clients connected to my openvpn server? 04:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:08 < e3032> This should be possible ... 04:10 < e3032> ........ 
04:12 -!- e3032 [n=sepe@ti300720a080-0064.bb.online.no] has quit ["leaving"] 04:34 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:36 -!- Gumbler|NotHere is now known as Gumbler 04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 05:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:20 -!- c64zottel [n=hans@p5B1794D6.dip0.t-ipconnect.de] has joined ##openvpn 05:31 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 06:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:12 < krzee> CPU: 36.0% user, 0.0% nice, 63.6% system, 0.4% interrupt, 0.0% idle 07:12 < krzee> i love seeing that during a buildworld 07:12 < krzee> 2 amd64 cores used 100% 07:23 -!- cmb [n=cmb@pfsense/coreteam/cmb] has quit [Read error: 110 (Connection timed out)] 07:50 < ecrist> dan__t: what is it you want to know about CRLs? 08:23 -!- c64zottel [n=hans@p5B1794D6.dip0.t-ipconnect.de] has quit ["Leaving."] 08:37 -!- Flumdahl [i=n30@shell.auth.se] has quit [Read error: 110 (Connection timed out)] 10:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 10:20 < epaphus> hello all 10:21 < epaphus> krzie, u there? 10:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:40 < epaphus> Well guys. my VPN works like a charm.. the problem is that the client which is a OpenBSD box doesnt resolve DNS. If I push a DNS option at the server.. It doesnt affect my client (probably because my client doesnt have any type of dhcp to get that value) .. so how do I go around with this? 10:46 < Bushmills> epaphus, does the pushed DNS show up in /etc/resolv.conf? 10:46 < epaphus> Bushmills, in the client? 10:46 < Bushmills> yes 10:48 < epaphus> no it did not 10:49 < Bushmills> any other DNS there? 10:49 < epaphus> yes 10:50 < Bushmills> that's a working DNS? 
10:51 < epaphus> yes, I have changed that and it's working now
10:51 < epaphus> that was a working DNS before the VPN though
10:52 < epaphus> when I ping hostname does the resolving part take place in the client, or at the server Bushmills ?
10:52 < Bushmills> supposedly, pushing a DNS by vpn server should reflect in that file
10:52 < Bushmills> resolving takes place in client
10:53 < Bushmills> but client could use vpn server as dns, provided it is set up as dns
10:54 < Bushmills> but usually you would have one recursive DNS on your local net, which is used by the machines on the local net.
10:54 < epaphus> ohh, interesting... why do we suppose that after I installed the VPN my DNS ips stopped working though?
10:54 < epaphus> yeah...
10:55 < Bushmills> maybe because of routing. could all your traffic (including dns requests) be routed to the vpn server?
10:57 < epaphus> ohhh DNS is being resolved within the client, but the client uses the VPN to contact the dns
10:57 < epaphus> got it
10:57 < epaphus> well for some reason those IPs didn't like a foreigner to contact them i guess
10:59 < Bushmills> having a short route, low propagation, to DNS is beneficial
10:59 < epaphus> yeah ill try to place a DNS within the vpn server then
11:07 < epaphus> I wonder, I am using the VPN to access the internet on the client machine. What's the point of having two default routes..?
11:07 < epaphus> default 10.0.1.5 UGS 0 18 - 48 tun0
11:07 < epaphus> default 192.168.1.1 UGS 1 1295 - 48 nfe0
11:10 < Bushmills> more likely that it is a misconfiguration than that there's a point to it
11:11 < epaphus> well, the redirect-gateway option automatically did part of this, I am sure :P
11:13 < Bushmills> it doesn't do that here
11:13 < epaphus> ohh
11:13 < epaphus> ill delete it :) what os are you using Bushmills ?
11:14 < Bushmills> Linux
11:14 < epaphus> I am in unix
11:14 < Bushmills> using redirect-gateway in client config, not pushed by server
11:14 < epaphus> me too.
11:16 < epaphus> so... unless a client's key is compromised.. another client should not be able to login to the vpn server.. right?
11:16 < Bushmills> sounds about right
11:35 < epaphus> Quick question, if I use vpn with UDP ..does that mean that ICMP needs to be enabled?
11:41 < karlpinc> epaphus : No.
11:41 < Bushmills> it means that all tcp,udp and icmp traffic is tunneled through udp
11:42 < Bushmills> (all traffic routed through vpn interface)
11:45 < epaphus> hmm, for some reason I just switched the client/server to use UDP.. and I opened the UDP port in the firewall .. but it doesn't connect
11:46 < epaphus> maybe i didn't open it right
11:56 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [Remote closed the connection]
11:56 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn
12:00 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn
12:01 < guy191> Hii Room !!
12:01 < guy191> need to ask few things.. hope i will take few nice answers with me from here :)
12:02 < Bushmills> !howto
12:02 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:02 < Bushmills> :D
12:02 < guy191> trying to establish VPN network in between my friend which is using laptop and my office network 192.168.0.0/24
12:03 < guy191> HI Bushmills..
12:03 < guy191> i'm not using openvpn.. but it's related to vpn so
12:04 < Bushmills> what vpn software are you trying to use?
12:04 < guy191> i'm using hardware Zywall USG 100 device
12:05 < guy191> http://www.zyxel.com/web/product_family_detail.php?PC1indexflag=20040908175941&CategoryGroupNo=4E8412D7-AF41-41EA-987C-ACA23F38108A
12:05 < vpnHelper> Title: ZYWALL USG 100 - Network Security in a Single Box for Offices of up to 25 People - ZyXEL Product & Solution (at www.zyxel.com)
12:06 < guy191> oh helper you know :)..
12:06 < guy191> !VpnHelper you are best
12:06 < vpnHelper> guy191: Error: "VpnHelper" is not a valid command.
12:06 < guy191> anywayz
12:07 < Bushmills> !botsnack
12:07 < vpnHelper> Bushmills: Error: "botsnack" is not a valid command.
12:07 < guy191> on other side .. only one guy.. not LAN
12:07 < Bushmills> hmm
12:07 < guy191> here is he saying in Policy Setting
12:08 < guy191> local policy.. our LAN network ip network/netmask
12:08 < guy191> remote policy.. otherside network and subnetmask
12:08 < guy191> no before that..
12:09 < guy191> which ports should open on my LAN side for seeing network computers on my friend's laptop?
12:09 < dan__t> hi
12:10 < Bushmills> !routing
12:10 < vpnHelper> Bushmills: Error: "routing" is not a valid command.
12:10 < guy191> oh hi dan__t
12:10 < dan__t> whatsup
12:10 < guy191> how are you ?
12:10 < Bushmills> !route
12:10 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:10 < dan__t> I'm ok. Trying to wake up.
12:10 < guy191> nothing, just trying to configure vpn..
12:10 < dan__t> I'm eating Triscuits.
12:10 < dan__t> And drinking a diet coke.
12:11 < dan__t> Breakfast of champions.
12:11 < guy191> good.. dan__t you should take some vpn sandwiches with linux fresh juice :)
12:11 < dan__t> wtf
12:11 < guy191> haha
12:11 < dan__t> Are you hizzigh?
12:11 < guy191> sorry !!
12:11 < guy191> hizzigh.. what's dat
12:11 < dan__t> high
12:11 < guy191> no i'm not hizzigh
12:12 < guy191> brb
12:14 < dan__t> k
12:18 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
12:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:27 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn
12:28 < [4-tea-2]> !route
12:28 < vpnHelper> [4-tea-2]: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:38 < [4-tea-2]> Howdy, I'm connecting from a machine with a dynamic ip to an openvpn server, so I've set a host route to the server via the DSL interface.
12:39 < [4-tea-2]> What's the proper way to tell local machines how to reach other services on the openvpn server?
13:08 < [4-tea-2]> Masquerading works, but that way I lose encryption for those connections.
13:16 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has quit [Read error: 113 (No route to host)]
13:16 < dan__t> You can't really directly tie a service in to OpenVPN.
13:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
13:17 < rubydiamond> hi guys
13:17 < dan__t> You can set routes. You can't set rules based on ports etc etc unless using some sort of packet filtering or inspection, such as iptables
13:17 < rubydiamond> I need help on pushing openvpn dns to my laptop
13:18 < rubydiamond> dan__t, I am not able to use dns of my work.. from my laptop .. though I can access sites using ip.. also I have added up and down lines in my config
13:18 < rubydiamond> which should push dns
13:18 < [4-tea-2]> dan__t: I'm comfortable with iptables, but I'm not sure what's the right way to go.
13:18 < rubydiamond> but it's not doing so
13:18 < dan__t> Give me an example, [4-tea-2]
13:19 < dan__t> rubydiamond, http://openvpn.net/index.php/documentation/howto.html#dhcp
13:19 < vpnHelper> Title: HOWTO (at openvpn.net)
13:20 < rubydiamond> dan__t, I am using client
13:21 < rubydiamond> I think openvpn server is pushing it
13:21 < dan__t> Using what?
13:21 < rubydiamond> but my client is not able to use dns
13:21 < [4-tea-2]> dan__t: openvpn from dynip.ispone aka server.mylocal.net to realip.isptwo, isp two routes mylocal.net to me, so I have static IP addresses for my machines at home.
13:21 < rubydiamond> dan__t, I am using openvpn command line client on ubuntu
13:21 < [4-tea-2]> dan__t: I want to access e.g. the webserver on realip.isptwo:80 from workstation.mylocal.net.
13:21 < dan__t> Then just edit /etc/resolv.conf, rubydiamond
13:22 < dan__t> Can you ping it, [4-tea-2] ?
13:22 < rubydiamond> dan__t, yeah.. but what should I add there
13:22 < dan__t> er, you'd add what you normally would put there
13:22 < dan__t> nameserver 1.2.3.4
13:23 < [4-tea-2]> dan__t: from server.mylocal.net, I can ping realip.isptwo which goes "around" the vpn, or I can ping the link-local ip to the openvpn endpoint (I've chosen an rfc1918 address there, 10.something)
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 TUN/TAP device tun0 opened
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 TUN/TAP TX queue length set to 100
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/ifconfig tun0 10.226.239.26 pointopoint 10.226.239.25 mtu 1500
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /etc/openvpn/update-resolv-conf tun0 1500 1541 10.226.239.26 10.226.239.25 init
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/route add -net 192.168.8.0 netmask 255.255.248.0 gw 10.226.239.25
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 /sbin/route add -net 10.226.239.1 netmask 255.255.255.255 gw 10.226.239.25
13:23 < rubydiamond> Sat Apr 11 23:44:59 2009 Initialization Sequence Completed
13:23 < rubydiamond> oh sorry..
13:23 < rubydiamond> I pasted here
13:23 < dan__t> I'm sorry, it's still fuzzy [4-tea-2]
13:24 < rubydiamond> but dan__t I don't know what the name server ips at work are
13:24 < rubydiamond> dan__t, do you see some above
13:25 < dan__t> Use 4.2.2.1?
13:25 < dan__t> I don't know.
13:26 < [4-tea-2]> dan__t: okay, let me try to rephrase my problem. When I establish the openvpn connection for my local network, I set a default route to openvpn's tun device and a host route to the physical device that I use to talk (via a DSL router) pointing to the openvpn server's real ip address (outside the openvpn tunnel).
13:28 < [4-tea-2]> dan__t: when all I needed from that server was the openvpn connection, that was perfectly fine. Now I'd like to reach other services (e.g. a webserver) on the very server that acts as my openvpn server. And preferably, I'd like those connections to benefit from openvpn's encryption.
13:28 < dan__t> Oh, right.
13:28 < dan__t> hmmm
13:35 < rubydiamond> dan__t, openvpn on linux machine sucks
13:35 < rubydiamond> there is no good client
13:35 < rubydiamond> which can properly setup dns
13:35 < rubydiamond> after connecting to vpn
13:36 < rubydiamond> on mac and windoze it works awesome
13:41 < guy191> if one computer from outside wants to connect with LAN through VPN
13:41 < guy191> all that LAN clients should also have installed that client software ?
13:41 < guy191> or only that guy which is trying to access it from outside ?
13:42 < guy191> any one ????
13:42 < guy191> i meant about client software..
13:43 < guy191> all the guys which want to be a part of vpn .. even in lan or from outside will use vpn client ?
13:47 < dan__t> You just need a clue about doing it, rubydiamond
13:47 < dan__t> I told you what to do
13:47 < dan__t> I told you which options to use in OpenVPN.
13:48 < rubydiamond> dan__t, hmm
13:48 < rubydiamond> dan__t, used
13:48 < dan__t> No, guy191. A remote client "becomes" part of that LAN.
13:48 < dan__t> Kind of.
13:52 < dan__t> rubydiamond, all the OpenVPN clients work the same way.
13:52 < dan__t> They all have the same options, use the same communication, obey the same routes
13:52 < dan__t> They're all the same.
13:52 < dan__t> I'm sorry that it doesn't have a fuzzy cute GUI by default.
13:53 < dan__t> I'll.... bitch at the author or something. For shame, I know, right?
14:00 < rubydiamond> dan__t, both windows and mac have good gui clients
14:02 < dan__t> Great.
14:26 < dan__t> They all work the exact same way.
14:26 < dan__t> Your argument is invalid.
14:29 -!- _lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
14:36 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
14:42 < krzee> actually
14:43 < krzee> you can have certs or a PSK
14:43 < krzee> guy191, see !route
14:46 < guy191> my vpn client has connected with vpn server
14:46 < guy191> now how can i check that it's working fine ?
14:47 < guy191> it's not pinging to that network from command prompt
14:47 < guy191> what are the other ways to test connection ?
14:59 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
15:05 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
15:16 < guy191> Hii room !!
15:16 < guy191> any one ?
15:17 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn []
15:17 -!- guy191 [n=carbon@hosr3141-04.hh.se] has joined ##openvpn
15:18 < guy191> back !!1
15:18 < guy191> actually today is my first day here..
15:18 < guy191> or even in this vpn configuration ..
15:18 < guy191> i have setup vpn.. now need to test from my remote client pc..
15:18 < guy191> which is connected to internet.. and vpn client also showing that it's connected
15:19 < guy191> now i cannot ping to lan.... why ?
15:19 < guy191> have to configure some thing on client network connection ?
15:27 < krzie> !route
15:27 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:29 < guy191> hi krzie.. how r u ?
15:30 < guy191> krzie: i have read this doc...
15:30 < guy191> my scenario is little bit different
15:30 < guy191> only one computer from outside wants to connect with my LAN ..
15:31 < guy191> his vpn client has connected with my vpn server.. actually i'm not using openVPN..
15:31 < krzie> and the lan is behind the server or client
15:31 < krzie> !notcompat
15:31 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
15:31 < guy191> lan is behind that hardware gateway device
15:31 < guy191> i know compatibility
15:32 < krzie> you said you aren't using openvpn
15:32 < guy191> yes then ?
15:32 < krzie> so why are you here?
15:32 < guy191> ZYWALL USG 100
15:33 < guy191> just for little bit info regarding vpn..
15:33 < krzie> can only help you with openvpn
15:33 < guy191> yes i know.. suppose here it's openvpn.. and client has connected with it..
15:33 < krzie> pointless
15:33 < krzie> not gunna waste my time
15:33 < guy191> now he can't ping all other lan nodes
15:34 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
15:34 < guy191> only tell that .. how can we test on client side
15:34 < guy191> test the connectivity from that outsider ?
15:34 -!- mode/##openvpn [+o krzie] by ChanServ
15:34 <@krzie> seriously, this is an openvpn help channel
15:34 <@krzie> !notopenvpn
15:34 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
15:35 < guy191> ok .. Sorry .. Don't mind !!
15:35 -!- mode/##openvpn [-o krzie] by ChanServ
15:38 < krzie> werd
15:38 < krzie> however, if you switch to openvpn you can do that as well
15:39 < krzie> (likely with stronger encryption)
15:39 < guy191> Thanks.. !! yes i know that openvpn is best..
15:39 < krzie> *shrug* best depends on needs
15:40 < guy191> some times we should also configure on another platform.. it's also nice for our career
15:40 < krzie> some people don't like that we can't directly connect clients bypassing server
15:40 < krzie> and some people need a couple thousand connections, cisco might be better for them, comes with support and all that
15:40 < guy191> we shouldn't get stuck on one apple..
15:41 < guy191> yes..of course..
15:41 < krzie> but i feel the strongest encryption is available here, because they don't try to do it and maintain it themselves
15:41 < krzie> very smart move to use openssl for all that
15:41 < krzie> and it's very configurable
15:41 < krzie> very very flexible
15:42 < guy191> anywayz.. now my time is wasting.. time to go and work
15:42 < guy191> be happy n takecare !!
15:42 < guy191> ba bye !!
15:42 < krzie> you too =]
15:42 -!- guy191 [n=carbon@hosr3141-04.hh.se] has left ##openvpn []
16:01 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn
16:02 < dupondje> !route
16:02 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:13 < dupondje> mmm, I want to put a vpn server on my server (internet ip), so I can connect 2 networks together that are behind a router ...
16:13 < dupondje> any idea where to start :)
16:19 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving"]
16:23 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has joined ##openvpn
16:24 < quentusrex_> Is it possible to deny some clients access to certain parts of the subnet? even though they have the routes pushed?
16:24 < quentusrex_> such as through iptables, or something?
16:28 < karlpinc> krzie : People _could_ directly connect clients if they tried, using dyndns and such.
16:29 < karlpinc> quentusrex_ : Sounds like that's what iptables is for. (You might try looking at shorewall for an easier configuration.)
16:29 < dupondje> !howto
16:29 < vpnHelper> dupondje: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:44 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:51 < dan__t> hi
16:52 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
16:52 < epaphus> Hey guys, where can I read more about the access controls that openvpn has?
16:53 < dan__t> in the manpage
16:53 < dan__t> what specifically were you looking at?
16:53 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
16:53 < epaphus> an overview of what access control can do in real life
16:59 < krzie> krzie : People _could_ directly connect clients if they tried,
16:59 < krzie> using dyndns and such.
16:59 < krzie> false
17:00 < krzie> when connecting from 1 client to another over openvpn, it will always flow through the server
17:07 < epaphus> krzee, thanks for the help yesterday
17:09 < krzie> you're welcome
17:09 < krzie> get your stuff sorted out?
17:11 < epaphus> btw.. redirect-gateway left two routes.. I need to delete one... not sure how to do it permanently.. because if I delete it with route delete.. it just comes back after a reboot
17:11 < epaphus> this bothers me a little.. default 10.0.1.5 UGS 0 0 - 48 tun0
17:11 < krzie> what route?
17:11 < epaphus> default 192.168.1.1 UGS 1 83 - 48 nfe0
17:11 < epaphus> the default being 192.168.1.1
17:12 < krzie> !interfaces
17:12 < vpnHelper> krzie: Error: "interfaces" is not a valid command.
17:12 < krzie> !interface
17:13 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
17:16 < epaphus> krzee, http://pastebin.com/d6500f389 ... see.. there is really no point to have a second default gateway as 192.168.1.1 if I already have the default gateway as the VPN
17:16 < krzie> that's what def1 was
17:16 < krzie> overrides without deleting
17:17 < krzie> so if you kill the vpn you have inet
17:17 < krzie> !def1
17:17 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:17 < epaphus> ohh understood
17:17 < epaphus> well, i don't want it that way.. if I kill the VPN .. it's dead
17:17 < krzie> if you kill the vpn you still have a route to the internet
17:17 < epaphus> that's right, i don't want it that way
17:17 < krzie> but if you don't, you have a more specific route to the inet through the vpn, so that is all that's used
17:17 < epaphus> if I kill the VPN i want it to be dead
17:18 < krzie> fine, remove def1 from redirect-gateway
17:18 < epaphus> krzee, I am sorry.. i think i didn't explain myself correctly..
17:19 < epaphus> this machine is meant to always be connected to the VPN.. which is why i consider that the default gateway being 10.0.... is cool... what i want to delete is the regular path to the internet which is 192.168.1.1 .... i understand if I delete the regular path and the VPN is down i won't have internet
17:19 < krzie> hey so how'd you fix your nat / firewall issue?
17:19 < epaphus> but that's the way i want it
17:19 < krzie> THEN DON'T ADD def1
17:19 < epaphus> krzee, i had to do a firewall from scratch.. it's not as easy as 1 line.
17:19 < krzie> it's only like that because you have def1 in redirect-gateway
17:19 < epaphus> ohh okie
17:19 < epaphus> sorry
17:19 < epaphus> thanks
17:19 < krzie> np yw
17:20 < krzie> if you wouldn't mind adding to our wiki with your firewall setup, it would be cool
17:20 < krzie> !wiki
17:20 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
17:20 < krzie> (under the openvpn section of course)
17:20 < krzie> that's the same wiki i made my routing setup walkthrough on
17:20 < epaphus> krzee, i can paste it for you in pastebin.. is that ok?
17:21 < krzie> it's about the same to add it to the wiki, it takes anonymous posts
17:21 < krzie> and i don't wanna butcher anything, since you understand it now and i don't
17:21 < epaphus> oki
17:30 < krzie> toss in how you set ip forwarding too pls! =]
17:31 < epaphus> oki
17:31 < krzie> you'll be helping tons of openvpn users with that info im sure!
17:32 * krzie notes that's how communities like this rock, we get free help from those who have done it if we need it, then we give the help back to those who need it after us ;]
17:45 < epaphus> krzee, if I push a dns server in the server.conf .. the client must configure tun0 with dhcp on.. right?
17:46 < krzie> no, you just need to use a script to update your resolv.conf
17:46 < epaphus> krzee, a script??
17:46 < krzie> there's one included with openvpn, ive heard mixed opinions on it
17:46 < krzie> personally i would make my own if i ever used it
17:46 < epaphus> ohhh... okie
17:47 < krzie> BUT
17:47 < krzie> you said you ONLY want inet through the vpn
17:47 < krzie> so that's much easier
17:47 < krzie> since the vpn doesn't need dns to connect (just give an ip to the remote command)
17:47 < krzie> and set the dns manually, and don't have anything that would override it
17:48 < epaphus> yup
17:48 < epaphus> agreed
17:48 < krzie> but if you decide you need to push it, !pushdns is a good thread to read, although mostly talks about a windows problem with pushing dns i think they touch on doing it in unix too
17:49 < reiffert> YES OH YES!!
17:49 < krzie> you asked about auth controls, i have no clue what you were asking
17:49 < reiffert> !yes
17:49 < vpnHelper> reiffert: Error: "yes" is not a valid command.
17:49 < krzie> but if you refine your question, maybe mention a goal or something, maybe someone can answer it
17:49 < krzie> moin reif
17:49 * reiffert = someone
17:49 < reiffert> howdy
17:52 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:56 < reiffert> he doesn't trust me, eh?
17:57 < krzie> he only truly trusts me
17:57 < krzie> cause i brought him into this world, and i can take him back out
17:57 < krzie> ;]
18:03 < reiffert> I can make him dig into it much deeper ...
18:29 -!- aluis_ [n=aluis@78.52.30.238] has joined ##openvpn
18:46 < krzie> ive read that line 10 times or so reif, still have no clue what you meant
18:46 < krzie> lol
18:58 -!- quentusrex_ [n=quentusr@c-24-19-34-21.hsd1.wa.comcast.net] has quit []
19:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)]
19:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:46 < troy-> do i need to restart openvpn for it to pick up on new profiles?
19:46 < krzie> define profiles
19:46 < troy-> new keys
19:46 < krzie> do you need to restart the server when you setup new clients?
19:46 < krzie> (that's the question?)
19:46 < troy-> yep
19:46 < krzie> no
19:46 < troy-> kk
19:47 < krzie> they're signed by the same ca, they will work
19:47 < krzie> if you had meant profiles in the server config, yes
19:47 < krzie> if you had meant ccd entries in the server, no
19:47 < krzie> that's why i had you clarify
19:47 < krzie> =]
19:53 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
19:55 < dan__t> man
19:55 < dan__t> i'm done working in like 5 mins
19:55 < dan__t> I'm going to get krunk.
19:55 < dan__t> I found a place that I can walk to that has Boddingtons on tap.
20:04 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:04 < troy-> krzie, how can i run openvpn as non-root?
20:04 < krzie> must START it as root
20:04 < krzie> but can drop privs immediately after
20:04 < troy-> how do i do that?
20:05 < krzie> --user --group and some persist options
20:05 < krzie> persist-key and persist-tun iirc
20:05 < krzie> let's see
20:05 < krzie> !sample
20:05 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
20:05 < krzie> user vpn
20:05 < krzie> group vpn
20:05 < krzie> persist-key
20:05 < krzie> persist-tun
20:05 < krzie> yup
20:06 < troy-> so in server.conf
20:06 < krzie> in whatever conf you want to run as non-root
20:06 < krzie> i do it on all
20:07 < krzie> (note, this isn't for windows)
20:07 < krzie> win is done differently
20:07 < troy-> server is on linux :)
20:08 < krzie> that's good for the server, i don't run it as root on any sides
20:08 < krzie> server or clients
20:08 < troy-> thanks krzie
20:08 < krzie> basically, i never run anything as root unless i have a reason to run it as root
20:08 < krzie> np
20:09 < troy-> krzie, i had to do it so ident would show up as that user
20:12 < krzie> ya, not a good nuff reason for me
20:12 < krzie> if i irc through my socks my ident is 'nobody'
20:12 < krzie> im ok with that
20:13 < krzie> more ok than giving up running it in a sandbox at least
20:13 < krzie> but that's a decision for each admin to make
20:13 < epaphus> krzee, if I want other people to use my client to connect through my vpn... the best way to do such a thing would be to put in a second NIC and nat the traffic through tun0 ... and perhaps install a dhcpd also... right.... that's one way... ?
20:14 < krzie> why a second nic?
20:14 < krzie> werd
20:15 < epaphus> well.. that's how I usually share my internet..
20:15 < epaphus> what other way can I let many users go out through the internet via my vpn?
20:16 < krzie> by giving them certs to connect to it
20:16 < krzie> it's already setup
20:20 < epaphus> well yeah.. but that way it's not transparent to them
20:20 < epaphus> if they use me as their gateway
20:20 < epaphus> then they don't have option
20:23 < krzie> im missing what you plan on having
20:23 < epaphus> I was planning on having the clients use my machine as their internet gateway
20:23 < krzie> you saying other people on your server's lan?
20:24 < epaphus> yes
20:24 < epaphus> so they are always connected to the LAN
20:24 < krzie> are they plugged in to the lan or you want them to be, but through the vpn
20:25 < epaphus> i want to make it so .. when they plug in to the LAN they are already connected to the VPN.. regardless of any config on their pc
20:26 < krzie> ok im still missing the point, you are basically answering yes to 2 totally different questions
20:26 < krzie> are they remote and you want them to access the lan over the vpn
20:26 < krzie> or are they local and you want them to access the inet over the vpn?
20:27 < epaphus> second choice
20:28 < krzie> ok grab another nic, make a new subnet for it
20:28 < epaphus> listening..
20:29 < krzie> they are on the same lan as the client, right?
20:29 < epaphus> correct
20:29 < krzie> scratch the new nic
20:29 < epaphus> ok...
20:29 < krzie> put them on the same lan as the client
20:29 < epaphus> go on please..
20:29 < krzie> give that client an iroute entry in a ccd entry
20:29 < krzie> for its lan
20:30 < krzie> their default gateway should be your client
20:30 < epaphus> what do you mean when you say "give that client" you mean.. take the IP of the PC and put it in the ccd
20:30 < krzie> and your server needs to NAT the client's lan ips as well
20:30 < krzie> !ccd
20:30 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
20:30 < krzie> !iroute
20:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
20:31 < krzie> in addition to that, the server will need a route entry for the client lan
20:31 < krzie> just like in !route
20:31 < krzie> it's basically just !route plus a default gateway change and a nat entry
20:31 < krzie> (both of which are outside openvpn)
20:32 < epaphus> a nat to where from where..
20:32 < krzie> just like you nat the vpn network
20:32 < krzie> except now you'll nat the client lan network
20:32 < krzie> (as well)
20:32 -!- aluis__ [n=aluis@g227114042.adsl.alicedsl.de] has joined ##openvpn
20:32 < epaphus> the nat i did was on the server.. the client has no nats right now
20:33 < krzie> and that will remain the same
20:33 < krzie> the packets will still have SRC address of client lan when they get to the server, and the server will nat that
20:33 < krzie> better than a double-nat
20:33 < krzie> what you were thinking would work as well, but be more complicated
20:33 < epaphus> so that means that the PC would have to have a new gateway which I need to give it.
20:34 < krzie> unnecessarily more complicated
20:34 < krzie> what?
20:34 < krzie> "the pc"... we're talking about a minimum of 3 machines currently
20:34 < epaphus> yes.
20:34 < krzie> talk clearly pls
20:34 < epaphus> ok...
20:36 < epaphus> we have the PC that i want to connect through the client to the VPN.
20:36 < krzie> wow i wish you had started with that sentence
20:36 < krzie> !
20:36 < krzie> much better =]
20:36 < epaphus> I am asking, in the PC.. the current gateway is 192.168.1.1 , which is currently a router with regular access to the internet
20:37 < epaphus> my client (the vpn client) has .5
20:37 < krzie> right, the PC will need the client as its gateway
20:37 < epaphus> got it
20:37 < epaphus> ok
20:37 < epaphus> one min to think hehe
20:37 < krzie> ;]
20:37 < krzie> that's the easy way
20:37 < krzie> other option is to get another nic, and setup a whole other network
20:38 < krzie> they'll both work, depends on your needs
20:38 < krzie> if you go with the other network the nic goes to a switch
20:38 < epaphus> that would be pointless though
20:38 < epaphus> this is so much fun :P
20:38 < krzie> and you run dhcpd on it
20:38 < epaphus> right
20:38 < krzie> to auto-assign the gateway, dns, ip
20:38 < krzie> with a totally new subnet
20:38 < krzie> (but pointless if only 1 machine)
20:38 < krzie> the point comes when you want 2 totally separate lans
20:39 < krzie> or maybe if there were 10 machines on each, easier administration
20:40 < epaphus> i can still have 50 machines on the same NIC.. i can even run dhcpd based on the MAC to configure those...
20:40 < epaphus> or static
20:40 < krzie> guess so, although wouldn't the other dhcp server answer too?
20:40 < krzie> or do you have fine grained enough control on that one to make it ignore some
20:41 < epaphus> i think i can do that
20:41 < epaphus> I am sure i can
20:41 < epaphus> discriminate (sp?)
20:41 < krzie> cool 20:42 < krzie> whatever makes you happy 20:42 < krzie> personally ild go with seperate lans before setting up something like that 20:42 < krzie> the words admin nightmare come to mind 20:42 < epaphus> a little cleaner, right? 20:42 < krzie> totally 20:42 < epaphus> yeah... 20:42 < krzie> BUT 20:42 < krzie> like i said, if its only 1 or 2 machines 20:42 < krzie> just set their ip / gateway / dns manually 20:42 < epaphus> its 40 hehehehe 20:42 < krzie> get a nic and a switch 20:43 < krzie> thats like $20 20:43 < epaphus> ok ill do the clean way 20:43 < epaphus> i understand everything.. except the part of the nat.. what exactly am I natting? 20:45 < krzie> the subnet you create for the clients 20:45 < krzie> you will buy a nic, and make it like 192.168.50.1 20:45 < krzie> where 50.1 is NOT being used yet 20:45 < krzie> then its lan gets 50.x 20:45 < krzie> you will nat 50.x on the vpn server 20:46 < krzie> but ONLY after you setup !route 20:46 < krzie> !route 20:46 < epaphus> the vpn server is to tun, right? 20:46 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:46 -!- nemysis [n=nemysis@194-1.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 20:46 < krzie> pretend 192.168.1.0 in my example is 50.0 in our conversation 20:47 < krzie> the vpn server is to tun, right? 20:47 < krzie> huh 20:47 < krzie> ? 20:47 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has joined ##openvpn 20:47 < krzie> you must talk clearly for me to understand 20:47 < epaphus> I nat the new subnet to tun , or to the first NIC on my client? 
20:47 < krzie> on the server you currently have a nat setup 20:47 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit ["leaving"] 20:48 < krzie> do the EXACT same thing you did, but with the new subnet you create instead of the vpn subnet 20:48 < epaphus> oki 20:48 < epaphus> and route 20:48 * krzie thinks you dont fully understand what you were doing when you set it up, cause its the EXACT same thing 20:48 < epaphus> also ccd? or not in this case.. right? 20:48 < krzie> yes in this case, go read !route 20:48 < epaphus> i do, believe me.. i had to do the firewall from zero 20:48 < epaphus> oki 20:48 < epaphus> thanks 20:49 < krzie> and 20:49 < krzie> pretend 192.168.1.0 in my example is 50.0 in our conversation 20:49 < krzie> 50.0 being the subnet you are about to invent 20:49 < epaphus> understood 20:49 < krzie> you however can skip 1 thing in there 20:50 < krzie> push "route 192.168.1.0 255.255.255.0" 20:50 < krzie> you dont need that unless you have more clients connecting from elsewhere that need communications with your new lan 20:50 < epaphus> oki 20:50 -!- aluis_ [n=aluis@78.52.30.238] has quit [Read error: 110 (Connection timed out)] 20:53 < epaphus> for now iam going to save this conversation.. and try to learn how to connect my linux ubuntu into the obsd... i saw some differences in the client.conf defaults... 20:54 < krzie> screw the defaults 20:54 < krzie> it should just work 20:56 < epaphus> out of curiosity... how owuld the server react if two clients have the same cert? 
iam lazy to do a cert LOL 20:58 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 20:58 < Dougy[home]> Hey all 20:58 < epaphus> hi 20:58 < Dougy[home]> sup 20:59 < krzie> sup doug 21:00 < krzie> ltns 21:00 < Dougy[home]> hey krzie 21:00 < Dougy[home]> i heard that 21:00 < Dougy[home]> how goes it 21:00 < krzie> good man, put together my new quad core last night 21:00 < Dougy[home]> awesome 21:00 < krzie> recompiled the kernel on my NFS overnight so i can burn the osx86 dvd 21:00 < Dougy[home]> I bought a server last night 21:00 < krzie> so when i get home ill play with that 21:01 < Dougy[home]> i got a hella deal 21:01 < krzie> after a lil hash of course 21:01 < krzie> lets hear it 21:01 < Dougy[home]> dual xeon 3.2, 1gb ram, 2x80gb hard drive 21:01 < Dougy[home]> in a SuperMicro 4 sata hotswap case 21:01 < Dougy[home]> with a 500 watt psu 21:01 < Dougy[home]> for $155 shipped 21:01 < krzie> WTF 21:01 < krzie> how do you always get these deals 21:01 < krzie> im jealous like half the time we talk 21:01 < krzie> lol 21:01 < Dougy[home]> ebay 21:02 < Dougy[home]> i got 21:02 < krzie> its a rackmount? 21:02 < Dougy[home]> yes 1u 21:02 < Dougy[home]> 2x hotswap, pentium 4 3.0, 2gb ram 21:02 < krzie> damn bro 21:02 < Dougy[home]> 2xhotswap 21:02 < krzie> savage 21:02 < Dougy[home]> for $105 21:02 < Dougy[home]> krzie: http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&ssPageName=STRK:MEWNX:IT&item=230334825480 21:02 < vpnHelper> Title: Supermicro 1U Dual Xeon 3GHz 1GB DDR266 80GB Server - eBay (item 230334825480 end time Apr-08-09 15:34:10 PDT) (at cgi.ebay.com) 21:03 * krzie hacks dougy's ebay and changes the shipping address 21:03 < Dougy[home]> krzie: send me $25 21:03 < Dougy[home]> and you can have all the guts of it 21:03 < Dougy[home]> all i want is the case 21:03 < Dougy[home]> mobo, harddrive, memory, ipmi card 21:03 < Dougy[home]> all yours 21:03 < krzie> you're kidding me? 
21:03 < Dougy[home]> for 25 bux 21:03 < Dougy[home]> id rather say 50 bucks 21:03 < Dougy[home]> but 25 sure ill give you it 21:03 < Dougy[home]> i mean the case new is $400, so i got a heller deal on it 21:03 < krzie> shit if i can buy a case and send that to you to toss it in, ill take that for sure 21:03 < Dougy[home]> yea sure 21:03 < krzie> im in another country so shipping back and forth wouldnt work 21:04 < Dougy[home]> if you wanna do 50bux go for it 21:04 < Dougy[home]> i will see 21:04 < Dougy[home]> if i can klepto some more ram for it 21:04 < Dougy[home]> y'know.. like make it 4 gigs or some shit 21:04 < krzie> sickness 21:04 < Dougy[home]> but id def like to ask for 50 at that point 21:04 < krzie> for sure 21:04 < Dougy[home]> but yah, tis yours for that 21:04 < Dougy[home]> albeit you will need a decent little case for that 21:04 < Dougy[home]> it wont run on a 260 watt psu 21:04 < Dougy[home]> you'll def need 400 21:05 < krzie> dual cpu, for sure it dont do 250 21:05 < Dougy[home]> yea 21:05 < Dougy[home]> those old cpu's are power whores 21:05 < Dougy[home]> I ran a dual 3.2 wtih 4gb ram on 350 21:06 < krzie> i have a box sitting at ecrists house with no purpose, not rackmount tho 21:06 * Dougy[home] is trying to rent out vps's and servers and not doing too well 21:06 < krzie> maybe ill kick that into the deal for ya, im sure you'd find something to do with it 21:06 < Dougy[home]> id offer you colo too but i can only offer you it at the price i get it for 21:06 < krzie> ya thats a saturated market 21:06 < Dougy[home]> and probably too much for your blood 21:07 < krzie> very likely 21:07 < krzie> i get too good of deals 21:07 < Dougy[home]> i get offered stuff now and again 21:07 < Dougy[home]> so krzie 21:07 < krzie> ie: i have 2 100mbit boxes i pay $500/yr for 21:07 < Dougy[home]> im lead bidder right now on.. 
21:07 < krzie> (total, not each) 21:07 < Dougy[home]> Pentium 4 3.0 ghz 21:07 < Dougy[home]> 2gb ram ,2x36gb hd 21:07 < Dougy[home]> 2 hotswap case 21:07 < Dougy[home]> top bid is currently $0.99 :] 21:08 < krzie> damn, no minimum 21:08 < krzie> ? 21:08 < Dougy[home]> nope 21:08 < Dougy[home]> i won the other one for $35 21:08 < Dougy[home]> same spec 21:08 < krzie> i hope theres no snipers and you pay $1 21:08 < krzie> damn bro 21:08 < Dougy[home]> 2x supermicro hotswap, 250w psu 21:09 < dan__t> computars? 21:09 < dan__t> wher?!!!?// 21:10 < krzie> lol 21:10 < krzie> all your <$100 cpu belong to doug 21:11 < Dougy[home]> lol 21:13 < Dougy[home]> i have a bunch of socket 478 p4's on my desk 21:13 < Dougy[home]> and at work i have like 21:13 < Dougy[home]> 20 P4SGA+'s (478 p4's) 21:13 < dan__t> I'm waiting for the girl to get here so we can go get fucked up. 21:13 < krzie> dan__t dont forget to take nekkid pics of her and post them for us 21:14 < krzie> she wont care when shes all hammered 21:14 < krzie> :-p 21:14 < dan__t> word. 21:15 < Dougy[home]> lol 21:15 < Dougy[home]> man 21:15 < Dougy[home]> so does anyone need a vps? 21:15 < Dougy[home]> $5/mo ! 21:15 < Dougy[home]> sorry kids, no bsd yet 21:16 < krzie> no bsd == no krzee 21:16 < krzie> hehe 21:16 -!- _Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 21:16 < dan__t> centos? 21:16 < dan__t> can I use them for hardcore blackhat SEO? 21:16 < krzie> whats SEO? 21:16 < Dougy[home]> search engine optimziation 21:16 < Dougy[home]> optimization 21:16 < Dougy[home]> blackhat seo.. 
bastard 21:17 < dan__t> heh 21:17 < dan__t> whatever's clever 21:17 < dan__t> so that's a no eh 21:17 < Dougy[home]> i don't even know what it is 21:17 * Dougy[home] googles 21:17 < dan__t> don't worry 21:17 < dan__t> its cool 21:17 < Dougy[home]> oh 21:17 < Dougy[home]> never mind the googling 21:17 < Dougy[home]> i recognize the term now 21:17 < Dougy[home]> def not :p 21:17 < dan__t> why not 21:17 < Dougy[home]> that is dirty 21:18 < krzie> rigging search results? 21:18 < Dougy[home]> right 21:18 < krzie> gotchya 21:18 -!- huslu_ [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 21:18 < krzie> can i use it to sell my viagra to people that didnt sign up for my emails? 21:18 < krzie> 21:18 < dan__t> Where in CO are you, huslu_? 21:18 < dan__t> heh 21:19 < dan__t> i finally un-fucked whmcs 21:19 < dan__t> Only took like... I don't know, three days. 21:19 < dan__t> :/ 21:19 < Dougy[home]> whmcs 21:19 < Dougy[home]> is ok 21:19 < dan__t> Its the shit. 21:19 < Dougy[home]> i use it, but id rather use something else 21:19 < dan__t> Everything else sucks. 21:19 < Dougy[home]> but there isnt much better 21:19 < dan__t> There you go. 21:19 < Dougy[home]> not for automated anything 21:19 < Dougy[home]> imo 21:20 < Dougy[home]> freshbooks is great for a third party one 21:20 < dan__t> automated billing, yes. 21:20 < Dougy[home]> i would use it, but too lazy to move 21:20 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: jameswhite, kraut, huslu, Dougy 21:20 -!- _Dougy is now known as Dougy 21:21 < dan__t> eh. 21:21 < dan__t> alright, i need to get in the shower. 21:21 < dan__t> later, kids. 
21:21 < krzie> adios 21:21 < Dougy[home]> get out of here 21:23 < Dougy[home]> krzie i got something for you 21:23 < Dougy[home]> hold 21:23 < Dougy[home]> here 21:23 < Dougy[home]> http://cgi.ebay.com/Silicon-Mechanics-2-x-AMD-Opteron-246-2-0-GHz-1U-Server_W0QQitemZ190290736825QQcmdZViewItemQQptZCOMP_EN_Servers?hash=item190290736825&_trksid=p3286.c0.m14&_trkparms=72%3A1234%7C66%3A2%7C65%3A12%7C39%3A1%7C240%3A1318%7C301%3A1%7C293%3A1%7C294%3A50 21:23 < vpnHelper> Title: Silicon Mechanics 2 x AMD Opteron 246 2.0 GHz 1U Server - eBay (item 190290736825 end time May-01-09 16:37:37 PDT) (at cgi.ebay.com) 21:23 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 21:24 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Killed by sagan.freenode.net (Nick collision)] 21:24 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has joined ##openvpn 21:24 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has joined ##openvpn 21:24 -!- jameswhite [n=james@fapestniegd.jameswhite.org] has joined ##openvpn 21:25 < krzie> moin kraut 21:25 -!- kraut_ [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 21:25 < Dougy[home]> krzie: check that out 21:25 < krzie> my client im on can only click 1 line 21:25 < krzie> then i have to paste the rest 21:25 < krzie> that one is 5 lines deep 21:25 -!- kraut [i=kraut@2001:6f8:12a9:0:0:0:4:0] has quit [SendQ exceeded] 21:25 < Dougy[home]> grrmbl 21:25 < Dougy[home]> go to ebay 21:25 -!- kraut_ is now known as kraut 21:25 < Dougy[home]> search silicon mechanics 21:25 < Dougy[home]> you will see some bad ass deals 21:27 < krzie> shit you just reminded me bout a couple things i need to get 21:27 < Dougy[home]> like? 
21:27 < krzie> i need like 2 dvd burners and i saw a deal too good to passup on a TV 21:27 < krzie> like $350 for a 32" hdtv 21:27 < Dougy[home]> ah 21:28 < krzie> which im sure would make a nice computer monitor ;] 21:28 < krzie> http://www.onsale.com/shop/detail~dpno~7773760~descr~Westinghouse-322+720p+LCD+HDTV+with+Built-In+ATSCfNTSCfClearQAM+Tuner+-+Refurbished.aspx 21:28 < vpnHelper> Title: Westinghouse SK32H540S-R 32 720p LCD HDTV with Built-In ATSC/NTSC/ClearQAM Tuner - Refurbished (at www.onsale.com) 21:29 < epaphus> hey guys, how can I learn more about load balancing on OPenVPn? and how it is determined to "balance " ? 21:30 < krzie> what do you mean by that? 21:30 < Dougy[home]> krzie: did you go to ebay 21:30 < epaphus> well, I see tha tin the client.conf you can input several servers... to balance bewteen the servers 21:30 < krzie> yup, didnt see anything too special 21:31 < krzie> blocks you mean? 21:32 < epaphus> # The hostname/IP and port of the server. # You can have multiple remote entries # to load balance between the servers. remote my-server-1 1194 ;remote my-server-2 1194 21:32 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has quit [Connection timed out] 21:32 < epaphus> according to the example cofig in ubuntu for openvpn 2.1 21:34 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: dazo_gone, vlt, isox, kraut, ftp3, mtoledo`, xor|, pa, carpe_, worch, (+18 more, use /NETSPLIT to show all of them) 21:34 -!- ThoMe is now known as thomas 21:34 < krzie> havnt read much on it but i believe it just tries them in order til one works, unless you use remote-random or something like that to randomize it 21:34 < epaphus> krzee, do you know where i can read more? 21:34 < krzie> you use openbsd, prolly would enjoy learning about CARP more 21:34 < krzie> yes i do! 
21:34 < krzie> !man 21:34 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:34 < krzie> the same place you can learn about everything else in openvpn, the manual! 21:35 -!- Netsplit over, joins: tarbo2, troy-, kraut, aluis__, carpe_, Bushmills, isox, kaii, karlpinc, dazo_gone (+18 more) 21:35 -!- thomas [n=tm@tm.muc.de] has quit [Killed by sagan.freenode.net (Nick collision)] 21:36 -!- ThoMe [n=tm@tm.muc.de] has joined ##openvpn 21:36 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: tarbo2, troy- 21:39 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 21:43 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 21:44 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded] 21:45 < epaphus> krzee, do you think CARP would apply to this? 21:45 < epaphus> i dont know carp 21:48 < krzie> CARP is for automated local failover 21:48 < krzie> its one of the great things to come from obsd 21:48 < krzie> fbsd has it now so :-p 21:54 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Solver, HardDisk_WP, infinity_ 21:55 -!- Netsplit over, joins: infinity_ 21:56 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 21:56 -!- Solver [n=robert@99.229.28.193] has joined ##openvpn 22:02 < Dougy[home]> krzie 22:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 22:05 < krzie> dougy 22:05 < Dougy[home]> i am a dirt bag 22:08 < krzie> me too, its fun isnt it 22:09 < Dougy[home]> krzee 22:09 < Dougy[home]> look what im doing on my 45/mo colo 22:09 < Dougy[home]> http://www.upload3r.com/serve/110409/1239505080.png 22:09 < Dougy[home]> krzie * 22:13 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 22:17 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 22:21 -!- Dougy[home[ [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn 22:22 < krzie> im krzee too, 
same thing 22:22 < krzie> damn, you're using that sucker 22:22 < epaphus> Iam reading through the options of the OpenVPN client.conf.. there is a part where you can specify if you want to connect through a http proxy... I cant imagine any logic in regards to that... i mean are they expecting to channel it through something like squid? 22:23 < krzie> epaphus some companies ONLY allow outbound connections through http proxy 22:23 < krzie> (like squid) 22:23 < Dougy[home[> lol 22:23 < Dougy[home[> krzie: i know 22:23 < Dougy[home[> im a dick tho 22:23 < Dougy[home[> lol 22:24 < krzie> i almost never use that much BW on my colos 22:24 < krzie> i certainly dont sustain it 22:24 < krzie> and they dont even check my usage 22:24 < Dougy[home[> well 22:24 < epaphus> this may off topic but.. can squid actually support tcp traffic like the one for the VPN? hell i think squid cant even proxy SSL 22:24 < Dougy[home[> i sponsor a bunch of open source projects on it 22:25 < Dougy[home[> none of which im gonna share 22:25 < krzie> epaphus ive never tried, dunno... but i suspect some can or it wouldnt be there 22:25 < Dougy[home[> if anyone wants a VPS 22:25 < epaphus> ohh well :) 22:25 < krzie> open source + not share 22:25 < Dougy[home[> perfect for openvpn 22:25 < Dougy[home[> $5/month 22:25 < krzie> seems like a contradiction 22:26 < Dougy[home[> by not share 22:26 < Dougy[home[> i mean not sharing that i host them 22:26 * krzie pegs 400mbit on his vps from dougy 22:26 < Dougy[home[> they dont want people to know 22:26 < epaphus> btw off topic too... do you think there is really value to a quad core.. in comparison to the productivity versus the price..? or its just like a gift... 22:26 < Dougy[home[> krzie: you will get a bill for that 22:26 < Dougy[home[> at $20/Mbps 22:26 < krzie> come find me! 
22:27 < krzie> epaphus, depends on what is needed for the job of the server 22:27 < krzie> if you are video rendering, definitely 22:28 < krzie> if you are running openvpn, absolutely not 22:28 < epaphus> hmm, yeah iam pretty self centered sometimes.. your right. i dont do any of that stuff 22:29 < epaphus> I remember the days when I hosted a website with thousands of visitors per hour on a pentium III and i never had a problem 22:29 < epaphus> :P 22:30 < krzie> i put together my new quad core last night 22:30 < krzie> with 8GB ram 22:30 < epaphus> i heard... 22:30 < epaphus> nice 22:30 < krzie> but that will be my primary desktop 22:30 < krzie> and i use my stuff =] 22:30 < troy-> krzie, nice. 22:30 < troy-> mine only has 4G ram but upgradable to 8G 22:31 < krzie> i believe i could use 16GB 22:31 < krzie> 4x4gb 22:31 < krzie> but seriously, why 22:31 < krzie> lol 22:32 < epaphus> ohh well, no further comments :P 22:37 < troy-> krzie, what kind of throughput do you get on your tunnels? 22:38 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [Remote closed the connection] 22:39 < krzie> *shrug* never been unhappy with it 22:39 < troy-> but sever hundred Kbps 22:39 < troy-> err several hundred KBps 22:39 < krzie> megabytes / sec 22:39 < troy-> krzie :P 22:40 < troy-> i cant figure out why mine is so low 22:40 < krzie> didnt you say yours was tcp? 22:40 < troy-> yes, but i've tried UDP as well with similar results 22:40 < krzie> dunno 22:41 < krzie> maybe someone in bwteen does funny mtu stuff 22:41 < troy-> without the VPN between same hosts i get MB/s 22:42 < krzie> what do you use the vpn for? 22:42 < troy-> transferring backups 22:42 < krzie> maybe you would get better results with a ssh tunnel or socks server 22:42 < krzie> or scp even 22:46 < troy-> yeah, mite be a good idea 22:48 < krzie> also, did you change the encryption method for the channel? 
22:48 < krzie> or is it using the default (blowfish) 22:49 < krzie> that could make a lil diff, i use blowfish 22:49 < krzie> but for offsite backups ild just use scp 22:50 < krzie> which uses ssh for encryption 22:50 < troy-> yep 22:50 < troy-> lemme check 22:50 -!- theDoc [n=andelyx@bb116-15-5-216.singnet.com.sg] has joined ##openvpn 22:51 < troy-> krzie, i dont see any reference to crypt in server.conf 22:51 < Dougy[home[> pastebin 22:51 -!- Dougy[home[ is now known as Dougy[home] 22:51 < krzie> k its prolly blowfish then 22:51 < troy-> ah its Dougy[home] :P 22:51 < Dougy[home]> WHERE 22:51 < krzie> if you didnt change it its blowfish 22:51 < krzie> anyways, test it with scp 22:51 < Dougy[home]> You are now logged in. (id Dougy, username i=doug, hostname 64-18-144-2.ip.bergenhosting.com) 22:51 < Dougy[home]> w00t 22:51 < troy-> makes sense 22:51 < krzie> the speed 22:53 < epaphus> --remote-random 22:53 < epaphus> When multiple --remote address/ports are specified, or if connection profiles are being used, initially randomize the order of the list as a kind of basic load-balancing measure. ... "BASIC" .. it was to good to be true :P 22:53 < epaphus> but its a neat option 22:54 < krzie> i guess 22:54 < krzie> nothing i see myself ever using 22:55 < epaphus> its neat when you have 50 clients 22:55 < epaphus> or more.. 22:56 < epaphus> problem is.. if one of those servers acts up.. example it has a slow link.. its may be hard to diagnose which one it is because they will hcange so rapidly... 22:56 < epaphus> i can imagine random people saying .. my connection is slow, ohh now it isnt, now it is.. now it isnt 22:57 < krzie> i dont think you understand 22:57 < krzie> it doesnt change moment to moment 22:57 < krzie> it randomizes which server you connect to 22:57 < epaphus> ohhhhh it changes once per client 22:57 < epaphus> ohhh.. 
22:57 < Dougy[home]> fail 22:57 < krzie> LOL 22:57 * Dougy[home] high fives krzie 22:58 < epaphus> oh okie :) 22:58 < krzie> ^5 22:58 < Dougy[home]> i wanted to say 22:58 < Dougy[home]> pound it 22:58 < Dougy[home]> but that sounds so flamingly 22:58 < Dougy[home]> bad 22:58 < Dougy[home]> i didnt 22:58 < krzie> shamrock vs diaz fight is bout to start 22:58 < krzie> so ill be idle 22:58 < Dougy[home]> k 22:58 < Dougy[home]> bed time 22:58 < Dougy[home]> ciao childs 22:59 < krzie> childs, lol 22:59 < krzie> can you even drive yet!? 23:00 < Dougy[home]> yes 23:00 < krzie> legally 23:01 < krzie> ;] 23:01 < Dougy[home]> yes$ 23:01 < Dougy[home]> yes 23:01 < krzie> ;] 23:01 < krzie> lol 23:01 < krzie> im just fuckin with ya too, youre more mature than many on irc 23:01 < Dougy[home]> dont push it now 23:01 < Dougy[home]> lol 23:02 < krzie> ~lotta lolcats here 23:04 < epaphus> wow... traffic shaper is very neat... :) 23:14 < epaphus> anyways... could somebody provide me an example of how to send a SIGNAL to openvpn ... iam not quite sure.. ? 23:17 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has joined ##openvpn 23:17 < lepine> !topology 23:17 < vpnHelper> lepine: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 23:18 -!- mtoledo`` [n=user@189.102.205.95] has joined ##openvpn 23:20 -!- Dougy[home] [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [] 23:23 < lepine> I've been playing around with tunnelling w/ openvpn these past few days ... 23:23 < lepine> is a 40% throughput hit normal? 23:23 < lepine> my server is my web server from which i can saturate my home connection 23:24 < lepine> but when doing speedtests, i'm getting 3mbps instead of 5 23:27 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 23:28 < epaphus> hey guys... 
now iam proceeding on setting up a client with OPenVPN 2.1 on UBuntu. When i run the openvpn --config client.conf command... the prompt returns again to input and no process is generated. Also the /var/log/messages doesnt change... how could I troubleshoot this? 23:28 < lepine1> Sorry, there was an obvious error in my ways. I connected to my vpn (and timedout on irc ... i kept writing until i noticed) ... 23:29 < lepine1> I was using speedtest.net to test, instead of my usual server ... 23:29 -!- mtoledo` [n=user@189.102.205.95] has quit [Read error: 113 (No route to host)] 23:29 < lepine1> the throughput hit is approx. 15% ... is that normal? COuld a better server make it better? 23:30 < lepine1> epaphus: there *is* a verbosity setting somewhere 23:30 < epaphus> verb is set to 6 23:30 < lepine1> oh, that's high enough for me 23:31 < epaphus> and for me :P 23:31 < lepine1> do excuse me ... i'm quite the noob 23:32 < lepine1> to either openvpn, openssl, pki, or even encryption! 23:34 < lepine1> could someone point me towards a decent document that will teach me how to generate a private key ... and csr? 23:35 < lepine1> and hopefully will get me up to speed on this whole encryption/pki thing? 23:38 < krzee> epaphus, are you starting it as root? 23:38 < epaphus> krzee, yes iam 23:38 < krzee> lepine: 23:38 < krzee> !ssl-admin 23:38 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 23:39 < krzee> for an alternate package for generating them that is SIMPLE 23:39 < krzee> or the howto for the easy-rsa way 23:39 < krzee> ssl-admin makes it easier, assuming you arent doing it on windows 23:43 < epaphus> no suggestions anybody ? 
:) 23:44 < krzee> nope, read your logs 23:44 < krzee> !route 23:44 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 23:44 < krzee> (that was for me) 23:44 < krzee> (mail list reply) 23:44 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has quit [Read error: 110 (Connection timed out)] 23:45 < epaphus> krzee, well... the logs /var/log/messages doesnt have anything when i startup openvpn 23:45 < epaphus> or try to 23:46 < lepine1> krzee: thanks, reading 23:47 -!- theDoc [n=andelyx@bb116-15-5-216.singnet.com.sg] has quit [] 23:47 < lepine1> can one generate keys on a machine other than the ones they will be used on? 23:47 < lepine1> there's a tool in gnome called tinyca 23:49 < krzee> yes, its the normal way 23:50 < krzee> i know nothing about tinyca, but more often than not keys are generated in a secure place away from the vpn 23:50 < krzee> at my house its done on a machine that gets no interaction with the inet 23:51 < krzee> ca.key is the cornerstone of secure certs 23:51 < lepine1> right 23:51 < lepine1> the one thing i'm still not sure about is how to revoke keys ... or how that works 23:51 < krzee> i use ssl-admin 23:51 < lepine1> in that page you linked ... 23:51 < krzee> it generates the crl for you when you need it 23:51 < lepine1> it mentions a URI for revoked crts ... 23:51 < krzee> and it keeps track of client certs 23:52 < krzee> honestly i have no clue what that does 23:52 < krzee> ive never revoked a cert 23:52 < krzee> never needed to, lol 23:52 < krzee> ecrist would know tho when hes in 23:52 < lepine1> does that mean a certificate will *always* be valid (minus the timeframe) ... but clients must check on that revoked cert list to check first? 
23:52 < krzee> since he coded ssl-admin 23:52 < krzee> clients dont check it 23:52 < krzee> server does 23:52 < krzee> to decide if the client is valid 23:52 < lepine1> right, i meant client as user of the pki 23:55 < lepine1> krzee: if you're generating *keys* on another machine, you still have to transmit it ( and store it ) on the machine for which it's destined ... what's the securty advantage here? 23:59 < krzee> because the ca.key is safe 23:59 < krzee> which is what REALLY matters 23:59 < lepine1> yes, that i can see 23:59 < krzee> if i get your ca.key, you're whole pki setup is screwed 23:59 < lepine1> but generating client keys ... --- Day changed Sun Apr 12 2009 00:00 < krzee> anything else you can fix 00:00 < lepine1> or did i misunderstand you 00:00 < krzee> pki's security rests upon a safe ca.key 00:00 < krzee> you can have clients make their own csr 00:00 < krzee> they send to you 00:00 < krzee> you take to CA server in secure location 00:00 < krzee> sign it 00:00 < krzee> send them their .crt over encrypted channel 00:00 < krzee> and its fine 00:01 < lepine1> ok cool, that makes sense 00:01 < krzee> csr can be sent any way 00:01 < krzee> crt should be kept safe 00:01 < krzee> ca.key should have an armed guard ;] 00:01 < lepine1> sneaker-net basically 00:08 < lepine1> can openvpn handle 4096 bit keys? 00:08 < lepine1> it's the default value in tinyca 00:11 < krzee> i use them 00:11 < lepine1> alrighties 00:12 < lepine1> do you make use of sub-ca's? 00:12 < krzee> one thing tho, not a whole lot of testing some of these algorithms at 4096 has gone on 00:12 < krzee> so for all we know we could be making them less secure by going to 4096 00:12 < lepine1> i assume that using them is a good idea ... since a sub ca being compromised doesn't compromise the whole PKI ... 
just what's under that sub-ca 00:13 * krzee thinks back to an XOR encryption that you just had to XOR the contents against itself to get the unencrypted text 00:13 < krzee> no i dont 00:13 < lepine1> lol 00:13 < krzee> and ive seen people with problems from using them 00:13 < lepine1> but is that the advantage, atleast on paper? 00:15 < lepine1> sorry, i don't mean to monopolize your time ... it's just how i learn ... think outloud with people that are better than me, and question everything ... 00:18 < krzee> no 00:18 < krzee> thats not the point of a sub-ca 00:18 < krzee> its no more secure 00:18 < lepine1> oh 00:18 < lepine1> then what is the point? adminstrative convenience? 00:18 < krzee> yes 00:18 < krzee> im sure google will explain 00:19 < lepine1> added to the 'to google' queue 00:19 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 00:30 < krzee> !freebsd 00:30 < vpnHelper> krzee: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 00:35 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ftp3, CybDev, ]Sintax[, kraut, reiffert, Typone 00:37 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Client Quit] 00:38 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 00:38 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn 00:38 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 00:38 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has joined ##openvpn 00:38 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn 00:38 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 00:38 -!- CybDev [n=cybdev@unaffiliated/cybdev] has joined ##openvpn 00:49 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: vlt, ftp3, CybDev, ]Sintax[, kraut, reiffert, Typone 00:50 -!- Netsplit over, joins: kraut, Typone, vlt, ]Sintax[, ftp3, reiffert, CybDev 01:08 -!- lepine1 
[n=leprecha@ip-70-38-54-219.static.privatedns.com] has quit [Connection timed out] 01:12 -!- ]Sintax[ [n=sintax@cpe-72-184-119-119.tampabay.res.rr.com] has quit [] 01:13 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has joined ##openvpn 01:17 < lepine> what does this mean: Sun Apr 12 02:22:46 2009 us=717749 Cannot load certificate file /path/to/file.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib 01:23 < krzee> it means your crt isnt actually located at /path/to/file.crt 01:23 < krzee> you might wanna put a real location 01:23 -!- burak575 [n=burak575@88.244.246.59] has joined ##openvpn 01:24 < Bushmills> krzee, do ou 01:24 < Bushmills> you ever sleep? 01:24 -!- burak575 [n=burak575@88.244.246.59] has left ##openvpn [] 01:25 < krzee> i was thinking that earlier 01:25 < krzee> decided on not really 01:25 < Bushmills> then "yes, usually at the end of the month" might be a suitable answer 01:26 < krzee> lol 01:26 < lepine> krzee: nm, my bad ... the file was there ... but it was an exported certificate, and not a pem or other such file 01:31 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 01:32 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Client Quit] 01:35 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)] 01:37 < lepine> openvpn rocks 01:39 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 01:39 < lepine1> I'm loving openvpn ... 
01:40 < lepine1> i should have made this small investment in time years ago
01:40 < lepine1> god knows how many cons i've been to and either being stuck on links through ssh, or browsing normally and crossing my fingers
01:52 < krzee> through ssh isnt that bad if you do it right
01:52 < krzee> it creates a connection a socks proxifier can use
01:53 < krzee> so you can actually send basically anything over it
01:53 -!- lepine [n=leprecha@76-10-138-13.dsl.teksavvy.com] has quit [Connection timed out]
01:53 < krzee> he'll ive sent voip over a correctly configured socks server even
01:54 < krzee> (not sure if ssh tunnel will do udp
01:54 < krzee> (not sure if ssh tunnels will do that or not tho)
01:54 < lepine1> oh, i was ssh'ing to a box, and using command line tools!
01:54 < lepine1> not using tunnels :P
01:54 < krzee> oh
01:55 < lepine1> go mutt and lynx!
01:55 < krzee> hah
01:55 < krzee> if you had ssh you had a secure proxy to use your normal browser
01:55 < lepine1> lynx really didn't like the Exchange Web Access though :P
01:55 < krzee> haha
01:55 < krzee> links might have handled that better too
01:55 < krzee> links behaves better for some of that stuff
01:56 < lepine1> well ... i sincerely doubt either links or lynx has any support for active x whatsoever :P
01:56 < lepine1> (ms don't try using xmlhttprequest)
01:58 < lepine1> anyway ... the reason i'm up in arms about tunnelling is to do it at work. I recently got a scare by talking to an ex-employee who stayed as a consultant, and mentioned my boss said he had a way of monitoring me ...
01:58 < lepine1> knowing my boss, as much as he would want to ... he was most likely bluffing
01:58 < lepine1> however, i won't take any chances
01:59 < lepine1> other than tunnelling through my vpn
01:59 < lepine1> what else should i consider?
01:59 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
01:59 < lepine1> i've got ubuntu installed on my machine ... but can't get it setup right (i would look like an idiot if i cant get my quad monitor setup correctly)
02:04 < krzee> how would you look admitting you're having problems doing something in ubuntu?
02:04 < krzee> 
02:04 < lepine1> lol
02:05 < lepine1> well, quad monitors is a different ballgame
02:05 < lepine1> and quite frankly, i can't justify the time investment to hacking that just yet
02:05 < krzee> im sure it isnt that much different in the config files
02:05 < krzee> ild be shocked to find out it was
02:06 < lepine1> there's a reason why the config tools only support two monitors
02:06 < krzee> because its the windows of the linux world?
02:06 < lepine1> well, it's probably not that complicated
02:06 < lepine1> lol
02:06 < lepine1> i've got an nvidia card, with the nvidia driver
02:07 < krzee> good thing you're in linux, those drivers suck for freebsd cause its closed source
02:07 < lepine1> dual works on 2 monitors
02:07 < lepine1> then i've got an ati card, which i haven't tried configuring
02:07 < lepine1> (it's pci, also)
02:07 < lepine1> nvidia is pci-e
02:08 < lepine1> so i figured using xinerama to make a virtual screen with the nvidia + the two ATI ...
02:08 < lepine1> i'm sure it's something along those lines
02:09 < lepine1> perhaps i can bypass the nvidia twinview, and use xinerama all the way, on 4 screens instead of 3 ...
02:10 < lepine1> but on to my original question
02:10 < lepine1> how safe would i be from scrutiny if tunnelling with a vpn?
02:10 < lepine1> what other snooping vectors can you think of?
02:11 < lepine1> physical key loggers ... but that's obvious, and implies someone will take time to check what i'm typing, which is impossible given everyone in the office already works too much and don't want extra tasks :P
02:12 < lepine1> while sticking to windows, i'm open to software keyloggers ... screen caps
02:12 < lepine1> and other such things
02:13 -!- uned [i=uned@gateway/tor/x-e84019702922f89e] has joined ##openvpn
02:14 < uned> my provider uses bandwidth limiting per connection, so how do i get openvpn to connect to its client(s) through 20 tunnels simultaneously?
02:16 < lepine1> hmmm, that'd be a nice hack
02:16 < krzee> !mitm
02:16 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
02:16 < krzee> !servercert
02:16 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
02:16 < uned> lepine1: but difficult too?
02:16 < lepine1> probably not
02:16 < lepine1> maybe you can get a proof of concept going with iptables
02:17 < krzee> !irclogs
02:17 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
02:18 < lepine1> or perhaps there's the possibility to bond the links
02:18 < uned> lepine1: could you help me?
02:18 < uned> iirc there are some ways to fuse two network interfaces into one
02:18 < lepine1> i'd be glad to help ... cant guarantee to be much use though
02:18 < uned> is this what i'd need?
02:19 < lepine1> yes
02:19 < lepine1> that would likely be the best option, vs some iptables hack
02:19 < uned> i think such a how-to would be a nice addition to an openvpn wiki
02:20 < lepine1> perhaps not very useful for 99.9% of people ... but certainly a nice feat indeed
02:20 < uned> so do i simply run the server twenty times on different ports and then fuse the interfaces?
02:20 < lepine1> no, you would be running 20 clients to one server
02:21 < uned> all 21 on just one computer?
02:21 < lepine1> or, actually, that could depend on your ISP's traffic shaping
02:21 < lepine1> but i would try 20 clients to one server first (much simpler)
02:21 < uned> all 21 on just one computer?
02:22 < lepine1> well, 20 clients on the client, 1 server on the server
02:22 < uned> on each client. i see
02:23 < lepine1> there's a server directive that says it can accept many connections with one same certificate
02:23 < lepine1> duplicate-cn i believe
02:23 < uned> oh, and another question: i have server, client1, client2 and a lot of traffic between client1 and client2. does that traffic have to pass through the server?
02:24 < lepine1> client1 and client2 being two different machines, yes
02:24 < uned> lepine1: i'm ok with running twenty clients with twenty different config directories and keys, only, won't they be very resource-uneconomical?
02:24 < lepine1> the tool you're looking for is most likely ifenslave
02:25 < lepine1> i don't know if openvpn will let you run more than one connection with the same config file
02:25 < lepine1> it would be a hassle if not
02:25 < lepine1> but atleast you don't necessarily have to do the same on the server
02:26 < lepine1> and you *can* use the same keys
02:26 < lepine1> what have you tried as of now?
02:26 < lepine1> openvpn is by default udp ...
02:26 < krzee> !ipp.txt
02:26 < vpnHelper> krzee: Error: "ipp.txt" is not a valid command.
02:26 < krzee> !ipp
02:26 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
02:26 < lepine1> the first step i think would be really understanding your ISP's traffic shaping
02:27 < lepine1> does it really understand a connection?
02:27 < krzee> !iporder
02:27 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
02:27 < lepine1> or does it just assume anything from the same ip:port to the same ip:port is a connection?
02:27 < lepine1> or does it inspect packets and actually check if it's a connection
02:27 < krzee> !hmac
02:27 < lepine1> if it does that ... udp might not even be shaped at all
02:27 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
02:27 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
02:28 < uned> how can i get rid of some server traffic by making client1 and client2 communicate to one another separately, with only some very-low-traffic server supervision?
02:30 < lepine1> client1 and client2 being 2 different computers?
02:30 < lepine1> or just 2 instances of vpn connections on the same machine?
02:30 < lepine1> the latter makes no sense to me, so i will assume the first
02:30 < lepine1> and in that case, i don't think it's possible
02:31 < uned> two different computers that happen to have more bandwidth available than the server (ironically, i know)
02:31 < lepine1> imagine the VPN being an ethernet cable ... and the server being a switch
02:31 < lepine1> it has to go through the switch
02:31 < uned> much more bandwidth available!
02:31 < lepine1> eh, weird
02:31 < uned> right
02:31 < uned> i knew it
02:32 < lepine1> well, you could always run a vpn between the two
02:32 < uned> i was hoping i could somehow make my vpn more flexible
02:32 < lepine1> maybe there's a way to make a mesh out of vpn'ed machines
02:32 < lepine1> but that's probably out of the scope of openvpn
02:32 < lepine1> but that could be a cool project
02:33 < lepine1> that'd be really cool
02:33 < lepine1> not terribly elegant or useful, but cool nevertheless
02:33 < uned> so i was hoping there was some way to use the server only for doing some authentication stuff and let the clients communicate to each other for the real heavy traffic
02:35 < lepine1> do you want tcp/ip connections specifically?
02:36 < lepine1> or just a way to exchange files?
02:36 < lepine1> google said this: http://www.synacklabs.net/projects/cutlass/
02:36 < vpnHelper> Title: Cutlass - Encrypted Peer-to-Peer communications (at www.synacklabs.net)
02:36 < uned> i'd prefer connections. that's be the most transparent so then i won't have to care about some per-situation challenges
02:37 < lepine1> yeah, so would i
02:37 < uned> s/that's/that'd/
02:38 < lepine1> particularly relevant: http://www.mesh-networks.org/
02:38 < vpnHelper> Title: Mesh Networks Research Group (at www.mesh-networks.org)
02:38 < lepine1> and mentions openvpn on the first page
02:39 < lepine1> wait, that's wireless
02:40 < uned> lepine1: then should i try to run every participating machine as both client and server simultaneously and use the ifenslave interface instead of the tuns?
02:40 < uned> do you think this would be the most transparent?
02:41 < krzee> [03:28] how can i get rid of some server traffic by making client1 and client2 communicate to one another separately, with only some very-low-traffic server supervision?
02:41 < krzee> totally doesnt exist in openvpn
02:41 < lepine1> krzee: yeah, we're discussing how one could do such a thing
02:41 < uned> krzee: and no workaround?
02:41 < krzee> none that have been made
02:41 < krzee> feel free
02:41 < lepine1> end result ... how does one make a mesh network with vpn's instead of wireless AP's
02:42 < krzee> my idea was to have a client request to the server to start the process between clients
02:42 < lepine1> totally doable ... but outside of the scope of openvpn per se
02:42 < krzee> server checks with the client if its ok (config option)
02:42 < krzee> if so the client sends some info to the server
02:42 < krzee> to start the new negotiation process
02:42 < krzee> so they can exchange keys and info beforehand in an already encrypted channel
02:43 < krzee> they could even both connect out to eachother to bypass NAT
02:43 < krzee> but im no coder
02:43 < krzee> feel free, like i said
02:43 < krzee> openvpn is open source, you're free to contribute
02:43 < uned> krzee: but how can the server start the process between clients?
02:44 < krzee> client1 tells server it wants a direct connect with client2
02:44 < krzee> server tells client2
02:44 < lepine1> krzee: am i crazy to think that a mesh made of vpn nodes on the internet would be awesome, even though it would be quasi useless?
02:44 < uned> krzee: i would only contribute utilities, not main code
02:44 < krzee> client2 says yes or no
02:44 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)]
02:44 < krzee> lepine1, i dont see how that could be built in with openvpn
02:44 < lepine1> on top of
02:44 < lepine1> you can be a client easy, and run a server
02:45 < krzee> doesnt seem too special to me
02:45 < lepine1> lol
02:45 < lepine1> all there is to figure out is the routing
02:45 < lepine1> and ip addressing
02:45 < krzee> !route
02:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:45 < lepine1> there are mesh routing protocols available
02:45 < krzee> !iporder
02:45 < vpnHelper> krzee: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
02:45 < uned> is running 20 clients on one machine very resource-intensive?
02:45 < krzee> there you go, routing and ip addressing
02:46 < krzee> uned, depends on bandwidth usage, i cant give exact answers
02:46 < krzee> more bandwidth means more encryption going on
02:46 < krzee> so more cpu
02:46 < krzee> also depends on type of encryption im sure
02:46 < krzee> (for the communication channel only, blowfish by default)
02:47 < lepine1> krzee: those route pushes would have to change during the lifetime of the server though
02:47 < krzee> how so?
02:47 < lepine1> one can't expect all nodes of the mesh to come online at the same time
02:48 < krzee> im not talking about mesh
02:48 < lepine1> i was
02:48 < krzee> i dont care about it, want it, or see why it is needed
02:48 < krzee> hehe
02:48 < lepine1> lol, i don't see the point either, frankly ... but i would find it really cool
02:48 < uned> krzee: your answer works for one instance of openvpn as well. i was talking only about the "running multiple openvpns" part. does it add a lot of weight?
02:48 < lepine1> well, i guess one could make large 'lans' through the internet
02:49 < lepine1> and have traffic move more efficiently at times
02:49 < krzee> ohhh i see, i thought you meant 1 server taking 20 clients
02:49 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
02:49 < krzee> no idea uned
02:49 < lepine1> there's most likely some overhead to having 20 connections instead of one, given the same throughput
02:50 < lepine1> ip wise, you will be sending more on the wire, for sure
02:50 < uned> lepine1: would that make it inadvisable?
02:50 < lepine1> no, i don't think so ... we're not talking a huge amount of overhead
02:50 < lepine1> but if you want to be told running 20 clients will add overhead ...
02:51 < lepine1> i'll say sure, because just that is overhead ... i'm in no position to quantify how much, either network bandwidth, or cpu resources it would add though
02:51 < lepine1> but sure thing is, that it adds some
02:52 < lepine1> krzee: perhaps this mesh thing could turn out being a useful TOR
02:52 < lepine1> same principle, but useful for TCP connections ...
02:52 < krzee> *shrug* i think its not openvpn's job and its for sure nothing im interested in
02:52 < uned> lepine1: what do you mean by "sending more on the wire", like twenty connections * 100 kbps > one 2000 kbps connection just because of the separate processing/encrypting?
02:53 < lepine1> oh wait ... the IP end points would never be the same
02:53 < lepine1> krzee: i never said this would be openvpn's job ...
02:53 < lepine1> actually i would be against implementing such a feature
02:53 < lepine1> uned: yes
02:54 < lepine1> every packet has to contain source and destination and other information
02:54 < uned> don't they have to include it when over just one connection anyway?
02:54 < lepine1> yeah ...
02:55 < lepine1> well, to send X amount of information, you have to send N packets ...
02:55 < lepine1> perhaps i was wrong in assuming that because you're splitting them up in diff pipes, that you can send the same information, in the same number of packets
02:56 < lepine1> ok, lets assume that tcp/ip overhead won't be considerable
02:56 < uned> so is there any difference between sending that information over just one connection and sending it over multiple connections if the only consideration is bandwidth?
02:56 < lepine1> processing 20 tcp/ip connections isn't much of a big deal for any computer nowadays
02:57 < lepine1> no, the overhead, if any, is rather inconsiderable
02:57 < uned> this is really good
02:57 < lepine1> here's another idea
02:57 < lepine1> 1 vpn client per computer, 1 server
02:57 < lepine1> but have iptables split the packets on a range of ports
02:57 < lepine1> that will give your ISP a harder time
02:58 < uned> how can iptables do something like this by itself?
02:58 < lepine1> tha mangle table, i think
02:58 < lepine1> *the
02:58 < lepine1> (the port modification part anyway)
02:58 < uned> i mean, won't openvpn enforce one, single, connection?
02:59 < lepine1> i don't know how you could do the round robin on the ports
02:59 < lepine1> true
02:59 < lepine1> but you have iptables on the client split the packets over N ports
02:59 < lepine1> then the server recombine them on the same port when they come in, before being handed to the server socket
02:59 < uned> do you actually mean iptables can simply split any connection into many? that's be beyond the scope of iptables, i think
03:00 < lepine1> it would be transparent to openvpn
03:00 < lepine1> uned: that might be
03:00 < lepine1> but, if you're using udp ...
03:00 < lepine1> there's no connection
03:00 < uned> s/that's/that'd/
03:00 < uned> oh
03:00 < uned> right
03:00 < uned> and i am
03:00 < lepine1> the question is, can iptables do a round robin kind of thing for that
03:00 < krzee> yes
03:00 < krzee> [03:56] so is there any difference between sending that information over just one connection and sending it over multiple connections if the only consideration is bandwidth?
03:01 < krzee> yes to that i mean
03:01 < krzee> there is DEFINITELY more overhead
03:01 < lepine1> krzee: due to the encryption?
03:01 < krzee> especially depending on the size of packets being xmitted
03:01 < lepine1> or tcp/ip?
03:01 < krzee> because new headers will need to be added to EACH packet
03:01 < lepine1> krzee: yes, but the way to look at this is ...
03:01 < krzee> so if each of the 20 is sending things with small packets (ie: voip)
03:02 < krzee> even tho inside its the same BW
03:02 < lepine1> would the number of packets used to send X amount of information be the same whether it was sent on one link, or more?
03:02 < krzee> outside, large amount more
03:02 < krzee> some people have reported 1/2 speeds due to stuff like that
03:02 < krzee> and with more connections comes more headers being added, and if each of those is sending stuff in small packets...
03:02 < lepine1> yeah, but that's a limitation of tcp/ip ... not openvpn
03:03 < krzee> then it gets huge
03:03 < krzee> its not a limitation of anything
03:03 < lepine1> if your app sends small packets ...
03:03 < krzee> its a byproduct of sending packets inside tunnels
03:03 < lepine1> thats not something you can control
03:04 < lepine1> well, the point of all this, is that openvpn creates additional overhead
03:04 < lepine1> basically, a second set of tcp/ip headers inside a packet
03:04 < krzee> either way, 10mbit of data going from 1 client (before the tunnel) and 10mbit of data going from 20 will be different after the tunneling
03:05 < krzee> or so i figure
03:05 < lepine1> i don't think having one or more links (vpn) would add much overhead
03:05 < lepine1> bandwidth wise
03:06 < lepine1> if you're round robin'ing plain packets onto multiple vpn links
03:06 < lepine1> you're doing the same as round robin'ing them on multiple plain links
03:07 < uned> then the best solution is to design a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server), right?
03:07 < lepine1> the overhead comes from the encryption
03:07 < lepine1> that would be the simplest solution i think
03:07 < lepine1> but one client cannot talk to a server it's not connected to
03:08 < lepine1> unless you do some routing tricks to pass through the server
03:08 < lepine1> or have them on the same vpn, and allow cross talking
03:08 < lepine1> which amounts to having all the connections going through the server anyway, so there's still the bw problem
03:08 < uned> lepine1: which is just what ifenslave does, isn't it?
03:09 < lepine1> i never used it ... but i think all it does is combine 1+ network connections (say ethernet) into one logical interface
03:10 < uned> lepine1: oh, you didn't get it: all the possible connections are always on all the time!
03:10 < lepine1> it doesnt care about routing or anything
03:10 < lepine1> ifenslave is not the tool for you here
03:10 < lepine1> that was when dealing with multiple vpn connections to one server
03:10 < lepine1> and those would likely have to be tap devices
03:10 < uned> not even ifenslave plus good routing?
03:12 < lepine1> ifenslave is like talking on the phone with two phones at the same time
03:12 < lepine1> but only for one conversation
03:12 < krzee> [04:07] then the best solution is to design a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server), right?
03:12 < uned> oh
03:12 < krzee> best solution for what?
03:13 < lepine1> krzee: some peer to peer ish thing
03:13 < krzee> oh the mesh thing?
03:13 < lepine1> well, that's where i got the idea
03:13 < uned> krzee: for (or actually instead): "so i was hoping there was some way to use the server only for doing some authentication stuff and let the clients communicate to each other for the real heavy traffic"
03:13 < lepine1> but he wants more than 2 computers on the network
03:13 < krzee> i already gave you my idea for that
03:13 < krzee> more than 2 computers is no problem, my idea works for that
03:14 < lepine1> yeah, he doesn't want to code
03:14 < krzee> on demand they negotiate peer-to-peer using the server as a middle-man
03:14 < lepine1> he wants something that works soon :P
03:14 < krzee> lol good luck
03:14 < uned> krzee: could you please paste it again, i may have not connected your answer to my question
03:14 < krzee> my answer was how someone could code it
03:14 < krzee> my idea on how it would work
03:14 < lepine1> uned: his suggestion was implementing something hard to do in code
03:14 < lepine1> not a ready made solution
03:15 < krzee> ill bbl
03:15 < lepine1> krzee: nice talking to you, quite entertaining
03:15 -!- sofh [n=patanahi@119.153.59.236] has joined ##openvpn
03:15 < lepine1> i'll most likely be gone to sleep by the time you come back
03:15 < sofh> hi all
03:15 < lepine1> hi
03:16 < sofh> need your suggestion ..
03:16 < sofh> Regarding openvpn everything is orite..Thanks to its programmers to give us such a robust application
03:16 < krzee> lepine1, right on, have a good nite
03:16 < sofh> but i have one question...
03:17 < lepine1> sofh: i'm no expert, but i'll try to help
03:17 < sofh> suppose i have around 200 pcs in our organizations and i want all of them to connect to my openvpn SERVER..then do i have to create keys/cert for all 200 clients and manually distribute them to 200 pcs ?
03:17 < lepine1> you *could* script it
03:17 < sofh> i could script to generate 100 or 1000 keys/cert for clients ..but how to distribute them ?
03:17 < lepine1> script, send them via scp
03:18 < sofh> still its a big job to manually sit and send all files..
03:18 < uned> so i still don't understand why "a vpn wherein each participant is both a server (to which everybody is always connected) and a client (to everybody else's server)" is not easy and feasible both as a workaround for eliminating the (otherwise very burdened) third-party server and instead my multiple connections workaround i mentioned in the beginning
03:18 < sofh> isn't there any alternative auth method we can do ?
03:18 < lepine1> password only type of thing?
03:18 < lepine1> i believe so
03:18 < sofh> i have seen a perl script in sample scripts folder
03:19 < sofh> what i want to keep the user/pass on my db
03:19 < sofh> and let openvpn authenticate on the base of that db
03:19 < uned> s/instead/instead of/
03:19 < sofh> in this way i will just have to drop an email with user/pwd which could be automated via some script to get the user/pwd from the db and email to relevant person
03:19 < lepine1> i don't know what authentication mechanisms openvpn supports
03:19 < lepine1> but it does PAM for sure
03:20 < lepine1> you will still need to distribute your CA.crt to all the clients
03:20 < sofh> that doesn't matter
03:20 < sofh> i have recompiled the openvpn and included Ca.crt and my client.conf in it
03:20 < lepine1> uned: it's a viable solution
03:20 < lepine1> just more complicated on the long run
03:21 < sofh> only i need an alternative method to let the users authenticate themselves with server without having cert key files on their pc
03:21 < lepine1> openvpn does password only authentication
03:21 < uned> (except between everybody and the per-connection-limited server itself, of course)
03:22 < lepine1> it's a question of how openvpn can authenticate clients
03:22 < sofh> lepine1! could you please explain what do you mean by password only ?
03:22 < lepine1> uned: right
03:22 < uned> lepine1: please give me some examples of long-run complications
03:22 < sofh> means no username ?
03:23 < lepine1> well, without a username, you are running a big security risk
03:23 < lepine1> anyone with the ca.crt can connect
03:23 < sofh> thats why i was thinking to use some sort DB :$
03:24 -!- betabot is now known as simplechat
03:24 < lepine1> sofh: -plugin module-pathname [init-string]
03:24 < lepine1> on http://www.openvpn.net/index.php/documentation/manuals/openvpn-21.html
03:24 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net)
03:24 < lepine1> mentions running a function for authentication
03:25 < lepine1> then this: --auth-user-pass-verify script method
03:25 < sofh> lepine1: ok let me check it...
03:25 < krzee> [04:18] still its a big job to manually sit and send all files..
03:25 < krzee> scp them to a https server
03:25 < krzee> tell clients where they can get theirs
03:25 < lepine1> true enough
03:28 < sofh> i will try to do in a way i want , if not possible then i will DO as its possible :)
03:28 < sofh> simple :)
03:33 -!- huslu_ is now known as huslu
03:44 -!- Wachert [n=wachert@p3EE2FCB1.dip.t-dialin.net] has joined ##openvpn
04:02 < lepine1> sofh: http://www.eurephia.net/
04:02 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
04:02 < lepine1> supports mysql/postgres
04:05 -!- Administrat [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has joined ##openvpn
04:06 -!- Administrat is now known as TAG
04:06 -!- TAG is now known as Administrat
04:07 -!- Administrat is now known as Tagger
04:07 -!- Tagger is now known as Intheblue
04:09 < Intheblue> who #Intheblue
04:11 -!- Intheblue [n=chatzill@1-2-5-1a.orby.sth.bostream.se] has quit ["good night"]
04:33 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Connection reset by peer]
04:35 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn
04:45 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit []
05:06 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
05:07 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn
05:17 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn
05:18 < vadi01> can someone tell me how to install a vpn server in centos 5.3?
05:19 < lepine1> yum install openvpn ?
05:19 < lepine1> i'm on debian, so that was a wild guess
05:20 < vadi01> lepine1: ok but using openvpn, it is kind of complicated to connect users from windows...
05:20 < lepine1> there is openvpn gui
05:20 < vadi01> lepine1: is there any simple way like as it was using the pptpd server
05:20 < lepine1> still not completely idiot-proof, but much better than command line tools
05:32 -!- vadi01 [n=vadi01@81.18.134.61] has left ##openvpn ["Leaving"]
05:33 -!- sofh [n=patanahi@119.153.59.236] has quit []
05:42 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has left ##openvpn []
05:48 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn
05:49 < vadi01> lepine1: you still there?
05:49 < vadi01> how can i use openvpn to use only pap authentication?
05:50 < krzee> pap = ?
05:51 < vadi01> yea as in without encryption
05:51 < vadi01> i just want my clients connecting to the server...via dialup vpn
05:56 < krzee> you got it listening to a dialup device?
05:56 < krzee> no encryption is easy, dont put a secret statement or certs
05:56 < krzee> but it should only listen to a tun or tap device
06:00 < vadi01> ok. so in the client side no need for certificates yea?
06:00 < vadi01> all they need to do is just connect to the server via vpn dial up?
06:02 < uned> krzee: how can i create client keys client-side *without* transferring ca.key, but only ca.crt?
06:02 < uned> krzee: from the server
06:05 < krzee> ca.key never leaves the CA machine
06:06 < krzee> and the client can only make a csr
06:06 < krzee> the CA machine signs it
06:06 < krzee> thats what turns it into a crt
06:06 < uned> krzee: what is the openvpn tool that i have to use in order to "turn" the csr into the crt?
06:07 < uned> krzee: i guess it's one of the tools in easy-crypt/, but i don't know which one
06:07 < uned> krzee: nor do i know the syntax
06:36 < uned> krzee: are you still there?
06:57 < uned> krzee: or not?
07:12 -!- uned [i=uned@gateway/tor/x-e84019702922f89e] has quit [Remote closed the connection]
07:15 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
07:26 -!- vadi01 [n=vadi01@81.18.134.61] has quit [Read error: 104 (Connection reset by peer)]
07:26 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn
07:33 -!- uned [i=uned@gateway/tor/x-149bb1d680ae5d5f] has joined ##openvpn
07:49 -!- Wachert [n=wachert@p3EE2FCB1.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"]
07:55 -!- uned [i=uned@gateway/tor/x-149bb1d680ae5d5f] has quit [Remote closed the connection]
07:59 -!- uned [i=uned@gateway/tor/x-bef2d113b0306aea] has joined ##openvpn
07:59 < uned> krzee: i was disconnected, did you answer in the meantime?
08:02 -!- zheng [n=zheng@114.92.139.29] has joined ##openvpn
08:03 -!- antii [n=unknown@unaffiliated/antii] has joined ##openvpn
08:04 < antii> hello
08:04 < antii> is it possible to set up a NAT on the computer that is connected to the VPN so i can connect through it on another computer (lan)?
08:04 < antii> so like two computers share traffic
08:08 < zheng> it is possible.
08:08 < antii> but i havent found a guide for it :S
08:08 < zheng> the others pc gateway to it.
08:09 < uned> zheng: what openvpn easy-rsa/ tool should i use to turn a key request into a key?
08:09 < antii> zheng: you got experience of this?
08:10 < zheng> uned, there are detail step by step in the HOWTO
08:11 < uned> zheng: that's precisely not true
08:11 < uned> zheng: that's the very missing thing
08:11 < antii> zheng: lets say i have my vpn on my server (running linux) and wanna connect through it from my workstation (windows)
08:11 < zheng> antii, no, I don't test it, but I know it is possible.
08:11 < antii> that is possible right?
08:11 < uned> zheng: frustratingly so
08:12 < antii> sec
08:12 < antii> zheng: but then i just set the gateway manually
08:12 < antii> must try this
08:13 < zheng> antii, you can set the route manually
08:13 < antii> zheng: but do i even need openvpn then?
08:13 < antii> on my workstation
08:14 < zheng> no,
08:15 < antii> nice
08:15 < antii> just use the cmd right
08:15 < zheng> the top like this: pc ---> gateway/openvpn ====/ssl/====> other vpn endpoint
08:15 < antii> yes
08:16 < antii> now i only have to set up nat on the server ;:p
08:21 < uned> zheng: what openvpn easy-rsa/ tool should i use to turn a key request into a key?
08:21 < zheng> a minute,
08:21 < uned> zheng: sorry, i just resent it, i didn't mean it only for you
08:22 < zheng> I'll check it for you.
08:24 < zheng> ./build-req mycert
08:24 < zheng> ./sign-req mycert
08:24 < zheng> ./build-key mycert
08:24 < zheng> the 3 steps can help you generate a mycert.cer/.key
08:28 < uned> zheng: thank you. however, i know these, it's just that they work only on the signing machine (i.e. the machine that has ca.key).
08:29 < uned> zheng: how do i get it signed client-side?
08:30 < zheng> ?
08:30 < zheng> He cert has been a signed key.
08:30 < uned> zheng: i would need your question to be a little more specific. :)
08:30 < zheng> for server, also for clients;
08:31 < uned> are you implying all i need to transfer from the server to the client is ca.crt?
08:33 < krzee> you can only sign it on the ca machine
08:33 < krzee> i said this like 3 times earlier
08:33 < krzee> you really dont get it?
08:33 < krzee> [07:05] ca.key never leaves the CA machine
08:33 < krzee> [07:06] and the client can only make a csr
08:33 < krzee> [07:06] the CA machine signs it
08:33 < krzee> [07:06] thats what turns it into a crt
08:35 < uned> krzee: i would *love* to sign it on the ca machine, but i don't know how. could you please tell me how?
08:35 < krzee> by reading the howto
08:35 < krzee> !howto
08:35 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:35 < krzee> its plainly spelt out there
08:36 < krzee> zheng went to the howto and pasted the commands
08:36 < uned> zheng: that's precisely not true. and i've read the how-to THOROUGHLY.
08:36 < uned> krzee: those commands only work on the ca machine, don't you understand?
08:36 < krzee> THEN DO IT ON THE CA MACHINE!
08:36 < krzee> lol
08:36 < zheng> easy-rsa is a simple CA.
08:36 < krzee> and send the client what they need
08:36 < krzee> zheng, i agree, but prefer ssl-admin
08:36 < uned> krzee: i don't have the slightest intention to generate my client key on the ca machine just because the how-to is unrealistic!
08:36 < krzee> !ssl-admin
08:36 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
08:37 < krzee> the howto is very realistic, many use it without problem
08:37 < krzee> ive used the method in the howto MANY times
08:37 < zheng> yes, I agree with krzee
08:37 < uned> krzee: how can i use a server-created key on the client?
08:38 < krzee> !mitm
08:38 < uned> krzee: (without transferring it, that is!)
08:38 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
08:38 < krzee> ohh
08:38 < krzee> without transferring it?
08:38 < krzee> are you drunk?
08:38 < uned> krzee: oh!
08:38 < uned> krzee: now i get it!
08:39 < krzee> i misunderstood the question at first, ignore !mitm
08:39 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
08:39 < uned> krzee: so what you're implying is either ca.key or client.key has to be transferred no matter what, only it's more secure to transfer client.key. is that right?
08:39 < krzee> didnt you read that thoroughly?
08:40 < krzee> read the table above what i just posted
08:40 < krzee> READ THE HOWTO
08:40 < krzee> http://openvpn.net/howto.html#pki
08:41 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
08:41 < krzee> there i dug the direct link to the section out of the source for you
08:41 < uned> krzee: i read it thoroughly, but bathed in wishful thinking
08:41 < krzee> since you read it so thoroughly im sure you know all of that and are only asking what it plainly says for fun
08:41 < uned> krzee: so please answer my latest question. i know the table by heart, and then more accurately. i only need a confirmation that a .key would eventually have to be transferred, no matter what.
08:42 < krzee> you said "only a key" earlier
08:42 < krzee> pay attention to the table
08:42 < uned> krzee: i just need a confirmation that a .key has to be transferred no matter what.
08:42 < uned> krzee: which would be understandable
08:42 < krzee> whatever it says a client needs, needs to be transferred
08:42 < krzee> why must i repeat what the howto says?
08:42 < uned> krzee: i know, but they promise i could generate everything on the client
08:42 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
08:42 < krzee> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel.
08:42 < krzee> right below a table saying that the key must go to the client
08:43 < uned> krzee: i know, but they promise i could generate everything on the client
08:43 < krzee> no
08:43 < krzee> you can generate the client key and csr there
08:43 < krzee> but until you have a clue how these scripts work, dont
08:43 < krzee> learn, then use
08:44 < uned> are you advising me not to generate the client key client-side?
08:44 < krzee> not until you are capable of doing it
08:45 < krzee> for now, follow the howto
08:45 < uned> i am capable: all i need to do is copy ca.crt and ca.key. but i don't like it. i want to use some openvpn-maintained secure channel to send a signing request.
08:45 < krzee> maybe even figure out what the openssl commands in those scripts do
08:45 < krzee> how the hell will you send the signing request over openvpn?
08:45 < uned> krzee: figuring out what i need to do is exactly why i'm asking you a simple question for which i'm sure there's a simple answer
08:45 < krzee> if you have openvpn up you dont need the signing request sent
08:46 < uned> krzee: no
08:46 < uned> krzee: i was hoping the client would just try to connect and the server would ask me something to the effect of "should i accept to sign this client's key?"
08:46 < uned> krzee: i don't find it very sci-fi. do you?
08:47 < krzee> lol
08:47 < krzee> yes
08:47 < krzee> very
08:47 < krzee> do you happen to run windows?
08:47 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
08:48 < uned> i don't see why, as long as i know what i'm doing and who's connecting. like this, mitm is always an issue.
08:48 < krzee> whatever
08:48 < krzee> *back to idle*
08:48 < uned> this would be a normal feature
08:48 < uned> and useful
08:49 < uned> why would openvpn depend on ssh?
08:49 < uned> it wouldn't be the first time in the history of cryptography that an application is self-sufficient. i know it's tricky, but ssh is tricky too. everything is tricky. i'm only talking about the feature itself, not about misusing it.
09:01 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit ["leaving"]
09:01 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
09:02 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)]
09:10 -!- vadi01 [n=vadi01@81.18.134.61] has quit [Read error: 110 (Connection timed out)]
09:15 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
09:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:56 -!- antii [n=unknown@unaffiliated/antii] has quit [Read error: 54 (Connection reset by peer)]
10:08 -!- vadi01 [n=vadi01@81.18.134.61] has joined ##openvpn
10:10 -!- vadi01 [n=vadi01@81.18.134.61] has left ##openvpn ["Leaving"]
10:26 -!- solexious|netbk [n=solexiou@89.193.183.199] has joined ##openvpn
10:26 < solexious|netbk> !howto
10:26 < vpnHelper> solexious|netbk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:29 < solexious|netbk> Hello, I'm reading through the how to but wonder if someone can point me in the right direction with what path of setup I need to follow? My server is on a 192.168.5.0/24 network and I want any connecting clients to be given an ip from 192.168.5.50-60 as if they were another physical box on the network. Would this be bridged or routed?
11:05 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit []
11:13 < uned> krzee: i've thought it through and you're really making no sense. i guess you just have to find my idea ridiculous or else you're next.
11:16 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
11:19 < M06w> taking a computer running a single 2.7GHz processor with 512mb ram, an average integrated 10/100 network card, and windows server 03 as basis, how many separate vpns should I be able to run comfortably?
11:19 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
11:31 < krzee> or else im next what?
11:31 < krzee> M06w, no clue
11:31 < krzee> uned, "you just have to find my idea ridiculous or else you're next."
11:31 < uned> krzee: to claim the title :)
11:31 < krzee> im next what...?
11:31 -!- mode/##openvpn [+o krzee] by ChanServ
11:31 -!- mode/##openvpn [+b *!*i=uned@*gateway/tor/x-bef2d113b0306aea] by krzee
11:31 -!- uned was kicked from ##openvpn by krzee [krzee]
11:32 <@krzee> title that
11:32 -!- mode/##openvpn [-o krzee] by krzee
11:38 < solexious|netbk> nice
11:49 < solexious|netbk> !route
11:49 < vpnHelper> solexious|netbk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
12:33 < reiffert> When kicking people on IRC I'd really like to see a valid kick reason ...
12:36 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
12:36 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn
12:37 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
12:37 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has joined ##openvpn
12:40 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:42 < epaphus> hello all
12:42 < M06w> hello epap
12:59 -!- azaghal [n=azaghal_@mail.netset.co.yu] has joined ##openvpn
12:59 < azaghal> !howto
12:59 < vpnHelper> azaghal: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:59 < azaghal> !topology
12:59 < vpnHelper> azaghal: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:00 < azaghal> !iporder
13:00 < vpnHelper> azaghal: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:01 < azaghal> Hello, can anyone point me to (or explain) the "update" event in case of --learn-address directive?
13:11 < solexious|netbk> Hello, I'm reading through the how to but wonder if someone can point me in the right direction with what path of setup I need to follow? My server is on a 192.168.5.0/24 network and I want any connecting clients to be given an ip from 192.168.5.50-60 as if they were another physical box on the network. Would this be bridged or routed?
13:12 < solexious|netbk> I believe its bridged?
13:50 < azaghal> solexious|netbk: Either
13:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
13:51 < solexious|netbk> azaghal, oh
13:53 -!- azaghal [n=azaghal_@mail.netset.co.yu] has quit [Read error: 60 (Operation timed out)]
14:12 -!- dupondje [n=jl@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
14:13 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn
14:16 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
14:18 -!- Flumdahl [i=n30@shell.auth.se] has joined ##openvpn
14:18 < Flumdahl> anyone here that has a working server.conf with shaper ?
14:18 -!- unix3_ [n=unix3@ip249-10.ct.co.cr] has joined ##openvpn
14:39 < reiffert> Flumdahl: shaper as in lartc.org?
14:39 < Flumdahl> reiffert: shaper as bandwidth limit some users
14:40 < Flumdahl> in the config files for openvpn
14:40 < Flumdahl> reiffert: i wanna bw limit some ips
14:43 < reiffert> Flumdahl: I could paste you some lines of the manpage, but I guess that's what you've seen already?
14:47 < Flumdahl> reiffert: yes, i dont get it to work as it should. if i have the shaper line in my server config it wont setup the routes :S
14:48 < Flumdahl> it wont work even if you write route commands manually in cmd in windows for example
14:51 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
14:54 -!- unix3_ [n=unix3@ip249-10.ct.co.cr] has quit [Client Quit]
15:02 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
15:03 < reiffert> Flumdahl: awful!
15:03 < reiffert> Flumdahl: 2.1rc15?
15:03 < reiffert> !shaper
15:03 < vpnHelper> reiffert: Error: "shaper" is not a valid command.
15:04 < reiffert> Flumdahl: what did you set the shaper value to?
15:05 < Flumdahl> to 1 mbit
15:05 < reiffert> like in "1 mbit" or more like "123456789"?
15:07 < Flumdahl> shaper 131072
15:07 < Flumdahl> 131 072 byte is 1 megabit
15:07 < reiffert> right, bytes per sec.
15:08 < reiffert> did you try different settings? change mtu? 2.1rc15?
15:10 < Flumdahl> its openvpn 2.0.9
15:10 < reiffert> update && report back
15:12 < ecrist> good afternoon, fuckers
15:52 < reiffert> welcome back my sweet little pussy
15:55 < Bushmills> reeks of plenty of pheromones here
15:55 < reiffert> reeks sounds like netherlands
15:56 < Bushmills> that's "ruiken"
15:59 < reiffert> rieken in belgium
15:59 < Bushmills> in fact, there is a dutch word "reeks" but that has a different meaning: "sequence"
16:00 -!- solexious|netbk [n=solexiou@89.193.183.199] has quit [Remote closed the connection]
16:10 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
16:10 < reiffert> Flumdahl: works with 2.1rc15?
16:11 < reiffert> OpenVPN 2.0.9 -- released on 2006.10.01 (Change Log)
16:12 < Flumdahl> i solved it with a script . :d
16:12 < reiffert> ?
16:14 < reiffert> ??
16:16 < reiffert> please give us more details on that
16:26 < troy-> krzie, around?
16:52 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
16:52 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has joined ##openvpn
16:55 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
16:56 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has joined ##openvpn
17:01 -!- kaii [n=kai@ciphron.de] has quit [Remote closed the connection]
17:01 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
17:12 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:48 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn
18:03 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"]
18:09 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
18:09 < epaphus> hello guys, I have now successfully installed my openVPN client on ubuntu...
18:10 < epaphus> but its not applying the push DNS :( .. any suggestions
18:10 < epaphus> the push dns parameter is recorded in the server.conf
18:13 < epaphus> is it maybe because I put the push DNS options at the last line of the server.conf ?
18:13 < epaphus> would it help to put it in the client.conf?
18:15 < epaphus> brb
18:15 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Remote closed the connection]
18:27 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn
18:27 < boris_ag> !logs
18:27 < vpnHelper> boris_ag: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
18:27 < boris_ag> !configs
18:27 < vpnHelper> boris_ag: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:28 < boris_ag> !howto
18:28 < vpnHelper> boris_ag: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:28 < boris_ag> !iporder
18:28 < vpnHelper> boris_ag: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:28 -!- at1z0r [i=at1z0r@gateway/shell/rootnode.net/x-a4a853c981c6e79a] has joined ##openvpn
18:29 < at1z0r> hi guys
18:29 < at1z0r> http://dpaste.com/32496/
18:30 < at1z0r> and can't ping anything
18:30 < at1z0r> simply doesn't work :)
18:30 < at1z0r> using arch linux
18:32 < boris_ag> hello - I'm having this problem that appears in openvpn FAQs: "I can ping through the tunnel, but any real work causes it to lock up. Is this an MTU problem?"
18:32 * ecrist guesses firewall
18:32 < ecrist> boris_ag: usually
18:32 < ecrist> !mtu
18:32 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
18:32 < boris_ag> tried with different MTU but no success
18:33 < boris_ag> also. several other coworkers use default 1500 and it works fine for them, using the same server and the same openvpn client version
18:33 < at1z0r> !logs
18:33 < vpnHelper> at1z0r: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
18:33 < at1z0r> !configs
18:33 < vpnHelper> at1z0r: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:37 -!- solexious [n=solexiou@80-41-109-207.dynamic.dsl.as9105.com] has joined ##openvpn
18:39 < solexious> Hia, tried to setup my server using the official how to for bridging but doing this makes my eth lose connection, any idea how I can stop this?
18:39 < at1z0r> same here, but on client side ;p
18:41 < solexious> hehe, damn :)
18:42 < solexious> The how to seems great, just think I need a few bits to click in my head for me to follow it correctly
18:43 < at1z0r> :)
18:46 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit []
18:47 < troy-> i have a bug complaint
19:17 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit []
19:32 -!- at1z0r [i=at1z0r@gateway/shell/rootnode.net/x-a4a853c981c6e79a] has left ##openvpn ["EKG2 bejbi! http://ekg2.org/"]
19:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
19:47 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn
19:48 < boris_ag> hi guys - having problems with MTU size and found 1500 is the optimal (1472+28), but getting this on vpn client side: "Data Channel MTU parms [ L:1544 D:1428 EF:44 EB:135 ET:72 EL:0 AF:3/1 ]".. is that 1544 correct ?
19:55 < boris_ag> !mtu
19:55 < vpnHelper> boris_ag: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
20:00 < boris_ag> if MTU needs to be changed, is it enough to just change it with mssfix or do I have to modify the mtu size of the tap interface ?
20:00 < boris_ag> as well
20:24 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:26 < reiffert> the former
20:33 -!- aluis_ [n=aluis@g227126172.adsl.alicedsl.de] has joined ##openvpn
20:46 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)]
20:47 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has joined ##openvpn
20:51 -!- aluis__ [n=aluis@g227114042.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
21:07 -!- nubcake [n=gab@c-75-73-8-45.hsd1.mn.comcast.net] has joined ##openvpn
21:08 -!- eedk [n=eed@berlin.perfect-privacy.com] has joined ##openvpn
21:08 < nubcake> Im having a problem running the build-dh command on both a vista 64bit machine, and on a winXP machine. it just borks out while its creating all the dots with the error "unable to write 'random state'". any way to fix this ?
21:09 < eedk> could anyone tell me where i could find a listing of good openvpn services? google just isnt working for this one.
21:14 < reiffert> nubcake: http://www.google.de/search?hl=de&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=6Kr&q=openvpn+unable+to+write+random+state&btnG=Suche&meta=
21:14 < vpnHelper> Title: openvpn unable to write random state - Google-Suche (at www.google.de)
21:14 < reiffert> eedk: services as in?
21:15 < eedk> as in providers
21:15 < reiffert> what shall they provide?
21:16 < reiffert> please place an example for me, it just beats me.
21:16 < eedk> a vpn
21:16 < eedk> an openvpn vpn
21:16 < nubcake> reiffert: i know how to use google, I wouldnt be here if I didnt. that gives no info on building keys within a windows environment.
21:16 < reiffert> hrmn. I've never heard about people offering openvpn servers for the use of 3rd party people.
21:17 < eedk> well then you obviously cant help me. thanks though.
21:17 < reiffert> nubcake: I'm sorry but I'm not a windows user. Try the openvpn mailinglist is all I can give you now.
21:17 < reiffert> eedk: same goes to you, openvpn mailinglist.
21:18 < eedk> oh
21:21 -!- boris_ag [n=boris_ag@217-142-126-200.fibertel.com.ar] has quit [Read error: 110 (Connection timed out)]
21:34 < krzee> [22:16] reiffert: i know how to use google, I wouldnt be here if I didnt. that gives no info on building keys within a windows environment.
21:34 < krzee> the howto does
21:35 < krzee> its the same easy-rsa package
21:39 < nubcake> krzee: yea I know but there is no help anywhere in regards to a windows box giving an unable to write 'random state' error when compiling keys.
21:42 < nubcake> its ok i used my debian box to build the keys, just kinda silly thats what i have to do
21:49 < troy-> krzee, how can i make openvpn output status without writing to a logfile?
21:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
21:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:59 < krzee> \
22:27 < troy-> sup krzee
22:43 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has joined ##openvpn
22:45 -!- ftp4 [n=ftp3@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has quit [Client Quit]
23:18 < troy-> why isnt the latest openvpn version in the dag repo?
23:21 -!- nubcake [n=gab@c-75-73-8-45.hsd1.mn.comcast.net] has quit ["(I was using ) Version:(2.04) Wasted:(2 Hours 14 Minutes and 3 Seconds Online)"]
23:28 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
23:59 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
--- Day changed Mon Apr 13 2009
00:50 -!- eedk [n=eed@berlin.perfect-privacy.com] has quit [Read error: 110 (Connection timed out)]
01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has joined ##openvpn
01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has left ##openvpn ["Leaving"]
01:11 -!- uned_back [i=uned@gateway/tor/x-ebe3403c5bd6a687] has joined ##openvpn
01:12 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
01:12 < uned_back> how do i generate the client key on the client instead of on the server machine?
01:12 < tjz> u have to generate on the server machine
01:12 < tjz> no way you can self-generate on client side
01:13 < uned_back> tjz: why is sending a request and receiving the key from the server more secure than simply receiving a server-generated key from the server?
01:14 < uned_back> tjz: don't they both involve transferring the key from the server?
01:24 < uned_back> tjz: from the how-to: "Now wait, you may say. Shouldn't it be possible to set up the PKI without a pre-existing secure channel? The answer is ostensibly yes. ...."
01:25 < uned_back> tjz: this would make it necessary to only receive a certificate, no key
01:31 < uned_back> this "submit" word from "and then submit a Certificate Signing Request (CSR) to the key-signing machine" makes it look like there's some scripted way to do it, not like i have to send some request file manually and run the scripts manually on the server and then transfer the certificate file manually back to the client. so "submit" either is confusing or i still don't understand it.
01:47 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)]
01:47 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
01:50 < dan__t> Generate a csr, and sign it?
01:52 < uned_back> dan__t: you mean "send the csr file to the server, then have the server generate a signed certificate (file), then send the signed certificate file back to the client", right?
01:52 < dan__t> Not in those exact words, but yes.
01:52 < dan__t> Do you know how TLS, PKI etc etc work?
01:53 < uned_back> dan__t: for stylistic reasons, or are there any inaccurate terms?
01:54 < dan__t> what
01:54 < dan__t> No, that's accurate.
01:54 < uned_back> "not in those exact words"
01:54 < uned_back> oh, good
01:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:54 < dan__t> Generate the mofscking crt on the client, send it to the server, sign it, send it back to the client.
01:54 < dan__t> And go nuts.
01:55 < dan__t> Don't be a tool and quote me on everything I say. I'll tell you enough to get started and mop it up on your own.
01:55 < dan__t> http://openvpn.net/index.php/documentation/howto.html#pki
01:55 < vpnHelper> Title: HOWTO (at openvpn.net)
01:55 < dan__t> Look at the matrix towards the bottom of that section.
01:58 < uned_back> dan__t: you're saying i should send the .crt file to the server. but shouldn't i send the .csr one?
02:03 -!- mode/##openvpn [+o krzee] by ChanServ
02:03 -!- mode/##openvpn [+b *!*uned@*tor*] by krzee
02:04 -!- uned_back was kicked from ##openvpn by krzee [didnt i ban you?]
02:04 < dan__t> What a fucking tool.
02:04 -!- mode/##openvpn [-b *!*i=uned@*gateway/tor/x-bef2d113b0306aea] by krzee
02:04 < dan__t> tjz, you can generate the csr on the client.
02:07 <@krzee> seriously dan
02:07 <@krzee> [12:31] uned, "you just have to find my idea ridiculous or else you're next."
02:07 <@krzee> [12:31] krzee: to claim the title :)
02:07 <@krzee> [12:31] im next what...?
02:07 <@krzee> [12:31] >chanserv< op ##openvpn
02:07 <@krzee> haha
02:07 <@krzee> besides
02:08 <@krzee> that guy has been asking the same fucking simple question (and been answered over 10 times) for over a day
02:08 < dan__t> heh
02:08 <@krzee> even without him mouthing off trying to threaten that should be enough for a ban, lol
02:08 < dan__t> kewl.... just made a function in PHP to maintain a CRL from MySQL...
02:08 -!- mode/##openvpn [-o krzee] by krzee
02:08 < dan__t> Man I need some new music.
02:08 < dan__t> Already wore out that new Prodigy album
02:09 < krzee> damn prodigy still makes new albums?
02:09 < dan__t> and that Cage The Elephant album
02:09 < dan__t> Yeah, just came out a few days ago I think.
02:09 < krzee> last i listened to was smack my bitch up
02:09 < dan__t> Fat of the Land... still a great one heh
02:09 < krzee> (which by the way is still the best video of all times)
02:09 < dan__t> Indeed.
02:09 < dan__t> Total mindfuck.
02:10 < dan__t> Let's see what TPB has...
02:10 < dan__t> Dude I'm going to go out and visit you.
02:10 < dan__t> For like a month.
02:10 < dan__t> ok?
02:10 < dan__t> And we're going to wreck some vacationing sluts.
02:10 < krzee> not sure if you wanna really
02:11 < krzee> i dont live near water and i work a lot
02:11 < dan__t> why not
02:11 < dan__t> why not, you live in the Bahamas and don't live near the water?
02:11 < krzee> lol, well an hour away
02:11 < krzee> but not like on it
02:11 < dan__t> what do you do for work anyway
02:11 < dan__t> cabana boy?
02:11 < krzee> granted i cant live TOO far away from it
02:12 < krzee> nah im an international spy ;]
02:12 < dan__t> Ok, 006
02:12 < krzee> 0069 actually
02:13 < theDoc> Hello all :)
02:13 < theDoc> Seems like a good time to drop in.
02:13 < reiffert> moin
02:13 < krzee> whats up doc
02:13 < krzee> (pls use bugg bunny voice)
02:14 < dan__t> heh
02:14 < krzee> buggs
02:14 < dan__t> Bugs
02:14 < theDoc> hehe
02:14 < dan__t> I met Chuck Jones when I was like 5
02:14 < theDoc> How is everyone doing today?
02:15 < dan__t> My dad bought a few cels that he made right there on the spot and autographed them for me
02:15 < dan__t> They're pretty bad-ass
02:15 < krzee> good, cant wait for the computer store to open
02:15 < krzee> i need some sata dvd burners
02:15 < krzee> turns out i couldnt load osx86 cause of my IDE chipset
02:15 < theDoc> I need a few more clusters of servers around the globe to balance out vpn traffic.
02:15 * theDoc dances.
02:15 < dan__t> oh speaking of
02:16 < dan__t> krzee, can you make me a jail or something on that which I can use
02:16 < dan__t> I need an osx machine to fuck around with tunnelblick on
02:16 < krzee> i cant cause its local, but you can load osx86 =/
02:17 < dan__t> wtf
02:17 < dan__t> i'll just vpn in
02:17 < dan__t> ..
02:17 < krzee> negative ghost rider
02:17 < dan__t> i'm going to murder you like Goose
02:17 < krzee> werd
02:17 < theDoc> Apparently, some of us are old enough to remember top gun ;)
02:17 < theDoc> Man, I feel old now.
02:18 < theDoc> When Val Kilmer was hot ;p
02:18 < krzee> lol
02:18 < krzee> dude
02:18 < theDoc> iceman was the shit.
02:18 < krzee> i found out last night a guy i know from a hacking group was born when i was already on irc
02:18 < krzee> THAT made me feel old
02:18 < theDoc> lol
02:19 < dan__t> So, let me get this straight
02:19 < theDoc> krzee: By hacking, you mean stuff like hackintosh?
02:19 < dan__t> You're a bunch of old dudes?
02:19 < theDoc> or exploiting servers for a living? ;p
02:19 < krzee> dan, im 27
02:19 < krzee> theDoc, *shrug*
02:19 < krzee> lets just say the kid has skills
02:19 < krzee> and was born when i was already on efnet
02:20 < dan__t> Don't feel bad.
02:20 < dan__t> I'm 25.
02:20 < dan__t> heh
02:20 < krzee> nah i dont, it was just a lil mindfuck
02:20 < theDoc> In all honesty, I have no idea how you guys get into exploiting systems. I could dance around and write firewall rules but besides that, I have nfi how to be breaking in ;p
02:21 < theDoc> and I take my hat off to those who can.
02:21 < dan__t> I literally tracked down some dude and kicked his ass for doing it.
02:21 < dan__t> Found out that he lived in Denver, too.
02:21 < theDoc> dan__t: >_>;;
02:22 < dan__t> Felt goooooooood
02:22 < dan__t> heh
02:22 < theDoc> dan__t: Care to share how you did it?
02:23 < dan__t> Got lucky. The dude actually used to work for a customer of ours.
02:23 < dan__t> I cheated.
02:23 < theDoc> Oh, figures.
02:23 < theDoc> dan__t: Backtracking, call a couple of people? ;p
02:23 < dan__t> Yep.
02:24 < krzee> http://ircpimps.org/prank/
02:24 < vpnHelper> Title: Index of /prank (at ircpimps.org)
02:24 < theDoc> dan__t: Without cheating, is that possible?
02:24 < krzee> that was when bionic took over #RNS on efnet
02:24 < dan__t> I'm sure it is.
02:25 < krzee> i got ahold of his dox and started calling his family
02:25 < theDoc> krzee: How on earth you guys do that is beyond me
02:25 -!- mf_417 [n=mf@194.225.128.240] has joined ##openvpn
02:26 < mf_417> Hi
02:26 < mf_417> how can I change default "--script-security" of openvpn?
02:26 < krzee> hey!
02:26 < mf_417> ping 02:26 < mf_417> how can I change default "--script-security" of openvpn? 02:26 < krzee> umm 02:26 < krzee> by using the command script-security 02:26 < krzee> followed by the level to set it to 02:27 < mf_417> and where is this command? 02:27 < krzee> where does it go or where is it documented? 02:27 < dan__t> man openvpn 02:27 < dan__t> Its right there 02:27 < krzee> aye it is 02:28 < krzee> !man 02:28 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 02:28 < dan__t> krzee, i start beta on Thursday 02:28 < krzee> beta what? 02:28 < dan__t> of my shit. 02:28 < krzee> oh cool 02:28 < dan__t> jeah. 02:28 < mf_417> tanx 02:29 < krzee> of your db based cert management system? 02:29 < krzee> you gunna allow it to also keep them in flat files? 02:29 < dan__t> No. 02:29 < dan__t> I'm tying it in to WHMCS right now 02:30 < krzee> ahh cool 02:31 < krzee> [03:24] that was when bionic took over #RNS on efnet 02:31 < krzee> btw that was 12 years ago 02:32 < dan__t> This song is bad-ass 02:32 < dan__t> Aquabats - Super Rad 02:32 < theDoc> 12 years ago :o 02:32 < krzee> just wanted to make it clear that it was when i was a youngster 02:33 < krzee> i wouldnt be harassing families over the takeover of an IRC channel anymore 02:33 < mf_417> krzee: Ok, it works fine 02:34 < mf_417> I must change /etc/init.d/openvpn ? 02:34 < krzee> cool, glad to hear 02:34 < krzee> no, why would you? 
02:34 < mf_417> I must automate update-resolv-conf process on clients 02:34 < mf_417> I use a script for this purpose 02:34 < mf_417> and openvpn refuses to run external scripts by default 02:35 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"] 02:35 < krzee> ok, you just put that in the config without the -- 02:35 < mf_417> I changed etc/init.d/openvpn and added --script-security 2 --dev tap0 and now it works fine 02:35 < krzee> and booya 02:35 < krzee> (kinda like all config options) 02:37 < mf_417> tanx alot, it works fine 02:39 < dan__t> krzee, how's your MySQL? 02:39 < krzee> only used it 1x 02:40 < dan__t> hm 02:44 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)] 02:45 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 02:45 -!- mf_417 [n=mf@194.225.128.240] has left ##openvpn [] 02:48 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn 03:09 < dan__t> ok, codine is kicking my ass... later. 
03:17 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn 03:28 -!- azaghal [n=azaghal_@217.24.18.195] has joined ##openvpn 03:28 -!- azaghal is now known as Guest19001 03:35 -!- lolipop [n=ice_crea@149.21.95.219.cbj01-home.tm.net.my] has quit ["Konversation terminated!"] 04:14 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 04:14 < onats> hello 05:04 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)] 05:06 -!- zheng_ [n=zheng@114.92.139.29] has joined ##openvpn 05:11 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 05:18 -!- mtoledo`` [n=user@189.102.205.95] has quit [Read error: 60 (Operation timed out)] 05:18 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 05:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:21 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 05:25 -!- zheng [n=zheng@114.92.139.29] has quit [Read error: 113 (No route to host)] 05:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 05:43 -!- theDoc [n=andelyx@bb220-255-184-252.singnet.com.sg] has joined ##openvpn 05:45 -!- theDoc [n=andelyx@bb220-255-184-252.singnet.com.sg] has quit [Client Quit] 05:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:57 -!- dupondje [i=DuReX@78-21-212-23.access.telenet.be] has quit ["Ex-Chat"] 07:09 -!- VeXocide [i=vexocide@snail.stack.nl] has joined ##openvpn 07:10 < VeXocide> hi, when i set up a tunnel to a friend the interface gets an ipv6 link and global address 07:11 < VeXocide> but then a default route is added via the link address for ipv6, instead of the global, might anyone have a clue as to why ? 
07:11 < VeXocide> -e 07:19 -!- Guest19001 [n=azaghal_@217.24.18.195] has quit ["Одлазим"] 07:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 08:05 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 08:06 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn 08:11 -!- Kevin` [n=kevin@etmalec.net] has joined ##openvpn 08:11 < Kevin`> hey 08:12 < Kevin`> should I specify a push route AND route for a subnet which is connected at one of the clients? 08:15 < reiffert> !route 08:15 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:20 < Kevin`> <3 08:21 < Kevin`> nice and complete 08:22 < Kevin`> although fwiw "yes" would have worked ;D 08:23 -!- zheng_ [n=zheng@114.92.139.29] has quit [Read error: 110 (Connection timed out)] 08:34 < reiffert> crystal ball broken 08:53 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 09:00 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: isox, dazo_gone, Bushmills, karlpinc 09:00 -!- karlpinc [n=kop@69.17.73.250] has joined ##openvpn 09:00 -!- isox [n=dacurmud@209.144.31.10] has joined ##openvpn 09:00 -!- dazo_gone [n=dazo@62.40.79.66] has joined ##openvpn 09:00 -!- Bushmills [n=nnnnnl@verhau.de] has joined ##openvpn 09:02 -!- Irssi: ##openvpn: Total of 62 nicks [0 ops, 0 halfops, 0 voices, 62 normal] 09:34 -!- djshotglass [n=dextro@d216-232-234-123.bchsia.telus.net] has joined ##openvpn 09:35 * djshotglass loves topics like this 09:35 < djshotglass> answered my q's 09:35 < djshotglass> :) 09:35 < djshotglass> !route 09:35 < vpnHelper> djshotglass: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:35 < djshotglass> 
!redirect 09:35 < vpnHelper> djshotglass: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 09:35 < vpnHelper> djshotglass: !ipforward) 09:36 < ecrist> glad we could help, djshotglass 09:40 -!- kraut [i=kraut@blackhole.netzdeponie.de] has quit [Remote closed the connection] 09:41 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 09:41 < epaphus> hello all 09:43 -!- VeXocide [i=vexocide@snail.stack.nl] has left ##openvpn [] 09:45 < djshotglass> anyone ever have a machine tun http https traffic through one machine and the rest through another? 09:46 < theDoc> djshotglass: Sounds like split-tunneling you're looking at there. 09:47 < djshotglass> :) 09:47 * djshotglass googles 09:48 < ecrist> djshotglass: you need to use some policy-based routing, which is far beyond the scope of this channel. 09:50 < theDoc> djshotglass: If you have a dmz and a couple of Cisco routers, I believe PBR and split tunneling might be your answer. 09:55 < reiffert> djshotglass: depends on your OS. 10:10 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 10:10 < Kobaz> Mon Apr 13 11:00:13 2009 PUSH: Received control message: 'PUSH_REPLY,route 10.2.2.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.2.2.22 10.2.2.21' 10:10 < Kobaz> Mon Apr 13 11:00:13 2009 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9) 10:10 < Kobaz> how would i fix that? 10:11 -!- kraut [i=kraut@blackhole.netzdeponie.de] has joined ##openvpn 10:11 < reiffert> Kobaz: update to 2.1rc15 10:11 < Kobaz> on the server? 
10:12 < reiffert> both 10:12 < Kobaz> mm 10:12 < Kobaz> i'm using openvpn-gui on the client 10:12 < theDoc> Kobaz: Vista or Win7? 10:12 < Kobaz> vista 10:13 < theDoc> Upgrade to 2.1rc15 ^^; That solved it for me 10:13 < reiffert> he is using ancient 2.0.9 10:14 < reiffert> no such option topology in there. 10:14 < Kobaz> will the new client work with an old server? 10:14 < reiffert> no. 10:33 < Kobaz> hmm 10:34 < theDoc> heh, what a bitch. Directing people to hairytaco.com 10:34 < theDoc> lol 10:38 < Kobaz> hmm 10:38 < Kobaz> the windows openvpn gui for 2.1beta7 is broken 10:40 < ecrist> use 2.1rc15 10:40 < Kobaz> Mon Apr 13 11:37:37 2009 route ADD 10.2.2.0 MASK 255.255.255.0 10.2.2.21 10:40 < Kobaz> Mon Apr 13 11:37:37 2009 ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=20] 10:40 < Kobaz> Mon Apr 13 11:37:37 2009 Route addition via IPAPI failed 10:40 < Kobaz> there is no rv15 for windows 10:40 < Kobaz> rc 10:41 < Kobaz> well not of openvpn-gui 10:41 < ecrist> Kobaz: yes there is. I'm looking at openvpn-2.1_rc15-install.exe on the site, now 10:41 < Kobaz> yeah i see 10:41 < Kobaz> i've always used openvpn-gui for windows 10:41 < ecrist> OpenVPN GUI is now packaged in the Windows installer. 10:41 < Kobaz> okay, i'm gettin that now 10:41 < Kobaz> ah i see 10:41 < ecrist> why can't people read? 
10:41 < Kobaz> i dunno 10:42 < Kobaz> i'm just doing what i've always done :P 10:44 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 10:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:47 -!- onats [n=onats@122.53.139.213] has joined ##openvpn 10:53 < reiffert> Kobaz: SIGH SIGH SIGH 10:59 -!- zheng [n=zheng@114.92.138.88] has quit ["Leaving"] 11:01 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:06 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 11:07 < onats> anyone familiar with proxies here? 11:07 < onats> is tinyproxy any good? 11:07 < reiffert> this is #openvpn 11:09 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has joined ##openvpn 11:13 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit ["bbl"] 11:21 -!- _andre [n=andre@fosforo.k8.com.br] has joined ##openvpn 11:21 < _andre> hello 11:22 < _andre> i was reading about the failover mechanisms that openvpn supports 11:23 < _andre> is it also possible to do load balancing? 11:23 < _andre> in my current config i have two servers connected via a tunnel 11:23 < reiffert> no. it's not. 11:23 < _andre> ok 11:24 < _andre> thanks 11:28 < ecrist> it is, to a degree, but with features outside of openvpn 11:30 < _andre> you mean using something like lvs? 11:32 < ecrist> no, I mean with something like, listing multiple remote lines in your client configs, but having half your users use one first, the other half the other first. 
11:32 < onats> reiffert, i know, but people here are a lot more knowledgeable on network stuff 11:32 < ecrist> or DNS round-robin, but then if the dns returns differently on refresh, the tunnel will go down/back up 11:34 -!- Wachert [n=wachert@p3EE2E710.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 11:45 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 11:45 < tsunami> Are the docs on running openvpn as non-admin still applicable? (they were written in 2005) 11:49 < _andre> ecrist: i see 11:54 < reiffert> tsunami: perfect question for the mailinglist 11:55 < tsunami> reiffert: how do i get on that? 11:56 < reiffert> http://openvpn.net/index.php/documentation/miscellaneous/mailing-lists.html 11:56 < vpnHelper> Title: Mailing Lists (at openvpn.net) 12:01 < tsunami> has anyone in here had luck running this as a user? 12:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 12:02 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 12:02 -!- _andre [n=andre@fosforo.k8.com.br] has left ##openvpn [] 12:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:13 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 12:14 < Improv> The key presentation is the primary means by which clients identify themselves to an OpenVPN server, correct? 12:15 < onats> correct 12:15 < onats> ? 12:15 < Improv> Hmm... so it is used for both authentication and identification... 12:16 < onats> yes 12:16 < onats> the key has a label, and the actual key itself 12:16 < onats> wait what am i saying 12:16 * onats had a couple of shots of green label:D 12:17 < Improv> I am integrating it into network testbed software, where each node will need to have multiple tunnels in place, so I guess that means each client has multiple keys, one for each connection... 12:17 < onats> that... 
you better ask the experts 12:18 < Improv> Was hoping to bump into some here :) 12:19 < onats> want to know who the experts are here in this channel? 12:20 < Improv> I've sometimes chatted with some pretty knowledgeable ppl here. 12:33 < kraut> moin 12:35 < Improv> Hmm.. for layer-2 vpns where the main point is for nodes to talk to each other, there's no need for the server to do TCP itself on that network, is there? 12:36 < Improv> by which I mean it'd be fine for the server not to have an IP address on the tue... 12:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 12:39 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 12:40 < tsunami> has anyone been successful in running a gui for openvpn as a user? 12:46 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:57 -!- lipin [n=li@static-ip-77-89-127-186.promax.media.pl] has joined ##openvpn 12:57 < lipin> !redirect 12:57 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 12:57 < vpnHelper> lipin: !ipforward) 12:59 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"] 12:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:03 < epaphus> Hi guys, i setup a vpn client with gateway--redirect , and it works great.. it deletes the default local route as I want it... however ... if I disconnect my network cable and put it back on.. it overwrites the vpn route and adds the local gateway as default therefore leaving my vpn bypassed... same happens if wireless gets disconnected and reconnected. How can I avoid this?? 13:04 < epaphus> I need to be _always_ accessing the internet through my VPN.. 
if i dont have access to the VPN it should NOT go through the local network. 13:05 < lipin> !redirect 13:05 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 13:05 < vpnHelper> lipin: !ipforward) 13:06 < lipin> !def1 13:07 < vpnHelper> lipin: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:09 < lipin> !winnat 13:09 < vpnHelper> lipin: Error: "winnat" is not a valid command. 13:10 < lipin> !winipforward 13:10 < vpnHelper> lipin: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 13:11 < lipin> !winnat 13:11 < vpnHelper> lipin: Error: "winnat" is not a valid command. 13:12 < lipin> !nat 13:12 < vpnHelper> lipin: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:13 < ecrist> lipin, please quit spamming. 13:13 < ecrist> if you're looking for something, search in private chat with the bot, or ask here. 13:13 < ecrist> we'd be happy to come up with the right !key 13:14 < lipin> ok i am new to irc i thought it is a private help bot :) sorry 13:14 < epaphus> lipin, was that for me? 
13:15 < lipin> no it was for my problem i cant get redirect-gateway to work :/ 13:16 < ecrist> lipin: it is, if you /msg the bot, the replies come back in a private message. :) 13:16 < ecrist> lipin, you're probably not natting the vpn clients 13:18 < lipin> maybe someone can help me i am using linksys with tomato and vpn with static key i tried to redirect-gateway from vista but i cant get 0.0.0.0 leading to vpn ip in route tables (sorry for pseudo english) 13:22 < lipin> hmm vpnHelper doesnt work in private chat 13:22 < ecrist> !linnat 13:22 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:28 < Improv> epaphus: You probably need to change how your network-management tool works 13:28 < Improv> epaphus: If you're on Fedora or Debian, it's gnome-network-manager's fault 13:29 < Improv> epaphus: I don't know if they have an option to do what you want though. 13:29 < Improv> epa: I rather doubt it, actually 13:42 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 13:45 < lipin> ahh why it needs to be so hard? is there someone to help me and check what is wrong http://www.linksysinfo.org/forums/showthread.php?p=343777#post343777 here are my unsuccessful tries (redirect-gateway doesnt work) 13:46 < reiffert> !def1 13:46 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:46 < reiffert> lipin: have a look at this. 
13:47 < lipin> i did use def1 but it didnt help 13:48 < reiffert> try to be more specific "does/did not help" does not help us. 13:49 < reiffert> to be more specific use a network sniffer like tcpdump or wireshark. 13:49 < reiffert> they will tell you where packets travel to and where they stop. 13:49 < lipin> thats the problem i am just ordinary guy but 0.0.0.0 with 172.16.0.1 is not created in windows routetable 13:50 < lipin> and i get error when connecting: Mon Apr 13 20:37:37 2009 OpenVPN ROUTE: omitted no-op route: 192.168.1.1/255.255.255.255 -> 192.168.1.1 13:50 < reiffert> my ordinary crystal ball is broken, I'm sorry. 13:52 < lipin> all my traffic goes through 192.168.1.1 instead of 172.16.0.1 there is no rule created in routetable for vpn tunnel i use redirect-gateway def1 and tun interface 13:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/ 14:01 < dan__t> Hi. 14:01 < dan__t> No one cares, lipin 14:01 < dan__t> YOu're not going to guilt anyone in to helping you. 14:01 < dan__t> What's the problem? 14:01 < dan__t> No one being available to answer your question does not imply we're all assholes. 14:01 < dan__t> You do understand how IRC works, especially when supporting a FOSS product, right? 14:02 < dan__t> People have jobs, lives, etc etc. 14:02 < dan__t> 14:02 < dan__t> I just think that's severely retarded logic. 
14:05 < lipin> sorry if i insult you i guess my english is not great i know that is community driven project and i cant expect any help and its great that irc channel like that exists chill my friend i am not calling anybody asshole I rather think that its great that you are here 14:09 -!- djshotglass [n=dextro@d216-232-234-123.bchsia.telus.net] has left ##openvpn [] 14:14 -!- nemysis [n=nemysis@225-225.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 14:15 -!- nemysis [n=nemysis@132-254.3-85.cust.bluewin.ch] has joined ##openvpn 14:15 < dan__t> Ok, so, ask your question :) 14:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 14:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 14:24 < lipin> Why openvpn is not creating in windows vista 0.0.0.0 route using the 172.16.130.2 interface and 172.16.130.1 as the gateway? If I use redirect-gateway def1 and static key. I can ping 172.16.130.1 (that’s openvpn server ip) and i get 172.16.130.2 so it seems that tunnel is established. 14:25 < lipin> openvpn runs on linksys router bridged to belkin router in wds mode and i am connected to this belkin through wifi 14:26 < lipin> thats the problem i can make wds connection only with wep encryption so i want to secure this link using vpn network 14:27 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/ 14:27 < reiffert> !net30 14:27 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:28 < lipin> dan__t wrote ask your question so i did once again 14:29 < dan__t> I did. Blame me. 14:30 < dan__t> That is a good read though, lipin 14:30 < dan__t> I suspect you'll find your answer in there. 
14:36 < krzie> if you need it to be easier to understand, you can have .2 be the first client, .3 be the second, etc etc 14:36 < krzie> by using 2.1 with: 14:36 < krzie> !topology 14:36 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:51 -!- Lilarcor [n=Lilarcor@168.sub-97-165-229.myvzw.com] has joined ##openvpn 14:54 < lipin> did i understand it right ? i have ifconfig 172.16.130.1 172.16.130.2 in router and i am making tunnel from pc ifconfig 172.16.130.2 172.16.130.1 on router side there is linux on pc windows so next ip i could use in theory is 172.16.130.5 but i use static key so i am only one client and i dont really understand how it relates to me should i make 4 ip space between 172.16.130.1 and 172.16.130.2 ? 14:58 < lipin> and vpn said that local and remote endpoints must be in /3 subnet like i had before 14:59 < krzie> lipin ifconfig 172.16.130.1 172.16.130.2 is for a ptp style setup 14:59 < krzie> from what you're saying you want more than 2 clients 14:59 < krzie> so use server 172.16.130.0 255.255.255.0 14:59 < krzie> it will automagically assign ips for you on clients 14:59 < krzie> just use the command client on them 15:00 < krzie> like this: 15:00 < krzie> !sample 15:00 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:00 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/ 15:00 < krzie> lol reif 15:00 < tsunami> anyone successful in deploying openvpn as user account (not admin) 15:00 < reiffert> it's pointless, he is repeating himself, so are we. 
15:00 < krzie> ahh gotchya 15:01 < krzie> tsunami i dont use windows, BUT 15:01 < krzie> !factoids search admin 15:01 < vpnHelper> krzie: 'ssl-admin' and 'win_noadmin' 15:01 < krzie> !win_noadmin 15:01 < vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista 15:03 -!- Lilarcor [n=Lilarcor@168.sub-97-165-229.myvzw.com] has quit [] 15:04 < lipin> i want p2p connection to test if internet traffic (it doesnt now) goes through tunnel if it works then i will bother with generating keys etc. 15:04 < lipin> server config 15:04 < lipin> daemon 15:04 < lipin> ifconfig 172.16.130.1 172.16.130.2 15:04 < lipin> proto udp 15:04 < lipin> port 1194 15:04 < lipin> dev tun21 15:04 < krzie> you looked at the topic? 15:04 < lipin> comp-lzo yes 15:04 < lipin> keepalive 15 60 15:04 < krzie> !pastebin 15:04 < lipin> verb 3 15:04 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 15:04 < lipin> secret server1-static.key 15:04 < lipin> status-version 2 15:04 < lipin> status server1.status 15:04 < lipin> client config 15:04 < lipin> dev tun 15:04 < lipin> proto udp 15:04 < krzie> next paste that big = kick 15:04 < lipin> remote 192.168.1.1 1194 15:04 < lipin> ifconfig 172.16.130.2 172.16.130.1 15:04 < lipin> comp-lzo 15:04 < lipin> secret static.key 15:04 < lipin> route-gateway 192.168.1.1 15:04 < lipin> redirect-gateway def1 15:05 -!- mode/##openvpn [+o krzie] by ChanServ 15:05 <@krzie> ahh it stopped 15:05 -!- mode/##openvpn [-o krzie] by krzie 15:05 < krzie> dont do that 15:05 < krzie> when you entered chanserv told you, you must pastebin anything over 5 lines 15:05 < lipin> ok i am trying my best in this IT jungle and new experience of IRC chat 15:05 -!- krzie [i=krzee@unaffiliated/krzee] has left 
##openvpn [] 15:05 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn 15:05 < krzie> -ChanServ(ChanServ@services.)- [##openvpn] Welcome to ##openvpn. Please don't 15:05 < krzie> paste more than 5 lines to the channel; use pastebin.com or other, 15:06 < krzie> please see the topic in this channel 15:06 < krzie> you can type /topic if your IRC client doesnt display it 15:06 < krzie> || !redirect for sending inet traffic through server || 15:07 < krzie> so type !redirect to see what you need if that is your goal 15:07 < krzie> whoa whoa whoa 15:07 < krzie> remote 192.168.1.1 1194 15:08 < krzie> redirect-gateway def1 15:08 < krzie> 192.168.1.1 is on the same LAN, right? 15:08 < lipin> yes 15:08 < krzie> will that be the case in the final setup? 15:08 < lipin> its router with vpn 15:08 < krzie> securing your wifi? 15:08 < lipin> yes 15:08 < krzie> !local 15:08 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 15:09 < lipin> it didnt help i tried it before 15:09 < krzie> right, because you didnt type !redirect 15:09 < krzie> BUT, you will need that too 15:09 < krzie> please dont tell us what we say isnt right, we have experience with this stuff 15:10 < krzie> which is why we're here 15:10 < krzie> you dont, which is why you're here 15:11 < lipin> so what should i do next if it still doesnt work 15:11 < reiffert> die() 15:11 < reiffert> ah wait, 15:11 < lipin> and my pc is going always through 192.168.1.1 15:11 < reiffert> 20:54 < lipin> nah thanks for help i will make ssh tunnel no hope in here :-/ 15:12 < reiffert> use your ssh tunnel. 15:12 < krzie> you ever gunna type !redirect? 15:12 < krzie> or you just dont wanna see what you need...? 
15:12 < krzie> ya, or use your ssh tunnel, lol 15:13 < lipin> !redirect 15:13 < vpnHelper> lipin: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 15:13 < vpnHelper> lipin: !ipforward) 15:13 < reiffert> 20:05 < lipin> !redirect 15:13 < reiffert> 2 hours ago 15:13 < krzie> reiffert ahh, see i just got here, lol 15:14 < lipin> yes and i was told tell it directly to bot (dont spam in here) and when i do it it says redirect is no valid command 15:15 < lipin> i dont want any war in here just a valuable help not guys laughing and copying same line with my ssh quote 15:16 < lipin> !winnat 15:16 < vpnHelper> lipin: Error: "winnat" is not a valid command. 15:16 < lipin> doesnt work btw 15:16 < krzie> reeeeally 15:16 < krzie> !factoids search nat 15:16 < vpnHelper> krzie: 'nat', 'linnat', and 'fbsdnat' 15:16 < krzie> hah true, i need to make that i guess 15:16 < krzie> bleh, i hate windows 15:17 < krzie> your server is windows? 
15:17 < lipin> my server is linksys router 15:17 < krzie> then you dont need !winnat 15:18 < krzie> you need !linnat 15:18 < krzie> and !linipforward 15:18 < lipin> !linnat 15:18 < vpnHelper> lipin: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 15:18 -!- Wachert [n=wachert@p3EE2B858.dip.t-dialin.net] has joined ##openvpn 15:18 < lipin> i did postrouting it didnt help 15:18 < krzie> and !linipforward 15:18 < lipin> !linipforward 15:18 < vpnHelper> lipin: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 15:19 < krzie> and very importantly, you need local on your redirect-gateway line 15:19 < krzie> and !linipforward 15:19 < krzie> oops 15:19 < krzie> misfire 15:19 < krzie> but ya, when you have !local !linnat and !linipforward all correct, it will work 15:19 < krzie> route-gateway 192.168.1.1 15:20 < krzie> you also dont need that line 15:24 < krzie> also, you're saying you will wait until it works 1 way before you do it the right way... that is accepting that you will give up if it isnt easy for you, which sets you up for failure 15:24 < krzie> i strongly suggest that in your time on the computer you change your outlook if you would like to learn and successfully run whatever it is you want 15:25 < krzie> set things up correctly the first time, know that no matter how hard it is for you that you will spend the time reading the docs until you get it right 15:26 < lipin> can i check somehow if postrouting was added to iptables ? 
15:29 < lipin> i am leaving tomorrow and i want to leave secured network in my sisters flat so ssh is not giving up its just worst case scenario leading to many calls why this and this program doesnt work and how to configure it just like me in here 15:30 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:30 < krzie> lipin, its up to you to learn your operating system (in this case linux) 15:30 < krzie> but that is all you need to accomplish 15:32 < KaiForce> Remote user with a previously functioning OpenVPN GUI client getting this message: "ERROR: Exit Event ('openvpngui_exit_event_0') is signaled" when trying to connect. Any idea what I can look for (the server is functioning). 15:32 < krzie> KaiForce turn up verb to 6 on the client and the server 15:32 < krzie> !logs 15:32 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:32 < KaiForce> krzie: thanks, wilco 15:33 < krzie> =] 15:34 < krzie> happy to take a look when you get them posted 15:34 < krzie> first thing that comes to my head (totally a guess) is cert may have expired or the time on the pc may be off 15:35 < krzie> but guesses mean nothing, the logs at verb 6 should help 15:37 < lipin> could you take a look at my iptables, route tables it still doesnt work after doing all these steps http://pastebin.com/m219161a1 15:37 < lipin> and there is error: Warning: route gateway is not reachable on any active network adapters: 172.16.130.1 15:38 < krzie> !configs 15:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:40 < krzie> oh that error is prolly because of this: 15:40 < krzie> route-gateway 192.168.1.1 15:40 < krzie> remove that line 15:41 < lipin> its deleted now 15:41 < lipin> rest is same with added 
local in redirect-gateway 15:42 < tsunami> is there any updated info on running ovpn as a user w/o admin... I have a hard time believing I can't get around this issue. (the issue being I can't use an encrypted connection as a user) 15:42 < krzie> tsunami did you read the links i gave you? 15:43 < tsunami> yeah 15:43 < krzie> thats all i know 15:44 < tsunami> it says it can't find a .dll file as the user when I gave access to all 15:44 < tsunami> er.. i'm venting sry 15:44 < krzie> i dont use windows, but the people who do say that works 15:53 < KaiForce> hmmm, time on PC, that is something I didn't consider 15:53 < KaiForce> I'm waiting to hear back from the end user 15:53 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 15:59 < KaiForce> doh, no user response yet. I'll try again tomorrow. Thanks again krzie 15:59 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 16:04 < lipin> bye bye enough :-) no success :-( thanks for help & irc induction (i will fight this again in 2 weeks :-) and i am going to make this bloody linux server/router run well) 16:05 -!- lipin [n=li@static-ip-77-89-127-186.promax.media.pl] has quit [] 16:05 < tsunami> anyone know how to pass credentials when running openvpn as a service?
16:11 < krzie> !factoids search auth 16:11 < vpnHelper> krzie: 'tls-auth' and 'authpass' 16:12 < krzie> !factoids search pass 16:12 < vpnHelper> krzie: 'winpass', '2.1-winpass-script', 'password', and 'authpass' 16:12 < krzie> !authpass 16:12 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 16:12 < krzie> hrmm 16:12 < krzie> i know its in there somewhere 16:12 < krzie> !pwfile 16:12 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 16:12 < krzie> there it is 16:13 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 16:19 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn 16:19 < dupondje> !route 16:19 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:20 < dupondje> is there a way to make iroute dynamic ? 16:20 < dupondje> cause client will be laptop, so sometimes it doesn't need to route 192.168.2.* over VPN 16:20 < dupondje> and sometimes not 192.168.3.* for example 16:21 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 16:22 < epaphus> Hey guys, I got a real issue with OpenVPN client in my desktop pc... its a fight between the default route and whenever dhclient gets a new lease .. it overwrites the default route to route everything to VPN. 16:22 < epaphus> whats the best way to solve this?
16:23 < epaphus> if I am not careful and watch out closely when the computer gets a new dhcpd lease.. I can find myself routing the traffic through my local gateway and not the VPN and I wouldnt notice it 16:26 < epaphus> krzee, u there ? :) 16:30 < dupondje> its death :p 16:41 < epaphus> dupondje, hmm? are you referring to this? 16:51 < Bushmills> epaphus, set up your dhcp client to not overwrite default route 16:52 < epaphus> Bushmills, well what would occur if.. I want to some day just boot into my computer and start using the internet via the local..? I would have to set the route myself..? 16:53 < epaphus> Its too bad I cant tell dhclient not to overwrite if a current default route already exists. 16:54 < Bushmills> well, i answered your first question, not the "what if" part 16:54 < epaphus> :) 16:54 < epaphus> thank you though 16:55 < Bushmills> time that we finally get mind reading computers which can handle those "what if" situations 16:56 < epaphus> :) 17:01 < reiffert> lets start with it right now: 17:01 < reiffert> http://www.ocztechnology.com/products/ocz_peripherals/nia-neural_impulse_actuator 17:01 < vpnHelper> Title: OCZ Technology | Products | OCZ Peripherals | nia - Neural Impulse Actuator (at www.ocztechnology.com) 17:04 -!- Wachert [n=wachert@p3EE2B858.dip.t-dialin.net] has quit [Connection timed out] 17:11 < krzie> epaphus did someone answer this question yet? 17:11 < krzie> Hey guys, I got a real issue with OpenVPN client in my desktop pc... 17:11 < krzie> its a fight between the default route and whenever dhclient gets a 17:11 < krzie> new lease .. it overwrites the default route to route everything to 17:11 < krzie> VPN.
17:12 < krzie> not sure if someone answered, but if you look in the manual you will see a flag for redirect-gateway to bypass the dhcp server 17:12 < krzie> its bypass-dhcp or something like that 17:15 < krzie> oh nm bushmills gave you a good answer, i missed that 17:16 < Bushmills> yes, those one-liners tend to be overlooked 17:17 < krzie> hows it goin man 17:17 < Bushmills> right on 17:17 < Bushmills> just returned from family, been out on visit over easter 17:17 < krzie> ahh cool 17:18 < krzie> i stayed in and got some good work done 17:18 < krzie> finished my zabbix NMS and built my new desktop 17:18 < Bushmills> i probably gained 3 kilos 17:18 < krzie> will install osX86 on it tonight now that the computer store is open so i could pickup sata dvd drives 17:18 < krzie> (it didnt like my ide chipset) 17:19 < Bushmills> cool. sounds like you've been productive 17:19 < krzie> ya man, im excited to get that box up 17:19 < krzie> quad core intel with 8gb ram 17:20 < Bushmills> high power dissipation. did you inherit a nuke? 17:20 < krzie> o and my 3 seagate 1.5TB drives should be coming back from getting RMA'ed tomorrow 17:20 < krzie> hahah nah i just want some real power 17:20 < krzie> a box i can crack stuff on when needed, and that can handle my everyday life as well 17:21 < Bushmills> hehe 17:21 < krzie> i been using my macbook pro for * for like 3 years now 17:21 < krzie> i feel bad for the poor thing 17:21 < Bushmills> if i tell you what my main computer is, you'll either laugh, or look disgusted 17:21 < krzie> overused 17:21 < krzie> nah if it works for you thats all that matters 17:22 < krzie> i demand a lot from mine, so it was time to go big 17:22 < krzie> if you heard what i put in my NFS youd laugh at me for the over-the-edge power i used for it 17:22 < krzie> (i may have gone overboard on that one) 17:23 < Bushmills> but i can do development on battery power, 3 to 4 cpus involved 17:23 < Bushmills> ehm. 
5 actually 17:24 < krzie> nice 17:24 < krzie> you play with vmware esxi at all? 17:24 < krzie> (i always get that acronym wrong) 17:24 < Bushmills> no. my main machine lacks the power (speak: RAM) for it. 17:25 < krzie> ahh 17:25 < Bushmills> 512 k is a bit constrained 17:25 < Bushmills> ehm 17:25 < Bushmills> mb 17:25 < krzie> i'd like to run it, but not on the nfs cause i use zfs for my filesystem and not on my desktop cause i want osx86 and dont think it works on esxi 17:25 < krzie> so im SOL 17:25 < Bushmills> my other "machine" is 2 kb 17:26 < krzie> 2kb what 17:26 < Bushmills> RAM 17:26 < krzie> umm 17:26 < krzie> atari? lol 17:26 < krzie> thats less than my ipod touch 17:26 < krzie> altair? 17:26 < Bushmills> nah. atmel controllers on which i'm running interactive interpreter, incremental compiler, multitasking ... 17:27 < epaphus> krzie, thanks 17:27 < krzie> wow, crazy stuff 17:27 < krzie> epaphus, np but after reading bout it in manpage im thinking its maybe not what you wanted 17:28 < epaphus> its ok i discovered that if you leave def1 17:28 < epaphus> then... it will do what i want 17:28 < krzie> ohhh right 17:28 < epaphus> how are you doing krzie ? :) 17:28 < krzie> good call 17:28 < krzie> im doing very well 17:28 < epaphus> me too 17:29 < epaphus> i installed gopenvpn 17:29 < epaphus> its great.. what a breeze 17:29 < krzie> Bushmills, sounds above my skill level, would be fun to watch 17:29 < krzie> epaphus, yup... very nice app 17:31 < epaphus> krzie, is this your preferred..? have you used any other? 17:31 < krzie> i havent used any other because this is my preferred 17:32 < krzie> and its my preferred because i trust openssl far more than ipsec or pptp's proprietary protocols 17:32 < epaphus> ipsec is a proprietary thing? ohh.. cisco? 17:32 < krzie> right 17:36 < Bushmills> krzee, no, not above level. maybe, beside your skill set but positively not anything you wouldn't be able to pick up.
17:37 < krzie> i can agree with that 17:39 < Bushmills> be warned though that the technology used in those controllers is something i have been recurrently busy with for about 30 years. 17:40 < Bushmills> means, it's not something one would pick up in a matter of 10 minutes 17:40 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 17:40 < krzie> ya its not something i have a need to use either 17:41 < krzie> (as far as i know...) 17:42 * Bushmills is a pre-ibm-pc fossil 17:44 < Bushmills> wanna see the first "real" computer i was learning to program on? 17:45 < krzie> sure 17:45 < Bushmills> http://www.columbia.edu/acis/history/5100.html 17:45 < vpnHelper> Title: The IBM 5100 Portable Computer (at www.columbia.edu) 17:46 < Bushmills> http://forthfreak.net/ibm5100.jpg better picture of that machine 17:49 < Bushmills> predates the IBM pc by 6 years 17:52 < krzie> savage 17:59 < Bushmills> it was slow, memory starved, and a ridiculously small text mode screen, but had an APL interpreter in ROM, which made it interactive. 18:00 < dupondje> how to solve my problem ? :x 18:00 < Bushmills> quite different from the ibm 360 mainframe machines i failed to grasp assembly for at that time. 18:08 < krzie> dupondje, what was it? 18:09 < krzie> Bushmills awesome man, i dont even code aside from scripting, so maybe i was right when i said above my skill level ;] 18:12 < Bushmills> actually, programming those controllers is - by virtue of the added interpreter and compiler in flash - very similar to scripting. 
18:12 < krzie> ahh cool 18:12 < krzie> well im pretty damn handy in shell scripting 18:13 < Bushmills> i actually wrote a version of it in javascript, which runs in your web browser 18:13 < krzie> ya 18:14 < krzie> while im not a coder im familiar with where you use the different ones and what they are 18:14 < Bushmills> or worse, also a version written as bash script 18:14 < krzie> and i can read through source to get an idea of whats going on 18:14 < Bushmills> probably (one of the) most complex bash scripts in existence 18:14 < Bushmills> ah 18:15 < krzie> heres my second favorite script i wrote (mainly cause of the comments i think) 18:15 < Bushmills> wanna get an idea what's going on by looking at a bash script (grin) 18:15 < krzie> http://www.doeshosting.com/code/mkimg 18:15 < krzie> sure, post it ill look 18:16 < Bushmills> http://scarydevilmonastery.net/bashforth enjoy :D 18:17 < Bushmills> virtual machine, interpreter, compiler, run time environment 18:19 < Bushmills> (but i foretell you need at least 3 looks to get an idea what's going on) 18:20 < krzie> no shit 18:21 < krzie> and i already learned a command i didnt know (declare) 18:21 < krzie> why use that over a normal var? 18:23 < krzie> damn that script is more complicated than the package i wrote to run my whole webhosting company (which i since shutdown) 18:23 < Bushmills> several possible reasons. you can give the declared data item characteristics an implicit declaration wouldn't give, for example, or 18:24 < Bushmills> declaration during "load"/"compile" time takes the time which would otherwise be needed at run time when declaration is done implicitly 18:24 < krzie> dude, that is a hardcore script 18:25 < Bushmills> also, better factoring. i can keep the declaration together in one section which helps me to know what gets actually declared 18:25 < dan__t> meh 18:25 < dan__t> Fuck Sendmail.
18:25 < dan__t> :( 18:25 < krzie> agreed dan, dont use it 18:25 < Bushmills> especially in combination with a bash invocation option which disables implicit declaration 18:25 < krzie> postfix or qmail 18:25 < dan__t> Postfix is my bitch. 18:25 < dan__t> unfortunately I can't change this setup. 18:26 < dan__t> I need to always BCC incoming mail for a particular user. 18:30 < Bushmills> dan__t, redirect mail for that user to a mail server running postfix, in its virtual file put for the recipient both real/final email address and bcc address :D 18:31 < Bushmills> or a procmail recipe could do the job too 18:33 < krzie> and to redirect mail in sendmail you just put ~/.forward with only the email address to forward to 18:35 < Bushmills> i think that's actually procmail handling that way of forwarding 18:36 < dan__t> alias hackery. 18:36 < dan__t> done and done. 18:36 < dan__t> aliases, rather. 18:36 < krzie> ahh, i never mess with sendmail 18:38 < krzie> i only know that cause freebsd comes with sendmail, and if its not gunna run a mailserver i leave sendmail running but not binding to an ip so it can deliver me its periodic emails (using .forward) 18:38 < krzie> thats all i know (and want to know) about sendmail 18:38 < krzie> besides how to turn it off ;] 18:39 < krzie> dupondje, didnt you have a question...? 18:40 < Bushmills> [22:20] is there a way to make iroute dynamic ? 
18:40 < Bushmills> [22:20] cause client will be laptop, so sometimes it doesn't need to route 192.168.2.* over VPN 18:41 < krzie> ahh 18:41 < krzie> not dynamic, but you can use 2 accounts from the laptop 18:41 < krzie> 1 whose common-name is associated with the iroute, and you only use when connecting from the place with the lan 18:41 < krzie> other for when you are a road warrior 18:42 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 18:42 < sirus> !redirect 18:42 < vpnHelper> sirus: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 18:42 < vpnHelper> sirus: !ipforward) 18:54 * krzie closes Bushmills' shell script before his head explodes 19:15 -!- theDoc [n=andelyx@bb116-15-11-175.singnet.com.sg] has joined ##openvpn 19:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:51 -!- theDoc [n=andelyx@bb116-15-11-175.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 20:14 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 20:33 -!- aluis__ [n=aluis@e176245079.adsl.alicedsl.de] has joined ##openvpn 20:51 -!- aluis_ [n=aluis@g227126172.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 20:52 < krzie> sirus, did you understand that? 
20:52 < krzie> !nat 20:52 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 20:53 -!- theDoc [n=andelyx@162.202-128-197.unknown.qala.com.sg] has joined ##openvpn 20:54 -!- theDoc [n=andelyx@162.202-128-197.unknown.qala.com.sg] has quit [Client Quit] 20:59 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 21:26 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 21:34 -!- Dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:34 < Dougy[home]> heyo 21:41 < krzie> bored 21:42 < Dougy[home]> me too 21:42 < Dougy[home]> fighting with this server 21:42 < Dougy[home]> mother f 21:42 < Dougy[home]> im memtesting to see if it locks again 21:42 * Dougy[home] is mad 21:51 < Dougy[home]> rm -rf /centos 21:51 < Dougy[home]> goodbye rhel5 21:51 < krzie> lol 21:51 < krzie> i wouldnt even say hello to it 21:54 < Dougy[home]> meh 21:54 < Dougy[home]> its not bad 22:10 -!- sn1ffer723 [n=davidj@68-187-222-247.dhcp.oxfr.ma.charter.com] has joined ##openvpn 22:23 < sn1ffer723> I am looking for a recommendation to do site-to-site IPSec VPNs 22:23 < sn1ffer723> What are your thoughts on NetScreens 22:23 < sn1ffer723> ? 22:25 < krzie> you're in the wrong channel 22:25 < krzie> we dont do ipsec here 22:26 < krzie> !notcompat 22:26 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 22:26 < krzie> !notovpn 22:26 < vpnHelper> krzie: Error: "notovpn" is not a valid command.
22:26 < krzie> !notopenvpn 22:26 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 22:26 < krzie> !learn notovpn as [notopenvpn] 22:26 < vpnHelper> krzie: Joo got it. 22:26 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 22:27 < theDoc> I hope this works and xdiff didn't fuck up 3 config files. 22:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 22:42 < Dougy[home]> !forum 22:42 < vpnHelper> Dougy[home]: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 22:44 < Dougy[home]> hmm 22:44 < Dougy[home]> there are posts 22:45 < Dougy[home]> ! 22:45 < krzie> heh 22:49 < krzie> i almost dont wanna delete them either 22:49 < krzie> i mean sure its porn spam, but at least he posted pics 22:50 < krzie> wtf wheres my admin privs? 22:52 < krzie> ahh i see 22:57 < Dougy[home]> lol 22:57 < krzie> there, replied 22:58 < Dougy[home]> woot 22:58 -!- sn1ffer72 [n=davidj@Interference.CTCNet.com] has joined ##openvpn 22:58 < krzie> adios bbl 22:58 * sirus loves vpn 23:02 < Dougy[home]> MOTHER F 23:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 23:10 -!- Dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 23:14 -!- sn1ffer723 [n=davidj@68-187-222-247.dhcp.oxfr.ma.charter.com] has quit [Read error: 110 (Connection timed out)] 23:14 -!- diegoviola [n=diego@adsl-142-4.click.com.py] has joined ##openvpn 23:14 < diegoviola> is there a way to make the encryption stronger in openvpn? 23:14 < diegoviola> what's the default? 23:35 < diegoviola> is there a way that i could access the internet network from the openvpn server i'm connecting to? 
--- Day changed Tue Apr 14 2009 00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:02 < diegoviola> guys i need some help, i'm new with this openvpn stuff 00:03 < diegoviola> i have connected to the pptp vpn of a friend, and i was able to use his internet's ip to connect to my voip switch 00:03 < diegoviola> i didn't have to make my sip switch listen on his vpn network ip 00:03 < diegoviola> i just connected as i would normally 00:04 < diegoviola> when i set up a vpn client-server i need to make my switch listen on my openvpn server ip address 00:04 < diegoviola> and i don't want that 00:07 < dan__t> diegoviola> is there a way that i could access the internet network from the openvpn server i'm connecting to? 00:07 < dan__t> of course, why not? 00:07 < dan__t> what's the default? 00:07 < dan__t> depends on the keyset used 00:08 < diegoviola> the thing is that i have voip blocked (sip protocol), my isp blocks it 00:08 < diegoviola> but when i connected to his pptp i was able to connect just fine to my voip network 00:08 < diegoviola> i don't know how 00:08 < diegoviola> i think his pptp created an interface with his ip on my system 00:08 < diegoviola> with his internet ip 00:09 < dan__t> I'll be back in an hour. 00:09 < dan__t> Either wait for me, or someone else 00:09 < dan__t> sorry heh 00:09 < dan__t> Its called good NAT trickery.
00:09 < dan__t> Whatever he did with IPs had nothing to do with the VPN, it had everything to do with IP routing behind that VPN server 00:11 < diegoviola> nope, his ppp0 creates an interface with 10.10.10.3 here 00:11 < diegoviola> i see 00:11 < dan__t> (yeah, it is) 00:11 < dan__t> :) 00:11 < dan__t> bbl 00:12 < diegoviola> please let me know when you have some time to help me with this network 00:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:15 < diegoviola> http://pastie.org/445744 00:15 < diegoviola> his vpn creates a ppp0 interface with the vpn ip 00:16 < diegoviola> and adds a route to his internet gateway 00:16 < diegoviola> on my machine 01:04 < diegoviola> anyone? 01:14 < diegoviola> is there a way i can create a vpn tunnel between me and my server, and then use the server internet for my computer 01:14 < diegoviola> like, add the ip of the server on my route table 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has left ##openvpn ["adios"] 01:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:24 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:25 < Cephalon> hello, can someone tell me how my vpn clients can communicate with each other, because now i have only client-server communication 01:26 < diegoviola> Cephalon: look at the client-to-client option 01:29 < Cephalon> thanx diegoviola, it works 01:33 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: roentgen, tarbo2, coChosh9, Gumbler 01:33 -!- ThoMe is now known as thomas 01:34 < diegoviola> np 01:34 < diegoviola> can someone help me please?
01:34 -!- Netsplit over, joins: roentgen, tarbo2, coChosh9, Gumbler 01:34 -!- thomas [n=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)] 01:35 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Alagar, Cephalon, simplechat 01:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [SendQ exceeded] 01:39 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: coChosh9, tarbo2, Gumbler 01:39 -!- Netsplit over, joins: coChosh9, Gumbler 01:39 -!- dazo_gone is now known as dazo 01:42 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 01:42 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 01:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: coChosh9, Gumbler 01:44 -!- ThoMe is now known as thomas 01:45 < dazo> diegoviola: there are a lot of people here who might want to help, I dunno ... but it's easier to help when you come up with a question ........ hint hint 01:47 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:47 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:47 -!- simplechat [n=betabot@li20-55.members.linode.com] has joined ##openvpn 01:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:48 -!- simplechat [n=betabot@li20-55.members.linode.com] has quit [SendQ exceeded] 01:49 -!- Cephalon [n=Cephalon@195.251.124.109] has quit [Excess Flood] 01:50 -!- Cephalon [n=Cephalon@195.251.124.109] has joined ##openvpn 01:50 < diegoviola> dazo: well, let me explain... i connected my linux computer to my friend's vpn, which uses pptp... it assigned me a private ip address: 10.10.10.3, and also added a route to his gateway for me, then i could connect to my voip server normally as i would with the internet ip, i didn't have to make my voip software listen to any other ip but the internet ip... and my traffic would appear with the vpn server ip 01:50 < diegoviola> dazo: does that make sense?
01:50 < diegoviola> http://pastie.org/445744 01:50 < diegoviola> that was the config i had when i connected to his vpn 01:50 < diegoviola> i'm trying to do something similar with openvpn 01:51 < dazo> diegoviola: are you using openvpn or pptp? 01:51 < diegoviola> dazo: openvpn now 01:51 < diegoviola> dazo: i'm trying to do the same thing i made with pptp but with openvpn... 01:52 < dazo> diegoviola: aha ... I got concerned that you tried to use openvpn against a pptp service ... bec. that would not work out at all 01:52 < diegoviola> no, i'm not using pptp 01:52 < dazo> good 01:52 < diegoviola> 100% openvpn 01:52 < diegoviola> i have a client-server openvpn set up here 01:53 < dazo> Just trying to understand your case .... 01:53 < diegoviola> but i want to be able to use the openvpn server internet 01:53 < dazo> So you want all Internet traffic to pass over the VPN channel? 01:53 * dazo do not quite catch your problem 01:53 -!- Cephalon [n=Cephalon@195.251.124.109] has quit [Client Quit] 01:54 -!- coChosh9 [i=coChosh9@gateway/tor/x-3018485ce1e7e2de] has joined ##openvpn 01:54 < diegoviola> dazo: yes, that basically 01:54 < diegoviola> i want all the traffic to go from my computer to the vpn 01:55 < dazo> okey ... if you want to redirect all Internet traffic from the client .... you need to look into adding --redirect-gateway in your client config (or pushing it from the server) 01:55 < dazo> that's basically all you need :) 01:55 < dazo> --redirect-gateway defl ... I believe might be the right option .... 
double check it against the man pages 01:55 < diegoviola> thanks 01:58 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:03 -!- antii [n=whaj@unaffiliated/antii] has joined ##openvpn 02:03 < antii> hello 02:04 < antii> can anyone help me setup "intern routing", i got a crappy guide that is "Ok" :P 02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:19 < kraut> moin 02:38 -!- vlt [n=dm@suez.activ-job.com] has left ##openvpn [] 02:49 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 03:02 -!- antii [n=whaj@unaffiliated/antii] has quit [Read error: 113 (No route to host)] 03:03 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 03:03 < Bushmills> diegoviola, http://scarydevilmonastery.net/masq 03:03 < Bushmills> (assuming linux on vpn server) 03:06 < diegoviola> Bushmills: thanks a lot 03:08 < Bushmills> np 03:09 -!- sn1ffer72 [n=davidj@Interference.CTCNet.com] has quit [Connection timed out] 03:20 < onats1> !route 03:20 < vpnHelper> onats1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:20 < onats1> i have a question 03:21 < onats1> what's the difference if i just create a proxy server on my LAN (behind the vpn server), and use it as proxy for traffic, than the !redirect? 03:21 < onats1> in terms of performance? 
03:21 < onats1> !redirect 03:21 < vpnHelper> onats1: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 03:21 < vpnHelper> onats1: !ipforward) 03:39 -!- diegoviola [n=diego@adsl-142-4.click.com.py] has quit [Read error: 110 (Connection timed out)] 03:54 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 03:54 -!- thomas [i=tm@tm.muc.de] has quit [Killed by ballard.freenode.net (Nick collision)] 03:54 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 04:13 -!- coChosh9 [i=coChosh9@gateway/tor/x-3018485ce1e7e2de] has quit [Remote closed the connection] 04:30 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 04:33 -!- coChosh9 [i=coChosh9@gateway/tor/x-861bdb4dfd29b5ad] has joined ##openvpn 04:36 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)] 05:09 -!- Wachert [n=wachert@p3EE2F1B2.dip.t-dialin.net] has joined ##openvpn 05:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:30 -!- inigo_work [n=inigo@212.21.227.90] has joined ##openvpn 06:30 < inigo_work> hello 06:34 < inigo_work> i'm getting this: http://pastebin.com/d1d84e2f6 06:35 < inigo_work> i don't know. I think this has worked other times before. 06:36 < inigo_work> i don't know what to check 06:37 < inigo_work> we used to build certificates using build-key-pkcs12 06:37 < inigo_work> do i need to modify the revoke-full script ? 06:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:45 < dazo> inigo_work: ... seems like your cert file is empty .... that cannot be empty 06:45 < dazo> keys/emialag.crt: empty 06:46 < dazo> inigo_work: ahh ... sorry ... I read too quickly ...
you're doing easy-rsa stuff .... my mistake 06:46 < inigo_work> maybe my index.txt is corrupted or something like that ? 06:47 < dazo> inigo_work: are you sure /etc/openvpn/usuariosBiko/ca/openssl.cnf has not been changed? 06:47 < inigo_work> i'm trying -verbose in openssl lines and strace, but i don't see 06:47 < inigo_work> ono ca # stat /etc/openvpn/usuariosBiko/ca/openssl.cnf 06:47 < inigo_work> File: `/etc/openvpn/usuariosBiko/ca/openssl.cnf' 06:47 < inigo_work> Size: 7487 Blocks: 16 IO Block: 4096 regular file 06:47 < inigo_work> Device: fd00h/64768d Inode: 116784 Links: 1 06:47 < inigo_work> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root) 06:47 < inigo_work> Access: 2009-04-14 13:33:13.000000000 +0200 06:47 < inigo_work> Modify: 2005-09-27 00:33:28.000000000 +0200 06:47 < inigo_work> Change: 2009-04-06 09:38:13.000000000 +0200 06:47 < inigo_work> it isn't seems changed 06:47 < inigo_work> doesn't 06:47 < dazo> nope 06:49 < dazo> inigo_work: I'm sorry .... I'm not sure how easy-rsa works under the hood .... might be you should have a look at how the script works and try to run the openssl commands manually 06:49 < dazo> or add debug info into the script 06:50 < inigo_work> yes, i will try 06:50 < inigo_work> thanks dazo 06:50 < inigo_work> time to lunch here :) 06:50 < dazo> :) 06:50 < dazo> enjoy! 06:50 < inigo_work> thanks 06:59 -!- betabot is now known as simplechat 06:59 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)] 07:00 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:00 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn 07:04 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 07:12 -!- asdf [n=wtf@pessa.net] has left ##openvpn [] 07:46 < tsunami> running openvpn as just a service from a user gets me an error in the log saying "can't read Auth username from stdin" Any ideas?
08:01 < ecrist> well-covered in the howto 08:26 -!- MissNeBuN [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn 08:49 < Alagar> Best wishes for a happy new year 08:49 < ThoMe> Hello. 08:50 < ecrist> Alagar: what is that? 08:50 < ThoMe> Does anyone here speak a little German? 08:50 < ecrist> English in here, folks. 08:51 < Alagar> this is a greeting for the tamil new year 08:51 < Alagar> today is the tamil new year 08:51 < ecrist> ThoMe: please don't PM me. what do you need? 08:53 -!- solexious [n=solexiou@80-41-109-207.dynamic.dsl.as9105.com] has quit [Read error: 110 (Connection timed out)] 08:53 < ThoMe> ecrist: I have a VoIP phone with OpenVPN client. After some time the phone stays are short, whenever anything is renewed. 08:55 < ecrist> ThoMe: you've a lot of variables. 08:55 < ecrist> doesn't the phone work OK over the internet, without the vpn? 08:55 < ThoMe> ecrist I mean "anything is renewed" > "Tue Apr 14 14:59:42 2009 SNOM_370_HERR_WINDELS/77.47.83.155:61014 TLS: tls_process: killed expiring key 08:56 < ThoMe> ecrist: Is it possible a VPN-Connection with less System Requirements on my Client? 08:56 < ThoMe> ecrist: Jep, have the SNOM Phone 370 on 6 places, without VPN. works good. 08:57 < ThoMe> ecrist: 've seen that you connect only with a certificate can build? 08:57 < ThoMe> +I 08:58 < ecrist> I don't run VoIP over VPN, so I can't help you very much with that. 08:59 < ThoMe> ecrist: no, i mean, openVPN. i use three lines, server cert and then the bundle from my client private/pub. is it possible with one? 08:59 < ThoMe> ecrist: TLS: tls_process: killed expiring key < you can change the key lifetime, check the man page, not sure the exact config option 09:02 < ThoMe> ecrist: i use google with "key lifetime". thank you very much. have a nice day! 09:03 -!- Wachert [n=wachert@p3EE2F1B2.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"] 09:05 < ThoMe> ecrist: tls-timeout this? 09:06 < ThoMe> ecrist: or this key-method ?
09:08 < ThoMe> ecrist: or --reneg-sec ? :-) 09:08 < ThoMe> mamia, many options... 09:09 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:09 < ThoMe> ecrist: is reneg-sec a client option or server? 09:10 < theDoc> ecrist: Just leave it alone, ipv6 shouldn't be enabled. 09:10 < ecrist> theDoc: ? 09:10 < theDoc> ecrist: With regards to your ipv6 question in #Cisco 09:11 < ecrist> theDoc: got people getting through the vlans using ipv6 and windows file sharing 09:11 < ecrist> we want to disable that 09:11 < theDoc> ecrist: no ipv6 enable 09:11 < ecrist> unknown command 09:11 < ecrist> tried that 09:11 < theDoc> Odd. 09:12 < ThoMe> ecrist: emm, is this "reneg-sec 604800" the right option? (reneg-sec" ? 09:12 < theDoc> ecrist: What does no ipv6 give you? 09:12 < ecrist> Switch(config)#no ipv6 ^ 09:12 < ecrist> % Invalid input detected at '^' marker. 09:12 < ecrist> Switch(config)#no ipv6 ^ 09:12 < ThoMe> ecrist: :-( 09:12 < ecrist> IOS upgrade needed? 09:13 < theDoc> ecrist: Seems like your IOS doesn't support v6. 09:13 < theDoc> Which switch is it? 09:13 < ecrist> C2960 is all I know. 09:13 < theDoc> ecrist: Do you have access to that switch to do a show version to get the IOS version? 09:14 < ecrist> I posted that in #cisco 09:14 < theDoc> 12.2 is ancient man ;p 09:14 < theDoc> Time for IOS upgrade. 09:14 < ThoMe> ecrist: huhu? 09:15 < theDoc> ecrist: Oops sorry about it, I was thinking about the router IOS which is at 12.4. 09:21 -!- eliasp_ is now known as eliasp 09:37 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:37 < epaphus> Hello all. 09:38 < epaphus> Could I use the same config files for OpenVPN1.0.9 than the ones I used for 2.0 ? 
09:38 < ecrist> prolly mostly ok, but I'd check the docs 09:44 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn 09:45 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 09:50 -!- karlpinc [n=kop@69.17.73.250] has quit [Read error: 110 (Connection timed out)] 09:55 < tsunami> has anyone here had luck with openvpn as non-admin? I've been through docs and am getting a strange error in the log: could not read auth username from stdin. I donno where/what stdin is... 10:05 -!- onats2 [n=15172@221.121.120.254] has joined ##openvpn 10:07 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy, boney_, troy-, onats1, tarbo2, kaii 10:08 -!- Netsplit over, joins: Dougy 10:08 -!- Netsplit over, joins: boney_ 10:09 -!- Netsplit over, joins: kaii 10:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 10:11 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 10:11 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 10:11 -!- troy- [n=troy@worldnet.tauri.ca] has quit [SendQ exceeded] 10:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded] 10:13 < kaii> tsunami: stdin is the input from shell/bash .. openvpn wants to read a password from your keyboard but actually there was nothing to read. 10:13 < kaii> tsunami: configure openvpn to not use keyboard interactive authentication when running as a daemon. 10:13 < tsunami> but i need to enter a password... 10:15 < kaii> either run openvpn interactively on a shell and enter it, or use another method. 10:15 < kaii> it's all in the FAQ on openvpn.net 10:15 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: onats1 10:15 -!- Netsplit over, joins: onats1 10:16 < kaii> if you want this connection to be "always connected", password auth is blocking it from reconnect. 
10:16 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 10:16 -!- onats1 [n=15172@221.121.120.254] has quit [Connection reset by peer] 10:16 < kaii> iirc you can provide the password in a file, see FAQ for that 10:17 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 10:17 < tsunami> my issue is running as non-admin... i can get everything working on admin but not non-admin. I have been through every doc 4 times 10:21 < ThoMe> --reneg-sec n < !howto 10:24 < vpnHelper> Kyle2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:25 < Kyle2> hello there.. ive been through the OpenVPN howto.. and im just trying to get two machines to see each other with OpenVPN.. and i'm currently getting this: Tue Apr 14 15:40:06 2009 us=324142 TEST ROUTES: 0/0 succeeded len=-1 ret=0 a=0 u/d=down 10:25 < Kyle2> Tue Apr 14 15:40:06 2009 us=324167 Route: Waiting for TUN/TAP interface to come up... 10:25 < Kyle2> but the VPN just doesnt seem to be live 10:26 < Kyle2> openvpn --remote gateway.bar.com --dev tun0 --ifconfig 10.99.99.1 10.99.99.2 --verb 9 10:26 < Kyle2> openvpn --remote foo.bar.com --dev tun0 --ifconfig 10.99.99.2 10.99.99.1 --verb 9 10:26 < Kyle2> those are the two sets of commands ive used for either end 10:30 -!- coChosh9 [i=coChosh9@gateway/tor/x-861bdb4dfd29b5ad] has quit [Remote closed the connection] 10:31 -!- coChosh9 [i=coChosh9@gateway/tor/x-87a24efbb8c9d12d] has joined ##openvpn 10:35 -!- plooo [n=lbz@fw1.aspsys.com] has joined ##openvpn 10:35 < plooo> can you force openvpn to listen on a specific interface in the conf? 
10:37 -!- Kyle2 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"] 10:38 < Bushmills> plooo, option --local should do - i never tried that one though 10:40 -!- coChosh9 [i=coChosh9@gateway/tor/x-87a24efbb8c9d12d] has quit [Remote closed the connection] 10:41 -!- nemysis [n=nemysis@132-254.3-85.cust.bluewin.ch] has quit [Connection timed out] 10:42 -!- nemysis [n=nemysis@108-90.3-85.cust.bluewin.ch] has joined ##openvpn 10:42 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:51 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 10:51 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 10:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 10:56 < plooo> config file though? 10:56 -!- inigo_work [n=inigo@212.21.227.90] has quit [Client Quit] 10:58 -!- aluis__ [n=aluis@e176245079.adsl.alicedsl.de] has quit [Remote closed the connection] 10:59 -!- zheng [n=zheng@114.92.138.88] has quit ["Leaving"] 11:06 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has joined ##openvpn 11:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:13 < Bushmills> usually the same without the leading dashes 11:42 -!- apollo13 [i=pd@unaffiliated/apollo13] has joined ##openvpn 11:42 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn 11:43 < apollo13> hi, I am trying to push a new dns server to the clients, but on the client I get (during connection initialization): Tue Apr 14 18:32:06 2009 ERROR: Linux route add command failed: external program exited with error status: 7 11:43 < apollo13> any ideas? 
11:44 < apollo13> I am trying something like this: http://paste.pocoo.org/show/112511/ 11:44 < apollo13> oddly enough it works via the NetworkManager (http://projects.gnome.org/NetworkManager/), so I have no idea what's wrong while using the console 11:44 < vpnHelper> Title: NetworkManager - Linux Networking made Easy (at projects.gnome.org) 11:45 < apollo13> !route 11:45 < vpnHelper> apollo13: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:45 < ecrist> apollo13: running as root? 11:45 < apollo13> ecrist: using sudo yes 11:46 < apollo13> clients don't need to communicate with other clients, I only need to reach the network behind the server 11:46 < apollo13> (which works) 11:46 < apollo13> and use dns there, cause of some virtualhosts 11:49 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 11:49 < apollo13> not using root can't get me connected after all, as my sys isn't setup to allow ordinary users to allocate tun/tap devices dynamically 11:52 < apollo13> that's the whole connection log: http://paste.pocoo.org/show/112513/ 11:54 < apollo13> the route itself gets pushed through, as such everything but dns works 12:02 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:03 < apollo13> ecrist: I increased verbosity on the client, could this have something to do with it? 12:03 < apollo13> Tue Apr 14 19:01:33 2009 us=947294 route_gateway_via_dhcp = DISABLED 12:03 < apollo13> Tue Apr 14 19:01:33 2009 us=947314 allow_pull_fqdn = DISABLED 12:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:06 < epaphus> Hello guys, I have a new config for a client to connect to the server.. the client spits a lot of writes after it connects but then it outputs this error.. 
Tue Apr 14 12:04:16 2009: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 12:06 < epaphus> Tue Apr 14 12:04:16 2009: TLS Error: TLS handshake failed 12:06 < epaphus> Tue Apr 14 12:04:16 2009: TCP/UDP: Closing socket 12:06 < epaphus> what could this be? 12:12 -!- plooo [n=lbz@fw1.aspsys.com] has quit ["Leaving"] 12:28 -!- apollo13 [i=pd@unaffiliated/apollo13] has left ##openvpn ["Leaving"] 12:35 < tsunami> is it possible to use environment variables within the config file? 12:36 < ecrist> tsunami: please read the docs 12:36 < tsunami> k 12:39 < epaphus> might as well send anybody to read the docs... 12:39 < epaphus> :P 12:39 < ecrist> we do 12:43 < tsunami> i cant find any references to environment variables 12:43 < tsunami> .. 12:43 < ecrist> tsunami: what do you want to do 12:43 < tsunami> use environment variables within the config file to standardize on one config throughout the company 12:43 < ecrist> epaphus: have you checked network connectivity? 12:44 < ecrist> tsunami: that doesn't really help 12:44 < epaphus> ecrist, yes 12:44 < ecrist> epaphus: you've got a firewall problem, more than likely. 12:44 < krzee> firewall problems!?!?! but nobody ever has those! 12:44 < krzee> hehehe 12:45 < tsunami> %userprofile%\ca.crt that would be awesome 12:45 < ecrist> tsunami: configs are really just command line arguments 12:46 < ecrist> it may work, give it a shot 12:46 < tsunami> ive tried.. just wondering if anyone has tried to bend that 12:51 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:53 < epaphus> well, i can say for sure its not a firewall problem... I have applied a new firewall that was tested to work.. no go 12:53 < epaphus> could it be a SSL issue? 
12:58 < dan__t> what the eff 12:59 < dan__t> Why does OpenVPN always put an underscore after the CN in all the debugging and stuff 12:59 < dan__t> In all env vars etc etc 12:59 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has joined ##openvpn 12:59 < Kyle5> !logs 12:59 < vpnHelper> Kyle5: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 13:02 < Kyle5> hello there.. im having an issue with openvpn gui on server 2003... ive got two server 2k3 boxes, and the vpn comes up fine, but ive given the 'vpn server' a 10.8.0.1/255.255.255.252 address on its TUN/TAP interface..... but it's allocating a 10.8.0.6/255.255.255.252 to the client.. and it wont route 13:02 < Kyle5> the two clients cant ping each other 13:02 < ecrist> client-to-client 13:03 < ecrist> add that to the server config, restart the daemon, you're done 13:03 < ecrist> !/30 13:03 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 13:03 < Kyle5> OK.. what does that do specifically? 13:04 < ecrist> it's all in the docs 13:05 < ecrist> you complain of two clients not being able to ping each other 13:05 < ecrist> add client-to-client to the config 13:06 < Kyle5> ecrist: i added client-to-client and its still giving unrouteable addresses at each end 13:07 < Kyle5> ie: one on 10.8.0.6/255.255.255.252 and the other on 10.8.0.1/255.255.255.252 13:08 < epaphus> aha!! the error message in the server is more detailed than that of the client.. 
this is the log 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 VERIFY ERROR: depth=0, error=unsupported certificate purpose: /C=IT/ST=Italy/O=Internet_Inc./CN=vpn1-3.irfoi.com/emailAddress=ufr@iseoi.com 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned 13:08 < epaphus> Apr 14 13:31:03 mailhost openvpn[17983]: 190.10.68.228:55924 TLS Error: TLS object -> incoming plaintext read error 13:08 < epaphus> sorry for the flood :( 13:12 < epaphus> suggestions..? 13:14 < krzee> Kyle5, thats how it works 13:14 < Kyle5> right.. i think im sort of getting this 13:14 < krzee> see !/30 as ecrist pasted to understand why, see !topology to see how to change it 13:14 < Kyle5> yeah, ive just picked it up 13:15 < Kyle5> ive no problem with the idea.. just want it to work! :) 13:18 < Kyle5> ive picked up the /30 business... but i think im still somewhat lost with the IP routing 13:23 < Kyle5> OK.. my client can now ping home by adding a routing entry.. but the server cannot ping the client.. i assume im missing a routing entry? 13:23 < ecrist> Kyle5: your error above leads me to believe they're not connected to the vpn 13:24 < Kyle5> ecrist: the vpn is there for sure, the client can ping the server by adding a route using the /30, but the server cannot ping the client 13:27 < Kyle5> OK.. I think thats sorted 13:27 < Kyle5> client and server can ping each other now 13:28 < Kyle5> however, in the example i used, there were some push settings to setup default routing... and i suspect im missing home? 13:28 < Kyle5> push "route 172.16.0.0 255.255.255.0" 13:28 < Kyle5> i just have that one 13:28 < Kyle5> do i need others? 
13:32 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 13:32 < ecrist> depends on your network 13:33 < Kyle5> OK 13:33 < fixxxermet> !howto 13:33 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:33 < fixxxermet> !route 13:33 < vpnHelper> fixxxermet: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:34 < dan__t> Ok... I'm still on track for doing closed beta on thursday 13:54 < fixxxermet> My client is getting "Linux route add command failed: shell command exited with error status: 7" when I start openvpn. http://pastebin.com/d750aa1c3 are my config files 13:58 < dan__t> Look at line 19 of client.conf 13:58 < dan__t> What's wrong with it? 13:58 < dan__t> And why are you pushing and pulling the same routes? 13:58 < dan__t> Either push, or pull. 13:58 < fixxxermet> ah. 13:58 < dan__t> Doing both can become mutually exclusive. 13:59 < fixxxermet> I don't know what is wrong with #19. 13:59 < fixxxermet> But removing #18 does allow me to connect 14:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 14:08 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 14:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:00 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 15:06 -!- Solver [n=robert@99.229.28.193] has quit [Read error: 110 (Connection timed out)] 15:13 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 15:21 < epaphus> now I regenerated all my certs.. keys , etc .. 
and i am getting this error.. anybody have suggestions? 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=IT/ST=Italy/L=Milan/O=Internet_Inc./CN=Internet_Inc/emailAddress=unix3@ijeoi.com 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed 15:21 < epaphus> Apr 14 15:19:30 arenas openvpn[6414]: TLS Error: TLS object -> incoming plaintext read error 15:28 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 15:33 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 15:36 < fixxxermet> I shouldn't need client-to-client if I have only 1 client, even if I want the server and client LANs to have full access to each other, right? 15:39 -!- Timpa88 [i=timpa2@c-441170d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 15:40 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:41 < Timpa88> !interface 15:41 < vpnHelper> Timpa88: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 15:41 < Timpa88> jahaja :P 15:41 < fixxxermet> So... Say my openvpn server is not also the firewall. Pinging a device on the client or server lan won't work because the device won't know where to send the reply back to, as it is on a different network. Which is why I would need to add a route on the gateway? 
15:42 < krzie> fixxxermet, for that you just need !route 15:42 < krzie> correct and correct 15:42 < fixxxermet> !route 15:42 < krzie> i explain all of that under the image in !route 15:42 < vpnHelper> fixxxermet: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:42 < krzie> but seems you either read it or understand already 15:42 < Timpa88> the firewall is like shorewall,iptables etc. 15:43 < fixxxermet> Problem is that our gateway / firewall is a dlink box, and doesn't let us mess with routes 15:43 < krzie> i give the other option there too 15:43 < krzie> the easy way is to add the route to the default gateway 15:43 < Timpa88> open a port range fixxxermet? 15:43 < krzie> the alternative is to add a route on every device in the lan 15:43 < fixxxermet> port range? 15:43 < krzie> (every device that needs communication over the firewall) 15:44 < fixxxermet> right 15:44 < krzie> Timpa88, his problem has nothing to do with ports 15:44 < Timpa88> ok sorry 15:44 < krzie> at least not this problem, i haven't scrolled up 15:44 < krzie> he just needs a route back to the vpn network on machines in the lan 15:44 < Timpa88> route add in command 15:44 < Timpa88> :) 15:44 < fixxxermet> My client is .8.10 and I can ping that from the server, .0.47. Curiously, I can also ping my printer, .8.47, though I can not ping any other devices. .8.47 actually replies. Let me check this gateway... 15:44 < krzie> easy way is to add it to their default gateway, but when that cant be done he could still add it to the individual devices 15:45 < Timpa88> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 15:45 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 15:45 < Timpa88> good site. 15:45 < krzie> fixxxermet, you are routing not bridging... right? 
15:45 < krzie> thanx =] i wrote that 15:45 < Timpa88> :D 15:45 < fixxxermet> Did you? 15:46 < krzie> sure did 15:46 < fixxxermet> Good one :) 15:46 < krzie> thanx 15:48 < Timpa88> damn, encrypted lvm is taking time to format :( 15:50 < krzie> OSx86 is being a serious pain in my ass too =[ 15:50 < krzie> HCL says my hardware should be fine, yet it seems to not be 15:50 < krzie> but i will get it working... oh yes i will 15:50 < Timpa88> hehe :D 15:50 < Timpa88> debian 5 x64 im using 15:50 < krzie> ahh werd 15:50 < krzie> my nix boxen are all fbsd 15:50 < Timpa88> ooh i see 15:51 < Timpa88> i dont understand the bsd yet :P 15:51 < krzie> although i do have a debian box in a virtual machine for playing with when i need to 15:51 < Timpa88> i'll get on that later in my life 15:51 < Timpa88> debian is pretty easy 15:51 < Timpa88> and thats what i want :) 15:51 < krzie> i must say i prefer gentoo to it 15:51 < krzie> but im still a BSD guy really 15:51 < krzie> i only startup linux when i really have to 15:51 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn 15:51 < Timpa88> ok :) 15:51 < Timpa88> hehehe 15:52 < Timpa88> you really like to configure all by yourself? :P 15:53 < krzie> in reference to gentoo or BSD? 15:55 < Timpa88> gentoo and bsd ... the same 15:55 < Timpa88> you still have to configure EVERYTHING :P 15:56 < krzie> very different, although tbh i like to use the minimal install when i setup BSD 15:56 < krzie> takes a little longer to setup that way, but at least it ONLY has what i want 15:56 < Timpa88> ok :D 15:56 < krzie> and if you do it right, a little longer in the beginning means a lot less work later 15:56 < Timpa88> maybe :) 15:56 < krzie> and i prefer to ONLY have what i need on each box 15:57 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 15:57 < Timpa88> Ok :) 15:58 * plaerzen dances the openvpn dance. 
15:58 < krzie> lol 15:58 < krzie> sup plaerzen 16:00 < Timpa88> hehehehe 16:11 < Timpa88> krzie: why does this chan have double # ? :P 16:11 < krzie> double # on freenode means it is not directly associated with the real project 16:12 < Timpa88> oh! i see 16:12 < krzie> meaning the people that run this channel are not part of the openvpn project 16:12 < Timpa88> Ok :) 16:12 < Timpa88> thanks for that info! 16:12 < krzie> np 16:17 < fixxxermet> If .0.47 is my server and .8.0/24 is my client, is route add -net 192.168.8.0 netmask 255.255.255.0 gw 192.168.0.47 the right command for a PC on the server lan? 16:17 < plaerzen> krzee, today is a dramatic day l. . . . . lay-off day *wince* 16:18 < plaerzen> lots of AD accounts to be disabled =s 16:18 < krzie> doh! 16:19 < krzie> fixxxermet sounds good to me 16:21 < fixxxermet> Well I'm trying to ping .0.2 from .8.10 (the client) - running tcpdump -i tun0 on .0.47 (the server) shows "17:19:40.487649 IP 10.8.0.6 > 192.168.0.2: ICMP echo request, id 26995, seq 174, length 64" - why 10.8.0.6 instead of 192.168.8.10 16:23 < fixxxermet> hmm 16:24 < fixxxermet> route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.47 on .0.2 worked 16:24 < fixxxermet> Now pings are responding 16:24 < fixxxermet> But why can't it see the actual IP, instead of the 10.8.0.0 ip? 16:24 -!- bandini [n=bandini@host34-106-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 16:25 < krzie> you mean why do packets flow over the vpn as 10.8.0.x? 16:25 < fixxxermet> yes sir 16:26 < krzie> because of how the kernel handles it 16:26 < krzie> its headed through that interface, so it uses the src ip of it 16:26 < krzie> much more often than not thats how youd want it in other situations 16:27 < fixxxermet> Not how I want it in this case 16:31 < krzie> *shrug* why not? 
16:31 < fixxxermet> Well it looks like I can still ping each LAN's respective private IPs, so I guess it doesn't matter 16:32 < krzie> exactly 16:32 < fixxxermet> great 16:47 < krzie> sounds like you did all the reading... 16:48 < krzie> if you like you can post your configs without comments on pastebin and ill tell you if theres anything you can do for added security 16:48 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 16:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:13 -!- bandini [n=bandini@host34-106-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:19 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit] 17:22 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 17:22 < Dougy[Home]> KRZEE !! :D 17:22 -!- Timpa88 [i=timpa2@c-441170d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 17:30 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 17:30 < epaphus> Hey guys, I see there is an option for pass auth aside from SSL.... how exactly is the user prompted for a password? 17:36 < krzie> !factoids search auth 17:36 < vpnHelper> krzie: 'tls-auth' and 'authpass' 17:36 < krzie> !authpass 17:36 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 17:39 < dan__t> So... am I always going to have one tun0 device on the server regardless of how many clients I have connecting? 17:41 < krzie> correct, if you use --server 17:46 < dan__t> Opposed to what? 
17:46 < krzie> point to point 17:47 < epaphus> krzie, if I use the client and setup the second NIC so that other users can connect to the internet by placing the vpn client as their default gateway... that means that the auth options wont apply to them.. because the connection would already be made.. right? 17:49 < krzie> it wont apply to anyone until you restart the server 17:49 < krzie> then it will apply to them when they reconnect 17:50 < krzie> but the lan behind the client wont need to auth 17:50 < krzie> they just need the route, which happens after the client auths 17:50 < epaphus> right, the lan isnt really authing.. got it 17:50 < krzie> nah the lan is using a route, nothing to do with openvpn 17:50 < krzie> just happens to be a route that goes over openvpn 17:51 < epaphus> got it 17:51 < dan__t> Got it. 17:52 < dan__t> Cool, ccd scripts are almost done. 17:52 < dan__t> pulls routes from sql etc etc. 17:52 < krzie> --up can go in a ccd? 17:52 < dan__t> what 17:53 < dan__t> no, using client-connect to run a shell script that generates the ccd on the fly 17:53 < krzie> oh ok 17:53 < krzie> so not ccd, gotchya 17:53 < dan__t> Well, sorta. 17:53 < dan__t> client-connect script generates the ccd 17:53 < krzie> i knew that, but forgot 17:53 < krzie> umm no 17:54 < dan__t> Go on. 17:54 < krzie> it is preferred by openvpn over ccd 17:54 < dan__t> what is 17:54 < krzie> it doesnt need to generate anything 17:54 < krzie> !iporder 17:54 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 17:54 < dan__t> oh er wait client-connect can write to that temp file argument....... 17:55 < dan__t> right? 
17:55 < dan__t> I'm trying to send routes to the client. 17:55 < krzie> i believe you can do everything you want from the client-connect script, 17:55 < dan__t> That's all I want to use ccd shit for. 17:55 < dan__t> yeah 17:55 < krzie> without making it setup ccd/ entries 17:55 < dan__t> but I need to write output to the temp file that client-connect sends as argv[1] 17:56 < krzie> werd, i guess you have more experience with --client-connect than me, so i should listen to ya =] 17:56 < dan__t> Yeah: If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1. 17:56 < dan__t> awesome, I can skip ccd altogether 17:56 < krzie> right, thats what i thought 17:56 < dan__t> i need to go take a shower, back in a few. 17:56 < krzie> cool 17:56 < dan__t> yeah from in there I can push "route 1.2.3.4 255.255.255.255" etc etc 17:59 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"] 18:00 < Dougy[Home]> krzie 18:00 < Dougy[Home]> krzie 18:00 < Dougy[Home]> krzie 18:00 < krzie> dougy 18:00 < krzie> dougy 18:00 < krzie> dougy 18:00 < Dougy[Home]> I got my xeon server 18:00 < Dougy[Home]> =[ 18:00 < Dougy[Home]> =]* 18:00 < Dougy[Home]> http://www.upload3r.com/serve/140409/1239746625.jpg 18:02 < krzie> sweet 18:02 < krzie> tell it i said hi 18:02 < Dougy[Home]> haha 18:02 < Dougy[Home]> its fans got a bit louder 18:03 < krzie> but who cares how loud server fans are 18:03 < krzie> they go in datacenters full of them 18:04 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"] 18:04 < Dougy[Home]> lol 18:04 < Dougy[Home]> nono 18:04 < Dougy[Home]> when i told it you said hi 18:04 < Dougy[Home]> its fans got louder 18:06 < krzie> ohhh, lol 18:06 < Dougy[Home]> haha 18:14 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 18:15 < Timpa88> krzie: u there ? 
18:15 < krzie> i am 18:16 < Dougy[Home]> when aint he 18:16 < Dougy[Home]> the fool lives here 18:16 < krzie> lol, i'd argue if i had a legit argument to make 18:16 < Dougy[Home]> ahahaa 18:16 < Dougy[Home]> hmm 18:16 < Dougy[Home]> krzie: i got another server today 18:16 < Dougy[Home]> for $26 18:16 < Dougy[Home]> 2 hotswap again 18:17 < Timpa88> krzie: have you used "mydns" sometime? 18:17 < krzie> negative 18:17 < Timpa88> Ok 18:17 < Timpa88> anyone in here that has used mydns? 18:17 < krzie> i use bind 18:17 < Timpa88> i prefer that 18:17 < Timpa88> but 18:17 < Timpa88> im using ISPConfig now, and it should use MyDNS 18:17 < Timpa88> but i f*cking can't use my local ip as dns server like 192.168.0.1 18:17 < Timpa88> "unknown hosts" 18:18 < krzie> *shrug* 18:18 < krzie> i dont use web gui's 18:18 < Timpa88> :D 18:24 < Dougy[Home]> krzie: u r baller 18:29 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 18:42 < krzie> hey ecrist, you here? 18:43 < Dougy[Home]> ecrist ecrist ecrist ecrist ecrist ecrist ecrist ecrist 18:43 * Dougy[Home] is stress testing the hell out of his Xeons 18:50 < Dougy[Home]> ugh 18:50 < Dougy[Home]> huckleberry finn 18:52 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 19:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:39 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 19:55 -!- troy- is now known as troy 20:02 < troy> krzie, you around? 
20:06 < krzee> sure 20:06 < krzee> kinda 20:06 < krzee> bout to start a game of dominoes 20:09 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)] 20:10 < Timpa88> FINALLY 20:10 < Timpa88> my server is up n running 20:10 < Timpa88> :D 20:11 < Timpa88> Just have to configure the mailserver, but i think i will do that tomorrow maybe... 20:11 < Timpa88> :) 20:18 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:20 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit] 20:20 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:43 -!- k0pp [n=k0pp@c-75-71-208-249.hsd1.co.comcast.net] has joined ##openvpn 20:52 -!- scwang [n=scwang@123.118.126.119] has joined ##openvpn 21:00 -!- scwang [n=scwang@123.118.126.119] has left ##openvpn ["Leaving"] 21:05 -!- k0pp [n=k0pp@c-75-71-208-249.hsd1.co.comcast.net] has quit [Remote closed the connection] 21:08 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 21:20 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 21:49 < Kobaz> theDoc: using the wrong authentication method? 21:50 < Kobaz> er 22:00 < theDoc> huh? 22:03 < Kobaz> wrong channel 23:46 < reiffert> haha, Kobaz demonstrates his ability to read. 23:47 < reiffert> once again. 
23:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Apr 15 2009
00:06 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:34 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
01:12 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn
01:13 < tjz> !redirect
01:13 < vpnHelper> tjz: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and
01:13 < vpnHelper> tjz: !ipforward)
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has joined ##openvpn
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has left ##openvpn []
01:33 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has joined ##openvpn
02:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:27 < krzee> Germany++
04:27 < krzee> http://salem-news.com/articles/january112008/cancer_treatment_11008.php
04:27 < vpnHelper> Title: Breakthrough Discovered in Medical Marijuana Cancer Treatment - Salem-News.Com (at salem-news.com)
04:47 < c64zottel> hello, when creating a CA via openssl, is it possible to enter the PEM pass phrase over cli?
05:02 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
05:04 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
05:09 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
05:25 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:06 < sirus> Hrmm I guess im going to need a proxy server for my IM
06:06 < sirus> openvpn doesn't seem to work for that
06:06 < sirus> :(
06:10 < Bushmills> sirus, openvpn gives you a transport, not a caching mechanism
06:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:11 < Bushmills> but using IM over openvpn without proxy is entirely possible
06:12 < Bushmills> i suppose your problem is either:
06:12 < Bushmills> !route
06:12 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:12 < Bushmills> or restrictive remote
06:14 < krzee> hey bush
06:15 < krzee> you happen to have windows there?
06:25 < Bushmills> yes. one in the kitchen, two in the living room
06:25 < Bushmills> i can see that it is a sunny day
06:25 < reiffert> :)
06:34 < krzee> haha
06:34 < krzee> nevermind
06:34 < krzee> found a friend on aim running windows
06:34 < Bushmills> http://forthfreak.net/snap/windows.png
06:35 < Bushmills> reiffert, interesting for you might be the contents of the jar, bottom left
06:35 < Bushmills> just made a new lemon wine starter
06:37 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn
06:38 < Bushmills> krzee, you can talk to windows AIM clients from non-windows machines, no need to run windows yourself.
06:41 < [4-tea-2]> Howdy. I'm routing a /28 over OpenVPN to my home. That includes an IP address for my laptop. I would like to establish a second OpenVPN only for the laptop's IP when I'm on the road.
06:41 < krzee> Bushmills, i needed someone running windows, i found him on aim
06:42 < [4-tea-2]> I'm having a hard time figuring out how to fix the routing when the second OpenVPN is running. I think I need routing protocol daemons everywhere, right?
06:43 < Bushmills> [4-tea-2], maybe use a different user to login, with a different openvpn key when on the road, so a different ip address is assigned to laptop when on the road
06:43 < sirus> Bushmills: well im at work I can seem to connect everywhere else accept aol I use openvpn and I have where the openvpn is the default gateway do I need to push a manual route?
06:43 < krzee> for the laptop just set it up with a VPN ip and NAT it
06:45 < sirus> Bushmills: the PF firewall is alloing all traffic comming from the vpn to the outside world on protocols tcp, udp, icmp
06:46 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has quit [Remote closed the connection]
06:46 < Bushmills> sirus, no idea what the problem is, but be assured that openvpn doesn't filter aim connection
06:46 * Bushmills would point at AOL
06:47 < sirus> hrmm
06:47 < sirus> anywhere else I can connect
06:47 < sirus> just not at work
06:47 < sirus> so I will need a proxy perhaps?
06:47 < Bushmills> sirus, try jabber
06:47 < [4-tea-2]> krzee: NAT seems to be the cheapest solution... I need to use two NAT rules, one for my /28, one for the rest of the world, would you agree?
06:48 < sirus> Bushmills: well I could use meebo but my pidgin client connects to msn,yahoo,icq etc wanna see if I can get aol in to
06:48 < Bushmills> sirus, but - well - AIM and ICQ are in terms of protocol identical, and i know that ICQ works over openvpn, no extra steps needed
06:48 < [4-tea-2]> krzee: since for my /28, the NATted connections should be coming from the server's OpenVPN-tunnel-IP, while for the rest of the world they need to be coming from the server's real IP?
06:49 < sirus> e world on protocols tcp, udp, icmp
06:49 < sirus> 07:46 -!- coChosh9 [i=coChosh9@gateway/tor/x-7141d404162f1fe6] has quit [Remote closed the connection]
06:49 < krzee> [4-tea-2], you already have the first tunnel setup, right?
06:49 < sirus> 07:46 < Bushmills> sirus, no idea what the problem is, but be assured that openvpn doesn't filter aim connection
06:49 < sirus> 07:46 * Bushmills would point at AOL
06:49 < sirus> 07:46 < sirus> hrmm
06:49 < sirus> 07:47 < sirus> anywhere else I can connect
06:49 < sirus> 07:47 < sirus> just not at work
06:49 < krzee> sirus, wtf
06:49 < sirus> err
06:49 < sirus> mouse error
06:49 < krzee> hehe werd
06:49 < sirus> Lost connection with server:
06:49 < sirus> Connection interrupted by other software on your computer.
06:49 < sirus> lol
06:49 < [4-tea-2]> krzee: yes, OpenVPN on $server is routing my /28 and I've been using that for a while.
06:50 < sirus> I have no other software :(
06:50 < krzee> [4-tea-2], is the ip you want laptop to come from on an interface on $server?
06:51 < [4-tea-2]> krzee: I think we have to talk about two ips there, because the laptop needs to talk to a) my /28 net and b) the rest of the world.
06:51 < krzee> ahh
06:52 < krzee> well how bout this...
06:52 < [4-tea-2]> krzee: the ip for a) would be the rfc1918 address I'm using within the first OpenVPN tunnel
06:52 < krzee> why does it even need to connect to a different VPN?
06:52 < [4-tea-2]> krzee: the ip for b) would be the server's "real" ip.
06:52 < krzee> or are the ip
06:52 < [4-tea-2]> krzee: is there another way?
06:52 < krzee> or are the ip's being handed out as is, no nat
06:52 < krzee> ?
06:52 < krzee> sure theres another way, you hand out VPN ips and nat each one to the ip you want them on
06:53 < [4-tea-2]> My /28 uses non-1918 routed IP addresses, I hope that answers that question?
06:53 < krzee> then you can have unlimited users on whichever IPs you say
06:53 < krzee> yes, that answers is
06:53 < krzee> back to this:
06:53 < krzee> [07:51] <[4-tea-2]> krzee: I think we have to talk about two ips there, because the laptop needs to talk to a) my /28 net and b) the rest of the world.
06:53 < krzee> so you push a route to the /28 to the client
06:53 < krzee> and you push a route to them for the second vpn 1918 ips
06:54 < Bushmills> [4-tea-2], maybe DNATting the laptop ip address from server to a laptop rfc1918 address, rather than bridging it, is an option.
06:54 < ecrist> good morning, peeps
06:54 < ecrist> Dougy: what's up?
06:54 < krzee> Bushmills, he was never thinking of bridging i dont think
06:54 < krzee> ecrist, he was just doing that cause i asked if you were around
06:54 < ecrist> ah
06:54 < krzee> i found a home for that pc taking up basement space
06:55 < ecrist> ah
06:55 < ecrist> the tower?
06:55 < krzee> yup
06:55 < Bushmills> oh. my mistake, i thought i had picked up "bridge" somewhere
06:55 < krzee> and sorry i been slacking on having you boot the other box, i been working a ton and my spare time has been spent on my osx86 box lately
06:55 < krzee> but im confident ill have that sucker done one of these days!
06:56 < ecrist> oh, doesn't really bother me either way, it's just sitting down there
06:56 < krzee> (hopefully today since my 1.5 seagates get back here today
06:56 < Bushmills> see what lack of coffee can do to a man
06:57 < [4-tea-2]> krzee, Bushmills: thanks for your advice, I think I'm beginning to wrap my head around it, I'll try the nat setup and get back to you.
06:57 < krzee> yw =]
06:58 < Bushmills> gl
06:58 -!- Wachert [n=wachert@p3EE2D5A5.dip.t-dialin.net] has joined ##openvpn
07:01 < ecrist> krzee: my first shot, first target on the range yesterday (first of the day, not ever) http://www.secure-computing.net/files/04142009_bullseye.jpeg
07:03 < krzee> thats badass
07:03 < krzee> except that it says you were shooting a 22
07:03 < krzee> who you gunna stop with that? lil old women?
07:03 < krzee> ;)
07:03 < ecrist> model, not calibre
07:03 < krzee> ohhh
07:04 < ecrist> glock 22 is a .40
07:04 < krzee> doh, my bad
07:04 < krzee> that'll stop some shit
07:04 < ecrist> :D
07:07 < ecrist> http://www.secure-computing.net/files/04142009_40rnds.jpeg is 40 rounds, same day
07:08 -!- nemysis [n=nemysis@108-90.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:10 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has joined ##openvpn
07:10 < krzee> what distance?
07:10 < ecrist> 7 yards
07:10 < krzee> werd
07:11 < ecrist> would be bad-ass if I could do that at 15 yards
07:14 < [4-tea-2]> Do I understand correctly that OpenVPN is able to push/remove a route for vpn_2 to an already established vpn_1?
07:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:14 < ecrist> yes
07:14 < ecrist> you use iroute statements to define routes reachable on other clients
07:14 < ecrist> see here:
07:14 < ecrist> !route
07:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:15 < [4-tea-2]> Yeah, that's where I got that idea from. :D
07:15 < [4-tea-2]> I'm thinking about setting up a host route on every machine in my /28 for my laptop, pointing to my local router (= OpenVPN client).
07:17 < [4-tea-2]> If my laptop is at home, it will talk to all other machines locally using the router, if I'm on the road and the second vpn is established, the router would than, thanks to OpenVPN's extra route, forward all traffic through the OpenVPN connections.
07:17 < [4-tea-2]> I think I like that better than the NAT solution we talked about a couple of minutes ago.
07:19 < [4-tea-2]> But that would only work if my local router (endpoint of vpn_1) would actually get to know when vpn_2 is established or disconnected. I'm not sure I see where/how that's happening.
07:26 < [4-tea-2]> Nah, I guess I misunderstood, iroute seems to be... static.
07:27 < krzee> [08:14] you use iroute statements to define routes reachable on other clients
07:27 < krzee> thats actually not true eric
07:27 < ecrist> o.O
07:27 < krzee> it CAN be true, but by itself isnt
07:28 < ecrist> well, it's 1/2 true
07:28 < ecrist> you still need the route statement in the server config
07:28 < krzee> you use iroute to notify openvpn to handle routing when the kernel points to openvpn but openvpn itself doesnt know which client to send the traffic to
07:28 < krzee> without client-to-client it has nothing to do with other clients accessing said lan
07:29 < krzee> ya the route command tells kernel about the route, then iroute tells openvpn which client to associate it with
07:31 < krzee> oh dude, i read that as 'reachable by other clients' i think you meant the same thing as me
07:31 < krzee> i think you did mean lans behind the clients
07:31 < ecrist> that's what i meant...
07:31 < krzee> bleh i shouldnt try to correct people at 8:30 am
07:31 < ecrist> lol
07:32 < ecrist> s/people/eric/ && s/at 8:30 am/ever/
07:32 < ecrist> :P
07:32 < krzee> lol
07:32 < krzee> and thats the late version of 8:30am not the early one
07:33 < ecrist> eew
07:34 < [4-tea-2]> Looks like I'm picking up my first idea, using a routing daemon. If nothing else, I might learn something.
07:34 < krzee> *shrug* the NAT sounds 1000x easier
07:35 < krzee> but gl to ya
07:37 < [4-tea-2]> krzee: NAT would result in more work down the road, and existing services in my local net wouldn't work unless they were all told about the new IP.
07:37 < krzee> by 'local net' you mean the /28?
07:38 < krzee> or a lan you current push a route to that you didnt mention
07:38 < [4-tea-2]> krzee: also, I would open local services in the local net, yes, the /28, to other users on the OpenVPN server.
07:38 < krzee> to give them the route, you just add a push route to the server
07:39 < krzee> push "route vpn_network netmask"
07:39 < krzee> i have no idea what that last line meant
07:39 < [4-tea-2]> Sorry, misunderstanding, I think. If I use NAT, not only the laptop, but also the OpenVPN server itself would be able to talk to my local services. I don't want that.
07:40 < krzee> local services as in services on what machines?
07:40 < [4-tea-2]> Let's say my local NFS.
07:40 < krzee> local NFS is what/where
07:40 < krzee> a vpn client? a machine on a lan behind a vpn client?
07:40 < [4-tea-2]> The server is at home in my /28.
07:41 < krzee> and it gets its IP from connecting to the vpn server?
07:41 < [4-tea-2]> The /28 is routed to the vpn server and forwarded to my home via the OpenVPN connection.
07:42 < krzee> why would that open anything up that is not currently opened up?
07:42 < krzee> you just nat traffic thats NOT headed for certain IPs
07:42 < krzee> and pass the traffic that is
07:43 < krzee> but werd
07:43 < krzee> do what feels best for you
07:43 < [4-tea-2]> If I use NAT, all incoming connections from the notebook get the natted ip, which is the ip of the vpn server - wrong?
07:43 < krzee> doesnt have to be all
07:43 < krzee> depends on your rules
07:43 < krzee> (your rules in the firewall that does the NAT)
07:44 < krzee> it'll do whatever you tell it to ;]
07:45 < [4-tea-2]> Well, let's say ip addresses are limited resources and I can't have any more non-rfc1918 addresses than I already got: one for the vpn server, and the /28 for the lan behind the vpn server.
07:46 < [4-tea-2]> If I don't reuse the existing address for the laptop from the /28, and I can't get a new address, the natted connections need to use an existing address, which is the one of the vpn server?
07:46 < [4-tea-2]> My brain hurts.
07:46 < krzee> mine too and i havnt slept
07:46 < [4-tea-2]> Are you the brain doctor?
07:47 < krzee> im gunna try to get this usb stick bootable, get osx86 installing and crash out
07:47 < krzee> sorry to run on you
07:47 < krzee> but ill prolly end up confusing both of us more than help right now
07:47 < [4-tea-2]> I'm gonna revive my ancient knowledge of RIP and see if I end up doing NAT after all. :D
07:52 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:59 -!- kyrix [n=ashley@mail.ic-vienna.at] has joined ##openvpn
08:03 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has joined ##openvpn
08:03 < Drarok_> Afternoon!
08:03 < ecrist> Morning!
08:04 -!- troy is now known as troy-
08:04 < Drarok_> Quick question: Do I have to use OpenVPN at the client end? Ie: I can't use Windows built-in VPN like pptp?
08:04 < Bushmills> you can't
08:04 < Bushmills> i.e. you have to
08:05 < ecrist> Drarok_: OpenVPN is it's own protocol. it's different than pptp and cisco SSL vpn
08:05 < Drarok_> Ah, thought so. Fair enough.
08:05 < ecrist> it's still an ssl vpn, but different.
08:06 < theDoc> Is there a comparison chart somewhere on the different vpn implementations?
08:06 < ecrist> not one I'm aware of
08:06 < Drarok_> Planning to use it at work, as our so-called router says it supports VPN, but in actual fact doesn't. If we have to install it on the clients, no big deal, but I couldn't find definitive info. Thanks. :)
08:06 < theDoc> Drarok_: Depends on which router.
08:07 < ecrist> a lot of routers are coming out with built-in vpn support, including comcast's business gateways
08:07 < theDoc> I don't think there's an industry standard wide implementation for vpns like they do for routing protocols.
08:07 < ecrist> they tend to support pptp vpns
08:07 < ecrist> s/routers/consumer routers/
08:08 < theDoc> ecrist: There isn't a way to mix and match the different vpn implementations yet is there?
08:08 < ecrist> no
08:08 < ecrist> don't think there ever will be
08:09 < ecrist> there are client packages that support multiple vpn types, but that's it
08:10 < theDoc> ecrist: That's a bummer. Hopefully the newer OS's will integrate the different protocols used for pptp, openvpn, cisco
08:12 < ecrist> ah, cisco is proprietary, and only give certain people access to their client software (cco login required)
08:12 < ecrist> openvpn would be a good one to support, however
08:12 < theDoc> ecrist: Yes, that'll be a bummer though, since if I have clients whom move between openvpn implementations and Cisco vpn
08:13 < ecrist> the problem isn't so much the actual encryption of the traffic, they all use standard encryption methods
08:13 < ecrist> it's the featuresets that come along with them
08:13 < theDoc> ecrist: I'm not sure why I can't setup an openvpn tunnel from the Windows stuff.
08:13 < theDoc> Is that a protocol difference?
08:13 < theDoc> That doesn't seem like a feature set issue.
08:13 < ecrist> widnows stuff is PPTP
08:14 < ecrist> you need the openvpn client
08:14 < theDoc> Ah, ok.
08:14 < ecrist> which is SSL
08:14 < krzee> !notcompat
08:14 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
08:14 < theDoc> Oh, figures.
08:24 -!- Wachert [n=wachert@p3EE2D5A5.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"]
08:29 < Drarok_> Hmmm
08:29 < Drarok_> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=22]
08:30 < theDoc> Drarok_: Upgrade to 2.1rc15 for your client.
08:31 < Drarok_> Win Fista incompatibility?
08:33 < theDoc> Yes.
08:37 < Drarok_> Seems I have to start it from an elevated command prompt, but pinging works :)
08:40 < theDoc> Drarok_: Yes, that's right.
08:41 < theDoc> Because to insert a route into the routing table, they need admin access.
08:47 < Drarok_> Aye, seems to work in the GUI (now I put the configs in the right place...)
08:47 < Drarok_> That damn "Compatibility Files" thing sucks
08:48 < Drarok_> Thanks guys, see you later :)
08:48 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has left ##openvpn []
08:54 -!- kyrix [n=ashley@mail.ic-vienna.at] has quit ["Leaving"]
09:08 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
09:15 -!- Kevin`_ [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn
09:17 -!- Kevin` [n=kevin@etmalec.net] has quit ["hai"]
09:17 -!- Kevin`_ is now known as Kevin`
09:25 -!- KaiForce_ [n=chatzill@170.225.31.132] has joined ##openvpn
09:26 -!- KaiForce_ [n=chatzill@170.225.31.132] has quit [Remote closed the connection]
09:27 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)]
09:33 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
09:34 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 104 (Connection reset by peer)]
09:37 -!- unix3_ is now known as epaphus
10:02 -!- troy- is now known as troy
10:15 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
10:15 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
10:23 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
10:35 < epaphus> !iroute
10:35 < vpnHelper> epaphus: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
10:36 < epaphus> !search route
10:36 < vpnHelper> epaphus: There were no matching configuration variables.
10:36 < plaerzen> !ecrist
10:36 < vpnHelper> plaerzen: Error: "ecrist" is not a valid command.
10:36 < ecrist> ?
10:36 < epaphus> !search ccd
10:36 < vpnHelper> epaphus: There were no matching configuration variables.
10:36 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
10:36 < epaphus> how do I pull the info of ccd.. ? :)
10:36 < epaphus> routes withing ccds
10:37 < ecrist> !ccd
10:37 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
10:39 < epaphus> !route
10:39 < vpnHelper> epaphus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:39 -!- theDoc_ [n=andelyx@208.99.194.194] has joined ##openvpn
10:44 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:46 < plaerzen> I just like it when people say my name
10:50 -!- RUS [n=Mirc@mcc-dyn-19-152.kosnet.ru] has joined ##openvpn
10:53 < epaphus> I have read the wiki... but Iam honestly confused and need a little "push" ... my configuration is simpler. I have a client who has a lan behind it (192.168.2.0) it needs to be able to access the VPN. Thats the only LAN in the picture.
10:54 < epaphus> It is my understanding I add.. push "route 192.168.2.0 255.255.255.0" .. and also I would still need an iroute in the ccd of the clients common name?
10:54 < epaphus> iroute 192.168.2.0 255.255.255.0
10:54 < epaphus> Can somebody please confirm this.. I honestly am not understanding this..
10:55 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
10:57 < epaphus> btw.. my client is configured with TWO nics.. one for the internet (ext_if) and the other for the LAN (int_if) . There is a NAT so that the int_if can access the internet via the ext_if already
10:59 -!- theDoc_ [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
11:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:03 < [4-tea-2]> Can I tell OpenVPN to only set up a route AFTER the vpn connection has been established?
11:04 -!- RUS2590 [n=Mirc@mail2.ecomsupplier.com] has joined ##openvpn
11:04 < RUS2590> hi anybody
11:11 < dan__t> Hi.
11:12 < dan__t> What makes you think that a route would work BEFORE the connection was established, [4-tea-2]?
11:12 -!- RUS [n=Mirc@mcc-dyn-19-152.kosnet.ru] has quit [Read error: 110 (Connection timed out)]
11:12 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
11:13 < funky> hello people
11:13 < funky> is it relatively trivial to add AD (or ldap) authentication to openvpn ?
11:13 < funky> do I need a specific version to achieve it?
11:14 < dan__t> I think you need a plugin for that.
11:14 < dan__t> http://code.google.com/p/openvpn-auth-ldap/
11:14 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com)
11:15 < funky> thank you, I'm gonna read a bit
11:15 < epaphus> anybody can help me..? on the previous question
11:16 < dan__t> I cannot.
11:16 < dan__t> I've never done that before.
11:19 < funky> dan__t: do you know if this plugin works with AD ?
11:19 < dan__t> I do not know, I've never used it.
11:19 < dan__t> I'd say give it a shot.
11:19 < funky> ok
11:19 < dan__t> I'm not too familiar with AD, either.
11:19 < dan__t> And how "LDAP compatible" it is in that regard
11:19 < funky> yup, me neither
11:20 < dan__t> I thought you could just speak LDAP with AD but I may just be completely retarded.
11:23 < funky> you should, but I just wanted to make it sure
11:25 < [4-tea-2]> dan__t: I don't think it works, but it's there even when there's no vpn connection established, and that's bad (in my special case).
11:25 < funky> Tested against OpenLDAP, the plugin will authenticate against any LDAP server that supports LDAP simple binds -- including Active Directory.
11:25 < funky> FYI
11:26 < dan__t> There's your answer.
11:29 < funky> yup
11:29 < funky> thanks for the info
11:29 < [4-tea-2]> I can't find anything in the manual indicating that it's possible to raise a route only when the connection is active. Yet another plan spoiled. :D
11:32 < [4-tea-2]> All I want is the same fixed address on my laptop, no matter how it's connected, seems so simple, yet I can't wrap my head around it.
11:38 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
11:38 -!- RUS2590 [n=Mirc@mail2.ecomsupplier.com] has quit [Read error: 110 (Connection timed out)]
11:58 -!- epaphus [n=unix3@213.159.9.15] has joined ##openvpn
12:13 < Bushmills> [4-tea-2], i use DNAT on server, to address translate incoming packets through VPN to portable client
12:13 < dan__t> So client-connect will pass a temp file in the form of $1, ok, I got it.
12:13 < Bushmills> though i think somebody here should have a better solution. though it works for me.
12:13 < dan__t> What path is that relative to?
12:15 < [4-tea-2]> Bushmills: I have three different cases... connected to local FE (no VPN), connected to local Wlan (VPN to local server), and connected elsewhere (VPN to remote server). And my brain hurts.
12:15 < dan__t> --tmp-dir
12:15 < dan__t> got it
12:16 < Bushmills> [4-tea-2], if routing runs danger to get messy, you can still ip alias the NIC to multiple ip addresses, and route them differently
12:18 < [4-tea-2]> Bushmills: then my laptop would use up three addresses of my /28? That's expensive, but, yes, I could do that. I'm kinda disappointed that I'm too stupid to do it with only one address, though.
12:18 < Bushmills> [4-tea-2], i don't see the need for three addresses from your /28, because i think that in at least two instances you can use RFC1918 addresses 12:19 < Bushmills> but as you know our setup requirements better than I do, I can't really judge on that. I merely think, one public ip address ought to be enough 12:19 < Bushmills> s/our/your/ 12:21 < Bushmills> such as, why should your portable use one of your /28 addresses (from the remote server) to appear as on your LAN 12:22 < [4-tea-2]> Because then I could use my local services as if it were on my LAN. That's exactly the point. ;) 12:22 < Bushmills> is useless for routing too the portable anyway, because packets sent to that address will go to the server anyway, and not to gateway at LAN 12:23 -!- kraut [i=kraut@blackhole.netzdeponie.de] has left ##openvpn [] 12:23 < Bushmills> no matter how you are connected to the net, packets sent to one public ip address are always routed to one and the same NIC anyway 12:24 < Bushmills> and there you can, if you choose to, decide to send them somewhere else to. such as, to your portable. 12:24 < [4-tea-2]> I kinda lost you somewhere. 12:25 < Bushmills> therefore i am a bit confused why you would want to use ip addresses from your /28 for all possibilities to connect to the net 12:25 < [4-tea-2]> Bushmills: because I'd like my laptop to appear to be on the local lan at all times. 12:26 < Bushmills> [4-tea-2], assume you are owner of ip block a.b.c.0/24. 12:26 < Bushmills> now i ping a.b.c.x 12:26 < Bushmills> where does the ping go to? 12:26 < [4-tea-2]> To my remote VPN server. 12:26 < [4-tea-2]> via VPN to a.b.c.x 12:26 < Bushmills> right. now you connect your notebook to the net through a different gateway. and i ping again. 12:27 < Bushmills> where will the ping go to now? 12:27 < [4-tea-2]> In a perfect world: remote VPN server -> local gateway/VPN server -> notebook 12:27 < Bushmills> it will arrive at the same remote vpn server 12:28 < [4-tea-2]> Yeah. 
And that one should know where to send it... dynamically. But it seems I can only tell it statically. 12:28 < Bushmills> that's why i am confused about you thinking of using your a.b.c.0/24 addresses to connect to different networks 12:28 < [4-tea-2]> ...or I use a routing daemon and I can't figure out how OpenVPN und ripd would interact. 12:28 < Bushmills> packets will still go to the same vpn server first 12:28 < [4-tea-2]> Bushmills: that's what I want to use OpenVPN for, that's what it's main use is, isn't? 12:29 < Bushmills> and to route them from there to your notebook, you don't need a routing daemon 12:29 -!- epaphus [n=unix3@213.159.9.15] has quit [Connection timed out] 12:29 < Bushmills> yes. what i do for that purpose is, i configured a DNAT rule on the remote server 12:30 < Bushmills> (i think i mentioned that twice already) 12:30 < Bushmills> remote server runs linux 12:30 < [4-tea-2]> Yeah, but I fail to understand how that would help me, though I start to suspect that's entirely my fault. 12:30 < Bushmills> DNAT is specific to iptables which is specific to Linux 12:31 < [4-tea-2]> iptables is my friend. 12:31 < Bushmills> then consider to look at DNAT if there aren't any better suggestions from this channel 12:31 < [4-tea-2]> Bushmills: if I understand you correctly, how would desktop.mynet reach laptop.mynet? 12:32 < Bushmills> i think you could use a bridging config on the server, but that's not my own experience 12:32 < [4-tea-2]> Bushmills: desktop.mynet believes that laptop.mynet is a machine on the local network unless a host route tells it otherwise. 12:33 < [4-tea-2]> Bushmills: that host route would have to be set up ONLY when laptop.mynet has a VPN connection to the VPN server. And that seems to be my problem. 12:33 < Bushmills> remote server is where packets to your /28 go to. 
that server masquerades incoming packets to one of those addresses and sends it to the RFC1918 address your notebook uses, of your vpn address space 12:34 < [4-tea-2]> Bushmills: remote server is where packets from the outside go. I'm asking about packets from the inside now. 12:34 < Bushmills> [4-tea-2], why? if notebook is offline, it doesn't really matter whether it is routed or not. packets won't arrive at notebook anyway 12:35 < Bushmills> packets from inside to world? what does your /28 have to do with that? 12:35 < [4-tea-2]> Bushmills: the notebook isn't offline. It might be connected to the local wlan ap or to wlan ap anywhere in the world, and it should still (thanks to OpenVPN) get its traffic routed. I can make this work statically, no problem. But I can't make this in a way that it adapts automagically to where the laptop currently is. 12:36 < Bushmills> i think i lost you 12:36 < Bushmills> an address of your /28 on your notebook is relevant for incoming packets, but not for outgoing packets 12:39 < Bushmills> probably all you need is using the remote vpn server as gateway, and set up nat there. 12:40 < [4-tea-2]> Bushmills: actually, I got that already running. ;) 12:40 < Bushmills> one single ip address on remote server is enough for that 12:40 < Bushmills> so what's the problem then? 12:40 -!- benedictus [n=chatzill@150.159-244-81.adsl-dyn.isp.belgacom.be] has joined ##openvpn 12:42 < [4-tea-2]> Bushmills: ping notebook.mynet only works from ping desktop.mynet when the notebook is connected locally by wire. 12:42 < [4-tea-2]> As I said before: 12:42 < [4-tea-2]> All I want is the same fixed address on my laptop, no matter how it's connected, seems so simple, yet I can't wrap my head around it. 12:43 < Bushmills> your notebook has one same fixed address: 127.0.0.1 :D 12:43 < [4-tea-2]> If only for scientific curiosity, I don't want give up yet on finding out whether it's possible. 
I realize there are plenty of other ways that would achieve something similar.
12:45 -!- benedictus [n=chatzill@150.159-244-81.adsl-dyn.isp.belgacom.be] has quit [Client Quit]
12:45 < [4-tea-2]> Someone just told me to use "tinc", that supports something called "Automatic full mesh routing"... I wonder if that's all I'm looking for.
12:49 -!- funky [n=repulse@unaffiliated/funky] has quit [Read error: 60 (Operation timed out)]
12:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:55 -!- troy is now known as troy-
12:56 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
13:12 < epaphus> hmmm
13:28 -!- Drarok_ [n=drarok@imma.chargin.mah.laser.drarok.com] has joined ##openvpn
13:28 < Drarok_> Evening team. It appears I need ip forwarding, or potentially a different bridging method...
13:29 < Drarok_> Server is running at 10.8.0.0/24, internal network is a 192.168.254.0/24...
13:29 < Drarok_> I want to be able to hit other boxes on the 192 addresses... What should I read?
13:30 -!- Drarok_ is now known as Drarok
13:38 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:24 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn
14:33 -!- tsunami [n=tsunami@64.119.153.26] has quit []
14:40 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 < epaphus> HI guys sorry for repeating this unanswered question.. but I am honestly confused and need a little "push" ... my configuration is simpler. I have a client who has a lan behind it (192.168.2.0) it needs to be able to access the VPN. Thats the only LAN in the picture.
14:47 < epaphus> It is my understanding I add.. push "route 192.168.2.0 255.255.255.0" .. and also I would still need an iroute in the ccd of the clients common name?
14:47 < epaphus> iroute 192.168.2.0 255.255.255.0
14:47 < epaphus> Can somebody please confirm this.. I honestly am not understanding this..
14:48 < epaphus> btw.. my client is configured with TWO nics.. one for the internet (ext_if) and the other for the LAN (int_if) . There is a NAT so that the int_if can access the internet via the ext_if already
14:54 < ecrist> epaphus: see here
14:54 < ecrist> !route
14:54 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:55 < epaphus> ecrist, i did. thats the wiki.. i said i already read it .. :)
14:56 < ecrist> epaphus: everything else is having the proper routes configured.
15:01 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit ["Leaving"]
15:01 < epaphus> ecrist, have you done this before... I would put the push "route 192.168.2.0 255.255.255.0" , in CCD : iroute 192.168.2.0 255.255.255.0 ... thats it..?
15:05 -!- troy- is now known as troy
15:10 -!- ftp3 [n=none@pool-71-117-187-57.ptldor.dsl-w.verizon.net] has left ##openvpn []
15:13 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has joined ##openvpn
15:15 < Kyle5> OK... ive got an Openvpn server on windows 2003 on a 172.16.0.x network.. and an openvpn client (linux) on a 10.1.0.x network.. the openvpn client is able to ping items on the 172.16.0.x network, but the openvpn server cannot ping 10.1.0.x.. the client is running RHEL and ive verified ipv4_forward is enabled but im not sure if i need any iptables entries.. can someone point out if i do or not?
theres no firewall running on the bo
15:16 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
15:21 -!- sirus [i=scott@gotpot.org] has quit [Read error: 60 (Operation timed out)]
15:31 < epaphus> !ccd
15:31 < vpnHelper> epaphus: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
15:32 < Kyle5> epaphus: is that related to my query?
15:32 < epaphus> Kyle5, no
15:32 < Kyle5> oh ok :)
15:41 < ecrist> epaphus: 'proper routes configured' means the rest of the network, outside openvpn
15:42 < epaphus> ecrist, so it doesnt really matter what ccd and route on the server.conf i put... iam pretty much sure i did the right configs outside of VPN...
15:42 < epaphus> that is NAT my internal nic with the external one
15:42 < epaphus> you cant really nat my internal NIC with tun0
15:42 < epaphus> it will conflict
15:44 < epaphus> well at least now I can ping my endpoint from a LAN computer
15:44 < epaphus> :)
15:44 < epaphus> but i just cant access the internet
15:44 < Drarok> Hmm, I don't think our network is clever enough to set routes... It's just a cheapo router... It seems I can do some kind of NATing, though?
15:47 -!- sirus [i=scott@gotpot.org] has joined ##openvpn
15:51 -!- afonso [n=afonso@bl6-102-90.dsl.telepac.pt] has joined ##openvpn
15:57 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn []
15:59 < Drarok> Is it possible to have OVPN just pass-thru to the real network, DHCP and all? I'm guessing not...
16:02 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn
16:09 < krzie> sure, if you bridge
16:10 < krzie> usually not something i recommend but im too tired to argue today
16:10 < krzie> (at least for now)
16:10 < epaphus> hello krzie :)
16:11 < Drarok> If it's not recommended, what's the alternative?
16:12 < Drarok> The OpenVPN box is our FreeBSD dev/svn box, so that's ok, but there's another testing server I'd like to access, and potentially hit samba shares on random boxes inside the LAN
16:16 < dan__t> Anyone ever used any of those SSL accelerator cards with OpenVPN before?
16:17 < dan__t> Wondering if its even worth the cost of just throwing another box at my OpenVPN setup to scale laterally, than to use one of those cards in a single machine.
16:30 < krzie> Drarok: read !route and !wins
16:30 < krzie> epaphus hey
16:31 < Drarok> !route
16:31 < vpnHelper> Drarok: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:32 < Drarok> Back later once I've read not skimmed ;)
16:32 < krzie> =]
16:38 < Drarok> Bleh, the examples are much more complex than I need
16:38 < krzie> thats much better than not being as complex as you need
16:39 < krzie> you can figure out what each ip represents in that, replace with yours what you need, and forget the rest
16:39 < Drarok> Perhaps, but having a case that's similar to what I need would mean I don't need to guess at what's relevant :(
16:39 < krzie> lol ya then you wouldnt have to learn anything, thats true
16:40 < krzie> but the point of my writeup wasnt to give you your personal config, it was to teach you what each of those things mean
16:40 < Drarok> I don't need to learn to an expert route-everything level ;p
16:40 < krzie> so you can adapt it to your personal needs
16:40 < Drarok> Think I might need to read it about 10 times, ho hum
16:40 < Drarok> Perhaps it'll make more sense in the morning :)
16:40 < krzie> the manpage also has a lot more info than you need, but it also has every piece of info that you do need
16:41 < krzie> ;]
16:41 < krzie> in fact thats basically a prerequisite of a good doc
16:41 < krzie> how many lans do you have that need to be routable over the VPN?
16:44 < Drarok> Just one. At the VPN server end, there's 192.168.254.0/24, and the (sometimes multiple, dial-in) clients need to access that. The Server has a single NIC plugged into the 192 LAN, udp port forwarded so I can connect.
16:44 < krzie> simple
16:44 < krzie> just push the route to its lan to clients
16:45 < krzie> like push "route 10.0.0.0 255.255.255.0"
16:45 < Drarok> Then how do boxes at the LAN end see clients? Or can't they?
16:45 < krzie> assuming its lan was 10.0.0.0/24
16:45 < krzie> did you read not skim my doc?
16:45 < krzie> that is gone over right under the pretty picture
16:46 < krzie> where it says "ROUTES TO ADD OUTSIDE OPENVPN"
16:46 < krzie> it gives 2 ways to do it, and an explanation of what happens before you do it
16:46 < krzie> (aka, why it must be done)
16:46 < krzie> and for the samba...
16:46 < krzie> !wins
16:46 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
16:47 < Drarok> annoying work-around?
16:48 < krzie> assuming you cant do it the right way, ya
16:48 < krzie> adding a route to every machine on a lan is very annoying to me
16:49 < Drarok> Yeah, very, but I can't see any mention of a "right" way
16:50 < krzie> you skimming...?
16:50 < Drarok> I just re-read the bit under the picture
16:50 < Kyle5> OK..
can someone tell me why when ive got this entry in my routing tables " 10.1.0.0 255.255.252.0 10.3.0.2 10.3.0.1 1
16:50 < Drarok> But that example makes no sense
16:50 -!- c64zottel [n=hans@p5B17B484.dip0.t-ipconnect.de] has quit ["Leaving."]
16:50 < Drarok> I don't need the server end to see anything on the client's LAN
16:50 < Drarok> I just want a bog-standard dial-in style vpn
16:51 < Drarok> Where users connect, see the LAN, and are happy.
16:51 < Drarok> :(
16:51 < krzie> Kyle5:
16:51 < krzie> !/30
16:51 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:52 < krzie> Drarok you need to read it for understanding, not to just drop in replace your personal info
16:52 < krzie> but ill explain it anyways
16:52 < Kyle5> OK.. can someone tell me why when ive got this entry in my routing tables "10.1.0.0 255.255.252.0 10.3.0.2".. with 10.3.0.0 being the openvpn subnet.. ive got tcpdump running on tun0 at the other end, but when i ping 10.1.0.10 its not even making it through
16:52 < krzie> if a machine on the same lan as your server gets a packet from the vpn network, how will it reply?
16:52 < krzie> it will check its routing table
16:53 < krzie> NOT find an entry, so send it to the default gateway
16:53 < krzie> which wont have an entry, so send to ITS default gateway (the inet)
16:53 < krzie> then it gets dropped because it is 1918 ip
16:53 < Kyle5> yeah i know that
16:53 < krzie> not you kyle
16:53 < Kyle5> oh sorry :P
16:53 < krzie> im still talking to him ;]
16:53 < krzie> ill get to yours in a sec
16:53 < krzie> so Drarok
16:54 < krzie> you have 2 options
16:54 < krzie> give it a route back in the router (easy way)
16:54 < Drarok> I get the problem with LAN clients being unable to reply...
16:54 < krzie> or add a route back to each machine in the lan (annoying other way)
16:54 < Drarok> And our router is rubbish :(
16:54 < krzie> if you cant add a route in your router you gotta do the other way
16:55 < Drarok> Manually on each LAN client?
16:55 < krzie> client?
16:55 < krzie> manually on each machine in the lan, yes
16:55 < Drarok> Box I want to talk to
16:55 < Drarok> But... That's insane!
16:55 < krzie> it must know that for VPN_NETWORK it must route to LAN_IP_OF_VPN_ENDPOINT
16:56 < krzie> no shit, get a router that doesnt suck :-p
16:56 < krzie> my linksys can add routes
16:56 < Drarok> But...
16:56 < krzie> in fact my $15 router can
16:56 < Drarok> Windows Server can do exactly what I want.
16:56 < krzie> no, it cant
16:56 < krzie> unless its the default gateway for the lan
16:56 < Drarok> You forward some ports, you dial in, you get a LAN IP, everything (AFAIK) is happy
16:56 -!- tsunami [n=tsunami@64.119.153.26] has quit []
16:56 < krzie> in which case ANYTHING can (if you can add routes to it)
16:57 * Bushmills passes around the weed
16:57 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
16:57 < krzie> yeeeee
16:57 < krzie> hell yes Bushmills
16:58 < Drarok> Hmmm... Perhaps it is the default route, then passes traffic onwards to the router.
16:58 < Drarok> I'm not sure, it's at a client's.
16:58 < krzie> what is the gateway for the lan?
16:58 < Drarok> Can't tell from here.
16:58 < krzie> lol
16:58 < krzie> ifconfig on the fbsd box
16:58 < Drarok> Oh, I know that.
16:58 < krzie> err, route -rn|grep G
16:58 < Drarok> I mean at the WinServer site
16:59 < Drarok> The one that does what I want ;)
16:59 < krzie> you either bridged or the machine is default gateway for its lan, or you setup the routes correctly like im telling you to
16:59 < krzie> NEXT
16:59 < krzie> Kyle5, whats the problem?
17:00 < Kyle5> Ok.. the crux of it is
17:00 < Kyle5> OK.. I've got two lans on either side of the VPN...
10.1.0.x/22 on the Client and 172.16.0.0/24 on the Server .. the OpenVPN Client can ping 172.16.0.x addresses fine, but the OpenVPN Server cannot ping 10.1.x.x addresses.
17:00 < Drarok> Bridging is surely what I want, and all this routes talk is just confusing me >_<
17:00 < krzie> Kyle5: have you read !route?
17:00 < krzie> !route
17:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:01 < Kyle5> yeah i have
17:01 < krzie> i made that writeup for just this kinda stuff
17:01 < Kyle5> and as far as i can see
17:01 < Kyle5> ive got the correct config
17:01 < krzie> ok, !configs
17:01 < krzie> !configs
17:01 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:02 < Kyle5> ok
17:02 < Kyle5> http://pastebin.ca/1393255
17:02 < Kyle5> there you go
17:02 < Kyle5> ive worked with the assumption i dont need iroute because its not multiple lans
17:05 < epaphus> krzie, remember the double NIC thing i was going to do.. to allow PCs on a LAN connect to a second NIC on the vpn client so that they can access the inet?
17:05 < epaphus> krzie, well.. I found out that i didnt need the NAT On the client..
17:05 < epaphus> packets are being routed ok, because I can ping my endpoint
17:06 < epaphus> however when i traceroute any IP .. it reaches the endpoint (VPN server) but then the VPN server doesnt know what to do with the IP...
17:06 < epaphus> i think i need a second NAT in my server
17:07 < krzie> dude
17:07 < krzie> thats what i told you epaphus
17:08 < krzie> EXACTLY what i told you days ago
17:08 < Kyle5> krzie, any ideas?
17:08 < epaphus> ohh i am sorry, i understood that I needed a NAT in the client
17:09 < epaphus> not a second NAT in the server :)
17:09 < krzie> no epaphus, i specifically told you you did not when you said you did
17:09 < krzie> !irclogs
17:09 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
17:09 < krzie> you can go read me telling you that if you want
17:09 < krzie> Kyle5 1min
17:09 < Kyle5> thanks
17:10 < epaphus> krzie, thats ok :) no prob
17:12 < krzie> Kyle5, you have no ccd entries on the server?
17:13 < Kyle5> no
17:13 < Kyle5> i wasnt sure i needed iroute or not
17:13 < krzie> you need to
17:13 < krzie> !iroute
17:13 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:14 < Kyle5> so... i need to create a server side ccd file with "iroute 10.1.0.0 255.255.252.0"
17:14 < Kyle5> ?
17:14 < Kyle5> or anything else?
17:15 < krzie> assuming 10.1.0.0/24 is the lan behind the client, right
17:15 < krzie> it must be in a file named COMMON-NAME-OF-CLIENT in the ccd dir you put for --client-config-dir
17:16 < krzie> the server has the route entry, so thats right
17:16 < krzie> then the LAN on the client side needs a route on the gateway, possibly 2
17:16 < krzie> unless openvpn is running on the default gateway for the client lan
17:16 < krzie> (is it?)
17:17 < Kyle5> its not
17:17 < krzie> ok, do the 2 lans need to talk to eachother?
17:17 < Kyle5> on the client side, its a procurve switch, and is already configured
17:17 < Kyle5> yeah they do
17:17 < krzie> ok so heres what they need
17:17 < krzie> each default gateway on each lan needs to know 2 things
17:17 < reiffert> Please note, there can only be *one* file named COMMON-NAME-OF-CLIENT.
17:18 < reiffert> Just put it all in there.
17:18 < krzie> 1) for 10.3.0.0/24 it sends the traffic to the LAN_IP of the local vpn node
17:18 < epaphus> krzie, i dont understand what i need to NAT In the server. MY original NAT was 10.0.1.0/24 to re0 ....
17:18 < Kyle5> each default gateway needs a route back to the openvpn machine... which needs to have ipforwarding activate?
17:18 < krzie> 2) same thing for the LAN on the other side of the VPN
17:18 < krzie> epaphus go look in the irclogs
17:19 < epaphus> krzie, so now what..? do i nat re0 to 192.168.2.0/24 ?
17:19 < krzie> i already explained this fully to you and dont wanna repeat myself again after re-learning your setup
17:20 < Kyle5> the other question is.. is there a client-common-name thing for the clientside?
17:20 < epaphus> krzie, i remember you saying ... you must do the exact same thing you did in the server for NAT.. thats all
17:20 < krzie> then go back and read the logs
17:20 < krzie> cause i fully explained it, 2x i think
17:21 < krzie> Kyle5, huh?
17:21 < Kyle5> as in... set the ccd file to the name's common name
17:21 < Kyle5> how the hell do you define the common name of the client?
17:22 < reiffert> everything after 'CN='
17:22 < Kyle5> the whole lot?
17:22 < reiffert> lemme think about your question.
17:22 * reiffert bed
17:22 < krzie> whole lot?
17:22 < krzie> theres only 1 client with that lan behind it
17:23 < Kyle5> yeah
17:23 < krzie> so thats the common-name you put the iroute in
17:23 < krzie> !ccd
17:23 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
17:23 < Kyle5> yes
17:23 < Kyle5> but how do i know what the common-name is?
17:23 < Kyle5> theres no definition for it
17:23 < krzie> you made the certs didnt you?
17:23 < Kyle5> yeah
17:23 < Kyle5> oh THAT name
17:23 < Kyle5> ok
17:24 < krzie> a) its in your ipp.txt
17:24 < krzie> b) you specified it when you made the certs
17:24 < krzie> c) its in your logs
17:26 < Kyle5> yeah got it
17:26 < Kyle5> OK
17:26 < Kyle5> will it tell me in the logs if it loaded the CCD file?
17:26 < krzie> sure
17:26 < krzie> the server log you'll see it used the iroute
17:27 < Kyle5> ok...so it didnt
17:27 < Kyle5> bugger
17:27 < krzie> did you restart after adding --client-config-dir
17:27 < krzie> (the server)
17:27 < Kyle5> yeah
17:27 < krzie> !logs
17:27 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
17:28 < Kyle5> i think its because i havent addressed it properly.. being a windows openvpn server
17:28 < krzie> no diff with this in win vs unix
17:29 < Kyle5> well, in terms of file addressing there is
17:29 < krzie> as long as you gave it the ccd dir correctly
17:29 < krzie> you mean the PATH?
17:29 < Kyle5> yeah
17:29 < krzie> ok true that
17:29 < Kyle5> my fault, i believe
17:30 < Kyle5> thank you
17:30 < krzie> yw
17:30 < Kyle5> its working as i wanted now, so many thanks
17:30 < krzie> np man
17:31 < krzie> your setup is 2x as hard as Drarok and he already gave up ;]
17:31 < Kyle5> hehe
17:31 < Kyle5> i hadnt clocked i needed the iroute with just one lan on the end.. but there we go
17:31 < krzie> iroute is whenever theres a lan behind the client
17:31 < Kyle5> i know now :P
17:32 < krzie> not just lan, but any ip that openvpn itself wouldnt know about, but the kernel of the openvpn server does send to openvpn
17:32 < Kyle5> yeah of course
17:32 < epaphus> krzie, i downloaded the logs.. but its a binary format file..
:(
17:32 < krzie> its an internal method for openvpn to relate ips/networks with its clients
17:34 < krzie> its a gzip file
17:34 < krzie> gunzip it!
17:35 < krzie> it'll get a lot bigger when you gunzip it, like my pants
17:39 < epaphus> krzie, i did gunzip it.. in order to get the openvpn.txt ... but that is a binary file
17:39 < epaphus> cant you kindly, repeat to me what I should nat? please
17:39 < krzie> that would require me re-learning your whole setup
17:39 < krzie> lets just put it this way
17:39 < krzie> whatever the source ip of the packets headed to the server
17:40 < krzie> if they are meant to hit the inet
17:40 < krzie> must be natted
17:40 < krzie> (at the server)
17:40 < epaphus> right so:
17:40 < krzie> in the exact same way your current nat works
17:41 < krzie> epaphus type file openvpn.txt
17:41 < krzie> see if its a tar
17:41 < krzie> he might have meant to name it .tgz
17:42 < epaphus> LAN machine (192.168.0.201) -> Client (192.168.0.10) -> tunnel -> server
17:42 < epaphus> but i dont know what IP to nat... 192.168.2.0/24 on the server ?
17:42 < Kyle5> jhhhhhhhhhnjmmmmmmmmmmmmmmmm8888
17:43 < krzie> epaphus, you've been here many days, asking the same questions getting the same answers
17:43 < krzie> i really dont wanna re-understand your network to repeat myself
17:44 < epaphus> nevermind.. thank you krzie i fixed it
17:44 < krzie> great!
=]
17:44 < krzie> your network to repeat myself
17:44 < krzie> oops misfire
17:45 < krzie> too easy to copy/paste in this term, lol
17:45 < krzie> krzee@hemp:~> file openvpn.txt
17:45 < krzie> openvpn.txt: ASCII English text, with very long lines
17:46 < krzie> --- Log opened Fri Aug 01 12:49:14 2008
17:46 < krzie> 12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn
17:46 < krzie> 12:49 -!- ServerMode/##openvpn [+ns] by zelazny.freenode.net
17:46 < krzie> thats not binary dude
17:47 < epaphus> sorry
17:47 < krzie> i just wanted to make sure it was named correctly
17:48 < krzie> so users could read it if they want it
17:50 < Drarok> Blurgh, I give up for the night, found a guide for BSD that said I wanted bridging, now I can't even ping the endpoint!
17:50 < Drarok> krzie: I appreciate your time, though. I'm sure I'll see you again... ¬_¬
17:50 < Drarok> G'night
17:50 -!- Drarok is now known as drarok
17:51 < krzie> that guide is wrong
17:51 < krzie> in fact most the guides you'll find on google suck
17:51 < krzie> but do whatever makes you happy
17:51 < krzie> bridging will work, its just a waste of overhead and a little less secure
17:57 < epaphus> krzie, ive been here many days.. but ive setup 3 different VPNs with different configs btw
17:57 < krzie> oh i coulda sworn that was the same vpn as day1
17:57 < krzie> i never caught you were asking the same questions for other vpns
17:57 < epaphus> :)
17:58 < krzie> which seems more weird
17:58 < krzie> cause ild think you understood the answers after doing it correctly already
17:58 < krzie> no?
17:59 < epaphus> not completely... i do have clues sometimes
17:59 < krzie> cool ;]
17:59 < krzie> well what matters is you got it fixed up =]
17:59 < krzie> so you did what we were talking about?
18:00 < krzie> got a second nic and made a new separate network ?
18:00 < epaphus> yes
18:00 < krzie> to have 2 lans, 1 that routes over vpn default and other that routes straight to inet
18:00 < krzie> thats pretty cool
18:00 < epaphus> one LAN. two nics. 1 nic for NET, other for LAN
18:00 < epaphus> by NET I mean internet
18:01 < krzie> but the nic for INET is actually part of a different lan, right?
18:01 < epaphus> yes
18:01 < krzie> ya, coolness
18:04 < krzie> so i guess you've been on an openvpn setup spree from the sound of it
18:04 < krzie> how many more you got on the list?
18:05 < epaphus> i am done.. now I just need to add more NICS..
18:05 < krzie> more nics...?
18:05 < epaphus> the user that wants to get on a specific VPN just plugs his PC to the switch for that VPN
18:05 < epaphus> thats how they wanted the config here to be
18:06 < epaphus> etc
18:06 < krzie> oh i see
18:06 < epaphus> :P
18:06 < epaphus> then if somebody is travelling
18:06 < krzie> you're gunna keep repeating that setup
18:06 < epaphus> and stays in a hotel...
18:06 < epaphus> they connect as a client directly to the server
18:06 < epaphus> with gopenvpn
18:06 < krzie> i take it you're doing this for sidework
18:06 < epaphus> :)
18:10 < epaphus> day over, thanks all
18:10 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:14 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn
18:24 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
18:25 < Kyle5> ok. thanks all and night
18:25 -!- Kyle5 [n=newbie@cpc2-sout5-0-0-cust535.sotn.cable.ntl.com] has quit ["Quit"]
18:52 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 113 (No route to host)]
18:59 -!- row [i=row@who.br0ke.me.uk] has joined ##openvpn
19:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
19:02 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["IceChat - Its what Cool People use"]
19:07 < krzie> Dougy here?
19:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
19:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
19:30 -!- sirus [i=scott@gotpot.org] has quit [Read error: 60 (Operation timed out)]
19:30 -!- sirus [i=scott@gotpot.org] has joined ##openvpn
19:46 < ecrist> sup motha fucka's?
19:46 < krzie> gellin, like magellin
19:47 < ecrist> you keep adding -krzee
19:47 < ecrist> o.O
19:47 < krzie> i wrote it!
19:47 < ecrist> aye
19:47 < ecrist> so the log says. ;)
19:47 < krzie> i dont want it copywritten or anything, but ild like my name on it
19:48 < ecrist> ok, I'll fix it for ya. gimme a few. (muahahahaha)
19:48 < krzie> why would you remove my name from my doc?
19:49 < ecrist> -krzee doesn't look 'clean' to me. I don't mind authorship, though.
19:50 < krzie> clean? im krzee!
19:50 < ecrist> not a big deal, just something I noted.
19:50 < krzie> if i IRCed as Jeff it would say -Jeff ;]
19:50 < ecrist> and I wouldn't like -Jeff
19:50 < ecrist> I wouldn't like -ecrist, either
19:50 < krzie> i see
19:51 < ecrist> ah, you do all your edits anon
19:51 < krzie> well you can change it however you want, just let it say i wrote it
19:51 < krzie> sometimes i do, sometimes not
19:51 < ecrist> well, now. you used to log in
19:51 < krzie> pointless to login to add -krzee or something equally small
19:52 < ecrist> indeed.
19:52 < ecrist> I usually don't log in.
19:52 < ecrist> if you couldn't tell, I watch the full RSS for my wiki. :)
19:52 < ecrist> been getting a fair bit of spam where someone will delete most of an article and replace it with 'adlfaj43rsad4fadf4q'
19:53 < krzie> thats weaksauce
19:53 < krzie> i guess we might hafta remove anon edits then huh?
19:53 < ecrist> indeed. that's why I watch the RSS
19:53 < ecrist> I get maybe 3-5 edits per week.
19:53 < ecrist> most from me.
19:55 < krzie> ya part of me still wants to make a doc to replace !default
19:55 < ecrist> reminds me, I should finish my freebsd + bridged article
19:55 < krzie> but it will be such a pain in the ass
19:55 < krzie> because most of it is OS specific
19:56 < krzie> i guess i could just doc the openvpn specific part (which is damn near nothing)
19:56 < ecrist> I have 8000 things I'd like to do. my most recent project, bbthe.me, is only getting attention at this point because every time someone wants to post an update or new theme, I have to do it manually.
19:56 < krzie> and say "heres what you need to figure out in your OS"
19:56 < ecrist> 'tis why I'm on the puter now.
19:56 < ecrist> krzie + ecrist = OpenVPN Doc Team
19:56 < krzie> ahh cool, so its getting a bit of action?
19:56 < ecrist> yeah
19:57 < ecrist> it would get a ton more if I'd develop the fucking thing
19:57 < krzie> lol
19:57 < ecrist> I probably only get around to posting 2/3 of the themes sent to me.
19:58 < ecrist> job + side company + sheriff dept + wife/kid + social life = bahh!
19:58 < krzie> new kid popped out a bit ago, right?
19:58 < ecrist> not yet
19:58 < ecrist> July 16
19:58 < krzie> oh whoa
19:58 < ecrist> got a plumber in the house today and tomorrow remodelling the basement for a new master bedroom
19:58 < krzie> <-- no sense of time
19:59 < ecrist> then I get to build walls, do electrical, etc.
19:59 < ecrist> and if I think I have time now, wait till the kid comes!
19:59 < ecrist> it's all good. I like being busy.
19:59 < krzie> for real
19:59 < ecrist> brb
20:09 < row> If I am using an ethernet bridge is there anyway I can make certain stuff not go over the bridge and go over my actual connection (windows vista)?
20:09 < row> ie voip stuff?
20:09 < krzie> no but if you use routed mode, yes
20:10 < krzie> which is less overhead therefore better performance for voip anyways
20:10 < krzie> !tunortap
20:10 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
20:10 < row> k
20:11 < ecrist> krzie: 17:46 ##openvpn: < krzie> 12:49 -!- ecrist [n=ecrist@snipe.secure-computing.net] has joined ##openvpn
20:11 < ecrist> ?
20:11 < krzie> showing him he was full of shit saying the logfile was binary
20:11 < ecrist> ah
20:11 < ecrist> lol
20:11 < ecrist> it's just a gzip
20:12 < krzie> as i told him
20:12 < ecrist> drarok: !freebsd
20:14 < ecrist> krzie: ephadfadsfasdfa (or whatever) has been asking the same questions every day. he doesn't understand network routing. his problem is 100% covered on !routing
20:14 < krzie> i know
20:14 < krzie> he finally got it figured out
20:14 < krzie> after i explained it twice i told him i wouldnt do it again
20:15 < ecrist> oh, I didn't read that far.
20:15 < krzie> told him to read me explaining it before in the logs
20:15 < krzie> and he finally figured it out after claiming the logs were binary format
20:15 < krzie> lol
20:15 < ecrist> heh
20:16 < ecrist> just bought a computer for our 7 year old. thank god for Apple Remote Desktop
20:16 < krzie> hes getting apple!?
20:16 < krzie> lucky kid!
20:17 < ecrist> new mac mini c2duo 2gb ram samsung 22" lcd
20:17 < krzie> sick
20:17 < ecrist> we're an apple house
20:17 < ecrist> aside from my servers. those are 100% freebsd
20:18 < krzie> just like my house
20:18 < ecrist> though I considered putting Mac OS X server on the new mini
20:18 < ecrist> I'm liking the parental controls, setting time limits and such. with ARD, I can sit here, in my office, and watch what he's doing on his screen, without him knowing.
20:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:19 < krzie> if my parents had that i woulda never gotten into computers
20:19 < krzie> it all started at age 11 with porn
20:19 < krzie> progressed to many illegal activities by age 13
20:19 < ecrist> you were a late bloomer
20:20 < ecrist> ;)
20:20 < krzie> umm, this was '92
20:20 < ecrist> aye
20:20 < ecrist> you've gotta be about my age then.
20:21 < krzie> 27
20:21 < krzie> 28 later in the yr
20:21 < ecrist> I'm not planning on spying on the kid too much. just enough to keep him safe from crazy people out there.
20:21 < ecrist> I'll be 30 in oct...
20:21 < ecrist> ugh
20:21 < krzie> tru, inet has changed a bit since the old days
20:22 < ecrist> I'm really nervous about him getting into gang stuff and pedos finding him.
20:22 < theDoc> Do we see it becoming a platform for pedo's?
20:22 < krzie> theDoc to an extent, yes
20:22 < theDoc> Sooner or later, ipsec/vpn/gre will all be commonly used to encrypt more child porn than ever.
20:22 < ecrist> he's a really outgoing kid who loves to please, so he's susceptible to peer-pressure.
20:23 < theDoc> ecrist: Might I suggest you just keep an eye on him, be open and explain the dangers to him.
20:23 < theDoc> This really isn't the internet of the early 90's.
20:23 < ecrist> theDoc: already there. we've been told we're too open with him.
20:23 < theDoc> My parents did that with me ;p
20:23 < krzie> theDoc i expect onion routing to be used more than those for that
20:23 < theDoc> krzie: I suspect the on demand vpn service I run now will be abused for that sooner or later. I'll be having to do some work on that area.
20:24 < ecrist> with higher-speed connections, I predict most common network traffic (browsing, email, comms) will be randomly-routed through the net within 5 years. as a common practice
20:24 < theDoc> ecrist: While I wouldn't go so far as to sniff his traffic, I might just log the websites he visits.
20:24 < krzie> however, my belief in privacy is stronger than my hate for that stuff 20:24 < ecrist> when most people have 100Mb+ connections, it'll be a lot easier 20:24 < krzie> while there is nothing that sickens me more 20:24 < karlpinc> ecrist : Then why aren't people encrypting their email now? 20:25 < ecrist> karlpinc: it'll get there, I suspect. 20:25 < theDoc> krzie: Yes, that's true. However, the government is taking a very strong approach to the whole, if you aren't a criminal, you have nothing to encrypt. 20:25 < krzie> TOTALLY FALSE 20:25 < theDoc> Which worries me, because some of them build a profile of you based on your IM/email/surfing habits. 20:25 < theDoc> Just look at UK/Singapore/China/Australia. 20:25 < karlpinc> ecrist : People don't care. If they cared they wouldn't run that unnamed OS with lots of security holes. 20:25 < krzie> thats like saying you should submit to illegal searches cause if you arent a criminal you have nothing to hide 20:26 < krzie> giving up privacy for temporary security is both stupid and naive 20:26 < ecrist> for me, personally, I don't do/say anything I'm afraid of people seeing. If I do things I don't want public, nobody knows about them. 20:26 < theDoc> krzie: Precisely, it's always more open to abuse. 20:26 < theDoc> ecrist: Precisely! That or encrypt it ;p 20:26 < krzie> i encrypt everything and will never submit to a search, and i have nothing to hide 20:27 < theDoc> krzie: Which country do you live in? 20:27 < krzie> im also very strongly for all the other amendments in the bill of rights as well 20:27 -!- afonso [n=afonso@bl6-102-90.dsl.telepac.pt] has quit [] 20:27 < ecrist> karlpinc: I wouldn't say people don't care. I'd say most people are mis/ill-informed, and don't know any better. 20:27 < krzie> im from california, although i left to the caribbean 20:27 < krzie> i read the patriot act 20:27 < theDoc> I believe there were a couple of high profile cases which involved child porn and encryption. IIRC, the guy was ordered by the courts to provide the decryption key.
20:27 < krzie> that was time for me to leave 20:28 < karlpinc> ecrist : Maybe so, but it won't change. 20:28 < theDoc> I'm not sure what the patriot act entails, I'm not from the US. 20:28 < krzie> think: enabling act from nazi germany 20:29 < theDoc> You've got to be shitting me, america was all for the freedom and stuff and cuddly teddy bears. 20:29 < krzie> yup 20:29 < krzie> i shoulda taken the other pill 20:29 < krzie> woken up and believed whatever i wanted 20:29 < karlpinc> theDoc: Americans used to laugh that the Soviets needed a passport to travel within the country. 20:30 < theDoc> karlpinc: Are you guys at the same stage as them already? 20:30 < theDoc> Man, this world is just fucked up, everyone is just stepping on everyone for their own agenda. 20:30 < krzie> its different in america, cause everyone still thinks they have rights 20:30 < krzie> nobody pays attention 20:30 < karlpinc> theDoc: The Feds have passed the Real ID act, which requires the states to issue identity papers, and those will be required to get on transport. 20:31 < karlpinc> theDoc: But it's costing the states money so they're late implementing. 20:31 < krzie> karlpinc, im impressed, not too many people know bout that 20:31 < theDoc> karlpinc: That's fucking ridiculous. I wonder if they have been wiretapping secretly for some time now. 20:32 < krzie> theDoc they can wiretap secretly legally now 20:32 < theDoc> Just to keep track of "people whom might be dangerous". For instance, the little kid down the road downloading torrents. 20:32 < krzie> they can even do secret arrests 20:32 < krzie> as long as they claim they suspected terrorism links, NEVER prove it and never talk to a judge 20:32 < karlpinc> theDoc: Years and years. Echelon (sp?) allows member states to spy on the citizens of other member states, and report back. So even though it's illegal for the US to spy on its citizens, we trade data with other Echelon members.
20:32 < theDoc> krzie: You guys are coming up on par quick with N.Korea and China. 20:32 < krzie> just "we suspected a link to terrorism" and you have no rights except the 3rd amendment left 20:33 < krzie> theDoc, i know, i left 20:33 < theDoc> krzie: Doesn't the 3rd amendment protect civilian rights? 20:33 < karlpinc> krzie : For somewhere better? 20:33 < theDoc> This is open to abuse in so many ways. 20:33 < krzie> 3rd is you dont have to house troops 20:33 < krzie> karlpinc, depends how you look at it really 20:34 < krzie> the corruption here is known, but makes it easier on me 20:34 < krzie> if someone wanted to tap me here ild know about it very soon, for a fee of course 20:34 < krzie> even tho i do nothing illegal, i like privacy 20:34 < theDoc> I just find it very disturbing. 20:34 < krzie> its the patriot in me, i FULLY believe in the US constitution 20:34 < theDoc> That the amount of people whom have no idea that their privacy is being infringed upon. 20:34 < karlpinc> It's a new age, privacy is obsolete, except for what you enforce yourself. 20:35 < theDoc> karlpinc: I'm starting to feel that it should be mandatory to be tunneling all traffic into a vpn. 20:35 < krzie> theDoc it is to me 20:36 < krzie> i dont even google from my real ip 20:36 < krzie> evvvvver 20:36 < theDoc> krzie: Neither do I. I hop through a vpn server which I own. 20:36 < krzie> i know what i know about openvpn routing from figuring out how to chain vpn's 20:36 < theDoc> I'd be nuts to send plaintext stuff out of this box. 20:37 < theDoc> krzie: Although I feel that this kind of segregation of traffic will sooner or later form a separate entity or another "internet" 20:37 < krzie> aka a darknet 20:37 < krzie> theres many darknets in existence 20:38 < krzie> encrypted networks closed off to the inet, but running on top of it 20:38 < theDoc> krzie: ah yes.
20:38 < theDoc> krzie: Did you read the new bill that was proposed where the US president could have the power to shutdown any network? 20:38 < karlpinc> krzie : Traffic analysis will reveal you anyway, unless you're also sending random traffic, and even then.... 20:39 < krzie> yes doc 20:39 < krzie> karlpinc this is true, but nothing automated will 20:39 < krzie> as i mentioned i dont actually do anything that anyone cares about 20:39 < krzie> but the watching is all automated 20:40 < krzie> if i did do that kinda stuff ild throw some satellites in the mix 20:40 < theDoc> karlpinc: Do you mean sending traffic to the darknet? 20:40 < karlpinc> krzie : Who knows what's automated. I did some steganography once and got an immediate request for the file from the MI6 or some such organization in the UK. 20:40 < krzie> he means everything i mentioned 20:40 < theDoc> Oh, ok. 20:40 < krzie> whoa, crazy! 20:41 < karlpinc> krzie: google "trojan cow" 20:41 < theDoc> karlpinc: ! 20:41 < krzie> thats much more than i thought they had 20:41 < krzie> !google trojan cow 20:41 < vpnHelper> krzie: The Trojan Cow Project: ; Security Port Scanner, Trojan Port List: Trojan Cow: ; BD Trojan Cow 1.0: Attack Signature - Symantec Corp.: 20:41 < krzie> hit #1? 20:42 < karlpinc> krzie : Yup. 20:42 < krzie> one thing i dont like is that people often blame the police 20:42 < krzie> but the thing is, they dont make the rules, i fully blame our congress and senate for going along with the BS 20:42 < krzie> and of course 20:43 < krzie> the most blame goes to the people 20:43 < krzie> for without their willful ignorance, none of that stuff would happen 20:43 < krzie> (it wouldnt be allowed to, we have more guns) 20:43 < krzie> (just like the founders intended) 20:45 < theDoc> This is just scary ;p 20:46 < krzie> favorite movie: V for Vendetta 20:47 < dan__t> Hi. 20:47 < dan__t> So, anyone have a clue about CRL formats?
20:47 < ecrist> dan__t: I answered your question ~3 days ago 20:47 < krzie> didnt ecrist tell you all that? 20:47 < krzie> oh, lol 20:47 < dan__t> You did not! 20:48 < krzie> ecrist, i think its groundhog weak 20:48 * ecrist gets logs 20:48 < krzie> err week 20:48 < dan__t> Well maybe you did, but the odds of me being shitfaced were 50/50 20:48 < dan__t> I'd appreciate a moment of your time to bring that subject up, please. 20:48 < ecrist> lol, FINALLY, HONESTY COMES TO ##OPENVPN 20:48 < dan__t> Honest? About drinking? Shit, I'll be the first to admit I'm a 25 year old that drinks like a 22 year old. 20:49 < krzie> dan__t, best way for that is !irclogs 20:49 < krzie> !irclogs 20:49 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 20:49 < dan__t> damnit. 20:49 < dan__t> How far back does it go? 20:49 < ecrist> naw, I'll answer his questions again 20:49 < dan__t> Thank you. 20:49 < krzie> august 20:49 < ecrist> dan__t: they go back to august 1st, 2008 20:50 < dan__t> oic. 20:50 < dan__t> Alright, so assuming I was shitfaced, the CRL is formatted in..... 20:50 < ecrist> it's a PEM encrypted file 20:51 < dan__t> Er. My index.txt says otherwise. 20:51 < ecrist> what does your index.txt say? 20:51 < dan__t> Wait. 20:51 < dan__t> Fuck. I'm confused. 20:52 * ecrist doesn't know anything, and goes away. 20:52 < dan__t> haha 20:52 < dan__t> Yes, I'm confused. 20:53 < dan__t> I had wrongly assumed index.txt was in fact the CRL. 20:53 < dan__t> Now I'm not entirely sure what it is for. 
20:53 < dan__t> database index file according to openssl.cf 20:53 < dan__t> cnf 20:53 < ecrist> index.txt is what tells openssl what the next serial should be used (or the last that was used) for a certificate 20:54 < ecrist> aye, so what do you really want to know? 20:54 < ecrist> how to read it? 20:54 < dan__t> what about 'serial'? 20:54 < dan__t> well if its in PEM I can just decode it. 20:54 < ecrist> sigh 20:54 < dan__t> what 20:54 < ecrist> you sound like my 7 year old. 20:54 < krzie> haha 20:55 < ecrist> Dad, how do I do this. Me: Like this. Son: I know. 20:55 < dan__t> Oh, he knows how to extract shit from a .pem, too? 20:55 < dan__t> That's cool. 20:55 < dan__t> index.txt tells openssl what the next serial should be. 20:55 < krzie> he prolly knows how a CRL works 20:55 < dan__t> 'serial' does... the same? 20:55 < dan__t> I see its a hex incremental counter of some sort. to which extent it functions I do not know. 20:56 < ecrist> op ##openvpn ecrist 20:56 * krzie bets ecrist's son could break down PKI to his teacher in class 20:56 < dan__t> haha 20:56 < krzie> then he'ld ask the teacher for their ca.key 20:56 < dan__t> Alright, I guess my confusion ultimately lies in the difference between index.txt and 'serial' 20:56 < krzie> (and get it) 20:57 < ecrist> the index.txt defines the next available serial. 20:57 < ecrist> without it, you start at 0x0 20:57 < dan__t> ok. 20:58 < dan__t> Got it. 20:59 < dan__t> What does the 'serial' file provide OpenSSL with? 21:00 < ecrist> holy shit 21:00 < ecrist> each certificate signed by the CA cert has a serial number 21:00 < dan__t> Yes. 21:00 < ecrist> that's it 21:01 < dan__t> Yeah, why can't OpenSSL use index.txt and increment the last serial found by 1, and use that 21:01 < dan__t> what's 'serial' got to do with it, that's what i'm asking 21:01 < dan__t> "That's just not how it works"? 21:02 < dan__t> I'm trying really hard, but I just understood that there's two serials involved. 
21:03 < ecrist> dan__t: read O'Reilly OpenSSL 21:04 < ecrist> or ask in #openssl 21:04 < dan__t> Yeah just popped open the ebook 21:04 < dan__t> obviously i'm confused. 21:07 < dan__t> Besides key generation, we will create three files that our CA infrastructure will need. The first file is used to keep track of the last serial number that was used to issue a certificate. It's important that no two certificates ever be issued with the same serial number from the same CA. We'll call this file serial and initialize it to contain the number 1. OpenSSL is somewhat quirky about how it handles this file. It expects the value to be in hex, 21:07 < dan__t> and it must contain at least two digits, so we must pad the value by prepending a zero to it. The second file is a database of sorts that keeps track of the certificates that have been issued by the CA. 21:07 < dan__t> mkay so openssl doesn't give fuckall about index.txt in regards to the actual serial number used. 21:08 < dan__t> THAT is what I was getting at. 21:08 < dan__t> er, actual serial number used for new certificates. 21:08 < dan__t> That's clever. Good way to do things. That works just the same way as.......... well, nothing. Nothing at all uses this type of counter. Nothing. 21:09 < dan__t> But thanks for going over that again with me. 21:13 < dan__t> What I'm getting at, is I'm trying to make a wrapper that stores this info in SQL. 21:13 < dan__t> I want to maintain a CRL from a database. 21:14 < dan__t> My process invokes OpenSSL to ultimately sign and distribute keys, and I want this CRL to be maintained/modified after each key is either issued or revoked. 21:16 < krzie> you only update a CRL when revoking 21:16 < krzie> what do you plan on updating it with when you simply issue a key 21:17 < krzie> the key to NOT revoke...?
22:46 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 23:09 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 23:21 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn --- Day changed Thu Apr 16 2009 00:03 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:09 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 00:24 < dan__t> No, I plan on updating it immediately after I revoke a key. 00:24 < dan__t> .....as I've said a few times in the last few weeks. 00:34 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:39 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:46 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:47 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 00:51 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 00:55 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:15 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn 02:27 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:06 < drarok> !freebsd 03:06 < vpnHelper> drarok: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 03:24 < drarok> Righto, it seems there are routing options in our cheapo router! 03:24 < drarok> So now the LAN can ping 10.8.0.1, as it's routed to the IP of the OpenVPN box... 03:25 < drarok> It does mean all traffic will hit the router twice though... LAN clients send to default gateway, which is the router, so it passes traffic to OVPN, which then pushes the tunneled traffic back through its default route... 
03:33 -!- c64zottel [n=hans@p5B17ACFD.dip0.t-ipconnect.de] has joined ##openvpn 04:02 -!- ghoti [n=paul@CPE00c095f003f8-CM001371886cc2.cpe.net.cable.rogers.com] has joined ##openvpn 04:02 * ghoti looks around 04:03 < ghoti> question: could openvpn be configured to benefit from a Hifn crypto accelerator? 04:03 * theDoc looks at himself and goes to bed. 04:03 < ghoti> hm, not a bad idea... 04:16 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:17 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has joined ##openvpn 04:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 04:49 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 04:51 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:52 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 04:52 < drarok> And bingo, I got one of our hosted servers onto the VPN \o/ 04:52 < drarok> Another refuses, potentially a firewall issue :( 04:52 < drarok> Thanks for your time, guys :) 04:59 < drarok> Relevant? 04:59 < drarok> Thu Apr 16 10:59:10 2009 us=508047 UDPv4 WRITE [14] to 87.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 05:00 < drarok> all those 0s can't be good 05:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:39 < drarok> Bingo. 05:39 < drarok> Bad LZO decompression... 05:39 < drarok> --comp-lzo missing >_< 05:39 < drarok> Now both boxen online, woo!
05:48 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."] 05:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:01 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 06:10 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 06:31 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has joined ##openvpn 06:36 -!- tsunami [n=tsunami@c-71-233-239-25.hsd1.ma.comcast.net] has quit [] 06:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:30 < ecrist> good morning, folks 07:30 < drarok> Afternoon :( 07:42 < drarok> Can someone explain ifconfig-push, I think it's the source of my problems... 07:42 < drarok> Docs say '--ifconfig-push local remote-netmask ' 07:42 < ecrist> it pushes an IP to the client. 07:42 < drarok> remote netmask? 255.255.255.0 gives an error... 07:43 < ecrist> ifconfig-push is for ccd entries 07:43 < drarok> Yup, I have 3 ccd files 07:43 < ecrist> so 07:44 < ecrist> ifconfig-push 172.30.0.5 172.30.0.6 07:45 < drarok> What's the relevance of the .5 and .6 ? 07:45 < drarok> I have 3 clients I want to have static IPs, can I use .10 .15 and .20, or are they too close together? 07:47 < ecrist> well, starting at 0, you count up by 4. server takes .0/30, so first client available is .5/30 07:47 < ecrist> .4 is the network address, .5 is client, .6 is server virt endpoint, and .7 is broadcast 07:47 < ecrist> it's covered in the howto 07:48 < ecrist> you can avoid the /30 with 2.1 and use of topology 07:48 < ecrist> !/30 07:48 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 07:48 < ecrist> !/topology 07:48 < vpnHelper> ecrist: Error: "/topology" is not a valid command.
07:48 < ecrist> !topology 07:48 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 07:53 < drarok> Isn't 1st available client .4? .0 .1 .2 and .3 used by server? 07:53 < ecrist> 07:47 < ecrist> .4 is the network address, .5 is client, .6 is server virt endpoint, and .7 is broadcast 07:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:57 < drarok> Hmm, I don't think the ccd has anything to do with my current problem 07:57 < drarok> second client complains: 07:57 < drarok> Thu Apr 16 13:57:10 2009 us=999020 UDPv4 WRITE [14] to 87.127.38.144:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 07:58 < ecrist> that line means nothing to me. 07:58 < ecrist> !logs 07:58 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 08:05 < drarok> http://pastebin.com/m71c09dc7 08:05 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 08:05 < drarok> http://pastebin.com/m1b736a8d 08:09 < drarok> The 2 clients are both on the same LAN, so I could do some magic and route through just one of them, but then if the vpn client box goes down, I lose access to all 3 servers there. 08:12 < drarok> It appears only 1 client works at a time... Hmm
08:17 < ecrist> !configs 08:17 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:17 < ecrist> looks like your clients aren't getting IPs 08:20 < drarok> They're not even doing the TLS bit 08:20 < ecrist> yes they are 08:22 < drarok> http://pastebin.com/m7022ed6 08:23 < drarok> Well, one does, but if I leave it 60 secs, I get a TLS error 08:23 < drarok> (On the broken ones) 08:24 < ecrist> are the server and clients all on the same network? 08:24 < drarok> Noooo 08:24 < drarok> That would be silly :) 08:24 < drarok> Server is next to me, clients are in a datacentre 08:24 < ecrist> ok 08:25 < ecrist> um, you didn't include your ccd entries 08:26 < drarok> [root@bugs /usr/local/etc/openvpn]# cat ccd/data 08:26 < drarok> ifconfig-push 10.8.0.5 10.8.0.6 08:27 < ecrist> that's the client that's not working? 08:27 < drarok> None of them worked last I tried. Seems if I kill the server, leave it a few mins, start back up, one can connect. 08:27 < drarok> But yeah, data can't connect atm 08:28 < ecrist> do your clients each have their own certificate, or are they all using the same one? 08:29 < drarok> Each their own, with unique common names 08:29 < drarok> (Am I right that the ccd file just needs to be named `thecn` ?) 08:29 < ecrist> yes 08:29 < ecrist> client config shows logging at verb 3. can you show me logs at verb 6? 08:31 < drarok> Eh? They're all verb 6
08:31 < ecrist> http://pastebin.com/m7022ed6 08:31 < ecrist> line 34 08:31 < drarok> Oh, I'm overriding that 08:31 < drarok> openvpn --config filename --verb 6 08:32 < ecrist> k 08:32 < drarok> http://pastebin.com/m1b736a8d line 148 08:32 < drarok> # 08:32 < drarok> Thu Apr 16 14:00:30 2009 us=410065 verbosity = 6 08:32 -!- tsunami [n=tsunami@64.119.153.26] has joined ##openvpn 08:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:33 < ecrist> drarok: looks like you've got some sort of connectivity problem. 08:34 < ecrist> don't think it's related to OpenVPN 08:34 < drarok> So how come one client can connect :( 08:34 < ecrist> see here: http://openvpn.net/archive/openvpn-users/2005-02/msg00442.html 08:34 < vpnHelper> Title: Re: [Openvpn-users] TLS Handshake not happening (at openvpn.net) 08:35 < ecrist> I'm guessing you've a firewall issue 08:37 < drarok> Hmm, but surely no clients could connect then? 08:37 < ecrist> I don't know how you've got your NAT setup 08:39 < drarok> Is it possible the NAT is crap and routing all UDP packets on that port to the 1st client, do you think? 08:44 < ecrist> perhaps 09:00 < [4-tea-2]> Bushmills: a pic says more than a thousand words... I should've probably done this before, but here's a diagram, for the record: http://mutantenstadl.de/Diagramm1.png 09:21 < ecrist> that's a hard-to-read diagram 09:23 < ecrist> [4-tea-2]: care to explain it, and your problem? 09:24 < [4-tea-2]> The laptop should always be using the same IP address, no matter how/where it's connected. 09:25 < ecrist> an internal IP, or a 'real' IP? 09:25 < [4-tea-2]> As real as it gets. ;) 09:26 < [4-tea-2]> The /28 is routed by my "virtual" ISP to the VPN gateway, I pick it up using OpenVPN, because my "real" ISP is... uhm... hostile. :D
09:26 < [4-tea-2]> And the laptop's IP is one out of that /28 09:27 < [4-tea-2]> My current status is that I can't do that with OpenVPN alone, but perhaps with a combination of OpenVPN and a routing daemon, like ripd. 09:28 < ecrist> properly set up, you can do it with openvpn and a proper 1-to-1 nat 09:29 < [4-tea-2]> ecrist: I wish I could, but I don't see how. 09:31 < plaerzen> [4-tea-2], that looks like a darknet or something 09:32 < drarok> I have achieved a zen-like state. Turned on IP forwarding at the one client that will connect for now, added routes at datacentre. 09:33 < [4-tea-2]> plaerzen: I think for a darknet, there would have to be more lines towards the internet cloud. This is actually only about my local, private net and the one laptop I take on the road with me. 09:34 * plaerzen nods. Cool setup, nonetheless 09:34 < ecrist> [4-tea-2]: I'll draw up what you need to do. 09:35 < [4-tea-2]> A simplified "solution" would be to always route all traffic for the laptop through a static VPN connection to the local server - but I'm trying to avoid having to push unnecessary traffic over the DSL line, that's why I think I need two VPN connections and something (ripd) telling the world which one is currently in use. 09:36 < ecrist> ? I'm not really sure what you're trying to do i guess 09:37 < [4-tea-2]> I can try to explain in quick words what the goal is... I think it should become clear together with the diagram. 09:37 < [4-tea-2]> case A) my notebook is connected to my local switch and can stream HD video from my local server (direct connection to get best possible speed) 09:38 < reiffert> explain != quick words 09:38 < reiffert> however, simple routing will solve this for you. local net >> routing to other nets. 09:39 < [4-tea-2]> case B) I take my notebook to the garden, get a rfc1918 address from the wlan AP, establish a VPN connection to local server, get the same IP address as for case A) and can use all services locally.
09:40 < [4-tea-2]> case C) I'm on the road, connect to the internet in any possible way, establish a VPN connection to the VPN gateway (NOT the "local server", because that's behind the DSL line), and still get the same IP address and routing for that address in my local net changes so it's host routed via the VPN gateway. 09:40 -!- drarok [n=drarok@imma.chargin.mah.laser.drarok.com] has left ##openvpn [] 09:41 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:42 < [4-tea-2]> (in case C) I can obviously not stream HD video, because the DSL line lacks the bandwidth, but I can still access all my local services from local server or even access the desktop machine). 09:42 < [4-tea-2]> If that's a pipe dream, tell me, so I stop wasting time and hurting my brain. :D 09:43 < ecrist> it's a bit of a pipe dream 09:44 < [4-tea-2]> But I succeeded in explaining what I want? 09:44 < ecrist> it can be done, but I think the hassle in setting it up is rather large. 09:44 < ecrist> yes 09:44 < ecrist> really your largest hurdle is your own knowledge 09:45 < [4-tea-2]> That's a hurdle that can be easily overcome. 09:45 < [4-tea-2]> And jumping over that is my main motivation for this, anyway. 09:47 < ecrist> ok, here's what I'll tell you. You can do what you describe with the following tools: 09:47 < ecrist> 1) OpenVPN 09:47 < ecrist> 2) a firewall with a properly configured 1-to-1 nat 09:48 < ecrist> 3) two openvpn client configs a) full connection and b) just local stuff 09:48 < ecrist> everything else is configured in the ccd entries on the openvpn server for the given client in regards to what is routed over the vpn 09:50 < ecrist> no external routing daemon is needed 09:53 < [4-tea-2]> Without a routing daemon, how will the local server know when the laptop is connected to the VPN gateway? 09:54 < [4-tea-2]> OpenVPN would have to push a host route to the local server when it sees the laptop connect, and remove that route when it disconnects, right?
10:07 -!- tsunami [n=tsunami@64.119.153.26] has quit [] 10:16 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:18 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn 10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:23 < mnickels> I can not get the tap driver to install in Vista64 correctly. I am using the administrator account, it still shows up with an exclamation in Device Manager. I am using Oprnvpn-2.0.9-gui-1.0.3-install.exe. Anyone have an idea of what to check? I've disabled the UAC and driver signing. 10:24 < ecrist> [4-tea-2]: yes, but you can do that with client up/down scripts 10:24 < ecrist> :) 10:25 < ecrist> mnickels: you need to use the latest RC, 2.1rc15 for vista 10:27 < mnickels> ahh I knew i was messing up somewhere! I've seen some forum posts that it was working after searching google, But I didn't see what version of software .. thx ecrist 10:32 < epaphus> hello all 10:39 < mnickels> ecrist, can i just install 2.1rc15 over the top of the existing install or do I need to uninstall 2.0.9 ? 10:50 < ecrist> mnickels: I'd uninstall 2.09 10:53 < dan__t> Hi. 10:53 < tjz> hi dot.. 10:53 < tjz> :P 10:56 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:57 < tjz> wb jeff 10:59 * dan__t stabs krzee 11:00 < tjz> lol 11:16 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 11:30 -!- albech [n=albech@119.42.78.75] has joined ##openvpn 11:31 < albech> can i use openssl on another system to create certificates? the reason i am asking this question is because i dont want to install openssl on my embedded device if it is not needed 11:31 < albech> maybe even use dropbear to create the certs? 11:36 < dazo> albech: In an ideal world, you should never create certificates on the same device as OpenVPN (or any other SSL server) 11:37 < dazo> albech: keys and certs can be created on another box .... ideally, this is a separate box which is not connected to any networks at all ... as the key signing is really a high security task, which provides information to identify a host
11:38 < dazo> in a production environment, you don't want your CA to be compromised 11:41 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)] 11:49 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 11:50 < albech> dazo, excellent.. thanks 12:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:29 -!- seven [n=seven@193.164.131.45] has joined ##openvpn 12:30 < seven> question 12:31 < seven> hello ? 12:32 < seven> is it possible to forward a static ip thowgh openvpn 12:32 < seven> ? 12:32 < seven> through ? 12:33 < seven> anyone ? 12:33 < seven> ------------------------------------------------------------------------------------------------------- 12:34 < seven> blah blah blah 12:34 < seven> yada yada 12:34 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 12:34 < seven> hello 12:34 < seven> !@1 12:34 < vpnHelper> seven: Error: "@1" is not a valid command. 12:34 < seven> @1 12:35 < Improv> Do certificate authorities/certs/hostkeys define in themselves which directory/openssl config to use? 12:35 < seven> please reform your question 12:36 < Bushmills> seven, the ip which is assigned to client is used. that ip can be static, yes. 12:36 < Bushmills> !ccd 12:36 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 12:36 < seven> I know about ccd 12:36 < Improv> seven: If I want multiple separate OpenVPNs with their own OpenSSL certificate systems, will different values for "ca/cert/key" do it?
12:36 < seven> but I failed to include a static one in the server.conf 12:37 < Bushmills> i use an entry in ccd dir for the clients with static address 12:37 < Bushmills> but i don't need to tell you because you know 12:37 < seven> Improv : you want separate OpenVPNs with their own OpenSSL certificate systems to do what ? 12:38 < seven> no I need to know 12:38 < seven> give me an example 12:38 < seven> I know about ccd 12:38 < seven> but I need an example for a working static ip 12:38 < Improv> seven: I want to have SSL configs that are entirely independent of each other attached to OpenVPN instances that are entirely independent of each other. 12:39 < seven> what should be included in server.conf and ccd/thelonioughs lines ? 12:39 < Improv> seven: I need to know if the ca/cert/key directives in the OpenVPN config determine which ssldir to use. 12:39 < Bushmills> echo "ifconfig-push 10.10.10.4 10.10.10.5" > ccd/keyname 12:40 < seven> Improv : I am sorry I can't help cause I couldn't get it, sorry dude 12:41 < seven> then 10.10.10.4 is the static IP ? 12:42 < seven> and shouldn't I add some related line to server.conf 12:42 < seven> ? 12:42 -!- Snoopy [n=ubu@p54A16927.dip.t-dialin.net] has joined ##openvpn 12:42 -!- Timpa88 [i=timpa2@91.210.104.125] has joined ##openvpn 12:42 < seven> !static ip 12:42 < vpnHelper> seven: Error: "static" is not a valid command. 12:42 < seven> !ccd 12:42 < vpnHelper> seven: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 12:42 -!- Snoopy [n=ubu@p54A16927.dip.t-dialin.net] has quit [Client Quit] 12:43 < seven> !static 12:43 < vpnHelper> seven: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 12:43 < Bushmills> seven, just uncommenting client-config-dir ccd from server config should do 12:43 < seven> I'll try it now and feed you back 12:47 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 12:48 < seven> Bushmills 12:48 < seven> question 12:48 < seven> echo "ifconfig-push 10.10.10.4 10.10.10.5" > ccd/keyname 12:48 -!- troy is now known as troy- 12:49 < seven> which one is the static IP in here ? 12:49 < seven> ? 12:49 < seven> %! 12:49 < seven> $ 12:49 < seven> $$$$ 12:49 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < Bushmills> seven, first. you can use netmask, for second. 12:50 < seven> $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ 12:50 < seven> aha 12:52 < seven> look 12:52 < seven> this is the server info 12:53 < seven> ip : a.b.c.d 12:53 < seven> gateway a.b.c.f 12:53 < seven> I have an empty IP 12:54 < seven> a.b.c.n 12:54 < seven> wish to forward it through ovpn 12:54 < seven> ccd exists 12:54 < seven> netmask : 255.255.255.128 12:54 < seven> what should I add to ccd/keyname ? 12:55 < seven> is this true : echo "ifconfig-push a.b.c.n 255.255.255.128" > ccd/keyname 12:56 < seven> and how the client would recognize the gateway 12:56 < seven> what is the gateway in this case ? 12:56 < seven> a.b.c.d OR a.b.c.f ? 12:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 12:56 < seven> and do we need to make some NATting job ? 12:57 < seven> Bushmills ? 12:58 < seven> ?!!??? 
12:58 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn 12:58 < seven> anyone 13:00 < seven> 1 13:00 < seven> 2 13:00 < seven> 3 13:01 < seven> !ccd 13:01 < vpnHelper> seven: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 13:01 < seven> !iporder 13:01 < vpnHelper> seven: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 13:02 < seven> !ipp 13:02 < vpnHelper> seven: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 13:05 -!- seven_ [n=seven@193.164.131.45] has joined ##openvpn 13:05 -!- seven [n=seven@193.164.131.45] has quit [Read error: 54 (Connection reset by peer)] 13:09 -!- KaiForce [n=chatzill@adsl-70-228-83-175.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 13:09 < [4-tea-2]> ecrist: no ripd needed, indeed. 13:10 < ecrist> got it working? 13:10 < [4-tea-2]> well... uhm... a prototype. ;) 13:10 < ecrist> excellent! 13:10 -!- mnickels [n=mnickels@12.177.178.136] has quit [Read error: 110 (Connection timed out)] 13:11 < [4-tea-2]> I've been using static keys, so I don't have --up or ccds until I switch to TLS. 
13:12 < [4-tea-2]> I think I realize now why Bushmills didn't understand me last night, when I complained that OpenVPN would not allow me to set routes dynamically. I guess the way I used it, it creates all interfaces and routes when the daemon is started, 13:13 < [4-tea-2]> and when using TLS it creates them "on demand" when a client establishes a connection? 13:13 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has joined ##openvpn 13:16 -!- seven_ [n=seven@193.164.131.45] has quit [Read error: 54 (Connection reset by peer)] 13:27 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 13:27 -!- freezer__ [n=freezer@sd-89-236.stud.uni-potsdam.de] has joined ##openvpn 13:27 < freezer__> hi 13:28 < freezer__> is there an SHA128 in openssl? 13:33 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn 13:34 -!- mnickels [n=mnickels@12.177.178.136] has quit [Client Quit] 13:38 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"] 13:56 -!- Kurogane [i=Kuro@190.53.8.79] has joined ##openvpn 13:58 < Kurogane> there are other port use openvpn? because i enable the port 1194 tcp/udp incoming and outgoing and still can't connect 14:00 -!- UtopiahGHML [n=libre@rps7452.ovh.net] has joined ##openvpn 14:00 < UtopiahGHML> !howto 14:00 < vpnHelper> UtopiahGHML: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:03 < UtopiahGHML> hi ##openvpn 14:05 < UtopiahGHML> I admit I only skimmed through the howto so if my question is ridiculous just burn me to flame but... I was wondering if I set up OpenVPN on my server running last Debian stable, if I change the config to run it on port 53 (having to DNS daemon started there) and point my openvpn client there, will I be able to browse the net as if I was on the server? 14:05 < UtopiahGHML> s/having to DNS/having no DNS/ 14:07 < ecrist> sure, but you've got to have nat and routing properly configured. 
14:11 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)] 14:12 < krzie> !default 14:12 < vpnHelper> krzie: (default ) -- Returns the default value of the configuration variable . 14:12 < krzie> err 14:12 < krzie> !redirect 14:12 < vpnHelper> krzie: "redirect" is (#1) please see !def1 !linnat !linipforward for linux, and !def1 !winnat !winipforward for windows, or (#2) in order to have the client send all inet traffic through the server's inet, you will need redirect-gateway on the client (or pushed from server, see !push), or (#3) you will also need NAT enabled for the vpn network on the server as well as ip forwarding (see !nat and 14:12 < vpnHelper> krzie: !ipforward) 14:13 < krzie> bleh i need to re-write that 14:13 < krzie> !factoids search ipforward 14:13 < vpnHelper> krzie: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward' 14:13 < krzie> !forget redirect 14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them. 14:13 < krzie> !forget redirect 14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them. 14:13 < krzie> !forget redirect 14:13 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them. 14:13 < krzie> !forget redirect * 14:13 < vpnHelper> krzie: Joo got it. 14:13 < krzie> grr sorry for the flood 14:14 < ecrist> /kickban krzie excess flood 14:14 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 14:15 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit] 14:15 < krzie> !learn redirect as to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
14:15 < vpnHelper> krzie: Joo got it. 14:16 < UtopiahGHML> !autoconfigure target=myserver from=readmybrain 14:16 < vpnHelper> UtopiahGHML: Error: "autoconfigure" is not a valid command. 14:16 < UtopiahGHML> :/ 14:16 -!- albech [n=albech@119.42.78.75] has quit [Connection timed out] 14:18 -!- albech [n=albech@119.42.77.174] has joined ##openvpn 14:31 -!- Timpa88 [i=timpa2@91.210.104.125] has quit [Read error: 110 (Connection timed out)] 14:39 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 < seven__> !def1 14:55 < seven__> !def1 14:55 < vpnHelper> seven__: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 14:56 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has quit ["Leaving"] 14:56 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has joined ##openvpn 14:56 < seven__> !def1 14:56 < vpnHelper> seven__: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 15:01 < krzie> def1 def1 def1 15:01 * krzie does the def1 dance 15:10 < seven__> I am wondering if it is possible to route internet-resolvable IP using openvpn 15:10 < seven__> u think its possible ? 15:10 < seven__> ?!? 15:10 < krzie> as in: sending inet traffic through server? 15:11 < seven__> no 15:11 < Timpa88> Anyone here know any good VPN Service in Russia? 15:11 < krzie> Timpa88 negative 15:11 < Timpa88> :( 15:11 < seven__> why in russia ? 
15:11 < krzie> but i dont know anything in russia 15:11 < krzie> except moscow 15:11 < seven__> I can help 15:11 < Timpa88> outside EU 15:11 < Timpa88> we can this stupid law 15:11 < seven__> wanna vpn service ? 15:11 < Timpa88> yes seven__ 15:12 < seven__> talk to me on pm 15:12 < Timpa88> Ok! 15:12 < krzie> you can get a VPS and run your own 15:12 < Timpa88> yes 15:12 < Timpa88> i know 15:12 < Timpa88> but too expensive 15:12 < krzie> dougy sells them for $5/month 15:12 < Timpa88> we have go this new law 15:12 < Timpa88> and i need to get a vpn outside EU 15:12 < krzie> and he'd even setup openvpn too i believe 15:12 < krzie> (USA) 15:12 < ecrist> seven__: yes, it is 15:13 < Timpa88> otherwise we have to pay like 30000usd per movie we download 15:13 < Timpa88> and so on ... 15:13 < Timpa88> krzie: reverse dns? dedicated ip ? 15:13 -!- mode/##openvpn [+o ecrist] by ChanServ 15:13 <@ecrist> no warez, or mentions of it, please 15:13 < krzie> Timpa88 very likely both 15:13 -!- Timpa88 was kicked from ##openvpn by ecrist [ecrist] 15:13 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 15:13 < krzie> but Dougy is the person to ask 15:14 < krzie> ecrist what about my pirated copy of openvpn? 15:14 < krzie> ;] 15:14 -!- mode/##openvpn [-o ecrist] by ecrist 15:15 * krzie copies opensource software for personal use! 15:15 < krzie> 15:16 < ecrist> if I owned this server, that'd be worthy of a k-line, krzie. >:) 15:16 < krzie> damn i forgot to get the openbsd nat rules from epaphus 15:16 < krzie> hahah 15:16 < krzie> its opensource, cant be pirated for personal use! 
15:16 < krzie> if its GPL it could be illegal to redistribute (without including the source code) 15:17 < krzie> but for personal use anything goes ;] 15:19 < seven__> I am wondering how to route internet-resolvable IP using openvpn 15:27 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn 15:28 < seven__> I am wondering how to route internet-resolvable IP using openvpn 15:33 < krzie> well, you might have to explain what you mean by that 15:33 < krzie> otherwise ill continue to have no clue what you're trying to say 15:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 15:37 -!- Timpa88 [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has joined ##openvpn 15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has quit [Client Quit] 15:40 -!- Timpa88 [i=timpa2@67.212.72.189] has joined ##openvpn 15:41 -!- troy- is now known as troy 15:51 -!- seven__ [n=seven@a188-23.adsl.paltel.net] has quit [Read error: 113 (No route to host)] 15:55 -!- Timpa88 [i=timpa2@67.212.72.189] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 15:57 -!- Timpa88 [i=timpa2@91.210.104.125] has joined ##openvpn 16:05 < plaerzen> if a pig loses its voice, is it disgruntled ? 16:06 -!- mode/##openvpn [+o ecrist] by ChanServ 16:06 -!- plaerzen was kicked from ##openvpn by ecrist [ecrist] 16:06 -!- mode/##openvpn [-o ecrist] by ecrist 16:06 < ecrist> he deserved it. 16:06 < ecrist> muahahaha! 16:06 < Timpa88> power abuser 16:07 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit] 16:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:08 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 16:09 < epaphus> hello all 16:09 < epaphus> krzee, u there? 16:10 * plaerzen peers around at everyone and starts spreading anti-ecrist sentiment by calling him little hitler... 
or perhaps ecristler 16:12 < ecrist> lol 16:14 -!- c64zottel [n=hans@p5B17ACFD.dip0.t-ipconnect.de] has quit ["Leaving."] 16:16 < krzie> ecristler 16:16 < krzie> LOL 16:23 * plaerzen takes a bow. 16:24 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 16:35 -!- Timpa88 [i=timpa2@91.210.104.125] has quit [Read error: 110 (Connection timed out)] 16:40 < Bushmills> plaerzen, i think most people here simply ignore ecrist 16:45 -!- Timpa88_ [n=timpa2@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 16:45 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 16:47 -!- MarcWeber [n=marc@88.80.200.63] has left ##openvpn [] 17:01 < ecrist> Bushmills: that cuts deep... 17:01 < ecrist> krzie: just got back from the range. another bullseye, first shot on target! 17:01 < krzie> nice bro 17:01 < ecrist> 7yds, .40 17:02 < krzie> might be time to backup some 17:02 < ecrist> I did. I'm not so good at 17yds 17:03 < ecrist> out of 49 rounds, only 44 hit paper. 17:03 < krzie> i am with the right gun, but not the avg one 17:03 < krzie> my buddy has a SWEET 45 (totally cant remember the model) 17:03 -!- r_001 [n=r_001@86.99.14.155] has joined ##openvpn 17:03 < krzie> but each piece was made together 17:03 < krzie> has the exact same serial on every piece 17:03 < krzie> also rather expensive 17:03 < krzie> but that thing is SOOOO accurate 17:04 < r_001> how can I use VPN for internet browsing ? 17:04 < krzie> r_001 by reading the topic 17:04 < ecrist> I was wrong 43/49 hit paper, 38 were scoring rounds 17:05 < r_001> krzie: can you send me the topic please 17:05 < krzie> type /topic 17:05 < ecrist> this was rapid fire, too, though. 
and 1/2 were one handed, 1/2 of those being weak-side 17:05 < krzie> oh damn 17:05 < krzie> i never shoot 1 handed weak side 17:06 < krzie> i bet none would hit from 17 yrds left handed 17:06 < krzie> lol 17:06 < ecrist> hehe 17:06 < ecrist> well, some had to, but those are probably my misses. 17:06 < r_001> !howto enter username 17:06 < vpnHelper> r_001: Error: "howto" is not a valid command. 17:07 < krzie> lol 17:07 < krzie> ok lets do it like this 17:07 < r_001> krzie: what's the free username and password for CISCO free VPN Server ? 17:07 < krzie> heres the howto: 17:07 < krzie> umm dude 17:07 < krzie> cisco uses ipsec 17:07 < krzie> !notcompat 17:07 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 17:07 < r_001> howto: user CISCO ? 17:07 < krzie> no no 17:07 < krzie> !howto 17:07 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:08 < krzie> you CAN NOT use cisco's client with openvpn 17:08 < krzie> !redirect 17:08 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 17:10 < r_001> krzie: now I convert to OPENVPN, but it ask for Certificate files 17:10 < r_001> what is that ?? 17:10 < krzie> !howto 17:10 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:15 < r_001> krzie: I can't find the import type file at the howto 17:15 < krzie> import? 
17:15 < r_001> yes 17:15 < krzie> forget about EVERYTHING that had to do with your ipsec setup 17:16 < krzie> you get to start over if you are moving to openvpn 17:16 < krzie> !notcompat 17:16 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 17:16 < r_001> I'm using kVPN 17:16 < krzie> is that openvpn? 17:16 < krzie> ... 17:16 < r_001> yes, it's a GUI for openVN 17:16 < r_001> openVPN 17:16 < krzie> then why does anything need to be imported... 17:18 < r_001> the certificate file 17:18 < krzie> if you're already using openvpn, you dont need to import anything 17:21 * ecrist HAHAs at krzie 17:21 < r_001> krzie: I didn't use it before, it's my first time 17:22 < r_001> what is the certificate file types ? 17:22 < plaerzen> .crt 17:23 < plaerzen> krzee, does openvpn connect to Suspension bridge? I have one near my house I would like to network to all my kittens. 17:38 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 17:39 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Client Quit] 17:43 < krzie> hahahah plaerzen 17:43 < krzie> you're on a roll lately 17:44 < krzie> r_001 either read the howto or read the howto 17:44 < krzie> or, read the howto 17:45 -!- freezer__ [n=freezer@sd-89-236.stud.uni-potsdam.de] has left ##openvpn ["Leaving"] 17:48 -!- atglenn [n=atglenn@wiktionary/ArielGlenn] has joined ##openvpn 17:53 -!- r_001 [n=r_001@86.99.14.155] has quit [Read error: 113 (No route to host)] 17:55 < epaphus> krzie, so.. if I have multiple clients on 1 machine.. and multiple NICs .. the best way to route each is through a NAT... right...? 17:56 < epaphus> this would be the first time i do this on the client machine 17:58 < epaphus> actually I would NAT each NIC to the corresponding TUN... 18:03 < epaphus> I am going to create two client.conf ... 
one will be TUN1 AND TUN0.. would openvpn know however not to assign them the same IPs? 18:12 -!- alami [n=up@unaffiliated/alami] has joined ##openvpn 18:13 < alami> !howto 18:13 < vpnHelper> alami: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:14 < krzie> epaphus i have no clue what you're trying to say, but i heavily suggest you learn networking if you plan on setting up VPNs for profit 18:14 < krzie> seeing as we arent getting a cut 18:14 < krzie> of course if you feel like cutting someone in, im sure that person would be happy to continue being your personal walkthrough for every business you set these up for 18:20 < epaphus> krzie, you kidding me right? 18:20 < epaphus> please tell me you are. 18:21 < epaphus> krzee, I am so sorry then.... I guess you should put that in the topic... No help if you are setting up VPNs in your job.. or perhaps contact the users of any linux distro... to see if they use it in production use... and tell them they need to pay 18:22 < epaphus> of course..everybody in this channel sets up VPNs only for personal use. 18:22 < krzie> dude 18:22 < epaphus> its not about where you use it.. its a matter of learning and sharing that... opensource wouldnt be as big as it is if it wasnt for that 18:23 < krzie> you keep asking the same stuff, cause you dont care to learn 18:23 < krzie> you only care to get it setup 18:23 < krzie> then you come back and ask the same type of stuff again for the next job, cause you didnt learn 18:23 < krzie> it gets old 18:24 < epaphus> dude you dont know the case... you're just annoyed I am #6 in the IRC stats for more active hehe.. but believe me... I dont ask the same questions... its similar.. but not the same.. yes they do have to do with routing. 18:24 < epaphus> anyways, thanks for the help. 
18:25 -!- afonso [n=afonso@bl6-118-240.dsl.telepac.pt] has joined ##openvpn 18:26 -!- afonso [n=afonso@bl6-118-240.dsl.telepac.pt] has left ##openvpn [] 18:27 < krzie> maybe im the only one who feels this way, we'll see by the amount of response 18:52 < dan__t> Suck my balls. 18:53 < dan__t> How's that for a response? 18:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:54 < krzie> that was like mine, but short and sweet 19:13 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit [Read error: 60 (Operation timed out)] 19:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:14 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 19:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 19:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 19:30 < dan__t> hha 19:30 < dan__t> so I'm not going to maintain a CRL as I thought I would. 
19:31 < dan__t> I'm just not going to create a ccd, and use ccd-exclusive 19:44 -!- albech [n=albech@119.42.77.174] has quit [Read error: 104 (Connection reset by peer)] 20:09 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 20:10 -!- atglenn [n=atglenn@wiktionary/ArielGlenn] has quit ["Leaving."] 20:13 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:13 -!- theDoc [n=andelyx@119.73.165.162] has quit [Client Quit] 20:13 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:15 -!- albech [n=albech@119.42.77.174] has joined ##openvpn 20:40 < zheng> #join #php 21:12 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 21:43 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has joined ##openvpn 21:45 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: pa 21:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: HardDisk_WP 21:54 -!- Netsplit over, joins: pa 21:54 -!- Netsplit over, joins: HardDisk_WP 22:01 < zheng> TUN is short for tunnel, and TAP is short for what? 22:16 -!- Lilarcor [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] --- Day changed Fri Apr 17 2009 00:07 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:17 -!- troy [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)] 00:19 < reiffert> zheng: http://en.wikipedia.org/wiki/TUN/TAP 00:19 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org) 00:20 < zheng> vpnHelper, Thx, Could you pls give a simple text info about TAP? TAP = what? because I cannot read wikipedia.org, I only use IRC. 00:20 < vpnHelper> zheng: Error: "Thx," is not a valid command. 00:20 < zheng> Thx. 00:21 < zheng> vpnHelper is a robot? 00:21 < vpnHelper> zheng: Error: "is" is not a valid command. 00:21 < zheng> reiffert, pls? 00:23 < reiffert> cant read wikipedia? why is that? 
00:23 < theDoc> TAP = network tap 00:23 < theDoc> Simulation of an ethernet device 00:25 < zheng> isee, TAP is not an abbrev, just an analogy symbol. Thanks. 00:27 < reiffert> zheng: dies your government filter out wikipedia even for shanghai? 00:27 < reiffert> does 00:27 < zheng> reiffert, no, not government, it's our company limit, 00:28 < zheng> I cannot use www now. 00:28 < zheng> You know I'm from shanghai? 00:29 < reiffert> 07:29 [freenode] -!- zheng [n=zheng@222.66.224.110] 00:29 < reiffert> whois 222.66.224.110 00:29 < zheng> oic, 00:29 < reiffert> inetnum: 222.66.224.104 - 222.66.224.111 00:29 < reiffert> netname: ACTION-TEC 00:29 < reiffert> descr: Action Tec(Shanghai) Co., Ltd. 00:50 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn 01:27 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, krzie, worch, Dougy, xor|, theDoc, Gumbler, tarbo2, ghoti, row, (+47 more, use /NETSPLIT to show all of them) 01:28 -!- SuperEvilDeath15 [n=death@212.206.209.177] has joined ##openvpn 01:29 -!- Netsplit over, joins: krzee, ghoti, Alagar, HardDisk_WP, pa, tjz, albech, theDoc, ropetin, alami (+47 more) 01:37 -!- nemysis [n=nemysis@196-235.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 01:38 -!- nemysis [n=nemysis@137-215.3-85.cust.bluewin.ch] has joined ##openvpn 01:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 02:02 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 02:37 < onats2> hehehe 02:42 -!- Cronix [n=bigluks@et-1-16.gw-nat.bs.ka.oneandone.net] has joined ##openvpn 02:46 < Cronix> hi 02:46 < Cronix> my openvpn client isnt creating a tun / tap device 02:47 < Cronix> running debian lenny 32bit 02:47 < Cronix> kernel 2.6.26-1-686 02:49 < Cronix> on the server machine it starts and gives me an SIOCADDRT: File Exists 02:50 < Cronix> but it creates the Tun0 device on that machine 02:52 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection 
reset by peer)] 02:52 -!- alami_ [n=up@p57A74150.dip.t-dialin.net] has joined ##openvpn 02:53 -!- alami_ is now known as alami 03:24 < Cronix> this is my client config: http://pastebin.com/m510857f2 03:27 < Cronix> this is the startup logfile: http://pastebin.com/m7635edcb 03:29 < Cronix> http://pastebin.com/m24b75415 03:30 < Cronix> my ifconfig output 03:32 < Cronix> thats was the clientside 03:32 < Cronix> serverside files: 03:33 < Cronix> Log: http://pastebin.com/m1fc417fe 03:33 < Cronix> config: 03:33 < Cronix> http://pastebin.com/m56f4515c 03:34 < Cronix> ifconfig: http://pastebin.com/m73251dc7 03:34 < Cronix> anything else u need to help me? 03:36 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has joined ##openvpn 03:51 -!- bandini [n=bandini@host115-106-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn 04:05 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn 04:21 -!- Patrik [n=none@81-233-255-230-no13.business.telia.com] has joined ##openvpn 04:21 -!- Patrik is now known as Guest89974 04:27 < Guest89974> Hi, I'm trying to connect to my ubuntu openvpn server (2.1-rc7) with a windows vista/xp client (ver 2.0.9) but ran into some trouble. "LS Error: TLS key negotiation failed to occur within 60 seconds". Are the certificates wrong or something? 04:30 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn 04:30 -!- zheng3 [n=roger@222.66.224.106] has quit [SendQ exceeded] 04:31 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn 04:31 -!- zheng3 [n=roger@222.66.224.106] has left ##openvpn [] 04:32 -!- zheng3 [n=roger@222.66.224.106] has joined ##openvpn 04:32 < Guest89974> I also get "WARNING: No server certificate verification method has been enabled." But when following the link in the error message I cannot add the "remote-cert-tls server". It says the option isn't valid. 04:32 < zheng3> hi, 04:33 < zheng3> why is TAP's internal routing based on MAC addr, but TUN's internal route based on IP addr? 
04:37 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:40 < dazo> zheng3: TAP goes on Layer2 in the OSI stack, iirc ... while TUN goes higher up and does only IP related stuff .... TAP cannot do anything else than MAC, while TUN could probably do both, but as only IP is supported, IP routing is simpler 04:41 < dazo> Guest89974: you probably want to look into --tls-remote instead 04:42 < Cronix> im kinda going crazy here 04:42 < Cronix> it isnt working on my client ;( 04:42 < Cronix> server works like a charm 04:42 < dazo> Guest89974: regard. your key negotiation failure .... try upgrading to 2.1_RC15 ... preferably on both server and client side first 04:42 < Cronix> but i cant get my client to create a tun0 device 04:43 < dazo> Cronix: Using debian on both client and server? 04:43 < Cronix> jup 04:43 -!- Guest89974 is now known as patrik 04:43 * dazo looks 04:43 < Cronix> ^^ 04:43 < patrik> dazo, Ok, I'll take a look 04:43 < Cronix> but kernel of server is different 04:44 < zheng3> dazo, thanks in advance, but I think TAP can also deal L3 packet(IP), so it can unify the internal ROUTING query method, right? 04:44 < Cronix> client haz 2.6.26 and server haz 2.6.24 04:44 < dazo> Cronix: usually not a problem .... if you have the tun module available and loadable on your client 04:44 < Cronix> i can make 04:44 < Cronix> modprobe tun 04:44 < Cronix> without any problem 04:45 < Cronix> and lsmod | grep tun gives me an valid output 04:45 < Cronix> so tun module is definitely loaded 04:45 < dazo> Cronix: goodie 04:45 < Cronix> but it wont show up on ifconfig 04:45 < Cronix> and 04:45 < Cronix> ifup tun0 dun works 2 04:46 -!- bandini [n=bandini@host115-106-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 04:46 < dazo> Cronix: silly question ... but you try to start openvpn client as root? .... 
just needs to be 120% sure 04:46 < Cronix> su && /etc/init.d/openvpn start 04:47 < dazo> Cronix: goodie 04:47 < Cronix> http://pastebin.com/mf20750a 04:47 < Cronix> ifup tun0 output 04:47 < dazo> can you increase verb on your client to 5 ... and then share that result? 04:47 < Cronix> sure 04:47 < zheng3> because after decrypt the cypher packet, TAP can deal the L2 + L3 packet,~ 04:48 < Cronix> omg 04:48 < Cronix> now THATS a huge logfile 04:48 < dazo> Cronix: not as bad as with verb 9 ;-) 04:50 < Cronix> xD 04:50 < dazo> zheng3: TAP goes lower down in the OSI stack, so it can handle all kind of protocols, AppleTalk, IPX, IPv6, whatever .... while TUN is only "scratching the surface", only supporting IP traffic .... so TAP will support any protocols higher up in the OSI stack 04:50 < Cronix> ok here it is 04:50 < Cronix> http://pastebin.com/m4274bdec 04:51 < dazo> zheng3: But the disadvantage with TAP is that you get much more overhead 04:51 < dazo> !tunortap 04:51 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 04:51 < Cronix> hmm 04:51 * dazo looks at logs again 04:52 < Cronix> ^^ 04:52 < dazo> Cronix: seems fine for me .... no errors here .... and you still do not get any tun device at all? 04:52 < Cronix> nope 04:53 < Cronix> just 04:53 < Cronix> eth0, eth1 and lo 04:53 < zheng3> daze, isee, isee, you mean TAP can be able to handle not ONLY ip packets, so its HASH key is MAC hw, 04:53 < Cronix> eth0 and eth1 are physical existing network cards 04:53 < Cronix> and lo the loopback localhost thing 04:53 < zheng3> thx!!! 04:53 < Cronix> nothing else 04:54 < theDoc> Oh wtf. 04:54 < theDoc> tpb lost their case. 04:54 < theDoc> >_> 04:54 < Cronix> w00t 04:56 < Cronix> how u know? 04:58 < dazo> zheng3: yeah, on layer2 in the OSI stack, MAC address is the key to establish contact 05:00 < dazo> theDoc: tpb lost!?!? 
.... well, Sweden is becoming worse and worse in the technical world ... they're even doing packet inspection on all internet traffic passing the country :( 05:00 < zheng3> daze, I get it now, thx again. another question, why can TUN check whether the virtual IP is changed, but TAP doesn't check whether the virtual MAC address changed? 05:01 < zheng3> dazo, sorry~ for my wrong spelling 05:01 < theDoc> dazo: vpn's will be the in thing very shortly:) 05:01 < Cronix> jep 05:01 < Cronix> xD 05:01 < theDoc> Thankfully, I already run a small scale ip vpn company ;p 05:01 < Cronix> i need my vpn to work 05:01 * theDoc ducks 05:01 < Cronix> ;( 05:03 < dazo> zheng3: That's kind of right, as OpenVPN has its own internal ARP table, so when the VPN IP address changes, it learns which MAC is connected to which IP .... but I've never experienced that an already assigned VPN IP address is changed during a session, but that might be that I haven't experienced OpenVPN in a large scale setup 05:05 < zheng3> dazo, thx for your help 05:05 < dazo> Cronix: I really do not see what's happening on your box at all ... it seems like the tun/tap driver is not working properly ... 05:06 < Cronix> is there any way i can fix that`? 05:06 < dazo> Cronix: do you have /dev/net/tun ? 05:06 < Cronix> lwdeb:/etc/openvpn# cat /dev/net/tun 05:06 < Cronix> cat: /dev/net/tun: Die Dateizugriffsnummer ist in schlechter Verfassung 05:06 < Cronix> lwdeb:/etc/openvpn# 05:06 < Cronix> hmm 05:06 < Cronix> WTF 05:07 < Cronix> Die Dateizugriffsnummer ist in schlechter Verfassung = the file access number is in a bad mood 05:07 < Cronix> like that 05:07 < Cronix> what could THAT mean? o0 05:07 < dazo> Cronix: as long as you have that file ... 
it's fine 05:07 < Cronix> kk+ 05:07 < dazo> Cronix: no, that's a correct state 05:07 < Cronix> alright 05:07 < dazo> Cronix: # cat /dev/net/tun 05:07 < dazo> cat: /dev/net/tun: File descriptor in bad state 05:07 < Cronix> jeah right 05:07 < dazo> But it works on my box 05:07 < Cronix> hmm 05:08 < Cronix> with my client config? 05:08 < dazo> Cronix: I see you are running 2.1_rc11 ... try upgrading to rc15 first 05:08 < Cronix> what? 05:08 < Cronix> how? 05:08 < dazo> Cronix: at first glance, your client config seems sensible 05:08 < Cronix> where? 05:08 < Cronix> sensible? 05:08 < Cronix> what kind of sensible? 05:09 < dazo> Cronix: if it's not in Debian repos .... you can compile it yourself .... it's pretty easy, you need lzo-dev and openssl-dev packages .... and the source from http://www.openvpn.net/ 05:09 < vpnHelper> Title: Welcome to OpenVPN (at www.openvpn.net) 05:09 < dazo> Cronix: client config looks fine 05:09 < Cronix> k 05:09 < Cronix> hm 05:09 < Cronix> is there an svn? 05:09 < Cronix> xD 05:10 < Cronix> pub svn 4 checkout 05:10 < dazo> Cronix: yeah ... but it's quicker to pull the tar ball ..... curl http://openvpn.net/release/openvpn-2.1_rc15.tar.gz | tar xzvf - 05:11 < Cronix> -curl +wget 05:11 < Cronix> have no curl installed 05:12 -!- zheng3 [n=roger@222.66.224.106] has quit [Remote closed the connection] 05:12 < dazo> Cronix: heh ... then you can't unpack on the fly :-P ... but wget works as well 05:12 < Cronix> ^^ 05:12 < Cronix> and on debian 05:12 < Cronix> its not openssl-dev 05:12 < Cronix> its 05:12 < Cronix> libssl-dev 05:13 < dazo> ahh ... well, you caught my main point :) 05:13 < Cronix> ^^ 05:14 < dazo> it's a billion distros available ... 
I have no intent to learn all of them, only those I want to use myself, and I expect others to know how to handle the distro of their choice ;-) 05:15 < Cronix> ^^ 05:15 < Cronix> i have 4 PC's here 05:15 < Cronix> @ work 05:15 < Cronix> xD 05:15 < Cronix> 2debian, 1mac g3 and 1 dell with win 7 05:15 * dazo goes for lunch 05:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:44 -!- patrik [n=none@81-233-255-230-no13.business.telia.com] has quit [Read error: 113 (No route to host)] 05:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:01 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 06:07 -!- youngpro is now known as pro 07:14 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection] 07:39 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 110 (Connection timed out)] 07:39 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 07:42 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has joined ##openvpn 07:47 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has quit [Client Quit] 07:47 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 07:48 -!- EQUIV [n=equiv@217-210-188-35-no110.tbcn.telia.com] has joined ##openvpn 07:49 < EQUIV> can I have a VPN server through a vpn tunnel? 07:50 < EQUIV> I want to split another vpn connection so that more than one can be connected at the same time 07:50 < EQUIV> is that possible? 07:50 < ecrist> sure 07:51 < ecrist> but there are potential mtu issues 07:51 < EQUIV> How do I set up the default gateways? 07:51 < ecrist> it's covered in the man page 07:51 < ecrist> or how to 07:53 < EQUIV> How do I get pptpd to listen on ppp0? 07:54 < ecrist> sorry, we don't support pptp in here. 
07:54 < EQUIV> Okey :/ 07:54 -!- EQUIV [n=equiv@217-210-188-35-no110.tbcn.telia.com] has left ##openvpn ["Lämnar"] 08:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:55 -!- seven_ [n=seven@193.164.131.45] has joined ##openvpn 08:56 < seven_> Hi there, do you know a good howto for forwarding a resolvable internet static IP to a client over openvpn ? thank you 08:56 < ecrist> seven_: didn't you ask that question yesterday? 08:57 < seven_> sure 08:57 < seven_> but got no answer 08:57 < seven_> do you have one ? 08:57 < ecrist> forwarding resolvable ips is no different than 1918 addresses 08:57 < seven_> look 08:57 < seven_> I could forward those IPs 08:58 < seven_> but server dd not deal with them 08:58 < seven_> did 08:58 < ecrist> sure it does. 08:58 < seven_> they had the IP with no internet 08:58 * plaerzen waves. 08:58 < ecrist> I've done it myself, and I know people who did it. 08:58 < seven_> very nice 08:58 < ecrist> seven_: then you're missing the proper routing on the server end. 08:58 < ecrist> morning, plaerzen 08:58 < seven_> could you give me a copy of the config files 08:59 < ecrist> seven_: they're no different than a regular config file 08:59 < seven_> should be natted first then ? 08:59 < ecrist> nat isn't required 08:59 < ecrist> just proper routing 08:59 < seven_> should I put the config here ? 09:00 < ecrist> what am I going to do with it? 09:00 < seven_> well 09:00 < seven_> find the mistake 09:00 < seven_> if it exists 09:00 < ecrist> sure, but you haven't really told me your problem.
09:00 < ecrist> !configs 09:00 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:01 < seven_> my problem is : I want to forward a Resolvable static IP 09:01 < seven_> couldn't achieve that 09:01 < seven_> look 09:02 < seven_> I have this in my server.conf : 09:02 < seven_> client-config-dir ccd 09:02 < seven_> route the.static.IP subnet 09:02 < seven_> that was in the server.conf 09:02 < ecrist> seven_: have you read this? 09:02 < ecrist> !route 09:02 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:03 < seven_> then I have an error here ? 09:04 < seven_> I have at the ccd/keyname : 09:05 < ecrist> seven_: have you read the link I posted above? 09:05 < seven_> ifconfig-push the.static.IP subnet 09:05 < seven_> I am 09:05 < ecrist> read it, completely, then come back 09:05 < seven_> ok thanks 09:06 < theDoc> hello all 09:09 < seven_> welcome 09:14 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 09:18 < ecrist> lol 09:18 < ecrist> http://www.centos.org/modules/newbb/viewtopic.php?topic_id=19246 09:18 < vpnHelper> Title: www.centos.org - Forums - CentOS 5 - Networking Support - please help to configure openvpn and routing (at www.centos.org) 09:22 < epaphus> good morning all :) 09:27 < plaerzen> g'morning 09:28 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 09:36 < plaerzen> So. How is everyone this fine spring Friday ? 09:37 < ecrist> friggin' fantastic! 09:37 -!- gerente [i=gerente@189.96.241.121] has joined ##openvpn 09:37 < ecrist> I get to round up drunks tonight on a 'safe and sober' detail.
mauahahaha 09:37 < ecrist> warm weather = drunk driving 09:39 < gerente> Hi, I created a small C program to run in the --up option, this example opens and writes text in a file and returns 0, but openvpn always says: script failed: returned error code 1 09:40 < ecrist> my guess is it's failing. 09:40 < gerente> ecrist: yes, but how do I debug it? 09:41 < ecrist> not sure, really 09:41 < ecrist> what're you doing that you need a binary for the up script? 09:41 -!- damcgett [n=chatzill@mail.voxpilot.com] has joined ##openvpn 09:42 < dazo> gerente: the C program needs to send return 1 or return 0 in the main function to work 09:43 < plaerzen> ecrist, The joys of living right smack downtown. I can stumble home from all the best places. 09:43 < dazo> gerente: I've done this as an experiment earlier, and it worked like a charm .... 09:43 < dazo> gerente: try to create a test program ... which only does return 0 in the main function .... 09:43 < gerente> dazo: hum.. ok 09:44 < dazo> gerente: if that fails ... it might be an issue with the openvpn config .... depends on which version you're running 09:45 < damcgett> Hey, I'm wondering if the following might be possible: I have an openvpn server and a remote client, connection is working fine. Is it possible to configure a route so that other machines on the same network as the remote client can use its vpn connection to access resources on the lan of the vpn server?
09:46 < ecrist> yes 09:46 < ecrist> you just need to do one of two things 09:47 < ecrist> 1) setup nat on the vpn client for the local lan and enable ip forwarding in the kernel, and route the appropriate network 09:47 < ecrist> or 2) read here 09:47 < ecrist> !route 09:47 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:48 -!- Cronix [n=bigluks@et-1-16.gw-nat.bs.ka.oneandone.net] has quit [Remote closed the connection] 09:50 < gerente> dazo: ok, only return 0 and script-security 2 work fine... 09:51 < dazo> gerente: that sounds sensible 09:52 < damcgett> option one sounds good, but the client is using windows xp.. 09:52 -!- seven_ [n=seven@193.164.131.45] has quit [Read error: 104 (Connection reset by peer)] 09:53 -!- seven_ [n=seven@a196-6.adsl.paltel.net] has joined ##openvpn 09:56 < seven_> hi again 09:57 < seven_> hello ? 09:58 * dazo warns seven_ that we don't jump on people's commands ... we are here and answer when we get questions we can answer 09:59 < seven_> ? 09:59 < seven_> I did not understand 09:59 < seven_> what is my mistake to be warned ? 10:00 < seven_> anyway 10:00 < seven_> I need working configs 10:00 < seven_> for forwarding resolvable internet static IPs 10:01 < seven_> and I'll give annual webhosting for free for it 10:07 < [4-tea-2]> seven_: do you have a working VPN connection? 10:08 < seven_> sure 10:08 < seven_> and I can redirect my connection over it 10:09 < [4-tea-2]> seven_: the static IP is routed to the VPN server? 10:09 < seven_> I am not sure 10:09 < seven_> can I give you the configs 10:09 < seven_> so you can check it ? 10:09 < [4-tea-2]> I can traceroute the static IP for you and tell you what's the last hop I see. 10:10 < seven_> but I can't reveal them here, can we continue in private ? 10:10 < [4-tea-2]> If that is your VPN server, you should be good. If not, then not.
10:10 < [4-tea-2]> You can /msg me, if you want. 10:10 < seven_> its my server 10:10 < seven_> and my server 10:10 < seven_> service 10:10 < seven_> may I pm you ? 10:10 < [4-tea-2]> Yes. 10:11 < seven_> thanks 10:31 * plaerzen just poked a paper clip through his eyebrow 10:32 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:51 < ecrist> and, krzee is a bitch, so I wouldn't listen to that advice 10:52 < krzee> hah sucks that my advice was to send ecrist $ then 10:52 < ecrist> doh! 10:52 < krzee> speaking of which, i need to do that pretty soon here 10:53 < krzee> i figure ill have you ship that one tower first 10:53 < krzee> so i can toss both in together 10:53 < ecrist> ok 10:53 < krzee> (both payments) 10:53 < ecrist> http://secure-computing.net/files/04162009_bullseye.jpg 10:53 < ecrist> another one, yesterday. :D 10:54 < krzee> haha 10:54 < krzee> you're just a 007 10:54 < ecrist> I'm going to start shooting at further distances now. 10:56 < krzee> makes sense 10:57 * plaerzen prefers "Riker" 10:57 < plaerzen> I started out as 007, then I got good with the ladies. 10:57 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 11:00 -!- troy is now known as troy- 11:23 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 11:49 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 11:54 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 11:54 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn 12:01 -!- gerente [i=gerente@189.96.241.121] has quit [Client Quit] 12:02 -!- hagna [n=hagna@70.102.57.178] has joined ##openvpn 12:02 < hagna> the server says MULTI: bad source address from client [10.1.2.60], packet dropped when pinged from the client 12:03 < hagna> why is it checking? 
12:11 < hagna> I added a route for it on the server with "ip route add" 12:17 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn 12:21 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 12:21 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 12:23 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 12:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:28 -!- seven_ [n=seven@a196-6.adsl.paltel.net] has quit ["Leaving"] 12:38 < unix3_> hmm.. is it ok if I remove this when starting up my client.. i dont understand what difference it would make.. --management-hold "Start OpenVPN in a hibernating state, until a client of the management interface explicitly starts it with the hold release command." 12:43 < hagna> ok so I can route to the client machine at 10.132.0.4, but not the client subnet of 10.1.0.0/16 from the server half of the connection 13:04 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has left ##openvpn [] 13:09 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn 13:10 -!- eliasp [n=quassel@78.43.213.203] has quit [Dead socket] 13:13 -!- eliasp [n=quassel@78.43.213.203] has joined ##openvpn 13:14 -!- eliasp__ [n=quassel@78.43.213.203] has joined ##openvpn 13:15 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 104 (Connection reset by peer)] 13:15 -!- eliasp_ [n=quassel@78.43.213.203] has quit ["No Ping reply in 30 seconds."] 13:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 13:18 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit] 13:25 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has joined ##openvpn 13:25 < hoops125> !redirect 13:25 < vpnHelper> hoops125: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see 
!ipforward) and NAT (see !nat) enabled on the server. 13:27 < hoops125> What exactly does the bypass-dns directive do? I have it enabled with --redirect-gateway, though all my dns traffic is not going through the vpn 13:29 < hoops125> !nat 13:29 < vpnHelper> hoops125: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:30 < hoops125> !ipforward 13:30 < vpnHelper> hoops125: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:30 < hoops125> !linipforward 13:30 < vpnHelper> hoops125: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:30 < hoops125> !def1 13:30 < vpnHelper> hoops125: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:30 < hoops125> !man 13:30 < vpnHelper> hoops125: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:39 -!- troy- is now known as troy 13:41 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has left ##openvpn [] 13:45 < ecrist> who's the bitch, now? 14:15 -!- albech [n=albech@119.42.77.174] has quit [Read error: 110 (Connection timed out)] 14:15 -!- albech [n=albech@119.42.77.112] has joined ##openvpn 14:16 < plaerzen> you? 
14:32 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has joined ##openvpn 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 < [4-tea-2]> How do I execute scripts when the VPN connection is actually established? 14:49 < Bushmills> [4-tea-2], call scripts by name 14:49 < [4-tea-2]> Ah, got it. 14:50 < [4-tea-2]> on the client, with --up-delay, on the server with --client-connect 14:50 < [4-tea-2]> ...I think. 14:50 < [4-tea-2]> But the man page fooled me more than once. ;) 14:51 < [4-tea-2]> Bushmills: what did you mean, can I just call the scripts from the ccd file? 14:51 < [4-tea-2]> (I already set --script-security 2) 14:52 < Bushmills> i misunderstood. thought, connection has been established, and now you want to execute scripts 14:52 < Bushmills> wasn't clear you intended to execute a script upon connection 14:54 < [4-tea-2]> I'm still trying to reuse a static IP for a local connection and a VPN connection. 14:55 < [4-tea-2]> Since I used the setup from the "Static Key Mini Howto", that meant I couldn't do the route magic I needed from OpenVPN and had to do it with a shell script instead. 14:57 < [4-tea-2]> Now I've switched to ca keys, with server and client, and I'm trying to put the script stuff in the OpenVPN config, in order to get rid of the shell script.
15:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."] 15:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:03 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 16:12 -!- onats2 [n=15172@221.121.120.254] has quit [Read error: 104 (Connection reset by peer)] 16:15 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"] 16:32 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn 16:55 -!- c64zottel [n=hans@p5B17AD87.dip0.t-ipconnect.de] has quit ["Leaving."] 17:02 -!- damcgett [n=chatzill@mail.voxpilot.com] has quit [Read error: 113 (No route to host)] 18:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 18:30 < krzie> [4-tea-2] what pastebin the script 18:38 < krzie> -what 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:01 < dan__t> WHAT 19:02 < dan__t> what's up. 
19:08 < krzie> what what 19:08 < krzie> in the butt 19:09 < krzie> i said what what 19:09 < krzie> in the butt 20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 21:39 -!- nemysis [n=nemysis@137-215.3-85.cust.bluewin.ch] has quit [Success] 21:39 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn 21:44 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has joined ##openvpn 21:44 -!- theDoc [n=andelyx@bb116-15-81-155.singnet.com.sg] has quit [Client Quit] 21:44 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 23:55 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn --- Day changed Sat Apr 18 2009 00:05 -!- alami_ [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 00:06 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 00:14 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 00:23 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [] 00:27 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 00:29 -!- Techdeck [n=meh@IGLD-84-228-21-28.inter.net.il] has joined ##openvpn 00:29 < Techdeck> hey fellas 00:30 < Techdeck> I set up an openvpn server just like instructed in the gentoo wiki, I also set up the client and started it / connected to my server 00:30 < Techdeck> it seems my connection to the server is fine, I can even ping myself (10.8.0.6) with no problems through the server 00:30 < Techdeck> problem is, I cannot ping 10.8.0.1 from the client side, and when I go to whatismyip.com I still have my IP, and not the server one 00:30 < Techdeck> any ideas what is the problem? 00:31 < Techdeck> http://en.gentoo-wiki.com/wiki/OpenVPN <-- the gentoo wiki, by the way 00:31 < vpnHelper> Title: OpenVPN - Gentoo Linux Wiki (at en.gentoo-wiki.com) 00:32 < Techdeck> anyone around? 
00:44 < Techdeck> come on :9 01:04 -!- onats_ [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 01:05 -!- theDoc [n=andelyx@208.99.194.194] has quit [] 01:07 -!- albech [n=albech@119.42.77.112] has quit [Read error: 104 (Connection reset by peer)] 01:21 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 01:31 < krzee> you cant ping .1 means firewall problem 01:31 < krzee> on the server 01:31 < krzee> !linfw 01:31 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 01:32 < krzee> (the first part of the topic told you to check your firewall ;] ) 01:34 -!- Techdeck` [n=meh@Techdeck.org] has joined ##openvpn 01:40 -!- Techdeck [n=meh@IGLD-84-228-21-28.inter.net.il] has quit [Read error: 104 (Connection reset by peer)] 01:41 -!- Techdeck [n=meh@84.228.21.28] has joined ##openvpn 01:42 -!- Techdeck [n=meh@84.228.21.28] has quit [Read error: 54 (Connection reset by peer)] 01:42 -!- Techdeck [n=meh@84.228.21.28] has joined ##openvpn 01:44 -!- Techdeck` [n=meh@Techdeck.org] has quit [Read error: 104 (Connection reset by peer)] 01:48 -!- Techdeck [n=meh@84.228.21.28] has quit [Read error: 104 (Connection reset by peer)] 02:03 -!- js_ [n=js@193.0.253.161] has quit [Read error: 113 (No route to host)] 02:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: bandini, ropetin 02:06 -!- Netsplit over, joins: ropetin 02:10 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn 02:17 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Connection reset by peer] 02:17 -!- bandinia [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined 
##openvpn 02:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:42 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 02:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 02:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: js_ 03:06 -!- Netsplit over, joins: js_ 03:12 -!- troy is now known as troy- 03:18 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 03:18 -!- alami_ [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 03:53 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has joined ##openvpn 04:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 04:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy, ThoMe, karlpinc, worch 04:04 -!- Netsplit over, joins: karlpinc, Dougy, ThoMe, worch 04:09 -!- SuperEvilDeath16 [n=death@212.206.209.177] has joined ##openvpn 04:13 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has joined ##openvpn 04:16 < Guest88> since i got a vpn connection with openvpn --config client.conf established i cannot connect to sites anymore, just pure ping with ip works. what can i do ? (i have opensuse) 04:18 < Guest88> it seems that name resolution doesnt work any more...
04:19 < Guest88> i tried it with a fresh restart, with networkmanager and without, but it didn't help 04:21 < krzee> change your nameserver 04:21 < krzee> 4.2.2.1 will work for testing 04:21 < krzee> that can be done in /etc/rc.conf 04:21 < krzee> !factoids search ns 04:21 < vpnHelper> krzee: 'insanity', 'lans', 'pfsense', 'pushdns', 'wins', 'quietopenssl', and 'dns' 04:21 < krzee> !dns 04:21 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1 04:22 < Guest88> got it. /etc/resolv.conf was overwritten... 04:22 < Guest88> thx 04:22 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has quit ["Java user signed off"] 04:26 -!- SuperEvilDeath15 [n=death@212.206.209.177] has quit [No route to host] 04:27 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has joined ##openvpn 04:31 < Guest88> when i start a connection via openvpn -config asdf.conf - How can I stop this connection? I tried it with /etc/init.d/openvpn stop, but webpages show me that the ip is still the other one. 04:31 < krzee> killall -9 openvpn 04:32 < Guest88> now i have no internet anymore... :( 04:33 -!- Flumdahl [i=n30@shell.auth.se] has quit [Read error: 110 (Connection timed out)] 04:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:33 < krzee> !configs 04:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:34 < krzee> you havnt said ANYTHING about your setup, nobody can help you without knowing about it 04:34 < Guest88> with killall -9 openvpn && rcnetwork restart i get my old ip back - but i cannot believe that this is the correct way... 04:34 < krzee> correct way?
04:35 < krzee> you run openvpn in daemon mode, killing it is the correct way 04:35 < krzee> the fact that you have no inet means you are using --redirect-gateway 04:35 < krzee> the fact that it doesnt come back means you arent using def1 04:35 < Guest88> and what can i do to have internet after killing? 04:35 < krzee> why do you make me guess your entire setup instead of posting the configs i asked for? 04:37 < Guest88> krzee: http://pastie.org/450630 04:38 < krzee> read this again 04:38 < krzee> !configs 04:38 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:40 < Guest88> i have no server configs 04:40 < krzee> if theres no server, you have nothing to connect to 04:41 < krzee> also 04:41 < Guest88> it is not my server, it's the server of the university 04:41 < krzee> with comments removed 04:41 < krzee> i even gave the command for it 04:41 < krzee> ok well the university has a setting wrong 04:41 < krzee> most likely they are pushing --redirect-gateway but without this: 04:41 < krzee> !def1 04:41 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 04:44 -!- Guest88 [n=guest88@dslb-088-073-110-028.pools.arcor-ip.net] has quit ["Java user signed off"] 05:15 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 104 (Connection reset by peer)] 05:16 -!- alami [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 05:19 -!- eliasp__ is now known as eliasp 05:33 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 05:40 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn 06:15 -!- alami_ [n=up@p57A77127.dip.t-dialin.net] has joined ##openvpn 06:16 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 54 (Connection reset by peer)] 06:24 -!- albech [n=albech@119.42.77.112] has joined ##openvpn 07:30 -!- alami [n=up@p57A739F9.dip.t-dialin.net] has joined ##openvpn 07:31 -!- alami_ [n=up@unaffiliated/alami] has quit [Read error: 60 (Operation timed out)] 07:36 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has left ##openvpn [] 08:01 < [4-tea-2]> With a static client-to-client setup, OpenVPN uses two IP addresses per connection. 08:01 < [4-tea-2]> With a "real" setup (client-server), it uses four. How come? 08:03 < [4-tea-2]> Does it split the network configured with the "server" statement in one /30 per client? 08:09 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 08:21 -!- Quintin [n=user@208.119.128.251] has joined ##openvpn 08:31 < Quintin> I built a remote support tool that "pushes" a VNC connection to me so I can help clients. But I no longer have a public IP that I can control ... I'm travelling a lot. So, can I have the VPN server forward all traffic on a certain port to the VPN client on a certain port, and then point my helpdesk tool at the VPN server? 
08:32 -!- tjz [n=tjz@bb220-255-151-27.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 08:36 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn 08:45 < [4-tea-2]> Quintin: unless you're using the VPN for other stuff as well, I would recommend ssh instead. 08:48 < Quintin> [4-tea-2]: sometimes I use it to drag and drop stuff onto server (samba), otherwise VPN was just to learn how to make it go... how would I do what I need with SSH ??? 08:48 < Quintin> Remember, I don't control the network I am using locally 08:48 < [4-tea-2]> Assuming that VNC uses a single TCP port, SSH port forwarding can probably do what you need. 08:49 < [4-tea-2]> As in: ssh -g -R :localhost: 08:50 < [4-tea-2]> That will bind an ssh tunnel on : on the server, accept traffic from anywhere, and forward that traffic to your local machine, sending it to :. 08:51 < [4-tea-2]> ...as long as this ssh connection is alive. 08:52 < [4-tea-2]> If your target machine is a windows box, "putty" can do port forwarding. Don't know about other clients. 08:53 < [4-tea-2]> If you want to solve the problem with OpenVPN, I think you can do it by redirecting the incoming traffic on the VNC port to the VPN tunnel, possibly with iptables DNAT 09:08 -!- mbutUbuntu01 [n=sampler@static-217-133-40-175.clienti.tiscali.it] has joined ##openvpn 09:08 < mbutUbuntu01> hello folks 09:08 < mbutUbuntu01> I've a little problem... 09:09 < mbutUbuntu01> I've created a link between two servers, but during the night the link went down even if on both servers the openvpn daemon and the tap interface 09:10 < mbutUbuntu01> were (and are still) correctly configured... why the link goes down automatically??? 09:10 < mbutUbuntu01> I need a persistent link 09:13 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:13 < [4-tea-2]> I wasn't aware that OpenVPN closed connections for no good reason. Perhaps --keepalive could help? 
09:14 < [4-tea-2]> My crappy DSL router likes to drop natted connections when they are inactive for a while. --keepalive avoids that behaviour. 09:17 < mbutUbuntu01> I'm using keepalive 14 360000 09:17 < mbutUbuntu01> I know 360000 is a very big value 09:18 < [4-tea-2]> So why do you use it? 09:18 < [4-tea-2]> Wouldn't it be smarter to recognize earlier when the link is down? 09:18 < mbutUbuntu01> because I had the same problem past days 09:18 < mbutUbuntu01> the link went down 09:19 < mbutUbuntu01> right 09:19 < mbutUbuntu01> if I give 14 30, if the server doesn't answer for 30 seconds the client re-resolves the ip of the server??? 09:20 < [4-tea-2]> Not sure, I wouldn't use a DNS name in --remote, because I don't necessarily have a DNS service before the tunnel is established. 09:20 < mbutUbuntu01> I need 09:21 < mbutUbuntu01> I've only dynamic public IPs 09:21 < mbutUbuntu01> no static.... :D:D 09:21 < [4-tea-2]> I see. Perhaps with a 24hr disconnect by the ISP? 09:23 < mbutUbuntu01> no 09:23 < [4-tea-2]> If the server got a new IP every night and it took a while for your dynamic dns service, that would explain why you had a problem every night. 09:23 < mbutUbuntu01> my connections have good quality and reliability 09:24 < mbutUbuntu01> [4-tea-2], so what can I do for a stable VPN link??? 09:25 < [4-tea-2]> So your problem is that for unknown reasons the VPN connection is closed every night and is not automagically re-established until you intervene? 09:25 < mbutUbuntu01> right 09:26 < [4-tea-2]> Have you checked the log file, server and client-side? 09:26 < mbutUbuntu01> I think I should tell you that the client is behind a router 09:27 < mbutUbuntu01> I've no log files.... I thought openvpn wrote logs automatically...
09:27 < mbutUbuntu01> I must write this directive in the .conf
09:28 < [4-tea-2]> On Debian, it's by default configured to log via syslog to /var/log/daemon.log
09:28 < mbutUbuntu01> I'm on archlinux
09:28 < mbutUbuntu01> on both points
09:29 < [4-tea-2]> Well, check the usual suspects.
09:29 < mbutUbuntu01> what?
09:30 < [4-tea-2]> e.g. /var/log/{messages,daemon.log,syslog} or whatever they are called on archlinux.
09:30 < mbutUbuntu01> ok
09:31 < [4-tea-2]> "grep -rl ovpn /var/log/" could give a hint.
09:32 < mbutUbuntu01> [4-tea-2], only question the keepalive flag must be the same on both client and server??
09:32 < [4-tea-2]> I *think* one keepalive statement will take care of both ends automagically.
09:32 < [4-tea-2]> That's how I understand the man page.
09:33 < [4-tea-2]> Correction:
09:33 < [4-tea-2]> I *think* a keepalive statement ON THE SERVER will take care of both ends automagically.
09:35 < mbutUbuntu01> on the messages.log I've the information on the activation of the link, not on the failure of the link...
09:36 < mbutUbuntu01> on the both client and server I have no info on the failure...
09:36 < mbutUbuntu01> Apr 18 12:27:43 localhost openvpn[6302]: Peer Connection Initiated with 79.53.100.126:1194
09:36 < mbutUbuntu01> yesterday
09:36 < mbutUbuntu01> Apr 18 16:29:16 localhost openvpn[6302]: Peer Connection Initiated with 217.133.40.175:22149
09:36 < mbutUbuntu01> and today
09:36 < [4-tea-2]> It failed silently? Were the openvpn processes still running when you noticed the VPN link was down?
09:37 < mbutUbuntu01> yes
09:37 < mbutUbuntu01> [I have pasted the incorrect line]
09:37 < mbutUbuntu01> daemons and interfaces were up on both sides
09:37 < mbutUbuntu01> but the link was down
09:37 < [4-tea-2]> I'm lost, sorry.
09:38 < [4-tea-2]> I don't think that's supposed to happen.
09:38 < mbutUbuntu01> I'm lost too...
it seems to be a paradox
09:38 < [4-tea-2]> My ISP disconnects me each night and I get a new IP, OpenVPN never took more than a few seconds to reestablish the VPN.
09:39 < mbutUbuntu01> I want try to leave an ssh connection or a ping always
09:39 < mbutUbuntu01> is it possible that the router blocks the traffic?
09:39 < [4-tea-2]> You might want to try switching to tcp.
09:39 < [4-tea-2]> Perhaps your router can handle tcp better than udp.
09:40 < mbutUbuntu01> the router is not mine...
09:40 < mbutUbuntu01> I can't have access to the router....
09:40 < [4-tea-2]> You don't have to. ;)
09:40 < [4-tea-2]> Let OpenVPN use tcp instead of udp.
09:41 < mbutUbuntu01> I need openvpn only because noone wants a few ports forwarded..
09:41 < mbutUbuntu01> on the .conf?
09:41 < [4-tea-2]> I think it's worth a try. The router might be smarter handling a tcp connection than single udp packets.
09:41 < [4-tea-2]> Let me see what I use...
09:42 < [4-tea-2]> On the server: "proto tcp-server" in server.conf
09:42 < [4-tea-2]> On the client: "proto tcp" in wifi.conf
09:43 < [4-tea-2]> Hmmm. According to the man page, I should have used "proto tcp-client" on the client.
09:44 < [4-tea-2]> But it works anyway. :D
09:45 < mbutUbuntu01> ok
09:45 < [4-tea-2]> I changed it now to tcp-client, it still seems to work.
09:45 < mbutUbuntu01> proto tcp-server proto tcp-client
09:45 < mbutUbuntu01> works works
09:45 < mbutUbuntu01> keepalive 14 60
09:45 < mbutUbuntu01> on both sides
09:45 < mbutUbuntu01> I hope it works always....
09:46 < [4-tea-2]> good luck!
09:46 < mbutUbuntu01> but If I have the same problem I don't know how manage it....
09:46 < [4-tea-2]> I'd suggest as first step: increase verbosity for the log messages
09:47 < mbutUbuntu01> 3 ??
09:47 < [4-tea-2]> But I think we've addressed the two problems that were involved... the keepalive restart delay, and the router possibly failing to nat udp packages over an extended time.
09:48 < mbutUbuntu01> so you think it should work?
09:48 < [4-tea-2]> Yes, but I also think it shouldn't have NOT worked in the first place. :D
09:49 < mbutUbuntu01> for the keepalive incorrect configuration?
09:50 < [4-tea-2]> I believe you said you used that ridiculously large keepalive value only AFTER the problem started, correct?
09:50 < mbutUbuntu01> I don't perfectly remember but I think yes...
09:51 < mbutUbuntu01> the first experiment I did was a few weeks ago
09:51 < [4-tea-2]> Well, just try and see. I don't think the changes we've done can hurt in any way.
09:52 < mbutUbuntu01> now the link is up
09:52 < mbutUbuntu01> [4-tea-2], thanks
09:53 < [4-tea-2]> my pleasure, hope it helps
09:53 < mbutUbuntu01> even if it will not work I know something new.... :D
10:01 -!- mbutUbuntu01 [n=sampler@static-217-133-40-175.clienti.tiscali.it] has quit ["Sto andando via"]
10:10 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has joined ##openvpn
10:15 < [4-tea-2]> Sweet, now I know how to the local machines in my network that one of them has moved from the local net to a VPN connection.
10:15 < [4-tea-2]> *how to tell
10:30 -!- MissNeBuN [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit ["This computer has gone to sleep"]
10:32 -!- tjz [n=tjz@bb116-15-135-176.singnet.com.sg] has joined ##openvpn
11:06 -!- Quintin [n=user@208.119.128.251] has left ##openvpn []
11:22 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
11:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:44 -!- r_001 [n=r_001@86.99.21.4] has joined ##openvpn
11:44 < r_001> I need a config file for openVPN, any one can send it to me please
11:45 < r_001> config file!
11:45 < r_001> !config file
11:45 < vpnHelper> r_001: Error: 'supybot.file' is not a valid configuration variable.
11:45 < r_001> !conf file
11:45 < vpnHelper> r_001: Error: "conf" is not a valid command.
11:46 < alami> !menu
11:46 < r_001> !.conf file
11:46 < vpnHelper> alami: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:46 < vpnHelper> r_001: Error: ".conf" is not a valid command.
11:46 < r_001> !menu
11:46 < vpnHelper> r_001: "menu" is (#1) please use '!factoids search *', or (#2) you can leave it a * to see all, or replace it with a word to search for
11:46 < r_001> *
11:46 < r_001> !*
11:46 < vpnHelper> r_001: Error: "*" is not a valid command.
11:46 < alami> !help
11:46 < vpnHelper> alami: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
11:46 < r_001> alami: can you send me a config file
11:46 < r_001> it's my first time to use VPN
11:47 < alami> i can't sorry but i will search you one now
11:47 < alami> don't care
11:47 < alami> !factoids search .conf
11:47 < vpnHelper> alami: No keys matched that query.
11:47 < alami> !openvpn
11:47 < vpnHelper> alami: Error: "openvpn" is not a valid command.
11:48 < r_001> how do you run your VPN ?
11:48 < alami> i don't have it now, i have it on VM..
11:48 -!- lapinferoce [n=eric@bny93-4-82-235-240-122.fbx.proxad.net] has joined ##openvpn
11:49 < alami> hat!factoids search *
11:49 < alami> !factoids search *
11:49 < vpnHelper> alami: More than 100 keys matched that query; please narrow your query.
11:51 < alami> !configs
11:51 < vpnHelper> alami: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:52 < alami> my computer is weird :(
11:52 < alami> wait plz i will restart
11:53 < r_001> alami: tyt
11:54 < r_001> people anyone here know how to configure VPN easy ?
11:55 -!- alami [n=up@unaffiliated/alami] has quit []
11:57 < Bushmills> r_001, reading the howto and setting up server and client accordingly is the standard method
11:57 < Bushmills> !howto
11:57 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:57 < r_001> Bushmills: I did
11:57 < r_001> but it's useless
11:57 -!- albech [n=albech@119.42.77.112] has quit [Connection timed out]
11:57 < r_001> I'm using kvpn
11:57 < r_001> not command line
11:58 < r_001> I'm new man
11:58 < Bushmills> sorry, i don't know of a simpler way
11:58 -!- albech [n=albech@119.42.77.112] has joined ##openvpn
11:59 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has quit [Remote closed the connection]
11:59 < Bushmills> but if you fail to set it up using kvpn, that way seems to be more complicated
11:59 < r_001> :(
11:59 < r_001> Bushmills: at kVPN, ask for config gile
11:59 < r_001> file*
11:59 < r_001> but I don't know from where I can get it
12:00 < r_001> I just want to use VPN, to open some sites
12:00 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has joined ##openvpn
12:00 < Dougy> hey
12:00 < r_001> my country block skype
12:00 < r_001> so I want to use it to open skype
12:00 < Bushmills> /usr/share/doc/openvpn/examples/ contains example configs
12:01 < Dougy> hey Bushmills
12:01 < Bushmills> how's it, Dougy
12:01 < Dougy> it is
12:01 < Dougy> you?
12:02 < Bushmills> finefine
12:02 * Dougy is excited for wednesday
12:02 < r_001> Bushmills: I have to create server and client !!!?
12:02 < Dougy> yes
12:02 < Bushmills> rainy day nevertheless i am heading outside
12:03 < Dougy> its amazing here
12:03 < Dougy> and im stuck in an office
12:03 < Dougy> lol
12:03 < Bushmills> r_001, yes. if not you, who else?
12:03 < Bushmills> r_001, a consultant, maybe?
12:08 -!- lapinferoce [n=eric@bny93-4-82-235-240-122.fbx.proxad.net] has quit [Remote closed the connection]
12:09 < r_001> Bushmills: do you have any free proxy server ip I can use
12:09 < r_001> or any free VPN server I can connect to
12:12 < Bushmills> r_001, sorry, i have to pay for my servers, can't just pass them on for free
12:12 < r_001> how much ?
12:14 < Bushmills> about 250 dirham
12:15 < [4-tea-2]> r_001: why do the UAE block skype?
12:15 < r_001> to gain profit from high call costs
12:15 < r_001> [4-tea-2]: do you have any way to use skype
12:15 < Bushmills> r_001, have you checked out SIP phones?
12:15 < r_001> I tried JAP
12:15 < r_001> same same
12:16 < r_001> JAP isn't working
12:16 < [4-tea-2]> I don't think JAP or TOR will provide the bandwidth needed for telephony.
12:17 < r_001> [4-tea-2]: both of them are blocked too :(
12:17 < r_001> [4-tea-2]: do you have any ideas to solve this problem ?
12:17 < [4-tea-2]> Are you sure, OpenVPN isn't blocked as well?
12:17 < Bushmills> r_001, openvpn is not a public service. it is more like .. a cable implemented in software which you can install between two machines.
12:17 < r_001> Bushmills: is there any public VPN server I can use ?
12:18 < Bushmills> i know of none. which doesn't mean that there isn't any.
12:18 < [4-tea-2]> r_001: if there was and it was public, it would need a lot of bandwidth because a lot of people would be using it, right?
12:19 < r_001> hotspot is one of free VPN server, but I don't know how to connect to it
12:19 < [4-tea-2]> you could rent a root server somewhere and set up your own VPN server there.
12:20 < Bushmills> r_001, best guess is ...
12:20 < Bushmills> what [4-tea-2] said...
12:20 < r_001> [4-tea-2]: how to setup a VPN server there ?
12:20 < Bushmills> command line :D
12:20 < [4-tea-2]> Would OpenVPN run on a virtual server? I don't think they usually offer tun/tap, right?
12:23 < [4-tea-2]> Ah, it seems it depends on the vserver technology in use.
12:23 * Bushmills gone, enjoying the rain
12:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
12:27 < r_001> [4-tea-2]: anyway thank you
12:27 < r_001> have a nice day
12:27 -!- r_001 [n=r_001@86.99.21.4] has quit [Remote closed the connection]
12:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:55 -!- troy- is now known as troy
13:03 -!- Hydroxide [n=jim@debian/developer/jimmy] has joined ##openvpn
13:05 < Hydroxide> hi ... I have a reasonably up-to-date Vista SP1 32-bit install, and I just downloaded OpenVPN 2.1rc15. I'm getting errors from Vista saying that tap0901.sys has known compatibility problems with this version of Windows
13:05 < Hydroxide> is that warning accurate or is it a holdover from the former tap0801 driver which did have problems?
13:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:16 < Hydroxide> never mind, it was just windows handling the situation badly when I had an incompatible older version installed. uninstalling that first worked.
13:16 -!- Hydroxide [n=jim@debian/developer/jimmy] has left ##openvpn []
13:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
13:30 -!- c64zottel [n=hans@p5B17BF3F.dip0.t-ipconnect.de] has quit ["Leaving."]
14:15 -!- albech [n=albech@119.42.77.112] has quit [Read error: 110 (Connection timed out)]
14:15 -!- albech [n=albech@119.42.77.133] has joined ##openvpn
14:54 -!- Lilarcor_ [n=Lilarcor@2.sub-97-1-137.myvzw.com] has joined ##openvpn
15:01 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
15:55 -!- tjz [n=tjz@bb116-15-135-176.singnet.com.sg] has quit [Connection timed out]
16:04 -!- mbutUbuntu01 [n=mbutu@host217-110-dynamic.8-79-r.retail.telecomitalia.it] has joined ##openvpn
16:05 < mbutUbuntu01> hello folks...
16:05 < krzie> hello
16:05 < mbutUbuntu01> I made a giant error
16:06 < mbutUbuntu01> i gave ifconfig tap0 down on remote client
16:06 < mbutUbuntu01> I should give tap0:0 down
16:06 < mbutUbuntu01> a stupid giant error....
16:06 < mbutUbuntu01> :-(
16:07 < mbutUbuntu01> do you know if after some time openvpn restarts the interface?
16:07 < mbutUbuntu01> what a stupid
16:07 < krzie> i dont believe it will
16:07 < mbutUbuntu01> :D:D:D
16:08 < krzie> just tell someone there to reboot it if its a service
16:08 < mbutUbuntu01> I'll wait monday...
16:08 < mbutUbuntu01> eh...
16:08 < mbutUbuntu01> there is no service...
16:08 < krzie> it doesnt start on boot?
16:08 < mbutUbuntu01> that machine is in my school
16:08 < mbutUbuntu01> yes it does automatically start on boot
16:09 < krzie> so a reboot would fix
16:09 < mbutUbuntu01> but I can't reboot the machine
16:09 < mbutUbuntu01> and nobody can...
16:09 < krzie> now i see its not windows, and its running tap
16:09 < mbutUbuntu01> yeah
16:09 < krzie> may i ask what layer2 protocol you use over your vpn?
16:09 < mbutUbuntu01> not windows not...
16:09 < mbutUbuntu01> tcp
16:09 < krzie> thats layer3
16:09 < krzie> !tunortap
16:09 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
16:09 < krzie> !tcp
16:09 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:10 -!- bandinia [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:11 < mbutUbuntu01> krzie, today someone here helped me on this VPN... I had a problem: the link went down
16:12 < mbutUbuntu01> krzie, what do you mean with tunortap?
16:13 < krzie> if you arent tunneling something destined for a MAC address, you want tun
16:13 < krzie> aka layer2
16:14 < mbutUbuntu01> ok
16:14 < mbutUbuntu01> I use tap
16:17 < krzie> i know
16:17 < krzie> which is why im telling you that
16:18 < krzie> if you were using tun i wouldnt bother telling you that you're most likely wasting overhead
16:19 < mbutUbuntu01> krzie, do you want to know where the remote client is??
16:19 < krzie> huh?
16:20 < mbutUbuntu01> In the electronic music laboratory
16:20 < mbutUbuntu01> I study there in a Music Academy
16:20 < krzie> cool
16:20 < mbutUbuntu01> but noone must know that there is a link between me and there
16:20 < krzie> i dont see how that changes anything...
16:21 < mbutUbuntu01> mmhh
16:21 < mbutUbuntu01> I tried to call and I didn't know that there was a person during the night
16:22 < mbutUbuntu01> he could restart the machine
16:22 < mbutUbuntu01> but I fear he could say that I have access on Academy's private LAN...
16:22 < mbutUbuntu01> I don't know...
16:23 < mbutUbuntu01> what would you do?
16:23 < krzie> i prolly wouldnt be tunneling into my schools lan if i wasnt allowed to
16:23 < UtopiahGHML> :)
16:24 < krzie> unless it was to change my grades or something, which im pretty sure isnt what you're doing...
16:24 < krzie> lol
16:24 < mbutUbuntu01> I'm not doing nothing illegal
16:24 < krzie> they allow you to tunnel in?
16:24 < mbutUbuntu01> I only need to work on a project that involves laboratory PCs
16:25 < mbutUbuntu01> krzie, no
16:25 < krzie> so you are giving yourself access that you are not allowed to have?
16:25 < mbutUbuntu01> but You MUST know that in Italy everyone likes to stop you doing something cool or intellectual
16:25 < krzie> lol
16:25 < krzie> im pretty sure that has nothing to do with it
16:26 < krzie> its about security, not because its 'cool'
16:26 < krzie> if it was my school network you wouldnt be able to get your vpn out
16:26 < krzie> ;]
16:26 < mbutUbuntu01> krzie, sorry...
the "cool" thing is not have a tunnel
16:26 < mbutUbuntu01> the "cool" thing is the project I'm working on
16:26 < krzie> but anyways, do whatever you gotta do
16:27 < krzie> theres nothing you can do bout the fact you broke it remotely
16:27 < krzie> so wait or get it fixed remotely
16:27 < mbutUbuntu01> krzie, I think it's better to wait monday....
16:27 < mbutUbuntu01> :D:D:D
16:28 < mbutUbuntu01> krzie, what do you mean with "if it was my school network you wouldnt be able to get your vpn out" ??
16:28 < krzie> i mean ild enforce my rules through technology
16:28 < krzie> not through trust
16:28 < krzie> like if i was their admin
16:29 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
16:29 < mbutUbuntu01> krzie, sorry I'm not English mother language...
16:29 < mbutUbuntu01> I don't understand
16:29 < krzie> i would make it so you could not connect to a vpn
16:30 * [4-tea-2] just switched his connection from tcp to udp.
16:30 < krzie> good job [4-tea-2]
16:30 < [4-tea-2]> thanks for the link, krzie
16:30 < krzie> np
16:30 < mbutUbuntu01> krzie, you must know also that security is an optional
16:31 < mbutUbuntu01> :D:D
16:31 < mbutUbuntu01> they think that a sure network is a disconnected network
16:32 < mbutUbuntu01> but when you ask to forward a port from the router to an internal server they say "no!!!"
16:32 < mbutUbuntu01> but I say that the risk is about the same...
16:32 < mbutUbuntu01> they say no!!!!
16:32 < UtopiahGHML> 0_o
16:33 < mbutUbuntu01> but If we need a website, the Academy has no money to buy a private host and noone authorizes you to forward two stupid ports
16:34 < mbutUbuntu01> I think they are only some pieces of shit
16:34 < krzie> i wouldnt do it either if that makes you feel any better...
16:34 < krzie> anyone need help with openvpn before i go do other things?
16:34 < mbutUbuntu01> so I made this VPN link to have this site and not only...
16:35 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
16:41 < krzie> bash: /usr/bin/grep: Argument list too long
16:41 < krzie> i hate that
16:41 < krzie> then i hafta do a for loop just to grep
16:43 < funky> could any of you paste ifconfig/route from a openvpn server (routed mode) in pastebin.com or any of the sort
16:43 < funky> I don't understand how many networks I finally should have
16:44 < krzie> umm
16:44 < krzie> why dont you paste yours and ill tell you if its right
16:44 < krzie> or tell me what you dont understand...
16:44 < krzie> im guessing its this:
16:44 < krzie> !/30
16:44 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:44 < funky> let's see
16:45 < krzie> server is using .1 ptp .2, first client is using .6 ptp .5, but only server can ping .6 and client can only ping .1
16:45 < krzie> so you dont understand why it would be like that... am i right?
16:45 < funky> mine is much simpler than that
16:45 < funky> ptp ?
16:46 < krzie> in ifconfig
16:46 < krzie> inet 10.8.1.1 --> 10.8.1.2 netmask 0xffffffff
16:46 < krzie> like that
16:46 < funky> aha
16:46 < krzie> yet that box cant ping .2
16:46 < krzie> (cause its internal to openvpn, as explained in !/30 and !topology)
16:47 < krzie> it can however ping .6
16:48 < funky> how many interfaces do you have in a simple case scenario ?
16:48 < funky> network interfaces
16:48 < krzie> for my vpn, 1
16:48 < funky> mm
16:48 < krzie> because i use client/server mode i can connect as many clients to that interface as i want
16:48 < krzie> !sample
16:48 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:48 < krzie> thats an example of client/server mode
16:49 < krzie> how bout this
16:49 < krzie> just ask your real question
16:49 < krzie> something along the lines of "i want to do this, im trying to do this, how can i do that"
16:49 < krzie> and we'll go from there
16:50 < funky> ok
16:50 < funky> let's see..
16:50 < funky> let me think, I got new information with all that stuff that you just gave me
16:51 < funky> I don't want to make you lose your time
16:51 < funky> let me try it by myself
16:51 < krzie> ok
16:51 < funky> thank you very much for your interest
16:51 < funky> are you usually around ?
16:51 < krzie> !irclogs
16:51 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
16:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
16:51 < funky> because I've got some "advanced" questions for later
16:51 < krzie> that has graphs of who is around, what times of the day, etc
16:51 < funky> thank you again
16:52 < krzie> but basically it comes down to im here way too often
16:52 < krzie> and i seem to talk too much, lol
16:52 < funky> XD
16:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:52 < funky> first I want to run a very simple scenario
16:53 < funky> but later, I need -> AD auth, Vlans
16:53 < krzie> whats your end goal
16:53 < krzie> ahh
16:53 < krzie> vlans...?
16:53 < funky> yes, I mean, I got let say 100 users
16:53 < funky> user #1 always has the same ip using cable
16:54 < funky> I want him to get that same IP from the vpn
16:54 < funky> but user #2 has a different ip in a different vlan
16:54 < krzie> !static
16:54 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:54 < funky> yup, I read something about the ccd entries
16:54 < krzie> !ccd
16:54 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
16:55 < funky> ok, i've got a lot of info
16:56 < funky> thank you
16:56 < funky> reading time
16:56 < krzie> np
17:02 -!- Lilarcor_ [n=Lilarcor@2.sub-97-1-137.myvzw.com] has quit [Client Quit]
17:26 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:26 < Dougy[Home]> hey all
17:26 < Dougy[Home]> krzie: hi
17:26 < krzie> sup doug
17:26 < Dougy[Home]> oh man
17:26 < Dougy[Home]> that was epic
17:26 < Dougy[Home]> lol
17:27 < Dougy[Home]> krzie.. someone spammed the forum and added
17:27 < Dougy[Home]> "PS sorry"
17:27 < Dougy[Home]> at the end
17:27 < krzie> more porn?
17:27 < Dougy[Home]> nope
17:27 < Dougy[Home]> http://www.ovpnforum.com/viewtopic.php?f=6&p=128&sid=6595886f95c695cd7dc0f179e94ab629#p128
17:27 < vpnHelper> Title: OpenVPN Forum View topic - best computer home based business (239 $ per day) (at www.ovpnforum.com)
17:27 < krzie> damn i liked the porn one
17:27 < Dougy[Home]> Haha.
17:27 < Dougy[Home]> Hmm.. man.
17:27 * Dougy[Home] is a bit shaken up at the moment
17:29 < krzie> why?
17:29 < Dougy[Home]> I don't even know
17:29 < Dougy[Home]> but
17:29 < Dougy[Home]> its weird.
17:29 * Dougy[Home] doesn't even know how to explain it
17:29 < Dougy[Home]> but
17:29 < Dougy[Home]> I have a bad gut feeling something bad is going to happen
17:30 < krzie> theres hes removed
17:30 < krzie> along with his posts
17:30 < Dougy[Home]> nice
17:31 < Dougy[Home]> i hate this too, cuz last time i had this feeling a bunch of people i know died in a horrible car wreck
17:31 < Dougy[Home]> fwiw there's another spam post in there
17:31 < krzie> hah more spam too
17:31 < Dougy[Home]> Everyone in here should join the FORUM
17:31 < krzie> lol
17:32 < krzie> why would they, they get help here
17:32 * Dougy[Home] hasn't talked to ecrist in a while
17:32 < Dougy[Home]> because forums are win, krzee
17:32 < Dougy[Home]> krzie I*
17:32 < Dougy[Home]> .......
17:32 < Dougy[Home]> krzie *
17:32 < Dougy[Home]> Tab key fail.
17:32 < Dougy[Home]> hrm... krzie.. i have a ton of old xeons sitting here..
17:32 < Dougy[Home]> like 15
17:32 < Dougy[Home]> like Irwindales and some others
17:33 < krzie> ok he's deleted too
17:34 < Dougy[Home]> nice
17:34 < Dougy[Home]> Ahahahhaa. The Yankees are getting spanked.
17:34 < krzie> savagely
17:34 < krzie> 20/4
17:34 < Dougy[Home]> lmfao
17:34 < Dougy[Home]> i know
17:34 < Dougy[Home]> win
17:35 < krzie> mets fan?
17:35 < Dougy[Home]> yessssssir
17:35 < Dougy[Home]> it's not that i don't like the yankees.. i just hate that they are all spoiled twats
17:35 < krzie> i hate that they try to buy the championship
17:35 < Dougy[Home]> ll
17:35 < Dougy[Home]> lol
17:35 < krzie> so i love when they get spanked like this
17:35 < Dougy[Home]> me too
17:35 < Dougy[Home]> hmm.. i need some new irc networks to go hang on
17:36 < krzie> ohey
17:36 < Dougy[Home]> i have been around the same old shops
17:36 < Dougy[Home]> for 5 years
17:36 < Dougy[Home]> maybe more
17:36 < krzie> whats a website with info on your VPSs?
17:36 < Dougy[Home]> my expensive ones
17:36 < Dougy[Home]> or my cheapo mini ones
17:36 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has joined ##openvpn
17:37 < Dougy[Home]> ?
17:37 < krzie> wouldnt there be 1 link with both infos?
17:37 < Dougy[Home]> neg, i have 2 separate pages
17:37 < krzie> well, both i guess
17:37 -!- mbutUbuntu01 is now known as mbutuarch
17:37 < Dougy[Home]> www.bergenhosting.com/vps.php is my expensive ones (i can always work out a deal for krzee's friends) and www.bergenhosting.com/budgetvm.php are the minis
17:38 < krzie> werd
17:38 < krzie> so the real answer to my first question was www.bergenhosting.com/
17:38 < krzie> hehe
17:39 < Dougy[Home]> fair enough
17:39 < Dougy[Home]> lol
17:39 * Dougy[Home] was thinking about relaunching BudgetVM.com
17:52 < Dougy[Home]> wow
17:52 < Dougy[Home]> i was looking for "ness"
17:52 < Dougy[Home]> she used to be here a long long time ago
17:52 < Dougy[Home]> <~wahrheit> yeah, i know who you're talking about
17:52 < Dougy[Home]> <~wahrheit> that person hasn't been on this network in probably, i don't know, 4-5 years. it was before i came along
17:52 < Dougy[Home]> krzie: see what i mean about me only having my old diggs?
17:53 < Dougy[Home]> lol
17:53 < krzie> old diggs?
17:53 < Dougy[Home]> as in
17:53 < Dougy[Home]> old hangouts
17:53 < Dougy[Home]> i only have a few places that i have been at for ages
17:53 < Dougy[Home]> lol
17:53 < krzie> ahh
17:54 * Dougy[Home] needs new places to hang out.. and sell servers
17:54 < Dougy[Home]> ahahaha
17:54 < Dougy[Home]> whoo paycheck.. $335
17:55 < krzie> ouch
17:55 < krzie> bet that on shogun rua in tonights fight
17:55 < krzie> 335 can get ya 536
17:57 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:57 -!- Dougy[Home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Nick collision from services.]
17:57 -!- Dougyyy is now known as dougy[home]
17:58 < dougy[home]> back
17:58 < dougy[home]> did you say anything to me krzie
17:58 < krzie> whoo paycheck.. $335
17:58 < krzie> ouch
17:58 < krzie> bet that on shogun rua in tonights fight
17:58 < krzie> 335 can get ya 536
17:58 < dougy[home]> ah yea
17:58 < dougy[home]> 335 can get ya 536
17:58 < dougy[home]> lol
17:58 < dougy[home]> 335 for 45 hours of work
17:58 < dougy[home]> after tax
17:58 < dougy[home]> * Disconnected
17:59 < krzie> so 335 turns into 871
17:59 < krzie> (or nothing, depending who wins)
17:59 < krzie> lol
18:02 < dougy[home]> ah
18:02 < dougy[home]> lol
18:07 < karlpinc> What is "direction" in --secret file [direction]? What are the possible values and what do they mean?
18:07 < krzie> !man
18:07 < karlpinc> Where do I rtfm?
18:07 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:08 < reiffert> karlpinc: on the chair, in front of your computer.
18:08 < karlpinc> krzie : Yes, where in there? I read that?
18:08 < krzie> umm, at --secret
18:08 < karlpinc> reiffert : Where it says "i.e. one side should use "0" and the
18:08 < karlpinc> other should use "1""?
18:09 < reiffert> karlpinc: normally people *search* within manpages to read the paragraph around a possible answer and repeat that until illumination.
18:09 < karlpinc> reiffert : Did so, can't find it. Maybe I'm having a brain fart, so I asked here.
18:09 < reiffert> allright, let me help you.
18:09 < reiffert> 01:07 < karlpinc> What is "direction" in --secret file [direction]? What are the possible values and what do they mean?
18:10 < krzie> -secret file [direction]
18:10 < krzie> Enable Static Key encryption mode (non-TLS). Use pre-shared secret file which was generated with --genkey.
18:10 < krzie> The optional direction parameter enables the use of 4 distinct keys (HMAC-send, cipher-encrypt, HMAC-receive, cipher-decrypt), so that each data flow direction has a different set of HMAC and cipher keys. This has a number of desirable security properties including eliminating certain kinds of DoS and message replay attacks.
18:10 < krzie> When the direction parameter is omitted, 2 keys are used bidirectionally, one for HMAC and the other for encryption/decryption.
18:10 < krzie> The direction parameter should always be complementary on either side of the connection, i.e. one side should use "0" and the other should use "1", or both sides should omit it altogether.
18:10 < krzie> The direction parameter requires that file contains a 2048 bit key. While pre-1.5 versions of OpenVPN generate 1024 bit key files, any version of OpenVPN which supports the direction parameter, will also support 2048 bit key file generation using the --genkey option.
18:10 < reiffert> When the direction parameter is omitted, 2 keys are used bidi-
18:10 < reiffert> rectionally, one for HMAC and the other for encryption/decryp-
18:10 < reiffert> tion.
18:10 < reiffert> The direction parameter should always be complementary on either
18:10 < reiffert> side of the connection, i.e. one side should use "0" and the
18:10 < krzie> Static key encryption mode has certain advantages, the primary being ease of configuration.
18:10 < krzie> There are no certificates or certificate authorities or complicated negotiation handshakes and protocols. The only requirement is that you have a pre-existing secure channel with your peer (such as ssh ) to initially copy the key. This requirement, along with the fact that your key never changes unless you manually generate a new one, makes it somewhat less secure than TLS mode (see below). If an attacker manages to steal your key, everything that w
18:10 < reiffert> other should use "1", or both sides should omit it altogether.
18:10 < reiffert> The direction parameter requires that file contains a 2048 bit
18:10 < reiffert> key. While pre-1.5 versions of OpenVPN generate 1024 bit key
18:10 < krzie> Another advantageous aspect of Static Key encryption mode is that it is a handshake-free protocol without any distinguishing signature or feature (such as a header or protocol handshake sequence) that would mark the ciphertext packets as being generated by OpenVPN. Anyone eavesdropping on the wire would see nothing but random-looking data.
18:10 < reiffert> files, any version of OpenVPN which supports the direction pa-
18:10 < reiffert> rameter, will also support 2048 bit key file generation using
18:10 < krzie> lol
18:10 < reiffert> the --genkey option.
18:11 < reiffert> Time for some bunny hopping
18:11 < karlpinc> Thats nice. So it says there are 4 possibilites, gives two, says you can use 0 and 1 as "pairs". That does not tell me much.
18:11 < reiffert> bbl
18:11 < reiffert> karlpinc: be sure to read the rest on top and above those lines.
18:11 < reiffert> &
18:13 < karlpinc> reiffert : The part that says "direction" is optional, or the paragraph above that?
18:14 < karlpinc> I just don't get it. Suppose I want to enable HMAC-send keys. What value should be supplied for direction?
18:16 < karlpinc> Really what I want to do is use --tls-auth, but I want the client having to do the work. Should the server have 0 or 1 for direction?
18:20 < karlpinc> I.e. 1 requires the other end to do the encryption, or 1 requires this end to do the encryption?
18:21 < karlpinc> Or, does 1 mean don't encrypt?
18:22 < dougy[home]> hrmm
18:22 < dougy[home]> flooders
18:22 < dougy[home]> reiffert!!!!!!!!!!!!!!!
18:22 < karlpinc> dougy[home] : That's what killbots are for.
18:26 -!- troy is now known as troy-
18:29 < krzie> lol
18:29 < krzie> karlpinc, all that is very clearly explained in the manual
18:29 < krzie> !man
18:29 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:29 < krzie> very very clearly explained
18:30 < karlpinc> krzie : I don't see it in the 2.0 manual. Perhaps I should look in the 2.1 manual.
18:31 < krzie> look in the manual which corresponds with your version of openvpn
18:34 < karlpinc> krzie : Ok. I've read both manuals. Would you please point me to the sentence that says what's different when you say "0" than when you say "1"? For that matter, 0 and 1 just appear as a "for instance". Where does it say that those are the only legal values? I just don't see it.
18:35 < karlpinc> krzie : I'm imagining that 1 really means "true -- require the other end to use the secret before I talk to it", but that's a guess.
18:37 < karlpinc> krzie : It could mean "true - have this end use the secret when talking to the other end". I don't see anything spelled out.
18:37 < karlpinc> gone -- will check back for answers.
18:41 < krzie> i have no clue what you're looking for that isnt plainly spelt out in the manual
18:43 -!- mbutuarch [n=mbutu@host217-110-dynamic.8-79-r.retail.telecomitalia.it] has quit ["Leaving"]
18:47 < dan__t> wat
18:50 < dougy[home]> krzie: you say spelt too
18:50 < dougy[home]> !
18:50 < krzie> *shrug*
18:50 < dougy[home]> i got in trouble in english class for that
19:00 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
19:00 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:01 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has joined ##openvpn
19:09 < krzie> !route
19:09 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:17 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
19:22 < krzie> there
19:22 < krzie> i added a forum post about my routing document, and linked the document to it
19:23 < krzie> Written by krzee @ ##OpenVPN @ freenode IRC
19:23 < krzie> Feel free to discuss this document on the unofficial OpenVPN forum at: OpenVPN Forum: Lans behind OpenVPN
19:23 < krzie> http://www.ovpnforum.com/viewtopic.php?f=8&t=98
19:23 < vpnHelper> Title: OpenVPN Forum View topic - Lans behind OpenVPN (at www.ovpnforum.com)
19:23 < Dougyyy> krzie - win
19:26 < krzie> how am i possibly still a junior user?
19:27 < krzie> oh i see, it was never setup
19:28 < Dougyyy> nod
19:29 < krzie> there we go
19:29 < krzie> now im a VPN helper
19:30 < Dougyyy> woot
19:30 < krzie> and after 20 you become a member
19:30 < krzie> after 50 you become a senior member
19:30 < Dougyyy> nice
19:31 < Dougyyy> :)
19:32 < krzie> hey go here
19:32 < krzie> http://www.masflowteam.com/
19:32 < vpnHelper> Title: **|| MASFLOWTEAM.COM || ** (at www.masflowteam.com)
19:32 < krzie> vote for ghetto george at the bottom bottom right
19:50 -!- troy- is now known as troy
20:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:02 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:12 < krzie> !configs
21:12 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:19 -!- Dougyyy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
21:20 < krzie> !tcp
21:20 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
21:32 < krzie> hey dougy
21:32 < krzie> how do i make a post sticky and closed?
21:32 < krzie> i made a new post in configuration saying what we need to help them
21:34 < dougy[home]> hmm
21:34 < dougy[home]> hell if ir emember
21:34 < dougy[home]> i dont even remember my user/pass
21:34 < dougy[home]> lol
21:52 < krzie> ... whose forum is this?
21:55 < dougy[home]> what?
21:56 < krzie> like isnt this your forum?
21:56 < dougy[home]> yes
21:56 < dougy[home]> look at my last login date, lol
21:57 < krzie> well common admin... admin!
21:57 < dougy[home]> ahh ah
21:58 < dougy[home]> there we go
21:58 < dougy[home]> Last visit was: 10 Dec 2008 18:40
21:58 < krzie> its stupid that admin stuff is 100
21:58 < krzie> its stupid that admin stuff is 100% seperate from bwosing the forum
21:59 < dougy[home]> yeah
21:59 < krzie> i should be able to delete someones post from there, manage a user from there, make a post sticky from there, close a thread from there
21:59 < dougy[home]> agreed
22:00 < krzie> http://www.ovpnforum.com/viewtopic.php?f=6&t=99
22:00 < vpnHelper> Title: OpenVPN Forum View topic - General rules for getting help (at www.ovpnforum.com)
22:01 < krzie> pls close and sticky it
22:01 < dougy[home]> already was reading it :]
22:03 -!- troy is now known as troy-
22:08 -!- Dougyyy [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:08 < Dougyyy> hmm
22:08 < Dougyyy> FFFFFFS
22:08 < Dougyyy> wifi fails so hard
22:09 < Dougyyy> ecrist: ping
22:09 < dan__t> PONG MOTHERFUCKER
22:12 < Dougyyy> dan__t: you are not welcome here
22:12 < dan__t> No.
22:12 < dan__t> I'm just bored.
22:22 < krzie> heh
22:30 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
22:42 < Dougyyy> meh
22:42 < Dougyyy> gf went to sleep
22:42 < Dougyyy> so im off
22:42 < Dougyyy> cya
22:42 < krzie> what bout that thread
23:09 -!- krzie [i=krzee@unaffiliated/krzee] has quit ["My damn controlling terminal disappeared!"]
23:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:44 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has quit ["bbl"]
--- Day changed Sun Apr 19 2009
00:25 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
00:34 -!- albech [n=albech@119.42.77.133] has quit [Read error: 104 (Connection reset by peer)]
01:00 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
01:02 -!- albech [n=albech@119.42.77.133] has joined ##openvpn
01:05 -!- albech_ [n=albech@119.42.77.133] has joined ##openvpn
01:21 -!- albech [n=albech@119.42.77.133] has quit [Connection timed out]
01:22 -!- albech_ is now known as albech
01:25 < krzee> !pushdns
01:25 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
01:26 -!- albech [n=albech@119.42.77.133] has quit [Read error: 104 (Connection reset by peer)]
01:50 -!- albech [n=albech@119.42.77.133] has joined ##openvpn
01:53 < reiffert> moin
01:59 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has joined ##openvpn
02:00 -!- Gabriel25ny [n=missnebu@pool-72-68-157-205.nycmny.fios.verizon.net] has quit [Client Quit]
02:10 < krzee> moin moin
02:43 -!- theDoc- [n=andelyx@bb116-15-19-198.singnet.com.sg] has joined ##openvpn
02:49 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
03:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:31 -!- mandh_ [n=chatzill@82.137.216.38] has joined ##openvpn
03:34 -!- mandh_ is now known as mandh
03:40 -!- mandh is now known as mandh12
03:42 -!- mandh12 is now known as mandh
03:44 -!- mandh [n=chatzill@82.137.216.38] has left ##openvpn []
03:45 -!- mandh [n=chatzill@82.137.216.38] has joined ##openvpn
03:48 < mandh> Hi , i have open vpn client connect to more that remote server , when remote server one fail , it connect successfully to the second one , but when first one back to work , the client still connected to the second one , any hint please
03:48 < mandh>
03:59 -!- mandh [n=chatzill@82.137.216.38] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
04:03 -!- mandh [n=chatzill@82.137.216.38] has joined ##openvpn
04:06 < krzee> only 1 idea
04:07 < krzee> you can have a script check which you're on, if on second one, ping first
04:07 < krzee> if first responds, kill openvpn and start it again
04:08 < krzee> then it will connect to first
04:08 < krzee> *shrug*
04:08 < krzee> or you can connect first and second and make it not matter which you're on
04:08 < mandh> yes
04:08 < krzee> gnite
04:08 < krzee> gf waiting for me
04:09 < mandh> so there is no another solution
04:09 < mandh> build in in openvpn itself
04:28 -!- c64zottel [n=hans@p5B179D59.dip0.t-ipconnect.de] has joined ##openvpn
04:54 -!- lynx_r [n=quassel@95-107-123-151.dsl.orel.ru] has joined ##openvpn
05:09 -!- theDoc- [n=andelyx@bb116-15-19-198.singnet.com.sg] has quit [Read error: 113 (No route to host)]
05:18 -!- nihilstar [n=nihil@89.136.243.243] has joined ##openvpn
05:42 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
05:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:05 -!- nihilstar [n=nihil@89.136.243.243] has quit ["Ex-Chat"]
06:08 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
06:10 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
06:12 -!- onats [n=15172@unaffiliated/onats] has quit [Nick collision from services.]
06:12 -!- onats_ is now known as onats
06:13 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
06:22 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn
06:25 -!- mandh [n=chatzill@82.137.216.38] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
07:22 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:22 < gebura> hi
07:23 < gebura> i am looking for help for debugging networkmanager-openvpn , i am on the right place (nobody answer on #nm) ?
07:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:48 -!- lynx_r [n=quassel@95-107-123-151.dsl.orel.ru] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
08:30 -!- row [i=row@who.br0ke.me.uk] has quit []
08:47 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:01 -!- dougy[home] [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
09:05 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
09:10 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
09:15 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:15 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:18 -!- Dougyyy [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
09:21 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
09:52 -!- Yasuo [n=Max@dslb-088-072-201-207.pools.arcor-ip.net] has joined ##openvpn
09:52 < Yasuo> hiho
09:53 < Yasuo> when i connect two clients to a openvpn server, is it normal that they cannot ping each other per default?
09:53 < gebura> firewall problem ?
09:54 < Yasuo> the server is firewalled, but Port 1194 is open and the clients are conencted
09:54 < gebura> ok sory, i misread
09:54 < gebura> no idea
09:54 < Yasuo> according to tcpdump the ping of the 1st client did not reach the 2nd client
09:55 < Yasuo> np
09:55 < gebura> can the server ping each other ?
09:55 < gebura> what is the mask of server / client ?
09:56 < gebura> maybe you can use ip_forwarding (dirty hack but i down know very well openvpn)
09:56 < Yasuo> all masks are 255.255.255.255
09:57 < Yasuo> default config setting
09:57 < gebura> you should test with /24
09:57 < gebura> (= 255.255.255.0)
09:58 < Yasuo> server 10.8.0.0 255.255.255.0 tahst the default
10:00 < theDoc> Yasuo: By default, if your clients are assigned a /30, they cannot ping each other.
10:00 < theDoc> I have that on my setup, I don't really want the clients to be communicating.
10:02 < Yasuo> how do i change it to /24? by server.config?
10:03 < Yasuo> i have a service running on one client, and the 2nd has to access it
10:05 < theDoc> Yasuo: Probably inside server.conf, I'm lazy enough to not want to fire up my config file to check it for you
10:06 < theDoc> !route
10:06 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:06 < Yasuo> server 10.8.0.0 255.255.255.0
10:06 < Yasuo> tahts written down in my config. but the cleints have 255.255.255.255
10:06 < theDoc> Err, No
10:06 < theDoc> Hm
10:06 < theDoc> Yasuo: I believe that's somewhere in the docs, try searching ;p
10:07 < Yasuo> k :P
10:08 -!- troy- is now known as troy
10:08 < Yasuo> maybe i should just run the openvpn on the VM runniong the desired service and forward openvpn's udp-port
10:09 < gebura> Yasuo, you also have to verifiy that your client have a route to 10.8.0.x not only to 10.8.0.1 (if 1 is the server)
10:14 < Yasuo> ok i just had to push it
10:15 < Yasuo> it confused me a bit thats all :)
10:15 < Yasuo> push "route 10.8.0.0 255.255.255.0"
10:36 -!- xororand [n=xororand@unaffiliated/xororand] has joined ##openvpn
10:37 -!- Dougy [i=doug@64-18-144-2.ip.bergenhosting.com] has quit ["Lost terminal"]
11:09 -!- albech [n=albech@119.42.77.133] has quit [Read error: 110 (Connection timed out)]
11:09 -!- albech [n=albech@119.42.77.158] has joined ##openvpn
12:47 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)]
13:00 -!- mavimo [n=marco@host93-9-dynamic.104-80-r.retail.telecomitalia.it] has joined ##openvpn
13:01 < mavimo> hi @ all..
13:23 -!- mavimo [n=marco@host93-9-dynamic.104-80-r.retail.telecomitalia.it] has left ##openvpn []
13:34 -!- c64zottel [n=hans@p5B179D59.dip0.t-ipconnect.de] has left ##openvpn []
13:37 < dougy[home]> troy fails
13:39 < troy> ?????
13:39 < troy> bbiab
13:40 < dougy[home]> ahaha
13:40 < dougy[home]> k
14:10 < dan__t> WHAT
14:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
14:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:42 -!- theDoc [n=andelyx@208.99.194.194] has quit []
14:58 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
15:06 -!- Yasuo [n=Max@dslb-088-072-201-207.pools.arcor-ip.net] has quit ["Leaving."]
15:09 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:12 -!- Kurogane [i=Kuro@190.53.8.79] has quit ["Saliendo"]
15:31 < dougy[home]> sigh
15:31 < dougy[home]> i try to set up an easy vpn
15:31 < dougy[home]> and fail
15:32 < dougy[home]> there we go..
15:32 < dougy[home]> it magically worked
15:39 < Bushmills> there's no magic about replicating the steps from the howto
15:39 < dougy[home]> well
15:39 < dougy[home]> vpn was up for 5 minutes and didn't work
15:39 < dougy[home]> then abruptly RDP went through
15:40 < Bushmills> was already open before openvpn connected?
15:40 < dougy[home]> nope
15:41 < Bushmills> any other check you did, like, pinging remote?
15:43 -!- troy is now known as troy-
15:43 < Bushmills> however, would result of setting up openvpn depend on magic, not many people were successfully running it
15:44 < Bushmills> i'd even propose: in case of magic as one ingredient of peer to peer communication, openvpn would be superfluous
15:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:57 -!- troy- is now known as troy
16:47 -!- nemysis [n=nemysis@236-141.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
16:49 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has joined ##openvpn
16:56 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: ThoMe, karlpinc, worch
16:58 -!- Netsplit over, joins: karlpinc, worch
16:58 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
16:59 -!- Netsplit over, joins: ThoMe
18:02 -!- albech [n=albech@119.42.77.158] has quit [Read error: 60 (Operation timed out)]
18:13 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
18:13 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
18:23 -!- troy is now known as troy-
19:35 < ecrist> dougy[home]: pong
19:49 < dougy[home]> hihi
19:49 < dougy[home]> :)
19:50 < ecrist> what were you pinging me fore?
19:50 < ecrist> s/e$//
19:52 < dougy[home]> need help
19:52 < dougy[home]> heh
19:52 < dougy[home]> on the forum i mean
19:53 < dougy[home]> is there phpmyadmin on your server somewhere?
19:53 < ecrist> oh, ok, what do you need?
19:53 < ecrist> yes
19:53 < ecrist>
19:53 < ecrist> /sql-admin
19:53 * dougy[home] needs to modify the email address for the admin user so he can recover the pw
19:54 < dougy[home]> now to find the user info
19:55 < ecrist> it's in the phpbb config file
19:55 < dougy[home]> yes
19:55 < krzee> also if you can figure out how to close a thread and make it sticky...
19:55 < krzee> pleae do
19:55 < dougy[home]> i mean i need to find the info to log into the ftp
19:55 < krzee> please
19:55 < dougy[home]> and krzee: once i get the admin pass
19:55 < dougy[home]> ;p
19:55 * ecrist has admin
19:55 < krzee> i made a post for what to give us to get help in configuration
19:55 < ecrist> krzee, you're an admin, iirc
19:56 < krzee> ya, cant find how to do that
19:56 < krzee> ive been removing the spam and whatnot...
19:56 < dougy[home]> ecrist: how is mrs. crist?
19:56 < ecrist> doing good.
19:56 < ecrist> krzee, which forum needs to be closed/stickied?
19:56 < dougy[home]> hmm
19:57 < dougy[home]> google' search is failing me
19:57 < ecrist> the general rules for getting help section?
19:58 < dougy[home]> balls where did i put that email hah
19:59 < ecrist> dougy[home]: resent
20:04 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:06 < dougy[home]> ecrist
20:06 < dougy[home]> did i ever mention you da man?
20:07 < ecrist> :) nope
20:07 < dougy[home]> well, i did now
20:07 < dougy[home]> h.s-c.net/sql-admin ?
20:08 < ecrist> yes
20:08 < dougy[home]> 404
20:12 < ecrist> https://www.secure-computing.net/sql-admin
20:12 < vpnHelper> Title: phpMyAdmin 2.10.0.2 (at www.secure-computing.net)
20:15 * ecrist goes away
20:16 < dougy[home]> oh
20:16 < dougy[home]> i went to hosting./sql-admin
20:16 < dougy[home]> not just s-c.net
20:17 < dougy[home]> krzie: there?
20:26 < dougy[home]> fail
20:38 < krzee> ?
20:43 -!- troy- is now known as troy
21:03 -!- dougy[home] [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit []
21:09 < karlpinc> krzee : You were spectactularly unhelpful yesterday. I just spent less time reading the code to get the answer than the time I wasted in irc with you. And it was much less frustrating. It's a shame that this channel was a time suck rather than a help.
21:10 < krzee> thats great
21:10 < krzee> i dont even remember you
21:10 < karlpinc> krzee : I could have your handle wrong. If so I apologize.
21:10 < krzee> nah im here pretty often, could have been
21:11 < onats1> lol
21:11 -!- onats1 [n=15172@221.121.120.254] has left ##openvpn []
21:11 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
21:32 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
21:56 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has joined ##openvpn
22:53 < zheng> Can PF(i.e. packet filter) control or filter the packets from a client to another client? How to do it?
22:54 < sirus> client to another client?
22:55 < zheng> I means, A<->B, A<->C, but I want to cut the B<->C, is it possible?
22:55 < zheng> yes, client to client?
23:00 < sirus> i dunno
23:07 -!- tjz [n=tjz@bb116-15-44-154.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)]
23:10 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has joined ##openvpn
23:10 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
23:13 -!- albech [n=albech@119.42.76.62] has quit [Client Quit]
23:24 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
23:37 -!- scwang [n=scwang@123.118.123.27] has joined ##openvpn
23:54 < krzee> zheng,
23:54 < zheng> krzee, yes
23:54 < krzee> are you asking if there is a way to cut the server out of the chain when openvpn clients communicate?
23:54 < zheng> yes,
23:54 < krzee> so the clients can directly exchange packets...?
23:55 < krzee> cant be done with openvpn
23:55 < krzee> yet
23:55 < krzee> if you are a good coder ild be happy to give you how i think it could be done
23:55 < zheng> can not ?
23:55 < krzee> can not
23:55 -!- c1rcuit [n=c1rcuit@pool-70-111-224-141.nwrk.east.verizon.net] has joined ##openvpn
23:56 < c1rcuit> how do i start openvpn from command line?
23:56 < c1rcuit> i mean termina;
23:56 < c1rcuit> l
23:56 < c1rcuit> lol
23:56 < krzee> !man
23:56 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
23:56 < zheng> yes, I want to know how you think it.
23:56 < krzee> you just run it with the config file
23:56 < krzee> for the most basic
23:56 < krzee> everything else can go in the config
23:56 < krzee> (and anything in the config can be on commandline)
23:57 < krzee> zheng, you're a good coder?
23:57 < c1rcuit> i am getting "openvpn: service not started"
23:57 < zheng> eh, yes, I'm a software engineer.
23:57 < krzee> sweet
23:57 < krzee> ok heres my idea
23:57 < krzee> there would be an extra client config option
23:57 < krzee> to allow it to go direct or not
23:58 < krzee> then the person requesting the connection tells the server it wants to go direct with the client in question
23:58 < krzee> (automaticly based on the config option that told it so)
23:59 < krzee> the server then gives the other client info to make an outbound connection to you
23:59 < krzee> and tells your client about it to, both with all needed info given to it by server
23:59 < krzee> they can even do key exchange through the server
23:59 < krzee> since both know about it, they can make outbound connections at eachother real quick and boom, nat is broken on both sides
--- Day changed Mon Apr 20 2009
00:00 < krzee> and keyx is done by server, so just as secure
00:00 < zheng> yes, I know you explain the exchage process.
00:01 < zheng> but I think the internal PF function can OR should be be able to control the c2c traffic?
00:01 < krzee> negative
00:01 < krzee> SSL doesnt work like that
00:02 < krzee> all traffic inside the tunnel needs to go to the server
00:02 < krzee> who then sends it through a completely different ssl tunnel
00:02 < krzee> my idea is the solution to this problem
00:02 < krzee> with built in 2-way nat hole punching
00:03 < zheng> yes, but when FORWARD, it is decrypted and it is plaintext, and server can jugde the intenal ROUTING/
00:03 < krzee> good luck to you
00:03 < krzee> if you decide to work on my idea pls let me know, that would rule
00:03 < zheng> OK, thank you so much.
00:04 < c1rcuit> when i try to reload something in openvpn, it says that the service is not started (from terminal, in fedora)
00:12 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:12 < krzee> openvpn --config
00:13 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn
00:13 < krzee> if you want the service way you need to setup your os's service stuff correctly
00:13 < krzee> but with openvpn itself thats how you start it
00:13 < krzee> i believe you send a restart signal with kill to reload the config
00:14 < zheng> krzee, there was a misunderstand. I want to know is it possible that the server can connect some clients and cut some clients, not a client forward direct to anothter client.
00:14 < zheng> I means, Server=S, Clients=A,B,C.
00:15 < krzee> so you want some clients can communicate with others and some can not
00:15 < zheng> S --- A, S --- B, S ---C, and A ---B, BUT, A ---X--- C.
00:15 < krzee> i would think you can filter that in the firewall, but im not 100% sure
00:15 < zheng> I means server cut connection between some clients.
00:16 < krzee> if it doesnt work it could be that when openvpn knows a route internally that the packets never hit the kernel
00:17 < krzee> you could also try pushing that client a route to break routing for 10.8.0.0 255.255.255.0
00:18 < krzee> although if that person fixed that route they could still communicate
00:18 < krzee> The --client-to-client flag tells OpenVPN to internally route client-to-client traffic rather than pushing all client-originating traffic to the TUN/TAP interface.
00:18 < krzee> ya i dont think the firewall method will work
00:19 -!- c1rcuit [n=c1rcuit@pool-70-111-224-141.nwrk.east.verizon.net] has left ##openvpn ["Leaving"]
00:19 < krzee> When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
00:21 < krzee> so how about this
00:21 < krzee> leave out --client-to-client
00:21 < krzee> give the ones that should communicate a push route "10.8.0.0 255.255.255.0"
00:21 < krzee> in a ccd/ config
00:22 < krzee> i mean push "route 10.8.0.0 255.255.255.0"
00:26 < krzee> that should make them route that traffic to the server, and without --client-to-client that should go to the device before finding its way back to the process
00:40 < zheng> Thx very much, I get it.
00:47 < krzee> np
00:59 -!- scwang [n=scwang@123.118.123.27] has left ##openvpn ["Leaving"]
01:06 < krzee> happy 420
01:06 < tjz> what is 420?
01:06 < tjz> lol
01:15 < krzee> !google 420
01:15 < vpnHelper> krzee: 420 (cannabis culture) - Wikipedia, the free encyclopedia: ; What is 420? What does 420 Mean? The origins of 420 - Concept420: ; Urban Dictionary: 420:
01:15 < krzee> first link
01:28 < tjz> thx jeff
01:29 < tjz> yucks..
01:29 < tjz> durg..
01:29 < tjz> drug..
01:30 < tjz> omg
01:30 < tjz> my friend like this day
01:30 < tjz> he wanna smoke
01:34 < Bushmills> krzee, i think i can bust the last myth ("4:20 is tea time for pot-smokers in Holland.")
01:45 < krzee> it spread world wide ;]
01:46 < krzee> ohh
01:47 < krzee> right
01:47 < krzee> but the part about an rafael is true
01:47 < krzee> im from that general area
02:08 -!- albech [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)]
02:09 < onats1> anyone up?
02:09 < onats1> krzee?
02:10 < dan__t> No.
02:26 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
02:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:44 -!- c64zottel [n=hans@p5B17B263.dip0.t-ipconnect.de] has joined ##openvpn
04:12 < onats1> you're up
04:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:25 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
05:26 < Coke> Hi. Is it possible to authenticate vpn with only rsa key, no certificates?
05:28 < [4-tea-2]> Coke: check the "static key mini howto" on the OpenVPN page.
05:28 < [4-tea-2]> Coke: you will lose some functionality, though.
05:29 < [4-tea-2]> ...and some security, obviously.
05:30 < Coke> [4-tea-2]: I don't really see how a certificate adds significant amounts of security
05:31 < [4-tea-2]> Coke: if someone records all your VPN traffic and gets hold of your static key later, he can decrypt the recording.
05:31 < Coke> [4-tea-2]: sure. and if he gets hold of a local terminal and my root password I'm also screwed
05:32 < [4-tea-2]> As I understand it, using the TLS stuff, this can be avoided. Don't ask me for details.
05:32 < Coke> the rsa key would be used for tls
05:32 < [4-tea-2]> I just wanted to point it out, I'm not trying to tell you what's best for you.
05:32 < Coke> from what I understand, which isn't much, certificates are basically just fancy keys with additional information in them
05:33 < Coke> Basically, the only reason I don't want to use certificates is 1) I don't need them anywhere else, 2) already got rsa keys for SSH
05:34 < Coke> Also, generating new rsa keys using ssh-keygen is a one-line-shot compared to the 15+ steps and custom scripts under easy-rsa
05:34 < [4-tea-2]> Well, I started with a static key setup, then I noticed I need features that are only available with certs.
05:35 < Coke> such as?
05:36 < Coke> I'm not even sure OpenVPN is what I'm looking for. I have to separate LAN's, 192.168.1.0, that I want to connect together over Internet.
05:37 < [4-tea-2]> !route
05:37 < vpnHelper> [4-tea-2]: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:37 < [4-tea-2]> That should be a helpful read for setting that up.
05:38 < Coke> Indeed, routing seems to be my choice for this, but so far I have not gone past the step of creating certificates.
05:38 < [4-tea-2]> And to answer your last question, I think scripts that are run on client connection are only available with certs.
05:38 < Coke> What?
05:38 < Coke> "scripts that are run on client connection" ?
05:39 < [4-tea-2]> scripts which are run when the VPN connection is actually established, see --client-config-dir
05:40 < Coke> Run where by whom?
05:40 < Coke> I can't do echo "Hello world!" on my client in a terminal?
05:40 < [4-tea-2]> Heh, little misunderstanding.
05:41 < [4-tea-2]> In my setup, I need OpenVPN to run certain scripts when a client connects or disconnects, to fix routing/arp issues.
05:41 < Coke> Hm. I'm not sure VPN is the solution I'm looking for.
05:41 < Coke> All I want is for 192.168.1 packages to be routed via a virtual interface.
05:42 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: zheng 05:43 < [4-tea-2]> Coke: OpenVPN can certainly do that. 05:43 -!- Netsplit over, joins: zheng 05:43 < Coke> [4-tea-2]: but at what administrative cost? 05:44 < Coke> Even with the "easy" rsa scripts it's a 30+ step procedure just to get a connection. 05:44 < [4-tea-2]> Well, I learned a lot setting it up, and now it works. For me, it's been a good experience. 05:44 < Coke> [4-tea-2]: if certificates were useful to me in any other way I might consider spending 40 hours to set it up 05:45 < Coke> but creating a dozen files, requests, keys, signed certs, root certs etc just for one connection is a tad much 05:45 < [4-tea-2]> Well, as I said before -> static key mini howto 05:45 < [4-tea-2]> http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html 05:45 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 05:46 < [4-tea-2]> plus !route 05:46 < [4-tea-2]> (...if I understood correctly) 05:47 < Coke> Yes. 05:48 < Coke> What is pem and crt differences? 05:57 -!- cpm [n=Chip@guest-ap.xo.avitecture.net] has joined ##openvpn 06:01 < dazo> Coke: pem - is a file format .... crt is an SSL certificate, which can be formated as PEM, DER or PKCS#12 06:02 < dazo> Coke: I see you have some questions regarding to what benefits SSL certificate has ... 06:03 < Coke> dazo: already read about the limitations of the static key 06:03 < dazo> Coke: most importantly, it is a mechanism for authenticating the server and and clients 06:03 < Coke> dazo: i think most of my questions are regarding the mile long list of things to do just to setup authentication 06:05 < dazo> Coke: SSL certificates should be signed by a Certificate Authority (CA), which is a trusted third party. That means that when a client connects, it can validate if the server certificate is signed by a CA which it trusts. 
And the same for server can see if the client has a signature by a CA which it trusts 06:05 < Coke> I already made my CA 06:05 < Coke> it created a key file and a pem file 06:05 < Coke> I named them cacert.pem and cakey.pem 06:06 < dazo> Coke: the certificate management is more complex ... but also a lot more safer ... as it gives you control on the server later on to revoke clients which should not have access anymore .... and certificates can also have expiry dates 06:06 < Coke> After that I created a request, from that request I made the server certificate (I think) which resulted in two additional pem files 06:06 < Coke> dazo: I don't need any of those 06:06 < dazo> Coke: if you want something GUI .... you should check out tinyca ... that creates pretty good control over things 06:06 < Coke> dazo: there will only be two computers connected, routing trafic 06:06 < Coke> dazo: no thanks 06:07 < Coke> so I have no need of a root ca 3rd party nor multiple client certificates 06:07 < dazo> Coke: oki ... well, maybe I'm just paranoid ... but I don't see any reasons why not to setup certs when that's the basic security level of SSL, which openvpn is based upon .... if security is not important, why bother about encryption at all? 06:08 < Coke> dazo: ssl also connects using keys 06:08 < dazo> Coke: it's not difficult .... once you just learn the few basic steps 06:09 < Coke> dazo: I don't see the use for them 06:09 < Coke> dazo: there's no need for a 3rd party to verify anything and no need to have multiple, unique authorizations to clients. 06:10 < dazo> Coke: oki ... you don't need it to be a real 3rd party ... but when you created your own CA, that is your own 3rd party ... those files with CA keys and the generated keys, can be locked down on an USB key not connected to a computer at all 06:10 < dazo> Coke: you only need those files when generating new keys 06:11 < dazo> Coke: or to be more correct ... 
when signing new keys 06:11 < Coke> dazo: my clients don't have real host names either 06:11 < Coke> I'm not really in need of identifying the client since there will ever only be one 06:11 < Coke> I'm reading the ipsec manuals, it looks like it's a lot better at linking two networks together. 06:12 < dazo> Coke: ipsec got even more certificate integration 06:12 < dazo> Coke: certificates is a key factor in most VPN's 06:12 < Coke> but why? 06:13 < Coke> There's only one server and why client for my setup. 06:13 < Coke> and also, ipsec seems to use only keys for connecting net-to-net 06:13 < Coke> you only need certificates when you need to idenfity the client, as suspected. 06:14 < dazo> Coke: you can use certificates to authenticate both ways ... the client can authenticate the server, and vice versa 06:15 < Coke> dazo: for me they only need to be authorized 06:16 < Coke> or I guess authenticated, but they don't need to be identified 06:17 < Coke> dazo: I've got a total of TWELVE files just to setup a two-way secure communication 06:17 < Coke> whereas ssh requires just two. 06:17 < dazo> Coke: and why is that so bad?? .... lacking disk space? 06:17 < Coke> dazo: it really makes no sense for my setup to be so advanced 06:17 < dazo> Coke: And you only need ... config, server key and server cert on the server .... on client you need the same 3 files 06:18 < dazo> Coke: it is not advanced .... it really is not 06:18 < Coke> dazo: compared to rsa key 06:18 < Coke> it matters not, i have my openvpn server running now. guess it accepted all my pem-files 06:20 < dazo> Coke: and remember .... SSH does use client key, server key, and public key as well ... but in the SSL world, the key changes regularly ... SSH uses a complete different approach for that 06:20 < dazo> Coke: and RSA is also what OpenSSH uses ... that's just formats again, just as DSA is 06:22 < dazo> or to be correct, algorithm is the right term for RSA and DSA 06:23 < Coke> dazo: sure. 
still just need to copy one key into authorized_keys -> done 06:24 < Coke> do I need ca for the client ? 06:24 < dazo> Coke: but it still is not as solid and secure as proper SSL implementation with certificates ... and even OpenSSH can now be configured to use certificates as well, to improve that field 06:25 < dazo> Coke: you need the CA certificate, which is the same as CA cert as you have on the OpenVPN server 06:25 < Coke> Actually, for SSH it makes sense since you want to identify the users 06:25 < Coke> dazo: how come a browser doesn't need it? 06:26 < dazo> Coke: and it makes the same sense on VPN too .... you are letting a user from a unsecure network accessing your internal network ... that's exactly why you need certificates 06:26 < dazo> Coke: your browser does need them .... but you have 2 different approaches 06:27 < dazo> Coke: normally .... the browser only authenticates the server .... and when you don't need to install a CA cert, that's because the web server has already paid VeriSign or somebody else to sign their server certificate 06:27 < Coke> dazo: but I wont 06:27 < Coke> dazo: there's only 1 client that will ever connect and only one server 06:27 < dazo> Coke: but what if that client gets compromised? 06:27 < Coke> dazo: yeh, but the client is authenticated without having a ca locally 06:28 < Coke> dazo: what if they get access to a local terminal and root password? 06:29 < dazo> Coke: that's only limited by physical limitations .... if you place your console on the street ... sure, that's just as bad .... if you place it in a room without windows and only a door which you have the key for, that's safer 06:29 < Coke> dazo: what if someone gets hold of the key? 
06:29 < Coke> it's actually more likely someone get hold of the physical key than getting the digital key 06:30 < dazo> Coke: if that's your reality, you have bad control on your physical premises 06:30 < Coke> dazo: it's not a bank 06:31 < Coke> dazo: we have an alarm, but it's still pretty easy to get in if you really want to 06:31 < Coke> in any case, why do I need the CA for the client? 06:31 < Coke> I thought the CA was to be kept safe, unavailable to the public? 06:31 < dazo> Coke: you don't need a CA for the client ... you need the CA certificate 06:31 < Coke> yeh, ca certificate 06:32 < dazo> Coke: the CA key (which is used for signing certificate requests), should be unavailable by the public 06:32 < Coke> If all files are on both client and server, I see no real security upgrade from a regular ssh key. It's just that the ssh key is split up into three files. 06:32 < Coke> ah, the key 06:33 < dazo> Coke: the certificate is only a kind of a signature .... and if that signature matches between what the server/client certificate signature and the CA certificate signature, that's a valid certificate 06:34 < Coke> dazo: why can't the client cert be used as a signature, like it works with browsers? 06:34 < dazo> Coke: the browser uses exactly the same system 06:34 < Coke> dazo: no 06:34 < dazo> Coke: yes 06:34 < Coke> dazo: I only get one certificate from my bank 06:34 < Coke> ONE 06:34 < Coke> oops 06:34 < [4-tea-2]> Coke, if you don't care for privacy, you probably don't need a VPN ("p" for "private"). Why not just use iptunnel (ipip). 06:34 < dazo> Coke: One of my banks, I need to download a client certificate .... which is used to identify me during login 06:35 < Coke> Who said I don't care about privacy? 06:35 < Coke> dazo: yes. 06:35 < Coke> dazo: how many certificates was taht? 
06:35 < dazo> Coke: but normal https connections require that the server provides a server certificate which is signed by a trusted 3rd party, which is in your certificate register 06:36 < Coke> dazo: but the client downloads that on the fly 06:36 < Coke> dazo: I thought it worked like this CA cert is used to sign server cert which in turn is used to sign client certs. 06:37 < dazo> Coke: on such client certificates ... the browser generates a private and public key, creates a signing request, sends it to the server which signs the client certificate and sends it back to the browser, which then saves these three files in it's certificate register 06:37 < Coke> dazo: I see. 06:37 < dazo> Coke: http://en.wikipedia.org/wiki/Public_key_infrastructure 06:37 < vpnHelper> Title: Public key infrastructure - Wikipedia, the free encyclopedia (at en.wikipedia.org) 06:41 < Coke> dazo: anyway, I should use my server-cert.pem on both server and client? 06:41 < Coke> (as well as the same cacert.pem and server-key.pem) 06:42 < dazo> Coke: the client only needs the CA certificate .... and the client key .... the server needs only the CA certificate and the server key (and the DH params file) 06:43 < dazo> Coke: and the client needs the client certificate .... and the server needs the server certificate 06:44 < Coke> It's attempting to establish TCP connection now 06:48 < Coke> Hm. It's difficult to test the setup if both machines are already on the same LAN 06:51 < dazo> Coke: that's usually not going to work, of obvious reasons - routing .... but if you establish the VPN without any route statements ... 
you should be able to ping the other VPN end points from both sides 06:51 < Coke> dazo: naw, they just die 06:51 < Coke> Both the server and client are on 192.168.0 already 06:52 < dazo> Coke: exactly, because your probably have a route 192.168.0.0 255.255.255.0 statement in your config files 06:55 < Coke> dazo: sure 06:55 < dazo> Coke: if you comment out those route statements .... your test should work 06:57 < Coke> I didn't have them actually 06:57 < Coke> But I listened on the same interface as the server was setup for 06:57 < Coke> It is, of course, difficult to test it without changing the network on either client or server 06:59 < Coke> There 06:59 < Coke> It works 06:59 < Coke> Sweet. 06:59 < Coke> Although... I have to test which route it takes 07:01 < Coke> Hm. Why does the server behave as both 192.168.1.1 and 192.168.1.5? 07:02 < Coke> and my client got 192.168.1.6, can I control this? 07:04 < Coke> Oh, looks like my server has 192.168.1.1 on the interface. Don't know why it prints "ifconfig 192.168.1.6 192.168.1.5" 07:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:07 < Coke> Hm, I'm not really sure why it adds those routes, but... yeh. 07:07 < [4-tea-2]> Coke: I wondered about that, too. It doesn't happen with the static key setup. Someone told me it was necessary to circumvent some "Windows-only issue". 07:07 < Coke> those are unpingable addresses 07:07 < Coke> Also, broadcast address doesn't seem to work 07:08 < Coke> Now, this is a connection between machine A and machine B, what I really like is a connection between network A and network B 07:09 < Coke> is it as simple as adding my client machine as default gw for the 192.168.1 net? 07:09 < [4-tea-2]> Coke: didn't you say the local machines in the client network are already in 192.168.1.0/24? 
07:10 < [4-tea-2]> pardon, I meant 192.168.0.0/24 07:11 < Coke> yes, they are in 192.168.0.0, but eventually there will be an internet between them 07:11 < [4-tea-2]> I don't think they can share a net, you would have to set up host routes for each machine on the other end. 07:11 -!- Cr0nix [i=irssi@62.141.56.213] has joined ##openvpn 07:11 < Cr0nix> hi al 07:11 < Coke> [4-tea-2]: hey, it says that odd address is "P-t-P" 07:12 < [4-tea-2]> Example: 192.168.0.10 is in the local net, 192.168.0.11 is in the remote net, how would your local machine know that it needs to route .10 differently than .11? 07:12 < Coke> It also has 255.255.255.255 mask and no bcast, so it doesn't work as an ordinary if 07:13 < Coke> [4-tea-2]: because it is mapped as 192.168.1.0/24 07:13 < Coke> [4-tea-2]: it works here right now 07:13 * [4-tea-2] shrugs. 07:13 < Coke> I can ping 192.168.0.9 and 192.168.1.1 to get hold of the same machine 07:13 < [4-tea-2]> See if you have a host route for 192.168.0.9. ;) 07:13 < Coke> imagine I had two physical network cards in these machines, it's the same thing, only instead of a nic it's a tcp connection 07:14 < Coke> no, not for .9 explicitly, but the gateway for 192.168.0.1 is still there 07:14 < [4-tea-2]> Coke: it would be the same problem with two physical nics. 07:14 < Coke> 192.168.0.0/24 07:14 < Coke> [4-tea-2]: what problem? 07:14 < [4-tea-2]> Example: 192.168.0.10 is in the local net, 192.168.0.11 is in the remote net, how would your local machine know that it needs to route .10 differently than .11? 07:14 < Coke> it doesn't 07:15 < Coke> The server has two interfaces, one 192.168.0.9 and one 192.168.1.1 07:15 < Coke> the latter is available only via openvpn 07:15 < [4-tea-2]> You said you're trying to connect to lans. 07:15 < Cr0nix> is here any1 who can point me to a working solution for the routing of internet through the openvpn tunnel? 07:15 < Coke> [4-tea-2]: I am 07:15 < [4-tea-2]> Both lans are using addresses in 192.168.0.0/24. 
07:15 -!- troy is now known as troy- 07:15 < Cr0nix> !redirect 07:15 < vpnHelper> Cr0nix: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 07:16 < [4-tea-2]> Imagine a local setup with two nics, .10 routed via eth0, .11 routed via eth1. 07:16 < Coke> [4-tea-2]: in the future they will be, but I'm testing with two machines on the same LAN now 07:16 < Coke> [4-tea-2]: it can be done 07:16 < Cr0nix> !def1 07:16 < vpnHelper> Cr0nix: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 07:16 < Coke> [4-tea-2]: you just have to specify each route 07:16 < [4-tea-2]> Coke: that's exactly what I said. 07:16 < Cr0nix> !ipforward 07:16 < vpnHelper> Cr0nix: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 07:16 < Coke> [4-tea-2]: openvpn already specifies the routes 07:16 < [4-tea-2]> I don't think they can share a net, you would have to set up *host routes* for each machine on the other end. 07:17 < Cr0nix> !linipforward 07:17 < vpnHelper> Cr0nix: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 07:17 < [4-tea-2]> Well, never mind. If I'm right, you'll find out soon enough. 07:17 < Coke> [4-tea-2]: right about what? 07:17 < [4-tea-2]> ...and if I'm wrong you don't need to worry. 07:17 < Coke> [4-tea-2]: everything works dandy. 07:17 < Coke> [4-tea-2]: in the future my server won't be on this LAN and it won't have 192.168.0.9 as address, it will have some public IP 07:17 < [4-tea-2]> And there will be machines "behind" that server? 
07:18 < Coke> [4-tea-2]: indeed. 07:18 < Cr0nix> !nat 07:18 < vpnHelper> Cr0nix: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 07:18 < [4-tea-2]> And they will also receive new, non-192.168.0.0/24 IP addresses? 07:18 < Cr0nix> !linnat 07:18 < vpnHelper> Cr0nix: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 07:18 < Coke> [4-tea-2]: I don't think that's possible or advisable 07:19 < Coke> [4-tea-2]: they will most likely be split up into two networks: 192.168.0 and 192.168.1 07:19 < [4-tea-2]> You can also use 192.168.0.0/25 and 192.168.128.0/25 to split an existing 192.168.0.0/24. 07:19 < Cr0nix> hm 07:20 < Coke> [4-tea-2]: true. but then I'd have to consider that when setting up DNS, broadcasts, etc 07:20 < Cr0nix> is it possible to assign ipv4 AND ipv6 adresses to vpn client? 07:20 < Cr0nix> *clients 07:20 < Cr0nix> so 07:21 < Cr0nix> client -> ipv6 and ipv4 tunnel -> vpn server with native ipv6 and ipv4 07:21 < [4-tea-2]> Will broadcast work across a normal OpenVPN connection? I seem to remember that a bridging setup is needed for that? 07:21 < Cr0nix> -> the interwebs 07:21 < Coke> [4-tea-2]: and then, I guess, it's all about adding a default gw for the alternate network 07:21 < [4-tea-2]> Coke: no, it isn't. ;) 07:22 -!- troy- is now known as troy 07:22 < Coke> [4-tea-2]: no? 
07:22 < [4-tea-2]> Coke: it's all about adding a gazillion of host routes in your case, I think. That's why I'm trying to make you think about your network setup. 07:23 < Coke> [4-tea-2]: I already thought about it, with the current limitations I have little else to do about it 07:23 < [4-tea-2]> If there's a possibility that 192.168.0.10 will end up in one lan and 192.168.0.11 will end up in the other lan, your setup is broken by design, methinks. 07:23 < Coke> Ideally, the openvpn server/client would just magically make both 192.168.0 networks act as if they were on the same LAN 07:24 < Coke> [4-tea-2]: it won't, one network will have 192.168.1 and one will have 192.168.0 07:24 < [4-tea-2]> Coke: then don't use 192.168.1.0/24 for the OpenVPN-internal addresses. 07:25 < Coke> [4-tea-2]: I'm not sure what openvpn-internal address is 07:25 < [4-tea-2]> Use one net for lan1, one net for lan2 and a different net for the OpenVPN endpoints. 07:25 < Coke> afaik there are no "internal" addresses 07:25 < [4-tea-2]> The addresses bound to the tun devices 07:25 < Coke> [4-tea-2]: well, they would both have to be public IP's 07:25 < Coke> at least the server 07:26 < [4-tea-2]> Coke: ifconfig tun0 07:26 < [4-tea-2]> Coke: *that* address 07:26 < Coke> or I could setup the hw router properly instead of doing that 07:26 < Coke> [4-tea-2]: that should be the remote net 07:26 < [4-tea-2]> Coke: you said before it was 192.168.1.{1,5,6,whatever} 07:27 < Coke> My server will be 192.168.1.9 on eth0 and 192.168.0.1 on tun0 07:27 < [4-tea-2]> The OpenVPN manual advises against this. 
07:28 < Coke> and my client will have reverse, it will have 192.168.0.10 on eth0 and 192.168.1.x on tun0 where x is whatever is decided to do that windows workaround thingie 07:28 < Coke> I don't see any other solution 07:29 < Cr0nix> the iptables command from the official howto dosnt work 07:29 < Cr0nix> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 07:29 < [4-tea-2]> Coke: Ideally, the server would be e.g. 192.168.2.1, on 192.168.0.x a network route for 192.168.1.0/24 would point to the gateway 192.168.2.1. 07:29 < Cr0nix> it gives me an error 07:29 < [4-tea-2]> Cr0nix: what error? 07:30 < Cr0nix> bad argument 'the.ip.address.here' 07:30 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 07:30 < [4-tea-2]> Cr0nix: typo? 07:30 < Cr0nix> nope 07:31 < [4-tea-2]> If you want, paste the full command line with all following lines somewhere and I'll have a look at it. iptables is my friend. 07:31 < Cr0nix> i sux very hardly at iptables 07:31 < Cr0nix> so thx 07:31 < Cr0nix> xD 07:32 < Cr0nix> can i post 3 lines here in cleartext or better use pastebin? 07:33 < [4-tea-2]> three lines is certainly okay 07:33 < Cr0nix> wlan-vpn:/etc/openvpn# iptables -t nat -A POSTROUTING 192.168.178.0/32 -o eth1 -j MASQUERADE 07:33 < Cr0nix> Bad argument `192.168.178.0/32' 07:33 < Cr0nix> Try `iptables -h' or 'iptables --help' for more information. 07:33 < Cr0nix> its the same syntax as mentioned on the openvpn howto 07:33 < Cr0nix> just a diffrent ip adress 07:33 < Cr0nix> +d 07:33 < Coke> [4-tea-2]: why do you want to have a different eth0 ip than the network it is actually on? 07:34 < [4-tea-2]> Cr0nix: you forgot the "-s" 07:34 < Cr0nix> needs interwebs on vpn connection 07:34 < Cr0nix> hm 07:34 < Cr0nix> now no error 07:34 < [4-tea-2]> ;) 07:34 < Cr0nix> but still no internet on my vpn client 07:34 < Cr0nix> damn it 07:35 < Cr0nix> i could kill iptables 07:35 < [4-tea-2]> That could have a gazillion reasons. 
;) 07:35 < Cr0nix> jeah but for me its mostly iptables fault 07:35 < Cr0nix> because i dont no realy much about it 07:35 < [4-tea-2]> The VPN connection is established, you can ping the other end? 07:35 < Cr0nix> jup 07:35 < Cr0nix> certificate based auth 07:35 < [4-tea-2]> There's a default route (or two, if you used def1) pointing towards the tun device? 07:35 < Cr0nix> woo? 07:36 < Cr0nix> what? 07:36 < Cr0nix> i just made 07:36 < Cr0nix> push "redirect-gateway" 07:36 < [4-tea-2]> Shouldn't that be "redirect-gateway def1"? 07:36 < Cr0nix> never used def1 07:37 < [4-tea-2]> I think it's the preferred way to set up a default route. 07:37 < Cr0nix> and i have an kinda complicated network setup 07:37 < Cr0nix> xD 07:37 < [4-tea-2]> The default route tells your machine where to send traffic towards teh internets. 07:37 < Coke> [4-tea-2]: of course, this is all complicated by the fact that I'm trying to setup a vpn between two machines on the same lan. :) 07:38 < Cr0nix> vpn-client -> via wlan -> router -> via lan -> vpn server -> internet 07:38 < Cr0nix> thats my network setup here 07:39 < Cr0nix> vpn clients ip on non-vpn connection: 192.168.0.101 07:39 < Cr0nix> vpn clients ip on vpn connection: 192.168.178.6 07:39 < Cr0nix> router ip 07:39 < Cr0nix> 192.168.0.10 07:39 < [4-tea-2]> Cr0nix: paste the result of "route -n" somewhere, please. 07:39 < Cr0nix> kk 07:39 < Cr0nix> xD 07:40 < Cr0nix> from client or server 07:40 < Cr0nix> ? 07:40 < [4-tea-2]> client, please 07:40 < Cr0nix> server = debian, client = win xp 07:40 < [4-tea-2]> Damn. :D 07:40 * [4-tea-2] knows zilch about Windows, sorry. 07:40 < [4-tea-2]> "route /print" or something like that? 07:41 < [4-tea-2]> I meant "C:\> ROUTE.EXE /PRINT" or something like that? ;) 07:41 -!- troy is now known as troy- 07:41 < Cr0nix> xD 07:41 < Cr0nix> jeah im on it 07:42 < [4-tea-2]> Oh, how did you test whether you had internet connectivity on the client after setting up NAT? 
07:43 < Cr0nix> ping 208.67.222.222 07:43 < [4-tea-2]> Perhaps your Windows machine is trying to reach the DNS service on your router via the VPN or something like that. Try to ping an IP address instead of a DNS hostname to make sure it's not just a DNS problem. 07:43 < [4-tea-2]> Excellent. ;) 07:43 < Cr0nix> ^^ 07:44 < Cr0nix> http://pastebin.com/m26b53b6f 07:45 < Cr0nix> route PRINT 07:47 < [4-tea-2]> Hmmm. As I said, I don't know much about Windows, but I'm kinda bamboozled because there are routes that use 192.168.178.5 as a gateway, but there's no host route for 192.168.178.5. 07:48 < [4-tea-2]> Not sure whether that's normal or not. 07:48 < Cr0nix> hm 07:48 < [4-tea-2]> Ah, never mind. Found it. :D 07:48 < Cr0nix> xD 07:48 < Cr0nix> as i sayd 07:48 < [4-tea-2]> 192.168.178.4/30 covers it. 07:48 < Cr0nix> my network setup here does even confusing me 07:48 < Cr0nix> xD 07:48 < [4-tea-2]> It seems the client side is okay, let's have a look at the server side. 07:49 < Cr0nix> so what do i need to type in for iptables? 07:49 < Cr0nix> so that all clients in th vpn network are routed over the vpn for internet 07:49 < [4-tea-2]> I'd like to see "route -n" and "iptables -vn -L -t nat" 07:49 < Cr0nix> kk 07:50 < Cr0nix> http://pastebin.com/m3d958114 07:50 < Cr0nix> http://pastebin.com/m447d6c6e 07:51 < Cr0nix> hm 07:51 < [4-tea-2]> Oh, it seems you got some leftovers in there. 07:51 < Bushmills> Cr0nix, on vpn server, something like this: http://scarydevilmonastery.net/masq 07:51 < Cr0nix> how to get rid of the "leftovers" 07:51 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:51 < Bushmills> on clients, you'd make vpn machine gateway 07:51 < [4-tea-2]> "iptables --table nat --flush" should clean them out. 07:52 < Coke> how the heck do I delete a route entry? it just says invalid argument 07:52 < Bushmills> Coke, bring down the interface. or route del ..... 
07:52 < Cr0nix> jup [4-tea-2] theyre gone now 07:52 < [4-tea-2]> Cr0nix: then try the last iptables statement again... "iptables -t nat -A POSTROUTING -s 192.168.178.0/32 -o eth1 -j MASQUERADE" 07:52 < Coke> ah, no 07:52 < Coke> I gotta specify for which gateway too 07:53 < Coke> even though there was only one route for the network 07:53 < Cr0nix> hmmm 07:53 < Cr0nix> [4-tea-2]: still no ping reply from outside the vpn network 07:54 < [4-tea-2]> LOL 07:54 < [4-tea-2]> Sorry, I missed something obvious. 07:55 < Cr0nix> xD 07:55 < [4-tea-2]> flush again, then: 07:55 < [4-tea-2]> iptables -t nat -A POSTROUTING -s 192.168.178.0/24 -o eth1 -j MASQUERADE 07:55 < Cr0nix> doen 07:55 < [4-tea-2]> the /32 netmask was wrong. 07:55 < Cr0nix> done 07:55 < Cr0nix> hmm 07:55 < Cr0nix> now that looks good now 07:55 < Cr0nix> xD 07:55 < [4-tea-2]> Excellent. :D 07:56 < Cr0nix> perfect 07:56 < [4-tea-2]> Welcome to the wonderful world of OpenVPN. :D 07:56 < Cr0nix> big thx 07:56 < Cr0nix> ;D 07:56 < Cr0nix> jeah a second time 07:56 < Cr0nix> xD 07:56 < Cr0nix> btwe 07:56 < Cr0nix> btw 07:56 < [4-tea-2]> Cr0nix: Es war mir ein Fest! 07:56 < Cr0nix> is openvpn ipv6 ready jet? 07:56 < [4-tea-2]> no idea, I'm not IPv6-ready yet. 07:56 < Cr0nix> hm 07:56 < [4-tea-2]> My machines are, my provider is, I'm not. :D 07:57 < Cr0nix> im partically ipv6 ready xD 07:57 < Cr0nix> my isp isnt 07:57 < Cr0nix> my machines are via 6in4 tunnel 07:57 < Cr0nix> my dedicated1 is native ipv6 07:57 < Cr0nix> my other 2 dedicated are only ipv4 07:57 < [4-tea-2]> I even got a routed IPv6 from my ISP, but I'm planning to understand it first before I use it, I fear I might rip up large holes in my security setup. 07:57 < Cr0nix> oh jeah 07:57 < Cr0nix> u will 07:58 < Cr0nix> ipv6 dont like nat 07:58 < [4-tea-2]> ip6tables isn't my friend... yet. ;) 07:58 < Cr0nix> ^^ 07:59 < tjz> ip6tables.. 
i am newbie to using it 08:02 < Cr0nix> xD 08:02 < Cr0nix> hmm 08:02 < Cr0nix> another issue 08:03 < Cr0nix> openvpn wont let me generate more than 1 client certificate 08:04 < Coke> Cr0nix: just run openssl 08:04 < Cr0nix> and then? 08:05 < Coke> Cr0nix: well, first you run openssl req and then openssl ca to certify the request 08:05 < Cr0nix> ive done that already 08:05 < Cr0nix> i have certs and keys for my server and my 1. client 08:05 < Coke> Cr0nix: from that two files will be created, one cert and one key 08:05 < Cr0nix> now i need a key and a cert for my 2. client 08:06 < Coke> Cr0nix: so do exactly what you did for your client once more 08:06 < Cr0nix> k 08:06 < Cr0nix> but after i made the certs for my client for the first time 08:06 < Coke> make sure you change the output names, though 08:06 < Cr0nix> it tells me i need to edit my vars script 08:06 < Cr0nix> but ive done that before already 08:06 < Coke> I use openssl directly, don't know about any hacks 08:07 < Cr0nix> its the easy-rsa stuff from the openvßpn doc folder 08:07 < Coke> Yeh, didn't use that. 08:07 < Coke> It didn't seem easy to me at all. 08:08 < Coke> 15 scripts run in a 20-step tutorial 08:08 < Coke> using openssl you just use one binary twice. 08:08 < Coke> (three times if you're doing the server, for the dh) 08:09 < [4-tea-2]> Cr0nix: I've used the easy-rsa stuff, didn't have any problem. 08:09 < [4-tea-2]> Cr0nix: does it complain about a specific variable? 08:09 < Coke> [4-tea-2]: I didn't manage to get the route working, it has something to do with those extra magic addresses of .5 and .6 08:10 < Coke> [4-tea-2]: but I'll figure it out eventually and make sure that openvpn client behaves like a router for the net. if you could find a link to why this is discouraged I'd appreciate it much. 08:10 < [4-tea-2]> Cr0nix: I used build-key-server and build-key , build-key , etc. 
08:10 < Cr0nix> jep 08:10 < Cr0nix> works now 08:10 < Cr0nix> i needed to source the vars file again 08:10 < Cr0nix> worked after that 08:10 < [4-tea-2]> Ah 08:12 < [4-tea-2]> Coke: where did you point the route for the remote lan? 08:12 < ecrist> good morning bitches! 08:12 < Coke> [4-tea-2]: on my client machine 08:12 < [4-tea-2]> ecrist: hello pimp! 08:12 < Coke> no, sorry, on a random other machine in the client side network 08:13 < Coke> I told it to use the client machine as gateway for 192.168.1.0, but it failed, then it turns out I can ping 192.168.1.6 directly from that machine 08:13 < [4-tea-2]> Coke: I mean where did you point it to... route -net 192.168.something.0 network 255.255.255.0 gw something? dev something? 08:14 < Coke> i.e, the client responds to 192.168.1.6 on the 192.168.0.11 interface. or something. 08:14 < Coke> [4-tea-2]: I routed all 192.168.1 through 192.168.0.11 08:14 < Coke> naturally, that was wrong, but it's getting late afternoon here now 08:15 < [4-tea-2]> Coke: there you go. 192.168.0.11 is not the VPN server address INSIDE the VPN connection. 08:15 < Coke> I'm getting ready to leave, so... 08:15 < Coke> [4-tea-2]: yeh, 192.168.1.6 would be correct 08:15 < [4-tea-2]> Well, let's try again tomorrow then. *snicker* 08:15 < Coke> I think. Hehe. Yes. 08:15 < [4-tea-2]> Coke: I don't think so. 08:16 < Coke> [4-tea-2]: yeh, I could ping the 192.168.1.6 address from the 192.168.0 network 08:16 < Coke> that is, my 192.168.0.11 seems to respond when I ping 192.168.1.6 08:16 < [4-tea-2]> Coke: I think 192.168.1.6 is a local address. You cannot tell your machine to use itself as a gateway, that doesn't make much sense. You need to tell it to use the OTHER side of the VPN tunnel as gateway. 08:16 < [4-tea-2]> ie. 192.168.1.1, correct? 08:16 < Coke> [4-tea-2]: i think you're misunderstanding what I did. 08:16 < [4-tea-2]> Probably. 08:16 < [4-tea-2]> Or you're misunderstanding how routing works. 
;) 08:17 < Coke> the connection between server and client works fine, I can ping both, what I tried was to use the client machine as gateway from a third machine 08:17 < Coke> I'll figure it out tomorrow. Maybe. :) 08:17 < Coke> It shall be a glorious victory. 08:18 < Coke> How come none of the VPN services available use PROPER authentication? 08:18 < Coke> pptp isn't exactly uncrackable stuff 08:18 < [4-tea-2]> Too much coke makes my nose bleed. 08:19 < Coke> also, afaik they just do login/password 08:19 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 08:21 < Coke> "pptp easy to setup, lacks real specs and security." sounds exactly like Microsoft to me. :) 08:21 < Coke> Ok, thanks anyway, byesies! 08:21 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"] 08:21 < ecrist> byesies? WTF? 08:22 * ecrist sets mode ##openvpn -gay 08:22 < tjz> LOL 08:22 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 08:35 < Bushmills> coke, what are the openvpn services? and what is proper authentication? 08:35 < Bushmills> oh. gone already 08:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 08:37 < [4-tea-2]> Just in time. My nose started bleeding. 08:38 -!- mnickels [n=mnickels@12.177.178.136] has joined ##openvpn 08:38 * Bushmills hands [4-tea-2] some platinum and a sledgehammer 08:43 -!- UtopiahGHML [n=libre@rps7452.ovh.net] has left ##openvpn [] 08:45 < mnickels> I have openvpn up and running with the webmin module on my test box. All works great, I do have a problem with the CA residing on this same box. Anyone see a problem with moving the CA.*, serial.txt, and index.txt to a USB thumb drive and creating symlinks from the keys directory to point to the respective files on the USB drive ? That way you could only generate certs if the USB drive is connected. 
08:47 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
08:50 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
08:53 < [4-tea-2]> mnickels: excellent idea, I think it needs to be writable to increase the content of "serial.txt", though.
08:55 < dazo> mnickels: that's a very good idea indeed! :) ... You only need CA keys when signing CSR's .... otherwise they should be unavailable.
08:56 < Cr0nix> hm
08:56 < Cr0nix> i run in another issue
08:56 < Cr0nix> xD
08:57 < Cr0nix> if i use push for dns servers
08:57 < Cr0nix> it works fine with the opendns dns server at 208.67.222.222 and 208.67.220.220
08:58 < Cr0nix> but it wont work if i use own dns servers located at our local area network
08:58 < Cr0nix> the dns servers are working without the vpn like a charm
08:58 < [4-tea-2]> Is the DNS server running on the OpenVPN server?
08:58 < Cr0nix> nop
08:58 < Cr0nix> its running at 172.19.86.11 and 172.19.68.12
08:59 < [4-tea-2]> Does the machine running the DNS server know how to reach the VPN client?
08:59 < [4-tea-2]> Have a look at your iptables statement again.
08:59 < Cr0nix> i think it tells the vpn server which then tells it to my client or not?
08:59 < [4-tea-2]> It sets up NAT only for eth1, which is the device your DSL router is connected to, correct?
08:59 < Cr0nix> no
09:00 < Cr0nix> eth1 is linked to our local area network
09:00 < Bushmills> Cr0nix, do DNS allow requests from VPN interface/ip address?
09:00 < Bushmills> (assuming you mean to request DNS through VPN)
09:00 < Cr0nix> with many machines in it
09:00 < Cr0nix> and the router
09:00 < [4-tea-2]> I see.
09:00 < Cr0nix> so we have no pppoe
09:00 < Cr0nix> just dynamic ip's on our internal network
09:01 < Cr0nix> and yes the dns is reachable and answers if i dig it from the vpn server
09:01 < [4-tea-2]> Well, the masquerading *should* take care of it.
09:01 < [4-tea-2]> So tcp to the DNS server works, udp doesn't?
09:02 < Bushmills> "answers if i dig it" - that's an udp request
09:03 < [4-tea-2]> Oh, I thought that was tcp. Sorry.
09:03 < Bushmills> zone transfers are tcp. resolve requests are udp.
09:03 < Cr0nix> ok
09:03 < Cr0nix> changed dns back to our internaL
09:03 < Cr0nix> NSLOOKUP GOOGLE.DE WORKS
09:04 < Cr0nix> PING GOOGLE.DE WONT WORK
09:04 < Cr0nix> sry 4 caps
09:04 < [4-tea-2]> ...but now your shift key is broken.
09:04 < Cr0nix> ^^
09:04 < mnickels> [4-tea-2], dazo, My real setup needs to be so easy a monkey can use it. Not sure how much easier it can get than webmin and a thumb drive.
09:04 < [4-tea-2]> mnickels: we didn't try to be ironic. It really is a good idea. Go ahead!
09:05 < Bushmills> Cr0nix, try mtr or traceroute
09:06 < [4-tea-2]> Cr0nix: on unices, the difference between ping and nslookup would be that ping uses the local rules for name resolution (e.g. including entries in /etc/hosts), while nslookup always asks a name server.
09:06 < [4-tea-2]> Cr0nix: no idea where your problem is coming from, though.
09:07 < mnickels> [4-tea-2], I use USB drives as often as possible for this but was not sure if openssl would have a problem with it. I'll give it a test run and see how it goes.
09:07 < Cr0nix> traceroute works
09:07 < Cr0nix> slow like hell but till now it works
09:07 < ecrist> why would openssl have a problem with usb drives?
09:07 < Bushmills> can be a problem with reverse dns. ping may take much longer if rdns doesn't work
09:07 < Cr0nix> hmm
09:08 < Cr0nix> how to check that?
09:08 < Cr0nix> ok IT IS
09:08 < Cr0nix> from hop 7 in traceroute i dont get any hostnames anymore
09:08 < Cr0nix> except the last hop
09:08 < Cr0nix> from google
09:08 < Cr0nix> that one has an hostname again
09:08 < [4-tea-2]> Cr0nix: that's "normal"
09:09 < Cr0nix> hmk
09:09 < Cr0nix> hm
09:09 < Cr0nix> seems to be rdns
09:09 < Cr0nix> it pings but takes ages to start pinging
09:10 < [4-tea-2]> Huh. I don't see where/how an ICMP reply would try a lookup?
09:10 < Cr0nix> sure
09:10 < Cr0nix> if u ping google.de
09:10 < Cr0nix> it must look it up first
09:10 < [4-tea-2]> Sure. But google.de doesn't need to resolve MY IP to respond.
09:11 < Cr0nix> hmm
09:11 < Cr0nix> but it takes ages
09:11 < Cr0nix> xD
09:11 < Cr0nix> so
09:11 < Cr0nix> what the hell is going on here xDF
09:11 < [4-tea-2]> And your data packages should appear to have the sender address from your VPN server. If that can talk to your DNS server just fine, so should your client.
09:11 < Bushmills> [4-tea-2], where ping looks up hostname from ip address
09:12 < [4-tea-2]> Bushmills, ah, I see.
09:12 < [4-tea-2]> "ping -n" should help then.
09:13 < Cr0nix> hm
09:13 < Cr0nix> is there a easy method to log all requested sites on the vpn server?
09:14 < Bushmills> increase dns log level. but that's not in vpn config, but in dns config
09:14 < Cr0nix> if i as a vpn client request http://google.com the server should write it in a logfile for my user account
09:14 < vpnHelper> Title: Google (at google.com)
09:15 < Bushmills> asking that from openvpn is akin to asking that from a wire :D
09:15 < Cr0nix> hm
09:15 < Cr0nix> xD
09:15 < Cr0nix> kk
09:15 < Cr0nix> then not possible for me
09:16 < Cr0nix> but thats ok
09:16 < [4-tea-2]> Cr0nix: tcpdump is your friend.
09:16 < Bushmills> running a recursive DNS is not a big deal
09:16 < Cr0nix> i know
09:16 < Cr0nix> i have 2 own fully operating dns servers
09:16 < Cr0nix> so im into bind way more than in openvpn
09:16 < Cr0nix> xD
09:16 < [4-tea-2]> Cr0nix: no KiPo-DNS-Sperre for you, huh? ;)
09:16 < Cr0nix> nope
09:17 < Cr0nix> xD
09:17 < [4-tea-2]> same here. :D
09:17 < Bushmills> then you know what to change in config to log dns requests
09:17 < Cr0nix> and fully ipv6 capable dns servers for my domain
09:17 < Cr0nix> as glue in the biz tld dns servers
09:17 < Cr0nix> xD
09:17 < Cr0nix> Bushmills: sure
09:17 < Cr0nix> but i cant use them
09:17 < Cr0nix> xD
09:17 < Bushmills> why not?
09:17 < Cr0nix> i have to use company internal dns servers
09:18 < Cr0nix> and i dont have access to them
09:18 < Bushmills> i thought that's what the use of openvpn was about :D
09:18 < Cr0nix> or i have to create my own dns entries for the companys intranet
09:18 < Cr0nix> hm
09:18 < Cr0nix> atm its more like a BIG security thing behind our unofficial trainee wifi network
09:19 < [4-tea-2]> I don't like that idea. Better figure out why they are slow to respond.
09:19 < Bushmills> i run recursive+authoritative DNS on the VPN server, and let the local DNS use those, over VPN, as upstream DNS
09:20 < Cr0nix> i have 3 servers in the interwebs
09:20 < Cr0nix> running dns, httpd, ircd and other stuff
09:20 < Bushmills> (my previous provider, BT, was logging and selling where customers connected to)
09:20 < Cr0nix> lol
09:20 < Cr0nix> hmm
09:20 < Cr0nix> so
09:20 < Cr0nix> lemme guess
09:20 < Cr0nix> [4-tea-2]: ur from germany
09:20 < Cr0nix> and
09:21 < Cr0nix> Bushmills: your from GB
09:21 < Cr0nix> xD
09:21 < Bushmills> Cr0nix, no. i lived in Ireland when i had BT as provider
09:21 < Cr0nix> damn
09:21 < Cr0nix> xD
09:21 < Cr0nix> so close
09:21 < Bushmills> but I'm same country as [4-tea-2]
09:21 < Cr0nix> hm
09:21 < Cr0nix> both germany?
09:22 < Cr0nix> or why can u speak german [4-tea-2]
09:22 < [4-tea-2]> I'm in Germany, yes.
09:22 < Bushmills> [4-tea-2], what part?
09:23 < [4-tea-2]> Ruhrgebiet
09:23 < Cr0nix> <- karlsruhe
09:23 < Bushmills> between
09:23 < [4-tea-2]> Xlink FTW
09:23 < Cr0nix> xD
09:24 < Cr0nix> naja
09:24 < Cr0nix> im only using the vpn because our wifi router doesnt understand wpa2
09:25 < Cr0nix> so i set up the vpn to protect the network of our company from attacks
09:25 < [4-tea-2]> Cr0nix: Xlink was my ISP from 94 to 98 (I think).
09:25 < Cr0nix> hm
09:25 < Cr0nix> never heard about xlink
09:25 < Cr0nix> am atm @ alice
09:26 < [4-tea-2]> It was the first commercial ISP in Germany.
09:26 < Cr0nix> but working for an other big isp
09:26 < Cr0nix> ^^
09:26 * [4-tea-2] too. ;)
09:26 < Cr0nix> ^^
09:26 < Cr0nix> which?
09:26 < [4-tea-2]> frn
09:26 < Cr0nix> hm
09:26 < Cr0nix> frn?
09:26 < [4-tea-2]> "mobilcom debitel"
09:26 < Cr0nix> ahhh
09:26 < Cr0nix> *click*
09:26 < Cr0nix> xD
09:27 < Cr0nix> <- united internet
09:27 < Cr0nix> xD
09:27 < Cr0nix> azubi halt
09:27 < Cr0nix> ^^
09:27 < [4-tea-2]> Ah, you must be my enemy then. :D
09:27 < Cr0nix> xD
09:27 < Cr0nix> *die debitel die*
09:27 < [4-tea-2]> arch nemesis, even.
09:28 < Cr0nix> ;D
09:28 < Cr0nix> but im so happy that i dont work for the morons at our DSL dep. xD
09:28 < Cr0nix> <- server section
09:28 < Cr0nix> german datacenter etc
09:28 < Cr0nix> *centers
09:30 -!- mnickels [n=mnickels@12.177.178.136] has quit ["Leaving"]
09:32 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
09:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:37 < Cr0nix> hm
09:37 < Cr0nix> anyone here ever experimented with openvpn & etoken
09:37 < Cr0nix> ?
09:38 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
09:39 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Read error: 54 (Connection reset by peer)]
09:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:43 -!- jre2 [n=jre@host217-40-219-201.in-addr.btopenworld.com] has joined ##openvpn
09:43 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
09:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection reset by peer]
10:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:00 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
10:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:13 -!- flokuehn [n=flokuehn@62.111.103.27] has joined ##openvpn
10:15 < tjz> what is etoken?
10:17 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
10:18 < Cr0nix> its a smartcard
10:18 < Cr0nix> built as a usb stick
10:18 < Cr0nix> to store certificates etc on
10:19 < tjz> cool
10:19 < Cr0nix> openvpn works with etoken since 2.1
10:19 < tjz> hmm..
10:19 < Cr0nix> but i dont know how i bring my certificates to the format that etoken uses
10:20 < Cr0nix> it needs a pfx, p12 or cer file
10:20 < Cr0nix> and i dont know how the fuck i can convert my crt and key files to a cer, pfx or p12 certificate
10:20 < Cr0nix> thats my main problem atm
10:21 < Cr0nix> and a search for etoken on the openvpn page brings not even one result
10:22 < tjz> not many used etoken w/ openvpn
10:22 < tjz> :)
10:22 < Cr0nix> yeah
10:22 < Cr0nix> i need at least one person who can tell me how i could convert my certs
10:23 < tjz> maybe have the server generate cer,pfx directly?
10:25 < Cr0nix> hm
10:25 < Cr0nix> how?
10:26 < Cr0nix> never used those formats before
10:26 < Cr0nix> never even heard of them before
10:26 < tjz> same here
10:26 < Cr0nix> damn
10:27 < ecrist> Cr0nix: your question is an OpenSSL question, not really an OpenVPN question
10:27 < dazo> Cr0nix: have you solved the conversion?
10:27 < dazo> that's also true
10:27 < Cr0nix> dazo: no
10:27 < Cr0nix> and ecrist hm ur right sry
10:28 < dazo> Cr0nix: to make p12 .... openssl pkcs12 -in -out cert.p12 .... and you can also add -CAfile to include CA cert in the same .p12 file as well
10:29 < Cr0nix> ah kewl
10:29 < dazo> Cr0nix: openssl pkcs12 -h ... usually gives you pretty good info on arguments
10:30 < Cr0nix> hm
10:30 < Cr0nix> i assume i have to merge my .key and .crt to one pem file right?
10:55 < dazo> Cr0nix: yeah, that's right
10:57 -!- jre2 [n=jre@host217-40-219-201.in-addr.btopenworld.com] has left ##openvpn []
10:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:57 < Cr0nix> kk
10:57 < Cr0nix> done so far
10:58 < Cr0nix> i got the p12 file and imported it to the token
10:59 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
11:00 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
11:14 -!- dazo [n=dazo@62.40.79.66] has quit [Remote closed the connection]
11:15 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:24 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
11:35 -!- penrod [n=pattonb@S010600105a1788d6.cg.shawcable.net] has joined ##openvpn
11:42 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
11:46 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
11:46 < Cr0nix> hm
11:46 < Cr0nix> damn etoken
11:51 -!- dazo [n=dazo@nat/redhat/x-b40504dd271611ba] has joined ##openvpn
11:52 < Cr0nix> damn it
11:52 < Cr0nix> openvpn accesses the etoken and crashes after that
11:52 < Cr0nix> no error
11:54 -!- Blackshark [n=a@p579FAE0D.dip.t-dialin.net] has joined ##openvpn
11:54 < Cr0nix> it doesnt even crash completely
11:54 < Cr0nix> it just hangs up after it loaded the certificate from the etoken stick
11:54 < Cr0nix> i have to kill it via task manager
11:56 < Blackshark> hi i have a problem with pushing a route to the client which should let him access other servers. but for some strange reason i can not ping any ip's in the vpn network after the route has been pushed. has anyone a clue on this one?
11:56 < Bushmills> !route
11:56 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:56 < ecrist> Blackshark: I'm guessing you've got conflicting IP address ranges
11:58 < Blackshark> server has "server 172.17.0.0 255.255.255.0" and the route is a static internet ip
11:58 < Cr0nix> i want my eToken 2 work ;( *cry*
12:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:07 < Blackshark> ecrist: is there something i should know when trying to route to a static internet ip?
12:08 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
12:16 < dazo> Cr0nix: try to start openvpn via strace or gdb .... you might then be able to figure out where it crashes
12:16 < Cr0nix> cant
12:16 < Cr0nix> the client is a windows shitbox
12:18 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:19 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:22 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:27 -!- albech [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)]
12:30 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
12:31 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
12:33 < Blackshark> ecrist: i think i know what the problem is. my vpn server is on an internet server with a static ip. but i also want to access this same server through the secure network which is kind of a loop and the client doesn't seem to like it
12:33 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:34 < ecrist> right
12:34 < ecrist> you need to provide an 'internal' IP securely or through DNS foo
12:37 < Blackshark> ecrist: can you give me a link or the command for the config?
12:37 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
12:38 < Blackshark> ecrist: or do you mean an own ip just for the vpn to work
12:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:41 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
12:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:44 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 54 (Connection reset by peer)]
12:49 -!- troy- is now known as troy
12:49 < Blackshark> !redirect
12:49 < vpnHelper> Blackshark: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:50 < Blackshark> !iporder
12:50 < vpnHelper> Blackshark: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
12:51 < Blackshark> !/30
12:51 < vpnHelper> Blackshark: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
12:57 -!- albech [n=albech@119.42.76.62] has quit [Connection timed out]
12:57 < [4-tea-2]> !topology
12:57 < vpnHelper> [4-tea-2]: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
12:57 < [4-tea-2]> Ah, nice.
13:03 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
13:07 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has joined ##openvpn
13:19 -!- lataffe_ [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
13:33 -!- Blackshark [n=a@p579FAE0D.dip.t-dialin.net] has quit ["( www.nnscript.com :: NoNameScript 4.21 :: www.esnation.com )"]
13:44 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
13:45 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has joined ##openvpn
14:09 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 104 (Connection reset by peer)]
14:14 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn
14:19 -!- fraktlap is now known as fraktlap_
14:20 -!- fraktlap_ is now known as fraktlap
14:20 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has left ##openvpn []
14:21 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn
14:27 -!- unix3 [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
14:28 -!- unix3 [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Client Quit]
14:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)]
14:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:34 < fraktlap> if openvpn can't connect, how do I know if the problem is on my end or on the vpn provider's end?
14:34 < fraktlap> Mine says TLS Error: TLS key negotiation failed to occur within 60 seconds
14:35 < fraktlap> and handshake failed
14:39 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
14:39 < havoc> afternoon
14:57 -!- dli [n=dli@adsl-75-21-89-56.dsl.chcgil.sbcglobal.net] has joined ##openvpn
14:57 < dli> I'm running in server/client mode, how do I get fixed IP for clients?
15:00 < havoc> dli: two ways that I'm aware of....
15:00 < havoc> three actually
15:01 < havoc> hardcoded on the client, managed by DHCP server by MAC addr, and managed by ovpn server via address pool and client config dir
15:01 < havoc> I *think* those are the ways
15:05 < dli> havoc, don't run dhcpd server
15:05 < dli> havoc, so, I need address pool, and client config dir
15:08 < havoc> if you want to have the ovpn server manage things, yes
15:09 < havoc> then in each client config file you do the ifconfig-push I think
15:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Remote closed the connection]
15:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
15:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:43 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
15:46 < ghoti> So ... if I have DeployStudio Server installed, do I even need the OSX Server System Image Utility?
15:46 < ghoti> Woops, wrong channel. :)
15:52 -!- gebura [n=nnnnnnnn@lescigales.org] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"]
15:53 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
15:53 -!- geb [n=geb@lescigales.org] has joined ##openvpn
15:57 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has quit [Success]
15:59 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
16:00 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit]
16:10 -!- frakt^lap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has joined ##openvpn
16:12 -!- js_ [n=js@193.0.253.161] has quit [Read error: 60 (Operation timed out)]
16:12 -!- js_ [n=js@193.0.253.161] has joined ##openvpn
16:14 * plaerzen dances.
16:18 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
16:28 -!- fraktlap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
16:30 < havoc> so, openvpn[-gui] on win2k3 as a client, it connects to the ovpn server but the TAP iface can't seem to get an IP from DHCP, while other clients can
16:31 < havoc> I'm guessing the TAP adapter for the version of openvpn I installed is incompatible with win2k3
16:31 < havoc> any thoughts?
16:32 < havoc> I have tried both the stable and development versions of openvpn-gui
16:46 -!- c64zottel [n=hans@p5B17B263.dip0.t-ipconnect.de] has quit ["Leaving."]
16:49 < krzie> ive done it on win2k3 before
16:49 < krzie> check that the firewall isnt active for the tap device
16:56 < havoc> krzie: thanks, I'll check
16:59 < krzie> i cant guarantee anything, i never used bridge mode in windows, but i know the device works in 2k3
16:59 < havoc> I'm not bridging
16:59 < krzie> oh ok, you mentioned dhcp, i assumed you meant from a dhcp server on a bridge
17:00 < havoc> I'm trying to use this win2k3 server as just another VPN client for a remote routed network
17:00 < krzie> ahh cool
17:00 < havoc> yes, addresses are managed by the remote DHCP server
17:00 < havoc> this win2k3 machine is the only problem, a few dozen other working clients
17:00 < krzie> by the openvpn process on the openvpn server, right?
17:00 < havoc> mostly winxp
17:01 < havoc> huh?
17:01 < krzie> as opposed to dhcpd or a router giving dhcp
17:01 < havoc> no, things are managed by DHCP, not openvpnd
17:01 < krzie> umm, how so?
17:01 < krzie> dhcp is not something that flows over a routed tun
17:02 < havoc> TAP, not TUN
17:02 < krzie> so the clients have dev tap?
17:02 < havoc> and yes, over TAP it works fine, I've been using it for a couple years this way
17:02 < krzie> and without a bridge?
17:02 < havoc> the linux clients are TAPs, and the windows clients are as well
17:02 < havoc> no bridge
17:03 < krzie> interesting
17:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:03 < krzie> mind if i see your configs?
17:04 < krzie> if for nothing else maybe i can learn something from them
17:04 < havoc> the ovpn configs are very basic, almost identical to the howto
17:04 < krzie> if i can. please strip comments from them
17:05 -!- frakt^lap [n=sdads@c-02dee655.03-54-626f721.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
17:05 < havoc> the trick I think is that the ovpn server is a multi-NIC linux box
17:06 < havoc> the DHCP server in this instance is a Windows DHCP server on one of the segments, and the linux box runs dhcp3-relay
17:12 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, havoc, isox, onats1, krzie, qknight, sirus, M06w, dazo, disco-, (+48 more, use /NETSPLIT to show all of them)
17:20 -!- Netsplit over, joins: epaphus, karlpinc, js_, krzie, geb, dli, havoc, krzee, nemysis, bandini (+48 more)
17:23 -!- geb [n=geb@lescigales.org] has quit [Remote closed the connection]
17:24 -!- geb [n=ngeb@lescigales.org] has joined ##openvpn
17:24 < krzie> hahaha i LOVE jager bombs!
17:24 < geb> hi/re
17:26 < Bushmills> why am i not surprised :D
17:26 < krzie> why do i get the feeling that you guys laugh at jager bombs in germany
17:26 < krzie> lol
17:26 < krzie> hey geb =]
17:28 < krzie> havok, well done config... you might wanna try verb 6 on the server / non-working client and see if the logs say anything interesting
17:28 < krzie> or post the logs and ill look
17:28 < havoc> I'm still poking about
17:28 < krzie> theres a couple things you could add for security too, if you're interested ill tell you what they are
17:28 < Bushmills> krzee, no we don't. in fact, that combination isn't seen too frequently
17:29 < Bushmills> krzee, you're more likely to see hard liquor from grain in your beer
17:29 < krzie> a jager bomb is a shot of jager dropped into a glass of red bull, then you drink it all very fast
17:30 < krzie> tastes very good, and is fun
17:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:31 < Bushmills> krzee, what's your date?
17:32 < krzie> my date?
17:32 < Bushmills> meaning, what day is it in your location
17:32 < krzie> its 4/20!!!
17:32 < Bushmills> yes!
17:32 < Bushmills> before you forget
17:32 < krzie> happy 420 bro!
17:32 < Bushmills> hehe
17:33 < krzie> ya i celebrated last night
17:33 < krzie> since ill be at work til after midnight
17:33 < krzie> thats so cool that everywhere in the world knows about that
17:33 < krzie> it comes from where im from
17:34 < Bushmills> i was just reminded of it from the chat in the #electronics channel :)
17:34 < krzie> im actually an op in #420 on efnet
17:36 < Bushmills> remarkable resemblance of 42 and 420
17:36 < krzie> oooo, the answer to life and everything
17:38 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has joined ##openvpn
17:39 < havoc> bah, getting "The route addition failed: Either the interface index is wrong or the gateway does not lie on the same network as the interface. Check the IP Address Table for the machine."
17:40 < havoc> yet it's the same setup as every other machine
17:40 < havoc> it's just this win2k3 box that's not working
17:40 < havoc> granted it's the only win2k3 client, but linux, winxp, winxp64, vista, and vista64 clients all work fine, all same configs
17:47 < havoc> oh crap
17:48 < havoc> fixed, stooopid oversight
17:48 < havoc> DHCP service was *disabled* on the client ;)
17:48 < krzie> nice, what was it?
17:48 < krzie> ahhh there ya go
17:48 * havoc kicks the guy who set this up
17:49 < havoc> it's a web server in the DMZ
17:49 < havoc> we want to do backups of it from the LAN side
17:50 < krzie> yanno with tap if someone gets in they can do layer2 attacks on you over your vpn, right?
17:50 < havoc> yeah :|
17:50 < havoc> but there's no other way to do it
17:50 < havoc> this way they don't have full LAN access though
17:50 < havoc> all they can really do is fill up the space on the backup server to quota
17:51 < havoc> vpn/gw/router box controls everything else
17:51 < havoc> what this machine has access to is severely restricted
17:51 < krzie> cant they communicate via ARP?
17:51 < havoc> to what?
17:51 < havoc> they could try to dos the ovpn machine, but that's as far as they get
17:52 < krzie> to the server / machines on server's lan?
17:52 < krzie> via arp over layer2 tunnel...
17:52 < havoc> and since that box also firewalls the client in the dmz they'd knock themselves offline too
17:52 < krzie> not a dos
17:52 < krzie> they can arp poison
17:53 < havoc> eh
17:53 < havoc> I'm not that concerned :)
17:54 < krzie> cool
17:54 < krzie> do you want to hear the other stuff you can do to secure this vpn?
17:54 < havoc> a little downtime is not that big a deal
17:54 < krzie> theres 2 things you arent taking advantage of
17:54 < havoc> and they can only do it when the VPN is active
17:54 < havoc> yeah, I bet I know what they are ;)
17:54 < krzie> btw arp poisoning is NOT a dos attack and does NOT cause downtime
17:54 < krzie> its the method for sniffing across a switched network
17:55 < havoc> yeah, that would do them no good
17:55 < havoc> no good past the router anyway
17:55 < havoc> not the way I have shorewall setup anyway
17:56 < havoc> as it is I'm doing arp proxying for the dmz hosts
17:56 < havoc> this way they have the same IP config in or out of the dmz
17:57 < havoc> krzie: it's a crazy convoluted setup
17:57 < havoc> multiple locations, all essentially Windows shops/clients glued together by linux
17:58 < krzie> cool, just wanted to make you aware of the fact you are opening yourself up to layer2 attacks when you dont need to
17:58 < krzie> but its all upto you, your setup
17:58 < havoc> yeah, there are a few things I need to do yet, I know :(
17:58 < havoc> just lacking time
17:58 < havoc> :(
17:58 < krzie> as for the stuff you could use to strengthen your vpn, !hmac and !mitm to see them
17:59 < havoc> yeah, saw that in the howto
17:59 < krzie> hmac would add hmac sigs to every packet, mitm would protect you against man in the middle attacks
17:59 < krzie> by typing !mitm and !hmac you will see exactly how to implement them
17:59 < havoc> the current state of everything is outdated and desperately needs reworking :(
18:00 < krzie> i would go with a very similar setup, but using dev tun
18:00 < havoc> but I'm not gonna worry about it until after June, if I still have a job
18:00 < havoc> krzie: no TUN on windows clients, AFAIK?
18:00 < krzie> negative 18:00 < krzie> dev tun will use the 'tap' interface 18:01 < havoc> ah 18:01 < krzie> it will use less overhead, be an easier setup, not need dhcp service, and no layer2 attacks 18:01 < krzie> of course if you use samba you'd need a WINS server 18:01 < havoc> I need DHCP 18:01 < krzie> whys that? 18:01 < havoc> most of the clients are AD members 18:02 < havoc> Active Directory 18:02 < krzie> oh i see 18:02 < krzie> cant AD work over layer3...? 18:02 < havoc> yes, as I said, *convoluted* :( 18:02 < krzie> or is it layer2 only? 18:03 < havoc> they need an IP on a subent w/ routes to/from the DC's 18:03 < krzie> openvpn can hand out ips without DHCP doing it 18:03 < krzie> as long as that DHCP server knows not to hand out those ips it works fine 18:03 < havoc> right, but it's way easier to manage it from one place 18:03 < krzie> but hell, no huge reason to change it now if it works fine 18:03 < havoc> there are 6 subnets in dhcp 18:04 < krzie> it would still be managed from 1 place, the openvpn server 18:04 < havoc> on the windows dhcp server that is 18:04 < havoc> only one of which is the vpn zone/subnet 18:04 < krzie> but still, its not broke... i understand you not wanting to change it 18:04 < havoc> no, from the vpn server and from the AD DHCP server 18:05 < havoc> AD DNS would also not get updated if ovpn handled it, which breaks all the netbios stuff 18:06 < krzie> gotchya 18:06 < havoc> there's just many many factors involved :( 18:06 < krzie> wins on the AD machine wouldnt handle that? (while allowing samba to work) 18:07 < havoc> no samba 18:07 < krzie> but ya, it works now like i said, why go through all that effort if you dont need to 18:07 < havoc> that would be yet another thing to maintain 18:07 < havoc> I've got 3 routed and one bridged location(s) all interconnected 18:07 < havoc> and all routed/firewalled differently 18:08 < krzie> sounds like thats actually more complicated than it has to be 18:08 < havoc> e.g. 
my home/office network being small is just bridged, but MASQ'd to the other networks 18:08 < havoc> so I have full access to them, but they have no access to my internal LAN 18:09 < havoc> krzie: I think I know what you're thinking, and I assure you that a central site w/ the other sites as clients was tried 18:09 < havoc> but do to the limited bandwidth at each site users had to be allowed to connect directly to each site 18:10 < havoc> and I set the routing metrics so they could actually be connected to multiple sites at once, but best path would be taken 18:10 < krzie> ahh nice 18:10 < krzie> i gotchya =] 18:10 < havoc> one site was a 6mbps/512kbps ADSL line :( 18:11 < krzie> hah i wish i could get that here 18:11 < havoc> while 2 other sites are *now* 15/2 mbps 18:12 < krzie> ya that makes sense 18:12 < havoc> so yes, it's complicated, but no more than necessary to support the traffic my users dish out :( 18:12 < krzie> understood 18:13 < havoc> I showed you a sanitized client config for one site, there are actually more routes with metrics from 25-50 18:13 < havoc> and the hmac stuff is *kindof* there, but got broken, that line was commented out, and removed from what I showed you 18:14 < havoc> the main issue is that right now I alone *am* the IT Dept. :( 18:16 < krzie> the hmac stuff is very very simple, just a static key 18:16 < krzie> !hmac 18:17 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:17 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:18 < krzie> then for MITM, all you do is rebuild the server cert to be signed as a server
18:19 < krzie> and tell the clients to check for it (!mitm / !servercert for details)
18:26 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:28 < havoc> krzie: thanks for the help :)
18:29 -!- havoc [n=havoc@saturn.chaillet.net] has left ##openvpn ["bbl"]
18:50 -!- eliasp_ [n=quassel@78.43.213.203] has joined ##openvpn
18:51 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 113 (No route to host)]
19:36 -!- geb [n=ngeb@lescigales.org] has quit [Remote closed the connection]
19:37 -!- geb [n=nngeb@lescigales.org] has joined ##openvpn
19:39 < geb> hi
19:39 < geb> i was trying to debug network-manager openvpn on debian
19:40 < krzie> !ubuntu
19:40 < vpnHelper> krzie: "ubuntu" is don't use network manager!
19:40 < krzie> ;]
19:40 < geb> after a lot of search (and a valuable help :) ) i found that openvpn didn't export the trusted_ip env var
19:41 < geb> and that explained the problem and the solution (setting it manually)
19:41 < krzie> setting it manually where?
19:43 < geb> http://pastebin.com/m73d454cd
19:43 < geb> with a dirty hack
19:44 < geb> now it works (i am connected from the vpn) but i wonder where to submit the bug report (if it is useful)
19:45 < geb> can anybody help me to see if it is a problem with debian packaging or openvpn ?
19:46 < krzie> sounds like a netmanager specific issue
19:47 < geb> sure ? man openvpn says that trusted_ip should be set (maybe it differs with the calling)
19:48 < krzie> what did it stop from working?
19:48 < krzie> and what version of openvpn do you have installed
19:50 < geb> debian testing 2.1~rc11-1
19:50 < krzie> and when starting the same tunnel without your hack, and without network manager, does it work?
19:50 < geb> yes it works
19:50 < krzie> also rc11 is no good, if gunna use 2.1 use rc15
19:50 < krzie> if it works without network manager but not WITH network manager, you know where the problem is
19:51 < krzie> it has many issues, which is why my bot tells you to not use it when i type !ubuntu
19:51 < geb> http://packages.debian.org/search?keywords=openvpn i don't have much choice :)
19:51 < vpnHelper> Title: Debian -- Package Search Results -- openvpn (at packages.debian.org)
19:51 < krzie> you're aware that openvpn will install fine from source...
19:52 < krzie> meaning you have as much choice as you choose to have
19:52 < geb> :)
19:53 < geb> it works without network-manager but network-manager uses trusted_ip for updating the routing table, that's why there is a problem
19:54 < krzie> if network-manager doesn't work but openvpn does, you found the problem
19:55 < geb> i am not sure i understand well, you think the problem is network-manager ?
19:55 < krzie> it is
19:56 < krzie> cause you see, openvpn doesn't come with a gui
19:56 < geb> but man openvpn says that openvpn should set the $trusted_ip env
19:56 < geb> and it doesn't
19:56 < krzie> so any gui that should work with openvpn needs to conform to how openvpn works
19:56 < krzie> it would SET the var, which could not be exported to a parent
19:57 < krzie> you can only export to children, not parents
19:57 < krzie> but no matter what, it's network-manager's fault
19:57 < geb> it is in a child
19:57 < krzie> as if they want to work as a gui wrapper for openvpn, they need to conform to openvpn
19:57 < krzie> they can't do something how they expect it to work, they need to do it how it DOES work
19:58 < krzie> openvpn doesn't start network manager
19:58 < krzie> network manager starts openvpn
19:58 < krzie> which means openvpn is a child of NETMAN, and not the other way around
19:58 < krzie> but that does not matter
19:58 < geb> network manager starts openvpn, which starts a network-manager process with --up
19:58 < krzie> here's all that matters:
19:59 < krzie> it works when you do it manually, not with network manager
19:59 < krzie> that's ALL that matters
19:59 < krzie> there is no argument to say it's not network manager's fault
19:59 < krzie> also, try rc15 to see if that works
20:00 < krzie> because rc11 is known to have some issues (which is why it's not the latest 2.1 release)
20:00 < geb> ok i will try
20:00 < geb> thanks :)
20:00 < krzie> but if it doesn't work, it's netman's fault
20:01 < krzie> anything that doesn't work in netman but does from commandline is netman's fault
20:02 < geb> please note that i am not a netman developer, just a user who found a problem and is trying to find where it comes from :)
20:02 < geb> but thanks for your help :)
20:04 < krzie> np =]
20:06 -!- geb [n=nngeb@lescigales.org] has quit [Remote closed the connection]
20:07 -!- geb [n=nnngeb@lescigales.org] has joined ##openvpn
20:14 < geb> krzie, http://pastebin.com/m3539ea6c
20:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:15 < geb> so ... i think it is more a bug related to debian packaging (if rc11 breaks $trusted_ip) than network-manager
20:16 < krzie> ok
20:16 < krzie> so it worked when you installed rc15 from source?
20:16 < krzie> that's the easy way to tell that...
20:17 < krzie> if netman works with rc15 from source, then it's either debian packaging or the fact that they are still using rc11
20:17 < theDoc> Only 2.1gb transferred.
20:17 < theDoc> Hmm.
20:17 < krzie> if not, then it's netman
20:17 < krzie> sup doc
20:17 < theDoc> 'sup krzee
20:17 < theDoc> Check out the b/w usage after a couple of us have been using the vpn server for a month or so.
20:18 < theDoc> Only 2.1gb, we're kind of light ;p
20:18 < theDoc> I have 3tb worth of transfers to blow
20:20 < krzie> werd
20:20 < krzie> =]
20:22 < geb> krzie, i didn't install it from sources (will test soon), but did you see my link ? it seems that it is not network-manager related (debian's openvpn rc11 doesn't export $trusted_ip)
20:23 < krzie> right, so it's either a problem with debian packaging or with rc11
20:23 < krzie> you'll know for sure if it has anything to do with netman or not when you install from source to fix that problem
20:24 < geb> ok, should i compile it both on the client and the server or only the client ?
20:26 < krzie> are both using rc11?
20:26 < geb> yes
20:26 < krzie> you shouldn't be using rc11 anywhere
20:26 < geb> that's what debian provides
20:26 < krzie> if you choose to use dev branch, try to follow it, it's accepted there may be some bugs
20:26 < krzie> that's debian's fault
20:27 < krzie> you can try to convince them to update, or do it yourself
20:27 < geb> i will submit a bug report, but just for testing should i update the server and the client or only the client ?
20:29 < krzie> no clue, i would update both
20:29 < geb> ok, thanks :)
20:45 -!- eliasp_ is now known as eliasp
20:46 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
21:31 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
22:19 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
22:19 -!- floyd_n_milan [n=quassel@203.129.237.147] has joined ##openvpn
22:25 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
22:26 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn
22:30 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has joined ##openvpn
22:30 -!- Lilarcor_ [n=Lilarcor@pool-71-126-188-188.washdc.east.verizon.net] has quit [Remote closed the connection]
23:24 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn
--- Day changed Tue Apr 21 2009
00:10 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 110 (Connection timed out)]
01:07 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn
01:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:40 -!- eliasp [n=quassel@78.43.213.203] has quit [Read error: 145 (Connection timed out)]
02:44 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has joined ##openvpn
02:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:19 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has left ##openvpn []
03:56 < ThoMe> good morning!
03:56 < ThoMe> :-)
03:56 < ThoMe> knock knock wake up leo! :-)
04:00 < krzee> morning
04:01 < ThoMe> krzee: hello
04:01 < ThoMe> krzee: do you understand German?
04:03 < krzee> just english
04:03 < ThoMe> krzee: I would like to tell my openvpn server (193.108.19.245) to push
04:03 < ThoMe> the net 193.108.19.0
04:03 < ThoMe> like: push "route 193.108.19.0 255.255.255.0 10.55.0.1"
04:03 < ThoMe> is this correct?
04:03 < krzee> !push
04:03 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
04:03 < ThoMe> krzee: push "route 193.108.19.0 255.255.255.0 10.55.0.1"
04:04 < krzee> who is 10.55.0.1?
04:04 < ThoMe> but when i try this then i have no connection anymore :-(
04:04 < ThoMe> 10.55.0.1 is the openvpn server /(internal)\
04:04 < krzee> then remove that
04:04 < ThoMe> what?
04:04 < krzee> just push "route 193.108.19.0 255.255.255.0"
04:04 < ThoMe> ah ok
04:04 < krzee> so 193.108.19.0 is a network behind the server?
04:05 < ThoMe> Solver: hm, when i try this, without 10.55.0.1 then
04:06 < ThoMe> eem. krzee
04:06 < ThoMe> Tue Apr 21 11:06:27 2009 us=765000 Bad LZO decompression header byte: 0
04:06 < ThoMe> hmm.
04:07 < ThoMe> krzee: my openvpn server has: eth0 = 193.108.19.245
04:08 < ThoMe> krzee: hm :-(
04:17 < ThoMe> krzee: huhu?
04:22 < krzee> !configs
04:22 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
04:23 < ThoMe> grrr
04:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:37 < krzee> !configs
04:37 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
04:38 < krzee> no need to message me logs
04:38 < krzee> my bot will tell you what i need
05:02 < krzee> ThoMe, you gunna post your configs...?
05:10 < geb> krzie, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524979
05:10 < vpnHelper> Title: #524979 - openvpn dont set $trusted_ip when launching a child with --up - Debian Bug report logs (at bugs.debian.org)
05:13 < krzee> so netman worked right when ovpn was installed from source?
05:16 -!- troy is now known as troy-
05:16 < geb> i chose to report before completing the test as suggested by a debian developer
05:18 < krzee> weird suggestion but cool
05:42 -!- geb [n=nnngeb@lescigales.org] has quit [Remote closed the connection]
05:43 -!- geb [n=nnnngeb@lescigales.org] has joined ##openvpn
06:00 < ThoMe> krzee: wait, one moment.
06:03 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
06:03 < Coke> Hi guys. I have my openvpn server and client connected to each other, is there some magic to making them behave like routers or is it simply a matter of setting up the correct NAT through iptables?
06:04 -!- Lilarcor_ [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
06:04 -!- Lilarcor_ [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection]
06:05 < Coke> oh wait, it's a simple forward
06:08 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn []
06:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
06:58 -!- geb is now known as gebura
06:59 < krzee> !ipp
06:59 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address.
If you want guaranteed assignment, see !iporder and !static
07:00 < krzee> !sample
07:00 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
07:01 < ecrist> heya mother fucking bitch-ass two-timing cum guzzling gutter sluts.
07:01 < krzee> sup eric
07:02 < ecrist> how goes today, krzee?
07:02 < krzee> it's still last night ;]
07:03 < ecrist> ahh.
07:03 < ecrist> I'm getting ready to do some trail riding this weekend.
07:03 < ecrist> only a 4-day work-week this week. :)
07:03 < ecrist> preparing to roll ldap out to our last two systems here.
07:04 < ecrist> writing a staff front-end for client account management
07:04 < ecrist> mostly done, but man, what a pita
07:05 < krzee> right on =]
07:07 < ecrist> I have too much to do.
07:07 < ecrist> I still haven't rolled any services over to my new(ish) 1850
07:07 < ecrist> nor have I finished developing the blackberry theme site.
07:07 < ecrist> even though people are *still* wanting more themes posted there.
07:08 < ecrist> oh well. I'm going to look at some porn.
07:09 < ecrist> hey, did you and Dougy get the phpbb stuff figured out? I found your post and locked/stickied it.
07:09 < krzee> ahh werd
07:09 < krzee> how'd you do it!?
07:10 < ecrist> I just clicked on moderator control panel and set the options.
07:10 < ecrist> don't you have mod access?
07:12 < krzee> i have admin control panel
07:12 < krzee> no mod control panel
07:12 < krzee> that must be why
07:12 < ecrist> ok, log in/out
07:13 -!- simplechat [n=betabot@li20-55.members.linode.com] has left ##openvpn ["Leaving"]
07:18 -!- thnee [n=thnee@thnee.se] has joined ##openvpn
07:18 < thnee> !howto
07:18 < vpnHelper> thnee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
07:18 < thnee> 0!redirect
07:18 < thnee> !redirect
07:18 < vpnHelper> thnee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:18 < thnee> !logs
07:18 < vpnHelper> thnee: "logs" is please pastebin your logfiles from both client and server with verb set to 6
07:18 < thnee> !configs
07:18 < vpnHelper> thnee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
07:19 < thnee> !interface
07:19 < vpnHelper> thnee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:21 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:21 < thnee> i am connecting to a server using '# openvpn config.ovpn', and i get the tun0, and right IP and everything, and it works. but my DNS settings are not updated. the server does push DNS, and another OSX client does get the correct dns settings.
07:23 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit [Client Quit]
07:23 < thnee> so how do i explore this problem further? it kinda sucks to do networking with DNS
07:23 < thnee> without DNS..
07:23 < ecrist> logs
07:23 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:23 < ecrist> post logs from server and client
07:24 < krzee> the client is osx/?
07:24 < krzee> (that doesn't get the dns settings)
07:24 < thnee> my client is openvpn on linux, that doesn't get the dns settings.
the other (OSX) client, does get them
07:24 < krzee> you need a script to update resolv.conf
07:25 < thnee> ok
07:25 < thnee> so openvpn isn't supposed to do this at all? (there isn't really a problem?)
07:26 < krzee> that's my understanding of it
07:26 < thnee> that sucks
07:26 < thnee> and i am supposed to just fix this script myself?
07:26 < krzee> on windows a reg setting must be changed to allow it, unix needs a script to update resolv.conf
07:26 < thnee> or is there some package maybe?
07:26 < krzee> i believe a script comes with the source
07:26 < krzee> !pushdns
07:26 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
07:27 < krzee> it's mentioned in that thread
07:27 < ecrist> WHAT!?! I have to do something for myself?
07:27 < thnee> ecrist: calm down, it's not that big of a deal
07:27 < tjz> lol
07:28 < krzee> thnee, did you read up on what you were doing...?
07:28 < krzee> --dhcp-option type [parm]
07:28 < krzee> Set extended TAP-Win32 TCP/IP properties, must be used with --ip-win32 dynamic or --ip-win32 adaptive. This option can be used to set additional TCP/IP properties on the TAP-Win32 adapter, and is particularly useful for configuring an OpenVPN client to access a Samba server across the VPN.
07:28 < krzee> it's for win32
07:29 < krzee> but a script can make a unix client use it too
07:29 < krzee> Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}".
07:37 < thnee> well this /etc/openvpn/resolv.conf doesn't do much..
it exits immediately, and nothing is changed
07:37 < thnee> sorry /etc/openvpn/update-resolv-conf
07:39 < thnee> i am simply running it, after connecting to the vpn
07:40 < thnee> doesn't matter if i run it with up or down as argument
07:41 < krzee> lol
07:41 < krzee> no kidding
07:41 < thnee> okay
07:41 < krzee> when it gets called via up, variables are passed to it
07:42 < krzee> when you call it it has no clue what you want
07:42 < thnee> it should say that..
07:42 < thnee> anyway
07:42 < thnee> maybe i should just add it to my openvpn.conf instead of trying to run it by myself
07:42 < thnee> i was just interested in how it works
07:43 < krzee> read it to see how it works
07:43 < krzee> if you read the manual it doesn't need to say that
07:44 < krzee> because that's how all scripts work with openvpn
07:46 < thnee> ok so i added the up/down to /etc/openvpn/openvpn.conf (which didn't exist), and it does nothing. i am guessing openvpn has some other config file..
07:47 < thnee> or maybe i should add it to my .ovpn file, but that's not what the script says
07:47 < krzee> the only config files it has are what you tell it
07:47 < thnee> can i put it there?
07:47 < krzee> add it to whatever config file you run in openvpn
07:57 < thnee> ok the synopsis for running openvpn is a little odd
07:58 < thnee> apparently i can run $ openvpn somefile.ovpn, but this doesn't really say so in the manual
07:59 < thnee> it does however mention --config
07:59 < krzee> --config file
07:59 < krzee> Load additional config options from file where each line corresponds to one command line option, but with the leading '--' removed.
07:59 < krzee> If --config file is the only option to the openvpn command, the --config can be removed, and the command can be given as openvpn file
08:00 < krzee> it's not said in the manual you say?
08:00 < thnee> oh
08:00 < thnee> so it's the same
08:01 < thnee> ok then i did it right, cause i added the up/down stuff to my .ovpn file, but it still doesn't change my resolv conf
08:02 < krzee> look in logs
08:03 < thnee> yes they tell me this openvpn_execve: external program may not be called due to setting of --script-security level
08:03 < ecrist> thnee: have you read any of the documentation?
08:03 < thnee> ecrist: yes
08:05 < krzee> !linipforward
08:05 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
08:05 < krzee> !linnat
08:05 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:09 < [4-tea-2]> thnee: script-security 2
08:09 < [4-tea-2]> thnee: this has been a recent change, I don't think it's in the man page.
08:09 < krzee> it is
08:09 < [4-tea-2]> It wasn't when I last checked.
08:09 < thnee> yeah i just read about it at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494998
08:09 < vpnHelper> Title: #494998 - tunnels that use update-resolvconf do not start after upgrade anymore - Debian Bug report logs (at bugs.debian.org)
08:09 < krzee> --script-security level [method]
08:09 < krzee> This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
08:09 < krzee> 0 -- Strictly no calling of external programs.
08:09 < krzee> 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
08:09 < krzee> 2 -- Allow calling of built-in executables and user-defined scripts.
08:09 < krzee> 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
08:09 < thnee> tunnel works, DNS works
08:10 < krzee> The --script-security option was introduced in OpenVPN 2.1_rc9. For configuration file compatibility with previous OpenVPN versions, use: --script-security 3 system
08:10 < thnee> thanks for the help krzee
08:10 < krzee> np
08:10 < [4-tea-2]> http://openvpn.net/man.html <-- not there
08:10 < vpnHelper> Title: OpenVPN 2.0.x Man Page (at openvpn.net)
08:10 < krzee> right, it was introduced in 2.1rc9
08:10 < ecrist> [4-tea-2]: it's not a feature in 2.0.9
08:10 < krzee> shouldn't belong in 2.0 man page
08:10 < [4-tea-2]> That's what I meant to say before.
08:11 < ecrist> but, it *is* in the man page
08:11 < [4-tea-2]> I should've said "this has been a recent change, I don't think it's in the 2.0.9 man page."
08:11 < [4-tea-2]> Well, the man page on openvpn.net is my main reference, tbh.
08:11 < ecrist> there are two man pages
08:11 < ecrist> one for 2.0.x and one for 2.1.x
08:12 < ecrist> which is on openvpn.net
08:12 < [4-tea-2]> Hmmmm. Indeed. I would bet that a few weeks ago, there was 1.x and 2.0.x, but perhaps I got confused by the versioned HOWTOs.
08:13 < ecrist> there has been a 2.1.x man page for well over a year, at least.
08:13 < [4-tea-2]> Then I got confused.
08:14 < [4-tea-2]> ./nick Smoketoomuch
08:14 < thnee> lol
08:15 < krzee> !man
08:15 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:16 < [4-tea-2]> Can you add "(#4) picking the correct man page is advisable"? ;)
08:16 < krzee> seems useless to me
08:17 < [4-tea-2]> I see, all business. ;)
08:17 < [4-tea-2]> Just trying to make fun of my stupidity. It's the only way I can handle it. ;)
08:18 < krzee> hehehe
08:37 -!- tjz [n=tjz@bb121-6-18-221.singnet.com.sg] has quit [Success]
08:59 < ThoMe> krzee: huhu?
08:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:03 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
09:03 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Nick collision from services.]
09:03 -!- theDoc- is now known as theDoc
09:10 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
09:24 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
09:43 < ecrist> what is huhu?
09:46 < [4-tea-2]> huhu is "hello" in german
09:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:47 -!- dli [n=dli@adsl-75-21-89-56.dsl.chcgil.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
09:51 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 113 (No route to host)]
09:52 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
09:52 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 60 (Operation timed out)]
09:54 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
10:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
10:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:18 -!- tjz [n=tjz@bb220-255-39-133.singnet.com.sg] has joined ##openvpn
10:29 < funky> which method do you recommend me to use for auth against ldap/AD ?
10:39 < ecrist> there is a script out there for such.
10:39 < ecrist> dazo has a program which claims to assist with the ephria or something
10:39 < ecrist> !ephria
10:39 < vpnHelper> ecrist: Error: "ephria" is not a valid command.
10:40 < ecrist> http://www.eurephia.net/
10:40 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:40 < ecrist> !learn ldap as http://www.eurephia.net/
10:40 < vpnHelper> ecrist: Joo got it.
10:40 < dazo> funky: I have written an authentication module .... eurephia ... but it does not do AD nor LDAP yet
10:41 < ecrist> !forget ldap
10:41 < vpnHelper> ecrist: Joo got it.
10:41 < dazo> :)
10:41 < ecrist> !learn eurephia as http://www.eurephia.net/
10:41 < vpnHelper> ecrist: Joo got it.
10:52 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
11:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:15 -!- nemysis [n=nemysis@25-190.3-85.cust.bluewin.ch] has quit [Connection timed out]
11:16 -!- nemysis [n=nemysis@214-42.106-92.cust.bluewin.ch] has joined ##openvpn
11:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:22 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
11:22 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
11:23 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
11:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
11:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:34 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has joined ##openvpn
11:42 -!- albech [n=albech@119.42.76.62] has quit [Success]
11:55 < funky> sorry, I was working
11:56 < funky> http://code.google.com/p/openvpn-auth-ldap/ <- I'm trying this
11:56 < vpnHelper> Title: openvpn-auth-ldap - Google Code (at code.google.com)
11:56 < funky> but I still haven't been able to make it work
11:56 < funky> has any of you tried this method before?
12:32 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
12:32 < Improv> Hi all - is it hard to connect 2 layer2 OpenVPNs to each other?
12:33 < Improv> Or is it as simple as having the 2 servers mutually accepting each other as clients?
12:34 -!- albech_ [n=albech@119.42.76.62] has quit [Read error: 104 (Connection reset by peer)]
12:35 < krzee> Improv, do you need layer2 between the layer2 servers?
12:36 < krzee> actually, i guess that doesn't matter...
12:36 < krzee> just start a client on 1 server that connects to the other
12:37 < Improv> krzee: The servers don't intend to participate in the layer2 networks at all
12:37 < krzee> but if they give out ips in the same subnet there could be conflicts if you aren't careful about who hands out what addresses
12:37 < krzee> ok, but you do in fact need layer2 vpn, right...?
12:37 < Improv> krzee: Ahh, ok, that shouldn't be a problem - I'll be statically assigning IPs
12:37 < Improv> krzee: Yes. I am integrating OpenVPN into network testbed software.
12:37 < krzee> gotchya
12:38 < Improv> krzee: .... and I'd configure that client to bridge its OpenVPN over the interface of the other OpenVPN...
12:38 < Improv> Is that right?
12:38 < krzee> is there a reason you need 2 servers?
12:38 < krzee> much easier to just have 1
12:39 < Improv> krzee: imagine 2 networks with 1 exposed system each, and then a bunch of systems with no public IPs
12:39 < krzee> i see no problem...
12:39 -!- Alagar [n=helpdesk@dont.rootkit.me] has left ##openvpn []
12:39 < Improv> krzee: the nonexposed systems don't even have NAT
12:39 < krzee> hell you could do that with 1 server in routed OR bridged
12:39 < krzee> they can communicate with the openvpn machine on their lan, right?
12:39 < Improv> krzee: Yes
12:40 < krzee> ya, np
12:40 < Improv> but they need layer-2 connectivity to nonexposed systems in the other network
12:40 < Improv> and vice versa
12:40 < krzee> still np
12:40 -!- troy- is now known as troy
12:40 < krzee> think of it like this
12:40 < krzee> the tap interface is a virtual interface hooked into a virtual switch with many systems on it
12:40 < Improv> krzee: I don't see how I can avoid needing 2 openvpn instances, one on each of the 2 exposed systems
12:41 < krzee> (not really, but can think of it that way)
12:41 < Improv> and then all nodes as clients
12:41 < krzee> no way
12:41 < krzee> they can ARP to the openvpn node on their network
12:41 < krzee> after the bridge they can ARP through to all machines on the other side
12:41 < krzee> that's what a bridge is
12:41 < krzee> yes you need 2 instances
12:41 < Improv> I need isolation
12:41 < krzee> 1 client 1 server
12:42 < Improv> These packets can't go out over the normal channel.
12:42 < Improv> They *must* have a separate per-experiment IP that's user-defined.
12:42 < krzee> all nodes will communicate through the bridge to each other
12:42 < Improv> and it must be separate from the normal network traffic
12:42 < krzee> IP doesn't matter, that's layer3
12:42 < krzee> layer2 bridge, they will all communicate using ethernet packets
12:42 < krzee> as if they were on the same switch
12:43 < Improv> hmm
12:43 < krzee> because you built a bridge between the 2 networks
12:43 < krzee> think of it as if it were 2 lans with a bridge connecting
12:43 < krzee> all in 1 location
12:43 < Improv> right
12:43 < krzee> it's the same thing, only with a fancy vpn instead of a lil lan bridge
12:43 < Improv> I am not convinced that this gives me the depth of isolation I need.
12:43 < krzee> the what stays the same, only the how changes
12:44 < krzee> i have no clue what you mean by isolation
12:44 < krzee> if you bridge, this is what you get
12:44 < krzee> if you don't want that, you want routed
12:44 < krzee> i suggest to * to go routed, but you seem to need layer2 for custom software that must operate on layer2
12:44 < Improv> krzee: I think I need each node to talk openvpn to the exposed node too, in order to completely encapsulate the experimental network
12:45 < krzee> THAT'S HOW IT WORKS!
12:45 < krzee> arps will go over the vpn to the other side
12:45 < krzee> through their local node
12:45 < krzee> err their local vpn endpoint
12:45 < Improv> krzee: I think I could explain, but it would involve talking a lot more about our architecture than you'd care to know.
12:46 < krzee> welp, that's how a bridge works
12:46 < Improv> krzee: I am not trying to make layer2 bridges between existing networks that are being used "raw", I am trying to more "create" new layer2 networks
12:47 < krzee> then you must make real separate lans
12:47 < Improv> Our network testbed software creates arbitrary network topologies for experiments..
12:47 < Improv> and I am integrating OpenVPN into it
12:48 < krzee> ya i don't fully understand, but i think i made myself clear as to what i believe a bridge will give you
12:48 < Improv> Right. I don't think a simple bridge does all I want.
12:48 < krzee> whether thats what you want or not i cant say
12:48 < krzee> you can also pass layer2 without bridging
12:48 < krzee> by using dev tap but no bridge
12:49 < krzee> i cant elaborate on how or why that could help you, but i think you wanna play with it
12:49 < Improv> I'll look into that
12:49 < krzee> and if youd like to make a real detailed post the mail list might be a good place for this one
12:49 < krzee> !mail
12:49 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
12:50 < Improv> I'll send something to the users list as a sanity check, thanks.
12:51 < krzee> np
12:52 < Improv> err... if I can figure out how news.gmane.org works :)
12:53 -!- albech_ [n=albech@119.42.76.62] has joined ##openvpn
12:55 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:56 < krzee> to signup you want first link
12:56 < krzee> thats just the archive at gmane
13:52 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
13:56 -!- c64zottel [n=hans@p5B17AC05.dip0.t-ipconnect.de] has quit ["Leaving."]
14:29 < ecrist> You are the ones that are the ball lickers...
14:31 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 -!- gebura [n=nnnngeb@lescigales.org] has quit [Remote closed the connection]
14:48 -!- gebura [n=nnnnngeb@lescigales.org] has joined ##openvpn
14:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:54 < ecrist> ping krzee, got some freeswitch questions for you at some point.
14:59 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:35 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
15:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.8/2009032609]"]
16:18 < krzie> did you win the nigerian lottery!?
16:32 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)]
17:02 < [4-tea-2]> Can I bind OpenVPN to two IP addresses without starting it twice?
17:02 < krzie> no, but you can let it bind to all addresses
17:03 < [4-tea-2]> Hmmm.
17:04 -!- gebura [n=nnnnngeb@lescigales.org] has quit [Read error: 60 (Operation timed out)]
17:04 < [4-tea-2]> I set up an alias interface on my VPN server, eth0:vpnhelper. When I try to connect to that IP, I seem to get responses from the main interface (eth0) instead.
17:04 -!- gebura [n=nnnnnnge@lescigales.org] has joined ##openvpn
17:05 < krzie> !factoids search alias
17:05 < vpnHelper> krzie: No keys matched that query.
17:05 < krzie> hrmmmz, i seen someone fix that before
17:05 < krzie> !factoids search ip
17:05 < vpnHelper> krzie: 'tls-cipher', 'iporder', 'winipforward', '2.1-winpass-script', 'chooseip', 'iptables', 'linipforward', 'ipv6', 'ipp', 'ipforward', and 'fbsdipforward'
17:05 < krzie> !chooseip
17:05 < vpnHelper> krzie: "chooseip" is OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice). 2 -- Use --client-config-dir file for static IP (next choice). 3 -- Use --ifconfig-pool allocation for dynamic IP (last choice).
17:05 < krzie> thats not it (happens to be the same as iporder)
17:05 < krzie> !iporder
17:06 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:06 < krzie> !forget chooseip
17:06 < vpnHelper> krzie: Joo got it.
17:06 < [4-tea-2]> I figured I could just let OpenVPN bind to the ip of eth0:vpnhelper to make sure it wouldn't send from the "wrong" address.
17:06 < krzie> !factoids search int
17:06 < vpnHelper> krzie: 'wintaphide', 'lintrafaccnt', and 'interface'
17:08 < [4-tea-2]> Well, I guess I will have to fix it with iptables instead.
17:09 < krzie> 1sec, theres an openvpn option for it
17:11 < [4-tea-2]> There's --float, but that doesn't help me.
17:11 < krzie> ya thats not it
17:15 < [4-tea-2]> Can't find anything in the man page... and this time I actually looked in the right one (2.1) *g
17:20 -!- bandini [n=bandini@host63-106-dynamic.11-79-r.retail.telecomitalia.it] has quit [Read error: 104 (Connection reset by peer)]
17:21 < krzie> hrm i cant find it either
17:21 < krzie> i also havnt slept
17:25 < [4-tea-2]> I'm trying the iptables SNAT approach, I can always fix it later.
17:31 -!- gebura [n=nnnnnnge@lescigales.org] has quit [Remote closed the connection]
17:31 < krzie> !factoids search win
17:31 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', and 'win7'
17:31 < krzie> !winipforward
17:31 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
17:32 -!- gebura [n=nnnnnnng@lescigales.org] has joined ##openvpn
17:32 -!- Gnewt [n=vector@207.115.69.54] has joined ##openvpn
17:32 < Gnewt> !howto
17:32 < vpnHelper> Gnewt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:32 < Gnewt> !route
17:32 < vpnHelper> Gnewt: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:33 < Gnewt> Hmm
17:33 < Gnewt> If I'm VPNed into my server at home and I want to access 192.168.1.1 on my home network, how do I do that?
17:34 < krzie> is your home network behind the server or client?
17:34 < Gnewt> my server is on the home network
17:34 < krzie> !learn winnat as http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
17:34 < vpnHelper> krzie: Joo got it.
17:35 < krzie> do any clients also sit on a 192.168.1.x lan?
17:35 < Gnewt> No my clients are outside of the LAN, usually from my school
17:35 < Gnewt> it's only one client... my laptop on a public network away from home
17:35 < krzie> right, but none of them are on a lan which also has 192.168.1.x, right?
17:36 < krzie> ok, so it is NEVER on 192.168.1.x, right?
17:36 < krzie> cause when it is, this will break stuff
17:36 < krzie> which is why i recommend changing your home lan subnet
17:36 < krzie> to something you never see while out in the wild
17:36 < Gnewt> Ahh yeah I should probably do that
17:36 < Gnewt> because other networks also have stuff on 192.168.1.x
17:36 < krzie> but basically youd just: push "route 192.168.1.0 255.255.255.0"
17:37 < krzie> yes, thats a good idea
17:37 < krzie> make it something rare
17:37 < Gnewt> What can I change it to? Something in the 192.168 or something way far away from that?
17:37 < krzie> !1918
17:37 < vpnHelper> krzie: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
17:37 < krzie> any of those which you think you'll never see out and about
17:37 < Gnewt> Okay, thanks very much :)
17:38 < krzie> 10.something.0.x is usually safe
17:38 < Gnewt> 192.168.240.0 maybe?
17:38 < Gnewt> or that
17:38 < krzie> that should work too
17:38 < Gnewt> Thanks for your help! :)
17:38 < krzie> i dont think ive ever seen 192.168.240.x
17:38 < krzie> np man =]
17:38 < Gnewt> me either
17:38 < Gnewt> Seeya later (I'll idle here)
17:38 < krzie> sounds good
17:38 < krzie> ill prolly be sounding like an idiot pretty soon, i didnt sleep at all
17:41 < [4-tea-2]> Damn. I'm too stupid to fix it with iptables, it seems.
17:41 < [4-tea-2]> It works perfectly well with --local , but I need ovpn to listen on a second address as well.
17:41 < [4-tea-2]> I guess I'm going to duplicate the configuration and start it twice. *sigh*
17:42 < krzie> sure it'll respond from that same ip when you do that?
17:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:51 < [4-tea-2]> Yes, the second IP I need opvn to run on is on a different i/f, and in a different net.
17:52 < [4-tea-2]> It just cannot use the main server IP to respond, because that is one of the IPs that I need to reach _through_ the VPN tunnel.
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:58 < [4-tea-2]> Heh. My routing table on my local server is becoming ridiculously large.
18:00 < krzie> !factoids search max
18:00 < vpnHelper> krzie: No keys matched that query.
18:00 < krzie> !factoids search lim
18:00 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
18:00 < krzie> (something to keep in mind while making your routing table ridiculously large
18:00 < krzie> )
18:02 < [4-tea-2]> Nah, that's not a problem, those routes are not pushed to the client.
18:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
18:02 < [4-tea-2]> But I'm still running into other problems when I run two ovpns instead of one.
18:02 -!- hagna [n=hagna@70.102.57.178] has quit ["leaving"]
18:02 < [4-tea-2]> It seems I also need different keys for both instances. :(
18:03 < krzie> false
18:04 < [4-tea-2]> Well, I need different ccd/$ids
18:04 < krzie> if you use ipp.txt you absolutely need a diff one of those
18:04 < krzie> but the keys sure can be the same
18:05 < krzie> may i recommend giving each instance its own working dir
18:05 < [4-tea-2]> One instance serves 192.168.3.0/24, one 192.168.4.0/24, so I need to ifconfig-push the correct address, right?
18:05 < krzie> and copy the keys over instead of using the same path
18:05 < [4-tea-2]> I do that from ccd/$fqdn
18:05 < krzie> if you need static, absolutely
18:05 < krzie> so each gets its own ccd dir
18:05 < [4-tea-2]> But good idea.
18:05 < [4-tea-2]> Yeah, I'll do that.
18:05 < krzie> but the keys themselves will still work fine
18:06 < [4-tea-2]> Righto.
18:08 < [4-tea-2]> Heh, don't do that on-the-fly or ovpn might die. :D
18:08 < krzie> umm no
18:08 < krzie> you're only copying not moving
18:09 < [4-tea-2]> I had the tunnel with the wrong IPs running, reconfigured the server side, restarted the server side.
18:09 < [4-tea-2]> Then the client side died. ;)
18:09 < [4-tea-2]> I don't blame it.
18:09 < krzie> hehe
18:12 < [4-tea-2]> Well, that looks good now. When I enable Wifi on my laptop, it will either connect to my local dsl-router/wlan-ap and build an ovpn connection to the appropriate local ip of my server.
18:13 < [4-tea-2]> When my local wlan is not in reach, it will connect to any wlan ap, and build an ovpn connection to the public ip of my server, which is itself forwarded from my favorite provider through ovpn to my dynamic IP address.
18:15 < [4-tea-2]> When I disable wlan and attach a cable, ovpn is restarted on the laptop (in order to get rid of the tun device) and will try to keep connecting to my server, but locally it's not allowed, so I get an ovpn-free connection via local cable only.
18:15 -!- gebura [n=nnnnnnng@lescigales.org] has quit [Read error: 60 (Operation timed out)]
18:15 < [4-tea-2]> And it only took me the better part of a week. :D
18:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
18:25 < krzie> werd =]
18:25 < krzie> if you have time, maybe you could make a writeup on the wiki about it
18:25 < krzie> !wiki
18:25 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
18:26 < krzie> i always say that to people when they get their unique setups working, nobody ever bothers to write on there besides ecrist and i tho =[
18:27 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
18:27 < [4-tea-2]> Well, there's one more thing to do: convert the last ovpn connection from static keys to tls, but that should be easy. I'm planning to blog about it on my (German) blog. If I do that, I might actually go the extra step and translate it.
18:28 < krzie> thats plenty easy to change
18:28 < krzie> btw, you use fbsd?
18:28 < [4-tea-2]> Linux
18:28 < krzie> ahh
18:28 < krzie> was gunna say ports/security/ssl-admin is a great tool for managing your certs
18:28 < krzie> you can still use it if you like tho
18:28 < krzie> !ssl-admin
18:29 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
18:29 < krzie> its way cooler than easy-rsa
18:29 < [4-tea-2]> Oh, I'm totally happy with easy-rsa.
18:29 < krzie> werd
18:29 < krzie> i was ready to code my own til ecrist showed me ssl-admin
18:29 < krzie> (he wrote it)
18:30 < [4-tea-2]> I actually created all the keys I needed already, just need to deploy and change the config.
18:30 < krzie> its basically what i would have coded, only i woulda used bash and he used perl
18:30 < krzie> it even packages up the keys with a config and zips them for deployment =]
18:30 < [4-tea-2]> But since that involves changes to my connectivity, I will only do that when I know I can phone someone to fix my fuckups server-side. ;)
18:30 < krzie> and saves the info for future CRL making
18:30 < krzie> haha
18:50 -!- HD2 [n=Marco@velirat.de] has joined ##openvpn
18:51 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Connection reset by peer]
19:06 -!- HD2 is now known as HardDisk_WP
19:24 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
19:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:57 -!- ptchinster [n=ptchinst@137.28.246.232] has joined ##openvpn
19:58 < ptchinster> im following the guide here, http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, when i run the bridge-start script, the network becomes unreachable. ive followed it to a T, dont know what i did wrong
19:58 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
19:58 < ptchinster> only diff is of course the IP ranges and values i use
19:58 < krzie> it doesnt set the gateway
19:58 < krzie> add that at the bottom of the script
19:59 < ptchinster> how?
19:59 < ptchinster> gateway $gateway
19:59 < ptchinster> that appended?
19:59 < krzie> the way your OS does it...
19:59 < krzie> likely with the route command
19:59 < ptchinster> linux
20:00 < ptchinster> never used that before
20:02 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:02 -!- theDoc [n=andelyx@119.73.165.162] has quit [Remote closed the connection]
20:02 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:02 < ptchinster> route add default gw 192.168.1.1 eth0
20:04 < ptchinster> should i be adding it to the $eth, the $br or the $tap ?
20:04 < krzie> i dont setup bridged
20:05 < krzie> but br0 makes sense to me...
20:05 < ptchinster> well, thats not it either
20:05 < ptchinster> same problem
20:05 < krzie> welp, keep playing
20:05 < krzie> thats the common problem
20:06 < ptchinster> so then after i find the solution to the common problem, how can i not be like the others and get the fix somewhere in the documentation
20:07 < krzie> i guess by messaging the mail list once you solve it
20:07 < krzie> !mail
20:07 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
20:07 < ptchinster> ah, just got it i think
20:07 < krzie> you can likely find others talking about it with a good google
20:14 -!- ptchinster [n=ptchinst@137.28.246.232] has quit ["Leaving."]
20:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
20:40 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:46 < theDoc> Anyone knows why I'm getting ICMP messages with public addresses as the source and the vpn client address as destination?
20:47 < theDoc> Doesn't seem like I've established a connection with that particular host prior to that ICMP.
20:47 < theDoc> Oh wait, n/m. I didn't filter it properly
20:47 < theDoc> I did actually.
21:16 -!- theDoc [n=andelyx@208.99.194.194] has quit []
21:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:28 -!- Schmee [n=zaphod@ppp100-124.static.internode.on.net] has joined ##openvpn
21:29 < Schmee> hi all. Hopefully this isn't off topic too far, but I've had no luck with Google on this subject. I need to connect to an openvpn server, but I need the client end to be router driven rather than client machine driven. Can anyone recommend a router which can be connected to an openvpn server without resorting to openwrt firmware?
22:15 -!- troy is now known as troy-
22:53 -!- oc80z [n=oc80z@quad.efnet.pe] has joined ##openvpn
23:54 < reiffert> !route
23:54 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:55 < reiffert> Schmee: however, openvpn runs on various archs and OS'.
--- Day changed Wed Apr 22 2009
00:01 < Schmee> reiffert: I should have mentioned, I need it to run in bridge mode
00:03 < reiffert> so?
00:04 < Schmee> I assume from your response that it doesn't make a difference which mode, openvpn is either supported or not.
00:08 < reiffert> right.
00:10 < onats> i have a vpn server piggybacked onto my home router running dd-wrt. i get frequent disconnects with two clients connected. could it be that the router can no longer handle the load?
00:14 < reiffert> onats: try to monitor the load
00:14 < onats> reiffert, yeah.. actually sometimes it gets to 100%. well it happens often
00:15 < onats> is it possible that any attempts to DDOS brings the load of the router up?
00:15 < Schmee> reiffert: thanks for your help. Back to more research
00:17 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
00:34 -!- albech_ is now known as albech
00:38 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
00:44 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
01:09 -!- Schmee [n=zaphod@ppp100-124.static.internode.on.net] has quit ["Leaving"]
01:33 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has joined ##openvpn
01:36 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
01:45 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn
01:51 -!- SuperEvilDeath16 [n=death@212.206.209.177] has quit [No route to host]
02:26 -!- troy- is now known as troy
02:35 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:36 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:36 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)]
02:44 -!- troy is now known as troy-
02:48 -!- troy- is now known as troy
03:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:37 < ThoMe> hello?
03:51 -!- pro is now known as youngpro
03:54 -!- albech [n=albech@119.42.76.62] has quit [Read error: 60 (Operation timed out)]
04:07 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:08 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:08 -!- albech [n=albech@119.42.76.62] has joined ##openvpn
04:31 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
04:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
04:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:02 < ThoMe> can anybody help me with "net_gateway" ?
05:02 < ThoMe> :-)
05:14 -!- Alocado [n=matthias@vpn075.uni-trier.de] has joined ##openvpn
05:14 < Alocado> hello
05:15 < Alocado> what's the technical difference between server and client certificates?
06:25 -!- Alocado [n=matthias@vpn075.uni-trier.de] has quit [Read error: 113 (No route to host)]
06:45 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has left ##openvpn []
07:10 < ecrist> morning, folks
07:27 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
07:35 -!- nemysis [n=nemysis@214-42.106-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:35 -!- nemysis [n=nemysis@178-248.1-85.cust.bluewin.ch] has joined ##openvpn
08:02 < dazo> ecrist: morning!
08:03 < dazo> ecrist: just a quick question ... I believe you know something about this ... but a guy claims that RAID10 has the same advantages as RAID6 .... what do you think about that?
08:03 < ecrist> no, it doesn't
08:03 < dazo> RAID10 is for me striping + mirror .... and nothing close to RAID5 or 6
08:03 < dazo> ecrist: thanks! That's what I thought as well :)
08:03 < ecrist> RAID10 is much faster than RAID 5 or 6
08:04 < ecrist> no overhead to generate parity
08:04 < ecrist> for db servers, I use 10, for backup servers, I use RAID 6
08:04 < dazo> ecrist: yeah, that I can follow
08:04 < dazo> ecrist: thanks again!
08:04 < ecrist> np
08:07 < [4-tea-2]> Where would I put a feature request for ovpn?
08:07 < ecrist> probably on the mailing list
08:07 < ecrist> what feature are you looking for?
08:07 < [4-tea-2]> Binding one ovpn instance to multiple, but not all, interface addresses.
08:08 < ecrist> can you use multiple local statements in the config?
08:09 < dazo> [4-tea-2]: I believe that's been discussed on the openvpn-users list already .... but please, bring it up again :)
08:10 < dazo> ecrist: I believe that it is meant to only listen for connection on specific interfaces .... like only eth0 and eth2 but not eth1, kind of
08:10 < ecrist> I don't understand
08:11 < [4-tea-2]> ecrist: no, only the first one is honored, the following --local statements are ignored.
08:11 < [4-tea-2]> dazo: that's kinda what I need. I want ovpn to bind to one (not all) addresses on eth0 (which has three addresses), and to eth1.
08:12 < ecrist> for now, I'd just bind to all, filter at the firewall
08:12 < [4-tea-2]> ecrist: that doesn't solve my problem, sadly.
08:12 < dazo> thats the only solution now
08:12 < [4-tea-2]> I'm running two ovpn instances now.
08:12 < ecrist> why?
08:12 < [4-tea-2]> (actually three, but the third one doesn't matter)
08:12 < ecrist> what am I missing?
08:13 < [4-tea-2]> One on eth0:ovpnhelper, one on eth1.
08:13 < [4-tea-2]> ecrist: when I bind ovpn to eth0, and try to establish a tunnel to the IP address of eth0:ovpnhelper, the response packets originate from the MAIN address of eth0.
08:13 < [4-tea-2]> ie. I connect to x.y.z.3 and x.y.z.1 responds.
08:14 < ecrist> so?
08:14 < [4-tea-2]> I need to reach x.y.z.1 THROUGH the tunnel.
08:14 < ecrist> sounds like you're missing a push route
08:15 < [4-tea-2]> ...and --float, if you take THAT approach.
08:15 < [4-tea-2]> But I don't like that approach.
08:15 < ecrist> ok
08:16 < [4-tea-2]> I don't think .3 should be sending packets that appear to be originating from .1.
08:16 < ecrist> [4-tea-2]: it's going to, it's not an OpenVPN issue, it's a TCP/IP stack issue on your OS
08:17 < ecrist> and it's a common issue
08:17 < [4-tea-2]> If it's not a ovpn issue, why does it work when ovpn is bound to .3 only?
08:18 < ecrist> because it's a TCP/IP stack issue.
08:18 < ecrist> if you have *any* daemon bound to multiple IPs on the same subnet, the responses will originate from the first IP in the subnet listed on the interface.
08:19 < ecrist> FreeBSD jails do it differently, but they've fixed the stack for those.
08:19 < ecrist> and also, the daemons are only bound to a single IP
08:19 < [4-tea-2]> ecrist: well, that's why I have that feature request.
08:20 < ecrist> ok, it's a sound reason, just arguing semantics at this point. it's not *really* an OpenVPN problem.
08:20 < [4-tea-2]> I understand.
08:21 < [4-tea-2]> Well, I think I understand. :D
08:21 < ecrist> if I may, why do you have openvpn listening to multiple IPs?
08:22 < [4-tea-2]> It's listening to a public IP so I can connect from teh interwebs, and to a local IP so I can connect from Wlan.
08:22 < ecrist> why not just listen to the public IP?
08:23 < [4-tea-2]> Because then all my traffic would be routed upstream by my DSL-Router/Wlan-AP, just to be routed back to the public IP which is not known to the router.
08:24 < [4-tea-2]> I'd rather keep traffic as local as possible, mainly for bandwidth reasons.
08:24 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has joined ##openvpn
08:24 < ecrist> if the public and private IPs are on the same system, nothing would leave your network, or go 'upstream'
08:25 < [4-tea-2]> The router isn't aware the public IP is local.
08:25 < [4-tea-2]> It's forwarded to my local server using ovpn. ;)
08:26 < ecrist> hrm, I'm glad your setup is working for you, but it sounds overly-complicated.
08:27 < [4-tea-2]> ecrist: actually, it's pretty simple. I have a /28 which is routed to a server in teh interwebs, I pick it up there using ovpn, and I have a laptop with an address from that /28 that I want to use with the SAME address no matter where I am.
08:28 < [4-tea-2]> So I need one ovpn connection for the /28, and one ovpn connection from my laptop to a machine within that /28.
08:28 < [4-tea-2]> ovpn-over-ovpn :D
08:30 < [4-tea-2]> Also, the DSL-router is not what I consider a trusted system, so it's isolated on an own interface and I make sure that I never route "plain" (unencrypted) traffic over it. All my (untrusted) DSL provider gets to see is the ovpn connection.
08:33 < [4-tea-2]> ecrist: I got a diagram if you believe in pictures saying more than a thousand words. ;)
08:34 < ecrist> naw
08:42 < [4-tea-2]> ;)
08:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:50 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
08:51 -!- Timpa88 [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
09:40 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
09:40 < straterra> Hi..I'm getting the letters r and w spammed in to my openvpn log file..has anyone seen this before?
09:40 < ecrist> not i
09:43 < Bushmills> straterra, check file system. in case of write error, blocks may end up being part of file, but uninitialised.
09:43 < straterra> hmm
09:44 < straterra> all r/w
10:11 < dazo> straterra: check your verb settings in the config file
10:11 < dazo> straterra: verb > 4 usually gives this
10:11 < straterra> verb 5
10:12 < straterra> another admin set it..thanks
10:12 < dazo> straterra: if you want verbose info for logging ... 3 is user enough
10:12 < dazo> usually, I meant
10:12 * dazo leaves for today
10:16 < straterra> thanks
10:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:34 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
11:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
11:04 -!- c64zottel [n=hans@p5B17AB47.dip0.t-ipconnect.de] has left ##openvpn []
11:07 -!- ScribbleJ [n=nnsj@99-35-164-150.lightspeed.dwgvil.sbcglobal.net] has joined ##openvpn
11:09 < ScribbleJ> Hi guys... using openvpn, auth pam option, I want to require a username/password for all connection /except one/... which should just auth with the cert as standard. Is this possible?
11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:09 -!- Timpa88 is now known as Timpa
11:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:11 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
11:19 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
11:19 < Improv> Anyone here know much about the mailing lists? My post was rejected for some reason.
11:19 < ecrist> what was the reason?
11:20 < ecrist> I'm guessing a mail server misconfig on your part
11:20 < Improv> It just said "you are not allowed to post"
11:20 < Improv> I don't see any explicit reason in the message
11:20 < ecrist> I think you may need to be subscribed.
11:20 < Improv> (the "not allowed to post" came from lists.sourceforge.net, not from gname.org where I posted it, if that helps)
11:21 < ecrist> ah
11:21 < ecrist> gname.org is just a mirror, not the actual list.
11:21 < Improv> Ohh
11:21 < Improv> So I should post through sourcefnord
11:48 -!- Alagar [n=helpdesk@dont.rootkit.me] has quit [Remote closed the connection]
11:53 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
12:01 -!- xororand [n=xororand@unaffiliated/xororand] has quit ["delete this;"]
12:20 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection]
12:33 < dan__t> Ok.
12:33 < dan__t> We're almost ready to go........
12:39 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn []
12:45 -!- dupondje- [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
12:46 < dupondje-> I'm trying to make my 2 networks communicate with each other by using an OpenVPN server (with public ip)
12:46 < dupondje-> but can't get it working, I can connect to the server etc
12:46 < dupondje-> but can't connect to the other network
12:47 < dupondje-> 'PUSH_REPLY,route 192.168.3.0 255.255.255.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5'
12:48 < dupondje-> this is the push reply :)
12:53 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:54 -!- albech_ [n=albech@119.42.76.2] has joined ##openvpn
12:55 -!- albech [n=albech@119.42.76.62] has quit [Success]
12:56 -!- theDoc- [n=andelyx@bb121-7-61-77.singnet.com.sg] has joined ##openvpn
12:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:04 -!- theDoc- [n=andelyx@bb121-7-61-77.singnet.com.sg] has quit []
13:05 < dupondje-> can't even ping the server :s
13:05 < dupondje-> wtf
13:05 < dupondje-> with its OpenVPN ip
13:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:15 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
13:22 -!- ScribbleJ [n=nnsj@99-35-164-150.lightspeed.dwgvil.sbcglobal.net] has left ##openvpn ["Leaving"]
13:25 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:34 -!- dupondje- [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
13:36 -!- albech_ is now known as albech
13:46 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
14:16 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:10 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
15:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:27 -!- Lilarcor_ [n=Lilarcor@53.sub-97-130-194.myvzw.com] has joined ##openvpn
15:27 -!- Lilarcor_ [n=Lilarcor@53.sub-97-130-194.myvzw.com] has quit [Remote closed the connection]
15:40 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit ["Ik ga weg"]
16:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
17:00 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
17:01 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
17:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:05 < Dougy> hello there childrens
17:08 < krzie> i got 2 compaq 42u raqs for sale, 400$
17:09 < Dougy> hmmmmmm
17:09 < Dougy> meh
17:09 < Dougy> i'll pass
17:10 < Dougy> sup krzie
17:12 < krzie> chillen, you?
17:15 < Dougy> nada man
17:16 < Dougy> taking preorders atm
17:19 < Dougy> :P
17:20 < Dougy> Grrrrrr :,
17:20 < Dougy> :<
17:20 < Dougy> ecrist: ping
17:27 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:49 -!- sirus [i=scott@gotpot.org] has quit [Read error: 113 (No route to host)]
17:54 < Dougy> krzie im dying of boredom
17:55 < Dougy> bring in the hookers
17:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
18:02 -!- sirus [i=scott@gotpot.org] has joined ##openvpn
18:19 < krzie> ya im bored as shit too
18:19 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
18:20 < Dougy> haha
18:20 < Dougy> troy fails
18:31 < Dougy> http://www.upload3r.com/serve/220409/1240443016.jpg
18:39 < krzie> nice
18:40 < Dougy> my new toy
18:43 < krzie> werd
18:56 < Dougy> :)
20:08 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:29 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
20:31 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:35 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
20:37 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
21:56 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 113 (No route to host)]
21:57 < tjz> hey dougy
21:57 < tjz> :)
22:01 < dougy[home]> hey !
22:03 < dougy[home]> tjz
22:26 < tjz> hehe
22:26 < tjz> long time never see you here
22:26 < tjz> :P
22:26 < tjz> how are you doing?
22:33 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:35 < tjz> -_-
22:35 < tjz> i see double
22:35 < tjz> lol
22:39 < ecrist> Dougy: pong
22:42 < ecrist> :\
22:50 < tjz> lol
22:50 < tjz> do you guys run openvpn on linux as root ?
22:51 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
22:51 < krzie> i dont run it as root anywhere
22:52 < krzie> linux/bsd/osx
22:52 < tjz> yea
22:52 < krzie> because you never run anything as root unless you absolutely have to
22:52 < tjz> i think better security practice to run it as another user?
22:52 < tjz> yea
22:52 < krzie> you must start it as root, then you can tell it to drop privs
22:53 < tjz> hmm
22:53 < tjz> drop privs as in ? care to explain?
22:54 < krzie> see --user and --group in the manual
22:54 < theDoc> Yep, run it as root and it drops it to another user called nobody ;p
22:58 < tjz> ahh
22:58 < tjz> thxx, keff
22:58 < tjz> jeff
22:58 < tjz> :P
22:58 < tjz> txh thedoc
22:58 < tjz> :)
23:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:29 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn
23:30 < ecrist> why was dougy pinging me?
23:42 < ecrist> nm, going to sleeeeeeep
23:52 -!- troy is now known as troy-
--- Day changed Thu Apr 23 2009
00:08 -!- sirus [i=scott@gotpot.org] has quit [Read error: 104 (Connection reset by peer)]
00:08 -!- sirus [i=scott@gotpot.org] has joined ##openvpn
00:16 -!- funky [n=repulse@unaffiliated/funky] has quit [Read error: 110 (Connection timed out)]
00:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
00:41 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
01:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
01:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:30 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has quit [Remote closed the connection]
01:31 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn
02:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:16 < theDoc> tjz: Surprise, you're singaporean.
02:16 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has left ##openvpn []
02:23 -!- troy- is now known as troy
02:34 < tjz> omg
02:34 < tjz> i am
02:34 < tjz> you are...
02:34 < tjz> theDoc is n=andelyx@unaffiliated/thedoc * oh-snap!
02:34 < tjz> -_-
02:34 < theDoc> Yep, unaffiliated.
02:34 < theDoc> Singaporean as well ;p
02:34 < tjz> oh
02:34 < theDoc> really la, singaporean.
02:34 < tjz> hahaha
02:35 < theDoc> will not bluff you one. srs!
02:35 < theDoc> heh
02:35 < tjz> hahaha
02:35 < theDoc> How to identify a singaporean ;D
02:35 < tjz> use our powerful singlish
02:35 < tjz> :p
02:35 < theDoc> ho seh liao la! I need a few more servers for my vpns:))
02:35 < tjz> wow
02:35 < tjz> what are you working on?
02:36 < theDoc> tjz: anonymous vpn tunnels for lease :)
02:36 < tjz> cool
02:36 < theDoc> A couple more, a couple more.
02:36 * theDoc whistles.
02:37 < tjz> lol
02:37 * theDoc is going partially deaf in his right ear :(
02:37 < tjz> serious?
02:37 < tjz> lol
02:37 < tjz> hmm
02:38 < tjz> how come
02:38 < theDoc> Serious, I've been hearing a good constant buzzin'
02:38 < tjz> hmm..
02:38 < tjz> from computer speaker or construction site?
02:38 < theDoc> Neither, army days.
02:39 < tjz> omg
02:39 < tjz> yea
02:39 < theDoc> tjz: I used to be in armor.
02:40 < theDoc> Live firing and all, it's not good for your hearing.
02:40 < theDoc> engine + live firing of the 75mm maingun + gpmg = bad
02:40 < tjz> waaa
02:40 < tjz> that one really loud
02:40 < tjz> -_-
02:41 < tjz> but
02:41 < tjz> you are still in the 20s..
02:41 < tjz> so young ..got such problem
02:41 < tjz> -_-
02:42 < theDoc> Unfortunately. :)
02:43 < theDoc> tjz: I guess you're in your 20's as well
02:44 < tjz> yea
02:45 < tjz> brb
02:45 < theDoc> brb, indeed.
02:45 < theDoc> I'm surprised to find a singaporean here though
03:01 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
03:04 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Kevin`
03:05 -!- Netsplit over, joins: Kevin`
03:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:37 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
03:48 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
03:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:21 -!- AnAnt [n=anant@41.196.129.148] has joined ##openvpn
04:21 < AnAnt> Hello, is it possible to configure the openvpn server (& client) to authenticate using UNIX accounts on the server ?
04:24 < krzee> sure
04:25 < krzee> using PAM
04:28 < krzee> (in a --client-connect script iirc
04:28 < krzee> there should be an auth pam script in the source
04:29 < krzee> in the source tar.gz
04:29 -!- nemysis [n=nemysis@178-248.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
04:30 -!- nemysis [n=nemysis@77-242.3-85.cust.bluewin.ch] has joined ##openvpn
04:33 < AnAnt> krzee: auth-pam.pl
04:33 < krzee> there ya go
04:34 < AnAnt> so, nothing to be done on server side ?
04:34 < AnAnt> oh, sorry
04:34 < krzee> thats what goes on the server
04:36 < AnAnt> krzee: --auth-user-pass-verify can't be put in server.conf ?
04:38 < krzee> !authpass
04:38 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
04:38 < krzee> yes, it can
04:38 < krzee> maybe thats what i was thinking of as opposed to --client-connect
04:39 < krzee> ahh yes
04:39 < krzee> first hit in manual was for --auth-user-pass-verify
04:39 < krzee> For a sample script that performs PAM authentication, see sample-scripts/auth-pam.pl in the OpenVPN source distribution.
04:42 < AnAnt> the script says: For real world usage, see the auth-pam module in the plugin
04:42 < AnAnt> # folder.
04:46 < AnAnt> plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
04:46 < AnAnt> !openvpn-auth-pam.so
04:46 < vpnHelper> AnAnt: Error: "openvpn-auth-pam.so" is not a valid command.
04:47 < AnAnt> !plugin
04:47 < vpnHelper> AnAnt: Error: "plugin" is not a valid command.
04:47 < AnAnt> hmmm
04:58 < ThoMe> krzee: huuh?
04:58 < ThoMe> krzee: receive money?
05:25 -!- sirus [i=scott@gotpot.org] has quit ["leaving"]
05:27 < AnAnt> !pam
05:27 < vpnHelper> AnAnt: Error: "pam" is not a valid command.
05:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:44 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
06:10 -!- AnAnt [n=anant@41.196.129.148] has left ##openvpn []
07:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:34 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
07:39 -!- onats_ is now known as onats
07:39 < onats> haro!
07:40 < ecrist> oh, haro hans brix!
07:47 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has joined ##openvpn
07:52 -!- row [i=row@who.br0ke.me.uk] has joined ##openvpn
07:52 < row> Anyone here run openvpn server on a virtuozzo guest?
07:52 < row> And does it actually work :P
07:53 < row> ah found out it is possible
08:11 -!- Dougy [n=me@67.80.62.212] has joined ##openvpn
08:11 < ecrist> pong Dougy
08:11 -!- gebura [n=nnnnnnnn@lescigales.org] has left ##openvpn ["Quitte"]
08:29 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
08:36 -!- Dougy [n=me@67.80.62.212] has quit [Read error: 113 (No route to host)]
08:41 -!- ghoti [n=paul@CPE00c095f003f8-CM001371886cc2.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
08:42 -!- autoditac [n=autodita@p579E18F4.dip.t-dialin.net] has joined ##openvpn
08:43 < autoditac> hi. is there something like a 'logon message' that i can set?
08:47 < [4-tea-2]> autoditac: I don't think so. Who/what would display that message? ;)
08:50 < autoditac> Dunno. NetworkManager-openvpn displays that in a notification bubble.
08:51 < [4-tea-2]> autoditac: I see, that might be nice, but I don't think ovpn has a feature like that (at least I don't remember reading anything like it in the man page).
09:00 < ecrist> there really isn't one at this point in time.
09:12 < autoditac> ecrist: would be nice to have. vpnc has that, and i always like to join those vpns that say "Welcome in our house" :-)
09:14 < ecrist> Post a feature-request to the mailing list.
09:14 < ecrist> you could code it yourself, and submit a patch, as well.
09:16 < autoditac> ecrist: you definitely don't want that :-)
09:17 < autoditac> i should better sponsor a bounty or something like that.
09:41 -!- Yhetti [n=wes@75.150.50.65] has joined ##openvpn
09:43 < dazo> autoditac: I'd be willing to look into such a patch, if I just can get some spare time for it :) ... would be a fun patch to write, though :)
09:45 < Yhetti> Grr.. So I had a working OpenVPN setup for months using AES-128-CBC; installing some new DDWRT routers and changed everything to Blowfish and now none of the remotes will link to the server; all of them hit the 60 second timeout. Per the logs, the keys are correct (clearly, they didn't change) but the TLS fails after 60 seconds on every connection. What did I miss?
09:48 < dazo> Yhetti: seriously speaking ... I'd try another fw than dd-wrt .... I've had some bad experiences with them regarding security, which they neglected ... so if it's a buggy openvpn in there, I wouldn't be that much surprised
09:48 < Yhetti> I haven't actually moved anything to dd yet, it's still the old Linux routers
09:48 < Yhetti> with AES swapped for BF as the only change : /
09:49 < dazo> Yhetti: have a look at x-wrt (using openwrt in the bottom) ... I swapped to that one, and I'm happy!
09:49 < Yhetti> However, I'll def. look into other firmwares. DD was just my first test run
09:50 < Yhetti> Sorry, I should have mentioned that I didn't swap the hardware out yet : )
09:50 < dazo> Yhetti: I discovered some iptables rules which allowed access from two different IP addresses in Germany ... I mentioned it on their phorum, and they never wanted to post an advisory about it .... just "yes, it will be fixed in the next release"
09:50 < Yhetti> weird..although, probably not surprising
09:51 < Yhetti> I'll take a look at x-wrt as soon as I can get my remotes back up : )
09:51 < Yhetti> any thoughts on why changing the encryption type (I changed on both ends) would cause the TLS to suddenly fail?
09:51 < dazo> unfortunately ... but OpenWRT has behaved nice ... and X-WRT is the GUI extension on top of OpenWRT ... really easy to setup
09:52 < Yhetti> oh..apparently I just figured it out
09:52 < Yhetti> openvpn uses the kernel crypto modules?
09:53 < dazo> Yhetti: usually that's because of unsynch'ed ciphers, wrong static keys (--tls-auth) ... or in some cases also the network layer (sometimes you need to use tcp mode, instead of the preferred udp)
09:53 < dazo> Yhetti: OpenVPN uses OpenSSL
09:54 < dazo> Yhetti: also try to check out with verb 4 ... if you see some other warnings in the logs ... could be issues with MTU or other network related things
09:55 < dazo> Yhetti: which openvpn versions are involved?
09:55 * plaerzen waves.
09:57 < Yhetti> 2.0.9 Debian packages
09:57 < Yhetti> As soon as I did a modprobe blowfish it started working
09:58 < Yhetti> Which just raises further questions...
10:01 < Yhetti> x-wrt looks cool
10:06 < Yhetti> Now if only I could do 'modprobe rot13'. Get some real speed up in here...
10:19 < dazo> Yhetti: rot13!?!? .... I hope that was a joke ....
10:20 < Yhetti> : )
10:20 < dazo> Yhetti: it might be that openssl uses the kernel encryption .... not sure about it, to be honest
10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:22 < Yhetti> Probably does. I guess that way if you have hardware acceleration it will actually work
10:22 < Yhetti> oh well....it's up now. Going to give your suggestion a shot. And thanks for your time : ) Have a good day
10:22 -!- Yhetti [n=wes@75.150.50.65] has quit ["Ex-Chat"]
11:19 -!- c64zottel [n=hans@p5B17ACA3.dip0.t-ipconnect.de] has quit ["Leaving."]
11:21 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
11:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:34 < reiffert> moin
11:35 < theDoc> moin'!
11:36 < Bushmills> grias di
11:36 < reiffert> Moin theDoc
11:36 < reiffert> howdy Bushmills!
11:37 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:37 < theDoc> Oh dear, I just killed a conversation on another network :)
11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:01 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:11 -!- rashed2020_ [n=admin@67.205.245.208] has joined ##openvpn
12:11 < rashed2020_> Hey guys
12:12 < rashed2020_> Are there any dis/advantages to having openVPN on the router as opposed to a box sitting inside the network?
12:25 < row> if openvpn goes nuts does not take down router?
12:27 < rashed2020_> Is that it? I read somewhere about something to do with bridging, but I lost the link =( I was hoping someone here would know what I'm talking about
12:29 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn
12:29 < CyBerNetX> !route
12:29 < vpnHelper> CyBerNetX: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:29 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection]
12:31 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has left ##openvpn ["Leaving"]
12:34 -!- albech [n=albech@119.42.76.2] has quit [Read error: 54 (Connection reset by peer)]
12:48 < epaphus> Hello.. I have a gateway with two separate VPN client configurations running. Behind this machine I have one LAN. None of the client.configs have -redirect gateway on (they would conflict) . MY question is what config must I do to allow the machine on the LAN to access the internet via a SINGLE vpn client ?
12:50 < epaphus> Desktop1 (172.168.1.200) --> Server_with-two-clients (172.168.1.100) -> VPN -> VPN server1
12:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection]
12:55 -!- rubydiamond [n=rubydiam@123.236.183.91] has joined ##openvpn
13:01 -!- albech [n=albech@119.42.76.2] has joined ##openvpn
13:12 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:32 < dan__t> hi
13:38 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
13:47 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
13:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:02 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:15 -!- autoditac [n=autodita@p579E18F4.dip.t-dialin.net] has left ##openvpn []
14:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:33 -!- penrod [n=pattonb@S010600105a1788d6.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
14:43 < krzee> rashed2020_, if you are using routing and connecting lans, running it on the router has the advantage of not needing routes added to the router
14:43 < krzee> !route
14:43 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:44 < krzee> you can see what im talking about under the picture in "ROUTES TO ADD OUTSIDE OPENVPN"
14:54 < Dougy> hmm
14:54 < Dougy> krzeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
14:55 < dan__t> o.
14:55 < dan__t> er, no.
14:59 < Dougy> ?
14:59 < Dougy> you are a grouch
14:59 < Dougy> go away.
14:59 < ecrist> Dougy: what were you pinging me for?
15:00 < Dougy> ecrist: password reset :-X
15:00 < ecrist> for what?
15:00 < Dougy> the info you sent me, i remember changing the pw
15:00 < Dougy> but no idea what the hell i set it to
15:00 < ecrist> lemme look it up
15:00 < Dougy> i use about 400 passwords literally and dont want to bombard your box trying to get it
15:00 < Dougy> cuz i have 400 diff ones and in that 400 theres probably 3 or 4 versions of each
15:02 < ecrist> ok, send me a pm with a new pass
15:02 < ecrist> I'll set it now.
15:02 < ecrist> the ssh password, right?
15:02 < Dougy> yes
15:02 < Dougy> so i can ftp
15:02 < Dougy> i just need to get phpbb config info
15:03 -!- troy is now known as troy-
15:04 < ecrist> send me a PM, otherwise you're SOL. I'm leaving in two minutes until next week
15:04 < Dougy> kk
15:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:04 < Dougy> can i change the pw
15:04 < Dougy> later
15:04 < Dougy> ?
15:04 < ecrist> sure, I don't care
15:04 < Dougy> or should this be the one its gonna stay
15:20 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
15:22 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"]
15:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
15:31 < Dougy> yayyyyyyyyyyyyyyyyyyyyy
15:46 < Dougy> wtf
15:46 < Dougy> i fail at ppbb
15:46 < Dougy> phpbb
15:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:55 < Dougy> krzee
15:55 < Dougy> grrrrrrrrrrr
15:57 < Dougy> !tcp
15:57 < vpnHelper> Dougy: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:58 < krzee> ?
15:58 < Dougy> i got admin user krzee
15:58 < Dougy> the pw
15:58 < Dougy> but cant seem to figure out how to give user douglas admin privs
15:58 < Dougy> i can goto admincp and stuff but cant moderate posts
16:00 < krzee> sux4u!
16:01 < Dougy> :(
16:01 < Dougy> ugh god
16:01 < Dougy> someone is having me set up openvpn on windows 7
16:01 < krzee> !win7
16:01 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
16:01 < Dougy> does it need to be that to work?
16:01 < Dougy> he wants to redirect all traffic
16:02 < krzee> !redirect
16:02 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:02 < Dougy> i have that already
16:02 < Dougy> push "redirect-gateway def1 bypass-dhcp"
16:02 < Dougy> hes using 2.0.9
16:02 < krzee> !win7
16:02 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
16:02 < Dougy> now where is 2.1 rc15 for linux so it can match
16:02 < krzee> use the source luke
16:04 < Dougy> kk
16:04 * Dougy wasnt thinking
16:05 < krzee> however
16:05 < krzee> if you arent using anything 2.1 specific
16:05 < krzee> other sides can be 2.0 if you like
16:14 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:24 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
16:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:36 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
16:37 < SgtPepperKSU> !iporder
16:37 < vpnHelper> SgtPepperKSU: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:39 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
16:42 < dougy[home]> the hellllllllllllllllllllllllllllllll
16:43 < dougy[home]> this guys pc connects and dhcp gives them 10.0.50.6, but the main server cant ping it
16:43 < dougy[home]> and vice versa
16:45 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 113 (No route to host)]
16:54 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
16:55 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:01 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Typone
17:02 -!- Netsplit over, joins: Typone
17:07 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:13 -!- troy- is now known as troy
17:26 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
17:38 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:42 -!- bandini [n=bandini@host135-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:50 < krzee> Dougy, check for errors in logs with verb6
17:51 < krzee> likely a win route add problem
17:51 < krzee> if so, see !winroute
17:56 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
18:26 < dan__t> hey
18:27 < dan__t> shut your mouth
18:27 < dan__t> !!
18:27 < vpnHelper> dan__t: Error: "!" is not a valid command.
18:27 < dan__t> !!!!
18:27 < vpnHelper> dan__t: Error: "!!!" is not a valid command.
18:27 < dan__t> !!!!!!!!sdf
18:27 < vpnHelper> dan__t: Error: "!!!!!!!sdf" is not a valid command.
18:28 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:32 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"]
18:32 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
19:09 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:13 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
19:13 -!- onats1 is now known as onats
19:19 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
19:24 < onats> morning
19:26 -!- dougy[home] [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
19:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:03 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, Typone
20:04 -!- Netsplit over, joins: M06w, Typone
20:39 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:40 < Dougy> WOW
20:40 < Dougy> COOOOOOOOOOOOOL
20:40 < Dougy> :D:DD:D:D:D:D:D:D:
21:13 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:22 < tjz> lol!
21:24 < onats> what is?
22:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
22:33 -!- dallas [n=dallas@70.122.232.154] has joined ##openvpn
22:34 < dallas> anyone figure out how to . ./vars ?
22:34 < dallas> apparently, I'm an idiot...
23:22 -!- Alagar [n=helpdesk@dont.rootkit.me] has joined ##openvpn
23:42 -!- albech [n=albech@119.42.76.2] has quit [Read error: 110 (Connection timed out)]
23:46 -!- albech [n=albech@119.42.76.2] has joined ##openvpn
--- Day changed Fri Apr 24 2009
00:16 -!- dallas [n=dallas@70.122.232.154] has quit ["leaving"]
01:20 -!- nemysis [n=nemysis@77-242.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
01:20 -!- nemysis [n=nemysis@210-232.1-85.cust.bluewin.ch] has joined ##openvpn
01:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
02:44 -!- oc80z [n=oc80z@quad.efnet.pe] has quit []
02:47 -!- keisangi [n=quassel@118.6.213.154] has joined ##openvpn
02:48 -!- keisangi [n=quassel@118.6.213.154] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
03:15 -!- karlpinc [n=kop@meme-net.meme.com] has quit [Read error: 60 (Operation timed out)]
03:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:47 -!- tiav [n=tiav@91.197.165.222] has joined ##openvpn
04:04 -!- Alagar [n=helpdesk@dont.rootkit.me] has quit [Remote closed the connection]
04:16 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."]
04:43 -!- c64zottel [n=hans@p5B17AC41.dip0.t-ipconnect.de] has joined ##openvpn
05:19 -!- c64zottel [n=hans@p5B17AC41.dip0.t-ipconnect.de] has left ##openvpn []
05:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:45 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn
06:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:15 -!- karlpinc [n=kop@meme-net.meme.com] has joined ##openvpn
07:04 -!- thnee [n=thnee@thnee.se] has left ##openvpn []
07:06 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
07:11 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Client Quit]
07:17 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
07:41 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Read error: 113 (No route to host)]
08:07 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
08:37 -!- Dougy [n=me@67.80.62.212] has joined ##openvpn
08:37 < Dougy> Anyone need some hostin'?
08:39 -!- ozirus [n=Furkan@88.244.229.137] has joined ##openvpn
08:48 < dazo> Dougy: what do you provide ... and to what price?
08:49 < Dougy> dazo: i can do just about anything and everything
08:49 < Dougy> what do you need?
08:50 < dazo> Dougy: diskspace primarily
08:50 < dazo> Dougy: and preferably rsync access
08:51 < dazo> Dougy: and it must be accessible over a secure link .... ssh or openvpn
08:52 < Dougy> pm sent
09:14 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
09:18 < Dougy> Anyone else need something hosting related ?
09:18 < Dougy> :]
09:18 -!- ozirus [n=Furkan@88.244.229.137] has left ##openvpn []
09:20 < [4-tea-2]> Dougy: where is the server located?
09:20 < [4-tea-2]> what country, I mean?
09:21 < Dougy> USA
09:23 < [4-tea-2]> They're preparing a copy of the Great Firewall of China in my home country.
09:24 < [4-tea-2]> Having a leg in the USA (and/or UK) might be useful in the long run. *ponder
09:27 < Dougy> Eek.
09:27 < Dougy> Great firewall of china, ha
09:27 < Dougy> yeah, i heard germany was getting bad, AU to
09:27 < Dougy> o
09:30 < [4-tea-2]> It's starting to have an impact. The law for the German GFWoC is in preparation, and while they said they would only use DNS blocking, they're now aiming for packet inspection. Unrelated to that, loads of youtube videos are already blocked because of some Germany-only copyright issue.
09:31 < Dougy> LAme.
09:32 < [4-tea-2]> Got an OpenVPN-accessible squid in your product portfolio? ;)
09:32 < Dougy> Nope. :(
09:33 < [4-tea-2]> Damn. ;)
09:34 < Dougy> I have VPS's you can set that up on, though
09:34 < Dougy> ;]
09:34 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
09:34 < Deffie> hi all, just starting with openvpn, i've been able to connect a client to the work LAN through an umts connection and everything in the lan works
09:35 < Deffie> but the client doesnt get the default gateway
09:35 < Dougy> (Just for everyone here...)
09:35 < Dougy> !forum
09:35 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
09:35 < Deffie> and I have specified redirect-gateway
09:35 < Dougy> !configs
09:35 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:36 < Deffie> :)
09:36 < Deffie> ok thank you
09:37 < [4-tea-2]> Deffie: perhaps also supply the line from the logfile containing "PUSH_REPLY"
09:37 < Dougy> [4-tea-2]: why not just use openvpn and use redirect-gateway
09:38 < [4-tea-2]> Dougy: ?
09:38 < Dougy> <[4-tea-2]> Got an OpenVPN-accessible squid in your product portfolio? ;)
09:39 < [4-tea-2]> Dougy: Oh, I wouldn't want to redirect all my traffic to the US.
09:39 < Dougy> Ah.
09:40 < Dougy> Just web?
09:40 < Deffie> http://pastebin.com/m53d308b9
09:40 < Deffie> it is just the log
09:40 < [4-tea-2]> Dougy: yeah, I don't think German politicians realize that the Internet has got more to offer than http, so they won't bother blocking anything else. Yet.
09:41 < Dougy> SSH tunnel?
09:41 < Deffie> and the server seems working ok, so maybe theres something in the client which isnt right
09:41 < [4-tea-2]> Deffie: I like "redirect-gateway def1", not sure whether that should be a problem, though.
09:41 < Deffie> do i need redirect-gateway in the client config too ?
09:41 < [4-tea-2]> Deffie: no
09:42 < Dougy> no
09:43 < [4-tea-2]> Deffie: as I understand it, def1 will add two almost-default routes instead of trying to overwrite/change an existing default route. Try that, if you want.
09:44 < [4-tea-2]> Deffie: if it works, "route -n" should show two routes with mask 128.0.0.0 and your "old" default route (which will be ignored as long as the 128.0.0.0-routes exist).
09:46 < [4-tea-2]> Dougy: tunneling ip over ip (ie. web traffic over ssh) does have disadvantages.
09:46 < Dougy> Fair enough
09:48 < [4-tea-2]> Dougy: have you tried ovpn with your virtualization solution? It should work as long as the guest system can set up tun devices, right?
09:50 < Dougy> yes
09:50 < Dougy> it's Xen
09:50 < Dougy> it can do anything
09:50 < Dougy> its hw level virtualization
09:54 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn
09:55 < CyBerNetX> !howto
09:55 < vpnHelper> CyBerNetX: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:04 * plaerzen dances the ovpn dance. He does it horribly.
10:05 < Dougy> Lol
10:06 < [4-tea-2]> plaerzen: I liked it, especially the part where you expressed your emotions about --client-config-dir.
10:08 < plaerzen> [4-tea-2], I was practising that part last night actually. I was having problems with the transition from that to --client-connect
10:11 -!- Lilarcor_ [n=Lilarcor@238.sub-97-131-26.myvzw.com] has joined ##openvpn
10:18 < [4-tea-2]> plaerzen: try this for inspiration: http://www.youtube.com/watch?v=4ULVQOneeZE :D
10:18 < vpnHelper> Title: YouTube - Praise You - Fatboy Slim (at www.youtube.com)
10:18 < [4-tea-2]> Damn you, vpnHelper, you spoiled it!
10:22 -!- Lilarcor_ [n=Lilarcor@238.sub-97-131-26.myvzw.com] has quit ["The Lord of Murder Shall Perish."]
10:23 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
10:26 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn
10:26 < Optic> yo!
10:26 < Optic> have any of you tried using openvpn on windows embedded?
10:26 < Dougy> n
10:28 < plaerzen> lol
10:28 < Optic> hum
10:30 < Optic> or slipstreamed openvpn into a windows installer?
10:32 < Dougy> what?
10:32 < Optic> automated mass deployment of openvpn
10:32 < Optic> on windows ;)
10:48 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
10:50 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has joined ##openvpn
10:55 -!- tjz [n=tjz@bb220-255-39-133.singnet.com.sg] has quit [Connection timed out]
10:57 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
11:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:22 -!- CyBerNetX [n=jbm@gre92-6-82-231-206-155.fbx.proxad.net] has left ##openvpn ["Leaving"]
11:26 -!- zheng [n=zheng@114.92.138.88] has joined ##openvpn
11:28 -!- tiav [n=tiav@91.197.165.222] has quit [Remote closed the connection]
11:31 -!- zheng [n=zheng@114.92.138.88] has quit [Client Quit]
11:49 < krzee> lol
11:49 < krzee> cant say i have
11:56 -!- [4-tea-21 [n=aurel@buehne.mutantenstadl.de] has joined ##openvpn
12:02 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit [Connection refused]
12:27 < krzee> !winroute
12:27 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
12:36 -!- albech [n=albech@119.42.76.2] has quit [Read error: 104 (Connection reset by peer)]
12:37 -!- tjz [n=tjz@bb116-15-38-124.singnet.com.sg] has joined ##openvpn
12:53 -!- Dougy [n=me@67.80.62.212] has quit [Read error: 110 (Connection timed out)]
12:53 -!- albech [n=albech@119.42.76.130] has joined ##openvpn
13:15 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
13:19 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"]
13:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
13:54 < Dougy> isp fail...
13:57 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
14:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:08 -!- [4-tea-21 is now known as [4-tea-2]
14:18 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:24 < rashed2020_> !brigde
14:24 < vpnHelper> rashed2020_: Error: "brigde" is not a valid command.
14:24 < rashed2020_> !bridge
14:24 < vpnHelper> rashed2020_: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP
14:24 < vpnHelper> rashed2020_: addresses. (but not samba, see !wins)
14:24 < rashed2020_> Whaaat... I'm confused now...
14:25 < rashed2020_> Which one supports broadcasting?
15:18 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn
15:19 < Carlos_Tico> hi i need help
15:19 < Carlos_Tico> anyone here who can give me a hand ?
15:19 < Dougy> i don't know
15:19 < Dougy> you have to tell me the problem first
15:19 < Carlos_Tico> oh ok ..
15:19 < Carlos_Tico> i can connect to my vpn
15:19 < Carlos_Tico> but i cannot see the network
15:20 < Carlos_Tico> any ideas ?
15:25 < Carlos_Tico> hello !!!!!!!!!!!!!!!!!!!!!!!!!!
15:25 < Dougy> nope
15:26 < Carlos_Tico> please Dougy
15:26 < Carlos_Tico> give me a hand
15:27 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit []
15:30 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn
15:30 < Carlos_Tico> !route
15:30 < vpnHelper> Carlos_Tico: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:32 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit [Client Quit]
15:51 < plaerzen> haha. Drunk at lunch.
15:52 < reiffert> "Cannot see the network" - "Follow the cable at the back of your PC"
16:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
16:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
16:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:10 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has joined ##openvpn
17:10 < Carlos_Tico> anyone here ?
17:11 < Carlos_Tico> anyone here ?
17:45 -!- Carlos_Tico [n=grillo@host-200-58-76-162.supernet.com.bo] has quit []
18:08 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn
18:14 < _impuls> !redirect
18:14 < vpnHelper> _impuls: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:15 < _impuls> !ipforward
18:15 < vpnHelper> _impuls: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:15 < _impuls> !linipforward
18:15 < vpnHelper> _impuls: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
18:15 < _impuls> !nat
18:15 < vpnHelper> _impuls: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
18:16 < _impuls> !linnat
18:16 < vpnHelper> _impuls: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:19 -!- youngpro [n=pro@teamaustralia.net.au] has quit [Read error: 60 (Operation timed out)]
18:20 < _impuls> !route
18:20 < vpnHelper> _impuls: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:22 < Dougy> Anyone need any kind of hostings?
18:42 < _impuls> I have a routing problem within my very simple openvpn/client constellation I tried to fix for 2 days now.
18:43 < _impuls> If someone could take a look at my config for a minute and give me some advice...
18:43 < _impuls> http://loos.stoerimpuls.net/random/openvpn/
18:43 < vpnHelper> Title: Index of /random/openvpn (at loos.stoerimpuls.net)
18:57 < krzie> _impuls, strip the comments from the config
18:57 < krzie> like here:
18:57 < krzie> !configs
18:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:57 < Dougy> hey krzie :]
18:57 < krzie> sup soug
18:57 < krzie> doug
18:57 < Dougy> nada
18:57 < Dougy> trying to sell vps's man
18:58 < krzie> good luck
18:58 < krzie> over-saturated market
18:58 < Dougy> yes it is
18:58 < Dougy> to an exten
18:58 < Dougy> t
18:58 < Dougy> managable though
18:58 < krzie> then even when you get a bunch of customers, the work vs income ratio is fucked up
18:59 < Dougy> not true either
18:59 < krzie> oh ya?
18:59 < Dougy> yea
18:59 < Dougy> i have about $500/mo coming in off on my node
19:00 < Dougy> maybe.. 5 tickets a month?
19:00 < krzie> ok well thats much better than what i normally hear about
19:01 < _impuls> krzie: done ;)
19:01 < krzie> you're saying you profit $500/mo from selling vps's?
19:01 < _impuls> could you pls have a look at it again
19:01 < Dougy> no krzie not yet
19:01 < Dougy> i profit about 275
19:01 < Dougy> can prob fit another 50/mo worth on this current box
19:02 < Dougy> then back into the red i go
19:02 < krzie> _impuls where is 192.168.1.0
19:02 < _impuls> this is my clients - my home network
19:02 < krzie> $275/mo is not enough for me to setup a business
19:02 < _impuls> 10.10.1.0 is my tun0 on the server
19:03 < Dougy> krzie, it isnt
19:03 < Dougy> but
19:03 < Dougy> when it takes me about 2 hours of man power per month that isnt setting up new orders
19:03 < Dougy> just 2 hours tech
19:03 < Dougy> $275/month is doable :)
19:03 < krzie> _impuls is there other clients that will access the home network when logged into the vpn?
19:04 < _impuls> well, i want to use it as a inet traffic gateway at uni/other wifis
19:04 < krzie> ok...
19:04 < _impuls> so, its just gonna be me really
19:04 < krzie> so what exactly is the problem?
19:05 < _impuls> well, I cant get anything through
19:05 < krzie> when the client connects
19:05 < krzie> can he ping 10.10.1.1?
19:05 < _impuls> no ping from the client to anything behind the server
19:05 < _impuls> I can ping the servers tun
19:05 < _impuls> 10.10.0.1
19:05 < _impuls> but nothing behind it
19:05 < _impuls> no traceroute - none
19:05 < krzie> you didnt say there was a lan behind the server...
19:06 < _impuls> Nah, misunderstanding
19:06 < _impuls> I mean the inet could
19:06 < _impuls> *cloud
19:06 < krzie> linux?
19:06 < _impuls> yes
19:06 < _impuls> both
19:07 < krzie> !linipforward
19:07 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
19:07 < krzie> !linnat
19:07 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:07 < _impuls> did everything
19:07 < krzie> evidently not
19:07 < _impuls> did everything ;)
19:07 < krzie> if you had ip forwarding enabled, and NAT correctly setup for your vpn network, it would work ;]
19:07 < _impuls> heh
19:07 < _impuls> just reassured it as I came in the channel
19:08 < krzie> also
19:08 < krzie> !tcp
19:08 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:08 < _impuls> oh
19:08 < krzie> thats not causing your problem
19:08 < krzie> but its something good to know
19:09 < krzie> also, is the server able to reach machines on the 192.168.1.0 LAN?
19:09 < _impuls> well, I'd use UD, but you know how funny the fw rules on a wifi router sometimes can be
19:09 < krzie> another thing you will wanna know is that when you are connecting from the outside world, and want to reach the 192.168.1.0 lan, if you are on that same subnet your routing will get fubar
19:09 < krzie> UD=?
19:10 < _impuls> P
19:10 < krzie> it always worked for me
19:10 < krzie> even behind cheapo wifi routers
19:10 < krzie> but thats upto you, just wanted to make you aware of that
19:11 < _impuls> thx
19:11 < krzie> paste your iptables rules, im no linux guy but ill take a glance
19:12 < _impuls> oh for christs sake... apparently I can only ping either machines through tun0 if I have push redirect gateway DISabled
19:12 < _impuls> driving me nuts
19:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
19:13 < _impuls> already wasted a couple of hours on this... bah
19:13 < _impuls> gimme a sec for the tables...
19:19 < _impuls> okay, there is nothing in there besides iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
19:19 < _impuls> btw - reason I couldn't ping it was because of a firewall checking crontab script...
19:20 < _impuls> disregard that...
19:21 < _impuls> http://loos.stoerimpuls.net/random/openvpn/iptables-client+server
19:23 < _impuls> krzie: so, status quo - both nodes are able to connect through tun0 ips - both ways, but NOT server to 192.168.1.0
19:23 < krzie> lol
19:23 < krzie> <_impuls> okay, there is nothing in there besides iptables -t nat -A
19:23 < krzie> POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
19:23 < krzie> did you ever stop to think about what that rule means?
19:24 < krzie> and why it totally doesnt apply to you...
19:24 < _impuls> mate,I changed the IPs
19:24 < krzie> good
19:24 < krzie> (thats not what you said above)
19:24 < krzie> !linfw
19:24 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
19:25 < krzie> (also have the postrouting rule)
19:26 < krzie> oh wait a sec..
19:26 < krzie> http://loos.stoerimpuls.net/random/openvpn/client-route
19:26 < krzie> that looks like you didnt have redirect-gateway
19:27 < _impuls> hmm... come again?
19:27 < _impuls> the pus redirect gateway is enabled atm
19:28 < Dougy> hm
19:28 < Dougy> what are some other cool channels on here worth hanging out in?
19:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:31 < _impuls> krzie: It does look a lot like a simple errorin the routing tables to me...
19:31 < krzie> *shrug* depends what you're into dougy
19:31 < _impuls> just cant figure out whats wrong..
19:31 < krzie> _impuls update the client.route after connecting with redirect gateway
19:32 < _impuls> just for the record, why is he trying to route to 10.10.1.5 if the client has .6 and the server .1 ?
19:32 < krzie> !/30
19:32 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
19:33 < krzie> its because you are using topology net30
19:33 < krzie> as explained in detail above
19:33 < _impuls> thx...
19:33 < krzie> np
19:33 < Dougy> krzie: just some places to meet new and interesting people
19:34 < _impuls> (note to myself - take networking classes next semester)
19:34 < Dougy> anything *nix interests me
19:35 < _impuls> AD update the client.route after connecting with redirect gateway ...
19:35 < _impuls> I cant really follow you there
19:36 < _impuls> which entry to update...
19:37 < _impuls> OHA
19:38 < krzie> dougy, #freeswitch is a channel dedicated to the telephone software of the same name, if that interests you...
19:38 < krzie> its far superior to asterisk
19:38 < Dougy> hmm
19:38 < Dougy> i've never heard of
19:38 < krzie> you're prolly not hardcore into phones and whatnot
19:38 < Dougy> not even softcore into
19:38 < krzie> have you heard of metaswitch?
19:39 < krzie> oh ya thats why then
19:39 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.new
19:39 < Dougy> so krzie
19:39 < Dougy> this guy is paying me $50 an hour to work on his server
19:39 < _impuls> MULTI: bad source address from client [192.168.1.3], packet dropped
19:39 < Dougy> (install csf firewall, compile php and apache, and secure /tmp, and install eaccelerator)
19:39 < Dougy> lol
19:39 < krzie> _impuls thats cause your ccd entry is in the wrong place
19:40 < krzie> !ccd
19:40 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
19:40 < _impuls> common name should be michael..
19:40 < krzie> your common-name is michael.client.loos.stoerimpuls.net
19:40 < _impuls> oh
19:40 < krzie> maybe it SHOULD be, but you didnt make it that way
19:40 < _impuls> ;)
19:40 < krzie> also, are you using ipp.txt as an attempt to have static ips?
19:41 < _impuls> yeah
19:41 < krzie> !ipp
19:41 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
19:41 < _impuls> never worked though
19:42 < _impuls> aaha
19:43 < krzie> so fix that stuff
19:43 < krzie> then i want you to connect to the vpn, and show me the client log, and client routing table
19:43 < krzie> hell, server log too
19:44 < krzie> use verb 5 on both sides
19:44 < krzie> until we're done, then you can go back to a more reasonable verbosity when you're done troubleshooting
19:45 < _impuls> cool, working on it...
19:46 < krzie> now remember when using static ips
19:46 < krzie> it MUST be .6 .10 .14 .18 etc
19:46 < _impuls> I just uncomment it for now...
19:46 < krzie> if you continue using net30
19:46 < krzie> uncomment it?
19:47 < _impuls> comment it
19:47 < krzie> ok
19:48 < Dougy> http://cgi.ebay.com/Supermicro-X7DVL-E-B-Intel-5000V-Dual-Xeon-Motherboard_W0QQitemZ120402439527QQcmdZViewItemQQptZLH_DefaultDomain_0?hash=item120402439527&_trksid=p3286.c0.m14&_trkparms=72%3A1205|66%3A2|65%3A12|39%3A1|240%3A1318|301%3A1|293%3A1|294%3A50
19:48 < vpnHelper> Title: Supermicro X7DVL-E-B Intel 5000V Dual Xeon Motherboard - eBay (item 120402439527 end time May-05-09 16:31:20 PDT) (at cgi.ebay.com)
19:48 < Dougy> hmmmmmmmmmmmmmmmmmmm
19:48 * Dougy scratches his chin interestedlyt
19:48 < Dougy> interestedly
19:48 < krzie> i dont think you can make interested an adverb by adding ly
19:49 < krzie> erronious!
19:49 < Dougy> ol
19:49 < Dougy> ok
19:49 < Dougy> s/interestedly/interested-like
19:51 < krzie> shit i was wrong anyways
19:51 < krzie> in·ter·est·ed (ntr-std, -tr--std, -t-rstd)
19:51 < krzie> adj.
19:51 < krzie> 1. Having or showing curiosity, fascination, or concern: I'm interested to hear about your family.
19:51 < krzie> 2. Possessing a right, claim, or stake: an interested party in the estate. See Usage Note at disinterested.
19:51 < krzie> inter·est·ed·ly adv.
19:51 < krzie> inter·est·ed·ness n.
19:51 < Dougy> hehehehehe
19:51 < Dougy> win
19:51 < krzie> you in fact CAN add ly on it
19:51 < krzie> sounds so wrong
19:52 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.server.new2
19:52 < _impuls> starting at minute 44/45
19:52 < _impuls> client is coming..
19:54 < _impuls> http://loos.stoerimpuls.net/random/openvpn/syslog.client.new2
19:54 < _impuls> same issues like before
19:56 < _impuls> YOU LEGEND!
19:56 < _impuls> restarted openvpn
19:56 < _impuls> It works!
19:56 < _impuls> thanks a lot mate
19:56 < krzie> yw =]
19:56 < _impuls> hehehehehe
19:57 < _impuls> aaaawesome
19:57 < _impuls> can't tell you how great - I spent a whole day on this shit
19:57 < _impuls> it was the common name thing, eh?!
19:57 < krzie> seems so
19:57 < krzie> for static...
19:57 < krzie> !static
19:57 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
19:58 < krzie> also if you wanna repost server/client configs i can tell you anything you're missing
20:00 < _impuls> !ccd
20:00 < vpnHelper> _impuls: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
20:00 < _impuls> !iporder
20:00 < vpnHelper> _impuls: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
20:01 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn
20:05 < _impuls> krzie: thanks again, I wont bother ya any longer. I think I can figure out the rest myself
20:05 < krzie> cool =]
20:05 < krzie> np
20:05 < _impuls> gnight guys!
20:05 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has left ##openvpn []
20:12 < Dougy> krzie is the shit
20:12 < Dougy> (Y)
21:00 -!- troy is now known as troy-
21:03 -!- DJ_HaMsTa [n=woot@c-69-136-240-75.hsd1.nj.comcast.net] has joined ##openvpn
21:03 < DJ_HaMsTa> !howto
21:03 < vpnHelper> DJ_HaMsTa: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:04 < DJ_HaMsTa> would PPTP slow down my connection ?
21:07 -!- troy- is now known as troy
21:07 < Dougy> hey troy
21:11 -!- DJ_HaMsTa [n=woot@c-69-136-240-75.hsd1.nj.comcast.net] has quit []
21:26 -!- troy is now known as troy-
21:48 -!- nemysis [n=nemysis@210-232.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
21:49 -!- nemysis [n=nemysis@93-144.3-85.cust.bluewin.ch] has joined ##openvpn
21:52 < krzie> would PPTP slow down my connection ?
21:52 < krzie> !notopenvpn
21:53 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
22:15 -!- tjz [n=tjz@bb116-15-38-124.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
22:38 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:55 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn
22:56 < Dougy> its tjz
22:59 < tjz> hey dougy ^_^
22:59 < tjz> looong time no see you
22:59 < tjz> :)
22:59 < Dougy> hey hey
22:59 < Dougy> sup?
23:00 < tjz> doing great =)
23:00 < tjz> How are you doing?
23:01 < Dougy> So so
23:01 < Dougy> still got that openvz vps?
23:01 < tjz> hahaha
23:01 < tjz> yea
23:01 < Dougy> word
23:01 < Dougy> where from?
23:01 < tjz> got it working long time ago
23:01 < tjz> oh
23:01 < tjz> it is on my own hardware node
23:01 < tjz> hehe
23:01 < tjz> just keep playing around
23:02 < tjz> hehe
23:14 -!- Gnewt [n=vector@207.115.69.54] has quit [Connection timed out]
23:17 < krzee> has anyone here used PAM auth in 2.1?
23:21 < tjz> cool
23:22 < tjz> haven'try but look interesting to add another security layer
23:22 < tjz> i mean authentication layer..
23:24 < Dougy> bed soon
23:24 < Dougy> krzee
23:24 < Dougy> i love people who pay me $50/hour to do easy shit
23:24 < Dougy> > * Install/update eAccelerator
23:24 < Dougy> > * MySQL 5.0
23:24 < Dougy> > * Change SSH port (also configure APF as necessary)
23:24 < Dougy> > * Add wheel user and disable direct root login over SSH
23:24 < Dougy> like that
23:24 < tjz> dougy, i want the $$
23:24 < tjz> omg
23:24 < tjz> good $$
23:24 < krzee> dougy, some guy from here gave me $30 to help him with openvpn via msg versus free in the channel
23:24 < tjz> $$_$$
23:25 < krzee> (was very cool of him)
23:25 < tjz> ($$)_($$)
23:25 < tjz> lol
23:25 < Dougy> nice
23:25 < Dougy> tits with dollar signs
23:25 < Dougy> win
23:26 < tjz> hahaha
23:30 < tjz> lunchie time
23:30 < tjz> :)
23:30 < tjz> *yum* *yum*
23:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
23:40 < Dougy> i hate you, libxml, i hate you.
23:50 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
--- Day changed Sat Apr 25 2009
00:02 < tjz> lool
01:01 < reiffert> talking about -devel?
01:38 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:53 -!- gallatin [n=gallatin@dslb-092-073-124-237.pools.arcor-ip.net] has joined ##OpenVPN
02:04 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
02:20 -!- albech [n=albech@119.42.76.130] has quit ["Leaving"]
02:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
02:48 -!- rubydiam_ [n=rubydiam@123.236.183.220] has joined ##openvpn
02:57 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
03:10 -!- rubydiam_ [n=rubydiam@123.236.183.220] has quit [Success]
03:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:10 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
04:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:33 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn
04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out]
05:21 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
05:37 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
06:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:06 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
07:06 < Dougy> hey al
07:06 < Dougy> l
07:11 -!- gallatin [n=gallatin@dslb-092-073-124-237.pools.arcor-ip.net] has quit ["Client exiting"]
07:13 < Bushmills> 'morning Dougy
07:14 < Dougy> Hey dood
07:14 < Dougy> What's up?
07:21 * Dougy pokes Bushmills
07:32 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
07:36 < Bushmills> felt sympathetic for you greeting, and nobody greeting back
07:36 < Bushmills> can be frustrating
07:40 < tjz> lol
07:41 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
07:43 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Client Quit]
07:49 < Dougy> lol
07:49 < Dougy> nah im used to it
07:49 < Dougy> hmmm
07:49 < Dougy> what local businesses can i go bother to buy web hosting from me...
07:52 < Bushmills> Dougy, try ultra on #physics, he was in specific need of a service
07:53 < Dougy> you got it
07:53 < Dougy> does he know you?
07:53 < Bushmills> no, unless he doesn't ignore my occasional comments there
07:54 < Dougy> oh
07:54 < Dougy> any idea what he was in need of
07:54 < Bushmills> yes. his provider has cut access to a voip server
07:55 < Dougy> ah
07:55 < Dougy> #physics oh lord
07:55 * Dougy 's brain will melt
07:56 < Bushmills> ventrilo, it was. max 8 users
07:59 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn []
08:54 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
09:00 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
09:13 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Read error: 60 (Operation timed out)]
09:18 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn
09:20 < fixxxermet> I am attempting to build a key for a second client, but the .crt file that is created has a size of 0. A .csr file is also created (which wasn't the last time that I did this)?
09:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
09:56 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:56 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
09:56 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn
09:59 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has joined ##openvpn
10:15 < [4-tea-2]> fixxxermet: using easy_rsa?
10:18 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn
10:52 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
11:02 < fixxxermet> [4-tea-2]: yes sir
11:03 < [4-tea-2]> Did you remember to source ./vars again? (just guessing)
11:07 -!- Roman123 [n=Roman123@128.131.70.150] has left ##openvpn ["Vegetarians don't live longer, they just look older!"]
11:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:40 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn
12:10 -!- isox [n=dacurmud@209.144.31.10] has quit [Remote closed the connection]
12:10 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has joined ##openvpn
12:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
13:15 -!- onoes [n=gokusv@96.57.117.26] has joined ##openvpn
13:24 < onoes> I just installed openvpn on this wondows box, but I see no icon to launch it in the tray
13:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:30 < Bushmills> !howto
13:30 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
13:37 < Bushmills> /bindkey ctrl-alt-H "!howto\n"
13:37 < Bushmills> oops
13:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:53 -!- _impuls [n=MRD@gateway.theta.stoerimpuls.net] has joined ##openvpn
13:54 < _impuls> !topology
13:54 < vpnHelper> _impuls: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:55 < _impuls> !redirect
13:55 < vpnHelper> _impuls: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:55 < _impuls> !ipforward
13:55 < vpnHelper> _impuls: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
13:55 < _impuls> !nat
13:55 < vpnHelper> _impuls: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
13:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:01 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit ["leaving"]
14:07 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
14:10 -!- onoes [n=gokusv@96.57.117.26] has quit [Read error: 60 (Operation timed out)]
14:32 -!- _impuls [n=MRD@gateway.theta.stoerimpuls.net] has quit [Read error: 110 (Connection timed out)]
14:39 -!- david_G [n=dave@modemcable064.248-203-24.mc.videotron.ca] has joined ##openvpn
14:40 < david_G> anybody can help me with client-disconnect option of openvpn?
14:42 < david_G> the script is not executed when my client disconnect ... but client-connect script exit(0) ...
14:42 < david_G> like said in the man page
14:44 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
14:45 < david_G> ?
14:47 -!- david_G [n=dave@modemcable064.248-203-24.mc.videotron.ca] has quit ["leaving"]
15:07 -!- correcaminos [n=laguilar@nat1.inalambrica.net] has quit [Remote closed the connection]
15:41 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit ["Leaving"]
16:32 -!- joejax [n=joejax@70-4-230-207.pools.spcsdns.net] has joined ##openvpn
16:32 -!- evilGary [i=gary@freenode/staff/colchester-lug.gary] has joined ##openvpn
16:33 -!- joejax [n=joejax@70-4-230-207.pools.spcsdns.net] has quit [Client Quit]
16:33 -!- evilGary [i=gary@freenode/staff/colchester-lug.gary] has left ##openvpn []
17:34 < krzie> !logs
17:34 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
17:34 < krzie> oops
17:34 < krzie> !irclogs
17:34 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
17:38 < krzie> !route
17:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:58 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:50 -!- nemysis [n=nemysis@93-144.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
18:51 -!- nemysis [n=nemysis@100-190.3-85.cust.bluewin.ch] has joined ##openvpn
19:14 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has quit ["Leaving."]
19:44 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:57 -!- nemysis [n=nemysis@100-190.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
19:58 -!- nemysis [n=nemysis@218-123.3-85.cust.bluewin.ch] has joined ##openvpn
19:59 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 110 (Connection timed out)]
20:23 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn
20:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit []
21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn
21:33 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:32 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn
22:32 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has quit [Client Quit]
22:32 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
23:30 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
23:30 < Dougy> heyo
23:59 < theDoc> http://www.youtube.com/watch?v=9BxNJRxGbgE&feature=related
23:59 < theDoc> :)
23:59 < vpnHelper> Title: YouTube - Discovery Channel - I Love the World (with lyrics) (at www.youtube.com)
--- Day changed Sun Apr 26 2009
00:16 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
00:32 < pekster> Hmm, !redirect isn't quite correct with the requirement of NAT if public IPs are used for VPN clients, but I suppose anyone doing that probably isn't using the bot for advice :P
00:34 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
00:38 -!- theDoc- [n=andelyx@208.99.194.194] has quit [Read error: 60 (Operation timed out)]
00:41 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
02:33 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
03:37 -!- xerxes [n=xerxes@BAG3da4.bag.pppool.de] has joined ##openvpn
03:40 < xerxes> please help, i have no idea what a vpn is...what is it good for?
03:42 < theDoc> It's for cuddles :)
03:43 < xerxes> haha
03:44 < xerxes> my boss said, he will not give me an account to his machine, but with a vpn
03:49 < theDoc> What a fucking douchebag.
03:49 < theDoc> You can't connect to that machine unless you have an account on it.
03:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:51 < xerxes> yeah..i know...so i need some sort of vpn...the only thing i know is openvpn is a vpn
03:52 < theDoc> xerxes: Once again, having a vpn doesn't grant you access to any machine
03:53 < xerxes> so he did a joke on me?
03:53 < xerxes> aw
03:53 < theDoc> I don't know but for sure, a vpn doesn't grant you access to any machine.
03:54 < xerxes> hm...im out of ideas
05:06 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
05:08 -!- xerxes [n=xerxes@BAG3da4.bag.pppool.de] has quit [Read error: 104 (Connection reset by peer)]
05:23 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has joined ##openvpn
05:23 < dar__> elo!
05:23 < dar__> i'm looking for a way to set a passphrase on the client's private key ?
05:23 < dar__> i can't find any way to do that
05:26 < dar__> !redirect
05:26 < vpnHelper> dar__: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
05:32 -!- dar__ [n=david@mex01-2-88-178-132-11.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
06:28 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
06:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:43 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
07:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
07:47 -!- theDoc [n=andelyx@bb219-75-46-162.singnet.com.sg] has joined ##openvpn
08:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
08:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
08:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
08:15 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
08:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
08:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
08:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
08:50 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
09:12 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:24 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn
09:26 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn []
09:29 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
09:30 < theDoc> Anyone in?
09:30 < theDoc> wtb some help
09:30 < theDoc> :)
09:38 < reiffert> 16:37 -!- Irssi: ##openvpn: Total of 55 nicks [0 ops, 0 halfops, 0 voices, 55 normal]
09:38 * theDoc has some issues with openvpn on the linux box
09:38 < theDoc> :9
10:06 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
10:14 -!- zooko [n=user@nooxie.zooko.com] has joined ##openvpn
11:09 < pekster> theDoc: What kind of issues?
11:13 < theDoc> pekster> not sure why the openvpn server isn't pushing routes to my nix client machine.
11:13 < theDoc> everything isn't tunneling via the vpn at all even though i'm connected.
11:14 < pekster> theDoc: Does the client you want routes pushed to include the 'client' or 'pull' directive?
11:15 < pekster> Also, if you want "everything" tunneled via the VPN, you'll probably be wanting the 'redirect-gateway' option, optionally with the 'def1' parameter which adds giant /1 routes instead of replacing the default gateway
11:16 < theDoc> pekster> the config works fine on my winxp box
11:16 < theDoc> just not on the nix.
11:17 < pekster> You're not using something odd like a route-noexec option or something, right? Care to pastebin the config?
11:18 < pekster> Or route-nopull, which doesn't pull routes :)
11:20 < theDoc> pekster> i just got this nix box working, i just did an apt-get install openvpn and well, i haven't gone through any config files at the moment. everything was done via gui.
11:21 < pekster> I tried networkmanager once, and it sucked at doing sane things with OpenVPN. If you can get it working with a config file and connecting with some variation of 'openvpn --config /path/to/config' then you need to get the GUI to act correctly
11:22 < theDoc> hmm
11:22 < theDoc> I'll take a look at it
11:23 < pekster> I have a coworker that got networkmanager working finally for our company VPN, but he had to do some poking at the gconf settings for the application; I don't have more specifics than that since I just use config files where I can tell what's happening
11:25 < theDoc> pekster> don't fret it, i'm just enjoying the whole nix thing now
11:25 < theDoc> :p
11:25 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has quit ["leaving"]
11:25 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn
11:57 -!- markus__ [n=markus@anonym.vpntunnel.se] has joined ##openvpn
12:06 -!- markus__ [n=markus@anonym.vpntunnel.se] has quit ["Lost terminal"]
12:08 -!- zooko [n=user@nooxie.zooko.com] has quit [Remote closed the connection]
12:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:15 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn
12:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
13:47 -!- _impuls [n=MRD@chello213047089128.17.14.vie.surfer.at] has quit ["~"]
14:02 -!- rjd [n=rjd@sigkill.se] has joined ##openvpn
14:02 < rjd> !route
14:02 < vpnHelper> rjd: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:03 -!- _niko [n=OMGZboob@niko-niko.co.uk] has joined ##openvpn
14:04 < rjd> If openvpn clients shouldn't be able to talk to each other, do I have to put each client into a different subnet?
14:04 < rjd> Tried with iptables rules, both in table nat and filter, but can't prevent them from communicating. Is that not possible as long as they're on the same network segment?
14:07 < _niko> !howto
14:07 < vpnHelper> _niko: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:07 < _niko> !redirect
14:07 < vpnHelper> _niko: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:08 < reiffert> rjd: --client-to-client
14:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:12 < rjd> thanks
14:13 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn
14:13 < Dougy> Heyh
14:13 < Dougy> krzie: there?
14:15 < _niko> !nat
14:15 < vpnHelper> _niko: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
14:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit []
14:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
14:20 < krzee> Dougy, !ask
14:21 -!- rubydiam_ [n=rubydiam@123.236.183.138] has joined ##openvpn
14:22 < _niko> !linnat
14:22 < vpnHelper> _niko: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:23 < Dougy> krzee: haha
14:23 < Dougy> freebsd is pissing me off
14:35 < krzee> dougy, would you like to rephrase your complaint in the form of a question?
14:35 < krzee> :-p
14:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
14:38 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
14:42 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
14:42 < Dougy> krzee: nah
14:42 < Dougy> im just formatting the box
14:42 < Dougy> fuck the customer
14:42 < krzee> wow
14:42 < krzee> remind me to shop with you
14:43 < krzee> o_O
14:43 < Dougy> well
14:43 < Dougy> he told me i could
14:43 < Dougy> i told him i could dig around but its not likely to fix
14:43 < Dougy> so i told him im taking backups which i am and then format
14:45 < Dougy> w00t
14:45 * Dougy is selling a server
14:45 < Dougy> krzee: wanna buy an amd opt?
14:45 < Dougy> :
14:45 < Dougy> :P
15:22 -!- rjd [n=rjd@sigkill.se] has left ##openvpn []
15:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
16:00 -!- rubydiam_ [n=rubydiam@123.236.183.138] has quit ["Leaving..."]
16:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:21 -!- Timpa88_ [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
16:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:33 -!- Timpa [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
16:47 -!- Timpa [n=timpa@193.13.142.180] has joined ##openvpn
17:05 -!- Timpa88_ [n=timpa@c-611070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Read error: 110 (Connection timed out)]
17:12 -!- chrisbray [n=chris@92-235-81-218.cable.ubr06.brom.blueyonder.co.uk] has joined ##openvpn
17:12 -!- Timpa [n=timpa@193.13.142.180] has quit [Read error: 110 (Connection timed out)]
17:14 < chrisbray> Hi guys, I've got openvpn working great, remote access is perfect, but can anyone help me with setting up an openvpn filter in syslog so openvpn's logging goes to /var/log/openvpn rather than /var/log/messages? I've tried "!openvpn\n *.* /var/log/openvpn" but it seems to go to both for some reason :(
17:20 -!- Timpa88 [n=timpa2@193.13.142.180] has joined ##openvpn
17:21 -!- Timpa88 [n=timpa2@193.13.142.180] has quit [Client Quit]
17:23 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
17:27 < krzie> 1sec
17:27 < krzie> !man
17:27 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:29 < krzie> --log file
17:29 < krzie> Output logging messages to file, including output to stdout/stderr which is generated by called scripts. If file already exists it will be truncated. This option takes effect immediately when it is parsed in the command line and will supercede syslog output if --daemon or --inetd is also specified. This option is persistent over the entire course of an OpenVPN instantiation and will not be reset by SIGHUP, SIGUSR1, or --ping-restart.
17:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:31 < krzie> thats 1 way, by avoiding syslog all together
17:31 < chrisbray> krzie: I can't just use syslog with a localX facility and then use the syslog features for piping and sending to a remote machine etc?
17:32 < chrisbray> It'd be nice if I could have it alert the syslog on my desktop when I had a login etc..
17:32 < krzie> im sure you can, but i was just offering something inside openvpn
17:32 < krzie> your question might be better answered in a linux help chan im thinking
17:33 < krzie> although im sure if someone here knows offhand they'd be happy to share
17:33 < chrisbray> Do you know what facility code OpenVPN uses when it writes to the syslog?
17:34 < chrisbray> I can't seem to find an option to set it anywhere.
17:35 < krzie> no idea
17:35 < Dougy> :\wget/exit
17:35 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit ["leaving"]
17:37 < chrisbray> More investigation I think! Thanks for your help :)
17:37 < krzie> np
17:38 < krzie> although i think maybe putting syslogd in debug mode could help you figure out what facility its using
17:40 < krzie> oh no not debug mode, verbose mode
17:40 < krzie> -v Verbose logging. If specified once, the numeric facility and
17:40 < krzie> priority are logged with each locally-written message. If speci-
17:40 < krzie> fied more than once, the names of the facility and priority are
17:40 < krzie> logged with each locally-written message.
17:41 < krzie> so running syslogd with -vv will make it print logs with facility name
17:41 < krzie> note, im looking at syslogd in freebsd, ymmv
17:48 -!- onoes [n=gokusv@pool-98-109-202-70.nwrknj.fios.verizon.net] has joined ##openvpn
17:57 -!- nemysis [n=nemysis@218-123.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
17:58 -!- nemysis [n=nemysis@109-34.3-85.cust.bluewin.ch] has joined ##openvpn
18:03 < _niko> iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to
18:03 < _niko> sorry about that
18:04 < _niko> keep right clicking thinking i am in ubuntu =[
18:04 -!- chrisbray [n=chris@92-235-81-218.cable.ubr06.brom.blueyonder.co.uk] has quit ["leaving"]
18:10 -!- onoes [n=gokusv@pool-98-109-202-70.nwrknj.fios.verizon.net] has quit [Read error: 54 (Connection reset by peer)]
18:30 < troy-> is there an openvpn client for blackberry?
18:30 < krzie> does it run windows mobile?
18:30 < troy-> mm nope
18:31 < krzie> then not that i know of, ecrist would likely know for sure, he runs a bb theme site
18:31 < troy-> thanks
18:32 < krzie> yw
18:34 < _niko> I finally concede, I really didnt want to ask here until i felt i really tried. I am having trouble with the traffic forwarding part of setting up my vpn, I tried the iptables command found in the howto with no result
18:34 < krzie> !redirect
18:34 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:35 < krzie> thats what you're talking about _niko
18:35 < krzie> ?
18:35 < _niko> yeah
18:35 < _niko> I went through that stuff earlier though
18:36 < krzie> !configs
18:36 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
18:42 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
18:46 < _niko> http://pastebin.com/m32aec1a6
18:47 < krzie> !tcp
18:47 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:47 < krzie> not your problem, but something you wanna know
18:47 < _niko> ok
18:48 < krzie> i see a couple other things you should be doing, but ill save that for after
18:48 < krzie> people always start crying when i tell them how to make their vpn better before i help them solve their immediate problem
18:48 < krzie> !logs
18:48 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
18:49 < krzie> also, i see you're using 2.1_rc7
18:49 < krzie> rc7 has known issues, we're at rc15 now
18:51 < _niko> Ok, that was the version from apt, i forget they are not always up to date
18:52 < krzie> while i wait for the logs, are you using ipp.txt as an attempt to have static ips?
18:52 < _niko> I think so
18:53 < krzie> !ipp
18:53 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:53 < _niko> oh ok, I'm not actually bothered about having a static ip or not
18:53 < krzie> ok
18:54 < _niko> where can I find the logs?
18:55 < krzie> if you are putting it in the background with daemon command, it'll be going through syslog
18:56 < _niko> ok
18:56 < krzie> oh i see you dont have daemon in the configs
18:56 < krzie> you let it run in the foreground?
18:56 < krzie> or you add --daemon on commandline?
18:58 < _niko> no i didnt add --daemon but it was running in the background on the server, I have found them though
18:58 < krzie> howd you background it without --daemon?
19:01 < _niko> to be honest i dont know. As far as im aware openvpn is running when the server starts
19:02 < krzie> ahh your os's stuff must add --daemon
19:03 < _niko> um, Im not sure where the logs for a connection start in this file
19:03 < krzie> stop openvpn
19:03 < krzie> on both sides
19:04 < krzie> verb 6
19:04 < krzie> then start it
19:04 < krzie> after connection is 100% finished, pastebin both logs
19:04 < _niko> ok
19:11 < _niko> do you want these logs in separate pastebins?
19:13 < _niko> http://pastebin.com/m6fd864e5
19:14 < _niko> here they are all in one big pastebin
19:18 < krzie> ok that looks good
19:18 < krzie> so after you connect
19:19 < krzie> can client ping 10.8.0.1?
19:19 < _niko> yes
19:19 < krzie> can it ping 209.85.171.100?
19:20 < _niko> i can try
19:21 < _niko> no
19:21 < krzie> !linnat
19:21 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:21 < krzie> pastebin a dump of your iptables rules?
19:21 < krzie> also, double check ip forwarding is eanbled
19:21 < krzie> enabled
19:23 < _niko> i have no iptables rules anymore apart from the one placed in by iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
19:23 < krzie> !linfw
19:23 < vpnHelper> krzie: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
19:24 < krzie> so iptables is set to that above, along with the NAT command
19:24 < krzie> right?
19:24 < _niko> and Ip forwarding is on, at least that is what sysctl.conf tells me
19:24 < _niko> yes
19:24 -!- galen [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has joined ##openvpn
19:24 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
19:25 < galen> Under ideal situations, how much latency is added when going through an OpenVPN tunnel?
19:25 < krzie> !linipforward
19:25 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
19:25 < krzie> _niko: cat /proc/sys/net/ipv4/ip_forward
19:25 < krzie> if its 1, its enabled
19:26 < krzie> galen, no idea... but i can tell you that you can make it best by using UDP and checking mtu with --mtutest
19:26 < krzie> !mtu
19:26 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
19:26 < krzie> --mtu-test i mean
19:26 < _niko> i get permission denied even with sudo
19:26 < galen> krzie: i was hoping for some indications before i went too far down with testing
19:26 < galen> i agree, udp is best
19:26 < krzie> the manual agrees as well
19:26 < krzie> !tcp
19:26 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:28 < krzie> _niko, thats very weird
19:28 < _niko> it is, I did uncomment the line in sysctl.conf for ip forwarding and the server has been rebooted since then
19:28 < krzie> if you're root you should have access to *
19:29 < galen> krzie: i was just hoping for some useful reference values
19:29 < _niko> i will try it as su
19:29 < krzie> galen, i know you were
19:29 < galen> and yes, tcp on tcp sucks. i know this personally.
19:29 < krzie> the other thing that can come into play is which cipher you use
19:29 < krzie> by default its blowfish
19:30 < krzie> reference values, i have none
19:30 < krzie> oh and cpu usage obviously comes into play as well
19:32 < _niko> i tried the echo 1 >.... as root
19:32 < _niko> and nothing was echoed
19:32 < krzie> i didnt say to echo anything
19:33 < krzie> _niko: cat /proc/sys/net/ipv4/ip_forward
19:33 < _niko> oh cat
19:33 < _niko> sorry
19:34 < _niko> yeah
19:34 < _niko> 1
19:41 < krzie> ya that echo command you entered set it to 1 even if it wasnt
19:41 < krzie> double check you still cant ping that ip i said
19:41 < _niko> Krzie: I can ping 209.85.171.100
19:41 < _niko> just tried it
19:41 < _niko> and it happened
19:41 < krzie> ok
19:41 < krzie> so now ping google.com
19:41 < krzie> lets make sure dns is working...
19:42 < _niko> nothing
19:42 < krzie> grep nameserver /etc/resolv.conf
19:43 < _niko> grep nameserver /etc/resolv.conf
19:43 < _niko> nameserver 212.13.194.71
19:43 < _niko> nameserver 212.13.194.96
19:43 < krzie> host google.com
19:44 < _niko> ?
19:44 < krzie> type that
19:44 < _niko> command not found
19:44 < krzie> umm
19:44 < krzie> the command host wasnt found?
19:44 < Timpa88> krzie: can you do a lookup for me ? please? host skalet.org
19:45 < krzie> skalet.org has address 193.13.142.180
19:45 < krzie> skalet.org mail is handled by 10 mail.skalet.org.
19:45 < Timpa88> thanks
19:45 < Timpa88> :)
19:45 < _niko> thats what it said
19:45 < Timpa88> does http://193.13.142.180/ work for you? or www.skalet.org?
19:45 < _niko> paul@niko-niko:~$ host google.com
19:45 < _niko> -bash: host: command not found
19:45 < krzie> weird
19:45 < krzie> gentoo?
19:45 < _niko> ubuntu
19:46 < Timpa88> in ubuntu it should be there :S
19:46 < _niko> i will see if i can install it
19:46 < _niko> paul@niko-niko:~$ host google.com
19:46 < _niko> google.com A 74.125.45.100
19:46 < _niko> google.com A 74.125.67.100
19:46 < _niko> google.com A 209.85.171.100
19:46 < Timpa88> correct
19:47 < krzie> _niko, but you cant ping google.com?
19:48 < _niko> um, was i meant to be doing this on the client :o
19:48 < Timpa88> krzie: if i have vpn on my server, and the ip is "193.13.142.180" and using nat routing on that machine too with shorewall .. why cant i surf into 193.13.142.180 but i can ping it?
19:48 < krzie> yes niko
19:48 < _niko> bugger
19:48 < _niko> the client is win
19:50 < _niko> i can ping the ip 209.85.171.100 but not google.com and im not sure about the dns stuff for win
19:55 < krzie> when i had you grep for nameservers, was it on client?
19:55 < _niko> no
19:55 < _niko> that was the server
19:56 < krzie> should be on client
19:57 < _niko> I'm not sure how to do something like that on win
19:57 < krzie> well, figure out what your NS is set to
19:57 < krzie> i believe ipconfig/all
19:59 < _niko> would it be the dns servers part?
19:59 < krzie> right
20:00 < _niko> DNS servers : 160.5.41.1 - 4
20:00 < krzie> try changing it to 4.2.2.1
20:03 < _niko> sorry, did you mean the dns ip's from the physical network adapter or from the tap-win32 adapter?
20:03 < krzie> dude
20:04 < krzie> just make your windows computer use 4.2.2.1 as its nameserver
20:04 < krzie> i dont even use windows, i cant walk you through changing its settings
20:05 < _niko> ok, will find out how.
20:05 < krzie> !dns
20:05 < vpnHelper> krzie: "dns" is Level3 open recursive DNS server at 4.2.2.1
20:06 < _niko> ok i have
20:07 < krzie> now stuff works =]
20:09 < krzie> your problem after we got the ip pinging was that your NS could only be reached while connected via your ISP
20:09 < krzie> so when tunneling to the server out to the net DNS couldnt work
20:09 < krzie> now you changed it to an open recursive NS, everything should be up and running
20:20 < _niko> :0
20:20 < _niko> it does work
20:20 < _niko> dude i think i love you, i have spent too long trying to do this
20:20 < _niko> thank you
20:21 < krzie> yw
20:22 < _niko> there are a few things i still dont understand but i think i will do some reading on that
20:22 < krzie> you interested in knowing what you should add?
20:22 < krzie> for added security..
20:23 < krzie> well im gunna head out, if you wanna know what i was gunna say see !mitm and !hmac
20:24 < _niko> Ok then
20:24 < _niko> Thank you
20:24 < krzie> yw
20:24 < _niko> !mitm
20:24 < vpnHelper> _niko: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates
20:25 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Read error: 110 (Connection timed out)]
20:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
21:36 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:42 < ecrist> sub bitches?
21:42 < onats> lol
21:43 < onats> morning
22:46 < tjz> lol
22:59 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
23:08 -!- _niko [n=OMGZboob@niko-niko.co.uk] has left ##openvpn []
23:31 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
23:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
23:50 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
--- Day changed Mon Apr 27 2009
00:03 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)]
00:05 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)]
00:13 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
01:27 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
01:30 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
02:02 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:05 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
02:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:44 < krzee> !route
02:44 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:49 -!- galen [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
03:05 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
03:26 -!- ThoMe [i=tm@tm.muc.de] has quit ["leaving"]
03:26 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
03:32 -!- rashed2020_ [n=admin@67.205.245.208] has quit []
04:05 -!- row [i=row@who.br0ke.me.uk] has quit []
04:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:15 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
04:21 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
04:21 < mattock> Hi guys, I tried to find a solution from the new and old OpenVPN sites and the mailing list archives, but didn't find anything concrete... I hope you can provide an answer to a few simple questions...
04:21 < mattock> is OpenVPN entirely GPLv2-licensed? Or are there proprietary/dual-licensed (GPL+closed source) components in it? Also, what would I do if I wanted to contribute documentation or code to the project?
04:22 < Coke> Quick question: I'm thinking about using a bridged network to connect two offices separated by a wan (internet). My plan is to use 192.168.1. for the host net and 192.168.2. for the branch office, is this a recommended setup?
04:22 < mattock> I'm trying to figure out how open the project is to "external" developers
04:24 < theDoc> Coke> what subnet mask are you using?
04:26 < Coke> theDoc: 255.255.255.0
04:26 < Coke> theDoc: I'm guessing I could do with like /16
04:26 < theDoc> Coke> sure you can
04:26 < Coke> theDoc: but why?
04:26 < Coke> It's not like the C-nets are scarce on 192.168
04:27 < theDoc> Coke> Depends on your subnet scheme no?
04:27 < Coke> theDoc: there's none at the moment.
04:28 < Coke> theDoc: actually, I'm reading the docs now about bridging, seems that my branch office could connect to the same net?
04:29 < Coke> maybe even get an ip from the 192.168.1 network dhcp?
04:29 < Coke> i.e no need for two different subnets at all
04:30 < Coke> Hm, the FAQ pretty much answered me already
04:48 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
04:53 < reiffert> I run two dhcp servers on each side.
04:53 < reiffert> and I'm filtering out dhcp requests from the wrong side of the net to prevent trouble.
04:53 < Coke> reiffert: sounds overly complicated
04:53 < Coke> but it will give you some redundancy when the connection is severed
04:54 < reiffert> It allows people to work even when the connection is down.
04:54 < Coke> yes
04:56 < reiffert> Coke: whats your OS openvpn is running on?
04:56 < Coke> reiffert: archlinux
04:56 < Coke> and Debian
04:56 < Coke> I could add some iptable rules to prevent broadcasts for dhcp leases perhaps
04:57 < reiffert> hamburg:~# ebtables -L
04:57 < reiffert> Bridge table: filter
04:57 < reiffert> Bridge chain: INPUT, entries: 2, policy: ACCEPT
04:57 < reiffert> -p IPv4 -i tap1 --ip-proto udp --ip-sport 67 -j DROP
04:57 < reiffert> -p IPv4 -i tap1 --ip-proto udp --ip-sport 68 -j DROP
04:57 < reiffert> Bridge chain: FORWARD, entries: 0, policy: ACCEPT
04:57 < reiffert> Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
04:58 < Coke> so, just blocking udp 67 and 68 is enough?
04:59 < reiffert> with ebtables, yes.
04:59 < Coke> ebtables??
04:59 < reiffert> yes.
04:59 < Coke> I'm using iptables, but the syntax looks similar
05:00 < reiffert> Once you start reading about what ebtables is and what it does, you'll soon get an idea.
05:02 < Coke> reiffert: it's for bridge interfaces only?
05:07 < reiffert> http://ebtables.sourceforge.net/
05:07 < vpnHelper> Title: ebtables (at ebtables.sourceforge.net)
05:08 < Alagar> hi i have deleted one folder with shift key. is any tools available to recover that folder. i am using Recovery Active Undelete RAID v5.5 but i am not able to find out that folder. i have deleted now only. i am using windows xp pro. sp2
05:09 < reiffert> Alagar: This irc channel is about openvpn.
05:10 < Alagar> reiffert: sorry
05:16 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
05:36 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
05:36 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn
05:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:46 -!- Timpa88 [n=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
06:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
06:01 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
06:12 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Nick collision from services.]
06:12 -!- Timpa88_ [n=timpa@193.13.142.180] has joined ##openvpn
06:12 -!- Timpa88_ [n=timpa@193.13.142.180] has quit [Remote closed the connection]
06:13 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
06:14 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:29 -!- zxcvop1 [n=Admin@120.28.148.175] has joined ##openvpn
06:31 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
06:38 -!- zxcvop1 [n=Admin@120.28.148.175] has quit [Connection reset by peer]
06:39 -!- zxcvop1 [n=Admin@120.28.148.175] has joined ##openvpn
06:39 -!- zxcvop1 [n=Admin@120.28.148.175] has left ##openvpn []
06:40 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Read error: 110 (Connection timed out)]
06:46 -!- clau30 [n=clau@91.11.40.115] has joined ##openvpn
06:46 < clau30> hi.. how can I connect to a openvpn server using no authentication?
06:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
06:49 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)]
06:57 -!- Deffie_ [n=Deffie@mail.nectarine.info] has joined ##openvpn
07:02 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 113 (No route to host)]
07:05 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
07:09 -!- clau30 [n=clau@91.11.40.115] has quit [Remote closed the connection]
07:09 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn
07:09 -!- clau30 [n=clau@91.11.40.115] has joined ##openvpn
07:10 -!- sniffersp [n=sniffers@200-201-138-22.static.spo.ifx.net.br] has joined ##openvpn
07:12 < sniffersp> help
07:12 < sniffersp> my openvpn error
07:12 < sniffersp> Authenticate/Decrypt packet error: cipher final failed
07:13 < sniffersp>
07:13 < sniffersp> good day, can someone help me with this error? "Authenticate / Decrypt packet error: cipher final failed"
07:18 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)]
07:19 < dazo> sniffersp: please ... have a look at the topic of the channel .... We need !logs and !configs and maybe !interface
07:19 < dazo> !logs
07:19 < vpnHelper> dazo: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
07:19 < clau30> !howto
07:19 < vpnHelper> clau30: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:21 < sniffersp> http://de.pastebin.ca/1404789
07:21 -!- floyd_n_milan [n=quassel@124.247.220.202] has joined ##openvpn
07:26 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn
07:27 < sniffersp> :(:(
07:28 < sniffersp> dazo, help me please
07:29 < dazo> sniffersp: let me guess ... you've not read your logfile carefully .... have you?
07:29 < dazo> sniffersp: you have 4 warnings .... and one of them states: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
07:29 < dazo> sniffersp: fix those 4 warnings, and you might have it working
07:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Remote closed the connection]
07:33 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
07:38 < sniffersp> :(
07:39 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn []
07:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Remote closed the connection]
07:46 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn
07:49 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"]
07:51 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
07:51 -!- theDoc [n=andelyx@bb116-15-84-168.singnet.com.sg] has joined ##openvpn
07:56 < reiffert> link-mtu > 1500 doesnt make much sense.
07:56 < reiffert> I'd remove that.
07:57 < theDoc> Indeed.
07:58 * theDoc bounces.
07:58 < clau30> bounce, bounce
07:58 < theDoc> bounce, bounce bounce!
07:58 < theDoc> I wish someone would code a console based msn client.
07:58 < theDoc> :)
07:58 < reiffert> !kick
07:59 < vpnHelper> reiffert: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:59 < theDoc> That would be fun.
08:00 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn
08:00 < ecrist> good morning
08:00 -!- pekster is now known as Guest92433
08:00 < theDoc> hey ecrist ;D
08:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:55 -!- clau30 [n=clau@91.11.40.115] has quit [Remote closed the connection]
09:13 -!- marcus_ [n=Marcus@03741-1.kunden.mk-netzdienste.de] has joined ##openvpn
09:16 < marcus_> hi all. i have set up multiple openvpn server configurations with different udp ports and tun adapters. in the 'server ...' string i have also defined different ip ranges.
09:17 < marcus_> but all clients seem to receive the server route address from the first config in alphabetic order
09:24 < [4-tea-2]> marcus_: how is that possible if they connect to a different port which is served by a ovpn instance with a dedicated configuration?
09:27 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:28 -!- nemysis [n=nemysis@109-34.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
09:29 -!- nemysis [n=nemysis@71-81.106-92.cust.bluewin.ch] has joined ##openvpn
09:32 -!- c64zottel [n=hans@p5B17B289.dip0.t-ipconnect.de] has joined ##openvpn
09:33 < marcus_> [4-tea-2], that's what i wonder, too. i am going to prepare a paste so maybe you could take a look at it. mom
09:35 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn
09:36 < marcus_> lan2lan: http://pastebin.centos.org/25886
09:36 < marcus_> i am working with ccd files btw.
09:38 < marcus_> and here the roardwarrior.conf: http://pastebin.centos.org/25889
09:39 < marcus_> the route that is pushed to the rw: 10.9.0.1 255.255.255.255 10.10.2.1 10.10.2.2 30
09:44 -!- sniffersp [n=sniffers@200-201-138-22.static.spo.ifx.net.br] has quit ["Saindo"]
09:47 -!- carpe_ is now known as plaerzen
09:48 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
09:49 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
09:50 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn []
09:54 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Read error: 113 (No route to host)]
09:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:59 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
10:02 -!- zxcvop [n=Admin@120.28.148.175] has joined ##openvpn
10:04 -!- zxcvop [n=Admin@120.28.148.175] has left ##openvpn []
10:21 -!- nemysis [n=nemysis@71-81.106-92.cust.bluewin.ch] has quit [Connection timed out]
10:22 -!- nemysis [n=nemysis@163-66.3-85.cust.bluewin.ch] has joined ##openvpn
10:28 -!- marcus_ [n=Marcus@03741-1.kunden.mk-netzdienste.de] has quit ["Leaving"]
10:35 < ecrist> ping krzie
10:45 -!- pawpro [n=Miranda@host86-147-6-91.range86-147.btcentralplus.com] has joined ##openvpn
10:46 < pawpro> hello everybody. What is whichopensslcnf? I'm getting problems sourcing vars setting up openvpn 2.1rc7 on openbsd4.4
10:46 < ecrist> first, upgrade to 2.1rc15
10:47 < pawpro> thanks ecrist. Do you by any chance know where to get a tgz package for openbsd for it?
10:48 < ecrist> nope, sorry.
10:58 -!- nemysis [n=nemysis@163-66.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:59 < karlpinc> pawpro : It's in ports.
11:00 < karlpinc> pawpro : (Although maybe not the version you want.)
11:01 < karlpinc> pawpro : The good thing about ports is that they tend to work with the OS version you're using.
11:11 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has joined ##openvpn
11:11 < victor-> if I have two openvpn servers, will openvpn client cycle through indefinitely? or will it stop at the last server in the list?
11:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:19 < ecrist> victor-: depends on if you have retry-infinite in the config
11:20 < victor-> ecrist: is that the same as 'resolv-retry infinite' ? i thought that only applies to DNS names?
11:20 < victor-> what if it resolves but can't connect?
11:21 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
11:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
11:32 -!- bthesorceror [n=bthesorc@209.106.203.252] has joined ##openvpn
11:34 -!- nemysis [n=nemysis@109-178.3-85.cust.bluewin.ch] has joined ##openvpn
11:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:53 < ecrist> victor-: it's the same, it's not just DNS, it's connections, too
11:55 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has joined ##openvpn
11:56 -!- nemysis [n=nemysis@109-178.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
11:56 < Improv> Hey all - if I've started an openvpn instance but not given it a specific interface name (e.g. tun rather than tun3), is there a good way to figure out what it took?
11:57 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has joined ##openvpn
11:57 < bragon> Hi
11:57 < bragon> i'm reading the FAQ
11:58 < bragon> In the documentation we could read :
11:58 < bragon> The VPN carrier connection must currently use IPv4 endpoints, however there's a patch which can be found in the openvpn-devel archives which adds IPv6 support. This patch will probably be merged into the mainline post-2.0.
11:58 < bragon> i want to know where i can find this patch please :)
11:58 < bragon> i want to setup a ipv6 only vpn, and i need to test that
11:59 < Improv> bragon: The FAQ says it can be found in the openvpn-devel archives
11:59 < bragon> i'm on it
11:59 < Improv> so if I were you I'd go poking around in there
11:59 < bragon> http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel
11:59 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-devel (at sourceforge.net)
11:59 < bragon> it's the good place not ?
12:01 < Improv> bragon: Actually, I wonder if that's the --tun-ipv6 patch
12:02 < Improv> If so, OpenVPN 2.1 has it
12:02 < bragon> ok
12:02 < bragon> thanks
12:06 < ecrist> Improv: sure
12:06 < ecrist> figure out which IP you gave it.
12:08 < Improv> ecrist: If it's Layer2, it doesn't have an IP
12:11 < Improv> ecrist: I basically need a way to distinguish large numbers of layer2 OpenVPNs without assigning them interfaces
12:11 < Improv> (specific interfaces, I mean)
12:19 < krzee> then name them specially
12:20 < krzee> you can name the process specially with --daemon
12:20 < krzee> and i believe you can statically make the interface with a diff name as well
12:21 < krzee> and large numbers of layer2 vpns sounds like a terrible setup personally...
12:23 < ecrist> don't listen to krzee. he's a bitch who still sips from his mother's teat.
12:23 < ecrist> :P
12:23 < Improv> krzee: aha, the --daemon advice is spot-on
12:23 < Improv> krzee: But ... I do need to know what interface a given openvpn took so I can know how to bridge it
12:24 < krzee> you specify that with --dev
12:25 < Improv> krzee: I don't want to specify, I want to know.
12:25 < ecrist> krzee, he doesn't want to do that.
12:25 < krzee> *shrug* if you specify you wont know?
12:25 < ecrist> Improv: I'm curious as to why you don't want to assign it an interface number
12:25 < Improv> ecrist: Because I don't want to need to keep track of what interfaces I have already used
12:26 < krzee> and ecrist got it wrong, i actually sip from HIS mother's teat
12:26 < Improv> ecrist: I am gluing openvpn into a network testbed system called emulab - our openvpn server will dynamically allocate/teardown dozens of openvpns at a time
12:26 < krzee> Improv, create a wrapper which will make the interface for that specific openvpn instance, set openvpn config file to use it, and start openvpn
12:26 < krzee> oh god this again?
12:27 < Improv> ecrist: So I would prefer to let it pick an interface and let me know...
12:27 < krzee> didnt jjk on the maillist explain that openvpn is not what you want for this?
12:27 < ecrist> script it.
12:27 < Improv> krzee: He didn't exactly say that.
12:27 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
12:27 < ecrist> as krzee said, write a wrapper
12:28 * krzee bows out of the conversation
12:28 < Improv> I might do that... hmm
12:28 < ecrist> actually, iirc, tun/tap/gif tunnels are created with the PID that created them as part of the meta data
12:28 < ecrist> just pull that.
12:28 < krzee> hey thats correct
12:28 < krzee> good point
12:28 < ecrist> tun0: flags=8051 metric 0 mtu 1500 inet 172.30.1.89 --> 172.30.1.90 netmask 0xffffffff Opened by PID 999
12:29 < Improv> Oh... that's very nice.
12:30 < Improv> Yes, that will do nicely.
12:30 < Improv> Thanks for the hints. The --daemon and the ifconfig metadata will get me what I want
12:43 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:45 -!- nemysis [n=nemysis@89-14.3-85.cust.bluewin.ch] has joined ##openvpn
12:48 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
12:59 < bragon> ok
12:59 < bragon> i have ipv6 on my openvpn client
13:00 < bragon> but when i want to ping6 an host i have that in the server's log :
13:00 < bragon> Need IPv6 code in mroute_extract_addr_from_packet
13:00 < bragon> i google this issue but not a my answer
13:13 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has joined ##openvpn
13:13 < plazmacrow> hello@all
13:13 < plazmacrow> I've problems sending DNS-Server via tun-tunnel
13:14 < plazmacrow> I'm using gentoo (on both sides), and the "push dhcp"-option
13:15 < plazmacrow> but the dns-server isn't recognised :-(
13:15 < plazmacrow> any ideas?
13:15 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
13:16 < Improv> plazmacrow: The clients don't get the dns-server you specify in their resolv.conf ?
13:18 < plazmacrow> Improv, thats correct. The specified DNS doesn't appear in the client-resolv.conf
13:22 < plazmacrow> the PUSH control message on the client-side is showing the specified options (including DNS-Server and domain)
13:24 < Improv> http://openvpn.net/archive/openvpn-users/2006-06/msg00097.html
13:24 < vpnHelper> Title: Re: [Openvpn-users] DNS push for Linux clients? (at openvpn.net)
13:24 < Improv> I wonder if that is still accurate
13:27 < ecrist> yes, it is.
13:29 < plazmacrow> ugh, that looks so dirty
13:30 < plazmacrow> but it seems to be the only way (beside using briding)
13:32 < Improv> plazmacrow: Getting married to OpenVPN seems a bit extreme.
13:33 < ecrist> o.O
13:34 < Improv> ecrist: Besides, because of gender issues, briding it might not be suitable for everyone.
13:35 < plazmacrow> ooops. typo - i meant "bridging" ;)
13:35 < ecrist> Improv: that depends on its social acceptance in one's given region, and whether one likes to pitch or catch.
13:35 < Improv> plazmacrow: Aww.. it would've been a beautiful wedding
13:36 < Improv> Do you, plazmacrow, take OpenVPN to be your lawfully wedded bride, to configure and protect against unwanted signals, in sickness and in health...
13:36 < plazmacrow> LOL
13:36 < plazmacrow> Yes, I (try to) do ;)
13:37 < Improv> I now pronounce you man and VPN software. You may now kiss the bride
13:37 < Improv> ecrist: I bet you don't have a lot of weddings on this channel, eh?
13:45 < plazmacrow> okay, thank you guys. I still love OpenVPN ;)
13:45 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
13:49 -!- Improv [n=pgunn@ANXIETY.PC.CS.CMU.EDU] has quit ["ircII EPIC4-2.6 -- Are we there yet?"]
13:55 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has left ##openvpn []
14:01 -!- Schiz0|SD [i=schiz0@unaffiliated/schiz0] has joined ##openvpn
14:02 < Schiz0|SD> I'm having problems getting OpenVPN to give out static IPs. I added the client-config-dir to my config file, as well as created the dir. I created two files in there, "client1" and "client2" (which are the names in the ssl keys for those clients), but it's not giving out the proper IPs
14:03 < Schiz0|SD> I don't see "OPTIONS IMPORT: reading client specific options from ..." in my log files for openvpn, so it's not detecting the file or something?
14:11 < ecrist> !logs
14:11 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:24 < reiffert> Schiz0|SD: client1 is the Common Name of the certificate or just the CERT Filename?
14:25 < Schiz0|SD> common name
14:25 < Schiz0|SD> sorry, was afk for a min
14:25 < reiffert> !configs
14:25 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:25 < Schiz0|SD> yeah, i made sure I used the common name for each one
14:27 < Schiz0|SD> actually, i just got it working. I chmod'd everything 666 and tried it, so it's gotta be a permissions/ownership problem somewhere
14:38 < Schiz0|SD> Hm, now I'm having a problem connecting the clients :-\
14:40 < Schiz0|SD> http://pastebin.ca/1405251
14:41 < Schiz0|SD> Server is 10.8.4.1, client1 is 10.8.4.2, client2 is 10.8.4.3. (That's the setup that gives the connection errors)
14:42 < Schiz0|SD> I ran --show-valid-subnets but I didn't really understand it. I tried changing some numbers around in the IP, but now neither client can connect, haha
14:46 < reiffert> !topology
14:46 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:46 < reiffert> !/30
14:46 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:47 < reiffert> Schiz0|SD: windows anywhere?
14:47 < reiffert> !factoids search win
14:47 < vpnHelper> reiffert: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', and 'winnat'
14:47 < Schiz0|SD> both clients are windows, server is FreeBSD
14:47 < reiffert> Schiz0|SD: then you must change the topology to net30
14:47 < Schiz0|SD> ok, I'll look around and figure it out
14:47 < Schiz0|SD> Thanks
14:48 < reiffert> !net30
14:48 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:22 -!- bthesorceror [n=bthesorc@209.106.203.252] has quit []
15:27 < krzie> reiffert why does he need to use net30?
15:38 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:47 -!- adnc_ [n=numer@p54857A1D.dip.t-dialin.net] has joined ##openvpn
15:48 < adnc_> hello, i'm trying to set up openvpn on my openwrt and i do get
15:48 < adnc_> Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
15:48 < krzie> !configs
15:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:48 < adnc_> http://pastebin.com/m19928305
15:49 < krzie> umm
15:49 < adnc_> with this config
15:49 < adnc_> what could be wrong?
15:49 < krzie> ive never seen a config like this
15:49 < krzie> why all the extra stuff
15:49 < krzie> option etc etc
15:50 < adnc_> krzie: it is for openwrt
15:50 < krzie> weird
15:50 < krzie> i thought openwrt was basically a linux
15:50 < adnc_> yes, they manage it like this
15:50 < adnc_> krzie: ;) yes it is
15:51 < krzie> umm, ok
15:51 < krzie> heres what configs usually look like:
15:51 < krzie> !sample
15:51 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
15:52 < krzie> why are you using bridge mode?
15:52 < adnc_> krzie: i'm very new to vpn, i took this as an example
15:52 < adnc_> i'll have just a few users with me
15:52 < krzie> you plan on using any layer2 protocols?
15:52 < adnc_> no, not that below
15:53 < adnc_> application layer protocols would be enough for me
15:53 < krzie> layer3 (ip)
15:54 < adnc_> yes
15:54 < krzie> you want tun then
15:54 < krzie> take this as your new example:
15:54 < krzie> !sample
15:54 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
15:55 < krzie> wow
15:55 < adnc_> krzie: ok, let me try to handle it with your example
15:55 < krzie> does that really say verb 256!?!?
15:56 < adnc_> krzie: yes, i set it to 256 in the hope it would give me some more information, but it didnt at all
15:56 < krzie> no kidding
15:57 < krzie> --verb n
15:57 < krzie> Set output verbosity to n (default=1). Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what's happening without being swamped by output.
15:57 < krzie> 0 -- No output except fatal errors.
15:57 < krzie> 1 to 4 -- Normal usage range.
15:57 < krzie> 5 -- Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.
15:57 < krzie> 6 to 11 -- Debug info range (see errlevel.h for additional information on debug levels).
15:57 < adnc_> ok, i understand
15:57 < adnc_> so 3 should be ok for the example i think
15:58 < adnc_> what does local mean? which ip address is this?
15:58 < krzie> the ip to bind to on the interface
15:59 < adnc_> what is the client-config-dir?
15:59 < krzie> !ccd
15:59 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
15:59 < krzie> you know theres a manual, right?
15:59 < krzie> !man
15:59 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:02 < Bushmills> so far nobody here has been called "weenie" for admitting to have read the manual
16:02 < Bushmills> afaik :D
16:02 < krzie> lol
16:02 < krzie> moin!
16:03 < Bushmills> moinmoin, mr krzie
16:04 < adnc_> i've no such key for tls-auth i generated with easy-rsa
16:04 < krzie> !hmac
16:04 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
16:04 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
16:06 < adnc_> krzie: this looks good!
16:06 < adnc_> Initialization Sequence Completed
16:06 < adnc_> now i need to configure a client
16:06 < krzie> and are there lans behind openvpn?
16:06 < adnc_> krzie: only one
16:07 < krzie> behind server or client
16:07 < adnc_> behind server
16:07 < krzie> and server is the router for that lan?
16:07 < adnc_> yes
16:07 < krzie> what is the subnet of that lan?
16:07 < adnc_> 255.255.255.0
16:07 < krzie> thats the netmask...
16:08 < krzie> what is the ip the server sits on...
16:08 < adnc_> it is a simple class c, 192.168.1.x
16:08 < krzie> there we go
16:08 < krzie> 192.168.1.x
16:08 < krzie> push "route 192.168.1.0 255.255.255.0"
16:10 < krzie> (in the server config)
16:10 < adnc_> krzie: thank you
16:10 < krzie> since the client has the config option client, it implies --pull which makes all pushed config options work
16:10 < krzie> yw
16:19 < adnc_> krzie: i get on the client
16:19 < adnc_> TLS Error: cannot locate HMAC in incoming packet from 192.168.1.2:1194
16:20 < adnc_> have you got an idea what this could be caused from. i used the same ta.key file from the vpn server i generated there
16:20 < krzie> you need the EXACT same file on both sides
16:20 < adnc_> i do
16:20 < krzie> and server has 0, client has 1
16:20 -!- c64zottel [n=hans@p5B17B289.dip0.t-ipconnect.de] has quit ["Leaving."]
16:20 < adnc_> yes, can i somehow confirm this on the running openvpn server?
16:21 < krzie> no, you need access to both
16:21 < adnc_> since the config file is a bit different on the server, i wonder if there is a way to see it on the running openvpn
16:21 < adnc_> i do have access to both
16:22 < krzie> you restarted openvpn on both sides after modifying the configs... right?
16:22 < adnc_> krzie: yes i did
16:22 < adnc_> 192.168.1.102:40543 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
16:22 < adnc_> this is on the server
16:22 < adnc_> when i connect from my client
16:22 < adnc_> but my client is already connected to this server via wlan
16:22 < adnc_> and has an ip
16:23 < adnc_> i was hoping that it gets a second ip now
16:23 < krzie> they're on the same lan?
16:23 < adnc_> yes
16:23 < adnc_> is this a problem?
16:23 < krzie> no, but coulda been mentioned earlier
16:23 < krzie> also a GREAT reason to not be bridging
16:23 < adnc_> i see, well i'm testing it, so normally i would use vpn when i'm not on the same lan
16:24 < krzie> !configs
16:24 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:24 < krzie> !logs
16:24 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
16:25 < adnc_> krzie: is there something i could do?
16:25 < adnc_> ok
16:27 < adnc_> http://pastebin.com/d74a0b0f7
16:27 < adnc_> krzie: hope this would help
16:27 < krzie> !logs
16:27 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
16:28 < adnc_> the client log is on the bottom, i'll add the server logs as well
16:28 < krzie> btw 2.1rc_11 has known problems
16:28 < krzie> we use 2.1_rc15 now
16:28 < adnc_> 2.0.9 here
16:29 < krzie> #
16:29 < krzie> Mon Apr 27 23:26:51 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
16:31 < adnc_> http://pastebin.com/d4ba867c1
16:31 < adnc_> this has server config, client config and also logs from server and client
16:33 < krzie> if openwrt is linux i dont get why it uses that f'ed up style config
16:33 < krzie> instead of a normal file
16:34 < adnc_> krzie: i can not change this and openwrt is a well distributed open source router
16:34 < krzie> i am willing to bet it can run a normal config
16:34 < krzie> and im interested to see if you have the same issue when you do so
16:35 < adnc_> krzie: i could try to rewrite this config and start, maybe bypass this config style
16:35 < krzie> just make the config look normal and start openvpn from commandline
16:35 < adnc_> ok
16:36 < adnc_> krzie: what format would the file then have, just simple line by line
16:36 < adnc_> without equals sign
16:36 < adnc_> like the config you gave me
16:36 < krzie> like the config i gave you
16:36 < krzie> which is also like the configs in the howto
16:36 < adnc_> ;)
16:36 < krzie> which is also like your client config
16:36 < krzie> which is also like every config on earth except your server :-p
16:37 < adnc_> hehe
16:37 < krzie> also, grab a md5 checksum of ta.key on both machines
16:37 < krzie> krzee@hemp:~> md5 rc.conf
16:37 < krzie> MD5 (rc.conf) = d425cb953a709296e5b8f88b7c69139d
16:37 < adnc_> krzie: it is really not my fault, if i would go to openwrt channel and start with this config, they would say, hold on, this looks much different
16:37 < krzie> they should be =
16:37 < krzie> cool, but i will only work at getting you up with openvpn
16:38 < adnc_> sure
16:38 < krzie> when that works you can go to them and see why their way doesnt work, if it doesnt
16:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
16:38 < adnc_> i somehow have the same feeling and believe that bridging did also not work because of this
16:38 < adnc_> style of config
16:39 < krzie> bridging wouldnt have gone well while already on the same lan anyways
16:39 < krzie> you cant bridge a lan to itself
16:39 < adnc_> i understand
16:40 < krzie> ever plugged a switch into itself before?
16:40 < adnc_> krzie: i had nothing in the client-config-dir
16:40 < krzie> then remove the config option
16:41 < adnc_> krzie: i understand your idea
16:42 < adnc_> ohh ohh
16:43 < adnc_> Cannot load private key file /etc/openvpn/wrt.key': error:02001002:lib(2):func(1):reason(2): error:20074002:lib(32):func(116):reason(2): error:140B0002:lib(20):func(176):reason(2)
16:43 < adnc_> Mon Apr 27 23:42:38 2009 us=705611 Error: private key password verification failed
16:43 < adnc_> when i start from the command line with --config server.conf
16:43 < adnc_> this key does not have a password
16:43 < krzie> you password protected your private key??
16:43 < adnc_> no i didn't i left it empty
16:44 < krzie> well thats what the error points to
16:44 -!- pawpro [n=Miranda@host86-147-6-91.range86-147.btcentralplus.com] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"]
16:44 < adnc_> but with the openwrt stylish config this error didn't occur
16:46 < adnc_> when easy-rsa asks for password and i leave it empty, does it set an empty password or is the password not set at all
16:48 < krzie> which file did you run to make it in easy-rsa?
16:49 < krzie> im quite sure that the openwrt style config is for a wrapper, and not for starting it from commandline
16:49 < adnc_> build-key-server
16:50 < krzie> interesting
16:50 < krzie> well, if the ta.key copied correctly, my guess is that your openwrt style config isnt right
16:50 < adnc_> but i'm not using this anymore
16:51 < krzie> i'd also be shocked if the push route command worked right on that style config
16:51 < krzie> paste the new config then
16:52 < adnc_> http://pastebin.com/d3fd11ab4
16:52 < krzie> you dont see anything wrong with the line with key in it?
16:53 < adnc_> ohh
16:53 < adnc_> i do
16:53 < adnc_> of course
16:53 < krzie> the line that openvpn told you it was having a problem in...
16:53 < adnc_> ahhh
16:53 < adnc_> now the initialization is complete
16:54 < adnc_> i'll try using my client now
16:54 < adnc_> ahh
16:54 < adnc_> i think that does work
16:54 < adnc_> Mon Apr 27 23:54:20 2009 WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0]
16:54 < adnc_> Mon Apr 27 23:54:20 2009 Initialization Sequence Completed
16:55 < adnc_> this is normal i suppose
16:55 < krzie> ya if this isnt the real reason you're setting up the vpn ignore it
16:56 < krzie> if on the otherhand you were planning on securing your wifi with openvpn, we would have more to do
17:00 < adnc_> krzie: i thank you very very much
17:00 < adnc_> i need to get up early tomorrow otherwise i would have loved to do a bit more on openvpn
17:00 < krzie> yw
17:03 -!- adnc_ [n=numer@unaffiliated/adnc] has quit ["Lost terminal"]
17:04 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
17:12 -!- Lilarcor [n=Lilarcor@246.sub-97-22-98.myvzw.com] has joined ##openvpn
17:24 -!- Lilarcor [n=Lilarcor@246.sub-97-22-98.myvzw.com] has quit ["The Lord of Murder Shall Perish."]
17:35 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
17:36 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:36 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:42 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Connection timed out]
18:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:58 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
19:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)]
19:44 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn
20:28 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:31 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."]
21:00 -!- nemysis [n=nemysis@89-14.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
21:01 -!- nemysis [n=nemysis@186-58.3-85.cust.bluewin.ch] has joined ##openvpn
21:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
22:00 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has joined ##openvpn
22:06 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
22:32 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
22:46 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"]
22:46 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
23:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
23:26 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn
--- Day changed Tue Apr 28 2009
00:39 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
00:47 -!- floyd_n_milan [n=quassel@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:11 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn
01:13 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:40 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has joined ##openvpn
01:47 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has quit [Client Quit]
01:49 -!- Reisen [n=OMGZboob@niko-niko.co.uk] has joined ##openvpn
02:04 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["brb :)"]
02:48 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
02:55 -!- adnc [n=numer@141.41.40.146] has joined ##openvpn
03:00 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
03:03 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
03:32 -!- theDoc_ [n=andelyx@119.73.165.162] has joined ##openvpn
03:32 -!- theDoc_ is now known as theDoc-
03:41 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
03:52 -!- theDoc- is now known as theDoc
03:55 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has joined ##openvpn
04:03 -!- adnc [n=numer@141.41.40.146] has quit ["Lost terminal"]
04:08 -!- Reisen [n=OMGZboob@niko-niko.co.uk] has left ##openvpn []
04:26 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
04:29 < Coke> Can someone explain to me why a key and dh file are needed to get the certificate connection going?
04:30 < Coke> They are not needed when authenticating against web servers.
04:30 < Coke> And is there some "all-in-one-file" solution to openvpn clients with certs?
04:43 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:00 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn []
05:18 -!- zheng [n=zheng@222.66.224.110] has quit [Client Quit]
05:41 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
05:43 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
05:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:47 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has joined ##openvpn
05:47 < plazmacrow> hello@all
05:49 < plazmacrow> what is the reason for error "OpenVPN: Out of Memory"? I have enough free ram and hdd space.
05:55 -!- plazmacrow [n=plazmacr@HSI-KBW-082-212-057-037.hsi.kabelbw.de] has left ##openvpn []
06:19 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: krzie, pa, plaerzen, ropetin, Alagar, onats_, karlpinc
06:21 -!- Netsplit over, joins: Alagar, onats_, ropetin, plaerzen, karlpinc, krzie, pa
06:50 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
06:58 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn
07:04 -!- theDoc [n=andelyx@bb116-15-1-233.singnet.com.sg] has joined ##openvpn
07:07 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 110 (Connection timed out)]
07:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:21 -!- zxcvop [n=Admin@222.127.187.183] has joined ##openvpn
07:22 < Coke> I see no errors or warnings, but then the client just exits with Connection reset, restarting [-1]
07:22 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
07:22 < Coke> I've got verbosity up to 11
07:22 < Coke> server reveals VERIFY ERROR: depth=0, error=self signed certificate
07:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
07:23 < Coke> The certificate has been signed using my own ca cert, so it's not self signed.
07:25 -!- zxcvop [n=Admin@222.127.187.183] has left ##openvpn []
07:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:32 < Coke> Can I turn whatever this option is off?
07:42 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
07:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:56 < Coke> fuck it
07:56 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has quit ["Lost terminal"]
08:00 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
08:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:04 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has left ##openvpn []
08:25 < ecrist> morning, folks
08:37 < onats_> good evening
08:38 -!- onats_ is now known as onats
08:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:13 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
09:22 < frankS2> Hi, i am trying to make some certificates, but it does not proceed, as described here: http://pastie.org/461172
09:22 < frankS2> I wonder if anyone knows how to fix this?
09:23 < frankS2> I am following this how-to http://www.freebsddiary.org/openvpn-easy-rsa.php
09:23 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org)
09:23 < plaerzen> morning ecrist
09:23 < ecrist> frankS2: you run freebsd?
09:23 < frankS2> yes sir
09:24 < ecrist> cd /usr/ports/security/ssl-admin && make install clean
09:24 < ecrist> copy/edit /usr/local/etc/ssl-admin/ssl-admin.conf accordingly, and enjoy
09:24 < ecrist> let me know if you run into any bugs, I wrote it. ;)
09:24 < frankS2> Oh, okay. thank you ecrist
09:24 < frankS2> hehe i will
09:25 < frankS2> installed now, im gonna start editing
09:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
09:33 < frankS2> ecrist: ive installed now, where can i find "create CA" under the menu? Does it have a different name?
09:35 < ecrist> lemme look at my verbiage
09:36 < ecrist> option CA
09:37 < frankS2> hm, i cant see it in the list
09:39 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
09:39 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
09:39 < frankS2> got it
09:40 < frankS2> *takes glasses on*
09:45 < frankS2> ecrist: what about "Create a client certificate" ? where can i find that
09:46 < ecrist> option 4
09:47 < ecrist> it's not only an openvpn related app
09:49 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
09:56 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
10:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
10:10 -!- straterra [n=straterr@projectstfu.com] has joined ##openvpn
10:10 < straterra> My openvpn client seems to connect to the VPN server ok..but it just sits there with two VERIFY OK messages and never pushes any routes
10:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:11 < straterra> Oh..tls key negotiation failed :/
10:11 < straterra> I copied the ta.key file from the server..its the exact same file :/
10:20 < ecrist> I love people who answer their own questions. :)
10:22 < straterra> I'm just going to remake all of my keys..
10:23 < straterra> DH generation FAIL
10:25 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn
10:25 < maninthemiddle> hi
10:25 < maninthemiddle> what options do i need in client.conf to make openvpn get its ip address automatically?
10:25 < maninthemiddle> i assume server is configured correctly
10:26 < maninthemiddle> because it gives this message in log when i connect
10:26 < maninthemiddle> Tue Apr 28 18:18:52 2009 us=760538 MULTI: Learn: 10.30.90.6 -> forbit-afwbkbc/212.93.100.151:53758
10:26 < maninthemiddle> and if i then set ip address for tun0 on client to 10.30.90.6, and also add corresponding route, everything works
10:27 < maninthemiddle> but there should be a way for openvpn to do this automatically?
10:28 < maninthemiddle> both the server and client are linux boxes
10:33 -!- _impuls [n=MRD@pns-200-127.demo.tuwien.ac.at] has joined ##openvpn
10:34 < _impuls> hey guys! Quick question: how can I make openvpnd accept all source addresses in ccd/$common-name for a user?
10:35 < _impuls> would 0.0.0.0 do?
10:51 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: qknight
10:53 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn
10:54 < frankS2> Hi, i am not able to connect to my openvpn server, client and server logs are here: http://pastie.org/461287 anyone tell me what this means?
10:58 < straterra> I dont understand why Diffie Hellman is so slow
10:58 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:58 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:07 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
11:07 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn
11:34 -!- Intensity [i=[5S34qXF@unaffiliated/intensity] has joined ##openvpn
11:38 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
11:38 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
11:47 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
11:52 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has quit [Read error: 110 (Connection timed out)]
11:55 -!- _impuls__ [n=MRD@pns-200-127.demo.tuwien.ac.at] has joined ##openvpn
11:56 -!- _impuls [n=MRD@pns-200-127.demo.tuwien.ac.at] has quit [Read error: 104 (Connection reset by peer)]
12:00 < _impuls__> hey guys! Quick question: how can I make openvpnd accept all source addresses in ccd/$common-name for a user?
12:10 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn
12:18 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"]
12:22 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:22 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn
12:23 < __8472> hi, i'm not sure if i fully understand the meaning of this "while non-Windows clients can accept them by using a client-side up script which parses the foreign_option_n environmental variable list" , from here http://openvpn.net/index.php/documentation/howto.html#dhcp
12:23 < vpnHelper> Title: HOWTO (at openvpn.net)
12:24 < __8472> what precisely should i set up with that "up" script? and where or how?
12:24 < dazo> __8472: Check out the man page for --up
12:25 * dazo goes home
12:25 < __8472> dazo: i did, but still i'm not sure what should be set
12:35 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit ["Leaving"]
12:52 -!- _impuls__ [n=MRD@pns-200-127.demo.tuwien.ac.at] has quit ["Lost terminal"]
13:15 -!- Timpa88 [n=timpa@193.13.142.180] has left ##openvpn []
13:16 -!- Timpa88 [n=timpa@193.13.142.180] has joined ##openvpn
13:22 -!- _impuls_ [n=you@213.47.89.128] has joined ##openvpn
13:22 -!- Timpa88_ [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
13:22 -!- Timpa88 [n=timpa@193.13.142.180] has quit [Nick collision from services.]
13:22 -!- Timpa88_ [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
13:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:54 < _impuls_> !howto
13:54 < vpnHelper> _impuls_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:54 < _impuls_> !route
13:54 < vpnHelper> _impuls_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:58 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:59 < _impuls_> Does still none know how to get the openvpnd to accept IPs from any local network [those which are not explicitly listed in ccd/$common-name]?
14:00 < _impuls_> Problem is, I get a class C IP at home, a class B at uni - - its likely to be different in any other (wifi) environment.
14:18 -!- ekristen [n=ekristen@68.33.133.72] has joined ##openvpn
14:19 < ekristen> I have the openvpn gui from openvpn.se downloaded, I am trying to vpn to my server vpn, is there a howto on which options I need to select
14:19 -!- straterra [n=straterr@projectstfu.com] has left ##openvpn []
14:39 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has joined ##openvpn
14:44 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn
14:44 -!- ekristen [n=ekristen@68.33.133.72] has quit []
15:12 < krzie> _impuls_ i dont fully understand the question...
15:12 < krzie> are you saying when at 1 location you have 1 lan behind the client to share, when at another you have a different lan behind the same client to share, and other locations you will be on random lan's with no lan to share?
15:19 < _impuls_> krzie: Hey man!
15:19 < _impuls_> Well, its not that I want to share anything behind my laptops
15:21 < _impuls_> I just can't get any traffic through if I'm i.e at Uni (where I get a 10.10.x.x) because I only got my home network (a 192.168.1.x) in my users ccd/michael.~
15:22 < _impuls_> So it says the usual MULTI: bad source address from client, packet ...
15:23 < _impuls_> I know, I could put every net I use in the ccd and the push "route -etc-" in the server.conf...
15:23 < _impuls_> but that can't be the solution
15:23 < _impuls_> or is it..?
15:29 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
15:33 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
15:34 -!- _impuls [n=you@chello213047089128.17.14.vie.surfer.at] has joined ##openvpn
15:35 -!- _impuls_ [n=you@213.47.89.128] has quit [Client Quit]
15:52 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn
15:52 < Wofl> !howto
15:52 < vpnHelper> Wofl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:53 < Wofl> hey guys, i need a quick opinion.
15:53 < Wofl> I have a dd-wrt router, which i could use as an openvpn server
15:54 < Wofl> i also have an old desktop connected to the router, which i could also use as a server
15:54 < Wofl> what would be a better option?
15:54 < Wofl> the router would be right there on the interface, might be helpful to have it there
15:55 < Wofl> the desktop has more power in terms of cpu and ram and such (by a long shot), so i dunno
15:56 < ropetin> Wofl: how many users will you have connecting, and how much throughput are you expecting?
15:56 < Wofl> not very many users, mainly me with maybe 2-3 computers, plus a few servers on the local network
15:57 < ropetin> The local servers would connect to the VPN? Seems unusual :)
15:57 < Wofl> throughput should be at least capable of handling ssh/imap and a few others
15:57 < ropetin> However, in my experience if it's one or two concurrent, you'll be fine, otherwise you might run into a performance issue
15:58 < Wofl> well, what i need is a way to have my laptop be able to connect to my server from anywhere, local network or out in the world
15:58 < Wofl> the router or the server?
15:59 < Wofl> or what would be the best solution?
16:05 < ropetin> But the point of the VPN would be to bring your remote users/systems locally, so the local boxes don't need to connect to the VPN.
16:05 < ropetin> No matter, I'd say if you have the server available for it, use it
16:17 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.9/2009040821]"]
16:26 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Read error: 104 (Connection reset by peer)]
16:27 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn
16:44 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:55 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has joined ##openvpn
16:57 -!- Wofl [n=nils@ip-129-15-127-228.fennfwsm.ou.edu] has quit [Client Quit]
16:58 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:04 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn
17:05 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn []
17:05 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has joined ##openvpn
17:05 < scooby2> thats better
17:06 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection]
17:06 < scooby2> Is there any type of idle timeout setting? For PCI compliance I need to kick idle people offline.
17:06 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn
17:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:09 < scooby2> ahh, --inactive
17:09 < scooby2> maybe
17:10 -!- adnc [n=numer@unaffiliated/adnc] has quit ["leaving"]
17:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:21 -!- c64zottel [n=hans@p5B17B09A.dip0.t-ipconnect.de] has quit ["Leaving."]
17:24 -!- lepine2 [n=lmacguir@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn
17:25 < lepine2> Can a client publish its own local network to the rest of the vpn network?
17:26 < lepine2> i know there's a setting to tell the server that a client has such and such networks available, but will the rest of the clients know?
17:27 < lepine2> or because the VPN becomes the main route, does just adding the routes to client1's local subnet on the server make it work? The server knows the routes to that subnet, and because all traffic for client2 goes through the server, it will route appropriately?
17:28 < lepine2> sorry if that's not exactly clear
17:30 < krzie> no lepine
17:30 < krzie> and here is why:
17:30 < krzie> !iroute
17:30 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
17:31 < krzie> except on your last part of your question
17:31 < krzie> if you are using redirect-gateway, and dont have a more specific route set for the lan, and client-to-client is enabled, yes it will just work
17:32 < lepine2> i didn't completely understand the iroute factoid ... will re-read a few times ...
17:32 < krzie> but the server must know about the lans behind clients via an iroute or nothing will be able to access them
17:32 < lepine2> but yes, i am using redirect-gateway, and set no routes
17:32 < krzie> basically heres what it means
17:32 < krzie> iroute has nothing to do with the kernel routing table
17:32 < krzie> the kernel routing table tells the OS to send the packets to openvpn
17:32 < krzie> but since its a server it doesnt know which client has that LAN
17:32 < krzie> unless you have an iroute entry
17:33 < krzie> the iroute entry is the glue for that
17:33 < lepine2> that's what i was thinking, the client tells the server it has such subnet ... therefore, the server adds routing to those via the tun interface ... and because all other clients have all traffic go through the vpn, and can see other clients, it would work.
17:33 < krzie> thats not how it works
17:33 < krzie> it must be an iroute, it must be in a ccd entry
17:33 < krzie> openvpn isnt setup to allow clients to make changes on the server
17:33 < lepine2> re-reading ...
17:34 < krzie> only the server can make changes on the clients (assuming --client or --pull )
17:34 < lepine2> yeah, i guess that would be a huge security risk ... iroute 0/0 kind of thing ...
17:35 < lepine2> so what does iroute do exactly? if it does not alter the servers routing table?
17:35 < lepine2> or am i still misunderstanding?
17:36 < lepine2> and is there more than one way to have the client tell the server 'i have such subnet behind me' ...
17:36 < krzie> it is internal to openvpn
17:36 < krzie> tells the server which client the lan belongs to
17:36 < krzie> since the kernel can only point a network to openvpn
17:37 < krzie> the OS kernel routing table cant point to tun0:clientname
17:37 < krzie> only tun0
17:37 < lepine2> ah!
17:37 < lepine2> gotcha
17:37 < krzie> then openvpn gets packets for 192.168.1.x and says WTF i dont have any clients with that ip!
17:37 < krzie> but with the iroute, it does
17:38 < lepine2> alright, so the kernel routing table is not involved, but it comes down to about the same
17:38 < lepine2> openvpn is userspace, hence no kernel
17:38 < lepine2> wait, that wasn't sensical
17:38 < lepine2> *didn't make sense
17:39 < lepine2> nm
17:39 < krzie> heh
17:39 < krzie> you're just confusing yourself now
17:40 < lepine2> is having a middle man (server) to connect a host to a network the best idea? considering the network (and vpn client) would be natted and no possibility of punching a hole (so can't run the server on the network)
17:40 < lepine2> would run the server on a routable host on the net
17:40 < lepine2> let the clients see each other and have an iroute
17:41 < krzie> if you have 2 machines which you cant open a port on, thats your only option
17:42 < lepine2> our windows admin barely knows IOS, and we have the ugliest router setup
17:43 < krzie> wtf is a windows admin doing running cisco routers!?
17:43 < krzie> smack the people who gave him that duty
17:43 < lepine2> we have one router and two switches, nothing worth spending a network admin on ... however, i would have paid for a decent consultant instead :-/
17:43 < lepine2> oh, no worries, i'm sticking it to my bosses soon
17:44 < lepine2> are you a core developer?
17:45 < lepine2> you've been here helping every time i've chimed in
17:45 < krzie> nah no devs here
17:45 < lepine2> ah
17:45 < krzie> the ## in ##openvpn means its not directly related to the project
17:45 < lepine2> oh, right
17:45 < krzie> whereas channels with a single # are
17:45 < krzie> (here on freenode)
17:45 < lepine2> it's a question of endorsement i think
17:45 < krzie> something like that
17:46 < lepine2> Always wondered why so many projects wouldn't list the channel
17:46 < krzie> it was #openvpn before, but completely unmonitored and needed to be fixed
17:46 < lepine2> i mean, they don't have to vouch, or staff it ... just say it's there
17:46 < krzie> good question, no idea
17:47 < lepine2> that might bring quite a bit of people who don't bother reading the docs though
17:47 < krzie> we offered openvpn to use our forum and wiki in addition to us using #openvpn, they decided against it
17:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:47 < lepine2> "our forum" ?
17:47 < krzie> !forum
17:47 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
17:47 < krzie> !wiki
17:47 < lepine2> because there's some organization behind this channel?
17:47 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
17:47 < lepine2> ah!
17:47 < lepine2> cool
17:49 < lepine2> i guess it keeps interactions to a minimum, and makes the mailing list the only medium they have to monitor
17:49 < krzie> *shrug* we woulda been monitoring it
17:49 < lepine2> which isn't necessarily a bad thing
17:49 < krzie> like we currently do
17:49 < lepine2> right
17:50 < krzie> we only offered them to post it on their site to give people the option to seek help on it
17:50 < krzie> since their forum and wiki are no longer around
17:50 < lepine2> and even that they refused?
17:50 < lepine2> hmmm, that's a little fascist i think
17:50 < krzie> ya, they said they could run it instead, we didnt like that since they let their last ones die, we dont want it to die
17:51 < krzie> but it dont matter really, we'll help those that find us
17:51 < krzie> and the mail list is a GREAT place for help
17:51 < krzie> some really knowledgeable people on there
17:52 * lepine2 just learned openvpn was incorporated
18:06 < _impuls> krzie: do you think you have an idea how to fix that problem I wrote about above?
18:06 < krzie> i didnt fully catch what it was
18:06 < _impuls> from before:
18:07 < _impuls> I just can't get any traffic through if I'm i.e at Uni (where I get a 10.10.x.x) because I only got my home network (a 192.168.1.x) in my users ccd/michael.~
18:07 < _impuls> So it says the usual MULTI: bad source address from client, packet ...
18:07 < _impuls> I know, I could put every net I use in the ccd and the push "route -etc-" in the server.conf...
18:07 < krzie> you shouldnt need a ccd entry unless you are sharing the lan
18:08 < krzie> you need to figure out why your OS is sending its source address as public ip instead of the IP on the interface it is sending out of
18:08 < krzie> and tell it to stop
18:09 < _impuls> so, if I remove the ccd, I still have the push "route ip netmask" in the server.conf
18:09 < _impuls> for my specific local lan Im connecting from
18:09 < _impuls> well, I'll give it a shot
18:10 < krzie> are you sharing any lans over vpn?
18:10 < _impuls> nope
18:11 < _impuls> I'm just using it as an Inet gateway
18:12 < _impuls> Apr 29 01:11:53 loos ovpn-server[19039]: michael.client.loos.stoerimpuls.net/213.47.89.128:44445 MULTI: bad source address from client [192.168.1.2], packet dropped
18:12 < krzie> then you dont need a push route or an iroute
18:13 < krzie> you need to figure out why your OS is sending its source address as
18:13 < krzie> public ip instead of the IP on the interface it is sending out of
18:13 < _impuls> After removing my ccd & push route
18:13 < krzie> and tell it to stop
18:13 < krzie> i already told you
18:13 < _impuls> fair enough...
18:13 < _impuls> its the same with my other laptops - weirdly enough
18:14 < _impuls> so I guess its maybe rather on the server side... ?
18:19 < krzie> negative
18:19 < krzie> the problem is your client is sending packets with external ip as its source address
18:19 < krzie> as opposed to the ip on the interface its going through
18:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:31 < _impuls> This is driving me nuts - I checked the clients config - seems to be okay according to several tutorials
18:33 < krzie> IT IS OK
18:33 < krzie> its an os issue, not openvpn
18:42 -!- nemysis [n=nemysis@186-58.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
18:43 -!- nemysis [n=nemysis@25-137.3-85.cust.bluewin.ch] has joined ##openvpn
18:43 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:43 < Dougy> heyo
18:51 < _impuls> Hmm. I think I might just throw together a script that parses the neglected IP out of the logs and throw it in the ccd
18:52 < krzie> or you could figure out why your os is sending the other interface's ip as its source address
18:52 < krzie> whatever makes you happy i guess
18:57 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, _impuls, isox, Intensity, krzie, qknight, M06w, dazo, disco-, youngpro, (+43 more, use /NETSPLIT to show all of them)
18:57 -!- Netsplit over, joins: frankS2, Dougy, nemysis, lepine2, Stevethe1irate, scooby2, _impuls, Kreg-Work, Intensity, floyd_n_milan (+43 more)
19:12 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
19:29 -!- _impuls [n=you@chello213047089128.17.14.vie.surfer.at] has quit [Read error: 104 (Connection reset by peer)]
19:30 < ecrist> evening, folks
19:31 < Dougy> hey
19:31 < Dougy> weren't you going away for a week?
19:31 -!- prop_ [n=dd@77.126.240.136] has joined ##openvpn
19:32 < ecrist> no, I went away for a weekend.
19:32 < Dougy> i misread then
19:32 < krzie> werrrrd
19:32 < Dougy> i thought you said week
19:32 < Dougy> not weekend
19:32 < prop_> !howto
19:32 < vpnHelper> prop_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:34 < krzie> recurring is where its at
19:34 < Dougy> wrong window krzie
19:34 < Dougy> :p
19:34 < krzie> lol
19:34 < krzie> forgot to re-do the /q
19:45 < prop_> hey, I'm a complete noob and I'm still reading to understand better, I just wanna make sure I'm on the right track:
19:46 < krzie> ...
19:46 < prop_> I have a laptop with XP, I would like to use Public hot-spot wifi places. (such as coffeeshops and malls) .. and I would like to keep my privacy by using a secured connection to a remote centos server of mine, for accessing anything web related (http/https/sftp/ftp/ssh/pop/smtp)
19:46 < krzie> !redirect
19:46 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:47 < Dougy> prop_: you could do that
19:47 < Dougy> route all traffic through
19:47 < Dougy> or install openvpn on the server and access the server via its LAN ip
19:47 < krzie> umm, i think you misread something dougy
19:48 < krzie> oh wait maybe i did
19:48 < prop_> is there a 'cleaner' way of accessing the bot? or I should start ! ! ! each of the suggestions? (/privmsg it?)
19:48 < Dougy> oh
19:48 < Dougy> prop_: do you want to just access that particular server securely
19:48 < krzie> prop_ are you trying to only access services on 1 specific server?
19:48 < Dougy> or route everything through that server so your outgoing traffic is encrypted
19:48 < Dougy> ?
19:48 < krzie> or the whole inet over the vpn
19:48 < prop_> no :)
19:48 < Dougy> no what
19:49 < Dougy> we are thinking two different things (krzie and i)
19:49 < krzie> whole inet or 1 server?
19:49 < prop_> I want to use my laptop "regularly" .. http .. https .. ftp sftp ssh mail and such ... but tunnel everything through a "secured" server? 19:49 < krzie> ok, what i thought 19:49 < krzie> !redirect 19:49 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 19:49 < Dougy> my fault then :< 19:49 < Dougy> what krzie says 19:49 < krzie> as for bot commands, theres some in the topic, the rest good luck finding on your own ;] 19:50 < prop_> ok, let me try to /privmsg the bot instead of flooding here :) 19:50 < krzie> good luck with that 19:50 < prop_> !def1 19:50 < vpnHelper> prop_: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:50 < ecrist> don't think the bot does pvmsg 19:50 < krzie> it does, but you need to know the syntax 19:50 < prop_> ecrist: apparently it won't for the same public commands :\ 19:50 < krzie> (which i dont offhand) 19:51 < krzie> fine 1sec 19:51 < prop_> well if you guys don't mind I'll post these commands publicly, then ok :) 19:51 < prop_> !ipforward 19:51 < vpnHelper> prop_: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 19:51 < prop_> (getting interactive? :) 19:51 < krzie> [msg(vpnHelper)] factoids whatis ##openvpn def1 19:51 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] "def1" is (#1) used in 19:51 < krzie> redirect-gateway, Add the def1 flag to override the default gateway 19:52 < krzie> there you go, thats the syntax 19:52 < prop_> oh, thanks 19:52 < krzie> yw 19:52 < prop_> btw, my requirement is native to general 'vpn' usages? 
or there are 'other' more appropriate usages for a vpn in general? 19:53 < krzie> yours is 1 of the 3 most normal setups 19:54 < krzie> the other 2 would be a ptp link, and sharing lans with eachother over the vpn 19:54 < krzie> if it wasnt common i wouldnt have bothered to setup !redirect, that one was a PITA 19:54 < krzie> lol 19:55 < krzie> as you noticed when you typed !ipforward and it wanted you to choose between 3 options 19:55 < prop_> ic, as far as I could read .. the 'processing' concern is the same for both server and client? (mine is my laptop) 19:55 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit [Read error: 110 (Connection timed out)] 19:55 < krzie> processing as in CPU? 19:55 < prop_> krzie: yea, thats why I said as 'getting interactive' :) 19:55 < prop_> yes, CPU processing time/usage? 19:55 < krzie> ild expect so, they're encrypting and decrypting the same amount of packets 19:56 < krzie> for every packet one encrypts, the other decrypts, and vice versa 19:56 < prop_> (one would think encrypting will be much harsher.. but I guess my logic is flawed) 19:56 < krzie> maybe slight additional usage from server since it must also NAT and forward 19:56 < Dougy> krzie ya'll be ignorin mah pm 19:57 < krzie> oh were you waiting for a reply on something? lol 20:12 < Dougy> ahhahahahah 20:21 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 20:30 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:39 < prop_> I think that I might have wasted my time :) 20:39 < prop_> I'm using a OpenVZ account, last time I tried - I couldn't really modify anything "sysctl.conf" related 20:40 < prop_> so its pretty much a dead-end for me? 20:40 < krzie> you arent root? 20:41 < prop_> on the openvz account? yes 20:41 < krzie> dougy here can sell you a VPS that openvpn will work on 20:41 < prop_> but it seems that 'root' might not be enough for sysctl.conf? 
20:41 < krzie> well if you're root you can enable ip forwarding 20:42 < Dougy> hahaha krzie 20:42 < Dougy> way to throw in a sales pitch for me 20:42 < krzie> ;] 20:42 < prop_> mm.. well it seems the 'setting' been accepted, not very sure how to make sure it really works ... I'll have to keep going and see where it gets me 20:42 < krzie> you in linux? 20:42 < Dougy> what setting in sysctl.conf did you change 20:42 < Dougy> prop_ 20:42 < Dougy> ? 20:43 < prop_> Dougy: currently I tried manually assign 1 to /proc/sys/net/ipv4/ip_forward, and it kept it 20:43 < krzie> !linipforward 20:43 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 20:43 < Dougy> yeah 20:43 < Dougy> to think i just typed that whole thing out 20:43 < Dougy> and put it on my clipboard just in cse 20:43 < Dougy> case 20:43 < Dougy> for nothing 20:43 * Dougy suicides 20:43 < prop_> last time I tried to change my TCP stacks, it pretty much gave me permission denied 20:43 < krzie> lol 20:43 < prop_> heh :) 20:43 < Dougy> so krzie 20:43 < Dougy> can i count you in for sure? 20:43 < Dougy> like 100% 20:44 < krzie> yes 20:44 < prop_> (100% count on him? for what?.. a bank job? :) 20:44 < Dougy> shhhhhh 20:44 < krzie> as a customer 20:44 < Dougy> quiet 20:44 < krzie> hes a pimp, im gunna be buying my hoes from him 20:44 < Dougy> krzie pm again 20:45 < prop_> oh, ic 20:45 < krzie> jk he sells dedicated servers and VPSs 20:45 < prop_> he has a website? :) 20:46 < krzie> http://www.bergenhosting.com/dedicated.php 20:46 < vpnHelper> Title: Bergen Hosting (at www.bergenhosting.com) 20:46 < Dougy> thats the servers 20:53 < Dougy> :> 21:07 < theDoc> Say guys, anyone uses vim to code webpages? 
:) 21:08 < krzie> im sure some people do 21:09 -!- lepine2 [n=lmacguir@ip-70-38-54-219.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 21:09 < theDoc> I'm wondering if I should give that a go. 21:09 < theDoc> I'd have to err, figure out how to color code it all. 21:12 -!- lepine1 [n=lmacguir@74.59.36.93] has joined ##openvpn 21:17 -!- lepine [n=leprecha@70.38.54.219] has joined ##openvpn 21:19 < lepine> how does one have a client ignore the redirect-gateway directive? 21:19 < lepine> !redirect-gateway 21:19 < vpnHelper> lepine: Error: "redirect-gateway" is not a valid command. 21:19 < lepine> !redirect 21:19 < vpnHelper> lepine: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 21:19 < lepine> !def1 21:19 < vpnHelper> lepine: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:20 < krzie> theres a noroute or nopull directive, something like that 21:20 < krzie> check the manual 21:21 < lepine> reading 21:22 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 21:23 < lepine> success! route-nopull 21:29 < Dougy> theDoc 21:29 < Dougy> never 21:30 < theDoc> Wha? 21:32 < Dougy> Say guys, anyone uses vim to code webpages? :) 21:33 < theDoc> Oh, you don't. 21:33 < theDoc> Well, that's normal I guess. 
21:33 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 21:33 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection] 22:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 22:06 < prop_> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz) 22:08 < theDoc> No, it simply means you don't have the permissions to be doing stuff to /dev/net/tun? 22:08 < prop_> well, due to the fact I'm under an openvz .. means nothing I can do about it? 22:09 < prop_> I can only assume this 'module' is mandatory for openvpn? 22:09 < theDoc> prop_: Sorry, no idea on openvz. 22:09 < theDoc> and yes, I think it's mandatory for openvpn. 22:09 < theDoc> I could be wrong on that 22:10 < prop_> ic, I guess I'll try to google some more, see if there are any known workarounds 22:11 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 22:19 -!- plaerzen [n=carpe@66.11.76.242] has joined ##openvpn 22:24 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 22:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 22:36 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 22:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 22:56 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 23:30 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn --- Day changed Wed Apr 29 2009 00:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:39 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 00:40 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:40 < onats1> hey 00:49 < onats1> is there a gui helper to connect/disconnect available for linux? 
01:52 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 02:10 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 02:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:13 < dan__t> NetworkManager has an OpenVPN plugin. 02:14 < dan__t> Hey krzie, got a really weird one for you 02:14 < dan__t> So I'm going to specify multiple servers that a client will connect to, per their configuration file. 02:15 < dan__t> However I want to be able to tell the client which server to connect to - after already having connected to a server. 02:15 < dan__t> So the client connects to one of these servers, groovy. I then want to push another server directive, so the client disconnects and then connects to that server I just told it to reconnect to. 02:15 < dan__t> Is there anything like that? 02:17 < dan__t> Think of it as the server acting like an intermediary proxy or some shit 02:17 < dan__t> Client first connects to IT, then that server tells the client which server to actually reconnect to. 02:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer] 02:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 02:44 -!- deception [i=oc80z@root.servergirl.net] has joined ##openvpn 02:53 < dan__t> hmm 02:54 < dan__t> The problem being, I want to be able to SNAT IPs to clients using iptables hackery. However, some of those IPs might be on different machines etc etc. 
03:01 < dan__t> And unfortunately I'm not able to do any kind of automated binding on the different machines etc etc 03:02 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 03:27 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 03:27 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 03:38 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 03:39 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 03:48 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 110 (Connection timed out)] 03:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 03:54 -!- prop__ [n=dd@77.126.240.136] has joined ##openvpn 03:56 -!- prop_ [n=dd@77.126.240.136] has quit [Read error: 104 (Connection reset by peer)] 04:15 -!- gmarselis [n=gmarseli@93.97.20.215] has joined ##openvpn 04:15 < gmarselis> hey guys 04:16 < gmarselis> question: does openvpn fire "events" during login and timeout/logout times? 
04:23 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 04:35 -!- idk-nva [n=niels@80.127.101.10] has joined ##openvpn 04:40 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn 04:40 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 04:44 < gmarselis> yes there are 04:44 < gmarselis> --client-connect 04:44 < gmarselis> --client-disconnect 04:44 < gmarselis> i love you 04:45 -!- gmarselis [n=gmarseli@93.97.20.215] has left ##openvpn [] 04:49 -!- idk-nva2 [n=niels@idk.xs4all.nl] has joined ##openvpn 04:58 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 05:00 -!- idk-nva [n=niels@80.127.101.10] has quit [Read error: 110 (Connection timed out)] 05:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 05:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:50 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has joined ##openvpn 06:05 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 06:11 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has quit ["Leaving."] 06:12 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has joined ##openvpn 06:13 < Coke> Quick question: what is the test done to match the server and client certificates? What is preventing someone from using any client certificate from the same CA and connect to my server? 06:14 < Coke> The client is currently testing for a proper server CN (using tls-remote), but can the reverse be done? 06:20 -!- Coke [n=coke@90-231-88-79-no84.business.telia.com] has left ##openvpn [] 06:46 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn 06:47 -!- mattock [n=mattock@195.236.127.254] has quit [Client Quit] 06:53 < prop__> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz) 06:53 < prop__> theres no workaround? 'tun' is mandatory? 
07:03 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 07:09 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection] 07:10 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 07:22 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 07:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 07:30 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Read error: 104 (Connection reset by peer)] 07:31 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has joined ##openvpn 07:50 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 07:56 -!- adnc [n=numer@unaffiliated/adnc] has quit ["Lost terminal"] 07:58 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 07:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 08:19 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection] 08:42 -!- adnc [n=numer@unaffiliated/adnc] has joined ##openvpn 08:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)] 08:53 < adnc> !config 08:53 < vpnHelper> adnc: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 08:53 < adnc> !example 08:53 < vpnHelper> adnc: Error: "example" is not a valid command. 08:53 < adnc> !samples 08:53 < vpnHelper> adnc: Error: "samples" is not a valid command. 08:53 < adnc> !help 08:53 < vpnHelper> adnc: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 
08:54 < adnc> there were some samples, does anyone know how to get them printed by the bot or where they are 08:59 < krzee> lol 08:59 < krzee> !sample 08:59 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 08:59 < krzee> !factoid search sam 08:59 < vpnHelper> krzee: Error: "factoid" is not a valid command. 08:59 < krzee> !factoids search sam 08:59 < vpnHelper> krzee: 'sample' and 'samba' 09:00 < krzee> !list factoids 09:00 < vpnHelper> krzee: change, forget, info, learn, lock, random, search, unlock, and whatis 09:00 < reiffert> !random 09:00 < vpnHelper> reiffert: "encryption": Why symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf; "hmac": The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional 09:00 < vpnHelper> reiffert: level of security above and beyond that provided by SSL/TLS.; "quietopenssl": also see !ssl-admin for a sweet tool for managing your certs 09:00 < reiffert> !random 09:00 < vpnHelper> reiffert: "configs": please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn.; "redirect": to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.; "pastebin": please 09:00 < vpnHelper> reiffert: paste anything with more than 5 lines into pastebin or a similar website 09:00 < reiffert> !all 09:00 < vpnHelper> reiffert: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and 
client/server logfiles 09:00 < reiffert> !random 09:00 < vpnHelper> reiffert: "irclogs": http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.); "iptables": then run iptables -F, iptables -Z after being SURE policies are set to accept; "notcompat": openvpn only connects to openvpn 09:01 < reiffert> !random 09:01 < vpnHelper> reiffert: "ssl-admin": if you use freebsd, it is in ports; "winpass": openvpnGUI for windows has a change password feature that will change the passphrase on your .key files; "ifconfig": usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of 09:01 < vpnHelper> reiffert: the virtual ethernet segment which is being created or connected to. 09:01 < reiffert> !random 09:01 < vpnHelper> reiffert: "win_noadmin": and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista; "static": also see !ccd and !iporder; "winroute": you may need to turn off routing and remote acess in administrative tools - routing and remote access 09:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 09:01 < reiffert> !random 09:01 < vpnHelper> reiffert: "winroute": many users also report it helps to add route-delay to give the interface extra time to get up; "notopenvpn": your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem; "fbsdbridge": http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging 09:01 < vpnHelper> reiffert: openvpn in freebsd 09:01 < krzee> easy there reiffert 09:01 < reiffert> hey 09:01 < reiffert> whats up 09:01 < adnc> ahh 09:01 < adnc> !sample 09:01 < vpnHelper> adnc: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 09:01 < adnc> thank you 09:01 < 
adnc> cool 09:01 < krzee> yw 09:02 < reiffert> !beer 09:02 < vpnHelper> reiffert: Error: "beer" is not a valid command. 09:02 < reiffert> !cool 09:02 < vpnHelper> reiffert: Error: "cool" is not a valid command. 09:02 < reiffert> !yes 09:02 < vpnHelper> reiffert: Error: "yes" is not a valid command. 09:02 < krzee> need i make it ignore you? 09:02 < adnc> krzee: these are the examples you showed me two days ago aren't they 09:02 < krzee> adnc, likely 09:02 < reiffert> Do whatever comes up to your mind :) 09:03 < krzee> cool, ordering a sandwich on the phone in that case 09:03 < reiffert> :) 09:03 < onats_> who wants a beer? 09:04 < onats_> reiffert, whats the good beer from where you're from? 09:04 < reiffert> I recall 30 to 50 .. 09:05 < reiffert> and of course the one Bushmills was creating himself 09:05 < reiffert> ginger-beer 09:06 < krzee> the weed beer we made in northern california was good 09:06 < adnc> krzee: with your example would the connecting client get an ip 09:06 < krzee> umm 09:06 < krzee> !man 09:06 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:06 < onats_> weed beer? brewed from weed? or just mixed with grass? 09:06 < krzee> see --server 09:06 < onats_> reiffert, US? 09:07 < adnc> how is this handled, i used this example and it connects but no routes are available 09:07 < krzee> brewed from weed, like pot 09:07 < onats_> 30 - 50 good beers? 09:07 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.] 09:07 -!- onats_ is now known as onats 09:07 < reiffert> on high level of canbicogenes or after using a steam extractor? 09:07 < reiffert> onats: .DE 09:08 < krzee> i dunno what canbicogenes 09:08 < krzee> are 09:08 < krzee> but we made it just like they made hemp beer, but with real pot 09:08 < onats> ahhh ok 09:08 < onats> is hoegaarden from there? 
09:08 < krzee> pot is actually related to hops 09:09 < onats> krzee<--- pothead 09:09 < krzee> sure 09:09 < onats> hehehe 09:09 < reiffert> the active component, unfortunately googles doesnt know my word-creation :( 09:10 < krzee> i worked in the medical marijuana biz for a couple yrs, grew with tractors and whatnot 09:10 < krzee> oh cannabinoids? 09:10 < onats> oh yeah... i remember i saw some ads for shoes made of hemp 09:10 < reiffert> ah, that sounds like it 09:10 < prop__> if I get: "cat: /dev/net/tun: Permission denied" .... it means its a deadend for me? (centos under openvz) 09:10 < krzee> yes, high levels 09:10 < prop__> theres no workaround? 'tun' is mandatory? 09:10 < krzee> do you know what cat does? 09:11 < reiffert> bbl, afk 09:11 < krzee> http://www.google.com/search?hl=en&q=marijuana+hops&btnG=Google+Search&aq=f&oq= 09:11 < onats> prop++, how about doing a sudo when you execute the command? 09:11 < vpnHelper> Title: marijuana hops - Google Search (at www.google.com) 09:11 < prop__> krzee: I got a vague idea :) 09:11 < prop__> onats: as root 09:11 < onats> oh ok 09:11 < krzee> onats, it shouldnt work 09:11 < krzee> he's trying to cat a network device 09:12 < krzee> cat is for concatenating files (or printing them to the screen) 09:12 < prop__> krzee: Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 09:12 < krzee> tun isnt a file, its a device node 09:12 < onats> haha ok 09:12 < onats> i thought he was running a script or something 09:14 < adnc> WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 09:14 < adnc> is it possible to define that vpn uses a different subnet 09:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:16 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 09:17 < krzee> both sides are on the same lan? 
09:17 < adnc> yes 09:18 < adnc> but i tried it from a different lan as well 09:18 < adnc> and it does the same 09:18 < krzee> do you plan on sharing either lan with the other? 09:18 < adnc> no 09:18 < krzee> then ignore it 09:18 < krzee> what is your goal anyways 09:18 < adnc> but it doesnt work 09:18 < krzee> what is "work" 09:18 < adnc> i would like to access my local lan from outside via vpn 09:18 < krzee> that is sharing a lan! 09:18 < krzee> LOL 09:18 < adnc> ok, no ip routing to the lan 09:18 < krzee> thats exactly what i just asked you 09:19 < adnc> krzee: sorry for my bad english 09:19 < adnc> i misunderstood you 09:19 < krzee> you can NOT do that with 2 lans on the same subnets 09:19 < krzee> one must get re-numbered 09:19 < adnc> ok 09:19 < adnc> what exactly would i have to do? 09:20 < krzee> change the lan's subnet 09:20 < adnc> mhh 09:20 < adnc> krzee: i didn't understand. i only have one lan 09:21 < krzee> heh 09:21 < krzee> ok you have a client and a server 09:21 < adnc> yes 09:21 < krzee> both are on 192.168.1.x 09:21 < adnc> yes 09:21 < krzee> change one to something else 09:22 < adnc> is it possible to assign the client a different subnet-address 09:22 < adnc> so instead of changing the ip of the client or the server having the openvpn-lan on a different address 09:24 < krzee> it has nothing to do with the address assigned by openvpn 09:24 < krzee> my smaple files use 10.8.1.x for the openvpn subnet 09:24 < adnc> krzee: i thank you very much 09:24 < krzee> sample 09:25 < adnc> !push 09:25 < vpnHelper> adnc: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 09:29 < adnc> my client prints out this 09:29 < adnc> /sbin/ifconfig tun0 10.8.1.6 pointopoint 10.8.1.5 mtu 1500 09:29 < adnc> but i can not ping to 10.8.1.5 09:29 < adnc> is this normal? 
09:29 < adnc> shouldn't it be reachable 09:29 < krzee> no 09:29 < krzee> !/30 09:29 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:30 < krzee> you should be pinging 10.8.1.1 09:30 < adnc> but even this ip is not reachable 09:30 -!- prop__ [n=dd@77.126.240.136] has quit [] 09:31 < krzee> then something is wrong 09:31 < krzee> !configs 09:31 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:31 < krzee> !logs 09:31 < vpnHelper> krzee: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 09:31 < adnc> ok 09:37 < adnc> http://pastebin.com/d58e393f 09:38 < adnc> and my lan address is 192.168.1.0 09:40 < krzee> and the client is on what lan...? 09:40 < adnc> 192.168.1.0 09:40 < adnc> and has the ip at the moment of 102 09:41 < krzee> and server lan is what? 09:41 < adnc> also 192.168.1.0 and has ip 2 09:41 < krzee> didnt i tell you you had to change ones? 
09:42 < krzee> [10:21] both are on 192.168.1.x 09:42 < krzee> [10:21] change one to something else 09:42 < adnc> i was today outside at a friends home he has a different ip range and it still didn't work 09:42 < krzee> i didnt say that was all 09:42 < krzee> but i made it clear you needed to change that 09:43 < adnc> yes, but if i do this i won't be able to talk here 09:43 < krzee> ok well good luck 09:43 < krzee> ill be back later 09:43 < adnc> maybe you could tell me what else i would have to do 09:43 < adnc> and i could do all together 09:46 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn 09:46 < maninthemiddle> hi 09:47 < maninthemiddle> i have openvpn client and openvpn server 09:47 < maninthemiddle> client connected successfully and got ip 09:47 < maninthemiddle> but they cannot ping each other.. 09:47 < maninthemiddle> firewalls are turned off 09:47 < maninthemiddle> what can be the reason? 09:49 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn 09:54 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has joined ##openvpn 09:55 -!- traceroute [n=tracerou@gprs13.swisscom-mobile.ch] has quit [Client Quit] 09:55 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"] 09:59 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has joined ##openvpn 10:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:05 -!- idk-nva2 [n=niels@idk.xs4all.nl] has quit [] 10:12 -!- ekristen_ [n=ekristen@68.33.133.72] has joined ##openvpn 10:13 < ekristen_> the client cert for the openvpn client, does that need to be signed by the ca crt? 10:14 < ekristen_> or is it just a generated key and generated cert from the key for the client? 
10:14 -!- ekristen_ is now known as ekristen 10:25 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn 10:25 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has joined ##openvpn 10:27 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 10:36 -!- joelsolanki [i=joelsola@123.237.172.89] has joined ##openvpn 10:36 < joelsolanki> Hi all 10:36 < joelsolanki> !redirect 10:36 < vpnHelper> joelsolanki: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 10:38 < joelsolanki> !/30 10:38 < vpnHelper> joelsolanki: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:38 < joelsolanki> !topology 10:38 < vpnHelper> joelsolanki: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 10:49 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn 10:52 < __8472> hi, how should that damn resolvconf work? because i'm trying to get it work, and it instantly works somehow strange on its own. once it changes the /etc/resolv.conf, next time it just leaves there previous entries , damn it 10:54 < __8472> another time it just doesn't change anything. 11:02 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:04 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit [Read error: 104 (Connection reset by peer)] 11:19 < ekristen> hello 11:20 < ekristen> so I have a successful vpn tunnel 11:20 < ekristen> using pki 11:20 < ekristen> but none of my traffic is going through the tunnel 11:22 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has joined ##openvpn 11:24 < ekristen> can anyone help? 
11:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)] 11:29 < krzee> what traffic do you expect to go through the tunnel? 11:33 < krzee> ekristen, 11:33 < ekristen> traffic to my hosts that reside on the other side, ssh, ftp, http, https, 11:34 < krzee> on the other side as in a lan behind the other side, or the internet in general 11:35 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 11:36 < ekristen> nm, its working, the guy I was working with is an idiot 11:36 < ekristen> that was telling me it wasn't working 11:40 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Remote closed the connection] 11:41 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:41 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 11:41 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has quit [Connection timed out] 11:42 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 11:46 -!- ekristen [n=ekristen@68.33.133.72] has quit [Read error: 104 (Connection reset by peer)] 11:53 -!- __8472 [n=8472@230-36-16-84.mcrn.sk] has quit ["Leaving"] 12:06 -!- adnc_ [n=numer@p54855958.dip.t-dialin.net] has joined ##openvpn 12:16 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has joined ##openvpn 12:17 -!- adnc [n=numer@unaffiliated/adnc] has quit [Read error: 110 (Connection timed out)] 12:29 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn 12:38 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit ["Leaving"] 12:45 -!- lepine1 [n=lmacguir@74.59.36.93] has left ##openvpn [] 12:50 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 12:52 < joelsolanki> krzee: HI 12:53 < joelsolanki> is it possible to bridge the lan on windows machine on which openvpn is also working but acting as vpn client ? 
12:53 < joelsolanki> my aim is vpn server should be able to communicate with lan machines which are behind vpn client
12:53 < joelsolanki> possible ?
12:55 < krzy> i dont use bridge
12:55 < krzy> but its very possible with routed setup
12:56 < krzy> in fact i wrote a doc about how to connect lans behind server + clients, to see it type: !route
13:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:13 < joelsolanki> aha
13:13 < joelsolanki> !route
13:13 < vpnHelper> joelsolanki: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:13 < joelsolanki> checking your doc
13:22 -!- maninthemiddle [n=tt@unaffiliated/maninthemiddle] has quit [":(){ :|:& };:"]
13:34 -!- adnc [n=numer@p54856A7F.dip.t-dialin.net] has joined ##openvpn
13:37 -!- joelsolanki [i=joelsola@123.237.172.89] has quit []
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:49 -!- adnc_ [n=numer@p54855958.dip.t-dialin.net] has quit [Connection timed out]
13:51 -!- Gumbler is now known as Gumbler|NotHere
13:51 -!- Gumbler|NotHere is now known as Gumbler
14:12 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:12 < Dougy> krzie
14:12 < Dougy> ping
14:13 < Dougy> pingpingpingpingpingpingpingpingpingpingpingping
14:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:24 < Dougy> afk
14:31 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
14:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:59 < krzie> kickass bro
15:06 < ecrist> what's kickass?
15:06 < krzie> he got a cheap mb for me
15:06 < ecrist> sweet
15:08 < Dougy> yeah
15:08 < Dougy> p4sga+ for $30
15:08 < Dougy> its socket 478 tho
15:24 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
15:26 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
15:29 -!- Timpa88 [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:29 < Dougy> hey
15:30 < reiffert> ho
15:30 < Dougy> hey reiffert
15:30 < Dougy> :)
15:31 < reiffert> whats up Dougy?
15:32 -!- Timpa88 is now known as Timpa
15:34 < Dougy> nothing
15:34 < Dougy> bored out of my mind
15:40 < krzie> do i really need to fill this out?
15:40 < krzie> oops /q
15:40 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
16:01 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
16:16 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:16 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:29 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
16:33 -!- nemysis [n=nemysis@25-137.3-85.cust.bluewin.ch] has quit [Connection timed out]
16:34 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has joined ##openvpn
17:24 -!- adnc [n=numer@p54856A7F.dip.t-dialin.net] has quit ["leaving"]
17:30 < prop__> krzie: cat: /dev/net/tun: File descriptor in bad state
17:30 < prop__> krzie: now it works :)
17:54 -!- floyd_n_milan_ [n=mrugesh@124.247.220.202] has joined ##openvpn
17:55 -!- SanninMan [n=User@ch1.cproxy.cz] has joined ##openvpn
17:55 < SanninMan> yo
18:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:03 -!- SanninMan [n=User@ch1.cproxy.cz] has left ##openvpn ["Leaving"]
18:10 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)]
19:22 < Dougy> anyone need hosting?
19:28 < prop__> may I /privmsg you?
19:28 < Dougy> you may certainly
19:40 -!- c64zottel [n=hans@p5B17B1FA.dip0.t-ipconnect.de] has quit ["Leaving."]
19:43 -!- lepine [n=leprecha@70.38.54.219] has left ##openvpn []
19:46 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
19:46 < onats1> buzz!
20:23 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:30 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
20:40 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Remote closed the connection]
20:41 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn
20:42 -!- unix3 [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)]
20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:01 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
21:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
21:20 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
21:29 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"]
21:52 -!- karlpinc [n=kop@meme-net.meme.com] has quit ["BitchX: a new fragrance for men, by Calvin Klein"]
22:56 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn
23:27 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit [Remote closed the connection]
23:36 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has joined ##openvpn
--- Day changed Thu Apr 30 2009
00:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:25 < dan__t> hi.
00:25 < dan__t> krzie, wake up.
00:37 < dan__t> Well, that idea didn't work..........
00:38 < dan__t> I need to use OpenVPN as sort of a router for other OpenVPN connections.
00:39 < dan__t> Reason being is that I want to SNAT certain clients, identifiable by their TLS CN, to use certain IPs. Those IPs might not be present on the machine that they're connecting to.
00:39 < dan__t> i.e. I'd have multiple 'server' directives in the client conf file
00:39 < dan__t> I might as well just drop the connection, and assume/hope the OpenVPN client just goes down that list.
00:46 < dan__t> Yea, that might be the best approach.
01:17 < reiffert> dan__t: create a tunnel between the servers
01:18 < dan__t> But I don't want to pass that traffic through the tunnel.
01:18 < dan__t> er, the traffic that the client would be using.
01:18 < dan__t> Because server A and server B might be across the world from each other.
01:18 < dan__t> I don't want to incur extra bandwidth charges just to tunnel that.
01:18 < reiffert> then use a dynamic routing protocol
01:24 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Read error: 104 (Connection reset by peer)]
01:25 < dan__t> I don't have that kind of control
01:28 < dan__t> I can't BGP or anything between peering points.
01:29 < reiffert> What was krzie's idea that you claim it was failing?
01:43 < dan__t> What? I never claimed such things.
01:43 < dan__t> I don't see a response to my question, I just looked through logs, perhaps you're confused?
01:52 < reiffert> 07:25 < dan__t> krzie, wake up.
01:52 < reiffert> 07:37 < dan__t> Well, that idea didn't work..........
01:53 < dan__t> Sorry, I was trying my own idea.
01:53 < reiffert> ah
01:53 < reiffert> and what is it?
02:01 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
02:08 < dan__t> trying to see how a client would use multiple servers
02:08 < dan__t> round-robin or random or what
02:23 < dan__t> Doesn't look reliable, but it may just need more testing.
02:23 < dan__t> I'm tired and a few beers deep, I'll need to play with it some other night.
02:30 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."]
02:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:48 -!- adnc [n=numer@141.41.40.139] has joined ##openvpn
03:48 < adnc> !route
03:48 < vpnHelper> adnc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:09 -!- albech [n=albech@118.173.10.145.adsl.dynamic.totbb.net] has quit [Read error: 110 (Connection timed out)]
04:16 -!- joelsolanki [i=joelsola@123.237.172.62] has joined ##openvpn
04:16 < joelsolanki> !route
04:16 < vpnHelper> joelsolanki: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:16 -!- joelsolanki [i=joelsola@123.237.172.62] has quit [Client Quit]
04:26 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"]
04:35 -!- adnc [n=numer@141.41.40.139] has quit [Read error: 60 (Operation timed out)]
04:38 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
04:38 -!- albech [n=albech@118.173.14.75] has joined ##openvpn
04:39 -!- prop__ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
05:03 -!- zheng [n=zheng@222.66.224.110] has quit [Client Quit]
06:19 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
06:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
06:36 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
06:41 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
06:49 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
07:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
07:02 -!- dazo [n=dazo@nat/redhat/x-b40504dd271611ba] has quit ["Leaving"]
07:06 -!- dazo [n=dazo@nat/redhat/x-4a26375fe2be66dc] has joined ##openvpn
07:17 -!- dazo [n=dazo@nat/redhat/x-4a26375fe2be66dc] has quit ["Leaving"]
07:17 -!- dazo [n=dazo@nat/redhat/x-47a430b4e0c1081a] has joined ##openvpn
07:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:29 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
08:29 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
08:48 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
08:48 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
08:50 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
08:52 -!- Timpa [i=timpa@c-371070d5.08-137-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:14 -!- Lilarcor [n=Lilarcor@167.sub-97-23-66.myvzw.com] has joined ##openvpn
09:18 -!- Lilarcor [n=Lilarcor@167.sub-97-23-66.myvzw.com] has quit [Client Quit]
09:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)]
09:47 -!- degrade [n=degrade@unaffiliated/degrade] has joined ##openvpn
09:50 < degrade> Does anybody have OpenVPN installed on Windows?
09:50 < albech> anyone here have a working openvpn installation in ubuntu 9.04 through the openvpn plugin in the network manager?
09:50 < degrade> Is it possible to use the OpenVPN client with a Micro$oft Windows PPTP server?
09:51 < albech> degrade, im fairly sure it isnt
09:51 < albech> degrade, download the openvpn windows gui
09:52 < degrade> albech: I will try. The Windows VPN client closes my network and uses the VPN exclusively.
09:53 < degrade> albech: It's a feature, I know. But I need my local network not to close.
09:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:53 < albech> deception, i understand
09:53 < degrade> albech: I think the other client works in a different fashion.
10:06 -!- albech [n=albech@118.173.14.75] has quit [Remote closed the connection]
10:09 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
10:10 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
10:10 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
10:19 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
10:32 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
11:09 < dazo> degrade: OpenVPN != PPTP ... not compatible and will never be
11:11 < dazo> degrade: btw ... configuring openvpn on windows is almost the same as in Linux
11:12 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:22 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
11:25 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
11:26 < degrade> dazo: thx
11:27 -!- degrade [n=degrade@unaffiliated/degrade] has quit ["leaving"]
11:31 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)]
11:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:47 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Read error: 104 (Connection reset by peer)]
11:47 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:48 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 54 (Connection reset by peer)]
11:49 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
11:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:52 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Client Quit]
12:26 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn
12:31 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
12:32 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Client Quit]
12:51 < dan__t> Hi.
13:09 -!- theDoc [n=andelyx@116.197.244.5] has joined ##openvpn
13:17 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has quit [Client Quit]
13:48 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:54 -!- asdzxc [n=azurit@adsl-dyn-160.95-102-50.t-com.sk] has joined ##openvpn
13:54 < asdzxc> hi
13:55 < asdzxc> how can i set OpenVPN to redirect all traffic through tunnel but only for some of my clients (not for all) ?
14:04 < asdzxc> is it possible to configure per user settings ?
14:06 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
14:08 -!- plaerzen [n=carpe@66.11.76.242] has quit [Read error: 104 (Connection reset by peer)]
14:08 < asdzxc> anyone here ?
14:09 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
14:23 -!- deception [i=oc80z@root.servergirl.net] has quit []
14:31 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
14:32 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has joined ##openvpn
14:42 -!- temoto-mobi [n=temoto@78-106-109-221.broadband.corbina.ru] has joined ##openvpn
14:43 < temoto-mobi> Hello. Can i configure openvpn client to filter routes it is accepting? Or maybe not accept routes at all?
14:43 < temoto-mobi> Damn server overrides my default route.
14:51 < bragon> is it possible to fix the @mac of a tap0 device ?
14:57 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
14:57 -!- asdzxc [n=azurit@adsl-dyn-160.95-102-50.t-com.sk] has left ##openvpn []
14:58 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn
15:03 -!- temoto-mobi [n=temoto@78-106-109-221.broadband.corbina.ru] has left ##openvpn ["WeeChat 0.2.6.1"]
15:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:08 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
15:19 -!- Timpa [i=timpa@c-851170d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:48 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:09 < troy-> is there a webclient version of openvpn?
16:29 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
16:47 < dan__t> hey bitches.
16:47 < dan__t> how/why/where would there be, troy-?
16:47 < dan__t> What are you looking to do?
16:48 < troy-> dan__t, i want a user to be able to login to the private network via a web-browser without client software
16:48 < dan__t> Kind of like how Juniper's shit works?
16:48 < dan__t> Not that I know of, no.
16:48 < troy-> or the Cisco platform, ya
16:48 < dan__t> Yea that's some bad-ass shit.
16:48 < dan__t> OpenVPN does not do that.
16:48 < dan__t> Trying to think of what I saw a while ago... did sort of the same thing.
16:55 -!- prop__ [n=dd@77.124.153.214] has quit [Connection timed out]
17:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:09 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
17:27 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
17:29 < scyld> Hi ppl! Just a funny thing. Is there a way to establish a connection to an openvpn server with TLS cert expired?
17:29 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
17:29 < eliasp> hi
17:30 < scyld> I mean server cert expired, client cert is fine...
17:34 < eliasp> i have trouble using ccd ... it seems my ccd files are ignored... i have openvpn running with these arguments:
17:34 < eliasp> /usr/sbin/openvpn --config /etc/openvpn/management.conf --writepid /var/run/openvpn.management.pid --daemon --cd /etc/openvpn
17:35 < eliasp> as i'm using --cd /etc/openvpn i put my client-config-files into /etc/openvpn/ccd
17:35 < eliasp> i have a file evsrv002 there which contains
17:35 < eliasp> ifconfig-push 10.5.3.17 10.5.0.1
17:36 < eliasp> but when evsrv002 connects it gets another random IP
17:36 < eliasp> what's wrong with my config?
17:42 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:42 < Dougy> :>
18:02 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
18:07 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
18:12 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["leaving"]
18:39 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has joined ##openvpn
18:42 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
18:53 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Stevethe1irate, isox, Intensity, krzie, qknight, M06w, dazo, disco-, youngpro, rubydiamond, (+44 more, use /NETSPLIT to show all of them)
18:54 -!- Netsplit over, joins: frankS2, prop_, epaphus, troy-, Dougy, eliasp, rubydiamond, Timpa, jfkw, floyd_n_milan (+40 more)
18:54 -!- Netsplit over, joins: Pagautas, [4-tea-2], Bushmills, jameswhite
18:56 -!- epaphus [n=unix3@static.204.79.46.78.clients.your-server.de] has quit ["Leaving"]
19:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:01 < ecrist> foo
20:07 < Dougy> hiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii
20:07 < Dougy> ecrist
20:07 < ecrist> sup?
20:07 < Dougy> nothing
20:07 < Dougy> sleepy as heck
20:07 < Dougy> you?
20:08 < ecrist> browsing the web. my new PFD shipped today, so I'm happy.
20:09 < ecrist> http://dogbytecomputer.com/mustang-md3183-u-bk-cr-deluxe-automatic-inflatable-w-hammar-inflator.html
20:09 < vpnHelper> Title: Mustang MD3183-U-BK/CR Deluxe Automatic Inflatable W/Hammar Inflator (at dogbytecomputer.com)
20:09 < reiffert> moin
20:09 < Dougy> nice
20:09 < ecrist> howdy, reiffert
20:10 < Dougy> ecrist: i am about to sign a colocation contract
20:10 < Dougy> tomorrow
20:10 < Dougy> :X
20:10 < ecrist> where?
20:11 < ecrist> I'm upgrading my cable internet service tomorrow.
20:11 < ecrist> 22Mb/5Mb
20:11 < Dougy> cool
20:11 < Dougy> I got
20:11 < Dougy> 10U, 10Amps, 20 Mbps on a 100MB port for $400
20:11 < Dougy> in new york city
20:11 < ecrist> not too shabby
20:11 < ecrist> which provider?
20:11 < Dougy> as in, the dc?
20:11 < Dougy> or the bw
20:11 < ecrist> don't you work for a colo?
20:11 < Dougy> yeah uhh
20:11 < Dougy> lets not go ther
20:11 < Dougy> e
20:12 < ecrist> lol
20:12 < Dougy> simply said nothing of mine is going in that "datacenter"
20:12 < Dougy> nothing wrong with the network
20:12 < Dougy> everything wrong with the datacenter
20:12 < ecrist> bandwidth provider
20:12 < Dougy> right now, singlehomed cogent
20:12 < Dougy> in next 2 months.. WVFiber and Verizon are being added
20:12 < ecrist> who's the ISP?
20:12 < ecrist> (datacenter owner)
20:12 < Dougy> the building isnt just a DC
20:13 < Dougy> its also a department of justice headquarters
20:13 < Dougy> among other things
20:13 < Dougy> its over 30 stories tall
20:13 < ecrist> why does the size of the building matter?
20:13 < ecrist> it doesn't make the dc more reliable
20:13 < Dougy> doesnt
20:13 < Dougy> the floor of the bldg is owned by Cogent
20:16 < Dougy> supposedly extremely nice
20:16 < Dougy> all locking APC racks
20:18 < ecrist> my data center is in the basement of a one-story ranch-style home.
20:18 < ecrist> :P
20:18 < prop_> http://74.86.94.210/1.txt , is there hope for me?
20:19 < prop_> tried to read whatever guide I could find for the past two days, can't quite understand what/where I do wrong :|
20:19 < ecrist> 100Amps of service, 84u of space, and 22Mb/5Mb of bandwidth on dual gigabit links. :)
20:20 -!- youngpro [n=pro@teamaustralia.net.au] has quit [Read error: 110 (Connection timed out)]
20:20 < Dougy> cool ecrist
20:20 < ecrist> prop_: firewall issue
20:20 < ecrist> CONN_REFUSED is caused by firewalls
20:21 < ecrist> or the daemon not running on the other end.
20:22 < prop_> ecrist: I execute it manually
20:22 < prop_> ecrist: (this is the server side stdout)
20:23 < prop_> ecrist: the client is inside a lan, is there something special it needs? (for some reason I failed to see such a requirement of the client)
20:26 < ecrist> not really.
20:26 * ecrist goes away
20:44 < prop_> ok, changed the default port 1194 --> 94 , and used TCP instead of UDP .. now I got a different issue.. lets try to google it up
21:34 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:33 < eliasp> i have network trouble with one of my clients (hanging SSH connections, etc.) and i get messages in the server log like these: http://dpaste.com/39899/
22:33 < eliasp> what does this MULTI mean in this case? something critical?
22:33 < eliasp> the affected host is evsrv002.... nx9420-eliasp is my laptop-client...
22:34 < eliasp> i only get these messages, they don't appear for any other host
22:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
23:01 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has joined ##openvpn
23:03 < Plecebo> Hello, I have a vpn that is having trouble staying connected. I'm able to connect, and able to remote desktop into a computer on the remote network. All works for a few minutes (3-5) then the remote desktop session drops and I can no longer ping the remote computer. Oddly my client says that it is still connected and doesn't really indicate that it has lost connection or anything.
23:05 < Plecebo> Here is my client.conf http://pastebin.com/m3c41b298
23:10 < Plecebo> and my server.conf http://pastebin.com/m7d8ae9a8
23:25 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has quit ["Leaving"]
23:40 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
--- Day changed Fri May 01 2009
00:07 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:11 -!- theDoc_ [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:12 -!- theDoc_ [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
00:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"]
00:20 -!- theDoc [n=andelyx@bb116-14-219-110.singnet.com.sg] has joined ##openvpn
00:21 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
00:45 -!- onats__ [n=onats@122.53.134.78] has joined ##openvpn
00:47 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
00:48 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
00:50 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
00:52 < theDoc> Does openvpn support native v6 implementation yet?
01:55 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
02:19 < dan__t> v6?
02:19 < dan__t> v6 what
02:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
02:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)]
02:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:42 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: M06w, Typone
02:43 -!- Netsplit over, joins: M06w, Typone
02:45 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
03:02 -!- onats__ [n=onats@122.53.134.78] has quit [Read error: 110 (Connection timed out)]
03:20 -!- lolipop [n=soontak@219.95.197.122] has joined ##openvpn
03:32 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
03:50 -!- c64zottel [n=hans@p5B17AC88.dip0.t-ipconnect.de] has joined ##openvpn
03:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
04:46 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
05:01 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
05:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
05:07 -!- lolipop [n=soontak@219.95.197.122] has quit [Remote closed the connection]
05:18 -!- gallatin [n=gallatin@dslb-088-078-178-092.pools.arcor-ip.net] has joined ##OpenVPN
05:59 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn
06:03 < feinoM> Hello :) I have a VPN client on network A connected to a VPN on network B. The client uses the DNS server on network B. I'm using an up-script to get this done. The problem is that when the local lease time expires for the client, the DNS server entries in /etc/resolv are replaced. Is there some way to avoid this?
06:41 -!- MarcWebe1 [n=marc@88.80.200.63] has joined ##openvpn
06:42 < MarcWebe1> Are there any known problems running openvpn on x86_64 systems (linux)? The strange thing is: scp shows 100%. But it doesn't terminate. running scp from a 32 bit system (same setup) works fine.
06:42 < ecrist> MarcWebe1: I'm not aware of any 64-bit specific problems with openvpn
06:43 < ecrist> if scp is at 100%, i'd say you've got some other issue
06:43 < MarcWebe1> Where to start debugging this?
06:43 < MarcWebe1> it's the same with git push/pull
06:52 < MarcWebe1> Oh. well. it works for small files.
06:57 < MarcWebe1> It starts hanging when the file has 1295 bytes or more.
06:57 < ecrist> it works OK when not transferring over openvpn tunnels?
06:58 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
06:59 < MarcWebe1> ecrist: Sure. I've never encountered any trouble. But I don't forward packets through the vserver then.
06:59 < ecrist> don't know what a vserver is
07:00 < MarcWebe1> vserver= virtual server. I pipe my internet traffic through a small root (private) server having broadband connection to do traffic shaping.
07:16 < MarcWebe1> Using --fragment and --mssfix made it work :-)
07:18 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has joined ##openvpn
07:31 < ecrist> glad you were able to fix it
07:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:49 < MarcWebe1> I got these values: Fri May 1 14:19:55 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1437]
07:49 < MarcWebe1> Can I deduce fragment and mssfix options from this output?
07:49 < MarcWebe1> Can I make the server push those options to the client? ( I got wrong context errors or such)
07:56 -!- hyphenex [n=hyphenex@209.20.74.93] has joined ##openvpn
07:56 < hyphenex> Hey, I'm trying to run openVPN, but I'm getting the following error Options error: Unrecognized option or missing parameter(s) in /etc/openvpn/openvpn.conf:5: secret (2.1_rc15)
07:57 < ecrist> !configs
07:57 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:57 < ecrist> !logs
07:57 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
07:59 < hyphenex> my config file is at http://paste2.org/p/195720
07:59 < hyphenex> how might I find the logs?
08:07 < ecrist> if you run openvpn from the command line, they're in stdout
08:08 < ecrist> are you following a howto?
08:09 -!- Sir_J [n=Sir_J@mm-207-159-57-86.adsl.mgts.by] has quit ["Leaving"]
08:11 < hyphenex> ecrist: no errors then, just that one when I try and run
08:41 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn
08:43 -!- hyphenex [n=hyphenex@209.20.74.93] has quit ["leaving"]
09:38 -!- gallatin [n=gallatin@dslb-088-078-178-092.pools.arcor-ip.net] has quit ["Client exiting"]
09:47 -!- Timpa [i=timpa@c-851170d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:56 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn
09:58 -!- prop__ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
09:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:08 -!- gregHome [n=gleblanc@75.108.45.57] has joined ##openvpn
10:22 -!- scooby2 [n=scooby2@pdpc/supporter/active/scooby2] has left ##openvpn []
10:56 -!- mrpockets [n=mrpocket@CPE-67-48-248-23.new.res.rr.com] has joined ##openvpn
10:56 < mrpockets> Hello!
11:02 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:06 < Bushmills> Rostock after 6 min 1:0 against KL
11:17 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 110 (Connection timed out)]
11:19 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has joined ##openvpn
11:25 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
11:31 -!- nemysis [n=nemysis@92-23.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
11:32 -!- nemysis [n=nemysis@107-79.3-85.cust.bluewin.ch] has joined ##openvpn
11:39 -!- mrpockets [n=mrpocket@CPE-67-48-248-23.new.res.rr.com] has left ##openvpn []
11:41 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
12:33 -!- Timpa [i=timpa@c-0a1070d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
12:37 -!- Timpa [i=timpa@c-0a1070d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit [Client Quit]
12:46 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:57 -!- jfkw [n=jtk@cpe-74-74-158-219.rochester.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:04 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn
13:05 < Solvik> !redirect
13:05 < vpnHelper> Solvik: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:05 < Solvik> !def1
13:05 < vpnHelper> Solvik: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:12 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
13:24 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
13:40 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Success]
13:49 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Gumbler, Intensity, rubydiamond, ropetin, onats_, mikkel, temba
13:51 -!- Netsplit over, joins: temba, mikkel
13:51 -!- Netsplit over, joins: rubydiamond, Gumbler, Intensity, ropetin
13:51 -!- ekristen [n=ekristen@c-68-33-133-72.hsd1.md.comcast.net] has joined ##openvpn
13:51 < ekristen> Question, does openvpn traffic look like standard SSL traffic?
13:52 -!- onats_ [n=onats@122.53.139.235] has joined ##openvpn
13:58 -!- ekristen [n=ekristen@c-68-33-133-72.hsd1.md.comcast.net] has quit []
14:36 -!- Solvik [n=solvik@oxyradio.com] has left ##openvpn ["Quitte"]
14:47 -!- prop__ [n=dd@77.124.153.214] has joined ##openvpn
14:48 -!- prop_ [n=dd@77.124.153.214] has quit [Read error: 104 (Connection reset by peer)]
15:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
15:21 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:22 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
15:36 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
16:09 < krzie> wassup
16:09 -!- krzie [i=krzee@unaffiliated/krzee] has left ##openvpn []
16:09 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
16:44 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
17:09 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn
17:53 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"]
18:36 -!- c64zottel [n=hans@p5B17AC88.dip0.t-ipconnect.de] has quit ["Leaving."]
19:17 -!- Cr0nix [i=irssi@62.141.56.213] has quit [Read error: 110 (Connection timed out)]
19:27 -!- onats_ [n=onats@122.53.139.235] has quit ["Ex-Chat"]
19:38 -!- Celsiux-Nulled [n=Nullesd@85.17.165.5] has joined ##openvpn
19:38 < Celsiux-Nulled> hello :)
19:38 < Celsiux-Nulled> I have a question anybody around ?
20:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
20:20 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
20:26 < krzie> !ask
20:26 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
20:28 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:42 < prop__> SO - I managed to make my VPN scheme, 'openvpn server' on the remote machine(CentOS), 'openvpn client' on the laptop(XP) ... a problem I stumbled on:
20:43 < prop__> my download transfer rate ability is ~300KByte, .. when I try to download from the openvpn server - I manage to get ~300KByte
20:44 < prop__> when I try to download from a machine outside from the openvpn server, the speed drops to 30KByte.
20:44 < prop__> (the server downloads that link at ~10MByte, and my client directly can download it at ~300KByte... but through the VPN .. its only 30KByte?)
20:53 < krzie> i dont understand what you mean
20:53 < krzie> are you saying the client is redirecting its gateway to go through the server?
20:54 < prop__> krzie: correct
20:54 < krzie> and that over the vpn it can get 300kb/s direct from server
20:54 < krzie> or outside the vpn it gets that speed
20:54 < prop__> both are correct, through the vpn it gets 300kb from the server, but 3rd party gets only 30KB
20:54 < krzie> you using udp or tcp?
20:55 < prop__> 300KByte is its ~ability 20:55 < krzie> in fact, do this: 20:55 < prop__> TCP 20:55 < krzie> !configs 20:55 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:55 < krzie> ahh 20:55 < krzie> read this: 20:55 < krzie> !tcp 20:55 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:55 < prop__> krzie: give me a minute or so :) 20:56 < krzie> i no longer need your configs 20:57 < prop__> oh, it was a typo? 20:57 < krzie> there was a line of questions that you stopped me from needing to ask with your first answer 20:57 < krzie> seeing your configs would have stopped me from needing to go down a little list 20:57 < prop__> heh, I see you're experienced enough :) 20:58 < prop__> so let me read up on the tcp-tcp issue, and then try to figure out what requirement UDP has from my client-side 20:58 < krzie> been here awhile 20:58 < krzie> hehe 20:58 < krzie> client just needs to be able to make an outbound udp connection 21:00 -!- jfkw_ [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:01 < prop__> mm.. I thought TCP are doing a "connection" .. while UDP is more of a "hit and run" ? .. wouldn't that imply the client needs to listen on a UDP port? 21:02 < krzie> negative 21:02 < krzie> when a machine makes an outbound connection it knows (as does nat) to pay attention for responses 21:02 < krzie> otherwise you'd need to open a port for every udp protocol you use, which would damn near render udp useless 21:08 < prop__> krzie: well, it doubled it. now its stabilized at ~60KB .. 
and the direct server access is still ~300KB 21:10 < krzie> everything must flow through the server to and from you to outside world 21:10 < krzie> including ack's and whatnot 21:10 < krzie> which could make the whole flow slower i would imagine 21:10 < krzie> you may be able to squeeze some more throughput with compression 21:10 < krzie> --comp-lzo or something like that 21:10 < prop__> mmmm 21:10 < krzie> !man 21:10 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:10 < krzie> its in there 21:11 < prop__> lzo is enabled on the default .conf I believe 21:11 < krzie> also, you may find testing your MTU to be useful 21:11 < krzie> !mtu 21:11 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 21:11 < prop__> (I used the default .conf) 21:11 < krzie> i dunno what default conf you have 21:11 < krzie> but check it anyways 21:11 < prop__> yes, its enabled on my .conf 21:11 < krzie> in !mtu just use #2 21:12 < krzie> add --mtu-test to the client config and connect up 21:12 < krzie> it'll test for a couple minutes and let you know your optimal mtu 21:13 < prop__> I'll have to look at openvpn.org for the mtu-test, one moment 21:13 < krzie> why do you need to look at openvpn.org for that 21:14 < prop__> because I'm not quite sure what/where/when? 21:14 < prop__> "openvpn --mtu-test" ? 
21:14 < krzie> add --mtu-test to the client config and connect up 21:14 < krzie> it'll test for a couple minutes and let you know your optimal mtu 21:14 < krzie> err 21:14 < krzie> just mtu-test in the client config 21:17 < prop__> krzie: ok, added to the .conf and its running now 21:17 < prop__> I initially tried: "openvpn --mtu-test client.conf" 21:18 < krzie> if you have more than 1 option you must use --config 21:18 < krzie> you can only omit --config if its the only option passed 21:18 < prop__> oh, ic - my bad 21:18 < krzie> time for me to go 21:18 < krzie> gl to ya 21:18 < prop__> ok man, thanks a lot! 21:18 < krzie> yw 21:18 < prop__> I'll read up again on your info/links .. just to get a bit in shape :) 22:48 -!- Celsiux|Nulled [n=Nullesd@189.152.3.218] has joined ##openvpn 22:51 -!- Celsiux|Nulled [n=Nullesd@189.152.3.218] has quit [Remote closed the connection] 22:51 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 22:53 < Celsiux|Nulled> hi 22:54 < Celsiux|Nulled> does anybody know how I can assign a specific IP to each client (external IP, I am using openvpn to access the internet), because right now it only uses the main IP of the server 22:55 < Celsiux|Nulled> I have been searching on google and email lists but no answers to this so far 22:56 < Celsiux|Nulled> any idea or pointer? even if somebody has experience with that I am willing to remunerate for the task 23:06 -!- Celsiux-Nulled [n=Nullesd@85.17.165.5] has quit [Read error: 110 (Connection timed out)] 23:13 < ecrist> fuckers 23:14 < Celsiux|Nulled> ? 23:15 < ecrist> what is your question, worded differently? 23:16 < ecrist> nm. I'm going to bed. 
23:18 < Celsiux|Nulled> ok 23:18 < Celsiux|Nulled> here is 23:18 < Celsiux|Nulled> I want to be able to assign each vpn client a different ip instead of the main shared server ip 23:18 < ecrist> each client does have its own IP 23:19 < Celsiux|Nulled> like I have around 10 ips (public) on my server but when I connect a vpn client to the server it always takes the main server ip 23:19 < ecrist> oh, that's an OS thing, really 23:19 < Celsiux|Nulled> iptables? 23:19 < ecrist> not any real good way around that 23:19 < ecrist> iptables would be a good way to remedy it 23:20 < Celsiux|Nulled> so one question if you willing to help I am not really good at admin stuff etc 23:20 < Celsiux|Nulled> lets say 23:20 < ecrist> i'd do it with PF, but I use a 'real' OS. :) 23:21 < Celsiux|Nulled> I would have to add a rule for each internal ip assigned by openvpn to route the traffic thru each extra ip I have? 23:21 < ecrist> yep 23:21 < Celsiux|Nulled> PF? 23:38 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 23:42 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has left ##openvpn [] --- Day changed Sat May 02 2009 00:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:37 -!- bandinia [n=bandini@host174-107-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 01:37 -!- Celsiux-Nulled [n=Nullesd@174.36.13.132-static.reverse.softlayer.com] has joined ##openvpn 01:44 -!- bandini [n=bandini@host150-210-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 01:53 -!- sond [n=sond@203.109.175.179] has joined ##openvpn 01:54 < sond> anyone home ? 
01:55 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success] 01:55 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 01:58 -!- Celsiux-Nulled [n=Nullesd@174.36.13.132-static.reverse.softlayer.com] has quit [Read error: 110 (Connection timed out)] 02:10 -!- sond [n=sond@203.109.175.179] has quit ["Leaving"] 03:13 -!- sond [n=sond@203.109.168.200] has joined ##openvpn 03:22 < sond> hmmm its up and running but doesn't show up via a netstat or nmap scan.. 03:29 -!- sond [n=sond@203.109.168.200] has quit ["Leaving"] 04:48 -!- MoonMaker [n=Thomas@BAC12b2.bac.pppool.de] has joined ##openvpn 04:50 < MoonMaker> Hi All. I've a question about scripting. Is it possible to open a messagebox when a user will connect from a client? I want to give the client user more information about openvpn and errors. 04:51 -!- prop__ [n=dd@77.124.153.214] has quit [Connection timed out] 04:53 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn 05:07 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:10 < prop_> my client's download speed from a target(no-vpn): ~300KB.. while client from the vpn server: 300KB.. while the server downloads from the target: 10MB ... while the client uses VPN tunnel, through that server.. the speed is only ~60KB 05:11 < prop_> the client is under XP, openvpn's client, UDP, comp-lzo 05:20 < Bushmills> prop_, traffic shaping by provider? 05:24 < prop_> Bushmills: mm? 05:24 < prop_> Bushmills: 1. direct access of the client to the target = 300KB 05:24 < prop_> Bushmills: 2. direct access of the server to the target = 10MB 05:25 < prop_> Bushmills: 3. client through a VPN to the target = ~60KB 05:26 < prop_> (HTTP GET transfer, using 'wget') 05:55 < frankS2> is there any command line way to add ppl to your addressbook in SHR? 
06:00 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn 06:05 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 06:05 < theDoc> Hello all, anyone might have an idea why route-push isn't working when I connect via gnome-network-manager? 06:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 06:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:00 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 07:51 -!- nemysis [n=nemysis@107-79.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 07:52 -!- nemysis [n=nemysis@79-38.3-85.cust.bluewin.ch] has joined ##openvpn 08:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:09 < dmarkey> i want to join the network of 2 xen servers through a LAN 08:09 < dmarkey> a DHCP server is at one end 08:09 < dmarkey> through a WAN, sorry 08:11 < dmarkey> can openvpn be used for this 08:12 -!- MoonMaker [n=Thomas@BAC12b2.bac.pppool.de] has left ##openvpn [] 08:13 < [4-tea-2]> Since Xen supports tun/tap: yes. 
08:15 < ecrist> dmarkey: yes 08:19 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 08:22 < dmarkey> ecrist: http://pastebin.com/m7841f7d 08:22 < dmarkey> that that look right for the server side 08:28 < dmarkey> does* 08:34 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 08:34 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit [Remote closed the connection] 08:35 -!- Lilarcor [n=Lilarcor@8.sub-97-130-237.myvzw.com] has joined ##openvpn 08:43 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:01 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 09:02 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 09:04 -!- Lilarcor [n=Lilarcor@8.sub-97-130-237.myvzw.com] has quit ["The Lord of Murder Shall Perish."] 09:04 -!- vpat [n=vaibhav@61.83.230.23] has joined ##openvpn 09:06 -!- vpat [n=vaibhav@61.83.230.23] has left ##openvpn [] 09:30 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 09:30 < Dougy> krzie: ping 09:35 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 09:42 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 110 (Connection timed out)] 09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 09:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 09:54 -!- theDoc [n=andelyx@202.138.182.71] has joined ##openvpn 09:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:11 -!- vieq [n=vieq@unaffiliated/vieq] has joined ##openvpn 10:11 -!- vieq [n=vieq@unaffiliated/vieq] has left ##openvpn ["I am outa here"] 10:11 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 10:34 -!- theDoc_ 
[n=andelyx@208.99.194.194] has joined ##openvpn 10:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Nick collision from services.] 10:35 -!- theDoc_ is now known as theDoc 10:40 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 10:54 -!- tjz [n=tjz@bb219-75-22-243.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 11:17 < Dougy> grr 11:17 < Dougy> krzie krzee w/e 11:18 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:19 -!- albech [n=albech@117.47.84.248] has quit [Client Quit] 11:20 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:21 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:26 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:27 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:43 -!- albech [n=albech@117.47.84.248] has joined ##openvpn 11:44 -!- albech [n=albech@117.47.84.248] has quit [SendQ exceeded] 11:52 * Dougy smacks krzie 12:08 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 12:14 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 12:48 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has joined ##openvpn 12:59 -!- prop_ [n=dd@77.124.153.214] has quit [Connection timed out] 13:06 < Dougy> imunna beat him 14:08 -!- c64zottel [n=hans@p5B1783F3.dip0.t-ipconnect.de] has joined ##openvpn 14:25 -!- c64zottel [n=hans@p5B1783F3.dip0.t-ipconnect.de] has quit ["Leaving."] 14:41 -!- prop_ [n=dd@77.124.153.214] has joined ##openvpn 15:01 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 60 (Operation timed out)] 15:36 < prop_> I can't figure it out: my vpn client uses the tunnel for internet access and DNS (redirect) 15:37 < prop_> if I traceroute IP addresses, random sites ... they all go through the 10.8.0.1 of the VPN server 15:38 < prop_> BUT... if I try traceroute PUBLIC_IP_OF_VPN_SERVER .... it shows its actually using the 'direct' route via my router? 
15:39 < prop_> is there a special 'rule' for the public IP of the vpn server to be routed directly, and not via the tunnel --> public_ip ? 15:40 < Bushmills> prop_, how would openvpn talk to the vpn server if route to it was going through openvpn? 15:40 < prop_> Bushmills: thats a very very good question 15:41 < prop_> Bushmills: so if I want to judge the tunnel's transfer speed, I should actually use the internal IP, as in 10.8.0.1 15:42 < krzie> correct 15:42 < Dougy> KRZIE 15:42 < Dougy> PM 15:42 < Dougy> !!%!%!#% 15:42 < vpnHelper> Dougy: Error: "!%!%!#%" is not a valid command. 15:42 < krzie> dougy, i know you well enough you dont hafta ask, can just pm me 15:42 < Dougy> i did 15:42 < Dougy> hours ago 15:42 < krzie> i wasnt here 15:42 < krzie> as you may have noticed ;] 15:42 < Dougy> 5 hours ago 15:42 < Dougy> you should check 16:13 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 16:14 < project2501a> hey guys, what's the order of the arguments passed by --[dis]connect-script ? $IP $COMMON_NAME or reverse? 16:15 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 16:16 < project2501a> --client-connect excuse me 16:19 -!- Roman123 [n=Roman123@starnet1.sinh.us] has left ##openvpn ["Vegetarians don't live longer, they just look older!"] 16:28 < Bushmills> project2501a, tmk, args are not passed at all but can be expanded from environment variables 16:31 < project2501a> ah! cool. i didn't quite understand that part in the man page 16:31 < project2501a> cool 16:32 < project2501a> Bushmills: is it common_name ? all lowercase? 16:33 < project2501a> OOH. 
SEXY!!!1 trusted_ip and untrusted_ip 16:33 * project2501a bows down to the author of openvpn 16:35 < Bushmills> project2501a, all lowercase 16:37 < project2501a> <3 <3 <3 16:56 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 16:56 < Dougy> going home 17:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 17:05 * krzie streaks across the channel 17:14 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 17:41 -!- krzie changed the topic of ##openvpn to: Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 17:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 17:59 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 18:13 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has left ##openvpn [] 18:14 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has joined ##openvpn 18:22 -!- ERICH_ [n=eric@c-76-98-254-20.hsd1.pa.comcast.net] has quit [Remote closed the connection] 18:43 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: worch 18:44 -!- Netsplit over, joins: worch 18:48 -!- apollo13 [i=pd@static.88-198-99-60.clients.your-server.de] has joined ##openvpn 19:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 54 (Connection reset by peer)] 19:32 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 19:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 19:47 -!- MarcWebe1 [n=marc@88.80.200.63] has left ##openvpn [] 20:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:33 -!- prop_ [n=dd@77.124.153.214] has quit [] 21:04 -!- SuperEvilDeath17 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)] 21:04 -!- floyd_n_milan_ 
[n=mrugesh@124.247.220.202] has joined ##openvpn 21:04 -!- gregHome_ [n=gleblanc@75.108.45.57] has joined ##openvpn 21:04 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn 21:05 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 21:06 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 21:19 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 21:20 -!- gregHome [n=gleblanc@75.108.45.57] has quit [Read error: 113 (No route to host)] 21:20 -!- yarihm [n=yarihm@adsl-68-124-30-156.dsl.pltn13.pacbell.net] has joined ##openvpn 21:20 < yarihm> hi everyone 21:21 < yarihm> when I assign an IP to a user having a bridged VPN, can he then change it using ifconfig and have the tunnel still work? 21:40 < Celsiux|Nulled> the end user? 21:48 < yarihm> yes 21:48 < Dougy> Celsiux|Nulled: nulled? 21:48 < yarihm> ? 21:48 < yarihm> Celsiux|Nulled, did you refer to my question? 23:21 -!- chasing`Sol [n=Ahmed@1.0.0.127.reverse-dns.net] has joined ##openvpn 23:40 -!- zxcvop [n=Admin@222.127.158.58] has joined ##openvpn 23:43 -!- chasing`Sol [n=Ahmed@1.0.0.127.reverse-dns.net] has quit ["Leaving"] 23:44 < zxcvop> anyone 23:44 < zxcvop> ? 
23:47 -!- zxcvop [n=Admin@222.127.158.58] has left ##openvpn [] --- Day changed Sun May 03 2009 00:27 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)] 00:31 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 00:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 00:55 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 60 (Operation timed out)] 01:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 02:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:22 -!- Intensity [i=[5S34qXF@unaffiliated/intensity] has quit [Remote closed the connection] 03:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 03:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:42 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 04:00 -!- nemysis [n=nemysis@79-38.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 04:01 -!- nemysis [n=nemysis@208-237.3-85.cust.bluewin.ch] has joined ##openvpn 05:03 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 110 (Connection timed out)] 05:23 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:07 -!- js_ [n=js@193.0.253.161] has quit [Remote closed the connection] 07:43 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 08:43 -!- floyd_n_milan [n=mrugesh@124.247.220.202] has joined ##openvpn 08:51 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 110 (Connection timed out)] 09:09 -!- seljo [n=matija@82.193.209.4] has joined ##openvpn 09:10 -!- seljo 
[n=matija@82.193.209.4] has left ##openvpn [] 09:10 -!- seljo [n=matija@82.193.209.4] has joined ##openvpn 09:10 < seljo> hi 09:11 < seljo> can someone explain the tun mode ? 09:11 < seljo> !iporder 09:11 < vpnHelper> seljo: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 09:12 < seljo> !interface 09:12 < vpnHelper> seljo: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:12 < seljo> !topology 09:12 < vpnHelper> seljo: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 09:12 < seljo> no one ? 
09:13 -!- seljo [n=matija@82.193.209.4] has left ##openvpn [] 09:20 -!- js_ [n=js@193.0.253.161] has joined ##openvpn 10:05 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 10:18 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 10:23 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 10:29 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 10:34 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 60 (Operation timed out)] 10:36 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn 10:37 -!- unix3 [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)] 10:54 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 11:03 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 11:05 < fixxxermet> !howto 11:05 < vpnHelper> fixxxermet: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:08 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 11:11 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 11:38 < fixxxermet> I am getting an error when starting openvpn. http://pastebin.com/d386f9f26. I have verified my client file (clientKyle.crt: OK). Any other ideas? 
11:43 -!- nemysis is now known as nemysis_ 11:52 -!- nemysis_ is now known as nemysis 11:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"] 12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:13 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn 12:22 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 12:59 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit [Read error: 60 (Operation timed out)] 13:03 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 13:04 -!- [4-tea-2] [n=aurel@buehne.mutantenstadl.de] has quit [Read error: 111 (Connection refused)] 13:11 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 13:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 13:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 13:25 * plaerzen waves 13:34 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)] 13:39 -!- giovanni_ [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has joined ##openvpn 13:39 -!- giovanni [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit [Read error: 110 (Connection timed out)] 13:46 < fixxxermet> http://pastebin.com/d1116e4b6 Can anyone help me with that error? 14:06 < fixxxermet> Sun May 3 15:03:08 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=MARYLAND/L=CATONSVILLE/O=SwiftStaffing/CN=ronlinuxdell/emailAddress=rswift@domain.tld The CN isn't being set right while I am building the ca files. 
14:19 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn [] 14:20 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has joined ##openvpn 14:24 -!- apollo13 [i=pd@unaffiliated/apollo13] has left ##openvpn ["Leaving"] 14:27 -!- giovanni_ [n=giovanni@host-84-221-84-191.cust-adsl.tiscali.it] has quit ["Sto andando via"] 15:10 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has joined ##openvpn 15:16 -!- Lilarcor [n=Lilarcor@pool-71-126-184-191.washdc.east.verizon.net] has quit ["The Lord of Murder Shall Perish."] 15:23 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:38 -!- Roman123 [n=Roman123@starnet1.sinh.us] has joined ##openvpn 15:39 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 15:45 -!- frankS2 [n=frank@ti500720a080-1234.bb.online.no] has quit [Remote closed the connection] 16:00 -!- Schiz0|SD [i=schiz0@unaffiliated/schiz0] has quit [Read error: 110 (Connection timed out)] 16:08 -!- yarihm [n=yarihm@adsl-68-124-30-156.dsl.pltn13.pacbell.net] has left ##openvpn ["Leaving"] 16:10 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 16:19 -!- gregHome_ [n=gleblanc@75.108.45.57] has quit [Read error: 104 (Connection reset by peer)] 16:27 -!- Roman123 [n=Roman123@starnet1.sinh.us] has quit ["Leaving"] 17:42 < dan__t> http://www.speedtest.net/result/465719975.png 17:53 -!- mikkel [n=mikkel@84.238.113.66] has quit [Client Quit] 17:59 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 18:12 < krzie> damn man 18:12 < krzie> thats fatty 18:25 < krzie> fixxxermet what CN are you trying to have? 18:27 < fixxxermet> krzie: Shouldn't the CN be the same as the IP that you are connecting to in client.conf with the 'remote' option? 
18:28 < krzie> no 18:28 < krzie> it should be whatever you decide to name each machine 18:29 < krzie> as long as its unique its fine 18:29 < krzie> i have a CN of CA on my CA, server for my server, and random names for each client 18:29 < krzie> i dont think spaces would be handled right, prolly same for some other chars too 18:37 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 18:41 < fixxxermet> krzie: So when building my CA, the CN should match the hostname? And then the server key hostname is server? 18:41 < krzie> it does NOT need to be a hostname 18:41 < krzie> just anything unique 18:42 < fixxxermet> ok 18:53 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 18:54 < fixxxermet> so I guess the CN error is not related to my problem. 18:55 < reiffert> type = server 18:55 < fixxxermet> whats up? 18:55 < reiffert> nsCertType = server 19:21 < Guest92433> nsCertType is discouraged compared to an EKU of clientAuth or serverAuth 19:21 -!- Guest92433 is now known as pekster 19:59 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 20:57 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 21:01 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 60 (Operation timed out)] 21:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 21:18 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has joined ##openvpn 21:19 < zig> hi all, I've setup a standard openvpn server (with server.conf provided in examples doc) 21:19 < zig> there is one thing I do not understand, the server ip is 10.8.0.1 (I'm using nat, not a bridge) 21:20 < zig> but a default gateway was defined as 10.8.0.2 on the server too; what does it correspond to ? 
21:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 21:21 < zig> additionally; when a client connects, no route is defined to it via the nat interface 21:21 < zig> I had to add it manually 21:39 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:29 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has quit [Read error: 113 (No route to host)] 22:48 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 22:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] --- Day changed Mon May 04 2009 00:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 00:04 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 00:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 00:26 -!- frank__ [n=frank@ti500720a080-1234.bb.online.no] has joined ##openvpn 00:37 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:50 -!- infinity_ [i=brendon@saleen.netcal.com] has quit ["leaving"] 00:57 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 00:57 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:03 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)] 01:16 -!- worch [i=worch@battletoad.com] has quit [Read error: 60 (Operation timed out)] 01:16 -!- worch [i=worch@battletoad.com] has joined ##openvpn 01:29 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 01:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 01:45 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 01:57 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn 02:11 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the 
connection] 02:13 -!- zig [n=zig@118.6.196.219] has joined ##openvpn 02:15 < krzee> !route 02:15 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:25 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 02:33 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 02:38 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 03:30 < dazo> !tunortap 03:30 < vpnHelper> dazo: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 03:35 -!- zig [n=zig@118.6.196.219] has quit [Read error: 113 (No route to host)] 03:37 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 03:43 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 04:04 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 04:04 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 04:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 05:40 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn 05:44 -!- frank__ [n=frank@ti500720a080-1234.bb.online.no] has quit [Read error: 110 (Connection timed out)] 05:51 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [] 05:51 -!- bagpuss_thecat [n=bagpuss_@2001:41c8:1:5253:0:0:0:2] has joined ##openvpn 05:54 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 05:54 -!- DeviantPeer [n=kvirc@87.196.181.110] has joined ##openvpn 05:54 < DeviantPeer> Hi all. 
05:59 -!- floyd_n_milan_ is now known as floyd_n_milan 06:06 < reiffert> Hi DeviantPeer. 06:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 06:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 06:50 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 06:51 -!- Stevethe1irate [n=noxville@clam.leg.uct.ac.za] has quit [Remote closed the connection] 06:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 08:04 -!- exoeoeoeoe [i=Executio@dslb-094-223-191-212.pools.arcor-ip.net] has joined ##openvpn 08:05 < exoeoeoeoe> http://3x3cut10n3r.mybrute.com/ <-- have fun & good luck 08:05 < vpnHelper> Title: 3x3cut10n3r My Brute (at 3x3cut10n3r.mybrute.com) 08:05 -!- exoeoeoeoe [i=Executio@dslb-094-223-191-212.pools.arcor-ip.net] has quit [Remote closed the connection] 08:10 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 08:17 -!- frank__ [n=frank@ti500720a080-6624.bb.online.no] has joined ##openvpn 08:26 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: bandinia, isox, frank__, feinoM, qknight, M06w, dazo, disco-, youngpro, xor|, (+46 more, use /NETSPLIT to show all of them) 08:27 -!- Netsplit over, joins: krzee, frank__, epaphus, nemysis, Deffie_, polaru, DeviantPeer, bagpuss_thecat, floyd_n_milan, jfkw (+46 more) 08:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:49 -!- epaphus [n=unix3@201.199.62.74] has quit [Success] 08:55 -!- frank__ [n=frank@ti500720a080-6624.bb.online.no] has quit [Read error: 110 (Connection timed out)] 09:07 -!- Cronixx [i=irssi@62.141.56.213] has joined ##openvpn 09:07 < Cronixx> hi all 09:07 < Cronixx> i wanna bind a static ip to the connected openvpn client 09:07 < Cronixx> is that even possible? 
09:08 < Cronixx> so the client is accessible from outside via the openvpn servers static public IP 09:08 < Cronixx> like dyndns with IP's 09:09 -!- bagpuss_thecat [n=bagpuss_@2001:41c8:1:5253:0:0:0:2] has left ##openvpn [] 09:09 < Cronixx> is that even openvpn related or is it more an iptables related question? 09:10 < project2501a> hey guys, question: can i make the damn openvpn server NOT timeout every connection? 09:11 < project2501a> is there an option that says "keep connection alive even if it's udp"? 09:11 < Cronixx> have u set keepalive in config? 09:12 < Cronixx> like 09:12 < Cronixx> keepalive 10 60 09:13 < project2501a> let me see. the server keeps resetting the connections. maybe i should enter keepalive on my end 09:14 < project2501a> ya i had keepalive 10 20 09:14 < Cronixx> hm 09:14 < project2501a> on my client 09:14 < Cronixx> try setting it higher 09:15 < project2501a> i just lowered that to 1 20 09:15 < project2501a> why higher? 09:15 < Cronixx> 10 30 or even 10 40 09:15 < Cronixx> because a lower setting gives the server less time to answer 09:15 < project2501a> ah 09:15 < Cronixx> so if the server answers slow 09:15 < Cronixx> you could increase that time 09:15 < project2501a> erh, it's a hp dl320 09:15 < Cronixx> to let it wait longer for a reply 09:15 < project2501a> dual xeon :D 09:15 < Cronixx> ergo not time out the connection 09:15 < project2501a> on a fiber line :D 09:15 < Cronixx> hmm 09:15 < project2501a> ya 09:16 < Cronixx> im working on a dl360 with dual xeon atm 09:16 < project2501a> Cronixx: that's where *i* am at. 
at that "hmm" 09:16 < Cronixx> xD 09:16 < project2501a> i'm like wtf 09:16 < project2501a> i got 100mbit connection to my house 09:16 < Cronixx> omg 09:16 < project2501a> and the server is at work 09:16 < Cronixx> i want 2 09:16 < project2501a> and the piece of shit times out 09:16 < Cronixx> hmmm 09:16 < Cronixx> very strange 09:17 < project2501a> i need some cash so i can go buy a cisco router so i can deal with this problem permanently 09:17 < project2501a> anyway 09:17 < Cronixx> xD 09:17 < project2501a> set keepalive to 1 20 09:17 < Cronixx> maybe you can help me? 09:17 < project2501a> let's see what happens 09:17 < project2501a> Cronixx: sure 09:17 < project2501a> whatever i can bro 09:17 < Cronixx> i have a setup 09:17 < Cronixx> 2 servers 09:17 < project2501a> don't we all? :D 09:17 < project2501a> heheh :D 09:17 < project2501a> go ahead 09:17 < Cronixx> one is at a datacenter 09:18 < ecrist> good morning, folks 09:18 < Cronixx> with 3 static public ips 09:18 < Cronixx> and the other one at home 09:18 * project2501a waves to ecrist 09:18 < Cronixx> static ip too 09:18 < Cronixx> but firewalled 09:18 < Cronixx> so 09:18 < Cronixx> i now have a vpn tunnel between the servers 09:18 < Cronixx> now i want to set 1 of the 3 static IP's as the tunnel endpoint 09:19 < Cronixx> so the second server at my home is reachable from the static ip of the server in the datacenter 09:19 < Cronixx> every port needs to be forwarded to the server at my home / the vpn client 09:19 < Cronixx> for that ip 09:19 < Cronixx> it's done via iptables right? 09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:20 < project2501a> ya 09:20 < Cronixx> damn 09:20 < Cronixx> i cant do a fu*k with iptables 09:20 < project2501a> hehe 09:20 < project2501a> is it production? 09:20 < Cronixx> sure 09:20 < Cronixx> wanna run a CSS server on the client 09:20 < project2501a> ya don't mess with production 09:20 < project2501a> oh, css. 
09:20 < project2501a> dude :P 09:20 < Cronixx> oh its going to be production 09:20 < Cronixx> atm it isnt 09:20 < Cronixx> its a high end server 09:21 < Cronixx> just need to have a static ip 09:21 < Cronixx> ;D 09:21 < project2501a> have an internal ip and assign the tun to that 09:21 < Cronixx> css-server -> openvpn-client -> openvpn server -> static ip 09:21 < Cronixx> and other way round 09:21 < project2501a> or rather set the tun to the static ip you with 09:21 < project2501a> but 09:21 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 54 (Connection reset by peer)] 09:21 < Cronixx> how? 09:22 < project2501a> s/with/wish/ 09:22 < Cronixx> im not that crack in networking 09:22 < Cronixx> ;( 09:23 < project2501a> well, provided you run linux, modprobe tun; lsmod | grep tun 09:24 < project2501a> see if the tun module is loaded in the kernel 09:24 < Cronixx> the tunnel is already set up 09:24 < project2501a> did you ifconfig the tunnel to the ip you want? 09:26 < Cronixx> how? 09:26 < Cronixx> w8 09:26 < Cronixx> i'll show u my configuration files 09:26 < project2501a> why? 09:26 < project2501a> ip forwarding is done via iptables 09:27 < Cronixx> http://pastebin.com/m65c8a211 09:27 < Cronixx> what does the iptables statement have to look like? 
09:29 < project2501a> erh, dude, read the manual :P 09:29 < Cronixx> i hate iptables ;C 09:29 < Cronixx> the prob is 09:29 < Cronixx> i dont have eth0 - 2 on the server 09:29 < Cronixx> only venet0:0 - 2 09:30 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:57 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [] 10:00 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 10:02 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."] 10:02 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 10:04 -!- Cronixx [i=irssi@62.141.56.213] has quit ["Lost terminal"] 10:04 -!- Deffie_ [n=Deffie@nectarine/admin/deffie] has quit [Client Quit] 10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:40 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 10:51 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 10:56 -!- DeviantPeer [n=kvirc@87.196.181.110] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"] 11:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:35 -!- Timpa [n=timpa@c-c31470d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 11:41 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 11:42 -!- arturob [n=bandini@host230-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 11:56 -!- bandinia [n=bandini@host174-107-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 12:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 12:20 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 12:21 -!- roentgen 
[n=HaRT@miranda/user/roentgen] has quit [] 12:29 -!- prop_ [n=dd@IGLD-84-228-155-161.inter.net.il] has joined ##openvpn 12:33 < prop_> guys, is there something I'm missing about the whole VPN operation? is there a real reason why a 300KByte line gets a penalty to -6Kbyte- ? 12:33 < prop_> I use IP#1 of the server, to connect to the VPN server, and I use IP#2 - to make GET HTTP request 12:33 < prop_> IP#1 = 300KByte , IP#2(through the tunnel) .. currently ~6KB 12:38 -!- arturob [n=bandini@host230-23-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 12:44 -!- Cronix [n=Cr0nix@e180070100.adsl.alicedsl.de] has joined ##openvpn 12:44 < Cronix> hi all 12:44 < Cronix> is there a good tutorial for ip based routing out there for openvpn? 12:45 < Cronix> !redirect 12:45 < vpnHelper> Cronix: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:45 < Cronix> !ipforward 12:45 < vpnHelper> Cronix: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 12:45 < Cronix> !linipforward 12:45 < vpnHelper> Cronix: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 12:46 < Cronix> !nat 12:46 < vpnHelper> Cronix: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 12:46 < Cronix> !linnat 12:46 < vpnHelper> Cronix: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, 
you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 12:46 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has joined ##openvpn 12:47 < Cronix> thats useless 12:47 < Cronix> because i dont have eth0 etc on my server 12:47 < Cronix> theyre called venet0:0 etc for me 12:47 < prop_> virtual environment? 12:47 < Cronix> and iptables throws out errors if i use them instead of eth0 etc 12:47 < Cronix> thats why i need ip based forwarding 12:48 < Cronix> but there arent any links or howtos out there 12:48 < Cronix> or lets say i havent found them 12:48 < prop_> Cronix: virtual environment? 12:48 < Cronix> jup 12:48 < Cronix> VRS server 12:48 < Cronix> need it for pseudo static ip of a server at my home 12:48 < prop_> Cronix: have you tried "venet0" ? 12:48 < Cronix> doesnt even exist 12:48 < Cronix> i have 3 ve nets 12:49 < Cronix> all 3 with a different static public ip 12:49 < Cronix> venet0:0 is one ip 12:49 < Cronix> venet0:1 is one 12:49 < Cronix> and venet0:2 is an other one 12:49 < prop_> you don't have venet0 ? 12:49 < Cronix> nope 12:50 < Cronix> thats why i need to forward using source and destination ip 12:50 < prop_> "cat /dev/net/tun" ? 12:50 < Cronix> but it isnt even documented very well 12:50 < Cronix> exists 12:50 < Cronix> cat: /dev/net/tun: File descriptor in bad state 12:50 < Cronix> but thats normal 12:50 < Cronix> the vpn connection is established 12:51 < Cronix> i can ping between the servers 12:51 < Cronix> i can even ssh from one to another 12:51 < Cronix> but i need to use one of my 3 static ip's as default route to route all the vpn traffic to the internet 12:51 < Cronix> but as i said 12:51 < prop_> mind to pastebin your ifconfig ? 
12:51 < Cronix> those devices got only venet0:* 12:51 < Cronix> sure 12:52 < Cronix> ok 12:52 < Cronix> got venet0 but thats localhost 12:52 < Cronix> sry 12:52 < prop_> Cronix: use venet0 12:52 < Cronix> but thats localhost 12:52 < prop_> use venet0 , define source and target 12:52 < prop_> iptables -t nat -L ? 12:53 < Cronix> how? 12:53 < Cronix> and why venet0? 12:53 < Cronix> it points to localhost 12:53 < Cronix> http://pastebin.com/d6a60fa25 12:53 < Cronix> my ifconfig 12:54 < prop_> what does your iptables say ^^ ? 12:54 < Cronix> havent done anything with iptables yet 12:54 < Cronix> what do u want me to do? 12:54 < prop_> "iptables -t nat -L" 12:54 < Cronix> http://pastebin.com/m7a358c3f 12:54 < Cronix> empty 12:56 < Cronix> what i want 12:56 < Cronix> is 12:56 < Cronix> something like a DMZ 12:56 < Cronix> from the static IP# 12:57 < Cronix> to the server which is connected via VPN 12:57 < Cronix> and back 12:57 -!- frank__ [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 12:58 < prop_> not sure if I understand 12:59 < Cronix> server1 is reachable on the internet via 3 different static IP's 12:59 < Cronix> one of the 3 IP should be used as gateway to the connected vpn client 12:59 < Cronix> so every port on that ip will be forwarded to the client 13:00 < Cronix> and every access of the internet from the client should go out as this ip 2 13:00 < prop_> Cronix: well, now its more clear 13:00 < Cronix> so actually change the ip usage from server to client 13:00 < prop_> Cronix: try: iptables -t nat -I POSTROUTING -s VPN_CLIENT_IP -o venet0 -j SNAT --to GATEWAY_IP 13:00 < Cronix> so that the server cant use it anymore because every port will be used by the other server 13:00 < Cronix> and thats all? 
13:01 < prop_> Cronix: that's supposed to route the source to the public, regarding the opposite direction I'm not familiar 13:01 < Cronix> hm 13:01 < Cronix> okay 13:01 < Cronix> thx xD 13:01 < prop_> but it could be that just switching places of source and target should work 13:01 < Cronix> trying now 13:02 < Cronix> do i need to echo 1 to some file? 13:03 < prop_> "echo 1 > /proc/sys/net/ipv4/ip_forward" 13:03 < Cronix> hm 13:03 < Cronix> still landing on the vpn server via ssh 13:04 < prop_> what do you mean 13:04 < Cronix> the client is connected 13:04 < Cronix> ive typed the 3 lines 13:04 < Cronix> (copy pasted them) 13:04 < Cronix> and ssh'd to the ip ive forwarded 13:04 < Cronix> but instead of being connected to the vpn client im connected to the vpn server 13:05 < prop_> check the opposite direction 13:05 < prop_> try from the client --> out to the world 13:05 < Cronix> how? 13:05 < Cronix> k 13:05 < Cronix> 1 sec 13:06 < Cronix> nope 13:06 < Cronix> still the internet ip of the client 13:06 < Cronix> do i need to change something clientside? 13:07 < prop_> push "redirect-gateway" <-- is on the server.conf ? 13:07 < prop_> push "dhcp-option DNS 10.8.0.1" <-- server.conf ? 13:08 < Cronix> jup 13:12 < prop_> mmmm 13:12 < prop_> Cronix: http://openvpn.net/index.php/documentation/howto.html#redirect 13:12 < vpnHelper> Title: HOWTO (at openvpn.net) 13:12 < prop_> Cronix: try reading up on that, I'm not sure whats wrong 13:12 < Cronix> alright 13:15 -!- arnold_ [n=arnold@85-127-205-89.dynamic.xdsl-line.inode.at] has joined ##openvpn 13:18 -!- epaphus [n=unix3@190.10.68.227] has quit [Client Quit] 13:19 -!- zig [n=zig@p1219-ipbf4706marunouchi.tokyo.ocn.ne.jp] has quit ["Quitte"] 13:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:21 < arnold_> !interface 13:21 < vpnHelper> arnold_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 13:21 < arnold_> anyone can help me on a nasty problem with openvpn ? 13:22 < arnold_> my vpn was already working but since a restart of the server it doesn't work anymore 13:22 < arnold_> I get a connection to it 13:22 < arnold_> but I cannot ping 10.8.0.X (vpn tun0 devices) nor my destination LAN (192.168.2.X) 13:33 < ecrist> is openvpn running on the server? 13:33 < ecrist> !logs 13:33 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6 13:37 < arnold_> http://pastebin.com/d2a729827 13:37 < arnold_> server 13:38 < ecrist> line 189 sticks out... 13:38 -!- Timpa [n=timpa@c-c31470d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 13:39 < arnold_> but route should be set 13:39 < arnold_> [root@server openvpn]# netstat -rn 13:39 < arnold_> Kernel IP routing table 13:39 < arnold_> Destination Gateway Genmask Flags MSS Window irtt Iface 13:39 < arnold_> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 13:39 < arnold_> 195.202.174.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 13:39 < arnold_> 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 13:39 < arnold_> 10.8.0.0 192.168.2.10 255.255.255.0 UG 0 0 0 eth0 13:39 < arnold_> 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 13:39 < arnold_> 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 13:39 < arnold_> 0.0.0.0 195.202.174.1 0.0.0.0 UG 0 0 0 eth1 13:40 < ecrist> don't paste your routing table here, that's what pastebin is for. 13:40 < ecrist> ok, I don't know what that script does, but something exited wrong. all I'm saying. 13:40 < arnold_> http://pastebin.com/m7ae5c5d9 13:40 < ecrist> firewall missing some rules that you added manually? 
13:40 < arnold_> nope should be all fine 13:40 < arnold_> also when I deactivate the firewall it doesn't work 13:41 < ecrist> where are the client logs? 13:42 < arnold_> need to check how I can copy them (Tunnelblick doesn't like copy/paste) 13:43 < arnold_> client logs from command line: 13:43 < arnold_> http://pastebin.com/m767f85e2 13:43 < arnold_> I cannot even ping 10.8.0.X which I should be able to even if routing is fucked up 13:45 < ecrist> right-click, select copy 13:45 < ecrist> it just doesn't like the command-c 13:45 < ecrist> can you ping 10.8.0.1? 13:46 < arnold_> no 13:46 < arnold_> here are the logs from tunnelblick: http://pastebin.com/m6585f309 13:47 < ecrist> ok, if you have an IP assigned by OpenVPN, it appears you have 10.8.0.6, you should be able to ping 10.8.0.1 13:48 < arnold_> but I cannot 13:48 < ecrist> if you cannot, it's 99% likely it's a firewall issue. 13:49 < arnold_> firewall is turned off 13:49 < ecrist> iptables? 13:49 < ecrist> !iptables 13:49 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 13:49 < arnold_> http://pastebin.com/m628e0c11 13:49 < arnold_> this is my current iptables setup 13:49 < arnold_> on the server 13:49 < ecrist> I'm the wrong one to ask about iptables, read the links from vpnHelper 13:50 < arnold_> at the moment it is set to accept anything 13:50 < ecrist> most people forget one set of tables or something when they disable their firewall 13:50 < arnold_> will check the pages 13:54 < arnold_> even with this config it doesn't work: 13:54 < arnold_> http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 13:54 < vpnHelper> Title: OpenVPN/Firewall - Secure 
Computing Wiki (at www.secure-computing.net) 13:55 < arnold_> this is my tun0 on the client: 13:55 < arnold_> tun0: flags=8851 mtu 1500 13:55 < arnold_> inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 13:55 < arnold_> open (pid 1226) 13:56 < arnold_> and I cannot even ping this one 13:56 < arnold_> noname:~ arnold$ ping 10.8.0.6 13:56 < arnold_> PING 10.8.0.6 (10.8.0.6): 56 data bytes 13:56 < arnold_> ^C 13:56 < arnold_> --- 10.8.0.6 ping statistics --- 13:56 < arnold_> 1 packets transmitted, 0 packets received, 100% packet loss 13:56 < arnold_> , 14:01 < arnold_> any ideas ? 14:29 -!- Intensity [i=[HiX103q@panix1.panix.com] has joined ##openvpn 15:16 -!- arnold_ [n=arnold@85-127-205-89.dynamic.xdsl-line.inode.at] has quit [] 15:19 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 15:20 -!- znh [n=user@unaffiliated/znh] has joined ##openvpn 15:20 < znh> Hello lads 15:21 < znh> I have a few clients that make use of the redirect-gateway paramanter in the server config. can I configure a client to not listen to that paramanter? 15:21 < znh> I'd rather not touch the server's configuration file 15:23 < znh> *parameter 15:28 < krzie> sure 15:28 < krzie> its something along the lines of route-nopull or something 15:28 < krzie> !man 15:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:29 < znh> --route-noexec 15:29 < znh> Don't add or remove routes automatically. Instead pass routes to --route-up script using environmental variables. 15:29 < krzie> --route-nopull 15:29 < krzie> When used with --client or --pull, accept options pushed by server EXCEPT for routes. 15:29 < krzie> When used on the client, this option effectively bars the server from adding routes to the client's routing table, however note that this option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface. 
15:29 < znh> oh 15:29 < krzie> it will ignore pushed routes with that 15:29 < krzie> but allow the rest of pull to work 15:30 < krzie> aka exactly what you asked for 15:30 < znh> I googled --route-nopull.. no results!? 15:30 < krzie> why use google when you have a manual 15:30 < znh> no clue. Im kinda brainwashed by Google 15:30 < krzie> fine, then use it right 15:31 < krzie> !google route-nopull 15:31 < znh> I can't find --route-nopull either on the man page 15:31 < vpnHelper> krzie: Gmane -- Mail To News And Back Again: ; Gmane -- Mail To News And Back Again: ; [Openvpn-devel] [PATCH] Default route metric: 15:31 < znh> closest thing I can find is route-noexec 15:31 < krzie> oh ya it seems to be a 2.1 option 15:32 < znh> using 2.0.9 here 15:32 < krzie> seems we found the problem 15:32 < krzie> upgrade the client you want not to pull to 2.1 15:32 < znh> won't I have issues with different versions? 15:33 < krzie> you tell me 15:33 < krzie> (after trying) 15:33 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:33 < znh> (o really) 15:33 < krzie> i dont expect it to because i believe the stuff gets pushed both ways, but with nopull gets ignored by client 15:33 < znh> 2.1 is a development version correct 15:34 < krzie> i know they can connect fine, if the server uses something the client doesnt there would be a problem 15:34 < krzie> but i think this would be fine 15:34 < krzie> yes, 2.1 is devel 15:36 < znh> mm upgraded the client, connected without errors. yet no communication with the VPN 15:36 < znh> default gateway points to non-vpn though 15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'route' cannot be used in this context 15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'redirect-gateway' cannot be used in this context 15:37 < znh> Mon May 04 22:35:51 2009 Options error: option 'route' cannot be used in this context 15:38 < znh> without route-nopull it works out of the box. 
It's not a version conflict 15:38 < krzie> !configs 15:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:39 < znh> http://pastebin.com/m38db2f79 15:39 < krzie> ... 15:40 < krzie> missing a few things 15:40 < znh> you tell me 15:40 < krzie> read what my bot said again 15:40 < krzie> !configs 15:40 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:43 < znh> http://pastebin.com/m5b0e5aef 15:45 < krzie> what does and doesnt work when you connect the above client? 15:45 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Nick collision from services.] 15:45 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 15:45 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 15:45 < Dougy> krzie 15:45 < Dougy> you know what makes me sad 15:45 < Dougy> that $25 backplane is too big for your server 15:45 < Dougy> so its useles 15:45 < Dougy> s 15:45 < krzie> lol 15:45 * Dougy sighs 15:45 < Dougy> $25 -> garbage 15:46 < znh> it can reach the internet through the LAN router. Client can't ping VPN router or anything on the VPN's LAN 15:46 < znh> with route-nopull that is. 15:48 < znh> tracert indicates that traffic is routed through the LAN router 15:49 < Dougy> krzie im gonna kill someone 15:49 < Dougy> :'( 15:49 < krzie> znh no kidding 15:49 < krzie> znh, ping 192.168.90.1 from the client after connecting 15:49 < znh> tried. 
times out 15:50 < krzie> znh 15:50 < krzie> !logs 15:50 < vpnHelper> krzie: "logs" is please pastebin your logfiles from both client and server with verb set to 6 15:50 < krzie> i only want the client log 15:51 * Dougy grunts 15:51 < krzie> also, something important for you to know 15:51 < Dougy> gr 15:51 < krzie> !tcp 15:51 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:51 < Dougy> the backplate is a tower backplate 15:51 < Dougy> LAME 15:51 < krzie> dougy, helps to pay attention to what you're buying ;] 15:51 < Dougy> well 15:52 < Dougy> i knew what i was buying 15:52 < Dougy> but this chassis is anal 15:52 < Dougy> http://www.google.com/url?sa=t&source=web&ct=res&cd=7&url=http%3A%2F%2Fwww.supermicro.com%2Fproducts%2Fchassis%2F1U%2F512%2FSC512L-200.cfm&ei=d1X_ScaQGoaeM_fF9a0E&usg=AFQjCNESju4h2c4IICny66RrwqPEv9_XkA 15:52 < vpnHelper> Title: Super Micro Computer, Inc. - Products | Chassis | 1U | SC512L-200B (at www.google.com) 15:52 < Bushmills> what is "remote IP-HERE 1194" ?? 15:52 < Dougy> http://www.supermicro.com/products/chassis/1U/512/SC512L-200.cfm 15:52 < vpnHelper> Title: Super Micro Computer, Inc. - Products | Chassis | 1U | SC512L-200B (at www.supermicro.com) 15:52 < znh> can't avoid TCP. UDP is blocked by firewall at a lot of clients 15:52 < krzie> Bushmills hes hiding his ip cause he trusts us enough to get help but hes scared that we'll all hack him if he gives his ip 15:52 < Bushmills> did you massage the config to remove the actual ip address there, or was that literally taken 15:53 < znh> removed IP on purpose. everyone can read pastebins :) 15:53 < krzie> yet he doesnt bother to use HMAC keys or check the server cert to stop MITM attacks 15:53 < Bushmills> ah, ok. looked a bit like an unfinished client config 15:54 < krzie> (which btw is explained in !hmac and !mitm ) 15:54 < Bushmills> moin moin krzie. 
15:54 < krzie> moin 15:54 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 15:55 < krzie> http://www.youtube.com/watch?v=B7NTYeRg5Dg 15:55 < vpnHelper> Title: YouTube - A monkey trying to rape a goat (at www.youtube.com) 15:55 < Bushmills> grin 15:55 < znh> http://pastebin.com/m1cd182e3 client's log verb 6 15:57 < krzie> znh, add these to the client config 15:57 < krzie> route 192.168.90.0 255.255.255.0 15:57 < krzie> route 192.168.1.0 255.255.255.0 15:57 < krzie> then reconnect 15:58 < znh> Fuck yeah! 15:58 < znh> Thanks monkey. that did the trick 15:58 < krzie> yw 15:59 < znh> !hmac 15:59 < vpnHelper> znh: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the tls 15:59 < vpnHelper> znh: static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 16:00 < krzie> oh right you arent using UDP 16:00 < krzie> so that wont help, but you still want !mitm 16:00 < znh> !mitm 16:00 < vpnHelper> znh: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates 16:00 < znh> I used build-key-server script 16:00 < krzie> !servercert 16:00 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 16:01 < 
krzie> grr its not there 16:01 < krzie> !sample 16:01 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:01 < krzie> !learn mitm as then use: ns-cert-type server in the client config 16:01 < vpnHelper> krzie: Joo got it. 16:01 < znh> is it really that bad to use TCP as protocol? 16:02 < krzie> did you bother reading the link? 16:02 < krzie> !tcp 16:02 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 16:02 < krzie> worst case i'd do this: 16:02 < znh> I did bother. It's just not that easy 16:02 < krzie> run openvpn 2x, 1 for udp 1 for tcp 16:02 < krzie> 192.168.90.0 and 192.168.91.0 16:03 < krzie> then use blocks to try udp first, with fallback to tcp 16:03 < krzie> so anyone who can will use udp 16:03 < krzie> also if you dont run a NS on the server, use udp port 53 for server 16:03 < krzie> it will be open in more firewalls 16:03 < znh> m good one 16:07 < znh> can you explain in easy english what the downside is of using TCP? 16:07 < Dougy> krziue 16:07 < Dougy> krzie 16:07 < Dougy> i checked out the dc yesterday 16:07 < Dougy> i think im gonna sign up 16:07 < krzie> when you tunnel tcp over tcp the retransmission stuff built into tcp works against you 16:08 < krzie> a single retransmission can trigger a flood of retransmissions building on each other from inside and outside the tunnel 16:08 < krzie> and degrade your whole tunnel 16:08 < znh> mm so on bad connections this would occur 16:08 < krzie> if you fully read that link it explains perfectly 16:09 < krzie> even with pictures 16:09 < project2501a> hey guys 16:09 < krzie> you just cant skim it 16:09 < krzie> znh, people have reported issues on good connections 16:09 < project2501a> is there any way to make openvpn maintain the connection open? 16:09 < project2501a> like switch it to tcp? 
16:09 < krzie> project2501a, read on --keepalive
16:09 < krzie> tcp is bad, read this:
16:09 < krzie> !tcp
16:09 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:09 * project2501a is reading
16:10 < project2501a> krzee: i got --keepalive on my client side, should i add it to the server side as well?
16:10 * znh loves that IE8 blocks about:blank by default
16:10 < krzie> project2501a, i expect after you understand what it is/does you wont need to ask that
16:11 < project2501a> krzee: hai hai krzee-sama
16:11 < plaerzen> sweet. I _may_ be reviewing papers for LISA '09
16:11 < project2501a> krzee: gomenasai!
16:11 < project2501a> plaerzen: can i haz free pass? :D
16:11 < Dougy> LISA?
16:11 < project2501a> sysadmin-con
16:11 < krzie> project2501a you speaking english?
16:11 < plaerzen> large installation system administration
16:11 < Dougy> ooh
16:12 < Dougy> hmm
16:12 < Dougy> cod5.
16:12 < project2501a> krzee: um, english, greek, german, spanish, italian and some japanese.
16:12 < project2501a> why?
16:12 < Dougy> whoa
16:12 < Dougy> i wish i spoke all those
16:12 < krzie> krzee: hai hai krzee-sama
16:12 < krzie> krzee: gomenasai!
16:12 < project2501a> oh, sorry :)
16:12 < project2501a> Dougy: i wish i was presenting a paper in LISA
16:12 < znh> project2501a: mio nomo estas Johano
16:13 < project2501a> znh: viva chinco de mayo :D
16:13 < znh> omfg
16:13 < Dougy> yo tengo un monstruo in mi pantalones
16:13 < Dougy> en*
16:13 < project2501a> Dougy: you wish :D
16:13 < Dougy> nope
16:13 < Dougy> yo tengo
16:14 < project2501a> anyway, happy zapatistas liberation movement day.
16:14 < project2501a> let's seeeeeee, sysadmin on a Plan 9 grid...
16:14 < Dougy> afk
16:14 < project2501a> plaerzen: where's lisa 09 taking place?
16:15 < znh> project2501a: btw that was Esperant
16:15 < znh> Esperanto
16:15 < plaerzen> project2501a, baltimore
16:15 < project2501a> znh: it looked italian-ish
16:16 < znh> that's the power of the language.. everyone can read it
16:16 < znh> and learn it :p
16:16 < project2501a> :D
16:16 < znh> I wish the fucknuts of the internets used that instead of English :)
16:17 < znh> !offtopic
16:17 < project2501a> znh: convince /b/ to use esperando ;)
16:17 < vpnHelper> znh: Error: "offtopic" is not a valid command.
16:17 < znh> heh. I have my doubts about /b/'s intelligence
16:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
16:17 < project2501a> that's the whole point, aint it?
16:18 < znh> "anonymous" 'chit-chat'
16:26 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
16:27 -!- znh [n=user@unaffiliated/znh] has quit ["Lost terminal"]
16:27 < project2501a> i just read the man page and added keepalive on the server conf
16:28 < project2501a> is there a way to test the server conf without restarting it?
16:28 < krzie> no
16:28 < Dougy> yes
16:28 < Dougy> run it on another dev server
16:28 < Dougy> ;]
16:28 < project2501a> Dougy: heh. ya, that's my project for tomorrow morning
16:29 < chrisbdaemon> Hey, I could use some help. I'm trying to setup openvpn on my OpenBSD 4.5 server and I get a whole bunch of errors when I put the openssl.cnf file that comes with the package, http://pastebin.com/d68d14b97
16:30 < chrisbdaemon> i think it might be something to do with "export KEY_CONFIG=`$EASY_RSA/openssl.cnf $EASY_RSA`" but i'm not sure..
16:30 < chrisbdaemon> thats in vars btw
16:32 < krzie> that should be fine if $EASY_RSA is set right
16:34 < chrisbdaemon> which I didn't change, is openssl.cnf supposed to be a shell script? it looks like vars is trying to execute it..
16:36 < chrisbdaemon> and it looks nothing like any shell scripts i've seen, more like just a plain configuration file
16:36 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn
16:36 < krzie> no its not a shell script
16:37 < krzie> its the config file for openssl
16:37 < krzie> "export
16:37 < krzie> KEY_CONFIG=`$EASY_RSA/openssl.cnf $EASY_RSA`"
16:37 < chrisbdaemon> iirc, putting something in backticks executes it doesn't it?
16:37 < krzie> that exports a variable named KEY_CONFIG
16:37 < chrisbdaemon> `
16:37 < krzie> those should be single quotes
16:38 < chrisbdaemon> the aren't :\
16:38 < chrisbdaemon> thye*
16:38 < chrisbdaemon> they*
16:38 < krzie> time to fix it then
16:38 < krzie> i dont use easy-rsa
16:38 < krzie> i use ssl-admin
16:38 < krzie> !ssl-admin
16:38 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:39 < chrisbdaemon> and its not just openbsd's package that has that line in vars set like that, its in the source tarball from the openvpn site
16:40 < krzie> then it must work that way normally
16:40 < krzie> since shittons of people use it
16:40 < krzie> but as i said, i dont use easy-rsa
16:42 < chrisbdaemon> yea
16:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:51 < chrisbdaemon> well, thanks for the help
16:51 < chrisbdaemon> cya
16:51 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"]
17:26 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
17:40 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 104 (Connection reset by peer)]
17:50 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
18:10 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
18:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:25 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"]
18:40 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has joined ##openvpn
18:48 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
19:10 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
20:00 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:02 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn
20:02 < Skiff> !howto
20:02 < vpnHelper> Skiff: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:10 -!- ido-- [n=wtf@212.199.189.65] has joined ##openvpn
20:11 < prop_> anybody can help with transfer speed issues?
20:13 < ido--> hrm. i have a server 10.8.0.0 255.255.255.0 directive, and i'm testing my setup on a localhost (openvpn running on router, however for testing I'm connecting from within lan, yes i know its not that good).
20:14 < ido--> anyhow, when connecting, i notice the server is sending this to the client: SENT CONTROL [ido2]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,ifconfig 10.8.0.6 10.8.0.5' (status=1)
20:14 < ido--> whats 10.8.0.5 ?
20:14 < krzie> !/30
20:14 < ido--> the servers ip is 10.8.0.1
20:14 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
20:15 < krzie> its a normal byproduct of the net30 topology which is default
20:16 < ido--> hrm.
20:16 < ido--> i am connecting from a windows host to a linux server.
20:17 < ido--> oh. i get it
20:17 < ido--> so .5 is the network address, and .6 is the virtual ip ? (of the client)
20:19 < krzie> virtual ip?
20:19 < krzie> .6 is the client's vpn ip
20:19 < krzie> .5 is internal to openvpn
20:19 < krzie> just like .2 on the server
20:19 < krzie> that link explained it all
20:19 < ido--> yeah, thats what i meant.
20:21 < ido--> krzie, mind taking a look at this please: http://www.pastebin.ca/1412884
20:22 < ido--> if .5 is internal to the vpn, can it be the gateway ?
20:22 < krzie> just let openvpn handle it itself, it will do it correctly
20:22 < krzie> dont question what its doing
20:22 < ido--> i haven't added anything..
20:22 < krzie> if you're having a problem related to that its on your end, not openvpn's
20:22 < krzie> ok, so whats the problem?
20:22 < ido--> those are all by default from the openvpn
20:23 < ido--> hrm
20:23 < krzie> do you need help with something?
20:23 < ido--> 192.168.0.0 255.255.255.0 10.8.0.5 10.8.0.6 30
20:24 < krzie> as i said
20:24 < krzie> do you need help with something?
20:24 < ido--> well
20:24 < ido--> when i have this routing table
20:24 < ido--> my cpu usage on the client starts going up
20:25 < ido--> and i have no network connectivity to 192*
20:25 < krzie> you using redirect-gateway
20:25 < krzie> ?
20:25 < ido--> nope
20:26 < ido--> but if you look at the routing table
20:26 < krzie> pushing a route to 192.168.0.0?
20:26 < ido--> yes
20:26 < krzie> lol
20:26 < krzie> you think that could somehow work while on-lan?
20:26 < krzie> ?
20:26 < krzie> you made a routing loop, of course the cpu goes up
20:26 < ido--> i know, thats what i was trying to say
20:26 < krzie> ok, comment out the push route
20:26 < krzie> or get off your own lan
20:26 < ido--> oh, wait.
20:27 < ido--> it does the push route by itself
20:27 < ido--> i've disabled it..
20:27 < krzie> !configs
20:27 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:27 < krzie> also this:
20:27 < krzie> is your end project going to be on-lan or off-lan?
20:27 < ido--> why would i have it on-lan ?
20:27 < krzie> some people like to use it to secure wifi and whatnot
20:28 < krzie> but yes, very good question
20:28 < ido--> oh. right
20:28 < ido--> sec.
20:28 < krzie> why DO you have it onlan
20:28 < krzie> if thats not part of the goal, stop doing it
20:28 < ido--> actually i might need it on-lan too
20:28 < krzie> why?
20:29 < ido--> hrm. cross that out. i can live without that
20:29 < krzie> why were you thinking...
20:29 < krzie> to have machines in the lan communicate over the vpn too?
20:31 < krzie> cause if so, that can be done by reading !route
20:31 < ido--> http://www.pastebin.ca/1412893
20:31 < krzie> what is your REAL goal
20:31 < ido--> the conf is there
20:31 < ido--> off-lan access to lan
20:32 < fixxxermet> I have two clients accessing my server. One client is a desktop, which I use to directly access the server and the network. tcpdump shows this client as 10.8.0.10. The other client access the server through a gateway (his vpn client) and tcpdump shows that client as 192.168.8.40
20:32 < ido--> multiple clients
20:32 < fixxxermet> Problem is that when I add a 10.8.0.0 route to the computers on the server's LAN, client2 can not access the network, but client1 can
20:34 -!- elventear [n=elventea@216-243-176-160.static.iphouse.net] has quit [Client Quit]
20:37 < ido--> krzie ?
20:38 < krzie> fixxxermet, right, they need a route to 192.168.8.0 as well
20:39 < krzie> as well as every lan they need to communicate with
20:39 < krzie> easiest done through their default gateway
20:39 < krzie> this is explained in my routing writeup
20:39 < krzie> !routew
20:39 < vpnHelper> krzie: Error: "routew" is not a valid command.
20:39 < krzie> !route
20:39 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:39 < krzie> right under the network diagram
20:39 < fixxxermet> Unfortunately most gateways do not allow you to add custom routes
20:40 < ido--> then you need to add the route per machine on the lan?
20:40 < krzie> ya if they're cheap enough
20:40 < krzie> yes, as explained in my writeup
20:40 < krzie> ido
20:40 < krzie> #
20:40 < krzie> ifconfig 10.3.0.1 10.3.0.2
20:40 < krzie> #
20:40 < krzie> server 10.8.0.0 255.255.255.0
20:40 < krzie> why?
20:41 < ido--> oh. the first is a mistake.
20:41 < ido--> forgot that.
20:41 < krzie> no kidding
20:41 < ido--> eh.
20:41 < krzie> also you have the push route
20:41 < krzie> that you said you didnt have
20:41 < ido--> you said or I said ?
20:42 < krzie> it does the push route by itself
20:42 < krzie> i've disabled it..
20:43 < ido--> hrm. yeah, but should it ?
20:43 < krzie> thats what broke you on-lan
20:43 < krzie> it should be there when off-lan
20:43 < ido--> hrm.
20:43 < ido--> any other comments besides those ?
20:43 < krzie> yup
20:43 < krzie> a few
20:43 < ido--> shoot..
20:43 < krzie> almost dunno where to start
20:43 < krzie> ok...
20:44 < krzie> why on earth would you get rid of the whole cert system and ONLY use a pw?
20:44 < krzie> you dont like security?
20:44 < krzie> that ifconfig line needs to go all together
20:44 -!- Skiff [n=skiff@unaffiliated/skiff] has quit ["Leaving"]
20:44 < krzie> mode server is useless, it knows from the --server statement
20:45 < krzie> your LAN is on 192.168.0.x, so any time your client is on 192.168.0.x when remote, shit will break
20:45 < krzie> duplicate-cn is not a good idea
20:45 < ido--> how do i fix that ? (the duplicate subnet)
20:45 < krzie> you should use HMAC sigs (!hmac)
20:45 < krzie> and you never posted a client config, said what OS or version of openvpn)
20:46 < ido--> server linux 2.0.9
20:47 < ido--> clients on windows, 2.1
20:47 < krzie> why do you have client-cert-not-required
20:47 < krzie> how many clients do you plan on having?
20:47 < ido--> not so many actually
20:47 < krzie> did you make this yourself or copy/paste it from some walkthrough?
20:47 < ido--> 4-5 i suppose
20:47 < ido--> nope
20:48 < krzie> nope what
20:48 < ido--> didn't copy it.
20:48 < ido--> i actually did read a lot of the man page
20:48 < krzie> if i say "this or that" nope cant be an answer
20:48 < krzie> unless it was neither i guess
20:49 < krzie> ok, so why are you using certs, but saying they are not needed to connect?
20:49 < ido--> using only the ca to verify i'm connecting to the correct server
20:49 < ido--> but the server won't be able to verify its clients
20:49 < krzie> and how exactly does chpass check a password?
20:49 < ido--> env vars?
20:50 < krzie> chpass is used to add or change user database information
20:50 < ido--> no, hardcoded..
20:50 < ido--> quick hack
20:50 < ido--> as i said, not so many clients
20:50 < krzie> umm, this is a completely messed up config imo
20:50 < krzie> ild start over
20:50 < ido--> ehe:) thanks.
20:50 < krzie> seriously
20:51 < ido--> i appreciate it.
20:51 < krzie> you have 4 or 5 clients, why not generate a cert for each?
20:51 < ido--> fixing the config as you said before.
20:51 < ido--> hrm.
20:51 < ido--> because that requires maintenance
20:51 < theDoc> krzie: You can use certs to just verify the identity of the server you are connecting to and use user/pass to authenticate against it.
20:51 < krzie> how so?
20:51 < theDoc> krzie: That's what I have running :)
20:52 < krzie> theDoc i wanted to see if thats what he was doing, but he didnt post his client config
20:52 < krzie> (even those my bot says BOTH)
20:52 < theDoc> ahhh.
20:52 < ido--> krzie, thats what i said earlier
20:52 < ido--> "using only the ca to verify i'm connecting to the correct server"
20:52 < krzie> ahh, that sentence didnt make sense to me
20:53 < krzie> i see what you were trying to say now tho
20:53 < theDoc> krzie: Do you happen to have an idea on how to tunnel vpn traffic through a transparent proxy which requires a login and which only permits http traffic over it?
20:53 * theDoc has such a problem :)
20:53 < krzie> actually yes
20:53 < krzie> thats built into openvpn
20:53 < ido--> http-proxy ?
20:53 < krzie> something like that, yup
20:53 < theDoc> krzie: Ahh, care to point me to some resources?
20:53 < theDoc> I'll take a look at it.
20:54 < krzie> !man
20:54 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:54 < krzie> look at every instance of the word proxy
20:54 < theDoc> I have an idea on what to do, was looking for some guides.
20:54 < krzie> screw a guide, use the manual
20:54 < theDoc> bbl, :) breakfast time.
20:54 * theDoc waves
20:54 < ido--> theDoc, its only about 3 directives.
20:54 < krzie> half the guides out there lead people to here with screwed up configs
20:54 < ido--> true.
20:54 < theDoc> krzie: ahaha.
20:55 < theDoc> I would just rebuild it myself and learn from it.
20:55 < krzie> ild like to see socks5 auth in openvpn
20:55 < krzie> it does socks5 but no auth
20:55 < krzie> http-proxy however, does do auth
20:55 < ido--> krzie, so does it now make more sense why client-cert-not-required+auth-user-pass-verify ?
20:56 < krzie> yes and no
20:56 < ido--> why not ?
20:56 < krzie> yes because i know what you're doing
20:56 < ido--> but you still prefer certs ?
20:56 < krzie> no because you are making your vpn far less secure because you dont wanna make 4 certs
20:56 < ido--> ok, thats someone true.
20:56 < ido--> hrm
20:57 < theDoc> krzie: It would be hell if I had something like 1,000 users and all of them are on certs:p
20:57 < theDoc> I'll spend my entire day doing certs for people
20:57 < ido--> should i make the certs with passcodes ?
20:57 < ido--> that is, if they're kept safe
20:57 < krzie> theDoc not so much, you had to get them all setup to begin with, with something like ssl-admin it would pack up their zip for you when you make them
20:58 < theDoc> krzie: Customers/end users don't want to be dealing with certs :P they want to just push buttons and make it into their account :P
20:58 < krzie> plus you could just script something to make them all in batch mode, go fuck your girl a time or 2, and have everything done including their configs and all zipped up
20:58 < theDoc> after all, I run an anonymous vpn tunnel service :P
20:58 < krzie> with certs they dont need a pw
20:58 < krzie> which is EASIER for the end user
20:58 < krzie> they click, connected
20:58 < theDoc> krzie: Yep, but they hop onto other comps and also want to use their vpn :P
20:58 < krzie> and they had to deal with a config file
20:58 < krzie> the cert is just as much effort
20:58 < ido--> theDoc, a free one ? :)
20:58 < krzie> at the exact same time
20:59 * krzie notes he said "customers / end users"
20:59 < ido--> !hmac
20:59 < vpnHelper> ido--: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
20:59 < vpnHelper> ido--: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
20:59 < krzie> as in "not people who just get free stuff"
21:00 < krzie> regardless
21:00 < krzie> theDoc, you have an argument for why not to use certs, he does not
21:00 < prop_> should I experience a huge transfer speed decrease while using a VPN as a gateway?
21:00 < krzie> prop_ depending on a bunch of factors, but pretty much yes
21:01 < ido--> i changed back to certs krzie, you made me change my mind.
21:01 < prop_> krzie: squid for example, for HTTP ... has almost no penalty
21:01 < theDoc> I'd think that if you start encapsulating your packets in ipsec, more overhead :)
21:02 < ido--> hrm.
21:03 < ido--> anything else i should change ?
21:03 < ido--> before i burn a new image ?
21:06 < krzie> ido, post BOTH configs again
21:06 < krzie> if you want that question answered
21:06 < ido--> sec
21:09 < ido--> http://www.pastebin.ca/1412918
21:10 < krzie> prop, you should also make sure you are using UDP, compression if it makes sense to, and have a good MTU
21:10 < krzie> ido--, add proto udp to both configs
21:10 < ido--> isn't udp the default ?
21:11 < krzie> ahh good you have tls-auth
21:11 < krzie> you said you were checking that the server was the server with certs before
21:11 < krzie> but your client config doesnt do it
21:11 < prop_> krzee: tried everything you suggested so far
21:11 < krzie> !mitm
21:11 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
21:12 < prop_> krzee: I guess I'm doomed to use customized proxies :|
21:12 < ido--> doesn't ns-cert-type just verify that the cert of the server is only for servers and not clients/email/etc or something?
21:12 < krzie> also check cpu usage on both sides when its slow
21:13 < prop_> krzie: cpu/ram is practically empty - and its always slow - today it was like 6KB slow
21:13 < krzie> ido, right, it tells the client to be sure that the cert which was signed by the same CA was actually made for a server
21:13 < krzie> ido, otherwise i can use your cert to auth with you
21:13 < ido--> yeah i know
21:13 < ido--> i wrote some code that used libssl in the past
21:14 < krzie> cool, so go stop MITM attacks by adding that
21:14 < ido--> done.
21:14 < krzie> remote 192.168.0.1 \
21:14 < ido--> yeah, its a tmp statement.
21:14 < krzie> that is the biggest reason i dont like people changing stuff to sanitize configs
21:15 < krzie> in reality its just remote right?
21:15 < ido--> yep
21:15 < ido--> actually, without the port
21:15 < krzie> you still gunna use passes?
21:15 < ido--> i just wrote the part now
21:15 < ido--> what are passes ?
21:15 < krzie> remove these
21:15 < krzie> #
21:15 < krzie> duplicate-cn
21:15 < krzie> #
21:15 < krzie> username-as-common-name
21:16 < ido--> hrm. still thinking about that.
21:16 < ido--> i think i'll remove them tho
21:16 < krzie> duplicate-cn is better off not being there
21:16 < krzie> username-as-common-name is 100% pointless in the config you posted
21:17 < ido--> true.
21:17 < ido--> removed.
21:17 < krzie> (the latest one)
21:17 < krzie> ok, repost configs
21:17 < krzie> oh wait
21:17 < krzie> you forgot to keep the push
21:17 < krzie> this config is for use outside the lan, keep the push
21:17 < krzie> the push was only bad INSIDE the lan
21:17 < ido--> oh. ok
21:17 < ido--> i got it now
21:17 < krzie> comment it out when testing inside the lan
21:17 < ido--> because it was in-lan, it added the push automatically
21:18 < ido--> gotcha!
21:18 < ido--> am i right ?
21:18 < krzie> no no
21:18 < krzie> it never added it automatically
21:18 < krzie> you had it there when you shouldnt have
21:18 < krzie> it will NEVER push its lan without being told to
21:18 < ido--> weird then. i have no idea why i had it then
21:18 < ido--> one second.
21:19 < ido--> hrm
21:19 < ido--> how would i know the best MTU ?
21:19 < krzie> !mtu
21:19 < krzie> #2
21:19 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
21:19 < krzie> #2
21:19 < ido--> it depends on where i'm connecting from
21:19 < ido--> which i don't know atm.
21:19 < krzie> you're usually fine without specifying anything
21:20 < krzie> if you will be at the same place a lot its good to test it and set it up for that
21:20 < krzie> but how can anyone know what you need MTU at when you dunno where you'll be...
21:20 < ido--> MTU ping test = isn't there an icmp for this ?
21:20 < krzie> we could make it shitty so its good if you come from a satellite, but odds are you'll find some open wifi more often, hhehe
21:21 < krzie> what?
21:21 < krzie> ping IS icmp
21:21 < krzie> its icmp mode 8 iirc
21:21 < krzie> (for request)
21:22 < ido--> hrm
21:22 < ido--> i was talkin about path mtu
21:22 < ido--> yeah, it does that with ping iirc now
21:23 < krzie> ok i officially have no clue what you're talking about
21:23 < krzie> anyways, paste the new configs
21:23 < ido--> path MTU discovery
21:24 < krzie> ya openvpn doesnt do that
21:24 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
21:24 < ido--> hrm
21:24 < ido--> if i have a slow link
21:25 < ido--> anything special i should add ?
21:25 < krzie> you should prolly figure out what kinda mtu you'll be wanting when you're out
21:25 < krzie> go around to a few places youd use it from and use mtu-test in the clients config
21:26 < krzie> you already have adaptive compression
21:26 < ido--> http://www.pastebin.ca/1412931
21:26 < krzie> also since this sounds road-warrior setup like
21:26 < krzie> you want to change the subnet your server's LAN uses
21:27 < krzie> cause this wont work anywhere with 192.168.0.x as their subnet
21:27 < krzie> just make it 192.168.54.x or something
21:27 < krzie> then it shouldnt conflict with anything
21:28 < ido--> hrm.
21:28 < ido--> oh well.
21:28 < ido--> i've had same ip's on the lan for a decade or so
21:28 < ido--> eh.
21:28 < krzie> nice, due for a change then! ;]
21:28 < ido--> s/had/had the
21:29 < ido--> eh
21:30 < Dougy> HMM
21:30 < Dougy> krzie this dc is slackin mad balls
21:30 < Dougy> i want to sign the contract already
21:31 < ido--> thanks a lot krzee
21:31 < ido--> krzie. gonna test it now !
21:31 < krzie> ido, read up on --ping that you are using, you will likely want to replace it with --keepalive
21:31 < krzie> after that, these are nice configs
21:32 < ido--> why the fuck are ebay/paypal so stupid
21:32 < krzie> because they already have your $
21:32 < krzie> o_O
21:32 < ido--> paypal won't let me select paying out of my own balance, and offers only to pay from my bank account.
21:32 < ido--> they really do want my $$
21:32 < krzie> nah it'll take from your balance first, just isnt an option
21:33 < ido--> i've got two accounts
21:33 < krzie> whether you pick bank or credit, it goes from your balance first
21:33 < ido--> personal and premiere
21:33 < ido--> and i want to pay half the personal (from balance) and the rest with CC which is linked to the second account
21:34 < krzie> hah good luck
21:34 < krzie> best you could do easily would be xfer from 1 to another (losing a percentage) then pay with cc
21:34 < ido--> the ebay account was linked to the second account, but noooo, paypal doesn't allow paying for an item which was bought with an ebay account not link to itself
21:35 < ido--> actually they did allow it back then
21:35 < ido--> anywho, i unlinked my paypal account from ebay, and linked the other one
21:35 < ido--> and it does show up as linked to it in ebay
21:36 < ido--> but again, no, paypal refuses to let me use my ebay account, says its already linked to another account
21:36 < ido--> someone should get fired for this
21:36 < krzie> haha
21:36 < ido--> "This auction account has already been registered by another PayPal account"
21:37 < ido--> fuck them, its registered with THIS paypal account (at least thats what it says on ebay's site)
21:37 < krzie> any more help with your vpn?
21:37 < ido--> hrm
21:37 < ido--> building an image to test it with
21:37 < ido--> i'll return later if i'll need anything
21:37 < ido--> thanks a lot !
21:38 < krzie> yw
21:38 < ido--> wonderful service around here
21:38 < ido--> cheers
21:38 < krzie> hehe
21:39 < ido--> oh
21:40 < ido--> actually i do have another question
21:40 < ido--> smaller one though
21:40 < ido--> i need another server/client pair
21:41 < ido--> in-lan
21:41 < krzie> why
21:41 < ido--> hrm.
21:41 < ido--> i've got a G1 googlephone
21:41 < krzie> those support tuntap?
21:42 < ido--> i want to tunnel a connection over tcp from it to the host (connected with usb, with a tcp port forwarded over it)
21:42 < ido--> i've got openvpn+tun.o compiled
21:42 < krzie> cool, good luck with that
21:42 < ido--> eh,
21:43 < ido--> anywho, what should i setup ?
21:43 < ido--> no need for encryption/compression/users/anything what-so-ever
21:43 < krzie> i actually have no clue what you're trying to do
21:43 < ido--> only in-lan
21:43 < krzie> no need for encryption/compression/users/anything what-so-ever
21:43 < krzie> that means you dont want openvpn
21:43 < krzie> think about a GRE tunnel or something
21:44 < krzie> although i dont see why you even need a tunnel
21:44 < krzie> what is the goal
21:45 < ido--> because i can have only specific ports forwarded
21:45 < ido--> and i want full network access
21:45 < krzie> no idea, hope that goes well for you, openvpn is likely not what you want
21:45 < ido--> why not ? creating a tunnel over a tcp connection ?
21:46 < krzie> no need for encryption/compression/users/anything what-so-ever
21:46 < krzie> that means you dont want openvpn
21:46 < krzie> a tunnel without any of that is just that, a tunnel
21:46 < ido--> i don't think GRE would work
21:46 < krzie> just use a tunnel, openvpn is a little overkill for that
21:47 < ido--> what other options do i have ?
21:47 < krzie> why do you need ports forwarded to your phone
21:47 < krzie> you gunna host services on it?
21:49 < ido--> no
21:49 < ido--> i'd like to have full internet access when its connected to my computer via usb when i have no wifi around
21:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
21:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
22:02 < krzie> ido, what does that have to do with port forwarding?
22:07 < ido--> hrm. ok, i wasn't clear on that
22:08 < ido--> the only way of communicating between the G1 and my pc directly over usb, is by using their debug utility, which can forward a port to the G1.
22:09 < ido--> now if i make a tunnel between the two, i can have full network access from the G1 via the PC.
22:09 < ido--> I've just found a way to a tunnel using SSH, but thats a bit limiting, since windows doesnt have an sshd
22:10 < ido--> well, not without cygwin. i wonder if it'll work with the cygwin one.
22:10 < ido--> actually i'm not sure it would, because it probably wouldn't know how to work with the tun device on windows
22:10 < ido--> ugh.
22:11 < ido--> openvpn would work though.
22:17 < krzie> one of us doesnt know what "forward a port" means
22:17 < krzie> im thinking its not me
22:18 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:18 < krzie> a forwarded port is only needed for a machine behind a nat to be contacted when it has a service listening for connections
22:18 < krzie> which is NOT what you seem to be talking about
22:19 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)]
22:33 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn
22:33 < freaky_t> !logs
22:33 < vpnHelper> freaky_t: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
22:33 < freaky_t> !howto
22:33 < vpnHelper> freaky_t: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:35 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
22:36 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 54 (Connection reset by peer)]
22:37 < ido--> krzie: I know what I'm talking about, the port is "forwarded" over the usb link (embedded in their driver for debugging purposes)
22:37 < ido--> anyhow, i got it working... minimal config, works like a charm
22:37 < krzie> what port!
22:37 < ido--> whichever tcp port i choose..
22:37 < krzie> so to make an outbound connection you are saying it must be configured for port forwarding
22:38 < ido--> pc->G1
22:39 < ido--> the other way around isn't possible..
22:39 < krzie> nm it doesnt matter
22:40 < ido--> i need to get port forwarding on windows though
22:40 < ido--> i saw it somewhere on the web today
22:47 -!- ido-- [n=wtf@212.199.189.65] has quit []
22:49 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:49 < onats> hey guys, how do i check the IP's of the clients that connect to the vpn server?
22:50 < krzie> automated or on the fly?
22:52 < krzie> (@onats)
22:53 < onats> krzie, on the fly..
22:53 < krzie> management interface might have that
22:53 < onats> just want to check now the IP of a particular client, coz i need to connect to it..
22:53 < onats> management interface??
22:53 < krzie> you can also give them static ips if you like by seeing !static
22:53 < onats> i dont think i have that yet..
22:54 < onats> well thats in the plan, but i haven't really dug into it yet...
22:55 < onats> krzie, via command line?
22:56 < krzie> you could also see your status file or log
22:56 < krzie> if you use ipp.txt that should have it as well
22:57 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:57 < onats> ok lemme check.. tnx
22:57 * onats turned off logging
22:59 < krzie> well if you dont have a log, status file, ipp, management interface, or static ips, i dont think you can
23:12 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)]
23:26 < onats> krzie, the status file doesn't grow that much right?
23:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
23:29 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
23:32 -!- freaky_t [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)]
23:39 -!- Cr0nix [n=Cr0nix@e180070205.adsl.alicedsl.de] has joined ##openvpn
23:48 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn
23:56 -!- Cronix [n=Cr0nix@e180070100.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
23:58 -!- boolias [n=boolias@c-98-207-42-206.hsd1.ca.comcast.net] has joined ##openvpn
--- Day changed Tue May 05 2009
00:00 < boolias> hi there, anyone in have a minute to explain pkcs#12 files and how an openvpn server generates those for me?
00:01 -!- boolias is now known as oradude
00:02 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
00:05 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:42 -!- oradude [n=boolias@c-98-207-42-206.hsd1.ca.comcast.net] has quit []
01:03 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:11 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 54 (Connection reset by peer)]
01:12 -!- lataffe [n=lars@89.10.28.212] has joined ##openvpn
02:02 < freaky_t> hi all i have a problem running a samba server over the vpn. in the logs from samba in log.nmbd it says
02:02 < freaky_t> [2009/05/05 08:50:38, 0] nmbd/nmbd_subnetdb.c:create_subnets(207)
02:02 < freaky_t> create_subnets: Waiting for an interface to appear ...
02:02 < freaky_t> and nothing else happens
02:02 < freaky_t> can anyone help me please?
02:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:21 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:22 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:22 -!- freaky_t [i=alpha@member.team-box.net] has quit [Remote closed the connection] 02:35 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn 02:45 < freaky_t> !man 02:45 < vpnHelper> freaky_t: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:19 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn 03:21 -!- crocr [n=sveniu@leia.ifi.uio.no] has joined ##openvpn 03:32 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 04:09 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 04:28 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 04:29 -!- nsar [n=nsar@121.54.32.108] has joined ##openvpn 04:29 < nsar> hello 04:29 -!- youngpro [n=pro@203.217.10.114] has joined ##openvpn 04:29 < nsar> some help may i have with the certificates for server to multiple clients 04:29 < nsar> ? 04:31 -!- nsar [n=nsar@121.54.32.108] has quit [Client Quit] 04:31 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:44 -!- youngpro [n=pro@203.217.10.114] has quit ["changing servers"] 04:44 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn 04:49 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 04:50 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn 04:51 < alinuxskyper99> Hi installed openvpn on server 2003 ...on my same lan and I can connect however I can not ping 10.8.0.1 .. it times out...I did not push any networks yet 04:56 < onats> !certificates 04:56 < vpnHelper> onats: Error: "certificates" is not a valid command. 
04:56 < onats> !config 04:56 < vpnHelper> onats: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 04:56 < onats> !sample-configs 04:56 < vpnHelper> onats: Error: "sample-configs" is not a valid command. 04:56 < onats> !sample 04:56 < vpnHelper> onats: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 04:56 < onats> there 05:02 < reiffert> !factoids search sample 05:02 < vpnHelper> reiffert: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 05:02 < reiffert> !factoids search sam 05:02 < vpnHelper> reiffert: 'sample' and 'samba' 05:02 < reiffert> !factoids search cert 05:02 < vpnHelper> reiffert: 'servercert', 'certs', and 'nocert' 05:29 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 05:54 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has joined ##openvpn 05:56 < andriijas> i have 2 boxes at home, neither of them is the gateway to internet. one of them has an openvpn server which works fine and it can ping my laptop which is connected to the vpn from office, but how can i make my other box at home connect to my roadwarrior laptop? 
05:56 < andriijas> the laptop can ping both computers from the vpn 06:09 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:11 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:12 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:14 -!- andriijas [n=andreas@c83-248-2-99.bredband.comhem.se] has left ##openvpn [] 06:16 -!- youngpro [n=pro@teamaustralia.net.au] has quit ["changing servers"] 06:16 -!- youngpro [n=pro@203.217.10.114] has joined ##openvpn 06:20 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:22 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:23 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:24 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:24 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:25 -!- zheng [n=zheng@222.66.224.110] has quit [Remote closed the connection] 06:25 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 06:39 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)] 06:42 -!- tuxinator [n=chatzill@195.34.89.245] has joined ##openvpn 06:44 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:59 < ecrist> morning 07:12 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 07:45 -!- sticky [n=zach@2001:470:1f11:5a7:b167:612a:7dd5:7964] has joined ##openvpn 08:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:37 -!- eliasp_ [n=quassel@95.208.45.212] has joined ##openvpn 08:51 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)] 09:01 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 09:08 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:16 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 09:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:00 -!- i3lack0p 
[i=merlin@69.69.150.7] has joined ##openvpn 10:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:18 < i3lack0p> having an issue setting up an OpenVPN host with multi client. This is my first attempt. http://pastebin.com/d6dfaed32 is a tail of my log on the client side 10:18 < i3lack0p> !howto 10:18 < vpnHelper> i3lack0p: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:20 < ecrist> i3lack0p: what os? 10:27 < i3lack0p> Host is CentOS 5.1 guest is winxp sp3 10:28 < i3lack0p> but other guests will include Mac OS X, Windows Vista, Windows XP and a few Ubuntu clients 10:35 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 10:38 < i3lack0p> what im looking to do is have these clients VPN to the server and access a Samba share on the node 10:41 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Deffie 10:44 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Dougy_, pekster 10:45 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 10:46 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 10:52 -!- i3lack0p [i=merlin@69.69.150.7] has quit [Read error: 104 (Connection reset by peer)] 10:52 -!- i3lack0p [i=merlin@69.69.150.7] has joined ##openvpn 10:53 -!- i3lack0p [i=merlin@69.69.150.7] has quit [Read error: 104 (Connection reset by peer)] 10:53 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 10:54 -!- pekster is now known as Guest26656 11:01 -!- onats__ [n=onats@122.53.134.78] has joined ##openvpn 11:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 11:13 -!- epaphus [n=unix3@78.46.79.204] has joined ##openvpn 11:19 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 11:23 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection] 11:25 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 11:26 -!- 
polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:35 < Alagar> is there a dead peer detection mechanism active in our vpn gateway 11:35 < Alagar> i got the above question from my boss. what is the meaning of this 11:36 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 11:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:40 -!- bakers [n=bakers@bar-1.web-ster.com] has joined ##openvpn 11:40 < theDoc> Alagar: Sounds like it sends packets to you at intervals and if you don't respond after x seconds, it considers you disconnected 11:43 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has joined ##openvpn 11:44 < VeRteXz> !interface 11:44 < vpnHelper> VeRteXz: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 11:44 < VeRteXz> !route 11:44 < vpnHelper> VeRteXz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:44 < VeRteXz> !configs 11:44 < vpnHelper> VeRteXz: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:44 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has left ##openvpn ["Bye Bye All"] 11:44 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has joined ##openvpn 11:45 < Alagar> theDoc: thanks. one more help please. i am using fortigate 100A VPN Firewall, how to find out if Dead peer detection mechanism is active or not? 
11:46 < theDoc> Alagar: I'd spoon the firewall and whisper lovingly into her ears and tease her into telling me. 11:46 < theDoc> That's what I would do. I think you would want to try reading the manual. 11:46 < bakers> Can I create a client cert that requires a username and a password? 11:47 < theDoc> Yes. 11:55 < bakers> theDoc: How does one do that? 11:55 < theDoc> bakers: It's 1am, :p I just got back from work and I'm not really in the mood at the moment :p 11:55 < theDoc> It's somewhere in the guide I believe. 11:55 < theDoc> I'm lazy enough to not want to search it for you. 11:58 -!- VeRteXz [i=VeRteX@host1-48-dynamic.2-87-r.retail.telecomitalia.it] has left ##openvpn ["Bye Bye All"] 12:01 -!- epaphus [n=unix3@78.46.79.204] has quit ["Leaving"] 12:07 -!- i3lack0p [i=merlin@69.69.150.7] has joined ##openvpn 12:10 < i3lack0p> I am looking to set up an OpenVPN host that a number of remote nodes can VPN to for establishing a Samba transfer... client to host... Host is CentOS 5.1 w/ OpenVPN 2.0.9, Client is Windows XP SP3 w/ OpenVPN 2.0.9... this is the error im getting: http://pastebin.com/d6736f785 12:11 < i3lack0p> never establishes IP address and ability to communicate 12:16 < i3lack0p> hello? 
12:18 < ecrist> see line 5 12:18 < ecrist> !configs 12:18 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:19 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 12:22 < i3lack0p> Client: http://pastebin.com/d3bc70457 | Host: http://pastebin.com/d1dc0443a 12:23 < i3lack0p> Host is CentOS 5.1 w/ OpenVPN 2.0.9, Client is Windows XP SP3 w/ OpenVPN 2.0.9 12:25 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:26 < ecrist> !logs 12:26 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 12:26 < i3lack0p> ok 12:34 < i3lack0p> Client Log: http://pastebin.com/d7b07be5e | Host Log: http://pastebin.com/d10b1724 12:38 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:40 -!- bafman [n=none@81.90.250.239] has joined ##openvpn 12:43 < bafman> hello, one quick question. I have "local" network with GW/server 192.168.1.1 running openvpn. Remote network is the same IP range also with colliding IP of GW/Server. Is there any way to compensate without changing the IP of local range? 12:50 < svenx> ask the twats who set up the server side why they chose the most common ip range in home networks :) 12:50 < svenx> other than that, you can simply add some routes 12:51 < svenx> oh wait, gw also collides.. hm 12:51 < ecrist> reading now, i3lack0p 12:52 < bafman> svenx: me ;-). I created a home LAN, these days I decided SSH is not enough, thus I would like to add VPN. Most of the networks of my friends share the same layout 12:52 < ecrist> gotta tell you, that error is stumping me. 12:53 < ecrist> your configs look fine 12:53 < bafman> I was wondering about adding a new virtual IP for the GW/Server 12:53 < svenx> bafman: aha. that's possible. 
also, you could use the routing method of openvpn, and rather define a "rare" subnet to use for vpn clients 12:54 < bafman> svenx: but the virtual IP is a must then 12:55 < ecrist> i3lack0p: does the client ever get the .5 address assigned to the interface? 12:56 < ecrist> bafman: no, you need to renumber 12:56 < svenx> bafman: yes 12:56 < svenx> bafman: ..if your vpngw only has a single interface 12:58 -!- bakers [n=bakers@bar-1.web-ster.com] has quit ["Leaving"] 12:59 < bafman> svenx: or leave it as it is and when VPN is up, exclusively use remote IP range ... 12:59 < bafman> gents thank you for hinting 13:11 -!- netnoodle [n=netnoodl@pcp045837pcs.pcv.reshall.calpoly.edu] has joined ##openvpn 13:12 < netnoodle> hello, im using linux and the client is unable to redirect the gateway through the vpn automatically. i need to manually change the gateway using the "route" command in linux, but i'm not sure how to do this 13:20 < i3lack0p> ecrist: sorry wife grabbed me... according to OpenVPN GUI its been allocated, but the Local Area Connection 2 ( bound to TAP-Win32) keeps looking for DHCP address 13:21 < ecrist> hrm, it shouldn't be. 13:21 < ecrist> I don't have a lot of windows openvpn experience, sorry. 13:22 < i3lack0p> i dont either... 
i have done site to site openvpn tunneling with static ips, but this is stumping 13:22 < ecrist> read here, see if anything sticks out to you 13:22 < ecrist> !freebsd 13:22 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:23 -!- clebig [n=clebig@87.100.60.106] has joined ##openvpn 13:24 < clebig> hi 13:27 -!- sticky [n=zach@2001:470:1f11:5a7:b167:612a:7dd5:7964] has quit ["Leaving"] 13:30 -!- netnoodle [n=netnoodl@pcp045837pcs.pcv.reshall.calpoly.edu] has quit [Remote closed the connection] 13:31 < clebig> I have a problem when I try to revoke a certificate, could you help me, here the output of revoke-full command : http://pastebin.fr/4423 13:37 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:41 -!- frank__ is now known as frankS2 13:42 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 13:52 -!- bafman [n=none@81.90.250.239] has quit ["leaving"] 13:53 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."] 13:55 < i3lack0p> ecrist: i switched over to my slackware box and tested it as a client. http://pastebin.com/d49cdae83 is what i got... but looking at it i think i need to gen the tun devices 14:01 < ecrist> i3lack0p: do you have the tun kernel module/device available? 14:08 < i3lack0p> lol im a dumbass... i just figured out my problem 14:08 < ecrist> please share 14:08 < i3lack0p> i had disabled the dhcp client service on my windows box cause i never use DHCP on it... its always static 14:09 < ecrist> ahhhhh 14:09 < ecrist> :) 14:09 < i3lack0p> so the adapter couldnt receive/send dhcp... like i said... 
dumbass 14:12 < ecrist> good to figure it out 14:48 -!- clebig [n=clebig@87.100.60.106] has quit ["The vast majority of our imports come from outside the country"] 14:57 -!- i3lack0p [i=merlin@69.69.150.7] has quit ["User pushed the X - because it's Xtra, baby"] 15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:36 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 15:52 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"] 16:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:16 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:22 -!- prop_ [n=dd@IGLD-84-228-155-161.inter.net.il] has quit [Success] 17:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:40 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 17:57 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:44 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:18 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 19:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 19:56 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 20:01 < onats> buzz 21:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)] 22:17 < onats> how do i create a tun device? 22:18 < onats> openvpn --mktun --dev tun0 --dev-type tun? 22:29 < onats> !tun 22:29 < vpnHelper> onats: Error: "tun" is not a valid command. 
22:55 -!- prop_ [n=dd@84.228.155.161] has joined ##openvpn 23:17 -!- jetole [n=Joe@204.13.0.100] has joined ##openvpn 23:28 -!- Cron1x [n=Cr0nix@e180071180.adsl.alicedsl.de] has joined ##openvpn 23:45 -!- Cr0nix [n=Cr0nix@e180070205.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 23:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn --- Day changed Wed May 06 2009 00:02 -!- epaphus [n=unix3@201.199.192.2] has joined ##openvpn 00:19 < reiffert> !factoids search tun 00:19 < vpnHelper> reiffert: 'mactuntap' and 'tunortap' 00:19 < reiffert> !factoids search mknod 00:19 < vpnHelper> reiffert: No keys matched that query. 00:20 -!- epaphus [n=unix3@201.199.192.2] has quit ["Leaving"] 00:20 < reiffert> onats: mknod /dev/net/tun c 10 200 00:23 < onats> reiffert, i got it this time. the library on my openwrt for tun drivers wasn't compatible 00:23 < onats> thanks:D 01:26 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:27 -!- mattock [n=mattock@gw.tietoteema.fi] has quit [Remote closed the connection] 01:27 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:48 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:08 < tuxinator> is it a good idea to put the route-method exe and route-delay 2 options in to global config? 
02:27 -!- prop- [n=dd@84.229.209.63] has joined ##openvpn 02:31 -!- prop_ [n=dd@84.228.155.161] has quit [Read error: 60 (Operation timed out)] 02:46 < krzee> for windows 02:46 < krzee> but route-delay 2 might be a lil small 02:46 < krzee> i believe 30 is default if you specify route-delay with no arg 02:46 < krzee> !winroute 02:46 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 02:47 < krzee> thats only useful when a windows route cant be added 03:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 04:41 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 04:57 -!- prop_ [n=dd@84.229.209.63] has joined ##openvpn 05:01 -!- prop- [n=dd@84.229.209.63] has quit [Read error: 104 (Connection reset by peer)] 05:14 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:19 -!- eliasp_ is now known as eliasp 05:41 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 05:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:12 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 06:14 -!- prop_ [n=dd@84.229.209.63] has quit [Read error: 110 (Connection timed out)] 06:38 -!- onats__ [n=onats@122.53.134.78] has quit [Read error: 110 (Connection timed out)] 06:38 -!- onats__ [n=onats@122.53.137.107] has joined ##openvpn 06:43 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 06:43 -!- theDoc 
[n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:52 < ecrist> krzee: server's powered up 06:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:20 -!- lataffe [n=lars@89.10.28.212] has quit [Read error: 145 (Connection timed out)] 07:31 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has joined ##openvpn 08:12 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 08:29 -!- lolmaus [n=lolmaus@77.72.19.231] has joined ##openvpn 08:29 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 08:29 < lolmaus> Hi! I've set up an openvpn server on my linux virtual server. I would like to connect to it from my WinXP machine. Can i use a standard Windows VPN connection or do i have to install OpenVPN too? 08:30 < lolmaus> The server is in bridging mode 08:33 < ecrist> you need openvpn 08:34 < ecrist> 'windows standard vpn' is PPTP/L2TP 08:34 < ecrist> OpenVPN is OpenVPN 08:35 < lolmaus> Thx 08:55 < lolmaus> Where do i put key files on Windows? 09:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 09:20 -!- crocr [n=sveniu@leia.ifi.uio.no] has quit [Read error: 60 (Operation timed out)] 09:23 -!- tuxinator [n=chatzill@195.34.89.245] has quit ["ChatZilla 0.9.84 [Firefox 3.0.9/2009040821]"] 09:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:37 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 09:39 < dazo> lolmaus: in a directory on the HD ... normally no special key management thing ... if you use OpenVPN GUI, you'll find the folder via the Start menu 09:41 < dazo> lolmaus: to be precise, the path to the key files is defined in your config ... 
if no full path is given, it's relative to the directory of the config file 09:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 -!- nibu [n=bau@unaffiliated/nibu] has joined ##openvpn 10:10 -!- bau_ [n=bau@189.81.146.18] has joined ##openvpn 10:12 -!- nibu [n=bau@unaffiliated/nibu] has quit [Read error: 110 (Connection timed out)] 10:30 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn 10:31 < JScoobyCed> Hi, I am issuing "openvpn --mktun --dev tap0"... and then, I cannot see any tap0 interface in "ifconfig" and when I start the client it says "no such device tap0" 10:32 < JScoobyCed> the openvpn server is on WindowsXP configured with "dev tap", does that mean I can't access it from a linux machine? 10:33 < JScoobyCed> how to persist the 'tap' device? 10:37 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 10:41 < dazo> JScoobyCed: do you do --mktun --dev tap0 on the Windows box? 10:41 < JScoobyCed> dazo: nope, on ubuntu 10:42 < JScoobyCed> on windows box I created the tap interface using the tools provided by openvpn 10:42 < dazo> JScoobyCed: if you do ifconfig -a .... or ifconfig tap0 .... do you see the interface in this setup? 10:42 < dazo> JScoobyCed: yeah, that was what I was about to recommend 10:42 < JScoobyCed> I could access the windows openvpn when my machine was windows 10:43 < JScoobyCed> yes, ifconfig -a shows the device tap0 10:43 < dazo> JScoobyCed: there are no restrictions on cross-platform connections .... so there should not be any issues with that, for sure 10:43 < dazo> JScoobyCed: and the openvpn process starts without any issues on the Ubuntu box? 10:43 < JScoobyCed> dazo: thanks for the 'ifconfig -a', I forgot about that 10:44 < JScoobyCed> dazo: so my tap0 device is here... why can't openvpn see it? 10:44 < JScoobyCed> dazo: I tried to run as root, doesn't change 10:45 < JScoobyCed> dazo: should I 'ifconfig tap0 up ...' the interface? or config IP ? 
10:45 < dazo> JScoobyCed: I presume you start openvpn as root ... so I would recommend you to set log level to 6 (verb 6 in config) ... and pastebin it .... you might even see some warnings in logs which can help you out 10:45 < JScoobyCed> ok, going to try that now 10:46 < dazo> JScoobyCed: no, that's not needed .... but the openvpn process must be started as root ... in *nix you can put --user and --group which will then "degrade" OpenVPNs privileges when it is done with the stuff needing root privileges 10:46 < dazo> JScoobyCed: I'll be waiting for logs then 10:47 < JScoobyCed> dazo: ok, got the logs 10:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 10:47 < JScoobyCed> dazo: how to 'pastebin' ? :) 10:47 < dazo> !pastebin 10:47 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 10:48 < JScoobyCed> !pastebin Wed May 6 22:46:42 2009 us=349210 OPTIONS IMPORT: timers and/or timeouts modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349242 OPTIONS IMPORT: --ifconfig/up options modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349270 OPTIONS IMPORT: route options modified 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349586 ROUTE default_gateway=192.168.41.1 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349700 Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349734 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 10:48 < vpnHelper> JScoobyCed: Error: "pastebin" is not a valid command. 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349775 Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:48 < JScoobyCed> Wed May 6 22:46:42 2009 us=349811 Exiting 10:48 < ecrist> !logs 10:48 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 10:48 < JScoobyCed> errr... 
not sure I did it well 10:48 < JScoobyCed> ok, trying logs 10:49 < JScoobyCed> !logs Wed May 6 22:46:42 2009 us=349210 OPTIONS IMPORT: timers and/or timeouts modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349242 OPTIONS IMPORT: --ifconfig/up options modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349270 OPTIONS IMPORT: route options modified 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349586 ROUTE default_gateway=192.168.41.1 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349700 Note: Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349734 Note: Attempting fallback to kernel 2.2 TUN/TAP interface 10:49 < vpnHelper> JScoobyCed: Error: "logs" is not a valid command. 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349775 Cannot open TUN/TAP dev tap0: No such file or directory (errno=2) 10:49 < JScoobyCed> Wed May 6 22:46:42 2009 us=349811 Exiting 10:49 < ecrist> I don't think you understand 10:49 < ecrist> you need to copy/paste into a web browser to www.pastebin.ca 10:49 < dazo> lol 10:50 < JScoobyCed> !!... sorry guys 10:50 < vpnHelper> JScoobyCed: Error: "!..." is not a valid command. 10:50 < JScoobyCed> dazo: http://www.pastebin.ca/1414344 10:50 < JScoobyCed> is that the way ? 10:50 < dazo> JScoobyCed: seems a lot better ;-) 10:50 < ecrist> yes 10:51 < JScoobyCed> dazo : I got only the client logs, no access to server since this morning that i switched to ubuntu 10:51 < JScoobyCed> dazo: do u need the full log? I put only the relevant errors 10:51 < dazo> JScoobyCed: ehhh .... I'm confused now .... do you have problems on your Ubuntu or Windows box? 10:52 < JScoobyCed> dazo: with ubuntu 10:52 < dazo> JScoobyCed: and what you showed me here, is from the Ubuntu log? 10:52 < JScoobyCed> dazo: the openvpn server is on windows xp 10:52 < JScoobyCed> dazo: I used to connect to it from windows openvpn client 10:52 < dazo> JScoobyCed: ubuntu logs - where you have problems? 
10:53 < JScoobyCed> dazo: but now I formatted and installed ubuntu 10:53 < JScoobyCed> now I cannot access the windows openvpn server from ubuntu openvpn client 10:53 < JScoobyCed> that was the ubuntu openvpn client lg 10:53 < JScoobyCed> dazo: log 10:54 < dazo> JScoobyCed: that's fine enough ... good ... now I know more what I'm looking at 10:54 < JScoobyCed> dazo: sorry, I didn't explain at first 10:54 < dazo> JScoobyCed: so ifconfig -a gives you tap0 .... but openvpn does not see it ... that's very odd ... 10:55 < dazo> JScoobyCed: can we please see your config file as well? 10:55 < JScoobyCed> dazo: ok, hold on 10:55 < dazo> (just pastebin that one as well) 10:55 < JScoobyCed> dazo: sorry, I have to go (meeting with client) I'll pastebin in an hour 10:55 < JScoobyCed> dazo: or I'll wait 10:55 < JScoobyCed> dazo : thanks 10:56 < dazo> JScoobyCed: oki ... no prob ... I might not be here at that point ... but there are a lot of others here who should be able to follow up 10:57 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has quit ["Leaving."] 10:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:09 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 11:11 -!- albech [n=albech@119.42.76.84] has quit [SendQ exceeded] 11:17 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 11:29 -!- rubydiam_ [n=rubydiam@123.236.183.243] has joined ##openvpn 11:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 11:40 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: Intensity, feinoM, M06w, freaky_t, xor|, Dougy, vpnHelper, Typone, dmarkey, bau_, (+15 more, use /NETSPLIT to show all of them) 11:42 -!- Netsplit over, joins: feinoM 11:42 -!- nemysis [n=nemysis@145-184.3-85.cust.bluewin.ch] has joined ##openvpn 11:43 -!- Netsplit over, joins: freaky_t, Typone, M06w, reiffert, CybDev 11:43 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn 11:44 -!- jetole 
[n=Joe@204.13.0.100] has joined ##openvpn 11:44 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has joined ##openvpn 11:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:44 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 11:45 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Connection timed out] 11:46 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn 11:46 -!- bau_ [n=bau@189.81.146.18] has joined ##openvpn 11:46 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 11:46 -!- damentz [i=damentz@support.team.at.shellium.org] has joined ##openvpn 11:46 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn 11:47 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn 11:47 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn 11:47 -!- svenx [n=sveniu@pat-tdc.opera.com] has joined ##openvpn 11:47 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has joined ##openvpn 11:47 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 11:47 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn 11:47 -!- Intensity [i=[HiX103q@unaffiliated/intensity] has joined ##openvpn 11:47 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 11:47 -!- Netsplit holmes.freenode.net <-> irc.freenode.net quits: dmarkey, Gumbler, Intensity, ropetin 11:47 -!- Netsplit over, joins: Intensity, dmarkey, Gumbler, ropetin 11:47 -!- nemysis is now known as Guest84910 11:51 -!- bau__ [n=bau@189.81.146.18] has joined ##openvpn 11:52 -!- bau_ [n=bau@189.81.146.18] has quit [Read error: 113 (No route to host)] 11:52 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has joined ##openvpn 12:00 -!- Guest84910 is now known as nemysis 12:01 -!- nemysis is now known as Guest28032 12:01 -!- Guest28032 is now known as nemysis_ 12:01 -!- nemysis_ is now known as Guest47847 12:02 -!- Guest47847 
[n=nemysis@145-184.3-85.cust.bluewin.ch] has quit ["I am off"] 12:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:33 -!- bau__ [n=bau@189.81.146.18] has quit ["Saindo"] 12:42 -!- jtc_0043 [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has joined ##openvpn 12:45 < jtc_0043> hi, can anyone please help me get my openvpn routing working? ... i have a ovpnserver with the local ip 10.0.0.145 gw 10.0.0.254 sm 255.255.255.0, ovpn server gives the client the ip 10.1.0.6 in the openvpn.conf: server 10.1.0.0 255.255.255.0 ... how can i route the client to the 10.0.0.0 network? 12:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:49 -!- bandini [n=bandini@host192-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn 12:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:00 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn 13:00 < JScoobyCed> dazo: in case you're still here, please find my client.opvn: http://www.pastebin.ca/1414467 13:00 -!- jtc_0043 [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has quit [Read error: 54 (Connection reset by peer)] 13:01 < JScoobyCed> dazo: no server config, but I used the one from the HOWTO documentation on openvpn website 13:07 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has left ##openvpn [] 13:12 -!- benedictus [i=chatzill@d51A5C736.access.telenet.be] has joined ##openvpn 13:18 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has joined ##openvpn 13:22 -!- benedictus [i=chatzill@d51A5C736.access.telenet.be] has quit [Client Quit] 13:23 -!- rubydiam_ [n=rubydiam@123.236.183.243] has quit [Client Quit] 13:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 13:35 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 13:46 -!- krzee 
[i=nobody@unaffiliated/krzee] has joined ##openvpn 13:56 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 14:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:26 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 14:26 -!- Celsiux-Nulled [n=Nullesd@189.152.112.56] has joined ##openvpn 14:40 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 14:45 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success] 14:49 -!- zooonga [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has joined ##openvpn 14:49 < zooonga> hi, i have a ovpnserver running on a server with ip 10.0.0.145 and gw 10.0.0.254 sm 255.255.255.0, ovpn server gives the client the ip 10.1.0.6 in the openvpn.conf: server 10.1.0.0 255.255.255.0 ... how can i route the client to the 10.0.0.0 network? 14:53 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 15:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:08 -!- coincoin1611 [n=coincoin@ASt-Lambert-154-1-59-6.w90-61.abo.wanadoo.fr] has joined ##openvpn 15:08 < coincoin1611> hi 15:08 < coincoin1611> it is the first time i set up a vpn 15:08 < ecrist> hi 15:08 < coincoin1611> and i succeded 15:08 < coincoin1611> but 15:09 < coincoin1611> the client can ping all the computer in my netword (where is the server) 15:09 < coincoin1611> but i cannot ping all the computers in the netword where the client is 15:09 < coincoin1611> do you have any idea ? 15:10 < ecrist> !iroute 15:10 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. 
Also see !route and !ccd 15:10 < ecrist> and 15:10 < ecrist> !route 15:10 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:10 < coincoin1611> i read it right now 15:22 < coincoin1611> does this hold for bridge vpn ? 15:22 < ecrist> yes, if you're going to route other networks 15:22 < ecrist> you also need to make sure ip forwarding is enabled on the required clients/servers 15:23 < coincoin1611> the two networks are on the same subnet 192.168.1.0 with the same netmask 255.255.255.0 15:23 < coincoin1611> i took care of setting different ip adresses for all computers 15:23 < coincoin1611> do i even have to set up routes ? 15:24 < ecrist> if they're all the same address space, no 15:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:25 < coincoin1611> ok right now i am setting /proc/sys/net/ipv4/ip_forward to 1 15:25 < ecrist> also, make sure you've bridged the interfaces on both the client and server 15:25 < ecrist> and you're not blocking traffic on the firewall 15:26 < coincoin1611> yes with brctl ? i have done that it is br0 15:31 < coincoin1611> i have wireshark on my vpn server 15:31 < coincoin1611> and when from the server network i ping a computer on the client network 15:31 < coincoin1611> the arp request is sent received by the vpnserver and just after wirehark tells me that 15:31 < coincoin1611> the vpn server sends an UDP packet to the client 15:31 < coincoin1611> normally the client should diffuse this arp request no ? 
15:35 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
15:58 -!- googleman [n=zaeaze@41.221.18.166] has joined ##openvpn
15:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
16:00 < googleman> hi all
16:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:02 < googleman> how do i configure openvpn to open a port range for external use, like torrent or emule ?
16:02 < JScoobyCed> hi. I still have issues with my winxp (openvpn server, using dev tap TAP001) <-> Ubuntu (openvpn client, using dev tap)
16:03 < JScoobyCed> I did 'openvpn --mktun --dev tap0' and issuing 'ifconfig a' shows the 'tap0' device
16:03 < JScoobyCed> but when I try to connect to the server it says 'tap0 : file not found (error 2)'
16:16 -!- coincoin161 [n=coincoin@90.61.226.6] has joined ##openvpn
16:16 -!- coincoin161 [n=coincoin@90.61.226.6] has left ##openvpn []
16:23 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:25 < JScoobyCed> !quit
16:25 < vpnHelper> JScoobyCed: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
16:25 -!- JScoobyCed [n=crochefo@wsip-98-191-12-98.ri.ri.cox.net] has left ##openvpn []
16:27 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
16:33 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:33 -!- coincoin1611 [n=coincoin@ASt-Lambert-154-1-59-6.w90-61.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
16:37 < krzie> definitely, i haven't played with it but i know its there
16:38 < krzie> oops wrong chan
16:47 -!- zooonga [n=Miranda@88-117-80-161.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
17:11 -!- ariel [n=ariel@200-126-118-240.bk8-dsl.surnet.cl] has joined ##openvpn
17:24 -!- SeveredCross [n=bojanr@about/csharp/regular/severedcross] has joined ##openvpn
17:25 < SeveredCross> Hi y'all. Can someone help me WRT the "Authenticate/Decrypt packet error: cipher final failed" error?
17:25 < SeveredCross> Would it be caused by a firewall on the server side?
17:33 < SeveredCross> Hmm, I fixed that by switching ciphers, but I still don't have a connection through the VPN.
17:40 < SeveredCross> Configs at http://pastebin.com/f1a6ee8f8 (client) and http://pastebin.com/f84fc7ff (server)
17:41 < SeveredCross> (I realize the push route on the server isn't needed, it's cruft)
17:47 -!- epaphus is now known as Brun2
17:51 -!- dazo [n=dazo@nat/redhat/x-47a430b4e0c1081a] has quit [Read error: 110 (Connection timed out)]
17:54 -!- googleman [n=zaeaze@41.221.18.166] has quit [Read error: 110 (Connection timed out)]
17:54 -!- googleman [n=zaeaze@41.221.27.166] has joined ##openvpn
17:59 < SeveredCross> Hmm.
17:59 < SeveredCross> Apparently, the tun interface is receiving packets, but isn't sending anything back. What could cause this?
18:03 -!- googleman [n=zaeaze@41.221.27.166] has quit ["Leaving"]
18:19 -!- Celsiux-Nulled [n=Nullesd@189.152.112.56] has quit [Connection timed out]
18:24 -!- bandini [n=bandini@host192-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
18:28 -!- Celsiux|Nulled [n=Nullesd@189.152.112.56] has joined ##openvpn
18:29 -!- Brun2 [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:30 < krzie> a firewall
18:30 < krzie> or a... firewall
18:31 < krzie> possibly a firewall
18:31 < krzie> or a routing issue
18:31 < krzie> but much more likely a firewall ;]
18:32 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has joined ##openvpn
18:35 < SeveredCross> krzie: I opened the TUN interface wide, and nothing happens
18:35 < SeveredCross> .
18:35 -!- epaphus [n=unix3@201.199.34.174] has joined ##openvpn
18:35 < SeveredCross> (I have iptables rules to accept everything on the TUN interface, and to let everything go out)
18:36 -!- Celsiux|Nulled [n=Nullesd@189.152.112.56] has quit [Remote closed the connection]
18:36 < SeveredCross> Hmm, looks like I might've missed it on the OUTPUT chain
18:39 < SeveredCross> Yeah, I added an allow all on output tun0, and nothing happens.
18:41 < krzie> !configs
18:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:47 -!- epaphus [n=unix3@201.199.34.174] has quit [Read error: 60 (Operation timed out)]
18:48 < SeveredCross> Actually, I got it working. :)
18:54 -!- Timpa [i=timpa@c-191770d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn
18:55 < krzie> what was it?
19:03 < SeveredCross> krzie: Just kinda....magically started working.
19:03 < SeveredCross> *shrugs*
19:04 * SeveredCross disappears.
19:04 -!- SeveredCross [n=bojanr@about/csharp/regular/severedcross] has left ##openvpn []
19:14 < krzie> (aka it was his firewall)
19:14 < krzie> hehe
19:32 < krzie> ecrist here?
19:54 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
20:25 -!- ariel [n=ariel@200-126-118-240.bk8-dsl.surnet.cl] has quit ["Saliendo"]
20:45 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)]
20:46 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
20:52 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)]
20:53 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has joined ##openvpn
21:39 -!- epaphus [n=unix3@static.226.79.46.78.clients.your-server.de] has quit ["Leaving"]
22:22 -!- las3r [n=las3r@c-66-31-200-74.hsd1.ma.comcast.net] has joined ##openvpn
22:30 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
22:56 -!- fixxxermet [n=meep@cmu-24-35-53-185.mivlmd.cablespeed.com] has left ##openvpn []
23:09 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 110 (Connection timed out)]
23:10 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
23:19 -!- Cr0nix [n=Cr0nix@85.180.70.46] has joined ##openvpn
23:31 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
23:35 -!- Cron1x [n=Cr0nix@e180071180.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
23:41 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
23:41 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
--- Day changed Thu May 07 2009
00:04 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
00:13 -!- knoxville [n=knoxvill@c-71-63-138-244.hsd1.mn.comcast.net] has joined ##openvpn
00:14 < knoxville> when I add push "route 192.168.1.0 255.255.255.0" and push "redirect-gateway" to the server.conf file, my windows client no longer gets internet, any ideas?
00:15 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:19 < knoxville> bump!
00:20 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has quit [Connection timed out]
00:29 < knoxville> bump
00:37 < onats> what's the LAN ip of your windows client?
00:38 < onats> !tls
00:38 < vpnHelper> onats: Error: "tls" is not a valid command.
00:38 < onats> !tls-error
00:38 < vpnHelper> onats: Error: "tls-error" is not a valid command.
00:38 < onats> krzie, are you there?
00:40 < knoxville> onats, 192.168.1.50
00:41 < onats> and the vpn server's?
00:41 < knoxville> onats, 192.168.1.145 or 10.8.0.1
00:41 < onats> they are on the same LAN?
00:42 < knoxville> onats, right now they are, just for the setup to get it working
00:42 < onats> ideally, your vpn server should be on a different subnet...
00:42 < knoxville> onats, correct, this I know, and it will be when I move my laptop on the road
00:45 < knoxville> ok I was able to get it working a little bit, I added this on the server side "route add default gw 192.168.1.254" and now the client is working great
00:45 < knoxville> the question now is, how can I make sure this happens when clients connect
00:48 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
00:49 < bsdbandit> im having 2 issues with openvpn 2.0 on openbsd 4.5. first issue is that openvpn hangs when trying to start the openvpn server manually, and 2, when trying to start up openvpn i noticed that the date shows Wed Dec 31 1969
00:49 < bsdbandit> can someone help me out with this one
00:49 < bsdbandit> z/
00:49 < bsdbandit> ?
00:50 < bsdbandit> :(
00:50 < onats> put it in a CCD file?
00:50 < onats> knoxville, put it in a ccd file?
00:51 < onats> are you routing all internet traffic to your home server?
00:54 < knoxville> onats, I will if that gets it working
00:57 < knoxville> onats, this is what I need to do: "Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)."
01:01 < bsdbandit> yes
01:01 < knoxville> any help on the route portion
01:01 < bsdbandit> the openvpn server and firewall all run on the same machine
01:01 < knoxville> not in my case
01:01 < knoxville> it runs on my LAN not the gateway
01:02 < bsdbandit> oh ok
01:02 < bsdbandit> you might want to put that on the gateway
01:02 < knoxville> bsdbandit, yeah I was looking to do it eventually but there has to be a way to route it to work
01:04 < lolmaus> When adding a TAP thingie on my WinXP 64-bit, i get the following error:
01:04 < lolmaus> C:\Program Files (x86)\OpenVPN>"C:\Program Files (x86)\OpenVPN\bin\tapinstall.ex
01:05 < lolmaus> e" install "C:\Program Files (x86)\OpenVPN\driver\OemWin2k.inf" tap0801
01:05 < lolmaus> tapinstall.exe failed.
01:05 < lolmaus> Any solutions?
01:09 < onats> knoxville, are you using all command line, or a config file?
01:10 < knoxville> yeah complete terminal
01:10 < onats> ok
01:14 < onats> knoxville
01:14 < onats> i think you need to add something like this: iroute 192.168.1.0 255.255.255.0
01:14 < knoxville> onats, that would be on my server correct
01:15 < onats> yes, but it should be pushed to the clients
01:15 < knoxville> iroute is not a command in linux
01:15 < knoxville> it must have to go in the server.conf
01:15 < onats> yes..
01:15 < knoxville> but I already have the push "route 192.168.1.0 255.255.255.0" in there
01:15 < onats> but in my setup, its in the ccd files
01:16 < onats> what do you need to do again?
01:16 < onats> basically here's my setup. i have 3 vpn sites, with different subnets, and all clients behind those LANs can ping the clients in the other lans.
01:17 < onats> what setup do you want to achieve?
01:17 < knoxville> allow the clients to be able to access the entire La
01:17 < knoxville> LAN
01:17 < onats> ok. same here
01:17 < knoxville> the 192.168.1.0/24
01:17 < onats> was able to do that
01:17 < knoxville> what's in your ccd file
01:17 < onats> do you have two sites?
01:18 < onats> on my server, i have something like this too:
01:18 < onats> iptables -I FORWARD 1 --source 192.168.66.0/24 -j ACCEPT
01:18 < jetole> Page is down => http://openvpn.net/index.php/documentation/howto.html
01:18 < onats> 192.168.66.0 is the vpn subnet
01:18 < jetole> MySQL is running in read only, page cannot do an insert
01:19 < jetole> Thought an admin may be listening
01:19 < jetole> also wasn't doing this 30 mins agp
01:19 < jetole> *ago
01:20 < onats> jetole, are you on the right channel?
01:23 < jetole> yes
01:23 < jetole> did you look at the URL
01:23 < lolmaus> SOS, i've got this tapinstall.exe failed on windows xp 64-bit
01:27 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn
01:28 < jetole> hmmm, I would like that howto to be up since I am trying to figure out how to patch against mitm
01:39 < reiffert> morning
01:42 -!- knoxville [n=knoxvill@c-71-63-138-244.hsd1.mn.comcast.net] has quit [Remote closed the connection]
01:42 < lolmaus> SOS, i've got this tapinstall.exe failed on windows xp 64-bit
01:44 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
01:49 -!- deception is now known as oc80z
01:50 -!- Mikaku [n=Mikaku@unaffiliated/mikaku] has joined ##openvpn
01:50 < Mikaku> fyi something is wrong in the http://openvpn.net/ web site:
01:51 < Mikaku> jtablesession::Store Failed
01:51 < Mikaku> DB function failed with error number 1290
01:51 < Mikaku> and more ...
01:51 < reiffert> We dont have that under control.
01:51 < Mikaku> reiffert: ah ok
01:51 < reiffert> Try the -devel mailinglist
01:52 < reiffert> But I doubt that the author will pay attention to anything that comes from the community.
01:53 < Mikaku> oh
01:53 < reiffert> There are so many proposals on the devel mailinglist that just get ignored totally.
01:54 < Mikaku> sad to hear that
01:54 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
01:55 < Mikaku> I thought that the author would be around this channel as happens in other projects' channels
01:56 < reiffert> That would be very nice, indeed.
02:01 < Mikaku> sure :)
02:03 < reiffert> Even the mailinglist seems to be community-only to my eyes. It's been a long time since I saw a statement from the author.
02:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:06 < Mikaku> well the project seems to be a bit frozen because I don't see much activity in the version numbers
02:07 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:08 < Mikaku> 2.1 is stuck in RCs
02:12 < jetole> Mikaku: Actually I already noticed this with the howto page and posted it a little while ago but I hadn't checked the rest of the site yet
02:13 < jetole> The error described on the howto page is that SQL is in read only mode and therefore cannot insert. I am hoping this is maintenance related on the openvpn site since it seems hard to put MySQL into read only by accident
02:13 < Mikaku> jetole: ok thanks
02:13 < jetole> yeah, same error on http://openvpn.net/ about MySQL being in read only mode
02:15 < jetole> huh, I think this effectively implies that openvpn.net is using Joomla if I am not mistaken
02:15 < jetole> I mean the error it is giving about jos_session
02:15 < Mikaku> it seems that affects all the web site
02:15 < jetole> could also be custom written and the author just named his table the same with the exact same format but I doubt it
02:15 < jetole> Mikaku: yeah it probably should
02:18 < jetole> well I found the howto via the wayback machine, http://web.archive.org/web/20080203163312/http://openvpn.net/howto.html
02:18 < jetole> 2008 is the newest one they seemed to have
02:18 < Mikaku> I use Google cache for that
02:19 < jetole> yeah I was actually looking for google cache first but didn't know the url and "google archive" didn't help too much
02:19 < Mikaku> the problem is that you can't follow links inside
02:19 < jetole> well you can with the archive.org
02:19 < jetole> try the url I just posted
02:19 < Mikaku> yep :)
02:19 < jetole> what is the google cache url?
02:20 < Mikaku> search for this in Google: http://openvpn.net/howto.html
02:20 < vpnHelper> Title: OpenVPN 2.0 HOWTO (at openvpn.net)
02:20 < Mikaku> and click on Cache
02:20 < jetole> click on Cache?
02:21 < jetole> Dammit, why do they make that so hard to find
02:21 < jetole> :P
02:21 < Mikaku> ;)
02:21 < jetole> actually I did just finish what I was looking for. I followed the steps for creating a cert that stops mitm on the server and wasn't sure how to configure the client to follow this but I just figured it out
02:22 < jetole> gonna go have a smoke, bbiab
02:22 < Mikaku> ok
02:26 < lolmaus> SOS, i've got this tapinstall.exe failed error on windows xp 64-bit. Can anyone help me with it?
02:27 -!- Cope_ [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
02:28 -!- Cope_ is now known as Cope
02:30 < Mikaku> fyi http://openvpn.net/ is working again
02:30 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net)
02:32 < jetole> so it is
02:33 < jetole> I am assuming this was a maintenance issue since like I mentioned, it's hard to put MySQL into read only mode by accident
02:33 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:33 < Mikaku> you're right
02:40 < jetole> can someone recommend a good windows gui for openvpn where the user will not have administrative rights on the system?
02:43 < reiffert> openvpngui, bundled with openvpn.
02:44 < jetole> also, is it possible to have the client key/cert with the same name for all clients even though the clients will not have the same CN in each one? I am thinking of creating a template directory and don't want to have to edit the config file for each client but can simply copy the key/cert into the template dir with the common name and send the template dir to clients
02:44 < jetole> reiffert: thanks
02:44 < krzee> !win_noadmin
02:44 < vpnHelper> krzee: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
02:44 < reiffert> !factoids search cert
02:44 < vpnHelper> reiffert: 'servercert', 'certs', and 'nocert'
02:45 < reiffert> !certs
02:45 < vpnHelper> reiffert: "certs" is (#1) use !easy-rsa-unix for easy-rsa, or (#2) use !ssl-admin for ecrists copy of ssl-admin to make and manage your certs
02:46 < onats> reiffert, i'm getting a "TLS Error: TLS handshake failed" error. do you have any suggestions where to start?
02:46 < reiffert> jetole:
02:46 < reiffert> !factoids search duplicate
02:46 < jetole> um, lemme clarify this a little, suppose both John and Leo each have client.crt and client.key inside their config dir, same name on each separate computer, but the CN for Leo is 'CN=leo' and for John 'CN=john'
02:46 < vpnHelper> reiffert: No keys matched that query.
02:46 < reiffert> jetole: however, --duplicate-n
02:46 < reiffert> jetole: however, --duplicate-cn
02:46 < Cope> I want to set up a remote access vpn to allow some users access to a windows machine in the office
02:46 < jetole> reiffert: but that isn't a duplicate cn
02:46 < Cope> I have a machine with one NIC, and I have an external IP available
02:47 < Cope> Is the one NIC a problem?
02:47 < krzee> no
02:47 < reiffert> cert filename doesnt matter.
02:47 < jetole> Cope, no it isn't but you simply will want to firewall where they have access to
02:47 < jetole> reiffert: thats what I thought but wanted to make sure
02:47 < jetole> thanks
02:47 < krzee> reiffert, he is asking if he can use the same cert, just change CN
02:47 < krzee> i think
02:47 < jetole> krzee: no
02:48 < jetole> I mean new certs will be created for each one
02:48 < krzee> ok
02:48 < reiffert> krzee: no, different certs but same filename each time, namely: client.crt client.key
02:48 < jetole> it was really just the file name I was wondering about
02:48 < krzee> my bad
02:48 < Cope> jetole: right, so as to only allow access to the windows machine?
02:48 < krzee> oh so his conf doesnt change
02:48 < jetole> Cope: right
02:48 < krzee> gotchya
02:48 < krzee> totally legit
02:48 < jetole> krzee: yes
02:48 < jetole> yeah, lol
02:48 < jetole> appreciate it guys
02:48 < Cope> Now - I've heard about IP conflicts; unfortunately the office subnet is 192.168.1.0/24
02:48 < krzee> although ssl-admin will do the config packaging for you
02:48 < onats> TLS Error: TLS handshake failed <--- anyone have suggestions where to start looking?
02:48 < krzee> assuming you supply it with the base client config
02:49 < Cope> If $user is also on the same subnet, will they be able to route to the windows box on the office network?
02:49 < krzee> it'll give you a lil zip with their keys and their config
02:49 < krzee> Cope, if you set it up that way
02:49 < jetole> just saves some admin headache for sending out packages to a bunch of employees, this way I can just copy leo.crt into template/client.crt, same thing for the key, and then tar it and send it to him
02:49 < krzee> !route
02:49 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:49 < krzee> cope, thats for you
02:49 < jetole> without worrying about changing the cert name in the config each time
02:49 < krzee> Cope, that explains what to do when lans are behind server / client
02:49 < jetole> krzee: I don't think route is too helpful
02:50 < krzee> jetole, thats for Cope
02:50 < jetole> a route can only go as small as allowing ...
02:50 < jetole> oh, you know what
02:50 < jetole> that works
02:50 < reiffert> jetole: I made some config templates and I create the user files with the help of sed and zip.
02:50 < jetole> a route is 4 addresses I believe but one is net, one is router, one is host and one is broadcast
02:50 < krzee> so does ssl-admin
02:51 < jetole> ah I hate running zip on linux
02:51 < krzee> ssl-admin does it for you *shrug*
02:51 < jetole> alright, well back to work for me
02:52 < Cope> krzee: that doesn't seem to match my situation: users may be on 192.168.1.0/24; office network is -also- on 192.168.1.0/24; How can packets be routed from home to office over a vpn?
02:52 < krzee> cant change office's lan?
02:52 < Cope> not easily
02:52 < krzee> could use the NAT hack
02:52 < Cope> certainly not by tomorrow, when the vpn is needed
02:53 < Cope> !nathack
02:53 < vpnHelper> Cope: Error: "nathack" is not a valid command.
02:53 < krzee> hrm good call
02:53 < jetole> Cope: thats kinda like an anti tcp/ip situation
02:53 < krzee> i should make a !nathack
02:53 < Cope> jetole: that's what worries me
02:53 * Cope thinks hard.
02:54 < Cope> the windows box doesn't have to be on 192.168.1.0/24 - as long as there's a local router, it could be on a different subnet, connected to the vpn box maybe
02:55 < krzee> !learn nathack as when a lan has a common subnet and must be accessed by openvpn, and you dont have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine.
02:55 < vpnHelper> krzee: Joo got it.
02:55 < jetole> Cope: how should your home machine know if you want 192.168.0.50 on its lan or vpn unless you specify 192.168.0.0/24 to be on both, or you specify a route with higher priority for a subsection of 192.168.0.0/24, let's say 192.168.0.0/29, which comes first and is routed to your office; but in this case 192.168.0.0/29 must not have any addresses within it that you will need to access simultaneously on your home network on 192.168.0.0/24
02:56 < Cope> jetole: exactly
02:56 < krzee> !learn nathack as the vpn endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:56 < vpnHelper> krzee: Joo got it.
02:56 < krzee> there you go cope
02:56 < krzee> !nathack
02:56 < vpnHelper> krzee: "nathack" is (#1) when a lan has a common subnet and must be accessed by openvpn, and you dont have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine., or (#2) the vpn
02:56 < jetole> Cope: I would in fact change my home lan to a non conflicting subnet like 192.168.10.0/24
02:56 < vpnHelper> krzee: endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:57 < krzee> jetole, he was saying the clients MAY be on that
02:57 < krzee> as in they are not under his control
02:57 < jetole> ah right
02:57 < krzee> best option is to change server lan
02:57 < Cope> krzee: right - they are random users, and non-technical
02:57 < krzee> but if that is also not in his control, he can use the nathack
02:57 < jetole> well I have that same situation which I am simply going to advise that you change it and if you don't then cry to someone else
02:58 < krzee> its true
02:58 < krzee> but theres another way as well
02:58 < krzee> i advise the same as you most the time
02:58 < Cope> I can change the server LAN, just not today - would be a significant upheaval
02:58 * jetole re reads the nethack
02:58 < krzee> not net
02:58 < krzee> NAT
02:58 < Cope> !nathack
02:58 < jetole> and where's the amulet of yandor, did a grue eat it?
02:58 < vpnHelper> Cope: "nathack" is (#1) when a lan has a common subnet and must be accessed by openvpn, and you dont have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine., or (#2) the vpn
02:58 < vpnHelper> Cope: endpoint with nat will also need ipforwarding enabled (see !ipforward)
02:58 < krzee> network address translation
02:58 -!- dazo [n=dazo@nat/redhat/x-1f91edc3c30070cd] has joined ##openvpn
02:59 < krzee> !forget nathack *
02:59 < vpnHelper> krzee: Joo got it.
02:59 < krzee> !learn nathack as when a lan has a common subnet and must be accessed by openvpn, and you dont have access to change the subnet: use the nathack! just tell the machine with the lan behind it to nat any incoming packets from the subnet over the tun device to some uncommon subnet. The router on that lan will need to know that the uncommon subnet gets routed to the VPN machine.
02:59 < vpnHelper> krzee: Joo got it.
02:59 < jetole> actually the nethack doesn't sound like a valid solution unless you are only expecting incoming traffic without sending any
02:59 -!- Mikaku [n=Mikaku@unaffiliated/mikaku] has left ##openvpn []
02:59 < krzee> !learn nathack as the vpn endpoint with nat will also need ipforwarding enabled (see !ipforward and !nat)
02:59 < vpnHelper> krzee: Joo got it.
02:59 < krzee> its NOT a nethack
02:59 < krzee> NAT!
02:59 < krzee> lol
02:59 < krzee> nat nat nat!
03:00 < Cope> ok so my vpn server has one IP - some publicly routed one
03:00 < krzee> cope
03:00 < krzee> heres how it works
03:00 < krzee> currently:
03:00 < jetole> nat too, I mean no matter what, you really should not have the same subnet on both ends and you're looking at only doing a hack to get around it
03:00 < jetole> thats just basic TCP/IP
03:01 < Cope> jetole: yes - I agree, and I can and will change the server lan, i just can't do it quickly
03:01 < krzee> the client connects, gets a route to 192.168.1.0 over vpn
03:01 < krzee> which breaks *
03:01 < jetole> Cope, well I agree however there is another solution, you mention that you only have one machine on the server lan they need access to?
03:01 < krzee> hrm
03:01 < krzee> !forget nathack *
03:01 < vpnHelper> krzee: Joo got it.
03:01 < jetole> brb, getting a glass of water
03:01 < Cope> jetole: that's correct; for now we need only access one machine - the windows one
03:02 < krzee> i dont think thats the situation for it actually, lemme think a sec
03:02 < krzee> ohh
03:03 < jetole> ok, this is easy
03:03 < krzee> nathack was for something very similar but not exactly the same
03:03 < jetole> Cope, figure out what net you want to change the lan to, for example, let's say you want to change it to 10.10.0.0/24
03:03 < krzee> its a hack for when you cant add the route to the router for the foreign subnet
03:03 < jetole> add a second IP address to the windows server on that network
03:03 < jetole> do the same thing for the openvpn server
03:03 < jetole> and tell openvpn to forward routing for that net only
03:04 < krzee> actually good call
03:04 < jetole> I do "good calls" occasionally
03:04 < Cope> how does the windows server know how to route on the 10.10.0.0/24 subnet?
03:04 < Cope> do i specify the vpn ip as the route?
03:04 < jetole> you specify a subnet for it
03:05 < jetole> actually I believe you might need to but then again
03:05 < krzee> not vpn ip
03:05 * Cope goes to look at the windows server
03:05 < krzee> you tell vpn to give clients a route to that ip through vpn
03:05 < jetole> my ovpn uses 10.100.0.0/24 and none of the internal computers have needed a manual route update
03:05 < jetole> then again I just realized my ovpn server is also a router
03:06 < Cope> right the windows machine has a spare nic
--- Log closed Thu May 07 03:09:29 2009
--- Log opened Thu May 07 06:49:40 2009
06:49 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
06:49 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
06:49 -!- Irssi: Join to ##openvpn was synced in 1 secs
06:49 < jetole> !gui
06:49 < vpnHelper> jetole: Error: "gui" is not a valid command.
06:50 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
06:50 < ecrist> krzie: I'm here now.
07:06 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 110 (Connection timed out)]
07:06 -!- las3r [n=las3r@c-66-31-200-74.hsd1.ma.comcast.net] has left ##openvpn []
07:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:29 -!- Zulan [n=foooooo@141.30.64.40] has joined ##openvpn
07:30 -!- mosno [n=mosno@unaffiliated/mosno] has quit ["leaving"]
08:27 < Zulan> Hi, I am looking for something to compress multiple packets into one. Since I haven't found any working solution I have thought about hacking that into openvpn, however it looks like the main processing is very single-packet oriented... Any thoughts on this?
08:27 < ecrist> why do you want to compress multiple packets into one?
08:27 < ecrist> really, you should just change your MTU, but most networks won't handle more than 1522, or less.
08:28 < Zulan> I want to reduce IP/UDP overhead
08:28 < ecrist> right, you need to change MTU
08:28 < ecrist> you can't really combine multiple packets into one.
08:28 < Zulan> how would that help?
08:29 < ecrist> perhaps you should read about MTU, and how TCP/IP actually works?
08:29 < Zulan> I think i know fairly well how MTU and IP works
08:30 < ecrist> well, you must know more than I, then. good luck
08:30 < Zulan> The problem is that the tiny packets are sent by a closed source application at a high frequency
08:30 < Zulan> and due to the IP overhead the bandwidth requirement is very high
08:32 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: reiffert, CybDev
08:33 -!- Netsplit over, joins: reiffert, CybDev
08:33 < Zulan> I want to do the combination with the tunnel, not at a normal network level, i might have stated that incomprehensibly
08:35 < Bushmills> Zulan, but tunneled packets still come with headers
08:37 < Bushmills> in fact, more headers. the tunneled packets carry headers, and the tunnel itself too.
08:37 < Zulan> Of course, but If i can put 5 packets into one, I only have one IP header sent through the bottleneck connection rather than 5
08:39 < Zulan> (well basically I have to carry the 5 IP headers inside the tunnel anyway, but i could compress them)
08:39 < Bushmills> i might look at vtun, in your case
08:40 < Zulan> Actually I considered that, but that is not available for the proprietary OS that the proprietary application runs on :/
08:43 < Zulan> do you have a rough idea how much overhead openvpn introduces to a single packet?
08:44 -!- sunta [n=cw@achilles.raytion.com] has joined ##openvpn
08:44 < sunta> jo
08:45 < sunta> erm hi;)
08:45 < sunta> guys, which router supports openVPN? forgot which;:(
08:47 < sunta> dlink somewhat?
08:47 < ecrist> any that runs OpenWRT
08:47 < sunta> got an example?
08:48 < sunta> I want to connect a remote office with it. easier than setting up 10 clients or?
08:49 < ecrist> http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html
08:49 < vpnHelper> Title: Supported Hardware (at www.dd-wrt.com)
08:49 < ecrist> sunta: I'd setup a freebsd server as the client on that end and push the entire network across
08:49 < ecrist> !freebsd
08:49 < ecrist> !route
08:49 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:49 < ecrist> !iroute
08:49 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
08:49 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
08:49 < Bushmills> Zulan, increase of latency here is negligible. close to measurement noise level.
08:49 < sunta> good idea
08:50 < ecrist> sunta: http://www.dd-wrt.com/wiki/index.php/Supported_Devices
08:50 < vpnHelper> Title: Supported Devices - DD-WRT Wiki (at www.dd-wrt.com)
08:50 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:50 < onats__> wazzah!
08:51 < sunta> what is freebsd though?
08:51 < sunta> just kiddin!
08:51 < Zulan> So i guess its in the range of ~20 bytes per packet?
08:51 < sunta> thx ecrist !
08:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Nick collision from services.]
08:52 -!- cpm_ is now known as cpm
08:52 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:11 -!- Timpa [i=timpa@c-191770d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:29 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:31 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:35 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has quit [Success]
09:52 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has joined ##openvpn
09:54 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit []
10:07 < frankS2> Hi, anyone here got any experience with ssl-admin? I am following the MAN on secure-computing.net to create a certificate, but the only certs i get is ca.crt and ca.key and the dh1024 file
10:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:25 -!- sunta [n=cw@achilles.raytion.com] has left ##openvpn ["Leaving"]
10:34 -!- Zulan [n=foooooo@141.30.64.40] has quit ["Konversation terminated!"]
10:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:08 -!- kachu [n=Zumbi@ip65-46-72-90.z72-46-65.customer.algx.net] has joined ##openvpn
11:09 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:35 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
11:41 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
11:51 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
11:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:18 < frankS2> that means im missing 1 file
12:21 -!- jeiworth [n=jeiworth@189.177.186.95] has joined ##openvpn
12:24 < jeiworth> hi, i have a question regarding bridged vpn setup, i configured my bridge-start script and put it together with the bridge-stop into /usr/sbin, i can run it and it creates the bridge but how do i automate this on system boot? edit the openvpn service script in /etc/init.d/ or is the bridge persistent even for reboots?
12:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
12:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
12:50 -!- kachu [n=Zumbi@ip65-46-72-90.z72-46-65.customer.algx.net] has quit [Read error: 104 (Connection reset by peer)]
12:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
12:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:00 -!- jeiworth [n=jeiworth@189.177.186.95] has quit [Read error: 60 (Operation timed out)]
13:09 -!- jeiworth [n=jeiworth@189.177.186.95] has joined ##openvpn
13:11 -!- oandarilho01 [n=kvirc@in.databras.com.br] has joined ##openvpn
13:12 < oandarilho01> greetings! someone with PKCS#11 experience?
13:14 < oandarilho01> is there a 2.1 version post-rc15 ?
13:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:46 -!- bragon [n=Alex@geekshell.ipv6.geeknode.org] has quit [Read error: 60 (Operation timed out)]
14:14 < krzee> rc15 is the latest
14:14 < krzee> !download
14:14 < vpnHelper> krzee: "download" is http://www.openvpn.net/index.php/downloads.html
14:14 < krzee> it will be there when theres newer
14:23 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
14:24 < Hydrant> hello all... I'm setting up openvpn, and I didn't realize that I have to do some extra work to get the openvpn server to work with other servers on the LAN... I need some help or direction to resources to figure out how to configure routing for other systems on the LAN to be able to communicate with the openvpn client
14:24 < Hydrant> !route
14:24 < vpnHelper> Hydrant: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:30 < Hydrant> k I have a question
14:30 < Hydrant> I want to set my router to forward traffic from the VPN clients to the VPN then right...
14:30 < krzee> huh?
14:31 < Hydrant> so if 192.168.2.10 gets a response from 10.8.0.2 for instance... it would send the response to the gateway at 192.168.2.1... and I'd want to route the 10.8.x.x traffic back through the VPN somehow ?
14:31 < krzee> ok thats not vpn clients
14:31 < krzee> thats LAN machines
14:32 < Hydrant> on the vpn server side
14:32 < krzee> and yes, that was covered in !route under the drawing
14:32 < Hydrant> yah, looking at it
14:32 < Hydrant> I'm a bit unclear on the exact solution
14:33 < krzee> if 192.168.2.x is the lan being accessed over openvpn
14:33 < krzee> then the machine on that lan running openvpn is the gateway for the vpn
14:33 < krzee> so it must be running ip forwarding (!ipforward)
14:33 < Hydrant> ah
14:34 < Hydrant> so I can add a route for the addresses of VPN clients on the router to that gateway once I have ipforwarding then
14:34 < krzee> and the router on its lan must know that for 10.8.0.x it sends packets to the machine running openvpn
14:34 < Hydrant> yah okay
14:34 < krzee> actually im not 100% you need ip forwarding
14:34 < krzee> try it first without ip forwarding
14:34 < Hydrant> okay I'll just add to the route table and see what happens
14:35 < krzee> on the router for that lan
14:35 < krzee> is the lan behind the server?
14:35 < Hydrant> the wiki is good by the way, I see you wrote it... but it might be a bit more help if you were to have a simple section first, then show the more complex example next
14:35 < Hydrant> yes
14:35 < Hydrant> the router currently is directly on the net
14:35 < Hydrant> and forwards openvpn port internally to the OpenVPN server
14:36 < Hydrant> oh sorry
14:36 < Hydrant> no, the lan isn't behind the server
14:36 < krzee> so you pushed a route?
14:36 < Hydrant> yes
14:36 < krzee> wait wait
14:36 < krzee> where is the lan?
14:36 < krzee> behind a client or a server?
14:36 < krzee> (relation to vpn)
14:37 < Hydrant> the lan is behind a linksys router that's currently forwarding the vpn port to an internal server
14:37 < krzee> heh
14:37 < krzee> not in relation to the inet
14:37 < krzee> in relation to the vpn
14:37 < Hydrant> ah
14:37 < Hydrant> well... I suppose behind the server then
14:37 < krzee> is it the lan with ovpn server or client
14:37 < Hydrant> openvpn server
14:38 < Hydrant> I have no interest in openvpn client networks
14:38 < krzee> ok, then its behind the server as far as vpn is concerned
14:38 < Hydrant> so I also wasn't sure if I needed client-client or not
14:38 < krzee> the router / firewalls are bypassed because they only exist on the outside of the tunnel
14:38 < krzee> well, do you need clients to access each other?
14:38 < krzee> (without hitting the kernel / firewall rules)
14:39 < krzee> client-to-client allows openvpn to handle routing clients to each other without hitting the kernel
14:39 < krzee> all internally
14:39 < krzee> as explained in:
14:39 < krzee> !man
14:39 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:41 < Hydrant> I would want say 10.8.0.11 to know about 10.8.0.12...
14:41 < Hydrant> but not to really use each other as gateways for their networks
14:43 < Hydrant> k... I setup a static routing table
14:43 < Hydrant> I don't seem to be able to ping other systems though, lemme see what the logs say
14:43 < Hydrant> !logs
14:43 < vpnHelper> Hydrant: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:44 < Hydrant> !iproute
14:44 < vpnHelper> Hydrant: Error: "iproute" is not a valid command.
14:44 < Hydrant> !interface
14:44 < vpnHelper> Hydrant: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:46 < Hydrant> !ipforward
14:46 < vpnHelper> Hydrant: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:46 < krzee> did you push a route to clients for the lan?
14:46 < Hydrant> !linipforward
14:46 < vpnHelper> Hydrant: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:46 < Hydrant> krzee: I adjusted my default router (linksys router)
14:46 < Hydrant> added a static route
14:46 < krzee> did you push a route to clients for the lan?
14:46 < krzee> (as explained if you read my walkthrough)
14:46 < Hydrant> I'm not sure what you mean
14:46 < Hydrant> oh, you mean adding route
14:47 < Hydrant> err. push route
14:47 < Hydrant> yes
14:47 < krzee> push "route 192.168.2.0 255.255.255.0"
14:47 < krzee> and the router on the lan is what OS?
14:47 < Hydrant> http://rafb.net/p/LKZXNV17.html
14:47 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:48 < Hydrant> it's a $89 linksys router :-P
14:48 < Hydrant> everything else is linux systems
14:49 < krzee> is it running linux or linksys firmware?
14:50 < Hydrant> linksys firmware
14:51 < Hydrant> http://rafb.net/p/XJYpTb38.html
14:51 < krzee> ok
14:51 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:51 < Hydrant> here is my route table on the router
14:52 < krzee> !configs
14:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:53 < Hydrant> server: http://rafb.net/p/lWiksH16.html
14:53 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:54 < Hydrant> client: http://rafb.net/p/g2qRHm47.html
14:54 < vpnHelper> Title: Nopaste - No description (at rafb.net)
14:56 < Hydrant> is there a way to see how packets are getting routed around? just traceroute I guess?
15:01 < Hydrant> aha... with ipforwarding it works perfectly!
15:10 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
15:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:46 -!- jeiworth [n=jeiworth@189.177.186.95] has quit [Read error: 110 (Connection timed out)]
16:00 -!- jeiworth [n=jeiworth@189.177.123.182] has joined ##openvpn
16:19 -!- bi0os_ [n=bi0os_@67.227.82.47] has joined ##openvpn
16:19 < frankS2> Hi, anyone here got any experience with ssl-admin? I am following the MAN on secure-computing.net to create a certificate, but the only certs i get is ca.crt and ca.key and the dh1024 file
16:19 < frankS2> so i am missing the server.key/crt
16:23 -!- bi0os_ [n=bi0os_@67.227.82.47] has left ##openvpn []
16:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:35 -!- KavanS [n=KavanS@static-71-117-242-28.ptldor.dsl-w.verizon.net] has joined ##openvpn
16:53 -!- oandarilho01 [n=kvirc@in.databras.com.br] has quit ["KVIrc 3.4.0 Virgo http://www.kvirc.net/"]
17:02 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn
17:34 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:23 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has joined ##openvpn
18:24 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has quit [Remote closed the connection]
18:25 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has joined ##openvpn
18:48 < reiffert> frankS2: ecrist and krzee know all about it
18:48 < ecrist> frankS2: do you have the latest version from SVN, or are you on FreeBSD, using ports version?
18:48 -!- eliasp [n=quassel@95.208.45.212] has quit [Read error: 131 (Connection reset by peer)]
18:49 < frankS2> freebsd ports
18:49 * ecrist wrote ssl-admin
18:49 -!- freaky_t [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)]
18:49 < ecrist> the latest ports tree has the latest working copy of ssl-admin, so all the bits should be there.
18:49 < frankS2> http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
18:49 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net)
18:49 < frankS2> i followed this
18:50 < ecrist> option 'S' will build an OpenVPN server certificate
18:50 < ecrist> that page is a little out of date.
18:50 < ecrist> see
18:50 < ecrist> !freebsd
18:50 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
18:50 < ecrist> but everything else should apply
18:50 < ecrist> see option S on the ssl-admin menu
18:51 < frankS2> oh ok
18:51 < frankS2> the how-to should be updated then
18:51 < frankS2> hehe
18:51 < krzee> frankS2, did you choose S for server?
18:51 < frankS2> krz: no i just followed the manual
18:51 < krzee> ahh
18:51 < krzee> ya that was before S was added
18:52 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
18:52 < krzee> sup eric
18:52 < ecrist> nm. you?
18:52 < krzee> chillen
18:52 < ecrist> I got your server powered-up, btw.
18:53 < krzee> thinkin bout going out in a few but the girl dont feel good
18:53 < ecrist> aww
18:53 < krzee> ya i saw, thanx
18:53 < ecrist> wife and I are going to Disturbed concert tomorrow. :)
18:53 < krzee> niiiice
18:55 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn
18:56 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:59 < freaky_t> hi all i have a problem with the bridging setup. i have 1 ethernet device on that server (eth0). and im trying to create a bridge on it using the bridge-start script. but every time i run the bridge-start script, my connection to the server gets lost and i cant connect to it anymore using ssh. i then have to restart the server.
19:00 < freaky_t> in the log theres this message:
19:00 < freaky_t> Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
19:00 < freaky_t> oh wait no
19:00 < freaky_t> sorry wrong one
19:00 < freaky_t> this:
19:00 < freaky_t> May 8 01:39:43 master ovpn-server[19845]: /usr/bin/openssl-vulnkey -q -b 1024 -m
19:00 < freaky_t> May 8 01:39:44 master ovpn-server[19845]: TUN/TAP device tap0 opened
19:01 < freaky_t> can anyone help me?
19:03 < krzee> does the bridge script set a gateway for it?
19:04 < freaky_t> hm?
19:04 < freaky_t> what gateway?
19:04 < krzee> after it creates the bridge it must set a gateway
19:04 < krzee> right at the end
19:04 < krzee> common problem
19:05 < krzee> my guess is that if you set a gateway manually if it wasnt a remote box it would start working
19:05 < freaky_t> ok so what should i do now?
19:06 < freaky_t> how do i add this gateway?
19:06 < krzee> have it rebooted and add that to the script
19:06 < krzee> do you really need bridged?
19:06 < krzee> usually people try bridge but they should be using routed
19:06 < freaky_t> I want bridged so we can see each other's PCs in the network
19:07 < freaky_t> what should I add to the script?
19:07 < krzee> with an IP protocol?
19:07 < freaky_t> i mean using windows network file sharing
19:07 < krzee> wins server?
19:07 < freaky_t> hmm
19:08 < freaky_t> would I only need to run a wins server to achieve that we can see each other's PCs?
19:08 < krzee> yup
19:08 < freaky_t> oh cool
19:08 < krzee> !tunortap
19:08 < freaky_t> ^^
19:08 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
19:08 < krzee> hrm
19:08 < krzee> !bridge
19:08 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
19:08 < vpnHelper> krzee: (but not samba, see !wins)
19:08 < freaky_t> !wins
19:08 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:09 < freaky_t> what is a good wins server?
19:09 < krzee> windows only?
19:09 < freaky_t> maybe some linux too
19:09 < krzee> well the wins server can be on linux very easily, its part of samba
19:09 < krzee> you just change like 2 lines
19:09 < krzee> or whatever, its explained in the above link
19:09 < freaky_t> I can't get samba to run
19:10 < krzee> then you tell the windows machines to use him as the wins server
19:10 < freaky_t> i've already posted to the mailing list
19:10 < freaky_t> nobody has answered me in 2 days
19:10 < krzee> ya i use NFS (but i also dont use windows)
19:10 < krzee> iv e setup
19:10 < krzee> err
19:10 < krzee> ive setup samba before, but not much
19:11 < freaky_t> it doesnt recognize the interface
19:12 < krzee> try with tun
19:12 < freaky_t> yea
19:12 < freaky_t> i tried that with tun
19:12 < freaky_t> it tells me it cant find any interfaces
19:13 < krzee> when the vpn was already up?
19:13 < freaky_t> [2009/05/08 02:13:01, 0] lib/interface.c:load_interfaces(543)
19:13 < freaky_t> WARNING: no network interfaces found
19:13 < freaky_t> yea
19:13 < krzee> *shrug* i dont really use samba
19:13 < krzee> im sure they have a help channel somewhere
19:13 < freaky_t> i was there too asking for help and nobody answered me
19:13 < krzee> or a linux help chan would have people that use that
19:14 < freaky_t> i also searched for it using google
19:14 < krzee> still, not openvpn
19:14 < freaky_t> but i couldnt find anything that helped me
19:14 < freaky_t> ok :\
19:14 < freaky_t> isnt there any single wins server?
19:14 < krzee> no idea
19:15 < freaky_t> hm ok thank you
19:15 < krzee> whats the goog tell you
19:15 < krzee> !google wins server
19:15 < vpnHelper> krzee: WINS server role: Configuring a WINS server: General: ; What Is WINS?: Windows Internet Name Service (WINS): ; Windows Internet Name Service - Wikipedia, the free encyclopedia:
19:15 < krzee> Setting up a WINS Server
19:15 < krzee> 29 Nov 2008 ... A WINS server can help hold down broadcast traffic when there are multiple computers on your network. This server has a static IP address ...
19:15 < krzee> (36)
19:16 < krzee> err (#6)
19:16 < freaky_t> ?
19:16 < freaky_t> hmm
19:16 < freaky_t> it just doesnt want to listen
19:18 < krzee> http://technet.microsoft.com/en-us/library/cc787764(WS.10).aspx
19:18 < vpnHelper> Title: Content not found (at technet.microsoft.com)
19:18 < Bushmills> grin
19:18 < krzee> sup Bushmills
19:19 < Bushmills> if there's "microsoft" written somewhere, it is usually at the beginning of a cascade of errors :D
19:20 < krzee> lol
19:21 < Bushmills> still, my last message made it, instead of giving me some message like "error: server timed out"
19:23 < Bushmills> but sometimes it's a bit frustrating. i am also on the #asm channel, and for a reason i cannot fathom, most questions come from people, trying to learn asm, using masm, under windows.
19:23 < Bushmills> what a bizarre combination, especially for learning first steps.
19:23 < krzee> haha
19:24 < krzee> like learning how to snow ski on a tropical island
19:24 < krzee> except less cool sounding
19:25 < Bushmills> more like, starting to learn skateboarding on a 70 incher, in the tube at hawaii,
19:25 < Bushmills> or learning to fly in a sukhoi acrobatics plane
19:26 < theDoc> or maybe, just simply painful:)
19:26 < Bushmills> yeah, but both alternative learning methods above imply that :)
19:28 < Bushmills> so when the bot said " Title: Content not found (at technet.microsoft.com)" it gave me some great relief
20:01 -!- jeiworth_ [n=jeiworth@189.234.35.254] has joined ##openvpn
20:01 -!- Dougy [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Nick collision from services.]
20:01 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has joined ##openvpn
20:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:01 < Dougy> heoy
20:01 < Dougy> heyo
20:02 < Dougy> krzie ding
20:02 < Dougy> mother f
20:02 < Dougy> krzie when you got a min, wanna assist in forum clean up
20:03 -!- KavanS [n=KavanS@static-71-117-242-28.ptldor.dsl-w.verizon.net] has quit ["Leaving"]
20:08 < Dougy> eh'
20:08 < Dougy> i got it
20:08 < Dougy> 30 threads gone
20:12 < freaky_t> krzee can u pls tell me how to set/create that gateway in the bridge-start script? because samba doesnt listen and i want people to see each other in the vpn
20:14 -!- jeiworth [n=jeiworth@189.177.123.182] has quit [Read error: 110 (Connection timed out)]
20:37 < onats> krzee, are you there?
20:39 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:41 < onats> !logs
20:41 < vpnHelper> onats: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
20:41 < onats> !configs
20:41 < vpnHelper> onats: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:41 -!- jeiworth_ [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
20:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
21:07 < ecrist> bitches
21:08 < ecrist> Dougy: why not setup captcha and some other features to prevent SPAM?
21:08 < ecrist> I've been doing a ton of clean-up, but haven't gotten around to it in a week or two...
21:16 < Dougy> yeah
21:16 < Dougy> i cleaned up myself
21:16 < Dougy> i guess i should enable captcha one of these days
21:17 < Dougy> its my site, i guess i should start taking care of it
21:17 < Dougy> :X
21:17 < freaky_t> :D
21:17 < ecrist> I went in at one point and fixed permissions, I think I removed anon edits
21:17 < ecrist> oh, btw, I hacked the DB to give me admin/founder privs. hope you don't mind. ;)
21:18 < ecrist> gave those rights to krzee, too
21:22 < Dougy> no problems
21:22 < Dougy> i thought i had already done that
21:22 < Dougy> my b
21:23 < Dougy> fail.
21:23 < ecrist> eh, it was right before you disappeared for a while.
21:23 < Dougy> ecrist: epic fail
21:23 < Dougy> Timing cached reads: 4042 MB in 2.00 seconds = 2024.45 MB/sec
21:23 < Dougy> Timing buffered disk reads: 20 MB in 3.60 seconds = 5.56 MB/sec
21:23 < ecrist> no biggy. easy to hack a DB when the DB is on my server. :)
21:23 < Dougy> thats on a RAID 10 array.
21:24 < ecrist> ick, that's nasty
21:24 < Dougy> lame
21:24 < Dougy> its running 16 domUs
21:24 < Dougy> when it was under no load it was a lot better why
21:24 < Dougy> when it was under no load it was a lot better *
21:24 < Dougy> Timing cached reads: 7434 MB in 1.99 seconds = 3728.42 MB/sec
21:24 < Dougy> Timing buffered disk reads: 464 MB in 3.01 seconds = 154.23 MB/sec
21:24 < Dougy> ^ no load
21:25 < ecrist> I forgot to benchmark my new array
21:25 < ecrist> I'm going to do it now
21:27 < ecrist> ecrist@leopard:~-> dd if=/dev/random of=test.bin bs=1024k count=2000
21:27 < ecrist> 2000+0 records in
21:27 < ecrist> 2000+0 records out
21:27 < ecrist> 2097152000 bytes transferred in 55.518069 secs (37774225 bytes/sec)
21:29 < ecrist> that's 302 Megabits/sec on write for a 2G file
21:29 < ecrist> read from /dev/random
21:29 < ecrist> that's a RAID 60
21:29 < ecrist> 12 disks
21:30 < ecrist> I can't remember what it came to, but I did a RAID1 with all 12 disks, and it was *REALLY* fast
21:30 < ecrist> all SAS disks, 10k
21:30 < ecrist> oh, wait, sorry, SAS bus, SATA2 disks @ 7.2k
21:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:33 < ecrist> krzee's a bitch, though, so don't think anything of it
21:34 < krzee> lol
21:34 < ecrist> :)
21:34 < ecrist> krzee, have you ever read 'Lights Out'?
21:35 < krzee> nah
21:35 < krzee> i remember the game from when i was lil tho
21:35 < ecrist> the game?
21:35 < ecrist> no, it's a book, written by an on-line forum of people, early 2000's
21:35 < krzee> http://en.wikipedia.org/wiki/Lights_Out_(game)
21:36 < ecrist> http://secure-computing.net/files/lightsout.pdf
21:36 < ecrist> it's a 611 page book
21:36 < krzee> topic?
21:36 < ecrist> I, honestly, have spent my past two work-days reading it.
21:36 < ecrist> on page 416 now.
21:36 < ecrist> knowing you, a bit, you may enjoy it
21:38 < krzee> right on
21:38 < krzee> thc
21:38 < krzee> thx
21:38 < krzee> Saving to: `lightsout.pdf'
21:38 < ecrist> I don't read books, usually, because if I start a good one, I don't quit till it's done.
21:39 < ecrist> I owe the boss ~13 hours
21:39 < ecrist> I didn't get that email, btw.
21:40 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
21:41 < Dougy> itsw krzie !
21:46 < Dougy> s/krzie/krzee/
22:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:07 -!- jeiworth [n=jeiworth@189.163.165.139] has joined ##openvpn
22:21 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has joined ##openvpn
22:21 < lough> anyone use openvpn/openvpn-gui under windows 7?
22:25 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:34 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has quit []
22:37 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has joined ##openvpn
22:38 < lough> im using windows 7 and i installed openvpn 2.1 rc16 and set the installer to vista compatibility and run as administrator but when i click on the shortcut for the gui on my desktop, the icon doesnt show up in the notification tray but the process is running
22:38 < lough> rc15*
22:38 < ecrist> iirc, win7 isn't fully supported yet
22:39 < ecrist> sorry
22:40 < lough> hmm ok i got it to work
22:41 < lough> i had to set openvpn.exe and openvpn-gui.exe to vista compatibility and have them run under admin privs
22:49 -!- lough [n=nn@ip-129-15-127-150.fennfwsm.ou.edu] has quit []
22:53 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
23:08 -!- Cron1x [n=Cr0nix@e180069134.adsl.alicedsl.de] has joined ##openvpn
23:17 -!- Cr0nix [n=Cr0nix@85.180.70.46] has quit [Read error: 145 (Connection timed out)]
23:31 -!- Xpistos [n=x@76.9.163.133] has joined ##openvpn
23:32 < Xpistos> We are using ClarkConnect (4.3) at work and are trying to decide what would be better OpenVPN or OpenSwan. Does OpenVPN have a plugin for WebMin?
23:32 < ecrist> not that I'm aware of
23:42 -!- jeiworth [n=jeiworth@189.163.165.139] has quit [Read error: 110 (Connection timed out)]
23:58 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
--- Day changed Fri May 08 2009
00:14 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:20 < dan__t> hi.
01:03 -!- Xpistos [n=x@76.9.163.133] has quit [Remote closed the connection] 01:37 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:48 -!- Timpa [i=timpa@193.13.142.180] has quit [Read error: 113 (No route to host)] 02:21 -!- onats__ [n=onats@122.53.137.107] has quit [SendQ exceeded] 02:31 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 03:05 < alinuxskyper99> hi all ..got OpenVPN setup on a windows server..and Cisco router is the gateway...now I can ping the server..I want to be able to ping the computers on the subnet 03:05 < alinuxskyper99> should I add a route to the router pointing to the server / 04:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 04:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)] 04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 05:03 -!- Isen [n=marcus@pub.sizeit.se] has joined ##openvpn 05:04 < Isen> Hello. Anyone know if it is possible to have a list of active openvpn certificates? 05:04 < Isen> Instead of putting disabled in the client username in the ccd folder i put "active" on those that should work 05:04 < Isen> Can it be configured in anyway like that? 05:28 < frankS2> ecrist: another question, with ssl-admin. how can i create keys for the client to connect? which keys does the lcient have to use, and where should i place them in the openvpn server config? 
05:50 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)] 06:37 -!- Cr0nix [i=irssi@62.141.56.213] has joined ##openvpn 06:37 < Cr0nix> hi all 06:38 < Cr0nix> any 1 can tell me how i do forward all the invoming traffic on a specific static ip of the vpn server to one of my vpn clients 06:38 < Cr0nix> outgoing is working 06:38 < Cr0nix> i can browse the web with the ip of the vpn server 06:39 < Cr0nix> but i need to create some servers on the vpn client which should be reachable via one of the 3 static ip's the vpn server has assigned 06:39 < Cr0nix> how do i do that? 06:39 < Cr0nix> so 06:39 < Cr0nix> if i for eg. ssh to the vpn servers static internet IP 2 it should forward it to the vpn client 06:40 < Cr0nix> so im connected via ssh to the client and not to the server 06:40 < Cr0nix> how do i do that? 06:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 07:06 < Cr0nix> 69 users online and not even one is talking... OMFG 07:11 -!- Timpa [n=timpa@c-611370d5.09-47-626f6410.cust.bredbandsbolaget.se] has joined ##openvpn 07:14 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 07:15 < ecrist> frankS2: use option '4' in ssl-admin 07:15 < ecrist> you just need plain-ol' client SSL certs 07:15 < ecrist> they don't have to be part of the server config at all 07:16 < ecrist> for that, generate the CRL, available on the menu, and put that somewhere, and point your OpenVPN config to it. It should auto-update each time your revoke a certificate. 07:16 < ecrist> it should have been auto-generated when you created your CA cert. 
07:31 -!- Timpa [n=timpa@c-611370d5.09-47-626f6410.cust.bredbandsbolaget.se] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 07:33 -!- skon_ [n=skon@123.208.1.176] has joined ##openvpn 07:43 -!- skon_ [n=skon@123.208.1.176] has left ##openvpn ["Leaving"] 08:52 < Cron1x> any1 here who can answer my question please? 08:53 < ecrist> Cron1x: you need policy-based routing on your firewall 08:53 < ecrist> which is beyond the scope of this channel 08:53 < ecrist> someone may be willing to help you, but it can be complicated 08:54 < Cron1x> hmm 08:54 < Cron1x> alright 08:54 < Cron1x> i wanna make a server available through the ip of the vpn server 08:54 < Cron1x> because the server is located at my home 08:54 < Cron1x> and i need a "static ip" 08:55 < Cron1x> like dyndns just with ip via vpn 08:55 < ecrist> sure, you can do that with a reverse NAT of sorts 08:55 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: qknight, Cope, troy- 08:58 -!- Netsplit over, joins: qknight 08:58 -!- Netsplit over, joins: Cope 09:02 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 09:10 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 09:11 -!- ThomasI [n=thomas@unaffiliated/thomasi] has joined ##openvpn 09:12 < ThomasI> !redirect 09:12 < vpnHelper> ThomasI: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 09:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 09:30 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 09:40 < frankS2> ecrist: oh ok.. thanks, so you create the client certs WITH the server file. 
ofcourse just ike ssh keys 09:49 -!- unix3 [n=unix3@190.10.68.228] has quit ["Leaving"] 09:50 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 09:53 -!- unix3 is now known as epaphus 10:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 10:43 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Success] 10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 11:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 11:09 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 54 (Connection reset by peer)] 11:11 -!- jeiworth [n=jeiworth@189.177.29.193] has joined ##openvpn 11:12 -!- ThomasI [n=thomas@unaffiliated/thomasi] has quit ["Bye Bye!"] 11:28 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has quit ["leaving"] 11:36 -!- jeiworth [n=jeiworth@189.177.29.193] has quit [Read error: 104 (Connection reset by peer)] 11:39 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn 11:43 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 11:53 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:42 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 12:42 -!- krzy [i=nobody@hemp.ircpimps.org] has left ##openvpn ["Leaving"] 13:27 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:27 -!- Guest26656 is now known as pekster 13:40 -!- jeiworth_ [n=jeiworth@189.177.22.63] has joined ##openvpn 13:43 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out] 13:49 -!- sixtwo [i=moneybag@has.no.info.tm] has joined ##openvpn 13:54 -!- jeiworth__ [n=jeiworth@189.177.22.63] has joined ##openvpn 13:54 -!- jeiworth_ [n=jeiworth@189.177.22.63] has quit [Read error: 104 (Connection reset by peer)] 13:55 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Read error: 110 (Connection 
timed out)] 14:12 -!- nate [n=nate@vodka.booze.org] has joined ##openvpn 14:12 < nate> !logs 14:12 < vpnHelper> nate: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 14:12 < nate> !configs 14:12 < vpnHelper> nate: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:12 < nate> !interface 14:12 < vpnHelper> nate: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 14:13 < nate> so while I am digging all that up, let me ask the question. I'm able to secure a connection to the server but I cannot obtain an IP address via DHCP(from openvpn) 14:14 < nate> linux server, windows client. 14:14 < nate> dhcp just times out on the client and assigns me a 169.x.x.x IP 15:26 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:52 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit ["Leaving"] 16:27 -!- jeiworth__ [n=jeiworth@189.177.22.63] has quit [Read error: 110 (Connection timed out)] 17:01 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 17:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:16 -!- EspritNett [n=Espritne@41.140.252.6] has joined ##openvpn 17:17 < EspritNett> i want to configure vpn 17:18 < EspritNett> i have a router 3com integred firewall 17:20 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection] 17:29 < krzie> keep going... 
17:42 -!- EspritNett [n=Espritne@41.140.252.6] has quit [Connection timed out] 18:25 -!- sixtwo [i=moneybag@has.no.info.tm] has quit [Remote closed the connection] 18:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:55 -!- temba_alternativ [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 20:05 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:10 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:34 -!- betabot [n=betabot@li20-55.members.linode.com] has joined ##openvpn 20:48 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 21:28 -!- mnm [n=quassel@c-71-194-111-121.hsd1.il.comcast.net] has quit [Read error: 113 (No route to host)] 21:33 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 22:10 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 22:45 -!- albech [n=albech@119.42.76.84] has quit [Read error: 60 (Operation timed out)] 22:55 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 23:08 -!- Cronix [n=Cr0nix@e180066066.adsl.alicedsl.de] has joined ##openvpn 23:24 -!- Cron1x [n=Cr0nix@e180069134.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)] 23:46 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 60 (Operation timed out)] 23:53 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 23:56 -!- lataffe [n=lars@212.89-10-28.nextgentel.com] has quit [Read error: 60 (Operation timed out)] --- Day changed Sat May 09 2009 00:12 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn 00:14 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 00:35 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:15 -!- theDoc 
[n=andelyx@bb116-15-137-19.singnet.com.sg] has joined ##openvpn 01:15 -!- theDoc [n=andelyx@bb116-15-137-19.singnet.com.sg] has quit [Client Quit] 01:16 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 01:27 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 113 (No route to host)] 01:30 -!- Guiri [n=Guiri@76-204-5-74.lightspeed.livnmi.sbcglobal.net] has joined ##openvpn 01:31 < Guiri> So I have a migraine from this :-). Can anyone lend a hand? I compiled and installed it on OS X. I gave it a launchdaemon so it starts but I can't find where it stores the config file 01:31 < Guiri> Or figure out that Tun/Tap thing 01:32 < Guiri> !howto 01:32 < vpnHelper> Guiri: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:33 < krzee> it stores the config whereever you put it 01:33 < krzee> openvpn /path/to/ 01:34 < krzee> !tunortap 01:34 < vpnHelper> krzee: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 01:46 < Guiri> krzee: ./vars doesn't seem to pass my key directory that I define in easy-rsa and throws an error on clean-all 01:46 < Guiri> Any ideas? 01:46 < Guiri> The entire directory is written out in the script 01:47 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 01:47 < krzee> did you follow it exactly? 01:48 < krzee> as in 01:48 < krzee> . ./vars 01:51 < Guiri> ah 01:51 < Guiri> thanks 01:51 < Guiri> sorry for the dumb questions 01:51 < Guiri> but this is difficult for me 01:52 < krzee> yw 02:07 < Guiri> Yeah I'm making headway now. 
Transferred the sample configs and generated the keyfiles at 2048 bits 02:15 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 02:22 -!- bandini [n=bandini@host142-110-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn 02:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 03:16 -!- bassliner [n=armin@deepbass.org] has joined ##openvpn 03:17 < bassliner> !configs 03:17 < vpnHelper> bassliner: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:18 -!- gallatin [n=gallatin@dslb-092-073-122-121.pools.arcor-ip.net] has joined ##OpenVPN 03:18 -!- Guiri [n=Guiri@76-204-5-74.lightspeed.livnmi.sbcglobal.net] has left ##openvpn [] 03:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:34 -!- carpe_ [n=carpe@66.11.76.242] has joined ##openvpn 04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)] 04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 05:03 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 05:04 -!- Alagar [n=helpdesk@pool-173-58-10-241.lsanca.fios.verizon.net] has joined ##openvpn 05:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:02 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 06:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 06:52 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has quit ["Leaving"] 07:01 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 07:20 -!- Timpa [i=timpa@193.13.142.180] has joined ##openvpn 07:23 -!- Alagar 
[n=helpdesk@pool-173-58-10-241.lsanca.fios.verizon.net] has quit [Remote closed the connection] 08:02 -!- EspritNett [n=Espritne@41.140.252.4] has joined ##openvpn 08:04 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)] 08:06 -!- azaghal [n=azaghal@198.225.178.212.adsl.dyn.beotel.net] has joined ##openvpn 08:09 < azaghal> Hello. Is it possible to tell OpenVPN daemon to close a connection to a particular client in some way? (without restarting it) 08:12 -!- gallatin [n=gallatin@dslb-092-073-122-121.pools.arcor-ip.net] has quit ["Client exiting"] 08:14 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 08:21 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Read error: 104 (Connection reset by peer)] 08:27 -!- EspritNett [n=Espritne@41.140.252.4] has quit [Connection timed out] 08:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 08:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 08:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Remote closed the connection] 09:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 09:05 < Dougy> hey all 09:05 < Dougy> anyone awake in here at all 09:06 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=6&t=129 / http://www.ovpnforum.com/viewtopic.php?f=5&t=124 09:06 < vpnHelper> Title: OpenVPN Forum View topic - revoking a certificate (at www.ovpnforum.com) 09:06 < Dougy> if anyone wants to look / read / comment 09:12 < Bushmills> pre- or post coffee awake? 
09:13 < Dougy> donno how competent you are 09:13 < Dougy> take a look at them two :> 09:13 < Bushmills> certificates aren't my speciality 09:14 < Bushmills> i suppose that was written as response to a question 2 days ago 09:17 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has joined ##openvpn 09:32 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 09:34 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 09:35 < Dougy> lol 09:35 < Dougy> what about second one Bushmills 09:39 < bassliner> !help 09:39 < vpnHelper> bassliner: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 09:40 < bassliner> !help pki 09:40 < vpnHelper> bassliner: Error: There is no command "pki". 09:40 < Dougy> !forum 09:40 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 09:40 < bassliner> !help define 09:40 < vpnHelper> bassliner: Error: There is no command "define". 09:52 < freaky_t> krzee u there? 09:52 < Dougy> nope he is not 09:54 < Bushmills> Dougy, well, most likely cause, indeed. 09:54 < Dougy> que? 10:10 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn 10:38 < Dougy> Anyone need any colocatino? 10:38 < Dougy> colocation 10:45 -!- Blu3 [i=david@BlueLabs/Blu3] has joined ##openvpn 10:46 < Blu3> !redirect 10:46 < vpnHelper> Blu3: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 10:48 < Blu3> i've an oddity about using port based routing (iproute2) and openvpn. i have my rules all set such that the right packets get routed out the vpn and properly nat'd but the response comes back in, is seen on tun0 w/ tcpdump, but it never makes it to the userland application. 
in short, i use iptables to fwmark packets, ip rule match to the fwmark goes via a table, ip route for that table goes out the vpn. three statements 10:49 < Blu3> i've done routing like this before, not using openvpn, and it works fine. is there something about openvpn that i'm missing? 10:52 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn 10:53 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 11:08 -!- Cr0nix [i=irssi@62.141.56.213] has quit [Remote closed the connection] 11:09 * Dougy yawns 11:09 < Dougy> Blu3: i'm sure you'll ask me since i spoke 11:10 < Dougy> i have no clue 11:15 < Blu3> :) nah, if you don't know, no worries 11:15 -!- Celsiux-Nulled [n=Nullesd@67.205.89.132] has quit [Success] 11:25 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn 11:26 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 11:34 < Blu3> hmm, i think i solved it. i forgot to disable RP 11:42 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 11:43 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 12:09 -!- epaphus is now known as andep 12:09 -!- andep [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"] 12:10 -!- zend [n=unix3@201.199.62.74] has joined ##openvpn 12:14 < zend> Hello all. I have this scenario. PC on Private LAN --> Client without redirect-gateway enabled -> server 12:15 < zend> If I start the client with redirect-gateway my PC (which is configured to have the client as its default gateway) can surf the internet through the VPN without any problem. 12:16 < zend> However, iam trying to disable redirect-gateway on the client, and be able to have the PC still connect through the internet via the client. What would i need? 12:17 < zend> I have no special NAT rule in the client, I was thinking of a special NAT rule on the server? iam wrong? 12:19 < zend> krzee, u there? 
12:21 -!- Blu3 [i=david@BlueLabs/Blu3] has left ##openvpn ["I ❤♥❤ Guys"] 12:24 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn 12:55 < freaky_t> hi all i have a problem with samba and openvpn. im trying to run samba for filesharing and wins server. but when i start it, nmbd says it cant find any interface. if i only run nmbd with debug lvl to 10 (max) it says: 12:55 < freaky_t> not adding non-broadcast interface tun0 12:55 < freaky_t> WARNING: no network interfaces found 12:55 < freaky_t> but i want it to listen on tun0 12:56 < freaky_t> i have allready posted to the samba mailinglist and asked several times in #samba but nobody can help me. can anybody pls help me im trying this since 5 days :( 12:56 -!- Timpa [i=timpa@193.13.142.180] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 13:10 < freaky_t> or is anyone here who can tell me what line i have to add to the bridge-start script to not disconnect me from my server when i run the bridge-start script? because it's a dedicated server with only 1 ethernet card 13:11 < freaky_t> krzee u there? 13:12 < zend> funny how i ended my question with "krzee u there?" u do too 13:14 < freaky_t> yea hehe 13:14 < freaky_t> he was about to tell me a solution for my problem with the bridge-start script. but then he told me to use tun and try it. but it doesnt work as samba (nmbd) doesnt wanna listen on non-broadcast interfaces 14:07 < freaky_t> server 10.8.0.0 255.255.255.0 in the config 14:07 < freaky_t> another question. does anybody know how i can change the netmask of the tun (tun0) interface openvpn creates on every startup? because i want 255.255.255.0 but it is 255.255.255.255 even though i have server 10.8.0.0 255.255.255.0 in the config. 14:09 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 14:29 < jetole> freaky_t: this sounds like more of a samba issue to me 14:29 < freaky_t> yea 14:30 < freaky_t> and what about the last question? 
:D 14:30 < jetole> freaky_t: I don't believe you can, tun0 is a point to point connection _I_THINK_ 14:31 < freaky_t> aha ok 14:32 < jetole> actually 14:32 < jetole> and I was just thinking about this while I was afk for a min 14:32 < jetole> why do you want to change it 14:32 < jetole> what are you trying to do? 14:32 < freaky_t> i dont know someone told me to do it 14:33 < freaky_t> and when i manually changed the subnet mask of the interface 14:33 < freaky_t> to 255.255.255.255 the samba server started 14:33 < freaky_t> and nmbd bound to 10.8.0.1 14:33 < freaky_t> ;D 14:33 < freaky_t> but now suddenly it works 14:33 < freaky_t> i dont know why 14:33 < jetole> uh... neat 14:33 < freaky_t> ill soon restart the server and check if it still works 14:33 < jetole> there are options in sb.conf to define which nic to bind to 14:33 < freaky_t> but i cant reach samba from my client pc 14:34 < freaky_t> sb.conf? 14:34 < jetole> but I don't know that much about samba 14:34 < jetole> smb.conf 14:34 < freaky_t> yea i know but as i said, nmb always said not binding to non-broadcast interface tun0 14:35 < jetole> well I know tun0 is not a broadcast interface but I am not sure why it would not bind if wins-server is enabled 14:35 < jetole> in fact 14:35 < jetole> even netbios supports over tcp 14:36 < jetole> I played with this a little but since I also have a win2k3 server in the office I just chose to use that for WINS and had ovpn push the wins server via dhcp 14:36 < jetole> and that works for me 14:37 < freaky_t> hm ok 14:38 < freaky_t> ill restart my server now ill brb in 10 mins 14:44 -!- freaky_t [i=alpha@member.team-box.net] has quit [Remote closed the connection] 14:47 < zend> can anybody help me on my Client without redirect-gateway enabled -> server . How to route question... ? 
14:51 -!- tuxsmouf [n=tuxsmouf@105.197.81-79.rev.gaoland.net] has joined ##openvpn 14:54 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn 14:54 < Hydrant> hello all... I've gotten VPN up, now I'm looking at how hard it's going to be to have DNS working 14:55 -!- freaky_t [i=alpha@member.team-box.net] has joined ##openvpn 15:09 < freaky_t> ok everything still working but i cant connect to the share on the server 15:10 < freaky_t> only via net use i can add a drive on my vista pc to that share 15:11 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn 15:31 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 16:08 < krzie> zend: i assume you read !route 16:08 < krzie> Hydrant, see !pushdns if you have any issues 16:09 < krzie> freaky_t, still gotta get a wins server up, i still cant help, if you use samba see !wins 16:09 < krzie> its seriously just a line or 3 in the samba config 16:10 < krzie> jetole seems to have experience with it in windows too 16:12 < freaky_t> ok great ill try it thank you :D 16:13 < freaky_t> !wins 16:13 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 16:13 < zend> krzee, you assume correctly.. however i need more then that.. iam confused.. 16:14 < zend> krzee, route now iam trying to route 172.16.1.200 (pc lan IP) to tun 0 on the client. 16:14 < zend> that doesnt appear to make a difference 16:14 < zend> i can still ping the endpoint 16:19 < freaky_t> hm, krzee i still cant see the server in my network 16:20 < freaky_t> well i can use net use to make a drive to a share 16:26 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn 16:28 < Timpa> Anyone that can source routing in FreeBSD ? 
16:28 < freaky_t> still can't see anyone from the network 16:28 < freaky_t> im out of ideas :P 16:28 < krzie> freaky_t then you arent using WINS correctly 16:28 < freaky_t> i even set it as domain master 16:28 < freaky_t> how should I use it? 16:28 < krzie> no idea, i dont use wins 16:28 < krzie> as ive said 5 times 16:29 < freaky_t> oh yea sorry 16:29 < freaky_t> ^^ 16:29 < krzie> but everyone else ive told to use wins seems to get it working in under 5 min 16:29 < freaky_t> well 16:30 < freaky_t> i dont know what im doing wrong 16:30 * zend doesnt know either 16:30 < zend> krzee, can you help me... ? :D 16:31 < krzie> zend, explain your problem and why you think its not covered in !route 16:32 < zend> !route 16:32 < vpnHelper> zend: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:33 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 16:33 < freaky_t> umm, with an netmask of 255.255.255.0 on 10.8.0.0 am I in the same subnet as 10.8.0.1 as 10.8.0.6 ? i think i am ... 16:34 < freaky_t> i had some tutorial the last time 16:34 < freaky_t> but i can't find it anymore 16:37 < freaky_t> well yes 16:38 < freaky_t> i just used some calculator ;D 16:38 < freaky_t> i am in another workgroup but i dont think that matters? 16:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:40 < zend> krzee, scenario: PC on Private LAN --> Client without redirect-gateway enabled -> server . Iam trying to enable my PC to access on the internet through the vpn. 
In regards to what !route says to do I have done: 16:42 < zend> setup route 172.16.1.0 255.255.255.0 in the server.conf, also in the server a file with the common name of the client in /etc/openvpn/ccd/ 16:42 < zend> with: iroute 172.16.1.0 255.255.255.0 16:42 < freaky_t> well i dont get anything that looks like a error message in the logs 16:42 < freaky_t> hm 16:42 < krzie> but !route has nothing to do with accessing the inet 16:43 < krzie> if you want to access the inet through the server you want !redirect 16:43 < zend> !redirect 16:43 < vpnHelper> zend: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 16:43 < krzie> and why is redirect-gateway disabled? thats what you want 16:43 < krzie> only need iroute if you are accessing a lan behind the client 16:44 < krzie> as is made clear in !route 16:44 < zend> krzie, I have it disabled because I want the client to continue to have the default gateway as it is... BUT at the same time be able to provide internet through the established VPN to my PC. 16:44 < krzie> (and in !iroute) 16:44 < zend> thats what the challenge to me is 16:44 < krzie> no kidding 16:44 < krzie> thats like saying you want to make a pie, you want it to be apple, but you want it to be cherry, but it cant be apple AND cherry 16:44 < zend> If i enable --redirect-gateway-.. sure I get internet on my PC... 16:44 < krzie> the only way you make inet go over the VPN is by changing the gateway 16:45 < krzie> thats exactly how it works 16:45 < krzie> i guess you could run a socks proxy on the vpn ip and do it that way 16:45 < krzie> but then you can only route stuff that uses socks over the vpn 16:45 < zend> yes the gateway.. but I dont want to change the default gateway for the client. Isnt there a way to route 172.16.1.0/24 through the client to the VPN without changing the default gateway of the client ? 
16:45 < krzie> and then you dont even need the vpn really 16:46 < krzie> what is it you really want, you are saying 2 different things 16:46 < krzie> you say you want INET, then you say you only want 172.16.1.0/24 which is NOT inet 16:47 < zend> I want to route 172.16.1.0/24 through the client to the VPN so that 172.16.1.0/24 has the same internet the VPN server has. 16:47 < freaky_t> find_workgroup_on_subnet: workgroup search for FREAKYYDE on subnet UNICAST_SUBNET: found. 16:47 < zend> i dont want to change the default gateway in the client though 16:47 < freaky_t> i really dont get what im doing wrong :\ 16:47 < freaky_t> ive used the guide from !wins 16:47 < krzie> zend: THEN YOU WANT redirect-gateway 16:48 < krzie> you also want to change the LAN machines to use the vpn client's lan ip as their gateway 16:48 < krzie> then you want NAT on the server 16:48 < krzie> and the server's NAT must NAT the vpn ips, as well as the LAN ips that are behind client 16:48 < krzie> you need the iroute you mentioned 16:49 < zend> krzie, i dont mean to be annoying.. but I dont want to change the default gateway in the clientbecause that means the client would also access the internet through the VPN 16:49 < zend> which is what i dont want 16:49 < krzie> then change the machine that is the client to one you do want that for 16:49 < krzie> when you understand routing you'll see why 16:51 < zend> ok let me change some pieces of something i intended to do in the future so that you can understand me better. 16:51 < freaky_t> is anybody in here familiar in using samba as a wins server? i dont see the server in the network and i cant connect to it using \\10.8.0.1\\ 16:51 < zend> krzie, what if I want to run in the client machine TWO VPN channels... and connect to it two LANs. Then channel 1 lan to one VPN, and the other lan to the second VPN. See why i need my default gateway on the client to be independent ? 
16:52 < Dougy> krzie 16:52 < Dougy> what up my main man 16:52 < krzie> zend, i have no idea what you're saying 16:53 < zend> ok.. bare with me .. i appreciate it: 16:54 < freaky_t> hm :\ 16:54 < zend> bottom line is.. I want to route the internet that my PC has to use the internet on the vpn server through the client setup as a gateway for the PC. Based on that..... I know --redirect-gateway does this.. but that means that the client would also have all the outgoing connection routed through the VPNs internet too.. which is what i dont want. 16:55 < zend> Is it possible? 16:57 < zend> krzie 17:00 < reiffert> route del default gw ; route add default gw 17:00 < Dougy> HAI 17:00 < Dougy> THAR 17:00 < reiffert> WHAT 17:02 < Dougy> supsupsuspuspusup 17:02 < reiffert> shock to the system 17:03 < zend> reiffert, i think that would conflict with everything 17:03 < reiffert> zend: lets discuss it, why do you think so? 17:04 < zend> reiffert, this being applied in the client. correct ? 17:05 < reiffert> (you are right on the one hand, lets find a proper solution, which you already gave). Just have a close look on how redirect-gateway works and do it exactly like it works, but just on the server side. That is keep the connection to the openvpn client active and add a new default gw. 17:06 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn 17:06 < zend> reiffert, "Just have a close look on how redirect-gateway works and do it exactly like it works, but just on the server side." why do you say "just on the server side"? 17:09 < reiffert> I think that what you want is: connect an openvpn client to an openvpn server and have the server take the client as its new default gateway. 17:10 < reiffert> So you have to assure that the client-server communication still uses the old gateway, even if the server takes a new default gateway afterwards. 17:10 < reiffert> is this what you want? 17:12 < zend> reiffert, nop... the server shouldnt be touched.. 
17:12 < reiffert> allright, lets start over. what is what you want?
17:12 < zend> reiffert, PC on a private lan -> client connected to the VPN -> vpn server .
17:13 < zend> PC has its default gateway set to the client.
17:13 < reiffert> lets try to reduce the details as much as possible for now
17:13 < zend> goal is to have the PC connect to the internet through the client to the VPNs internet.
17:13 < zend> that is easily done by setting as we know.. the client with redirect-gateway
17:14 < zend> this scenario works 100%
17:14 < zend> however.. my dilemma is.
17:14 < zend> not using redirect-gateway on the client.. because I dont want the client to use the internet of the VPN server by default.
17:14 < reiffert> I can follow your explanation until "PC".
17:14 < zend> ok..
17:15 < reiffert> try to use "Openvpn-client" and "Openvpn-server"
17:15 < zend> reiffert, there are 3 parties in this picture.
17:16 < reiffert> ok
17:16 < zend> "PC on a private lan" under the "openvpn-client" and the "openvpn-server" which the openvpn-client connects to.
17:16 < zend> are we clear on that?
17:16 < reiffert> let me rephrase
17:17 < zend> sure.
17:17 < reiffert> we have six parties, three on each side. One side got a router/gateway, an openvpn instance (client or server) and multiple other computers in the same LAN.
17:18 < zend> that configuration is suitable to explain what i want to do too. lets go with it
17:19 < reiffert> client server communication does work, allright.
17:19 < zend> correct
17:19 < reiffert> now lets add some numbers:
17:19 < reiffert> openvpnserver-lan is 192.168.100.0/24
17:19 < reiffert> openvpnclient-lan is 192.168.200.0/24
17:20 < zend> okey.
17:20 < reiffert> One Computer on the Client LAN, should send packets to one of the computers on the server-lan, right?
17:20 < zend> nop.
17:20 < zend> the server LAN isnt needed.
17:21 < zend> can we delete that ?
17:21 < reiffert> delete what, server LAN isnt needed?
17:21 < zend> it isnt.
17:21 < reiffert> k
17:21 < reiffert> One Computer on the Client LAN, should send packets to the openvpn-server, right?
17:21 < zend> if we use that it will make this more complicated.
17:21 < zend> correct
17:22 < reiffert> Tell this computer:
17:22 < reiffert> Send all packets that should travel to 192.168.100.0/24 to the openvpn-client. In terms of a unix route-command this looks like:
17:23 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.100.15
17:23 < reiffert> where 192.168.100.15 is the openvpn client
17:23 < reiffert> oh, my wrong!
17:23 < reiffert> where 192.168.200.15 is the openvpn client
17:23 < zend> correct. thats done.
17:23 < zend> i follow you 100%
17:23 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:24 < reiffert> so packets travel from a computer to the openvpn client which hands them to the openvpn server.
17:24 < reiffert> step one is done, now lets take a look on how packets get back.
17:25 < zend> correct command would be: route add -net 192.168.200.0 netmask 255.255.255.0 gw 192.168.200.15
17:25 < zend> right?
17:25 < reiffert> correct command on the client lan's computer?
17:26 < zend> lets back one step please
17:26 < reiffert> all right, where to?
17:26 < zend> We are on the computer behind the openvpn-client and we want to send packets to the openvpn-server
17:26 < reiffert> allright.
17:26 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:27 < reiffert> 200.15 is the openvpn client
17:27 < reiffert> 100.0 is the openvpn server lan
17:27 < zend> this applied in the computer behind the openvpn-client?
17:28 < reiffert> applies on the computer that belongs to the same LAN as the openvpn-client, yes.
17:28 < reiffert> +does
17:28 < zend> ok. *thinking*
17:28 < reiffert> let's assume the computer got 200.225
17:28 < reiffert> ping 192.168.100.10 will send this packet to 200.15
17:29 < zend> right
17:29 < zend> iam with you.
17:29 < zend> i dont know why we did this.. but go ahead
17:29 < reiffert> 200.15 (the client) will send this packet to 10.8.0.1 (the server), the server will internally route to its outer IP address 100.10
17:29 < zend> correct.
17:30 < zend> how did the client do all that? a nat?
17:30 < reiffert> what you will have to add in the openvpn server config file is push "route 192.168.100.0 255.255.255.0"
17:30 < reiffert> no, routing. no nat.
17:30 < reiffert> but thats just 50%, it's just one way.
17:30 < reiffert> we still have to care about the way back.
17:30 < zend> lets make a parenthesis
17:31 < reiffert> []
17:31 < zend> We are just sending packets to 192.168.100.0 .. which yes.. its getting routed to where i want.. however.. remember that the PC should route ALL packets (internet) to the client via the vpn
17:32 < reiffert> it's just sending all packets for destination 192.168.100.0 to the openvpn client 192.168.200.15
17:32 < reiffert> because we were adding a -net route:
17:32 < reiffert> route add -net 192.168.100.0 netmask 255.255.255.0 gw 192.168.200.15
17:33 < zend> thats what iam saying. What if the computer pings google.com ?
17:33 < reiffert> the computer will send a packet to google.com via its default gateway, e.g. 192.168.200.254
17:34 < zend> thats where we dont agree
17:34 < reiffert> ah, go on.
17:34 < reiffert> should the packet travel over the VPN as well?
17:34 < zend> the idea is to have the default gateway setup as 192.168.200.15
17:34 < zend> yes
17:34 < reiffert> all right, just do:
17:34 < reiffert> route del default gw 192.168.200.254; route add default gw 192.168.200.15
17:35 < zend> ok, lets move on :)
17:35 < zend> so now the packet is in .15
17:35 < reiffert> openvpn tunnel: server: 10.8.0.1, client: 10.8.0.5, ok?
17:35 < zend> fine
17:36 < reiffert> packet is at .15
17:36 < zend> right
17:36 < reiffert> packet will go to 10.8.0.5, will go to 10.8.0.1, will go to 192.168.100.10
17:36 < zend> who is 192.168.100.10 ?
17:36 < reiffert> openvpn server
17:36 < zend> ok.
17:37 < zend> same page.. go on..
17:37 < zend> (it needs to reach google)
17:37 < reiffert> will get to 192.168.100.254 which is the gateway of that lan
17:37 < zend> ok. and off it went.
17:37 < zend> good.
17:37 < reiffert> now let's see about the reply from google.
17:38 < reiffert> 100.254 doesnt know yet, that it should send packets for destination 192.168.200.0 to 192.168.100.10
17:38 < reiffert> that's where we can take a decision:
17:39 < reiffert> either use NAT on 192.168.100.10
17:39 < reiffert> or talk to your gateway: hey gateway, do as I say.
17:39 < zend> nat..
17:39 < zend> (i already have it like that)
17:39 < reiffert> NAT complicates things. Routing much easier.
17:40 < zend> ok
17:40 < reiffert> ok, NAT.
17:40 < reiffert> (I like the Hey router, do as I say-part much more :-)
17:40 < reiffert> so NAT, after all the packet from google gets to 100.254
17:40 < reiffert> which hands it to 100.10
17:41 < reiffert> which knows about NAT which hands it to 10.8.0.5
17:41 < reiffert> which hands it to 200.225 (whatever is the computer in that lan)
17:42 < reiffert> this is the time where you tell me that it doesnt work, right?
17:43 < zend> all of this works
17:43 < zend> sec..
17:43 < reiffert> :)
17:43 < reiffert> What was your problem/goal again please?
17:44 < zend> How to ping google.com from the client and not have it travel through the VPN to the server.
17:45 < reiffert> 00:34 < reiffert> should the packet travel over the VPN as well?
17:45 < reiffert> 00:34 < zend> yes
17:45 < reiffert> now you want the opposite?
17:45 < zend> I was referring to the packet originated on the LAN computer. not the packet originated on the client.
17:45 < reiffert> let's start over you are confusing me.
17:45 < reiffert> 200.225 got default gw 200.15?
17:46 < zend> 200.225 is the computer right?
17:46 < reiffert> yes
17:46 < zend> then yes
17:47 < reiffert> 00:44 < zend> How to ping google.com from the client and not have it travel through the VPN to the server.
17:47 < zend> yes
17:47 < reiffert> route add -host google.com netmask 255.255.255.255 gw 192.168.200.254
17:47 < zend> :(
17:47 < reiffert> ?
17:48 < reiffert> 00:45 < reiffert> 200.225 got default gw 200.15?
17:48 < zend> i cant do that for all possible URLs for traffic originated from the client.
17:48 < zend> yes, i stand behind that
17:48 < reiffert> then packets to google.com will travel over the vpn.
17:49 < reiffert> (and answers will do as well=
17:49 < reiffert> )
17:49 < zend> are you familiar with --redirect-gateway ?
17:49 < reiffert> yes.
17:49 < zend> this is all possible thanks to this
17:50 < reiffert> right.
17:50 < zend> I really appreciate the diagram but i cant continue using it.. it is really much less complicated
17:50 < reiffert> but I still dont understand your statement: send everything over the tunnel versus: dont send everything over the tunnel.
17:51 < zend> bottom line..
17:51 < zend> working scenario is this:
17:51 < zend> a.) PC has its default gateway setup to the client. All packets reach the client.
17:51 < reiffert> PC?
17:52 < reiffert> ah, ok.
17:52 < zend> b.) openvpn-client has --redirect-gateway enabled
17:52 < reiffert> ok
17:52 < zend> so packet by default just goes over to tun, and off to..
17:52 < reiffert> ok
17:52 < zend> c.) packet gets to vpn server and off to the internet.
17:53 < reiffert> ok
17:53 < zend> dilemma:
17:53 < zend> since client has --redirect-gateway enabled .. if I ping google.com (or anything) that would also travel through the VPN. I dont want that. I dont want --redirect-gateway enabled.
17:54 < reiffert> let me rephrase:
17:54 < reiffert> you want that locally generated packets dont travel over the tunnel?
17:55 < zend> correct, thus not using --redirect-gateway
17:55 < reiffert> you dont want locally generated packets travel over the tunnel?
17:55 < zend> correct
17:55 < reiffert> I think that a proper solution will be OS dependent
17:56 < reiffert> 200.15 OS is?
17:56 < zend> assume its linux for easier ;)
17:56 < reiffert> policy routing www.lartc.org
17:56 < reiffert> have fun.
17:57 < reiffert> ip route 2
17:57 < zend> policy routing..?
17:57 < reiffert> e.g. send locally generated packets to 200.254
17:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:59 < zend> hm
18:00 < reiffert> let me ask that question on a german debian channel
18:00 < reiffert> http://lartc.org/howto/lartc.rpdb.multiple-links.html
18:00 < reiffert> looks like a start
18:00 < vpnHelper> Title: Routing for multiple uplinks/providers (at lartc.org)
18:01 < zend> hmm ok.. i thought it would be simpler
18:01 < zend> but thank you......
18:01 < reiffert> http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg06649.html
18:01 < vpnHelper> Title: [LARTC] fwmark routing of locally generated packets (at www.mail-archive.com)
18:01 < reiffert> http://lkml.indiana.edu/hypermail/linux/net/0308.3/0058.html
18:01 < vpnHelper> Title: Linux-Net Archive: Re: policy routing on locally generated packets, ip source addressselction, application routing (at lkml.indiana.edu)
18:02 < zend> thank you..
18:02 < reiffert> http://osdir.com/ml/security.firewalls.netfilter.devel/2003-08/msg00178.html
18:02 < vpnHelper> Title: Re: policy routing on locally generated packets [s: msg#00178 security.firewalls.netfilter.devel (at osdir.com)
18:03 < reiffert> iproute2 can do routing based on a fwmark value
18:04 < reiffert> so you have to mark locally generated packets on your firewall / iptables
18:04 < reiffert> and there you are.
18:06 < zend> reiffert, thank you for taking the time to review this with me
18:07 < reiffert> What will it take for you to step the last two steps for a proper solution?
18:07 < reiffert> Any motivation that can be applied to you?
18:11 < zend> a beer :P
18:11 < zend> haha
18:11 < zend> thanks..
18:11 < reiffert> well, now I'm curious ..
18:11 < reiffert> why is it that important for you, that locally generated packets do not travel over the tunnel?
18:13 < zend> so that I can add another instance of openvpn-client
18:13 < reiffert> oh, you should have mentioned that earlier in this conversation.
18:14 < reiffert> --redirect-gateway def1
18:14 < reiffert> done.
18:15 < zend> uhm...
18:16 < zend> i still have to "teach" what VPN to use in what case
18:17 < reiffert> updating my router, I might lose internet for some time, bbl
18:20 < zend> !def1
18:20 < vpnHelper> zend: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:34 < zend> reiffert, u there?
18:42 < zend> reiffert, please ping me when you are back :D
18:46 < reiffert> .
18:47 < zend> reiffert, I *think* this can be done differently..
18:49 < zend> I started up my client without --redirect-gateway.. thus I have tun0 configured but nothing routed to it.
18:49 < zend> My routing table looks like this:
18:50 < reiffert> Ah, allright, let me guess:
18:50 < reiffert> On the PC in the client LAN:
18:50 < reiffert> route add default gw 192.168.100.10
18:50 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
18:50 < zend> hold please.. ;)
18:50 < zend> sec
18:51 < zend> without redirect-gateway enabled the client routing tables look this: http://pastebin.com/d3d07443b
18:51 < zend> are we clear on what I have at this moment ? reiffert
18:52 < reiffert> yep, do you think my approach might work as well?
18:52 < zend> please note that my client box has TWO nics.. one with 192.168.1.1 attached (current default gateway) and another with 172.16.1.1
18:53 < zend> hold, we can discuss this at the end so that i dont lose the point ;)
18:53 < zend> my PC uses 172.16.1.1 as the default gateway
18:54 < zend> so.. as soon as I add redirect-gateway and nat internal_if and external_if .. it works. (thats not the config i want.. but i want to make sure we are on the same page)
18:54 < zend> are we?
18:54 < reiffert> think so
18:55 < zend> ok so.. question is..
18:56 < zend> taking for granted i dont have --redirect-gateway enabled, and that link i gave you is my current routing table.. is there any way that I can put it so that all destinations that come from the NIC attached to the 172.16.1.1 get routed to 10.0.1.9?
18:56 < zend> leaving my default gateway as it is
18:57 < zend> there must be a way without tagging packets
18:57 < reiffert> current routing table on the PC?
18:57 < zend> sec
18:59 < zend> reiffert, www.pastebin.com/d3d2d280
18:59 < zend> err sec
18:59 < reiffert> * Unknown post id, it may have expired or been deleted
19:00 < zend> http://pastebin.com/d3d2d280
19:00 < zend> its in spanish, but youll understand it :)
19:00 < zend> (windows btw)
19:00 < reiffert> uh, thats windows.
19:01 < reiffert> ok, here is my plan:
19:01 < reiffert> dont use redirect-gateway
19:01 < reiffert> on the windows computer add two routes:
19:01 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 192.168.200.15
19:01 < reiffert> route add default gw 192.168.100.10
19:02 < reiffert> 1st line should be:
19:02 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
19:02 < reiffert> however, it's 2 o'clock in the morning, I'm heading to bed
19:03 < zend> ok..
19:03 < zend> thank you for all your help
19:03 < zend> i advanced and have it lots more clear
19:03 < reiffert> yw
19:07 < krzie> the way that makes sense to me is to make a machine that SHOULD be sending its inet through server the vpn endpoint
19:07 < krzie> then let the machines route their inet through that machine
19:07 < krzie> let that machine use redirect-gateway
19:07 < krzie> then if the current vpn endpoint needs access to the VPN as well it can, but is not forced to route inet over it
19:11 < freaky_t> krzie can u tell me how to add this gateway to the bridge-start script if u can remember? because i'd like to try a bridging setup i cant get samba to run like this
19:14 < krzie> its just the route command
19:14 < krzie> read up on it for your OS
19:14 < freaky_t> I don't know what to route
19:15 < krzie> linux?
19:15 < krzie> bsd?
19:15 < krzie> osx?
19:16 < freaky_t> linux
19:16 < krzie> route add default gw
19:16 < freaky_t> what should be the gateway then?
19:17 < freaky_t> the problem is that im getting disconnected when i run the bridge-start script
19:17 < freaky_t> and i have to reboot the server
19:17 < krzie> if you cant answer that for your network a vpn is too advanced for you to be honest
19:17 < freaky_t> because i only have one NIC
19:17 < reiffert> setup the bridge before running openvpn.
19:18 < freaky_t> i know
19:18 < reiffert> just add the tap adapter to the bridge after openvpn server starts
19:18 < freaky_t> krzie i dont know why im getting disconnected from my server when i run the bridge-start script so i dont know what to route where
19:18 < reiffert> or, on the client side, add the tap adapter to the bridge when it's getting connected to the server.
19:18 < krzie> you are changing its connection to the inet, you MUST get disconnected
19:18 < reiffert> brctl addbr br0
19:18 < reiffert> brctl addif br0 eth0
19:18 < reiffert> in prior run: ifconfig eth0 0.0.0.0 promisc up
19:19 < freaky_t> i cant i'd get disconnected
19:19 < reiffert> afterwards: ifconfig br0 192.168.1.1 or whatever your eth0 ip was.
19:19 < freaky_t> it's a dedicated server
19:19 < krzie> then figure out WINS
19:19 < freaky_t> im trying since ages
19:19 < reiffert> on debian you can handle everything with network/interfaces file
19:19 < freaky_t> nobody can help me
19:19 < freaky_t> google doesnt tell me anything useful
19:20 < reiffert> && bed
19:21 < freaky_t> cya
19:21 < krzie> screw google, everyone who i suggested it to just read the manual i linked !wins too and it worked
19:23 < freaky_t> for me it doesnt
19:23 < freaky_t> dump workgroup on subnet UNICAST_SUBNET: netmask= 10.8.0.1:
19:23 < freaky_t> FREAKYYDE(1) current master browser = UNKNOWN
19:23 < freaky_t> MASTER 40899a03 (master server)
19:23 < freaky_t> i dont know what i should do
19:24 < zend> krzie, the idea was to have multiple LANs using different IPs as their default gateway to the client machine... BUT ALSO have that same client machine have multiple client instances to different VPNs.. and then according to the IP the LANs used as their gateway route them to the appropriate VPN.
19:24 < zend> route their internet through the appropriate VPN that is
19:25 < zend> i cant do that because 1 VPN "steals" the default gateway
19:25 < zend> which is why i wanted to not start it up with --redirect
19:29 < zend> ive seen cisco routers with ipsec do this.. :(
19:34 < krzie> hrm
19:34 < krzie> im curious if this can work or not, give it a shot
19:34 < krzie> lets say 10.8.0.1 is 1 vpn server
19:34 < krzie> so the client has 10.8.0.6 for vpn ip
19:34 < krzie> and we'll say it is 192.168.0.10 on its LAN
19:35 < krzie> tell another machine on that lan this:
19:35 < krzie> 10.8.0.0/24 routes to 192.168.0.10
19:35 < pekster> Why not have the DNS server for the corporate LAN accept dynamic record updates for VPN clients?
19:35 < krzie> 0.0.0.0 routes to 10.8.0.1
19:35 < freaky_t> i've sent another eMail to the samba mailinglist
19:35 < pekster> Then use DNS as it was intended to; resolve client names to IPs :)
19:36 < zend> pekster, for that each PC would be its own client.. and thats not the idea.
19:37 < pekster> Ah, okay, I'm coming into this a bit late in the game
19:37 < zend> krzie, *thinking*
19:37 < pekster> So the clients are given IPs from a DHCP server on the remote network, not the corp DHCP?
19:38 < krzie> freaky_t, you could also try a broadcast relay
19:38 < krzie> ive never attempted it but reiffert has mentioned it a few times as an alternative to WINS
19:39 < freaky_t> i wouldnt know what to relay where and how.
19:39 < freaky_t> ill try a broadcast relay if everything else fails
19:39 < freaky_t> now im trying to get help on the samba mailinglist
19:39 < krzie> i believe it just relays broadcasts
19:39 < krzie> not like you need to know about them
19:39 < freaky_t> thank you for ur help by the way ;D
19:40 < freaky_t> yea but i think i would have to set it up in some way
19:41 < zend> krzie, ive read your proposal 5 times and I honestly do not understand it.. I only understand the IP of the vpn server is 10.9.0.1, and the client is 10.8.0.6 . Thats it..
19:41 < pekster> When I set up remote sites for a corp network at my last job, we had the border router for the net doing DHCP-relay to the HQ DHCP server, and then it took care of DNS registration in the AD environment, allowing you to hit \\client-at-remote-site as you'd expect
19:42 < zend> krzie, and that there is machine in the LAN with 192.168.0.10
19:42 < krzie> heh
19:42 < krzie> ok lets do it this way
19:42 < krzie> what is the VPN address of the server, and the client?
19:43 < freaky_t> now it works
19:43 < freaky_t> dump workgroup on subnet 10.8.0.1: netmask= 255.255.255.0:
19:43 < freaky_t> FREAKYYDE(1) current master browser = MASTER
19:43 < freaky_t> MASTER 408c9a03 (master server)
19:43 < freaky_t> i didnt do anything
19:43 < zend> VPN server: 10.0.1.1 , Client is 10.0.1.9
19:43 < krzie> and what is the IP address of the client on the lan (same machine as vpn client, but LAN ip) and what is the IP of the machine on the lan that needs to default route through the VPN?
19:44 < freaky_t> but i still cant see the server
19:44 < freaky_t> ill try bcrelay
19:44 < zend> you mean the IP address of the gateway of the PC, and the IP of the PC krzie ?
19:45 < krzie> theres 2 boxes on the lan that matter
19:45 < krzie> the vpn endpoint and the machine that wants to route through it
19:45 < krzie> what are both their IPs on the lan
19:46 < zend> 172.16.1.1 , and the IP of the PC is 172.16.1.201
19:47 < krzie> so tell 172.16.1.201 that for 172.16.1.0 255.255.255.0 it routes through 172.16.1.1
19:47 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 10.0.1.1
19:48 < krzie> then tell it for 0.0.0.0 0.0.0.0 (aka default) it routes through 10.0.1.1
19:49 < krzie> oops i messed up
19:49 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through
19:49 < krzie> 10.0.1.1
19:49 < krzie> i meant:
19:50 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 172.16.1.1
19:50 < krzie> but honestly i dunno if that will work or not
19:50 < krzie> if it does, it will do what you want
19:52 < zend> hmm i appreciate your effort.. but iam burned.. i will review this tomorrow......
19:53 < krzie> basically its this:
19:53 < krzie> the machine on the lan needs to know the server vpn ip is its default route
19:53 < krzie> but for that it needs routes to it
19:53 < zend> true
19:53 < krzie> so you tell it for 172.16.1.0 255.255.255.0 it routes through 172.16.1.1 (for its lan)
19:54 < krzie> that could already be there, depending on your setup
19:54 < zend> its there
19:54 -!- bandini [n=bandini@host142-110-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
19:54 < krzie> then tell it that for 10.0.1.0 255.255.255.0 it routes through 172.16.1.1
19:54 < zend> wait.. sec..
19:54 < zend> who do i tell these two? the client? or the pc?
19:57 < krzie> the pc in the lan who wants to route over the vpn
19:58 < krzie> basically, it gets a route to the local vpn endpoint
19:58 < zend> sorry krzie but why should the PC do any type of change.. this is messy.. as far as the PC goes it should only connect to a PORT and grab the lease from dhcp.. the client should do all the routing..
19:58 < krzie> then it gets a route to vpn server over that
19:58 < krzie> then it gets a default route over that
19:58 < krzie> hey, you're the one who wants to do it the hard way
19:59 < zend> yeah but that hard way I think should be done within the client ;)
19:59 < krzie> good luck to you
19:59 < zend> after all, this is a router
19:59 < zend> ill keep you posted
19:59 < zend> thank you
20:01 < krzie> heres the thing you're missing
20:01 < krzie> everything is based on source and destination address
20:02 < krzie> if the machine on the lan just sends traffic at its default gateway, the traffic will go to whatever route the destination matches on the router
20:02 < krzie> for inet traffic that will be the default gateway
20:02 < krzie> (which was my first suggestion)
20:03 < freaky_t> krzie i dont know what i should relay :\
20:03 < krzie> my last suggestion gets around that fact
20:04 < freaky_t> krzie can u help me?
20:04 < krzie> zend, personally what ild do is have a separate box for every VPN
20:04 < freaky_t> u're the only perso i can ask but i dont wanna go on your nerves so just tell me ;D
20:04 < krzie> which requires nothing extra since you already want boxes to connect over that vpn
20:04 < freaky_t> person
20:05 < krzie> then let all extra machines that need to route over it route via the vpn endpoint for that network
20:05 < krzie> then use redirect-gateway
20:05 < krzie> freaky_t, i have never used samba, never use windows, do not use windows filesharing, have never wanted WINS or a broadcast relay
20:05 < freaky_t> hm ok :(
20:05 < krzie> so i can NOT help with them more than saying people use them to achieve your goal
20:06 < freaky_t> ok thank you :\
20:06 < krzie> but i use the hell out of openvpn
20:06 < freaky_t> hehe, what do u use it for?
20:06 < krzie> so openvpn specific questions i have a much better chance of helping with
20:06 < freaky_t> do u use any network services?
20:07 < freaky_t> for the vpn
20:07 < freaky_t> anything nice to have for example?
20:07 < freaky_t> ;D
20:07 < krzie> umm
20:07 < krzie> well ive setup chains of them to anonymize source of inet traffic
20:07 < krzie> i use it on some boxes as a secure way to enter the box
20:07 < freaky_t> hm ok
20:07 < freaky_t> ok ;D
20:07 < krzie> no services listening to the world other than openvpn, everything else only listening on the vpn
20:07 < freaky_t> thanks ^^
20:08 < krzie> i use it for secure communications, ie: running an IRCD only internal to the vpn
20:08 < krzie> secure access to internal networks
20:08 < freaky_t> :)
20:09 < krzie> stuff like that
20:09 < freaky_t> ok
20:09 < krzie> i dont need to trust the security of services or protocol if i only allow them over the vpn
20:09 < freaky_t> yea
20:10 < krzie> some things also support socks, but not socks auth, so i run an open relay inside the vpn
20:10 < krzie> then only a connected vpn user can use it
20:10 < freaky_t> ok ;D
20:11 < krzie> theres an alternative for ya zend
20:11 < krzie> you could use a socksifier like the app proxifier on all machine that need to default over vpns
20:12 < krzie> then on the server you could run a socks daemon only listening on VPN ips
20:12 < krzie> then configure each lan machine to use whichever vpn you choose
20:12 < krzie> kind of like what i do, only for a very different reason
20:12 < krzie> i use socks to selectively route over the vpn
20:12 < krzie> torrents dont go over it, mail does, etc etc
20:13 < krzie> which i can specify based on IP range, port range, application, or any combination of those
20:14 < krzie> i can also choose to use all except what i say, or only what i say
20:18 < freaky_t> ill try to connect using my laptop running kubuntu now maybe i get more error messages there
20:22 < zend> krzie, why is it that I just couldnt nat the 172.16.1.0/24 network to tun0.. and thats it? i tried it a million times..
20:22 < zend> but i will seek about that
20:25 < krzie> because the traffic wont even try to go to the vpn to get NAT'ed
20:26 < krzie> you will need a nat too if you go the route way
20:26 < krzie> not if you go the socks way
21:04 < freaky_t> krzie well i can connect using Dolphin smb protocol. but it isnt shown under network
21:11 < freaky_t> so krzie could u tell me what gateway i should add in the bridge-start script? it just doesnt work whatever i try
21:27 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:43 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
21:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:54 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 60 (Operation timed out)]
21:58 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
22:02 -!- azaghal_ [n=azaghal@195.252.105.9] has joined ##openvpn
22:07 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
22:07 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 131 (Connection reset by peer)]
22:07 -!- zend [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
22:18 -!- azaghal [n=azaghal@198.225.178.212.adsl.dyn.beotel.net] has quit [Read error: 113 (No route to host)]
22:28 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
22:29 -!- admin__ [n=admin@193.227.191.91] has quit [Connection timed out]
23:04 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
23:06 -!- albech_ [n=albech@119.42.76.84] has quit [Client Quit]
23:06 -!- Cr0nix [n=Cr0nix@e180064168.adsl.alicedsl.de] has joined ##openvpn
23:07 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn
23:07 -!- tjz [n=tjz@bb116-15-91-53.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
23:08 -!- Cronix [n=Cr0nix@e180066066.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)]
23:13 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
23:18 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)]
23:26 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
23:32 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)]
23:35 -!- tjz [n=tjz@bb219-75-13-49.singnet.com.sg] has joined ##openvpn
--- Day changed Sun May 10 2009
00:11 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
00:12 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
00:43 -!- tech [n=tech@76.25.242.237] has joined ##openvpn
00:44 < tech> anyone know how to use pptpd with ubuntu?
00:46 < krzee> !notovpn
00:46 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
01:00 < tech> ok how would I setup the openvpn server
01:01 -!- rubydiam_ [n=rubydiam@123.236.183.119] has joined ##openvpn
01:01 < krzee> !howto
01:01 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:01 < krzee> !manual
01:01 < vpnHelper> krzee: Error: "manual" is not a valid command.
01:01 < krzee> !man
01:01 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:02 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
01:04 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
01:05 -!- rubydiam_ [n=rubydiam@123.236.183.119] has quit [Read error: 54 (Connection reset by peer)]
01:27 < tech> ok have it installed and tried running config command and get a weird message with vars
01:32 < krzee> you likely didnt type . ./vars like it said to
01:32 < krzee> the first . matters
01:32 < tech> yes I did
01:33 < tech> I just want to setup a vpn server with linux and windows client
01:33 < tech> I don't see any instructions for using this with a windows client krzee
01:34 < krzee> cause you just skimmed the howto
01:34 < krzee> dont expect to set this up as simply as microsoft office
01:34 < krzee> it will require a lot of reading and some understanding of networking
01:34 * reiffert is waiting for a sentence like: Hm, I cant connect to this cisco vpn server .. why didnt anyone tell me?
01:35 < tech> I have setup vpn's with windows server in the past, and they were quite easy to setup
01:36 < krzee> im curious how he found his way here to ask a pptp question
01:36 < krzee> yes
01:36 < krzee> microsoft is the quick and easy way
01:36 < tech> cause I am trying to do vpn
01:36 < krzee> openvpn is the secure way
01:36 < krzee> (note, i didnt say quick or easy)
01:36 < tjz> lol
01:37 < tech> my question is, how would I use a windows client with this?
01:37 < krzee> !howto
01:37 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:37 < krzee> openvpn runs on windows
01:37 < reiffert> Your initial question looks more like if anyone knows how to run pptpd on ubuntu..
01:37 < tech> yea, that's where I started
01:37 < reiffert> it's quite simple.
01:37 < reiffert> /etc/init.d/pptpd start
01:38 < tech> yes I ran that and can run that on ubuntu
01:38 < krzee> !notcompat
01:38 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
01:38 < tech> but the windows client doesn't connect to it
01:38 < tjz> they are different products
01:38 < reiffert> tech: it does not? OpenVPN is your way then.
01:38 < tech> vpnHelper, thanks for that. then I need to NOT use this because it is useless
01:38 < vpnHelper> tech: Error: "thanks" is not a valid command.
01:39 < tech> bye now
01:39 -!- tech [n=tech@76.25.242.237] has quit ["Leaving"]
01:39 < krzee> damn that bot is lagged
01:39 < krzee> (or i am)
01:39 < reiffert> Always remember, those people keep our income high.
01:40 < tjz> lol
01:42 < krzee> hahah
01:44 < reiffert> 08:41 [freenode] CTCP PING reply from krzee: 46.806 seconds
01:44 < tjz> LOL
01:45 < krzee> sounds bout right =/
01:45 < krzee> [02:45] * Ping reply from reiffert: 2.22 second(s)
01:45 < reiffert> stop sucking porn
01:45 < krzee> there we go
01:45 < reiffert> ah, there we go#
01:45 < reiffert> 08:45 [freenode] CTCP PING reply from krzee: 1.030 seconds
01:46 < tjz> O_o
01:49 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
01:54 -!- azaghal_ is now known as azaghal
02:10 < theDoc> Woohoo!
02:13 < krzee> yayyyyyy
02:13 < krzee> that woohoo mean you figured out the answer to my post here: http://www.insanelymac.com/forum/index.php?s=&showtopic=141154&view=findpost&p=1137316
02:13 < krzee> ???
02:13 < vpnHelper> Title: [how to] Intel DG35EC - InsanelyMac Forum (at www.insanelymac.com)
02:43 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
02:48 -!- azaghal [n=azaghal@195.252.105.9] has quit [Read error: 131 (Connection reset by peer)]
03:03 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
03:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:12 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
03:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
03:36 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [Read error: 54 (Connection reset by peer)]
03:37 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
04:37 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 54 (Connection reset by peer)]
04:37 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
04:38 -!- albech_ [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)]
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
04:57 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
05:19 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
05:26 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
05:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
05:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:40 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 60 (Operation timed out)]
05:42 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
05:44 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
05:49 < gregd> hi guys, i've got very strange behaviour using openvpn 2.0.9 server. I've got it configured as tun/udp server and keys for 2 clients generated. When I connect to it one client (always the same one) works perfectly fine (pinging google).. whilst the other one is losing packets all the time on the way server-google. Client-server connection is always fine. What can be the cause?
05:54 < theDoc> gregd: How do you know that packets are dropping?
05:54 < gregd> theDoc: ping does not get a response for every one...I would say 10% to 20% are lost
05:55 < theDoc> gregd: Where are you pinging from?
05:55 < theDoc> gregd: Is that from your box or from the server?
05:55 < gregd> i'm located in the uk and the openvpn server in the us
05:55 < gregd> from my box im pinging
05:56 < theDoc> gregd: Is the other box also on the same physical LAN which the afflicted box is in?
05:56 < gregd> yes... those are 2 laptops... both on my desk.. the same laptops.. the same operating system the same LAN
05:57 < gregd> is it possible that openvpn gives different gateways for each of the hosts connected?
05:58 < gregd> i'm just trying to generate new certificates and restart the whole configuration on server side
06:02 < theDoc> gregd: No, I don't think so.
06:03 < theDoc> gregd: Openvpn doesn't throw up different gateways.
06:03 < theDoc> gregd: Just check your assignment for the dns/subnet/gateway given. It should be the same if you are using route-push directive on your server.
06:03 < gregd> the other thing that i suspect is to use masquerade instead of NAT, will try it in a few minutes
06:03 < theDoc> gregd: Yeah, you should be using masquerade.
06:04 < theDoc> I'm still trying to find a way to bypass a http-proxy which I don't own :p
06:04 < theDoc> hmm.
06:04 < gregd> lol ;)
06:05 < theDoc> gregd: Not for anything nefarious :)
06:05 < theDoc> Just tech knowledge :)
06:05 < theDoc> At the end of the day, if you do that in an organization where they have a clue :P you're just setting yourself up to get fired by the management.
06:05 < theDoc> I can see someone using that in schools, but in a workplace, hardly.
06:06 < gregd> that's somehow true.. but if u do it (create openvpn) on a udp and change port to less suspected one... i think you are rather safe ;)
06:06 < theDoc> gregd: True, but if the proxy server drops all traffic except http on port 80 :)
06:07 < gregd> get a vps and put openvpn tcp on 80?
06:07 < theDoc> Trying to masquerade your vpn traffic over the http connection is just another excuse for the management to fire you when they find out.
06:07 < theDoc> gregd: I rent out vpn tunnels :p
06:07 * theDoc chuckles.
06:08 < gregd> so now put a smart port forwarding and done ;)
06:08 < theDoc> I'm contemplating on getting another few windows 2k3 boxes so I can have better interoperability for the windows users who don't want to be tied to openvpn.
06:08 < theDoc> gregd: I just realized that my SP drops vpn traffic over port 80 :)
06:09 < gregd> hmm is it possible at all?
06:09 < theDoc> gregd: No idea, might be possible with NBAR.
06:09 < theDoc> or some kind of DPI.
06:10 < gregd> so how does youtube work then or.... skype.. they stream media over port 80... so there should be a clue
06:11 < theDoc> gregd: Yep, they might just filter vpn traffic on 80.
06:11 < theDoc> I know for sure that you can't assign port 80/8080 for http servers you run at home :)
06:35 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
06:35 -!- gregd [n=gregd@98.142.208.61] has joined ##openvpn
06:36 -!- gregd_ [n=gregd@98.142.208.61] has joined ##openvpn
06:39 -!- gregd [n=gregd@98.142.208.61] has quit [Read error: 104 (Connection reset by peer)]
06:49 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
06:49 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
06:54 -!- gregd_ [n=gregd@98.142.208.61] has quit [Read error: 110 (Connection timed out)]
07:07 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
07:22 -!- albech_ [n=albech@119.42.76.84] has quit [Client Quit]
08:52 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
08:58 < freaky_t> krzee i've set the wins server to my server's ip in my client's tap device - i can now ping "master" etc. but i still cant connect using normal windows filesharing
08:58 < freaky_t> it doesnt even connect
09:05 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
09:11 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
09:12 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
09:45 < Bushmills> oh? has krzee turned windows expert recently?
09:45 < Bushmills> http://forthfreak.net/misc/ola.gif
09:51 < freaky_t> \o/
09:51 < freaky_t> ? :D
10:12 < Dougy_> oO
10:15 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
10:28 < Dougy_> GOD DAMN SPAMMING BASTARDS
10:28 * ecrist laughs at shitty forum operators
10:29 < ecrist> http://www.twincitiescarry.com/forum/viewtopic.php?t=12763
10:29 * Dougy_ goes to add captcha and clean up
10:29 < ecrist> not at you dougy
10:29 < ecrist> this guy that owns/runs the forum above, arrogant asshole
10:29 < ecrist> tried to ban me, didn't realize I have access to more IPs than he can ban.
10:29 < ecrist> hell, most of my web browsing is done through tor and other such anonymizers, anyways
10:30 < ecrist> page 7, I posted, after he'd banned me, and I got an angry email from him claiming I was hacking his web site.
10:31 < Dougy_> lol
10:31 < Dougy_> ecrist
10:31 < Dougy_> theres quite a few actual posts popping up on there
10:31 < Dougy_> and i dont know how to help any of em
10:31 < Dougy_> lol
10:31 < ecrist> oh, I'll look, gimme a few.
10:31 < Dougy_> http://www.ovpnforum.com/viewtopic.php?f=6&t=139&sid=640fb2d0cba7bbc577b7e8bcf538f3d5
10:31 < vpnHelper> Title: OpenVPN Forum View topic - Getting web access out of C-h-i-n-a (at www.ovpnforum.com)
10:31 < Dougy_> redirect-gateway
10:31 < Dougy_> no?
10:31 < Dougy_> :p;
10:32 < Dougy_> and there's http://www.ovpnforum.com/viewtopic.php?f=6&t=129
10:32 < vpnHelper> Title: OpenVPN Forum View topic - revoking a certificate (at www.ovpnforum.com)
10:32 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
10:33 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:33 < Dougy_> and last but not least http://www.ovpnforum.com/viewtopic.php?f=5&t=124
10:33 < vpnHelper> Title: OpenVPN Forum View topic - Using redirect-gateway in Windows XP (at www.ovpnforum.com)
10:44 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
10:44 -!- zug [n=m@94-192-16-41.zone6.bethere.co.uk] has joined ##openvpn
10:45 < zug> does anybody know how I can connect openvpn through a public server to avoid port forwarding
10:46 < zug> but then have the two endpoints directly connected to each other?
10:46 < ecrist> what?
10:46 < ecrist> I'm confused
10:46 < zug> not sure if its possible..
10:46 < zug> ok
10:46 < zug> two openvpn clients
10:46 < zug> one server
10:46 < zug> can both clients connect to the server, but then be able to talk directly to each other
10:46 < zug> without having to go via the server?
10:47 < ecrist> no
10:47 < ecrist> their vpn session is between them and the server
10:48 < ecrist> the server has to be an intermediary
10:48 < zug> hmm ok thanks
10:56 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
11:05 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: jameswhite, Bushmills, rubydiamond, troy-
11:13 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
11:21 -!- Bushmills [n=nnnnnnl@verhau.de] has joined ##openvpn
11:21 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
11:21 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
11:23 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
11:23 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Read error: 54 (Connection reset by peer)]
11:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
11:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
11:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
11:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:42 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
11:44 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
12:20 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:22 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit [SendQ exceeded]
12:23 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
12:26 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
12:26 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
12:31 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
12:31 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Connection reset by peer]
12:43 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:53 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
12:54 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
13:07 < krzee> !mitm
13:07 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
13:07 < krzee> !hmac
13:07 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
13:07 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
13:08 < krzee> !servercert
13:08 < vpnHelper> krzee: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
13:09 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
13:11 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
13:11 < krzee> !ssl-admin
13:11 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
13:12 -!- zend [n=unix3@201.199.62.74] has joined ##openvpn
13:12 < zend> hello
13:15 < zend> krzee, ive been reading on NAT more.. and it seems *technically* to do exactly what I want. In fact when I put it in practice I can still ping my endpoint.. but thats about it.. if I try pinging something else it generates a lot of writes in the vpn server but doesnt return anything.. you said that NAT and tun are not compatible.. why so?
13:18 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Remote closed the connection]
13:18 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
13:20 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
13:20 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 104 (Connection reset by peer)]
13:24 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
13:40 -!- admin__ [n=admin@193.227.191.91] has quit [Read error: 110 (Connection timed out)]
13:48 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
13:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
13:51 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Remote closed the connection]
13:52 -!- gregd [n=gregd@98.142.208.61] has joined ##openvpn
14:11 -!- admin__ [n=admin@193.227.191.91] has joined ##openvpn
14:14 < zend> krzee, i found the way to do it like i wanted to ;)
14:15 < reiffert> how so?
14:16 < krzie> ya pls explain
14:23 < reiffert> just curious, did my proposal have any chance to work?
14:24 < reiffert> that was:
14:24 < zend> Well, actually reiffert found it not me.. I just did research today and confirmed in fact I think it is the way to do..
14:24 < zend> policy routing
14:24 < zend> :P
14:24 < reiffert> route add -host 192.168.100.10 netmask 255.255.255.255 gw 192.168.200.15
14:24 < reiffert> route add default gw 192.168.100.10
14:25 < krzie> right, on the machine in the lan, not the router... right?
14:25 < reiffert> right.
14:25 < krzie> thats the same thing i told him, heheh
14:25 < reiffert> krzie: same thing = policy routing or those 2 routing lines?
14:25 < krzie> well the last thing i told him, not the first
14:25 < krzie> the idea behind those 2 lines
14:26 < krzie> i didnt know it had a name
14:26 < zend> yeah but reiffert proposed policy routing in the router
14:26 < zend> which is not the same as this example
14:26 < reiffert> I was proposing policy routing on the openvpn client machine.
14:26 < zend> ohh
14:26 < zend> yeah, correct
14:26 < zend> not the PC obviously
14:26 < zend> the openvpn client machine
14:26 < reiffert> but then those two routing lines for the LAN machine (windows) came to my mind.
14:26 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Connection timed out]
14:27 < zend> reiffert, well i didnt research on the latter one.. because I think this is cleaner
14:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:27 < reiffert> nah, policy routing is OS dependent.
14:27 < zend> true..
14:27 < reiffert> just plain routing is more clean and sane.
14:27 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:28 < reiffert> please try my latter one as well, I'm really curious.
14:28 < zend> reiffert, well thank you... :)
14:28 < zend> and krzie for the help.
14:28 < reiffert> Want my paypal address?
14:29 < krzie> i do i do!
14:29 < krzie> password too!
14:29 < zend> :-)
14:29 < reiffert> :)
14:30 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
14:31 -!- admin__ [n=admin@193.227.191.91] has quit [Connection timed out]
14:33 -!- gregd [n=gregd@98.142.208.61] has quit [Read error: 104 (Connection reset by peer)]
14:43 < project2501a> hey guys. i'm a bit confused and i'm getting conflicting information: is it true that an openvpn connection gets dropped because ovpn runs over udp?
14:43 < Dougy_> hah
14:44 < Dougy_> reiffert:
14:44 < Dougy_> lol
14:44 < project2501a> sorry for the stupid question, but i can't get a straight answer as to why does my ovpn connection get re-initiated every now and then
14:45 < krzie> it should re-key every hour
14:45 < krzie> you actually getting disconnected?
14:45 < project2501a> yup
14:46 < project2501a> more than once an hour
14:46 < krzie> !config
14:46 < vpnHelper> krzie: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
14:46 < krzie> err
14:46 < krzie> !configs
14:46 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:46 < project2501a> krzie: getting configs, be right with you
14:50 -!- gregd_ [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit []
14:50 < project2501a> .... aaand vpn timed out :P hold please
14:51 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
14:53 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has quit [Client Quit]
14:53 < krzie> you use tcp?
14:53 < krzie> connecting over something like ppp pppoe satellite?
14:53 < project2501a> heh
14:53 < project2501a> i wish
14:53 < project2501a> something is screwing up the config
14:53 < project2501a> erh, the connection
14:54 < project2501a> no, it's just straight dsl into work. work is on fiber from BT
14:56 < Dougy_> hey krzie
14:56 < Dougy_> ewwwwwwwwwww
14:56 < Dougy_> BT
14:56 < krzie> why ewww bt
14:57 < Dougy_> bt sucks
14:57 < krzie> he has better options over there?
14:58 < project2501a> not where i'm at mate
14:58 < krzie> ya its easy for people who are in FIOS range to say that
15:00 < Dougy_> fios can kiss my ass too
15:00 < Dougy_> krzie
15:00 < Dougy_> check out what my isp does
15:00 < Dougy_> http://www.cedmagazine.com/News-Cablevision-DOCSIS30-101-Mbps-042809.aspx
15:00 < vpnHelper> Title: Cablevision pushes DOCSIS 3.0 needle to 101 Mbps (at www.cedmagazine.com)
15:00 < krzie> ya docsis3 is good
15:01 < Dougy_> 101Mbps
15:01 < Dougy_> uncapped
15:01 < Dougy_> for $100
15:01 < krzie> ecrist is in the first location to carry docsis3
15:02 < krzie> mssfix 1200
15:02 < krzie> why?
15:02 < krzie> and i refuse to read your client.conf
15:02 < krzie> you did not strip comments
15:03 < krzie> push "route 10.22.0.0 255.255.254.0"
15:03 < krzie> you have a million of those
15:03 < krzie> why not just 10.22.0.0 255.255.0.0
15:03 < reiffert> I'm on 32mbit for EUR 22,90/month
15:04 < krzie> i get 1.5mbit down 768kbit up for ~ $100/us
15:04 < krzie> per mo
15:04 < reiffert> 2mbit up
15:06 < reiffert> incl. telefon "flatrate"
15:09 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:14 < project2501a> krzie: oh, sorry about not stripping the comments
15:14 < project2501a> krzie: good question about the route. i've asked that myself, and apparently it's for "security purposes". but i think it's bullshit
15:15 < krzie> are there any other 10.22 networks?
15:15 < krzie> if not, there is NO difference from your vpn's perspective
15:15 < project2501a> we got a bunch of them
15:15 < project2501a> and apparently not all are supposed to be accessed
15:16 < krzie> !factoids search lim
15:16 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
15:16 < project2501a> by everybody
15:16 < project2501a> oooh
15:16 < project2501a> seriously?
15:16 < project2501a> did i mention that my work is like dilbert's workplace?
15:16 < project2501a> heh
15:19 -!- Cr0nix [n=Cr0nix@e180064168.adsl.alicedsl.de] has quit [Remote closed the connection]
15:21 < krzie> also you have mssfix
15:21 < krzie> do you have a good reason for that?
15:21 < project2501a> we got windows clients
15:22 < krzie> so?
15:22 < project2501a> that config is as old as the first linux kernel :(
15:22 < krzie> thats not an OS thing, its a MTU thing
15:22 < project2501a> *nod*
15:22 < krzie> and it could be whats screwing you up
15:22 * project2501a reads up on mssfix
15:23 < krzie> !man
15:23 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:24 < project2501a> i got it open, mate
15:24 < project2501a> i thought that mssfix was there to fix the problem with the windows tcp stack
15:25 < krzie> negative
15:25 < krzie> its part of a group of settings for fixing MTU issues
15:25 < krzie> like if you were on ppp pppoe or satellite
15:26 < project2501a> oooh
15:26 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has joined ##openvpn
15:27 < project2501a> see, learning shit like that on your own, or as said in latin "in vacuo"
15:27 < project2501a> is impossible
15:28 < project2501a> which is one of the things pissing me off: if i don't talk to other people, how the heck am i going to find out stuff about apocryphal stuff like this?
15:34 < project2501a> openvpn honors SIGHUP as "read conf again" right?
15:35 -!- zend [n=unix3@201.199.62.74] has quit ["Leaving"]
15:35 < krzie> not sure but its in the man
15:35 < krzie> under SIGNALS
15:35 < project2501a> *nod* read that. says so
15:35 < project2501a> says that it does so
15:35 < project2501a> just making sure
15:37 < project2501a> nope
15:37 < project2501a> it died on a -SIGHUP signal
15:37 < project2501a> hmm
15:37 -!- gregd [n=gregd@80-41-251-54.dynamic.dsl.as9105.com] has left ##openvpn []
15:38 < krzie> SIGHUP
15:38 < krzie> Cause OpenVPN to close all TUN/TAP and network connections, restart, re-read the configuration file (if any), and reopen TUN/TAP and network connections.
15:38 < project2501a> yup
15:38 < project2501a> mine died :(
15:38 < project2501a> i read that in the manual
15:38 < project2501a> but apparently this one died *sigh*
15:38 < krzie> you remember when i typed !configs
15:38 < project2501a> ya
15:38 < krzie> you left out almost everything
15:38 < project2501a> did i?
15:38 < krzie> read the WHOLE THING again
15:39 < krzie> !configs
15:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:39 < project2501a> *nod*
15:39 < project2501a> sorry mate :)
15:39 < project2501a> thank you for your help, i don't mean to be difficult
15:39 < krzie> its ok, i cant figure out why damn near nobody reads the whole message frmo the bot
15:39 < krzie> from
15:40 < project2501a> i can tell you why
15:41 < project2501a> i didn't read it cuz i wanted a solution in a hurry. so, i didn't read the whole message, just the "pastebin the config" and the "use grep"
15:41 < project2501a> but then the "use grep" step was out of sight, so i completely forgot about it
15:41 < project2501a> hm
15:41 < krzie> but it leads to taking a longer time
15:41 < project2501a> ya
15:41 < project2501a> sign of the times, mate
15:41 < project2501a> seriously
15:42 < project2501a> i see it in other parts of society, and i detest it. but then i go and do it myself in my own work.
15:42 < project2501a> which basically proves i'm an idiot ;)
15:42 < krzie> lol
15:42 < project2501a> or no different than any other member of the society
15:44 < project2501a> fast food, fast work, faster results, "no, you're being too slow", "sysadmins do everything right the first time", "losers try, winners take home the prom queen and fuck her"
15:44 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
15:44 < project2501a> i'm writing an article on that "winner all the time" culture
15:45 < reiffert> isnt project2501a the guy whose initial question was about pptpd?
15:45 < krzie> i thought losers took her to prom, winners fucked her when they had free time
15:45 < krzie> no that was someone else i believe
15:45 < krzie> his config shows someone set it up had a clue
15:46 < reiffert> :)
15:47 < reiffert> I just read a single line from project2501a.
15:47 < reiffert> 22:41 < project2501a> i didn't read it cuz i wanted a solution in a hurry.
15:47 < krzie> tru
15:47 < reiffert> So the other guy fell into my mind ..
15:47 < krzie> at least he admits it i guess, seeing as 75%+ do it as well
15:48 < project2501a> reiffert: sorry, not me mate
15:49 < reiffert> project2501a: sorry, not you mate?
15:49 < project2501a> why shouldn't i admit it? i mean, i had this config dropped into my lap and i don't have particular experience with openvpn. no reason to play it like i'm l33t or anything.
15:49 < krzie> not him that was askin bout pptpd
15:49 < project2501a> what krzie said ^--
15:50 < krzie> comment mssfix from server and client, see how that works
15:50 < project2501a> already did that
15:50 < krzie> if it fixes it you must remove it from all clients
15:50 < project2501a> and testing it
15:50 < reiffert> krzie: right, although it sounds like him until now :)
15:50 < krzie> hehe gotchya
15:50 < project2501a> reiffert: i'm sorry if i sound whiny
15:50 < project2501a> or clueless
15:50 < krzie> reiffert i was just referring to reiffert: sorry, not me mate
15:50 < reiffert> krzie: jup, that was clear.
15:51 < project2501a> ah, yeah, well, i'm a Greek guy, who has lived in the US for 10 years and now, i'm in the UK. i pick up the lingo ;)
15:51 < reiffert> project2501a: nah, whiny is far from an excuse why you refuse to read docs.
15:51 < krzie> im pissed off, i need to pick up a pci-e vid card for my osx86 box, but no computer stores open on sunday
15:51 < ecrist> fuckers
15:52 < krzie> seriously!
15:52 < krzie> they should be open during the day when i need parts
15:52 < project2501a> reiffert: true that. i am reading the docs, but at my level of knowledge some sections of the man page seem, well, apocryphal
15:52 < reiffert> project2501a: thats why people made a howto page. For the beginners and impatient ones.
15:52 < project2501a> read the howto as well
15:52 < reiffert> read as in past tense?
15:52 < krzie> reiffert mssfix is covered in the howto?
15:53 < reiffert> krzie: standard beginners config files are.
15:54 < krzie> his configs arent very beginner, but you wouldnt know that cause they're too top secret to post to the chan (lulz)
15:54 < ecrist> lol
15:54 < project2501a> reiffert: ya, as in past tense, when i got this dropped on my lap. i'm stupid, but not that much to come here and ask for help without doing _some_ reading up beforehand ;) . i know how this works. i need to bridge the knowledge gap between me and the guy who set that openvpn up, that's all.
15:54 < reiffert> ah mental ignore will fix that.
15:54 < project2501a> krzie: nah, not "top secret" just scared of the boss
15:55 < krzie> heres the trick:
15:55 < project2501a> bad time to lose my job
15:55 < krzie> remove the remote line
15:55 < project2501a> *nod* will do
15:55 < krzie> then theres no priv info
15:55 < krzie> it connects, so remote line isnt a problem
15:56 < reiffert> openvpn.net is down btw
15:57 < reiffert> once again.
15:57 < reiffert> and back online. wohoo.
15:59 < project2501a> http://rafb.net/p/3vuLHd71.html <-- my client config
15:59 < vpnHelper> Title: Nopaste - client config (at rafb.net)
15:59 < krzie> looks good
16:00 < krzie> a tls static key wouldnt be a bad idea, but doesnt mean the end of the world if you dont have it
16:00 < krzie> for info on that see !mac
16:00 < krzie> err see !hmac i mean
16:00 < project2501a> *nod*
16:00 < project2501a> http://rafb.net/p/faI8Rm54.html <-- current server config
16:00 < vpnHelper> Title: Nopaste - current server config (at rafb.net)
16:00 < project2501a> removed the mssfix
16:01 < krzie> its working?
16:01 < krzie> (problem solved?)
16:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:02 < project2501a> krzie: i'm testing it now mate
16:02 < project2501a> it's been half an hour since i re-started it
16:03 < project2501a> and the connection is stable
16:03 < project2501a> that might have been the whole thing....
16:03 < project2501a> there's no passing of knowledge from previous sysadmins at my work
16:04 < krzie> thats common
16:04 < project2501a> so, the reason that option was there, might have been that 3 years ago, we had a 1mbit line, which was high-latency
16:04 < project2501a> but now we got 100mbit
16:04 < project2501a> but i'll never know that
16:05 < krzie> the 1mbit was isdn?
16:05 < krzie> or pppoe maybe
16:05 < ecrist> ISDN doesn't do 100Mbit
16:05 < krzie> 1mbit
16:05 < ecrist> ISDN doesn't do 1mbit
16:06 < ecrist> it maxes out at 128k, really. after that, you're considered fractional T1
16:07 < krzie> k
16:07 < krzie> still coulda been pppoe
16:07 < project2501a> or E1 in europe
16:07 < project2501a> but yeah, basically it was slow
16:08 < project2501a> i think i'll buy you beers guys
16:08 < reiffert> want our paypal account?
16:09 < project2501a> reiffert: i keep reading your nickname as "reiser"
16:09 < project2501a> hans, is that you?
16:10 < reiffert> yes, thats me.
16:10 < project2501a> where did you get the connection in prison? :D
16:10 < reiffert> directed wave lan.
16:11 < project2501a> deadly connection, i suppose
16:11 < project2501a> the fees must be murder
16:23 < project2501a> looks like the mssfix was at fault
16:24 < project2501a> i haven't been sending data down that route, and it's stable
16:24 * project2501a pops open a newcastle brown ale
16:24 < project2501a> cheers guys
16:32 -!- zug [n=m@94-192-16-41.zone6.bethere.co.uk] has quit []
16:33 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn
17:19 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has joined ##openvpn
17:21 -!- epaphus [n=unix3@201.194.13.22] has joined ##openvpn
17:22 < Skered> I would guess you can't do this only because it seems the best way to allow a non-admin to run OpenVPN. However you can use subinacl to allow a user to start/stop OpenVPN service. Can you use subinacl to also allow a user to make routing changes?
17:26 < reiffert> !subinacl
17:26 < vpnHelper> reiffert: Error: "subinacl" is not a valid command.
17:35 -!- `Ned [n=Ned@98.155.203.22] has joined ##openvpn
17:57 < ecrist> what did I do?
17:57 < krzie> !factoids search admin
17:57 < vpnHelper> krzie: 'ssl-admin' and 'win_noadmin'
17:57 < krzie> !win_noadmin
17:57 < vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista
18:45 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)]
19:57 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:26 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Excess Flood]
20:27 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
20:28 -!- epaphus [n=unix3@201.194.13.22] has quit [Read error: 110 (Connection timed out)]
20:33 < freaky_t> hey krzie i got wins working. i had to set the openvpn server as wins server on the client network card
20:33 < freaky_t> but i still cant see the server
20:33 < freaky_t> and cant connect to it using windows
20:33 < freaky_t> using \\10.8.0.1\\
20:33 < freaky_t> but that's a samba thing
20:48 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
21:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
21:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:21 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
21:34 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit ["leaving"]
21:52 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has joined ##openvpn
22:55 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)]
23:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:33 -!- floyd_n_milan_ is now known as floyd_n_milan
23:37 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
--- Day changed Mon May 11 2009
00:23 -!- agnogenic [n=agnogeni@c-98-212-193-28.hsd1.il.comcast.net] has joined ##openvpn
00:48 < agnogenic> Hello, I'm having an issue with openvpn. :02001002:system library:fopen:No such file or directory:
00:48 < agnogenic> error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
00:50 < agnogenic> I have not been able to google this. I just installed my system, and am waiting for xorg to compile.
00:55 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
00:55 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
00:57 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Client Quit]
01:01 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn
01:01 < Delf> howdy
01:02 < Delf> !howto
01:02 < vpnHelper> Delf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:02 < Delf> Is it possible to create a mesh network with openvpn?
01:03 -!- agnogenic [n=agnogeni@c-98-212-193-28.hsd1.il.comcast.net] has quit [Client Quit]
01:05 < Delf> anyone?
01:10 < Delf> 69 people and no one is here :(
01:25 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
01:30 < reiffert> Delf: it's not.
01:34 < Delf> Any other program similar to OpenVPN that does mesh?
01:35 < reiffert> This is #openvpn.
01:35 < Delf> I thought it was ##OpenVPN
01:36 < Delf> I know what the topic is, sorry for talking outside of it.
01:39 < reiffert> Delf: it's not a matter of asking me private or on a public channel, it's just that this channel is about openvpn and it's not about mesh networks, nor expect people to know about similar to openvpn software that does mesh.
01:40 < Delf> reiffert: Ok
01:42 < Delf> !topology
01:42 < vpnHelper> Delf: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
01:50 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:56 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 54 (Connection reset by peer)]
01:57 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
02:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:15 -!- Artelius [i=router@60-242-27-57.static.tpgi.com.au] has joined ##openvpn
02:20 < Artelius> Hi, I've had a routed VPN running for a while and recently it stopped working
02:20 < Artelius> The first time, a server restart fixed it but it has returned, and restarts on both ends don't help
02:21 < Artelius> The error: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
02:25 < Artelius> Oh well, I thought not.
02:25 -!- Artelius [i=router@60-242-27-57.static.tpgi.com.au] has quit []
02:40 < krzee> lol @ impatient
02:48 -!- mRCUTEO [i=cuteo@58.26.212.3] has joined ##openvpn
02:48 < mRCUTEO> hiya tjz
02:48 < mRCUTEO> hiya krzee
02:48 < mRCUTEO> :D
02:48 < mRCUTEO> hiya everyone :D
02:51 < Bushmills> yes, as if leaving the channel would somehow accelerate getting an answer
02:51 < tjz> omg
02:51 < tjz> mrcuteo!
02:51 < tjz> super duper MIA!!!
02:51 < tjz> lol
02:51 < mRCUTEO> :D
02:52 < tjz> i can sense you are real busy
02:52 < tjz> :P
02:52 < tjz> hehe
03:00 < krzee> wassup =]
03:07 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
03:08 < mRCUTEO> :D
03:16 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
03:17 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
03:22 -!- mRCUTEO [i=cuteo@58.26.212.3] has quit []
03:31 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Remote closed the connection]
03:34 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
03:35 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Remote closed the connection]
03:38 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
03:45 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
03:58 -!- c64zottel [n=hans@p5B17B05C.dip0.t-ipconnect.de] has joined ##openvpn
04:07 -!- c64zottel [n=hans@p5B17B05C.dip0.t-ipconnect.de] has left ##openvpn []
04:11 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
04:32 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn []
04:32 < krzee> http://www.ovpnforum.com/viewtopic.php?f=10&t=141
04:33 < vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at www.ovpnforum.com)
04:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 54 (Connection reset by peer)]
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:35 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
05:35 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 131 (Connection reset by peer)]
05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:05 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has left ##openvpn []
06:11 -!- boojit [n=boojit@gw.carter.to] has joined ##openvpn
06:14 < boojit> Hi: I have a security question about OpenVPN. We have a bunch of remote small networks that we tie together via an openVPN client at each remote site connecting to an OpenVPN server. We have it configured so any client at remote endpoint 1 can access any client at remote endpoint 2 through the openVPN connectivity.
06:15 < boojit> Someone asked me, if an attacker was to gain access to the OpenVPN server, would they be able to see the unencrypted conversation between client at RE 1 and client at RE 2?
06:16 < boojit> essentially, does the conversation between RE1 and the openVPN server get decrypted and re-encrypted before delivery to RE2?
06:17 < boojit> or is the conversation between RE1 and RE2 encrypted end-to-end?
06:42 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
06:46 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit ["No Ping reply in 90 seconds."]
06:46 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
06:54 < boojit> ok found the answer to my query, and yeah, that was obvious now I think about it: http://article.gmane.org/gmane.network.openvpn.user/26489
06:54 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
07:19 -!- CybDev [n=cybdev@unaffiliated/cybdev] has quit [Remote closed the connection]
07:21 -!- CybDev [i=cybdev@abducted.by.aliens.org] has joined ##openvpn
07:22 < Delf> Can i set up OpenVPN to be both Client AND server?
07:23 < ecrist> no
07:23 < ecrist> you need to run it twice
07:24 < Delf> I see
07:25 < Delf> each instance with separate adapter?
07:27 < reiffert> virtual adapter.
07:27 < Delf> yes
07:28 < reiffert> yes.
07:28 < reiffert> tun0, tun1, ...
07:28 < reiffert> tap0, tap1, ...
07:29 < Delf> is it possible to run two instances as service?
07:29 < reiffert> OS?
07:29 < Delf> win xp
07:29 < reiffert> dunno
07:29 < reiffert> but most probably.
07:30 < Delf> Problem is, you cannot have same ip# for both
07:30 < Delf> virtual adapters
07:30 < reiffert> that's called a feature.
07:30 < Delf> Which?
07:30 < reiffert> 14:30 < Delf> Problem is, you cannot have same ip# for both
07:31 < boojit> I run two instances of OpenVPN with no problem, but that's on linux.
07:31 < Delf> I see
07:32 < Delf> i can run multiple instances of OpenVPN too but i dont seem to get them to run as a service on win xp
07:32 < dazo> Delf: in Windows, I believe you'll need to create the second TUN/TAP adapter (via the OpenVPN group in the Start menu) ... then it'll work out
07:32 * dazo is not a Windows guru
07:32 < Delf> dazo: yes, i do have two adapters
07:33 < Delf> Can one instance connect to multiple servers?
07:33 < dazo> Delf: :) ... anyway, each of the adapters needs different IP's that's for sure
07:33 < dazo> Delf: nope
07:34 < dazo> Delf: but you can list several remotes, and it will reconnect to the next one if one fails
07:34 < Delf> yes, that i have tried.
07:34 < Delf> simply by adding more lines of remote
07:34 < dazo> Delf: one process = one connection .... but for the server, it can handle multiple clients
07:35 < dazo> but for clients, it's 1:1
07:35 < Delf> Yes, but a server cannot connect to a remote server, can it?
07:35 < dazo> Delf: exactly ... in that case, the server is a server and not a client .... server accepts connections, clients initiate connections
07:36 < Delf> would there be a problem if there could be hybrids?
07:36 < dazo> Delf: you configure OpenVPN to be either a server or a client ... it cannot be both at the same time .... but you can run several openvpn processes with different configs at the same time
07:37 < Delf> yes, thats what i thought earlier. But then i run into the problem of having different ip# for each adapter
07:37 < dazo> there's no way around that
07:39 < Delf> I'm trying to create a mesh, but it seems like OpenVPN cannot do that.
07:39 < dazo> I don't think OpenVPN supports such infrastructure at all
07:42 < Delf> If it was possible to both accept and initiate connections, and if server could ask clients to connect to each other it would be nice. Thats while not having client-to-client in the server config
07:42 < Delf> it be nice.
07:43 < dazo> mm ... but that's not where OpenVPN is today ... but it's open source ... just to start hacking ;-)
07:43 < Delf> I'm not a coder of any kind. I don't know much of anything either.
07:45 < Delf> Maybe theres a reason this feature does not exist. I remember a while ago someone had made some posts about this
07:45 < Delf> perhaps a security issue or something, i dont know.
07:47 < Delf> Is it even called mesh networking? Were not talking about wi-fi
07:47 < dazo> Delf: might be ... anyway, a mesh network is to create ad-hoc networks with features as connection sharing .... normally, that's not what you really want if you want a secure VPN ;-)
07:48 < dazo> s/create ad-hoc/automatically create ad-hoc/
07:48 < Delf> ?
07:48 < reiffert> sigh.
07:48 < reiffert> !factoids search mesh
07:48 < vpnHelper> reiffert: No keys matched that query.
07:49 < dazo> reiffert: was I that far away?
07:49 < reiffert> !learn mesh as openvpn does do mesh networking.
07:49 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:49 < dazo> ahh
07:49 < Delf> brb
07:51 < dazo> !learn mesh as openvpn does do mesh networking.
07:51 < vpnHelper> dazo: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
07:51 < dazo> :(
07:51 < dazo> !whoami
07:51 < vpnHelper> dazo: I don't recognize you.
08:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)]
08:24 < ecrist> I think I'm going to get rid of anon edits on the wiki
08:24 < ecrist> !learn mesh as openvpn does do mesh networking
08:24 < vpnHelper> ecrist: Joo got it.
08:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:30 < reiffert> ecrist: you missed a "not"?
08:31 < reiffert> so was I
08:32 < dazo> yeah, a 'not' is missing
08:34 < ecrist> 07:51 < dazo> !learn mesh as openvpn does do mesh networking.
08:34 < ecrist> 07:49 < reiffert> !learn mesh as openvpn does do mesh networking.
08:34 < dazo> I know ... I didn't see it until you mentioned it :)
08:34 < ecrist> !forget mesh
08:34 < vpnHelper> ecrist: Joo got it.
08:35 < ecrist> !learn mesh as openvpn does not do mesh networking
08:35 < vpnHelper> ecrist: Joo got it.
08:35 < dazo> ecrist: thx!
08:35 < ecrist> no problem
09:07 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn
09:10 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)]
09:11 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
09:43 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:45 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
09:45 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:46 -!- theDoc_ [n=andelyx@208.99.194.194] has joined ##openvpn
09:46 < carpe_> hi
09:47 -!- carpe_ is now known as plaerzen
09:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
09:47 -!- theDoc_ [n=andelyx@208.99.194.194] has quit [Client Quit]
09:48 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:49 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has joined ##openvpn
10:09 < ecrist> sup, plaerzen
10:15 < plaerzen> oh, the usual
10:15 < plaerzen> work work.
10:19 < ecrist> aye, same here.
10:19 < ecrist> finally get to take my concealed weapons class on saturday. ::cheers::
10:20 < js_> i always forget, what's the setting on the server to enable that clients can speak to each other?
10:20 < ecrist> client-to-client
10:23 < js_> any client side configuration needed?
10:23 < ecrist> Dougy_: I've enabled avatars on the forum, and I've added a forum rules entry for the configuration sub topic
10:23 < js_> nevermind, the client had changed ip
10:23 < ecrist> js_: no
10:23 < js_> what's a good way to set static ips for clients?
10:23 < ecrist> !static
10:23 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
10:24 < js_> !ccd
10:24 < vpnHelper> js_: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
10:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:40 -!- Timpa [i=timpa@193.13.142.250] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
10:59 < plaerzen> ecrist, what do you need concealed weapons for?
10:59 < ecrist> shooting bad guys
11:00 * plaerzen frowns.
11:06 < ecrist> why the frown?
11:06 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Read error: 110 (Connection timed out)]
11:07 < ecrist> http://secure-computing.net/files/04142009_40rnds.jpeg
11:07 < ecrist> I'm a good shot. ;)
11:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:20 < plaerzen> lol you should have changed the target at some point before it was 1/4 gone
11:27 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn
11:36 -!- youngpro [n=pro@203.217.10.114] has quit [Read error: 145 (Connection timed out)]
11:41 -!- ke4qqq [n=ke4qqq@fedora/ke4qqq] has joined ##openvpn
11:44 < ke4qqq> hey guys - I have resolv-retry infinite set in my config file, have 'push "dhcp-option DNS xx.xx.xx.xx"' and most of my clients have no problems with resolution, however, I have a single winxp client that gets another dhcp-option (domain) but is resolving against their ISPs dns server. Thoughts on what I need to look for?
11:45 * dazo wonders if ecrists picture is a result of one bullet .... or several ..... :-P
11:48 < ecrist> dazo, 49 rounds of a 50 round box
11:49 < ecrist> the other one, was in the first target: http://secure-computing.net/files/04142009_bullseye.jpeg
11:49 < ecrist> ke4qqq: sounds like they have a static DNS server set in their networking config
11:50 < ke4qqq> ecrist - don't think so, but I'll check
11:51 < ke4qqq> ecrist: nope - all the wired and wireless adapters on that machine acquire dns via dhcp
12:10 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has joined ##openvpn
12:11 -!- SgtPepperKSU [n=kmoyer@209.184.240.68] has left ##openvpn ["Leaving."]
12:13 -!- a-l-p-h-a [n=a-l-p-h-@unaffiliated/a-l-p-h-a] has joined ##openvpn
12:14 < a-l-p-h-a> I'm just wondering something... if I'm at home, and connected to my office openVPN, whatever i'm surfing, can it get logged? My question is does the vpn connection act as a proxy, or do I connect straight out?
12:16 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:19 < ecrist> depends on how the routing is done, a-l-p-h-a
12:27 < a-l-p-h-a> route-method exe
12:27 < a-l-p-h-a> route-delay 2
12:27 < a-l-p-h-a> that's what's in the config with regards to routing.
12:27 < ecrist> look at your OS routing table
12:28 < a-l-p-h-a> ooh.
12:28 < ecrist> if they're monitoring you, look for a 0/1 route
12:28 < ecrist> or, a redirection of DNS services
12:32 < a-l-p-h-a> cool... all the hops in my tracert are my isp's.
12:35 < ecrist> verify DNS, and you're good to go
12:59 -!- hallo99 [n=johannes@xdsl-87-78-126-234.netcologne.de] has joined ##openvpn
13:00 < hallo99> I need to connect to an openvpn server, which requires me to give a username password, how can I put these into the config file, so I don't have to be asked if I start the vpn
13:01 < ecrist> you need to compile OpenVPN to support it, first off
13:02 < hallo99> I am using debian, I hope they did that for me
13:03 < dazo> hallo99: make sure that you're running the latest version .... 2.1_rc15 .... I'm not sure if Debian is that fresh
13:03 < ecrist> hallo99: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
13:03 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
13:03 < ecrist> search the page, about half way down for auth-user-pass
13:07 < hallo99> It works, thanks a lot
13:17 < ecrist> no problem
13:18 -!- a-l-p-h-a [n=a-l-p-h-@unaffiliated/a-l-p-h-a] has left ##openvpn []
13:21 -!- hallo99 [n=johannes@xdsl-87-78-126-234.netcologne.de] has quit ["leaving"]
13:40 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn
14:06 -!- rubydiamond [n=rubydiam@unaffiliated/rubydiamond] has quit ["Leaving..."]
14:49 < jeiworth> sorry for this n00b question but where can i find the web gui for openvpn that is also shown on the openvpn homepage? in the gui section there appear to be only binaries for various platforms...
14:49 < ecrist> can you give me a link?
14:49 < ecrist> are you talking about the access server?
14:50 < ecrist> !learn access-server as penVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients. There are a number of server configurations options supported which are a carefully selected ...
14:50 < ecrist> ... subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server.
14:50 < vpnHelper> ecrist: Joo got it.
14:50 < ecrist> !forget access-server
14:50 < vpnHelper> ecrist: Joo got it.
14:50 < ecrist> !learn access-server as OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients.
14:50 < vpnHelper> ecrist: Joo got it.
14:51 < ecrist> !learn access-server as There are a number of server configurations options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server.
14:51 < vpnHelper> ecrist: Joo got it.
14:51 < ecrist> !learn access-server as http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
14:51 < vpnHelper> ecrist: Joo got it.
14:51 < ecrist> !access-server
14:51 < vpnHelper> ecrist: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
14:51 < vpnHelper> ecrist: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:58 < jeiworth> ecrist: thanks, looking into it
14:59 < jeiworth> i was starting to fear that the openvpn project was slowly but surely dying, looking at the latest updates, especially of the guis
14:59 < ecrist> not dying. there are only two core people to the project, and they want to keep it that way.
15:00 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
15:00 < jeiworth> only 2? wow, thats not a whole lot, and they dont want any help?
15:01 < ecrist> nope
15:04 < jeiworth> hmm and i see they want to start making money, just registered and got a free lic key for 5 connecting clients :D
15:04 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
15:05 < Tatster> !route
15:05 < vpnHelper> Tatster: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:05 < Tatster> !howto
15:05 < vpnHelper> Tatster: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:06 < Tatster> Hi all. I've been testing out Adito (SSL browser-based VPN) but run into a few stability issues and noted that in recent posts on forums that there is discussion about the Adito project coming under the OpenVPN umbrella
15:07 < Tatster> stumbled across http://beta.openvpn.net and thought "mmm this looks quite good"
15:07 < vpnHelper> Title: Welcome to OpenVPN (at beta.openvpn.net)
15:07 < jeiworth> this bot is quite talkative *g*
15:08 < Tatster> but reading some stuff today I saw somewhere that it is limited to 2 concurrent users - is this correct ?
15:08 < jeiworth> Tatster: i just registered there and got a free license valid for 5 connections
15:09 < Tatster> jeiworth: ok, that sounds promising. While that will probably be enough for me at this point in time, do you know what the score is with more users ?
15:10 < jeiworth> Tatster: hmm depends on what you are referring to, resource limits? i think the biggest limitation anyone will have in a private dsl-line is bandwidth
15:11 < APTX|> I'm trying to set up openvpn 2.1.x as server on windows 2k8. I used the default config file, only modified the cert paths. It starts up properly, but configures the network device to use the IP 169.254.70.216 which is not in the 10.8.0.0 network. What's going on?
15:11 < jeiworth> i am currently running a "normal" openvpn installation (standard package from ubuntu repo) and we have a 2mbps/348kbps line, its ok for 2-3 but then it gets really slow
15:14 < Tatster> jeiworth: yeah, I guessed that would be the case, was just a bit puzzled by the docs saying 2 concurrent
15:16 < jeiworth> Tatster: hmm strange, the docs for the beta, or which one?
15:18 < Tatster> it was in the OpenVPN access server admin guide
15:18 < Tatster> 3.2 Obtain License Key
15:18 < Tatster> Before you can begin Access Server configuration, you will need to obtain a license key for
15:18 < Tatster> OpenVPN Access Server.
License keys, including free 2 concurrent connection license keys, can
15:18 < Tatster> be obtained from www.openvpn.net once you are registered and signed in to the website. Once you
15:18 < Tatster> have your license key, you can highlight and copy it so that you are ready to paste it when you run
15:18 < Tatster> ovpn-configserver.
15:18 < Tatster> oops sorry, thought that would go on one line
15:23 < jeiworth> spamm0r ;oP
15:23 < jeiworth> hmm well, i am not sure if that means that you get 5 client licenses and only can use 2 at the same time or not
15:24 < jeiworth> however, i like the idea of the client setup through the browser though
15:25 < Tatster> it still requires users to download and install the packaged file
15:25 < Tatster> just presents it to them as a single pre-configured exe
15:25 < jeiworth> exactly
15:26 < jeiworth> anyway, i am trying to build my own according to this http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package-Rev1.1.html
15:26 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
15:31 < ecrist> jeiworth: the making-money part is only for the access server
15:31 < ecrist> the core openvpn should stay free/open
15:33 < Tatster> ecrist: so do I understand it correctly then that the access server is what gets you the auto-generated client package and a scripted server install, whereas the core server doesn't have these features ?
15:34 < ecrist> yes
15:34 < ecrist> but, you can build your own 'generator'
15:34 < jeiworth> ecrist: yes, that is how i understand it
15:34 < ecrist> ssl-admin packages keys for you
15:37 -!- Intensity [i=[HiX103q@unaffiliated/intensity] has quit [Remote closed the connection]
16:13 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has left ##openvpn ["Leaving"]
16:14 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
16:22 -!- multiverse [n=multiver@209.147.120.138] has joined ##openvpn
16:42 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
16:44 < krzie> i dont see a reason to pre-package
16:44 < krzie> all you need to do is have them install openvpn, and give them a zip with keys / config
16:44 < krzie> with a batch file in the zip to place them in the right place
16:45 < krzie> and boom, done
16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [No route to host]
16:48 -!- Intensity [i=[d6X6ISA@panix1.panix.com] has joined ##openvpn
16:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:21 < APTX|> ... I still don't know what the problem was, but setting ip-win32 to manual and setting the ip address/mask by hand worked. Somehow the driver failed to set the address properly :/
17:22 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Read error: 110 (Connection timed out)]
17:32 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn
17:37 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
17:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
18:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection timed out]
18:03 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
18:04 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
18:07 -!- krzie [i=krzee@joogot.noskills.net] has joined ##openvpn
18:12 -!- Lilarcor [n=Lilarcor@208-59-127-87.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
18:12 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
18:13 < krzie> APTX| got logs from the failed attempts?
18:18 < APTX|> krzie: well I could set ip-win32 back to default and give you whatever you want... the problem was that the console said it was telling the device to set an IP address (via dhcp) and a completely different one got set :/
18:18 < krzie> show me
18:18 < krzie> if you wanna try to make it work that way
18:18 < krzie> if you're happy with this, so am i
18:23 -!- Lilarcor [n=Lilarcor@208-59-127-87.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
18:24 < APTX|> riiight...
18:24 < APTX|> I just figured it out
18:24 < krzie> nice, what was it?
18:25 < APTX|> the dns client service was disabled
18:25 < krzie> ahh
18:25 < krzie> i was thinking it might be a service, dunno that i woulda came up with that exact one tho
18:25 < krzie> in fact im pretty sure i wouldnt have
18:25 < krzie> (i dont really use win)
18:25 < APTX|> I've enabled it when I ran OpenVPN as a service, as it was a dependency
18:26 < krzie> any other depended on services?
18:28 < krzie> !learn win_services as if the adapter fails to set the IP properly check that dns client service is enabled.
18:28 < vpnHelper> krzie: Joo got it.
18:28 < APTX|> well the OpenVPN service depends on the DHCP client and tap-win32
18:28 < krzie> tap-win32 is a service?
18:29 < krzie> !forget win_services
18:29 < vpnHelper> krzie: Joo got it.
18:29 < APTX|> that I can't really say, but it comes up in the services' dependencies list
18:30 < krzie> !learn win_services as if the adapter fails to set the IP properly check that dns client service, DHCP client service, and tap-win32 is enabled.
18:30 < vpnHelper> krzie: Joo got it.
18:30 < krzie> nice, thanx =]
18:33 < APTX|> ... I meant dhcp not dns
18:33 < krzie> oh
18:33 < krzie> i woulda thought of that one then
18:33 < APTX|> sorry, there is no dns service involved
18:33 < krzie> hehe
18:33 < krzie> !forget win_services
18:33 < vpnHelper> krzie: Joo got it.
18:33 < krzie> !learn win_services as if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled.
18:33 < vpnHelper> krzie: Joo got it.
18:34 < krzie> !forget win_services
18:34 < vpnHelper> krzie: Joo got it.
18:34 < krzie> !learn win_ipfail as if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled.
18:34 < vpnHelper> krzie: Joo got it.
19:25 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Read error: 60 (Operation timed out)]
19:28 -!- ropetin [n=ropetin@pdpc/supporter/student/ropetin] has left ##openvpn []
19:31 -!- multiverse [n=multiver@209.147.120.138] has quit ["Leaving"]
19:47 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Remote closed the connection]
19:48 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has joined ##openvpn
20:13 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
20:19 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:36 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:10 -!- Delf1 [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn
21:11 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Read error: 104 (Connection reset by peer)]
21:29 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
21:41 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn
22:29 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
22:30 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
22:40 -!- multiverse [n=multiver@00121729f848.click-network.com] has joined ##openvpn
22:41 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
23:04 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn
23:16 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: theDoc, Bushmills, freaky_t, Isen, tuxsmouf
23:16 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: isox, `Ned, feinoM, krzie, M06w, dazo, disco-, ke4qqq, nemysis, pa, (+39 more, use /NETSPLIT to show all of them)
23:17 -!- Netsplit over, joins: frankS2, Isen, tuxsmouf, freaky_t, Bushmills, theDoc, Celsiux-Nulled, project2501a, multiverse, jeiworth (+44 more)
23:21 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
23:32 -!- Delf1 is now known as Delf
23:34 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Success]
23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
23:40 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
--- Day changed Tue May 12 2009
00:00 -!- multiverse [n=multiver@00121729f848.click-network.com] has quit ["Leaving"]
00:18 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)]
00:26 -!- albech [n=albech@119.42.76.84] has quit ["Leaving"]
01:06 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
01:06 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
01:20 -!- huslu [n=huslu@c-67-165-238-82.hsd1.co.comcast.net] has quit [Read error: 113 (No route to host)]
01:33 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
01:33 < onats> hai!
01:51 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
01:51 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:56 < dan__t> Hi.
01:56 < reiffert> hi
01:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:32 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
02:39 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has joined ##openvpn
02:40 < mRCUTEO> !redirect
02:40 < vpnHelper> mRCUTEO: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:40 < mRCUTEO> !def1
02:40 < vpnHelper> mRCUTEO: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:41 < mRCUTEO> !ipforward
02:41 < vpnHelper> mRCUTEO: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
02:41 < mRCUTEO> !winipforward
02:41 < vpnHelper> mRCUTEO: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
02:43 < mRCUTEO> !linipforward
02:43 < vpnHelper> mRCUTEO: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
02:43 < mRCUTEO> !topology
02:43 < vpnHelper> mRCUTEO: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:44 < mRCUTEO> !iporder
02:44 < vpnHelper> mRCUTEO: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
02:46 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has quit []
02:46 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:54 < reiffert> seen star trek yet?
02:59 < krzee> schlong
03:07 -!- master_of_master [i=master_o@p549D669D.dip.t-dialin.net] has joined ##openvpn
03:16 < Bushmills> grin
03:17 < krzee> my osx86 box finally works!!!!!
03:19 < krzee> <-- very happy
03:23 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
03:26 < Bushmills> non-apple hardware on which you got applesoft working?
03:28 < krzee> yes
03:28 < krzee> a dg35ec with a q9400, 8gb ddr2 667 ram, nvidia 9400GT
03:29 < Bushmills> nice
03:30 < krzee> hell ya man, im stoked!
03:33 < krzee> o and a 1.5TB sata2 drive
03:34 < Bushmills> what? not a scsi raid??
03:36 < krzee> lol, no
03:36 < krzee> i dont even like scsi
03:36 < krzee> you can get 10k sata drives now
03:37 < krzee> scsi is too expensive $/gig
03:39 < Bushmills> interface speed or raw media transfer speed is not everything that matters.
03:42 < krzee> right, size does too
03:42 < krzee> and price
03:44 < Bushmills> scsi does have technical advantages. those also come to bear in multitasking environments
03:49 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
04:03 -!- c64zottel [n=hans@p5B17AE45.dip0.t-ipconnect.de] has joined ##openvpn
04:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)]
04:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn
05:17 -!- tjz [n=tjz@bb219-75-13-49.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
05:44 -!- surya [n=surya@203.129.237.147] has joined ##openvpn
05:56 -!- frankS2 [n=frank@ti500720a080-2263.bb.online.no] has quit [Read error: 104 (Connection reset by peer)]
05:57 -!- frankS2 [n=frank@ti500720a080-0156.bb.online.no] has joined ##openvpn
06:07 -!- project2501a [n=gmarseli@msend2.ebuyer.com] has joined ##openvpn
06:24 -!- jeiworth [n=jeiworth@189.163.185.70] has joined ##openvpn
06:24 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
06:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:35 -!- tjz [n=tjz@bb121-6-114-207.singnet.com.sg] has joined ##openvpn
06:47 < ecrist> morning, folks
06:50 < theDoc> hello!
06:50 < dazo> morning
06:50 * theDoc has to make a note not to do sysadmin work while drunk:)
06:51 < theDoc> I locked myself out of a server in the US this morning:)
06:51 < ecrist> lol
06:51 < ecrist> that sucks
06:51 < theDoc> lol, thankfully it's a demo system and I got the guys to reinstall the box
06:55 < theDoc> ecrist: I'd like to point out some errors in your Cisco IOS wiki
06:55 < theDoc> :p
06:55 < ecrist> please do
06:55 < theDoc> Shift + Ctrl + 6 would kill the process, not shift + 6
06:55 < ecrist> better yet, correct them
06:55 < theDoc> err, control+6 does it
06:56 < theDoc> Err, fuck
06:56 < theDoc> Ctrl+6 doesn't do it.
06:56 < theDoc> It's ctrl shift 6 iirc
06:56 * theDoc slaps himself
06:56 < ecrist> so, I *was* correct?
06:56 < ecrist> o.O
06:56 < theDoc> Nono, wrong.
06:56 < theDoc> It's control shift 6.
06:56 < theDoc> You have control 6.
06:57 < ecrist> ah, could you correct it?
06:57 < theDoc> Do you mind if I make an account?
06:57 < ecrist> not at all
06:57 < theDoc> I don't profess to be a Cisco junkie but I could contribute a few HOW-TOs, since I'm labbing at home.
06:58 -!- frankS2 [n=frank@ti500720a080-0156.bb.online.no] has quit ["Konversation terminated!"]
07:05 -!- frankS2 [i=nobody@algorit.me] has joined ##openvpn
07:24 < theDoc> Has anyone ever tried to make openvpn work with Cisco ASA/PIX/Concentrator?
07:25 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
07:25 < muh2000> hi
07:25 < theDoc> 'sup man
07:27 < muh2000> when openvpn starts and the server freezes, what is most likely responsible for freezing it? the tun/tap module? suse9.3
07:27 < theDoc> muh2000: Your entire server locks up?
07:27 < theDoc> and you can't ssh in either or the process fucks itself?
07:29 < muh2000> theDoc: not mine, the server of an acquaintance... he said the complete server freezes. (i guess no ssh/login) sounded serious
07:30 < muh2000> openvpn runs rock stable on my boxes :D
07:30 < theDoc> muh2000: As far as I know, I've never seen such an issue, could quite possibly be a hardware issue?
07:32 < muh2000> theDoc: hmmm i dont think so, everything else is running fine. or maybe an issue with openvpn&the nic...?
07:32 < theDoc> muh2000: Highly unlikely.
07:32 < muh2000> ok
07:32 < theDoc> muh2000: What does dmesg throw up, if there's any possibility of doing a strace or something.
07:32 < theDoc> I'm not sure ;p
07:33 < muh2000> i am not at the box nor do i have contact with him right now. but since it froze i think there wouldnt be much possible doing dmesg. maybe tail -f kern.log at the next try on another terminal
07:34 < theDoc> Could be.
07:34 < theDoc> muh2000: I don't think openvpn would just break the box.
07:34 < muh2000> my advice to him was building openvpn from sources and upgrading ^^
07:34 < theDoc> muh2000: or just do apt-get install openvpn-server
07:35 < muh2000> i think it is the tun module since it is the only "bigger" thing that gets moved into the system.
07:35 < muh2000> theDoc: suse doesnt have apt-get :D
07:35 < theDoc> muh2000: Is that some obscure NIC you are using?
07:36 < muh2000> not that i know of (not me, a friend of mine... but doesnt matter )
07:37 < muh2000> are there any nics known to make trouble?
07:38 < theDoc> muh2000: I'd say that if that was the case, your OS would have problems as well.
07:38 < theDoc> Not just limited to openvpn
07:38 < muh2000> ok
07:39 < muh2000> my guess is that there is something wrong with the kernel.
07:40 < muh2000> well, maybe i'll know more later.
07:40 < theDoc> Maybe with the tun module.
07:40 < theDoc> Yeah.
07:40 < muh2000> i gave him some advice i would do in such a situation - i am looking forward to how this plays out :)
07:40 < theDoc> Indeed.
07:41 < theDoc> I'm just waiting for my server to be rebuilt.
07:41 < theDoc> I was screwing around today and guess what, I broke stuff ;)
07:41 < muh2000> LOL
07:41 < muh2000> hardware or software wise?
07:41 < theDoc> muh2000: I turned off ssh :)
07:42 < muh2000> rofl :D
07:42 < theDoc> muh2000: I'm in Singapore, my box is in US :)
07:42 < muh2000> no rescue boot system?
07:42 < theDoc> Stupid company wanted to charge me 110 USD to turn ssh on.
07:42 < theDoc> I told them to go fuck themselves and they can reinstall it for me for free.
07:42 < theDoc> Jesus christ.
07:42 < muh2000> lol
07:42 < theDoc> It's a demo/test system anyway
07:42 < muh2000> monit could help in such situations
07:43 < theDoc> muh2000: I wish there was something like, reload in 5.
07:43 < theDoc> Something like Cisco, where if you fuck up, the config doesn't save and it reloads in 5 mins :)
07:43 < muh2000> http://mmonit.com/monit/
07:43 < vpnHelper> Title: Monit (at mmonit.com)
07:44 < muh2000> it can do a restart if a process isnt on.
07:44 < theDoc> Awesome.
07:44 < theDoc> muh2000: But to be honest, I was screwing around with webmin and I proceeded to royally fuck up after I messed with ssh stuff in a GUI :p
07:44 < theDoc> Proof that GUIs are evil.
07:44 < muh2000> word
07:45 < muh2000> never liked webmin or similar tools anyway :)
07:45 < theDoc> muh2000: I use this because it's a demo system and I have a colleague who isn't an extreme console monkey working on it too.
07:45 < theDoc> Tried to make it easier for him.
07:45 < muh2000> hehe
07:45 < theDoc> First time ever, locking myself out ;p
07:45 < muh2000> :)
07:46 < theDoc> Now, I need to email goaddy to change my email address.
07:46 < theDoc> How stupid ;p
07:46 < muh2000> lol
07:47 -!- surya [n=surya@203.129.237.147] has quit ["Leaving"]
08:11 < krzee> !win7
08:11 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
08:12 -!- Roman123 [n=Roman123@128.131.70.150] has joined ##openvpn
08:56 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
08:59 -!- Roman123 [n=Roman123@128.131.70.150] has quit ["Leaving"]
09:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:12 -!- jeiworth [n=jeiworth@189.163.185.70] has quit [Read error: 110 (Connection timed out)]
09:23 -!- Ubuntuuuu [n=Roseenet@41.248.245.111] has joined ##openvpn
09:24 < Ubuntuuuu> i want to configure vpn
09:24 < Ubuntuuuu> , i have a router 3com integrated firewall
09:24 < Ubuntuuuu> and a server ubuntu
09:24 < theDoc> epic, http://img17.imageshack.us/img17/4121/k4vsjpg.jpg
09:24 < theDoc> :)
09:24 < theDoc> nsfw.
09:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:25 < Bushmills> i want a cup of tea
09:26 < Bushmills> i have a water kettle
09:26 < Bushmills> and a cup
09:26 < Bushmills> :P
09:30 < reiffert> get some tea at the supermarket
09:47 < Ubuntuuuu> i see that people here talk about food not vpn
09:47 < Ubuntuuuu> :(
09:48 < Ubuntuuuu> :s
09:51 < theDoc> We occasionally talk about .. other stuff ;p
09:53 < Ubuntuuuu> ok
09:53 < reiffert> Ubuntuuuu: your VPN question is?
09:54 < Ubuntuuuu> i want to configure vpn , i have a router 3com and a server ubuntu ,
09:54 < reiffert> I want a cup of tea, I have a water kettle and a cup.
09:54 < reiffert> your VPN question is?
09:55 < reiffert> however:
09:55 < reiffert> !howto
09:55 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:55 < reiffert> start here.
09:55 < Ubuntuuuu> where i will configure vpn in the router or in the server??
09:56 < theDoc> Ubuntuuuu: On your server, router does routing.
09:56 < theDoc> Unless you have something like a Cisco and you can run your site-to-site vpn via the router.
09:57 < Ubuntuuuu> i want to access my network via internet
09:57 < theDoc> Well, that doesn't make sense.
09:57 < theDoc> It's like saying, I want to download the internet.
09:57 < Ubuntuuuu> ok
09:58 < Ubuntuuuu> i dont have great knowledge , im just a student, ok thank you very much
10:00 < theDoc> Ubuntuuuu: Aren't we all students? ;)
10:01 < Ubuntuuuu> i don t know , ok no problem , thanks
10:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
10:12 -!- multiverse [n=multiver@209.147.120.138] has joined ##openvpn
10:12 < multiverse> Hi, I followed this tutorial - http://www.howtoforge.com/openvpn-server-on-centos-5.2 - to get openvpn working. I get: VERIFY ERROR: depth=0, error=unsupported certificate purpose - Here is my conf and logs: http://pastebin.com/de689c66
10:12 < vpnHelper> Title: OpenVPN Server On CentOS 5.2 | HowtoForge - Linux Howtos and Tutorials (at www.howtoforge.com)
10:13 < multiverse> I actually used CentOS 5.3 instead of 5.2.
10:21 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit []
10:30 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)]
10:31 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:36 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
10:41 < reiffert> multiverse: and here is the openvpn howto, including standard configs:
10:41 < reiffert> !howto
10:41 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:42 < reiffert> multiverse: please note that 1723 is the pptpd default port. openvpn runs on 1194.
10:43 < reiffert> multiverse: your client config needs to use a client cert and key file, not the server one.
10:44 < reiffert> You'll get the idea, once you read the howto paragraph about certificates.
10:58 -!- throughnothing [n=will@74.205.24.229] has joined ##openvpn
11:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:09 -!- jeiworth [n=jeiworth@189.234.82.49] has joined ##openvpn
11:15 < ecrist> theDoc: I've added some content to the cisco page for backups, see if that's incorrect for me, please?
11:15 < ecrist> :)
11:25 -!- Ubuntuuuu [n=Roseenet@41.248.245.111] has quit ["Quitte"]
11:32 < multiverse> reiffert: thanks. Should I uninstall the openvpn I yummed from rpmforge?
11:35 < reiffert> multiverse: ask a guy that knows about your distribution. I do now.
11:35 < reiffert> now = not
12:08 < dazo> multiverse: which version of openvpn did you find there?
12:09 < dazo> multiverse: I know RHEL and Fedora ships openvpn-2.1_rc15, iirc ... so if you have that from rpmforge, I don't see any reason why to throw that one out
12:09 * dazo double checks RHEL
12:10 < dazo> RHEL - openvpn-2.1.0.29.rc15.el5
12:11 < dazo> (that is RHEL 5.3)
12:11 < dazo> (it's found in the EPEL btw)
12:19 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
12:26 < multiverse> dazo: I have openvpn-2.0.9-1.el5.rf installed
12:27 < dazo> multiverse: I would recommend you to trace down the 2.1_rc15 package then ... CentOS 5.3 should be able to handle RHEL 5.3 EPEL packages pretty well
12:28 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:32 < multiverse> dazo: is that release pertinent to the howto posted by reiffert?
12:34 < dazo> multiverse: well, 2.1 RC15 is quite a bit newer (and also just as stable) and does also contain several bugfixes ... so running the latest version everywhere will help avoid some troubles
12:34 -!- rreyes [n=rodrigo@76-222-222-201.adsl.terra.cl] has joined ##openvpn
12:34 * dazo needs to drive and pick up wife ... back tomorrow
12:35 < rreyes> hi all... has anyone tried to use vpn for accessing a sonicwall NSA 2400 VPN?
12:36 < reiffert> yes.
12:40 -!- viric [n=viric@62.57.137.96] has joined ##openvpn
12:40 < viric> Hello!
12:40 < viric> I'd like to use openvpn...
12:40 < viric> I have a machine with a public IP, which could run openvpn
12:40 < viric> And I have two machines, behind NAT, which should be in the same "network". I want them to connect to the public machine openvpn
12:41 < viric> with openvpn
12:41 < viric> Is it possible that the openvpn instance in the public machine doesn't put traffic into any tun or tap device?
12:41 < viric> I've seen "--dev null" as an option, but I don't understand if it's anything I'd need.
12:44 < Bushmills> viric, but you want the server to send and receive traffic through tun0, that's how the clients talk to the server
12:45 < viric> that's how the server talks with the rest of the network layer of the OS
12:45 < viric> as far as I understand.
12:45 < viric> The clients will have their tun device, sure.
12:46 < Bushmills> on both sides are tun devices. those act as virtual NICs; through those, server and clients can have ip addresses in the same network
12:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:47 < viric> mmm
12:47 < viric> maybe I can simply setup UDP 'nat' in the public network
12:47 < viric> And then I don't have to run any openvpn program in the public server.
12:48 < viric> in the public *machine* I mean.
12:49 < Bushmills> sure, if that suits your cause
12:50 < rreyes> reiffert: Any advice on where to start?
12:50 < rreyes> any tutorial?
12:51 < Bushmills> on page 1?
12:51 < viric> Ok, I'll go for the iptables manual.
12:52 < rreyes> Bushmills: Funny... any tutorial on how to use vpn for accessing a sonicwall NSA 2400 VPN?
12:52 < viric> mmm no, that doesn't fit my case.
12:52 < viric> :(
12:52 < Bushmills> oh, ok. i read it as "any advice on where to start any tutorial" :D
12:52 < rreyes> Bushmills: :D
12:54 < viric> rreyes: there is a howto
12:55 < rreyes> viric: Really? Where can I find it?
12:56 < viric> for openvpn?
12:56 < viric> http://openvpn.net/index.php/documentation/howto.html
12:56 < vpnHelper> Title: HOWTO (at openvpn.net)
13:00 < reiffert> rreyes: !howto
13:00 < reiffert> rreyes: start at the howto.
13:01 < viric> so
13:01 < viric> I think that what I want is some kind of udp forwarder, which I can't implement with iptables
13:02 < viric> If I knew how to search, whether anyone wrote that...
13:09 < reiffert> so .. what is it that you want?
13:13 < viric> I have two machines behind NAT
13:13 < viric> I want them to meet with openvpn, when one of them wants.
13:15 < viric> Additionally, I have a public machine available, but I don't want unencrypted traffic to go through it.
13:15 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
13:15 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
13:16 < viric> So I think of writing a program for the public machine which will forward data between two udp ports
13:16 < viric> The destination of those udp ports will be the address of the latest received packet.
13:17 < reiffert> I cant imagine what you are trying to establish... just too specific sentences.
13:17 < viric> machineA connects to the public machine udp port (where the 'forwarder' listens)
13:17 < reiffert> try to step away from examples.
13:17 < viric> machineB connects to the public machine udp port2 (where the 'forwarder' listens)
13:17 < viric> reiffert: ?
13:18 < reiffert> I cant follow you.
13:18 < viric> I've seen some nat-traversal programs... but none of the machines behind NAT have a firewall with a static public address
13:18 < viric> Mmm
13:18 < viric> Do you understand my problem, before trying to understand the only solution I thought of?
13:19 < viric> :)
13:19 < reiffert> no.
13:19 < viric> ok
13:19 < viric> I have two machines, behind NAT. The public address of both NAT firewalls isn't static.
13:19 < reiffert> I dont understand this.
13:19 < viric> oh.
13:19 < Bushmills> viric, running openvpn on the public machines sounds pretty much like what you want.
13:19 < viric> Bushmills: the public machine isn't safe.
13:20 < Bushmills> (and set up the two peers as openvpn clients)
13:20 < viric> reiffert: what don't you understand? any word?
13:21 < viric> Bushmills: I don't trust the processes in the public machine
13:21 < viric> Bushmills: so I'd prefer there to be nothing unencrypted.
13:22 < reiffert> viric: I do understand the words: two, NAT, public address, firewall. I do not understand if those two machines are in the same subnet and so on.
13:22 < viric> reiffert: those machines are behind two different NAT machines, the internet being in the middle of the NAT firewalls
13:22 < reiffert> viric: now we come closer to what my crystal ball would have told me.
13:22 < viric> machine1 -- firewall -- internet -- firewall2 -- machine2
13:23 < viric> Sorry, I didn't mention the internet.
13:23 < reiffert> for me it pretty much looked like:
13:23 < viric> I want a vpn between machine1 and machine2. Same net, not the same subnet.
13:23 < reiffert> machine1 --
13:23 < reiffert> machine2 |-- firewall
13:23 < reiffert> but however, machine1 -- firewall -- internet -- firewall2 -- machine2
13:23 < viric> ok, sorry.
13:24 < reiffert> two options:
13:24 < reiffert> take bushmills' advice, let openvpn server run on an internet machine
13:24 < viric> I have a public machine in the internet, whose address doesn't change, and I don't trust its processes.
13:24 < reiffert> tell firewall1 to portforward udp/1194 to machine1 and let the openvpn server run on machine1.
13:25 < viric> reiffert: machine1 doesn't know the address of firewall2, and machine2 doesn't know the address of firewall1
13:25 < Bushmills> (doesn't comply with requirement " want them to meet with openvpn, when one of them wants.")
13:25 < viric> because the firewalls don't have static addresses
13:25 < reiffert> viric: solve this by using dyndns or similar.
13:25 < reiffert> Bushmills: meet with whom?
13:26 < viric> and I may not have access to the firewall configuration
13:26 < Bushmills> was one stated requirement, further up
13:26 < reiffert> viric: have fun writing your whatever program.
13:26 < viric> yes.
13:26 < viric> :D
13:26 < Bushmills> but client can't initiate communication if server on the other end isn't online
13:27 < viric> Bushmills: fine.
13:27 < viric> Whenever a machine goes online, it should be reachable for any vpn.
13:27 < viric> I think I can achieve that with a user program forwarding udp packets.
13:27 < Bushmills> for *any* .. you're sure about that?
13:28 < Bushmills> such as "your vpn can be reached by mine when it is online"
13:28 < viric> for any "vpning", I mean. So if machine1 is up, machine2 should be able to start the openvpn. And also the other way round.
13:28 < Bushmills> do you have a lot of pr0n which i can download?
13:28 < viric> ? :)
13:28 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
13:29 < Bushmills> that's a new meaning of "vpn", namely "virtual public network"
13:30 < viric> I'd like as if both machines are in the same net, through the interne.
13:30 < viric> internet.
13:30 < Bushmills> do reiffert's suggestion 2
13:31 < viric> It's like an ipsec tunnel configuration, but I simply don't know the remote addresses. But I have a machine, whose address I know, and can be a forwarder.
13:32 < viric> Of the two firewalls... One of them, I cannot touch. The other, isn't always the same. As... it could be any firewall.
13:32 < Bushmills> put client behind the one you can't touch
13:32 < viric> connecting to what?
13:33 < Bushmills> to server on the other peer
13:33 < viric> the other peer is a mobile station, which can be behind some firewalls.
13:33 < viric> In the sense... not always the same firewall.
13:33 < viric> I could make it update a dyndns hostname.
13:34 < Bushmills> get a trustworthy machine with a public ip address
13:34 < viric> but nevertheless... I don't think I can manipulate the other firewall.
13:34 < viric> Bushmills: :) ok
13:34 < viric> First I'll program a bit. I think I can get it working.
13:34 < viric> without trusting anything.
13:35 < viric> but my machines.
13:36 < Bushmills> run an encrypted tunnel through a tunnel. have the outer tunnel go through the public machine
13:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
13:37 < viric> ah, yes.
13:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
13:37 < viric> that can also work.
13:39 < viric> I don't know how to do that with openvpn..
13:39 < Bushmills> i'd think of openvpn as the outer tunnel
13:40 < viric> and the inner?
13:40 < Bushmills> but what to use for inner tunnel, no idea. would have to look for something myself
13:40 < viric> ok.
13:40 < viric> ipsec would be fine.
13:40 < reiffert> or use a socks proxy
13:41 < Bushmills> probably something very simple should do
13:41 < viric> nowadays I'm using ssh tunnels with a socks proxy
13:41 < viric> but as that goes using TCP, it isn't very reliable.
13:41 < viric> moreover, given the good connection I have with my ISP.
13:41 < viric> I thought I could get it better with openvpn
13:42 < Bushmills> i might look at vtun, whether that's suitable as inner tunnel
13:42 < viric> ok.
13:43 < viric> thank you!
13:43 < Bushmills> np. gl.
13:43 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
13:43 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
13:52 < ecrist> Boats and Hos
13:53 < ecrist> Bushmills: tunnels in tunnels is bad, mmkay?
13:54 < Bushmills> don't run openvpn over pppoe
13:54 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
13:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
13:56 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
14:01 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
14:01 -!- muh2000 [n=muh2000@pc010.whatismyipv6.info] has joined ##openvpn
14:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
14:06 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
14:07 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
14:14 -!- bandini [n=bandini@host75-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
14:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)]
14:20 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
14:26 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
14:30 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
14:30 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
14:34 -!- project2501a [n=gmarseli@msend2.ebuyer.com] has quit [Read error: 60 (Operation timed out)]
14:41 < viric> Bushmills: I finally wrote the udp forwarder
14:41 < viric> it works fine
14:45 < freaky_t> is there any openvpn client for windows xp SP3?
14:45 -!- Timpa [i=timpa@193.13.142.250] has quit ["Reconnecting."]
14:45 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
14:49 -!- jeiworth [n=jeiworth@189.234.82.49] has quit [Operation timed out]
14:51 < xattack> freaky_t: it's supposed openvpn works fine in all versions of windows
14:51 < freaky_t> no
14:51 < freaky_t> i mean the openvpn gui
14:52 < freaky_t> and openvpn
14:52 < freaky_t> it doesnt work with winxp SP3
14:52 < freaky_t> can anyone help me?
14:53 < xattack> freaky_t :which version of openvpn gui are you using ?
14:53 < freaky_t> http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
14:53 < reiffert> use a recent openvpn. 2.0.9 is ancient.
14:54 < freaky_t> this is the current stable oO
14:54 < xattack> freaky_t :try this page http://www.openvpn.net/index.php/downloads.html
14:54 < vpnHelper> Title: Downloads (at www.openvpn.net)
14:55 < xattack> there's a couple of new versions which you can try
14:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection]
14:55 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
14:56 < freaky_t> ok thanks xattack
15:00 < freaky_t> xattack it also doesnt work. the user is missing many menu entries
15:00 < freaky_t> context menu entries
15:00 < freaky_t> in the openvpn guy
15:00 < freaky_t> gui
15:01 < xattack> freaky_t:now , which version are you using?
15:02 < xattack> ?
15:03 < freaky_t> http://www.openvpn.net/release/openvpn-2.1_rc15-install.exe
15:03 < freaky_t> the current development version
15:04 < freaky_t> xattack wait ill show u a picture
15:04 < freaky_t> im using windows vista btw for me it works just not for the friend with windows xp sp3
15:04 < freaky_t> www.cmaass.de/isaberso.JPG
15:04 < freaky_t> here
15:05 < freaky_t> that's how the client context menu looks
15:05 < freaky_t> he installed everything
15:06 < xattack> mmmm, does he have an administrator account on that computer ?
15:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 15:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 15:07 < freaky_t> he has admin access but wait 15:07 < xattack> ok 15:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 15:09 < freaky_t> xattack the user as which hes installing openvpn has admin rights he says 15:09 < freaky_t> any other ideas? oO 15:10 < xattack> no , to be honest with you , i dont know , im using the same OS and the same SP and im not having problems with ovpn ..... .... 15:11 < krzie> !logs 15:11 < vpnHelper> krzie: "logs" is is please pastebin your logfiles from both client and server with verb set to 6 15:11 < freaky_t> wait 15:12 < freaky_t> he says that when trying to install it says the tap device is incompatible im waiting for him to tell me the exact error message 15:12 < krzie> hes not in the channel? 15:12 < freaky_t> where is the log from the client? 
15:12 < freaky_t> no wait 15:12 < freaky_t> ill ask him to join 15:12 < xattack> ok 15:12 < freaky_t> hes not that good in english 15:13 < freaky_t> these are the errors: 15:13 < freaky_t> http://www.cmaass.de/openvpn.png 15:13 -!- Stone[t] [n=stone@pD9E672A2.dip.t-dialin.net] has joined ##openvpn 15:13 < freaky_t> hey Stone[t] ;D 15:13 < freaky_t> there he is 15:13 < freaky_t> oh Stone[t] that error is ok i think 15:13 < freaky_t> just click Installation fortsetzen 15:14 < Stone[t]> hi 15:14 < krzie> thats not errors 15:14 < freaky_t> yea 15:14 < krzie> thats just a picture of him needing to install the driver 15:14 < freaky_t> yea it says that the driver failed the windows compatibility test or whatever 15:14 < krzie> no shit, cause they didnt pay microsoft 15:14 < freaky_t> ok simply install it stone 15:15 < krzie> and why should they 15:15 < freaky_t> yea ;D 15:15 < krzie> just install it 15:15 < freaky_t> he has reinstalled openvpn several times now 15:15 < freaky_t> krzee do u think theres anything in the client logs? 15:15 < krzie> how would i know? 15:16 < krzie> from what ive seen he hasnt even tried to run it, and i dont read minds 15:16 < freaky_t> maybe u've seen his pic http://www.cmaass.de/isaberso.JPG there is almost nothing listed in the context menu of the openvpn gui 15:17 < freaky_t> no connect or whatever 15:17 < freaky_t> so i thought maybe the gui cant find openvpn 15:17 < freaky_t> but he said he installed everything from the installer 15:17 < freaky_t> Stone[t] can you find any logs? 
15:17 < xattack> freaky_t:usually logs are in in the directory where openvpn is installed 15:17 < Stone[t]> one moment 15:17 < freaky_t> Stone[t] the logs should be in the openvpn directory 15:17 < freaky_t> xattack ok thanks hes looking for it 15:18 < Stone[t]> no errorlogs 15:18 < xattack> fille tanke 15:19 < freaky_t> ok he cant find error logs 15:19 < freaky_t> :((( 15:19 < xattack> mmm , so no erros logs ..., could he paste the complete path where he look for that logs , please? 15:20 < freaky_t> Stone[t] you should tell us the complete path where you're looking for the logs 15:20 < Stone[t]> \OpenVPN\log \OpenVPN 15:20 < Stone[t]> and in all other folders... 15:20 < freaky_t> Stone[t] the complete path 15:20 < Stone[t]> C:\Programme\OpenVPN... 15:21 < freaky_t> ok 15:21 < xattack> ok 15:23 < freaky_t> so any ideas? :\ 15:25 -!- bandini [n=bandini@host75-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)] 15:25 < xattack> well mmmmmm, i guess the problem is in your system, you could try to install it in the windows safe mode and see what happens , but that not a solution at all , i mean as i told you i have at this moment the same plataform and verision that your friend and it's working fine , may be something in your windows get fu****d .......may be reinstalling it (the OS) or you can try ms tech support in order to verify that all is working fine in you OS 15:25 < xattack> ...but that guys always lacks! 15:26 < xattack> good luck...see ya 15:26 -!- xattack [i=xattack@132.248.108.239] has quit [] 15:26 < Stone[t]> hm... 
15:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:43 -!- Stone[t] [n=stone@pD9E672A2.dip.t-dialin.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 15:48 < multiverse> reiffert: thanks for the help, I got it working 15:48 < multiverse> dazo: thanks for the help, I got it working 15:52 < freaky_t> ok i think we'll not use openvpn 15:52 < freaky_t> because nothing is working and im trying since 1 week 15:53 < freaky_t> thank you for all your help ;D 15:53 < krzie> im still waiting for someone to actually say what the problem is 15:53 < krzie> lol 15:53 < krzie> but that works too 15:54 < freaky_t> i have thousand of problems 15:55 < freaky_t> samba doesnt work 15:55 < freaky_t> my friend cant connect to the vpn 15:55 < freaky_t> i dont understand why im getting some subnet mask 15:55 < freaky_t> it says dhcp server is at 10.8.0.5 but i dont run any dhcp server 15:55 < krzie> samba is not openvpn related 15:55 < freaky_t> 10.8.0.5 is also not pingable 15:55 < krzie> for why its .5 you need to understand !/30, it is doing exactly what it should 15:55 < krzie> it should NOT be pingable 15:56 < reiffert> :) 15:56 < krzie> its internal, and can be done differently if using 2.1 by reading !topology 15:56 < freaky_t> krzee i cant see anyone in the network 15:56 < krzie> and for why he cant connect, i still havnt seen any logs 15:56 < freaky_t> he doesnt have any logs 15:56 < freaky_t> look at the picture! 15:56 < krzie> thats cause your wins isnt setup right, i remember saying that many times now 15:56 < krzie> fuck the picture 15:57 < freaky_t> at the picture there is no Connect menu entry 15:57 < krzie> tell him to enable logging then 15:57 < freaky_t> how should anything be logged 15:57 < freaky_t> krzee and i dont know how to set up wins 15:57 < krzie> LOL, windows users 15:57 < freaky_t> if its not working 15:57 < krzie> "it doesnt say connect, what do i do!?" 
15:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 15:57 < freaky_t> it has NO entries. only about and quit. 15:58 < krzie> it doesnt say connect cause his config isnt in the right place with .ovpn file extension 15:58 < freaky_t> my openvpn has connect/edit config/show status etc. 15:58 < freaky_t> that's missing and it seems like openvpn gui doesnt find openvpn maybe that's why all the entries are missing 15:58 < krzie> maybe because the files arent in the right places with the right file extension, like i just said 16:00 < freaky_t> and even if he can connect we still can't see each other on the network. i let samba run as WINS and set WINS server to 10.8.0.1 on my network card options (client) if i then try to ping "master" which should be the netbios name of the server it starts pinging some server at gts7.westmaster.com if i then set the network card to be private network on it it pings a IP of my server but not the main 16:00 < freaky_t> IP where the openvpn server listens 16:01 < freaky_t> also the network card isnt private per default i need to manually set it every time 16:02 < krzie> "network card isnt private per default" 16:02 < krzie> huh? 16:02 < freaky_t> the network behind it 16:02 < krzie> i have no clue what you're saying 16:02 < freaky_t> in windows vista at the network center where u see all your connections it says the network behind the openvpn adapter is public - when i change it to private it pings some other ip of my server 16:03 < krzie> oh lol 16:03 < krzie> vista is so gay 16:03 < krzie> im way glad ive never had to use it 16:03 < krzie> and i never will 16:03 < krzie> hey reiffert you here? 16:03 < freaky_t> :( 16:11 < reiffert> playing with my PCI Wifi card 16:12 < krzie> werd 16:12 < krzie> i got my osx86 box up, very happy =] 16:12 < krzie> turns out i needed an external vid card 16:12 < reiffert> successfully managed to make it play as WPA client. 16:12 < krzie> nice, wpa_supplicant? 
16:12 < reiffert> yeah, after some driver hell in the linux kernel 16:13 < krzie> patched it up for reinjection? 16:13 < reiffert> as you might know they were changing all wifi API's three times in the last couple of month 16:13 < reiffert> dunno yet, thats the next thing on my list 16:13 < freaky_t> krzee u were right it was .ovpn i forgot to tell him that he has to change it from .conf 16:13 < krzie> werd, you used aircrack before? 16:15 < krzie> reif, if not feel free to ask me if you get questions after you get all patched up 16:16 < krzie> i used to help a lil in their chan 16:16 -!- znh [n=znh@unaffiliated/znh] has joined ##openvpn 16:16 < znh> Hello lads :) 16:16 < krzie> i dont really help with that anymore, but would be happy to help you of course 16:16 < reiffert> aircrack before, configuring the WEP and open Accesspoints around my place, so that I have a free Wifi CHannel. 16:16 < krzie> nice 16:16 < znh> I'm using OpenVPN (server: win2k3) and experiencing high latency with protocols such as IRC. 16:17 < krzie> oh and reif, you have experience with bc relays right? i think freaky_t could use help with making one instead of using wins if you do 16:17 < krzie> znh, 16:17 < krzie> !configs 16:17 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:17 -!- jeiworth [n=jeiworth@189.163.140.114] has joined ##openvpn 16:17 < reiffert> bcrelay -i eth0 -o tun0 16:17 < reiffert> bcrelay -o eth0 -i tun0 16:17 < freaky_t> reiffert when do i have to execute that? 16:17 < reiffert> when eth0 and tun0 is up 16:18 < freaky_t> so it automatically does that 16:18 < znh> krzie, i'd rather not. My photo memory can answer all your questions :) 16:18 < freaky_t> do i have to do it after every reboot? 
16:18 < krzie> znh, well hopefully it can guess my questions too, cause i dont feel like asking them all 16:19 < krzie> but basically, make sure you're using udp, with compression, and check your MTU and make sure you dont have MTU settings messing anything up 16:19 < krzie> and good luck =] 16:20 < reiffert> doh 16:20 < reiffert> Authentication with 00:24:fe:01:bc:1f timed out. 16:20 < reiffert> Association request to the driver failed 16:20 < krzie> locked to the chan? 16:20 < reiffert> but it was working minutes ago ... 16:20 < reiffert> bound to 192.168.179.25 -- renewal in 375469 seconds. 16:20 < krzie> i believe thats done with iwconfig 16:21 < reiffert> wlan0 IEEE 802.11bg ESSID:"breadboard" 16:22 < znh> I love the SSID 16:22 < freaky_t> reiffert how do u run these commands? i mean did u put them in some file to automatically start the relaying? 16:22 < reiffert> freaky_t: I were using them when playing around on pptp, so a totally different piece of vpn software 16:22 < krzie> freaky_t, test them manually, if it works how you want run them in an up script 16:22 < reiffert> do as krzie says 16:23 < krzie> reiffert, does he only need that on the server? 16:23 < reiffert> good question. 16:24 < reiffert> Associated with 00:24:fe:01:bc:1f 16:24 < reiffert> WPA: Key negotiation completed with 00:24:fe:01:bc:1f [PTK=CCMP GTK=TKIP] 16:24 < reiffert> CTRL-EVENT-CONNECTED - Connection to 00:24:fe:01:bc:1f completed (auth) [id=0 id_str=] 16:24 < krzie> woohoo! 16:24 < freaky_t> ok ill test it now 16:24 < reiffert> http://snap.reifferscheid.org/1242163470.png 16:25 < reiffert> bound to 192.168.179.25 -- renewal in 335713 seconds. 16:25 < reiffert> doesnt look that stable to me. 16:26 < reiffert> now I'm online via WPA wifi 16:26 < viric> How do you usually start openssh for it to rest in background? 16:26 < viric> openvpn I mean 16:26 < krzie> openssh? 
16:26 < reiffert> sshd & 16:26 < viric> :) 16:26 < krzie> ahh 16:26 < krzie> --daemon or put daemon in the config 16:26 < viric> as non root? 16:26 < krzie> you MUST start openvpn as root 16:26 < viric> really? 16:26 < krzie> you can drop privs after 16:27 < viric> mmm 16:27 < krzie> it adds routes and changes if stuff 16:27 < viric> ah yes for the routes. 16:27 < krzie> and to set ips and whatnot... 16:27 < viric> right. 16:27 < freaky_t> im running both bcrelay commands atm. how do i test if it works? ping master says it cant find host. and trying to access \\10.8.0.1\\ also doesnt work 16:27 < viric> ok. 16:27 < krzie> and hopefully to read your keys, which should only be readable by root... 16:27 < viric> :) 16:28 < freaky_t> i can connect to a friend 16:28 < viric> ok. 16:28 < reiffert> Now I switched from psk="plaintext" to psk=whatwpa_passphrase puts out, and it associates with the AP within milliseconds. 16:28 < viric> openvpn won't die unless something very bad happens, right? 16:28 < reiffert> allright, time to hack the neighbour-LAN, I saw his WPA password last time on his router. 16:29 < viric> so I can simply start it once at the boot scripts 16:29 < krzie> catching the 4-way handshake can be a PITA 16:30 < krzie> but its easy to do, just need really good signal and a few tries 16:30 < reiffert> krzie: I already saw his password. 16:30 < reiffert> krzie: after some disassoc requests and some time you'll pretty soon get the 4 data packets. but what follows is just password attack 16:30 < freaky_t> if i have server 10.8.0.0 255.255.255.0 in the server.conf ... i get 10.8.0.6 and a friend gets 10.8.0.14 ... are we in different subnets? i dont think so? oO 16:31 < freaky_t> windows file sharing should work or? 
16:31 < krzie> right but you said you wanna hack it, makes me think you mean you wanna capture his 4-way handshake and put his PW in your brute force dict file 16:32 < reiffert> I should gain access to his wifi, his LAN will be the next target 16:34 < reiffert> WPA: 4-Way Handshake failed - pre-shared key may be incorrect 16:34 < reiffert> hrmn 16:34 < reiffert> CTRL-EVENT-CONNECTED - Connection to 00:0c:f6:21:64:c9 completed (auth) [id=0 id_str=] 16:34 < krzie> once you have his wifi you have his LAN 16:34 < krzie> just poison the arp cache 16:34 < reiffert> 23:34:40.224435 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28 16:34 < reiffert> 23:34:41.554164 ARP, Request who-has 192.168.0.101 tell 192.168.0.1, length 28 16:35 < krzie> then run some driftnet for fun ;] 16:35 < reiffert> 64 bytes from 192.168.0.1: icmp_seq=2 ttl=255 time=3.07 ms 16:35 < krzie> watch every image go over his network on the fly ;] 16:35 < krzie> then you can play with cookie theft and whatnot if you like 16:36 < krzie> plenty of fun to be had, lol 16:36 < freaky_t> krzee doesnt work the bcrelay :( 16:37 < krzie> sux 16:39 < freaky_t> !wins 16:39 < vpnHelper> freaky_t: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 16:41 < viric> --daemon works well. Thanks :) 16:41 < krzie> yw 16:42 < viric> reiffert: here is the udp forwarder I use. It works great: http://nopaste.org/p/aLJvvzbj5 16:42 -!- megaflow [n=multiver@209.147.114.155] has joined ##openvpn 16:43 < freaky_t> brb restart 16:49 < freaky_t> krzee to let this bcast work, do i have to disable the wins server? 16:49 < freaky_t> or can it still run? 
16:50 < krzie> back to me having never ran wins, or a bc relay 16:50 < krzie> i dont use windows * 16:50 < krzie> including filesharing 16:50 < freaky_t> ok :}\ 16:50 < freaky_t> :\ 16:50 < freaky_t> sorry 16:50 < freaky_t> ^^ 16:51 -!- multiverse [n=multiver@209.147.120.138] has quit [Read error: 110 (Connection timed out)] 16:53 < reiffert> viric: looks sane. 16:54 < reiffert> viric: nah, it doesnt. 16:54 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 16:54 < reiffert> put lines before the for loop: 16:54 < reiffert> int res; 16:54 < reiffert> FD_ZERO(&readfds); 16:54 < reiffert> FD_SET(s1, &readfds); 16:54 < reiffert> FD_SET(s2, &readfds); 16:55 < reiffert> just the FD_ZERO, FD_SET ones. 16:55 < reiffert> add some error checking on bindport() 16:59 -!- baby_jeebus [n=multiver@209.147.120.138] has joined ##openvpn 16:59 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 17:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:06 -!- megaflow [n=multiver@209.147.114.155] has quit [Read error: 110 (Connection timed out)] 17:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 17:09 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit] 17:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:15 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 17:22 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 17:22 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:29 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 17:29 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:39 -!- c64zottel [n=hans@p5B17AE45.dip0.t-ipconnect.de] has quit ["Leaving."] 17:39 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:42 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the 
connection] 17:42 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:47 < feinoM> !redirect 17:47 < vpnHelper> feinoM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 17:48 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 17:48 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 17:56 -!- jeiworth [n=jeiworth@189.163.140.114] has quit [Read error: 110 (Connection timed out)] 18:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:07 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:13 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:19 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 18:37 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 18:49 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 18:49 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 19:10 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 110 (Connection timed out)] 19:11 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Remote closed the connection] 19:12 -!- Delf [n=Eldkraft@36-171-96-87.cust.blixtvik.se] has joined ##openvpn 19:14 -!- Delf1 [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has joined ##openvpn 19:26 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 19:32 -!- Delf [n=Eldkraft@36-171-96-87.cust.blixtvik.se] has quit [Read error: 110 (Connection timed out)] 19:39 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has 
joined ##openvpn 19:40 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 19:40 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 19:44 -!- baby_jeebus [n=multiver@209.147.120.138] has quit ["Leaving"] 19:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 20:05 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 104 (Connection reset by peer)] 20:06 -!- Delf1 is now known as Delf 20:14 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:22 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:22 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 20:22 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 20:27 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 20:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 20:41 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has joined ##openvpn 20:46 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 20:51 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 20:52 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:57 -!- Celsiux-Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Read error: 110 (Connection timed out)] 22:03 -!- Celsiux|Nulled [n=Nullesd@ip-67-205-89-132.static.privatedns.com] has quit [Connection timed out] 22:17 < theDoc> Question guys, what does this directive do? crl-verify keys/crl.pem 22:17 < krzie> !man 22:17 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
22:20 < theDoc> hehehe 22:39 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has joined ##openvpn 22:39 < mRCUTEO> hiya all 22:45 -!- Stanlin1 [n=steelgun@89.250.5.159] has joined ##openvpn 22:45 < Stanlin1> HALP!!! 22:46 < Stanlin1> how to get the list of the sessions that are open? 22:47 -!- mRCUTEO [i=cuteo@ns.dave.sidma.edu.my] has quit [] 22:49 -!- albech_ [n=albech@119.42.76.84] has joined ##openvpn 22:57 < theDoc> Stanlin1: Try /etc/openvpn/openvpn-status or something :) 22:58 < Stanlin1> theDoc: thank you doctor 22:58 < Stanlin1> ill try now 22:59 < krzie> theres also a signal to update the status file 22:59 < krzie> theres also a management interface you can telnet into if you set it up 23:01 < Stanlin1> cat: /etc/openvpn/openvpn-status.log: Permission denied 23:01 < krzie> be root 23:01 < krzie> or use sudo 23:01 < Stanlin1> krzie: what is that management tool? 23:01 < Stanlin1> yeah, i can be root, but i need to delegate to normal users 23:02 < krzie> its not heavily documented, but its in the manual 23:02 < krzie> and its CLI only 23:02 < theDoc> Stanlin1: chmod 744 23:02 < theDoc> is your friend. 23:02 < krzie> why would you need normal users to see the status file? 23:03 < Stanlin1> krzie: i want a normal user, to connect to a remote client, however he doesnt know the remote client opened in the VPN server, how he can know the current list of IP's available for connection? 23:04 < theDoc> Stanlin1: Why should he know? 23:04 < theDoc> You can configure an avaliable pool of ip's for use. 23:04 < theDoc> ccd is your friend too. 23:05 < Stanlin1> well the remote user opened an OpenVpn conextion to the ServerA, now the user in ServerA wants to SSH into the remote computer? 23:06 < Stanlin1> openvpn opened an session with an ip like 10.9.4.45 to the serverA, the user on ServerA needs to SSH 10.9.4.45, but the problem is, how does he know that ip? 23:06 < theDoc> Stanlin1: Why don't you look into reverse ssh for that? 
23:06 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 23:06 < krzie> !static 23:06 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 23:06 < krzie> machines that will be connected to should have static ips 23:07 < krzie> kinda like in your home or office network 23:07 < theDoc> krzie: I run dhcp everywhere :p 23:07 < Stanlin1> but i cant use static, many users will connect at the same time, generating ramdom ips 23:07 < theDoc> Stanlin1: How many users? 23:07 < krzie> umm 23:07 < Stanlin1> 100 at the same time, from everywhere 23:07 < krzie> that doesnt matter 23:07 < krzie> its not based on when 23:07 < krzie> its based on who 23:08 < krzie> bbl 23:08 < Stanlin1> so how the ServerA operator, know the 100 ip's? 23:08 -!- albech_ [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 23:11 < theDoc> Sorry, was sending out emails about ospf fucking up ^^; 23:11 < pekster> Personally I'd look at either static IPs for each CN connecting (not sure if that's based on the cert or auth user in your case), or do something like create a *.vpn.yourcompany.com DNS subdomain that the VPN server owns and have it update records when clients connect, so like jdoe.vpn.yourcompany.com resolves to that client's IP 23:13 < Stanlin1> mhhh, i just need something line 23:13 < Stanlin1> what is the name of the CLI for openvpn? 23:13 < pekster> "the CLI" ? 23:14 < Stanlin1> ermm.. okey... 23:14 * Stanlin1 types cli ..... waits.... nothing happens 23:15 < pekster> What are you referring to when you ask for the CLI for openvpn? My openvpn is at /usr/sbin/openvpn since it was compiled to go there. Or do you mean the management interface over telnet? 23:15 < Stanlin1> well im looking for anything at /usr/sbin as normal user.... 
nothing showing up 23:16 < pekster> On a Unix-like system I presume? By convention binaries are owned by root:root, and usually have mode 755 so anyone can run them 23:16 < Stanlin1> centos 23:16 < Stanlin1> ok found it 23:16 < pekster> 'which openvpn' should help there 23:17 < Stanlin1> found it /usb/sbin/openvpn --list-connections 23:18 < Stanlin1> dang no such option 23:18 < Stanlin1> what is the option to get the connections list 23:19 < pekster> There is none. If you have set your configuration to generate a status file you can find a list of active connections in that file, or if you have the management interface enabled you can telnet to it and query the connections that way 23:20 < pekster> Or you can send a SIGUSR2 to the openvpn process and it will send the status output to the logging facility as configured in the openvpn configuration (and potentially sending it to your system logger unless you redirected output to a file) 23:20 < pekster> All of which is described very well in the manpage 23:20 < Stanlin1> ok ill figure out 23:20 < Stanlin1> i guess 23:21 < Stanlin1> chmod 744 23:21 < pekster> Try searching for the --status option, the text "SIGUSR2" or the --management options for starters 23:21 < pekster> (in the manpage, in case that wasn't clear) 23:21 -!- slestak [n=sromanow@c-71-205-162-193.hsd1.mi.comcast.net] has joined ##openvpn 23:22 < pekster> And executables are usually 755 so that people other than root may run them 23:22 < pekster> Otherwise _only_ root will be able to run them (or whoever the owner is) 23:26 < theDoc> Hmm, this is odd 23:26 < theDoc> ooo. 23:26 < theDoc> It's half working 23:26 < theDoc> hmac issues 23:26 < theDoc> >_> 23:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 23:31 < slestak> does this sound like an appropriate use for openvpn? i cannot vpn (cisco ssl vpn) from favorite wifi spot to work because of ip conflict. but i can from home. 
can i use openvpn to route from wifi spot to home, bring up cisco vpn from home to work? 23:33 < theDoc> I'm wondering if I should implement HMAC for openvpn. 23:33 * theDoc frowns. 23:34 < pekster> slestak: That would work, sure. Or talk the admin at the office to use a different IP range less likely to conflict with public wifi 23:35 < pekster> theDoc: HMAC issues? Unless you're willing to trade authenticity for a resolution to your problem turning it off is usually a Bad Idea 23:35 < slestak> pekster: the range that conflicts is our largest division, i think i'll get plenty of kickback 23:35 < pekster> Yea, I sort of figured 23:36 < pekster> Your other option would be a VM or something, so your VM doesn't conflict with the wifi even though your host does 23:36 < theDoc> pekster: I rent out anonymous vpn tunnels. 23:36 < slestak> i tought about that, but i use a netbook most of the time 23:37 < theDoc> pekster: I'm saying that because I'm wondering if it's too much of a hassel to be sending out ta.key files to people. 23:38 < slestak> might still be an idea, the vm. wonder if kvm would work on this atom processor 23:38 < pekster> Oh, you're talking the extra authentication - yea, I don't bother with that generally given the hassle, and it's really only useful to prevent dDoS (in which case that's not the proper solution anyway) or if you want protection in case the cipher you use is cryptographically compromised 23:38 < theDoc> Yeah, I was talking about that extra rubber padding. 23:39 < theDoc> Which would actually be too much of a bloody hassel if you ask me. 23:39 < pekster> Indeed. And I don't see the point (except perhaps to reduce the pMTU, which is a negative point IMHO) 23:39 < theDoc> I don't reckon you can make openvpn work without the ca.crt file eh? 23:40 < pekster> Not unless you use static (non-TLS) encryption, and then you only get 2 hosts and no perfect-forward-secrecy 23:40 < theDoc> Yeah, that's a bitch. 
23:40 < theDoc> I'll force a roll out of ca.crt. It's just one fucking file anyway. Clients with a clue can deal with it ;p 23:40 < pekster> You can get by without client keypairs if you have a user-auth-pass script, although then you're trusting that authentication with your network access 23:41 < theDoc> pekster: I use that. It's really too much of a hassel for end users to be using certs and stuff, when half of them don't even know what it's for. 23:41 < theDoc> ;( 23:41 < theDoc> So the easy way out would be to use a user/pass. 23:42 < pekster> If you already have the authentication infrastructure (Active Directory, RADIUS, LDAP, whatever) in theory it's all logged & audited there too, not that an audit does much good after some idiot used p@ssw0rd as the credentials 23:43 < pekster> Strong passwords, good social policies, employee training, and required password changes can help there 23:44 < pekster> Tehnical limits sort of help, but take the Active Directory "complexity requirements" - the password "Password1" meets those as it has upper/lower/number (no need for a symbol since you have the other 3 categories) 23:44 < pekster> Clearly social policies are also important to prevent that 23:44 < theDoc> Indeed. 23:44 < theDoc> pekster: Security is all encompassing. 23:45 < theDoc> It's not just big evil passwords 23:45 -!- slestak [n=sromanow@c-71-205-162-193.hsd1.mi.comcast.net] has left ##openvpn [] 23:47 < pekster> Sure, but evil-doers take the easy way out. Why break into a safe when someone will happily give you the combination if they think you're there to help. Humans are frequently the weakest element, and thus security systems need to be designed with that in mind. Such is the danger of using --client-cert-not-required with OpenVPN, although it does save headache deploying, installing, and maintaining employee certs 23:48 < theDoc> pekster: Unfortunately, that's the case. 
23:49 < theDoc> pekster: There has to be a trade off between usability and security. 23:51 < Stanlin1> dammit openvpn aint working 23:52 < Stanlin1> oh this is ridiculous 23:52 < Stanlin1> i cant SSH if im not a root 23:53 < theDoc> Hm, anyone knows where the openvpn config file is stored in gnome-network-manager? 23:53 < pekster> Perhaps ##linux or #centos would be better suited to that 23:53 < Stanlin1> lol i can 23:53 < Stanlin1> sorry im the idiot one 23:54 < Stanlin1> it was ssh root@windows7.storage.microsoft.com 23:54 < Stanlin1> i forgot to add, "root" 23:54 < pekster> theDoc: Heh, a co-worker who uses Ubuntu spent quite a while hunting that down; IIRC there's some config burred in the gnome configuration file that you can access with gconfmanager or whatever it's called 23:55 < theDoc> Jesus :p 23:55 < pekster> TBH I think NetworkManger can rot and be eaten by crows, especially for the crappy OpenVPN support, but if you get it working all the better 23:56 < theDoc> pekster: Yeah, I'm not sure why it refuses to read from /etc/openvpn/client.conf 23:56 < theDoc> :) 23:56 < pekster> It uses its own leet configuration 23:56 < pekster> Almost as bad as using a registry under "other" OS's 23:56 < theDoc> Yeah, this is a horror. 23:56 < pekster> Try a serach for openvpn in the gnome configuration manger app and that should get you started anyway 23:57 < pekster> Or just go back to using a terminal :P 23:57 * pekster likes his '/etc/init.d/openvpn.home start' syntax 23:57 < theDoc> lmao, I just want to click my way through this. 23:57 < theDoc> pekster: Since this is like, making it work for end users, I wouldn't expect a single one of them to find their way around a console. 
23:58 < Stanlin1> thank you guys, have a lovely evening 23:59 < pekster> Or just write a wrapper that uses python or something to draw a user/password prompt and feed it to the openvpn process --- Day changed Wed May 13 2009 00:00 < pekster> Add 2 buttons to the window-manager app bar for "connect" and "disconnect" and call it good 00:00 < theDoc> pekster: I'm no programmer :p 00:06 < pekster> Google can probably give you what you need for a simple user: password: prompt, and then just write it to /dev/shm or somewhere sane, chmod 600, feed it to openvpn via the --auth-user-pass option and then destroy it 00:07 < pekster> Time for me to grab some sleep. Good luck! 00:45 -!- Stanlin1 [n=steelgun@89.250.5.159] has left ##openvpn [] 01:03 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn 01:24 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 01:24 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 01:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 01:35 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 01:41 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 01:42 < dan__t> Hi. 01:42 < dan__t> Welp, its been fun. 01:43 < reiffert> moin 01:43 < dan__t> I appreciate all your help, especially you krzie and reiffert and ecrist 01:43 < dan__t> Looks like this customer decided to stop funding my project. 01:44 < dan__t> I just moved, so I'll need a bit to find all my code and assemble it, but I'll hand it over to you all shortly. 01:44 < theDoc> dan__t: Which project is it? 01:45 < dan__t> eh automated generation of a pre-packaged Windows installer of OpenVPN 01:45 < theDoc> ah. 01:45 < dan__t> Taking the Windows source, rebuilding it with nsis while incorporating a configuration and tls keypairs 01:45 < dan__t> well, key, rather. 01:45 < theDoc> How much funding were you getting?
I could help fund it to keep it going ;p 01:45 < dan__t> Nothing fancy, but there's some neat SQL stuff in there. 01:46 < dan__t> Wasn't so much the money, but the market to sell this service to 01:46 < dan__t> And to be honest I don't think OpenVPN is the most appropriate tool for it. 01:47 < theDoc> dan__t: I think one of the biggest issues which I face as a vpn provider for end users is the whole package which they have to deal with. 01:47 -!- master_of_master [i=master_o@p549D669D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:48 < dan__t> Yea... the idea is solid from a technical perspective. Almost. 01:48 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 01:48 < dan__t> But expecting people to install some software on their machine to use said service kind of kills the idea. 01:48 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 01:48 < theDoc> dan__t: Some people can deal with it, others don't. 01:48 < dan__t> Exactly. 01:49 < dan__t> Too bad though, I fucking love OpenVPN. 01:49 < dan__t> Amazing piece of software for sure. 01:49 < theDoc> dan__t: In fact, most end users don't want to install another piece of software. Well, those who know the value of the vpn will use it, those who don't, simply don't. 01:49 -!- master_of_master [i=master_o@p549D2EF4.dip.t-dialin.net] has joined ##openvpn 01:49 < theDoc> It's pretty much like teaching people how to setup home-based routers. 01:49 < theDoc> Some people just can't do it. 01:50 < dan__t> Yes exactly - the people who understand the value of installing it. 01:50 < dan__t> Yep. 01:50 < theDoc> I'm getting quite ticked off with this customer. 01:50 < dan__t> What kind of business are you in, if you don't mind me asking? 01:50 < theDoc> They want a revamp of their network but they want me to justify buying a Cisco. 01:50 < dan__t> You provide this as a service? 01:50 * theDoc shakes a fist. 01:50 < theDoc> dan__t: Yep.
01:50 < theDoc> dan__t: on-demand vpn service. no logs, nothing. 01:51 < theDoc> You come in, pop your stuff, throw me the cash and off you go. 01:51 < theDoc> It's a don't ask, don't tell approach. 01:52 < dan__t> Understood. 01:52 < dan__t> Which geographical markets? 01:53 < theDoc> dan__t: asia for now. 01:53 < dan__t> Very nice. 01:53 < theDoc> The EU/US markets have their own ipvpn providers. I don't have to be there. 01:53 < dan__t> Mind me asking what your pricing model is? 01:53 < theDoc> dan__t: Sorry, :p I'd have to pass on that. 01:53 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 01:53 < dan__t> Understood. 01:54 < dan__t> adito looked pretty neat. 01:54 < theDoc> dan__t: I wouldn't say it's used for nefarious purposes, it's just really, would you want your details to be floating on public networks? 01:54 < dan__t> If it wasn't a wrapped-up piece of shit. 01:54 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 01:54 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn 01:54 < theDoc> dan__t: I somehow dislike ssl-browsers which claim to be vpns. 01:55 < dan__t> I had nothing but good experiences with the Juniper VPN. 01:55 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 01:55 < dan__t> Do you know of any others such as that? 01:56 < theDoc> Not really. 01:56 < theDoc> Cisco VPN is a total mess. 01:56 < theDoc> I'd avoid those. 01:56 < theDoc> What I would be interested in would be running my own mplsvpn network which carries a multitude of vpn traffic over it 02:03 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has quit [Remote closed the connection] 02:03 < dan__t> Yeah that would be pretty rad.
02:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:04 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 02:04 < theDoc> I wonder if I were to try to build something like that, how fast would it be before everyone starts screaming their heads off and yelling, ZOMG! CHILD PORN NETWORK! 02:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 02:07 < krzee> CHILD PORN NETWORK 02:07 < theDoc> I believe the stigma of vpn's in the common man's eye is that it's probably going to be used for nefarious means like child porn. 02:07 < theDoc> See, I told you. 02:07 < theDoc> >:) 02:07 < krzee> see, i disagree 02:07 < krzee> i dont think the common person thinks that 02:07 < dan__t> haha 02:07 < krzee> just the media / gov 02:07 < theDoc> krzee: Tell that to the common man in the parliament ;p 02:07 < krzee> exactly 02:07 < theDoc> If we can't see what you send, it MUST be child porn! 02:08 < krzee> they dont have that thought because they are common men, they have them because they're the gov 02:08 < dan__t> idunno, either way, I'm done. 02:08 < dan__t> heh 02:09 < krzee> done with what dan 02:12 < theDoc> All that media hype. 02:12 < theDoc> The most I can see is that the vpn is abused to bypass government filters 02:13 < krzee> but thats not new 02:13 < krzee> so can socks, ssh tunnels, etc 02:14 < krzee> by not new i meant not unique 02:14 < krzee> do you like to tell everyone everything you say? 02:15 < krzee> cause if not you understand privacy and should be able to want that on the inet if you want! 02:15 < krzee> (im not talking to you specifically) 02:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:30 < Bushmills> gpg has the reputation of being used by terrorists only. even though, german ministry of trade and economics financially supported the development, by donation. sue them for 9/11!
02:30 < Bushmills> well, scrap the "only" 02:31 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 02:33 < Bushmills> what i mean to say is, their position can not credibly be changed when a different means of secure communication is the subject. 04:12 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 04:38 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)] 04:57 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 05:17 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 06:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:09 -!- albech [n=albech@119.42.76.84] has quit [Read error: 104 (Connection reset by peer)] 07:25 -!- albech [n=albech@119.42.76.84] has joined ##openvpn 07:30 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 07:30 < ecrist> morning, fuckers 07:30 < ecrist> krzee: I suck, and haven't shipped that box yet. 07:31 < ecrist> I should send it this week. 07:41 < mattock> Can't resist taking part in the conversation :)... Child porn/terrorism/whatever is a convenient excuse to limit freedom in the internet. We have a "child porn law" here in Finland. As an end result the police has a secret list of blocked sites. Fortunately it's not mandatory for the ISP's to block those. Those who opposed the law were naturally labeled as promoters of child porn, even though circumventing the blockage is trivial for anyone with little 07:41 < mattock> ...
and now I got to split :) 07:42 < mattock> bye 07:42 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn [] 08:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 08:10 < krzee> !ssl-admin 08:10 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 08:10 < krzee> ecrist, no worries bro =] 08:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:31 -!- bassliner [n=armin@deepbass.org] has quit ["leaving"] 09:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:08 < rreyes> Hi all... I am trying to configure openVPN but I am getting a ""Please edit the vars script to reflect your configuration, then source it with "source ./vars" message even though I sourced the vars file 10:09 < Bushmills> and? 10:09 < ecrist> rreyes: I'd do what it says. 10:09 < rreyes> I did what it said and still get the message 10:10 < ecrist> did you edit the script? 10:10 < rreyes> yeap 10:10 < rreyes> I did 10:11 < Bushmills> do you source the script from the same command line where, and just before, you try to generate keys? 10:15 < rreyes> yes 10:16 < rreyes> that's what I am doing 10:16 < ecrist> despite the number of 'yes I did,' you missed something 10:16 < ecrist> rreyes: what OS you using? 10:16 < rreyes> Ubuntu 10:16 < rreyes> 9.04 10:18 < ecrist> what shell? 10:18 < rreyes> I am very new to openVPN but all I want is to connect to a Sonicwall 2400 vpn 10:19 < ecrist> rreyes: you can't use openvpn to connect to sonicwall vpn 10:19 < rreyes> mmmmm... what should I use then? 10:19 < rreyes> openswan? 10:20 < Bushmills> vpn is a generic term, almost like "program" 10:21 < Bushmills> openvpn isn't.
that's a specific implementation of a vpn 10:21 < rreyes> I see 10:21 < rreyes> mmmm... 10:21 < Bushmills> to connect to the sonicwall vpn, you'd use the client software which works with ut 10:21 < Bushmills> it 10:21 < rreyes> interesting 10:31 < theDoc> There's sslvpn, ipsec vpn and some other proprietary vpn implementations like cisco, juniper. 10:31 < theDoc> I don't think there's outright interoperability with all of them at the moment. 10:32 < ecrist> *and* ssl vpns aren't all the same 10:35 < rreyes> wow 10:35 < rreyes> ok... thanks, guys 10:35 < rreyes> I will try to use the client for windows 10:35 < ecrist> cisco has an ssl vpn, which is incompat with openvpn 10:36 < rreyes> and see if I can make it work in Linux since linux is on a VM over Windows now 10:36 < ecrist> my guess is the sonic wall vpn is a PPTP, which has an included client in both Windows and Mac 10:36 < rreyes> do you think that will work? 10:36 < theDoc> Doesn't pptp have some security flaws? 10:36 < ecrist> yes 10:37 < theDoc> The only issue with vpn implementations is the lack of multi-vendor support.
10:38 -!- rodrigo__ [n=rodrigo@76-222-222-201.adsl.terra.cl] has joined ##openvpn 10:39 < rodrigo__> in my specific case, that means I might now be able to connect directly from Linux 10:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:56 -!- rreyes [n=rodrigo@76-222-222-201.adsl.terra.cl] has quit [Read error: 110 (Connection timed out)] 11:04 -!- rodrigo__ [n=rodrigo@76-222-222-201.adsl.terra.cl] has quit [Read error: 110 (Connection timed out)] 11:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:11 -!- throughnothing [n=will@74.205.24.229] has quit ["leaving"] 11:15 -!- jeiworth [n=jeiworth@189.177.122.84] has joined ##openvpn 11:28 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 12:09 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 12:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Remote closed the connection] 12:32 -!- ke4qqq [n=ke4qqq@fedora/ke4qqq] has left ##openvpn [] 12:36 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 12:42 -!- bigjohnto [n=bigjohnt@68.147.24.5] has joined ##openvpn 12:42 < bigjohnto> vista 32bit and 64bit both need the route-exe lines in the config file correct?
12:42 < ecrist> i believe so 12:43 < bigjohnto> cool thanks :) 12:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 12:45 -!- bigjohnto [n=bigjohnt@68.147.24.5] has left ##openvpn [] 13:08 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn 13:13 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 13:16 -!- jeiworth [n=jeiworth@189.177.122.84] has quit [Read error: 110 (Connection timed out)] 13:30 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 13:32 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn 13:32 < SM2k> hey gang, been struggling with what appears to be a routing issue and openVPN 13:33 < SM2k> I'm using the openVPN server on the pfSense, and I can connect with a (linux) openVPN client, but can't reach machines behind the pfSense. 13:34 < SM2k> running wireshark I can see packets arriving at the target machine on the LAN, and responses going out. 13:35 < SM2k> so somehow the packets are being dropped on the way back out of the pfSense. I've checked the routing table and there's a proper looking route for tun1 13:36 < ecrist> pfsense... shudder 13:36 < SM2k> so my guess is I'm missing something with NAT or filter 13:36 < ecrist> my guess is you're missing an allow rule 13:37 < SM2k> well... I've tried everything I can think of in terms of allow rules. 13:37 -!- jeiworth [n=jeiworth@189.163.185.99] has joined ##openvpn 13:43 < ecrist> SM2k: pfSense is really just FreeBSD + PF + crappy web gui to manage it 13:43 < ecrist> I'd have to point you to the pfsense folks, really. 13:43 < SM2k> aye 13:43 < ecrist> I *am* proficient in FreeBSD + PF, but not their web gui 13:43 < ecrist> sorry 13:43 < ecrist> !freebsd 13:43 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 13:44 < ecrist> if you care to see how to do it for yourself. 
13:44 < ecrist> though, I don't think I cover PF in that howto 13:45 < SM2k> understood that it's a web GUI on top of the real deal. 13:49 -!- viric [n=viric@62.57.137.96] has left ##openvpn [] 14:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:22 < ecrist> SPOOOOON 14:22 -!- c64zottel [n=hans@p5B17B18F.dip0.t-ipconnect.de] has joined ##openvpn 14:31 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn 14:33 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 15:04 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 15:06 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn 15:13 < SM2k> ecrist: http://slexy.org/view/s2O5UT4HMH I'm getting that when running route monitor on the pfsense box while pinging from the openvpn client 15:13 < vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org) 15:14 < SM2k> I assume this means pfSense is doing something bizarre instead of setting up routing rules correctly... 15:30 < ecrist> SM2k: !configs and !logs would help 15:49 -!- c64zottel [n=hans@p5B17B18F.dip0.t-ipconnect.de] has left ##openvpn [] 15:57 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has joined ##openvpn 15:57 -!- SM2k [n=stu@68-25-30-233.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 15:57 < SM2k1> I've been having crappy connectivity all week due to WiMAX sucking. 
not sure if any of my posts actually made it here 16:00 < SM2k1> not sure how much of this actually posted: http://pastebin.eu/pastebin.php?show=236263 16:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 16:03 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 16:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:36 -!- SM2k1 [n=stu@68-25-30-233.pools.spcsdns.net] has quit ["Leaving."] 16:37 -!- viric [n=viric@62.57.137.96] has joined ##openvpn 16:37 < viric> Hallo 16:37 < viric> I have routing problems... 16:39 < viric> the communication between the two openvpn hosts goes fine 16:39 < viric> but between one of those hosts, and the rest of the net... bad. 16:39 < krzie> !configs 16:39 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:39 < viric> ook 16:39 < viric> thanks 16:39 < viric> I'm pasting to nopaste 16:42 < viric> http://nopaste.org/p/a7RFYiPdc 16:42 < viric> here are the routing tables 16:43 < viric> A packet from 10.0.0.1 to 192.168.0.xx in 10.0.0.1, passes into the other end's tun device, and then to the other end's br0, and then the tcp server answers back from 192.168.0.xx to 10.0.0.1, this gets into the tun device, but this doesn't reach the original end. 16:44 < krzie> i dont remember asking for the routing tables, you plan on doing what !configs said? 16:45 < krzie> you said tun, and br0 16:45 < krzie> you bridging or routing... 
16:45 < viric> both 16:45 < krzie> actually dont answer that, see !configs 16:45 < viric> but the bridge doesn't have any relationship with the openvpn 16:45 < viric> it's for qemu tap devices 16:48 < viric> http://nopaste.org/p/agGrJVrg4 now 16:51 < krzie> ya i dunno if you can do that with a ptp vpn 16:51 < krzie> use client/server and it'll work easier 16:51 < krzie> !sample 16:51 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:51 < krzie> !route 16:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:51 < viric> I'll play a bit more with my actual config 16:52 < krzie> the thing is, openvpn doesnt know about the route 16:52 < viric> should it know? 16:52 < krzie> so it gets to the tun, but openvpn doesnt route it over the tunnel 16:52 < krzie> thats why iroute exists for client/server mode 16:52 < krzie> !iroute 16:52 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 16:53 < viric> aha, here it is. I'll try 16:53 < krzie> iroute can only be used in client/server, and then only in a ccd entry for the client who has the lan 16:53 < viric> ouch. 16:53 < krzie> sample is a client/server config 16:54 < krzie> route is my walkthrough to know everything you could want about connecting lans in openvpn 16:54 < krzie> not walkthrough really, but something like that 16:54 < krzie> its not to give you your exact setup, its to teach you * about lans behind openvpn 16:55 < viric> ok 16:59 < viric> can I use '--remote' in server mode? 16:59 < krzie> do you see it in my !sample?
16:59 < viric> no 16:59 < viric> it's only in the client 17:02 < viric> :( I'd like to set up internal routing without client/server mode... 17:04 < krzie> good luck to you then 17:06 < viric> both of my openvpn machines are behind firewalls+nat, and I can't control the routing/nat in the firewalls 17:06 < krzie> so? 17:07 < viric> so I don't know how to connect to an openvpn server 17:07 < krzie> same way as now... 17:07 < viric> hummm 17:07 < viric> well. I'm using a trick. 17:07 < viric> I have a public machine available 17:08 < viric> I wrote a udp-forwarding program in that public machine. 17:08 < krzie> sounds like public machine is your server 17:08 < viric> my openvpn1 talks to the public machine, openvpn2 too, and the public machine forwards the packets conveniently as if openvpn1 and openvpn2 were connected 17:08 < viric> well... I don't trust my public machine much, and I don't want the traffic to be decrypted there. 17:09 < krzie> dunno dude 17:09 < viric> I've seen the "client-to-client" parameter 17:09 < krzie> client-to-client bypasses the kernel by letting openvpn route the traffic between clients internally 17:10 < viric> I suppose I have no choice other than running openvpn in the public machine. 17:10 < viric> and using the client-to-client 17:11 < krzie> could always get a cheap vps 17:11 < krzie> Dougy_ sells them for real cheap 17:11 < viric> vps? 17:11 < krzie> virtual private server 17:12 < viric> ah 17:12 < viric> that's the public machine I don't trust. A vps. 17:12 < viric> Maybe I should trust it more. 17:12 < krzie> basically your own machine, but many of them on 1 hardware 17:13 < viric> ok, I'll battle more tomorrow.
17:13 < viric> Thank you for your time 17:15 < krzie> yw 17:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 17:47 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:59 < reiffert> moin 18:00 < reiffert> I got openvpn running on my Cable Modem - Router, ar7 hardware, avm fritzbox 7270 18:00 < reiffert> works like a charm. Bridged setup of course (of course) :) 18:01 < reiffert> 4 port ethernet switch, bgn wifi, annex a/b DSL, ISDN and 2times analog telephone connectors. Internal Answering machine, facsimile receiving, facs. sending via remote capi. 18:02 < reiffert> 350Mhz Mipsel, 64MB Ram, 16MB Flash, and USB Connector 18:02 < reiffert> 10W Power Consumption ag 18:02 < reiffert> avg 18:06 < krzie> moin 18:06 < krzie> my osx86 box is gangster 18:06 < krzie> all hax are in the hidden EFI partition that osx ignores 18:06 < krzie> my bootloader reads * from there and prefers the stuff there to the main install 18:07 < krzie> so i can update using software update and worry about nothing 18:09 < reiffert> hax? hidden partition? why is that? 18:10 < krzie> osx isnt supposed to run on PC 18:10 < krzie> so you need special bootloader and kexts for the HW 18:10 < krzie> so my kexts and other stuff i need special for osx because of my HW are in the hidden EFI partition 18:10 < reiffert> what kind of processors do you need to run osx on x86? 18:11 < krzie> GPT spec has a 200MB EFI partition which apple never uses, but honors 18:11 < krzie> so my stuff is there 18:11 < krzie> ideally a core proc, but AMD works with voodoo and SSE2 works too 18:11 < krzie> but ideally a core proc with SSE3 18:11 < reiffert> even ancient amd athlon 3200+? 18:12 < krzie> honestly i dunno, but likely yes 18:12 < krzie> when i say with voodoo i mean a special kernel 18:12 < krzie> the voodoo kernel 18:12 < reiffert> sounds really interesting. 18:12 < reiffert> any bookmarkable howto?
18:13 < krzie> the entire insanelymac forum 18:13 < reiffert> I *hate* forums ... 18:13 < reiffert> I always end up in reading long shitty bullshit bla bla 18:13 < krzie> *shrug* thats where the info is 18:14 < reiffert> any detailed step 1 to 10 around there? 18:17 < krzie> negative, its more complicated than that 18:18 < krzie> need to know exactly what mobo you have for anything like that 18:18 < krzie> then you'll still be reading multiple howto's 18:18 < reiffert> Think I'll stick to my ibook then 18:19 < krzie> but if you get a DG35EC i can give you what you need 18:19 < krzie> you can build a badass box with that for around 600 18:19 < krzie> 8GB ram, quad core q9400 18:20 < krzie> 1.5TB hd 18:21 < reiffert> every time I hit a online configurator I end up around 2.500 - 3.000 EUR .. which is a dual quad core xeon with plenty of RAM. 18:21 < krzie> you gotta build it yourself bro 18:22 < krzie> just grab a DG35EC mobo, a q9400, seagate 1.5TB, 8GB ram 18:22 < krzie> i just got the mobo, ram, HD for $300 US 18:22 < krzie> then you need a supported vid card, i chose a nvidia 9400 GT 18:22 < krzie> i suggest sticking to nvidia pci-e 18:23 < reiffert> When I compare the total price against the single component prices I end up in 1:1 18:23 < reiffert> ack on nvidia 18:24 < reiffert> however, not enough money atm and a working machine under my desk = Im happy 18:25 < krzie> wered 18:26 < krzie> werd 19:11 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:11 < Dougy> hey all 19:18 < ecrist> it's, "hey ya'll" 19:19 < Dougy> lol 19:19 < Dougy> sorry eric 19:21 < ecrist> so, when are you going to get around to sprucing up the ovpnforum site? 19:21 < Dougy> hmm 19:21 < ecrist> some graphics, ranking, etc? 
19:21 < Dougy> graphics i fail at 19:21 < Dougy> so never 19:21 < Dougy> ranking not sure what you mean 19:21 < Dougy> when i stop being bombarded with projects at school ill look into it some 19:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 19:30 < Dougy> krzie: hi 19:31 < krzie> high 19:32 < Dougy> hi 19:32 < Dougy> uh 19:32 < Dougy> you still want that colo right 19:33 < krzie> i paid for the box right...? 19:33 < Dougy> yes 19:33 < krzie> so umm 19:33 < krzie> of course 19:33 < Dougy> lol ok 19:33 < Dougy> i faxed in the final paperwork about 3pm 19:33 < krzie> cool, im in no rush 19:33 < Dougy> i am going to rack all 7 of these boxes at 3pm on saturday 19:34 < krzie> i still need to format/reinstall 2 servers in cali, 19:34 < Dougy> krzie guess what 19:34 < Dougy> im lead bidder on another 19:34 < Dougy> P4 2.8 ghz, 3gb, 2x120gb sata (2 hotswap) 19:34 < Dougy> current bid - $1 19:34 < Dougy> :) 19:34 < krzie> how rare! 19:34 < krzie> lol 19:34 < krzie> til someone snipes 19:34 < Dougy> and it comes with a spare 250w psu also 19:35 < Dougy> fuck that 19:35 < Dougy> max bid is 100 on this boy 19:35 < Dougy> lol 19:35 < Dougy> snipers can kiss my arse 19:35 < krzie> sniped by 101! 19:35 < Dougy> ill be watching 19:35 < Dougy> when it ends 19:35 < Dougy> 19:41:21 on may 16 my time 19:35 < Dougy> saturday at 7pm 19:36 < Dougy> man, i cant believe the damn colo is full 19:37 < krzie> you pre-sold the whole thing? 
19:37 < Dougy> lets see 19:37 < Dougy> ive sold 4 19:37 < Dougy> 5* 19:37 < Dougy> out of the 7 19:37 < Dougy> 2 are just other servers i built with parts i had (2xCore2duo E6750, 2gb ram, 2x250gb sata) 19:38 < Dougy> but yes, as of right now, its 100% covered (the space) 19:39 < Dougy> http://www.upload3r.com/serve/130509/1242261584.jpg 19:52 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:03 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: kala, Solvik, feinoM, M06w, Typone 20:03 -!- Netsplit over, joins: M06w, Typone 20:04 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: boojit, js_, HardDisk_WP, flokuehn, Kevin`, worch 20:05 -!- Netsplit over, joins: Kevin`, worch, flokuehn 20:05 -!- Netsplit over, joins: boojit, HardDisk_WP, js_ 20:06 < Dougy> Anyone need any colo? 20:16 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 20:16 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn 20:16 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn 20:27 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 21:08 -!- jeiworth [n=jeiworth@189.163.185.99] has quit [Remote closed the connection] 21:10 -!- jeiworth [n=jeiworth@189.163.185.99] has joined ##openvpn 21:10 -!- jeiworth [n=jeiworth@189.163.185.99] has quit [Read error: 104 (Connection reset by peer)] 22:03 -!- albech [n=albech@119.42.76.84] has quit [Read error: 110 (Connection timed out)] 22:08 -!- albech [n=albech@119.42.76.101] has joined ##openvpn 22:29 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)] 22:30 -!- albech [n=albech@119.42.76.101] has joined ##openvpn 22:32 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 23:11 -!- theDoc_ [n=andelyx@119.73.165.162] has joined ##openvpn 23:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 23:26 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 23:27 -!- sigius 
[n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 23:36 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 23:42 -!- albech_ [n=albech@119.42.76.101] has joined ##openvpn 23:47 -!- bk [n=bk@c-98-193-243-188.hsd1.tn.comcast.net] has joined ##openvpn 23:47 < bk> i need help 23:47 < bk> in ubuntu 9.04 23:47 < bk> on finding the file "myvpn.conf" 23:54 -!- albech__ [n=albech@119.42.76.101] has joined ##openvpn 23:59 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)] --- Day changed Thu May 14 2009 00:03 -!- albech [n=albech@119.42.76.101] has joined ##openvpn 00:04 -!- bk is now known as bk|away 00:04 -!- bk|away [n=bk@c-98-193-243-188.hsd1.tn.comcast.net] has left ##openvpn [] 00:10 < theDoc_> Anyone knows if openvpn can deal with /31 point-to-point address assignments? 00:11 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 00:11 < gebura> hi 00:12 < theDoc_> hehehe! 00:14 -!- albech_ [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)] 00:14 -!- albech__ [n=albech@119.42.76.101] has quit [Success] 00:25 < gebura> i am looking for an information about ipv6 & openvpn 00:27 < gebura> is there a way to add route or address without directly in the config file (without using --up) ? 
00:27 < gebura> it seems that --ifconfig $ipv6_1 $ipv6_2 doesn't work 00:28 < gebura> thanks in advance :) 00:28 -!- albech [n=albech@119.42.76.101] has quit [Read error: 110 (Connection timed out)] 00:39 -!- albech [n=albech@119.42.77.164] has joined ##openvpn 00:51 < gebura> !ipv6 00:51 < vpnHelper> gebura: "ipv6" is http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker 01:02 -!- albech_ [n=albech@119.42.77.164] has joined ##openvpn 01:14 -!- albech__ [n=albech@119.42.77.164] has joined ##openvpn 01:18 -!- albech [n=albech@119.42.77.164] has quit [Read error: 110 (Connection timed out)] 01:21 -!- albech_ [n=albech@119.42.77.164] has quit [Connection timed out] 01:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 01:47 -!- master_of_master [i=master_o@p549D2EF4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:49 -!- albech__ [n=albech@119.42.77.164] has quit [Read error: 54 (Connection reset by peer)] 01:50 -!- master_of_master [i=master_o@p549D470E.dip.t-dialin.net] has joined ##openvpn 01:50 -!- theDoc_ [n=andelyx@119.73.165.162] has quit [Read error: 110 (Connection timed out)] 02:01 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn 02:25 -!- albech [n=albech@119.42.76.205] has joined ##openvpn 02:28 -!- albech [n=albech@119.42.76.205] has quit [Read error: 104 (Connection reset by peer)] 02:36 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [] 02:44 -!- albech [n=albech@119.42.79.172] has joined ##openvpn 03:03 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn 03:10 -!- Isen [n=marcus@pub.sizeit.se] has quit [Remote closed the connection] 03:11 -!- albech [n=albech@119.42.79.172] has quit [Read error: 110 (Connection timed out)] 03:55 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit [Read error: 60 (Operation timed out)] 04:35 -!- theDoc [n=andelyx@116.197.252.9] has joined
##openvpn
04:35 < theDoc> !route
04:35 < vpnHelper> theDoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:35 < theDoc> !nat
04:35 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
04:35 < theDoc> !linnat
04:35 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
04:37 -!- theDoc [n=andelyx@116.197.252.9] has quit [Read error: 104 (Connection reset by peer)]
04:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:55 -!- nosSmS [n=marc@212.Red-80-32-237.staticIP.rima-tde.net] has joined ##openvpn
05:05 -!- theDoc [n=andelyx@bb116-15-188-180.singnet.com.sg] has joined ##openvpn
05:05 < theDoc> !linnat
05:05 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
05:06 < theDoc> !nat
05:07 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2)
http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
05:12 < theDoc> Hmm.
05:12 < theDoc> This is very odd.
05:14 -!- albech_ [n=albech@119.42.79.196] has quit [Connection timed out]
05:16 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn
05:34 -!- theDoc [n=andelyx@bb116-15-188-180.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:36 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##openvpn
05:36 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
05:37 -!- albech_ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
05:37 -!- krzie [i=krzee@joogot.noskills.net] has quit [Read error: 104 (Connection reset by peer)]
05:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
05:41 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
05:50 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:50 < theDoc> Anyone around?
05:50 -!- albech_ [n=albech@119.42.79.196] has joined ##openvpn
05:51 -!- albech__ [n=albech@119.42.79.196] has joined ##openvpn
05:52 -!- alinuxskyper99 [n=admin@193.227.191.91] has joined ##openvpn
05:52 < alinuxskyper99> hi
05:53 < theDoc> 'sup?
05:53 < alinuxskyper99> I am on my local network and I want to access my office network using openvpn ... the problem is that the local network is 192.168.0.0/24 and the same goes for the office network
05:54 < theDoc> alinuxskyper99: I *think* that will be a problem, you have overlapping network addresses in a discontiguous network.
05:54 < alinuxskyper99> theDoc, indeed
05:54 < alinuxskyper99> it is a problem
05:54 < alinuxskyper99> theDoc, any way to solve this? without having to change networks?
05:54 < theDoc> Hm, I have a NAT problem at the moment.
05:54 < theDoc> alinuxskyper99: No, not that I'm aware of.
05:54 < theDoc> I'm wondering why my vpn traffic isn't being NAT'ed to the eth0 address.
05:54 < theDoc> :/
05:55 < alinuxskyper99> theDoc, it works with my cisco client though...
05:55 < theDoc> [root@vpn1 openvpn]# iptables -t nat -A POSTROUTING -s 10.97.58.0/24 -o eth0 -j MASQUERADE
05:55 < alinuxskyper99> theDoc, and ipforwarding is set to 1 ?
05:55 < theDoc> alinuxskyper99: Which vpn solution are you using?
05:55 < alinuxskyper99> theDoc, CiscoVPN client and OpenVPN.. OpenVPN with 64 bit clients
05:56 < theDoc> alinuxskyper99: I don't think openvpn and ciscovpn are compatible. That being said, I do not have any experience in dealing with Cisco's vpn solutions.
06:05 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
06:10 -!- albech_ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
06:10 -!- albech__ [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
06:18 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:21 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
06:32 -!- nosSmS [n=marc@212.Red-80-32-237.staticIP.rima-tde.net] has left ##openvpn []
06:36 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has joined ##openvpn
06:36 < sehh> hey people
06:37 < sehh> q: can OpenVPN as a client connect to a CISCO VPN?
06:40 < sehh> the remote CISCO device is a DSL modem/router running IOS
06:42 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
07:09 < Bushmills> sehh, if you convince cisco to use openvpn, it will be able to.
07:09 < sehh> :)
07:13 -!- Delf [n=Eldkraft@c-89-160-11-82.cust.bredband2.com] has quit [Read error: 60 (Operation timed out)]
07:14 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has quit ["Fedora Condom Linux - "shinny, rubbery and roundish...""]
07:21 < feinoM> Are there any OpenVPN clients for Symbian?
I haven't been able to find any, but maybe you guys know of one :)
07:23 < ecrist> I'm not aware of one. If you find one, please let us know so we know about it.
07:28 < feinoM> will do..
07:29 < reiffert> feinoM: there has been something on the mailing list some time ago...
07:30 < reiffert> IIRC a job offer for porting openvpn to symbian.
07:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:41 * ecrist just had one of the tastiest apples *ever*
07:41 < ecrist> crisp, just the right combination of sweet and tart.
07:53 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
08:11 -!- admin__ [n=admin@212.28.233.21] has joined ##openvpn
08:24 -!- alinuxskyper99 [n=admin@193.227.191.91] has quit [Read error: 113 (No route to host)]
08:29 -!- xororand [n=xororand@unaffiliated/xororand] has joined ##openvpn
08:30 < xororand> Hello. Can OpenVPN 2.1.x forward IPv6 in server mode? Do I have to use tun or tap for that?
08:41 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-, viric, `Ned
08:43 -!- Netsplit over, joins: viric, `Ned, disco-
08:46 < ecrist> xororand: 2.0.9 or 2.1, either can do IPv6 traffic with tap mode
08:46 < ecrist> 2.1, otherwise
08:46 < ecrist> specifics are discussed on the 2.1 man page
08:47 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:49 < KaiForce> what is a good verb level for troubleshooting client connection issues?
08:49 < ecrist> 6
08:49 < ecrist> it's what we ask for here
08:49 < ecrist> !logs
08:49 < vpnHelper> ecrist: "logs" is please pastebin your logfiles from both client and server with verb set to 6
08:50 < KaiForce> ecrist: muchas gracias
08:50 < ecrist> no problem
08:51 < xororand> okay thanks, ecrist. i'll use tap then
08:55 < xororand> Are there any downsides with TAP?
08:56 < ecrist> it's a pain to set up, and you can't use Macs as a VPN server
09:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
09:06 < KaiForce> ok, the problem my client appears to be having is in adding the route after connecting. They are getting "The object already exists" when it tries to add the route.
09:07 < ecrist> sounds like you have IP address conflicts
09:07 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
09:17 -!- acton [n=tyler@li4-115.members.linode.com] has joined ##openvpn
09:18 < acton> hello; I've got a quick question. I'm looking at the static key howto, it is talking about establishing a tunnel with 10.0.0.x etc. I just want to connect, do I need to make a tunnle?
09:18 < acton> tunnel**
09:18 < ecrist> a VPN *is* a tunnel
09:19 < acton> do I need to do the tunnel from 10.0? or can I just connect after I follow the howto and set up my static key
09:20 < acton> o, got it.
09:20 < acton> I need to go look at the config to figure out what else I can do, but I've got the basic idea, I think
09:22 -!- clustermagnet [n=vasiliy@75.101.158.130] has joined ##openvpn
09:23 < KaiForce> ecrist - where should I look for the address conflict? the user has a unique VPN address, the client IP is on a different subnet than the host network, and he is the only one connecting from that public IP.
09:24 < KaiForce> is it possible that after a disconnection from the OpenVPN server, some residual route is being left and causing this?
09:24 < acton> I have multiple places where I will connect from. do I need the ifconfig x.x.x.x to x.x.x.x?
09:27 < acton> I'm trying to just let myself connect, through the pks. not sure if the ifconfig is really needed, though.
09:31 < acton> any ideas?
09:38 < acton> My vpn server's IP will be static, but my IP is dynamic.
09:38 < acton> so I can't use ifconfig x.x.x.x to x.x.x.x... is there another form of authentication?
09:38 < theDoc> Doesn't matter.
09:38 < theDoc> Use the pam module where you can login using a user/pass
09:40 < acton> nods, I'll see if I can figure out how to do that... thanks
09:42 < theDoc> <3
09:44 < acton> ...
09:44 < theDoc> According to the beatles, all you need is <3
09:44 -!- jeiworth [n=jeiworth@189.177.122.84] has joined ##openvpn
09:46 < acton> And we actually listen to them? they suck for a reason.
09:47 < theDoc> acton: I'm sure they do but they make plenty of $$
09:49 < ecrist> all I need is less than three?
09:49 < acton> well, there's a point there. :p
09:50 < theDoc> ecrist: Maybe.
09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
10:26 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
10:26 < BadSector> !howto for beginners
10:26 < vpnHelper> BadSector: Error: "howto" is not a valid command.
10:26 < BadSector> oops
10:28 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has joined ##openvpn
10:29 < BadSector> I have created my client1.csr and my client1.key ... could someone tell me where to place those files in Ubuntu 9.04? I had thought I could put them in /etc/openvpn and then just terminal to /etc/openvpn and type in "openvpn client" ... but it doesn't seem to find the client.1crt... so i'm thinking it doesn't see it? or I have wrong directory..
10:32 < BadSector> nvm.. found it
10:48 -!- BadSector [n=BadSecto@mail.aidcoint.com] has left ##openvpn []
11:03 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"]
11:09 -!- Roman123 [n=Roman123@xchg.fiss-oeaw.at] has quit ["Leaving"]
11:18 * ecrist sings, 'Bat Fight! Takin' a chance! A game of skill, it's easy to do. Bat Fight! A gentleman's game, Bat Fight!"
11:18 < ecrist> http://www.funnyordie.com/videos/426608ab8c/bat-fight#player
11:18 < vpnHelper> Title: BAT FIGHT with Will Ferrell from Will Ferrell, Craig Robinson, and Jake (at www.funnyordie.com)
11:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:45 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-, clustermagnet, viric, `Ned
11:47 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has joined ##openvpn
11:50 -!- viric [n=viric@62.57.137.96.dyn.user.ono.com] has joined ##openvpn
11:53 < ecrist> Hey there little red riding hood, you sure are looking good! you're everything a big bad wolf could want...
11:53 < theDoc> o-o;
12:03 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
12:04 < ecrist> I told the witch doctor I was in love with you, and then the witch doctor told me what to do. He said OOO EEE OOO AHHH AHH Bing Bang WALLA WALLA BANG BANG
12:07 -!- jeiworth [n=jeiworth@189.177.122.84] has quit [Read error: 104 (Connection reset by peer)]
12:07 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn
12:14 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
12:27 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 104 (Connection reset by peer)]
12:27 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn
12:33 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
12:35 < jeiworth> hi all, i am struggling to install openvpn gui on a vista 64 bit machine, so far so good, installed as admin but it tries to install a 32bit tap device, which obviously won't run. i am googling around but it seems to be a still unresolved problem, any ideas?
12:37 < BadSector> I have managed to set up an OpenVPN and connect between 2 laptops using a patch cable to the nic. The server is a WinXP machine that is connected to the internet via wireless nic. How do I share that internet connection w/ the VPN connection?
(When I try to bridge the two, I lose the Wifi conn. If I try to share the wifi to the VPN conn. it changes the VPN conn. to 192.168.0.1)
12:42 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
12:43 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has joined ##openvpn
12:43 -!- gtlz [n=gtlz@unaffiliated/gtlz] has joined ##openvpn
12:44 < gtlz> i have a freebsd router/openvpn endpoint that I just set up at one of our new datacenters... there's only about 26ms of latency between my office and the DC. for some reason, openssh sessions over the openvpn tunnel have some extra latency. at another DC, i have pfsense set up in a similar manner and the ssh-over-vpn sessions there do not exhibit the same latency. any ideas? no altq or qos, very simple pf rules.
12:44 < gtlz> the configuration files are nearly identical
12:45 < svenx> how do you measure the ssh latency?
12:45 < gtlz> perceived keystrokes registering in the terminal
12:45 < gtlz> it "feels" like the freebsd box is 150ms away
12:45 < svenx> okay.. hm
12:46 < svenx> i'd go for some tcpdumping to see where the delay might be incurred
12:47 < gtlz> hm? you think i'm losing/dropping packets?
12:48 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
12:49 < BadSector1> was there any answer for my question above? (got disconnected trying to change bridging)
12:49 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
12:50 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn
12:51 < digii> hmm, what dist do u guys recommend if im going to set up an openvpn solution for multi-users and cert-authentication
12:52 < ecrist> gtlz: same hardware and load between the systems?
12:52 < gtlz> ecrist: load yes, slightly different hardware. the freebsd system is a dual core 2.8ghz intel (non cely), 2GB ram, intel server gigabit nics
12:53 < ecrist> and the pf rules are the same between the boxes?
12:53 < ecrist> is pfsense doing any shaping?
12:55 < gtlz> no shaping, the rules on the pfsense box are more complex as it's used in production
12:56 < gtlz> the freebsd box just has simple block rules and pass in quick rules for vpn traffic
12:57 < ecrist> it's hard to diagnose the latency issue. are your disks and RAM OK in the 'slow' box?
12:57 < gtlz> AFAIK yes
12:57 < gtlz> i was thinking maybe the pfsense team introduced some latency reducing tuning or changes, but the config files are the same, so unless they patched the source, idk what would be going on here
12:59 < ecrist> are you dropping packets on the slower box? is your ISP on that box shaping UDP traffic, to thwart P2P users?
13:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
13:00 < gtlz> no way, it's a legit datacenter. it's also a tcp tunnel.
13:00 < ecrist> that might be your problem
13:00 < ecrist> !tcp
13:00 < gtlz> let me check pflog, though i doubt it
13:00 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:00 < gtlz> i was having stability issues with udp tunnels
13:00 < gtlz> not at this DC, but at another
13:00 < ecrist> use UDP tunnels, unless you cannot for some reason (escaping a draconian firewall)
13:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
13:03 < gtlz> well i guess it's time to try udp? :\
13:03 < ecrist> I'd suggest it
13:10 < gtlz> ecrist: i wonder if it's the blowfish cipher? is AES or 3des less costly?
13:10 < ecrist> that question is above my pay-grade, sorry
13:11 < ecrist> I use blowfish, and we don't have any problems.
13:11 < gtlz> ah ok
13:11 < ecrist> where I work, we have staff connecting from T1, cable internet, DSL, ISDN, dial up, and cellular broadband.
all have no complaints on VPN quality
13:13 < gtlz> well the pfsense tcp based ovpn tunnel is perfect... which is why i first asked the fbsd and pfs channels as i thought there might be an OS discrepancy or some code changes by either team
13:13 < gtlz> perfect as in no perceived latency, etc etc
13:14 < ecrist> pfsense is just freebsd + pf, with a bunch of scripts and a web gui
13:14 < ecrist> it's crappy, because they do so many tweaks to sysctls and configs, out of the norm
13:14 < ecrist> which is why I just use freebsd + pf
13:14 < ecrist> and carp, firewall redundancy with carp is the shit
13:15 < gtlz> well i totally agree
13:16 < gtlz> which is why i'm trying to avoid using pfsense at the new DC
13:16 < jeiworth> FYI to get openvpn client running on a vista 64bit box use: http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe
13:16 < ecrist> http://www.secure-computing.net/wiki/index.php/CARP
13:16 < vpnHelper> Title: CARP - Secure Computing Wiki (at www.secure-computing.net)
13:16 < gtlz> i vastly prefer the flexibility of fbsd
13:16 < gtlz> ecrist: i know all about it, thx tho.
13:17 < gtlz> i've deployed redundant firewalls/gateways a dozen times.. pfsync and carp = sweetness
13:17 < ecrist> :)
13:23 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
13:43 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
13:43 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
13:44 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
13:46 < BadSector> !redirect for sending inet traffic through server
13:46 < vpnHelper> BadSector: Error: "redirect" is not a valid command.
13:46 < BadSector> humm
13:51 < BadSector> can anyone tell me how to get to these help guides?
Don't know where to find the info on "!redirect for sending inet traffic through server "
13:53 < ecrist> !redirect
13:53 < vpnHelper> ecrist: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:53 < ecrist> commands for bots are only one word, prepended by a !
13:54 < BadSector> thanks
13:56 < BadSector> just not understanding this last point :( lol, finally got the two machines connected... but the client cannot reach the internet.. will keep reading :)
13:56 < BadSector> !def1
13:56 < vpnHelper> BadSector: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:57 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
13:59 < plaerzen> !dance
13:59 < vpnHelper> plaerzen: Error: "dance" is not a valid command.
13:59 * BadSector wiggles...
14:12 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
14:15 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
14:15 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
14:21 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
14:21 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
14:21 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
14:23 < BadSector1> blah, aggravating lol... every time I try to create a bridge I lose Internet Connection. I even tried to set up the Network Bridge TCP/IP properties to the same values that were in the Wireless NIC properties but still no internet while bridge is active...
14:23 < ecrist> rather than do bridge, do routed
14:24 -!- alinuxskyper99 [n=admin@212.28.233.21] has joined ##openvpn
14:24 < ecrist> I'm not a windows wiz, though
14:24 -!- admin__ [n=admin@212.28.233.21] has quit [Read error: 104 (Connection reset by peer)]
14:26 < BadSector1> yeah, i was trying routed at first, until i was reading and they said kinda easier to do w/ bridge because you don't need to put in the routes.. And I don't really know what kind of IP range I have available here at work :(
14:32 < BadSector1> I think my problem is that I'm trying to connect the two laptops with the lan NICs thru OpenVPN and share my Wireless NIC to the virtual tap... humm.. but I would think it would still work... oh well..
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:37 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has joined ##openvpn
14:38 -!- BadSector [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
14:39 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
14:40 < lepine> Hey guys, i'm trying to connect to a server which is behind NAT.
14:40 < chrisbdaemon> are there any alternatives to easy-rsa to handle my keys for openvpn?
14:40 < lepine> chrisbdaemon: tinyca
14:40 < chrisbdaemon> I remember I heard about one in here but I forget what it's called
14:41 -!- admin__ [n=admin@193.227.191.90] has joined ##openvpn
14:41 < ecrist> ssl-admin
14:41 < ecrist> !ssl-admin
14:41 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
14:41 < lepine> the port forwarding on the router works, it's port 8080 ... and works fine when i bind apache to that port.
14:41 < chrisbdaemon> ssl-admin, that's what it's called
14:41 < chrisbdaemon> thanks
14:41 < lepine> however, openvpn keeps sending ACKs for reasons unknown ...
14:41 < ecrist> lepine: make sure it's UDP you're forwarding, not just TCP
14:42 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit [Client Quit]
14:42 < lepine> ecrist: i set the server to use tcp
14:42 < ecrist> ick
14:42 < ecrist> !tcp
14:42 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
14:42 < lepine> here is a log, verb 9 ... http://pastebin.ca/1422951
14:42 < lepine> reading ...
14:43 < lepine> ecrist: I'm not in the greatest position to edit that router
14:44 < lepine> hence, switch to udp
14:44 < ecrist> lepine: does it work, outside the NAT?
14:44 < lepine> haven't tried ... give me a minute
14:45 < lepine> should have done so beforehand
14:48 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has joined ##openvpn
14:49 -!- BadSector [n=BadSecto@mail.aidcoint.com] has quit [Read error: 104 (Connection reset by peer)]
14:49 < gtlz> so ecrist, udp tunnels do not experience the same perceived keystroke lag... so now the question becomes, how is pfsense mitigating the tcp-induced latency?
14:50 < ecrist> my guess, is they're don't tcp window resizing in the firewall
14:50 < ecrist> OR, the client config on that end is configured for a smaller window size
14:50 < ecrist> !mss
14:50 < vpnHelper> ecrist: Error: "mss" is not a valid command.
14:50 < ecrist> !mss-fix
14:50 < vpnHelper> ecrist: Error: "mss-fix" is not a valid command.
14:50 < ecrist> !mssfix
14:50 < vpnHelper> ecrist: Error: "mssfix" is not a valid command.
14:51 < ecrist> !mtu
14:51 < vpnHelper> ecrist: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well
14:52 < gtlz> hrm, well tunnel mtu is set by default
14:52 < gtlz> at least according to the client connect output
14:53 < lepine> ecrist: it seems to work, when not going through NAT.
14:53 < gtlz> and the link you sent me is using the dos cmd prompt, definitely not something i have access to (i'm proud to say)
14:53 < ecrist> lepine, I'm sorry to say your problem isn't OpenVPN, then.
14:53 < lepine> stupid cisco router
14:54 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 110 (Connection timed out)]
14:54 < ecrist> gtlz: --mtu-test in your config will get you the answer, then.
14:54 < lepine> back to plan B, running a server on the net, and having a client share a subnet ...
14:56 -!- BadSector1 [n=BadSecto@mail.aidcoint.com] has quit [Read error: 110 (Connection timed out)]
14:58 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)]
14:58 -!- alinuxskyper99 [n=admin@212.28.233.21] has quit [Read error: 110 (Connection timed out)]
15:00 < gtlz> ecrist:
15:00 < gtlz> Thu May 14 12:59:45 2009 us=439144 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
15:00 < gtlz> ecrist: i'm going to follow some tcp tuning guides for freebsd and see what happens
15:01 < ecrist> okie
15:01 < gtlz> i don't have much to lose as i plan on scrapping this box in the next week or so anyway
15:01 < ecrist> I'd just switch to udp and be done with it, if it were me.
15:05 < gtlz> yeah but i want to make sure i can use tcp if i need to,
15:05 < gtlz> and i'm bored at work
15:05 < gtlz> so i might as well figure it out
15:07 < gtlz> also i want to make sure there are no tcp performance "issues" when i put freebsd live
15:08 < gtlz> or i definitely just borked it... methinks it should be online by now.
15:09 < gtlz> well, i was planning on going to the DC today anyway... i just sealed my fate.
15:14 < digii> Can someone tell me what i need to do when im setting up openvpn and im just using 1 nic?
15:14 < digii> or help me is a better word
15:19 -!- BadSector2 [n=BadSecto@mail.aidcoint.com] has quit ["Leaving."]
15:27 < digii> if im using one nic do i have to bridge that?
15:28 < ecrist> yeah, because there is still a virtual NIC
15:28 < digii> what?
15:28 < ecrist> tun or tap adapter
15:28 < digii> u mean i need to create a virtual nic?
15:29 < digii> or does openvpn create its own virtual nic?
15:36 < ecrist> perhaps you should read how openvpn operates, first?
15:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:44 -!- jeiworth [n=jeiworth@189.177.136.65] has joined ##openvpn
16:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:30 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
16:33 -!- nico__ [n=tuxsmouf@37.218.81-79.rev.gaoland.net] has joined ##openvpn
16:34 -!- tuxsmouf [n=tuxsmouf@105.197.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
16:34 -!- tjz [n=tjz@bb121-6-114-207.singnet.com.sg] has quit [Connection timed out]
16:34 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
16:39 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
16:40 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit]
16:43 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: xororand, M06w, Typone
16:45 -!- Netsplit over, joins: xororand, M06w, Typone
16:48 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
16:48 -!- viric [n=viric@62.57.137.96.dyn.user.ono.com] has left ##openvpn []
16:52 -!- admin__ [n=admin@193.227.191.90] has quit [Read error: 113 (No route to host)]
16:56 -!- BadSector [n=BadSecto@cpe-75-185-235-61.cinci.res.rr.com] has joined ##openvpn
17:03 < digii> when im bridging virtual-nic to my real nic to use for openbox, should my real-nic have a static ip first?
17:04 < digii> or can it still be dhcp? or is that not such a good idea?
17:06 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
17:07 < jeiworth> digii: what os?
i just installed openvpn on an ubuntu system and defined tap0 and br0 in /etc/networking/interfaces, tap0 and eth0 i gave static ip 0.0.0.0, br0 has the static ip of the server, and no problem since then
17:07 < digii> im using debian
17:07 < digii> so its probably the same
17:07 < jeiworth> digii: well then its actually exactly the same ;)
17:08 < digii> do u mind posting your interfaces file on some pastebin site?
17:09 < digii> i dont have tap u only got /dev/net/tun but i guess thats the same
17:09 < jeiworth> http://pastebin.ubuntu.com/172634/
17:10 < jeiworth> in that case you are routing not bridging
17:10 < digii> what?
17:10 < digii> did u route?
17:11 < jeiworth> no, i bridge, bridge uses tap device, route uses tun device
17:11 < digii> how do i create tap then?
17:12 < digii> by creating br0 with brctl?
17:12 < jeiworth> by defining it in /etc/network/interfaces
17:13 < jeiworth> i was using the scripts provided by the openvpn howto bridge-start and bridge-stop and am calling them within /etc/init.d/openvpn
17:13 < jeiworth> i dont know if that is necessary now, i was experimenting a lot during installation
17:14 < digii> http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html#linuxscript
17:14 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
17:14 < digii> u mean that script?
17:14 < jeiworth> yup
17:15 < digii> u just changed the ip in eth_ip netmask and bcast?
17:15 < digii> and then just ran it?
17:15 < jeiworth> basically yes
17:15 < digii> ok =)
17:15 < digii> why is your eth0 ip set to 0.0.0.0?
17:16 < digii> doesn't it have to have an ip? :S
17:17 < jeiworth> because the server responds on the br0 interface, which is bridging the eth0 with tap0, so neither of the latter 2 need an ip. actually, i read it's a good thing to put them in promiscuous mode (0.0.0.0) to catch _all_ traffic
17:17 < digii> ok =)
17:17 < digii> hmm still dont know how to get tap?
17:18 -!- tuxsmouf [n=tuxsmouf@139.170.81-79.rev.gaoland.net] has joined ##openvpn
17:19 < jeiworth> well, define it in /etc/network/interfaces or have the bridge-start script create it or create it manually:
17:19 < jeiworth> sudo mkdir -p /dev/net
17:19 < jeiworth> sudo mknod /dev/net/tun c 10 200
17:19 < jeiworth> sudo chmod 600 /dev/net/tun
17:19 < jeiworth> well, using debian just do it as root without the sudo
17:19 < digii> ah ok =)
17:19 < jeiworth> ah wait, that was tun
17:19 < jeiworth> hmm
17:19 < digii> yea
17:20 < jeiworth> hmm then i suppose interfaces or the bridge-start script will suffice
17:21 < digii> i wonder if that actually creates tap :S
17:21 < digii> nothing in the script is saying it will
17:21 < jeiworth> bridge-start definitely does
17:21 -!- BadSector [n=BadSecto@cpe-75-185-235-61.cinci.res.rr.com] has left ##openvpn []
17:22 < digii> oh ok
17:22 < jeiworth> just adjust it to your network topology, make it executable and try
17:22 < digii> network topology? u mean the ip addresses and stuff?
17:22 < jeiworth> yes
17:23 < jeiworth> your local network environment
17:23 < digii> ok =)
17:37 -!- tuxsmouf [n=tuxsmouf@139.170.81-79.rev.gaoland.net] has quit [Read error: 60 (Operation timed out)]
17:37 -!- tuxsmouf [n=tuxsmouf@60.210.81-79.rev.gaoland.net] has joined ##openvpn
17:37 -!- nico__ [n=tuxsmouf@37.218.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
17:40 -!- nico__ [n=tuxsmouf@93.4.117.153] has joined ##openvpn
17:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:52 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
17:59 -!- tuxsmouf [n=tuxsmouf@60.210.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
17:59 -!- tuxsmouf [n=tuxsmouf@79.81.207.105] has joined ##openvpn
18:04 < digii> someone here?
18:10 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:10 < jeiworth> here, drinking beer
18:10 < digii> the script didnt work creating tap
18:10 < jeiworth> hmm strange
18:11 < digii> is there a package with tap i need first?
18:11 < jeiworth> well, you need the package bridge-utils as described in the howto
18:11 < digii> yea, i got that :S
18:12 -!- nico__ [n=tuxsmouf@93.4.117.153] has quit [Read error: 110 (Connection timed out)]
18:12 < jeiworth> ok....do you get an error??
18:12 -!- nico__ [n=tuxsmouf@39.58.204-77.rev.gaoland.net] has joined ##openvpn
18:12 < digii> im remote using ssh from server
18:12 < digii> so i dont know :/
18:12 < digii> got thrown out
18:13 < jeiworth> that is bad
18:14 < digii> yea
18:14 < digii> might do it manually
18:14 < jeiworth> did you adjust your /etc/network/interfaces file?
18:14 < digii> tap is a virtual-nix right?
18:14 < digii> nic*
18:14 < jeiworth> i think so
18:14 < digii> and br0 is also that :S
18:14 < digii> hmm
18:14 < digii> why do u need 2 :S
18:15 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has joined ##openvpn
18:15 < jeiworth> well, as i understand it, openvpn communicates through tun/tap so to route the traffic to openvpn you need to make a bridge from the physical device, e.g. eth0, and route all that traffic to tap
18:16 < digii> if u copy your interfaces and change the if to my network and then try the script again, it might work
18:17 < digii> last time i just changed it myself :D might have written something bad
18:17 < jeiworth> hehe
18:17 < jeiworth> actually there is a typo in the interfaces i posted you, on ..uhm... tap0 i think it says addressa instead of address
18:18 < digii> yea :D ok
18:18 < digii> change that
18:22 -!- tuxsmouf [n=tuxsmouf@79.81.207.105] has quit [Read error: 110 (Connection timed out)]
18:24 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:24 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:26 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 110 (Connection timed out)]
18:26 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
18:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:27 -!- smerz [n=daniel@smerz.demon.nl] has left ##openvpn ["Ex-Chat"]
18:29 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:36 < reiffert> morning
18:39 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:43 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
18:46 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit ["Lost terminal"]
18:46 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
18:48 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn
19:07 -!- nico__ [n=tuxsmouf@39.58.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
19:08 -!- nico__ [n=tuxsmouf@238.146.204-77.rev.gaoland.net] has joined ##openvpn
19:28 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:28 < Dougy> ayooo
19:41 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
20:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:03 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:05 -!- tuxsmouf [n=tuxsmouf@35.172.81-79.rev.gaoland.net] has joined ##openvpn
20:06 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit ["Lost terminal"]
20:06 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
20:09 -!- nico__ [n=tuxsmouf@238.146.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
20:19 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:06 -!- nico__ [n=tuxsmouf@239.174.81-79.rev.gaoland.net] has joined ##openvpn
21:27 -!- tuxsmouf [n=tuxsmouf@35.172.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
21:41 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:55 -!- jeiworth [n=jeiworth@189.177.136.65] has quit [Connection timed out]
22:00 -!- tuxsmouf [n=tuxsmouf@103.179.81-79.rev.gaoland.net] has joined ##openvpn
22:10 < theDoc> How can ... a SSL browser connection be advertised as a vpn connection
22:10 < theDoc> >_>
22:10 < theDoc> Jesus.
22:11 < frankS2> it can?
22:11 < theDoc> frankS2: Sure, the interweb is plentiful of companies advertising browser based SSL vpns which aren't actually vpns :o
22:12 < frankS2> haha
22:12 < theDoc> Download moar activeX controls and you get super SSL security!
22:12 < frankS2> oh yay! I must get that
22:12 < theDoc> http://www.slickyproxy.com/Technical_Background.htm
22:12 < vpnHelper> Title: Techical Background of Proxies and SSL VPNs (at www.slickyproxy.com)
22:13 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
22:13 < theDoc> All that hype, no base.
22:17 < theDoc> lol@#
22:17 < theDoc> # Poor, intermittent and disrupted connections won't cause the VPN to fail.
22:17 < theDoc> Does that mean, if my interweb connection breaks down, I can still use the vpn?
22:17 < theDoc> Sorry, :) Couldn't resist that
22:20 -!- nico__ [n=tuxsmouf@239.174.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
22:44 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
22:48 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
22:54 -!- albech [n=albech@119.42.79.196] has quit [Read error: 110 (Connection timed out)]
22:57 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
23:05 -!- nico__ [n=tuxsmouf@24.236.204-77.rev.gaoland.net] has joined ##openvpn
23:07 -!- albech [n=albech@119.42.79.196] has quit [Read error: 60 (Operation timed out)]
23:07 -!- albech [n=albech@119.42.79.196] has joined ##openvpn
23:09 -!- albech [n=albech@119.42.79.196] has quit [Client Quit]
23:27 -!- tuxsmouf [n=tuxsmouf@103.179.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
23:40 -!- Netsplit over, joins: disco-
23:44 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
--- Day changed Fri May 15 2009
00:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:18 -!- dan__t [n=dant@vpn.withparity.net] has left ##openvpn ["Leaving"]
01:26 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:33 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
01:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:36 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-
01:47 -!- master_of_master [i=master_o@p549D470E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- tuxsmouf [n=tuxsmouf@127.168.81-79.rev.gaoland.net] has joined ##openvpn
01:50 -!- master_of_master [i=master_o@p549D31B2.dip.t-dialin.net] has joined ##openvpn
01:52 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
01:53 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit]
01:54 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
01:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit [Client Quit]
02:02 -!- Netsplit over, joins: disco-
02:10 -!- nico__ [n=tuxsmouf@24.236.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
02:11 -!- nico__ [n=tuxsmouf@88.141.4.192] has joined ##openvpn
02:14 -!- tuxsmouf [n=tuxsmouf@127.168.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
02:21 -!- tuxsmouf [n=tuxsmouf@195.170.81-79.rev.gaoland.net] has joined ##openvpn
02:46 -!- nico__ [n=tuxsmouf@88.141.4.192] has quit [Read error: 110 (Connection timed out)]
02:46 -!- nico__ [n=tuxsmouf@3.181.81-79.rev.gaoland.net] has joined ##openvpn
02:48 -!- tuxsmouf [n=tuxsmouf@195.170.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
02:54 -!- nico__ [n=tuxsmouf@3.181.81-79.rev.gaoland.net] has quit [Read error: 104 (Connection reset by peer)]
02:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
03:10 -!- nico__ [n=tuxsmouf@88.141.4.178] has joined ##openvpn
03:28 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has joined ##openvpn
03:52 -!- tuxsmouf [n=tuxsmouf@88.141.31.21] has joined ##openvpn
03:52 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has joined ##openvpn
03:54 -!- nico__ [n=tuxsmouf@88.141.4.178] has quit [Read error: 110 (Connection timed out)]
04:04 < reiffert> morning
04:05 -!- nico__ [n=tuxsmouf@42.200.81-79.rev.gaoland.net] has joined ##openvpn
04:07 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 113 (No route to host)]
04:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:23 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:26 -!- tuxsmouf [n=tuxsmouf@88.141.31.21] has quit [Read error: 110 (Connection timed out)]
04:38 -!- nico__ [n=tuxsmouf@42.200.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
04:40 -!- tuxsmouf [n=tuxsmouf@210.59.204-77.rev.gaoland.net] has joined ##openvpn
04:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lepine, krzie_
04:55 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:56 -!- Netsplit over, joins: lepine, krzie_
04:56 < Bushmills> morning all
04:57 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
04:59 < gebura> hi
05:00 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lepine, krzie_
05:03 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
05:05 -!- krzie_ [i=krzee@joogot.noskills.net] has joined ##openvpn
05:05 -!- albech_ [n=albech@119.42.76.61] has joined ##openvpn
05:06 -!- nico__ [n=tuxsmouf@144.180.81-79.rev.gaoland.net] has joined ##openvpn
05:06 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has joined ##openvpn
05:07 -!- tuxsmouf [n=tuxsmouf@210.59.204-77.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
05:08 -!- tuxsmouf [n=tuxsmouf@86.239.81-79.rev.gaoland.net] has joined ##openvpn
05:09 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has quit ["Leaving."]
05:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:20 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: xororand, M06w, Typone
05:21 -!- Netsplit over, joins: xororand, M06w, Typone
05:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
05:23 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
05:28 -!- nico__ [n=tuxsmouf@144.180.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
05:29 -!- nico__ [n=tuxsmouf@31.232.81-79.rev.gaoland.net] has joined ##openvpn
05:40 -!- znh [n=znh@unaffiliated/znh] has quit [Connection reset by peer]
05:44 -!- tuxsmouf [n=tuxsmouf@86.239.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
05:44 -!- tuxsmouf [n=tuxsmouf@21.225.81-79.rev.gaoland.net] has joined ##openvpn
05:55 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:59 -!- nico__ [n=tuxsmouf@31.232.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
06:01 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has joined ##openvpn
06:01 < Fallenou> hi
06:01 < Fallenou> i just created a point-to-point vpn
06:02 < Fallenou> each side can ping the other side
06:02 < Fallenou> but i cannot establish a TCP connection through the vpn
06:02 -!- nico__ [n=tuxsmouf@67.195.81-79.rev.gaoland.net] has joined ##openvpn
06:05 < Fallenou> ok nevermind it works now
06:05 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has left ##openvpn ["So long, and thanks for all the Fish !"]
06:26 -!- tuxsmouf [n=tuxsmouf@21.225.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
06:27 -!- nico__ [n=tuxsmouf@67.195.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
06:27 -!- nico__ [n=tuxsmouf@181.201.81-79.rev.gaoland.net] has joined ##openvpn
06:38 -!- tuxsmouf [n=tuxsmouf@79.81.229.65] has joined ##openvpn
06:57 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:00 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit]
07:00 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:02 -!- nico__ [n=tuxsmouf@181.201.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
07:02 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit]
07:03 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:04 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit]
07:04 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:09 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
07:10 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
07:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
07:50 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
07:56 -!- albech_ [n=albech@119.42.76.61] has quit [Client Quit]
07:56 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
07:59 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:13 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has joined ##openvpn
08:15 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has joined ##openvpn
08:42 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:50 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
08:56 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
08:56 -!- tuxsmouf [n=tuxsmouf@79.81.229.65] has quit [Read error: 110 (Connection timed out)]
08:57 -!- tuxsmouf [n=tuxsmouf@79.81.229.205] has joined ##openvpn
09:00 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
09:01 -!- Solver_ [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
09:02 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
09:03 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
09:23 -!- albech [n=albech@119.42.76.61] has quit [Connection timed out]
09:33 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
09:34 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has joined ##openvpn
09:35 -!- nico__ [n=tuxsmouf@131.202.81-79.rev.gaoland.net] has joined ##openvpn
09:36 -!- jeiworth [n=jeiworth@189.234.37.185] has joined ##openvpn
09:37 -!- tuxsmouf [n=tuxsmouf@79.81.229.205] has quit [Read error: 110 (Connection timed out)]
09:46 < Fallenou> is it possible to redirect all traffic through a VPN ?
09:46 < Fallenou> i have 2 interfaces, tun0 (the vpn) and eth0, the actual internet connection
09:46 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
09:47 < Fallenou> i can add hosts that pass through the VPN doing route add -host ip_address gw 192.168.42.1, and it works well
09:47 < Fallenou> (192.168.42.1 is the VPN server ip, in the VPN)
09:48 < Fallenou> but i would like to make all my traffic go into the VPN, not only several ip addresses i have to add
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:50 < reiffert> Fallenou: yes, it's possible
09:50 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:51 < reiffert> !def1
09:51 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:51 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [SendQ exceeded]
09:52 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:53 -!- znh [n=znh@unaffiliated/znh] has quit [SendQ exceeded]
09:53 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
09:53 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [SendQ exceeded]
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has joined ##openvpn
09:54 -!- znh [n=znh@a12248.upc-a.chello.nl] has quit [Success]
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:07 -!- Solver_ is now known as Solver
10:07 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
10:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
10:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:17 -!- tuxsmouf [n=tuxsmouf@94.169.81-79.rev.gaoland.net] has joined ##openvpn
10:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:35 -!- Lilarcor [n=Lilarcor@57.sub-97-164-229.myvzw.com] has joined ##openvpn
10:38 -!- nico__ [n=tuxsmouf@131.202.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
10:42 < Fallenou> ok good thanks reiffert :)
10:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
10:56 -!- tuxsmouf [n=tuxsmouf@94.169.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
10:56 -!- tuxsmouf [n=tuxsmouf@105.181.81-79.rev.gaoland.net] has joined ##openvpn
11:02 -!- rotty` [n=user@83-215-154-5.hage.dyn.salzburg-online.at] has joined ##openvpn
11:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:22 -!- Lilarcor [n=Lilarcor@57.sub-97-164-229.myvzw.com] has quit ["The Lord of Murder Shall Perish."]
11:24 < rotty`> i have a little problem with my openvpn setup (bridge): I can access the internet and hosts in the LAN (including the ovpn server) from openvpn clients, but trying to ping or connect to other clients doesn't work.
11:25 < rotty`> the packets won't even show up with tcpdump on the 'tap0' device when I try to ping other clients...
11:29 < rotty`> any ideas of what might be the issue?
11:51 -!- nico__ [n=tuxsmouf@29.208.81-79.rev.gaoland.net] has joined ##openvpn
11:51 -!- tuxsmouf [n=tuxsmouf@105.181.81-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
11:54 -!- gtlz [n=gtlz@unaffiliated/gtlz] has left ##openvpn []
12:10 * ecrist sings, "Boats and Hos"
12:21 < reiffert> !client-to-client
12:21 < vpnHelper> reiffert: Error: "client-to-client" is not a valid command.
12:21 < reiffert> --client-to-client
12:23 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
12:24 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
12:30 -!- jeiworth [n=jeiworth@189.234.37.185] has quit [Read error: 110 (Connection timed out)]
12:33 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:37 < ecrist> !learn client-to-client as To enable client-to-client communications, add the client-to-client option to the server configuration.
12:37 < vpnHelper> ecrist: Joo got it.
12:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:52 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
13:17 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
13:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:09 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
14:13 < Fallenou> rotty` < reiffert answered you "client-to-client" (in case you didn't notice)
14:16 -!- c64zottel [n=hans@p5B178C22.dip0.t-ipconnect.de] has quit ["Leaving."]
14:25 < reiffert> In order to drive a car, get in and launch the motor?
14:26 < reiffert> learn client-to-client as When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:26 < reiffert> See !man for details
14:28 -!- jeiworth [n=jeiworth@189.177.136.65] has joined ##openvpn
14:29 < ecrist> !forget client-to-client
14:29 < vpnHelper> ecrist: Joo got it.
14:29 < ecrist> !learn client-to-client as When this option is used, each client will "see" the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:30 < vpnHelper> ecrist: Joo got it.
14:30 < ecrist> !client-to-client
14:30 < vpnHelper> ecrist: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:47 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
14:49 < chrisbdaemon> hey, I need some help. I'm trying to use ssl-admin to get my keys setup for openvpn on openbsd 4.5, I created the keys and everything and i copied them to the client computer and setup the config file but when I try to connect I get a "Authenticate/Decrypt packet error: packet HMAC authentication failed"
14:49 < chrisbdaemon> i've checked the md5's are the keys on the server and client are identical, the cipher in the configuration is the same
14:49 < chrisbdaemon> and the keys*
14:50 < chrisbdaemon> i'm using the ta.key feature as well and those match as well
14:50 < chrisbdaemon> any idea what else could have gone wrong or is there some way to manually verify the keys/certificates?
14:58 < ecrist> !logs
14:58 < vpnHelper> ecrist: "logs" is is please pastebin your logfiles from both client and server with verb set to 6
14:58 < ecrist> !config
14:58 < vpnHelper> ecrist: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
14:58 < ecrist> !configs
14:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:58 < chrisbdaemon> k, one sec
15:03 < chrisbdaemon> does it matter what i use for the ca's owner id?
15:04 < chrisbdaemon> i know the server key is supposed to be using server as the common name doesn't it?
15:05 < ecrist> not really
15:06 < ecrist> there is a thread, found via google, which may help you
15:06 < ecrist> http://openvpn.net/archive/openvpn-users/2004-05/msg00289.html
15:06 < rotty`> ecrist: thanks!
15:06 < vpnHelper> Title: Re: [Openvpn-users] Authenticate/Decrypt packet error: packet HMAC authentication failed (at openvpn.net)
15:06 < ecrist> what did I do?
15:07 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
15:08 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
15:17 < chrisbdaemon> server log is at http://pastebin.com/d2d5e56ce client/server configs: http://pastebin.com/d95c1e56
15:18 < chrisbdaemon> do you need logs from the client machine also?
15:18 < ecrist> might, looking at server now
15:19 < chrisbdaemon> and i see the error opening the logfiles btw, that was my next step after getting the vpn working
15:20 < ecrist> yes, client logs, please
15:21 < chrisbdaemon> full logs or just errors/warnings?
15:22 < ecrist> full, at verb 6, please
15:22 < ecrist> your client config is set for verb 3
15:22 < chrisbdaemon> hmm, thats annoying, tunnelblick won't let me copy the logs from the log view window :\
15:22 < ecrist> you can, you need to right-click and select copy
15:23 * krzie_ streaks across the channel
15:23 < chrisbdaemon> ah, hotkeys just didn't work
15:23 -!- krzie_ is now known as krzie
15:23 < ecrist> !learn logs as In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:23 < vpnHelper> ecrist: Joo got it.
15:24 < ecrist> at first, I thought you were a girl, but with the realization they were simply EXTREMELY small nuts, I knew it to be you, krzie
15:24 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
15:25 < chrisbdaemon> http://pastebin.com/d40a4fd22
15:26 < chrisbdaemon> thats not the exact same connection as the server logs btw, but it is the same problem
15:26 < chrisbdaemon> just in case that matters
15:27 < ecrist> the log looks truncated
15:27 < chrisbdaemon> it never finishes the connection, it just stops
15:27 < chrisbdaemon> waiting for server response
15:28 < chrisbdaemon> it gets to line 126 then repeats the errors at 128 over and over
15:32 < ecrist> try removing the tls-auth line in the client config
15:32 < chrisbdaemon> server also?
15:32 < ecrist> yeah
15:32 < ecrist> just for giggles
15:33 < chrisbdaemon> hmm, that worked it looks like
15:33 < chrisbdaemon> or not
15:33 < chrisbdaemon> let me paste new logs..
15:40 < ecrist> I'm out for the night.
15:40 < chrisbdaemon> server: http://pastebin.com/da81c9c8 client: http://pastebin.com/d240531da
15:40 < chrisbdaemon> ah, ok
15:41 < chrisbdaemon> ah, i think i might have found it, one sec
15:42 < chrisbdaemon> bah, i had AES-256-CBC on the client and AES-128-CBC on the server :\
15:42 < chrisbdaemon> thanks for the help :P
15:43 -!- nico__ [n=tuxsmouf@29.208.81-79.rev.gaoland.net] has quit [Remote closed the connection]
15:47 < krzie> ecrist, so you recognized me by my balls?
15:50 < krzie> i dont think even i could pick my balls out of a lineup
15:58 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has left ##openvpn ["Leaving"]
16:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:07 < gebura> !time
16:07 < vpnHelper> gebura: Error: "time" is not a valid command.
16:07 < gebura> urf
16:12 < gebura> !timezone
16:12 < vpnHelper> gebura: Error: "timezone" is not a valid command.
16:12 < gebura> i ve got this error: TLS Error: Unroutable control packet received from $ip1197 (si=3 op=P_CONTROL_V1)
16:13 < gebura> somebody told me that i should change the timezone, is that the only way ?
16:14 < krzie> timezone does not matter at all
16:14 < krzie> that both are set to the correct time does
16:14 < krzie> ntpdate time.nist.gov
16:15 < krzie> times are compared in GMT, timezones dont come into effect
16:16 < gebura> thanks :)
16:16 < krzie> yw
16:47 -!- Fallenou [n=Fallen@sionneau2.maisel.int-evry.fr] has quit ["So long, and thanks for all the Fish !"]
16:49 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
16:56 < krzie> hey ecrist, i gave you the new address to send that computer to right?
16:58 < ecrist> I got one address, initially from you.
16:58 < ecrist> plan on sending it tomorrow or monday
17:00 < krzie> lets make sure you have the right one, 1 sec
17:02 < krzie> i think you had his old address, thats his new one
17:02 < krzie> he just moved
17:45 -!- sprax [n=rob@65.127.188.10] has joined ##openvpn
17:46 < sprax> I have a satellite office with just 3 clients and a printer. Rather than setup a separate network with DHCP, DNS, etc, I would like to just "extend" my main office to this remote office. The remote clients would get their IP from DHCP at the main site, etc. Is this something openVPN can do? I'm not really sure what I need to google to find out.
17:49 < sprax> A layer-2 based ethernet TAP eh? Yay Wikipedia to the rescue!
17:55 < sprax> And the ethernet bridging how-to
17:55 < sprax> lol, an exciting friday night awaits!
17:59 < feinoM> :)
18:01 < krzie> sprax
18:02 < krzie> you totally dont need layer2
18:02 < krzie> read the topic
18:02 < Bushmills> sprax, if dhcp is the only reason for a bridging configuration with tap interfaces, consider the alternative of a routing config, and running something like a dhcp forwarder on that gatewa
18:02 < Bushmills> y
18:02 < krzie> after that, type !route because it fits what you said
18:02 < krzie> he doesnt even need DHCP
18:02 < Bushmills> g'd evening
18:02 < krzie> he just wants to push DNS
18:02 < krzie> g'evening to you too =]
18:03 < Bushmills> well, no need for dhcp just for obtaining ip addresses. but dhcp can be used for more than just that.
18:04 < krzie> i understand why youd want to networks together, dont understand why youd want it for DHCP
18:04 < Bushmills> so i am not in the position that i can say "you don't need dhcp"
18:04 < krzie> since the other router can do DHCP itself, and point clients to DNS / WINS over the VPN
18:04 < krzie> etc etc
18:05 < krzie> as long as it has a route for clients to the vpn like in my writeup under the picture, it just works
18:05 < Bushmills> one could obtain for example the ntp server(s) to be used by client from dhcp
18:06 < reiffert> morning Bushmills
18:06 < Bushmills> ha.
18:06 < Bushmills> hi reiffert
18:07 < Bushmills> but one way or another, bridging is probably not needed
18:08 < reiffert> Downloading Google Earth from google.com + installation: 30 seconds
18:08 < reiffert> using the google way, called "google updater": 5 minutes
18:08 < reiffert> sigh.
18:10 < Bushmills> sounds like stress
18:10 < Bushmills> no time for a cup of tea
18:11 < sprax> actually
18:12 < sprax> the main reason is to be able to PXE boot machines at the satellite
18:12 < sprax> when the PXE on the NIC comes up it needs to lease an IP from my M$ DC running Windows Deployment Services
18:13 < sprax> then do the TFTP magic and finally a whole mess of CIFS
18:13 < sprax> add all that to the Active DNS/DHCP hassle from bill
18:14 < sprax> it makes my life easier if the clients are ignorant to the fact that there is some cable internet between them and the main office
18:15 < reiffert> does it make your life easier when the satellite system is not able to work when the cable internet link is down?
18:16 < sprax> and I'm sorry for not discovering this on my own first. I'm not averse to RTFM, but I didn't even know where to start. I was actually surprised to read the information on the FAQ.
18:17 < sprax> Well, if the cable goes down then remote users won't have access to files, databases or network applications regardless of which VPN/router magic I cast on them
18:19 -!- troy- [n=doc@216.185.67.154] has joined ##openvpn
18:19 < reiffert> They might continue using their local net and internet instead of drinking coffee for hours.
18:19 < Bushmills> a replicating network file system which handles dis/reconnect elegantly might help. maybe something coda-like
18:20 < troy-> hello i have an openvpn tunnel setup between a windows laptop and a linux server without issue but i want the windows client vpn to connection share with another system via the ethernet port
18:20 < troy-> how can i somehow bridge the ethernet interface to the vpn?
18:21 < krzie> i agree with bushmills
18:21 < sprax> troy- http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html
18:21 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
18:21 < krzie> you're going to be sending every ethernet broadcast over the bridge and every arp etc for 1 feature
18:21 < krzie> a dhcp-bridge over tun would work, but bushmills approach is what i'd use
18:22 < reiffert> internet connection sharing does not require bridging.
18:22 < sprax> yeah, if i had the budget for a replicated file system, I could setup a DC on site with its own DNS and DHCP
18:23 < troy-> sprax, does it matter that the windows machine is a client not the server?
18:23 < krzie> troy: you saying youd like the machine in same lan as windows client to access the vpn through the windows client?
18:23 < krzie> replicating stuff requires a budget?
18:23 < troy-> krzie, the device accessing the vpn via the windows client will be a cisco ip phone
18:23 < krzie> troy, totally doesnt matter
18:23 < krzie> see !route
18:23 < troy-> okay but is what i want doable?
18:24 < krzie> absolutely, and its in the topic where it says:
18:24 < krzie> "lans behind openvpn? see !route "
18:24 < krzie> !route
18:24 < sprax> krzie yep
18:24 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:24 < sprax> troy- what do you mean?
18:24 < Bushmills> more an issue of windows connection sharing, me seems
18:25 < krzie> he means he has a machine on the same lan as the client which he wants to access the VPN
18:25 < troy-> sprax, Cisco IP phone [ethernet] -> [ethernet] windows client [VPN] -> [VPN] linux server
18:25 < krzie> Bushmills, nah... no ICS needed since windows is the client and not server
18:25 < troy-> the phone and windows client are directly connected via an ethernet cable
18:25 < reiffert> krzie: sure sure. why not?
18:26 < krzie> because it doesnt need to be NAT'ed on the client side
18:26 < krzie> only on the server side if the vpn is its default gateway to the inet
18:26 < reiffert> right, just routing.
18:26 < krzie> ICS is the windows term for NAT
18:27 < sprax> troy- sorry man, I lost track of whats going on. No worries, I think I found what I need. It may not be the best solution in the world, but it's going to be one scope to rule them all, and for a couple of PCs I'm not too worried about it.
18:27 < sprax> Thanks to everyone!
18:27 < troy-> np
18:27 < Bushmills> probably depends on whether the other machine sits on the same network/interface as the vpn link does
18:30 < Bushmills> or you're doing a better job at second-guessing the actual intentions :D
18:31 < reiffert> gn8
18:32 < krzie> nah, that would be for ip forwarding bush
18:32 < krzie> it wouldnt need ICS to reach the vpn through the client
18:33 < krzie> just ip forwarding
18:33 < krzie> regardless of intentions
18:33 < troy-> krzie, i bridged the virtual and physical adapter on my windows client and added "dev tap & dev-node tap-bridge"
18:33 < troy-> to the config
18:34 < troy-> should my ethernet interface have an IP address now?
18:34 < krzie> oh you're bridging, i wont be of much help with that
18:34 < krzie> i would do it with routing
18:34 < troy-> well whats the best solution?
18:34 < krzie> i already said everything
18:34 < troy-> hmmm
18:35 < troy-> is it possible to route traffic from the virtual tun interface to the physical interface?
18:35 < troy-> without a bridge
18:35 < krzie> what do you mean... like is it possible to access a machine behind the client over the vpn and vice versa?
18:35 < troy-> correct
18:36 < krzie> yes, which i thought i said
18:36 < troy-> okay
18:36 < krzie> okay but is what i want doable?
18:36 < krzie> absolutely, and its in the topic where it says:
18:36 < krzie> "lans behind openvpn? see !route "
18:36 < krzie> !route
18:36 < troy-> !route
18:36 < vpnHelper> troy-: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:37 < krzie> basically it boils down to an iroute and !winipforward
18:37 < troy-> !winipforward
18:37 < vpnHelper> troy-: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:37 < krzie> will the voip phone be using the vpn endpoint as its pbx
18:37 < krzie> ?
18:37 < troy-> yes
18:37 < krzie> ya, simple then really
18:38 < krzie> the server gets a route entry for the phone
18:38 < krzie> a ccd in server for the client gets an iroute
18:38 < krzie> ip forwarding enabled on client machine
18:38 < troy-> alright, so first step is enable forwarding in windows?
18:38 < krzie> ...???
18:38 < krzie> ...profit
18:38 < krzie> doesnt really matter which step is in which order
18:39 < krzie> until ??? and profit
18:39 < krzie> those are always the last 2 ;]
18:41 < troy-> alrite enabled that
18:50 < troy-> krzie, since the phone and windows client are directly connected do i make the default gateways each other?
19:00 -!- troy__ [n=doc@216.185.67.154] has joined ##openvpn
19:00 -!- troy- [n=doc@216.185.67.154] has quit [Read error: 54 (Connection reset by peer)]
19:05 -!- troy__ is now known as troy-
19:06 -!- rotty` [n=user@83-215-154-5.hage.dyn.salzburg-online.at] has quit [Remote closed the connection]
19:09 < krzie> troy, the voip phone can just use the win machine as default gateway
19:09 < krzie> the windows machine does not require a change to that
19:26 -!- albech [n=albech@119.42.76.61] has quit [Read error: 104 (Connection reset by peer)]
19:37 < krzie> !ask
19:37 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
19:49 < krzie> (that wasnt @ anyone here, i just wanted a link from there)
19:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
20:00 -!- jeiworth [n=jeiworth@189.177.136.65] has quit [Read error: 104 (Connection reset by peer)]
20:02 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:19 -!- sprax [n=rob@65.127.188.10] has quit ["changing servers"]
20:30 -!- troy- [n=doc@216.185.67.154] has quit [Read error: 110 (Connection timed out)]
21:15 -!- qknight [n=joachim@serverkommune.de] has quit [Read error: 60 (Operation timed out)]
21:15 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn
21:16 -!- gebura [n=nnnnnnnn@lescigales.org] has quit ["Getting off stoned server - dircproxy 1.2.0"]
21:17 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:18 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:19 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:20 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:21 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:22 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:24 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:25 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:26 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:27 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:28 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:29 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:30 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:31 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:32 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:34 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:36 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:37 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:38 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:39 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:40 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:42 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:44 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:45 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:46 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:47 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:48 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:50 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:51 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
22:08 -!- zrin [n=chatzill@chello062178201205.6.15.tuwien.teleweb.at] has joined ##openvpn
22:10 < zrin> I'd like to connect an otherwise unused local NIC (eth1) as a virtual NIC in a remote machine - is it possible for openvpn to use the local nic directly or is it necessary to create a local bridge
22:24 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
22:33 < zrin> Is it possible to configure simple p2p bridge with a static key? I'm looking for a configuration which would use an otherwise unused local NIC as a virtual NIC in a single remote machine.
22:53 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
22:55 < Vesayth> Hello! Is there anyone here who could possibly guide me in setting up a vpn server on my box? I'm running Ubuntu 8.10 64-bit. I've tried reading the guides that are out there but I think I'm just totally lost at this point.
22:55 < Vesayth> These guides appear to assume that I'm using my desktop as my network's router, whereas I'm using a Linksys router with DD-WRT firmware
23:23 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
23:30 -!- Dougy_ [i=doug@64-18-144-18.ip.bergenhosting.com] has quit [Read error: 60 (Operation timed out)]
23:31 -!- Dougy [i=doug@64.18.144.18] has joined ##openvpn
--- Day changed Sat May 16 2009
00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:02 < Alagar> good morning all
00:10 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:46 -!- master_of_master [i=master_o@p549D31B2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D39CF.dip.t-dialin.net] has joined ##openvpn
02:37 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:49 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
02:55 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
02:57 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has joined ##openvpn
02:57 -!- albech [n=albech@119.42.76.61] has quit [Read error: 54 (Connection reset by peer)]
03:08 -!- silents [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
03:09 < silents> Hello! Is there anyone here that can assist me in setting up a VPN server on Ubuntu 8.10 64-bit?
03:10 -!- silents [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
03:16 -!- Tatster [n=tatster@94-193-48-42.zone7.bethere.co.uk] has quit []
03:16 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
03:28 -!- alaif [n=alaif@dejvice.peering.junix.cz] has joined ##openvpn
03:35 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
03:35 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
04:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:28 -!- alaif [n=alaif@dejvice.peering.junix.cz] has left ##openvpn []
04:33 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn
04:35 -!- plaerzen [n=carpe@66.11.76.242] has quit [Read error: 110 (Connection timed out)]
05:22 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
05:23 -!- albech [n=albech@124.157.237.211] has joined ##openvpn
05:40 < APTX|> !topology
05:40 < vpnHelper> APTX|: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:45 -!- albech [n=albech@124.157.237.211] has quit [Read error: 110 (Connection timed out)]
05:45 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
06:00 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
06:16 -!- albech [n=albech@124.157.239.149] has joined ##openvpn
06:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:25 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
07:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:44 -!- BasketCase_EEE [n=kmk@140.207.27.24.cfl.res.rr.com] has joined ##openvpn
07:44 < BasketCase_EEE> anyone run NFS over OpenVPN over the internet? works but wondering if anyone already worked out optimal settings.
07:53 -!- albech [n=albech@124.157.239.149] has quit [Read error: 110 (Connection timed out)]
07:54 -!- zrin [n=chatzill@chello062178201205.6.15.tuwien.teleweb.at] has quit [Remote closed the connection]
07:55 < BasketCase_EEE> I appear to be doing about 160KB/sec
08:02 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
08:16 -!- c64zottel [n=hans@p5B17B6C6.dip0.t-ipconnect.de] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B17B6C6.dip0.t-ipconnect.de] has quit ["Leaving."]
08:49 < reiffert> nfs via tcp or udp?
08:49 < reiffert> openvpn proto udp or tcp?
08:51 < BasketCase_EEE> I was trying it with openvpn tcp and nfs udp
08:51 < BasketCase_EEE> but my real question is if anyone has worked out what the best settings are
08:51 < reiffert> Sounds sane. You might wanna try upside down
08:52 < BasketCase_EEE> I just turned on comp-lzo. not sure why I didn't have that before
08:52 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
08:52 < reiffert> Client/Server directly connected via switch/media Gbit Link?
08:53 < BasketCase_EEE> the server end is gig-e. the client end is coffee shop wifi
08:54 < BasketCase_EEE> I get 210KB/sec with http, 180KB/sec with http over vpn, and 160KB/sec with nfs over vpn
08:55 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
09:06 < reiffert> BasketCase_EEE: would you please connect server and client via a cable to switch of media dependent influences (wifi), just for some testing.
09:07 < reiffert> s,of,off,
09:10 < BasketCase_EEE> NFS works nice and fast when I am at home and connected that way or through my wifi
09:10 < BasketCase_EEE> I don't have actual benchmarks but it is fast enough
09:11 < BasketCase_EEE> I just want to be able to optimize for a slower connection for when I am not at home
09:22 < reiffert> see, wifi is not a reliable media when it comes to bandwidth.
09:23 < BasketCase_EEE> I know. neither is the internet
09:24 < BasketCase_EEE> but if I was on my LAN I wouldn't need a VPN :P
09:25 -!- albech_ [n=albech@58.147.47.215] has joined ##openvpn
09:25 < reiffert> it would give you upper limits, that is you know about the optimization maximum.
09:26 < BasketCase_EEE> I just hoped to find someone who had tried the multitude of NFS setting to find the optimal balance for what I am doing.
09:28 < reiffert> try to get some bandwidth values for your wifi first.
09:29 < BasketCase_EEE> that would mostly depend on where I am but I believe the bottleneck right now is the upload speed of my cable modem which is capping me at about 210KB/sec
09:30 < BasketCase_EEE> that is pretty much the same speed I get from work without involving wifi
09:30 < reiffert> so 160KB/s look almost perfect then.
09:30 < BasketCase_EEE> 160 is a lot lower than 210
09:30 < reiffert> it's not.
09:32 < reiffert> try to get some ethernet statistics and have a look on fragmentation of your udp packets.
09:33 < reiffert> fragmentation in the tcp containers.
09:34 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
09:34 < BasketCase_EEE> yeah, I know how to optimize networking I just hoped someone in here had already done it because it is pretty tedious with NFS
09:35 < reiffert> if you already know how to optimize networking, why dont you just start by now?
09:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:36 < BasketCase_EEE> as I said, I hoped someone had already figured it out and I am working on something else right now
09:39 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
09:40 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
09:50 < Bushmills> a friend of mine has done so, and got an impressive gain of transfer speed
10:09 -!- Dougy [i=doug@64.18.144.18] has quit [Remote closed the connection]
11:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:04 -!- xororand [n=xororand@unaffiliated/xororand] has quit []
11:10 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
11:23 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
11:54 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:00 -!- tjz [n=tjz@bb116-15-40-199.singnet.com.sg] has quit [Connection timed out]
12:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
12:55 -!- BasketCase_EEE [n=kmk@140.207.27.24.cfl.res.rr.com] has quit ["Client exiting"]
12:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:39 -!- Kevin` [n=kevin@rrcs-67-52-47-69.west.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
13:41 -!- tjz [n=tjz@bb116-15-73-8.singnet.com.sg] has joined ##openvpn
14:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:25 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:43 -!- BasketCase_EEE [n=kmk@asylum.sanitarium.net] has joined ##openvpn
15:10 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
15:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:12 -!- troy__ is now known as troy-
16:38 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
16:38 < Vesayth> Hello! Is there anyone who can assist me in setting up an OpenVPN server on Ubuntu 8.10?
16:38 < krzie> what problem are you having...
16:38 < Vesayth> I've followed all the guides, and on some i have been able to connect with the client but I can't access anything on the network
16:39 < troy-> hello krzie
16:39 < krzie> by network you mean LAN or internet?
16:39 < krzie> sup troy
16:39 < Vesayth> LAN
16:39 < krzie> network behind the client?
16:39 < krzie> or behind the server
16:39 < Vesayth> For instance, I have a samba file server on this machine as well, and I want to be able to access it from outside of my local network
16:40 < troy-> krzie, messing with voip
16:40 < Vesayth> My machine is behind a Linksys router with DD-WRT firmware
16:40 < krzie> network behind the client?
16:40 < krzie> or behind the server
16:41 < Vesayth> let me start over, I want to be able to use my client machine (say, at my college campus)
16:41 < Vesayth> to be able to vpn in to my home network, and access the machines on it
16:41 < krzie> so the LAN is behind the server
16:41 < krzie> right...?
16:41 < Vesayth> yes
16:42 < krzie> ok, you using server config option in your config?
16:42 < Vesayth> I've used probably about 20 different configs floating around on guides, but they were all server configs yes
16:43 < krzie> just push a route
16:43 < krzie> whats the lan subnet behind the server?
16:44 < Vesayth> I think that's the part where I may be messing things up ^^
16:44 < Vesayth> My gateway is 192.168.1.1, and my server's local ip is 192.168.1.1
16:44 < Vesayth> subnet mask is 255.255.255.0
16:44 < Vesayth> err sorry
16:44 < krzie> you should change the subnet
16:44 < Vesayth> server local ip is 192.168.1.50
16:45 < krzie> with 192.168.1.x you cant use the lan from any network with that same very very common subnet
16:45 < Vesayth> in my config file I am using this line
16:45 < Vesayth> server 10.8.0.0 255.255.255.0
16:46 < krzie> right
16:46 < krzie> with 192.168.1.x you cant use the lan from any network with that same
16:46 < krzie> very very common subnet
16:46 < krzie> the client cant add a route to the lan behind the server if it already has a route for that for the lan its on
16:46 < krzie> and if it could it would get knocked offline
16:47 < Vesayth> So you're saying change the subnet on the router and not in the config file?
16:47 < krzie> but for the sake of answering the question now instead of waiting for you to fix that...
16:47 < krzie> push "route 192.168.1.0 255.255.255.0"
16:47 < krzie> yes, that is what im saying
16:47 < krzie> change your whole network to be on an uncommon LAN
16:48 < Vesayth> alright, give me a few moments to do that, thanks for your help thus far ^^
16:48 < krzie> yw
16:48 < Vesayth> should i change it to that 10.8.0.0 subnet?
16:49 < krzie> absolutely not
16:49 < krzie> just something less used
16:49 < krzie> like 192.168.74.x or something
16:50 < krzie> it must not be something that conflicts with a lan the client will or may connect from, it must also not be = to the VPN network
16:52 < krzie> then you tell the server to push a route to its lan to clients
16:53 -!- Vesayth1 [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
16:53 < Vesayth1> Alright I changed it to 192.168.10.
16:53 < Vesayth1> .0*
16:53 < Vesayth1> will that work?
16:54 < krzie> you tell me, i told you what you needed
16:54 < krzie> how could i know what lans you'll see
16:54 < krzie> i know seeing .1.x and .0.x is damn near guaranteed
16:55 < Vesayth1> ok, well assuming I use 192.168.10.0 (192.168.10.1 is my gateway)
16:55 < Vesayth1> I should push "route 192.168.10.0 255.255.255.0" correct?
16:55 < krzie> yes
16:56 < Vesayth1> awesome, I will see what I can do with this setup, thanks again
16:56 -!- Vesayth1 [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
17:06 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
17:11 -!- alami [n=up@unaffiliated/alami] has joined ##openvpn
18:58 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has joined ##openvpn
19:00 < Vesayth> Hello all. I finally got my VPN setup working (thanks krzie). I have one more small thing I want to do. Is it possible to access the samba server through the vpn using the Samba's netbios name? In other words, if I want to map a network drive, I want to be able to use \\servername\share instead of \\serverip\share
19:21 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
19:28 < krzie> yes
19:28 < krzie> you need a WINS server
19:28 < krzie> then the machine connecting needs to know to be using that WINS server (which can also be pushed to the client)
19:28 < krzie> !wins
19:28 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
19:28 < Vesayth> I have a wins server
19:29 < krzie> cool, use it ;]
19:29 < Vesayth> If I'm connecting the machine to my network at home (without the vpn) the netbios name resolves as normal
19:29 < Vesayth> it's just not doing it with this vpn connection ^^
19:29 < krzie> because the client machine isnt using the wins server when connecting from remote
19:29 < krzie> its a dhcp-option
19:29 < krzie> !man
19:29 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:30 < Vesayth> I'll look into it! thanks ^^
19:30 < krzie> --dhcp-option
19:33 < krzie> yw =]
19:34 < alami> krzie: any way to connect with pptp vpn server with openvpn?
19:34 < krzie> !notcompat
19:34 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
19:35 < alami> allright, thanks
19:35 < krzie> np
19:36 < alami> the manual in the man page is too big, can i have any small guide to configure openvpn?
19:37 < krzie> its big because theres a lot to it
19:37 < krzie> !sample
19:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
19:37 < krzie> for a very basic setup that should work out
19:37 < alami> thanks
19:39 < krzie> np
19:39 < krzie> !man
19:39 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:39 < krzie> i recommend reading about each of those options
19:41 -!- Vesayth [n=vesayth@67.23.119.70.cfl.res.rr.com] has left ##openvpn []
20:08 -!- mRCUTEO [n=IRCLUNAT@118.100.168.105] has joined ##openvpn
20:17 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:26 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
20:35 -!- troy- [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
20:43 -!- mRCUTEO [n=IRCLUNAT@118.100.168.105] has quit [Read error: 110 (Connection timed out)]
20:47 -!- albech_ [n=albech@58.147.47.215] has quit [Remote closed the connection]
20:53 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
20:53 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
22:06 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
22:43 -!- BasketCase_EEE [n=kmk@asylum.sanitarium.net] has left ##openvpn ["Client exiting"]
22:51 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
22:52 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
23:13 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
23:31 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
23:39 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:39 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:45 -!- albech [n=albech@58.147.47.215] has joined ##openvpn
--- Day changed Sun May 17 2009
00:19 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
00:20 < Digital7> If I create an OpenVPN server in Linux, do all of the client machines need to have OpenVPN installed, or can they simply use the built-in Windows VPN connection client?
00:29 < Digital7> Anyone?
00:35 -!- Digital71 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
00:38 -!- floyd_n_milan_ is now known as floyd_n_milan
00:52 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has quit [Read error: 110 (Connection timed out)]
01:00 -!- Digital71 [n=Owner@207-119-9-196.dyn.centurytel.net] has quit [Read error: 110 (Connection timed out)]
01:13 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
01:39 -!- ddpd2 [n=ddpd2@211.208.147.205] has joined ##openvpn
01:39 < ddpd2> !howto
01:39 < vpnHelper> ddpd2: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:39 < ddpd2> Hi folks!
01:40 < ddpd2> Anyone here familiar with installing/configuring an OpenVPN server on OSX?
01:46 < ddpd2> Most specifically, configuring those darn certificate files. I just can't for the life find a way to configure these suckers
01:47 -!- master_of_master [i=master_o@p549D39CF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D394E.dip.t-dialin.net] has joined ##openvpn
02:07 -!- ddpd2 [n=ddpd2@211.208.147.205] has quit [Read error: 110 (Connection timed out)]
03:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:42 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
03:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
03:45 -!- gallatin [n=gallatin@dslb-092-073-113-033.pools.arcor-ip.net] has joined ##OpenVPN
03:47 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
04:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
04:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
05:25 -!- gallatin [n=gallatin@dslb-092-073-113-033.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
05:55 -!- simontwo [n=simon@cl-79.cph-01.dk.sixxs.net] has joined ##openvpn
05:57 < simontwo> hi. I get the error SIOCADDRT: File exists
05:58 < reiffert> means you try to add a route that already exists.
05:59 < simontwo> I had my LAN on 192.168.2.0/24, but I just moved that to .3. maybe my Linux is caching that?
05:59 < theDoc> Maybe:)
06:00 < simontwo> I restarted the box, though. hrm, *digs on*
06:01 < reiffert> bullshit.
06:02 < simontwo> huh?
06:06 < simontwo> $ route | grep 192.168.2
06:06 < simontwo> 192.168.2.5 * 255.255.255.255 UH 0 0 0 tun0
06:06 < simontwo> 192.168.2.0 192.168.2.5 255.255.255.0 UG 0 0 0 tun0
06:44 -!- simontwo [n=simon@cl-79.cph-01.dk.sixxs.net] has quit ["If there's one thing you can say about mankind, there's nothing kind about man."]
06:57 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
07:01 -!- albech [n=albech@58.147.47.215] has quit ["Leaving"]
07:27 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has joined ##openvpn
07:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
08:02 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:03 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
08:21 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
08:22 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
09:14 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:36 -!- eightfold [n=qwerty@85.249.223.23] has joined ##openvpn
09:37 < eightfold> is it possible to only go through a vpn in certain programs (like a traditional socks proxy), or is it always system wide. this is in windows xp, but also on os x.
09:37 < eightfold> ?
09:48 < reiffert> openvpn creates an interface. Normal firewalling and routing rules apply.
10:07 < Bushmills> means, if you can direct some traffic to one, and other to another ip address, some can go through openvpn, and some won't
10:09 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
10:10 < Bushmills> there isn't never a time for not no coffee
10:10 < reiffert> :)
10:20 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
10:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)]
10:25 < Bushmills> bots flying like dice
10:25 < Bushmills> ehm
10:26 < Bushmills> dying like flies
10:36 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
10:42 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Read error: 60 (Operation timed out)]
10:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
11:52 -!- alami_ [n=up@p57A7595E.dip.t-dialin.net] has joined ##openvpn
11:52 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has joined ##openvpn
11:52 < Digital7> If I create an OpenVPN server in Linux, do all of the client machines need to have OpenVPN installed, or can they simply use the built-in Windows VPN connection client?
11:58 < reiffert> OpenVPN requires OpenVPN.
12:03 -!- alami [n=up@unaffiliated/alami] has quit [Read error: 110 (Connection timed out)]
12:08 < Digital7> reiffert: thanks
12:14 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
12:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:15 -!- troy__ [i=troy-wht@72.37.245.28] has joined ##openvpn
12:16 < Bushmills> Digital7, they don't need all openvpn installed
12:17 < Bushmills> one openvpn client machine on your local net which serves as gateway to a remote openvpn server would work..
12:29 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
12:39 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
12:42 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:43 -!- troy__ is now known as troy-
13:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:23 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has joined ##openvpn
13:43 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
13:51 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has joined ##openvpn
13:54 < Digital7> Bushmills: interesting concept -- do you mean by sharing that network?
13:55 < pekster> Sure. You can have any system on a network act as a gateway to another network (or networks) by establishing a VPN and then having clients route through that local host
13:56 < Bushmills> i mean, on a gateway which sits on your LAN, and can be accessed by your local machines. what do you mean by "sharing"?
13:56 < pekster> It doesn't even need to be the gateway :)
13:56 < Bushmills> as gateway to vpn.
13:57 < pekster> Ah, yes, in that sense it is a gateway, but it could be different from the network's default gateway if it was desirable
13:57 < Bushmills> agree, you can have multiple gateways
13:57 < pekster> The advantage there is that you only need 1 VPN tunnel and can offer network access to any client machines set up with a route to that VPN gateway
14:14 -!- rio [n=rio@eta-ori.net] has joined ##openvpn
14:15 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
14:17 < rio> hi, my client and server configs are http://gist.github.com/113118 http://gist.github.com/113119 - my client gets some weird routes: http://gist.github.com/113122
14:17 < rio> what is this .5-address?
14:18 < reiffert> !net30
14:19 < rio> the .5 doesn't respond to pings
14:19 < x29a> is some bot supposed to jump in on the net30 trigger?
14:20 < pekster> .5 won't respond to pings; it's part of a /30 subnet allocated for tun setups (that aren't using the "--topology subnet" directive) to maintain compatibility for Windows & *nix clients without newer ifconfig support
14:21 < pekster> .6 won't respond to pings either, but .1 will, which is the "real" IP of the VPN peer
14:21 < reiffert> x29a: the bot is called vpnhelper, and it looks like it's gone. On the other hand pekster acts as a replacement.
14:21 < rio> .6 is me, that responds of course
14:21 < pekster> If all your clients are going to be OpenVPN 2.1 series clients you might consider using the subnet topology since you don't waste a /30 for each connecting client
14:22 < pekster> (and the server, of course)
14:22 < rio> okay, now .1 responds fine, it wasn't responding, so it works now, thanks :)
14:22 < pekster> Of course, if you have the IP space to waste it really doesn't matter :P
14:23 -!- c64zottel [n=hans@p5B17B879.dip0.t-ipconnect.de] has quit ["Leaving."]
14:32 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
14:33 -!- Eragon [n=unix3@201.199.62.74] has joined ##openvpn
14:34 < Eragon> Hello.. I have set up a vpnserver, and a VPN client with redirect-gateway. It works perfectly.. however when I try to browse the neighbor servers in the /24 network of my openvpnserver....... it seems packets get lost.. anybody know why?
14:35 < pekster> Eragon: What type of browsing are we talking about? Is this Windows file-sharing, aka NBNS or CIFS/SMB?
14:36 < Eragon> Sorry for not being specific, no filesharing. No windows specific protocols.. just a plain ping would fail
14:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:38 < pekster> Eragon: For packets to make it to the remote network and back you'll need a few things. 1) A route pushed to VPN clients for the remote network via the VPN server. 2) A return-route on the destination system on the remote network so the packets from VPN clients can be routed back. 3) All involved routers to be routing the traffic and have firewall rules to allow it
14:38 < pekster> In place of #2 you could also SNAT the packets from VPN clients on the LAN IP of the VPN peer on your remote network if setting up bi-directional routing is not desirable
14:40 < Eragon> I have #1 and #2.. everything works.. just that i can't send packets to the openvpnserver's /24 public network
14:42 < pekster> Try tracing the flow of the packets then. If you tcpdump on the target system do you see the ICMP request? And then check for a reply and see if it's sent, and so on
14:46 < Eragon> pekster, I'll do that... its the first time i use tcpdump.. is there a more practical way of filtering from a specific IP?
14:46 < Eragon> too much data
14:46 < pekster> If you want to check pings, try 'tcpdump -i $your_interface icmp'
14:48 -!- Gnoxter1 [n=gnoxter@252-236-dsl.kielnet.net] has joined ##openvpn
14:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
14:50 -!- rio [n=rio@eta-ori.net] has left ##openvpn []
14:53 < Eragon> pekster, hmm... it seems that tcpdump doesn't register any ICMP packets when I ping a neighbor
14:53 < Eragon> when i ping yahoo it does though, or anything else
14:53 < pekster> Let's back up a step here. By "neighbor" are you referring to another host on the public Internet side of the vpn server?
14:54 < pekster> Or the private LAN side?
14:55 < Eragon> public side of the internet of the vpn server
14:55 < Eragon> if i do a traceroute to a neighbor, it says the packet reaches the endpoint (10.0.1.1) but then it's lost
14:55 < pekster> You'll need to NAT the packets to the public IP of the vpn server then, so ensure the rules are set up to do that from the VPN interface and/or IP range
14:56 < Eragon> yup, this is what i have:
14:56 < pekster> You might also consider using a proxy instead of redirect-gateway if it meets your needs since that's a bit simpler
14:56 < pekster> Well, simpler in the sense that not all traffic goes to the VPN server, only traffic configured to use the proxy
14:57 < Eragon> nat on re0 inet from 10.0.1.0/24 to any -> 78.46.79.226
14:57 < Eragon> for now I'd prefer to set this up correctly.. :)
14:57 < Eragon> i think the problem is exactly on that line hmm
14:57 < pekster> Are you also allowing the forwarded traffic in the firewall? (ipf, or whatever you're using)
14:58 < pekster> That line looks correct (with my rather limited knowledge of ipnat) assuming re0 is your public interface
14:58 < Eragon> correct
14:58 < Eragon> hmm
14:59 < pekster> If you dump packets on re0 (again, probably just icmp packets) do you see the request for google but not for the neighbor?
14:59 < Eragon> pekster, exactly
14:59 < pekster> Sounds like a firewall issue to me
14:59 -!- Gnoxter1 [n=gnoxter@252-236-dsl.kielnet.net] has left ##openvpn ["Leaving."]
14:59 < pekster> What about dumping on the tun interface?
14:59 < pekster> (on the server)
14:59 < Eragon> good point, let me see
15:01 < Eragon> 22:02:10.680601 10.0.1.10 > 78.46.79.230: icmp: echo request
15:01 < Eragon> 22:02:10.680616 10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.211 unreachable
15:01 < Eragon> that's the prob..
15:02 < pekster> The client should have displayed that message, assuming the client firewall (the one sending the pings) is improperly blocking that
15:02 < pekster> It's a rather important message :)
15:02 < pekster> isn't improperly blocking, that is
15:02 < Eragon> yeah, again if i ping anything else in the world.. 22:02:10.680601 10.0.1.10 > 78.46.79.230: icmp: echo request
15:02 < Eragon> 22:02:10.680616 10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.230 unreachable
15:03 < Eragon> err
15:03 < Eragon> 22:03:47.671673 10.0.1.10 > 143.166.224.244: icmp: echo request
15:03 < Eragon> 22:03:47.821372 143.166.224.244 > 10.0.1.10: icmp: echo reply (DF) [tos 0x20]
15:03 < Eragon> goes fine
15:03 < Eragon> so yes, something in the firewall
15:03 < Eragon> i just don't know what
15:03 < pekster> That host-unreach message could mean that the host in question is offline and not responding to the ARP request since it's on the same subnet as your vpnserver
15:04 < Eragon> its online
15:04 < pekster> You can ping that same IP from the vpnserver directly?
15:04 < Eragon> double checking..
15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:05 < Eragon> woah..!! i cannot
15:05 < pekster> So the host really is offline
15:05 < Eragon> offline to its neighbor..
15:05 < Eragon> but for me from a remote location it isn't
15:05 < Eragon> :)
15:07 < Eragon> so the problem is not on the openvpnserver/client.. its actually a firewall in the neighbots
15:07 < Eragon> neighbors
15:08 < Eragon> pekster, thank you for your kind help
15:09 < pekster> host-unreachable usually means that the last-hop router (ie: your vpn server) couldn't get an ARP reply from the host. Given that your server is on the same public-IP subnet, that probably shouldn't be happening if the host is really up, but at any rate it's not an OpenVPN problem
15:09 < pekster> Sure
15:09 < pekster> For clarification, I base my above statement on the fact that the host-unreach reply came from the vpn server's IP, not the host in question
15:13 < reiffert> !firewall
15:14 < Eragon> pekster, you mean from the vpnserver gateway
15:15 < Eragon> or router
15:15 < Eragon> :)
15:15 < pekster> The vpn server. The line '10.0.1.1 > 10.0.1.10: icmp: host 78.46.79.230 unreachable' shows that 10.0.1.1 was unable to contact the specified host
15:16 < pekster> Technically a firewall on that box could also have sent a host-unreach reply, but you would have had to request that behavior and would probably remember doing so
15:16 < pekster> (it would be rather broken to do that in any normal configuration)
15:17 < Bushmills> pekster, was the specified host 10.0.1.10 or 78.46.79.230?
15:19 < Bushmills> also note that hetzner (your host) sets up a netmask of 255.255.255.255, not 255.255.255.0
15:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:20 < pekster> Specified host? He (or so I presume from the nick) is trying to ping the .230 address from the 10.0.1.10 VPN client
15:22 < Bushmills> do, on the vpn server machine, ifconfig eth0, and look for Mask
15:23 < pekster> It's re0 for the public side
15:24 < pekster> And the public netmask cannot be /32 because that would imply no routing access :). He can get to google, so it's a /30 at the very least
15:24 < Bushmills> freebsd?
15:24 < pekster> (if an ISP issued /30's to customers they ought to be shot as well)
15:24 < pekster> Some BSD I presume given re0 and the use of ipnat
15:25 < Bushmills> and it can be /32, with pointtopoint gateway configuration
15:26 < pekster> True, but then it would be highly unlikely to get a host-unreach back
15:26 < Bushmills> anyway, hetzner does not usually provide machines with /24. unless you have changed it, you probably don't have a /24 neighbourhood
15:28 < reiffert> http://www.youtube.com/watch?v=N7IZmRnAo6s
15:31 < Bushmills> reiffert, look at the shadow on the wall, looks like this is not only the result of music
15:32 < Bushmills> starting at about 1:40
15:33 < Bushmills> at 2:15 it becomes very obvious
15:35 -!- Eragon [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
15:38 < reiffert> after all it's the bird that is dancing :)
15:54 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out]
16:09 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn
16:10 -!- xororand [n=xororand@2001:5c0:1501:f900:0:0:0:1] has joined ##openvpn
16:13 < xororand> how can you push IPv6 addresses to the VPN clients? i'm using --server for IPv4.
16:15 < xororand> nevermind. i found http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en
16:30 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [" got rick rolled"]
16:40 -!- brzfw [n=qwerty@c213-89-114-114.bredband.comhem.se] has joined ##openvpn
16:41 -!- brzfw [n=qwerty@c213-89-114-114.bredband.comhem.se] has left ##openvpn []
16:47 -!- eightfold [n=qwerty@85.249.223.23] has quit [Read error: 60 (Operation timed out)]
16:49 < x29a> hey there, i want to use openvpn on a nokia n810 with maemo running. the version is 2.0.1 and it claims it can't find the default gw so it can change it to the one i push. fine. compiling a new version is out of my scope so i want to manually add my routes, how would i get the ip of the server running openvpn? it's not $4 or $5
17:00 -!- x29a [n=x29a@unaffiliated/x29a] has quit ["tiuQ"]
17:22 -!- rio [n=rio@eta-ori.net] has joined ##openvpn
17:23 < rio> using redirect-gateway, openvpn can't find the default route when the route is using dev ppp0
17:23 < rio> is this a known problem?
17:24 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
17:25 < rio> hi
17:25 < x29a> hi
17:29 -!- troy- [i=troy-wht@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
17:29 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)]
17:43 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has joined ##openvpn
17:54 -!- tin0x3cc [n=tin0x3cc@caiqin.tonghua.li] has joined ##openvpn
17:55 < tin0x3cc> hello
17:55 < tin0x3cc> I just set up an openvpn server on a Linode, but once I'm connected to it (using Viscosity on OSX), I get extremely slow transfer speeds. What could be the problem?
17:56 < tin0x3cc> an ssh tunnel gives me 600KB/s throughput, while the ovpn connection painfully reaches a very unstable 90KB/s
17:57 < x29a> tin0x3cc: tun/tap?
17:57 < tin0x3cc> both
17:57 < tin0x3cc> oh sorry
17:57 < tin0x3cc> tun
17:57 < tin0x3cc> but both udp and tcp are slow
17:58 < tin0x3cc> tried a few different ciphers also, which had no effect at all.
17:58 < tin0x3cc> !redirect
18:00 < tin0x3cc> I also played with a few tun settings like tun-mtu, fragment, but that had extremely limited effect
18:00 < tin0x3cc> what could be the problem?
18:02 < x29a> what's the cpu load on your "linode"?
18:04 < tin0x3cc> mostly idle really
18:06 < x29a> hm, dunno
18:06 < x29a> I'm actually new to openvpn and struggling myself
18:07 < tin0x3cc> the setup was pretty simple, really can't understand why the thing is so slow
18:08 < x29a> is the server dropping a lot?
18:08 < x29a> do you have verbose mode on?
18:08 < tin0x3cc> i don't. let me try that
18:14 -!- tin0x3cc [n=tin0x3cc@caiqin.tonghua.li] has left ##openvpn []
18:17 < Bushmills> x29a, you can let a connection script run, which can read the information you seek from environment variables
18:19 < x29a> Bushmills: yeah, that's what I'm doing, I'm using up/down scripts, but the problem is somewhere deeper as it seems
18:19 < x29a> Bushmills: I'm on a ppp0 (umts) connection
18:19 < x29a> research shows that that's a problematic setup
18:20 < Bushmills> x29a, that's ppp up/down scripts? or openvpn client connect scripts?
18:20 < x29a> i can't take the ppp0 default gw and replace it with tun since then the umts is not available and therefore no vpn is there
18:20 < x29a> Bushmills: openvpn
18:20 < x29a> up ./manual-routes.sh
18:20 < x29a> but the connection is over umts which makes a ppp0 device
18:21 < x29a> everything works fine when using wlan0
18:24 < x29a> when not assigning a new default route i can ping within the vpn but traffic goes "the normal way"
18:24 < Bushmills> x29a, did you try redirect-gateway in client config?
18:25 < Bushmills> (assuming you intended to run all your traffic through vpn server)
18:27 < Bushmills> seems more a ppp connection/client configuration problem, which doesn't add the gateway as default route, nothing openvpn specific, right?
18:29 < x29a> Bushmills: yes, but it says it can't find the gateway to replace
18:29 < x29a> Bushmills: no, it works perfectly fine without openvpn
18:30 < Bushmills> does your gateway happen to be 10.64.64.64?
18:30 < x29a> why?
18:30 < Bushmills> mine is, when connecting through umts
18:31 < Bushmills> to compare setups
18:31 < x29a> lemme check
18:31 < x29a> 10.6.6.6
18:31 < x29a> Bushmills: so you are running openvpn through umts?
18:32 < Bushmills> yes
18:32 < x29a> lemme paste my config
18:33 < Bushmills> doing nothing special. just pppd call connectscript for establishing config, and using redirect-gateway on vpn client
18:34 < Bushmills> but otoh, the gateway i use is added to route, as default, when connected
18:34 < x29a> how?
18:35 < Bushmills> using replacedefaultroute in connect script
18:35 < x29a> hm
18:35 < x29a> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
18:35 < Bushmills> i have these in script:
18:35 < Bushmills> replacedefaultroute
18:35 < Bushmills> defaultroute
18:36 < x29a> in your ppp script, right?
18:36 < Bushmills> actually, ppp config, not script. to avoid confusion with the chat script executed on connect
18:37 < Bushmills> in the config in /etc/ppp/peers/
18:38 < x29a> I'm too tired now, thanks for your help, I'll have to investigate later
18:38 < Bushmills> np
18:39 < x29a> i don't get it, it's just openvpn refusing to replace my ppp0 default route properly
18:39 < Bushmills> it sounded as if there wasn't any, therefore nothing to replace
18:39 < x29a> can you paste me your "ip r" or "route -n" whilst connected and in vpn-tunnel?
18:40 < x29a> since it's only a routing issue, so i can compare and maybe set it up manually
18:40 < Bushmills> yes, but another time. right now i'm connected through cable
18:40 < x29a> yeah, I'll be around
18:40 < x29a> so thanks again, take care
18:40 < Bushmills> u2
18:57 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:14 -!- albech [n=albech@119.42.76.61] has quit [Read error: 110 (Connection timed out)]
19:14 -!- troy__ [n=doc@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:14 -!- troy__ [i=troy-fre@72.37.245.28] has joined ##openvpn
19:22 -!- sond [n=sond@203-184-54-221.callplus.net.nz] has joined ##openvpn
19:30 < sond> anyone home ?
19:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
19:40 -!- sond [n=sond@203-184-54-221.callplus.net.nz] has quit ["Leaving"]
19:47 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:47 -!- epaphus [n=unix3@ip29-33-241-190.ct.co.cr] has joined ##openvpn
19:49 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:49 < Dougy> krzie
19:54 < Dougy> there?
20:00 -!- x29a_ [n=x29a@unaffiliated/x29a] has joined ##openvpn
20:06 < Dougy> nop
20:06 < Dougy> no sign of the foo
20:12 -!- epaphus [n=unix3@ip29-33-241-190.ct.co.cr] has quit ["Leaving"]
20:16 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 110 (Connection timed out)]
21:00 < Dougy> blah
21:00 < Dougy> ecrist: you still around ?
21:01 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:39 -!- ylon [n=ylon@rrcs-74-218-223-178.central.biz.rr.com] has joined ##openvpn
21:40 < ylon> just configured openvpn-bridge mode and am running into an error
21:40 < ylon> Cannot load private key file priv/key.pem
21:40 < ylon> ...
21:40 < ylon> Error: private key password verification failed
21:40 < ylon> and then it exits
21:40 < ylon> i need some assistance urgently on this issue if anyone around could advise
21:43 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:43 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:44 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:45 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:46 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:46 < ylon> hello?
21:47 < ylon> the contents of /etc/openvpn/bridge/priv/key.pem seem fine
21:47 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:48 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:49 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:50 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:52 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
21:54 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
21:58 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
21:59 < ylon> anyone?
22:00 < ylon> very desperate here on a timeframe
23:15 -!- Wofl [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn
23:15 < Wofl> hey guys, i am somewhat confused when it comes to ethernet bridging
23:25 -!- ylon [n=ylon@rrcs-74-218-223-178.central.biz.rr.com] has quit []
23:37 -!- albech [n=albech@119.42.76.61] has quit [Read error: 60 (Operation timed out)]
23:51 -!- albech [n=albech@119.42.76.61] has joined ##openvpn
--- Day changed Mon May 18 2009
00:14 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:48 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
00:48 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:14 -!- Wofl [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [Remote closed the connection]
01:31 -!- troy__ [i=troy-fre@72.37.245.28] has quit ["Leaving"]
01:39 -!- endschranz [n=endschra@mail.htl-vil.ac.at] has joined ##openvpn
01:40 < endschranz> Hi, I am using openvpn with a bridged network, can I set two dns servers, one for my home network, one for the other?
01:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- master_of_master [i=master_o@p549D394E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D358C.dip.t-dialin.net] has joined ##openvpn
01:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
01:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
01:52 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
01:59 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
02:03 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
02:12 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:14 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:16 -!- albech [n=albech@119.42.76.61] has quit [Read error: 113 (No route to host)]
02:19 -!- celsiux [n=Nullesd@189.152.145.84] has joined ##openvpn
02:19 -!- celsiux [n=Nullesd@189.152.145.84] has left ##openvpn []
02:34 < Bushmills> endschranz, just the same as if you used a wire instead of openvpn
02:46 < endschranz> Bushmills: ok thx
02:47 < endschranz> is there a tool to quickly revoke a client and add them again later?
02:48 < x29a_> Bushmills: hey there, good morning. could you lead me to understanding the routing layout?
02:48 -!- x29a_ is now known as x29a
02:48 < Bushmills> i could try after a coffee
02:49 < x29a> sure, no rush, I'll be around
02:51 < Bushmills> endschranz, mv client_key somewhere_else_to should do (unless already connected)
02:54 -!- albech [n=albech@119.42.76.165] has joined ##openvpn
02:55 < endschranz> Bushmills: trying
02:59 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
03:08 -!- alami_ [n=up@unaffiliated/alami] has quit []
03:10 < endschranz> Bushmills, doesn't seem to work
03:12 < Bushmills> what file did you move?
03:12 < endschranz> client.key to somewhere
03:13 < Bushmills> that's the private key, which should only be on the client machine.
03:13 < Bushmills> try moving the associated .pem file
03:14 < Bushmills> #
03:14 < endschranz> is there a system which client is associated to a pem?
03:15 < Bushmills> yes, an index file
03:16 < Bushmills> index.txt in your keys directory (assuming easy-rsa)
03:17 < endschranz> Bushmills: thx works like a charm
03:17 < Bushmills> great
03:17 < endschranz> hm strange i could reconnect
03:18 < Bushmills> not so great
03:18 < endschranz> do i have to restart the daemon?
03:18 < Bushmills> i wouldn't have thought so
03:24 < endschranz> hm strange
03:24 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn
03:26 < endschranz> i removed the pem, the key and the crt
03:26 < endschranz> and i can still connect
03:26 < Bushmills> that's rather surprising
03:26 < mikeage> Are there any known issues using dev tap and a routed (server x.x.x.x) configuration instead of bridged? I'm having a lot of trouble getting routing from my openvpn clients to the internet via the openvpn server....
03:27 < Bushmills> mikeage, http://scarydevilmonastery.net/masq
03:28 < mikeage> bushmills: I did that, but it's not helping. do you have a few minutes?
03:28 < Bushmills> mikeage, nobody knows when his time has come
03:29 < mikeage> lol. can I take that as a yes?
03:29 < Bushmills> just try. if i'm around, i might answer.
03:29 -!- albech [n=albech@119.42.76.165] has quit [Read error: 60 (Operation timed out)]
03:31 < mikeage> ok. I'm trying to set up a VPN between a bunch of random machines floating around on the internet and a server, which is a VPS hosted in the US. My server has one physical interface, eth0, with a public IP address. I'm using a routed config for openvpn, on the 192.168.2.x subnet. Originally, I was using dev tun, but I switched to tap since I found the allocation of a /30 to each machine to be a bit of a headache. My clients can connect to the server just f
03:32 < mikeage> however, I'm trying to forward certain packets (not all traffic) from the clients to its final destination via the openvpn server, using iptables and ip route
03:33 < mikeage> the packets reach the server, and appear to be sent out to the internet, but they don't seem to be returned. furthermore, their source address is not 192.168.2.x, but the actual IP they got in their own subnet (e.g., 192.168.1.100)
03:33 < reiffert> are you using openvpn 2.0.9 or 2.1_r15?
03:33 < Bushmills> "using a routed config" - "Originally, I was using tun" - "switched to tap" sounds a bit like a contradiction to me
03:33 < mikeage> 2.1_r15
03:34 < mikeage> well, I have a line in my config file "server 192.168.2.0 255.255.255.0"
03:34 < reiffert> mikeage: read up the manpage, especially --topology and change that behaviour. After that, switch back to dev tun.
03:34 < mikeage> not server-bridge
03:35 < mikeage> I have no real objection to dev tun, but I found that remembering which IP address (of the 4 on the /30) to use to be somewhat annoying
03:35 < Bushmills> "source address is not 192.168.2.x, but the actual IP they got in their own subnet" indicates the packets are not NATted
03:35 < mikeage> do I need to NAT twice: once from 192.168.1.x to 192.168.2.x, and then once to the public IP?
03:35 < mikeage> s/2.x/2.1/
03:36 < reiffert> mikeage: man page --topology
03:36 < mikeage> ok... if you said it twice, I probably should try :) here goes....
03:36 < Bushmills> "remembering which IP address" that's what DNS is for. or look in ccd or openvpn-status.log
03:37 < Bushmills> moin reiffert
03:37 < reiffert> moin
03:37 < Bushmills> early
03:38 < reiffert> early?
03:38 < mikeage> bushmills -- I wasn't sure how to integrate the ip allocations from openvpn (either dynamic or via ipp) with DHCP, and I figured I'd tackle that one later. in the meantime, I'm going to try the topology options.... subnet looks promising
03:38 < Bushmills> i'm not used to seeing you that early in the morning
03:39 < reiffert> Bushmills: although I'm up from 8 regularly
03:39 < reiffert> mikeage: man page --topology
03:39 < mikeage> thanks for the help; I'll be back
03:39 < Bushmills> mikeage, "DHCP" - use a different subnet for openvpn clients, no need for dhcp or avoiding conflicts with it
03:40 < Bushmills> ah. that's a leftover from bridged config
03:42 < Bushmills> reiffert, do you observe some kind of brain lag that early?
03:43 < reiffert> ?
03:43 -!- albech [n=albech@119.42.76.165] has joined ##openvpn
03:43 < Bushmills> asking, because i do. it's quite funny actually, monitoring that.
03:44 < Bushmills> two separate phases detected so far.
03:44 < Bushmills> first is when words are converted to meaning.
03:46 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
03:47 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Read error: 104 (Connection reset by peer)]
03:51 -!- floyd_n_milan_ is now known as floyd_n_milan
03:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:56 < endschranz> Bushmills: any idea why blocking doesn't work?
03:56 < Bushmills> not really, no.
03:57 < Bushmills> sounds a bit like "i changed the lock but i still can get in"
03:57 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
03:58 < endschranz> :)
03:58 < mazzachre> Will a "Hi/fn 7955" chip help the performance of openvpn?
04:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
04:02 -!- albech [n=albech@119.42.76.165] has quit ["Leaving"]
04:10 -!- mikeage1 [n=mmiller@mikeage.net] has joined ##openvpn
04:10 -!- mikeage [n=mmiller@mikeage.net] has quit [Nick collision from services.]
04:11 -!- mikeage1 is now known as mikeage
04:12 < mazzachre> Anybody who has a clue? As I am about to order some boxes, either with or without these chips... plz!
04:14 < krzee> no clue here
04:14 < krzee> you plan on having a ton of connections?
04:14 < mazzachre> No... probably 2... But on a 500MHz Geode processor
04:18 < Bushmills> mazzachre, openvpn uses ssl. so if ssl supports the 7955 (which it seems it does), so should openvpn
04:18 < krzee> 500mhz is more than fine for 2 clients
04:18 < krzee> and what Bushmills said ;]
04:19 < mazzachre> OK... thx... I will check the load of the machines and add the card if necessary... (only problem is that it is about 12 hours in flight and car to get to one of the boxes...)
04:20 < endschranz> Is there a good method to temporarily revoke a client's crt?
04:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:39 < mikeage> wow... that worked!
04:39 < mikeage> thanks a lot!
04:40 < krzee> endschranz, i believe it's disable in a ccd
04:40 < krzee> something like that
04:40 < krzee> !man
04:40 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
04:40 < endschranz> krzee: trying
04:41 < reiffert> ah, vpnHelper is back
04:41 < krzee> ya the box went down
04:42 < krzee> --disable
04:42 < krzee> Disable a particular client (based on the common name) from connecting. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead (see the --crl-verify option).
04:42 < krzee> This option must be associated with a specific client instance, which means that it must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script.
04:42 < krzee> nice, i was right
04:42 < krzee> !ccd
04:42 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
04:46 < Bushmills> krzee, openvpn config will need reload after changing options in ccd files, i reckon?
04:46 < krzee> negative
04:46 < Bushmills> ok
04:46 < krzee> ccd files are read on client connect
04:47 < Bushmills> " basically included into server.conf" was confusing
04:47 < krzee> could be a lang issue, makes perfect sense to me
04:48 < krzee> I'd ask my girlfriend who is lying by me but her english isn't very good
04:48 < endschranz> krzee: and how to block a client with ccd?
04:49 < krzee> in its ccd entry put the word disable
04:49 < endschranz> --ccd-exclusive ?
04:49 < Bushmills> don't worry. if it was confusing me, that doesn't mean that it will confuse anybody else.
04:49 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:49 < krzee> Bushmills, if you come up with a way to word it better without losing meaning feel free to tell me and I'll switch it
04:50 < krzee> endschranz, i even pasted the man entry
04:50 < endschranz> krzee: sry overread it
04:50 < krzee> -disable
04:50 < krzee> [05:42] Disable a particular client (based on the common name) from connecting. ...
04:50 < krzee> np =]
04:52 < Bushmills> !meta
04:52 < vpnHelper> Bushmills: Error: "meta" is not a valid command.
04:53 < Bushmills> !meta is 'is "is asking a metaquestion a metaquestion?" a metaquestion?'
04:53 < vpnHelper> Bushmills: Error: "meta" is not a valid command.
04:54 < Bushmills> hrmpf
04:54 < endschranz> krzee: thx works like expected
04:54 -!- endschranz [n=endschra@mail.htl-vil.ac.at] has quit []
05:00 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has joined ##openvpn
05:16 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
05:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:04 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has joined ##openvpn
06:04 < tekk> hey guys, i have a quick question, whenever i connect a client to my vpn they are always assigned the same ip, so if i connect 2 clients to the same server, the first one stops working when the second connects
06:04 < tekk> they are both using the same client certificate, is that why?
06:05 < tekk> server 10.1.1.0 255.255.255.0
06:05 < tekk> they all get 10.1.1.6
06:05 < Bushmills> tekk, use different keys/certificate requests
06:06 < Bushmills> create on set for each client
06:06 < Bushmills> one
06:07 < tekk> ok thought so, thanks Bushmills
06:16 < krzee> reiffert, turns out my gigaswitch doesn't suck
06:16 < krzee> i get 60MB/s between my macbook pro and my hackintosh
06:16 < krzee> so i blame the realtek chipset and freebsd 8's support of it
06:30 < tekk> ok, i signed a new client cert using ./build-key client2
06:30 < tekk> but the same problem still exists
06:34 < tekk> hmm, generated another cert once again and problem solved
06:34 < Bushmills> have you moved those to the client?
06:34 < tekk> seems if i generate a cert with the same fields, it has the same value
06:34 < tekk> yea using scp
06:35 < Bushmills> ah, right. the cn "common name" needs to be client specific
06:37 < tekk> ah k
06:37 < tekk> thanks
06:56 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
06:58 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:04 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:05 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:06 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:07 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:08 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:09 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:10 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:11 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:12 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:13 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:14 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
07:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
07:30 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:00 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has quit [Read error: 60 (Operation timed out)]
08:13 < ecrist> good morning, folks.
08:17 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has quit ["Leaving."]
08:22 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
08:23 -!- mazzachre [n=mazzachr@194.152.38.14] has joined ##openvpn
08:54 -!- mikeage [n=mmiller@mikeage.net] has quit [Nick collision from services.]
08:54 -!- mikeage1 [n=mmiller@mikeage.net] has joined ##openvpn
08:54 -!- mikeage1 is now known as mikeage
09:09 < rio> &wc
09:09 < rio> whoops
09:09 -!- rio [n=rio@eta-ori.net] has left ##openvpn []
09:13 -!- jeiworth [n=jeiworth@189.234.36.231] has joined ##openvpn
09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:22 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has joined ##openvpn
09:22 < w00ted> !redirect
09:22 < vpnHelper> w00ted: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:23 < w00ted> !ipforwad
09:23 < vpnHelper> w00ted: Error: "ipforwad" is not a valid command.
09:23 < w00ted> !ipforward
09:23 < vpnHelper> w00ted: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:23 < w00ted> !def1
09:23 < vpnHelper> w00ted: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:23 < mikeage> !nat
09:23 < vpnHelper> mikeage: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
09:24 < mikeage> !linnat
09:24 < vpnHelper> mikeage: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:24 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
09:24 < w00ted>
09:24 < w00ted> hello, a question for the pros openvpn
09:25 < w00ted>
09:25 < w00ted> I openvpn server creates a connection between the client and the server running
09:25 < w00ted> against by my access to internet why?
09:26 < Bushmills> pardon?
09:27 < w00ted> huhu
09:27 < w00ted> speak french ?
09:27 < Bushmills> happen to
09:28 < ecrist> w00ted: are you trying to route internet traffic through your VPN?
09:29 < w00ted>
09:29 < w00ted> ping to the vpn is good
09:29 < w00ted> ping -> vpn is good
09:29 < Bushmills> not a lot of other folks will understand. try english again
09:29 < w00ted> vpn -> client is good
09:29 < mikeage> Does anyone know why I can't forward traffic over my vpn using "ip route" and iptables to mark certain packets? it works just fine if I use "route add ...."
09:30 < mikeage> log at http://pastebin.linode.com/2483 : I was trying to telnet to the remote site (74.125.45.100) on port 80 as a test, which is what the tcpdump shows
09:31 < ecrist> mikeage: what are you trying to forward, and how is it not working?
09:31 < mikeage> all port 80 traffic only
09:31 < mikeage> if I set up a route using route add -host etc, it works just fine
09:32 < mikeage> if I try and mark packets and then use ip route, it doesn't; I see a bunch of packets being sent from the remote site with the SYN flag set, but I don't see any ACK from my site
09:32 < mikeage> I suspect it's a NAT issue, not openvpn, but I'm not sure
09:32 < mikeage> the basic openvpn works just fine; I can access the server from the client w/o any problems
09:33 < ecrist> well, if you do this with policy-routing in the firewall, it should work.
09:33 < mikeage> in the log above, 192.168.2.x is the VPN, and 74.125.45.100 is a random site on the internet (google, actually)
09:33 < ecrist> not sure about all the 'marking' packet stuff
09:33 < mikeage> that's what I'm trying to do
09:33 < mikeage> how else do you do policy routing on linux?
09:33 < ecrist> firewall
09:33 < Bushmills> "can access the server from the client" .. that's no indication for NAT working fine
09:33 < mikeage> bushmills: right; it's an indication that openvpn is
09:34 < Bushmills> true
09:34 < mikeage> ecrist: what do you mean "firewall"?
09:34 < ecrist> um, firewall
09:35 < mikeage> right; firewalls don't just implement policy routing; you need some software... e.g., iptables, iproute2, etc
09:35 -!- albech [n=albech@119.42.76.165] has joined ##openvpn
09:36 < ecrist> not sure what your point is.
09:36 < ecrist> if you're doing it with iptables, it should work
09:36 < ecrist> we do that exact thing with pf here.
09:37 < Bushmills> mikeage, eliminate problem potential. does it NAT without packet marking?
09:37 < mikeage> you suggested I should do policy routing in the firewall.
that's what I'm doing, using iptables and iproute2. but it (or something else) is not working... hence the question.
09:38 < mikeage> on the server, yes. if I use a route designated by route add -host etc, the packet gets sent through the openvpn server to the internet, and responses get back
09:39 < mikeage> I'm _also_ using NAT on the client, though, to make sure that the packets have a source address of 192.168.2.5 (my VPN addr) and not 192.168.1.100 (the address of eth0)
09:39 < Bushmills> how are marking of packets and adding a route related to each other?
09:40 < mikeage> that seemed a little strange, but without it, the packets went out with the wrong source addr, and the openvpn server didn't seem to know what to do with those responses
09:40 < mikeage> the route is dependent on the markings
09:40 < Bushmills> does the vpn server have a route even when you don't add one?
09:41 < mikeage> the vpn routers aren't affected; the route is on the client, to tell it to go via the server, instead of via the default gateway (which is on the local network)
09:42 < Bushmills> describe your problem in a text file, and upload it. there are too many variables seemingly affecting operation and preventing your setup to have the desired outcome
09:44 -!- mazzachre [n=mazzachr@194.152.38.14] has quit [Remote closed the connection]
09:47 < Bushmills> mikeage, my feeling is, your setup is more complicated than needed, and that is biting you now.
09:47 < mikeage> could be; I'm writing up a summary. I'd love to simplify, but I haven't found the right way yet
09:48 -!- mikeage [n=mmiller@mikeage.net] has left ##openvpn ["Leaving."]
09:48 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn
09:50 < Bushmills> for most cases, openvpn can conceptually be replaced by two NICs and a cable. what works with one, works with the other.
09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:54 < mikeage> any suggestions for a good place to put it?
09:55 < Bushmills> http://pastebin.com
09:55 < mikeage> http://pastebin.com/d6f2f04f0
09:56 < mikeage> I actually have to sign off; I'm at work now, and about to leave. I'll try and sign back on when I get home (~ 1 hour). time flies when you're... well... not having fun, but really confused!
09:57 < Bushmills> why do you masquerade on the client?
09:57 < Bushmills> oh sorry. server that is.
09:57 < mikeage> I do both
09:58 < mikeage> without it, the source IPs on the outgoing packets are the local address (when using iproute2)
09:58 < mikeage> and the server doesn't forward them back properly
10:03 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: kala, carpe_
10:04 -!- Netsplit over, joins: carpe_, kala
10:04 < Bushmills> mikeage, "I want to send web (port 80 and 443) traffic from the client to the internet via the openvpn server, but have all other traffic leave the client via the default route" - running a web proxy, such as squid, on the openvpn server machine, and telling your client to use the openvpn server as proxy should simplify that
10:07 < Bushmills> making "If I set up a fixed route to an internet site, I can get to the internet via the vpn" unnecessary
10:09 < Bushmills> and "and just mark the packets intended for port 80, and port 443 (right now I'm just doing 80), and create a route just for them" that too
10:09 < Bushmills> and no NAT on client nor server needed
10:20 -!- mikeage [n=mmiller@mikeage.net] has quit [Remote closed the connection]
10:31 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has joined ##openvpn
10:32 < Wofl__> hey, i got some questions about ethernet bridging
10:33 < ecrist> we got some answers
10:48 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:56 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has joined ##openvpn
11:15 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn
11:21 < mikeage> hi bushmills
11:22 < Bushmills> mikeage, do you have logs?
11:22 < mikeage> what kind of logs?
I have the tcpdump there
11:22 < mikeage> I can create any others, if you think it would help
11:22 < Bushmills> irc logs
11:22 < mikeage> yes
11:23 < Bushmills> ok
11:24 -!- c64zottel [n=hans@p5B17B11C.dip0.t-ipconnect.de] has quit ["Leaving."]
11:27 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:12 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
12:14 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:24 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:54 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
13:06 -!- KaiForce [n=chatzill@adsl-70-228-91-75.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.10/2009042316]"]
13:21 < reiffert> http://www69.wolframalpha.com/input/?i=gang+bang
13:21 < vpnHelper> Title: gang bang - Wolfram|Alpha (at www69.wolframalpha.com)
13:35 < w00ted> iop all
13:35 < w00ted> just question
13:35 < w00ted> warning potential route subnet conflict between local lan 192.168.1.0/255.255.255.0 and remote vpn 192.168.1.0/255.255.255.0 ????
13:36 -!- throughnothing [n=will@74.205.24.229] has joined ##openvpn
13:36 < throughnothing> is there a dhcp.leases file or similar for the dhcp program that openvpn runs to assign ips dynamically to clients?
13:37 < ecrist> there are a couple files
13:37 < ecrist> !ip-order
13:37 < vpnHelper> ecrist: Error: "ip-order" is not a valid command.
13:37 < jeiworth> w00ted: are you by any chance routing and have configured the same ip subnet for the vpn-clients that you are already using in your lan?
13:37 < ecrist> !search factoids ip
13:37 < vpnHelper> ecrist: (search ) -- Searches for in the current configuration variables.
13:37 < ecrist> !search ip
13:37 < vpnHelper> ecrist: supybot.commands.nested.pipeSyntax and supybot.externalIP
13:37 < ecrist> hrm
13:37 < ecrist> throughnothing: ipp, ccd
13:37 < throughnothing> ecrist: ?
13:37 < ecrist> if you're using tap, you can use a regular ol' dhcp, though
13:38 < throughnothing> im using tun
13:38 < ecrist> ok, ipp and ccd files
13:38 < Wofl__> ecrist: sorry, was gone for a while
13:38 < throughnothing> ecrist: sorry, but where are these files?
13:38 < ecrist> w00ted: you have conflicting address spaces, fix it
13:39 < throughnothing> ecrist: nm, thx
13:39 < ecrist> throughnothing: on the server
13:39 < Wofl__> anyways, so i want to bridge eth0 on the server with tap0 and have tap0 then be the vpn interface
13:39 < ecrist> sounds normal.
13:39 < throughnothing> ecrist: hmm, i have an /etc/openvpn/ipp.txt file but it is empty, i see no cdd file
13:39 < throughnothing> *ccd
13:39 < Wofl__> eth0 is configured to 192.168.2.123, vpn will be 10.x.x.x later on
13:40 < ecrist> ok
13:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:40 < Wofl__> when i create the bridge, eth0 loses its configuration, how do i set it all up then?
13:40 < ecrist> that's going to be somewhat based on what OS and kernel you're using
13:40 < ecrist> in FreeBSD, the config doesn't go away
13:41 < ecrist> in Linux, it might.
13:41 < Wofl__> gentoo linux, with 2.6.27
13:41 < ecrist> Wofl__: really, you should have a new bridge0 interface or something, I think, set the IP on that interface.
13:41 < Wofl__> set it to the old ip of the ethernet?
13:41 < ecrist> yep
13:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
13:41 < Wofl__> ok, hold on
13:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:44 < throughnothing> ecrist: any idea why it would be empty?
13:44 < Wofl__> still unable to ping router
13:44 < ecrist> throughnothing: nope, I'm not your VPN admin
13:45 < ecrist> Wofl__: what are you expecting to ping?
13:45 < ecrist> IOW, I've got a car, turned the key, but it won't start. I know it's the right key, though.
13:47 < Wofl__> the router the computer is connected to via ethernet
13:48 < ecrist> you're not explaining, exactly, what you're trying to do.
13:49 < Wofl__> the router is connected to the server, and the server cannot ping the router. i think its the route messed up
13:50 < ecrist> ok, I'd look at the routing table, then. did the eth0 IP get removed at the same time tap0 was removed?
13:51 < ecrist> you're testing the ping from the server, right?
13:51 < ecrist> and when you bridged interfaces, you lost internet connectivity?
13:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
13:52 < Wofl__> yes, when i bridge, i lose the connection
13:52 < Wofl__> right now i am disabling them all, and then i will try to just bring up vr0 and have eth0 come up as a dependency
13:56 < Wofl__> it lists br0 as having the same ip as eth0 did before, but still no connection
13:56 < ecrist> firewall?
13:56 < ecrist> do you have ip_forward enabled?
13:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:59 < Wofl__> ah, got it working now, thanks
13:59 < Wofl__> was a combination of the ip_forward and the messed up route
13:59 < Wofl__> thanks again
13:59 < ecrist> np
14:02 < Wofl__> quick question, if i change something in /proc, how do i make it permanent?
14:06 < Wofl__> ecrist: actually, i still have a little hiccup
14:06 < Wofl__> now if i run /etc/init.d/net.br0 start, the first time it fails, but rerunning makes it work
14:07 < Wofl__> actually, let me ask in gentoo
14:12 < reiffert> Wofl__: /etc/sysctl.conf
14:17 < Wofl__> thanks, just drew a blank...
14:22 -!- jeiworth_ [n=jeiworth@189.177.27.178] has joined ##openvpn
14:23 -!- jeiworth [n=jeiworth@189.234.36.231] has quit [Read error: 110 (Connection timed out)]
14:29 -!- jeiworth_ [n=jeiworth@189.177.27.178] has quit [Read error: 104 (Connection reset by peer)]
14:35 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:43 -!- Wofl__ [n=nils@ip68-97-12-78.ok.ok.cox.net] has quit [" got rick rolled"]
14:48 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
15:00 -!- krzie [i=krzee@unaffiliated/krzee] has joined ##openvpn
15:00 -!- lazarus477 [n=lazarus@81-231-99-230-no47.tbcn.telia.com] has joined ##openvpn
15:00 < lazarus477> Is there an official OpenVPN Web based frontend available?
15:01 < krzie> official? no
15:01 < lazarus477> Ok
15:01 < krzie> i believe there is projects tho
15:02 < lazarus477> krzie: In the past I have managed it over a console but read a rumour of an official web GUI supposed to come soon.
15:02 < krzie> ive heard nothing of the sort
15:02 < krzie> unless thats the thing they sell
15:02 < lazarus477> krzie: I have looked at all the 3rd party ones though.
15:02 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:02 < lazarus477> krzie: I think it is the thing they sell, typically enough.
15:03 < reiffert> I was close on hitting the reply button on the last recent openvpn announcement, asking when he is going to release 2.1
15:03 < reiffert> arguing that vendors and distributors only put 2.0.9 into place for stability reasons ..
15:03 < krzie> not exactly rapidly developed, i agree
15:04 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn
15:04 < reiffert> development is fast, release cycles are not.
15:04 < lazarus477> Well I used OpenVPN for about two and a half years, worked like a dream. Ran it for a customer who loved it.
15:04 < krzie> but then again, it doesnt really require rapid devel
15:05 < krzie> its stable and has much functionality
15:05 < reiffert> lazarus477: check out openvpn web gui, it's the one you see on openvpn.net
15:05 < lazarus477> I once tried it out on a long train trip. Kept me hooked to my home office LAN the entire trip over mobile broadband.
15:05 < reiffert> main page, upper left
15:05 < lazarus477> reiffert: Thank you, I think that is the one I am seeking.
15:05 < krzie> reiffert, damn i never seen that, i guess that means there IS an official web gui
15:05 < krzie> i had no clue
15:05 < reiffert> krzie: guess what, there isnt even a link on openvpn.net to openvpn web gui.
15:06 < lazarus477> reiffert: This one: http://openvpn-web-gui.sourceforge.net/
15:06 < vpnHelper> Title: OpenVPN Web GUI 0.3.x (at openvpn-web-gui.sourceforge.net)
15:06 < reiffert> http://openvpn.net/index.php/documentation/graphical-user-interface.html
15:06 < vpnHelper> Title: Graphical User Interface (at openvpn.net)
15:06 < reiffert> no link to openvpn-web-gui
15:06 < reiffert> lazarus477: correct link, yeah
15:07 < krzie> oh i thought you said there was
15:07 < lazarus477> reiffert: Thanks
15:07 < reiffert> lazarus477: be warned, you will protect your vpn by 128bit htpasswd password.
15:07 < lazarus477> Yea this is the Web-GUI I have been waiting to see 8-)
15:08 < lazarus477> reiffert: What are you warning me about, something bad or something good?
15:08 < reiffert> something really really bad.
15:08 < lazarus477> reiffert: Enlighten me.
15:08 < reiffert> I'd recommend to gain access to 127.0.0.1 only.
15:08 < lazarus477> reiffert: Too low encryption strength?
15:09 < reiffert> yap
15:09 < lazarus477> reiffert: Well firefox over ssh works, hehe.
15:09 < lazarus477> reiffert: Gotcha
15:09 < krzie> openvpn has very very strong encryption options
15:09 < reiffert> krzie: but openvpn web gui doesnt.
15:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:09 < krzie> by running a web interface protected only by htpasswd means you compromise that
15:09 < reiffert> krzie: means, gain access to web gui == gain access to network
15:09 < krzie> weakest link scenario
15:09 < krzie> reiffert i know im agreeing with you
15:10 < krzie> i also agree 127.0.0.1 access for gui
15:10 < lazarus477> reiffert: I get the point, thanks for pointing it out to me.
15:10 < krzie> (only)
15:10 < krzie> reiffert: Well firefox over ssh works, hehe.
15:10 < krzie> you arent configuring sshd by web ui
15:11 < krzie> just connecting to it, very different
15:11 < reiffert> firefox over ssh works but sucks due to bandwidth reasons. Be sure to keep it that way over a long period.
15:11 < lazarus477> krzie: I meant I can ssh to the openvpn server and run a remote firefox session.
15:11 < lazarus477> I am all about headless setups.
15:12 < krzie> ok
15:12 < krzie> i just script anything i need
15:12 < krzie> no reason for a web-ui for me
15:12 < reiffert> same for me.
15:12 < lazarus477> krzie: Script me a cup of coffee, please :-)
15:12 < krzie> sure, install netbsd on your coffee machine and gimme root
15:12 < reiffert> __ __ __
15:12 < reiffert> ___ _ _ _ __ ___ / _| ___ ___ / _|/ _| ___ ___
15:12 < reiffert> / __| | | | '_ \ / _ \| |_ / __/ _ \| |_| |_ / _ \/ _ \
15:12 < reiffert> | (__| |_| | |_) | | (_) | _| | (_| (_) | _| _| __/ __/
15:12 < reiffert> \___|\__,_| .__/ \___/|_| \___\___/|_| |_| \___|\___|
15:12 < reiffert> |_|
15:13 < krzie> install it on your toaster too while you're in there
15:14 < reiffert> _ _
15:14 < reiffert> ___| | | |
15:14 < reiffert> / __| | | |
15:14 < reiffert> | (__| | | |
15:14 < reiffert> \___| |_____| |
15:14 < reiffert> |_|_____|_|
15:14 < reiffert> :p
15:14 < reiffert> /exec -o echo "c|_|" | figlet
15:15 < krzie> i still cant figure out why i cant do this:
15:16 < lazarus477> reiffert: lol, thanks.
Love ASCII Art.
15:16 < krzie> ./exec echo "$RANDOM%2" | bc
15:16 < krzie> (standard_in) 1: syntax error
15:17 < lazarus477> I was at FSCONS 2008 held in Gothenburg Sweden. Two guys there demonstrated a nice public key infrastructure management software, web gui based. It works nicely with OpenVPN for certificate management.
15:17 < krzie> !ssl-admin
15:17 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
15:17 < krzie> nice perl script to manage them as well
15:18 < lazarus477> Ah just found the guys website: http://www.ejbca.org/
15:18 < vpnHelper> Title: EJBCA - The J2EE Certificate Authority - Home (at www.ejbca.org)
15:18 < reiffert> openssl x509 is all you really need.
15:18 < reiffert> j2ee? sigh. sigh.
15:18 < reiffert> sigh.
15:18 < lazarus477> vpnHelper: Yep thats the one.
15:18 < vpnHelper> lazarus477: Error: "Yep" is not a valid command.
15:18 < reiffert> most probably running on a virtual machine.
15:19 < reiffert> high performance.
15:19 < reiffert> sigh
15:20 < reiffert> EJBCA 3.7 contains support for CVC CAs used for EU EAC ePassports. This development was sponsored and contributed by the Swedish National Police Board.
15:20 < lazarus477> Hmm. Looks Java based, did not notice that before.
15:20 < reiffert> How many backdoors?
15:21 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 104 (Connection reset by peer)]
15:22 < lazarus477> It is my personal opinion that there is no such thing as a 100% secure system, haha.
15:22 < krzie> sure there is, the one with no NIC
15:22 < krzie> like my CA
15:22 < lazarus477> A lot of security comes from proper access restrictions.
15:22 < krzie> and physical security = gun
15:22 < lazarus477> krzie: Yea but even without NIC you can still do local attacks, haha.
15:23 < krzie> yes, and hope to hell i dont walk in and shoot you
15:23 < lazarus477> krzie: Hahahaha
15:23 < krzie> not because you're at my computer, because you're in my house
15:24 < krzie> ;]
15:24 < lazarus477> krzie: I will wear my Linux BulletProof IP-Tables vest when you come to snuff me out :-)
15:24 < krzie> haha
15:24 < krzie> my house is linux resistant, should wear your pf-vest
15:24 < lazarus477> krzie: Perhaps I will simply drop by for coffee.
15:24 < Bushmills> krzie, echo $((RANDOM...
15:24 < Bushmills> ))
15:24 < krzie> Bushmills ahh
15:25 < lazarus477> krzie: Or perhaps I should do some KGB/CIA style remote wire listening on your electronic emissions, lol.
15:25 < krzie> ./exec echo $((RANDOM))%2|bc
15:25 < krzie> works =]
15:25 < Bushmills> krzie, what for do you pipe it to bc?
15:25 < krzie> lazarus477 good luck finding what country im in
15:25 < krzie> bc = bitcalc
15:26 < Bushmills> what for?
15:26 < krzie> %2 makes it output the remainder after /2
15:26 < krzie> so i get a 0 or 1
15:26 < Bushmills> you can just drop the |bc part for the same effect
15:26 < krzie> for making random unimportant decisions
15:26 < lazarus477> krzie: Looks around. I shall start searching in my local area and later expand my search outwards till I have covered the whole globe or find you on the way.
15:26 < lazarus477> haha
15:26 < Bushmills> bash knows modulus (remainder) too
15:26 < krzie> Bushmills, try it
15:26 -!- bandini [n=bandini@host30-23-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
15:26 < krzie> 0%2
15:27 < Bushmills> krzie, try echo $((RANDOM%2))
15:27 < krzie> krzee@hemp:~> echo $RANDOM%2
15:27 < krzie> 20446%2
15:27 < krzie> krzee@hemp:~> echo $((RANDOM%2))
15:27 < krzie> 0
15:27 < krzie> heh no kidding
15:27 < krzie> i never seen using parens on shell vars
15:27 < Bushmills> that's why i ask "why bc"
15:28 < krzie> gotchya, cause thats how i knew how to do it ;]
15:28 < krzie> your way is better
15:28 < Bushmills> between $(( )) is arithmetic expression
15:28 < krzie> time to read on parens on vars
15:28 < krzie> ohhh i gotchya
15:28 < krzie> thats coolness
15:28 < Bushmills> want to look at a very far out bash script?
15:29 < krzie> i seen that one you made to program roms
15:29 < krzie> it was nuttier than the professor
15:29 < Bushmills> ever seen a compiler and interpreter written in bash?
15:30 < krzie> lol
15:30 < krzie> shit no
15:30 < Bushmills> incremental compiler + interactive interpreter
15:30 < Bushmills> http://www.forthfreak.net/bashforth
15:30 < reiffert> Bushmills: good luck!
15:30 < Bushmills> :D
15:30 < reiffert> krzie: macports: ports install bashforth
15:30 < Bushmills> reiffert, no indoctrination
15:31 < Bushmills> reiffert, but that's just a one magnitude more complex bash script than most people call "complex"
15:31 < krzie> Bushmills, you're hardcore bro
15:32 < reiffert> krzie: it's pure fun, enjoy forth!
15:32 < Bushmills> though for running it i'd suggest the javascript version - faster and more standard compliant
15:33 < krzie> i thought i was dope with scripting in bash until i saw the last script Bushmills showed me
15:33 < Bushmills> that one can be intimidating
15:34 < krzie> reiffert i wont be on apple for awhile
15:34 < krzie> til night time
15:34 < reiffert> krzie: you own an ibook as well, do you?
15:34 < Bushmills> though i like the geekness factor of it.
15:34 < reiffert> Bushmills: whats the key combination again?
15:35 < Bushmills> apple? i think you need to push during start. apple-apple-f iirc
15:35 < Bushmills> or apple-apple-o
15:36 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has quit []
15:36 < Bushmills> * Command-Option-O-F
15:39 < Bushmills> krzie, btw, reiffert knows that script - he introduced it to macports
15:40 < krzie> reiffert i have a macbookpro
15:41 < krzie> but my main box is now my hackintosh
15:41 < reiffert> http://trac.macports.org/browser/trunk/dports/lang/bashforth/Portfile
15:41 < vpnHelper> Title: /trunk/dports/lang/bashforth/Portfile – MacPorts (at trac.macports.org)
15:41 < krzie> quad core q9400 8gb ram 1.5TB hd
15:41 < krzie> running retail 10.5.7
15:41 < krzie> with all kexts etc in the hidden EFI partition for simple upgrading
15:42 < krzie> (guid spec says there should be a hidden EFI partition, which apple doesnt use but does respect)
15:43 < Bushmills> same CMD-OPT-O-F .
the prompt is more or less compatible with that bash script :)
16:14 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
16:15 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
16:19 -!- jeiworth [n=jeiworth@189.177.35.174] has quit [Read error: 110 (Connection timed out)]
16:22 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Connection timed out]
16:23 -!- Kreg-Work [n=kreg@208.98.188.95] has joined ##openvpn
16:28 -!- jeiworth [n=jeiworth@189.177.221.191] has joined ##openvpn
16:48 -!- jeiworth_ [n=jeiworth@189.177.35.134] has joined ##openvpn
16:49 -!- jeiworth [n=jeiworth@189.177.221.191] has quit [Read error: 104 (Connection reset by peer)]
16:56 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn
17:05 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:05 < Dougy> krzie
17:05 < Dougy> krzie
17:05 < Dougy> krzie
17:05 < Dougy> krzie
17:06 < reiffert> http://www38.wolframalpha.com/input/?i=happy%2Fhappy
17:06 < vpnHelper> Title: happy/happy - Wolfram|Alpha (at www38.wolframalpha.com)
17:06 < reiffert> Dougy: Dougy Dougy Dougy Dougy
17:06 < krzie> ~dougy
17:06 < krzie> ~dougy
17:06 < krzie> ~dougy
17:06 < krzie> ~dougy
17:06 < Dougy> your server is online
17:10 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
17:13 -!- deception [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
17:14 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:14 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:15 < krzie> what paypal do i send at?
17:15 < Dougy> you didnt pm
17:27 < reiffert> want another root server in germany?
17:27 < krzie> im sure not against the idea
17:28 < reiffert> I can recommend hetzner.de
17:28 < Dougy> hetzner
17:28 < Dougy> blah
17:28 < Dougy> those buggers
17:28 < krzie> if you can find me a decent price in china im in
17:28 < krzie> hehe
17:28 < reiffert> :)
17:29 < reiffert> I like hetzner, they gimme all I need.
17:29 < Dougy> i love my work connection
17:29 < Dougy> i am such an asshole
17:29 < krzie> 2 in cali, 1 in NY, 1 in minn, 1 in chicago, soon 1 in reno
17:29 < Dougy> on my one box there
17:29 < xororand> hetzner is okay. i know several guys who have one or more servers there. noone ever complained. i'm content after 2 years as well
17:29 < Dougy> krzie
17:29 < Dougy> my box at work
17:29 < Dougy> i have a 1 gbit port.. i pay $0
17:30 < krzie> for someone who doesnt do any business with his servers i seem to be going overboard
17:30 < Dougy> im using
17:30 < Dougy> like 450 MBps
17:30 < Dougy> lol
17:30 < krzie> lol
17:31 < Dougy> krzie
17:31 < Dougy> http://www.upload3r.com/serve/180509/1242685902.png
17:31 < Dougy> lol
17:32 < Dougy> if only I had that in NYC
17:33 < reiffert> Dougy: wtf?
17:33 < Dougy> reiffert: ?
17:33 < reiffert> Dougy: 450MBps what for?
17:34 < Dougy> random shit
17:34 < Dougy> i gave all my friends access
17:34 < Dougy> they are abusing it
17:34 < Dougy> lol
17:34 < reiffert> send me some openvpn client certs then.
17:34 < krzie> shit ya
17:34 < Dougy> Naw, hahaha
17:35 < krzie> lemme run rtorrent on it
17:35 < Dougy> im considering adding two more gbit nics
17:35 < Dougy> in it
17:35 < reiffert> I'd watch some tv caps from fox.com or similar.
17:35 < krzie> send a couple TB and raise my ratio a bit
17:35 < reiffert> :p
17:37 < Dougy> haha
17:38 < reiffert> watching TV caps from fox.com is all I really like to do with a link to US
17:38 < Dougy> reiffert: get a free shell
17:38 < Dougy> and ssh tunnel
17:39 < reiffert> I'll try that, right
17:39 < Dougy> http://sdf.lonestar.org/
17:39 < vpnHelper> Title: SDF Public Access UNIX System - Free Shell Account and Shell Access (at sdf.lonestar.org)
17:41 < reiffert> thanks
17:41 < Dougy> try that
17:43 < krzie> i cant believe prison break is over
17:44 < reiffert> How did it finish, all people alive or dead? in prison again?
17:44 < krzie> only 1 is dead from main group
17:44 < krzie> all free
17:44 < krzie> they took down the company
17:44 < krzie> (secret gov org gone kinda rogue)
17:44 < reiffert> I must admit that I never watched a single episode :)
17:45 < krzie> the leader of the company fries on the electric chair
17:46 < krzie> i got into it season 1
17:46 < krzie> saw every single episode
17:46 < Dougy> man
17:46 < Dougy> so glad to finally be getting clients live in NYC
17:46 < reiffert> 4] Kristin Dos Santos of E! has reported that there may be several extra episodes following the remaining six. Reilly has also confirmed that the series will end with a two-hour finale, rather than a rumored TV movie. Regarding the finale, Reilly says, "They have a really cool ending, actually. I know where they end, and it's a hell of an idea."[24]
17:47 < krzie> hrm, i think i found the name for the NY box
17:47 < krzie> it will be named kief
17:48 < Dougy> krzie: you're on solid hardware
17:48 < Dougy> sm chassis sm motherboard
17:48 < Dougy> hm
17:48 < Dougy> im gonna upgrade you to 7.2 now, k krzie?
17:51 < krzie> umm, sure =]
17:51 * Dougy wants to play with the freebsd-update tool
17:52 < krzie> are you joking!?
17:52 < krzie> nah ill update it
17:52 < Dougy> haha okay
17:52 < krzie> freebsd-update is binary
17:52 < Dougy> as opposed to doing by hand?
17:52 < krzie> cvsup the src, make buildworld, make buildkernel KERNCONF=config
17:52 < Dougy> btw, does anyone here need a server? renting out one
17:52 < krzie> etc
17:53 < Dougy> P4 3.0, 2gb ram, 120gb drive for $75
17:53 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
17:53 < krzie> yes, as opposed to compiled for my hardware after i play with make.conf
17:53 < krzie> you redhat user, lol
17:53 < Dougy> lol
17:54 < Dougy> its so much fun to be able to say i have my own colo
17:54 < Bushmills> Dougy, hetzner considerably cheaper ...
17:54 < Dougy> Bushmills: ?
17:54 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
17:55 < Bushmills> Dougy, 65 $ for 2x400 gig
17:55 < Dougy> yes there is a difference
17:55 < Dougy> if i colocated in other places in the usa that cost me $20 per server
17:55 < Dougy> then i could do a lot less
17:56 < Dougy> but this is right next to wall street in nyc
17:56 < Dougy> so its not so cheap
17:57 * Dougy makes about $2 on hardware on that p4
17:58 < Bushmills> 64 X2 5600+Dual Core, also 2 gig RAM there.
17:58 < Dougy> Bushmills: same thing applies
17:58 < Dougy> they get space cheaper
17:58 < Dougy> and bandwidth too
17:59 < Dougy> and im sure hw cheaper too
17:59 < reiffert> Bushmills: time to get some colo in NYC, eh?
18:00 < Bushmills> in fact, a box across the border can have its uses
18:00 < Dougy> krzee has colo in nyc
18:00 < reiffert> Bushmills: all right, then who is going to get some cheap machine with plenty of GIG and CPU for us?
18:01 < Dougy> what kind of box do you want
18:01 < Bushmills> cpu doesn't really need to be ultrafast
18:01 * Dougy can maybe find some old parts
18:01 < Bushmills> lots of ram makes more sense
18:01 < reiffert> Bushmills: dual core sounds nice, but single core will do of course. Preferable Intel.
18:01 < reiffert> Lots of RAM .. lets say 4GB?
18:01 < Bushmills> how much effort/costs are involved when upgrading the box with larger hard disk later?
18:02 < Dougy> well
18:02 < Dougy> i have 3 pentium d 3.0 ghz
18:02 < Dougy> and 1 3.2 ghz
18:02 < Dougy> sitting here
18:02 < Dougy> i can build you a box with that
18:02 < reiffert> Bushmills: 2 x 1TB?
18:02 < Bushmills> need to check with reiffert - i'm not cgi-intense.
18:03 < reiffert> we are talking about 20$ per month, right?
18:03 < Dougy> lol
18:04 < Dougy> just the power that would dra
18:04 < Dougy> w
18:04 < Dougy> would be more than $20 for me
18:07 < Bushmills> luckily the CPU doesn't need to be power hungry :)
18:07 < Dougy> everyone in this channel is cheap
18:07 < Dougy> cant do prices you want
18:09 < Bushmills> i do run 4 servers. paying more for smaller hardware or connection wouldn't make a lot of sense, would it?
18:09 < reiffert> Dougy: Would please sum up the monthly fee and the tech. specs like peerings and physical location for us ..
18:09 < reiffert> +you
18:11 < Bushmills> so we need to look where this can beat what we got. there's potentially a: disk capacity, and b: different country.
18:11 < Dougy> reiffert: rented or colocated
18:12 < Bushmills> (of course 120 gb doesn't beat 2x400 gb)
18:12 < reiffert> Dougy: both please.
18:15 < Dougy> reiffert: colo is $20/u $25/amp $12/Mbps
18:15 < Dougy> right now its just Cogent's bandwidth but may become Level3/Cogent/Internap/Sprint/SAVVIS
18:16 < Dougy> servers vary a lot
18:16 < reiffert> $12 per Mbps per Month?
18:16 < Dougy> Megabit per second, 95%
18:16 < Dougy> should have said Mbit
18:16 < reiffert> so 450Mbps = 450 * 12 $US?
18:17 < Dougy> yes
18:17 < Dougy> lol
18:17 < reiffert> and you call that cheap. Interesting different opinions between old europe and western world ...
18:18 < Dougy> $12/Mbit is cheap especially for New york city
18:18 < Dougy> for anything less than 100 Mbit, if you get under $18 for any decent bandwidth, you are a lucky soul
18:18 < reiffert> hetzner: 100Mbps, 30TB incl per month
18:18 < Dougy> heh
18:18 < krzie> umm, how much reif?
18:18 < Dougy> i don't know how they sustain that
18:18 < Dougy> not a clue
18:18 < Bushmills> (only the first terabyte 100 mbit, per month)
18:19 < reiffert> Bushmills: first 30 TB per month IIRC.
18:19 < krzie> dougy, BW is diff outside the usa
18:19 < krzie> some places cheaper, some places more expensive
18:19 < reiffert> krzie: 5600 AMD X2, 2 x 400GB, about 80$US/month
18:19 < krzie> shit its normal to have 100mbit to the house in some places
18:19 < reiffert> 4GB RAM
18:19 < krzie> damn thats badass reif
18:19 < Dougy> krzie: yes i know
18:19 < Bushmills> oh, have they upgraded again? was last year that after 1 terabyte they throttled to 10 mbit/sec
18:20 < reiffert> 59EUR should be 80 $US atm
18:20 < Dougy> i would love to see you guys get boxes in australia
18:20 < Dougy> ;)
18:20 < Dougy> where 100GB sets you back over 100
18:20 < krzie> i was supposed to have one in AU
18:20 < krzie> but my boy fell through
18:20 < krzie> with MUCH better pricing than you speak of
18:20 < krzie> MUCH MUCH
18:20 < Bushmills> krzie: 5600 AMD X2, 2 x 400GB, about 80$US/month ... actually 65$/m
18:20 < Dougy> bandwidth in Australia, is absurd
18:21 < krzie> dougy, depends who you know i guess
18:21 < reiffert> Bushmills: 59 EUR = 80 $US
18:21 < Dougy> i know a whole lot of people there
18:21 < Bushmills> reiffert, but it's 49EUR only
18:21 < krzie> dougy, i was supposed to get a badass deal in the same building as the au stock exchange
18:21 < krzie> but my boys contact doesnt work there anymore
18:21 < krzie> its not quantity of who you know, its quality of who
18:21 < Dougy> meh 100gb for $100 was a bit of a stretch
18:21 < krzie> ;]
18:22 < Dougy> The specifications of this machine are:
18:22 < Dougy> - Intel Dual Xeon 2.4Ghz
18:22 < Dougy> - 4GB Ram
18:22 < Dougy> - 2x73GB SCSI drives (RAID1)
18:22 < Dougy> - Linux CentOS 5.2
18:22 < Dougy> - 50GB Data Per Month
18:22 < Dougy> - cPanel/WHM 11
18:22 < Dougy> - Virtualisation Layer
18:22 < Dougy> - Fully Managed Server including server monitoring and SMS notifications
18:22 < Dougy> - No Contract Terms
18:22 < Dougy> Cost Per Month: $199 inc GST FULLY MONITORED AND MANAGED
18:22 < Dougy> ^
18:22 < krzie> you lost me at centos
18:22 < reiffert> Bushmills: u sure u owe a 5600X2 with 2 x 400GB?
18:22 < krzie> *gag*
18:22 < Dougy> krzie: look at cpu, drives, bw, and price
18:22 < Dougy> nothing else
18:22 < reiffert> Bushmills: ah, 2GB RAM
18:22 < Dougy> meh
18:22 < Dougy> i guess europe is cheap
18:23 < Bushmills> reiffert, 59 is 4 gig ram
18:23 < reiffert> http://www.hetzner.de/hosting/produktmatrix/rootserver-produktmatrix/
18:23 < vpnHelper> Title: Hetzner Online AG: Root Server ProduktmatrixHetzner Online AG (at www.hetzner.de)
18:23 < Dougy> i pay $349 a month for 2.4 GHZ quadcore / 8 gb ram / 4x750gb in rai 10
18:23 < Dougy> raid
18:23 < reiffert> Bushmills: however, new pricing, new root servers from 1st of June 2009: http://www.hetzner.de/hosting/produkte_rootserver/ds5000/
18:23 < vpnHelper> Title: Hetzner Online AG: DS 5000Hetzner Online AG (at www.hetzner.de)
18:23 < Bushmills> Dougy, that's 130$ here
18:24 < Bushmills> includes unlimited traffic
18:24 < Bushmills> oh. sorry. 2x750 gb only
18:24 < krzie> only thing is dougys customer base is from usa
18:24 < krzie> so he needs something low latency to them
18:25 < Bushmills> Dougy, what netmask on those?
18:25 < Bushmills> i.e. come with how many ip addresses?
18:25 < Dougy> i got a /26
18:26 < reiffert> backbone list: http://wiki.hetzner.de/index.php/Rechenzentren_und_Anbindung
18:26 < Bushmills> that's decent
18:26 < vpnHelper> Title: Rechenzentren und Anbindung – Hetzner DokuWiki (at wiki.hetzner.de)
18:26 < krzie> my buddy has direct fiber from LA to peru, like 5 hops from him to my SD boxes, unfortunately he doesnt wanna allow a colo =[
18:26 < krzie> i want more foreign servers
18:26 < krzie> preferably in countries that dont like talking to the usa like china
18:26 < krzie> im tired of usa sniffing *
18:27 < krzie> they think they own the internet
18:27 < Dougy> they invented it
18:27 < krzie> thank them for me
18:27 < krzie> and tell them its out of their hands now
18:27 < krzie> and btw colleges invented it, not the gov
18:28 < krzie> iirc the gov was happy with decnet
18:28 < Bushmills> hm. more like "put it to civil use"
18:28 < reiffert> krzie: gimme something to trace on ...
18:29 < krzie> ircpimps.org
18:29 < krzie> thats san diego, CA
18:29 < reiffert> 18 hops, 100ms between frankfurt and washington
18:29 < Dougy> wow
18:29 < Dougy> crappy latency
18:30 < Dougy> level3 from here to there, getting 60 ms on an edge level3 router
18:30 < reiffert> but still no satellite connection involved, is it?
18:30 < Dougy> 13 * SUAVEMENTE.car1.SanDiego1.Level3.net (4.79.33.194) 66.408 ms !A *
18:30 < Dougy> 14 * SUAVEMENTE.car1.SanDiego1.Level3.net (4.79.33.194) 66.555 ms !A
18:30 < Dougy> keeps dying there
18:30 < Bushmills> a bit less even. 94 ms
18:31 < reiffert> http://snap.reifferscheid.org/3.txt
18:32 -!- lazarus477 [n=lazarus@81-231-99-230-no47.tbcn.telia.com] has quit ["leaving"]
18:32 < reiffert> Additional 40ms from Wash to Atlanta
18:32 < Dougy> http://rafb.net/p/3vDoZK31.html
18:32 < vpnHelper> Title: Nopaste - No description (at rafb.net)
18:32 < reiffert> nah, atlanta to dallas
18:32 < Bushmills> ae-4-4.car2.SanDiego1.Level3.net is very wobbly
18:33 < Dougy> yay 40GB rsync
18:33 < krzie> holy shit
18:33 < krzie> 66ms
18:33 < Dougy> krzie ?
18:33 < krzie> his trace
18:33 < Dougy> ah
18:33 < krzie> oh no that was you
18:33 < krzie> nm
18:34 < Dougy> lol
18:34 < reiffert> Bushmills: looks like hetzner <-> level3 is doable, if its in washington
18:36 < Bushmills> reiffert, but will cost 20 times more, 1200$ instead 65$ for 100 mbit.
18:37 < reiffert> Totally crazy, indeed.
18:37 < reiffert> 27.000 km's between Frankfurt and Washington
18:37 < Bushmills> plus, that's 50 gig traffic
18:37 < reiffert> let's see what google earth thinks about that distance
18:38 < reiffert> 27.000 when calculating with 90ms
18:38 < Bushmills> my ntp alone gets 10 gig/month
18:38 < reiffert> direct line is 7.000km
18:39 < reiffert> that would make 20.000km in house wiring?
18:39 < reiffert> all right, let's say some router cpu time ...
18:40 < Bushmills> probably repeater latency
18:40 < reiffert> which brings us down to 15.000 unknown kilometers...
18:40 < reiffert> cnn.com?
18:41 < reiffert> same wash.level3
18:41 < Bushmills> 109 ms
18:41 < Bushmills> total
18:42 < reiffert> hey guys, please name some big ISP's in .US
18:42 < Dougy> www.rr.com
18:42 < Dougy> www.comcast.net
18:42 < Dougy> im assuming you mean residential?
18:42 < Bushmills> reiffert, your box is 1 ms from mine
18:42 < reiffert> looks like hetzner got a fixed peering with level3 when it wants to get to .US
18:43 < Bushmills> and 300 microsecs from another :)
18:43 < Bushmills> 3 hops
18:43 < reiffert> we could bring up an additional phone link :)
18:43 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:44 < reiffert> (MULTIPLE)
18:45 < reiffert> would you please pastebin: mtr reifferscheid.org
18:45 < Bushmills> sell vpn access to chinese?
18:47 < Dougy> reiffert
18:47 < Dougy> who
18:48 < reiffert> Dougy: you and krzie
18:48 < Dougy> how many do u want me to run
18:48 < Dougy> how many times
18:48 < krzie> ok
18:48 < krzie> how many?! 1 should be fine
18:48 < Dougy> just one?
18:48 < Dougy> ok
18:48 < krzie> im installing it now
18:48 < Dougy> ill do 20
18:49 < Dougy> krzie: what box are you doing it from
18:49 < krzie> ircpimps
18:49 < Dougy> k ill do from NYC too then
18:49 < krzie> i guess i could do it from hash as well
18:50 < krzie> i dont even remember what hostname i gave to the box in minn
18:50 < krzie> hehe
18:50 < Dougy> http://rafb.net/p/bUvcLN61.html
18:50 < vpnHelper> Title: Nopaste - No description (at rafb.net)
18:51 < krzie> oh i see what you meant
18:51 < krzie> 1 per box is what i was saying, lol
18:52 < krzie> i thought you asked how many from 1 box, hehehe
18:52 < Dougy> nah lol
18:52 < Dougy> man
18:52 < Dougy> i am using a shit pile of bw atm
18:52 < Dougy> anohter 100 mbps spike
18:52 < Dougy> :X
18:52 < Dougy> another
18:53 < reiffert> Frankfurt is 50km next to me
18:53 < reiffert> Duesseldorf is 200km
18:53 < reiffert> and Berlin approx 450
18:53 < reiffert> thats insane.
18:54 < reiffert> nyc looks nice
18:54 < Dougy> ?
18:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)]
18:57 < krzie> im still compiling mtr + deps
18:57 < reiffert> Though I dont understand 87 ms before packets reach boston
18:58 < reiffert> 87 to 101 look like the atlantic...
18:59 < Bushmills> reiffert, i have latency history of several us sites.
19:00 < reiffert> since?
19:00 < Bushmills> M.I.T, Berkeley, Xerox and Indiana University
19:00 < Bushmills> 2 years
19:00 < Bushmills> http://ping.verhau.de/?target=NorthAmerica
19:00 < vpnHelper> Title: SmokePing Latency Page for North America (at ping.verhau.de)
19:00 < reiffert> how much did they increase over the years?
19:01 < Bushmills> click on any graph for details
19:02 < Bushmills> sorry, one year only
19:03 < reiffert> ..
19:03 < Bushmills> there are also european and asian sites
19:09 < reiffert> September 2008 looks like a bad month.
19:11 < Bushmills> wasn't that when - again - a few submarine cables had been damaged?
19:12 < Bushmills> a lot of asia was rerouted then, the other way around
19:17 < reiffert> time for bed, good night guys
19:39 -!- jeiworth_ is now known as jeiworth
19:54 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
20:00 -!- albech [n=albech@119.42.76.165] has quit [Remote closed the connection]
20:00 -!- x29a_ [n=x29a@unaffiliated/x29a] has joined ##openvpn
20:14 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:16 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 113 (No route to host)]
20:21 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has joined ##openvpn
20:22 < mRCUTEO> hey all
20:27 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has quit []
20:32 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:34 < xororand> it's not possible to use DHCP over OpenVPN tun-devices, correct?
20:34 < xororand> DHCPv6
20:35 < krzie> correct
20:35 < krzie> tun is for layer3
20:35 < krzie> dhcp is layer2
20:36 -!- jeiworth [n=jeiworth@189.177.35.134] has quit [Read error: 110 (Connection timed out)]
20:36 < xororand> thanks for the confirmation :)
20:36 < krzie> np
20:37 < xororand> as --server is IPv4 only, i'm afraid that i have no choice but tap networking + DHCPv6
20:38 < krzie> theres some sort of ipv6 options, might be tun-ipv6 or something
20:38 < krzie> its in the man
20:38 < xororand> yes, --tun-ipv6 works
20:38 < krzie> do you *really* need dhcp?
20:38 < xororand> i have IPv6 working over OpenVPN + tun, but the server can't distribute IP addresses and routes, like it's possible with IPv4
20:39 < xororand> you can use a client-side "up" script, but that's platform dependent
20:40 < krzie> ahh
20:40 < xororand> i want it to work with linux, mac and windows client
20:40 < xororand> with one single config set
20:41 < krzie> didnt realize you couldnt push stuff
20:41 < krzie> like:
20:41 < krzie> !static
20:41 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
20:41 < krzie> but i dont use ipv6 so i believe you
20:41 < xororand> i'm not sure krzie
20:41 < xororand> at least --server doesn't work
20:41 < xororand> like "server 10.20.0.0 255.255.255.0"
20:41 < theDoc> Until the world decides that v4 is dead and gone, I honestly do not see a lot of customers migrating to v6.
20:42 < theDoc> and hello folks.
20:43 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:43 < xororand> hello theDoc
20:43 < xororand> End users shouldn't have to notice the migration, theDoc
20:50 < krzie> Dougy, didnt you say this was gunna be that dual xeon? not that it matters to me much
20:51 < Dougy> someone rang
20:52 < Dougy> no i didn't lol
20:52 < krzie> oh ok
20:52 < Dougy> you paid me $175 to build you that celly box
20:52 < Dougy> 'member?
20:52 < krzie> OH right you sold that dual zeon
20:52 < krzie> xeon
20:52 < krzie> forgot bout that
20:52 < Dougy> nope i didnt
20:53 < Dougy> the buggers decided not to buy it
20:53 < krzie> yes
20:53 < Dougy> so its sitting under me
20:53 < Dougy> but you did buy the celly
20:53 < krzie> oh, lol
20:53 < krzie> yes, i did
20:53 < krzie> cause you said you had sold that dual xeon that you got cause you only wanted the case
20:53 < Dougy> yea then i found out its semi proprietary
20:53 < Dougy> so gotta keep it together
20:53 < krzie> remember you were gunna kick that down free at first cause you only got it for the case
20:53 < Dougy> yeah then i noticed the PSU was proprietary to a few select old mobos
20:54 < Dougy> so i was stuck with it
20:54 < krzie> doh!
20:54 < Dougy> that dual xeon thing drew 2 amps on post
20:54 < Dougy> first boot
20:54 < Dougy> lol
20:54 < Dougy> Bahahaha ,krzie, my provider just emailed me
20:54 < Dougy> Hi Douglas
20:54 < Dougy> We got a bandwidth alert but ignored it. After a second check shows that you're using 94.39Mbps right now. Is everything OK?
20:54 < krzie> reply:
20:54 < krzie> everything is great, thanx for the excellent bandwidth
20:54 < Dougy> bahahah
20:55 < Dougy> naw
20:55 < Dougy> i told him it was a short spike while i rsync'd like 30gb of data
20:55 < krzie> "sorry i was dos attacking some kid on irc"
20:55 < Dougy> lmfao
20:55 < Dougy> some skiddie tried to mess with me so i was blasting him
20:56 < krzie> "i was testing your response time, well done"
20:56 < Dougy> lmao
20:56 < krzie> and did you say rsync!?
20:56 < krzie> lulz
20:56 < Dougy> yes
20:56 < Dougy> i did
20:56 < Dougy> why?
20:57 < Dougy> krzie, this is what made them shit their pants: http://www.upload3r.com/serve/180509/1242698212.png
20:57 < krzie> they went poopy?
20:57 < Dougy> i guess
20:58 < krzie> doesnt rsync require its own daemon which has had a long long history of insecurities?
20:58 < krzie> i use scp
20:59 < Dougy> not that i know of
20:59 < Bushmills> xororand, there exist dhcp forwarders
20:59 < Dougy> it uses ssh
21:00 < krzie> oh ok
21:00 < krzie> i musta been thinkin of something else then
21:00 < Dougy> yeah
21:00 < Dougy> guess so
21:08 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 60 (Operation timed out)]
21:19 -!- sam_ [n=sam@222.66.224.108] has joined ##openvpn
21:23 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn
21:24 < sam_> Hi, all, my server only accepts 1024 clients access, how to change the limit?
21:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
21:41 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:43 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
22:04 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
22:04 -!- sam_ [n=sam@222.66.224.108] has quit [Remote closed the connection]
22:05 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
22:38 -!- troy is now known as troy-
22:39 -!- troy- is now known as troy
22:44 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 110 (Connection timed out)]
23:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
23:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
23:18 < ecrist> sup, fuckers?
23:19 < theDoc> lmao.
23:19 < theDoc> New certification course for you guys, http://web.uct.ac.za/depts/commnetwork/networklab.html HCNE :)
23:19 < vpnHelper> Title: UCT Network Laboratory (at web.uct.ac.za)
23:19 < theDoc> cisco certified? juniper certified? extreme networks certified?
23:19 < theDoc> now get yourself certified by huawei.
23:19 < theDoc> xD
23:19 < theDoc> jesus christ.
23:22 * ecrist *was* a CCNA at one point.
23:22 < theDoc> was!
23:22 < theDoc> is too!
23:30 < theDoc> lmao
23:30 < theDoc> ecrist: http://forum.huawei.com/jive4/thread.jspa?threadID=320730&tstart=50&orderStr=9
23:30 < theDoc> epic win.
23:45 -!- mikeage [n=mmiller@mikeage.net] has quit [Remote closed the connection]
--- Day changed Tue May 19 2009
00:02 -!- troy is now known as troy-
00:05 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:29 -!- troy- is now known as troy
01:47 -!- master_of_master [i=master_o@p549D358C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D33D7.dip.t-dialin.net] has joined ##openvpn
01:58 -!- x29a_ [n=x29a@unaffiliated/x29a] has quit ["tiuQ"]
03:18 -!- vho [i=viktor@holmlund.it] has joined ##openvpn
04:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["-galaxynet"]
04:26 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
04:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:27 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:40 -!- The_Faithful [n=Mak@wana-15-237-12-196.wanamaroc.com] has joined ##openvpn
05:40 < The_Faithful> Hi all
05:40 < The_Faithful> How can I block vpn connections from my LAN ?
05:43 < reiffert> various methods: --local , a firewall, or plug the cable.
05:43 < reiffert> unplug
05:48 < The_Faithful> I need to filter the data packets not just looking up ports or protocols.. so using a firewall it's not the best solution
05:49 < The_Faithful> I wanna just know if a solution exists for solving this problem ?
05:51 < reiffert> what is it you didnt understand in
05:51 < reiffert> 12:43 < reiffert> various methods: --local , a firewall, or plug the cable.
05:53 < The_Faithful> everything unless firewall :P
05:54 < reiffert> see manpage for the --local option
05:54 < reiffert> !man
05:54 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:55 < The_Faithful> thank you brotha
05:56 < reiffert> the 3rd option was: unplug the LAN cable.
05:57 < The_Faithful> ok that's the easiest
05:58 < reiffert> Running Linux?
06:01 < The_Faithful> of course yes
06:01 < The_Faithful> I think that I got another solution.. filtering packets with wireshark
06:02 < The_Faithful> and writing patterns protocols and block it with L7-filter
06:02 < reiffert> iptables -I INPUT -i laninterface -p udp --dport 1194 -j REJECT
06:02 < reiffert> laninterface eth0 or eth1 or similar
06:02 < reiffert> l7-filter? sigh sigh sigh.
06:03 < The_Faithful> right ! but blocking this thing by port is insufficient
06:03 < The_Faithful> the same for the protocols
06:03 < reiffert> dude: your question was:
06:04 < reiffert> 12:40 < The_Faithful> How can I block vpn connections from my LAN ?
06:04 < The_Faithful> yes I said for blocking that.. I have to look up the packets data
06:04 < reiffert> so what you want is to filter openvpn connections with source LAN to destination LAN-Router or destination world?
06:04 < The_Faithful> not just ports or protocols (udp/1194)
06:05 < The_Faithful> reiffert, both, I wanna block that from and to the internet
06:05 < reiffert> in short: you cant.
06:05 < reiffert> it even works with a http proxy.
06:06 < The_Faithful> ok
06:06 < The_Faithful> you mean squid for example ?
06:06 < reiffert> so what your l7 filter will see is a http request.
06:06 < reiffert> so people will setup a proxy on port 443 and there you are.
06:07 < reiffert> eg squid
06:08 < The_Faithful> ok
06:08 < The_Faithful> I see now
06:08 < The_Faithful> thank you
06:09 < Bushmills> moinmoin
06:09 * Bushmills visualizes The_Faithful with a jet of water squirting out of his head periodically
06:11 < The_Faithful> Bushmills, LOL
06:11 < The_Faithful> thank you it's useful :P
06:11 -!- digii [n=digii@153.205.181.62.in-addr.dgcsystems.net] has joined ##openvpn
06:12 < Bushmills> would definitely draw attention when walking in the street
06:12 < digii> hi, in in openvpn /easy-rsa/vars, when im changing export email, if im not using any email service, can i just put root@hostname?
06:14 < Bushmills> digii, the mail address is written for informal reasons into .crt file. if you can live with the older of the file not able to contact you by email, after obtaining the address from that file, you can put any address you want there.
06:15 < digii> aah ok =)
06:15 < Bushmills> though putting a real address there probably makes most sense
06:15 < Bushmills> s/older/holder/
06:15 < The_Faithful> reiffert, people in my LAN can make a vpn connection without caring about my proxy ? or they can't ?
06:15 < digii> well its only for personal use, so u guess the email doesn't matter then
06:16 < Bushmills> digii, if you don't forget your email address when you want to contact yourself by email, it's ok.
06:17 < digii> hehe ;) guess that is not a risk im going to email myself :D
06:17 < digii> but thx
06:18 < digii> btw, if im following a guide for ubuntu, but my system is debian, it will pretty much be the same coz ubuntu builds on debian?
06:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:35 -!- onats_ [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
06:37 < digii> hmm
06:37 < digii> i just did the config file to openvpn and tried loading it
06:38 < digii> but got some errors about non existing files?
06:38 < digii> can i post the error here? its about 4-5 lines long
06:40 -!- roffe [n=rofe@83.221.146.177] has joined ##openvpn
06:41 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
06:43 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Client Quit]
06:43 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
06:47 -!- roffe is now known as rofe
07:05 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
07:33 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
07:34 < enriq_> hello
07:35 < enriq_> I need to make openvpn create the connection with 3 dns suffixes to append
07:35 < enriq_> is there any way to do that?
07:40 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
07:47 -!- digii [n=digii@153.205.181.62.in-addr.dgcsystems.net] has quit ["Lost terminal"]
08:21 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
08:28 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
08:41 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out]
08:57 < reiffert> Error when installing OpenVPN on Windows XP
08:58 < reiffert> The installer you are trying to is corrupted or incomplete
08:58 < reiffert> This could be the result of a damanged disk, a failed download or a virus
08:58 < reiffert> NSIS ERROR
08:58 < reiffert> Anyone
08:58 < reiffert> ?
09:01 < reiffert> ah, broken download, 1.1MB
09:01 -!- The_Faithful [n=Mak@wana-15-237-12-196.wanamaroc.com] has left ##openvpn ["Leaving"]
09:03 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [No route to host]
09:04 < ecrist> good morning folks.
09:05 < Bushmills> reiffert, i'd say it is a NSA enforced feature in windows to prevent installation of openvpn
09:07 < Bushmills> enriq_, client can execute script when connected
09:14 -!- onats_ is now known as onats
09:17 -!- flujan [n=flujan@189.111.254.251] has joined ##openvpn
09:17 < flujan> hello guys, I need to redirect a port let me say 8888 on my openvpn server to a client connected through the vpn
09:17 < flujan> 200.190.125.69:8888 to 172.27.7.14:80
09:17 < flujan> is it possible?
09:19 < enriq_> Bushmills: do you have a reference?
09:21 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has quit ["Leaving"]
09:26 * Bushmills will never understand why somebody asks a question, and then leaves.
09:28 < ecrist> flujan: yes, you need to use another piece of software for it, though. A firewall with policy routing would be the ticket.
09:28 < flujan> ecrist: iptables will do it?
09:29 < ecrist> should, I couldn't tell you how, I'm not a linux user
09:36 < flujan> ok thank you.
09:43 -!- jeansch [n=jeansch@216.252.79.95] has joined ##openvpn
09:43 < jeansch> !/30
09:43 < vpnHelper> jeansch: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:45 < jeansch> Hi, i have a question about openvpn scalability: can a server handle more than 500 clients at the same time, and if yes, with which requirements ?
09:46 < ecrist> jeansch: it depends on a lot of things
09:46 < ecrist> 1) what's the bandwidth utilization
09:46 < ecrist> 2) what's the hardware
09:46 < ecrist> 3) what's the OS
09:47 < jeansch> The bandwidth will be not very huge, only one web page per client, time from time
09:47 < jeansch> the hardware, ... a xen vm
09:48 < jeansch> running debian gnu/linux
09:48 < jeansch> the vm will be setup depending on the usage
09:48 < ecrist> jeansch, that's not the hardware
09:48 < ecrist> that's a vm
09:48 < jeansch> ok
09:48 < ecrist> all I can tell you is try test, test, test
09:50 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Connection timed out]
09:50 < jeansch> i guess that the hardware used on the vm host is 'good' as it's an hosting provider (gandi). Can i verify that through the vm ?
09:51 < ecrist> lol
09:51 < ecrist> no, you can't. test it, see what happens.
09:51 < ecrist> if load becomes too great, you'll need to add another server
09:52 -!- enriq [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
09:52 < jeansch> ok, i understand. but is 500 clients a 'common' case ?
09:53 < enriq> i need to create my openvpn connection including a search path of 3 dns suffixes... anyone knows how?
09:53 < ecrist> no, it's not 'common' but it's been done before
09:53 < ecrist> enriq: yep
09:54 < ecrist> everything you need is covered in the man page or in the how to
09:54 < enriq> I found that adding dhcp-option DOMAIN could do the trick
09:55 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
09:55 < enriq> but i haven´t found how to specify many suffixes
09:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 < enriq> am i explaining myself ecrist ?
09:57 < ecrist> yes
10:02 < enriq> any clue?
10:03 < ecrist> enriq: DNS search list is DHCP option 119, you may be able to do a dhcp-option 119 "foo.com bar.org baz.net"
10:03 < ecrist> but not sure
10:04 < ecrist> even if you do, I'm not sure the client on the other end will know what to do with it.
10:04 < ecrist> for non-windows systems, it would appear a script is needed to apply the settings.
10:04 < ecrist> this is covered in the man pages.
10:05 < ecrist> see RFC 3397 for information on option 119
10:05 < enriq> I´m hacking this into the client side script... let me try I let you know
10:09 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
10:09 < enriq> i get ¨unknown option 119¨
10:11 < ecrist> sounds like a question for the mailing list
10:12 < enriq> ok, i thought it was just that I´m newbie
10:12 < enriq> thanks
10:17 < vho> good evening
10:21 < vho> lets say I have 3 different OpenVPN servers. Users use the same cert and auth via username and password. How to prevent users to log in to three different instances of OpenVPN?
10:21 < vho> Set up a radius server?
10:22 < theDoc> vho: ccd is your friend.
10:24 < vho> theDoc, and then nfs share with the servers?
10:24 < theDoc> vho: I don't even know your setup but my best guess is ccd.
10:26 < vho> theDoc, ok, thanks, because simultaneous-use += 1 doesn't work in radius due to the radius plugin for openvpn.
10:26 < theDoc> vho: I'm not sure about RADIUS but yeah, if you say so ;)
10:28 < vho> theDoc, but does this ccd work, even if I use radius for only auth?
10:28 < vho> but use username as common name on the server side
10:28 < theDoc> vho: I have no idea. I'm not familiar with radius.
10:29 < vho> ok, thanks anyway :)
10:48 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has joined ##openvpn
10:50 -!- enriq [n=enriq@33-138-235-201.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)]
11:38 -!- lepine [n=lmacguir@modemcable093.36-59-74.mc.videotron.ca] has quit [Remote closed the connection]
11:48 -!- jeansch [n=jeansch@216.252.79.95] has quit ["Ex-Chat"]
12:01 -!- flujan [n=flujan@189.111.254.251] has quit []
12:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:15 -!- jeiworth [n=jeiworth@189.177.35.134] has joined ##openvpn
12:21 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
12:43 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit ["killed"]
12:44 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
13:00 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Kreg-Work, Gumbler, vho, throughnothing, Intensity, dmarkey
13:00 -!- vho\ [i=viktor@holmlund.it] has joined ##openvpn
13:00 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
13:00 -!- Netsplit over, joins: throughnothing
13:00 -!- Netsplit over, joins: Gumbler
13:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
13:21 -!- vho\ [i=viktor@holmlund.it] has left ##openvpn []
13:22 -!- vho\ [i=viktor@holmlund.it] has joined ##openvpn
13:22 -!- vho\ is now known as vho
13:23 < krzie> ecrist here bud
13:23 < krzie> ?
13:24 < ecrist> yep
13:24 * ecrist wonders what his 'bud' wants. ;)
13:24 < krzie> aww, im not your bud?
13:25 < krzie> i want to pay you
13:25 < krzie> am i your bud now? lol
13:25 < krzie> ill msg
14:13 -!- Intensity [i=[MEAfCQR@panix1.panix.com] has joined ##openvpn
14:32 -!- carpe_ is now known as Plaerzen
14:33 < Plaerzen> do you guys think the online searchable knowledge bases for Linux are degrading due to the massive influx of idiots into the Linux-user demographic ?
14:34 < krzie> no clue personally, i dont use them
14:35 < krzie> but i wouldnt argue against the statement, sounds very plausible
14:40 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:42 < Plaerzen> mostly I was referring to tldp and google. But I'm just frustrated. Anyway, maybe I'll blog about it
14:42 < bafman> hello, using secret option means that TLS will be enabled too (o SSL certificates
14:44 -!- bafman [n=none@81.90.250.239] has quit [Client Quit]
14:44 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:44 < krzie> --secret file [direction]
14:44 < krzie> Enable Static Key encryption mode (non-TLS). Use pre-shared se-
14:44 < krzie> cret file which was generated with --genkey.
14:44 < bafman> sorry had connection problem
14:46 < bafman> I have read the man page, but was not sure if they both can be used together
14:47 < krzie> why would they?
14:47 < krzie> use this for what you're thinking
14:47 < krzie> !hmac
14:47 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:47 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:48 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
14:49 < bafman> ok this is what I wanted, I have read this "additional signature" and thought that secret is the one. Thanks for your telepathy
14:49 < krzie> yw ;]
14:49 < endschranz> Hi, I have a bridged vpn. When I create a server (wc3) everyone
14:50 < endschranz> can see the server. But when a client opens a server only players outside of the vpn can see it.
14:50 < endschranz> Does anyone have an idea?
14:51 < krzie> i dont even have an idea what you meant
14:53 < endschranz> when a player in the LAN creates a server: everyone can see the game; when a vpn client creates a server: only people in the real lan can see the server, other vpn-clients don't see the game
14:54 < bafman> bye
14:54 -!- bafman [n=none@81.90.250.239] has quit ["leaving"]
14:56 < Plaerzen> oh dear
14:57 -!- bafman [n=none@81.90.250.239] has joined ##openvpn
14:57 < bafman> !hmac
14:57 < vpnHelper> bafman: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
14:57 < vpnHelper> bafman: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
14:58 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit ["No Ping reply in 90 seconds."]
15:11 -!- floyd_n_milan [n=mrugesh@203.129.237.147] has joined ##openvpn
15:14 -!- vho [i=viktor@holmlund.it] has left ##openvpn []
15:14 < bafman> ok works as expected. thanks again and bye
15:14 -!- bafman [n=none@81.90.250.239] has quit ["leaving"]
15:16 < krzie> endschranz, have try enabling client-to-client
15:16 < endschranz> krzie: yes
15:16 < krzie> whoa my english was broken there, and its my native lang
15:16 < krzie> lol
15:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:27 < Dougy> heyo
15:27 -!- flokuehn [n=flokuehn@62.111.103.27] has quit [Remote closed the connection]
15:27 < Dougy> krzie: ping
15:27 < krzie> pong
15:27 < Dougy> everything is good with that box so far?
15:27 < krzie> aye, recompiling kernel now
15:27 < Dougy> good
15:27 < Dougy> dont break
15:27 < Dougy> it
15:28 < Dougy> i dont want to go to nyc this afternoon
15:28 < Dougy> lol
15:28 < krzie> lol
15:28 < krzie> hopefully i wont ;]
15:28 < Dougy> well if you do, you're sol
15:28 < Dougy> for a bit
15:28 < krzie> i only disabled raid stuff and wireless stuff (and cddl)
15:28 < krzie> oh and non 686 cpu stuff
15:28 < krzie> but that should all be rather safe
15:28 < Dougy> datacenter emailed me today
15:28 < Dougy> well last night
15:28 < Dougy> they thought one of my boxes got rooted, lol
15:29 < Dougy> i told you about that
15:29 < Dougy> but they emailed me today making sure i didnt get rooted
15:29 < krzie> the rsync?
15:29 < Dougy> yeah
15:29 < Dougy> haha
15:29 < Dougy> i said i was rsyncin and they were like are you sure you didn't get hacked?
15:29 < Dougy> i was like yes you dip shit
15:34 -!- flokuehn [n=flokuehn@62.111.103.27] has joined ##openvpn
15:42 < Dougy> Anyone need any hostings
15:57 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
15:57 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Read error: 54 (Connection reset by peer)]
16:05 < Dougy> krzie
16:05 < Dougy> i just bid on a server
16:05 < Dougy> dual amd opt 2.8 ghz dual core, 32gb ram, 2x320gb sata for $0.99 currently, bahaha
16:05 < krzie> you need to be sniping
16:05 < krzie> im tellin ya
16:05 < Dougy> my max bid is $275 atm
16:06 < krzie> 320 sata... 10k disks?
16:06 < Dougy> naw
16:06 < Dougy> 7200
16:07 -!- ralmar [n=john@200.25.129.80] has joined ##openvpn
16:07 < ralmar> Hey guys I installed the package to use Cisco vpns directly in the network manager but I need to import a certificate. How can I do this? Thanks.
Im on 9.04
16:08 < krzie> !notopenvpn
16:08 < vpnHelper> krzie: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:08 < krzie> !notcompat
16:08 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
16:10 < Dougy> OMG
16:10 < Dougy> spamming bastards
16:10 < Dougy> FFFFFFFFFFF
16:14 < ralmar> Can anyone help me out please?
16:15 < Dougy> ralmar: we dont do cisco vpn here
16:15 < Dougy> #ubuntu
16:16 < ralmar> Sigh, I know Im sorry but I cant find anyone who can help on #ubuntu. I just want to use the network manager to edit a cisco vpn connection and import a .509 certificate
16:17 < ralmar> No one will even help me out in #cisco
16:17 < Dougy> I don't know jack about Ubuntu anymore or I would help you
16:40 < Dougy> http://www.amazon.com/gp/product/0345518764
16:40 < Dougy> hah
16:51 -!- ralmar [n=john@200.25.129.80] has quit ["Leaving"]
17:02 -!- eliasp_ is now known as eliasp
17:15 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
17:15 < xp_prg> hi all, I have the client connecting to the server
17:16 < xp_prg> it can't ping any of the ip's the server can ping though
17:16 < xp_prg> is that a route issue on the client?
17:16 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
17:16 < krzie> pls explain that better
17:16 < krzie> maybe add an example
17:17 < xp_prg> like the box the openvpn server is running can ping 10.5.5.118
17:17 < krzie> and where is 10.5.5.118
17:17 < xp_prg> if I try to ping that ip address from the client it can't
17:17 < krzie> i cant magically understand your network
17:17 < xp_prg> on the network that the server is on
17:18 < krzie> did you push a route to the clients?
17:18 < xp_prg> I don't think so, sorry I am a little new to this
17:18 < krzie> push "route 10.5.5.0 255.255.255.0"
17:18 < krzie> in server config
17:18 < krzie> then restart both ends
17:19 < xp_prg> krzie can I just do it via the command line on the client right now?
17:19 < xp_prg> why do I have to restart everything?
17:19 < krzie> because you didnt set it up right!
17:19 < xp_prg> it can ping the server's ip
17:20 < krzie> listen or dont
17:20 < krzie> but i expect you came for help
17:20 < xp_prg> ok yes I did
17:20 < xp_prg> it is not clear to me what config file to add that line to
17:20 < krzie> in server config
17:25 < xp_prg> well I added that to the config file, client still can't ping that
17:25 < krzie> !configs
17:25 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:29 < xp_prg> sorry meeting, I will get that to you in like 30 - 60 minutes
17:42 -!- dupondje [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
17:42 < dupondje> !route
17:42 < vpnHelper> dupondje: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:42 < krzie> holy balls this buildworld takes FOREVER
17:44 < dupondje> I did setup openVPN server on a dedicated server, setup a client on a dd-wrt router and one on my laptop, from the router i can ping the server, from my laptop I can ping the server, but can't connect from laptop to router
17:44 < dupondje> any id's ?
:)
17:46 < krzie> the server needs a ccd entry with an iroute for the client with lan behind it
17:47 < krzie> the server also must push a route to that network
17:47 < krzie> which will only be pushed to the other client
17:47 < krzie> as fully explained in my routing writeup you saw at !route
17:47 < dupondje> push "route 192.168.3.0 255.255.255.0"
17:47 < dupondje> i have this on server config
17:47 < krzie> you also need an iroute
17:47 < krzie> !iroute
17:47 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
17:48 < dupondje> yea, the router (which contains network 192.168.3.*) has an iroute
17:48 < krzie> in a ccd entry?
17:48 < dupondje> yep
17:48 < krzie> is there another 192.168.3.x network anywhere?
17:48 < dupondje> no
17:48 < krzie> !configs
17:48 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:50 < dupondje> http://pastebin.com/d4ad3dc36
17:51 < krzie> you dont need #
17:51 < krzie> route 10.10.0.0 255.255.255.0
17:51 < krzie> which is implied by --server
17:51 < krzie> gimme logs from all 3
17:51 < krzie> !logs
17:51 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:53 < krzie> also im assuming that the router is the default gateway for the machines you are trying to access behind it
17:53 < krzie> also, the file kot_router is in ccd/kot_router, right?
17:54 < dupondje> yes
17:54 < dupondje> http://pastebin.com/d24a27bd9
17:54 < dupondje> this is log from my laptop
17:55 < dupondje> Wed May 20 00:53:49 2009 us=870846 laptop/194.78.167.235:44588 MULTI: Learn: 192.168.3.1 -> kot_router/194.78.167.235:2049
17:55 < dupondje> get this on server, seems nice no ? :x
17:55 < krzie> i need the log from when it starts
17:55 < krzie> the log you gave meant nothing
17:55 < dupondje> there is restarted the connection ... :p
17:56 < krzie> from start
17:56 < krzie> kill it, start it, send log
17:57 < dupondje> http://pastebin.com/d7149d165
17:59 < krzie> interesting
18:00 < krzie> try sniffing at the router, server, and box you are trying to access, then ping the machine you are trying to access
18:00 < krzie> see where it stops
18:00 < krzie> sounds like a firewall
18:01 < dupondje> only 1 port needs to be open @ server right ?
18:03 < dupondje> brb going to connect to router
18:03 -!- |dupondje| [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:04 -!- dupondje [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)]
18:04 -!- _dupondje_ [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:05 < krzie> oh on boxen with openvpn sniff the tun dev
18:05 < krzie> forgot to mention that
18:10 -!- _dupond3 [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
18:11 -!- |dupondje| [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 113 (No route to host)]
18:13 -!- _dupond3 [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)]
18:27 -!- _dupondje_ [n=kvirc@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
18:39 -!- sprax [n=rob@65.127.188.10] has joined ##openvpn
18:44 < sprax> so my client is connecting to the server and leasing an IP but it isn't getting any gateway.
Is that what "push route" is for?
18:45 < krzie> it shouldnt have a gateway being set unless you use --redirect-gateway
18:45 < krzie> !push
18:45 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:45 < krzie> so pushing a route would just add a route on the machine(s) it is pushed to
18:46 < sprax> I ran this on my client "route add 192.168.0.0 mask 255.255.255.0 192.168.0.1" and I can now ping 192.168.0.1
18:46 < sprax> I'm trying to figure out the push route command but the two examples I'm looking at have different numbers of parameters
18:46 < krzie> i highly doubt you needed 192.168.0.1 in that command
18:47 < sprax> probably not
18:47 < sprax> I'm not a routing wizard, but the command syntax said specify a gateway for a network address so I did it
18:47 < krzie> you should be looking at the manual for how many params, not examples from the web
18:47 < krzie> !man
18:47 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:47 < krzie> shouldnt the gateway be the vpn itself...
18:48 < krzie> or do you actually want the route you add with your vpn to not go over the vpn
18:48 < sprax> thanks krzie no man pages in win32
18:50 < sprax> does push make the remote client execute the command which precedes it?
18:50 < sprax> ok I think I bollocksed my grammar there...
18:50 < krzie> !push
18:50 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
18:51 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
18:53 < sprax> looks like route-gateway is my friend
18:55 -!- Digital7 [n=Owner@207-119-9-196.dyn.centurytel.net] has left ##openvpn []
18:57 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:59 < krzie> not likely
18:59 < krzie> whats your actual goal
19:00 < sprax> I'm following the ethernet bridging mini-howto
19:00 < sprax> I need two distant and separate networks to appear as one
19:01 < krzie> oh you're bridging
19:01 < sprax> but right now I would settle for being able to ping the remote VPN gateway without having to manually enter a route statement
19:01 < krzie> i cant be much help there
19:01 < sprax> no worries
19:02 < sprax> I think I've got it actually but I wont know for sure till I get to work tomorrow
19:02 < sprax> they ban IRC obviously and I'm still looking for a decent shell provider
19:02 < krzie> web irc
19:02 < sprax> web sense is satan
19:03 < sprax> (its a web content filtering service)
19:03 < krzie> by ip address
19:03 < sprax> denied
19:03 < sprax> proxied into oblivion
19:04 < sprax> anyway, worse things have happened. My own lame ISP has a monopoly over the building i'm in.
They have me behind a giant NAT and wont even sell me a public IP
19:04 < sprax> otherwise I would just put my debian box up and that would be that
19:34 < krzie> gotchya
19:34 < krzie> weaksauce
19:38 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:43 -!- blkry [n=blkry@97.95.233.232] has joined ##openvpn
20:23 < krzie> ohhhh actually i have a US postal order for $130
20:23 < krzie> doh /q
20:25 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
20:27 -!- enriq_ [n=enriq@33-138-235-201.fibertel.com.ar] has quit [Read error: 104 (Connection reset by peer)]
20:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
20:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
20:28 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
20:32 < endschranz> Hi, again I have bridged VPN. It seems that a broadcast from one client doesn't reach the other clients in the VPN. Does anyone have an idea?
20:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:48 -!- jeiworth [n=jeiworth@189.177.35.134] has quit [Read error: 54 (Connection reset by peer)]
21:00 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
21:48 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:59 -!- blkry [n=blkry@97.95.233.232] has left ##openvpn []
22:44 -!- xororand [n=xororand@2001:5c0:1501:f900:0:0:0:1] has quit ["bbl"]
22:59 -!- troy is now known as troy-
23:00 -!- troy- is now known as troy
23:06 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has joined ##openvpn
23:08 -!- Plecebo [n=larry@c-67-185-160-62.hsd1.wa.comcast.net] has left ##openvpn ["Leaving"]
23:12 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
--- Day changed Wed May 20 2009
00:04 -!- endschranz [n=Adium@195.16.244.188] has quit ["Leaving."]
00:12 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
00:20 -!- rofe [n=rofe@83.221.146.177] has quit ["Leaving"]
00:20 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
00:24 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
00:41 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
00:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:54 -!- sam_ [n=sam@222.66.224.110] has joined ##openvpn
01:02 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
01:33 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:35 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:35 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:37 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:37 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:39 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:39 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:41 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:41 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:43 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:43 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
01:45 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
01:46 -!- master_of_master [i=master_o@p549D33D7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D33E8.dip.t-dialin.net] has joined ##openvpn
02:21 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:23 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:23 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:25 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:25 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:27 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:27 -!- gebura
[n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:29 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:29 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:31 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
02:31 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:33 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
--- Log opened Wed May 20 07:04:02 2009
07:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
07:04 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
07:04 -!- Irssi: Join to ##openvpn was synced in 17 secs
07:08 < ecrist> morning, fuckers
07:19 -!- ashley_ [n=ashley@91-115-23-91.adsl.highway.telekom.at] has quit ["Leaving"]
07:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:04 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:07 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
08:39 -!- troy is now known as troy-
09:01 -!- kyrix [n=ashley@91-115-23-91.adsl.highway.telekom.at] has joined ##openvpn
09:04 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
09:05 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:05 < Hydrant> hello all... I'm looking at setting up some static IP's for vpn clients... I saw that I have to use the ccd directory... but I want to use static IPs from the same IP pool that dynamic IPs are drawn from, namely 10.8.x... is openvpn smart enough to not give an IP if it's static in one of the ccd files?
09:14 < Bushmills> Hydrant, seems so. i haven't had collisions
09:15 < ecrist> Hydrant: it probably is, but it's just as easy to add another subnet for the static IPs
09:15 < Hydrant> it looks smart from the logs
09:15 < ecrist> I've got two /24 subnets at our office, one is for dynamic IPs and the other is used for the static IPs.
09:16 < Hydrant> I kinda want all VPN clients to be static
09:16 < Hydrant> so I might just go that route
09:16 < Hydrant> I have been pretty impressed by how reliable openvpn is so far
09:16 < Hydrant> I've been making changes to openvpn configs (carefully) remotely and reloading them, and things have recovered well
09:17 < Hydrant> I have noticed that TTL=61 for some packets going through the VPN
09:17 < Hydrant> I wonder if that's a cause for concern or not
09:17 < Hydrant> there shouldn't be that many hops :-(
09:30 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:33 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Client Quit]
09:49 -!- martinvw [n=mwittich@193.175.26.176] has joined ##openvpn
09:52 < martinvw> Regarding the float option: what does it do in a client config? Will it cause the client to ignore server IP changes, will it cause the server to ignore client IP changes, or won't it do anything at all? Config looks like this atm: http://pastie.org/private/bed2r7w9weilsjmyj5xxva
09:59 -!- martinvw [n=mwittich@193.175.26.176] has left ##openvpn []
10:06 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn
10:16 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Excess Flood]
10:17 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:32 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
10:37 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
10:38 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
10:39 -!- troy- is now known as troy
10:39 -!- kyrix [n=ashley@91-115-23-91.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:40 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has joined ##openvpn
10:43 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
11:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:10 -!- jeiworth
[n=jeiworth@189.177.35.174] has quit [Read error: 54 (Connection reset by peer)]
11:13 -!- floyd_n_milan [n=mrugesh@unaffiliated/floydnmilan/x-000001] has left ##openvpn ["Brain damage."]
11:14 -!- jeiworth [n=jeiworth@189.177.35.174] has joined ##openvpn
11:46 -!- jeiworth [n=jeiworth@189.177.35.174] has quit [Read error: 60 (Operation timed out)]
12:14 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
12:23 -!- jeiworth [n=jeiworth@189.234.82.72] has joined ##openvpn
12:25 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
12:28 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:29 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has joined ##openvpn
12:36 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
12:45 -!- troy is now known as troy-
12:47 -!- BoomerET [n=TheRealF@74.85.24.234] has joined ##openvpn
12:48 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
12:48 < BoomerET> I need to stop a user from using openvpn. The prior admin removed the .crt/csr/key files from easy-rsa/keys, but the user still gets in, how do I revoke this user?
12:59 < nate> http://openvpn.net/index.php/documentation/howto.html#revoke
13:00 < vpnHelper> Title: HOWTO (at openvpn.net)
13:00 < nate> been over that?
13:04 < reiffert> Landon Fuller was releasing an unpatched java exploit for OS X, jesus!
13:04 < reiffert> Hopefully we'll get a recent java on 10.4 now
13:04 < BoomerET> nate, thanks, but I get the error that the certificate can't be found, because it was deleted
13:05 < BoomerET> Yes, I'm on that page right now ( and have been for the past 20 mins or so)
13:05 < nate> mark it down as another "WTF" of ovpn..
13:05 < nate> my list is getting quite large
13:10 < reiffert> BoomerET: check your backup for the deleted .crt and .key file.
13:10 < reiffert> nate: it's a matter of openssl and not a WTF ovpn question.
13:12 < BoomerET> Ahh
13:12 < BoomerET> Thank you
13:12 < reiffert> nate: while waiting for BoomerET's backup please tell me about your wtf list..
13:13 < BoomerET> Ok, I found a few of the deleted files :)
13:14 < BoomerET> Hmm, there's a bunch of .pem files in the keys dir.
13:15 < BoomerET> Maybe I should learn more about this OpenVPN stuff :)
13:16 < reiffert> OpenSSL.
13:16 < BoomerET> Ok, I got most of them, but didn't have backups for certificates issued over 2 months ago
13:16 < BoomerET> Thanks
13:16 < reiffert> Especially the x509 part.
13:20 < reiffert> However, revoking a certificate where you dont have the crt file sounds quite impossible to me, but feel welcome to stay and await answers from people with more experience.
13:22 < reiffert> BoomerET: you might want to check /usr/share/doc/openvpn/examples/easy-rsa/**/keys/ as well
13:23 < ecrist> you don't need the CRT to revoke the certificate
13:27 -!- BadPtr [n=Mathieu@66-254-37.66.altaspectra.com] has joined ##openvpn
13:27 < BoomerET> Well, it's saying it's unable to load the certificate, so how do I revoke access without it?
13:27 < BadPtr> !configs
13:27 < vpnHelper> BadPtr: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:27 < ecrist> BoomerET: you need the CA certificate and the CA key
13:27 < ecrist> not the client certificate
13:28 < BoomerET> I have those of course
13:28 < reiffert> ecrist: from what I read you need the crt file: openssl ca -revoke bad_crt_file -keyfile ca_key -cert ca_crt
13:31 < BadPtr> is there any option to specify the DHCP range to push to clients?
13:31 < BadPtr> I have a few clients with their own CCDs but others are using a shared key and are getting issued already assigned IPs
13:31 < ecrist> reiffert: you're right, I was reading another part of my code.
:(
13:31 < ecrist> BoomerET: pull the certificate out of backups and you're good to go
13:32 < BoomerET> ecrist, I don't have them all, only a couple
13:32 < BoomerET> This goes back to the admins before me.
13:32 < ecrist> ah, that would be a mistake on your part
13:32 < ecrist> or the other admins
13:32 < BoomerET> Both
13:33 < ecrist> in your case, you need to create a new CA, and reissue certificates
13:33 < ecrist> *or* also use a secondary authentication method
13:34 < BoomerET> not as easy as just create new certificate w/ same name, and revoke that :(
13:34 < ecrist> nope
13:34 < ecrist> well, you probably could do some fiddling with the index file, but you'd have to know the serial number of the certificate you wanted to revoke.
13:34 < BoomerET> I do
13:34 < ecrist> and I'm not sure that'll even work.
13:35 < ecrist> could give it a try
13:35 < ecrist> create a new certificate with the serial number in question, and revoke that.
13:36 < ecrist> the CRL really just tracks serial number and date revoked.
13:36 < BoomerET> The serial # is in the .pem files, and it also contains my user names
13:36 < ecrist> BoomerET: what OS?
13:36 < BoomerET> FreeBSD
13:37 < ecrist> there's an app some guy wrote that'll manage your keys for you
13:37 < ecrist> it's in ports, security/ssl-admin
13:37 < ecrist> it keeps all the certificates, keys, and will even zip them and a config up for your users.
13:38 < BoomerET> Thanks
13:39 < BoomerET> I'm not real strong on FreeBSD, more of a Redhat/Debian guy.
13:39 < ecrist> can't expect everyone to be perfect. :)
13:45 -!- endschranz [n=Adium@195.16.244.188] has joined ##openvpn
13:46 -!- endschranz [n=Adium@195.16.244.188] has left ##openvpn []
13:46 -!- bb_1 [n=Adium@195.16.244.188] has joined ##openvpn
13:47 < bb_1> Hi, can anyone help me redirecting 255.255.255.255 on the client to the vpn broadcast?
13:47 -!- c64zottel [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has joined ##openvpn
13:49 < bb_1> I need this because of some lan games.
13:57 < ecrist> bb_1 sure, use TAP
13:57 < ecrist> not TUN
13:57 < bb_1> ecrist: I am using tap
13:57 < bb_1> ecrist: when i ping 10.8.0.255 (vpn broadcast) the clients answer
13:58 < bb_1> when i ping 255.255.255.255 only the lan clients answer
13:58 < BoomerET> Ahhh, the XX.pem seems to be the .crt files I need!!!
13:58 < BoomerET> Success, thanks for the help.
13:58 -!- jackc [n=jackc@ma.us.nanog.net] has joined ##openvpn
13:59 -!- dazo_ [n=dazo@nat/redhat/x-df041390ac41a126] has joined ##openvpn
14:00 < jackc> what's the "right" way to setup the init scripts and confs on a debian box term'ing $several tunnels?
14:03 < ecrist> bb_1: what other clients are you expecting to answer?
14:03 < bb_1> all other clients in the vpn
14:03 < ecrist> do you have client-to-client on the server config?
14:04 < bb_1> yes
14:04 < ecrist> is the firewall allowing such traffic?
14:04 < bb_1> every client can ping every other client
14:04 < bb_1> ecrist yes
14:04 < BoomerET> ecrist, thanks so much, certs revoked, crl.pem copied to appropriate place, user not allowed in.
14:04 < ecrist> BoomerET: I'd still recommend that port, btw
14:04 < ecrist> glad you got it figured out
14:05 < BoomerET> I'll definitely look into it, appreciate the help.
14:05 < ecrist> bb_1: something's blocking the traffic
14:06 < bb_1> ecrist: when i ping 10.8.0.255 everybody in the network answers
14:06 < bb_1> ecrist: but ping 255.255.255.255 fails
14:06 < bb_1> ecrist: or doesn't affect the tap device
14:08 < ecrist> is your firewall completely disabled?
14:08 < bb_1> ecrist: yes 14:09 -!- dazo_ [n=dazo@nat/redhat/x-df041390ac41a126] has quit ["Leaving"] 14:09 -!- dazo_ [n=dazo@nat/redhat/x-642e619ee5b4898c] has joined ##openvpn 14:10 < ecrist> bb_1: either the kernel or the firewall would be blocking those packets, I think 14:10 < ecrist> !configs 14:10 < ecrist> !logs 14:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 14:10 -!- kyrix [n=ashley@188-23-180-163.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 14:11 -!- dazo_ [n=dazo@nat/redhat/x-642e619ee5b4898c] has quit [Client Quit] 14:11 -!- dazo_ [n=dazo@nat/redhat/x-0bac23b51de2d650] has joined ##openvpn 14:11 -!- kyrix [n=ashley@188-23-65-177.adsl.highway.telekom.at] has joined ##openvpn 14:11 < bb_1> server.conf 14:11 < bb_1> http://pastebin.com/m1b672300 14:11 -!- dazo [n=dazo@nat/redhat/x-1f91edc3c30070cd] has quit [Read error: 113 (No route to host)] 14:12 -!- troy- is now known as troy 14:12 < bb_1> client.conf http://pastebin.com/m19a03a06 14:14 -!- dazo_ is now known as dazo 14:14 -!- kyrix [n=ashley@188-23-65-177.adsl.highway.telekom.at] has quit [Client Quit] 14:16 < bb_1> openvpn.log http://pastebin.com/d5558566a 14:16 < ecrist> bb_1: can you give me the output for the tap device on the client, please 14:16 < bb_1> ecrist: one moment pls 14:17 < bb_1> ecrist: http://pastebin.com/d39837cf8 14:20 -!- bb_1 [n=Adium@195.16.244.188] has quit ["Leaving."] 14:20 -!- bb_2 [n=Adium@195.16.244.188] has joined ##openvpn 14:20 < bb_2> ecrist: any ideas? 
14:21 -!- bb_2 [n=Adium@195.16.244.188] has left ##openvpn [] 14:21 -!- bb_2 [n=Adium@195.16.244.188] has joined ##openvpn 14:22 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 14:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:23 < xp_prg> hi all, I have a client that is connecting to a server, they can ping each other, yet the client can't ping 10.5.5.118 but the server can, I put push "route 10.5.5.0 255.255.255.0" in the server and route shows this on the client, I am confused what the issue is, any ideas? 14:23 < ecrist> bb_2: researching 14:23 -!- BoomerET [n=TheRealF@74.85.24.234] has left ##openvpn [] 14:25 < bb_2> bb_2: seem to be a client problme 14:27 < ecrist> bb_2: from the man page: 14:27 < ecrist> Don't use --server if you are ethernet bridging. Use --server-bridge instead. 14:28 < bb_2> ecrist: ok good to know, just did it for testing had server-bridge before 14:28 < ecrist> that might be your problem 14:29 < xp_prg> ecrist can you help me too? :> 14:29 < ecrist> xp_prg: I don't have nearly enough information about your config 14:29 < ecrist> what address range is your vpn using for clients? 14:29 < xp_prg> ok let me pastebin it, one sec 14:31 -!- bb_1 [n=Adium@195.16.244.188] has joined ##openvpn 14:31 -!- bb_2 [n=Adium@195.16.244.188] has quit [Read error: 104 (Connection reset by peer)] 14:31 < xp_prg> http://pastebin.com/d6c3ee8a5 14:32 < ecrist> xp_prg: you need to enable ip forwarding on the server, and make sure the traffic is allowed through the firewall 14:32 < xp_prg> ecrist how do I enable ip forwarding on the server, is that in the openvpn config? 14:33 < ecrist> no, it's an OS config 14:33 < ecrist> what OS are you using? 14:33 < xp_prg> centos/linux 14:33 < xp_prg> that is an iptables command right? 14:33 < ecrist> no 14:33 < xp_prg> is it a route command? 
14:33 < ecrist> in /proc, enable ip_forwarding 14:33 < ecrist> !ipforward 14:33 < vpnHelper> ecrist: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 14:34 < ecrist> !linipforward 14:34 < vpnHelper> ecrist: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 14:34 < xp_prg> awsome, I will try that :> 14:34 < xp_prg> ecrist if I want my openvpn clients to use dhcp I need to use bridged mode right? 14:34 < ecrist> yes 14:34 < xp_prg> would I still need forwarding if I am doing that? 14:35 < ecrist> but simply for DHCP is a silly reason to use bridged vpn 14:35 < xp_prg> oh ok, brb, sorry 14:35 < ecrist> xp_prg: no, but bridged is harder to configure 14:47 < xp_prg> can non-bridged to dhcp? 14:48 < xp_prg> to = do 14:50 < xp_prg> well I added the 1 to ip_forward, still can't ping that server, I guess it is a firewall issue 15:13 < Bushmills> xp_prg, yes. if really necessary, check out dhcp3-relay 15:13 < xp_prg> Bushmills I am so lost with this network route stuff, can you assist? 15:14 < Bushmills> but ecrist did already. first of all, he recommended routed setup, not bridged setup. 15:14 < xp_prg> yes I am using routed setup 15:14 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:14 < Bushmills> oh, ok. i misread. 
15:14 < xp_prg> I can ping the server from the client but not an external host that the server can ping 15:14 < Bushmills> !route 15:14 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:14 < xp_prg> I setup ip forwarding on the server as ecrist suggested 15:15 < xp_prg> ok 15:15 < Bushmills> http://scarydevilmonastery.net/masq 15:15 < bb_1> ecrist: thx for your help, i fixed the issue 15:19 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:36 -!- c64zottel [n=hans@p5B17AEA4.dip0.t-ipconnect.de] has quit ["Leaving."] 15:47 -!- BadPtr [n=Mathieu@66-254-37.66.altaspectra.com] has left ##openvpn ["Quitte"] 16:01 -!- bb_1 [n=Adium@195.16.244.188] has left ##openvpn [] 16:14 < xp_prg> got it to work :> 16:14 < xp_prg> thanks all who helped :> 16:18 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:34 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 16:38 -!- jeiworth_ [n=jeiworth@189.177.124.10] has joined ##openvpn 16:38 -!- jeiworth [n=jeiworth@189.234.82.72] has quit [Read error: 54 (Connection reset by peer)] 16:45 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 16:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 16:56 -!- troy is now known as troy- 17:00 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc16 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 17:08 < krzie> whoaaa 17:08 < krzie> r16 is out... 17:08 < krzie> ill hafta checkout the changelog when i get a min 17:08 < krzie> was that today? 
17:08 < reiffert> and the usual promise to get 2.1 out soon
17:08 < reiffert> 2 days ago IIRC
17:08 < krzie> nice
17:09 < krzie> thx for the headsup =]
17:09 < krzie> havnt read my email for a lil
17:11 < krzie> i pulled a straight dumbass maneuver
17:11 < krzie> forgot my pw into one of my servers
17:12 < krzie> i set it up a couple months ago and hadnt logged in since... i really should be storing them encrypted somewhere
17:13 -!- jeiworth_ [n=jeiworth@189.177.124.10] has quit [Read error: 60 (Operation timed out)]
17:13 < krzie> for someone like me who would tease someone for that, thats pretty bad
17:13 -!- troy- is now known as troy
17:13 < krzie> so i feel a need to tease myself for it, lol
17:14 < reiffert> ssh agent
17:16 < reiffert> if such a thing occurs at one of my hetzner.de servers, I could reboot the machine, boot int a rescue system with a one time password and regain whatever it needs.
17:16 < reiffert> s,int,it into,
17:17 < krzie> right, im gunna need ecrist to do that for me now, but it sucks to be a pita
17:17 < krzie> cause hes local and my only ipkvm is in san diego
17:18 < reiffert> so he's installing kernel modules that grab all your tty strokes?
17:18 < krzie> and since im in no hurry im sure he wont be mad or anything, but still i dont like to pull lameness like that
17:18 < krzie> lol nah if i didnt trust him it wouldnt be there
17:18 < project2501a> hey guys
17:19 < krzie> sup project2501
17:19 < project2501a> just to confirm please: does a timeout count as a disconnect?
17:19 < project2501a> hey krzie
17:19 < krzie> what do you mean by timeout
17:19 < reiffert> project2501a: it does not.
17:19 < project2501a> damn
17:19 < krzie> reiffert, even when its caused by a keepalive?
17:19 < project2501a> reiffert, krzie : i wanna use the --connect-client and --disconnect-client options
17:19 < project2501a> to log connections and disconnections into a database
17:20 < reiffert> e.g. "Hey girl, bring me some coffee within the next 5 minutes" and she times out, that doesnt mean that my coffee is disconnected.
17:20 < krzie> lol!
17:20 < project2501a> heh
17:20 < project2501a> sexist comment :P
17:20 < krzie> ya we dont get many girls in here tho
17:20 < project2501a> my all-wise supervisor said that i should grep the log for connections and timeouts
17:20 < project2501a> "that is reliable"
17:20 < project2501a> i was like wtf
17:21 < reiffert> tell him to learn about the openvpn log.
17:21 < project2501a> he doesn't want to
17:21 < reiffert> and tell him further to get rid of his ancient 2.0.9 openvpn.
17:21 < krzie> thats why he pays people to do the work =]
17:21 < project2501a> hehehe
17:21 < project2501a> reiffert: about to do a dist-upgrade
17:21 < reiffert> project2501a: 2.0.9 is stable since ... 4 years.
17:22 < reiffert> 3.5?
17:22 < project2501a> reiffert: apparently he says "you don't upgrade production machines, because they are stable!"
17:22 < project2501a> reiffert: 3.5 ?
17:22 < krzie> true for many things, not for openvpn
17:22 < krzie> 3.5 yrs
17:22 < project2501a> i have been trying to introduce a 6-month upgrade cycle
17:22 < reiffert> project2501a: hell yeah, I keep an ancient 3.5 year old software just because it's stable and I need to write all scripts around missing features!
17:22 < project2501a> reiffert: hehehehee, welcome where i work
17:23 < krzie> in openvpn the latest rc is stable (in my experience, rc16 is only out for 2 days so i cant speak on that yet)
17:23 < project2501a> the other excuse is "security reasons!"
17:23 < reiffert> project2501a: 3.5 years with no security update.
17:23 < reiffert> improvement
17:23 < krzie> run 3.5 yr old software for security reasons!?
17:23 < project2501a> ok, let me give you some intro
17:23 < reiffert> openssl was broken like hell these days.
17:24 < project2501a> basically he's wonder boy for the company
17:24 < project2501a> or at least that's what he projects
17:24 < reiffert> so am I. I'm using 2.1rc15.
17:24 < project2501a> kind of guy that says "losers try, winners take home the prom queen and fuck her"
17:24 < project2501a> etc etc etc
17:24 < project2501a> very showy
17:24 < krzie> i figure real winners take her the next day when the guy who took her home is at work
17:25 < project2501a> hehe :D
17:25 < project2501a> krzie: that's what i figure as well
17:25 < krzie> the "winner" can deal with her on a daily basis, real winner just pops in on occasion ;]
17:25 < project2501a> the best description for this guy is "i am"
17:25 < project2501a> ego the size of jupiter
17:25 < krzie> hehe
17:25 < project2501a> exactly
17:25 < project2501a> i mean, ok, i understand i'm not the best out there
17:26 < project2501a> and i try to learn
17:26 < project2501a> and i don't have an elite attitude
17:26 < project2501a> no reason to
17:26 < project2501a> anyway
17:26 < project2501a> --client-connect
17:26 < project2501a> if i add client-connect to the server will the timeout count as a disconnection?
17:26 * reiffert doesnt support 2.0.9
17:27 < krzie> i think reif answered your question
17:27 < krzie> reif, what would he use in latest RC?
17:27 < reiffert> "Hey boss, they dont support 2.0.9"?
17:29 < reiffert> krzie: didnt they add some env variables to connect disconnect scripts? "script security" they were...
17:29 < krzie> i believe they did
17:30 < project2501a> i'll have to upgrade the damn thing
17:30 < project2501a> but
17:30 < project2501a> in the meantime, can you please save my ass? :D
17:30 < krzie> reiffert, but didnt you say that the timeout wouldnt trigger disconnect?
17:30 < krzie> so those scripts wouldnt run
17:30 < reiffert> krzie: you call 911 and I'll get a new superman shirt.
17:30 < project2501a> LOL
17:31 < krzie> i dunno if 911 does anything here
17:31 < project2501a> can i have indiana jones instead?
17:31 * project2501a is dead tired after 2 hours of karate practice
17:31 < project2501a> *sigh*
17:31 < project2501a> i'll just go ahead and test them
17:31 < krzie> i just asked someone from here and he said "i think it is"
17:31 < krzie> lol
17:31 < krzie> then he said "not sure if it works tho"
17:31 < krzie> (referring to 911)
17:32 < reiffert> hehe
17:32 < krzie> ive only been here 2 yrs, and i am the type to grab a gun not call 911
17:32 < project2501a> me too
17:33 < project2501a> the place i work is a very "now now now" workplace
17:33 < project2501a> maintainability is something they laugh at
17:33 < reiffert> ah, thats why Peter Tosh had to die, eh?
17:33 < project2501a> peter tosh?
17:33 < project2501a> did he die for my sins, as well?
17:34 < krzie> didnt he sing reggae?
17:34 < reiffert> read up his death, it's funny.
17:34 < project2501a> ah! steppin' razor!
17:35 < project2501a> http://www.youtube.com/watch?v=mQdui7PIgpo
17:35 < vpnHelper> Title: YouTube - Damian Marley ft Stephen Marley & Capleton - It Was Written (at www.youtube.com)
17:35 < project2501a> win
17:35 < reiffert> Legalize it ...
17:35 < reiffert> most famous Peter Tosh song ever
17:36 < reiffert> but now back to what I was about to do hours ago
17:36 < reiffert> get my last beer and smoke a cigarette and watch the sky.
17:37 < krzie> nice
17:37 * krzie switches the cig for a blunt
17:37 < krzie> in honor of the peter tosh song of course ;]
17:38 * reiffert raises the original LP
17:38 < krzie> you blaze reif?
17:39 * project2501a smoked a Cohiba Siglo II today
17:39 < project2501a> listening to righteous dub
17:39 < project2501a> no booze though
17:39 < project2501a> can't drink
17:39 < reiffert> my translator doesnt give me good explanation for to blaze?
17:39 < krzie> werd, i live in the caribbean so a cohiba is easy to get
17:39 < krzie> ahh, smoke weed
17:39 < project2501a> to toke
17:40 < krzie> its slang, i forget english isnt your first lang cause you speak it so well
17:40 < project2501a> hail mary
17:40 < project2501a> krzie: where are you from?
17:40 < reiffert> Let's say every odd year nowadays
17:40 < reiffert> +once
17:40 < krzie> california orig
17:40 < project2501a> <-- new jeruz
17:40 < krzie> ahh cool
17:40 < project2501a> newark <3
17:40 < krzie> reif, if i ever make it to .de we gotta blaze one ;]
17:41 < reiffert> sure we do!
17:41 < krzie> and drink some of Bushmills's homebrew
17:41 < krzie> !!
17:41 < vpnHelper> krzie: Error: "!" is not a valid command.
17:41 < krzie> i'd like to make it to .de, its on the list
17:41 < project2501a> ich moochte Bushmill beir nicht
17:41 < project2501a> !-2
17:42 < vpnHelper> project2501a: Error: "-2" is not a valid command.
17:42 < krzie> whoa you speak german!?
17:42 < project2501a> I speak Greek, English, Spanish, Italian, German and some japanese
17:42 < krzie> damn, impressive
17:42 < project2501a> nah
17:42 < project2501a> just things i picked up
17:42 < project2501a> when you're a geek ;)
17:42 < project2501a> i call it lack of gf
17:42 < krzie> lol
17:43 < krzie> my gf is the main reason my spanish is so good
17:43 < project2501a> oy, papi
17:43 < krzie> then again she speaks spanish and we live in a spanish speaking area
17:44 < project2501a> i need some trinidad
17:44 < project2501a> especially the no 3
17:44 < project2501a> but i don't need any trinidadian women
17:44 < project2501a> away!
17:46 < reiffert> Bier, "Beir" is more like the "Bi" just like in "Bicycle" and would sound like "Bavarian"
17:47 < reiffert> "He is a real bavarian guy" - "Er ist ein Bayer"
17:47 < krzie> from what ive read german is the lang english most resembles
17:47 < krzie> in regards to sentence structure and whatnot
17:49 < reiffert> Oh should have seen Netherlands then!
17:49 < reiffert> It's a total mixture from both
17:49 < reiffert> Bushmills's talking netherlands perfectly.
17:49 < reiffert> almost
17:51 < krzie> that dude is smart as hell
17:51 < krzie> you guys met online orig?
17:51 < reiffert> jup
17:51 < project2501a> german is english + ancient greek
17:51 < project2501a> and very orthogonal.
17:51 < reiffert> when I was teaching myself programming microcontrollers, Bushmills was helping me quite a lot
17:52 -!- acton [n=tyler@li4-115.members.linode.com] has quit [Remote closed the connection]
17:53 < krzie> im careful not to say german is like english since i believe english took from german and not the other way
17:53 < reiffert> uh, time for the beer and cig now
17:53 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:54 < krzie> enjoy
18:04 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:04 -!- project2501b [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
18:17 -!- boney_ [n=boney@81-235-226-119-no91.tbcn.telia.com] has quit [Remote closed the connection]
18:25 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
18:39 < krzie> !route
18:39 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:44 < krzie> !tcp
18:44 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:44 < reiffert> !factoids search *
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < reiffert> !factoids search **
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < reiffert> !factoids search %
18:44 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:44 < krzie> =/
18:44 < reiffert> !factoids search .
18:44 < vpnHelper> reiffert: "2.1-winpass-script" is http://article.gmane.org/gmane.network.openvpn.user/24575
18:44 < reiffert> hehe
18:45 < krzie> !factoids search win
18:45 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', and 'win_ipfail'
18:46 < reiffert> !factoids search a
18:46 < vpnHelper> reiffert: 'faq', 'sample', 'insanity', 'mail', 'ask', 'winpass', 'pastebin', 'lans', 'netman', 'path', 'ssl-admin', 'tls-auth', 'samba', 'betaman', 'download', 'tap', 'mac', 'win_noadmin', 'static', 'dynamicfirewall', 'nat', 'hmac', 'winipforward', 'fragment', '2.1-winpass-script', 'activedirectory', 'iptables', 'all', 'mactuntap', 'easy-rsa-unix', 'linipforward', 'linnat', 'man', 'wintaphide',
18:46 < vpnHelper> reiffert: 'firewall', 'solaris', 'lintrafaccnt', 'fbsdjail', 'local', 'tunortap', 'shorewall', 'broadcast-relay', 'password', 'authpass', 'firestarter', 'interface', 'allinfo', 'obsdtap', 'notcompat', 'fbsdnat', 'ipforward', 'fbsdipforward', 'eurephia', 'winnat', 'samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet', 'samesubnet', 'access-server', and
18:46 < vpnHelper> reiffert: 'win_ipfail'
18:46 < reiffert> we should transfer the factoid results to privmsg, shouldnt we?
18:47 < krzie> feel free to code it =]
18:47 < krzie> its running supybot with factoids plugin
18:47 < krzie> python
18:47 < krzie> but you can get them in msg
18:47 < krzie> just need to ask the bot in msg
18:48 < krzie> and its really made for outputting to channel in most cases
18:48 < krzie> since we most often use the commands to say something to others
18:48 * reiffert = no python
18:48 < reiffert> os.exec.system("/usr/bin/perl -wle 'do whatever it take'");
18:49 < krzie> so really what you requested already exists
18:50 < krzie> you just have to use it the way you want it
18:50 < reiffert> 7topic please dont use !factoids search on the channel, use /msg vpnHelper !hi instead?
18:50 < krzie> [msg(vpnHelper)] factoids search ##openvpn win
18:50 < krzie> [vpnHelper(i=vpn@unaffiliated/krzee/bot/vpnhelper)] 'winroute', 'winpass',
18:50 < krzie> 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script',
18:50 < krzie> 'wintaphide', 'wins', 'win7', 'winnat', and 'win_ipfail'
18:53 < krzie> nobody but us use factoids search anyways
18:53 < krzie> at least not that ive ever seen
18:54 * krzie expects a flood of randoms to use it once they read that
18:54 < krzie> lol
20:00 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:00 < Dougy> hey
20:06 < krzie> heyyyyyy
20:06 < krzie> hoooo
20:07 < krzie> heyyyyyy
20:07 < Dougy> :(
20:07 < krzie> hoooo
20:07 * krzie waves his arms in the air
20:07 < Dougy> i have the flu
20:07 < Dougy> :<
20:07 < krzie> swine flu?
20:07 < Dougy> i hope not
20:07 < krzie> you know it hit NY
20:07 < Dougy> nj too
20:07 < krzie> at least made it there
20:08 < Dougy> http://bergennow.com/index.php/20090520321/Fort-Lee/Fort-Lee-NJ-New-Jersey-swine-flu-school-closed-closing-Board-of-Education.html
20:08 < vpnHelper> Title: Fort Lee school shut due to swine flu to remain closed past Memorial Day | Fort Lee : Bergen County News : New Jersey : NJ : Bergen County Newspapers (at bergennow.com)
20:08 < Dougy> thats only a few mins away
20:08 < krzie> so THATS what bergen is
20:08 < Dougy> ??
20:09 < krzie> bergenhosting
20:09 < krzie> i had no clue what bergen was
20:09 < Dougy> oh
20:09 < Dougy> you could have asked
20:09 < Dougy> lol
20:09 < krzie> i also coulda googled
20:09 < krzie> but yanno, didnt matter
20:09 < Dougy> box still runnin?
20:09 < krzie> aye
20:09 < Dougy> good
20:09 < krzie> slowly installing my mailserver
20:09 < Dougy> decently quick ?
20:10 < krzie> its as good as it needs to be
20:10 < krzie> buildworld took like all day, but its not like that matters
20:10 < krzie> not exactly a daily activity
20:10 < Dougy> its an old celeron, what do you expect
20:10 < Dougy> lol
20:10 < krzie> right
20:10 < krzie> and honestly i could run the mailserver on a p1 and it would be fine
20:11 < Dougy> p1 lol
20:11 < Dougy> i think build world would break it
20:11 < krzie> umm, no
20:11 < krzie> i ran fbsd on p1
20:11 < krzie> works fine
20:11 < Dougy> oO
20:11 < Dougy> omg :(
20:11 < Dougy> i have this nasty cough that hurts like a mfoo
20:11 < Dougy> mofo
20:11 < krzie> hehe you're too young to remember when p1 was the best around
20:12 < Dougy> wasnt p1 befor eme
20:12 < Dougy> before me
20:12 < krzie> but it was once like "ooooo thats a pentium!"
20:12 < krzie> hrm, it very well may have been
20:12 < Dougy> there's a commodore 32 in my attic
20:35 -!- troy is now known as troy-
20:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
20:51 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
20:54 -!- troy- is now known as troy
20:55 -!- FirstSgt [n=chris@68-118-209-12.dhcp.omak.wa.charter.com] has joined ##openvpn
20:55 < FirstSgt> !howto
20:55 < vpnHelper> FirstSgt: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:56 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
21:00 -!- mRCUTEO [i=IRCLUNAT@58.26.212.155] has joined ##openvpn
21:01 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
21:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn
21:09 < mRCUTEO> hiya all
21:09 < mRCUTEO> tjz :D
21:09 < mRCUTEO> krzie
21:09 < mRCUTEO> L:D
21:11 -!- mRCUTEO [i=IRCLUNAT@58.26.212.155] has quit []
21:13 < FirstSgt> i can't ping the tun0 (server's) ip. it says operation not permitted
21:18 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)]
21:53 -!- Solver [n=robert@CPE0050fcc6a940-CM001cea35fd4e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
23:28 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
23:29 -!- troy [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)]
23:31 -!- troy [n=troy@worldnet.tauri.ca] has joined ##openvpn
--- Day changed Thu May 21 2009
00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:17 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)]
00:19 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
00:49 -!- endra [n=endra@unaffiliated/endra] has joined ##openvpn
00:49 < endra> hey
00:49 < endra> !logs
00:49 < vpnHelper> endra: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:49 < endra> !configs
00:49 < vpnHelper> endra: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:50 < endra> !redirect
00:50 < vpnHelper> endra: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:50 < endra> !ipforward
00:50 < vpnHelper> endra: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
00:50 < endra> !linipforward
00:50 < vpnHelper> endra: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
00:50 < endra> mattafucka
00:50 < endra> i knew my config was right
00:50 < endra> this is the most helpful bot i've ever seen.
00:52 < endra> !nat
00:52 < vpnHelper> endra: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
00:52 < endra> !linnat
00:52 < vpnHelper> endra: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
00:53 < endra> sweet, trying now, brb
00:53 -!- endra [n=endra@unaffiliated/endra] has quit [Client Quit]
01:05 -!- endra [n=endra@unaffiliated/endra] has joined ##openvpn
01:05 < endra> hey
01:05 < endra> is anyone around at this time
01:05 < endra> someone once told me openvpn would work on port 53 (udp) wherever you are able to resolve hosts using a custom DNS server
01:06 < endra> like nslookup google.com 4.2.2.1
01:07 < endra> openvpn works great now but when I try it on this one specific wireless connection, which does allow such a dns lookup, I get these errors in client console: Authenticate/Decrypt packet error: missing authentication info
01:07 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
01:13 < dan__t> openvpn[26575]: client1/70.190.236.151:41501 MULTI: bad source address from client [192.168.143.128], packet dropped
01:13 < dan__t> hmmm
01:13 < dan__t> Yet I don't want to use redirect-gateway
01:13 < dan__t> I just want this one specific route through openvpn
01:24 < dan__t> Yep that blows.
01:30 < dan__t> What the FUCK.
01:30 < dan__t> Thank you, ambiguity.
01:31 -!- endra [n=endra@unaffiliated/endra] has quit [Read error: 110 (Connection timed out)]
01:36 < dan__t> krzzzzieieiziezieieiee wake up.
01:46 -!- master_of_master [i=master_o@p549D33E8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:50 -!- master_of_master [i=master_o@p549D3D3D.dip.t-dialin.net] has joined ##openvpn
02:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
02:22 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
02:31 < dan__t> Just read your article at http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing, krzie. Does not appear to help my particular situation.
02:31 < dan__t> Even when using iroute
02:32 < tjz> hey guys
02:34 < dan__t> Hi.
02:39 < dan__t> Fuckit. Bedtime.
02:39 < dan__t> Later.
02:45 < dan__t> Or not. God damnit.
02:47 < dan__t> So...
02:59 < tjz> lol
03:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
03:41 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has joined ##openvpn
03:42 < aditsu> hi, what is a "challenge password"? (when running build-key)
03:49 < dazo> aditsu: a password so difficult it will challenge you for the rest of your life whenever you need to remember it? :-P
03:52 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
03:54 < aditsu> har har
04:05 < aditsu> nobody knows?
04:05 < aditsu> another question: how can I delete a certificate?
04:32 < aditsu> what is the "database" that it updates every time I build a new client key?
04:46 -!- c64zottel [n=hans@p5B17B1A8.dip0.t-ipconnect.de] has joined ##openvpn
04:46 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.16/2009040213]"]
04:46 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
04:48 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
05:19 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has joined ##openvpn
05:20 < aditsu> how can I add, change or remove a client password in linux?
05:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:26 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
05:29 < Bushmills> aditsu, without auth-user-pass-verify i assume your password is simply the key phrase the private key is protected with.
05:29 < Bushmills> means, those aren't stored on the server at all
05:29 < Bushmills> to change those, issue a new key
05:31 < aditsu> Bushmills: isn't there a way to just change it on the client side?
05:31 < Bushmills> i am not aware of one, try #ssl or #tls
05:31 < aditsu> I think the windows openvpn gui does it
05:46 -!- alpha_one_x86 [n=user@213.151.167.252] has joined ##openvpn
05:47 < alpha_one_x86> Hello, where can I find more information about the server and push options? Because I have not understood what they are
05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:53 -!- aditsu [n=aditsu@aworklan002071.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.16/2009040213]"]
05:56 < krzee> !man
05:56 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:56 < krzee> !push
05:56 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
05:57 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
06:01 < Bushmills> hi krzee
06:09 < alpha_one_x86> Can you see if my config file seems correct: http://pastebin.com/m20c6b25 ?
06:17 < krzee> moin Bushmills
06:17 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit ["Leaving."]
06:18 < krzee> alpha_one_x86, if 192.168.0.x is a lan behind the server thats right
06:19 < krzee> in which case, if openvpn is not running on the router you must add a route to the router
06:19 < krzee> can be seen under the network diagram in:
06:19 < krzee> !route
06:19 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:21 < alpha_one_x86> I just want to do a vpn without gateway and fully closed, with ip 192.168.165.X
06:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
06:37 < alpha_one_x86> I can't see or find dh1024.pem, and openvpn too, why?
06:37 < Bushmills> alpha_one_x86, in subdir /easy-rsa/keys of openvpn
06:39 < Bushmills> sry, me wrong
06:39 < Bushmills> supposed to be in openvpn dir
06:40 < alpha_one_x86> in the folder keys I have *.key *.csr *.crt *.pem but no dh1024.pem
06:43 < Bushmills> alpha_one_x86, create it. search for "diffie-hellmann" in tutorial, it is probably described there how to generate it
06:44 < alpha_one_x86> ok, I am reading it...
06:45 < alpha_one_x86> Generating DH parameters, 4096 bit long safe prime, generator 2
06:45 < alpha_one_x86> This is going to take a long time
06:45 < krzee> !dh
06:45 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
06:45 < Bushmills> sounds right
06:45 < alpha_one_x86> 5 min later, still working...
06:47 < alpha_one_x86> for a 1024 key how long do I need to wait?
06:48 < Bushmills> for sorting 1 million items, a computer needs how long?
06:49 < alpha_one_x86> Because it's really long... then I wait...
06:49 < Bushmills> i'd do the same
06:49 < krzee> not to mention keygen'ing is largely based on luck
06:49 < krzee> roll of the dice
06:49 < Bushmills> maybe you can wish the machine to be faster
06:49 < Bushmills> concentrate and focus on its speed
06:50 < alpha_one_x86> It's already a phenom 2 @ 2.8GHz
06:51 < Bushmills> what? you're generating dh keys on a home computer?
06:52 < Bushmills> i thought everybody would use 2^16 node clusters for that nowadays
06:53 * Bushmills is mentally preparing for putting together a 48 node cluster machine
06:53 < Bushmills> correction. 64 nodes
06:54 < alpha_one_x86> Yes I have just my home computer to do it
06:54 < alpha_one_x86> How long do I need to wait, estimated?
06:54 < Bushmills> then estimation is easy. about 15 months
06:56 < Bushmills> it might help to increase the entropy of your computer a bit
07:07 < ecrist> morning, kids
07:09 < ecrist> krzee: I understand you need a pw reset on your box
07:09 < ecrist> I can do that now.
07:16 < alpha_one_x86> it's done 07:16 < alpha_one_x86> thanks and bye, I will try all it 07:16 -!- alpha_one_x86 [n=user@213.151.167.252] has quit ["using sirc version 2.211+KSIRC/1.3.12"] 08:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:29 -!- dexterr [i=dexter@skitan.us] has joined ##openvpn 08:29 < dexterr> !logs 08:29 < vpnHelper> dexterr: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 08:36 < dexterr> http://pastebin.com/d6ca2ea98 <- Okay, that's my log. I don't get the "Expected Remote Options hash (VER=V4): 'a8f55717'" part to be honest :/ 08:36 < dexterr> Why is that happening? 08:36 < dexterr> the first part is the server 08:36 < dexterr> the second is the client 08:37 < ecrist> don't worry about that part. what problem are you actually having? 08:37 < dexterr> been googling around for a while but found nothing :/ 08:39 < dexterr> ecrist: ehm.. 08:40 < dexterr> That is kills my connection :) 08:40 < dexterr> I assumed it was because of that 08:47 -!- alpha_one_x86 [n=user@213.151.167.252] has joined ##openvpn 08:49 < alpha_one_x86> re, my vpn not work, client seam connected, on serveur I can see: UP POINTOPOINT RUNNING NOARP MULTICAST and inet addr:192.168.165.1 P-t-P:192.168.165.2, I want multiple client connected 08:49 < dexterr> ecrist: Well, you wanna see my configs? 
:) 08:51 < ecrist> !configs 08:51 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 08:54 < dexterr> ecrist: http://pastebin.com/d46f020e server config 08:55 < dexterr> http://pastebin.com/m39e7c222 client config 08:57 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 08:58 < ecrist> dexterr: I'd recommend removing all the cert-type config options, and get it working. from there, add them in until it breaks 08:59 < dexterr> ecrist: on the client part? 08:59 < ecrist> yes 08:59 < dexterr> Well, added them to see if it would work :) 08:59 < dexterr> Didn't work before I added them 08:59 < ecrist> also, remove the word mode in 'mode server' in the server config 08:59 < dexterr> Yeah, right 09:00 < dexterr> hmm 09:01 < dexterr> Okay... where did tun0 go? 09:01 < dexterr> :D 09:02 < theDoc> Into my pocket! 09:02 < theDoc> ^^; 09:02 < dexterr> Seriously! It went away :D 09:02 < dexterr> That's odd 09:03 < theDoc> I'm not sure what you did! 09:03 < ecrist> dexterr: sorry, remove that whole line 09:03 < ecrist> it's redundant 09:11 < dexterr> ecrist: Okay 09:11 < dexterr> ecrist: What line? : 09:11 < dexterr> :;) 09:11 < dexterr> :) 09:11 < ecrist> 6 09:12 < dexterr> On the client or the server? 09:12 < dexterr> The server I assume 09:12 < alpha_one_x86> Somebody can help my? 09:12 < ecrist> well, the client shouldn't have a server line... 
09:12 < dexterr> Hehe 09:12 < ecrist> alpha_one_x86: sure, if you ask your question 09:12 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has joined ##openvpn 09:13 < Skered> !redirect 09:13 < vpnHelper> Skered: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 09:13 < Skered> !ipforward 09:13 < vpnHelper> Skered: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 09:13 < dexterr> And do you know why Vista is reporting that openvpn.exe crashes? I assume that it's because openvpn quits - but why in heaven is it reporting a crash? 09:14 < Skered> Well right now I have all traffic redirected through the VPN. However is it possible to redirect one external IP through the VPN? 09:15 < Skered> I thought "route ip" might do the trick but I guess it's not that easy 09:15 < ecrist> dexterr: no idea. I don't use vista 09:16 < ecrist> Skered: push "route 100.101.102.103 255.255.255.255" 09:16 < ecrist> note the 32-bit subnet mask 09:16 < alpha_one_x86> client seam connected, on serveur I can see: UP POINTOPOINT RUNNING NOARP MULTICAST and inet addr:192.168.165.1 P-t-P:192.168.165.2, I want multiple client connected 09:16 < Skered> I thought that was the default netmask 09:16 < Skered> so 'route ip' would be the same 09:17 < ecrist> sure, what do I know? 09:17 < ecrist> I'm simply telling you what *does* work, and you're telling me what doesn't. 
senseless argument, IMHO 09:18 < alpha_one_x86> I can see Mask:255.255.255.255 09:18 < ecrist> alpha_one_x86: we need your config 09:18 < ecrist> !configs 09:18 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:19 < alpha_one_x86> http://pastebin.com/m5178bb36 09:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:23 < theDoc> ahh, a porsche 09:25 < dexterr> ecrist: still won't work :/ 09:26 < dexterr> http://pastebin.com/m7801fb4a <- Client config 09:26 < ecrist> dexterr, how about full logs 09:26 < ecrist> !logs 09:26 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:26 < dexterr> http://pastebin.com/m4a5aa1f7 <- server cofnig 09:26 < dexterr> ecrist: Sure 09:28 < dexterr> http://pastebin.com/m57cea2b <- client log 09:29 < Skered> Ok. Some errors on my part. 09:29 < Skered> push "route host"; <--- needs to be an ip. doh 09:29 < Skered> opps 09:30 < dexterr> ecrist: http://www.skitan.us/openvpn.log 09:30 < dexterr> server log 09:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:32 < alpha_one_x86> No idea for my problem? 09:33 < ecrist> dexterr: client log seems truncated 09:34 -!- jeiworth [n=jeiworth@189.177.131.27] has joined ##openvpn 09:35 < dexterr> ti does? 09:35 < dexterr> it* 09:35 < ecrist> alpha_one_x86: you don't need line 9 (it's assumed, since its the IP space for the clients. 
remove it 09:35 < ecrist> dexterr: yes 09:35 < dexterr> It's from the GUI - but I can paste thel og file too 09:36 < dexterr> Hr 09:36 < dexterr> Hrm 09:36 < dexterr> it isn't truncated 09:36 < dexterr> It ends with Thu May 21 16:35:04 2009 us=676000 VERIFY OK: depth=1, /C=SE/ST=Vastmanland/L=Vasteras/O=skitan.us/OU=VPN/CN=vpn.skitan.us/emailAddress=admin@skitan.us 09:36 < ecrist> is the server log truncated? 09:36 < ecrist> dexterr: did the program die after that? 09:37 < ecrist> after the 'VERIFY OK' you're missing all the handshake stuff 09:38 < alpha_one_x86> Line 9 removed 09:44 < dexterr> ecrist: Yep 09:44 < dexterr> Perhaps that's why Vista is reporting a crash :D 09:44 < alpha_one_x86> What do after? 09:45 < ecrist> run openvpn 09:45 < alpha_one_x86> yes, restarted 09:49 < alpha_one_x86> But not work 09:50 < dexterr> ecrist: Any ideas? 10:14 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has left ##openvpn [] 10:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:27 < alpha_one_x86> No idea? 10:35 < ecrist> dexterr: as I said above, I don't use vista, sorry --- Log closed Thu May 21 10:44:52 2009 --- Log opened Thu May 21 10:44:57 2009 10:44 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 10:44 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal] 10:45 -!- Irssi: Join to ##openvpn was synced in 22 secs 10:45 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has quit [Nick collision from services.] 10:45 -!- You're now known as ecrist 10:48 < dexterr> Hrm 10:48 < dexterr> Been googling for a while now but haven't found something good about it yet (Yes, I'm new to openvpn :P); How can I remove the need of certificates and allow usernames and passwords? 
10:49 < dexterr> I got some configuration options but I haven't figured out where and how to add a couple of users :P 10:57 < Bushmills> dexterr, openvpn gives host level connection, not on user level. 10:57 < dexterr> http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html 10:57 < vpnHelper> Title: [Openvpn-users] New Username/Password Authentication Mode (at openvpn.net) 10:58 < Bushmills> you can configure to let the server use an authenticator of your chouce 10:58 < dexterr> Oh really? 10:58 < dexterr> cool 10:59 < Bushmills> look at --auth-user-pass-verify 11:12 -!- alpha_one_x86 [n=user@213.151.167.252] has quit [Remote closed the connection] 11:16 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 12:14 -!- jeiworth_ [n=jeiworth@189.163.255.69] has joined ##openvpn 12:15 -!- jeiworth [n=jeiworth@189.177.131.27] has quit [Connection reset by peer] 12:18 -!- jeiworth_ [n=jeiworth@189.163.255.69] has quit [Read error: 54 (Connection reset by peer)] 12:21 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:22 -!- jeiworth [n=jeiworth@189.177.138.218] has joined ##openvpn 12:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 12:26 < Dougy> hey 12:27 -!- dKingston [n=TheKing@unaffiliated/dkingston] has joined ##openvpn 12:27 < Dougy> look at that loser 12:27 < dKingston> o.o 12:30 < Dougy> sup all 12:35 -!- msshams1 [n=shams@213.207.216.163] has joined ##openvpn 12:36 < Dougy> krzie 12:36 < Dougy> my doctor told me to get high till i feel better 12:36 < Dougy> lol 12:37 < msshams1> hi, i installed openvpn successfully. now, how can i connect to it as a client and use web surfing anonymously? 12:42 < Dougy> you installed it, yes 12:43 < Dougy> did you create the certificate(s)? 12:45 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn 12:46 < deever> hi... 
12:46 < Dougy> hi 12:46 < ecrist> hi 12:46 < Dougy> msshams1: if you ask for help, you should be here fo your answer 12:46 < Dougy> hey ecrist :) 12:46 < deever> anyone here used openvpn from tunisia and was having problems with censorship? 12:47 < msshams1> Dougy: what? 12:48 < Dougy> msshams1: you installed openvpn, yes? 12:48 < msshams1> Dougy: yes 12:48 < Dougy> OK. Did you sign the certificates yet? 12:48 < Dougy> sign/create 12:48 < msshams1> Dougy: yes 12:48 < Dougy> So you have it set up to what point? 12:48 < Dougy> The server is up and running? 12:49 < msshams1> Dougy: hey, i doing all of this how to: http://www.throx.net/2008/04/13/openvpn-and-centos-5-installation-and-configuration-guide/ 12:49 < vpnHelper> Title: OpenVPN and CentOS 5 Installation and Configuration Guide | Throx Blog (at www.throx.net) 12:49 < msshams1> and successfully finished 12:49 < Dougy> Hold on 12:49 < Dougy> That site is dreadfully slow 12:50 < Dougy> Still has not loaded 12:50 < msshams1> Dougy: but end of that how to, help for installing windows client. i want to know, how can i run a linux client, and how can i surf anonymously on the internet via that. 12:51 < msshams1> Dougy: !wow, here loaded very soon! 12:51 < ecrist> msshams1: you may be confused 12:51 < ecrist> tor allows you to surf anonymously 12:51 < ecrist> openvpn allows you to create a secure connection between various numbers of systems 12:51 < Dougy> msshams1: maybe this is the setting you are looking for 12:51 < Dougy> !redirect-gateway 12:51 < vpnHelper> Dougy: Error: "redirect-gateway" is not a valid command. 12:51 < msshams1> ecrist: i know. i want use my server ip for surfing internet 12:51 < Dougy> err 12:52 < Dougy> !help 12:52 < vpnHelper> Dougy: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 
12:52 < Dougy> !man 12:52 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 12:52 -!- dexterr [i=dexter@skitan.us] has left ##openvpn ["I'm outta here"] 12:52 < Dougy> msshams1: on there, look at redirect-gateway 12:54 < Dougy> msshams1: a SSH tunnel would have the same end result, by the way 12:54 < ecrist> http://www.secure-computing.net/wiki/index.php/Secure_browsing 12:54 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net) 12:55 < ecrist> !secure-browsing 12:55 < vpnHelper> ecrist: Error: "secure-browsing" is not a valid command. 12:55 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has left ##openvpn [] 12:55 -!- TonyDanza [n=alan@76-10-157-245.dsl.teksavvy.com] has joined ##openvpn 12:55 < ecrist> !learn secure-browsing as You can securely browse the internet with a simple SSH tunnel and a properly configured web browser. http://www.secure-computing.net/wiki/index.php/Secure_browsing 12:55 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:56 < ecrist> msg vpnHelper login yuf9898a 12:56 < Dougy> ough 12:56 < Dougy> ouch 12:56 < Dougy> silly ecrist 12:56 < ecrist> goddam 12:56 < Dougy> whoops 12:56 < Dougy> haha 12:57 < dazo> this one is priceless! 12:58 * dazo hopes this was not a password he uses a lot of places .... 12:58 < ecrist> dazo, nope 12:58 < dazo> :) 12:58 < ecrist> only for vpnHelper 12:58 < dazo> lucky you ;-) 12:58 < Dougy> i bet ecrist has a diff password for eveything he does 12:58 < ecrist> and that password was one of my shorter, simpler ones 12:58 < dazo> well ... of course, it would silly to admit it on the irc channel that ..... 
"Hey, that was my master password" :-P 12:59 * dazo decides to go home .... before he does a similar mistake :-P 13:00 -!- dKingston [n=TheKing@unaffiliated/dkingston] has quit [" HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!"] 13:00 -!- troy is now known as troy- 13:00 < TonyDanza> hey all, I'm looking to automate openVPN installation for some employees in my company. It'll be a simple script that will just copy the .conf, .crt and .key files. can someone give me a hand with that? 13:01 < TonyDanza> I've already made similar scripts for windows and osx but i havnt used the linux client before 13:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:04 < TonyDanza> right now i've got it setup and working using network-manager-openvpn but ideally i'd like ot do it all thru terminal 13:08 < ecrist> TonyDanza: take a look at my script, ssl-admin 13:08 < ecrist> !ssl-admin 13:08 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 13:08 < ecrist> that handles certificate generation, and such 13:08 < Dougy> my boss is a bonehead 13:08 < Dougy> cant even set up ports right on the switch sometimes 13:08 < Dougy> [root@cyberteamusa ~]# mii-tool 13:08 < Dougy> eth0: 10 Mbit, half duplex, link ok 13:10 < TonyDanza> Thanks, i'll take a look 13:10 < TonyDanza> !ssl-admin 13:10 < vpnHelper> TonyDanza: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 13:15 < Dougy> Anyone need any hosting? 
Got some servers I want to rent out and get in use already :( 13:15 < ecrist> nope 13:15 < Dougy> ecrist: you have a datacenter in your basement 13:15 < ecrist> you should work on that site you started a while back 13:15 < Dougy> wasn't even asking you 13:15 < Dougy> the forum? 13:15 < ecrist> ;) 13:15 < Dougy> it's actually open in the tab behind hte one i'm in right now 13:15 < Dougy> ;) 13:15 < Dougy> the 13:16 * Dougy has been spam pruning lately 13:17 < Dougy> TonyDanza: you should join the openvpn forum 13:27 < TonyDanza> Thanks, I'll do that. I just came onto irc hoping for a quick fix 13:28 < ecrist> http://en.wikipedia.org/wiki/OpenVPN#Community 13:28 < vpnHelper> Title: OpenVPN - Wikipedia, the free encyclopedia (at en.wikipedia.org) 13:29 < TonyDanza> thanks! 13:30 -!- msshams1 [n=shams@213.207.216.163] has left ##openvpn [] 13:31 < TonyDanza> Ok so i've read the article that ecrist reccomended and i dont think it applies to my situation.... or maybe i'm looking at it wrong.... 13:32 < TonyDanza> i've got a preexisiting .conf file, .crt, and CA that i've used with windows and osx. I'm trying to import this into openvpn without using the GUI. Sorry for the ignorance but i'm just getting my feet wet into the linux flavour of openvpn 13:34 < ecrist> TonyDanza: those files don't need to be installed *anywhere*, really 13:34 < ecrist> you just run openvpn --config 13:34 < TonyDanza> sorry, should have also menitoned that i'm just trying to add additional clients. the server is already setup and the head admin gave me the key/ca/crt 13:35 < ecrist> make sure the full path is listed in teh config for the key files 13:35 < TonyDanza> hm, that looks alot easier than expected.... great, i'll try that out and come bcak 13:35 < TonyDanza> thanks! 
13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:40 < TonyDanza> http://pastebin.com/d67d92ce0 ----hrm 13:40 < ecrist> ah, see you're trying to set user to a user that doesn't exist on that system 13:41 < TonyDanza> hm... yeah the VPN connection uses my domain creds. i'm on a linux sandbox laptop right now with a generic login 13:41 < ecrist> no, what I'm saying is, openvpn requires root privs to run, initially 13:42 < TonyDanza> oh... haha forgot to sudo 13:42 < ecrist> it's got the ability to 'dumb down' it's privs, onces it's done the stuff which needs root privs 13:42 < TonyDanza> wait. i was root... 13:42 < TonyDanza> (am) 13:43 < TonyDanza> yeah i set it to do that on OSX when i set it up. i just checked the .conf and its set to do that on this system as well 13:43 < TonyDanza> hold on i'll PB my .conf 13:43 < ecrist> don't need your config 13:43 < ecrist> I know what the problem is 13:43 < TonyDanza> k 13:43 < ecrist> ther is a 'user' and 'group' option defined in the config 13:44 < TonyDanza> mhm. right now its "nobody" for both 13:44 < ecrist> either set those to a user/group that exists on your local client machine, or remove those two options 13:44 < TonyDanza> k, i'll have to remove it. this config will be distributed to multiple computers 13:44 < TonyDanza> once i've modified the config can i just "openvpn --config" again to overwrite or is there a separate command to purge the current config 13:46 < ecrist> there's no such thing as purge the current config 13:46 < TonyDanza> is there a way to plug in a currentuser wildcard instead? 13:46 < ecrist> hrm, I believe so, use shell variables 13:47 < ecrist> I'm sure the man page would give you clues. 
;) 13:47 < TonyDanza> indeed 13:50 < ecrist> at the very least, you could write a wrapper script, which would generate a config and execute accordingly 13:51 < ecrist> an actual config *file* isn't necessary, all options are available directly on the command line 13:51 < TonyDanza> thats what i ended up doing for the osx version..... 13:51 < TonyDanza> hmm 13:51 < TonyDanza> so prehaps one script could accomplish everything i'm looking for? 14:00 < ecrist> could 14:01 < TonyDanza> meh. so i talked to the boss and apparantly for what we're using it for downgrading privs isnt important so i've just commented it out... i do what i'm told, heh 14:01 < TonyDanza> once it was commented out everything worked perfectly. thanks for all your help! 14:17 -!- TonyDanza [n=alan@76-10-157-245.dsl.teksavvy.com] has left ##openvpn ["Leaving"] 14:29 -!- jeiworth [n=jeiworth@189.177.138.218] has quit [Read error: 110 (Connection timed out)] 14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:36 -!- dexterr [i=dexter@skitan.us] has joined ##openvpn 14:46 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has joined ##openvpn 14:48 < dexterr> Hey, got it working! 14:49 < dexterr> my question now is: How can I limit the VPN to certain people? 14:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:49 < Dougy> dexterr: its limited by certs, is it not? 14:50 < dexterr> Dougy: Well.. I'm getting the feeling anyone can generate a certificate and connect? 14:50 < Dougy> not realy 14:50 < Dougy> really 14:50 < dexterr> no? 14:50 < ecrist> no 14:50 < dexterr> Oh wait :) 14:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:51 < ecrist> the only certificates openvpn will validate are once signed with the CA certificate 14:51 < dexterr> Yeah, that's right 14:51 < ecrist> but krzee's a bitch anyways 14:51 < dexterr> Huh? 
14:51 < dexterr> :p 14:52 < krzee> lol 14:52 < dexterr> ecrist: Btw, are you the one who helped me before? 14:52 < ecrist> *shrug* 14:52 < Dougy> krzee :> 14:52 < Dougy> sup 14:54 < ecrist> dougy, I put a link to the ovpnforum.com site on wikipedia, by the way 14:54 < Dougy> Win 15:04 * ecrist is out 15:06 -!- keri [n=keri@catv-86-101-107-99.catv.broadband.hu] has joined ##openvpn 15:08 < keri> hi, i got some error when trying to connect to openvpn server from freebsd: Cannot allocate TUN/TAP dev dynamically, any id on this? 15:30 -!- keri is now known as keriati 15:41 -!- keriati is now known as keriati_ 15:41 -!- keriati_ is now known as keriati 15:51 -!- troy- is now known as troy 16:00 -!- keriati [n=keri@unaffiliated/keriati] has quit ["leaving"] 16:17 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 16:25 -!- c64zottel [n=hans@p5B17B1A8.dip0.t-ipconnect.de] has quit ["Leaving."] 16:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:09 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 17:12 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)] 17:25 < xp_prg> hi all, I have been getting openvpn to work correctly using tun and ifconfig, I am now looking for a semi-easy way to assign dynamic ip's to clients, this blog describes a way but it is not clear to me what approach this is using: http://blog.foppiano.org/2008/07/24/how-to-openvpn-over-proxy/ 17:25 < vpnHelper> Title: How to OpenVPN over Proxy « fucking the white bunny rabbit (at blog.foppiano.org) 17:25 < xp_prg> anyone know? 18:01 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:02 < reiffert> !howto 18:02 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 18:04 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:04 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 18:05 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:11 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Connection reset by peer] 18:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 18:16 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:27 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:27 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:27 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:32 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 18:42 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 18:47 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)] 18:54 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 18:56 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 19:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 19:10 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:18 
-!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 19:20 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:22 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:25 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:26 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:28 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 19:30 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:33 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 19:35 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:53 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 19:53 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 19:53 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 54 (Connection reset by peer)] 19:58 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:00 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Connection reset by peer] 20:07 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:10 -!- lesterc [n=lesterc@vl10.gw.ok-labs.com] has joined ##openvpn 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:31 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Read error: 104 (Connection reset by peer)] 20:33 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:36 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 20:37 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit [Client Quit] 21:15 -!- theDoc_ 
[n=andelyx@208.99.194.194] has joined ##openvpn
21:21 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has joined ##openvpn
21:27 -!- theDoc [n=andelyx@119.73.165.162] has quit [Read error: 110 (Connection timed out)]
22:57 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"]
23:14 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has joined ##openvpn
23:58 < dan__t> Hello.
--- Day changed Fri May 22 2009
00:00 -!- fog_proxy [n=user@58.208.231.141] has joined ##openvpn
00:02 < fog_proxy> Hi all. I installed the tap-win32 driver in Windows XP, and it looks fine. But when I try to use the interface, I found it exits at the CreateFile call with no error message, any idea?
00:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:32 < dan__t> krzee, joo around?
00:42 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
01:11 -!- rofe [n=rofe@83.221.146.177] has quit ["Leaving"]
01:12 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
01:14 -!- Silas-2 [n=Silas-2@123.252.146.52] has joined ##openvpn
01:15 < Silas-2> Hello.............
01:15 < dan__t> HI.
01:15 < dan__t> May 21 23:15:19 plesk-01 openvpn[25228]: client1/70.190.236.151:33792 MULTI: bad source address from client [192.168.143.128], packet dropped
01:15 < dan__t> I'm still having issues with that one. krzee, I saw an article you wrote on that problem. Unfortunately your solution doesn't seem to help.
01:16 < dan__t> I've created a ccd file named DEFAULT (and also the name of the client's CN) with an iroute statement in it.
01:16 < Silas-2> I am new to VPN..........Can someone guide me. how to set up the Nortel VPN Client for the LFS box..................?
01:20 < Silas-2> I am new to VPN..........Can someone guide me. how to set up the Nortel VPN Client for the LFS box..................?
01:20 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"]
01:23 -!- Silas-2 [n=Silas-2@123.252.146.52] has quit ["Leaving"]
01:25 -!- fog_proxy [n=user@58.208.231.141] has quit [Read error: 60 (Operation timed out)]
01:40 -!- fog_proxy [n=user@58.208.231.141] has joined ##openvpn
01:46 -!- master_of_master [i=master_o@p549D3D3D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:51 -!- master_of_master [i=master_o@p549D3D9D.dip.t-dialin.net] has joined ##openvpn
02:05 < dan__t> hrm.
02:11 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
02:21 -!- lesterc [n=lesterc@vl10.gw.ok-labs.com] has quit []
02:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:58 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:05 < reiffert> moin
03:22 < Bushmills> moin
03:26 -!- troy is now known as troy-
04:19 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:20 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
04:20 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:26 -!- Alagar [n=helpdesk@95.154.197.29] has quit ["Leaving."]
04:26 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:31 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
04:37 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
04:50 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has joined ##openvpn
05:11 -!- EvilRick [i=chatzill@uni-238-1.uninet.co.za] has joined ##openvpn
05:11 < EvilRick> hey, any idea why auth-user-pass-verify no longer passes the password to the script it calls?
05:13 -!- fog_proxy [n=user@58.208.231.141] has quit [Read error: 104 (Connection reset by peer)]
05:13 < EvilRick> works on 2.1rc7 but does not work on 2.1rc11. I am using the same server config on both machines and on rc7 I can see the password variable in the environment but in rc11 it's missing.
05:15 -!- matt7676 [n=komplekt@213-168-9-194-dsl.lsn.estpak.ee] has joined ##openvpn
05:18 -!- theDoc_ [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
05:19 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
05:25 < EvilRick> so via-env does not pass the password and via-file sets the user and pass in the file but fails to pass the filename as a var to the auth script.
05:27 < Bushmills> EvilRick, reading environment variable "password"
05:28 < Bushmills> not passed as argument, but script needs to do string substitution
05:30 < EvilRick> well, my point is that I try to read $password but it's empty. the setup used to work but it's not working on a new server. I put a debug line in my auth script "export > /tmp/debug" and there is no mention of password in the output.
05:31 < EvilRick> same thing if I use via-file.. I don't get passed the filename in the auth script from the server
05:32 < Bushmills> via-file is required for password in environment. if it still isn't, then i can't tell why not
05:32 < Bushmills> sry. via-env i mean
05:33 -!- lesterc [n=lesterc@178.80.233.220.exetel.com.au] has joined ##openvpn
05:39 < EvilRick> I did that but it's not there. It is in rc7 but not in rc11
05:42 < Bushmills> tried any later version? rc15 is latest afaik
05:46 < Bushmills> 16 actually
05:48 < Bushmills> no mention of any change in changelog though
06:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:12 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
06:20 -!- smellynoser [n=ashley@87-194-183-38.bethere.co.uk] has joined ##openvpn
06:20 < smellynoser> Hi, is there any way to use openvpn on an unrooted G1?
06:22 < Bushmills> afaik, unlikely. root privs needed for creating and configuring the virtual devices.
06:23 < svenx> there's a kernel 'capability' thing that you can assign to users through pam, so that they can create network devices
06:24 < svenx> but last time i tried it, i couldn't get it to work
06:24 < svenx> wait, g1? osx?
06:25 < Bushmills> maybe you could pop up openboot, and change owner in a shell credentials structure to root :)
06:26 < EvilRick> I'm stumped, is there any logical reason $password would not get passed in the environment vars for "auth-user-pass-verify script.sh via-env". everything else is there, common_name tls_id_0 username
06:26 < EvilRick> just not password
06:29 < Bushmills> username there too?
06:31 < EvilRick> yup it is definitely there
06:33 < EvilRick> and its value is what I'm expecting.
06:34 < Bushmills> using --script-security 3 ?
06:36 < Bushmills> compatibility with pre-rc9 would be through use of --script-security 3 system
06:37 < EvilRick> looking into it
06:37 < Bushmills> but system is deprecated. without system should do
06:40 < EvilRick> I can't seem to specify that in the server.conf
06:45 < EvilRick> interesting, it seems you need to specify "--script-security 3" in the config, not "script-security 3"
06:45 < Bushmills> hm
06:46 < Bushmills> maybe an oversight
06:46 < Bushmills> better be prepared to change it, in a future release
06:47 < EvilRick> does not look like it's working :/
06:47 < Bushmills> do you have a debian, or debian based linux as server?
06:47 < EvilRick> still not getting the password. it's probably ignoring the -- in the config file
06:47 < EvilRick> yes.. it's ubuntu
06:48 < Bushmills> edit /etc/defaults/openvpn
06:48 < Bushmills> add it to OPTARGS=""
06:49 < Bushmills> restart with /etc/init.d/openvpn restart
06:50 < EvilRick> still no password :/
06:50 < EvilRick> wait, something is setting it already
06:51 < EvilRick> in a ps I see "/usr/sbin/openvpn --script-security 3 --writepid /var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config /etc/openvpn/server.conf --script-security 2"
06:52 < Bushmills> 2 is not what you want
06:52 < Bushmills> it prevents setting $password
06:52 < EvilRick> yup.. but I don't know what's injecting that param at the moment
06:54 < Bushmills> i compared against debian. no --script-security 2 there.
06:54 < Bushmills> !blame ubuntu
06:54 < vpnHelper> Bushmills: Error: "blame" is not a valid command.
06:54 < EvilRick> it's happening in the init script :/ in ubuntu
06:54 < EvilRick> if test -z $( grep '^[[:space:]]*script-security[[:space:]]' $CONFIG_DIR/$NAME.conf ) ; then
06:55 < EvilRick> if that's true it sets it to 2.. comment says it's for backward compatibility
06:55 < ecrist> morning, kids
06:56 < EvilRick> I think it checks the config for the script-security keyword and then forces it to 2
06:56 -!- c64zottel [n=hans@p5B17B028.dip0.t-ipconnect.de] has joined ##openvpn
06:56 < Bushmills> ingenious way to break your setup
06:57 < matt7676> I have the following network configuration: 1 Debian DHCP/firewall/OpenVPN machine <--> L2 switch <--> LAN(10 nodes). I would like to use OpenVPN because in our small company we have 5 laptop users, who connect to the RDP server in the LAN often over unencrypted public WIFI networks. Those 5 laptop users use the Windows XP or Vista operating system. Is it a goog idea to use OpenVPN for such a network?
06:58 < matt7676> *good
06:58 < EvilRick> actually I think it checks the config for the keyword and then if it's not set sets it to 2.. so it's a default override.
06:58 < EvilRick> aaaahhh.
06:59 < EvilRick> when I specified script-security in the config file I got a startup error.. I assumed it was from openvpn.. it's actually from the init script
06:59 < EvilRick> that line must be faulty
06:59 < EvilRick> as in the init line
06:59 < EvilRick> I'll pass it on to ubuntu
07:01 < Bushmills> matt7676, makes sense IMHO
07:04 < matt7676> Bushmills: thanks. One more question- is SMB available over VPN? I mean if we have folders on Windows machines shared on the LAN, then are they accessible using OpenVPN over the Internet?
07:06 < Bushmills> SMB is obsoleted and is now CIFS which should be routable. but i'm no expert on windows protocols.
07:06 < ecrist> yes, you can access it over the VPN
07:12 < matt7676> ok, thanks Bushmills and ecrist!
07:12 < Bushmills> np
07:15 < matt7676> one more thing- if Debian is properly configured, is it as secure as OpenBSD? I am familiar with Linux, but never tried OpenBSD. However, it seems that OpenBSD is kind of a de facto platform for OpenVPN. Is it OK to stick with Linux or should I move on to OpenBSD?
07:17 < Bushmills> matt7676, most remote exploits are problems in programs and services, not in the OS itself.
07:17 < Bushmills> matt7676, if you offer shell access to users, consider the system compromised, regardless of what OS
07:24 -!- lesterc [n=lesterc@178.80.233.220.exetel.com.au] has quit []
07:27 < matt7676> Bushmills: ok, I'll be the only user on this firewall/router/DHCP-server/OpenVPN machine. However, I'll stivk with Debian then if there basically isn't any difference :)
07:28 < matt7676> *stick
07:28 < Bushmills> your abilities as sysadmin have a much greater effect on the security of the system than the choice of either of these OSes
07:31 < ecrist> what Bushmills said, but I'd go with FreeBSD
07:33 < matt7676> ecrist: why?
07:34 < ecrist> OpenBSD has a shitty installer, for one, and FreeBSD is better supported, and has most of the greatest parts of OpenBSD already, like pf
07:40 -!- EvilRick [i=chatzill@uni-238-1.uninet.co.za] has quit [Read error: 110 (Connection timed out)]
07:40 < matt7676> ecrist: ok. Hopefully it is not offtopic, but does iptables/netfilter have some feature advantages over pf? As much as I have read about pf, it seems a lot more simple and straightforward, but does this simplicity come at a price in features?
07:41 < ecrist> from my limited experience, iptables is crap
07:41 < ecrist> pf is more full-featured than any other firewall setup I'm aware of.
07:45 < matt7676> ecrist: in my opinion it has rather many features, but it is quite complicated to configure if you would like to set up a little bit advanced configuration. All those chains and stuff..
07:46 < ecrist> what chains?
07:49 < matt7676> ecrist: prerouting, postrouting, input, output, forward and all the tables in those chains
07:49 < ecrist> oh, it is why I'm not an iptables fan
07:57 -!- EvilRick [i=chatzill@uni-238-1.uninet.co.za] has joined ##openvpn
07:57 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
07:57 < Dougy> :(
08:01 < dazo> matt7676: I like iptables
08:02 < ecrist> Dougy: what's your issue?
08:02 < Dougy> ecrist, woke up this morning with a 105.8 fever
08:02 < Dougy> i was sick yesterday, but my temp stayed around 102 ish
08:03 < dazo> Dougy: you need to reroute some of your tempered traffic to /dev/null ... not to the rest of the network! ;-)
08:04 < Dougy> Bahah
08:04 < Dougy> i didn't take advil before bed last night like dr said
08:04 < Dougy> 3 every 6 hours
08:04 * Dougy should have listened
08:05 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
08:07 < Bushmills> dougy, temperature/fever is a defense mechanism. not always good to suppress that.
08:08 < Dougy> Bushmills, when i'm baking to the point that i can't even open my eyes
08:08 < Dougy> suppression is a great thing
08:09 < Bushmills> think of the poor germs being stewed now
08:10 < Dougy> oh well
08:10 < matt7676> dazo: I have nothing against iptables as well. However, I feel that pf is better. Or what are your arguments against pf? Or why do you like iptables/netfilter?
08:11 < ecrist> Dougy: with a temp of 105, get to the hospital, NOW
08:11 < Dougy> ecrist, i took the advil and now im down to 101
08:11 < Dougy> so ill manage
08:12 < ecrist> ok, if your temp gets anywhere close to 104+, that's ER-worthy stuff
08:12 < Dougy> yeah
08:12 < ecrist> at those temps, your body, literally, cannot function
08:12 < dazo> matt7676: well, I do not have much experience at all with pf ... but I know the iptables rules can really be a big nest ... but I've found a way to use a lot of my own chains in addition, and in that way very easily have a very good overview over all rules .... it's quite comprehensive, but advanced setups usually require more work
08:12 < Dougy> i woke up this morning like a zombie
08:12 < Dougy> had trouble opening mah eyes
08:15 -!- dexterr [i=dexter@skitan.us] has quit [Read error: 60 (Operation timed out)]
08:20 < Dougy> brb
08:20 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
08:29 -!- solexious|netbk [n=solexiou@89.193.40.36] has joined ##openvpn
08:30 < solexious|netbk> Hello, All looks good in my logs but when I ping an ip that should be on the other side of the bridge I get cannot reach 192.168.5.50 (the ip the client is assigned on the other network) any ideas?
08:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
08:32 -!- matt7676 [n=komplekt@213-168-9-194-dsl.lsn.estpak.ee] has left ##openvpn []
08:37 < solexious|netbk> http://pastebin.com/m21901182 is the log
08:38 < solexious|netbk> Odd, disabling wireless (wasn't connected through it but through wired) and now it's fine...
08:40 -!- lesterc [n=lesterc@178.80.233.220.exetel.com.au] has joined ##openvpn
08:41 -!- solexious|netbk [n=solexiou@89.193.40.36] has quit [Remote closed the connection]
08:43 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
08:43 < Dougy> woot
08:44 < Dougy> got compiz and nvidia drivers working on my debian
08:44 < Dougy> victory
08:47 -!- lesterc [n=lesterc@178.80.233.220.exetel.com.au] has quit []
08:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:15 < Dougy> so ecrist, what's up
09:15 < ecrist> nm
09:15 < ecrist> going to apply for my carry permit in an hour
09:15 < Dougy> a what?
09:15 < ecrist> working on writing a pam module right now to properly create user home directories and set custom permissions
09:16 * Dougy is debating whether to install gdesklets, avant, or both
09:16 < ecrist> carry permit, a permit to carry (legally) an open or concealed weapon in the state of minnesota
09:16 < Dougy> oh
09:16 < Dougy> a weapons permit
09:16 < Dougy> a customer of mine gave me a copy of his concealed weapons permit for photo ID
09:16 < ecrist> no, a carry permit
09:16 < Dougy> well
09:16 < Dougy> a permit for weapons
09:16 < Dougy> lol
09:17 < ecrist> no, there's a minor difference
09:17 < ecrist> I have a gun I carry in my home, legally. no permit required. I don't need a permit to acquire guns, either.
09:17 < ecrist> this permit simply allows me to carry guns in public places, loaded.
09:18 < Dougy> nice
09:18 < Dougy> why do you want to do that?
09:18 < ecrist> 1) I live in a 'diverse' part of Minneapolis. 2) I'm legally entitled to do so.
09:19 < Dougy> What do you mean in point #1?
09:19 * Dougy coughs up a lung
09:19 < ecrist> we bought our house a little over two years ago. since then, we've had two fleeing felons run through our front yard (literally). they were followed by squads and a state patrol helicopter
09:20 < ecrist> a few months ago, a gentleman two blocks away was the victim of a home invasion/execution
09:20 < Dougy> ah
09:20 < Dougy> Fair enough
09:20 < Dougy> I thought you were implying something racist
09:20 * Dougy shrugs
09:20 < ecrist> not at all.
09:21 < Dougy> my ISP is doing DOCSIS 3.0 now
09:21 < Dougy> :)
09:21 < Dougy> 101Mbps
09:21 < ecrist> simply stating that there's a lot of crime in my area
09:21 < ecrist> Dougy: nice. Minneapolis was the first roll-out for Comcast
09:21 < Dougy> Yeah.
09:21 < Dougy> 101Mbps down 15 mbps up no caps for $99/m
09:21 < ecrist> I've not got 101Mbps, though. I've got 16/2
09:21 < ecrist> not bad
09:22 < Dougy> i want it
09:22 < Dougy> lol
09:23 < ecrist> you don't have it?
09:23 < Dougy> nope
09:23 < Dougy> I have 15 down 2 up
09:23 < Dougy> sometimes I can pull off 20 down
09:24 < Dougy> usually I get between 12-15
09:24 < ecrist> we don't test ours that often
09:24 < Dougy> http://www.speedtest.net/result/479231737.png
09:24 -!- dazo [n=dazo@nat/redhat/x-0bac23b51de2d650] has quit [Remote closed the connection]
09:24 < Dougy> that's right now
09:24 < Dougy> http://www.speedtest.net/result/348419462.png
09:24 < Dougy> that was in november
09:24 -!- dazo [n=dazo@nat/redhat/x-fde5944adb80cacc] has joined ##openvpn
09:25 < Dougy> wb dazo
09:25 < dazo> Dougy: :) .... xchat decided to die ..... grrrr ....
09:26 < ecrist> http://secure-computing.net/cacti/graph_image.php?local_graph_id=64&rra_id=0&view_type=tree&graph_height=85&graph_width=350&graph_nolegend=Y&super_duper_kludge=.png
09:26 < ecrist> that's the last 24 hours of network traffic at my place
09:26 < Dougy> nice
09:26 < ecrist> not exactly a 'heavy' user
09:30 < Dougy> http://www.upload3r.com/serve/220509/1243002606.png
09:30 < Dougy> my last 4 days
09:41 -!- jeiworth [n=jeiworth@189.177.138.218] has joined ##openvpn
09:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:52 < svenx> so
10:03 -!- solexious|netbk [n=solexiou@89.193.40.36] has joined ##openvpn
10:05 < solexious|netbk> Hia, what should I be looking for to set up my client to only forward traffic to my openvpn server that's for the ip range the server is on? i.e. all packets for 192.168.5.0/24 go over the vpn link and all else not?
10:07 < ecrist> push "route 192.168.5.0 255.255.255.0"
10:07 < ecrist> it's covered in the man page
10:12 -!- solexious|netbk [n=solexiou@89.193.40.36] has quit [Remote closed the connection]
10:13 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
10:20 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has joined ##openvpn
10:20 < sigmonsays> Hi
10:22 < Dougy> hi
10:22 < sigmonsays> i am contemplating upgrading to 2.x
10:22 < sigmonsays> one of the bigger issues I want to solve is a design issue
10:23 < sigmonsays> everyone has a .exe installer generated with their own key. I don't like that :)
10:23 < sigmonsays> is there a way to do it by any group mechanism?
10:23 < sigmonsays> so you would have far fewer installers
10:27 -!- EvilRick_ [n=chatzill@uni-226-26.uninet.co.za] has joined ##openvpn
10:34 -!- jeiworth [n=jeiworth@189.177.138.218] has quit [Operation timed out]
10:35 < sigmonsays> Yah that's a tough issue :)
10:37 -!- EvilRick [i=chatzill@uni-238-1.uninet.co.za] has quit [Read error: 113 (No route to host)]
10:46 -!- dexterr [i=dexter@217.78.31.33] has joined ##openvpn
10:46 < ecrist> sure
10:46 < ecrist> use a secondary authentication method
10:53 < sigmonsays> I assume it's some sort of script?
10:53 < sigmonsays> I will have to read up on that. sounds interesting
10:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:03 -!- EvilRick_ [n=chatzill@uni-226-26.uninet.co.za] has quit [Read error: 110 (Connection timed out)]
11:04 < sigmonsays> ecrist, do you have a document on that?
11:06 < Dougy> http://www.newegg.com/Product/ComboDealDetails.aspx?ItemList=Combo.194454
11:06 < vpnHelper> Title: Newegg.com - Computer Parts, PC Components, Laptop Computers, Digital Cameras and more! (at www.newegg.com)
11:12 < ecrist> sigmonsays: no, I don't, but it's covered in the manual for openvpn
11:15 -!- jeiworth [n=jeiworth@189.177.125.126] has joined ##openvpn
11:18 -!- troy- is now known as troy
11:18 < Dougy> http://consumerist.com/5265953/comcast-threatens-to-cut-you-off-unless-you-pay-000
11:18 < vpnHelper> Title: Comcatastrophe: Comcast Threatens To Cut You Off Unless You Pay $0.00 (at consumerist.com)
11:30 < ecrist> lol
11:59 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:16 < svenx> anyone looked into client-side software compliance stuff? i.e. verify that a certain antivirus is running and is updated before allowing the vpn connection
12:17 < svenx> i really dislike stuff like that, but it's useful for places where users have no clue what they are doing
12:17 < svenx> should be an easily scriptable system for it, but i doubt there's anything openly available
12:27 -!- Simonare [n=simonare@dyres229-69.surrey.ac.uk] has joined ##openvpn
12:28 < Simonare> hello, i would like to ask if OpenVPN has speed and bandwidth management for multiple clients.
12:28 < Simonare> i would like to write a web interface that interacts with openvpn for bandwidth, speed and more management options.
12:29 < svenx> you can do this with most firewalls
12:29 < Simonare> can u give me such software examples. and how will the web interface be then
12:30 < Simonare> i mean firewall example
12:30 < svenx> i don't know about web interfaces, but i would guess some halfway ones exist
12:30 < svenx> firewall tools like iptables+tc and pf (in bsd) do the trick with bandwidth management
12:31 < svenx> some nice interface for it can probably be found in m0n0wall (pf based) or some other firewall system
12:31 < Simonare> ok i will look at them. thank you very much.
12:31 < svenx> sure
12:39 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
13:04 -!- xattack [n=xattack@132.248.108.234] has joined ##openvpn
13:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:24 -!- asdf [n=wtf@pessa.net] has joined ##openvpn
13:24 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
13:25 < asdf> how do i push out routes to clients using the openvpn access server?
13:29 < xattack> asdf:http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
13:29 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
13:30 < asdf> xattack: is that for the access server?
13:31 < asdf> http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
13:31 < vpnHelper> Title: Access Server Downloads (at beta.openvpn.net)
13:31 < asdf> that thingy
13:33 < ecrist> asdf: not a lot of people are using the access server at this point
13:34 < asdf> ecrist: k, any secret docs you can point me to?
13:35 < xattack> asdf: ....about
13:36 < asdf> anything, i really didn't find much
13:38 < ecrist> asdf: from what I understand, the access server is really just a web interface for certificate generation and some configuration for a core OpenVPN. you should be able to find a standard VPN config file somewhere
13:38 -!- c64zottel [n=hans@p5B17B028.dip0.t-ipconnect.de] has quit ["Leaving."]
13:42 < xattack> asdf: about routing, you just need the man pages and some understanding about routing and ip addresses
13:55 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
14:05 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
14:05 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"]
14:09 -!- xattack [n=xattack@132.248.108.234] has quit [Read error: 104 (Connection reset by peer)]
14:13 -!- xattack [n=xattack@132.248.108.234] has joined ##openvpn
14:13 -!- xattack [n=xattack@132.248.108.234] has left ##openvpn []
14:14 -!- xattack [n=xattack@132.248.108.234] has joined ##openvpn
14:17 -!- hagbard__ [n=hagbard@vpn8.hotsplots.net] has joined ##openvpn
14:17 < hagbard__> Hi.
14:18 < xattack> hi hagbard__ 14:25 -!- hagbard__ [n=hagbard@vpn8.hotsplots.net] has quit [Read error: 60 (Operation timed out)] 14:48 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."] 14:53 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 14:55 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 14:55 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 14:57 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 14:57 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 14:59 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 14:59 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 15:00 -!- jeiworth [n=jeiworth@189.177.125.126] has quit [Read error: 60 (Operation timed out)] 15:01 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 15:17 -!- xattack [n=xattack@132.248.108.234] has left ##openvpn [] 15:22 -!- jeiworth [n=jeiworth@189.234.8.169] has joined ##openvpn 15:37 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn 15:37 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Remote closed the connection] 16:17 -!- code- [i=code@antenora.aculei.net] has joined ##openvpn 16:32 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit ["Leaving"] 16:51 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 16:53 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 17:21 -!- dexterr [i=dexter@217.78.31.33] has quit [Read error: 60 (Operation timed out)] 17:38 -!- jeiworth [n=jeiworth@189.234.8.169] has quit [Read error: 60 (Operation timed out)] 18:08 -!- dexterr [i=dexter@217.78.31.33] has joined ##openvpn 18:20 -!- asdf [n=wtf@pessa.net] has left ##openvpn [] 18:29 < Simonare> hello. i need to create VPN server. 
of course, i need to use a firewall too. besides these i want to write a web interface for my VPN, where users can see their available bandwidth, credit and so forth. could anyone give me some suggestions about the vpn server choices, firewall choices and some more. PS: i already asked a similar question but i got some standalone firewall suggestions. here is the thing. i saw the ivacy.com website and this site ha
18:30 < krzie> well for vpn, you happen to be in ##openvpn so we will of course say openvpn
18:30 < krzie> firewall, 100% up to you
18:30 < krzie> for web interface you will need to teach yourself the highly undocumented management interface
18:30 < krzie> you can see how to enable it here:
18:30 < krzie> !man
18:30 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:31 < krzie> you then telnet into it (it should only run on localhost if you're smart)
18:31 < krzie> i think the help command when telnet'ed in is the only docs on it
18:32 < Bushmills> why does one need "of course" a firewall on a vpn server?
18:33 * Bushmills seems not binding services to public interface beats firewall
18:33 < krzie> good question, i read that wrong the first time to say i need to create VPN server, of course.
18:33 < krzie> in which case it made sense, but the way he said it, it did not
18:34 < krzie> however, a firewall isn't a bad idea... just not "of course"
18:34 < Bushmills> can be failsafe for misconfiguration
18:34 < krzie> and the same box may need external services as well
18:35 < Bushmills> that's assumption.
18:35 < krzie> yes, it is
18:36 < krzie> moin moin Bushmills
18:36 < Bushmills> oh, right. forgive my negligence
18:36 < krzie> ;]
18:37 < krzie> how's it goin
18:37 < Bushmills> relaxed day today
18:37 -!- dexterr [i=dexter@217.78.31.33] has quit [Read error: 60 (Operation timed out)]
18:37 < krzie> nice
18:37 < krzie> wish i could say the same
18:38 < Bushmills> some exploring of the surroundings and sampling the produce of local ice cream outlets
18:38 < krzie> gunna open one or just wanted ice cream?
18:39 < Bushmills> pure consumerism
18:39 < krzie> where did you learn your english dude?
18:39 < Bushmills> school
18:40 < krzie> both you and reif, english isn't your first lang and you both type better on irc than most of us natives
18:40 < Bushmills> on the way back i came across this remarkable tree: http://photo.verhau.de/new/bridge_saulheim.jpg
18:41 < Bushmills> english is probably my third language (of four)
18:41 < krzie> fourth
18:41 < krzie> ahh an eucalyptus tree, those grow fast
18:42 < krzie> at least i *think* that's what it is
18:42 < Bushmills> this is an estimated 2 miles from the house where i live
18:43 < krzie> you guys don't use kilometers there?
18:43 < Bushmills> not sure - i think the tree behind is a willow
18:43 < Bushmills> yes, we do. but you don't
18:43 < krzie> ahh
18:43 < krzie> actually i do
18:43 < krzie> i didn't when i lived in usa tho
18:43 < Simonare> sorry for late reply. so what you are saying is.. i can create a web interface which will include bandwidth shaping, quota limit, actual usage, and more information by using Telnet to OpenVPN
18:44 < Simonare> so. if i interact with openVPN's telnet. i can get what i want?
18:44 < krzie> bandwidth shaping is built in see --shaper
18:44 < Bushmills> i was contemplating to use attoparsec
18:44 < krzie> quota is NOT built in
18:44 < krzie> but maybe you can hack something up
18:44 < krzie> actual usage i think can be accessed from management interface, but i have no experience with the management interface
18:45 < krzie> and you don't telnet to openvpn, you telnet to openvpn's management interface
18:46 -!- dexterr [n=dexter@225.cust.hostit.se] has joined ##openvpn
18:46 < Simonare> hmm.. ok i think i need to read some more. because i don't know how i can work with openvpn's management interface. but i got the general idea.
18:47 < krzie> you won't find much docs on the management interface
18:47 < krzie> you will need to start it, connect to it, and type help
18:47 < krzie> i believe that's where most of the reading you will find exists
18:49 < Simonare> ok. i am going to try. thank you mate. and one more question. i thought to use a firewall to be able to analyze speed of connected clients, their actual usage, (especially for) port forwarding.
18:49 < Simonare> i don't want to open all the ports for VPN users. just i want to open some of them.
18:49 < Simonare> limited number of ports
18:49 < Simonare> and not for everyone. for some users
18:50 < Simonare> is that possible with firewalls. or what do i need for it
18:51 < Bushmills> that's one way to do it, yes
18:52 < krzie> i dont want to open all the ports for VPN users. just i want to
18:52 < krzie> open some of it.
18:52 < krzie> yes, that is the way 18:52 < krzie> you use static vpn ips for users, then firewall based on that 18:52 < krzie> !iporder 18:52 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 18:53 < krzie> if its not too many you can use #2 18:53 < krzie> if its large groups of users you should prolly use #1 and let your script assign ips 18:53 < Bushmills> consider to group you users according privileges, and assign ip addresses from ranges which reflect these privileges 18:53 < krzie> so you can config firewall based on groups of users 18:53 < krzie> exactly 18:53 < krzie> like bush said 18:54 < Bushmills> same thought 18:54 < Simonare> yes 1 seems good choice now. could anyone suggest me a firewall? 18:55 < Simonare> by the way. thank you this really helped me. 18:55 < krzie> firewall is whatever you are comfortable with 18:55 < krzie> also depends on OS 18:55 < krzie> if you use linux iptables is all i know of 18:55 < krzie> for BSD i personally like PF 18:57 < Simonare> hmm. this is my second time that i am hearing PF.i am going to look at all these issues. thank you for your helps. really appreciate. 18:57 < krzie> yw 18:59 < Bushmills> i have a pic of the vicinity where i lived before. when you open it, look the people on the path, next to the edge, first. 
only then, start to scroll down, slowly: http://photo.verhau.de/places/ireland/cliffsofmohair/IMG_7484.jpg 19:01 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn 19:03 < krzie> its high quality and im on a slow link 19:03 < krzie> i have no choice but to see the top first and see lower slowly 19:03 < Bushmills> good :) 19:04 < Bushmills> actually, reiffert took that photo 19:06 < krzie> how deep is the ocean there? can you jump off and live? 19:06 < Bushmills> that's > 200 m down, you wouldn't survive that fall 19:07 < Bushmills> more than 50 meters is potentially fatal 19:07 -!- dexterr [n=dexter@225.cust.hostit.se] has quit [Read error: 60 (Operation timed out)] 19:07 < krzie> damn 19:08 < Bushmills> highest cliffs there are about thrice that high 19:08 < Bushmills> but not that accessable. and no nice path right at the edge 19:10 -!- dexterr [n=dexter@217.78.29.234] has joined ##openvpn 19:10 -!- Lilarcor [n=Lilarcor@208-59-127-107.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."] 19:24 < reiffert> :) 19:26 < Bushmills> recognize it? 19:26 < reiffert> for sure, as if it took place today 19:28 < Bushmills> the adrenalin rush may have caused that, from getting close to the edge, while trying not to fall over 19:30 < reiffert> Chances are, yea 19:30 < Bushmills> and trying to avoid the potholes in the top grass layer, cause you didn't want to slip through one of those :D 19:37 < Dougy> mother fucker 19:37 < Dougy> ugh 19:37 < Dougy> i feel like im dying 19:39 < Bushmills> relenza is said to work better than tamiflu 19:41 < Bushmills> that's zaminivir, a neuraminidase-blocker 19:44 * xp_prg hugs Dougy 19:52 < xp_prg> any of you guys use this: http://search.cpan.org/~grm/App-CamelPKI-0.07/ ? 
19:52 < vpnHelper> Title: Jeremie Klein / App-CamelPKI-0.07 - search.cpan.org (at search.cpan.org) 19:57 < Dougy> thanks xp_prg 19:57 * xp_prg makes Dougy some chicken noodle soup 19:58 < Dougy> win 19:58 < xp_prg> Dougy have you used the Certificate Authority approach with openvpn? 19:59 < Dougy> no sir 19:59 < krzie> dougy, you dont use client/server? 19:59 < Dougy> krzie im so feverish i barely know my fykin name 19:59 < Dougy> fuckin 19:59 < Dougy> i dont know 19:59 < krzie> sweet! 20:00 < krzie> in that case, write down that i paid for 2 yrs in advance 20:00 < Dougy> k 20:00 < krzie> lol 20:01 < xp_prg> Dougy do you have the mexican flu? 20:01 < Dougy> no 20:01 < Dougy> just the regular flu 20:01 < krzie> ya he has the swine flu 20:01 * xp_prg tucks Dougy in his bed 20:01 < Dougy> nooo 20:01 < Dougy> too hot 20:03 * xp_prg takes the covers off of Dougy and puts a fan on him 20:05 < Dougy> ty hah 20:09 -!- orangey [n=orangey@tarek.org] has joined ##openvpn 20:09 < orangey> hey all. 20:09 < orangey> I'm trying to figure out a couple of things.. 20:09 < orangey> I'm behind a firewall at the moment, and trying to break out of it. I only have access to tcp, so I setup the openvpn server on port 443 20:10 < orangey> I can telnet into the port and see what appears to be VPN stuff.. 20:10 < orangey> however, I can't seem to connect. 20:10 < orangey> so, to start with the basics here, is there a good "idiot's guide" to make sure my config is all right? 20:10 -!- troy is now known as troy- 20:11 < krzie> no, openvpn wasnt made to be used by idiots =[ 20:11 < krzie> the firewall you are behind, does it force traffic to use a proxy normally? 20:12 < krzie> are you only using openvpn to do things like surf the web without originating from inside the firewall? 20:12 < orangey> it's not perfectly clear, but I believe not. I believe it only blocks ports. 20:12 < orangey> actually, I'm trying to do it to use UDP remotely for my SIP client.
20:13 < krzie> is this firewall at your work? 20:13 < orangey> since I can't get that to work with SSH tunneling 20:13 < orangey> yep, work firewall kind of. 20:13 < orangey> it's work housing. 20:14 < xp_prg> ssh port forwarding is your friend orangey 20:15 < orangey> xp_prg: as I understand it, it doesn't do UDP easily 20:15 < orangey> I'd have to use socat and all this. 20:16 < orangey> so why not just get openvpn set up? 20:16 < xp_prg> why do you "need" to use udp? 20:16 < orangey> xp_prg: well, I guess I don't "need" anything.. but the UDP is so my SIP can work 20:16 < krzie> ya sip is UDP 20:17 < krzie> ok so now try this orangey 20:17 < krzie> are you using linux/bsd? 20:17 < xp_prg> SIP is voip right? 20:17 < krzie> yes 20:18 < krzie> so if he uses a tcp based vpn like he was talking about he will run into a pitfall 20:18 < xp_prg> ok 20:18 < xp_prg> I guess ssh port forwarding won't route udp through it? 20:19 < krzie> right 20:19 < krzie> if he tells me what os he is on we can go further 20:19 < krzie> i wanna see if he can directly contact NS servers 20:19 < krzie> ie: host ircpimps.org ns1.doeshosting.com 20:20 < krzie> if he can directly ask ns1.doeshosting.com for dns for ircpimps.org then he can run his server on udp 53 20:20 < krzie> very common hole in firewalls that block outbound udp 20:20 < xp_prg> oh cool! 20:20 < Dougy> hmmm 20:20 < Dougy> supermicro has atom motherboards now 20:20 < Dougy> win 20:20 < xp_prg> what are atom motherboards and why are they cool? 20:21 < Dougy> motherboards with intel atom's in them 20:21 < orangey> I'm using ubuntu 20:21 < orangey> 9.04 20:21 < krzie> if his firewall blocks outbound web surfing unless through their proxy, then he can tell openvpn to use the proxy 20:21 < krzie> orangey: host ircpimps.org ns1.doeshosting.com 20:21 < orangey> aaah.. excellent. let me check it out 20:21 < krzie> tell me if it works 20:21 < orangey> krzie: works! 20:21 < krzie> ok, so use udp 53 20:22 < orangey> krzie: will do..
but what's the difference between doing that and using tcp 443? 20:22 < krzie> btw that is FAR better than tcp 443 20:22 < krzie> !tcp 20:22 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:22 < orangey> I've read UDP is faster for some operations.. 20:22 < krzie> for a tunneling protocol tcp is no bueno 20:23 < code-> damn, you have a !tcp function 20:23 < code-> that's sweet k 20:24 < krzie> whoa 20:24 < krzie> wassup code 20:24 < code-> chillin buddy 20:24 < krzie> didnt see ya in here 20:24 < Dougy> ohai 20:24 < code-> yeah i just joined a lil while ago, i am gonna setup a vpn soon and figured this is probably a good place to be in case i do something idiotic 20:24 < code-> ;) 20:24 < krzie> ;] 20:24 < krzie> feel free to hit me up for anything buddy 20:24 < krzie> you'll want this: 20:25 < krzie> !ssl-admin 20:25 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 20:25 < krzie> its in fbsd ports, nice cert managing system 20:25 < Dougy> fuckin ecrist 20:25 < Dougy> is everywher 20:25 < code-> i'll install it via ports 20:25 < Dougy> e 20:25 < Dougy> lol 20:25 -!- mode/##openvpn [+v code-] by ChanServ 20:26 < krzie> ;] 20:26 -!- mode/##openvpn [-v code-] by ChanServ 20:26 < orangey> krzie: OK, I think we have progress.. it still won't connect though, so I actually suspect that my problem is that I don't have things properly setup, especially from the client end.. At this point, I get a "connection timeout" through network manager. 20:26 < krzie> !ubuntu 20:26 < vpnHelper> krzie: "ubuntu" is dont use network manager! 
20:26 < orangey> ah 20:27 < Dougy> rofl krzie 20:27 < Dougy> you have everything in that bot 20:27 < krzie> yes 20:27 < Dougy> hey, didn't you have a !redirect-gateway at some point? 20:27 < krzie> it is the openvpn oracle 20:27 < krzie> !redirect 20:27 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 20:27 < xp_prg> Before you use the sample configuration file, you should first edit the ca, cert, key, and dh parameters to point to the files you generated 20:27 < code-> !nat 20:27 < vpnHelper> code-: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 20:27 -!- troy- is now known as troy 20:28 < xp_prg> it says ca ca.crt right now, so would I change it to: ca /etc/openvpn/easy-rsa/keys/ca.crt? 20:28 < krzie> or you can use: 20:28 < krzie> cd /etc/openvpn/easy-rsa/keys 20:28 < krzie> assuming everything after the cd line is in that dir 20:28 < krzie> but yes, i always use full paths, as seen here: 20:28 < krzie> !sample 20:28 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 20:29 < xp_prg> krzie a cd in the server.conf? 20:29 < xp_prg> it can handle that? 
20:29 < krzie> sure can 20:29 < xp_prg> ok thanks 20:29 < krzie> every --command can be a option in config file 20:29 < krzie> but remember that from then on in the config it is in that dir 20:30 < krzie> i really only use cd when im lazy fixing a config 20:30 < krzie> usually i stick to full paths 20:30 < krzie> gets you in less trouble 20:32 < krzie> !irclogs 20:32 < xp_prg> ok thanks 20:32 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 20:36 < orangey> OK, so I think I have some other problem here.. 20:37 < orangey> essentially I am getting timeouts 20:37 < orangey> oh! failed TLS handshake.. 20:37 < orangey> but what if I don't want TLS? 20:37 < krzie> oh but you do 20:37 < krzie> :p 20:37 < krzie> look at your logs 20:37 < orangey> hehe ; ) 20:37 < krzie> they tell you whats wrong 20:38 < orangey> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 20:38 < orangey> but I have no TLS configuration set 20:38 < krzie> thats not it 20:38 < krzie> look above 20:38 < krzie> READ them 20:38 < orangey> which? 20:38 < krzie> fine.. 20:38 < krzie> !logs 20:38 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 20:40 < orangey> sorry, what pastebin service do we use? pastebin.com doesn't have anything like "verb" that I see. 
20:41 < krzie> lol 20:41 < krzie> verb 6 is for your config files 20:41 < krzie> i only want logs at verb 6, and they must be from start to TLS Error: TLS key negotiation failed to occur within 60 seconds 20:42 < krzie> not from retry, from START 20:45 -!- troy is now known as troy- 20:51 < xp_prg> got it to work! 20:52 < krzie> =] 20:53 < xp_prg> thanks all who assisted! 20:54 < xp_prg> that wasn't even that hard! 20:54 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 20:55 -!- troy- is now known as troy 20:55 < orangey> xp_prg: congrats! 20:57 < orangey> krzie: Did you get the private message? 20:59 < krzie> by giving it private you bypass all the other very knowledgeable people in here 20:59 < krzie> and i dont have much time til i leave 20:59 < orangey> http://pastebin.com/dc740c10 21:00 < krzie> you are using rc11 which has known bugs 21:00 < krzie> you should be using rc16 21:00 < krzie> you also failed to paste the server's log 21:02 < orangey> no idea how to manipulate that.. I'm using the stock client config from your link (ircpimps). 21:05 < orangey> yeah, it really looks like a TLS error.. 21:05 < orangey> it keeps repeating: TLS Error: cannot locate HMAC in incoming packet from IP:13221 21:08 < krzie> there you go 21:08 < krzie> thats a real error 21:08 < krzie> !hmac 21:08 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 21:08 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 21:09 < krzie> you are using that, but either dont have the file there or not in the right place 21:11 < orangey> I appear to have my ta.key on the server 21:11 < orangey> but not on the client 21:12 -!- troy is now known as troy- 21:16 < krzie> bbl 21:20 < orangey> krzie: well, one step ahead, but still not working. Thank you! I think I have to give up for the night.. 21:25 -!- orangey [n=orangey@tarek.org] has quit [Remote closed the connection] 21:37 -!- svenx [n=sveniu@pat-tdc.opera.com] has quit [Read error: 60 (Operation timed out)] 21:41 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 22:18 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 22:54 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Leaving"] 23:00 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 23:27 < Simonare> hi. how can i connect my openvpn server management interface? 23:28 < Simonare> they told me that i need to connect with telnet but by which address and which port? 
23:30 -!- mRCUTEO [n=IRCLUNAT@118.100.170.34] has joined ##openvpn 23:37 -!- Jameno123 [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 23:38 < Jameno123> So, does anyone know of any HARDWARE device that supports SSL VPN, with OpenVPN :( besides a custom hacked WRT linksys 23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 23:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 23:39 < Jameno123> Ive got a openvpn based vpn, with many users, and i want to link an entire network ;( a small office, to the VPN 23:55 -!- troy- is now known as troy --- Day changed Sat May 23 2009 00:13 -!- Simonare [n=simonare@dyres229-69.surrey.ac.uk] has quit [] 00:15 -!- mRCUTEO [n=IRCLUNAT@118.100.170.34] has quit [] 01:28 < dan__t> Hi! 01:29 < dan__t> Any tips for making a script inside of the OpenVPN config file for a client, if possible, so that it will auto map a drive to a samba share when the client connects? 01:32 < reiffert> #!/bin/bash 01:33 < reiffert> mount -t cifs whatever comes here 01:33 < reiffert> /mntpoint 01:33 < dan__t> yea, the client is a wintendo 01:33 < dan__t> So I guess I wanted to run 'net use' on the client per the config file when the connection is established 01:33 < dan__t> from the client side 01:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:35 < dan__t> HAH 01:35 < dan__t> OpenVPN GUI -> Run Connect/Disconnect/Preconnect Scripts 01:36 < reiffert> !man 01:36 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 01:38 < dan__t> yea... openvpn != openvpn gui 01:38 < dan__t> Now I'm getting a TTL expired in transit error when pinging, from the client 01:40 < reiffert> you have no idea how openvpn and openvpn_gui interact, do you? 01:40 < reiffert> oh really? then please get to openvpn-gui irc channel and ask the author. hahaha.
01:41 < dan__t> You're right, OpenVPN has an argument like "Preconnect". 01:41 < dan__t> I forgot. 01:41 < dan__t> My bad. 01:41 < dan__t> Yea, I do have quite a good idea of how they interact. 01:42 < dan__t> Thanks for trying though. 01:47 -!- master_of_master [i=master_o@p549D3D9D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:51 -!- master_of_master [i=master_o@p549D4CA6.dip.t-dialin.net] has joined ##openvpn 01:53 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 01:55 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 02:37 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: xor|, dmarkey, SuperEvildeath 02:38 -!- Netsplit over, joins: dmarkey, xor|, SuperEvildeath 03:04 -!- deception [i=oc80z@root.servergirl.net] has joined ##openvpn 03:20 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 04:05 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 04:16 -!- c64zottel [n=hans@p5B17B557.dip0.t-ipconnect.de] has joined ##openvpn 04:19 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn 04:21 -!- Plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:28 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has quit [Read error: 113 (No route to host)] 06:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:38 -!- `Ned [n=Ned@cpe-98-155-203-22.hawaii.res.rr.com] has quit ["Leaving"] 06:41 -!- feinoM [n=feinom@svale.hia.no] has quit [Client Quit] 06:42 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)] 07:00 -!- dexterr [n=dexter@217.78.29.234] has quit [Client Quit] 07:16 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 07:19 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection] 07:39 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined 
##openvpn 08:15 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 54 (Connection reset by peer)] 08:16 -!- Dougy is now known as Douglas 08:16 -!- Douglas is now known as Dougy 08:24 < Dougy> System Information for debian: CPU: GenuineIntel 08:24 < Dougy> woot 08:24 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 08:24 < Dougy> Welcome Gumbler! You have achieved a new peak of 63 users for ##openvpn! 08:31 -!- LHC [n=Administ@cpc1-glen1-0-0-cust66.belf.cable.ntl.com] has joined ##openvpn 08:31 < Dougy> Welcome LHC! You have achieved a new peak of 64 users for ##openvpn! 08:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:35 < Dougy> Welcome roentgen! You have achieved a new peak of 65 users for ##openvpn! 08:36 < roentgen> cool 08:40 < Bushmills> Dougy, among the living again? 08:40 < LHC> ha 08:40 < Dougy> Bushmills, thank god 08:40 < Dougy> woke up feverless 08:40 < LHC> wow i live near the bushmills distillery, nice stuff 08:40 < Bushmills> that was quick. good. 08:41 < Bushmills> LHC, lucky you :) 08:41 < Dougy> that script i think is going to bug me 08:41 < LHC> well its not like it runs outta my taps, tho that would be nice 08:42 < Bushmills> so I guess when they ask for volunteers, when showing around visitors, one better applies 08:43 < LHC> haha 08:45 < Bushmills> (in fact one should, because those who do get to sample twice the amount) 08:45 < Dougy> win 08:45 < Bushmills> for a direct comparison with competing products 08:50 < LHC> you alcoholic haha 08:50 < LHC> anyways what is open vpn like. Im looking to install a vpn on my server 08:51 < Bushmills> lhc, it is like a wire. but without the metal. 08:52 < LHC> a riddle see, let me figure that one out see xD 08:53 < Dougy> Quagmire: I felt guilty once, but she woke up halfway through. 08:53 < LHC> haha 08:59 < Dougy> Farmer's wife: (talking to stewie) I bet you're hungry. Stewie: Yes and i bet you lost your virginity to a mechanical bull... NOW CHANGE ME!
09:06 -!- LHC [n=Administ@cpc1-glen1-0-0-cust66.belf.cable.ntl.com] has quit [Read error: 54 (Connection reset by peer)] 10:32 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn 10:32 -!- MauS [n=lolmaus@lolmaus.static.corbina.ru] has joined ##openvpn 10:32 < MauS> !logs 10:32 < vpnHelper> MauS: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 10:41 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 10:45 < MauS> Oh i fixed it ^_^ 10:51 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"] 10:55 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn 11:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:37 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 11:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:52 -!- jackc [n=jackc@ma.us.nanog.net] has left ##openvpn [] 12:32 < dan__t> HI. 12:36 < Dougy> HI 13:14 -!- deception [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 13:26 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 14:11 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 14:29 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has joined ##openvpn 14:57 < dan__t> waddup g. 
15:00 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 15:16 < Bushmills> ceiling is 15:38 -!- Solvik [n=solvik@oxyradio.com] has quit [SendQ exceeded] 15:38 -!- Solvik [n=solvik@oxyradio.com] has joined ##openvpn 16:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:06 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 18:06 -!- oc80z [i=oc80z@root.servergirl.net] has joined ##openvpn 18:07 -!- oc80z [i=oc80z@root.servergirl.net] has quit [Remote closed the connection] 18:07 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 18:29 < krzie> servergirl? lol 18:33 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn 19:35 -!- jeiworth [n=jeiworth@189.163.143.208] has quit ["No Ping reply in 90 seconds."] 19:36 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 19:58 -!- jeiworth_ [n=jeiworth@189.163.143.208] has joined ##openvpn 19:58 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 104 (Connection reset by peer)] 19:59 -!- jeiworth_ is now known as jeiworth 20:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 20:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 20:06 -!- c64zottel [n=hans@p5B17B557.dip0.t-ipconnect.de] has quit ["Leaving."] 20:37 < reiffert> mms://wm.wige.jet-stream.nl/wige=live3 20:37 < reiffert> 24h rennen nuerburgring live stream 20:37 < reiffert> 24h race 20:37 < reiffert> a must see 20:40 < krzie> a must see is tonights UFC 20:40 < krzie> machida vs evans 20:41 < krzie> my $ is on machida 20:41 < reiffert> doh, thats excellent german language 20:41 < reiffert> and it's brroooom brooooom 21:01 -!- Haraken [i=ryuk@unaffiliated/haraken] has joined ##openvpn 21:02 < Haraken> I just got done setting up openvpn on my windows machine as a client, and as a server on my ubuntu jaunty server. 
when I try to connect it seems to connect just fine, but I can't ping any of the servers on the local network. it also seems to kill my network on the client machine so I no longer have internet access. 21:04 < krzie> i take it you are using redirect-gateway 21:04 < krzie> OR, your client and server are on the same subnet on their LANs and your server pushes a route to its LAN 21:05 < Haraken> redirect-gateway? 21:06 < krzie> im thinking its the second thing i said 21:06 < Haraken> my openvpn server is also a gateway for the office. so it is forwarding the internet connection to the local ips 21:06 < Haraken> at first, I had the openvpn on the same subnet as the local network 21:07 < Haraken> 10.1.1.0 21:07 < Haraken> then i realized this might not work, so I changed openvpn to 10.1.1.2 with the same results 21:07 < Haraken> er 21:07 < Haraken> 10.1.2.0 21:07 < krzie> im not talking bout openvpn 21:07 < krzie> im talking about their LAN subnets 21:08 < krzie> are those the same 21:08 < Haraken> for the external network? 21:09 < Haraken> yes, my client has a different external ip though 21:09 < Haraken> same subnet 21:09 < krzie> theres your problem 21:09 < krzie> the client sets its route for that subnet to go over the vpn 21:09 < krzie> then it can no longer reach its gateway to the inet 21:09 < krzie> so it goes POOF 21:10 < Haraken> ah 21:10 < Haraken> is there a better way to get access to the local network using a computer on the same subnet? 21:12 < krzie> change your subnet on 1 side 21:12 < krzie> bblk 21:12 < Haraken> thanks 23:32 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has joined ##openvpn 23:33 < voipuser> !howto 23:33 < vpnHelper> voipuser: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 23:35 < voipuser> Okay, I was wondering if anyone here might know of a link to a page that would explain what I need to do, since the almighty Google is being a bit unyielding tonight...
23:36 < voipuser> I have set up an OpenVPN *server* on a Linux box, have tested it using a VPN client and it works... 23:37 < voipuser> Now what I want to do is take an Asus WL-520GU router and use it as a VPN *client*, so that anything plugged into a LAN port on the router will use the VPN tunnel 23:37 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Connection timed out] 23:38 < voipuser> I can find all sorts of instructions for flashing the router with DD-WRT and setting it up as a *server*, but that's not what I want to do... 23:39 < voipuser> I want the router to be at the far end of the tunnel, acting as the client. And setup instructions for THAT are like trying to find the needle in the haystack. 23:40 -!- tjz [n=tjz@bb116-15-73-8.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 23:54 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 23:54 < theDoc> !upgrade 23:54 < vpnHelper> theDoc: Error: "upgrade" is not a valid command. 23:54 < theDoc> Hm, is there a trigger around which gives information on upgrading to another openvpn version? --- Day changed Sun May 24 2009 00:41 < dan__t> hi.
00:47 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 00:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 00:49 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 00:51 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 01:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:47 -!- master_of_master [i=master_o@p549D4CA6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:47 < reiffert> moin 01:47 < dan__t> moin 01:50 -!- master_of_master [i=master_o@p549D7D07.dip.t-dialin.net] has joined ##openvpn 01:50 < dan__t> !porder 01:50 < vpnHelper> dan__t: Error: "porder" is not a valid command. 01:50 < dan__t> oih duh 01:50 < dan__t> hm i need to stop drinking beer or get off of the computer. 
02:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection] 02:17 -!- albech [n=albech@119.42.77.82] has joined ##openvpn 03:57 -!- c64zottel [n=hans@p5B1789A0.dip0.t-ipconnect.de] has joined ##openvpn 04:49 -!- tjz [n=tjz@bb116-15-73-8.singnet.com.sg] has joined ##openvpn 04:51 -!- albech [n=albech@119.42.77.82] has quit [Read error: 60 (Operation timed out)] 05:11 -!- albech [n=albech@119.42.77.82] has joined ##openvpn 05:14 -!- albech [n=albech@119.42.77.82] has quit [Client Quit] 05:21 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has joined ##openvpn 05:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:30 < neteffect> hi 05:38 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn [] 05:46 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn 05:46 -!- vadi01 [n=quassel@81.18.134.4] has joined ##openvpn 05:47 < vadi01> guys i have a problem. In Vista the users cannot get the gateway from the linux vpn server. The gateway come to 0.0.0.0 05:47 < vadi01> any idea how to solve this? 05:48 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has joined ##openvpn 05:50 < Bushmills> !configs 05:50 < vpnHelper> Bushmills: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:51 < Bushmills> 0.0.0.0 is default gateway 05:52 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:52 < Bushmills> ehm. dest 0.0.0.0 is default route i mean. not gateway. 05:52 < Bushmills> *coffee+ 05:58 < vadi01> Bushmills: no 05:59 < vadi01> Bushmills: this is what the ipconfig in vista is 05:59 < vadi01> Bushmills: http://pastie.org/487959 05:59 < vadi01> Bushmills: clients with XP get the default gateway. 
Is there something else i need to configure in the server? 06:00 < feinoM> !redirect 06:00 < vpnHelper> feinoM: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 06:01 < neteffect> hi. im trying to connect two computers. both are behind embarq modem/routers. 06:01 < feinoM> vadi01: do you get any error messages on the vista client? 06:02 < vadi01> feinoM: nope. the vpn actually connects. user name and password verifies 06:02 < vadi01> feinoM: but because the gateway is 0.0.0.0 traffic does not go to the internet 06:02 < neteffect> so it says to open 1194 and also to forward incoming 1194 -> openvpn server box 06:02 < feinoM> yes, but sometimes there are error messages anyway :) 06:06 < Bushmills> vadi01, i'm not aware of anything vista-specific. but otoh, i'm no windows expert either. is your server pushing routes? 06:06 < feinoM> vadi01: have you tried running the client as administrator? 06:06 -!- lolmaus__ [n=lolmaus@lolmaus.static.corbina.ru] has joined ##openvpn 06:06 -!- MauS [n=lolmaus@lolmaus.static.corbina.ru] has quit [Read error: 104 (Connection reset by peer)] 06:06 < vadi01> Bushmills: routing is all okay. its only vista clients who have this prob. 06:07 < vadi01> feinoM: no let me try 06:08 < Bushmills> "routing ok but gateway not" ... gateway is part of a route specification 06:08 < vadi01> Bushmills: command to know if the server is pushing routes? 06:09 < Bushmills> push-route in server config 06:09 < Bushmills> push "route..." i mean 06:13 < vadi01> Bushmills: eeem actually am using roaring penguin vpn for now. Any push route command for it or similar? 06:14 < Bushmills> thats pppoe? 06:14 < Bushmills> rppppoeß 06:14 < Bushmills> rppppoe? 06:14 < vadi01> pppoe 06:14 < vadi01> yea 06:14 < Bushmills> not related to openvpn 06:15 < vadi01> nope.
cause i cant find a channel with pppoe 06:15 < vadi01> support 06:15 < vadi01> or is there? 06:15 < Bushmills> openvpn answers to your problem won't help. 06:15 < vadi01> yea i noticed that. 06:16 < vadi01> is there a vpn channel for roaring penguin? 06:16 < Bushmills> /list 06:17 -!- vadi01 [n=quassel@81.18.134.4] has quit [Success] 06:17 -!- vadi01 [n=quassel@81.18.134.4] has joined ##openvpn 06:18 -!- vadi01 [n=quassel@81.18.134.4] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 06:19 < Bushmills> neteffect, yes, assuming you want to stick to the default ports 06:30 -!- c64zottel [n=hans@p5B1789A0.dip0.t-ipconnect.de] has quit ["Leaving."] 06:53 < neteffect> cool 06:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:48 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:49 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:50 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:51 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:52 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:53 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 07:54 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection] 07:55 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn 08:27 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has quit [] 09:58 < neteffect> hi 09:59 < neteffect> i need to connect two computers, both are behind those embarq modem/routers 09:59 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 10:03 < neteffect> can openvpn help me ? 10:06 < project2501a> you'll need a young priest and an old priest 10:06 < neteffect> heh 10:08 -!- c64zottel [n=hans@p5B1789A0.dip0.t-ipconnect.de] has joined ##openvpn 10:08 < neteffect> why do you say that? 10:08 < neteffect> nat?
10:09 < ecrist> neteffect: you'll need to do port-forwarding or DMZ of some sort to get the connection to go through 10:09 < neteffect> yeah incoming 1194 -> vpn server box, right? 10:09 < ecrist> yep 10:10 < neteffect> i don't need to map anything on the way out? 10:10 < Bushmills> neteffect, yes you need to. 10:10 < ecrist> why would you? 10:11 < neteffect> heh 10:11 < neteffect> i was thinking, right, i shouldn't need to 10:11 < Bushmills> all your outbound internet traffic should go to the gateway 10:11 < neteffect> ok 10:14 < neteffect> i don't need a special router 10:19 < neteffect> when i am in there next time, if i see pptp, do i open that, gre too? 10:19 < ecrist> if you're going to use pptp and gre, sure. if you're going to use openvpn, open 1194 10:19 < neteffect> oh 10:26 < neteffect> so i gotta put my server config file in program files/openvpn/config next apparently 10:29 < neteffect> if im going over modem/routers, am i going to use bridging mode or routing mode? 10:33 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:45 < neteffect> in windows i don't see an option to create a tun device, just tap 11:17 -!- zealxy [n=zxy@remote3.student.chalmers.se] has joined ##openvpn 11:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:45 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has joined ##openvpn 11:46 < w00ted> hello guys 11:47 < w00ted> i'm probleme connection vpn good and internet no good ? because 11:47 < Bushmills> neteffect, sounds right (no tun), tap used under windows. routing preferred over bridging.
11:48 < w00ted> client linux and server
11:48 < w00ted> :)
11:48 < w00ted> no windows
11:49 < w00ted> look at http://pastebin.com/m6592fb32
11:49 < w00ted> server.conf
11:50 < w00ted> !redirect
11:50 < vpnHelper> w00ted: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:51 < w00ted> !def1
11:51 < vpnHelper> w00ted: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:51 < w00ted> !man
11:51 < vpnHelper> w00ted: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:51 < w00ted> !nat
11:51 < vpnHelper> w00ted: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
11:52 < w00ted> !configs
11:52 < vpnHelper> w00ted: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:56 < w00ted> ??
11:57 -!- jeiworth [n=jeiworth@189.163.143.208] has quit ["No Ping reply in 90 seconds."]
11:59 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
12:08 < Bushmills> w00ted, if your vpn connection is good, congratulations.
if your internet connection isn't, it may be a problem with your internet access provider.
12:17 -!- jeiworth [n=jeiworth@189.163.143.208] has quit ["No Ping reply in 90 seconds."]
12:17 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
14:06 < neteffect> im in the sample server config file, i have to change dev tun to dev tap?
14:11 < neteffect> i have to generate dh1024.pem file? im on windows
14:12 < neteffect> so i am installing openssl for windows
14:17 < neteffect> cannot load certificate file server.crt
14:19 < Bushmills> !man
14:19 < vpnHelper> Bushmills: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:19 < neteffect> oh
14:21 < Bushmills> you know that one can search man pages?
14:21 < Bushmills> when i did that on dh1024, first hit it shows is http://forthfreak.net/snap/dh.png
14:22 < neteffect> cool i got that done
15:47 < neteffect> where does index.txt get generated?
15:50 -!- c64zottel [n=hans@p5B1789A0.dip0.t-ipconnect.de] has left ##openvpn []
15:59 < neteffect> heh
16:24 -!- w00ted [n=w00ted@bre44-1-88-177-20-76.fbx.proxad.net] has quit []
16:26 -!- Nandeesh [n=user@122.167.43.127] has joined ##openvpn
16:33 < voipuser> Anyone a genius in setting up an OpenVPN *client* (not server) on a router with dd-wrt firmware? Problem description in this post: http://www.elastix.org/index.php?option=com_fireboard&Itemid=55&func=view&catid=25&id=16398&limit=10&limitstart=30#24629
16:33 < vpnHelper> Title: Elastix - The reliable PBX appliance software - Re:Remote extension questions - Elastix Forum (at www.elastix.org)
16:47 -!- troy is now known as troy-
16:52 < neteffect> i am setting up a server, still at the beginning
17:03 -!- Nandeesh [n=user@122.167.43.127] has left ##openvpn []
17:05 < neteffect> do i need this x509 certificate stuff?
17:09 < reiffert> I guess you'll need to read the howto.
17:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
17:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:24 -!- NetAffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has joined ##openvpn
17:28 < NetAffect> heh :) looks like i got the server up and running
17:40 < zealxy> Hi, I have a 100Mbit link, but I don't get the performance I would like, which parameters should I play with
17:40 < zealxy> besides recv and send buffers
17:40 < zealxy> I got a ping time of 50ms over the tunnel
17:41 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
17:51 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Read error: 54 (Connection reset by peer)]
18:55 < krzie> zealxy, make sure you are using udp, check what --mtutest on the client does while connecting to the server
18:55 < krzie> if you need to modify mtu that will tell you
18:56 < krzie> if you are using tcp instead of udp see !tcp
18:56 < zealxy> hmm
18:56 < krzie> feel free to play with --comp-lzo settings, default is adaptive
18:56 < zealxy> Im using udp
18:56 < zealxy> 1sec
18:57 < zealxy> http://img36.imageshack.us/img36/1931/200905250137411280x1024.pn
18:57 < zealxy> tcpdump graph, of an ftp transfer
18:57 < zealxy> Im using udp I suppose, haven't changed to tcp and udp is default?
18:57 < krzie> right
18:57 < krzie> !configs
18:58 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:58 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
18:59 < zealxy> 1 sec
19:02 < zealxy> can't copy and paste from my xterm :/
19:02 < NetAffect> does "Initialization Sequence Complete" mean my server is up?
19:05 < krzie> yes and no
19:05 < NetAffect> heh
19:05 < krzie> you'll still get that message if routes couldnt be added
19:05 < krzie> pinging across the tunnel means your vpn is up
19:05 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn []
19:05 < zealxy> http://pastebin.com/m43cf72ed
19:05 < krzie> NetAffect, are you having a problem?
19:06 < NetAffect> no i am just starting out
19:06 < NetAffect> my first time
19:07 < krzie> zealxy, that was only the server
19:08 < krzie> but assuming the client doesnt have stuff like mssfix etc it looks fine
19:08 < NetAffect> i don't have any routes
19:08 < krzie> check the mtu by adding mtu-test to the clients config
19:08 < zealxy> http://pastebin.com/m1ff425d
19:09 < krzie> NetAffect openvpn adds routes by default, but if you dont have any problem then theres nothing i need to help you with ;]
19:09 < NetAffect> well. what do i type to ping? ping 10.8.0.2?
19:10 < krzie> zealxy nice config, 100% unrelated to your speed issue but check out !hmac
19:10 < zealxy> !hmac
19:10 < vpnHelper> zealxy: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing.
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
19:10 < vpnHelper> zealxy: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
19:10 < krzie> NetAffect, that depends on your setup
19:11 < krzie> but with a normal setup have the client ping 10.8.0.1
19:11 < krzie> in a default setup (topology net30) 10.8.0.2 isnt a real ip, its a virtual ip inside openvpn
19:12 < krzie> !/30
19:12 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
19:12 < zealxy> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
19:15 < zealxy> hmm
19:15 < zealxy> krzie: do you get anything out of http://img36.imageshack.us/img36/1931/200905250137411280x1024.png ?
19:16 < krzie> ok that test means to not change anything
19:16 < krzie> i get no info from that test
19:16 < krzie> err png
19:17 < zealxy> :p
19:17 < NetAffect> http://pastebin.com/mfd53f6b this is from the client, what is wrong?
19:18 < NetAffect> server certificate verification?
19:18 < krzie> well you're using a 4 year old version of openvpn
19:18 < krzie> for 1
19:18 < NetAffect> oh heh
19:18 < zealxy> the png as you prolly know is a throughput graph, blue is average, yellow are the samples, and red binds the yellow dots
19:18 < krzie> zealxy looks like you're peaking at 15MB/s, right?
19:19 < zealxy> ye, should be something like that, it's a 100Mbit line
19:19 < krzie> NetAffect, how bout the logs from server when the client connects...
19:19 < krzie> zealxy so whats the problem...
19:19 < zealxy> but the average is 10Mbit
19:19 < NetAffect> ok
19:19 < krzie> umm no zealxy
19:19 < krzie> those are BYTES / sec
19:19 < krzie> not bits
19:20 < krzie> avg is 10MB/s
19:20 < krzie> which is 80mbit
19:20 < krzie> which is pretty damn nice avg for a vpn link on 100mbit
19:20 < krzie> or is the blue line an avg?
19:21 < zealxy> the blue is average
19:21 < krzie> ahh
19:21 < krzie> dunno then dude
19:21 < NetAffect> http://pastebin.com/m32ab5108 this is my server log. what did i do wrong?
19:21 < zealxy> I can peek close to 100Mbit without vpn and 4 parallel ftp streams
19:21 < zealxy> peak
19:22 < krzie> NetAffect the log needs to be when the client connects too
19:22 < krzie> zealxy hows cpu load on the 2 boxes during these xfers?
19:23 < NetAffect> server.log is the only file in there
19:23 < zealxy> no load to mention
19:24 < zealxy> quite fun looking at them graphs though :p
19:24 < krzie> NetAffect it means nothing if it doesnt contain the connection attempt
19:27 < krzie> NetAffect:
19:27 < krzie> !configs
19:27 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:27 < NetAffect> ok
19:29 < NetAffect> http://pastebin.com/mf6219cd here is the server config, there are comments, sorry
19:29 < krzie> welp
19:29 < krzie> you can get rid of them, or not
19:30 < krzie> but i wont be reading it with them
19:31 < NetAffect> great
19:31 < krzie> (which is why my bot says to get rid of them)
19:31 < NetAffect> how do i do it in windows?
19:32 < krzie> i dont use windows
19:32 < zealxy> krzie: I will try using tcp
19:32 < krzie> zealxy
19:32 < krzie> !tcp
19:32 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:33 < krzie> (the link was taken from the man page)
19:33 < krzie> NetAffect what are you using the tunnel for?
19:33 < krzie> err no not NetAffect i mean zealxy
19:34 < krzie> zealxy what are you using the tunnel for?
19:34 < zealxy> encrypted ftp and http
19:34 < zealxy> fast ftp transfers and not critical http
19:35 < krzie> ftp for others or is this something you could just as easily solve with scp / rsync
19:35 < zealxy> ye
19:35 < NetAffect> http://pastebin.com/m698077c3 krzie i took out almost all the comments, this is my servers config
19:36 < zealxy> hmm
19:36 < krzie> is it really too much to ask that you remove them all for pastebin NetAffect ?
19:36 < krzie> NetAffect why are you using tap?
19:37 < NetAffect> i shouldn't be using tap?
19:37 < krzie> not if you cant tell me why you are
19:38 < krzie> http://pastebin.com/m1d53ef6b
19:38 < krzie> THERE is what your server config paste should have come to me looking like
19:38 < krzie> make the client config look like that when you paste it
19:38 < NetAffect> ok
19:38 < krzie> theres no reason i should have to look over 100 lines to see 15 lines that matter
19:38 < NetAffect> heh
19:39 < NetAffect> i remember reading that tun was for ip and tap was for ethernet
19:39 < krzie> correct
19:40 < krzie> and the rest of your config is routed config
19:40 < krzie> meaning theres only 1 possible advantage to your config, which you dont know about so you have no reason to do it
19:40 < NetAffect> ok i shall put it back to tun
19:40 < krzie> i say you dont know about it because you would have given that as your answer
19:40 < NetAffect> network browsing and such?
19:40 < krzie> since its not what you need, you are wasting the overhead of xfering ethernet frames
19:41 < NetAffect> ok
19:41 < krzie> no, you would need to bridge or run a WINS server for that
19:41 < NetAffect> oh
19:41 < krzie> tap would be needed for a bridge, but tap + routed setup wont cut it for that
19:42 < krzie> zealxy hows the bw graph with scp
19:43 < zealxy> dunno, exactly, but scp without tunnel is like 30Mbit
19:44 < NetAffect> ok i put it to tun and started it again
19:45 < NetAffect> what do i type at the client to test it?
19:46 < krzie> huh?
19:46 < NetAffect> how do i ping the server?
19:47 < krzie> umm, with ping
19:47 < krzie> i dont get the questioj
19:47 < krzie> n
19:47 < NetAffect> oh do i type like ping 10.8.0.2 ?
19:47 < krzie> is your server 10.8.0.2?
19:47 < krzie> (no)
19:47 < NetAffect> actually it says this
19:48 < krzie> do you plan on pasting the client config?
19:48 < NetAffect> oh i thought it was maybe 10.8.0.4
19:48 < krzie> !/30
19:48 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
19:48 < NetAffect> ok
19:48 < theDoc> krzie: Is there a !trigger for upgrading yet?
19:48 < dan__t> WHAT
19:48 < krzie> for upgrading?
19:49 < theDoc> Say, from an old version of openvpn to a newer one.
19:49 < krzie> just upgrade
19:49 < krzie> * will work
19:49 < theDoc> ah, ok.
19:49 < krzie> you'll get more options, but the old stuff works fine
19:49 < krzie> unless you use scripts, then you may need to use --script-security
19:49 < krzie> but the logs would have told you about that
19:50 < theDoc> nah, no scripts atm
20:02 < NetAffect> http://pastebin.com/m4360747 this is what i see at the client now
20:06 < krzie> NetAffect, you plan on continuing to give me everything except what i ask for?
20:06 < krzie> i asked for server logs and client config
20:06 < krzie> so i get client logs again
20:06 < NetAffect> ok let me get it sorry
20:06 < krzie> np
20:06 < krzie> #
20:06 < krzie> Sun May 24 20:46:43 2009 UDPv4 link remote: 10.8.0.2:1194
20:06 < krzie> i have a feeling your client config is fubar'ed
20:07 < krzie> but ill tell you about that after you paste it
20:13 < NetAffect> http://pastebin.com/m6e5dc056 ok here's the clients config
20:17 < krzie> *sigh*
20:17 < NetAffect> what?? :)
20:17 < krzie> ill ignore the comments since theres few
20:17 < NetAffect> oh sorry heh
20:17 < krzie> remote 10.8.0.4 1194
20:18 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
20:18 < krzie> what do you think this line does
20:18 < NetAffect> tells the address of the remote server?
20:18 < krzie> tells the client where to connect to
20:18 < NetAffect> ok
20:18 < krzie> http://pastebin.com/m7773e1dc <-- that is what i wanted
20:19 < NetAffect> ok
20:19 < krzie> i assume you are only using the addresses 10.8.0.x inside the vpn... am i right
20:19 < krzie> ?
20:19 < NetAffect> yeah
20:20 < NetAffect> we have a subnet that is 192.168 should i be using that?
20:22 < NetAffect> oh i should be using my 192 address shouldn't i?
20:28 < NetAffect> hey i put my 192.168 address in there and now i can ping 10.8.0.1 :) woo hoo
20:30 < NetAffect> how do i use this connection now?
20:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
20:44 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
20:47 < NetAffect> i see remote 10.10.10.103, etc...
for examples for the remote statements
20:51 < NetAffect> just wondering how come i needed my 192.168 address
21:25 < NetAffect> Sun May 24 22:10:05 2009 Common/192.168.1.3:4425 MULTI: bad source address from
21:25 < NetAffect> client [192.168.1.3], packet dropped
21:35 -!- tjz [n=tjz@bb116-15-73-8.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
21:35 < NetAffect> what do i do next?
21:36 -!- tjz [n=tjz@bb116-15-190-45.singnet.com.sg] has joined ##openvpn
22:37 -!- jeiworth_ [n=jeiworth@189.163.143.208] has joined ##openvpn
22:38 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 104 (Connection reset by peer)]
23:07 -!- lolmaus__ [n=lolmaus@lolmaus.static.corbina.ru] has quit []
--- Day changed Mon May 25 2009
00:05 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
00:05 -!- rofe [n=rofe@83.221.146.177] has joined ##openvpn
00:07 -!- gebura [n=nnnnnnnn@lescigales.org] has joined ##openvpn
00:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:28 -!- rofe [n=rofe@83.221.146.177] has quit [Read error: 113 (No route to host)]
01:29 -!- jeiworth_ [n=jeiworth@189.163.143.208] has quit ["No Ping reply in 90 seconds."]
01:35 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn
01:47 -!- master_of_master [i=master_o@p549D7D07.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:51 -!- master_of_master [i=master_o@p549D445D.dip.t-dialin.net] has joined ##openvpn
01:58 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 54 (Connection reset by peer)]
01:58 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
02:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:43 -!- fad_xxx [n=fad@95.84.1.13] has joined ##openvpn
02:53 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
02:56 -!- gebura [n=nnnnnnnn@lescigales.org] has quit [Remote closed the connection]
02:57 -!- gebura [n=nnnnnnnn@lescigales.org]
has joined ##openvpn
03:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:16 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)]
03:23 -!- gebura [n=nnnnnnnn@lescigales.org] has left ##openvpn ["Quitte"]
03:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
03:58 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:58 -!- womble [n=mjp16@sasquatch.hezmatt.org] has joined ##openvpn
05:02 < womble> !interface
05:02 < vpnHelper> womble: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
05:04 -!- smellynoser [n=ashley@87-194-183-38.bethere.co.uk] has quit ["leaving"]
05:05 < womble> I'm getting "write to TUN/TAP : Invalid argument (code=22)". Google is amazingly quiet on the subject. What little I can tell from the code doesn't mean much. Config/logs at http://pastie.org/488878. Any ideas for debugging or InstaDiagnosis?
05:16 < reiffert> womble: openvpn Version?
05:17 < womble> reiffert: 2.1rc11
05:17 < womble> Running on an x86_32 system, Debian Lenny, Atom N270 CPU.
05:18 < reiffert> ls -al /dev/net/tun
05:18 < womble> crw-rw-rw- 1 root root 10, 200 2009-05-24 18:56 /dev/net/tun
05:19 < reiffert> did it ever work before?
05:19 < womble> Not on *this* machine, but I've got others with the same config that are working fine.
05:20 < reiffert> chmod 644 /dev/net/tun
05:20 < womble> It's weird -- the only difference I can identify is the CPU architecture, of all things -- the working machine is x86_64, another Debian Lenny box.
05:22 < womble> No love on that, unfortunately.
05:25 < reiffert> decrease verbose level to 6, repaste logs please
05:29 < womble> OK
05:30 < womble> reiffert: Do you want the entire process log, from the start?
05:30 < reiffert> sure
05:33 < womble> reiffert: http://pastie.org/488894
05:35 < womble> reiffert: Found it. comp-lzo differences. Sorry for wasting your time.
05:36 < womble> *Weirdest* error message, though.
05:38 < reiffert> k
05:39 < reiffert> WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
05:51 -!- MRCUTEO [n=IRCLUNAT@124.13.94.169] has joined ##openvpn
05:54 < MRCUTEO> yo tjz
05:54 < MRCUTEO> u there mamen
05:54 -!- MRCUTEO is now known as mRCUTEO
05:56 < womble> reiffert: Yeah, don't know why I missed that initially. Producing EINVAL while writing to the tun device is an odd failure mode, though.
06:03 < reiffert> womble: another line of trouble is the one above the comp-lzo warning:
06:03 < reiffert> WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
06:04 < womble> Yeah, I've pounded on that one, too, but it doesn't completely kill the connection like the comp-lzo problem does.
06:40 < Bushmills> moinmoin
06:50 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:54 -!- mRCUTEO [n=IRCLUNAT@124.13.94.169] has quit []
07:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:25 < NetAffect> hello
07:25 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:15 -!- royalhort [n=stephen@82-69-169-148.dsl.in-addr.zen.co.uk] has joined ##openvpn
08:15 < royalhort> Hello - where does openvpn log to? I'm using stock packages on Debian
08:15 < royalhort> One of my users claims they can't get onto the vpn; I'm on the vpn box now, and would like to watch her try.
08:21 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:25 -!- smerz [n=daniel@83.160.155.152] has joined ##openvpn
08:31 < Bushmills> royalhort, grep log /etc/openvpn/server.conf
08:34 < royalhort> Bushmills: yes - looked there, expecting it to say it logs to syslog
08:34 < royalhort> That's what it says...
08:34 < royalhort> But I don't see any entries in syslog
08:34 < Bushmills> grep for "ovpn" in syslog, or maybe in daemon.log
08:36 < krzie> if it is started with --daemon it auto logs to syslog
08:37 < krzie> otherwise it outputs to screen
08:37 < krzie> it may also log to specific log file if --log is specified
08:37 < Bushmills> debian logs to file by default
08:37 < krzie> or to syslog under what you specify if you give --syslog
08:37 < Bushmills> only i'm not sure what file to, because i specified a log file in the config
08:38 < krzie> well should be easy enough to know, he just needs to check his config file
08:38 < Bushmills> krzee, i'm running debian.
08:38 < krzie> if it doesnt have --log --syslog and does have --daemon it is going through syslog
08:38 < krzie> werd, but debian only changes that by changing the logfile
08:38 < krzie> ovpn is the same in every os
08:39 < Bushmills> (and had logs in file also before i changed server config)
08:39 < krzie> err not the logfile, i meant by changing the config
08:40 < tjz> eg. openvpn server.conf --log=mylog.txt
08:40 < tjz> am i correct?
08:40 < krzie> best to specify full path
08:40 < krzie> and you cant just use openvpn file.conf unless the .conf is the ONLY thing given
08:41 < krzie> so youd need --config
08:41 < krzie> or you could put log=/path/to/logfile inside the config
08:41 < krzie> then you could use openvpn server.conf without --config
08:43 < tjz> cool
08:44 < tjz> is it :
08:45 < tjz> log "/path/to/logfile" inside the config ?
08:45 < tjz> or..
it is log=/path/to/logfile ?
08:45 < krzie> !man
08:45 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:46 < krzie> there is a place they explain that
08:46 < krzie> for every single command openvpn handles
08:46 < krzie> welcome to the manual
08:46 < krzie> ;]
08:46 < tjz> lol
08:46 < tjz> will investigate and report back
08:46 < tjz> hehehe
08:46 < tjz> meanwhile, gonna check some youtube vid :P
09:21 -!- jeiworth [n=jeiworth@189.177.125.126] has joined ##openvpn
09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:27 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn
09:29 < digii> Hi, after i confed the server and client conf and tried starting the server openvpn server.conf.. i got this error msg: http://pastebin.com/m816788e
09:29 < digii> can anyone help me with this
09:30 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:40 < krzie> #
09:40 < krzie> Mon May 25 16:25:21 2009 Cannot open /etc/openvpn/examples/easy-rsa/keys/dh2048.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
09:40 < krzie> you should edit your config file instead of using the default
09:41 < krzie> rc11 has known bugs, upgrade to rc16
09:41 < krzie> #
09:41 < krzie> Mon May 25 16:25:21 2009 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-pam.so '[/usr/lib/openvpn/openvpn-auth-pam.so] [login]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
09:41 < krzie> you will likely need a --script-security setting to use that, be sure to read up on that in the manual
09:41 < krzie> are you bridging? if so please say why
09:45 < digii> im bridging coz im just 1 nic
09:45 < krzie> you dont need to bridge for that
09:45 < krzie> i have no clue why people think that, you arent the first
09:46 < digii> i cont?
09:46 < digii> dont*
09:46 < krzie> no, you dont
09:46 < digii> hm
09:46 < digii> ok
09:46 < krzie> !tunortap
09:46 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
09:47 < digii> oh, so i might just redo it all?
09:47 < krzie> aye
09:47 < krzie> what is your goal?
09:47 < digii> its something im doing for school
09:47 < krzie> so just a basic vpn?
09:47 < digii> just to setup an openvpn server with ca and get it to work for 5 persons
09:48 < krzie> !sample
09:48 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
09:48 < krzie> you use freebsd?>
09:48 -!- scudette [n=mic@austra2173.lnk.telstra.net] has joined ##openvpn
09:48 < digii> im using a debian server
09:48 < digii> my friend is hosting it for me
09:48 < krzie> do you have a fbsd box to use for CA machine?
09:49 < krzie> if so you just portinstall ssl-admin, edit 1 file, and you have your 5 certs in no time at all
09:49 < krzie> much easier / nicer than easy-rsa which comes with ovpn
09:49 < scudette> hi - is p2p mode actually supported any more?
09:49 < krzie> sure
09:49 < scudette> there seem to be no documentation anywhere about it
09:50 < krzie> umm, theres simple examples in the manual
09:50 < digii> krzie: so if im not going to bridge it, i really dont change anything? just set a static ip and use tun?
09:50 < krzie> where do you expect the documentation scudette ?
09:50 < scudette> http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html
09:50 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net)
09:50 < krzie> digii, yes, tun is much easier to setup than tap
09:50 < scudette> perhaps
09:50 < krzie> scudette, see EXAMPLES there
09:51 < krzie> its not only documented, they hand you the entire setup
09:51 < digii> krzie: do u know anywhere there is some sort of howto setup tun working with openvpn?
09:51 < krzie> !howto
09:51 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:51 < scudette> it only says By default, OpenVPN runs in point-to-point mode ("p2p").
09:51 < krzie> !sample
09:51 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
09:51 < scudette> thats about the only mention on p2p mode
09:52 < krzie> Example 1: A simple tunnel without security
09:52 < krzie> On may:
09:52 < krzie> openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
09:52 < krzie> On june:
09:52 < krzie> openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
09:52 < krzie> that is a p2p setup without encryption
09:52 < krzie> Example 2: A tunnel with static-key security (i.e.
using a pre-shared secret)
09:52 < krzie> thats WITH encryption, static key
09:52 < krzie> also a p2p setup
09:52 < scudette> ok thanks
09:52 < krzie> Example 3: A tunnel with full TLS-based security
09:52 < krzie> also p2p
09:52 < scudette> i think i need to use p2p mode because the standard client/server is giving me a hard time
09:53 < scudette> of course - since p2p is default they dont mention it
09:53 < scudette> so searching for p2p doesnt hit :-)
09:53 < krzie> right =]
09:54 < krzie> the way to pick out p2p mode is no --server and just an ifconfig statement
09:54 < scudette> im trying to set up rip on the vpns
09:54 < krzie> although server mode can be used without --server its not common
09:54 < scudette> anyone try anything like that?
09:54 < krzie> plenty of people have, im not one of them tho
09:54 < krzie> the mail list archives should have info
09:54 < krzie> !mail
09:54 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
09:55 < scudette> thanks - i spent ages searching with google and found lots of questions
09:55 < scudette> no solutions
09:56 < krzie> np
09:56 < scudette> the problem seems to be with the weird tunnel end points that client/server mode make
09:56 < scudette> the server has a ptp x.x.x.1 -> x.x.x.2
09:56 < scudette> the client has x.x.x.6 -> x.x.x.5
09:57 < scudette> so when rip announcements come over the tunnel quagga thinks they come from a different subnet
09:57 < scudette> it gets confused
09:57 < krzie> you dont need it to be that way
09:57 < krzie> !/30
09:57 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
09:57 < krzie> !topology
09:57 < vpnHelper> krzie: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet
http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:57 < scudette> i found i needed to ifconfig tun0 netmask 255.255.255.0
09:58 < krzie> you just need to use topology subnet
09:58 < scudette> hmm ok
09:58 < krzie> =]
09:58 < scudette> thats v2.1?
09:58 < krzie> yes
09:58 < krzie> rc16 is latest
09:58 < scudette> ok i will need to recompile then
09:58 < krzie> 2.0.9 is like 4 yrs old
09:59 < scudette> yeah im using on embedded debian stable
10:00 < scudette> another question - with iroutes
10:00 < scudette> it seems that if you dont specify iroutes for the client, packets that go into the tun on the server end dont get forwarded
10:01 < scudette> i guess i just want everything that goes into the server tun interface to pop out the other side on the client
10:01 < scudette> and vice versa
10:01 < scudette> im looking for p2p mode right?
10:01 -!- jeiworth [n=jeiworth@189.177.125.126] has quit [Read error: 104 (Connection reset by peer)]
10:02 -!- jeiworth [n=jeiworth@189.177.24.155] has joined ##openvpn
10:03 < krzie> no iroute in p2p mode
10:03 < krzie> !iroute
10:03 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry.
Also see !route and !ccd 10:03 < krzie> you must use client/server for iroute 10:04 < scudette> i think i dont want iroute - because i want to handle my own routing with rip 10:04 < scudette> so looks like p2p is what im looking for 10:04 < scudette> i will give it a try tomorrow 10:04 < scudette> thanks for the help :-) 10:04 < krzie> iroute isnt routing 10:04 < krzie> its internal to openvpn 10:04 < scudette> yeah i understand that 10:04 < krzie> ok 10:05 < scudette> its the way openvpn knows which tunnel to direct packets to based on the clients which connect on the other end 10:05 < krzie> but ya i believe you're right 10:05 < krzie> you'll need p2p 10:05 < krzie> oh and please please 10:05 < krzie> if you get it working how you want 10:05 < krzie> please come back and put it on the wiki 10:05 < krzie> !wiki 10:05 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 10:05 < krzie> i wrote !route 10:05 < krzie> !route 10:05 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:05 < krzie> ecrist wrote everything else on the wiki 10:05 < scudette> yeah - trust me with the amount of googling ive been doing i wished someone else did that 10:06 < krzie> it would be AWESOME if you could make a lil howto for rip 10:06 < krzie> on the wiki 10:06 < scudette> thanks i will try 10:06 < krzie> sweet 10:06 < krzie> much appreciated 10:07 < scudette> cool - thanks for your help - might need it along the way :-) 10:07 < krzie> np =] 10:07 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:11 -!- fad_xxx [n=fad@95.84.1.13] has quit [Read error: 54 (Connection reset by peer)] 10:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:42 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 10:43 < digii> krzie: how do i do if im not using bridged then? 
is there nothing to change really? 10:43 < digii> just install openvpn set the right ip in the conf and so? 10:46 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 10:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:53 < krzie> if by right ip you mean in remote option for client config, yes 10:54 < krzie> of course, that is only if you want the clients to reach the server machine over the vpn 10:54 < krzie> many people have other goals such as reach the lan behind server 10:54 < krzie> or reach inet through server 10:54 < krzie> but for basic setup, you are correct 10:55 < krzie> with --client-to-client in the server config note that the packets will never pass through the kernel when going from 1 client to another 10:55 < krzie> which means you cant use firewall rules on them 10:55 < krzie> so that must be disabled if you want to set policies for that stuff 10:57 < digii> ok =) 10:58 < digii> dont have such goals as to reach the lan behind the server, just want a normap vpn 10:58 < digii> normal* 10:58 < digii> then i dont need to change anything regarding the bridges and so, just install and config openvpn? 11:02 < krzie> correct 11:02 < krzie> basically, if thats your only goal, just use my samples and setup certs 11:02 < krzie> then gen your static key with !hmac and your dh files with !dh 11:02 < digii> aah =) 11:02 < krzie> err dh file 11:03 < digii> ? 11:03 < krzie> just type !hmac and !dh 11:03 < digii> hehe 11:03 < digii> k 11:03 < krzie> (here) 11:03 < digii> !hmac 11:03 < vpnHelper> digii: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 11:03 < digii> ??
11:03 < vpnHelper> digii: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 11:04 < krzie> =] 11:05 < digii> !dh 11:05 < vpnHelper> digii: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 11:05 < digii> !sample 11:05 < vpnHelper> digii: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 11:18 -!- jeiworth_ [n=jeiworth@189.177.24.155] has joined ##openvpn 11:18 -!- jeiworth [n=jeiworth@189.177.24.155] has quit [Read error: 54 (Connection reset by peer)] 11:26 < digii> krzie: in your server.conf, there is a client-config-dir is that the dir where client.conf is? 11:26 < digii> coz mine is just in openvpn/ 11:26 < digii> same as server.conf 11:28 < digii> and what is that ta.key 0 and in client.conf ta.key 1? :S 11:29 < digii> i dont have any of those 11:29 -!- c64zottel [n=hans@p5B17B335.dip0.t-ipconnect.de] has joined ##openvpn 11:35 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 11:36 < krzie> you can remove that line for client-config-dir 11:36 < krzie> ta.key you saw when you typed !hmac 11:37 < krzie> it must be the same file on server as all clients 11:37 < krzie> its a tls static key for hmac signatures 11:37 < krzie> not mandatory, but recommended 11:37 < krzie> !ccd 11:37 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 11:37 < digii> so if i dont want it i can comment it out?
11:37 < krzie> correct 11:37 < digii> ah 11:37 < krzie> might as well have it there 11:37 < krzie> impress the teacher ;] 11:37 < digii> !hmac 11:38 < vpnHelper> digii: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 11:38 < vpnHelper> digii: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 11:38 < krzie> openvpn --genkey --secret ta.key 11:38 < krzie> then have that same exact file on the clients and server 11:38 < digii> ah =) 11:38 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 11:38 < krzie> xfer it over secure channel tho 11:38 < krzie> like sftp 11:39 < NetAffect> oh man i have to keep working on this connection thing i found out today 11:39 < krzie> NetAffect, remote should specify the real ip of the server 11:39 < krzie> you were trying to reach it on non-existent ips 11:39 < NetAffect> oh 11:39 < NetAffect> oh wow cool 11:40 < krzie> which should be pretty obvious if you read --remote in the manual 11:40 < digii> krzie: but why is there a "0" after ta.key in server, and a "1" in client? 11:40 < NetAffect> yeah i got it up, can ping it, but can't get it to work 11:40 < krzie> NetAffect define "work" 11:40 < krzie> digii, direction for encryption 11:40 < NetAffect> why can't i map like \\10.8.0.1\\share ?
11:40 < NetAffect> er one \ i mean doh 11:40 < krzie> you can 11:41 < digii> ah, so just keep it there then+ 11:42 < krzie> digii, correct 11:42 < krzie> digii, for any of those options, the manual gives full explanation 11:42 < krzie> !man 11:42 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 11:43 < krzie> anything that can be specified on commandline can be specified in config by dropping the -- 11:43 < krzie> (which it mentions in the manual too) =] 11:44 < krzie> NetAffect, you can... if you use samba see that it is setup to allow the vpn subnet to connect if that needs to be done 11:44 < krzie> i dont use windows filesharing but i know NFS would require that 11:45 -!- cherwin [n=cherwin@ip56583c1f.direct-adsl.nl] has joined ##openvpn 11:46 -!- cherwin [n=cherwin@ip56583c1f.direct-adsl.nl] has left ##openvpn [] 11:56 < digii> krzie: sorry to disturb u again, but i got an error when i tried to start the server: http://pastebin.com/m7466dde7 the error is the bottom 2 lines 11:57 < digii> might it be because i in server.conf at "local" added the ip of the server :S 11:59 < krzie> is 192.168.0.50 the ip of the NIC?
11:59 < digii> yea 11:59 < digii> eth0 11:59 < krzie> local is the ip to bind to, must be a listening device 11:59 < krzie> in that case you are already running openvpn 11:59 < krzie> kill the old one before starting the new one 12:00 < digii> what should i change it to :S 12:00 < krzie> same type of error you'd get with any service 12:00 < krzie> ie: if you tried to start sshd when its already running, it'll give you an error that it cant bind to address and die 12:01 < krzie> if thats the address your nic listens on you shouldnt change it at all 12:01 < krzie> you should just kill the old openvpn process 12:01 < krzie> ps auxw|grep openvpn 12:01 < digii> there is no openvpn process running 12:01 < krzie> show me the output of these: 12:01 < krzie> ps auxwww|grep openvpn 12:01 < krzie> ifconfig -a 12:02 < krzie> (pastebin) 12:02 < digii> http://pastebin.com/m649b2991 12:02 < digii> should i have a virtual eth1 or something? 12:02 < reiffert> ps auxwww | [o]penvpn | wc -l <- is that 0 or 1? 12:03 < reiffert> damn. 12:03 < reiffert> ps auxwww | grep [o]penvpn | wc -l <- is that 0 or 1? 12:18 < digii> krzie: did u see my pastebin? 12:21 < theDoc> I think I just found a hacked nix box. 12:23 < theDoc> reiffert: I believe that's a L in lower case. 12:29 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit [Read error: 104 (Connection reset by peer)] 12:42 -!- tekk [i=mike@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has joined ##openvpn 12:43 < Bushmills> theDoc, i suppose he meant "what's the output of executing this command" 12:43 < tekk> hey guys, does openvpn support concurrent connections to >1 vpn servers? 12:43 < theDoc> ah. 12:44 < Bushmills> tekk, there's a way to do connection balancing, if that qualifies 12:45 < reiffert> tekk: one client instance per connection. 
12:45 < Bushmills> hi limpfoot 12:46 < reiffert> still walking carefully 12:47 < tekk> i mean, i have 2 servers, i want to connect to them both at the same time from 1 client, is this possible? they are on different subnets 12:48 < reiffert> tekk: 12:48 < reiffert> tekk: one client instance per connection. 12:48 < Bushmills> "at the same time" not to my knowledge 12:50 < krzie> digii, could you possibly not be starting openvpn as root? 12:50 < krzie> cause its either that or you have openvpn running already 12:50 < krzie> netstat -l|grep 1194 12:51 < krzie> in fact nevermind on the root thing, you have openvpn running already 12:52 < Bushmills> krzee, "* digii has quit " 12:52 < krzie> doh my bad 12:52 < krzie> what a quitter! 12:52 < krzie> ;] 12:52 < Bushmills> no, it is fun listening to you 12:52 < krzie> hah 12:54 < Bushmills> reiffert, i stuck some ginger into soil today. if prices don't go down, i'm going to use my own. 12:55 < reiffert> I have no idea what my ginger is doing beneath surface .. 12:55 < Bushmills> growing, i hope 12:55 < Bushmills> or fertilizing, by decomposing 12:55 < reiffert> hope so too, above surface is just some green weed 12:56 < krzie> mmmm, weed 12:56 < reiffert> :) 12:56 < Bushmills> 3.5 hours over time here 12:56 < reiffert> need a time machine? 12:56 < Bushmills> it's past ten to eight already 12:57 < reiffert> and you are waiting for..? 12:57 < Bushmills> hm. 3.5 hours ago it was about 4:20 12:57 < krzie> =] 12:58 < krzie> so germany celebrates 420 too? 12:58 < Bushmills> i admit that was a complicated one 13:00 < Bushmills> krzee, i'm not sure how much the 420 has penetrated the local scene 13:01 < Bushmills> most of them seem to be more .. 
pragmatic 13:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:14 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn 14:15 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has joined ##openvpn 14:24 -!- xattack [n=enrique@rompope.fi-b.unam.mx] has quit ["leaving"] 14:25 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has quit ["leaving"] 15:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 15:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 15:23 -!- oc80z [i=oc80z@204.8.219.178] has joined ##openvpn 15:25 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has joined ##openvpn 15:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:30 < digii> hmm when im trying to start openvpn like "openvpn server.conf" i get : 15:30 < digii> Mon May 25 22:29:15 2009 us=432154 failed to find GID for group vpn 15:30 < digii> anyone know whats wrong there? 15:30 < krzie> you dont have a group named vpn but you told it to drop privs to group vpn 15:32 < digii> oooh 15:32 < digii> i commented out the user and group in the config 15:32 < digii> worked then 15:32 < krzie> right 15:32 < digii> or i think it works :D 15:32 < krzie> but you should tell it to drop privs 15:32 < krzie> just make sure you use a user/group that exists 15:32 < digii> now it halted after us=935588 Initialization Sequence Completed 15:33 < digii> is that correct? 15:33 < krzie> try actually reading everything 15:33 < krzie> then you can tell us if its correct 15:33 < digii> dont get any errors 15:33 < digii> =) 15:33 < krzie> then try pinging 10.8.1.1 from client 15:34 < digii> u mean i need to connect using vpn and ping it?
15:34 < krzie> pinging over the vpn is how you know it works 15:35 < digii> tun0 is atleast up on the server =) 15:35 < krzie> oh 15:35 < digii> and it has 10.8.1.1 15:35 -!- loca|host [n=tux@196.203.53.221] has joined ##openvpn 15:35 < loca|host> !howto 15:35 < vpnHelper> loca|host: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:36 < loca|host> how to install an openvpn server which behaves like a cisco vpn server ? 15:37 < krzie> !notcompat 15:37 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 15:38 < loca|host> thanks man 15:38 < krzie> np 15:40 -!- smerz [n=daniel@83.160.155.152] has quit ["Ex-Chat"] 16:02 < digii> hmm 16:02 < digii> when im trying to setup the client for openvpn i cant find vpn0.conf :S 16:02 < digii> why is that 16:02 < digii> :d 16:06 < krzie> maybe you didnt name the config file vpn0.conf 16:06 < krzie> do you plan on reading any docs at all? 16:06 < krzie> im thinking your teacher should give me your credit 16:07 < digii> yea ;) u probably should 16:07 < digii> but now im actually reading a doc 16:08 < digii> and it says "install openvpn just as u do with the server, and copy some stuff from the server, and then change some things in vpn0.conf 16:08 < krzie> lol 16:08 < krzie> thats not a doc, its a walkthrough 16:08 < digii> but the thing is vpn0.conf doesn't exist :D 16:08 < digii> yea, well ;) almost the same :D haha 16:08 < krzie> you used my sample configs right? 16:09 < krzie> the only thing you should need to change in the client config is the paths, make sure you drop permissions to a user that exists (which should have been 100% obvious) and the remote statement 16:09 < digii> yea sure 16:09 < krzie> (which should also be obvious) 16:10 < krzie> lets put it this way...
16:11 < krzie> if you take my sample configs, and lookup every command in them in the manual, you will understand everything you need to for your configuration 16:11 < krzie> the command being the first word in each line 16:12 < digii> hehe :P 16:13 < Bushmills> docs are for weenies who can't make sense of the provided sample configs 16:13 < Bushmills> :P 16:13 < krzie> and for the record, walkthroughs are nothing like docs 16:14 < krzie> docs are for understanding, walkthroughs are for people who want something to work without understanding it 16:14 < krzie> which leads people here wondering why nothing works 16:14 < krzie> Bushmills =[ 16:14 < Bushmills> if should have put tags around 16:14 < krzie> ;] 16:14 < dan__t> mmmm bushmills 16:15 < Bushmills> http://photo.verhau.de/drink/bushmills.jpg 16:16 < krzie> haha whats in the glasses? 16:16 < krzie> if i met you with your eyes lookin like that ild be scared of you i think, and i dont scare easily :-p 16:17 < Bushmills> methanol spiked stale beer 16:17 < krzie> ewww 16:19 < digii> !sample 16:19 < vpnHelper> digii: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:23 -!- loca|host [n=tux@196.203.53.221] has quit [Read error: 113 (No route to host)] 16:26 -!- loca|host [n=tux@196.203.53.221] has joined ##openvpn 16:26 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has joined ##openvpn 16:29 < krzie> lucky fugger 16:29 < krzie> i wish i could have fios =[ 16:31 < Bushmills> because of service integration, or of fiber? 16:33 < krzie> cheap BW (fiber) 16:33 < Bushmills> yes. cheaper than dsl, here, too. 16:34 < Bushmills> 30 mbit + flat telephone is about 40 $ p.m. I'm on 6 mbit, for promotional 20 $ p.m for period of 1 year. 16:35 < krzie> p.m? 
16:35 < Bushmills> per month 16:35 < krzie> ahh 16:36 < krzie> shiet 16:36 < krzie> i pay ~90 usd /mo for 1.5 mbit down 16:36 < krzie> 768 up 16:36 < Bushmills> rather expensive 16:36 < Bushmills> even in ireland (which i found steep prices) i paid less 16:37 < krzie> ya 16:37 < Bushmills> (65$ for 3 mbit down) 16:37 < krzie> sux 16:37 < krzie> oh and thats not including taxes + cheapest phone plan 16:37 < krzie> thats the actual advertised rate 16:38 < digii> hehe :D now i only get connection refused when trying to connect :D 16:38 < digii> i consider that a big step D. 16:38 < digii> haha 16:40 < Bushmills> approaching 1 $ per mbit/sec per month now, which i find fair price 16:40 < krzie> wow, i find that more than fair 16:42 < Bushmills> but temperatures here aren't tropical 16:43 < Bushmills> well, maybe today it was. 16:43 -!- NetAffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has quit [Read error: 110 (Connection timed out)] 16:53 -!- c64zottel [n=hans@p5B17B335.dip0.t-ipconnect.de] has quit ["Leaving."] 16:54 -!- loca|host [n=tux@196.203.53.221] has quit ["./configure pasta; make pranzo; make install sex"] 16:57 -!- jeiworth_ [n=jeiworth@189.177.24.155] has quit [Read error: 110 (Connection timed out)] 16:57 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Read error: 110 (Connection timed out)] 17:02 < digii> krzie: when i can ping 10.8.1.1 from my client after connected to the server 17:02 < digii> the vpn tunnel is a success? 17:07 < dan__t> Hello. 17:09 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:48 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 18:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 18:43 < krzie> krzie: when i can ping 10.8.1.1 from my client after connected to the server 18:43 < krzie> the vpn tunnel is a success?
18:43 < krzie> yes, if you can ping over the tunnel you have a vpn 18:43 < digii> ah sweet =) 18:44 < digii> then it actually works :D 18:45 < Bushmills> digii, running traceroute or mtr to the other end may be more informative 18:45 < digii> thats true 18:45 < krzie> Bushmills, how so? 18:45 < Bushmills> (by showing that the server appears to be local 18:45 < Bushmills> ) 18:46 < krzie> oh ok 18:46 < Bushmills> rather than all the hops away, when connecting non-vpn 18:46 < krzie> i guess i just take that as given, but ya i guess you're right 18:47 < digii> yea, but if im not connected i cant ping the ip, get no response, but when i fire it up, i can =) so thats some sort evidence it works =) i guess 18:49 < krzie> and the fact that that ip only exists in the vpn 18:50 < digii> yea =) 18:50 < digii> tried traceroute 18:50 < digii> that doesn't give me anything except 1 hop 18:50 < digii> and thats normal coz im in the same net 18:50 < krzie> right, thats why Bushmills said to do it 18:51 < digii> =) 18:51 < krzie> it would be 1 hop if the computers were across the world 18:51 < digii> yea 18:52 < digii> as default no traffic goes through vpn right? 18:52 < digii> thats for me to configure 18:52 < krzie> i asked your goal 18:52 < digii> yea i know =) 18:52 < krzie> you said only to have a vpn 18:52 < digii> yes =) 18:52 < digii> it is =) 18:52 < digii> just wondering 18:52 < krzie> any traffic headed for vpn ip goes over vpn 18:54 < digii> yup =) yea, the goal isnt to get all traffic over vpn 18:54 < neteffect> krzie did u ever use hamachi? 18:54 < krzie> no 18:54 < digii> just be able to access the vpn and the other users using vpn 18:54 < digii> and right now it works =) 18:55 < neteffect> can i bridge two networks with openVPN? 18:55 < krzie> yes 18:55 < krzie> why do you want to? 18:56 < neteffect> i want to access the two Adaptec Snap Servers at work, behind an embarq cable modem/router thing. 18:56 < krzie> using samba?
18:56 < neteffect> and im behind fios modem/router 18:57 < neteffect> files are on this device http://www.practicallynetworked.com/review.asp?pid=668 18:57 < vpnHelper> Title: Adaptec Snap Server 210 - PracticallyNetworked.com (at www.practicallynetworked.com) 18:57 < krzie> using samba? 18:57 < neteffect> um 18:57 < neteffect> no? 18:57 < krzie> what protocol for accessing...? 18:57 < neteffect> i wanted vpn 18:58 < krzie> bleh 18:58 < krzie> you access files on the snap server, right...? 18:58 < neteffect> yes 18:58 < krzie> using what protocol? 18:58 < neteffect> it's a local ethernet network 18:58 < krzie> in other words you have no clue what protocol 18:59 < neteffect> dang 18:59 < krzie> right? 18:59 < Bushmills> s/protocol/service/ 19:00 < krzie> if you were to sniff your traffic while grabbing files from the snap server, what port would it be using? 19:00 < neteffect> 1194? 19:00 -!- digii [n=digii@81-235-171-229-no44.tbcn.telia.com] has quit ["Lost terminal"] 19:00 < Bushmills> grin 19:00 < krzie> umm, no that port is reserved for openvpn 19:00 < krzie> lol 19:01 < krzie> immediately accessible through Windows file sharing, Apple file sharing, and anonymous FTP. 19:01 < krzie> there 19:02 < krzie> i officially know more about it than you now :-p 19:02 < krzie> which of those 3 do you plan on using? 
19:02 < krzie> SMB, AFP, FTP (in order from above) 19:02 < neteffect> the windows yeah 19:02 < krzie> ok, you dont need to bridge 19:02 < krzie> you need a WINS server 19:03 < krzie> but for your question, yes openvpn can bridge 19:03 < krzie> !bridge 19:03 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses. 19:03 < vpnHelper> krzie: (but not samba, see !wins) 19:03 < krzie> !wins 19:03 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 19:03 < Bushmills> sounds sort of threatening 19:04 < Bushmills> maybe because i pronounce it like "wince" 19:04 < neteffect> heh 19:04 < krzie> lol 19:04 < krzie> smb in general makes me wince 19:06 < Bushmills> "see, I've ass" they call it now 19:11 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:23 < krzie> oh and you can also access it by IP with no wins and no bridge 19:23 < krzie> with a very simple tun setup 19:23 < neteffect> really? 19:23 < neteffect> neato 19:24 < neteffect> what chapter is that? 
19:24 < krzie> wins is only to translate netbios name and ip, much like a nameserver for netbios 19:24 < neteffect> oh 19:24 < krzie> so if you just want access to the files and dont need to browse the network / access by netbios name, you need nothing special 19:25 < krzie> you can set up the network to automatically map those network drives too 19:25 < krzie> which makes life pretty easy 19:29 < neteffect> ok 19:29 < krzie> !sample 19:29 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:29 < krzie> thats a basic tun setup 19:30 < neteffect> excellent 19:30 < krzie> then, is your snap stuff behind the server or client? 19:30 < krzie> because you have 1 more step to share that lan with the vpn 19:30 < neteffect> adaptec snap server 210 is a raid server 19:31 < krzie> is it on the same lan as the vpn client or server 19:31 < neteffect> it sits on the network with other machines 19:31 < neteffect> the vpn server, yes, that is to say the 210 is on the same network as the vpn server 19:33 < krzie> ok 19:33 < krzie> and what subnet is that lan? 19:33 < krzie> ie: 192.168.10.x 19:33 < neteffect> i don't remember, i see again tomorrow 19:34 < krzie> will you be using clients in random locations?
(road warriors) 19:34 < neteffect> yes this is what it's for 19:35 < krzie> make sure the server's lan isnt a common subnet like 192.168.1.x or 192.168.0.x 19:35 < neteffect> but i want to make it mapped and stuff for us, there's 2 of us now soon to be more 19:35 < krzie> if it is, change it 19:35 < neteffect> ok 19:35 < krzie> lets say for fun that it is 192.168.10.x 19:35 < neteffect> hehe 19:35 < krzie> the server would have this in its config: 19:36 < krzie> push "route 192.168.10.0 255.255.255.0" 19:36 < neteffect> ok 192 is the destination and 255 is the mask 19:37 < krzie> the router on the servers network will need to know that all packets headed for vpn network (in my sample thats 10.8.1.0 255.255.255.0) must go to VPN server's lan ip 19:37 < krzie> if the vpn server is the router for its lan you can ignore that 19:37 < neteffect> no it's not :/ 19:37 < krzie> and boom, thats your whole setup 19:37 < neteffect> it's just gonna be some box cuz the snaps are just nas 19:37 < krzie> if you dont understand why that route is needed on the router then type !route and read what i wrote under the network diagram 19:38 < neteffect> ok 19:38 < krzie> where it says "ROUTES TO ADD OUTSIDE OPENVPN" 19:38 < neteffect> !route 19:38 < vpnHelper> neteffect: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:52 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 19:55 < neteffect> hey krzie this was written by you? cool 19:55 < krzie> yup 19:57 -!- jeiworth_ [n=jeiworth@189.163.143.208] has joined ##openvpn 19:58 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Read error: 104 (Connection reset by peer)] 20:01 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn 20:02 < tob79> hey all.. anyone from Denmark ?? 20:04 < Bushmills> tob, i know a danish person. so, the answer is "yes". at least one.
20:04 < krzie> ya i was thinking they prolly had at least a million people there 20:04 < krzie> but definitely more than 1 20:04 < tob79> :-) oki 20:05 < tob79> anyone that have experience in a install on win xp ?? 20:06 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 20:06 < krzie> tob79, why dont you skip straight to your real question 20:06 < Bushmills> tob, microsoft has sold millions. therefore, at least one person has, yes. 20:10 < tob79> I am looking for someone to set up openvpn on a box I have ... dont know how much work it is ??? 20:10 < womble> Usually only a few minutes. 20:10 < neteffect> hmmm server.conf 20:10 < krzie> its actually not very hard, if it wasnt windows ive been known to do those setups for cheap 20:11 < krzie> im sure someone here would be willing to do it for you cheap 20:12 < Bushmills> tob79, you'd set up vpn in security sensitive environments. why would you trust anybody here? 20:12 < tob79> oki .. what would be an ok price for the few minutes :-) 20:12 < krzie> its not so much a few minutes, it took whoever you pay a lot longer than a few minutes to learn what they will be doing 20:13 < krzie> Bushmills, i trust you to work on his network ;] 20:13 < Bushmills> krzie, you're more experienced to set openvpn installations up. 20:14 < tob79> yes I know it takes skills .. and that has taken a lot of work .. 20:14 < krzie> i havnt used windows in years, and im on such a slow link i cant use remote desktop 20:14 < tob79> krzie -- oki 20:15 < krzie> but the vpn side is simple 20:16 < Bushmills> krzie, my last windows installation was the one which came integrated with os/2 20:19 < neteffect> server.conf is different than server.ovpn ? 20:21 < neteffect> i didn't have a server.conf before 20:23 < neteffect> my printer is so slow 20:27 < tob79> any one that will conf a install on a win xp box ... can pay some over paypal...
20:35 < tob79> If I want to be able to run LAN games and stream from a shared folder it has to be Ethernet Bridging right ?? 20:35 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 20:37 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:37 -!- tob79 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn [] 20:41 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:56 < neteffect> iroute ok 21:07 < krzie> neteffect extensions (.conf .ovpn) dont matter in unix 21:07 < krzie> in windows the .ovpn extension is used by openvpn for configs 21:08 < neteffect> so they are the same? 21:08 < krzie> yes 21:08 < neteffect> ok 21:08 < krzie> ovpn is for configs 21:08 < krzie> .conf i would assume is for a config 21:08 < neteffect> its the article u wrote heh 21:08 < krzie> i dont use windows 21:08 < krzie> but i was trying to help you use common sense ;] 21:09 < neteffect> ok 21:17 < neteffect> ccd? heh 21:20 < neteffect> where are these ccd directories? on the server or the client? 21:21 < krzie> !ccd 21:21 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 21:21 < neteffect> oh 21:21 < krzie> so the dir is on the server 21:22 < neteffect> oh 21:32 -!- tjz [n=tjz@bb116-15-190-45.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 22:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:00 < dan__t> hrm....... 23:01 < dan__t> Anyone really familiar with openvpn gui under Windows?
I'm trying to somehow capture the username/password that the client would type in when using auth-user-pass-verify 23:04 < dan__t> I see a few forum posts and stuff by people wanting to know if this is possible, but no answers on the subject, which leads me to believe that it is not possible 23:06 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn 23:09 < lazin> Is it possible to set up an openvpn server and let clients connect to it.. and then browse network shares and play lan games ??? 23:10 < dan__t> Why wouldn't it be? 23:12 < lazin> just read something about the types of servers there are ... routing or etherchannel I think 23:12 < dan__t> routed or bridged 23:13 < lazin> yes 23:13 < dan__t> either would accomplish the goal of being able to browse shares and play lan games. 23:13 < lazin> oki tnx.. 23:14 < lazin> then I just need someone to set it up on my xo box ;.) 23:15 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn [] 23:19 < dan__t> Pussy.
23:25 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"] 23:26 -!- tjz [n=tjz@219.74.242.146] has joined ##openvpn 23:58 -!- fad_xxx [n=fad@95.84.1.13] has joined ##openvpn --- Day changed Tue May 26 2009 00:06 -!- jeiworth_ [n=jeiworth@189.163.143.208] has quit [Read error: 60 (Operation timed out)] 00:20 -!- sam_ [n=sam@222.66.224.110] has joined ##openvpn 01:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:30 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 01:37 -!- sam_ [n=sam@222.66.224.110] has quit [Remote closed the connection] 01:47 -!- master_of_master [i=master_o@p549D445D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:51 -!- master_of_master [i=master_o@p549D3433.dip.t-dialin.net] has joined ##openvpn 01:54 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has joined ##openvpn 01:54 < Skered> I think this is a client thing however I'll ask: Can you append DNS to the client's current DNS name servers? 01:55 < Skered> I see the --dhcp-option however I would expect this to overwrite the current DNS settings. 01:56 < Skered> I'm checking out tunnelblick's actions on Mac OS X and I guess it's handling these as foreign_options? 02:12 < reiffert> :/Applications/Tunnelblick.app/Contents/Resources/client.up.osx.sh 02:13 < reiffert> that script got some bugs: 02:13 < Skered> reiffert: Yeah 02:13 < reiffert> http://code.google.com/p/tunnelblick/issues/list 02:13 < vpnHelper> Title: Issues - tunnelblick - Google Code (at code.google.com) 02:14 < reiffert> Bug 8, 72 02:15 < Bushmills> Skered, appending is not too useful, given that the first is used for general resolving, and the next from the list only when the first times out.
02:16 < reiffert> Bushmills: Apple took some version of libc and implemented several features to the resolver part. 02:16 < reiffert> e.g. a nameserver per domain 02:17 < Bushmills> is that wise to rely on client characteristics, rather than solve that server side? 02:18 < reiffert> who does rely on client characteristics? 02:22 < Bushmills> when an OS X machine, on a network, gets instructed remotely to change setup of its local resolver in an OSX specific way, clearly that would work on OSX machines only. so the answer to your "Who" is probably, "those who set that up" 02:23 < Bushmills> i'm not sure whether you were asking me, your question sounds more like a poll :) 03:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 03:42 -!- ITguru [n=ITGuru@webfax.impactteachers.com] has joined ##openvpn 03:42 < ITguru> !logs 03:42 < vpnHelper> ITguru: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 03:44 < ITguru> !configs 03:44 < vpnHelper> ITguru: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:44 < ITguru> !interface 03:44 < vpnHelper> ITguru: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 04:33 < tjz> A woman has been arrested after she tied firecrackers to her boyfriend's penis whilst he was sleeping and set them off, as she was enraged that he turned down her offer of marriage.
04:34 < Bushmills> no wonder he turned her down 04:36 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 04:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:53 -!- fad_xxx [n=fad@95.84.1.13] has quit [Client Quit] 04:57 -!- royalhort [n=stephen@82-69-169-148.dsl.in-addr.zen.co.uk] has quit ["leaving"] 05:17 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["leaving"] 06:19 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:24 -!- JulienLanglois [n=juju@lord.phyrexia.org] has joined ##openvpn 06:27 < JulienLanglois> i have an issue with routing and openvpn, I'm trying to do that: http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html#lbBC 06:27 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 06:28 < JulienLanglois> this example is exactly what i want to do but i have more than only one client 06:28 < JulienLanglois> and i don't understand how this solution could work with 2 clients 06:28 < JulienLanglois> someone could try to explain to me please ? :) 06:31 < JulienLanglois> in fact i'm not sure to understand the "ifconfig" option on server side 06:42 -!- JulienLanglois [n=juju@lord.phyrexia.org] has quit [Read error: 104 (Connection reset by peer)] 06:58 -!- JulienLanglois [n=juju@lord.phyrexia.org] has joined ##openvpn 07:01 -!- JulienLanglois [n=juju@lord.phyrexia.org] has left ##openvpn ["Parti"] 07:12 < reiffert> Jameno123: 07:17 < ecrist> good morning, folks 07:20 < reiffert> !route 07:20 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:44 -!- ITguru [n=ITGuru@webfax.impactteachers.com] has quit ["Leaving"] 07:50 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 07:55 < theDoc> Has anyone managed to make an openvpn server bridge with an openswan server?
07:55 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 08:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 08:25 < ecrist> not i 08:36 < theDoc> ecrist: By that, you mean you've not tried it or you have never managed to get it working? 08:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:04 < ecrist> theDoc: I've not tried it 09:04 < ecrist> what is openswan? 09:14 < feinoM> openswan is an IPsec implementation for Linux 09:22 < ecrist> oh, well, OpenVPN != IPsec 09:24 < theDoc> ecrist: I've heard that people managed to interop them. 09:24 < theDoc> I'm wondering if anyone in here has tried that 09:28 < ecrist> theDoc: if openswan is IPsec, I really doubt it. 09:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 09:29 < theDoc> ecrist: I'll have to double check with that person again. 09:29 < theDoc> Hm 09:37 -!- TheDarkOne [n=tdo@70.52.124.124] has joined ##openvpn 09:38 < TheDarkOne> i'm trying to set up a second openvpn client on a windows machine, using the exact same config, key, and certs as a working config, i get an error of error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib, any obvious reasons for this? 09:38 < TheDarkOne> er ue May 26 10:31:27 2009 Cannot load private key file client.key: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib 09:39 < ecrist> TheDarkOne: it appears as though OpenVPN cannot find your private key file 09:40 < TheDarkOne> all the files are in the C:\Program Files\OpenVPN\config directory...
hmm 09:42 < TheDarkOne> ah ok i got it 09:42 < TheDarkOne> i had the .key on a webserver and i just did save link as, but the permissions on the file were wrong >.> 09:42 < TheDarkOne> thanks 09:42 -!- TheDarkOne [n=tdo@70.52.124.124] has quit [] 09:55 -!- jeiworth [n=jeiworth@189.134.9.4] has joined ##openvpn 10:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:37 -!- jeiworth [n=jeiworth@189.134.9.4] has quit [Read error: 104 (Connection reset by peer)] 10:39 < Jameno123> reiffert: thx but thats not what i was asking -- i want a hardware solution not a software one. 10:40 < Jameno123> the location isnt so great on linux, so it would be nice to have an embedded device there that i could just ship to them. 10:40 < Jameno123> w/o having to send an entire pc :( 10:45 -!- clyons_ [n=clyons@unaffiliated/clyons] has joined ##openvpn 10:48 -!- c64zottel [n=hans@p5B17AF77.dip0.t-ipconnect.de] has joined ##openvpn 10:59 < ecrist> Jameno123: what are you looking for? an OpenVPN embedded device? 
11:00 < Jameno123> yes 11:00 < ecrist> you can do that with any broadband router that has support for DD-WRT 11:00 < ecrist> or openwrt 11:00 < ecrist> http://blog.wtip.net/index.php/2009/03/24/openvpn-client-on-embedded-devices/ 11:01 < vpnHelper> Title: Openvpn client on embedded devices (at blog.wtip.net) 11:03 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 11:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:28 -!- clyons_ [n=clyons@unaffiliated/clyons] has quit ["Leaving"] 11:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:39 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:04 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 12:04 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 12:29 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [] 12:29 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:30 -!- cpm_ is now known as cpm 12:33 -!- jeiworth [n=jeiworth@189.134.9.4] has joined ##openvpn 12:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 12:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:45 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 12:55 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 13:14 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 13:52 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 13:57 < carpe_> hey guys, long time 13:57 -!- carpe_ is now known as plaerzen 14:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 14:07 < xp_prg> hi all, I am using the cert approach, it assigns a dynamic ip, but how can I assign a host name to that dynamic ip in a logical way? 
14:08 < ecrist> xp_prg: that's a loaded question 14:08 < ecrist> you'd need a shell script to do this, I think it's called client_connect or similar 14:08 < ecrist> there are a few env vars which are set for the execution of the script 14:09 < xp_prg> so openvpn will call that script upon a connection? 14:09 < ecrist> from there, you'd need to set a manual DNS update to set it accordingly 14:09 < ecrist> yes 14:09 < xp_prg> so that is a setting in the server.conf or something? 14:13 < ecrist> !man 14:13 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:13 < ecrist> it's covered there 14:13 < xp_prg> ok thanks 14:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 14:20 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:35 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 14:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:18 -!- smerz [n=daniel@smerz.demon.nl] has quit [Remote closed the connection] 15:26 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 15:29 -!- disco- [i=bnc@andromeda.h4xed.com] has joined ##openvpn 15:48 -!- c64zottel [n=hans@p5B17AF77.dip0.t-ipconnect.de] has quit ["Leaving."] 16:10 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 16:43 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 16:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:33 -!- jeiworth [n=jeiworth@189.134.9.4] has quit [Read error: 113 (No route to host)] 17:46 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn 17:57 < thomas_78> hey there ... any one up for conf. a win xp install .. 
need to be able to run lan games and use shares over it .. I am willing to pay of course. 17:58 < krzie> ill be busy for about 10min 17:58 < krzie> if nobody speaks up by then we'll talk 17:58 < thomas_78> oki tnx 18:07 * Bushmills hides 18:28 < thomas_78> krzie - still up for it ??? 18:53 < thomas_78> anyone up for conf. a win xp as server ... I am willing to pay of course ... 19:00 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:00 * Dougy waves 19:01 < Dougy> hello krzie krzee and ecrist 19:03 < tjz> hey guys 19:03 < tjz> anyone come across this error before? client side 19:03 < tjz> The requested address is not valid in its context. (code=10049) 19:04 < xp_prg> I have a weird problem where when a client connects via trusted cert I want to give them a dns name for the dynamic ip given, is there some easy way to do that anyone knows about? 19:06 < Bushmills> xp_prg, client-config-dir 19:06 < Dougy> !ccd 19:06 < vpnHelper> Dougy: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 19:07 < Dougy> allo Bushmills 19:07 < Bushmills> hi Dougy. dead man walking again :) 19:07 < xp_prg> oh ok! 19:07 * xp_prg hugs Bushmills 19:07 < Dougy> Bushmills, indeed 19:07 < Dougy> fever is awol 19:07 < Dougy> amen 19:07 < Dougy> :> 19:08 * Dougy chugs a beer 19:08 < xp_prg> Bushmills but how do I make the dns entry do you think? 19:08 < Bushmills> xp_prg, add an A record to zone 19:09 < xp_prg> oh wait, every dynamic client that connects will have the same cn 19:09 < xp_prg> but maybe I can make it work somehow 19:09 < Bushmills> using ccd, you can assign fixed ip addresses to clients 19:10 < xp_prg> but what happens when 2 clients with the same cn connect?
19:10 < xp_prg> an ip conflict would occur 19:10 < Bushmills> i assume their keys differ 19:11 < xp_prg> they don't 19:14 < thomas_78> any one up for conf. a win xp install .. need to be able to connect clients and run lan games and use shares over it .. I am willing to pay of course. 19:15 < Bushmills> xp_prg, update dns with client connect script, which can read assigned ip address from environment 19:17 < xp_prg> hmm... ok 19:18 < xp_prg> ok another weird question, I am connecting to a network and I want to get the ip address I am assigned on that network on a separate network adapter on the same box, can I pass an arg to my openvpn connect somehow? 19:19 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn [] 19:27 < krzie> lol he left right as i got back 19:28 < krzie> but what happens when 2 clients with the same cn connect? 19:28 < krzie> you shouldnt be allowing that 19:28 < krzie> unless you specifically allow it, its not allowed 19:29 < xp_prg> it is allowed in my current setup, standard config is used to scale 19:29 < xp_prg> krzie is there a way to send args to the client_connect script? 19:29 < xp_prg> from the client? 19:30 -!- disco- [i=bnc@andromeda.h4xed.com] has quit [Remote closed the connection] 19:30 < krzie> no 19:30 < krzie> what do you mean standard config is used to scale 19:30 < xp_prg> a base image 19:30 < krzie> i have no clue what you mean by that 19:31 < krzie> and if your current setup allows same cert to connect multiple times, you're doing it wrong 19:31 < krzie> !factoids search dup 19:31 < vpnHelper> krzie: No keys matched that query. 19:31 < krzie> !factoids search mult 19:31 < vpnHelper> krzie: "multi" is please see !iroute 19:31 < krzie> heh 19:32 < krzie> !forget multi 19:32 < vpnHelper> krzie: Joo got it.
19:33 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn 19:34 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn [] 19:35 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 19:36 < krzie> why do you have duplicate-cn 19:38 < Bushmills> !gingerbeer 19:38 < vpnHelper> Bushmills: Error: "gingerbeer" is not a valid command. 19:39 < xp_prg> well maybe a bind slave will work 19:39 < Bushmills> :( 19:40 < krzie> I have a weird problem where when a client connects via trusted cert 19:40 < krzie> I want to give them a dns name for the dynamic ip given, is there 19:40 < krzie> some easy way to do that anyone knows about? 19:40 < krzie> a specific dns name based on which client? 19:41 < krzie> or you just want dns for each ip that can be handed out 19:41 < krzie> or are you using pw-auth and thats why you allow duplicate-cn 19:41 -!- freysteinn [n=freystei@ailab-gw.ru.is] has joined ##openvpn 19:41 < freysteinn> Hello. 19:42 < krzie> greetings 19:42 < freysteinn> When I use the OpenVPN Auth-LDAP Plugin, is it possible for me to have per user keys? 19:42 < krzie> keys as in certificates? 19:43 < freysteinn> krzie: Yes. 19:43 < krzie> sure, you can auth based on certs AND pw no problem 19:43 < krzie> in fact its one less command for what you want than otherwise 19:43 < xp_prg> krzie a dns name for each ip handed out 19:44 < krzie> xp_prg then just setup all dns beforehand, if it doesnt need to be a special dns name for specific clients you have no reason to do it on the fly 19:44 < krzie> it just wont always match up to a specific user.. 19:44 < krzie> xp_prg are you using password auth, and thats why you allow everyone to use same cert? 19:44 < xp_prg> krzie how can I setup dns before hand, I don't know how many clients I will have 19:45 < xp_prg> no I am just using trust cert 19:45 < krzie> just setup dns for every ip 19:45 < freysteinn> krzie: Great, thanks for your help.
19:45 < xp_prg> krzie that is not efficient plus dns name will vary based on the type of client connecting 19:45 < krzie> np freysteinn 19:45 < krzie> xp_prg, your setup is highly flawed 19:45 < krzie> you should consider doing it right instead 19:46 < xp_prg> krzie I wish I understood why you think it is flawed, I don't dictate this approach 19:46 < xp_prg> an image is static and will simply load with a dynamic ip 19:46 < xp_prg> I can't do anything very custom to it beforehand 19:46 < krzie> because you're bypassing the security of certs by allowing different classes of users to use the same one 19:47 < krzie> i dunno who dictated it, but they dunno what they're doing 19:47 < krzie> the ONLY way you should have multiple users with same cert is if you use secondary auth 19:48 < krzie> like passwords 19:48 < xp_prg> the cert will not authenticate if it is not signed by the servers private key, how is that bad? 19:48 < krzie> thats not true 19:48 < krzie> learn how PKI works 19:48 -!- jeiworth [n=jeiworth@189.163.143.208] has joined ##openvpn 19:48 < xp_prg> wow I am confused now 19:48 < xp_prg> that is not true? 19:49 < krzie> it gets signed by the CA not the server 19:49 < freysteinn> Can I control using LDAP defined groups which networks the user will have access to?
19:49 < krzie> freysteinn kinda 19:49 < krzie> you can give them ips based on it with a --client-connect script 19:49 < krzie> and then firewall accordingly 19:49 < krzie> but dont use --client-to-client or the firewall won't be used 19:49 < krzie> !iporder 19:49 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 19:50 < ecrist> hello Dougy 19:50 < xp_prg> krzie right but that is enough to authenticate the client in itself 19:50 < krzie> sup eric 19:50 < krzie> joo seen i changed your pass and showed ya howto change it once identified? 19:51 < freysteinn> krzie: Thanks again. 19:51 < krzie> xp_prg, i have no clue how that applies to what i told you was wrong bout your setup 19:51 < krzie> freysteinn, np =] 19:52 < xp_prg> krzie if I don't use multiple clients my security is appropriate right? 19:52 < ecrist> krzie: you want your password? 19:52 < krzie> ecrist, yes pls =/ 19:53 < krzie> xp_prg, each user should have their own cert, which should never be shared with others 19:53 < krzie> then if one is leaked, you add it to a CRL 19:53 < krzie> once you do it that way, you can use internal static ips (see !static) 19:53 < xp_prg> krzie but if I am only using one client with one cert my security is right is it not?! 19:53 < krzie> if each person has their own cert, it is better 19:54 < xp_prg> yes just answer my question yes or no please 19:54 < ecrist> xp_prg: NO 19:54 < krzie> theres other things in ovpn that can be done for security as well, but what i said solves the problem i pointed out 19:54 < xp_prg> ecrist what is wrong with it? 19:55 < ecrist> it could be more secure.
19:55 < ecrist> krzie: told you what you could fix. fix it 19:55 < xp_prg> *sigh*, he said use passwords but only if I am multiple clients using the same cert 19:56 < xp_prg> if I have only one client using one unique cert I don't need that right? 19:56 < ecrist> each client should have their own cert 19:56 < krzie> correct 19:56 < krzie> once each client has their own cert, you fixed the problem 19:56 < xp_prg> well I am using aws 19:56 < krzie> then you can give them static internal ips 19:56 < xp_prg> there is dynamic scaling 19:56 < krzie> krzee 19:56 < xp_prg> it violates your approach all together krzie 19:57 < krzie> well 19:57 < krzie> it violates proper security too 19:57 < xp_prg> I am open to suggestions 19:57 < xp_prg> I am constrained by aws 19:57 < krzie> i have no clue what aws is 19:58 < xp_prg> Amazon web services 19:59 < freysteinn> What would you recommend if I have many networks behind my VPN and some users need access to a few of them at the time. If I have 10 networks, then I would need 3628800 IP ranges and rules. 20:00 < xp_prg> freysteinn that is what I am trying to solve right now too 20:00 < xp_prg> you have to create dynamic dns entries 20:01 < freysteinn> xp_prg: Do I then create rules from them? 20:01 < ecrist> freysteinn: then create 3628800 proper rules 20:01 < xp_prg> freysteinn you create a dynamic dns entry for the new client that connects 20:01 < ecrist> OR, *gasp*, fix your damn config 20:01 < xp_prg> then everyone can see it 20:03 < freysteinn> xp_prg: Can I restrict which users can access which networks that way? I'm not sure I'm following you. 20:05 < xp_prg> that is a tough question, can iptables rules deny based on dns name? 20:05 < xp_prg> I bet they can 20:05 < Dougy> who rang 20:05 < Dougy> hello ecrist bud 20:06 < krzie> freysteinn dont listen to him, lol... ill help ya in a sec ;] 20:07 -!- johny-b-goode [n=bobby@adsl-76-249-227-12.dsl.rcsntx.sbcglobal.net] has joined ##openvpn 20:07 < johny-b-goode> Hello People.
20:08 < krzie> ok im back 20:08 < johny-b-goode> I am having an issue connecting with OpenVPN after following the wiki for gentoo. 20:08 < krzie> I have a weird problem where when a client connects via trusted cert 20:08 < krzie> I want to give them a dns name for the dynamic ip given, is there 20:08 < krzie> some easy way to do that anyone knows about? 20:08 < krzie> damn, misfire 20:08 < krzie> freysteinn, how many clients do you expect? 20:08 < johny-b-goode> it says warning: no server certificate verification method has been enabled. 20:08 < freysteinn> krzee: Not that many 10-40. 20:08 < krzie> johny-b-goode instead of following some wiki, see the openvpn howto 20:09 < krzie> freysteinn then you definitely dont need many ips to hand out 20:09 < freysteinn> krzee: I could do it manually for now, yes. 20:09 < krzie> freysteinn just give them static ips in the subnet you define for VPN 20:09 < krzie> then setup the firewall rules accordingly 20:09 < Dougy> johny-b-goode, 20:09 < Dougy> !howto 20:09 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:09 < krzie> to allow them to the networks they need 20:09 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Remote closed the connection] 20:10 < johny-b-goode> krzie: ok, I'm reading the howto. the setup is almost complete. I thought if someone recognizes the error, it will help. :) 20:10 < krzie> sure, it means you have followed a wiki that did not give you any sort of authentication method 20:10 < krzie> which could be password, certificate (recommended), static key 20:10 < krzie> or password AND cert even 20:11 < Dougy> krzie 20:11 < Dougy> not even a hello? 20:11 < Dougy> some friend you are 20:11 < krzie> hi dougy ;] 20:11 < Dougy> hi cutie ;) 20:11 < krzie> hehe 20:12 < krzie> OHHH wait johny-b-goode 20:12 < krzie> i read the error wrong 20:12 < freysteinn> krzie: Thanks again. You have been most helpful.
20:12 < krzie> it says no SERVER cert verification method 20:12 < krzie> !servercert 20:12 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 20:12 < krzie> !mitm 20:12 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 20:12 < krzie> johny-b-goode see those 20:12 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn 20:12 < johny-b-goode> krzie: cool. :) thanks. 20:13 < krzie> freysteinn np man, do you see what im saying? 20:13 < krzie> freysteinn you can see the basic idea for that in the howto under: Configuring client-specific rules and access policies 20:13 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 20:14 < johny-b-goode> LOL, it says certificate is not yet valid. As if mysteriously, it will become valid...? 20:14 < freysteinn> krzee: That's great. Thanks. 20:14 < krzie> make sure all computers including the CA machine are set to the right time 20:15 < johny-b-goode> krzie: interestingly, my server might be off. checking.... 20:15 < Dougy> teets 20:15 < Dougy> hmm 20:15 < Dougy> ecrist, are you around 20:16 < krzie> he went to the gym 20:16 < Dougy> oh 20:16 < Dougy> i wanted to ask if i can bring my own bot here to play with 20:17 < krzie> for what? 20:18 < johny-b-goode> krzie: ok, the time was incorrect. :) Corrected that. Should I re-generate the certs? 20:18 < krzie> was it wrong on CA or others?
20:18 < johny-b-goode> it was wrong on server where certs were generated. 20:19 < johny-b-goode> I think that's what the error is saying until the future time that the server was set to is reached the certs aren't valid. 20:19 < Dougy> how wrong 20:19 < johny-b-goode> like one in future. 20:19 < krzie> should be fine then 20:20 < Dougy> krzie - sent over a pm oO 20:20 < johny-b-goode> ok, one question I have: when the openvpn is setup does it VPN me into the server? or would I be able to set it up so that I can VPN to the entire network? 20:20 < krzie> im on the phone 20:22 < Dougy> no probs 20:22 < krzie> johny-b-goode, both 20:22 < krzie> !route 20:22 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:23 < krzie> dougy, seems pointless for here, vpnhelper causes enough noise 20:23 < Dougy> fair enough 20:23 * Dougy will find someone else to bother 20:23 < krzie> but if reif or eric want it here thats fine of course 20:24 < johny-b-goode> krzie: ok, even more eager now. :) 20:27 < johny-b-goode> krzie: it worked. it was the timestamp. thanks for helping me resolve it quickly. :) 20:35 < krzie> freysteinn also, you will want to see !static 20:35 < krzie> johny-b-goode, yw 20:35 < krzie> freysteinn, i just saw that in the howto they give separate ranges for each policy, you dont need to do that 20:36 < krzie> they did that for easier firewall rule managing 20:36 < krzie> that is up to you 20:36 < krzie> and when doing static you may find it easier to avoid the /30 stuff, see !/30 and !topology for more info on that 20:44 < krzie> dougy, but im down to join a chan with you for testing your bot if you wanna 20:44 < krzie> ill only be here bout 30min more tho 20:45 < Dougy> wasnt going to do it tonight 20:45 < Dougy> tomorrow i may 20:46 < Dougy> organising my network atm 20:47 < krzie> werd 20:51 < freysteinn> krzee: Thanks yet again.
:-) 20:52 < krzie> =] 20:53 < krzie> no worries man, i enjoy a well thought out question, especially when it seems the person did all the reading they should have 20:53 < krzie> wooo i also enjoy a nice fast buildworld 20:54 < krzie> dual 3ghz pentium 20:55 < tjz> it is still a decent cpu 20:55 < tjz> better than celeron 20:55 < krzie> ya, its nice 20:55 < tjz> i heard Atom pwn pentium 4? 20:55 < krzie> sure i have faster, but i have nothing against a dual pentium 3ghz 20:55 < tjz> as long as it gets the work done 20:56 < tjz> :P 20:56 < tjz> of course, you can't play modern games on this.. 20:56 < tjz> gonna burn out the cpu in no time with all the fanciful graphic intensive games 20:56 < krzie> i dont play games 20:56 < tjz> hehe 20:56 < krzie> and it has no GUI 20:56 < tjz> is it loaded on linux? 20:57 -!- disco-_ [n=disco@andromeda.h4xed.com] has joined ##openvpn 20:57 < krzie> freeBSD 20:57 < krzie> i dont run linux in any real environment 20:57 < krzie> i do have it in VMs tho 20:58 < krzie> but only at home, and only for testing 20:58 < tjz> any advantage to using freeBSD over a popular OS like centos? 20:58 < tjz> seldom see freeBSD around 20:59 < krzie> in my opinion yes, but in reality its whatever you are good enough with to use correctly 20:59 < krzie> many big companies run freebsd 20:59 -!- disco- [n=disco@andromeda.h4xed.com] has quit [Read error: 60 (Operation timed out)] 21:00 < tjz> cool 21:01 < tjz> jeff, have you come across this error before? 21:01 < tjz> The requested address is not valid in its context. (code=10049) 21:01 < tjz> it is found in client log 21:01 < krzie> are you assigning static ips?
21:02 < krzie> btw you can see what os companies use with netcraft.com 21:02 < krzie> http://uptime.netcraft.com/up/graph?site=yahoo.com 21:02 < vpnHelper> Title: Netcraft What's That Site Running Results (at uptime.netcraft.com) 21:02 < krzie> example ^ 21:02 < tjz> lol 21:02 < krzie> yahoo runs freebsd 21:02 < tjz> interesting 21:03 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:03 < tjz> i bet google runs on some self-customised gool-linux 21:04 < krzie> i believe you are right 21:04 < krzie> def linux 21:04 < tjz> I did not get the error when i tried it on my pc 21:04 < tjz> but the other guy gets that error 21:05 < tjz> obviously, there is something "extra" on his pc setup that caused that problem 21:05 < krzie> are you pushing a route to clients? 21:05 < krzie> is he on the same subnet as the vpn? 21:05 < krzie> look around, you will find some sort of conflict 21:05 < krzie> also, right above that error you should get a hint as to what caused it 21:06 < krzie> also see server log for that connection 21:06 < tjz> ah 21:06 < tjz> haven't checked the server log yet 21:06 < tjz> will do 21:06 < tjz> btw, brb 21:06 < tjz> gonna fix something 21:06 -!- disco-_ is now known as disco- 21:07 -!- disco- is now known as disco-_ 21:07 -!- disco-_ is now known as disco- 21:11 < tjz> back 21:12 < krzie> ill be leaving in a min 21:12 < tjz> ok 21:13 < Dougy> krzie 21:13 < Dougy> hit the road 21:14 < tjz> lol 21:14 < tjz> hi dougy 21:14 < tjz> ^_^ 21:14 < Dougy> allo 21:14 < krzie> for sure dougy 21:14 < krzie> i will do that in just a min 21:14 < Dougy> krzie, throw me a beer first 21:16 < krzie> *throw* 21:16 < krzie> adios buddy 21:16 * Dougy catch 21:16 < Dougy> win 21:16 < Dougy> adios 21:17 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 21:31 -!- scudette_ [n=mic@austra2173.lnk.telstra.net] has joined ##openvpn 21:32 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 21:41 -!- Dougy
[n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 21:46 -!- scudette [n=mic@austra2173.lnk.telstra.net] has quit [Read error: 110 (Connection timed out)] 22:17 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: pa 22:17 -!- Netsplit over, joins: pa 22:49 -!- scudette [n=mic@austra2173.lnk.telstra.net] has joined ##openvpn 22:49 -!- albech [n=albech@119.42.76.60] has joined ##openvpn 23:04 -!- scudette_ [n=mic@austra2173.lnk.telstra.net] has quit [Read error: 110 (Connection timed out)] 23:06 -!- scudette_ [n=mic@203.45.20.190] has joined ##openvpn 23:11 -!- jeiworth [n=jeiworth@189.163.143.208] has quit [Operation timed out] 23:16 < johny-b-goode> fellas, openvpn is installed and working. Client connects fine. But no pinging back and forth. 23:17 < theDoc> Yep. 23:18 < johny-b-goode> I hear about iptables. is iptables necessary for a proper setup? 23:18 < johny-b-goode> and how does one configure it. 23:18 < theDoc> Almost. 23:18 < theDoc> !nat 23:18 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 23:18 < theDoc> ^ 23:18 < johny-b-goode> so I will read that for setup. 23:19 < johny-b-goode> can i ask you about the general setup tho? 23:19 < johny-b-goode> does it basically allow a client connection, and then you have to setup rules to route the data packets correctly? 23:19 < theDoc> johny-b-goode: Bingo. 23:19 < johny-b-goode> to and from the server, correct? 23:20 < theDoc> Depends on what you want to do with it 23:20 < johny-b-goode> basically, I want to setup a VPN setup so I can VPN to home network and see all the machines. 
23:20 -!- scudette [n=mic@austra2173.lnk.telstra.net] has quit [Read error: 110 (Connection timed out)]
23:22 < johny-b-goode> I guess the concept is easier to understand than the iptables commands. It will take some time to understand them.
23:33 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"]
23:42 -!- scudette [n=mic@austra2173.lnk.telstra.net] has joined ##openvpn
23:57 -!- scudette_ [n=mic@203.45.20.190] has quit [Read error: 110 (Connection timed out)]
23:58 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
--- Day changed Wed May 27 2009
00:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:54 -!- johny-b-goode [n=bobby@adsl-76-249-227-12.dsl.rcsntx.sbcglobal.net] has quit [Nick collision from services.]
00:59 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn
01:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:47 -!- master_of_master [i=master_o@p549D3433.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:51 -!- master_of_master [i=master_o@p549D3A97.dip.t-dialin.net] has joined ##openvpn
01:52 -!- SuperEvildeath [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
01:56 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:05 -!- Sparxz [n=mark@89.124.68.18] has joined ##openvpn
03:13 -!- Sparxz [n=mark@89.124.68.18] has left ##openvpn ["Konversation terminated!"]
03:15 -!- c64zottel [n=hans@p5B17B73F.dip0.t-ipconnect.de] has joined ##openvpn
03:28 -!- hd|laptop [n=marco@ppp-93-104-37-75.dynamic.mnet-online.de] has joined ##openvpn
03:30 < hd|laptop> Hi!
03:30 < hd|laptop> I run an openvpn daemon in bridged mode at home
03:30 < hd|laptop> and now I am on public Wifi
03:30 < hd|laptop> how do I route my entire traffic through the tunnel (Client: Windows, Server: Debian)
03:32 < hd|laptop> Segment of public wifi is 172.16.2.XXX, home lan is 172.16.1.XXX
03:40 < reiffert> !def1
03:40 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:41 < hd|laptop> I use push "redirect-gateway def1 bypass-dhcp"
03:41 < hd|laptop> in the server.conf
03:41 < hd|laptop> but it doesnt work
03:41 < hd|laptop> do I have to change gateway / IP settings on client or server?
03:41 < reiffert> "it does not work" = no error description
03:42 < hd|laptop> traceroute and web-based "show my ip" services give the IP of the public WLAN
03:42 < hd|laptop> hold short, I'll pastebin server config and client config...
03:43 < reiffert> better have a look on whats going on on the client side, so what does your client do with the redirect-gateway def1 line?
03:43 < reiffert> Be sure to read about the "local" option to redirect-gateway.
03:44 < reiffert> client OS?
03:44 < hd|laptop> Windows
03:44 < hd|laptop> XP Home SP2
03:45 < hd|laptop> Client IP config: http://pastebin.com/m785dd01e client openvpn config: http://pastebin.com/m131478c3
03:45 < Bushmills> moinmoin
03:46 < hd|laptop> Server IP config: http://pastebin.com/m440ad0b4 server openvpn config: http://pastebin.com/m771810b
03:46 < hd|laptop> Moin Bushmills
03:47 < hd|laptop> reiffert: do you have an idea?
03:49 < reiffert> hd|laptop: plenty. Already typed them. You could start reading them.
03:56 < hd|laptop> i gonna try the nat approach, seems like this is what i forgot.
03:56 < hd|laptop> what is the netmask for 172.16.1.xxx?
04:18 -!- albech [n=albech@119.42.76.60] has quit [Remote closed the connection]
04:19 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Lost terminal"]
04:58 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
05:37 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)]
05:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
06:54 < ecrist> morning folks
07:24 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
07:40 < thomas_78> hi all.... I am looking for someone to conf. a win xp box so that my friends can connect and play LAN games over the connections.. what is a fair price for the help ???
07:41 -!- thomas_78 [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn []
07:58 < ecrist> I start at $4000 per hour, plus a night with your mother.
08:42 -!- jeiworth [n=jeiworth@189.177.122.6] has joined ##openvpn
09:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
09:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:11 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
09:31 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Success]
09:44 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn []
10:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:24 -!- benedictus [i=chatzill@d51A5A4D1.access.telenet.be] has joined ##openvpn
10:34 -!- nate [n=nate@vodka.booze.org] has left ##openvpn []
10:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
10:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:08 -!- c64zottel [n=hans@p5B17B73F.dip0.t-ipconnect.de] has quit ["Leaving."]
11:15 -!- benedictus [i=chatzill@d51A5A4D1.access.telenet.be] has left ##openvpn []
11:33 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"]
11:38 < HardDisk_WP> !redirect
11:38 < vpnHelper> HardDisk_WP: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:38 < HardDisk_WP> !ipforward
11:38 < vpnHelper> HardDisk_WP: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
11:38 < HardDisk_WP> !winipforward
11:38 < vpnHelper> HardDisk_WP: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
11:38 < HardDisk_WP> !linipforward
11:38 < vpnHelper> HardDisk_WP: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
11:38 < HardDisk_WP> !nat
11:38 < vpnHelper> HardDisk_WP: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
11:38 < HardDisk_WP> !def1
11:39 < vpnHelper> HardDisk_WP: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:39 < HardDisk_WP> !man
11:39 < vpnHelper> HardDisk_WP: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:47 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
12:00 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:02 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
12:03 -!- scudette_ [n=mic@austra2173.lnk.telstra.net] has joined ##openvpn
12:08 < plaerzen> Is there something like noatime option for NTFS? I doubt it, just wondering.
12:10 < lazin> krzie - are u there ???
12:10 < plaerzen> oh sorry, wrong channel
12:11 < lazin> !howto for beginners
12:11 < vpnHelper> lazin: Error: "howto" is not a valid command.
12:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:16 -!- scudette [n=mic@austra2173.lnk.telstra.net] has quit [Read error: 110 (Connection timed out)]
12:18 < lazin> I have a win xp that I want to run as bridge vpnserver: 2 nic's called WAN LAN, I have made a bridge between LAN and the tap adapter and added IP settings to the new bridge. Can someone help me get from here .. cant find setup in howto...
12:23 < lazin> anyone that want to help.. can pay for your help ....
12:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:52 < lazin> any one that can setup a bridge server on a windows box now .. I will of course pay you for the work ...
12:53 < ecrist> lazin: there are many documents on how to create a bridged VPN available on the internet
12:53 < ecrist> !howto
12:53 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:56 < lazin> ecrist - yes i know .. have read many now .. but cant seem to get a clear picture of the setup I need .. Are you up for it ??
12:58 < ecrist> no, and please quit soliciting for someone to do it for you.
12:59 < lazin> oki sorry .. cant see whats wrong with asking its not for free....
13:00 < ecrist> you were in here before, under a different name, asking for the same thing
13:01 < lazin> yes just updated to real info ...
13:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:27 -!- googleman [n=zaeaze@41.221.27.254] has joined ##openvpn
13:28 < googleman> hi all
13:30 -!- googleman is now known as ReacTor
13:38 < ReacTor> any one here ?
13:43 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 60 (Operation timed out)]
13:44 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
13:58 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
14:17 < HardDisk_WP> hey ecrist are you alive?
14:18 < ecrist> yes
14:18 < HardDisk_WP> good :) first, thanks for your help with getting my vpn bridge running
14:18 < HardDisk_WP> second... it works, but only half. i can wonderfully access the vpn from outside and contact LAN machines
14:19 < HardDisk_WP> but what does not work, is traffic routing through the VPN server's internet connection, despite push "redirect-gateway def1 bypass-dhcp" being set
14:20 < HardDisk_WP> i mean, the network is bridged on server side, but why is all traffic on client still flowing through unsecure open WLAN?
14:20 < ecrist> do you have NAT configured on the internet gateway for the VPN-local LAN?
14:20 < HardDisk_WP> nope...
14:21 < HardDisk_WP> is it iptables -t nat -A POSTROUTING -s 172.16.1.48/29 -o br0 -j MASQUERADE ?
14:21 < HardDisk_WP> I tried it, this didnt work
14:21 < ecrist> !linnat
14:21 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:21 * ecrist isn't a linux user
14:21 < HardDisk_WP> exactly... this didn't work. I think it's some damn windows bug
14:22 < HardDisk_WP> I mean, Windows doesnt even TRY to route any non-172.16.1.xxx traffic through the vpn
14:22 < ecrist> I think your -o is wrong
14:22 < ecrist> is your internet connection a component of the bridge?
14:22 < HardDisk_WP> yes
14:22 < HardDisk_WP> the machine i use as openvpn gate has only a single ethernet connection
14:23 < HardDisk_WP> eth0 and tap1 are bridged to br0
14:23 < ecrist> ok, you're still going to want to use eth0, I think.
14:23 < ecrist> but, someone who's versed in linux would be better suited to solve this dilemma
14:23 < HardDisk_WP> it's ifconfig down'd in the bridge script
14:23 < HardDisk_WP> kk
14:24 < HardDisk_WP> so then, anyone here who knows how to properly NAT on Linux?
14:28 < Bushmills> NAT on bridge? sounds a bit contradictive.
14:30 < HardDisk_WP> Yep, but this is what the Howtos say ^^
14:30 < HardDisk_WP> I mainly think it's a routing problem
14:30 < Bushmills> http://scarydevilmonastery.net/masq <- NAT on linux
14:30 < HardDisk_WP> but if I'd set the default gateway of Windows to the router also serving the openvpn machine
14:30 < HardDisk_WP> then no packets would arrive any more
14:30 < HardDisk_WP> as the openvpn data packets will be trying to be sent over the openvpn link
14:31 < HardDisk_WP> which creates a loop
14:31 < HardDisk_WP> echo 1 > /proc/sys/net/ipv4/ip_forward # forwarding
14:31 < HardDisk_WP> Heh, I missed this one
14:32 < HardDisk_WP> Bushmills, the only remaining question is... What to choose for -s parameter?
14:32 < HardDisk_WP> the IP range of DHCP is 172.16.1.100-150, the IP range of ovpn is .50-.70
14:32 < Bushmills> MYNET="10.86.80.0/24"
14:32 < Bushmills> that's the VPN network
14:33 < HardDisk_WP> yeah... I'm not familiar with CIDR ^^
14:35 < Bushmills> i *think* you can specify address ranges in iptables, with colon. but you better read the iptables man page to be sure of that.
14:39 < HardDisk_WP> nope, doesnt say anything in manpage
14:39 < HardDisk_WP> i'll try tomorrow with forward enabled
14:40 < Bushmills> i might be wrong. was assuming one can because ports allow that kind of specification
14:40 < HardDisk_WP> yet the most important issue is still not solved...
14:40 < HardDisk_WP> how to tell Crapdows to route all traffic through vpn?!
14:40 < Bushmills> !def1
14:40 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:41 < HardDisk_WP> yeah, it is already enabled... but as said, windows didnt even try to route traffic through openvpn ./
14:41 < HardDisk_WP> :/
14:41 < HardDisk_WP> why must windows be so complex.
14:42 < Bushmills> i have redirect-gateway in my client config, which works fine. but no windows here.
14:43 < HardDisk_WP> which is the problem, I think :D
14:43 < Bushmills> ehm .. 172.16...
14:43 < HardDisk_WP> screw this os1
14:44 < HardDisk_WP> Bushmills, yeah, what's with it? it's unusual for networks, but a perfectly valid private scope
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:46 < Bushmills> yes, those are rfc1918 addresses alright. i'm trying to remember what was special about those
14:49 < HardDisk_WP> http://en.wikipedia.org/wiki/Private_network
14:49 < vpnHelper> Title: Private network - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:49 < HardDisk_WP> nice bot
14:50 < HardDisk_WP> Bushmills, seems like they aren't special
14:50 < HardDisk_WP> only very rare
14:50 < HardDisk_WP> which is why i chose them, because most public wlans and networks use either 10.x or 192.168.x net
14:53 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
14:53 < barefoot> hi all
14:53 -!- jeiworth [n=jeiworth@189.177.122.6] has quit [Operation timed out]
14:54 -!- barefoot is now known as magic_1
14:54 < Bushmills> HardDisk_WP, does a route show for your 172.16 address in the routing table?
14:55 < HardDisk_WP> i'm not connected to the VPN currently... that will take me some time till I dig out the second LAN cable
14:58 -!- ReacTor [n=zaeaze@41.221.27.254] has quit [Read error: 110 (Connection timed out)]
14:59 < magic_1> hi guys, how would i be able to make openvpn server listen on 2 network interfaces, all help is greatly appreciated
14:59 < HardDisk_WP> magic_1, you can start two openvpn services, listening on different ports
14:59 < HardDisk_WP> and bridge their tun/tap devices
15:00 < magic_1> sorry for my ignorance but how would i start 2 instances on the same machine in linux
15:00 < magic_1> thanks for the help HardDisk_WP
15:01 < HardDisk_WP> magic_1, two separate config files
15:01 < HardDisk_WP> one for each instance
15:02 < magic_1> so in /etc/openvpn/server.conf i just create one being server2.conf
15:02 < HardDisk_WP> yes
15:02 < HardDisk_WP> Debians init.d script cares about that automatically and starts 1 process per config file
15:02 < HardDisk_WP> dunno how other distros handle this
15:03 < magic_1> awesome , thanks big time HardDisk_WP
15:03 < HardDisk_WP> np
15:07 < magic_1> HardDisk_WP would be alright for me to pm quick
15:07 < HardDisk_WP> yea
15:13 < magic_1> just to make sure, how would i bridge my tun/tap
15:14 < HardDisk_WP> there is a script in the openvpn directory
15:14 < HardDisk_WP> it's called "bridge"...
15:14 < magic_1> let me check quick
15:15 < krzie> did you just say bridge your tun/tap?
15:15 * krzie blows a wtfbubble
15:15 < magic_1> i know i know
15:15 < magic_1> badly put on my site
15:15 < magic_1> side
15:16 < HardDisk_WP> you have to change your vpn to a tap-based ("real" bridged)
15:16 < krzie> tun is ip traffic only, bridging it will help nothing whatsoever
15:16 < HardDisk_WP> krzie, hey, nice to see you. do you know how to make windows route traffic through vpn tunnel?
15:16 < krzie> and 90% of people that come here asking for help bridging dont have a good reason why and should instead be using tun
15:16 < HardDisk_WP> def1 doesnt help
15:16 < magic_1> i would do that on both scripts
15:17 < HardDisk_WP> windope doesnt even try to route traffic through vpn
15:17 < krzie> HardDisk_WP, sure... the same way as any other OS
15:17 < HardDisk_WP> that would be?
15:17 < krzie> use def1 and show me the log
15:17 < krzie> i bet you're getting a winroute error
15:17 < magic_1> krzie, i need to run 2 instances openvpn
15:17 < krzie> magic_1, why? (sometimes that IS needed)
15:18 < HardDisk_WP> different port numbers he said
15:19 < krzie> umm, why?
15:19 < magic_1> cause i need to run openvpn from 2 different lines, i have the routing setup, but i need ppl to vpn on both eth interfaces
15:19 < magic_1> eth1(isp1) eth2(isp2)
15:19 < krzie> ok so you have 2 links to the net and you want people connecting via both
15:19 < krzie> gotchya, yup you want 2 instances
15:19 < krzie> now whyd you mention bridging>?
15:20 < magic_1> would i need to change my tun settings at all?
15:20 < HardDisk_WP> krzie, it was me who suggested it... correct me if I'm wrong
15:20 < krzie> nah as long as they dont use static tuns its fine as is
15:20 < HardDisk_WP> but how else could clients from isp1 reach those connected from isp2?
15:20 < krzie> umm, they would be on diff vpn networks and youd treat each like a lan behind the server
15:21 < magic_1> well in this case its not needed, but i would definitely like to know how they would
15:21 < krzie> aka youd simply push a route to each to know bout the other
15:21 < HardDisk_WP> ah ok...
15:21 < magic_1> aahh i thought that would work
15:21 * HardDisk_WP hates routing stuff
15:21 < krzie> HardDisk_WP, read !route
15:21 < magic_1> so in this case i just run 2 diff instances
15:21 < HardDisk_WP> krzie, I don't need it, I run bridged ^^
15:22 < HardDisk_WP> it's simply i dont like routing stuff in general...
15:22 < krzie> ahh
15:22 * krzie hacks 1 node on HardDisk_WP's vpn and then runs arp poison attacks on his whole network using his VPN
15:22 < krzie> layer2 is inherently insecure
15:23 < HardDisk_WP> oh, ARP poisoning. Used this in school, with great effect.
15:23 < krzie> opening your whole vpn to layer2 is something i steer clear of
15:23 < HardDisk_WP> We had a nice laugh when porn pics came instead of the images on the Wikipedia article :D
15:23 < krzie> ahh you were changing images mid-stream
15:23 < HardDisk_WP> Exactly...
15:24 < krzie> that can be a chuckle
15:24 < krzie> you were also running driftnet i assume
15:24 < HardDisk_WP> Nah, i was using some ettercap command
15:24 < krzie> right
15:24 < krzie> but driftnet will show you every image and media file that goes over the wire
15:24 < HardDisk_WP> LOL nice
15:25 < HardDisk_WP> I'd be more interested in a HTTP POST data grabber
15:25 < krzie> whereas ettercap will grab passes, packet streams, and let you modify streams on the fly
15:25 < HardDisk_WP> .oO( running driftnet in school would show 90% porn I'm sure)
15:26 < HardDisk_WP> I'd like to have your hacker skills
15:27 < HardDisk_WP> I'm only skilled at web application security
15:29 < magic_1> guys i am getting the following when i try to restart
15:29 < magic_1> Shutting down openvpn: [ OK ]
15:29 < magic_1> Starting openvpn: SIOCADDRT: File exists
15:29 < magic_1> [ OK ]
15:33 < krzie> im only familiar with openvpn, not the linux wrappers
15:33 < krzie> i use freebsd, and i dont use the freebsd wrappers either
15:34 < krzie> it could have simply been when trying to readd a route that was already active from the last instance, and been nothing to worry bout
15:35 < krzie> Thu Sep 21 20:51:56 2006 /sbin/ifconfig tun0 10.0.1.42 pointopoint 10.0.1.41 mtu 1500
15:35 < krzie> SIOCADDRT: File exists
15:35 < krzie> Thu Sep 21 20:51:56 2006 ERROR: Linux route add command failed: shell command exited with error status: 7
15:35 < krzie> Thu Sep 21 20:51:56 2006 Initialization Sequence Completed like that
15:35 < krzie> like that
15:36 < magic_1> hhmm , yea it seems to work still
15:37 < magic_1> thank big time guys for all the help
15:38 < krzie> yw
15:51 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Bushmills, freaky_t
15:52 -!- Netsplit over, joins: Bushmills, freaky_t
16:06 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
16:13 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has quit []
17:14 -!- hd|lapto1 [n=marco@ppp-93-104-110-65.dynamic.mnet-online.de] has joined ##openvpn
17:30 -!- hd|laptop [n=marco@wikipedia/harddisk] has quit [Read error: 110 (Connection timed out)]
17:30 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
17:31 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
17:38 < lazin> Hi all ... I have set up a bridge server and connected 2 clients they can ping and see shares ... is it possible to get broadcasts from clients to each other so they can run LAN games and browse the network ???
18:00 < krzie> i would have expected it to do that already
18:00 < krzie> did you try client-to-client?
18:05 < lazin> yes its on
18:07 < lazin> here is my conf ...
18:07 < lazin> local xxx.xxx.xxx.xxx
18:07 < lazin> port 50000
18:07 < lazin> proto udp
18:07 < lazin> dev tap
18:07 < lazin> dev-node openVPN
18:07 < lazin> ca C:\\vpn\\ca.crt
18:07 < lazin> cert C:\\vpn\\server.crt
18:07 < lazin> key C:\\vpn\\server.key # This file should be kept secret
18:07 < lazin> dh C:\\vpn\\dh1024.pem
18:07 < lazin> ifconfig-pool-persist C:\\vpn\\ipp.txt
18:07 < lazin> server-bridge 192.168.100.1 255.255.255.0 192.168.100.10 192.168.100.20
18:08 < lazin> client-to-client
18:08 < lazin> keepalive 10 120
18:08 < lazin> comp-lzo
18:08 < lazin> persist-key
18:08 < lazin> persist-tun
18:08 < lazin> status C:\\vpn\\openvpn-status.log
18:08 < lazin> verb 3
18:14 < lazin> krzie - can you see any thing wrong with that conf ???
18:17 < Bushmills> http://pastebin.com/ ...
18:18 < Bushmills> !paste
18:18 < vpnHelper> Bushmills: Error: "paste" is not a valid command.
18:19 < Bushmills> vpnHelper, paste is "don't paste long sections of text in this channel. paste them to http://pastebin.com instead, and copy the URL into the channel
18:19 < vpnHelper> Bushmills: Error: No closing quotation
18:20 < Bushmills> vpnHelper, paste is "don't paste long sections of text in this channel. paste them to http://pastebin.com instead, and copy the URL into the channel."
18:20 < vpnHelper> Bushmills: Error: "paste" is not a valid command.
18:21 < lazin> sorry ...
18:23 < lazin> please see http://pastebin.com/d72042f14 .. cant get lan games and network browsing to work ..
18:25 < lazin> clients can ping and connect to shares .....
18:33 < Bushmills> lazin, it might be that it is not a server configuration issue.
18:34 < Bushmills> you should check whether clients send their broadcast packets to the tun/tap device. if those are only sent to eth, the vpn server won't see them (and therefore not route them to other clients)
18:41 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has quit [Read error: 60 (Operation timed out)]
18:41 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
18:48 -!- jeiworth [n=jeiworth@189.163.172.4] has joined ##openvpn
18:52 < lazin> any one that have some thing I can try working with from the conf link ???
18:55 < krzie> i dont really support bridges
18:55 < krzie> as i dont use them, and likely never will
18:57 < xp_prg> the conf link?
18:57 < lazin> oki .. but I need it to get a virtual lan for the clients right ???
18:58 < lazin> xp_prg - http://pastebin.com/d72042f14
19:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
19:11 < lazin> any suggestions are appreciated ....
19:25 < pekster> lazin: You can have a "virtual" network for the clients either way. A bridge only makes sense if you A) actually need to transport non-IP protocols (NBNS, IPX, etc) or B) have a very good reason to make the network setup more complicated
19:25 < pekster> Actually, in most cases you need A and B to justify using a bridged setup
19:26 < pekster> Ah, I just read up a bit - in your case it might be justified if you want browsing and some L2 network game protocols to "just work"
19:27 -!- hd|laptop [n=marco@ppp-93-104-98-53.dynamic.mnet-online.de] has joined ##openvpn
19:28 < pekster> lazin: You say you can't get broadcasts between clients; what type of broadcasts are you talking about here?
19:38 < lazin> pekster: tnx for the help ... I just think its the broadcasts that is not getting from client to client .. because it must be broadcasts when in game looking for other players on the LAN... did not know that games used L2 protocols ...
19:39 < pekster> Most modern day games don't anymore because they're a PITA
19:40 < pekster> What broadcasts? TCP/IP traffic sent to the broadcast address? That should be easy to track with tcpdump / Wireshark as Bushmills outlined above: first verify it's going out the interface you expect, then watch where it's going
19:41 < pekster> If you don't see anything being picked up by the tap adapter on the server or clients, check the physical network since the application may assume that it's the only interface and ignore the rest, in which case it's an issue you need to resolve in the app itself
19:43 < lazin> oki will sniff for the traffic ... tnx for your help
19:43 -!- hd|lapto1 [n=marco@ppp-93-104-110-65.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
19:44 < pekster> You can also test that correctly addressed broadcasts go where they should by pinging the broadcast address
19:45 < lazin> oki ....
19:46 -!- xattack [n=enrique@132.248.59.73] has joined ##openvpn
19:50 -!- lazin [n=tm@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has left ##openvpn []
20:59 -!- xattack [n=enrique@132.248.59.73] has quit ["leaving"]
21:00 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:00 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn
21:50 < scudette_> krzie: thanks for your help the other day
21:51 < scudette_> worked like a charm... its good when you know how to do things much easier
21:51 < scudette_> tried to document it here http://www.secure-computing.net/wiki/index.php/OpenVPN/RIPRouting
21:51 < vpnHelper> Title: OpenVPN/RIPRouting - Secure Computing Wiki (at www.secure-computing.net)
21:54 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"]
21:59 -!- Skered [n=dereks@c-24-3-205-125.hsd1.pa.comcast.net] has left ##openvpn []
22:02 -!- jeiworth [n=jeiworth@189.163.172.4] has quit ["No Ping reply in 90 seconds."]
22:04 -!- jeiworth [n=jeiworth@189.163.172.4] has joined ##openvpn
22:07 -!- sond [n=sond@203.109.171.72] has joined ##openvpn
22:18 < sond> hi all i need some help with my iptables on the gateway -> prob is can not ping lan hosts
22:18 < sond> i have a route for 10.8.0.0/24 pointing to the openvpn box
22:21 < sond> should i preroute all internal established traffic to 10.8.0.0/24 to the openvpn box ?
22:21 < sond> *for 10.8.0.0/24
22:23 < sond> had it working yesterday .. i could ssh internal clients but was getting ping redirects probs
22:45 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn
22:50 -!- sond [n=sond@203.109.171.72] has quit ["Leaving"]
23:09 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit [Read error: 110 (Connection timed out)]
23:13 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn
23:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:53 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn
23:58 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"]
23:58 -!- oc80z [i=oc80z@204.8.219.178] has quit [Remote closed the connection]
--- Day changed Thu May 28 2009
00:09 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:43 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
00:43 -!- pekster [n=pekster@76.113.143.76] has joined ##openvpn
00:44 -!- pekster is now known as Guest6062
00:45 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:26 -!- jeiworth [n=jeiworth@189.163.172.4] has quit [Read error: 60 (Operation timed out)]
01:44 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
01:47 -!- master_of_master [i=master_o@p549D3A97.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:51 -!- master_of_master [i=master_o@p549D3563.dip.t-dialin.net] has joined ##openvpn
02:30 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has quit [Read error: 113 (No route to host)]
03:19 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has joined ##openvpn
03:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:26 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
05:00 -!- kyrix [n=ashley@188-23-182-38.adsl.highway.telekom.at] has joined ##openvpn
05:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:28 -!- Haraken [i=ryuk@unaffiliated/haraken] has quit [SendQ exceeded]
05:31 -!- Haraken [i=ryuk@unaffiliated/haraken] has joined ##openvpn
06:00 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
06:45 -!- kyrix [n=ashley@188-23-182-38.adsl.highway.telekom.at] has quit ["Leaving"]
06:51 -!- achilles [n=achilles@62-90-200-222.alami.net] has joined ##openvpn
06:52 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
06:52 < achilles> hello all, I'm trying to start my openvpn server, here is the log please help http://pastebin.com/m5417f88e
06:52 < achilles> while ca.key exists and has only root permission
06:56 -!- Solvik [n=solvik@oxyradio.com] has left ##openvpn ["Quitte"]
07:04 -!- note [n=note@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
07:04 -!- note [n=note@85-125-189-220.static.sdsl-line.inode.at] has left ##openvpn ["Verlassend"]
07:18 < achilles> guys, it seems openvpn needs ca to be in .pem format, but in the documentation the easy-rsa scripts generate .key format !
07:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:25 < scudette_> achilles: normally the .key is the private key
07:25 < scudette_> the ca is a pem certificate
07:25 < scudette_> they are two different things
07:26 < scudette_> openvpn does not use the ca key (thats only used to sign certs)
07:26 < achilles> okay, the scripts provided by easy-rsa supposed to generate the .pem files right ?
07:26 < scudette_> it needs the ca cert which is in pem
07:26 < scudette_> look for a .crt file
07:26 < scudette_> which is in .pem format i think
07:27 < achilles> oh yeah it worked
07:27 < achilles> thank you very much
07:27 < scudette_> np
07:27 < achilles> just please, what is the difference ?
07:27 < scudette_> the difference between what?
07:27 < scudette_> the .key file is the private key - which is private
07:27 < achilles> what is pem
07:27 < scudette_> its used to sign certificates
07:28 < scudette_> pem is a format for encoding the certificate
07:28 < achilles> a
07:28 < achilles> ah
07:28 < achilles> ca.crt is supposed to be the same for both server and client right ?
07:28 < achilles> I mean, the client should have the ca.crt file also
07:29 < scudette_> yes
07:29 < scudette_> the ca.crt just tells you which ca signed the certs
07:29 < scudette_> which both client and server must trust
07:29 < scudette_> you can look in the cert using
07:29 < scudette_> openssl x509 -text -in /etc/openvpn/ca.crt
07:29 < scudette_> to read the .pem file
07:29 < ecrist> good morning, folks
07:29 < scudette_> hi
07:30 < achilles> thank you very much scudette_
07:30 < scudette_> np
07:38 -!- jeiworth [n=jeiworth@189.163.172.4] has joined ##openvpn
07:56 -!- ttf [n=tom@unaffiliated/ttf] has joined ##openvpn
07:57 < ttf> hi.. is it possible to permanently set the username in the config file?
07:57 < ttf> I can see I can use --auth-user-pass to store the username/password combination but in my case the username is permanent but the password is based on one-time-passwords
07:57 < ttf> so it would be handy to store the username but make openvpn ask me for the password
07:57 < ttf> I'm using openvpn=2.1~rc11-1 debian version
07:57 < ecrist> yes, it's covered in the man pages
07:57 < ecrist> !betaman
07:57 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html
07:58 < ttf> ecrist: I checked the manpage but couldn't find what I am looking for
07:59 < ttf> I didn't read the whole manpage thoroughly I admit. There's too much stuff covered there which I don't understand as I'm new to openvpn
07:59 < ttf> thus it's hard to find what I am looking for
07:59 < ttf> I'm not the admin in this case - just a user :)
07:59 < ttf> what would I search for in the manpage?
08:00 < ttf> I looked at everything containing "user" - which didn't help me further
08:01 < ecrist> !howto
08:01 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:01 < ecrist> look at the section 'Using alternative authentication methods'
08:12 -!- Guest6062 is now known as pekster
08:15 -!- SuperEvilDeath17 [n=death@212.206.209.177] has quit [Client Quit]
08:20 -!- n0g0 [n=n0g0@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
08:21 -!- n0g0 [n=n0g0@85-125-189-220.static.sdsl-line.inode.at] has left ##openvpn ["Verlassend"]
08:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
08:45 -!- Llama [n=bogdan@84.201.239.103] has joined ##openvpn
08:46 < Llama> Hello. Can I use 'iroute' option twice, for two different subnets ?
08:46 < ecrist> sure, as far as I know
08:52 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
09:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:43 -!- freysteinn [n=freystei@ailab-gw.ru.is] has quit [Read error: 113 (No route to host)]
10:09 -!- achilles [n=achilles@62-90-200-222.alami.net] has quit [No route to host]
10:31 -!- david [n=david@unaffiliated/mtrh] has joined ##openvpn
10:31 < david> hay
10:33 < david> !howto
10:33 < vpnHelper> david: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:05 -!- Intensity [i=[MEAfCQR@unaffiliated/intensity] has quit [Remote closed the connection]
11:09 -!- kyrix [n=ashley@91-115-187-188.adsl.highway.telekom.at] has joined ##openvpn
12:29 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:52 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:54 -!- Intensity [i=[U2T8Dt5@unaffiliated/intensity] has joined ##openvpn
13:07 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:08 -!- xattack [i=xattack@132.248.108.239] has left ##openvpn []
13:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:32 -!- hd|lapto1 [n=marco@ppp-93-104-123-111.dynamic.mnet-online.de] has joined ##openvpn
13:48 -!- hd|laptop [n=marco@ppp-93-104-98-53.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
13:53 -!- hd|laptop [n=marco@ppp-93-104-54-8.dynamic.mnet-online.de] has joined ##openvpn
13:58 -!- hd|lapto2 [n=marco@ppp-93-104-48-1.dynamic.mnet-online.de] has joined ##openvpn
14:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:07 -!- ReacTor [n=zaeaze@41.221.19.202] has joined ##openvpn
14:07 -!- deception [i=oc80z@quad.efnet.pe] has quit [Success]
14:08 -!- hd|lapto1 [n=marco@ppp-93-104-123-111.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
14:14 -!- hd|laptop [n=marco@ppp-93-104-54-8.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:19 -!- ReacTor [n=zaeaze@41.221.19.202] has quit [Remote closed the connection]
16:05 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
16:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:27 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has joined ##openvpn
16:29 -!- Brack10 [n=tbracket@mail.midcoforklift.com] has joined ##openvpn
16:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:45 -!- kyrix [n=ashley@91-115-187-188.adsl.highway.telekom.at] has quit ["Leaving"]
16:54 -!- Brack10 [n=tbracket@mail.midcoforklift.com] has left ##openvpn []
17:17 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:35 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
17:35 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
17:37 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
18:10 -!- holycow [n=new@mail.wjsgroup.com] has joined ##openvpn
18:10 < holycow> hi guys
18:11 < holycow> does anyone here use tunneldigger? does anyone know HOW to use it? i installed it but i bloody can't find either a website or info on how to use it from ubuntu
18:11 < holycow> thoughts?
18:13 < xp_prg> what does tunneldigger do?
18:14 < holycow> supposedly its a gui for managing openvpn connections
18:17 < holycow> oh its not a gui. it generates per user configs as .deb files
18:17 < holycow> weird
18:18 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
18:34 -!- Mal3ko [i=Maleko@115.132.13.219] has joined ##openvpn
18:34 < Mal3ko> !howto
18:34 < vpnHelper> Mal3ko: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:35 < Mal3ko> what setting determines whether or not all client traffic is routed through the vpn gateway?
18:36 < Mal3ko> never mind..
18:37 < Mal3ko> so its a server side setting
18:37 < Mal3ko> push "redirect-gateway def1"
18:37 < Mal3ko> is there a way for the client to override that?
18:41 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
18:41 < reiffert> Back
18:42 < scudette_> Mal3ko: the client can set whatever routes it wants through up scripts for example
18:43 < Mal3ko> scudette_ how would i do that?
18:44 < scudette_> you would write a script and then run it with the --up directive
18:44 < scudette_> you can put any routing stuff you want there like set gateways etc
18:44 < Mal3ko> the vpn im provided with is routing all my traffic through the vpn server
18:44 < scudette_> thats because it installs a default route
18:44 < scudette_> so you can always remote the default route and install another one
18:44 < scudette_> remove
18:46 < scudette_> why are you trying to route your traffic not through the vpn? doesnt it defeat the whole point of having a vpn?
18:47 < Mal3ko> scudette_: i'd like to use it with some applications only
18:47 < Mal3ko> http://pastebin.com/d130abeb
18:47 < reiffert> !def1
18:47 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:50 < Mal3ko> so..
18:50 < Mal3ko> def1 0.0.0.0/1 128.0.0.0/1 ?
18:52 < reiffert> !man
18:52 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:53 < reiffert> !redirect-gateway
18:53 < vpnHelper> reiffert: Error: "redirect-gateway" is not a valid command.
19:05 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
19:05 < hardwire> ahoy good folk
19:05 < hardwire> and folkette
19:22 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
19:22 -!- Maleko [n=Maleko@sd-15832.dedibox.fr] has joined ##openvpn
19:22 -!- Mal3ko [i=Maleko@115.132.13.219] has quit [Nick collision from services.]
19:22 < Maleko> nope..it still redirects all traffic
19:23 < Maleko> redirect-gateway "def1"
19:25 < Maleko> eh
19:28 -!- amystrat [n=amystrat@c-24-18-231-244.hsd1.wa.comcast.net] has joined ##openvpn
19:29 < amystrat> quick question, I have been using ipcop/zerina successfully for a couple of years
19:29 < amystrat> how can I route all traffic over the vpn connection?
19:29 < reiffert> Quick answer: no.
19:30 < amystrat> haha
19:30 < reiffert> !def1
19:30 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:31 < amystrat> is this something I only need to do on the clients? or is there something I need to do on the server side?
19:31 -!- MRCUTEO [n=IRCLUNAT@89.149.194.94] has joined ##openvpn
19:31 < MRCUTEO> y0 tjz
19:31 < MRCUTEO> :D
19:31 < reiffert> This depends on your setup. Add some basic logic, routing basics and switch on your brain.
19:33 < amystrat> ok.... I see what type of personality this irc room has......
19:33 < amystrat> sorry for asking for help....
19:35 -!- amystrat [n=amystrat@c-24-18-231-244.hsd1.wa.comcast.net] has quit []
19:36 -!- Maleko [n=Maleko@sd-15832.dedibox.fr] has quit [Read error: 60 (Operation timed out)]
19:36 < reiffert> Yeah, this is no fucking we rob on the knees to make you give us more pieces of information - my crystal ball is broken - shitty forum.
19:40 -!- MRCUTEO [n=IRCLUNAT@89.149.194.94] has quit []
19:45 -!- xp_prg [n=xp_prg3@adsl-99-165-28-65.dsl.pltn13.sbcglobal.net] has joined ##openvpn
19:47 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
19:52 -!- xp_prg [n=xp_prg3@adsl-99-165-28-65.dsl.pltn13.sbcglobal.net] has quit ["This computer has gone to sleep"]
20:00 -!- hd|laptop [n=marco@ppp-93-104-35-193.dynamic.mnet-online.de] has joined ##openvpn
20:16 -!- hd|lapto2 [n=marco@ppp-93-104-48-1.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
20:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
20:33 -!- freysteinn [n=freystei@ailab-gw.ru.is] has joined ##openvpn
20:49 -!- FirstSgt [n=chris@68-118-209-12.dhcp.omak.wa.charter.com] has quit [Read error: 104 (Connection reset by peer)]
20:49 -!- FirstSgt [n=chris@68-118-209-12.dhcp.omak.wa.charter.com] has joined ##openvpn
21:00 -!- jeiworth [n=jeiworth@189.163.172.4] has quit [Read error: 60 (Operation timed out)]
21:04 -!- jeiworth [n=jeiworth@189.163.147.89] has joined ##openvpn
21:59 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
22:00 < Hydrant> hey all.. how does OpenVPN compare with ipsec? I have openvpn up, but some devices prefer ipsec... but I don't want to compromise the high security of openvpn
22:10 < reiffert> totally different concepts.
22:12 < Hydrant> I'm actually finding that my iphone (which has ipsec, which is why I wanted it installed too) might have crappy vpn support anyway
22:22 -!- tekk [i=mike@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has quit [Read error: 110 (Connection timed out)]
22:30 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
22:44 -!- FlyingSquirrel31 [n=jared@190.87.146.128] has joined ##openvpn
22:45 < FlyingSquirrel31> I think I know the answer to this question, but does openvpn work smoothly with the windows vpn client?
22:45 < FlyingSquirrel31> !howto
22:45 < vpnHelper> FlyingSquirrel31: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:49 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
22:52 < FlyingSquirrel31> Do I need to have two nics on my vpn server?
23:43 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has joined ##openvpn
--- Day changed Fri May 29 2009
00:08 -!- Lilarcor [n=Lilarcor@208-58-210-118.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
00:08 -!- Lilarcor [n=Lilarcor@208-58-210-118.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Read error: 54 (Connection reset by peer)]
00:24 -!- xp_prg [n=xp_prg3@dsl092-008-180.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"]
00:36 -!- stephenh_ [i=stephenh@69.30.200.88] has joined ##openvpn
00:47 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
00:47 -!- FlyingSquirrel31 [n=jared@190.87.146.128] has left ##openvpn []
00:57 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
01:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
01:01 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)]
01:02 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
01:04 -!- stephenh_ [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
01:04 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn
01:15 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:38 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 104 (Connection reset by peer)]
01:47 -!- master_of_master [i=master_o@p549D3563.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:48 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
01:51 -!- master_of_master [i=master_o@p549D3404.dip.t-dialin.net] has joined ##openvpn
01:59 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)]
01:59 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
02:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:35 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
02:43 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
02:44 < krzee> !ssl-admin
02:44 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
02:49 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
02:51 -!- tjz [n=tjz@219.74.242.146] has quit [Read error: 110 (Connection timed out)]
03:04 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
03:05 -!- Llama [n=bogdan@84.201.239.103] has left ##openvpn ["Выходжу"]
03:07 -!- SuperEvilDeath17 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
03:08 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
03:17 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)]
03:18 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
03:27 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn
03:28 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection]
03:38 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
03:47 < reiffert> morning
03:48 -!- lazin [n=tobiasme@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
03:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
03:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:56 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"]
03:59 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
04:32 -!- tjz [n=tjz@bb121-7-13-192.singnet.com.sg] has joined ##openvpn
04:34 -!- krzie [i=krzee@unaffiliated/krzee] has quit [Read error: 110 (Connection timed out)]
04:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
04:38 -!- lazin [n=tobiasme@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has quit [Read error: 110 (Connection timed out)]
04:54 < HardDisk_WP> Hi all!
04:54 < HardDisk_WP> I finally managed to route traffic through the VPN :)
04:54 < HardDisk_WP> Problem is, how do I tell OpenVPN to route everything to 10.97.36.XXX NOT through the tunnel?
04:55 < reiffert> you add a route for 10.97.36.xxx to the gateway of 10.97.36.xxx.
04:56 < HardDisk_WP> yep, done
04:56 < HardDisk_WP> any way to automate this within the openvpn conf?
04:56 < reiffert> !client-connect
04:57 < reiffert> HardDisk_WP: plenty of ways. Depends on your setup.
04:57 < reiffert> e.g. will it happen on the client side or on the server side?
04:57 < HardDisk_WP> the route change should happen on the clients
04:58 < HardDisk_WP> i think i'll do me a hotlink in the quicklaunch bar...
04:58 < reiffert> Why is it important to reach 10.97.36.xxx?
04:58 < HardDisk_WP> this is the school network
04:59 < HardDisk_WP> so I can access the school shares while being able to edit wikipedia through my home internet
04:59 < reiffert> I dont care if its in school or at your local drug dealer, try to be more specific in terms of "client", "server" and other openvpn terms. Thanks.
05:00 < reiffert> Why do you need to replace the default gateway?
05:00 < HardDisk_WP> Ah okay... client is 1 laptop, windows xp. it is attached to a pocket wlan router, which in turn is attached to the school network
05:01 < HardDisk_WP> server is a NSLU2, it is at my home
05:01 < HardDisk_WP> and the school network is proxied, and the proxy is banned on wikipedia for vandalism
05:01 < HardDisk_WP> well, everything works now... thanks for all of your support in the last weeks
05:01 < reiffert> :)
05:02 < reiffert> why not add a route to wikipedia over the tunnel?
05:02 < HardDisk_WP> tons of different IPs
05:03 < HardDisk_WP> afk, lesson is over... cya
06:02 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
06:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:09 < ecrist> good morning, folks
07:09 < reiffert> morning ecrist
07:27 -!- greg1979 [n=greg1979@84.203.208.34] has joined ##openvpn
07:28 < greg1979> hi everybody
07:28 < greg1979> is anybody online?
07:40 < Bushmills> /userlist
07:41 < Bushmills> Current global users: 52335 Max: 57353
07:43 -!- jeiworth [n=jeiworth@189.163.147.89] has quit [Read error: 60 (Operation timed out)]
07:52 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 60 (Operation timed out)]
07:53 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:02 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
08:20 -!- mattock [n=mattock@195.236.127.254] has quit ["Leaving."]
08:48 -!- greg1979 [n=greg1979@84.203.208.34] has quit ["Leaving"]
08:48 -!- Alagar1 [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
08:49 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
08:59 -!- jeiworth [n=jeiworth@189.177.122.6] has joined ##openvpn
09:09 -!- albech [n=albech@124.157.211.138] has joined ##openvpn
09:22 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:24 < magic_1> hi guys, hoping for some info, i got a remote user that has now quit by us, would use revoke-crt to stop him from being able to log onto the vpn
09:24 < magic_1> all help is greatly appreciated
09:27 < reiffert> !revoke
09:27 < reiffert> Check out the howto, http://openvpn.net/index.php/open-source/documentation/howto.html
09:27 < ecrist> just revoke the certificate and source the CRL in your openvpn config
09:28 -!- Alagar1 [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
09:28 < magic_1> awesome thanks
10:09 < magic_1> is there any specific place where i need to put crl-verify crl.pem in server.conf
10:09 < ecrist> nope
10:09 < magic_1> to make sure that the revoked cert would stop working
10:14 < magic_1> awesome thanks , works like a charm
10:16 < magic_1> hhmm, okay only problem now, none of my connections work
10:16 < ecrist> !logs
10:17 < ecrist> o.O where's vpnHelper?
10:17 < ecrist> magic_1: please post your logs to pastebin, from the server
10:17 < magic_1> will do
10:18 < magic_1> first what i did was run ./revoke-full user1
10:18 < magic_1> then put crl-verify crl.pem at the bottom of my server.conf file
10:19 < magic_1> i did restart openvpn
10:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:24 < ecrist> start with logs
10:24 -!- breeze [n=breeze@82.113.121.149] has joined ##openvpn
10:38 < magic_1> got it working, had to copy crl.pem to a folder that openvpn had access to, thought by default it should have access to keys
10:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:14 < freysteinn> How would you create certificates for students in a school?
11:14 -!- breeze [n=breeze@82.113.121.149] has quit [Remote closed the connection]
11:14 -!- breeze [n=breeze@82.113.121.149] has joined ##openvpn
11:15 < freysteinn> I have heard of universities providing an SSL enabled webpage which creates them for the users.
11:15 < freysteinn> Do you know of any good solutions to this problem?
11:16 < reiffert> suicide.
11:25 -!- mRCUTEO [n=IRCLUNAT@124.13.183.103] has joined ##openvpn
11:26 -!- mRCUTEO [n=IRCLUNAT@124.13.183.103] has quit [Nick collision from services.]
11:26 -!- mRCUTEO [n=IRCLUNAT@89.149.194.94] has joined ##openvpn
11:26 < mRCUTEO> hiya all
11:26 < mRCUTEO> :D
11:27 < mRCUTEO> hiya krzee
11:27 < mRCUTEO> hiya tjz
11:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:28 < holycow> guys, i have a win2k3 server on which i installed openvpn to vpn into another server. i have a bunch of local machines that rdp into that server but when openvpn is turned on the rdp connection errors out with 'rpc server is unavailable'. that looks like some sort of dns/routing issue ... would anyone have any suggestions?
11:28 < holycow> google isn't revealing too much about this
11:29 < ecrist> freysteinn: develop a webpage that generates them
11:38 < freysteinn> ecrist: The short answer, there is now ready package to do that, you have to create your own. ;-) Thanks.
11:38 < freysteinn> s/now/no/
11:38 < ecrist> freysteinn: not true
11:38 < ecrist> there are packages out there. there's even one specifically for OpenVPN
11:38 < ecrist> openvpn.net look at access server
11:39 < freysteinn> ecrist: That looks great. Thanks.
11:40 < freysteinn> ecrist: How much does it cost?
11:42 < freysteinn> ecrist: It says $5 for each connection, but is that per year?
11:44 < freysteinn> ecrist: Well, I might create my own.
11:44 < freysteinn> ecrist: Thanks for your help.
11:45 -!- mRCUTEO [n=IRCLUNAT@89.149.194.94] has quit []
11:53 -!- jeiworth [n=jeiworth@189.177.122.6] has quit [Read error: 110 (Connection timed out)]
12:07 -!- breeze [n=breeze@82.113.121.149] has quit [Remote closed the connection]
12:08 -!- breeze [n=breeze@82.113.121.149] has joined ##openvpn
12:11 -!- jeiworth [n=jeiworth@189.177.122.6] has joined ##openvpn
12:18 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:19 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:44 -!- breeze [n=breeze@82.113.121.149] has quit [Remote closed the connection]
12:45 -!- breeze [n=breeze@82.113.121.149] has joined ##openvpn
13:07 -!- hd|lapto1 [n=marco@ppp-93-104-37-42.dynamic.mnet-online.de] has joined ##openvpn
13:10 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"]
13:16 -!- hd|lapto2 [n=marco@ppp-93-104-40-190.dynamic.mnet-online.de] has joined ##openvpn
13:16 -!- hd|lapto1 [n=marco@ppp-93-104-37-42.dynamic.mnet-online.de] has quit [Read error: 54 (Connection reset by peer)]
13:23 -!- FirstSgt [n=chris@68-118-209-12.dhcp.omak.wa.charter.com] has quit [Client Quit]
13:24 -!- hd|laptop [n=marco@ppp-93-104-35-193.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)]
13:34 -!- breeze [n=breeze@82.113.121.149] has quit [Remote closed the connection]
13:35 -!- jeiworth [n=jeiworth@189.177.122.6] has quit [Read error: 60 (Operation timed out)]
13:35 -!- breeze [n=breeze@82.113.121.149] has joined ##openvpn
13:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:56 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
14:10 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Read error: 54 (Connection reset by peer)]
14:12 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
14:25 -!- jeiworth_ [n=jeiworth@189.177.37.65] has joined ##openvpn
14:26 < freysteinn> Using the push command: push "route 192.168.0.0 255.255.255.0" - Is it possible to create these commands using a script?
14:28 -!- c64zottel [n=hans@p5B17B6DC.dip0.t-ipconnect.de] has joined ##openvpn
14:38 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Read error: 110 (Connection timed out)]
14:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection timed out]
14:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:56 -!- holycow [n=new@mail.wjsgroup.com] has left ##openvpn ["Konversation terminated!"]
15:38 < Bushmills> freysteinn, echo ' push "route 192.168.0.0 255.255.255.0"' >> server.conf
15:43 -!- jeiworth_ [n=jeiworth@189.177.37.65] has quit [Operation timed out]
15:58 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
16:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:15 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
16:15 < fkr> good evening
16:17 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has joined ##openvpn
16:18 < tekk> hey guys, i have 5 static ip's from my isp, is it possible to route each of them to different clients on my vpn?
16:18 < tekk> instead of say 10.1.1.5 etc
16:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:31 < Bushmills> tekk, openvpn server runs on a linux machine?
16:34 < tekk> yes
16:34 < Bushmills> a bit of iptables magic can do that..
16:34 -!- ovnicraft [n=ovnicraf@190.154.63.55] has joined ##openvpn
16:34 < Bushmills> look at SNAT or DNAT target
16:34 < ovnicraft> !howto
16:34 < tekk> yea but i actually want the vpn client to receive one of my static wan ip's
16:35 < tekk> rather than a local ip with the static one routed to it
16:35 < Bushmills> yes. server will nat traffic for clients, incoming on public address, to their vpn addresses
16:35 < ovnicraft> hi folks, maybe a stupid question, but how do i use the openvpn command to connect to my vpn-server?
16:36 -!- neteffect [n=yeah@pool-72-77-249-154.tampfl.fios.verizon.net] has quit [Read error: 113 (No route to host)]
16:36 < tekk> so the client will actually get the ip and then the server running the vpn will deal with how to route it?
16:36 < tekk> ovnicraft openvpn --config yourconf.conf/ovpn
16:36 < Bushmills> no. the server will keep the ip. but sends traffic to those ips on to the clients.
16:36 < tekk> ok
16:37 < ovnicraft> tekk, i did but nothing, can i show you my myconf.conf file?
16:37 < tekk> openvpn requires more than just editing the conf file, you have to create a certificate authority, and then generate client certificates based upon that authority
16:39 < ovnicraft> tekk, http://pastebin.ca/1440175
16:40 < Bushmills> ovnicraft, linux client?
16:40 < ovnicraft> yes, slackware
16:40 < Bushmills> /etc/init.d/openvpn start
16:41 < tekk> before you do that, it might be worth testing just by using openvpn --config .... as you will get log information on STDOUT then...
16:41 < tekk> up to you though
16:41 < ovnicraft> Bushmills, i didnt write that daemon
16:42 < ovnicraft> STDOUT is empty
16:42 < ovnicraft> just exec nothing happnes
16:42 < ovnicraft> happens*
16:42 < Bushmills> probably configuration not completed. configure, then start again.
16:43 < Bushmills> or, check whether it actually connected. ifconfig
16:43 < Bushmills> (should show a tun device, probably tun0)
16:46 < ovnicraft> i am going to check it, thx
16:51 < ovnicraft> is the tun device created by openvpn or must i create it?
16:51 < tekk> created by openvpn when it starts
16:51 < tekk> however
16:51 < tekk> lsmod | grep tun
16:51 < tekk> if you dont see one
16:51 < tekk> then you have to modprobe tun
16:52 < tekk> it is likely however that it was preloaded at boot
16:52 < Bushmills> (often it gets autoloaded on demand)
16:53 < tekk> woops
17:02 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: pa, magic_1, SuperEvilDeath17
17:03 -!- Netsplit over, joins: magic_1, SuperEvilDeath17, pa
17:07 < ovnicraft> tekk, STDOUT is still empty but dmesg gives me this, UDP: bad checksum. From 190.94.134.34:37366 to 192.168.0.134:8355 ulen 106
17:22 -!- sprax [n=rob@65.127.188.10] has left ##openvpn []
17:34 < fkr> there is no src-changes mailing list for openvpn, is there?
17:34 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
17:48 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
17:50 -!- jeiworth [n=jeiworth@189.163.147.89] has joined ##openvpn
18:09 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
18:21 < reiffert> re
18:30 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
19:00 -!- cpeterson [n=cpeterso@adsl-99-158-155-195.dsl.pltn13.sbcglobal.net] has joined ##openvpn
19:05 < cpeterson> hey guys, mailing list archives didn't really seem to help on this one. I have an openVPN server set up, can connect fine, it pushes routes, etc., but when I try and connect to internet IPs (it's pushing default-gateway by design), I get an error:
19:05 < cpeterson> openvpn[12451]: honkey/99.158.155.195:1194 MULTI: bad source address from client [172.21.1.120], packet dropped
19:05 < cpeterson> any advice on where to start? mailing list archives only showed similar things for setups that did 2 layers of NAT, which isn't applicable here
19:09 < krzie> i take it honkey's ip on its lan is 172.21.1.120
19:09 < krzie> right?
19:10 < cpeterson> yep
19:10 < cpeterson> I already enabled IPv4 forwarding in the kernel on the server (centOS5)
19:12 < cpeterson> client is OSX 10.5.7, I'm no stranger to the CLI at all, just new to ovpn
19:20 < krzie> for some reason your OS is sending traffic over its tun interface using its ip from the eth interface
19:20 < krzie> i dont know why some machines do this, ive seen it before
19:20 < krzie> ive never had it happen to me tho
19:20 < cpeterson> yeah, I saw a lot of hits for that error on google, not many solutions
19:21 < krzie> if your client will always be on that lan ip i can tell you a workaround
19:21 < krzie> but since you are redirecting i figure its road warrior
19:21 < cpeterson> but now that you point it out, the default route is set to use en1 as its interface
19:21 < cpeterson> yeah, it is
19:22 < cpeterson> whoops, scratch the comment about using en1
19:23 < cpeterson> it's using tun0
19:23 < cpeterson> but now I at least know the problem in better detail
19:23 -!- hd|laptop [n=marco@ppp-93-104-51-153.dynamic.mnet-online.de] has joined ##openvpn
19:24 < krzie> heres why it happens:
19:24 < krzie> (on the ovpn side)
19:24 < krzie> your client sends packets with src address of 172.21.1.120
19:25 < krzie> openvpn can send them out to where they should go, but will have no way of knowing where to send them back to
19:25 < cpeterson> yeah, I get that much, I'm reasonably fluent in networking
19:25 < 
krzie> that same error would be seen if you had lans behind your client, and set that up correctly, but without an iroute 19:26 < krzie> (which is the most common reason to see that error) 19:26 < cpeterson> alright, thanks for the help, time to go mess with my local net configs 19:27 < krzie> if you cant figure out why your os does that, since you seem to have some networking knowledge... 19:27 < krzie> you could NAT your lan network when headed out the tun interface to your TUN ip 19:27 < krzie> ugly, but would accomplish what you need 19:28 < cpeterson> yeah, but I'd really rather not have that crazy of an ipfw setup on my macbook 19:28 < krzie> agreed 19:28 < cpeterson> I'm going to go mess with it, if I get it working then I'll report back 19:28 < krzie> oh and 1 more option 19:28 < krzie> here is what i use on my macbook 19:28 < krzie> instead of redirecting gateway 19:28 < krzie> i run a socks daemon on tun ip of server 19:29 < krzie> then i use proxifier to selectively route stuff over the vpn based on ip/port/application or any combo 19:29 < krzie> so i tell transmission and nessus to not go over my vpn 19:29 < krzie> but safari and xchat aqua for example, do 19:29 < cpeterson> very nice 19:29 < krzie> ya, i like it a lot 19:30 < cpeterson> is it smart enough to do something like [if ovpn running] -> route over oVPN 19:31 < cpeterson> otherwise direct connect? 
19:31 < krzie> just dont start the proxifier app if its not running 19:31 < krzie> or do like i do: 19:31 < krzie> make a shell script that opens the proxifier AND your vpn connection 19:31 < krzie> then name it .command 19:31 < krzie> and toss it in a stacks 19:31 < krzie> click it, type in the password since you needed to start ovpn in sudo, and booya 19:32 < cpeterson> thanks for the tips, going to go try them out 19:32 < krzie> np =] 19:33 -!- cpeterson [n=cpeterso@adsl-99-158-155-195.dsl.pltn13.sbcglobal.net] has quit [] 19:36 -!- hd|lapto2 [n=marco@ppp-93-104-40-190.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)] 19:48 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 19:57 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:10 -!- c64zotte1 [n=hans@p5B1791CC.dip0.t-ipconnect.de] has joined ##openvpn 20:10 -!- c64zottel [n=hans@p5B17B6DC.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 20:33 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 20:57 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Nick collision from services.]
20:57 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 20:58 -!- tekk [n=me@cpc2-shep11-2-0-cust540.8-3.cable.virginmedia.com] has quit [] 21:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:05 -!- jeiworth [n=jeiworth@189.163.147.89] has quit [Operation timed out] 22:27 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 22:28 -!- Lilarcor [n=Lilarcor@208-58-210-118.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn 22:30 -!- Lilarcor [n=Lilarcor@208-58-210-118.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Client Quit] 22:56 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 22:58 -!- albech [n=albech@124.157.211.138] has quit [Remote closed the connection] 23:03 -!- sirus [i=scott@gotpot.org] has joined ##openvpn 23:04 < sirus> Hello i'm using OpenVPN + FreeBSD + PF I can connect to the vpn I can even ping the gateway of the vpn but I can not access the internet 23:04 < sirus> any pointers? 23:24 < womble> sirus: So many possibilities. 23:27 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 23:30 < sirus> I can connect now I realize things only work by ip 23:39 -!- womble [n=mjp16@sasquatch.hezmatt.org] has left ##openvpn ["Oooh! 
Shiny!"] --- Day changed Sat May 30 2009 00:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 00:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 00:33 -!- albech [n=albech@124.157.201.5] has joined ##openvpn 01:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:47 -!- hd|lapto1 [n=marco@ppp-93-104-52-160.dynamic.mnet-online.de] has joined ##openvpn 01:47 -!- master_of_master [i=master_o@p549D3404.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:49 -!- hd|laptop [n=marco@ppp-93-104-51-153.dynamic.mnet-online.de] has quit [Read error: 60 (Operation timed out)] 01:51 -!- master_of_master [i=master_o@p549D5D83.dip.t-dialin.net] has joined ##openvpn 02:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 02:20 -!- hd|laptop [n=marco@ppp-62-216-218-197.dynamic.mnet-online.de] has joined ##openvpn 02:25 -!- hd|lapto2 [n=marco@ppp-93-104-98-108.dynamic.mnet-online.de] has joined ##openvpn 02:36 -!- hd|lapto1 [n=marco@ppp-93-104-52-160.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)] 02:37 -!- hd|laptop [n=marco@ppp-62-216-218-197.dynamic.mnet-online.de] has quit [Read error: 110 (Connection timed out)] 03:50 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 04:05 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 04:19 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn 04:21 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:29 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 04:33 -!- hd|lapto2 [n=marco@ppp-93-104-98-108.dynamic.mnet-online.de] has quit [Remote closed the connection] 04:57 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 05:01 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 05:20 -!- sirus [i=scott@gotpot.org] has left ##openvpn [] 05:35 -!- epaphus 
[n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 06:08 -!- Eric_InSF [n=Eric@209.220.168.194.ptr.us.xo.net] has joined ##openvpn 06:08 < Eric_InSF> just a question. im connected to my openvpn, I added push "redirect-gateway def1" to my server configuration file. 06:09 < Eric_InSF> but my remote traffic is still flowing normally rather than going through the VPN 06:09 < Eric_InSF> halp 06:13 < reiffert> client side: verbose 6 and paste complete logs. 06:13 < reiffert> as well as client and server config 06:13 < reiffert> !logs 06:13 < reiffert> !configs 06:13 < reiffert> mhm, no bot/. 06:16 < Eric_InSF> the only thing thats a little weird about my networking is I have a br0 for virtual machines on that box to get outside Ip addresses 06:19 < Eric_InSF> http://pastebin.com/d697545db is my client log 06:20 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 06:20 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 06:25 < Eric_InSF> wondering if my hotel room firewall is blocking udp 06:25 < Eric_InSF> if I type proto tcp in the server conf it doesnt like it 06:26 < Eric_InSF> is there some other lingo? 06:29 < Eric_InSF> tcp-server ok...doc out of date 06:38 < Eric_InSF> on tcp i just keep getting connect failed 06:41 < reiffert> Are you sure http://pastebin.com/d697545db is the client log? 06:41 < reiffert> I'm missing stuff you normally get after the connection has been established successfully. 06:54 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn 06:54 < niceuser> hi 07:00 < niceuser> anyone alive 07:07 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn 07:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:11 < Bushmills> niceuser, about 6 billion, last count 07:13 < niceuser> If I have two locations and each location has two internet connections can I use both and balance the vpn traffic? 
07:13 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:13 < niceuser> I think its called trunking? 07:13 < niceuser> like two DSL lines at each site 07:14 < Bushmills> Eric_InSF, you could try to set, on both server and client side, tcp 443, as port and protocol. but make sure you are really not connected. look at list of devices on client, and route. 07:15 < Eric_InSF> Bushmills, what do you mean look at list of devices on client? 07:15 < Bushmills> niceuser, balancing, no. round robin connection, yes 07:15 < Eric_InSF> i just keep getting connect failed 07:15 < Bushmills> Eric_InSF, network interfaces 07:15 * Bushmills gives a "no-coffee-yet" warning 07:17 < niceuser> a round robin per connection? 07:18 < niceuser> what is a connection exactly or an example of one 07:19 < Bushmills> clients connect to one of many. 07:19 < Bushmills> with many clients, you get an approximation of load balancing that way 07:20 < niceuser> whats a client? 07:20 < Bushmills> with one client, you don't 07:21 < Bushmills> http://scarydevilmonastery.net/dict.cgi?client 07:22 < Eric_InSF> argh whats an easy way on windows to check if a remote host has a port open 07:22 < niceuser> one end of the vpn ? 07:23 < Bushmills> yes. the not-the-server end 07:33 < Eric_InSF> am i connected 07:34 < Bushmills> Eric_InSF, check route 07:35 < Eric_InSF> my vpn is connected now but push "redirect-gateway def1" 07:35 < Eric_InSF> isnt sending all my traffic there 07:35 < Eric_InSF> do i need to specify something on the client side? 07:35 < Bushmills> Eric_InSF, check route 07:36 < Bushmills> nope. either redirect-gateway on client, or push "..." on server.
07:36 < Eric_InSF> http://pastebin.com/d256fd316 07:36 < Eric_InSF> thats my route 07:37 < Eric_InSF> i dont completely understand it 07:37 < Bushmills> restart openvpn client-side 07:37 < Bushmills> (and check route again) 07:38 -!- c64zotte1 [n=hans@p5B1791CC.dip0.t-ipconnect.de] has quit ["Leaving."] 07:38 < Eric_InSF> no change 07:39 < Bushmills> unusual indeed 07:39 < Bushmills> try redirect-gateway in client config 07:39 < Eric_InSF> kk 07:41 < Eric_InSF> this from my logs (successfully connected): http://pastebin.com/d76f7f31 07:41 < Bushmills> (result of redirect-gateway should be: 1. an additional route to the gateway through physical device, 2. your vpn server as gateway for default route 07:43 < Eric_InSF> http://pastebin.com/d29ef7811 07:44 < Eric_InSF> (post redirect-gateway) 07:44 < Bushmills> "One or more arguments are not correct." it says 07:46 < Eric_InSF> yes 07:49 < Bushmills> what is the ip address of your gateway to world (the machine which is currently in default route)? 07:49 < Eric_InSF> tricorder.homeip.net 07:52 < Eric_InSF> i just found something ...(trying) 07:53 < Eric_InSF> am i still here 07:58 < Eric_InSF> hmmm 07:58 < Eric_InSF> am i here? 08:03 < Eric_InSF> hello? 08:03 < Eric_InSF> hello? 08:04 < Bushmills> don't panic 08:04 < Eric_InSF> :) I have connectivity now, i can ping vpn server client frome ach other 08:05 < Eric_InSF> but it looks like all my client side traffic is disappearing into a black hole 08:05 < Eric_InSF> i cant ping outside hosts from the client 08:05 < Eric_InSF> or do dns resolution 08:08 < Eric_InSF> might pop offline again for a sec 08:11 < Eric_InSF> Bushmills, i feel like ive made progress but not sure what the next step is 08:16 < Eric_InSF> dump vista obviously 08:17 < Eric_InSF> this is what I did before for interest: http://stateless.geek.nz/2008/03/09/openvpn-gui-client-and-windows-vista/ 08:20 < Eric_InSF> i might be loosing comments. 
the last 2 i have from you are don't panic; what is the ip address 08:21 < Eric_InSF> argh. 08:26 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 08:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 08:29 < Bushmills> i'm handling a soldering iron 2 meters away from the terminal, so i'm intermittently present and gone 08:46 < Eric_InSF> i gotta go fly to vegas anyhow. its not working but ill be back tomorrow trying to get it working 08:46 < Eric_InSF> thanks for your help so far 08:46 -!- Eric_InSF [n=Eric@209.220.168.194.ptr.us.xo.net] has quit ["Leaving"] 08:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:04 < Bushmills> !vista 09:05 < Bushmills> bot possumized? 09:05 < reiffert> 11:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)] 09:06 < Bushmills> ah 09:29 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 09:51 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 09:58 -!- breeze_ [n=breeze@82.113.121.86] has joined ##openvpn 10:01 -!- breeze [n=breeze@82.113.121.149] has quit [Read error: 60 (Operation timed out)] 10:17 -!- breeze_ [n=breeze@82.113.121.86] has quit ["Lost terminal"] 10:24 < krzee> =[ 10:29 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn 10:29 -!- unix3 [n=unix3@201.199.62.74] has quit [Client Quit] 10:55 < Bushmills> moin krzee, what's the problem with the bot? network or stability? 10:57 < krzee> seems running rtorrent on the box crashes it after a lil bit 10:57 < krzee> i think ill move the bot to ecrist's network 10:58 < Bushmills> ah.
maybe it's a RIAA-approved bot 10:58 < krzee> haha 10:59 < Bushmills> try to turn on "comply" mode 10:59 < Bushmills> (then it will kick the torrent client) 11:20 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 12:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 13:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:51 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 13:55 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 14:10 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [No route to host] 14:17 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [No route to host] 15:19 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"] 17:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:17 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 17:22 < reiffert> OpenVPN 2.1rc17 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 17:23 < reiffert> rc17 17:25 < Bushmills> reiffert, moinmoin. poison delivered. 17:26 < reiffert> parcel dropped by bike? 17:27 < Bushmills> yes. 17:27 < reiffert> one way only? 17:27 < Bushmills> also delivered message to reduce the dose 17:27 < Bushmills> so the whole population can be treated 17:27 < reiffert> Should I order more poison for the neighbours? 17:28 < Bushmills> we could wait to monitor efficiency first 17:30 < reiffert> Any chance of a direct measurement or indirect only? 17:30 < Bushmills> applicant is not persuaded yet 17:31 < Bushmills> indirect will have to do. reduced activity would be a good sign 17:33 < Bushmills> evaluation deployment probably tomorrow. tea time. 
17:33 < reiffert> Thats what I was expecting :) 18:13 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn 18:37 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:37 < Dougy> hola amigos 18:37 -!- Dougy is now known as Douglas 18:38 -!- Douglas is now known as Dougy 18:38 < Dougy> krzie, there? 18:51 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"] 18:54 -!- epaphus [n=unix3@201.194.13.22] has joined ##openvpn 19:22 -!- mRCUTEO [n=IRCLUNAT@89.149.194.94] has joined ##openvpn 19:22 < mRCUTEO> hiya all 19:22 < mRCUTEO> :LD 19:24 < Dougy> bahahhaah 19:24 < Dougy> http://img32.imageshack.us/img32/7625/googlec.jpg 19:24 < code-> !topology 19:25 < code-> well damn 19:25 < Dougy> what? 19:34 -!- mRCUTEO [n=IRCLUNAT@89.149.194.94] has quit [] 20:11 -!- epaphus [n=unix3@201.194.13.22] has quit [Connection timed out] 20:26 -!- carpe_ [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection] 20:45 < krzie> ya my bot is down =[ 20:45 < krzie> joogot isnt giving video on reboot 20:46 < krzie> my buddy will be at the DC on monday and see if he has whatever parts i need 20:46 < krzie> wassup dougy 20:46 < krzie> i was gunna hit you up too! 20:46 < Dougy> sup? 20:46 < krzie> i wanna get an RDNS entry 20:46 < Dougy> was gonna ask if your box was down 20:46 < Dougy> i was messing with the ethernet cables this afternoon 20:47 < Dougy> and racking 4 more 20:47 < krzie> hrm, lemme check 20:47 < krzie> negative 20:47 < krzie> up and good 20:47 < Dougy> k 20:47 < krzie> you run your own RDNS? 
20:47 < Dougy> naw, its cogent owned ips 20:47 < Dougy> so my provider has to 20:47 < Dougy> once they get their own, i will 20:47 < krzie> kief.ircpimps.org has address 38.108.110.58 20:48 < krzie> pls request reverse for that 20:48 -!- albech_ [n=albech@119.42.78.98] has joined ##openvpn 20:48 < niceuser> you can tell cogent to let you do your own rdns 20:48 < niceuser> just like any carrier 20:48 < krzie> ya but his block is too small 20:48 < niceuser> no its not... 20:48 < krzie> if his provider requested delegation that would be diff 20:48 < krzie> but hes a customer of their customer 20:48 < niceuser> you can always get sub delegation with cogent no matter how small your block is 20:49 < krzie> so his odds of getting delegation arent very hot 20:49 < niceuser> oh he's not a cogent customer then? 20:49 < niceuser> nevermind 20:49 < krzie> ya 20:50 < Dougy> it goes 20:50 < Dougy> cogent -> my provider -> me 20:50 < krzie> but maybe if he had a big ass block his isp would request delegation for him 20:50 < Dougy> subdelegation is a bitch 20:50 < krzie> nah its very easy 20:50 < Dougy> not with cogent/these fools 20:50 < krzie> its just the red tape of having the middleman 20:50 < krzie> its more a people problem that a tech one 20:51 -!- tekk [n=me@eduroam-175-21.lut.ac.uk] has joined ##openvpn 20:51 < tekk> hey guys, i have a ipv6 tunnel on my openvpn server box, is it possible, to give clients ipv6 connectivitiy and an ipv6 address upon connection? 20:52 < tekk> (they connect to the vpn using ipv4 though) 20:52 -!- albech_ [n=albech@119.42.78.98] has quit [Client Quit] 20:52 < krzie> see --tun-ipv6 in manual 20:53 < krzie> while ive never done it (i dont use ipv6) i believe it to be possible 20:53 < tekk> ok thanks krzie 20:53 < krzie> np =] 20:53 -!- albech [n=albech@124.157.201.5] has quit [Connection timed out] 20:54 < tekk> hmm... 
2 lines in the man page about it :x 20:55 < tekk> i found: http://www.6journal.org/archive/00000051/01/Howto_OpenVPN_Tunnelbroker.pdf but it seems a bit overkill for what i actually want 20:55 < krzie> more info is better than not enough 20:57 < tekk> i suppose yea :) 20:58 < krzie> but ya ild expect something in the howto or more in the manual on that subject 20:58 < krzie> maybe if you get it working you could add something to our wiki... 20:58 < krzie> that would be awesome 21:04 < tekk> heh 21:04 < tekk> almost getting there 21:04 < tekk> just having a lil issue 21:04 < tekk> !configs 21:04 < tekk> ah its not there lol 21:07 < tekk> i have a point-to-point tunnel vpn running and working now 21:07 < tekk> for ipv4 at least... 21:08 < tekk> tun-ipv6 is in there, but the only ifconfig line i have is for ipv4, i wonder.... 21:09 < tekk> nope that didnt work, apparently you cannot specify an ipv6 address in ifconfig 21:10 < Dougy> krzie 21:10 < Dougy> send in a support ticket with that 21:10 < Dougy> so i can document 21:11 < tekk> ah seeems i have to use bridge mode 21:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 21:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 21:25 < niceuser> hi nemysis 21:55 -!- tekk [n=me@eduroam-175-21.lut.ac.uk] has quit [Read error: 110 (Connection timed out)] 22:13 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Hi, I'm a quit message virus. Please replace your old line with this line and help me take over the world of IRC."] 22:25 -!- ovnicraft [n=ovnicraf@190.154.63.55] has quit [Read error: 110 (Connection timed out)] 22:52 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Read error: 60 (Operation timed out)] 23:00 -!- albech [n=albech@124.157.206.140] has joined ##openvpn 23:43 -!- pmo [n=dark@unaffiliated/pmo] has joined ##openvpn 23:45 < pmo> hey guys, im more a linux guy so i fail badly on windows.. 
anyways i set openvpn up on my linux server.. easy and smooth.. but then i got to the windows part of it and im confused and dont know how to configure it, so i was wondering if some friendly soul here would guide me through the windows part? 23:54 < niceuser> dont you just configure the network ? 23:55 < niceuser> what do you have setup ? 23:59 < pmo> well trying to setup a client on windows :) --- Day changed Sun May 31 2009 00:00 < pmo> i cant even answer more than that since i dont know what to do hehe 00:00 < pmo> i tried to follow a guide for it, they used the same version of openvpn, but their dirs werent the same 00:00 < pmo> and stuff they did dint work here 00:00 < pmo> didnt* 00:12 -!- albech_ [n=albech@124.157.206.140] has joined ##openvpn 00:15 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [] 00:19 -!- albech [n=albech@124.157.206.140] has quit [Read error: 60 (Operation timed out)] 00:47 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 01:22 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 01:27 < pmo> wait a sec do i need to do something special to run openvpn on vista and win7 ?
01:29 -!- tjz [n=tjz@bb121-7-13-192.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 01:45 -!- albech__ [n=albech@124.157.206.152] has joined ##openvpn 01:47 -!- master_of_master [i=master_o@p549D5D83.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:51 -!- master_of_master [i=master_o@p549D448B.dip.t-dialin.net] has joined ##openvpn 01:52 -!- albech_ [n=albech@124.157.206.140] has quit [Read error: 104 (Connection reset by peer)] 03:24 -!- tjz [n=tjz@bb121-6-113-205.singnet.com.sg] has joined ##openvpn 03:41 -!- mindframe [n=mindfram@unaffiliated/mindframe] has joined ##openvpn 04:42 < krzee> pmo, no 04:42 < krzee> openvpn is the same in win and lin and bsd 04:42 < krzee> only diff thing is the double \\ in win 04:42 < krzee> like in the sample howto 04:42 < krzee> well that and possible things to fix like if windows route cant be added, but if that was the case you would have asked about it 04:43 < krzee> aka, go try it THEN ask 05:49 -!- mindframe [n=mindfram@unaffiliated/mindframe] has quit [Remote closed the connection] 06:38 -!- achilles [n=achilles@62-90-200-222.alami.net] has joined ##openvpn 06:40 < achilles> hello all, my server pushes dns server to the client as it appears on the log, but my clients don't my dns server, here is the loghttp://pastebin.com/m46f17910 06:40 < achilles> thank you very much 06:49 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn 06:49 -!- c64zottel [n=hans@p5B17AF60.dip0.t-ipconnect.de] has joined ##openvpn 07:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 07:28 < reiffert> Who was resetting the topic to rc16? 07:28 < reiffert> I'm pretty sure I was setting it to rc17 yesterday. 07:28 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc16 out. 
Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 07:28 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc17 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 07:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:47 -!- c64zottel [n=hans@p5B17AF60.dip0.t-ipconnect.de] has quit ["Leaving."] 08:02 -!- dollabill [n=mike@fl-67-235-202-159.dhcp.embarqhsd.net] has joined ##openvpn 08:06 < pmo> hehe krzee if it was the same it would have been setup within 3 mins ;) 08:10 < Bushmills> reiffert, re. 08:10 < Bushmills> substances deployed ... 08:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:22 -!- dollabill [n=mike@fl-67-235-202-159.dhcp.embarqhsd.net] has quit [Read error: 110 (Connection timed out)] 08:32 -!- tjz [n=tjz@bb121-6-113-205.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 08:33 -!- albech__ [n=albech@124.157.206.152] has quit ["Leaving"] 08:34 -!- albech [n=albech@124.157.206.152] has joined ##openvpn 08:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:52 < achilles> hello, is there a way to stop a user's cert from logging in my vpn server ? 08:52 < achilles> I mean, if a use got fired, is there a way to be his account expired ? 08:54 < fkr> revoke the cert 08:54 < fkr> remove the user from the vpn server 08:54 -!- siOuX_ [n=sioux@201-95-224-112.dsl.telesp.net.br] has joined ##openvpn 08:55 < siOuX_> !howto 08:55 < achilles> fkr, but uhm .. when we create his cert, do we add it into the server ? 
09:00 < fkr> yes 09:00 < fkr> you don't? how does your server verify the certs? 09:08 < achilles> fkr, I re-read the tutorial, I sign it and that's it 09:08 < achilles> fkr, I use the easy-rsa tools, and it builds the key of the clients 09:17 < achilles> fkr, thank you, I will check it later. 09:17 -!- achilles [n=achilles@62-90-200-222.alami.net] has quit ["Leaving"] 09:20 < fkr> crl is the keyword 09:20 < fkr> ah 09:20 < fkr> already gone 09:52 -!- tjz [n=tjz@bb121-6-18-126.singnet.com.sg] has joined ##openvpn 10:39 -!- Dougy [i=doug@64-18-144-3.ip.bergenhosting.com] has joined ##openvpn 10:39 -!- Dougy [i=doug@64-18-144-3.ip.bergenhosting.com] has left ##openvpn [] 10:43 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 10:53 -!- acoc [n=acoc@71.230.188.90] has joined ##openvpn 11:01 -!- acoc_ [n=acoc@71.230.188.90] has joined ##openvpn 11:02 < acoc_> hey guys, I'm trying to set up a bridged vpn and am a little confused about how to set up the router 11:03 < acoc_> I have port 1149 forwarded to the ip of the server, but do I need a static route? 11:03 < acoc_> here is my server.conf : http://pastebin.com/m1d2adcb2 11:07 < acoc_> currently I can connect if I set the client directly to the ip while in the lan, but from another network I can't get past the router 11:09 < pmo> i think i have found my issue by using 2.1rc instead of latest stable 11:16 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 11:17 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 11:17 -!- acoc [n=acoc@71.230.188.90] has quit [Read error: 110 (Connection timed out)] 11:21 < pmo> Extract all zip'd files to the OpenVPN home directory, 11:21 < pmo> including the openssl.cnf file from the top-level 11:21 < pmo> "easy-rsa" directory. 11:21 < pmo> what does this mean? 11:21 < pmo> that i should only move openss.conf over? 
11:32 < pmo> worked making keys, but cant seem to figure out how to make my client connect to my vpn server 11:44 -!- acoc_ [n=acoc@71.230.188.90] has quit ["Leaving"] 11:48 -!- Dougy [i=doug@64-18-144-3.ip.bergenhosting.com] has joined ##openvpn 11:52 -!- albech_ [n=albech@124.157.207.111] has joined ##openvpn 11:58 -!- albech [n=albech@124.157.206.152] has quit [Read error: 60 (Operation timed out)] 12:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 12:38 -!- pmo [n=dark@unaffiliated/pmo] has quit [".die"] 12:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:47 < Dougy> Wow 12:51 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 12:55 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 13:29 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 13:30 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 13:49 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 13:49 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 14:33 -!- siOuX_ [n=sioux@201-95-224-112.dsl.telesp.net.br] has left ##openvpn ["Saindo"] 14:46 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 14:52 -!- lataffe [n=lars@135.80-202-77.nextgentel.com] has joined ##openvpn 15:17 -!- _tld [i=tld@c-24-8-35-16.hsd1.co.comcast.net] has joined ##openvpn 15:18 < _tld> !redirect 15:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:28 < krzie> bot is down =[ 15:28 < krzie> my buddy is going to the DC tomorrow to see whats wrong with the box 15:44 < Dougy> nice 15:44 < Dougy> krzie, im gonna have to move all my shit soon 15:44 < Dougy> =/ 15:44 < Dougy> the company i have the colo from seems very iiresponsbile and i dont trust them 15:50 < Dougy> krzie 15:50 < Dougy> m gonna have to move all my 
shit soon 15:50 < Dougy> 16:45 < Dougy> =/ 15:51 < Dougy> er 15:51 < Dougy> Options error: On Windows, --ifconfig is required when --dev tun is used 15:51 < Dougy> what is this 15:51 < Dougy> i have never seen this 15:53 < krzie> that sucks 15:53 < Dougy> new thing i think 15:53 < Dougy> krzie: pm 15:54 < krzie> =/ 15:54 < krzie> know when the move happens? 15:55 < krzie> Options error: On Windows, --ifconfig is required when --dev tun is 15:56 < krzie> pastebin config without comments 15:56 < krzie> client and server 16:00 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 16:18 < _tld> bleh 16:18 < _tld> finally figured out how toe redirect traffic :P 16:18 < _tld> to* 16:27 < _tld> if anyone is having problems redirecting all their internet traffic through the VPN, these two commands saved me: 16:28 < krzie> nat and ip forwarding? 16:28 < _tld> iptables -t nat -A POSTROUTING -d 192.168.42.0/255.255.255.0 -j RETURN 16:28 < _tld> iptables -t nat -A POSTROUTING -s 192.168.42.0/255.255.255.0 -j SNAT --to-source EXTERNAL_IP_ADDRESS 16:28 < _tld> :P 16:28 < _tld> i had ip forwarding set 16:49 -!- _tld [i=tld@c-24-8-35-16.hsd1.co.comcast.net] has quit [] 17:15 -!- loca|host [n=tux@41.226.98.83] has joined ##openvpn 17:16 < loca|host> openvpn failed to start, where can i view logs to check what was the reason for that ? 17:18 < Bushmills> loca|host, where you like. at home, or in the office 17:19 < loca|host> on the server 17:19 < loca|host> (office) 17:20 < Bushmills> do you have packet internet? that would allow you to view the logs also at the beach. 
17:22 < loca|host> hehe 17:22 < loca|host> i've started it 17:22 < loca|host> Initialization Sequence Completed 17:22 < loca|host> i mismatched the ta.key path 17:22 < loca|host> i've activated the log 17:22 < loca|host> its my first install :) 17:23 < loca|host> and its ok: udp 0 0 0.0.0.0:1194 17:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 17:24 < loca|host> i'm gonna test my windows client, but i dont know how to use it ... i got the keys ... where shall i put them ? 17:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 17:36 < krzie> wherever your config points to 17:39 < loca|host> krzie, i have Ubuntu 9.04 as the server, should i create the bridge script ? because after starting openvpn, i got the tun0 interface ... is it all ? or should i continue creating the bridge thing ? 17:41 < Bushmills> krzee, your turn to discourage. after all, it is you specifically who has been asked. 17:41 < krzie> lol 17:41 < krzie> loca|host why do you want a bridge? 17:43 < loca|host> my openvpn server has no public routable IP, its behind a firewall which is nating the 1194 udp port for it, i thought the bridge style is for this kind of case, and the routed style is for public openvpn servers 17:44 < krzie> no 17:44 < krzie> bridging is only for sending layer2 over vpn 17:45 < krzie> aka any protocol that communicates using MAC address instead of IP address 17:45 < krzie> if you dont need that you should be using TUN / routed 17:45 < loca|host> ok 17:45 < loca|host> clear 17:46 < loca|host> am switching to routed 17:46 < loca|host> my server is up and running 17:46 < krzie> am switching to routed 17:46 < krzie> my server is up and running 17:46 < krzie> wow that was FAST 17:49 < loca|host> but in the config folder of my windows install, the README says i should put the .ovpn file there, but i have only the ca.crt and the client.* (cer/csr/key), i thought those files were the ones i should give to my clients ... 
17:49 < loca|host> :) 17:49 < krzie> it does matter where the config is 17:49 < krzie> because the gui looks for them in a certain dir 17:49 < krzie> it does NOT matter where the crt and key are 17:50 < krzie> csr does not need to be on client, only CA 17:50 < loca|host> ok but i dont have the ovpn file .... how to get that file ? 17:50 < krzie> the ovpn file is your config 17:50 < krzie> rename it to have ovpn extension 17:50 < krzie> the reason location of keys doesnt matter is you tell the config where to find them 17:50 < loca|host> i give only the ca.crt to the client ? 17:50 < loca|host> ok i understand that for the conf 17:51 < krzie> see the howto, it has a table of which files are needed on client/server/ca 17:55 < krzie> or see my config at www.ircpimps.org/openvpn.configs 17:59 < loca|host> ca.crt, client.crt & client.key are needed client side 17:59 < loca|host> from this http://openvpn.net/index.php/open-source/documentation/howto.html#examples 18:01 < krzie> yup 18:16 -!- c64zottel [n=hans@p5B17AF60.dip0.t-ipconnect.de] has joined ##openvpn 18:44 < Dougy> krzie 18:44 < Dougy> di you miss the pm 18:44 < Dougy> did 18:45 < krzie> nah i saw the pic 18:46 < krzie> unless there was another 18:48 < Dougy> nop 18:48 < Dougy> you didnt comment tho 18:48 < Dougy> :p 18:48 < Dougy> so i didnt know if you sawed 18:48 < krzie> hehe 18:48 < krzie> ya i had nothing to say bout it really 18:48 < krzie> lol 18:48 < Dougy> lol 18:51 < Dougy> hmm 18:51 * Dougy thinks he is gonna build himself a mess around with box 18:54 < Dougy> krzie.. sed question for oyyu 18:54 < Dougy> you 18:54 < krzie> sup 18:54 < Dougy> if i want to replace /'s.. 
like "/home/tmp/folder" to "home tmp folder" 18:54 < Dougy> how do i do that 18:55 < krzie> you dont need to use s// 18:55 < krzie> you can use most chars 18:55 < Dougy> what do you mean 18:55 * Dougy is clueless 18:55 < krzie> so like s+/+\+ 18:55 < krzie> would switch the first / with a \ 18:55 < krzie> so like s+/+\+g 18:55 < Dougy> well, the path in question here is "/home/vent/filename" 18:55 < krzie> would switch all / with a \ 18:55 < Dougy> need to somehow print just "filename 18:55 < Dougy> " 18:56 < krzie> sounds like a job for awk 18:56 < krzie> use / as your separator and just print $3 18:56 < Dougy> yah 18:56 < Dougy> that was my plan 18:56 < Dougy> replace /'s with spaces and awk it 18:56 < krzie> umm why replace with space 18:56 < krzie> just use / as your separator 18:56 < Dougy> so i could awk '{print $3}' 18:57 < Dougy> s+/+\+g 18:57 < Dougy> er 18:57 < Dougy> cant paste over rdp 18:57 < Dougy> fail 18:57 < krzie> 1sec 18:58 < krzie> awk -F"/" '{print $3}' 18:58 < Dougy> ls | sed s+/+\ +g | awk '{print $3}' 18:58 < Dougy> hm 18:58 < krzie> might be $4 tho 18:59 < krzie> will the quotes be there as well? 18:59 < krzie> if so you might need to pipe it to sed to remove the " 18:59 < krzie> or to cut 18:59 < krzie> whatever makes you happy 19:01 < Dougy> k 19:01 < Dougy> im doing this for someone else 19:01 < Dougy> dipstick doesnt know wtf he wants 19:01 < krzie> its not possible to help someone with something when they dunno what they want 19:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 19:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 19:06 < Dougy> krzie you da man 19:06 < Dougy> i gave him the awk, and apparently he made it work 19:06 < krzie> =] 19:06 < Dougy> i never knew awk could truncate 19:06 < krzie> truncate? 
19:07 < krzie> that wasnt truncating 19:07 < Dougy> sorry, wrong term 19:07 < Dougy> heh 19:07 < Dougy> strip characters out 19:07 < Dougy> :p 19:07 < krzie> truncate is when you cut off text after a limit 19:07 < krzie> it wasnt stripping either 19:07 < Dougy> what exactly did it do then 19:07 < Dougy> lol 19:07 < krzie> you simply changed the field separator 19:07 < krzie> from whitespace to / 19:07 < krzie> then you selected the field you wanted to print 19:07 < Dougy> fair enough 19:08 < Dougy> awk -F"-f/home/vent/" '{print $3}' or something of the sort worked 19:08 < Dougy> it was $12 i think 19:13 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"] 19:39 -!- Melmoth [n=melmoth@host121-60-static.34-79-b.business.telecomitalia.it] has joined ##openvpn 19:40 < Melmoth> !howto 19:40 < Melmoth> good evening 19:41 < Melmoth> anyone here can answer a little question? i'm a bit confused 19:43 < krzee> a good rule of thumb in help channels is to just ask your question 19:43 < krzee> and good evening =] 19:43 < Melmoth> : ) sorry i've been so long away from ircnet that i forgot netiquette : ) 19:44 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)] 19:44 -!- albech_ [n=albech@124.157.207.111] has quit [Client Quit] 19:44 < krzee> =] 19:44 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 19:45 < Melmoth> i'm not a linux expert, just an amateur, and i've a problem at work. Basically i've a small office that works for a bigger one. Insurance things. They are changing our software from one that was in dos to one in windows. Now for this one we need some crappy configuration like a few static ips, a router, firewall, and so on 19:46 < Melmoth> i've looked at openvpn and i think that it can save me a lot of money, but one thing is not clear to me: can openvpn do some dhcp relay or will the ip it assigns me be "pool based" 19:46 < Melmoth> ? 
19:47 < Melmoth> (maybe i was not so clear, my english is bad so please forgive me) 19:47 < Dougy> Melmoth: i saw you !howto'd 19:47 < Dougy> the bot is borked 19:47 < Dougy> http://openvpn.net/howto.html 19:49 < Melmoth> i saw that it explains that openvpn can push some dhcp info, like dns, but it doesn't mention ip 19:50 < Melmoth> basically i need to get an ip from the dhcp, not from openvpn 19:52 -!- loca|host [n=tux@41.226.98.83] has quit [Read error: 110 (Connection timed out)] 20:07 -!- c64zotte1 [n=hans@p5B17B6C9.dip0.t-ipconnect.de] has joined ##openvpn 20:09 -!- c64zotte1 [n=hans@p5B17B6C9.dip0.t-ipconnect.de] has left ##openvpn [] 20:21 -!- c64zottel [n=hans@p5B17AF60.dip0.t-ipconnect.de] has quit [Read error: 101 (Network is unreachable)] 20:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 21:08 < krzee> Melmoth, why would you require your IP from dhcp? 21:08 < krzee> i understand why youd need other things like dns / wins 21:09 < Melmoth> my ip has to be authorized by dhcp 21:09 < Melmoth> otherwise i cannot enter my software 21:09 < krzee> and how does your software know it was authed 21:09 < krzee> cause im willing to bet you can auth it manually via openvpn script hook 21:10 < Melmoth> mhhhh 21:10 < Melmoth> i think it simply says something like "if mac xx:xx:xx:xx:xx has requested an ip, that ip is ok for working" 21:11 < Melmoth> i was checking if in bridge mode dhcp requests are passed 21:11 < krzee> so your software has a built in dhcp server which serves your lans dhcp? 
21:12 < Melmoth> i think so, it's not my software, i'm just trying to use openvpn in place of other expensive hardware firewall 21:12 < Melmoth> but i know for sure that if i put a static ip address the software doesn't let me in 21:13 < krzee> ok well 21:13 < krzee> yes a bridge can do dhcp, as explained in the howto 21:13 < Melmoth> ok perfect 21:13 < krzee> but you're better off not doing it that way for a couple reasons 21:14 < krzee> 1) you will be using more overhead simply because you dont want to figure out how your software works 21:14 < krzee> 2) you will be opening yourself up to layer2 attacks 21:15 < Melmoth> mhhhh 21:15 < Melmoth> that doesn't sound too good to me 21:15 < krzee> bridge should be used only when you actually need layer2 protocols ver the vpn 21:15 < krzee> over 21:16 < Melmoth> well i've to use the same subnet, so i think bridge was a must 21:16 < krzee> i bet you dont 21:16 < krzee> you need to figure out how your software learns the ip is ok 21:16 < krzee> is it on the same machine as your dhcp server? 21:17 < Melmoth> no, dhcp servers are cisco routers i think, machines are far away, in a data center 21:17 < krzee> see 21:17 < krzee> if dhcp and your software are on separate machines it cant be that it gets auth from dhcp 21:18 < krzee> does your software have a manual... 21:18 < krzee> figure out how it auths an ip 21:18 < Melmoth> negative, it's a pretty closed source software : / 21:18 < krzee> insert your own auth at the shell 21:18 < Melmoth> i've to use the software through rdp :| 21:18 < krzee> then script it and tell ovpn to run it 21:19 < Melmoth> ok, i'll try 21:19 < Melmoth> thanks for the help krzee 21:19 < krzee> welp if you cant figure it out go ahead and bridge, but much better to figure it out 21:19 < Melmoth> i'll try! 
21:19 < Melmoth> : ) 21:19 < krzee> =] 21:19 < krzee> time for movie 21:19 < Melmoth> this'll be a LONG night for me ; ) 21:19 < Melmoth> hope a good time for you 21:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 21:36 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 21:45 -!- albech [n=albech@124.157.207.111] has joined ##openvpn 22:00 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 113 (No route to host)] 22:01 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn 22:29 -!- vitaliy [n=vitaliy@packetroute.net] has joined ##openvpn 22:30 < vitaliy> hello 22:30 < vitaliy> trying to get OpenVPN configured, something is broken, and I have no idea what; the client connects but once it is connected I am unable to connect to anything 22:31 < vitaliy> the only thing that responds to ICMP is the external address of the OpenVPN server and thats it 22:31 < vitaliy> any ideas? 22:45 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 23:28 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 23:48 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 23:51 < krzee> vitaliy, yes 23:51 < krzee> check through your logs 23:53 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] --- Day changed Mon Jun 01 2009 00:04 < Bushmills> vitaliy, firewall 00:07 < krzee> aye 00:08 < krzee> if nothing is in logs 00:08 < krzee> but for now, not enough info 00:10 < Bushmills> in fact, in case of firewall, it would not be a sign of something being broken, but of something working as intended. 
00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:12 < Bushmills> except for the bit where the openvpn client is allowed to connect 00:12 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Alagar, kala, freysteinn 00:12 -!- Netsplit over, joins: Alagar, freysteinn, kala 00:47 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has joined ##openvpn 00:48 < h1d> hi. i set up 2.1 openvpn server and a 2.1 client can successfully connect. but as soon as it does it, server responds 'bad source address from client', but how can i fix this? 00:48 < h1d> the server mode is in tap 00:49 < h1d> the log includes the global IP of the client and not the server side local IP but is that correct? 00:49 < h1d> i mean, server side local IP range given by the server to the client 00:50 -!- niceuser [n=j@69-224-214-185.bn02583.irvnca.wayport.net] has joined ##openvpn 00:53 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has quit [Read error: 104 (Connection reset by peer)] 00:53 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 00:53 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has joined ##openvpn 00:59 < dan__t> fix your retarded NAT by telling the client which network it actually routes for 01:00 < dan__t> or you can just log off, that's cool, too. 01:01 < h1d> what do you mean by that? on the client machine, the routing goes to tap0 for vpn network and in fact, packets are getting to the server, except openvpn rejects it saying bad source address, from the client that just successfully connected 01:02 < dan__t> I know. 01:02 < dan__t> Hold on. 01:02 < dan__t> shit, krzee wrote a good article on it 01:02 < dan__t> I can't find it right now. 01:02 < dan__t> Search the exact error plus krzee or krzie 01:03 < h1d> k 01:04 < h1d> do i have to put this ccd/iroute thing? it wasnt necessary before 01:04 < dan__t> You do. 01:04 < dan__t> Then something changed. 01:05 < h1d> interesting. i used a 2.1 on a linux, works. 
now i put 2.1 on os x, it wont 01:05 < h1d> i mean the server 01:06 < dan__t> Not sure. I've only encountered the error once myself, last week. 01:06 < dan__t> Been using OpenVPN for like two years. 01:06 < h1d> so, you fixed by ccd/iroute? 01:07 < dan__t> I did. 01:07 < dan__t> I pushed the route which was local for the client. 01:07 < h1d> are you talking about tun config? 01:08 < dan__t> I'm talking about the client's config. 01:08 < h1d> probably this, for if anyone else needs it : http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 01:08 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 01:08 < dan__t> The client's OS gets confused. 01:09 < h1d> yeah, but usually pushing route means, tun but i'm on tap bridge 01:09 < dan__t> oooh 01:09 < dan__t> I missed that. 01:09 < dan__t> In that case you're completely fucked, I have no idea. 01:10 < h1d> tx 01:10 < h1d> in one of the google hit, it said 'tap is more permissive and doesn't check for source address' but it apparently does 01:13 < h1d> Also, if anyone knows much about os x openvpn, I've run one from macports and the one bundled in TunnelBlick and both shows that "write to TUN/TAP : Input/output error" but with the official tarball compiled, it won't say that, with same server/client config/machines. 01:14 < h1d> these are all 2.1rcX. hope the problem isn't because of the binary or OS environment 01:25 < h1d> i guess i'll just flip to use tun then... when i think about it, i dont know how to make a bridged interface on os x... 
01:32 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has quit [Read error: 54 (Connection reset by peer)] 01:35 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has joined ##openvpn 01:38 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has quit [Remote closed the connection] 01:38 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has joined ##openvpn 01:40 -!- h1d [n=h1d@61-123-195-192.ipp.jp] has quit [Client Quit] 01:42 -!- flaccid [n=chris@127.185.233.220.exetel.com.au] has joined ##openvpn 01:42 < flaccid> you can't do a multiple user vpn with bridged openvpn can you ? 01:43 < flaccid> needs to be routed ? 01:44 -!- niceuser [n=j@69-224-214-185.bn02583.irvnca.wayport.net] has quit [Read error: 113 (No route to host)] 01:47 -!- master_of_master [i=master_o@p549D448B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:52 -!- master_of_master [i=master_o@p549D397A.dip.t-dialin.net] has joined ##openvpn 02:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:05 < krzee> server-bridge can do it 02:06 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn 02:09 < flaccid> krzee thats an openvpn config directive? 02:10 < krzee> see manual =] 02:10 < krzee> (yes) 02:10 < flaccid> okies 02:11 < flaccid> and if i want to connect two networks together so to speak, it should be ok? ie. 2x freebsd servers connected via vpn = lan clients on both LANs can access each other ? 02:12 < krzee> you dont need a bridge for that 02:12 < krzee> you only need a bridge for layer protocols 02:12 < krzee> layer2 02:13 < krzee> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 02:13 < krzee> thats how to do it for a tun setup 02:13 < krzee> giving an example where 3 networks will all be accessible by each other using tun 02:13 < krzee> 1 network behind the server and 1 behind each of 2 clients 02:15 < flaccid> right krzee but either bridged or routed will do right? 02:15 < flaccid> preferably routed. 
i should just do http://www.section6.net/wiki/index.php/Setting_up_OpenVPN_in_FreeBSD then do the extra routes right? 02:17 < krzee> if you have no reason for bridged you should use routed 02:17 < krzee> www.ircpimps.org/openvpn.configs 02:17 < krzee> read each of those commands in the manual 02:18 < krzee> edit as necessary from knowing about the options from the manual 02:19 < flaccid> what could be some of the reasons for bridged? which one does smb work with? 02:19 < krzee> smb uses layer3 except for discovery 02:20 < krzee> which can be layer3 if you use WINS 02:20 < krzee> otherwise it can only be accessed by ip: \\IP\share 02:21 < flaccid> so under routed it should work fine except NetBT is that what you are saying ? 02:21 < krzee> yes 02:23 < flaccid> the discovery seems to work fine under microsoft and cisco vpns, why is this ? 02:23 < krzee> i dont use pptp or ipsec 02:24 < krzee> so i cant really answer that 02:24 < flaccid> okies np 02:24 < flaccid> you have been very helpful so far :) 02:24 < krzee> but if discovery works fine without WINS ild assume that means they pass layer2 (which i thought they dont) 02:26 < flaccid> ah okies 02:29 < krzee> instead of easy-rsa 02:29 -!- Melmoth [n=melmoth@host121-60-static.34-79-b.business.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 02:29 < krzee> check out ssl-admin in freebsd ports for your CA 02:29 < krzee> its much nicer for managing your certs 02:30 < flaccid> ah sweet 02:30 < flaccid> thanks 02:30 < krzee> np, but the thanx go to ecrist for making it 02:30 < flaccid> i'm real shite at ssl 02:30 < flaccid> cools 02:30 < krzee> he talks about it here: http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed 02:31 < flaccid> sweet 02:32 < flaccid> ah that seems much better to follow 02:39 < flaccid> one other question.. considering that i'm linking up 2 servers. it kind of poses which one should be client and which one should be server ..? 
02:41 < krzee> you will join any additional clients? 02:41 < krzee> maybe your laptop when on the road... 02:42 < flaccid> yep for sure. this is basically for access to development resources as i'm a developer with 2 locations of my dev servers 02:42 < flaccid> maybe its server on both hmm 02:42 < flaccid> but means a dif port is required for 1 server 02:43 < flaccid> just 2 servers would save a hop etc. if using a server on the other LAN 02:44 < krzee> the locations also need access to each other? 02:44 < krzee> or just you to both 02:44 < flaccid> yeah. hook both lans up for lan clients on either side + random remote clients 02:46 < krzee> one have a better link than other? 02:46 < flaccid> yep 02:47 < flaccid> one is about 4mbps/1mbps 02:47 < krzee> all random remote clients can access both? 02:47 < flaccid> the other is only 1.5mbps/256kbps 02:47 < flaccid> yes that would be ideal 02:47 < krzee> server on 4mbit 02:48 < krzee> or will it be heavy traffic to 1.5 mbit? 02:48 < krzee> how much vpn traffic you expecting to each? 02:48 < flaccid> in terms of traffic load it will vary but im not worried if they get choked up sometimes. the crappy connection exists because of the sad state of internet in australia 02:49 < flaccid> it will idle most of the time 02:49 < flaccid> and when using it will be pretty low level traffic ie. 
ascii scripts 02:54 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 02:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:03 -!- c64zottel [n=hans@p5B17B6C9.dip0.t-ipconnect.de] has joined ##openvpn 03:08 < krzee> ok 03:09 < krzee> so ya 03:09 < krzee> 4mbit is server 03:23 -!- melmoth_ [n=melmoth@host220-130-static.39-79-b.business.telecomitalia.it] has joined ##openvpn 03:31 -!- eliasp_ is now known as eliasp 03:33 -!- melmoth_ [n=melmoth@host220-130-static.39-79-b.business.telecomitalia.it] has quit ["Sto andando via"] 03:46 -!- flaccid [n=chris@127.185.233.220.exetel.com.au] has quit [Read error: 110 (Connection timed out)] 04:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 04:33 -!- tokyoahead [i=tokyoahe@207.106.6.147] has joined ##openvpn 04:33 < tokyoahead> Hi all, I used openVPN to connect to the vpn provided by my server-provider, and the client (vista) reported that the connect succeeded. How can I check that my traffic is routed through the VPN now? 04:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:13 -!- Zordrak [n=jaz@zelda.tpa.me.uk] has joined ##openvpn 05:18 < Zordrak> Im implementing OpenVPN in a small corporate environment. Im using tap and have successfully tested it using passworded certificate authentication. Im looking into the possibility of using LDAP authentication, however the finer details are not clear. 
For example, this is what I have gathered and would appreciate being corrected if I am wrong: In order to continue using a single UDP port for all connections, I must still maintain a PKI and, in order to all 05:30 < atlas95> Hi 05:30 < atlas95> I'm searching for a solution to bypass a proxy, i have only one server at home with 80 and 443 listening for apache 05:31 -!- zheng [n=zheng@222.66.224.110] has quit [Connection timed out] 05:31 < atlas95> only 80 and 443 are open 05:31 < atlas95> and so my openvpn didn't work, how can i do it? 05:31 < krzee> you can openvpn over the proxy 05:31 < krzee> and udp 53 is often allowed out 05:32 < krzee> which is easily tested in linux/bsd/osx with host ircpimps.org ns1.doeshosting.com 05:32 < krzee> if you can query my NS directly, you can access port 53 udp 05:33 < krzee> hey Bushmills you here? 05:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:42 -!- achilles [n=achilles@62-90-200-222.alami.net] has joined ##openvpn 05:44 < achilles> hello everybody, I asked yesterday a question about preventing a fired employee from logging into our network, fkr told me to remove his cert, I tested that, but nothing, the deleted user still can access the network, the question is, where on the server side do we list/define the users ? 05:45 < krzee> he was wrong 05:45 < krzee> you must add the user to a CRL 05:45 < krzee> see manual: --crl-verify 05:46 < krzee> or --verify-crl , i forget 05:46 < achilles> krzee, oh yeah .. 
thank you, let me check 05:46 < achilles> just please what does CRL stand for > 05:46 < krzee> certificate revocation list 05:47 < achilles> thank you let me look into it 05:47 < krzee> yw 05:48 < krzee> that is the forever way 05:49 < krzee> if you simply want to disable his cert but leave the door open for if you want him back in (maybe a temp employee that will be on call or who knows what) 05:49 < krzee> you would use --disable in a ccd entry 05:49 < achilles> ah I see , cool :) 05:49 < krzee> but if a cert was stolen or employee fired, you want to use the CRL 05:50 < achilles> yes that is the scenario, most sales people lose their devices .. 05:50 < krzee> reiffert or Bushmills around? 05:50 < krzee> right 05:50 < krzee> lost cert DEFINITELY = CRL 05:51 < krzee> also, let me recommend ssl-admin for your cert management =] 05:51 < krzee> its sweetness 05:51 < krzee> and you can easily manage the CRL from it too 05:51 < krzee> its in freeBSD ports 06:00 < Zordrak> krzee: are you able to confirm/deny my description above? 06:01 < krzee> i can deny it 06:01 < Zordrak> where did i go wrong? 06:01 < krzee> you can use --username-as-commonname 06:01 < krzee> and something else to disable certs 06:02 < krzee> but you still use --server so it still goes multi-client 06:02 < Zordrak> and still allow multiple concurrent access on single port? 06:02 < krzee> my bot is down so i dont have all the args handy 06:02 < Zordrak> *nod* 06:02 < krzee> --server takes care of that 06:02 < Zordrak> funky :) 06:02 < krzee> hopefully the server will be back up soon, my boy is headed to the DC today 06:03 < Zordrak> great, thanks.. will do what i can to read up in the meantime 06:03 < Zordrak> gotta get the PSU for the box replaced and get it planted in a server room anyway 06:03 < krzee> however 06:03 < krzee> i would still force certs 06:03 < Zordrak> orite? 
06:04 < krzee> you can remove the pw from them tho 06:04 < krzee> ya, cert auth is strong 06:04 < krzee> add ldap pass and its badass 06:04 < krzee> remove the certs now and you have less than you started with 06:05 < krzee> now your whole vpn is as strong as a password 06:05 < Zordrak> the only difficulty is it makes it a lot more difficult to manage if i have to generate a cert for each and every user and provide it to them 06:05 < krzee> vs a cert + password 06:05 < krzee> get ssl-admin 06:05 < Zordrak> rather than a package and instructions 06:05 < Zordrak> will google 06:05 < krzee> it makes your CA stuff easy 06:05 < krzee> and it can output your config for the user and all cert files into a zip 06:06 < krzee> if you use freebsd its in ports 06:06 < Zordrak> perhaps if i were able to provide a way for users inside the network to generate their own via a WebUI... 06:06 < krzee> its really easy to do 06:06 < Zordrak> orite... using slackware but makes no diff 06:06 < krzee> then you give them that zip with a batchfile or script to move files into the right place 06:07 < krzee> slack will work fine its just a perl script 06:07 < Zordrak> krzee: cool... will investigate 06:07 < Zordrak> *nod* 06:07 < Zordrak> perl++ :) 06:07 < krzee> but i dunno if my Makefile stuff i added will work right 06:07 < krzee> so ./configure and make might not work right 06:07 < Zordrak> is it your script? 06:07 < krzee> but if you look at them, you'll see what they want to do 06:07 < krzee> just move files into the right places basically 06:08 < krzee> nah its ecrist's 06:08 < Zordrak> *nod* 06:08 < Zordrak> kk 06:08 < krzee> i tried to make it put itself in the right place for linux (worked for most, some report it doesnt) and i added support for it signing a servercert specially 06:11 < reiffert> krzee: . 06:12 < krzee> hey reif 06:12 < vitaliy> good morning 06:12 < reiffert> moin moin 06:12 < krzee> i got a sh/bash ? 
for you if you are down 06:12 < krzee> moin 06:12 < vitaliy> just saw the responses from yesterday about the issue being with firewall, anyone care to take a look to see if they see anything obviously broken? :) 06:13 < krzee> vitaliy, could be firewall could be an error during startup 06:13 < krzee> look at logs on both server and client 06:13 < vitaliy> there are no errors at startup, at least not in the logs 06:13 < krzee> and make sure both are allowing ALL traffic over tun interface 06:13 < krzee> in and out 06:13 < vitaliy> I am not sure if I am allowing it correctly, heh 06:14 < krzee> reiffert, can i msg? 06:14 < vitaliy> the only thing that I have in the firewall about tun is iptables -t nat -A PREROUTING -i tun0 -d ${WAN} -j ACCEPT 06:14 < krzee> see the manual 06:15 < krzee> has a section on firewalls 06:15 < krzee> even gives iptables examples 06:15 < vitaliy> oh, awesome, thanks 06:16 < krzee> btw there can be errors and it still says successful 06:16 < krzee> common one is windows adding routes to connect to vpn with 06:21 < vitaliy> ha! got it 06:21 < vitaliy> was missing iptables -A FORWARD -i tun+ -j ACCEPT 06:27 < Zordrak> krzee: ive heard mention of some WebUIs for managing certs on openvpn.. any comments or pointers? 06:27 < Zordrak> worth knowing about them whether i use one or not 06:30 < krzee> my comment would be to make sure to only allow it on localhost 06:30 < krzee> because your CA is the most important part in the chain 06:30 < Zordrak> *nod* 06:30 < krzee> ANY way of automating that should be thought about 2x 06:30 < krzee> imho 06:30 < Zordrak> kk will think & investigate 06:32 < Zordrak> oo i like the status reporting 06:33 < Zordrak> O_O .. no update since 2005 06:37 < Zordrak> Any UIs that are in active development? 06:37 -!- vitaliy [n=vitaliy@packetroute.net] has left ##openvpn [] 06:41 < reiffert> back .. 
06:41 < reiffert> krzee: feel free to 07:21 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 07:48 < ecrist> morning, folks 07:52 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 08:01 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:03 -!- achilles [n=achilles@62-90-200-222.alami.net] has quit ["Leaving"] 09:17 -!- endschranz [n=Adium@80-121-109-115.adsl.highway.telekom.at] has joined ##openvpn 09:17 -!- endschranz [n=Adium@80-121-109-115.adsl.highway.telekom.at] has left ##openvpn [] 10:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 10:06 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn 10:09 -!- kyrix [n=ashley@91-115-180-52.adsl.highway.telekom.at] has joined ##openvpn 10:11 < Zordrak> any suggestions on debugging ldap auth? 10:12 < Zordrak> without wireshark hopefully 10:14 < Zordrak> nowait 10:14 < Zordrak> it feckin works! 10:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:27 -!- tjz [n=tjz@bb121-6-18-126.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 10:29 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 10:33 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has joined ##openvpn 10:33 < grendal_prime> hey peoples.. hows it hanging? 10:35 < grendal_prime> Hey I was working on a connection issue last week with our senior network engineer (involving an openvpn connection) He was confused because there was actually data exchanged but then the client would time out. It looked like something that I had happen some time back when I forgot to include an iptables rule that is basically "allow all established or related" He says that would not be it because there actually was data 10:35 < grendal_prime> exchanged. 
When I pointed this out to the customer though...the porchlight suddenly started working (AND WOULD YOU BELIEVE THEY DIDN'T ADJUST ANYTHING!!) 10:35 < grendal_prime> I say that with slight sarcasm. 10:37 < dazo> heh 11:06 < grendal_prime> Alrighty then...well im out...snooch to the nooch..see ya in 40 min. 11:06 -!- grendal_prime [n=grendal_@dsl-12-44-166-053.arpa2.caltel.com] has quit [Remote closed the connection] 11:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:10 < Zordrak> so.. openvpn works perfectly on a test laptop.. go to get it going on the laptop of the user who really needs it and the connection is initiated perfectly... but windows wont send one single packet over the tap adapter... everything still goes out via the default gw even though the route for the vpn subnet looks ok 11:11 < Zordrak> WTF? now im getting WSAECONNRESET on the test laptop(!) 11:12 < Zordrak> no wait.. actually THAT bit's my fault 11:20 < Zordrak> ohffs.. the test laptop IS sending packets to the vpn route... 
but it's not receiving any
11:36 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"]
11:42 * ecrist thinks firewall
11:51 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:09 -!- kyrix [n=ashley@91-115-180-52.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
12:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
12:22 -!- kyrix [n=ashley@91-115-180-52.adsl.highway.telekom.at] has joined ##openvpn
12:23 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
12:26 -!- tjz [n=tjz@bb116-15-133-118.singnet.com.sg] has joined ##openvpn
12:32 -!- kyrix [n=ashley@91-115-180-52.adsl.highway.telekom.at] has quit ["Leaving"]
12:36 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:37 -!- jeiworth_ [n=jeiworth@189.177.37.65] has joined ##openvpn
12:37 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Read error: 110 (Connection timed out)]
13:10 -!- albech_ [n=albech@124.157.207.11] has joined ##openvpn
13:29 -!- albech [n=albech@124.157.207.111] has quit [Connection timed out]
13:54 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:01 -!- tjz [n=tjz@bb116-15-133-118.singnet.com.sg] has quit [Connection timed out]
14:13 -!- JavaAtom [n=zilla@75-151-74-9-Independence.hfc.comcastbusiness.net] has joined ##openvpn
14:15 < JavaAtom> !howto
14:15 < reiffert> openvpn.net/howto
14:15 < JavaAtom> ... oh.
14:16 -!- darknighter [n=darknigh@mail.heedcom.com] has joined ##openvpn
14:18 < JavaAtom> Howdy. I'm trying to set up an openvpn server for my work in order to replace our PPTP vpn. I'm running OpenBSD for the server and Windows / Mac for the clients.
14:18 < JavaAtom> I have about 15 clients I need to manage -- does the multi-client howto handle setting all that up, soup-to-nuts style?
14:18 < reiffert> openvpn.net/howto
14:20 < JavaAtom> Fair enough.
14:22 -!- remiel [i=remiel@unaffiliated/remiel] has joined ##openvpn
14:22 -!- JavaAtom [n=zilla@75-151-74-9-Independence.hfc.comcastbusiness.net] has left ##openvpn []
14:32 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:40 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
15:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
15:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
15:14 -!- boojit [n=boojit@gw.carter.to] has quit [Read error: 110 (Connection timed out)]
15:24 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
15:34 < krzie> wtf is soup-to-nuts style?
15:34 < krzie> lol
15:36 < reiffert> I translate it by cooking recipe
15:38 < krzie> it makes me think of pain, personally
15:38 < krzie> hot soup falling on the nuts
15:38 < reiffert> :)
15:41 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has joined ##openvpn
15:42 < krzie> so my problem last night was that i had been nesting some for loops above
15:42 < krzie> i realized i could bust it in 1 loop
15:42 < krzie> but i only removed 1/2 of it
15:43 < krzie> i was doing it one-liner style and didnt catch it
15:43 < krzie> and the fact i hadnt slept and it was like 10:30am didnt help
15:43 < krzie> lol
15:43 < krzie> the error was popping up like 20 lines later
15:44 < krzie> i turned it into awk scripts to stop using pipes cause then it moved the error lower, thought i was onto the problem for some reason, obviously was wrong
15:45 < krzie> but your solution using cut was more elegant, only reading each line 1x instead of 2
15:45 < krzie> and even tho i use a pipe now, echo and cut are more lightweight than awk
15:48 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:48 < reiffert> it should work even without IFS
15:48 < reiffert> s,cut,IFS,
15:48 < reiffert> check out while read line together with changing IFS to :
15:53 < Bushmills> soup?
15:53 < reiffert> while IFS=: read user undef undef undef undef hdd; do echo $user $hdd; done < /etc/passwd
15:54 < krzie> whoa
15:54 < krzie> crazy
15:54 < krzie> i knew i was asking the right guy
15:54 < reiffert> add an additional undef after hdd
15:54 < reiffert> while IFS=: read user undef undef undef undef hdd undef; do echo $user $hdd; done < /etc/passwd
15:54 < krzie> shiet i thought i was savage on the shell til i got to know you and bush
15:54 < Bushmills> what kind of soup?
15:54 < reiffert> a nut soup
15:55 < Bushmills> sounds good. with a hint of asperge?
15:55 < reiffert> Bushmills: you'll have to ask JavaAtom..
15:56 < Bushmills> he likes to cook too?
15:57 < krzie> either likes to cook or likes the cock
15:57 < krzie> we're still not sure what exactly he was saying
15:58 < reiffert> 21:15 < JavaAtom> !howto
15:58 < reiffert> 21:15 < reiffert> openvpn.net/howto
15:58 < reiffert> 21:18 < JavaAtom> I have about 15 clients I need to manage -- does the multi-client howto handle setting all that up, soup-to-nuts style?
15:58 < reiffert> 21:18 < reiffert> openvpn.net/howto
15:58 < reiffert> 21:20 < JavaAtom> Fair enough.
16:03 < Bushmills> ah. "from A to Z", "all included" or in this case "comprehensive" that should mean
16:21 -!- mr_mustard [n=thiago@189.124.226.48] has joined ##openvpn
16:21 < mr_mustard> !howto for beginners
16:23 -!- c64zottel [n=hans@p5B17B6C9.dip0.t-ipconnect.de] has quit ["Leaving."]
16:35 < krzie> openvpn.net/howto
16:37 < mr_mustard> in windows I only use server, name and password to connect to a remote vpn... I use no explicit ssl or something
16:37 < mr_mustard> how do I connect to that same vpn in linux, keeping it simple?
16:41 < mr_mustard> even using a gui I'm presented with lots of options, when in windows I only use server address, name and password
16:44 < krzie> screw a gui
16:45 < krzie> just use the config files
16:45 < krzie> they're almost 100% the same
16:45 < krzie> paths are different, sometimes windows has specific stuff to work around win-lameness
16:45 < krzie> but other than that, they're =
16:48 < mr_mustard> I've got a config file that runs with ssl, using certificate files. but to connect to that other vpn I don't use any certificate... so what example could I use?
16:48 < krzie> read the manual
16:48 < krzie> and i have no clue what you're trying to say
16:50 < mr_mustard> I've got an openvpn config file that uses crt, key and cert files (ssl). but the vpn I'm trying to connect doesn't need that.
16:50 < krzie> ok, so make your client config like your server config
16:51 < mr_mustard> is there something really simple, that I could do right away without having to read the whole manual? I've got no clue about the server's config... but I only use a server name, user and password
16:52 < krzie> thing is, i dunno if your password is for --secret or for something else like ldap
16:52 < krzie> and if you cant access the server, your admin should give you a config
17:01 < Bushmills> mr_mustard, connecting is even simpler with key rather than password. no need to type in user name or password ...
17:11 -!- mius [n=miusf@earthtomoon.net] has joined ##openvpn
17:11 < mius> hey
17:15 < mius> hm i set up an openvpn server.. tun0 initialises correctly.. i configured iptables to accept all traffic on tun0.. and masquerade.. but ping doesnt work
17:15 < mius> but tcpdump shows icmp request
17:16 < mius> http://pastebin.com/m615d8a72
17:16 < krzie> even pinging internal ip? like 10.8.0.1
17:16 < mius> that works
17:16 < krzie> then whats the problem?
17:16 < mius> can ping client side
17:17 < mius> or server from client
17:17 < mr_mustard> Bushmills, it might be simpler, but the authentication type I need for now doesn't use keys. my password can't be --secret if the server doesn't use that... in windows I simply create a connection, type the server name and the user/password... no need for anything else. I'd rather go with keys, but the current need for me is not that
17:17 < mius> seems ping goes out correct but does not come back
17:17 < krzie> when you can ping across the vpn with internal ips, thats the end of your vpn's duty
17:18 < mius> no.. i cant.. sry misunderstood u
17:18 < mr_mustard> if you try to see it as a non-technical user my case gets very simple... I'm a web programmer trying to access my client's vpn... if I don't get that, I'll have to dual boot into windows just to do that.
I wish I had the time NOW to learn all that stuff
17:18 < mius> can u look at my pastebin post?
17:19 < Bushmills> mr_mustard, i simply boot the machine
17:19 < mius> 3 packets transmitted, 0 received, 100% packet loss, time 2015ms
17:19 < Bushmills> i suppose you can passphrase the keys for the same effect
17:20 < Bushmills> (i.e. being allowed to type in a password)
17:20 < krzie> ya the thing is theres multiple ways to have passwords
17:20 < krzie> and the admin should have given you a config file
17:21 < mr_mustard> krzee, if you create a vpn connection in windows like I said, what would be the type of password?
17:22 -!- lazin [n=tobiasme@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has joined ##openvpn
17:23 < Bushmills> mr_mustard, does your client use openvpn?
17:23 < krzie> its no different in windows than unix, like i said
17:24 < mr_mustard> no... my client's server is windows 2000, unfortunately
17:24 < Bushmills> so what do you want to use openvpn for, then?
17:25 < mr_mustard> I thought it would connect to windows vpn servers...
17:25 < Bushmills> no, openvpn connects to openvpn
17:25 < mr_mustard> ok, sorry... what would you recommend for me?
17:26 < Bushmills> the client, matching your client's vpn
17:26 < mr_mustard> isn't there any open source software to do that?
17:26 < Bushmills> your client might be able to tell you
17:28 < krzie> sure theres opensource pptp software
17:28 < krzie> i know nothing about it, but i believe it exists
17:37 < mr_mustard> thanks... sorry for misunderstanding you all
17:39 < lazin> hi there... if I just want to use shares on the server from the clients and stream video.. then "tun" do the job right ??
17:44 < krzie> here it comes...
17:44 < krzie> !
17:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:44 < krzie> yayyyy
17:45 < mr_mustard> I'm now connected :)
17:47 < lazin> !howto
17:47 < vpnHelper> lazin: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
17:47 < krzie> lazin, yes
17:47 < krzie> smb shares work over layer3
17:47 < krzie> its the discovery and windows share names that wont work over tun unless you run WINS
17:47 < krzie> but by IP is no problem
17:47 < krzie> like \\IP\share
17:48 < lazin> kazie - tnx so ip the clients just use the IP to map the share there is to probs
17:51 < krzie> is to probs?
17:51 < lazin> sorry ... is no problems ?
17:52 < krzie> if you can handle mapping using IP, theres no problem and no additional effort required
17:52 < krzie> if you MUST have names, you must run wins
17:52 < krzie> but often people are fine with just using IP to map
17:54 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:54 * Dougy[Home] waves
17:55 -!- Dougy[Home] is now known as Douglas
17:56 < lazin> oki tnx.. last what about "comp-lzo" does that just give me less traffic ? what is best for thruput if wan speed is no issue ??
17:57 < krzie> !man
17:57 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:57 < krzie> you already know the config option, just search for it in manual
17:57 < krzie> sup dougy
17:57 < krzie> check out how cool my SD colo is man
17:58 < krzie> the server with vpnHelper completely died
17:58 < lazin> oki :-) tnx krzie
17:58 < krzie> they took my hd out, gave me another box, popped it in there and booya im back
17:58 < krzie> stronger HW too even ;]
18:02 < krzie> but i've known him awhile in person and whatnot too
18:02 < krzie> hes a good dude
18:08 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn
18:10 < derek_> Hello, a while ago a rather smart guy directed me to his site which I should follow to setup a linux openvpn router to my openvpn server. However I cannot remember his name, website, nor the instructions detailed within. Can anybody direct me? Thank you.
18:12 < krzie> its the same on a linux router as a linux machine
18:12 < krzie> aka same as just about any computer
18:12 < krzie> was there maybe something more specific?
18:12 < derek_> er sorry not linux a linksys
18:13 < krzie> ya, but a linksys running linux
18:13 < krzie> openwrt or something of that nature im sure
18:13 < Bushmills> openwrt?
18:13 < derek_> yes tomato
18:13 < derek_> tomato firmware
18:13 < krzie> so ya, thats linux
18:13 < Douglas> shit
18:13 < Douglas> wth
18:13 < derek_> sure is, I have been away from this project for a while and was trying to find the website
18:13 < Douglas> my desktop zoomed in
18:13 < Douglas> stupid compiz
18:13 < Douglas> how do i "un-zoom"?
18:13 < derek_> lean far back
18:14 < krzie> LOL
18:14 < Douglas> cuter
18:14 < Douglas> cute
18:14 < Douglas> thanks
18:14 < Douglas> this is weird and annoying
18:14 -!- darknighter [n=darknigh@mail.heedcom.com] has quit []
18:14 < krzie> aq my desktop zoomed in stupid compiz
18:14 < krzie> how do i "un-zoom"? lean far back LOL
18:14 < krzie> Inserted quote #4747.
18:14 < Douglas> thanks rzie
18:15 < Douglas> krzie
18:15 < Douglas> i love you too
18:15 < krzie> np, you are now immortalized
18:15 < Douglas> haha
18:15 < Douglas> mf
18:15 < Douglas> this is annoying
18:15 < Douglas> xchat is taking up all 17"
18:15 < Douglas> er 20"
18:21 < derek_> you dont have a website with a bunch of tutorials on it do you krzie?
18:22 -!- lazin [n=tobiasme@0x573c0549.boanqu2.dynamic.dsl.tele.dk] has quit []
18:22 < Douglas> !wiki
18:22 < vpnHelper> Douglas: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
18:22 < derek_> there we go
18:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
18:24 -!- Douglas [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["There are two major products that come out of Berkeley: LSD and UNIX.
We don't believe this to be a coincidence."]
18:24 < krzie> derek, if you were talking about lans behind openvpn, then it was my doc
18:24 < krzie> !route
18:24 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:24 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:25 -!- Dougy[Home] is now known as Douglas
18:25 -!- Douglas is now known as Dougy[Home]
18:28 < derek_> I have a couple routers each with a couple clients that need to connect back to my home. I think if I remember I needed to use tap and reserve 4 ip addresses per client. The router I think was just to be a blackbox passing all info back to vpn server including webtraffic. I wanted the boxes to behave like they were on the local lan.
18:32 < derek_> I believe site to site is what im looking for?
18:33 < krzie> do you need layer2 protocols specifically?
18:34 < derek_> The server is running the SME server http://wiki.contribs.org/Main_Page I am going to be using filesharing
18:34 < vpnHelper> Title: SME Server (at wiki.contribs.org)
18:36 < reiffert> filesharing is a layer2 protocol.
18:36 < derek_> ok so lapd is a layer2 protocol and yes I would like to use that as I have security running OpenLDAP
18:36 < reiffert> so is surfing.
18:36 < reiffert> lapd? layer2?
18:36 < derek_> so yes I would like layer2 support
18:36 < derek_> http://en.wikipedia.org/wiki/List_of_network_protocols#Layer_2_protocols_.28Data_Link_Layer.29
18:36 < vpnHelper> Title: List of network protocols - Wikipedia, the free encyclopedia (at en.wikipedia.org)
18:36 < derek_> im looking off of there
18:38 < reiffert> derek_: and since when do you send ISDN frames over your ethernet wire?
18:38 < derek_> since I dont know what isdn frames are
18:38 < krzie> lapd, los angeles police department?
18:38 < reiffert> derek_: ANNEX B telephone frames on a digital basis, 64khz.
18:39 < derek_> yeah they are going to taser my shit
18:39 < derek_> I misread it
18:40 < derek_> I thought it said ldap sorry
18:40 < krzie> dont taze me bro
18:40 < reiffert> alright, how about Ethernet then?
18:40 < derek_> ?
18:41 < krzie> so
18:41 < krzie> you said "filesharing"
18:41 < krzie> that means nothing
18:41 < krzie> theres quite a few ways to share files
18:41 < krzie> smb, afp, nfs, ftp, etc
18:41 < reiffert> send them to the multicast address
18:41 < derek_> ok I would like domain login
18:42 < derek_> and I think sme uses samba
18:42 < krzie> samba doesnt require layer2
18:42 < krzie> only the network discovery part does
18:42 < krzie> that and the name translation
18:42 < krzie> which can be done over tcp/ip (layer3) by using WINS
18:43 < reiffert> (which does not work by design)
18:43 < krzie> but without wins it can be done by simply using the IP instead of netbios name
18:43 < derek_> thanks for being patient Im more green than #00FF00
18:43 < krzie> reiffert that can be said for * windows
18:43 < reiffert> :)
18:43 < Bushmills> reiffert, you're home tomorrow?
18:44 < derek_> anyways anything you can paste here will be good, I have to go eat before the kitchen closes and then I'll be back in 1 hour
18:44 < derek_> that site is still what im looking for right krzie
18:44 < reiffert> Bushmills: I'm doing my explanation on taxes for 2008, I should be at home, visit the girl who knows much more about taxes stuff in wiesbaden.. Bushmills yes/no/maybe
18:44 < krzie> derek_, what site?
18:44 < Bushmills> i'll climb my bike tomorrow, and head homewards.
will probably ride through your town
18:45 < derek_> your wiki
18:45 < krzie> only if you are using routed (layer3)
18:45 < krzie> then yes, my routed writeup will help you connect the lans
18:45 < derek_> k
18:45 < reiffert> Bushmills: sure, just try and get a coffee on luck or else :)
18:45 < derek_> ill start there tonight then if you're not on
18:45 < derek_> thanks for the help
18:46 < krzie> np
18:48 < reiffert> Bushmills: any schedule yet?
18:49 < Bushmills> not really. not before breakfast. probably not before lunch even
18:50 < Bushmills> and if it's going to be a hot day, maybe later, when it has cooled a bit
18:56 < Bushmills> new servers available at provider ... 8 gig ram, 1.5 terabyte harddisks. 49 EUR per month
18:56 < reiffert> Wind is still coming down from the north
18:56 < Bushmills> the new entry class server
18:56 < reiffert> oh, really
18:56 < Bushmills> quad coere
18:56 < Bushmills> core
18:57 < Bushmills> or 12 gig ram with 3 tera disks for 69 EUR
18:57 < reiffert> i7 920
18:57 < Bushmills> sounds ... affordable
18:57 < reiffert> 150EUR setup once, I call that expensive.
18:58 < Bushmills> true. could almost buy such a machine for that amount :D
18:58 < reiffert> I'll have to talk to guenter...
18:59 < Bushmills> i'd upgrade if my upgrade fees are waived
18:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:59 < Dougy[Home]> meh
18:59 < Dougy[Home]> damnit
18:59 * Dougy[Home] needs to sell these core2duos
18:59 < Dougy[Home]> meh
18:59 * Dougy[Home] goes to email clients
19:01 < Bushmills> acceptable platform to xenify, it seems
19:02 < Dougy[Home]> Xen is win
19:02 < Dougy[Home]> wait a sec
19:02 < Dougy[Home]> Bushmills
19:02 < Dougy[Home]> i7 920 with 12gb ram for 69 eor?
19:02 < Dougy[Home]> eur
19:02 < Bushmills> right
19:02 < Dougy[Home]> wtf
19:02 < Bushmills> plus 3 terabyte hard disks
19:02 < Dougy[Home]> thats like a 800 euro server
19:03 < Bushmills> and unlimited traffic
19:03 < Dougy[Home]> crazy
19:03 < Bushmills> was about time to improve server specs again
19:04 < reiffert> 69 EUR per month
19:04 < Bushmills> these are the two smallest servers
19:04 < reiffert> 8GB: 49 EUR per month
19:04 < Bushmills> the entry models
19:05 < Bushmills> just good enough to run a DNS on, and a tad more
19:05 < Bushmills> :D
19:06 < Dougy[Home]> god damnit
19:06 < Dougy[Home]> An Arkansas man was arrested Monday in connection with a shooting at a Little Rock military recruiting center that killed one soldier and wounded another, authorities said. Abdulhakim Mujahid Muhammad -- a 24-year-old Little Rock resident formerly known as Carlos Bledsoe -- faces charges including first-degree murder, police said
19:06 < reiffert> i7 965 is an extreme CPU
19:07 < Dougy[Home]> expensive as hell
19:07 < Bushmills> yeah.
19:07 < Dougy[Home]> $1000
19:07 < Bushmills> almost unaffordable. 99 EUR per month
19:07 < Dougy[Home]> i can build a core2quad with 8gb ram and 2x500gb drives
19:07 < Dougy[Home]> for that
19:07 < Bushmills> that's the cpu of the server just above the entry class models
19:08 < Bushmills> single-CPU only
19:08 < Dougy[Home]> wow
19:08 < Dougy[Home]> i7 920's on sale here
19:08 < Dougy[Home]> for $230
19:09 < Bushmills> power hungry device
19:09 < Dougy[Home]> wow
19:09 < Dougy[Home]> Amd phenom II X4 955
19:09 < Dougy[Home]> only $239
19:09 < Dougy[Home]> $250 on newegg
19:09 < Bushmills> but farm soothes conscience
19:09 < reiffert> AMD was releasing a 6 core CPU today.
19:09 < reiffert> "Istanbul"
19:09 < Dougy[Home]> hmm
19:09 < Dougy[Home]> nice
19:10 < Dougy[Home]> lets see
19:10 < Bushmills> (by using electricity from replenishable resources)
19:10 < Dougy[Home]> Q8200.. $150.. Q9400..
$180
19:10 < Dougy[Home]> nice
19:10 < Dougy[Home]> E8400 $150
19:10 < Dougy[Home]> cheapos
19:12 < reiffert> but southbridge.
19:13 < krzie> i run q9400 on my desktop
19:13 < krzie> its niiice
19:14 < krzie> $1000
19:14 < krzie> i can build a core2quad with 8gb ram and 2x500gb drives
19:14 < Dougy[Home]> more lol
19:14 < Dougy[Home]> thats all enterprise grade hw
19:14 < krzie> you can build a q9400 + 8gb ram + 1.5TB for like $700
19:14 < Dougy[Home]> if i use desktop, that box would be 700
19:14 < Dougy[Home]> yea
19:14 < krzie> with DG35EC board
19:14 < Dougy[Home]> krzie, not if i use real fancy grade hw
19:14 < Dougy[Home]> thats what i use in my servers i rent out
19:14 < Dougy[Home]> dg35ec's rock
19:14 < Dougy[Home]> but i was talking about using like SM X7SBi
19:14 < krzie> agreed
19:16 < Dougy[Home]> krzie:
19:16 < Dougy[Home]> [root@nyc01-01-07 ~]# dmidecode -t 2 | grep Product && cat /proc/cpuinfo | grep Core
19:16 < Dougy[Home]> Product Name: DG35EC
19:16 < Dougy[Home]> model name : Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
19:16 < Dougy[Home]> model name : Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
19:19 < Dougy[Home]> krzie, did i tell you about the domains i snatched up last night
19:19 < Dougy[Home]> got my hands on some nice ones, i think
19:19 < krzie> nope
19:19 < krzie> did you get noskills.net?
19:19 < Dougy[Home]> UnmeteredXeons UnmeteredOpterons UnmeteredPentiums UnmeteredPhenoms and UnmeteredNehalems
19:19 < Dougy[Home]> .com
19:19 < krzie> oh wait no you didnt, cause thats mine!
19:20 < Dougy[Home]> haha
19:20 < krzie> ;]
19:20 < Dougy[Home]> man
19:20 < Dougy[Home]> noskills..
19:20 < Dougy[Home]> i know a zer0skill
19:21 < Bushmills> reiffert, there's a "but" with the new servers: only 4 ip addresses now, not 1 plus a /29 anymore
19:21 -!- krzy [i=krzee@joogot.noskills.net] has joined ##openvpn
19:21 < krzy> high
19:21 -!- krzy [i=krzee@joogot.noskills.net] has quit [Client Quit]
19:23 < Dougy[Home]> 1 Pentium 4 3.0, with a 250gb sata & 10mbps unmetered for $70 if anyone feels spendy today
19:23 < Bushmills> limits its usefulness as xen host
19:24 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
19:26 < Dougy[Home]> damn
19:26 < Dougy[Home]> http://cgi.ebay.com/Silicon-Mechanics-2-x-AMD-Opteron-246-2-0-GHz-1U-Server_W0QQitemZ190289678460QQcmdZViewItemQQptZCOMP_EN_Servers?hash=item2c4e26107c&_trksid=p3286.c0.m14&_trkparms=72%3A1205|66%3A2|65%3A12|39%3A1|240%3A1318|301%3A1|293%3A1|294%3A50
19:26 < vpnHelper> Title: Silicon Mechanics 2 x AMD Opteron 246 2.0 GHz 1U Server - eBay (item 190289678460 end time Jun-25-09 19:30:54 PDT) (at cgi.ebay.com)
19:27 < krzie> you should build some sort of scraper bot dougy
19:27 < krzie> then just idle in some channel watching the scroll
19:27 < krzie> you could start #homeshoppingnetwork or something, lol
19:28 < Dougy[Home]> lol
19:28 < Dougy[Home]> why would i do that
19:28 < Dougy[Home]> cuz i find good deals?
;p
19:28 < krzie> cause of how much time you spend looking for them
19:28 < Dougy[Home]> meh
19:28 < krzie> you could have them go to you instead
19:28 < Dougy[Home]> krzie, new billing system soon i think
19:28 * Dougy[Home] is liking freshbooks
19:28 < krzie> cool, ill continue to not use it
19:28 < krzie> lol
19:29 < Dougy[Home]> haha
19:29 < Dougy[Home]> :p
19:40 -!- sigmonsays [n=sig@ip65-46-255-194.z255-46-65.customer.algx.net] has quit ["Leaving"]
19:41 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
19:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
19:59 -!- albech_ [n=albech@124.157.207.11] has quit [Client Quit]
20:17 < ecrist> hey bitches
20:17 < ecrist> Dougy[Home]: you pinged me last week, what did you want?
20:17 < krzie> sup man
20:18 < krzie> vpnHelper is back
20:18 < vpnHelper> krzie: Error: "is" is not a valid command.
20:18 < krzie> i'd tell him to die, but he'd listen
20:18 < ecrist> lol
20:18 < krzie> the box died
20:18 < Dougy[Home]> who dingmed me
20:18 < Dougy[Home]> hi eric
20:18 < Dougy[Home]> i just wanted to say hi
20:18 < krzie> but the guy i colo with gave me another, just tossed my HD in and booya im back
20:19 < krzie> i think ill migrate him to butters sometime soon tho
20:20 < ecrist> you can change that hostname, btw - let me know what you want reverse DNS to show and I'll get it changed.
20:20 < ecrist> or I'll keep it the same, I'm easy
20:20 < krzie> ya its cool as is
20:20 < krzie> i almost decided to change it to mrhankey
20:20 < krzie> but its good
20:21 -!- jeiworth_ [n=jeiworth@189.177.37.65] has quit [Read error: 110 (Connection timed out)]
20:25 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: isox, code-, Haraken, Gumbler, js_, HardDisk_WP, flokuehn, tarbo2, zheng, dazo, (+6 more, use /NETSPLIT to show all of them)
20:26 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Zordrak
20:26 -!- Netsplit over, joins: Gumbler, Jameno123, dazo, HardDisk_WP, qknight, tarbo2, isox, kaii
20:26 -!- Netsplit over, joins: lataffe, Haraken, flokuehn, js_, zheng, atlas95, code-, worch
20:26 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: krzie
20:26 -!- Netsplit over, joins: Zordrak, krzie
20:28 < krzie> hey its code- !
20:28 < krzie> i didnt see you were still in here til my netsplit
20:29 -!- niceuser [n=j@12.119.249.30] has joined ##openvpn
20:31 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
20:35 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
20:43 < Dougy[Home]> krzie, you're getting a new email soon
20:43 < Dougy[Home]> ish
20:47 -!- zheng [n=zheng@222.66.224.110] has quit ["Leaving"]
21:01 -!- niceuser [n=j@12.119.249.30] has quit [Read error: 110 (Connection timed out)]
21:04 -!- niceuser [n=j@12.119.249.30] has joined ##openvpn
21:14 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:25 -!- niceuser [n=j@12.119.249.30] has quit [Read error: 60 (Operation timed out)]
21:44 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:49 -!- c64zottel [n=hans@p5B17A9E2.dip0.t-ipconnect.de] has joined ##openvpn
22:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:19 -!- c64zottel [n=hans@p5B17A9E2.dip0.t-ipconnect.de] has quit ["Leaving."]
22:24 -!- mr_mustard [n=thiago@189.124.226.48] has quit ["..."]
22:31 < derek_> oh the camp life
so exhilarating
22:46 < derek_> well looks like i managed to lock up my server and can no longer ssh into it
22:47 < derek_> sigh, guess Ill have to wait a couple days
22:47 -!- derek_ [n=derek@199.85.8.1] has quit ["confrustrated"]
23:00 -!- derek [n=derek@199.85.8.1] has joined ##openvpn
23:01 < derek> see girlfriends are good for something, hitting the reset button when you are away from home.
23:17 < theDoc> derek: Pretty awesome. I should get one myself too.
23:29 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
23:31 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: master_of_master, krzee, troy-, feinoM, hardwire, david, sigius, M06w, Dougy[Home], Typone
23:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
23:35 -!- Lilarcor [n=Lilarcor@208-59-127-143.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
23:37 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
23:37 -!- master_of_master [i=master_o@p549D397A.dip.t-dialin.net] has joined ##openvpn
23:37 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
23:37 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
23:37 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
23:37 -!- david [n=david@unaffiliated/mtrh] has joined ##openvpn
23:37 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn
23:37 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
23:37 -!- Typone [n=itsme@195.197.184.87] has joined ##openvpn
23:37 -!- master_o1_master [n=master_o@84.157.57.122] has joined ##openvpn
23:37 -!- david [n=david@unaffiliated/mtrh] has quit [Read error: 104 (Connection reset by peer)]
23:37 -!- niceuser [n=j@12.126.132.230] has joined ##openvpn
23:38 -!- david [n=david@ip3-83.bon.riksnet.se] has joined ##openvpn
23:39 -!- david is now known as Guest98870
23:44 -!- feinom_ [n=feinom@svale.hia.no] has joined ##openvpn
23:47 -!-
master_of_master [i=master_o@p549D397A.dip.t-dialin.net] has quit [Connection timed out]
23:49 -!- feinoM [n=feinom@svale.hia.no] has quit [Read error: 113 (No route to host)]
--- Day changed Tue Jun 02 2009
00:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
01:10 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
01:17 -!- Lilarcor [n=Lilarcor@208-59-127-143.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
01:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:35 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:36 -!- master_of_master [i=master_o@p549D3860.dip.t-dialin.net] has joined ##openvpn
01:47 -!- master_o1_master [n=master_o@84.157.57.122] has quit [Read error: 110 (Connection timed out)]
02:01 -!- tom-w [i=tom-w@dslb-088-065-051-150.pools.arcor-ip.net] has joined ##openvpn
02:02 < tom-w> !route
02:02 < vpnHelper> tom-w: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:10 -!- tom-w is now known as omega42
02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:32 -!- niceuser [n=j@12.126.132.230] has quit [Read error: 110 (Connection timed out)]
02:45 -!- remiel [i=remiel@unaffiliated/remiel] has left ##openvpn []
02:56 -!- c64zottel [n=hans@p5B17A9E2.dip0.t-ipconnect.de] has joined ##openvpn
02:57 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn
03:03 -!- c64zottel [n=hans@p5B17A9E2.dip0.t-ipconnect.de] has quit ["Leaving."]
03:53 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: feinom_, sigius, Dougy[Home], hardwire, M06w, master_of_master, troy-, Typone, Guest98870
03:54 -!- Netsplit over, joins: master_of_master, feinom_, Guest98870, Dougy[Home], M06w, sigius,
hardwire, troy-, Typone 04:26 -!- kyrix [n=ashley@91-115-28-24.adsl.highway.telekom.at] has joined ##openvpn 04:40 < Zordrak> I have openvpn 2.0.9 configured for tap using both ssl and ldap auth. Linux server, windows clients( x2 for testing). Both clients can establish a VPN connection that is fullf recognised by both sides... but one client wont send packets over the tap interface, and one client is not receiving any packets over the vpn 04:40 < Zordrak> neither servers nor client log anything untoward 04:42 < Zordrak> no iptables rules.. all default policies are ACCEPT 04:42 < Zordrak> ip_forwarding is on 04:49 < Zordrak> im totally stumped 04:51 < dazo> Zordrak: you are trying to pass traffic between the clients? 04:51 < dazo> Zordrak: then you might need to look at --client-to-client 04:51 < dazo> (on the server) 05:09 -!- kyrix [n=ashley@91-115-28-24.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 05:12 < Zordrak> no not at all 05:12 < Zordrak> just trying to get access to the lan the vpn is serving 05:13 < Zordrak> everything looks ricght.. it just aint working 05:13 < Zordrak> client list on server is updated right, server routing table is right... 05:13 < Zordrak> i can only think it's a clint routing thing... but it doesnt make sense 05:14 < Zordrak> seems reasonable for the one not sending packets over tap to be a win routincg issue... but the config is IDENTICAL to the ether box 05:14 < Zordrak> and the other box IS sending data over tap... it's just not getting anything back 05:14 < Zordrak> btw im testing these sequentially.. not running both connected at once 05:16 < reiffert> Zordrak: upgrade to 2.1rc17 05:16 < reiffert> 2.0.9 is 3 years old crap with security holes. 05:17 < Zordrak> i may consider that.. but at this point i just want to get this working again 05:17 < reiffert> and be sure to add the client-to-client option to the server config. 
05:17 < Zordrak> FYI it was working the very first time i tried it
05:17 < Zordrak> i dont care about client to client
05:17 < Zordrak> although it may already be set
05:18 < reiffert> alright, fire up tcpdump or wireshark and watch whats on the interfaces.
05:18 < reiffert> check routing tables as well, in short: I dont care.
05:18 < Zordrak> then why bother?
05:20 < Zordrak> hmmm tshark labelling all server->client packets with UDP Checksum Incorrect
05:24 -!- kyrix [n=ashley@91-115-28-24.adsl.highway.telekom.at] has joined ##openvpn
05:45 -!- clyons [n=clyons@unaffiliated/clyons] has quit [Read error: 110 (Connection timed out)]
05:46 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn
06:00 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn
06:10 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Read error: 60 (Operation timed out)]
06:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:15 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["IRC is just multiplayer notepad"]
06:26 < Zordrak> OK... something is going awry during boot
06:26 < Zordrak> if i stop openvpn, stop tap, start tap, start openvpn it all works
06:27 < Zordrak> if i diff `ifconfig -a` after boot and after manual ov/tap restarts.. the ONLY diff is that the working one shows an ipv6 address line for tap0
06:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:59 < dazo> Zordrak: which distro are you on?
07:00 < Zordrak> slackware
07:00 < Zordrak> i think ive found the problem
07:01 < Zordrak> the initialisation of the tap interface needs some "sleep"s to give it time to bring things up
07:01 < Zordrak> just testing it now
07:11 < ecrist> morning, folks
07:12 < Zordrak> echo $TIMEOFDAY, to you too ecrist
07:13 -!- kyrix [n=ashley@91-115-28-24.adsl.highway.telekom.at] has quit ["Leaving"]
07:18 -!- SuperEvilDeath17 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
07:19 -!- SuperEvilDeath17 [n=death@212.206.209.177] has joined ##openvpn
08:01 -!- albech [n=albech@124.157.207.11] has joined ##openvpn
08:24 < derek> hwo forgot to turn this off lasat night
08:24 < ecrist> what?
08:25 < derek> indeed what, I forgot to turn this off last night, but none the less I am where I needed to be
08:25 < ecrist> lol
08:25 < Zordrak> damnit... no joy.. ive added a sleep 1 after every command in the tap startup and a sleep 5 before starting openvpn.. still the same
08:25 < ecrist> tap is the devil
08:26 < ecrist> so, after a full day of tweaking FancyIndexing in apache, I really like the feature.
08:26 < Zordrak> i just hate that im SO damned close
08:27 < Zordrak> all im trying to do is get openvpn to start on boot
08:27 < Zordrak> the same scripts run manually do the job.. just not on boot
08:27 < ecrist> php scripted header and footer, custom icons for most file types
08:28 < ecrist> Zordrak: what errors are you getting in the system logs?
08:28 < Zordrak> none
08:28 < Zordrak> which makes it harder
08:28 < ecrist> if the scripts aren't running, there's gotta be a log somewhere.
08:28 < Zordrak> they *are* running
08:29 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:29 < Zordrak> VPN comes up perfectly and connections initiate... but the return packets never make it to the client
08:30 < Zordrak> its *something* to do with the initiation of the tap device or the binding openvpn to it
08:30 < Zordrak> i compared ifconfig -a output after boot and after manual script restart
08:30 < ecrist> what OS?
08:31 < Zordrak> the only relevant difference was that when its working theres an inet6 line for tap0
08:31 < Zordrak> slackware
08:32 < Zordrak> looking at the ifconfig output now (after cold boot and initiated vpn connection - the non working state) tap0 has a load of Rx packets... but no Tx packets
08:32 < ecrist> ack, linux, I can't really help you
08:33 < Zordrak> like it hasnt set up its own to-client route properly
08:40 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:49 < kaii> Zordrak: try out the "route-delay" keyword
08:49 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
08:49 < kaii> Zordrak: do you load openvpn via init.d ?
08:50 < kaii> if yes: what services are starting _after_ openvpn?
08:51 < magic_1> hi guys, how would i create new keys
08:51 < magic_1> this is after i have already created keys
08:51 < kaii> magic_1: google for "easy-rsa"
08:51 < kaii> !howto
08:51 < vpnHelper> kaii: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
08:52 < magic_1> thanks i will try
08:52 < Zordrak> kaii: it's not quite init.d but its the bsd style equivalent
08:52 < Zordrak> tap and openvpn are the *last* things to start
08:53 < magic_1> hhmmm
08:53 < magic_1> would have thought it would just be the same as to create certs
08:53 < derek> ahh my Nemesis I see we meet again vpnhelper
08:56 -!- achilles [n=achilles@62.90.200.222] has joined ##openvpn
08:56 < achilles> hello, I have made configuration file for openvpn clients, for windows they place the config file company.ovpn in the program files, but for ubuntu, we use network-manager-openvpn plugin, where the file should be placed ?
08:58 < derek> /etc/openvpn/keys/easy-rsa
08:58 < derek> i think
08:58 < derek> dig around in /etc/openvpn
08:58 < Zordrak> surely /etc/openvpn or /etc/openvpn/conf
08:58 < Zordrak> or config
09:03 < achilles> derek, Zordrak at the client side also ?
09:03 < achilles> even though, I've created a connection using the plugin but I don't see anything in there
09:05 < derek> yeah client and server use the same directory/files/ its just initialization thats different
09:05 < derek> well mostly same files
09:05 < derek> it should be
09:05 < derek> in your ubuntu box just do a updatedb
09:05 < derek> then locate openvpn
09:06 < derek> and it dosnt have jackass fido asking you questions!
09:06 < Zordrak> kaii: i think ive found the reason for the problem.. so that i can now find and resolve the cause
09:06 < achilles> derek, I understand, but when client wants to connect to the remote server, normally they go to network-manager > vpn connection > openvpn > then the configure the settings, I want them to place single configuration file beside the certs
09:06 < Zordrak> brctl shows the tap interface is not getting bound to the bridge interface
09:07 < derek> wouldnt know then dont use it, sorry
09:08 < derek> if thats your problem just make an icon on the desktop that runs openvpn yourclientconfig.conf
09:17 < kaii> Zordrak: i see
09:20 < Zordrak> also a manual brctl addif br0 tap0 doesnt solve it after boot.. the tap if has to be killed and rebuilt
09:21 < Zordrak> now thats interesting
09:22 < Zordrak> if i add tap0 to br0... and then restart openvpn, it drops out of the bridge again
09:22 < derek> achilles, did it work out using a shortcut the way you intended?
09:23 < achilles> derek, no it didn't
09:23 < achilles> I need to manage shell scripts, permission and all of that stuff
09:25 < derek> openvpn --config youropenvpnconfig.ovpn
09:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:26 < Zordrak> WTF
09:26 < Zordrak> killing the openvpn process actually destroys the tap0 interface(!)
09:31 < achilles> derek, I know .. okay then let them use commands
09:31 < achilles> derek, Zordrak thank you very much
09:36 < derek> sorry couldnt help you out more
09:36 < derek> im still trying to get basic server client connection going
09:39 -!- albech [n=albech@124.157.207.11] has quit [Remote closed the connection]
09:40 < Zordrak> what the hell... in the bridging documentation it says to NOT add eth0 to br0 before setting the IP addr etc of br0... and then RIGHT underneath is the sample start script which first adds eth0 to br0 and THEN sets br0's IP addr etc
09:41 < achilles> derek, no no it's okay :)
09:41 < achilles> derek, I'm going
09:41 < achilles> bye
09:41 -!- achilles [n=achilles@62.90.200.222] has quit ["Leaving"]
09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:44 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:58 < magic_1> i cant believe how difficult it is to create new clients certs in openvpn
09:58 < magic_1> to create yea sure its easy
09:59 < magic_1> but after the initial stage
09:59 < magic_1> quite a mission it seems
10:03 < Zordrak> . vars
10:03 -!- jeiworth [n=jeiworth@189.134.126.162] has joined ##openvpn
10:03 < Zordrak> ./build-key $foo
10:03 < Zordrak> $foo y y
10:05 < magic_1> tried that
10:05 < magic_1> comes up with error
10:05 < derek> I cant believe its not butter
10:05 < magic_1> thanks for the help though
10:05 < derek> what error
10:06 < derek> PEBKAC ?
10:08 < magic_1> Zordrak, thanks seems to be working
10:08 < magic_1> go figure
10:11 * Zordrak bets he forgot to source vars :)
10:14 < magic_1> yep sounds right
10:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:27 < reiffert> up foo.sh
10:27 < reiffert> #!/bin/bash
10:27 < reiffert> brctl addif br0 tap0
10:37 -!- jeiworth [n=jeiworth@189.134.126.162] has quit [Read error: 113 (No route to host)]
10:37 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
10:39 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
10:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
10:53 < derek> brain imploding
10:55 < ecrist> derek: why are you using tap rather than tun?
10:57 < derek> ?
10:57 < derek> where did you see that
10:57 < ecrist> nm
10:58 < derek> from yesterday? what is the command to empty out a log file without deleting the filename, im trying to clear out my openvpn log file
10:58 < ecrist> echo "" > logfile
10:58 < derek> thank you
10:59 < reiffert> echo -n
10:59 < ecrist> echo "" > logfile && kill -1 `echo /var/run/openvpn.pid`
10:59 < derek> Im working blind I left my book with all my useful tips and server configs at home
11:00 < derek> and i have been away from this project for 11 weeks while in school
11:00 < derek> so its kinda fuzzy :(
11:01 < derek> rport 1194
11:01 < derek> proto udp
11:01 < derek> dev tap
11:01 < derek> nobind
11:01 < derek> remote mainserver.apttest.kicks-ass.net
11:01 < derek> tls-client
11:01 < derek> tls-auth takey.pem 1
11:01 < derek> ns-cert-type server
11:01 < derek> # Replace user.p12 with the certificate
11:01 < derek> # bundle in PKCS12 format
11:01 < derek> pkcs12 user.p12
11:01 < derek> # You can replace the pkcs12
11:01 < derek> # directive with the old ones
11:01 < derek> #ca cacert.pem
11:01 < derek> #cert user.pem
11:01 < derek> #key user-key.pem
11:01 < derek> tun-mtu 1500
11:01 < derek> fragment 1400
11:01 < derek> mssfix
11:01 < derek> comp-lzo
11:01 < derek> pull
11:02 < derek> whoops
11:02 < derek> sorry about that
11:02 * derek apologieseses
11:23 -!- trkemist [n=trkemist@unaffiliated/trkemist] has joined ##openvpn
11:24 < trkemist> anyone here ever had issues with openvpn where under a tap0 it cannot pass layer 2 arps?
11:25 < theDoc> trkemist: Is there a reason for you to be sending l2 arps? Are you having the clients talk to each other?
11:25 < trkemist> well
11:25 < trkemist> let me backtrack
11:25 < trkemist> I am running an openvpn server, single interface
11:25 < trkemist> so i am running a tap0 interface on debian lenny
11:25 < trkemist> its bridged to eth0
11:25 < trkemist> but I can't ping the server
11:26 < trkemist> so I figured something is wrong with the bridge, i did a tcpdump and I see that it has a ton of arp who-has
11:26 < theDoc> trkemist: No sorry, I don't have an idea on that at the moment.
11:28 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 110 (Connection timed out)]
11:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
11:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:43 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
11:51 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"]
11:58 -!- trkemist [n=trkemist@unaffiliated/trkemist] has quit ["#openvpn"]
11:59 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
12:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:10 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:22 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 60 (Operation timed out)]
12:39 -!- clustermagnet [n=vasiliy@ec2-75-101-158-130.compute-1.amazonaws.com] has left ##openvpn []
12:40 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has left ##openvpn []
--- Log closed Tue Jun 02 12:40:03 2009
--- Log opened Tue Jun 02 13:09:02 2009
13:09 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:09 -!- Irssi: ##openvpn: Total of 75 nicks [0 ops, 0 halfops, 0 voices, 75 normal]
13:09 -!- Irssi: Join to ##openvpn was synced in 0 secs
13:10 -!- jeiworth [n=jeiworth@189.134.126.162] has joined ##openvpn
13:13 * ecrist sets Home page for ##openvpn to: EatADick.com
13:21 -!- jeiworth_ [n=jeiworth@189.134.126.162] has joined ##openvpn
13:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:35 -!- jeiworth [n=jeiworth@189.134.126.162] has quit [No route to host]
13:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:42 -!- The_Entropy [n=entropy@212.36.208.1] has joined ##openvpn
13:44 -!- jeiworth_ [n=jeiworth@189.134.126.162] has quit [No route to host]
14:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:15 < The_Entropy> hey everyone
14:15 < The_Entropy> I'm having some weird issues on vista with the newest rc
14:15 < The_Entropy> (it doesn't work at all with the stable branch)
14:15 < The_Entropy> the routes don't get added properly
14:16 < The_Entropy> rather, it adds all the routes properly except the default one
14:16 < The_Entropy> which has the wrong gateway
14:16 < The_Entropy> my server pushes route-gateway, and the log shows that the push is received, and it then adds(and says while doing so) the wrong gateway
14:17 < The_Entropy> any ideas what is going on?
14:17 < The_Entropy> redirect-gateway, sorry
14:27 < derek> http://wiki.contribs.org/OpenVPN bottom of the page running with vista in faq
14:27 < vpnHelper> Title: OpenVPN - SME Server (at wiki.contribs.org)
14:27 < derek> could that be your problem?
14:36 -!- The_Entropy [n=entropy@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
14:42 -!- pubwashroom [n=pubwashr@96.48.128.233] has joined ##openvpn
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:43 < pubwashroom> im trying to download openvpn 2.1 but i cant find it in the access server downloads page. where is it? tks.
14:43 < pubwashroom> the web site looks really nice now by-the-way so i guess it was time for an overhaul
15:01 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 113 (No route to host)]
15:07 -!- pubwashroom [n=pubwashr@96.48.128.233] has quit ["Leaving"]
15:10 -!- Googleman [n=azer@41.105.122.203] has joined ##openvpn
15:10 < Googleman> hi all
15:11 < Googleman> how to set linux to use openvpn tunnel in internet connection
15:17 -!- Lilarcor [n=Lilarcor@208-59-127-143.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
15:54 -!- niceuser [n=j@12.119.249.30] has joined ##openvpn
15:58 < Bushmills> Googleman, booting it is a good initial condition
15:59 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 104 (Connection reset by peer)]
15:59 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:00 < Bushmills> other than that, kernel should be compiled with CONFIG_TUN=m (or y)
16:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 54 (Connection reset by peer)]
16:01 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:03 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
16:15 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 54 (Connection reset by peer)]
16:16 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
16:16 < derek> make up your mind kreg :P
16:31 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
16:31 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
16:32 < derek> anyone in here familiar with busybox for the linksys routers, Im trying to view a logfile for it and it has a very limited command base that eludes me
17:03 < Bushmills> derek, busybox has cat and less
17:05 < derek> k
17:06 < derek> ill look up how to use those bad boys
17:09 -!- niceuser [n=j@12.119.249.30] has quit [Read error: 110 (Connection timed out)]
17:20 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
17:25 < krzie> those are the same tools ild use on any machine
17:25 < krzie> normally
17:26 < krzie> also you can ls bin and see all your tools
17:26 < krzie> i believe busybox only has 1 bindir
17:26 < krzie> bin-dir
17:27 < reiffert> wrong
17:27 < krzie> ahh
17:27 < krzie> its all i saw last night when i hopped on one
17:27 < krzie> but i didnt look around too much
17:27 < reiffert> hopped on?
17:27 < krzie> ssh'ed in...
17:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:28 < reiffert> into/onto what exactly?
17:28 < krzie> busybox router
17:28 < reiffert> /var/mod/root # uptime 00:28:50 up 4:59, load average: 0.07, 0.03, 0.00
17:28 < reiffert> /var/mod/root # uname -a
17:28 < reiffert> Linux fritz.fonwlan.box 2.6.19.2 #2 Wed Feb 18 15:14:11 CET 2009 mips unknown
17:28 < reiffert> /var/mod/root #
17:29 < krzie> ahh cool
17:29 < reiffert> /var/mod/root # ls -al /usr/bin/wget /bin/rm
17:29 < reiffert> lrwxrwxrwx 1 root root 7 Jun 2 19:10 /bin/rm -> busybox
17:29 < reiffert> lrwxrwxrwx 1 root root 17 Jun 2 19:10 /usr/bin/wget -> ../../bin/busybox
17:29 < krzie> ahh cool
17:29 < krzie> ill ssh into it later and check it out
17:29 < krzie> obviously i didnt look well enough yesterday
17:30 < reiffert> /var/mod/root # less
17:30 < reiffert> -sh: less: not found
17:30 < reiffert> /var/mod/root #
17:30 < reiffert> /var/mod/root # ls -al /sbin/sysctl
17:30 < reiffert> lrwxrwxrwx 1 root root 14 Jun 2 19:10 /sbin/sysctl -> ../bin/busybox
17:30 < reiffert> /var/mod/root #
17:30 < krzie> seems odd to have separate bin dirs on such a tiny os, especially when most the apps are really symlinks to a single app
17:30 < reiffert> are we talking about a special/particular "busybox router"?
17:32 < krzie> not really
17:32 < krzie> i just didnt look around much, i evidently was very wrong
17:33 < reiffert> busybox is highly configurable
17:34 < derek> im still having trouble getting my busybox to connect to my openvpn
17:34 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: theDoc
17:35 < derek> my fault though because im trying to use the bridged mode via sme server config because I like the nice certificate viewer
17:36 -!- loca|host [n=tux@41.226.116.11] has joined ##openvpn
17:37 -!- Netsplit over, joins: theDoc
17:37 < Bushmills> derek, you wouldn't use busybox to connect to openvpn, instead, you'd use openvpn
17:37 < derek> its the tomato mod with openvpn built into it
17:37 < derek> based on busybox
17:39 < Bushmills> busybox is just a command shell
17:40 < krzie> derek, it will be exactly like using a linux machine
17:41 < krzie> (because it is)
17:41 < reiffert> ah well, after all it depends on a ssl library and liblzo
17:41 < krzie> with liblzo being optional
17:41 < derek> well it dosnt give me any commands I cant do a dir to list directory contents and stuff
17:41 < krzie> dir?
17:41 < krzie> this isnt windows
17:42 < derek> lol well its been working for me so far :P
17:42 < derek> shows how much I know man, thats bubkiss
17:42 < derek> My computer always locks up with ID 10 T errors
17:43 < reiffert> derek: enter: ls
17:43 < derek> hey look magic
17:43 < derek> how do I read a file
17:44 * krzie changes the channel's name to ##linuxhelp
17:44 < derek> cat right
17:44 < derek> lol thanks krzie
17:44 < krzie> cat, yes
17:44 < derek> Im trying here :P
17:44 < derek> Hey I know a lot about nothing alright, its hard to keep that much information in my head
17:45 < krzie> openvpn is kinda advanced, using linux AND openvpn for your first time together will not be easy
17:45 < krzie> like both for your first time at the same time
17:45 < derek> I had openvpn going fine, and I can beat around the bush in linux a little ubuntu is pretty forgiving regarding commands
17:46 < derek> I equate it to saying I can handle 2 horny swiss supermodels at the same time because I masturbate a lot
17:46 < derek> probably going to be laughed at but hey I'll give anything a shot :P
17:46 < krzie> aq I equate it to saying I can handle 2 horny swiss
17:46 < krzie> supermodels at the same time because I masturbate a lot
17:46 < krzie> Inserted quote #4748.
17:46 < reiffert> vi file
17:47 < krzie> oh god, have fun showing him vi commands reif
17:47 < derek> i can use vi a bit
17:47 < reiffert> there you are.
17:47 < derek> ive dealt with that devil
17:47 < reiffert> and the devil won ...
17:47 < derek> yes
17:47 < derek> but I can half ass play a fiddle now
17:47 < reiffert> :q!
17:47 < reiffert> :wq
17:47 < reiffert> :wq!
17:48 < reiffert> :u
17:48 < reiffert> :undo
17:48 * Bushmills wonders how somebody can know linux but not cat or less
17:48 < reiffert> ctrl-u
17:48 < derek> yep
17:48 < derek> quit
17:48 < derek> write quit
17:48 < derek> insert mode, command mode
17:48 < reiffert> :%s,replace,that,g
17:48 < krzie> :x = :wq
17:48 < derek> hey i stick to the first 3 :P
17:48 < reiffert> :set paste
17:49 < derek> A long time ago I used to know some of that, but it has been many years
17:49 < krzie> Bushmills even more so, someone who knows how to use vi but tries dir instead of ls
17:49 < reiffert> nano pico ed joe
17:49 < derek> lol
17:50 < derek> i use pico
17:50 < krzie> i used joe the other day
17:50 < krzie> pretty nice for code
17:50 < Bushmills> krzie, that's still something i could understand - ls is sometimes aliased to dir
17:50 < krzie> ahh
17:50 -!- atlas95 [n=ladmin@mlv95-3-88-168-37-51.fbx.proxad.net] has quit [Read error: 110 (Connection timed out)]
17:50 < krzie> i stick to fbsd, no dir there
17:51 < Bushmills> but cat usually not to type :)
17:51 < reiffert> debian linux:
17:51 < reiffert> /bin/dir
17:51 < reiffert> might be a hardlink to /bin/ls
17:52 < reiffert> -rwxr-xr-x 1 root root 101992 Apr 4 2008 /bin/dir
17:52 < reiffert> -rwxr-xr-x 1 root root 101992 Apr 4 2008 /bin/ls
17:52 < derek> I use the dur command, you know where you type in dur a bunch of times until your computer fixes itself.
17:52 < loca|host> i've set up my first VPN tunnel and its up and running, that's greeaaaat :)
17:52 < loca|host> but i can only ping the server
17:52 < loca|host> and not the office's network
17:52 < reiffert> loca|host: thats it.
17:52 < reiffert> congrats.
17:53 < reiffert> openvpn doesnt support more than pinging the vpn server.
17:53 < krzie> !route
17:53 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:53 < Bushmills> reiffert, not right. it also supports traceroute to the server
17:53 < loca|host> the office network is at 192.168.100.0 255.255.255.0 and the vpnserver server 10.8.0.0 255.255.255.0
17:53 < loca|host> hahaha reiffert :)
17:54 < reiffert> Bushmills: depends.
17:54 < Bushmills> on openvpn?
17:54 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has quit []
17:54 < loca|host> krzie, thx for the shar
17:54 < loca|host> e
17:54 < reiffert> Bushmills: actually ... maybe.
17:54 < krzie> yw
17:54 -!- Lilarcor [n=Lilarcor@208-59-127-143.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
17:54 < krzie> note, you wont need most of that
17:54 < krzie> it explains a lot
17:54 < reiffert> push "route 192.168.100.0 255.255.255.0"
17:54 < krzie> but when you understand whats going on there, you know what you need to do
17:55 < krzie> that and possibly a route outside openvpn
17:55 < krzie> depending if his server is the router for its lan
17:55 < reiffert> yep
17:55 < krzie> yupyup!
17:55 < reiffert>
17:55 < reiffert> _ _ _ _ _ __ _ _ _ _ _ __ _ _ _ _ _ __
17:55 < reiffert> | | | | | | | '_ \| | | | | | | '_ \| | | | | | | '_ \
17:55 < reiffert> | |_| | |_| | |_) | |_| | |_| | |_) | |_| | |_| | |_) |
17:55 < reiffert> \__, |\__,_| .__/ \__, |\__,_| .__/ \__, |\__,_| .__/
17:55 < reiffert> |___/ |_| |___/ |_| |___/ |_|
17:56 < krzie> hehehe
17:57 < reiffert> thomas@mail:~$ md5sum /bin/dir /bin/ls
17:57 < reiffert> 83dbc3072a6143263685b287ca3472c2 /bin/dir
17:57 < reiffert> 5ddd8a0077ab52dd2b63423d0a0800a5 /bin/ls
17:57 < krzie> interesting
17:57 < krzie> manpage for dir?
17:57 < krzie> (i dont have any linux handy)
17:57 < krzie> my debian vm is only at home
17:57 < reiffert> thomas@mail:~$ strings /bin/dir > /tmp/d
17:57 < reiffert> thomas@mail:~$ strings /bin/ls > /tmp/l
17:57 < reiffert> thomas@mail:~$ diff -u /tmp/d /tmp/l
17:57 < reiffert> thomas@mail:~$
17:58 < reiffert> thomas@mail:~$ hd /bin/dir > /tmp/d
17:58 < reiffert> thomas@mail:~$ hd /bin/ls > /tmp/l
17:58 < reiffert> thomas@mail:~$ diff -u /tmp/d /tmp/l
17:58 < reiffert> -00018690 ff ff ff ff ff ff ff ff 01 00 00 00 02 00 00 00 |................|
17:58 < reiffert> +00018690 ff ff ff ff ff ff ff ff 01 00 00 00 01 00 00 00 |................|
17:58 < reiffert> thats all. One byte off.
18:00 < derek> krzie I think I have a config that you provided my a while back may I try sending it to you for you to skim over?
18:02 < loca|host> reiffert, ok now, from my client i can only ping 192.168.100.2 which is the openvpn server's IP, and i cant ping any other hosts than that
18:02 < reiffert> what is the default gw on 100.0/24?
18:03 < reiffert> however, you have several option here:
18:03 < loca|host> .1
18:03 < reiffert> NAT or routing
18:03 < Bushmills> reiffert, difference is probably a switch initialized diferently: "`dir' is equivalent to `ls -C -b'"
18:03 < Bushmills> differently
18:04 < reiffert> for routing you tell .1: route add -net 192.168.123.0 netmask 255.255.255.0 gw 192.168.100.2
18:04 < reiffert> for NAT you tell 100.2 to NAT everything that comes across the tunnel and leaves on eth0.
18:04 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
18:05 < reiffert> where 123.0 is the client net.
18:05 < loca|host> let me try routing
18:05 < loca|host> i have to activate the ipv4 forwarding or not ?
18:06 < reiffert> yes you have to.
18:09 < reiffert> !route should cover that all
18:09 < vpnHelper> reiffert: Error: "route" is not a valid command.
18:09 < reiffert> !route
18:10 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:10 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Connection reset by peer]
18:10 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
18:19 < derek> be back in a while going to go eat some nasty cafeteria food yum yum
18:21 < loca|host> reiffert, is there any possibility to bypass that route on the office's gw ? because its a proprietary gw and i cant add any route there
18:22 < reiffert> loca|host: no.
18:22 < reiffert> no chance to add static routing information?
18:22 < loca|host> no
18:23 < reiffert> then NAT is a working solution for you.
18:23 < reiffert> OS of .2?
18:25 < loca|host> OS ?
18:25 < loca|host> what do you mean by OS ?
18:25 < reiffert> Operating System
18:30 < loca|host> reiffert, is there any basic iptables configuration for that ?
18:31 < reiffert> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
18:32 < reiffert> http://netfilter.org/documentation/HOWTO//NAT-HOWTO-4.html#ss4.1
18:32 < vpnHelper> Title: Linux 2.4 NAT HOWTO: Quick Translation From 2.0 and 2.2 Kernels (at netfilter.org)
18:32 < reiffert> echo 1 > /proc/sys/net/ipv4/ip_forward
18:36 < reiffert> !linnat
18:36 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:36 < reiffert> !factoids search nat
18:36 < vpnHelper> reiffert: 'nat', 'linnat', 'fbsdnat', and 'winnat'
18:36 < reiffert> !nat
18:36 < vpnHelper> reiffert: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
18:37 < reiffert> !winnat
18:37 < krzie> but also, if theres not many machines in the lan to access, you can simply add the route on them instead of the gateway
18:37 < vpnHelper> reiffert: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
18:37 < reiffert> !fbsdnat
18:37 < vpnHelper> reiffert: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
18:37 < reiffert> !factoids search .
18:37 < vpnHelper> reiffert: "2.1-winpass-script" is http://article.gmane.org/gmane.network.openvpn.user/24575
18:37 < reiffert> !factoids search %
18:37 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:37 < reiffert> !factoids search %%%
18:37 < vpnHelper> reiffert: More than 100 keys matched that query; please narrow your query.
18:37 < reiffert> !factoids search %a%
18:37 < vpnHelper> reiffert: 'faq', 'sample', 'insanity', 'mail', 'ask', 'winpass', 'pastebin', 'lans', 'netman', 'path', 'ssl-admin', 'tls-auth', 'samba', 'betaman', 'download', 'tap', 'mac', 'win_noadmin', 'static', 'dynamicfirewall', 'nat', 'hmac', 'winipforward', 'fragment', '2.1-winpass-script', 'activedirectory', 'iptables', 'all', 'mactuntap', 'easy-rsa-unix', 'linipforward', 'linnat', 'man', 'wintaphide',
18:37 < vpnHelper> reiffert: 'firewall', 'solaris', 'lintrafaccnt', 'fbsdjail', 'local', 'tunortap', 'shorewall', 'broadcast-relay', 'password', 'authpass', 'firestarter', 'interface', 'allinfo', 'obsdtap', 'notcompat', 'fbsdnat', 'ipforward', 'fbsdipforward', 'eurephia', 'winnat', 'samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet', 'samesubnet', 'access-server', and
18:37 < vpnHelper> reiffert: 'win_ipfail'
18:38 < krzie> same thing shows up without the %'s
18:38 < reiffert> !samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet
18:38 < vpnHelper> reiffert: "samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet" is (#1) the other machine that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default
18:38 < vpnHelper> reiffert: gateway for the machines you added IPs to. Now tell openvpn to, or (#2) the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default gateway for the machines you added IPs
18:38 < vpnHelper> reiffert: to.
18:39 < krzie> oh god, who added that
18:39 < reiffert> my wild guess is ecrist, dougy or you.
18:39 < krzie> dougy has no access
18:39 < krzie> but there was a time everyone did
18:40 < krzie> had to be removed cause of all the bs and dupes being added
18:40 < reiffert> !samesubnet
18:40 < vpnHelper> reiffert: "samesubnet" is Now tell openvpn to use the new ips as the lan to route to.
18:40 < reiffert> ?
18:40 < krzie> bleh ill fix it
18:50 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:50 < Dougy[Home]> hey all
18:52 < krzie> !factoids search samesubnet
18:52 < vpnHelper> krzie: "samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet" is (#1) the other machine that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default gateway
18:52 < vpnHelper> krzie: for the machines you added IPs to. Now tell openvpn to, or (#2) the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default gateway for the machines you added IPs to.
18:53 < krzie> !forget samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet
18:53 < vpnHelper> krzie: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
18:53 < krzie> !forget samesubnet when a machine on a lan much be accessed over openvpn but sits on the same lan subnet *
18:53 < vpnHelper> krzie: Joo got it.
18:53 < krzie> .!learn howto add a factoid
18:53 < krzie> heheh
18:53 < krzie> !learn samesubnet is when a machine on a lan much be accessed over openvpn but sits on the same lan subnet as the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default gateway for the machines
18:53 < vpnHelper> krzie: Joo got it.
18:54 < krzie> you added IPs to. make sure to turn on ip forwarding on the machine running openvpn.
18:54 < krzie> shit
18:54 < krzie> !forget samesubnet
18:54 < vpnHelper> krzie: Error: There is no such factoid.
18:54 < krzie> BLEH
18:56 < krzie> !forget samesubnet is when a machine on a lan much be accessed over openvpn but sits on the same lan subnet
18:56 < vpnHelper> krzie: Joo got it.
18:57 < krzie> !learn samesubnet as when a machine on a lan much be accessed over openvpn but sits on the same lan subnet as the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default gateway for the machines you added IPs to.
18:57 < vpnHelper> krzie: Joo got it.
18:57 < krzie> !learn samesubnet as make sure to turn on ip forwarding on the machine running openvpn.
18:57 < vpnHelper> krzie: Joo got it.
18:58 < krzie> there, all better, sorry for the scroll
19:03 < krzie> sup dougy
19:05 -!- loca|host [n=tux@41.226.116.11] has quit [Read error: 60 (Operation timed out)]
19:12 -!- Googleman [n=azer@41.105.122.203] has quit [Read error: 110 (Connection timed out)]
19:39 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:42 < Dougy[Home]> hey krzie
19:42 < Dougy[Home]> :)
19:54 -!- tekk [n=me@eduroam-175-21.lut.ac.uk] has joined ##openvpn
19:54 < tekk> hi guys, i'm really interested in the concept of tunneling ipv6 over an openvpn connection so i can give connected clients a real ipv6 address, i've tried using limited documentation from searching google, but i am not succeeding, i have an alternate method im thinking about though, but i dunno if it will work
19:55 < tekk> what if i set radvd to advertise on the tun0 interface that openvpn is using, and then it would advertise the route over the openvpn and give addresses?
19:55 < tekk> or is that likely to fail?
20:02 < krzie> no clue, please advise if it works
20:02 < krzie> i know nothing about radvd but depending how it works you may need a bridge for that
20:03 < krzie> or possibly thats what tun-ipv6 is for, no idea
20:04 < krzie> http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en
20:04 < vpnHelper> Title: JOIN Homepage -- Howto: OpenVPN IPv6 Tunnel Broker Guide (at www.join.uni-muenster.de)
20:04 < krzie> thats not what you want?
20:06 < krzie> looks like it has everything you need to me...
20:06 < krzie> it was also hit #1
20:06 < krzie> !google ipv6 openvpn
20:06 < vpnHelper> krzie: JOIN Homepage -- Howto: OpenVPN IPv6 Tunnel Broker Guide: ; SixXS - IPv6 Deployment & Tunnel Broker :: Forum - Direct IPv6 ...: ; IPv6 Eprints Archive - OpenVPN IPv6 Tunnel Broker Guide / OpenVPN ...:
20:08 < krzie> if that guide is hard to understand feel free to write a more simple one when you're done, we have a wiki open to public at !wiki for stuff like that
20:16 < Dougy[Home]> krzie likes boys
20:17 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:20 < tekk> krzie, sorry for long reply, i've been reading that JOIN page i found also
20:28 < tekk> yea the first part of that guide is unnecessary, those googling openvpn ipv6 broker surely know how to setup a ca etc
20:40 < krzie> unnecessary parts of a guide are fine, its when theres necessary parts missing that you run into problems
21:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:27 -!- tekk [n=me@eduroam-175-21.lut.ac.uk] has quit []
21:29 < hardwire> heya.. anybody here ever configured openvpn so that it didn't hand out IP's at all?
21:29 < hardwire> just brought up the interface with no IP address on both sides.
21:30 < hardwire> I'm hoping to let ISIS do all the work.
21:34 < Dougy[Home]> for fucks sake
21:35 < Dougy[Home]> someone just sent me a message, asking if they could get 10 servers with a /23 each
21:54 -!- tokyoahead [i=tokyoahe@207.106.6.147] has quit ["leaving"]
22:13 -!- Jameno123 [n=jreno@38.219.68.216.DED-DSL.fuse.net] has quit [Read error: 113 (No route to host)]
22:19 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn
22:28 < derek> alright lets try this junk again
22:51 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
22:51 < Hydrant> what can I do to reduce openvpn latency ?
22:58 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
23:08 < derek> anyone want to check over my tun server config to offer tips and tell me if im an idiot before I attempt to implement it?
23:09 < derek> I will through in a cookie from www.hothothotboxes.com
23:09 < derek> throw
23:19 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 110 (Connection timed out)]
23:33 -!- Dougy [i=doug@64-18-144-3.ip.bergenhosting.com] has quit ["Lost terminal"]
--- Day changed Wed Jun 03 2009
00:14 < derek> Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
00:14 < derek> Tue Jun 2 23:14:56 2009 us=680328 199.85.8.1:43612 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
00:15 < derek> Is that serious I think I do have some of those options in the router hmm
00:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:15 < derek> its getting hung up at the tls:initial packet from ip address
00:32 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn
00:54 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:58 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
01:04 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
01:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:11 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
01:27 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:51 -!- master_of_master [i=master_o@p549D3860.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:51 -!- master_of_master [i=master_o@p549D38FB.dip.t-dialin.net] has joined ##openvpn
01:57 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
02:08 < reiffert> are we going to get a rc18 soon... :)
02:14 < reiffert> Why is Yonan taking openvpn development not as serious as he needs to?
02:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:29 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:30 < fkr> reiffert: good questions
02:30 < fkr> reiffert: the rc game is insane
02:42 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"]
02:45 < reiffert> time for a fork maybe.
02:47 < fkr> na
02:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:11 < reiffert> krzee: lets fork openvpn.
03:14 * krzee spoons it instead
03:26 < dazo> reiffert: +1
03:27 < reiffert> At least have Yonan open a svn trunk version to anyone willing to commit.
03:27 < dazo> reiffert: I've been thinking the same thought as well ... I've also lately had a little discussion with him regarding threading vs forking and the current implementation ... I really don't follow his way of thinking
03:28 * dazo already got a public git tree with openvpn releases ... containing one patch I need for one of my OpenVPN projects
03:30 < krzee> reiffert, i dont have any real coding skills to help with that
03:30 < krzee> although i do have resources, and am willing to help any way i can
03:31 < krzee> ecrist has a svn server up where he hosts ssl-admin and some of his nagios code, im sure he'd be down to use that
03:31 < reiffert> Alright, how do we name the bunny?
03:31 < reiffert> "openvpn2" ?
03:31 < krzee> i have an idea for a feature tho
03:31 < krzee> its in a feature request in the forum
03:31 < krzee> !forum
03:31 < dazo> openvpn-fusion :-P
03:31 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
03:32 < krzee> "##openvpn" ?
03:32 < krzee> haha
03:32 < krzee> openvpn-fn?
03:32 < reiffert> -ng
03:32 < krzee> that worx
03:33 < krzee> what do you wanna add? threading?
03:33 < reiffert> development - possibility.
03:33 < reiffert> allow people to develop the bunny.
03:34 < dazo> reiffert: I'm so in!
03:36 < Bushmills> moinmoin
03:36 < krzee> moin
03:38 < reiffert> Yonan forgets patches, doesnt do cleanup, doesnt test changes and so on.
03:38 < reiffert> that will make us get rc16, rc17 and rc18 in just one week.
03:39 < reiffert> (wasnt it the same for rc13, rc14 and rc15?)
03:39 < krzee> hah i didnt even notice rc17 came out
03:40 < krzee> http://www.ovpnforum.com/viewtopic.php?f=10&t=141
03:40 < vpnHelper> Title: OpenVPN Forum View topic - Idea for direct connections (at www.ovpnforum.com)
03:41 < krzee> Many people have wondered if 2 clients connected through a server can connect directly using openvpn.
03:41 < krzee> No they can't.
03:41 < krzee> I think they could, without even forwarding a port on NAT, but it would take some code.
03:41 < krzee> Here is a way I think it could be done. The downside is the clients would either require root or a suid script.
03:41 < dazo> reiffert: you're absolutely right .... and rc14 and rc15 were even worthy of the "brown paper bag patch" label ... it broke the plug-in API even though the rc13-rc14 was not even supposed to touch that code, iirc
03:47 < dazo> krzee: that forum seems to be great!
03:50 < krzee> it needs a friggen captcha
03:51 < dazo> krzee: have you considered such kind of picture captcha? (showing 9 pictures of different random things, and a dynamic question like 'mark all pictures of cats') ... they're usually much better than a "scrambled" text
03:51 * dazo presumes krzee is behind the forum ....
03:52 < krzee> i dont have access to the box
03:52 < krzee> nope, not mine
03:52 < krzee> its dougy's and ecrist hosts it
03:52 < dazo> ahh
03:52 < reiffert> http://www.explosionsandboobs.com/
03:52 < vpnHelper> Title: Explosions and Boobs (at www.explosionsandboobs.com)
03:53 < dazo> reiffert: heh .... as a captcha? ;-)
03:55 < dazo> reiffert: where/how did you catch that rc18 might be on the way?
03:55 * dazo just skimmed quickly through the openvpn mailing lists
03:55 < reiffert> dazo: openvpn-devel, last two posts
03:55 < reiffert> forgot to delete .bak files
03:56 < dazo> heh ... yeah, thats a pretty stunning performance
03:57 < reiffert> somebody should tell him, that svn/cvs would make him have a stable and recent version, an unstable version and not a 3 years old stable and never-releasing recent version.
04:02 < dazo> well, the problem is, at least that's my feeling, that people have told him that for the 2 last years ...
04:02 < dazo> And even Red Hat Enterprise Linux which is soooo conservative about implementing new packages ship OpenVPN 2.1 RC15 .... that says a lot to me
04:04 < reiffert> Debian does as well...
04:05 < reiffert> though rc11
04:05 < krzee> fbsd still uses 2.0.8 (since .0.9 had no benefit to fbsd)
04:10 < reiffert> will a fork succeed?
04:13 < dazo> ?
04:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:52 < Bushmills> ~rc15 here
04:52 < Bushmills> (mix of squeeze and sid)
04:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
05:01 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
05:04 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
05:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
05:17 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
05:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:06 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
06:52 -!- |Xabbu [n=Miranda@p5B25D8C1.dip.t-dialin.net] has joined ##openvpn
06:56 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:56 < |Xabbu> Hi @all, I just set up openvpn between an openwrt-Box (Server) and my WinXP-Laptop (client). I can connect to every Box in my VPN, but unfortunately my connections to the Internet are still routed through the "normal" internet connection. "route PRINT" on my WinXP-box gives me two default gateways. Does anyone know which config I will have to change for the default gateway to be replaced instead of just added?
06:59 < |Xabbu> Oh, I forgot: It is a bridged network setup.
07:00 -!- dok_ [n=andelyx@208.99.194.194] has joined ##openvpn
07:06 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
07:07 -!- keriati [n=keri@unaffiliated/keriati] has joined ##openvpn
07:07 < keriati> hi
07:14 < |Xabbu> hi keriati
07:15 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
07:18 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
07:27 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
07:29 < ecrist> good morning
07:34 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn
07:37 < dok_> Anyone has tried load balancing for 2 openvpn servers?
07:44 < ecrist> I'm sure there are quite a few people who do it
07:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:49 -!- |Xabbu [n=Miranda@p5B25D8C1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
07:56 < dok_> ecrist: What I want clients to do is to connect to a single IP and have a cluster behind which does load balancing.
07:56 < dok_> ecrist: I know how to configure the client files to select from a randomized pool of servers.
07:57 < ecrist> dok_: your 'cluster' idea would work fine, if there was a reliable way to keep the selected server for subsequent communication
07:59 < dok_> ecrist: Is that saying, there isn't a reliable way to do that now?
07:59 < ecrist> it depends on your clustering, not openvpn
08:00 < ecrist> if you switch from one openvpn server to another after you've connected, the connection will drop and reinitialize
08:00 < dok_> ecrist: Yes, I understand that. I'm wondering if there's a way of randomizing and balancing it all out somehow.
08:00 < ecrist> unfortunately, openvpn doesn't currently have any features to synchronize communication state between instances, as in pfsync
08:01 < ecrist> dok_: there is, you'd need to create a dynamic rule in the firewall upon connection (after a server had been selected) which provided a policy route to the selected server
08:01 < ecrist> IMHO, too much a pain in the ass.
08:04 < dok_> ecrist: Yeah, that's a problem
08:04 < dok_> :/
08:12 -!- elbenfreund [i=elbenfre@dot1x0107.rz.uni-leipzig.de] has joined ##openvpn
08:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
08:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
08:49 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: CybDev
08:49 -!- Netsplit over, joins: CybDev
08:53 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: CybDev
08:55 -!- Netsplit over, joins: CybDev
08:55 -!- CyberDevil [i=cybdev@unaffiliated/cybdev] has joined ##openvpn
08:57 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Nick collision from services.]
08:57 -!- CyberDevil is now known as CybDev
09:01 < keriati> hey, i got a router with an openvpn client connecting to another one
09:01 < keriati> is the only way for the clients to see the other lan, with snat on the router,
09:01 < keriati> ?
09:02 < keriati> i mean, is this how openvpn should work?:]
09:02 < ecrist> a tap-based vpn (bridged)
09:03 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
09:04 < keriati> well and this shouldn't be a transparent bridge
09:04 -!- dok_ is now known as theDoc
09:04 < keriati> right?
09:05 < Bushmills> keriati, no. not only way. setting routes on openvpn machines is an alternative
09:05 < Bushmills> in fact, preferable alternative. nat you'd use with many networks behind openvpn machine, too many to enumerate
09:06 < keriati> hm
09:08 < keriati> and how could this work?
09:08 < reiffert> "clients to see other lan" especially "see"?
09:08 < keriati> well i mean
09:09 < keriati> pc's---router with vpn client ---------- vpn server this is the setup
09:10 < reiffert> several possibilities: bridged (tap), routed setup (tun) without NAT or WITH nat and WITH WINS-Server or without.
09:10 < keriati> and the pc should be able to get to the vpn lan
09:11 < reiffert> routed.
09:11 -!- Hydrant2 [n=aj@murray2.civ.utoronto.ca] has joined ##openvpn
09:11 < Hydrant2> Hello all... I'm trying to tune my VPN to make it as fast as possible... I've set TCP_NODELAY and reniced the process to -15
09:11 < Hydrant2> I'm looking at mlock now... what else can I do ?
09:12 < ecrist> hrm, I'm un-nice the process
09:13 < reiffert> Hydrant2: "fast as possible" = bandwidth, amount of users, with or without compression, payload is udp or tcp?
09:13 < Hydrant2> tcp... no compression
09:14 < reiffert> proto udp
09:14 < Hydrant2> right now bandwidth is 10BaseT... upgrading to 100BaseT today... old silly switch
09:14 < Hydrant2> but still the transfer speed between two nodes was about 400kb/s
09:14 < theDoc> Hydrant2: You might want to turn on lzo-compression
09:14 < Hydrant2> the switch might be the source of the problem
09:15 < Hydrant2> theDoc: but... encrypted transfers would be slower then
09:15 < Hydrant2> is udp really that much faster?
09:15 < theDoc> TCP has generally higher overhead.
09:15 < theDoc> Higher overhead = more bandwidth consumption = bigger latency.
09:15 < theDoc> Also, TCP has error checking.
09:16 -!- ENenEN [n=ryan@cpe-065-184-172-078.ec.res.rr.com] has joined ##openvpn
09:16 < theDoc> So if a packet arrives half fucked, it gets resent by the source.
09:16 < Hydrant2> what are the disadvantages of TCP though
09:16 < Hydrant2> doesn't the vpn have to re-order the packets?
09:16 < ENenEN> I am trying to allow traffic connected to my vpn to access a server on the other side of my vpn server. Do I need to have iptables running for this?
09:16 < theDoc> Hydrant2: TCP packets have a seq number.
09:17 < theDoc> UDP on the other hand, doesn't.
09:17 < Bushmills> Hydrant2, faster network connection, speedier CPU
09:17 < ENenEN> I have enabled ipfordwoading
09:17 < ENenEN> ip_forwarding
09:17 < ENenEN> rather
09:17 < Bushmills> Hydrant2, encrypted != compressed
09:18 < Hydrant2> the current CPU is a P4 at 2.2GHz dedicated to VPN
09:18 < Hydrant2> now, the interconnect between the CPU and Network card ought to be fast enough
09:19 < Hydrant2> with the vpn process reniced it seems pretty fast, not sure if a faster CPU would help or not
09:19 < Bushmills> for compression, encryption, and a bit less so for decompression, decryption, faster cpus are always a plus.
09:19 < theDoc> Out of curiosity, has anyone ever managed to make openvpn play nice with DNS round robin, mapping a single domain to multiple addresses for load balancing.
09:19 < Bushmills> but when network speed gets too low, you'll reach the point of no return, eventually
09:20 < ENenEN> my setup is as such -internet-<{static ip} openvpn server 192.168.1.244>- I can ping .244 but not .230. any ideas?
09:20 < Bushmills> (then it's only slightly lower latency, but not increased bandwidth anymore)
09:20 < Hydrant2> I have to try upgrading the switch, and I'll try udp...have others done speed benchmarking?
09:20 < Hydrant2> How much of the potential line speed do you get?
09:20 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:21 < ENenEN> I tried to set it up using iptables but it was not working so i turned off iptables and it still does not work.
09:21 < Bushmills> Hydrant2, my atom 270 is on par with my 6 mbit bandwidth :)
09:21 < Hydrant2> what about 100mbits ?
09:21 < Hydrant2> I'm attempting to get as much of the 100mbits as possible out of it
09:22 < Bushmills> would probably cause my wire to overhead
09:22 < Bushmills> heat
09:22 -!- elbenfreund [i=elbenfre@dot1x0107.rz.uni-leipzig.de] has quit [Read error: 110 (Connection timed out)]
09:22 < ecrist> Hydrant2: here
09:22 < ecrist> !tcp
09:22 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
09:23 < ENenEN> I am not trying to be an ass but does anyone see my posts?? I am thinking that I have not gotten the -e when i logged in?
09:23 -!- elbenfreund [i=elbenfre@wlan0869.rz.uni-leipzig.de] has joined ##openvpn
09:23 < ecrist> ENenEN: yes, we see your posts.
09:23 < ecrist> You've been in here for 7 minutes.
09:23 < ecrist> have some patience
09:23 < ENenEN> ok, thanks.
09:24 < ecrist> no, you don't need iptables, but you do need ipforwarding (which you say you have) and proper routing (the machines on the other side of the vpn server need to know how to route packets destined for the VPN, or the VPN needs to be routable from your default gateway
09:28 < ENenEN> ecrist, so if i setup my lan side server with a route table anything going to the vpn ip to route through the vpn server it should work?
09:41 < ecrist> yep
09:42 -!- elbenfreund [i=elbenfre@wlan0869.rz.uni-leipzig.de] has quit [Read error: 60 (Operation timed out)]
09:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:48 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
09:49 -!- derek [n=derek@199.85.8.1] has joined ##openvpn
09:49 < derek> morning
09:49 < derek> !configs
09:49 < vpnHelper> derek: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:50 < derek> !logs
09:50 < vpnHelper> derek: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:52 -!- elbenfreund [i=elbenfre@dot1x0107.rz.uni-leipzig.de] has joined ##openvpn
10:21 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn
10:23 < da_tux> I have had issues with getting vpn's connected from Mexico to the us due to encryption level. Will the same issue apply to france?
10:24 < da_tux> from what I understand you have to use less than 128Bit encryption accessing to us via vpn's. is this true?
10:30 < ecrist> no
10:30 < ecrist> there *used* to be an export restriction for encryption software
10:35 < theDoc> ecrist: I believe there still is? It's still on the Cisco IOS EULA ;p
10:36 < ecrist> regardless, there's no problem in setting up an encrypted tunnel
10:36 < ecrist> it's not exporting anything
10:37 < ecrist> even if it *was* the origin is from the OpenVPN folks, in Canada, which has nothing to do with us export restrictions
10:38 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
10:39 < theDoc> ecrist: How about if you have a server in the US running 128bit encryption and sending traffic out. Any idea if that is considered exporting encryption software?
10:39 < ecrist> as far as I know, no
10:40 < elbenfreund> i dont think so, export restrictions used to regulate the export of the technology, not using it. so you couldn't transfer the code but sure you could use it
10:41 < ecrist> I routinely make much higher-level encrypted connections to non-export countries with simple SSH
10:41 < elbenfreund> :)
10:41 < theDoc> Ah, ok.
10:41 < theDoc> Unless you're under some major hack attempts or else is there really a requirement to be using 128+ bit encryptions?
10:41 < theDoc> That seems like an overkill.
10:42 < ecrist> theDoc: the NSA has the current stance, according to wikipedia, that it's an unenforceable regulation, and has had that opinion since 1997
10:42 < theDoc> ah yes. It's not really enforceable.
10:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:27 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
11:28 -!- derek [n=derek@199.85.8.1] has joined ##openvpn
11:40 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
11:48 -!- derek [n=derek@199.85.8.1] has quit [Read error: 60 (Operation timed out)]
11:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:59 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:03 -!- derek [n=derek@199.85.8.1] has joined ##openvpn
12:03 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
12:03 -!- elbenfreund [i=elbenfre@dot1x0107.rz.uni-leipzig.de] has quit [Read error: 60 (Operation timed out)]
12:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:16 -!- Guest98870 is now known as david
12:19 -!- llIl|IlI|0III0 [n=adsf@196.203.207.37] has joined ##openvpn
12:19 < llIl|IlI|0III0> Hey
12:19 < llIl|IlI|0III0> Could anyone help me out with a cisco device
12:21 -!- llIl|IlI|0III0 [n=adsf@196.203.207.37] has quit [K-lined]
12:21 -!- LoRez [i=lorez@freenode/staff/lorez] has joined ##openvpn
12:33 -!- xp_prg [n=xp_prg3@99.2.31.217] has left ##openvpn ["Leaving"]
12:33 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:33 < xp_prg> anyone good at bind here?
12:34 -!- Intensity [i=[U2T8Dt5@unaffiliated/intensity] has quit [Remote closed the connection]
12:42 < fkr> xp_prg: sure
12:43 < xp_prg> I am trying to find out how a delegated domain can hookup two physical networks if you will
12:44 < xp_prg> can't seem to find the documentation I read yesterday about that
12:48 -!- elbenfreund [n=elbenfre@f048054060.adsl.alicedsl.de] has joined ##openvpn
12:49 -!- jeiworth [n=jeiworth@189.177.37.65] has quit ["No Ping reply in 90 seconds."]
12:50 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
12:57 -!- jeiworth [n=jeiworth@189.177.37.65] has quit ["No Ping reply in 90 seconds."]
12:58 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
13:14 -!- obleskie [n=obleskie@pcp060214pcs.wireless.calpoly.edu] has joined ##openvpn
13:15 < obleskie> hello, I'm using openvpn on fedora. my question is, when i'm done with my vpn connection, the only way i know how to "hang up" with is Ctrl-C. the problem is that it doesn't fix the routing table to how it was before
13:15 < obleskie> is there anyway to close openvpn more gracefully so it fixes the routing table?
13:18 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:18 < magic_1> hi all
13:18 < obleskie> basically i'm just wondering if there's another way to close the connection other than Ctrl-C
13:19 -!- david [n=david@unaffiliated/mtrh] has left ##openvpn []
13:31 < krzee> obleskie, see the manual under "signals"
13:31 < krzee> !man
13:31 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
13:35 -!- keriati [n=keri@unaffiliated/keriati] has left ##openvpn []
13:35 < derek> is there a pgrep type command for linux (linksys router)
13:36 < krzee> derek, dont they have help channels for that?
13:36 < Bushmills> derek, yes. it is called pgrep
13:36 -!- elbenfreund1 [n=elbenfre@f048027161.adsl.alicedsl.de] has joined ##openvpn
13:36 < obleskie> thank you
13:36 < krzee> yw
13:37 < derek> # pgrep
13:37 < derek> -sh: pgrep: not found
13:37 < derek> is why i asked
13:37 < obleskie> krzee, when issuing the right signal SIGINT to tear down gracefully, it still doesn't fix my routing table. i even set it up as a service, and doing service openvpn stop doesn't fix the routing table either
13:38 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
13:38 -!- elbenfreund2 [n=elbenfre@f053019190.adsl.alicedsl.de] has joined ##openvpn
13:41 < krzee> obleskie, are you using redirect-gateway?
13:42 < krzee> and when you kill it you cant route to the inet...?
13:42 < obleskie> krzee that is correct. i just use the "redirect-gateway" command in the config file
13:42 < krzee> !def1
13:42 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:43 < obleskie> wait i'm confused
13:44 < obleskie> oh ok so i should use "redirect-gateway def1"
13:45 < krzee> did you ever read the manual for redirect-gateway ?
13:45 < krzee> and yes 13:45 < obleskie> oh ok 13:45 < obleskie> let me try 13:45 < krzee> reading the manual wouldnt hurt either 13:45 < krzee> there are other options to redirect-gateway too 13:46 < Bushmills> derek, install it 13:49 < derek> a 13:50 -!- elbenfreund2 [n=elbenfre@f053019190.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)] 13:51 -!- elbenfreund [n=elbenfre@f048054060.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)] 13:51 -!- elbenfreund [n=elbenfre@f053024082.adsl.alicedsl.de] has joined ##openvpn 13:52 < derek> k I just was not sure if it was a different command or to use that command 13:54 -!- elbenfreund1 [n=elbenfre@f048027161.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 14:00 -!- elbenfreund1 [n=elbenfre@g228216254.adsl.alicedsl.de] has joined ##openvpn 14:05 -!- obleskie [n=obleskie@pcp060214pcs.wireless.calpoly.edu] has quit [Read error: 110 (Connection timed out)] 14:08 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn 14:14 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Operation timed out] 14:23 -!- elbenfreund [n=elbenfre@f053024082.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)] 14:26 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)] 14:27 -!- elbenfreund [n=elbenfre@f048063117.adsl.alicedsl.de] has joined ##openvpn 14:29 -!- elbenfreund2 [n=elbenfre@f048254008.adsl.alicedsl.de] has joined ##openvpn 14:41 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 14:42 -!- Googleman [n=azer@41.105.75.26] has joined ##openvpn 14:43 -!- elbenfreund [n=elbenfre@f048063117.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 14:43 -!- elbenfreund1 [n=elbenfre@g228216254.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 14:46 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)] 14:49 -!- elbenfreund2 
[n=elbenfre@f048254008.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 14:54 -!- elbenfreund [n=elbenfre@f048254008.adsl.alicedsl.de] has joined ##openvpn 14:55 -!- whocares [n=elbenfre@f048254008.adsl.alicedsl.de] has joined ##openvpn 14:57 -!- Shnitzer [n=Shnitzer@cpe-76-168-103-208.socal.res.rr.com] has joined ##openvpn 14:58 < Shnitzer> Hi...! 14:58 < Shnitzer> I'm trying to configure my iPHONE's VPN client to traffic through my work network..... 14:59 < Shnitzer> thing is...I can't decipher what the Group Name Password is... 14:59 < Shnitzer> how can I get that...? 15:02 < whocares> hi @ all 15:12 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)] 15:14 -!- clyons [n=clyons@unaffiliated/clyons] has quit [Read error: 104 (Connection reset by peer)] 15:14 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 15:16 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn 15:21 -!- elbenfreund1 [n=elbenfre@e181181142.adsl.alicedsl.de] has joined ##openvpn 15:21 -!- elbenfreund2 [n=elbenfre@e181181142.adsl.alicedsl.de] has joined ##openvpn 15:22 < krzie> very very unfortunately Shnitzer... 15:22 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn 15:22 < krzie> iphone cant use openvpn 15:22 < krzie> theres no tuntap for iphone =[ =[ 15:22 < krzie> ild love to get that too 15:23 < reiffert> start porting the kernel module 15:23 -!- whocares [n=elbenfre@f048254008.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)] 15:23 < krzie> lol 15:23 < krzie> remember when i said i didnt have the skills to help fork ovpn... 15:23 < reiffert> source code is available. 15:23 < krzie> porting a kernel module for tuntap would require more, not less 15:23 < reiffert> you can try a "make" at least. 15:23 < krzie> ive tried that stuffs 15:23 < krzie> it requires actual work 15:24 < reiffert> no iphone here. 
15:24 < krzie> to get the tuntap to work 15:24 < krzie> shit ild have no problem giving you root on an ipod touch 15:24 < krzie> if its something you cared to work on 15:25 < krzie> although if you have no iphone i dont see why youd care to 15:25 < reiffert> inventing wheels is fun. 15:26 < reiffert> there s n iphone dev kit on apple.com IIRC 15:26 < reiffert> tried compiling with that? 15:26 < krzie> not the new one 15:27 < Shnitzer> sorry..I meant: REALTEK RTL8187 15:28 < Shnitzer> with a unidirectional long distance antenna and I can't seem to crack a clientless WAP.... 15:28 < krzie> this is ##openvpn 15:28 < krzie> not #aircrack-ng 15:28 < Shnitzer> I airodump, aireplay, and aircrack for a week and it doesn't work.... 15:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 15:28 < krzie> but ya thats a good adapter 15:28 < Shnitzer> oh shit..sorry...getting my channels mixed up... 15:29 < krzie> sounds like you got the alfa 15:29 < Shnitzer> I do.... 15:29 < krzie> =] 15:29 < krzie> best card avail imho 15:29 < Shnitzer> it was about 60 bucks and can do it all.... 15:30 < Shnitzer> just don't know what I'm doing wrong...when I'm using it that I can't crack a simple 64 bit WEP key... 15:30 < Shnitzer> anyway... 15:30 < krzie> yupyup 15:30 < krzie> just be careful if you use it for everyday inet 15:30 < krzie> i had to for its distance for a week 15:30 < krzie> burnt out my xmit 15:30 < krzie> oh high power the whole time tho (only way i could get signal) 15:30 < Shnitzer> I'm trying to see if anybody has any idea on how to retrieve the asterisked concealed Group Name password for my company's VPN authentication... 15:31 < krzie> this is only for openvpn 15:31 < krzie> you arent asking an openvpn related question 15:31 < Shnitzer> yes...I understand that... 15:31 < Shnitzer> but, disregard my question...I know what you mean... 15:31 < krzie> openvpn doesnt even have group name passwords 15:31 < Shnitzer> thanks for the convo, though...! 
Peace! 15:32 < krzie> sounds like you're using other software 15:32 -!- Shnitzer [n=Shnitzer@cpe-76-168-103-208.socal.res.rr.com] has left ##openvpn ["Leaving"] 15:32 < krzie> np, adios 15:32 -!- Googleman [n=azer@41.105.75.26] has quit [Read error: 110 (Connection timed out)] 15:36 -!- Googleman [n=azer@41.105.86.132] has joined ##openvpn 15:36 -!- elbenfreund3 [n=elbenfre@f051149124.adsl.alicedsl.de] has joined ##openvpn 15:38 -!- elbenfreund4 [n=elbenfre@f051149124.adsl.alicedsl.de] has joined ##openvpn 15:38 -!- elbenfreund [n=elbenfre@f048254008.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 15:43 -!- LoRez [i=lorez@freenode/staff/lorez] has left ##openvpn [] 15:50 -!- elbenfreund2 [n=elbenfre@e181181142.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 15:52 -!- elbenfreund1 [n=elbenfre@e181181142.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 16:08 -!- Googleman [n=azer@41.105.86.132] has quit [Read error: 110 (Connection timed out)] 16:19 -!- elbenfreund [n=elbenfre@f048179118.adsl.alicedsl.de] has joined ##openvpn 16:20 -!- elbenfreund4 [n=elbenfre@f051149124.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)] 16:23 < elbenfreund> . 16:26 -!- elbenfreund1 [n=elbenfre@f048179118.adsl.alicedsl.de] has joined ##openvpn 16:27 < elbenfreund> although it sounds like a rookie problem that has been answered by dozens of howtos/descriptions available via google i just can not manage to ping my ovpn server after a successful connection 16:27 < elbenfreund> most likely because there is an iptables problem im missing 16:28 < elbenfreund> basically all answers i found in the past 48h deal with setting up a static route 16:28 < reiffert> allright. 16:28 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 16:28 < elbenfreund> in order to tell the vpn-server where the gw is 16:28 < reiffert> client OS, server OS? 16:28 < Dougy[Home]> anyone here speak german? 
16:28 * elbenfreund does 16:28 < Dougy[Home]> Ich will Sie immer und ewig 16:28 < Dougy[Home]> translate -> english 16:28 < Dougy[Home]> please 16:28 < reiffert> allright, those german bunnies fix their problems for themselves :) 16:29 < elbenfreund> its kinda incorrect grammar 16:29 < reiffert> I want you forever and ... 16:29 < reiffert> eternally 16:29 < Dougy[Home]> what's incorrect about it 16:29 < reiffert> oh, right, a word is missing: 16:29 < elbenfreund> lacks the proper preposition equivalent to the english "for" 16:29 < reiffert> "Ich will Sie _fuer_ immer und ewig" 16:29 < elbenfreund> Ich will sie _für_ immer und ewig 16:29 < elbenfreund> :) 16:30 < reiffert> I want you _for_ ever and all times. 16:30 < elbenfreund> or i think there is the english expression "for ever and ever"? 16:30 -!- derek [n=derek@199.85.8.1] has joined ##openvpn 16:31 -!- Hydrant2 [n=aj@murray2.civ.utoronto.ca] has quit [Remote closed the connection] 16:31 < reiffert> ever ever? 16:31 < derek> Thanks krzee looks like my tun is somewhat working so far 16:31 < elbenfreund> which makes no sense in german of course 16:31 < Dougy[Home]> "I want you forever and ever" i believe was the desired end result 16:31 < reiffert> elbenfreund: client OS, server OS? 16:31 < Dougy[Home]> someone i know is trying to flirt with me in german, to bust my balls, except i don't speak it 16:32 < elbenfreund> client debian lenny or lenny/sid 16:32 < elbenfreund> server asus 500gP running openWRT 8.09 (kamikaze) 16:32 < elbenfreund> 2.4 kernel 16:32 < reiffert> elbenfreund: client: iptables -L -v -n | pastebin 16:32 < elbenfreund> sure thing 16:32 < reiffert> and: elbenfreund: client: iptables -t nat -L -v -n | pastebin 16:33 < reiffert> and: route -n 16:33 < reiffert> for when your connection is up. 
16:33 < reiffert> and: ifconfig -a 16:33 -!- elbenfreund3 [n=elbenfre@f051149124.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 16:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:35 < reiffert> elbenfreund: same goes out for the server side on a new pastebin page please. 16:37 < elbenfreund> server: http://pastebin.com/d4f21795d 16:37 < reiffert> Dougy[Home]: MEANwhile, please have us some fun from your german girl please 16:37 < derek> I typed in echo "$V1p0" > somefile and it only gives me $ in some file is there something im missing? 16:37 < Dougy[Home]> reiffert, lol 16:38 < reiffert> elbenfreund: is this iptables or ipfwadm? 16:38 < reiffert> elbenfreund: server: route -n and iptables -a is missing. 16:38 < reiffert> # 16:38 < reiffert> 0 0 MASQUERADE all -- * tap+ 0.0.0.0/0 0.0.0.0/0 16:38 < reiffert> bullshit 16:39 -!- loca|host [n=tux@196.203.53.221] has joined ##openvpn 16:39 < reiffert> where is -t filter INPUT chain? 16:41 < reiffert> btw, brctl show please. 16:41 < reiffert> are you typing every line from terminal into pastebin? 16:41 < elbenfreund> hehe 16:43 < elbenfreund> http://pastebin.com/m44d467b 16:43 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 16:43 < reiffert> cat /proc/net/vlan/config 16:43 < reiffert> is m44d467b client or server? 16:43 < elbenfreund> server 16:44 < elbenfreund> VLAN Dev name | VLAN ID 16:44 < elbenfreund> Name-Type: VLAN_NAME_TYPE_RAW_PLUS_VID_NO_PAD 16:44 < elbenfreund> eth0.0 | 0 | eth0 16:44 < elbenfreund> eth0.1 | 1 | eth0 16:44 < reiffert> ifconfig -a 16:44 < reiffert> still missing 16:45 < reiffert> you didnt establish the openvpn connection, did you? 
16:45 < reiffert> line 18, 19, bullshit 16:45 < elbenfreund> http://pastebin.com/d50ec94f2 ifconfig -a 16:45 < reiffert> line 28, 29 same 16:45 < reiffert> 38 same 16:45 < Dougy[Home]> where is a - on a german keyboard 16:45 < Dougy[Home]> how do i do it 16:45 < Dougy[Home]> im using a giga-international kvm and i cant type anything on this mother f 16:46 < reiffert> Dougy[Home]: where / is on english 16:46 < Dougy[Home]> the / produces a ^ 16:46 < reiffert> : is shift . 16:46 < Dougy[Home]> er 16:46 < Dougy[Home]> & 16:46 < reiffert> ; is shit , 16:46 < reiffert> shift 16:47 < elbenfreund> well server and client claim that the init seq is completed 16:47 < reiffert> should produce a - on a US keyboard with german layout 16:47 < elbenfreund> and client got an ip from the range 16:47 < reiffert> / should produce a - on a US keyboard with german layout 16:47 < Dougy[Home]> this is a german keyboard layout 16:47 < Dougy[Home]> or something 16:47 < Dougy[Home]> pressing the - here makes a / 16:47 < reiffert> elbenfreund: enter: 16:47 < Dougy[Home]> on there 16:47 < reiffert> ifconfig tap0 up 16:47 < reiffert> elbenfreund: done. 16:48 < reiffert> elbenfreund: maybe brctl addif br-lan tap0 16:48 < reiffert> Dougy[Home]: so you got a german keyboard with US layout? 16:48 < Dougy[Home]> i have no idea what it is 16:48 < Dougy[Home]> its a clients kvm 16:48 < Dougy[Home]> pressing - gives me a /. pressing z gives me a y 16:48 < Dougy[Home]> pressing y gives me a z 16:49 < reiffert> normal. 16:49 < reiffert> try two keys next left to backspace 16:49 < reiffert> should give you a - 16:49 < Dougy[Home]> two keys left of backspace gives / 16:49 < reiffert> wtf? 16:49 < Dougy[Home]> shift and that key gives me a question mark 16:49 < reiffert> this is totally fucked up. 16:50 < reiffert> crazy 16:50 < reiffert> insane 16:50 < reiffert> stupid 16:50 < reiffert> ill. 
16:51 < Dougy[Home]> ffs 16:51 < krzie> dougy, get a usa keyboard / charmap 16:51 < Dougy[Home]> i dont know how to change it 16:51 < Dougy[Home]> this is the biggest POS kvm 16:51 < Dougy[Home]> ive ever seen 16:51 < Dougy[Home]> its java vnc 16:51 < krzie> lol 16:51 < reiffert> get a real vnc client. 16:51 < Dougy[Home]> i cant connect with the one built into my gnome 16:51 < Dougy[Home]> it invalid auths me 16:52 < reiffert> or teamviewer 16:52 < elbenfreund> im not quite sure whats different to my previous tries, but thanks a lot :) it works 16:52 < reiffert> or rdesktop 16:52 < reiffert> elbenfreund: this can be done automatically from server.conf: 16:52 < reiffert> up foo.sh 16:52 < Dougy[Home]> rdesktop doesnt work for vnc 16:52 < Dougy[Home]> does it? 16:52 < krzie> dougy, 1 left of the shift will be - 16:52 < reiffert> in foo.sh do: 16:52 < reiffert> #!/bin/bash 16:52 < krzie> the right shift i mean 16:52 < reiffert> ifconfig tap0 up 16:52 < reiffert> brctl addif br-lan tap0 16:52 < Dougy[Home]> krzie, it gives me a _ 16:52 < Dougy[Home]> not a - 16:52 < krzie> hold shift then 16:52 < elbenfreund> sure thing 16:52 < Dougy[Home]> thats how i get the _ 16:53 < krzie> then stop holding shift! 16:53 < Dougy[Home]> just / key gives me a & 16:53 < reiffert> shirt - is _ 16:53 < elbenfreund> Dougy[Home]: sound like us charmap on a german keyboard layout 16:53 < reiffert> Dougy[Home]: at what keyboard are you sitting at? 16:53 < reiffert> your local PC 16:53 < krzie> i was thinking spanish charmap, sounded like it at frist 16:53 < krzie> first 16:54 < Dougy[Home]> normal us 16:54 < Dougy[Home]> just some nomral us microsoft keyboard 16:54 -!- ciappo [n=ciappo@adsl-ull-232-23.51-151.net24.it] has joined ##openvpn 16:54 < reiffert> Dougy[Home]: press the / key on your keyboard. what char do you get? 16:54 < ciappo> hi all 16:54 < Dougy[Home]> i get / 16:54 < reiffert> fucked. 
16:54 < reiffert> press - on your keyboard 16:54 < Dougy[Home]> - 16:54 < reiffert> what char do you get? 16:54 < krzie> LOL 16:55 < Dougy[Home]> :p 16:55 < reiffert> so after all, what's your problem? 16:55 < krzie> now im really confused 16:55 < Dougy[Home]> emtoo 16:55 < Dougy[Home]> metoo 16:55 < reiffert> elbenfreund: btw, I was searching the exact same problem for over 30 minutes at home .. it was soo frustrating. 16:56 < ciappo> i followed this: http://openvpn.net/index.php/open-source/documentation/howto.html at the end it says: "The final step in the key generation process is to copy all files to the machines which need them". My question is: can i copy on client's machine only: client1.* to client1 machine, client2.* to client2, and so on? 16:56 < vpnHelper> Title: HOWTO (at openvpn.net) 16:57 < krzie> ciappo did you happen to see the table on that page where they say exactly where easch file belongs? 16:57 < krzie> s/easch/each 16:57 < ciappo> and secondly how can i run a client openvpn? i tried with this command: "openvpn --client --port 1240 --dev tun --ca /etc/openvpn/privnet/ca.crt --cert /etc/openvpn/privnet/cronos.csr --key /etc/openvpn/privnet/cronos.key" but i get an error: "Wed Jun 3 23:53:50 2009 Cannot load certificate file /etc/openvpn/privnet/cronos.csr: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD0 16:57 < reiffert> ciappo: short answer is yes. Long answer is: look at that table. 16:57 < krzie> you dont load a CSR 16:57 < krzie> a CSR is an unsigned cert 16:57 < reiffert> --cert is .crt, not .csr 16:57 < reiffert> krzie: wrong. 16:57 < reiffert> krzie: csr is a request. 16:57 < krzie> the CA signs the CSR and gives you a signed CRT 16:58 < krzie> well ya, i was simplifying 16:58 < krzie> but the CSR does nothing cause it has yet to be signed 16:58 < reiffert> jup. 16:59 < reiffert> ciappo is close to a proper solution I think. 
16:59 < ciappo> so this is right command: "openvpn --client --port 1240 --dev tun --ca /etc/openvpn/privnet/ca.crt --cert /etc/openvpn/privnet/cronos.crt --key /etc/openvpn/privnet/cronos.key", right? 16:59 < reiffert> looks ok. 16:59 < ciappo> ok...another question: after that? :P 16:59 < reiffert> ciappo: --remote is missing 16:59 < reiffert> ciappo: however, you can put it in a file, so called config file. 17:00 < ciappo> with --remote i get: Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: remote (2.0.7) 17:00 < krzie> 2.0.7!? 17:00 < elbenfreund> reiffert: well, it took me bit longer as i didnt do masq for br<->tap0, just allowing traffic between as mentioned in the howto 17:00 < krzie> hi welcome to 2009 17:00 < ciappo> a script file? with that command... 17:00 < reiffert> 2.0.7? 17:00 < elbenfreund> reiffert: when i eventually noticed my mistake my current setup messed up the bringing up of tap0 as it seems 17:00 < ciappo> i wrote: openvpn --client --remote --port 1240 --dev tun --ca /etc/openvpn/privnet/ca.crt --cert /etc/openvpn/privnet/cronos.crt --key /etc/openvpn/privnet/cronos.key 17:00 < reiffert> Day changed to 04 Jun 2009 17:01 < reiffert> ciappo: get a recent version, 2.1.rc17 17:01 < elbenfreund> classic case of creating a new problem while trying to solve an old one 17:01 < ciappo> it surely works anyway ;) 17:01 < reiffert> elbenfreund: just one? I saw 5 at least :) 17:01 < elbenfreund> :9 17:01 < ciappo> i'm going to update it after understood how does it work 17:02 < elbenfreund> well, i think those are defaults given by the openWRT team 17:02 < reiffert> ciappo: however, you have to tell the client that it should connect to a server 17:02 < elbenfreund> might be worth checking in the next hours 17:02 < ciappo> anyway without --remote it looks work.... 
17:02 < reiffert> ciappo: on recent versions you do that by --remote foo.bar 1194 or similar 17:02 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)] 17:03 < ciappo> excuse me, but foo.bar is the client hostname or server hostname? 17:03 < ciappo> i can't understand that... 17:03 < ciappo> ok it's client ;) 17:03 < elbenfreund> the relevant parts you criticized are the ones given here right? http://luci.freifunk-halle.net/UserDocs/OpenVPN#Preparethefirewall 17:03 < vpnHelper> Title: UserDocs/OpenVPN - LuCI Project (at luci.freifunk-halle.net) 17:03 < ciappo> now i get: Thu Jun 4 00:03:28 2009 TLS Error: client->client or server->server connection attempted from 127.0.0.1:1240 17:04 < reiffert> ciappo: wrong. 17:04 < ciappo> ok it's server :P 17:04 < reiffert> ciappo: you tell the client: hey client, connect to a server. 17:05 < ciappo> wow...now it works 17:05 < reiffert> ciappo: just follow the howto :p 17:05 < ciappo> i get a tun0 dev... 17:05 < reiffert> whoohoooo 17:05 < ciappo> reiffert: thank you very much for your patience ;) 17:05 < reiffert> Dougy[Home]: come on, give us some german porn! 17:05 < Dougy[Home]> ffs 17:05 < elbenfreund> hehe 17:05 < Dougy[Home]> still dont have a working - 17:05 < reiffert> Dougy[Home]: Bushmills can translate it to netherlands afterwards 17:05 < elbenfreund> *g* 17:06 -!- Googleman [n=azer@41.105.66.88] has joined ##openvpn 17:06 < ciappo> reiffert: last question when you told me to put all that command into a config file: how can i do to specify that options? 17:06 < reiffert> ciappo: howto ... example config file 17:07 < ciappo> reiffert: ok :P thanks 17:07 < reiffert> http://openvpn.net/index.php/open-source/documentation/howto.html#examples 17:07 < vpnHelper> Title: HOWTO (at openvpn.net) 17:08 < reiffert> ciappo: how come you are at 2.0.7? 17:08 < derek> Ok I have my vpn working on a tun connection between my linksys box and my openvpn server. 
However I still cannot join the domain from a computer behind the linksys client. 17:08 < ciappo> reiffert: i installed it on a gentoo box 17:09 < reiffert> how many years ago? 17:09 < ciappo> today 17:09 < ciappo> :) 17:09 < reiffert> recent gentoo? 17:09 < ciappo> :D gentoo is always recent. you update software list with: --sync 17:09 < ciappo> and you can do that every day...if you want 17:09 < reiffert> 2.0.7 is 5 years old. 17:10 < reiffert> btw, http://en.gentoo-wiki.com/wiki/OpenVPN 17:10 < vpnHelper> Title: OpenVPN - Gentoo Linux Wiki (at en.gentoo-wiki.com) 17:10 < ciappo> anyway newer openvpn versions are marked unstable on gentoo 17:10 < ciappo> Available versions: 2.0.6 2.0.7-r2!t ~2.0.9!t ~2.1_rc15 {examples iproute2 minimal pam passwordsave pkcs11 selinux ssl static threads userland_BSD} 17:10 < reiffert> sigh sigh sigh. 17:10 < reiffert> gentoo sucks. 17:10 < elbenfreund> because I was unsure before: http://www.dict.cc/?s=for%20ever%20and%20ever 17:10 < ciappo> reiffert: what's your distro? 17:10 < vpnHelper> Title: dict.cc | for ever and ever | Deutsch-Wörterbuch (at www.dict.cc) 17:10 < reiffert> oh, its r2, with an additional ! and a t! 17:11 < reiffert> ciappo: A mix from various different distributors, a freebsd kernel with debian linux mostly, some SuSE packages and some OSX PPC packages. 17:12 < ciappo> argh suse :D 17:12 < elbenfreund> sounds like a lot of effort went into this one 17:12 < ciappo> anyway linux is linux...the software is always the same. distros can only dictate on what is stable or not... 17:13 < ciappo> adding sometimes some little patch 17:16 < elbenfreund> brb 17:16 < loca|host> !route 17:16 < vpnHelper> loca|host: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:17 < reiffert> ciappo: note, it's a freebsd kernel. 
17:18 < loca|host> i still have routing problem :( 17:18 < krzie> loca|host, you might need to be more descriptive 17:18 < reiffert> 127.0.0.1 17:18 < reiffert> route add default gw 127.0.0.1 17:19 -!- elbenfreund2 [n=elbenfre@f051170105.adsl.alicedsl.de] has joined ##openvpn 17:19 < ciappo> reiffert: don't be concerned. nobody is perfect! ;) 17:19 < krzie> osx does not use a fbsd kernel 17:19 < loca|host> client is establishing the tunnel, i can ping the vpn ip (10.8.0.1) and (10.10.1.130), but i cant ping other hosts (10.10.1.252 for example) even when pushing the route 10.10.1.0 255.255.255.0 to the client 17:19 < krzie> they do use a lot of userland apps tho 17:20 < loca|host> i made the route on the office's gateway (route 10.8.0.0/24 > 10.10.1.130) 17:20 < reiffert> loca|host: was that you who said it's impossible to add a route on the office gateway? 17:20 < loca|host> the problem is, when i ping from my client to 10.10.1.252, this one doesnt receive the ping request at all 17:20 < krzie> check ip forwarding is enabled on the server 17:21 < loca|host> reiffert, yes it was yesterday :) today i've installed my own iptables gateway ;) 17:21 < krzie> check the servers firewall allows what you want 17:21 < reiffert> kernel .. 17:22 < loca|host> cat /proc/sys/net/ipv4/ip_forward 17:22 < loca|host> = 1 17:22 < loca|host> anything else ? 17:22 < reiffert> iptables -t filter -L FORWARD -v -n | pastebin 17:22 < krzie> check the servers firewall allows what you want 17:22 < krzie> ya, what he said 17:22 < krzie> =] 17:22 < loca|host> krzie, iptables is not set 17:23 < loca|host> :) nothing in my iptables 17:23 < reiffert> dont believe you. 17:23 < krzie> nor do i 17:24 < loca|host> hehe 17:24 < reiffert> maybe ecrist does. 17:24 < krzie> lol 17:24 < loca|host> i thought there was nothing to do there lol 17:24 < loca|host> i missed something ? 
loool 17:25 < loca|host> nothing here http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 17:25 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 17:25 < reiffert> loca|host: probably. 17:26 < krzie> run sniffers on the server and machine on the lan 17:26 < krzie> on the server it should be sniffing tun interface 17:26 < krzie> then run the ping 17:26 < reiffert> why is that, he didnt proofe his firewall yet. 17:26 < krzie> see where it gets to and where the response gets to 17:26 < krzie> and prove you have no firewall by using reif's command 17:26 < krzie> iptables -t filter -L FORWARD -v -n | pastebin 17:26 < loca|host> krzie, i did that 17:26 < loca|host> nothing 17:26 < reiffert> the proof, to prove? 17:27 < krzie> you prove something by showing proof 17:27 < loca|host> i have these two line 17:27 < loca|host> Chain FORWARD (policy ACCEPT 2120 packets, 177K bytes) 17:27 < loca|host> pkts bytes target prot opt in out source destination 17:27 < krzie> prove being a verb, proof being a noun 17:27 < loca|host> :) 17:27 -!- elbenfreund3 [n=elbenfre@f051170105.adsl.alicedsl.de] has joined ##openvpn 17:27 < reiffert> I cant remember on where to put two o's ... 17:28 < reiffert> however .. 17:28 < krzie> ya understandable 17:28 < reiffert> loca|host: on server: tcpdump -n -i tun0 proto ICMP 17:28 < reiffert> loca|host: on client: ping 10.10.1.252 17:28 < reiffert> see something? 17:28 < loca|host> lemme check that 17:29 < krzie> also sniff 10.10.1.252 at the same time 17:30 < reiffert> nah, thats expert. 17:30 < reiffert> krzie: because he will mix up telling us who sees what ... 
17:30 < krzie> doh, good call reif 17:31 < loca|host> reiffert, i've already sniffed on the 252 and didnt receive any thing, but i didnt already checked the tcpdump on server 17:31 < loca|host> ok 17:31 < loca|host> so here's the result 17:31 < loca|host> ping 10.10.1.130 = i see it on the dump 17:31 < reiffert> did I say anything about 10.10.1.130? 17:31 < loca|host> ping 10.10.1.252 = nothing on the dump 17:31 < loca|host> just for checking :) 17:32 < reiffert> allright, you fucked up the routing table on the client. 17:32 < krzie> client is windows? 17:32 < loca|host> reiffert, i did nothing on the client routing table, i just did the push from openvpn server 17:32 -!- elbenfreund [n=elbenfre@f048179118.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 17:32 < loca|host> now, client is win, and i already tested a linux client, same behaviour 17:32 < reiffert> yeah, you fucked it up. 17:33 -!- elbenfreund1 [n=elbenfre@f048179118.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 17:33 < loca|host> lol 17:33 < loca|host> with my push ? 17:33 < reiffert> put the _recent_ server.conf online to pastebin. 17:33 < loca|host> ok 17:34 < reiffert> whats the LAN IP of the CLIENT btw? 17:34 < loca|host> http://pastebin.com/m125b85f4 17:35 < krzie> in fact how bout !interface for the client 17:35 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn 17:35 < krzie> !interface 17:35 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:35 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)] 17:35 < reiffert> :p 17:36 < loca|host> okay :) 17:36 * krzie quickly closes the pastebin for being mostly comments 17:36 < reiffert> I think the windows client didnt set the routing table .. or is within the same subnet. 17:36 -!- elbenfreund3 [n=elbenfre@f051170105.adsl.alicedsl.de] has quit [Read error: 60 (Operation timed out)] 17:36 -!- elbenfreund [n=elbenfre@g229219119.adsl.alicedsl.de] has joined ##openvpn 17:37 < derek_> krzie, I got my tun working on my linksys router thanks. but now I have a couple questions. Do I run my router in gateway or router mode. I ask this because I cant log into the domain from my windows client behind the linux client. But I can ping the server just fine 17:37 -!- elbenfreund1 [n=elbenfre@g229219119.adsl.alicedsl.de] has joined ##openvpn 17:39 -!- ciappo [n=ciappo@adsl-ull-232-23.51-151.net24.it] has quit [Read error: 110 (Connection timed out)] 17:40 < loca|host> reiffert, am doing the !interface process ... 17:40 < krzie> derek_ i dont fully understand the question 17:41 < reiffert> loca|host: great. meanwhile I'll 127.0.0.1 17:42 < derek_> ok I got my linksys router to connect via tun to my openvpn server. But I cannot connect to the domain server on the openvpn server from behind the linksys router. My linksys has an option to run in gateway or routed mode. Which do I need to use and is there anything else I could try. 17:43 < krzie> can you ping the AD server? 17:43 < krzie> or domain server i mean 17:43 < derek_> yep 17:44 < Dougy[Home]> krzie is a tool what? 
17:44 < derek_> i used your howto, and I can ping the address 192.168.100.1 which is the domain and openvpn server as well as 192.168.11.1 which is the servers local network 192.168.12.1 is the router 17:44 < krzie> is it DNS or is it active directory? 17:44 < krzie> dougy make yourself useful and grab me some coffee 17:44 < krzie> =] 17:45 < krzie> you say domain, is it dns or AD? 17:45 < Dougy[Home]> pfft 17:45 < derek_> DNS its the sme server http://wiki.contribs.org/Main_Page 17:45 < Dougy[Home]> coffee is for people who are old 17:45 < vpnHelper> Title: SME Server (at wiki.contribs.org) 17:45 < krzie> derek, by cant contact do you mean manually or by pushing dns? 17:45 < krzie> dougy, everyone is old to you! 17:47 < loca|host> before VPN: (IP: http://pastebin.com/m3540450c ROUTES http://pastebin.com/m5ce38326) 17:47 < Dougy[Home]> krzie, shut up 17:47 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn 17:47 < Dougy[Home]> you're jealous 17:47 < loca|host> after VPN: (IP: http://pastebin.com/m52e41f3d ROUTES http://pastebin.com/m3f55fb66) 17:47 < derek_> I just tried joining via the windows computer name change dialog box... I know I have the domain right because I joined by going openvpn gui from it to my server. 17:51 -!- Googleman [n=azer@41.105.66.88] has quit [Read error: 110 (Connection timed out)] 17:51 -!- elbenfreund2 [n=elbenfre@f051170105.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 17:52 < krzie> derek_ i thought you said it was DNS 17:53 < krzie> now it sounds like you're talking bout active directory 17:53 < krzie> pls clarify 17:53 < loca|host> same thing on linux client: 17:53 < loca|host> before VPN: http://pastebin.com/m47e3be6b 17:53 < loca|host> after VPN: http://pastebin.com/m4b2b4254 17:54 -!- freysteinn [n=freystei@ailab-gw.ru.is] has quit [Read error: 110 (Connection timed out)] 17:55 -!- freysteinn [n=freystei@gw.cs.ru.is] has joined ##openvpn 17:55 < loca|host> any idea ? 
17:58 < derek_> krzie, It is the NT4 style domain controller but it will be active directory in the future once it gets updated 17:59 < derek_> http://www.pastebin.ca/1446887 is my server config 17:59 < derek_> there are some unsures in there 17:59 < krzie> ok so DNS was the wrong answer 17:59 < krzie> domain controller / AD was what i was lookin for there 17:59 < derek_> sorry dude, I'm pretty inexperienced when it comes to this 17:59 < krzie> im not sure if that requires a bridge or not, maybe reif knows 18:00 < krzie> basically, i have no clue if that works over tcp/ip or requires layer2 18:01 < derek_> when i bypass the router and connect via the openvpn gui using tap it works 18:01 < derek_> i have two instances running openvpn one tap and one tun 18:01 < krzie> tap is layer2 18:01 < krzie> tun is layer3 18:03 < derek_> are there any issues on setting my router to be a tap device to try it out? 18:03 < derek_> that you know of 18:04 < reiffert> loca|host: linux client 18:04 < reiffert> loca|host: no route to 10.10.1.0/24 18:04 < reiffert> loca|host: forget the last line, I was blind. 18:05 < loca|host> :) 18:05 < loca|host> line 46 18:05 < reiffert> loca|host: uh, vmware involved 18:06 < reiffert> loca|host: vmware seems to break openvpn 18:06 < loca|host> known issue ? 18:07 < derek_> reiffert, do I need layer 2 for domain controller connections 18:08 < reiffert> derek_: dunno. 18:09 < reiffert> loca|host: I remember at least 4 people over the last 6 months who were running vmware on a machine where openvpn was not working and us not finding the cause. 18:09 < loca|host> okay 18:09 < loca|host> lemme check without vmware 18:10 < reiffert> without vmware kernel drivers 18:10 < reiffert> without vmware network interfaces 18:12 < reiffert> I think I was creating !interface during one of these vmware bunnies. 18:15 < loca|host> am uninstalling the vmware 18:16 < reiffert> do I get this right, windows is the server? 
18:16 < reiffert> !factoids search forward
18:16 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
18:16 -!- krzie_ [n=krzee@butters.secure-computing.net] has joined ##openvpn
18:16 < reiffert> !winipforward
18:16 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
18:17 < reiffert> Ah, windows is the client, forget winipforward.
18:17 -!- krzie [n=krzee@unaffiliated/krzee] has quit [Nick collision from services.]
18:17 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: elbenfreund1, da_tux, jreno_
18:17 -!- krzie_ is now known as krzie
18:17 -!- krzie [n=krzee@unaffiliated/krzee] has left ##openvpn []
18:17 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
18:19 < reiffert> got a linux client around?
18:21 < loca|host> reiffert, no, linux is the server
18:21 < loca|host> server = (10.10.1.30 & 10.8.0.1)
18:21 < loca|host> i meant 10.10.1.130
18:22 < xp_prg> --duplicate-cn
18:22 < xp_prg> where do I specify this?
18:23 < krzie> you shouldnt
18:23 < krzie> give each client their own cert instead
18:24 < krzie> but it would go in server config without the --
18:25 -!- elbenfreund [n=elbenfre@g229219119.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
18:28 < loca|host> reiffert, i've uninstalled the vmware, same behaviour
18:28 < loca|host> reiffert, need proof on pastebin ? :)
18:29 < loca|host> reiffert, http://pastebin.com/m2fea5c4c
18:30 < loca|host> that's really strange :(
18:30 -!- Netsplit over, joins: jreno_
18:31 < loca|host> do you think it is ? or am i lonely lost :)
18:31 < reiffert> ipconfig /all
18:34 < reiffert> however, fire up wireshark on windows and watch the ping to leave the tap adapter on windows.
18:34 < loca|host> ok lemme do that
18:35 < krzie> i believe he needs firewall rules
18:36 < krzie> to allow the other subnet over tun
18:36 < krzie> cause that routing table looks good
18:37 < loca|host> krzie, the tcpdump showed nothing
18:37 < krzie> right
18:37 < reiffert> but 10.10.1.130
18:37 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn
18:38 -!- elbenfreund [n=elbenfre@g229219119.adsl.alicedsl.de] has joined ##openvpn
18:42 -!- elbenfreund1 [n=elbenfre@g229219119.adsl.alicedsl.de] has joined ##openvpn
18:44 < krzie> try doing what i said....
18:46 < reiffert> fire up a linux client?
18:47 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
18:47 < cj> any help here?
18:47 < cj> Error parsing PKCS#12 file /etc/openvpn/certificate.p12: error:06074079:lib(6):func(116):reason(121): error:23077073:lib(35):func(119):reason(115): error:2306A075:lib(35):func(106):reason(117): error:23076072:lib(35):func(118):reason(114): error:06074079:lib(6):func(116):reason(121): error:23077073:lib(35):func(119):reason(115): error:2306A075:lib(35):func(106):reason(117): error:23076072:lib(35):func(118):reason(114)
18:47 < cj> it says something about the password being wrong, but it's not
18:50 < ENenEN> I have an openvpn firewall that goes around my default gateway so on my internal network my gateway is 192.168.1.1 and the openvpn server is 192.168.1.244. I am trying to give access to a client on the web to an internal server. right now I have turned off my firewall and I have enabled ip_forwarding I can run tcpdump on the openvpn server and see ping coming to the openvpn server from the client but they never make it to the interna
18:50 < ENenEN> l server. can I get some help??
18:52 < ENenEN> here is what my network looks like. -- -- --
18:53 < ENenEN> and ping from client gets to the openvpn server but not to the internal server.
18:55 < krzie> client on the web?
18:56 < ENenEN> road warrior
18:56 < krzie> ENenEN are both sides of the vpn using lan 192.168.1.x?
18:56 < ENenEN> no.
18:56 < krzie> a road warrior setup accessing 192.168.1.x lan is bad idea
18:56 < krzie> and did you push a route to the lan to clients?
18:56 < loca|host> krzie, on wireshark, i have the icmp request, but not the response
18:56 < krzie> is the lan behind the openvpn server?
18:57 < krzie> loca|host, no shit, did you do what i said?
18:57 < loca|host> when i ping 10.10.1.130, i get the request and the response
18:57 < krzie> oh wait you do get the request
18:57 < krzie> on the internal machine?
18:57 < ENenEN> yes I know. That we are going to change but we are waiting on the alarm people to change their crap
18:57 < loca|host> krzie, on the client, yes i get the request on wireshark, on the tap iface
18:57 < ENenEN> no the openvpn server is on the lan
18:58 < ENenEN> its address is 192.168.1.244
18:58 < krzie> loca|host, do you get the request on the internal lan machine which you are pinging?
18:58 < ENenEN> no
18:58 < loca|host> NO
18:58 < krzie> ENenEN, i am speaking to loca|host
18:58 < ENenEN> o sorr
18:58 < ENenEN> y
18:58 < krzie> loca|host, so you fired up a sniffer on the internal lan machine?
18:59 < krzie> ENenEN, did you push a route to vpn clients for the internal lan?
18:59 < ENenEN> yes
18:59 < krzie> show me what it looks like
18:59 < krzie> (@ ENenEN)
18:59 < ENenEN> push "route 192.168.1.0 255.255.255.0"
19:00 < loca|host> krzie, ahh sorry
19:00 < loca|host> i got the request on the internal machine
19:00 < loca|host> shit
19:00 < krzie> ok you did
19:00 < krzie> so your gateway route is wrong
19:01 < krzie> sniff on the gateway now
19:01 < krzie> see if it sees the reply attempt
19:01 < krzie> when you sniffed on the internal lan machine i assume you saw a reply attempted
19:01 < krzie> which never made it to the openvpn machine
19:01 < loca|host> yes
19:01 < krzie> now look at the gateway
19:02 < krzie> either iptables blocks it or the route is wrong
19:02 < loca|host> on the gateway, i have this route: 10.8.0.0 10.10.1.130 255.255.255.0 UG 0 0 0 eth1
19:02 < loca|host> eth1 = 10.10.1.254
19:02 < loca|host> that seems okay
19:02 < loca|host> nothing echoed from: tcpdump icmp
19:02 < loca|host> on the gateway
19:03 < ENenEN> krzie, does my push look ok?
19:03 < krzie> are you sure the internal lan machine has that machine as its gateway
19:03 < krzie> ?
19:03 < krzie> ENenEN, yup it does
19:04 < krzie> ENenEN, are you running openvpn on the gateway for its lan on the server side?
19:04 < Dougy[Home]> woot
19:04 < Dougy[Home]> krzie
19:04 < Dougy[Home]> just had a $2000 offer for those unmetered domains
19:04 < Dougy[Home]> lol
19:04 < ENenEN> yes.
19:04 < loca|host> krzie, lemme check all these
19:05 < krzie> ENenEN, openvpn is running on the router on server side?
19:05 < krzie> Dougy[Home], badass man!
19:05 < Dougy[Home]> yeah
19:05 < Dougy[Home]> i know
19:05 < Dougy[Home]> hahaha
19:05 < Dougy[Home]> i told him id think on it
19:05 < krzie> THINK!?
19:05 < krzie> wtf, get that $
19:05 < Dougy[Home]> krzie, the first person i told about it
19:05 < Dougy[Home]> offered me $2000
19:05 < Dougy[Home]> that makes me wonder if im undercutting it
19:05 < ENenEN> no it goes client gateway openvpn
19:06 < krzie> ENenEN forget about the vpn
19:06 < ENenEN> the openvpn is on the same lan as the server to be accessed
19:06 < krzie> is openvpn running on the lan router?
19:06 < ENenEN> no
19:06 < krzie> ok
19:06 < krzie> you must add a route onto that router
19:06 < Dougy[Home]> krzie, i think i can get more ;)
19:06 < krzie> telling it that the vpn network is behind the machine running openvpn
19:08 < krzie> ENenEN if you want a detailed explanation as to why, type !route then look below the network diagram
19:08 < loca|host> krzie, ok, now i have some news :)
19:08 < loca|host> i still cant get ping response on the client
19:08 < ENenEN> k
19:08 < ENenEN> !route
19:08 < vpnHelper> ENenEN: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:08 < loca|host> the client has the 10.8.0.6 ip, and i can ping it from the lan
19:09 < loca|host> so my gateway is routing that network successfully on the 10.10.1.130 gateway
19:09 < krzie> ok so its a firewall somewhere
19:09 < loca|host> shit
19:15 < ENenEN> krzie, if i understand this correct I need to add a route on my office router for my vpn lan. ie 172.16.0.0/24 to point to my openvpn server 192.168.1.244. is that right?
19:17 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Read error: 60 (Operation timed out)]
19:19 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
19:41 < ENenEN> krzie, are you still here?
19:41 < Dougy[Home]> no hes not
19:41 < Dougy[Home]> leave a ms
19:41 < Dougy[Home]> g
19:42 * Dougy[Home] gets pen+pad out
19:42 < ENenEN> Dougy[Home], haha
19:43 < ENenEN> I am still having issue with my routing.. i think.
19:45 < ENenEN> my network is as follows internet - firewall - openvpn server and another server i need to access on the same network. Krzie said that i need to add a route on the firewall for the vpn network. I think does that sound right>
19:45 < ENenEN> ?
19:47 < ENenEN> or do i need to add a route from my openvpn server>
19:49 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
19:54 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Bushmills, freaky_t
19:54 -!- Netsplit over, joins: Bushmills, freaky_t
20:04 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 104 (Connection reset by peer)]
20:13 < loca|host> krzie, things are working now, but somehow in the ugly way ...
20:14 < loca|host> every LAN server shall add a route like this "route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.10.1.130" to permit vpn clients to see them
20:14 < loca|host> i have that route on the gateway, but it does not let LAN servers to respond over it ... i dont know why
20:15 < loca|host> its not a firewall thing, iptables is set to permit all traffic
20:17 < derek_> a
20:18 -!- loca|host [n=tux@196.203.53.221] has quit ["./configure pasta; make pranzo; make install sex"]
20:18 < derek_> Ok I converted my server to a tap to try to see if that would work with the AD server, I can ping the server from the linksys router, but I cant ping it from behind it however I can ping the openvpn address the openvpn server assigned the router... am i missing a routing table config in my linksys router?
20:21 < derek_> http://pastebin.com/d3ab06dd6
20:22 < derek_> that is !route from my router 192.168.100.1 is my openvpn server ip 192.168.12.1 is my openvpnserver/samba server 192.168.11.1 is my router
20:25 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection]
20:26 -!- freysteinn [n=freystei@gw.cs.ru.is] has quit [Read error: 110 (Connection timed out)]
20:27 -!- freysteinn [n=freystei@ailab-gw.ru.is] has joined ##openvpn
20:33 < derek_> bah
20:46 < derek_> a
20:48 -!- elbenfreund [n=elbenfre@g229219119.adsl.alicedsl.de] has quit [Remote closed the connection]
20:52 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
20:57 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
21:10 < derek_> l
21:13 -!- Major_Tom [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has joined ##openvpn
21:13 -!- omega42 [i=tom-w@dslb-088-065-051-150.pools.arcor-ip.net] has quit [Nick collision from services.]
21:14 -!- Major_Tom is now known as omega42
21:27 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
21:38 < derek_> ?
22:01 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Read error: 60 (Operation timed out)]
22:06 -!- siOuX_ [n=sioux@200-232-182-22.dsl.telesp.net.br] has joined ##openvpn
22:09 < siOuX_> I have a client that uses a vpn private (with Checkpoint software) in Windows XP, would implement this in openvpn? where is the documentation?
22:15 -!- derek__ [n=derek@199.85.8.1] has joined ##openvpn
22:23 -!- derek_ [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
22:28 < derek__> anyone on yet, that could help, I can ping my server from my router, but not from a computer behind the router
22:28 < derek__> orrr I can get everything working hunky dory with tun but I cant join an active directory domain
22:34 -!- flaccid [n=chris@220.233.185.127] has joined ##openvpn
22:40 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
22:56 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
23:09 < krzee> derek__,
23:10 -!- kronos003 [n=kronos00@viggo.hefnerlabs.com] has joined ##openvpn
23:10 < krzee> !configs
23:10 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
23:11 < derek__> ah your back
23:11 < kronos003> how hard is it to set up a vpn server that connects peers to each other and nothing else
23:11 < krzee> not hard
23:11 < derek__> easy
23:11 < derek__> alright krzee ill get you those configs
23:11 < krzee> very easy
23:11 < krzee> !sample
23:11 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
23:11 < kronos003> is there a centos5.3 walkthrough for it
23:11 < krzee> basically, that does it
23:12 < kronos003> are the client ips static or dynamic?
23:12 < kronos003> would be nice to have as few steps as possible and not have to remember what ips are in use
23:12 < derek__> is there a command to export a file from ssh into pastebin website krzee just to make it easier?
23:13 < krzee> i believe its called pastebin
23:14 < derek__> id have to install it i guess
23:15 < krzee> in fbsd is pastebinit
23:15 < kronos003> basically what i want is an encapsulated network that multiple clients can connect to and do things like printer sharing and other things
23:18 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 110 (Connection timed out)]
23:24 < derek__> client http://pastebin.com/d5ab7a262
23:25 < derek__> server http://pastebin.com/dd675576 has a lot of comments in it that I left in because some of them are for the tun and I'd like you to see what I dont need and what to uncomment please
23:26 < derek__> Thank you
23:26 < derek__> would you like the router !route when connected?
23:28 < derek__> this is the openvpn.up script the other two are for user login http://pastebin.com/dcf73ef1
23:29 < derek__> kronos003, there are tons of examples of that step by step ones too
23:34 < derek__> krzee, need anything else while your reading over
23:41 < derek__> dang must have lost him
23:49 < derek__> ahh cars greatest hits cd just queued up time to go into relax mode =D
--- Day changed Thu Jun 04 2009
00:02 -!- xp_prg [n=xp_prg3@98.234.54.62] has joined ##openvpn
00:04 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:08 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:18 < derek__>
00:18 < derek__>
00:23 < derek__>
00:31 < derek__>
00:36 -!- xp_prg [n=xp_prg3@98.234.54.62] has quit ["This computer has gone to sleep"]
01:04 < derek__> night
01:11 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
01:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:28 < reiffert> loca|hosts solution does not fit to "not seeing pings on the tun0 interface".
01:38 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
01:46 < krzee> ya i caught that too
01:47 < krzee> if bypassing the gateway fixed it, his gateway was the issue
01:47 < krzee> either its firewall or routing table
01:47 < reiffert> He should see incoming ping requests on tun0 ...
01:48 -!- master_of_master [i=master_o@p549D38FB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:48 < krzee> yup
01:51 -!- master_of_master [i=master_o@p549D3DF3.dip.t-dialin.net] has joined ##openvpn
01:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
02:39 -!- c64zottel [n=hans@p5B17AD90.dip0.t-ipconnect.de] has joined ##openvpn
02:44 -!- iylea [i=ia@corp.efnet.net] has joined ##openvpn
02:44 -!- iylea [i=ia@corp.efnet.net] has quit [Client Quit]
02:47 -!- iylea [i=iylea@marauder.culprits.org] has joined ##openvpn
02:49 < krzee> !redirect
02:49 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:49 < krzee> !def1
02:49 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
02:50 < krzee> !fbsdipforward
02:50 < vpnHelper> krzee: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
02:51 < krzee> !fbsdnat
02:51 < vpnHelper> krzee: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
02:51 < krzee> !nat
02:51 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
02:52 < krzee> !linnat
02:52 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:52 < krzee> !hmac
02:52 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
02:52 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
02:58 < krzee> !vps
02:58 < vpnHelper> krzee: Error: "vps" is not a valid command.
02:58 < krzee> bleh
02:58 < krzee> !forum
02:58 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
03:00 -!- siOuX_ [n=sioux@200-232-182-22.dsl.telesp.net.br] has quit [Remote closed the connection]
03:10 -!- iylea [i=iylea@marauder.culprits.org] has quit ["leaving"]
03:13 < krzee> !factoids search vps
03:13 < vpnHelper> krzee: No keys matched that query.
03:13 < krzee> !factoids search --value vps
03:13 < vpnHelper> krzee: No keys matched that query.
03:20 -!- surki [n=surki@gek7.kyla.fi] has joined ##openvpn
03:33 < krzee> derek__, looks like you're bridging the client, you want the server bridge and lose the ifconfig/ifconfig-pool
03:33 < krzee> in the server
03:34 < krzee> and: client-to-client #Allow computers to see each other
03:34 < krzee> the comment is wrong
03:34 < krzee> this allows them to see each other internally to openvpn (which bypasses it needing to hit the kernel and firewall for internal vpn traffic)
03:35 < krzee> you may omit it if youd like to use the firewall on internal traffic
03:40 -!- Sl5avka- [i=dabomb69@free.dancing.bot.at.shellium.org] has joined ##openvpn
03:50 -!- Sl5avka- [i=dabomb69@free.dancing.bot.at.shellium.org] has left ##openvpn []
03:57 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
04:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
04:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
05:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:51 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Remote closed the connection]
06:07 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
06:16 -!- Dougy[Home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
06:45 -!- derek__ [n=derek@199.85.8.1] has quit [Read error: 60 (Operation timed out)]
06:59 -!- derek__ [n=derek@199.85.8.1] has joined ##openvpn
07:02 -!- jfkw [n=jtk@75.94.107.246] has joined ##openvpn
07:07 < ecrist> good morning
07:10 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
07:29 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:37 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has joined ##openvpn
07:38 < Nirkus> hi! are there any projects/documents/features to manage OpenVPN configuration and certificates within LDAP?
07:42 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
07:44 -!- bandini [n=bandini@host173-5-dynamic.6-79-r.retail.telecomitalia.it] has joined ##openvpn
07:47 < ecrist> Nirkus: yes/no
07:47 < ecrist> certificates aren't really handled in LDAP
07:47 < ecrist> the OpenVPN doesn't really care about the certificates themselves, other than they're signed by the same CA as its own certificate, and it's not on the certificate revocation list
07:48 < ecrist> as far as using LDAP, you can enable a secondary authentication and use LDAP as the backend (user/password)
08:05 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
08:08 < derek__> morning
08:16 -!- mattock [n=mattock@195.236.127.254] has quit ["Leaving."]
08:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
08:55 -!- x29a [n=x29a@unaffiliated/x29a] has quit ["tiuQ"]
09:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:03 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:20 < theDoc> !win7
09:20 < vpnHelper> theDoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
09:24 -!- pa [n=pa@unaffiliated/pa] has quit [Connection timed out]
09:30 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:35 -!- jeiworth [n=jeiworth@189.177.28.191] has joined ##openvpn
09:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:03 < derek__> krzie, you back?
10:07 < theDoc> Hi all, any idea what might be causing openvpn to not see the ca.crt even if it's the same folder? the client.ovpn file points to the right directory.
10:08 < derek__> permissions on that file?
10:08 < derek__> how do you know that it doesn
10:08 < derek__> t see the ca.crt
10:09 < theDoc> derek__: Because it throws up an error which goes, Cannot load CA certificate file ca.crt path (null) (SSL_CTX_load_verify_locations): error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
10:10 < derek__> theDoc, check permissions on it and in your config try pointing right to the file PATH/ca.crt
10:11 < Zordrak> theDoc: Your path has speces in it right?
10:11 < Zordrak> *spaces
10:12 < theDoc> Zordrak: Yes but it's in the "default" directory of C:\ProgramFiles\OpenVPN\config\ca.crt
10:12 < theDoc> So on a similar system, I do not have to specify the path, just ca ca.crt
10:12 < theDoc> Since openvpn should look into the config folder for it.
10:14 < Zordrak> try putting the whole path and escaping the spaces "\ "
10:14 < Zordrak> if it works then its a path problem, if it doesnt its a file problem
10:15 < theDoc> Zordrak: I can just ""'s to get around the spaces right?
10:15 < Zordrak> not sure.. personally I: C:\Program\ Files\OpenVPN\config
10:15 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:15 < Zordrak> as I would in linux
10:16 < theDoc> Hmm.
10:16 < derek__> I would also try making a folder in your config folder ..\OpenVPN\config\myvpn and put all your files in there
10:16 < derek__> your config, crts, keys
10:16 < theDoc> Oh doh
10:16 < theDoc> derek__: Don't worry about it, user is on Win7.
10:16 < theDoc> That might explain stuff.
10:16 < theDoc> !win7
10:16 < vpnHelper> theDoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
10:16 < Zordrak> >.<
10:16 < derek__> ah
10:25 -!- albech [n=albech@124.157.206.160] has joined ##openvpn
10:28 < theDoc> This is stumping me.
10:29 < theDoc> Like no tomorrow.
10:29 < derek__> !ifconfig
10:29 < vpnHelper> derek__: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
10:29 < derek__> !vpnHelperfixitforme
10:29 < vpnHelper> derek__: Error: "vpnHelperfixitforme" is not a valid command.
10:30 < derek__> fucker
10:30 < derek__> still the same problem doc?
10:30 < theDoc> Yes, it's Win7.
10:31 < theDoc> I suspect it could be a permissions issue.
10:33 < derek__> maybe point your %PATH% to it
10:34 < derek__> I haven't even touched vista let alone 7 so sorry I cant help you out
10:34 < theDoc> doh.
10:34 < theDoc> User fails to differentiate between Win7 and XP.
10:34 * theDoc slits his throat.
10:35 < derek__> who me?
10:35 < theDoc> derek__: The user trying to get connected to my vpn
10:36 < derek__> are you saying there is no %PATH% in vista and win7? I wouldnt know I haven't even installed them
10:36 < derek__> and its snowing outside so im pissed
10:43 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
10:44 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection]
10:45 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
10:46 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
10:50 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 104 (Connection reset by peer)]
11:00 -!- antgel [n=topdog@82-68-107-174.dsl.in-addr.zen.co.uk] has joined ##openvpn
11:00 < antgel> !howto
11:00 < vpnHelper> antgel: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:03 < antgel> hi - i'm an openswan "veteran" going back some years - have to deploy a simple vpn for a new client and looking at openvpn as openswan is so complicated. just one question which i'm not quite sure about. if their wan router can't assign the WAN IP address to one of the LAN interfaces, will openvpn work if i just forward the relevant ports from the Internet to the openvpn box on the LAN?
11:03 < antgel> sorry if it's been answered, i'm reading the docs but haven't seen what i'm looking for yet.
11:05 < antgel> ah.
11:05 < antgel> !route
11:05 < vpnHelper> antgel: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:06 < antgel> nope, that wasn't what i wanted
11:07 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:07 -!- derek__ [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
11:08 -!- derek__ [n=derek@199.85.8.1] has joined ##openvpn
11:18 < derek__> Using TAP I can get my linksys router to connect to my Active Directory server and a laptop behind the router CANT ping the server but CAN ping the ip address that the router was assigned on the servers network. Using TUN I can get the client behind the router to ping the server but cannot join the domain. Anyone have a solution to either of these problems. Sorry if this is a double post but the client said I was disconnected so I wasnt sure
11:18 < derek__> if it got posted.
11:19 < derek__> Destination Gateway Genmask Flags Metric Ref Use Iface
11:19 < derek__> 192.168.12.0 * 255.255.255.0 U 0 0 0 br0
11:19 < derek__> 192.168.11.0 * 255.255.255.0 U 0 0 0 tap0
11:19 < derek__> 10.190.5.0 * 255.255.255.0 U 0 0 0 vlan1
11:19 < derek__> 127.0.0.0 * 255.0.0.0 U 0 0 0 lo
11:19 < derek__> default 10.190.5.254 0.0.0.0 UG 0 0 0 vlan1
11:20 < derek__> wow that is nothing like how it looked in terminal
11:20 < derek__> sorry about that, thats the routers route
11:24 < ecrist> derek__: if you can get connectivity, we can't really help you with authenticating to a domain, out of the scope for OpenVPN
11:26 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 54 (Connection reset by peer)]
11:27 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:27 < derek__> no no I cant ping my domain server using TAP and when using TUN I can ping the domain server but I cant log into it. I know the credentials are right because when I use OPENVPN GUI in tap mode I can connect using the same credentials
11:28 < derek__> Im wondering if TUN allows Active Directory / NT4 domain logins, or what my TAP problem is
11:28 < ecrist> derek__: TAP requires a bunch of other configuration. You can set it up fine with tun, but you need to push a WINS server to your clients
11:28 < ecrist> tun doesn't allow/restrict anything.
11:28 < ecrist> !tunortap
11:28 < vpnHelper> ecrist: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
11:32 < derek__> ok so the problem is not TUN when it comes to my computer not being able to login to the domain
11:33 < theDoc> Question, 2.09 doesn't have the redirect-gateway parameter? I have a 2.09 client logging into the vpn and it seems that it doesn't support the redirect-gateway parameter?
11:34 < derek__> I was just kindof leery of TUN because all the openvpn tutorials that are associated with SME Linux server use tap
11:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:35 < theDoc> !win7
11:35 < vpnHelper> theDoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
11:35 < ecrist> theDoc: why do you think 2.0.9 doesn't have redirect-gateway?
11:36 < ecrist> !man
11:36 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:38 < theDoc> ecrist: Throwing up an error for me for 2.0.9 with the GUI front end.
11:38 < theDoc> ecrist: A quick google shows someone having the same problem but it's in french and I don't understand french :/
11:44 < derek__> I don't speak French
11:44 < theDoc> !win7
11:44 < vpnHelper> theDoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
11:50 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
11:50 < tompaw> Hello
11:50 < tompaw> If I got an error "error=certificate is not yet valid", is the word *yet* somehow important?
11:51 < tompaw> PS: I checked my cert's validity dates.
11:51 < ecrist> tompaw: yes, it means the time on the system that created the certificate was wrong, and set to a time/date in the future, or the time/date on the system you're using it on, is set to a date/time in the past
11:54 < tompaw> ecrist: that is very strange, I have checked the dates on both ends and they all fall into Not Before -- Not After borders.
12:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:02 < tompaw> ok, so I switched to shared key. almost there - now it's crying about "Authenticate/Decrypt packet error: cipher final failed" :-)
12:02 < tompaw> which I suppose means that there are 2 different ciphering methods on both ends
12:03 < tompaw> yeap.
12:05 -!- dok_ [n=andelyx@bb116-15-14-29.singnet.com.sg] has joined ##openvpn
12:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:05 < tompaw> ecrist: thank you for help
12:05 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has left ##openvpn []
12:05 -!- dok_ [n=andelyx@bb116-15-14-29.singnet.com.sg] has quit [Client Quit]
12:06 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:09 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
12:09 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
12:21 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Connection timed out]
12:21 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
12:21 < Ahri> hi, i'm trying to configure openvpn with a TAP (as i need broadcast for gaming). i have an active connection on eth0, a virtual tap0 from openvpn, a bridge device br0 (i have bridge and tap/tun in the kernel) but as soon as i type "brctl addif br0 eth0" i lose my connection to my headless gentoo box.... what am i doing wrong?
12:43 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
12:47 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
12:47 < tompaw> Hello again.
12:47 < tompaw> Is there a way to define a route policy based on a source ip address as a part of openvpn config
12:47 < tompaw> ?
12:55 < derek__> I think you could look at adding ccd entries to define per client rules
12:55 < derek__> !ccd
12:55 < vpnHelper> derek__: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
13:01 -!- derek__ [n=derek@199.85.8.1] has quit [Read error: 60 (Operation timed out)]
13:07 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
13:12 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:15 -!- derek__ [n=derek@199.85.8.1] has joined ##openvpn
13:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
13:23 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit ["going out to eat..."]
13:28 < derek__> :/
13:36 < derek__> I still can't connect on the domain via tun it must be a routing firewall issue or some other problem :(
13:42 < tompaw> derek__: thanks
13:42 < derek__> for what
13:57 < ecrist> derek__: it's either WINS or firewall
13:57 < ecrist> probably both
13:57 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 113 (No route to host)]
13:59 -!- c64zottel [n=hans@p5B17AD90.dip0.t-ipconnect.de] has quit ["Leaving."]
13:59 < derek__> k
14:00 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has joined ##openvpn
14:00 < derek__> is it something to do with my push domain even though I am pushing domain and dns for some reason it doesn't use the vpn tunnel and goes out through the router's wan connection
14:00 < ecrist> no idea, not a windows guy
14:01 < derek__> yeah, but on my ubuntu same thing
14:01 < derek__> if I'm pushing dns shouldn't the local domain pop up from 192.168.11.1 which is my local network
14:03 -!- omega42 [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
14:03 -!- omega42 [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has joined ##openvpn
14:03 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
14:03 * plaerzen waves
14:03 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
14:19 -!- niceuser [n=j@adsl-76-255-237-57.dsl.lsan03.sbcglobal.net] has quit [Read error: 113 (No route to host)]
14:20 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 110 (Connection timed out)]
14:22 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
14:31 -!- omega42 [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
14:31 -!- omega42 [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has joined ##openvpn
14:36 -!- derek__ [n=derek@199.85.8.1] has quit ["Leaving"]
14:39 -!- x29a [n=x29a@unaffiliated/x29a] has quit [Read error: 110 (Connection timed out)]
14:41 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
14:41 * ecrist waves at plaerzen
14:42 < plaerzen> long time no irc, irc.
14:46 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:16 -!- x29a [n=x29a@unaffiliated/x29a] has joined ##openvpn
15:32 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:44 -!- troy- is now known as troy
16:18 -!- x29a [n=x29a@unaffiliated/x29a] has left ##openvpn ["evaeL"]
16:29 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
16:37 < tompaw> hello again
16:38 < tompaw> could you please consider the following scenario: http://www.tompaw.pl/iptables.txt
16:39 < tompaw> so I got this /24 LAN of mine
16:39 < tompaw> and its GW running pfsense
16:39 < tompaw> I have set up an openvpn tunnel between my gateway and some remote location
16:40 < tompaw> and have convinced the GW to normally NAT the whole /24 lan *BUT* one lucky IP address
16:40 < tompaw> this one lucky ip address gets forwarded onto the tunnel
16:40 < tompaw> so when I run tcpdump at tun0 (remote location) I can see the packets like: 10.48.1.148 -> google.com
16:41 < tompaw> so far, does anyone understand what I'm saying? ;>
16:42 < tompaw> anyway, my question right now is: what kind of rules do I need on that 5.0.0.2/6.7.8.9 PC so it acts as a gateway for 10.48.1.148?
16:43 -!- nowen [n=nowen@adsl-219-227-19.asm.bellsouth.net] has joined ##openvpn
16:43 < tompaw> is it even possible to make it work?
16:46 < magic_1> hhhmmmm
16:47 < magic_1> sorry but i'm not entirely sure i understand the question
16:47 < tompaw> I have just completed the .txt file if you care to refresh.
16:47 < tompaw> The question is: How to configure iptables @ 5.0.0.2/6.7.8.9 PC, so that 10.48.1.148 can access
16:47 < tompaw> the Internet without even realising it's going through a remote gateway.
16:48 < magic_1> well that would happen in your routing table
16:48 < tompaw> I have spent the last 3 hours upgrading my gateway to a Release Candidate version, cause that was the only way to make it work in terms of forwarding the whole lucky ip traffic to an openvpn interface.
16:48 < magic_1> you are going to have to setup a gateway that can route the way you want it to happen
16:49 < tompaw> So now if I get it right, this remote end of the tunnel has to do the nat, am I correct?
16:49 < magic_1> well yes if that is where you wanna break out to the net
16:49 -!- nowen [n=nowen@adsl-219-227-19.asm.bellsouth.net] has left ##openvpn []
16:49 < tompaw> yes, that is the whole point.
16:50 < magic_1> or to what ever network that is different
16:50 < tompaw> it's all about the Internet and Microsoft stupid Xbox Live policy...
16:50 < tompaw> some stuff cannot be legally *purchased* if your ip does not belong to a country blessed by the MS.
16:50 < magic_1> hhhmm, well i run my xbox live through a couple of vpns
16:51 < tompaw> a couple? why isn't one enough?
16:51 < magic_1> i manage a lot of networks so a lot of times when i'm testing the routings i use the xbox a lot
16:52 < tompaw> whoa, nice :-)
16:53 < tompaw> so my set up has a small chance of working?
16:54 < tompaw> actually, I just ran my tcpdump on the eth0 of the remote pc
16:54 < magic_1> yes by all means if you configure your routing correctly
16:55 < tompaw> and it looks like the packages are properly routed that way
16:56 < tompaw> hm... but they don't seem to be returning to my external interface
16:57 < tompaw> probably because the source IP is not replaced with a proper external IP and the ping'd host cannot respond to it.
16:57 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:57 < tompaw> so now the question to you... how many trillion lines of rules do I have to write to make it work?
17:04 < tompaw> ha, added a SNAT rule, and the source address is being translated
17:04 < tompaw> and the pings come back to the remote server
17:04 < tompaw> now the last question:
17:04 < tompaw> how do I send them back to 10.48.1.148?
17:04 -!- flaccid [n=chris@220.233.185.127] has quit [Read error: 60 (Operation timed out)]
17:06 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
17:07 < tompaw> magic_1: could you please have another look at my text file? http://www.tompaw.pl/iptables.txt
17:10 < tompaw> got it! now I need to permit it on my GW :-)
17:17 < tompaw> whoa! it works! :-)
17:20 < tompaw> hm... almost
17:20 < tompaw> ping works
17:20 < tompaw> and nothing else :P
17:24 < tompaw> hm... it looks like nothing else but icmps is forwarded from tun0 to eth0
17:32 < tompaw> yeah! it is now
17:32 < tompaw> thanks for help :-)
17:37 -!- elbenfreund [n=elbenfre@f049040216.adsl.alicedsl.de] has joined ##openvpn
17:43 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
17:53 -!- elbenfreund1 [n=elbenfre@g229219119.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
17:57 -!- Shinu [n=Shinu@unaffiliated/shinu] has joined ##openvpn
17:57 -!- Shinu [n=Shinu@unaffiliated/shinu] has quit [Client Quit]
18:13 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
18:15 -!- jeiworth [n=jeiworth@189.177.28.191] has quit [Read error: 60 (Operation timed out)]
18:15 < ^scott^> Hi! I'm trying to use --udp on a server and I've found that when a client connects to a secondary IP address on the OpenVPN server, the server responds from the main IP address of the server. It doesn't behave like this on TCP. Is there a way around this?
18:18 < ^scott^> Well, it works fine if I use --tcp, or if I use --remote. I really want to be using UDP here, because I'm tunneling VoIP. And I don't want to use --remote because I'm doing advanced routing rules based on IP addresses, so it's important that the IP addresses stay distinct.
18:19 < ^scott^> And I don't want to have to start a daemon for each IP address, not to mention having to route packets at the OS layer between each daemon.
18:23 < reiffert> have a look at the --local option.
18:24 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
18:25 < ^scott^> Yea, I'll need to bind to multiple local addresses. Lemme see if I can start openvpn with multiple --local's
18:25 < ^scott^> Nooo, that was too easy.
18:26 < ^scott^> This could be working. Exciting!!!
18:31 < ^scott^> Oh this is great. I feel stupid for not thinking of multiple --local's. Thank you reiffert!
18:36 < reiffert> yw
18:47 < ^scott^> Awww man. Never mind, that didn't work
18:47 * flaccid installs ssl-admin from freebsd ports
18:47 < ^scott^> It seems that OpenVPN is only listening on the last --local option in the config file.
19:09 < reiffert> ^scott^: what's your openvpn version?
19:10 < reiffert> anyway, upgrade to 2.1rc17
19:20 < flaccid> anyone use ssl-admin? it seems very um buggy
19:23 < flaccid> ecrist are you alive ??
19:24 < flaccid> http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed ironically fails to make the process easy as it doesn't mention what to run with ssl-admin after first time creating CA
19:26 < flaccid> should i just do 4) Perform a one-step request/sign ?
00:30 < ecrist> Nirkus: there is an OpenLDAP user/path authentication script included with OpenVPN source.
00:35 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)]
00:38 -!- project2501a [n=gmarseli@93.97.20.215] has joined ##openvpn
00:42 -!- jfkw [n=jtk@75.94.107.246] has quit ["leaving"]
01:08 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
01:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:36 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
01:47 -!- master_of_master [i=master_o@p549D3DF3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:52 -!- master_of_master [i=master_o@p549D3ABC.dip.t-dialin.net] has joined ##openvpn
02:11 -!- sam_ [n=sam@222.66.224.110] has quit [Remote closed the connection]
02:17 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has joined ##openvpn
02:17 < maxagaz> hi
02:17 < flaccid> rightio ^scott^ i think i worked out ssl-admin just testing the client now
02:18 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn
02:18 < maxagaz> is it a problem if the version of openvpn isn't the same between the server (on ubuntu) and a client (on xp) ?
02:19 < flaccid> shouldn't be maxagaz but it is possible there could be a problem; see logs if so
02:19 < maxagaz> ok thanks
02:23 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
02:24 < flaccid> np
02:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:26 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit []
02:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:56 < maxagaz> once the vpn works, how to allow a user to open its samba profile on the server ?
03:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:07 -!- ttf [n=tom@unaffiliated/ttf] has left ##openvpn []
03:20 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection]
03:45 < maxagaz> it's solved
03:45 < maxagaz> how to allow a user (not the administrator) on xp to use openvpn ?
03:47 < flaccid> good question
03:48 < flaccid> a limited user?
03:50 < maxagaz> flaccid, yes
03:50 < flaccid> what's the error message you get when trying ?
03:50 < maxagaz> it seems to work now...
03:51 < flaccid> rightio
04:21 < flaccid> what is a CRL ie. crl.pem ?
04:21 < Bushmills> oh. flaccid, here as well :)
04:22 < flaccid> yeah i guess so
04:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:33 < flaccid> ok cool i got a connection now
04:44 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Nirkus, sfire
04:45 -!- Netsplit over, joins: sfire
04:50 < dazo> For those of you who got some time to spend working on an open source project related to OpenVPN .... https://sourceforge.net/people/?group_id=236344
04:50 < vpnHelper> Title: SourceForge.net: eurephia: Help Wanted (at sourceforge.net)
04:51 < flaccid> can someone give me a hand with routing? i don't seem to be able to ping between the client and server
04:59 < flaccid> hmm that's a big mystery
04:59 < reiffert> did you ever manage to ping the server?
05:00 < flaccid> not through vpn. this is first time running
05:02 < reiffert> !configs
05:02 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
05:04 < flaccid> reiffert: http://pastie.org/501451 thank you
05:04 < flaccid> note client nic for lan is on 192.168.0.5
05:04 < flaccid> server lan nic ip is 10.1.1.20
05:05 * dazo just discovered ... http://adito.wiki.sourceforge.net/what_is_adito
05:05 < Bushmills> flaccid, how do you know that you have a connection?
05:05 < flaccid> logs
05:05 < Bushmills> ifconfig shows tun devices?
05:06 < flaccid> yep at the top of the pastie above
05:06 < reiffert> flaccid: server LAN NIC IP is 10.1.1.20 and the VPN tunnel got an IP in the SAME subnet?
05:07 < flaccid> yeah that's at the top of the paste too
05:07 < reiffert> this will not work.
05:07 < reiffert> you will have to use a different subnet for the VPN tunnel.
05:07 < reiffert> go back to
05:07 < reiffert> !howto
05:07 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:07 < flaccid> okies
05:09 < flaccid> i'll go the example one server 10.8.0.0 255.255.255.0
05:09 < flaccid> is ; a comment as well as # ?
05:14 -!- Nirkus [i=rmf2mlh@bussle.hadiko.de] has joined ##openvpn
05:14 < flaccid> i'm assuming so
05:25 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has quit ["bbl"]
05:34 < flaccid> ok cool i think i got it now
05:34 < flaccid> cool looks like i can smb sweet
05:37 < flaccid> ok now just gotta route the server's lan subnet
05:49 < flaccid> reiffert could you help me with that ?
05:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:57 < flaccid> do i need to use client-config-dir ccd to do that ?
05:57 < flaccid> do routes not suffice?
06:08 -!- c64zottel [n=hans@p5B17AEE8.dip0.t-ipconnect.de] has joined ##openvpn
06:14 -!- sukriN [i=rmf2mlh@bussle.hadiko.de] has joined ##openvpn
06:14 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has quit [Read error: 113 (No route to host)]
06:23 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has joined ##openvpn
06:23 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
06:29 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: worch, code-
06:30 < antgel> hi - i'm an openswan "veteran" going back some years - have to deploy a simple vpn for a new client and looking at openvpn as openswan is so complicated. just one question which i'm not quite sure about. if their wan router can't assign the WAN IP address to one of the LAN interfaces, will openvpn work if i just forward the relevant ports from the Internet to the openvpn box on the LAN? sorry if it's been answered, i'm reading the
06:31 -!- Netsplit over, joins: code-, worch
06:32 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has quit ["Leaving"]
06:45 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: worch, code-
06:45 -!- Netsplit over, joins: code-, worch
06:48 < cpm> antgel, I think so. I know how to find out
06:49 < cpm> that's kinda kludgy though, best to have the openvpn 'server' directly accessible.
06:49 < cpm> what is a wan router?
06:53 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: worch, code-
06:55 -!- Netsplit over, joins: code-, worch
07:02 < antgel> cpm: thanks for answering - it's a box that on one hand has an ADSL connection to the WAN, and on the other hand has ethernet ports for machines on the LAN
07:04 < antgel> i did some more reading - i don't see why it's a bad solution to install openvpn on the actual samba server they need access to, and then just forward port 1194 from the Internet
07:04 < flaccid> i'm confused on what directives to set on client and server so they can access each other's local lan subnets. server is 10.8.0.0 with local lan 10.1.1.0 and client is local lan 192.168.0.0/24. what do i need to set so it works?
07:05 < flaccid> antgel the answer is yes
07:07 < antgel> flaccid: thanks. certainly a convenient approach for a simple setup
07:07 < flaccid> that's the idea
07:08 < flaccid> it's client-server model
07:08 < flaccid> nothing special about it
07:08 < antgel> i'm looking forward to trying the windows client and config - this was always a pain with openswan and x.509 certs *shudder*
07:09 < flaccid> well openvpn is x.509 certs as well
07:12 -!- Lilarcor [n=Lilarcor@216-15-44-102.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
07:12 -!- Lilarcor [n=Lilarcor@216-15-44-102.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Client Quit]
07:37 -!- |Xabbu [n=snafu@p5B25D338.dip.t-dialin.net] has joined ##openvpn
07:40 -!- sukriN is now known as Nirkus
07:41 < |Xabbu> Hi @ll, can anyone help me to troubleshoot an openvpn-setup? I have the openvpn-Connection running, but the internet-traffic is not routed through my VPN.
07:43 < ecrist> |Xabbu: redirect-gateway, set up NAT on the VPN server
07:45 -!- mattock [n=mattock@195.236.127.254] has quit ["Leaving."]
07:45 < |Xabbu> ecrist: does that work with TAP as well?
07:47 < antgel> flaccid: yes, but doesn't openvpn have some software to make configuring windows clients easy?
07:48 < |Xabbu> ecrist: This is my server.ovpn: http://pastebin.com/d1cb957c2 and here is my Client: http://pastebin.com/d315c868d
07:49 < |Xabbu> as you see, I have redirect-gateway enabled. But it does not work.
07:56 < |Xabbu> !redirect
07:56 < vpnHelper> |Xabbu: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:59 < |Xabbu> ecrist: Those are my routes with and without the openvpn connection: http://pastebin.com/pastebin.php?diff=d18393d6a
08:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
08:11 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
08:12 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
08:24 -!- sfire [n=sfire@businessservers.info] has quit [Read error: 113 (No route to host)]
08:25 -!- elbenfreund [n=elbenfre@f049040216.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
08:33 -!- sfire [n=sfire@204.11.33.83] has joined ##openvpn
08:51 -!- pekster [n=pekster@76.113.143.76] has quit [Read error: 113 (No route to host)]
08:54 -!- elbenfreund [n=elbenfre@f049040216.adsl.alicedsl.de] has joined ##openvpn
08:57 < flaccid> antgel not required. there is not really anything to do. there is easy-rsa or ssl-admin or openssl direct for doing the ssl/tls part
08:58 < flaccid> ecrist wouldn't mind a nag to get my client to client going
08:58 < flaccid> well client access to server lan subnet and vice versa. i'm using route and push route with no luck
09:16 < ecrist> flaccid: have you read the docs?
09:16 < ecrist> !freebsd
09:16 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:16 < ecrist> that's nearly a complete walk-through on freebsd
09:17 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
09:22 < |Xabbu> ecrist: Do you have any idea why the traffic is not routed through my VPN although I have the redirect-gateway option enabled?
09:34 < cpm> what's your routing table look like?
09:42 -!- jeiworth [n=jeiworth@189.177.28.191] has joined ##openvpn
09:44 < |Xabbu> cpm: http://pastebin.com/pastebin.php?diff=d18393d6a
09:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:22 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
10:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:32 < |Xabbu> cpm? Are you still there?
10:55 -!- jeiworth_ [n=jeiworth@189.177.18.48] has joined ##openvpn
11:04 -!- plaerzen is now known as serten
11:10 -!- jeiworth [n=jeiworth@189.177.28.191] has quit [Read error: 110 (Connection timed out)]
11:10 -!- serten is now known as plaerzen
11:34 -!- jeiworth_ [n=jeiworth@189.177.18.48] has quit [Read error: 104 (Connection reset by peer)]
11:35 -!- nutellaz [i=iylea@infinite.alien.net] has joined ##openvpn
11:35 < nutellaz> is there any software i could use to route all my traffic through the vpn?
11:35 < nutellaz> i'm on windows
11:36 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 113 (No route to host)]
11:37 -!- jeiworth [n=jeiworth@189.177.18.48] has joined ##openvpn
11:38 < nutellaz> !configs
11:38 < vpnHelper> nutellaz: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
11:45 < |Xabbu> nutellaz: Welcome to the club. I'm actually looking for the same answer. Could you post your server and client-config to pastebin.com? I might be able to help you out.
11:59 < nutellaz> brb
11:59 -!- nutellaz [i=iylea@infinite.alien.net] has quit ["leaving"]
12:00 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:08 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:19 -!- c64zottel [n=hans@p5B17AEE8.dip0.t-ipconnect.de] has quit ["Leaving."]
12:20 < Bushmills> !def1
12:21 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:35 < |Xabbu> Bushmills: if that was for me, it did not do the trick. The routing did not change.
12:45 -!- jeiworth_ [n=jeiworth@189.177.34.159] has joined ##openvpn
12:47 -!- jeiworth [n=jeiworth@189.177.18.48] has quit [Read error: 104 (Connection reset by peer)]
12:55 -!- Hydrant [n=aj@CPE0011950c737b-CM0012c90d1420.cpe.net.cable.rogers.com] has quit [Remote closed the connection]
12:59 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:59 < reiffert> |Xabbu: is there any vmware involved?
13:00 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Success]
13:00 < |Xabbu> reiffert: No. I just connect to my OpenWRT-Box over the Internet and start my OpenVPN-Client on my Windows-Box.
13:01 < ecrist> |Xabbu:
13:01 < ecrist> !configs
13:01 < reiffert> Uh, openwrt. paste: ifconfig -a
13:01 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
13:01 < |Xabbu> But I fear that either me having a static IP @work or using the normal DHCP-Server in my LAN @home might be a problem.
13:01 < reiffert> |Xabbu: from the server, while being connected, paste: ifconfig -a
13:03 < |Xabbu> reiffert: ifconfig -a gives me: http://pastebin.com/d7b373a88
13:04 < |Xabbu> reiffert: did you see my pastebins with the configuration?
13:09 -!- Intensity [i=[1ShoZMA@unaffiliated/intensity] has joined ##openvpn
13:09 < reiffert> paste: brctl show
13:09 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
13:13 < |Xabbu> reiffert: here is brctl: http://pastebin.com/d7cbe6f12
13:16 < |Xabbu> reiffert: Don't get me wrong (I am German, so my English might not be the best), but, actually: I _can_ connect to the LAN, I get an IP and can access any server in my HomeLAN. I just have this small little problem of getting the routing on my Windows-Box ("Road-Warrior") to use the VPN instead of the "normal" Internet connection. OR: I just did not understand as much as I thought about VPN and you knew all along that I have the Connect
13:17 -!- xattack [i=xattack@132.248.108.239] has quit []
13:18 < reiffert> |Xabbu: ah.
13:18 < reiffert> !def1
13:18 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:19 < reiffert> been there?
13:20 < reiffert> using "dev tap" in client.conf?
13:21 < reiffert> paste route before openvpn and after on windows
13:21 < reiffert> paste complete client log verb 3
13:24 < |Xabbu> route before and after: http://pastebin.com/pastebin.php?diff=d18393d6a, I tried redirect-gateway with and without def1, Config is here: server.ovpn: http://pastebin.com/d1cb957c2 and here is my Client: http://pastebin.com/d315c868d , and client-log is http://pastebin.com/d9df721
13:25 < reiffert> http://pastebin.com/pastebin.php?diff=d18393d6a is this with def1?
13:26 < |Xabbu> the output of route PRINT on my windows box does not change whether I use def1 in my serverconfig or not.
13:27 < |Xabbu> Yes it is with def1
13:27 < reiffert> client log with def1?
13:29 < |Xabbu> Yup.
13:29 < reiffert> #
13:29 < reiffert> push "redirect-gateway" # redirects the client's Internet traffic to the server
13:30 < reiffert> def1 is missing.
13:30 < reiffert> set it, restart ovpn
13:30 < |Xabbu> *g* Yes it does. That actually is the one config without def1.
13:31 < reiffert> server: a line with server-bridge is missing
13:32 < |Xabbu> After I posted it, I set the option in my serverconfig, closed the Connection and restarted the Server. Then I connected again. The Log and routing pastebin is the result of the connection with def1.
13:32 < reiffert> read stop
13:32 < reiffert> stop
13:32 < reiffert> solution:
13:32 < reiffert> add "client" to client.conf
13:33 < reiffert> --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that
13:33 < |Xabbu> anywhere in the config, or does it have to be before (or after) dev tap?
13:33 < reiffert> --pull This option must be used on a client which is connecting to a multi-client server. It indicates to OpenVPN that it should accept options pushed by the server, provided they are part of the legal set of pushable options (note
13:33 < reiffert> that the --pull option is implied by --client ).
13:33 < reiffert> read this.
13:33 < reiffert> In particular, --pull allows the server to push routes to the client, so you should not use --pull or --client in
13:33 < reiffert> situations where you don't trust the server to have control over the client's routing table.
13:35 < reiffert> no difference
13:35 < reiffert> don't forget to add server to server.conf
13:35 < reiffert> btw
13:36 < reiffert> !howto covers example configs
13:36 < vpnHelper> reiffert: Error: "howto" is not a valid command.
13:36 < reiffert> even bridging
13:36 < reiffert> have a nice day.
13:36 < reiffert> !howto
13:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:36 < |Xabbu> Ok, I just tried to add "client2 to my client.conf and got the following error: Options error: specify only one of --tls-server, --tls-client, or --secret
13:37 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
13:49 < reiffert> client2?
13:50 < reiffert> I'd propose to better read up stuff in the manpage, howto and in the example configs (howto).
13:55 -!- c64zottel [n=hans@p5B17AEE8.dip0.t-ipconnect.de] has joined ##openvpn
13:56 < |Xabbu> reiffert: Just a typo. I meant "client" (on my keyboard the " is above the 2). I just started to read and found out that I cannot use "server-bridge" and "secret" together.
13:57 < |Xabbu> I'm setting up the certs right now.
14:07 -!- jeiworth_ [n=jeiworth@189.177.34.159] has quit [Success]
14:11 -!- |Xabbu1 [n=snafu@buero.tvollmer.de] has joined ##openvpn
14:11 < |Xabbu1> hey reiffert: thanks for the help. It works!
14:12 < reiffert> yw
14:13 < |Xabbu1> Have a nice day (or night, whatever it is)!
14:15 -!- |Xabbu1 [n=snafu@buero.tvollmer.de] has quit [Client Quit]
14:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:22 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
14:23 < Ahri> hi guys, can i get some help with an openvpn bridging issue? i need a bridge for broadcast repeats across the network, a tunnel won't cut it. when i add my (currently used) eth0 to the bridge my connection dies (which is a bit of an issue for a headless server!)
14:26 < Ahri> do i need to reconfigure my eth0 (down/up) after adding it to a bridge?
14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:29 -!- |Xabbu [n=snafu@p5B25D338.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
14:34 < reiffert> Ahri: the bridge itself is a network interface
14:34 < reiffert> Ahri: the bridge itself will need an ipaddress.
14:35 < reiffert> Ahri: all interfaces that belong to a bridge do NOT carry an ip address.
14:35 < reiffert> hamburg:~# brctl show
14:35 < reiffert> bridge name bridge id STP enabled interfaces
14:35 < reiffert> br0 8000.0002b302faf7 no eth1 tap0
14:35 < reiffert> eth1 and tap0: no ip address.
14:36 < reiffert> br0: got one.
14:39 < Ahri> reiffert: oh..... hmmm right
14:39 < Ahri> obviously i have a big misunderstanding here then
14:40 < Ahri> so eth0 becomes merely a device to communicate over, and br0 becomes the working network "adapter"
14:40 < reiffert> yes
14:41 < Ahri> reiffert: thanks for explaining that; i've spent hours reading, tweaking, recompiling, asking, and you just saved the day :)
14:41 < reiffert> want my paypal address?
14:42 < Ahri> sure :)
14:44 < Ahri> (i'm not joking :P)
14:44 < reiffert> Lemme remember the account name ..
14:44 < reiffert> I think it's thomas@reifferscheid.org
14:45 -!- throughnothing [n=will@74.205.24.229] has quit [Read error: 60 (Operation timed out)]
14:46 < Ahri> ok, so bearing in mind i'm shelled into the box right now; i'm going to: create the bridge, take down eth0, add eth0 to the bridge, add tap0 to the bridge, bring up br0... or should i do something else with tap0 first?
14:46 < reiffert> personally I bring up the bridge, add eth0 and add the tap adapter within server config like this:
14:47 < reiffert> up foo.sh
14:47 < reiffert> and within foo.sh:
14:47 < reiffert> #!/bin/bash
14:47 < reiffert> ifconfig tap0 up
14:47 < reiffert> brctl addif br0 tap0
14:47 < reiffert> exit 0
14:47 < Ahri> Adam, you have sent £5.00 GBP to Thomas.
14:47 < Ahri> so's you knows
14:48 < reiffert> Many thanks!
14:48 < reiffert> .oO Insert coin to continue :ppp
14:48 -!- throughnothing [n=will@74.205.24.229] has joined ##openvpn
14:48 < Ahri> let's hope the email address is right ;D
14:48 < Ahri> hrm, ok i'll have a think about this then
14:49 < Ahri> how do you mean "within server config"?
14:49 < reiffert> within the server config file
14:49 < reiffert> server.config or whatever its name is ..
14:50 < reiffert> are we talking 'bout client or server side?
14:50 < Ahri> server side
14:50 < reiffert> linux?
14:50 < Ahri> yup
14:50 < reiffert> /etc/openvpn/server.config or similar then
14:50 < reiffert> What linux distribution have you got?
14:51 < Ahri> gentoo
14:51 < reiffert> ah well, I have no idea how to bring up a bridge the gentoo way...
14:51 < reiffert> brctl addbr br0
14:51 < Ahri> i'll get it done manually and then worry about the gentoo way ;)
14:52 < reiffert> ifconfig br0 192.156.7.8 whatever it needs
14:52 < reiffert> brctl addif br0 eth0
14:52 < reiffert> ifconfig eth0 0.0.0.0 promisc up
14:52 < Ahri> so i can't allocate the bridge an ip by dhcp?
14:53 < reiffert> feel free to...
14:53 < reiffert> dhclient br0 IIRC
14:54 < reiffert> I'd recommend the gentoo way ...
14:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:54 < Ahri> hm, ok, i'll do some more research on the gentoo way then since you think it's a better idea
14:56 < reiffert> you might try the manual approach first, hacking strange command lines into your shell
14:56 < reiffert> and set it up once you have it up n running
14:56 < Ahri> out of interest, how can br0 be allocated a dhcp ip prior to having eth0 added to it?
14:56 < reiffert> Your logic analyzer is working correctly, congrats.
14:57 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
14:59 < Ahri> woo hoo, i shelled into the box on its br0 static ip
15:00 < Ahri> heh, i notice the br0 device has a different MAC from my ethernet device
15:01 < reiffert> yup
15:02 < Ahri> i find all this quite fascinating :)
15:03 < reiffert> And on top of this you look like you pick up this new stuff very quickly!
15:03 < Ahri> so after i've brought up the bridge and everything, that's presumably the time that i actually start up openvpn?
15:03 < Ahri> thanks ;)
15:03 < reiffert> "and everything"?
15:04 < Ahri> s/ and everything// :)
15:05 < reiffert> yup
15:05 < reiffert> go ahead
15:05 < reiffert> in fact there are two ways of adding the tap adapter: before openvpn gets started and after that. You already should know how to do the latter
15:17 < Ahri> well, thanks a lot reiffert, i'm gonna watch a movie now, but i guess i'll be back over the course of the weekend when i run into further difficulties ;) thank you very much for your help
15:17 < reiffert> welcome
15:17 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit ["Trek time!"]
15:25 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
15:32 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
15:41 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:03 -!- flokuehn [n=flokuehn@62.111.103.27] has quit [Remote closed the connection]
16:04 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
16:22 -!- ovnicraft [n=ovnicraf@190.154.63.55] has joined ##openvpn
16:22 -!- ovnicraft [n=ovnicraf@190.154.63.55] has left ##openvpn ["Leaving"]
16:36 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
16:48 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
17:15 < krzie> moinmoin
17:16 < troy> if i bridge a physical interface with a tun interface will a device connected to the physical interface pull an IP from DHCP like normal?
17:16 < troy> DHCP server being on the other side of the tunnel
17:16 < krzie> i believe server-bridge can specify dhcp
17:16 < krzie> let's check...
17:16 < krzie> !man
17:16 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:18 < krzie> If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that gateway information should not be pushed to the clien
17:18 < krzie> that's what you wanted?
17:20 < krzie> troy...?
17:25 < troy> not quite sure yet
17:26 < krzie> but that was basically your question, right?
17:26 < krzie> if a bridged client can get ip via dhcp
17:26 < krzie> and if so, how
17:26 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:26 < krzie> or did i answer something you didn't ask?
17:27 < troy> ah, yes you answered it
17:27 < krzie> cool =]
17:28 < troy> krzie, but should i need that flag if clients are receiving IPs already
17:28 < troy> what i'm trying to do is just pass through an IP from the tap adapter to the physical adapter
17:30 < krzie> no such thing
17:30 < krzie> after you bridge them there's 1 ip for the bridge adapter
17:30 < krzie> and that bridge adapter represents both, if i understand it correctly
17:30 < krzie> hopefully if im wrong reiffert will correct me
17:30 < krzie> i haven't bridged in a long long time
17:31 < troy> ah, i would have thought the bridge adapter wouldn't get an IP
17:31 < troy> since it's passive
17:34 < krzie> yes the bridge adapter gets the ip
17:34 < krzie> which counts for tap AND physical
17:34 < krzie> in my understanding
17:34 < krzie> but hell, i admit to not knowing too much bout bridging
17:35 < krzie> in fact i think i have to be wrong cause then it couldn't contact its gateway
17:35 < krzie> so maybe reif is better suited to give the right answer when he pops back in
17:37 -!- elbenfreund1 [n=elbenfre@f051103192.adsl.alicedsl.de] has joined ##openvpn
17:37 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:47 -!- master_of_master [i=master_o@p549D3ABC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:49 -!- master_of_master [i=master_o@p549D7E8C.dip.t-dialin.net] has joined ##openvpn
17:54 -!- elbenfreund [n=elbenfre@f049040216.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
18:02 -!- Haraken [i=ryuk@unaffiliated/haraken] has quit [Excess Flood]
18:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Excess Flood]
18:05 -!- Haraken [i=ryuk@unaffiliated/haraken] has joined ##openvpn
18:15 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Remote closed the connection]
18:15 -!- jeiworth [n=jeiworth@189.177.37.65] has joined ##openvpn
18:28 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn
18:38 -!- c64zottel [n=hans@p5B17AEE8.dip0.t-ipconnect.de] has left ##openvpn []
18:50 -!- S1lv3R [n=No@S3SYSTEM.Net] has joined ##openvpn
18:51 < S1lv3R> hello
18:51 < S1lv3R> !howto
18:51 < vpnHelper> S1lv3R: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:51 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn
18:52 -!- pekster is now known as Guest21947
18:52 < S1lv3R> VERIFY ERROR: depth=0, error=self signed certificate: - What's wrong?
18:53 < krzie> you made the certs wrong
18:53 < krzie> most likely, unless there's another error above
18:55 < S1lv3R> i was trying this HowTo = wiki.openvpn.eu/index.php/Config_ServerNET_Routing
18:55 < krzie> try this one:
18:55 < krzie> !howto
18:55 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:03 < krzie> also if you run freebsd you have ssl-admin in ports
19:03 < krzie> great CA management tool
19:03 < krzie> for generating/signing your certs with a nice lil CLI interface
19:06 < reiffert> more command line interface than openssl?
19:08 < krzie> well i mean like a menu driven cli interface
19:08 < krzie> i said it wrong
19:09 < krzie> it very much simplifies openssl cert generating for openvpn
19:09 < krzie> you haven't checked it out reif?
19:10 * reiffert master of openssl :p
19:18 < S1lv3R> ohh cool it's working
19:18 < S1lv3R> Your howtos are great
19:18 < S1lv3R> thank you so much
19:25 < reiffert> S1lv3R: that's the official openvpn howto :)
19:27 < S1lv3R> (o; When i change the local ip to url i have access from outside ?
19:27 < S1lv3R> in the server server.conf
19:32 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)]
19:45 < krzie> S1lv3R i don't understand the question
20:11 -!- jeiworth [n=jeiworth@189.177.37.65] has quit [Read error: 110 (Connection timed out)]
20:15 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
20:16 < flaccid> anyone alive that can help me with routes? i have a successful client-server connection but am failing to get each side to reach each other's LAN subnets
20:16 < krzie> !route
20:16 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:16 < krzie> thank you drive through
20:17 < flaccid> thanks krzie i'll go over it
20:19 < flaccid> oh that document krzie i followed, but no luck. could you look for me ?
20:20 < krzie> ok
20:20 < krzie> but if it's spelt out in my doc im sending you back to it
20:21 < krzie> !configs
20:21 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
20:22 < flaccid> krzie let me just confirm. the doc is not entirely clear tbh. is iroute/ccd required? it kind of reads that only the push and route directives are
20:22 < flaccid> hmm maybe i do
20:22 < krzie> !iroute
20:22 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
20:23 < flaccid> !ccd
20:23 < vpnHelper> flaccid: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
20:23 < flaccid> yeah i don't need ccd
20:24 < krzie> note, the exact words from !iroute are in my doc
20:24 < krzie> (i know this because i made them both)
20:24 < krzie> ok, no lan behind your client?
20:25 < flaccid> there is a lan yes but it says ccd is only for specified client base. in this case there is only 1 client so i don't need ccd
20:25 < krzie> yes, you do
20:25 < krzie> This is only needed when connecting a
20:25 < krzie> LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route
20:25 < krzie> is there somewhere there where i say "unless you only have 1 client" ?
20:25 < krzie> or did you add that in your head
20:26 < flaccid> no but ccd says 'but only for the specified client based on common-name'
20:26 < flaccid> so i don't need to use ccd
20:26 < krzie> yes, the specified client is the client connecting with a lan behind it
20:26 < flaccid> you need ccd to be able to use iroute?
20:26 < krzie> YES
20:26 < krzie> !iroute
20:26 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
20:27 < krzie> and therefore belongs in a ccd entry.
20:27 < krzie> is english your first language?
20:28 < flaccid> the manual says "This option must be specified either in a client instance config file using --client-config-dir or dynamically generated using a --client-connect script."
20:28 < krzie> is there part of that which doesn't make sense?
20:29 < krzie> it says MUST
20:29 < flaccid> it says 'client instance config file' . which indicates to me i can put it in client.ovpn
20:29 < krzie> dude
20:29 < krzie> it goes on to say what it can be used in
20:29 < krzie> are you being serious?
20:30 < krzie> a client instance config file using --client-config-dir
20:30 < krzie> aka a ccd entry
20:30 < krzie> just like !iroute and my doc say
20:30 < krzie> is there a reason you think the bot, my doc, me, and the manual are lying to you?
20:30 < flaccid> so a ccd is a client instance config file ?
20:30 < krzie> cause we're all telling you the same thing
20:31 < krzie> yes!
20:31 < flaccid> then what does ccd stand for ?
20:31 < krzie> client config dir
20:31 < krzie> --client-config-dir
20:31 < flaccid> rightio
20:31 < krzie> my turn... what's the square root of pi squared?
20:32 < flaccid> are you usually this rude ?
20:32 < krzie> nah, bad day
20:32 < krzie> taking it out on everyone who interacts with me
20:32 * flaccid gives you a check your head pill
20:32 < krzie> a blunt would be more effective
20:33 < krzie> but im at work so no blunt for me =/
20:33 < flaccid> ah that's a shame coz i could make you one haha
20:34 < flaccid> ok so i'll do client-config-dir ccd
20:34 < flaccid> when you just specify no path for a config directive param, is that relative to the config directory of openvpn ie. /usr/local/etc/openvpn in my case?
20:36 < krzie> ok so i'll do client-config-dir ccd
20:36 < krzie> that would make ccd/ the dir
20:36 < krzie> you have 2 good choices to make there
20:36 < krzie> you can either use --cd above to let it know what working dir to be in
20:36 < krzie> or you can use full paths
20:37 < krzie> only reason to ever use --cd is portability really
20:37 < krzie> full paths is what i'd recommend
20:39 < flaccid> and ccd/ is relative to what ?
20:39 < krzie> no idea, l;ikely the dir you are in when you start openvpn
20:39 < flaccid> rightio
20:39 < krzie> s/;//
20:39 < krzie> you should ALWAYS use fully paths or cd
20:40 < krzie> s/ly/l/
20:40 < krzie> bleh can't type either
20:40 < flaccid> In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs.
20:40 < krzie> let me make this easy on you...
20:41 < krzie> client-config-dir /usr/local/etc/openvpn/ccd
20:41 < krzie> in the shell mkdir /usr/local/etc/openvpn/ccd
20:41 < krzie> then put your ccd entries in there
20:42 < flaccid> so looking in ps i have --cd /usr/local/etc/openvpn so yeah my assumption was correct
20:42 < krzie> you gunna be starting this in daemon mode?
20:42 < krzie> or are you doing so now?
20:42 < flaccid> (i like to create more portable configs that can be copied between OS more easily)
20:42 < flaccid> yeah daemon freebsd port rc
20:43 < flaccid> what does --config / mean in my ps ?
20:43 < krzie> more portable config would be to put keyfiles and ccd/ in same dir, then use --cd in the top of your config
20:43 < krzie> --config is how you specify a config file, as seen in manual
20:44 < flaccid> yeah that's what im doing
20:45 < krzie> oh you have cd in your config?
20:45 < flaccid> hmm but why would it be set to --config /
20:45 < flaccid> yeah
20:45 < flaccid> the freebsd service runs like: /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /
20:45 < krzie> you prolly need another w on your ps command
20:46 < krzie> the more w's the more it shows
20:46 < krzie> you got truncated
20:46 < krzie> ie: ps auxwwwww|grep openvpn
20:47 < flaccid> ah mad, thanks forgot about that w thing. so it's /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon openvpn --config /usr/local/etc/openvpn/server.conf --writepid /var/run/openvpn.pid
20:47 < flaccid> sweet as..
20:47 < krzie> *shrug*
20:47 < flaccid> ok so on this puter im on 192.168.0.0 network
20:47 < krzie> i'd put all of that bs in the config
20:47 < krzie> and just have openvpn /usr/local/etc/openvpn/server.conf
20:47 < krzie> but that's just me, i like a clean setup
20:48 < krzie> (and it would be more portable)
20:48 < flaccid> yeah in this case i'm just obeying the freebsd port so i can portupgrade
20:48 < krzie> it would still work
20:48 < flaccid> so yeah i got client-config-dir ccd
20:49 < krzie> those are optional config statements for rc.conf
20:49 < krzie> i also use freebsd
20:49 < flaccid> yeah that's true, but i ain't changing the rc script
20:49 < krzie> umm no
20:49 < krzie> you wouldn't need to change it
20:49 < krzie> you only define what you must in rc.conf
20:49 < flaccid> that's what i'm doing
20:49 < krzie> you currently have all those defined, no?
20:50 < flaccid> note command_args="--cd ${dir} --daemon ${name} --config ${configfile} --writepid ${pidfile}" in /usr/local/etc/rc.d/openvpn . do they get these from the server.conf ?
20:50 < krzie> hrm, ok
20:50 < krzie> i must not be using that script then
20:51 < flaccid> yeah
20:52 < flaccid> anyway. the client is me at home and i'm on 192.168.0.5 so i do route 192.168.0.0 255.255.255.0 in server.conf and iroute 192.168.0.0 255.255.255.0 in ccd/flaccid right?
20:52 < flaccid> my cert is CN flaccid
20:53 < krzie> 1sec
20:53 < krzie> phone
20:54 < flaccid> k
20:56 < krzie> ok
20:56 < krzie> yup that's right
20:57 < krzie> now, you won't have any road warriors on this setup?
20:57 < krzie> just flaccid and server?
20:57 < flaccid> well it will end up being for everything so yeah. i connected and my client can ping the server's 10.1.1.20 but for some reason it cannot ping other lan clients such as 10.1.1.1
20:58 < krzie> the server should be .1
20:58 < krzie> if that's your vpn subnet
20:58 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
20:58 < krzie> as i have no idea what 10.1.1.x is i can only guess
20:59 < krzie> i also don't know what you meant by "everything"
20:59 < krzie> but i do know i will only be here 10min more so we gotta be quick
20:59 < flaccid> vpn subnet is 10.8.0.0 so 10.8.0.1 is the server vpn ip
20:59 < krzie> oh ok
21:00 < krzie> also, be sure you saw in !route the section ROUTES TO ADD OUTSIDE OPENVPN
21:00 < krzie> under the network diagram
21:00 < flaccid> sorry everything as in i'll be maintaining a permanent vpn link plus ad hoc connections
21:00 < krzie> ohhh ok
21:00 < krzie> you likely want to change the clients lamn
21:00 < krzie> lan
21:00 < krzie> and you also want to push route for the client's lan
21:01 < krzie> you want to change the lan the client is on because anyone connecting on the same subnet will get routing problems
21:01 < krzie> either they won't be able to reach the client's lan, or they will be disconnected from their lan / inet
21:02 < krzie> but ya, if the openvpn machine with a lan behind it (flaccid and server in this case) is not the router for its LAN, you must add more routes outside openvpn
21:02 < flaccid> well i believe i set the right routes but yeah client can ping 10.1.1.1 and the 10.8.0.1 but not 10.1.1.x
21:02 < krzie> as fully explained in detail in !route under that diagram,
21:02 < flaccid> right
21:02 < flaccid> yes it is not the router, so i assume that's the issue
21:02 < flaccid> !route
21:02 < vpnHelper> flaccid: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:02 < krzie> very common issue
21:03 < krzie> my doc explains what's happening now, and 2 ways to fix it
21:03 < krzie> the right way and the ugly ass hack way
21:04 < krzie> since im bout to go i'll say it now
21:04 < krzie> sorry for being a dick
21:04 < krzie> lol
21:04 < flaccid> sorry where is the solution on your page?
21:04 < flaccid> heh np
21:05 < krzie> under the network diagram
21:05 < flaccid> what "the annoying work-around would be to add the route to every box on the LAN, in which case step 3 above would work."
21:06 < flaccid> well i guess it says to add a route, but how to add the route it doesn't say
21:07 < krzie> depends on router
21:07 < flaccid> well in this case the vpn server is behind a soho router
21:07 < krzie> simply adding a route to a router could be a 2 page howto
21:07 < krzie> for fbsd/linux/linksys/netgear/etc/etc
21:08 < krzie> so basically, you get to figure that part out yourself
21:08 < flaccid> so i should set up a natd on the vpn server
21:08 < krzie> but that's what must be done
21:08 < krzie> umm, no
21:08 < krzie> you should configure your router
21:08 < krzie> but feel free to do whatever makes you feel happy
21:08 < flaccid> static routes on the router should be enough?
21:08 < krzie> all i can do is point you the right way
21:09 < krzie> exactly
21:09 < krzie> that's exactly what you want, a static route
21:09 < krzie> for all networks not native to your lan but existing over the vpn to go to the vpn machine
21:09 < krzie> ie: 10.8.0.x / 192.168.0.x in your example
21:10 < flaccid> but i still have to get my vpn server to route back to the router internally right?
21:11 -!- Major_Tom [i=tom-w@dslb-088-065-214-194.pools.arcor-ip.net] has joined ##openvpn
21:11 < krzie> umm, huh?
21:11 -!- omega42 [i=tom-w@dslb-088-065-059-208.pools.arcor-ip.net] has quit [Nick collision from services.]
21:11 -!- Major_Tom is now known as omega42
21:11 < flaccid> the wan router port forwards 1194 to the vpn server internal on lan 10.1.1.20
21:11 < krzie> you only do what i said in my !route doc
21:11 < krzie> time for me to go
21:11 < krzie> adios
21:12 < flaccid> right well i don't see how the router will do it when the traffic is forwarded to the vpn server in passthrough
21:12 < flaccid> there is no hop to the router in the vpn channel
21:13 < flaccid> damn so close
21:18 < flaccid> rightio so 10.1.1.20 gets routed through the vpn but not 10.1.1.1 hmm
21:18 < flaccid> i have push "route 10.1.1.0 255.255.255.0" so why isn't that working ?
21:19 < flaccid> awww i need another helper :O!
21:21 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
21:35 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Leaving"]
21:53 -!- dazo [n=dazo@nat/redhat/x-fde5944adb80cacc] has quit [Read error: 110 (Connection timed out)]
21:57 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn
22:29 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Success]
22:32 -!- dazo [n=dazo@nat/redhat/x-3a32d28d1f3b7d09] has joined ##openvpn
23:43 -!- elbenfreund1 [n=elbenfre@f051103192.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
23:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
23:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
--- Day changed Sat Jun 06 2009
00:03 < project2501a> yay! failover box upgraded from potato famished peasantry into communism!
00:04 < project2501a> i can haz openvpn 2.1 !
00:09 -!- freysteinn [n=freystei@ailab-gw.ru.is] has quit [Remote closed the connection]
00:39 -!- freysteinn [n=freystei@ailab-gw.ru.is] has joined ##openvpn
00:49 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn
00:55 < Skiff> hello, I'm trying to forward port 55555 to my client machine (10.8.0.6) via iptables while connected through openvpn (which otherwise works fine), but port forwarding to the client machine doesn't work for some reason. I can make it work if I'm not connected through vpn through iptables as well, but I'd rather have it work through openvpn. my iptables script http://pastebin.com/d5f7976d
01:21 -!- Skiff [n=skiff@unaffiliated/skiff] has quit [Remote closed the connection]
01:22 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn
01:38 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
02:43 -!- pexy [n=pexyyy@36.51.196.88.dyn.estpak.ee] has joined ##openvpn
02:52 -!- pexy [n=pexyyy@36.51.196.88.dyn.estpak.ee] has left ##openvpn []
03:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)]
03:20 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
03:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
04:19 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn
04:21 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:22 -!- c64zottel [n=hans@p5B179069.dip0.t-ipconnect.de] has joined ##openvpn
05:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
06:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer]
06:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:18 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn
07:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:24 -!- zealxy [n=zxy@remote3.student.chalmers.se] has left ##openvpn []
08:24 -!- gambl0r [i=lmartin@CPE-124-190-137-146.vic.bigpond.net.au] has joined ##openvpn
08:36 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"]
09:09 -!- project2501a [n=gmarseli@93.97.20.215] has quit [Read error: 110 (Connection timed out)]
09:38 -!- kiddd [n=kid@72.19.129.138] has joined ##openvpn
09:38 < kiddd> hi there.
09:40 < kiddd> can any1 help me with an issue ? I installed openvpn on my linux centos 5.3 server and configured a client for winxp. I made everything work, I can ping my vpn but I need to use my linux server IP instead of my windows one.
09:40 < kiddd> any ideas ?
09:42 < kiddd> !redirect
09:42 < vpnHelper> kiddd: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:42 < kiddd> !def1
09:42 < vpnHelper> kiddd: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:42 < kiddd> !ipforward
09:42 < vpnHelper> kiddd: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:42 < kiddd> !linipforward
09:43 < vpnHelper> kiddd: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
09:43 < kiddd> !nat
09:43 < vpnHelper> kiddd: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
09:48 -!- Lilarcor [n=Lilarcor@208-59-127-132.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
09:51 -!- kiddd [n=kid@72.19.129.138] has left ##openvpn []
09:55 -!- Lilarcor [n=Lilarcor@208-59-127-132.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
10:08 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn
10:35 < S1lv3R> !howto
10:35 < vpnHelper> S1lv3R: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
11:05 -!- Zordrak [n=jaz@zelda.tpa.me.uk] has quit ["Server Maintenance Time"]
11:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:46 < S1lv3R> When i connect with more clients why do i have the same ip ?
11:52 < reiffert> Because you are using the same client certificate.
11:52 < reiffert> the same certificate for each client.
11:52 < reiffert> You will have to create one cert per client.
11:53 < reiffert> s,will have to,want to,
12:02 < S1lv3R> ahh new cert new ip ?
12:02 < S1lv3R> reiffert
12:09 < reiffert> yup
12:11 < S1lv3R> i must create Master CA Agin ?
12:11 < S1lv3R> again
12:12 < reiffert> !howto
12:12 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:13 < reiffert> Generate certificates & keys for 3 clients
12:13 < reiffert> Generating client certificates is very similar to the previous step. On Linux/BSD/Unix:
12:13 < reiffert> ./build-key client1 ./build-key client2 ./build-key client3
12:13 < reiffert> also have a look at that table:
12:13 < reiffert> Key Files
12:13 < reiffert> Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
12:31 < S1lv3R> reiffert client common name is the same as server common name ?
12:38 -!- Skiff [n=skiff@unaffiliated/skiff] has quit [Remote closed the connection]
12:39 -!- troy is now known as troy-
12:42 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn
12:50 < S1lv3R> check your system time is correct ?
13:19 -!- flokuehn [n=flokuehn@62.111.103.27] has joined ##openvpn
13:43 < reiffert> S1lv3R: read the fucking howto.
13:43 < reiffert> READ
13:43 < reiffert> stupid
13:44 < Bushmills> are there howtos for that too?
14:24 -!- c64zottel [n=hans@p5B179069.dip0.t-ipconnect.de] has left ##openvpn []
14:48 < krzie> reiffert client common name is the same as server common name ?
14:48 < krzie> wow
14:48 < krzie> that's a first for that question
14:49 < krzie> moin moin german friends
14:49 < krzie> hehe =]
14:49 < S1lv3R> moin
14:52 -!- S1lv3R [n=No@S3SYSTEM.Net] has quit [Read error: 104 (Connection reset by peer)]
14:56 < HardDisk_WP> moin krzie
14:56 < HardDisk_WP> who here is German?
14:57 < krzie> bush and reif do 14:57 < HardDisk_WP> .oO( I am, and reiffert and Bushmills also according to their hostmask ) 14:57 < krzie> i only speak english and spanish 14:57 < HardDisk_WP> ah k 14:57 < Bushmills> i'm using an irc bouncer 14:57 < HardDisk_WP> ah 14:57 < HardDisk_WP> k 14:58 < krzie> Bushmills speaks every language on earth tho 14:58 < Bushmills> connecting to it though openvpn :D 14:58 < Bushmills> nodonya krmsol 14:59 < HardDisk_WP> I can't use openvpn on my server, no tun/tap 14:59 < HardDisk_WP> uh.. can I use the server at least as a traffic hub and outpoint for connections to the internet? 14:59 < krzie> your server is an iphone? 14:59 < HardDisk_WP> krzie, no, uber-cheap german vServer 14:59 < krzie> what OS? 15:00 < HardDisk_WP> linux 15:00 < HardDisk_WP> debian 15:01 < krzie> dougy sells cheap vps? 15:01 < krzie> s/?/!/ 15:02 < HardDisk_WP> hey, they have good service (they changed some config in the dns for me at sunday morning, 3 o'clock, even though i had marked it least priority) 15:02 < HardDisk_WP> and this for 5€ / month 15:03 < Bushmills> probably no human involved 15:03 -!- flokuehn [n=flokuehn@62.111.103.27] has quit [Remote closed the connection] 15:03 < krzie> agreed 15:07 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 15:33 < HardDisk_WP> Bushmills, I submitted the request via RT => human involved 15:34 < HardDisk_WP> this is their only lack: you have to submit tickets to configure DNS 15:34 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 15:34 < HardDisk_WP> yet it has its upsides: they can help you with DNS stuff and check(!) stuff before they apply it... 
saved me once from breaking my mail 15:42 -!- troy- is now known as troy 16:05 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 16:08 -!- S1lv3R [n=No@S3SYSTEM.Net] has joined ##openvpn 16:12 < S1lv3R> !logs 16:12 < vpnHelper> S1lv3R: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 16:13 < S1lv3R> !interface 16:13 < vpnHelper> S1lv3R: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 16:13 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has joined ##openvpn 17:10 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 17:25 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: roentgen, CybDev 17:26 -!- Netsplit over, joins: roentgen, CybDev 17:44 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 17:48 -!- master_of_master [i=master_o@p549D7E8C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:48 -!- master_of_master [i=master_o@p549D40B4.dip.t-dialin.net] has joined ##openvpn 17:49 -!- master_of_master [i=master_o@p549D40B4.dip.t-dialin.net] has quit [Client Quit] 17:50 -!- master_of_master [i=master_o@p549D40B4.dip.t-dialin.net] has joined ##openvpn 19:39 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn 19:39 -!- chinsan_ is now known as chinsan 19:46 < chinsan> hi, is there anyone using FreeBSD as OpenVPN server successfully? 
19:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 19:58 < flaccid> chinsan sure 20:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 20:52 < krzie> ya many of us do 20:53 < krzie> taking a survey or have a question? 20:53 < krzie> sup flaccid ;] 20:53 < krzie> flaccid you get all done last night? 21:11 -!- Major_Tom [i=tom-w@dslb-088-065-216-125.pools.arcor-ip.net] has joined ##openvpn 21:11 -!- omega42 [i=tom-w@dslb-088-065-214-194.pools.arcor-ip.net] has quit [Nick collision from services.] 21:11 -!- Major_Tom is now known as omega42 22:42 < dan__t> WHAT 22:42 < dan__t> man i was going to work on a project tonight 22:42 < dan__t> but this 30pk of miller high life looked soooooooo good 22:56 -!- sam__ [n=sam@114.92.132.65] has joined ##openvpn 23:02 -!- sam__ [n=sam@114.92.132.65] has quit [Remote closed the connection] 23:04 < flaccid> krzie hey mate. i will probably have to nag you again soon. i push routes but they don't work and seem to create routes based on 10.8.0.5 which doesn't exist 23:12 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:59 -!- kronos003 [n=kronos00@viggo.hefnerlabs.com] has quit ["Lost terminal"] --- Day changed Sun Jun 07 2009 00:06 -!- M07w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 00:19 < gambl0r> hi, i'm running openvpn on a wrt54g, i can connect to the vpn but i get a 169.254.255.* ip address via dhcp when i need it to be getting a 192.168.1.* address. not sure if this is normal, but my br0 ip address is 169.254.255.1 00:19 < gambl0r> my wan ip is an external ip address 00:19 < gambl0r> any ideas? 
00:20 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has quit [Read error: 110 (Connection timed out)] 01:05 -!- project2501a [n=gmarseli@93-97-20-215.zone5.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 01:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Success] 01:43 -!- M07w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has left ##openvpn [] 02:04 -!- sam__ [n=sam@114.92.132.65] has joined ##openvpn 02:05 -!- sam__ [n=sam@114.92.132.65] has quit [Remote closed the connection] 02:23 -!- troy is now known as troy- 03:02 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has quit [Remote closed the connection] 04:40 -!- gambl0r [i=lmartin@CPE-124-190-137-146.vic.bigpond.net.au] has quit [Read error: 110 (Connection timed out)] 05:02 < reiffert> hahahahah. 05:02 < reiffert> 2009.06.07 -- Version 2.1_rc18 05:06 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc17 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 05:06 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc18 out. Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://lmgtfy.com/ 05:07 -!- reiffert changed the topic of ##openvpn to: OpenVPN 2.1rc18 out. 
Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://live.lmgtfy.com/ 05:12 -!- Shinu [n=Shinu@unaffiliated/shinu] has joined ##openvpn 05:14 < flaccid> krzie ping 05:35 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn 05:53 -!- c64zottel [n=hans@p5B17BA06.dip0.t-ipconnect.de] has joined ##openvpn 05:53 -!- c64zottel [n=hans@p5B17BA06.dip0.t-ipconnect.de] has left ##openvpn [] 06:21 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Remote closed the connection] 06:22 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn 07:00 -!- S1lv3R [n=No@S3SYSTEM.Net] has quit [Read error: 131 (Connection reset by peer)] 07:33 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn 08:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 08:22 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 08:33 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 09:13 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: cj, da_tux, Pagautas, frankS2 09:39 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn 09:39 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn 09:39 -!- frankS2 [i=nobody@algorit.me] has joined ##openvpn 09:39 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 10:41 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Read error: 110 (Connection timed out)] 10:49 -!- troy- is now known as troy 11:00 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 11:46 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 11:52 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 12:29 -!- nemysis 
[n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 12:35 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 13:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer] 13:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 14:06 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)] 14:06 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 14:07 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Client Quit] 15:01 -!- S1lv3R [n=No@S3SYSTEM.Net] has joined ##openvpn 15:04 < krzie> flaccid yoh 15:04 < krzie> pong 15:44 -!- troy is now known as troy- 16:24 -!- troy- is now known as troy 16:29 < reiffert> krzie: rc18 out 16:33 < S1lv3R> reiffert thanks for the info 16:34 < reiffert> ? 16:34 < S1lv3R> thx 4 info 16:38 -!- troy is now known as troy- 16:39 < krzie> ahh werd 16:50 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 16:51 < krzie> reiffert was rc18 simply fixing the bak files in the package you mentioned? 16:51 < krzie> or was there actual code change 16:59 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn 17:09 < reiffert> krzie: sure it was 17:09 < reiffert> also: 17:09 < reiffert> * Fixed compile error on ./configure --enable-small 17:09 < reiffert> * Fixed issue introduced in r4475 (2.1-rc17) where cryptoapi.c change does not build on Windows on non-MINGW32. 
17:18 -!- Gast59825 [n=No@S3SYSTEM.Net] has joined ##openvpn 17:18 -!- S1lv3R [n=No@S3SYSTEM.Net] has quit [Read error: 104 (Connection reset by peer)] 17:18 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 110 (Connection timed out)] 17:20 < krzie> ahh 17:45 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:48 -!- master_of_master [i=master_o@p549D40B4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:51 -!- master_of_master [i=master_o@p549D71FB.dip.t-dialin.net] has joined ##openvpn 18:06 -!- Gast59825 is now known as S1lv3R 18:50 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 19:53 < flaccid> krzie ping again 19:57 < reiffert> flaccid: you might wanna ask and talk to other people as well. 19:57 < flaccid> true. that would just mean i would have to repeat it all again 19:57 < flaccid> i guess i could 19:57 < krzie> ya, its usually the best way 19:58 < krzie> especially cause theres others here who know a ton 19:58 < krzie> (for example, reiffert) 19:58 < krzie> oh, and... pong 20:00 < flaccid> yeah but im hoping to not annoy them in my newbie fashion like i have you hahah 20:00 < flaccid> can i get that factoid that has that grep to get directives and i'll paste client and server ? 20:00 * reiffert sits back :) 20:01 < flaccid> !config 20:01 < vpnHelper> flaccid: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 20:01 < flaccid> !paste 20:01 < vpnHelper> flaccid: Error: "paste" is not a valid command. 
20:01 < reiffert> !configs 20:01 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:01 < reiffert> anyway, I'm off to bed 20:02 < reiffert> !nopaste 20:02 < vpnHelper> reiffert: Error: "nopaste" is not a valid command. 20:02 < flaccid> g/night reiffert 20:02 < flaccid> brb 20:02 < reiffert> krzie: !paste !nopaste ... 20:02 < krzie> !pastebin 20:02 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 20:03 < krzie> night reiof 20:03 < krzie> reif 20:05 < reiffert> make nopaste and paste an alias to pastebin pls 20:06 < reiffert> pls make .. 20:06 < krzie> umm, o...k... 20:07 < krzie> !learn paste as [pastebin] 20:07 < vpnHelper> krzie: Joo got it. 20:07 < krzie> !learn nopaste as [pastebin] 20:07 < vpnHelper> krzie: Joo got it. 20:07 < krzie> !paste 20:07 < vpnHelper> krzie: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 20:07 < krzie> there ya go 20:08 < reiffert> thanks! 20:09 < krzie> np =] 20:13 < flaccid> server is http://pastie.org/504046 and client is http://pastie.org/504047 . still can't get client or server to reach behind each other's lan. what am i missing ? 20:13 < krzie> your client file will be ignored for comments 20:14 < flaccid> are you serious ? 
20:14 < flaccid> well im sorry that grep is not native to windows; i will have to install it 20:14 < krzie> ya im not reading 150 lines to pick out the 10 that matter 20:14 < krzie> but it likely doesnt matter anyways (client config) 20:14 < flaccid> rightio 20:14 < krzie> 192.168.0.x is behind the client 20:14 < krzie> 10.1.1.x is behind the server 20:15 < flaccid> yeps 20:15 < krzie> ccd/client's-common-name has: iroute 192.168.0.0 255.255.255.0 20:15 < flaccid> ccd file on server has iroute 192.168.0.0 255.255.255.0 20:15 < flaccid> yep 20:15 < krzie> openvpn is running on the routers for both lans? 20:16 < flaccid> no openvpn is running on a server that gets 1194 from wan via port forward 20:16 < flaccid> the router is a d-link soho job that can't do openvpn 20:19 < krzie> cool 20:19 < krzie> did you add routes like i said last time? 20:20 < krzie> !route 20:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:20 < krzie> read my explanation under the network diagram 20:20 < flaccid> the configs have the routes in it 20:20 < krzie> read my explanation 20:21 < krzie> your openvpn config cant add a route on your router 20:21 < krzie> my explanation tells you EXACTLY whats happening for you right now 20:21 < krzie> im surprised you still haven't read it 20:21 < flaccid> i have read your document dozens of times 20:22 < krzie> evidently you missed the part that says ROUTES TO ADD OUTSIDE OPENVPN 20:22 < krzie> ROUTES TO ADD OUTSIDE OF OPENVPN 20:22 < krzie> If you are not running openvpn on the router for each lan, you have some more routes to add. 20:22 < flaccid> the vpn server is behind the router.. 20:22 < krzie> THATS WHY YOU NEED TO ADD ROUTES! 
20:22 < flaccid> so what you are saying is that i add routes on the vpn server not the router 20:22 < krzie> your lan uses the router as their default gateway 20:23 < krzie> your router doesnt know that those networks are on the other side of a vpn 20:23 < krzie> you must tell it so 20:23 < krzie> otherwise it tries to send the traffic bound for them to its default gateway (aka your ISP) 20:23 < flaccid> yes 20:23 < krzie> (i fully walk you through whats happening in my writeup) 20:23 < flaccid> i've tried adding routes on the vpn server and the client with no success 20:23 < krzie> If you fail to add this route, here is what would happen if a VPN client (for example, 10.8.0.6) wanted to send traffic to 192.168.2.20: 20:23 < krzie> NO SHIT 20:23 < krzie> ON THE ROUTER 20:24 < krzie> this is not a vpn issue 20:24 < krzie> its a general networking issue 20:24 < krzie> the machines in the lan have no route back to the vpn 20:24 < krzie> until you give them one, they cant communicate with machines on the other side of the vpn 20:24 < flaccid> the vpn tunnel is established between the client and the vpn server via port forwarding. 
it doesn't route through the wan router's routes as a result 20:25 < flaccid> yes so i add the routes on the vpn server and not its default gateway 20:25 < krzie> who said vpn server 20:25 < krzie> forget about the vpn machine 20:25 < krzie> you need to add routes to the ROUTER 20:26 < krzie> READ THAT SECTION OF MY WRITEUP 20:26 < flaccid> dude like i said i have read it dozens of times 20:26 < krzie> If you fail to add this route, here is what would happen if a VPN client (for example, 10.8.0.6) wanted to send traffic to 192.168.2.20: 20:26 < krzie> 1) The vpn client sends traffic to 192.168.2.20, with a source address of 10.8.0.6 20:26 < krzie> 2) The vpn server (10.8.0.1 and 192.168.2.10) receives the traffic, has IP forwarding enabled, and passes the traffic to 192.168.2.20 20:26 < krzie> 3) 192.168.2.20 gets it and tries to respond to 10.8.0.6 but has no entry in its routing table 20:26 < krzie> 4) Because 192.168.2.20 has no route for 10.8.0.6, it sends the traffic to its default gateway which is 192.168.2.1 20:26 < krzie> 5) 192.168.2.1 checks its routing table, has no route for 10.8.0.6, and sends the traffic to its default gateway which is likely its ISP 20:26 < krzie> 6) The ISP ignores it, because it is a RFC 1918 ip (aka lan only) 20:26 < flaccid> so you are saying it goes to the default router and then the default router routes it back to the vpn server then back through the tunnel 20:27 < krzie> thats how it works when you configure it correctly, yes 20:27 < krzie> in your setup, it does what i pasted above, and therefore does not work 20:27 < flaccid> so the vpn server has a defaultrouter in rc.conf of 10.1.1.1 so i add a route of 10.8.0.0 to go through 10.8.0.1 ? 
20:28 < krzie> the vpn server is fine 20:28 < krzie> the machines on the same lan as it don't know how to reach the vpn networks (10.8.0.x and 192.168.0.x) 20:28 < flaccid> yes i am saying adding the route on the default router 20:28 < krzie> so they send the responses to their default gateway (your router) 20:28 < krzie> if you add the routes there, it works 20:29 < flaccid> then that should route 10.8.0.0 and 192.168.0.0 through 10.8.0.1 gateway ? 20:29 < krzie> how could it know about 10.8.0.1 20:29 < krzie> it must point at the LAN ip of that box 20:29 < krzie> time for me to go 20:29 < krzie> later 20:29 < flaccid> so it goes to 10.1.1.20 20:29 < krzie> gl 20:29 < krzie> yes 20:29 < krzie> BOTH sides 20:29 < flaccid> right i will try it 20:30 < krzie> so other side needs to know bout 10.1.1.x and 10.8.0.x 20:30 < krzie> adios 20:30 < flaccid> that makes a huge caveat for clients 20:30 < flaccid> i thought thats what push and route was for 20:30 < flaccid> and iroute 20:43 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:43 < flaccid> krzie i did what you said. no difference!! 20:47 < flaccid> so who is alive that can help me with this problem? 20:48 -!- theDoc [n=theDoc@119.73.165.162] has joined ##openvpn 20:48 < theDoc> !win7 20:48 < vpnHelper> theDoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 20:49 -!- theDoc [n=theDoc@119.73.165.162] has quit [Client Quit] 20:54 * flaccid pulls his hair out 21:07 -!- theDoc [n=theDoc@unaffiliated/thedoc] has joined ##openvpn 21:09 -!- Major_Tom [i=tom-w@dslb-088-065-063-153.pools.arcor-ip.net] has joined ##openvpn 21:09 -!- omega42 [i=tom-w@dslb-088-065-216-125.pools.arcor-ip.net] has quit [Nick collision from services.] 21:09 -!- Major_Tom is now known as omega42 21:16 < ecrist> flaccid, did you read the wiki route page? 
21:16 < ecrist> !route 21:16 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 21:16 < flaccid> yep been over it many times 21:17 < flaccid> on the server side i have static routes set on the router and no luck 21:21 < flaccid> krzie said to make routes from the router back to the vpn server although there is route 192.168.0.0 255.255.255.0 on the server 21:21 < flaccid> so it will already be routed through the vpn subnet 21:22 < flaccid> which i can see in the routing table of the vpn server 192.168.0.0 10.8.0.2 UGS 0 6657 tun0 21:23 < flaccid> tun0 is inet 10.8.0.1 --> 10.8.0.2 21:23 < flaccid> so i don't get why it added the gw as 10.8.0.2 as that is not even reachable by icmp ping 21:23 < flaccid> 10.8.0.1 21:23 < flaccid> is reachable 21:40 -!- theDoc [n=theDoc@unaffiliated/thedoc] has quit [] 21:42 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 21:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 21:45 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 22:02 < theDoc> imo, openvpn could use some new artwork for their icons. 22:02 < theDoc> It looks terrible 22:10 < flaccid> me nearly giving up here! 22:36 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:46 < onats> hello 23:18 < flaccid> am i meant to be able to ping the ip addresses of the TUN iface on the server locally ? 23:20 < theDoc> flaccid: Yes 23:21 < theDoc> or at least, on my box 23:22 < flaccid> my routing is stuffed it seems 23:24 < theDoc> What? 
--- Day changed Mon Jun 08 2009 00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:14 -!- sam_ [n=sam@222.66.224.110] has joined ##openvpn 00:16 < flaccid> i can't ping the server ip on the server 00:17 < theDoc> flaccid: Just a moment, let me check 00:18 < theDoc> flaccid: Yes, it works on my end. 00:18 < theDoc> $ ping 10.97.58.1 00:18 < theDoc> PING 10.97.58.1 (10.97.58.1) 56(84) bytes of data. 00:18 < theDoc> 64 bytes from 10.97.58.1: icmp_seq=1 ttl=64 time=0.101 ms 00:18 < theDoc> 64 bytes from 10.97.58.1: icmp_seq=2 ttl=64 time=0.038 ms 00:18 < theDoc> 64 bytes from 10.97.58.1: icmp_seq=3 ttl=64 time=0.033 ms 00:18 < flaccid> sure it does. you are not the one with the problem are you, no. 00:19 < flaccid> routes for the tun exist: 10.8.0.0 10.8.0.2 and 10.8.0.2 10.8.0.1 00:19 < theDoc> flaccid: Is your tun0 up in the first place? 00:19 < flaccid> yes 00:19 < theDoc> flaccid: NAT statements right? 00:19 < theDoc> !nat 00:19 < vpnHelper> theDoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 00:19 < theDoc> !linnat 00:19 < vpnHelper> theDoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 00:19 < flaccid> i don't use linux 00:20 < flaccid> and this is not nat as it is local 00:20 < theDoc> Windows? 00:20 < theDoc> Which platform is this? 
00:20 < flaccid> freebsd 00:20 < theDoc> Oh sorry, no experience on bsd ;p 00:20 < flaccid> okies 00:21 < flaccid> pretty sure i was able to initially 00:24 < flaccid> i guess i'll try another server 00:32 -!- myself_ [n=myself@74-132-91-61.dhcp.insightbb.com] has joined ##openvpn 00:59 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 01:18 -!- sam_ is now known as alipapa 01:23 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn 01:39 -!- myself_ [n=myself@74-132-91-61.dhcp.insightbb.com] has left ##openvpn ["Leaving"] 01:47 -!- alipapa [n=sam@222.66.224.110] has quit ["Leaving"] 02:14 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 02:22 < flaccid> what does ERIFY ERROR: depth=1, error=self signed certificate in certificate chain: mean ? 02:23 < theDoc> Your certificate is wrong. 02:24 < flaccid> thought that would be the case but what exactly is wrong 02:24 < theDoc> Not sure really, maybe the wrong certificate? 02:25 < flaccid> nope 02:25 < flaccid> works on a dif server 02:28 < theDoc> Hm. 02:28 < theDoc> Something is definitely wrong here. 02:28 < theDoc> flaccid: You copied the ca.crt over? 02:28 < flaccid> yep 02:28 < theDoc> No idea on that. Hm. 02:29 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:51 < flaccid> half of my problems on 1 of the servers could be that openvpn needs root on freebsd to do the routes 02:51 -!- kala [i=kala@uba.linux.ee] has quit ["leaving"] 02:52 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 02:58 < flaccid> meh still can't ping the server ip on the server. 
this is ridiculous heh 02:59 < flaccid> meh 03:02 < flaccid> i will reboot this server and check all the default routes first i guess 03:02 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)] 03:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 04:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 04:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 05:08 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 05:24 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 05:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:33 -!- theDoc [n=andelyx@bb220-255-233-113.singnet.com.sg] has joined ##openvpn 05:33 -!- theDoc [n=andelyx@bb220-255-233-113.singnet.com.sg] has quit [Client Quit] 05:33 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:47 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn 05:48 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 05:59 < theDoc> This is odd, has anyone ever seen openvpn assign the *same* ip address to two different clients? 
06:03 -!- chinsan [i=chuck-th@chinsan.info] has quit [Read error: 110 (Connection timed out)] 06:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 06:25 < Bushmills> theDoc, yes 06:59 -!- lataffe [n=lars@135.80-202-77.nextgentel.com] has quit [Read error: 104 (Connection reset by peer)] 06:59 -!- lataffe [n=lars@135.80-202-77.nextgentel.com] has joined ##openvpn 07:19 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 54 (Connection reset by peer)] 07:20 -!- Timpa [i=timpa@193.13.142.250] has joined ##openvpn 07:20 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: SuperEvilDeath17, tompaw, clyons, jreno_ 07:21 -!- Netsplit over, joins: tompaw, clyons, jreno_, SuperEvilDeath17 07:22 -!- madzi [n=madzi@216-164-54-54.c3-0.ses-ubr2.lnh-ses.md.cable.rcn.com] has joined ##openvpn 07:23 < madzi> I am a beginner with openvpn and would like to use it to explore freenet. Any suggestions 07:25 -!- mattock [n=mattock@195.236.127.254] has quit ["Leaving."] 07:33 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: SuperEvilDeath17, tompaw, clyons, jreno_ 07:33 -!- Netsplit over, joins: tompaw, clyons, jreno_, SuperEvilDeath17 07:37 < Bushmills> madzi, reading the howto is a good thing to do. 
07:37 < Bushmills> this suggestion was entirely free 07:37 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 07:41 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:46 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: clyons, tompaw, SuperEvilDeath17, jreno_ 07:47 -!- Netsplit over, joins: tompaw, clyons, jreno_, SuperEvilDeath17 08:01 -!- madzi [n=madzi@216-164-54-54.c3-0.ses-ubr2.lnh-ses.md.cable.rcn.com] has left ##openvpn [] 08:08 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn 08:08 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: clyons, tompaw, SuperEvilDeath17, jreno_ 08:08 -!- Netsplit over, joins: tompaw, clyons, jreno_, SuperEvilDeath17 08:08 -!- clyons [n=clyons@unaffiliated/clyons] has quit [SendQ exceeded] 08:09 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn 08:10 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: tompaw, SuperEvilDeath17, jreno_ 08:15 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Read error: 110 (Connection timed out)] 08:33 -!- jeiworth [n=jeiworth@189.177.34.159] has joined ##openvpn 08:36 -!- ewook [n=ewook@thales.fluffis.se] has joined ##openvpn 08:36 < ewook> !route 08:36 < vpnHelper> ewook: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:37 < ewook> !redirect 08:38 < vpnHelper> ewook: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 08:39 < ewook> grpfm. I need a 'best approach guide' or something, can't decide to setup routed or bridged between multiple servers with lan's behind 'em. 08:47 < ecrist> routes 08:47 < ecrist> routed! 
08:47 < ecrist> !tunortap 08:47 < vpnHelper> ecrist: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 08:47 < ecrist> ~routed 08:47 < ecrist> !routed 08:47 < vpnHelper> ecrist: Error: "routed" is not a valid command. 08:47 < ecrist> !route 08:47 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:29 < ecrist> echo "(17000000000-14848462438)/125225800" | bc 09:29 -!- lataffe [n=lars@135.80-202-77.nextgentel.com] has quit ["Leaving"] 09:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:42 -!- b0fh_ua [n=b0fh_ua@89.162.215.37] has joined ##openvpn 09:43 < b0fh_ua> Hello! Can somebody please explain how it is possible to check if the connection with the client is still alive? 09:44 < ewook> well, the routing-faq-howto-link is great. but, does one exist with ditto info regarding bridged? 
09:44 < b0fh_ua> I've sent SIGUSR2 to the openvpn process, and it reports there is the client connected - however it looks like the client does not respond on any of the ports supposed to be opened on the firewall, as well as not responding to ICMP echo requests 09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:49 < ecrist> b0fh_ua: if openvpn says a client is connected, they are 09:50 < ecrist> the client computer could be blocking the requests on its own firewall 09:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 10:03 < b0fh_ua> okay 10:03 < b0fh_ua> I restarted VPN server and client did not reconnect 10:04 < b0fh_ua> looks like there are some problems on another side 10:07 -!- b0fh_ua [n=b0fh_ua@89.162.215.37] has quit ["leaving"] 10:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:36 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Read error: 60 (Operation timed out)] 10:44 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 10:46 -!- Haraken [i=ryuk@unaffiliated/haraken] has quit [Read error: 113 (No route to host)] 10:55 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn 11:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:21 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn [] 11:22 -!- Haraken [i=ryuk@unaffiliated/haraken] has joined ##openvpn 11:23 -!- Irssi: ##openvpn: Total of 76 nicks [0 ops, 0 halfops, 0 voices, 76 normal] 11:48 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has joined ##openvpn 11:49 < Chaot_s> Hi all, i have a question about remote vpn clients 11:52 < ecrist> ok 11:53 < Chaot_s> i have 3 servers on 3 different locations, they run dev tun to the other endpoints, works just fine all clients / lans communicate happy :) 11:53 < Chaot_s> so 
open VPN is great :) now i have a laptop.. i use it on all sort of locations i don't manage.... 11:54 < Chaot_s> reading manuals and so on i always need to set a remote location... how can i setup without the info? 11:54 < Chaot_s> sorry for the slow typing, i'm not 100% healthy, heavily upset stomach :) 11:57 < Chaot_s> i most of the time read and then do, though i cannot find info that i think represents my wished setup 12:01 < Chaot_s> is there someone who can help me on my way connecting the laptop to my home gateway-server/lan (centos 5.3) 12:04 -!- Haraken [i=ryuk@unaffiliated/haraken] has quit [Read error: 60 (Operation timed out)] 12:05 < Chaot_s> i have no idea how to make the server wait for a connection from my laptop while i don't know where the client will be connecting from 12:05 < Chaot_s> maybe i'm just too stupid :) 12:11 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 12:12 -!- Haraken [i=ryuk@sigh.haraken.dozo.jp] has joined ##openvpn 12:14 -!- Haraken [i=ryuk@unaffiliated/haraken] has quit [Remote closed the connection] 12:15 < ecrist> Chaot_s: not sure what you mean with 'how can I setup without the info' 12:22 -!- Haraken [i=ryuk@unaffiliated/haraken] has joined ##openvpn 12:24 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:26 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn 12:51 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:53 -!- john1000 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 12:57 -!- john1000 [n=magic@gprs02.rb.mtnns.net] has quit [Client Quit] 13:00 < krzie> krzie said to make routes from the router back to the vpn server 13:00 < krzie> although there is route 192.168.0.0 255.255.255.0 on the server 13:00 < krzie> so it will already be routed through the vpn subnet 13:00 < krzie> that guy has NO clue how to listen 13:03 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 13:22 < ecrist> hehe 13:25 < krzie> wassup bro 13:25 -!- 
magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 13:26 < krzie> its taking me too long to send that $ the old fassioned way, pls msg me paypal email and ill get it out that way today 13:27 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn 13:27 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 13:43 -!- Totic [n=federico@212.Red-80-34-164.staticIP.rima-tde.net] has joined ##openvpn 13:44 < Totic> is there a way to add exceptions to open VPN so not all traffic is sent over the vpn 13:46 < ecrist> no 13:46 < krzie> it has nothing to do with openvpn really 13:46 < ecrist> you can only include traffic you want 13:46 < krzie> it has to do with how you setup your routes 13:47 -!- hgimenez [n=hgimenez@c-65-96-170-173.hsd1.ma.comcast.net] has joined ##openvpn 13:47 < krzie> but yes, there is very much a way 13:47 < krzie> run a proxy inside the openvpn 13:47 < krzie> then proxify only what you want to go over the vpn 13:47 < Totic> so I have to run a proxy before I run openvpn 13:47 < krzie> i personally do that 13:48 < Totic> what proxy? 13:48 < krzie> the proxy would be started after openvpn, and would run on the openvpn ip 13:48 < krzie> (on server side) 13:48 < krzie> this also eliminates the need for NAT 13:48 < krzie> i use dante socks proxy 13:48 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:48 < Totic> the thing is I am in this company and they have a super secure network with deep packat inspeccion and another one that has everything open 13:48 < krzie> dont expect help from me troubleshooting your proxy tho 13:49 < Totic> so I want to use ssh in there supersecure.. since that is were my server is, and then go on IRC, adium using the other one 13:50 < krzie> welp, you have 2 options 13:50 < Totic> wait that doesnt seem right... your approach.. 13:50 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 13:50 < Totic> since if I use the openvpn and then the proxy.. 
the data would already be on there side.. 13:50 < krzie> dont specify redirect-gateway and instead only set routes for what to go over vpn 13:50 < krzie> OR 13:51 < krzie> send data over an internal vpn proxy like 10.8.0.1 13:51 < krzie> Totic i dont get what you mean 13:52 < krzie> 10.8.0.1 is my vpn ip for my vpn server 13:52 < Totic> OK, so I have two networks one, is secure, with DPI, the other over wifi is open 13:52 < krzie> i run a socks proxy which listens on that ip for connections 13:52 < Totic> so I can use the wifi, and then VPN to the secure one 13:52 < krzie> i connect to vpn 13:52 < krzie> then i have a route to 10.8.0.1 over the vpn 13:52 < Totic> what I want to do is only tunnel ssh over VPN 13:52 < krzie> i setup proxifier for osx to route whatever i want over the socks proxy on 10.8.0.1 13:53 < krzie> to only tunnel a specific app you must do my method 13:53 < krzie> to do it based on ip, you can use either 13:53 < Totic> so using Proxifier? 13:53 < krzie> what os you use? 13:53 < Totic> OS X 13:53 < krzie> yup 13:53 < krzie> proxifier works, that im SURE of 13:54 < krzie> since i use it 13:54 < Totic> oh its not free... 13:54 < krzie> no, its like 10 13:54 < Totic> well if I get to work I'll gladly pay 13:54 < krzie> it has a trial 13:57 < Totic> ok its installed.. 13:58 < krzie> main thing is you gotta setup the proxy on the server side 13:58 < krzie> i know dante can listen to 1 ip and output via another 13:58 < Totic> ... but I dont access to the vpn server.. 13:58 < krzie> and since its internal only you can skip auth and all that 13:58 < krzie> oh well that changes everything 13:58 < Totic> I mean I dont have access to add code to it... 13:58 < krzie> if you cant access the server there is no way to change it based on app 13:58 < Totic> fuck... 
13:59 < krzie> you can selectively route via ip 13:59 < krzie> like ecrist was saying 13:59 < krzie> my way can do based on ip/subnet/app or any combo 14:00 < Totic> yes but I need access to the server... 14:00 < Totic> which I dont 14:00 < krzie> right 14:00 < Totic> oh.. working for companies suck... I miss MIT... 14:00 < krzie> do you have redirect-gateway pushed to you or is it in your client config? 14:01 < Totic> what do you mean pushed to me? 14:01 < krzie> !push 14:01 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 14:01 < Totic> dont know.. I just setup the vpn by putting in the IP, and giving it my certificate 14:04 < Totic> I was thinking then of just getting in the secure network and then doing tunnelling ssh through https 14:04 < krzie> do you even know if your traffic flows over the vpn when you connect? 14:04 < krzie> it does not by default... 14:05 < Totic> yes it does 14:05 < Totic> irc stops working 14:05 < krzie> so when you goto whatismyip.com it shows vpn servers ip? 14:05 < Totic> let me check.. 14:06 < krzie> even better, pastebin your routing table after connecting 14:08 < Totic> oh fuck! 14:08 < Totic> it works 14:08 < Totic> somehow this works.. 14:08 < Totic> wifi+vpn allows me to ssh inside and outside.. 14:09 < Totic> and stay connected here.. 14:09 < krzie> ild expect so... 14:09 < ecrist> krzie: fwiw, I've enabled message queuing on ovpnforum.com for all users with less than 5 posts 14:09 < ecrist> spam was waaaaay too heavy 14:16 < krzie> seriously! 14:16 < krzie> any chance of getting a signup captcha? 14:16 < krzie> or something of that sort? 14:16 < krzie> !forum 14:16 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:16 < krzie> i spent a couple nights just deleting spam users/posts 14:17 < krzie> hey looks like you finished the job! 
14:17 < krzie> i know i didnt get them all 14:17 < krzie> oh i saw your reply to my wishlist idea for direct connections 14:18 < krzie> i dont agree that its a bad idea because it can bypass policies 14:18 < krzie> but i TOTALLY agree that its a HUGE amount of code and will not likely ever happen 14:18 < krzie> lol 14:18 < krzie> HUUUGE amount of code 14:22 < ecrist> lol 14:24 < krzie> maybe if i had the required skill to work on it ild do something twords it 14:25 < krzie> but since i dont, i very much expect it to never happen 14:26 < krzie> but since its heavily requested functionality, maybe someone with the skills will see that idea and work on it (who knows) 14:27 < krzie> lol the forum says we're openvpn n00bs 14:34 -!- xattack [i=xattack@132.248.108.239] has quit [] 14:35 -!- Totic [n=federico@212.Red-80-34-164.staticIP.rima-tde.net] has quit [Read error: 113 (No route to host)] 14:41 < krzie> oh we do have captcha 14:42 < krzie> dunno if you recently enabled that or not, but i just saw its enabled 14:44 < Chaot_s> ecrist still here? 14:45 < krzie> he pops in and out, if you have a question for him just ask it 14:48 < ecrist> I am 14:48 < Chaot_s> i think i'll restart from the beginning. 14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:49 < ecrist> krzie: yeah, I put some rudimentary ranking (based on post count) in there. 14:49 < krzie> nice, i just found where you did it, looks good 14:49 < ecrist> in 10 mins and 30 seconds, I start the drive home... 14:49 < krzie> i was looking to change us, but now that i saw what you did i like it 14:49 < krzie> so i wont touch 14:50 < ecrist> krzie: I've done more work on that forum than it's, uh, founder. :) 14:50 < krzie> lol 14:50 < krzie> totally 14:50 < krzie> to me he owns the domain name and you are the founder 14:50 < ecrist> krzie: you can create some custom or 'special' ranks, if you like, and tag us at those ranks manually. 
14:50 < ecrist> lol 14:51 < krzie> and im the content monkey 14:51 < krzie> lol 14:51 < ecrist> btw, for 9 days straight I pulled 10Mb/s down my comcast pipe, and nary a word from them. :) 14:51 < krzie> damn man, badass 14:51 < krzie> im so jealous of the inet you guys get out there 14:51 < krzie> im still paying over $100/mo for 1.5mbit down 14:51 < krzie> dsl, not even a t1 14:52 -!- jeiworth [n=jeiworth@189.177.34.159] has quit [Read error: 104 (Connection reset by peer)] 14:52 < Chaot_s> first of all, i have 3 servers all Centos 5.3, they run openvpn in dev tun mode to each other of the two servers. this works fine after spending allot of time on the firewalls and stuff :) now i would like to make it possible to have my laptop connected to the vpn network. i have been looking on the internet, and cannot find info in the situation i would like to create. 14:54 < Chaot_s> in short: i would like to be able to connect to my server with openvpn and then browse network and stuff. problem is, the laptop will connect from nummerous locations, and i won't be in controll of those locations. 14:54 < krzie> by browse network what do you mean? 14:54 < krzie> and why does each location connect to other 2? 
14:55 < krzie> all you need is 1 server, the rest are all clients 14:55 < Chaot_s> as far as i know now i need to configure my VPN server with the remote location 14:55 < krzie> only if you are sharing the lan behind the remote location 14:55 < Chaot_s> the 3 servers ar running home lan's all in differen ip ranges :) 14:55 < krzie> thats fine 14:56 < krzie> !route 14:56 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:56 < krzie> thats an example of how to do it with a lan behind the server, and 2 clients each with lans behind them 14:56 < Chaot_s> that is done and running just fine :) 14:57 < krzie> with that setup, you can add a few road warriors simply by giving them certs and letting them connect 14:57 < krzie> 1 caveat tho: 14:57 < Chaot_s> except for the one client that "roams" around the world :) 14:57 < krzie> you MUST be using lan subnets that your client will not be on 14:57 < krzie> so use very uncommon ones for your lans 14:57 < krzie> ie: not 192.168.0.x 14:58 < Chaot_s> lol, i run in 192.168.10.x, 192.168.11.x, 192.168.12.x for the lan ranges, and 192.168.40.x for the tunnel interfaces 14:58 < krzie> fine to me 14:58 < krzie> you'll only have a problem when road warrior ends up on one of those lans 14:58 -!- jeiworth [n=jeiworth@189.234.7.181] has joined ##openvpn 14:59 < krzie> now you just let road warrior connect, if you setup everything right already it'll just work 14:59 < krzie> ie: if its like !route, it will work 14:59 < krzie> client will be able to connect to all lans 14:59 < krzie> thats dependant on the push routes all being there 15:00 < Chaot_s> i can push the route's around to, i won't have a problem with that i think :) 15:01 < krzie> you dont have push routes in there now? 
15:01 < krzie> lemme see your configs, something dont sound right 15:01 < krzie> !configs 15:01 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:01 < Chaot_s> sorry for my poor english, i think i'm not explaining myself right. 15:02 < krzie> if you setup everything right, it will just work when you connect with the laptop 15:02 < krzie> if you post your configs ill let you know if you in fact did set it up right 15:05 < Chaot_s> okay i have the 3 tunnels with the lan's working fine, route add and iptables masquerade and stuff work fine, i can connect in all ways i'll post my configs in a minute 15:05 < Chaot_s> wht i would like to have is a add-on for the current working situation, meaning a laptop that can connect to one of the servers. 15:06 < krzie> iptables masquerade?? 15:06 < krzie> that shouldnt be needed 15:06 < krzie> 3 tunnels? 15:06 < krzie> you should have 1 server, 2 clients 15:07 < Chaot_s> wait i'll post a litle drawing in a minute 15:07 < krzie> gliffy.com should help you make a nice diagram if you like 15:07 < krzie> thats how i made the one in !route 15:09 < Chaot_s> lol looks good indeed :) 15:12 < krzie> Chaot_s, if you setup your setup according to !route you didnt need ip masquerading and your setup is currently ready for additional clients to connect and access any of the lans 15:15 < Chaot_s> hmm 15:16 < Chaot_s> okay... 
now i need a place to put the image :) 15:17 < krzie> !google image upload 15:17 < vpnHelper> krzie: ImageShack® - Image Hosting: ; TinyPic - Free Image Hosting, Photo Sharing & Video Hosting: ; Myspace Image Hosting - Free Image Hosting - Image Upload ...: 15:18 < Chaot_s> lol, i knew :) 15:18 < Chaot_s> more like okay need to signup somewhere to put the image :) 15:18 < krzie> tinypic doesnt look like it requires signup 15:20 < Chaot_s> http://i39.tinypic.com/5ebpg6.jpg 15:21 -!- hgimenez [n=hgimenez@c-65-96-170-173.hsd1.ma.comcast.net] has left ##openvpn ["Leaving"] 15:21 < Chaot_s> lan A B and C work fine the square's are the centos server / gateway's 15:22 < Chaot_s> i can acces all clients in every segment just fine (though the connections apear as if they came from the server (that is why i masq) 15:23 < Chaot_s> tun 1 2 and 3 work also, i choose a 3 tunnel config because of the 3 lan endpoint's 15:24 < Chaot_s> i want to keep ping low so routing all via 1 server would mean i have double the delay :) 15:24 < krzie> someone skipped network diagram class ;] 15:24 < Chaot_s> i did indeed :) 15:24 < Chaot_s> lol 15:24 < Chaot_s> sorry for that :) 15:24 < krzie> gimme a min to try to understand 15:24 < krzie> where is the server? 15:25 < krzie> a b or c 15:25 < krzie> wait wait, you really have 3 diff tuns? 15:25 < krzie> you're a masochist 15:25 < Chaot_s> the square's represent the servers there are 3 diffenrt all hooked up with a different internet connection :) 15:25 < krzie> why!? 
15:26 < Chaot_s> cause the have different home's 15:26 < Chaot_s> :) 15:26 < krzie> you turned a SIMPLE setup into something difficult 15:27 < Chaot_s> lol :) now i only have to mess with the servers :) the lan clients behind the server don't need any config now :) 15:27 < krzie> they wouldnt have anyways 15:27 < krzie> youd only add a route for each foreign vpn subnet on each router 15:27 < krzie> and booya * works 15:28 < krzie> if you look at your setup, and mine in !route 15:28 < krzie> we were doing the EXACT same thing 15:28 < krzie> 3 networks where each needed to be accessed by eachother 15:29 < krzie> you made 3 seperate vpns, i used 1 15:29 < Chaot_s> indeed :) i have 2 tun dev's on all locations :) 15:29 < krzie> thats more administration than you need to use 15:30 < Chaot_s> and i push the routes trough the aproriate shortest route :) 15:30 < krzie> well now you need a ccd entry on C for your road warrior 15:30 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 15:31 < krzie> that ccd entry should have push routes for all 3 lans 15:31 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 15:31 < krzie> !ccd 15:31 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 15:31 < krzie> !push 15:31 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 15:32 < Chaot_s> that is indeed what i'm looking for... 15:34 < Chaot_s> okay so i can just make roadwarrior connect to the server while its connected to another endpoint? 
15:35 < Chaot_s> remote otherlocation.dyndns.org 15:35 < Chaot_s> float 15:35 < Chaot_s> port 9002 15:35 < Chaot_s> dev tun 15:35 < Chaot_s> ifconfig 192.168.40.20 192.168.40.3 15:35 < Chaot_s> persist-tun 15:35 < Chaot_s> persist-local-ip 15:35 < Chaot_s> persist-remote-ip 15:35 < Chaot_s> comp-lzo 15:36 < Chaot_s> ping 15 15:36 < Chaot_s> secret /etc/openvpn/vpn.key 15:36 < krzie> DUDE 15:36 < Chaot_s> route 192.168.12.0 255.255.255.0 15:36 < Chaot_s> chroot /var/empty 15:36 < Chaot_s> user nobody 15:36 < krzie> DO NOT PASTE HERE 15:36 < Chaot_s> log /etc/openvpn/some.logfile 15:36 < Chaot_s> verb 4 15:36 < Chaot_s> sorry 15:36 < Chaot_s> pastebin was copy in wrong window 15:36 < krzie> !pastebin 15:36 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 15:36 < Chaot_s> i don't like flood kick eighter :) 15:36 < Chaot_s> only paste in the wrong window :) 15:37 < krzie> oh you're using a ptp setup 15:37 < Chaot_s> http://pastebin.com/m797eec03 15:37 < krzie> your setup is a PITA 15:37 < krzie> set it up client/server 15:37 < krzie> basically: 15:37 < krzie> !sample 15:37 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:38 < krzie> and 15:38 < krzie> !route 15:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:38 < krzie> then it'll just work 15:38 < krzie> you're doing it the right way like 6 yrs ago 15:38 < krzie> before openvpn 2 came out 15:38 < Chaot_s> hmm okay... 15:40 < Chaot_s> that means all traffic will be routed through 1 location... and means that location if A hosts all the VPN, and i am a B and want to acces somthing on location C i have upload AND download traffic on location A... 
15:40 < krzie> that is true 15:41 < krzie> but to add your road warrior there will be some work needed, more than i really feel like getting into because the setup is hella ugly 15:41 < krzie> would require yet another openvpn instance 15:41 < krzie> a route added to each router on each lan for the new vpn lan 15:42 < krzie> and push routes for every lan on the new server 15:43 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)] 15:44 < Chaot_s> we run games in this setup... and at first we did run with all clients connecting to 1 location... it gave pings of 45+ constant due to the up and download to the other locations.. in this setup ping normaly stay's under 25ms :) 15:45 < krzie> cool 15:45 < krzie> well ya thats what ya gotta do 15:45 < Chaot_s> that is why i created this "old-fashion" setup :) 15:45 < Chaot_s> speed seems to be in the old fashion :) 15:45 < krzie> i guess you used ip masquerading instead of adding routes to each router 15:46 < krzie> which you can also do for the new vpn network 15:46 < krzie> i suggest client/server setup for the road warrior, that way you can have multiple 15:46 < krzie> and push routes on it for every lan 15:47 < Chaot_s> the masq is there actualy for one reason :) there are game relay's on the servers... 15:47 < Chaot_s> and when the game thinks the original network is the server it will respond back :) 15:48 < Chaot_s> i have the route's in all routers to0 15:48 < Chaot_s> for gaming masq... sharing... disable masq... 15:50 < Chaot_s> so i have and old fashion setup with more then needed stuff... and faster responses... i think i did well :) 15:50 < Chaot_s> i would like to thank you for all kind help krzie :) 15:50 < Chaot_s> i realy apreciate it! 15:51 < Chaot_s> and once again sorry for my bad english :) 15:51 < krzie> np man 15:51 < krzie> actually your english is good 15:51 < krzie> and your vpn seems well thought out for your needs 15:51 < krzie> you know how to do the rest now? 
15:52 < Chaot_s> jep i think so :) i didn't know i could leave out "remote 1194 15:52 < Chaot_s> " 15:52 < Chaot_s> in the server configuration... i was thinking i needed that :) 15:53 < Chaot_s> and that was the actual problem remaining... roadwarrior is in an unknow location... how can i tell the server config where roadwarrior wil be connecting from... 15:54 < Chaot_s> it turns out i don't have to tell the server who / where remote is :) 15:57 < Chaot_s> and in about 90% of the sample config's i saw... that info was given... 15:58 < krzie> you dont need to 15:58 < krzie> unless he has a lan behind him 15:58 < krzie> which he wont 15:59 < krzie> may i suggest a real server/client for road warrior... 15:59 < krzie> your setup is ptp, NOT server/client 15:59 < krzie> i suggest making the road warrior vpn server/client 15:59 < krzie> so you may have multiple road warriors later if you choose 15:59 < Chaot_s> i'll try the configs on the page you sent me earlier 16:00 < Chaot_s> so it will be client-->>server :) 16:00 < Chaot_s> i have enough point to point now :) 16:00 < Chaot_s> lol 16:01 < krzie> right 16:02 < krzie> and that vpn subnet needs to have a route in each lan router 16:02 < krzie> and each openvpn box needs to know about it too 16:02 < krzie> and then you need to push a route to every lan from new server to vpn clients 16:02 < krzie> (road warriors) 16:03 < Chaot_s> hmm so i have yet another range :) roadwarriors in range 192.168.100.xx 16:03 < krzie> werd 16:19 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 16:20 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection] 16:21 -!- elventear_ [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn 16:21 -!- elventear_ [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Remote closed the connection] 16:23 < reiffert> moin 16:26 -!- Totic [n=federico@89.129.147.34] has joined ##openvpn 16:26 < krzie> moin moin 16:27 < reiffert> A 
friend has handing me an iphone (not the 3G). Thought I'd port the tun/tap driver to iphone and sell it on the app.store 16:28 < krzie> gangster! 16:28 < reiffert> 0.79 16:28 < krzie> you will forever be remembered as the hero who brought tuntap to iphone 16:29 < reiffert> ah well, maybe write a nonuseful-everybody-needs-it additionally and sell this one instead 16:30 < reiffert> however, today I was refusing to take the iphone because I'm busy like hell for the next 6 weeks. 16:30 < reiffert> Has the GSOC 2009 already been set up? 16:31 < reiffert> oh, friend _was_ handing me an iphone... 16:31 < krzie> doh, no more? 16:33 < reiffert> I'm trying to guess the right english grammar .. 16:34 < reiffert> was handing me, has been handing me, is about to hand me? 16:34 < krzie> was going to hand me 16:34 < krzie> wanted to hand me 16:35 < krzie> is about to hand me 16:35 < krzie> depending on the situation, im not sure which fits this situation 16:35 < reiffert> he was offering it for free and I refused because I'm busy like hell. We will meet again in 6 weeks 16:38 < krzie> was going to hand me 16:38 < krzie> or even better 16:38 < krzie> was going to give me (or lend me) 16:39 < krzie> lend if you had to give it back 16:39 < krzie> give if it would be yours forever 16:41 < reiffert> allright, he was going to lend me an iphone ... 16:41 < reiffert> I should start reading english books. 16:42 < krzie> nah man your english is great 16:42 < krzie> in the 10mo+ we've talked on here thats the first time i could help you at all 16:43 < reiffert> There have been so many situations where I was not able to tell wether it's right what I was typing or not ... 16:43 < reiffert> English books would not harm I guess 16:44 < reiffert> will not 16:44 < krzie> would not hurt 16:44 < krzie> would or will could work, would sounds like what ild say 16:44 < krzie> but s/harm/hurt/ 16:45 < reiffert> allright .. now let's have a look on books ... 
no scientific, no technical 16:48 < reiffert> That one was great fun: http://www.amazon.com/White-Line-Fever-Lemmy-Kilmister/dp/0806525908/ref=sr_1_1?ie=UTF8&s=books&qid=1244497661&sr=8-1 16:58 < reiffert> looks funny: http://www.amazon.de/Androids-Dream-John-Scalzi/dp/0765348284/ref=sr_1_1?ie=UTF8&s=books-intl-de&qid=1244498056&sr=8-1 17:04 < krzie> androids dream, i have that on audio book on my nfs 17:11 < reiffert> I guess reading is better than listening ... 17:12 < krzie> for typing, absolutely 17:12 < krzie> english is fubar for knowing how to type from listening 17:27 -!- Totic [n=federico@89.129.147.34] has quit [Remote closed the connection] 17:28 -!- Totic [n=federico@89.129.147.34] has joined ##openvpn 17:48 -!- master_of_master [i=master_o@p549D71FB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:52 -!- master_of_master [i=master_o@p549D3EA3.dip.t-dialin.net] has joined ##openvpn 17:53 -!- kala_ [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 60 (Operation timed out)] 17:53 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 18:10 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 18:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 18:38 -!- theDoc [n=andelyx@bb116-15-9-82.singnet.com.sg] has joined ##openvpn 18:39 -!- theDoc [n=andelyx@bb116-15-9-82.singnet.com.sg] has quit [Client Quit] 18:39 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 18:46 -!- Totic [n=federico@89.129.147.34] has quit [Read error: 110 (Connection timed out)] 19:28 -!- jeiworth [n=jeiworth@189.234.7.181] has quit [Read error: 110 (Connection timed out)] 19:40 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 19:44 < krzee> !irclogs 19:44 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the 
stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 19:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:07 -!- antgel [n=topdog@82-68-107-174.dsl.in-addr.zen.co.uk] has quit [Remote closed the connection] 20:20 -!- theDoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:20 -!- theDoc [n=andelyx@119.73.165.162] has quit [Remote closed the connection] 20:21 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:25 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has quit [Read error: 60 (Operation timed out)] 20:45 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 20:50 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has joined ##openvpn 20:53 < mRCUTEO> !man 20:53 < vpnHelper> mRCUTEO: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:54 < mRCUTEO> anyone from germany here? 20:56 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 21:06 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has quit [] 21:09 -!- Major_Tom [i=tom-w@dslb-088-065-213-251.pools.arcor-ip.net] has joined ##openvpn 21:09 -!- omega42 [i=tom-w@dslb-088-065-063-153.pools.arcor-ip.net] has quit [Nick collision from services.] 
21:09 -!- Major_Tom is now known as omega42 21:13 < flaccid> krzie i did exactly what you said 21:44 -!- Major_Tom [i=tom-w@dslb-088-065-213-251.pools.arcor-ip.net] has joined ##openvpn 21:44 -!- omega42 [i=tom-w@dslb-088-065-213-251.pools.arcor-ip.net] has quit [Read error: 54 (Connection reset by peer)] 21:44 -!- Major_Tom is now known as omega42 22:16 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has joined ##openvpn 22:21 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn 22:47 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has quit [Read error: 60 (Operation timed out)] 23:58 -!- chinsan_ is now known as chinsan 23:59 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue Jun 09 2009 00:03 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 00:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:18 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:38 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has joined ##openvpn 00:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 00:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 01:00 -!- mattock [n=mattock@195.236.127.254] has joined ##openvpn 01:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 01:54 -!- Totic [n=federico@89.129.140.162] has joined ##openvpn 02:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:53 -!- Totic [n=federico@89.129.140.162] has quit [Remote closed the connection] 02:57 -!- kyrix [n=ashley@91-115-177-133.adsl.highway.telekom.at] has joined ##openvpn 03:09 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)] 03:10 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn 03:15 -!- kyrix [n=ashley@91-115-177-133.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 03:49 -!- zheng 
[n=zheng@222.66.224.110] has joined ##openvpn 04:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:46 < flaccid> ecrist alive by any chance? i think i need some ssl-admin assistance ie. ETCDIR 04:53 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)] 04:58 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 05:03 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Kreg-Work_, Nirkus, omega42 05:05 < flaccid> can anyone help with routes? i have a route 10.8.0.0 gw 10.1.1.20 but it still wants to route through the default gw. why ? 05:08 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)] 05:08 -!- omega42 [i=tom-w@dslb-088-065-213-251.pools.arcor-ip.net] has joined ##openvpn 05:08 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 05:08 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has joined ##openvpn 05:26 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)] 05:31 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:31 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)] 05:34 < reiffert> flaccid: because vmware is involved somewhere? 05:41 < flaccid> reiffert no vmware. i fixed that one up. now i gotta fix it locally on the server 05:45 < flaccid> my server uses tun0 inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff. what are the correct routes that should be in the route table for this? 05:50 < flaccid> krzie hey mate. 
found out half the problem was that freebsd needs root user to do routes 06:12 -!- sukriN [i=rmf2mlh@bussle.hadiko.de] has joined ##openvpn 06:13 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has quit [Read error: 104 (Connection reset by peer)] 06:16 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)] 06:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:36 -!- sukriN is now known as Nirkus 06:52 -!- Timpa [i=timpa@193.13.142.250] has quit [Read error: 104 (Connection reset by peer)] 06:54 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 06:55 < flaccid> anyone alive who can help me with my routing problems ? i seem to have correct routes but 1 fails 07:08 < reiffert> paste routing table 07:11 < flaccid> reiffert http://pastie.org/505611 07:12 < flaccid> so 10.8.0.0 10.8.0.2 UGS 0 6 tun0 and 10.8.0.2 10.8.0.1 UH 2 3 tun0 07:12 < flaccid> is that right ? 07:12 < flaccid> i can't reach 10.8.0.2 or 10.8.0.1 07:12 < flaccid> but i can reach the client at 10.8.0.6 wtf 07:12 < reiffert> paste with -n again pls 07:13 < flaccid> reiffert http://pastie.org/505613 07:14 < reiffert> paste: ifconfig -a 07:14 < flaccid> reiffert http://pastie.org/505615 07:14 < flaccid> not sure what plip0: flags=108810 metric 0 mtu 1500 is hmm 07:15 < reiffert> fromon 10.8.0.1 paste firewall, routing table and ifconfig -a 07:16 < flaccid> !configs 07:16 < vpnHelper> flaccid: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:16 < flaccid> whats that grep for the configs ? 
07:16 < reiffert> on 10.8.0.1 paste firewall, routing table and ifconfig -a 07:17 < flaccid> reiffert as you can see its the same box 07:17 < flaccid> no firewall 07:17 < flaccid> and i gave the routing table 07:18 < flaccid> reiffert this is the server.conf http://pastie.org/505620 07:19 < reiffert> how about: 07:19 < reiffert> push "dhcp-option DNS 10.1.1.20" 07:19 < flaccid> that will help for dns yeah true 07:20 < flaccid> but the client cannot reach it yet 07:20 < flaccid> i was able to get it to reach it earlier by setting a route manually. but i mean this should all be done by openvpn 07:20 < reiffert> and just out of curiosity, how about topology net30? 07:21 < flaccid> whats that 07:21 < reiffert> I mean Microsoft Windows should just work, but it does not. so whats your point? 07:21 < reiffert> thats something to read up and try out./ 07:22 < flaccid> my point is that openvpn is not setting the routes 07:22 < reiffert> sure it is. 07:22 < reiffert> Line 20 on http://pastie.org/505613 07:23 < flaccid> true 07:23 < flaccid> so you think the routes and all is good ? 07:23 < reiffert> zeah. 07:23 < reiffert> y 07:24 < flaccid> because i can't ping shite all 07:24 -!- Ahri [n=Ahri@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn 07:24 < flaccid> i can't even ping 10.8.0.1 on the vpn server 07:24 < flaccid> i can't ping anything 07:24 < reiffert> flaccid: however, have to run to bring stuff to the finance office ... 07:24 < reiffert> bbl 07:25 < Bushmills> usr mtr to see where your packets go. if those take te vpn route, the problem must be something else 07:25 < flaccid> rigt 07:25 < reiffert> flaccid: well, thats bad. 07:25 < reiffert> not beeing able to ping the server's ip when on the server. 07:25 < flaccid> yep 07:25 < Ahri> hi everyone, i have a working openvpn setup with bridging (tunnelling is not an option -- gaming needs broadcasts). 
i'm having a problem though that two clients are fighting over the same IP (the first one that should be allocated; 192.168.1.50) -- here's my config: http://pastebin.com/m7143496e 07:26 < Bushmills> Ahri, those clients use the same cert? 07:26 < ecrist> morning, bitches 07:26 < Ahri> Bushmills: different client certs, same ca.crt 07:27 < Ahri> well, i'm pretty sure they're different, i'll just check on that to make sure! 07:27 < reiffert> The server log tells you. 07:28 < Bushmills> unusual. try to fix clients addresses with ifconfig-push 07:28 < reiffert> flaccid: just for testing, remove the route and push options. 07:28 * Ahri checks the logs carefully 07:29 < flaccid> reiffert yeah tried that too before 07:30 < flaccid> what does Need IPv6 code in mroute_extract_addr_from_packet mean ? 07:30 < reiffert> flaccid: it means that you are reading the openvpn source code? 07:30 < Bushmills> Ahri, when you created the certs, did you use different "common name" per client? 07:31 < flaccid> reiffert its in the server log 07:31 < reiffert> Bushmills: which is what Ahri is reading the logfile for. 07:31 < Ahri> Bushmills: i was just reading the log and thought "oh shit" when that occurred to me 07:31 < reiffert> flaccid: no idea at all 07:31 < Ahri> hehe cheers, guys, think you've probably cracked it 07:31 < flaccid> i'll reboot this server me thinks 07:31 < reiffert> yw 07:32 < flaccid> it will be a mystery if the problem still occurs because the config is all good etc. 07:32 < reiffert> however, & 07:33 < Ahri> how can i "unsign" these certs before i generate new ones? 07:35 < Ahri> i was following a guide when i generated the certs and now i thoroughly regret following the bolded "leave the common name as server and client in each instance" :\ i think i'll jsut start from scratch and generate new certs all round 07:35 < Ahri> *just 07:36 < flaccid> rightio i rebooted the box. 
same frikken issue 07:36 < flaccid> this is just bullshit 07:42 < ecrist> flaccid: what did you want at 4:46 this am? 07:43 < flaccid> a solution would be nice 07:43 < flaccid> but since this must be some freebsd problem who knows 07:44 < flaccid> all the routes are fine and i've checked the log etc. no ping 07:46 < ecrist> hello? 07:46 < flaccid> i also just took out all the extra route options and i still cannot ping the vpn server ip 07:46 < flaccid> hi ecrist 07:53 < flaccid> hmm do i need ip forwarding turned on ? 07:53 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection] 07:53 < flaccid> hmm that doesn't make a dif. a lot of people have reported this problem hmm 07:55 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 07:57 < flaccid> i also just changed the server ip to a dif subnet. same shit 07:57 < flaccid> i give up. 08:00 < ecrist> flaccid: you need ip forwarding turned on 08:00 < ecrist> you're trying to setpu a routed vpn on freebsd, right? 08:01 < flaccid> ecrist i just turned it on and makes no difference 08:01 < flaccid> yeah 08:01 < ecrist> !freebsd 08:01 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:01 < ecrist> everything you need, right there 08:01 < flaccid> done that. 08:01 < ecrist> if you followed it, you'd have a working vpn 08:01 < ecrist> trust me, I wrote it. 08:02 < flaccid> yes i know that 08:02 < ewook> I don't like the word trust :) 08:02 < flaccid> the vpn connects, does the right thing but can't ping on the server. 
funny thing is the client can 08:04 < flaccid> ecrist i wouldn't mind it if you could ist order of steps for ssl-admin (sidenote) that would be awesome 08:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:07 < flaccid> 10.9.0.0 10.9.0.2 UGS 0 15 tun0 08:07 < flaccid> 10.9.0.2 10.9.0.1 UH 1 62 tun0 08:08 < ecrist> flaccid: if you're connected to the vpn, and you can't ping, it's a firewall issue 08:08 < flaccid> can't ping 10.9.0.1 or 10.9.0.2 on the server. its just crazy 08:08 < flaccid> ecrist client pings fine. server cannot locally and the server has no firewall 08:14 < ecrist> wtf does that mean? 08:14 < ecrist> 'server cannot locally' 08:15 < flaccid> in a shell of the server it cannot ping the vpn server IP ie. the tun 08:18 < flaccid> i changed it to a tap interface to test. and using tap i can ping the vpn server IP (tap) on teh server 08:21 < ecrist> flaccid: I can't ping my own ip on the server on any of the openvpn networks I have 08:21 < ecrist> what led you to believe you'd be able to? 08:21 < flaccid> so on the vpn server, you can't ping the vpn server IP ? 08:22 < flaccid> someone here told me should be able to ping both IPs in the tun 08:22 < ecrist> your clients should be able to ping the server IP, and the server should be able to ping the client ips 08:22 < ecrist> flaccid: the server cannot ping it's own VPN IP 08:22 < flaccid> ok 08:22 < flaccid> thats only for tunnels ? 08:24 < ecrist> yep 08:24 < flaccid> okies 08:26 < flaccid> ecrist so server can ping a client IP and a client can ping the server vpn IP right? 08:27 < flaccid> thats working fine then. 
08:28 < flaccid> ok ecrist client can ping 10.1.1.20 and not any other clients on the server's lan also server cannot ping lan clients on the client's lan 08:28 -!- mattock [n=mattock@195.236.127.254] has left ##openvpn [] 08:28 < flaccid> the routes have been correctly set 08:29 < flaccid> ecrist so on the server, it has 192.168.0.0 10.9.0.2 UGS 0 92 tun0 from the openvpn server.conf yet pinging 192.168.0.5 which is a connected client fails. 08:37 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 08:38 < ecrist> flaccid: I already told you 08:38 < ecrist> your clients should be able to ping the server IP, and the server should be able to ping the client ips 08:39 < Ahri> i've connected into my home vpn from work, and my mate's connected in from his home. i shell into either of my home linux boxes and i can ping both friend@home and me@work... yet from work i can't ping my friend.... 08:40 < flaccid> ecrist yes that is the case. but i was referring to the lan subnets behind each side. my client can reach 10.1.1.20 but not 10.1.1.1 so dns forwarding fails through the vpn. i would also like the vpn server to be able to access client subnets 08:42 < Ahri> can anyone explain to me why this might be the ase? 08:42 < Ahri> *case 08:44 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn 08:44 < n5> !howto 08:44 < vpnHelper> n5: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:47 < n5> !redirect 08:47 < vpnHelper> n5: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 08:47 < n5> !def1 08:47 < vpnHelper> n5: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 08:48 < n5> well 08:49 < n5> Hello everybody, i need a bit help. My server have 2 IP's. What to write in config, that server will use one IP for VPN and other to let be like it is without it? 08:50 < n5> Now it uses both ips and transfers all trafic trough vpn server 08:52 < n5> Or other soliution is to leave atleast one port, wich will not use openvpn, but how? 08:54 < flaccid> m5 you use the server directive to set the subnet of the service 08:54 < ecrist> Ahri: you need the client-to-client option in the openvpn server config 08:54 < flaccid> !server 08:54 < vpnHelper> flaccid: Error: "server" is not a valid command. 08:54 < ecrist> flaccid: you need iroute 08:54 < ecrist> !iroute 08:54 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 08:55 < ecrist> n5, look at the local option in the server config 08:55 < flaccid> oh yeah local to bind it 08:55 < flaccid> ecrist yep got my iroute going 08:56 < ewook> yay. this is gonna be fun. one 'bridge'-server with at least two clients connecting with lan behind 'em. *_* 08:56 < ewook> smells like issues since it's gonna be used over dynamic-ip's. 08:57 < n5> I have tryed with ;local a.b.c.d but without ; do i need to leave ; in front? 
08:57 < flaccid> n5 you replace a.b.c.d with the ip address to bind to 08:58 < flaccid> ; is comment so is ignored just like # 08:58 < n5> hmz, i tryed to do what, but it didint worked 08:58 < ecrist> the ; in front means it's a comment, and it will be ignored 08:59 < flaccid> n5 read the log 08:59 < flaccid> ecrist any advice on where to go now? 09:00 < n5> ok, thanks 09:01 < flaccid> ecrist ah i think the iroute is failing via ccd as the client is using the wrong CN. it seams to be using the server CN 09:04 < ecrist> then fix your certificates 09:04 < flaccid> ecrist yep ok. any chance you could outline the ssl-admin steps to create the server ca, server key, client key? 09:05 < flaccid> do you create the server cert first then the client? 09:05 < ewook> you just said the order. 09:06 < flaccid> ok thanks. and i populate ssl-admin.conf only with the server details right ? 09:06 < flaccid> then when i generate a client cert i just choose a CN being the name of the client yeah ? 09:08 < flaccid> also ecrist on my debian server, i checked out svn ssl-admin and i get ~~~ETCDIR~~~/ssl-admin/ssl-admin.conf doesn't exits. Did you copy the sample from ~~~ETCDIR~~~/ssl-admin/ssl-admin.conf.sample? at ./ssl-admin line 39. 09:09 < flaccid> im a bit confused as towards where it wants ssl-admin.conf 09:16 -!- theDoc [n=andelyx@bb121-6-58-27.singnet.com.sg] has joined ##openvpn 09:16 < ecrist> *grumble* 09:16 < ecrist> did you run the configure script? 09:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:17 -!- theDoc [n=andelyx@bb121-6-58-27.singnet.com.sg] has quit [Client Quit] 09:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 09:18 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 09:22 < Ahri> ecrist: client-to-client eh? thanks for that (sorry, been away doing this pesky "work" i've been given) 09:24 < Ahri> ecrist: i see that http://www.shorewall.net/OPENVPN.html mentions client-to-client and enabling routeback on a tun+ device. 
given that i have a tap device, is this neccessary? 09:24 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net) 09:24 < Ahri> heh, interesting function of the bot there ;) 09:24 < Ahri> umm to clarify i'm not using shorewall 09:25 < Ahri> just googling around ;) 09:29 < flaccid> ecrist sure did 09:31 < flaccid> do i need to install it or something 09:31 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 09:32 < ecrist> flaccid: yes, the configre script replaces all the ~~~ETCDIR~~~ key words and such 09:33 < ecrist> Ahri: routeback, no, client-to-client 09:33 < Ahri> ecrist: thanks a lot, that works like a charm 09:36 < ecrist> np 09:37 < Chaot_s> ecrist is a good one :) 09:39 -!- carpe_ is now known as plaerzen 09:44 * Ahri adds wins and dns pushing via dhcp \o/ 09:44 < Ahri> this openvpn stuff is great 09:45 < Chaot_s> hmm offtopic, coolers for dual intel xeon are getting rare and very high priced. 70euro for 1... i need 2! 09:46 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 09:52 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 09:58 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 10:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Remote closed the connection] 10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:32 -!- jeiworth_ [n=jeiworth@189.234.35.254] has joined ##openvpn 10:32 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 104 (Connection reset by peer)] 10:33 < Ahri> i was thinking; without this client-to-client option; does it only prevent traffic communicating where that traffic is connected to the same vpn device? i.e. 
if i created a second openvpn instance that did not have client-to-client set up, would i be able to communicate with the machines connected to the vpn device that does have client-to-client set up? 10:34 < Ahri> so that's VPN X (with client-to-client), VPN Y (without client-to-client). clients A, B connect to X and ping eachother, all is well, client C connects to Y. can A, B, C all ping eachother? 10:37 < krzee> lol ecrist 10:38 < krzee> Ahri, 10:38 < krzee> every single option is explained in the manual 10:38 < krzee> client-to-client lets traffic flow from client to other client inside the openvpn process 10:39 -!- Thomaschaaf [n=thomasch@193.175.26.68] has joined ##openvpn 10:39 < krzee> without it every packet will need to go through the kernel 10:39 < Thomaschaaf> Hey guys I'm getting the tls error message how can I debug whether the port is still closed? 10:39 < krzee> so with client-to-client traffic between clients will not go through the firewall, but will be quicker 10:41 < krzee> ecrist, im pretty sure flaccid's certs are fine, he just really doesnt understand that when i tell him he needs to add a route to his router, that im telling the truth 10:44 < krzee> no matter how many times i explain what he must do he points out that he set the routes in the server config 10:44 < krzee> like he doesnt understand what a router is and how his server cant change the route on his router 10:47 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 10:58 < ecrist> yeah, I'm getting the impression he doesn't actually *read* what's in front of him 11:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:06 < krzee> aye 11:07 < krzee> after he said he read !route dozens of times i pasted the section below my network diagram and he still argued he didnt need routes on his router because he set them in his server config 11:07 < krzee> i did a triple take 11:11 < ecrist> oh, shoot him, next time. 
:) 11:13 < Thomaschaaf> I can't get openvpn to run on one of my debian boxes :( 11:13 < Thomaschaaf> how can I debug the TLS Error? 11:23 -!- Thomaschaaf [n=thomasch@193.175.26.68] has quit ["Java user signed off"] 11:43 -!- jeiworth_ [n=jeiworth@189.234.35.254] has quit ["No Ping reply in 90 seconds."] 11:43 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 11:50 < ecrist> !logs 11:50 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 11:54 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn [] 12:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:02 < Ahri> how come the manual on bridging says i need to run some iptables commands "to permit packets to flow freely over the newly created tap0 and br0 interfaces" yet it seems to work fine without my doing that? even when i did it manually (without letting gentoo set it up) it worked without the iptables commands. am i missing something? 12:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 12:28 < reiffert> which manual on bridging? 12:30 < HardDisk_WP> I think i know what he means... 12:31 < HardDisk_WP> Ahri, if it runs fine now, then leave it so ^^ 12:36 < reiffert> Ahri: those iptables rules will grant the packages to travel over the interfaces, in case the default firewall policy is DROP. 12:36 < reiffert> Ahri: as you dont need them, your default policy might be ACCEPT. 
12:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 13:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 13:08 -!- jeiworth_ [n=jeiworth@189.234.35.254] has joined ##openvpn 13:24 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)] 13:38 < Ahri> reiffert: i see, so if i meddle with my firewall settings at any point (to harden up security) i should bear that in mind. thanks again :) 13:41 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 13:56 -!- jeiworth_ [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)] 14:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:06 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 14:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:18 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:18 < Dougy> hey 14:18 < Dougy> Anyone happen to need a Xen VPS? 14:29 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 14:35 * ecrist looks around, looks at topic, looks at channel name. 14:36 < ecrist> nope, didn't think this was #dougy's_pimping_and_whoring_channel 14:36 < Dougy> ecrist, damn it 14:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:45 < ecrist> :P 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:51 < HardDisk_WP> Dougy, need == yes, afford == no ;) 14:53 < Dougy> True story 14:56 < ecrist> Dougy: need == no, afford == yes >:) 14:57 < Dougy> ecrist, wealthy bastard 14:58 < ecrist> hah, no where near wealthy 14:58 < Dougy> shh 14:58 < Dougy> make yourself sound like super rich hot shit 14:58 < Dougy> :) 14:58 < Dougy> it is nicer that way 15:00 -!- ecrist changed the topic of ##openvpn to: ecrist is a rich bastard 15:00 < ecrist> how about that? 15:01 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc18 out. 
Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://live.lmgtfy.com/ 15:01 * ecrist goes home. 15:02 -!- Intensity [i=[1ShoZMA@unaffiliated/intensity] has quit [Remote closed the connection] 15:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 15:08 < Dougy> hahaha 15:08 < Dougy> ecrist, wins 15:11 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 15:15 -!- Intensity [i=[AOwW3yl@unaffiliated/intensity] has joined ##openvpn 15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:34 -!- Intensity [i=[AOwW3yl@unaffiliated/intensity] has quit [Remote closed the connection] 15:49 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn 16:27 -!- Ahri [n=Ahri@93-97-29-15.zone5.bethere.co.uk] has quit ["zZzz"] 16:46 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has left ##openvpn [] 16:56 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [Read error: 113 (No route to host)] 17:08 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Remote closed the connection] 17:08 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn 17:25 < flaccid> krzie i did add the route on the router. i did that nearly 2 days ago. 17:26 < flaccid> krzie maybe you miss half of what i say? 17:26 < flaccid> ecrist i read and did everything that you and krzie said to do. its done. so perhaps you should note that. 17:27 < flaccid> so hopefully today someone here will help me and listen as well! 
17:42 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:43 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: flaccid, jfkw, Kreg-Work_, Nirkus, omega42, Timpa 17:43 -!- Netsplit over, joins: Timpa, flaccid, jfkw, Nirkus, omega42, Kreg-Work_ 17:48 -!- master_of_master [i=master_o@p549D3EA3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:50 < flaccid> my client does seem to be able to reach 10.1.1.1 on the server lan but but fails with 10.1.1.3 although they have the same net route. what could the problem be there? 17:51 -!- master_of_master [i=master_o@p549D3750.dip.t-dialin.net] has joined ##openvpn 18:25 < HardDisk_WP> flaccid, firewall 18:25 < HardDisk_WP> bad iptables rules 18:25 < HardDisk_WP> forget to enable tcp ip forward 18:25 < HardDisk_WP> and .1 is normally the gateway 18:26 < flaccid> there is no firewall and i don't use linux and ip forwarding is on 18:51 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 18:53 < flaccid> im getting closer 18:54 < flaccid> the problem does seem to be my two routers are not static routing their lan clients ie. the static routes only work locally for itself on the router 18:56 < flaccid> AHAHAH! route add fails to add routes on the client router!! 18:56 < flaccid> must be a dd-wrt bug 19:26 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn 19:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:28 < krzie> so funny when you tell someone their problem over and over again 19:28 < krzie> then eventually they realize you are right 19:30 < Dougy> hah 19:30 -!- flaccid0 [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn 19:31 < theDoc> hey all. 19:31 < theDoc> Time for work, bbl! :) 19:31 < krzie> wassup doc 19:32 < krzie> cool, later 19:32 < theDoc> Time for work, be back in 20. 
19:32 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [] 19:32 < krzie> either he'll be IRCing from work or he has very little work to do 19:32 < krzie> lol 19:32 -!- flaccid0 [n=chris@127.185.233.220.static.exetel.com.au] has quit [Client Quit] 19:33 -!- flaccid0 [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn 19:35 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 60 (Operation timed out)] 19:37 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn 19:39 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 110 (Connection timed out)] 19:53 -!- ENenEN [n=ryan@cpe-065-184-172-078.ec.res.rr.com] has quit [Remote closed the connection] 19:58 < flaccid0> !howto 19:58 < vpnHelper> flaccid0: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 19:58 -!- zheng [n=zheng@222.66.224.110] has quit ["Leaving"] 20:00 < flaccid0> does Diffie-Hellman use any config files or keys related to openvpn to generate. or is dh merely an openssl generated thing 20:00 < krzie> !dh 20:00 < vpnHelper> krzie: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 20:00 < krzie> openssl generated 20:01 < krzie> only thing openvpn generates itself is a static TLC hmac key 20:01 < krzie> TLS 20:01 < flaccid0> cool 20:06 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:10 -!- S1lv3R [n=No@S3SYSTEM.Net] has quit [Read error: 104 (Connection reset by peer)] 20:10 < flaccid0> i just regenerated some certs and the client has this problem http://openvpn.net/archive/openvpn-users/2005-12/msg00279.html 20:11 < vpnHelper> Title: Re: [Openvpn-users] openvpn[521] error, need help ! 
(at openvpn.net) 20:13 < krzie> lol, you went backwards 20:14 < krzie> you were 100% done 20:14 < krzie> all you had to do is add routes on your router 20:14 < krzie> like i been saying for days now 20:15 < flaccid0> i added them 2 days ago. 20:16 < krzie> Thu Dec 15 12:03:45 2005 us=106215 VERIFY nsCertType ERROR: /C=CA/ST=QC/O=Meteor_Studios/OU=MIS/CN=WRT/emailAddress=kenj@xxxxxxxxxxxxxxxxx, require nsCertType=SERVER 20:16 < flaccid0> ok so had to comment ns-cert-type server. seems ssl-admin doesn't do that 20:16 < krzie> you didnt sign the servercert 20:16 < flaccid0> or i did it wrong 20:16 < krzie> ssl-admin DOES do that 20:16 < krzie> i added it myself 20:16 < flaccid0> right 20:17 < krzie> you made the server cert by selecting S for server cert? 20:17 < flaccid0> i think i did CA 20:17 < krzie> thats good for making a CA... 20:17 < flaccid0> no sorry 4) 20:17 < flaccid0> Perform a one-step request/sign 20:17 < krzie> well, if you want a cert signed as a server, try selecting SERVER 20:18 < krzie> lol 20:18 < krzie> it will never get easier than that man 20:18 < flaccid0> i must be stoned 20:19 < krzie> thats no excuse, i was stoned out of my head when i added the S option 20:19 < krzie> lol 20:19 < flaccid0> Turn on Intermediate CA certificate signing? (y/n) 20:19 < krzie> n 20:21 < flaccid0> so CA, S, 4 ? 20:21 -!- xor| [n=xor@asmodeus.ost.sgsnet.se] has quit ["leaving"] 20:21 < flaccid0> actually CA, S, 1, 4 20:21 < krzie> then you put on your right sock 20:22 < krzie> then you put on your right shoe 20:22 < krzie> to tie the laces take one in each hand... 
20:22 < flaccid0> rightio 20:22 < krzie> make a loop with one 20:22 * Dougy sneaks up behind krzie and ties a rope around his neck 20:23 < krzie> haha 20:23 < krzie> sup dougy 20:23 < Dougy> nothing 20:23 < Dougy> just launched some new vps offers 20:23 * Dougy shrug 20:23 < krzie> nice 20:23 < Dougy> gonna start em up again 20:23 < Dougy> yea 20:23 < Dougy> 15/monthers 20:24 < Dougy> hope they sell 20:24 < theDoc> Dougy: Got a link to it? :) 20:25 < Dougy> bah 20:25 < Dougy> didnt want to make this into a sales pitch 20:25 < theDoc> Any chance I could run a seedbox on it? 20:25 < Dougy> erm 20:25 < theDoc> rofl 20:25 < Dougy> what would you be seeding 20:25 < theDoc> Dougy: Mainly dvd rips ;p 20:25 < Dougy> bah 20:25 < Dougy> i'll get in trouble 20:25 < krzie> lol 20:26 < krzie> scardy pants 20:26 < theDoc> lol 20:29 < flaccid0> ok back up and running haha 20:29 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 20:31 < flaccid0> krzie can i confirm the routes required on the routers ? 20:35 < flaccid0> i would like to show you my routing tables for each router 20:36 < theDoc> krzie: Are you one of the openvpn devs? 20:39 < flaccid0> krzie: routing tables: http://pastie.org/506669 20:40 < krzie> doc: no 20:40 < flaccid0> should i add 10.1.1.0 gw 192.168.0.5 on the client router as well ? 20:40 < krzie> doc: this chan has no official openvpn team support 20:40 < krzie> which is why its ## 20:40 < krzie> flaccid0 !route 20:40 < krzie> ive helped you for too many days now with the EXACT same problem 20:41 < krzie> when it was spelt out VERY plainly in !route the whole time 20:41 < theDoc> Kreg-Work_: ah, ok. 
20:41 < krzie> !route 20:41 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:41 < flaccid0> yes and thats what i've done krzie if you look 20:43 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit [Remote closed the connection] 20:50 -!- freysteinn [n=freystei@ailab-gw.ru.is] has quit [Read error: 110 (Connection timed out)] 20:50 -!- freysteinn [n=freystei@gw.cs.ru.is] has joined ##openvpn 20:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 20:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 21:04 * theDoc waves 21:04 < theDoc> Breakfast time! 21:04 * theDoc chuckles 21:05 < flaccid0> when i traceroute from the vpn server to a lan ip behind the client i see it in tcpdump routing to the client vpn ip, but not responding 21:07 -!- Major_Tom [i=tom-w@dslb-088-065-048-020.pools.arcor-ip.net] has joined ##openvpn 21:07 -!- omega42 [i=tom-w@dslb-088-065-213-251.pools.arcor-ip.net] has quit [Nick collision from services.] 
21:07 -!- Major_Tom is now known as omega42
21:20 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
21:38 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
21:38 -!- zheng_ [n=zheng@222.66.224.110] has joined ##openvpn
22:36 -!- zheng_ [n=zheng@222.66.224.110] has quit [Read error: 113 (No route to host)]
22:36 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
22:38 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
22:39 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
22:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:49 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 54 (Connection reset by peer)]
22:50 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
22:53 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
22:55 < krzee> !learn bot as I'm a bot.. just a bot. krzee is my maintainer, and I haven't "said" anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
22:55 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
22:55 < krzee> !learn bot as I'm a bot.. just a bot. krzee is my maintainer, and I haven't "said" anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
22:55 < vpnHelper> krzee: Joo got it.
23:13 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
23:31 < flaccid0> rightio all fixed up
23:31 < flaccid0> for some reason the static routes on the routers don't hop its clients. so i add the route back to the vpn subnet on the clients and now can reach
23:34 -!- flaccid0 is now known as flaccid
23:39 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
23:44 < krzee> !hmac
23:44 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
23:44 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
23:48 < krzee> !mitm
23:48 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
23:53 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
23:54 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 104 (Connection reset by peer)]
23:57 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
--- Day changed Wed Jun 10 2009
00:04 -!- zheng [n=zheng@222.66.224.110] has quit [Read error: 104 (Connection reset by peer)]
00:04 -!- zheng [n=zheng@222.66.224.110] has joined ##openvpn
00:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:23 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:24 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
00:26 -!- freysteinn [n=freystei@gw.cs.ru.is] has quit [Remote closed the connection]
00:28 -!- zheng_ [n=zheng@222.66.224.110] has joined ##openvpn
00:43 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 110 (Connection timed out)]
00:46 -!- zheng [n=zheng@222.66.224.110] has quit [Connection timed out]
00:46 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
00:46 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
01:00 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
01:07 -!- sfire [n=sfire@204.11.33.83] has quit ["ZNC - http://znc.sourceforge.net"]
01:25 < krzee> reiffert or Bushmills here?
01:27 < flaccid_> how can i confirm if iroutes are being initiated client-side? i can't see anything in logs
01:27 < krzee> client-side, you cant
01:27 < krzee> its internal to server
01:28 < krzee> well i guess, if a machine on that clients lan can ping the openvpn server ip
01:28 < krzee> but theres other reasons it couldnt, so thats not fool-proof
01:29 < krzee> but if it could, iroute was definitely added
01:30 < reiffert> krzee: no, I'm still sleeping
01:31 < krzee> moin moin!
01:31 < reiffert> moin :-)
01:32 < krzee> you know a way in the shell to insert text to be first line in a file?
01:32 < reiffert> I'm about to leave my place, customer was calling :)
01:32 < reiffert> yeah.
01:32 < reiffert> echo test > tmpfile
01:32 < krzee> or am i best off making a new file with the text, then cat >> the file into the newfile
01:32 < reiffert> cat file >> tmpfile
01:32 < reiffert> mv tmpfile file
01:32 < krzee> hehe werd
01:33 < krzee> figured maybe you had some ninja technique for it or somethin
01:33 < krzee> seeing as i had never thought of while read line > file
01:33 < krzee> ;]
01:33 < reiffert> or head -20 file > tmpfile;
01:33 < reiffert> echo foo >> tmpfile
01:34 < reiffert> tail -20 file >> tmpfile;
01:34 < reiffert> mv tmpfile file
01:34 < krzee> yupyup
01:34 < krzee> thx, enjoy the customer =]
01:35 < reiffert> thanks :)
01:35 < krzee> i gave the girlfriend a blindfold so my 42" monitor doesnt bug her while i script
01:35 < krzee> what a good boyfriend i am ;]
01:35 < reiffert> :p
01:36 < reiffert> somebody is writing "ed" and "heredoc"
01:37 < krzee> nah, much less useful
01:37 < krzee> lol
01:38 -!- zheng [n=zheng@222.66.224.108] has joined ##openvpn
01:46 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
01:46 < flaccid_> krzee thanks. can i get it to output something in logs ?
01:47 < krzee> flaccid_, it does, but only on the server
01:47 < krzee> its not something the client would know about, or need to know about
01:48 < flaccid_> its not in my server log
01:50 -!- zheng [n=zheng@222.66.224.108] has quit ["Leaving"]
01:50 < krzee> *shrug* ild look but im busy scripting
01:50 < krzee> 3am and have work tomorrow
01:53 -!- zheng_ [n=zheng@222.66.224.110] has quit [Read error: 110 (Connection timed out)]
02:02 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: theDoc, Kreg-Work_, Nirkus, Timpa
02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:07 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
02:07 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
02:07 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has joined ##openvpn
02:07 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
02:11 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
02:30 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
02:44 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
02:52 -!- zheng [n=zheng@222.66.224.108] has joined ##openvpn
03:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
04:00 -!- flokuehn [n=flokuehn@globalways/developer/flokuehn] has joined ##openvpn
04:04 -!- Alex_I [i=dragity@ip-88-119-229-139.static.b4net.lt] has joined ##openvpn
04:23 -!- Alagar1 [n=helpdesk@95.154.197.29] has joined ##openvpn
04:24 -!- Alagar1 [n=helpdesk@95.154.197.29] has left ##openvpn []
04:24 -!- Alagar1 [n=helpdesk@95.154.197.29] has joined ##openvpn
04:28 -!- zheng [n=zheng@222.66.224.108] has quit [Remote closed the connection]
04:35 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has quit []
04:41 -!- Alagar1 [n=helpdesk@95.154.197.29] has quit ["Leaving."]
04:42 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:53 < Bushmills> krzie, not without rewriting the file
04:54 < Bushmills> i.e. rename, create head, append rest
04:55 < Bushmills> whereof creating head and appending rest can be done with one single redirection to file.
05:08 -!- Shinu [n=Shinu@unaffiliated/shinu] has quit [Read error: 54 (Connection reset by peer)]
05:16 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:48 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:54 -!- ashley_ [n=ashley@87-194-183-38.bethere.co.uk] has joined ##openvpn
05:55 -!- ashley_ is now known as smellynoser
06:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:19 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
06:23 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
06:24 -!- datenritter [n=datenrit@dslc-082-082-248-044.pools.arcor-ip.net] has joined ##openvpn
06:27 < datenritter> hi! openvpn tells me it would be ifconfig-uring tap0 on start, but it doesn't. (i set delays and checked ifconfig. it comes up without address.) so, when it runs update-resolv-conf, setting the routes fails with "SIOCADDRT: Network is unreachable". if i remove the "up /etc/openvpn/update..." line, tap0 gets configured - i have to setup routes manually then. any ideas why?
06:29 < datenritter> http://pastebin.com/ddb29ed2
06:30 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
06:55 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
07:02 -!- Alex_I [i=dragity@ip-88-119-229-139.static.b4net.lt] has left ##openvpn []
07:14 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
07:29 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 54 (Connection reset by peer)]
07:31 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
07:31 < ecrist> morning, fuckers
07:35 < ewook> good day to you too.
07:38 < ecrist> datenritter: it would appear as though your configs are a bit wonky
07:38 < ecrist> !config
07:38 < vpnHelper> ecrist: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
07:38 < ecrist> !configs
07:38 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:41 < datenritter> ecrist: k, i will pastebin my configs...hold on...
07:42 < datenritter> http://pastebin.com/m5e036807 <-- this is my client-config at the moment.
07:44 < datenritter> http://pastebin.com/m9e7eff6 <-- my server-config. i could swear it worked like this a few months ago...
07:45 < datenritter> http://pastebin.com/d2207e9e8 <-- log as a reminder. the "/sbin/ifconfig ..." line doesn't really seem to be executed.
07:45 < datenritter> unless i remove the "up /etc/openvpn/update-..." line from the client config. but then i have to set the routes by hand.
07:45 < datenritter> if i do that, everything's fine. no tls problems or stuff like that.
07:46 < ecrist> datenritter: you can't have an ifconfig and server-bridge in the config.
07:46 < datenritter> just updated openvpn (debian testing) also.
07:46 < datenritter> uh oh
07:46 < ecrist> server-bridge is telling it to set 192.168.115.10 and your ifconfig is setting 192.168.115.9
07:46 < datenritter> ah
07:46 < datenritter> *facepalm*
07:49 < datenritter> hmm
07:49 < datenritter> that's not the problem.
07:52 < datenritter> ifconfig is not set on the client side
07:52 < datenritter> tap is still not being configured
07:53 -!- smellynoser [n=ashley@87-194-183-38.bethere.co.uk] has quit ["leaving"]
07:53 < datenritter> and let me remind you that it does work with this config, if i remove the "up..." line and manually set the routes.
07:53 < datenritter> my only problem is that the routes are not set, because client's tap0 is not set up properly.
07:53 < datenritter> also, from the man page, it is possible to set ifconfig and server-bridge in the server's config.
07:53 < datenritter> i think.
07:54 < datenritter> ifconfig should configure the server's tap device
07:54 < datenritter> if you leave it out, tap won't come up on openvpn start
07:55 < datenritter> server-bridge doesn't do that
08:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:28 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
08:44 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
08:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:13 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:39 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has quit ["bbl"]
09:40 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:48 -!- empiric1 [n=empiric@116.71.60.85] has joined ##openvpn
09:49 < empiric1> guys i am doing open vpn of Virtual server
09:49 < empiric1> vmware ESX server
09:49 < empiric1> i am able to make tunnel
09:49 < empiric1> band ping both ends but no
09:49 < empiric1> behind vpn server and vpn client
09:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:54 -!- empiric [n=empiric@116.71.61.30] has joined ##openvpn
09:56 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has joined ##openvpn
09:58 < datenritter> ok, i removed the "ifconfig" line from my server-config (http://pastebin.com/m9e7eff6 ) as it is bridged anyway. i also removed the "up", "down", and all delay-settings from my client-config. (http://pastebin.com/m5e036807 ). now i get this: http://pastebin.com/m3d3dbc63 . "route -n" says the routes are *not* set. tap0 is not configured.
09:58 < datenritter> so either the log reports are just wrong...
09:59 < datenritter> ...or something deconfigures tap0 after the whole init-sequence.
09:59 -!- nibu [n=abululul@unaffiliated/nibu] has joined ##openvpn
09:59 < nibu> hi, some one can tell me how can I use openvpn-auth-pam on OpenBSD?
10:00 < ecrist> datenritter: do you have the bridge properly setup on the server between the tap device and your LAN ethernet device?
10:00 < nibu> I checked out that I have to install pam-devel, but this package don't exist on openbsd ports
10:00 < ecrist> nibu: sorry, I don't know.
10:01 < datenritter> ecrist: the bridge is properly set up.
10:02 -!- empiric1 [n=empiric@116.71.60.85] has quit [Read error: 60 (Operation timed out)]
10:02 < datenritter> ecrist: if i put route-delay 5 in the client config, i get the error messages from setting the routes again.
10:02 < datenritter> only if i leave out the delays there are no errors in the log.
10:02 < datenritter> i did a "watch -n1 ifconfig tap0" in another window to see if tap0 (client side) is configured at all. it's not.
10:03 -!- nibu [n=abululul@unaffiliated/nibu] has quit ["Leaving"]
10:03 < datenritter> that's why i believe "sbin/ifconfig tap0 192.168.115.200 netmask 255.255.255.0 mtu 1500 broadcast 192.168.115.255" actually never happens.
10:03 < datenritter> or - maybe - immediately after that, tap0 is deconfigured again.
10:04 < datenritter> which would explain why update-resolv-conf doesn't fail when there are no delays.
10:04 < datenritter> i.e. with delays: tap0 brought up -> tap0 configured -> routes set -> tap0 deconfigured (but still up)
10:04 < datenritter> i meant withOUT delays, sorry
10:05 < datenritter> with delays: tap0 brought up -> tap0 configured -> tap0 deconfigured ---- (delay) --> routes not set (error)
10:05 < datenritter> i know openvpn setup can be hard, but this is the weirdest thing i've ever seen.
10:06 < datenritter> it must be a problem on the client side.
10:06 < datenritter> iirc it works fine with a windows client...
10:06 < datenritter> hmm, maybe network-manager is interfering?
10:07 < datenritter> hmm, no, it's not allowed to touch tap0
10:08 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
10:09 < datenritter> when i put in the delay and run ifconfig myself at the right moment, it works fine: tap0 brought up -> tap0 configured -> manual ifconfig on tap0 ---- (delay) --> routes set
10:11 < ecrist> are you running openvpn as root?
10:13 < datenritter> yes
10:14 < ecrist> unfortunately, I don't know what else to tell you. I'm not a linux user and I don't ever bother with bridged vpns
10:14 < datenritter> :(
10:15 < ecrist> krzee or reiffert would probably be more helpful, but they're in and out all day
10:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:25 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
10:27 < empiric> does vmware ESX have virual ethernet prb with openvpn
10:32 < empiric> any idea
10:32 < empiric> guys
10:33 < empiric> tun is up
10:34 < empiric> but i can not ping behind vpn server
10:40 < datenritter> empiric: what do you mean with prb?
10:41 < empiric> yes
10:41 < empiric> its stariangs
10:41 < empiric> strange
10:41 < datenritter> what?
10:41 < empiric> tum is up at clent n server
10:41 < empiric> i can ping both
10:41 < datenritter> can you watch your spelling please?
10:41 < empiric> but can not ping behind vpn server and vpn clinets
10:42 < datenritter> what does your interface setup look like? do you have a firewall?
10:42 < empiric> yes
10:42 < empiric> but its stop right now
10:42 < empiric> can i send u server.conf and clinet.conf
10:44 < datenritter> use pastebin
10:47 < datenritter> empiric: still there?
10:48 < empiric> see http://pastebin.com/m57a74775 cleint.conf
10:49 < empiric> here http://pastebin.com/m754d144 server.conf
10:49 < empiric> see wth is the prb
10:50 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
10:50 < datenritter> ok, first of all: remove all comments before pasting the config files
10:50 < datenritter> second: please stop using abbreviations except very common ones
10:50 < datenritter> third: type carefully
10:50 < datenritter> for a non-native speaker it's hard to get what you mean...
10:52 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:53 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
10:54 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
10:55 < datenritter> hmm, strace doesn't show a call to /sbin/ifconfig, even though openvpn reports it...
11:00 -!- empiric111 [n=empiric@116.71.37.211] has joined ##openvpn
11:00 < empiric111> dateritter
11:00 < empiric111> u there
11:00 < empiric111> any idea
11:00 < empiric111> sorry i was DC
11:01 < empiric111> does this log means any thng
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: UDPv4 link remote: [undef]
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: MULTI: multi_init called, r=256 v =256
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: IFCONFIG POOL: base=12.14.0.4 siz e=62
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: IFCONFIG POOL LIST
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: testsrv,12.14.0.4
11:01 < empiric111> Jun 10 21:59:20 server-isb ovpn-server[18504]: Initialization Sequence Completed
11:03 < reiffert> log mns nt antng
11:03 < datenritter> empiric111: put your logs into pastebin
11:03 < reiffert> jt ntr vmr prb
11:05 < datenritter> reiffert: do you have any idea about my ifconfig-problem?
11:06 < datenritter> damn, at least openvpn manages to disconnect me from my wlan. *grind*
11:07 < reiffert> m sry cnt hlp y
11:09 -!- empiric [n=empiric@116.71.61.30] has quit [Read error: 110 (Connection timed out)]
11:10 -!- empiric111 [n=empiric@116.71.37.211] has quit [Read error: 60 (Operation timed out)]
11:13 -!- empiric111 [n=empiric@116.71.39.93] has joined ##openvpn
11:16 < plaerzen> !pastebin
11:16 < vpnHelper> plaerzen: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
11:17 < datenritter> damn, i knew it. copied the config to another client - and it works.
11:17 < plaerzen> reiffert, kb prbl? I ha th sme prbl
11:17 < Bushmills> khlyant prblm
11:18 < datenritter> are you purposely leaving out letters?
11:18 < plaerzen> n
11:18 < datenritter> fnny
11:18 < datenritter> gng 2 b a nw mem
11:20 -!- supercatfrog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn
11:21 < supercatfrog> hi - ive got openvpn setup, and connected, but I cant ping the server. Its given me an IP from the CCD file and created tap0 with that ip on my client, but its not working
11:21 < supercatfrog> also a route has been added to send 10.98.76.* down tap0
11:21 < supercatfrog> ( 10.98.76 is our vpn ip range )
11:23 < supercatfrog> on the client, the last line of the logs is WrWrWrWrWrWrWrWrWrWRrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWrWRrWRrWrWrWrWrWRWRWRWRWRWrWRrWrWrWrWrWRWRWRWRWRWrWRrWrWrWrWrWRWWR
11:24 < datenritter> your loglevel is too high
11:24 < datenritter> put it to 3
11:24 < supercatfrog> ok
11:24 < datenritter> s/put/set
11:25 < datenritter> great, my setup works great with the test box, but not with my notebook. openvpn-version is the same. *pain*
11:26 < supercatfrog> here's the output : http://pastebin.com/m24531baf
11:27 < datenritter> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:1: default_gateway=10.98.76.2 (2.1_rc11)
11:27 < datenritter> quite obvious, i'd say.
11:27 < supercatfrog> yes, sorry - missed that
11:27 < supercatfrog> that was just something i was messing about with before
11:27 -!- empiric [n=empiric@116.71.57.35] has joined ##openvpn
11:27 < supercatfrog> removed it, restarted server, restarted client, and its the same
11:27 < supercatfrog> http://pastebin.com/m3098f2d
11:29 < supercatfrog> and the config: http://pastebin.com/m25131fb8
11:29 < datenritter> so, your client's tap has the ip 10.98.76.53
11:29 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
11:29 < datenritter> and you want to do what?
11:30 < datenritter> ping the server?
11:30 < datenritter> did you set up your bridge properly?
11:30 < datenritter> the config you pasted - is that the server side?
11:30 < supercatfrog> im not using bridging, as far as i know
11:30 < supercatfrog> yes thats the server config
11:31 < datenritter> why did you comment out server-bridge?
11:31 < supercatfrog> i was under the impression its routed
11:31 < datenritter> oh
11:31 < datenritter> hmm
11:31 < supercatfrog> ive been commenting stuff out and changing stuff for ages
11:31 < datenritter> i think your server needs an ip on the tap device then
11:32 < supercatfrog> and it works
11:32 < supercatfrog> thanks
11:32 < datenritter> you're welcome
11:32 < supercatfrog> any idea how to make it do that when it starts up?
11:33 < datenritter> and i for my part will try windows now, as my linux is somehow rotten... *grmbl*...
11:33 < supercatfrog> as openvpn creates tap0
11:33 < datenritter> with the ifconfig-option
11:33 < datenritter> i think
11:33 -!- empiric111 [n=empiric@116.71.39.93] has quit [Read error: 60 (Operation timed out)]
11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:35 < cj> hey folks
11:36 < cj> if I use the ccd directory to manually assign IPs from a pool to particular hosts, will openvpn be smart enough to not provision those IPs?
11:36 -!- datenritter [n=datenrit@dslc-082-082-248-044.pools.arcor-ip.net] has quit ["Leaving."]
11:36 < cj> ie, is there a step in ip selection where the daemon attempts to detect whether the addr is in use before handing it out?
11:40 < ecrist> yep
11:40 -!- empiric111 [n=empiric@116.71.52.7] has joined ##openvpn
11:40 < ecrist> cj, my recommendation, though, is to use separate pools.
11:40 < empiric111> guys any one help me?
11:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:41 < ecrist> I do this by server 172.30.0.1 255.255.255.0 and adding a route for 172.30.1.0/24, and using the second pool in my ccd entries
11:43 < cj> ecrist: cool. that helps a lot.
11:44 < cj> ecrist: what's the syntax for adding a route to the second prefix look like?
11:45 < cj> ecrist: ip route add ... dev ... ?
11:46 < ecrist> let me go actually look at it. :)
11:46 < empiric111> hey cj can u help me
11:47 < ecrist> server 172.30.0.0 255.255.255.0
11:47 < ecrist> route 172.30.1.0 255.255.255.0
11:47 < empiric111> my client.cong
11:47 < empiric111> http://pastebin.com/m754d144
11:47 < ecrist> the first sets up my dynamic range, and gives the tun interface the 172.30.0.1 address
11:47 < ecrist> the route line tells OpenVPN to route for that address space.
11:48 < ecrist> on the rest of the network, I've got 172.30.0.0/23 to get but subnets
11:48 < ecrist> s/but/both/
11:48 < ecrist> empiric111: you haven't told us your problem.
11:49 < empiric111> well tun0 is up at both end i can not ping machines behind server and also behind client
11:49 < empiric111> both clint n server are ping
11:49 < empiric111> wht to do
11:49 < ecrist> !route
11:49 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:50 < empiric111> server.conf http://pastebin.com/mcbf3939
11:50 < cj> ecrist: cool beans. I'm setting up a couple of servers... one tap the other tun. I was going to put the tap manually-assigned subnet between the tun auto subnet and the tun manual subnet. you just saved me a bunch of headache :)
11:50 < ecrist> empiric111: read the link vpnHelper posted
11:50 < empiric111> ecrist wht route
11:50 < cj> empiric111: not right now, but I'll take a look when I get these servers functioning.
11:50 < ecrist> cj, glad to help
11:51 < empiric111> i ahve done this can u check my conf files
11:51 < empiric111> plz
11:51 < ecrist> !configs
11:51 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:51 < empiric111> am stuck may be u can slove in 5mins
11:53 -!- jeiworth_ [n=jeiworth@189.234.35.254] has joined ##openvpn
11:54 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 104 (Connection reset by peer)]
11:59 -!- empiric [n=empiric@116.71.57.35] has quit [Read error: 110 (Connection timed out)]
12:00 -!- empiric [n=empiric@116.71.32.253] has joined ##openvpn
12:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Connection timed out]
12:12 -!- empiric111 [n=empiric@116.71.52.7] has quit [Read error: 110 (Connection timed out)]
12:13 < empiric> ectist?
12:13 < empiric> u thee
12:13 < empiric> did u check my conf files
12:26 -!- Ragnar [i=heimdall@shell.ankeborg.nu] has joined ##openvpn
12:27 < Ragnar> whats up with openvpn easy-rsa and permission denied?
12:31 < empiric> Ragnar?
12:31 < empiric> who me
12:31 < reiffert> Ragnar: whats the matter, easy-rsa is telling you: permission denied because openssl is not able to create files, because of Permissions/Ownership.
12:32 < empiric> ecrist?
12:34 < reiffert> empiric?
12:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:40 -!- empiric111 [n=empiric@116.71.48.228] has joined ##openvpn
12:44 -!- empiric [n=empiric@116.71.32.253] has quit [Read error: 60 (Operation timed out)]
12:45 -!- xattack [i=xattack@132.248.108.239] has joined ##openvpn
12:46 < ecrist> empiric111: if you're not going to fucking read what I tell/ask you, I'm not going to help you.
12:47 < ecrist> post your configs without comments
12:47 < empiric111> i did
12:47 < empiric111> here
12:47 < empiric111> http://pastebin.com/m20dd677a
12:47 < empiric111> see i kno abt routing
12:47 < empiric111> its anothr issue
12:47 < empiric111> read my conf
12:47 < empiric111> is there any mistake
12:48 < empiric111> here are logs
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18682]: /sbin/route add -net 12.14.0.0 ne tmask 255.255.255.0 gw 12.14.0.2
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18682]: Data Channel MTU parms [ L:1538 D :1450 EF:38 EB:135 ET:0 EL:0 AF:3/1 ]
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: Socket Buffers: R=[111616->131072 ] S=[111616->131072]
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: UDPv4 link local (bound): 192.168 .2.1:1194
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: UDPv4 link remote: [undef]
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: MULTI: multi_init called, r=256 v =256
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: IFCONFIG POOL: base=12.14.0.4 siz e=62
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: IFCONFIG POOL LIST
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: testsrv,12.14.0.4
12:48 < empiric111> Jun 10 23:32:59 server-isb ovpn-server[18690]: Initialization Sequence Completed
12:48 < ecrist> please don't post them here
12:48 < empiric111> ok
12:48 < empiric111> sorry
12:48 < ecrist> !logs
12:48 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:50 < ecrist> I don't have time right now to help you. just got busy at work, sorry
12:54 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:00 < empiric111> hey does IFCONFIG POOL has sm meaning
13:02 < xattack> empiric111: it means thats the pool where you can take addresses , the space you have to take it ............am i right, guys?
13:02 -!- zeba [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
13:02 < zeba> hi
13:03 < reiffert> xattack: "IFCONFIG POOL" sounds like two words from a log file.
13:03 < reiffert> xattack: I think empiric111 is mixing up everything that can be done wrong.
13:03 < zeba> Is it possible to share one VPN connection on Mac and Win2000?
13:04 < reiffert> xattack: he should just follow the fucking howto from openvpn.net
13:04 < reiffert> zeba: define "share".
13:05 < xattack> reiffert: thats right , the howto is clear for beginners
13:06 < zeba> The only way I can get on the Net is through encrypted VPN connection... I would like the other comp to simultaneously access Internet
13:06 < zeba> with the current setup I can use it either with one or the other comp
13:07 < reiffert> zeba: do I get you right: one computer should establish the VPN connection and the other computer should send all packets to this computer, who will handle them (e.g. send them over the vpn tunnel)?
13:08 < zeba> if that is the only way to share the connection, yes
13:08 < reiffert> zeba: the answer is quite simple: yes, it is possible.
13:09 < zeba> :) can you refer me to some info pls?
13:09 < reiffert> zeba: a more clean approach would be asking the openvpn administrator for another set of certificate files, so that you can establish two connections.
13:10 < reiffert> !factoids search forward
13:10 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
13:10 < reiffert> !winipforward
13:10 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
13:10 < reiffert> !ipforward
13:10 < vpnHelper> reiffert: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
13:10 < zeba> thanks
13:10 < reiffert> !fbsdipforward
13:10 < vpnHelper> reiffert: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
13:10 < reiffert> the latter applies to mac.
13:10 < reiffert> ah well, natd stuff and such.
13:10 < reiffert> maybe "connection sharing". didnt try that.
13:12 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
13:12 -!- zeba [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 104 (Connection reset by peer)]
13:15 < Ragnar> reiffert: nods
13:15 -!- zeba_away [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
13:16 < zeba_away> I'll try...
13:21 -!- empiric111 [n=empiric@116.71.48.228] has quit [Read error: 110 (Connection timed out)]
13:26 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
13:45 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
13:45 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
13:56 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
14:06 -!- zeba_away_ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
14:21 -!- zeba_away__ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
14:23 -!- zeba_away [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 110 (Connection timed out)]
14:24 -!- temba [n=okotoba@91.65.23.247] has joined ##openvpn
14:27 -!- zeba_away_ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 60 (Operation timed out)]
14:31 < cj> hmm, so I hear that a subnet on an openvpn client is not visible from the subnet that the vpn server is in when using tun... is this correct?
14:32 -!- zeba_away__ is now known as zeba
14:32 < xattack> cj:depends on your config files
14:33 < cj> xattack: alrighty. can you help me get it working?
14:34 < cj> xattack: (ie, do you have the time to work on it with me?)
14:34 < xattack> cj:first... what do you want to do?
14:35 < cj> allow communication between 172.16.10.32/28 (vpn client subnet) and 172.16.9.0/24 (main intranet)
14:36 < xattack> as always ....logs, pastebin and all that stuff, please
14:36 < cj> http://pastebin.ca/1455730
14:37 < cj> server config ^^
14:37 < cj> http://pastebin.ca/1455735 <- client config
14:38 < cj> http://pastebin.ca/1455705 <- vpn server routing table, addrs
14:39 < cj> http://pastebin.ca/1455709 <- vpn client routing table, addrs
14:40 < cj> http://pastebin.ca/1455712 <- routing table of host on the /24
14:40 -!- zeba [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 104 (Connection reset by peer)]
14:40 < cj> server = vpn, client = wuh-wall-e, host on intranet = fw
14:41 < cj> fw can ping vpn (and vice versa), wuh-wall-e can ping vpn (and vice versa)
14:41 -!- nibu [n=bau@unaffiliated/nibu] has joined ##openvpn
14:41 < cj> vpn can ping both the p-t-p addr (172.16.10.2) and the addr on the /28 (172.16.10.33)
14:42 < nibu> some one knows how can I install the openvpn-auth-pam module on OpenBSD?
14:44 < xattack> nibu:ports maybe?
14:44 < nibu> xattack, I did not find any ports for it...
14:45 < xattack> nibu:so then just compile it ..
14:46 < nibu> on the directory of openvpn (plugins/auth-pam) have the .c file and on the README - on the same dir - says that it have the pam-devel like a dependency, but I can't find any package with this name on ports
14:48 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
14:50 < xattack> nibu:download source code and compile it your self , it's no so hard
14:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:59 < krzie> if you aint comfy with source openbsd isnt the OS for you
15:02 < nibu> krzie, xattack , the problem is not that, like I read in some forums, OpenBSD don't use PAM so I get confused
15:02 < krzie> if obsd doesnt use pam why are you trying to use it?
15:03 < krzie> i dont use openbsd, so i dunno if it does or not
15:03 < krzie> but freebsd does, that i know
15:03 < nibu> cause, it is the module described by the openvpn howto...
15:04 < nibu> and I read too about make some work around the PAM on OpenBSD
15:04 -!- nibu [n=bau@unaffiliated/nibu] has quit ["Saindo"]
15:04 < krzie> so is the problem that you dunno if your OS has pam or not?
15:06 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
15:06 < krzie> PAM is currently supported in the AIX operating system, DragonFly BSD[1], FreeBSD, HP-UX, Linux, Mac OS X, NetBSD and Solaris. PAM was later standardized as part of the X/Open UNIX standardization process, resulting in the X/Open Single Sign-on (XSSO) standard.
15:06 < krzie> i wish him luck
15:07 < xattack> right ..
15:11 -!- xattack [i=xattack@132.248.108.239] has quit []
15:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit []
16:01 < krzie> cj: you get that taken care of yet?
16:01 < krzie> i just scrolled up a lil
16:05 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
16:10 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
16:15 < cj> krzie: nope. if you can help it'd be appreciated
16:16 < krzie> sure, but ild like to start from the beginning with ya if thats cool
16:16 < krzie> whats your goal?
16:19 < cj> krzie: I've got a subnet on the vpn client that I want to be visible to the core intranet subnet
16:19 < krzie> ok
16:19 < krzie> have you read my writeup at:
16:19 < krzie> !route
16:19 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:19 < krzie> ?
16:19 < cj> krzie: I'll read through it. thanks.
16:20 < krzie> np, feel free to ask more after thoroughly reading it
16:20 < cj> thanks
16:21 < krzie> for many reading that doc is enough, but many seem to have a problem with the fact that it explains more than they need
16:21 < krzie> (since it talks about 2 clients and a server all with lans behind them)
16:22 < krzie> and many just skim it and wonder why it doesnt magically enter their brain ;]
16:38 -!- loca|host [n=loca|hos@41.226.214.239] has joined ##openvpn
16:38 < loca|host> hello all
16:38 < krzie> hello
16:39 < loca|host> i have an openvpn client configuration file, i've installed the network-manager-openvpn on my ubuntu9.04, and it requests me to fill the inputs one by one ... is there any place to use my config file ?
16:39 < krzie> !ubuntu
16:39 < vpnHelper> krzie: "ubuntu" is dont use network manager!
16:39 < loca|host> lol
16:39 < loca|host> lool
16:39 < krzie> ;]
16:40 < loca|host> so why the hell i only find network manager howtos around when googling ...
16:40 < loca|host> thx anyway man
16:40 < krzie> cause 90% of the openvpn tutorials you will find via google suck bigtime
16:40 < krzie> !howto
16:40 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:40 < loca|host> thx
16:40 < krzie> np
16:40 < krzie> but btw
16:41 < krzie> some people have reported success with network manager
16:41 < krzie> so i guess it can work for some
16:41 < krzie> but you arent likely to get help with it here
16:41 < loca|host> ok
16:41 < loca|host> i'll try that
16:41 < krzie> but the openvpn side of things, feel free to ask
16:41 < krzie> my suggestion for that would be this
16:41 < krzie> make a BS config using network manager, find where it stores it
16:42 < krzie> then replace that with the real config you made manually
16:42 < krzie> cant guarantee that will work since ive never used network manager, but ild expect it to
16:42 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:42 < loca|host> good idea
16:42 < loca|host> i'll check that
16:57 -!- zeba_away [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
17:09 < cj> krzie: hurm.. I must be doing something wrong...
17:09 -!- loca|host [n=loca|hos@41.226.214.239] has quit ["Quitte"]
17:09 < krzie> ok, so what did you do?
17:09 < krzie> and what are all involved subnets?
17:09 < krzie> ie: both lans and the vpn
17:09 < cj> the subnet behind the ovpn server is 172.16.9.0/24
17:10 < cj> the subnet behind the ovpn client is 172.16.10.32/28
17:10 < cj> or is it 27? something like that...
17:10 < cj> 172.16.10.32/27
17:11 < krzie> ok, but less than /24, thats cool
17:11 < cj> p-t-p is 172.16.10.1 (server) <-> 172.16.10.2
17:11 < krzie> p-t-p? not client/server?
17:11 < cj> # ip addr show dev tun0
17:11 < cj> 24: tun0: mtu 1500 qdisc pfifo_fast qlen 100 link/[65534] inet 172.16.10.6 peer 172.16.10.5/32 scope global tun0
17:11 < cj> POINTOPOINT
17:11 < krzie> lets see these:
17:11 < krzie> !configs
17:11 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:12 < cj> 12:36 < cj> http://pastebin.ca/1455730 <- server config
17:12 < cj> 12:37 < cj> http://pastebin.ca/1455735 <- client config
17:12 < cj> 12:38 < cj> http://pastebin.ca/1455705 <- vpn server routing table, addrs
17:12 < cj> 12:39 < cj> http://pastebin.ca/1455709 <- vpn client routing table, addrs
17:12 < cj> 12:40 < cj> http://pastebin.ca/1455712 <- routing table of host on the /24
17:12 < cj> 12:40 < cj> server = vpn, client = wuh-wall-e, host on intranet = fw
17:13 < krzie> yay you didnt have comments!
17:14 < cj> you'll want the ccd, too...
17:14 < krzie> lets see ccd/wuh-wall-e
17:14 < cj> cjac@vpn:/etc/openvpn$ grep -v -e '^;' -e '^#' -e '^ *$' ccd/wuh-wall-e.colliertech.org
17:14 < cj> iroute 172.16.10.32 255.255.255.224
17:14 < krzie> yupyup
17:15 < krzie> i wonder if the problem is the netmask, do you need to route to other hosts in 172.16.10.x from the server / other clients?
17:15 < cj> /27 is 255.255.255.224, isn't it?
17:15 < krzie> or if you use /24 just for openvpn internal will it break something for you?
17:15 < krzie> (for the server internal)
17:15 < krzie> lets check
17:15 < krzie> !google cidr cheatsheet
17:15 < vpnHelper> krzie: CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: ; IPv4 CIDR notation cheat sheet: ; Subnet Cidr Cheat Sheet:
17:15 < cj> I was thinking I'd have the server hand out /27s to future clients
17:16 < cj> but 172.16/12 is pretty big, so I don't have to
17:16 < krzie> i dont get what you mean
17:16 < krzie> the lan behind the client is 255.255.255.224
17:16 < cj> /27 32 255.255.255.224 Eighth of a /24
17:16 < krzie> but do any other lans your openvpn server must know about already use other subnets in the same /24?
17:17 < krzie> try using 255.255.255.0 in your iroute and see if it works
17:17 < cj> no, this is the first subnet in 172.16.10/24
17:17 < krzie> OHHH also
17:17 < krzie> 1 other thing before you do that
17:17 < krzie> is openvpn client on the router for its lan?
17:17 < cj> I'm pulling the p-t-p addrs from the first /28 dynamically and was thinking of assigning p-t-p addrs from the second /28 statically
17:18 < cj> no, but I've added a route to 172.16.10/24 through 172.16.9.2 (vpn)
17:18 < krzie> #
17:18 < krzie> server 172.16.10.0 255.255.255.240
17:18 < krzie> make that something 100% different
17:18 < krzie> and use a /24 for it
17:18 < cj> alright.
17:18 < krzie> like 10.8.0.0 255.255.255.0
17:18 < cj> righty-o
17:18 < krzie> AND
17:18 < krzie> did you add routes on the router for each lan?
17:18 < krzie> if not, you need to
17:19 < krzie> you must add routes to each router telling it that vpn_subnet and other_lan_subnet sit behind local_lan_ip_of_vpn_machine
17:19 < cj> yeah, I've done that :)
17:20 < krzie> cool =]
17:20 < cj> I think the server line may be what was causing the problems
17:20 < krzie> i think so too
17:20 < krzie> make sure to update the route entries on routers after fixing that
17:20 < krzie> both routers will need to know about it
17:27 < cj> http://pastebin.ca/1455924
17:27 < cj> still no love. vpn server can't ping 172.16.10.36 (the laptop I'm typing on)
17:28 < cj> vpn client can ping 172.16.9.2 (vpn server's addr on the remote subnet)
17:28 -!- zeba_away_ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
17:28 < cj> but not 172.16.9.1
17:28 < krzie> can vpn client ping another host on 172.16.9.x lan?
17:29 < krzie> ok...
17:29 < cj> I think so, but I'll verify :)
17:29 < cj> verified
17:29 < cj> er, sorry. mis-read
17:29 < krzie> so vpn client can ping another host on .9.x?
17:29 < cj> thought you said vpn server
17:29 < cj> no. 172.16.10.36 cannot reach 172.16.9.1
17:29 < krzie> ahh
17:29 < cj> or 9.2
17:30 < krzie> can the laptop ping 10.8.0.1?
17:30 < cj> no
17:30 < krzie> can the vpn client ping 10.8.0.1?
17:30 < cj> yes
17:30 < cj> but look at this...
17:31 < cj> root@wuh-wall-e:/etc/openvpn# ip addr show dev tun0
17:31 < cj> 27: tun0: mtu 1500 qdisc pfifo_fast qlen 100 link/[65534] inet 10.8.0.6 peer 10.8.0.5/32 scope global tun0
17:31 < cj> how'd that happen, I wonder?
17:31 < krzie> yup, perfect
17:31 < krzie> !/30
17:31 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
17:31 < cj> 30: tun0: mtu 1500 qdisc pfifo_fast qlen 100 link/[65534] inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
17:31 < krzie> the client is 10.8.0.6
17:31 < krzie> yup, thats a workaround for windows lameness, they found a new way around it tho
17:31 < krzie> !topology
17:31 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:31 < cj> why does the client think it's .6 with a peer of .5 while the server thinks it's .1 with a peer of .2?
17:32 < krzie> read !/30 and !topology
17:32 < krzie> the links
17:32 < krzie> and it will make sense
17:32 < krzie> thats how topology net30 works (default)
17:32 < krzie> topology subnet will become default at some point
17:33 -!- zeba_away__ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has joined ##openvpn
17:34 < cj> alrighty... so, the client and server can ping each other, so we're at least somewhere :)
17:34 < krzie> ok
17:34 < krzie> check firewalls are set to allow those other subnets
17:35 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:35 < krzie> over tun interface
17:35 < cj> you're going to laugh at me... but
17:35 < cj> cjac@vpn:/etc/openvpn$ cat /proc/sys/net/ipv4/ip_forward
17:35 < cj> 0
17:35 < krzie> ahhhh
17:35 < krzie> right
17:35 * cj puts head in hands
17:35 < krzie> lol, i have no room to laugh at you, i totally forgot too
17:35 < krzie> plus you followed directions PERFECTLY
17:35 < krzie> you should teach classes on that in here ;]
17:35 < cj> luckily, that didn't help
17:36 < krzie> ok, check firewalls
17:36 < krzie> both sides will need ip forwarding on
17:36 < cj> oh, great. I didn't realize it but the client has firewall rules
17:36 < krzie> !linipforward
17:36 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
17:36 < cj> I checked the server, and it's clear.
17:37 < krzie> alright, once making sure ip forwarding and firewalls are all good, lets move on to some packet sniffing
17:37 < krzie> normally we sniff 1 at a time
17:37 < krzie> but i can tell you know your shit
17:37 < cj> alrighty. the client is an openwrt and I'm crunched for space, so we gots no tcpdump there
17:38 < krzie> so start up tcpdump on both vpn machines, sniffing tun for icmp
17:38 < krzie> ok skip that one then
17:38 < krzie> also fire up tcpdump on a lan machine on each side
17:38 < krzie> or wireshark, whatever
17:39 < krzie> so the client is the router for its lan?
17:39 < cj> I'm not so good with iptables... could you help me put something together to allow packets on the subnet? I'll give you an iptables-save via pastebin...
17:39 < krzie> !iptables
17:39 < vpnHelper> krzie: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
17:39 < cj> suck. openwrt doesn't have it... iptables -L it is :)
17:39 < cj> http://pastebin.ca/1455934
17:40 < krzie> tbh i dont use linux
17:40 < krzie> but you wanna allow each subnet over tun interface
17:40 < krzie> !man
17:40 < cj> ah. :)
17:40 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:40 < krzie> manual has examples for you
17:40 < krzie> under FIREWALLS section or somethin like that
17:40 < krzie> best to give that a peek
17:41 < cj> cjac@fw:~$ ping 172.16.10.33
17:41 < cj> PING 172.16.10.33 (172.16.10.33) 56(84) bytes of data.
17:41 < cj> 64 bytes from 172.16.10.33: icmp_seq=1 ttl=63 time=28.0 ms
17:41 < cj> tada
17:41 < cj> thank you very much
17:41 < krzie> ok so thats from where to where?
17:41 < krzie> from 1 lan to other?
17:42 < krzie> vpn server to client lan?
17:42 < krzie> nice ping time btw!
17:43 < cj> that's from server's subnet to client's addr on its subnet
17:43 < cj> can't get past there... more reading
17:43 < krzie> sorry i didnt catch that
17:43 < cj> krzie: yeah, I don't think there are too many hops between my two locations
17:43 < krzie> thats a machine on server lan to a machine on client lan?
17:44 < cj> 172.16.9.1 -> 172.16.9.2/10.8.0.1 -> 10.8.0.6/172.16.10.33
17:44 < krzie> ahh ok
17:44 < krzie> a machine on server lan to the vpn client
17:44 < cj> 172.16.9.1 -> 172.16.9.2/10.8.0.1 -> 10.8.0.6/172.16.10.33 !> 172.16.10.36
17:44 < cj> right
17:44 < krzie> but not just any machine, the router itself on server lan
17:44 < krzie> now try from some other machine on server lan to same ip
17:44 < cj> one of the routers, si
17:45 < krzie> ahh hablas espanol tambien?
17:45 < cj> yep. works from 172.16.9.3, tambien
17:45 < cj> un poco :)
17:45 < krzie> ;]
17:45 -!- zeba_away [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 110 (Connection timed out)]
17:46 < krzie> ok cool so server side is good
17:46 < krzie> now
17:46 < krzie> can vpn client ping 172.16.9.3?
17:47 < cj> iptables -A FORWARD -i tun+ -j ACCEPT
17:47 < cj> 172.16.9.3 -> 172.16.9.2/10.8.0.1 -> 10.8.0.6/172.16.10.33 -> 172.16.10.36
17:47 < cj> let's see if we can reverse that...
17:47 < krzie> 1min, phone
17:48 < cj> np
17:48 -!- master_of_master [i=master_o@p549D3750.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:50 < krzie> did that ping work?
17:52 < krzie> besides FORWARD you may need something in INPUT
17:52 < krzie> not sure
17:52 < krzie> i believe the firewall section of manual will tell ya, they get specific with iptables
17:52 -!- master_of_master [i=master_o@p549D3BD6.dip.t-dialin.net] has joined ##openvpn
17:52 < krzie> in fact iptables is the only firewall they get specific about
17:53 -!- zeba_away_ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Connection timed out]
17:53 < cj> yeah, I did add a rule to INPUT as well
17:53 < cj> that was what allowed 9.1 to reach 10.33
17:53 < krzie> cool
17:54 < cj> now 10.33 is dropping packets from 10.36 destined for 9.2 and 9.3
17:54 < krzie> nice, you found the problem
17:54 < cj> I added a rule to the OUTPUT chain to accept outbound packets on tun+
17:55 < cj> that didn't do it...
17:55 < cj> iptables -A OUTPUT -o tun+ -j ACCEPT # btw
17:55 < krzie> werd
17:55 < cj> I'm going to look through iptables -L again...
17:55 < krzie> did you look through the firewall section of manual?
17:57 < cj> bah. I read the whole iptables howto and it all still looks like a mess to me...
17:57 < cj> yeah, but the recommendations didn't help
17:57 < krzie> lol no kidding
17:57 < krzie> thats totally what i think of iptables too
17:57 < krzie> mess
17:57 < cj> they were just adding ACCEPT rules to the FORWARD and INPUT chains for tun+
17:59 -!- temba [n=okotoba@91.65.23.247] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:59 < cj> well, I've got to get out of here. the fam was invited to one of the wife's friends' place and we're going to be late if I don't hurry.
17:59 < krzie> right on man
17:59 < cj> thanks for the tips. I'm a lot closer than I was before.
17:59 < krzie> gl with the setup
17:59 < krzie> np, i think you'll have it soon
18:00 < krzie> pleasure helping someone who helps themselves as well
18:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
18:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
18:02 -!- jeiworth_ [n=jeiworth@189.234.35.254] has quit [Read error: 60 (Operation timed out)]
18:02 -!- zeba_away__ [n=Spidi@93-136-65-76.adsl.net.t-com.hr] has quit [Read error: 110 (Connection timed out)]
18:23 < reiffert> openvpn with http-proxy
18:24 < reiffert> proxy denied CONNECT's
18:24 < reiffert> What chances do I still have? udp/53 and tcp/443 connections refused ..
18:24 < krzie> i cant believe openvpn socks support doesnt work with login/password auth
18:24 < reiffert> I ever thought openvpn is working on GET/POST requests when using http-proxy.
18:24 < krzie> like anyone who is in their right mind has public socks running
18:25 < reiffert> the 'proxy' I was mentioning is a http proxy "squid"
18:25 < krzie> hrmz
18:26 < reiffert> http://openvpn.net/archive/openvpn-devel/2004-07/msg00044.html
18:26 < vpnHelper> Title: [Openvpn-devel] Change Connect to POST/GET in Proxy.c (at openvpn.net)
18:27 < krzie> i dont see why server-side would need modifying
18:29 < krzie> !factoids search vista
18:29 < vpnHelper> krzie: No keys matched that query.
18:29 < krzie> !winroute
18:29 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
18:30 -!- Intensity [i=[1quCYO1@unaffiliated/intensity] has joined ##openvpn
18:30 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
18:30 < |Mike|> Moin!
18:30 < krzie> moin moin
18:30 < |Mike|> Hello krzie
18:30 < krzie> sup mike
18:31 < reiffert> krzie: cause CONNECT != GET/POST
18:31 < |Mike|> strugglin with the vista client stuff.
18:31 < krzie> reiffert, but doesnt that only matter for the client starting the connection?
18:32 < krzie> ild expect the server responding doesnt need to know its a proxy...
18:32 < krzie> mike:
18:32 < krzie> !configs
18:32 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:32 < krzie> !logs
18:32 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:33 < |Mike|> i'm a master in regex sir :)
18:33 < krzie> ;]
18:33 < krzie> and yes i know it should be more efficient, but the bot doesnt like []
18:34 < |Mike|> http://pastebin.ca/1455976
18:34 < |Mike|> config
18:34 < krzie> cause [] is for encapsulating output from another command
18:34 -!- jwz [n=jwz@99.23.162.153] has joined ##openvpn
18:34 < jwz> cat: drugtest.txt: No such file or directory
18:34 -!- jwz [n=jwz@99.23.162.153] has left ##openvpn []
18:34 < krzie> hahahah
18:34 < krzie> spambot fail
18:35 < |Mike|> http://pastebin.ca/1455978
18:35 < |Mike|> client config
18:35 < krzie> for the pushing of dns, read this:
18:35 < krzie> !pushdns
18:35 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
18:35 < krzie> for ipp.txt, read this:
18:35 < krzie> !ipp
18:35 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:35 < |Mike|> i haven't used a decent vpn program since '98
18:35 < |Mike|> bear with me :)
18:36 < krzie> for sure, im just giving the any info i think you need as we go
18:36 < |Mike|> ya
18:36 < krzie> 2 things for hardening your vpn, but we'll go over them when its working
18:36 < |Mike|> i'm aware of the MITM
18:36 < krzie> yup, that was 1
18:37 < |Mike|> and the TLS key exchange
18:37 < krzie> lol
18:37 < krzie> ok you got it
18:37 < |Mike|> (part of MITM)
18:37 < krzie> no, not part of MITM
18:37 < krzie> but werd
18:38 < |Mike|> http://pastebin.ca/1455982
18:38 < krzie> configs are good, time for logs
18:38 < krzie> thats not your logs
18:38 < |Mike|> it is
18:38 < krzie> i want the log at verb 6 from starting vpn to connection
18:39 < krzie> from both sides
18:39 < krzie> oh that IS part of a log...
18:40 < krzie> they must have updated some stuff or you're using a verb higher than i use
18:40 < krzie> i havnt updated from rc15 yet
18:40 < |Mike|> http://pastebin.ca/BDwwQW0M
18:40 < krzie> msg pw?
18:40 < |Mike|> that's serverside ( you know the channel )
18:40 < |Mike|> #t..
18:40 < krzie> cool
18:41 < |Mike|> i'm using the -current (dev) client on this vista machine
18:41 < krzie> i need it from when you start the proc man
18:42 < |Mike|> # ./openvpn forcestart
18:42 < |Mike|> Starting openvpn.
18:42 < |Mike|> add net 10.8.0.0: gateway 10.8.0.2
18:42 < |Mike|> pom pom pom, recon.
18:43 < |Mike|> Tun/tap is havin issues
18:43 < krzie> at verb 6 there should be a shitton of stuff at the top
18:43 < |Mike|> verb6 ?
18:43 < krzie> #
18:43 < krzie> verb 3
18:43 < krzie> krzie: "logs" is (#1) is please pastebin your logfiles from both
18:43 < krzie> client and server with verb set to 6,
18:44 < |Mike|> sec.
18:44 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: CybDev
18:47 < |Mike|> http://pastebin.ca/MpXwhCNX
18:48 < krzie> there we go!
18:48 < krzie> other side too pls
18:49 -!- Netsplit over, joins: CybDev
18:49 < krzie> route-delay in client config
18:49 < krzie> try again
18:50 < krzie> starting it as admin in windows?
18:50 < krzie> i havnt used windows in yrs but i know thats common issue on vista
18:50 < krzie> pops up on mail list every now and then
18:52 < |Mike|> lets look at the logs on the server side
18:52 < krzie> actually i dont think i need them after all
18:52 < krzie> try what i said real quick
18:52 < krzie> and post the log
18:53 < |Mike|> it's started as windows admin
18:53 -!- p3ri0d [i=p3ri0d@200.2.154.153] has joined ##openvpn
18:54 < krzie> sup p3ri0d
18:54 < p3ri0d> nm krzie
18:54 < |Mike|> we would like to see 1400 clients connecting over 1 server krzie :)
18:55 < p3ri0d> just thought that I'd give you a visit in here ;)
18:55 < krzie> gl mike
18:55 < |Mike|> s/0/\/
18:55 < |Mike|> 140 is enough :)
18:55 < krzie> that could happen =]
18:55 < krzie> 1400 was overshooting
18:55 < krzie> lol
18:55 < |Mike|> at first it was just a database what they needed, but now we'd like to see their e-mail and other http(s) going through the vpn
18:56 < krzie> lets do 1 thing at a time
18:56 < |Mike|> i'm a lazy guy what uses ip over dns :P
18:56 < |Mike|> (insecure)
18:56 < krzie> first we fix the vista route
18:56 < krzie> ya i wrote the route script on iodine webpage
18:56 < krzie> you prolly noticed if you use IPoDNS
18:57 < |Mike|> nope :)
18:57 < krzie> what you use nstx?
18:57 < |Mike|> :P
18:57 < |Mike|> yep
18:57 < krzie> dude
18:57 < krzie> look into iodine
18:57 < krzie> its far >
18:58 < krzie> ip-o-dns is bad unless needed
18:58 < |Mike|> ok, 'll do :)
18:58 < krzie> terrible mtu issues
18:58 < krzie> should not be used unless its the only way to get online
18:58 < |Mike|> most of the time, yes.
18:58 < |Mike|> bad habits--
19:01 < |Mike|> i should comment ipp out of the config tbh.
19:01 < krzie> if you need static vpn ips, type !static
19:02 < krzie> ipp doesnt do that, in fact it doesnt guarantee anything at all
19:02 < krzie> its basically a suggestion based on past ip assignments
19:02 < |Mike|> i prefer dhcp
19:02 < krzie> dhcp wont be happening
19:02 < krzie> this is a tun device, layer3 only
19:03 < |Mike|> since people which are connecting to the VPN can access the database and check their e-mail and an internal website to check some proforma's etc
19:03 < krzie> (which is what you should be using)
19:03 < |Mike|> i'm using tun :)
19:04 < krzie> yup
19:04 < krzie> which is why you wont have dhcp
19:04 < krzie> but its exactly what you should be using
19:05 < krzie> just let openvpn set the ips like you have in your configs =]
19:05 < krzie> did you add route-delay yet?
19:05 < krzie> im waiting on the log after you set that
19:06 < |Mike|> http://pastebin.ca/Xpm76Enf
19:06 < krzie> erm that was server config
19:06 < |Mike|> yep
19:06 < |Mike|> the logs are full with crap tbh.
19:06 < |Mike|> serverside
19:07 < |Mike|> Jun 11 02:00:05 dedi14 openvpn[64245]: client1/213.51.118.15:31966 UDPv4 WRITE [53] to 213.51.118.15:31966: P_DATA_V1 kid=0 DATA len=52
19:07 < krzie> ya i dont need serverside afterall
19:07 < krzie> but i want you to add route-delay to client side and send me the new log from client side
19:08 < |Mike|> euh, route-delay in the config is enough ?
19:08 < krzie> i wouldnt know yet
19:08 < krzie> comment out push "route-gateway line for now
19:08 < krzie> we'll handle that after
19:08 < krzie> theres a bit more to that part
19:08 < |Mike|> at the client ?
19:08 < krzie> lets do 1 thing at a time
19:08 < krzie> comment that line off the server
19:09 < krzie> then add the route-delay to the client
19:09 < krzie> then reconnect and send me client logs
19:09 < krzie> when you can get the vpn routes added on client we'll worry bout redirect-gateway
19:10 < |Mike|> :%s/gateway/delay
19:10 < |Mike|> meh.
19:10 < krzie> huh??
19:10 < |Mike|> wrong window.
19:12 < |Mike|> what would be the right syntax for the client
19:12 < krzie> route-delay
19:12 < |Mike|> "route-delay" ?
19:12 < krzie> right there in the client config
19:14 < |Mike|> http://pastebin.ca/DFAP68al
19:19 < krzie> booya
19:19 < krzie> from client, ping 10.8.0.1
19:19 < krzie> does it work?
19:19 < |Mike|> nope
19:19 < krzie> turn off firewall for tap device
19:20 < |Mike|> recheck, it works now
19:20 < krzie> ok
19:20 < krzie> so now we fixed the route issue
19:20 < krzie> time to handle the redirect
19:20 < krzie> !redirect
19:20 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:20 < krzie> !def1
19:20 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:21 < krzie> you will need to NAT 10.8.0.0/24 on your server
19:21 < krzie> just like it was a LAN and that was your gateway
19:21 < krzie> you will need ip forwarding on your server
19:21 < krzie> you will want push "route-gateway 10.8.0.1 def1"
19:21 < |Mike|> net.inet.ip.forwarding: 1
19:21 < krzie> otherwise, when the client disconnects from vpn it will have no gateway
19:22 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
19:24 < |Mike|> weirdness.
19:24 < krzie> whats weird?
19:24 < |Mike|> sysctl -s net.inet.ip.forwarding = 1
19:24 < |Mike|> (nat)
19:25 < krzie> thats not NAT
19:25 < krzie> which os you on?
19:25 < |Mike|> fbsd.
19:25 < krzie> !fbsdnat
19:25 < vpnHelper> krzie: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
19:25 < krzie> that was:
19:25 < krzie> !fbsdipforward
19:25 < vpnHelper> krzie: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
19:25 < krzie> NAT is very different
19:26 < |Mike|> true dat.
19:26 < |Mike|> it's 02:30 am here
19:26 < krzie> net.inet.ip.forwarding says that packets can pass through interfaces
19:26 < |Mike|> i'll fix that in the morning :d
19:26 < |Mike|> indeed.
19:26 < krzie> NAT says to translate the packets to have a new src ip as they pass through
19:26 < krzie> (and remember the association for return trip)
19:27 < |Mike|> v0 is needed to adjust my rc.conf :)
19:28 < |Mike|> ya.
19:28 < krzie> werd =]
19:28 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
19:28 < |Mike|> p0 can't touch rc.* :p
19:28 < |Mike|> nor flushing a firewall :-)
19:28 < krzie> v0 / p0?
19:28 < krzie> ohhh local
19:28 < krzie> gotchya
19:28 < |Mike|> indeed.
19:28 < |Mike|> kvm ++ :)
19:28 < krzie> ;]
19:28 < |Mike|> thanks for your help sir !
19:28 < krzie> np man
19:28 < krzie> p3ri0d, did you need help too?
19:28 < |Mike|> its time to sleep for a while, enjoy your day off tomorrow :)
19:28 < krzie> or just sight seeing ;]
19:29 < |Mike|> p3ri0d is a gangsta from #hack
19:29 < krzie> right on thx
19:29 < krzie> ya i know him
19:29 < krzie> gnite man
19:29 < |Mike|> nitenite.
19:31 -!- mode/##openvpn [+o p3ri0d] by ChanServ
19:31 < krzie> woot woot
19:39 <@p3ri0d> nah krzie
19:39 <@p3ri0d> like I said, just visiting you haha
19:39 <@p3ri0d> sigh seeing yup ;)
19:40 <@p3ri0d> oh thx for op btw
19:42 < krzie> ;]
19:42 -!- mode/##openvpn [-o p3ri0d] by ChanServ
19:43 < krzie> hows it goin man?
19:46 < p3ri0d> pretty good
19:46 < p3ri0d> you?
19:47 < krzie> good, lil tired from staying up too late
19:47 < krzie> forgot i had to get up early to look at houses
19:47 < krzie> but i got most of v0.2 of that script done
19:47 < krzie> im just stuck at 1 lil part, cant figure out how i wanna deal with 1 thing
19:47 < krzie> the code is no problem, im stuck on the concept
19:49 < p3ri0d> ah, pm ?
19:50 < krzie> sure
19:52 < krzie> no chat?
19:54 < p3ri0d> not sure it works
19:54 < p3ri0d> try again
20:09 -!- frankS2 [i=nobody@algorit.me] has quit ["leaving"]
20:53 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
21:00 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:06 -!- Major_Tom [i=tom-w@dslb-088-065-057-185.pools.arcor-ip.net] has joined ##openvpn
21:06 -!- omega42 [i=tom-w@dslb-088-065-048-020.pools.arcor-ip.net] has quit [Nick collision from services.]
21:07 -!- Major_Tom is now known as omega42
21:07 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
21:23 < L|NUX> hello
21:23 < L|NUX> any one around ?
21:27 < L|NUX> can some one tell me why i keep getting this error
21:27 < L|NUX> TLS Auth Error: Auth Username/Password verification failed for peer
21:27 -!- troy- is now known as troy
21:28 < L|NUX> any one ?
21:28 < L|NUX> Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
21:38 < p3ri0d> I'm not expert. Not even a "beginner" as such. But I'd say that you are using a wrong username or password.
21:39 < L|NUX> user/pass is right
21:42 < p3ri0d> Tried google?
21:44 < L|NUX> yes
21:44 < L|NUX> checking hold on
21:53 < L|NUX> now getting different error
21:53 < L|NUX> Jun 10 19:54:52 vpn openvpn[3758]: 221.132.115.22:4444 TLS: Initial packet from 221.132.115.22:4444, sid=f4f96daf a94db151
21:53 < L|NUX> Jun 10 19:54:54 vpn openvpn[3758]: 221.132.115.22:4444 TLS Auth Error: Auth Username/Password verification failed for peer
21:53 < L|NUX> Jun 10 19:54:54 vpn openvpn[3758]: 221.132.115.22:4444 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
21:53 < L|NUX> however password is right
21:53 < L|NUX> test farrukh
21:55 < p3ri0d> Wait for someone knowledgeable...I know nothing about that, sorry :)
21:55 < L|NUX> humm
21:55 < L|NUX> ok
21:55 < L|NUX> np
22:02 < L|NUX> i think its script problem
22:10 < L|NUX> fixed
22:10 < L|NUX> :)
22:11 < L|NUX> env bug in rc18
22:21 -!- Xen^ [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
22:21 < p3ri0d> :)
22:21 < p3ri0d> Good
22:36 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [Read error: 104 (Connection reset by peer)]
22:43 -!- Xen^ [n=linux@unaffiliated/lnux/x-10290] has quit [Read error: 54 (Connection reset by peer)]
23:02 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn
23:18 -!- Lilarcor [n=Lilarcor@208-58-210-70.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
23:28 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
23:29 < oc80z> just found a nugget , windows media player sharing is not compatible over ipsec/pptp, works smooth over openvpn :)
--- Day changed Thu Jun 11 2009
00:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:24 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [Read error: 54 (Connection reset by peer)]
00:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:21 < oc80z> wdup
01:21 < oc80z> pplz
01:47 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
01:47 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
02:01 -!- Chaot_s [n=Chaot_s@d54C0C5DB.access.telenet.be] has quit [Read error: 54 (Connection reset by peer)]
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:44 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
02:58 -!- troy is now known as troy-
03:22 < supercatfrog> hi - i got openvpn working last night, and I can ping the openvpn server's vpn IP fine, but when I try to ping one of the other boxes on the vpn, it looks like this: http://pastebin.com/m5d80b569 - any ideas?
03:24 < HardDisk_WP> routing messed up
03:24 < HardDisk_WP> !config
03:24 < vpnHelper> HardDisk_WP: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
03:24 < HardDisk_WP> !configs
03:24 < vpnHelper> HardDisk_WP: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
03:25 < HardDisk_WP> !interface
03:25 < vpnHelper> HardDisk_WP: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
03:27 < HardDisk_WP> @ supercatfrog read the above, follow it and then maybe I can help yer
03:27 < supercatfrog> ok thanks
03:36 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
03:40 < supercatfrog> config: http://pastebin.com/m47d976d2 my ccd entry: ifconfig-push 10.98.76.53 255.255.255.0 version 2.1_rc11
03:41 < supercatfrog> client config: http://pastebin.com/m2db1cc86
03:42 < supercatfrog> client routing tables: http://pastebin.com/m719f2119
03:44 < HardDisk_WP> I think you want tun devices - tap is for bridging
03:58 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has joined ##openvpn
04:22 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
04:25 -!- tim-ct [n=p@dsl-145-70-224.telkomadsl.co.za] has joined ##openvpn
04:29 < tim-ct> hi
04:32 < tim-ct> as a newbie to openvpn I need some info. Can traffic flow both ways across a VPN link ie from client to server and from server to client
04:33 < dazo> tim-ct: yes, it cal
04:33 < dazo> s/cal/can
04:36 < tim-ct> so client can also allocate IP to browse itself
04:40 < reiffert> what does the former has to do with the latter?
04:41 < reiffert> tim-ct: in openvpn both ends get a new interface. You can do routing over them, or even use them for a bridge.
04:42 < tim-ct> thank you for the info
04:42 < reiffert> more info is available on the homepage.
04:43 < reiffert> http://openvpn.net/index.php/open-source/documentation/howto.html
04:43 < vpnHelper> Title: HOWTO (at openvpn.net)
04:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:11 -!- tim-ct [n=p@dsl-145-70-224.telkomadsl.co.za] has quit ["Leaving"]
05:34 -!- cpm [n=Chip@67.111.249.135] has joined ##openvpn
05:38 < Bushmills> traffic flowing in one direction only would be kind of useless, if the client could send a request, but never receive a reply.
05:39 < Bushmills> ehm
05:39 < Bushmills> 'morning
05:43 -!- damentz [i=damentz@support.team.at.shellium.org] has quit [Remote closed the connection]
05:47 -!- datenritter [n=datenrit@dslc-082-082-245-049.pools.arcor-ip.net] has joined ##openvpn
05:49 < datenritter> i have found the problem on my notebook. the network-manager controls *all* interfaces which are not configured in /etc/network/interfaces. so, when tap0 is created and configured by openvpn, nm deconfigures it immediately. so the connection fails.
05:49 < datenritter> adding "iface tap0 inet dhcp" to /etc/network/interfaces helped
05:49 < reiffert> you might wanna try "auto" instead of "inet dhcp"
05:50 < reiffert> oh, forget my last line. Made a mistake.
05:50 < datenritter> auto would make nm control the if
05:50 < datenritter> ;)
05:50 < datenritter> it's important to leave out the "auto" line.
05:50 < reiffert> inet manual
05:51 < reiffert> check man interfaces for the manual Method.
05:53 < datenritter> oh, right.
05:53 < datenritter> doesn't make a difference without the "auto"-line though, or does it?
05:56 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has quit [Read error: 60 (Operation timed out)]
05:57 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has joined ##openvpn
05:59 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:02 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has quit [Read error: 54 (Connection reset by peer)]
06:13 -!- gallatin [n=gallatin@dslb-092-073-122-094.pools.arcor-ip.net] has joined ##OpenVPN
06:18 -!- Zordrak [n=jaz@zelda.tpa.me.uk] has joined ##openvpn
06:18 < Zordrak> will auth-nocache make any difference to function? ie force user to reenter credentials after a given timeout or sthg..?
06:19 -!- polaru_ [n=polaru@93.113.192.70] has joined ##openvpn
06:31 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
06:35 < reiffert> Zordrak: it's covered in the manpage.
06:37 < Zordrak> well yeah.. but the crux is... what is that timeout
06:37 < Zordrak> what is it that requires reauth to occur?
06:40 -!- polaru__ [n=polaru@93.113.192.70] has joined ##openvpn
06:45 -!- datenritter [n=datenrit@dslc-082-082-245-049.pools.arcor-ip.net] has quit ["Leaving."]
06:46 < reiffert> I think you didnt read it.
06:49 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has joined ##openvpn
06:51 -!- c64zottel [n=hans@p5B17AEBD.dip0.t-ipconnect.de] has joined ##openvpn
06:53 -!- polaru_ [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
06:55 < ecrist> good morning, fuckers
07:10 -!- zeba_away_ [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has joined ##openvpn
07:14 -!- Thralas [n=thralas@unaffiliated/thralas] has joined ##openvpn
07:16 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has quit ["Leaving"]
07:19 < Thralas> !route
07:19 < vpnHelper> Thralas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:21 -!- zeba_away [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has quit [Read error: 110 (Connection timed out)]
07:22 -!- zeba_away_ [n=Spidi@78-0-213-135.adsl.net.t-com.hr] has left ##openvpn []
07:22 < Thralas> that looks broken
07:23 < Thralas> perhaps someone could push me in the right direction
07:27 < Thralas> i have an openvpn server with X available (static, non-DHCP'ed) IPs which I'd like to assign to X clients (as in, traffic sent by client to example.com originates from that IP)
07:28 < Thralas> currently im assigning static 10.8.* IPs to each client (ifconfig-push) from which traffic is forwarded on the server using NAT
07:29 < Thralas> im sure theres a better, more robust, solution - bridging/tap might be the keywords im looking for perhaps?
07:32 < |Mike|> w0rd, i'm stuck.
07:36 -!- Lilarcor [n=Lilarcor@208-58-210-70.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
07:49 -!- p3ri0d [i=p3ri0d@200.2.154.153] has quit [Connection timed out]
07:55 -!- p3ri0d [i=p3ri0d@200.2.148.160] has joined ##openvpn
07:58 < ecrist> Thralas: what looks broken?
08:13 -!- TheNano [n=shwan@83.248.235.22] has joined ##openvpn
08:14 < TheNano> I have tried to set up an openvpn tunnel to my Android Magic phone today , it works but I don't know any proper way to disconnect the vpn, if I close the terminal , the route tables are not restored and tap0 device is still up and running , Is there any other way to stop the tunnel so it cleans after itself ?
08:15 < TheNano> using linux, ubuntu 9.04
08:24 -!- gallatin [n=gallatin@dslb-092-073-122-094.pools.arcor-ip.net] has quit ["Client exiting"]
08:24 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:26 < reiffert> kill openvpn.
08:29 < Thralas> ecrist: the url the bot passed me
08:30 < tjz> is Android Magic phone free of charge?
08:30 < TheNano> reiffert: I did more research and saw ctrl-c and works now, but I need to add the dns server by myself, why not openvpn does it? how do I tell linux what dns server to use from the terminal
08:30 < tjz> i heard of android, free open source software by google
08:31 < TheNano> tjz: Yes I have an unlimited data plan from Three in Sweden
08:31 < TheNano> and it was free as well
08:31 < tjz> cool
08:32 < tjz> my country, singapore, is always the last.. probably one of the last few to get these new gadget
08:32 < tjz> :D
08:32 < tjz> i like OSS alot
08:32 < tjz> :)
08:32 < TheNano> maybe , I don't know , we got it last week here so not the first either
08:33 < tjz> we have iphone 3GS coming this week, i think
08:33 < tjz> but it is costly
08:33 < tjz> and you are required to subscribe 2 year of service
08:33 < tjz> yucks
08:34 < flaccid> TheNano ctrl+c is how you kill any foreground process. there is a config directive in openvpn to change client dns setting in the dhcp
08:34 < flaccid> !dns
08:34 < vpnHelper> flaccid: "dns" is Level3 open recursive DNS server at 4.2.2.1
08:35 < flaccid> eg. push "dhcp-option DNS 10.1.1.20"
08:41 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 104 (Connection reset by peer)]
08:41 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
08:42 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit [Read error: 60 (Operation timed out)]
08:44 -!- barbosa [n=barbosa@189.114.39.67] has joined ##openvpn
08:44 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
08:49 -!- loca|host [n=tux@196.203.53.221] has joined ##openvpn
08:56 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Remote closed the connection]
08:57 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
08:59 -!- jeiworth [n=jeiworth@189.234.7.181] has joined ##openvpn
09:03 < ecrist> Thralas: the site seems fine from here, and from http://downforeveryoneorjustme.com/www.secure-computing.net
09:03 < vpnHelper> Title: It's just you. (at downforeveryoneorjustme.com)
09:04 < Thralas> think it gave a 404
09:04 < Thralas> The requested URL /wiki/index.php/OpenVPN/Routing was not found on this server.
09:04 < ecrist> !route
09:04 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:04 < ecrist> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing
09:05 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
09:05 < ecrist> I can see it just fine, and so can vpnHelper
09:10 < krzee> [10:03] Title: It's just you. (at downforeveryoneorjustme.com)
09:11 < krzee> hahahah
09:11 < krzee> never seen that, but my bot made it cool
09:13 < flaccid> that was cool haha
09:13 < Thralas> ecrist: that sounds rather odd
09:14 < flaccid> i'd say Thralas that your dns is giving a dif IP address thus a dif http server
09:14 < Thralas> Address: 173.8.118.210
09:15 < flaccid> then perhaps packets are being forwarded?
09:15 < Thralas> same query result from a different box - does it resolve to the same IP for you?
09:15 < Thralas> flaccid: forwarded? huh? how?
09:16 < ecrist> Thralas: that is my webserver, and that is the correct IP address
09:16 < Thralas> aha
09:16 < flaccid> yes it does
09:17 < flaccid> thus why i suggested that something being forwarded
09:17 < Thralas> perhaps my browser caching some odd dns query result
09:19 -!- plundra [i=404@article.se] has joined ##openvpn
09:19 < plundra> Nice, hello there :)
09:21 < plundra> Is there any common way to do a port-share (with http-server) and pass along the original source-address?
09:22 < plundra> I assume there isn't :-P But never hurts to ask I figure.
09:22 < plundra> Currently I'm using https, but with a http OpenVPN probably could, in theory, just add the X-Forwarded-for header, or whatever it's called.
09:26 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:27 < plundra> Ok, this is just a wild guess I just got from 2 seconds of research, do OpenVPN-packets ALWAYS start with 0x45, 0x00, 0x00? Because I was thinking that you could match new tcp-sessions in iptables and redirect them to either Apache or OpenVPN? (Pulling the port-sharing part out of OpenVPN, that is)
09:28 < flaccid> i don't get what you are trying to do tbh
09:28 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
09:28 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:28 < flaccid> i assume you want to circumvent firewalls to run a vpn and share it with a httpd
09:29 < flaccid> ie. running both on 80 or 443
09:29 < plundra> Yeah, and the port-share feature works just great, BUT, since openvpn proxies all the stuff that gets through, apache sees the traffic as coming from localhost.
09:29 -!- jeiworth_ [n=jeiworth@189.177.16.17] has joined ##openvpn
09:30 < Thralas> aha!
09:30 < flaccid> hmm no idea on that one, out of my league
09:30 -!- TheNano [n=shwan@83.248.235.22] has quit ["Ex-Chat"]
09:31 < Thralas> ecrist: Your vhosts are just horribly broken I guess ;)
09:31 < Thralas> http://[2001:470:1f11:463::210]/wiki/index.php/OpenVPN/Routing
09:31 < plundra> But what about the protocol, are the first bytes of the initial handshake-packet always predictable?
09:31 < flaccid> either that or mediawiki
09:31 < flaccid> plundra they are at least for TLS
09:32 < flaccid> probably for openvpn too but i wouldn't know
09:32 < Thralas> flaccid: his apache instance isn't serving the same content over ipv6, but the domain does resolve to an ipv6 address as well
09:32 < flaccid> maybe you could ignore it if its a STARTTLS otherwise do vpn hmm
09:33 < flaccid> Thralas check the http 1.1 header(s)
09:33 -!- jeiworth [n=jeiworth@189.234.7.181] has quit [Read error: 104 (Connection reset by peer)]
09:33 < plundra> I really suck at ssl vs. tls, but I haven't configured anything with tls in openvpn, so it's not used there. And https, I have no idea... :-)
09:34 < flaccid> well ssl is old, its tls now
09:34 < flaccid> either way they have standard handshakes
09:34 < Thralas> flaccid: Nothing special about that, 404.. The webserver just isn't ipv6 proof
09:34 < plundra> I feel myself drifting away into non-essential land now :-P I'll just put OpenVPN on port 80, with portsharing, and use https by itself for the traffic (where I need the source-address)
09:35 < flaccid> Thralas if the http 1.1 is not available then the name-based vhost will fail too and fallback to the default vhost.. just an idea
09:35 < plundra> And save this hacking for later :-)
09:35 < flaccid> cool
09:36 < Thralas> flaccid: HTTP/1.1 works fine, http://173.8.118.210/wiki/index.php/OpenVPN/Routing does too ;)
09:36 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at 173.8.118.210)
09:37 < plundra> The coolest thing, although it bloats up OpenVPN, would be to add actual http-proxy functionality, that can add headers etc.
09:37 < plundra> Oh well, thanks so far, I'll stick around 8-)
09:37 < flaccid> Thralas you said you got a 404
09:38 < Thralas> Yes.
09:38 < Thralas> Over IPv6. His server supports IPv6, so do I - just his webserver is misconfigured
09:38 < flaccid> then how do you know the problem is not http 1.1 considering thats how name-based vhosts work?
09:39 < flaccid> how is it misconfigured then
09:39 < flaccid> client needs to successfully send http 1.1. host header
09:39 < Thralas> Well, my client does
09:40 < Thralas> But the server cant seem to find that vhost on the IPv6 address
09:40 < Thralas> Seems its just configured for the IPv4 address
09:40 < flaccid> ecrist what do you think?
09:42 < Thralas> oh, theres no vhosting at all it seems, since it works without the hostname as well (else the ipv4 link wouldnt work)
09:45 < |Mike|> !route
09:45 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:46 < ecrist> oh, my ipv6 is probably broken
09:48 < ecrist> Thralas: I'll fix my ipv6
09:49 < |Mike|> native v6++
09:49 < Thralas> :)
09:49 < flaccid> you guys are way behind
09:49 < flaccid> i use ipv7000
09:54 < ecrist> my ipv6 config is fixed now
09:55 < ecrist> way OT for here, but bang bus is the shit.
09:55 < Thralas> obviously theres a need for downforeveryoneonipv6orjustme.com ;)
09:56 < ecrist> Thralas: that wouldn't have solved the issue
09:56 < ecrist> that vhost was still serving pages, just not my scn content. :)
09:56 < Thralas> it would of course report any 404 errors
09:56 < Thralas> yeah ;)
10:01 * ecrist goes back to his job
10:02 -!- polaru__ [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:51 -!- Zordrak [n=jaz@zelda.tpa.me.uk] has quit ["restarting irssi"]
10:51 -!- reiffert [n=thomas@mail.webersheim.de] has quit ["Lost terminal"]
10:55 < ecrist> WTF, I've gotten hits on my website from Nintendo Wiis.
10:55 < supercatfrog> ecrist: nintendo wii has opera
10:55 < supercatfrog> used to be a free download
10:55 < supercatfrog> think you have to pay for it now though
10:57 < HardDisk_WP> ecrist, bangbus? you have an account?
10:57 < ecrist> aye
10:58 < ecrist> wget = ~500GB of bb data on my local disk, too. :)
10:59 < HardDisk_WP> omg hoooooly shit
11:00 < HardDisk_WP> I used hacked accounts some years ago
11:00 < HardDisk_WP> until the site providing them closed down
11:00 < ecrist> ah. I'm an adult, so I'm willing to pay for my adult content. :)
11:00 < HardDisk_WP> Too bad ^^
11:00 < HardDisk_WP> hmm... I guess I'll stay at youporn^^
11:00 < ecrist> I let wget run for about 6 days.
11:01 < HardDisk_WP> Lol I hosted a houseparty week ago
11:01 < HardDisk_WP> 3 at night and totally drunk we (5 guys) decided to put p0rn on the big tv and let the audio over the full 7.1 speaker set
11:02 < HardDisk_WP> well, neighbor from above yelled down the balcony "nice when you fuck, but can you please make this not THAT loud?!"
11:02 < ecrist> 5 guys watching porn together? not *my* idea of a good time. heh
11:03 < HardDisk_WP> heh, nothing is worse than james bond or saw 4 running on the big screen and porn on the laptop haha
11:03 < HardDisk_WP> was kinda funny
11:03 < HardDisk_WP> (no one of us is gay, btw :D)
11:04 -!- troy- is now known as troy
11:04 < HardDisk_WP> y' know, I got a rapidshare premium acc... now I let my nslu2 d/l for the last week and now I have ALL simpsons episodes :D
11:04 < HardDisk_WP> Only problem is the friggin' ntfs-3g - it's slow as hell. 300kbyte/sec max dl rate, opposed to 1,5MB/sec on ext3
11:05 < ecrist> that doesn't sound right
11:05 < HardDisk_WP> it is an embedded device
11:05 < HardDisk_WP> ntfs-3g explicitly say the driver isn't optimized at all...
11:06 < HardDisk_WP> they sell a highly-optimized version for embedded devices
11:06 < HardDisk_WP> ecrist, http://www.mosnews.com/weird/2009/05/25/1909/ LOLOLOL
11:16 < |Mike|> you don't have to be gay to put a penis in someone his ass HardDisk_WP
11:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:18 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has joined ##openvpn
11:49 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
12:06 -!- loca|host [n=tux@196.203.53.221] has quit ["./configure pasta; make pranzo; make install sex"]
12:18 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Read error: 60 (Operation timed out)]
12:18 -!- CybDev [i=cybdev@unaffiliated/cybdev] has joined ##openvpn
12:54 -!- ringgo [n=i@114.59.12.82] has joined ##openvpn
12:55 < ringgo> !howto
12:55 < vpnHelper> ringgo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:56 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
13:05 -!- ringgo [n=i@114.59.12.82] has quit []
13:45 < |Mike|> that's the easy part :p
14:10 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection]
14:11 -!- jicallero [n=jcallero@r200-40-206-246.ae-static.anteldata.net.uy] has joined ##openvpn
14:17 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 104 (Connection reset by peer)]
14:18 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
14:22 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
14:22 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
14:23 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:41 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
14:51 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
15:00 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Read error: 104 (Connection reset by peer)]
15:14 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
15:15 -!- loca|host [n=tux@41.226.104.115] has joined ##openvpn
15:16 < loca|host> hello all
15:17 < loca|host> now i have openvpn tunnel up, i've pushed the right routes to the client so he can access office's LAN and DMZ networks ... the problem is, on my client i get no more internet access, when i check my route table, i discover a default route made to the vpn server ... how to preserve default routes on the client ?
15:22 < loca|host> as from the openvpn log, i get this PUSH_REPLY,route 10.10.1.0 255.255.255.0,route 10.10.2.0 255.255.255.0,dhcp-option DNS 10.10.1.254,route 10.10.4.1,topology net30,ping 10,ping-restart 120,ifconfig 10.10.4.6 10.10.4.5
15:22 < loca|host> all this is right, except the "route 10.10.4.1"
15:22 < loca|host> how can i avoid openvpn from sending that route ?
15:30 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
15:30 < loca|host> anyone ?
15:43 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:29 < |Mike|> nope, sorry
16:35 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Remote closed the connection]
16:35 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
16:50 -!- jicallero [n=jcallero@r200-40-206-246.ae-static.anteldata.net.uy] has quit ["using sirc version 2.211+KSIRC/1.3.12"]
17:00 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection]
17:16 -!- troy is now known as troy-
17:27 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection]
17:27 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
17:27 -!- c64zottel [n=hans@p5B17AEBD.dip0.t-ipconnect.de] has quit ["Leaving."]
17:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:37 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:49 -!- master_of_master [i=master_o@p549D3BD6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:52 -!- master_of_master [i=master_o@p549D4344.dip.t-dialin.net] has joined ##openvpn
18:00 -!- jeiworth [n=jeiworth@189.177.16.17] has joined ##openvpn
18:07 -!- jeiworth_ [n=jeiworth@189.177.16.17] has quit [Read error: 110 (Connection timed out)]
18:30 -!- jeiworth [n=jeiworth@189.177.16.17] has quit [Read error: 110 (Connection timed out)]
18:30 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has joined ##openvpn
18:30 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has quit [Remote closed the connection]
18:34 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has joined ##openvpn
18:37 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection]
18:37 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
19:02 -!- Gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
19:03 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 60 (Operation timed out)]
19:05 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
19:16 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:35 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection]
19:35 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
19:38 -!- loca|host [n=tux@41.226.104.115] has quit [Read error: 110 (Connection timed out)]
19:40 -!- loca|host [n=tux@41.226.199.54] has joined ##openvpn
19:46 -!- theDoc [n=andelyx@208.99.194.194] has quit [Remote closed the connection]
19:46 -!- theDoc [n=andelyx@208.99.194.194] has joined ##openvpn
19:52 -!- derek [n=derek@199.85.8.1] has joined ##openvpn
19:52 < derek> hello
19:52 < flaccid> openid.net says it supports Mac OS X. Where is it then ? its not on the download page
19:54 -!- troy- is now known as troy
19:57 < Bushmills> flaccid, unlikely that you'll find openvpn there. try http://www.viscosityvpn.com/ for an os x client.
19:57 < vpnHelper> Title: Viscosity - OpenVPN Client for Mac (at www.viscosityvpn.com)
19:57 < flaccid> thanks bushells
19:57 < flaccid> i mean mills
20:02 < flaccid> Bushmills any server for os x?
20:08 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 54 (Connection reset by peer)]
20:15 -!- theDoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
20:17 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn
20:18 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
20:20 < derek_> someone on that could possibly help with my linksys router running linux routing table. I can ping my server from the router but clients behind the router cannot
20:21 < derek_> sorry If i asked that earlier it said I timed out so I was not sure if it was posted
20:23 < derek_> http://pastebin.com/d37e5d9b8 is the routing table
20:33 < flaccid> !route
20:33 < vpnHelper> flaccid: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:33 < flaccid> derek_ did you do ^^ ?
20:36 < derek_> yep
20:38 < flaccid> im probably in a similar position
20:39 < flaccid> i did all of that too, but lan clients can't even hop through the route to the vnc client on the lan
20:39 < derek_> I had it working before I just dont know what went wrong I think its a problem on my router with the routing table.
20:40 < flaccid> same with me
20:41 < flaccid> its been hard for me to get help here on this topic, so im going over this whole thing with a comb then going to try to get help with a network diagram which shows all routes, maybe we should both do that then compare and then nag the helpers here
20:41 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:42 < derek_> what are you connecting to, I couldnt get my domain users through my linksys router to the domain. thats my end goal. The help here is usually pretty good just depends on the time of day
20:43 < flaccid> yes
20:43 < flaccid> mine is just the usual situation of hooking up two lans at two different locations
20:44 < flaccid> the static routes i add to each router on each side don't work for the lan clients
20:48 < derek_> can your router boxes ping each other
20:51 < derek_> can you make a pastebin of your cfg files please
21:00 < flaccid> they can't i dont think
21:00 < flaccid> give me a little bit just on something atm
21:03 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:05 -!- Major_Tom [i=tom-w@dslb-088-065-215-090.pools.arcor-ip.net] has joined ##openvpn
21:05 -!- omega42 [i=tom-w@dslb-088-065-057-185.pools.arcor-ip.net] has quit [Nick collision from services.]
21:05 -!- Major_Tom is now known as omega42
21:20 -!- p3ri0d [i=p3ri0d@200.2.148.160] has quit ["Leaving"]
21:23 -!- timburke [n=timburke@173-15-103-174-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
21:43 < derek_> I used the domain-push option and specified a dns server in my openvpn but my client still wants to go over the internet to get to a local server
21:44 -!- troy is now known as troy-
21:51 < derek_>
21:55 < flaccid> dns != routes
21:55 < derek_> I know
21:55 < derek_> I think I found my problem
21:55 < derek_> I am wanting to use the dhcp-options to non windows client
21:55 < derek_> thats where I'm at
21:58 < derek_> i got my client to client working
21:58 < derek_> my clients behind the router can now ping the server
21:59 < flaccid> dhcp-options is used to give clients dns server setting but not routes
22:08 < derek_> yes i know that my routes are fine now
22:08 < derek_> but i was using dhcp-options to push dns to my router which is linksys which is a non windows client
22:09 < flaccid> just depends what your dns requirement is
22:09 < flaccid> you couldn't feel like showing me your configs and routes etc. ? sorry that i have not, but you managed to fix your routing heh
22:09 < derek_> well im going to be using domain login so I need to push dns to look through my vpn tunnel
22:10 < derek_> post yours and I'll try to help you
22:10 < flaccid> yeah cool
22:10 < derek_> !pastebin
22:10 < vpnHelper> derek_: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
22:10 < flaccid> if you don't mind hanging around for a bit, i'll finish the network diagram
22:10 < derek_> dont mind
22:11 < flaccid> okies won't be too long
22:11 < flaccid> thanks
22:12 -!- scudette_ [n=mic@austra2173.lnk.telstra.net] has quit [Read error: 60 (Operation timed out)]
22:25 -!- Guest21947 is now known as pekster
22:35 < derek_> I need dhcp-options help please the client-side up script for linux clients thanks
22:37 < flaccid> derek_ its a server setting that the clients initiate. if there is a problem then check the logs on the client
22:39 < derek_> flaccid, you cannot use the push option to non-windows clients you need a script thats what I'm looking for help on
22:39 < flaccid> serious? where does it say that
22:40 < derek_> The OpenVPN server can push DHCP options such as DNS and WINS server addresses to clients (some caveats to be aware of). Windows clients can accept pushed DHCP options natively, while non-Windows clients can accept them by using a client-side up script which parses the foreign_option_n environmental variable list. See the man page or openvpn-users mailing list archive for non-Windows foreign_option_n documentation and script examples.
22:40 < flaccid> oh right
22:41 < pekster> Open up the scripts that ship with the sources for an example on how to use them
22:41 < flaccid> didn't realise that
22:42 < derek_> thanks
22:43 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:43 < derek_> hmm now to find where I put that folder
22:46 < pekster> Conceptually, you loop through the foreign_option_x variables, parse them to see if it's of interest, and then take action depending on it
22:46 < derek_> no sample script in /usr/share/doc/openvpn
22:47 < derek_> push "dhcp-option DNS 192.168.100.1" #All DNS lookup to main server
22:47 < derek_> push "dhcp-option WINS 192.168.100.1" #ALL WINS lookup to main server
22:47 < derek_> push "dhcp-option DOMAIN apttest.kicks-ass.net" # push the DNS domain
22:47 < derek_> push "dhcp-option DOMAIN advanced-power.ca" # push the DNS domain
22:47 < derek_> those are what I would like to push
22:48 < pekster> So view the sample files
22:48 < pekster> contrib/pull-resolv-conf/client.up in case you're still claiming they don't exist
22:49 < derek_> thats supposed to be on my computer right
22:49 < derek_> there it is thank you
22:49 < derek_> i will look into it pekster thanks
22:49 < pekster> That depends entirely on how the distro packager put it together, but I'm glad you found it
22:50 < derek_> i did a locate client.up for it
22:51 < derek_> hopefully my router can store that script
22:51 < pekster> The file is in the source tarball at the path I specified; it's up to any binary package maintainer to determine what sample files they wish to include
22:52 < derek_> it was right where you said it was
22:52 < pekster> Yup, that's the typical way of packaging a binary, but not all distros do things the 'typical' way ;)
22:59 < derek_> well
22:59 < derek_> going to restart fingers crossed lol
22:59 < flaccid> !configs
23:00 < vpnHelper> flaccid: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
23:01 < pekster> Since when is '$' a comment character?
23:02 < pekster> Options error: Unrecognized option or missing parameter(s) in foo.conf:1: $dev (2.1_rc15)
23:02 < pekster> :)
23:19 < flaccid> derek_ you still there ?
23:22 < derek_> sort of
23:25 < derek_>
23:25 < derek_> flaccid,
23:25 < flaccid> ok i got a dodgy diagram to show
23:27 < derek_> ? do you have your cfg files
23:30 < flaccid> yep i'll get that too
23:31 < derek_> how do I exit out of echo
23:32 < derek_> im stuck in there ;P
23:33 < flaccid> ctrl + c ?
23:33 < derek_> didnt work
23:34 < derek_> you got a config file yet i need to go to bed soon
23:36 < flaccid> derek_ config files: http://pastie.org/509315 ; network diag: http://hardtrance.biz/temp/vpn-network-diag.jpg
23:37 < flaccid> basically if you could confirm the routes required on both routers, i'll check that i added them correctly. or i can show you their route tables
23:38 < derek_> do they connect to each other properly?
23:40 < flaccid> yep
23:41 < derek_> so your problem is only pinging the other server?
23:41 < derek_> and you made the ccd file correctly?
23:43 < flaccid> vpn server and client can ping each other and each other's lan ips
23:43 < flaccid> its the clients reaching through the additional routes that seems to be the problem
23:44 < derek_> can the clients on the client side ping each other without going through the vpn tunnel
23:44 -!- troy- is now known as troy
23:45 < derek_> ill post my config then Im going to bed
23:45 < flaccid> clients can't reach each other no
23:46 < flaccid> say 192.168.0.5 can't reach 10.1.1.1
23:46 < flaccid> 10.1.1.3 can't reach 192.168.0.6
23:46 < flaccid> i can see the requests in tcpdump on the server and client but no reply
23:48 < derek_> http://pastebin.com/d27dd5d27
23:48 < derek_> i would suggest not running it as a daemon, ssh into both servers and run it manually so you can watch them talk
23:48 < flaccid> thanks. can you confirm the additional routes you used on your default routers?
23:48 < derek_> on verb 6
23:49 < flaccid> okies i will try that too
23:49 < derek_> no additional routes
23:49 < flaccid> hmm dang
23:49 < derek_> whats there works
23:49 < derek_> and in the ccd i have the iroute
23:49 < flaccid> do you see iroute in logs ?
23:49 < flaccid> like the word 'iroute' ?
23:49 < derek_> dunno
23:50 < derek_> too far back and I cant reconnect right now because im in the middle of something and about to go to bed
23:51 < derek_> make sure in your ccd folder your file matches whatever your cert name is
23:51 < derek_> IE in mine I have a VPNRouter1 cert and in the ccd the file is called VPNRouter1
23:51 < flaccid> yes i have ccd/flaccid
23:51 < flaccid> cert used is flaccid.crt with CN=flaccid
23:51 < derek_> set both of your configs to verb 6
23:52 < flaccid> okies
23:52 < derek_> and start them via ssh in your box openvpn yourconfigfile.config
23:52 < derek_> its pretty good at telling you if you're missing crap
23:52 < derek_> good luck
23:52 -!- derek_ is now known as Derek_ZZZZ
23:52 < flaccid> yeah i don't get any errors but thanks
23:53 < Derek_ZZZZ> well if you're on a client and you ping remote network you should see them trying to talk
23:53 < Derek_ZZZZ> in both windows
23:54 < Derek_ZZZZ> I dont know if this is a problem but your one internal network is a 10.* and the other is 192.168.* and your subnet mask is set to 255.255.255.0
23:55 < Derek_ZZZZ> from what i see you are missing the part where you assign your remote vpn address pool
23:55 < Derek_ZZZZ> if you look in my server config youll see that there
23:55 < Derek_ZZZZ> where I put the server on 192.168.100.0 network
23:55 < Derek_ZZZZ> and thats where my pool starts
23:55 < Derek_ZZZZ> youll need something like that
23:56 < Derek_ZZZZ> !sample
23:56 < vpnHelper> Derek_ZZZZ: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
23:56 < Derek_ZZZZ> there is krzies sample and that works
23:56 < Derek_ZZZZ> he assigns his server to 10.8.1.0
23:57 < Derek_ZZZZ> ahh I see you have that
23:57 < Derek_ZZZZ> well nevermind good luck
23:57 < Derek_ZZZZ> later
--- Day changed Fri Jun 12 2009
00:01 < flaccid> ok
00:01 < flaccid> im running the server ad hoc with openvpn --config ./server.conf and it doesn't return anything to stdout
00:02 < flaccid> ah need to turn log off
00:30 < flaccid> ok clients are coming through the vpn client's lan iface but not reaching the vpn tunnel
00:34 < flaccid> the icmp echo gets through eventually from the router; weird
00:53 < flaccid> ok so a peer client to the vpn client say 192.168.0.2 reaches the vpn client via their lan iface and route 10.1.1.0 192.168.0.9/255.255.255.0. the vpn client has 10.1.1/24 10.9.0.5 tun0 but fails to pass the packet on to the tunnel. what have i done wrong there ?
00:54 < flaccid> the vpn client can reach 10.1.1.0 via this route
00:54 < flaccid> ah ip forwarding is off again for some reason
01:02 < flaccid> lol i think that may have been the problem all along
01:03 < flaccid> now i'll do the server side
01:04 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:18 < flaccid> ah rightio and i assume the other problem on the other side is that my mate's router has ip forwarding turned off
01:22 < flaccid> ah scores!!
01:23 < flaccid> ecrist krzee that was the problem all along
01:25 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:27 < flaccid> ok confirmed the problem is my mate's router. it is not ip forwarding. my router is which is good
01:29 -!- troy is now known as troy-
01:35 < flaccid> routing is working well now. its just a pity about his router. i'll have to see what i can do about that
01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:14 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn
02:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:17 -!- samferry [n=samuel@unaffiliated/samferry] has joined ##openvpn
02:33 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
02:33 < Rajko> hello, is there a channel for pptp
02:33 < Rajko> or can i ask pptp questions here
03:06 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 110 (Connection timed out)]
03:07 -!- timburke_ [n=timburke@173-15-103-174-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
03:08 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
03:31 -!- timburke [n=timburke@173-15-103-174-Illinois.hfc.comcastbusiness.net] has quit [Connection timed out]
03:41 < dazo> Rajko: pptp here is like swearing badly, really badly, in church ;-) ... sorry, we only know openvpn here, nothing else
03:41 * dazo is not aware of any particular pptp channels, but I can't speak for the others on this channel
03:41 < Rajko> doesnt matter
03:42 < Rajko> my question applies to all vpn i guess
03:42 < dazo> hmm
03:42 < Rajko> well, when openvpn has proper signed drivers for vista 64bit, then i might use it
03:42 < Rajko> i wanted to use it, installed openvpn, and it couldnt load the TAP driver
03:42 < Rajko> so i used pptp
03:42 < dazo> aha
03:43 < dazo> I don't think it should be that difficult to get Vista64 up'n'running with openvpn? ... I haven't tried it myself, only on XP and Vista32 ... but the latest 2.1_rc18 should be able to run just fine, even with TAP
03:44 < dazo> openvpn is also safer than pptp as well
03:48 < Rajko> the driver is unsigned.
03:48 < Rajko> vista 64 only loads signed drivers
03:48 < Rajko> dazo, can you turn off all encryption and compression with openvpn ?
03:49 < Rajko> thing is, i have to run it on a router, which is 333mhz only, so turning off MPPE and MPPC with pptp gives me a 300% speed increase
03:49 < dazo> Rajko: yeah ... with --cipher and not using --comp-lzo .... but if you want VPN, that usually includes encrypting traffic ... or else what's the point?
03:49 < Rajko> access the network from outside
03:50 < dazo> Rajko: for browsing only?
03:50 < Rajko> and network play
03:50 < Rajko> can you restrict a user's upload/download with openvpn?
03:52 < dazo> Rajko: yes, that's usually done via iptables .... but you'll need to implement some scripts to do that .... depends on what kind of restrictions you want ... just access to network segments or bandwidth in addition
03:52 < Rajko> total bandwidth limit
03:53 < dazo> Rajko: I've been working on this project which does authentication and access control using iptables rules ... http://www.eurephia.net/ ... not sure if that would fit your shoes
03:53 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
03:53 < Rajko> openvpn does not have username and password auth by default ?
03:53 < dazo> no
03:53 < Rajko> well that would have set me back a bunch
03:53 < dazo> that's why I started this project :)
03:54 < Rajko> people dont really like carrying files around
03:54 < Rajko> if they can remember a pass
03:55 < Rajko> does openvpn use GRE 47 ?
03:55 < Rajko> this seems to be an issue with some clients
03:55 < Rajko> routers messing up gre 47
03:56 < dazo> well, VPNs main purpose is to create secure network links over insecure channels .... so it's actually harder to make VPN products weaker than what they are aimed at than to make them stronger
03:56 < Rajko> . In such a regime, you can easily make sure that empty passwords or too simple passwords are used.
03:57 < Rajko> not used
03:57 < dazo> Reg. GRE ... I don't think so at all ... as openvpn is pure SSL over udp (or tcp) only ... so it does not do any magic on the insecure transport level at all ...
03:57 < Rajko> :D
03:57 < Rajko> bah i cant use openvpn then
03:57 < dazo> Rajko: doing that ... usually classifies as stupidity too ... and screams out "hack me and abuse my connection!"
03:58 < Rajko> im going to be using it as part of wifi
03:58 < Rajko> access point
03:59 < dazo> Rajko: to say it simply ... if you can have stable streaming with https ..... openvpn will work flawlessly as well
04:02 < dazo> if it was the udp/tcp thing which is the reason why you can't use openvpn ... I don't understand why ....
04:02 < Rajko> i need just user/pass
04:04 < dazo> plain user/pass without encryption and encryption ... then pptp might serve you very well then ... openvpn is aimed at much more secure environments than that
04:05 < Rajko> and i use RADIUS with pptp, which is nice
04:20 -!- Thralas [n=thralas@unaffiliated/thralas] has left ##openvpn []
05:01 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has joined ##openvpn
05:05 -!- flaccid [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 60 (Operation timed out)]
05:17 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
05:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:01 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
06:01 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
06:04 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:22 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn
06:32 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
06:33 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
06:36 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
06:37 -!- loca|host [n=tux@41.226.199.54] has quit [Client Quit]
06:37 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
06:40 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
06:40 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
06:41 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
06:44 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
06:45 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
06:46 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
07:03 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
07:03 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
07:05 -!- Delf [n=Eldkraft@c-89-160-11-56.cust.bredband2.com] has joined ##openvpn
07:06 < Delf> What would happen if there are many "remote address" lines in the config that connect to the same network?
07:08 < Delf> Client A connects to Server A. Client A has a network bridge with Server B (two instances of OpenVPN, one Client, one Server). And Client B connects to Server A and Server B. How will the packets be routed?
07:09 < Delf> Client B is NOT Server B
07:11 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
07:12 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
07:13 -!- Delf [n=Eldkraft@c-89-160-11-56.cust.bredband2.com] has quit [Remote closed the connection]
07:16 -!- deception [i=oc80z@quad.efnet.pe] has joined ##openvpn
07:20 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
07:57 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
08:08 -!- flaccid_ [n=chris@127.185.233.220.static.exetel.com.au] has quit [Read error: 110 (Connection timed out)]
08:08 -!- Derek_ZZZZ is now known as Derek
08:12 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:13 -!- Derek is now known as DerekL
08:15 < DerekL> Morning
08:19 < ecrist> howdy
08:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
08:21 < DerekL> Trying to figure out this contrib/pull-resolv-conf/client.up
08:21 < DerekL> my linksys router does not like the script though
08:22 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:26 < DerekL> http://pastebin.com/df267378 if you can help ecrist
08:35 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: polaru, APTX|, dan__t, nemysis
08:36 -!- Netsplit over, joins: APTX|
08:38 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn
08:45 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
08:53 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
09:02 -!- cdc [n=cdc@modemcable005.157-56-74.mc.videotron.ca] has joined ##openvpn
09:03 < cdc> hi! anyone can tell me where I can find an easy, newbie-ish openvpn tutorial on debian ?
09:04 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:05 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
09:13 < Bushmills> !howto
09:13 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:24 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
09:25 < MrPockets> well hello!
09:27 -!- cdc [n=cdc@modemcable005.157-56-74.mc.videotron.ca] has quit [Remote closed the connection]
09:28 < DerekL> http://pastebin.com/df267378 cannot get the contrib/pull-resolv-conf/client.up script to work on my linksys box
09:28 < DerekL> any help from those more familiar with linux
09:40 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection]
09:48 -!- c64zottel [n=hans@p5B17ADA8.dip0.t-ipconnect.de] has joined ##openvpn
09:55 -!- troy- is now known as troy
09:57 < DerekL> bah
10:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:02 -!- ewook [n=ewook@thales.fluffis.se] has quit [Remote closed the connection]
10:15 < Gorkhaan> What's this "echo" stuff? Why dont u use a text editor, called: nano
10:16 < DerekL> because I have to write it in a script on the router startup because only the script is stored upon restart
10:17 < DerekL> vi gives me the same error when I try to run the script
10:17 -!- troy is now known as troy-
10:17 < Gorkhaan> then use EOT, that's better 'cos u dont have to escape apostrophes and etc.
10:17 < DerekL> /tmp/client.up: 8: Syntax error: Bad substitution
10:19 < Gorkhaan> tell me what are u planning to do with this plz
10:19 < DerekL> the problem is my linksys isnt processing the script it gives me that error
10:20 < DerekL> push "dhcp-options DNS and DOMAIN" to my linksys router
10:20 < DerekL> here is the orig script http://code.google.com/p/tunnelblick/source/browse/trunk/third_party/openvpn/contrib/pull-resolv-conf/client.up?spec=svn57&r=57
10:20 < vpnHelper> Title: client.up - tunnelblick - Google Code (at code.google.com)
10:24 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
10:24 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
10:25 < Gorkhaan> This script runs fine in terminal, so you want to run this script on your Linksys router?
10:26 < Gorkhaan> I'm using BASH instead of SH
10:26 < Gorkhaan> SH gives the error U've got too
10:26 < Gorkhaan> so Use BASH, not SH
10:27 < Gorkhaan> that's all that can cause your error
10:28 < Gorkhaan> 1, save this script to a file for example: script1.sh
10:28 < Gorkhaan> 2, chmod +x script1.sh OR bash script1.sh will run this script.
10:29 < Gorkhaan> u can run it without the first "bash" command, because the default shell is BASH, so u dont have to use "bash" command in front of "script1.sh"
10:31 < DerekL> k ill try
10:31 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:32 < DerekL> er, the script is called from within the openvpn.conf using the up command though
10:33 < Gorkhaan> what's your default SHELL ?
10:33 < DerekL> busybox ?
10:33 < Gorkhaan> SH, BASH, KSH, etc.
10:33 < Gorkhaan> I saw your error message
10:34 < Gorkhaan> it shows me it's SH, u gotta change that to BASH
10:34 < Gorkhaan> -sh: Syntax error: Bad substitution
10:35 < DerekL> yeah but thats when it calls it from the openvpn.conf
10:35 < DerekL> Fri Jun 12 09:34:56 2009 us=289334 /sbin/ifconfig tun0 192.168.100.6 pointopoint 192.168.100.5 mtu 1500
10:35 < DerekL> Fri Jun 12 09:34:56 2009 us=350179 /tmp/client.up tun0 1500 1542 192.168.100.6 192.168.100.5 init
10:35 < DerekL> /tmp/client.up: /tmp/client.up: 8: Syntax error: Bad substitution
10:35 < DerekL> Fri Jun 12 09:34:56 2009 us=443432 script failed: shell command exited with error status: 2
10:35 < DerekL> Fri Jun 12 09:34:56 2009 us=444220 Exiting
10:36 < Gorkhaan> can u send me the whole LINE where the error happens?
10:36 < Gorkhaan> in your config file
10:36 < DerekL> up /tmp/client.up
10:37 < Gorkhaan> try this: up "bash /tmp/client.up"
10:37 < DerekL> k
10:39 < DerekL> sh: bash: not found
10:39 < Gorkhaan> damn, w8
10:39 < Gorkhaan> do u have terminal access?
10:39 < DerekL> terminal? im sshd into the router
10:39 < Gorkhaan> run: echo $SHELL plz
10:39 < DerekL> k
10:40 < DerekL> /bin/sh
10:40 < Gorkhaan> that's why the error. can u install programs to your router?
10:41 < DerekL> no I think I have to rebuild it or something
10:42 < DerekL> http://www.linksysinfo.org/forums/showthread.php?t=53233
10:42 < Gorkhaan> then I think you have 2 choices: 1 set the default shell to BASH OR rewrite the script to be compatible with SH shell.
10:43 < ecrist> make it executable and set the shBANG to bash
10:43 < krzee> SHBANG!!!
10:43 < DerekL> 4. cry?
10:44 < ecrist> shBANG is #! /path/to/parser
10:44 < DerekL> hey krzee i think i figured out my problem from the other week but as always 2 problems pop up in the place of one, the reason my domain wasnt working is because I wasnt pushing dns and domain to my router which is linux on the linksys router
10:45 < krzee> i love that word SHBANG!
10:45 < DerekL> thats what gorkhaan is trying to help me out with now
10:45 < Gorkhaan> GangBang :D
10:45 < krzee> !pushdns
10:45 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
10:46 < MrPockets> Do i need to download OpenVPN for windows, as well as OpenVPN GUI for the front-end?
10:46 < DerekL> yeah but you cant use push to non windows client without that script
10:47 < MrPockets> or does OpenVPN GUI install both front and back?
10:47 < DerekL> both from the website !openvpngui
10:47 < Gorkhaan> yep, and you have some gr8 environmental variables too (
10:47 < DerekL> hey i didnt write the script its in the contribs
10:48 < DerekL> http://openvpn.se/ for openvpn gui
10:48 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
10:48 < DerekL> so whats the next step in this confusing puzzle
10:48 < DerekL> i already cried
10:50 < Gorkhaan> I have a question too: I'd like to use "auth-user-pass C:\\bla bla bla\autologin" on windows, but the windows version of OpenVPN isnt compiled that way. Any possibilities, how can I use it?
10:50 < Gorkhaan> I need to recompile it, but damn it's hard on windows.. XD
10:50 < MrPockets> Life is hard on windows..
10:51 < Gorkhaan> yes it is, but my clients dont care about that. :D
10:51 < DerekL> i have one
10:51 < DerekL> whats your email
10:52 < Gorkhaan> on linux it works like a charm.
10:52 < DerekL> ill send you it
10:52 < Gorkhaan> gorkhaan at gmail dot com
10:52 < Gorkhaan> which version?
10:55 < DerekL> it has been sent
10:55 < DerekL> 2.1.13
10:55 < DerekL> the other option is you have to re-compile it
10:55 < DerekL> which is beyond me so I left it
10:56 < DerekL> there were a couple pages on how to do it though if you google it
10:56 < Gorkhaan> thanx mate. i'll look into it later
10:56 < DerekL> no problem
10:56 < DerekL> i wish i could get dns push issue sorted though
10:56 < DerekL> so frustrating
10:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:57 < Gorkhaan> I still dont get this, why do u need script... sry
10:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:57 < DerekL> because you cant use dhcp-options on non windows clients
10:57 < DerekL> it gets stored in an array
10:58 < DerekL> and the script loops through the array and picks the options out then writes them to resolve.config
11:01 < Gorkhaan> can you change your default shell with this? --> chsh
11:01 < Gorkhaan> BASH is here: /bin/bash
11:02 < Gorkhaan> First of all: chsh --list-shells
11:02 < Gorkhaan> see if you have BASH there
11:02 < DerekL> -sh: chsh: not found :P
11:03 < Gorkhaan> :D that's sad
11:03 < DerekL> ash date grep mdu ntpsync rmdir tar zcat
11:03 < DerekL> busybox dd gunzip mkdir nvram rstats touch
11:03 < DerekL> cat df gzip more pidof run-parts umount
11:03 < DerekL> chgrp dmesg kill mount ping sed uname
11:03 < DerekL> chmod echo ln mv ps sh usleep
11:03 < DerekL> chown egrep login netstat pwd sleep vi
11:03 < DerekL> cp fgrep ls ntpc rm sync watch
11:03 < DerekL> thats what I got
11:03 < Gorkhaan> I see.
11:05 < DerekL> how do I echo to the end of a file I can cheat it because im never going to change the dns and domain so I'm just going to write a script to write it into resolve.config
11:05 < Gorkhaan> >>
11:05 < Gorkhaan> but back it up first
11:06 < Gorkhaan> echo "some string
11:06 < Gorkhaan> even
11:06 < Gorkhaan> more
11:06 < Gorkhaan> Lines" >> something
11:06 < Gorkhaan> >> ( append, create )
11:06 < Gorkhaan> > ( Rewrite , create )
11:06 < DerekL> ok
11:07 < DerekL> and then when the vpn connection is down how would I remove those lines
11:08 < Gorkhaan> because u have too few commands here, the easiest is I think to have a default copy of the original
11:09 < Gorkhaan> and if the conn. is down, u should replace it
11:09 < Gorkhaan> with "cp"
11:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:38 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has quit [Remote closed the connection]
11:43 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
11:48 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
11:55 -!- c64zottel [n=hans@p5B17ADA8.dip0.t-ipconnect.de] has left ##openvpn []
11:57 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:57 -!- Gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Leaving."]
12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
12:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
12:04 < DerekL> well looks like i cant do that
12:04 < DerekL> chmod: resolv.conf: Read-only file system
12:15 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:24 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
12:53 < Bushmills> DerekL, it got there, so the device is potentially writable. check in /etc/fstab whether there's a reason why it is read-only. confirm with mount (no args). in addition, mount allows you to remount a file system, making it writable.
12:55 < Bushmills> in case of file system errors, a file system may also be remounted read-only. if that's the reason, don't remount the file system, but see that it gets checked for errors.
13:07 < DerekL> there is no fstab
13:07 < DerekL> its on my stupid linksys router
13:08 < DerekL> but it has to be writable somewhere because I can write the static dns configuration in the gui
13:08 < DerekL> so frustrating
13:14 < Bushmills> #openwrt might be able to tell you
13:15 < MrPockets> Does OpenWRT support OpenVPN?
13:15 < Bushmills> renamed -- dd-wrt it is now
13:15 < MrPockets> right
13:23 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has joined ##openvpn
13:24 < da_tux> I have openvpn setup and a client connecting to it. the client connection keeps going from green to yellow. They can connect but the connection is very slow,
13:24 < da_tux> what could make this happen
13:28 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn
13:28 < Bushmills> an addition of red to green, maybe?
13:29 < ElectricBill> anyone know about a bug in late release that causes the "up" config option to fail thusly...
13:29 < ElectricBill> script failed: could not execute external program
13:29 < ElectricBill> ?
13:32 < krzee> make sure its +x
13:35 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:35 < ElectricBill> It is. There is conflicting info about why this is happening on the net.
13:35 < ElectricBill> Was hoping someone has more current info.
13:35 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 104 (Connection reset by peer)]
13:37 < da_tux> I currently have openvpn running as tcp would I be better to use udp?
13:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:37 < krzee> yes
13:37 < krzee> !tcp
13:37 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:39 < da_tux> krzee, this could be why things are running so slow and my connections keep dropping out?
13:40 < krzee> could be
13:40 < krzee> definitely could be
13:41 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
13:42 < DerekL> k ill try i just had lunch so I have calmed down a bit :P
13:44 < krzee> =]
13:54 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 110 (Connection timed out)]
13:54 < ecrist> I *still* think duals on my MBP is teh sexy
14:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:06 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
14:15 * ecrist is buying a boat this weekend. :P
14:19 < krzee> niiice
14:19 < krzee> pics when you get it!
14:22 < ecrist> hell yeah
14:25 * da_tux is in the process of restoring a 38' Bristol.. Put it in the water last weekend. :)
14:46 < DerekL> come sail away come sail away with ecrist
14:47 * DerekL in the process of folding a paper boat... damn it turned into a pirate hat instead
14:57 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit [No route to host]
14:59 -!- timburke_ [n=timburke@173-15-103-174-Illinois.hfc.comcastbusiness.net] has quit [Read error: 104 (Connection reset by peer)]
15:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Success]
15:11 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
15:11 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
15:19 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
15:19 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
15:27 -!- xeroOTG [n=BSoD_Gue@70.90.206.16] has joined ##openvpn
15:28 < xeroOTG> !route
15:28 < vpnHelper> xeroOTG: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:28 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
15:39 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
15:39 < MrPockets> hello!
15:40 < MrPockets> SO i've got OpenVPN up and running, but when i specify the netmask to distribute IPs, it assigns 192.168.1.1 to my server
15:40 < MrPockets> which is my gateway
15:40 < MrPockets> and drops the connection
15:40 -!- infinitesteps [n=chatzill@69.5.35.162] has joined ##openvpn
15:42 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit [Client Quit]
15:44 < infinitesteps> I would like to configure openldap to authenticate against LDAP and not require a per client certificate. However, I would like to use a shared secret/key of some sort. I already have a PKI. Should I just generate a "static" key and share it with all clients then enable auth-user-pass-verify?
15:45 < infinitesteps> I am just looking for an easy way to manage many clients and we already use centralized authentication
15:45 < infinitesteps> er
15:45 < infinitesteps> I mean openvpn not openldap
15:56 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
15:56 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
16:04 < krzie> well
16:04 < krzie> if you are using ldap auth
16:05 < krzie> you can use 1 cert for all users, thats somewhat like a static key
16:05 < krzie> plus you can use TLS static key
16:05 < krzie> !factoids search pw
16:05 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
16:05 < krzie> grr
16:05 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has joined ##openvpn
16:05 < krzie> !factoids search auth
16:05 < vpnHelper> krzie: 'tls-auth' and 'authpass'
16:05 -!- Rajko [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
16:05 < krzie> !authpass
16:05 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:06 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
16:06 < MrPockets> okay
16:06 < MrPockets> hello!
16:07 < krzie> werd
16:07 -!- infinitesteps [n=chatzill@69.5.35.162] has quit [Remote closed the connection]
16:07 < MrPockets> so i'm a little confused. I've got the VPN setup and i'm able to connect to it from outside.
16:07 < MrPockets> Except, when i connect, nothing is handing out DHCP. Do i need to configure OpenVPN to be handing out DHCP?
16:08 < krzie> !configs
16:08 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:08 < MrPockets> k hold up.
16:09 < MrPockets> brb
16:09 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit [Client Quit]
16:19 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
16:19 -!- bitrot [n=Rajko@cable-87-116-183-232.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
17:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:24 < xeroOTG> im having difficulties getting routes functioning. Network 1 is at 192.168.10.0, vpn is at 10.8.0.0, network 2 is at 192.168.0.0. config @ http://pastebin.com/m50733990
17:24 -!- DerekL [n=derek@199.85.8.1] has quit [Read error: 113 (No route to host)]
17:25 < xeroOTG> when i attempt to ping network 2 from network 1 i got nothing
17:28 < krzie> !route
17:28 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:29 < xeroOTG> did you read my config?
17:29 < krzie> 1min and ill tell you some stuff to rm from your config
17:29 < xeroOTG> ok thanks
17:29 < krzie> i did, did you read my writeup on how to do what you're asking about?
17:29 < xeroOTG> im going crosseyed so it helps to have two pairs of eyes. and yes i read that particular writeup.
17:30 < krzie> remove this: 17:30 < krzie> ifconfig 10.8.0.1 10.8.0.2 17:30 < krzie> in this line: 17:30 < krzie> ifconfig 10.8.0.1 10.8.0.2 17:30 < krzie> remove 10.8.0.2 17:31 < krzie> tell server to use dev tun 17:31 < krzie> proto should be udp 17:33 < krzie> you have ccd commented out, so you have no chance of the clients network working 17:33 < krzie> because you dont have iroute 17:34 < xeroOTG> in ccd i have the i routes correct? 17:34 < krzie> as the doc you read (!route) says 17:34 < xeroOTG> *iroute 17:34 < krzie> !iroute 17:34 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 17:34 < xeroOTG> !ccd 17:34 < vpnHelper> xeroOTG: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 17:37 < krzie> also 17:37 < krzie> if you plan on connecting to this from a 2nd client, road warrior style 17:37 -!- bandini [n=bandini@host251-108-dynamic.25-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:37 < krzie> you will find issues when you end up on a lan on 192.168.0.0 17:37 < krzie> oh and i made a mistake earlier 17:37 < krzie> ifconfig 10.8.0.1 10.8.0.2 17:37 < krzie> in this line: 17:37 < krzie> ifconfig 10.8.0.1 10.8.0.2 17:37 < krzie> remove 10.8.0.2 17:38 < krzie> remove that line 17:38 < krzie> # 17:38 < krzie> route 10.8.0.0 255.255.255.0 10.8.0.2 17:38 < krzie> remove 10.8.0.2 17:38 < krzie> thats what i meant, misfired on the second paste 17:38 < xeroOTG> gotcha 17:39 < xeroOTG> the push option is correct though? 
17:39 < krzie> yes 17:40 < krzie> however 17:40 < krzie> if you plan on having a second client to access both lans 17:40 < krzie> you need to push both lans 17:40 < krzie> you sure you read my writeup and didnt just skim it? 17:40 < xeroOTG> ok. im positive, i just have read so many writeups that it all blends together 17:41 < krzie> gotchya 17:42 < krzie> i dont think there is any comparable to mine on the lan behind vpn topic 17:42 < krzie> although if there is ild like to see it 17:42 < krzie> i only wrote mine because i couldnt find anything worthy of sending people to 17:42 < krzie> half the attempts to help people with openvpn i can find o google suck terribly =/ 17:43 < krzie> s/ o / on / 17:44 < krzie> after you make all the changes i said, lets get another paste of your configs 17:44 < krzie> includeing ccd entries 17:45 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn 17:45 < xeroOTG> you got it. im re reading your writeup too. 17:46 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)] 17:46 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)] 17:49 -!- master_of_master [i=master_o@p549D4344.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:50 < xeroOTG> krzie: changes: http://pastebin.com/m689ccadf 17:52 < krzie> for why you commented the ifconfig, see --server in the manual 17:52 -!- master_of_master [i=master_o@p549D4930.dip.t-dialin.net] has joined ##openvpn 17:52 < krzie> it expands to have an ifconfig already 17:53 < xeroOTG> if its commented out, its unread 17:53 < xeroOTG> am i missing something? 
17:53 < krzie> no, im aware its not active 17:53 < krzie> just thought maybe you wanted to know why you commented it out 17:53 < xeroOTG> ok 17:58 < xeroOTG> krzie: the route command in server, should it read route 10.8.0.0 255.255.255.0 or should it read route 192.168.0.0 255.255.255.0 17:59 < krzie> !route 17:59 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:59 < krzie> oops 18:00 < krzie> you dont need to ask that when you know what the route command does 18:00 < krzie> it adds an entry into the local routing table telling it that the network you specify needs to go through openvpn 18:01 < krzie> since 10.8.0.x is the vpn lan, thats already handled 18:01 < krzie> since its lan already has a route, thats already handled 18:01 < krzie> so you add a route for every lan behind VPN clients 18:01 < krzie> then you push a route for every lan that will be accessed by vpn clients 18:01 < krzie> (so both lans) 18:01 < xeroOTG> ok 18:02 < xeroOTG> so im missing a pushed route 18:02 < krzie> and in a ccd entry you put an iroute for every lan behind a client, in a file named exactly as the clients common-name 18:02 < krzie> then if openvpn isnt running on the router for each lan, you have to add a route to their routers 18:02 < krzie> as explained in my writeup 18:02 < krzie> ROUTES TO ADD OUTSIDE OF OPENVPN 18:02 < krzie> under the picture 18:03 < krzie> will you have more than 1 client? 18:03 < xeroOTG> no 18:03 < krzie> ok so ONLY 1 client 18:04 < krzie> basically connecting 2 offices, with NO REMOTE ACCESS CLIENTS 18:04 < krzie> right? 18:04 < xeroOTG> roger that. i have exactly your config. i still pingout. 18:04 < krzie> can the client ping 10.8.0.1? 18:04 < xeroOTG> yes 18:04 < krzie> can the server ping 10.8.0.6? 18:05 < xeroOTG> let me check real quick 18:05 < xeroOTG> no 18:06 < krzie> is it using 10.8.0.6? 
18:06 < xeroOTG> no 18:06 < krzie> hehe 18:06 < xeroOTG> 10.8.0.10 18:06 < krzie> ok 18:06 < krzie> can the server ping 10.8.0.10? 18:06 < xeroOTG> no 18:06 < krzie> can the client ping 10.8.0.10? 18:07 < xeroOTG> yes 18:07 < krzie> client is windows i take it...? 18:07 < xeroOTG> yes 18:07 < krzie> disable firewall on TAP adapter 18:07 < krzie> then can the server ping 10.8.0.10? 18:08 < xeroOTG> its off, has been off 08:43 < ecrist> YOU ARE THE ONES THAT ARE THE *BALL* LICKERS! 08:45 < flaccid_> i resemble that 08:47 -!- Gnutoo [n=gnutoo@host248-84-dynamic.51-79-r.retail.telecomitalia.it] has joined ##openvpn 08:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 09:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:37 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit ["Leaving"] 09:51 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn 09:51 < Gnutoo> hi, I've tried mssfix 1200 in my config from the client...I use gprs on the client and pppoe on the server 09:52 < Gnutoo> but it still doesn't work on heavy loads 09:52 < Gnutoo> ( "No buffer space available (code=105)" ) 09:52 < Gnutoo> what should I try now 09:53 < Gnutoo> note that the following iptables command was issued on the server: 09:53 < Gnutoo> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 09:53 < Gnutoo> but openvpn is udp 09:53 < Gnutoo> and sip too 10:03 < Gnutoo> krzee, hi do you think that "iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" on the openvpn server is messing things? 
10:12 < Gnutoo> krzee, with wifi+openvpn+sip it works fine...but not with gprs+openvpn+sip 10:12 < Gnutoo> wifi has an mtu of 1500 10:14 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 110 (Connection timed out)] 10:16 < Bushmills> Gnutoo, i had a problem with gprs/umts that provider blocked return packets. i was able to work around by having openvpn run over tcp/443 10:16 < Gnutoo> Bushmills, ok thanks I'll try 10:16 < Gnutoo> Bushmills, I tried udp/443 and it didn't work...I'll try tcp 10:23 < Gnutoo> Bushmills, but it worked ...only that if I called or received a sip call it broke the tunnel and the internet connection 10:25 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn 10:25 < Rajko> anyone know a VPN hosting provider in europe that gives internet 10:25 < Rajko> can achieve 20mbps 10:26 < Rajko> can be pptp or openvpn or even unencrypted 10:28 -!- derek [n=derek@199.85.8.1] has joined ##openvpn 10:29 < Bushmills> Gnutoo, make sure that your SIP calls are actually routed over VPN - not that they are routed over ppp, and provider drops connection because they filter voice over ip (which the provider usually disallows with mobile data connections) 10:29 < derek> ahh its good to be back after bricking my router 10:30 < Bushmills> Rajko, how much would that be worth to you? 10:30 < Gnutoo> Bushmills, they are routed over vpn...it uses the ip of the vpn for registering 10:30 < Rajko> Bushmills, i dont know, i just want to use my internet anonymously 10:30 < Gnutoo> Bushmills, the asterisk server is on the same machine than the openvpn server 10:30 < Rajko> my internet is 20mbps 10:30 < Bushmills> Rajko, doing it yourself would cost you about .. starting with 40 EUR. 10:31 < Rajko> 40eur a month ? 
10:31 < Bushmills> yes 10:31 < Rajko> so much 10:31 < Bushmills> that involves renting a dedicated server and setting up openvpn yourself 10:31 < Rajko> it must be cheaper if someone else does it 10:31 < Rajko> just for vpn 10:32 < Rajko> since then it doesnt have to be "dedicated" 10:32 < Rajko> just needs about 800mhz 10:32 < Rajko> for 20mbps 10:32 < Gnutoo> Bushmills, works with tcp port 443 but it's so slow... 10:33 < Bushmills> consider that the openvpn server side is owned by somebody you will have to trust. where the anonymous access then? 10:33 < Rajko> its mostly about just having a IP thats not from my country... 10:33 < Bushmills> so better trust yourself :) 10:34 < Rajko> im not that paranoid 10:34 < Rajko> as long as isp cant throttle me im good 10:35 < Rajko> openvpn traffic appears as completely random data to them, right ? 10:35 < Bushmills> only between server and client 10:35 < Bushmills> but if they own server, that's also the endpoint of encryption 10:36 < Rajko> my isp doesnt own the server 10:36 < Bushmills> so just run an openvpn link between server und your machine, ignore the access provider. 10:37 < Rajko> yeah but i dont need a "fully trusted server" 10:37 < Rajko> it can be handled by someone else 10:37 < flaccid_> Rajko can i ask why ? 10:37 < Rajko> public ip/no throttling/no banning 10:38 < Bushmills> Rajko, but what for are you looking for a VPN provider then? 10:38 < Rajko> so that isp cant throttle and so i can get public ip ? 10:38 -!- barbosa [n=barbosa@189.114.38.97] has quit [Read error: 60 (Operation timed out)] 10:38 < flaccid_> Rajko well your isp does public ip too, your isp can still throttle your connection and why bans are you trying to evade - for doing what ? 10:39 < Rajko> they restirct some websites... 10:39 < Rajko> thats what i meant by bans 10:39 < flaccid_> well they can still throttle you 10:39 < flaccid_> you are best getting a shell account somewhere where you can successfully host a vpn. 
you may need to get a vps 10:40 < Bushmills> Rajko, my understanding is, you have a server, and it's not you provider's server. so you can run openvpn between your box and the server. 10:40 < Rajko> i dont have a server 10:40 < Rajko> i just want a vpn provider 10:40 -!- barbosa [n=barbosa@189.27.48.13] has joined ##openvpn 10:40 < Bushmills> what difference, in terms of throttling ... 10:40 < Rajko> so i can use the internet like a normal person 10:40 < Bushmills> my isp doesnt own the server 10:40 < flaccid_> Rajko thats why i suggested, what i suggested. 10:41 < Rajko> flaccid_, arent there sites that do JUST vpn 10:41 < flaccid_> Rajko i'll be doing that one day but i havnt seen any personally 10:42 < Bushmills> yes, but usually not as service to others. though i think i have seen one, maybe i have bookmarked it. 10:42 < Rajko> ive seen tons but they all seem shady 10:43 < Gnutoo> Bushmills, mmm the openvpn connection is gone with tcp too but the internet connection remains 10:44 < Gnutoo> but nothing in the logs... 10:45 < Gnutoo> of openvpn 10:45 < Rajko> http://www.witopia.net/index.php/products/#matrix 10:45 < Rajko> says 60$ a year 10:45 < Rajko> for openvpn 10:46 < flaccid_> Rajko is that redirect-gateway included? 10:46 < Rajko> ? 10:46 < flaccid_> !redirect-gateway 10:46 < vpnHelper> flaccid_: Error: "redirect-gateway" is not a valid command. 10:47 < flaccid_> ie. it routes you the client through their gateway 10:47 < Rajko> http://www.vpnaccounts.com/german-vpn-accounts.html 10:47 < vpnHelper> Title: German VPN Accounts (at www.vpnaccounts.com) 10:47 < flaccid_> it says gateways available so i assume so 10:47 < Rajko> witopia works with full intenret access 10:48 < flaccid_> yes 10:48 < flaccid_> thats what a gateway is :) 10:48 < Gnutoo> does anyone knows how to make openvpn work on a gprs network? 
10:48 < Gnutoo> using udp 10:48 < Gnutoo> so it would be faster 10:48 < Gnutoo> for sip 10:49 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn 10:52 -!- Gnutoo [n=gnutoo@host248-84-dynamic.51-79-r.retail.telecomitalia.it] has quit ["Leaving"] 10:54 -!- Gnutoo [n=gnutoo@host248-84-dynamic.51-79-r.retail.telecomitalia.it] has joined ##openvpn 10:54 < Rajko> how CPU intensive is openvpn ? 11:01 < Rajko> https://www.santrex.net/vps.php 11:01 < Rajko> would that be good enough ? 11:01 < vpnHelper> Title: vps hosting, vds hosting, virtual server, irc allowed, vds, vps at Santrex (at www.santrex.net) 11:01 < Rajko> the 10$ plan ? 11:04 < Gnutoo> anyone for sip(udp)+openvpn+gprs 11:04 < Gnutoo> a tcp connection in openvpn works 11:04 < Gnutoo> but not the udp connection 11:05 < Gnutoo> is it because of tcpmss that is set on the server? 11:05 < Gnutoo> ("iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu") 11:07 < Gnutoo> I even transfered files via scp inside openvpn 11:13 < Gnutoo> mmm I'll try fragment 11:13 < Gnutoo> but which value should I set? 11:39 -!- chomas_001 [n=chomas_0@190.95.162.216] has joined ##openvpn 11:39 -!- chomas_001 [n=chomas_0@190.95.162.216] has left ##openvpn ["Saliendo"] 11:41 < Bushmills> Gnutoo, test with nc on both sides, server and client, first whether udp is actually passed through. 11:41 < Gnutoo> ok thanns 11:43 < Bushmills> nc -u -l -p 1194 on listener side, echo test | nc -u remote_ip 1194 on other side 11:43 < Bushmills> other direction too 11:44 < Gnutoo> ok thanks a lot 11:45 < Gnutoo> I fix a tun problem and I try 11:49 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has quit [Remote closed the connection] 11:49 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has joined ##openvpn 11:52 < Gnutoo> Bushmills, but openvpn work for tcp... 
11:52 < Gnutoo> tcp inside the openvpn 11:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:55 < Gnutoo> I've FRAG_IN error spurrious FLAG_WHOLE glags 11:55 < Gnutoo> with fragmentation on 11:58 < Gnutoo> Bushmills, if I can ping each other if I don't set fragmentation should I still try nc instead of openvpn? 11:59 < Gnutoo> I've been trying to resolve this the whole day... 12:01 < Bushmills> oh, ok. if openvpn connects, there is no need to test that 12:02 < Bushmills> my problem was that it wouldn't even connect, using udp 12:02 < Gnutoo> should I re-explain my problem? would it help 12:02 < Gnutoo> Bushmills, what doesn't work is udp inside the openvpn tunnel 12:02 < Gnutoo> not the udp of the vpn tunnel itself 12:03 < Gnutoo> for example a sip application makes the tunnel crash 12:03 < Gnutoo> but scp doesn't 12:03 < Bushmills> hm. in fact, for tunneling udp, using tcp for openvpn is preferable 12:03 < Gnutoo> Bushmills, ah tcp works...but is slow... 12:04 < Bushmills> idea is to use them such that only and not more than one uses error checking and resend. 12:04 < Gnutoo> Bushmills, so are there any modes for obtimising this? or should I still use udp...I'm on gprs 12:04 < Bushmills> i'd make that dependent on what you used mostly 12:04 < Gnutoo> Bushmills, for now I've only one use 12:04 < Gnutoo> s/use/user 12:05 < Bushmills> tcp over udp is fine, so is udp over tcp. other combinations are less recommended 12:06 < Gnutoo> ok thanks a lot 12:07 < Gnutoo> the strange thing is that udp over udp works with wifi but not with gprs 12:11 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 12:15 < Bushmills> Gnutoo, yes. upgrade to umts instead of gprs. or see that you can run it with EDGE when only GRPS is available. 12:16 < Gnutoo> that would be hard... 
12:16 < Bushmills> GPRS gives me about 10 kb/sec, EDGE around 25, HSDPA about 300 12:16 < Gnutoo> I would need to change phone 12:16 < Bushmills> kbyte, that is 12:17 < Bushmills> (though GPRS should be > 8 kb, i suppose compression gives a bit more) 12:17 < Bushmills> <8 kb ... 12:17 < Gnutoo> maybe the palm pre if you have enough freedom with it 12:17 < Gnutoo> ok 12:24 < Rajko> which is the fastest mode of openvpn ? 12:24 < Rajko> udp ? 12:24 < derek> !howto 12:24 < vpnHelper> derek: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:41 < Gnutoo> Bushmills, when I place a the tunnel connection disapear... 12:42 < Gnutoo> Bushmills, and there is no error message and the internet connection is still there... 12:43 < Bushmills> so something kills your tunnel when you place a 12:43 < Gnutoo> it seems that I've pings like 333045.298ms 12:44 < Bushmills> run openvpn on console, not as daemon. see whether it gives you more info. 12:44 < Gnutoo> I run it in console 12:44 < Bushmills> (unless the reason is already written to log) 12:44 < Gnutoo> on the device 12:44 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn 12:44 < Gnutoo> I've loglevel set to 3 12:44 < Gnutoo> s/3/4 12:45 < Gnutoo> (verb 4) 12:45 < Gnutoo> all is related to MTU and similar things 12:46 < Bushmills> have you tried running openvpn with --mtu-test ? 
12:47 -!- derek [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)] 12:47 < Bushmills> !mtu-test 12:47 < vpnHelper> Bushmills: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 12:47 < Gnutoo> yes but with udp 12:52 < Gnutoo> Bushmills, doesn't work with tcp 12:56 -!- troy- is now known as troy 13:06 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: stephenh, disco-, ElectricBill 13:06 -!- Netsplit over, joins: ElectricBill, stephenh, disco- 13:07 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn 13:09 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)] 13:16 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 13:22 < Gnutoo> I'll try with a 3g card 13:22 < Gnutoo> on my laptop 13:23 -!- Gnutoo [n=gnutoo@host248-84-dynamic.51-79-r.retail.telecomitalia.it] has quit ["Leaving"] 13:43 < bitrot> # Our OpenVPN peer is the office gateway. 13:43 < bitrot> remote 1.2.3.4 13:43 < bitrot> whatis this ? 
13:50 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"] 13:50 < Bushmills> an ip address 13:52 < Bushmills> actually, a reserved ip address 14:01 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 15:13 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn 15:22 -!- derek_ [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)] 15:23 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn 15:59 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 16:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:31 -!- p3ri0d [i=p3ri0d@200.2.152.23] has joined ##openvpn 16:39 -!- p3ri0d [i=p3ri0d@200.2.152.23] has quit ["Leaving"] 16:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:10 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 17:28 < ElectricBill> Looking for insight on an interesting discovery about 2.1 rc11... 17:28 < ElectricBill> Some old configs stopped working because the config "up" directive failed. 17:29 < ElectricBill> After compiling from source so I could get more trace info and examining execve docs, I discovered that my script didn't run because... 17:29 < ElectricBill> it didn't have a shebangoid line at the top like #! /bin/bash... 17:30 < ElectricBill> so why did it work in the past? 17:34 -!- high_roller [n=heath@74-213-200-228-price-cable.etv.net] has joined ##openvpn 17:35 < high_roller> Are there some docs on how to write a vpn client for openvpn? 
I'm trying to figure out how to write a client for blackberry 17:35 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 17:48 -!- master_of_master [i=master_o@p549D4930.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:52 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 17:52 -!- master_of_master [i=master_o@p549D77F1.dip.t-dialin.net] has joined ##openvpn 18:13 -!- jeiworth [n=jeiworth@189.163.132.133] has quit ["No Ping reply in 90 seconds."] 18:15 -!- jeiworth [n=jeiworth@189.163.132.133] has joined ##openvpn 18:26 < derek_> for WINS can I use TUN or do I have to use TAP? 18:32 < reiffert> TUN 18:33 < derek_> thanks 19:02 -!- traceroute [n=tracerou@190-39.104-92.cust.bluewin.ch] has joined ##openvpn 19:10 < flaccid_> derek_ oh yeah so i should set up WINS on my Samba server on my vpn side so my clients to can see the windows network via NetBT ? 19:11 < reiffert> flaccid_: you should start reading the samba docs. 19:11 < flaccid_> reiffert no thanks 19:11 < traceroute> Hi 19:12 < flaccid_> my samba is fine. i just don't use wins because it is not required 19:12 < traceroute> Look webbased vpn client brandnew! 
19:12 < traceroute> http://bit.ly/u9tu2 19:12 < vpnHelper> Title: Diese Tussi Elke (at bit.ly) 19:14 < flaccid_> link us to some real porn, ya wanker 19:15 < traceroute> ;) 19:16 < flaccid_> no i mean it 19:17 -!- traceroute [n=tracerou@190-39.104-92.cust.bluewin.ch] has quit [Client Quit] 19:17 < flaccid_> sounds like that guy has time to read the samba docs 19:18 -!- hellohere [n=tracerou@190-39.104-92.cust.bluewin.ch] has joined ##openvpn 19:18 -!- hellohere [n=tracerou@190-39.104-92.cust.bluewin.ch] has quit [Client Quit] 19:19 -!- hellohere [n=tracerou@190-39.104-92.cust.bluewin.ch] has joined ##openvpn 19:25 < reiffert> flaccid_: pornoamateurs.be 19:26 < flaccid_> ta 19:26 -!- hellohere [n=tracerou@190-39.104-92.cust.bluewin.ch] has quit [Client Quit] 19:29 < krzie> derek_ oh yeah so i should set up WINS on my Samba server on my vpn 19:29 < krzie> side so my clients to can see the windows network via NetBT ? 19:29 < krzie> flaccid_: you should start reading the samba docs. 19:30 < krzie> sounds like reiffert is right 19:30 < krzie> and that i shoulda added that ignore on my screen too 19:32 < flaccid_> whats the point of this channel if you guys just act like elite m0r0ns and don't help 19:32 < flaccid_> sounds like flaccid is right 19:32 < flaccid_> haha you didn't add the ignore 19:32 < krzie> i did on my other client 19:33 < krzie> but watch this, ill do it one better 19:33 -!- mode/##openvpn [+o krzie] by ChanServ 19:33 -!- mode/##openvpn [-o+b flaccid_ *!*n=chris@220.233.185.*] by krzie 19:34 -!- mode/##openvpn [-o krzie] by krzie 19:34 < krzie> much better 19:34 < krzie> that lameass wont learn howto listen 19:36 -!- flaccid_ [n=chris@220.233.185.127] has left ##openvpn [] 19:37 < reiffert> banning is lame. 
19:37 < reiffert> beeing an elite m0r0n >> ban 19:40 < krzie> hah 19:41 < krzie> im still not 100% if hes a troll or actually thatc dumb 19:41 < krzie> -c 19:41 -!- p3ri0d [n=p3ri0d@200.2.152.23] has joined ##openvpn 19:42 < reiffert> in case of doubt .. both 19:42 < krzie> for real 19:42 < krzie> dunno if you saw the scroll, but he told me this: 19:42 < krzie> my problem was my router didnt have ip-forwarding, so i just had to add the routes 19:43 < krzie> after i was saying to add routes the whole time, days 19:43 < reiffert> :) 19:43 < krzie> a router without ip-forwarding... would be pretty useless 19:43 < krzie> wouldnt be a router, lol 19:45 < reiffert> to me it looks like he is mixing up technical terms all day long.. 19:46 < krzie> happy to remove the ban if you like, but i think i did the right thing 19:46 < krzie> (not that i think you want that, but figured ild say it) 19:46 < reiffert> Maybe cause of that thin line between guessing and knowing. 19:47 < krzie> ok 19:47 < reiffert> ban: I dont care :) 19:47 < krzie> ahh ok 19:47 < krzie> and i was just bout to unban 19:47 < krzie> lol 19:48 < reiffert> feel free to .. 
or dont :) 19:48 < krzie> i just hate when people dont care to listen when they ask for help 19:53 -!- bob_sinclair [n=flaccid@ec2-174-129-210-128.compute-1.amazonaws.com] has joined ##openvpn 19:54 -!- mode/##openvpn [+o krzie] by ChanServ 19:55 -!- mode/##openvpn [+b *!*flaccid*@*] by krzie 19:55 -!- bob_sinclair was kicked from ##openvpn by krzie [bibi] 19:56 -!- mode/##openvpn [-o krzie] by krzie 19:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 19:59 < reiffert> :) 20:09 < krzie> !route 20:09 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:10 < krzie> i guess cool-guy decided to deface !route 20:10 < krzie> if that didnt prove my bad should stay forever i dunno what would 20:12 < krzie> there we go, fixed 20:12 < krzie> s/bad/ban/ 20:20 -!- p3ri0d [n=p3ri0d@200.2.152.23] has quit [Read error: 60 (Operation timed out)] 20:23 < high_roller> to create a vpn client for openvpn, do I just open an ssl socket with the server? 20:27 < krzie> sorry, i dont understand the question 20:53 -!- jeiworth_ [n=jeiworth@189.163.184.25] has joined ##openvpn 20:54 -!- jeiworth [n=jeiworth@189.163.132.133] has quit [Read error: 110 (Connection timed out)] 20:57 < high_roller> krzie, I'm trying to figure out if I can write a openvpn client for blackberry 20:57 < high_roller> using java me 20:59 < krzie> oh no idea 20:59 < krzie> know you'll need tun/tap drivers first and foremost 21:02 -!- Major_Tom [i=tom-w@dslb-088-065-208-248.pools.arcor-ip.net] has joined ##openvpn 21:02 -!- omega42 [i=tom-w@dslb-088-065-057-187.pools.arcor-ip.net] has quit [Nick collision from services.] 
21:02 -!- Major_Tom is now known as omega42 21:14 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:16 < high_roller> krzie, well how I understand how it works, is that the openvpn client just gets the packets from the tun driver, then stuffs them into an ssl socket that is connected to the server 21:17 < high_roller> err, I mean an udp ssl socket 21:18 < high_roller> so I just want to get my email on my phone, so I was going to write a pop client in the vpn client 21:18 < high_roller> that's how I was going to get around the no tun/tap driver 21:18 -!- derek_ [n=derek@199.85.8.1] has quit [Read error: 104 (Connection reset by peer)] 21:34 -!- derek_ [n=derek@199.85.8.1] has joined ##openvpn 21:55 < derek_> bah disconnected 21:58 < krzee> high_roller, ya you're beyond my skillset bro, goodluck on it tho, sounds like a cool project 21:58 < derek_> hey krzee thank you for all your help I finally managed to get domain logins 21:58 < derek_> :) 21:59 < derek_> one more question for you 21:59 < krzee> cool 21:59 < derek_> can I change the /etc/rc.d/init.d/openvpn script to working directory /etc/openvpn/ to make it only run config file from that dir 21:59 < derek_> i got disconnected I assumed it probably got answered 22:02 < krzee> right on 22:02 < krzee> thats not really an openvpn question 22:03 < derek_> sorry I was hoping you knew but I guess that probably dosnt come installed in the openvpn package and the special one I downloaded 22:04 < krzee> its OS specific 22:04 < krzee> but its really just a script 22:04 < krzee> im sure you can change it however you like 22:05 < pekster> high_roller: OpenVPN doesn't just "stuffs them into an ssl socket" - the socket between client & server multiplexes the OpenVPN control channel with the data channel with an application-specific protocol 22:06 < pekster> Not to mention if you're using staic-key encryption there's actually no SSL happening, just encryption with the specified cipher 22:06 < pekster> 
In fact, even with TLS modes, that only governs the data channel anyway 22:08 < pekster> derek_: Take a look at what Gentoo does with many of their service scripts; rather than starting all *.conf files in /etc/openvpn, you can symlink files to the 'worker' script in /etc/init.d so that you can start, f.eg, /etc/init.d/openvpn.config1 or whatever name you choose 22:09 < pekster> Basically, it boils down to getting ${0##*.} to obtain the requested configuration, and then starting that 22:09 < pekster> (plus a unique PID file for that instance) 22:11 < derek_> oh sorry I forgot to mention its cent0S 22:11 < pekster> That doesn't stop you from writing an initscript that has real flexibility ;) 22:12 < pekster> config=${0##*.}; ... ; /usr/sbin/openvpn --config /etc/openvpn/${config}.conf --pidfile /var/run/openvpn.${config} 22:12 < pekster> Adjust and expand to taste 22:12 < pekster> Gentoo just happens to do it "out of the box" which makes it an excellent distro to copy from when you wish to emulate its behaviour 22:13 < derek_> I know it dosn't stop me from writing an initscript but my incompetance does 22:14 < derek_> I know just enough linux to be extreamly dangerous to myself. 
22:14 < pekster> A more crude way to do the same thing is copy the openvpn init script and rip out the looping that starts all *.conf files and reference just the 1 you want to start; you loose the flexibility to make changes to 1 script only in the future, but it'll basically do the same thing 22:14 < pekster> Well, make a backup before you tamper then ;) 22:14 < derek_> I did 22:14 < derek_> lol 22:15 < derek_> all i did was change the working directory to /etc/openvpn/routetun which is the directory of the config file I want 22:15 < derek_> hopefully that works 22:16 < derek_> My profession is high voltage electrician / lineman so I am a little out of my element here 22:16 < pekster> I don't think it's the most elegant solution, but if you do that before it loops through avialble config files it might work - it's been a while since I've looked at the Redhat-style init script since I try to avoid them when possible :P 22:17 < derek_> couldnt have done it without #Openvpn :) 22:17 < pekster> ## actually 22:17 < derek_> I coughed while typing :P 22:18 < derek_> Money clouds are rolling in 22:20 < derek_> good thing the gf was at home I just issued ifconfig eth0 down not realizing I was sshd into my server at home :/ 22:33 < high_roller> pekster, thanks for the info, this project may be quite a bit harder than I thought 22:34 < pekster> Without tun support OpenVPN plain doesn't work 22:35 < pekster> See the file 'PORTS' in the source archive for details of porting the application to a new platform 22:39 < high_roller> pekster, I'm pretty sure that blackberry doesn't have tun, just because they want you to use the BES service (i.e. $$$$) 22:50 -!- mrpockets [n=mrpocket@unaffiliated/mrpockets] has joined ##openvpn 22:50 < mrpockets> hello! 
22:53 < mrpockets> I followed this tutorial on how to setup OpenVPN, and it's working marvelously
22:53 < mrpockets> http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/
22:53 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com)
22:54 < mrpockets> however, i only created one client key (just wanted to see if i could get it up and running) Now when i cd into c:/program files/OpenVPN/easy-rsa and do build-key client2 I get errors
22:55 < derek_> what error
22:56 < mrpockets> connecting to the server to get exact error...
22:56 < derek_> db error while generating key?
22:57 < mrpockets> Give me the help or man page
22:57 < mrpockets> and at the bottom says Could Not Find C:\*.old
22:57 < derek_> hmm never ran into that
22:58 < mrpockets> Is there a way i can use a single .key and .crt for multiple clients?
22:58 < pekster> Perhaps you forgot to run the vars script to set the correct environmental variables?
22:58 < derek_> yes but I would advise against it
22:59 < mrpockets> pek not sir
22:59 < mrpockets> no*
22:59 < mrpockets> unless I need to run it again, before adding build-key client2 ?
22:59 < mrpockets> i ran it the first time, when i set it up and build-key client1
22:59 < pekster> You'll need to run it again if this is a different command prompt window as variables don't stay set across prompts
22:59 < derek_> make sure you give client2 a different common name as well
22:59 < mrpockets> kk
23:00 < derek_> in regards to client1
23:00 < mrpockets> wonderful
23:00 < mrpockets> thanks!
23:00 < mrpockets> I've just been using client1 for the common name of client1 and etc... is that a poor practice?
23:01 < pekster> Only if you think it is; the common name is a name you need to understand, not the computer
23:01 < mrpockets> k
23:02 < mrpockets> oh dammit. I think that just broke shit. Now there's only Key2 in the keys directory
23:02 < mrpockets> client2* ..client1 is no longer
23:03 < pekster> If you ran the clean script (whatever that's called) it deletes the old data
23:03 < mrpockets> gyah
23:03 < pekster> the var script is the only one you need if you have an existing PKI set up
23:03 < mrpockets> piss
23:04 < mrpockets> herm..
23:04 < pekster> I believe the docs cover this. In the meantime, you do have backups, yes? If not, you'll need to re-issue certs to existing devices (including the server) and have them all use the new CA public certificate
23:05 < mrpockets> no, this setup isn't production yet so I haven't implemented a backup solution.
23:05 < mrpockets> think what ima do though is reinstall and start over.
23:05 < mrpockets> knowing that i should make more than one client key this time
23:05 < derek_> dont reinstall just redo all the crts
23:06 < derek_> get it all right then reinstall :P
23:07 < mrpockets> lol
23:07 < derek_> well the more you screw up now without going to reinstall the better you can fix in the future when you cant afford to reinstall
23:08 < mrpockets> true
23:08 < mrpockets> and i had thought about that
23:22 < mrpockets> so in the future
23:22 < mrpockets> to add a new user, run the vars script
23:23 < mrpockets> to set the variables in the shell, then i should be able to build-key client*
23:51 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Sun Jun 14 2009
00:02 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
00:02 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
00:10 < mrpockets> ping mrpockets
00:10 < mrpockets> deal.
00:10 < thedoc> ding.
00:11 < bitrot> any way to do multilink ?
00:11 < bitrot> for bonding
00:26 -!- myself_ [n=myself@74-132-91-61.dhcp.insightbb.com] has joined ##openvpn
00:26 < myself_> !howto
00:26 < vpnHelper> myself_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:41 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has quit [Remote closed the connection]
00:42 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has joined ##openvpn
01:33 -!- jeiworth_ [n=jeiworth@189.163.184.25] has quit [Read error: 110 (Connection timed out)]
01:44 -!- theDoc- [n=andelyx@208.99.194.194] has joined ##openvpn
01:49 -!- myself_ [n=myself@74-132-91-61.dhcp.insightbb.com] has quit ["Leaving"]
01:51 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
01:51 -!- theDoc- is now known as thedoc
02:11 < bitrot> i dont get the "route" keyword, shouldnt i be able to use iptables to route ?
02:19 < bitrot> when i browse the docs, all i get are 404 on the links
02:19 -!- c64zottel [n=hans@p5B09DE77.dip.t-dialin.net] has joined ##openvpn
02:31 < bitrot> unencrypted ?
03:05 < reiffert> routing with iptables?
03:05 < reiffert> sure.
03:06 < reiffert> patch-o-matic
03:06 < reiffert> http://netfilter.org/projects/patch-o-matic/pom-external.html#pom-external-ROUTE
03:06 < vpnHelper> Title: netfilter/iptables project homepage - netfilter/iptables - Patch-o-Matic Listing - external (at netfilter.org)
03:18 < bitrot> i have a point to point link going with openvpn
03:18 < bitrot> now, i want to be able to use the servers internet
03:22 < bitrot> also, is there a way to do multilink
03:22 < bitrot> and i have some problems with mtu/mss
03:23 < reiffert> multilink? sure.
03:23 < reiffert> http://lartc.org/
03:23 < reiffert> servers internet?
03:23 < reiffert> !def1
03:23 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:24 < bitrot> server is openvpn host with fast pipe
03:24 < bitrot> 100mbit
03:24 < bitrot> i want to be able to achieve 60mbit using 2x 30mbit cable modems
03:24 < reiffert> bbl, breakfast.
03:24 < bitrot> from my home
03:26 < bitrot> The server at lartc.org is taking too long to respond.
03:26 < reiffert> google cache.
03:27 < bitrot> ah, but i dont want to bond it client side
03:27 < bitrot> i want it to be transparent, same as if i accessed it through 1x 60mbit cable connection
03:27 < bitrot> PPP can do this
03:29 < reiffert> wysinwyg
03:29 < reiffert> however, gtg now
03:30 < bitrot> wysinwyg ?
03:38 < bitrot> i see that it could be done with bond0
03:49 -!- troy is now known as troy-
04:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:22 < Bushmills> bitrot, http://scarydevilmonastery.net/masq
05:22 < bitrot> if using TAP mode, should the tap0 adapter appear in ifconfig ?
05:22 < thedoc> hmm, def1 could be useful.
05:24 < bitrot> because it doesnt in my case
05:24 < thedoc> bitrot: It should.
05:24 < thedoc> This is on your server or client?
05:24 < bitrot> server
05:24 < thedoc> I believe it comes up when you fire up the ovpn daemon?
05:25 < bitrot> does nothing
05:25 < thedoc> hm.
05:25 < thedoc> What do your ovpn logs show you?
05:25 < bitrot> dev tap
05:25 < bitrot> server-bridge 172.16.0.1 255.255.255.0 172.16.0.10 172.16.0.20
05:25 < bitrot> and when i connect
05:25 < bitrot> i do get .10 ip
05:25 < bitrot> but cant ping 0.1
05:26 < thedoc> bitrot: I'm not familiar with bridging mode, maybe someone else could help you
05:27 < bitrot> http://codepad.org/H7HoR96z
05:27 < vpnHelper> Title: Plain Text code - 17 lines - codepad (at codepad.org)
05:28 < bitrot> wsWhLSix
05:28 < bitrot> http://codepad.org/wsWhLSix
05:28 < vpnHelper> Title: Plain Text code - 22 lines - codepad (at codepad.org)
05:31 < bitrot> thedoc, what about tun mode
05:31 -!- c64zottel [n=hans@p5B09DE77.dip.t-dialin.net] has quit ["Leaving."]
05:31 < thedoc> bitrot: tunmode comes up for me when I fire up the vpndaemon
05:32 < bitrot> what is the mtu/mss for tunmode
05:32 < thedoc> 1492 for me.
05:32 < thedoc> or so I think
05:32 < thedoc> 1500
05:32 < bitrot> well it must be lower than that...
05:32 < bitrot> 1500 is for ethernet
05:33 < thedoc> 1500.
05:34 < bitrot> - 20 for ip, 8 for udp
05:36 < bitrot> every packet will fragment if you put it too high
05:37 < thedoc> bitrot: That's right.
05:37 < thedoc> 1500 should be fine though.
05:37 < bitrot> not really
05:37 < bitrot> cuz every packet will fragment into a bigger one and a smaller one then
05:38 < bitrot> if http/ftp/ whatever
05:50 < bitrot> with TUN the PPP link works
05:50 < bitrot> and i get tun0 device
05:51 < bitrot> in ifconfig
05:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
05:53 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:58 < bitrot> so now i can route internets and masquerade to that network as normal, so do i need some special parameters
06:00 < Bushmills> just pretend that tun0 is like any other old NIC
06:07 < bitrot> what is the "route" option for then
06:30 < Bushmills> akin to executing a script upon connection, which sets routes
06:34 < bitrot> do i need it to get internet to my ppp ?
06:34 < bitrot> it has no gateway atm
06:34 < bitrot> on the client
06:35 < Bushmills> nobody needs internet
06:36 < Bushmills> oh, misread. no, for internet on ppp, you don't even need openvpn
06:36 < bitrot> sorry, when i say ppp, i mean point to point, i should say ptp
06:38 < Bushmills> internet over openvpn?
06:38 < bitrot> yes
06:39 < Bushmills> redirect-gateway on the client (or push it to client, with server)
06:39 < Bushmills> and configure server to do NAT
06:39 < Bushmills> !redirect-gateway
06:39 < vpnHelper> Bushmills: Error: "redirect-gateway" is not a valid command.
06:39 < Bushmills> hm
06:40 < Bushmills> !redirect
06:40 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:40 < bitrot> so just push "redirect-gateway def1"
06:40 < Bushmills> looks good
06:41 < bitrot> or just push "redirect-gateway" without def 1
06:44 -!- samferry [n=samuel@unaffiliated/samferry] has quit [Remote closed the connection]
06:46 -!- albech [n=albech@124.157.238.9] has joined ##openvpn
06:47 -!- troy- is now known as troy
06:49 -!- p3ri0d [i=p3ri0d@200.2.150.81] has joined ##openvpn
06:50 -!- albech [n=albech@124.157.238.9] has quit [Client Quit]
07:01 -!- p3ri0d [i=p3ri0d@200.2.150.81] has quit ["Leaving"]
07:28 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has quit ["ZNC - http://znc.sourceforge.net"]
07:29 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has joined ##openvpn
07:37 < Bushmills> yes, good too. def1 is of use when you want original default routes restored on disconnect
07:37 < Bushmills> without causes less clutter in the routing table
07:57 < bitrot> its a windows client
07:57 < bitrot> i still dont see anything defined as gateway or dns
08:13 < Bushmills> redirect-gateway has no effect on the DNS
08:13 < Bushmills> (other than resolving will use the vpn route)
08:14 < Bushmills> but a new default route should show
08:23 -!- dollabilll [n=mike@fl-67-235-202-159.dhcp.embarqhsd.net] has joined ##openvpn
08:25 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn
08:29 < bitrot> i set dns
08:29 < bitrot> push dns
08:32 < Bushmills> does client happen to run vista?
08:32 < bitrot> xp
08:33 < Bushmills> i've seen people here with problems, getting their gateway set with vista, but not with xp
08:34 < bitrot> should it appear in the TUN adapters status page
08:34 < bitrot> default gateway:
08:34 < bitrot> because it doesnt access the internet with it
08:34 < bitrot> same as if i didnt have that option
08:35 < bitrot> id like for it to be the same as with pptp, when VPN is active, EVERYTHING goes through it
08:35 < Bushmills> don't know about that. it should show in route, at least
08:36 < Bushmills> there's one thing which can't go through it: packets to the vpn server
08:36 < Bushmills> but redirect-gateway takes care of that
08:39 < krzee> ive seen winroute problems in XP too
08:39 < bitrot> windows pptp client is quite good
08:39 < Bushmills> sounds like saying "windows is great"
08:40 < bitrot> when you connect, everything still works, but everything goes through vpn as well
08:40 < Bushmills> on a BSD channel :P
08:40 < bitrot> !redirect
08:40 < vpnHelper> bitrot: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:40 < bitrot> !ipforward
08:40 < vpnHelper> bitrot: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
08:40 < bitrot> !linipforward
08:40 < vpnHelper> bitrot: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
08:40 < Bushmills> !pptp
08:40 < vpnHelper> Bushmills: Error: "pptp" is not a valid command.
08:40 < krzee> !notcompat
08:40 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
08:41 < bitrot> id use pptp, but my VPS does not allow ppp module to be loaded
08:51 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
08:52 -!- derek__ [n=derek@199.85.8.1] has joined ##openvpn
08:53 -!- derek_ [n=derek@199.85.8.1] has quit [Read error: 110 (Connection timed out)]
08:54 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit [Client Quit]
08:56 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
08:57 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit [Read error: 54 (Connection reset by peer)]
08:57 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
08:59 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit [Client Quit]
09:01 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
09:16 < bitrot> !nat
09:16 < vpnHelper> bitrot: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
09:16 < bitrot> !linnat
09:16 < vpnHelper> bitrot: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:16 -!- alpha_one_x86 [n=alpha_on@213.151.167.252] has joined ##openvpn
09:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:17 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has left ##openvpn []
09:17 < alpha_one_x86> Hello I need help to finish the setup of openvpn, can you help me?
09:17 < thedoc> alpha_one_x86: depends really.
09:19 < krzee> !ask
09:19 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
09:20 < thedoc> hello krzee;)
09:20 < krzee> hey whats up doc
09:20 < krzee> ;]
09:20 < krzee>
09:20 < thedoc> More servers and stuff:)
09:20 < krzee> cool
09:20 < krzee> im playing in opensolaris
09:21 < krzee> its kinda cool
09:21 < alpha_one_x86> I have setup all, but no communication is possible
09:21 < thedoc> alpha_one_x86: no, that doesn't tell me about what you have running, topology and configs
09:21 < thedoc> krzee, production server?
09:22 < krzee> nah, VM
09:22 < thedoc> oh.
09:22 < krzee> i have 4 VMs, fbsd8 64bit (which i also run on my lan NFS) debian 64bit, opensolaris x86, winxp 64bit
09:23 < alpha_one_x86> My config file: http://pastebin.com/m1705ffdb I want that's allow multiple computer go on this network
09:23 < thedoc> krzee: good god, how many computers do you own?
09:23 < krzee> should i count colo's?
09:23 < krzee> and laptops?
09:23 * thedoc doesn't understand french
09:23 < thedoc> >_>
09:23 < thedoc> krzee: sure, why not?
09:24 < krzee> home, 1 desktop, 2 laptops, 2 servers i use for NFS
09:24 < krzee> colo, 5
09:25 < krzee> that i own the HW
09:25 < thedoc> oh nice.
09:25 < thedoc> I'm thinking of selling off this mac and buying another mac.
09:25 < alpha_one_x86> I think I have found where is the problem, I can see tun0 in P-t-P mode
09:26 < thedoc> alpha_one_x86: and why would that be wrong?
09:27 < alpha_one_x86> Because I want connect 2 computer or more on this vpn server
09:28 < thedoc> alpha_one_x86: nope, point-to-point mode can support multiple clients.
09:29 < alpha_one_x86> oki
09:29 < krzee> !sample
09:29 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
09:29 < alpha_one_x86> But ip is specified: inet addr:192.168.165.1 P-t-P:192.168.165.2
09:29 < krzee> you arent using ptp mode
09:30 < krzee> you used server stetment
09:30 < krzee> statement
09:30 < krzee> you just need other clients to have certs
09:30 < krzee> and they can connect
09:30 < alpha_one_x86> Yes but that's not work
09:30 < thedoc> krzee, have you tried openvpn-access server?
09:30 < krzee> no
09:30 < krzee> i dont want gui's tbh
09:31 < krzee> imho its for corp windows types
09:31 < alpha_one_x86> The P-t-P:192.168.165.2 seem good for you?
09:31 < mrpockets> tbh
09:31 < thedoc> krzee, i was thinking of using it to rapidly deploy anonymous vpn accounts for my clients. just wondering if anyone has tried it.
09:31 < mrpockets> openVPN gui isn't really a gui
09:32 < mrpockets> in the traditional sense
09:32 < krzee> mrpockets, im talkin bout openvpn-access server
09:32 < mrpockets> ah
09:32 < krzee> their corp pay project
09:32 < krzee> like for profit
09:33 < thedoc> krzee, nothing wrong with for-profit really. we all need to eat ;p
09:35 < krzee> i totally agree
09:35 < krzee> and it was a totally separate project
09:36 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
09:36 < krzee> its not like they turned ovpn into for profit closed source or anything
09:36 < thedoc> and that's really fine. i personally think that those guys at openvpn have done a great job there.
09:37 < krzee> alpha_one_x86, yes, see !/30 to understand
09:37 < thedoc> alpha_one_x86, no, not really.
09:37 < thedoc> If 192.168.165.2 is on the server, that's not right is it? if it's a /30.
09:38 < krzee> thedoc, and why is that
09:38 < thedoc> from what i understand, the server takes the first ip in the subnet and shouldn't that fall as .1?
09:38 < thedoc> with 0 as subnetid
09:38 < krzee> you use openvpn thedoc?
09:38 < krzee> lol
09:38 < alpha_one_x86> 192.168.165.1 is the ip of the server (pingable)
09:38 < krzee> alpha_one_x86, thats exactly how it should look
09:38 < thedoc> krzee, yeah. i think i might be missing something here ;p
09:38 < krzee> thedoc, you use bridge or something then?
09:39 < krzee> or maybe you use topology subnet
09:39 < thedoc> krzee, topology subnet, not bridging anything
09:39 < thedoc> not at the moment.
09:39 < krzee> but for topology net30 (default) for a tun, thats exactly how it should look
09:39 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
09:39 < krzee> ahh you use topology subnet, thats why
09:39 < thedoc> let me take a quick peek at my config ;p
09:39 * thedoc suspects he might have misread something
09:40 < alpha_one_x86> Then what edit for that's work?
09:41 < krzee> alpha_one_x86, you trying to use the same certs for your second client as the first?
09:43 < krzee> alpha_one_x86, .2 is internal to the server side, will never be able to ping
09:43 < krzee> first client will get .6 as his real ip
09:43 < krzee> second will get .10
09:43 < krzee> goes up by 4
09:43 < krzee> !/30
09:43 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:43 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
09:43 < thedoc> 0-4, 5-8, 9-12 etc etc..
09:43 < alpha_one_x86> No, 1 certificate by client
09:44 < krzee> 1 each client?
09:44 < krzee> well, you might have to start reading through logfiles then
09:45 < alpha_one_x86> My logs is: http://pastebin.com/m180ee541
09:45 < thedoc> alpha_one_x86, that just shows an empty openvpn-client logfile.
09:45 < krzee> not even a logfile
09:45 < krzee> a status-file
09:45 < thedoc> that too.
09:45 < thedoc> status.
09:46 < alpha_one_x86> Where found that's for show to you?
09:46 < krzee> what is your first language?
09:47 < alpha_one_x86> My native language? French
09:47 < krzee> AHH
09:47 < krzee> oops
09:47 < krzee> capslock
09:54 < alpha_one_x86> Can you give me config file which work?
09:56 < alpha_one_x86> failed to update database TXT_DB error number 2
09:56 < krzee> i dont believe your config is your problem
10:00 < alpha_one_x86> I will all restart
10:00 < alpha_one_x86> have you good howto for diag the problem step by step?
10:00 < krzee> no
10:00 < krzee> find your logs
10:00 < krzee> and use them
10:01 < alpha_one_x86> The client need by in ip dhcp or fixed?
10:02 < krzee> i dont understand you
10:03 < alpha_one_x86> I have only locate /var/log/openvpn-status.log
10:03 < krzee> thats not it
10:03 < krzee> check your messages file
10:03 < reiffert> syslog
10:03 < krzee> or some other syslog file
10:03 < alpha_one_x86> On client which connect to vpn, the interface need by in dhcp or with fixed ip
10:04 < thedoc> all clients regardless can connect to the vpn server.
10:04 < alpha_one_x86> Then I will setup syslog
10:04 < thedoc> It's really a matter of making sure you can authenticate to the box.
10:05 < alpha_one_x86> The log is locate ;)
10:08 -!- dollabilll [n=mike@fl-67-235-202-159.dhcp.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
10:10 < thedoc> anyone knows how to "cap" traffic for clients connecting to the vpn?
10:10 < krzee> tcpdump?
10:11 < alpha_one_x86> wirewhark?
10:11 < alpha_one_x86> wireshark?
10:11 < Bushmills> tshark - console app
10:12 < thedoc> krzee: cap, as in .. set a hard limit for how much b/w each user can use ;)
10:12 < thedoc> not as in capture.
10:13 < Bushmills> thedoc, check out the tc utility (from QoS) in conjunction with iptables
10:13 < reiffert> hi Bushmills
10:13 < thedoc> Bushmills, thanks.
10:13 < Bushmills> np thedoc, hi reifff
10:14 -!- alpha_one_x86 [n=alpha_on@213.151.167.252] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090520, built on: 2009/06/14 08:33:08 UTC http://www.kvirc.net/"]
10:16 < thedoc> Bushmills, from documentation, it seems that tc only deals with egress traffic and not ingress.
10:24 < thedoc> question here guys, anyone has ever seen ifconfig reset the total amount of b/w sent with regards to openvpn?
10:27 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
10:30 -!- alpha_one_x86 [n=alpha_on@213.151.167.252] has joined ##openvpn
10:31 < alpha_one_x86> Re, my client log: http://pastebin.com/m7b4ef3ff and server: http://pastebin.com/m7bcbb597
10:31 < krzee> no clue, but like Bushmills said that kinda stuff belongs in iptables
10:32 < thedoc> hm
10:32 < krzee> alpha_one_x86,
10:32 < krzee> check the route actually succeeded
10:32 < thedoc> time for more investigation
10:32 < krzee> netstat -rn
10:35 < thedoc> this is very odd. i could have sworn that i had something like 2.xgb transferred in my previous check of ifconfig and now it's only at 200mb.
10:35 < thedoc> does it reset itself every 4gb or something?
10:36 < alpha_one_x86> client seem can ping server, but server can't ping client
10:36 < Bushmills> thedoc, script up something. one traffic counting netfilter rule per user, send each user traffic through the rule of the corresponding user, check periodically, deny when limit reached
10:38 < thedoc> Bushmills: I guess that's one way to do it. I'll have to look at that when I get back next week.
10:38 < thedoc> As of now, I'm stumped as to why ifconfig resets the stats on tx/rx on its own.
10:38 < thedoc> I just noticed that on 2 servers.
10:38 < Bushmills> maybe 2^31 overflow
10:39 < thedoc> Bushmills: I guess so.
10:40 < krzee> alpha_one_x86, that points to firewall issue on client
10:40 < krzee> turn off firewall on tap adapter
10:40 < Bushmills> likely. i remember from a munin plugin which used iptables rules to measure traffic, that it was unsuited for 100 mbit nics with permanent full load - acquisition took place every 300 secs
10:40 < alpha_one_x86> I will try
10:41 < Bushmills> which would be 3 gigabyte. ergo overflow.
10:41 < thedoc> ouch.
10:41 < thedoc> I would probably just get another syslog server to poll all my servers and its traffic load.
10:41 < alpha_one_x86> It seem work
10:42 -!- jeiworth [n=jeiworth@189.163.184.25] has joined ##openvpn
10:50 < alpha_one_x86> But second client no: http://pastebin.com/m5e288671
10:53 < krzee> time is wrong on the click
10:53 < krzee> clock
10:54 < krzee> Sun Jun 14 15:48:04 2009 VERIFY ERROR: depth=1, error=certificate is not yet valid: /C=FR/ST=FR/L=Paris/O=amber/CN=_/emailAddress=admin@first-world.info
11:05 < alpha_one_x86> The client1 can't connect to client2 with firewall turned off
11:08 < alpha_one_x86> And ping after sometime not work and after rework
11:16 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
11:31 < alpha_one_x86> How allow connection between client1 and client2 ?
11:47 < krzee> --client-to-client
11:47 < krzee> client-to-client in server config
12:06 < alpha_one_x86> Ping sometime not work
12:06 < alpha_one_x86> I'm in local lan in tcp
12:22 < alpha_one_x86> The vpn work only some time, why?
12:23 < krzee> !tcp
12:23 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:24 < alpha_one_x86> Yes but udp have same problem, sometime work, sometime not work
12:25 < bitrot> curse the internet for being unreliable somewhat
12:26 < bitrot> is there a way of running openvpn over RAW ip
12:26 < bitrot> no udp
12:27 < alpha_one_x86> I do my test in local network! What I should do?
12:29 < alpha_one_x86> I have switch to udp
12:29 -!- koma5 [n=tracerou@gprs13.swisscom-mobile.ch] has joined ##openvpn
12:30 -!- koma5 [n=tracerou@gprs13.swisscom-mobile.ch] has left ##openvpn []
12:38 < krzee> bitrot, no
12:53 -!- jeiworth [n=jeiworth@189.163.184.25] has quit [Connection timed out]
13:09 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn
13:12 -!- alpha_one_x86 [n=alpha_on@213.151.167.252] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090520, built on: 2009/06/14 08:33:08 UTC http://www.kvirc.net/"]
13:43 < derek__> yes
13:58 -!- troy is now known as troy-
14:10 -!- a0n [n=aar0n@g226244078.adsl.alicedsl.de] has joined ##openvpn
14:12 -!- a0n [n=aar0n@g226244078.adsl.alicedsl.de] has left ##openvpn []
14:13 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
14:14 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has left ##openvpn []
14:15 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
14:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:55 -!- Gh0sty00 [n=casper@server1.rootforce.nl] has joined ##openvpn
14:56 < |Mike|> Gh0sty00: hi!
14:57 < Gh0sty00> hi |Mike|
14:57 < Gh0sty00> was just writing my question lol
14:57 < |Mike|> good luck :)
14:58 < |Mike|> !logs
14:58 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:58 < |Mike|> !configs
14:58 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:58 < |Mike|> read that :)
14:58 * |Mike| &
14:58 < Gh0sty00> oke :)
15:07 -!- eggdude35348 [n=spam4204@24.63.14.123] has joined ##openvpn
15:08 < eggdude35348> can anyone give me some advice on an openvpn issue?
15:09 < eggdude35348> I have an openvpn server setup, i am able to connect on the client-side successfully, but i can not access any of the network
15:13 < eggdude35348> !route
15:13 < vpnHelper> eggdude35348: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:14 < eggdude35348> !configs
15:14 < vpnHelper> eggdude35348: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:19 < Gh0sty00> hmz online need the client log :/
15:19 < Gh0sty00> only*
15:21 < eggdude35348> !howto
15:21 < vpnHelper> eggdude35348: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:21 -!- troy- is now known as troy
15:24 < Gh0sty00> hmz anyway to easy log the console to a file on a windows client
15:24 < Gh0sty00> i don't use any interface
15:28 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has joined ##openvpn
15:28 < Delf> Anyone around to help?
15:28 < reiffert> ecrist is.#
15:29 < Delf> when running scripts on "up"
15:29 < Delf> up online.bat
15:29 < Delf> how do i get the variables?
15:30 < Delf> echo %dev% does not work :(
15:31 < reiffert> where did you read about %dev%?
15:32 < Delf> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
15:32 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
15:32 < Delf> Nevermind, im an idiot, its working now
15:33 < reiffert> I'm sorry, but I cant find %dev% on this page.
15:33 < Delf> it was a simple typo
15:33 < Delf> Environmental Variables
15:33 < Delf> dev
15:33 < Bushmills> !abuse
15:33 < vpnHelper> Bushmills: Error: "abuse" is not a valid command.
15:33 < Bushmills> grin
15:34 < reiffert> Delf: what is your solution now?
15:34 < Gh0sty00> Oke got everything now i guess: http://pastebin.com/m7fc8446d My client can connect and ping the server but cannot ping the rest of the subnet. The server cant ping the client either
15:34 < Delf> echo %dev% does work, but i had it set in offline.bat instead of online.bat
15:34 < Gh0sty00> i used the manuals that are located at the openvpn site
15:34 < Delf> reiffert: i'm just testing the variables
15:35 < reiffert> Delf: ouch.
15:35 < Gh0sty00> |Mike|: you there ? and willing to help :) ?
15:36 < Gh0sty00> i replaced some info though but that is not relevant to the issue (certificate and server ip)
15:37 -!- c64zottel [n=hans@p5B09DE77.dip.t-dialin.net] has joined ##openvpn
15:39 < Gh0sty00> brb
15:40 < Gh0sty00> oh yeah during the build up of the connection i am able to ping the client twice on a certain moment
15:40 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has quit [Remote closed the connection]
15:46 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has joined ##openvpn
15:53 < Gh0sty00> anyone ? :(
15:54 < Delf> Gh0sty00: I assume you have firewall off?
15:54 < Gh0sty00> yeah
15:54 < Gh0sty00> no firewall
15:55 < Gh0sty00> i've added the 3 rules that are mentioned at the site though but still no effect
15:55 < Gh0sty00> and the 1195 port is forwarded from the gateway to the vpn server
15:57 < Gh0sty00> i've also added the following rule: echo 1 > /proc/sys/net/ipv4/ip_forward
15:59 < Gh0sty00> From 192.168.0.8 icmp_seq=41 Destination Host Unreachable
15:59 < Gh0sty00> From 192.168.0.8 icmp_seq=42 Destination Host Unreachable
15:59 < Gh0sty00> 64 bytes from 192.168.0.149: icmp_seq=43 ttl=128 time=646 ms
15:59 < Gh0sty00> ^C
15:59 < Gh0sty00> that is what i get from the server if my client connect
16:00 < Gh0sty00> it can ping it once or twice and then nothing
16:00 < Gh0sty00> no destination host unreachable or anything
16:02 -!- c64zottel [n=hans@p5B09DE77.dip.t-dialin.net] has quit ["Leaving."]
16:02 < Bushmills> "Destination Host Unreachable" sign of routing problem
16:02 < Gh0sty00> yeah that is before it connects :P
16:03 < Gh0sty00> but once it is connected i can ping the client 1 and then it stopts
16:03 < Gh0sty00> stops*
16:03 < Gh0sty00> its really weird :S
16:03 < Gh0sty00> and i can't find any similar problem on the web
16:03 < Bushmills> tshark/tcpdump on client whether the icmp echo request arrives there
16:04 < Gh0sty00> and if not where should i look ?
16:04 < Gh0sty00> if it doesn't arrive*
16:04 < Bushmills> then there's only host route, tun interface, openvpn left
16:05 < Bushmills> server route, i mean
16:05 < Gh0sty00> :S
16:05 < Gh0sty00> but its weird that the client can ping the server
16:05 < Gh0sty00> but not the other way around
16:06 < krzie> that points to firewall issue
16:06 < Bushmills> dividing the potential error set into two sets, and discard the one which you can exclude
16:06 < krzie> if by client you mean the machine running openvpn connecting to server
16:06 < krzie> (people often use that word wrong for some reason)
16:07 < krzie> but its weird that the client can ping the server
16:07 < Bushmills> by repeating, you can successively approximate to the problem cause
16:07 < Gh0sty00> yeah the openvpn client can ping the openvpn server but the openvpn server cannot ping the openvpn client
16:07 < krzie> openvpn client runs windows?
16:07 < Gh0sty00> yes
16:07 < Gh0sty00> vista
16:07 < krzie> turn off firewall on tap device
16:07 * Bushmills pukes a bit
16:07 < Gh0sty00> firewall is turned of
16:08 < Gh0sty00> off*
16:08 < krzie> double check that, reboot, try again
16:08 < Gh0sty00> k
16:08 < krzie> also look at its log when it connects, make sure it added the route ok, vista usually needs route-delay to successfully add routes
16:09 < krzie> at least ive seen a lot of people need it
16:09 < Gh0sty00> k
16:09 < krzie> i personally have never, and will never run vista
16:09 < Gh0sty00> will look at that too
16:09 < krzie> i guess simply netstat -rn should show if it added the routes ok
16:09 < krzie> but the log couldnt hurt to look at
16:10 < Gh0sty00> i personally use mac but the people i'm configuring openvpn for are using windows
16:10 < krzie> gotchya
16:10 < krzie> im so glad i dont need to support win anymore
16:10 < krzie> it used to be one of my primary sources of income, very glad to no longer do it
16:14 < Bushmills> windows blackens peoples' souls
16:16 -!- p3ri0d [n=p3ri0d@200.2.153.148] has joined ##openvpn
16:16 < Gh0sty00> lol
16:16 < Gh0sty00> firewall is turned off at the client and route is added correctly
16:16 < Gh0sty00> :(
16:16 < eggdude35348> I have a tunnel configured, up and running from client to server, but on client side i can't start RDP, and all firewalls are off...any ideas?
16:16 < Gh0sty00> anyways i'm off for now. getting late here. thanks for the help
16:17 -!- Gh0sty00 [n=casper@server1.rootforce.nl] has quit ["Lost terminal"]
16:19 < krzie> yes egg
16:19 < krzie> make sure the RDP is listening on vpn ip
16:31 < krzie> (assuming you can ping)
16:52 -!- eggdude35348 [n=spam4204@24.63.14.123] has quit [Read error: 60 (Operation timed out)]
16:58 -!- p3ri0d [n=p3ri0d@200.2.153.148] has quit ["Leaving"]
17:24 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
17:49 -!- master_of_master [i=master_o@p549D77F1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:52 -!- master_of_master [i=master_o@p549D4F5E.dip.t-dialin.net] has joined ##openvpn
17:55 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [No route to host]
18:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:23 -!- troy is now known as troy-
19:11 < |Mike|> moo
20:09 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has quit ["I quit IRC"]
20:16 < derek__> moo arrrhhnn
21:10 < derek__> My vpn stopped working after I finally got it going last night. I noticed when I start it I get this
21:11 < derek__> Sun Jun 14 20:10:45 2009 us=94510 /sbin/ip route add 192.168.12.0/24 via 192.168.100.2
21:11 < derek__> RTNETLINK answers: File exists
21:11 < derek__> Sun Jun 14 20:10:45 2009 us=108801 ERROR: Linux route add command failed: shell command exited with error status: 2
21:11 < derek__> Sun Jun 14 20:10:45 2009 us=109088 /sbin/ip route add 192.168.14.0/24 via 192.168.100.2
21:11 < derek__> Sun Jun 14 20:10:45 2009 us=122030 /sbin/ip route add 192.168.100.0/24 via 192.168.100.2
21:11 < derek__> RTNETLINK answers: File exists
21:11 < derek__> Sun Jun 14 20:10:45 2009 us=135331 ERROR: Linux route add command failed: shell command exited with error status: 2
21:11 < derek__> what does that mean
21:40 -!- mrpockets [n=mrpocket@unaffiliated/mrpockets] has quit ["bbl: Feds at the door."]
21:44 -!- high_roller [n=heath@74-213-200-228-price-cable.etv.net] has quit ["Leaving"]
21:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:57 -!- omega42 [i=tom-w@dslb-088-065-208-248.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
21:59 -!- omega42 [i=tom-w@dslb-088-065-053-206.pools.arcor-ip.net] has joined ##openvpn
22:03 < derek__> ?
22:43 -!- troy- is now known as troy
23:11 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit []
23:20 -!- Lilarcor [n=Lilarcor@208-59-127-253.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
23:30 < derek__> where is the routing table file located, if i wanted to write a script to inject a route
23:33 < dan__t> depends on your distro?
23:33 < dan__t> What are you using?
23:33 < derek__> centos
23:34 < dan__t> you can set it per route, per interface, per global - best to let openvpn handle that though.
23:34 < derek__> I cant
23:34 < dan__t> beef up your debug to see what the deal is from your ip command.
23:34 < derek__> its not that
23:34 < dan__t> Why can't you?
23:34 < dan__t> Then what is it?
23:34 < derek__> ill post in forum and send the link
23:34 < dan__t> Ok.
23:36 < derek__> ok how would I add this
23:36 < derek__> 192.168.100.0 mainserver.aptt 255.255.255.0 UG 0 0 0 br0
23:36 < derek__> that's what I need to add to my routing table manually
23:59 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
--- Day changed Mon Jun 15 2009
00:01 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
00:01 < Alagar> good morning all
00:01 < derek__> i figured out the route table and good morning
00:12 < derek__> http://forums.contribs.org/index.php/topic,44285.new.html#new is my problem for those who want to give it a crack
00:12 < vpnHelper> Title: Trusted network problem with open vpn (at forums.contribs.org)
01:01 -!- derek__ is now known as derek_zzzzzzzzzz
01:26 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:28 < reiffert> "trusted networks"?
01:54 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
01:55 < kevin_> Whos here?
01:55 < reiffert> ecrist is.
02:17 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has joined ##openvpn
02:50 -!- troy is now known as troy-
02:50 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has quit [Read error: 113 (No route to host)]
03:00 -!- surki [n=surki@gek7.kyla.fi] has left ##openvpn []
03:06 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
03:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
03:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:24 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has joined ##openvpn
03:32 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has quit ["Leaving..."]
03:41 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has joined ##openvpn
03:46 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has quit []
03:49 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has joined ##openvpn
03:51 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has quit [Client Quit]
04:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:25 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has joined ##openvpn
04:33 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has joined ##openvpn
04:50 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has quit [Read error: 113 (No route to host)]
05:09 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
05:33 -!- Lilarcor [n=Lilarcor@208-59-127-253.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Remote closed the connection]
05:46 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
05:46 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has left ##openvpn []
05:54 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:48 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn
07:26 < ecrist> morning, folks
07:29 -!- Delf [n=Eldkraft@c-89-160-11-83.cust.bredband2.com] has quit [Remote closed the connection]
08:06 < cpm> morn'n
08:15 < derek_zzzzzzzzzz> morning
08:15 < derek_zzzzzzzzzz> oops looks like I'm still sleeping
08:15 -!- derek_zzzzzzzzzz is now known as Derek
08:16 -!- Derek is now known as Derek__
08:23 < Derek__> http://forums.contribs.org/index.php/topic,44285.0.html if you want to try to help maybe if you can give me commands to look at iptables and stuff so I can compare before and after
08:23 < vpnHelper> Title: Trusted network problem with open vpn (at forums.contribs.org)
08:44 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B09C91B.dip.t-dialin.net] has quit [Client Quit]
08:54 -!- jeiworth [n=jeiworth@189.177.29.7] has joined ##openvpn
09:12 -!- p3ri0d [i=p3ri0d@200.2.153.148] has joined ##openvpn
09:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:34 < ecrist> !iptables
09:34 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
09:35 < Derek__> i found out what i need to add i think
09:35 < Derek__> i found this command iptables-save -c
09:35 < Derek__> and I compared the two
09:35 < Derek__> [0:0] -A local_chk_8501 -s 192.168.100.0/255.255.255.0 -j ACCEPT is the line that is missing
09:35 < Derek__> how do I add that command into iptables
09:36 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
09:52 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
10:18 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has joined ##openvpn
10:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:31 -!- p3ri0d [i=p3ri0d@200.2.153.148] has quit ["Leaving"]
10:34 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has left ##openvpn []
10:36 -!- troy- is now known as troy
10:43 -!- mRCUTEO [n=IRCLUNAT@115.134.239.71] has joined ##openvpn
10:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"]
10:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:53 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has joined ##openvpn
10:53 < sibiria> hello
10:54 < sibiria> i'm looking for some help on how to make the windows version of openvpn perform a route change command
10:54 < sibiria> in specific, i want the config file to perform "route delete 0.0.0.0" as the very first thing
10:54 < sibiria> i've looked around in the documentation and examples, but i find nothing
10:54 < sibiria> any help is appreciated
10:56 -!- barbosa [n=barbosa@189.27.48.13] has quit [Read error: 110 (Connection timed out)]
10:56 -!- barbosa [n=barbosa@189.27.56.94.dynamic.adsl.gvt.net.br] has joined ##openvpn
10:57 -!- mRCUTEO [n=IRCLUNAT@115.134.239.71] has left ##openvpn []
10:57 < Bushmills> sibiria, is your idea to route traffic through vpn instead?
10:58 < sibiria> that is what i'm doing, but, the original default route has a prioritized metric, so everything i do _first_ tries to go through that route, _then_ through the vpn
10:59 < sibiria> so right now i manually delete the original route before connecting to my vpn
10:59 < sibiria> it's a bit clunky. i'd like openvpn to do that part for me :)
11:00 < Bushmills> !redirect
11:00 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:00 < Bushmills> that should be able to replace it
11:01 < reiffert> !def1
11:01 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:01 < reiffert> --route network/IP [netmask] [gateway] [metric]
11:01 < reiffert> --route-metric m
11:01 < reiffert> Specify a default metric m for use with --route.
11:01 < sibiria> i use "route 0.0.0.0 0.0.0.0 ..." right now
11:01 < sibiria> thanks for those hints, gonna see if i can make it replace the default one
11:02 < reiffert> push "redirect-gateway def1"
11:02 < reiffert> and you are done
11:03 < sibiria> i do that on the server config, sort of
11:03 < sibiria> i thought pushing was not to be done on the client?
11:04 < reiffert> you do that in the server conf, right.
11:05 < sibiria> it's the client's default gateway i want replace, though
11:05 < sibiria> replaced*
11:05 < reiffert> yeah.
11:05 < reiffert> see !man
11:05 < reiffert> for details.
11:05 < reiffert> !man
11:05 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:05 < reiffert> server is pushing options to the client.
11:07 < reiffert> client is pulling them, if the word "client" can be found in client config
11:08 < reiffert> else you can pull them manually with the "pull" keyword
11:09 < sibiria> replacing my "route 0.0.0.0 ..." with "redirect gateway" did the trick
11:09 < sibiria> thanks again
11:10 < reiffert> yw
11:12 < sibiria> have a good day :)
11:12 -!- sibiria [n=sibiria@ua-83-227-160-33.cust.bredbandsbolaget.se] has quit ["[BX] Its not TV. Its BitchX."]
11:13 -!- infinitesteps [n=chatzill@c-98-223-147-94.hsd1.in.comcast.net] has joined ##openvpn
11:25 -!- eggdude35348 [n=spam4204@24.63.14.123] has joined ##openvpn
11:44 -!- Haraken [i=ryuk@unaffiliated/haraken] has left ##openvpn ["Leaving"]
11:52 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
11:53 -!- kevin_ is now known as |
11:53 -!- | is now known as canadaeh
11:56 -!- albech [n=albech@124.157.238.9] has joined ##openvpn
11:59 -!- Alagar [n=helpdesk@95.154.197.29] has left ##openvpn []
12:03 -!- eggdude35348 [n=spam4204@24.63.14.123] has quit []
12:17 -!- troy is now known as troy-
12:20 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)]
12:22 -!- Netsplit brown.freenode.net <-> irc.freenode.net quits: Intensity
12:22 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection]
12:26 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
12:29 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
12:31 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
12:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
13:06 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:07 -!- p3ri0d [n=p3ri0d@200.2.153.148] has joined ##openvpn
13:07 -!- p3ri0d [n=p3ri0d@200.2.153.148] has quit [Connection reset by peer]
13:07 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"]
13:22 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
13:23 -!- eggdude35348 [n=spam4204@24.63.14.123] has joined ##openvpn
13:23 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
13:24 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
13:24 < eggdude35348> can anyone give some advice on an openvpn setup? I have it all configured and working, but i can only rdp onto default port 3389 on server machine's rdp, made a rule in my firewall for port 3390 on another machine but no luck
13:24 < infinitesteps> I am configuring openswan + xl2tpd + pppd on an OpenSuse machine with intention of connecting native OSX clients
13:25 < infinitesteps> I seem to have ipsec working correctly
13:25 < infinitesteps> but the client is failing to connect, I suspect my xl2tpd and ppp configuration
13:25 < infinitesteps> one question I had is does pppd need to be started or is it handled by xl2tpd?
13:32 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
13:32 -!- eggdude35348 [n=spam4204@24.63.14.123] has quit [Read error: 54 (Connection reset by peer)]
13:37 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
13:39 -!- eggdude35348 [n=spam4204@24.63.14.123] has joined ##openvpn
13:39 < eggdude35348> > I am configuring openswan + xl2tpd + pppd on an OpenSuse machine with intention of connecting native OSX clients
13:39 < eggdude35348> I seem to have ipsec working correctly
13:39 < eggdude35348> but the client is failing to connect, I suspect my xl2tpd and ppp configuration
13:39 < eggdude35348> one question I had is does pppd need to be started or is it handled by xl2tpd?
13:39 < eggdude35348> whoops
13:40 < infinitesteps> does xl2tpd initialize pppd in some way
13:41 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:43 < infinitesteps> I commented out the listen-addr in xl2tpd.conf and it started working, I guess I don't know what address is supposed to go in there
13:44 < infinitesteps> I had it set to the internal interface IP address
13:44 < infinitesteps> should it be the public interface instead?
13:48 -!- Irssi: ##openvpn: Total of 75 nicks [0 ops, 0 halfops, 0 voices, 75 normal]
13:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:51 < ecrist> krzee: you around?
13:52 -!- throughnothing [n=will@74.205.24.229] has quit ["leaving"]
13:54 < infinitesteps> I have successfully configured openswan + xl2tpd ... there are a lot of configuration options, I seem to have configured the pertinent ones... what I am wondering now is, is it stable?
13:54 < infinitesteps> Once configured is this a pretty stable and maintenance free setup? Will I have to babysit it?
13:54 < ecrist> krzee: when you're around: http://www.secure-computing.net/wiki/index.php/Special:Contributions/Flaccid
13:54 < vpnHelper> Title: User contributions for Flaccid - Secure Computing Wiki (at www.secure-computing.net)
13:55 < ecrist> infinitesteps: should not need to babysit, aside from adding users and such
13:55 < infinitesteps> I haven't gotten to this step yet, but I am assuming that I can authenticate PPP using LDAP or PAM
14:03 -!- Gud [n=erik@1-2-5-7b.mal.sth.bostream.se] has joined ##openvpn
14:13 < Bushmills> infinitesteps, do you also have an openvpn question?
14:13 < infinitesteps> doah, I am sorry wrong channel - I was intending to be in openswan, my bad
14:14 < infinitesteps> I configured openvpn last week
14:14 < infinitesteps> :-/
14:14 -!- infinitesteps [n=chatzill@c-98-223-147-94.hsd1.in.comcast.net] has left ##openvpn []
14:26 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has joined ##openvpn
14:26 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has left ##openvpn []
14:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:48 -!- eggdude35348 [n=spam4204@24.63.14.123] has left ##openvpn []
14:59 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
15:17 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."]
15:25 -!- jeiworth [n=jeiworth@189.177.29.7] has quit [Read error: 110 (Connection timed out)]
15:32 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
15:51 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:53 < krzee> ecrist, ya i saw he defaced the routing doc, didnt catch the others =/
15:54 < krzee> rather mature of him ild say
15:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:57 -!- omega42 [i=tom-w@dslb-088-065-053-206.pools.arcor-ip.net] has quit []
16:01 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:20 -!- dollabilll [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
16:27 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:30 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has joined ##openvpn
16:31 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has quit [Client Quit]
16:33 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has joined ##openvpn
16:33 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has left ##openvpn []
16:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:50 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:13 -!- danskmand1 [n=Administ@p5B27F857.dip.t-dialin.net] has joined ##openvpn
17:13 < danskmand1> !route
17:13 < vpnHelper> danskmand1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:17 -!- briz [n=briz@host238-198-dynamic.8-79-r.retail.telecomitalia.it] has joined ##openvpn
17:22 < Derek__> How do I add the following option to my iptables in centos, if anyone knows? I know this is offtopic for openvpn but you guys are really helpful.
17:22 < Derek__> [0:0] -A local_chk_8501 -s 192.168.100.0/255.255.255.0 -j ACCEPT
17:33 -!- briz [n=briz@host238-198-dynamic.8-79-r.retail.telecomitalia.it] has quit [Client Quit]
17:33 -!- danskmand1 [n=Administ@p5B27F857.dip.t-dialin.net] has quit ["Leaving."]
17:49 -!- master_of_master [i=master_o@p549D4F5E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:52 -!- master_of_master [i=master_o@p549D659A.dip.t-dialin.net] has joined ##openvpn
17:57 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn
18:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
18:15 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has joined ##openvpn
19:26 -!- dollabilll [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit []
19:32 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
19:36 -!- operezo [n=obleskie@astound-69-42-6-40.ca.astound.net] has joined ##openvpn
19:36 < operezo> I'm having a problem where the client can't connect, and i have a feeling it has to do something with tls-authentication. the error in the server log is "TLS Error: cannot locate HMAC in incoming packet" and it repeats that over and over
19:37 < operezo> both the client and server have the shared tls key
19:38 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
19:39 < bitrot> how do i put shrimp on the barby with openvpn
19:51 -!- mRCUTEO [i=IRCLUNAT@ns.dave.sidma.edu.my] has quit []
20:02 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
20:03 -!- kevin_ is now known as canadaeh
20:05 < Derek__> same time, same tls key, same ca cert, server cert and client certs where they should be
20:05 < Derek__> check all that
20:06 < operezo> ok it looks like i had sha512 on the server conf, and sha256 on the client conf
20:06 < operezo> it's always something simple :)
20:10 < Derek__> there you go :)
20:11 < Derek__> see you in 10 minutes lol
20:26 -!- operezo [n=obleskie@astound-69-42-6-40.ca.astound.net] has quit ["Leaving"]
20:28 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn
20:58 -!- troy- is now known as troy
21:10 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Remote closed the connection]
21:14 < Derek__> anyone around to help me with iptables
21:16 -!- jeiworth [n=jeiworth@189.163.184.25] has joined ##openvpn
21:57 -!- Hydrant [n=aj@CPE001d7e684fa2-CM001e6b194216.cpe.net.cable.rogers.com] has joined ##openvpn
21:57 < Hydrant> hey all... I'm having a strange issue with udp packets, and I'm not sure if there is a simple way to trace them to see where they are being dropped
22:08 < Derek__> well an easy way is to launch your openvpn from prompt and then the server will tell you, verbosity set to 6
22:08 < Derek__> if all is working you should see something like
22:08 < Derek__> Mon Jun 15 21:08:45 2009 us=173071 VPNRouter2/199.85.8.1:13174 UDPv4 WRITE [53] to 199.85.8.1:13174: P_DATA_V1 kid=0 DATA len=52
22:08 < Derek__> Mon Jun 15 21:08:45 2009 us=430870 VPNRouter2/199.85.8.1:13174 UDPv4 READ [133] from 199.85.8.1:13174: P_DATA_V1 kid=0 DATA len=132
22:08 < Derek__> Mon Jun 15 21:08:45 2009 us=430870 VPNRouter2/199.85.8.1:13174 TUN WRITE [96]
22:08 < Derek__> Mon Jun 15 21:08:45 2009 us=431861 VPNRouter2/199.85.8.1:13174 TUN READ [90]
22:08 < Derek__> notice tun read/write and udpv4 read/write
22:09 < Derek__> check your firewall logs as well / turn off or disable any firewall you have and check it that way
22:25 -!- jeiworth [n=jeiworth@189.163.184.25] has quit [Read error: 60 (Operation timed out)]
22:29 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
22:38 < Hydrant> I'm getting: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
22:38 < Hydrant> I don't see any firewall enabled on this side on the router I have between me and the internet
22:38 < Hydrant> this is an issue with a new router I think, it worked fine before
22:38 < Hydrant> but I'm lost as to what else can be wrong with it
22:42 < Derek__> make sure 1194 udp is forwarded
22:43 < Hydrant> on the client side?
22:43 < Hydrant> on the server side it's fine
22:44 < Hydrant> there are other clients on, it's mine that's screwing up somehow
22:48 < Derek__> on your router forward 1194 udp to your ip
22:49 < Hydrant> same thing
--- Day changed Tue Jun 16 2009
00:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
00:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
00:46 < oc80z> would you if you could, use openvpn on your cellphone
01:11 -!- bitrot [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
01:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:44 -!- dazo|h [n=davids@r9dm48.net.upc.cz] has joined ##openvpn
01:45 -!- dazo|h [n=davids@r9dm48.net.upc.cz] has quit [Client Quit]
01:47 -!- dazo|h [n=davids@r9dm48.net.upc.cz] has joined ##openvpn
01:50 -!- troy is now known as troy-
01:53 -!- danskmand [n=Administ@p508BC98D.dip.t-dialin.net] has joined ##openvpn
01:58 < danskmand> Hi :-) - I've got a VPN running between my notebook (W.Vista) and my server back at home (Linux). Works wonderfully :-) - The only thing is that when I am connected to back home, I cannot use the browser. I am able to talk to you (IRC works), just the browser wont do it....
01:58 < danskmand> I think its a routing problem..
02:00 < danskmand> Tue Jun 16 08:50:15 2009 ROUTE: route addition failed using CreateIpforwardentry: Das Objekt ist bereits vorhanden. [status=5010 if_index=12]
02:00 < danskmand> Tue Jun 16 08:50:15 2009 Route addition via IPAPI failed [adaptive]
02:00 < danskmand> Tue Jun 16 08:50:15 2009 Route addition fallback to route.exe
02:00 < danskmand> Is someone already awake *enough* to read all this ?
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:24 -!- dazo|h [n=davids@r9dm48.net.upc.cz] has quit []
02:24 -!- danskmand [n=Administ@p508BC98D.dip.t-dialin.net] has left ##openvpn []
02:34 < reiffert> !configs
02:34 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:35 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has joined ##openvpn
02:41 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has quit [Remote closed the connection]
02:48 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has joined ##openvpn
02:56 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit [Read error: 54 (Connection reset by peer)]
02:57 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
03:04 -!- briz [n=briz@host186-91-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
04:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
04:31 -!- meglo [n=meglo@unaffiliated/meglo] has joined ##openvpn
04:32 -!- meglo [n=meglo@unaffiliated/meglo] has left ##openvpn ["part"]
04:36 -!- seeezz [n=martin@82.113.106.146] has joined ##openvpn
04:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:57 -!- briz [n=briz@host186-91-dynamic.16-79-r.retail.telecomitalia.it] has quit [Client Quit]
05:05 -!- seeezz [n=martin@82.113.106.146] has quit [Read error: 110 (Connection timed out)]
05:09 -!- seeezz [n=martin@82.113.121.145] has joined ##openvpn
05:19 < seeezz> hello has anyone heard of download problems with the dem package from the openvpn website?
05:19 < seeezz> i tried now 4 times and it always breaks up after 2 mb
05:34 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
05:41 < seeezz> hello jfkw i could need some help with the openvpn
05:41 < seeezz> do u have 2 min?
05:48 -!- seeezz [n=martin@82.113.121.145] has left ##openvpn ["Verlassend"]
06:53 -!- barbosa [n=barbosa@189.27.56.94.dynamic.adsl.gvt.net.br] has quit [Read error: 110 (Connection timed out)]
06:54 -!- barbosa [n=barbosa@189.27.52.245.dynamic.adsl.gvt.net.br] has joined ##openvpn
07:04 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has quit ["Leaving."]
07:06 -!- eoch [n=eoch@64.126.117.142] has joined ##openvpn
07:40 -!- da_tux [n=ryan@rrcs-70-63-90-226.midsouth.biz.rr.com] has quit ["Leaving"]
07:42 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
07:45 -!- whitefox [n=kaido@61.141.158.178] has joined ##openvpn
07:46 < whitefox> does anyone know if using vpn actually makes the packet go faster between two distributed boxes ?
07:49 < Bushmills> depends on contents and bandwidth
07:49 < Bushmills> if you gain more by less traffic through compression than lose by compression/decompression overhead, it is going to be faster.
07:50 < Bushmills> for a single packet, regardless of contents, no.
07:51 -!- eoch [n=eoch@64.126.117.142] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"]
07:52 < whitefox> Bushmills: if I need to do file upload, does it help to use openvpn?
07:52 < ecrist> *sigh*
07:52 < whitefox> in the sense that I want to try to increase the upload performance
07:52 < ecrist> thanks, krzee. I'm still getting all sorts of hate from flaccid. :)
07:53 < Bushmills> whitefox, a file of 10 mb, containing zeroes only, yes.
07:53 < Bushmills> a file containing white noise, no
07:54 < Bushmills> an ascii file on a gigabit link, unlikely. same file on 300 baud, very likely
07:54 < whitefox> Bushmills: right now I need to upload big files from one country to another and it is taking a long time.
07:55 < whitefox> cuz there are many firewalls in between.
07:55 < whitefox> if I use vpn, does it help for the packet to go direct?
07:55 < Bushmills> no
07:55 < whitefox> does the encryption even make the file bigger then?
07:56 < Bushmills> depends on encryption. usually not.
07:57 < whitefox> if one box also hosts a website, and people from the other box ( located in another country ) are getting slow performance. Does it help to have vpn in between these boxes to improve the page loading experience?
07:59 < Bushmills> may help. not guaranteed
07:59 < whitefox> I don't understand why it may help since the packets still need to go through all those hops
08:00 < Bushmills> a: compression potential. b: firewalls may treat vpn packets different than http packets
08:01 < whitefox> even country-wide firewalls would treat packets differently too?
08:01 < Bushmills> you need to ask the firewall admin that
08:04 < Bushmills> for example, if there are a lot of filters examining http traffic, vpn packets are not likely to be subjected to the same filtering
08:04 < Bushmills> (for such a filter, vpn traffic would appear as noise)
08:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
08:06 < whitefox> right, that makes sense
08:08 < Bushmills> i heard the green wall protests had some effect, and the government has taken a step back. do you have updates on that?
08:08 < whitefox> no not at all
08:09 < whitefox> it is worse for the key month
08:09 < Bushmills> then i'll update you :)
08:09 < whitefox> now is key month
08:09 < whitefox> you know what key month means right?
08:10 < whitefox> but the traffic from US to China should not be filtered right? only the other side.
08:10 < Bushmills> government says "users are not required to install. sold pc don't need to have software installed, coming on cd will be fine, and it is up to the user whether he wants to install it or not"
08:10 < whitefox> therefore, I am wondering if having a vpn is going to help US to access website hosted in China
08:10 < Bushmills> no, what does key month mean?
08:10 < whitefox> trust me, they will find ways to put it there
08:11 < whitefox> PHS with 70M users are just get shut down when it is asked to shut down
08:12 < whitefox> oh key month is referring to the month when a big event happened long time back in a XXXsquare
08:12 < Bushmills> ah, right
08:12 < Bushmills> aware of that
08:12 < whitefox> with or without of vpn, http visitors are not going to get any benefit right?
08:13 < Bushmills> well.. vpn obscures the nature of traffic
08:13 < Bushmills> not just the contents. also what kind of connection
08:14 < whitefox> yes, but it is just that people are not allowed to see some particular contents, and it probably won't filter on traffice coming from US, i just think.
08:14 < whitefox> if it is slow, then it is slow
08:15 < Bushmills> traffic could be email, http, DNS requests and replies, telnet ... for a man in the middle there is no way to tell
08:15 < whitefox> i am just trying to think if it justify to get vpn setup
08:15 < whitefox> it may make it worst
08:15 < Bushmills> it may attract some attention, if you keep it running on the default ports
08:16 < Bushmills> but you can change the to less conspicious ports
08:17 < whitefox> our content is ok, i just want some people from our US team to access faster
08:17 -!- albech [n=albech@124.157.238.9] has quit ["Leaving"]
08:17 < Bushmills> compressing files with the tightest compression may be more beneficial
08:17 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:18 < Bushmills> zip7, or p7zip may be a good candidate
08:19 < whitefox> for the upload traffic, it is already gz, so probably not much for compress more
08:19 < whitefox> but for web, probably
08:20 < Bushmills> http://p7zip.sourceforge.net/
08:20 < vpnHelper> Title: P7ZIP (at p7zip.sourceforge.net)
08:20 < whitefox> is it just yet another compression tool?or a better one?
08:20 < Bushmills> it packs tighter than zip
08:21 < whitefox> is there such thing for http ?
08:23 -!- whitefox [n=kaido@61.141.158.178] has left ##openvpn []
08:23 -!- whitefox [n=kaido@61.141.158.178] has joined ##openvpn
08:23 < whitefox> I need to drop off
08:23 < whitefox> it is getting late here.
08:23 < whitefox> thanks for all your help.
08:24 -!- whitefox [n=kaido@61.141.158.178] has quit []
08:30 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has quit [Remote closed the connection]
08:30 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has joined ##openvpn
08:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
09:32 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
09:33 -!- jkimball4 [n=jerrid@pdpc/supporter/professional/jkimball4] has joined ##openvpn
09:33 -!- jkimball4 [n=jerrid@pdpc/supporter/professional/jkimball4] has quit ["Reconnecting"]
09:35 -!- jkimball4 [n=jerrid@pdpc/supporter/professional/jkimball4] has joined ##openvpn
09:36 < jkimball4> hi
09:37 < jkimball4> i'm trying to connect to a host on my company's vpn which has been connected to on my local router box. i need machines served by the router to be able to access machines on the vpn (through the router), but i'm not sure where to go from here and can't seem to find any info related to my situation
09:37 < jkimball4> any pointers?
09:38 < Bushmills> jkimball4, company vpn is openvpn?
09:39 < jkimball4> Bushmills: yes
09:40 < jkimball4> the vpn connection is setup, just not sure how to get ny machines to get traffic through
09:40 < Bushmills> in that case, the openvpn traffic goes through a virtual interface on your route. you can route through it as you would if it was a physical interface
09:40 < Bushmills> router
09:41 < jkimball4> on the router, right?
09:41 < Bushmills> means, if the router knows what ip addresses to route though openvpn, nothing at all needs to be done on the clients
09:42 < Bushmills> (assuming that router is their default gateway)
09:42 < jkimball4> ok, that's what i was leaning towards
09:42 < jkimball4> yes, it is
09:42 < jkimball4> so i just need to configure my pf then most likely
09:42 < jkimball4> the hole issue stems from openvpn being a bit wonky on solaris and me not wanting to deal with it
09:42 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:45 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
09:51 < jkimball4> heh, the whole** issue
09:51 < jkimball4> thanks Bushmills. I'll see what I can make of it
10:01 < krzee> ecrist, cant you just firewall him off?
10:02 < krzee> ecrist, or if hes really pissing you off, gimme his ips hes connecting to your site from
10:16 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has joined ##openvpn
10:17 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has left ##openvpn []
10:43 < ecrist> /whois flaccid
10:43 < ecrist> that's his IP
10:43 < ecrist> he spammed the site using his own username
10:46 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:47 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
10:49 < oc80z> +-(root@pre)->
10:49 < oc80z> +-(/var/home/box)--> # ipkg-opt list | grep vpn
10:49 < oc80z> openvpn - 2.1_rc15-1 - SSL based VPN server with Windows client support
10:49 < oc80z> openvpn on the Palm Pre
10:50 < krzee> wow that was quick
10:50 < oc80z> :D
10:50 < oc80z> i did an scp on the WAN, pushed 10mbit+
10:51 < oc80z> Great device.
11:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
11:23 < krzee> weird they used rc15
11:53 < jkimball4> Bushmills: looks like setting up nat on the vpn interface did the trick, if you were at all curious.
:)
12:01 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
12:01 < Rajko> how do i make internet go through vpn
12:01 < Rajko> ive set up nat and everything
12:02 < Rajko> just need to tell client to use tun0 for internet
12:03 < jkimball4> heh, i had similar issue just a little bit ago
12:03 < jkimball4> not internet but netowrk traffic
12:04 < jkimball4> i just turned on nat to do nat on the vpn interface for traffic from my lan subnets
12:07 < jkimball4> as was explained earlier to me, the client doesn't need to know about the vpn so long as your router does
12:08 < Rajko> how do i make everything go through tun0
12:10 < Bushmills> !redirect
12:10 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:10 < Bushmills> Rajko, ^^^^
12:10 < Rajko> does not work
12:10 < Rajko> i have that in my server config
12:10 < Bushmills> works here
12:11 < Rajko> push "redirect-gateway"
12:11 < Rajko> push "dhcp-option DNS 172.16.0.1"
12:11 < Bushmills> vista client?
12:11 < Rajko> linux client
12:12 < Bushmills> what's the route on client?
12:12 -!- jkimball4 [n=jerrid@pdpc/supporter/professional/jkimball4] has left ##openvpn []
12:12 < Rajko> just my normal isp one
12:12 < Rajko> same as if the option wasnt there
12:13 < Bushmills> try to not push it, but just redirect-gateway in client config
12:15 < reiffert> !def1
12:15 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:15 < Rajko> either of them does nothing for me
12:16 < Rajko> ok, doing it on the client instead of push made it work.
12:16 < Rajko> why doesnt push work
12:16 < Bushmills> no idea
12:16 < Rajko> my stuff goes through tunnel now
12:16 < Rajko> traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 38 byte packets
12:16 < Rajko> 1 172.16.0.1 (172.16.0.1) 41.560 ms 44.578 ms 46.468 ms
12:16 < Rajko> 2 93.174.93.52 (93.174.93.52) 43.170 ms 43.832 ms 43.295 ms
12:17 < Rajko> should i use def1 ?
12:17 < Bushmills> if you want to be able to stop openvpn, it may make sense
12:17 < Bushmills> otherwise it just adds clutter to the routing table
12:20 < Rajko> still can access internet the normal way once openvpn shuts down
12:21 < Bushmills> then your stop script may restore the old default route
12:21 < Rajko> i just press CTRL C in the openvpn
12:21 < Rajko> window
12:22 < Rajko> no scripts yet
12:26 < Bushmills> well, i suppose in that case def1 isn't terribly useful to you.
12:27 < Bushmills> maybe it has other uses besides keeping the old default route of which i am unaware
12:28 < reiffert> Rajko: paste your client config please.
12:30 < Rajko> hmm, after the route added
12:30 < Rajko> i cant ping 176.16.0.1 (the other vpn peer)
12:34 < Rajko> http://codepad.org/VOwivjnp
12:34 < vpnHelper> Title: Plain Text code - 294 lines - codepad (at codepad.org)
12:35 < reiffert> Add the line "client" to your client config somewhere.
12:35 < reiffert> and pushing routes will work.
12:35 < Rajko> doesnt ork.
12:35 < reiffert> See manpage for pull, push and client.
12:35 < Rajko> client does not work with secret.
12:35 < reiffert> allright, then have a look at the manpage to what --client expands normally to.
12:36 -!- albech [n=albech@124.157.238.9] has joined ##openvpn
12:40 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
12:40 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
12:52 -!- c64zottel [n=hans@p5B178D20.dip0.t-ipconnect.de] has joined ##openvpn
13:02 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has joined ##openvpn
13:12 -!- kevin_ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
13:12 -!- kevin_ is now known as canadaeh
13:14 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has left ##openvpn []
13:53 -!- tech_sam [n=dshackel@70-91-214-68-MichiganL.hfc.comcastbusiness.net] has joined ##openvpn
14:14 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
14:15 -!- Irssi: ##openvpn: Total of 74 nicks [0 ops, 0 halfops, 0 voices, 74 normal]
14:15 < Ahri> hi guys, i'm trying to get my bridged devive (br0=tap0/eth0) to broadcast for a dhcp lease, and instead of getting a 192.168.1.* ip it's receiving 169.254.23.146 from god knows where -- how can i fix this?
14:16 < ecrist> the 169 address is an auto-assigned address because it's not getting a response via DHCP
14:16 < Ahri> hmm ok
14:17 < ecrist> are you talking a server or a client?
14:17 < Ahri> a dhcp client
14:17 < ecrist> an openvpn client?
14:17 < Ahri> oh sorry, no, it's an openvpn server
14:18 -!- gogloomdude [n=gogloomd@mtka.claimlynx.com] has joined ##openvpn
14:18 -!- gogloomdude [n=gogloomd@mtka.claimlynx.com] has quit [Client Quit]
14:18 < Ahri> if i ditch the bridge and just do dhcp on the eth0 it'll work fine
14:18 < ecrist> hrm
14:18 < Ahri> and if i manually assign an ip to the br0 device that works too
14:18 < ecrist> what OS, can you post an ifconfig output?
14:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:19 < ecrist> my guess is it's not passing the packets out on either interface
14:19 < ecrist> br0 comes up before you try dhcp, irght?
14:19 < Ahri> yeah
14:19 < ecrist> did you try manually to do dhclient br0?
14:19 < Ahri> yeah, but i'll try again, i think i used dhcpcd actually
14:20 -!- tech_sam [n=dshackel@70-91-214-68-MichiganL.hfc.comcastbusiness.net] has left ##openvpn []
14:20 < ecrist> that might be the linux client, I"m a freebsd guy, that's the freebsd command.
14:20 < Ahri> hang on, will brb, i need to stick this session in screen so i can get back to it
14:20 < ecrist> !irclogs
14:20 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
14:21 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit ["brb"]
14:21 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
14:22 < Ahri> right, i'll just try some more dhcp config of br0
14:27 < Ahri> hmm well it did work after i killed off the dhcpcd proccess and re-did it
14:27 < Ahri> and it even worked after rebooting...
14:27 < Ahri> but it took a long time to get the address where usually it's perfect
14:28 < Ahri> it seems a little unpredictable since i didn't actually change anything
14:30 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit ["leaving"]
14:31 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
14:54 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)]
15:10 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit [Remote closed the connection]
15:10 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has joined ##openvpn
15:17 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
15:17 < MrPockets> How do you guys easily (if possible?) push out OpenVPN Client for a somewhat easy end-user setup?
15:20 < Bushmills> MrPockets, just pass key, certs and conf to client
15:21 < MrPockets> keep cers in the same directory as the conf so that there isn't anything that has to be directory specific?
15:21 < Bushmills> that's determined in the conf
15:22 < Bushmills> of course you want instructions where to copy to match the conf
15:22 < MrPockets> right
15:22 < MrPockets> I'm just thinking, if i've got 50 boxes to setup
15:22 < MrPockets> and each needs their own key and cert
15:22 < MrPockets> theres no easy way to do that
15:22 < Bushmills> script it
15:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:35 < MrPockets> with a veryable for the client1 client2 client* ect.. ?
15:39 < Bushmills> depends on your local setup
15:41 < krzie> ssl-admin will zip it up with config for you for easy distribution
15:48 -!- BozoClown [n=Extra@S0106001cf0b93f82.ed.shawcable.net] has joined ##openvpn
15:49 -!- BozoClown [n=Extra@S0106001cf0b93f82.ed.shawcable.net] has left ##openvpn ["Gone, baby gone."]
15:53 < krzie> !ccd
15:53 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
15:55 < krzie> !route
15:55 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:56 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
16:01 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
16:05 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:05 < Dougy> http://cgi.4chan.org/s/src/1245175418314.jpg
16:05 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has joined ##openvpn
16:05 < ubsafder> hello
16:06 < Dougy> hi
16:14 < krzie> sup doug
16:14 < krzie> !iroute
16:14 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry.
Also see !route and !ccd
16:15 < Dougy> krzie, 4chan link
16:15 < Dougy> lol
16:15 -!- bitrot [n=Rajko@93.174.88.10] has joined ##openvpn
16:18 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has quit [Remote closed the connection]
16:21 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 113 (No route to host)]
16:21 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
16:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:23 < krzie> !/30
16:23 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:24 < krzie> !winipforward
16:24 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
16:27 -!- bitrot [n=Rajko@93.174.88.10] has quit [Read error: 60 (Operation timed out)]
16:35 -!- netnoodle [n=obleskie@astound-69-42-6-40.ca.astound.net] has joined ##openvpn
16:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:36 < netnoodle> hello all, the vpn connection succeeds on my client with "Initialization Sequence Completed". however, the routing table hasnt changed at all and i don't think the client has been "assigned" an ip address
16:36 < netnoodle> so the tunnel is there but it isnt. what should; i do?
16:36 < krzie> client is windows?
16:37 < netnoodle> krzie, client is fedora
16:37 < krzie> started openvpn as root in fedora?
16:37 < netnoodle> yes
16:37 < krzie> ie: sudo
16:37 < krzie> !logs
16:37 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:37 < netnoodle> ok let me look for the logs
16:38 < Dougy> krzie
16:38 < Dougy> oh nvm
16:38 < Dougy> its !configs
16:38 < Dougy> was thinking logs had comments
16:38 < krzie> ahh =]
16:38 < Dougy> krzie - did you get the email
16:38 < Dougy> about thursday
16:38 < krzie> ya
16:38 < krzie> gunna change kvm ups, etc
16:39 < Dougy> yea
16:39 < krzie> werd
16:39 < netnoodle> krzie, i'm copying the log now
16:39 < reiffert> bet he didnt add "client" to client.conf
16:39 < krzie> im a lazy fuck
16:39 < krzie> still havnt finished setting it up to be my mailserver
16:40 < reiffert> Recently I was setting up openvpn on my home-router who is sending nameservice requests to my root-server in outer world. Provider-Redirections do suck.
16:41 -!- c64zottel [n=hans@p5B178D20.dip0.t-ipconnect.de] has quit ["Leaving."]
16:41 < netnoodle> reiffert, guilty :(. it's fixed now. thanks for you intuition
16:41 < krzie> wow
16:41 < krzie> the amazing reiffert
16:41 < netnoodle> it's always something simple
16:41 < reiffert> krzie: he's the 3rd person without "client" within 2 days I think.
16:42 < netnoodle> thanks krzie for your help as well
16:42 < krzie> ahh, must be another poorly written howto floating to the top of google
16:42 < krzie> netnoodle np, although i didnt do anything, you're welcome anyways ;]
16:42 < reiffert> or bad bad config examples given by linux distributor
16:43 < krzie> ahh
16:45 -!- bitrot [n=Rajko@93.174.88.10] has joined ##openvpn
16:46 < netnoodle> if im on the same subnet as the openvpn server, is there something special i have to do to get the ips to work? for instance, 192.168.1.110 is both the direct ip to the vpn server and the ip that i want to tunnel through to it. i think the client is getting confused
16:49 < reiffert> yeah, there is something pretty special you have to do.
16:49 < reiffert> RTFH!
16:49 < reiffert> !howto
16:49 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
16:50 -!- MrPockets is now known as cafguest
16:50 < netnoodle> k
16:50 -!- cafguest [n=Jimmy@unaffiliated/mrpockets] has quit [Nick collision from services.]
16:50 -!- cafguest [n=Jimmy@CPE-67-48-252-32.new.res.rr.com] has joined ##openvpn
16:51 -!- cafguest is now known as MrPockets
16:51 -!- netnoodle [n=obleskie@astound-69-42-6-40.ca.astound.net] has quit ["Leaving"]
16:51 < reiffert> Uh, reading sucks.
16:59 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
17:00 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
17:01 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."]
17:04 < Rajko> any way to make OPENVPN FASTER ?
17:04 < Rajko> i turned off encryption and hmac
17:05 < Rajko> like, with a kernel module ?
17:05 < Rajko> that will do packet copying in kernel mode
17:07 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
17:09 -!- bitrot [n=Rajko@93.174.88.10] has quit [Read error: 104 (Connection reset by peer)]
17:10 -!- bitrot [n=Rajko@93.174.88.10] has joined ##openvpn
17:10 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
17:10 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
17:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:18 < Rajko> whats the fixmss option for
17:18 < krzie> !fbsdnat
17:18 < vpnHelper> krzie: "fbsdnat" is http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
17:18 < krzie> !fbsdipforward
17:18 < vpnHelper> krzie: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
17:19 < Dougy> krzie
17:19 < Dougy> i might build/rent out amd server
17:19 < Dougy> s
17:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer]
17:21 < krzie> right on
17:21 < Dougy> krzie, i can build
17:21 < Dougy> 2.6 ghz athlon, 2gb ram, 320gb hd
17:21 < Dougy> for 359 and change
17:21 < krzie> i believe it
17:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:21 < krzie> computers are cheap now
17:22 < krzie> you know the specs of my badass desktop, only $650
17:22 < Dougy> mine is on "hot" parts
17:22 < Dougy> mobo / cpu / ram are "hot"
17:22 < krzie> "hot"?
17:22 < Dougy> stolen
17:22 < krzie> well you arent getting a very good deal then
17:22 < Dougy> what do you mean
17:23 < krzie> i bought mine legit 8gb ram 4core 2.66 1.5TB
17:23 < krzie> case, vid card, power supply
17:23 < krzie> $650 total
17:23 < Dougy> nice
17:23 < Dougy> the amd box
17:23 < Dougy> chassis - 100
17:23 < Dougy> mobo - 55
17:23 < Dougy> cpu - 55
17:23 < Dougy> ram - 25
17:23 < Dougy> hdd - 55
17:23 < krzie> so if those parts are hot, you're getting ripped
17:23 < Dougy> heatsink - 30
17:23 < Dougy> no
17:23 < Dougy> the parts in my desktop are hot
17:23 < Dougy> not those servers
17:23 < krzie> ahh
17:24 < Dougy> the parts in my desktop are parts ive snatched from bins
17:24 < Dougy> etc
17:24 < Dougy> ie stuff that nobdoy cared about
17:24 < Dougy> and just threw aside
17:24 < Dougy> i have a pile of old xeons in my room that igot last month
17:24 < Dougy> that had been sitting in abandoned motherboards in the datacenter for 11 months
17:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer]
17:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:30 -!- bitrot [n=Rajko@93.174.88.10] has quit [Connection timed out]
17:34 < krzie> !forget fbsdnat
17:34 < vpnHelper> krzie: Joo got it.
17:34 < krzie> !learn fbsdnat as see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
17:34 < vpnHelper> krzie: Joo got it.
17:36 < Dougy> hm
17:49 -!- master_of_master [i=master_o@p549D659A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:52 -!- master_of_master [i=master_o@p549D5D20.dip.t-dialin.net] has joined ##openvpn
18:05 < |Mike|> omg !
18:08 < Dougy> wut !
18:14 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
18:21 < Derek__> !forget Derek__
18:21 < vpnHelper> Derek__: Error: There is no such factoid.
18:21 < Derek__> !forget vpnHelper
18:21 < vpnHelper> Derek__: Error: There is no such factoid.
18:25 -!- dddd [n=omg@cpe-71-79-155-189.neo.res.rr.com] has joined ##openvpn
18:27 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
--- Log opened Tue Jun 16 19:03:22 2009
19:03 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
19:03 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
19:03 -!- Irssi: Join to ##openvpn was synced in 17 secs
19:10 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
19:13 < krzie> http://live.lmgtfy.com/ is lulz
19:13 < vpnHelper> Title: LMGTFY Live (at live.lmgtfy.com)
19:13 < Dougy> lol krzie
19:13 < Dougy> what is a mil
19:13 < Dougy> flolol
19:13 < Dougy> milf
19:14 -!- rawDawg [n=omg@cpe-71-79-155-189.neo.res.rr.com] has joined ##openvpn
19:15 < krzie> mine hasnt scrolled by
19:15 < krzie> so im wondering if its really live
19:15 < Dougy> doubt it
19:15 < Dougy> hmm
19:15 < Dougy> so much work to do
19:15 < Dougy> finals tomorrow
19:16 < Dougy> TITS
19:16 < Dougy> krzie, think i could sell an E6750 with 25Mbps bandwidth for $200-250?
19:17 -!- rawDawg [n=omg@cpe-71-79-155-189.neo.res.rr.com] has quit [Client Quit]
19:17 < krzie> no idea
19:18 < krzie> i am clueless as to what goes for what
19:18 < krzie> spoiled might be the right word
19:18 < Dougy> haha
19:19 < Derek__> bitches lol
19:20 < Dougy> Excuse me?
19:20 < Dougy> Do I have to choke a hoe?
19:20 < krzie> ok wayne brady
19:20 < Dougy> hahaha
19:21 < Dougy> krzie got it
19:21 < Dougy> krzie++
19:21 < Derek__> why am i such a dick?
19:22 < krzie> no clue, google it
19:22 < Derek__> dont need to someone created the lmgtfy link for me already :)
19:23 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
19:32 -!- dddd [n=omg@cpe-71-79-155-189.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
19:37 -!- bitrot [n=Rajko@93.174.88.10] has joined ##openvpn
19:41 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
19:41 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
19:43 < krzie> haha
19:58 -!- bitrot [n=Rajko@93.174.88.10] has quit [Read error: 110 (Connection timed out)]
20:06 -!- bitrot [i=bitrot@95.168.182.101] has joined ##openvpn
20:10 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 104 (Connection reset by peer)]
20:10 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
20:25 -!- bitrot [i=bitrot@95.168.182.101] has quit [Read error: 104 (Connection reset by peer)]
20:38 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
21:15 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"]
21:24 -!- albech_ [n=albech@58.147.43.251] has joined ##openvpn
21:28 -!- albech [n=albech@124.157.238.9] has quit [Read error: 60 (Operation timed out)]
21:45 -!- jeiworth [n=jeiworth@189.163.149.149] has joined ##openvpn
22:30 -!- code- [i=code@antenora.aculei.net] has quit [Remote closed the connection]
22:30 -!- code- [i=code@antenora.aculei.net] has joined ##openvpn
23:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
23:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:35 -!- code- [i=code@antenora.aculei.net] has quit [Remote closed the connection]
23:41 -!- code- [i=code@antenora.aculei.net] has joined ##openvpn
--- Day changed Wed Jun 17 2009
00:02 < Derek__> !offlinesync
00:02 < vpnHelper> Derek__: Error: "offlinesync" is not a valid command.
00:02 < Derek__> !sync
00:02 < vpnHelper> Derek__: Error: "sync" is not a valid command.
00:03 < Derek__> anyone off the top of thier head know how to sync a windows xp computer back into the domain using openvpn gui as the connection
00:03 < Derek__> or set it up
00:14 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:18 < Alagar> Good Morning All
00:28 < oc80z> morning
01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:53 -!- DevilsPGD [n=dave@S0106000423cb2cbc.ok.shawcable.net] has joined ##openvpn
01:53 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
01:53 < DevilsPGD> !howto
01:53 < vpnHelper> DevilsPGD: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:57 -!- dpalic [n=dpalic@p50817678.dip.t-dialin.net] has joined ##openvpn
01:58 < dpalic> hello
01:58 < dpalic> is there any howto, how to configure a site2site vpn?
01:58 < dpalic> maybe I have an other problem
01:59 < dpalic> I want my existing and running configuration to route traffic between the opevpn server and client
01:59 < dpalic> so the clients can access the server's network and also the server can access the clients network (classically a site2site)
01:59 < dpalic> but now my config doesn't allow pinging from the server's network to the client's network
02:02 < dpalic> !route
02:02 < vpnHelper> dpalic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:06 < dpalic> !ccd
02:06 < vpnHelper> dpalic: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
02:24 -!- dpalic [n=dpalic@p50817678.dip.t-dialin.net] has quit ["Leaving."]
02:25 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has joined ##openvpn
02:31 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
02:48 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has joined ##openvpn
02:55 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
03:04 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has joined ##openvpn
03:04 -!- HeyHo [n=heyho@ip26.ds1-ly.adsl.cybercity.dk] has left ##openvpn []
03:10 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has joined ##openvpn
03:22 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
03:22 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
03:35 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
03:39 -!- rubin110 [n=rubin110@70.36.142.11] has joined ##openvpn
03:40 < rubin110> Hi there, newb question. When I setup openvpn on my debian server about a year ago, I generated files for a cert for just a single client. I want to add a second client now, but when I user ./built-key it yells at me about running ./vars again, but I already built certs for the server. What am I doing wrong?
03:50 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has joined ##openvpn
03:53 < reiffert> source the vars file, then run build-key.
03:55 < Bushmills> rubin110, you're not doing what servers tells you to.
03:56 < Bushmills> (having built certs already before is no substitute for running ./vars)
04:10 -!- kyrix [n=ashley@188-23-65-157.adsl.highway.telekom.at] has quit ["Leaving"]
05:18 -!- albech_ [n=albech@58.147.43.251] has quit [Client Quit]
05:21 -!- fbe [n=fbe@reverse-82-141-45-121.mmlab.de] has joined ##openvpn
05:28 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
05:32 < fbe> Hi, I use route-nopull in the client config file, all works as expected but I get messages about 'Options error: option 'route' cannot be used in this context' But I did not specify that option, just route-nopull
05:38 -!- p3ri0d [i=p3ri0d@200.2.153.148] has joined ##openvpn
05:39 -!- p3ri0d [i=p3ri0d@200.2.153.148] has quit [Client Quit]
05:57 -!- js_ [n=js@193.0.253.161] has left ##openvpn []
06:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
06:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:55 -!- albech [n=albech@58.147.43.251] has joined ##openvpn
07:02 < ecrist> morning, folks
07:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:58 < Derek__> morning
07:58 < Derek__> anyone off the top of thier head knwo how to sync a windows xp computer offline mode back into the domain using openvpn as the connection or link on how to set it up
07:59 < ecrist> not I
08:05 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
08:47 -!- rmull [n=rmull@acsx02.bu.edu] has joined ##openvpn
08:56 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:04 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has joined ##openvpn
09:05 < Rajko> is there a page that lists ALL the settings and what tehy do ?
09:05 < Derek__> yes 09:05 < Derek__> !man 09:05 < vpnHelper> Derek__: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:13 < Rajko> what does openvpn do by default, does it set the mtu to standard 1500, ignoring the overhead, so everything that is near 1500, when added overhead, will become ip fragmented ? 09:16 < Derek__> 1500 you can specify if you want different 09:16 < Derek__> !howto 09:16 < vpnHelper> Derek__: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:17 < krzie> you dont need to specify a diff mtu usually tho 09:18 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:18 < krzie> !mtu 09:18 < vpnHelper> krzie: "mtu" is (#1) you may find help finding the right MTU with this method: http://help.expedient.com/broadband/mtu_ping_test.shtml, or (#2) you can just use --mtu-test on the client as well 09:18 < krzie> !forget mtu * 09:18 < vpnHelper> krzie: Joo got it. 09:18 < Derek__> is vpnhelper italian ? 09:18 < krzie> !learn mtu as see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test on the client as well 09:18 < vpnHelper> krzie: Joo got it. 09:19 < krzie> well, i guess he is 09:19 < krzie> since i made him, and im part italian 09:19 < Derek__> hmm imagine that 09:19 * Derek__ refrains 09:20 < Rajko> my network is cable, so my MTU is 1500 09:27 < krzie> !forget mtu 09:27 < vpnHelper> krzie: Joo got it. 09:27 < ecrist> forget krzie 09:27 < krzie> !learn mtu as see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 09:27 < vpnHelper> krzie: Joo got it.
09:27 < krzie> wassup eric 09:29 < rmull> Hello 09:34 < rmull> Been a while 09:35 < ecrist> nm, krzie 09:35 < ecrist> heya rmull 09:35 < Rajko> mtu-test would give me what 09:36 < krzie> try it 09:36 < krzie> it wont bite you 09:36 < Rajko> in both client and server ? 09:36 < Rajko> its a shared key config 09:36 < krzie> !mtu 09:36 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 09:36 < Rajko> just in client ? 09:36 < Rajko> k 09:37 < Rajko> Wed Jun 17 16:37:07 2009 NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes. 09:37 < Derek__> im betting 1504 09:38 < Rajko> how can it be MORE 09:38 < Rajko> than 1500 09:38 < krzie> openvpn has overhead too 09:38 < Rajko> yes, which would make it less 09:39 < krzie> ya, tbh i dont understand the tweaking of mtu settings, but over 1500 is normal 09:39 < krzie> i read about why it ends up being 1500 really before, but didnt retain the info 09:39 < krzie> its prolly in the manual somewhere 09:39 < Rajko> is there a openvpn packet format doc somewhere 09:39 < krzie> yes there is 09:39 < krzie> somewhere on openvpn.net 09:40 < Rajko> openvpn.net is full of 404s 09:40 < Rajko> they migrated doc system or something 09:40 < krzie> oh god 09:40 < krzie> i hope our static links on the bot work 09:41 < ecrist> most of them seem to, krzie 09:41 < ecrist> I had to ask francis to fix some of them a few weeks ago 09:41 < krzie> ahh nice man 09:41 < Rajko> local->remote=[1508,1508] remote->local=[1508,1508] 09:41 < Rajko> HOW CAN THIS BE TRUE 09:42 < krzie> google it? 09:42 < krzie> check manual?
09:43 < Rajko> i tried 09:45 < Rajko> i am running openvpn in tun mode 09:45 -!- jeiworth [n=jeiworth@189.163.149.149] has quit [Operation timed out] 09:45 < Rajko> so the udp packets being sent to openvpn server would be: OpenVpn header, then IP packet 09:46 < Rajko> in tap mode this would be, openvpn header, then ethernet frame, right 09:46 < krzie> correct 09:46 < Rajko> how big is the openvpn header with no crypto, no auth 09:47 < Rajko> the .edu page that i got while googling is 404 now 09:49 < krzie> http://openvpn.net/index.php/open-source/documentation/security-overview.html 09:49 < vpnHelper> Title: Security Overview (at openvpn.net) 09:50 < krzie> best i got for ya 09:50 < Rajko> are there any tables, drawings ? 09:51 < krzie> dunno 09:51 < ecrist> Rajko - you could probably look around their site yourself... 09:57 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has joined ##openvpn 09:58 -!- HeyHo [n=heyho@cbs212.cbs.dtu.dk] has left ##openvpn [] 10:06 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 10:08 < Rajko> screw it, ill just use wireshark 10:09 < krzie> there ya goes! 10:14 < Rajko> does MTU include ethernet ? 10:14 < Rajko> it seems that it doesnt, just ip and down 10:15 < Rajko> up* 10:25 -!- albech [n=albech@58.147.43.251] has quit [Success] 10:28 < Rajko> openvpn overhead is 28 bytes 10:28 < Rajko> + 8 for udp 10:29 < Rajko> 20 of those 28 are the ip header sorry, so overhead is 8 bytes 10:34 < Rajko> so my mtu-tun should be 1464 ? 10:39 < ecrist> Rajko: do you currently have MTU issues, or is this an intellectual exercise? 10:40 < Rajko> i do not want fragmenting 10:40 < Rajko> unnecessary fragmenting 10:40 < ecrist> do you currently have fragmentation issues? 10:41 < ecrist> most properly written applications have a method for testing MTU to prevent packet fragmentation.
10:42 < Rajko> well, now if i send a ping with DF set, it will still fragment, sending 1 udp packet (ip fragmented) to openvpn server 10:43 < Rajko> i want it to report DF set, but packet too big, as it would on a normal network 10:43 < Rajko> because otherwise, tcp applications will constantly send 1500 byte packets, which will end up being sent as a fragmented udp packet to openvpn server 10:45 < krzie> if you completely figure out the magic of mtu settings, please make a writeup on our wiki 10:45 < krzie> would be cool 10:45 < krzie> i know i personally would enjoy reading it 10:45 < Rajko> it is necessary for very high speed links 10:45 < krzie> !wiki 10:46 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 10:46 < Rajko> like 20mbit 10:46 < krzie> on the mail list archives i know james and others have talked in some depth about mtu settings 10:46 < krzie> james being the main dev 10:47 < Rajko> well i know that i would like tcp applications only fragmenting in tcp 10:47 < Rajko> segmenting* 10:47 < krzie> !mail 10:47 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 10:47 < Rajko> not all over the place 10:49 -!- MrPockets [n=mrpocket@unaffiliated/mrpockets] has joined ##openvpn 10:49 < MrPockets> so lets say i walk into a network with 30 some OpenVPN users 10:50 < Rajko> a guy walks into a network 10:50 < ecrist> how many does it take to change a light bulb? 1 10:50 < MrPockets> other'n looking at each user's setup to see which client key they've got 10:50 < MrPockets> you know?
10:53 < Rajko> so this is why people are getting > 1500 mtu 10:53 < Rajko> because it sends it as one udp packet, and relies on the clients internet connection to fragment them 10:57 < Rajko> so if i download something with http, my client internet connection will receive a big ip packet, then 36 byte ip packet...etc 11:06 -!- fbe [n=fbe@reverse-82-141-45-121.mmlab.de] has quit [Read error: 110 (Connection timed out)] 11:08 < Rajko> well.. 11:08 < Rajko> now it just does this 11:08 < Rajko> C:\Documents and Settings\Rajko>ping google.com -f -l 1472 11:08 < Rajko> Pinging google.com [74.125.45.100] with 1472 bytes of data: 11:08 < Rajko> Request timed out. 11:08 < Rajko> instead of telling me 11:08 < Rajko> Packet needs to be fragmented but DF set. 11:12 < Rajko> ah, seems to require a LINUX client 11:12 < Rajko> the interface MTU on windows must be set via registry hacks or something 11:22 -!- Ahri [n=adam@93-97-29-15.zone5.bethere.co.uk] has quit ["leaving"] 11:25 < Rajko> yeah, registry hack sorted it 11:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:29 < Rajko> no more fragmented udp packets on my client connection 11:32 -!- troy- is now known as troy 11:38 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:41 < Rajko> well. all in all, i dunno lol. 11:43 -!- jeiworth [n=jeiworth@189.177.29.7] has joined ##openvpn 11:49 -!- troy is now known as troy- 11:54 < krzie> Rajko, 11:54 * krzie points at wiki 11:54 < krzie> ;] 11:54 < |Mike|> hi! 11:54 < krzie> sup mike 11:54 < Rajko> openvpn seems to WANT to fragment on clients network 11:54 < Rajko> its like PLEASE LET ME DO IT 11:54 < krzie> stop refusing openvpn!
11:54 < krzie> ;] 11:54 < |Mike|> reading reading reading krzie :) 11:54 < Rajko> but worse performance 11:55 < krzie> mike, thats always a good thing 11:55 < |Mike|> I'm learning Debian :$ 11:55 * |Mike| port/pkgsrc guru 11:55 < krzie> ya thats no fun 11:55 < |Mike|> *ports 11:55 < krzie> for us fbsd guys 11:55 < |Mike|> apt-get crappppppp other-crap-pkgs 11:55 < |Mike|> no rc.conf 11:56 < krzie> cause you learn the debian way and you're like "but i like the freebsd way!!!" 11:56 < |Mike|> yeh 11:56 < |Mike|> the company where i'm going to work only has debian servers :P 11:56 < krzie> like trying to use windows after using osx 11:57 < Rajko> is there a way to do openvpn in KERNEL mode ? 11:58 < |Mike|> that would be insecure. 12:00 < Rajko> i just want speed 12:00 < Rajko> there is a pptpd kernel accelerator 12:02 < krzie> that wont help you any 12:03 < Rajko> means, i can accelerate pptp almost 2x ! 12:07 < Rajko> i ended up using 12:07 < Rajko> link-mtu 1472 12:07 < Rajko> mssfix 1472 12:11 < krzie> you thoroughly read the manual on those, right? 12:13 < Rajko> yes 12:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:15 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has joined ##openvpn 12:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 12:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:18 -!- mfranklin [n=pudding@dsl-146-103-168.telkomadsl.co.za] has joined ##openvpn 12:18 -!- jeiworth [n=jeiworth@189.177.29.7] has quit [Read error: 110 (Connection timed out)] 12:19 < mfranklin> Hi guys 12:19 < mfranklin> !howto 12:19 < vpnHelper> mfranklin: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:19 < mfranklin> I really think they need to update the openvpn.net website.
I had to go to wikipedia to understand what the hell it is 12:19 < mfranklin> ...and I still don't quite understand 12:20 < ecrist> mfranklin: they *did* just update the website 12:20 < krzie> what it i...? 12:20 < krzie> is... 12:20 < mfranklin> like, what can it do for me? 12:20 < krzie> it is vpn software which uses openssl 12:20 < ecrist> right from the main page: 12:20 < ecrist> Supports scalable and secure VPN services across Internet 12:20 < ecrist> Works with existing enterprise applications 12:20 < ecrist> Enables real-time interactive collaboration applications 12:20 < mfranklin> yes but let's pretend I don't have a BSC 12:21 < ecrist> BSC? 12:21 < ecrist> Remote and secure access to your network and application resources 12:21 < ecrist> Secure and scalable Site-to-Site VPN 12:21 < ecrist> Wireless security 12:21 < krzie> bsc? 12:21 < mfranklin> Bachelor in Computer Science 12:21 < mfranklin> It's like the number one rule in marketing... 12:21 < krzie> hrm 12:21 < ecrist> don't you mean Bachelor in Science Computer? 12:21 < mfranklin> ...don't say what its features are... 12:21 < mfranklin> ...say what it will actually DO... what problems it will solve 12:21 < krzie> i got an associates degree, and have no certs 12:21 < mfranklin> how it will make my life easier 12:22 < ecrist> Remote and secure access to your network and application resources 12:22 < ecrist> Secure and scalable Site-to-Site VPN 12:22 < ecrist> Wireless security 12:22 < krzie> *shrug* 12:22 < mfranklin> and then put all the advanced mumbo jumbo in the fineprint 12:22 < mfranklin> I don't understand half of all that stuff 12:22 < ecrist> all three, right there, main page. 12:22 < krzie> tbh openvpn isnt exactly for beginners to networking 12:22 < ecrist> then maybe you don't need it. ;) 12:22 < mfranklin> i do need it. 12:22 < mfranklin> I'm the underqualified IT manager of a small to medium enterprise 12:22 < krzie> whats your goal?
12:23 < ecrist> heh, I'm the over-qualified IT manager of an extremely small company. 12:23 < mfranklin> I've set up Windows Server 2008 with Routing and Remote Access Server and using Network Policy Services to authenticate users. but only sometimes can they "dial in" 12:23 < krzie> LOL 12:23 < mfranklin> hehe 12:24 < krzie> so... whats your goal? 12:24 < mfranklin> my goal is to allow remote users to access network resources 12:24 < mfranklin> such as a file server 12:24 < krzie> whole lan or single machine 12:24 < mfranklin> in this case the Windows Server will authenticate them to the network 12:24 < mfranklin> so at least just a machine 12:25 -!- bitrot [i=bitrot@93.174.88.10] has joined ##openvpn 12:25 < mfranklin> Does this sound like something openvpn can do? 12:25 < mfranklin> Also, how big is its footprint? 12:25 < mfranklin> will it be something client users will HATE or loathe to install? 12:26 < mfranklin> is it a standalone executable? 12:26 < mfranklin> Of course... I will download it and give it a try. But I still think the website needs to be more newb-friendly ;) 12:26 < krzie> this isnt an app for newbs 12:26 < krzie> seriously 12:27 < mfranklin> what about your clients? 12:27 < bitrot> there is openvpn gui on openvpn.se 12:27 < krzie> clients? 12:27 < mfranklin> client users will need to be able to use it 12:27 < bitrot> but you still have to have a config file... 12:27 < mfranklin> so I will deploy a config file 12:27 < krzie> clients dont set it up 12:27 < rmull> You can bundle the config in with the installer 12:27 < mfranklin> sounds good 12:27 < krzie> but the person who admins it should understand networking well 12:28 < mfranklin> ahh.. that's where we have a problem 12:28 < krzie> and expect to read a lot of docs 12:28 < mfranklin> aww 12:28 < mfranklin> Okay, let me dive into it now... 12:28 < krzie> you stumbled upon the mo0st secure and flexible vpn, not the easiest 12:28 < krzie> -0 12:28 < mfranklin> lol..
as long as it has a small footprint I'm happy 12:29 < ecrist> krzie: it's not the most difficult, either. ;) 12:29 < ecrist> try setting up Cisco IPSec sometime 12:29 -!- n5 [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 12:29 < krzie> werd 12:29 < mfranklin> "Access Server Downloads " does this mean the downloads for the server only (not the client) or does this mean it's a download server? 12:29 < krzie> i'd rather not ;] 12:30 < ecrist> once you have one, the rest are easy. 12:30 < ecrist> mfranklin: that's a 'package' 12:30 < ecrist> try reading about it - it might suit your needs 12:30 < mfranklin> Oh so it's a thing called "Access Server" and that's where you download the "Access Server" ? 12:31 < mfranklin> Okay well I went to "Open Source Project" and downloaded OpenVPN 2.0.9 instead 12:31 < krzie> 2.0.9 is like 4 yrs old 12:32 < reiffert> is it 5? 12:32 < krzie> maybe 12:32 < reiffert> 2006.10.01 12:32 < mfranklin> Okay I'll d/l OpenVPN 2.1_rc18 instead 12:32 -!- bitrot [i=bitrot@93.174.88.10] has quit [Read error: 54 (Connection reset by peer)] 12:32 < krzie> oh 3 yrs old then 12:32 < reiffert> getting close to 3 years then. 12:33 < mfranklin> yeah you can tell by its icon when you download it that it's 3 years old ;) 12:34 < krzie> !download 12:34 < vpnHelper> krzie: "download" is http://www.openvpn.net/index.php/downloads.html 12:34 < krzie> you can tell by the real dl link by seeing the date 12:35 < krzie> bleh 12:35 < krzie> broken link 12:36 < krzie> omg that new site sucks 12:36 < ecrist> yeah, it does 12:36 < krzie> !forget download 12:36 < vpnHelper> krzie: Joo got it. 12:36 < mfranklin> yeah they should update it :p 12:36 < rmull> It used to be nice... 12:37 < krzie> !learn download as http://www.openvpn.net/index.php/open-source/downloads.html to download 12:37 < vpnHelper> krzie: Joo got it.
12:37 < krzie> mfranklin they just updated it 12:37 < krzie> thats the update 12:37 < rmull> What is that, joomla or something? 12:37 < mfranklin> I don't know what the old one looked like. This one looks okay except it doesn't explain what it is 12:37 < mfranklin> ...for people like me 12:38 < mfranklin> too much "prior knowledge" required 12:38 < krzie> thats true, much prior knowledge is required 12:38 < krzie> welcome to being a network admin 12:38 < krzie> it requires knowledge 12:39 < mfranklin> Right.. So I've installed Open VPN, I have the icon in the system tray. Now what? How to create certificates? How to deploy to clients? Where is this "GUI"? 12:39 < krzie> !howto 12:39 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:39 < krzie> the gui is that icon, and its only for starting / stopping ovpn 12:39 < krzie> you must config manually 12:40 < mfranklin> i see. well that helps cos it's way better than using command lines 12:40 < krzie> if you think you're gunna get around reading a shitton, stop now 12:40 < krzie> cause it wont happen 12:41 < rmull> You have to understand it so that you can make your clients happy. Your clients don't necessarily have to understand it, but you must know how it works front to back. 12:41 < krzie> yes 12:41 < krzie> exactly what he said 12:41 < mfranklin> Well it says "This HOWTO assumes that readers possess a prior understanding of basic networking concepts such as IP addresses, DNS names, netmasks, subnets, IP routing, routers, network interfaces, LANs, gateways, and firewall rules." 12:41 < mfranklin> ...and I do pretty much understand all of this 12:42 < mfranklin> not at a very advanced level, but I know the concepts 12:43 -!- Rajko [n=Rajko@cable-87-116-183-225.dynamic.sbb.rs] has quit [Read error: 110 (Connection timed out)] 12:46 < mfranklin> Yeah... this isn't the quick fix I was looking for 12:46 < mfranklin> back to Windows RRAS.
12:46 < mfranklin> Thanks for all your help guys 12:46 < krzie> np man 12:50 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn 12:50 -!- DevilsPGD [n=dave@S0106000423cb2cbc.ok.shawcable.net] has left ##openvpn ["Leaving."] 12:51 < firecrotch> !route 12:51 < vpnHelper> firecrotch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:57 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn [] 12:57 < krzie> sweet! 12:57 < krzie> he came, he read, he didnt need to ask anything 12:58 < krzie> ++!route 13:04 < MrPockets> lol @ nick. 13:08 -!- mfranklin [n=pudding@dsl-146-103-168.telkomadsl.co.za] has quit [] 13:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)] 13:17 -!- g`` [n=nop@78-60-192-103.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 13:25 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:28 -!- c64zottel [n=hans@p5B17AD1C.dip0.t-ipconnect.de] has joined ##openvpn 13:28 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 13:33 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:36 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 13:36 -!- seva [n=seva@glivorem.com] has joined ##openvpn 13:36 < seva> is it possible to use tap/bridging on the server and tun on the client? 13:37 < Derek__> two different protocols its like apples and oranges 13:37 < seva> i guess what i want to do is bridge the client to the local lan 13:37 < seva> i would just use tap then? 13:37 < Derek__> yes 13:37 < Derek__> !howto 13:37 < vpnHelper> Derek__: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto 13:39 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 13:42 -!- c64zottel [n=hans@p5B17AD1C.dip0.t-ipconnect.de] has left ##openvpn [] 13:43 < krzie> !bridge 13:43 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses. 13:43 < vpnHelper> krzie: (but not samba, see !wins) 13:43 < krzie> !tunortap 13:43 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 13:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:49 -!- Belgarat1 [i=belgarat@banda.pl] has joined ##openvpn 13:49 < Belgarat1> hi 13:51 < Belgarat1> I have a problem that probably is easily solved I just overlooked something 13:51 < Belgarat1> I have a openvpn connection client->server working fine 13:51 < Belgarat1> but any devices that are behind client and have the client as the gateway cannot connect to server or anything on it 13:51 < krzie> !route 13:52 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:52 < krzie> READ IT DONT SKIM IT ;] 13:52 < Belgarat1> thank you 13:52 < krzie> np 13:57 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 14:08 < reiffert> krzie: openvpn.net/download is working as well 14:08 < reiffert> so does openvpn.net/faq 14:08 < reiffert> /howto and so on 14:08 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 -
www.nbs-irc.net -"] 14:09 < reiffert> /man 14:09 < krzie> ohcool 14:09 < krzie> !download 14:09 < vpnHelper> krzie: "download" is http://www.openvpn.net/index.php/open-source/downloads.html to download 14:09 < krzie> !forget download 14:09 < vpnHelper> krzie: Joo got it. 14:09 < seva> well, i've read the howto, the vpn is up but i can't seem to ping across 14:09 < krzie> !learn download as www.openvpn.net/download to download openvpn 14:09 < vpnHelper> krzie: Joo got it. 14:09 < reiffert> no idea how to get to man-2.1 14:09 < krzie> seva, define ping across 14:10 < seva> ping from client ot the server's ip 14:10 < krzie> should be beta-man or somethin 14:10 < krzie> !man 14:10 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:10 < krzie> man-beta 14:10 < krzie> and works 14:10 < seva> # ifconfig tap0 | grep inet 14:10 < seva> inet addr:10.78.1.180 Bcast:10.78.1.255 Mask:255.255.255.0 14:10 < seva> # ip route | grep 10.78 14:10 < seva> 10.78.1.0/24 dev tap0 proto kernel scope link src 10.78.1.180 14:10 < krzie> seva, lets see: 14:10 < krzie> !configs 14:10 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:10 < reiffert> openvpn.net/man-beta works 14:11 < krzie> oh you're doing bridging? 14:11 < krzie> i wont be useful to you with bridging, but maybe reif or someone can help with thatt 14:11 < seva> server: http://pastebin.com/d479fd87 14:12 < krzie> !tcp 14:12 < seva> client: http://pastebin.com/m690cb0d7 14:12 < reiffert> seva: whats your payload, mostly tcp or udp? 14:12 < reiffert> !tcp 14:12 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:12 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:12 < seva> reiffert: it's going to be mostly tcp, yes 14:12 < krzie> you definitely want proto udp 14:13 < reiffert> seva: for testing: remove comp-lzo and mssfix 14:13 < reiffert> seva: change proto to udp 14:13 < seva> ok 14:13 < reiffert> seva: when connected paste: 14:13 < reiffert> client: ifconfig -a 14:13 < reiffert> client-OS: Linux? 14:14 < seva> yes, linux, fedora 10 x86_64 14:14 < reiffert> paste: brctl show 14:14 < reiffert> seva: when connected paste from the client: ifconfig -a and brctl show 14:15 < seva> i assume i don't need to bridge tap0 to br0 on the client? 14:15 < seva> (i've tried both ways though) 14:15 < seva> hang on, catching up on prev suggestions though 14:15 < reiffert> also please change the server-bridge line to: 14:15 < reiffert> server-bridge 10.78.1.1 255.255.255.0 10.78.1.180 10.78.1.181 14:15 < reiffert> sure, go ahead. 14:15 < krzie> and if you disable comp-lzo in server, make sure to do it in client 14:16 < krzie> i assume i don't need to bridge tap0 to br0 on the client? 14:16 < reiffert> as well, yes. 14:16 < reiffert> seva: oh, you'll have to. something like 14:16 < krzie> vprrect, tap 14:16 < krzie> correct, tap 14:16 < krzie> oh to bridge, my bad, i meant tap0 in config was right 14:17 < seva> on the server i use: openvpn-startup: 14:17 < seva> openvpn --mktun --dev tap0 14:17 < seva> sleep 1 14:17 < seva> brctl addif br0 tap0 14:17 * krzie shuts up and gets outta the way 14:17 < seva> do i need the same on the client?
i assume no 14:17 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 14:17 < reiffert> in client.conf: 14:18 < reiffert> up /usr/local/sbin/ovpnup.sh 14:18 < reiffert> put in that script something like: 14:18 < reiffert> #!/bin/bash 14:18 < reiffert> #./askl.sh tap1 1500 1573 192.168.0.167 255.255.255.0 init 14:18 < reiffert> device=$1 14:18 < reiffert> mtu=$2 14:18 < reiffert> mru=$3 14:18 < reiffert> ip=$4 14:18 < reiffert> mask=$5 14:18 < reiffert> cmd=$6 14:18 < reiffert> ifconfig $device 0.0.0.0 promisc up 14:18 < reiffert> brctl addif br0 $device 14:18 < reiffert> ifconfig br0 $ip up 14:18 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 14:18 < reiffert> ah well. maybe just: 14:18 < reiffert> ifconfig tap0 0.0.0.0 promisc up 14:18 < reiffert> brctl addif br0 tap0 14:18 < seva> i assume the first line is the same as doing openvpn --mktun --dev tap0 14:19 < Rajko> openvpn kernel mode plz 14:19 < krzie> Rajko DOESNT EXIST! 14:19 < Rajko> plz maek 14:19 < reiffert> Rajko: openssl kernel mode plz. 14:19 < reiffert> plz make! 14:19 < reiffert> plz plz plz! 14:19 < krzie> Rajko its open source, feel free 14:19 < Rajko> i dont use encryption 14:19 < seva> it seems like part of the problem is my 2wire 2701hg-b router 14:19 < reiffert> go ahead plz 14:19 < Rajko> so, the openssl things could be userland 14:19 < Rajko> packet mangling kernelland 14:20 < seva> it's a pos 14:20 < seva> port forwarding breaks sometime after i bring vpn up as it moves the ip from the mac of the eth0 to some weird mac (tap0?) 14:20 < Rajko> my routers cpu is @ 99% 14:20 < Rajko> cuz of openvpn 14:21 < krzie> how many clients? 14:21 < reiffert> mine isnt.
14:21 < krzie> ive never heard that complaint before 14:21 < krzie> and ive seen many use ovpn on their routers with encryption and compression 14:21 < krzie> (which you said you disabled) 14:22 < krzie> maybe you have a bad compile or some sort of routing loop 14:22 < krzie> ive seen a routing loop cause 100%cpu usage 14:23 < reiffert> I've seen 2800KB/s on my router will cause it 10% CPU. 14:23 < reiffert> with encryption, without compression. 14:31 < seva> ok, so i've removed compression and mssfix and switched to udp 14:31 < seva> same result 14:31 < seva> can't ping across 14:32 < krzie> why do you need bridge? 14:32 < seva> i want easy access to remove client from local lan pcs 14:32 < krzie> (i ask every tap user this, most end up switching to tun) 14:32 < krzie> ya thats a bad reason, easier to do tun 14:32 < seva> and route? 14:33 < krzie> you basically want this: 14:33 < krzie> !sample 14:33 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:33 < krzie> !route 14:33 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:33 < krzie> !tunortap 14:33 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 
14:34 < seva> yeah, i could try that, i don't have much traffic and logically it makes sense to me to keep it bridged 14:34 < seva> but no, i don't have a need for l2 traffic over vpn 14:36 < krzie> then having a bridge logically makes no sense 14:36 < seva> by logically i mean how it makes sense in my head, i am not saying it's technically better 14:36 < krzie> extra overhead, vuln to layer2 attacks, and more difficult setup 14:36 < seva> the other pc is basically part of the local lan 14:36 < seva> it just happens to be at remote location 14:37 < krzie> in !route i give an example of hooking up a server and 2 clients, each with their lans available to the others and any road warriors 14:37 < seva> i have to use separate ip subnet though, right? 14:37 < krzie> aye 14:38 < seva> which means i'll have to figure out how to add static routes to the stupid 2wire router 14:38 < krzie> aye 14:38 < seva> or manually add static routes to each pc 14:38 < krzie> correct 14:38 < seva> i just find that a bit .. icky ;) 14:38 < krzie> thats normal networking ;] 14:38 < seva> except if it was bridged ;) 14:38 < krzie> i find layer2 attacks and extra overhead icky 14:39 < seva> i can understand that 14:39 < krzie> which do you find ickier? 14:39 < krzie> cause that answer leads to your solution 14:39 < seva> i am pretty sure i prefer bridged solution from a sanity point of view, but again, i don't want to argue which is better 14:40 < krzie> cool, no need to argue, you're aware of the cons, and you understand networking clearly as you pointed out where routes would need to be added 14:40 < krzie> so you obviously know enough to make your decision =] 14:41 < seva> i def know enough to shoot myself in the foot 14:42 < krzie> ;] 14:43 < seva> ok, switched to tun, still can't ping across ... 14:43 < seva> er.. 
wait what 14:43 < seva> server: inet addr:10.78.2.1 P-t-P:10.78.2.2 Mask:255.255.255.255 14:43 < seva> client: inet addr:10.78.2.6 P-t-P:10.78.2.5 Mask:255.255.255.255 14:44 < seva> i think i need to read that route doc, this is not how i assumed the p-t-p would be 14:44 < seva> i assumed server would be .1 to .2 and client would be .2 to .1 14:45 < seva> oh, forgot to uncomment compression on client 14:45 < seva> it works, thanks 14:45 < seva> still, that's strange ip assignment 14:51 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Connection reset by peer] 14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 15:03 < reiffert> !route 15:03 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:17 < dazo> seva: yeah, those IPs are kind of confusing ... iirc, I think using --topology net30 solves that 15:19 < seva> dazo: cool, or topology p2p looks pretty normal as well 15:19 < seva> http://openvpn.net/archive/openvpn-users/2005-09/msg00079.html 15:19 < vpnHelper> Title: [Openvpn-users] New subnet topology feature ready for testing (at openvpn.net) 15:19 < dazo> seva: p2p is deprecated though 15:20 < seva> ah 15:30 < reiffert> For the first time in my life I am using iroute. Amazing. 15:34 < reiffert> when I want to add a route back for a particular client, let's say: 15:34 < reiffert> route add -host 192.168.179.225/32 10.8.0.2 15:34 < reiffert> how can I do that in the nobody context openvpn is running under? 15:34 < seva> (guessing) it probably does that before dropping privs 15:35 < Bushmills> if everything else fails, sudo 15:36 < reiffert> seva: the server drops privs very early :) 15:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:58 < krzie> reiffert what are you tryin to do?
15:58 < krzie> trying to give the server a route to the clients lan 15:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 16:02 < reiffert> krzie: something like this, zes. 16:03 < reiffert> from within the ccd/CN file 16:03 < krzie> gotchya 16:04 < krzie> you add the route to the server in the normal config 16:04 < krzie> so it gets added on load before permission droppage 16:04 < krzie> the iroute is internal so does not need elevated perms 16:04 < krzie> you also push the route in the normal config to all clients, the client with the iroute will ignore it 16:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 16:05 -!- MrPockets [n=mrpocket@unaffiliated/mrpockets] has quit ["Lost terminal"] 16:08 < reiffert> krzie: look: 16:09 < reiffert> route to the server is fine. PC from LAN behind Client can ping the server. But the server cant send a reply to the ping. 16:09 < reiffert> what has to be done on server-side is: 16:09 < reiffert> to add a route back to the LAN behind the client like this: 16:09 < reiffert> route add -net 192.168.whatever/24 10.8.0.2 16:11 < reiffert> Calling --client-connect script from the ccd/CN brings up: Options error: option 'client-connect' ca 16:11 < reiffert> nnot be used in this context 16:12 < reiffert> ah, manpage tells something about --up, lets see. 16:12 < krzie> im tellin ya 16:13 < krzie> you add the route in server.conf 16:13 < krzie> the route only says that that lan goes to openvpn 16:13 < krzie> the iroute tells openvpn who to send it to 16:13 < krzie> its all in !route 16:13 < krzie> ive done it many times, that is how its done 16:14 < krzie> you can hack up some suid script if it makes you happy, but what i said is right 16:14 < reiffert> I have different route's per CN. 16:14 < krzie> you just use: 16:14 < krzie> route subnet 255.255.255.0 16:14 < krzie> in server config 16:14 < reiffert> I have different route's per CN. 
16:14 < krzie> it will make the lans point to openvpn in its routing table 16:14 < krzie> the CN part is handled via iroute 16:15 < krzie> forget about who is who when adding the kernel routes 16:15 < reiffert> look. 16:15 < krzie> seriously, !route is not lying to you bro 16:15 < krzie> just try what im saying, then argue 16:15 < krzie> pls 16:15 < reiffert> ok, please step back, take a deep breath and try to follow me. 16:15 < krzie> i 100% understand you 16:15 < reiffert> Sure. 16:16 < krzie> you have 2 clients, each with their own lan 16:16 < reiffert> CN1 needs "route 123.123.123.123/24" 16:16 < reiffert> CN2 needs "route 2.2.2.2/24" 16:16 < krzie> on so check this out 16:16 < krzie> in server config, 16:16 < krzie> route 123.123.123.0 255.255.255.0 16:16 < reiffert> Why not in ccd/CN1 and ccd/CN2? 16:16 < krzie> route 2.2.2.0 255.255.255.0 16:16 < krzie> then 2 iroutes 16:16 < krzie> in the files you just mentioned 16:16 < krzie> cause thats how it works 16:16 < reiffert> iroutes in ccd/CN1/CN2 works, been there. 16:17 < krzie> then just add those routes in server config 16:17 < reiffert> but I want the routes to 2.2.2.2/24 _only_ to exist when CN2 is connected. 16:17 < krzie> and it will work 16:17 < krzie> the thing you're missing is this 16:17 < krzie> the kernel routing table has no clue what client they go to 16:17 < krzie> it blindly sends them to openvpn 16:17 < reiffert> ha, another restriction: I'm running multiple openvpn instances. One is bound to tun0 and the other is bound to tun1. 16:18 < krzie> openvpn knows what to do cause of the iroute 16:18 < krzie> whys that a restriction? 16:18 < Derek__> say do one of you know how to sync offline files to a domain using openvpn 16:18 < krzie> ive done this in that situation, works fine 16:18 < ecrist> reiffert: inter-process you need to involve the kernel 16:18 < reiffert> I cant tell to which instance CN1 will connect to. 
16:18 < krzie> ohhh 16:18 < krzie> ya that sucks 16:18 < ecrist> reiffert: bridge tun0 and tun1 16:18 < reiffert> And I even cant tell to which on CN2 will connect to. 16:19 < ecrist> put them on the same subnet, restrict auto-assigns to a subnet of the overall vpn subnet 16:19 < reiffert> ecrist: tun0 is p2p, you cant bridge them. Thanks. 16:19 < krzie> so shouldnt you know which it will connect to then if 1 is ptp? 16:19 < krzie> wont they both always connect to the other one which is a server 16:19 < krzie> ? 16:19 < reiffert> no. 16:19 < krzie> you cant even use iroutes in p2p 16:20 < reiffert> one is listening on udp/53, one on tcp/443 and one on udp/1194 16:20 < krzie> oh, theres 3 16:20 < reiffert> ya,. 16:20 < krzie> dunno bro 16:20 < reiffert> Time to call mutliple bind()'s in the server process, dont you think? 16:20 < krzie> but with the simple problem from before, that was your solution 16:21 < krzie> with this one, ya got me 16:21 < krzie> maybe some sort of routing daemon or like you said multiple binds 16:21 < reiffert> I think my --client-connect script will parse ccd/CN, take the iroute line from there and add a route by sudo. 16:21 < reiffert> that will work. 16:21 < krzie> which i dont understand why it doesnt already exist 16:22 < krzie> make sure to have a corresponding --client-disconnect then 16:22 < reiffert> jup. 16:22 < krzie> !forum 16:22 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:22 < reiffert> let's take a look at the code(). 16:22 < krzie> im putting multiple bind()'s into wishlist on forum 16:23 < reiffert> parse config file for multiple "local" lines and/or proto lines. 16:23 < reiffert> make it an array of struct 16:24 < reiffert> walk the array, call bind/listen whatever 16:24 -!- seva [n=seva@glivorem.com] has left ##openvpn [] 16:24 < reiffert> put all filedescriptors to the RFDS_SET and WFDS_SET 16:24 < reiffert> done. 
16:25 < krzie> Post subject: bind to multiple ports 16:25 < krzie> i would like to see openvpn able to listen to multiple ports possibly on both udp and tcp 16:25 < krzie> example: udp 53 / tcp 443 16:25 < krzie> I do not understand why this does not exist yet, seems like it should be much easier than my other request was. 16:25 < krzie> http://www.ovpnforum.com/viewtopic.php?f=10&t=383 16:25 < vpnHelper> Title: OpenVPN Forum View topic - bind to multiple ports (at www.ovpnforum.com) 16:26 < reiffert> allright, do you feel that you can handle any of the given tasks above? 16:28 < krzie> as in the coding? 16:28 < reiffert> yup 16:28 < krzie> my coding stops at shell script unfortunatly =/ 16:29 < reiffert> did you ever try to read C code? 16:29 < krzie> yup, im somewhat literate 16:29 < krzie> but nowhere near modding real code 16:29 < krzie> i can get an idea of whats going on 16:29 < reiffert> Allright, I'll start that particular topic somewhere next week. 16:31 -!- zebedeee [n=neil@ecmluk.plus.com] has joined ##openvpn 16:31 < zebedeee> !howto 16:31 < vpnHelper> zebedeee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:33 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 16:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:53 -!- BSoD_Guest835 [n=BSoD_Gue@71-222-227-252.albq.qwest.net] has joined ##openvpn 16:53 < BSoD_Guest835> !route 16:53 < vpnHelper> BSoD_Guest835: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:55 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 104 (Connection reset by peer)] 16:55 < BSoD_Guest835> xeroOTG 16:55 -!- BSoD_Guest835 is now known as xeroOTG 16:56 < xeroOTG> krzie are you around? 
16:56 < krzie> yup, wassup 16:57 < xeroOTG> got connectivity issues in relation with voip 16:57 < krzie> sucks =/ 16:57 < xeroOTG> lol ok 16:57 < xeroOTG> ill forget it and keep doing nat 16:57 < krzie> if you want help you'll need to be far more specific tho 16:58 < xeroOTG> i dont know if i did my routing correctly though 16:58 < krzie> nor do i, as you have yet to get more specific 16:58 < krzie> know what i mean? 16:58 < xeroOTG> im working on that... 16:58 < xeroOTG> yeah 16:58 < krzie> cool 16:59 < xeroOTG> ok. in the routing table on the 'nat boxes' i need the route established to every network correct? ie net d needs to have the routes to a,b and c. 17:00 < xeroOTG> and in the config i have the push routes to a b and c 17:00 < xeroOTG> if the server is on network a, then i need the routes commands to include routes to b and c. 17:00 < xeroOTG> does any of that make sense? 17:01 < krzie> ill be slow for a min 17:01 < Bushmills> does a route to the server exist, which doesn't go through openvpn? 17:02 < xeroOTG> i dont believe so 17:02 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 17:02 < Bushmills> thorugh what interface will packets to the server be routed? 17:02 < Bushmills> through ... 17:03 < xeroOTG> on the server, eth0 via static public ip over a 1 to 1 nat. 17:03 < Bushmills> no. *to* the server. 17:04 < xeroOTG> mind explaining? vpn is still new to me... 17:04 < krzie> xeroOTG 17:04 < krzie> have you read !route? 17:04 < krzie> !route 17:04 < xeroOTG> yes 17:04 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:05 < xeroOTG> you know what... i think my issue is running xp as a router... 17:05 < krzie> what part of !route did you not understand then? 17:05 < krzie> you are using xp as a router!? 
17:05 < krzie> the first router in the world that needs a weekly reboot, LOL 17:05 < xeroOTG> its a one man operation, with a 7960... 17:06 < xeroOTG> lol 17:06 * krzie decides to use his iphone as a router... it would be more strable 17:06 < krzie> stable 17:06 < Bushmills> computers need downtime. it is good for them. 17:06 < xeroOTG> im using what i have avalable. unless i can get openvpn on an actiontec adsl gateway 17:07 < krzie> then what do you mean you're using it as a router...? 17:08 < krzie> you just mean you're using it as the vpn node for its LAN? 17:08 < xeroOTG> yes 17:09 < krzie> thats not a problem 17:09 < xeroOTG> like we did for server 2003 on thursday 17:09 < krzie> just make sure it has ip forwarding enabled 17:09 < krzie> !winipforward 17:09 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 17:09 < krzie> ya i dont remember who i helped with what, i help too many people for that 17:09 < krzie> =/ 17:09 < xeroOTG> ok. lol 17:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:09 < krzie> we'll likely start over every time 17:10 < xeroOTG> haha! well im going to blame xp on this one, everything else works fine. i can ping from one network to another just fine. 17:10 < krzie> so wheres the actual problem? 17:11 < xeroOTG> never mind.... i had someone else add the route on one of the routers and they messed up. the packet is going to the wrong place. 17:13 < xeroOTG> the problem is going form 192.168.65.0 to 192.168.10.0. the gateway is at 192.168.10.115 and 192.168.65.1. when i ping 192.168.65.5 from 192.168.10.200 i get From 192.168.10.201: icmp_seq=11 Redirect Host(New nexthop: 192.168.10.115) 17:13 < xeroOTG> the vpn node is at 192.168.10.201 and 192.168.65.2 17:14 < Bushmills> oh, and when it stopped working, after somebody else added a route, the idea that that modification might be somehow related didn't jump to mind 17:14 < xeroOTG> am i reading that ping correctly? 
17:14 < krzie> xeroOTG, well it sounds like you know the problem 17:15 < krzie> just gotta fix it now i assume 17:15 < xeroOTG> yeah, thanks again! 17:15 < krzie> make sure those machines arent getting dhcp ips or you will have it going to the wrong ip at next ip change 17:15 < xeroOTG> the nodes are static 17:16 < xeroOTG> krzie would you agree the issue is a bad route? 17:17 < krzie> it started acting funky when a route was added to a router... im gunna hafta agree with Bushmills 17:18 < krzie> im kinda lost in the whole setup, but that sounds like the right place to look 17:18 * Bushmills wonders whether i simple traceroute would have shown the cause of the problem 17:19 * Bushmills recommends mtr 17:23 < xeroOTG> bushmills http://pastebin.com/md6a43c6 17:24 < krzie> did you check the route on that router? 17:24 < krzie> why troubleshoot when you have an idea of what to check... 17:25 < xeroOTG> i cant get anyone on the other side to answer the phone and i cant log into the router 17:25 < xeroOTG> bushmills asked for a traceroute 17:26 < Bushmills> that was meant as hint that traceroute is an appropriate tools for getting a rough idea what might be wrong in case of .. "connectivity problems". often, even a quite accurate idea. 17:27 < xeroOTG> oh ok 17:28 < Bushmills> nice thing about traceroute is, it doesn't need a lot of explaining the setup to 17:29 < Bushmills> in that respect, people here don't score very high 17:29 < krzie> lol 17:30 < Bushmills> i'm not rude, am i? 
17:31 < krzie> well i 100% understand what you said and agree 17:31 < krzie> so if you are, i am as well 17:32 < Bushmills> no, you are the shiny light of helpfulness here 17:33 < krzie> lol 17:34 < Bushmills> an outstanding example of a person with a lot of patience unless the nick of the person you're helping begins with f 17:34 < Bushmills> hehe 17:35 < krzie> haha 17:35 -!- dstufft [n=dstufft@pool-173-59-16-32.phlapa.fios.verizon.net] has joined ##openvpn 17:35 < dstufft> is there a way with openvpn to allow anyone to connect without a pw or anything but still ecnrypt it? 17:36 < krzie> i just cant stand when i tell someone their problem with total confidence for a week, then they come back saying they finally did what i said, but claim its not what i said and that it was because of a problem that cannot possibly exist 17:36 < krzie> which is what that guy had done, then came back doing more of the same, then wanted to start flaming 17:36 < Bushmills> dstufft, does "anyone with a valid key" qualify? 17:36 < krzie> and after i banned him, he proved i was right to ban him 17:37 < krzie> dstufft standard openvpn setup requires no password 17:37 < krzie> you must add pw auth is you want it 17:37 < krzie> if you want it 17:37 < krzie> standard is to use ssl certs 17:38 < krzie> Bushmills, and the funny thing regarding that guy is that he defaced the whole wiki (which is ecrists, not mine) 17:38 < krzie> that guy came into a channel full of network security people and defaced stuff, complete LOL 17:38 < Bushmills> i noticed. 
couldn't help to have a look 17:39 < krzie> with his full info avail on the web 17:39 < krzie> i have no plans on doing anything, but its total lulz 17:39 < Bushmills> captchas are ineffctive against human defacers 17:40 < krzie> ya but it was simple to rollback all his changes 17:41 < dstufft> krsie: tbh i dont know a lot about VPn, howeever i have a dedi i just installed squid on and will be allowing iranians to use it to bypass the gov, wanted to setup a vpn so they can encrypt their traffic to it as well, don't want to have to setup accounts or hand out a pw or anything if at all possible 17:41 < dstufft> will that do that ? 17:42 < krzie> hrm 17:42 < Bushmills> i was wondering that if he had spent 20% of the time he was bickering here in solving his problem, he might have gotten there much earlier (if he ever did) 17:42 < krzie> you will need to hand out certs dstufft 17:42 < krzie> or passwords, buts certs are better 17:42 < krzie> you also dont need a proxy 17:42 < krzie> you can simply setup NAT on the server instead, and push a new default route to them for when they are connected 17:42 < krzie> !redirect 17:43 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
17:43 < dstufft> ah 17:43 < dstufft> ok 17:43 < krzie> OR 17:43 < krzie> you can simply setup socks and not use a vpn 17:43 < krzie> but you will NEED to setup login/pass for that 17:43 < krzie> or you will be highly abused by the whole inet 17:44 < krzie> socks is an encrypted proxy 17:44 < krzie> dante is a nice package for socks 17:44 < dstufft> ok 17:45 < krzie> i believe the login/pass approach with socks would be less overhead 17:45 < krzie> as you can let them share it 17:45 < krzie> and not need to pass out certs 17:45 < Bushmills> probably preferable as it doesn't require installation of openvpn, client side 17:45 < krzie> but of course, thats up to you, and if you choose openvpn you can get some help here ;] 17:45 < krzie> Bushmills has a good point there as well 17:45 < krzie> very good point 17:46 < dstufft> ok 17:46 < dstufft> thanks guys, i will look into socks then, dante in particular 17:47 < krzie> np man 17:49 -!- master_of_master [i=master_o@p549D5D20.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:50 < xeroOTG> ok, krzie all routes are correct as far as i can tell. im going to pastebin my config 17:50 < krzie> in that case, 17:50 < krzie> !configs 17:50 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:52 < Bushmills> dstufft, tor is another option 17:52 < Bushmills> the onion router 17:52 < dstufft> alot of them are using tor already ya 17:53 < Bushmills> 'k 17:53 -!- master_of_master [i=master_o@p549D635F.dip.t-dialin.net] has joined ##openvpn 17:58 < krzie> tor is iffy tho 17:58 < krzie> you can sniff traffic over it 17:58 < xeroOTG> krzie, bushmills do you see any typos that im missing? 
http://pastebin.com/m4b3609a7 17:58 < Bushmills> yes 17:58 < Bushmills> im -> i'm 17:58 < Bushmills> I'm even 17:59 < xeroOTG> lol 17:59 < xeroOTG> in the config 17:59 < krzie> cant look for a few mins, busy 17:59 < xeroOTG> im no english major to say the least 17:59 < xeroOTG> krzie take your time! 18:05 -!- davidisko [i=davidisk@nte.sk] has joined ##openvpn 18:06 < davidisko> hi guys, i have unknown troubles with openvpn... we want to play games with friend trought ovpn, but we can't see others hosted games in vlan... isn't it some broadcast problem or something like that? 18:06 < davidisko> *in lan 18:07 < Bushmills> davidisko, routed or bridged config? 18:08 < xeroOTG> brb 18:08 < davidisko> routed.. but we don't use redirect-gateway.. just want to have som private lan for gaming 18:08 -!- xeroOTG [n=BSoD_Gue@71-222-227-252.albq.qwest.net] has quit [] 18:08 < Bushmills> that may be the problem 18:08 < davidisko> why do you think? 18:09 < Bushmills> some games need bridging config. so do broadcasts 18:09 < davidisko> ah.. hmm 18:09 < davidisko> i'll try that, hold on 18:14 < krzie> ok looks like i mfree again for a couple 18:14 < krzie> ill take a look now 18:16 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 54 (Connection reset by peer)] 18:16 -!- bitrot [n=Rajko@93.174.88.10] has joined ##openvpn 18:17 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 18:20 < reiffert> krzie: what is it that keeps you from writing C, now that you can read it *and* on top of it understand what's going on? 18:20 -!- ryan8403 [n=ryan8403@70.62.254.122] has joined ##openvpn 18:20 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 18:21 -!- xeroOTG [n=BSoD_Gue@71-222-227-252.albq.qwest.net] has joined ##openvpn 18:21 < xeroOTG> krzie did you by chance get a sec to look at that pastebin? 
18:22 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [No route to host] 18:24 < davidisko> !route 18:24 < vpnHelper> davidisko: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:26 < davidisko> !redirect 18:26 < vpnHelper> davidisko: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 18:29 < krzie> hey xeroOTG , for clarification could you tell me where each lan exists? 18:29 < krzie> # 18:29 < krzie> push "route 192.168.10.0 255.255.255.0" 18:29 < krzie> # 18:29 < krzie> push "route 192.168.0.0 255.255.255.0" 18:29 < krzie> # 18:29 < krzie> push "route 192.168.65.0 255.255.255.0" 18:29 < krzie> eacho of those 18:30 < krzie> reiffert thats a good question, my prior attempts at learning came from books, which got boring as shit 18:30 < reiffert> I stopped at K&R page 55 IIRC :) 18:31 < krzie> but writing C is a goal of mine, seems like i never get time 18:31 < krzie> haha ya im somewhere in chap 2 of K&R for months 18:31 < krzie> i even did every excersize 18:31 < krzie> til like 23 18:31 < xeroOTG> server vpn is 192.168.10.0 client server3 is 192.168.0.0 client holiday is 192.168.65.0 18:32 < reiffert> Openvpn is lying in front of you, take it and fix it, play that little girl :) 18:33 < krzie> now i just gotta get the real girls that lay in front of me away from me for a bit to actually get to work on it ;] 18:33 < Bushmills> reiffert, first results: wheat: not very effective. carbide: effective 18:34 < krzie> sounds like someone is homebrewing more goodstuff! 18:34 * Bushmills is not going to brew anything from that stuff 18:34 < krzie> xeroOTG thanx, plus i just noticed you gave me their lan ips too 18:34 < krzie> ahh whatchya making bush? 
18:34 < reiffert> Bushmills: measured with the background of thinking that wheat is not that effective, or? 18:35 < krzie> xeroOTG, do you plan on also having road warrior style clients? 18:35 < Bushmills> after application of a), digging continued. applying b) stops it 18:36 < reiffert> Intresting. Any relation to weather or seasons? 18:36 < Bushmills> none discoverable 18:37 < reiffert> like e.g. when you were applicating carbide I remember a totally dry month 18:37 < krzie> oh to see if it would grow well by burying cuttings? 18:37 < Bushmills> krzie, but i did brew some stuff up again 18:38 < Bushmills> carbide works actually better with humid soil 18:38 < krzie> xeroOTG i have a couple questions for you 18:39 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 18:39 < krzie> line 55, Routes on Client 2 net gateway 18:39 < Bushmills> krzie, ginger again 18:39 < krzie> by client 2 gateway i take it to mean the router on the lan that server3 sits on 18:39 < krzie> xeroOTG is that correct? 18:39 < reiffert> Bushmills: I could imagine that the voles multiply themselfes with the help of fork() 18:40 < xeroOTG> krzie yes 18:40 < krzie> # 18:40 < krzie> 192.168.0.0 255.255.255.0 192.168.0.200 18:40 < krzie> that cant possibly be right 18:40 < Bushmills> reiffert, possibilty is that b) affects group, and a) individual 18:40 < reiffert> Bushmills: one should get in touch with a biologist. 18:41 < krzie> xeroOTG line 55 and 58 of your pastebin 18:41 < Bushmills> reiffert, you have a certain biologist lady in mind? 18:41 < reiffert> Bushmills: The question will be kill or ban temporariliy 18:41 < krzie> in fact xeroOTG, i think you made massive typos on the routes on those routers 18:42 < reiffert> Bushmills: I dont know any that is into voles. 
18:42 < Bushmills> reiffert, unluckily, it's the end of the strawberry season 18:42 * xeroOTG is looking into it 18:42 < krzie> client1 and client2 both route 3 networks to 192.168.0.200 18:42 < krzie> but .0.200 can only be on one 18:42 < krzie> also, please dont switch you naming convention in the middle 18:43 < krzie> if you wanna call it server3, continue calling it that 18:43 < reiffert> http://en.wikipedia.org/wiki/Arvicolinae 18:43 < vpnHelper> Title: Arvicolinae - Wikipedia, the free encyclopedia (at en.wikipedia.org) 18:43 < krzie> if you wanna call it client1, continue doing that 18:43 < reiffert> http://en.wikipedia.org/wiki/Vole 18:43 < vpnHelper> Title: Vole - Wikipedia, the free encyclopedia (at en.wikipedia.org) 18:43 < xeroOTG> krzie: the name openvpn uses, is that the one from building the certificate? 18:43 < reiffert> Wow. The average life of a vole is 3?6 months. Voles rarely live longer than 12 months 18:43 < krzie> yes, the common-name 18:44 < Bushmills> reiffert, how many cars did you count? 18:44 < xeroOTG> thats auctually explainable, i was trying to keep the computer name matched to the common-name 18:44 < reiffert> Bushmills: 0 for today. Car counting will take place tomorrow 18:45 < reiffert> Bushmills: I might be intresting to know which particular tribe your parents got. 18:45 < reiffert> s,I,It, 18:46 < Bushmills> hm. they're sort of .. evasive 18:46 < reiffert> wiki knows about 20 at least. 18:46 < xeroOTG> krzie: the routing was a typo on the pastebin. the routes go to where they are supposed to. 18:46 < reiffert> Think you can catch one? 18:46 < krzie> xeroOTG if they go where they should then your setup is fine 18:46 < reiffert> take some photos? Would be a big improvement.. 18:47 < Bushmills> could try 18:47 < krzie> of course i assumed you only pasted that for me to check if they went where they should ;] 18:47 < xeroOTG> im a dyslexic computer user... stuff happens 18:47 < Bushmills> do they need to be in one piece? 
18:48 < krzie> but your routes, push routes, and iroutes are correct, if the routes on router are correct you're good to go 18:48 < xeroOTG> my next assumption is that the vpn node, windows xp, is the issue 18:48 < krzie> they all need ip forwarding enabled 18:48 < krzie> !winipforward 18:48 < vpnHelper> krzie: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 18:48 < krzie> and windows has a nasty habit of firewalling the tap interface, make sure thats off 18:49 < krzie> many times after disabling that, you need a reboot for stuff to work 18:49 < reiffert> Bushmills: taking photos will do help the biologists in mind tell who is who. 18:49 < krzie> cause thats how windows gets down 18:49 < krzie> so xeroOTG, lets do this: 18:49 < Bushmills> i'll put forward the suggestion 18:50 < krzie> from a machine on the servers lan, try to ping a machine on each of the clients lan (not their router, not the vpn node) 18:50 < krzie> tell me if that works 18:50 < xeroOTG> ok 18:50 < krzie> on each of them 18:50 < krzie> i will be disapeering shortly 18:50 < Bushmills> but inform biologist that there'll be no strawberries 18:51 < xeroOTG> from 192.168.10.0, i can ping 192.168.0.0, i can not ping 192.168.65.0 18:51 < reiffert> didnt survive the invasion? 18:51 < Bushmills> out of season now 18:52 < xeroOTG> on 192.168.0.0 i can ping 192.168.10.0 i can not ping 192.168.65.5 18:52 < xeroOTG> *192.168.65.0 18:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:53 < krzie> why would you be pinging 192.168.65.0 18:53 < krzie> i said ping a lan ip, not the subnet address 18:53 < xeroOTG> i have no other devices on the i was talking about that section of the network 18:53 < xeroOTG> bleh... 18:53 < krzie> you have no other devices on that lan? 
18:53 < krzie> seems silly to be setting up routing for a lan with no devices 18:53 < krzie> also seems impossible to troubleshoot 18:54 < xeroOTG> on the 65 network i only have 2 voip phones 18:54 < krzie> well, ping one of them 18:54 < xeroOTG> i get no response from ether of the other two networks 18:55 < krzie> ping the lan ips of both vpn clients 18:55 < krzie> from a machine on the server lan 18:55 < krzie> (NOT THE SERVER, NOT FROM THE ROUTER) 18:55 < krzie> =] 18:55 < Bushmills> krzie raising voice?? 18:55 * Bushmills hides 18:56 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:56 < xeroOTG> from 192.168.10.200 i can ping both clients 18:56 < krzie> haha no just making sure it was seen 18:56 < krzie> xeroOTG you can ping both clients by their lan ip, right? 18:56 < xeroOTG> yes 18:57 < krzie> ok, heres the thing 18:57 < krzie> we dont know if those voip phones respond to pings normally 18:57 < krzie> try to ping them from their own vpn nodes 18:57 < krzie> most do, but lets check 18:57 < xeroOTG> the cisco phone does, it also has a web server inbuilt 18:58 < xeroOTG> its ip is 192.168.65.5 18:58 < krzie> ok 18:58 < xeroOTG> i cant ping it from anywhere in the vpn but local 18:58 < krzie> ok 18:58 < krzie> and the vpn node on 192.168.65 lan runs windows? 18:58 < xeroOTG> unfortunately 18:59 < xeroOTG> i think its failing at forwarding the packets 18:59 < krzie> have you checked to be sure it has ip forwarding enabled, windows firewall (and ANY other software firewall) disbaled, and rebooted? 
18:59 < xeroOTG> yes 18:59 < krzie> you can simply disable those firewalls for the tap device, can still run it like normal for real device 19:00 < krzie> but may as well fully disable while testing 19:00 < xeroOTG> its disabled systemwide 19:00 < krzie> well, its either 1 of those 2 things, or your routes on the gateway are wrong 19:00 < krzie> so those are the 3 possible problems 19:00 < xeroOTG> ok 19:00 < xeroOTG> i am 100% positive that its the node, not the routes 19:01 < krzie> also interesting is to know if a device on that lan can ping the other 2 lans? 19:01 < krzie> err no ?... 19:01 < krzie> heh 19:01 < xeroOTG> ill have to bring my laptop tomorrow tomorrow 19:01 < xeroOTG> unless the local nat box is failing at static routes 19:02 < xeroOTG> the cisco 7960's are supposed to behave well in vpn environments 19:03 < xeroOTG> i should be able to ping it from anywhere, i asked someone else 19:03 < xeroOTG> ill tell you what krzie, i have had enough fun for one day. why dont we call it quits for now. 19:04 < krzie> works for me, ill be gone soon anyways 19:04 < krzie> and you know where your problem is 19:04 < krzie> only really 3 options 19:04 < xeroOTG> ok, thanks for you help! 19:04 < krzie> vpn endpoint ip forwarding, firewall, or its gateway 19:05 < krzie> by its gateway i mean routes on the router 19:05 < krzie> also, if its a nice router (you mentioned cisco, it could need firewall rules to allow those subnets to pass 19:05 < krzie> s/,/,)/ 19:05 < xeroOTG> its a pos actiontec adsl gateway/firewall 19:05 < krzie> bleh, that matches the wrong comma, but screwit 19:05 < krzie> ahh 19:06 < xeroOTG> ill look into ist firewall though 19:06 < krzie> could be another firewall 19:07 < krzie> like norton or mcafee 19:07 < krzie> common issue 19:07 < Bushmills> reiffert, any use in lasering you from gonsenheim side? 
19:07 < xeroOTG> all this particular machine has is windows and the firewall on the router 19:07 < krzie> also helpful is if you could sniff packets while on that lan 19:08 < xeroOTG> when i get my laptop here tomorrow i can 19:08 < krzie> to see if they make it to you, but you cant reply 19:08 < xeroOTG> standard wireshark? 19:08 < krzie> yup 19:09 < krzie> if you get the packets and reply, but the guy pinging doesnt get the reply.. 19:09 < krzie> then its the router 19:09 < xeroOTG> hokay. when do you usually get on? 19:09 < krzie> if you dont get them, its the vpn endpoint 19:09 < krzie> im random 19:09 < xeroOTG> ok 19:09 < krzie> no telling when ill be on 19:09 < xeroOTG> cool 19:09 < krzie> but you dont need me anymore 19:09 < xeroOTG> lol, i understand 19:09 < krzie> you know what to do, and what it means 19:09 < xeroOTG> yes. thanks so much! 19:09 < krzie> np 19:10 < xeroOTG> one last question... samba and vpn? 19:11 < xeroOTG> eh... nvm 19:11 -!- xeroOTG [n=BSoD_Gue@71-222-227-252.albq.qwest.net] has quit [] 19:12 < krzie> hehe 19:13 * |Mike| moo's 19:51 < davidisko> hi guys, i have unknown troubles with openvpn... we want to play games with friend trought ovpn, but we can't see others hosted games in vlan... isn't it some broadcast problem or something like that? 
19:51 < davidisko> i tried both routed, bridged configurations 20:01 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 20:01 -!- bitrot [n=Rajko@93.174.88.10] has quit [Read error: 54 (Connection reset by peer)] 20:15 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has quit [] 20:17 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 104 (Connection reset by peer)] 20:17 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 20:23 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 54 (Connection reset by peer)] 20:23 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 20:24 -!- zebedeee [n=neil@ecmluk.plus.com] has quit ["Ex-Chat"] 20:32 < rmull> davidisko: Bridged should pass broadcasts fine. 20:32 < rmull> If you want a quick-and-dirty solution for gaming, Hamachi would be easier. 20:32 < rmull> Rather than openvpn. 20:32 < rmull> Unless you have your heart set on openvpn 20:32 < rmull> ;) 20:50 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:02 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 104 (Connection reset by peer)] 21:03 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 21:10 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has joined ##openvpn 21:12 < voipuser> I have been trying for the better part of a month to get OpenVPN to work between a client on a router (w/ Tomato firmware) and an OpenVPN server. I FINALLY have it all working, but I can only have it work one way at a time... 21:14 < voipuser> If, at the server, I include the directive push "route-gateway 192.168.0.1" then I can get out to the Internet from a computer connected to the router, but can't ping that computer from the rest of the network... 21:15 < voipuser> But if I leave out that directive then I can ping that computer, but then the computer can't get to the Internet or any other location on the other side of the tunnel. 
21:16 < voipuser> I have to say that trying to get OpenVPN to work has been one of the most frustrating experiences of my life! 21:17 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)] 21:18 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 113 (No route to host)] 21:22 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 21:22 -!- dstufft [n=dstufft@pool-173-59-16-32.phlapa.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 22:10 -!- troy- is now known as troy 22:14 -!- zheng [n=zheng@222.66.224.108] has joined ##openvpn 22:33 -!- zheng [n=zheng@222.66.224.108] has quit [Read error: 113 (No route to host)] 22:38 < Derek__> voipuser what woudl you like to do with your openvpn 22:38 < Derek__> would you like the router to be able to surf internet on its own or pass all information to the server 22:39 < Derek__> It just so happens I just got this working with tap and tun. 22:40 < voipuser> Create a tunnel between a couple of devices at a remote location and a server on the local network, but be able to "see" the opposite end of the tunnel from either side (and from the client side, be able to get to the rest of the local network and the Internet) 22:41 < Derek__> ok for your tomato firmware use http://tomatovpn.keithmoyer.com/ 22:41 < vpnHelper> Title: TomatoVPN (at tomatovpn.keithmoyer.com) 22:41 < voipuser> IDEALLY I'd like to be able to assign router ports, so if you plug into port 1 or 2 you go through the tunnel but if you plug into 3 or 4 you go directly to the Internet, or something like that... 22:41 < Derek__> !tomatovpn 22:41 < vpnHelper> Derek__: Error: "tomatovpn" is not a valid command. 22:42 < Derek__> !tomato 22:42 < vpnHelper> Derek__: Error: "tomato" is not a valid command. 
22:42 < Derek__> after you have that set up let me know i will help you with your configs 22:43 < voipuser> I believe that's what I have… it has the VPN Tunneling Server and Client sections 22:44 < Derek__> does yoru about have Tomato Firmware v1.25vpn3.3.4a23156e 22:46 < voipuser> Actually it says Tomato version 1.25.8632 vpn3 - we got that because it specifically enables the USB port on the Asus router, is there a difference? 22:50 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has joined ##openvpn 22:58 < voipuser> We got it from here: http://www.linksysinfo.org/forums/showthread.php?t=60185 23:01 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 23:01 < voipuser> And reading the feature list on the link you sent, it sure looks the same… I don't know. 23:04 < voipuser> Thanks anyway. 23:08 < Derek__> I cant help you then 23:09 < Derek__> but I will try :) 23:09 < Derek__> I need your config files 23:09 < Derek__> !config 23:09 < vpnHelper> Derek__: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 23:12 < Derek__> server and client 23:15 < Derek__> sorry voipuser I was on the phone you still here? 
23:19 -!- texel [n=june@c-98-232-95-0.hsd1.wa.comcast.net] has joined ##openvpn 23:20 < texel> !route 23:20 < vpnHelper> texel: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 23:30 -!- texel [n=june@c-98-232-95-0.hsd1.wa.comcast.net] has quit ["WeeChat 0.2.6"] 23:59 -!- Hydrant [n=aj@CPE001d7e684fa2-CM001e6b194216.cpe.net.cable.rogers.com] has quit [Remote closed the connection] --- Day changed Thu Jun 18 2009 00:00 -!- troy is now known as troy- 00:06 -!- dazo|h [n=dazo@r9dm48.net.upc.cz] has joined ##openvpn 00:06 -!- dazo|h [n=dazo@r9dm48.net.upc.cz] has left ##openvpn ["Leaving"] 00:06 < voipuser> Sorry, it's worse than I thought… it turns out I can ping from the server to client via the tunnel but when I try to ping from client to server the packets just go nowhere… before when I had thought it was working it turns out the packets were taking a different route (NOT via the tunnel)… and now I can't understand why this stupid tunnel is working in one direction only. 
00:07 -!- dazo|h [n=dazo@r9dm48.net.upc.cz] has joined ##openvpn 00:24 < voipuser> Specifically I can ping 10.8.0.10 from the server but I cannot ping 10.8.0.0 from the client 00:42 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has quit [Read error: 110 (Connection timed out)] 00:44 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 02:08 -!- kevin__ is now known as canadaeh 02:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:34 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Remote closed the connection] 02:35 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 02:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 02:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 03:05 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has left ##openvpn [] 03:24 -!- kevin__ is now known as canadaeh 03:26 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Remote closed the connection] 03:27 -!- troy- is now known as troy 03:32 -!- kyrix [n=ashley@188-23-76-214.adsl.highway.telekom.at] has joined ##openvpn 03:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:18 -!- troy is now known as troy- 04:23 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn 04:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:42 -!- kyrix [n=ashley@188-23-76-214.adsl.highway.telekom.at] has quit ["Leaving"] 04:55 -!- dazo|h [n=dazo@r9dm48.net.upc.cz] has quit ["Leaving"] 05:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:34 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:33 -!- rmull [n=rmull@acsx02.bu.edu] has quit [Read error: 110 (Connection timed out)] 06:34 -!- Rajko [n=Rajko@93.174.88.10] has quit [Read error: 60 (Operation timed out)] 06:43 -!- barbosa [n=barbosa@189.27.52.245.dynamic.adsl.gvt.net.br] has quit [Read error: 104 (Connection reset by peer)] 06:54 -!- martin_ [n=martin@82.113.106.84] has joined ##openvpn 06:55 -!- martin_ is now known as guanoo 06:58 -!- barbosa [n=barbosa@189.27.49.223] has joined ##openvpn 06:59 < guanoo> hello, i am using vista home premium and openvpn to connect to work. it is a wiki with a dashboard function and i can log in. but when i go to the dashboard, the "google api" is not loading and i get connection timed-out. 07:01 < guanoo> i tried it many times and like one out of fifty times it is loading, but very slow. does anyone know this problem. thank you. 07:16 -!- pa_ [n=pa@87.1.69.132] has joined ##openvpn 07:16 -!- pa_ [n=pa@87.1.69.132] has quit [Read error: 104 (Connection reset by peer)] 07:20 < ecrist> guanoo: your question is not OpenVPN-specific 07:20 < ecrist> on top of that, we have nowhere near enough information to troubleshoot your issues. 07:26 < guanoo> ok i think i found the problem. i want to change the client config file and add "route method exe" and "route-delay" i tried to open this config file but it didnt work. ecrist: if you want you can ask me specific questions 07:28 -!- eoch [n=eoch@64.126.117.142] has joined ##openvpn 07:32 < guanoo> but u are right, because probably i would not understand your questions. i will tell my boss to change this config file, thank you
07:33 -!- guanoo [n=martin@82.113.106.84] has quit ["Verlassend"] 07:44 -!- geye [n=geye@gatekeeper.d2000.com] has joined ##openvpn 07:44 < geye> !route 07:44 < vpnHelper> geye: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:57 < geye> !/30 07:57 < vpnHelper> geye: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 07:59 -!- eoch [n=eoch@64.126.117.142] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"] 08:18 -!- dazo [n=dazo@nat/redhat/x-3a32d28d1f3b7d09] has quit [Read error: 104 (Connection reset by peer)] 08:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 08:36 -!- dazo [n=dazo@nat/redhat/x-c132d9b0f43d418c] has joined ##openvpn 09:04 -!- jeiworth [n=jeiworth@189.163.149.149] has joined ##openvpn 09:06 -!- Rajko [n=Rajko@93.174.88.10] has joined ##openvpn 09:33 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 09:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 09:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 10:01 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:06 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:07 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:08 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:08 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:09 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:09 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:10 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood]
10:10 < ecrist> DOUGY 10:11 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:11 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:12 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:12 < ecrist> krzee: ovpnforum.com is down because dougy's DNS servers are shit 10:13 < krzee> lol 10:13 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:13 < krzee> well we told him we could do it 10:13 < krzee> *shrug* 10:13 < krzee> you can only lead a man to buds, you cant smoke them for him 10:13 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:14 < ecrist> lol 10:14 < krzee> funny tho since the combined total of stable dns servers between us and the other trusted people here is probably very high 10:14 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:14 < ecrist> dan__t: I'd suggest not 'excess flooding' 10:14 < krzee> but he uses those weak ones 10:14 < ecrist> indeed. 10:14 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:15 < ecrist> yet, I host the site. 10:15 < ecrist> I sent him an email - maybe that's still got working DNS 10:15 < krzee> would only make sense to have you host the dns, 1 is down both are down 10:15 < ecrist> yep - my DNS doesn't go down. 10:15 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:15 < ecrist> even when I'm down. 10:15 < krzee> and if it did, the website would be down anyways 10:15 < ecrist> off-site hosting for that, nameserverexchange.com or something 10:16 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:16 < ecrist> dude in WI and I swap zones. 10:16 < krzee> oh 10:16 < krzee> ya i swap zones with a guy in europe 10:16 < krzee> .uk 10:16 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:16 < krzee> a very skilled bleeding edge fbsd guy 10:17 < ecrist> those are the best.
10:17 -!- dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 10:17 < ecrist> one of my buddies is the lead dev for PC BSD 10:17 < krzee> nice 10:17 < krzee> isnt that the 4.x fork? 10:17 < ecrist> no 10:18 < ecrist> it's the 'desktop freebsd' distribution 10:18 < krzee> ahh 10:18 < ecrist> I think dragonfly BSD might be the 4.x fork 10:27 -!- Derek__ [n=derek@199.85.8.1] has quit ["Leaving"] 10:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:36 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has joined ##openvpn 10:36 < firecrotch> !route 10:36 < vpnHelper> firecrotch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:45 < dan__t> Well. I apologize for my connection flapping this morning. I don't know what the deal was. Sorry for the annoyance, folks. 10:49 -!- Rajko [n=Rajko@93.174.88.10] has quit ["Leaving"] 10:50 < ecrist> we were getting 'Excess Flood' for your quit reason 10:50 < ecrist> 10:16 -!- dan__t [n=dant@vpn.withparity.net] has quit [Excess Flood] 10:50 < dan__t> Got it. 10:50 < dan__t> Must be from #httpd, they had a little flood action going on. 10:53 < ecrist> those bastards. 10:54 * ecrist sets topic to: ##openvpn at war with #httpd since 18-Jun-2009 1053CDT 10:59 < krzee> lol 11:08 -!- geye [n=geye@gatekeeper.d2000.com] has quit [] 11:10 -!- dli_ [n=dli@adsl-75-22-203-148.dsl.chcgil.sbcglobal.net] has joined ##openvpn 11:10 < dli_> I'm running server-client mode, but I couldn't ping between two clients. 11:15 < dli_> http://pastebin.ca/1464992 11:17 -!- firecrotch [n=nick@207-67-115-235.static.twtelecom.net] has left ##openvpn [] 11:25 < ecrist> !client-to-client 11:25 < vpnHelper> ecrist: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
11:26 < dli_> ecrist, so I should add a line of "client-to-client" to the server's openvpn.conf, right? 11:26 -!- feinom_ [n=feinom@svale.hia.no] has quit [Remote closed the connection] 11:26 < ecrist> yep 11:26 < ecrist> covered in the man page. 11:26 -!- feinoM [n=feinom@svale.hia.no] has joined ##openvpn 11:27 < dli_> ecrist, thanks, and it's a new feature of rc18 11:27 < ecrist> no it's not 11:27 < ecrist> it goes back *years* 11:28 < dli_> ecrist, weird then, I didn't set this option, but client-to-client worked 11:28 < ecrist> I'd recommend trying harder, but glad you got it working. ;) 11:30 < dli_> ecrist, I will report how it works with rc18 11:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:02 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 12:23 -!- jeiworth [n=jeiworth@189.163.149.149] has quit [Read error: 110 (Connection timed out)] 12:23 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn 12:28 -!- MrPockets is now known as pure_evil 12:35 -!- _dan__t [n=dant@vpn.withparity.net] has joined ##openvpn 12:38 -!- pure_evil is now known as MrPockets 12:40 -!- _dan__t is now known as dan___t 12:42 -!- zagibu [n=zagibu@adsl-84-227-182-244.adslplus.ch] has joined ##openvpn 12:43 < zagibu> do I strictly need a tun device on the host, or could I use a real device instead? 12:43 < MrPockets> OH 12:43 < MrPockets> why would you want to? 12:44 < magic_1> true true 12:44 < zagibu> i'm not sure if I can create a tun device on my vhost 12:45 < MrPockets> ...are you being coy with me? 12:47 < zagibu> very 12:47 < zagibu> but still... 12:47 < zagibu> i'm always coy 12:47 < MrPockets> !reditect 12:47 < vpnHelper> MrPockets: Error: "reditect" is not a valid command.
12:47 < MrPockets> !redirect 12:47 < vpnHelper> MrPockets: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:49 < MrPockets> !def1 12:49 < vpnHelper> MrPockets: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 12:50 < zagibu> okay, thanks, I'm reading the openvpn howto naouvw 12:52 -!- troy- is now known as troy 13:16 < zagibu> hmmm, i've set up a static tunnel, and I see "initialization sequence completed" on both client and server, but I can't ping either from both 13:19 < zagibu> ah, it's the firewalls blocking icmp, ssh works 13:22 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 13:22 * ecrist motions toward topic 13:25 < MrPockets> !topology 13:25 < vpnHelper> MrPockets: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 13:29 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 13:46 -!- zagibu [n=zagibu@adsl-84-227-182-244.adslplus.ch] has left ##openvpn [] 13:48 -!- vaq [n=c99@83.136.90.2] has joined ##openvpn 13:48 < vaq> Is it possible to disable the clock check of the client? 
13:53 < vaq> i mean the certificate time check 13:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 14:06 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)] 14:08 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."] 14:12 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 14:12 -!- jeiworth [n=jeiworth@189.177.202.150] has joined ##openvpn 14:12 -!- kevin__ is now known as canadaeh 14:13 -!- jeiworth [n=jeiworth@189.177.202.150] has quit [Remote closed the connection] 14:30 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 14:43 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:51 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 14:53 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 14:53 -!- kevin__ is now known as canadaeh 14:56 -!- hardwire` [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has joined ##openvpn 14:59 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 15:00 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 15:11 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 110 (Connection timed out)] 15:16 -!- hardwire` is now known as hardwire 15:21 -!- dli_ [n=dli@adsl-75-22-203-148.dsl.chcgil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 15:23 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 15:23 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
15:24 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 15:24 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 15:24 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 15:25 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 15:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Nick collision from services.] 15:25 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 15:25 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 15:27 < plaerzen> ? 15:31 < plaerzen> I am trying ircii again. 15:33 -!- plaerzen [n=carpe@vip2.tundraeng.com] has left ##openvpn [] 15:53 -!- dli_ [n=dli@wireless-230-201.uchicago.edu] has joined ##openvpn 16:01 -!- carpe_ is now known as plaerzen 16:04 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 16:08 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit [Nick collision from services.]
16:08 -!- Timpa_ [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 16:12 -!- kevin__ is now known as canadaeh 16:28 -!- hardwire` [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn 16:33 -!- hardwire [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has quit [Connection reset by peer] 16:38 -!- hardwire` is now known as hardwire 16:39 -!- hardwire is now known as hardwirealphapri 16:40 -!- hardwirealphapri is now known as hardwireprime 16:43 -!- hardwireprime is now known as hardwireusmaximu 16:43 -!- hardwireusmaximu is now known as hardwirusmaximus 16:48 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:01 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 17:07 -!- rubin110 [n=rubin110@70.36.142.11] has left ##openvpn [] 17:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:24 -!- hardwirusmaximus is now known as hardwire 17:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:35 < |Mike|> smerz! 
17:35 < smerz> hello 17:39 < |Mike|> hoi :) 17:50 -!- master_of_master [i=master_o@p549D635F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:53 -!- master_of_master [i=master_o@p549D5C14.dip.t-dialin.net] has joined ##openvpn 18:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:16 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 18:32 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 18:44 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)] 19:02 -!- dli_ [n=dli@wireless-230-201.uchicago.edu] has quit [Remote closed the connection] 19:04 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 60 (Operation timed out)] 20:01 -!- p3ri0d [n=p3ri0d@200.2.153.20] has joined ##openvpn 20:26 -!- kdub [n=kdub@fw.arb.zattoo.com] has joined ##openvpn 20:26 < kdub> i have a ca.crt, but dont know how to use it 20:26 < kdub> i try 'openvpn --ca ca.crt settings.conf' and it tells me i need a tun/tap device 20:37 -!- dan___t is now known as dan__t 20:39 -!- kdub [n=kdub@fw.arb.zattoo.com] has quit ["leaving"] 20:46 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 21:00 -!- p3ri0d [n=p3ri0d@200.2.153.20] has quit ["Leaving"] 21:08 < reiffert> moin 22:22 < krzee> reiffert, i decided i must have the lady you were talking about the other day 22:22 < krzee> moin 23:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 23:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 23:33 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has joined ##openvpn 23:46 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 23:46 -!- kevin__ is now known as canadaeh --- Day changed Fri Jun 19 2009 00:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
00:02 -!- damentz [i=damentz@free.dancing.bot.at.shellium.org] has quit [Remote closed the connection] 00:03 -!- damentz [n=damentz@free.dancing.bot.at.shellium.org] has joined ##openvpn 00:20 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 00:32 < vaq> Error in script "openvpn-gui.nsi" on line 221 -- aborting creation process 00:33 -!- ryan8403 [n=ryan8403@70.62.254.122] has quit ["I'm out of here!"] 00:55 -!- Guest621 [n=Guest621@adsl-074-183-167-075.sip.bhm.bellsouth.net] has joined ##openvpn 00:55 < Guest621> krzie: you around? 01:05 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 01:06 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 01:10 -!- hkais1 [n=xenoadmi@p50814004.dip.t-dialin.net] has joined ##openvpn 01:32 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has joined ##openvpn 01:33 < voipuser> I THINK I may finally have OpenVPN tunnel up and working, using Asus router and Tomato firmware as client. But, only one thing bothers me… when I use the route command with no arguments, the topmost default line I see looks like this: 01:33 < voipuser> default 10.8.0.9 128.0.0.0 UG 0 0 0 tun11 01:34 < voipuser> Shouldn't the mask be 0.0.0.0 rather than 128.0.0.0, or doesn't that matter? 01:35 < voipuser> BTW we are having storms rumbling around here so if I happen to drop offline, that may be why. 01:58 < dazo> voipuser: that's indeed a very big netmask you got there 02:11 < dazo> voipuser: you are right, that netmask should have been 0.0.0.0 .... can you post configs? 02:11 < dazo> s/post/pastebin/ 02:13 < voipuser> Ummm, what exactly do you want to see? 02:19 -!- Piter [n=piter@87-98-134-239.ovh.net] has joined ##openvpn 02:19 < Piter> hi 02:21 < hkais1> hi 02:22 < Piter> i have shell 02:22 < Piter> and openvpn 02:22 < Piter> www works but mirc not 02:22 < Piter> in dns i have message: dns pool 02:22 < Piter> i used my isp dns or opendns and it doesnt work 02:23 < Piter> what's wrong ?
02:26 -!- ng_ [n=ng@cpc4-stkp4-0-0-cust205.manc.cable.virginmedia.com] has joined ##openvpn 02:29 < hkais1> Piter? 02:29 < hkais1> what are you doing? 02:30 < Piter> i am trying to ran mirc when i use openvpn on my desktop 02:30 < Piter> run* 02:30 < Piter> from shell 02:30 < hkais1> but why do you need openvpn for mirc? 02:31 < Piter> because i need :) 02:31 < hkais1> okay you do not provide infos what you are doing, then fix it your self 02:32 < Piter> i give you infos 02:32 < Piter> what's the metter ? 02:33 < hkais1> I have a pain. and I sit on my chair. please help me. 02:34 < hkais1> enough info? 02:34 < Piter> what do you need yet ? 02:35 < hkais1> your network your need, your concrete problem 02:36 < Piter> ... 02:37 < Piter> my problem is on top 02:37 < Piter> www works but mirc not 02:37 < Piter> firewire is off 02:37 < ng_> hello, i'm trying to set up openvpn server on 'os x' but seem to be having problems tun 02:38 < hkais1> Piter: I donot know what you want from openvpn 02:39 < Piter> i want to connect with mirc 02:40 < hkais1> then fix mirc. it is not a openvpn problem 02:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:42 < Piter> !howto 02:42 < vpnHelper> Piter: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:42 < Piter> !route 02:42 < vpnHelper> Piter: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:53 -!- Guest621 [n=Guest621@adsl-074-183-167-075.sip.bhm.bellsouth.net] has quit [Read error: 60 (Operation timed out)] 02:59 -!- ng_ [n=ng@cpc4-stkp4-0-0-cust205.manc.cable.virginmedia.com] has quit [Read error: 104 (Connection reset by peer)] 03:00 -!- ng_ [n=ng@cpc4-stkp4-0-0-cust205.manc.cable.virginmedia.com] has joined ##openvpn 03:19 < dazo> voipuser: server and client configs (openvpn) ... and also ccd configs 03:21 < dazo> hkais1: calm down! 
03:21 < voipuser> hkais1: STFU 03:22 < dazo> Piter: if you first pastebin your config files, that'll help 03:22 < dazo> !pastebin 03:22 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 03:22 < dazo> !configs 03:22 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:22 < voipuser> It's none of your business WHY he wants it to work! 03:22 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"] 03:23 < hkais1> dazo: I asked him to provide me more infos. this was not done 03:23 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 03:23 < dazo> hkais1: but your attitude was NOT helping him on how to do that 03:23 < dazo> hkais1: consider yourself warned 03:23 < hkais1> dazo: sure it was 03:23 < voipuser> hkais1: No, you asked him why he needed OpenVPN for mirc, and that's none of your damn business! 03:24 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 03:25 < voipuser> dazo: I'm not ignoring you, I'm just trying to figure out how to get to the files on the client 03:25 < voipuser> It might take me a bit 03:26 < voipuser> (Tomato has a nice GUI that you set everything in) 03:26 < Piter> dazo: i just fixed problem 03:26 -!- dazo_ [n=dazo@nat/redhat/x-8a53d108aaa472cb] has joined ##openvpn 03:27 < dazo_> grrrrr ... electricity breakdown for some seconds .... 03:28 -!- dazo [n=dazo@nat/redhat/x-c132d9b0f43d418c] has quit [Nick collision from services.] 03:28 -!- dazo_ is now known as dazo 03:31 -!- troy is now known as troy-
03:38 < vaq> Are there any issues in building a custom installer within Linux using makensis? - I'm getting this error when running makensis openvpn-gui.nsi - "Error in script "openvpn-gui.nsi" on line 221 -- aborting creation process" 03:41 < dazo> vaq: not afaik ... but I would check this out on the mailing lists, probably the openvpn-devel mailing list first of all 03:42 < dazo> Piter: I'm not sure if you responded to the pastebin of configs I asked for ... I lost my connection for a few minutes 03:42 < voipuser> dazo, he answered: Piter: dazo: i just fixed problem 03:43 < dazo> voipuser: thx! 03:43 < dazo> Piter: Very good! :) 03:43 < voipuser> And I don't know if you missed where I said I'm not ignoring you, just can't figure out how to get to the config files on this router, they have everything locked up so tight! 03:44 < voipuser> (They have a nice GUI to set up OpenVPN) 03:44 < dazo> heh ... you said you're running Tomato? 03:44 < voipuser> Obviously this is new to me. 03:44 < voipuser> Yes 03:45 < dazo> I haven't tried that one .... but I'm very well content with X-WRT, if that's an option for you (based on openWRT) 03:45 < voipuser> FTP server won't let me into /etc/openvpn 03:45 < voipuser> Neither will SAMBA 03:45 < dazo> no ssh access? 03:46 < voipuser> I can ssh but am not much of a command line user.. if it had Midnight Commander or something... 03:46 < dazo> cd /etc/openvpn ? 03:47 < dazo> which desktop OS are you using? 03:47 < voipuser> Yeah I can do that 03:47 < voipuser> Windows on client side 03:48 < dazo> aha 03:48 < dazo> If Linux ... it might have worked by using sshfs .... kind of mounting a directory over ssh ... but not a go now ;-) 03:49 < dazo> you might be able to use sftp as well 03:49 < voipuser> Hmmmm.... 03:51 < voipuser> Says host is not running a SFTP server 03:52 < dazo> ugh 03:52 < dazo> then you only got scp left :) 03:54 < dazo> you could create an empty dir on your win box ... and then do scp -r :/etc . .... then you get the complete /etc locally 03:54 < voipuser> Okay, I think we are getting somewhere.. hang on...
03:55 < dazo> cool! 03:55 < voipuser> I have WinSCP, nice dual-pane interface! 03:57 < dazo> ahh :) then you're safe ;-) 04:00 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 04:21 < voipuser> dazo: Still there? 04:22 < dazo> voipuser: yeah, I'll be around for about an hour :) 04:22 < voipuser> Okay look at http://www.pastebin.ca/1466044 04:23 * dazo looks 04:23 < voipuser> Don't know if that's all you need but I'm working in a somewhat unfamiliar environment for me, so it took me that long to cut and paste those three items! 04:25 < dazo> do you have anything in /etc/openvpn/servers/NewVPN/ccd on the router? 04:26 < dazo> ahh sorry! 04:26 < dazo> I missed the last line :-P 04:26 < voipuser> That last line is actually in a file on the server, not the client (to me router=client) 04:27 < dazo> I'm wondering ..... push redirect-gateway .... maybe try to change that to say: push "redirect-gateway def1" 04:27 < dazo> aha 04:27 < dazo> I thought router was server 04:27 < voipuser> No router is client, and that's where the route table looks funny 04:27 < dazo> aha 04:28 < dazo> which openvpn version is used? 04:28 < voipuser> How can I tell? 04:28 < dazo> /usr/sbin/openvpn --version 04:29 < voipuser> Server: OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007 04:29 < dazo> and the client? 04:30 < voipuser> OpenVPN 2.1_rc15 mipsel-unknown-linux-gnu [SSL] [LZO2] built on Jun 13 2009 04:30 < dazo> oki 04:30 < dazo> try upgrading to 2.1_rc15 on the server ... it might be that's the issue 04:30 < dazo> rc15 is default on RHEL now 04:31 < voipuser> Hold on... 04:32 < voipuser> Trying yum update openvpn 04:32 < voipuser> Could not find update match for openvpn 04:32 < dazo> which RHEL version? 04:33 < voipuser> It's CentOS actually 04:33 < voipuser> CentOS Linux 5.2 04:33 < dazo> ahh ... well, that's just "almost" RHEL :) 04:34 < voipuser> Linux 2.6.18-53.1.19.el5 on i686
04:34 < dazo> that's odd ... because RHEL5 now ships with 2.1_rc15 04:34 < voipuser> Hmmm 04:34 * dazo double checks 04:36 < voipuser> I'm showing 2.0.9-1.el5.rf in the repository... 04:36 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 04:43 < dazo> this is confusing ... I don't even find openvpn in the i386 repos for centos 04:43 < dazo> not even in 5.3 04:44 < dazo> huh?!? http://www.google.cz/search?hl=en&num=100&q=site%3Amirror.centos.org+openvpn&btnG=Search 04:44 < vpnHelper> Title: site:mirror.centos.org openvpn - Google Search (at www.google.cz) 04:45 < voipuser> That is very odd 04:46 < voipuser> When I search "rpmfind" in Webmin I see all sorts of versions of OpenVPN but none specifically made for CentOS 04:48 < dazo> exactly ... well, it's easy to make one :) 04:48 < dazo> http://rpm.pbone.net/index.php3/stat/3/srodzaj/2/search/openvpn-2.1-0.29.rc15.fc8.src.rpm 04:48 < vpnHelper> Title: RPM Search openvpn-2.1-0.29.rc15.fc8.src.rpm (at rpm.pbone.net) 04:48 < dazo> download that one 04:48 < dazo> rpmbuild --rebuild openvpn-2.1-0.29.rc15.fc8.src.rpm 04:48 < dazo> voila! You got CentOS5 RPMs 04:50 < dazo> the location of the rpms depends on your configs ... but look for "Wrote: " lines at the end of the script 04:50 < dazo> result 04:51 < voipuser> I don't understand… I just downloaded openvpn-2.1-0.29.rc15.fc8.src.rpm 04:51 < dazo> that's a source RPM ... so that's just the source code 04:51 < voipuser> And you are saying I can do rpmbuild --rebuild openvpn-2.1-0.29.rc15.fc8.src.rpm 04:52 < dazo> rpmbuild --rebuild ... well make binaries 04:52 < dazo> yeah 04:52 < voipuser> Should I do this in any particular directory or will /tmp work? 04:52 < dazo> wherever 04:53 < voipuser> Ummmmm… -bash: rpmbuild: command not found 04:53 < dazo> on some distros ... it will create ~/rpmbuild directory .... often if doing this as root, it will show up under /usr/src/redhat ...
04:53 < dazo> hmm
04:53 < dazo> yum install rpm-build
04:56 < voipuser> Did that, ran pmbuild --rebuild openvpn-2.1-0.29.rc15.fc8.src.rpm again, this time got Installing openvpn-2.1-0.29.rc15.fc8.src.rpm error: openvpn-2.1-0.29.rc15.fc8.src.rpm cannot be installed
04:56 < voipuser> that was rpmbuild, I just missed first char on cut/paste
04:57 < voipuser> This, by the way, is what ALWAYS happens to me when I try to do anything from Linux command line, especially with regard to installing software! ;)
04:57 < dazo> heh
04:58 < dazo> can you pastebin what comes to the screen? from you start running rpmbuild until it stops?
04:59 < voipuser> That was IT… just those two lines!
04:59 < voipuser> Look at http://notes.brooks.nu/2008/08/openvpn-setup-on-centos-52/
04:59 < vpnHelper> Title: Notes » Blog Archive » OpenVPN setup on Centos 5.2 (at notes.brooks.nu)
04:59 < dazo> ahh!
05:00 < dazo> EPEL! Of course! Why didn't I think about that .... sorry!
05:00 < dazo> sudo rpm -ihv http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-2.noarch.rpm
05:00 < dazo> yum install openvpn
05:00 < dazo> that should do the trick then
05:02 < voipuser> No problem… but wouldn't I yum update rather than install, since I already have earlier version?
05:03 < dazo> install will do an upgrade, iirc
05:03 < voipuser> Yeah, I don't want to lose all my configurations, let's try that first...
05:04 < dazo> sure :)
05:05 < voipuser> Package openvpn.i386 0:2.1-0.29.rc15.el5 set to be updated
05:05 < dazo> neat!
05:05 < ng_> hello i'm having problems with tun tap interface this is the log message
05:05 < ng_> ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
05:06 < ng_> NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
05:06 < ng_> this on 'os x'
05:06 < voipuser> Okay, not sure what this means: warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 217521f6 Importing GPG key 0x217521F6 "Fedora EPEL " from /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL Is this ok [y/N]:
05:07 < voipuser> Is that just a key from the repository or something?
05:08 * voipuser will press y and hope nothing blows up!
05:10 < voipuser> Oh crap, now openvpn won't start!
05:14 < voipuser> THAT was strange...
05:16 -!- db8 [n=db8@88.203.247.111] has joined ##openvpn
05:16 < dazo> that warning is just that you did not have the signing pubkey ... I can confirm it's the right key
05:16 < voipuser> I had a PRE command route add -net 192.168.5.0 netmask 255.255.255.0 gw 10.8.0.2 tun0 worked fine in old version, new doesn't like it...
05:17 < dazo> you might need to look at --script-security now
05:17 < dazo> security is improved in 2.1
05:17 < db8> i am considering to buy a WRT54G and installing dd-wrt on it in order to establish a VPN tunnel with a company that runs Cisco7140, the requirements that i need to fill in are as follows: Authentication Type: Preshared Key, Hash Algorithm: SHA/HMAC-160, Encryption Algorithm:3DES, Diffie-Hellman Group:2, IKE SAs:86400 seconds, IPSEC Protocol:ESP, Mode: Tunnel, Authentication Hash: SHA/HMAC-160, Encryption Protocol:3DES, IPSEC SAs Lifetime: 28800 seconds - could
05:18 < dazo> db8: sounds good ... but I'd reconsider dd-wrt .... try X-WRT instead .... dd-wrt is sloppy in regards to security issues, and they have had a history of hardcoding IP addresses into the firmware which is then opened in the firewall
05:19 < dazo> but!
05:19 < voipuser> logs aren't indicating any security problem
05:19 < db8> dazo: oh but, where should all these parameters go?
05:19 < dazo> db8: but! you cannot use openvpn ..... you must use vpnc instead
05:19 < voipuser> I couldn't get dd-wrt to work, that's why we tried Tomato, but it may not have been issue with dd-wrt
05:20 < db8> i see
05:20 < db8> dazo: does vpnc support those parameters?
05:21 < voipuser> I actually wish that tomato would let you assign different lan ports differently (such as 1 and 2 go through tunnel, 3 and 4 don't). I think dd-wrt might have permitted that.
05:21 < dazo> db8: vpnc is the Cisco client, that's all I know .... and it does most of that automatically ... you just need a few parameters in a config file
05:21 < dazo> voipuser: that's doable in all of these if you do it via ssh ;-)
05:22 < voipuser> That would require knowing HOW, which I don't. :)
05:22 < dazo> voipuser: I need to run now .... travelling this weekend .... but I would anyway double check the --script-security option ... that's needed now for sure to make things working as in the 2.0 series
05:22 < voipuser> But if you know of a handy page that explains it, I'm all ears.
05:23 < voipuser> Okay, thanks, it does seem to be working so far
05:23 < voipuser> Thanks much for your help dazo
05:23 < dazo> voipuser: man openvpn
05:24 < voipuser> OK
05:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:33 < voipuser> Rats, still didn't fix the strange route table issue.
05:38 -!- T-J [n=t-j@dsl-087-195-229-067.solcon.nl] has joined ##openvpn
05:39 < T-J> Hi
05:40 < T-J> Need some help with my OpenVPN server
05:40 < T-J> It always worked before a router reset
05:40 < db8> could someone please tell me if openVPN can handle these parameters? - Authentication Type: Preshared Key, Hash Algorithm: SHA/HMAC-160, Encryption Algorithm:3DES, Diffie-Hellman Group:2, IKE SAs:86400 seconds, IPSEC Protocol:ESP, Mode: Tunnel, Authentication Hash: SHA/HMAC-160, Encryption Protocol:3DES, IPSEC SAs Lifetime: 28800 seconds
05:40 < T-J> But now, i can only reach 1 host in the network
05:40 < T-J> But i can ping all hosts
05:41 < T-J> I reconfigured the router, readded the route to the VPN subnet, but it doesnt work
05:53 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
06:20 < db8> anyone around?
06:56 < T-J> db8: don't think so :P
06:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:00 < db8> heh
07:11 < ecrist> I'm here.
07:12 < db8> could someone please tell me if openVPN can handle these parameters? - Authentication Type: Preshared Key, Hash Algorithm: SHA/HMAC-160, Encryption Algorithm:3DES, Diffie-Hellman Group:2, IKE SAs:86400 seconds, IPSEC Protocol:ESP, Mode: Tunnel, Authentication Hash: SHA/HMAC-160, Encryption Protocol:3DES, IPSEC SAs Lifetime: 28800 seconds
07:12 < db8> ecrist: dont suppose you know about dd-wrt running openvpn?
07:19 < ecrist> yes, it does run, but they bastardize it a bit.
07:19 < ecrist> db8, the parameters you're posting above are IPSec params, not OpenVPN params.
07:23 < ecrist> db8, please don't PM me about VPN stuff.
07:23 < ecrist> OpenVPN is an SSL VPN, which is different from IPSec.
07:23 < db8> i see
07:25 < db8> thanks ecrist :)
07:26 < ecrist> no problem.
07:53 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn
07:54 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has left ##openvpn []
08:04 -!- db8 [n=db8@88.203.247.111] has quit [Read error: 104 (Connection reset by peer)]
08:04 -!- db9 [n=db8@88.203.247.111] has joined ##openvpn
08:05 -!- db8 [n=db8@88.203.247.111] has joined ##openvpn
08:05 -!- db9 [n=db8@88.203.247.111] has quit [Read error: 104 (Connection reset by peer)]
08:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:07 -!- db8 [n=db8@88.203.247.111] has quit [Client Quit]
08:34 -!- Piter [n=piter@87-98-134-239.ovh.net] has quit [Read error: 110 (Connection timed out)]
08:53 -!- Piter [n=piter@87-98-134-239.ovh.net] has joined ##openvpn
09:18 -!- youngpro [n=pro@teamaustralia.net.au] has joined ##openvpn
09:20 -!- youngpro is now known as prxtien
09:22 -!- geye [n=geye@208.32.117.78] has joined ##openvpn
09:22 < geye> morning all!
09:23 < geye> is the openvpn forum down?
09:27 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:34 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:43 < oc80z> oc80z
09:44 < oc80z> nick
09:44 < oc80z> bbl
09:54 -!- Guest864 [n=Guest864@adsl-074-183-167-075.sip.bhm.bellsouth.net] has joined ##openvpn
09:54 < Guest864> krzie, you around?
09:58 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
10:15 < ecrist> geye, yes, there are DNS issues. I run the server for the forum, someone else is running DNS. they're supposed to transfer to me today.
10:15 < ecrist> (many problems)
10:24 < geye> lol I thought so thanks for the info
10:40 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:58 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:01 -!- Guest864 [n=Guest864@adsl-074-183-167-075.sip.bhm.bellsouth.net] has quit [Read error: 60 (Operation timed out)]
11:07 -!- geye [n=geye@208.32.117.78] has quit []
11:16 -!- T-J [n=t-j@dsl-087-195-229-067.solcon.nl] has quit [Remote closed the connection]
12:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:34 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:35 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn
12:47 < ecrist> ovpnforum.com is back online
13:22 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
13:32 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
13:32 < Dougy> krzie, hihi
13:32 < ecrist> Dougy: zone is up
13:32 < Dougy> ecrist, kewl
13:32 < Dougy> :D
14:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:41 < krzie> Name Servers:
14:41 < krzie> pri-ns.secure-computing.net
14:41 < krzie> sec-ns.secure-computing.net
14:41 < krzie> looks like someone upgraded NS
14:41 < krzie> =]
14:47 -!- voipuser_ [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has joined ##openvpn
14:48 < Dougy> krzie,
14:48 < Dougy> i got kvm hooked up to your shit
14:48 < Dougy> its tight
14:48 < krzie> cool
14:50 < krzie> werd
14:51 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
14:52 -!- hardwire is now known as hardwire|Twinkie
14:52 -!- hardwire|Twinkie is now known as hardwire
14:54 -!- Belgarat1 [i=belgarat@banda.pl] has quit [Read error: 60 (Operation timed out)]
14:55 < krzie> was that noobuntu you are using?
14:56 < Dougy> no it isnt
14:56 < Dougy> it would be Debian lenny
14:56 < krzie> ah
14:56 < Dougy> & avant
14:56 -!- voipuser [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has quit [Read error: 110 (Connection timed out)]
14:56 < krzie> + k???dock
14:57 < krzie> i forget the name
14:57 < krzie> i like that dock app
14:57 < krzie> + compiz?
14:57 < Dougy> yeah
14:57 < Dougy> Avant is the dock
14:57 < krzie> nice
14:57 < Dougy> and compiz
14:57 < krzie> oh ok
14:58 < krzie> compiz is nice
14:58 < Dougy> indeed
14:58 < Dougy> its buggy as shit in ubuntu
14:58 < Dougy> i refuse to use ubuntu
14:58 < Dougy> too buggy
14:58 < krzie> has some lil things ild like to see jacked by apple
14:58 < Dougy> debian is running like a champion
14:58 < krzie> ya i like debian better too
15:01 < ecrist> Mac OS X for desktop, FreeBSD for servers
15:01 < ecrist> 'nuff said
15:01 * ecrist is out
15:02 < krzie> lol i agree with eric
15:03 < Dougy> blah
15:03 < Dougy> os x can kiss my ass
15:04 < krzie> but ild like to see osX jack some small stuffs from compiz
15:04 < krzie> namely, snapping windows
15:04 < krzie> the cube effect is cool too
15:05 < krzie> mainly snapping windows tho, thats handy shit
15:05 < Dougy> that is nice
15:05 -!- Timpa_ [n=timpa@chuck.bartowski.skalet.org] has quit [Read error: 110 (Connection timed out)]
15:10 -!- hkais1 [n=xenoadmi@p50814004.dip.t-dialin.net] has left ##openvpn []
15:14 -!- c64zottel [n=hans@p5B17AF9C.dip0.t-ipconnect.de] has joined ##openvpn
15:17 < krzie> im bored
15:17 < krzie> who needs help with something
15:19 < Dougy> i need a new job
15:19 * Dougy starts looking around on linkedin
15:20 < krzie> and you just perfectly displayed the big difference between me and most people
15:20 < krzie> everyone else says "i need a job"
15:20 < krzie> i say "i need to get some money"
15:20 < Dougy> heh
15:20 < Dougy> i have money if i really really need
15:20 < Dougy> but i like a job
15:21 < krzie> of course i have accepted jobs before
15:21 < krzie> but i normally chose to get $ instead
15:21 < Dougy> hoes not paying up, krzie ?
15:21 < krzie> haha theres legal ways to get $ too
15:21 < krzie> hell i was getting $50 - $100 /hr setting up business networks and phone systems
15:22 < Dougy> that's a job
15:22 < krzie> same $ for just removing viruses and making systems work how they should
15:22 < krzie> its a job if you do it for someone else
15:22 < Dougy> thats what i should be doing
15:22 < krzie> its getting $ if you do it for yourself
15:22 * Dougy should go on craigslist and sell PC repair
15:22 < Dougy> man i just nearly said something very racist in here
15:22 < Dougy> that would have been bad
15:23 < krzie> no reason for racism bro
15:23 < Dougy> indeed
15:23 < Dougy> so
15:23 < Dougy> the pieces of shit up the street.
15:23 < Dougy> they charge literally ten times what i would
15:23 < Dougy> its absurd
15:23 < Dougy> 1gb ddr2 800 ram
15:23 < Dougy> 50 dollars
15:23 < Dougy> to put it in.. 100 dollars
15:24 < krzie> then the guy who puts it in is some $10/hr noc-monkey
15:24 < krzie> its great
15:24 < krzie> you see, the guy who started that gets $
15:24 < krzie> and the guy who puts the stick of ram in... has a job
15:24 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
15:24 < krzie> ;]
15:25 < zhaena> :)
15:25 < zhaena> no valid vpn secrets??
15:25 < krzie> huh?
15:26 < krzie> please state your question in the form of a valid english sentence
15:26 < zhaena> my buntu spit this back at me when i tried 2 enable openVPN via the network manager..
15:26 < krzie> !ubuntu
15:26 < vpnHelper> krzie: "ubuntu" is dont use network manager!
15:27 < zhaena> dont use it...? :o
15:27 < krzie> correct
15:27 -!- kevin__ is now known as canadaeh
15:27 < zhaena> what is the alternative
15:28 < krzie> openvpn
15:28 < zhaena> yes :) but that is what i tried to do, via the network manager as there is no openvpn gui in buntu
15:28 < krzie> why do you need a gui?
15:29 < zhaena> why not? :)
15:29 < krzie> cause theres no openvpn gui in linux
15:29 < krzie> as you said
15:29 < zhaena> :)
15:30 < zhaena> could u walk me thru it krzie?
15:30 < krzie> !howto
15:30 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:31 < krzie> i can help answer specific questions
15:31 < krzie> whats your goal with your vpn?
15:31 < krzie> i can also lead you the right direction
15:32 < krzie> but it will require an understanding of networking and a willingness to read a lot of docs
15:32 < zhaena> ok :)
15:33 < zhaena> alright.
15:34 < krzie> so the goal...?
15:34 < zhaena> before i ask, can you tell me what it means to have "no VPN secrets" when one tries to connect somewhere via openVPN?
15:35 < krzie> it doesnt mean anything to me, its a network manager error
15:35 < zhaena> ah.
15:35 < zhaena> well...
15:35 < krzie> if you want help with network manager i suggest a linux help chan
15:35 < zhaena> my goal is to connect to one of the darknets.
15:35 < krzie> namely an ubuntu one
15:35 < zhaena> :)
15:35 < zhaena> anoNet to be exact
15:36 < krzie> never heard of it
15:36 < krzie> do they give you an openvpn config?
15:36 < zhaena> yes - i've done all of this....uploaded openVPN into my OS etc
15:37 < zhaena> i've successfully loaded the config files, keys, ca.crt all of that
15:37 < krzie> they gave you a config and certs?
15:37 < krzie> ok, then just run openvpn
15:37 < krzie> with the certs in the dir your config says they should be in
15:37 < zhaena> and by opening openvpn how is that done? is there some kind of command or..?
15:37 < krzie> yes, the command is...
15:38 < krzie> openvpn
15:38 < krzie> lol
15:38 < zhaena> ha
15:38 < krzie> openvpn
15:38 < krzie> or openvpn --config
15:42 < zhaena> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1:
15:42 < zhaena> ??
15:43 < krzie> post the config
15:43 < krzie> and type openvpn --cersion
15:43 < krzie> err
15:43 < krzie> openvpn --version
15:44 < zhaena> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
15:44 < zhaena> Developed by James Yonan
15:44 < zhaena> Copyright (C) 2002-2008 Telethra, Inc.
15:44 < krzie> why do you have rc11?
15:44 < krzie> we are on rc18
15:44 < zhaena> *shrugs* i dunno
15:44 < krzie> rc11 has known problems
15:45 < krzie> !download
15:45 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
15:45 < zhaena> yes but i dont have an amd64 architecture... i already tried all that with the whole "free license key" etc which i dont know what to do with now
15:46 < krzie> huh?
15:46 < krzie> you dont need amd64 or any license key
15:46 < zhaena> my reaction exactamundo! lol
15:46 < krzie> you just download the source, and install it
15:46 < krzie> you must not have gone to the link i gave you
15:46 < krzie> http://www.openvpn.net/release/openvpn-2.1_rc18.tar.gz
15:47 < zhaena> i was jee-ust about to ask which one lol
15:47 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 113 (No route to host)]
15:48 < zhaena> how do i replace this version of openVPN i have with this new one?
15:48 < krzie> by installing the new one
15:48 < krzie> lol
15:48 < zhaena> lol
15:48 < zhaena> :)
15:49 < zhaena> no i mean should i do the whole apt-get remove openvpn?
15:49 < krzie> go for it
15:49 < krzie> this is only an openvpn help channel
15:49 < zhaena> ok
15:50 < zhaena> its all so bureaucratized these channels lol
15:50 < Dougy> nah
15:50 < Dougy> krzie's just a bastard
15:50 < zhaena> LOL
15:50 < krzie> what dougy means is that he would like to help you
15:50 * krzie watches silently
15:50 < Dougy> NOU
15:50 < zhaena> he's a helpful barsty narstard tho
15:51 < Dougy> ecrist is on call tonight
15:52 < zhaena> i'm really miffed now i thought the network manager would make this easier *sigh* let me upload it all one sec
15:52 < krzie> dougy, you can totally help him!
15:52 < krzie> he has a config and keyfiles supplied to him
15:52 < krzie> and hes a linux user like you
15:53 < krzie> if you cant help this guy you wont find anyone you can help
15:53 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
15:53 < zhaena> krzie i am actually very thankful that you took the time to help me as u have :)
15:53 < krzie> np man, now that you know not to use network manager you should have no problem
15:54 < krzie> just make sure all files in the config use full paths
15:54 < Dougy> zhaena, that will be $20 for the use of my slave for assistance
15:55 < krzie> your slave, LOL
15:55 < Dougy> haha
15:55 < zhaena> tee hee
15:57 * Dougy whip
15:59 < krzie> ill pay you $20 if i see you actually help someone
15:59 < krzie> how bout that
15:59 < krzie> HEHE
16:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:09 < zhaena> wow this is a lot
16:11 -!- thermoman [n=thermoma@84.201.90.210] has joined ##openvpn
16:12 < thermoman> the box openvpn "server" runs on has eth0 with multiple alias IPs. how do i tell openvpn to use IP $foo as source for packets routed from the tun-device to the outside world?
16:13 < krzie> thermoman you already had NAT setup?
16:13 < krzie> you just wanna change which ip it uses, right?
16:13 < thermoman> yes, masquerading via iptables
16:13 < krzie> np
16:13 < krzie> !linnat
16:13 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:13 < krzie> #2
16:13 < krzie> thank you drive through
16:13 < zhaena> god ur so smart!!
16:14 < krzie> hah
16:14 < thermoman> should have known SNAT target
16:14 < thermoman> :)
16:14 < krzie> =]
16:15 < thermoman> wood, trees, ... you know
16:17 < krzie> i dont get it
16:18 -!- p3ri0d [n=p3ri0d@200.2.152.41] has joined ##openvpn
16:19 < krzie> sup p3ri0d
16:19 -!- mode/##openvpn [+o p3ri0d] by ChanServ
16:22 < thermoman> krzie: not to see the wood for the trees
16:22 < krzie> ohhh right
16:22 < thermoman> :)=
16:22 < krzie> havnt heard that one in a longtime
16:22 -!- mode/##openvpn [-o p3ri0d] by ChanServ
16:23 -!- p3ri0d [n=p3ri0d@200.2.152.41] has quit [Read error: 104 (Connection reset by peer)]
16:23 < Dougy> wut
16:23 < Dougy> why he has ops
16:24 < Dougy> i want vops
16:24 -!- mode/##openvpn [+o Dougy] by ChanServ
16:24 -!- mode/##openvpn [-o Dougy] by ChanServ
16:25 < thermoman> Dougy: happy? :)
16:25 -!- p3ri0d [n=p3ri0d@200.2.152.41] has joined ##openvpn
16:25 < Dougy> i didnt ask for ops mang i wanted vops
16:25 < Dougy> +v
16:25 < Dougy> :p
16:25 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)]
16:25 -!- mode/##openvpn [+v Dougy] by ChanServ
16:25 < krzie> thats called voice btw
16:25 < krzie> not vops
16:25 < krzie> its only use is to give someone the ability to talk when you mute a channel
16:26 < krzie> hence the name voice
16:26 -!- mode/##openvpn [-v Dougy] by ChanServ
16:26 < Dougy> krzie, on anope its aop vop sop hop etal
16:26 < Dougy> et al*
16:26 < Dougy> and trust me
16:27 < krzie> anope?
16:27 < Dougy> i have been on IRC for goddamn near 10 years
16:27 < Dougy> i know what +v does
16:27 < krzie> you been on irc since you were 5?
16:27 < Dougy> 7
16:27 < krzie> almost 17 now?
16:27 < krzie> damn time flies
16:27 < Dougy> sept 23
16:27 < Dougy> er
16:27 < Dougy> 21
16:27 < Dougy> oO
16:27 < krzie> HAHAH
16:27 < Dougy> 23 is driving test. whoop
16:27 * Dougy only thinks about the 23
16:28 * krzie tattoos dougy's bday on dougy's wrist for him
16:28 < Dougy> can it be a cool font
16:28 < krzie> any font you choose
16:28 < krzie> so long as you can read it so you can remember
16:28 < Dougy> i need something bamf
16:30 < Dougy> going to pwn n00bs in AAO - later
16:35 -!- dKingston [n=dKingsto@unaffiliated/dkingston] has joined ##openvpn
16:36 -!- Dougy [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
16:51 < HardDisk_WP> krzie, hehe lol that's when $other_irc_net noobs come to freenode and miss their twenty levels of chan ops :D
16:51 < krzie> haha
16:52 < krzie> aye
16:52 < HardDisk_WP> it's childish, IMO
16:52 < HardDisk_WP> either you trust ur ops, or not
16:52 < krzie> i have no clue what all those things are
16:52 < krzie> im from efnet, we keep it simple
16:52 < krzie> you can be oped, or not
16:52 < HardDisk_WP> like in FN
16:53 < krzie> and if we +m, you can have +v, or not
16:53 < krzie> yup
16:53 < HardDisk_WP> I only know the excessive use of tons of chanop kinds of warez networks / channels
16:54 < HardDisk_WP> I wonder where he comes from :D
16:54 < krzie> no clue, there were a bunch of nets since '99
16:54 < krzie> when i started there were far far less options
16:55 < krzie> but hes on whtirc.net, dunno how long thats been around...
16:55 < krzie> i know that cause of a screenshot he sent
16:56 -!- hardwire is now known as snickersnack
16:57 < krzie> hes a good guy tho, we just like to mess with each other
16:58 -!- snickersnack is now known as hardwire
17:00 -!- c64zottel [n=hans@p5B17AF9C.dip0.t-ipconnect.de] has quit ["Leaving."]
17:10 < HardDisk_WP> krzie, btw, I even managed to have IPv6 on the VPN :D
17:10 < HardDisk_WP> the only thing: the vpn connection gets lost when heavy traffic runs over it
17:10 < krzie> nice
17:10 < krzie> write for the wiki???
17:10 < HardDisk_WP> is this because the host is overloaded?
17:10 < HardDisk_WP> krzie, i'll publish on my blog as CC-BY-SA
17:11 < krzie> i dunno why it gets lost with heavy traffic
17:11 < krzie> maybe an mtu issue that compounds with sustained traffic
17:11 < krzie> maybe im way off
17:12 < HardDisk_WP> maybe it's because of our crappy connection - or because the host is an embedded machine (NSLU2)
17:12 < krzie> ahh hah
17:12 < krzie> maybe the cpu cant handle
17:13 < krzie> does the proc actually disappear?
17:13 < HardDisk_WP> no idea, how do I find out?
17:13 < krzie> ps?
17:13 < HardDisk_WP> ah, no it does not
17:13 < HardDisk_WP> because it reconnects ten secs later
17:14 < krzie> anything in logs?
17:14 < HardDisk_WP> but of course, all connections drop.
17:14 < HardDisk_WP> have to look...
17:14 < krzie> using udp?
17:14 < HardDisk_WP> screw it, got destroyed.
17:14 < HardDisk_WP> krzie, no, tcp
17:15 < krzie> ahh
17:15 < krzie> there we goes
17:15 < krzie> !tcp
17:15 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:15 < HardDisk_WP> krzie, problem is our dsl connection - it tends to lose packets
17:15 < krzie> yup
17:15 < HardDisk_WP> i dunno if this is a good idea
17:15 < krzie> that along with tcp over tcp
17:15 < krzie> is a guaranteed way for what you're saying
17:15 < HardDisk_WP> ah, openvpn drops connection when failed packet rate is too high?
17:15 < krzie> read the link
17:15 < krzie> !tcp
17:16 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:16 < HardDisk_WP> k
17:16 < krzie> that link is from the manual
17:17 < HardDisk_WP> k
17:18 < HardDisk_WP> krzie, i'll test it next monday
17:18 < HardDisk_WP> when i'm at school again
17:18 < krzie> werd
17:18 < HardDisk_WP> krzie, btw, you ever heard of a working Win mobile openvpn client?
17:18 < krzie> yup
17:18 < HardDisk_WP> i have of one, but it's broken on WM6
17:18 < HardDisk_WP> as the author says
17:18 < krzie> dunno about WM6 tho
17:18 < HardDisk_WP> it can't ping the host ^^
17:19 < krzie> i think the ones i seen work were WM5
17:19 < HardDisk_WP> exactly - and i unfortunately have a WM6 device and too few skills (and especially: no legit VS2008 :p) to fix it up
17:27 < HardDisk_WP> heh, that's d/l speeds now. i switched from wlan to cable,and now have 1,1MB/s from rapidshare instead of 100KB/s
17:27 < HardDisk_WP> do you know why a WRT54GS can be so extraordinary slow on WLAN even if laptop is 1m away?
17:28 < krzie> my WRT54G doesnt have that problem
17:28 < krzie> maybe your laptops wlan drivers suck
17:29 < krzie> my gigabit network card (realtek) only gets me 12MB/s at home in freebsd8
17:29 < krzie> but 2 other devices get over 50MB/s sustained with intel nics
17:29 < krzie> realtek is known to blow
17:31 < HardDisk_WP> intel 4965 agn
17:31 < HardDisk_WP> and on other networks, at waaay greater distances I get even higher dl speed#
17:31 < HardDisk_WP> physical NIC is broadcom netlink extreme, it even runs gigabit. nice is, it can even check lan cables
17:31 < HardDisk_WP> it actually shows a correct length for the attached cable... really accurate.
17:31 < krzie> wow
17:31 < krzie> thats rather awesome
17:31 < HardDisk_WP> yep. if you ever get hands to a netlink extreme, they're cool.
17:32 < HardDisk_WP> *aaaaaargggh* my blog had no posts for 14 days and 10 spam comments. today 3 new posts, and 30 spams -.-
17:33 < krzie> hehe
17:33 < krzie> you shoulda seen our forum until recently
17:33 < krzie> ecrist made some changes to curb spam
17:35 < HardDisk_WP> heh krzie you helped me with setting up the cert stuff, right?
17:36 < HardDisk_WP> this is the only thing i do NOT remember how I did it
17:38 < krzie> maybe ssl-admin
17:39 < HardDisk_WP> yep..
17:42 < HardDisk_WP> krzie, oh, another thing: if it is really a bridge, why has openvpn its own DHCP server?
17:43 < krzie> it doesnt need to
17:43 < krzie> if you look at server-bridge you see it can get a dhcp option to let a dhcp server handle the ips
17:43 < krzie> (in manual)
17:49 -!- master_of_master [i=master_o@p549D5C14.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:53 -!- master_of_master [i=master_o@p549D5719.dip.t-dialin.net] has joined ##openvpn
18:07 -!- hardwire is now known as studmuffin
18:08 -!- p3ri0d [n=p3ri0d@200.2.152.41] has quit ["Leaving"]
18:10 -!- studmuffin is now known as hardwire
18:11 -!- ng_ [n=ng@cpc4-stkp4-0-0-cust205.manc.cable.virginmedia.com] has quit ["Leaving"]
18:12 < HardDisk_WP> krzie, http://blog.harddisk.is-a-geek.org/index.php/net/netbridging-extreme/
18:12 < vpnHelper> Title: /net/bridging_extreme | hard.blog (at blog.harddisk.is-a-geek.org)
18:12 < HardDisk_WP> krzie, oh, wrong link: http://blog.harddisk.is-a-geek.org/index.php/net/bridging-extreme/
18:12 < vpnHelper> Title: /net/bridging_extreme | hard.blog (at blog.harddisk.is-a-geek.org)
18:31 < krzie> ahh werd
18:31 < krzie> i figured it was gunna be something specific about tunneling ipv6
18:34 < HardDisk_WP> it's easy ^^
18:34 < HardDisk_WP> just set up ipv6 as normal, simply fix radvd and the forwarding
18:34 < krzie> ahh gotchya
18:34 < HardDisk_WP> when ive got some time i code some config generator
18:34 < krzie> ive never setup ipv6, and dont plan on doing it, but its a topic that comes up from time to time
18:35 < HardDisk_WP> you can choose modules... ipv6, openvpn and bluetooth ap
18:35 < HardDisk_WP> you enter your current settings and it'll give you config files
18:37 < HardDisk_WP> krzie, whats the easiest way to test if broadcasting works through openvpn?
18:37 < krzie> a packet sniffer
18:37 < HardDisk_WP> ok, and what on nslu side?
18:37 < krzie> nslu?
18:39 < HardDisk_WP> the server ^^ 18:39 < HardDisk_WP> nslu is http://en.wikipedia.org/wiki/NSLU2 18:39 < vpnHelper> Title: NSLU2 - Wikipedia, the free encyclopedia (at en.wikipedia.org) 18:39 < krzie> a ping to a machine on the other side that is not yet in that machines arp table 18:39 < krzie> so that it must arp to find the mac address to ping 18:40 < krzie> or you could use nmap to ping the whole subnet 18:40 < krzie> that should generate a nice sized storm of arps for you 18:43 < HardDisk_WP> k 18:43 < HardDisk_WP> thx 18:43 < krzie> np 18:47 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Leaving"] 19:00 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:18 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 19:18 < xp_prg> can openvpn throttle traffic? 19:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 19:31 -!- vvpalin [n=vvpalin@fay.dreamhost.com] has quit [Remote closed the connection] 19:33 < krzie> xp_prg yes 19:33 < krzie> see --shaper 20:58 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:07 -!- dKingston [n=dKingsto@unaffiliated/dkingston] has quit [Remote closed the connection] 21:46 -!- neteffect [n=yeah@pool-71-251-75-77.tampfl.fios.verizon.net] has joined ##openvpn 21:46 < neteffect> hi 23:26 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn 23:33 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 23:44 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 23:45 -!- kevin__ is now known as canadaeh --- Day changed Sat Jun 20 2009 00:26 -!- mwdmeyer [n=mwdmeyer@marian.lttd.net] has joined ##openvpn 00:26 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 00:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined 
##openvpn 00:33 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit ["This computer has gone to sleep"] 00:35 -!- mwdmeyer [n=mwdmeyer@marian.lttd.net] has quit [Client Quit] 00:35 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 02:51 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 04:04 -!- c64zottel [n=hans@p5B17959A.dip0.t-ipconnect.de] has joined ##openvpn 04:19 -!- firespeaker [n=jonathan@77-235-31-6.mega.kg] has joined ##openvpn 04:20 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 60 (Operation timed out)] 04:20 < firespeaker> !howto 04:20 < vpnHelper> firespeaker: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:34 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn 05:07 < firespeaker> how would I open a port for vpn in debian? 05:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:19 -!- bob__ [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn 05:20 < bob__> hi - i'm having loads of trouble setting up openvpn. We have a server with a single network interface, and we're trying to connect multiple remote clients to multiple remote servers 05:20 < bob__> is there anything in parciular i need to google for 05:20 < bob__> ive been through the howto's, but I cant get it working 05:21 < bob__> we have an existing openvpn deployment, but thats bridging internal/external interfaces, so it wasn't difficult to setup, but we need another deployment for another site 05:24 < bob__> oh, just read all the topic 05:24 < bob__> !route 05:24 < vpnHelper> bob__: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:25 < bob__> !howto 05:25 < vpnHelper> bob__: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto
05:36 < krzee> you just make another client for the new location, and use !route to make the whole lan accessible
05:36 < krzee> time for me to sleep tho
05:41 < bob__> got it working, thanks
05:42 < bob__> is there any way to tell openvpn to run a script once it has connected, and another when it has disconnected?
05:42 < bob__> there's up and down, but as far as i can tell, thats pre-connect and pre-disconnect
05:42 < bob__> not sure though
06:08 -!- lost_and_unfound [n=chatzill@dsl-247-86-38.telkomadsl.co.za] has joined ##openvpn
06:12 < lost_and_unfound> greetings all, I have 2 pppoe connections, I use /usr/sbin/ppp and its (ppp) native nat function. I can successfully connect to an outside OpenVPN server. I do however have problems trying to access the external VPN server from a node inside my network. It appears like a NAT type problem. What would you suggest for nat routing? i cannot use IP tables, as I am running FreeBSD
06:31 < Bushmills> lost_and_unfound, from internal net, NAT shouldn't be required. having a proper route on gateway/openvpn client should do.
06:32 < Bushmills> if openvpn client is also gateway, that's the only machine in need of a route. if gateway and openvpn client are different machines on the same network, preferably clients
06:32 < Bushmills> .. client need a route with openvpn client as gateway to the net behind openvpn server
06:34 < lost_and_unfound> Bushmills: thanks for the input, would like to run a few things past you, just going to double check with all the configs I have and your statements here to ensure I am on the same page
06:38 < lost_and_unfound> Bushmills: this is a breakdown of the setup i have: [node1 node2] -> gateway/openvpn client -> *internets* <- openvpn server <- [nodeX nodeY ]... gateway / open VPN can communicate with nodeX and nodeY ... but node1 and node2 cannot connect to nodeX/Y ... that is why i thought it might be a nat problem
06:39 < Bushmills> lost_and_unfound, use traceroute or mtr, to see where packets get stuck
06:41 < lost_and_unfound> Bushmills: tracert on the gateway -> nodeX is fine. tracert from node1 to nodeX gets lost at gateway. It is as if the gateway is not routing it correctly.
06:43 < Bushmills> but gateway can talk to server or nodeX, nodeY?
06:43 < lost_and_unfound> yes it can
06:43 < Bushmills> you may have forgotten to enable ip forwarding
06:45 < lost_and_unfound> I have not enabled any ipforwarding since i installed the ovpn. Are there any preferences for FreeBSD ?
06:45 < lost_and_unfound> I thought that the IP would be routed through the route tables
06:46 < lost_and_unfound> http://www.pastie.org/518463 here is a snippet of my routing table
06:47 < Bushmills> can't tell you where to enable ip forwarding on BSD. if there's any similarity to the proc file system as it exists on Linux, it could be echo 1 > /proc/sys/net/ipv4/ip_forward
06:47 < Bushmills> routing seems ok, as the gateway does route through openvpn
06:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:48 < lost_and_unfound> Bushmills: thanks I will look and find out how to enable it on FreeBSD, however, was I wrong in my assumption about the routing ? that is, if the IP is in the routing table it would / should use an interface ?
06:49 < Bushmills> there probably are, at the end of the truncated lines
06:50 < Bushmills> oh right, they're not truncated, I had to scroll the screen
06:52 < lost_and_unfound> ok, I just checked, my ipforwarding is enabled... hmmm... ok... thanks for the help, going to see if there is not anything stupid i did / missed in the configs before i continue on a wild goose chase.. thanks for the input so far =]
06:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
06:53 < Bushmills> also, disable firewall completely while testing
06:56 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has joined ##openvpn
06:58 -!- firespeaker [n=jonathan@77-235-31-6.mega.kg] has left ##openvpn []
06:58 -!- barbosa [n=barbosa@189.27.49.223] has quit [Read error: 110 (Connection timed out)]
06:58 -!- barbosa [n=barbosa@189.114.39.39] has joined ##openvpn
06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
07:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:12 < neteffect> hi
07:13 < neteffect> i have to access a nas device at work.
07:15 * Bushmills isn't sure whether cheering, applauding or starting La'Ola would be the most appropriate response
07:19 < neteffect> heh
07:22 < thedoc> i've had 2 different hosts run nmap on a remote host and both outputs are different, anyone might have an idea why one host is showing ms-rpc services in its output and the other doesn't? said target box is running linux.
07:22 < thedoc> anyone can help on the above scenario?
07:22 -!- c64zottel [n=hans@p5B17959A.dip0.t-ipconnect.de] has left ##openvpn []
07:26 < neteffect> so i want a tap device?
07:32 < Bushmills> nas is tcp. default tcp/8000 iirc?
07:34 < neteffect> oh i mean nas is network accessible storage
07:34 < neteffect> is that what u meant?
07:34 < neteffect> it's one of those snap servers, they used to be made by adaptec
07:36 < Bushmills> no, i thought you meant network audio system
07:37 < neteffect> heh sorry
07:37 < Bushmills> but it's also an acronym for network attached storage
07:37 < Bushmills> not sure whether your network accessible ... is same as network attached ...
07:43 < neteffect> heh
07:43 < neteffect> it's just a server we have at work
07:43 < neteffect> i was able to browse its network but couldn't connect with it
07:43 < neteffect> i had a general question... this snap server, if its address is 192.168.2.1, will it serve someone from 192.168.3.x?
07:44 < neteffect> or do those kinds of things just serve their own network type deal?
07:52 < neteffect> bbl take care man
08:26 < lost_and_unfound> Bushmills: would you have a few minutes spare ? just would like to run something past you?
08:27 < Bushmills> do you need a signed contract?
08:27 < lost_and_unfound> na, just a second opinion =]
08:27 < Bushmills> without contract, I won't commit to anything
08:28 * lost_and_unfound passes contract with heads of agreement. LOI and estimated ROI stats
08:28 < Bushmills> written in Afrikaans :)
08:29 < lost_and_unfound> written in Afrikaans =]
08:29 < Bushmills> I agree to that
08:31 < lost_and_unfound> i am very noob at openvpn.. last night was first encounter... the server i am connecting to assigns me an IP 10.1.1.6 when i connect. The VPN itself as (nodeX) runs on IP 10.0.0.100 ... now on my personal network i can ping 10.1.1.6, but cannot ping 10.0.0.100 ... is it the server that assigns the IP incorrectly ?
08:32 < Bushmills> indeed
08:33 < Bushmills> what's the netmask?
08:33 < lost_and_unfound> so the open vpn with 1 scopes... 10.1.1.6(subnet 255.255.255.252) not sure about the 10.0.0.0 scope
08:33 < lost_and_unfound> 1 - 2 scopes
08:34 < lost_and_unfound> i dont understand why the server assigns 2 ip scopes... and with 2 different netmasks as well
08:35 < Bushmills> server has a vpn ip address which appears to be outside the net which client sees as vpn net
08:35 < Bushmills> (which is not necessarily wrong but may introduce complications)
08:36 < lost_and_unfound> ok.. so if i understand this correct, the vpn has 2 ip scopes .. like a "WAN and LAN" <-- in concept
08:37 < Bushmills> no, not necessarily. actually, not even usually
08:37 < Bushmills> common config has vpn server and clients within the same net
08:38 < lost_and_unfound> hmmm... so it _could_ be an incorrect config on the server side ... or a 'more complex' setup
08:38 < Bushmills> (net as "range of ip addresses", not as in "on the same wire")
08:38 < Bushmills> yes, that is quite possible
08:38 < lost_and_unfound> hmmm... ok...
08:39 < Bushmills> try to assign client addresses which are in the same subnet as the vpn net and server
08:39 < Bushmills> chances are that your problems evaporate
08:40 < Bushmills> ehm stop. not clients.
08:40 < lost_and_unfound> ok, will give it a try... i have not touched the server side itself, but the ips assigned, is that given by a dhcp server or the openvpn server ?
08:40 < Bushmills> *the* client, i.e. your local gateway
08:40 < Bushmills> addresses assigned by openvpn server
08:41 < Bushmills> matter of config
08:41 < Bushmills> !ccd
08:41 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
08:41 < Bushmills> for fixing them per client
08:42 < lost_and_unfound> Bushmills: thanks, let me first have a look with the current info you provided, I have a better understanding of the VPN now, that generally makes configuring easier as well =]
08:43 < lost_and_unfound> thank you for your time and energy =]
08:43 < Bushmills> you're welcome, good luck
08:43 < lost_and_unfound> hehehe.. going to need the luck =]
09:35 -!- slind [n=slind@85.220.138.38] has joined ##openvpn
09:35 < slind> !logs
09:35 < vpnHelper> slind: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:37 < slind> Hello. I'm trying to setup an openvpn in bridge mode (on debian lenny) ... after executing the sample script "bridge-start" the server is no longer accessible :-(
09:38 < slind> ..but on local lan i'm still able to connect via ssh
09:40 < slind> now i realized that the server cannot reach the internet :-/ after a reboot everything is ok until i rerun "bridge-start"
09:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
09:45 -!- hkais [n=xenoadmi@p5B20790D.dip.t-dialin.net] has joined ##openvpn
09:46 < hkais> hello
09:46 < slind> hello
09:46 < hkais> I am struggling with openvpn and a vmware
09:47 < slind> no expert seems to read here atm
09:47 < slind> i also have a problem
09:47 < hkais> I have a vmware server running on a rootserver. I am connecting with openvpn to the vmware-server's eth0 (official IP). I have additionally a vmnet1 (hostonly) interface. Now I want to be able to reach also the net on the vmnet1
09:48 < hkais> vmnet1: 10.100.1.0/24. || my client: 10.11.12.180/24 connected with openvpn
09:48 < hkais> but I cannot ping the 10.100.1.10 which is a vmware-guest on the root-server
09:58 < Bushmills> hkais, you may have to enable ip forwarding on the host.
09:58 < Bushmills> assuming it has a route to the vmware guest already
09:59 < hkais> Bushmills: already activated
10:02 < hkais> and a route on the vmware-host:
10:02 < hkais> 10.100.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vmnet1
10:02 < Bushmills> if you traceroute the vmware guest from the openvpn client, where does it end?
10:04 < Bushmills> (and, does traceroute go through openvpn?)
10:05 < hkais> ahh good point, moment
10:06 < slind> Bushmills, can you help me too?
10:07 < Bushmills> slind, sorry, i'm pretty short with cash myself
10:07 < slind> ok
10:09 < hkais> http://pastebin.com/m25a32e6
10:09 < hkais> here the setup
10:10 < hkais> the traceroute ends at 10.200.1.1 or 10.100.1.1
10:12 < Bushmills> hkais, does client have a route to vmware guest, using openvpn server as gateway?
10:12 < hkais> 10.100.1.0 10.200.1.17 255.255.255.0 UG 0 0 0 tun0
10:13 < hkais> this is the route of the client
10:13 < hkais> 10.200.1.0 10.200.1.17 255.255.255.0 UG 0 0 0 tun0
10:13 < hkais> 10.200.1.17 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10:13 < hkais> and this
10:14 < Bushmills> "openvpn-net 10.200.1.1" .. why 10.200.1.17?
10:14 < hkais> and here the traceroute output
10:14 < hkais> traceroute to 10.100.1.10 (10.100.1.10), 30 hops max, 60 byte packets
10:14 < hkais> 1 10.200.1.1 (10.200.1.1) 19.280 ms 20.880 ms 22.415 ms
10:14 < hkais> 2 * * *
10:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:15 < hkais> sorry bullshit on my figure in pastebin. the clients ip is 10.200.1.17
10:16 < Bushmills> ehm.. that's the client peer address, i think
10:16 < Bushmills> i.e. server
10:16 < hkais> yes: tun0 inet addr:10.200.1.18 P-t-P:10.200.1.17 Mask:255.255.255.255
10:17 < Bushmills> ehm. "the clients ip is 10.200.1.17" i'm a bit confused now
10:18 < hkais> okay sorry for the confusion: ifconfig reports tun0 inet addr:10.200.1.18 P-t-P:10.200.1.17 Mask:255.255.255.255
10:18 < hkais> And i am now also a little bit confused, due to a not running vpn/vmnet1.
10:19 < hkais> I think I have setup the vpn incl. the routes properly on the client, but ...
10:21 < Bushmills> yes, seems right on client. you could verify, by pinging vmware client from openvpn client, and observer incoming packets on openvpn server tun0 interface
10:21 < Bushmills> observe
10:22 < Bushmills> if those show there, client routes should be fine
10:24 < hkais> here an update: http://pastebin.com/m54f091b1
10:24 < Bushmills> in which case i'd disable firewall on server completely, for testing purposes. if that's not possible, block incoming eth0 only, except openvpn traffic. allow all remaining traffic
10:25 < hkais> I already watched the tun0 on the root-server, no packets if I ping from openvpn-client. If I ping locally the packets arrive at tun0
10:27 < hkais> the link now has also all routes (client and server)
10:28 < Bushmills> but traceroute from openvpn client indicates that packets reach openvpn server: 1 10.200.1.1 (10.200.1.1)
10:29 < Bushmills> i wonder why you shouldn't see echo requests there
10:30 < Bushmills> firewall, possibly
10:30 < hkais> Bushmills: there is a firewall setup. moment
10:35 < hkais> ouch. here is an autogenerated firewall. awful to read
10:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:54 < hkais> pretty strange. just restarting the machine, due to misconfigurations by me right now. pings from vmnet1 to tun0 and vice versa are not going through...
11:06 < hkais> seems as i am too stupid...
11:06 < hkais> cannot figure it out
12:19 -!- Rajko [n=Rajko@cable-87-116-183-140.dynamic.sbb.rs] has joined ##openvpn
12:19 < Rajko> how good is the ipv6 support in openvpn
12:20 < Rajko> because my openvpn server has native ipv6 connectivity, could the openvpn client receive that connectivity as well ?
12:20 < ecrist> yes, but you need to use dev tap, not dev tu
12:20 < ecrist> tun*
12:22 < Rajko> but dev tap doesnt work.
12:23 < ecrist> ok, whatever. you can't use tun devices in openvpn for IPv6 connectivity. You need to use tap (bridged). whether you say it works or not, that's how you've got to do it.
12:24 < ecrist> unless you want to build a gif tunnel over your gif tunnel to tunnel traffic over another tunnel.
12:24 < Rajko> http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en
12:24 < vpnHelper> Title: JOIN Homepage -- Howto: OpenVPN IPv6 Tunnel Broker Guide (at www.join.uni-muenster.de)
12:24 < Rajko> says there that either will work
12:25 < ecrist> then why the fuck are you asking here?
12:25 < Rajko> isnt ipv6 supported on ptp interfaces ?
12:26 < ecrist> yes, but it's not supported in openvpn yet.
12:26 < ecrist> the page you link above indicates bridged interfaces.
12:27 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:27 < ecrist> let me rephrase. they mention tun and tap, but the rest of the documentation references configuration scripts usually associated with bridged interfaces.
12:28 < Rajko> dev tun
12:28 < Rajko> tun-ipv6
12:28 * ecrist leaves
12:28 < Rajko> im confused ?
12:32 < Rajko> it says that tun-ipv6 device supports both ipv4 and ipv6
12:41 < neteffect> hello
12:41 < neteffect> i need to access snap server 110 at work
12:48 < neteffect> it's like 192.168.4.1
12:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:51 -!- hkais [n=xenoadmi@p5B20790D.dip.t-dialin.net] has left ##openvpn []
12:53 < neteffect> so how do i hook this up?
13:02 < neteffect> so ok keys and stuff are in c:\Program Files\OpenVPN\log\
13:03 < neteffect> er config
13:03 < neteffect> ok gonna download it now
13:05 < neteffect> http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
13:05 < neteffect> right?
13:07 -!- barbosa [n=barbosa@189.114.39.39] has quit [Read error: 60 (Operation timed out)]
13:13 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
13:21 -!- barbosa [n=barbosa@201.86.188.166.dynamic.adsl.gvt.net.br] has joined ##openvpn
13:30 < slind> ecrist: When i start my bridged openvpn-server, my routes are corrupt: http://paste.debian.net/39769/
13:31 < slind> ecrist: do you have an idea why this happens?
13:49 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
13:49 < zhaena> :)
14:21 < krzie> your bridge vpn should do nothing to routes
14:23 < zhaena> thanks again krzie :)
14:24 < krzie> for what?
14:24 < krzie> sorry the memory aint all that great
14:24 < zhaena> yesterday's help with upgrading my openvpn, silly!
14:24 < krzie> ahh =]
14:24 < zhaena> it was for this purpose http://www.anonet.org
14:24 < vpnHelper> Title: anoNet: Cooperative Chaos - now with added IPv6 goodness! (at www.anonet.org)
14:25 < zhaena> but the keys and all seem to have expired on me :-(
14:26 < zhaena> hey! how'd that vpnHelper know that????
14:27 < krzie> your CA machine or one of the boxes have their time off
14:27 < krzie> try sudo ntpdate time.nist.gov
14:27 < zhaena> *pulling out my hair* arrrgggghhhh!!!!
14:28 < krzie> im a lil buzzed from the wedding party i was just at
14:28 < zhaena> oh cool! :)
14:28 < zhaena> who got hitched? :)
14:28 < krzie> 2 people i didnt know
14:28 < krzie> but my gf did
14:28 < zhaena> lol oh dear
14:28 < krzie> ya but they were cool
14:29 < zhaena> well there's always champagne
14:29 < zhaena> my time is off?
14:29 < krzie> well its all based on time
14:29 < krzie> double check the time on every machine involved including CA signing machine
14:29 < zhaena> hmm....i sense an openVPN lesson a'comin.......
14:30 < krzie> one is off, or was off
14:30 < krzie> if it was, then you need to re-make your certs
14:30 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
14:30 < zhaena> dood - i'll take ya word for it hold on - and i need to erase all these saved certs and all of that
14:30 < krzie> well first wait
14:31 < krzie> it might not have been the CA
14:31 < krzie> check all the times before deleting anything
14:31 < krzie> you only need new certs if the CA signing box was off
14:32 -!- slind [n=slind@85.220.138.38] has quit [Read error: 110 (Connection timed out)]
14:38 < zhaena> 20 Jun 15:37:46 ntpdate[17836]: the NTP socket is in use, exiting
14:44 < zhaena> this is what it says
14:44 < zhaena> i'll put it in the pastebin instead
14:45 < krzie> is ntpd already running?
14:45 < krzie> ps auxw|grep ntp
14:46 < zhaena> yes i stopped via killall and re-initialized
14:46 < zhaena> killall ntpd
14:46 < krzie> if ntpd was running that box is fine
14:46 < krzie> or at least should be
14:46 < krzie> unless its set to sync to a dead server or something
14:47 < zhaena> it re-init'd just fine, but the pastebin shows the output
14:47 < zhaena> of the openvpn
14:47 < krzie> ok ill look when its pastebin'ed
14:47 < krzie> and thx for using pastebin and not flooding
14:48 < zhaena> :) i am an avid learner who pays much attention ;-)
14:50 < krzie> =]
14:51 < krzie> there is no better way to be
14:55 < zhaena> http://pastebin.com/m14606ab3
14:55 < krzie> #
14:55 < krzie> Sat Jun 20 15:42:42 2009 us=788474 Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
14:55 < krzie> you must point to the right file
14:56 < zhaena> hmm.....i only did what they said to do on the site :-(
14:56 < zhaena> one moment
14:58 < krzie> then you may have made the cert right
14:58 < krzie> you just need to point to it in the config
14:58 < krzie> try using full paths to the file
14:58 < krzie> i always do
15:00 < zhaena> i'm gonna sound like a bigger dunce than i already do
15:01 < zhaena> but could u show me what you mean? :-o
15:01 < krzie> !sample
15:01 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
15:01 < zhaena> ok
15:03 < zhaena> hmm, am i to write this in the old config of the site?
15:03 < krzie> just look how i specify files
15:03 < krzie> i start from root dir
15:03 < zhaena> oh! ok
15:04 < krzie> instead of client.crt its /path/to/client.crt
15:04 < zhaena> ohhh!! :))
15:06 < krzie> =]
15:11 < zhaena> lots of RWWWWW goin on
15:12 < krzie> R = read, W = write
15:12 < zhaena> ok
15:12 < krzie> only happens with high level verbosity
15:12 < krzie> good for debug
15:14 < zhaena> is it normal for it to repeat it over and over?
15:15 < krzie> yes
15:15 < zhaena> ok :))
15:15 < krzie> somewhere in there it either succeeded or failed
15:15 < krzie> a ping can tell you
15:15 < zhaena> ok
15:16 < krzie> and when we finish, lower the verb in the config
15:16 < krzie> you are at at least 5 or 6
15:16 < krzie> after we finish, take it to 4
15:16 < zhaena> ok
15:22 < zhaena> it keeps saying this over and over and over
15:22 < zhaena> http://pastebin.com/m77ab222d
15:22 < krzie> have you tested with ping yet?
15:22 < zhaena> oops lemme do that
15:23 < krzie> and look at server log
15:23 < krzie> ping wont work
15:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
15:37 < zhaena> is it ok to ask which folder holds the server log?
15:37 < krzie> prolly logs through syslog
15:37 < krzie> oh wait you dont run the server
15:37 < zhaena> syslog...ok......
15:37 < zhaena> no
15:37 < krzie> i have no clue what the problem is if i cant see the servers log
15:38 < krzie> the error will be there
15:38 < zhaena> ah well *shrugs*
15:38 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn
15:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
15:50 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Leaving"]
16:06 < neteffect> hi :)
16:07 < neteffect> so can openvpn help me access the server at work?
16:07 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
16:08 < krzie> did the admin give permission?
16:08 < neteffect> yes i am the admin
16:08 < krzie> cause you will need him to add a route to the router or the server
16:08 < krzie> then yes
16:08 < krzie> !route
16:08 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:08 < neteffect> cool. the server at work is like 192.168.4.1
16:09 < neteffect> hehe
16:21 < neteffect> it's a network storage device
16:22 < krzie> oh was that you who pasted the link to that NAS that runs linux that they run ovpn on 2 days ago?
16:22 < krzie> thing looked decent
16:22 < krzie> like a lil linksys type deal with usb ports
16:22 < krzie> that can be modded a bit
16:22 < neteffect> "snap server 110" we have
16:22 < krzie> ahh thats something else
16:23 < krzie> but ya ive played with some snap
16:23 < krzie> hate them, lol
16:23 < neteffect> oh cool tho
16:23 < krzie> they hold back the hardware on purpose to stop serious upgrades
16:25 < neteffect> will i be able to access the snap server?
16:26 < krzie> sure
16:26 < krzie> whether its SMB or NFS, it will work
16:26 < krzie> although with SMB you'll need wins or use ip address to use tun (which you should use)
16:26 < neteffect> windows xp
16:27 < neteffect> ok
16:31 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has left ##openvpn []
16:33 < pekster> No need for WINS if DNS is set up
16:33 < krzie> smb doesnt use dns
16:33 < pekster> Funny, at the office the corporate VPN works just fine with \\servername\share when I don't push WINS
16:33 < krzie> at least to my knowledge
16:33 < krzie> ok then
16:34 < krzie> i dont use windows, ill trust ya
16:42 < Rajko> my smb server cant be related by name :(
16:42 < Rajko> or be visible in workgroup
16:45 -!- Rajko [n=Rajko@cable-87-116-183-140.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
16:46 -!- Diddi [i=diddi@zebra.bsnet.se] has joined ##openvpn
16:47 -!- Rajko [n=Rajko@cable-87-116-183-140.dynamic.sbb.rs] has joined ##openvpn
16:48 < Diddi> hi there! I'm a bit curious about how my setup will work, if at all, then how. Scenario: I want to have multiple openvpn-servers, each connected with each other. all roadwarriors shall have their own key for connection, as usual. But I want the roadwarrior to be able to connect to any of these openvpn-servers.
16:49 < Diddi> so my question really is, how does key-authentication work for more than one server? is it possible?
16:49 < Diddi> i'm a bit new to the concept (:
16:50 < krzie> im staying away from that scenario
16:51 < Diddi> I guess it has to do with having a centralized CA. but I don't know how to make this setup.. is it openvpn-specific or openssl-specific? (making out-of-the-blue thought)
16:51 < Diddi> krzie: why is that?
16:52 < krzie> cause you want every location to be a server, and interconnected
16:52 < krzie> which is a PITA unless you already know openvpn
16:52 < krzie> and would most often be pointless
16:53 < Diddi> I rather want nodes to be servers.. and then having clients connect to their closest node, which in turn is interconnected
16:53 < krzie> right
16:53 < krzie> have fun with that
16:53 < krzie> im staying away from that scenario
16:53 < Diddi> (:
16:54 < krzie> can it be done? yes
16:54 < krzie> is it how openvpn was made to work? no
16:54 < krzie> you'd basically have 2 completely separate networks
16:54 < krzie> 1 for linking the server machines
16:55 < krzie> well no i take that back
16:55 < krzie> youd have 1 network for that
16:55 < krzie> and then 1 each for each server for road warriors
16:55 < krzie> then you get to make sure each can communicate with others through routing techniques
16:55 < krzie> for that you can see !route
16:55 < krzie> but dont expect me personally to help at all with that
16:56 < krzie> maybe others will tho
16:56 < Diddi> oh no, that I'll figure myself
16:56 < krzie> each server will get a ptp link with other server(s)
16:56 < Diddi> what I don't seem to find an answer to, is how a client could connect to different servers using the same key
16:57 < Diddi> and having those keys nicely synced
16:57 < krzie> umm, if each server uses the same certs, it will allow the same certs
16:57 < krzie> the server cert was signed by same CA as client, it connects
16:57 < Diddi> oh, i see
16:57 < krzie> even with multiple servers signed as servers by the CA
16:57 < krzie> and client signed by same CA can connect
16:57 < krzie> s/and/any
16:58 < Diddi> that was a bit simpler than I thought
16:58 < krzie> ya, thats simple because of how PKI works
16:58 < krzie> but the rest of what you want will make up for the simpleness of that
16:59 < Diddi> nah, it's not that hard to make... bridging and routing will help me with that (:
17:00 < krzie> remember bridging opens you up to layer2 attacks
17:00 < krzie> as well as extra overhead
17:00 < krzie> and anything you need to know for routing with ovpn is in !route
17:00 < krzie> !route
17:00 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:00 < Diddi> yeah, that I'm aware of (:
17:01 < Diddi> thanks for the help, krzie
17:01 < krzie> yw
17:04 < neteffect> i dont understand what to do next
17:08 < neteffect> i need to use tun, and that is for bridging?
17:11 < krzie> !tunortap
17:11 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead.
17:13 < neteffect> oh
17:16 < neteffect> well im trying to access a server at work
17:16 < neteffect> do i need level2 traffic?
17:23 < neteffect> it says bridging is the solution for road warriors
17:24 < krzie> "it" must not be the openvpn howto
17:24 < krzie> because bridging is only the solution when you need layer2
17:24 < krzie> aka a protocol destined for mac address as opposed to IP address
17:24 < neteffect> http://openvpn.net/index.php/open-source/faq.html#bridge1
17:24 < vpnHelper> Title: FAQ (at openvpn.net)
17:25 < neteffect> so you don't favor bridging?
17:25 < krzie> because bridging is only the solution when you need layer2
17:25 < krzie> i favor it when you need layer2 traffic ONLY
17:25 < neteffect> oh
17:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
17:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:30 < neteffect> so bridging allows netbios filesharing and network neighborhood browsing to work
17:33 < krzie> yes, so does running wins
17:33 < neteffect> i wonder if we need that
17:34 < krzie> and according to Rajko so does correctly configuring DNS
17:34 < Rajko> what
17:34 < Rajko> i never said anything
17:34 < pekster> NBNS is a L2 protocol; WINS / DNS are not
17:36 < krzie> Rajko my bad it was pekster
17:36 < krzie> right pekster, which is why i'd suggest setting up wins or dns over going to bridged
17:36 < pekster> Indeed
17:36 < krzie> same goal, less overhead
17:36 < krzie> and more secure imho
17:38 < neteffect> nah we don't need to browse
17:42 < krzie> you gunna run ovpn on the server you need to access?
17:42 < neteffect> um it's just a device
17:42 < krzie> will the openvpn node on that lan be server or client?
17:43 < neteffect> server
17:43 < krzie> so you just push a route to the lan
17:43 < krzie> and make sure its router has a route back to vpn
17:43 < krzie> as shown in !route
17:43 < neteffect> !route
17:43 < vpnHelper> neteffect: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:44 < neteffect> so the lan will send me 192.168.4.1 packets and think that i'm on that network and serve me?
17:44 < krzie> it wont think you're on that network
17:44 < krzie> but it will serve you
17:44 < neteffect> ok
17:44 < krzie> because you will have setup all routes correctly
17:47 < neteffect> so remotely i can map a network drive like \\server\share?
17:47 < krzie> \\192.168.4.1\share 17:49 < neteffect> so packets will come from the server/device thing, and go through the vpn of the box i can access? 17:49 < krzie> huh? 17:49 < neteffect> the server is just a device thing. it's not a computer. 17:49 < krzie> does not matter 17:49 < neteffect> k 17:49 -!- master_of_master [i=master_o@p549D5719.dip.t-dialin.net] has quit [Connection timed out] 17:50 < krzie> it still works on networks 17:50 < krzie> meaning routing will affect it 17:50 < neteffect> cool 17:50 < neteffect> yeah i have access to this one box, 192.168.4.100 17:50 < neteffect> gonna put vpn on that and my home box 17:53 -!- master_of_master [i=master_o@p549D51C6.dip.t-dialin.net] has joined ##openvpn 18:00 < neteffect> where does the internet ip address go in config? 18:01 < krzie> !sample 18:01 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:01 < neteffect> k 18:01 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 18:01 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has joined ##openvpn 18:12 < neteffect> this server is behind a modem router 18:17 < neteffect> so on the box at work i can access, i'd put local 192.168.4.100 18:25 < neteffect> route-gateway 192.168.4.1 18:25 -!- Diddi [i=diddi@zebra.bsnet.se] has left ##openvpn [] 18:26 < neteffect> it says that's the gateway in ipconfig... but we have comcrap at work, so that's not it 18:27 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn 18:27 < krzie> route-gateway 192.168.4.1 18:27 < krzie> leave that out 18:27 < krzie> you dont need it 18:27 < neteffect> oh 18:28 < krzie> you need !sample and !route 18:28 < neteffect> k 18:33 < neteffect> remote 66.249.82.82 18:34 < neteffect> is that how you specify the ip for the server? 18:34 < krzie> you're wasting your questions on overly documented stuff 18:35 < neteffect> oh 18:45 < neteffect> where does the internet address go?
18:49 < krzie> well 18:50 < krzie> local can only be an ip the machine using it can bind to 18:50 < krzie> and remote can only be the ip that can be reached over the internet 18:50 < krzie> local goes on server 18:50 < krzie> remote goes on client to connect to the server 18:50 < krzie> so remote 18:50 < krzie> local 18:51 < krzie> !man 18:51 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:51 < neteffect> k 18:54 < krzie> dont mind me, im just in one of my moods ;] 18:54 < neteffect> sok ur good, thx 18:54 < krzie> been happening lately, thats how i know its time for me to take another vacation 18:56 < neteffect> ok the server is behind a comcast modem/router, so it's not directly on the internet 18:57 < neteffect> so there must be nat going on, does that matter? 19:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 19:27 < neteffect> so at work will i have to open port 1194 and send packets to that openvpn server box? 19:32 < neteffect> like at work, a packet is gonna come in from my house, and it's gonna be port 1194... so how does the modem/router know to send it to my 192.168.4.100 box at work there? 19:36 -!- bitrot [n=Rajko@wan.rajko.info] has joined ##openvpn 19:36 < neteffect> hi 19:38 -!- troy- is now known as troy 19:41 < krzie> port forwarding 19:42 < krzie> that is a VERY basic networking question 19:42 < neteffect> ok 19:42 < krzie> which would be the same for any service whatsoever 19:42 < neteffect> so i do have to forward 1194 to my box inside the work network? 19:42 < krzie> what you will be doing is advanced networking, and didnt you say you're the admin? 19:42 < neteffect> yeah 19:42 < krzie> if you arent the admin, you wont be able to do this without access to add a route on the gateway for that network 19:43 < neteffect> yeah i can login to router 19:43 < neteffect> np 19:44 < neteffect> so... then i was right? log in to router at work, forward all 1194 to my 192.168.4.100 box? 19:45 < neteffect> lessee won't have to do outgoing then 19:45 < neteffect> ah and my modem/router here at home, must have to do the same 19:53 -!- Rajko [n=Rajko@cable-87-116-183-140.dynamic.sbb.rs] has quit [Read error: 110 (Connection timed out)] 19:54 < krzie> only the side receiving incoming connections needs an open port 19:54 < neteffect> ok 19:54 < krzie> how big is your office? 19:55 < neteffect> just 5 computers 19:55 < krzie> ahh ok 19:57 < neteffect> i don't need 1701 right, i need 1194 19:58 < krzie> doesnt matter 19:58 < krzie> i dont think you're ready for openvpn to be honest 19:58 < neteffect> why do you say that 19:59 < krzie> we've been talking at least an hour and we have not got past the idea of port forwarding 19:59 < krzie> this is NOT a point and click application 19:59 < krzie> and it requires semi-advanced knowledge of networking 20:00 < neteffect> it's not that bad 20:00 < krzie> how would you know? 20:00 < krzie> hehe 20:00 < neteffect> heh 20:01 < neteffect> i'll keep trying oh well 20:02 < krzie> sure, cant hurt 20:02 < neteffect> thx tho for ur help 20:02 < krzie> worst thing that will happen is it takes you awhile but you learn a bit 20:02 < krzie> !howto 20:02 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:02 < krzie> !man 20:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:03 < krzie> those will help 20:03 < neteffect> cool 20:03 < krzie> in the manual, you will want to read every option from my cample configs 20:03 < krzie> sample configs 20:03 < neteffect> sure, ok 20:07 < neteffect> ok so anyway, i do need to open 1194 at work?
20:08 < krzie> if thats the port you forward to the box 20:08 < neteffect> yeah 20:08 < neteffect> 1194 packets will be forwarded to my openvpn box 192.168.4.100 at work 20:16 < neteffect> woo hoo 21:16 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has joined ##openvpn 21:17 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has quit [Client Quit] 21:28 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has joined ##openvpn 21:29 -!- p3ri0d [i=p3ri0d@200.2.152.41] has joined ##openvpn 21:40 -!- p3ri0d [i=p3ri0d@200.2.152.41] has quit ["Leaving"] 22:07 -!- troy is now known as troy- 22:46 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has quit [Read error: 110 (Connection timed out)] 23:06 -!- jfkw [n=jtk@75-94-107-246.roc.clearwire-dns.net] has quit ["leaving"] 23:07 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has joined ##openvpn 23:10 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has quit ["Ex-Chat"] 23:10 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has joined ##openvpn 23:12 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has quit [Client Quit] 23:12 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has joined ##openvpn 23:13 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has quit [Client Quit] 23:13 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has joined ##openvpn 23:13 < neteffect> i'm watching The Holy Mountain 23:13 < hookdr_> good show 23:13 < neteffect> it's weird 23:14 < hookdr_> a continuing point less journey 23:14 < neteffect> heh 23:39 -!- troy- is now known as troy 23:50 -!- hookdr_ [n=robin@static24-72-14-254.reverse.accesscomm.ca] has quit ["Ex-Chat"] 23:50 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn --- Day changed Sun Jun 21 2009 00:36 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has joined ##openvpn 00:53 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"] 00:57 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has quit ["Leaving..."] 02:53 -!- c64zottel [n=hans@p5B17B003.dip0.t-ipconnect.de] has joined ##openvpn 03:05 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has joined ##openvpn 03:19 -!- bootlaces [n=david@222-152-146-89.jetstream.xtra.co.nz] has quit [] 03:32 < Gumbler> hm 03:32 < Gumbler> anyone here who speaks German? :p 03:33 < magic_1> some some 03:34 < magic_1> i am afrikaans 03:34 < magic_1> it is derived from duetsch 03:34 < magic_1> pm me 03:49 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has joined ##openvpn 03:50 < Folko> Hi, can anyone tell me the difference between client-connect/disconnect and learn-address, i.e. when should I use which? 04:04 -!- bob__ [n=bob@87-194-183-38.bethere.co.uk] has left ##openvpn ["Konversation terminated!"] 04:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:31 -!- gelbasack [n=gelbasac@2002:5c3f:dd98:0:0:0:0:1] has joined ##openvpn 04:40 < gelbasack> !route 04:40 < vpnHelper> gelbasack: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:45 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 04:45 < gelbasack> any ideas why openvpn server might ignore a configuration within the ccd-directory (seems right in openvpn.log) when CN matches? I assume, when ipp.txt writes an entry with the same name as the filename in ccd/ the CN does match?
04:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:16 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has quit [Read error: 110 (Connection timed out)] 05:58 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 06:11 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."] 06:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:33 -!- TolYan [n=Miranda@lan-84-240-38-218.vln.skynet.lt] has joined ##openvpn 06:33 < TolYan> !redirect 06:33 < vpnHelper> TolYan: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 06:44 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 06:47 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: magic_1, c64zottel, master_of_master, Piter, eliasp 06:47 -!- Netsplit over, joins: magic_1, c64zottel, master_of_master, Piter 06:50 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 06:59 -!- TolYan [n=Miranda@lan-84-240-38-218.vln.skynet.lt] has quit ["Bye, cya"] 07:29 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has joined ##openvpn 07:45 < neteffect> hello 07:48 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn 07:49 -!- zheng [n=zheng@114.92.132.65] has quit [Client Quit] 07:50 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn 07:53 -!- troy is now known as troy- 08:09 -!- freaky_t is now known as c1|freaky 08:11 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"] 08:28 < neteffect> hi im trying to access a server at work 08:49 < Bushmills> that's nice 08:49 < Bushmills> i'm putting the kettle on the fire, for a tea 08:51 < neteffect> :) 08:51 < neteffect> how r u doing Bushmills? 08:55 < Bushmills> fine, thanks. better now. 
09:04 < neteffect> Bushmills 09:05 < neteffect> can u look at my config and tell me stuff? 09:06 -!- bitrot [n=Rajko@wan.rajko.info] has quit [Read error: 54 (Connection reset by peer)] 09:06 -!- bitrot [n=Rajko@wan.rajko.info] has joined ##openvpn 09:06 < neteffect> can i take out the x509 cert stuff from the sample config? 09:09 < neteffect> like ca 09:09 < neteffect> ? 09:13 < ecrist> no 09:13 < ecrist> OpenvPN is an SSL vpn 09:14 < ecrist> well, let me take that back. there is a static key option 09:14 < ecrist> all of this is covered in the howto and man pages, though 09:16 < neteffect> yeah i was reading. yes i was kinda wondering if i could just use static key 09:21 -!- chrisss404_ [n=chris@84-119-52-58.dynamic.xdsl-line.inode.at] has joined ##openvpn 09:23 < neteffect> no? 09:24 < ecrist> read the docs 09:25 < neteffect> yeah i am :) 09:32 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"] 09:36 < neteffect> ecrist 09:42 < ecrist> what? 09:42 < neteffect> what r u doing? 09:42 < ecrist> what business is it of yours? 09:42 < neteffect> just wondering. say, how do you use openvpn? 09:42 < neteffect> for work, gaming, etc? 09:43 < ecrist> work 09:43 < neteffect> oh 09:45 < neteffect> will i be able to use it to access a server at work? the server isn't a computer, its one of those appliances you attach to your network...? 09:46 < ecrist> neteffect: how would I know? is OpenVPN running on the appliance? 09:46 < neteffect> no 09:49 < neteffect> so don't u use it to access stuff at work? 09:49 < thedoc> openvpn is only compatible with openvpn at the moment 09:49 < thedoc> server/client setup 09:49 < neteffect> ok 09:50 < neteffect> hi thedoc 09:50 < thedoc> hello. 09:52 < neteffect> thedoc i have this server at work, its one of those appliance things, you hook it up to your network... the server is 192.168.4.1, and i have a box on there 192.168.4.100... 09:52 < neteffect> i was wondering how to use the server with openvpn and my box so i could have the remote people map like \\server\share in windows 09:52 -!- Dougy [n=doug@160.79.78.34] has joined ##openvpn 09:52 < Dougy> who was that really cheap eurpoean provider 09:53 < Dougy> european 09:53 < Dougy> you people use 09:53 * Dougy pokes reiffert 09:53 < thedoc> neteffect, build an openvpn server and read the how-to. 09:53 < thedoc> there's a documentation on accessing LAN's behind the ovpn server 09:53 < neteffect> cool 09:54 < neteffect> k 10:01 < thedoc> question on ssh2 keys guys. 10:01 < Dougy> !notopenvpn 10:01 < vpnHelper> Dougy: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 10:01 < Dougy> =P 10:01 < thedoc> :/ 10:01 < Dougy> im just busting 10:01 < Dougy> ask 10:01 < thedoc> i just had my ssh2 keys to my openvpn server change. any idea what could have changed that? the only thing that has changed on the sshd_conf is the port number. 10:01 < Dougy> neg 10:02 < thedoc> i don't recall changing the port number would change the ssh2 keys 10:02 < Dougy> shouldnt 10:03 < thedoc> and the odd thing here is, both rootkit scanners aren't throwing up anything odd, neither is tcpdump 10:03 < thedoc> i'm quite stumped. 10:03 -!- temba [i=pommes@91-65-23-247-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)] 10:12 < ecrist> thedoc: it's because of the new port that you're being asked to re-affirm the keys 10:12 < ecrist> the keys are stored as IP:port in the know_hosts file, iirc 10:12 < thedoc> ecrist, ahhh. ok.
10:12 < thedoc> thanks:) 10:13 * thedoc was panicking and running around scanning the box 10:13 < thedoc> >_> 10:13 < neteffect> u got some sharp eyeballs there 10:14 < krzee> btw anyone with skills isnt using rootkits that scanners would find 10:14 < Dougy> lol 10:14 < krzee> scanners for rootkits are reactive, they can only find what they know about 10:14 < krzee> like a virus scanner 10:14 < thedoc> krzee, indeed 10:14 < thedoc> ;( 10:15 -!- troy- is now known as troy 10:15 < thedoc> krzee, i don't have any services running except sshd/openvpn and it's on randomized ports 10:15 < thedoc> just in case, you know, just in case ;p 10:15 < Dougy> port 8586 10:15 < thedoc> above 30000 10:15 < thedoc> i'm contemplating on dropping all traffic on port 111 though 10:16 < krzee> doc, you could always secure sshd by openvpn 10:16 < krzee> ive been meaning to do that on a couple servers 10:16 < thedoc> krzee, you can? 10:16 < krzee> sure, run sshd only on the openvpn internal ip 10:16 < thedoc> krzee, as in, only allowing ssh access via the vpn ip? 10:16 < krzee> then unless in the vpn, no sshd =] 10:16 < Dougy> unless openvpn dies 10:17 < krzee> openvpn has never died on me 10:17 < thedoc> krzee, i could do that but if ovpn dies, doesn't that mean i just got screwed royally? :) 10:17 < krzee> yes 10:17 < krzee> exactly what it would mean 10:17 < krzee> but does yours die? 10:17 < Dougy> thedoc: see.. thats the beauty of kvm over ip : 10:17 < krzee> i mean... 10:17 < Dougy> :) 10:17 < krzee> if sshd dies, same problem right? 10:17 < thedoc> well, yes. 10:17 < thedoc> same problem really. 10:18 < krzee> in which case youd say 10:18 < krzee> HEY DOUGY 10:18 < krzee> reboot it! 
10:18 < krzee> (jk dougy, pls dont reboot my box) 10:18 < thedoc> lol, if the server has to reboot, something is broken:p 10:18 < krzee> agreed 10:18 < Dougy> haha krzee 10:18 < Dougy> well if it ever does die or sshd dies or you get locked out 10:18 < Dougy> i can fix 10:18 * thedoc is in the process of building more openvpns for iranians:) 10:19 < krzee> werd 10:19 < Dougy> whats on your box that you dont want rebooted? 10:19 < Dougy> :p 10:19 < krzee> technology making speech free 10:19 < krzee> dougy, good point 10:19 < krzee> reboot it if you want 10:19 < krzee> lol 10:19 < Dougy> hahaha 10:19 < Dougy> naw 10:20 < Dougy> im just bustin' 10:20 < Dougy> decent speed for you? 10:20 < thedoc> krzee, what's weird about technology making speech free? 10:20 < krzee> not weird 10:20 < krzee> werd 10:20 < krzee> like right on 10:20 < thedoc> oh, right. 10:20 < thedoc> damn you and your slangs ;p 10:20 < Dougy> hah 10:20 < ecrist> our openvpn server is the only system we allow ssh to without being connected to the vpn 10:21 < ecrist> because openvpn does crash, occasionally 10:21 < thedoc> ecrist, by occasionally, how occasional is that? 10:22 < krzee> ecrist, why no crontab to check that its up? 10:22 < krzee> basically same crontab eggdrop used for yrs, check the pid and run if needed 10:22 < ecrist> krzee: because I like to know when it dies and go and look at why. 10:23 < ecrist> for example, we have /var/log fill up, openvpn died because it couldn't write the log file 10:23 < ecrist> a restart wouldn't have fixed it. 10:24 < Dougy> why not have a check for the logfile folder ? 10:24 * Dougy does 10:24 < ecrist> Dougy: you can't fathom the nagios setup I have. 10:24 < Dougy> oh dear 10:24 < Dougy> lol 10:24 < ecrist> trust me, I'm aware of file system status.
10:25 < Dougy> then you are lazy :P 10:25 < ecrist> for some things, particularly crashing VPN software, I prefer hands-on 10:25 < Dougy> fair nuff 10:25 < krzee> makes sense 10:25 < ecrist> Dougy: for being a lazy SOB, I sure spend a lot of time administering a certain forum that doesn't belong to me... 10:25 < Dougy> LOL 10:26 < Dougy> i do look at it at least 3 or 4 days a week 10:26 < ecrist> o.O 10:26 < ecrist> *cough*bullshit*cough* 10:26 < Dougy> i do 10:26 < Dougy> lol 10:26 < Dougy> just not logged in 10:26 < krzee> HAHAHAH 10:26 < ecrist> Dougy: from where? 10:26 < krzee> ZING 10:26 < ecrist> gimme ip or rang 10:26 < ecrist> range* 10:26 < Dougy> theres a bunch lol 10:27 < Dougy> dont know my schools ip block 10:27 < krzee> uhhh huh 10:27 < krzee> a bunch 10:27 < krzee> always changes 10:27 < Dougy> sec 10:27 < krzee> logs wont show it 10:27 < ecrist> http://www.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com 10:27 < krzee> *grin* 10:27 < vpnHelper> Title: Statistics for ovpnforum.com (2009-06) - main (at www.secure-computing.net) 10:27 < Dougy> nice traffic 10:27 < Dougy> dam 10:27 < krzee> i love awstats 10:27 < Dougy> except its inaccurate 10:27 < Dougy> from my exp 10:27 < krzee> [11:27] * [AW_BOT] (i=vpn@unaffiliated/krzee/bot/aw-bot): Awstats helper bot 10:27 < ecrist> it's inaccurate? 10:28 < krzee> ;] 10:28 < krzee> inaccurate!? 10:28 < krzee> dougy, how so 10:28 < krzee> i find it EXTREMELY accurate 10:28 < krzee> as in, it only does what you tell it, and does a damn fine job at it 10:29 < Dougy> okay, let me rephrase this 10:29 < Dougy> awstats in cpanel is buggy as shit 10:29 < krzee> HAHAHA 10:29 < krzee> s/awstats in // 10:30 < ecrist> cpanel is crap 10:30 < krzee> complete and utter crap 10:30 < krzee> i was offered 6 figures to work for them 10:30 < krzee> said hell no 10:30 < Dougy> lol 10:31 < Dougy> cpanel? 
10:31 < krzee> ya they were looking for a new captain a couple yrs back and i knew some of the guys 10:32 < Dougy> nice 10:32 < krzee> told me i should be in the running for it, i said ild rather smoke a cigarette through my eye socket after carving out the eye 10:32 < krzee> and i stick to that answer 10:32 < Dougy> why 10:32 < Dougy> that is some pretty fine money 10:33 < krzee> if your job is all about the money you are in the wrong job 10:33 < thedoc> surprising, iran is blocking all encrypted traffic. 10:33 < krzee> plus i have a very special hate for texas 10:33 < thedoc> must be some heavy filtering in place. 10:34 < Dougy> wow 10:34 < krzee> thedoc, it can connect through http proxy 10:34 < Dougy> even ssl? 10:34 < ecrist> cpanel is bad mostly because of how deep one needs to install it into the system. 10:34 < thedoc> Apparently. 10:34 < ecrist> the general idea of a web management interface is sound, imho 10:35 < Dougy> ie webmin 10:35 < Dougy> if only webmin was pretty 10:35 < Dougy> it would be kick ass 10:35 < thedoc> krzee, yes, even that seems to be filtered 10:35 < ecrist> webmin is OK. they've got the right idea about how to go about it. 10:35 < krzee> ecrist, i dont like the idea of a web management interface at all 10:35 < ecrist> I prefer using LDAP for everything, myself. :) 10:35 < krzee> no website should do root functions imho 10:36 < thedoc> krzee, agreed. 10:36 < ecrist> krzee: you've never had to delegate user administration to non-tech people, have you? 10:36 < krzee> yes i have 10:36 < krzee> i shell script it all 10:36 < krzee> make a nice easy menu for them 10:36 < thedoc> ecrist, why do non-tech people have to do user administration?
;p 10:36 < ecrist> at my job, LDAP manages jabber, user accounts, and SUDO 10:37 < krzee> a case statement is a good menu 10:37 < krzee> and requires you to get in normally as root 10:37 < krzee> much better to me than web admin stuff 10:37 < krzee> but hell, ive been accused of paranoia a few times 10:37 < krzee> *shrug* 10:37 < ecrist> krzee: I can, with LDAP, allow our non-tech people to admin client file transfer accounts, and only those accounts 10:38 < ecrist> the web interface uses a hard-coded authentication pair which only has access to one subtree 10:38 < ecrist> the root dn and admin dns have full rw access to the entire tree. 10:38 < krzee> thats cool 10:39 < krzee> closest to LDAP ive played with is active directory 10:39 < krzee> which i must say is actually pretty nice 10:39 < ecrist> active directory =~ LDAP with a microsoft twist (not bad, imho) 10:39 < krzee> anyone who knows me knows thats quite a statement for someone who normally talks down on windows 10:39 < krzee> i know, and i agree its not bad 10:39 < ecrist> they add a lot of stuff to the structure, by default. 10:40 < ecrist> the biggest problem with active directory is it requires a windows server. 10:40 < ecrist> krzee: you would appreciate my LDAP setup at the office. 10:41 < krzee> ya im quite sure i would 10:41 < krzee> from what ive heard of it 10:41 < krzee> [11:40] the biggest problem with active directory is it requires a windows server. 10:41 < krzee> amen 10:41 < krzee> to me thats the only valid excuse for a windows server 10:42 < ecrist> see, in my case, if we had a windows server with active directory, the windows GUI would replace the website interface I speak of. 10:42 < ecrist> website interface > windows GUI for reasons of customization and rulesets. 10:42 < ecrist> it allows me to fit the interface to our application. 10:43 < krzee> ok and your website interface is internal LAN away from DMZ only, right?
10:43 < ecrist> at some point, I'm going to be playing with LDAP and DNS/BIND to see how easy it is to integrate. 10:44 < ecrist> of course. 10:44 < krzee> well ok 10:44 < krzee> i can deal with that 10:44 < ecrist> website interface doesn't require root or sudo privs, either. 10:44 < krzee> but webmin / cpanel are usually exposed to the net and have elevated privileges 10:44 < ecrist> which makes it +1 for security in my book. 10:44 < krzee> since they can add accounts, change groups, etc 10:44 < krzee> yes 10:45 < krzee> i like your version much more than what i was referring to 10:47 < krzee> haha in your awstats 10:47 < krzee> looks like someone ran a lil scan on you 10:47 < krzee> in the 404's 10:47 < ecrist> http://img.skitch.com/20090621-g9b9dkdsey1rdshcb25s1jtgmt.png 10:48 < krzee> looks nice 10:48 < ecrist> we have non-encrypted/hashed passwords for client accounts 10:48 < krzee> erm 10:48 < ecrist> we need to actually be able to recover their passwords due to scripting and such 10:48 < krzee> but umm 10:49 < ecrist> staff and special accounts have hashed passwords 10:49 < krzee> something just strikes me as 'NOOOOOOOOOOOOOOOOO' about that 10:49 < ecrist> krzee: took me a long time to come to this decision. 10:51 < ecrist> the problem is the medical providers have a ton of turn-over. They access, manually, the same account their scripting does. the scripting takes place 5 or 6 pay-grades above the high turnover. 10:51 -!- p3ri0d [n=p3ri0d@200.2.148.98] has joined ##openvpn 10:51 < krzee> medical providers 10:52 < ecrist> we can't hold up 15,000 medical claims because jane doe needs to change the password to fix one of those claims 10:52 < krzee> are we getting into Sarb/oxley territory? 10:52 < ecrist> that's 15,000 claims per month, for some clients. 10:52 < ecrist> no, HIPPA 10:52 < ecrist> HIPAA 10:52 < krzee> ahh right 10:52 < krzee> and hipaa is cool with that? 10:53 < ecrist> sure. HIPAA says we need to know 1) who has access, 2) when they accessed, and 3) unauthorized people don't get access (i.e. encryption) 10:53 < krzee> werd 10:53 < krzee> brb 10:54 < ecrist> if you knew the tangle-web of VPNs and PVCs we had coming/going from our network. 10:54 < ecrist> brb, as well 11:10 -!- p3ri0d [n=p3ri0d@200.2.148.98] has quit [Success] 11:14 -!- chrisss404_ [n=chris@84-119-52-58.dynamic.xdsl-line.inode.at] has quit ["Ex-Chat"] 11:23 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"] 11:24 -!- p3ri0d [n=p3ri0d@200.2.150.43] has joined ##openvpn 11:26 -!- Dougy [n=doug@160.79.78.34] has left ##openvpn [] 11:27 -!- Dougy [n=doug@160.79.78.34] has joined ##openvpn 11:29 < Dougy> krzee, sent you an /invite 11:29 < Dougy> thedoc, ping 11:29 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 11:43 < thedoc> ping? 11:43 < thedoc> what about? 11:43 < Dougy> didnt you talk to me about servers one day 11:44 < thedoc> Dougy, indeed. i'll pop you an email later in the day. it's 1am and i'm not about to draft emails which require me to think 11:44 < Dougy> oh no, wasnt even wondering what the outcome of that was 11:44 < thedoc> we'll be getting something from you for sure, just a matter of when ;p 11:44 < Dougy> i was just making sure i had the right guy in mind 11:44 < Dougy> :) 11:44 < thedoc> oh, right.
12:20 -!- c64zottel [n=hans@p5B17B003.dip0.t-ipconnect.de] has quit ["Leaving."] 12:20 -!- c64zottel [n=hans@p5B17B003.dip0.t-ipconnect.de] has joined ##openvpn 12:21 -!- no_maam [n=no_maam@130.83.167.54] has joined ##openvpn 12:21 < no_maam> hi 12:21 < no_maam> !route 12:21 < vpnHelper> no_maam: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:23 < no_maam> got a little routing-problem with openvpn and vista 12:23 < no_maam> I have openvpn in a bridging scenario, I am bridged in a class-C net 12:24 < no_maam> there is a gateway to the whole class-B net, where the class-C is in 12:24 < no_maam> so for example I am 1.2.3.23, and 1.2.3.254 is a gateway for 1.2.0.0/16 12:24 < krzie> if you're bridging, you dont have a routing problem 12:24 < krzie> and why are you bridging? 12:24 < no_maam> krzie: sometimes, I got my laptop directly connected, sometimes it is bridged 12:25 < krzie> why bridged? 12:25 < no_maam> krzie: if I change from a direct connection to openvpn, tcp-sessions are still alive and I keep my ip 12:25 < krzie> what layer2 protocol do you need over the vpn?
12:26 < no_maam> krzie: no layer 2 protocol, except that I sometimes like to start a connection like a vnc session or a download in my lan, and I am then forced to move to another room 12:26 < no_maam> krzie: so the strange problem now is, when I add a route, my vpn connection seems to go down 12:27 < no_maam> krzie: not completely, the connection is still there, but I don't reach any hosts on the other side anymore 12:27 < no_maam> krzie: so I start openvpn, everything works 12:27 < no_maam> krzie: then I execute a "route.exe add 1.2.0.0 mask 255.255.0.0 1.2.3.254" 12:27 < krzie> ya i never use bridging, maybe someone else can help ya 12:27 < no_maam> krzie: then, even 1.2.3.4 is unreachable 12:28 < krzie> im the one who always tells 90% of people not to use bridging 12:28 < no_maam> krzie: do you know anything about routing? 12:28 < krzie> that route makes no sense 12:28 < krzie> how can you reach 1.2.0.0 mask 255.255.0.0 through 1.2.3.254, when you need that route to reach itself 12:29 < no_maam> roentgen: 1.2.3.23/24 is already on a local interface 12:29 < krzie> do you have a more specific route to 1.2.3.254? 12:29 < no_maam> krzie: 1.2.3.23/24 is already on a local interface 12:29 < krzie> oh 12:29 < krzie> ip forwarding enabled? 12:29 < no_maam> krzie: on the gateway 1.2.3.254? yes, of course 12:30 < krzie> dunno dude, i stay away from bridge setups 12:30 < no_maam> krzie: the question is, does vista always evaluate the target and the netmask, when it looks up the route?
12:30 < krzie> i also stay away from windows 12:30 < krzie> ESPECIALLY vista 12:30 < krzie> never used it, never will 12:30 < no_maam> krzie: or does it sometimes take a less specific route, if it has a better metric 12:30 < krzie> but i bet you there is docs on windows route command 12:33 < no_maam> krzie: there is, but there is a fancy feature for automatically determining the right connection 12:33 < no_maam> krzie: the idea is, you can have a default route on our ethernet interface and at the same time one on your wlan-connection 12:34 < no_maam> krzie: and windows will always determine the best connection, depending on which is currently available 12:34 < krzie> cool 12:34 < krzie> *shrug* 12:35 < no_maam> which might be partially responsible for that 12:46 < ecrist> krzie: about an hour ago, I accidentally unplugged the ethernet cable to butters. 12:48 < krzie> ahh weird, its still here 12:48 < krzie> unless i rejoined 12:48 < ecrist> it was only down for a min or so 12:49 < krzie> ahh 12:49 < krzie> freenode has a forgiving timeout 12:49 < ecrist> am messing around with another box and there was a twist in two network cables, yours and the one on the box I'm messing with. 12:49 < krzie> all good 12:49 < ecrist> krzie: have you run freebsd on vmware esxi? 12:49 < krzie> feel free to unplug it again if you need to clean up cables or whatev 12:49 < krzie> nah never used esxi yet 12:50 < krzie> although i do run fbsd8 in vmware fusion 12:50 < Dougy> i have but only with windows and centos 12:50 < ecrist> playing with it now. trying to figure out how to install a guest OS 12:50 < ecrist> there was nothing obvious after install saying, click here to boot CDROM for install or anything 12:51 < krzie> youd expect it to be quite obvious 12:51 < ecrist> yep 12:51 < krzie> since thats the obvious first thing someone will wanna do 12:51 < krzie> esxi is one of those things i been meaning to do for a long time 12:51 < ecrist> I'm looking at it to replace jails 12:52 < krzie> ya its supposed to kick much ass 12:52 < ecrist> only one problem - for anything production-like, it requires hardware RAID 12:52 < ecrist> a lot of our systems have gone the route of gmirror 12:53 < krzie> really? 12:53 < krzie> you like that for production? 12:53 < ecrist> gmirror? hell yes 12:53 < krzie> i figured you for a HW-raid or bust kinda guy 12:53 < ecrist> no way 12:53 < ecrist> anything more than a mirror, hardware raid for sure 12:53 < krzie> you will bust nuts all over zfs when its ready for production 12:53 < ecrist> for a straight mirror, software raid is awesome.
12:53 < ecrist> krzie: absolutely 12:54 < ecrist> we played with it about a year and a half ago, some Frankenstein-esque method of booting zfs (ide->CF adapter, 2gb RO boot part on CF) to load ZFS 12:54 < ecrist> without 64bit, ZFS sucks 12:54 < ecrist> and you need lots of RAM 12:54 < krzie> agreed there 12:55 < krzie> yup 12:55 < krzie> i have 2 zfs boxen 12:55 < krzie> 1 is 32bit with 3gigs ram running fbsd-7 (so old version of zfs) 12:55 < krzie> other is dual core 64bit with 8gigs ram 12:55 < krzie> running fbsd8, so zfs v13 12:55 < krzie> and let me speak for how right you are 12:56 < krzie> lotsa ram and 64bit makes zfs a happy panda 12:57 < Dougy> haha 12:57 < Dougy> bqbackup uses zfs 12:57 < Dougy> iirc 12:57 < krzie> opensolaris seems to use it by default 13:00 < krzie> ill take another look when i get home 13:00 < krzie> but when it boots it says 7/7 zfs partitions loaded 13:00 < krzie> and i never setup zfs on it 13:02 < ecrist> the sux 13:03 < ecrist> ESXi requires a windows computer to manage the virtual machines. 13:03 < Dougy> fail 13:03 < Dougy> virtualbox <3 13:04 < krzie> are you serious eric? 13:04 < krzie> and are you sure? 13:04 < krzie> thats very hard to believe 13:05 < krzie> but if you say you're sure i believe ya 13:05 < ecrist> krzie: yes. There's a remote command-line option, but it requires a special client, which is available for linux. 13:05 < krzie> hah 13:05 < krzie> thats serious weaksauce 13:06 < ecrist> from the 'getting started guide' in the section on how to create a virtual machine, under 'requirements': 13:06 < ecrist> At least one other computer to act as a management station. This computer must 13:06 < ecrist> be running Windows, have network access to the ESXServer3i, and have Internet 13:06 < ecrist> access. 
13:06 < krzie> wow 13:06 < krzie> thats crazy 13:07 < ecrist> yeah 13:07 < ecrist> I suppose it's one way they can make the foot print on the host so small 13:07 < krzie> by forcing another host to use the os with largest footprint avail 13:07 < krzie> lol 13:08 < ecrist> yeah 13:12 < ecrist> I'm going to go watch some TV for a while. see you guys later. 13:13 < Dougy> see ya 13:14 < ecrist> oh, woot 13:14 < ecrist> http://www.bluebearllc.net/kodiak/ 13:14 < vpnHelper> Title: BlueBear > Kodiak (at www.bluebearllc.net) 13:14 * Dougy look 13:14 < Dougy> win 13:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 13:53 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 14:23 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 14:25 -!- p3ri0d [n=p3ri0d@200.2.150.43] has quit ["Leaving"] 14:29 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 14:45 -!- epaphus [n=unix3@201.199.41.166] has quit [Remote closed the connection] 15:06 -!- cookakk [i=cookakk@87-198-60-76.ptr.magnet.ie] has joined ##openvpn 15:12 < cookakk> Hi All, is it ok to ask some OpenVPN ALS questions on the channel? 15:12 < Dougy> anything openvpn related 15:13 < cookakk> Cool, im in the process of customizing the OpenVPN ALS logos, colors etc. Do you know where I can edit the text on the login page "Welcome to Adito! A secure gateway to your network." 15:13 < krzie> whats ALS? 15:13 < krzie> oh that for profit app? 15:14 < cookakk> no way krzie 15:14 < cookakk> is for my own job 15:14 < krzie> whats ALS? 
15:15 < cookakk> krzie http://tinyurl.com/cryf4v 15:15 < vpnHelper> Title: SourceForge.net: OpenVPN ALS (at tinyurl.com) 15:15 < cookakk> The only reference I can find is in loginContent_jspf.java 15:16 < krzie> heh, no kidding 15:16 < krzie> first time ive ever heard of that 15:16 < krzie> and im rather active here 15:17 < cookakk> Only found it myself 2 days ago 15:17 < krzie> but if its on sourceforge its opensourc so it shouldnt be TOO hard to mod 15:17 < krzie> as for logos, find what the filename of the logo you wanna change is 15:17 < krzie> and replace the file with your own 15:17 < krzie> should be easy enough 15:17 < cookakk> yes logos no problem, editing css etc.. no probs 15:17 < krzie> and as for text, open the file and search for the text 15:17 < cookakk> its just the text content on the pages 15:18 < cookakk> cant find it anywhere 15:18 < Dougy> i assume you ran a grep? 15:18 < krzie> grep the whole dir and subdirs for the text 15:18 < cookakk> yes did it but im on windoz 15:19 < cookakk> opened every .jsp , jspf , .java file in notepad++ searched for keywords 15:19 < Dougy> http://sourceforge.net/project/screenshots.php?group_id=228294 15:19 < krzie> try looking from a unix box 15:19 < vpnHelper> Title: SourceForge.net: OpenVPN ALS: Screenshots (at sourceforge.net) 15:19 < Dougy> krzie 15:19 < krzie> more power 15:19 < Dougy> that looks nice 15:19 < krzie> ya if you trust the code 15:19 < krzie> personally i dont see a need to use web based 15:19 < krzie> especially if its doing away with the need for certs 15:20 < Dougy> yeah 15:20 < krzie> bypassing all the security built into ovpn and replacing with a simple web login 15:24 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 15:29 -!- eliasp_ is now known as eliasp 15:55 -!- Piter [n=piter@87-98-134-239.ovh.net] has left ##openvpn [] 16:00 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)] 16:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit 
["Leaving"] 16:12 -!- Diddi [i=diddi@zebra.bsnet.se] has joined ##openvpn 16:17 -!- c64zottel [n=hans@p5B17B003.dip0.t-ipconnect.de] has quit ["Leaving."] 16:19 -!- cookakk [i=cookakk@87-198-60-76.ptr.magnet.ie] has left ##openvpn [] 16:27 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"] 16:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 17:04 -!- lost_and_unfound [n=chatzill@dsl-247-86-38.telkomadsl.co.za] has quit [Remote closed the connection] 17:29 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 17:49 -!- master_of_master [i=master_o@p549D51C6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:53 -!- master_of_master [i=master_o@p549D546B.dip.t-dialin.net] has joined ##openvpn 18:18 -!- bitrot [n=Rajko@wan.rajko.info] has quit [Read error: 104 (Connection reset by peer)] 18:31 -!- epaphus [n=unix3@201.199.41.166] has quit ["Leaving"] 18:41 -!- p3ri0d [i=p3ri0d@200.2.150.43] has joined ##openvpn 18:50 -!- xp_prg [n=xp_prg3@98.234.52.78] has joined ##openvpn 19:00 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 19:48 < neteffect> hi 19:48 -!- epaphus [n=unix3@201.199.41.166] has quit ["Leaving"] 19:51 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 19:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 20:03 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:04 -!- doug__ [i=doug@64.18.144.3] has joined ##openvpn 20:04 < neteffect> hi 20:22 -!- troy is now known as troy- 20:24 -!- doug__ [i=doug@64.18.144.3] has quit ["Lost terminal"] 20:27 < thedoc> morn' folks. 
20:27 < thedoc> o/ 20:27 < neteffect> hi 20:28 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote closed the connection] 20:43 -!- p3ri0d [i=p3ri0d@200.2.150.43] has quit ["Leaving"] 20:48 -!- prxtien [n=pro@teamaustralia.net.au] has quit ["changing servers"] 20:49 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 20:52 -!- master_of_master [i=master_o@p549D546B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:57 -!- master_of_master [i=master_o@p549D4AE6.dip.t-dialin.net] has joined ##openvpn 22:07 -!- betabot [n=betabot@li20-55.members.linode.com] has quit ["Coyote finally caught me"] 22:32 -!- troy- is now known as troy 22:48 -!- darius [n=darius@207.229.123.5] has joined ##openvpn 22:49 < darius> any chance there's an openvpn client for a blackberry? 23:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:35 < thedoc> hm, openvpn-as comes only in 64bit? --- Day changed Mon Jun 22 2009 00:25 < krzee> darius, what os is the blackberry running? 00:25 < krzee> there is a windows mobile client 00:39 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:42 -!- tje [i=QoEJeyQV@71-14-68-144.dhcp.stls.mo.charter.com] has joined ##openvpn 00:42 < tje> !howto 00:42 < vpnHelper> tje: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:44 < tje> Can someone provide me a link to a good HOWTO for a host-to-net configuration? 00:44 < tje> I'm looking to set up OpenVPN on my internal firewall iface and have wireless clients (on the inside of the firewall) to have to connect to the VPN. 00:45 < tje> kind of a "road warrior" setup, though I'm not sure that's the correct terminology 00:45 < tje> !redirect 00:45 < vpnHelper> tje: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
00:47 -!- tje [i=QoEJeyQV@71-14-68-144.dhcp.stls.mo.charter.com] has quit ["Leaving"] 01:07 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:44 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn 01:44 -!- vaq [n=c99@83.136.90.2] has quit [Read error: 104 (Connection reset by peer)] 01:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:59 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 02:15 -!- elvisthedj [n=kris@67-60-37-186.cpe.cableone.net] has joined ##openvpn 02:16 -!- elvisthedj [n=kris@67-60-37-186.cpe.cableone.net] has left ##openvpn [] 02:47 < reiffert> # 03:03 < dan__t> WHAT 03:03 -!- simplechat [n=simplech@unaffiliated/simplechat] has joined ##openvpn 03:05 < simplechat> hey, are there any good guides to installing openvpn on debian 5.0? 03:10 < gelbasack> I'd just take the howto.. 03:12 < simplechat> ? 03:13 < gelbasack> http://openvpn.net/index.php/open-source/documentation/howto.html 03:13 < vpnHelper> Title: HOWTO (at openvpn.net) 03:14 < gelbasack> not debian specific but that's just an apt-get, aptitude, whatever 03:39 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 04:26 < simplechat> wow, this is failing horribly 04:26 < simplechat> atm i'm setting up openvpn on debian 5.0 stable 04:26 < simplechat> and i'm getting lots of Mon Jun 22 09:25:56 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 04:26 < simplechat> errors 04:26 < simplechat> and it just locks into a continuous restart cycle 04:29 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 04:39 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 04:43 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 04:44 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 05:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:26 -!- thedoc [n=andelyx@bb116-15-7-215.singnet.com.sg] has joined ##openvpn 05:40 -!- RexMundi 
[n=RexMundi@77.95.99.166] has joined ##openvpn 05:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:45 -!- |ns|nR8 [n=doof@CPE-124-185-168-81.qld.bigpond.net.au] has joined ##openvpn 05:45 < |ns|nR8> how can i set gateway address on ubuntu client 05:46 < |ns|nR8> i can ping gateway from client but i cant seem to get it to use it as a gateway 05:46 < |ns|nR8> ive set tap0 gateway in network manager but it doesnt work 05:47 < Gorkhaan> push "redirect-gateway def1" 05:47 < Gorkhaan> search on Manual with this key: redirect-gateway 05:47 < Gorkhaan> Maybe this will help 05:47 < |ns|nR8> thankyou 05:51 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 05:53 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:02 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 06:12 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 06:16 < |ns|nR8> hmm wont work grrr 06:24 < Gorkhaan> Then let's start from the beginning. What are you planning to do exactly? :) 06:30 < |ns|nR8> ok...i have a wep wireless network that must stay wep...i want to roam around and be secure so i connect over wireless to a wired machine (bridged) 06:31 < |ns|nR8> so ive bridged on server to the wired network card 06:31 < |ns|nR8> i can ping the server fine..and can ping the gateway 06:31 < |ns|nR8> i just cant seem to push the gateway address 06:32 < |ns|nR8> to the client 06:32 < |ns|nR8> ive been configuring this for 3 days 06:32 < |ns|nR8> everything that could go wrong has 06:32 < Gorkhaan> Using NAT is easier imho. what if you add your gateway to your client manually? 06:32 < |ns|nR8> this is the last hurdle 06:33 < |ns|nR8> well ive tried that but it wont stick...it still gets the ip address etc from the server at connect time 06:34 < Gorkhaan> does the server give your client any gateway address? 
06:34 < |ns|nR8> both machines are ubuntu 06:34 < Gorkhaan> if yes, what is it 06:34 < |ns|nR8> no 06:35 < Gorkhaan> what's your openvpn server's IP? 06:35 < Gorkhaan> 10.8.0.1 ? 06:35 < |ns|nR8> well im not really sure if it gets any 06:35 < |ns|nR8> because ifconfig wont list gateways 06:35 < |ns|nR8> 192.168.0.54 06:35 < Gorkhaan> route -n lists gw-s 06:36 < Gorkhaan> but this is NAT 06:36 < |ns|nR8> noop 06:37 < |ns|nR8> no gateways at all on client 06:37 < |ns|nR8> on server it has gateway set 06:37 < Gorkhaan> Internet <--> LAN ( 192.168.0.54 ) <--> OpenVPN Server ( 10.8.0.1 ) <---> ||| <--> OpenVPN Client ( 10.8.0.0/24 ) 06:37 < |ns|nR8> its bridged 06:37 < |ns|nR8> not tunnel 06:37 < Gorkhaan> so your LAN + TAP interface is in bridge 06:37 < |ns|nR8> yes 06:38 < Gorkhaan> k. sry for misunderstanding. 06:38 < Gorkhaan> does your client have any IP? 06:38 < |ns|nR8> i tried tunnel but internet connection sharing wouldnt allow it 06:38 < |ns|nR8> yes it has ip 06:38 < Gorkhaan> what's that plz? 06:38 < |ns|nR8> i can ping server and gateway..they respond 06:38 < |ns|nR8> 192.168.0.100 06:38 < |ns|nR8> is the client 06:39 < Gorkhaan> what's the server? 06:39 < |ns|nR8> 192.168.0.54 06:39 < Gorkhaan> 54? 06:39 < Gorkhaan> yes, this is on LAN right? 06:39 < |ns|nR8> gateway is 192.168.0.1 06:39 < |ns|nR8> yep 06:39 < |ns|nR8> ummm 06:40 < Gorkhaan> well I think you should do this with NAT 06:40 < Gorkhaan> let's say internet comes from ETH0 06:40 < Gorkhaan> your LAN iface is ETH1 06:41 < Gorkhaan> there is no connection between them ( No NAT, no Bridge ), that's fine 06:41 < Gorkhaan> you should have DHCP on ETH1, to give clients on LAN - > IP, Mask, Default gw 06:42 < Gorkhaan> the internet sharing gonna be here: ETH0 <--NAT--> TUN0 06:42 < |ns|nR8> yeah maybe i should do that 06:42 < Gorkhaan> Masquerading 06:42 < |ns|nR8> turn off assigned by openvpn and run a dhcp server 06:42 < |ns|nR8> thats a good idea 06:42 < Gorkhaan> it's the easiest. 
06:42 < |ns|nR8> internet connection sharing does not like tunneling 06:42 < |ns|nR8> i tried it 06:43 < Gorkhaan> it has to :D I'm using it. 06:43 < |ns|nR8> k gave me an idea anyway 06:43 < |ns|nR8> already got dhcp installed somewhere 06:43 < |ns|nR8> hmm actually 06:43 < |ns|nR8> maybe thats why 06:43 < Gorkhaan> u can use DHCP or static ip for the moment 06:43 < |ns|nR8> maybe it is using my dhcp server 06:45 < Gorkhaan> on server: for LAN interface: ifconfig eth1 192.168.0.1 06:45 < Gorkhaan> on Client: for LAN interface: ifconfig eth0 192.168.0.10 06:45 < Gorkhaan> on client: route add default-gateway 192.168.0.1 06:45 < Gorkhaan> These are static configs, without DHCP 06:45 < Gorkhaan> http://stuffz.darkhole.hu/configs/ I've got here an easy and simple DHCP config, check it out 06:45 < vpnHelper> Title: Index of /configs (at stuffz.darkhole.hu) 06:46 < |ns|nR8> thanks 06:46 < Gorkhaan> you have to change the listening interface when u'd like to use DHCP 06:48 < Gorkhaan> nano /etc/default/dhcp3-server 06:49 < Gorkhaan> INTERFACES="" -> LAN Interface there like ( eth1, wlan0, etc ) 06:50 -!- thedoc [n=andelyx@bb116-15-7-215.singnet.com.sg] has quit [] 06:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:52 < Gorkhaan> the config what I gave you --> you should place it here -> nano /etc/dhcp3/dhcpd.conf But make a backup first. 06:53 < |ns|nR8> yeah i did that 06:53 < |ns|nR8> its still not using my server 06:53 < |ns|nR8> think ive had enough for one day 06:54 < Gorkhaan> yeah. Well anyway, the easiest is doing NAT. The point is on every client the Default Gateway has to be 06:54 < Gorkhaan> I'll be here. 
I think 06:54 < Gorkhaan> :D 06:54 < |ns|nR8> thanks for the help 06:55 < Gorkhaan> u're welcome 06:55 < neteffect> hi 06:56 < Gorkhaan> hi 06:56 < |ns|nR8> well if it redirects gateway...maybe i need a gateway on client set just on a different device 06:57 < Gorkhaan> the gateway is needed on the physical, real interface 06:57 < Gorkhaan> not on TUN or TAP 06:57 < neteffect> i have a server at work im trying to access 06:58 < neteffect> it's one of those Network Accessible Storage things you just hook up to your network. 06:58 < neteffect> will i be able to access it? 06:59 < Gorkhaan> if you can access it normally, then the OpenVPN server should PUSH a route, to your NAS 06:59 < Gorkhaan> !route 06:59 < vpnHelper> Gorkhaan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 06:59 < neteffect> ok 07:00 < neteffect> k thx 07:00 < Gorkhaan> nm 07:01 < neteffect> nm? 07:02 < Gorkhaan> sry, I'm from Hungary, it means You are welcome, not at all, 07:02 < Gorkhaan> :D 07:02 < neteffect> oh heh 07:04 < thedoc> does this iptables rule look right to drop all tcp traffic coming from port 111? 07:04 < thedoc> iptables -A INPUT -s 0/0 -i eth0 -p tcp --sport 111 -j DROP 07:05 < Gorkhaan> well -s isn't needed, if you skip that, it means the same, it looks good btw 07:06 < thedoc> aye! 07:06 -!- |ns|nR8 [n=doof@CPE-124-185-168-81.qld.bigpond.net.au] has quit [Read error: 54 (Connection reset by peer)] 07:08 < thedoc> Gorkhaan, do you have any idea if you drop all traffic on that port, does iptables show it as closed/filtered/open? 07:08 < Gorkhaan> iptables -L INPUT should show u. 07:09 < thedoc> iptables -L INPUT 07:09 < thedoc> Chain INPUT (policy ACCEPT) 07:09 < thedoc> target prot opt source destination 07:09 < thedoc> DROP tcp -- anywhere anywhere tcp spt:sunrpc 07:09 < thedoc> DROP udp -- anywhere anywhere udp spt:sunrpc 07:09 < thedoc> seems right to me. 
07:09 < Gorkhaan> but first input your rules, then DROP everything else 07:10 < thedoc> Gorkhaan, i have no services running on that and it's specified for port 111. 07:10 < Gorkhaan> seems right here too :) it should work 07:10 * thedoc still can get openvpn to work, so it should be ok:) 07:10 < Gorkhaan> sure, openvpn's default port is 1194 07:11 < thedoc> yep. 07:11 < thedoc> i just don't want people to try to be exploiting port 111 ;p 07:11 < Gorkhaan> :D 07:11 < thedoc> even though rpcinfo -p doesn't throw up anything which looks dangerous to me. 07:11 < thedoc> what do i know, i could be wrong. 07:11 < Gorkhaan> why dont u accept the things you need, and drop everything else? 07:12 < thedoc> Gorkhaan, is there a difference if you only have ovpn service running on a randomized port and nothing else and having accept rules and dropping everything else? 07:12 < thedoc> i *think*, and might be quite wrong here that if you don't have the service running, there's nothing to exploit? 07:13 -!- zheng [n=zheng@222.66.224.106] has quit [Read error: 54 (Connection reset by peer)] 07:13 < Gorkhaan> well if OpenVPN's comes to "--up" you can run a script there. you can open up a port on your firewall 07:14 < thedoc> hmm 07:14 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 07:15 < Gorkhaan> But I donno what would u like to do exactly, so it's hard to answer. BTW check this out, maybe helps : http://www.debuntu.org/iptables-how-to-share-your-internet-connection 07:15 < vpnHelper> Title: Iptables: How-to Share your internet connection | Debian/Ubuntu Tips & Tricks (at www.debuntu.org) 07:16 < thedoc> Gorkhaan, I'm trying to lock the server down better, that's all. 07:17 < Gorkhaan> I see. IMHO if you have Ubuntu ( i know this only, and Debian ) you can try to "steal" Rules from GUI made firewalls, like Firestarter, Gufw. I prefer Firestarter. 
07:17 < Gorkhaan> iptables-save myfirewall - to get the rules 07:18 < Gorkhaan> iptables-restore < myfirewall - to restore from myfirewall file. 07:18 < thedoc> hmm 07:19 < Gorkhaan> If I were you I'd do it with Virtualbox + ubuntu desktop, to try out . I'm not pro in this really 07:19 < Gorkhaan> :D 07:19 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"] 07:19 < thedoc> hehe 07:19 < thedoc> I'll give it a go. 07:19 < thedoc> This is like a demo box. 07:20 < thedoc> more like a sandbox, the actual production stuff is on its way 07:20 < Gorkhaan> ok. :) Yes, exactly! :) 07:20 * thedoc would like a serverfarm running openvpn with redundancy and stuff:) 07:20 < Gorkhaan> Search for firewall tips on Google, there are millions of it 07:21 < Gorkhaan> lol, nice. I've got only 1 server 07:21 < Gorkhaan> In our High School there is a Transparent Proxy, with port 443 open. :P 07:21 < thedoc> ahh. 07:21 < thedoc> tunnel all your vpn traffic over 443. 07:21 < Gorkhaan> :D yep 07:21 < thedoc> like they say, if you can find your way out, you deserve to stay out ;p 07:22 < Gorkhaan> so torrent, games, stuffz works again. ;) 07:22 < Gorkhaan> :D 07:22 < Gorkhaan> They really dont care. and that's good 4 me. XD 07:22 < thedoc> awesome. 07:22 < thedoc> i use vpn basically to bounce around the place for torrents ;p 07:23 < thedoc> who cares! 07:23 < Gorkhaan> yeah. I've got ubuntu 9.04 server. 07:23 < Gorkhaan> :D 07:23 < Gorkhaan> where r u from? :) 07:23 < thedoc> asia:) 07:24 < Gorkhaan> I'm from middle Europe --> Hungary 07:25 < Gorkhaan> I need to do shopping, BBL 07:25 < neteffect> ta ta 07:25 < Gorkhaan> :D Does your NAS work neteffect? 07:25 < neteffect> work? yes it serves nice files 07:26 < Gorkhaan> gr8 07:26 < neteffect> im just wondering how to access it remotely 07:26 < neteffect> we have remote desktop setup but boss said the screen is too slow heh 07:26 < Gorkhaan> I meant, if that PUSH option helped. 
07:26 < neteffect> oh sorry no didn't try it yet 07:26 < Gorkhaan> it's okay. 07:26 < neteffect> will this week though 07:27 < neteffect> still reading and absorbing stuff a little :( 07:27 < Gorkhaan> :D I thought "ta ta" meant that 07:27 < Gorkhaan> :D 07:27 < neteffect> oh no sorry it meant "bye, see ya" 07:27 < Gorkhaan> ah, k. :D so brb later then. ;) 07:27 < neteffect> have fun shopping 07:33 -!- |ns|nR8 [n=doof@CPE-124-180-51-211.vic.bigpond.net.au] has joined ##openvpn 07:37 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 07:38 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 07:43 < ecrist> good morning 07:57 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:58 -!- gelbasack [n=gelbasac@2002:5c3f:dd98:0:0:0:0:1] has quit [Remote closed the connection] 08:13 < Gorkhaan> re 08:13 < dazo> morning! 08:14 < Gorkhaan> yeah, that's depends on where do we live. :D here is afternoon. :D 08:14 < Gorkhaan> GMT + 2 08:15 -!- gelbasack [n=gelbasac@gw6.gelbasack.net] has joined ##openvpn 08:15 < dazo> heh ... or just when you appear at work :-P 08:15 < Gorkhaan> lolz. Indeed. 
:D 08:19 -!- simplechat [n=simplech@unaffiliated/simplechat] has quit [Remote closed the connection] 08:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 08:46 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:48 -!- |ns|nR8 [n=doof@CPE-124-180-51-211.vic.bigpond.net.au] has quit [Read error: 110 (Connection timed out)] 08:50 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:53 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 10:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:20 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"] 10:23 -!- thedoc [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)] 10:29 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 10:50 < krzie> hey everyone 10:50 < krzie> come quick 10:50 < krzie> look how good i look 10:50 < thedoc> wut? 10:50 < krzie> (quote from anchorman 10:50 < krzie> ) 10:51 < thedoc> i have no idea what that is but .. 
;p 10:51 < krzie> that is a FUNNY AS FUCK movie 10:51 < krzie> http://www.youtube.com/watch?v=Ip6GolC7Mk0 10:52 < vpnHelper> Title: YouTube - Anchorman Trailer (at www.youtube.com) 11:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 11:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 11:32 -!- xp_prg [n=xp_prg3@98.234.52.78] has quit ["This computer has gone to sleep"] 11:42 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 12:01 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:48 -!- jeiworth [n=jeiworth@189.234.80.103] has joined ##openvpn 12:53 < dazo> this might be even funnier .... http://www.youtube.com/watch?v=4ORcL2Yit14&feature=related 12:53 < vpnHelper> Title: YouTube - Anchorman Burrito scene - high speed (at www.youtube.com) 12:57 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 13:01 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 13:02 -!- kevin__ is now known as canadaeh 13:04 < krzie> hey ecrist you here? 13:05 -!- barbosa [n=barbosa@201.86.188.166.dynamic.adsl.gvt.net.br] has quit [Read error: 104 (Connection reset by peer)] 13:14 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn 13:15 < ebil|work> Hi, I think I finally almost fixed my openvpn issues, but right now my client side has decided that tun0 is in use and it keeps using tun1 instead. 
I don't want to open up my firewall to tun+ so how do I get it to go back to tun0 (or is there a way to force it to always use tun0) 13:15 < krzie> check that openvpn isnt already running 13:15 < krzie> ps auxww 13:15 < krzie> ps auxww|grep vpn 13:17 < ebil|work> nope, but the tun0 device is still there (not running, but it's there) 13:17 < krzie> yes you can force a specific dev 13:20 < krzie> --dev tunX | tapX | null 13:20 < krzie> TUN/TAP virtual network device ( X can be omitted for a dynamic device.) 13:20 < krzie> first, paste the tun0 part of ifconfig -a 13:21 < krzie> or at least be sure there is no openvpn pid attached to it 13:21 < krzie> i dunno that linux would show that, but i know fbsd does 13:21 -!- barbosa [n=barbosa@189.27.53.70] has joined ##openvpn 13:22 < krzie> cause ive never seen openvpn use tun1 when tun0 is free 13:23 < ebil|work> tun0 isn't free for some reason 13:23 < ebil|work> and I can't seem to kill it :P 13:23 < krzie> right, i believe something is using it 13:23 < krzie> my suggestion is to find out what 13:23 < krzie> maybe a GRE tunnel, maybe openvpn, maybe a NStunnel 13:24 < ebil|work> nm my bad. 13:24 < ebil|work> :) 13:25 < krzie> ahh found it i take it 13:25 < krzie> what was it? 13:35 < ecrist> krzie: sup? 13:35 < krzie> which email do you use for paypal 13:35 < krzie> the one in whois info? 13:35 < ecrist> no 13:35 < ecrist> my personal one 13:35 < krzie> i still havnt gotten that $ to you, right? 13:35 < ecrist> nope, haven't seen it 13:35 < ebil|work> krzie, a hiding openvpn instance :( 13:36 < krzie> cool, lemme get the email and consider it done 13:36 < krzie> ebil|work, hiding as in didnt show up in ps auxww|grep vpn ? 13:36 < ebil|work> anyhow, I narrowed down my main problem to this: noodles/138.88.x.x:33447 MULTI: bad source address from client [192.168.173.3], packet dropped 13:36 < ebil|work> krzie, hiding as in I'm an idiot ;) 13:36 < krzie> heheh 13:37 < krzie> ebil|work trying to connect a lan behind the client? 
13:37 < ebil|work> but this other problem is interesting. I have the client-config dir set up , and the correct route and the ccd file with the matching iroute directive 13:37 < ebil|work> yes, network behind the client 13:37 < krzie> !configs 13:37 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:37 < ebil|work> so my dad can access the webserver at my house 13:38 < ebil|work> krzie, I gotta run home, but I'll do that as soon as I get there... 13:38 < krzie> cool 13:38 < ebil|work> but at least now the packets are actually making it across the tunnel AND showing up at the other end :) 13:38 < krzie> =] 13:38 < ebil|work> now I just have to get them to be accepted lol 13:38 < krzie> that error points to a problem with your iroute 13:38 < krzie> be sure the ccd file is EXACTLY like the common name 13:39 < krzie> and in server log you should see the ccd file was found and iroute was used on connection 13:39 < ebil|work> krzie, common name = the name in that error message? 13:40 < krzie> ya i guess it would be noodles 13:40 < ebil|work> it's an old system :) when I was a freshman in college, it lived in a ramen noodles box because I didn't have a case for it... 13:40 < ebil|work> it also has 6 ethernet interfaces, so it has noodles of wires coming out the back of it 13:40 < ebil|work> hence the name 13:41 < krzie> good name =] 13:41 < krzie> 6 nics... its yourrouter? 13:41 < ebil|work> yeah 13:41 < krzie> nice 13:41 < krzie> home made routers are fun 13:41 < ebil|work> eth0->dsl, eth1->my stuff, eth2->my test network, eth3-> my dad's stuff eth4-> wireless (trusted) eth5-> wireless (honeypot) 13:42 < ebil|work> but yeah, anyhow, gotta run, thanks for the help! 13:46 < krzie> np 13:46 < krzie> wireless honeypot... 
nice 13:47 < krzie> thats been on my back shelf of stuff to do for awhile 13:47 < krzie> seems to always be a few things in front of it 13:58 -!- canadaeh [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 13:58 -!- kyrix [n=ashley@188-23-69-58.adsl.highway.telekom.at] has joined ##openvpn 14:02 -!- seva [n=seva@glivorem.com] has joined ##openvpn 14:03 < seva> i am having problems routing traffic from server's LAN to an IP only reachable by the client 14:03 < seva> servier is 10.78.2.1, client is 10.78.2.4 14:03 < krzie> servier is 10.78.2.1, client is 10.78.2.4 14:03 -!- ebil|work [n=andy@216.64.93.22] has quit [Read error: 110 (Connection timed out)] 14:03 < krzie> that makes no sense 14:03 < krzie> those are the VPN ips? 14:03 -!- tjz [n=tjz@bb116-15-73-38.singnet.com.sg] has quit [Connection timed out] 14:03 < seva> yes 14:04 < seva> topology subnet 14:04 < krzie> you sure client is .4? 14:04 < krzie> oh ok 14:04 < krzie> thx =] 14:04 < krzie> have you read !route ? 14:04 < seva> yeah, i think so 14:04 < seva> !route 14:04 < vpnHelper> seva: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:04 < seva> let me double check 14:04 < seva> yes 14:04 < seva> i only have 1 client 14:05 < seva> so i am not using iroute at all 14:05 < krzie> doesnt matter 14:05 < krzie> you must use iroute 14:05 < seva> hrm 14:05 < seva> iroute is just to tell the client which ips it routes? 
14:05 < krzie> tells the server which client the route goes to 14:05 < krzie> kernel route only routes to the openvpn dev 14:06 < krzie> without iroute it goes nowhere 14:06 < seva> ah 14:06 < seva> that's prob the problem 14:06 < seva> my CN has spaces in it 14:06 < krzie> its definitely 1 problem 14:06 < seva> i am not sure that's working :) 14:06 < krzie> i dont think spaces are legal, lets check 14:06 < krzie> !man 14:06 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:07 < krzie> By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). The X509 Subject string as returned by the tls_id environmental variable, can additionally contain colon (':') or equal ('='). 14:07 < krzie> so the ccd files will likely be looking for the " " to be a _ 14:07 < krzie> im guessing 14:08 < krzie> !learn remap as By default, OpenVPN will remap any character other than alphanumeric, underbar ('_'), dash ('-'), dot ('.'), and slash ('/') to underbar ('_'). 14:08 < vpnHelper> krzie: Joo got it. 14:10 < seva> how could i check that it's finding the ccd 14:10 < seva> (because it doesn't seem to) 14:12 < krzie> server log when the client connects 14:14 < seva> what am i looking for? 
14:14 < seva> it seems like it should; the CN= in the logs matches what the file is called in /etc/openvpn/ccd (with underscores)
14:15 < seva> but instead the client is adding those IPs to its routing table back to the server
14:15 < seva> (i want the opposite)
14:15 < seva> oh i named it CN.conf not CN
14:16 < seva> same result
14:17 < krzie> you can see if its using the ccd files cause when the client connects it says so
14:17 < krzie> then it says something about adding the iroute if it was supposed to
14:17 < krzie> and yes, ild also expect CN= to be exactly as the ccd/ should be
14:18 < krzie> but my common names always obey what openvpn wants anyways
14:18 < krzie> in fact i hate spaces in things like filenames and all that anyways
14:19 < krzie> ecrist, sent =]
14:19 < seva> ok yeah it's getting the ccd but doing the exact opposite of what i expect
14:19 < seva> OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd//OpenVPN_Client_1
14:20 < seva> it adding the REMOTEIP route back via VPN on the client
14:20 < seva> i want to route my server's LAN PCs via VPN to REMOTEIP
14:20 < krzie> show me the contents of the ccd
14:20 < seva> just iproute REMOTEIP
14:21 < krzie> umm
14:21 < krzie> show me the contents of the ccd
14:21 < seva> er iroute
14:21 < seva> iroute 10.140.18.67 255.255.255.255
14:21 < krzie> well ya that wont work
14:21 < seva> then i am confused
14:21 < krzie> try 255.255.255.0
14:21 < seva> it's a host
14:22 < seva> i just need 1 IP
14:22 < krzie> any objection to trying it
14:22 < krzie> ?
14:22 < seva> no
14:22 < krzie> then try it
14:23 < seva> well it didn't add the route back on the client, let me add route on the server by hand and see if it works
14:23 < krzie> it shouldnt add anything on the client
14:23 < krzie> !iroute
14:23 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
14:23 < krzie> !configs
14:23 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:25 < seva> server: http://pastebin.com/d3de099a4
14:25 < seva> client: http://pastebin.com/m3625f1b9
14:26 < krzie> ill be a couple mins
14:26 < seva> the only ccd entry is about: iroute 10.140.18.67 255.255.255.0
14:26 < krzie> workin
14:26 < seva> thanks
14:28 < krzie> 10.78.1.0 255.255.255.0 is behind the server
14:28 < krzie> 10.135.70.92 is behind some other client
14:28 < krzie> right?
14:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:29 < krzie> ok so now go over to 10.140.18.67 and add a route
14:29 < krzie> that machine needs to know how to return packets
14:30 < krzie> tell it that for 10.78.2.0 255.255.255.0 it should route to its local LAN vpn endpoint
14:31 < seva> hang on, just made some changes that appear to setup routes correctly, let me pastebin it
14:31 < seva> server: http://pastebin.com/m4a9edbf3
14:31 < seva> client the same
14:31 < seva> now the routes in kernel routing are correctly setup when i start openvpn
14:32 < seva> ip route
14:32 < seva> ah, it's sort of working, i can see incoming ICMP on the tun0 on client
14:32 < seva> but client is not routing (ipv4_forward is enabled), double checking
14:33 < seva> yeah, so at least now i can see icmp packets coming in via tun0 on client
14:33 < seva> but i am not getting icmp replies back
14:34 < seva> thoughts?
14:35 < krzie> yup
14:35 < krzie> ok so now go over to 10.140.18.67 and add a route
14:35 < krzie> that machine needs to know how to return packets
14:35 < krzie> tell it that for 10.78.2.0 255.255.255.0 it should route to its local
14:35 < krzie> LAN vpn endpoint
14:35 < krzie> aka "ROUTES TO ADD OUTSIDE OPENVPN" in !route under the picture
14:35 < seva> oh man
14:35 < seva> i think i need to masq that
14:35 < krzie> full explanation of what is currently happening in !route
14:35 < seva> that's not my machine
14:35 < seva> i think i understand
14:36 < krzie> not your machine, you have access to the router tho?
14:36 < seva> no
14:36 < krzie> to that machines default gateway
14:36 < seva> perhaps
14:36 < krzie> you can add it there
14:36 < seva> i don't think i do actually
14:36 < krzie> or you can nat the packets to look like they came from you inside the lan
14:36 < seva> it's basically my server at firm2 routing to firm3's IPs
14:36 < seva> yeah, i think i'll have to NAT
14:37 < seva> no prob, thanks for the VPN help
14:37 < krzie> you're ewlcome
14:37 < krzie> welcome =]
14:38 < seva> if i looked at tcpdump on eth0 it would have been obvious (the NAT point)
14:38 < krzie> or if you read over !route again
14:38 < seva> :)
14:38 < krzie> since i go over exactly what is going on in your situation
14:38 < krzie> ;]
14:39 < seva> !route
14:39 < vpnHelper> seva: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:39 < seva> there is no mention of NAT there :)
14:39 < krzie> this is true
14:39 < krzie> because i dont want people thinking thats the right way
14:39 < krzie> ;]
14:40 < krzie> but once you understood the problem you knew the solution yourself
14:40 < seva> it depends on the situation, i am quite sure NAT is the only option for me
14:40 < krzie> i agree, sounds like your only solution (other than getting permission from the people who run the computer)
14:40 < seva> although i think firm2 pushes routes via BGP to firm3
14:40 < seva> so i can prob ask them to add my server's LAN
14:41 < seva> but it's not worth the trouble
14:41 < seva> if firm2 was a bit more responsive and capable i would have had this done on a pair of 2600s a long time ago
14:41 < krzie> haha
14:42 < seva> (they happen to have a stack of them just sitting there)
14:42 < krzie> but then youd be using ipsec
14:42 < krzie> sounds like you scored ;]
14:42 < seva> but all they could do is give me port 22 access
14:43 < krzie> also 1 other thing
14:43 < krzie> i see you are pushing dns
14:43 < krzie> you may need this:
14:43 < krzie> !pushdns
14:43 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
14:43 < seva> i usually deal with cisco 2(68)00, 3800, and 6500s but i am a linux guy so it's no prob to DIY
14:43 < krzie> it will require an external script on unix, and a regedit in widnows
14:43 < krzie> windows
14:43 < seva> yeah pushdns didn't work :) i just statically put the DNS in anyhow
14:44 -!- Timpa [n=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"]
14:44 < seva> since i want my DNS over theirs due to kerberos5
14:45 -!- jeiworth [n=jeiworth@189.234.80.103] has quit [Read error: 104 (Connection reset by peer)]
14:46 -!- jeiworth [n=jeiworth@189.234.80.103] has joined ##openvpn
14:48 < seva> it's been so long since i've done iptables NAT, got to go read up
14:49 < krzie> !linnat
14:49 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:49 < krzie> thats how its normally used, slight change should do it
14:49 < krzie> by normally used i mean when people default route over server
14:49 < krzie> (which is the common reason to use nat for your vpn)
14:50 < seva> heh, thanks
14:51 < krzie> np =]
14:51 < seva> that works
14:52 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
14:52 < zhaena> :-p
14:54 < krzie> seva, so you're all set?
14:56 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
14:58 < seva> yeah, thanks, just adding static routes to my server LAN's el cheapo 2wire router
14:58 < seva> firefox over ssh tunnel dsl is really slow
14:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:59 < krzie> hehe ya
15:01 < seva> now just need to save iptables state for restarts, but yeah, thanks krzie
15:01 < krzie> np man
15:02 < seva> you (and the rest of ##openvpn) have been more than helpful today and last week
15:02 < krzie> thx, we got a pretty good crew here ;]
15:02 < krzie> (imo)
15:04 < ecrist> krzie: got it, thanks!
15:05 < krzie> and thank you too =]
15:05 < seva> take care
15:05 -!- seva [n=seva@glivorem.com] has left ##openvpn []
15:08 < gelbasack> well, for the good crew :) : any ideas why openvpn might ignore a ccd-file? ccd-entry is in the log file and CN matches
15:08 < gelbasack> configuration is pretty much the same as in openvpn howto
15:08 < krzie> gelbasack:
15:08 < krzie> !configs
15:08 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:12 < gelbasack> sorry, just wanted to start with a list of logs :) server.conf: http://pastebin.com/m6fa3ac0, ccd/mauer: http://pastebin.com/m7e70d550, client.conf: http://pastebin.com/m576d7a96
15:13 < gelbasack> 2.1 rc7 (from Ubuntu repository)
15:15 < krzie> rc7 has known problems
15:15 < krzie> which is why we're on rc18
15:16 < krzie> umm, iroute'ing a inet routable ip?
15:16 < krzie> thats not very normal...
15:16 < gelbasack> the subnet is firewalled
15:17 < gelbasack> so I'd like to route to it like to a local net
15:17 < gelbasack> via VPN
15:18 < gelbasack> I thought there was no technical difference between routing 10.* or routing 92.* for OpenVPN
15:18 < krzie> not really, but i seem to see a lot of problems with non /24 subnets
15:19 < krzie> not sure where the line is or what causes it
15:19 < gelbasack> oh
15:19 < krzie> also, see !route and read "ROUTES TO ADD OUTSIDE OPENVPN" under the picture
15:19 < krzie> and to check if the ccd is being read, look in server log
15:19 < krzie> when the client connects it will say it read the ccd file and used the iroute
15:20 < krzie> also
15:20 < krzie> you are pushing an ifconfig thats not in the --server range
15:20 < krzie> which i dont expect to be handled well
15:20 < krzie> not to mention .1 is for the server even if it was in the right range
15:21 < gelbasack> well, if you mention known problems of rc7, I maybe should upgrade first
15:22 < gelbasack> I didn't mention yet, but I'm running a similar setup at the moment which works fine
15:22 < gelbasack> there are about 4 networks connected
15:23 < krzie> you also didnt mention what your problem actually is
15:23 < gelbasack> sorry, I sound confusing, you're right
15:23 < gelbasack> problem is: ccd file is not read
15:23 < gelbasack> also tried with DEFAULT file which isn't read either
15:23 < krzie> if thats true, lucky for you
15:23 < krzie> because your ifconfig-push would screw you right up
15:24 < gelbasack> yeah, but it would tell me that any file is read :)
15:26 -!- kyrix [n=ashley@188-23-69-58.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
15:26 < krzie> show me the line where it says CN=
15:27 < gelbasack> /C=AT/ST=***/L=N***/O=gelbasack.net/OU=mauer/CN=mauer/emailAddress=g***
15:28 < krzie> cat /etc/openvpn/ccd/mauer
15:28 < gelbasack> http://pastebin.com/m7e70d550
15:28 < krzie> that was the EXACT command i just typed?
15:29 < gelbasack> well, nearly, I inserted xx.yy
15:29 < krzie> if you need to obfuscate, go hire someone you trust
15:29 < gelbasack> but command c+p from irssi, no typing errors or anything
15:30 < krzie> i understand sometimes security is so important you cant trust strangers with an ip address
15:30 < krzie> but in those situations you should hire someone when you need help
15:31 < gelbasack> I'm sorry you think so, it's nothing that I don't trust you or anything other and it's nothing with security - I just don't like if someone can google sth about me
15:33 < krzie> switch to pastebin.ca and use the encrypted post feature
15:34 < gelbasack> http://pastebin.com/mac0c3e8 - it's ok...
15:34 < krzie> #
15:34 < krzie> ifconfig-push 10.2.100.1 10.2.100.2
15:35 < krzie> still didnt fix that or explain it
15:37 < gelbasack> still didn't fix.. but tried with other values before that also didn't work
15:37 < gelbasack> I assume you wanted me to try .5 .6 ?
15:37 < krzie> umm no
15:37 < krzie> how about something in the right subnet
15:37 < gelbasack> or something within the servers subnet?
15:37 < gelbasack> tried both, but try again
15:37 < krzie> yes tho, you cant use 1 and 2
15:37 < krzie> !/30
15:37 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
15:42 < gelbasack> no different results...
15:42 < krzie> be back in a min
15:42 < krzie> also check that nobody/nogroup has access to the dir / file
15:44 < gelbasack> mh, good point, access to dir/file itself, yes, but not to /etc/openvpn, I'll try that...
15:44 < krzie> dir file itself should be enough ild think
15:45 < gelbasack> don't know if you define an absolute path
15:45 -!- tjz [n=tjz@bb116-15-41-73.singnet.com.sg] has joined ##openvpn
15:45 < gelbasack> which shouldn't be necessary, was just me trying around
15:45 < gelbasack> yes, no change
15:46 < gelbasack> maybe I really should upgrade before annoying you too much
15:46 < gelbasack> didn't think so much about it as I thought Ubuntu would come with a rather recent version and I must have done something wrong
16:00 < krzie> thats more openvpn's fault than anything to be honest
16:00 < krzie> but im bout to be busy for a few
16:00 < krzie> bbiaf
16:02 < gelbasack> I'm away, too. Thank you for your time! rc18 does not work either. I'll have a closer look at it again and maybe file a bug report if I can't find an error on my side
16:04 -!- jeiworth_ [n=jeiworth@189.177.24.140] has joined ##openvpn
16:08 -!- jeiworth [n=jeiworth@189.234.80.103] has quit [Read error: 54 (Connection reset by peer)]
16:24 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has left ##openvpn []
16:29 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Nick collision from services.]
16:29 -!- Timpa_ [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
16:52 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Leaving"]
16:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:16 < krzie> baq
17:17 -!- jeiworth_ [n=jeiworth@189.177.24.140] has quit [Read error: 54 (Connection reset by peer)]
17:21 -!- jeiworth [n=jeiworth@189.177.133.193] has joined ##openvpn
18:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
18:09 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
18:11 < ebil> !logs
18:11 < vpnHelper> ebil: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:11 < ebil> !configs
18:11 < vpnHelper> ebil: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:11 < ebil> there we go...
18:20 -!- jeiworth [n=jeiworth@189.177.133.193] has quit [Read error: 110 (Connection timed out)]
18:45 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:55 -!- thedoc [n=andelyx@bb116-15-7-215.singnet.com.sg] has joined ##openvpn
19:19 -!- Timpa_ is now known as Timpa
19:23 -!- thedoc [n=andelyx@bb116-15-7-215.singnet.com.sg] has quit [Read error: 113 (No route to host)]
19:58 -!- barbosa [n=barbosa@189.27.53.70] has quit [Client Quit]
20:01 -!- mrmorris [n=User@cpe-71-72-205-107.cinci.res.rr.com] has joined ##openvpn
20:22 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn
20:40 -!- mrmorris [n=User@cpe-71-72-205-107.cinci.res.rr.com] has left ##openvpn ["Leaving"]
20:47 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:04 -!- master_of_master [i=master_o@p549D4AE6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:08 -!- master_of_master [i=master_o@p549D4518.dip.t-dialin.net] has joined ##openvpn
21:15 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn
21:15 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has quit [Client Quit]
21:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:21 -!- ball [n=ball@adsl-99-142-40-139.dsl.emhril.sbcglobal.net] has joined ##openvpn
21:32 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
21:37 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:49 -!- ball [n=ball@adsl-99-142-40-139.dsl.emhril.sbcglobal.net] has quit ["leaving"]
21:59 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Nick collision from services.]
22:55 -!- Timpa_ [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
23:15 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
23:15 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
23:19 < ebil> Anyone still awake?
23:19 < ebil> I finally got my logs/configs together lol
23:22 -!- flokuehn [n=flokuehn@globalways/developer/flokuehn] has quit [Remote closed the connection]
23:22 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn
23:27 -!- troy is now known as troy-
23:35 < ebil> Oh well, it'll be waiting when people arrive tomorrow morning
--- Day changed Tue Jun 23 2009
00:02 < krzee> just paste them
00:05 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
00:17 < ebil> people are alive...
00:17 < ebil> http://gunmetal.eeble.net:8080/~andy/openvpn_troubleshoot.html
00:17 < vpnHelper> Title: OpenVPN Troubleshooting logs/configs (at gunmetal.eeble.net:8080)
00:17 < ebil> has all of it
00:22 < krzee> nice man
00:23 < krzee> client-config-dir ccd
00:23 < krzee> change ccd to /path/to/ccd
00:23 < krzee> like /home/krzee/vpn/ccd
00:23 < ebil> Oh, that would make sense
00:23 < krzee> or whatev
00:23 < ebil> I figured it would be relative :)
00:24 < krzee> it would if preceded by a cd
00:24 < ebil> heh
00:24 < krzee> serious, theres a --cd
00:24 < ebil> yeah, I saw that somewhere and I guess I assumed I had one
00:24 < ebil> :)
00:24 < ebil> besides, absolute paths are better anyhow
00:25 < krzee> im not sure thats it but its a great place to start
00:25 < krzee> i know the ccd isnt being read
00:25 < ebil> that's what I was wondering
00:25 < ebil> because the name appears to be coming across correctly
00:25 -!- troy- is now known as troy
00:26 < krzee> and the error points to missing iroute as well
00:27 < krzee> Mon Jun 22 18:14:18 2009 us=135510 cd_dir = '/etc/openvpn'
00:27 < krzee> is it /etc/openvpn/ccd ?
00:27 < ebil> yeah
00:28 < krzee> did making it full path help?
00:28 < ebil> doesn't appear so...
00:29 < ebil> the iroute would happen when the client connects?
00:29 < krzee> it must
00:29 < krzee> yes
00:29 < ebil> yeah, not happening :(
00:30 < krzee> ls -la /etc/openvpn
00:30 < ebil> root:root rwx for all
00:31 < krzee> soo root:root 700 ?
00:31 < ebil> yeah
00:31 < krzee> and openvpn drops privs to nobody:nogroup
00:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:31 < krzee> cant read inside ccd/
00:31 < ebil> yeah
00:31 < ebil> carp
00:31 < ebil> you're right
00:32 < krzee> =]
00:32 < krzee> good, its easier when that happens
00:33 < ebil> let's see if that works... I bet I screwed something else up, but we'll see
00:34 < krzee> actually it looks pretty good to me
00:34 < krzee> although you may not have a return route on the router
00:34 < krzee> but thats not internal to openvpn
00:34 < ebil> Ooo!
00:35 < ebil> new messages!
00:35 < ebil> Jun 22 19:58:05 udon ovpn-server_udp[13905]: noodles/141.156.223.225:38024 MULTI: internal route 192.168.173.0/24 -> noodles/141.156.223.225:38024
00:35 < ebil> I bet that's the one I wanted :)
00:35 < krzee> yup
00:35 < ebil> AWESOME!
00:35 < ebil> I'm delirious from lack of sleep, but you have made my day
00:35 < ebil> (I had to set ccd to 755 AND /etc/openvpn to 711)
00:36 < ebil> I didn't do the 711 the first time around
00:36 < krzee> ohhhh 711
00:36 < krzee> good call
00:36 < krzee> i totally forgot bout that
00:36 < ebil> yep.
00:36 < krzee> was that you i was talking to earlier that knew he couldnt read his ccd files?
00:36 < ebil> I'm ebil, ebil|work, evil_andy
00:37 < ebil> you've been helping me with this problem (on and off) for... months
00:37 < krzee> haha whoa
00:37 < krzee> !logs
00:37 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
00:37 < krzee> err
00:37 < krzee> !irclogs
00:37 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
00:38 < ebil> ok, I lied. I started this project back in october :P
00:38 < ebil> so... yeah, almost a year on and off
00:38 < ebil> I was the person with the problem where I could ping the other router over the vpn tunnel IP, but regular IP packets were going in one side of the tunnel, but never coming out the other side
00:38 < ebil> I finally had time off work/life to rebuild the router at my parents house
00:39 < ebil> cleared out the years of botched firewall rules and such, and that helped a ton
00:39 < ebil> now I just need to fix the dhcp leases to include the DNS servers on BOTH sides of the tunnel, and I should be good to go!
00:40 < ebil> and look at that, it even now automatically works in the other direction too
00:40 < ebil> sweet
00:40 < krzee> real quick tho
00:40 < krzee> you have 2 lans, right?
00:40 < ebil> yes
00:40 < ebil> 1@parents 1@home
00:41 < ebil> and each of those has 2 lans behind the router
00:41 < krzee> from a machine on each lan (not the one running openvpn, not the router) ping the other side of vpn, and a machine on other lan
00:41 < ebil> works :)
00:41 < ebil> perfectly
00:41 < krzee> werd
00:41 < ebil> almost zero lag too
00:41 < krzee> then im off to script
00:41 < krzee> =]
00:41 < ebil> I appreciate the help
00:41 < krzee> yw man
00:41 < ebil> now I can pull my webserver off the internet proper
00:42 < krzee> good work on the configs/logs post
00:42 < krzee> made it easy
00:42 < ebil> all this so my dad could access the recipe wiki on my webserver.
00:42 < ebil> without having to remember a big long address with ports and paths and such
00:42 < krzee> hahah
00:42 < ebil> but it's worth it.
00:42 < ebil> g'night
00:42 < krzee> that and for learning im sure ;]
00:43 * ebil emails tarred config directories to himself... (I learned that a while ago)
00:45 < krzee> 2245 "network" ebil|work 22.6 13:41
00:45 < krzee> you made the stats page
00:45 < krzee> 2245 times saying "network"
00:45 < krzee> hehe
00:46 < krzee> 2nd highest count, first being me and OpenVPN
00:46 < krzee> hahah
01:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:10 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
01:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
01:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:13 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:43 -!- sum [n=_root_@fiesta.cs.tu-berlin.de] has joined ##openvpn
02:43 < sum> !howto
02:43 < vpnHelper> sum: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:46 < sum> i have to enter username and password on openvpn startup. how do i put that information into the configuration file? is secret file.key the correct approach?
02:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:56 < sum> ok, --auth-user-pass file.pass does the trick
03:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
03:16 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn
03:16 < lilalinux> hey guys
03:27 < lilalinux> I have 2 VPNs the one in my company with openvpn and the one in university with cisco vpn client
03:27 -!- |ns|nR8 [n=doof@CPE-144-131-86-219.nsw.bigpond.net.au] has joined ##openvpn
03:27 < lilalinux> First I connect the cisco vpn and then use openvpn over the cisco vpn
03:27 < lilalinux> this already works for connecting to my company from the campus
03:28 < lilalinux> however, I would like to use the openvpn as the default route
03:28 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit]
03:28 < lilalinux> But simply adding the default route to the openvpn doesn't work
03:29 < lilalinux> btw: how do I print the routing table on os x?
03:30 < |ns|nR8> sudo netstat -rn
03:31 < |ns|nR8> ive having the same prob basically....trying to set default gateay on client
03:31 < |ns|nR8> gateway
03:31 < lilalinux> were you able to solve it?
03:32 < |ns|nR8> noop....i tried for awhile last night but i got tired and went to bed
03:32 < |ns|nR8> been doing other things today
03:32 < lilalinux> this is my ipv4 routing table: http://pastebin.com/m6a01114b
03:32 < |ns|nR8> think im going to try push "route-gateway 192.168.0.1" in server.conf
03:34 < lilalinux> will that work?
03:35 < lilalinux> do you mean redirect-gateway?
03:36 < |ns|nR8> i tried that
03:36 < |ns|nR8> didnt work
03:36 < lilalinux> did you read the "caveat note"?
03:37 < |ns|nR8> i probably havent read something i need to
03:37 < |ns|nR8> thats why it doesnt work
03:37 < lilalinux> May break client's network config if client's local DHCP server packets get routed through the tunnel. Solution: make sure client's local DHCP server is reachable via a more specific route than the default route of 0.0.0.0/0.0.0.0.
03:39 < |ns|nR8> dunno if ill touch it today
03:39 < |ns|nR8> spent many hours over 3 days doing it
03:42 < lilalinux> redirect-gateway in client config works
03:48 < |ns|nR8> in client...and whats that do ?
03:48 < |ns|nR8> hat dos it set the gateway address to
03:48 < |ns|nR8> what does
03:48 < |ns|nR8> the same as the servers ?
03:53 < lilalinux> what didn't work however, is dns
03:54 < lilalinux> what didn't work however, is dns "outside"
03:54 < lilalinux> I get "WARNING: recursion requested but not available"
03:55 < lilalinux> |ns|nR8: it sets such a route: 0/1 10.20.39.9 UGSc 7 102 tun0
03:55 < lilalinux> the default route is still: default 130.xxx.111.254 UGSc 2 6 en1
03:59 < lilalinux> any idea how I add a dns server manually besides the dhcp dns? If I do that via the gui (in osx) it will be appended at the end of the dns list and never used
04:03 < |ns|nR8> nuh sorry
04:03 < |ns|nR8> never used macos before
04:12 < dazo> lilalinux: dns do not have anything to do with routing tables
04:12 < dazo> lilalinux: on most unix based OS .... DNS is configured in /etc/resolv.conf
04:13 < lilalinux> dazo: I know, but apparently the uni's dns doesn't like to be used from outside the campus
04:13 < lilalinux> and if I use the openvpn's gateway, it appears like I'm coming from the outside
04:15 < dazo> lilalinux: I see ... I'm confused about your setup .... you use both openvpn and cisco vpn in parallel?
04:17 < dazo> lilalinux: a quick fix could be .... route add -host gw
04:18 < dazo> so if uni DNS = 111.222.1.10 .... and if your uni VPN gw = 10.8.0.1 .... it will be route add -host 111.222.1.10 gw 10.8.0.1
04:18 < dazo> just as an example
04:18 < dazo> then the OS and the VPN software will take care of routing stuff through the right channels
04:18 < dazo> and interfaces
04:23 < lilalinux> yeah, that works
04:23 < lilalinux> can I put that in my client conf?
04:30 -!- sum [n=_root_@fiesta.cs.tu-berlin.de] has left ##openvpn []
04:55 -!- drcode [i=user1@bzq-84-108-250-27.cablep.bezeqint.net] has joined ##openvpn
04:55 < drcode> hi all
04:55 < drcode> I try to use ultravpn under linux behind restricted firewall
04:55 < drcode> I understand openvpn work under port 443
04:56 < drcode> with stunnel I can connect to myserver and bypass this restricted firewall
04:56 < drcode> openvpn can also bypass restricted firewall?
04:58 < drcode> any idea?
05:04 < drcode> any one here?
05:16 < |ns|nR8> restricted firewall , you mean like a proxy ?
05:17 < |ns|nR8> try google openvpn over proxy
05:17 < |ns|nR8> first result talks about Openvpn uses default port 1194 (TCP or UDP), to pass over a proxy you must use the 443
05:18 < drcode> k
05:18 < drcode> let me check it
05:18 < drcode> 1 min
05:18 < drcode> it act as ssl ?
05:19 < drcode> like in stunnel?
05:19 < Bushmills> drcode, yes. unless the firewall doesn't allow openvpn client to server connection.
05:20 < drcode> let me check
05:20 < |ns|nR8> some proxy's you must have a valid http header and stuff...dunno if openvpn can do that..
05:20 < |ns|nR8> reading up a bit it appears it can do it
05:20 < |ns|nR8> it can even appear to be firefox
05:20 < |ns|nR8> and not openvpn
05:21 < drcode> no luck
05:21 < drcode> TLS Error: TLS key negotiation failed to occur within 15 seconds (check your network connectivity)
05:21 < drcode> I did tell open vpn to use port 443
05:21 < |ns|nR8> read this http://blog.foppiano.org/2008/07/24/how-to-openvpn-over-proxy/
05:21 < vpnHelper> Title: How to OpenVPN over Proxy « fucking the white bunny rabbit (at blog.foppiano.org)
05:21 < |ns|nR8> you have to do more than that
05:22 < drcode> k
05:22 < |ns|nR8> it will have to be tcp not udp
05:22 < drcode> thanx |ns|nR8
05:22 < |ns|nR8> plus you must specify alot of other stuff
05:22 < drcode> hmm
05:22 < drcode> not easy
05:22 < |ns|nR8> not that hard either
05:22 < drcode> I try to use ultravpn
05:23 < drcode> under linux , it uses openvpn
05:23 < drcode> I took their configure from windows and use it under linux
05:23 < |ns|nR8> ubuntu ?
05:24 < drcode> yep
05:24 < |ns|nR8> there is some good tutorials for doing it under linux
05:24 < |ns|nR8> ive been playing with openvpn on ubuntu for last 3 days
05:24 < drcode> I didn't find any, I did try it by hand
05:24 < drcode> nice
05:24 < drcode> did U try ultravpn?
05:24 < |ns|nR8> nuh
05:24 < drcode> its great vpn and free too
05:25 < |ns|nR8> cool..might try it if i cant get this working the way i want it to
05:25 < drcode> I hope someone will write tut to it in ubuntu
05:26 < |ns|nR8> im on call to fix computers and most of the time i get called up on weekends, public holidays or nightime
05:27 < |ns|nR8> what is wrong with people
05:28 < drcode> k
05:29 < |ns|nR8> job i had then was too bad tho...couple hotties sitting around in PJ's
05:29 < |ns|nR8> ok off topic worry
05:29 < |ns|nR8> hehe
05:29 < |ns|nR8> sorry
05:41 -!- LONGCAT [n=andy@ool-457bc7e4.dyn.optonline.net] has joined ##openvpn
05:44 < LONGCAT> If I use my own CA used for signing ssl certs as the openvpn's ca any cert made by the ca can be used to connect?
05:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
05:46 < drcode> I think I know why it blocked
05:46 < drcode> they use udp
05:46 < drcode> I don't know but maybe in restricted firewall udp is blocked
05:46 < drcode> and tcp is refused...
05:46 < drcode> this is why it didn't work
05:47 < |ns|nR8> it wont allow secure connections ?
05:47 < |ns|nR8> cant check your web email ?
05:48 < drcode> gmail worke
05:48 < drcode> work
05:48 < drcode> gmail uses ssl
05:49 < drcode> I think this is the problem, proto tcp-client and ultravpn uses proto udp
05:49 < drcode> I don't think udp is open in 443
05:49 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:49 < |ns|nR8> so use tcp
05:50 < drcode> ultravpn servers are on udp
05:50 < |ns|nR8> use openvpn ?
05:50 < drcode> if they were on tcp it would work
05:51 < drcode> k
05:51 < drcode> I will check it
05:52 < drcode> thnx again |ns|nR8
05:52 < |ns|nR8> i think udp is better
05:52 < drcode> faster?
05:53 < drcode> well ultravpn is good if someone wants to be anonymous 05:53 < |ns|nR8> since tcp is encapsulated inside udp anyway..when you start getting retransmissions...it can get both layers of tcp retransmitting 05:53 < drcode> they are fast vpn servers 05:53 < |ns|nR8> so its better to use udp 05:53 < drcode> I see 05:53 < |ns|nR8> its still a reliable connection cause tcp is inside the udp packets 05:54 < |ns|nR8> so it still requests retransmissions just inside udp packets 05:54 < |ns|nR8> plus theres prolly less overhead 05:54 < drcode> nice 05:59 -!- drcode [i=user1@bzq-84-108-250-27.cablep.bezeqint.net] has quit ["leaving"] 06:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:08 < dazo> lilalinux: sorry ... I got busy ... not sure if you figured it out how to put routing in the client config ... but yes, you can ... syntax: route 06:09 < lilalinux> dazo: thx 06:10 < dazo> LONGCAT: yes, you can use your own CA for signing SSL certs .... the OpenVPN server certificate must then also be signed by the same CA (or be signed by a CA in the cert chain for more advanced setups) 06:10 < dazo> lilalinux: no prob! 06:11 < lilalinux> will the route be deleted automatically? 06:11 -!- neteffect [n=yeah@pool-71-251-75-77.tampfl.fios.verizon.net] has left ##openvpn [] 06:12 < dazo> lilalinux: yes, openvpn will clean it up when closing 06:13 < dazo> lilalinux: and that's especially true when the route goes over the openvpn interface ;-) 06:13 < Bushmills> !def1 may be needed 06:13 < vpnHelper> Bushmills: Error: "def1" is not a valid command. 06:13 < Bushmills> !def1 06:13 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 06:13 < Bushmills> (or it'd have to get the default gateway from other resources) 06:13 < LONGCAT> dazo: Can I sign a cert with my root ca, and use that as a ca to generate openvpn certs? 06:14 < LONGCAT> If I do that, will certs made from the root ca work with openvpn?, or only with the second ca? 06:14 < lilalinux> redirect-gateway def1 06:14 < lilalinux> route 130.83.0.0 255.255.0.0 130.83.111.254 06:14 < dazo> LONGCAT: yes, that's also possible .... I have no experience with it, but this is a part of the certificate chains SSL supports 06:14 < lilalinux> this is what I got 06:17 < dazo> LONGCAT: IIRC ... if you have root-ca cert, and sub-ca certificate and your openvpn servers certificate is signed by the sub-ca, clients must be signed by the sub-ca only .... if the openvpn server is signed by the root-ca, clients can be signed with either root-ca or sub-ca 06:18 < LONGCAT> I'll try that then 06:32 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:41 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has quit [Read error: 104 (Connection reset by peer)] 06:41 -!- Gorkhaan1 [n=Gorkhaan@87.229.108.75] has joined ##openvpn 06:41 -!- djc [n=djc@xavamedia.nl] has joined ##openvpn 06:42 < djc> is there a mechanism in openvpn to e.g. redirect hostnames while connected to the VPN? 06:42 < djc> (other than using a startup script that modifies /etc/hosts or something) 06:54 < ecrist> good morning, bitches 07:08 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 07:18 -!- Dougy [n=doug@160.79.78.34] has quit [Nick collision from services.] 
07:18 -!- Dougy [i=doug@64.18.144.3] has joined ##openvpn 07:18 -!- Douglas [n=doug@160.79.78.34] has joined ##openvpn 07:18 < ecrist> morning, dougy 07:18 < Dougy> hey ecrist 07:18 < Dougy> how are you 07:18 < ecrist> alright 07:19 * Dougy is sitting in class :/ 07:20 * ecrist is working. 07:22 < Dougy> win 07:24 < Dougy> bbl 07:56 -!- davidisk1 [i=davidisk@nte.sk] has joined ##openvpn 07:56 -!- davidisko [i=davidisk@nte.sk] has quit [Read error: 104 (Connection reset by peer)] 07:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:05 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has quit [] 08:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 08:10 -!- ebil|work [n=andy@216.64.93.22] has joined ##openvpn 08:11 < Dougy> blah 08:11 < Dougy> boredom 08:16 < ecrist> hah! I'm tweaking my jabber bot today. :) 08:21 < Dougy> win 08:21 < Dougy> im sitting here in spanish 08:21 < Dougy> 4 monitors/keyboards/stations using 1 pc 08:21 < Dougy> ;/ 08:21 < Dougy> laggy as shit 08:35 < Dougy> http://www.speedtest.net/result/299060864.png 08:35 < Dougy> :> 08:36 < |ns|nR8> oh you poor thing..only 70Mb/s upload 08:37 < |ns|nR8> are you on the same LAN as the test server ? 08:37 < |ns|nR8> 27ms ..prolly not 08:41 < |ns|nR8> working at RackVibe would prolly do it 08:49 -!- |Mike|_ is now known as |Mike| 08:53 -!- |ns|nR8 [n=doof@CPE-144-131-86-219.nsw.bigpond.net.au] has quit ["Leaving"] 09:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 09:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:06 < epaphus> Hello.. 09:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:34 -!- ebil|work [n=andy@216.64.93.22] has quit [Read error: 104 (Connection reset by peer)] 09:43 < ecrist> hello. 
09:50 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 10:14 -!- Kreg-Work is now known as Kreg 10:17 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has joined ##openvpn 10:18 -!- M06w [n=Greys@c-76-112-59-149.hsd1.mi.comcast.net] has left ##openvpn [] 10:45 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:49 -!- p3ri0d [i=p3ri0d@200.2.153.59] has joined ##openvpn 11:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:01 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:01 -!- Gorkhaan1 [n=Gorkhaan@87.229.108.75] has left ##openvpn [] 11:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:10 < LONGCAT> So if I have a multiple level CA structure, with root CA signing openvpn CA, the "ca" openvpn should load is the "openvpn CA" and the clients should get ... the root and openvpn ca? 11:11 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn 11:11 -!- djc [n=djc@xavamedia.nl] has left ##openvpn [] 11:12 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:14 < LONGCAT> It seems I accidentally self signed my server cert. 11:18 < LONGCAT> No heh 11:21 -!- Timpa_ [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 60 (Operation timed out)] 11:24 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 11:38 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn 11:48 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 11:59 < LONGCAT> Hmm so I have ca /path/to/ca.crt and ca.crt has the server.crt's CA, and also that CA's CA concatenated together. 
openssl verify -CAfile ca.crt server.crt says it verifies ok, but it doesnt look like openvpn is looking at both CA certs when verifying the trust 12:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:09 < ecrist> LONGCAT: I don't think it ever will ( at least for the current iteration of code) 12:10 < LONGCAT> It says so in the man page that the CAs can be concatenated 12:29 < LONGCAT> ecrist: I'm interested in knowing why you think it never will... that means you've tried? 12:34 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Client Quit] 13:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 13:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:33 -!- p3ri0d [i=p3ri0d@200.2.153.59] has quit ["Leaving"] 13:58 -!- troy is now known as troy- 14:07 -!- maxagaz [n=g@124.193.68.11] has joined ##openvpn 14:07 < maxagaz> hi 14:08 < maxagaz> someone? 14:08 -!- troy- is now known as troy 14:09 < reiffert> just ask and wait. 14:43 -!- xero [n=IceChat7@c-98-230-218-19.hsd1.nm.comcast.net] has joined ##openvpn 14:46 < xero> I need some help troubleshooting using openvpn as an endpoint for a network. On two separate networks, i have xp configured as the endpoint for their respective network. I can ping outside networks from the endpoint but can not ping outside networks from any device within that network. 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:53 < reiffert> !route 14:53 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:54 < xero> i have thoroughly read this document at least 10 times... 15:03 < xero> krzie do you have a minute? 
15:03 < maxagaz> starting openvpn on ubuntu jaunty fails, i get this in the logs: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 15:04 < LONGCAT> I get that message but it doesnt fail for me 15:06 < maxagaz> my key's name should be ca.key ? 15:07 < maxagaz> are those name good ? => ca.crt ca.key client.conf ta.key 15:07 < maxagaz> s/names 15:07 < LONGCAT> ca.key is never used by the server or client 15:07 < LONGCAT> ca.key should be kept very secret 15:07 < maxagaz> why does it exist then ? 15:08 < LONGCAT> For generating certs 15:08 < maxagaz> ok 15:09 < maxagaz> i followed a doc to install openvpn as a client, and it said at some point: copy /etc/openvpn/.../client.conf on the /etc/openvpn/ 's client directory and edit it to adapt the keys names 15:09 < maxagaz> i don't understand what i should edit to adapt the keys names 15:10 < maxagaz> i found nothing clear about changes to do in client.conf 15:11 < krzie> krzie do you have a minute? 15:11 < krzie> wassup 15:11 < LONGCAT> If you call your client's certs "boxxy.crt and boxxy.key" then you'll want to make sure the client.conf knows that 15:11 < krzie> why does it exist then ? 
15:11 < krzie> For generating certs 15:11 < krzie> ca.key is for signing certs 15:11 < xero> you have helped me a lot in the past, i was wondering if you could help me troubleshoot running xp as a network endpoint 15:12 < maxagaz> i just noticed one thing, there's a line in client.conf which is "key client.key", but I don't have this file in my /etc/openvpn 15:12 < krzie> the csr can be generated on a separate box, it gets signed and the crt (csr which has been signed) exists 15:12 < LONGCAT> You skipped a step then :-) 15:12 < LONGCAT> Skipped at least client cert generation, if not server and CA 15:12 < krzie> xero: break out the packet sniffers, see if the endpoint is receiving the ping 15:13 < maxagaz> krzie, ok 15:13 < xero> ok 15:13 < LONGCAT> xero: break out the packet sniffers, see if the endpoint? 15:13 < LONGCAT> nm 15:13 < krzie> maxagaz if you use freebsd grab ssl-admin from ports 15:14 < krzie> its the easiest way ive seen for cert generation 15:14 < maxagaz> krzie, i use ubuntu jaunty 15:14 < LONGCAT> krzie: easier than following the openvpn howto and using their scripts? 15:14 < krzie> ok then follow the howto for generating the certs 15:14 < krzie> yes, much easier LONGCAT 15:14 < krzie> easy-rsa kinda sucks 15:14 < maxagaz> krzie, i've used build-key 15:14 < krzie> which is why ecrist made ssl-admin 15:15 < krzie> !ssl-admin 15:15 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 15:15 < xero> "ttl expired in transit" 15:16 < krzie> xero, so did the machine receive the icmp echo? 15:16 < krzie> im not asking if the reply made it back 15:16 < LONGCAT> Maybe you can assist me too krzie... I tried to set up a 2 tier (or however it's called) CA hierarchy, and signed my server and client certs using the second CA. 
I conlongcatnated the CA pem files together into one ca.pem, but it seems the openvpn client only parses the first entry in ca.crt so it cant ever auth 15:16 < krzie> im asking if when sniffing on the endpoint you saw the requests 15:16 < LONGCAT> I could openssl verify -CAfile ca.crt server.crt just fine 15:17 < krzie> LONGCAT, yes, you cant do that in openvpn, nor is there a real reason to 15:17 < xero> krzie, no, i do not see anything in the log 15:17 < krzie> log? 15:17 < krzie> packet sniffer! 15:17 < xero> wireshark 15:17 < krzie> oh 15:17 < |Mike|> ssl-admin, wth. 15:18 -!- gelbasac1 [n=gelbasac@gw6.gelbasack.net] has joined ##openvpn 15:18 < xero> ok, im not sniffing on the endpoint 15:18 < xero> ill have to install wireshark on the endpoint 15:18 < krzie> right.. 15:19 < LONGCAT> krzie: If you already have a CA it makes sense to use it... But it doesnt make sense to use that CA for generating client certs. That's just my take on it. 15:19 < krzie> ca's dont generate client certs 15:19 < krzie> they sign them 15:20 < LONGCAT> Yes... To sign them... Sorry 15:23 < krzie> LONGCAT, in the mail archives you will see this has come up before 15:23 < krzie> and in the channel logs 15:24 < krzie> !irclogs 15:24 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 
15:24 < krzie> !mail 15:24 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 15:24 < krzie> the short of it, you cant 15:27 < krzie> shit shit shit 15:27 < krzie> i didnt upload my newest version of my script to a server 15:27 < krzie> so i cant work on it right now without starting over =/ 15:29 < xero> krzie i forgot to restart the service on the server 15:29 < krzie> so it works now? 15:29 < xero> yes 15:29 < xero> thanks 15:30 < krzie> werd 15:30 < krzie> np 15:30 < xero> yes, you are telling me... lol 15:30 < krzie> huh? 15:31 < krzie> ohh 15:31 < krzie> not weird, werd... means cool 15:31 < xero> werd = cool, it is very cool 15:31 < xero> lol 15:33 -!- xero [n=IceChat7@c-98-230-218-19.hsd1.nm.comcast.net] has quit ["OUCH!!!"] 15:33 < maxagaz> could my problem come from the fact i'm behind a modem/routeur ? 15:33 < krzie> maxagaz whats your problem? 15:33 < maxagaz> krzie, openvpn fails to start 15:34 < krzie> what do the logs tell you 15:34 < maxagaz> WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 15:34 < krzie> thats not it 15:34 < krzie> thats just a warning, not fatal 15:34 < krzie> !logs 15:34 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
15:35 -!- gelbasack [n=gelbasac@gw6.gelbasack.net] has quit [Read error: 111 (Connection refused)] 15:36 < maxagaz> krzie: the full log is here: http://paste2.org/p/280218 15:36 < krzie> # 15:36 < krzie> Jun 24 04:35:03 asus ovpn-client[10405]: Cannot load certificate file client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib 15:36 < krzie> use full paths to your files 15:37 < krzie> it cant find your client.crt 15:38 < maxagaz> krzie, full path, where ? in client.conf ? 15:39 < krzie> in all configs 15:39 < krzie> for every file or dir you specify any any of them 15:40 < maxagaz> krzie, so it doesn't know that my files are in /etc/openvpn ? 15:40 < maxagaz> i thought it was a default directory 15:40 < krzie> just use full paths dude 15:41 < LONGCAT> From the mailing list it looks like stacked ca's work for old/new CA (not necessarily chained) 15:42 < krzie> maybe you can do what you want 15:42 < krzie> but ive seen it tried, never seen it accomplished 15:42 * LONGCAT has tried it, has not accomplished 15:43 < krzie> and every time the subject came up nobody understood a real reason to do it that way 15:43 < krzie> so im saying just do it the normal way 15:43 < krzie> but feel free to not listen to me 15:43 < Gorkhaan> maxagaz: Dude, post your config if you have any. ( pastebin.com ) 15:44 < krzie> Gorkhaan first thing he needs to do is try it with full paths 15:44 < LONGCAT> I am doing it the "normal" way. 
It's just a workaround though until I can do it the "right" way 15:44 < krzie> cause thats certainly the problem he had when he pasted that log 15:44 < krzie> LONGCAT what you call the 'right' way isnt how it works, but ok 15:48 -!- p3ri0d [i=p3ri0d@200.2.153.59] has joined ##openvpn 15:52 < maxagaz> krzie, i tried with full path, but actually i don't have client.crt 15:53 < Gorkhaan> !howto 15:53 < vpnHelper> Gorkhaan: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:53 < maxagaz> krzie, i only have ca.crt 15:53 < krzie> well theres your problem 15:54 < maxagaz> krzie, how to solve it ? 15:55 < maxagaz> krzie, what should generate this file ? 15:55 < krzie> when you follow the howto and make the certs 15:55 < krzie> keep following the howto and put all files where they belong 15:55 < krzie> the howto is rather clear about all of it 15:55 < krzie> !howto 15:55 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:00 < krzie> hey reiffert you here? 16:01 < krzie> if [ "$OS" = "FreeBSD|Linux" ]; then echo yes; else echo no; fi 16:02 < krzie> yanno how to make something like that work? i do i need to use case 16:02 < krzie> or do i need to 16:03 < Gorkhaan> krzie: what is the real problem? :) 16:03 < krzie> its not really a problem, just wondering if i can use 'this or that' in if syntax 16:04 < krzie> and the then will be huge so i cant just use [ test1 ] || [ test2 ] 16:04 < maxagaz> ok, it looks to works now 16:05 < Gorkhaan> if [ "string" == "string" ]; then; 16:05 < maxagaz> and i can see some changes with ifconfig 16:05 < maxagaz> but how to access servers ? 16:05 < krzie> Gorkhaan where the or in that? 
16:05 < Gorkhaan> if [ $Number1 -eq $Number2 ]; then 16:05 < krzie> krzee@hemp:~> if [ "$OS" = "FreeBSD" ]; then echo yes; else echo no; fi 16:05 < krzie> yes 16:05 < Gorkhaan> in bash OR is || and is && 16:05 < krzie> that works fine 16:05 < krzie> i know dude, but not in a test 16:06 < maxagaz> using ssh ? 16:06 < maxagaz> ssh keeps asking me passwords 16:06 < krzie> why do you expect it not to? 16:06 < Gorkhaan> what do u like to "test"? 16:06 < krzie> Gorkhaan nm dude 16:06 < Gorkhaan> k 16:07 < maxagaz> how to switch my terminal to the vpn connection ? 16:07 < reiffert> krzie: C: int a=6; if (a = 5) printf("yes"); will print yes as well. 16:08 < krzie> well ya cause that will set the var 16:09 < krzie> which succeeded so its yes 16:09 < krzie> krzee@hemp:~> if [ "$OS" = "FreeBSD" ]; then echo yes; else echo no; fi yes 16:09 < krzie> krzee@hemp:~> OS=Darwin 16:09 < krzie> krzee@hemp:~> if [ "$OS" = "FreeBSD" ]; then echo yes; else echo no; fi 16:09 < krzie> no 16:09 < krzie> not the same in shell script as C 16:10 < reiffert> yup 16:10 -!- LONGCAT [n=andy@ool-457bc7e4.dyn.optonline.net] has left ##openvpn [] 16:10 < krzie> but the == is fine too 16:10 < maxagaz> nobody to guide me ? 16:11 < krzie> im wondering if you know how to do something like this: 16:11 < krzie> if [ "$OS" == "FreeBSD" || "Linux" ] 16:11 < krzie> || and -o dont work 16:11 < krzie> i can just use case, but figured maybe you or bush would know to to do what i was trying 16:11 < reiffert> [] || [] 16:12 < krzie> ohhh put both tests inside the if 16:12 < krzie> duh why didnt i think of that! 16:12 < reiffert> (.) (.) 16:12 < krzie> i usually do that for one liners, but without the if... was thinking i couldnt do that cause of the long then 16:12 < krzie> thanx ;] 16:13 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 16:13 < krzie> works perfect =] 16:14 < reiffert> Half Perfect? 
16:14 < krzie> fully perfect 16:15 < reiffert> You know "Advanced bash scripting guide" | google? 16:15 < krzie> ahh nice thanx 16:15 < reiffert> In case of doubt I like scripts and examples from /etc/init.d/ 16:16 < krzie> my search strings always come up with too much simpleness 16:16 < reiffert> Scripting guide nice for Arrays and String manipulation 16:16 -!- troy is now known as troy- 16:17 < reiffert> And for IO Redirection. 16:18 < krzie> io redirection is like the most important thing in scripting 16:18 < krzie> imho 16:18 < reiffert> yup 16:18 < krzie> how to switch my terminal to the vpn connection ? 16:18 < krzie> that question makes no sense 16:18 < krzie> all you have is a secure network connection to the machine 16:18 < krzie> using the vpn subnet 16:19 < maxagaz> ok 16:19 < krzie> its not like a remote desktop or anything 16:19 < maxagaz> i'm reading the howto... 16:19 < krzie> you can ssh to the box using vpn ip 16:19 < krzie> and it will go over the vpn 16:19 < krzie> but it will still want a password unless you did something to tell ssh not to need one 16:19 < krzie> like sshkeys for example 16:20 < krzie> but thats outside the scope of openvpn or any vpn 16:20 < maxagaz> th thing is i'm behind a router/modem, my ip is 192.168.1.3 here, and 192.168.1... is also used in the lan i'm connecting to 16:20 < maxagaz> the thing 16:20 < krzie> you sharing either LAN? 16:20 < maxagaz> krzie, does it make a conflict ? 16:20 < krzie> that depends 16:21 < maxagaz> krzie, yes(?) 16:21 < krzie> you trying to have either lan route with the vpn? 
16:21 < krzie> or just client connects to server, normal 16:21 < maxagaz> client connect to server 16:21 < krzie> no conflict 16:21 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 16:21 < krzie> cause you cant use lan ips anyways 16:21 < krzie> you use the vpn ips 16:22 < krzie> in the howto that would be 10.8.0.1 for the server and 10.8.0.6 for the first client 16:22 < maxagaz> when i type 'route', i can see new route, but none is pingable 16:22 < maxagaz> 10.8.0.1 is not pingable 16:22 < krzie> then you have a problem 16:22 < krzie> !configs 16:23 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:23 < krzie> !logs 16:23 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 16:23 < maxagaz> ok 16:23 < reiffert> !factoids search interface 16:23 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 16:29 -!- p3ri0d_ [i=p3ri0d@200.2.142.61] has joined ##openvpn 16:37 -!- p3ri0d [i=p3ri0d@200.2.153.59] has quit [Connection timed out] 16:59 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 60 (Operation timed out)] 17:07 < Gorkhaan> Modem Internet Dial-up: http://www.youtube.com/watch?v=FG1AQcGGSec&feature=related 17:07 < vpnHelper> Title: YouTube - Dial Up Internet Sound ( Funny) (at www.youtube.com) 17:07 < Gorkhaan> lmao 17:12 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Read error: 104 (Connection reset by peer)] 17:15 -!- CybDev [i=cybdev@unaffiliated/cybdev] has joined ##openvpn 17:33 < ebil> krzie, If you want, I can *fully* sanitize that webpage I made if you want to use it as an example (maybe sanitize/compress it). just a thought. it helped me get my problem solved :D 17:34 < krzie> while it sounds like a good idea, you just completely followed directions that already exist, i have a feeling that an example of those directions wouldnt help the people that bother looking at it 17:34 < krzie> because those that would look at it would likely already follow directions like you did 17:35 < krzie> yanno what i mean? 17:35 < krzie> with that said, if you would like to, feel free 17:35 < krzie> and if you do, i will make the bot know about it 17:36 < ebil> cool. 
and yes, I know EXACTLY what you mean lol 17:37 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 17:42 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)] 17:44 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has quit [] 17:59 -!- troy- is now known as troy 18:00 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 18:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:37 -!- jeiworth [n=jeiworth@189.234.97.227] has joined ##openvpn 18:37 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn 19:03 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit ["- nbs-irc 2.39 - www.nbs-irc.net -"] 19:09 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn 19:10 -!- p3ri0d_ [i=p3ri0d@200.2.142.61] has quit [Client Quit] 19:49 -!- maxagaz [n=g@124.193.68.11] has quit ["Leaving"] 20:08 -!- thedoc [n=andelyx@119.73.165.162] has joined ##openvpn 20:15 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn 20:16 < zhaena> :) 20:21 -!- jeiworth [n=jeiworth@189.234.97.227] has quit [Read error: 110 (Connection timed out)] 20:53 -!- jeiworth [n=jeiworth@189.234.97.227] has joined ##openvpn 21:04 -!- master_of_master [i=master_o@p549D4518.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:06 < ecrist> krzie: did you get your test problem from 16:01 fixed? 21:07 -!- master_of_master [i=master_o@p549D4A4B.dip.t-dialin.net] has joined ##openvpn 21:08 < ecrist> |Mike|: I didn't understand your comment about ssl-admin. wth? 
21:08 < krzie> yup yup 21:08 < krzie> reif was right 21:09 < ecrist> btw, the comparison of strings is -eq, not == 21:09 < ecrist> with test, anyways 21:09 < krzie> == worked, -eq didnt 21:09 < krzie> i expected -eq too 21:09 < ecrist> doh, you're right 21:09 < ecrist> it's perl that does eq 21:09 < krzie> same with shell 21:10 < ecrist> I've been *heavy* in perl land these last few days. 21:10 < krzie> maybe only with numbers or something 21:10 < ecrist> no, what I mean is, in perl, == compares integers, eq compares strings, in test/[ it's the other way around. 21:10 < krzie> ohh ok 21:10 < krzie> time for me to roll out 21:11 < krzie> ill bbl 21:11 < ecrist> l8r 21:24 < zhaena> bye krzie 21:24 < zhaena> :) 21:55 -!- prxtien [n=pro@teamaustralia.net.au] has quit [Read error: 104 (Connection reset by peer)] 21:55 -!- prxtien [n=pro@teamaustralia.net.au] has joined ##openvpn 22:07 -!- ebil is now known as ebil|afk 22:12 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Network Terminated."] 22:21 < ecrist> fuckers. 
22:21 < ecrist> craigslist stopped allowing CSS 22:21 < ecrist> :( 22:35 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: isox, qknight, Gumbler, HardDisk_WP, kaii, lataffe 22:35 -!- Netsplit over, joins: lataffe, Gumbler, HardDisk_WP, qknight, isox, kaii 22:36 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: gabriel25ny, tarbo2, xp_prg, Ragnar, worch 22:36 -!- Netsplit over, joins: gabriel25ny, tarbo2, Ragnar, worch, xp_prg 22:56 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn 23:11 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Network Terminated."] 23:13 -!- ebil|afk is now known as ebil 23:25 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:42 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] --- Day changed Wed Jun 24 2009 00:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:31 -!- Douglas [n=doug@160.79.78.34] has quit [Read error: 110 (Connection timed out)] 00:32 -!- Douglas [n=doug@160.79.78.34] has joined ##openvpn 00:35 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 00:59 -!- Douglas [n=doug@160.79.78.34] has quit [Read error: 110 (Connection timed out)] 01:02 -!- Douglas [n=doug@160.79.78.34] has joined ##openvpn 01:13 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:41 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 01:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 01:50 -!- daya [n=daya@202.63.242.211] has joined ##openvpn 01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:52 < daya> can I set up Remote Access VPN with openvpn 01:56 < cj> what is Remote Access VPN? 01:56 < cj> you mean MS's RAS stuff? 01:57 < daya> cj, I mean to remotely dial the VPN server, and get connected to it 01:58 < cj> uhm, you mean dial with a rotary phone? 
01:58 < cj> define "remotely dial" 02:00 < daya> cj, hh, I mean to distinguish point-to-point and remote-access VPN t 02:01 < cj> ah. yeah, I guess you could consider tun point-to-point and tap remote-access 02:18 -!- dazo|h [n=dazo@mail.umc.cz] has joined ##openvpn 02:19 -!- dazo|h is now known as dazo|laptop 02:28 -!- dazo|laptop [n=dazo@mail.umc.cz] has quit ["Leaving"] 02:30 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 02:30 < joel_> hello.. anyone has experience configuring OpenVPN so that for authentication it uses a digital certificate and also a user/pass? 02:36 < Gorkhaan> uuum... yes? 02:36 < thedoc> !howto 02:36 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:41 < joel_> wtf? er.. how does not says anything about that situation as far as i saw 02:42 < joel_> well.. wait i think i saw something 02:44 < thedoc> I'm sure it did. 02:46 < Gorkhaan> find manual with keywords: ca, dh, key, crt, auth-user-pass 02:51 < |Mike|> openssl uses certificates, no user/password needed :) 02:58 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 03:22 < joel_> |Mike|: i know but i want dual authentication: certificates + auth/pass 03:22 < joel_> login* 03:29 < |Mike|> why would you like that, it's insecure... 03:36 -!- daya [n=daya@202.63.242.211] has quit ["Leaving"] 03:56 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn 04:15 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Remote closed the connection] 04:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:45 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has quit [Read error: 110 (Connection timed out)] 04:53 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn 05:06 < joel_> |Mike|: ?? why is it insecure? 05:06 < joel_> |Mike|: it has two layers of security, that they have something (the certificate) and that they know their user/pass 05:07 < |Mike|> and you count that as 2 ? 
:) 05:07 < joel_> |Mike|: aren't they? 05:08 < |Mike|> You can add keypass phrases on the certs :) 05:08 < joel_> yes but that do would be insecure. 05:08 < joel_> if the cert get lost.. 05:09 < joel_> before you know about it, somebody can connect 05:09 < joel_> without need to know the passwd, or not? 05:10 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 05:10 -!- daya [n=daya@202.63.242.211] has joined ##openvpn 05:16 -!- prospo [n=emil@251-81-ftth.onsneteindhoven.nl] has joined ##openvpn 05:16 * Bushmills wonders whether no authentication would be a good idea - in the case that the password is forgotten 05:19 -!- daya_ [n=daya@202.63.242.211] has joined ##openvpn 05:19 < daya_> cj, hi, I got read UDPv4 [EHOSTUNREACH]: No route to host (code=113) from client 05:20 < daya_> cj, I am setting it on same LAN for test purpose 05:20 < daya_> cj, and disabled the firewall on both 05:22 -!- prospo [n=emil@251-81-ftth.onsneteindhoven.nl] has left ##openvpn [] 05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:31 -!- eliesainfeld [n=eliesain@c-24-6-70-242.hsd1.ca.comcast.net] has joined ##openvpn 05:32 < eliesainfeld> hi 05:32 < Gorkhaan> hi * 05:32 < |Mike|> joel_: the client certs are all stored on the server 05:33 < eliesainfeld> I am looking to use the VPN feature of my FVS338 firewall router. 05:34 < eliesainfeld> I am having difficulties juggling all the info necessary to do it properly 05:35 < eliesainfeld> do you or anyone here has don so 05:35 < eliesainfeld> ? 05:35 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 05:35 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 05:35 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 05:40 < eliesainfeld> Gorkhaan are you still here ? 05:40 < eliesainfeld> anyone one here listening ? 05:47 < Bushmills> eliesainfeld, does you route run openvpn? 
05:47 < Bushmills> router
05:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:54 -!- daya_ [n=daya@202.63.242.211] has quit [Read error: 113 (No route to host)]
05:56 < Gorkhaan> I'm here yep
05:59 < Gorkhaan> What exactly is your problem?
06:07 -!- |ns|nR8 [n=doof@144.131.184.63] has joined ##openvpn
06:10 -!- AlexJ^ [n=alexj@unaffiliated/alexj/x-000001] has joined ##openvpn
06:11 < AlexJ^> hello... i have a vpn connection with a linux server and a linux client... can i also have a Windows client in this network..if yes, how? (my google searches didn't turn up any tutorials on how to do this)
06:11 < thedoc> !howto
06:11 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:14 -!- daya [n=daya@202.63.242.211] has quit ["Leaving"]
06:20 < Bushmills> AlexJ^, yes, possible
06:21 < Bushmills> either set up windows as openvpn client, so it can connect to openvpn server, or let windows machine use your other openvpn client as gateway
06:26 -!- eliesainfeld [n=eliesain@c-24-6-70-242.hsd1.ca.comcast.net] has quit []
06:45 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
06:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:48 -!- mattock [n=mattock@gw.tietoteema.fi] has quit [Read error: 60 (Operation timed out)]
06:48 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
06:59 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
07:00 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: tarbo2, worch, gabriel25ny, Ragnar
07:00 -!- Netsplit over, joins: gabriel25ny, tarbo2, Ragnar, worch
07:08 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 104 (Connection reset by peer)]
07:08 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn
07:13 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: tarbo2, worch, gabriel25ny, Ragnar
07:14 -!- Netsplit over, joins: gabriel25ny, tarbo2, Ragnar, worch
07:15 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn
07:36 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
07:36 < zhaena> :)
07:37 < thedoc> :)
07:38 < zhaena> i luv openvpn
07:53 -!- thedoc_ [n=andelyx@208.99.194.194] has joined ##openvpn
07:53 < zhaena> when i get the message "Initialization Sequence Completed" does that mean i am now inside of a tunnel via openVPN?
08:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
08:16 < ebil> zhaena, as I understand it, that means that the tunnel has been created... you still have to route packets through the tunnel for it to 'work'
08:16 < ebil> what are you trying to do?
08:18 < zhaena> yay!!! i learned how to do something!!! :-))) *happy dance*
08:18 < ebil> cool :) So are packets being routed across the tunnel yet? or is that the next step?
08:19 < zhaena> hmm i THINK that's like the next part ?
08:19 < zhaena> god i'm SO DUMB in computers
08:20 < zhaena> i'm reading this tutorial thing, ebil, and i just typed "iptables -F"
08:20 < zhaena> ??
08:20 < ebil> ack gotta run and drop off my girlfriend's mom at the airport, but I'll be back later today. the guys here are very helpful, just remember to read the topic :)
08:20 < zhaena> ok
08:20 < zhaena> :)
08:20 < ebil> zhaena, Hmmm... iptables -F isn't the best command to use unless you know what it does :)
08:20 < zhaena> *waves* bye!
08:20 < ebil> you just removed your firewall rules
08:20 < zhaena> oh shit!
08:20 < ebil> what distro are you using?
08:21 < zhaena> jaunty
08:21 < ebil> ubuntu?
08:21 < ebil> ok
08:21 < ebil> do you use ummm...
08:21 < thedoc_> iptables -F will flush all your iptables rules.
08:21 < ebil> zhaena, it's the desktop version of jaunty?
08:21 < thedoc_> USE WITH CAUTION!
08:21 < zhaena> its saying here that i have to now type "iptables -P OUTPUT DROP"
08:21 < zhaena> ?
08:22 < zhaena> yes its desktop
08:22 < zhaena> i'm pulling my hair out but i am gonna get this if its the last thing i do!!!
08:22 < ebil> zhaena, wait a second before you do that
08:23 < ebil> you are connected to the system locally? (not over ssh?)
08:23 < zhaena> to tell the truth i have no idea i just joined the darknet conglomeration
08:23 < ebil> because, I guarantee you, if you do iptables -P OUTPUT DROP, we're not going to see you anymore :) (your computer will no longer send packets to the internet)
08:24 < zhaena> it says after that to type "iptables -P INPUT DROP"
08:24 < no_maam> hi
08:24 < zhaena> and then "iptables -P FORWARD ACCEPT"
08:24 < zhaena> ?
08:24 < no_maam> small problem with openvpn on vista
08:24 < thedoc_> zhaena, are you connected via ssh or are you in front of the physical computer at the moment?
08:25 < no_maam> I am using bridged mode, and the tap interface doesn't get an ip address assigned
08:25 < zhaena> in front of my computer
08:25 < no_maam> I assume I may fix the problem with ip-win32
08:25 < no_maam> any recommendations for ip-win32 and vista?
08:29 < zhaena> then it says to type "iptables -A INPUT -i eth0 -p udp -s 100.0.0.1 -d 50.0.0.1 --sport 2001 --dport 2000 -j ACCEPT"
08:29 < zhaena> ?
08:30 < Gorkhaan> UAC may f*ck it up, on Vista, try to run OpenVPN GUI with Administrator privileges, or turn off UAC
08:39 -!- jeiworth [n=jeiworth@189.234.97.227] has quit [Read error: 60 (Operation timed out)]
08:59 < oc80z> hmm?
09:00 < Dougy> wassup
09:00 < Dougy> thedoc_: hey hey
09:00 < thedoc_> 'sup man:)
09:00 < Dougy> just got ripped a new a-hole by my datacenter
09:01 < thedoc_> ouch, what happened?
09:01 < Dougy> $100 for them to buy a 2GB RAM DIMM
09:01 < Dougy> and put it in your server
09:01 < Dougy> the ram dimm costs them $24
09:01 < Dougy> =/
09:01 < thedoc_> Yep.
09:01 -!- joel [n=joel@193.145.14.94] has joined ##openvpn
09:01 < thedoc_> Ouch
09:02 < Dougy> yeah
09:02 < Dougy> memtest really screwed up on that box
09:02 < Dougy> so i decided to replace ram
09:02 < Dougy> it looks so weird
09:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:02 < thedoc_> memtest86?
09:02 < thedoc_> lewlz.
09:02 < Dougy> yes
09:02 < Dougy> http://www.upload3r.com/serve/240609/1245852159.png
09:02 < Dougy> last time i saw that happen the RAM was bad
09:03 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
09:03 < thedoc_> Nice, welcome to bad ram
09:03 < Dougy> its ok
09:03 < Dougy> i got a nice shiny 2gb kingston dimm going in there
09:03 < Dougy> should be today
09:03 < thedoc_> ding-a-ling:)
09:04 < Dougy> so should have yours today ready to go
09:10 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
09:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:19 < ebil> zhaena, hi sorry, the openvpn howto uses iptables for firewall rules, I believe that ubuntu desktop defaults to using something else
09:22 < ebil> zhaena, read this (all of it) before you start playing with iptables, it's got a decent bit of information and some of it is ubuntu specific. unfortunately I'm out for the rest of the day, but this should help a bit: https://help.ubuntu.com/community/IptablesHowTo
09:22 < vpnHelper> Title: IPTables HowTo - Community Ubuntu Documentation (at help.ubuntu.com)
09:45 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:45 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
09:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:51 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
10:15 -!- eliesainfeld [n=eliesain@c-24-6-70-242.hsd1.ca.comcast.net] has joined ##openvpn
10:21 -!- joel [n=joel@193.145.14.94] has quit [Nick collision from services.]
10:21 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn
10:22 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn
10:24 -!- eliesainfeld [n=eliesain@c-24-6-70-242.hsd1.ca.comcast.net] has left ##openvpn []
10:39 -!- zheng [n=zheng@114.92.132.65] has quit [Remote closed the connection]
10:44 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
11:01 -!- uberlord`- [n=uberlord@p5B0FAC74.dip.t-dialin.net] has joined ##openvpn
11:23 -!- Alagar [n=helpdesk@95.154.197.29] has joined ##openvpn
11:37 -!- geye [n=geye@gatekeeper.d2000.com] has joined ##openvpn
11:37 < geye> hi all
11:38 < geye> I have an issue with openvpn when using the service command in opensuse11.1
11:38 < geye> service openvpn reload fails and the service status shows dead
11:41 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has joined ##openvpn
11:53 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:55 -!- thedoc- [n=andelyx@bb220-255-255-8.singnet.com.sg] has joined ##openvpn
12:05 -!- joel__ [n=joel@193.145.14.94] has joined ##openvpn
12:06 -!- thedoc- [n=andelyx@bb220-255-255-8.singnet.com.sg] has quit [Read error: 60 (Operation timed out)]
12:06 -!- thedoc- [n=andelyx@208.99.194.194] has joined ##openvpn
12:07 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:07 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
12:08 < geye> this happens intermittently
12:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:53 -!- |ns|nR8 [n=doof@144.131.184.63] has quit ["Leaving"]
13:01 -!- troy [n=troy@worldnet.tauri.ca] has quit [Nick collision from services.]
13:02 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
13:07 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has quit [Remote closed the connection]
13:16 -!- AlexJ^ [n=alexj@unaffiliated/alexj/x-000001] has left ##openvpn ["Leaving"]
13:33 -!- finalbeta [n=finalbet@ip-83-134-140-182.dsl.scarlet.be] has joined ##openvpn
13:33 < finalbeta> !howto
13:33 < vpnHelper> finalbeta: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:39 < finalbeta> are there any examples of the webinterface presented to the end user?
13:43 < cpm> what web interface would that be?
13:45 < finalbeta> ah, that's what I thought :p. cpm, when talking sslvpn solutions, end users usually surf to a website where after logging in they download a sslvpn client, or a java applet that secures the link and just forwards some points.
13:45 < finalbeta> ports*
13:45 -!- Alagar [n=helpdesk@95.154.197.29] has quit [Read error: 104 (Connection reset by peer)]
13:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:55 -!- uberlord`- [n=uberlord@p5B0FAC74.dip.t-dialin.net] has quit []
14:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:10 -!- geye [n=geye@gatekeeper.d2000.com] has quit []
14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has left ##openvpn []
14:38 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
14:38 < zhaena> :o)
14:38 < zhaena> alright alright - i give up!!!
14:39 < zhaena> how the heck do i push everything thru my VPN channel - all my internet traffic??
14:41 < gelbasac1> set the VPN gateway as default route and setup masquerading on the gateway
14:42 < zhaena> hmm...that sounds hard, gelbasac1 :-o
14:43 < zhaena> can u walk me thru it? :)
14:43 < gelbasac1> you once setup masquerading yet?
14:43 < gelbasac1> e.g. for a local lan?
14:43 < zhaena> ok i admit it - no i dont know what that means :-(
14:44 < gelbasac1> NAT?
14:44 < zhaena> NAT...let me go google it real quick...
14:44 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:45 < gelbasac1> well... if you have a local lan you have private addresses... and the gateway has a public one... all traffic is routed by the gateway which translates the addresses so they are valid outside your lan
14:45 < gelbasac1> that's called NAT (network address translation) or masquerading (that's what it is called by iptables)
14:46 < zhaena> ok :) is there some kind of super-duper package i can download that does this in a jiffy?
14:47 < gelbasac1> the super-duper package is called iptables
14:47 < zhaena> oh :-o
14:47 < gelbasac1> on the gateway it's something like:
14:48 < gelbasac1> iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o tun0 -j MASQUERADE
14:49 < gelbasac1> where 10.0.0.0/24 is the network that should be routed through the tunnel and tun0 is the tunnel's device
14:49 < zhaena> ok so i have to go in there and mess around with the numbers? :-o
14:49 < gelbasac1> well... yes
14:49 < zhaena> ok....does openVPN show me what numbers to fiddle with, or...?
14:50 < gelbasac1> well... did you setup OpenVPN...?
14:50 < zhaena> yes :-) and i am sitting at the whole "initialization cycle complete" part
14:50 < zhaena> but it won't open the pages to the network when i click on it in my firefox!!
14:51 < zhaena> ooh! wait a minute let me read this thing i see here in google...
14:53 < zhaena> it says to do this "net.ipv4.ip_forward=1"
14:53 < zhaena> ?
14:54 < gelbasac1> yes, that's necessary
14:54 < gelbasac1> otherwise your gateway won't forward any traffic
14:54 < zhaena> or wait i should go in and uncomment some kind of line in sysctl.conf??
14:55 < gelbasac1> yes
14:56 < zhaena> this helps me gelbasac1 thank you :)
14:56 < zhaena> wait what if i used tap0 not tun?
15:00 < gelbasac1> never used that - but as far as I know you should be able to use it the same way (as long as you don't want to use the distinctive features)
15:03 -!- c64zottel [n=hans@p5B17B291.dip0.t-ipconnect.de] has joined ##openvpn
15:07 < zhaena> hey! it says here i can do a lot of this stuff thru Firestarter GUI on buntu :o)))
15:09 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)]
15:10 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
15:33 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Read error: 110 (Connection timed out)]
15:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
15:42 -!- barracuda [n=barracud@adsl-76-254-94-214.dsl.pltn13.sbcglobal.net] has joined ##openvpn
15:44 < barracuda> hello all. I am trying to install openvpn server on a ubuntu guest server which runs on ESX 3i. I got vpn connection from client but can ping other hosts on openvpn server
15:44 < barracuda> can someone help???
15:45 < krzie> that made no sense to me
15:45 < plaerzen> ESX is a virtualization hypervisor
15:45 < krzie> right
15:45 < krzie> vmware, right?
15:45 * plaerzen nods.
15:46 < krzie> but the rest of what he said...
15:46 < barracuda> ESX is VMWARE ESX server for running virtual machines
15:46 < plaerzen> I assume s/can/can't
15:46 < barracuda> right I can not ping other hosts
15:46 < krzie> is it bridged to the same network as the other hosts, or is it a vmware nat?
15:46 < barracuda> bridge
15:47 < krzie> !configs
15:47 -!- joel__ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
15:47 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:47 * plaerzen &
15:49 * plaerzen just likes to take any opportunity to say hypervisor. It sounds like something Geordi LaForge would wear on his face.
15:49 -!- joel__ [n=joel@193.145.14.94] has joined ##openvpn
15:49 < krzie> hahahah
15:52 < barracuda> here is server.conf
15:53 < barracuda> local 10.10.10.47
15:53 < barracuda> port 1194
15:53 < barracuda> ;proto tcp
15:53 < barracuda> proto udp
15:53 < barracuda> dev tap0
15:53 < barracuda> ;dev tun
15:53 < barracuda> ca /etc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
15:53 < plaerzen> !pastebin
15:53 < barracuda> cert /etc/openvpn/examples/easy-rsa/2.0/keys/cwscap.crt
15:53 < vpnHelper> plaerzen: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:53 < barracuda> key /etc/openvpn/examples/easy-rsa/2.0/keys/cwscap.key # This file should be kept secret
15:53 < barracuda> dh /etc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
15:53 < barracuda> ;server 10.8.0.0 255.255.255.0
15:53 < barracuda> ifconfig-pool-persist ipp.txt
15:53 < plaerzen> barracuda, stop
15:53 < barracuda> server-bridge 10.10.10.47 255.255.255.0 10.10.10.151 10.10.10.159
15:53 < barracuda> ;learn-address ./script
15:53 < barracuda> ;push "redirect-gateway"
15:53 < barracuda> ;push "dhcp-option DNS 206.13.28.12"
15:53 < barracuda> ;push "dhcp-option WINS 10.8.0.1"
15:53 < barracuda> client-to-client
15:53 < barracuda> ;duplicate-cn
15:53 < barracuda> keepalive 10 120
15:53 -!- mode/##openvpn [+o krzie] by ChanServ
15:53 < barracuda> tls-auth /etc/openvpn/examples/easy-rsa/2.0/keys/ta.key 0 # This file is secret
15:53 < barracuda> cipher BF-CBC # Blowfish (default)
15:53 < barracuda> ;cipher AES-128-CBC # AES
15:53 < barracuda> ;cipher DES-EDE3-CBC # Triple-DES
15:53 < barracuda> comp-lzo
15:53 < barracuda> max-clients 10
15:53 < barracuda> ;fragment 1400
15:53 < plaerzen> hello?
15:53 -!- barracuda was kicked from ##openvpn by krzie [Abandon hope, all ye who enter here.]
15:53 -!- mode/##openvpn [-o krzie] by krzie
15:54 < plaerzen> Anyway, been a while since I have really stopped by here - how is business ?
15:54 < krzie> meh, pretty normal
15:55 < krzie> listen for a question, give the bot a few commands
15:55 < krzie> and hope people read what you told them
15:55 < krzie> krzie: "configs" is (#1) please pastebin your client and server
15:55 < krzie> like that
15:55 < krzie> hahah
15:56 < plaerzen> lol
15:56 < plaerzen> selective reading
15:56 -!- barracuda_ [n=barracud@adsl-76-254-94-214.dsl.pltn13.sbcglobal.net] has joined ##openvpn
15:56 < plaerzen> He didn't see the bin part
15:57 < krzie> barracuda_
15:57 < krzie> krzie: "configs" is (#1) please pastebin your client and server
15:57 < krzie> !pastebin
15:57 < plaerzen> Pretty good here. I'm beginning work on a replacement for AD to provide directory services. Then we will be a 100% foss platform. Probably not many companies in my town who can say that.
15:57 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:57 * plaerzen &
15:57 < krzie> and you might have noticed the onjoin says to pastebin everything over 5 lines too
16:02 < barracuda_> guys, apologies, don't use this chat often, don't know the rules
16:02 < barracuda_> http://pastebin.com/m185e8383
16:03 < krzie> main thing is read everything fully
16:03 < krzie> do not skim anything
16:06 < krzie> oh you're bridging
16:06 < krzie> i wont be of any help to you
16:10 < barracuda_> ok thanks anyway
16:11 -!- barracuda_ [n=barracud@adsl-76-254-94-214.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
16:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:25 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
16:26 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
16:32 < zhaena> how do i connect eth0 to tap0 since that seems the only way to use my vpn tunnel?
16:34 < a0n> zhaena br-utils
16:34 < a0n> zhaena: you connect both devices to a bridge interface e.g. br0
16:35 < zhaena> will this work with the new build? the dependencies are listed as "blacklisted"??
16:37 < a0n> you need openvpn and the bridge-utils (when you're on linux, any other operating system is unfamiliar to me)
16:39 < zhaena> oh yes i have openvpn etc its all up and running - i have 2 different vpn's sitting here but none of my internet traffic is going thru them
16:42 < a0n> you have to push a route in the openvpn conf
16:43 < zhaena> ok
16:47 -!- c64zottel [n=hans@p5B17B291.dip0.t-ipconnect.de] has quit ["Leaving."]
16:48 < krzie> internet traffic doesnt flow over a vpn by default
16:48 < krzie> for that you'd need to see !redirect
16:48 < zhaena> !redirect
16:48 < vpnHelper> zhaena: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:49 < zhaena> i could just KISS you krzie :-) LOL
16:49 < krzie> if you're a girl bring it on
16:49 < krzie> haha
16:49 < zhaena> ur in luck :)
16:50 < zhaena> ur SO SMART are u simplify things so well :o)
16:50 < zhaena> are = and
16:51 < krzie> ;] thx
16:53 < zhaena> !def1
16:53 < vpnHelper> zhaena: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:55 < zhaena> !ipforward
16:55 < vpnHelper> zhaena: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
16:55 < krzie> ya i know its a long chain of commands, but it was then only way, lol
16:56 < zhaena> :o)
16:57 < krzie> s/then/the/
16:58 < zhaena> its just so hard!
16:59 < zhaena> so what would be the first thing you would do?
17:00 < krzie> what os is the server?
17:01 < ecrist> krzie: my wife popped the kid out at 218 this am.
17:01 < ecrist> going afk again
17:01 < krzie> oh shit!!!
17:01 < krzie> the baby crist has been born!
17:01 < krzie> congrats bro!
17:01 < krzie> <-- looks forward to the pix
17:02 < gabriel25ny> hey congrats ecrist !!!!
17:02 < zhaena> it's 2 diff networks: darknet conglomeration, and (finally) anonet.....i'm just trying to connect my ethernet thing to these 2 tunnels
17:02 < krzie> oh noes
17:02 < krzie> do NOT bridge into one of those
17:03 < zhaena> ?
17:03 < krzie> you will open yourself up to layer2 attacks
17:03 < krzie> sniffing your stuff
17:03 < zhaena> :-o
17:03 < krzie> also do NOT default route over it
17:03 < krzie> or same deal, you are sniffable
17:03 < zhaena> that sounds bad
17:04 < krzie> would you like the person who runs the server to have access to all of your inet data?
17:04 < zhaena> no....i just wanted to check out their tunnel because it's free :-o
17:05 < krzie> if you do either of those 2 things, whoever runs the server has access to anything you do unencrypted on the inet
17:05 < zhaena> congratulations on the small joy, ecrist :o)
17:05 < krzie> and possibly encrypted too, depending on some factors
17:05 < zhaena> oh dear! so what good are they??
17:06 < krzie> they probably host stuff inside the darknet
17:06 < krzie> stuff you can only access once inside
17:06 < zhaena> its says they do yes....
17:06 < krzie> but honestly, i'd expect you to tell me what they are good for since you know of them
17:06 < krzie> and ive never heard of them
17:06 < krzie> ahh ok
17:06 < zhaena> i'm new to linux so i dont know what i am doing
17:06 < krzie> then ya, thats what its good for
17:07 < krzie> openvpn runs in most OS's
17:07 < krzie> including windows
17:07 < krzie> or osx
17:07 < zhaena> yes i think i might go back to windows, this is all very confusing
17:08 < krzie> openvpn is advanced networking software
17:08 -!- uberlord [n=uberlord@p5B0FCDA2.dip.t-dialin.net] has joined ##openvpn
17:08 < krzie> to try to use openvpn for your first time while using an OS for your first time is kinda... good luck
17:08 < krzie> heh
17:08 < zhaena> :-(
17:16 -!- uberlord [n=uberlord@p5B0FCDA2.dip.t-dialin.net] has quit []
17:32 -!- troy- is now known as troy
17:59 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
18:05 < Dougy> hm
18:05 < Dougy> zhaena: what distro
18:05 * Dougy throws a tennis ball at troy
18:05 < |Mike|> shush !
18:05 < krzie> sup mike
18:05 < |Mike|> it's 1 AM and i had a few beers :D
18:06 < Dougy> |Mike|: get out of here
18:06 < Dougy> :D
18:06 < |Mike|> ok d o g.
18:06 < krzie> Dougy, mike is a friend
18:06 < Dougy> so?
18:06 < krzie> so you get out of here! :-p
18:06 < reiffert> friends pay us beer.
18:07 < reiffert> Much of it.
18:07 < krzie> mmmm beer
18:07 * |Mike| cuddles Dougy & krzie
18:07 < |Mike|> reiffert: meet me at HAR :D
18:07 < krzie> dude im gunna try to make it there
18:07 < reiffert> Belgium?
18:07 < krzie> amsterdam
18:07 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
18:07 < reiffert> Ah, Netherlands
18:07 < krzie> aug 13-16
18:08 < reiffert> quanta costa?
18:08 < |Mike|> 150 ?
18:08 < krzie> haha i forgot that it could even cost $
18:08 < reiffert> No discount for students :(
18:08 < krzie> haha
18:08 < krzie> waitwait, you're a student?
18:08 < reiffert> 185 EUR ~ 250 $US
18:09 < reiffert> Sure :)
18:09 < krzie> haha
18:09 < reiffert> 260 $US
18:10 < |Mike|> not that much.
18:10 < |Mike|> you can meet us at the BBQ village :D
18:10 < reiffert> I'm outta this. Might be that I stay in the netherlands during that period as well. My girlfriend's girlfriend happens to live in .nl
18:10 < krzie> ill be the broke guy only doing the social aspect because of how much it would cost me to get there
18:11 < |Mike|> what city reiffert ? :)
18:11 < |Mike|> how much would it cost ya krzie ?
18:11 < reiffert> Near Waaringen
18:11 -!- jetole is now known as Guest68383
18:12 < krzie> shit like over 2000
18:12 < krzie> but i need to talk to my homie at american airlines and check if i can use my free ticket for that
18:12 < krzie> he has me on the list for a buddy pass
18:12 < |Mike|> ic.
18:12 < reiffert> Wageningen
18:12 < |Mike|> i'm meeting up with a shitload of people at har
18:13 < |Mike|> even phrack dudes :D
18:13 < krzie> gonna bring the THC for THC?
18:13 < krzie> ;)
18:13 < |Mike|> shrooms and some spacecake as well :D
18:13 < krzie> sweet
18:13 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn
18:15 < |Mike|> sure thing :d
18:15 -!- joel__ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
18:18 < Bushmills> Wageningen university of agriculture has developed an interesting item: a portable weed cultivator, in a suitcase. operates the minifarm for 2 weeks unattended.
18:19 < Bushmills> (dimensioned for 5 plants as that is/was the allowed maximum for home growers)
18:19 < reiffert> AFAIR they build stuff for housetops and insulating material by that.
18:19 < reiffert> Made of he,p.
18:19 < reiffert> m
18:21 < Bushmills> lots of uses. with alternative clothing manufacturers, hemp seems to be quite popular too
18:24 < krzie> hemp is the best fiber known
18:30 < Bushmills> clothes are said to be quite rugged
18:30 < krzie> because the people who go for that alternative clothing (their market) like that
18:30 < Bushmills> and production seems to be far less insecticide intense than cotton clothing
18:31 < krzie> they can make it be however they like tho
18:31 < krzie> ya not just insecticide but many pollutants like
18:31 < krzie> the bs they put in the dirt, bleach, etc
18:32 < Bushmills> though hemp clothing may be itch or scratch a bit
18:32 < Bushmills> may itch ....
18:32 < krzie> because of how they choose to make them
18:32 < krzie> but that is a choice
18:33 < Bushmills> doesn't seem to have the softness of cotton, but that might merely be a process issue
18:33 < krzie> exactly, its a matter of what they are aiming for
18:33 < krzie> kinda like how the first hybrid cars looked FUCKING UGLY
18:33 < krzie> they didnt have to, but thats how they chose to make them at first
18:33 < Bushmills> the Prius?
18:34 < krzie> prius is a great example of that
18:34 < krzie> that thing looked like a fuckin UFO when they could have made it look like a supra
18:34 < Bushmills> the more recent Honda looks quite nifty, actually
18:34 < krzie> ya, i had a 04 honda hybrid
18:35 < krzie> it looked just like any other 4 door civic
18:35 < reiffert> Bushmills: you've got E-Mail
18:35 < krzie> you could tell if you knew what to look for, but otherwise it was normal
18:35 < Bushmills> Nissan is preparing for mass production of Ecars
18:35 < Bushmills> reiffert, indeed.
18:36 < krzie> when reiffert said that i heard the AOL you've got mail voice in my head
18:36 < krzie> which is weird cause i never used AOL before
18:36 < Bushmills> yes, i wonder how he knew
18:36 * Bushmills checks local machine for possible intruders
18:36 < krzie> check sender for it being him
18:37 < krzie> hehe
18:37 < Bushmills> http://forthfreak.net/snap/bird.png <- fail
18:37 < Dougy> hah
18:37 < Dougy> ow
18:39 < Bushmills> passers-by were looking at me with curiosity when i started to take photos of that
18:39 < Bushmills> must have been some morbid attraction causing me to
18:42 < Bushmills> reiffert, you'll do some shooting up tomorrow?
18:42 < krzie> i have a feeling you were looking for another term
18:42 < krzie> shooting up is when someone uses IV drugs
18:44 < reiffert> Bushmills: yup, 10:00 = goal
18:44 < Bushmills> that's one of the four translations, my dictionary says. i intended the meaning as in http://e3.gamespot.com/story/6209951/apb-shooting-up-e3
18:44 < vpnHelper> Title: APB shooting up - News GameSpot E3 2009 (at e3.gamespot.com)
18:45 < krzie> ahh i see
18:49 < Dougy> anyone wanna rent a p4? :p
18:49 < krzie> is this a best offer situation?
18:49 * krzie offers $5
18:50 < Bushmills> does it still work on steam?
18:51 < Dougy> krzie: $5 payments per month.. min 1 year prepayment.. services guaranteed for 1 month
18:51 < krzie> hahah
18:51 < krzie> services guaranteed for 1 month
18:51 < krzie> heh
18:51 < Dougy> then you might need to prepay another 12 months
18:51 < Dougy> for 1 more guaranteed month
18:55 -!- p3ri0d [i=p3ri0d@200.2.142.61] has joined ##openvpn
18:55 -!- p3ri0d [i=p3ri0d@200.2.142.61] has left ##openvpn ["Leaving"]
19:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
19:27 -!- damentz [n=damentz@free.dancing.bot.at.shellium.org] has quit ["ZNC - http://znc.sourceforge.net"]
19:51 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn
20:05 -!- thedoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
20:41 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has quit ["Network Terminated."]
21:04 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:04 -!- master_of_master [i=master_o@p549D4A4B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D46AB.dip.t-dialin.net] has joined ##openvpn
21:07 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
21:11 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
21:12 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)]
21:12 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn
21:34 -!- maodun [n=stopgo@114.243.125.8] has joined ##openvpn
21:36 < maodun> stuck behind the chinese firewall but have a us server. am i correct in my assumption that i can use openvpn to tunnel through it?
21:43 < maodun> !howto
21:43 < vpnHelper> maodun: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:46 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
21:47 -!- maodun [n=stopgo@114.243.125.8] has left ##openvpn []
22:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:28 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
22:46 -!- damentz [n=damentz@cpe-66-68-38-214.austin.res.rr.com] has joined ##openvpn
23:18 -!- daya [n=daya@202.63.242.211] has joined ##openvpn
23:25 -!- p3ri0d [n=p3ri0d@200.2.142.61] has joined ##openvpn
23:25 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)]
23:32 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:34 -!- daya [n=daya@202.63.242.211] has quit [Remote closed the connection]
23:54 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
--- Day changed Thu Jun 25 2009
00:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:19 -!- joel_ [n=joel@193.145.14.94] has left ##openvpn ["Saliendo"]
02:05 -!- RexMundi [n=RexMundi@77.95.99.166] has quit ["Ik ga weg"]
02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:14 -!- Ragnar [i=heimdall@shell.ankeborg.nu] has quit ["Rebooting."]
02:40 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has joined ##openvpn
02:57 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
03:10 -!- Gud [n=erik@1-2-5-7b.mal.sth.bostream.se] has quit [Read error: 110 (Connection timed out)]
--- Log closed Thu Jun 25 03:36:02 2009
--- Log opened Thu Jun 25 03:36:40 2009
03:36 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
03:36 -!- Irssi: ##openvpn: Total of 73 nicks [0 ops, 0 halfops, 0 voices, 73 normal]
03:37 -!- Irssi: Join to ##openvpn was synced in 23 secs
03:37 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Remote closed the connection]
03:38 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Remote closed the connection]
03:38 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
03:38 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn
03:39 -!- pekster is now known as Guest24938
03:48 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Remote closed the connection]
03:48 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
04:03 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)]
04:05 -!- lolipop [n=quassel@149.21.95.219.cbj01-home.tm.net.my] has quit [Read error: 104 (Connection reset by peer)]
04:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
04:15 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has left ##openvpn []
04:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:19 -!- c1|freaky is now known as freaky[t]
05:01 -!- antgel [n=topdog@82-68-107-174.dsl.in-addr.zen.co.uk] has joined ##openvpn
05:03 < antgel> hi all. i'm reading the howto to setup my first openvpn install. it states: "The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel." fine - but for a client, which files are necessary to copy? presumably client1.crt and client1.key, but do i also need to copy the server.crt and ca.crt to each client?
05:03 < antgel> ah, i've just seen the "needed by" column - ignore me please :)
05:05 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn
05:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:21 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Remote closed the connection]
05:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:37 -!- antgel [n=topdog@82-68-107-174.dsl.in-addr.zen.co.uk] has quit ["leaving"]
06:16 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has joined ##openvpn
06:17 < ||arifaX> Hi, I have a perfectly working openvpn server with radius auth. I need local user auth for 1 user. the radius is not on the same machine. how can I allow this one user to authenticate via local credentials instead of radius?
07:28 -!- kaushal [n=kaushal@125.18.21.18] has joined ##openvpn
07:28 < kaushal> hi
07:28 < kaushal> when i start openvpn i get
07:28 < kaushal> PLUGIN_INIT: plugin initialization function failed: /usr/lib/openvpn/openvpn-auth-pam.so
07:28 < kaushal> i do have that file under /usr/lib/openvpn/
07:28 < kaushal> what's causing the issue ?
07:29 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
07:32 < Bushmills> kaushal, what setup and configuration of openvpn have you done before you tried to start it?
07:33 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 113 (No route to host)]
07:36 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 60 (Operation timed out)]
07:40 < ||arifaX> I want to use plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn-radius and plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn-localusers. If one of both succeeds the user should login. openvpn-radius works. How does my openvpn-localusers have to look so that I can use local users OR radius, where one of both must succeed?
07:42 < ||arifaX> current openvpn-radius is on http://pastebin.com/d3a2fca79
07:43 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn
07:44 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has joined ##openvpn
07:44 < zhaena> :o)
07:44 < kaushal> Bushmills: it's ok, I will fix it
07:44 < kaushal> I have another query
07:45 < zhaena> so i got the network manager to connect the openvpn channels, but when they are up and running, i cannot connect to the internet!
07:46 < kaushal> how can i start multiple configs by using init script ?
07:46 < kaushal> I have example.conf and test.conf under /etc/openvpn
07:48 < kaushal> i got that too
07:48 < kaushal> it starts both
07:48 < kaushal> :)
07:56 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has joined ##openvpn
07:57 < Bushmills> kaushal, " NAME=${CONFIG%%.conf}; for NAME in $AUTOSTART ; do ... does the magic. have one .conf file only. or specify with --config
07:58 < Bushmills> actually, these two lines aren't related ... they were concatenated because of me grepping
08:03 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
08:06 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
08:08 < ||arifaX> how can I authenticate either with local user or radius? need some help from someone pushing me through my files.
08:09 -!- zhaena [n=zhaena@cpe-066-026-043-219.nc.res.rr.com] has left ##openvpn ["Switching Channels"]
08:16 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)]
08:18 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
09:03 < Dougy> krzie likes boys
09:03 < Dougy> ...whaaaaaaaaaaaaat?
09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:23 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
09:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:57 < ecrist> good morning, folks.
09:57 -!- kaushal [n=kaushal@125.18.21.18] has quit ["leaving"]
10:05 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn
10:19 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
10:20 -!- Netsplit jordan.freenode.net <-> irc.freenode.net quits: eliasp
10:23 < ||arifaX> how can I authenticate either with local user or radius? need some help from someone pushing me through my files.
10:24 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:28 -!- ||arifaX [n=||arifaX@unaffiliated/arifax/x-427475] has quit [Remote closed the connection]
10:30 -!- thedoc [n=andelyx@208.99.194.194] has quit ["Leaving"]
10:31 -!- nemysis [n=nemysis@138-185.3-85.cust.bluewin.ch] has joined ##openvpn
10:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
10:58 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
11:03 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)]
11:03 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
11:06 < plaerzen> ecrist, good morning
11:06 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
11:06 < ecrist> howdy
11:08 < plaerzen> how're things?
11:08 < ecrist> had a baby yesterday
11:08 < ecrist> wife should come home today or tomorrow
11:08 < plaerzen> oh wow. Congrats
11:09 < plaerzen> I have a friend who just had one on friday
11:19 -!- c64zottel [n=hans@p5B17B0F2.dip0.t-ipconnect.de] has joined ##openvpn
11:25 -!- tjz [n=tjz@bb116-15-41-73.singnet.com.sg] has quit ["bbl"]
11:25 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:29 -!- jeiworth [n=jeiworth@189.177.126.18] has joined ##openvpn
11:42 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
11:52 -!- _UsUrPeR_ [n=jsass@69.14.191.146] has joined ##openvpn
11:52 < _UsUrPeR_> good afternoon all
12:00 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:04 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:25 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
12:27 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has joined ##openvpn
13:14 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Connection timed out]
13:16 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)]
14:04 -!- barracuda [n=barracud@adsl-76-254-94-214.dsl.pltn13.sbcglobal.net] has joined ##openvpn
14:04 < barracuda> hello All
14:06 < barracuda> After installing and setting up the openvpn server on my ubuntu, I try to run it but it gives me this error: * Autostarting VPN 'server.192'
14:07 < barracuda> does anybody know why: my command is "sudo /etc/init.d/openvpn start"
14:07 < Bushmills> what configuration steps did you do after installation?
14:08 < barracuda> I did "sudo apt-get install openvpn" on ubuntu. then went through the normal process of creating certificates etc...
14:08 < Bushmills> did you edit the openvpn configuration?
14:09 < barracuda> if I do "sudo openvpn /etc/openvpn/server.conf" then it works
14:09 < barracuda> but the start up script in /etc/init.d/openvpn doesn't work
14:09 < Bushmills> sounds like your ... yes, that's what i wanted to say
14:09 < barracuda> what configuration??
14:10 < Bushmills> /etc/openvpn/server.conf
14:11 < barracuda> this config file is correct since I was able to run it with sudo openvpn /etc/openvpn/server.conf
14:11 < barracuda> however it is just the script /etc/init.d/openvpn start that doesn't work
14:11 < Bushmills> "but the start up script in /etc/init.d/openvpn doesn't work" there seems to be your problem
14:12 < barracuda> well this script was part of the installation by ubuntu
14:12 < Bushmills> does that mean that it works?
14:12 < Gorkhaan> check : sudo nano /etc/default/openvpn
14:13 < Gorkhaan> however I've done this with Crontab. It checks every 5 minutes if openvpn runs. if it's not then Cron starts it.
14:15 < barracuda> I checked in /etc/default/openvpn and it looks for additional command arguments
14:16 < barracuda> what should I put in there
14:28 -!- barracuda [n=barracud@adsl-76-254-94-214.dsl.pltn13.sbcglobal.net] has quit ["Leaving"]
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:32 < Bushmills> barracuda, are you sure that "Autostarting VPN 'server.192'" is actually an error?
14:33 < Bushmills> oh
14:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:52 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:55 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has quit [Nick collision from services.]
14:55 -!- isox [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has joined ##openvpn
14:55 -!- isox is now known as Guest32245
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
15:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:19 -!- c64zottel [n=hans@p5B17B0F2.dip0.t-ipconnect.de] has left ##openvpn []
15:49 < finalbeta> Hello, does openvpn support sslvpn? are there applets available? Full tunnel client?
15:51 < Bushmills> finalbeta, check other way around: does sslvpn support openvpn connections?
15:52 < Bushmills> (openvpn knows nothing of or about sslvpn)
15:53 < magic_1> hahahahha
15:53 < finalbeta> That's not right :P
15:53 < finalbeta> ssl vpn = vpn over a single ssl tcp connection.
15:53 < Bushmills> ah, SSL-VPN
15:54 < Bushmills> generic "vpns over ssl"
15:54 < Bushmills> i thought "vpnssl" as in "the program with that name"
15:54 < Bushmills> well, in that respect, openvpn *is* an ssl-vpn
15:56 < Bushmills> whether those applets support openvpn is probably told in their docs
15:57 < finalbeta> I see, just found a sans paper where I read that. so openvpn is the server supporting the sslvpn and nothing more.
15:58 < finalbeta> You have to understand where I'm coming from, I've used ssl-vpns with firewall products like juniper, netasq or cisco. they support ssl-vpn. They generally have a web interface where you can log in, download a simple java applet that forwards ports, or download a full client.
16:00 < Bushmills> openvpn supports only openvpn, right. but there are a few non-openvpn clients which support openvpn too
16:00 < krzee> correct
16:00 < krzee> !notcompat
16:00 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
16:01 < krzee> when you have a web interface you can use to gain access, you break down the openvpn security model
16:01 < krzee> now all of a sudden a simple web pass is access to the vpn
16:01 < krzee> VERY much weaker than openvpn's security model
16:02 < krzee> with my vpn, you need a cert signed by the ca, and the tls pre-shared key (4096bit)
16:03 < krzee> you can choose to additionally password protect your client.key so it can't be accessed locally without a pw, and/or password protect the vpn, reading passes from a file, db, active-directory, ldap, pam, or anything you can code up
16:03 < krzee> but having a simple web interface to gain access is a bad call
16:04 < krzee> <\rant>
16:04 < finalbeta> krzee, the point in most businesses when talking ssl-vpn is to connect end users. they do simply log into a web interface with user/password where they run an applet or client. that applet then exposes a few services from the internal network, while a client usually can add the remote client to the network. The username and pass can of course be local or active dir, whatever...
16:07 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
16:07 < finalbeta> That simple web interface can be active dir integrated, vasco enabled etc.
16:07 < Hink> is it possible to have openvpn auth with ldap without a plugin
16:09 < Bushmills> finalbeta, connection can be done completely transparently for users, through a gateway/router
16:10 < Bushmills> no need to log into vpn. just into remote services, if needed.
16:11 < finalbeta> Bushmills, yes, I think that's how it is best used. But that is not what I'm looking for. My firewalls can all handle IPSec tunnels between them.
16:12 < finalbeta> I was looking for something like this. But barracuda closed them up : http://sourceforge.net/projects/sslexplorer/
16:12 < Bushmills> well, accept or deny. what else to handle?
16:12 < vpnHelper> Title: SourceForge.net: SSL-Explorer (at sourceforge.net)
16:12 < finalbeta> vpnHelper, I know. that's what I need :). but that project is abandoned.
16:12 < vpnHelper> finalbeta: Error: "I" is not a valid command.
16:13 < finalbeta> oh, that was automated, lol.
16:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:19 < krzee> !bot
16:19 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
16:19 < krzee> hehe
16:20 < krzee> finalbeta, i understand what you are saying
16:20 < krzee> but what i am saying is that you are giving up security simply because you dont want to pass out passwords
16:20 < krzee> err
16:20 < krzee> pass out certs
16:21 < finalbeta> It is a choice I make, yes.
16:21 < krzee> just give them the certs, with a script to install openvpn, and the certs in the right place, with a shortcut on their desktop to start/stop it
16:22 < krzee> they unzip, click your script, and ready to rock
16:22 < krzee> and you get to be the guy who did something secure
16:26 < finalbeta> krzee, no, that's not good for me at all. for example. I have 5 user groups, going from sales to tech. they need one or multiple applications in the inside network. no matter where they are. no matter what computer they are on. these services range from terminal/citrix to owa or web pages. In the past, the company had 10 ip's in use, all of them had open ports, for rdp, websites etc. Now the end user has a "vasco token." (read, va
16:26 < finalbeta> that is secure, way, way more flexible and fast.
16:27 < finalbeta> depending on the group the user is in, he is assigned a profile and he has his own open ports on the network.
16:28 < finalbeta> he then needs to authenticate to the services behind them.
16:28 < krzee> then just use passwords with no certs and screw web based
16:28 < krzee> since they have a token which gives them a secure password
16:28 < finalbeta> wow, you managed to miss the point.
16:28 < krzee> and im sure you can script something to use it
16:28 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
16:29 < krzee> you can auth in openvpn with ANYTHING you can script up
16:29 < finalbeta> the web password, that's something you talk about. the web password is the user's active directory name and the password/token combination.
16:29 < krzee> cool, then screw web
16:29 < finalbeta> krzee , after the login, the user automatically opens a java applet.
16:29 < krzee> use a script to auth the user
16:29 < krzee> !factoids search auth
16:29 < finalbeta> the point is. the user does not need software at the client side. <
16:29 < vpnHelper> krzee: 'tls-auth' and 'authpass'
16:30 < krzee> well, you dont want openvpn then
16:30 < krzee> !authpass
16:30 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
16:30 < finalbeta> just a java enabled browser.
16:31 < krzee> you're welcome to code that up
16:31 < krzee> or use something besides openvpn which was made for what you want
16:32 < krzee> or you can have the users use openvpn and do what you want via an auth script
16:34 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Remote closed the connection]
16:44 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
16:49 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
16:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:58 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 104 (Connection reset by peer)]
17:00 -!- eliasp_ is now known as eliasp
17:08 < Dougy> well
17:08 < Dougy> everyone say goodbye to michael jackson
17:10 < Dougy> hmm
17:10 -!- ponyofdeath [n=vladi@cpe-75-80-161-192.san.res.rr.com] has joined ##openvpn
17:11 < ponyofdeath> hi, i'm wondering what the best way to link two of my home networks together is, with a bridged or routed openvpn tunnel? any suggestions please?
17:15 < Gorkhaan> imho: TUN
17:16 < ponyofdeath> yeah reading the faq now. i guess i'll need to set up a wins server.
17:17 < ponyofdeath> i wonder if the domain auth will work without the broadcast
17:19 < krzee> for just auth i'd expect it to
17:21 < ponyofdeath> cool thx guys i'll get started and see where i get stuck
17:25 < Dougy> krzee: MJ is gone
17:25 < Dougy> lol
17:27 < Gorkhaan> owned
17:32 < Bushmills> cardiopulmonary arrest
17:32 < Bushmills> synonymous with clinical death
18:04 < Dougy> yupp
18:04 -!- Amanda [i=afolson@amanda.anope.org] has joined ##openvpn
18:05 < Amanda> hi Dougy
18:05 -!- Amanda [i=afolson@amanda.anope.org] has left ##openvpn []
18:09 < Hink> if i'm authenticating via ldap do i still need a challenge password for keys i generate for the clients
18:15 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 60 (Operation timed out)]
18:17 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
18:18 < krzee> Hink, unrelated
18:18 < Hink> krzee, figured as much.... gracias
18:19 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
18:19 < krzee> de nada
18:28 -!- tjz [n=tjz@bb116-15-41-73.singnet.com.sg] has joined ##openvpn
18:29 < tjz> omg..
18:29 < tjz> really love mj's music
18:29 < tjz> now he is gone
18:29 < tjz> :(
18:30 < tjz> was looking forward to his upcoming concert
18:30 < Bushmills> he didn't contribute a lot to open source, afaik
18:32 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
18:34 < tjz> lol
18:34 < tjz> darn it
18:34 < tjz> hahah
18:35 < Gorkhaan> xD
18:38 -!- jeiworth [n=jeiworth@189.177.126.18] has quit [Connection timed out]
18:41 < Gorkhaan> offtopic: http://www.youtube.com/watch?v=nFSCrcqebVg&feature=PlayList&p=F48E6CBD665DF231&index=17
18:41 < vpnHelper> Title: YouTube - Emoticon War: SuperNews! (at www.youtube.com)
18:41 < Gorkhaan> lmao
18:54 -!- gelbasack [n=gelbasac@gw6.gelbasack.net] has joined ##openvpn
18:54 -!- gelbasac1 [n=gelbasac@gw6.gelbasack.net] has quit [Read error: 104 (Connection reset by peer)]
19:07 -!- jeiworth [n=jeiworth@189.163.189.34] has joined ##openvpn
19:47 < Dougy> i need thedoc
19:47 < Dougy> :(
20:04 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:06 < tjz> he is here
20:06 < tjz> lol
20:10 < Dougy> ohh hey
20:10 < Dougy> thedoc: just sent you a memo
20:10 < Dougy> like
20:10 < tjz> mj is gone..
20:10 < Dougy> five minutes ago
20:14 < thedoc> indeed:)
20:18 < Dougy> you got it?
20:18 < thedoc> Yep.
20:18 < thedoc> I was reading the news.
20:19 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
20:19 < Dougy> rgr.
20:19 < Dougy> as it says, just let me know :)
20:40 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
21:00 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
21:04 -!- master_of_master [i=master_o@p549D46AB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:07 -!- master_of_master [i=master_o@p549D4648.dip.t-dialin.net] has joined ##openvpn
21:18 < ebil> LOL! My log file was getting FILLED with these messages: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
21:19 < ebil> I just realized it was because I plugged my work laptop in and it was desperately trying to connect to the VPN from the same network subnet...
21:19 < ebil> doesn't work so well
21:32 < Dougy> lol
21:32 < Dougy> ouch
21:38 < ebil> well I was trying to debug my OTHER vpn connection
21:38 < ebil> which was working perfectly :P
21:38 < ebil> so I was really confused.
21:43 -!- RancidLM [n=RancidLM@S0106001c101b3ad3.cg.shawcable.net] has joined ##openvpn
21:44 < RancidLM> hey all i have a few questions about setting up an openvpn, i have a scenario and i would like to know if i could use an openvpn solution
21:44 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
21:45 < RancidLM> is this possible : have a router with SSH portfarward to a pc that has an openvpn server?
21:45 < RancidLM> *forward
21:47 < RancidLM> so {internet} ----[router (with ssh)]---(internal network)--[PC running openVPN] ?
21:48 < RancidLM> and with this setup.. if possible.. i would only need 1 nic card correct?
21:56 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
21:58 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
22:02 < RancidLM> any 1?
22:03 -!- RancidLM [n=RancidLM@linuxfordummies/RancidLM] has left ##openvpn []
22:07 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection]
22:09 -!- Svart_Skygge [n=IceChat7@ti0204a340-0212.bb.online.no] has joined ##openvpn
22:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
23:24 -!- tjz2 [n=tjz@bb116-15-41-73.singnet.com.sg] has joined ##openvpn
23:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
23:26 -!- damentz [n=damentz@cpe-66-68-38-214.austin.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
23:27 -!- tjz [n=tjz@bb116-15-41-73.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
23:27 -!- tjz2 is now known as tjz
23:28 < tjz> transformers 2 is a sex movie
23:28 < tjz> it make your dick erect
23:28 < thedoc> tar.gz?
23:28 < thedoc> mischan
23:40 -!- p3ri0d [n=p3ri0d@200.2.142.61] has quit [Read error: 110 (Connection timed out)]
23:41 -!- p3ri0d [i=p3ri0d@200.2.158.125] has joined ##openvpn
23:44 -!- p3ri0d [i=p3ri0d@200.2.158.125] has quit [Client Quit]
--- Day changed Fri Jun 26 2009
00:17 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:18 -!- berto- [n=berto@ip98-182-30-75.sb.sd.cox.net] has joined ##openvpn
00:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:39 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
00:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
00:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
00:50 -!- Zar [n=Vladimir@94.230.114.225] has joined ##openvpn
00:50 < Zar> hi all
00:51 -!- Zar [n=Vladimir@94.230.114.225] has left ##openvpn ["WeeChat 0.2.6.1"]
00:51 -!- Zar [n=Vladimir@94.230.114.225] has joined ##openvpn
00:52 < Zar> Does anyone know why Outlook packet loss occurs when, through openvpn?
00:52 -!- berto- [n=berto@ip98-182-30-75.sb.sd.cox.net] has quit ["."]
00:58 < krzee> Zar, you using tcp?
01:00 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit []
01:08 < Zar> krzee: yes
01:09 < Zar> krzee: i set mtu 1500 mssfix 1500 - not work
01:09 < Zar> then i set 1450/1450 - not work
01:09 < Zar> krzee: now testing 1412/1412
01:11 < Zar> krzee: I heard that I need to set mtu 1500. Required for outlook. This outlook bug of working it under openvpn
01:12 < Zar> krzee: sorry for my english, i'm Russian
01:23 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
01:56 -!- Zar [n=Vladimir@94.230.114.225] has left ##openvpn ["WeeChat 0.2.6.1"]
02:00 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn []
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit [Read error: 60 (Operation timed out)]
02:27 < ponyofdeath> are openvpn 2.0.X and 2.1.X compatible?
02:27 < ponyofdeath> i'm getting TLS handshake failed
02:28 < reiffert> X, X?
02:31 < ponyofdeath> reiffert: 2.1_rc15 , 2.0.9
02:31 < ponyofdeath> reiffert: getting this "TLS Error: incoming packet authentication failed from" at server end
02:32 < reiffert> It should work.
02:33 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
02:53 -!- jeiworth_ [n=jeiworth@189.163.193.8] has joined ##openvpn
03:04 -!- Diddi_ [i=diddi@zebra2.bsnet.se] has joined ##openvpn
03:13 -!- jeiworth [n=jeiworth@189.163.189.34] has quit [Read error: 110 (Connection timed out)]
03:17 -!- Diddi [i=diddi@zebra.bsnet.se] has quit [Read error: 113 (No route to host)]
04:31 -!- |ns|nR8 [n=doof@CPE-124-187-21-13.qld.bigpond.net.au] has joined ##openvpn
05:02 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:05 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
05:24 -!- Diddi_ [i=diddi@zebra2.bsnet.se] has quit [Read error: 113 (No route to host)]
05:37 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
05:37 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn []
07:17 -!- Svart_Skygge [n=IceChat7@ti0204a340-0212.bb.online.no] has left ##openvpn []
07:38 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:54 -!- SuperEvilDeath18 is now known as SuperEvilDeath
08:04 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
08:23 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
08:37 -!- |ns|nR8 [n=doof@CPE-124-187-21-13.qld.bigpond.net.au] has quit ["Leaving"]
09:00 < ebil> ponyofdeath, 2.0 and 2.1 are very compatible. that's the setup I'm using very successfully
09:03 -!- AlexJ [n=alexj@p6.eregie.pub.ro] has joined ##openvpn
09:03 < AlexJ> hello
09:03 < ebil> hi
09:03 < AlexJ> what is the difference between a TAP and a TUN connection?
09:03 < ebil> bridged vs routed
09:03 < ebil> the howto I think has a pretty good explanation...
09:04 < AlexJ> ok..thanks
09:04 < AlexJ> !howto
09:04 < vpnHelper> AlexJ: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:06 < AlexJ> tap is bridged, right?
09:07 < Gorkhaan> yes
09:07 < Dougy> tits
09:07 < ebil> A TAP device is a virtual ethernet adapter, while a TUN device is a virtual point-to-point IP link.
09:07 < ebil> there, that's the actual difference
09:08 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has left ##openvpn []
09:09 < ecrist> hello, people.
09:09 < ebil> !faq
09:09 < vpnHelper> ebil: "faq" is http://openvpn.net/index.php/documentation/faq.html
09:09 < ebil> AlexJ, the faq has a great section on tun/tap
09:13 < Dougy> ebil++
09:18 < ebil> Just a thought, I don't know who's in charge of it, but it might be good to add something in the howto/faq about the CCD dir
09:18 < ebil> and that it needs to actually be r/w by nobody
09:18 < ebil> I ran into that problem (and it's a nasty one)
09:19 < ecrist> !faq
09:19 < vpnHelper> ecrist: "faq" is http://openvpn.net/index.php/documentation/faq.html
09:19 < Dougy> ecrist: !
09:19 < ecrist> !learn faq as http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
09:19 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
09:19 < ecrist> bah
09:19 < Dougy> bot own
09:20 < ebil> /etc/openvpn needs to be chmod 711 and the ccd dir needs 711 and then the files inside need 622 (or the like)
09:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:21 < ecrist> !learn faq as http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
09:21 < vpnHelper> ecrist: Joo got it.
09:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
09:22 < ecrist> ebil: you're incorrect
09:22 < ecrist> my ccd dir is 755
09:23 < ecrist> and the files are 644
09:23 < ecrist> the CCD entries should not be executable
09:24 < ebil> ecrist, 622 is rw r r
09:24 < ebil> isn't it??
09:24 < ebil> nm
09:24 < ebil> 644 you're right
09:24 < ebil> brain fart
09:25 < ebil> 622 is rw w w
09:25 < ebil> which doesn't do ovpn much good :)
09:25 < ecrist> 1 = exec, 2 = write, 4 = read
09:25 < ebil> yeah, why do you have ccd 755? nobody needs to do anything but read from it (and get into it)
09:26 < ecrist> 755, x is change-into for dirs, read write, so the owner (root) can read and write to the dir. all others can cd and read
09:26 < ebil> ecrist, but ovpn doesn't need to list the directory
09:26 < ebil> it knows what file it's looking for right?
09:27 < ecrist> ebil, perhaps man chmod would be useful to you
09:27 < ecrist> in theory, yes
09:28 < ecrist> the way I operate, an x always goes with r for directories
09:28 < ebil> sorry, I prefer when security is at stake to have the least permissive options. (and it works for me)
09:28 < ecrist> what's so secure in your CCD entries?
09:28 < ebil> networks on the other end of the VPN
09:28 < ecrist> ebil, it's not recommended, and we're not going to change FAQs for such.
09:30 < ebil> well, let me rephrase then, if you set up openvpn as any other user than nobody, you have to be sure to either make the ccd dir owned by nobody, or increase permissions so it's readable by nobody (because ovpn drops root once it's started and ccd is read at connection time)
09:30 < ebil> that's what I was trying to convey. it's not *terribly* obvious from the howto/faq
09:30 < ebil> I wasn't trying to suggest specific permissions
09:30 < ebil> :)
09:30 < ebil> I guess it did come across as that
09:32 < ecrist> it *is* obvious that the user openvpn runs as needs to be able to read the configuration files...
09:37 < ebil> I just figured it did all that at startup, not at runtime. in any case, it was just my $0.02
09:39 < ecrist> naw, if it did that, it would be required to maintain all configs in memory the entire time.
09:39 < ecrist> only looking at a few bytes per config for static IPs, but there can be a lot of configs
09:43 -!- jeiworth_ [n=jeiworth@189.163.193.8] has quit [Operation timed out]
09:45 -!- cpm_ is now known as cpm
10:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:25 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
10:28 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:43 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:43 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection]
10:43 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
10:48 < Dougy> wow
10:48 < Dougy> cool
10:48 < Dougy> i cant lay down without arms going numb
10:50 < Hink> i set up an openvpn server, however I can't connect
10:50 < Hink> i get these messages in my syslog on the server
10:50 < Hink> Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
10:50 < Hink> Jun 26 05:49:07 OFFICE-VPN-01 ovpn-server[4076]: 70.122.236.67:15341 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
10:50 < Hink> Jun 26 05:49:07 OFFICE-VPN-01 ovpn-server[4076]: 70.122.236.67:15341 Local Options hash (VER=V4): '360696c5'
10:50 < Hink> Jun 26 05:49:07 OFFICE-VPN-01 ovpn-server[4076]: 70.122.236.67:15341 Expected Remote Options hash (VER=V4): '13a273ba'
10:50 < Hink> any ideas
10:52 < Dougy> !logs
10:52 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:52 < Dougy> erm
10:52 < Dougy> ^
10:52 < Dougy> !configs
10:52 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:53 < Hink> apologies Dougy
10:53 < Hink> http://pastie.org/525556
10:54 < Dougy> that isnt the whole log
10:54 < Dougy> not even close
10:54 < Dougy> and i still don't see configs
10:54 < Dougy> bleh damnit afk
11:03 < ecrist> Hink, post configs and logs, someone will help you
11:12 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
11:13 < Hink> ecrist: thanks
11:13 < Hink> Here are my configs and my logs. server.conf : http://hink.pastebin.com/m3f992ab5 | syslog : http://hink.pastebin.com/m79bccc8d | Viscosity Config : http://hink.pastebin.com/m55d6aa48
11:18 < Hink> any ideas why i can't connect
11:23 < ecrist> Hink: that doesn't look like the entire log from the server, and I'm still missing client logs
11:23 < ecrist> I notice your server config states a private IP address, I'm guessing you're doing port-forwarding on the firewall or something similar?
11:25 < Dougy> morning ecrist
11:25 < ecrist> howdy
11:26 < Hink> ecrist: its a 1-1 nat
11:27 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
11:27 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
11:33 < Hink> ecrist: here's my client log
11:33 < Hink> http://hink.pastebin.com/m2f9f487f
11:33 < Hink> TLS Handshake failed it looks like
11:35 < ecrist> I'd check your certificates
11:40 < Hink> md5 comparisons for the user specific cert and key as well as the server cert and the ta.key all match up ecrist
12:07 -!- Netsplit jordan.freenode.net <-> irc.freenode.net quits: oc80z, AlexJ, fkr, jeiworth
12:07 -!- fkr [i=fkr@134.106.146.207] has joined ##openvpn
12:08 -!- Netsplit over, joins: AlexJ
12:08 -!- Netsplit over, joins: jeiworth
12:09 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
12:31 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
12:33 < plaerzen> harro
12:42 < ebil> herro indeed
12:43 < ebil> or is it hurro?
12:53 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:54 < ecrist> I think it's harro
13:04 -!- finalbeta [n=finalbet@ip-83-134-140-182.dsl.scarlet.be] has left ##openvpn []
13:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:28 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:30 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
13:34 -!- unixSnob_ [n=jj@starfury.spearlink.com] has joined ##openvpn
13:35 < unixSnob_> Are there any openVZ templates out there containing openVPN?
13:44 -!- Guest68383 [n=Joe@204.13.0.100] has quit [Remote closed the connection]
13:48 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out]
14:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:02 * ecrist does not know what openVZ is
14:09 -!- jetole_ [n=Joe@204.13.0.100] has joined ##openvpn
14:11 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
14:12 < AlexJ> is there a way i can configure two vpn servers for the same network for redundancy?
14:12 < ponyofdeath> hi, i have the following server/client config http://pastebin.com/md6fa89d and when the tunnel comes up i try to ping a machine on the other end and i can see the icmp packets going through the tunnel on the client but not on the server. firewalls not showing that are blocking anything in the logs. can someone please help? also i added the route on the vpn server to access clients on the client vpn side but no go on that either :(
14:16 < ponyofdeath> and i get bad source address in the openvpn logs
14:17 < ecrist> AlexJ: yes, it's a fairly common thing.
14:18 < ecrist> each server would need to use separate ip space, but you can get them to coexist.
14:19 < AlexJ> hmm...so i can't make them in the same broadcast domain (with tap interfaces)?
14:21 < ecrist> sure, you can.
14:21 < ecrist> what I mean, if you're going to use tap interface (bridged) and have the VPN server assign the IP, you need to use separate ranges. If you've got a separate DHCP server, you don't need to worry about that.
14:23 < AlexJ> but are the servers going to communicate with each other?
14:24 < ecrist> nope
14:24 < ecrist> not at all
14:24 < AlexJ> hmm..but i want them to see each other
14:25 < ecrist> why?
14:25 < Hink> anyone in here familiar with openvpn-auth-ldap
14:25 < Hink> ./configure --prefix=/usr/local --with-openldap=/usr/local --with-openvpn=/usr/ports/security/openvpn/work/openvpn-2.0.2
14:26 < Hink> where does the --with-openldap= point to
14:26 < Hink> should that be where your openldap library is
14:26 < ecrist> more than likely
14:26 < ecrist> why are you using 2.0.2?
14:27 < Hink> im not
14:27 < Hink> that's an example configure line
14:27 < Hink> btw ecrist, my cert issue was because the server.key had a challenge pass
14:33 < ecrist> ponyofdeath: check your firewall
14:33 < ecrist> and look at
14:34 < ecrist> !iroute
14:34 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
14:42 -!- epaphus [n=unix3@190.10.68.228] has quit [Success]
14:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:56 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
15:08 < ponyofdeath> ecrist: ok did the ccd and fix that part. having an issue now with ping from openvpn server to the subnet behind the client vpn
15:15 < krzie> ponyofdeath did you add a route to the router in client lan?
15:18 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:19 < krzie> as explained in !route under the image
15:19 < krzie> in "ROUTES TO ADD OUTSIDE OPENVPN"
15:22 < ponyofdeath> krzie: ok i'll take a look at that thx
15:22 < krzie> !route
15:22 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:53 -!- AlexJ [n=alexj@p6.eregie.pub.ro] has left ##openvpn ["Leaving"]
16:05 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has joined ##openvpn
16:19 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out]
16:21 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn
16:34 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 104 (Connection reset by peer)]
16:37 -!- unixSnob_ [n=jj@starfury.spearlink.com] has quit ["leaving"]
16:45 -!- jeiworth [n=jeiworth@189.234.35.254] has quit ["No Ping reply in 90 seconds."]
16:45 -!- jeiworth [n=jeiworth@189.234.35.254] has joined ##openvpn
16:49 -!- c64zottel [n=hans@p5B17B1D8.dip0.t-ipconnect.de] has joined ##openvpn
16:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:52 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
16:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:59 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:00 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:01 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:04 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Success]
17:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
17:13 -!- yowlst [n=yowlst@host-84-222-53-193.cust-adsl.tiscali.it] has joined ##openvpn
17:14 < yowlst> hi to all, im trying to make "tun" work on arm in a small small linux system
17:14 < yowlst> someone can help me?
17:14 < krzie> what is the small linux system which runs on arm that you are using?
17:14 < krzie> something like openwrt?
17:14 < yowlst> LESS
17:15 < yowlst> sorry, less
17:15 < yowlst> a linux from scratch
17:15 < yowlst> but a 2.6.26
17:15 < yowlst> so
17:16 < yowlst> i ve the kernel in a flash
17:16 < yowlst> and a filesystem
17:16 < krzie> see if you can directly compile tuntap into the kernel
17:16 < yowlst> i ve compiled 2.6 for the tun/tap support
17:16 < yowlst> sure
17:16 < yowlst> then,
17:16 < krzie> oh its already compiled in?
17:17 < yowlst> yes
17:17 < krzie> sorry maybe i didnt catch the problem then
17:18 < yowlst> for example, i moved into filesystem and created device with "mknod /dev/net/tun c 10 200"
17:18 < yowlst> is it right?
17:18 < krzie> you dont need to make it with that
17:18 < yowlst> so how?
17:18 < krzie> you can simply use openvpn to make the tun device
17:18 < krzie> 1) statically using a command to openvpn
17:19 < krzie> 2) dynamically by just running openvpn
17:19 < yowlst> isnt static like i ve made?
17:19 < yowlst> with mknod?
17:20 < krzie> TUN/TAP persistent tunnel config mode:
17:20 < krzie> Available with linux 2.4.7+. These options comprise a standalone mode of OpenVPN which can be used to create and delete persistent tunnels.
17:20 < krzie> --mktun
17:20 < krzie> (Standalone) Create a persistent tunnel on platforms which support them such as Linux. Normally TUN/TAP tunnels exist only for the period of time that an application has them open. This option takes advantage of the TUN/TAP driver's ability to build persistent tunnels that live through multiple instantiations of OpenVPN and die only when they are deleted or the machine is rebooted.
17:20 < krzie> One of the advantages of persistent tunnels is that they eliminate the need for separate --up and --down scripts to run the appropriate ifconfig(8) and route(8) commands. These commands can be placed in the same shell script which starts or terminates an OpenVPN session.
17:20 < krzie> Another advantage is that open connections through the TUN/TAP-based tunnel will not be reset if the OpenVPN peer restarts. This can be useful to provide uninterrupted connectivity through the tunnel in the event of a DHCP reset of the peer's public IP address (see the --ipchange option above).
17:20 < krzie> One disadvantage of persistent tunnels is that it is harder to automatically configure their MTU value (see --link-mtu and --tun-mtu above).
17:20 < krzie> On some platforms such as Windows, TAP-Win32 tunnels are persistent by default.
17:21 < krzie> -rmtun
17:21 < krzie> (Standalone) Remove a persistent tunnel.
17:21 < krzie> im not a linux user much, but i do know the openvpn way
17:23 < yowlst> is the syntax "openvpn --mktun" only?
17:23 < krzie> openvpn [ --mktun ] [ --rmtun ] [ --dev tunX | tapX ] [ --dev-type device-type ] [ --dev-node node ]
17:24 < krzie> yes, but you can give it a name with --dev, and if that dev doesnt start with tun* or tap* you must use --dev-type to tell it which it is
17:25 < yowlst> nice
17:25 < krzie> also check that the module is loaded
17:25 < krzie> lsmod should do for that
17:25 < krzie> lsmod|grep tun
17:25 < krzie> if not, locate tun.o and insmod it
17:26 < yowlst> module is loaded
17:26 < yowlst> but
17:26 < yowlst> /sbin/openvpn --mktun --dev tun0
17:26 < yowlst> give me an error
17:26 < krzie> so /dev/net/tun exists
17:26 < krzie> ?
17:27 < yowlst> no
17:27 < yowlst> have i do mknod?
17:27 < krzie> seems you have a problem with your tun driver
17:27 < krzie> no, that file exists when you load the module because of devfs
17:27 < yowlst> Module Size Used by Not tainted
17:27 < yowlst> tun 9636 0
17:29 < krzie> dunno man, seems like a linux/less/arm issue more than a openvpn issue
17:30 < yowlst> why?
17:30 < krzie> because your tuntap isnt working
17:30 < krzie> openvpn uses tun, but tun is not part of openvpn
17:30 < yowlst> i know
17:31 < yowlst> is tun/tap the only module to enable for openvpn?
17:31 < krzie> yes
17:31 < krzie> comp-lzo is somewhat a requirement, but you can compile without it if you say so
17:31 < krzie> but if you choose to, you cant use compression
17:31 < krzie> but thats also not a module
17:32 < yowlst> i ve done --disable-lzo
17:32 < yowlst> or something like that
17:33 < yowlst> so you mean is a driver problem
17:33 < krzie> yes
17:33 < krzie> although the word driver is windows specific
17:34 < yowlst> yes but you mean, when module works, /dev/net/tun appear?
17:34 < krzie> if you have devfs, yes
17:34 < yowlst> i dont have devfs
17:35 < krzie> then i dunno dude
17:35 < krzie> im no linux guy, and especially not your version
17:35 < krzie> i just know you dont have an openvpn problem
17:35 < yowlst> really thanks for your attention
17:35 < krzie> and while we'll try to help ya in here, you'll be better off seeking help from a channel more geared towards what your problem is
17:36 < yowlst> good
17:36 < yowlst> thanks again
17:36 < krzie> but of course, when you get past that and you're on to openvpn, this is the place to get help ;]
17:36 < krzie> np
17:36 < yowlst> :)
17:37 < yowlst> i really like openvpn
17:37 < krzie> me too
17:37 < yowlst> i ve written a tutorial in the past
17:37 < krzie> me too, i wrote this:
17:37 < krzie> !route
17:37 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:37 < yowlst> but now with this linux from fucking scratch i ve problem to understand some mechanism
17:37 < yowlst> anyway
17:38 < yowlst> night guys
17:38 < krzie> gnite
17:38 -!- yowlst [n=yowlst@host-84-222-53-193.cust-adsl.tiscali.it] has quit ["Leaving"]
17:49 -!- c64zottel [n=hans@p5B17B1D8.dip0.t-ipconnect.de] has quit ["Leaving."]
17:59 -!- jeiworth [n=jeiworth@189.234.35.254] has quit [Operation timed out]
18:10 -!- Hydrant2 [n=aj@74.198.8.70] has joined ##openvpn
18:10 < Hydrant2> hello all... I'm having nothing but problems with UDP.... I keep getting read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
18:11 < krzie> !logs
18:11 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:11 < Hydrant2> I think I'm going to setup TCP on the same port maybe
18:11 < krzie> you dont want tcp
18:12 < Hydrant2> http://pastebin.com/d7605941e
18:12 < Hydrant2> TCP was way more reliable...
18:12 < krzie> good job on not following directions
18:12 < krzie> wanna try again?
18:12 < Hydrant2> after replacing a router at home I can't use UDP.... I'm tethering with my cell phone right now and same thing
18:13 < krzie> is home your server?
18:14 < Hydrant2> http://pastebin.com/d23d99e75
18:15 < Hydrant2> no, server is somewhere else... other people are using it daily... I seem to be the only one with the issue
18:15 < Hydrant2> I can use it when I'm on other networks
18:15 < krzie> umm
18:16 < krzie> you stopped openvpn and restarted for that log?
18:16 < krzie> seems like it was already running
18:16 < Hydrant2> yup
18:16 < Hydrant2> for the verb setting to get picked up
18:16 < krzie> you just sent it a sigterm or completely killed and restarted?
18:16 < Hydrant2> I used the init.d script
18:16 < Hydrant2> I'm not sure how it's setup, it's on ubuntu
18:17 < krzie> you told it to restart?
18:17 < krzie> using that script
18:17 < Hydrant2> yup
18:17 < krzie> tell it to stop
18:17 < Hydrant2> /etc/init.d/openvpn restart
18:17 < krzie> then tell it to start
18:17 < krzie> then paste the log
18:17 < krzie> (my directions were not clear on that, not your fault)
18:19 < Hydrant2> http://pastebin.com/d62a665ae
18:20 < Hydrant2> I'm not sure if there is some tool or other method to test udp connections... I don't think telnet will do it, but netcat would
18:20 < krzie> ok
18:20 < krzie> now i need the server log
18:20 < Hydrant2> ... unfortunately there is no way to get that without VPN... I don't have an SSH backdoor
18:21 < krzie> you mentioned others are using it without issue, any of them root?
18:21 < Hydrant2> no way :-)
18:21 < krzie> hehe i feel ya on that one
18:21 < krzie> but ya, thats where the info will be
18:21 < krzie> its refusing the connection, and it should say why
18:22 < krzie> but its writing and getting a response
18:22 < Hydrant2> okay... I'll have to hope that I can get that info with the router I have at my parents
18:22 < krzie> so its not a firewall
18:22 < Hydrant2> okay that's good
18:22 < Hydrant2> I thought it was a router problem
18:22 < krzie> i dont think so
18:22 < krzie> could be something like your TLS static file is not right
18:22 < krzie> assuming you use that
18:23 < Hydrant2> the ca.crt ?
18:23 < krzie> or it could be other stuff, the server log should shed insight
18:23 < Hydrant2> I have a ca.crt file, and the actual keys
18:23 < krzie> nah i mean this:
18:23 < krzie> !hmac
18:23 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
18:23 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
18:23 < Hydrant2> okay, hopefully I can get it tonight...
18:23 < Hydrant2> at least we know it's not the router... directly at least
18:23 < krzie> well unless your router is somehow mangling the packets
18:24 < krzie> but packets are definitely getting to the server
18:24 < krzie> and a response is coming back saying "NO WAY"
18:24 < Hydrant2> well.. what are the chances of the packets getting mangled on both my home network, and cell
18:24 < Hydrant2> it's strange though that I can get on just fine when I'm on the wireless in the office
18:24 < Hydrant2> which is not on the same network, I have to use the VPN there too
18:24 < krzie> what are the chances that your router could be messing with your packets from your cell?
18:25 < Hydrant2> very high
18:25 < krzie> oh your cell is connecting through the router?
18:25 < Hydrant2> I had to tether my iphone via a virtual windows... then add a route from linux
18:25 < krzie> gotchya, figured you meant gprs/edge/3g
18:25 < krzie> well in the router
18:26 < krzie> just for the hell of it
18:26 < krzie> look for things like vpn passthrough etc
18:26 < Hydrant2> yah, I am on 3g right at this moment... but don't have proper linux support / drivers so I'm going through windows network sharing
18:26 < krzie> and enable them
18:26 < Hydrant2> k, I'll try that
18:26 < krzie> and you said it works fine from office wifi
18:26 < Hydrant2> yup
18:26 < krzie> so that kinda rules out things i was expecting
18:26 < Hydrant2> it's a strange problem
18:27 < krzie> makes it seem like it has to be some setting on the router
18:27 < Hydrant2> I seriously figured it the router
18:27 < Hydrant2> yah, kinda disappointing
18:27 < krzie> what kinda router?
18:27 < Hydrant2> it's a linksys, $80 router, they are usually good
18:27 < Hydrant2> wrt-54g
18:27 < krzie> i have one
18:27 < krzie> works fine for me
18:27 < Hydrant2> yah
18:27 < krzie> but i also always change settings
18:27 < Hydrant2> well there are like a hundred million revisions of that one
18:27 < krzie> so who knows what i changed
18:27 < krzie> ya that too
18:27 < krzie> those are good routers tho
18:28 < Hydrant2> yah
18:28 < krzie> well good nat-boxes, yanno what i mean
18:28 < krzie> heheh
18:28 < Hydrant2> the old one was a dlink I think, that worked fine
18:28 < Hydrant2> then I moved, left the old router in place for a roommate still living there, and the new one sucks :-(
18:28 < krzie> haha
18:28 < krzie> that sux
18:28 < Hydrant2> I don't like the fact that my router doesn't let me set static IPs through DHCP anymore...
18:29 < krzie> well if worst comes to worst
18:29 < Hydrant2> I did try setting my client system as DMZ btw
18:29 < krzie> since you're a linux guy
18:29 < krzie> you could always load up something like openWRT firmware on it
18:29 < Hydrant2> yah, I thought about that
18:29 < krzie> and have a fully functional linux router
18:29 < Hydrant2> or setup clark connect or whatever
18:29 < krzie> i dunno what that is
18:30 < krzie> but ya theres a ton of firmwares for those
18:30 < krzie> very popular router
18:30 < Hydrant2> it's just a simple router
18:30 < Hydrant2> router distro
18:30 < krzie> try bypassing the router just for the fuck of it
18:30 < Hydrant2> yah, someone suggested that I just ditch the wrt... use it as a switch / wap and put up a linux box for a real router
18:30 < krzie> unplug the router from dsl modem and plug in direct
18:30 < Hydrant2> yah, I should try that
18:31 < krzie> just to test openvpn
18:31 < Hydrant2> didn't think of that actually :-(
18:31 < krzie> ya, that happens to everyone
18:31 < krzie> a second set of 'eyes' comes in handy ;]
18:31 < Hydrant2> that's what IRC is for
18:31 < Hydrant2> that and flaming
18:31 < krzie> lol
18:32 < krzie> wanna see a flame wait til the next person joins to ask about bridging ;]
18:32 < Hydrant2> okay, well my train stop is coming up... I'm going to try it out in a couple hours tonight... hopefully I can get into the VPN to setup an ssh backdoor into the system
18:32 < Hydrant2> later
18:32 < krzie> adios
18:35 -!- tjz [n=tjz@bb116-15-41-73.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
18:56 -!- Hydrant2 [n=aj@74.198.8.70] has quit [Read error: 110 (Connection timed out)]
20:13 -!- gelbasack [n=gelbasac@gw6.gelbasack.net] has quit [Read error: 110 (Connection timed out)]
20:33 -!- tjz [n=tjz@bb121-7-98-33.singnet.com.sg] has joined ##openvpn
20:50 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
20:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
20:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
21:00 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:04 -!- master_of_master [i=master_o@p549D4648.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:07 -!- master_of_master [i=master_o@p549D4A7D.dip.t-dialin.net] has joined ##openvpn
21:16 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:17 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded]
21:19 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:20 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded]
21:22 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:24 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded]
21:25 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:35 -!- Guest24938 is now known as pekster
21:36 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit []
21:37 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:57 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
21:58 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
22:41 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
22:41 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Remote closed the connection]
22:54 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Success]
22:58 -!- troy [n=troy@worldnet.tauri.ca] has quit [Nick collision from services.]
22:59 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
23:00 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
23:09 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
23:11 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn
23:22 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
23:38 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
23:39 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
23:40 -!- xp_prg2 [n=xp_prg3@99.23.56.166] has joined ##openvpn
23:49 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit [Connection timed out]
23:53 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Jun 27 2009
00:07 -!- xp_prg2 [n=xp_prg3@99.23.56.166] has quit ["This computer has gone to sleep"]
00:36 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit []
00:37 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn
00:48 -!- Hink [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
00:50 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has left ##openvpn ["Ex-Chat"]
00:51 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
00:58 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
01:02 -!- master_of_master [i=master_o@p549D4A7D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:24 -!- master_of_master [i=master_o@p549D3093.dip.t-dialin.net] has joined ##openvpn
01:31 < reiffert> ,pom
01:31 < reiffert> moin :)
01:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:11 -!- c64zottel [n=hans@p5B17990B.dip0.t-ipconnect.de] has joined ##openvpn
02:11 -!- c64zottel [n=hans@p5B17990B.dip0.t-ipconnect.de] has left ##openvpn []
02:23 -!- albech [n=albech@58.147.43.240] has joined ##openvpn
02:24 -!- albech [n=albech@58.147.43.240] has quit [SendQ exceeded]
02:25 -!- albech [n=albech@58.147.43.240] has joined ##openvpn
03:00 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
04:33 -!- carpe_ [n=carpe@66.11.76.242] has joined ##openvpn
04:35 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
04:37 -!- drumjak1 [n=q1@host68-218-dynamic.55-82-r.retail.telecomitalia.it] has joined ##openvpn
04:47 -!- drumjak1 [n=q1@host68-218-dynamic.55-82-r.retail.telecomitalia.it] has left ##openvpn []
05:48 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has quit [Read error: 104 (Connection reset by peer)]
05:59 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has joined ##openvpn
06:13 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
06:16 < scyld> Hi, question about OVPN-AS. I'm to run this stuff on gentoo box (not supported) and have a problem installing license key. Maybe it will tell you something: chain_add_license_key: as it doesn't for me. Any ideas?
06:33 -!- |ns|nR8 [n=doof@CPE-124-185-184-87.qld.bigpond.net.au] has joined ##openvpn
06:48 -!- flokuehn_ [n=flokuehn@94.186.154.83] has joined ##openvpn
06:48 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 104 (Connection reset by peer)]
06:51 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)]
07:07 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn
07:11 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
07:46 < Dougy> thedoc: ! :)
07:50 < thedoc> hey Dougy :)
07:50 * thedoc is quite miffed.
07:50 < thedoc> Someone on the forums was proclaiming that Windows is more secured than Linux because everyone can see the source code in Linux and it's easier to hack.
07:51 < Dougy> LOOL
07:51 < thedoc> Apparently a 15 year++ experience Windows sysadmin
07:51 < thedoc> :(
07:51 < Dougy> Hey.
07:51 * Dougy is a 16 year old sysadmin
07:51 * thedoc is about to try.
07:51 * Dougy is competent
07:51 < Dougy> so ner
07:51 < thedoc> s/try/cry
07:55 -!- |ns|nR8 [n=doof@CPE-124-185-184-87.qld.bigpond.net.au] has quit [Read error: 110 (Connection timed out)]
08:05 * ecrist is a 29 y/o sysadmin
08:15 -!- CybDev [i=cybdev@unaffiliated/cybdev] has quit [Read error: 110 (Connection timed out)]
08:32 -!- thedoc_ [n=andelyx@bb116-14-219-134.singnet.com.sg] has joined ##openvpn
08:33 -!- thedoc- [n=andelyx@208.99.194.194] has joined ##openvpn
08:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
08:53 -!- albech [n=albech@58.147.43.240] has quit [Remote closed the connection]
08:54 -!- thedoc_ [n=andelyx@bb116-14-219-134.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
09:10 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has left ##openvpn []
09:20 -!- thedoc- [n=andelyx@208.99.194.194] has quit [Read error: 110 (Connection timed out)]
09:41 < Dougy> .
09:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
10:55 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has joined ##openvpn
11:19 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
11:46 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit []
12:12 -!- c64zottel [n=hans@p5B17990B.dip0.t-ipconnect.de] has joined ##openvpn
13:01 -!- thedoc- [n=andelyx@bb116-14-219-134.singnet.com.sg] has joined ##openvpn
13:02 -!- madduck [n=madduck@debian/developer/madduck] has joined ##openvpn
13:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
13:04 < madduck> i have two clients, both with identical configs (http://stikked.com/view/5735159) and one complains "WARNING: No server certificate verificat
13:04 < vpnHelper> Title: Stikked | Paste: Untitled (at stikked.com)
13:04 < madduck> ion method has been enabled. See http://openvpn.net/howto.html#mitm for more info."
13:04 < madduck> while the other does not
13:08 < madduck> both are running 2.1~rc11-1 (Debian lenny)
13:08 < madduck> what could be the reason?
13:08 < madduck> (both are talking to the same server)
13:20 -!- thedoc- [n=andelyx@bb116-14-219-134.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
14:10 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
14:49 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["leaving"]
14:51 -!- linux_manju [n=Manjunat@115.108.23.36] has joined ##openvpn
14:51 < linux_manju> Hi All..
14:52 < linux_manju> I am getting write UDPv4 [ECONNREFUSED]: Connection refused (code=146)
14:52 < linux_manju> Can anyone tell me what does that mean?
14:52 < linux_manju> I am sure Firewall ports are open
14:53 < ecrist> ball lickers
14:56 -!- vaq [i=c99@vaq/unaffiliated] has joined ##openvpn
14:56 -!- xp_prg [n=xp_prg3@mea0f36d0.tmodns.net] has joined ##openvpn
14:56 < vaq> Hello, does anybody have problems with building a custom openvpn installer? I just retrieved the latest source and I get a compile error:
14:56 < vaq> gui-1.0.3\openvpn-gui.nsi" on line 221 -- aborting creation process
14:58 < vaq> I'm using: openvpn_install_source-2.0.9-gui-1.0.3.zip
15:03 < vaq> Ah
15:03 < vaq> it was due to the nullsoft version
15:13 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has joined ##openvpn
15:14 < Michael`> !logs
15:14 < vpnHelper> Michael`: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:14 < Michael`> !howto
15:14 < vpnHelper> Michael`: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:14 < Michael`> !route
15:14 < vpnHelper> Michael`: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:15 < Michael`> !redirect
15:15 < vpnHelper> Michael`: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:16 -!- Netsplit jordan.freenode.net <-> irc.freenode.net quits: no_maam, _UsUrPeR_, ebil, chinsan, ^scott^, code-
15:16 -!- Netsplit over, joins: _UsUrPeR_, ebil, no_maam, code-, chinsan, ^scott^
15:16 < krzie> i love to see someone doing the reading, need help with anything?
15:19 -!- Netsplit jordan.freenode.net <-> irc.freenode.net quits: no_maam, _UsUrPeR_, ebil, chinsan, ^scott^, code-
15:22 -!- Netsplit over, joins: _UsUrPeR_, ebil, no_maam, code-, chinsan, ^scott^
15:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:34 < krzie> wassup roentgen
15:35 < roentgen> nothing special :P
15:35 < roentgen> getting bored? :)
15:36 < krzie> haha yupyup
15:42 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"]
15:44 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has joined ##openvpn
15:46 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has quit [Client Quit]
15:46 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has joined ##openvpn
15:54 -!- xp_prg [n=xp_prg3@mea0f36d0.tmodns.net] has quit ["This computer has gone to sleep"]
16:08 -!- xp_prg [n=xp_prg3@mf20f36d0.tmodns.net] has joined ##openvpn
16:26 -!- linux_manju [n=Manjunat@115.108.23.36] has quit [Read error: 110 (Connection timed out)]
16:34 < reiffert> moin
16:34 < krzie> moinmoin
16:38 < reiffert> how goes it?
16:39 < krzie> good man, just chillen
16:40 < reiffert> plenty of beer and meeting friends today, selfmade pizza, everything s ok
16:40 < krzie> hell yes
16:40 < krzie> sounds like a good day
16:41 < vaq> :)
17:03 < reiffert> :)
17:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
17:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:57 < krzie> thx for the link reif, im learning a bit
18:00 < krzie> # Replace first occurrence of substring with replacement.
18:00 < krzie> echo ${arrayZ[@]/fiv/XYZ} # one two three four XYZe
18:01 < krzie> never knew such a thing existed, thought i had to sed it
18:01 < krzie> could simplify some old scripts with that knowledge if i cared to go back
18:49 -!- denon [i=denon@synapse.subneural.net] has joined ##openvpn
18:50 < denon> !route
18:50 < vpnHelper> denon: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:58 < denon> is it possible to have the OpenVPN-AS client save the password in its config?
19:04 < denon> or does AS support something like cryptoapicert?
19:04 < denon> not sure how you're "supposed" to do that in AS 19:36 -!- c64zottel [n=hans@p5B17990B.dip0.t-ipconnect.de] has quit ["Leaving."] 19:40 -!- xp_prg [n=xp_prg3@mf20f36d0.tmodns.net] has quit ["This computer has gone to sleep"] 19:53 -!- SYST3M32 [n=Admin@ns303573.ovh.net] has joined ##openvpn 19:53 < SYST3M32> damn there are alot of you in here 19:54 < SYST3M32> i have a problem anyone wanna lend a hand? 19:59 -!- Admin_ [n=Admin@74-140-153-125.dhcp.insightbb.com] has joined ##openvpn 20:05 < Admin_> So anyone got some time to try and help me work a issue out that i'm having? 20:12 -!- Admin__ [n=Admin@74-140-153-125.dhcp.insightbb.com] has joined ##openvpn 20:18 -!- SYST3M32 [n=Admin@ns303573.ovh.net] has quit [Read error: 110 (Connection timed out)] 20:25 < krzie> only if youd like to explain the problem 20:25 < krzie> DENON 20:25 < krzie> denon WHATS UP BRO!!! 20:25 < krzie> ltns 20:27 < krzie> what exactly is openvpn-as 20:28 < krzie> ohhh that for-profit app 20:30 < krzie> ive never seen openvpn-as, but the client side should just be openvpn 20:30 -!- Admin_ [n=Admin@74-140-153-125.dhcp.insightbb.com] has quit [Read error: 110 (Connection timed out)] 20:30 < krzie> so you CAN save the passwords 20:30 < krzie> !factoids search pass 20:30 < vpnHelper> krzie: 'winpass', '2.1-winpass-script', 'password', and 'authpass' 20:30 < krzie> !password 20:30 < vpnHelper> krzie: Error: That operation cannot be done in a channel. 
20:30 < krzie> !factoids search password 20:30 < vpnHelper> krzie: "password" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 20:31 < krzie> hrmz 20:31 < krzie> !authpass 20:31 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 20:31 < krzie> !forget password 20:31 < vpnHelper> krzie: Error: 3 factoids have that key. Please specify which one to remove, or use * to designate all of them. 20:31 < krzie> !forget password * 20:31 < vpnHelper> krzie: Joo got it. 20:31 < krzie> !pwfile 20:31 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 20:31 -!- tjz2 [n=tjz@bb121-7-98-33.singnet.com.sg] has joined ##openvpn 20:31 < krzie> there we go! 20:32 < krzie> denon, thats your answer 20:32 < krzie> and msg me for the new key to the other channel 20:33 < krzie> Admin__ would you like to explain your problem? 20:34 < Admin__> msn does not work with this 20:34 < krzie> Admin__ i dont understand... 20:35 < krzie> whats msn have to do with openvpn? 20:35 < Admin__> well i run vpn to proxy 20:35 < Admin__> yet my browsers work fine 20:35 < krzie> you sure your browsers are going over the vpn? 
20:35 < Admin__> but when i try to sign into msn it does not connect 20:35 < Admin__> yep 20:35 < Admin__> i ip tested them 20:35 < krzie> !configs 20:35 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:45 < krzie> gotta hurry too, i leave in about 15 mins 20:47 < Dougy> hey krzie 20:47 < Dougy> gonna be another short outage coming up 20:47 < krzie> sup dougy 20:47 * Dougy is replacing his switch 20:47 < krzie> powr outage or inet outage? 20:47 < Dougy> inet 20:47 < krzie> ahh cool 20:48 < Dougy> cisco 2950 -> 3548xl 20:48 < Dougy> i am tired of those fucks screwing up my routing 20:48 < Dougy> so im getting a cheaper layer3 20:48 < krzie> getting rid of the cisco? 20:48 < Dougy> going to a layer3 cisco 20:48 < Dougy> 3548 20:48 < krzie> the 2950 tho 20:48 < krzie> what are you doing with it? 20:49 < krzie> leave it around as a spare? 20:49 < krzie> those are nice switches 20:49 -!- tjz [n=tjz@bb121-7-98-33.singnet.com.sg] has quit [Connection timed out] 20:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 20:54 < Dougy> krzie: selling it 20:55 < krzie> how much? 
20:55 < Dougy> 50 20:55 < Dougy> id prefer 75 20:55 < Dougy> but 50 will do 20:55 < krzie> sold for 50, save it for me 20:55 < krzie> ill give you an address and payment later 20:55 < krzie> =] 20:56 < Dougy> lol 20:56 < Dougy> k 20:56 < Dougy> gimmie 60 :p 20:56 < Dougy> fwiw, 24 ports, good condition 20:56 < krzie> shit you dunno how raped ill be getting at customs 20:56 < Dougy> lol 20:56 < Dougy> oh 20:56 < Dougy> its leaving the usa 20:56 < krzie> they stick it right up the butt 20:56 < krzie> ya but you'll be shipping inside the usa 20:57 < krzie> it'll get forwarded ;] 20:57 < Dougy> sneaky bastard 20:57 < krzie> yanno ;] 20:57 -!- Admin__ [n=Admin@74-140-153-125.dhcp.insightbb.com] has quit ["Leaving"] 21:01 -!- chinsan [i=chuck-th@chinsan.info] has quit [Read error: 104 (Connection reset by peer)] 21:01 -!- chinsan [i=chuck-th@chinsan.info] has joined ##openvpn 21:01 < krzie> it will be fun to play with tho 21:02 < Dougy> 2950s are fun 21:02 < Dougy> its layer2 only though, no routing 21:02 < krzie> yup 21:02 < krzie> switch, not router 21:02 < Dougy> yea 21:02 < Dougy> i thought about getting a 3550 21:02 < krzie> ive played with them before 21:03 < Dougy> http://cgi.ebay.com/Cisco-Catalyst-3550-48-Port-Switch-WS-C3550-48-SMI_W0QQitemZ370221236538QQcmdZViewItemQQptZCOMP_EN_Hubs?hash=item5632e7c13a&_trksid=p3286.c0.m14&_trkparms=65%3A12|66%3A2|39%3A1|72%3A1205|240%3A1318|301%3A0|293%3A1|294%3A50#ebayphotohosting 21:03 < vpnHelper> Title: Cisco Catalyst 3550 48 Port Switch, WS-C3550-48-SMI - eBay (item 370221236538 end time Jul-26-09 18:30:23 PDT) (at cgi.ebay.com) 21:03 < Dougy> expensive 21:04 < Dougy> i'm only pushing 4mbps right now anyway.. if i was pushing a few hundred i would buy a decent switch 21:07 < krzie> it ... brin [brin@go.eat.some.fuckingshit.org] has joined #thc 21:07 < krzie> ... 
SignOff brin: #thc (Excess Flood) 21:07 < krzie> why dont people learn howto make vhosts that dont suck 21:07 < krzie> go.eat.some.fuckingshit.org 21:07 < krzie> if i had that domain ild use anal.is.fuckingshit.org 21:07 < krzie> cause... anal is fucking shit 21:07 < krzie> heh 21:07 < Dougy> lol 21:09 < Dougy> krzie: who am i shipping the switch to? 21:09 < Dougy> who's your 'person'? 21:09 < Dougy> eric? lol 21:12 < krzie> ill give you a name tomorrow 21:12 < krzie> time for me to go 21:12 < krzie> =] 21:12 < Dougy> lol 21:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 21:39 -!- StormWlf [i=Silent1_@adsl-76-192-208-209.dsl.okcyok.sbcglobal.net] has joined ##openvpn 21:52 -!- voipuser_ [n=voipuser@24-180-125-183.dhcp.aldl.mi.charter.com] has quit [] 22:21 -!- Guest32245 [n=dacurmud@rvd1901f0a.sprocketnetworks.com] has quit [Client Quit] 22:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 23:50 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn --- Log closed Sun Jun 28 00:08:05 2009 --- Log opened Sun Jun 28 00:08:11 2009 00:08 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 00:08 -!- Irssi: ##openvpn: Total of 70 nicks [0 ops, 0 halfops, 0 voices, 70 normal] 00:08 -!- Irssi: Join to ##openvpn was synced in 27 secs 00:09 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: ecrist, flokuehn_, Kreg, pekster, carpe_, lataffe 00:10 -!- Netsplit over, joins: pekster 00:11 -!- pekster is now known as Guest35500 00:11 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn 00:11 -!- Guest35500 is now known as pekster 00:14 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection] 00:14 -!- denon [i=denon@synapse.subneural.net] has quit [Remote closed the connection] 00:23 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 00:23 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 00:25 -!- freaky[t] [i=alpha@member.team-box.net] has 
joined ##openvpn 00:59 < madduck> I have two clients, both with identical configs (http://stikked.com/view/5735159), both running 2.1~rc11-1 on Debian lenny, and both connecting to the same server. 00:59 < madduck> One keeps warning me about "No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info." The other does not. 00:59 < vpnHelper> Title: Stikked | Paste: Untitled (at stikked.com) 00:59 < madduck> What could be the reason? 01:37 -!- mRCUTEO [n=IRCLUNAT@115.132.122.81] has joined ##openvpn 01:37 < mRCUTEO> hi i tried to connect to my openvpn from the client but i get error certificate not yet valid.. i think this is because of the time genrate in the certificate how can i bypass this? 01:38 -!- master_of_master [i=master_o@p549D3093.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:41 -!- mRCUTEO [n=IRCLUNAT@115.132.122.81] has quit [] 01:42 -!- master_of_master [i=master_o@p549D3E7C.dip.t-dialin.net] has joined ##openvpn 02:11 < madduck> !logs 02:11 < vpnHelper> madduck: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 02:11 < madduck> !config 02:11 < vpnHelper> madduck: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 02:11 < madduck> hm... 02:11 < madduck> !loogs > mRCUTEO 02:11 < vpnHelper> madduck: Error: "loogs" is not a valid command. 02:11 < madduck> !logs > mRCUTEO 02:11 < vpnHelper> madduck: Error: "logs" is not a valid command. 02:11 < madduck> i don't like bots 02:14 -!- mRCUTEO [n=IRCLUNAT@115.132.122.81] has joined ##openvpn 02:14 < mRCUTEO> hi i try to connect to my openvpn server but SSL date is still not valid yet.. 02:14 < mRCUTEO> how can i bypass this or any other way around to activate the ssl the time i created it? 
02:14 < madduck> mRCUTEO: show your config and your logs 02:15 < madduck> !pastebin 02:15 < vpnHelper> madduck: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 02:15 < mRCUTEO> okay 02:19 < vaq> Isn't OpenVPN on Vista x64 possible? 02:21 < mRCUTEO> madduck: http://www.pastebin.ca/1477210 02:22 < madduck> mRCUTEO: i don't have time to debug this, but the logs you provide have nothing to do with openvpn 02:22 < mRCUTEO> oh my sorry i paste the wrong one 02:23 < madduck> !/30 02:23 < vpnHelper> madduck: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 02:23 < madduck> !topology 02:23 < vpnHelper> madduck: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
02:24 < mRCUTEO> madduck: http://www.pastebin.ca/1477214 02:24 < mRCUTEO> this is the log 02:24 < mRCUTEO> it just looks fine 02:24 < mRCUTEO> but i dunno the certificate says it is not activate yet 02:26 < mRCUTEO> i use: openssl x509 -in -noout -text and found out that the cert only activate after 2 hours 02:26 < mRCUTEO> anyway to change the date of activiation of the cert 02:31 -!- mRCUTEO [n=IRCLUNAT@115.132.122.81] has quit [] 03:00 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 03:06 -!- linux_manju [n=Manjunat@115.108.23.36] has joined ##openvpn 03:12 -!- linux_manju [n=Manjunat@115.108.23.36] has quit [] 03:19 -!- tjz2 [n=tjz@bb121-7-98-33.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 03:23 < Michael`> When i create a new certificate, than it`s activation date is today 03:47 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has joined ##openvpn 04:06 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has quit ["Nettalk6 - www.ntalk.de"] 04:16 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn 04:16 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has joined ##openvpn 04:19 -!- Timpa [i=timpa@chuck.bartowski.skalet.org] has quit [Read error: 113 (No route to host)] 05:01 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"] 05:16 -!- Michael` [n=michael`@p3EE0DA6E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 05:25 -!- c64zottel [n=hans@91.23.141.205] has joined ##openvpn 05:53 -!- mRCUTEO [n=IRCLUNAT@124.13.181.151] has joined ##openvpn 05:53 < mRCUTEO> hi 05:53 < mRCUTEO> !configs 05:53 < vpnHelper> mRCUTEO: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:53 < mRCUTEO> !howto 05:53 < vpnHelper> mRCUTEO: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 05:54 < mRCUTEO> i have setup openvpn but when i try to connect the certificate client says the certificate is not yet valid 05:54 < mRCUTEO> is there a way to set the certificate date? 05:57 < mRCUTEO> anyone 06:03 < mRCUTEO> my error says certificate is not yet valid 06:22 -!- mRCUTEO [n=IRCLUNAT@124.13.181.151] has quit [] 06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:48 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has left ##openvpn [] 06:49 -!- gorkhaan_ [n=gorkhaan@87.229.108.75] has joined ##openvpn 06:51 < gorkhaan_> quit 06:51 -!- gorkhaan_ [n=gorkhaan@87.229.108.75] has quit [Client Quit] 06:51 -!- ashley_ [n=ashley@87-194-183-38.bethere.co.uk] has joined ##openvpn 06:51 < ashley_> http://pastebin.com/m2026b5f0 06:52 < ashley_> Helpplzkthx! 06:52 < ashley_> I tried sudo route del default gw 10.98.76.133 06:52 < ashley_> but it doesn't work 07:02 -!- ashley_ [n=ashley@87-194-183-38.bethere.co.uk] has quit ["leaving"] 07:35 -!- Axet [n=no@vshost1.nurvnet.org] has joined ##openvpn 07:36 < Axet> hi all, is it possible to have clients connecting to an instance of openvpn using different ciphers ? 
I'm using per client conf files 07:40 -!- Michael` [n=michael`@62.224.181.171] has joined ##openvpn 08:04 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn 08:26 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has joined ##openvpn 08:36 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 08:41 -!- Axet [n=no@vshost1.nurvnet.org] has quit [] 08:51 -!- darius [n=darius@207.229.123.5] has quit ["That's it for today"] 09:12 -!- Gorkhaan [n=Gorkhaan@adsl-101-115.globonet.hu] has quit [Read error: 110 (Connection timed out)] 09:37 -!- Michael`2 [n=michael`@p3EE0B8C8.dip.t-dialin.net] has joined ##openvpn 09:54 -!- Michael` [n=michael`@62.224.181.171] has quit [Read error: 110 (Connection timed out)] 09:56 -!- solvik [i=solvik@oxyradio.com] has joined ##openvpn 10:32 -!- Michael` [n=michael`@p3EE0B8C8.dip.t-dialin.net] has joined ##openvpn 10:48 -!- Michael`2 [n=michael`@p3EE0B8C8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 10:52 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has joined ##openvpn 10:59 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has quit [Read error: 104 (Connection reset by peer)] 11:02 -!- Michael` [n=michael`@p3EE0B8C8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 11:34 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 12:13 -!- p3ri0d [i=p3ri0d@200.2.159.161] has joined ##openvpn 12:36 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 12:59 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has joined ##openvpn 12:59 < jasonbourne> can anyone help me config openvpn for linux 13:00 < reiffert> !howto 13:00 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 13:06 -!- jeiworth [n=jeiworth@189.217.159.218] has joined ##openvpn 13:22 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has quit ["Leaving"] 13:23 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has joined ##openvpn 13:25 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 13:41 -!- jeiworth [n=jeiworth@189.217.159.218] has quit [Read error: 110 (Connection timed out)] 13:45 -!- Ypsy [n=ypsy@geekpadawan.de] has joined ##openvpn 13:45 < Ypsy> !howto 13:45 < vpnHelper> Ypsy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:47 < Ypsy> Hi, I just configured openVPN on my vserver using this german howto: http://wiki.ubuntuusers.de/OpenVPN 13:47 < vpnHelper> Title: OpenVPN › Wiki › ubuntuusers.de (at wiki.ubuntuusers.de) 13:48 < Ypsy> when I now try to restart the daemon it simply says "failed!" :/ no errors 13:48 < Ypsy> could it maybe be some usual problem? 13:53 -!- bandini [n=bandini@host54-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 13:58 < vlt> Ypsy: a) What does syslog say? b) Is the tun/tap module available on your vserver (I had to activate it first on my HE vserver)? 13:59 < Ypsy> b) I dont know. Thought about that but in some howto I read there was a error when that was the case. And the daemon was already running for once afaik (dunno if it can run without the modules) 13:59 < Ypsy> ill check the syslog 14:03 < vlt> Hello. I have three tap mode tunnels between two servers. When I try to aggregate the devices to one bond0 device (mode=0) the resulting bandwidth is only three times the slowest line's. Any better idea how to solve this? Is there something built into ovpn I could use? 
14:09 -!- ebil [n=ebil@ip70-174-136-104.dc.dc.cox.net] has quit [Remote closed the connection] 14:16 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)] 14:23 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has quit ["Nettalk6 - www.ntalk.de"] 14:28 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 14:35 -!- Douglas [n=doug@160.79.78.34] has quit [Read error: 60 (Operation timed out)] 14:42 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 14:43 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 14:54 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 15:15 -!- davidisk1 is now known as davidisko 15:28 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has joined ##openvpn 15:36 < ponyofdeath> hi, wondering what routes i have to add to my default gateway if the vpn server is different from the default gateway? do i need the remote subnet as well as the vpn tunnels subnet routing to the vpn router's internal ip? 15:39 < Bushmills> ponyofdeath, no need to add routes yourself, as you can ask client to do that for you. or, even tell server to ask client to add the routes to vpn server. 15:39 < Bushmills> !redirect 15:39 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
15:39 < Bushmills> (that assumes, *all* traffic) 15:40 < ponyofdeath> Bushmills: well what if the vpn server is not the default gateway for the subnet 15:40 < Bushmills> well, all traffic over default route, actually, to vpn server instead 15:42 < Bushmills> if it isn't, also no need: route to vpn server is added automatically 15:42 < Bushmills> (while your default gateway remains default, in that case) 15:42 < ponyofdeath> Bushmills: well i want the subnet on the other side to see the subnet on the client side 15:44 < Bushmills> in that case you need to add a route to the net behind the one end to the other end. 15:46 < ponyofdeath> Bushmills: yeah im adding the clients net to the default router to point to the vpn server but doesnt seem to work. i see using a traffic sniffer that the ping is 10.98.98.2 > 10.7.7.1 15:47 < Bushmills> you also may have to enable ip forwarding. 15:47 < Bushmills> that's probably mentioned in ... 15:47 < Bushmills> !route 15:47 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:47 < ponyofdeath> so i have client ( 10.6.6.0/24 ) > vpn server ( 10.7.7.2 ) 15:47 < ponyofdeath> Bushmills: its enabled 15:47 < ponyofdeath> on the vpn server and on the default router 15:50 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has quit ["Leaving"] 15:56 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has joined ##openvpn 16:10 < krzie> what is 10.98.98.2? 
16:22 -!- jasonbourne [n=jasonbou@pool-173-67-248-152.rcmdva.fios.verizon.net] has quit [Read error: 110 (Connection timed out)] 16:24 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has joined ##openvpn 16:25 -!- c64zottel [n=hans@91.23.141.205] has quit ["Leaving."] 16:28 < krzie> Bushmills: yeah im adding the clients net to the default router 16:28 < krzie> to point to the vpn server but doesnt seem to work. i see using 16:28 < krzie> you need to do that for the lan subnet on the other side of the vpn too 16:29 < krzie> assuming 10.98.98.2 is 10.98.98.0/24 on the other lan, you must point that subnet to the vpn endpoint on local lan as well 16:38 -!- jasonbourne_ [n=jasonbou@bucharest.perfect-privacy.com] has joined ##openvpn 16:42 -!- jasonbourne_ [n=jasonbou@bucharest.perfect-privacy.com] has quit ["Leaving"] 16:56 -!- StormWlf [i=Silent1_@adsl-76-192-208-209.dsl.okcyok.sbcglobal.net] has quit [] 16:58 -!- StormWlf [i=stormwlf@adsl-76-192-208-211.dsl.okcyok.sbcglobal.net] has joined ##openvpn 16:59 < StormWlf> !howto 16:59 < vpnHelper> StormWlf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 17:01 < StormWlf> !configs 17:01 < vpnHelper> StormWlf: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:05 -!- Ypsy is now known as YpsyZNC 18:22 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:29 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:30 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Client Quit] 19:13 -!- p3ri0d [i=p3ri0d@200.2.159.161] has left ##openvpn ["Leaving"] 20:13 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 21:35 -!- jasonbourne [n=jasonbou@paris.perfect-privacy.com] has joined ##openvpn 21:36 < jasonbourne> can anyone tell me what replay-window backtrack occurred means 21:36 < jasonbourne> and if it is a problem 21:36 < jasonbourne> I ask because i am still leaking DNS while connected to openvpn 21:38 < thedoc> jasonbourne, How do you know you're leaking DNS? 
21:38 < jasonbourne> i went to whoer.net 21:38 < jasonbourne> dns is still mine 21:39 < jasonbourne> or USA 21:39 < jasonbourne> while the server is in paris 21:41 < thedoc> i'm no expert at DNS but i haven't seen anything like that on my ovpn boxes 21:41 < jasonbourne> thedoc ok well thanks anyways 21:42 < jasonbourne> you should check out whoer.net because it will let you know if you are leaking 21:43 < jasonbourne> i did all kinds of dns tests and this one will always tell you if you are leaking 21:43 < thedoc> Thanks;) 21:43 < jasonbourne> indeed 21:44 -!- You're now known as ecrist 21:44 < thedoc> Not leaking ;p 21:44 < jasonbourne> its killing me though man i switched to linux from windows because windows always leaks dns 21:44 * thedoc would be surprised to find out if he was 21:44 < thedoc> :D 21:44 < jasonbourne> lol 21:44 < jasonbourne> no this does but i guess it could be my vpn provider 21:45 < thedoc> jasonbourne, ah, which provider? 21:45 < jasonbourne> perfect-privacy 21:45 * thedoc provides vpns too :) 21:45 < ecrist> what do you mean, leaking? 21:45 < thedoc> ecrist, whoer.net is showing his ip and not the vpn tunnel ip 21:46 < jasonbourne> i mean when i go to whoer.net location in france and then in dns i get usa 21:46 < jasonbourne> indeed only under dns though 21:46 < jasonbourne> what is your vpb doc 21:46 < jasonbourne> vpn* 21:46 < thedoc> jasonbourne, me? We're just starting out ;) 21:46 < jasonbourne> thedoc you have a site? 21:47 < thedoc> jasonbourne, Not yet, 2advanced is working on it ;D 21:48 < thedoc> New startups, so god-damn slow. 21:48 < jasonbourne> thedoc lol well any details where are the servers located etc 21:48 < thedoc> jasonbourne, mainly in the US. 21:48 < thedoc> at the moment, probably getting more in scandinavia and uk 21:48 < jasonbourne> thedoc i see..... 
21:49 < jasonbourne> yeah scandinavia would be better :) 21:49 < jasonbourne> i just didnt think linux leaked dns 21:49 < thedoc> jasonbourne, could be on the server end? 21:50 < jasonbourne> i had it running fine in XP but it leaked and i had to fix it with netsetman application 21:50 < jasonbourne> thedoc could be iguess 21:50 < thedoc> Maybe:) 21:51 < thedoc> jasonbourne, how much do you pay for perfect-privacy vpns? 21:51 < jasonbourne> i pay 35 euro a month and i get too many server locations to mention 21:52 < thedoc> Ouch, 35 euros a month 21:52 < jasonbourne> if this dns leak keeps up i am about to just donate my account to some iranian journalist 21:52 < jasonbourne> acutally its 35 dollars sorry 21:52 < jasonbourne> its 24.95 euro 21:53 < jasonbourne> yeah i was using swissvpn for 5$ a month 21:53 < thedoc> 5 bucks a month? Sounds like it was crappy. 21:53 < jasonbourne> well it wasnt that bad 21:53 < jasonbourne> i think they retain data though 21:54 < Dougy> thedoc: there? 21:54 < thedoc> Dougy, indeed:) 21:54 < Dougy> any update? 21:54 * Dougy has box ready 21:55 < thedoc> Dougy, yep. I just cancelled one box. Give me a few days and I'll take yours ;p 21:55 < jasonbourne> so nobody has an idea how to fix this dns leak aside from thedoc 21:55 < thedoc> Like 2 days or so. 21:55 < thedoc> jasonbourne, I have no idea either. I don't usually see this issue come up. 21:55 < Dougy> thedoc: pm 21:57 -!- jasonbourne [n=jasonbou@paris.perfect-privacy.com] has quit ["Leaving"] 22:08 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 22:17 < krzee> [22:49] i just didnt think linux leaked dns 22:17 < Dougy> WTF 22:17 < krzee> is that an os specific thing? 
22:17 < Dougy> lol 22:17 < Dougy> he left 22:17 < krzee> my understanding of that term is when DNS gives away your real location when you tunnel your connections over vpn 22:17 < krzee> which is 100% settings related, not OS 22:18 < ecrist> thedoc: whoer.net shows the authoritative DNS for the IP address, not the DNS the client is using. 22:18 -!- jasonbourne [n=jasonbou@paris.perfect-privacy.com] has joined ##openvpn 22:18 < jasonbourne> bleh 22:18 < ecrist> jasonbournec: whoer.net shows the authoritative DNS for the IP address, not the DNS the client is using. 22:18 < ecrist> jasonbourne* 22:19 < jasonbourne> ecrist so why is it still showing up as usa when my server is in france 22:19 < thedoc> ecrist, ahh, sorry. my bad there 22:19 < ecrist> because my guess is whoever owns the IP space uses a US DNS server? 22:19 < jasonbourne> so that means my provider is based out of the USA 22:19 < jasonbourne> ecrist ok cool 22:19 < ecrist> no, it means the DNS server is in the USA 22:19 < thedoc> It means that your provider is using a DNS server in US 22:20 < jasonbourne> ok 22:22 < jasonbourne> ecrist how do you know that just curious? 22:22 < jasonbourne> all i see it say is DNS 22:22 < ecrist> i tested 22:22 < jasonbourne> cool 22:22 < jasonbourne> thx 22:22 < ecrist> get full whois information for the ip, will show auth dns server list 22:22 < jasonbourne> well i know i windows when i would be connected to a server in say france 22:23 < jasonbourne> sometimes usa would show up in the DNS 22:23 < jasonbourne> and when i entered the IP it gave it went to a login at verizon.com which is my isp 22:25 < ecrist> my guess is you're not verizon's only client 22:25 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has joined ##openvpn 22:25 < jasonbourne> well it is common knowledge that windows leaks DNS so i dont think that is correct 22:26 < jasonbourne> there are actually many fixes for it 22:26 < ecrist> OSes don't 'leak' DNS, it's more about the settings. 
22:26 < ecrist> and, why the hell do you care if your DNS is leaked? 22:27 < jasonbourne> well i mean i could be an iranian journalist 22:27 < jasonbourne> and i dont want to give away my position 22:27 < jasonbourne> many reasons 22:28 < jasonbourne> the point is that i want all traffic encrypted 22:28 < ecrist> so, manually change it to a DNS server if France 22:28 < ecrist> so encrypt all traffic. 22:28 < ecrist> it's very easy 22:29 < jasonbourne> well according to what you are telling me it should be already 22:29 < ecrist> what? 22:30 < jasonbourne> you are telling me that the DNS being in USA is not a problem 22:30 < jasonbourne> and that it has no relation to me 22:30 < ecrist> no 22:30 < ecrist> I told you that your test data was faulty 22:31 < jasonbourne> ecrist> no, it means the DNS server is in the USA 22:31 < ecrist> yep. not your DNS server, which you are questioning me about now. 22:32 < jasonbourne> ok well earlier in windows whoer.net was picking up my dns 22:33 < ecrist> my guess is your local IP has authoritative DNS which matches the DNS servers you were using. 22:33 < ecrist> pretty easy, particularly with small ISPs 22:33 < ecrist> what does all this have to do about OpenVPN? this isn't ##whoer.net 22:34 -!- troy- is now known as troy 22:34 < jasonbourne> dude clearly it has SOMETHING to do with Openvpn 22:34 < ecrist> it does? 22:35 < jasonbourne> i try not to answer questions twice in a row 22:35 < Dougy> afk 22:35 < ecrist> jasonbourne: ask your OpenVPN questions, please 22:35 < thedoc> jasonbourne, you're sure that it's not your provider that has something broken? 
22:36 < jasonbourne> no im not sure 22:36 < jasonbourne> thats why i came here to see if anyone had a quick fix or an idea 22:36 < ecrist> if your DNS query is routed to an IP address across the VPN, the query will be encrypted, and from the server across the VPN connection 22:37 < jasonbourne> ecrist so yeah thats what i was saying i should be encrypted correct 22:38 < ecrist> this can be accomplished with a proper PUSH option in the OpenvPN server config. 22:38 < ecrist> jasonbourne: no idea. You haven't shown me configs. 22:38 < thedoc> ecrist, he's a customer with a vpn company. 22:38 < thedoc> he wouldn't have server configs now ;p 22:38 < ecrist> oh, then I would talk to the VPN company 22:38 < ecrist> nothing we can do for you. 22:39 < jasonbourne> awesome 22:39 < jasonbourne> well thanks anyways 22:40 < jasonbourne> peace 22:40 -!- jasonbourne [n=jasonbou@paris.perfect-privacy.com] has quit ["Leaving"] 22:40 < ecrist> what a tool 22:42 < thedoc> ecrist, end users really ;) 22:42 < ecrist> lol, for sure. 22:42 < ecrist> with that, I'm off to bed. see you folks on the other side! 22:43 < thedoc> ta! --- Day changed Mon Jun 29 2009 00:01 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 00:12 -!- Michael` [n=michael`@f051033252.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 00:13 -!- jeiworth [n=jeiworth@189.217.12.238] has joined ##openvpn 00:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 00:16 -!- jasonbourne [n=jasonbou@202.71.103.246] has joined ##openvpn 00:16 < jasonbourne> what command can i put in terminal to stop my openvpn connection 00:16 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 00:17 < jasonbourne> hey doc 00:17 < thedoc> hello. 00:17 < jasonbourne> thedoc can you tell me what command i can use to stop my openvpn connection 00:17 < thedoc> jasonbourne, Which OS? 00:17 < jasonbourne> linuxmint 00:18 < thedoc> jasonbourne, How did you configure it? 
Did you start it via gnome-network-manager? 00:18 < jasonbourne> no i just go sudo openvpn --config Paris.ovpn 00:18 < thedoc> I'd go with killall openvpn 00:19 < jasonbourne> yeah 00:19 < jasonbourne> going to try that 00:42 -!- jasonbourne [n=jasonbou@202.71.103.246] has quit [Read error: 110 (Connection timed out)] 00:43 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 00:45 -!- troy is now known as troy- 01:18 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 01:19 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 104 (Connection reset by peer)] 01:19 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 01:28 < reiffert> http://www.titanic-magazin.de/uploads/pics/0628-jackson.jpg 01:38 -!- master_of_master [i=master_o@p549D3E7C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:42 -!- master_of_master [i=master_o@p549D3629.dip.t-dialin.net] has joined ##openvpn 01:46 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:12 -!- jeiworth [n=jeiworth@189.217.12.238] has quit [Read error: 110 (Connection timed out)] 02:22 -!- mattock [n=mattock@gw.tietoteema.fi] has quit [Remote closed the connection] 02:24 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 02:42 -!- troy- is now known as troy 02:46 -!- Michael` [n=michael`@p54A4862B.dip0.t-ipconnect.de] has joined ##openvpn 02:53 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)] 03:16 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 03:16 -!- Michael`2 [n=michael`@p54A4862B.dip0.t-ipconnect.de] has joined ##openvpn 03:33 -!- Michael` [n=michael`@p54A4862B.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 03:36 -!- Michael`2 [n=michael`@p54A4862B.dip0.t-ipconnect.de] has quit [Read 
error: 110 (Connection timed out)] 04:12 -!- Michael` [n=michael`@p54A4EC2F.dip.t-dialin.net] has joined ##openvpn 04:20 -!- fryfrog [n=fryfrog@poopfarts.luna.tk] has joined ##openvpn 04:20 < fryfrog> !route 04:20 < vpnHelper> fryfrog: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:27 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 04:31 -!- Michael`2 [n=michael`@p54A4EC2F.dip.t-dialin.net] has joined ##openvpn 04:32 -!- Michael` [n=michael`@p54A4EC2F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 04:47 -!- benedikt_ [n=benedikt@fw0.keilir.net] has joined ##openvpn 04:48 < benedikt_> I am having difficulties with configuring openvpn. I can connect to my server but nothing further. I am using the "push default-gateway" option, as it is the whole point of this VPN. 04:48 < benedikt_> I have tried to flush iptables but that does not change anything 05:07 < Bushmills> !route 05:07 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:07 < Bushmills> benedikt_, ^^^^^ 05:09 < benedikt_> Bushmills: allright 05:09 < Bushmills> what is it you want to do, besides connecting to server (i was assuming, talking to machines behind the server) 05:10 < benedikt_> there are no machines behind the server, it has no local subnet. I want to route all my network traffic through this machine (saves me money) 05:10 < Bushmills> !redirect 05:10 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
05:10 < benedikt_> I have nat enabled, ip forwarding and the redirect-gateway statement 05:10 < benedikt_> This is what i use for NAT, might not be enough though: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 05:11 < Bushmills> "push default-gateway" != "redirect-gateway" 05:11 < benedikt_> ah 05:11 < Bushmills> http://scarydevilmonastery.net/masq 05:12 < benedikt_> looks the same, except that one is missing -o 05:12 < Bushmills> also, redirect-gateway may fail when there is no default route. 05:12 < benedikt_> on the server? 05:12 < Bushmills> but that could be in conjunction with def1 only. not sure yet 05:13 < Bushmills> no. client. 05:13 < Bushmills> or push it, from server 05:14 < benedikt_> both have default gateways 05:14 < benedikt_> http://pastebin.com/m31a0a89c 05:15 -!- Michael`2 [n=michael`@p54A4EC2F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 05:15 < Bushmills> I'd fix WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo' 05:16 < Bushmills> client route seems ok 05:16 < benedikt_> yey! 05:16 < benedikt_> thanks :-) 05:17 < Bushmills> what was the problem? 
05:17 < benedikt_> compression was turned on server-side 05:17 < Bushmills> ok 05:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:36 -!- benedikt1 [n=benedikt@agurka.gurkubondi.net] has joined ##openvpn 05:42 -!- benedikt1 [n=benedikt@agurka.gurkubondi.net] has quit ["leaving"] 05:45 -!- Michael` [n=michael`@p54A4EC2F.dip.t-dialin.net] has joined ##openvpn 05:54 -!- benedikt_ [n=benedikt@fw0.keilir.net] has quit [Read error: 110 (Connection timed out)] 06:10 -!- Michael` [n=michael`@p54A4EC2F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 06:12 -!- Michael` [n=michael`@p4FD9FC9D.dip.t-dialin.net] has joined ##openvpn 06:16 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 06:29 -!- Michael` [n=michael`@p4FD9FC9D.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 07:14 < thedoc> !win7 07:14 < vpnHelper> thedoc: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 07:20 -!- mRCUTEO [n=IRCLUNAT@124.82.99.80] has joined ##openvpn 07:20 < eliasp> i have trouble with some of my OpenVPN clients... they all have the same config, but some of them have strange problems with the connection... e.g. an SSH connection is most of the time stuck and just sends all ~4-5 minutes a bunch of packets... when setting 'verb 4' i can see a lot of lines like these: Mon Jun 29 14:15:57 2009 us=562760 read UDPv4 [EHOSTUNREACH]: No route to host (code=113) 07:20 < eliasp> how do i get more information which host it can't reach? 07:25 < eliasp> what does the "us=$NUMBER" part tell? is this a TCP seq number? 07:28 < Bushmills> eliasp, do those machines have an extra route to the vpn server set up, which does not go through the vpn? 07:28 -!- mRCUTEO [n=IRCLUNAT@124.82.99.80] has left ##openvpn [] 07:31 < eliasp> no, there isn't a direct route additional to the one set up by OpenVPN... 
07:31 < eliasp> just the usual route for having a default GW 07:32 < eliasp> the routing table looks like this when the VPN is running: http://dpaste.com/61092/ 07:32 -!- zeddd [n=doof@124.184.92.114] has joined ##openvpn 07:32 < Bushmills> that means, the server can still be reached after openvpn has connected? 07:32 < eliasp> Bushmills: yes 07:34 < eliasp> as i'm just using the VPN as a management backbone for all servers it shouldn't be the case that the VPN route overrides the default route... the servers still need to be able to connect directly to the internet without going through the VPN 07:36 < Bushmills> i think that us is used as an attempt to abbreviate microseconds 07:37 < eliasp> ah, ok... a non-utf8 version of µs ;-) 07:37 < eliasp> hmm... found another hint for the connection drops: Mon Jun 29 14:20:40 2009 MULTI: new connection by client 'evsrvmgmt' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. 07:38 < eliasp> but i can't imagine there's another client with the same cert... i've re-created the cert 3h ago as i've thought the cert would be probably borked 07:38 < Bushmills> using a different common name for the new cert? 07:40 < eliasp> hmm, no... that's probably the problem... 07:40 < Bushmills> it is. 07:41 < eliasp> ok, so i'd just have to create another cert but using a uniq CN this time ;-) 07:41 < Bushmills> indeed 07:41 < eliasp> ok, thx a lot... i'll do ... let's see whether it helps 07:42 < Bushmills> no prob. here you get helped 07:42 < eliasp> 11 88 3 07:42 < eliasp> ;-) 07:42 < Bushmills> :D 07:43 < eliasp> hmm, just had a look at the index.txt ... the CN= part is the one which should be unique, right? this one is definitely uniq for both certificates... 
08:04 -!- troy is now known as troy- 08:07 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 08:13 -!- zeddd [n=doof@124.184.92.114] has quit ["Leaving"] 08:25 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:26 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 08:54 < ecrist> bitches 08:55 < thedoc> What the slut 08:55 < thedoc> ? 08:57 -!- jeiworth [n=jeiworth@189.217.237.14] has joined ##openvpn 08:59 -!- YpsyZNC is now known as Ypsy 09:15 -!- jeiworth [n=jeiworth@189.217.237.14] has quit [Read error: 110 (Connection timed out)] 09:16 -!- jeiworth [n=jeiworth@189.217.97.131] has joined ##openvpn 09:34 -!- RexMundi [n=RexMundi@77.95.99.166] has joined ##openvpn 09:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 10:04 -!- thedoc_ [n=andelyx@bb116-14-219-134.singnet.com.sg] has joined ##openvpn 10:07 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:10 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 10:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 10:55 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 10:56 -!- carpe_ is now known as plaerzen 10:56 * plaerzen waves. 11:04 -!- SparFux [n=raoul@e182030202.adsl.alicedsl.de] has joined ##openvpn 11:04 < SparFux> Hi all. 11:12 < SparFux> Anybdoy online who would like to try to setup a vpn connection to me? 11:23 < ecrist> I'm online, but I don't want to connect to your vpn. 11:24 < SparFux> I don't have a vpn. I am looking for a novice who would like to setup one, too. :-) 11:25 < SparFux> Which makes it LOOK PRO! 11:27 * plaerzen is offline, sorry. 11:28 < |Mike|> n 11:29 < |Mike|> plaerzen: get rid of that msg ktnx :) 11:29 < |Mike|> SparFux: what would you like to do with the VPN? 11:29 < SparFux> Nothing special. Just try it out. 11:29 < SparFux> ping and http perhaps. 
11:30 < |Mike|> And you have a server (colo/dedi) ? 11:31 < SparFux> what is colo/dedi? I have a standard home internet computer on a DSL line. 11:49 < SparFux> Is it possible to use OpenVPN to have a peer to peer style setup? 11:55 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has joined ##openvpn 11:55 -!- jeiworth [n=jeiworth@189.217.97.131] has quit [Read error: 104 (Connection reset by peer)] 12:11 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Remote closed the connection] 12:11 -!- lataffe_ [n=lars@cm-84.211.147.71.getinternet.no] has quit [Read error: 110 (Connection timed out)] 12:11 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:14 < krzee> SparFux, yes and the manual gives exact examples of how 12:14 < krzee> !man 12:14 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 12:17 < SparFux> As far as I can see, I would say I have to setup a separate vpn for each client to have some p2p character in it. 
12:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 12:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:29 -!- SparFux [n=raoul@e182030202.adsl.alicedsl.de] has left ##openvpn ["Leaving."] 12:30 -!- albech [n=albech@119.42.76.200] has joined ##openvpn 12:36 -!- troy- is now known as troy 14:31 -!- Gorkhaan [n=Gorkhaan@adsl-101-103.globonet.hu] has joined ##openvpn 14:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 14:55 -!- unix3 [n=unix3@190.10.68.228] has quit [Success] 16:05 -!- russo [n=russo@p579F6E47.dip.t-dialin.net] has joined ##openvpn 16:05 < russo> hi all i got a question 16:05 < russo> waht does the iroute directive do 16:06 < krzie> !iroute 16:06 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 16:06 < russo> i'm tryin to secure wifi access by connecting through an openvpn on my vserver 16:06 < krzie> vserver? 16:06 < russo> virtualserver 16:06 < russo> i.e. 
hosting 16:06 < krzie> ahh ok 16:06 < krzie> unless the client has a lan behind it, you dont need iroute 16:07 < krzie> if the client does have a lan behind it which you want connected to the vpn, see !route 16:07 < russo> !route 16:07 < vpnHelper> russo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:09 < russo> but that doesn't really say how to add a default route 16:09 < russo> i'm trying to access the internet through vpn 16:09 < krzie> i never said it would tell you that 16:09 < russo> :P 16:09 < russo> but thats my question 16:09 < krzie> i said that is for if you have a lan behind the vpn endpoint 16:10 < krzie> !redirect 16:10 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 16:10 < russo> is ther a way to write a small for do loop in irc :P 16:10 < russo> !def1 16:10 < vpnHelper> russo: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:10 < russo> !ipfoward 16:10 < vpnHelper> russo: Error: "ipfoward" is not a valid command. 
16:10 < russo> !ipforward 16:10 < vpnHelper> russo: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 16:11 < russo> !linipforward 16:11 < vpnHelper> russo: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 16:11 < krzie> !linnat 16:11 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 16:11 < russo> okay 16:12 < russo> i got that one too 16:12 < russo> how can i flush the rules though 16:12 < russo> or restart them 16:12 < krzie> try man iptables 16:12 < russo> i'll just restart networking :P 16:12 < krzie> (this channel is for openvpn, not basic linux administration, i would tell you if i knew, but i dont use linux) 16:13 < russo> yeah i mostly use mac :/ 16:13 < russo> although i have linux server :P 16:13 < russo> but i haven't played around with iptables enough to have needed it 16:13 < krzie> i also mostly use mac (for desktop) 16:13 < krzie> and freebsd for servers 16:13 < russo> ah n1 16:14 < Gorkhaan> iptables -F; iptables -X; you can clear the nat table: iptables -t nat -F; iptables -t nat -X 16:14 < Gorkhaan> sry for interrupt 16:14 < Gorkhaan> :) 16:14 < krzie> interrupt? nah man feel free to answer anything you know! 16:14 < krzie> =] 16:14 < Gorkhaan> 8-) 16:14 < russo> :D 16:14 < Gorkhaan> :D 16:14 < russo> i just got a witopia renewal reminder today 16:15 < russo> and i thought... $40/year witopia, or $7 per month vserver :P 16:15 < russo> or 6 actually 16:15 < Gorkhaan> whaz that? 
:D 16:16 < russo> i also am gonna set it up for more than one user at somepoint 16:16 < russo> witopia is the cheapest vpn solution i found 16:16 < russo> witopia.net 16:16 < russo> they use openvpn 16:16 < Gorkhaan> I see! 16:16 < russo> its quite okay 16:16 < russo> sometimes its really slow though 16:19 < Gorkhaan> not bad, but nowadays internet connections are speeding up like hell. Everyone can create VPNserver easily :D I just bought an Asus router, I'm planning to install on it DD-WRT. And later OpenVPN too ;) Sharing Internet on VPN ( and Wireless ) is great. :D 16:20 < krzie> aye 16:20 < krzie> its also possible to locally secure your wifi with ovpn 16:20 < krzie> !local 16:20 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 16:21 < Gorkhaan> yeah, That's it! ;) 16:21 < krzie> that bot knows a lot ;] 16:21 < Gorkhaan> d*mn! I love OpenVPN. :D 16:22 < krzie> ya me too, sweet app 16:22 < krzie> very versatile 16:22 < Gorkhaan> can be scriptable with _anything_ wohoo. :D 1 thing bothered me only 16:22 < russo> bbiab 16:22 < Gorkhaan> I had to use PortForwarding 16:23 < russo> am i still here? 16:23 < Gorkhaan> but when My clients disconnected (badly ), client-disconnect script did not run ( which cleared my iptables portforward rule ) 16:23 < Gorkhaan> yes you are definitely here. :D 16:24 < russo> :D 16:24 < russo> no just witopia resets my default route 16:24 < russo> i didn't know it was possible to get connected through a vpn without that happening 16:24 < russo> now 16:24 < russo> the real test 16:24 < russo> hulu.com :P 16:24 < russo> lol 16:24 < russo> thats what i fight for 16:24 < Gorkhaan> lolz 16:25 < Gorkhaan> Do u know TOR? 16:25 < russo> yeah 16:25 < russo> but... 
i also stream nhl 16:25 < russo> thats like 2mbit/s 16:25 < Gorkhaan> okay then.;) :D 16:25 < russo> why did i close my US bank account 16:25 < russo> i could be amazoning... :( 16:26 < russo> even using kindle :o 16:26 * russo studies in germany 16:26 * Gorkhaan is hungarian. ( unfortunately ) xD 16:37 -!- rusos [n=russo@66.160.197.162] has joined ##openvpn 16:37 -!- rusos [n=russo@66.160.197.162] has quit [Remote closed the connection] 16:38 -!- rusos [n=russo@p579F6972.dip.t-dialin.net] has joined ##openvpn 16:38 < rusos> okay 16:38 -!- rusos is now known as russo_ 16:39 < russo_> well 16:39 < russo_> after several disconnects :P 16:39 < russo_> i mean by my irc client 16:39 < russo_> but the performance is quite impressive 16:39 -!- russo_ [n=russo@p579F6972.dip.t-dialin.net] has quit [Client Quit] 16:42 -!- Ypsy is now known as YpsyZNC 16:44 -!- russo [n=russo@p579F6E47.dip.t-dialin.net] has quit [Read error: 101 (Network is unreachable)] 16:44 -!- bandini [n=bandini@host54-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:56 -!- Ypsy_ [n=ypsy_@frnk-590df4cc.pool.einsundeins.de] has joined ##openvpn 16:56 < Ypsy_> Good evening 16:57 < Ypsy_> I've got a problem! When trying to "/etc/init.d/restart" the output is always "failed!". Syslog says: ovpn-server[24309]: Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file 16:58 < Ypsy_> I've triple checked the path. The file is there. 16:59 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:05 < Gorkhaan> privileges are okay? are u using full path? 17:06 < Gorkhaan> I meant permissions, sry 17:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:06 < Ypsy_> not sure about the permissions 17:07 < Ypsy_> and im not using the full path, just ./easy-rsa... 17:07 < Ypsy_> should I use a full path? 
17:08 < Gorkhaan> yeah, you should try the full paths, in the config. or where you call openvpn, you can cd into the config's dir 17:08 < Gorkhaan> for instance: cd /etc/openvpn/server 17:08 < Gorkhaan> the server dir has the certificates, and the config too. 17:09 < Gorkhaan> so it can be loaded from there by this command: openvpn --config ./vpnserver.conf 17:10 < Gorkhaan> that's where you dont need to use full path... 17:10 < Ypsy_> dont have the folder /etc/openvpn/server :o 17:11 < Gorkhaan> well, where do you have your stuffz? :D 17:11 < Ypsy_> but tried it from the /etc/openvpn/ 17:11 < Gorkhaan> certificates, configs 17:11 < Ypsy_> there is the server.conf 17:11 < Ypsy_> and in it there is the easy-rsa folder 17:11 < Ypsy_> there is a keys folder in it containing the certificates 17:12 < Gorkhaan> If I were you I should copy them to here: /etc/openvp/server 17:12 < Ypsy_> its only possible to view that folder as su, maybe thats it? 17:12 < Gorkhaan> along with needed stuffz, like the howto says on openvpn.net 17:12 < Gorkhaan> you can check it: ls -l /etc/openvpn/ 17:13 < Ypsy_> done it via a german howto from ubuntuusers.de :P ill have a look at the openvpn.net one 17:13 < Ypsy_> drwxr-xr-x 3 root root 4096 Jun 28 17:54 easy-rsa2 17:13 < Gorkhaan> okay then, openvpn.net has incredibly great howto 17:14 < Ypsy_> okies 17:14 < Gorkhaan> If I were you I should copy them ( server certificates, and the server config ) to here: /etc/openvp/server 17:15 < Gorkhaan> are you familiar with GNU/Linux systems? 17:16 < |Mike|> doesn't seem so :x 17:17 < Gorkhaan> yeah, but never is too late to learn 'em. :D ( man X where X = cp, mv, ls, sudo, chmod, mkdir, rm ) 17:17 < |Mike|> lol 17:17 < |Mike|> man man 17:17 < |Mike|> start from there ;) 17:18 < Ypsy_> :P I am not that unfamiliar with Linux systems 17:19 < Ypsy_> Using nothing but Arch but dont have much experience with servers 17:19 < Gorkhaan> Mike: lol 17:20 < Gorkhaan> okay then. 
Well I started from the beginning too. If I were you I should start with: Debian --> ubuntu systems 17:20 < Ypsy_> So if Im using the static key mini-howto now. Is there a way to reset all the stuff i've done with my first howto? guess there will be conflicts if I just start again 17:20 < Gorkhaan> later on Gentoo, etc. 17:20 < Ypsy_> Used Ubuntu 2 years and moved to Arch half a year ago :p 17:20 < |Mike|> you did add the clients already? 17:20 < Gorkhaan> I see. okay :D 17:21 < Gorkhaan> !keys 17:21 < vpnHelper> Gorkhaan: "keys" is http://openvpn.net/howto#pki 17:21 < |Mike|> o i see what your issue is 17:21 < |Mike|> use the whole path to those certs 17:21 < |Mike|> No such file or directory: error:2006D080:BIO routines:BIO_new_fil*snip* 17:21 < |Mike|> you generated those ? 17:22 < Gorkhaan> yeah I told that already. any luck with that Ypsy_ ? 17:22 < Ypsy_> Yep they should be generated 17:22 < Gorkhaan> k 17:22 < Gorkhaan> bring it on mate! :D 17:23 < Ypsy_> http://wiki.ubuntuusers.de/OpenVPN?highlight=openvpn 17:23 < vpnHelper> Title: OpenVPN › Wiki › ubuntuusers.de (at wiki.ubuntuusers.de) 17:23 < Ypsy_> Ive done that stuff with first editing the vars file 17:23 < Ypsy_> and then generating all the keys etc 17:23 < krzie> !howto 17:23 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:24 < Ypsy_> yeah I know but I've started using the ubuntuusers one :P Perhaps theres a way to sort it out without starting again 17:24 < Ypsy_> the openvpn one seems to be a bit different 17:25 < Gorkhaan> Try the openvpn.net howto plz. U just have to copy-paste everything, with a little bit of reading 17:25 < Ypsy_> Ill try moving the keys now 17:25 < Gorkhaan> ;) 17:26 < Gorkhaan> copy them imho. 17:26 < Gorkhaan> Kilobytes of files wont bother you... but it can save you from regenerating if something bad comes up. 
17:30 -!- troy is now known as troy- 17:31 < Ypsy_> Gorkhaan can you help me with removing those restrictions on the keys? ive got an idea why this all happened 17:32 < Gorkhaan> because you generated them with root privileges 17:32 < Ypsy_> I was su when making the directory and perhaps thats why its only readable by root 17:32 < Ypsy_> yep 17:32 < Ypsy_> Im not really familiar with chmod though :/ 17:32 < Gorkhaan> if you call openvpn server with root privileges it have to workm BUT let's do this 17:32 < Gorkhaan> chmod yeah 17:32 < Gorkhaan> and chown 17:33 < Gorkhaan> what user is who calls the script to openvpn come up? 17:33 < Ypsy_> ypsy^^ 17:33 < Ypsy_> or wait 17:33 < Ypsy_> think I can only start is as root 17:33 < Gorkhaan> xD. Well you should use root privileges, because it have tu set up an virtual interface ( TUN/TAP ) 17:34 < Gorkhaan> this requires root privileges 17:34 < Ypsy_> okay 17:34 < Gorkhaan> so let's do this: 17:34 < |Mike|> give the whole path to the certs and your problem will be fixed :) 17:34 < Gorkhaan> cd /etc/openvpn/where-my-config-and-certificates-are 17:34 < Gorkhaan> sudo openvpn --config ./myserverconfig.conf 17:34 < Ypsy_> done that mike, didnt work :P 17:34 < Gorkhaan> and yeah, As Mike told u, use full paths 17:35 < |Mike|> then you made a typo or something. 17:35 < Ypsy_> hmmm 17:35 < |Mike|> !logs 17:35 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 17:35 < |Mike|> !log 17:35 < vpnHelper> |Mike|: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 17:35 < Gorkhaan> Yeah, and be aware: everything is Case Sensitive. But I wont tell you any news with this I hope. 
17:36 < Ypsy_> Okay so heres the output again when trying to start openvpn with the server.conf 17:36 < Ypsy_> ypsy@s15307534:/etc/openvpn$ sudo openvpn --config server.conf Mon Jun 29 22:35:59 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008 Mon Jun 29 22:35:59 2009 Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file Mon Jun 29 22:35:59 2009 Exiting 17:37 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has joined ##openvpn 17:37 < victor-> does openvpn support connecting to a cisco ASA for client to site vpn? 17:38 < Gorkhaan> Ypsy_: can you upload your server.conf to http://pastebin.com I wanna have a look 17:38 < Gorkhaan> and tell me exactly where did you put your certificates too 17:38 < Ypsy_> ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/server.crt key /etc/openvpn/keys/server.key # This file should be kept secret dh /etc/openvpn/keys/dh1024.pem 17:38 < Ypsy_> guess thats the relevant part :P 17:39 < krzie> victor- 17:39 < krzie> !notcompat 17:39 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 17:40 < victor-> thanks 17:40 < krzie> np 17:47 < krzie> Gorkhaan when you want configs you can type !configs to have the bot tell them 17:47 < krzie> if you like 17:48 < Gorkhaan> well I only wanted to help to Ypsy. I donno if he modified anything what can everything do not work. 17:48 -!- victor- [n=victor@rrcs-71-41-16-46.sw.biz.rr.com] has left ##openvpn [] 17:48 < Gorkhaan> especially with certificate paths. 
that was the original problem 17:49 < Ypsy_> well, my original certificate path was /etc/openvpn/easy-rsa2/keys and now its /etc/openvpn/keys but I dont think that changed anything as it kept the restrictions 17:50 < Ypsy_> I just tried changing the restrictions of the folder and the .pem file to 644 but it didnt change anything obviously 17:51 < Gorkhaan> but your full paths are all right in your config file? 17:52 < Ypsy_> yep Im sure about that 17:54 < Ypsy_> got it! 17:54 < Ypsy_> :D 17:54 < Gorkhaan> Well I dont know then. Howto and we helped quite a lot. Something is ... 17:54 < Gorkhaan> great. xD 17:54 < Ypsy_> should have pasted you the whole config, you might have noticed :P 17:54 < Gorkhaan> what went wrong? 17:54 < Gorkhaan> Yeah, maybe. :D 17:54 < Ypsy_> i just grep'd ".pem" to check the path again 17:55 < StormWlf> guys br0 should have an internal address and tap0 should be the external right? 17:55 < Ypsy_> and discovered that it was in the config multiple times 17:55 < Ypsy_> and one of the entries had a wrong path 17:55 < Ypsy_> just removed it 17:55 < Ypsy_> *gg* too simple 17:56 < Ypsy_> Thanks guys =) now I can move on 17:57 < Gorkhaan> U're welcome. :) 17:57 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 18:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 18:19 < Ypsy_> Gorkhaan, still here? :P 18:19 < Gorkhaan> yes. :D 18:19 < Ypsy_> I moved all the needed .key and .crt files onto my laptop 18:19 < Gorkhaan> yep. 18:20 < Ypsy_> And started openvpn using the example conf 18:20 < Ypsy_> Seems to work fine 18:20 < Ypsy_> So... am I connected now? 
*g* 18:20 < Ypsy_> Didnt notice any change yet :D 18:20 < Gorkhaan> try it with command: ping 18:21 < Gorkhaan> on client: ping openvpn.server.ip.here 18:21 < Ypsy_> Its on this right computer here 18:22 < Ypsy_> Getting a response of the server but thats just usual I think 18:22 < Gorkhaan> how do u mean is the usual?:D 18:22 < Ypsy_> well Im chatting with you :P sure my server is responding 18:23 < Gorkhaan> Then what's wrong?:D 18:24 < Ypsy_> Guess its still just my usual WLAN connection :p the same as before 18:24 < Gorkhaan> I see, so u want to share internet to OpenVPN 18:24 < Ypsy_> Oh, yes 18:24 < Ypsy_> :P 18:25 < Gorkhaan> hell yeah. Then I'd like to see your config, plz upload to http://pastebin.com 18:25 < Gorkhaan> I'll send you the needed stuff 18:25 < Ypsy_> client or server or both? 18:26 < Gorkhaan> server would be enough 18:26 < Ypsy_> ok 18:28 < StormWlf> !interface 18:28 < vpnHelper> StormWlf: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 18:28 < Ypsy_> http://pastebin.com/d17d3a8a0 18:29 -!- earthian [n=earthian@fostral.net] has joined ##openvpn 18:29 < Gorkhaan> I'll delete the commented lines and send you what I modify it in so you can share internet with VPN 18:29 < Ypsy_> okies 18:30 < StormWlf> Gorkhaan would You mind looking at some of what i have when You finish with Ypsy_ if You have the time? 18:30 < Gorkhaan> yeah I think 18:30 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 18:30 < StormWlf> k 18:31 < StormWlf> Thanks 18:32 < earthian> Hello, i am lost a little bit. I am a total newbie in vpn kind of connections, and I am trying to make several computers to connect to a server. 
I have modified the example server config files and client files also generated all the certificates as in website, the client "kinda" connects to the server however there are a lot of issues: on server tun0 has address 10.0.0.1 and p-t-p address 10.0.0.2.. when client connects it gets IP 10.0.0.6 and it says 18:32 < earthian> that the gateway is 10.0.0.5... and nothing works. Any idea what am I missing where or what? 18:32 < Gorkhaan> Ypsy_ : http://pastebin.com/md9adbc3 18:32 < Gorkhaan> I modified 2 things 18:32 < Gorkhaan> ;push "redirect-gateway def1" 18:32 < Gorkhaan> well here I left this in: ";" remove it :D 18:33 < Gorkhaan> push "dhcp-option DNS 10.8.0.1" 18:33 < Gorkhaan> If you are ready we can continue 18:34 < Ypsy_> sec ill change it :) 18:34 < Gorkhaan> earthian: try: topology subnet 18:34 < Gorkhaan> read and Search Manual 18:34 < Gorkhaan> !topology 18:34 < vpnHelper> Gorkhaan: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 18:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 18:35 < Gorkhaan> yeah Ypsy_ add this line too to server config: topology subnet it's easier to handle with this kind of topology 18:35 < Ypsy_> ok 18:35 < Gorkhaan> can we continue? 18:35 < Ypsy_> the redirect-gateway part... shall I keep the "bypass-dhcp"? 18:35 < Gorkhaan> nope. 18:36 < Gorkhaan> U can try it later 18:36 < Gorkhaan> with it, but I can do without it 18:36 < Ypsy_> ok 18:36 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:36 < Gorkhaan> Can we continue? 18:36 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 18:36 < Ypsy_> yep 18:37 < Gorkhaan> we need a packet: dnsmasq 18:37 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 18:37 < Gorkhaan> install it. 
I know the command for ubuntu systems 18:37 < Gorkhaan> sudo apt-get install dnsmasq 18:37 < Ypsy_> kk 18:39 -!- Z_God [i=_ejabber@server1.videre.net] has joined ##openvpn 18:39 < Gorkhaan> notify me if we can move forward 18:40 -!- Z_God2 [n=julius@wlan139187.mobiel.utwente.nl] has joined ##openvpn 18:40 -!- Z_God [i=_ejabber@server1.videre.net] has left ##openvpn [] 18:40 < Ypsy_> its taking some time at starting dhcp server 18:40 < Z_God2> what option do I need to set when I want to verify the server cert against the hostname? 18:43 < StormWlf> tls-auth ta.key 1 in client 18:43 < StormWlf> tls-auth ta.key 0 in server 18:43 < StormWlf> ? 18:44 < Ypsy_> hmmm its still stuck at "starting dns forwarder and dhcp server" 18:45 < Gorkhaan> Hit enter 18:45 < Gorkhaan> anything happens? 18:45 < Ypsy_> nope 18:45 < Gorkhaan> ctrl + c ? 18:46 < Gorkhaan> never mind we will need dnsmasq later. 18:46 < Ypsy_> dpkg: error processing dnsmasq (--configure): subprocess post-installation script killed by signal (Interrupt) 18:46 < Gorkhaan> dpkg-reconfigure dnsmasq 18:46 < Gorkhaan> with sudo of course 18:46 < Ypsy_> broken or not fully installed :( 18:46 < Ypsy_> oh debian oh debian :P 18:47 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:47 < Gorkhaan> yeah well remove it than 18:47 < Gorkhaan> :D 18:47 < Ypsy_> ill try to install it again 18:47 < Gorkhaan> k 18:48 < Ypsy_> hm same 18:48 < Ypsy_> pity 18:48 < earthian> ok. it worked. 18:48 < earthian> thank yoU" 18:48 < earthian> ! 18:48 < earthian> ;) 18:48 < earthian> now another problem - when i connect to the server it seems that all my traffic gets routed through the vpn... however what i want is only the vpn server available as another computer on another network that is accessible with an ip address.. 18:49 < earthian> is there any document that is not howto that explains in some order what commands are available for server and for client and what they do with examples? 
18:50 < Gorkhaan> Ypsy_ : just remove it, just continue 18:50 < Ypsy_> ok 18:50 < Ypsy_> its removed 18:51 < Gorkhaan> let's modify our config 18:51 < Gorkhaan> the DNS option there 18:51 < Gorkhaan> add there your Primary DNS ip address 18:51 < Ypsy_> client.conf? 18:51 < Gorkhaan> dnsmasq packet only could have one purpose: masquerade and cache the DNS names. 18:51 < Gorkhaan> nope 18:51 < Ypsy_> ok 18:51 < Gorkhaan> push "dhcp-option DNS 10.8.0.1" 18:52 < Gorkhaan> what you "push" in the server conf is equal to when you add to your client config 18:52 < Gorkhaan> push "dhcp-option DNS MyPrimary.dns.ip.address" 18:53 < Ypsy_> that would be "geekpadawan.de", right? 18:53 < Gorkhaan> I donno. :D an you check it? 18:53 < Gorkhaan> can 18:53 < Ypsy_> well that forwards to my ip :P 18:53 < Ypsy_> ok 18:54 < Gorkhaan> u need DNS 18:54 < Gorkhaan> usually is 2 DNS 18:54 < Gorkhaan> Primary and Secondary ( if primary fails ) 18:54 < Gorkhaan> cat /etc/resolv.conf 18:55 < Ypsy_> theres a list of nameservers 18:55 < Gorkhaan> that's what I ( and hopefully ) you want 18:55 < Gorkhaan> :D the first "nameservers" ip address 18:55 < Ypsy_> ok 18:56 < Ypsy_> k put it in the config 18:56 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 18:56 < Gorkhaan> okay 18:57 < Gorkhaan> next, try to connect server <--> client 18:57 < Gorkhaan> if something goes wrong send me the error messages 18:57 < Ypsy_> how do i connect them? :P 18:57 < Gorkhaan> do u have client config? 18:57 < Ypsy_> yep 18:58 < Gorkhaan> which OS is your Client? 18:58 < StormWlf> inet6 addr: fe80::250:4ff:fe83:196e/64 Scope:Link 18:58 < StormWlf> doh 18:58 < Ypsy_> archlinux 18:58 < Gorkhaan> then the usually: openvpn --config /somewhere/tomy/client.conf 18:58 < Gorkhaan> and use full paths. 
18:58 < StormWlf> inet6 addr: fe80::250:4ff:fe83:196e/64 Scope:Link 18:59 < StormWlf> http://pastebin.com/d7518c21d 19:00 < Gorkhaan> StormWlf: do u really need Bridge? :) 19:00 < StormWlf> yeah 19:00 < StormWlf> 3 networks i'm trying to bridge together 19:01 < StormWlf> and need the ability to use samba shares 19:01 < Ypsy_> Gorkhaan: http://pastebin.com/d32e787e2 19:02 -!- Z_God2 [n=julius@wlan139187.mobiel.utwente.nl] has quit [Remote closed the connection] 19:02 < Gorkhaan> Ypsy_ this sux, do you have TUN/TAP kernel modula? 19:02 < Gorkhaan> Vtun 19:02 < Gorkhaan> module 19:02 < Gorkhaan> Why are you using this "old" version of it ?OpenVPN 2.0.9 19:03 < Gorkhaan> use 2.1_rc18 :D 19:03 < Gorkhaan> on both sides 19:04 < Ypsy_> hmm dont know :D thats the one in the repos 19:04 < Ypsy_> well seemingly I dont have that module 19:04 < Ypsy_> :( 19:05 < thedoc_> Ypsy_, which distro? 19:05 -!- thedoc_ is now known as thedoc 19:05 < thedoc> 2.0.9 is old ;p 19:05 < Ypsy_> arch thedoc :P 19:05 * thedoc makes a mental note to avoid arch 19:06 < Ypsy_> arch is super :P 19:06 * Gorkhaan thinks thedoc is right 19:06 < Gorkhaan> :D 19:06 < Ypsy_> but yeah :D dunno why its such an old version 19:06 < thedoc> I'm sure it's super, if it was as super as it was made to be, you wouldn't be here now? ;p 19:06 < StormWlf> hehe 19:06 < Ypsy_> :P 19:06 < thedoc> I mean, <3 19:06 < Ypsy_> but would a new version solve my problem? :P 19:07 < thedoc> Ypsy_, Can you use the redhat repos? 19:07 < thedoc> I *think* they both use rpms, feel free to correct if I'm wrong. 19:07 < Ypsy_> I could use a newer version using the community repositories I think 19:07 < Ypsy_> nono arch is using something own 19:07 < thedoc> Oh, ok. 19:07 < thedoc> I don't know, I don't use arch 19:07 < Ypsy_> source based 19:07 < Ypsy_> :) 19:08 < Gorkhaan> to compile openvpn you need 2 things: libssl-dev, and lzo 19:08 * Gorkhaan speaking from experience during compiling on ubuntu server. 
xD 19:09 < Ypsy_> sadly cant start compiling that now :( its 2 o clock here in germany and i need to stand up in 4 hours *g* 19:09 < Ypsy_> will you guys be here tomorrow? 19:10 < Gorkhaan> http://vtun.sourceforge.net 19:10 < vpnHelper> Title: VTun - Virtual Tunnels over TCP/IP networks (at vtun.sourceforge.net) 19:10 < Ypsy_> thats in the repos :p 19:10 < Gorkhaan> Yeah, but donno when. 19:10 < Gorkhaan> :D 19:10 < Ypsy_> Okay ill just try to catch you :) 19:10 < Gorkhaan> Anyway I made a firewall for you 19:10 < Gorkhaan> http://stuffz.darkhole.hu/ 19:10 < vpnHelper> Title: Index of / (at stuffz.darkhole.hu) 19:10 < Gorkhaan> it should work. 19:10 < Gorkhaan> vpnfirewall.sh30-Jun-2009 01:43 1.2K 19:11 < thedoc> I'm *usually* here, unless I'm passed out on the bed with another teddy bear 19:11 < Ypsy_> *gg* 19:11 < Gorkhaan> lolz 19:11 < Ypsy_> okay ill also have a look on that tomorrow Gorkhaan :P thanks a lot! 19:11 < Ypsy_> sleep well, or whatever you'll be doing now :D 19:12 < Gorkhaan> np. And get back to Ubuntu, for your sake! :D 19:12 < Gorkhaan> xD 19:12 -!- Ypsy_ [n=ypsy_@frnk-590df4cc.pool.einsundeins.de] has quit ["Java user signed off"] 19:12 < Gorkhaan> why the hell is he using Arch, when he cant install a freaking vpnserver... 19:13 < thedoc> lol 19:13 < Gorkhaan> Well I go to sleep, cu mates! good night! :) 19:13 < krzie> you have no clue how often i ask myself similar questions 19:13 < Gorkhaan> xD 19:13 < StormWlf> starts with an A is first in alphabetical list? 19:13 < krzie> people come in running openbsd not knowing how to compile something 19:13 < StormWlf> Take Care Gorkhaan 19:14 < Gorkhaan> omg 19:14 < krzie> later Gorkhaan 19:14 < Gorkhaan> yep. thx. cu ;) 19:14 < thedoc> krzee, that would be me ;p 19:15 < krzie> haha nah i dont think i was thinkin of you 19:15 < krzie> iirc you're well beyond the skill level of compiling something 19:16 < thedoc> Oh what? Was that a self-admission of guilt, no certainly not! 
19:16 * thedoc stifles a chuckle 19:16 < krzie> haha 19:16 < krzie> well maybe you were one of them then, but you definitely werent alone if so 19:16 < krzie> :-p 19:17 < thedoc> I don't use obsd ;p 19:17 < thedoc> Maybe for gns3 but not ovpn 19:23 < krzie> =] 19:23 < krzie> i dont run it either 19:23 < krzie> although im thinking ill insteall open and net BSD in vm's 19:27 < thedoc> krzie, have you ever done clustering/load balancing for ovpn? 19:27 < krzie> negative 19:27 < thedoc> Do you have an idea if it's possible? 19:27 < krzie> with lans behind clients or not? 19:27 < thedoc> or I'd have to go with DNS round-robin. ;p 19:27 < thedoc> With no LANs behind 19:28 < thedoc> Just routable boxes. 19:28 < krzie> yes, easily 19:28 < krzie> with blocks 19:28 < krzie> !man 19:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 19:28 < thedoc> Heh 19:28 < krzie> im finding something in the man for you to search for 19:29 < thedoc> Thanks 19:29 < krzie> heres one 19:29 < krzie> --remote-random 19:29 < krzie> When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure. 19:30 < krzie> ok its 2.1 19:30 < krzie> not in 2.0 19:30 < krzie> look for 19:30 < krzie> 19:31 < thedoc> hm, ok 19:32 < krzie> each connection block can get some of their own settings 19:32 < krzie> as shown in the examples in the manual 19:32 < thedoc> Yep. 19:42 < earthian> How could i limit a client to see and connect only to the server via vpn while the client would have its own internet connection and other services available there? 19:43 < earthian> or in other words how could i make server be like any external site accessible via IP address only and via vpn. as I want the clients to have their own internet (not via vpn) and use vpn only for some services that are available on the server.. 
19:43 < krzie> earthian i dont understand the question 19:43 < krzie> oh 19:43 < earthian> :) 19:44 < krzie> you just use a normal vpn set and have them connect by VPN ip 19:44 < krzie> for example 19:44 < krzie> !sample 19:44 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:44 < krzie> all clients in that vpn would connect to 10.8.1.1 for any services on the server 19:47 < earthian> thanks!! 19:47 < krzie> np =] 19:47 -!- earthian [n=earthian@fostral.net] has quit ["Leaving"] 19:51 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 19:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 19:55 < StormWlf> has anyone here gotten bridgeing working? 19:55 < Dougy> krzie: ping 19:55 < krzie> sup dougy 19:56 < Dougy> ever heard Monzy on his process song/ 19:56 < krzie> StormWlf why do you want bridging? 19:56 < Dougy> ? 19:56 < Dougy> "Kill dash nine" 19:56 < Dougy> ? 19:56 < krzie> yes 19:56 < Dougy> dam 19:56 < Dougy> that song is fresh 19:56 < Dougy> lol 19:56 < krzie> and hella old 19:56 < Dougy> so? 19:56 < Dougy> its hella good 19:56 * Dougy said hella 19:56 * Dougy suicides 19:56 < StormWlf> because i have 3 networks i want to combine 19:56 < krzie> you cant say hella! 19:56 < krzie> StormWlf: you mean like this? 
19:56 < StormWlf> and network shares 19:56 < krzie> !route 19:56 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:56 < krzie> !bridge 19:56 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses. 19:57 < vpnHelper> krzie: (but not samba, see !wins) 19:57 < krzie> !wins 19:57 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 19:57 -!- warptrosse [n=warptros@host133.190-31-158.telecom.net.ar] has joined ##openvpn 19:57 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 19:58 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 19:58 < krzie> my doc on !route uses combining 3 networks as its example 19:59 -!- skarufue [n=skarufue@vie-078-142-128-119.dsl.sil.at] has joined ##openvpn 20:00 < krzie> !tunortap 20:00 < vpnHelper> krzie: "tunortap" is you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead. 20:00 < Dougy> krzie: wanna buy a 3548 instead? 20:00 < Dougy> :p 20:00 < krzie> !learn tunortap and if your reason for wanting tap is windows shares, see !wins 20:00 < vpnHelper> krzie: Invalid arguments for learn. 20:00 < krzie> !learn tunortap as and if your reason for wanting tap is windows shares, see !wins 20:00 < vpnHelper> krzie: Joo got it. 
20:01 < krzie> nope, i specificly want a 2950 =] 20:01 < krzie> i <3 it 20:01 < krzie> shit i forgot to send that $ today 20:01 < krzie> ill hafta wait til tomorrow 20:03 < krzie> why you decided to keep the 2950 in production after all? 20:04 < Dougy> krzie: i donno 20:04 < Dougy> actually krzie 20:04 < Dougy> 50+shipping to where ever 20:04 < Dougy> ;) 20:04 < krzie> isnt the 3548 what you recently bought to replace the 2950 20:04 < krzie> ? 20:04 < Dougy> yes 20:04 < krzie> so you dont want to use it anymore? 20:04 < Dougy> i donno 20:04 < krzie> lol 20:04 * Dougy bought it and was like wait 20:05 < Dougy> maybe i should just get a 48 port 2950 20:05 < Dougy> lol 20:05 < krzie> i thought the problem was you wanted to do your own routing so needed a layer3 device 20:05 < Dougy> yeh 20:05 < Dougy> except afaik 3548 doesnt od that 20:05 < Dougy> do 20:05 < Dougy> etiher 20:05 < Dougy> either 20:05 < krzie> really? i thought it was a router 20:06 * Dougy googles 20:06 < krzie> oh no it IS a switch 20:07 < Dougy> the 3548? 20:07 < krzie> ya 20:07 < Dougy> yeah 20:07 < Dougy> i know 20:07 < krzie> ahh 20:07 * Dougy would have been better off with a 48port 2950 20:07 * Dougy goes to WHT to sell the 3548 too 20:08 < krzie> when you said it was a layer3 i figured it was a router 20:08 < krzie> and didnt bother to check google 20:08 < skarufue> i am using a tun interface server and client side. the client connects fine and gets a ip of the right range... but i cannot see the server side ips (from client side obvsly). what i noticed during startup of the server is the following line: TUN/TAP device tap1 opened. which is strange cause the tap device i created with openvpn -mktun -dev tap0 is called tap0... . so how to fixes it? 20:09 < Dougy> krzie: i should have check google too 20:09 < krzie> you said you use tun, then you say you use tap 20:09 < krzie> (@ skarufue) 20:10 < skarufue> oh yes which is of course stupid... 
i use tap all the way through 20:11 < krzie> you are trying to bridge? 20:11 < skarufue> yes 20:11 < krzie> why 20:11 < skarufue> i need layer 2 20:12 < krzie> what layer2 protocol? 20:12 < skarufue> ipx 20:12 < krzie> like netbios? 20:12 < krzie> windows sharing? 20:12 < skarufue> no more like old games 20:12 -!- warptrosse [n=warptros@host133.190-31-158.telecom.net.ar] has left ##openvpn ["Leaving"] 20:12 < krzie> ohh gotchya 20:13 < krzie> in the config do you use dev tap0? 20:13 < krzie> or just dev tap 20:13 < skarufue> no only tap 20:13 < krzie> theres your prob 20:13 < skarufue> ok uses tap0 now 20:14 < krzie> read on --dev in manual for info on why 20:15 < skarufue> thankyou 20:18 -!- thedoc [n=andelyx@208.99.194.194] has joined ##openvpn 20:20 < thedoc> Dougy, you there? 20:24 < Dougy> who dinged me 20:24 < Dougy> yo 20:25 < Dougy> lucky i had this screen open 20:25 < thedoc> Dougy, awesome. I need to update my email. 20:25 < Dougy> pm 20:38 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 21:02 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:02 < Dougy> krzie: i just won 21:02 < Dougy> epic hard 21:02 < Dougy> just sold a guy a box.. parts are: Total Order: $ 388.62  ......... he paid $550 21:04 < StormWlf> krzie thanks for the info 21:04 < StormWlf> I believe i have what i need now d;o) thank You again. 21:08 -!- troy- is now known as troy 21:38 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 21:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 22:37 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 22:38 < onats> hi, is it correct to say that for PKI, there can be multiple public keys, and the messages that are encrypted using these public keys can be decrypted by a single private key? 
22:41 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)] 22:58 -!- albech [n=albech@119.42.76.200] has quit [Remote closed the connection] 23:09 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has joined ##openvpn 23:10 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has quit [Remote closed the connection] 23:10 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has joined ##openvpn 23:33 < ecrist> fuckers 23:36 < thedoc> fuckees --- Day changed Tue Jun 30 2009 00:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:54 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:14 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 01:17 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 01:32 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has quit [Remote closed the connection] 01:38 -!- master_of_master [i=master_o@p549D3629.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:40 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has joined ##openvpn 01:41 < lepine1> Hey guys, quick question, perhaps not strictly openvpn related but ... 01:41 < lepine1> I've got an openvpn client setup with network manager, through gnome's ui. The applet says i'm connected, going to whatismyip.com tells me i'm connected "push 'redirect-gateway'" ... 01:42 < lepine1> but ifconfig nor route mention anything about the tunnel. What could this be? 
01:42 -!- master_of_master [i=master_o@p549D3643.dip.t-dialin.net] has joined ##openvpn 01:44 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 01:47 -!- lepine1 [n=leprecha@ip-70-38-54-219.static.privatedns.com] has left ##openvpn [] 02:18 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:23 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 03:40 -!- Grapsus [n=grapsus@62.244.93.104] has joined ##openvpn 03:42 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [] 03:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 04:07 -!- mrtn123 [n=martin@213-168-9-194-dsl.lsn.estpak.ee] has joined ##openvpn 04:15 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 04:18 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 04:59 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:59 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 04:59 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 04:59 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Remote closed the connection] 05:00 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn 05:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:31 -!- |ns|nR8 [n=doof@CPE-124-185-184-31.qld.bigpond.net.au] has joined ##openvpn 05:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 05:58 -!- |ns|nR8 [n=doof@CPE-124-185-184-31.qld.bigpond.net.au] has quit ["Leaving"] 06:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 06:13 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."] 06:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:16 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has 
joined ##openvpn 06:17 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit] 06:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit] 06:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit] 06:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:29 -!- |ns|nR8 [n=doof@CPE-124-185-184-31.qld.bigpond.net.au] has joined ##openvpn 06:35 -!- Grapsus [n=grapsus@62.244.93.104] has quit [Read error: 113 (No route to host)] 06:41 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 06:43 -!- YpsyZNC is now known as Ypsy 06:46 -!- Footman [n=Footman@gwdev.creape.unilim.fr] has joined ##openvpn 06:46 < Footman> hello 06:47 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 07:01 < ecrist> hello 07:01 < |ns|nR8> hi 07:04 < Footman> !howto 07:04 < vpnHelper> Footman: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:05 < mrtn123> !howto 07:05 < vpnHelper> mrtn123: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 07:08 -!- mrtn123 [n=martin@213-168-9-194-dsl.lsn.estpak.ee] has left ##openvpn [] 07:09 < Footman> do you know if ipp.txt is a good way for clients to keep their ip address ? some people seems to have problems with that 07:10 < Footman> is there an other solution to assign always the same ip to the client ? 
07:10 < thedoc> ccd 07:11 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 07:11 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 07:12 < Footman> thedoc: i see that, thanks :) 07:13 < Dougy> hm 07:17 -!- n0g0 [n=n0g0@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn 07:17 -!- troy is now known as troy- 07:40 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:42 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 08:16 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn 08:18 -!- Footman1 [n=Footman@gwdev.creape.unilim.fr] has joined ##openvpn 08:18 -!- Footman [n=Footman@gwdev.creape.unilim.fr] has quit [Read error: 104 (Connection reset by peer)] 08:20 -!- sigius [n=sigius@93.125.185.45] has quit [Remote closed the connection] 08:20 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 08:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:24 -!- |ns|nR8 [n=doof@CPE-124-185-184-31.qld.bigpond.net.au] has quit [Read error: 110 (Connection timed out)] 08:24 < Dougy> thedoc: there? 08:33 < ecrist> hi, Dougy 08:41 < Dougy> hey ecrist 08:41 < Dougy> how are you 08:41 < ecrist> good. 08:41 < Dougy> glad to haer 08:41 < Dougy> s/haer/hear/ 08:41 < Dougy> how's mrs. crist 08:41 < ecrist> does openvpn have an RSS feed for their SVN repo? 08:42 < ecrist> good, was up often with the new kid last night. 08:44 < Dougy> no good 08:45 < thedoc> Dougy, how can I help you? 08:45 < Dougy> thedoc: does the page load now 08:45 < Dougy> they blamed it on rackspace being a fail 08:45 < thedoc> hm 08:48 < Dougy> thedoc: y/n? 
08:49 < Dougy> i wish fedex would get here already 08:51 -!- StarShuffle [n=Administ@41.240.65.231] has joined ##openvpn 08:52 < StarShuffle> I have the wierdest situation with my openvpn. I connect to my openvpn server with almost minimal settings on both sides. the range is just 10.20.60.0/255.255.255.255 08:53 < StarShuffle> but it gives me 10.20.60.6 08:53 < StarShuffle> and it says dhcp server 10.20.60.5 08:53 < StarShuffle> and it says server IP is 10.20.60.1 08:53 < StarShuffle> i can ping 10.20.60.1 08:53 < StarShuffle> which is perfect 08:54 < StarShuffle> except that for some reason it adds routes that says to get to 10.20.60.1 i have to go through 10.20.60.5 which is the dhcp server of openvpn 08:54 < StarShuffle> so i cant add a direct route to 10.20.60.1 from my ip 10.20.60.6 cos its trying to go through the "DHCP-server" of 10.20.60.5 08:54 < StarShuffle> wth? 08:56 < StarShuffle> how do i get rid of this fake dhcp server thing thats messing me around 08:57 < StarShuffle> this is Fedora 11 server and XP SP3 client with GUI 09:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:19 -!- Hink [n=Hink@71.164.255.85] has joined ##openvpn 09:24 < n0g0> StarShuffle, openvpn has for each client an own subnet in TUN mode. This is normal, the first client has .6, the second .10 and so on. The gateway for each subnet is always client address - 1. You can't add a direct route to .1 09:25 < StarShuffle> ok 09:25 < n0g0> if you have linux clients only, you may set ifconfig-pool-linear in your server config file. 
09:25 < StarShuffle> but when i set redirect gateway
09:26 < StarShuffle> and dns push
09:26 < StarShuffle> it still doesn't work
09:26 < StarShuffle> I have set up ipv4 forwarding
09:26 < StarShuffle> and NAT
09:27 < n0g0> most times it's a firewall issue
09:27 < StarShuffle> on server or client side
09:27 < n0g0> do a tracepath / traceroute on your client to a public ip address
09:27 < StarShuffle> I have this also running on a different subnet with PPTP
09:27 < StarShuffle> through vpn? or normal dsl?
09:28 < n0g0> when openvpn is running with enabled redirect-gateway
09:28 < n0g0> you should see where the packet dies.
09:28 -!- Hink [n=Hink@71.164.255.85] has quit []
09:29 < StarShuffle> ok
09:29 < StarShuffle> lemme try
09:32 -!- StarShuffle [n=Administ@41.240.65.231] has quit [Read error: 104 (Connection reset by peer)]
09:33 -!- StarShuffle [n=Administ@41.240.65.231] has joined ##openvpn
09:33 < StarShuffle> n0g0
09:33 < StarShuffle> it times out immediately
09:33 < StarShuffle> doesn't go anywhere
09:34 < n0g0> does your openvpn connection work when redirect-gateway is enabled ? (i.e. can you ping the server at .1 ?)
09:34 < StarShuffle> yes
09:34 < StarShuffle> i can ping the server
09:35 < n0g0> then redirect-gateway should be fine. the problem might be a missing firewall rule (FORWARD chain)
09:35 < n0g0> or your SNAT / MASQ rule is limited to your pptp subnet
09:36 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has joined ##openvpn
09:36 < StarShuffle> ye checking that out now
09:36 < StarShuffle> Nat seems fine. rest of FW is set to accept all
09:37 < StarShuffle> i have IF source 10.20.60.0/24 then Masq...
09:38 < n0g0> do a "tcpdump -i tun0 icmp" on server and do a ping at the client to a public ip. you should see the packet. if so, do a "tcpdump -i ethX icmp" and try again, you should see the packet coming out of your public interface (ethX)
09:38 < StarShuffle> ok
09:39 < StarShuffle> is my NAT rule fine like that or should it also be 10.20.60.0/24 going out on WAN interface
09:41 < n0g0> it should be something like this: iptables -t nat -A POSTROUTING -o ethX -s 10.20.60.0/24 -j MASQUERADE
09:42 -!- StarShuffle [n=Administ@41.240.65.231] has left ##openvpn []
09:50 -!- StarShuffle1 [n=Administ@41.240.65.231] has joined ##openvpn
09:50 < StarShuffle1> n0g0
09:50 < StarShuffle1> it's not coming out of the WAN
09:50 < StarShuffle1> so it's obviously not openvpn but the server
09:50 < n0g0> yes
09:50 < StarShuffle1> think i can figure it out from here
09:50 < StarShuffle1> thanks for your time
09:50 < n0g0> np
09:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
09:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:58 -!- StarShuffle [n=Administ@9com.co.za] has joined ##openvpn
09:58 < ecrist> Dougy: what page?
09:58 < StarShuffle> it works
09:58 < StarShuffle> stupid me didn't restart networking after editing sysctl.conf
09:58 < n0g0> =)
10:00 < StarShuffle> having problems in linux is so much more fun than xp
10:00 < StarShuffle> feels like u actually learn something
10:00 -!- Footman1 [n=Footman@gwdev.creape.unilim.fr] has quit [Remote closed the connection]
10:00 < n0g0> haha, yes
10:01 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
10:07 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:16 -!- StarShuffle1 [n=Administ@41.240.65.231] has quit [Read error: 110 (Connection timed out)]
10:22 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
10:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:27 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
10:39 -!- Z_God [i=_ejabber@server1.videre.net] has joined ##openvpn
10:40 -!- jeiworth [n=jeiworth@189.134.129.192] has joined ##openvpn
10:41 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:41 -!- Z_God [i=_ejabber@server1.videre.net] has left ##openvpn []
10:42 -!- Z_God [n=julius@wlan139187.mobiel.utwente.nl] has joined ##openvpn
10:42 < Z_God> I'm using openvpn with the pam module and the login service
10:42 < Z_God> this works well, but all my users can access openvpn now
10:42 < Z_God> is there an easy way to limit this to a specific group?
10:43 -!- StarShuffle [n=Administ@9com.co.za] has left ##openvpn []
10:54 < vaq> Could I specify what IP address a specific user should have? I can't seem to find any parameter for the client configuration that can do this on: http://openvpn.net/index.php/open-source/documentation/howto.html#examples
10:54 < vpnHelper> Title: HOWTO (at openvpn.net)
11:03 -!- russo [n=russo@p579F6972.dip.t-dialin.net] has joined ##openvpn
11:09 -!- nibbler_ [n=Nibbler@p5499EE86.dip.t-dialin.net] has joined ##openvpn
11:15 < nibbler_> hi. i have an openvpn server running on windows. this worked quite a while, and now suddenly it does not anymore. the vpn is successfully created, but i cannot ping, rdp or whatever the remote host, which is the vpn server itself. here is conf/log: http://pastebin.com/m743d2590
11:15 < Bushmills> what causes the noise?
11:16 * nibbler_ does
11:17 < Bushmills> how does the server sound now when it makes noises?
11:19 -!- vaq [i=c99@vaq/unaffiliated] has quit []
11:19 < nibbler_> any idea about the problem?
11:20 < Bushmills> run dig or traceroute on the client, with the server ip address
11:20 < Bushmills> ehm.. not dig.. mtr
11:21 < nibbler_> tracepath 172.17.19.1 -n
11:21 < nibbler_> 1: 172.17.19.26 0.172ms pmtu 1500
11:21 < nibbler_> 1: no reply ......
11:21 < nibbler_> so i'd say it enters the tunnel....
11:23 < ecrist> nibbler_: did you install SP2?
11:24 < nibbler_> 2003/sp2
11:24 < nibbler_> but i don't know when sp2 was installed
11:24 < nibbler_> if before or after openvpn stopped working
11:25 < nibbler_> ah, the server tracert does not enter the tunnel....
11:26 < nibbler_> ...got it...
11:26 < nibbler_> for whatever reason, the route has a /30 netmask
11:29 < nibbler_> adding another route didn't help :( but still this is strange
11:30 < nibbler_> ecrist: any known problems with sp2?
11:33 < ecrist> not on 2003, on XP, yes
11:35 < nibbler_> ah ok :|
11:36 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has quit [Client Quit]
11:37 < nibbler_> http://pastebin.com/m409c48f7 routingtable server
11:38 < nibbler_> http://pastebin.com/m2e2289fe this one...
11:45 < nibbler_> well.....
11:46 < nibbler_> restarting the service solved it....
11:57 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
11:57 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:12 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:37 -!- nibbler_ [n=Nibbler@p5499EE86.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
12:39 < ecrist> lick on these nuts and suck a d...
12:51 * plaerzen sucks a dongle. mmmm usb.
12:55 -!- Michael` [n=michael`@g227024040.adsl.alicedsl.de] has joined ##openvpn
12:57 -!- troy- is now known as troy
13:32 -!- nibbler__ [n=Nibbler@p5499B988.dip.t-dialin.net] has joined ##openvpn
13:45 -!- c64zottel [n=hans@p5B17ABC0.dip0.t-ipconnect.de] has joined ##openvpn
13:48 -!- c64zottel [n=hans@p5B17ABC0.dip0.t-ipconnect.de] has quit [Client Quit]
14:00 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has quit [Read error: 113 (No route to host)]
14:12 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
14:16 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Client Quit]
14:17 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
14:35 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
14:55 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
14:55 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
14:56 -!- troy is now known as troy-
15:05 -!- KarlHungus [i=ssanders@for.my.n1gs.net] has joined ##openvpn
15:05 < KarlHungus> ok. interesting situation that i have yet to encounter. i have two networks. 192.168.1/24 and 192.168.131/24
15:05 < KarlHungus> the endpoints are 192.168.1.1 and 192.168.131.54
15:06 < KarlHungus> the tun* is 10.0.0.1 on the 192.168.1 side and 10.0.0.2 on the 192.168.131 side
15:06 < KarlHungus> all the routes are built and every host on the 192.168.131 network includes a static route that passes traffic destined for 192.168.1/24 back to 192.168.131.54 as the gateway
15:07 < KarlHungus> i can ping both endpoints from either endpoint
15:07 < KarlHungus> from 192.168.131/24 any host can talk to any host on the 192.168.1/24 network
15:08 < KarlHungus> any host in the 192.168.1/24 network can talk to any host on the 192.168.131/24 network
15:08 < KarlHungus> however, the 192.168.1.1 (10.0.0.1) gateway for the 192.168.1/24 can only talk to *some* of the hosts in 192.168.131/24
15:09 < KarlHungus> for example, from 192.168.1.1 i can ping 192.168.131.5, but i cannot ping 192.168.131.48
15:10 < KarlHungus> but, on a host in the 192.168.1/24 network (192.168.1.99 for example) i can ping both hosts on the 192.168.131 network (.5 and .48)
15:17 -!- bandini [n=bandini@host54-110-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
15:20 < KarlHungus> oh..... BLAH
15:20 < KarlHungus> i had a rogue box with 10.0.0.1 sitting on a connected switch
15:21 < KarlHungus> damn it. well, problem solved ;) arping to the right NIC is important. haha
15:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:22 < KarlHungus> thanks ;)
15:22 -!- KarlHungus [i=ssanders@for.my.n1gs.net] has left ##openvpn []
15:31 -!- _UsUrPeR_ [n=jsass@69.14.191.146] has quit ["Ex-Chat"]
15:43 -!- n0g0 [n=n0g0@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
15:47 -!- Ypsy is now known as YpsyZNC
15:49 -!- troy- is now known as troy
16:04 -!- hotdog003 [n=michael@c-75-71-222-111.hsd1.co.comcast.net] has joined ##openvpn
16:05 < hotdog003> I have a question. Why do I have to echo 1 > /proc/sys/net/ipv4/ip_forward if I'm using ethernet bridging? Wouldn't the bridge be on the ethernet level instead of the IP level?
16:09 -!- jeiworth [n=jeiworth@189.134.129.192] has quit [No route to host]
16:10 < hotdog003> Oh well.
16:10 -!- hotdog003 [n=michael@c-75-71-222-111.hsd1.co.comcast.net] has quit ["leaving"]
16:37 -!- nibbler__ [n=Nibbler@p5499B988.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
16:38 -!- rusos [n=russo@p579F6DB9.dip.t-dialin.net] has joined ##openvpn
16:46 -!- russo [n=russo@p579F6972.dip.t-dialin.net] has quit [Network is unreachable]
16:56 < krzie> dougy here?
17:09 < reiffert> No.
17:20 < StormWlf> hey krzie
17:26 -!- bandini [n=bandini@host54-110-dynamic.31-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:46 -!- skarufue [n=skarufue@vie-078-142-128-119.dsl.sil.at] has left ##openvpn []
17:48 < krzie> hey
18:14 -!- Michael` [n=michael`@g227024040.adsl.alicedsl.de] has quit [Connection timed out]
18:23 < StormWlf> wanted to say thanks for the info i have the vpn up
18:25 < StormWlf> though i'm still having issues with the clients connecting to the internal network
18:25 < StormWlf> the wins server just takes care of the naming right?
18:25 < StormWlf> i can ping both ways rdp works fine both ways shares i can access from the lan side to the clients but not the other way around
18:28 < krzie> np man
18:28 < krzie> 1 sec lemme digest that for a minute
18:28 < krzie> and yes, wins only has to do with resolving netbios names
18:28 < StormWlf> k
18:29 -!- Z_God [n=julius@wlan139187.mobiel.utwente.nl] has quit [Remote closed the connection]
18:29 < krzie> ok
18:29 < krzie> so you are saying the server's lan can reach clients, but the clients can't reach server's lan?
18:30 < krzie> (with a simple ping)
18:30 < StormWlf> i have communications both ways without issues
18:30 < StormWlf> except when i hit the ip directly for smb
18:31 < krzie> so you're saying you can ping but not use smb by ip?
18:31 < StormWlf> if i try to browse network shares on the internal machine directly to the ip it times out
18:31 < StormWlf> yes
18:31 < krzie> by using which ip?
18:31 < StormWlf> if i go from the lan to the client side i can browse files via smb
18:31 < krzie> the vpn ip?
18:32 < StormWlf> 10.10.1 <-- internal i can't browse 10.10.1.50
18:32 < StormWlf> however 10.10.1.50 can see 10.10.2.50 <-- client address
18:32 < krzie> those little arrows don't help it make sense
18:32 < krzie> explain where those subnets are
18:32 < StormWlf> both are 255.255.255.0
18:33 < krzie> 10.10.1.0 is where?
18:33 < krzie> 10.10.2.0 is where?
18:33 < StormWlf> 10.10.1 is my internal lan 10.10.2 is my vpn client network
18:33 < krzie> ok and there's no other lan connected, right?
18:33 < StormWlf> the public ip on the gateway
18:34 < StormWlf> eth0 public ip
18:34 < krzie> there's no other lan communicating over the vpn
18:34 < StormWlf> yes
18:34 < krzie> ok
18:34 < StormWlf> sorry mind is swimming a bit
18:34 < krzie> so how does your client have 10.10.2.50
18:35 < krzie> normal first client is .6
18:36 < StormWlf> i'm not sure
18:37 < krzie> the only way its ip is .50 is if you specifically did something to make it .50
18:37 < krzie> unless you have a bunch of clients
18:37 < StormWlf> Yeah i setup the bridge mode
18:37 < krzie> oh you're using a bridge?
18:37 < StormWlf> the ipp.txt held the info give me a moment to reconnect
18:37 < StormWlf> No
18:37 < krzie> why even use ipp.txt?
18:37 < krzie> !ipp
18:37 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
18:39 < StormWlf> ok now i've got 10.10.2.6
18:39 < krzie> ahh ok
18:40 < krzie> that didn't matter, was just throwing me off
18:40 < krzie> ok so
18:40 < StormWlf> well apparently it was throwing other things off i can get to the shares now
18:41 < StormWlf> LOL krzie You rock
18:41 < krzie> heh, coolness
18:41 < krzie> now you may want static for that client
18:41 < krzie> because you will likely be statically mapping network drives
18:41 < krzie> based on ip
18:41 < krzie> !static
18:41 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
18:42 < StormWlf> !ccd
18:42 < vpnHelper> StormWlf: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
18:42 < StormWlf> !iporder
18:42 < vpnHelper> StormWlf: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:42 < StormWlf> that's where i was heading now that i can see things
18:42 < StormWlf> thanks again
18:43 < krzie> np man
18:51 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
19:03 < Dougy> krzie:
19:03 < Dougy> sup
19:03 < krzie> waddddup
19:03 < krzie> got any 2950 cisco switches you'd like to sell?
19:03 < krzie> or shall i wait to send the $
19:06 < Dougy> not quite yet.. why not feebay it?
19:27 -!- rusos [n=russo@p579F6DB9.dip.t-dialin.net] has quit []
19:57 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
20:19 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:48 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:49 < thedoc> God damn, I hate my server host.
20:49 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
20:49 < thedoc> What the fuck is it with rebooting my server at random.
20:49 < krzie> sry
21:09 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
21:37 -!- jeiworth [n=jeiworth@189.163.151.98] has joined ##openvpn
21:38 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has quit [Read error: 113 (No route to host)]
21:45 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn
22:05 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out]
22:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:33 -!- Michael` [n=michael`@e179055022.adsl.alicedsl.de] has joined ##openvpn
22:34 < thedoc> Dougy!!
22:35 < thedoc> HALP!
22:39 -!- jeiworth [n=jeiworth@189.163.151.98] has quit [Read error: 60 (Operation timed out)]
22:45 -!- sander^ [n=sander@c-66-235-35-214.sea.wa.customer.broadstripe.net] has joined ##openvpn
22:45 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
22:46 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:19 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
23:31 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:46 -!- Michael` [n=michael`@e179055022.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
23:46 -!- p3ri0d [i=p3ri0d@200.2.156.98] has joined ##openvpn
23:47 -!- p3ri0d [i=p3ri0d@200.2.156.98] has quit [Connection reset by peer]
--- Day changed Wed Jul 01 2009
00:24 -!- zheng [n=zheng@222.66.224.106] has quit [Read error: 110 (Connection timed out)]
00:25 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
00:33 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
00:35 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
01:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
01:20 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:26 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn
01:39 -!- master_of_master [i=master_o@p549D3643.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:42 -!- master_of_master [i=master_o@p549D31E4.dip.t-dialin.net] has joined ##openvpn
02:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:11 -!- nibbler__ [n=Nibbler@p5499B9EC.dip.t-dialin.net] has joined ##openvpn
02:43 -!- lilalinux is now known as lilaloet
03:20 -!- nibbler__ [n=Nibbler@p5499B9EC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:23 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
03:56 -!- nibbler__ [n=Nibbler@p5499E97A.dip.t-dialin.net] has joined ##openvpn
04:03 < onats> krzie
04:03 < onats> buzz
04:27 -!- nibbler__ [n=Nibbler@p5499E97A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
04:49 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
05:07 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:17 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has joined ##openvpn
05:17 < Super_Cat_Frog> hi - i'm getting this error from one of our windows clients:
05:17 < Super_Cat_Frog> Wed Jul 01 10:54:09 2009 Warning: route gateway is not reachable on any active network adapters: 10.98.76.141
05:17 < Super_Cat_Frog> Wed Jul 01 10:54:09 2009 Route addition via IPAPI failed
05:17 < Super_Cat_Frog> Wed Jul 01 10:54:09 2009 Initialization Sequence Completed With Errors ( see http://openvpn.net/faq.html#dhcpclientserv )
05:17 < vpnHelper> Title: FAQ (at openvpn.net)
05:18 < Super_Cat_Frog> and nothing relating to 10.98.76.* in the routing tables, but we have another client running windows just fine ( same config except the keys )
05:18 < Super_Cat_Frog> any ideas?
05:19 < Gorkhaan> Do u have any physical default gateway? :)
05:24 < Super_Cat_Frog> Gorkhaan: i don't know what you mean
05:24 < Super_Cat_Frog> here's the user's routing table: http://pastebin.com/m180a5d54
05:25 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection]
05:25 < Gorkhaan> U'd like to NAT right?
05:25 < Super_Cat_Frog> no, it's routed
05:26 < Super_Cat_Frog> and works fine on the linux clients, and the other windows clients
05:26 < Super_Cat_Frog> i need access to the lan behind the openvpn server ( also working on other clients )
05:26 < Gorkhaan> then what's wrong? :D
05:27 < Super_Cat_Frog> the error above, can't ping any ip's, and nothing in the routing table referring to the 10.98.76.0/24 network
05:29 < Super_Cat_Frog> i mean from the one windows box
05:29 < Super_Cat_Frog> the other windows box is completely fine, as are all the linux boxes
05:30 < Gorkhaan> So everything is fine, except for 1 PC.
05:30 < Super_Cat_Frog> yes
05:30 < Super_Cat_Frog> and its config is an exact copy of one of the linux boxes, except using different files for the key/ca.crt, etc
05:30 < Gorkhaan> Try comparing your Routing table, use the newest openvpn version.
05:31 < Gorkhaan> sometimes Route rules get stuck on windows --> reboot it.
05:31 < Super_Cat_Frog> will do ta
05:32 < Gorkhaan> I remember I had the same problem once.
05:32 < Gorkhaan> and what version is your windows?
05:32 < Gorkhaan> xp, vista, win7?
05:33 < Gorkhaan> Because UAC doesn't always let you modify the routing table.
05:33 < Gorkhaan> so if you're using openvpn gui, try to launch it with Administration privileges.
05:33 < Gorkhaan> administrator. xD
05:35 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn
05:35 -!- nibbler__ [n=Nibbler@84.153.235.83] has joined ##openvpn
05:37 < lclimber> hello guys, i have a vpn, with a linux server and a windows client, my problem is that i can not reach the clients from the network connected to the server, even the server can't reach the address given to the client even though the clients can reach the network connected to the server side, what am i doing wrong?
05:39 -!- nibbler__ [n=Nibbler@84.153.235.83] has left ##openvpn ["Ex-Chat"]
05:40 < lclimber> the server has a network 192.168.1.x the vpn is 10.1.1.0, the vpn clients can reach 192.168.1.x but the hosts on 192.168.1.x can't reach 10.1.1.x
05:42 < Super_Cat_Frog> it's XP I think
05:42 < Super_Cat_Frog> i'll make sure, thanks
05:42 < Gorkhaan> np.
05:43 < Gorkhaan> lclimber: well the point of VPN is not to "see" from 192.168.1.X to 10.1.1.X, however you can still create a route rule I think, as U did it when you made sure "the vpn is 10.1.1.0, the vpn clients can reach 192.168.1.x "
05:46 < lclimber> but how come, that the server can't see the clients on 10.1.1.x
05:49 < Gorkhaan> Server can't see ( ping ) them on his own vpn connection?
05:50 < Gorkhaan> Maybe a firewall blocking ICMP packets.
05:58 < lclimber> no, no firewall, and the weird thing is that the 10.1.1.x clients can reach 192.168.1.x hosts
06:00 < lclimber> sorry, windows firewall messing with my head!, fixed
06:03 < lclimber> thanks a lot
06:03 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit ["Ex-Chat"]
06:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Read error: 104 (Connection reset by peer)]
06:16 -!- russo [n=russo@p579F6DB9.dip.t-dialin.net] has joined ##openvpn
06:22 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
06:23 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-103.globonet.hu] has joined ##openvpn
06:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-103.globonet.hu] has quit [Read error: 110 (Connection timed out)]
06:36 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-103.globonet.hu] has left ##openvpn []
06:36 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-103.globonet.hu] has joined ##openvpn
06:42 < ecrist> good morning, folks.
06:45 < Gorkhaan1> hi mate! :)
06:46 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
06:46 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
07:07 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn
07:10 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection]
07:19 -!- dazo_ [n=dazo@nat/redhat/x-6fb11294412736be] has joined ##openvpn
07:20 -!- dazo [n=dazo@nat/redhat/x-8a53d108aaa472cb] has quit [Nick collision from services.]
07:20 -!- dazo_ is now known as dazo
07:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:30 -!- Super_Cat_Frog [n=bob@87-194-183-38.bethere.co.uk] has quit [Remote closed the connection]
07:32 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
07:49 -!- antii [n=rw@unaffiliated/antii] has joined ##openvpn
07:49 < antii> hell0
07:50 < antii> having some problems with my vpn service, when i start openvpn like /etc/init.d/openvpn start i'm asked for username/password. I can enter the username information, but not the password information (i can't see any letters) in the password thingy
07:52 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
07:56 < n0g0> it's the same as any unix login, you won't see the letters typed but they are accepted
07:56 < n0g0> @ antii
07:57 < antii> n0g0: but it's odd, getting logged in failed, have tried like 5 times, wrote all letters myself and even copied
07:58 < n0g0> if you've got access to the server, create an auth-user-pass-verify script that will output the username/password to the log and try again
07:58 < n0g0> but before that, try running openvpn directly
07:59 < n0g0> /usr/sbin/openvpn --config /etc/openvpn/myconfig.conf
08:01 < antii> odd :S
08:01 < antii> Wed Jul 1 14:59:41 2009 Cannot load certificate file aw-client.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib Wed Jul 1 14:59:41 2009 Exiting
08:01 < Dougy> .
08:01 < Dougy> missing something antii
08:01 < Dougy> paths must be off
08:01 < antii> have all the files in the /etc/openvpn
08:01 < antii> hmm
08:01 < Dougy> antii:
08:01 < antii> ok
08:01 < Dougy> where are the keys
08:01 < antii> same folder
08:02 < Dougy> cd /etc/openvpn
08:02 < Dougy> then run the command
08:02 < antii> i'm running it in /etc/openvpn/
08:03 < antii> it shall all have root permissions right?
08:03 < n0g0> yes
08:03 < antii> hm what could it be then
08:03 < n0g0> sure that you are in /etc/openvpn and the files are all there ?
08:03 -!- jeiworth [n=jeiworth@189.163.151.98] has joined ##openvpn
08:05 < antii> aha!
08:05 < antii> was a wrong thing with a big letter :P
08:07 < n0g0> login now working ?
08:09 -!- antii [n=rw@unaffiliated/antii] has quit [Read error: 104 (Connection reset by peer)]
08:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:28 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
08:31 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
08:45 -!- mattock [n=mattock@gw.tietoteema.fi] has quit ["Leaving."]
08:49 -!- l2trace99 [n=jr@205.245.6.162] has joined ##openvpn
08:53 < l2trace99> can someone point out what I am missing
08:53 < l2trace99> my clients fail to connect
08:53 < l2trace99> the only message I am getting is "TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
08:53 < l2trace99> on the server
08:59 < dazo> l2trace99: check if the client config is correct ... esp. in regards to the cert statements
08:59 -!- lilaloet is now known as lilalinux
09:00 < l2trace99> ca points to the server ca.crt
09:00 < l2trace99> cert points to the client crt
09:00 < l2trace99> key points to the client key
09:00 < l2trace99> anything I am missing ?
09:01 < l2trace99> when I do a verb 5
09:01 < dazo> l2trace99: then check if tls-auth is correctly setup .... one side needs 0 and the other side 1 ... forgot which side was which number
09:01 < dazo> if you are using tls-auth
09:01 < l2trace99> it looks like it never connects
09:01 < dazo> yeah, because the server rejects the connection due to missing certificate from the client side
09:02 < dazo> that can be that the ca config option is pointing at the wrong place, tls-auth failing or different ciphers between client and server
09:03 < dazo> l2trace99: the ssl handshake involves the client sending its certificate to the server ... and the server validates the certificate
09:04 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:05 < l2trace99> is that message the same if the cert is bad ? or just that the client has not sent a cert ?
09:06 < l2trace99> i am wondering if the certs I generated w/ easy-rsa on the box are bad
09:07 < dazo> l2trace99: I would expect an invalid certificate error if there was some trouble with the certfile .... but it might be that the client can't read the certfile
09:08 < dazo> l2trace99: if you increase logging on the client, you might get a better clue
09:08 -!- stephbul [n=stephbul@bulot.org] has joined ##openvpn
09:09 < l2trace99> thanks
09:11 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]"]
09:12 -!- jeiworth [n=jeiworth@189.163.151.98] has quit [Read error: 110 (Connection timed out)]
09:29 -!- jeiworth [n=jeiworth@189.177.126.18] has joined ##openvpn
09:32 -!- unix3_ [n=unix3@190.10.68.228] has quit [Client Quit]
09:34 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:48 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn
09:54 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
10:05 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"]
10:07 -!- rudeboy_xix [n=rudeboy@202.124.139.109] has joined ##openvpn
10:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:28 -!- russo [n=russo@p579F6DB9.dip.t-dialin.net] has quit []
10:30 -!- russo [n=russo@p579F63DA.dip.t-dialin.net] has joined ##openvpn
10:36 -!- rudeboy_xix [n=rudeboy@202.124.139.109] has quit [Remote closed the connection]
10:47 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: RexMundi, tjz, Alagar
10:47 -!- Netsplit over, joins: Alagar, RexMundi, tjz
10:51 -!- jeiworth_ [n=jeiworth@189.177.126.18] has joined ##openvpn
10:51 -!- jeiworth [n=jeiworth@189.177.126.18] has quit [Read error: 60 (Operation timed out)]
11:01 -!- jeiworth_ [n=jeiworth@189.177.126.18] has quit [Read error: 60 (Operation timed out)]
11:05 -!- jeiworth [n=jeiworth@189.177.126.18] has joined ##openvpn
11:19 -!- jeiworth [n=jeiworth@189.177.126.18] has quit [Read error: 104 (Connection reset by peer)]
11:19 -!- jeiworth [n=jeiworth@189.177.126.18] has joined ##openvpn
11:25 -!- YpsyZNC is now known as Ypsy
11:29 -!- RexMundi [n=RexMundi@77.95.99.166] has quit [Read error: 104 (Connection reset by peer)]
11:29 -!- Irssi: ##openvpn: Total of 74 nicks [0 ops, 0 halfops, 0 voices, 74 normal]
11:29 -!- mius [n=miusf@earthtomoon.net] has quit [Read error: 60 (Operation timed out)]
12:00 -!- Ypsy is now known as YpsyZNC
12:05 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Excess Flood]
12:05 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
12:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:08 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)]
12:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
12:23 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:59 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
13:03 * unixSnob wants to run an openvpn server within a VPS -- is that possible, without having control over the kernel?
13:03 < ecrist> sure
13:03 < ecrist> you have control, usually, over the child system
13:04 < plaerzen> happy canada day
13:04 * plaerzen waves from the great white north
13:05 * ecrist laughs at Canadians.
13:05 < unixSnob> ecrist: I have control over what i'll call the "zone" (not sure what the openvz term is), but I don't control the real kernel, or the physical machine
13:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:05 < ecrist> there are lots of people running OpenVPN within virtual private servers.
13:07 < unixSnob> ecrist: i suspect they also control the underlying kernel, no?
13:07 < ecrist> within the VPS
13:08 < ecrist> unixSnob: I think your terminology (or understanding of it) is skewed a bit.
13:08 < ecrist> I've never used OpenVZ, but VPS is a generic term. I can setup ESXi on a box and install 50 different child machines, each their own VPS
13:08 < ecrist> each in control of its own kernel
13:09 < unixSnob> ecrist: i'm a bit familiar w/ Sun Zones... but i've only started playing with openvz today
13:10 < unixSnob> i don't think end users get to control the kernel.. that would be dangerous
13:11 < unixSnob> I certainly wouldn't trust other users on the system to not hose the kernel
13:11 < Dougy> grmbl
13:12 < xp_prg> hi all, I am trying to understand vpn bind name server resolution, anyone know that?
13:12 < xp_prg> do I simply add an entry to /etc/resolv.conf ?
13:16 < n0g0> what is "vpn bind name server resolution" ?
13:17 < krzee> you talking about pushing a new NS to clients?
13:22 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
13:26 -!- rudeboy_xix [n=rudeboy@ded-139-109.eglobalreach.net] has joined ##openvpn
13:27 -!- rudeboy_xix [n=rudeboy@ded-139-109.eglobalreach.net] has left ##openvpn []
13:34 < ecrist> unixSnob: what I said has nothing to do with Sun
13:35 < ecrist> in vmware, for example, each child machine has its own kernel and is, from its own point of view, on its own piece of hardware.
13:38 < krzee> in openvz the host does need to do a thing or 2 tho
13:38 < krzee> i just don't know exactly what they are
13:38 < krzee> cause every time someone figures it out they stop caring about others and don't make a writeup on the wiki
13:39 < ecrist> starting to sound like the entire LDAP community
13:40 < xp_prg> I mean how to connect two different bind servers together
13:40 < xp_prg> on each side of the openvpn connection
13:40 -!- c64zottel [n=hans@p5B17A738.dip0.t-ipconnect.de] has joined ##openvpn
13:42 < krzee> umm
13:42 < n0g0> as primary / slave ?
13:42 < krzee> just setup the slave to connect to the master by its vpn ip
13:42 < krzee> and make sure the master listens for it on that ip
13:42 < xp_prg> yes that is what I am going to do :>
13:42 < krzee> that is SO not an openvpn question
13:42 < krzee> haha
13:43 < xp_prg> but, you have to make sure the ip that server connects with is always the same
13:43 < ecrist> xp_prg: try #BIND or #dns or #not_opevpn
13:43 < n0g0> haha
13:43 < krzee> !static
13:43 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:43 < xp_prg> yes that is what I am going to do :>
13:54 < l2trace99> can I put different dns and routes into the client config file ?
13:57 < ecrist> l2trace99: in the CCD, yes.
13:58 < xp_prg> how do I find the common name of the ssl key on the client to name my ccd file?
13:59 < ecrist> easiest is to look in the logs when the client connects
13:59 < xp_prg> cool thanks!
13:59 < krzee> sure
13:59 < krzee> you can also push them to diff clients
13:59 < krzee> using ccd entries
13:59 < krzee> !ccd
13:59 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
13:59 < krzee> that's second easiest
13:59 < krzee> first is by knowing what you did when you made them ;]
13:59 < krzee> heheh
13:59 < xp_prg> heh ya it's been a while
14:02 < xp_prg> I did it!!!
14:02 < xp_prg> thanks for the help all :>
14:02 < xp_prg> I heart you
14:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:10 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
14:21 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
14:21 < Dougy> krzie
14:21 < Dougy> there?
14:21 * ecrist guesses no 14:21 < ecrist> 14:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer) 14:22 < Dougy> i saw that 14:22 < Dougy> krzee 14:22 < Dougy> but was wodnering about krzie 14:22 < Dougy> wondering 14:24 < krzie> ya 14:31 -!- bandini [n=bandini@host91-109-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn 14:32 < krzie> you just checking or had something to say? 14:33 -!- lataffe [n=lars@cm-84.211.147.71.getinternet.no] has quit ["Leaving"] 14:35 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 14:41 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 14:43 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 14:43 < Dougy> krzie yea 14:43 < Dougy> had something to say 14:43 < Dougy> hence the pm 14:43 -!- kevin__ [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has joined ##openvpn 14:44 < krzie> right but i responded to the pm too and no reply there either, lol 14:44 < krzie> i thought maybe it was a survey ;] 14:44 -!- kevin__ is now known as Roppongi 14:45 -!- Roppongi is now known as kevin__ 14:46 -!- kevin__ is now known as Roppongi 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 -!- Kreg [n=kreg@208-98-188-95.directcom.com] has quit [Remote closed the connection] 15:01 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:02 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"] 15:05 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 15:18 -!- Roppongi [n=quassel@XPLR-TS-10-WPG-67-201-138-23.barrettxplore.com] has quit [Read error: 104 (Connection reset by peer)] 15:20 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 15:20 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 15:21 -!- lataffe_ 
[n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Connection reset by peer] 15:26 -!- panta [n=panta@vie-078-142-128-212.dsl.sil.at] has joined ##openvpn 15:26 -!- VenomX [n=venomx@201-0-178-106.dial-up.telesp.net.br] has joined ##openvpn 15:41 < panta> hello! 15:41 < panta> can anybody tell me ... 15:41 < panta> if i want to connect multiple subnets via a layer 3 tunnel, do i need a separate tun device for every subnet? 15:41 < panta> or does openvpn consult the routing table to determine which client the packet should be sent to? 15:44 < panta> or asked differently, what happens if the server sends a packet to some arbitrary ip through the tun device. which client gets the packet? 15:48 -!- svenwiesner [n=svenwies@vie-078-142-128-212.dsl.sil.at] has joined ##openvpn 15:48 < svenwiesner> hello friedl 15:48 < panta> hi malte 15:48 < svenwiesner> i am sorry, but i can not help you with your problems 15:49 < svenwiesner> maybe someone else here is able to help you out 15:51 < krzie> panta 15:51 < krzie> !route 15:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:51 < krzie> !iroute 15:51 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 15:52 < krzie> read !route very good, its exactly your scenario 15:52 < krzie> the answer to your final question is explained in !iroute 15:52 < panta> thanks, i will look at it!
15:52 < krzie> and good call on realizing something would have to happen for openvpn to know where to send it to =] 15:54 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-103.globonet.hu] has left ##openvpn [] 15:55 < svenwiesner> !ccd 15:55 < vpnHelper> svenwiesner: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 15:58 -!- russo [n=russo@p579F63DA.dip.t-dialin.net] has quit [] 16:03 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit ["Leaving"] 16:04 < panta> it seems to me that tunneling layer 2 would make life easier. is there any reason why i should not do this? 16:04 < krzie> yes 16:04 < krzie> more overhead (especially if bridging 3 networks) and becoming vulnerable to layer2 attacks over the internet 16:04 < krzie> such as arp poisoning 16:05 < krzie> and imo a bridge setup is actually more difficult to setup 16:05 < krzie> why do you believe that it would make life easier? 16:05 < panta> hmm, but the arp poisoning, thats interesting 16:06 < krzie> from your original question i believe you have all the knowledge needed for !route type setup 16:06 < krzie> and im willing to help ya 16:06 < panta> thanks a lot 16:06 < krzie> np 16:06 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has joined ##openvpn 16:07 < panta> to be honest, i am writing an application that tunnels traffic over ping. 
and i am thinking about whether to use tun or tap ;) 16:07 < krzie> that already exists 16:07 < krzie> icmptx 16:07 < panta> yeah, i know 16:07 < krzie> ahh ok 16:07 < krzie> well tun of course 16:07 < panta> but it doesn't work when your router allows only one packet 16:07 < panta> and it doesn't support authentication 16:07 < krzie> tap would be an odd way to xfer icmp-only traffic 16:07 < panta> but i was inspired by icmptx 16:08 < krzie> ahh so you wanna make icmptx into what iodine did to nstx 16:08 < krzie> very cool 16:08 < panta> yeah, i try to ;) 16:08 < panta> the thing is, that when i use tap, i don't have to worry about the routing 16:08 < krzie> see my routing script for iodine 16:08 < panta> but on the other hand, who would ever want to tunnel a whole subnet via ping anyway 16:08 -!- YpsyZNC is now known as Ypsy 16:08 < krzie> it may give you inspiration for a similar script for your icmptx variant 16:09 < krzie> lemme grab a link 16:09 < panta> okay 16:09 < krzie> http://dev.kryo.se/iodine/wiki/TipsAndTricks 16:09 < vpnHelper> Title: TipsAndTricks – iodine (at dev.kryo.se) 16:09 < krzie> Routing script for OS X, Linux and FreeBSD ¶ 16:09 < krzie> http://www.doeshosting.com/code/NStun.sh 16:09 < panta> yeah, great, i will definitely have a look at that!
16:11 < krzie> it definitely simplifies things 16:11 < krzie> the iodine author was happy to receive it and link to it 16:13 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 16:16 -!- c64zottel [n=hans@p5B17A738.dip0.t-ipconnect.de] has quit ["Leaving."] 16:23 -!- svenwiesner [n=svenwies@vie-078-142-128-212.dsl.sil.at] has quit [] 16:28 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 16:29 < panta> i just looked at the iodine code and i think i will handle it the same way and ignore the possibility to add a subnet to the tunnel 16:29 < panta> it would be quite useless anyway 16:29 < krzie> iodine adds a subnet 16:30 < panta> yeah, but it doesn't seem to support more ips behind a single client 16:30 < panta> like openvpn using iroute 16:31 < krzie> ohhh right 16:31 < krzie> but ya that seems pointless 16:31 < krzie> icmptx and similar apps are only useful when on rogue wifi where icmp is allowed but nothing else is until paying $ 16:32 < panta> exactly ;) 16:32 < panta> or on certain college networks 16:33 < panta> well, thanks for pointing me in the right direction! 16:33 < krzie> np msn 16:33 < krzie> man 16:38 -!- rusos [n=russo@p579F6EA5.dip.t-dialin.net] has joined ##openvpn 16:38 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has quit [] 16:39 -!- rusos is now known as russo 16:44 -!- tr4sk [n=tr4sk@sd-17871.dedibox.fr] has joined ##openvpn 16:44 < tr4sk> Hi :) 16:45 < ecrist> sup? 16:46 < krzie> dedibox.fr ... good company 16:47 < krzie> unmetered 100mb/s and good prices 16:47 < ecrist> my employer = the suxorz 16:47 < krzie> really? i thought they were good 16:47 < krzie> from what they let you do in the tech side 16:48 < ecrist> no. there are aspects from a technical side, but the policies and such HR wise blow balls. 16:48 < krzie> ahh 16:48 < ecrist> big, fat, sweaty, hairy, cheesy balls 16:48 < krzie> cheesy balls!
16:57 -!- Ypsy is now known as YpsyZNC 17:05 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 17:05 -!- panta [n=panta@vie-078-142-128-212.dsl.sil.at] has quit [] 17:06 < l2trace99> do I have to multiple virtual endpoints for multiple subnets 17:06 < l2trace99> ? 17:08 < krzie> i dont understand the reason for the question 17:08 < krzie> why would you want multiple subnets? 17:10 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 104 (Connection reset by peer)] 17:10 < l2trace99> windows clients and need to go beyond the /24 i originally allocated 17:10 < l2trace99> plus for ACLs on the inside 17:10 < krzie> !topology 17:10 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 17:10 < l2trace99> i would like to have just 1 network for these uses 17:11 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 17:13 < l2trace99> well aside from redoing what I already have 17:14 < krzie> that wouldnt be cause for redoing anything 17:15 < krzie> unless you used the 3-year-old 2.0 version 17:16 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 17:18 < StormWlf> would running wins or dnsmasq be a better choice or does dnsmasq take care of naming like wins in samba? 17:18 < krzie> dunno what dnsmasq is 17:19 < StormWlf> if i'm reading this right its a replacement for dhcpd for smaller networks and takes care of some name resolution 17:21 < StormWlf> http://linux.about.com/cs/linux101/g/dnsmasq.htm 17:22 < vpnHelper> Title: dnsmasq - What is dnsmasq (at linux.about.com) 17:22 < ecrist> l2trace99: you can span larger than a /24, if you need to 17:22 < ecrist> the network I admin is a /23 17:22 < krzie> ecrist on the vpn subnet?
17:23 < ecrist> yep 17:23 < krzie> ive seen people have problems with subnets smaller than /24, didnt know how bigger would behave 17:23 < krzie> good to know 17:23 < ecrist> I split it into two /24, one for static and one for dynamic 17:23 < ecrist> from there, subnet those down for firewalling 17:24 < krzie> but by subnetting them and whatnot you mean manually giving those ips, not actual subnetting, right? 17:24 < krzie> or like a --client-connect script? 17:24 < ecrist> ccds for the two /24, the smaller (sub-/24) exist in firewall only 17:25 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 60 (Operation timed out)] 17:25 < Dougy> krzie: my colo pisses me off 17:25 < ecrist> there is no problem with subnets smaller than /24, you just need to use compliant boundaries on your subnets. 17:25 -!- tr4sk [n=tr4sk@sd-17871.dedibox.fr] has quit [Read error: 104 (Connection reset by peer)] 17:25 < krzie> cool, thats what i was thinking 17:25 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 17:25 < ecrist> Dougy: I've been telling you for quite some time your colo sucks. 17:25 < ecrist> :) 17:26 < krzie> ecrist are you sure? a number of people have had problems without manually giving out ips or anything, which were fixed by simply going to /24 17:26 < ecrist> there aren't any *good* reasons not to have a /24 or larger 17:27 < krzie> true 17:27 < krzie> but theres also no 'good' reason not to use topology subnet 17:27 < krzie> it should and will become the default 17:27 < ecrist> sure is. 17:27 < krzie> is? 17:27 < ecrist> I don't have the ability to update some 2.0.9 clients at this time 17:27 < krzie> ahh 17:27 < ecrist> which means I can't do it 17:28 < krzie> i bet if you update you'll have someone contact you to get the upgrade ;] 17:29 < ecrist> yeah, small company, the one that would contact me would be my boss 17:29 < ecrist> when I approach him to upgrade it, his reply is, if it isn't broken, don't fix it.
17:29 < ecrist> *sigh* 17:29 * ecrist shoots self in face 17:29 -!- Ypsy_ [n=ypsy_@frnk-5f74021a.pool.einsundeins.de] has joined ##openvpn 17:29 < krzie> haha 17:30 < krzie> oh and another possible downside 17:30 < Ypsy_> Howdy :) 17:30 < krzie> with net30 client cant change ip 17:30 < krzie> im thinking with subnet they prolly could 17:30 < krzie> but i havent tested that 17:30 < Ypsy_> Gorkhaan: Remember me? :P 17:30 < krzie> ypsy_, hi 17:30 < Gorkhaan> sure. :D hi! 17:31 < Ypsy_> :D 17:31 < Gorkhaan> what's up yooo xD 17:31 < Ypsy_> Something possibly good happened with my client.conf problem 17:31 < Gorkhaan> that's nice to hear 17:31 < Ypsy_> I installed the vtun thing, nothing happened but now after rebooting the error disappeared 17:32 < Ypsy_> http://pastebin.com/d56cb22cb Thats the output now 17:32 < Gorkhaan> xD You could have installed the VTUN ( TUN/TAP ) device, that's quite needed to use OpenVPN. 17:32 < Gorkhaan> OpenVPN 2.0.9 17:32 < Gorkhaan> man, wtf. Install openvpn-2.1_rc18 instead of OpenVPN 2.0.9 17:33 < Gorkhaan> :D 17:33 < Gorkhaan> everything looks fine btw 17:33 < Ypsy_> I dont mind as long as its working for now :P perhaps Ill upgrade if everything runs 17:33 < Ypsy_> So whats next on this road to internet-sharing? :P 17:33 < Gorkhaan> you really should! :) rc18 rocks 17:34 < krzie> !redirect 17:34 < Gorkhaan> plz upgrade now. I donno if every command exists in 2.0.9. 17:34 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 17:34 < Ypsy_> Okay 17:34 < Gorkhaan> but yeah krzie is right. 17:35 < Ypsy_> Server and Client?
17:35 < Gorkhaan> I'll send you a firewall 17:35 < Gorkhaan> write into server config 17:35 < Ypsy_> Ive dl'd your script 17:35 < Gorkhaan> push "redirect-gateway def1" 17:36 < Gorkhaan> But I showed you this as i remember 17:36 < Gorkhaan> I sent you the server/client configs. 17:36 < krzie> But I showed you this as i remember 17:36 < krzie> hehe 17:37 < Gorkhaan> ? :D 17:37 < krzie> that will become a common thing you will be saying if you stick around ;] 17:37 < Ypsy_> you're a meanie krzie :P 17:37 < Gorkhaan> xD 17:37 < krzie> haha 17:37 < Ypsy_> Yes already got it in there Gorkhaan 17:37 < Gorkhaan> I like being here. xD 17:37 < krzie> =] 17:38 < Gorkhaan> then change the IP in your server config, because it's probably 10.8.0.0/24 17:38 < Gorkhaan> and in the firewall script I sent you there is 10.80.0.0/24 17:38 < Ypsy_> Got rc11 on the server. Think that's fine? 17:38 < Gorkhaan> you can either change in the openvpn config or in the firewall script 17:39 < krzie> rc11 has known issues 17:39 < krzie> thats why theres a rc12-rc18 17:39 < Gorkhaan> yeah, why dont you upgrade to rc18 :D 17:39 < Ypsy_> thats the one in the debian repos :( 17:39 < krzie> !download 17:39 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn 17:39 < Gorkhaan> can you compile it? 17:40 < Ypsy_> yep 17:41 < Gorkhaan> okay. do it then. :) 17:41 < Gorkhaan> I've just bought an Asus WL500G Premium v2 Router 17:41 < Gorkhaan> it's freakin' great! 17:42 < Gorkhaan> with dd-wrt of course. :D there is a Built in OpenVPN for instance. 17:42 < Ypsy_> Shall I rather compile it as a normal user in my home directory or as root? 17:43 < Gorkhaan> root of course 17:44 < krzie> compile can be either, install must be root 17:45 < Gorkhaan> yes, thx.
☺ 17:46 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has quit [] 17:48 < Dougy> ecrist: heh 17:49 * Dougy is gonna go to a nice dc 17:49 * ecrist has a nice dc 17:50 < Ypsy_> okay got rc18 on my server now 17:51 < Ypsy_> now replace 10.8.0.0 with 10.80.0.0 in the cfg? 17:52 < Gorkhaan> yes 17:52 < Ypsy_> the "push "dhcp-option DNS..." part? the ip's in the config multiple times 17:53 < Dougy> ecrist: your basement is a fai 17:53 < Dougy> l 17:53 < krzie> his basement is a win 17:53 < Dougy> meh 17:53 < Gorkhaan> well try that to write to your own DNS Server IP address 17:53 < krzie> !pushdns 17:53 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 17:54 < ecrist> *click* ovpnforum.com is offline 17:54 < Dougy> oh teh noes 17:54 -!- jeiworth [n=jeiworth@189.177.126.18] has quit [Read error: 110 (Connection timed out)] 17:54 < Gorkhaan> what you can find on the VPN Server here: cat /etc/resolv.conf 17:55 < Gorkhaan> However I'm using dnsmasq 17:55 < ecrist> say nice things and I'll turn it back on, Dougy 17:57 < ecrist> . . . 18:00 < ecrist> nm 18:00 < Ypsy_> Gorkhaan okay changed that stuff 18:01 < Ypsy_> what do I need to do with your script? 18:01 < Gorkhaan> Just read through it, and try to run it 18:01 < Gorkhaan> it should work. 18:01 < Ypsy_> kk 18:03 < Ypsy_> iptables: No chain/target/match by that name 18:04 < |Mike|> lal. 18:04 < Gorkhaan> that's strange. 18:04 < Gorkhaan> xD 18:04 < Gorkhaan> there is 3 default chains, input, forward, output.... 18:04 < |Mike|> ipchains are so '98 18:04 < Gorkhaan> maybe something is mistyped there, check it 18:05 < Gorkhaan> iptables --version ? 18:05 < Ypsy_> 1.4.2 18:05 < Gorkhaan> lol, i've got older. wait 18:06 < Gorkhaan> well it worked for me... 
18:06 < Ypsy_> =( 18:06 < Gorkhaan> anyway you need 2 lines 18:06 < Gorkhaan> $IPTABLES -t nat -A POSTROUTING -s 10.80.0.0/24 -o eth0 -j MASQUERADE 18:07 < Gorkhaan> but every chain's policy must be ACCEPT. you really should change this later 18:07 < Gorkhaan> 2nd : echo "1" > /proc/sys/net/ipv4/ip_forward 18:07 < Gorkhaan> eth0 is the device where your "internet is coming from" xD 18:08 -!- l2trace99 [n=jr@205.245.6.162] has quit [Read error: 110 (Connection timed out)] 18:08 -!- l2trace99 [n=jr@70-11-3-235.pools.spcsdns.net] has joined ##openvpn 18:09 < Ypsy_> same error when entering them by hand :( 18:09 < |Mike|> lal. 18:10 < Gorkhaan> then what are your chains' names? 18:10 < Gorkhaan> iptables -L 18:11 < Ypsy_> http://pastebin.com/d7136e24d 18:13 < Gorkhaan> iptables -t nat -L 18:13 < Gorkhaan> ? 18:13 < Gorkhaan> we need this 18:13 < krzie> !linnat 18:13 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 18:14 < Ypsy_> http://pastebin.com/d2d9bae7e 18:15 < Gorkhaan> and it still doesn't work? 18:15 < Gorkhaan> iptables -t nat -A POSTROUTING -s 10.80.0.0/24 -o eth0 -j MASQUERADE 18:16 < Ypsy_> no, not working 18:16 < Gorkhaan> wait 18:17 < Ypsy_> different error now, after entering the right interface *gg* 18:17 < Ypsy_> iptables -t nat -A POSTROUTING -s 10.80.0.0/24 -o venet0 -j MASQUERADEi iptables v1.4.2: Couldn't load target `MASQUERADEi':/lib/xtables/libipt_MASQUERADEi.so: cannot open shared object file: No such file or directory 18:18 -!- jeiworth [n=jeiworth@189.177.128.171] has joined ##openvpn 18:18 < Gorkhaan> xD 18:18 < Gorkhaan> you have to get iptables Masquerade module 18:19 < Gorkhaan> damn your Arch!
18:19 < Gorkhaan> xD 18:20 < Ypsy_> no, its debian on the server :p 18:20 < Ypsy_> and the version you recommended :( 18:21 < Ypsy_> do I need to recompile it? 18:21 < Gorkhaan> no no no. 18:21 < Gorkhaan> venet0 ? it's a VPS? 18:21 < Ypsy_> yep 18:22 < Gorkhaan> omg. your kernel module is missing I think. 18:22 < Gorkhaan> I'm not an expert in this 18:22 < Ypsy_> ohnoes :( 18:22 < Ypsy_> read about it 18:22 < Ypsy_> need to request it then, do I? 18:23 < Gorkhaan> Donno mate. you can ask it anyway... 18:23 < Gorkhaan> :S 18:23 < Ypsy_> kk 18:23 < krzie> you dont NEED nat 18:23 < krzie> you can run a socks daemon on the vpn ip with external ip set to your real inet ip 18:24 < krzie> and then socksify connections you want to go over the vpn using the internal ip 18:24 < krzie> thats actually how my setup works, i dont want things like torrents going over my vpn 18:24 < Gorkhaan> wow. donno anything like this 18:25 < Gorkhaan> can you send any readme/howto about this krzie? 18:25 < krzie> nope 18:25 < Gorkhaan> :( 18:25 < krzie> but its pretty easy in dante 18:25 < krzie> i can send you a very basic, no auth socks config 18:25 < Ypsy_> okay I'll have a look at it tomorrow... too late again *g* 18:25 < Ypsy_> see you :) thanks again 18:25 < krzie> no auth since its only for over the vpn 18:25 < Gorkhaan> np. 18:25 < Gorkhaan> what is "dante"? 18:25 -!- Ypsy_ [n=ypsy_@frnk-5f74021a.pool.einsundeins.de] has quit ["Java user signed off"] 18:25 < krzie> a socks daemon 18:26 < Gorkhaan> hm looks difficult. :D 18:28 < Gorkhaan> I'll check it out tnx 4 sharing. 18:29 < krzie> want me to grab you the config? 18:30 < krzie> the one i use for internal only (DONT USE THIS ON EXTERNAL IP) 18:30 < Gorkhaan> yeah thx! I'd like to learn stuffz like this 18:34 < |Mike|> i wonder how many people have LIR's here... 
18:40 < krzie> !configs 18:40 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:41 < krzie> Gorkhaan 18:41 < krzie> http://www.ircpimps.org/sockd.conf 18:41 < Gorkhaan> thx! :) 18:41 < krzie> DO NOT RUN THAT ON EXTERNAL IP 18:42 < Gorkhaan> Okay I've got it! understood :) 18:42 < krzie> =] 18:43 < Gorkhaan> I dont have much idea what this is about really... yet! :);) thx 4 sharing. 18:52 < krzie> the rules are kinda like a firewall 18:52 < krzie> passing and blocking stuff based on ip and what its trying to do 18:53 < krzie> this config is configed to pass everything 18:53 < krzie> because the clients are already in via vpn 19:04 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 19:05 < krzie> the sample config will come with comments and whatnot 19:09 -!- thedoc_ [n=andelyx@bb220-255-197-45.singnet.com.sg] has joined ##openvpn 19:12 -!- l2trace99 [n=jr@70-11-3-235.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 19:16 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 60 (Operation timed out)] 19:19 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 113 (No route to host)] 19:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 19:30 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 60 (Operation timed out)] 19:30 < Dougy> thedoc_: man 19:31 < Dougy> where is your friend at 19:31 < thedoc_> brb. 19:31 < thedoc_> shower and rushing to office! 
19:31 < Dougy> bah 19:31 < Dougy> ok 19:31 < Dougy> catch me there 19:35 -!- jeiworth [n=jeiworth@189.177.128.171] has quit [Read error: 60 (Operation timed out)] 19:41 -!- thedoc_ [n=andelyx@bb220-255-197-45.singnet.com.sg] has quit ["This computer has gone to sleep"] 19:44 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn 19:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)] 19:46 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded] 19:46 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn 19:46 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 19:48 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded] 19:49 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has joined ##openvpn 19:50 -!- lowValueTarget [n=Hink@static-71-164-255-82.dllstx.fios.verizon.net] has quit [SendQ exceeded] 19:52 -!- lowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 19:52 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 19:53 -!- lowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 19:54 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 19:56 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 19:56 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 19:58 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:00 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:01 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:03 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit 
[SendQ exceeded] 20:05 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:08 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:10 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:12 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:14 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 110 (Connection timed out)] 20:14 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:17 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:19 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:22 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:24 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:28 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded] 20:30 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:32 -!- thedoc_ [n=andelyx@119.73.165.162] has joined ##openvpn 20:33 < thedoc_> o/ 20:38 < thedoc_> Funny, ipredator service by tpb is running on pptp. 20:39 < thedoc_> Quite surprising, considering that pptp is flawed by design 21:12 -!- Hink is now known as LowValueTarget 21:13 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:49 < Dougy> thedoc_: well? 21:58 < thedoc_> Dougy, ? 22:10 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 22:37 -!- adb [n=hic@orb-rem-catv-c100-p100.vtx.ch] has joined ##openvpn 22:37 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 22:38 < ksnp> hi, 22:38 < ksnp> i have an openvpn related question, anyone here ? 
22:41 < adb> `anyone here ?` is a bad beginning 22:42 < adb> counted ~70 ppl here 22:43 < ksnp> yes 22:43 < ksnp> looks no one else though :) 22:44 < ksnp> adb : do all tar.gz also come with make file that can simply be used as opposed to deb packages ? 22:44 < adb> try it 22:44 < ksnp> ok.. 22:45 < ksnp> thing is this : with rpm or deb packages, dependencies are automatically taken care of 22:45 < ksnp> but what about with make files - they don't take care of that right 22:45 < ksnp> ? 22:46 < adb> try it 22:47 < ksnp> lol 22:48 < ksnp> is that your answer for everything ;-) ? 22:48 < ksnp> j/k 22:48 < ksnp> i have only one machine 22:49 < ksnp> so i am trying to minimize any unwanted files/deps clutter that might be hard to clean up later 22:51 < adb> installing from tar.gz is much harder than .deb anyways 22:58 < ksnp> ok 22:58 < ksnp> most of the tutorials talk about static keys 22:59 < ksnp> and also client to server without talking about client to server + server LAN 23:00 < ksnp> in case you have used this before can you tell me if the simply push command suffices 23:00 < ksnp> this is suggested in the main open vpn site which does address this issue but is not clear if two way traffic works 23:01 < ksnp> like client wants to talk to a different machine on the server LAN side can this different machine send back packets ? 23:01 < ksnp> does the openvpn server take care of all this ? 23:01 < ksnp> "First, you must advertise the 10.66.0.0/24 subnet to VPN clients as being accessible through the VPN. This can easily be done with the following server-side config file directive: 23:01 < ksnp> push "route 10.66.0.0 255.255.255.0" 23:01 < ksnp> Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines). 23:02 < ksnp> i guess the last part after Next is doing "port forwarding" only correct ?
23:16 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit [Read error: 110 (Connection timed out)] 23:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] --- Log closed Thu Jul 02 00:17:15 2009 --- Log opened Thu Jul 02 07:22:09 2009 07:22 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 07:22 -!- Irssi: ##openvpn: Total of 74 nicks [0 ops, 0 halfops, 0 voices, 74 normal] 07:22 -!- Irssi: Join to ##openvpn was synced in 0 secs 07:40 < dazo> tompaw: if you want to use other names than tunX ... you can use that as well, but then you need '--dev-type tun' in addition in your config 07:55 -!- adb [n=hic@orb-rem-catv-c100-p100.vtx.ch] has left ##openvpn ["."] 08:11 < tompaw> dazo: thanks for the tip, actually tunX is fine. 08:12 < tompaw> just needed something static to address with iptables. 08:12 < dazo> tompaw: no prob :) 08:13 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 08:35 -!- troy is now known as troy- 09:00 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:00 < thedoc> blah, where did dougy go? 09:00 < thedoc> :| 09:05 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: YpsyZNC, StormWlf, sander^, dazo, plaerzen 09:06 -!- Netsplit over, joins: dazo, sander^, StormWlf, YpsyZNC, plaerzen 09:23 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has joined ##openvpn 09:29 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 09:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:40 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has quit [] 09:59 -!- Ypsy_ [n=ypsy_@frnk-5f743de7.pool.einsundeins.de] has joined ##openvpn 09:59 < Ypsy_> Gorkhaan, alive? 
:P 09:59 < Gorkhaan> yes, hi 09:59 < Ypsy_> Hey :) 09:59 < Ypsy_> I think I made a very fatal mistake yesterday 09:59 < Ypsy_> The first commands of your script worked 10:00 < Ypsy_> And blocked all the ports except the vpn ones and 80 or some others 10:00 < Ypsy_> But the ssh port, the ftp port etc. etc. 10:00 < Ypsy_> Is blocked I think :((((((((((( 10:00 < Ypsy_> Is there a way to save my server? 10:01 < Gorkhaan> what other ports do you need? :) 10:02 < Gorkhaan> but it's easy to flush iptables rules: iptables -F 10:02 < Gorkhaan> and, reset the INPUT policy: iptables -P INPUT ACCEPT 10:02 < Ypsy_> I would need to connect to the server to do that :( 10:02 < Ypsy_> I only have ssh access 10:04 < Gorkhaan> any web interfaces? 10:04 < Ypsy_> hmmm 10:04 < Gorkhaan> to reboot the server 10:04 < Ypsy_> reboot yes 10:04 < Ypsy_> but would that fix it? 10:05 < Gorkhaan> that'll flush iptables rules 10:05 < Gorkhaan> but mate 10:05 < Gorkhaan> I thought you knew what we are doing 10:05 < Ypsy_> :D yes I did 10:05 < Gorkhaan> :D 10:05 < Ypsy_> but then this error appeared 10:05 < Ypsy_> and I closed the ssh connection 10:05 < Ypsy_> and then I was like oh shit 10:05 < Ypsy_> :D 10:05 < Gorkhaan> yeah, in some way it's my bad 10:06 < Gorkhaan> I changed my ssh port to 62 10:06 < Gorkhaan> from default 22, because bots always tried to log in to my server, who needs that.
10:06 < Ypsy_> I also need some ports for mumble, znc (irc bouncer), ftp and some stuff
10:06 < Ypsy_> think I also have a different one than 22, but obviously not 62 *g*
10:06 < Gorkhaan> Copy-paste some rules and change ports, it will work
10:06 < Gorkhaan> :D
10:08 < Ypsy_> hmm cant reboot it through the interface
10:08 < Ypsy_> ill call the hotline :P
10:09 < Gorkhaan> :(
10:09 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
10:12 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
10:13 < Ypsy_> ah nice, virtuozzo is still working
10:13 < Ypsy_> can reboot it through that =)
10:14 < Gorkhaan> ;) okay
10:18 -!- YpsyZNC [n=ypsy@geekpadawan.de] has quit ["Oh noes! My ZNC obviously just shut down :("]
10:19 < Ypsy_> haha
10:19 < Ypsy_> that was my server rebooting
10:19 < Gorkhaan> :D
10:19 < Gorkhaan> everything okay?:)
10:19 < Ypsy_> nope I think it saved it *g*
10:20 < Ypsy_> but I've got ftp access
10:20 < Ypsy_> is there any file I can delete or change?
10:21 < Gorkhaan> well, it have to auto input the rules every startup
10:21 < Gorkhaan> from somewhere
10:22 < Gorkhaan> do you have any startup script, for firewall?
10:24 < Ypsy_> hmmm should be in /etc/init.d/, should it?
10:27 < Gorkhaan> hey, change your SSHD port to 62
10:28 < Gorkhaan> then reboot
10:28 < Gorkhaan> after it you can log in
10:28 < Ypsy_> where can I do that? :P
10:30 < Gorkhaan> a moment
10:30 < Ypsy_> yep
10:31 < Gorkhaan> sudo nano /etc/ssh/sshd_config
10:31 < Gorkhaan> port 62
10:31 < Gorkhaan> I hope so
10:32 < Gorkhaan> or Portscan your server, to get opened ports
10:32 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn []
10:32 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:36 < Ypsy_> are you sure it opened 62?
10:36 < Ypsy_> your script says in the #sshd part port 22
10:37 < Gorkhaan> What was your SSH port?
10:38 < Gorkhaan> Maybe I rewrote my script to default ports
10:38 < Ypsy_> ive got port 2200
10:38 < Gorkhaan> change back to PORT 22, then u'll be able to connect
10:38 < Ypsy_> okay
10:38 < Gorkhaan> on port 22
10:38 < Gorkhaan> ;)
10:38 < Ypsy_> =)
10:40 < Ypsy_> okay rebooting
10:42 < Gorkhaan> :)
10:43 < Ypsy_> hmm i edited the /etc/ssh/sshd_config to port 22
10:43 < Ypsy_> and my local ssh.conf also to port 22
10:43 < Ypsy_> but it says connection refused :/
10:43 < Gorkhaan> damn, nmap your server for opened ports
10:45 < Gorkhaan> nmap -p20-100
10:45 < Gorkhaan> Search for opened ports
10:47 < Ypsy_> kk
10:49 < Ypsy_> all 81 scanned ports are down :D
10:49 < Ypsy_> shite
10:49 < Ypsy_> 135/tcp, 139/tcp, 445/tcp, 8443/tcp
10:49 < Ypsy_> nothing more
10:51 < Gorkhaan> so u dont have any opened?
10:51 < Ypsy_> seems so, why ever
10:51 < Ypsy_> perhaps because of the different iptables version and the error
10:51 < Ypsy_> maybe it just closed all ports and opened none
10:52 < Gorkhaan> :S donno mate, try to locate the iptables file which contains the rules, and modify it
10:52 < Ypsy_> yep
10:53 < Gorkhaan> do you have up script in your interfaces file?
10:53 < Gorkhaan> /etc/network/interfaces
10:53 < Gorkhaan> that's where "we" usually load the firewall rules
10:56 < Ypsy_> the file exists
10:56 < Ypsy_> but it contains nothing port/iptables related
10:56 < Ypsy_> just the basic connect to interface stuff
10:56 < Gorkhaan> any "up" script
10:56 < Gorkhaan> ?
10:58 < Ypsy_> there is a folder /if-up.d
10:58 < Ypsy_> but it only contains mountnfs openssh-server and openvpn
10:58 < Ypsy_> no iptables
11:01 < Gorkhaan> search further, it got to be something.
11:03 < n0g0> grep -r "iptables" /etc
11:04 < Ypsy_> ha ha ;)
11:06 -!- m4r71x [n=mgarcia@mail.maestro.com.pe] has joined ##openvpn
11:06 < m4r71x> hey guys
11:06 < m4r71x> Im having troubles revoking certs
11:06 < m4r71x> error 3 at 0 depth lookup:unable to get certificate CRL
11:07 < m4r71x> Ive been looking on google but I didnt found many useful stuffs
11:07 < m4r71x> what this issue is related to?
11:17 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
11:25 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has joined ##openvpn
11:27 < Ypsy_> Gorkhaan!
11:27 < Ypsy_> It was something different
11:27 < Ypsy_> The dnsmasq thing we started yesterday caused all that
11:27 < Gorkhaan> That's strange
11:27 < Ypsy_> Dunno why but I discovered that it was running as a process and killed it to see what happens
11:28 < Ypsy_> and now the ports are opened again
11:28 < Gorkhaan> well dnsmasq didn't finish completely as I remember
11:28 < Gorkhaan> maybe that caused all of this
11:29 < Gorkhaan> :S
11:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"]
11:30 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:30 < Ypsy_> yep thats possible
11:31 < Ypsy_> i removed it now
11:31 < Ypsy_> aint got time to complete my vpn plans anyways as im in the netherlands for the weekend :P
11:31 < Ypsy_> so ill just make sure the server's running now
11:31 < Gorkhaan> Good for you :D
11:31 < Gorkhaan> Here is damn hot!
11:31 < Ypsy_> :P
11:31 < Ypsy_> where are you from?
11:32 < Gorkhaan> Hungary ( mid europe )
11:32 < Ypsy_> Ah
11:32 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:32 < Ypsy_> <- germany
11:32 < Gorkhaan> not too far then. 1.5 hour by plane xD
11:32 < Ypsy_> yep :p
11:35 < m4r71x> <-- Peru
11:36 < m4r71x> (quite far, almost 16hours from Europe)
11:36 < m4r71x> XD
11:36 < Ypsy_> :D
11:37 < Gorkhaan> lolz
11:37 < Ypsy_> isnt freenode mainly used by europs?
11:37 -!- Ypsy [n=ypsy@geekpadawan.de] has joined ##openvpn
11:38 < Ypsy> :)
11:38 -!- Ypsy_ [n=ypsy_@frnk-5f743de7.pool.einsundeins.de] has quit ["Java user signed off"]
11:39 < m4r71x> Ypsy: dont think so, Im connected to irc to some linux channels
11:40 < Ypsy> kk
11:42 < ecrist> afternoon, fuckers
11:42 < Gorkhaan> :D
11:42 < Gorkhaan> hi
11:45 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn
11:49 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
11:57 < nemysis> ack
11:58 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
12:00 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
12:09 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection]
12:13 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:24 -!- jeiworth_ [n=jeiworth@189.163.254.76] has joined ##openvpn
12:29 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
12:37 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 110 (Connection timed out)]
12:58 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
13:13 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Connection timed out]
13:49 -!- troy- is now known as troy
13:54 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit [Remote closed the connection]
14:22 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
14:22 < xp_prg> hi all, I am trying to figure out how to throttle the data speeds
14:22 < xp_prg> anyone know?
14:23 < Gorkhaan1> How do you mean? :)
14:23 < xp_prg> how much bandwidth is uses
14:24 < Gorkhaan1> You mean you'd like to see your traffic?
14:24 < xp_prg> no I want to control the transfer speed
14:24 < Gorkhaan1> !shaper
14:24 < vpnHelper> Gorkhaan1: Error: "shaper" is not a valid command.
14:24 < xp_prg> how fast data moves between the openvpn connection points
14:25 < Gorkhaan1> http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
14:26 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
14:26 < Gorkhaan1> keyword to search: --shaper
14:26 < Gorkhaan1> --shaper n Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers.
14:28 < Gorkhaan1> is this okay for you?
14:28 < xp_prg> yes very thanks!
14:28 < Gorkhaan1> You can use this with CCD, or globally "push" to clients
14:29 < Gorkhaan1> ;) U're welcome!
14:29 < xp_prg> in the client.conf in /etc/openvpn, how do you put shaper in there?
14:30 < Gorkhaan1> Did you find the Manual page?
14:30 < xp_prg> yes but that doesn't explain the conf
14:30 < xp_prg> those are command lines to openvpn
14:31 < Gorkhaan1> syntax is easy: in client.conf ( but hey they can change this! ) shaper
14:31 < Gorkhaan1> !ccd
14:31 < vpnHelper> Gorkhaan1: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:31 < xp_prg> oh ok thanks!
14:31 < Gorkhaan1> or
14:31 < Gorkhaan1> !push
14:31 < vpnHelper> Gorkhaan1: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
14:32 < Gorkhaan1> You can define other Shaping numbers / client
14:32 < Gorkhaan1> with ccd.
14:33 < xp_prg> Options error: --shaper cannot be used with --mode serve
14:33 < xp_prg> r
14:34 < Gorkhaan1> mate, you are editing your server conf
14:34 < Gorkhaan1> you have 3 choices:
14:34 < Gorkhaan1> 1, push "shaper " this will push the "shaper" command to every client
14:35 < Gorkhaan1> 2: Client-Config-Dir - you can use different traffic shaping number for each clients
14:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:36 < Gorkhaan1> 3: you can directly write into your Client's config, but clients can Change this if they know what are they doing! :D
14:36 < xp_prg> ok I did a push
14:36 < xp_prg> any idea how I know if it worked?
14:36 < xp_prg> many thanks for your help by the way :>
14:36 < Gorkhaan1> try to copy a huge file through the VPN Tunnel
14:36 < Gorkhaan1> Samba/windows sharing. FTP, etc.
14:37 < Gorkhaan1> you name it
14:37 < xp_prg> can I see the shaper command has been activated?
14:37 < xp_prg> on the client somehow?
14:37 < Gorkhaan1> yes, if verb has been correctly set up
14:37 < Gorkhaan1> verb 5 should probably show it
14:38 < Gorkhaan1> maybe verb 3 shows too. Try out 'em
14:38 < xp_prg> ok thanks :>
14:38 < xp_prg> the documentation says the server can control the bandwidth as well
14:38 < xp_prg> it is not clear how it does that besides push
14:40 < Gorkhaan1> Just try it. It have to work, once I used it.
15:05 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
15:22 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
15:27 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
15:34 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
15:42 < reiffert> !factoids search nat
15:42 < vpnHelper> reiffert: 'nat', 'linnat', 'winnat', and 'fbsdnat'
15:42 < reiffert> !winnat
15:42 < vpnHelper> reiffert: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
15:43 < reiffert> !win route
15:43 < vpnHelper> reiffert: Error: "win" is not a valid command.
15:43 < reiffert> !factoids search win router
15:43 < vpnHelper> reiffert: No keys matched that query.
15:43 < reiffert> !factoids search win route
15:43 < vpnHelper> reiffert: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
15:43 < reiffert> !factoids search win
15:43 < vpnHelper> reiffert: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', and 'win_ipfail'
15:43 < reiffert> !winroute
15:43 < vpnHelper> reiffert: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
15:43 < reiffert> !winipforward
15:43 < vpnHelper> reiffert: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
15:44 < reiffert> !win_ipfail
15:44 < vpnHelper> reiffert: "win_ipfail" is if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled.
15:44 < reiffert> !factoids search forward
15:44 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
15:44 < reiffert> !ipforward
15:44 < vpnHelper> reiffert: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
15:45 < reiffert> !fuckoff
15:45 < vpnHelper> reiffert: Error: "fuckoff" is not a valid command.
15:45 < reiffert> !shutdown
15:45 < vpnHelper> reiffert: Error: "shutdown" is not a valid command.
15:45 < reiffert> !shutup
15:45 < vpnHelper> reiffert: Error: "shutup" is not a valid command.
15:51 < xp_prg> Options error: --shaper cannot be used with --mode server
15:52 < xp_prg> how do I do traffic shaping on the server then?
15:55 < Gorkhaan1> you can use TC only on the server.
15:55 < Gorkhaan1> Traffic Control on a whole port, do you want the script?
16:00 -!- russo [n=russo@p579F6EA5.dip.t-dialin.net] has quit []
16:10 -!- Ypsy is now known as YpsyZNC
16:24 < xp_prg> yes badly!
16:29 < xp_prg> Gorkhaan1 hello you here?
16:29 < Gorkhaan1> yes
16:29 < Gorkhaan1> a mom and I'll find it for you
16:30 < xp_prg> thanks!
16:31 < Gorkhaan1> http://pastebin.com/m72c1b4f1
16:31 < Gorkhaan1> I'm not an expert in this. but for me this TC is hard to understand. :D
16:32 < Gorkhaan1> find the command how you can Flush TC rules!
16:32 < Gorkhaan1> man tc
16:36 < xp_prg> cool thanks! :>
16:36 < xp_prg> I wish I could find a tutorial on using it with openvpn, not too lucky with that yet :(
16:41 < Gorkhaan1> How do you mean? :) What would you like to do?
16:45 -!- sander^ [n=sander@c-66-235-35-214.sea.wa.customer.broadstripe.net] has quit ["Leaving"]
16:47 -!- Gorkhaan1 [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)]
16:48 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
16:57 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Leaving."]
16:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
17:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:08 < tompaw> hello again.
17:08 < tompaw> I have successfully set up a tun-type openvpn tunnel between my centos server and windows xp client. Is it possible now to set windows' default gw to this tunnel's far end?
17:09 < tompaw> I tried using 0.0.0.0 0.0.0.0 remote-tun-addr
17:09 < tompaw> but it kills all traffic.
17:12 < Gorkhaan> !redirect-gateway
17:12 < vpnHelper> Gorkhaan: Error: "redirect-gateway" is not a valid command.
17:12 < Gorkhaan> !redirect
17:12 < vpnHelper> Gorkhaan: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:15 < tompaw> thanks!
17:18 < Gorkhaan> plz read the manual for further instructions, you need to use push "redirect-gateway def1"
17:20 < tompaw> ok, ip forwarding and nat have been taken care of already
17:21 < Gorkhaan> watch out for DNS . I prefer a packet called: dnsmasq
17:21 < tompaw> I'd rather configure them statically to opendns if poss
17:22 < Gorkhaan> okay;) that's probably better way.
17:22 < tompaw> thanks for help!
17:23 < Gorkhaan> you're welcome. :)
17:30 < tompaw> hm... this redirect-gateway seems to be doing... nothing :P
17:31 < Gorkhaan> well, you need to have a physical default gateway on clients. a gateway to your server
17:31 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:31 < Gorkhaan> or just a Router
17:31 < tompaw> I do have them on both client and server
17:31 < tompaw> I'd expect this command to change client's routing table
17:31 < Gorkhaan> ping working?
17:31 < tompaw> and replace its old gateway with the tunnel
17:32 < tompaw> well, it does work with openvpn addresses
17:32 < tompaw> it also works for the internet
17:32 < tompaw> but it doesn't go through the vpn
17:32 < tompaw> the old gateway on the client is not replaced with vpn ip.
17:32 < Gorkhaan> it should, can I see your server config?
17:32 < tompaw> of course, just a sec
17:32 < Gorkhaan> k
17:33 < tompaw> http://pastebin.com/m4d3888b8
17:34 < Gorkhaan> well I think it's good, but I show mine. A sec
17:34 < tompaw> ok
17:35 < tompaw> there are no errors or warnings on the client's side during the vpn setup
17:35 < tompaw> but default gateway remains unchanged :-(
17:36 < tompaw> Gorkhaan: http://pastebin.com/m414b3026
17:36 < tompaw> here is my client conf, too.
17:36 < Gorkhaan> My Server: http://pastebin.com/d6c34f91a
17:36 < Gorkhaan> I've commented out what you probably wont need
17:38 < tompaw> hmmm
17:38 < tompaw> no idea why mine doesn't work :<
17:38 < Gorkhaan> My Client: http://pastebin.com/d47d2b47f
17:38 < Gorkhaan> well use only: dev tun
17:38 < Gorkhaan> Your system will count it auto
17:39 < Gorkhaan> tun1, tun2, etc
17:39 < tompaw> but I want it to be static, this helps later with iptables
17:40 < tompaw> is there a --debug option I can add to my openvpn client call?
17:40 < Gorkhaan> !verb
17:40 < vpnHelper> Gorkhaan: Error: "verb" is not a valid command.
17:40 -!- m4r71x [n=mgarcia@mail.maestro.com.pe] has left ##openvpn []
17:40 < Gorkhaan> ahh, Verbosity
17:40 < tompaw> !verbocity
17:40 < vpnHelper> tompaw: Error: "verbocity" is not a valid command.
17:40 < Gorkhaan> :D
17:40 < tompaw> :<
17:40 < Gorkhaan> !verbosity
17:40 < vpnHelper> Gorkhaan: Error: "verbosity" is not a valid command.
17:40 < Gorkhaan> never mind
17:40 -!- jeiworth_ [n=jeiworth@189.163.254.76] has quit [Read error: 110 (Connection timed out)]
17:40 < Gorkhaan> it's : verb
17:41 < Gorkhaan> 9 is the max afaik
17:41 < tompaw> verb 9
17:41 < tompaw> Im gonna try it now
17:41 < Gorkhaan> it shows deeper log
17:41 < Gorkhaan> maybe you'll get an idea what's wrong
17:41 < Gorkhaan> but try to use just: dev tun
17:42 < Gorkhaan> persist-key persist-tun
17:42 < tompaw> ok
17:42 < Gorkhaan> must be enabled on Client too I think.
17:42 < Gorkhaan> and you should push some DNS IP down to clients
17:44 < Gorkhaan> as you can see in my server conf
17:44 < tompaw> yup
17:44 < tompaw> ok, I need to find the part that should be responsible for this redirect-gateway
17:44 < Gorkhaan> If you are up to a short reading: http://ocsovszki-dorian.darkhole.hu/
17:44 < vpnHelper> Title: Ocsovszki Dorián (at ocsovszki-dorian.darkhole.hu)
17:44 < Gorkhaan> Maybe you'll get some idea from there
18:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)]
18:29 -!- jeiworth [n=jeiworth@189.163.136.89] has joined ##openvpn
18:29 < |Mike|> AHOYYYYYYYYYYYY :-)
18:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
18:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)]
19:03 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
19:08 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
19:09 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
19:59 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
20:00 -!- thedoc [n=andelyx@119.73.165.162] has joined ##openvpn
20:03 < ksnp> anyone ever talk here ?
20:18 -!- LowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
20:26 < ksnp> when i do ifconfig with openvpn i see two addresses : inet addr and P-t-P - i read the openvpn.net but couldn't quite figure out the p-t-p
20:26 < ksnp> can anyone tell
20:42 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
20:48 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)]
20:56 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
21:12 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)]
21:15 -!- jeiworth [n=jeiworth@189.163.136.89] has quit [Read error: 60 (Operation timed out)]
21:24 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has joined ##openvpn
21:26 -!- troy is now known as troy-
21:30 < ksnp> anyone know whats the p-t-p in the ifconfig ?
21:47 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:56 < ksnp> anyone know whats the p-t-p in the ifconfig ?
22:00 -!- jeiworth [n=jeiworth@189.163.254.243] has joined ##openvpn
22:02 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has quit ["bbl"]
22:13 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has joined ##openvpn
22:15 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
22:16 < ksnp> anyone know whats the p-t-p in the ifconfig ?
22:18 < tjz> hmm
22:23 < zheng> P-t-p means it's a PPP device
22:23 < zheng> Peer to Peer
22:28 < ksnp> i figure that - but what is it for ?
22:28 < ksnp> server ip is 10.8.0.1 and ptp is 10.8.0.2
22:28 < ksnp> why there is a ptp? openvpn.net says its like a connection between openvpn and os
22:50 < ecrist> ksnp: we all saw the question the first time...
22:50 < ecrist> VPNs, are, by nature, point-to-point tunnel connections.
23:00 < ksnp> so when a client tries to connect
23:00 < ksnp> does it try to connect to 0.2 or something like that ?
23:13 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn
23:13 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" Try HydraIRC -> http://www.hydrairc.com <-"]
23:14 -!- epaphus [n=unix3@201.199.62.74] has quit [Success]
23:15 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:15 -!- unix3 [n=unix3@201.199.62.74] has quit [Client Quit]
23:18 -!- SuperEvilDeath18 [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
23:26 -!- alohas [n=opera@pD9E316EF.dip.t-dialin.net] has joined ##openvpn
23:35 -!- alohas [n=opera@pD9E316EF.dip.t-dialin.net] has left ##openvpn []
23:43 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
--- Day changed Fri Jul 03 2009
00:08 -!- thedoc [n=andelyx@119.73.165.162] has quit [Read error: 60 (Operation timed out)]
00:08 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
00:09 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
00:10 -!- thedoc [n=andelyx@119.73.165.162] has joined ##openvpn
00:19 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
00:32 -!- lilalinu- [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn
00:32 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit ["deswahnsinns.de"]
00:32 -!- lilalinu- is now known as lilalinux
00:51 -!- jeiworth [n=jeiworth@189.163.254.243] has quit ["No Ping reply in 90 seconds."]
00:52 -!- jeiworth [n=jeiworth@189.163.254.243] has joined ##openvpn
01:21 -!- SuperEvilDeath18 [n=death@212.206.209.177] has joined ##openvpn
01:35 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
01:39 -!- master_of_master [i=master_o@p549D3680.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:42 -!- master_of_master [i=master_o@p549D48B1.dip.t-dialin.net] has joined ##openvpn
01:58 -!- jeiworth [n=jeiworth@189.163.254.243] has quit [Read error: 110 (Connection timed out)]
02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 -!- russo [n=russo@p579F65FA.dip.t-dialin.net] has joined ##openvpn
02:23 -!- jeiworth [n=jeiworth@189.163.145.225] has joined ##openvpn
02:23 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
02:37 -!- vlt [n=dm@suez.activ-job.com] has left ##openvpn []
02:38 -!- SuperEvilDeath18 is now known as SuperEvilDeath
02:50 -!- jeiworth [n=jeiworth@189.163.145.225] has quit [Read error: 110 (Connection timed out)]
02:58 -!- troy- is now known as troy
03:09 -!- russo [n=russo@p579F65FA.dip.t-dialin.net] has quit []
03:10 -!- russo [n=russo@p579F65FA.dip.t-dialin.net] has joined ##openvpn
03:15 -!- russo [n=russo@p579F65FA.dip.t-dialin.net] has quit []
03:28 -!- YpsyZNC is now known as Ypsy
03:38 -!- Ypsy is now known as YpsyZNC
04:57 -!- thedoc [n=andelyx@119.73.165.162] has quit [Read error: 60 (Operation timed out)]
04:58 -!- thedoc [n=andelyx@119.73.165.162] has joined ##openvpn
05:07 -!- thedoc [n=andelyx@119.73.165.162] has quit ["Leaving"]
05:09 -!- bestgs [n=kaan@85.105.168.61] has joined ##openvpn
05:10 < bestgs> hello
05:11 < bestgs> I am implementing an openvpn failover for the client. I want the client to go back to remote1 when it is active again. Is there a way to do this?
05:18 < bestgs> anyone?
05:53 < n0g0> not with openvpn directly
05:53 < n0g0> you may write a script / program to do this
05:54 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
05:55 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
06:22 -!- bestgs [n=kaan@85.105.168.61] has quit []
06:37 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
06:39 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
06:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:42 -!- SuperEvilDeath [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
06:44 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
06:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
06:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
06:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
06:57 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Read error: 113 (No route to host)]
06:58 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
07:13 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection]
07:18 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
07:26 -!- RexMundi [n=RexMundi@77.95.99.166] has quit ["Ik ga weg"]
07:26 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
07:29 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection]
07:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
07:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
07:48 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn
08:12 -!- sigius [n=sigius@93.125.185.45] has quit [Remote closed the connection]
08:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:41 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has quit [Read error: 104 (Connection reset by peer)]
08:41 -!- Nirkus [i=rmf2mlh@bussle.hadiko.de] has joined ##openvpn
08:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:55 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
09:06 < ecrist> morning, fuckers.
09:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:39 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
09:39 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:50 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn
10:14 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 104 (Connection reset by peer)]
10:15 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn
10:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:29 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:29 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:29 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:29 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:30 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:31 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
10:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:37 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
10:39 < reiffert> !route
10:39 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:41 -!- bandinia [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
10:42 -!- bandini [n=bandini@host91-109-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
10:42 < |Mike|> ecrist: word.
10:51 -!- rob_ [n=rob@dust.cx] has joined ##openvpn
10:51 < rob_> hi
10:51 < rob_> why is this happening:
10:51 < rob_> Fri Jul 3 16:50:58 2009 Linux ifconfig failed: could not execute external program
10:51 < rob_> i have just installed ifconfig into /opt and linked /usr/sbin/ifconfig to /opt/net-tools/sbin/ifconfig
10:52 < rob_> im not sure what else to try to get rid of this error? where is it trying to find the command?
10:56 -!- rob_ [n=rob@dust.cx] has quit ["leaving"]
11:13 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- rob_ [n=rob@dust.cx] has joined ##openvpn
11:53 < rob_> hi
11:54 < rob_> im trying to use openvpn in an openvz VE, how can i test if tun is working properly?
11:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:13 -!- rob_ [n=rob@dust.cx] has quit ["leaving"]
12:18 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
13:06 < Nirkus> rob_: ifconfig should usually be placed within /sbin/ AFAIK
13:07 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit ["Leaving"]
13:25 -!- troy is now known as troy-
14:26 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:45 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Remote closed the connection]
15:11 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn
15:16 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn
15:18 < redfox> !redirect
15:18 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:19 < redfox> is chatting with this bot desired here?
15:20 < redfox> !def1
15:21 < vpnHelper> redfox: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:21 < redfox> !nat
15:21 < vpnHelper> redfox: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
15:29 < krzie> redfox, absolutely
15:29 < krzie> if you can manage to get answers from the bot, it completely served its purpose =]
15:29 < redfox> krzie: it does, thanks :;)
15:30 < krzie> np man
15:49 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
16:03 -!- Kryczek [i=kryczek@2001:470:1f0b:23e:0:0:0:4] has joined ##openvpn
16:06 < Kryczek> Hi everybody! I have a tiny problem with my OpenVPN setup, could somebody please help? I'm using a tun device with "server 10.6.0.0 255.255.255.0" and a client-config-dir/myclient with "ifconfig-push 10.6.0.2 10.6.0.1"... The server correctly assigns 10.6.0.2 to myclient on its side, but on the client side the tun device never comes up (and never gets its IP)
16:07 < krzie> !configs
16:07 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:07 < krzie> !logs
16:07 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:08 < unixSnob> will a vpn server function purely w/ openvpn configuration... or does the nat table need to be played with?
16:09 < Kryczek> krzie: there is nothing of relevance in them besides what I said (the rest is from the howto)
16:13 < krzie> unixSnob nat is only needed in certain situations, so it depends on your goal
16:14 < krzie> Kryczek, post them if youd like me to try to help
16:14 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 110 (Connection timed out)]
16:14 < krzie> oh
16:14 < krzie> Kryczek
16:14 < krzie> "ifconfig-push
16:15 < krzie> 10.6.0.2 10.6.0.1"
16:15 < krzie> is wrong
16:15 < krzie> see:
16:15 < krzie> !/30
16:15 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:15 < unixSnob> krzie: the goal is to tunnel to access the internet
16:15 < krzie> unixSnob, nat is the easier way to do it, but there is one other way
16:15 < krzie> see this:
16:15 < krzie> !redirect
16:15 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:15 < krzie> if you CANNOT do the nat ill tell ya the other method
16:17 < Kryczek> krzie: yeah, at first I tried putting 255.255.255.0 instead of 10.6.0.1... but I just found my solution: added --pull to the client. Thanks anyway :)
16:17 < unixSnob> well, i can probably do the nat changes. i'm new to this
16:17 < unixSnob> krzie: i was thinking it would be easier if I could just add a couple lines to the config file
16:18 < unixSnob> right now I get => MULTI: bad source address from client
16:18 < unixSnob> does that mean I need to set up nat?
16:19 < krzie> are you trying to connect a lan which is behind the client?
16:19 < unixSnob> The client is on a lan, behind a router
16:20 < krzie> right, are you trying to have that lan communicate over the vpn?
16:20 < unixSnob> so the client has an ip like 192.168.1.33
16:20 < unixSnob> krzie: eventually, but for now, just one machine
16:20 < krzie> well
16:21 < unixSnob> eventually a dd-wrt router will run the openvpn client
16:21 < unixSnob> and that will tunnel the whole lan
16:21 < krzie> if its a plan to do it, might as well fix that error and do 1 step of what youd need to do in 1 step
16:21 < krzie> !iroute
16:21 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:21 < krzie> add an iroute entry for the lan in a ccd entry for the client
16:22 < unixSnob> krzie: i did that... that's what some articles suggested for the issue
16:22 < unixSnob> krzie: i still have the problem.
16:22 < unixSnob> i added "client-config-dir ccd" and "route 10.10.1.0 255.255.255.0"
16:22 < unixSnob> Then I created a ccd folder
16:22 < unixSnob> I created a file called "client1"
16:23 < unixSnob> and it contains the line "iroute 10.10.1.0 255.255.255.0"
16:23 < krzie> client1 is the common-name of the client?
16:23 < unixSnob> probably not
16:24 < unixSnob> i named it huey when I created the key
16:24 < krzie> then you probably need to rename that file
16:24 < krzie> if unsure of the common-name see the server logfile when the client connects
16:24 < krzie> CN=
16:24 < unixSnob> i'll check
16:25 < unixSnob> okay, cn=huey... but I already tried naming the file huey
16:25 < krzie> it MUST be named EXACTLY as the common-name
16:25 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Success]
16:26 < krzie> then when it connects you should see something bout the ccd file being found and the iroute being added
16:26 < krzie> in the log
16:26 < krzie> (server log)
16:30 < unixSnob> doesn't work
16:30 < unixSnob> i see MULTI: internal route 10.10.1.0/24 -> huey/212.117.162.26:44075
16:30 < krzie> do you see the iroute get added?
16:30 < unixSnob> no
16:30 < krzie> ok
16:30 < krzie> thats it being added
16:30 < krzie> so yes =]
16:30 < unixSnob> ah
16:31 < krzie> still getting multi errors?
16:31 < unixSnob> okay.. not sure why it still fails
16:31 < unixSnob> yeah
16:31 < unixSnob> MULTI: bad source address from client
16:31 < krzie> paste the whole error
16:31 < unixSnob> huey/212.117.162.26:44075 MULTI: bad source address from client [192.168.1.37], packet dropped
16:32 < krzie> so what is 10.10.1.0/24
16:32 < krzie> ?
16:32 < unixSnob> not sure.. I was following some canned solutions, and tweaking them
16:32 < unixSnob> i guess that's the lan of the vpn
16:33 < krzie> well
16:33 < krzie> read this again
16:33 < krzie> !iroute
16:33 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:33 < krzie> aka, it should be the lan of the client
16:33 < krzie> 192.168.1.0/24
16:33 < unixSnob> ah, ok
16:33 < unixSnob> thanks
16:33 < krzie> however, in the future if you have a road warrior client as well
16:33 < krzie> and you start pushing that lan over the vpn
16:34 < krzie> you really must change the subnet of that lan
16:34 < krzie> cause any time the road warrior connects from 192.168.1.0/24 (1 of the 2 most common subnets) shit will break
16:37 < krzie> note, we did not fix your real problem just now, we worked around it
16:37 < krzie> the real problem is that your OS for some reason is using a source address of ethernet device when sending traffic out via tun device
16:37 < krzie> i have seen it before, have no clue why some peoples setups do it
16:39 < unixSnob> the real fix is to configure NAT?
16:39 < unixSnob> ah, i just recalled.. lol. I can't get online still
16:39 < unixSnob> the error is gone.. but I guess I still need to do the nat config
16:40 < krzie> right
16:40 < krzie> they were unrelated
16:40 < redfox> krzie: i tried to establish a simple server-client connection and used a pretty default config for that case. the connection works flawlessly but im not able to ping each other (no firewall issue), i think my client is getting a wrong subnet mask (10.x.x.x), any suggestions on fixing this?
16:42 < krzie> redfox
16:42 < krzie> !configs
16:42 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:42 < krzie> unixSnob, you using linux?
16:42 < unixSnob> yeah
16:42 < krzie> on your server:
16:42 < krzie> !def1
16:42 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:43 < krzie> !linipforward
16:43 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
16:43 < krzie> !linnat
16:43 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:43 < krzie> thats everything you should need
16:45 < unixSnob> thanks!
16:45 < krzie> np
16:47 < redfox> krzie: http://pastebin.org/86
16:47 < krzie> 86? really?
16:47 < krzie> wow
16:47 < krzie> never seen such a small # on pastebin
16:48 < redfox> hmm, i think they started a new counter
16:48 < krzie> you have dev tun on server and dev tap on client
16:48 < krzie> you should make both tun
16:48 < krzie> also:
16:48 < redfox> argh
16:48 < krzie> !tcp
16:48 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:50 < redfox> krzie: they now ping, thanks :)
16:50 < krzie> np =]
16:50 < krzie> you really want to use udp if you can
16:50 < krzie> also
16:50 < krzie> push "route 0.0.0.0 255.255.255.0"
16:50 < krzie> is that serious?
16:50 < redfox> already switched to udp
16:51 < redfox> nope, that was commented earlier... just a test. forget about that :)
16:51 < krzie> ok
16:51 < krzie> would you like some other tips?
16:51 < krzie> 2 related to hardening security
16:51 < krzie> 1 not
16:51 < redfox> of course, anytime
16:52 < redfox> (just started with openvpn)
16:52 < krzie> !hmac
16:52 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
16:52 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
16:52 < krzie> !mitm
16:52 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
16:52 < krzie> those are security related
16:52 < krzie> !ipp
16:52 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:52 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"]
16:52 < krzie> thats just letting you know your ipp command prolly doesnt do what you thought
16:57 < redfox> the first two: wow, i thought ssl already provides signature checking via MAC or other authentication algorithms. thanks for that one. mitm: does openvpn not notice about changed fingerprints of certificate? if it does, why is additional security needed?
16:57 < redfox> @ipp: thanks, will read.
16:58 < krzie> @ mitm...
16:58 < krzie> all it checks is if the cert was signed by same CA key
16:59 < krzie> with the info from !mitm the client checks that the server cert was signed AS a server cert
16:59 < krzie> you can use !servercert to see how to sign the server cert that way
17:00 < redfox> i understand, will look at it :)
17:00 < krzie> and ssl does provide some goodness for that, but HMAC sigs make it so packets can be dropped with no processing if they dont bear the hmac sig
17:00 < krzie> good for DOS prevention
17:04 < redfox> well, i also have an additional security layer to filter unwanted peers via firewall, i think (hope) this should be safe enough
17:06 < redfox> krzie: @tcp: a friend of mine told me to configure openvpn to use bridged ethernet, is that really a better way?
17:06 -!- Kryczek [i=kryczek@2001:470:1f0b:23e:0:0:0:4] has left ##openvpn ["thx"]
17:08 < krzie> no
17:08 < krzie> never use bridge unless you specifically need a layer2 protocol
17:09 < krzie> netbios for samba shares doesnt count as you should use wins for that
17:10 < redfox> ok, but why is it so bad?
17:10 < krzie> extra overhead, and opens vulnerability to layer2 attacks over the internet
17:10 < krzie> such as arp poisoning
17:11 < krzie> generally people who have no idea think bridging is the way to go, they are wrong
17:11 < krzie> you should always use routed unless you need a layer2 protocol
17:11 < krzie> !tunortap
17:11 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
17:12 < redfox> thats very interesting, thanks, i will tell him :)
17:12 < krzie> np =]
17:12 < redfox> !redirect
17:12 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:13 < krzie> you use linux?
17:13 < redfox> on server side
17:13 < krzie> !linnat
17:13 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:13 < krzie> !linipforward
17:13 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
17:14 < redfox> ok, but how to tell the client to use that routes?
17:14 -!- sth [n=sth@vor.thulbourn.com] has joined ##openvpn
17:14 < krzie> !def1
17:14 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:14 < sth> !howto
17:14 < vpnHelper> sth: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:14 < redfox> hehe, your bot it great ;)
17:14 < krzie> yup =]
17:14 < sth> I've managed to setup openvpn fine and I can connect, except I can't get to the outside world when connected
17:15 < sth> How do I solve this issue?
17:15 < krzie> sth:
17:15 < krzie> !redirect
17:15 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:15 < krzie> its not an issue, connecting to the outside world over the vpn isnt default
17:15 < krzie> you just need to configure for it =]
17:16 < sth> !def1
17:16 < vpnHelper> sth: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
17:17 < sth> !ipforward
17:17 < vpnHelper> sth: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
17:17 < sth> !linipforward
17:17 < vpnHelper> sth: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
17:17 < krzie> !linnat
17:17 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:20 < sth> mmm, I still don't understand how I add --redirect-gateway, I'm running openvpn from a init.d script
17:21 < krzie> umm
17:21 < krzie> like everything else in your openvpn
17:21 < krzie> in the config file
17:21 < krzie> here do this:
17:21 < krzie> push "redirect-gateway def1"
17:21 < krzie> in server.conf
17:22 < sth> mmm, still doesn't go to the outside world.
17:22 < krzie> you setup NAT?
17:23 < krzie> (on the server machine)
17:23 < sth> yup
17:23 < krzie> you restarted the server and client after adding that push?
17:23 < sth> yup
17:24 < krzie> !configs
17:24 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:24 < sth> http://pastebin.com/m5a43ad66
17:24 < krzie> thats one...
17:24 < sth> debian lenny, openvpn latest from apt
17:25 < sth> OpenVPN 2.1_rc7 i486-pc-linux-gnu
17:25 < krzie> latest from apt means nothing, openvpn is out of sync in most distros
17:25 < krzie> ahh there we go
17:25 < krzie> update that from source
17:25 < krzie> we use rc18
17:25 < krzie> !download
17:25 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
17:26 < sth> Does the version really matter?
17:26 < krzie> lol
17:26 < krzie> if it didnt, why would they make new ones?
17:26 < sth> The issue would still be present.
17:26 < krzie> thanx for your expert opinion on that
17:26 < krzie> but these RC candidates are bugfixes
17:26 < krzie> your version has known bugs
17:27 < krzie> so theres no guarantee that you were right about that
17:29 < krzie> also you are using tcp, i recommend using udp instead
17:29 < krzie> !tcp
17:29 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
17:29 < sth> UDP is closed here
17:29 < krzie> ok
17:29 < krzie> even port 53?
17:30 < sth> Probably not on that port
17:30 < krzie> right =]
17:30 < krzie> if you will be sending tcp traffic over the vpn, you will get a good benefit from changing to udp
17:30 < krzie> for the tunnel proto
17:32 < sth> I'll give it a go when this is done compiling
17:35 < krzie> and why is duplicate-cn enabled?
17:36 < sth> Is there a init.d script for debian, I see one for redhat, but not debian
17:37 < krzie> i dont even use linux
17:37 < krzie> and thats OS specific, not openvpn related really
17:50 < sth> port 53 is closed apparently
17:50 < krzie> we're talkin outbound, right?
17:50 < sth> yup
17:50 < krzie> gotchya
17:50 < sth> ...and my issue is still here.
17:50 < krzie> ok
17:50 < krzie> !logs
17:50 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:52 < sth> With verb set 6, I can't even connect to the vpn
17:52 < redfox> i have to say, i followed exactly the steps and the gateway is now working fine. sth: i suggest you check your firewall settings
17:53 < krzie> sth, then you cant connect with it set to anything else
17:53 -!- Snadder [i=sander@39.178.251.212.customer.cdi.no] has joined ##openvpn
17:53 < krzie> because verb only changes logging verbosity
17:53 < sth> krzie: connected fine with 3.
17:53 < krzie> verb only changes logging verbosity
17:54 < krzie> maybe you still have 1 set to udp
17:55 < sth> Nope.
17:55 < krzie> well post the logs
17:58 < sth> mm
17:58 < sth> It's not connecting with verb 3 either
17:58 < krzie> no shit
17:58 < krzie> verb only changes logging verbosity
17:58 < redfox> lol
17:58 < redfox> funny =)
17:58 < krzie> heh
17:58 < sth> It was connecting before I changed it
17:59 < redfox> obv not
17:59 < Snadder> Would it be useful with a script which automatically creates the necessary keys for a server and all clients and copy them to each client over ssh?.. the script also adds each client to /etc/hosts automatically, with both the internal and external ip of clients.
17:59 < Snadder> I have such a script, and maybe want to improve it a bit more and "release" it..
18:00 < krzie> im sure some would get use from it
18:00 < krzie> personally my CA box never connects to any networks
18:00 < krzie> but its a matter of how serious someone takes security
18:01 < krzie> i know ild link some people to it
18:01 < Snadder> I could make it so that there is a separate command of generating the ca's and copying them
18:01 < Snadder> cool.
18:01 < Snadder> Then i'll do it
18:02 < krzie> also you may like this:
18:02 < krzie> !ssl-admin
18:02 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
18:03 < krzie> a nice perl script for generating certs and whatnot
18:09 < Snadder> Thanks. a lot of tips in this script
18:09 < krzie> np
18:10 < krzie> the real thx there goes to ecrist
18:10 < krzie> that was his creation
18:16 < sth> http://pastebin.com/m10ae4d69
18:16 < sth> that's my log
18:17 < krzie> i thought you said you upgraded...
18:17 < krzie> thats rc7 still
18:17 < sth> I did, then I downgraded again since it wasn't the problem
18:18 < krzie> let me get this straight
18:18 < krzie> you downgraded to a version with known bugs
18:18 < krzie> is that right?
18:18 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:18 < sth> Yes, because this version has an init.d script.
18:18 < krzie> that same script will work for any version
18:19 < krzie> its just a wrapper script given to you by your distro's packager
18:19 < krzie> and you're getting compression errors
18:19 < krzie> i see
18:19 < krzie> comp-lzo is enabled on the server
18:19 < krzie> check if it is enabled on the client
18:21 < |Mike|> Heya krzie :)
18:21 < krzie> sup mike
18:21 < krzie> hows it goin
18:22 < |Mike|> chillin last days
18:22 < |Mike|> friggin 35C
18:22 < redfox> |Mike|: here too, where do you live?
18:22 < krzie> we use celsius here, but i havnt gotten used to it yet
18:22 < |Mike|> redfox: netherlands
18:22 < krzie> and its hot as shit out here
18:22 < |Mike|> 80 / 90 F
18:22 < krzie> 80-90 is nice weather
18:22 < redfox> |Mike|: hello neighbour :)
18:23 < |Mike|> german or belgium ? :)
18:23 < redfox> ger =)
18:23 < |Mike|> krzie: too hot here
18:23 < |Mike|> it was 18C a week ago
18:23 < redfox> but this evening was a heavy storm, did u got that too?
18:23 < |Mike|> now it's 35 / 36 C
18:23 < krzie> redfox we have a couple people here that help a lot from germany
18:23 < |Mike|> redfox: no, i'm located in the south of netherland (near maastricht)
18:23 < krzie> moin moin!
18:23 < |Mike|> only the north parts had to deal with it
18:24 < sth> with r18: http://pastebin.com/m13d2897c
18:24 < sth> except with this version it doesn't connect at all
18:24 < redfox> ah, ok... well its over now, but it was really like a world ending
18:24 < redfox> krzie: moin :) nice to hear that
18:24 < |Mike|> redfox: you're in the north part of germany ?
18:25 < krzie> sth, that log doesnt have a connection attempt in it...
18:25 < redfox> |Mike|: no, living currently near your border, in the west part (nordrhein-westfalen).
18:25 < |Mike|> aachen ? ;)
18:25 < redfox> quite... bochum :)
18:25 < |Mike|> that's close
18:26 < redfox> *close i meant
18:26 < |Mike|> 160km :p
18:26 < redfox> do you have business here?
18:26 < krzie> sth, but im guessing you'll still get this error: Bad LZO decompression header byte: 69
18:26 < krzie> and i told you what to look for
18:27 < krzie> i would be able to say for sure but you never pastebin'ed the client config as requested
18:28 < sth> ehttp://pastebin.com/m4181ae1d
18:28 < redfox> sth: thats a log
18:28 < sth> Client config is a simple, cert.crt, simon.crt, simon.key going to my server on port 1194
18:28 < |Mike|> redfox: it's really low atm.
18:29 < krzie> sth, well it has the error i expected
18:29 < redfox> |Mike|: you mean temperature?
18:29 < |Mike|> work.
18:29 < krzie> so do what i said since you havnt posted your client config
18:29 < krzie> or stop assuming what i ask for doesnt matter and post it... either way
18:30 < sth> And what did you suggest?
18:30 < krzie> well i have the server config and i see comp-lzo is enabled
18:30 < krzie> check the client has it enabled
18:30 < redfox> |Mike|: know what you mean... same here
18:30 < krzie> and either enable on both or remove it from both, just make sure they match
18:31 < sth> it does and it's enabled
18:31 < krzie> try disabling on both then
18:31 < |Mike|> redfox: i lost my job currently due the financial state. Job market is really low....
18:32 < krzie> and if theres something wrong with your client config, i hope you find it yourself
18:32 < redfox> |Mike|: thats bad news... :( im currently studying, but also did a job as a developer besides... also lost it the same reason
18:32 < krzie> mike, you ever fully finish that vpn?
18:33 < |Mike|> krzie: yes, works fine now :d
18:34 < krzie> =]
18:34 < krzie> good
18:34 < redfox> also for me, fyi =)
18:34 < |Mike|> fixed the TLS / certs etc and the gateway issue on the box
18:34 < krzie> ya the gateway issue was the final piece iirc
18:35 < |Mike|> yep, i had to recompile the kernel etc
18:35 < reiffert> moin
18:35 < krzie> oh right, for NAT
18:35 < krzie> thats what it was
18:35 < krzie> moin reif!
18:35 < redfox> you need to recompile a kernel for nat?
18:35 < redfox> hi reiffert
18:36 < krzie> redfox, reif is one of the germans i was referring to
18:36 < krzie> thats helps in here
18:36 < |Mike|> on a custom FreeBSD kernel yes :)
18:36 < krzie> that*
18:36 < redfox> i see :)
18:36 < |Mike|> i hate default stuff
18:36 < krzie> even in linux NAT requires a recompile
18:36 < krzie> at least in gentoo
18:36 < redfox> |Mike|: ditto, but i enable netfilter for default =)
18:36 < krzie> cant say ive ever ran a live server in any other linux
18:36 < |Mike|> pf++
18:37 < krzie> pf ftw!
18:37 < reiffert> grezzee
18:37 < |Mike|> krzie: i met peter postma
18:37 < |Mike|> ( pf dev!)
18:37 < krzie> never hearda him
18:37 < krzie> oh shit
18:37 < krzie> coolness
18:37 < krzie> smoke one with him?
18:37 < redfox> krzie: did you said you dont use linux?
18:38 < |Mike|> krzie: a few beers :d
18:38 < krzie> redfox, not much
18:38 < krzie> redfox, ive had gentoo live before, and i have a debian virtual machine
18:38 < krzie> i prefer freebsd
18:38 < redfox> apple guy?
18:38 < |Mike|> i haven't ran linux since 2000
18:38 < redfox> ah. bsd
18:38 < krzie> and osX for desktop, yes
18:38 < krzie> if i want a mouse, osX
18:38 < |Mike|> net/freebsd unf unf
18:38 < krzie> server, freebsd
18:39 < redfox> bsd is indeed very secure
18:39 < |Mike|> not on default
18:39 < |Mike|> it runs sendmail.
18:39 < |Mike|> (open relay)
18:39 < krzie> does it run on external interface tho?
18:39 < redfox> did u confed or deleted it? =)
18:40 < krzie> i havnt looked around a default install without changing stuff right away in a long time
18:40 < |Mike|> krzie: lo0 :p
18:40 < krzie> hows that an open relay then?
18:40 < redfox> wasnt it lo ?
18:41 < |Mike|> you can talk on lo0 as well :)
18:41 < reiffert> it's sendmail and people dont like to learn m4.
18:41 < krzie> |Mike|, from the inet?
18:41 < |Mike|> krzie: no, only local.
18:41 < reiffert> apropos freebsd is secure:
18:41 < krzie> |Mike| then its not an open relay
18:42 < |Mike|> but if you add an IP on bge0 or smt it links automatically
18:42 < |Mike|> reiffert: securelevel 3 ? ;) lol
18:42 < reiffert> FreeBSD 7.0-RELEASE (GENERIC) #0: Sun Feb 24 19:59:52 UTC 2008
18:42 < krzie> anyone can relay with any mail server on their box if they have local access
18:42 < reiffert> reiffer@informatix$
18:42 < redfox> reiffert: my gentoo machine is running since 2006. so no argument =)
18:43 < |Mike|> FreeBSD 6.3-RELEASE i386
18:43 < krzie> bad uptime non-kernel patchers!
18:43 < reiffert> reiffer@informatix$ telnet
18:43 < reiffert> telnet> auth disable SRA
18:43 < redfox> hrhr :>
18:43 < |Mike|> ./exec - -o uname -srm
18:43 < reiffert> telnet> environ define LD_PRELOAD /tmp/libno_ex.so.1.0
18:43 < reiffert> telnet> open localhost
18:43 < reiffert> Trying 127.0.0.1...
18:43 < reiffert> Connected to localhost.
18:43 < reiffert> # whoami
18:43 < reiffert> root
18:43 < reiffert> #
18:43 < krzie> 7.2-RELEASE FreeBSD 7.2-RELEASE #0: Wed May 27 10:13:01 CDT 2009
18:44 < |Mike|> this box had 400 days uptime and due some powerfail @ leaseweb it crashed :P
18:44 < |Mike|> 1:43AM up 30 days, 18:12, 1 user, load averages: 0.02, 0.01, 0.00
18:44 < reiffert> so shutup.
18:44 < |Mike|> it's secure as hell :-)
18:44 < krzie> nice reif
18:45 < reiffert> http://www.milw0rm.com/exploits/8055
18:45 < vpnHelper> Title: FreeBSD 7.0-RELEASE Telnet Daemon Local Privilege Escalation Exploit (at www.milw0rm.com)
18:45 < |Mike|> users can't run ssh / telnet etc
18:45 < redfox> reiffert: i said nothing :x
18:45 < |Mike|> if you aint in the wheel groupstar
18:45 < reiffert> give wheel to every user, yeah!
18:46 < |Mike|> hahaha
18:46 < |Mike|> no cookies?
18:53 * krzie gives mike a cookie
18:53 < |Mike|> aww..
19:12 < krzie> sth, did you disable comp-lzo on both sides and try again?
19:13 < krzie> i have a feeling you're either missing lzo headers on one or have a corrupted one or wrong version of one
19:31 -!- jeiworth [n=jeiworth@189.163.145.225] has joined ##openvpn
19:42 -!- carcara [n=claudemi@200-181-171-73.ctame705.dsl.brasiltelecom.net.br] has joined ##openvpn
19:42 < carcara> hi people,
19:45 < carcara> I have one server openvpn, and i dont know what is the difference the TUN and TAP?
19:48 -!- carcara [n=claudemi@200-181-171-73.ctame705.dsl.brasiltelecom.net.br] has left ##openvpn ["Konversation terminated!"]
20:33 < krzie> someone didnt read the man page...
20:51 -!- Douglas [n=doug@64.18.154.245] has joined ##openvpn
20:51 < Douglas> hai
20:51 < krzie> hai@u
20:52 < Douglas> sup krzie
20:54 < krzie> bored for about 15 more mins
20:57 < Douglas> ah
20:57 < Douglas> krzie: colo contracts suck
20:57 < Douglas> to move to the provider i want
20:57 < Douglas> i need to ink a 1 year contract
20:59 < krzie> thats pretty normal...
20:59 < krzie> didnt know that?
20:59 < Douglas> i know it
20:59 < Douglas> i just hate it
20:59 * Douglas is on a 3 month contract in NYC
20:59 < Douglas> 3 months i can dea..
20:59 < Douglas> deal..
20:59 < Douglas> 6 is pushing it
20:59 < Douglas> 12 fuck you
21:09 -!- jeiworth [n=jeiworth@189.163.145.225] has quit [Read error: 60 (Operation timed out)]
21:09 < krzie> so just stay put
21:11 < Douglas> krzie: i hate the place i am now
21:11 < Douglas> did i tell you how long i have waited to get in ther?
21:11 < Douglas> there
21:25 < Douglas> bastards made me wait 3 hours one time
21:35 -!- xp_prg [n=xp_prg3@mec0f36d0.tmodns.net] has joined ##openvpn
21:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
21:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
22:37 < xp_prg> hi ksnp :>
22:37 < xp_prg> did you get the help you needed?
22:56 -!- memiux [n=memiux@pool-96-248-226-89.snloca.dsl-w.verizon.net] has joined ##openvpn
23:04 < memiux> How can setup my VPN server, I have followed this article http://nielsvz.com/2009/02/running-openvpn-on-ubuntu-810-server/ but i can't connect to my server
23:04 < vpnHelper> Title: Running OpenVPN on Ubuntu 8.10 Server (at nielsvz.com)
23:05 -!- jeiworth [n=jeiworth@189.163.145.225] has joined ##openvpn
23:15 -!- jeiworth [n=jeiworth@189.163.145.225] has quit [Remote closed the connection]
23:17 -!- jeiworth [n=jeiworth@189.163.145.225] has joined ##openvpn
--- Day changed Sat Jul 04 2009
00:06 -!- xp_prg [n=xp_prg3@mec0f36d0.tmodns.net] has quit ["This computer has gone to sleep"]
00:24 < StormWlf> !multi
00:24 < vpnHelper> StormWlf: Error: "multi" is not a valid command.
00:24 -!- memiux [n=memiux@pool-96-248-226-89.snloca.dsl-w.verizon.net] has quit []
00:24 < StormWlf> !help
00:24 < vpnHelper> StormWlf: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
00:25 < StormWlf> !dnsmasq
00:25 < vpnHelper> StormWlf: Error: "dnsmasq" is not a valid command.
00:25 < StormWlf> !plugin dnsmasq
00:25 < vpnHelper> StormWlf: Error: "plugin" is not a valid command.
00:25 < StormWlf> !learn-address
00:25 < vpnHelper> StormWlf: Error: "learn-address" is not a valid command.
00:37 -!- memiux [n=memiux@pool-96-248-226-89.snloca.dsl-w.verizon.net] has joined ##openvpn
00:37 -!- memiux [n=memiux@pool-96-248-226-89.snloca.dsl-w.verizon.net] has left ##openvpn []
01:37 < reiffert> !factoids search multi
01:37 < vpnHelper> reiffert: No keys matched that query.
01:37 < reiffert> !factoids search dns
01:37 < vpnHelper> reiffert: 'pushdns' and 'dns'
01:37 < reiffert> !factoids search learn
01:37 < vpnHelper> reiffert: No keys matched that query.
01:37 < reiffert> !factoids search address
01:37 < vpnHelper> reiffert: No keys matched that query.
01:38 < reiffert> !dns 01:38 < vpnHelper> reiffert: "dns" is Level3 open recursive DNS server at 4.2.2.1 01:38 < reiffert> !pushdns 01:38 < vpnHelper> reiffert: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 01:39 -!- master_of_master [i=master_o@p549D48B1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:42 -!- master_of_master [i=master_o@p549D4931.dip.t-dialin.net] has joined ##openvpn 02:12 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 02:26 -!- Snadder [i=sander@39.178.251.212.customer.cdi.no] has quit [Remote closed the connection] 02:45 -!- sth [n=sth@vor.thulbourn.com] has left ##openvpn [] 02:50 -!- thedoc_ [n=andelyx@38.108.110.106] has joined ##openvpn 03:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 03:11 -!- linux_manju [n=manju@119.82.98.161] has joined ##openvpn 03:12 < linux_manju> hi all 03:12 < linux_manju> How do I disable access to a specific client? 03:13 < linux_manju> for eg.. if I have client1 to client10 .. and I would like to disable access to client1 without affecting other users.. How do I do that 03:17 -!- c64zottel [n=hans@p5B17A1F6.dip0.t-ipconnect.de] has joined ##openvpn 03:36 < reiffert> !revoke 03:36 < vpnHelper> reiffert: Error: "revoke" is not a valid command. 03:36 < reiffert> linux_manju: you revoke the cert. 03:36 < reiffert> it's covered in the howto. 03:36 < reiffert> !howto 03:36 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 03:47 < linux_manju> reiffert: If I am creating certs and keys in a different PC other than the Openvpn Server 03:47 < linux_manju> reiffert: After revoke what are all the things I need to copy back to the server? 03:47 < linux_manju> reiffert: Only server.crt would do? 03:49 < reiffert> How about you create a fresh certificate and try it out? 03:49 < linux_manju> reiffert: I Have already done that.. Trying now. thanks 03:50 < reiffert> You will also need the crl at least. 03:53 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 03:55 < linux_manju> reiffert: No luck with revoke 03:55 < linux_manju> reiffert: Looks like revoke only works if the certificate is about to expire it will change the time stamp 03:56 < linux_manju> correct me if I am wrong 03:59 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn 04:31 -!- zheng_ [n=zheng@114.92.132.65] has joined ##openvpn 04:34 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn 04:36 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:55 -!- |ns|nR8 [n=doof@CPE-124-185-216-147.qld.bigpond.net.au] has joined ##openvpn 04:56 -!- zheng [n=zheng@114.92.132.65] has quit [Success] 05:09 -!- zheng_ [n=zheng@114.92.132.65] has quit [Read error: 60 (Operation timed out)] 05:16 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Connection timed out] 05:58 < linux_manju> For anyone facing the same problem.. This is what works.. revoke-full client1 and then copy keys/crl.pem openvpn keys directory.. 
Add a line in openvpn crl-verify /path/to/crl.pem 06:03 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 06:11 -!- steve__ [n=doof@CPE-124-185-216-147.qld.bigpond.net.au] has joined ##openvpn 06:12 -!- steve__ [n=doof@CPE-124-185-216-147.qld.bigpond.net.au] has quit [Client Quit] 06:21 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Success] 06:23 -!- unixSnob_ [n=jj@starfury.spearlink.com] has joined ##openvpn 06:23 -!- c64zottel [n=hans@p5B17A1F6.dip0.t-ipconnect.de] has left ##openvpn [] 06:24 < unixSnob_> krzie: the other day you said there was a complicated way to route traffic to the internet on the server side without using NAT 06:24 < unixSnob_> krzie: can you give any hints? I don't have the option of using iptables 06:29 < unixSnob_> does anyone know? 06:37 < linux_manju> unixSnob_: Can you explain your problem? 06:47 < unixSnob_> linux_manju: the openvpn server runs inside an openvz node (a VE), so the server does not have permission to mess with the NAT table 06:47 < unixSnob_> otherwise, I could simply run "sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" 06:48 < unixSnob_> I'm thinking the "route" command might work.. no? 07:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 07:48 -!- |ns|nR8 [n=doof@CPE-124-185-216-147.qld.bigpond.net.au] has quit [Remote closed the connection] 08:04 < Douglas> thedoc_: ping 08:05 < thedoc_> Douglas, pong! 08:06 < Douglas> thedoc_: box ok? 08:06 < thedoc_> Excellent 08:06 < thedoc_> :) 08:06 < Douglas> going to pm oyu.. 
08:06 < Douglas> you 08:09 < thedoc_> !win7 08:09 < vpnHelper> thedoc_: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 08:48 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 08:50 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn 08:54 -!- thedoc [n=andelyx@bb116-14-185-132.singnet.com.sg] has joined ##openvpn 08:54 < thedoc> Douglas, ping 08:54 < Douglas> hi 08:54 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 08:54 < thedoc> \o 08:54 < thedoc> o/ 08:57 < Douglas> hi hi 08:58 -!- linux_manju [n=manju@119.82.98.161] has quit ["leaving"] 08:59 -!- thedoc [n=andelyx@bb116-14-185-132.singnet.com.sg] has quit ["Leaving"] 09:11 < Douglas> freebsd wins 09:11 * Douglas loves the watch command 09:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:31 < Douglas> hey krzee 09:32 < krzee> sup man 09:32 < Douglas> nada 09:32 < Douglas> waiting for my provider to email me back for thedoc 09:32 < Douglas> lol 09:34 < krzee> im waiting on my girl to get done in the salon so we can get outta town 09:34 < krzee> for the afternoon 09:35 < Douglas> sweet 09:42 < krzee> make sure you've updated to the lastest openssh release - OpenSSH 4.3* is vulnerable to a remote root exploit (if you're using Debian Etch, you'll be running a vulnerable version).. 09:42 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"] 09:44 < Douglas> fuck 09:45 < Douglas> krzee: did they release a patch? 
09:45 < Douglas> or do i need to compile 09:45 < krzee> apt-get install zlib1g zlib1g-dev libwrap0 libwrap0-dev libssl-dev 09:45 < krzee> wget http://mirror.mcs.anl.gov/openssh/portable/openssh-5.2p1.tar.gz && tar zxvf openssh-5.2p1.tar.gz && cd openssh-5.2p1 && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-tcp-wrappers && make && make install && /etc/init.d/ssh stop; /etc/init.d/ssh start 09:46 < krzee> or if you use freebsd, portinstall openssh-portable 09:46 < Douglas> krzee: where did you get this from 09:46 < krzee> or portupgrade 09:46 < krzee> from a friend 09:46 * Douglas saves 09:46 < krzee> i dont have the sploit yet tho =/ 09:46 * Douglas starts upgradig all boxes 09:47 * Douglas wonders if redhat boxes are vulnerable 09:49 < krzee> its not the distro 09:49 < krzee> its the sshd 09:49 < Douglas> yes i know 09:50 < Douglas> but i was referring to the stock sshd version on red hat 09:50 < krzee> well gimme an ip 09:50 < krzee> ill pull the banner for ya 09:50 < Douglas> haha 09:50 < Douglas> i can just telnet to it 09:50 < Douglas> right 09:50 < Douglas> SSH-2.0-OpenSSH_4.3 09:50 < Douglas> ouch 09:51 < krzee> hehe 09:51 < krzee> http://www.webhostingtalk.com/showthread.php?t=873387 09:51 < vpnHelper> Title: SSANZ - Server Systems Administration NZ. 
- Web Hosting Talk (at www.webhostingtalk.com) 09:51 < krzee> you'll like that one 09:53 < Douglas> well krzee 09:53 < Douglas> time to write a script to recompile latest for centos 09:53 < Douglas> and send out an email to all clients 09:54 -!- p3ri0d [i=p3ri0d@200.2.147.155] has joined ##openvpn 10:04 < Douglas> lool 10:04 < Douglas> krzee my friend is running openssh 3.9 10:04 -!- jeiworth [n=jeiworth@189.163.145.225] has quit [Read error: 110 (Connection timed out)] 10:06 < krzee> hah 10:07 < Douglas> centos 4 stil 10:07 < Douglas> l 10:07 < krzee> centos* is the lulz 10:07 < Douglas> centos is okay 10:07 < Douglas> not great 10:07 < Douglas> its okay 10:07 < krzee> if by okay you mean weaksauce 10:07 < Douglas> krzee: what's the file for debian that has teh debian version 10:08 < Douglas> so i can do an if [ -e] it 10:08 < krzee> *shrug* i dont use linux dude 10:08 < krzee> you'll figure it out 10:09 < Douglas> loolk 10:09 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 10:21 -!- p3ri0d [i=p3ri0d@200.2.147.155] has quit [Connection timed out] 10:27 -!- p3ri0d [i=p3ri0d@200.2.155.237] has joined ##openvpn 10:29 < Douglas> for any lazy people on centos or debian who want a scripted patch 10:29 < Douglas> http://mirror.bergenhosting.com/scripts/sshd.sh 10:44 -!- unixSnob_ [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)] 10:45 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 10:48 -!- p3ri0d [i=p3ri0d@200.2.155.237] has quit ["Leaving"] 10:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:26 -!- toehio [n=toehio@dyn.83-228-186-105.dsl.vtx.ch] has joined ##openvpn 11:27 < toehio> Hello. To use openVPN,does the client need it as well? 11:28 < redfox> toehio: Yes. 11:28 < toehio> redfox: Oh. 11:28 < toehio> redfox: I was looking for an opensource alternative to Hamachi. Do you know of any? 
11:28 < redfox> You need the openVPN client (which is the server as well), it just depends on the configuration. 11:29 < redfox> openVPN is what you are searching for. 11:29 < redfox> Instead of using the Hamachi client, u use the openVPN client :) 11:29 < toehio> redfox: Oh, OK! 11:29 < redfox> But your peers need openVPN as well, or alternatively, you need a central server. 11:29 < toehio> Ah, I just managed to install openvpn on my mac, so I guess it's problem solved! 11:30 < redfox> well done :) 11:30 < redfox> you may want to read this 11:30 < redfox> !howto 11:30 < vpnHelper> redfox: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:30 < toehio> Is there an easier way of creating VPNs through SSH tunnels? 11:31 < redfox> i find no difficulty in that... what is your difficulty? 11:31 < redfox> or what do you wanna do? 11:32 < toehio> I have a fileserver running at home on a ubuntu server 11:32 < toehio> actually, a torrent tracker 11:32 < toehio> and was looking for a secure way of using it 11:32 < redfox> well, i think a ssh tunnel should be sufficient for this purpose 11:33 < toehio> I managed to do it with hamachi, but I don't like hamachi anymore 11:33 < redfox> if you want to tunnel a single port, ssh tunneling is the perfect technique to do that (in my opinion) 11:33 < toehio> redfox: No, I was having problems with the tracker because when I tunnel in the tracker sees both the torrent clients coming from localhost 11:33 < redfox> VPNs are mainly used to connect to secure networks 11:34 < redfox> toehio, explain... 11:34 < redfox> dont understand that 11:35 < toehio> redfox: I made a torrent with the tracker "localhost:6969/announce". I upload it to my server and to a client on a different network. Both clients can connect to the tracker and see that there is another seeder/leecher. However the torrent isn't transferred! 
11:37 < redfox> but the tracker is using only one port and has nothing to do with the transfer itself, does it? 11:37 < redfox> (im not familiar with the bittorrent protocol) 11:37 < toehio> yeah 11:37 < toehio> the tracker is just supposed to show each client where the other clients are 11:37 < redfox> so if you are connecting to the tracker, the problem is somewhere else 11:38 < toehio> and since i tunneled, the tracker must have seen two clients on the same box! 11:38 < toehio> when I did it with hamachi, it worked well 11:40 < redfox> ah, i think i know what you mean... the torrent includes the address of the tracker 11:40 < redfox> well, as its "localhost", its no wonder it wont work 11:40 < redfox> you may add the external address of it 11:40 < redfox> or, are your peers in the same local network as your tracker? 11:41 < redfox> is that what you used vpn for? 11:42 < redfox> ok wait... you locally tunneled port 6969 of the tracker to your machine, right? 11:48 < redfox> toehio? 11:48 < toehio> redfox: sorry, was on the phone 11:49 < redfox> no prob 11:49 < toehio> redfox: there is one peer on the same box as the server and one peer on a different network 11:50 < redfox> i c 11:50 < redfox> then the "other" peer has to tunnel the tracker port to this machine 11:50 < redfox> then a "localhost" torrent would work 11:50 < toehio> yes, i tunneled port 696 to the tracker localhost:6969 --> server:6969 11:51 < toehio> both peers recognized the tracker and the tracker recognized that there were two peers 11:51 < redfox> you should do that the other way, server:6969 --> localhost:6969 (so that port 6969 listens on your machine) 11:51 < redfox> oh, ok 11:52 < toehio> I'm working on setting up openVPN now 11:52 < redfox> okay 11:52 < toehio> I have a dir "/etc/openvpn/easy-rsa/2.0/" where all the keys stuff is 11:53 < toehio> in the "vars" file, should export = D=/etc/openvpn/easy-rsa/2.0/ ? 
11:54 < redfox> i dont know about any "vars" file, but this directory is usually only used once (to create keys and certificates) 11:54 < toehio> yeah 11:55 < toehio> where do I put the keys once I've made them? 11:55 < redfox> in a directory of your choice, /etc/openvpn/certs for example (u name the path in your config) 11:56 < redfox> ok, now i know which vars file u meant 11:56 < redfox> thats the file where u usually only adjust CA names and stuff 11:56 < redfox> the rest should be set properly 11:57 < toehio> OK, I made the keys 11:57 < toehio> now I just need to copy them to the client 11:58 < redfox> exactly 11:59 < toehio> Oh boy, there is no /etc/openvpn in Mac OS X! 11:59 < redfox> no matter, you can put them on any place you like 11:59 < redfox> (which should be safe of course :) 12:03 < toehio> what port does openvpn run on? 12:04 < toehio> is 1194 the default port? 12:06 < redfox> yep 12:06 < redfox> but you can easily adjust it via config 12:06 < redfox> in openvpn, everything is set in the config 12:07 < toehio> yeah, I see 12:16 < toehio> I am following this tutorial: http://www.ventanazul.com/webzine/articles/openvpn-ubuntu-and-hulu 12:17 < vpnHelper> Title: Install OpenVPN on Ubuntu, Hulu Outside the US and Network Security | Ventanazul (at www.ventanazul.com) 12:19 < redfox> toehio: looks like it should be sufficient for what you intend to do 12:19 < toehio> yeah 12:20 < toehio> Now that i have it all configured, I am struggling to start it up 12:20 < redfox> whats the matter? 12:20 < redfox> it just doesnt start? 12:21 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 104 (Connection reset by peer)] 12:22 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 12:22 < unixSnob> is there a verbosity level that shows each packet going out? 12:23 < toehio> OK, the server started without an error. 
But the client gives an error 12:23 < redfox> toehio: !logs and !configs :) 12:23 < toehio> yeah 12:23 < redfox> !logs 12:23 < vpnHelper> redfox: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 12:23 < redfox> !configs 12:23 < vpnHelper> redfox: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:28 < toehio> http://pastebin.com/d50c3b344 12:30 < toehio> redfox: When I load the client I do: openvpn --config openvpn.conf and I get error on line 2: Unrecognized option or missing parameter(s) in /Users/username/.openvpn/openvpn.conf:2: clent 12:31 < toehio> nice! I found tunnelblick: openvpn client for mac! 12:34 < unixSnob> does the server need to know the ip address of the clients gateway? 12:36 < redfox> unixSnob: i dont think so, why should he? 12:37 < redfox> toehio: config seems to be ok on the first look, but you should use udp instead of tcp 12:38 < toehio> I am trying tunnelblick, I will see if it works better than my install of openvpn 12:38 < redfox> ok 12:39 < redfox> but you should switch to udp anyway :) 12:41 < toehio> noooo! It was a typo! client != clent 12:41 < redfox> wow, missed it, sorry :-( 12:43 < toehio> It keeps on timing out for some reason 12:44 < redfox> as you configured your server to tell the client about new routes, did you configured your firewall properly? 12:44 < redfox> !redirect 12:44 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
12:44 < redfox> !nat 12:44 < vpnHelper> redfox: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 12:44 < toehio> I think so 12:44 < toehio> it appears the server is not running! 12:45 < redfox> do you connect each other? 12:46 < toehio> when I do "nmap localhost" on the server, I don't see port 1194 12:47 < toehio> how do I check that my configuration works? 12:47 < toehio> when I start my server, I don't get an error. Does that mean it works? 12:53 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn 12:54 < plt> hi, i am able to get ip address from windows client to linux server, but can't ping 13:03 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"] 13:22 < redfox> toehio: try netstat to see if the port is open. after connecting each other, ping the peers to see if its working 13:22 < redfox> plt: 13:22 < redfox> !configs 13:22 < vpnHelper> redfox: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:24 < plt> redfox : i am on it 13:31 < plt> i put at http://pastebin.com/m4bd0bb4c 13:32 < plt> the client gets ip address as 10.8.0.10 13:33 < plt> but can't ping 13:37 < plt> redfox ? 13:38 < redfox> yeah 13:38 < redfox> wait 13:39 < redfox> ok 13:40 < redfox> config seems ok 13:40 < redfox> client is running winXP? 
13:42 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 13:42 < plt> yes 13:42 < plt> i updated the pastebin with the ipconfig and route print on the windows xp 13:42 < plt> http://pastebin.com/m7858e9b0 13:42 < redfox> plt: tried to ping the 10.8.0.10 from server side? 13:43 < plt> yes, it doesn't ping 13:43 < plt> i noticed in the ipconfig on the winxp - i don't see a gateway defined 13:43 < plt> could that be the problem ? or is that expected sort of a thing ? 13:43 < redfox> thats not the default behaviour of openvpn 13:43 < redfox> but thats also not the problem of pinging 13:43 < redfox> did u configure your firewall? 13:44 < plt> i disabled firewall on windows, and enabled on debian server 13:44 < plt> sorry disabled on server too 13:44 < unixSnob> My logs show UDPv4 WRITE, UDPv4 READ, TUN WRITE, and TUN READ... what do those mean? My tunnel is udp, so I'm not sure why they are logged as separate networks 13:45 < redfox> plt: client pinging 10.8.0.1 doesnt work either? 13:45 < plt> yes 13:45 < plt> i can ping 10.8.0.10 (i.e. itself) from the client and also 10.8.0.1 (itself) from the server 13:45 < plt> iptables has : 6465 4077K ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 13:45 < plt> so i guess firewall is disabled ? 13:46 < redfox> can u post the output of iptables -L ? 13:46 < plt> (to confirm) 13:46 < redfox> unixSnob: what do you want to know? a connection over tun is tunneled via UDP... 13:47 < plt> http://pastebin.com/m24b3dced - i put under word "Firewall" 13:48 < unixSnob> redfox: right.. i know the connection is udp. Now when I'm looking at the log (verbosity 6), I see UDPv4 WRITE and UDPv4 READ even when I'm not sending traffic over the tunnel 13:48 < unixSnob> redfox: then when I put traffic on the tunnel, the log shows TUN WRITE, and TUN READ lines 13:48 < redfox> unixSnob: dont know the exact specifications, but i would say that are kind of keep alive packets or something... 
would not worry about it 13:48 < redfox> plt: 13:48 < redfox> !logs 13:48 < vpnHelper> redfox: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 13:48 < unixSnob> redfox: so I don't understand what it means to have UDP traffic in the logs 13:49 < unixSnob> okay 13:49 < plt> maybe it does the ping keepalive as redfox says : check your config for # 13:49 < plt> keepalive 10 120 13:49 < plt> redfox : you get a chance to see my pastebin - firewall does look disabled correct ? 13:49 < unixSnob> ah, yes, I do have a keep alive setting in there 13:50 < redfox> unixSnob: may be some protocol overhead. the UDP write messages means that the protocol is doing transfers. the TUN write messages means that data is transferred over the tunnel. if you wanna read more, you should read the protocol specifications 13:50 < redfox> plt: firewall seems ok, yes. 13:51 < redfox> plt: please post you logs as i cant see any misconfiguration 13:51 -!- toehio [n=toehio@dyn.83-228-186-105.dsl.vtx.ch] has quit ["ZNC - http://znc.sourceforge.net"] 13:51 < unixSnob> redfox: i'm only examining this because I've been unable to access the internet via the tunnel. The TUN log records show that the data makes it over the tunnel, but gets lost on the server side 13:52 < unixSnob> I'm trying to use the 'route' command on the server to route the packets to the internet, but I wonder if I must use iptables. I really don't want to use iptables 13:53 < redfox> unixSnob: if you want to tunnel traffic over the VPN, you have to use some sort of network adress translation. netfilter (iptables) for linux will do that fine, thats the easiest way i know of. 
13:54 < redfox> !linnat 13:54 < vpnHelper> redfox: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:54 < plt> redfox : brb 13:54 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- Now with extra fish!"] 13:54 < unixSnob> redfox: iptables is not easy for me, because i have the added complication of running the server on an openvz VE, which means I can't access the kernel's routing table 13:55 < unixSnob> redfox: I can twist the arm of those who control the kernel.. but i'd like to avoid that 13:55 < redfox> unixSnob: i understand. i heard about another way, but im not sure what that is. let me look... 13:55 < unixSnob> they would run an iptables command for me, if I want to make a support ticket 13:55 < redfox> !redirect 13:55 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:56 < redfox> !ipforward 13:56 < vpnHelper> redfox: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:56 < redfox> !linipforward 13:56 < vpnHelper> redfox: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:56 < redfox> hm 13:56 < redfox> krzie: youre there? 13:56 < unixSnob> redfox: my /proc/sys/net/ipv4/ip_forward file already has a "1" in it.. apparently that's not enough 13:57 < redfox> yes, you need NAT. krzie said yesterday something about another way. 13:58 < unixSnob> redfox: does the 'route' command give me NAT? 
13:58 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn 13:58 < unixSnob> maybe i'm just not using the route command properly 13:58 < plt> redfox : the log is at the bottom of http://pastebin.com/m6547de11 (search for LOG, SERVER LOG, CLIENT LOG to reach faster) 13:59 < unixSnob> route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.0.2.1 <= that's the route command I tried 13:59 -!- toehio [n=toehio@dyn.83-228-186-105.dsl.vtx.ch] has joined ##openvpn 13:59 < plt> redfox : the route print on the winxp shows it has to use the gateway but the gateway is missing - maybe that's the problem ? 13:59 < redfox> unixSnob: your client needs to adjust the routing table to use the server ones. the server itself _needs_ NAT to route the packets over the other interface 14:00 < plt> redfox : also I see "NOTE: FlushIpNetTable failed on interface [196614] {12A56C14-0796-40C9-BCFD-E4AA17D39E24} (status=1413) : Invalid index. " on the winxp - but when i searched online it says you can ignore this. I got rid of this line too however by stopping the RRA service on windows, but still can't ping 14:01 < redfox> plt: that should not be the explanation of why you are failing to ping each other. 14:01 < redfox> plt: i use the same setup as you do and i did not have any problems like that. 14:01 < plt> ok 14:01 < redfox> (and i dont use gateway redirection) 14:02 < redfox> plt: will now look at the logs 14:02 < plt> well i don't understand that part (gateway redirection) - its just normally i see a gateway in ipconfig in windows 14:02 < plt> ok 14:03 < toehio> redfox: Hello! 14:04 < toehio> redfox: I found ssh_VPN! https://help.ubuntu.com/community/SSH_VPN 14:04 < vpnHelper> Title: SSH_VPN - Community Ubuntu Documentation (at help.ubuntu.com) 14:05 < toehio> redfox: that did the trick for me. It set up some new interfaces. When I have more time I will try setting up openVPN though. Thank you for helping me! 
14:07 < redfox> toehio: very well, im glad if you found your solution 14:08 < redfox> plt: the log says the client ip is 10.8.0.6 14:08 < plt> toehio : 14:08 < toehio> plt: Yes? 14:09 < plt> toehio : in your case the Machine A is acting as NAT ? because the network A is accessing Machine B by putting dest ip as machine A's ip, not Machine's B - which means machine A is doing NAT for machine A 14:09 < plt> ? 14:10 < plt> redfox : let me check 14:10 < toehio> plt: My machine A is a server sitting behind a router 14:10 < plt> redfox : sorry, i tihnk i copied one part from different test machine, i'll update the pastebin 14:11 < redfox> ok 14:11 < plt> redfox : http://pastebin.com/m4f1175f6 14:13 < plt> toehio : i know, i saw the link - what i am curious is that you did not change the static routes on network A's router correct ? so machines on network A are reaching machine B via machine A : and their des ip in their packets must be machine A's not machine B - which means machine A is acting as a NAT for Machine B 14:13 < plt> Machine A: 14:13 < plt> sudo arp -sD 10.0.0.200 eth0 pub 14:13 < plt> This ensures that other machines plugged into Network A will know to send packets destined for 10.0.0.200 to Machine A (so that it can forward them back to Machine B). 14:14 < toehio> plt: I didn't complete the tutorial. All I did was to connect Computer A <--> Computer B. 14:14 < toehio> plt: I didn't go as far as that 14:14 < toehio> plt: I didn't go as far as connecting other computers on network A to network B 14:15 < plt> machines on network A have their gateway as 192.168.0.1 - which means all their packets are first sent to 192.168.0.1 which then forwards appropriately. If machines on A destine their packet to machine B, how will the gateway know where to route it unless you change its static routes ? 14:15 < toehio> plt: Yeah, I see your point 14:16 < redfox> plt: still 10.8.0.6 as the client ip. can you re check your ip settings? 
14:16 < plt> toehio : ok you might want to do something differently perhaps : instead of doing what the tutorial suggests, if you have access to 192.168.0.1 gateway/router - add a static route there to machine B, and skip the step "sudo arp -sD 10.0.0.200 eth0 pub' 14:17 < plt> redfox : did you see updated link : http://pastebin.com/m4f1175f6 14:17 < toehio> that's beyond what I set out to do; I only wanted to create a VPN between two computers. 14:17 < plt> sorry, nevermind 14:17 < toehio> plt: it's OK 14:17 < plt> toehio : ok, try it though by changing the static routes - then you will have machine -> site vpn 14:18 < plt> toehio : instead of machine to machine vpn 14:18 < toehio> plt: I'm far away from home and can't turn on my other computers :( 14:19 < plt> redfox : http://pastebin.com/m67efb236 is the winxp client log 14:20 < toehio> I was wondering, If, let's say, computer C enters the scene, and connects to computer A (the same way computer B connected), what would happen? 14:22 < plt> redfox : http://pastebin.com/m9dd1538 - now has both the logs - sorry for the confusion 14:22 < toehio> well, I'm off 14:23 < toehio> Thanks for all your help! bye. 14:23 < plt> toehio : C needs to be set up as a different client - different keys/certs, if you use static key - you can have only one client, but otherwise you can have as many clients as needed, except they must use different keys / certs : use ./build-key to create new client keys 14:23 < plt> bye 14:23 < redfox> plt: no prob 14:23 < plt> redfox : your win client is win xp pro too ? 14:24 < toehio> plt: I was talking about the SSH_VPN, not openVPN 14:24 < toehio> ok, bye 14:24 < plt> tohio : ok, ya forgot that for a second, for multiple clients stuff 14:24 < redfox> plt: the route command on your linux machine fails 14:24 < redfox> did you try to flush the route first? 14:25 < plt> redfox : Sat Jul 4 12:20:38 2009 ERROR: Linux route add command failed: external program exited with error status: 7 14:25 < plt> ? 
14:25 < redfox> yep 14:25 < redfox> SIOCADDRT: File exists 14:25 < redfox> means that the route already exists 14:25 < plt> i c 14:26 < plt> just route flush ? 14:26 < plt> # route flush 14:26 < plt> Flushing `inet' routing table not supported 14:27 < plt> can you tell me the command ? i guess i have to stop openvpn server first ? 14:28 < redfox> plt: stopping openvpn and restarting your interface (or network) should be enough 14:28 < plt> eth0 itself you mean right ? 14:28 < redfox> yep 14:29 < plt> redfox : i am trying that. But if i am sshed to the server is there a different way to do the same ? 14:29 < plt> without losing the ssh i mean 14:30 < plt> i did ifconfig eth0 down - still see the error when i start openvpn 14:30 < plt> i am going to reboot for now, just to test, but tell me a nice way to do it 14:31 < plt> i need to go back to the server room - brb 14:31 < redfox> re 14:31 < redfox> plt: you wont lose your ssh connection 14:32 < redfox> i think 14:37 < plt> ok 14:38 < plt> i rebooted the server will try via ssh next 14:38 < plt> Sat Jul 4 12:38:28 2009 TCP/UDP: Socket bind failed on local address [undef]:10068: Address already in use 14:38 < plt> sorry s/10068/1194 14:39 < plt> this is after reboot ! 14:39 < plt> and i did shutdown openvpn before 14:39 < redfox> did you add an init script to a runlevel? 14:39 < plt> no i was doing openvpn --config openvpn.conf 14:39 < plt> to start and ctrl-c to stop 14:39 < plt> because i am still in testing stage 14:40 < plt> (openvpn.net/howto was suggesting that i was following the steps there) 14:40 < plt> is there a way to take care of this socket thing ? strange that reboot also did not fix, maybe reset ?! 14:45 < redfox> did you look at ps output? 14:45 < redfox> is the process running? 14:46 -!- [1]plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn 14:46 < [1]plt> redfox : sorry got disconnected 14:47 < redfox> np 14:47 < redfox> is your process still running? 
14:47 < redfox> and you're sure you rebooted?
14:48 < [1]plt> looks like it is still running
14:48 < redfox> is it openvpn?
14:48 < [1]plt> i don't think i setup daemon but it looks like it is already setup
14:48 < [1]plt> yes
14:49 < StormWlf> !topology
14:49 < vpnHelper> StormWlf: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:50 < [1]plt> redfox : i can ping now !
14:50 < redfox> great!
14:50 < redfox> you changed your configurations?
14:50 < [1]plt> nope, just reset
14:50 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Read error: 60 (Operation timed out)]
14:50 -!- [1]plt is now known as plt
14:50 < plt> and strangely the thing started as daemon
14:51 < plt> can you tell me for a sec how to remove/add this daemon ?
14:51 < redfox> maybe your package manager did that
14:51 < redfox> which distribution are you running?
14:51 < plt> debian and i did install using aptitude install openvpn
14:51 < redfox> ok, i guess aptitude automatically adds the init scripts in the runlevel
14:52 < redfox> you can control that via update-rc.d
14:52 < plt> how can i remove it or better disable it ?
14:52 < redfox> update-rc.d openvpn remove
14:52 < redfox> (if i remember correctly)
14:52 < plt> ok
14:52 < redfox> and the same with "defaults" to add it again
14:53 < plt> ok, cool
14:53 < redfox> i think it was a routing issue
14:53 < plt> redfox : is there a way to make the client see all the network of the server and vice-versa ?
14:53 < plt> ya, the error as you said, might have been it
14:54 < redfox> plt, that should be default
14:54 < plt> i figured adding a static route on the gateway will do it
14:54 < plt> but default i thought is only between client and server - not server's network ? how will machines on the server LAN know how to send packets to the client ?
14:55 < plt> redfox : brb, my network is cranky, and i need to reset, brb
14:55 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- \o/"]
14:56 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
14:56 < plt> sorry, back
14:57 < plt> if another machine on the server side LAN wants to talk to 10.8.0.10 its gateway must do the routing correct ?
14:57 < plt> i guess the default thing is as you are saying, but we need to add static route in gateway ?
15:00 < redfox> also back
15:00 < plt> ok
15:01 < plt> is there a command to display all the assigned ips and client names ?
15:02 < redfox> hmm. i dont know. @routes: could be, thought this would be default behaviour. to be honest, im using openvpn since yesterday, so i dont know exactly if this is the case
15:04 < redfox> but if you want to use the server as an internet gateway, i would suggest to take a look at
15:04 < redfox> !redirect
15:04 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:05 < plt> ok
15:05 < plt> !def1
15:05 < vpnHelper> plt: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:06 < plt> i guess redirect gateway only affects the client routing table correct ? to make it send everything thru the VPN ?
15:07 < plt> !nat
15:07 < vpnHelper> plt: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
15:07 < redfox> yes, redirect def1 is a server setting
15:07 < redfox> you have to set the NAT routing additionally in your firewall
15:07 < plt> but affects only client routing table right - if i manually change the route table on the winxp it should achieve the same effect ?
15:07 < redfox> !linnat
15:07 < vpnHelper> redfox: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:08 < redfox> plt: absolutely correct, the client has to be notified about the new routing, that's what this setting originally does.
15:08 < redfox> and yes, you _could_ do this manually
15:08 < redfox> (if you set up your firewall properly)
15:08 < plt> ok
15:08 < plt> firewall ? where ?
15:09 < redfox> your server. he has to do the translation between vpn and eth packets
15:09 < redfox> that's what nat is used for in this case
15:11 < plt> ok ya, i meant the first part can be done manually on the client, and i will have to do only ip forwarding and nat on the server - is that right ?
15:12 < redfox> yes, that's right.
15:12 < plt> ok, cool
15:12 < plt> earlier you said that the default setup is such that client can see all of the LAN of the server ?
15:13 < redfox> did you try to reach the local network of the server/client over vpn?
15:13 < redfox> plt: yes, i think so
15:13 < plt> i guess if we dont do the first part - redirect gateway stuff, but do only the second it achieves this ?
15:13 < redfox> second?
15:13 < plt> no i haven't tried that
15:13 < plt> second : ip forwarding + nat
15:14 < plt> openvpn howto says : setup openvpn, do ip forwarding on the server and change server gateway static route (more or less) to access server side LAN
15:15 < redfox> oh, well.. then forget what i've said and believe the howTo :>
15:15 < plt> but if you setup ip forwarding + nat, you can do pretty much the same, except server side machines can't reach client unless some portforwarding is done on the openvpn server, but client can reach the server side machines including ping
15:15 < redfox> ah, i know what you mean
15:15 < redfox> yes, of course
15:15 < plt> cool
15:16 < redfox> because VPN is nothing more than a simple new network interface
15:16 < redfox> the routing stuff can always be done by hand
15:16 < plt> ok. i know how to change routing on winxp, but not on linux
15:16 < plt> i'll checkout !linnat
15:17 < plt> fbsdnat doesn't apply to debian i guess ?
15:17 < plt> only
15:17 < plt> !linnat
15:17 < vpnHelper> plt: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:18 < redfox> plt: yes, !linnat is the way to go on linux
15:18 < plt> redfox : how have you setup nat ?
15:18 < plt> you setup openvpn, then ip forwarding and then nat correct ?
15:18 < redfox> exactly as it stands there :)
15:18 < redfox> yep.
15:18 < plt> and for nat you used the first command or the second ?
15:19 < plt> (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to
15:19 < redfox> the second one is for forwarding from a special ip address
15:19 < redfox> the first one is just forwarding tun0 to eth0
15:19 < plt> you mean for specific client right ?
15:19 < redfox> roughly said
15:19 < redfox> for example, yes
15:20 < plt> you don't mean forwarding tun0 to eth0 cos ip forwarding does that - you mean NAT for eth0 to clients behind tun0 ?
15:20 < redfox> correct
15:21 < plt> ok, cool
15:21 < plt> so you can ping from your client to the server side LAN now ?
15:21 < redfox> plt: i cannot really test that because my server has no "lan" in this way. they are all accessible externally
15:22 < redfox> but i read somewhere that "ping machines in lan" was a test case after setting up openvpn
15:22 < plt> ok
15:22 < plt> really ?
15:22 < plt> after setting up openvpn + ip forwarding + nat OR just after setting up openvpn ?
15:23 < redfox> openvpn
15:23 < redfox> wait, maybe i can get that link again
15:23 < plt> that'll help a lot
15:23 < plt> cos i can make sure i understand all this stuff properly - i do a bit now i guess but some holes here and there
15:24 < redfox> same here... i guess
15:25 < plt> i don't know much about linux too :)
15:26 < plt> guess you do a lot more on that, and definitely on the openvpn, but hopefully this discussion is making your openvpn stuff also a little tighter :)
15:26 < redfox> no problem, i dont know much about windows :>
15:26 < plt> are you a sys admin or just hacker or just playing with openvpn ?
15:27 < redfox> actually that should not be a case of VPN itself, but computer networks and routing stuff
15:28 < redfox> hmmm... not really.. playing with openvpn, yes, but also wanted to get a working gateway (as you are trying to do).. was curious. im just interested in that stuff :)
15:28 < plt> true
15:28 < redfox> still looking for that article...
15:29 < plt> yep i find this whole stuff interesting too
15:29 < plt> ok..
15:29 < plt> http://openvpn.net/index.php/open-source/documentation/howto.html#scope - seems to say you have to change gateway on server side
15:29 < vpnHelper> Title: HOWTO (at openvpn.net)
15:29 < plt> just see it once
15:30 < redfox> let me test smth, brb
15:31 < plt> ok
15:33 < Douglas> goddamn
15:33 < Douglas> its awkward without krzee's weird ass p in here
15:33 < Douglas> up
15:33 < plt> redfox : also http://www.linuxquestions.org/questions/linux-networking-3/openvpn-conencts-but-cant-ping-servers-on-the-other-network.-660610/ seems to say you need router static routes
15:33 < vpnHelper> Title: OpenVPN conencts but can't ping servers on the other network. - LinuxQuestions.org (at www.linuxquestions.org)
15:34 < redfox> plt: yes, i can confirm that
15:35 < plt> ok, cool
15:36 < plt> i am going to try the openvpn + ip forwarding + nat without static routes on gateway for ping from client to server side entire LAN
15:37 < plt> is there a way to undo the nat part after testing ?
15:37 < redfox> yes, del the route
15:37 < plt> yes, but can you tell the command ?
15:38 < plt> i can do via man, nevermind that
15:38 < redfox> :)
15:38 < redfox> replace "del" with "add" :>
15:38 < plt> :) better to ask the ones i can't :) - tell me if you tried ccd with client specific ip's
15:38 < redfox> ccd?
15:41 < plt> client specific ip assignment and directories i guess
15:41 < plt> its there in the conf file
15:41 < plt> commented though
15:42 < StormWlf> !topology subnet
15:42 < vpnHelper> StormWlf: Error: "topology" is not a valid command.
15:42 < StormWlf> !topology
15:42 < vpnHelper> StormWlf: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:46 < redfox> !ipp
15:46 < vpnHelper> redfox: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
15:46 < plt> k
15:47 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has joined ##openvpn
15:48 < plt> btw you tried to understand what the p-t-p is all about in the ifconfig on the tun0 ?
15:48 < redfox> p-t-p = peer-to-peer?
15:49 < rizet> anyone could tell me where are the logs in debian for openvpn?
15:49 < redfox> plt: i found that page again. you are right, you have to set the routes + ip forwarding in order to reach the local network
15:49 < rizet> p-t-p stands for point to point
15:50 < plt> redfox : but do we need routes in the gateway/router for ping alone if we have NAT enabled on the server ? i guess not ? if we don't have NAT then we add static route and that does it correct ?
15:50 < plt> rizet : i know that but what are the details, why does it need a tun0 ip and then also a p-t-p ip ?
15:51 < plt> rizet : see your conf file, it tells you, otherwise it is in the syslog
15:52 < plt> rizet : you can define it in the openvpn.conf, otherwise you can put it in syslog - see /var/log/syslog or grep for openvpn in it
15:52 < redfox> plt: i assume that would be correkt.
15:52 < redfox> *c
15:52 < rizet> plt: thanks -- as to your question, I think point to point means from tun to tun, and tun needs a private ip -- it's just my guess
15:53 < plt> redfox : what do you use for ip forwarding, the openvpn says echo 1 > /proc/sys/net/ipv4/ip_forward
15:53 < plt> redfox : but i have seen /etc/sysctl etc.
15:53 < plt> redfox : i think the best way is something that allows which interface from and which interface to forward if it allows such finer control
15:54 < redfox> plt: yes, that's the way to dynamically enable forwarding on linux. sysctl is used to keep this setting at a reboot
15:54 < rizet> plt: where should I put the default log file in? (server.conf)
15:54 < redfox> plt: that's what NAT is for (i guess)
15:56 < plt> redfox : i think ip forwarding and NAT are different - or which one you mean ?
15:56 < plt> redfox : oh i see what you are saying, i guess with nat you don't need ip forwarding
15:56 < plt> redfox : is that what you are saying ?
15:57 < plt> btw, i see this http://openvpn.net/index.php/open-source/faq.html#firewall giving how to do forwarding for interfaces i think
15:57 < vpnHelper> Title: FAQ (at openvpn.net)
15:57 < plt> rizet : just uncomment the log file : ;log openvpn.log
15:57 < plt> ;log-append openvpn.log
15:57 < plt> whichever you wish
15:57 < plt> append or not append
15:57 < plt> rizet : uncomment in the conf file i mean, sorry
15:58 < plt> redfox : do you have any IM account ? or pidgin ?
16:00 < rizet> plt: is a tun kind of an interface with an assigned ip?
16:03 -!- malibu [n=kvirc@S0106001310429722.wp.shawcable.net] has joined ##openvpn
16:03 < malibu> Hi there...
16:04 < malibu> Does anyone happen to know how to change the login screen to the openvpn-sa client console?
16:04 < malibu> I would like NOT to advertise to everyone that I have openvpn there
16:04 < malibu> but I would like to be able to sign in when I want to
16:04 < plt> rizet : checkout wikipedia on tun / tap
16:05 < rizet> plt: I've read it, there was no clear answer
16:06 < plt> malibu : try the portable openvpn client - it has all you need and you can disable the screen
16:06 < plt> malibu : and you can take all your settings and keys with you
16:13 < plt> rizet : try search - you should find enough
16:14 -!- toehio [n=toehio@dyn.83-228-186-105.dsl.vtx.ch] has quit ["ZNC - http://znc.sourceforge.net"]
16:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)]
16:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:27 < rizet> plt: I'm just curious whether the private ips --we assign to each machine on the VPN-- are assigned to those tuns/taps or they serve other purposes?
16:30 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
16:41 < plt> only tuns/taps but you can do whatever you can with them just as with a regular interface
16:43 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"]
16:49 -!- malibu [n=kvirc@S0106001310429722.wp.shawcable.net] has quit ["When two people dream the same dream, it ceases to be an illusion. KVIrc 3.4.2 Shiny http://www.kvirc.net"]
16:56 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]"]
17:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
17:20 < StormWlf> !conf
17:20 < vpnHelper> StormWlf: Error: "conf" is not a valid command.
17:20 < StormWlf> !help
17:20 < vpnHelper> StormWlf: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
17:21 < StormWlf> !iporder
17:21 < vpnHelper> StormWlf: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:21 < StormWlf> anyone here gotten dnsmasq and topology subnet working?
17:31 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
18:17 -!- [1]plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
18:17 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
18:17 -!- [1]plt is now known as plt
19:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
19:05 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)]
19:05 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:18 -!- j03 [n=j03@unaffiliated/j03] has joined ##openvpn
19:31 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
19:35 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Client Quit]
20:34 -!- j03 [n=j03@unaffiliated/j03] has quit ["Leaving"]
20:35 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
20:36 < plt> anyone here have not just client to server but client to server's lan working
20:57 -!- c64zotte1 [n=hans@p5B17B7A6.dip0.t-ipconnect.de] has joined ##openvpn
21:02 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit ["Leaving"]
21:03 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has joined ##openvpn
21:05 -!- [1]plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
21:05 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
21:05 -!- [1]plt is now known as plt
21:53 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- IRC with a difference"]
21:56 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
22:02 < reiffert> moin
22:21 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)]
23:08 -!- albech [n=albech@119.42.76.157] has joined ##openvpn
23:36 -!- albech [n=albech@119.42.76.157] has quit [Remote closed the connection]
--- Day changed Sun Jul 05 2009
01:39 -!- master_of_master [i=master_o@p549D4931.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:42 -!- master_of_master [i=master_o@p549D4DB0.dip.t-dialin.net] has joined ##openvpn
01:44 -!- carpe_ [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
02:00 -!- c64zotte1 [n=hans@p5B17B7A6.dip0.t-ipconnect.de] has left ##openvpn []
02:06 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
02:15 < unixSnob> what does it mean when TUN WRITE appears in the logfile?
02:16 < unixSnob> one would think it means something is being written to the tunnel
02:16 < unixSnob> but TUN WRITE appears in the server's log file when the client sends a ping
02:17 < unixSnob> and TUN READ (which would make more sense) does not appear
02:42 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
02:43 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has joined ##openvpn
03:07 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
03:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
04:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:18 -!- no_maam [n=no_maam@130.83.167.54] has quit [Read error: 104 (Connection reset by peer)]
04:19 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
04:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:39 -!- maxagaz [n=g@222.128.36.151] has joined ##openvpn
04:39 < maxagaz> hi
04:41 < maxagaz> when i start openvpn i get this message : * openvpn (OK) * server (FAILED) ...done.
04:41 < maxagaz> what does it mean ?
04:42 < n0g0> your config called server.conf does not start, maybe syntax error.
04:42 < n0g0> look into your logs to see what failed
04:54 -!- unixSnob_ [n=jj@ip-94-140-188-166.reverse.destiny.be] has joined ##openvpn
04:55 -!- VenomX [n=venomx@201-0-178-106.dial-up.telesp.net.br] has quit ["Leaving"]
05:06 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)]
06:03 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
06:05 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
06:11 < unixSnob> krzie: you around?
06:17 -!- unixSnob_ [n=jj@ip-94-140-188-166.reverse.destiny.be] has quit [Read error: 110 (Connection timed out)]
06:21 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 104 (Connection reset by peer)]
06:21 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Connection timed out]
06:26 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn
06:34 -!- unixSnob_ [n=jj@starfury.spearlink.com] has joined ##openvpn
06:46 -!- unixSnob [n=jj@starfury.spearlink.com] has quit [Read error: 110 (Connection timed out)]
07:01 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
07:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
07:33 -!- thedoc [n=andelyx@bb116-14-185-132.singnet.com.sg] has joined ##openvpn
07:39 -!- p3ri0d [n=p3ri0d@200.2.149.120] has joined ##openvpn
08:39 -!- thedoc [n=andelyx@bb116-14-185-132.singnet.com.sg] has quit [Read error: 54 (Connection reset by peer)]
08:41 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:31 -!- diepes [n=diepes@dsl-246-144-148.telkomadsl.co.za] has joined ##openvpn
09:41 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
09:50 < diepes> Hi i have been using openvpn for a while, and was pondering if traffic reduction could be easily added to a vpn tunnel ?
10:23 -!- p3ri0d [n=p3ri0d@200.2.149.120] has quit [Read error: 110 (Connection timed out)]
10:30 -!- diepes [n=diepes@dsl-246-144-148.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)]
11:09 -!- maxagaz [n=g@222.128.36.151] has quit ["Leaving"]
11:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:32 -!- Douglas [n=doug@64.18.154.245] has quit [Remote closed the connection]
11:54 -!- tjz [n=tjz@bb219-74-135-197.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
13:08 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
13:08 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:18 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
13:34 -!- tjz [n=tjz@bb121-6-15-48.singnet.com.sg] has joined ##openvpn
13:42 -!- Dougy [i=doug@64.18.144.2] has joined ##openvpn
13:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:04 < krzee> !/30
14:04 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:04 < krzee> !topology
14:04 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
15:00 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
15:11 -!- unixSnob_ [n=jj@starfury.spearlink.com] has quit ["leaving"]
16:03 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
16:03 < plt> hi i am trying to setup ccd to provide fixed ips
16:03 < krzie> !static
16:03 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
16:03 < krzie> !/30
16:03 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
16:04 < plt> krzie : i am trying to use the config file
16:04 < plt> and followed the howto :
16:04 < krzie> well
16:04 < krzie> what are you trying to say
16:04 < krzie> ?
16:04 < plt> earlier i had server 10.8.0.x and using that subnet to connect
16:05 < krzie> krzie : i am trying to use the config file
16:05 < plt> i think i know what the problem is already - but not sure abt the details :
16:05 < krzie> ok well check this out
16:05 < plt> basically i have client1.crt,key,csr files
16:05 < krzie> you're trying to give clients static ips
16:05 < krzie> internal vpn ips
16:05 < plt> krzie : let me ask this first :)
16:05 < krzie> you do what !static says, and it works
16:06 < krzie> especially since you said you'd like to do it via ccd entries
16:06 < plt> cos that's the only thing that's unclear to me at the moment at least
16:06 < plt> ya i am doing it
16:06 < plt> the issue is with the crt,key,csr files - i have files named client1.* and client2.*
16:06 < plt> in the ccd i put ifconfig-push in the files named client1 and client2
16:06 < krzie> the filenames dont matter
16:06 < krzie> its the common-names
16:06 < krzie> !ccd
16:06 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
16:07 < plt> the CN (common name) in client1 and client2 is not client1 and client2
16:07 < krzie> CN is all that matters
16:07 < krzie> filename doesnt matter whatsoever
16:07 < plt> ok, that's what i thought
16:07 < plt> ok
16:07 < krzie> in fact the server doesnt know or care what the clients' filenames are
16:07 < plt> now if i want to change the CN - the only change is in the crt file correct ?
16:07 < plt> i c, ok..
16:07 < krzie> you cant change the CN
16:07 < krzie> you would generate a new cert to do that
16:07 < plt> well i was wanting to change in the client and the server
16:07 < plt> oh..
16:08 < plt> i have to regenerate the keys ? :(
16:08 < krzie> of course
16:08 < plt> can't just edit the crt file ?
16:08 < plt> the field called CN ?
16:08 < plt> field called CN
16:08 < krzie> if you could edit the CRT file after the CA signed it, it wouldnt be a good thing
16:08 < krzie> you cant change the CN
16:08 < krzie> you would generate a new cert to do that
16:08 < plt> ahh ok..
16:08 < plt> the signing part is what screws up ha ?
16:08 < plt> ok..
16:09 < krzie> ok think about it this way
16:09 < plt> i got it i think..
16:09 < krzie> you give me a cert signed by your CA
16:09 < krzie> then you block my access
16:09 < plt> ya, it would verify the signature
16:09 < krzie> i modify the CRT and have access again
16:09 < krzie> not a good thing
16:09 < plt> ok.. got it
16:09 < plt> is there a way to see all the clients currently connected along with their CN and IP ?
16:10 < plt> ipp.txt shows past and inactive too i guess ?
16:10 < krzie> !ipp
16:10 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
16:10 < krzie> a status file MIGHT show what you want, i dont use it
16:10 < plt> ok.. thought so
16:10 < plt> ok..
16:10 < krzie> and there's a management interface that is not extremely documented that can definitely give you that info
16:11 < plt> if i change config is there a way to make the server see it without turning off the openvpn server ?
16:11 < krzie> both can be found in the manual
16:11 < plt> ok..
16:11 < plt> don't want to mess with it if it is not documented well
16:11 < krzie> yes, see the section on SIGNALS in the manual
16:11 < krzie> !man
16:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:11 < plt> SIGNALS for making the server see a change in the config ?
16:12 < krzie> one of them is im sure
16:12 < plt> how about just seeing the version of the openvpn (if it is running using the daemon - or init script) ?
16:12 < plt> ok
16:12 < krzie> (same as almost every unix app i believe)
16:13 < krzie> version of openvpn, prolly -v or --version, its also in the manual
16:13 < krzie> i have a feeling you need to read the manual
16:13 < krzie> its a huge wealth of info
16:14 < plt> ok.. will read it
16:14 < plt> i read the howto
16:14 < krzie> thats good
16:14 < krzie> very good
16:15 < plt> very useful, got everything working except one thing though
16:15 < krzie> do you have any additional goals to just setting up a vpn?
16:15 < krzie> like connecting lans, redirecting inet traffic through it, etc
16:15 < plt> connecting lans !
16:15 < krzie> !route
16:15 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:15 < plt> i saw that krzie :
16:15 < plt> but the howto says :
16:16 < krzie> good, thats everything you need to know bout connecting lans
16:16 < plt> to make the client see all the server side LAN - do push route, ip forwarding and put static routes in the router/gateway of the server
16:16 < krzie> correct
16:16 < krzie> my !route doc says the same thing
16:16 < plt> i have static routes added in my router
16:17 < plt> but when i do ping from a serverside lan machine to a client it doesn't work
16:17 < krzie> run packet sniffers on the vpn server, vpn client
16:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
16:17 < krzie> and on the router if you're able to on it
16:18 < plt> using ngrep ?
16:18 < krzie> find out where its getting stopped, report back
16:18 < krzie> ngrep?
16:18 < krzie> tcpdump
16:18 < plt> ok
16:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:18 < plt> i think my push route is bad, i am checking it..
16:18 < krzie> i can check if you like
16:18 < krzie> !configs
16:18 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:18 < plt> btw, do you know a good way to setup proxy (without full redirect) on the server ?
16:18 < krzie> yes, thats what i do
16:19 < krzie> for redirecting only certain things
16:19 < krzie> based on ip port or application
16:19 < krzie> very nice =]
16:19 < plt> i'll try to get it to work first, if it doesn't work i'll ask again - don't wanna ask stuff i can try myself, more useful to ask stuff i can't :)
16:19 < plt> how do you do it ?
16:19 < krzie> personally i choose to use a socks5 daemon for that, only running on the internal vpn ip
16:19 < plt> redirecting only certain things ?
16:19 < plt> say with winxp client ?
16:19 < krzie> i use dante with this config: www.ircpimps.org/sockd.conf
16:19 < plt> socks can do http also ?
16:19 < krzie> i use an app called proxifier
16:20 < krzie> socks can do anything
16:20 < plt> you are using a windows client ?
16:20 < plt> ok
16:20 < krzie> and that app is GREAT
16:20 < krzie> hell no, no windows for me
16:20 < krzie> but proxifier exists for windows
16:20 < plt> lol
16:20 < krzie> there MAY be free alternatives, thats for you to figure out if you want
16:20 < plt> i have the server on linux too
16:20 < plt> but want to access the proxy from windows like firefox
16:20 < krzie> that config i gave you offers no login/password stuff
16:21 < krzie> SO DONT RUN IT ON EXTERNAL IP
16:21 < krzie> as i have it setup it only listens on vpn ip, so you must start it after openvpn
16:21 < plt> oh..
16:21 < plt> the name of the proxy server is proxifier ?
16:21 < krzie> no
16:21 < krzie> personally i choose to use a socks5 daemon for that, only running on
16:21 < krzie> the internal vpn ip
16:21 < krzie> i use dante with this config: www.ircpimps.org/sockd.conf
16:22 < plt> dante ok let me search
16:22 -!- tjz [n=tjz@bb121-6-15-48.singnet.com.sg] has quit [Connection timed out]
16:22 < krzie> proxifier is the app i use to socksify based on ip/port/application/or any combo of those
16:22 < krzie> which runs on the client
16:22 < krzie> tells the os which stuff to send through socks (which is the vpn ip, so it goes over the vpn)
16:22 < plt> oh ok
16:23 < plt> i have two sorts of clients, one called sysadmin which can access server side LAN, another only the server
16:23 < plt> the howto says to use push and ip forwarding
16:23 < plt> if you want server side lan to be accessible
16:24 < plt> but how to do this separately between the two types of users ?
16:24 < krzie> you can put the push in a ccd entry
16:24 < plt> can i put push command in the ccd ?
16:24 < plt> ok, cool
16:24 < krzie> or you can firewall the client out of the lan
16:24 < plt> which is better ?
16:24 < krzie> cause that user could still add the route manually and get access if he knows
16:24 < krzie> but with firewall, he cant
16:24 < plt> ahh ok..
16:24 < plt> cool !
16:24 < plt> makes sense :)
16:25 < plt> is this firewall check pretty cpu intensive ?
16:25 < plt> at least < 1 % ?
16:25 < krzie> its just a firewall
16:25 < plt> ok
16:25 < plt> how to see the table of things inside iptables ?
16:26 < krzie> seems to be a question for a linux channel
16:26 < plt> #linux ?
16:26 < krzie> but i believe its -L or something
16:26 < krzie> i dunno, i dont even use linux
16:26 < plt> ok..
16:26 < plt> really ?
16:26 < plt> what then ?
16:26 < krzie> but im sure man iptables would be happy to tell you everything about iptables
16:26 < krzie> i use freebsd and osx
16:28 < plt> ok..
16:28 < plt> i am on #iptables now..
16:28 < krzie> why not ask the manual?
16:28 < krzie> the programmers wrote all that documentation for you
16:28 < krzie> and they HATE to do it, but they want you to be able to use it
16:29 < krzie> seems almost disrespectful to them to not give it a look
16:29 < krzie> (when you have a question about it)
16:30 < plt> i am using the manual :)
16:30 < plt> -L -v -n
16:30 < krzie> =]
16:30 < Bushmills> often missed are the nat chains: iptables -t nat -nL
16:30 < plt> i don't have any nat yet
16:31 < krzie> moin moin Bushmills
16:31 < plt> or guess hopefully not needed
16:31 < krzie> i was chillen with some germans last night
16:31 < Bushmills> hi krzie
16:31 < krzie> i said moinmoin and they got all happy
16:31 < krzie> and started rambling at me in german
16:31 < krzie> hahaha
16:31 < Bushmills> plt, often, when people say "firewall is disabled" but a problem appears to be firewall related, it is because of those
16:31 < krzie> "whoa whoa whoa, all i know is moinmoin"
16:31 < Bushmills> hehe
16:32 < plt> ok.
16:32 < Bushmills> there's even a wikipedia entry for moin
16:32 < krzie> yup
16:32 < krzie> when kraut was saying moin every day i googled it
16:32 < krzie> thats how i know what it means ;]
16:32 < Bushmills> i see
16:33 < Bushmills> helps that he was writing it so you knew how it was spelled
16:33 < krzie> i thought he was a bot cause he never spoke that i saw except for everyday at the same time he'd say moin
16:33 < krzie> haha
16:33 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has left ##openvpn []
16:34 < Bushmills> a frenchman would pronounce it differently to a spanish speaker
16:34 < Bushmills> it's just pronounced as single syllable, like moyn
16:34 < krzie> good, thats how i say it
16:35 < Bushmills> or, like maw-een without separating into two syllables
16:53 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [Read error: 104 (Connection reset by peer)]
16:53 -!- lilalinu- [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn
16:53 -!- lilalinu- is now known as lilalinux
16:55 < redfox> krzie: in fact, moin is slang :>
16:55 < krzie> we get more .de in here than anywhere else ive hung out on IRC
16:55 < krzie> which i'd have to say says something good about the people in .de
16:56 < krzie> since the most likely people to end up here are the people who care about security
16:58 < redfox> well.. thanks.. i guess :)
16:58 < Bushmills> a possible reason could be that here on freenode, a lot of linux folks are hanging out.
16:58 < Bushmills> and germany is one of the countries with the highest linux acceptance worldwide
16:59 < redfox> really?
16:59 < redfox> good2know
16:59 < krzie> ahh good point, ive only been on freenode for a couple yrs
16:59 < krzie> my main network is efnet
16:59 < Bushmills> japan is another country with high linux pervasion
16:59 < krzie> and what you said about linux acceptance backs up what i said
17:00 < krzie> about people caring about security
17:00 -!- [1]plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
17:00 < krzie> not to say its automatically secure or anything... but i think you know what i mean
17:01 < Bushmills> these figures are pre-netbooks though, and presumably since the rise of netbooks, their value has been diluted a bit
17:01 < [1]plt> how to change the number of days for certificate expire ? i changed 365 to 36500 and it sort of wraps around gives expiry date of 1973 when i view the cert in windows
17:01 < krzie> maybe back off a 0
17:01 < krzie> 2650 should be fine... 10 yrs
17:01 < [1]plt> i need more than 10 years :)
17:01 < krzie> 3650
17:02 < [1]plt> at least 50 years
17:02 < krzie> lol
17:02 < krzie> i think within 10 yrs you should be updating *
17:02 < [1]plt> yep ! :::)
17:02 < [1]plt> well..
17:02 < [1]plt> anyway i'll back off to 50 and try
17:03 < krzie> haha within 50 we might have quantum computing which would make all existing PKI very useless
17:04 < Bushmills> do you know that about two years ago, all german embassies changed the operating systems of the machines doing satellite communications to linux?
17:05 < Bushmills> within half a year, all embassies were updated.
17:06 < Bushmills> unluckily i don't know what secure communication software they use.
17:06 < redfox> krzie: true
17:07 < krzie> maybe they use openvpn...
17:07 < krzie> would make sense, its more secure than any other vpn software i know of
17:07 < Bushmills> that's why i regret not knowing what they use
17:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:08 < krzie> and if they accept linux (which is open source), we know they are not against the idea
17:09 < Bushmills> actually, GPG received some sponsoring by a ministry (of economics, i believe)
17:09 < krzie> within 6 months is rather impressive too
17:09 < krzie> for a gov
17:10 < krzie> many corporations dont move that fast on a complete migration
17:10 < Bushmills> i found that sponsoring remarkable, because in some countries there was the movement towards restricting general use, and therefore of free strong encryption.
17:10 < krzie> good point
17:10 < krzie> although if i remember correctly i was rather unimpressed when germany outlawed pen-testing tools
17:10 < krzie> i dunno if they changed their view on that tho
17:10 < Bushmills> yes, legislation is somewhat ambiguous
17:11 < krzie> i do remember a few sites moving away from .de because of that
17:11 < Bushmills> by having programs like traffic monitors, or packet dumpers on my machine, i am, according to the letter of the law, already in violation.
17:12 < krzie> hrm
17:12 < krzie> like tcpdump?
17:12 < Bushmills> for example
17:13 < krzie> which comes stock on almost every linux distro (im sure the gov doesnt use gentoo)
17:13 < krzie> would mean THEY are in violation
17:13 < redfox> even telnet would be illegal
17:13 < redfox> that law is simply dumb.
17:13 < krzie> extremely dumb
17:13 < krzie> especially since germany has good security researchers
17:14 < krzie> they should be WELCOMING the security community, especially with their other stances (sponsoring gpg, using linux)
17:14 < Bushmills> it, according to the law, was then conceived as a means to get an additional handle on cybercrime
17:15 < Bushmills> but they definitely overdid it
17:15 < redfox> its the exact opposite here
17:16 < redfox> now they released a law which records access to special ips via nameserver (childporn) .. so if someone sends you a link and the ip is on that list, you are a criminal
17:16 < [1]plt> hey redfox
17:16 < redfox> hi ple
17:16 < redfox> plt
17:16 < Bushmills> and availability of strong encryption also creates some backlash too
17:16 < [1]plt> i am trying to setup key expiry as long as possible - what's the max ?
17:16 < [1]plt> anyone know ?
17:17 < [1]plt> 100 years makes it expire in 1973
17:17 < [1]plt> strangely
17:17 < Bushmills> for example, that authorities have now legal permission to break into houses of "suspects" and install monitoring programs on their computers, to intercept data before it gets encrypted (or after its decryption)
17:18 < redfox> Bushmills: its true but i never heard about a case
17:19 < Bushmills> i suppose they didn't broadcast it when/if they did
17:19 < redfox> could be
17:19 < krzie> [1]plt i have no clue because i think anything over 10 yrs isnt a good idea
17:20 < krzie> the odds of you not knowing about a leaked cert grow with every piece of time...
17:20 < krzie> 10 years is a long time
17:21 < [1]plt> ok.. i'll add to crl anyway, i am doing a trial and error
17:21 < Bushmills> try 32767 days
17:21 < krzie> no matter how vigilant you are about security, you will likely be running vulnerable software without knowing it at times, for example the 0day openssh4.3 sploit thats out there in the wild right now
17:21 < krzie> you might be able to get 100 yrs with 64bit
17:22 < [1]plt> ok
17:22 < krzie> 1973 is the start of unix time, you are going beyond the 32bit timeline with 100yrs
17:22 < Bushmills> but with certificates, it isn't as it is with wine
17:22 < Bushmills> they don't tend to become better over time
17:22 < krzie> haha exactly
17:23 < krzie> when you said wine i thought you meant windows emulation, and couldnt find the relevance
17:23 < redfox> :>
17:23 < krzie> til you said better over time, lol
17:24 < Bushmills> they're more like stock options
17:24 < Bushmills> the close they are to expiration date, the less they are worth
17:24 < Bushmills> closer
17:24 < krzie> hahaha
17:24 < krzie> nice
17:25 -!- [1]plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- IRC with a difference"]
17:31 < Bushmills> krzee, you happen to be into motorcycling?
17:32 < krzie> nope
17:33 < Bushmills> or cartoons?
17:33 < krzie> i LOVE pixar movies
17:34 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
17:45 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
17:45 < plt> is the CN (common name) sent in clear ? i guess so ?
17:46 < krzie> im not 100% sure, but a packet sniffer would be
17:46 < redfox> it is.
17:46 < plt> ok
17:47 < plt> what's a good way to identify a client at your server if you don't want the client's name to go in the clear ?
17:47 < plt> i guess the filename is one option - any others ?
17:47 < plt> identify as in for your book keeping
17:48 < krzie> i dont understand the question
17:48 < redfox> me too
17:48 < plt> let's say i am the sys admin of the openvpn server
17:48 < krzie> ok
17:48 < plt> i create two clients redfox and krzie
17:48 < plt> and give you the crt/keys etc
17:48 < krzie> yay im a client!
17:48 < redfox> weee
17:48 < plt> lol
17:48 < plt> anyway, when you connect to me
17:48 < Bushmills> plt, use a garbage name as CN
17:49 < plt> the CN comes in clear
17:49 < Bushmills> suggestion: blerb
17:49 < plt> sorry one for bushmills too ;-)
17:49 < redfox> plt go on
17:49 < plt> ok lets say junk CN
17:49 < plt> at my server i want a way to keep track of whose cert is whose
17:49 < plt> how do i do that - i guess filename is the way everyone does ?
17:49 < plt> like redfox.crt, etc. with junk CN ?
17:50 < plt> or is there any other way / field of the cert ?
17:50 < krzie> i think theres like a comment section
17:50 < krzie> which is unused
17:50 < plt> comment in which file ?
17:50 < krzie> that what you are looking for?
17:51 < krzie> in the csr file (therefore in the crt after its signed)
17:51 < plt> comment is not transmitted in the clear or transmitted at all ?
17:51 < redfox> plt, certs are combination of public key and signature. public keys are always individual and yes there is also a comment section
17:51 < krzie> but ya, usually the common-name is chosen as a way to know who will be using it or what machine will be
17:51 < plt> ok..
17:51 < plt> is there a way for the ccd to use filename instead of CN ?
17:51 < krzie> for example i have 2 machines which i run a vpn on, hemp and joogot
17:52 < krzie> so the common-names i chose were: hemp and joogot
17:52 < plt> but let's say you don't want these names to go on the clear
17:52 < krzie> no, filename doesnt exist to the server
17:52 < krzie> the client knows the filename, but sends the data
17:52 < plt> no i meant filenames on the server
17:52 < krzie> ccd entries are based on client CN
17:52 < plt> i need filenames on the server too correct ? at least the client.crt ?
17:52 < plt> ok
17:52 < krzie> so what you're saying would need to be CLIENTS filename
17:52 < krzie> but it cant happen that way
17:53 < plt> i don't need any client files on the server after i create the keys correct ?
17:53 < krzie> MAYBE a tls static key would help guard CN=
17:53 < krzie> since it signs the packet with an hmac sig
17:53 < plt> tls static key ? ok will look that up
17:53 < krzie> dunno if that encrypts the packet or just adds a field tho
17:53 < krzie> !hmac
17:53 < plt> ok
17:53 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:53 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:54 < plt> ok
17:54 < plt> i don't need any client files on the server after i create the keys correct ?
17:54 < krzie> server gets server files, client gets client files
17:54 < krzie> both were signed by same CA, thats how its verified
17:54 < plt> ok
17:54 < krzie> the howto has a table of which files go where
17:55 < krzie> under the cert generating section
17:55 < krzie> and ssl-admin will even zip them up for transport
17:55 < krzie> along with the client config
17:55 < krzie> !ssl-admin
17:55 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
17:55 < plt> saw that
17:55 < plt> ssl-admin - ok looking
17:55 < plt> ok, i guess i have to create junk CNs and have a mapping for them
17:55 < krzie> its a nice alternative to easy-rsa
17:56 < krzie> i dont use easy-rsa ever now that i know about ssl-admin (made by ecrist)
17:56 < krzie> why junk CN's?
17:56 < plt> ssl-admin is substitute for easy-rsa but both with openvpns ?
17:56 < krzie> just name them something that is unique and identifies what you need to know
17:56 < krzie> its not like a CN is a password
17:56 < plt> junk CN cos i don't want any way to identify the client
17:56 < plt> let's say CN=krzie - i dont want to know its krzie that connected to me
17:57 < plt> a little beyond openvpn's main goals
17:57 < krzie> ssl-admin was made for generating certs for openvpn like easy-rsa was, but it could be used to generate certs for anything as well
17:57 < krzie> ohhh
17:57 < krzie> what is your actual goal?
17:57 < redfox> plt: a CN should not provide any authentication
17:57 < plt> CN is being used in ccds
17:57 < plt> i understand there are no security implications of CN
17:58 < krzie> sounds like a public vpn to me...
17:58 < krzie> is that what the case is?
17:58 < plt> yes sort of
17:58 < krzie> you might want to switch to passwords instead of certs for simpler management
17:58 < krzie> depending on your needs...
17:58 < krzie> you can still use ccd entries with no certs if you use login/passes
17:59 < krzie> !factoids search cert
17:59 < vpnHelper> krzie: 'servercert', 'certs', and 'nocert'
17:59 < krzie> !nocert
17:59 < vpnHelper> krzie: "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man)
17:59 < plt> i saw the login pass stuff
17:59 < krzie> i always recommend certs, more secure
17:59 < krzie> but you know your specific needs better than me
18:00 < plt> thing is i dont want the user to have to enter anything, just run an exe or batch file on their win xp
18:00 < krzie> !pwfile
18:00 < vpnHelper> krzie: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h
18:00 < plt> ok, cool
18:00 < plt> i guess BOTH the username AND password are encrypted in this case ?
18:00 < krzie> packet sniffing would know for sure
18:01 < krzie> i would assume it is, but dont take an assumption as the final answer
18:01 < plt> ok..
18:01 < krzie> so what is your actual goal?
18:01 < plt> just openvpn without revealing even who is connecting
18:02 < plt> and just dabbling with it now :)
18:02 < krzie> my common-names tell me who is connecting, but nobody in the middle would have a clue what they mean
18:02 < redfox> krzie: why do you feel passwords weaker than certs?
18:02 < krzie> its not like my certs are FirstnameLastnameSocialsecurity
18:02 < plt> ok, so you have a mapping from "username" to CN ?
18:02 < plt> ok
18:02 < krzie> redfox, password sniffing is easier than cert theft, people tend to reuse passwords
18:03 < plt> i'll have a mapping and use it - i am redoing my keys now
18:03 < redfox> krzie: thats correct. but the encryption strength is exactly the same :)
18:03 < redfox> but you're right.
18:04 < krzie> right, you get the exact same communication-channel encryption
18:04 < krzie> (blowfish by default)
18:04 < |Mike|> blow me fish !
18:04 < redfox> no rijndael?
18:05 < krzie> you can use anything your openssl supports
18:05 < krzie> (if both sides support it)
18:05 < redfox> i see
18:05 < krzie> so yes, AES is avail, but its not default
18:05 < |Mike|> they are all serverside generated certs krzie :-)
18:05 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Read error: 54 (Connection reset by peer)]
18:05 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
18:05 < krzie> what mike?
18:06 < |Mike|> client certs (the public ones)
18:06 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [Client Quit]
18:06 < krzie> i dont understand what you're tryin to say
18:06 < |Mike|> all certificates are being generated on the "server"
18:06 < krzie> you talking bout my comment that both openssl's need to support it?
18:07 < redfox> i guess he means that you still have to transport the certs over an unsecure channel
18:07 < krzie> the cert has no security implication, the key does
18:08 < redfox> sorry, meant the key
18:08 < krzie> i THINK he was talking about my comment about openssl on both sides needing to support the encryption method
18:08 < krzie> but i was only talking about communication-channel encryption, nothing to do with certs
18:08 < krzie> and aes/blowfish are not options for cert generation
18:09 < |Mike|> ya
18:10 < krzie> and the client key can be generated on the client machine
18:11 < krzie> with the resulting csr sent to the CA
18:11 < krzie> and crt sent back
18:11 < krzie> CA never needs to see the client key
18:12 < krzie> (over insecure channels is fine in this case as long as sigs are checked)
18:12 < |Mike|> Yeap, that would be the most secure way
18:14 < redfox> thats how ssl works
18:14 < krzie> yupyup
18:15 < krzie> some people dont understand it tho, they just manage to make some certs by following the howto (which is fine i guess)
18:15 < krzie> i dont need to know what my washing machine is doing on the inside to get clean clothes if i follow the directions ;]
18:16 < krzie> (although it sure helps if something happens to it)
18:16 < krzie> although to be honest, my maid does my laundry anyways ;]
18:16 < redfox> but that should be enough for most common people
18:16 < redfox> (even i would like to know how a washing machine works :>)
18:17 < |Mike|> it abuses a lot of water redfox ;)
18:17 < krzie> !google howstuffworks washing machine
18:17 < vpnHelper> krzie: HowStuffWorks "How Washing Machines Work": ; HowStuffWorks "How to Repair a Washing Machine: Tips and Guidelines": ; HowStuffWorks "How Washing Machines Work":
18:17 < krzie> =]
18:18 < redfox> now try that with PKI :>
18:19 < krzie> !google howstuffworks ssl
18:19 < vpnHelper> krzie: HowStuffWorks "SSL and TLS": ; HowStuffWorks "How Encryption Works": ; HowStuffWorks Videos "SSL VPNs":
18:21 < redfox> thats pretty general :)
18:22 < |Mike|> blame the dunkbot ;)
18:22 < krzie> !google how work pki
18:22 < vpnHelper> krzie: How PKI systems work: ; Understanding the Role of the PKI: ; How PKI Works:
18:22 < |Mike|> krzie: how much mem does the bot use atm ? ;)
18:23 < |Mike|> 248 M ?
18:23 < krzie> lemme check
18:24 < krzie> 16M
18:24 < |Mike|> not bad.
18:24 < |Mike|> I know the guy behind dunkbot ;d
18:24 < redfox> which language is it written in?
18:24 < |Mike|> IRL
18:24 < krzie> its not a dunkbot
18:24 < krzie> python
18:24 < |Mike|> eggie ?
18:24 < krzie> supybot
18:24 < |Mike|> it's a dunkbot krzie
18:24 < |Mike|> :P
18:24 < krzie> *shrug* ok
18:24 < |Mike|> the base is.
18:25 < |Mike|> dunker at freebsd.nl ++
18:25 < |Mike|> !v
18:25 < vpnHelper> |Mike|: Error: "v" is not a valid command.
18:25 < |Mike|> lol
18:26 < krzie> !version
18:26 < vpnHelper> krzie: The current (running) version of this Supybot is 0.83.3. The newest version available online is 0.83.4.1.
18:26 < |Mike|> baahhooo
18:27 < redfox> supybot is a funny name :)
18:28 < krzie> its a commonly used helper bot here on freenode
18:31 < |Mike|> based on gozerbot :p
18:32 < krzie> haha the imp idea came right from the flintstones
18:32 < krzie> oops misfire
18:34 < |Mike|> WTF my new dog (pup) eats cat grid lol
18:34 < krzie> grid = shit?
18:35 < |Mike|> nah, the stuff where cats pie / shit on
18:35 < krzie> ohh, kitty litter
18:35 < |Mike|> Yes
18:35 < |Mike|> we have 2 dogs here
18:36 < |Mike|> always have
18:36 < krzie> s/pie/piss || s/pie/pee
18:36 < |Mike|> last friday we did put a needle in the 13 year old (heart / vane problems, could barely move etc)
18:37 < |Mike|> and we bought a new dog, cross between a dutch herder and a frys stabbei
18:38 < |Mike|> 4 months old
18:38 < |Mike|> (female)
18:45 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
19:29 -!- cj [i=cjac@173-10-126-202-BusName-Washington.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
19:53 < redfox> 13 years is a great age for a dog
19:53 < redfox> and 3am is a great time for being awake...
19:53 < redfox> with this in mind... sleep well everyone ;)
20:11 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has joined ##openvpn
20:16 < lizone> I've set up OpenVPN and almost everything works as planned except browsing -- any help would be appreciated
20:19 < StormWlf> You're using a bridged setup?
20:21 < StormWlf> can You ping an ip directly? inside and outside
20:21 < StormWlf> or do the domain names resolve at all?
20:22 < lizone> StormWlf: routing, and yes I can ping the server
20:23 < StormWlf> from the client what happens when You ping google.com?
20:23 < lizone> one sec
20:23 < StormWlf> then try to ping 74.125.45.100 and see what You get
20:24 < lizone> i'll check it out
20:24 < StormWlf> k
20:25 < lizone> from the client (XP) I can ping google.com but it's from my external ip
20:26 < lizone> when I ping my server which is 10.0.69.1 it seems it responds correctly
20:27 < lizone> my client has a local ip assigned 10.0.69.2
20:28 < StormWlf> ok so the client cant browse the web
20:29 < StormWlf> You're not pushing all traffic through the vpn
20:29 < lizone> yes, but I'd like to do that thru the proxy which is on my vpn server
20:30 < lizone> I did that by putting ' push "10.0.69.1 255.255.255.0" but it's not working
20:32 < lizone> to be clear, I've added it to the server.conf
20:33 < StormWlf> k
20:35 < StormWlf> do a route on your client and stick it on pastebin
20:35 < StormWlf> !help
20:35 < vpnHelper> StormWlf: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
20:35 < StormWlf> !pastebin
20:35 < vpnHelper> StormWlf: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
20:36 < lizone> OK
20:36 < StormWlf> route print
20:37 < lizone> do you mean: netstat -r (route table)?
20:38 < StormWlf> both give the same thing
20:38 < StormWlf> route print or netstat -r
20:43 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has joined ##openvpn
20:43 < rizet> it's http://pastebin.ca/1485208
20:46 < lizone> rizet = lizone
20:59 < rizet> I've tried to add 'push "redirect-gateway def1" ' to the server.conf to no avail
21:17 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has quit [Client Quit]
21:18 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]"]
21:50 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
22:00 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
22:01 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has joined ##openvpn
22:02 -!- rizet [n=chatzill@user-0ccejib.cable.mindspring.com] has left ##openvpn []
22:14 -!- missnebun [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
22:22 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
22:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
22:33 -!- missnebun is now known as gabriel25ny
22:36 -!- thedoc [n=andelyx@38.108.110.106] has joined ##openvpn
23:39 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
23:41 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
23:50 -!- floyd_n_milan_ [n=mrugesh@203.129.237.147] has joined ##openvpn
--- Day changed Mon Jul 06 2009
00:29 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
00:40 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
00:43 -!- vpn [n=vpn@dxb-as18417.alshamil.net.ae] has joined ##openvpn
00:43 < vpn> hi all
00:43 -!- oc80z [i=oc80z@blea.ch] has quit ["ZNC - http://znc.sourceforge.net"]
00:43 < vpn> i had configured openvpn on fedora n its working fine
00:44 < vpn> i had created 3 different client certificates n installed all 3 certificates at clients laptop
00:44 < vpn> but problem is this
00:45 < vpn> when all 3 clients login at same time then they cant connect to vpn machine
00:45 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
00:48 -!- floyd_n_milan_ [n=mrugesh@unaffiliated/floydnmilan/x-000001] has quit [Remote closed the connection]
00:50 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn
01:02 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn
01:09 -!- vpn [n=vpn@dxb-as18417.alshamil.net.ae] has quit ["Leaving"]
01:12 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:31 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
01:39 -!- master_of_master [i=master_o@p549D4DB0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:43 -!- master_of_master [i=master_o@p549D6A38.dip.t-dialin.net] has joined ##openvpn
02:03 -!- thedoc_ [n=andelyx@38.108.110.106] has joined ##openvpn
02:04 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:32 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
02:37 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
02:38 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
03:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
03:17 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
03:23 -!- scfe_ [n=scfe_@67.159.26.22] has joined ##openvpn
03:25 < scfe_> Hi - I have a problem related to openvpn client connecting through a socks proxy. Basically I use SSH to forward a connection to a remote server.
03:25 < scfe_> I added socks-proxy to my openvpn.conf
03:25 < scfe_> But for every connection request I see on the command line "recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115)"
03:25 < scfe_> afterwards openvpn terminates.
03:25 < scfe_> what can I do?
03:26 < scfe_> I'm in one of those countries where internet is filtered and I want to get out of this...
03:30 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:40 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn []
03:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
04:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn []
04:27 -!- tompaw_ [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
04:38 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has quit [Read error: 110 (Connection timed out)]
05:08 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:09 -!- scfe [n=scfe@mail1.junkkiller.de] has joined ##openvpn
05:09 -!- scfe [n=scfe@mail1.junkkiller.de] has left ##openvpn []
05:25 -!- scfe_ [n=scfe_@67.159.26.22] has quit ["CGI:IRC"]
05:46 -!- ElectricBill [n=bill@smtpv2.cosi.net] has quit ["Leaving"]
06:19 -!- YpsyZNC is now known as Ypsy
06:49 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn
06:56 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Client Quit]
07:01 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
07:03 -!- laeg [n=laeg@unaffiliated/laeg] has joined ##openvpn
07:03 < laeg> could somebody point me in the right direction for setting up an openvpn on my ubuntu box to tunnel http/im traffic through for a windows box?
07:04 < thedoc> !howto
07:04 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:08 < laeg> vpnHelper: ty
07:08 < vpnHelper> laeg: Error: "ty" is not a valid command.
07:08 < laeg> uhm thedoc even
07:10 -!- scfe [n=scfe@mail1.junkkiller.de] has joined ##openvpn
07:11 -!- scfe [n=scfe@mail1.junkkiller.de] has left ##openvpn []
07:11 -!- scfe [n=scfe@mail1.junkkiller.de] has joined ##openvpn
07:15 < l2trace99> can anyone point me to why I would get "TLS Error: Cannot accept new session request [client] due to session context expire or --single-session" errors
07:15 < l2trace99> when I am not using the same certs for client auth
07:36 < n0g0> l2trace99, do you use single-session or max-clients in your server config ?
07:37 < l2trace99> no
07:38 < l2trace99> i do not have duplicate-cn
07:38 < l2trace99> but it shouldn't matter
07:38 < l2trace99> because I have separate certs per user
07:39 < n0g0> yes, that's better than duplicate-cn
07:39 < n0g0> so the error happens when you try to connect with a second cert ?
07:45 < n0g0> l2trace99, in 2.0.9 source there are only two lines where this error is thrown and both require the option "single-session" to be set.
07:46 < l2trace99> would be in the server logs if the client set it >?
07:49 < n0g0> the error may only occur on the server if single-session is set in the server.conf
07:52 < l2trace99> here is my server config
07:52 < l2trace99> http://pastie.org/535585
07:53 < ecrist> good morning, bitches.
07:54 < n0g0> l2trace99, try removing inactive.
07:55 < l2trace99> but then the client session is just inactive. Right ?
07:55 < n0g0> it will be removed after 60 seconds of inactivity (keepalive)
08:03 < l2trace99> signal SIGHUP will drop all sessions won't it ? Is there another way ?
08:03 < krzie> l2trace99 do the different certs have different common-names?
08:04 < l2trace99> yes
08:09 < n0g0> you mean another way to reload the config or what ?
08:11 < l2trace99> reload the config
08:11 < l2trace99> w/o dropping sessions
08:11 < krzie> !man
08:11 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:11 < krzie> see section on SIGNALS
08:12 < n0g0> just looked there, seems to be no chance to do that
08:12 < krzie> ya looks that way to me too
08:13 < krzie> (just looked after the bot gave the link)
08:13 < l2trace99> that's why I asked
08:14 < l2trace99> I read before but I was looking to see if anyone had different experiences
08:14 < krzie> nah if it existed thats where it would be
08:14 < l2trace99> i'll wait then
08:15 < l2trace99> thanks
08:15 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"]
08:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:31 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
08:44 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
08:54 -!- scfe [n=scfe@mail1.junkkiller.de] has quit [Remote closed the connection]
09:01 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn
09:11 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
09:11 -!- Gumbler [n=Gumbler@unaffiliated/gumbler] has joined ##openvpn
09:15 < ecrist> l2trace99: the only way to reload config without dropping connections is within mgmt interface
09:16 < krzie> ohhhh
09:16 < krzie> i forgot about that
09:16 < krzie> good call eric
09:17 < krzie> you played with that much? i never have
09:21 < ecrist> a couple times
09:21 < ecrist> don't use it regularly, not much need to.
09:28 < l2trace99> that was how I was planning on sending the signals
09:28 < l2trace99> telnet 127.0.0.1 3334
09:28 < l2trace99> signal SIGHUP
09:33 < krzie> ahh
09:33 < krzie> type help in there
09:36 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:43 < ecrist> l2trace99: signal SIGHUP wouldn't be the method to use, iirc.
09:44 < ecrist> there is a reload command
09:44 < ecrist> sending 'signal SIGHUP' is the same as kill -1 from outside the mgmt interface.
09:45 < l2trace99> help doesn't show a reload command
09:45 < l2trace99> reload is unknown command
09:46 < krzie> listen to ecrist, if he sounds confident its because he knows what hes talking about ;]
09:46 < l2trace99> http://pastie.org/535700
09:46 < l2trace99> that is the output of help
09:46 < l2trace99> and the reload command
09:47 < ecrist> http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
09:51 < ecrist> l2trace99: I could have sworn there was a reload command, but it's apparent I'm incorrect.
09:51 * ecrist sets mode +dunce_cap ecrist
09:51 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
09:52 < l2trace99> yeah I don't even see the phrase reload in that document
09:53 < ecrist> me either
09:53 < ecrist> try the SIGHUP or SIGUSR1 for the reload
09:56 < ecrist> !learn mgmt as http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt
09:56 < vpnHelper> ecrist: Joo got it.
10:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:28 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:43 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
11:01 < ecrist> NagVis looks pretty tight
11:07 -!- madduck [n=madduck@debian/developer/madduck] has quit [Read error: 113 (No route to host)]
11:09 -!- Hink is now known as LowValueTarget
11:12 -!- madduck [n=madduck@2001:1620:2018:2:0:0:4d6d:8b54] has joined ##openvpn
11:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:16 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 110 (Connection timed out)]
11:21 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
11:23 -!- carpe_ [n=carpe@vip2.tundraeng.com] has joined ##openvpn
11:23 -!- carpe_ is now known as plaerzen
11:30 -!- albech [n=albech@119.42.76.157] has joined ##openvpn
11:31 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has left ##openvpn ["part"]
11:32 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
11:37 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
11:40 -!- Pickenzak [n=VSAA@ip-174-37-149-91.dialup.ice.net] has joined ##openvpn
11:43 < Pickenzak> Can i server more then 254 hosts using the server-bridge directive and one server-instance ?
11:43 < Pickenzak> i server/i serve
11:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
11:52 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn
11:59 < n0g0> Pickenzak, yes you can.
11:59 < Pickenzak> can you tell me how ?
11:59 < n0g0> change the subnet mask
11:59 < n0g0> e.g. 10.8.0.0 255.255.0.0
12:00 < Pickenzak> This is "Perfect!" :)
12:00 < n0g0> then you've got 65k hosts
12:00 < Pickenzak> 172.16.0.0 ... would provide the most private address space ?
12:01 < Bushmills> 10.x.x.x provides more
12:01 < n0g0> 10.0.0.0/255.0.0.0 is private too
12:01 < Pickenzak> Hehe, cool. Will add this
12:02 < Pickenzak> Hmm, but arent some isps dns:s on 10.0.0 ?
12:02 < Bushmills> rfc 1918
12:02 < n0g0> would be bad for them =)
12:02 < Pickenzak> Ah, bad then
12:02 < Pickenzak> :)
12:02 < Pickenzak> RaZER
12:04 < Pickenzak> thanks Bushmills and n0g0
12:04 < Bushmills> no pain
12:06 < Pickenzak> We are making some things called gadmin-openvpn-/server/client. Maybe these settings would be a very good standard setting ?
12:07 < Pickenzak> the standard now is to use 255.255.255.0 .. and that would only support 254 simultaneous vpn tunnels
12:08 < Pickenzak> on the 192.168.10.0 network
12:08 < n0g0> for most home users that's enough
12:08 < Pickenzak> Yeah, but we like to make it as good as possible.
12:09 < n0g0> but be aware that big networks are sometimes worse than more small nets
12:09 < Pickenzak> I know of that.
12:10 < n0g0> Windows likes broadcasting and with a 255.0.0.0 network it will produce a lot of traffic
12:11 < Pickenzak> Hmm, so that would saturate the pipes if many smb clients are used ?
12:11 < n0g0> using TAP, yes
12:12 < n0g0> TUN won't allow broadcasting
12:12 < Pickenzak> and tap is used with the bridge, yes
12:12 < Pickenzak> thats why i like the tap
12:12 < Pickenzak> To support broadcast
12:13 < n0g0> but broadcasts don't scale well...
12:13 < Pickenzak> (Yeah, not the best way of networking but...)
12:13 < Pickenzak> Naah, broadcast is crap really, only endusers like it
12:13 < n0g0> that's the reason why big networks use other types of name resolution
12:14 < n0g0> wins, dns, etc.
12:14 < Pickenzak> Yeah but with this setting they could block the broadcastings with firewall rules
12:15 < n0g0> but that makes only sense when done on the server, before the broadcasts are distributed to the clients
12:16 < Pickenzak> samba is meant to be able to list the servers and shares etc. Its not a bad idea but should not be broadcasted. I remember back in 94 or something. with the coax cables and that it used to take up to 30 minutes to collect all servers in a net /LOL!
12:16 < n0g0> if each individual client has to block the packets, they will still be transferred over the tunnels.
12:16 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:16 < Pickenzak> Yeah, its a server and client gui
12:17 < Pickenzak> so the server will decide
12:17 < n0g0> that's okay
12:17 < Pickenzak> seen the guis btw ?
12:17 * n0g0 is out for lunch
12:17 < Pickenzak> cya
12:29 < Pickenzak> Hmm, watching cops on tv. A guy who was fishing coins in a fountain. The guy had lived in that city for 17 years, had worked for 4 years. Got arrested, was let loose, got arrested again by the same cop, on the same night. If i was the cop id have given the guy some more money instead.
12:29 < Pickenzak> 11 dollars :P
12:29 < Pickenzak> Thats just sad
12:32 < Pickenzak> the cops must arrest alot of people, even if its for nothing, to keep themselves employed. Theres an animal species that prey on other animals like that. :)
12:33 < Pickenzak> matrix ref.
12:33 -!- Andy1978 [n=andy@p5B32F23D.dip.t-dialin.net] has joined ##openvpn
12:34 < Andy1978> !howto
12:34 < vpnHelper> Andy1978: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:36 < Pickenzak> !Andy
12:36 < vpnHelper> Pickenzak: Error: "Andy" is not a valid command.
12:36 < Pickenzak> :)
12:37 < Andy1978> hm, is there a howto with 2 NIC on the server side?
12:38 < Pickenzak> whats the benefit ? / broadcastOVERHEAD ? :)
12:39 < Andy1978> one NIC is connected to the private LAN, the other in a public LAN with internet gateway
12:39 < Pickenzak> Tex: subnetting or supernetting for low smb-queries
12:41 < Pickenzak> Public LAN... (Local area Network) .. hows that local/private ?
12:41 < Pickenzak> But more interestingly, how are those ip's connected ?
12:42 < Pickenzak> IE: Dont connect a LAN to bypass the local gateway
12:43 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Success]
12:46 -!- RethinalX [n=Rethinal@ip-141-200-241-92.dialup.ice.net] has joined ##openvpn
12:50 < Andy1978> Pickenzak: I'm not a pro... one network 192.168.10.192/24 is private, there is no possibility for a user to physically connect to this network.
12:50 < Andy1978> I'm sorry, /26
12:51 < Pickenzak> Andy1978: No, an IPv4 network would be: 192.168.0.0 or 192.168.1.2 etc
12:51 < Pickenzak> Andy1978: No, an IPv4 network would be: 192.168.0.0 or 192.168.1.0 etc
12:51 < Pickenzak> The last octet depicts a host on the network
12:52 < Andy1978> the other network 192.168.250.0/24 is public, different user could connect to this network via WLAN and there is a gateway to the internet
12:52 < Pickenzak> Andy1978: No, an IPv4 network would be: 192.168.0.0 or 192.168.0.0 etc
12:52 < Pickenzak> Andy1978: No, an IPv4 network would be: 192.168.0.0 or 192.168.1.0 etc
12:52 < Pickenzak> Andy1978: No, an IPv4 network would be: 192.168.0.0 or 192.168.2.0 etc
12:52 < Pickenzak> etc, sorry.. :)
12:52 < Pickenzak> Andy1978: it cant be public
12:53 < Pickenzak> Public is a net reaclable by others from the public net
12:53 < Pickenzak> reachable
12:53 < Andy1978> hm? if the subnetmask is /26, a possible net would be 192.168.10.192, the first possible host address is 192.168.10.192, the broadcast is 192.168.10.255
12:54 < Andy1978> up, first host address 192.168.10.193
12:54 < Andy1978> Am I wrong?
12:54 < Pickenzak> 192.168.x.x is private
12:55 < Andy1978> Ahhh... now I understand what you are talking....
12:55 < Andy1978> public in the term, that ordinary user can connect to that net...
12:57 < Pickenzak> 169.254.x.x is also local
12:57 < Pickenzak> http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
12:57 < vpnHelper> Title: Classless Inter-Domain Routing - Wikipedia, the free encyclopedia (at en.wikipedia.org)
12:57 < Andy1978> You are talking from 192.168.x, 172.16.x, 10.x
12:58 < Andy1978> but thats not the point....
12:58 < Pickenzak> and 169.254.x
12:59 < Andy1978> RFC330, I know "Link Local"
12:59 < Andy1978> RFC3330...
13:00 < Pickenzak> Assuredly so
13:04 < Pickenzak> Pretty cool this openvpn, right Andy ?
13:04 < Pickenzak> I like it alot
13:06 < krzee> !1918
13:06 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:07 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
13:07 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:10 < Pickenzak> 169.254.x is a microsoft added thing, but still a valid waypoint.
13:10 < Pickenzak> But, very unnecessary
13:11 < Pickenzak> Andy1978: here ?
13:16 < ecrist> 169.254 is *not* a microsoft added thing
13:16 < ecrist> they just happened to be the first to implement, and is most publicly noted for it
13:25 < Andy1978> but the LAN vs. WAN vs. public, private IP Ranges is not really the problem
13:32 < ecrist> Andy1978: I read back a bit, don't fully understand your problem.
13:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:42 < Pickenzak> Perhaps, later on, our GAdmin-OpenVPN things can co-mingle on your site ?
13:42 < Pickenzak> I like when server and gui coders do these things
13:52 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
13:52 < ksnp> j freeswitch
14:04 < ecrist> no
14:04 < ecrist> k freeswitch
14:05 < ecrist> Pickenzak: what/who are you talking to?
14:06 < Pickenzak> Mr.KillChrist :)
14:08 < Pickenzak> ecrist: Its a microsoft added thing. You must be a small child
14:17 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)]
14:21 < krzee> Pickenzak, not only is ecrist no small child, hes also one of the main helpers here and knows his shit
14:21 < krzee> maybe rethink your approach to being new in a channel
14:23 < ecrist> Pickenzak: insults go elsewhere, please. your only warning.
14:26 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:27 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:27 < Pickenzak> ecrist: SuckamaCristyPole
14:27 < Pickenzak> we make the apps you use, be nice now
14:27 < krzee> you are an ovpn dev?
14:27 < krzee> ive never seen you on the lists...
14:28 < Pickenzak> Kinga are not on any lists
14:28 < krzee> so what do we use of yours?
14:28 < Pickenzak> None of the befallenz
14:29 < Pickenzak> go away
14:29 < krzee> if i were to go away there would be somewhat less help going on in here
14:29 < krzee> !irclogs
14:29 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
14:29 -!- mode/##openvpn [+o ecrist] by ChanServ
14:29 < Pickenzak> What requiem est, to be nice and friendly.
14:29 -!- mode/##openvpn [+b *!*n=VSAA@*.dialup.ice.net] by ecrist
14:29 -!- Pickenzak was kicked from ##openvpn by ecrist [ecrist]
14:29 -!- mode/##openvpn [-o ecrist] by ecrist
14:30 < krzee> solves that one
14:30 < krzee> haha
14:30 < ecrist> lol
14:30 < ecrist> my banhammer was getting dusty anyways
14:31 < RethinalX> Maybe the coders where never allowed here to begin with ?
14:31 < krzee> that guy has nothing to do with the ovpn project
14:31 < ecrist> on the contrary. I know the coders to a degree, and they've expressed a disinterest from attending this IRC channel.
14:31 < krzee> and anyone is allowed here if they know how to talk to people
14:32 < RethinalX> I think you just kicked a coder legend
14:32 < krzee> i think he needs to learn how to enter a new channel
14:32 < ecrist> the OpenVPN developers (Francis, et al) are busy trying to make a money-making enterprise with support and add-on features (see OpenVPN Access Server for reference), and are content to allow the community to help itself.
14:33 < RethinalX> By my take he was here since 09:00 this morning
14:33 -!- wire [n=Guest_rk@unaffiliated/wireddd] has joined ##openvpn
14:33 < RethinalX> Good work
14:33 < krzee> and we
14:33 < RethinalX> ?
14:33 < krzee> ve been here since ##openvpn existed
14:33 < krzee> helping people damn near everyday
14:33 < ecrist> FWOW, RFC 3330 has no mention of Microsoft.
14:33 < ecrist> http://www.rfc-editor.org/rfc/rfc3330.txt
14:33 < ecrist> FWIW*
14:33 < RethinalX> I suspect you code alot on it / or not ?
14:33 < krzee> maybe not the people to just come in and blindly insult
14:34 < krzee> RethinalX, what code from ovpn do you think he made?
14:34 < RethinalX> Half the work
14:34 < krzee> orly
14:34 < krzee> !mail
14:34 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
14:34 < RethinalX> He said it was required and so it was done
14:35 < krzee> http://news.gmane.org/gmane.network.openvpn.devel
14:35 < vpnHelper> Title: Gmane Loom (at news.gmane.org)
14:35 < krzee> lets find him
14:35 < RethinalX> Sure, his nick is magnus-swe
14:35 < wire> ok so I am trying to route between two subnets separated by two routers that are connected with a vpn, 10.0.1.0 (vpn 10.0.254.2) and 192.168.1.0 (vpn 10.0.254.1), what do I need to add to the iptables rules to allow traffic to pass?
14:36 < krzee> but regardless, i dont go to where he helps people and try to insult him
14:36 < krzee> wire:
14:36 < krzee> !route
14:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:36 < ecrist> first off, the OpenVPN servers are sitting in a well-connected datacenter, I doubt the core team would be connecting to IRC via a dialup account in Sweden, particularly when the core developers are from California.
14:37 < RethinalX> Have you freaked out ?
14:37 < RethinalX> Wireless dialup
14:37 < RethinalX> We are testing new longrange wireless technologies
14:37 < krzee> and...?
14:38 < RethinalX> Its working as expected, very well
14:38 < RethinalX> Why are you feeling agitated ?
14:38 < ecrist> ah, you share an ISP.
14:38 < RethinalX> Relax man
14:38 < RethinalX> Share, no
14:39 < krzee> i know im not agitated, but i also know that if you join a channel and insult the people who run it, you get kicked
14:39 < RethinalX> Im just an onlooker that decided you have a bloodsugar issue, perhaps
14:39 < krzee> thats how its been on IRC since i joined
14:39 < krzee> and it will remain that way
14:39 < krzee> (early 90's in case you're curious)
14:39 < RethinalX> What was his insult you think ?
14:39 < ecrist> 14:27 < Pickenzak> ecrist: SuckamaCristyPole
14:39 < ecrist> for one
14:40 < ecrist> 14:06 < Pickenzak> Mr.KillChrist :)
14:40 < ecrist> for two
14:40 < wire> krzee I already have the routes in there
14:40 < RethinalX> We worked with rolls on honeywell and sandvik. We where the first to make "computer tape"
14:40 < RethinalX> And the first computers
14:40 < krzee> [15:08] ecrist: Its a microsoft added thing. You must be a small child
14:40 < krzee> thats one
14:40 < krzee> but ya, time for me to roll, bbiaf
14:41 < ecrist> regardless, this is off topic. we are done.
14:41 < RethinalX> Are you ?
14:41 < krzee> wire, ill be back in a few minutes, if you wanna type !configs to see what ill want when i get back
14:41 < krzee> prolly like 10-15 mins or so
14:41 < RethinalX> You're a politically appointed entity. Probably because you're angry
14:42 < RethinalX> You dont know it yet
14:42 < RethinalX> .
14:42 < ecrist> please stop, now.
14:42 < krzee> RethinalX, are you trying to prove your point by getting banned? let the topic die
14:42 < RethinalX> Alright
14:42 < RethinalX> t
14:42 < RethinalX> t
14:43 < RethinalX> Ok, let these new people rule some. (Im game)
14:43 -!- mode/##openvpn [+o ecrist] by ChanServ
14:43 -!- mode/##openvpn [-b *!*n=VSAA@*.dialup.ice.net] by ecrist
14:43 -!- mode/##openvpn [+b *!*@ice.net] by ecrist
14:44 -!- mode/##openvpn [-o ecrist] by ecrist
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- Pickenzak [n=VSAA@ip-174-37-149-91.dialup.ice.net] has joined ##openvpn
14:46 -!- mode/##openvpn [+o ecrist] by ChanServ
14:46 -!- mode/##openvpn [-b *!*@ice.net] by ecrist
14:46 -!- mode/##openvpn [+b *!*@*.ice.net] by ecrist
14:46 -!- mode/##openvpn [-o ecrist] by ecrist
14:55 < krzie> RethinalX maybe take a look at !irclogs
14:55 < krzie> we're here helping people every day, never seen you before
14:56 < krzie> wire: you still here?
14:56 < wire> yes
14:56 < krzie> !configs
14:56 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:58 < wire> http://www.pastebin.ca/1486048
14:58 -!- bandinia [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
14:58 -!- bandini [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:59 < wire> the server is kamikaze 7.10, and the client is 8.09.1, r16278
14:59 < wire> the vpn is up and I can ping across it just fine, I am pretty sure it is a firewall issue
14:59 < krzie> those arent client / server
15:00 < krzie> that is point to point
15:00 < krzie> have you enabled ip forwarding on both sides?
15:00 < krzie> !linipforward
15:00 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
15:01 < krzie> as for firewall issue, see Firewall in the manual
15:01 < krzie> just enabling all traffic to pass/forward through tun interface should be cool
15:01 < krzie> no nat needed for this type of setup
15:01 < wire> ip forwarding was already enabled
15:01 < krzie> ok
15:01 < krzie> you dont want any additional clients?
15:02 < krzie> like maybe your laptop when you are gone, etc
15:02 < wire> no, just linking these two networks
15:02 < krzie> ok, ive never done that with a ptp style setup, but i dont see why it shouldnt work if setup right
15:02 < krzie> both vpn endpoints are the routers for their lan?
15:03 < wire> yes
15:03 < krzie> 192.168.1.x and 2.x are lans behind the "server" ?
15:04 < wire> 192.168.1.x is directly behind it and 192.168.2.x is linked to 192.168.1.x via a ptp t1
15:04 < wire> I know I am going to have to change some things on those routers, but for now I just want to be able to get 192.168.1.x working
15:04 < krzie> ok, but the 'server' has a route to it?
15:04 < krzie> ok ya i was gunna say that
15:05 < wire> yes, but not back atm
15:05 < wire> at least not all the way to 10.0.1.x
15:05 < krzie> 10.0.1.0 is the network behind 'client'?
15:07 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
15:07 < wire> yeah
15:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:09 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
15:09 < wire> i'm guessing that I need to add some stuff to the iptables rules to let the traffic pass, but it has been so long since I have really messed with iptables
15:10 < krzie> ok, now do each of these things and tell me if they work or not, do not use past answers but actually try what i say:!iptables
15:10 < krzie> oops
15:10 < krzie> !iptables
15:10 < krzie> brb
15:10 < vpnHelper> krzie: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
15:19 -!- Pickenzak [n=VSAA@ip-174-37-149-91.dialup.ice.net] has left ##openvpn []
15:28 < krzie> wire
15:28 < krzie> now do each of these things and tell me if they work or not, do not use past answers but actually try what i say:
15:29 < krzie> from the server: ping the client by vpn address, ping the client by its LAN address, ping a machine on the clients lan
15:29 < krzie> from the client: do the same but for the server
15:29 < krzie> tell me which of those work and which not
15:30 < wire> hmm I have bigger problems at the moment
15:31 -!- RethinalX [n=Rethinal@ip-141-200-241-92.dialup.ice.net] has quit [Client Quit]
15:36 -!- wire [n=Guest_rk@unaffiliated/wireddd] has quit []
15:42 -!- Andy1978 [n=andy@p5B32F23D.dip.t-dialin.net] has left ##openvpn []
16:03 -!- troy- is now known as troy
16:39 -!- ciphyre_ [n=ciphyre@173-15-94-113-Illinois.hfc.comcastbusiness.net] has joined ##openvpn
16:42 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
16:47 -!- Ypsy is now known as YpsyZNC
16:56 -!- ciphyre_ is now known as ciphyre
16:57 -!- StormWlf [i=stormwlf@adsl-76-192-208-211.dsl.okcyok.sbcglobal.net] has quit []
17:00 -!- GloFF [n=gloff@ti0006a380-0061.bb.online.no] has joined ##openvpn
17:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:11 -!- troy is now known as troy-
17:16 -!- |newbie| [n=MikeMmm@96.237.168.243] has joined ##openvpn
17:16 < |newbie|> !logs
17:16 < vpnHelper> |newbie|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:16 < |newbie|> !howto
17:16 < vpnHelper> |newbie|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:17 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)]
17:18 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
17:27 -!- bandini [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:29 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:29 < Dougy[home]> damnit
17:29 < Dougy[home]> need thedoc up in this plaec
17:29 < Dougy[home]> place
17:33 < GloFF> !route
17:33 < vpnHelper> GloFF: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:38 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Remote closed the connection]
17:41 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn
17:46 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn []
17:46 -!- |newbie| [n=MikeMmm@96.237.168.243] has quit [Read error: 110 (Connection timed out)]
17:47 -!- troy- is now known as troy
17:47 -!- |newbie| [n=MikeMmm@96.237.168.243] has joined ##openvpn
17:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
17:54 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
17:55 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
17:56 -!- |newbie| [n=MikeMmm@96.237.168.243] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090224, built on: 2009/04/10 00:10:11 UTC http://www.kvirc.net/"]
18:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:23 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 60 (Operation timed out)]
18:46 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn
18:49 -!- code- [i=code@antenora.aculei.net] has quit [Remote closed the connection]
19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:18 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
19:22 < ksnp> hi, i have setup openvpn with two special ccd entries on 10.8.1.x, while the main network is on 10.8.0.x and have client-to-client uncommented in the conf file. i am unable to ping from 10.8.1.x client to another 10.8.1.x client
19:22 < ksnp> is this expected or could this be to due to firewall or is it that client-to-client in conf only applies to 10.8.0.x
19:23 < krzie> client-to-client bypasses the firewall, so thats not it
19:24 < ksnp> ok.
19:24 < krzie> heres my question
19:24 < ksnp> i have the ifconfig-push in the ccd entry for 10.8.1.x
19:24 < ksnp> ok
19:24 < krzie> why are those ccd entries giving ips in diff subnet?
19:26 < ksnp> i want these special clients to be able access entire server LAN
19:26 < ksnp> as opposed to the others
19:26 < ksnp> and these are fixed ips
19:26 < ksnp> the 10.8.0.x are not fixed ips and those clients would get access only to server not entire server side LAN (was planning to use iptables to set these access policies)
19:27 < krzie> you dont need to put them in a diff subnet
19:27 < krzie> but you do need to give them static ips
19:27 < krzie> like you did
19:27 < krzie> then you remove client-to-client
19:27 < krzie> so the packets pass through the kernel
19:27 < krzie> then your firewall rules have effect on them
19:29 < Dougy[home]> KRZIE
19:29 * Dougy[home] highfive
19:29 < Dougy[home]> dude, my 3548 came today
19:29 < Dougy[home]> its huge.
19:30 < Dougy[home]> its bigger than these server chassis i have..
19:30 < krzie> haha
19:30 < Dougy[home]> its more than 14" deep
19:30 < Dougy[home]> i think its 16 or so
19:37 -!- laeg [n=laeg@unaffiliated/laeg] has quit ["Lost terminal"]
19:40 < ksnp> krzie : "then you remove client-to-client so packets pass through the kernel"
19:41 < krzie> client-to-client makes packets pass through the openvpn process without touching the kernel
19:41 < ksnp> didn't get that : basically i want 2 types of users, one that can access all LAN and other clients and another type that can access only server
19:41 < ksnp> i see
19:41 < krzie> removing it allows you to use firewall rules on the traffic
19:42 < ksnp> hm.. so if i have client-to-client enabled, then irrespective of firewalls, client to client will work ?
19:42 < krzie> i cant speak for your setup (giving them an ip outside of the subnet)
19:42 < krzie> can those clients even ping the server?
19:43 < ksnp> let's just say that i am using only 10.8.0.x that's in the config and nothing else, then is the above question's answer true ?
19:43 < ksnp> and no ccd's
19:44 < krzie> yes
19:44 < krzie> client-to-client bypasses packets from 1 client to another hitting the kernel
19:44 < krzie> firewall happens in kernel
19:48 < redfox> !man
19:48 < vpnHelper> redfox: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:51 < redfox> krzie: i wonder what "script-security" is for.. man page tells about disallowing execution of programs, but where do openvpn allows execution of programs?
19:52 < krzie> ahh its in 2.1 only
19:52 -!- ciphyre [n=ciphyre@173-15-94-113-Illinois.hfc.comcastbusiness.net] has quit [Read error: 113 (No route to host)]
19:52 < krzie> --script-security level [method]
19:52 < krzie> This directive offers policy-level control over OpenVPN's usage of external programs and scripts. Lower level values are more restrictive, higher values are more permissive. Settings for level:
19:52 < krzie> 0 -- Strictly no calling of external programs.
19:52 < krzie> 1 -- (Default) Only call built-in executables such as ifconfig, ip, route, or netsh.
19:52 < krzie> 2 -- Allow calling of built-in executables and user-defined scripts.
19:52 < krzie> 3 -- Allow passwords to be passed to scripts via environmental variables (potentially unsafe).
19:52 < Dougy[home]> FLOOD
19:52 < Dougy[home]> LRN2BAN
19:52 * krzie arp poisons dougy
19:52 < Dougy[home]> F***ER
19:53 < Dougy[home]> krzie, come idle on my network
19:53 < Dougy[home]> o.O
19:53 < krzie> im on enough networks
19:53 < krzie> 4
19:54 < Dougy[home]> :<
19:54 < redfox> krzie: as i said, i read the man page but i dont really get the meaning
19:54 < krzie> ohhh
19:54 < krzie> where does it allow execution of programs
19:54 < krzie> gotchya
19:54 < krzie> many places really
19:54 < krzie> up script
19:54 < krzie> client-connect script
19:54 < krzie> down
19:54 < krzie> client-disconnect
19:54 < krzie> theres a whole list
19:54 < redfox> didnt know that they exist, thanks...
19:55 < krzie> find this in the manual:
19:55 < krzie> Script Order of Execution
19:55 < krzie> 9 places to call external scripts
19:55 < krzie> depending on what you need done
19:55 < redfox> i c
19:55 < redfox> now makes sense :)
19:56 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has joined ##openvpn
19:57 < hoops125> Does anyone know if openvpn can work with Elliptic Curve TLS negotiation, or does the code have to be altered to allow this?
19:58 < Dougy[home]> http://www.ovpnforum.com/viewtopic.php?f=6&t=391&sid=cfed7ded0e0681ed8dd8b1e5020c1374
19:58 < Dougy[home]> if anybody knows
19:58 < vpnHelper> Title: OpenVPN Forum View topic - OpenSUSE 11.1 service command issues (at www.ovpnforum.com)
19:58 < krzie> hoops125 very easy to answer
19:58 < krzie> does openssl support it?
19:58 < hoops125> yes 19:58 < krzie> then you can 19:58 < hoops125> the new snapshots 19:59 < krzie> openvpn doesnt do encryption 19:59 < krzie> it forks that off to openssl 19:59 < hoops125> but the ecc certificate don't work 19:59 < hoops125> I must be doing it wrong then 19:59 < krzie> oh for the certs? 19:59 < hoops125> yes 19:59 < krzie> i have no clue then 19:59 < krzie> heheh 19:59 < krzie> openvpn does need to grab info from certs 20:00 < krzie> so its not as blind as i was saying in that department 20:00 < hoops125> I read a post on the mailing list, about a user who got ECC working on apache and said ECC certificates are generated differently than regular ones 20:00 < hoops125> but no replies.. I guess it is too new to be known :) 20:00 < hoops125> perhaps I can make the discovery then? 20:01 < krzie> possibly 20:06 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:07 < Dougy[home]> krzie, guess what im doing 20:08 < krzie> typing with 1 hand 20:08 -!- albech [n=albech@119.42.76.157] has quit [Read error: 104 (Connection reset by peer)] 20:09 < Dougy[home]> krzie, nope 20:09 -!- hoops125 [n=hoops125@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has quit [] 20:09 * Dougy[home] is snooping around the forum 20:10 < Dougy[home]> #15 on google for openvpn forum 20:11 < krzie> right on 20:11 < Dougy[home]> over 225 members now too 20:11 < Dougy[home]> 20:11 < Dougy[home]> Total posts 100 | Total topics 122 | Total members 229 | Our newest member neraAsceniVes 20:12 < Dougy[home]> lol 20:12 < krzie> i wonder how many of those were spambots 20:12 < Dougy[home]> probably 3/4 20:12 < Dougy[home]> lol 20:12 < krzie> me and ecrist both cleared a shitton of spam out 20:12 < Dougy[home]> i did a few times as well 20:12 * Dougy[home] is going to try and come back into it again and start working on it again 20:12 * Dougy[home] did neglect it for too long 20:12 < krzie> too long as in from the start? 
20:12 < Dougy[home]> well for the first few weeks i worked on it 20:12 < Dougy[home]> but pretty much 20:12 < Dougy[home]> lol 20:13 < Dougy[home]> theres a bunch of legit threads popping up now though, hopefully it catches on.. 20:13 < krzie> *shrug* im fine with it either way 20:13 < krzie> its there if people wanna use it 20:13 < krzie> thats what matters 20:13 < krzie> (to me) 20:13 < Dougy[home]> hopefully it does pick up 20:13 < Dougy[home]> it is a good tool to have 20:17 < krzie> agreed it is 20:17 < krzie> and the community could use a central forum 20:17 * Dougy[home] couldn't have done it without krzie and ecrist 20:17 < Dougy[home]> for sure 20:18 < krzie> =] 20:18 < Dougy[home]> how was getting out of town, btdubs 20:19 < krzie> huh? 20:19 < Dougy[home]> you said you were waitin for the missus to get home 20:19 < Dougy[home]> so you could get outta town 20:19 < krzie> nah musta been someone else 20:19 < Dougy[home]> no, was you 20:19 < Dougy[home]> she was at nail salon or some shi 20:19 < Dougy[home]> t 20:19 < krzie> ohh 20:19 < krzie> that shit took way too long 20:19 < Dougy[home]> loool 20:19 < krzie> gunna go some day this week 20:20 < Dougy[home]> ah 20:20 < Dougy[home]> damn.. this 3548 is huge 20:21 < Dougy[home]> krzie - hows da celly 20:21 < Dougy[home]> (celeron) 20:23 < krzie> its doing well 20:23 < krzie> i hope ;] 20:23 < krzie> havnt logged in for awhile 20:23 < krzie> too many projects 20:23 < krzie> i still need to move my damn email server to it 20:24 < Dougy[home]> lol 20:27 -!- albech [n=albech@119.42.76.157] has joined ##openvpn 20:35 -!- thedoc [n=andelyx@38.108.110.106] has joined ##openvpn 20:35 < thedoc> Dougy, ping! 20:35 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" HydraIRC -> http://www.hydrairc.com <- Now with extra fish!"] 20:42 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 21:07 < ksnp> kryzie are you around ? 
21:07 < krzie> sure am 21:08 < ksnp> i am trying to get 10.8.1.x to talk to each other - both are set via ccd - reason i defined 1.x instead of 0.x is for easy separation between 0.x and 1.x and the firewalling rules 21:09 < krzie> right 21:09 < Dougy[home]> omg 21:09 < ksnp> you said if client-to-client is enabled it actually ignores the firewall right ? 21:09 < krzie> yes but can those clients even ping the server? 21:09 < Dougy[home]> i was just describing my girlfriend and her ass to someone. and i compared her ass to like a server on its side on your lap 21:09 < Dougy[home]> cuz its sharp and pointy 21:09 * Dougy[home] suicide 21:10 < ksnp> they can ping 10.8.0.1 21:10 < krzie> ohh 21:10 < krzie> you prolly need to give each a route to the other 21:11 < krzie> try adding push "route 10.8.1.0 255.255.255.0" 21:11 < krzie> to server.conf 21:11 < krzie> or at least to those ccd entries 21:12 < ksnp> i have : 21:12 < ksnp> ifconfig-push 10.8.1.5 10.8.1.6 21:12 < ksnp> push "route 10.8.1.9 255.255.255.252" 21:12 < ksnp> on complementary one in the other ccd 21:12 < krzie> try push "route 10.8.1.0 255.255.255.0" 21:12 < ksnp> wouldn't that somehow affect 10.8.1.5 itself ? 21:13 < ksnp> i guess not ? 21:13 < ksnp> trying it.. 21:13 < krzie> no because 10.8.1.5 has a more specific route 21:13 < krzie> most specific route always goes first 21:13 < krzie> which is why your default gateway is 0.0.0.0 21:14 < krzie> least specific possible 21:14 < ksnp> ok 21:14 < ecrist> evening 21:15 < Dougy[home]> YOOOOOOO 21:15 < ksnp> i tried that and i see in the routing table - its not getting into it 21:15 < ecrist> after tomorrow, I may not have my job. 21:15 < Dougy[home]> ecrist, why ???? 21:15 < ecrist> If I'm lucky, I'll get laid off. 
21:15 < ecrist> my boss is a fuck-tard 21:15 < Dougy[home]> what did (s)he do 21:15 < ecrist> long story 21:15 < krzie> ksnp, try using the same subnet and removing client-to-client and adding firewall rules for your policy stuff 21:15 < Dougy[home]> no good ecrist no good 21:22 < ksnp> same subnet as in you mean dont change it ? 21:22 < ksnp> from 10.8.1.x ? 21:48 -!- code- [i=code@antenora.aculei.net] has joined ##openvpn 21:51 < Dougy[home]> ecrist, good luck 21:52 < ecrist> tx 21:53 < code-> krzie: ping 21:53 < Dougy[home]> krzie: ding 21:53 < thedoc> o/ 21:53 < thedoc> Yay! 21:53 < thedoc> I'm flying to the Uk on the new airbus A380 21:53 < thedoc> woot woot. 21:54 < thedoc> to and fro' 21:54 < Dougy[home]> ooo 22:01 < ksnp> krzie if you are there : it works if i manually add a route, not sure why the push route in ccd is not taking effect in the client (win xp) 22:06 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 22:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 22:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 22:32 < Dougy[home]> AYYYYYYYYOOOOOOOOOOOOOOOOO 22:32 < Dougy[home]> sup thedoc 22:32 < thedoc> Looking at A380 pictures 22:32 < thedoc> :P 22:34 < krzee> code-, whats up brother 22:34 < krzee> ksnp, did you change it to /24 like i said? 22:34 < krzee> 255.255.255.0 22:35 < krzee> also im not 100% push route can be done from ccd, lets check 22:35 < krzee> !man 22:35 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
22:35 < krzee> !push 22:35 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 22:36 < krzee> so ya 22:36 < Dougy[home]> krzee's a p1mp 22:43 < krzee> whoa why have i never played with --learn-address 22:44 < krzee> just stumbled upon it in the manual earlier 22:44 < thedoc> --learn-whos-address? 22:44 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 22:44 < krzee> --learn-address cmd 22:44 < krzee> Run script or shell command cmd to validate client virtual addresses or routes. 22:46 < krzee> ksnp, it looks like a way for you to do policy firewalling on clients without even using static ip for them 22:47 < krzee> if you are comfortable scripting 22:47 < krzee> static entries and static ips work fine tho 22:48 < krzee> this would be handy for that type of thing but in large setups for like departments 22:48 < krzee> cause you could make a nice file or database with the employees, which department they are in, what access they get, etc 22:48 < krzee> then have the script read from it and set rules accordingly 22:49 < krzee> on the fly 22:49 < ksnp> krzee : it works now ! thanks 22:50 < ksnp> i didn't do anything with the firewall, guess it was disabled by default 22:50 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:01 -!- straterra [n=straterr@fuhell.com] has joined ##openvpn 23:01 < straterra> I'm trying to do a simple point to point vpn..but get an error about bad source address...here are my configs 23:01 < straterra> http://pastebin.ca/1486487 23:11 -!- GloFF [n=gloff@ti0006a380-0061.bb.online.no] has quit ["http://www.againsttcpa.com/"] 23:16 < ksnp> straterra wha'ts ur client 23:16 < ksnp> windows ? 
23:18 < straterra> No 23:18 < straterra> Both linux 23:18 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [] 23:25 < ksnp> ok 23:25 < straterra> so..any ideas? 23:27 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 23:27 < ksnp> not sure if this might work : but try 23:28 < ksnp> remote serverip port on the client instead of ifconfig 23:28 < ksnp> and on the server, 23:28 < ksnp> server 10.151.99.1 255.255.255.252 23:28 < ksnp> instead of ifconfig 23:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 23:57 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has joined ##openvpn 23:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:58 < IncredibleHink> so is it possible to connect to an openvpn server with ldap auth and NO cert 23:58 < IncredibleHink> s --- Day changed Tue Jul 07 2009 00:04 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has joined ##openvpn 00:11 < ksnp> i have openvpn configured and working, however i did not have to touch iptables, anyone know if in debian the firewalls are disabled for newly created interfaces or even existing eth0 by default ? 
00:12 -!- |ns|nR8 [n=doof@CPE-124-180-20-120.vic.bigpond.net.au] has joined ##openvpn 00:20 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 00:20 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 54 (Connection reset by peer)] 00:29 -!- ponyofdeath [n=vladi@cpe-75-80-161-192.san.res.rr.com] has quit ["leaving"] 00:47 -!- albech [n=albech@119.42.76.157] has quit [Remote closed the connection] 01:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:26 < redfox> ksnp: check it via 01:26 < redfox> !iptables 01:26 < vpnHelper> redfox: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 01:26 < redfox> or, for just looking at the rules: iptables -L 01:33 < reiffert> be sure to add -v -n 01:39 -!- master_of_master [i=master_o@p549D6A38.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:39 < ksnp> ok 01:40 < ksnp> what's a good front end for iptables ? with text only ? 01:40 < ksnp> or do most people simply not use any front end like guard dog or sth ? 01:41 < reiffert> There are frontends to iptables? 01:43 -!- master_of_master [i=master_o@p549D55BF.dip.t-dialin.net] has joined ##openvpn 01:52 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has quit [Client Quit] 02:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:12 -!- feinoM [n=feinom@svale.hia.no] has left ##openvpn [] 02:13 < ksnp> sorry was away 02:13 < ksnp> i meant like for firewalls 02:13 < krzee> sorry for what? 02:13 < krzee> you are up and running 02:13 < krzee> right? 
02:14 < krzee> iptables defaults to pass all until you play with it 02:16 -!- iamamoron [n=iamamoro@210.238.181.188] has joined ##openvpn 02:16 < iamamoron> hi there 02:16 < krzee> hey 02:16 < iamamoron> from other pc i can ping the ethernet ip 10.8.3.221 but i cannot ping 10.9.0.1 my tun ip 02:17 < iamamoron> any ideas? what i am missing arround? 02:17 < krzee> by other pc you mean a machine on the same lan as it? 02:17 < iamamoron> i already set route if destination is 10.9.0.0/24 gw should be 10.8.3.221 02:17 < iamamoron> yes 02:18 < iamamoron> the same lan with 10.8.3.221 02:18 < krzee> ok that route is what i was gunna say 02:18 < iamamoron> i am at 10.8.3.22 02:18 < krzee> does the vpn machine have ipforwarding enabled? 02:19 < iamamoron> cat /proc/sys/net/ipv4/ip_forward 02:19 < iamamoron> 1 02:19 < iamamoron> is that what you mean? 02:19 < krzee> does it have a firewall enabled? 02:19 -!- troy is now known as troy- 02:19 < krzee> yes thats what i meant 02:19 < iamamoron> yes it has 02:19 < iamamoron> it is 1 02:19 < krzee> make sure you are allowing that subnet to come over that interface 02:20 < iamamoron> i keep on isolating it but no luck 02:20 < krzee> input and forward 02:20 < krzee> or default to allow to test if its firewall 02:20 < krzee> !iptables 02:20 < vpnHelper> krzee: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 02:21 < iamamoron> i already disabled the firewall 02:21 < iamamoron> but still no luck 02:21 < iamamoron> i cannot hit 10.9.0.1 02:21 < iamamoron> 10.8.3.221 and 10.9.0.1 is on the same machine 02:21 < krzee> give !route a thorough read while i work on a hackintosh im selling 02:21 < krzee> !route 
02:21 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:21 < krzee> bbiaf 02:22 < ksnp> krzee : 02:22 < krzee> also 02:22 < ksnp> i tried iptables -A INPUT -p tcp -i tun0 --dport 10060 -j ACCEPT but when i telnet to that port it doesn't work 02:22 < ksnp> can you tell if i am doing something wrong ? 02:22 < ksnp> ping works 02:22 < iamamoron> i am on the same lan 02:22 < reiffert> !interfaces 02:22 < vpnHelper> reiffert: Error: "interfaces" is not a valid command. 02:22 < krzee> instead of trying to ping an ip you will never access, try to ping other ways 02:22 < reiffert> !interface 02:22 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 02:22 < krzee> client and server are on same lan? 02:23 < iamamoron> this is not client and server issue 02:23 < krzee> yay reif is here! 02:23 < reiffert> krzee: where's there part of "paste your firewall" gone to from !interface? 02:23 < iamamoron> 10.8.3.221 is the server 02:23 < ksnp> krzee : no, but i am trying with same lan aslo 02:23 * krzee goes for a few 02:23 < krzee> ok ill add that for ya reif 02:23 < krzee> !firewall 02:23 < reiffert> krzee: "here" for a sec 02:23 < vpnHelper> krzee: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 
02:23 < iamamoron> 10.8.3.221 and 10.9.0.1 are on the same machine, 10.8.3.221 is the eth1 address and 10.9.0.1 is the tun address 02:23 < reiffert> krzee: breakfast && gone 02:23 < iamamoron> now i am on 10.8.3.22 02:24 < krzee> bleh already have the mouse in the other room 02:24 < iamamoron> the same lan with 10.8.3.221 02:24 < iamamoron> same subnet 02:24 < reiffert> :) 02:24 < krzee> paste what you want added to !interface and ill add it when im baq 02:24 < iamamoron> i can only ping 10.8.3.221 02:24 < iamamoron> but i cant ping 10.9.0.1 02:24 < reiffert> !factoids search iptables 02:24 < vpnHelper> reiffert: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 02:24 < iamamoron> that is my problem 02:24 < reiffert> there we are. 02:24 < krzee> iamamoron, and the other endpoint of the vpn... same lan as well? 02:24 < ksnp> guys : can anyone tell why i can't telnet to my vpn server ip with the following iptables : ? 02:24 < ksnp> 12 612 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0 02:24 < ksnp> 0 0 ACCEPT udp -- tun0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10060 02:24 < ksnp> 0 0 ACCEPT tcp -- tun0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10060 02:24 < iamamoron> 10.9.0.1 is the tun address 02:25 < reiffert> krzee: because telnetd doesnt listen on that if. 02:25 < iamamoron> i want to ping the tun address from 10.8.3.22 the same subnet of 10.8.3.221 02:25 < reiffert> s,krzee,iamamoron 02:25 < iamamoron> krzee: : can you see the picture now? 02:25 < iamamoron> i can only ping 10.8.3.221 not 10.9.0.1 02:26 < ksnp> nevermind 02:26 < iamamoron> which is the tun address 02:26 < reiffert> s,iamamoron,ksnp, 02:26 < krzee> thats actually your entire goal? 
02:26 < iamamoron> at 10.8.3.22 i already created a route 02:26 < krzee> if so, you dont need a vpn 02:26 < iamamoron> route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.8.3.221 02:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:26 < reiffert> krzee: have fun with the girl next room, I'm & 02:26 < iamamoron> but i cannot ping it 02:26 < iamamoron> yeah my damn goal 02:26 < krzee> thanx, shes in the same room as me tho, the $ is in the next room 02:27 < krzee> sold a hackintosh 02:27 < iamamoron> krzee: ? 02:27 < reiffert> lying on the table as white powder ... ;) 02:27 < iamamoron> any ideas? 02:27 < krzee> iamamoron, if thats your only goal add a second ip to your eth0 interface and drop the vpn 02:27 < krzee> bbl 02:27 < iamamoron> no 02:27 < iamamoron> there are vpn connecting to that tunnel 02:28 < iamamoron> i mean 02:28 < iamamoron> to that tun 02:28 < iamamoron> i cannot make an alias network 02:28 < iamamoron> forwarding is already on 02:28 < iamamoron> but it doesn't go through 02:30 < iamamoron> shed some light pls 02:33 < iamamoron> any ideas? 02:36 < iamamoron> my setup is i run openvpn on tcp port 443 02:36 < iamamoron> does it matter? 03:00 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has joined ##openvpn 03:00 < Marquel> morning 03:02 -!- tompaw_ [n=tompaw@slave20.tesserakt.eu] has quit [Remote closed the connection] 03:02 < iamamoron> ? 03:02 < iamamoron> krzee: ? 03:03 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has quit [Remote closed the connection] 03:03 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has joined ##openvpn 03:03 < Marquel> *sigh* morning again 03:08 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn 03:09 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)] 03:09 < Marquel> i have a little problem w/ my openvpn installation: it worked very well. until yesterday. now it fails as soon as i try to transmit more than irc-traffic. 
what can be wrong? 03:15 -!- iamamoron [n=iamamoro@210.238.181.188] has quit [Read error: 104 (Connection reset by peer)] 03:21 < dazo> Marquel: which knob did you turn yesterday ;-) anyway ... log files .... verb 4 or more might give you a better indication 03:21 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn 03:21 < Marquel> dazo: all i get is a stalled connection and a restart after configured ping timeout (keep-alive 5 30) 03:23 < Marquel> dazo: and i didn't turn any knobs on any configuration. but if you count "surfing" over vpn as "turning knobs" i sure did. ;) 03:27 < dazo> Marquel: from my experience, when something stops working ... it's because something changed ... some knobs must have been turned, with or without your knowledge .... it could even be an automatic update 03:28 < dazo> Marquel: and I did not count "surfing" over vpn as turning knobs ;-) 03:28 < Marquel> dazo: i'm afraid it has been my isp. 03:28 < dazo> Marquel: I'd advise you first to increase verbosity to the log files .... and go carefully through them on both server and client 03:29 < dazo> Marquel: that could be as well 03:29 < dazo> Marquel: reg. to log files ... a couple of minutes before the error appears and until the connection is restarted are very much interesting in this scenario ... 03:30 < dazo> Marquel: then doing a tcpdump on the server side on both the eth interface (the physical one) which your openvpn client connects to and one tcpdump of the vpn interface (tun/tap device) might give you further information 03:30 < Marquel> dazo: oh, i don't need "couple of minutes" - i can have a very stable connection. as long as i don't do anything. and i can crash it within seconds by just firing google. 03:31 < Marquel> tried both, nothing. 03:31 < dazo> Marquel: are you using tcp or udp for you connection? 03:31 < Marquel> tcp 03:32 < dazo> Marquel: hmm .... that really sounds odd 03:33 < dazo> Marquel: but to be honest .... 
I really doubt that there are no indications in neither log files nor tcpdumps ... it must be a clue somewhere .... 03:33 < dazo> Marquel: which openvpn version are you running? client and server 03:33 < Marquel> dazo: i have another machine and now i'll try and set up the very same vpn-endpoint there and connect there. if that one works i know who to blame ;) 03:33 < Marquel> 2.0.7 03:33 -!- iamamoron [n=iamamoro@210.238.181.188] has joined ##openvpn 03:33 < iamamoron> any ideas? 03:33 < iamamoron> on my probs? 03:34 < Marquel> i tried 2.0.9 but that failed too. (whereas: i downgraded from 2.0.9 thinking that was the problem) 03:34 < dazo> Marquel: hmmm .... well, that's an incredibly old version .... 03:34 < dazo> Marquel: go for the latest 2.1_rc18 ... or rc15 03:34 < Marquel> dazo: though that old 2.0.7 worked stable for months? 03:36 < dazo> Marquel: if your isp has done some network changes (replacing routers, switches, whatever) which then does things differently with network packages, it might be that a version 2 years newer might have fixes against such network behaviour 03:37 < dazo> hmmm ... it's soon 3 years since 2.0.9 was released .... OpenVPN 2.0.9 -- released on 2006.10.01 03:38 < Marquel> dazo: right. i'll try 2.1.x then. but i'm a little afraid about reconfiguring - or didn't that change at all= 03:38 < Marquel> ? 03:38 < n0g0> Marquel, I saw this before when the packet sizes are too large for your connection. You could try to tune the tun-mtu and fragment settings. 03:38 < dazo> Marquel: that's actually a good point from n0g0! 03:38 < Marquel> did that too. nothing. 03:41 < dazo> Marquel: regarding to 2.0 -> 2.1 upgrade .... it might be a few parameters have changed .... --script-security is one I recall right now .... but if you read the log files carefully, you'll get the indication very quickly 03:41 < dazo> Marquel: it's not a brand new config style in 2.1 compared to 2.0 03:42 < dazo> Marquel: anyway ... 
backup of config files is mandatory as well, as with any updates ;-) 03:42 < Marquel> dazo: of course 03:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:18 < iamamoron> any ideas why i cant ping the tun address in the same subnet? 04:18 < iamamoron> i already enabled ip forwarding 04:19 -!- tristan_1 [n=tristan@62.140.137.157] has joined ##openvpn 04:19 < tristan_1> any creative people here? 04:19 < n0g0> you mean the gateway (.5, .10 and so on) ? 04:19 < tristan_1> my openvpn client needs to send some random crap before doing its stuff 04:19 < n0g0> you can't ping that, only the server at .1 if it lets you ping 04:20 < tristan_1> and a wrapper using netcat which pipes some random data doesn't work, since netcat doesn't send the rest of the data anymore then :( 04:24 < iamamoron> hellllllllllio?_ 04:24 < iamamoron> anybody? 04:26 < n0g0> tristan_1, maybe something like this: perl -e 'for($i=0;$i<100;$i++){ printf("%c", rand()*100); }' | nc 127.0.0.1 8080 04:26 < n0g0> iamamoron, look at my responses above 04:28 < iamamoron> what? 04:28 < tristan_1> n0g0: dat works, but I run nc in listening mode and run another instance of it with -c which connects to the server 04:28 < iamamoron> n0g0: ? 04:28 < tristan_1> and when I pipe data to it, it doesn't do anything else anymore 04:28 < tristan_1> it's also impossible to pipe more than one thing to it :( 04:29 < iamamoron> n0g0: ? 04:29 < n0g0> iamamoron, you mean the gateway (.5, .10 and so on) ? you can't ping that, only the server at .1 if it lets you ping. 04:29 < iamamoron> i dont see anything 04:29 < iamamoron> no 04:29 < Marquel> dazo: i'm currently ping-flooding openvpn-2.0.9 on "the other endpoint" i mentioned earlier. and it floods, floods, floods... my problematic vpn would long have failed. 
04:29 < iamamoron> i have an openvpnserver that has lan ip 10.8.3.221(eth1) and 10.9.0.1(tun) 04:30 < iamamoron> eth0 is public ip 04:30 < iamamoron> now 04:30 < dazo> Marquel: sounds like you've found a solution somehow ... 04:30 < iamamoron> in the same lan i have a pc 10.8.3.22 i already set route to route add -net 10.9.0.0 netmask 255.255.255.0 gw 10.8.3.221 04:31 -!- vvpalin [n=vvpalin@unaffiliated/vvpalin] has joined ##openvpn 04:31 -!- tjz [n=tjz@bb121-6-15-48.singnet.com.sg] has joined ##openvpn 04:31 < iamamoron> from 10.8.3.22 pc i cannot ping 10.9.0.1 04:31 < Marquel> dazo: well... the "other endpoint" is my public webserver located in a room near germany's biggest commercial internetswitch... 04:31 < iamamoron> any ideas why? 04:31 < n0g0> iamamoron, firewall ? 04:31 < iamamoron> none 04:31 < dazo> iamamoron: checked your routing table and/or firewall? 04:31 < iamamoron> no firewall at all 04:31 < iamamoron> thats the only routing i have 04:31 < dazo> iamamoron: server is running on Linux? 04:32 < iamamoron> yes 04:32 < iamamoron> do i need to bind eth1 to tun? 04:32 < dazo> Marquel: aha ... so it's another end-point than the one you got issues with 04:32 < Marquel> dazo: right. 04:32 < dazo> iamamoron: nope ... using tun or tap? 04:32 < iamamoron> yes 04:32 < iamamoron> i am wondering why i cant ping it 04:32 < dazo> iamamoron: tun OR tap? 04:32 < iamamoron> tun 04:33 < vvpalin> question, is there an easy way i tunnel my tap0 so i can access my vpn on another pc within my local net 04:33 < dazo> iamamoron: goodie! cat /proc/sys/net/ipv4/ip_forward .... does that one say 1 or 0 ? 04:33 < iamamoron> 1 04:33 < iamamoron> [root@vpnserver rc.d]# cat /proc/sys/net/ipv4/ip_forward 04:33 < iamamoron> 1 04:33 < dazo> vvpalin: it's called routing .... route command will be your friend 04:34 < dazo> iamamoron: goodie ... and what does your routing table on your vpn client say? does it route 10.9.0.1 via the VPN? 
04:34 < dazo> !routing 04:34 < vpnHelper> dazo: Error: "routing" is not a valid command. 04:34 < dazo> !route 04:34 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:34 < dazo> vvpalin: ^^^ 04:34 < vvpalin> thanks 04:34 < vvpalin> =] 04:35 < iamamoron> 10.9.0.0 10.8.3.221 255.255.255.0 UG 0 0 0 eth1 04:35 < iamamoron> 10.8.3.221 is eth0 at the server 04:35 < dazo> iamamoron: okey ... here you might have some issues .... what's the network segments on your client and server side? 04:36 < iamamoron> actually 04:36 < iamamoron> i have no issues on client-server vpn 04:36 < vvpalin> dazo just real fast so i make sure, this is possible if i dont have access to the server correct ? 04:36 < iamamoron> my issue is on the same subnet at 10.8.3.0/24 i cannot ping 10.9.0.1 04:37 * vvpalin apologizes for his noobness 04:37 < dazo> iamamoron: okey ... then you also should read !route as well 04:37 < dazo> !route 04:37 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:37 < iamamoron> 10.9.0.1 is the tun ip of 10.8.3.221 04:37 < iamamoron> i already put route at client 04:37 < dazo> iamamoron: this document also sets up how to access clients subnet as well 04:37 < iamamoron> i mean the pc in the same network 04:38 < n0g0> iamamoron, you don't need to put in an own route, delete it. Reconnect to your server and you should get a 10.9.0.1 route 04:38 < dazo> vvpalin: hmmm .... then you might have a bigger challenge ... but it is doable as long as the server do not have any firewalling blocking .... 
or the IP forwarding is disabled on the server 04:38 < iamamoron> the url is for client openvpn to server openvpn 04:38 < iamamoron> my issue is different 04:38 < iamamoron> the url doesnt help 04:39 < iamamoron> this is the same subnet issue of 10.8.3.0/24 04:39 < dazo> vvpalin: but it still is the matter of using route 04:39 < iamamoron> 10.8.3.221 has a tun address of 10.9.0.1 04:39 < iamamoron> thats the bottom line 04:39 < vvpalin> ok i will read up then 04:39 < iamamoron> pls do not think of client vpn 04:39 < iamamoron> there is no issue on that 04:40 < iamamoron> i just want on the same subnet i can ping the tun address of 10.8.3.221 04:40 < iamamoron> have you pictured it now dazo? 04:40 < dazo> iamamoron: you are very vague .... because I had the impression you had troubles with client->server->subnet .... but you said that worked ... but server->client->subnet does not work .... which one is it? 04:40 < iamamoron> here 04:40 < n0g0> iamamoron, so all you are trying to do is a simple tunnel between your client 10.8.3.22 and your server 10.8.3.221 ? 04:41 < iamamoron> 10.8.3.22 and 10.8.3.221 are on the same subnet 04:41 < dazo> iamamoron: and I really need to know which subnets are where? what are the client subnets, both physical and VPN .... and the same for the server 04:41 < iamamoron> 10.8.3.22 is not connecting as client of 10.8.3.221 04:44 < n0g0> so you try to route between the 10.8.3.0/24 subnet and the vpn subnet 10.9.0.0/24 ? 04:46 < iamamoron> yes 04:46 < n0g0> ok now I understand your situation 04:46 < iamamoron> thanks 04:46 < iamamoron> at last 04:46 < n0g0> =) 04:46 < iamamoron> can you shed a light? 04:47 < n0g0> you should try "tcpdump -i eth1 icmp" on the server and ping 10.9.0.1 from 10.8.3.22 04:47 < n0g0> can you see the packets ? 
04:47 < iamamoron> wait 04:48 < iamamoron> in the server it is eth0 04:48 < n0g0> ok then eth0 04:48 -!- laeg [n=laeg@unaffiliated/laeg] has joined ##openvpn 04:48 < laeg> is there no howto on tunneling say http/im trafic from a windows pc through a ubuntu box? 04:49 < laeg> i'm looking at your howtos and they're quite extensive 04:49 < n0g0> !redirect 04:49 < vpnHelper> n0g0: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 04:49 < laeg> http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html is this what i'm looking for? 04:49 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net) 04:49 < iamamoron> n0g0 04:49 < iamamoron> n0g0: : i cant see anything 04:50 < laeg> 1DEF1 04:50 < laeg> !def1 04:50 < vpnHelper> laeg: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 04:50 < Marquel> dazo: my isp will look into the issue. i suspect an outage on their router or something ;) 04:50 < n0g0> iamamoron, .22 is linux too ? try tcpdump there too while pinging, are they leaving the box ? 04:50 < iamamoron> yes 04:50 < iamamoron> ok wait 04:50 < laeg> !ipforward 04:50 < vpnHelper> laeg: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 04:51 < laeg> n0g0? 04:51 < n0g0> yes, laeg ? 04:51 < laeg> which one should i see? 04:51 < laeg> and ty 04:51 -!- tristan_1 [n=tristan@62.140.137.157] has quit [Read error: 60 (Operation timed out)] 04:52 < n0g0> laeg, you should start out by a simple server client connection using certificates (TLS mode). 
04:52 < laeg> n0g0: like http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html ?
04:52 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
04:52 < laeg> if not have you a link?
04:53 < laeg> i know what subnetting etc is, but i'm new to this
04:53 < iamamoron> n0g0: :18:52:49.707626 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 0
04:53 < iamamoron> 18:52:50.706467 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 1
04:53 < iamamoron> 18:52:51.706412 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 2
04:53 < iamamoron> 18:52:52.706344 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 3
04:53 < iamamoron> 18:52:53.706286 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 4
04:53 < iamamoron> 18:52:54.706222 IP 10.8.3.22 > 10.9.0.1: icmp 64: echo request seq 5
04:53 < n0g0> laeg, http://openvpn.net/index.php/open-source/documentation/howto.html
04:53 < vpnHelper> Title: HOWTO (at openvpn.net)
04:54 < laeg> n0g0: like i said that guide is extensive, there are many links on it
04:54 < iamamoron> n0g0: ?
04:54 < iamamoron> they are not leaving
04:54 < iamamoron> as you can see it
04:54 < iamamoron> any ideas?
04:54 < n0g0> iamamoron, make sure that "iptables -nvL FORWARD" on server is empty and policy is ACCEPT
04:55 -!- tristan_ [n=tristan@62.140.137.157] has joined ##openvpn
04:56 < iamamoron> Chain FORWARD (policy ACCEPT 14G packets, 8986G bytes)
04:56 < iamamoron> pkts bytes target prot opt in out source destination
04:56 < iamamoron> 437K 129M ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
04:56 < iamamoron> 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
04:56 < iamamoron> is this the cause?
04:57 < n0g0> seems to be okay. what about INPUT chain ?
04:57 < n0g0> as 10.9.0.1 is the server itself, the packet will go through INPUT
04:58 < iamamoron> Chain INPUT (policy ACCEPT 4982M packets, 5935G bytes)
04:58 < iamamoron> pkts bytes target prot opt in out source destination
04:58 < iamamoron> 0 0 ACCEPT tcp -- eth1 * publicIP 0.0.0.0/0 tcp spt:443 dpt:443
04:58 < iamamoron> 1 68 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
04:58 < iamamoron> 0 0 ACCEPT all -- tap+ * 0.0.0.0/0 0.0.0.0/0
04:58 < iamamoron> 5780 991K ACCEPT all -- * * 10.8.3.0/24 0.0.0.0/0
04:58 < iamamoron> 36 2960 ACCEPT all -- * * 10.9.0.0/24 0.0.0.0/0
04:59 < n0g0> ok firewall is disabled at all
05:00 < n0g0> then the issue must be at .22
05:00 < n0g0> silly question, is your openvpn server running ? =)
05:02 < n0g0> laeg, quick and dirty: install openvpn, create certificates, use default configuration and try to connect
05:04 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:05 < iamamoron> yes of course
05:06 < iamamoron> 22556 pts/0 S 0:11 openvpn server.conf
05:06 < iamamoron> 23128 pts/1 R+ 0:00 grep openvpn
05:07 < iamamoron> any ideas?
05:08 < iamamoron> the issue i guess is in 221
05:08 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection]
05:08 < iamamoron> most probably but dont know how
05:09 < n0g0> well, firewall seems to be okay
05:09 < n0g0> server is running
05:10 < n0g0> what is route -n saying on server ?
05:10 < iamamoron> in where?
05:10 < iamamoron> server?
05:10 < n0g0> yes server
05:10 < iamamoron> what do you want to see?
05:10 < iamamoron> which subnet?
05:10 < n0g0> output of "route -n"
05:10 < n0g0> vpn
05:11 < n0g0> just want to see if tun is set up correctly
05:11 < iamamoron> [root@vpnserver rc.d]# netstat -nr | grep 10.9.0.0
05:11 < iamamoron> 10.9.0.0 10.9.0.2 255.255.255.0 UG 0 0 0 tun0
05:13 < n0g0> and a 10.9.0.2 route is there too ?
05:14 < iamamoron> non
05:14 < iamamoron> none
05:14 < iamamoron> that only
05:14 < n0g0> there should be a route like this: 10.9.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
05:14 < laeg> n0g0: kk ty, installing it now, do i wanting routing vpn right?
05:15 < iamamoron> [root@vpnserver rc.d]# netstat -nr | grep 10.9.0.2
05:15 < iamamoron> 10.9.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
05:15 < iamamoron> 10.9.0.0 10.9.0.2 255.255.255.0 UG 0 0 0 tun0
05:15 -!- tristan_ [n=tristan@62.140.137.157] has quit [Read error: 110 (Connection timed out)]
05:15 < iamamoron> sorry
05:15 < iamamoron> that is the route
05:16 < n0g0> laeg, if you don't want to access a LAN behind the server, no. Don't set up routes or use push "route" commands.
05:16 < iamamoron> n0g0: ?
05:16 < n0g0> laeg, the default configuration should be okay.
05:16 < n0g0> iamamoron, okay, the server looks fine to me.
05:17 < iamamoron> hmmm
05:17 < iamamoron> seems hopeless now
05:17 < n0g0> what is the subnet mask for your 10.8.3.0 network
05:17 < n0g0> ?
05:18 < laeg> n0g0: sorry i'm going through the guide and it mentions routing/bridging
05:18 < laeg> saying i need to decide
05:18 < laeg> http://openvpn.net/index.php/open-source/documentation/howto.html#quick
05:18 < vpnHelper> Title: HOWTO (at openvpn.net)
05:19 < iamamoron> 255.255.255.0
05:19 < iamamoron> 10.8.3.0/24
05:19 < n0g0> laeg, stick with routing but don't do the "expanding the scope of vpn" things
05:20 < n0g0> iamamoron, ok lets see. .22 is pinging, but the packets don't arrive. Firewall on server doesn't block them.
05:20 < iamamoron> so where is the problem?
05:21 < n0g0> on .22
05:21 < iamamoron> 22 has no firewall
05:21 < iamamoron> Chain FORWARD (policy ACCEPT 1199K packets, 615M bytes)
05:21 < iamamoron> pkts bytes target prot opt in out source destination
05:21 < iamamoron> Chain INPUT (policy ACCEPT 649M packets, 112G bytes)
05:21 < iamamoron> pkts bytes target prot opt in out source destination
05:21 < iamamoron> Chain OUTPUT (policy ACCEPT 951M packets, 1010G bytes)
05:21 < iamamoron> pkts bytes target prot opt in out source destination
05:21 < iamamoron> Chain RH-Firewall-1-INPUT (0 references)
05:21 < iamamoron> pkts bytes target prot opt in out source destination
05:22 < n0g0> what is the output to "route -n" ?
05:22 < oc80z> morning.
05:23 < iamamoron> going to 10.9.0.0?
05:23 < iamamoron> netstat -nr | grep 10.9.0.0
05:23 < iamamoron> 10.9.0.0 10.8.3.221 255.255.255.0 UG 0 0 0 eth1
05:25 < n0g0> strange issue
05:25 < n0g0> should be okay that way
05:25 < iamamoron> it should but not working
05:25 < iamamoron> i dont understand why also
05:26 < n0g0> the ping just times out or gives back any other error ?
05:26 < iamamoron> times out
05:27 < iamamoron> n0g0: i need to catch the train now
05:27 < iamamoron> thanks a lot
05:27 < n0g0> sorry that nothing worked
05:28 < n0g0> bye
05:33 -!- iamamoron [n=iamamoro@210.238.181.188] has quit [Read error: 104 (Connection reset by peer)]
05:36 < laeg> n0g0: i'll give it a shot after work, thanks
05:40 -!- Alagar [n=helpdesk@pool-173-55-152-86.lsanca.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
05:55 -!- lilalinux is now known as lilaloet
05:56 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:01 < Marquel> byebye
06:01 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has quit [Remote closed the connection]
06:03 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
06:23 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Success]
06:24 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
06:25 -!- |Mike|_ is now known as |Mike|
07:15 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
07:22 < ecrist> good morning.
07:25 -!- onats_ is now known as onats
07:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:09 < ecrist> krzee: your payment last week bought me a new holster for my Glock, btw. :)
08:09 < ecrist> should have it in the next couple days.
08:09 < ecrist> http://www.crossbreedholsters.com/IWB/tabid/56/CategoryID/1/List/0/Level/1/ProductID/1/Default.aspx?SortField=ProductName,ProductName
08:09 < vpnHelper> Title: SuperTuck Deluxe (at www.crossbreedholsters.com)
08:28 -!- troy- is now known as troy
08:31 -!- lilaloet is now known as lilalinux
08:38 < straterra> I'm trying to do a point to point vpn..but no network flows..here are my configs
08:38 < straterra> http://pastebin.ca/1486487
08:41 < straterra> Any ideas?
08:44 < straterra> The error I get is MULTI: bad source address from client
08:44 < n0g0> straterra, mode server is for multi-client, so use "server 10.151.99.0 255.255.255.0" instead of ifconfig and remove ifconfig from client config
08:45 < straterra> shouldn't I use 255.255.255.254 or something?
08:45 < straterra> Cause point to point is a /32
08:46 < n0g0> the server will split the /24 network in 64 /30 networks
08:46 < n0g0> and give them to the clients
08:47 < straterra> weir
08:47 < straterra> weird
08:47 < straterra> I'm going to do ospf across the openvpn link..so..should I be specifying /24 or /32 in ospf?
08:50 < n0g0> as 10.151.99.0/24 is "connected" to the vpn server, I would specify this.
08:50 < straterra> But the tun interfaces are /32..and I think that causes an issue with ospf
08:50 < straterra> -_-
08:51 < n0g0> openvpn will create a proper route for 10.151.99.0/24
08:51 < straterra> Ok..I suppose that'll work
08:51 < n0g0> so I think, you don't need to think about tun devices
08:51 < straterra> Now I just have to somehow set in the client/server config a static IP
08:52 < straterra> The client keeps getting 10.151.0.99.5 and I want it to get .2
08:52 < straterra> -_-
08:52 < n0g0> it should get .6
08:52 < straterra> Why?
08:52 < n0g0> .5 is its gateway
08:52 < straterra> And..is there any way to set this static so there isn't a possibility to change?
08:53 < n0g0> yes
08:53 < n0g0> look at --client-config-dir and --ifconfig-push
08:53 < straterra> I have client config dir set up
08:54 < n0g0> --ifconfig-push local remote-netmask
08:54 -!- troy is now known as troy-
08:54 < n0g0> the ifconfig-push must be placed in the correct client-config file
08:54 -!- thedoc [n=andelyx@38.108.110.106] has joined ##openvpn
08:54 < straterra> Right
08:55 < n0g0> but you can't set .2 as this is reserved by the server per default
08:55 < straterra> That's fine
08:55 < straterra> I can use .6
08:55 < straterra> I just need to make sure it doesn't change on me
09:00 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn []
09:00 -!- hkais [n=xenoadmi@p5B207928.dip.t-dialin.net] has joined ##openvpn
09:00 < hkais> hello
09:01 < hkais> I am struggling with openvpn or maybe vmware
09:01 < straterra> n0g0: This isn't working well
09:01 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:01 < straterra> The route is for a /24, yet the link is for a /32..and ospf is getting crazy confused
09:01 < hkais> I have a opvn tunnel. At the end i have a vmware with vmnet8
09:02 < hkais> a ping from a opvn client to the vmnet8 IP 10.100.1.10 is answered by vmware properly
09:02 < hkais> but only on vmnet8. tun0 doesn't get the icmp reply?!?!
09:02 < ecrist> !ping
09:02 < vpnHelper> pong
09:04 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:05 < n0g0> straterra, I'm no ospf expert, I used it only once with openvpn.
09:05 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-a267bc685c261c0c] has joined ##openvpn
09:06 < n0g0> I remember that I set tun0 as passive interface
09:06 -!- jetole_ [n=Joe@204.13.0.100] has quit [Remote closed the connection]
09:06 < straterra> But then ospf won't broadcast over it
09:07 < n0g0> i thought it's using multicast
09:09 < straterra> Yeah, but passive interface tells ospf not to broadcast/listen on that interface
09:09 < abel408> Hello everyone! I'm trying to set up openvpn on ubuntu. I have viscosity on my mac. All viscosity says is connecting. It never connects. The server I installed openvpn on is on an encrypted connection. You can't even ping it. Would this be the reason why it cannot connect? All I did was follow this guide: http://nielsvz.com/2009/02/running-openvpn-on-ubuntu-810-server/. I checked wireshark while trying to connect and all I get
09:09 < ecrist> abel408:
09:09 < ecrist> !configs
09:09 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:09 < ecrist> !logs
09:09 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:10 < ecrist> once you've posted, I'll get back to you
09:10 < hkais> http://pastebin.com/d78d11603
09:10 < hkais> this is my setup
09:11 < n0g0> straterra, yes you are right. What happens if you let it multicast over tun0 ?
09:12 < hkais> my ping goes from the client to the vmware-servers-guest. but backwards the icmp reply gets lost. I can see it on vmnet8 but the icmps do not reach the tun0?
09:13 < n0g0> straterra, if this won't work, just use tap instead of tun, that should be more clear to zebra.
09:13 < straterra> Can I use tap with point to point?
09:13 < straterra> If I could...that'd be great
09:14 < ecrist> hkais: have you checked your firewall?
09:14 < n0g0> why must it be p2p ?
09:15 < hkais> ecrist: yes I have enabled every drop to be logged
09:15 < straterra> It doesn't, I suppose
09:15 < ecrist> n0g0: why would you recommend a bridged tunnel, because someone is having ping issues?
09:15 < straterra> It's just going to be one server to another though
09:15 < straterra> ecrist: I'm not having ping issues
09:16 < n0g0> ecrist, he got troubles with ospf
09:16 < hkais> ecrist: I tried to deactivate the fw. also no success
09:16 < hkais> ecrist: I am using vmnet8 (vmware-nat-device)
09:17 < ecrist> hkais: what OS?
09:17 < ecrist> ew
09:17 < ecrist> bastardization on top of bastardization
09:17 < hkais> ubuntu vmware-host
09:17 < hkais> windows2008 vmware-guest
09:17 < hkais> win2k8 sends the icmp-reply but it get lost
09:17 < n0g0> straterra, I know what you mean. :) You should be able to do multicasting with tun. But if it fails, try tap.
09:22 -!- mario__ [n=mario@projekte.imos.net] has joined ##openvpn
09:22 < mario__> hello!
09:23 < ecrist> hello!
09:23 < mario__> i am trying to use auth-user-pass-verify with a bash script, but i am able to log in, even if i return exit 1
09:24 < mario__> #!/bin/bash
09:24 < mario__> echo "exit 1"
09:24 < mario__> exit 1
09:24 < mario__> but the authentication is still successful (with certs)
09:25 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
09:25 < n0g0> do you see the echo line in your server log when you connect ?
09:27 < n0g0> mario__, are you using openvpn 2.1 and have you set "script-security 3" in your server.conf ?
09:28 < ecrist> mario__:
09:28 < ecrist> !logs
09:28 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:30 -!- |ns|nR8 [n=doof@CPE-124-180-20-120.vic.bigpond.net.au] has quit ["Leaving"]
09:32 < abel408> Hello everyone! I'm trying to set up openvpn on ubuntu. I have viscosity on my mac. All viscosity says is connecting. It never connects. The server I installed openvpn on is on an encrypted connection. You can't even ping it. Would this be the reason why it cannot connect? All I did was follow this guide: http://nielsvz.com/2009/02/running-openvpn-on-ubuntu-810-server/. Here is my config: http://pastebin.com/d38d9c4e5
09:34 < ecrist> your redirect-gateway line is not complete, likely
09:34 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Read error: 110 (Connection timed out)]
09:34 < abel408> ecrist: me?
09:35 < ecrist> yes, you
09:35 < abel408> how could I make it complete?
09:36 < ecrist> we need your server logs, too, please
09:36 < abel408> where are my server logs?
09:36 < ecrist> I had already asked for those
09:36 < ecrist> !logs
09:36 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:37 -!- YpsyZNC is now known as Ypsy
09:37 < abel408> Where are the logs located? I couldn't find them
09:38 < ecrist> often in /var/log
09:39 < abel408> yea I checked there. not there
09:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
09:41 < ecrist> well, how could I know where the logs are? I'm not your admin. :)
09:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:42 < ecrist> abel408: try adding this to your server log: log-append /var/log/openvpn.log
09:42 < ecrist> touch /var/log/openvpn.log
09:42 < ecrist> chown openvpn:openvpn /var/log/openvpn.log
09:42 < ecrist> chmod 660 /var/log/openvpn.log
09:43 < ecrist> assuming openvpn is the user openvpn runs as.
09:44 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:44 < abel408> found it thanks :). Here it is: http://pastebin.com/d567aeca1
09:47 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn
09:48 < abel408> And here it is with openvpn.log http://pastebin.com/d730e5c0
09:51 < abel408> says I must define a tun/tap device, but I did in my server.conf. "dev tun". I also see tun0 in ifconfig
09:57 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has joined ##openvpn
09:57 < Marquel> morning
09:58 < Marquel> dazo: kay tried w/ openvpn-2.1_rc15. flood ping survived a little longer but the real issue didn't change :(
09:58 -!- abel408_ [i=48e076c5@gateway/web/freenode/x-c7d63b609e5b17d4] has joined ##openvpn
09:59 < dazo> Marquel: since you got things running to another host with the same old config ... your ISP somehow must have messed up something ....
09:59 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-a267bc685c261c0c] has quit [Ping timeout: 180 seconds]
09:59 < Marquel> phoned them already. hopefully they fix it soon ;)
10:00 < dazo> :)
10:01 < Marquel> at least they promised to look into it. that's more than i got from another isp with essentially the same problem, only it's not openvpn but sonicwall....
10:02 < ecrist> abel408_: try defining tun0, instead of just tun
10:02 < straterra> My openvpn tunnel just..dies about a minute or two after I start it
10:02 < straterra> I have to stop the client and restart it for the data to pass again :/
10:03 < hkais> my ping goes from the client to the vmware-servers-guest. but backwards the icmp reply gets lost. I can see it on vmnet8 but the icmps do not reach the tun0? http://pastebin.com/d78d11603
10:03 -!- plaerzen [n=carpe@vip2.tundraeng.com] has joined ##openvpn
10:03 < plaerzen> morning
10:03 < ecrist> hkais: firewall
10:04 < Marquel> maybe the outage of a nuclear power plant near this city didn't have no side effects... but then there were 1500 traffic lights off and the city suffered from 14 breakages of water pipes...
10:04 < hkais> ecrist: I deactivated the fw and the pings goes not through...
10:05 < ecrist> if they go one way, and not the other, it's a firewall issue
10:06 < hkais> ecrist: maybe I am too stupid, but how to figure out, if my firewall is still active?
10:07 < ecrist> you never answered my question about what OS you're using, earlier
10:07 < hkais> ecrist: sure
10:07 < hkais> (04:17:33 PM) hkais: ubuntu vmware-host
10:07 < hkais> (04:17:33 PM) hkais: windows2008 vmware-guest
10:07 < hkais> (04:17:52 PM) hkais: win2k8 sends the icmp-reply but it get lost
10:07 < ecrist> hkais: the firewall
10:07 < hkais> ubuntu 8.04 LTS to be precise
10:08 < hkais> the firewall is on the ubuntu
10:08 < hkais> iptables
10:08 < ecrist> !iptables
10:08 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
10:10 < hkais> ecrist: same problem as before
10:10 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)]
10:10 < ecrist> break out wireshark, then.
10:11 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-cd7f847db3ac5967] has joined ##openvpn
10:11 < hkais> ping goes to the vmnet8 (vmware-nat-device) the vmware-guest replies it but it does not reach the tun0
10:11 < hkais> ecrist: on which device?
10:11 < hkais> I am already watching with tcpdump
10:11 < hkais> tcpdump -i vmnet8 proto ICMP respectively tcpdump -i tun0 proto ICMP
10:12 -!- abel408_ [i=48e076c5@gateway/web/freenode/x-c7d63b609e5b17d4] has quit [Ping timeout: 180 seconds]
10:16 < abel408> ecrist: Thanks, I just tried setting it to tun0 with no luck. I still have the same error in the log file after restarting openvpn
10:18 < straterra> Grrr
10:18 < straterra> This stupid tunnel keeps just stop working after like 30 seconds
10:19 < straterra> Which is when the keep alive value is set to restart the tunnel
10:19 < straterra> There aren't network issues between the two networks
10:21 < hkais> no hints for my problem?
10:24 < ecrist> abel408: how are you starting openvpn?
10:24 < ecrist> are you referencing the config file?
10:24 < ecrist> openvpn -config
10:25 < ecrist> straterra: !logs
10:26 < abel408> ecrist: "/etc/init.d/openvpn restart" My server.conf file is in /etc/openvpn and I was told that any conf file in that directory will be loaded
10:26 < ecrist> who told you that?
10:26 < ecrist> I wouldn't know, without reading the init.d script
10:26 < abel408> http://nielsvz.com/2009/02/running-openvpn-on-ubuntu-810-server/
10:26 < vpnHelper> Title: Running OpenVPN on Ubuntu 8.10 Server (at nielsvz.com)
10:27 < abel408> Any .conf file in /etc/openvpn will be automatically loaded.
10:27 < straterra> ecrist: http://pastebin.ca/index.php
10:27 < straterra> err
10:27 < ecrist> well, from the error, it would appear that your config file isn't being read.
10:27 < straterra> http://pastebin.ca/1486972
10:28 < ecrist> straterra: it looks like it could possibly be a firewall issue, which is closing the connection after a time.
10:28 < ecrist> try disabling the firewall, see if the problem goes away.
10:28 < ecrist> (could be either client or server side)
10:30 < straterra> There is no firewall
10:30 < plaerzen> There is no spoon.
10:30 < abel408> erist: ok well when I try "openvpn --config server.conf" I get this http://pastebin.com/d240a4342 It must be reading it because it setup the interface tun0 with the ip I set in server.conf for me. I did not have that before
10:30 < abel408> erist: I'm going to check my firewall
10:31 < straterra> ecrist: I notice it dies like right after OSPF finds a neighbor
10:32 < ecrist> could be
10:33 < straterra> Then the connection dies..then ospf 'loses' the route (like it should)
10:33 < straterra> then everything works again
10:33 < ecrist> I can't/won't support the OSPF stuff here. If you are doing OSPF, I'd suggest using tap for a bridged tunnel.
10:43 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
10:43 < straterra> Anyone have any ideas on how I can prevent this?
10:44 < straterra> Oops
10:50 -!- mario__ [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
10:54 -!- vvpalin [n=vvpalin@unaffiliated/vvpalin] has quit ["Leaving"]
10:59 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-cd7f847db3ac5967] has quit [Ping timeout: 180 seconds]
11:11 -!- albech [n=albech@119.42.76.157] has joined ##openvpn
11:21 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-275d7ed7695748a5] has joined ##openvpn
11:22 < abel408> ecrist: It was the firewall. I allowed udp traffic from port 1194 and voila, it worked. The vpn status shows connected and I am given an ip, but I cannot connect to anything on the network. What can I check now?
11:24 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
11:47 < ecrist> abel408: now you need to make sure your VPN ips are routable across the rest of your network.
11:47 < ecrist> either that, or you need to setup NAT on your VPN box so that all your VPN clients are NAT'd to its accessible IP
11:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:56 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:22 -!- Marquel [n=Flinx@port-14900.pppoe.wtnet.de] has quit [Read error: 104 (Connection reset by peer)]
12:24 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-275d7ed7695748a5] has quit [Ping timeout: 180 seconds]
12:28 -!- madduck [n=madduck@debian/developer/madduck] has left ##openvpn []
12:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
12:48 -!- antii [n=rw@unaffiliated/antii] has joined ##openvpn
12:48 < antii> Gah, why do I get this when im trying to connect to my Ivacy vpn, it seems like i cant enter my password. http://pastebin.com/m143853f7
12:56 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-cd601545a6a562ff] has joined ##openvpn
12:58 -!- kezhi [i=moneybag@has.no.info.tm] has joined ##openvpn
13:09 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
13:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:34 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:36 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has quit [Remote closed the connection]
13:38 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-cd601545a6a562ff] has quit [Ping timeout: 180 seconds]
13:39 < ecrist> antii: looks like a permissions problem, or an invalid certificate
13:40 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
13:40 < antii> hmpf... :->
13:40 < antii> it works on my windows & osx machine..
13:55 -!- kezhi [i=moneybag@has.no.info.tm] has quit [Remote closed the connection]
13:57 < ecrist> sure, check permissions.
13:57 < ecrist> also, it does help if you post your entire log file
13:57 < ecrist> !logs
13:57 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:03 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
14:07 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-53684bdf9ad0b7bf] has joined ##openvpn
14:09 < abel408> I have openvpn server configured on an ubuntu machine. My vpn clients connect through dd-wrt. I want to designate a different subnet for each client. example: 10.133.0.0 -> client1 | 10.133.1.0 -> client2 and so on... How can I do this?
14:10 < abel408> currently I just have server 10.133.0.0 255.255.255.0 on my server config. Can I add another ip?
14:11 < ecrist> yes,
14:11 < ecrist> simply add a route statement to the server config, push the route to other clients
14:11 < ecrist> !routing
14:11 < vpnHelper> ecrist: Error: "routing" is not a valid command.
14:11 < ecrist> !route
14:11 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:11 < abel408> thanks
14:12 < abel408> ecrist: btw the problem I was having before with not being able to ping anything on the network was because the client side did not have comp-lzo enabled
14:17 -!- bandini [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
14:41 < abel408> The ccd directory was not created automatically for me. Would it be fine if I just created it? I added "client-config-dir ccd" to my server.conf
14:44 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-53684bdf9ad0b7bf] has quit [Ping timeout: 180 seconds]
14:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:45 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-6fa4323300740932] has joined ##openvpn
14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:53 -!- Flumdahl [n=n30@auth.se] has joined ##openvpn
14:53 < Flumdahl> openvpn --genkey <-- how do i get it to create a key with 1024 bits ?
14:53 < Flumdahl> its automatically creating a 2048 bits
14:55 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has joined ##openvpn
15:01 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Success]
15:06 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-6fa4323300740932] has quit ["Page closed"]
15:06 -!- abel408 [i=48e076c5@gateway/web/freenode/x-c53d242dea977c7a] has joined ##openvpn
15:09 < abel408> ecrist: I have subnets behind the server. DO I also have to include those subnets in the server.conf if I dont have push "redirect-gateway" enabled? Would I just include a push "route x.x.x.x x.x.x.x" for each subnet that is behind the openvpn server so my clients can communicate with them?
15:16 < abel408> Once I disabled push "redirect-gateway" I can no longer ping things on the network. How can I make this work without enabling redirect-gateway
15:16 < krzie> abel408 yes, you push the subnet to clients
15:16 < krzie> as shown in: !route
15:16 < krzie> !route
15:16 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:17 -!- tompaw_ [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
15:17 < krzie> tompaw, you arent the same as tomaw right?
15:19 < abel408> Ok. I saw that and saw the configuration for subnets behind clients and wanted to make sure it was the same for subnets behind the server
15:19 < krzie> in that example theres 3, 2 behind clients and 1 behind server
15:19 < krzie> focus on what happens for the one behind the server
15:19 < krzie> but ya its just a push route
15:20 < krzie> and of course ip forwarding must be enabled on it
15:20 < krzie> (the server)
15:21 < abel408> yup. Got that
15:25 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
15:26 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has quit [Read error: 104 (Connection reset by peer)]
15:36 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
15:39 -!- unix3 [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
15:39 -!- GloFFLap [n=gloff@ti0006a380-0061.bb.online.no] has joined ##openvpn
15:51 -!- abel408 [i=48e076c5@gateway/web/freenode/x-c53d242dea977c7a] has quit ["Page closed"]
16:34 < GloFFLap> Hi! I'm trying to reach my LAN behind a pfsense router. I've gotten so far as being able to log into my pfsense via the OpenVPN tunnel. My LAN consists of static IPs on 1 subnet. I guess I lack some ifconfig or push or something in the pfsense config.. could someone assist me in this matter?
16:36 < krzie> !route
16:36 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:42 < krzie> thats for your GloFFLap
16:42 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 104 (Connection reset by peer)]
16:43 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
16:44 -!- ploo [n=lbz@fw1.aspsys.com] has joined ##openvpn
16:44 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:45 < ploo> v2.0.6 pretty stable?
16:45 < krzie> thats sooo old
16:45 < krzie> 2.0.9 is over 3 yrs old
16:45 < krzie> use 2.1 rc18
16:45 < krzie> !download
16:45 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
16:45 < ploo> lol after about 40-50 days uptime it started acting silly :)
16:46 < krzie> let me guess, freebsd ports?
16:46 < ploo> yeah
16:46 < krzie> go from source
16:46 < krzie> theres also an openvpn-devel but i bet its outdated too
16:47 < krzie> and since you use freebsd
16:47 < krzie> you may love ssl-admin (in ports) for cert management for your CA
16:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:51 < ploo> ok
16:53 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
16:55 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn
16:57 < tjoff> !route
16:57 < vpnHelper> tjoff: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:01 -!- seba_ [n=seba@static-87-79-236-180.netcologne.de] has joined ##openvpn
17:01 < seba_> hi
17:01 < krzie> hi
17:05 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
17:06 < seba_> i want to tunnel ipv4 and ipv6 through my vpn, is this possible through a tun setup?
17:06 < krzie> it is
17:06 < seba_> cool, thx :)
17:07 < krzie> although you cant hand out ipv6 ips via openvpn built in stuff, you can tunnel the traffic
17:07 < krzie> tun devices encapsulate IPv4 or IPv6 (OSI Layer 3) while tap devices encapsulate Ethernet 802.3 (OSI Layer 2).
17:07 < krzie> --tun-ipv6
17:07 < krzie> Build a tun link capable of forwarding IPv6 traffic. Should be used in conjunction with --dev tun or --dev tunX. A warning will be displayed if no specific IPv6 TUN support for your OS has been compiled into OpenVPN.
17:07 < krzie> look for every instance of ipv6 in the manual 17:07 < seba_> yeah, thats what i read in the manual 17:07 < krzie> !man 17:07 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:07 < krzie> oh ok 17:07 < krzie> then you knew you could 17:08 < seba_> i wasnt sure if it'll work, afaik there was a point when it wasnt possible 17:08 -!- temba [n=okotoba@91-65-23-247-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:09 < seba_> my main problem is that i want to assign ips from my 10.xx.xx.* subnet and allow the first half of the subnet (255.255.255.128) to route into different subnets 17:09 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [No route to host] 17:10 < krzie> i dont understand 17:10 < seba_> until now i've been using tap for my vpn, but my users could easily change their ip to the first "half" of the subnet and access these subnets 17:10 < krzie> oh ok 17:10 < krzie> well with tun you give them ips in a vpn-only subnet 17:11 < krzie> use net30 (default topology) 17:11 < krzie> can assign static ips via !static or via --client-connect-script (depending on number of users one is easier than other) 17:11 < krzie> then create firewall rules for the policies 17:12 < seba_> every user gets their own subnet? 17:13 < krzie> yes, a /30 17:13 < krzie> !/30 17:13 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 17:13 < seba_> ah, okay, 2 ips per host 17:13 < krzie> 1 ip per host 17:13 < krzie> other 3 wasted 17:13 < krzie> 2 for server, 2 for host, but 2 of those are internal to openvpn only, 1 on each side 17:14 < seba_> network and broadcast afaik? 
17:14 < krzie> why 3 explained in above link 17:14 < krzie> * 192.168.1.4/30 17:14 < krzie> * 192.168.1.4 -- Network address 17:14 < krzie> * 192.168.1.5 -- Virtual IP address in the OpenVPN Server 17:14 < krzie> * 192.168.1.6 -- Assigned to the client 17:14 < krzie> * 192.168.1.7 -- Broadcast address. 17:15 < krzie> As 192.168.1.5 is only a virtual IP address inside the OpenVPN server, used as an endpoint for routes, OpenVPN doesn't bother to answer pings on this address, while the 192.168.1.1 is a real IP address in the servers O/S, so it will reply to pings. 17:15 < krzie> It does cause a little waste of IP addresses, but it's the best way to allow a consistent configuration that works on all O/S supported by OpenVPN. 17:15 < krzie> btw that WAS the best way to do that, they found a new way in 2.1 17:16 < krzie> but i have yet to verify that the new way cant change ips 17:16 < krzie> i would assume they can because they're all in the same subnet, and thats what stops them from doing it in net30 17:19 < seba_> whats the new way? 17:20 < krzie> !topology 17:20 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 17:21 -!- troy- is now known as troy 17:23 < ecrist> krzie: you're a bitch 17:24 < krzie> =[ 17:24 < ecrist> lol, I'm just kidding. 17:24 < ecrist> pm? 17:24 < krzie> i gno 17:24 < krzie> sure 17:33 < seba_> is there a way to use a tapped vpn but prevent the user from changing their ip? 
17:33 < krzie> not that i know of, you could try static arpping 17:33 < krzie> arp'ing 17:34 < krzie> like give every client a static arp and static arp the rest to garbage 17:34 < krzie> so they cant arp to the new ip 17:34 < krzie> not really an ovpn thing, more of a layer2 networking thing 17:34 < krzie> added advantage, that stops arp poisoning 17:35 -!- lkjasas [n=lbz@fw1.aspsys.com] has joined ##openvpn 17:35 < seba_> hm, maybe i just have to use 2 openvpn servers for this problem 17:35 < krzie> *shrug* my way should work fine 17:35 < krzie> and is pretty auto-mateable 17:35 < seba_> static arping? 17:36 < krzie> you are familiar with arp, right? 17:36 < seba_> yes 17:36 < seba_> when a user connects i'd have to get his mac address and write it into my arp cache 17:37 < krzie> --client-connect script 17:37 < krzie> i believe 17:37 -!- ploo [n=lbz@fw1.aspsys.com] has quit [Read error: 110 (Connection timed out)] 17:37 < krzie> possibly --up 17:37 < krzie> easy to find out which script to use from manual 17:37 < krzie> lemme find the section to seek out 17:38 < krzie> Script Order of Execution 17:38 < krzie> --learn-address 17:38 < krzie> Executed in --mode server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table. 17:38 < krzie> that might be the right one... 
17:38 < krzie> then see: 17:38 < krzie> Environmental Variables 17:38 < krzie> Once set, a variable is persisted indefinitely until it is reset by a new value or a restart, 17:42 < krzie> ya, see --learn-address cmd 17:42 < seba_> okay, I'll 17:42 < krzie> you can add/remove firewall rules on the fly from the script, and can also deny the connection 17:42 < krzie> and it has access to the MAC 17:42 < krzie> so your firewall could get set to only allow that MAC from that IP 17:43 < krzie> err i said that very poorly, but i think you understand 17:43 < krzie> firewall based on MAC instead of IP 17:43 < krzie> so if they change their ip, who cares 17:44 < krzie> if you're comfy scripting you can bust out your goal from there 17:44 < krzie> note, if you use --client-to-client firewall rules wont be used between client traffic to other clients 17:44 < krzie> if you do not, firewall rules WILL be used for such connections 17:46 -!- LowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 17:50 < tjoff> I'm trying to set up an openvpn-bridge, and in most guides you are advised to use these firewall rules: 17:50 < tjoff> iptables -A INPUT -i tap+ -j ACCEPT 17:50 < tjoff> iptables -A FORWARD -i tap+ -j ACCEPT 17:51 < tjoff> makes sense, so that data can be accepted from the openvpn network, but how about if a client wants to send something (that will get routed through the vpn) - won't you need to configure for that as well? 17:52 < krzie> you mean they want to reach the inet via vpn? 17:52 < krzie> also, why do you want a bridge 17:52 < tjoff> no, if a client want to reach a client thats on the other side of a bridged network 17:53 < tjoff> after reading the howto a bridge seemed to fit me the most 17:53 < krzie> oh ya? what layer2 protocol do you need? 
17:53 < krzie> or you just have lans on other side of vpn 17:54 -!- lkjasas [n=lbz@fw1.aspsys.com] has quit [Read error: 110 (Connection timed out)] 17:54 -!- lkjasas [n=lbz@fw1.aspsys.com] has joined ##openvpn 17:55 < tjoff> I have two lans, that I try to bridge - I was under the impression that a bridged network was easier when it comes to windows shares (between the different LANs) 17:55 < krzie> !tunortap 17:55 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 17:56 < krzie> ;] 17:56 < krzie> as you can see from the prepared answer, that is a common question 17:56 < krzie> and for the routing of lans, 17:56 < krzie> !route 17:56 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:57 < krzie> that example assumes 3 lans, 2 behind clients and 1 behind server 17:57 < tjoff> thanks, I'll check that out. I'm sure it's a common question but I'd like to experiment with IPX and such as well 17:57 < krzie> wins will be faster 17:57 < krzie> better performance 17:57 < krzie> also, you can handle the lookups with dns 17:57 < krzie> but wins will be better 17:57 < krzie> !wins 17:57 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 17:58 -!- lkjasas [n=lbz@fw1.aspsys.com] has quit [Client Quit] 17:58 < tjoff> is there really a noticeable difference between routing and bridging? 
17:58 < tjoff> (performance) 17:59 < krzie> every single packet has added overhead 17:59 < krzie> if you've ever sniffed traffic you know a single connection is comprised of MANY packets 17:59 < krzie> unless its like a ping or something 17:59 < tjoff> yeah, but if it's only 1% it wouldn't really matter for the most part 18:00 < krzie> *shrug* do what you like 18:00 < tjoff> performance is not of the utmost importance 18:00 < krzie> but i assume you're here to get advice from people who are more familiar with openvpn than you, right? 18:00 -!- antii [n=rw@unaffiliated/antii] has left ##openvpn [] 18:00 < krzie> ok, is security of importance 18:00 < krzie> as tap opens you up to layer2 attacks from any machine connected 18:00 < tjoff> yeah sure, but I'd like to know why as well :) 18:01 < krzie> not just you, but your whole lan 18:01 < krzie> all lans involved actually 18:01 < tjoff> good point, although my environment is quite restricted so I felt that that alone wasn't a dealbreaker 18:03 < krzie> i know that when friends are hacking they LOVE to find a tap bridge open 18:03 < krzie> its access to own a whole other network 18:03 < krzie> *shrug* 18:03 < tjoff> thanks, I'll look more into that 18:03 < tjoff> and a routed approach 18:04 < krzie> np 18:04 < krzie> i wont say more about that, i said everything you needed to hear 18:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 18:47 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 18:52 -!- Ypsy is now known as YpsyZNC 19:14 -!- wire [n=Guest_rk@unaffiliated/wireddd] has joined ##openvpn 19:15 -!- wire [n=Guest_rk@unaffiliated/wireddd] has left ##openvpn [] 19:16 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 19:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 19:47 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [] 20:06 -!- seba_ 
[n=seba@static-87-79-236-180.netcologne.de] has quit ["..."] 20:08 -!- albech [n=albech@119.42.76.157] has quit [Read error: 104 (Connection reset by peer)] 20:18 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:18 < thedoc> Dougy, ping. 20:27 -!- albech [n=albech@119.42.78.28] has joined ##openvpn 20:38 < krzie> !irclogs 20:38 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 20:44 -!- laeg [n=laeg@unaffiliated/laeg] has quit ["Lost terminal"] 21:19 -!- |ns|nR8 [n=doof@123.211.73.125] has joined ##openvpn 21:19 < |ns|nR8> my guess is if i sit in this chan long enough i might learn something 21:28 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 22:40 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 22:40 -!- zheng [n=zheng@222.66.224.106] has quit [Remote closed the connection] 22:45 -!- zheng [i=de42e06a@gateway/web/freenode/x-5bcb102944b02745] has joined ##openvpn 22:47 -!- tjz2 [n=tjz@bb121-7-60-156.singnet.com.sg] has joined ##openvpn 22:51 -!- zheng [i=de42e06a@gateway/web/freenode/x-5bcb102944b02745] has quit ["Page closed"] 22:52 -!- zheng [i=de42e06a@gateway/web/freenode/x-b402c08646f37d5e] has joined ##openvpn 22:53 -!- Fitzsimmons [n=justin@unaffiliated/fitzsimmons] has joined ##openvpn 22:54 < Fitzsimmons> on a tun-type client-server mode connection, what is needed for a client to assign an IP to its tun interface? 
22:55 < Fitzsimmons> currently the server has an address, and appears to be assigning one to the client, but ifconfig tun0 shows that the client has not set one 22:58 -!- tjz [n=tjz@bb121-6-15-48.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 23:20 -!- troy is now known as troy- 23:33 -!- GloFFLap [n=gloff@ti0006a380-0061.bb.online.no] has quit [Read error: 60 (Operation timed out)] 23:34 -!- zheng [i=de42e06a@gateway/web/freenode/x-b402c08646f37d5e] has quit [Ping timeout: 180 seconds] 23:39 -!- hkais1 [n=xenoadmi@p5B207329.dip.t-dialin.net] has joined ##openvpn 23:39 -!- troy- is now known as troy 23:41 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn 23:55 -!- hkais [n=xenoadmi@p5B207928.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Wed Jul 08 2009 00:48 -!- zheng [i=413102ab@gateway/web/freenode/x-29b91dff18c1cc2c] has joined ##openvpn 00:51 -!- zheng [i=413102ab@gateway/web/freenode/x-29b91dff18c1cc2c] has quit [Ping timeout: 180 seconds] 01:04 -!- c64zottel [n=hans@91.23.173.197] has joined ##openvpn 01:04 -!- c64zottel [n=hans@91.23.173.197] has quit [Client Quit] 01:12 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)] 01:19 -!- Fitzsimmons [n=justin@unaffiliated/fitzsimmons] has quit ["Ex-Chat"] 01:28 -!- master_o1_master [n=master_o@84.157.53.55] has joined ##openvpn 01:28 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 01:39 -!- stephbul [n=stephbul@bulot.org] has left ##openvpn [] 01:39 -!- master_of_master [i=master_o@p549D55BF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:35 -!- alkemir [n=alkemir@pc-80-157-239-201.cm.vtr.net] has joined 
##openvpn 02:35 < alkemir> hi, is anybody there with some spare time? 02:39 < alkemir> !route 02:39 < vpnHelper> alkemir: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:40 < alkemir> !redirect 02:40 < vpnHelper> alkemir: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 02:46 < alkemir> !def1 02:46 < vpnHelper> alkemir: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 02:46 < alkemir> !ipforward 02:46 < vpnHelper> alkemir: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 02:46 < alkemir> !winipforward 02:46 < vpnHelper> alkemir: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 02:47 < alkemir> !nat 02:47 < vpnHelper> alkemir: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 03:04 -!- Sloan [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn 03:04 < Sloan> hi all 03:04 < Sloan> !route 03:04 < vpnHelper> Sloan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:06 < Sloan> i was wondering if anyone would be willing to 
help me test my OpenVPN setup for a lan connection behind my openvpn server 03:07 < Sloan> the person i was testing with has flaked out 03:07 < Sloan> hah 03:09 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)] 03:10 < alkemir> Hi Sloan 03:10 < Sloan> hi alkemir 03:11 < alkemir> Would you help me with a complicated situation? 03:11 < Sloan> i can try 03:11 < Sloan> what's up? 03:12 < alkemir> great! 03:12 < alkemir> I have a Windows Vista server (cant change it) 03:12 < alkemir> and i need remote clients (like me at my home) to be able to access the web through that server 03:13 < Sloan> ok 03:13 < Sloan> 1 second 03:13 < Sloan> like pushing DNS? 03:14 < Sloan> first, have you been able to get the clients to connect to the server? 03:14 < alkemir> yes.. but the server goes out through a gateway 03:14 < alkemir> ok, i have a basic setup running 03:14 < alkemir> the clients are able to connect to the server 03:15 < alkemir> ping doesnt work, but i guess its because of the firewall 03:15 < alkemir> i was getting a lot of "bad source address" errors.. 03:15 < Sloan> have you tried making exceptions in the firewall? 03:15 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 03:16 < alkemir> i can try, is it important? because the server is not mine, i just got permission to establish the vpn server 03:16 < alkemir> i should leave everything else untouched 03:17 < Sloan> wait 03:17 < Sloan> can you ping the server 03:17 < Sloan> from the client? 03:17 < alkemir> yes, but not through the vpn interface 03:17 < alkemir> mh, i guess it's not the firewall then 03:18 < alkemir> wait, i cannot 03:18 < Sloan> does the client say anything suspicious when you connect to the server? 03:18 < alkemir> ok, so the firewall is dumping ping packets 03:18 < Sloan> some kind of error message or something? 
03:18 < alkemir> nothing 03:19 < alkemir> ok 03:19 < alkemir> i changed the rule in the firewall 03:19 < alkemir> and now i am able to ping it 03:19 < Sloan> ok.. 03:19 < Sloan> hey great 03:21 < alkemir> hello? 03:21 < Sloan> yes? 03:22 < alkemir> i just tested the vpn (caused me a bit of downtime) and i cannot ping 10.8.0.1 03:22 < Sloan> what is 10.8.0.1? 03:22 < Sloan> the server ip? 03:22 < Sloan> through vpn 03:22 < alkemir> exactly 03:22 < alkemir> i can ping out using the external ip 03:22 < Sloan> check the device on the server too 03:23 < Sloan> it might have a firewall on 03:23 < Sloan> are you using TAP? 03:23 < alkemir> but once the vpn connection is successfully established, i cannot ping it from the inside 03:23 < alkemir> tun 03:23 < alkemir> ill check it 03:23 < Sloan> ok 03:26 < alkemir> I am sorry i am taking this long, i am not able to find it in vista 03:29 < Sloan> ah yes 03:29 < Sloan> i cant recall off the top of my head how to get to it either 03:29 < alkemir> windows firewall is deactivated 03:29 < alkemir> i am checking the kaspersky settings 03:30 < alkemir> ok 03:31 < alkemir> there is no firewall 03:34 < alkemir> nope, no ping response (ping 10.8.0.1 -I tun0 03:34 < alkemir> ) 03:38 < alkemir> should i enable ICS on the VPN device? 03:39 < Sloan> you should be able to ping the server from the client without actually tunneling the internet connection through it 03:39 < alkemir> yes i should 03:39 < alkemir> i dont see why i am not able 03:40 < Sloan> is the server behind a router? 
03:40 < alkemir> possibly 03:40 < alkemir> i am sorry to give such vague information 03:41 < alkemir> it is a university network 03:41 < Sloan> i'd double check that the server's router is forwarding the port correctly to the server 03:41 < alkemir> it is, i can see myself connecting to it 03:44 < Sloan> hmm 03:45 < Sloan> i wish i knew more 03:45 < Sloan> all i can say is double check your server config file and your client config file 03:46 < Sloan> i just downloaded this myself a day or so ago 03:46 < alkemir> ok 03:46 < alkemir> thank you very much 03:46 < Sloan> sorry i couldnt help 03:47 < alkemir> thanks a lot 03:48 -!- |ns|nR8 [n=doof@123.211.73.125] has quit ["Leaving"] 03:51 < Sloan> alkemir 03:51 < Sloan> just for fun you might try tap 03:51 < alkemir> yes? 03:51 < Sloan> i've never actually tried tun 03:51 < alkemir> i guess 03:51 < Sloan> so i didnt troubleshoot for it at all 03:51 < alkemir> hey 03:52 < alkemir> can i ask you about tap? 03:52 < Sloan> you can try 03:52 < Sloan> hah 03:52 < alkemir> haha 03:52 < alkemir> is it harder to setup on the client side? this server is supposed to be used by many many students which are not tech-friendly 03:53 < Sloan> i think it's the same 03:53 < alkemir> ok 03:53 < Sloan> you need the certificate files 03:53 < Sloan> and the client.ovpn 03:53 < alkemir> doesnt windows have a ready-to-go vpn client? 03:53 < Sloan> i think so 03:53 < Sloan> never messed with it 03:53 < alkemir> ok 03:54 < Sloan> someone i know started to use it 03:54 < Sloan> but 03:54 < Sloan> it didnt really work for our purposes 03:54 < Sloan> playing games 03:54 < alkemir> why not? 
it would be cool to have that too 03:54 < Sloan> i mean 03:54 < Sloan> it just didnt work 03:54 < Sloan> apparently they tried starcraft 03:54 < Sloan> didnt work 03:54 < Sloan> whereas i've gotten a starcraft game to work through openvpn 03:54 < alkemir> haha, very windows-like 03:55 < Sloan> also they said something about having a 1 client limit 03:55 < alkemir> ! 03:55 < Sloan> using the VPN server for windows 03:55 < Sloan> i dont really know though, didn't look into it 03:55 < alkemir> if i use openvpn as a server, cant i use windows client? 03:55 < alkemir> arent they compatible? 03:56 < Sloan> i have no idea 03:56 < Sloan> i'd bet not 03:56 < Sloan> but it'd be worth looking into 03:56 < alkemir> ok 03:56 < alkemir> thanks again Sloan 03:56 < Sloan> sure 03:56 < Sloan> wish i had all the answers 03:56 < Sloan> then again, if i did 03:57 < Sloan> i wouldnt even be in here right now 03:57 < Sloan> i'd be playing starcraft 03:57 < Sloan> haha 03:57 < alkemir> haha 03:57 < alkemir> hey, should i have port forwarding for ping to work? 03:58 < Sloan> i believe you just need to have your port forwarded to the server 03:58 < Sloan> i could be wrong 03:58 < alkemir> ok 04:06 < alkemir> damn 04:07 < alkemir> i locked myself out of the server now 04:12 -!- Flumdahl [n=n30@auth.se] has left ##openvpn [] 04:15 < alkemir> good bye! 
04:16 -!- alkemir [n=alkemir@pc-80-157-239-201.cm.vtr.net] has quit [Remote closed the connection] 04:22 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn 04:29 -!- YpsyZNC is now known as Ypsy 04:43 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 04:54 -!- tjz [n=tjz@bb121-7-60-156.singnet.com.sg] has joined ##openvpn 04:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 05:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:12 -!- tjz2 [n=tjz@bb121-7-60-156.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:34 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 05:37 -!- daya [n=daya@202.63.242.211] has joined ##openvpn 06:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 06:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 06:34 -!- thedoc [n=andelyx@38.108.110.106] has joined ##openvpn 06:45 -!- daya [n=daya@202.63.242.211] has quit [Read error: 110 (Connection timed out)] 06:50 -!- CaMason [n=CaMason@93-97-245-22.zone5.bethere.co.uk] has joined ##openvpn 06:51 < CaMason> hi guys. I've got a virtual machine running XP and I'm connected to a VPN. Is it possible for me to connect to this network from another machine? (namely the host of the VM) 07:10 -!- oligo [n=oligo@vps257.xlshosting.net] has joined ##openvpn 07:20 -!- hkais1 [n=xenoadmi@p5B207329.dip.t-dialin.net] has left ##openvpn [] 07:34 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Connection timed out] 07:37 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 08:18 < Bushmills> does "connected to a VPN" mean "have OpenVPN running"? 
08:20 -!- ciphyre [n=ciphyre@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 08:37 -!- tompaw_ is now known as tompaw 09:09 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 09:11 -!- Golem [n=fanty@p57AD7B39.dip.t-dialin.net] has joined ##openvpn 09:13 -!- Golem [n=fanty@p57AD7B39.dip.t-dialin.net] has quit ["Konversation terminated!"] 09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:17 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn 09:17 < sander_> !howto 09:17 < vpnHelper> sander_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:25 -!- elventear [i=elventea@angband.ipv6.antropoide.net] has joined ##openvpn 09:28 < elventear> I am using some Client Specific configs where I assign an IP statically to each client using ifconfig-push. I would like to use the push-reset to erase the routes set in the global configuration. When I do that the client is not routing packets any more. What else am I missing? I tried adding a push route but it wasn't enough. Do I need to add an iroute? 09:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:34 < Bushmills> elventear, presumably def1 09:34 < Bushmills> !def1 09:34 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 09:37 < elventear> I am not using redirect-gateway in the global settings. In this VPN I don't want to override the default gateway 09:52 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 09:53 < Bushmills> then compare client routes before and after, see what the difference is. 10:22 < elventear> Bushmills: thanks. 
I figured it out. Missing a few routes 10:24 -!- Super_Cat_Frog [n=bob@87.194.183.38] has joined ##openvpn 10:24 < Super_Cat_Frog> hi - i want all our internal boxes to be able to talk to all of our remote boxes ( openvpn server being on the internal network ) - any ideas how i can do this 10:26 -!- elventear [i=elventea@angband.ipv6.antropoide.net] has quit ["!@#$*$ NO CARRIER"] 10:27 < Super_Cat_Frog> !man !/30 10:27 < Bushmills> have two gateways, one running openvpn server, the other openvpn client. have remote boxes use machine with openvpn client as gateway. use machine with openvpn server as gateway for local machines. read !route 10:27 < Super_Cat_Frog> !route 10:27 < vpnHelper> Super_Cat_Frog: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:28 < Bushmills> thus (local machines) - LAN - openvpn server - tunnel - openvpn client - (remote machines) 10:31 < Super_Cat_Frog> Bushmills: thats right 10:31 < Super_Cat_Frog> eh - i thought you were a bot, i'm quite confused now 10:32 < Bushmills> can't parse 10:32 < Super_Cat_Frog> oh i see 10:32 < Super_Cat_Frog> the second thing you said 10:32 < Super_Cat_Frog> (local machines) - LAN - openvpn server - tunnel - openvpn client - (remote machines) 10:39 -!- smellynoser [n=ashley@87-194-183-38.bethere.co.uk] has joined ##openvpn 10:43 < Super_Cat_Frog> i figured it out, sort of, by adding a route for openvpn in my local routing table, then adding an individual vpn client, and i could ping it 10:43 < Super_Cat_Frog> by setting the gateway to the openvpn server 10:44 < Super_Cat_Frog> but i'm trying to add "route add 10.98.76.128/27 gw 10.98.76.129" but route is telling me "route: netmask 0000001f doesn't make sense with host route" 10:44 < Super_Cat_Frog> but ipcalc agrees thats a valid network - any ideas? 
10:48 -!- _impuls [n=m@gateway.theta.stoerimpuls.net] has joined ##openvpn 10:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:01 -!- troy is now known as troy- 11:05 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:12 -!- MadTBone [n=bruce@160.39.238.200] has joined ##openvpn 11:13 < MadTBone> !route 11:13 < vpnHelper> MadTBone: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 11:15 -!- CaMason [n=CaMason@93-97-245-22.zone5.bethere.co.uk] has quit ["Leaving"] 11:31 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 60 (Operation timed out)] 11:33 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn 11:42 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-73901c5964f9b451] has joined ##openvpn 11:44 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 104 (Connection reset by peer)] 11:52 < MadTBone> this is probably a classic problem, but I have OpenVPN server on Linux, OpenVPN GUI as a Windows client. Client can connect to server and gets an IP address. Client can NOT ping server or other clients. Client log shows several lines of "No Route to Host" after connection. 11:57 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn 12:04 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-73901c5964f9b451] has quit ["Page closed"] 12:06 < MadTBone> routes on the client seem to be listed properly by 'route print' 12:07 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Connection timed out] 12:13 < MadTBone> !logs 12:13 < vpnHelper> MadTBone: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
12:14 < MadTBone> !configs 12:14 < vpnHelper> MadTBone: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:14 < MadTBone> !interface 12:14 < vpnHelper> MadTBone: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 12:23 < sander_> When I run the command: cd /etc/openvpn/easy-rsa; source ./vars; openssl req -days 3650 -nodes -new -x509 -keyout ca.key -out ca.key -config $KEY_CONFIG -subj /C=${KEY_COUNTRY}/ST=${KEY_PROVINCE}/O=${KEY_ORG}/CN=${KEY_CITY}/emailAddress=${KEY_EMAIL}/passin=thePassword ....I get out: 25330:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 145 12:23 < sander_> Why's that? 12:24 -!- albech [n=albech@119.42.78.28] has quit [Remote closed the connection] 12:51 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has joined ##openvpn 12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:07 -!- abel408 [i=48e07512@gateway/web/freenode/x-ad966beb8da35562] has joined ##openvpn 13:09 < abel408> hey everyone! I'm trying to get openvpn to work on my router. I have openvpn server installed on an ubuntu machine and the client installed on a router with packetprotector firmware. I can connect and ping everything on my network from the router, but I can only ping up to the openvpn server from a computer attached to the router. What am I doing wrong? 13:11 < ecrist> abel408: I linked you the route wiki page which shows you how to do that yesterday 13:20 < abel408> ecrist: Yea I added the push route statement already. 
Still doesn't seem to work. I created the ccd directory and pointed the server.conf file to that directory and added a file for each client for it
13:24 < MadTBone> Client (WinXP SP3 - OpenVPN 2.0.9) can connect, but can't ping server (Linux 2.6.29 - OpenVPN 2.0.9)... anyone see the problem? -- logs, configs, and iface/routes as requested in topic: http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407
13:24 -!- albech [n=albech@119.42.78.28] has joined ##openvpn
13:44 < sander_> Anyone have a guide to how to generate certs for a client/server setup?
13:47 -!- albech [n=albech@119.42.78.28] has quit [Remote closed the connection]
13:49 -!- j3g [n=andrer@200.130.18.1] has joined ##openvpn
13:50 < j3g> anyone know what kind of hardware would be necessary to do openvpn on a gigabit connection? would a quad cpu xeon 2.8GHZ handle it?
13:55 -!- c64zottel [n=hans@p5B17ADC5.dip0.t-ipconnect.de] has joined ##openvpn
13:59 < |Mike|> j3g: depends on your security level and the amount of traffic
14:00 -!- KaiForce [n=chatzill@adsl-70-228-64-69.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)]
14:00 -!- abel408 [i=48e07512@gateway/web/freenode/x-ad966beb8da35562] has quit [Ping timeout: 180 seconds]
14:02 < |Mike|> sander_: kidding me ?
14:05 < sander_> |Mike|, sorry.. I meant a guide to how to use openssl for generating certs.
14:09 < |Mike|> you can use the easyrsa tools :-)
14:10 < j3g> mike: 1GB, regular 1024 bit aes encryption
14:11 < |Mike|> how many clients ~ ?
14:12 < j3g> 1
14:12 < j3g> just a point to point
14:13 < |Mike|> with 2+gb of memory, would be no problem
14:15 < sander_> |Mike|, I want to create a tool which can replace pkitool
14:15 < |Mike|> why would you like to replace pkitool in general ?
14:16 < sander_> |Mike|, because pkitool asks too many questions
14:16 < |Mike|> lol
14:16 < j3g> anyone know which one is the fastest crypto for openvpn? (less secure, but faster)
14:17 < sander_> |Mike|, it would be nice with a tool which generates all certs automatically.. without typing too many commands and answering lots of question double up.
14:17 < |Mike|> sander_: you have to sign it, otherwise it's pretty useless :P
14:18 < sander_> |Mike|, sign the tool?
14:18 < |Mike|> the questions.
14:18 < |Mike|> j3g: DES-CFB 64 bit
14:19 < j3g> thank you
14:21 < sander_> |Mike|, sure I will sign the certs properly.. But I will have one command which generates ca, server key, dh key.. and clients keys
14:21 < sander_> !ssl-admin
14:21 < vpnHelper> sander_: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
14:22 < sander_> Something which will replace ssl-admin too
14:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
14:40 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 110 (Connection timed out)]
14:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:43 < j3g> |Mike|: i'm getting bad speeds even without encryption (cipher = none) ... iperf = 940MBITS/s, iperf tunnel_ip = 224 (cipher none) or 140 (blowfish). do you have any ideas what could be causing this?
14:45 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-8816c8fe53ca4492] has joined ##openvpn
14:51 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit ["Leaving"]
14:51 -!- ciphyre [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
14:51 < abel408> Hello! I have been trying to figure this out for a day now.
I have the openvpn server on ubuntu and my openvpn client on a router with packetprotector firmware. The router can ping everything on the network, but anything on the lan of that router cannot. I have rechecked my settings many times. Maybe if someone else looked at them for me they could figure it out. http://pastebin.com/d6d405897 Thanks!
14:52 -!- ciphyre is now known as mblt86
14:59 < abel408> ecrist: http://pastebin.com/d6d405897 Thats where I got after reading the route wiki. I have also tried to set the openvpn server as the default gateway with no luck
14:59 < krzie> abel408 read !route
14:59 < krzie> !route
14:59 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:59 < krzie> oh you did
14:59 < abel408> krzie: Already did, which is why I'm here
15:00 -!- mblt86 is now known as jdchrist
15:00 < abel408> kryzi :)
15:00 < krzie> ahh, you found it from google?
15:00 < krzie> thats a ton of push routes
15:00 < krzie> you have that many lans behind the server?
15:01 < krzie> (only 3 are behind clients from the looks of your config)
15:01 < abel408> no, I was here yesterday when I was just trying to get openvpn to work with my mac client. I ended up getting it to work. Now I'm working on getting it to work with the client on a router and a lan behind it
15:01 < |Mike|> j3g: already tried without encryption?
15:01 < abel408> yup
15:02 < abel408> well I plan to have 3 routers with lans behind them for now
15:04 < j3g> |Mike|: i did
15:04 < j3g> |Mike|: cipher = none
15:04 < |Mike|> linux / bsd?
15:04 < j3g> linux
15:04 < abel408> kryzie: I shouldn't need to do anything on the computer that is on the router correct?
That would defeat the purpose of putting the client on the router
15:05 < |Mike|> I get around 940Mbit/s atm, with DES-CFB
15:05 < krzie> of course you do
15:05 < |Mike|> (load ~2.0)
15:05 < krzie> you must make sure ip forwarding is enabled
15:06 < |Mike|> j3g: do you have a shared uplink ?
15:06 < abel408> i have enabled ip forwarding on the server and client and "sysctl net.ipv4.ip_forward" confirms this
15:07 < j3g> |Mike|: i'm testing on a LAN before setting up on the uplink (which will be dedicated)
15:07 < j3g> using the non-vpn ip = 940mbits / s using openvpn I get 224 without ciphers, 140 with blowfish
15:07 < krzie> and you must make sure the firewall allows every src address that it will be passing
15:07 < j3g> |Mike|: high cpu usage when using ciphers
15:07 < |Mike|> how high ?
15:08 < abel408> krzie: and I think "iptables -A FORWARD -i br0 -o tun0 -j QUEUE; iptables -A FORWARD -i tun0 -o br0 -j QUEUE" is the correct way to do it
15:08 < krzie> well you found your limiting factor then j3g
15:08 < j3g> without encryption = 80% , with = 100%
15:08 < |Mike|> so load 1.0 ? :)
15:08 < krzie> abel408
15:08 < j3g> krzie: i know... but it is a fast cpu ... it should handle it (2.8GHZ xeon)
15:08 < krzie> you're using a bridged setup?
15:08 < krzie> j3g, well it seems not to be handling it
15:09 < krzie> so your "should" seems invalid
15:09 < krzie> unless you caused a routing loop or something...
15:09 < j3g> |Mike|: which hardware are you using to handle those 940mbit?
15:10 < |Mike|> Let me seek.
15:10 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
15:10 < j3g> krzie: openvpn is single-threaded afaik, so more CPUs won't help.. only a faster cpu... but how fast could one go if 2.8ghz only gets you to 140mbits?
15:11 < krzie> so its the openvpn proc alone which is taking up all 80?
15:11 < krzie> personally i noticed openvpn is on 1 of my procs, openssl a different one
15:11 < j3g> i have larger machines here (up to 32 cpus opteron 16 cpu xeons) but those won't help
15:11 < |Mike|> Sun Fire X2100 with 4gb mem
15:11 < j3g> X2100 uses niagara?
15:11 < j3g> X is for X86 line right?
15:12 < j3g> which cpu does it have?
15:12 < |Mike|> x64
15:12 < j3g> niagaras have a special encryption offloader which is supposed to handle up to 40gbits of encryption
15:12 < abel408> kryzie: no I'm using a routed setup
15:12 < j3g> mine is x64 as well but not as new as yours... but yours can't be 8x faster just for nothing
15:13 < |Mike|> AMD opteron 146
15:15 < krzie> abel408
15:15 < krzie> !iptables
15:16 < vpnHelper> krzie: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
15:16 < krzie> make sure to backup your current rules first
15:16 < krzie> i dont use linux, so double-check that doesnt wipe your NAT stuff
15:16 < krzie> !firewall
15:16 < vpnHelper> krzie: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
15:17 < abel408> ok
15:17 < j3g> |Mike|: have you tweaked the tcp parameters on that box?
15:18 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn
15:18 < |Mike|> it's fully tweaked, runs freebsd
15:22 < krzie> abel408
15:22 < krzie> #
15:22 < krzie> push "route 10.133.0.0 255.255.255.0"
15:22 < krzie> you dont need that, as its your vpn subnet
15:22 -!- jdchrist [n=ciphyre@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Remote closed the connection]
15:26 < abel408> Kryzie: that wouldn't be causing the problem would it?
15:28 < krzie> no, its just redundant
15:29 < krzie> and you can only push a certain number of things
15:29 < krzie> !factoids search lim
15:29 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
15:31 < abel408> kryzie: You know why they limit it?
15:32 < krzie> its not like they made extra code to stop it from going over that
15:32 < abel408> oh
15:32 < krzie> but no im not familiar with the exact reason in the code
15:32 < krzie> but its open source, you're free to look
15:33 < krzie> and from my experience, its nice and commented too
15:38 < abel408> yea theres a reason why I switched my major from cs... haha
15:39 -!- plaerzen [n=carpe@vip2.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
15:44 -!- c64zottel [n=hans@p5B17ADC5.dip0.t-ipconnect.de] has quit ["Leaving."]
15:54 -!- elenril [n=wiskas@ip-241-138.pel.cz] has joined ##openvpn
16:00 < elenril> hi
16:01 < elenril> it seems i have misconfigured a remote client so it tries to connect to my server and then TLS handshake fails http://pastebin.ca/1488830
16:01 < elenril> can i somehow let it connect anyway so i can reconfigure it?
16:02 < abel408> krzie: I completely turned off my firewall and was not able to solve my problem :(
16:02 < krzie> elenril i need your server logs
16:02 < krzie> your client log doesnt say whats wrong
16:03 < elenril> krzie: that's server log
16:03 < elenril> i don't have access to the client, that's the whole problem
16:03 < krzie> oh so it is
16:04 < elenril> http://pastebin.ca/1488839 << my server config
16:05 < krzie> im sure i need the client config then
16:05 < krzie> err client log i mean
16:05 < elenril> i wish i could get that
16:05 < krzie> well, theres not enough info to help you
16:06 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
16:06 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
16:07 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
16:07 < elenril> :(
16:10 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
16:14 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-8816c8fe53ca4492] has quit ["Page closed"]
16:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:32 < sander_> What does ./revoke-full do?
16:41 < krzie> creates a CRL
16:43 < krzie> see --crl-verify in the manual for more info
16:43 < krzie> !crl
16:43 < vpnHelper> krzie: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
16:43 < vpnHelper> krzie: that will create the CRL file for you.
ssl-admin will also build a crl for you
16:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
17:02 -!- Sloan_ [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn
17:02 -!- Sloan [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit [Read error: 104 (Connection reset by peer)]
17:06 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
17:51 < sander_> krzie, in which manual?
17:51 < krzie> !man
17:51 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
17:52 < sander_> What does CN stand for? Common name?
17:52 < krzie> yes
17:52 < sander_> And what is it supposed to mean?
17:52 < sander_> What kinda text strings should I use as common name?
17:52 < krzie> you gave each cert a common name when making the cert
17:53 < krzie> it should be unique to the cert you are making
17:53 < sander_> even the server cert?
17:53 < krzie> identifies the machine using it
17:53 < sander_> Ok
17:53 < krzie> EVERY cert has a common name
17:54 < krzie> but the server cert has 1 extra thing
17:54 < krzie> !mitm
17:54 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
17:54 < krzie> !servercert
17:54 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm
17:57 -!- Ypsy is now known as YpsyZNC
17:57 < sander_> Yeah.. i'm using ns-cert-type already
17:58 < krzie> cool
17:58 < sander_> Almost done with a script which generates client/server certs from scratch using openssl :-)
17:58 < krzie> !ssl-admin
17:58 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
17:58 < krzie> that script exists ;]
17:58 < sander_> Yeah. But mine is better I believe
17:58 < krzie> oh so you've looked at that?
17:58 < sander_> Yep
17:58 < krzie> it was made by one of our ops here
17:59 < krzie> so what suggestions would you have for him for the script then?
17:59 < sander_> Well.. My script is done in bash.. not in perl
17:59 < krzie> that somehow matters?
17:59 < sander_> its made to replace pkitool
18:00 < krzie> so what suggestions would you have for him for the script then?
18:00 < sander_> I've actually never tried to run ssl-admin.
18:00 < krzie> thats what i thought
18:00 < sander_> I've only looked at the code
18:01 < sander_> Got some installation errors.. so I just skipped it.. Maybe I should look at it again
18:01 < krzie> linux?
18:01 < sander_> Yep
18:01 < sander_> debian
18:01 < krzie> i made that weak attempt at getting it to install in linux
18:02 < krzie> i should learn howto make a Makefile sometime ;]
18:05 < sander_> The wheel group doesn't exist on linux
18:05 < sander_> so I had to create it.. to make it work
18:05 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:07 < sander_> krzie, I got one improvement
18:07 -!- troy- is now known as troy
18:08 -!- |ns|nR8 [n=doof@124.179.89.69] has joined ##openvpn
18:08 < sander_> krzie, To make the ssl-admin script so you can do everything from a single command.
18:08 < sander_> krzie, instead of a menu based config
18:09 < sander_> krzie, that way its easy to generate lots of certs from a script
18:09 < sander_> If I want to generate 20 client certs.. I dont want to push a button 20*5 times
18:10 < sander_> And thats one thing my script does
18:10 < krzie> cool
18:11 < krzie> seems easier to add a cli option to that script to call the functions than to rebuild the wheel, but feel free
18:12 < sander_> I'm already done with it.. just missing revoking of certs and maybe a few other small things
18:12 < sander_> Another improvement.. is that you only should set a password once for every session
18:31 < krzie> what do you mean
18:32 < sander_> You get asked for a password twice.. when you generate the ca.. and when you generate the client cert
18:32 < sander_> There should be enough to ask once
18:32 < krzie> only if you had set a pw on the ca key
18:33 < krzie> and if you want to set a pw on the client key
18:33 < krzie> which should NOT be the same
18:33 < krzie> so no, you should NOT only enter it once
18:33 < sander_> Hm.. Ok!
18:33 < krzie> that pw makes the key inaccessible from the local machine without the pw
18:58 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)]
19:01 < reiffert> I were switching from bridged setup to routed setup.
19:02 < krzie> s/were/am/ ?
19:02 < krzie> either am or was, depending on tense
19:02 < reiffert> unfortunately the damn fucking gateway in place doesnt send icmp redirect messages that often.
19:02 < reiffert> what happens then is, that connection establishments fail as this damn fucking gateway in place swallows the returning SYN-ACKs
19:03 < reiffert> I was.
19:03 < reiffert> It's a fortinet fortigate 100A
19:04 < reiffert> sigh.
19:04 < krzie> hrm
19:04 < krzie> ive never heard of anything remotely similar to that
19:04 < reiffert> 192.168.0.0/24
19:04 < reiffert> .1 is the fortinet/gateway
19:04 < reiffert> .215 is the openvpn gateway
19:05 < reiffert> 0.1 gets a static route: 192.168.1.0/24 192.168.0.215
19:05 < reiffert> which ends in sending icmp redirect messages to hosts from 0.0/24 subnet trying to communicate with 1.0/24 hosts
19:05 < reiffert> ever saw such?
19:06 < krzie> ohhh ok so the connection did get made
19:06 < krzie> you're on to !route stuff now
19:06 < krzie> .1.x is the other lan on other side of ovpn...?
19:06 < krzie> so you're connecting 2 lans, right?
19:06 -!- bandinia [n=bandini@host151-110-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
19:07 < reiffert> ja
19:07 < krzie> whats the vpn subnet?
19:07 < reiffert> 10.8.
19:07 < krzie> ok
19:07 < krzie> and that router also has a route to 10.8 via .0.215 ?
19:08 < krzie> btw 215 is a favorite number of mine =]
19:08 < reiffert> he doesnt need to.
19:08 < reiffert> and it doesnt matter if he has or not, tried either way.
19:08 < krzie> do it anyways, i want to see if you can ping a 10.8 ip
19:08 < reiffert> I can ping.
19:08 < krzie> the router on the other side has a similar route for .1.x?
19:09 < reiffert> The router on the other side is my pentium 1 -233Mhz running Linux, it behaves fine.
19:09 -!- troy is now known as troy-
19:09 < krzie> you said you can ping, what can you ping?
19:09 < reiffert> everything.
19:09 < krzie> erm
19:10 < krzie> so ping works and tcp doesnt?
19:10 < reiffert> ping works and tcp works when that fortigate machine 192.168.0.1 sends an icmp redirect message as it should.
19:11 < krzie> why should it be sending an icmp redirect?
19:11 < krzie> shouldnt it simply route the packets?
19:11 < reiffert> think!
19:11 < reiffert> 0.215 is on the same subnet
19:12 < reiffert> no icmp redirect message:
19:12 < reiffert> gserve:~ root# traceroute -I -n 192.168.1.110
19:12 < reiffert> traceroute to 192.168.1.110 (192.168.1.110), 64 hops max, 60 byte packets 1 192.168.0.1 0.792 ms 0.297 ms 0.278 ms 2 192.168.0.215 0.423 ms 0.423 ms 0.407 ms 3 10.8.0.6 49.589 ms 48.212 ms 48.080 ms 4 192.168.1.110 48.101 ms 52.155 ms 48.175 ms
19:12 < reiffert> gserve:~ root#
19:12 -!- bandini [n=bandini@host5-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
19:12 < reiffert> fuck.
19:12 < reiffert> traceroute to 192.168.1.110 (192.168.1.110), 64 hops max, 60 byte packets
19:12 < reiffert> 1 192.168.0.1 0.792 ms 0.297 ms 0.278 ms
19:12 < reiffert> 2 192.168.0.215 0.423 ms 0.423 ms 0.407 ms
19:12 < reiffert> 3 10.8.0.6 49.589 ms 48.212 ms 48.080 ms
19:12 < reiffert> 4 192.168.1.110 48.101 ms 52.155 ms 48.175 ms
19:12 < reiffert> with icmp:
19:12 < reiffert> 1 192.168.0.215 0.968 ms 0.275 ms 0.245 ms
19:12 < reiffert> 2 10.8.0.6 52.798 ms 48.027 ms 52.219 ms
19:12 < reiffert> 3 192.168.1.110 48.095 ms 48.140 ms 48.383 ms
19:13 < krzie> very interesting
19:13 < krzie> im out of my element with that one
19:14 < reiffert> however, tcp fails as fortigate is eating SYN-ACK's
19:14 < krzie> maybe some sort of passthrough option
19:15 < Dougy[home]> can someone ping 64.18.128.134 like 50 times
19:15 < Dougy[home]> tell me if you see weird spikes / packet loss
19:16 < krzie> pinging
19:16 < krzie> VERY little jitter from ircpimps.org
19:16 < Dougy[home]> i got a few complaints of quadrupled latecy
19:16 < Dougy[home]> latency
19:16 < Dougy[home]> and other stuff
19:16 < krzie> like the perfect voip connection between those 2
19:16 < krzie> my side is san diego
19:17 < Dougy[home]> hm
19:17 < reiffert> krzie: been there, it just sucks. ever see a fortigate?
19:17 * Dougy[home] tests from nyc
19:17 < krzie> --- 64.18.128.134 ping statistics ---
19:17 < krzie> 50 packets transmitted, 48 packets received, 4% packet loss
19:17 < krzie> round-trip min/avg/max/stddev = 69.487/69.840/71.651/0.346 ms
19:17 < Dougy[home]> 4% loss
19:17 < Dougy[home]> hmm
19:17 < krzie> look at that stddev too tho
19:18 < krzie> thats savage non-jitter
19:18 < Dougy[home]> dont even know what that is to be honest
19:18 < reiffert> Dougy[home]: http://snap.reifferscheid.org/1247098689.png
19:18 < krzie> the amount of change between round trip times
19:18 < Dougy[home]> krzie, wanna run a mtr for me
19:18 < krzie> i dont have mtr, it depends on too much BS gui shit
19:18 < Dougy[home]> redfox, you are the bomb
19:18 < Dougy[home]> er
19:18 < Dougy[home]> reiffert,
19:18 * Dougy[home] tab fail
19:20 < reiffert> krzie: 02:20:08.183451 IP 192.168.0.1 > 192.168.0.19: ICMP redirect 192.168.1.110 to host 192.168.0.215, length 72
19:21 < tjoff> !route
19:21 < vpnHelper> tjoff: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:21 < krzie> reiffert, oh i see why, so it doesnt need to waste cpu on redirecting every packet itself
19:22 < krzie> it can let the traffic skip it and just travel over the switch by sending a icmp redir
19:22 < krzie> gotchya
19:23 < reiffert> jup
19:24 < Dougy[home]> ahaha
19:27 < reiffert> krzie: I was trying to add virtual interfaces to fortigate and openvpn gateway, but that was just wasted time as nothing ever changed.
19:28 < reiffert> means ping/traceroute showed up that virtual if's, but still fortigate to eat SYN-ACKs and sending icmp redirects much too spare.
19:36 < krzie> are IOS firewalls first match or last match?
19:43 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
19:43 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
19:51 -!- |ns|nR8 [n=doof@124.179.89.69] has quit [Read error: 104 (Connection reset by peer)]
19:52 < tjoff> http://privat.bahnhof.se/wb895093/ovpnh/ovpnh.txt anyone got a clue as to what I've done wrong?
19:53 < krzie> laptop is the vpn client inside LAN2, right
19:53 < krzie> ?
19:54 < krzie> oh it looks like thats a no, and also your problem
19:54 < krzie> but ill wait for your answer to go on
19:54 < tjoff> I'm trying to bridge the two LANs, the laptop is just residing on LAN2
19:55 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Read error: 104 (Connection reset by peer)]
19:55 < krzie> ok so laptop is just a machine on lan2, no direct connection to the vpn
19:55 < tjoff> yep
19:55 < krzie> have you made any new routes on your router?
19:56 < krzie> the default gateway for the lan
19:57 < krzie> push "route 10.8.0.0 255.255.255.0"
19:57 < krzie> that is redundant, can be removed
19:57 < krzie> it is already happening because of --server
19:57 < krzie> wtf is ifconfig 10.8.0.2 10.8.0.3
19:58 < tjoff> I've read that that was needed to specify (if one wanted to) the endpoints of a tunnel
19:58 < krzie> no, the ifconfigs will happen as they should from --server
19:58 < krzie> remove that line
19:58 < tjoff> ok
19:59 -!- p3ri0d [i=p3ri0d@200.2.149.236] has joined ##openvpn
19:59 < krzie> sup p3ri0d
19:59 < krzie> i have a couple more things to say after we get you up and working
19:59 < krzie> so first...
19:59 < krzie> have you made any new routes on your router?
20:00 < p3ri0d> DONE WITH MY EXAMS!!
20:00 < p3ri0d> :D
20:00 < p3ri0d> you?
20:00 < krzie> congrats brutha
20:00 < krzie> im just chillen
20:00 < krzie> gunna script up the setup of my hackintosh machines im selling
20:00 < tjoff> not sure, well - other than those specified in the server.conf I haven't added any - but the openvpn client is a router (WRT54GL running openwrt) so dunno if that already had any additional routes
20:00 < krzie> so it'll be install, run script, done
20:01 < krzie> oh ok if the client is the router you are cool for that lan
20:01 < krzie> did you tell that router to accept packets in the firewall from the 2 new source addresses?
20:02 < Dougy[home]> ecrist, poke
20:02 < krzie> being 10.8.0.x and 192.168.5.x
20:02 < tjoff> I've added these lines:
20:02 < tjoff> #iptables -A INPUT -i tun+ -j ACCEPT
20:02 < tjoff> #iptables -A FORWARD -i tun+ -j ACCEPT
20:02 < krzie> also, i see this: remote 192.168.100.223 1194
20:02 < krzie> are these on the same lan?
20:03 < tjoff> yeap both the server and client are on that (192.168.100.0) lan (temporarily)
20:03 < krzie> well, that could be your problem
20:03 < tjoff> oh
20:04 * Dougy[home] arp poisons ##openvpn
20:04 < tjoff> I could move the server to an external ip, worth a shot?
20:04 < krzie> you can run openvpn on the same lan np (can be used to secure wifi for example) but funny stuff can start to happen when you start playing with routes
20:04 < krzie> yes, worth a shot for sure
20:04 < tjoff> ok, brb
20:04 < krzie> dougy, i'd be using a static route but you play with the setup too much and i dont wanna go down when you put me in a diff port
20:05 < krzie> err static arp i mean
20:05 < krzie> (on your lan)
20:08 -!- Hink is now known as LowValueTarget
20:11 < tjoff> doesn't seem to be any difference after moving the server to an external ip
20:11 < krzie> server still cant ping laptop?
20:12 < tjoff> nope
20:12 < krzie> but it can ping client?
20:12 < tjoff> yeah
20:12 < krzie> do this:
20:12 < krzie> run tcpdump on the server, tun interface of client, and laptop
20:12 < krzie> then ping laptop from server
20:12 < krzie> only need type icmp
20:14 < krzie> oh when i say server i mean tun interface there too
20:14 < krzie> we're looking for where it gets stopped
20:14 < krzie> whether the ping makes it to laptop, and if so where the response makes it to
20:15 < tjoff> I don't think tcpdump is available on the openvpn client :\
20:15 < krzie> sure it is, you need to go get it
20:15 < krzie> others with openwrt have used it before...
20:16 < tjoff> ok :)
20:20 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:20 < tjoff> ehum, I don't have space for it :o and all I've installed so far is openvpn (new versions of the router have less memory :()
20:20 < thedoc> Dougy, ping!
20:20 < krzie> ok well i guess run it on the other 2
20:21 < thedoc> krzie:)
20:21 < krzie> if it gets to laptop and laptop replies, but reply doesnt get to server, we know its at the router
20:21 < krzie> wassup doc
20:21 < thedoc> new servers:)
20:22 < tjoff> and the laptop runs XP :P tcpdump on server doesn't see anything if I'm pinging it from the though
20:23 < tjoff> I could install ethereal on it though
20:24 < tjoff> *pinging it from the laptop
20:27 < krzie> wireshark for the laptop
20:27 < krzie> with a filter for icmp
20:32 < tjoff> ok, nothing from the laptop arrives at the server and nothing from the server arrives to the laptop
20:34 < krzie> so your router is blocking stuffs
20:35 < krzie> oh wait a sec
20:35 < krzie> in your ccd
20:35 < krzie> ifconfig-push 10.8.0.2 10.8.0.1
20:35 < krzie> remove that
20:35 < krzie> that has no business there
20:35 < tjoff> heh oki
20:39 < tjoff> made no difference (except for that the client got another IP)
20:43 < tjoff> iptables -I INPUT -j ACCEPT
20:43 < tjoff> iptables -I FORWARD -j ACCEPT
20:43 < tjoff> adding those lines to the client did it :)
20:43 < krzie> werd
20:44 < krzie> so its good now?
20:45 < tjoff> yeah, just need to find out which rules blocked the traffic before but openvpn works perfectly :)
20:45 < tjoff> thanks a lot
20:45 < krzie> yw
20:49 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection]
20:53 -!- p3ri0d [i=p3ri0d@200.2.149.236] has quit ["Leaving"]
21:18 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:19 < sander_> Thu Jul 9 04:16:28 2009 0: Unrecognized option or missing parameter(s) in client.conf:16: client
21:19 < sander_> Thu Jul 9 04:16:28 2009 1: Use --help for more information
21:19 < sander_> I get the error message when I start the client openvpn like this: openvpn --config client.conf
21:20 < sander_> My client.conf looks like this: http://pastebin.ca/1489090
21:20 < sander_> Anyone know whats wrong with the config file?
21:21 < Dougy[home]> grrrrrrr
21:21 < Dougy[home]> !configs
21:21 < vpnHelper> Dougy[home]: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:21 < Dougy[home]> sander_, follow vpnHelper's advice
21:21 < Dougy[home]> then link to pastebin'd file after doing so
21:22 < sander_> ok
21:22 < sander_> http://pastebin.ca/1489095
21:23 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit []
21:23 < Dougy[home]> hm
21:23 < Dougy[home]> !howto
21:23 < vpnHelper> Dougy[home]: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:24 < Dougy[home]> er
21:24 < Dougy[home]> !man
21:24 < vpnHelper> Dougy[home]: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:24 * Dougy[home] click
21:25 < Dougy[home]> what v are you using
21:25 < sander_> OpenVPN 1.4.3
21:26 < Dougy[home]> old wtf
21:26 < Dougy[home]> why so old
21:26 < sander_> Oops
21:26 < sander_> Hmm. Let me check it up
21:28 < sander_> Seems like I had an old version of openvpn laying around in /usr/local/sbin/openvpn
21:28 < sander_> Cool.. the error disappeared now
21:29 < Dougy[home]> what version do you have now
21:29 < sander_> OpenVPN 2.1_rc11
21:29 < Dougy[home]> voila
21:30 < sander_> Thanks :-)
21:33 < sander_> Dougy[home], now this is happening: http://pastebin.ca/1489104
21:33 < Dougy[home]> cant say i have ever seen that one before
21:34 < sander_> Hehe.. I think its because of my script
21:36 < tjz> hmm
21:36 < tjz> why not use OpenVPN 2.1_rc18
21:36 < tjz> :D
21:36 < sander_> Because I use debian lenny.. And dont see the point installing from source or backports
21:37 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
21:37 < tjz> don't think it will affect you with the rc18
21:37 < tjz> :)
21:37 < sander_> Are there a lot of things which are fixed or new in 2.1_rc18?
21:37 < tjz> actually rc11 will works 21:37 < tjz> fix for windows etc 21:38 < tjz> if you are just using linux, shouldn't be much problem 21:38 < tjz> you can read the changelog for details 21:45 -!- Sloan_ [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit [Read error: 104 (Connection reset by peer)] 21:58 < Dougy[home]> hii tjz 22:03 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn 22:13 -!- Sloan [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has joined ##openvpn 22:13 < Sloan> hi again everyone 22:27 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 22:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 22:34 < Dougy[home]> thedoc, they seem to have messed it up i think 22:34 < Dougy[home]> nope, apparently not 23:22 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Ex-Chat"] 23:26 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 23:27 < ksnp> anyone know how make the openvpn server as a NAT to reach the server side LAN without using static routes in the router/gateway 23:34 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" Want to be different? Try HydraIRC -> http://www.hydrairc.com <-"] 23:42 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Read error: 110 (Connection timed out)] --- Day changed Thu Jul 09 2009 00:08 < sander_> http://pastebin.ca/1489237 <-- I'm trying to start a client and a server.. and ping between them.. but I get 100% packetloss.. here are both the client and server output. 00:09 < sander_> Anyone know what could be wrong? 00:11 < ecrist> Dougy: pong 00:16 * ecrist goes to bed. 
00:36 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has joined ##openvpn 01:00 -!- tororm [n=m@123-243-52-165.tpgi.com.au] has joined ##openvpn 01:01 < tororm> !route 01:01 < vpnHelper> tororm: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 01:07 -!- mnm [n=quassel@c-71-194-110-41.hsd1.il.comcast.net] has quit [Remote closed the connection] 01:13 -!- tororm [n=m@123-243-52-165.tpgi.com.au] has quit [] 01:16 -!- zheng [n=zheng@222.66.224.106] has joined ##openvpn 01:19 < zheng> Can openvpn support udp proxy? 01:27 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 01:28 -!- master_of_master [i=master_o@84.157.58.76] has joined ##openvpn 01:39 -!- master_o1_master [n=master_o@84.157.53.55] has quit [Read error: 110 (Connection timed out)] 01:41 -!- Advo [n=AdvoHome@unaffiliated/advo] has joined ##openvpn 01:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:41 < reiffert> krzie: passing fortigate: SYN, SYN ACK, but not the following ACK. 02:41 -!- oligo [n=oligo@vps257.xlshosting.net] has left ##openvpn [] 02:43 < thedoc> reiffert, via a http tunnel? 02:44 < reiffert> happens with static routing. 02:45 < reiffert> no openvpn, no http tunnel involved. 02:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:47 < thedoc> Your fortigate is broken:) 02:48 < reiffert> I'm trying to explain that to my customer since yesterday. "But it was working without any problem for years" :) 02:48 < thedoc> reiffert, but people work for years and they die suddenly! people should not die:) 02:49 < thedoc> reiffert, bring a new fortigate down to them and prove it? 02:50 < reiffert> let's try a recent software upgrade first. 02:50 < thedoc> reiffert, but that wouldn't explain why it would drop part of a 3 way handshake process. 
02:52 < reiffert> why wouldn't it?
02:52 < thedoc> reiffert, presuming that nothing has changed
02:53 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn
03:01 < smellynoser> exit
03:01 -!- smellynoser [n=ashley@87-194-183-38.bethere.co.uk] has quit ["leaving"]
03:02 < reiffert> id=20085 trace_id=50 msg="vd-root received a packet(proto=6, 192.168.0.19:63508->192.168.1.110:22) from internal."
03:02 < reiffert> id=20085 trace_id=50 msg="Find an existing session, id-00003859, original direction"
03:02 < reiffert> id=20085 trace_id=50 msg="replay packet, drop"
03:07 -!- kyrix [n=ashley@91-115-178-117.adsl.highway.telekom.at] has joined ##openvpn
03:19 -!- |ns|nR8 [n=doof@CPE-138-130-109-78.nsw.bigpond.net.au] has joined ##openvpn
03:24 < thedoc> Question here, if anyone knows.
03:25 < thedoc> Can I copy a ca.crt to another server if I'm doing a migration and I don't want to recreate the server keys?
03:26 < dazo> thedoc: yes you can
03:26 < thedoc> Excellent, thank you daz:)
03:26 < thedoc> dazo, just as long as the keys are kept secret yes?
03:27 < dazo> thedoc: if you are migrating a server, you can copy all server keys over .... but ... the best way, is to just create a new pair of server keys, with the same CA ... it will still work then
03:27 < thedoc> dazo, I have to let all the users use the new ca.crt in that case.
03:27 < dazo> thedoc: yeah, keep secret keys secret ... ;-)
03:27 < thedoc> Pushing it downstream --HAHA, can be a problem :)
03:28 < dazo> thedoc: no no! You have 2 server keys, kind of ..... 1 key is for the CA, which is the most holy of all keys .... then you have openvpn server keys, and the openvpn certificates are signed by the CA keys
03:28 < thedoc> ahh
03:30 < dazo> thedoc: so that's why you can create new openvpn server certificate and keys, and by using the same CA ... it will work without any problems .... when you then turn off the old OpenVPN server, you can revoke the certificate for that old server - which renders it useless
03:30 < dazo> (if you have configured CRL)
03:31 < thedoc> dazo, client wise, I have to send them the new ca.crt files which is generated right?
03:31 < dazo> thedoc: only if you generate or replace the CA .... if the CA remains the same, nothing needs to be changed on the clients
03:32 < thedoc> dazo, ahh, ok
03:32 < thedoc> thank you for clarifying
03:32 < dazo> actually .... the CA keys should be located on a box which is off-line .... that way, you are sure that nobody hacks in and creates new certificates with your CA
03:33 < dazo> ca.crt can be publicly downloadable, if you want .... but the CA keys, are the most sacred keys of all keys
03:33 < dazo> the CA is the third party in a PKI ... whose role is to approve that the certificate and keys used are from a known server or client
03:34 < thedoc> yes..
03:34 * thedoc is mucking around with openvpn-as
03:35 < thedoc> dazo, the ca keys are the ca.key file right?
03:35 -!- kyrix [n=ashley@91-115-178-117.adsl.highway.telekom.at] has quit [Remote closed the connection]
03:35 < dazo> thedoc: yeah
03:36 < thedoc> dazo, got it. thanks for explaining:)
03:36 < dazo> thedoc: you're welcome :)
03:49 -!- kyrix [n=ashley@91-115-178-117.adsl.highway.telekom.at] has joined ##openvpn
03:51 < dazo> thedoc: http://www.slideshare.net/smaret/introduction-to-pki-technology ... from slide 121, you get a pretty good explanation of PKI and the CA role, and how CRL works as well
03:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
03:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:57 -!- zheng [n=zheng@222.66.224.106] has quit ["Leaving"]
04:01 < thedoc> dazo, thank you.
I'll take a look at that 04:01 -!- ashley_ [n=ashley@dsl-82-184.utaonline.at] has joined ##openvpn 04:04 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 04:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:11 -!- kyrix [n=ashley@91-115-178-117.adsl.highway.telekom.at] has quit [Read error: 104 (Connection reset by peer)] 04:21 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Connection timed out] 04:26 -!- Marquel [n=Flinx@port-14967.pppoe.wtnet.de] has joined ##openvpn 04:26 < Marquel> morning 04:27 < Marquel> dazo: i'm back with an update: my isp changed my account and it works again. at least via umts... 04:27 -!- ashley_ [n=ashley@dsl-82-184.utaonline.at] has quit [Read error: 110 (Connection timed out)] 04:27 < dazo> Marquel: morning! :) Good news! :) 04:28 < Sloan> morning 04:28 < dazo> Marquel: do you know what they had done with your account? 04:28 < Marquel> dazo: and the other provider(TM) which it doesn't work with will change the main router by tomorrow... 04:29 -!- ashley_ [n=ashley@91-115-178-117.adsl.highway.telekom.at] has joined ##openvpn 04:29 < Marquel> dazo: nope. i can only guess our secretary of censorship^Wfamily mrs. Ursula von der Leyen forced them to dislike my running bittorrent-client ;) 04:30 < dazo> heh 04:30 < Marquel> unluckily for her i do not intend to stop it. 04:40 < Marquel> i hope my vpn will still work at my gf's provider... 04:42 < Sloan> dazo 04:45 < dazo> Sloan: yeah? 04:47 < Sloan> do you happen to know an easy way to test if subnet routing is working correctly without actually needing to be at another computer on the other end? 04:48 < dazo> ping? 04:48 < dazo> tcptraceroute? 
04:48 < Sloan> ok let me rephrase 04:48 < Sloan> i mean without another client actually being connected 04:48 < Sloan> for example 04:48 < Sloan> i have a subnet behind my server 04:48 < Sloan> and i am physically at the server 04:49 < Sloan> but the people who will be clients are computer illiterate 04:49 < Sloan> and i cant have their computers connected in order to test 04:49 < Sloan> i *think* i have everything set up correctly 04:49 < Sloan> just no way to test without having somebody connect 04:50 < Sloan> that i know of 04:50 -!- ashley_ [n=ashley@91-115-178-117.adsl.highway.telekom.at] has quit ["Leaving"] 04:51 < Bushmills> and so? if nobody connects, you don't need a VPN 04:52 < Sloan> ok nevermind 04:52 < Sloan> i'll figure it out on my own 04:52 < Sloan> thanks 04:52 < Sloan> sorry to bother 04:54 < dazo> Sloan: sorry, got a call .... and will have another call soon again 04:54 < Sloan> no problem don't worry about it :) 04:55 < dazo> Sloan: to test it and to be very sure, you in general need to connect from the "outside" 04:55 < Sloan> i thought as much 04:55 < Sloan> thanks for your time dazo 04:55 < dazo> Sloan: if you have access to a box on the internet with openvpn installed, that's probably the easiest way how to do it 04:56 < Sloan> roger that 04:57 < dazo> Sloan: it's not easy to test this from the inside at all, since you need pretty complex routing and some tweaking on your openvpn server, adding another network segment which your "inside" computer will use .... but it's more a hassle and can break your initial setup, or even give you a false validation 04:57 < thedoc> < ccna, coming np for hire :) 04:58 < thedoc> can deal with ospf/eigrp/isis:) 04:58 -!- Super_Cat_Frog [n=bob@87.194.183.38] has quit [Remote closed the connection] 04:58 < Sloan> dazo: thank you, i'll work with it. not really a necessary feature, but it would be nice to have. 05:03 < dazo> Sloan: and for the record ... 
your question is not silly or stupid or anything like that .... this is something most people who implement VPN solutions struggles with from time to time ... how to be sure it really works :) 05:05 < Sloan> dazo: well it is a little stupid - obviously the best way would be to test from an outside connection - however as that really isn't an option at the moment, here we are. Just hoping to make sure it works before everyone needs to connect to the server. That would be nice, haha. 05:07 < dazo> Sloan: exactly :) I've been there many times, myself .... and then I began to setup a couple of boxes which I can access via SSH on the net ... that has been as saver for me :) .... Is it possible for you to test this via a mobile Internet connection? (GPRS/UMTS) 05:07 * dazo just trows out some ideas into the air 05:08 < Sloan> i really don't have access to anything but the server and one computer behind the server's subnet 05:12 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: master_of_master, tompaw, Dougy, solvik, pa, Kreg-Work, freaky[t], redfox, elenril 05:12 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: bandinia, _impuls, thermoman, tjoff, MadTBone, Advo, krzie, qknight, davidisko, code-, (+46 more, use /NETSPLIT to show all of them) 05:13 -!- Netsplit over, joins: pa, freaky[t], solvik, redfox, Dougy, Kreg-Work, tompaw, master_of_master, Advo, thedoc (+24 more) 05:13 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn 05:13 -!- Netsplit over, joins: Marquel, tjoff, nemysis, |ns|nR8, rodpod, polaru, SuperEvilDeath, Sloan, bandinia, sigius (+20 more) 05:15 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:16 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:16 -!- davidisko [i=davidisk@nte.sk] has quit [Remote closed the connection] 05:17 -!- davidisko [i=davidisk@nte.sk] has joined ##openvpn 05:29 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tompaw, Dougy 05:29 -!- Netsplit 
verne.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, solvik, Marquel, pa, Kreg-Work, chinsan_, freaky[t], redfox, dazo, (+2 more, use /NETSPLIT to show all of them) 05:29 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: bandinia, _impuls, thermoman, tjoff, Advo, krzie, qknight, davidisko, code-, |Mike|, (+40 more, use /NETSPLIT to show all of them) 05:30 -!- Netsplit over, joins: davidisko, Pagautas, plundra, reiffert, APTX|, HardDisk_WP, qknight, kaii, tarbo2, worch (+54 more) 06:23 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn 06:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:28 -!- Sloan [i=Sloan@r74-192-170-187.gtwncmta01.grtntx.tl.dh.suddenlink.net] has quit ["Leaving"] 06:37 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Client Quit] 07:00 -!- |ns|nR8 [n=doof@CPE-138-130-109-78.nsw.bigpond.net.au] has quit [Remote closed the connection] 07:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 07:11 < _impuls> Hello guys! 07:11 < _impuls> If I use vpn over TCP I only need one open port instead of the 3 with UDP, right? 07:13 < thedoc> openvpn uses only 1 port. 07:13 < _impuls> thedoc: do you happen to know how it is with cisco's? 07:14 < _impuls> I'm talking of the client -only one open outbound port 07:14 < thedoc> Try #Cisco 07:15 < _impuls> thx 07:39 < dazo> _impuls: openvpn still only uses one port, not matter how you twist it .... 3 ports do not sound like openvpn at all 07:48 -!- YpsyZNC is now known as Ypsy 07:59 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 08:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 08:24 < MadTBone> Sorry if this was already answered...I was away for the night and my IRC client's scrollback buffer overflowed since I posted... 08:24 < MadTBone> Client (WinXP SP3 - OpenVPN 2.0.9) can connect, but can't ping server (Linux 2.6.29 - OpenVPN 2.0.9)... 
anyone see the problem? -- logs, configs, and iface/routes as requested in topic: http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407
08:27 -!- straterra [n=straterr@fuhell.com] has left ##openvpn []
08:35 < sander_> http://pastebin.ca/1489237 <-- I'm trying to start a client and a server.. and ping between them.. but I get 100% packet loss.. here are both the client and server output.
08:44 < Marquel> sander_: did you activate both interfaces? does the firewall on both sides accept packets from them and allow sending to them?
08:46 < ecrist> sander_: have you checked your firewall?
08:46 < sander_> Marquel, how do I activate both interfaces?
08:46 < Marquel> sander_: ifconfig up
08:47 < sander_> actually.. I think I have the input policy set to DROP in the firewall.. so I guess that's the problem :-)
08:47 < Marquel> which ifname is in the logs of openvpn starting (at least at log level 3 or greater)
08:47 < Marquel> yep.
08:48 < ecrist> MadTBone: have you checked the firewall?
08:49 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
08:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:58 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn
08:59 -!- nogo [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn
09:00 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)]
09:04 -!- cpm_ is now known as cpm
09:05 -!- zheng [n=zheng@114.92.132.65] has joined ##openvpn
09:05 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Read error: 54 (Connection reset by peer)]
09:14 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
09:16 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Client Quit]
09:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:30 -!- j3g [n=andrer@200.130.18.1] has quit ["Lost terminal"]
09:31 < sander_> ecrist, how can I check that my firewall ain't blocking the pings
09:32 < sander_> Marquel, The ifconfig interfaces are up
09:33 < sander_> ..and I had a line in my firewall that enabled all incoming packets.. so the input drop policy ain't the problem.
09:34 < Marquel> sander_: does this line apply to all interfaces?
09:34 < Marquel> sander_: and then do you allow outgoing packets on the interfaces in question?
09:35 < sander_> Marquel, actually.. that's not the case. let me check it up
09:36 < sander_> Marquel, thanks a lot.. sweet.. now it works :-)
09:44 -!- zheng [n=zheng@114.92.132.65] has quit ["Leaving"]
09:58 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
10:07 < sander_> Now i'm pretty much done with a script which automatically generates certs for a client/server setup: http://frekk.linux.dk/gen_certs-0.1.tgz
10:07 < sander_> Anyone want to try it out, and give me some feedback on it?
10:08 < sander_> Its very easy to use 10:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:11 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has joined ##openvpn 10:16 < sander_> http://frekk.linux.dk/gen_certs/README <-- Its this easy to use 10:17 -!- Marquel [n=Flinx@port-14967.pppoe.wtnet.de] has quit [Remote closed the connection] 10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:37 -!- pronoy [n=pronoy@unaffiliated/pronoy] has joined ##openvpn 10:39 < pronoy> i have a question regarding the application of OpenVPN. Suppose say I require a connection to the internet from a location X and am unable to do so (for a certain reason) so can i connect through my home PC using OpenVPN ? 10:39 < pronoy> !howto 10:39 < vpnHelper> pronoy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:43 < pronoy> anyone ? 10:43 < sander_> pronoy, I didnt get what you where saying. 10:45 < pronoy> sander_: suppose i want to connect to internet and am stuck behind a firewall or something like that so can i use OpenVPN to connect the internet...? 10:45 < pronoy> as in connect to my home first and then route it to the internet 10:45 < sander_> Can you only reach some IP's? 10:46 < sander_> You can reach your home computer, but not the internet? 10:46 < pronoy> have you heard of cyberroam ? 10:46 < sander_> no 10:47 < pronoy> ok its a piece of software that restricts internet usage so tunnelilng through that using openvpn and then connecting to my home is what i meant 10:48 < sander_> Yes. That should work 10:48 < pronoy> and one more thing once the connection to the home pc is established is it dedicated and secure ? 10:49 < sander_> What do you mean with dedicated? 
10:51 < pronoy> as in under what circumstances can that connection be terminated apart from removing the actual link to the transmission media
10:51 < sander_> It's at least secure
10:51 -!- C4colo [n=DJpyro@66.185.111.33] has joined ##openvpn
10:51 < C4colo> morning ... this is my first time setting up openvpn using tap / bridge interfaces ... the odd thing is that server-client ping/ssh works fine, server-localnet pings work to
10:52 < C4colo> morning ... this is my first time setting up openvpn using tap / bridge interfaces ... the odd thing is that server->client ping/ssh works fine, server->localnet ping/ssh works too ... but client to localnet doesn't talk
10:53 < C4colo> arp packets on the local net show up on the server's br0 but not out to the client, and client arp packets show up on the server's br0 but not out to the network
10:55 < C4colo> although this could be an issue with the switch/lan past the server since I have tried to ping a client IP from another system on the lan and the arp never gets to the server's br0 nor the client ... so the network doesn't know to send the arp to the server's bridged interface for some reason
10:57 < sander_> C4colo, have you checked your firewall settings?
10:57 < C4colo> I've been working on this for two days, reading the faq, the bridge mini-howto and all that, really trying to figure this out. I've wiresharked the hell out of it and still have no idea why the bridge isn't getting basic arp packets for the client IP addresses. The bridge's interface address is pingable from the network, but none of the clients, even though the interface with the addresses bridged to it should be advertising for the tap addresses (alth
10:57 < C4colo> ough it's not getting the ARP from what I can tell)
10:57 < C4colo> yea, iptables -F (for testing)
10:58 < C4colo> I have all the br0 and tap0 iptables rules in there, but just to make sure I killed iptables
10:58 < C4colo> selinux is disabled
10:59 < sander_> have you checked your openvpn logs?
10:59 < C4colo> no errors
11:00 < sander_> is the default input policy set to ACCEPT?
11:00 < C4colo> yes
11:01 < C4colo> right now all iptables rules are flushed and default accept
11:03 < sander_> The bridge's interface address is pingable from the network, but none of the clients <-- What do you mean with this?
11:03 < C4colo> I just saw an arp from another server on the same switch for a client IP address and it went unanswered ... so even if ARP is getting to the server's br0 it is not being forwarded out to the client so that the client can respond
11:03 < C4colo> ok, when I set up the bridge I gave it 10.1.0.239
11:03 < C4colo> if I go to another system on the network and ping 10.1.0.239 it gets responses
11:05 < C4colo> I have a client behind the 10.1.0.239 bridge over the tap0 interface using openvpn (successfully connected I can ping from server to client, and ssh, etc) ... it is assigned 10.1.0.227 from a config file using ifconfig-push 10.1.0.227 255.255.255.0
11:05 < C4colo> that client system will not respond to ping requests from the same host that can talk to the server's 10.1.0.239 address
11:06 < C4colo> so the server system responds, but the clients connected (bridged) to the server are not responding to pings
11:07 < sander_> What do you really mean.. that you can't ping one client from another client?
11:07 < C4colo> no, that a system on the "local" network (the one I want the clients bridged to) cannot ping the remote clients, while it can ping the interface address assigned to the bridge interface on the server
11:12 < sander_> I have no idea.
11:12 < C4colo> yea, that's where I'm ending up too... it's got to be something simple
11:13 < sander_> I've actually never set up a bridged environment tho.
11:13 < sander_> Which manual have you followed?
11:13 < sander_> *howto*
11:14 < C4colo> in the openvpn documentation there are two sections that talk about bridging
11:15 < C4colo> there is the faq that has a section "bridging vs routing" and has some good info there ... then there is a bridging "mini-howto" linked from the normal setup page
11:15 < sander_> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html <- This one?
11:15 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
11:15 < C4colo> yes
11:17 -!- qhartman [n=qhartman@74-93-188-113-Oregon.hfc.comcastbusiness.net] has joined ##openvpn
11:18 < C4colo> I'll keep poking at it ... there must be some goofy little "obvious" concept I missed along the way ...
or was omitted for being too "obvious" 11:31 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Operation timed out] 11:42 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 11:48 -!- brad__ [n=brad@12.48.121.170] has joined ##openvpn 11:48 < brad__> lol, nevermind 12:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:08 -!- brad__ [n=brad@12.48.121.170] has quit [Remote closed the connection] 12:15 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:16 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 12:21 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 12:25 -!- pronoy [n=pronoy@unaffiliated/pronoy] has quit [Read error: 110 (Connection timed out)] 12:31 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has joined ##openvpn 12:41 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"] 12:56 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn 13:05 -!- aia [n=aia@64-135-203-23.FoxValley.net] has joined ##openvpn 13:07 -!- aia [n=aia@64-135-203-23.FoxValley.net] has quit [Client Quit] 13:34 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 13:39 < xp_prg> anyone used traffic cop here? 13:46 < ecrist> not i 13:57 -!- emod [n=emoderat@sage.emoderation.net] has joined ##openvpn 13:59 < emod> Setting up OpenVPN and Squid (transparent/cache) - should I put them on the same slice or separate slices? 14:00 < emod> Oops, wrong window 14:04 < ecrist> better not happen again, fucker. 14:11 < emod> I cannot guarantee it. 14:16 < ecrist> awww. 14:30 -!- c64zottel [n=hans@p5B17AC8F.dip0.t-ipconnect.de] has joined ##openvpn 14:35 -!- ikla [n=lbz@67.174.119.168] has joined ##openvpn 14:36 < ikla> is 2.1.rcX more stable than 2.0.9? 14:38 < Gorkhaan> Definetly 14:38 < ikla> or 2.0.6 haha 14:39 < Gorkhaan> I'm using RC18. 
It's fine ;) 14:39 -!- elenril [n=wiskas@ip-241-138.pel.cz] has quit [Read error: 104 (Connection reset by peer)] 14:41 -!- elenril [n=wiskas@ip-241-138.pel.cz] has joined ##openvpn 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 15:11 -!- qhartman [n=qhartman@74-93-188-113-Oregon.hfc.comcastbusiness.net] has quit ["Ex-Chat"] 15:14 -!- emod [n=emoderat@sage.emoderation.net] has quit [] 15:21 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.cust.nbox.cz] has joined ##openvpn 15:30 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [] 15:31 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 15:32 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has joined ##openvpn 15:38 -!- emod [n=emoderat@sage.emoderation.net] has joined ##openvpn 15:41 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 15:53 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 16:20 -!- Advo [n=AdvoHome@unaffiliated/advo] has quit [] 16:22 < ecrist> ikla: it's not more stable, otherwise it would be a release, not a release-candidate. 16:22 -!- crunge [n=Crunge@dsl093-034-021.snd1.dsl.speakeasy.net] has joined ##openvpn 16:23 < ecrist> is it stable enough for production? most would argue yes. 16:24 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)] 16:26 < crunge> anyone know of numbers comparing OpenVPN over TCP, PPP+SSL, and SSH Tun? 16:27 < crunge> throughput I mean 16:30 < crunge> I have a lab environment where I'm comparing different simple VPNs. I've got a 128MB data file from urandom. 
HTTP directly pulls it in about 12 seconds, HTTP over SSH Tun takes about 18, and PPP+stunnel takes about 26 16:32 < Dougy[home]> ecrist, 16:32 < Dougy[home]> how did it go 16:35 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn 16:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:37 < |Mike|> crunge: ipsec? 16:37 < |Mike|> encryption level does mather. 16:53 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["Leaving."] 16:53 -!- kyrix [n=ashley@93-82-2-161.adsl.highway.telekom.at] has quit ["Leaving"] 16:55 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.cust.nbox.cz] has quit ["Leaving"] 16:57 < crunge> |Mike|: my situation requires that the VPN be over TCP 16:57 < crunge> |Mike|: I very much prefer IPSec 17:08 < |Mike|> ssh, openvpn etc use diff encryption levels tbh. 17:09 -!- victor_ [i=victor@jerl.in] has joined ##openvpn 17:10 < crunge> I know OpenSSH can use AES256/CBC. I would expect OpenVPN to be able to do that as well 17:11 < |Mike|> Yep. 17:11 -!- elenril [n=wiskas@ip-241-138.pel.cz] has quit [Connection timed out] 17:18 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn 17:24 -!- c64zottel [n=hans@p5B17AC8F.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)] 17:48 -!- emod_ [n=emoderat@S0106001ec21749d5.gv.shawcable.net] has joined ##openvpn 17:48 -!- emod_ [n=emoderat@S0106001ec21749d5.gv.shawcable.net] has quit [Remote closed the connection] 17:51 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 17:51 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 54 (Connection reset by peer)] 18:02 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["Leaving."] 18:05 -!- emod [n=emoderat@sage.emoderation.net] has quit [Read error: 110 (Connection timed out)] 18:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 18:14 -!- crunge [n=Crunge@dsl093-034-021.snd1.dsl.speakeasy.net] has left ##openvpn [] 18:27 -!- LowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] 
has quit [] 18:33 -!- pi31415 [n=chatzill@75-145-67-114-Oregon.hfc.comcastbusiness.net] has joined ##openvpn 18:35 < pi31415> I tried to install developent and stable openvpn-gui in 32bit vista and it said something like tap-win32 blocked due to incompatibility. 18:38 < krzee> !vista 18:38 < vpnHelper> krzee: Error: "vista" is not a valid command. 18:38 < krzee> hrmz 18:40 < krzee> you used rc18? 18:41 < pi31415> http://openvpn.se/files/install_packages/openvpn-2.1_beta7-gui-1.0.3-install.exe 18:42 < krzee> http://openvpn.net/release/openvpn-2.1_rc18-install.exe 18:42 < pi31415> Thank you, I will test that. 18:45 < krzee> np 18:45 < krzee> also you could try winxp compat mode ordisable << Program Compatibility Assistant>> 18:59 -!- chinsan_ is now known as chinsan 19:02 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 60 (Operation timed out)] 19:07 -!- pi31415 [n=chatzill@75-145-67-114-Oregon.hfc.comcastbusiness.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060214]"] 19:28 -!- Ypsy is now known as YpsyZNC 19:39 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn 19:40 < macly> can the push "dhcp-options ..." lines be put into a client ccd file? 20:07 -!- macly [n=andy@ip70-174-136-104.dc.dc.cox.net] has quit ["This computer has gone to sleep"] 20:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 21:17 < Dougy[home]> thedoc, ! 21:17 < Dougy[home]> can i pm you 21:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 21:25 -!- niew [n=exec-kul@adsl-99-135-37-190.dsl.wlfrct.sbcglobal.net] has joined ##openvpn 21:25 < niew> Is there any good tutorials for getting routing to work to get traffic from the VPN to the subnet it's attached to? 
21:27 < niew> !route
21:27 < vpnHelper> niew: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:37 < ecrist> Dougy[home]: what's up?
21:37 -!- fryfrog [n=fryfrog@poopfarts.luna.tk] has left ##openvpn []
21:37 < Dougy[home]> ecrist, how did it go at work
21:38 < ecrist> same as any day, nothing different
21:38 < Dougy[home]> didnt get canned?
21:40 < ecrist> nope, was hoping for it, though. :)
21:40 < Dougy[home]> why?
21:41 < ecrist> don't wanna rehash. developing pron site
21:41 < Dougy[home]> ah
21:44 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
21:45 < krzee> [22:25] Is there any good tutorials for getting routing to work to get traffic from the VPN to the subnet it's attached to?
21:45 < krzee> [22:27] !route
21:45 < krzee> that was awesome
21:45 < krzee> made writing the doc worth it =]
21:45 < krzee> bbl
21:45 < Dougy[home]> thedoc, !
21:45 < Dougy[home]> haha krzee
21:46 < thedoc> Greetings Comrade! *best russian voice*
21:49 < niew> krzee: unfortunately it didn't help :(
21:56 -!- Thomas [n=tom@cpc3-warr6-2-0-cust184.1-1.cable.virginmedia.com] has joined ##openvpn
21:56 < Thomas> .
21:57 < Dougy[home]> ohai thar
22:05 < niew> I am getting confused, from the client I am pinging the ip of the NIC that is attached to my lan and I am getting a response, but when I try to ping something else on the route that I pushed to the client from the client I can't ping anything. Internally though I can ping the vpn client from another host on the lan. I did check to make sure the host can receive pings on the server's lan too. Am I just missing a route that I sh
22:05 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Never look down on someone unless you're helping them up."]
22:06 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
22:23 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has quit [Read error: 110 (Connection timed out)]
22:40 < niew> okay: 1. I am retarded 2. why doesn't it say anywhere that you enable mangling/proxy of packets on the openvpn.net pages for forwarding to local lan
22:41 < niew> even if it mentioned it I would have made the connection
23:16 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn
23:19 < kursadk> Hi, I have installed openvpn(windows) and I would like to add user-password authentication on the client side. Does anyone know lead me a tutorial or a web page that might explain how to do it? I am not very literate about openvpn, I just followed a well written tutorial. thanks
23:21 -!- niew [n=exec-kul@adsl-99-135-37-190.dsl.wlfrct.sbcglobal.net] has quit [Remote closed the connection]
23:33 -!- denon [i=denon@synapse.subneural.net] has joined ##openvpn
--- Day changed Fri Jul 10 2009
00:11 < denon> anyone have any pointers for a OpenVPN-as install that the clients just keep "Reconnecting" on
00:11 < denon> and can never get a connection
00:39 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn
00:42 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection]
00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:01 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn
01:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
01:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
01:39 -!- master_of_master [i=master_o@84.157.58.76] has quit [Read error: 110 (Connection timed out)]
01:42 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
01:43 -!- master_of_master [i=master_o@p549D646A.dip.t-dialin.net] has joined ##openvpn
01:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:02 -!- elenril [n=wiskas@ip-241-138.pel.cz] has joined ##openvpn
02:03 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
02:09 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [" HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!"]
02:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:46 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
02:47 < onats1> hello
03:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:09 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
03:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:15 -!- krzy is now known as krzee
03:16 < krzee> hey hey i see denon
03:16 < krzee> whats up dude
03:16 < denon> hey krzee
03:16 < denon> just battling openvpn :)
03:16 < denon> openvpn is winning
03:16 < krzee> ahh, whats the problem?
03:17 < krzee> im battling chameleon 2 EFI bootloader and its winning
03:17 < denon> ah, I dunno exactly. openvpn-as .. one client's working fine, the other connects for a few seconds, then the TUN adapter shows the cable unhooked..
03:17 < krzee> but in a confusing ass way
03:17 < denon> and connection is dropped
03:17 < krzee> you reading the logs?
03:17 < denon> sure, if there was anything in them to read
03:17 < krzee> !logs
03:18 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
03:18 < denon> yeah, Im running some updates on that box at the moment, so it'll have to wait now
03:19 < denon> hey, do you know if AS allows you to bind it to two ports out of the box?
03:19 < krzee> if you need to wait too long you'll need to catch me tomorrow
03:19 < denon> doesnt seem like the gui's really set up for it
03:19 < krzee> AS is just some frontend shit
03:19 < krzee> its the same opensource app in the core
03:19 < krzee> so no
03:19 < krzee> but running it 2x would make that a yes
03:19 < denon> well, I thought i'd try to get familiar with AS and see if it'd be a good replacement for commercial stuff
03:20 < krzee> you code tho dont you?
03:20 < denon> yeah, but then you lose gui management right?
03:20 < denon> sure I do ..
03:20 < denon> doesn't mean every one of our customers wants to :)
03:20 < krzee> cause thats a request of mine
03:20 < krzee> !forum
03:20 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
03:20 < krzee> http://www.ovpnforum.com/viewtopic.php?f=10&t=383&sid=75676fd0b800ccc7c636f2f673711602
03:21 < vpnHelper> Title: OpenVPN Forum View topic - bind to multiple ports (at www.ovpnforum.com)
03:21 < denon> yeah, that's exactly what I want to do
03:22 < krzee> if you code it ill make sure it gets to the devs
03:22 < krzee> ;]
03:22 < krzee> !download
03:22 < vpnHelper> krzee: "download" is www.openvpn.net/download to download openvpn
03:22 < krzee> rc18 would be the version to make a patch for
03:22 < denon> you're missing the point - I dont want to put additional effort into it :)
03:23 < krzee> werd, then no
03:23 < denon> that's the whole point of me jackin with AS at all :)
03:23 < krzee> ive never looked at AS, dont plan on it either
03:23 < krzee> ssl-admin is good enough for my cert management
03:23 < krzee> !ssl-admin
03:23 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
03:23 < krzee> iirc you use fbsd
03:23 < denon> it's kinda nice - no need to touch anything
03:23 < denon> we run a lot of stuff ..
03:24 < denon> but yeah, I like fbsd for hefty stuff
03:24 < krzee> any GUI will be missing shittons of features
03:24 < denon> true ..
03:24 < krzee> openvpn is too burly for a GUI
03:24 < krzee> !sample
03:24 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
03:24 < denon> but dpkg -i openvpn.pkg
03:24 < denon> and it's done
03:24 < krzee> but theres a basic config, that + ssl-admin and you're in the game
03:24 < denon> that's hard to beat
03:25 < krzee> it even zips up the client config with the certs you generate
03:25 < krzee> for quick and painless cert sending
03:25 < denon> but does it jack with your network for bridge and stuff :)
03:25 < krzee> !tunortap
03:25 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
03:25 < krzee> you dont want a bridge anyways
03:25 < krzee> most likely
03:25 < denon> some people do -- ie when they need to share a broadcast domain
03:26 < krzee> for them you just toss a bridge script in --up
03:27 < krzee> actually, as a wrapper that starts ovpn after is better
03:27 < krzee> been a long time since i used a bridge
03:27 < krzee> its so rarely the right solution
03:27 < denon> nod
03:27 < krzee> (for vpn)
03:28 < denon> though I've seen some legacy stuff that requires ugly crap like appletalk that would make your head spin
03:29 < krzee> yup
03:29 < krzee> but even for that, you just code up a lil bridge script and forget about it
03:29 -!- kyrix [n=ashley@91-115-182-56.adsl.highway.telekom.at] has joined ##openvpn
03:30 < krzee> no reason to go paying for something that is free imho
03:31 < denon> unless you want to set it up in a hurry, and walk away, handing someone a url to manage it
03:31 < denon> someone who doesn't know ssh from gopher
03:31 < krzee> ahh
03:32 < krzee> yup, i guess thats what AS was made for
03:33 < denon> in the time we're talking, I just cloned the OpenVPN VM..
03:33 < denon> changed port to 53/udp
03:33 < denon> changed IP
03:33 < denon> and done
03:33 < denon> ugly .. but..
03:33 < denon> easier than thinking :)
03:36 < krzee> yupyup
03:36 < krzee> thats the only way until someone codes that wishlist item up
03:37 < denon> interesting
03:37 < denon> so on udp, that client stays connected
03:37 < denon> just no traffic passes
03:38 < krzee> can they ping each other via vpn ip?
03:38 < denon> doesnt look like it
03:38 < krzee> also, you should always use UDP when possible
03:38 < krzee> !tcp
03:38 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
03:38 < krzee> ping each sides vpn ip from the other
03:38 < denon> nod
03:38 < denon> timing out
03:38 < krzee> should be like .1 and .6
03:39 < krzee> or .10
03:39 < krzee> assuming tun setup without topology subnet
03:39 < denon> 10.9.0.1 (server) and .2 (client) in this case
03:40 < krzee> umm
03:40 < krzee> how do you know its .2?
03:40 < denon> 'cause that's the IP the interface got issued from the server
03:40 < krzee> can the client ping itself at .2?
03:40 < krzee> so you're using a bridge or topology subnet...?
03:41 < denon> yeah, it can ping itself - both sides can
03:41 < krzee> cause default tun cant give out .2
03:41 < denon> subnet
03:41 < krzee> ok
03:41 < krzee> neither side can ping the other?
03:41 < denon> AS may be configured a little differently - but keep in mind, one client is working, the other is not
03:41 < krzee> is it a windows client?
03:41 < denon> so we know the server-side is likely ok
03:41 < denon> both are
03:41 < krzee> !winroute
03:41 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
03:41 < denon> and right, neither side can
03:41 < krzee> thats a likely suspect
03:42 < krzee> but you havnt posted logs so all i can do is guess
03:42 < krzee> you can change that if you like
03:42 < denon> the route is getting added .. no rras installed ..
03:42 < denon> not sure about route-delay
03:43 < denon> but again, the route is getting added
03:43 < krzee> logs or bust
03:43 < denon> wouldnt really matter, in this case - no need for a route just to ping interface ips
03:43 < krzee> with verb 6
03:43 < krzee> thats not true
03:43 < krzee> tun works via routes
03:43 < krzee> no route no connection
03:44 < krzee> it'll claim theres a connection, but there wont be
03:44 < denon> ah, even for "direct attached" huh?
03:44 < denon> ic
03:44 < krzee> whats "direct attached" ?
03:44 < denon> um, kinda cisco talk I guess
03:44 < denon> routes that it learns via interface attachments
03:45 < denon> anywho, I'll figure out how to configure logs on AS
03:45 < krzee> --logfile
03:45 < krzee> AS is still making config files...
03:45 < denon> sure, wherever they are
03:45 < krzee> its still just openvpn
03:45 < krzee> ps auxw|grep openvpn
03:45 < krzee> it will tell ya
03:45 < krzee> possibly gotta add some extra w's to the ps
03:46 < krzee> depending how they do it
03:46 < denon> errors to stderr
03:46 < denon> config stdin
03:46 < denon> heh
03:46 < krzee> huh??
03:47 < denon> that's whats in the process list
03:47 < denon> looks like it's using /usr/local/openvpn_as/etc though
03:47 < krzee> hah nvr seen that, but never used AS either
03:47 < krzee> doubt i will either
03:48 < denon> looks like configs are in sqlite
03:48 < krzee> you ever talk to josh anymore?
03:48 < denon> yeah
03:48 < krzee> wtf, they db'ed the configs? lameness
03:48 < denon> certs too
03:48 < krzee> hah
03:49 < krzee> feel free to stick around and be the resident AS expert when you master it
03:49 < krzee> cause i dont think any of us use it or plan on using it
03:49 < krzee> ;]
03:49 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 60 (Operation timed out)]
03:50 -!- mode/##openvpn [+o denon] by ChanServ
03:50 <@denon> hah
03:50 <@denon> what if I dont wanna be :)
03:51 -!- mode/##openvpn [-o denon] by ChanServ
03:51 < krzee> :-p
03:51 < denon> kidding ..
03:51 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
03:51 < denon> you can @ me up, I'll hang around
03:51 < denon> I might even figure out how this silly app works
03:52 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
03:58 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:58 < thedoc> o/
04:07 < krzee> yay!
04:07 < krzee> i got the solution to my osx86 chameleon2 EFI kext issue
04:08 < krzee> my script to auto-setup these boxes is moments from completion
04:08 < krzee> which is a big ++ when its 5am and i wanna sleep
04:10 < dazo> krzee: I believe I read somewhere that if code was written at night, it was written more quickly .... but might also have more bugs :-P
04:11 < krzee> if you ever see me write something in the day, be scared to run it
04:11 < krzee> it will likely explode and kill your cat
04:11 < dazo> heh ... sounds like my coding as well :-P
04:38 -!- Marquel [n=Flinx@port-14023.pppoe.wtnet.de] has joined ##openvpn
04:39 < Marquel> dazo: i'm here with another update and more details: my isp is currently changing routing to provide every customer a 100mbit/s downlink. now they asked for daily updates every morning so they can bugfix the new systems for me and others ;)
04:40 < krzee> that is badass
04:40 < krzee> i wish i had a cool ISP
04:43 < dazo> Marquel: who's this ISP? ;-)
04:43 < Marquel> whois dazo
04:43 < Marquel> dazo: wilhelm.tel
04:43 < dazo> potential customer? :;-)
04:44 < Marquel> *g*
04:44 < Marquel> i doubt it.
04:46 < dazo> unfortunately, they're only a traditional ISP .... not a server hosting company .... But I'll remember this for my German friends :)
04:49 < Marquel> they're very limited in range, so if you don't live in a certain village (or in certain buildings) you won't be able to get their service ;)
04:50 < dazo> Marquel: hmm :( But with such service, they're planning to grow
04:51 < Marquel> indeed.
04:52 < Marquel> they plan to connect the entire city next to that village as the city itself proved to be unable to do so properly.
04:55 < Marquel> dazo: i also know of a server hoster with a quite good connection to the net...
04:56 < dazo> Marquel: I'm all ears
04:56 < Marquel> (that's where my other endpoint is located with which i tested my configuration ;) )
04:56 < Marquel> netdirekt.de
04:56 < Marquel> but they don't do domain service, only hosting.
05:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:14 < dazo> Marquel: that suits me even better!
05:16 < Marquel> dazo: for what? rule teh world(tm)?
05:16 < dazo> Marquel: think SkyNet(tm) :-P
05:19 < denon> krzee: still awake?
05:21 < krzee> aye
05:24 < denon> so the normal windows client is barfing too
05:24 < denon> (they are supposed to be compatible afaik)
05:30 < denon> hm
05:30 < denon> so it doesnt barf until the client-side routes are added
05:33 < mlaci> hi guys! mod_rewrite should keep the anchor which isn't the case currently based on the http://openvpn.net/howto.html#mitm url
05:33 < tompaw> Hi.
05:33 < tompaw> With openvpn-as, is there a way to assign a static ip to one particular client?
05:34 < krzee> i can tell you for openvpn
05:34 < krzee> for AS, gl to ya
05:34 < krzee> mlaci, we have no control over their site, but if ecrist sees your message he'll let them know im sure
05:34 < krzee> he has contact with them
05:34 < mlaci> cool
05:35 < denon> tompaw: people in here are a little bitter about AS and making money on stuff ..
05:35 < krzee> their redesign of the page fubar'ed a bunch of stuff
05:35 < denon> best open a ticket :)
05:35 < krzee> denon, nobody minds them making $, im actually happy for them
05:35 < krzee> i just dont like that they dont let you manually edit configs
05:35 < krzee> thats serious lamesauce
05:35 < krzee> if they manually let you, i could fix both of your issues
05:36 < krzee> youd need !winroute and he'd need !static
05:36 < krzee> :p
05:36 < krzee> AS should be GUI, not a complete redesign so that people keep coming here asking stuff we know but we cant help them
05:37 < tompaw> well, I actually thought it was gui when I installed it
05:37 < tompaw> wasn't aware that it completely changes the way you work with it
05:37 < krzee> i thought it was until denon's issues this evening
05:37 < krzee> the configs are now sqlite so i cant help anyone
05:38 < krzee> *shrug* let them support it
05:40 < tompaw> are there any similar guis that preserve the original structure of openvpn server?
05:41 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:42 < krzee> nothing worthwhile, but i believe theres a free one or 2 out there
06:05 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Client Quit]
06:30 -!- Assos [n=Assos@62.248.6.46] has joined ##openvpn
06:31 -!- Assos [n=Assos@62.248.6.46] has left ##openvpn ["Konversation terminated!"]
06:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
06:48 -!- kyrix [n=ashley@91-115-182-56.adsl.highway.telekom.at] has quit ["Leaving"]
06:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:06 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 60 (Operation timed out)]
07:08 -!- sander_ [i=sander@084202250202.customer.alfanett.no] has joined ##openvpn
07:08 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 60 (Operation timed out)]
07:12 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
07:16 < ecrist> morning
07:23 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn
07:24 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit ["Leaving"]
07:53 -!- cpm_ is now known as cpm
08:02 -!- dundel [n=dundel@200.2.161.143] has joined ##openvpn
08:02 < dundel> i got a little question
08:02 < ecrist> shoot
08:02 < dundel> is an openvpn hackable?
08:03 < ecrist> everything is hackable
08:03 < dundel> oke, but it isn't that easy i hope
08:04 < ecrist> not that I'm aware of.
08:04 < dundel> if i would tunnel voip traffic, it's not sniffable right?
08:04 < dundel> just want to be sure
08:04 < ecrist> it's far more secure than open traffic
08:04 < dundel> great
08:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 60 (Operation timed out)]
08:24 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Tiplizek"]
08:36 -!- Br4z3r [n=boyko@83.228.122.198] has joined ##openvpn
08:36 -!- Br4z3r [n=boyko@83.228.122.198] has left ##openvpn ["Leaving"]
08:37 -!- Br4z3r [n=boyko@83.228.122.198] has joined ##openvpn
08:37 -!- Br4z3r [n=boyko@83.228.122.198] has left ##openvpn ["Leaving"]
08:38 -!- Br4z3r [n=boyko@83.228.122.198] has joined ##openvpn
08:42 < Br4z3r> Hi All, If I want to make a bridge like VPN should I have two physical network interfaces ?
08:42 < Br4z3r> on the server side
08:47 -!- Thomas [n=tom@cpc3-warr6-2-0-cust184.1-1.cable.virginmedia.com] has quit []
08:49 < Marquel> well, i think, i need more vpn tunnels. our country has just received a law for dns-censorship. yay.
08:57 -!- p3ri0d [i=p3ri0d@200.2.155.54] has joined ##openvpn
09:07 < kiwi_> Marquel: what country ?
09:19 < Marquel> kiwi_: germany
09:20 < Marquel> kiwi_: looks like those summits between germany and china did indeed serve for exchange: germany gave valuable technology away while china told germany's politicians how to filter the web.
09:21 < kiwi_> lol
09:22 < Marquel> no i can't find a reason why our politicians shouldn't be shot on the spot.
09:25 < Marquel> at least there should be a law against incompetence in politics. the - i can't find a word for it, it looks like a female human but lacks the brain - german secretary of justice doesn't even know what a "browser" is good for and talks for laws filtering dns queries and tells fairytales about them being effective against websites...
09:26 < kiwi_> i didnt know this dns censorship was around in countries like norway too
09:27 < kiwi_> anyway, did they say what site / type of site will be targeted by this censorship in germany ?
09:29 < Marquel> european union is a great thing. at least if you're a minister in a government and have to be afraid of elections. since electronic elections are forbidden now that there's proof nedap doesn't do its job right ;)
09:30 < Marquel> jep. childporn. now. but the law isn't yet valid and they want to extend it to hatred and racist websites. and killergames of course.
09:30 < Marquel> "we can't let them decide what's good for them, they might figure out to not vote for us anymore."
09:32 < Marquel> (sorry, i'm ranting and i know it, but i can't find words for a country calling itself free and democratic and at the same time establishing laws and technology former communist regimes dreamt of in their wet dreams at night....)
09:37 < Marquel> from 9/11 it was terrorism. now that terrorism is obviously not working as there were no bombs exploding in germany, they found childporn. tomorrow it'll be radiation (our nuclear power plants have "numerous security weaknesses", surprise!) which will force us to stay inhouse and not protest against them...
09:37 < kiwi_> :)
09:37 < kiwi_> anyway, i think we are so much that dont know what's good for us, even more about a political matter =)
09:38 < kiwi_> one thing i know, openvpn is good for me .. i hope ;p
09:38 < Marquel> now that i think of it it makes sense... one power plant failing repeatedly for the same reason. three days later power plants at the other end of the country have security weaknesses their owner was blackmailed with...
09:40 < Marquel> well, i suppose i'll be put down by the great words "conspiracy theorists are always wrong"...
09:43 < kiwi_> and what will you do about it
09:44 < Marquel> i think i'll work around what my government (i didn't vote for them!) has put up to turn my eyes away from what they don't want me to see... that includes tunnels and dns servers ;)
09:48 < tjoff> Marquel: terrorism is still a valid reason to justify stupid laws here in Sweden. The last terrorist attack here was in 1908 - one man died.
09:50 < Marquel> tjoff: if terrorism is a valid reason for stupid laws, cars have to be forbidden by yesterday. ;)
09:50 < tjoff> (the last attack where at least one died)
09:51 < tjoff> :)
09:54 < Marquel> i'm a terrorist in that sense too. i point my car at pedestrians... at least before the turn...
09:57 < ecrist> wow, this is a little off topic
09:58 < Marquel> just a little
09:58 < ecrist> Br4z3r: no, you don't need two different interfaces.
10:00 < Br4z3r> ecrist, thanks for the answer
10:06 -!- chandoo [n=chandoo@67.83.185.120] has joined ##openvpn
10:06 < chandoo> hi
10:07 < chandoo> i use cisco vpn from windows box connecting to office network
10:12 < ecrist> ok
10:14 < chandoo> how do i do that from linux
10:14 < chandoo> my cisco vpn is installed and configured by windows group, so i dont put any server name which connecting vpn
10:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
10:42 < dazo> chandoo: sorry, but this channel knows primarily things about the OpenVPN solution and not too much about Cisco based VPN
10:48 < |Mike|> run an emulator with windows :p
10:49 < |Mike|>
10:53 < Marquel> byebye
10:53 -!- Marquel [n=Flinx@port-14023.pppoe.wtnet.de] has quit [Remote closed the connection]
10:53 < chandoo> dazo:) i want to use openvpn,
10:54 < chandoo> my question is what information i need to know in using openvpn connecting to my office network over vpn
10:54 < dazo> chandoo: cool! But then you'll need to install an openvpn server on the network you want to access ... and deploy openvpn clients
10:54 < dazo> chandoo: cisco vpn and openvpn do not talk together
10:55 < chandoo> dazo:) so i cannot connect to office network from linux machine
10:55 < chandoo> using vpn
10:55 < dazo> chandoo: yes, you need the vpnc package then, to connect to Cisco VPNs
10:55 < dazo> chandoo: but you cannot use openvpn
10:56 < dazo> chandoo: http://www.unix-ag.uni-kl.de/~massar/vpnc/
10:56 < vpnHelper> Title: vpnc - client for cisco vpn concentrator (at www.unix-ag.uni-kl.de)
10:58 < dazo> chandoo: if you're using NetworkManager .... there's also a plug-in here called NetworkManager-vpnc, iirc ... which gives you a GUI for the vpnc config and also start/stop of the vpn connection
11:00 < |Mike|> can't you use the client to connect to the cisco VPN ?
11:00 < |Mike|> (since you can use usernames & passwords as well)
11:02 < ikla> 2.0.6 -> 2.0.9 only fixes windows issues?
11:02 < dazo> ikla: 2.0.9 -> 2.1_rc18 fixes even more bugs
11:06 -!- atmosx [n=osx@ppp-94-69-190-131.home.otenet.gr] has joined ##openvpn
11:06 < atmosx> hello
11:06 < atmosx> can someone help me a bit here, because I'm confused on a matter and the documentation does not help a lot
11:07 < atmosx> I created a cert for my stable computer using pkitool and it's all fine. Then I created a cert for my laptop which I wanted to use password auth
11:07 < atmosx> so I created a cert using --pass option. pkitool prompted me for a password at the time of creation and everything was fine
11:08 < atmosx> now when I try connect from my macbook, I used a front-end called viscosity (ovpn client). It does not prompt me for a password and when I use the user/pass auth method it prompts for username also, but I have not specified any username at the time of cert creation
11:08 < atmosx> can someone explain to me what is happening? :-(
11:09 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn
11:17 -!- c64zottel [n=hans@p5B17AD37.dip0.t-ipconnect.de] has joined ##openvpn
11:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:28 -!- atmosx [n=osx@ppp-94-69-190-131.home.otenet.gr] has quit ["leaving"]
11:32 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:46 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn
11:56 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
12:07 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Read error: 110 (Connection timed out)]
12:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:44 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Connection timed out]
12:50 < chandoo> dazo:) i just installed vpnc, but i see ADD button disabled in NetworkManager
12:51 < chandoo> do i need to logout/login to see the changes in NM
12:51 < dazo> probably
12:51 < chandoo> okay let me try that
12:51 -!- chandoo [n=chandoo@67.83.185.120] has quit ["Leaving"]
12:54 -!- chandoo [n=chandoo@ool-4353b978.dyn.optonline.net] has joined ##openvpn
12:54 < chandoo> dazo:) after installing NM plugin for vpnc i am able to see without relogin
12:55 < chandoo> dazo:) i need help now,
12:56 < dazo> chandoo: on the NetworkManager icon, you can now click on it, choose "Configure network" .... might be right click .... and then you get a new window, where you have different network groups .... "VPN" should be the group (tab) you're looking for
12:57 < chandoo> i am in the VPN tab and i clicked on ADD
12:57 < chandoo> i got new window
12:58 < chandoo> asking for Gateway
13:01 < chandoo> what parameters are important to make successful connection dazo
13:01 < dazo> chandoo: good! I don't know that .... it should be similar to how you configured it in Windows, though
13:02 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
13:02 < dazo> chandoo: fill out all the fields which match the information you got ... and leave the rest unchanged ... that's usually a good starting point
13:02 < chandoo> dazo:) i dont do any configurations in windows, when i get laptop it is already configured, what i do is select a connection and provide the login credentials
13:03 < dazo> chandoo: then you need to figure out what the VPN parameters are .... I can't help you finding that :(
13:03 -!- brah [n=asdfaf@190.16.126.86] has joined ##openvpn
13:03 < brah> ~howto
13:03 < brah> !howto
13:03 < vpnHelper> brah: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:04 < brah> !route
13:04 < vpnHelper> brah: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:04 < brah> cool story bro
13:04 -!- brah [n=asdfaf@190.16.126.86] has left ##openvpn ["Leaving"]
13:08 < chandoo> dazo:) looks like i cannot make it work
13:08 < chandoo> in windows machine, under Authentication there is Group Authentication
13:09 < chandoo> i can see name , but password is stars
13:09 < chandoo> i can also see the host
13:09 < dazo> chandoo: without any information, it's not easy to make anything work .... and I haven't used Windows on the desktop the last 12 years, so I'm not much updated on such things
13:09 < chandoo> there is no certificate authentication
13:09 < dazo> chandoo: you'll need to ask for that information where you got it from
13:10 < chandoo> okay i will see how to make it work
13:10 < dazo> (got the computer)
13:10 < chandoo> dazo:) office computer
13:10 < chandoo> everything is setup and delivered,
13:10 < chandoo> from image
13:10 < chandoo> so no way i can get that info
13:10 < chandoo> nor i can just ask some one
13:11 < dazo> chandoo: then you're screwed .... if you can't ask your IT admins .... there's no hope
13:11 < chandoo> all i do in windows is copy the whole cisco vpn directory and run executable and make it work on my desktop
13:11 < chandoo> obviously they dont want you to use linux machine and connect
13:12 < chandoo> i got an idea
13:12 < chandoo> maybe i can do the same in linux and run the thing with wine
13:15 < chandoo> dazo:) i made all the possible entries and i am trying to connect , it says there is no valid vpn secrets
13:15 < chandoo> what is that
13:15 < dazo> chandoo: that's the information which is "written in stars"
13:15 < chandoo> is it my password or something else
13:16 < chandoo> but i dont see a column for password while adding vpn
13:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:17 < dazo> it is most probably a so-called shared secret ... a kind of a "group password"
13:17 < dazo> you'll enter your password when you try to connect later on
13:20 < chandoo> so no way i can know that
13:20 < chandoo> :(
13:21 < Br4z3r> Hi I made a route openVPN. My winXP client connects but after less than a min don't have ping to it. What could be the problem ?
13:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:27 -!- EvilRoey [n=roey@wsip-98-172-31-179.dc.dc.cox.net] has joined ##openvpn
13:27 < EvilRoey> hello
13:37 -!- brah [n=asdfaf@190.16.126.86] has joined ##openvpn
13:42 < brah> I can't get openvpn to autostart on Gentoo, I already checked all the bash scripts, but I only get
13:43 < brah> * Starting openvpn ... * Check your logs to see why startup failed
13:43 < brah> And there are no logs.
13:47 < ecrist> brah: did you configure openvpn?
13:48 < dazo> brah: try adding log explicit in your config file ... are you using chroot btw?
13:48 < brah> Nope, no chroot
13:48 < brah> Status you mean_
13:48 < brah> ?
13:48 < dazo> brah: --log ... normally, I think it defaults to syslog
13:49 < brah> Wrong arg
13:49 < dazo> brah: which version of openvpn?
13:49 < brah> 2.1_rc7
13:49 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Tiplizek"]
13:50 < dazo> (ugh .... when will Gentoo update with the more recent ebuild ... I've submitted an updated one to their bugzilla)
13:50 < dazo> brah: can you pastebin your config?
13:50 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
13:50 < brah> Sure
13:51 < brah> oops, the --log argument just wiped it :)
13:51 < brah> One second
13:52 < brah> http://pastebin.com/d2a56837e
13:52 * dazo looks
13:53 < dazo> try this one: http://pastebin.com/d78c12fbe
13:54 -!- dundel [n=dundel@200.2.161.143] has quit ["if i no lob fa mi de, i kan nang mi mars - iem sabi"]
13:56 < brah> rebooting
13:57 < brah> Fri Jul 10 15:56:59 2009 failed to find GID for group openvpn
13:57 < brah> I think I know what the problem is, let's see
13:58 < brah> user nobody group nobody perhaps
13:58 < ecrist> getent group nobody
13:59 < brah> It's there
14:00 < brah> Well, at least it's not erring anymore. I still have to start it manually, yet.
14:00 < brah> nobody 3325 0.0 0.0 3376 772 ? Ss 15:59 0:00 /usr/sbin/openvpn --config /etc/openvpn/openvpn.conf --writepid /var/run/openvpn.pid --daemon --cd /etc/openvpn
14:00 < dazo> brah: did you put openvpn to start in default ... or in boot?
14:00 < dazo> (softlevel, that is)
14:00 < brah> Well, it's in init.d
14:01 < dazo> yeah I know .... but when you did rc-update -a openvpn ....
14:03 < dazo> brah: using rc-status .... does it show up here?
14:03 < brah> Hold on, I'm waiting for the machine to boot up
14:03 < dazo> heh ... I don't have time to wait for your box to boot :-P time is money! :-P
14:03 < brah> openvpn |
14:04 < brah> I had done rc-update add openvpn default
14:04 < dazo> okey ... what's the location of your config file?
14:05 < brah> But shouldn't it be showing 'default' after the pipe?
14:05 < dazo> and the file name
14:05 < brah> /etc/openvpn/openvpn.conf
14:05 < dazo> good
14:05 < dazo> yeah, I would expect that actually, when you say it ...
14:06 < brah> I just added it to boot runlevel, see what happens
14:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:06 < dazo> that's not clever
14:06 < dazo> because networking is not started during boot
14:06 < dazo> which will cause some challenges now
14:07 < dazo> it sounds like your first rc-update add openvpn did not work
14:07 < brah> Well, it still doesn't show 'boot' after openvpn |
14:08 < dazo> I'm just wondering .....
14:08 < dazo> I'm using a similar setup myself on one of my boxes
14:08 < dazo> try renaming the openvpn.conf to tap0.conf
14:08 < dazo> and then in /etc/init.d do: ln -s openvpn openvpn.tap0
14:09 < dazo> then try: rc-update add openvpn.tap0 default
14:09 < dazo> and: rc-update -d openvpn
14:09 < brah> But how will it know to look for tap0.conf?
14:09 < brah> I know it's supposed to load all the .conf files, but I didn't get that to work.
14:10 < dazo> the init.d script is clever enough to figure that out, when it is started as openvpn.tap0
14:10 < dazo> it's to support multiple instances of openvpn
14:11 < dazo> and that's why you need to make a symlink for openvpn.tap0 to openvpn
14:12 < brah> rc-update might be broken
14:12 < brah> Because `rc-update -d openvpn` still gives "openvpn |"
14:13 < brah> * openvpn not found in any of the specified runlevels.
14:13 < dazo> that's expected .... rc-update -d openvpn .... deletes openvpn from all configs
14:13 < dazo> and that's why: rc-update -a openvpn.tap0 will be used
14:13 < brah> But openvpn is still listed on `rc-update show`
14:14 < dazo> yes, because show lists all executable scripts in /etc/init.d
14:15 < brah> If this doesn't work I'll make my own autostart script
14:16 < dazo> you can just add a line in /etc/conf.d/local.start ... which will be executed by /etc/init.d/local during boot
14:16 < dazo> but that's really just a hack
14:17 < dazo> I presume you do all these rc-* commands as root
14:18 < brah> Yeah
14:20 < brah> Still no luck, what the...
14:20 < dazo> brah: I need to go soon ... but on #gentoo here, you might get more help
14:20 < dazo> brah: this is actually more a gentoo issue than an openvpn issue
14:20 < brah> It's okay, thanks for the help.
14:20 < brah> Yeah, I thought so.
14:21 < dazo> you're welcome .... sorry I couldn't help you further now
14:24 < brah> Eh
14:24 < brah> Adding the absolute path seemed to work
14:24 < brah> In local.start
14:25 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:51 -!- Br4z3r [n=boyko@83.228.122.198] has quit [Remote closed the connection]
15:15 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
16:21 -!- nogo [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"]
17:18 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["Leaving."]
17:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:34 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:42 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:42 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:51 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn ["Tiplizek"]
17:52 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
18:22 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit []
18:24 -!- c64zottel [n=hans@p5B17AD37.dip0.t-ipconnect.de] has quit ["Leaving."]
18:28 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:31 -!- p3ri0d [i=p3ri0d@200.2.155.54] has left ##openvpn ["Leaving"]
18:59 -!- troy- is now known as troy
19:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:21 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
20:40 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:18 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:18 < thedoc> Dougy, ping
21:19 < Douglas> you are lucky memoserv told me you read my memo
21:19 < Douglas> i dont have highlights
21:33 -!- mRCUTEO [n=NIX@asia.asia-internet.com] has joined ##openvpn
21:34 < mRCUTEO> hiya all
21:34 < mRCUTEO> hi tjz
21:34 < Douglas> hayyy
21:35 < mRCUTEO> !iporder
21:35 < vpnHelper> mRCUTEO: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
21:37 -!- mRCUTEO [n=NIX@asia.asia-internet.com] has quit [Client Quit]
21:39 < Douglas> krzie
21:39 < Douglas> hihi
21:45 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
21:48 < CamargoBP-Mobile> !howto
21:48 < vpnHelper> CamargoBP-Mobile: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:22 -!- Ammyia [n=Ammyia@99.135.242.178] has joined ##openvpn
22:28 -!- Douglas is now known as Doug[sleep]
22:30 -!- Ammyia [n=Ammyia@99.135.242.178] has quit [Remote closed the connection]
22:38 -!- chandoo [n=chandoo@ool-4353b978.dyn.optonline.net] has quit ["Leaving"]
22:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
22:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
23:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
--- Day changed Sat Jul 11 2009
00:50 -!- zheng [n=zheng@114.92.146.182] has joined ##openvpn
00:51 -!- zheng [n=zheng@114.92.146.182] has quit [Client Quit]
01:40 -!- master_of_master [i=master_o@p549D646A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
01:43 -!- master_of_master [i=master_o@p549D4661.dip.t-dialin.net] has joined ##openvpn
01:49 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
01:52 -!- c64zottel [n=hans@p5B178F25.dip0.t-ipconnect.de] has joined ##openvpn
01:59 -!- troy is now known as troy-
02:06 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: stephenh, disco-
02:09 -!- c64zottel [n=hans@p5B178F25.dip0.t-ipconnect.de] has left ##openvpn []
02:09 -!- Netsplit over, joins: stephenh, disco-
03:06 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
03:09 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
03:19 -!- AlHafoudh [n=AlHafoud@chello089173071159.chello.sk] has joined ##openvpn
03:19 < AlHafoudh> hi al
03:19 < AlHafoudh> anyone can help? i can ping other openvpn clients but i cannot ping the openvpn server nor the clients from the server :( i use tap
03:39 < krzee> why do you use tap?
03:53 -!- AlHafoudh [n=AlHafoud@chello089173071159.chello.sk] has quit [Remote closed the connection]
04:18 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn
04:21 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
05:28 -!- YpsyZNC is now known as Ypsy
05:36 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
06:03 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn
06:07 < Bushmills> we'll never know
06:36 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["Leaving."]
06:39 -!- elenril [n=wiskas@ip-241-138.pel.cz] has quit ["for the lulz"]
07:08 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
07:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
08:27 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
08:27 -!- TomJ [i=TomJ@115.240.61.84] has joined ##openvpn
08:28 < TomJ> I have a strange Windows OpenVPN issue. My OpenVPN is failing on the client with: "Sat Jul 11 18:51:51 2009 openvpn_execve: CreateProcess C:\WINDOWS\system32\netsh.exe failed: The system cannot find the path specified. (errno=3)" . Now, that's correct, my Windows directory is actually d:\windows\. What's odd is that OpenVPN was working just fine on this desktop for ages, I dont know what's changed to make it break now
08:29 < TomJ> so either I want to work out what changed, or as a workaround I suppose I could simply find out why it's executing c:\windows\system32\netsh.exe and not D:\windows\system32\netsh.exe and change that, maybe it would then work
08:33 < TomJ> Version is: OpenVPN 2.1_rc15 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Nov 19 2008
08:35 < TomJ> full logs here: http://pastebin.com/d4ac4a717
08:38 < Doug[sleep]> XP?
08:38 < TomJ> Yeah XP SP3
08:38 * Doug[sleep] is clueless with openvpn let alone openvpn windows
08:38 * Doug[sleep] think
08:43 < bsdbandit> good morning
08:43 < bsdbandit> all
08:45 < bsdbandit> im trying to start up openvpn on an openbsd 4.5 box when running openvpn server.conf command with 9 for verbose mode openvpn just stops at the following Wed Dec 31 19:00:00 1969 us=694741 OpenVPN 2.0.9 sparc64-unknown-openbsd4.5 [SSL] [LZO] built on Jul 10 2009
08:45 < bsdbandit> Wed Dec 31 19:00:00 1969 us=851999 Diffie-Hellman initialized with 1024 bit key
08:45 < bsdbandit> Wed Dec 31 19:00:00 1969 us=956945 Control Channel Authentication: using '/etc/openvpn/keys/ta.key' as a OpenVPN static key file
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=958362 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=959060 Outgoing Control Channel Authentication: HMAC KEY: 38e988db 0bc3a36f c243d471 2e876aff 2f120c56
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=959816 Outgoing Control Channel Authentication: HMAC size=20 block_size=64
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=960465 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=961159 Incoming Control Channel Authentication: HMAC KEY: bd395d8a d4198015 26ca4591 8087e691 3c0ff86f
08:46 < TomJ> use a pastebin, bsdbandit
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=961747 Incoming Control Channel Authentication: HMAC size=20 block_size=64
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=971660 MTU DYNAMIC mtu=0, flags=1, 0 -> 166
08:46 < bsdbandit> ok
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=972279 TLS-Auth MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
08:46 < bsdbandit> Wed Dec 31 19:00:00 1969 us=972925 MTU DYNAMIC mtu=1450, flags=2, 1542 -> 1450
08:46 < bsdbandit> this is what i get
08:46 < bsdbandit> 1 sec
08:47 < bsdbandit> hey TomJ http://pastebin.com/d742122da
08:49 < bsdbandit> and the date in openvpn logs keeps showing Wed Dec 31 19:00:00 1969
08:49 < bsdbandit> how do i get rid of that
08:52 < Doug[sleep]> whoooa.
08:52 < Doug[sleep]> bsdbandit
08:52 < Doug[sleep]> !paste
08:52 < vpnHelper> Doug[sleep]: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
08:53 < Doug[sleep]> gonna get yerself thrown outta here
08:53 < bsdbandit> im sorry guys
08:54 < bsdbandit> i did go back paste it in pastebin
08:54 < bsdbandit> here is my pastebin http://pastebin.com/d742122da
08:58 * Doug[sleep] isnt BSD guy
08:58 < Doug[sleep]> people to wait for are like ecrist and krzie
09:02 < sander_> bsdbandit, Can you pastebin your server.conf too?
09:07 < bsdbandit> ok
09:14 -!- TomJ [i=TomJ@115.240.61.84] has quit [Read error: 60 (Operation timed out)]
09:14 -!- TomJ [i=TomJ@115.240.57.118] has joined ##openvpn
09:14 < bsdbandit> ok sander
09:14 < bsdbandit> http://pastebin.com/d742122da
09:14 < bsdbandit> here ya go
09:15 < sander_> bsdbandit, Thats the same paste as before
09:15 < Doug[sleep]> lol
09:15 -!- Doug[sleep] is now known as Douglas
09:17 < bsdbandit> i know i put the server conf at the top of the paste
09:17 < sander_> bsdbandit, I cant see it
09:17 < Douglas> nor can i
09:19 < bsdbandit> http://pastebin.com/d49ae26df
09:20 < bsdbandit> this is the new one sander_ sorry about that
09:20 < Douglas> grrrrr
09:20 < Douglas> !configs
09:20 < Douglas> er
09:20 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:20 < Douglas> yes
09:20 < Douglas> bsd, do as that says please
09:20 * Douglas grunt
09:20 < Douglas> (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`)
09:21 < Douglas> specifically that
09:21 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit []
09:22 < bsdbandit> ok
09:24 < sander_> I have to go.
09:26 < bsdbandit> ok
09:26 < bsdbandit> http://pastebin.com/m35253cec
09:26 < bsdbandit> here is it
09:26 < bsdbandit> without comments
09:34 -!- kiwi_ [n=kiwi@91.121.155.197] has joined ##openvpn
09:40 -!- fred^^ [n=a@87.3.87.30] has joined ##openvpn
09:40 < fred^^> !route
09:40 < vpnHelper> fred^^: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:41 < fred^^> hi to all!
09:44 < fred^^> !howto
09:44 < vpnHelper> fred^^: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tarbo2, worch, _impuls, kala, pekster
09:54 -!- Netsplit over, joins: _impuls, kala, pekster, tarbo2, worch
10:02 < bsdbandit> http://pastebin.com/m35253cec
10:09 < sander_> bsdbandit, can you paste me the output of /var/log/openvpn.log ?
10:10 -!- Ypsy is now known as YpsyZNC
10:13 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Tiplizek"]
10:51 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 110 (Connection timed out)]
10:55 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
11:02 -!- Douglas [i=doug@64.18.144.4] has joined ##openvpn
11:02 < Douglas> !configs
11:02 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:09 < Douglas> !howto
11:09 < vpnHelper> Douglas: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:10 < Douglas> !ccd
11:10 < vpnHelper> Douglas: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
11:16 < ecrist> morning, fuckers
11:18 < Douglas> heyyyyyyyyyyyyyyyy mr crist
11:18 < Douglas> what u
11:18 < Douglas> p
11:20 < fred^^> !configs
11:20 < vpnHelper> fred^^: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:24 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has joined ##openvpn
11:26 -!- denon [i=denon@synapse.subneural.net] has quit ["Elvis has left the building"]
11:31 < skarab> Is it necessary for two OpenVPN server instances to be on separate networks?
11:31 < skarab> e.g. daemon 1 is UDP (tun0), daemon 2 is TCP (tun1)
11:37 < sander_> Douglas, ecrist could you do me a favor?
11:38 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 110 (Connection timed out)]
11:39 < sander_> http://frekk.linux.dk/easy_ssl-0.1.tgz <-- To test out this script for generating ssl certs.
11:39 < sander_> Its very easy to generate certs for a client/server setup.. with lots of clients
11:40 < sander_> Douglas, ecrist: I need some feedback, so I can improve this script even more.
11:42 < ecrist> Douglas: working on developing a website.
11:43 < ecrist> sander_: don't have time. I spent time writing my own script.
11:43 < sander_> ssl-admin ?
11:44 < sander_> ecrist, any script you could share with me?
11:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:09 < ecrist> sure
12:10 < ecrist> it's in freebsd ports, ssl-admin, or it's on my svn server
12:10 < ecrist> !ssl-admin
12:10 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:10 < sander_> Ok.. I've already checked out ssl-admin.
12:12 < ecrist> ah, well, it's my script, so you asked for mine. ;)
12:13 < sander_> Yeah. Someone else told me about it some time ago.
12:13 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
12:14 < sander_> ecrist, my script can generate certs with only one command line.. (no menus)..
12:14 < sander_> Makes it easy to generate lots of certs automaticly.. for many clients at a time.
12:16 < fred^^> hi
12:16 < fred^^> can i ask a little question please ?
12:16 < sander_> Youve already asked one
12:16 < fred^^> i ?
12:16 < sander_> ;-)
12:16 < sander_> sure
12:17 < fred^^> i've read a lot of docs about openvpn conf
12:17 < fred^^> it work between linux and win vista using dev tap
12:17 < fred^^> but if i use dev tun
12:17 < fred^^> the connection is estabilished
12:17 < fred^^> but the two machine not ping
12:17 < fred^^> what's the problem?
12:19 < sander_> I have no idea what the diffrence on tun and tap is.
12:19 < fred^^> : (
12:20 < sander_> fred^^, why cant you use tap?
12:21 < fred^^> i must make
12:21 < fred^^> various examples
12:21 < Douglas> !tap
12:21 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
12:21 < vpnHelper> Douglas: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
12:21 < vpnHelper> Douglas: anything where the protocol uses MAC addresses instead of IP addresses.
12:21 < Douglas> tap is usually a bad thing
12:21 < fred^^> i've read
12:21 < fred^^> but with tun i've this problem
12:21 < fred^^> i'm make my test with firewalls stopped
12:22 < fred^^> so i don't know why it don't work
12:22 < sander_> !logs
12:22 < vpnHelper> sander_: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:22 < sander_> !configs
12:22 < vpnHelper> sander_: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:22 < fred^^> in server i'read Connection instan....
12:22 < fred^^> but
12:22 < fred^^> the machine don't ping
12:23 < fred^^> and in my 1 client i receive the ip 10.8.0.6
12:23 < fred^^> while with tap i receive 10.8.0.2
12:23 < fred^^> using openvpn site's examples
12:23 < sander_> fred^^, You need to provide logs and config files
12:24 < fred^^> i can paste conf here ?
12:24 < sander_> use a pastebin
12:30 < fred^^> http://pastebin.com/m75ba59a8
12:31 < fred^^> these are my files
12:33 < sander_> fred^^, and logs
12:34 < sander_> fred^^, You should have diffrent cert and key's on the server and client
12:35 < fred^^> for test i've used the same
12:35 < fred^^> with tap it works
12:36 < sander_> fred^^, Then you should add "duplicate-cn" in your server config file
12:37 < sander_> fred^^, I need the logs of the client and server
12:37 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
12:38 < fred^^> ok
12:38 < fred^^> i now make log
12:47 < fred^^> sander_
12:47 < fred^^> here the complete log http://pastebin.com/m78239d92 with config files
12:51 < sander_> !interface
12:51 < vpnHelper> sander_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
12:52 < sander_> Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)<-- I dont know what this error message means
12:53 < sander_> Anyone else know about that?
12:59 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
13:06 -!- ponyofdeath [n=vladi@cpe-75-80-161-192.san.res.rr.com] has joined ##openvpn
13:09 < ponyofdeath> hi, i have 3 net's connected via routed vpn's and am now wondering how i can set up the wins servers. i have samba boxes at each net. should i pass the samba boxes ips to each net's dhcp servers as wins?
13:11 < fred^^> sander_ i've resolved my problem
13:12 < fred^^> the problem was the openvpn version on win vista
13:12 < fred^^> now it works very well with dev tun
13:12 < fred^^> :)
13:17 < skarab> I'm running a working daemon on UDP 1194 and I want an identical one for TCP 1194 (at the same time). Is this possible?
13:18 < Douglas> question
13:18 < Douglas> if i use the easy rsa, make 10 certs, then build dh
13:18 < Douglas> if i want to add new certs, do i just build them and rebuild dh?
13:19 < fred^^> no
13:19 < fred^^> you don't rebuild dh
13:19 < Douglas> it didnt work for me last time without rebuilding dh so i didnt know
13:20 < fred^^> mmm
13:28 < Douglas> http://www.cnn.com/video/#/video/us/2009/07/11/vanderveen.ladybug.infestation.kusa
13:28 < Douglas> o.O
13:28 < vpnHelper> Title: Video - Breaking News Videos from CNN.com (at www.cnn.com)
13:28 < Douglas> COOOOOOOOOOOOOOOOO;L
13:37 < fred^^> Douglas
13:37 < fred^^> have you used route sometimes ?
13:38 < fred^^> if i've a server end i set the route to a lan behind a client
13:38 < fred^^> it can work ?
13:38 < Douglas> i am not a vpn guy
13:38 * Douglas doesnt know much
13:38 < Douglas> i just run the forum
13:38 < fred^^> okokokk
13:41 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 110 (Connection timed out)]
13:59 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
14:10 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
14:12 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
14:15 -!- TomJ- [n=tomj@121.243.61.66] has joined ##openvpn
14:17 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
14:31 -!- TomJ [i=TomJ@115.240.57.118] has quit [Read error: 110 (Connection timed out)]
14:42 -!- fred^^ [n=a@87.3.87.30] has quit []
14:49 -!- TomJ- is now known as TomJ
14:58 < Douglas> can you only have one "route" line
14:58 < Douglas> or as many as yo uant
14:58 < Douglas> you want
15:13 < krzie> as many as you want
15:13 < krzie> but theres a limit to the ones you push
15:13 < Douglas> well im doing 7 clients
15:13 < krzie> the route line just adds the route to the local kernel
15:13 < Douglas> what's the limit
15:13 < krzie> !pushlim
15:13 < vpnHelper> krzie: Error: "pushlim" is not a valid command.
15:13 < krzie> !factoids search lim
15:13 < vpnHelper> krzie: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
15:13 < Douglas> per ccd entry? or in total
15:14 < krzie> per client
15:14 * Douglas is experimenting with ccd
15:14 < Douglas> thats fine lol
15:14 < krzie> regardless if its from ccd or not
15:14 < Douglas> for example krzie..
15:14 < Douglas> client-config-dir ccd
15:14 < Douglas> route 172.18.154.4 255.255.255.252
15:14 < Douglas> that
15:14 < krzie> i dont need an example, i understand
15:14 < Douglas> nono
15:14 < krzie> except thats not a push
15:14 < Douglas> i want to make sure im donig it right
15:14 < Douglas> doing
15:14 < ecrist> 12:14 ##openvpn: < sander_> ecrist, my script can generate certs with only one command line.. (no menus)..
15:14 < ecrist> whoopdy fucking-doo
15:14 < krzie> lol
15:15 < Douglas> krzie, if i put "ifconfig-push 172.18.154.5 172.18.154.6" in the ccd/client1 entry
15:15 < krzie> cant easy-rsa generate certs with only commandline?
15:15 < Douglas> and the route line
15:15 < Douglas> is that correct?
15:15 < ecrist> openssl can generate certs with only one command line, too
15:15 < Douglas> route in server.conf, that in ccd
15:15 < krzie> !static
15:15 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:15 < Douglas> hrmm
15:16 < krzie> douglas, are you trying to rebuilt --server?
15:16 < Douglas> what?
15:16 < Douglas> lol
15:16 < krzie> if so, see --server, it will tell you exactly what it does
15:16 < krzie> sounds like your doing exactly what --server natrually does
15:16 < Douglas> !man
15:16 < vpnHelper> Douglas: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:17 < Douglas> krzie, that just dhcp's basically
15:17 < Douglas> doesnt it?
15:17 < krzie> see --server
15:17 < Douglas> im reading it
15:17 < Douglas> A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. The server itself will take the ".1" address of the given network for use as the server-side endpoint of the local TUN/TAP interface.
15:17 < Douglas> sounds dhcp
15:17 < Douglas> kinda
15:17 < Douglas> if it just hands out
15:21 < Douglas> ill test this
15:26 < krzie> and what exactly do you think your ifconfig-push / push route does...?
15:26 < Douglas> doesnt that give a specific ip
15:26 < Douglas> every time
15:26 < Douglas> ?
15:27 < krzie> (btw dhcp does a lot more than just hand out an ip)
15:27 < krzie> yes, for that you still use --server, and !static)
15:27 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn
15:28 < Douglas> !static
15:28 < vpnHelper> Douglas: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:28 < Douglas> ohh, wait
15:28 < Douglas> --server
15:28 < Douglas> yes
15:28 < Douglas> i have that specified already
15:28 < Douglas> !paste
15:28 < vpnHelper> Douglas: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:28 < krzie> server 10.8.0.0 255.255.255.0
15:28 < Douglas> yes
15:28 < Douglas> hold
15:28 < Douglas> let me pastebin
15:28 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
15:29 < krzie> ccd file / ifconfig-push 10.8.0.6 255.255.255.0
15:29 < Douglas> krzie: http://pastebin.ca/index.php
15:29 < Douglas> each ccd entry is like this:
15:29 < Douglas> (20:29:18) [root@nyc01-01-05] /etc/openvpn/ccd cat doug
15:29 < Douglas> ifconfig-push 172.18.154.2 255.255.255.0
15:29 < Douglas> but with each ip increasing by 1, like .2 .3 .4 .5 ec
15:29 < Douglas> etc*
15:29 < Douglas> err
15:29 < Douglas> wrong paste url
15:29 < Douglas> http://pastebin.ca/1491992
15:29 < Douglas> there
15:32 < krzie> you cant do numbering like that unless you use topology subnet and every client and the server is 2.1
15:33 < Douglas> topology subnet is enabled
15:33 < Douglas> as shown in config
15:33 < krzie> cool
15:33 < krzie> i didnt bother looking
15:33 < krzie> but ill take a look for ya
15:33 < Douglas> lo
15:33 < Douglas> l
15:34 < krzie> you dont need ANY of those route entries
15:34 < Douglas> thats why they hav the ;
15:34 < Douglas> have
15:34 < krzie> as shown in --server
15:34 < Douglas> oh wait, the noe is there
15:34 < Douglas> one
15:34 * Douglas fix
15:34 < krzie> you dont have ; in front of the /24 route entry
15:34 < krzie> just remove them all
15:35 < krzie> 3072?
15:35 < krzie> stay within X^2
15:35 < krzie> so 2048 or 4096
15:35 < Douglas> why
15:36 < krzie> have you EVER seen encryption that didnt follow that rule?
15:36 < Douglas> no
15:36 < Douglas> but why not do 3072/
15:36 < Douglas> is there a flaw in it?
15:36 < krzie> im not sure, do you want to be the one who finds out the hard way?
15:36 < krzie> or maybe do things like the rest of the world
15:36 < Douglas> no but i dont wanna resign all the certs :(
15:37 < krzie> maybe you shoulda done it normal from the start then
15:39 < Douglas> lol
15:39 < Douglas> yes sir
15:42 < Douglas> krzie: you move that mailserver yet/
15:42 < krzie> nah
15:42 < krzie> too many projects not enough time
15:43 < krzie> i just finished coding up my hackintosh setup
15:43 < krzie> now i just install osx, run my program, and its done
15:43 < Douglas> win
15:43 < krzie> ya its a nice win
15:43 < Douglas> are you gonna cancel the colo since you havent gotten to it yet? (dont think im asking you to, its quite the opposite :P)
15:43 < krzie> and it sets it up so i can use software update like normal
15:44 < krzie> nah, no plans on doing that
15:44 < Douglas> uber
15:44 < krzie> im paid up for a bit arent i?
15:44 < Douglas> i may be upgrading colo space soon
15:44 < Douglas> 1/2 cab win
15:44 < Douglas> krzie: i think another monh
15:44 < Douglas> month
15:44 < Douglas> 1 or 2 more months
15:44 < krzie> shit
15:44 < krzie> i should start using that damn thing
15:44 < krzie> lol
15:44 < Douglas> lmao
15:44 * Douglas only did 3mos prepay
15:44 < Douglas> i dont like doing more
15:44 < Douglas> makes me have to be responsible
15:45 * krzie normally does yr at a time
15:45 < krzie> it makes me not need to worry about bills
15:45 < krzie> makes me have to be responsible
15:45 < krzie> ;]
15:46 < Douglas> yeah well i dont wanna have you prepay a year
15:46 < Douglas> and have me fuck up the biz 7 motnhs in
15:46 < Douglas> cuz then i cant give ya colo if i dont have the biz anymore
15:46 < krzie> ya i hear ya
15:46 < Douglas> 3 months i can survive on the savings in my bank account if need be at least
15:46 < Douglas> but thats it
15:46 < Douglas> so the 3072bit build dh took 190 minutes.. hope 2048 isnt as bad
15:51 < krzie> hehe
15:51 < krzie> i use 4096
15:51 < krzie> if you like i can gen them for you when im at home on a quad core
15:51 < krzie> but doing it now yourself would result in a faster finish since i wont be home til night
15:52 < krzie> i dont leave a way into my home network tho, so cant access from here
15:52 < Douglas> im doing it on a 478 p4
15:52 < Douglas> lol
15:52 < Douglas> krzie, where is "here"
15:52 < krzie> work
15:55 < krzie> you like the UFC?
15:55 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 15:56 < Douglas> krzie: i havent seen it in ages 15:56 < Douglas> never was too into it 15:57 < krzie> im very very into it 15:57 < krzie> but i also wrestled through highschool, spent yrs in tae kwon do, and trained some jiu jitsu 15:57 < krzie> and have always loved to fight 15:58 < krzie> so i guess it makes sense 15:58 < krzie> there is gunna be a BADASS night of UFC tonight 15:58 < krzie> i will be winning $500 on it ;] 15:58 < krzie> (its legal to bet here) 16:00 < Douglas> uber 16:00 < Douglas> colo fees 16:01 < krzie> actually 16:01 < krzie> imma need that for vacation 16:01 < krzie> im going going back back to cali cali 16:01 < Douglas> o shit 16:01 < Douglas> win 16:04 < Douglas> krzie, my ccd/server.conf are correct to do what i want, right? 16:05 < krzie> paste them again, with client too pls 16:06 < Douglas> http://pastebin.ca/1492009 16:06 < Douglas> everything connects fine nad works 16:06 < Douglas> and 16:06 < Douglas> only tried w/1 client tho 16:06 < krzie> wow the new dh params already gen'ed? 16:06 < Douglas> the 2048 yes 16:07 < Douglas> about 5mins ago 16:07 < krzie> coolness 16:07 < krzie> welp 16:07 < krzie> thats a good looking config 16:07 < Douglas> should work? 
16:07 < krzie> you even did the tls static key and server cert signed right 16:07 < Douglas> lol 16:08 < krzie> not just should work, is perfect 16:08 < Douglas> ive set up enough vpns i should be able to do the basics 16:08 < Douglas> god damn 16:08 < krzie> i have no suggestions 16:08 < Douglas> this is like my 20th 16:08 < Douglas> all usually stay up like 1 week 16:08 < Douglas> then i rm 16:08 < Douglas> Im gonna lock down ssh like you had said a while back, sshd over vpn only 16:08 < krzie> ay3 16:08 < krzie> aye 16:08 < Douglas> it works out well for me since i have kvm to every box, and serial console to every vps 16:08 < Douglas> so if it breaks, i can fix right away 16:08 < krzie> especially with the new ssh sploit rumors 16:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:09 < Douglas> i think that's a fallacy 16:09 < krzie> i dont 16:09 < Douglas> i upgraded regardless 16:09 < krzie> they say its against 4.3, which is very old 16:09 < krzie> i didnt need to upgrade, i never run that old shit 16:09 < Douglas> esc 16:09 < Douglas> sec 16:09 * Douglas is dancing to the kill dash nine son 16:09 < Douglas> g 16:09 < krzie> one of the first things i always do is install openssh-portable from ports 16:10 < Douglas> i need to buy a half cabinet 16:10 * Douglas doesnt have enough money though 16:11 < krzie> well 16:11 < krzie> put what you have on st pierre tonightin UFC 16:11 < krzie> and you'll be all good 16:12 < Douglas> k 16:12 < Douglas> 2500 on thebig guy 16:12 < Douglas> if i lose, i have 0 savings 16:12 < krzie> shit, if i lose tonight i have negative savings 16:13 < Douglas> rofl 16:13 < krzie> 1470 to win 500 16:13 < krzie> hes a big favorite 16:14 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 16:24 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 16:31 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] 
has joined ##openvpn 16:33 -!- troy- is now known as troy 16:34 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Client Quit] 16:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:44 -!- kyrix [n=ashley@91-115-187-248.adsl.highway.telekom.at] has joined ##openvpn 16:56 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 17:01 -!- Douglas [i=doug@64.18.144.4] has quit [] 17:03 -!- kyrix [n=ashley@91-115-187-248.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 17:04 -!- kyrix [n=ashley@188-23-188-51.adsl.highway.telekom.at] has joined ##openvpn 17:13 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has joined ##openvpn 17:19 -!- kiwi_ [n=kiwi@91.121.155.197] has quit ["Leaving."] 17:24 -!- bandinia [n=bandini@host151-110-dynamic.16-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 17:27 -!- p3ri0d [i=p3ri0d@200.2.154.225] has joined ##openvpn 17:27 -!- p3ri0d [i=p3ri0d@200.2.154.225] has quit [Read error: 54 (Connection reset by peer)] 17:30 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 17:42 -!- kyrix [n=ashley@188-23-188-51.adsl.highway.telekom.at] has quit [Read error: 113 (No route to host)] 17:56 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 17:56 -!- troy is now known as troy- 18:05 -!- skarab [n=skarab@bb-87-80-113-141.ukonline.co.uk] has quit ["rcirc on GNU Emacs 23.0.91.1"] 18:20 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:20 < Dougy[home]> does openvpn create a file when it starts 18:20 < Dougy[home]> somewhere 18:20 < Dougy[home]> and remove it when it dies/stops? 
18:20 < krzie> --pid ild assume
18:21 < krzie> nope, lemme check
18:21 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has joined ##openvpn
18:21 < Dougy[home]> want to make it create some kind of file and remove it when it does
18:21 < Dougy[home]> dies
18:21 < Dougy[home]> so i can run a cron to make sure it works
18:22 < krzie> couldnt your cron check if openvpn is running in ps?
18:23 < krzie> if !(ps auxww|grep openvpn|grep -v grep) then; openvpn command
18:23 < krzie> fi
18:23 < krzie> or something of that nature
18:24 < Dougy[home]> thats above me
18:24 < Dougy[home]> hmm
18:24 < krzie> 1sec ill make the 1liner for you
18:24 < Dougy[home]> that would work too
18:24 < krzie> since you're such a nice guy
18:24 < Dougy[home]> so krzie
18:24 < Dougy[home]> i could do like
18:24 < Dougy[home]> #!/bin/bash
18:25 < Dougy[home]> openvpn=`ps auxf|grep openvpn|grep -v grep`
18:25 < Dougy[home]> er
18:25 < Dougy[home]> yeah, then do like wc, and if it returns 1 then nothing, and if it returns 0, start it?
18:25 < krzie> no need for a var
18:28 < krzie> (! ps auxw|grep 'openvpn') &&
18:28 < krzie> thats the whole script
18:28 < krzie> assuming only 1 openvpn instance
18:30 < krzie> oh wait a sec
18:30 < krzie> i gotta redirect output
18:30 < krzie> or you'll be getting emails
18:30 < Dougy[home]> lol
18:30 < Dougy[home]> nice
18:31 < Dougy[home]> what redirects output to /dev/null
18:32 < krzie> (! ps auxw|grep 'openvpn')&> /dev/null &&
18:32 < krzie> that says:
18:33 < Dougy[home]> is that /bin/sh ?
18:33 < krzie> if the opposite of `ps auxw|grep 'openvpn'` is 1, run the without ANY output
18:33 < krzie> when a command runs successfully, it exist with exit code 1
18:34 < krzie> when not, 0 usually
18:34 < krzie> exits
18:34 < krzie> the ! flips it
18:34 < Dougy[home]> nice
18:34 < krzie> i need it to be 1 to run the thing after &&
18:34 < Dougy[home]> i thought of a long complicated way todo it
18:34 < krzie> so i take the opposite
18:35 < Dougy[home]> s/of a/of the/
18:35 < krzie> of a was right
18:35 < krzie> theres many many ways of course
18:35 < krzie> --writepid file
18:35 < krzie> Write OpenVPN's main process ID to file.
18:35 < krzie> thats what you were looking for
18:35 < krzie> (fyi)
18:35 < Dougy[home]> yeah, i dont even need that if i have something to check ps
18:35 < Dougy[home]> but danke
18:35 < krzie> yup, was just fyi
18:39 < krzie> and yes it will work in sh or bah
18:39 < krzie> bash
18:40 < krzie> you can just crontab that line if you use full paths or set path in crontab
18:40 < krzie> the joy of 1 liners
18:40 < krzie> but dont forget to test it
18:40 < Dougy[home]> yeah
18:43 < Dougy[home]> #!/bin/bash
18:43 < Dougy[home]> openvpn=`ps auxf|grep openvpn|grep -v grep|wc -l`
18:43 < Dougy[home]> if [ "$openvpn" == "0" ]; then
18:43 < Dougy[home]> cd /etc/openvpn ; /usr/local/sbin/openvpn client.ovpn > /dev/null &
18:43 < Dougy[home]> fi
18:43 < Dougy[home]> perfect
18:44 < krzie> umm
18:44 < Dougy[home]> sup?
18:44 < krzie> you just turned a 1 liner into 5 lines with adding NOTHING
18:44 < Dougy[home]> hahaha
18:44 < krzie> did you see a reason to doing that?
18:44 < victor_> ps -C openvpn &> /dev/null || { cd /etc/openvpn ; /usr/local/sbin/openvpn client.ovpn > /dev/null & }
18:44 < Dougy[home]> but i understand the 5liner
18:44 < Dougy[home]> thats the difference
18:44 < Dougy[home]> lol
18:45 < victor_> mine's nicer!
18:45 < krzie> first of all, you dont need to cd
18:45 < Dougy[home]> krzie, my config cheaps out
18:45 < Dougy[home]> its just keys/ca.crt etc
18:45 < Dougy[home]> not the full path
18:45 < victor_> and it will probably daemonize automatically?
18:45 < krzie> then use cd in the config file
18:45 < krzie> victor_ if he has daemon in the config file it will
18:45 < Dougy[home]> ffs
18:45 < Dougy[home]> !man
18:46 < vpnHelper> Dougy[home]: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:46 < krzie> victor_ and && is usually safer than ||
18:46 < krzie> other things can cause a fail ;]
18:46 < krzie> in my experience at least
18:46 < victor_> in what way is && safer than ||?
18:46 < victor_> the reason || exists is for this exact reason
18:47 -!- TomJ [n=tomj@121.243.61.66] has quit []
18:47 < krzie> *shrug* ive seen unexpected results in weird conditions with || whereas && has always behaved
18:47 < victor_> that sounds like sbs
18:47 < krzie> cool, i dont have a reason to try to convince you of anything
18:50 < victor_> especially since the only thing that would convince me is proof
18:51 < victor_> it's probably some other factor in the script that worked out in such a way that it seemed like it was || / && that was acting up.
18:51 < krzie> could be
18:51 < krzie> when i rewrote for && i never saw it again
18:51 < krzie> but that is entirely possible
18:53 < krzie> ps -C tho...
18:53 < krzie> -C Change the way the CPU percentage is calculated by using a
18:53 < krzie> ``raw'' CPU calculation that ignores ``resident'' time (this nor-
18:53 < krzie> mally has no effect).
18:53 < victor_> what system are you running?
18:53 < krzie> FreeBSD
18:54 < krzie> my way with grep adds a command, but works across OS's
18:54 < victor_> ok, given, i only linux.
18:54 < victor_> does the grep version that comes with freebsd support -q ?
18:55 < krzie> i stick to darwin/fbsd, but my scripts always aim to support darwin/fbsd/linux/opensol
18:55 < krzie> lemme check
18:55 < krzie> Pattern not found (press RETURN)
18:55 < krzie> nope
18:55 < victor_> you're messing out
18:55 < victor_> *missing
18:56 < krzie> whats it do? im not home so no lin VM handy
18:56 < victor_> but your script will always return true
18:56 < victor_> -q doesn't output anything to stdout, but returns true if the pattern matched
18:56 < krzie> no it wont
18:56 < victor_> ps auxf|grep openvpn should always return true since the "grep openvpn"-process will be shown?
18:57 < krzie> if that command returns true ! flips it to false
18:57 < krzie> thats why it was 'openvpn'
18:57 < krzie> that removes the grep
18:57 < krzie> =]
18:57 < victor_> uhm, no?
18:57 < krzie> umm, try it
18:57 < victor_> i just did
18:57 < victor_> openvpn still matches the string 'openvpn'
18:57 < krzie> for the grep command?
18:57 < victor_> and 'openvpn' will still be sent to the program as just the string openvpn because it's the shell that interprets the argument
18:58 < krzie> root@hemp:~> (! ps auxw|grep 'openvpn')&> /dev/null && echo no
18:58 < Dougy[home]> is there a commandline tool
18:58 < krzie> root@hemp:~>
18:58 < Dougy[home]> to print list of openvpn's connected clients
18:58 < Dougy[home]> and their ip(s)
18:58 < krzie> root@hemp:~> ( ps auxw|grep 'openvpn')&> /dev/null && echo no
18:58 < krzie> no
18:58 < krzie> root@hemp:~>
18:58 < krzie> see?
18:58 < Dougy[home]> that'd be useful
18:58 < victor_> krzie: run the following: ps auxw|grep 'openvpn'
18:58 < krzie> dougy, management interface, see manual
18:59 < Dougy[home]> screw that
18:59 < krzie> root@hemp:~> ps auxw|grep 'openvpn'
18:59 < krzie> vpn 885 0.0 0.2 3680 2580 ?? Ss 10Jun09 35:27.87 /usr/local/sbin/openvpn --cd /home/krzee/vpn --daemon openvpn --con
18:59 < krzie> nobody 1037 0.0 0.2 3600 2352 ?? Ss 10Jun09 9:11.09 /usr/local/sbin/openvpn --daemon --config /home/krzee/VPN/bridge.co
18:59 < krzie> root@hemp:~>
18:59 < Dougy[home]> i just want a quick commandline go
18:59 < krzie> dougy, youd make it, based on communicating with management interface
18:59 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
18:59 < victor_> victor@zum:~$ ps auxw|grep 'openvpn'
18:59 < victor_> victor 27320 0.0 0.0 7524 908 pts/12 S+ 02:00 0:00 grep openvpn
18:59 < krzie> interesting
18:59 < victor_> that's how it should be
19:00 < victor_> it happens ~50% of the times i run it though
19:00 < victor_> so i assume it's a race condition
19:00 < krzie> root@hemp:~> ps auxwww|grep openvn
19:00 < krzie> root 20661 0.0 0.1 1600 1028 p4 S+ 5:00PM 0:00.00 grep openvn
19:00 < krzie> root@hemp:~> ps auxwww|grep 'openvn'
19:00 < krzie> root@hemp:~>
19:00 < victor_> but usually one would use ps aux|grep '[o]penvpn' to mitigate that
19:00 < krzie> oh THATS right
19:00 < krzie> thats what i was tryin to think of
19:00 < krzie> thanx
19:00 < victor_> :)
19:01 < victor_> i actually learned that trick from one of the stupidest guys i've ever met
19:01 < krzie> =]
19:01 < victor_> that was pretty embarrassing :)
19:01 < krzie> i learned it from a very smart guy
19:01 < krzie> our very own reiffert
19:01 < krzie> and you seem smart, so no embarrassment here
19:02 < victor_> if there's one thing i know, it's how to write fast bash-scripts... however... they never work on any other platform that linux :)
19:02 < krzie> ya i write them quick, but then i need to test them on my VM's for compat
19:02 < krzie> lil things always pop up
19:03 < krzie> like crontab -l -u krzee in fbsd/darwin/linux
19:03 < krzie> but in opensolaris its -l krzee
19:03 < krzie> no -u
19:04 < krzie> end up with case $OS in
19:04 < krzie> hehe
19:04 < krzie> *shrug*
19:04 < krzie> did you catch that dougy?
19:05 < krzie> you should grep [o]penvpn
19:05 < krzie> you should grep '[o]penvpn' rather
19:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
19:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:17 < Dougy[home]> !vista
19:17 < vpnHelper> Dougy[home]: Error: "vista" is not a valid command.
19:17 < Dougy[home]> !windows
19:17 < vpnHelper> Dougy[home]: Error: "windows" is not a valid command.
19:17 < Dougy[home]> KRZIE HELP
19:18 < Dougy[home]> what do you need to do to make redirect-gateway work on windows
19:18 < Dougy[home]> vista
19:25 < krzie> is it having problems adding routes in general
19:25 < krzie> ?
19:25 < krzie> otherwise you need the exact same stuff as other OS's (!redirect)
19:26 < krzie> logs will tell you if its having problems adding routes (i guess routing table would too)
19:26 < krzie> if it IS in fact having problems with that, !winroute
19:26 < Dougy[home]> no idea, its not for me
19:26 < Dougy[home]> its for my friend
19:26 < krzie> well he should be in here then
19:26 < Dougy[home]> i gave him my piece of crap centos single client openvpn script
19:26 < krzie> i dont do troubleshooting by proxy
19:26 < Dougy[home]> im not asking you to
19:26 < Dougy[home]> just asking what mods were needed for vista
19:26 < krzie> none
19:27 < Dougy[home]> ie anything other (normally) besides route-method exe
19:27 < krzie> !winroute
19:27 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
19:27 < krzie> !redirect
19:27 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:27 < krzie> the second and third part of redirect are only for the server
19:28 < krzie> well i guess if you push the redirect-gateway, all 3 are on the server
19:32 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn
19:35 < celsiux-> !route
19:35 < vpnHelper> celsiux-: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:42 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
19:44 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has quit [Client Quit]
19:47 < celsiux-> Hello, I need some help I have installed successfully openvpn and I can connect and ping but not access to internet this is using a VPS , I have installed and configured correctly before openvp but on a dedicated server and routing using iptables and nat but doesnt seem to work in the VPS , somebody with experience on that who can help? I am willing to pay to solve the issue
19:50 < celsiux-> !redirect
19:50 < vpnHelper> celsiux-: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:50 < celsiux-> !nat
19:50 < vpnHelper> celsiux-: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
19:50 < krzie> the server is on the vps?
19:51 < celsiux-> it is a vps from vpsville.com 19:51 < krzie> i have seen users that had to get their vps companies to modify their kernels to make it work 19:51 < celsiux-> all works on the openvpn side but cannot make work the routing so it has internet connection 19:51 < krzie> but nobody reported back on our wiki as requested =[ 19:51 < celsiux-> ya it supports it 19:51 < celsiux-> the issue is that some dont have enabled dev/tun 19:52 < celsiux-> on vpsville you can enable it and is enabled now 19:52 < Dougy[home]> vpsville 19:52 < Dougy[home]> they are familiar 19:53 < Dougy[home]> arent they the provider who only does like 1 ip 19:53 < celsiux-> the only thing is that by example I do this on a normal server sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 19:53 < Dougy[home]> vpsville.net? 19:53 < Dougy[home]> oh .com 19:53 < krzie> but maybe you cant make your NAT work 19:53 < krzie> !linnat 19:53 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 19:53 < krzie> yup, looks right 19:53 < celsiux-> but I have not eth0/1 19:53 < krzie> and ipforwarding is enabled>? 19:53 < celsiux-> I have venet0 19:54 < celsiux-> and throws an error 19:54 < celsiux-> ya 19:54 < krzie> well obviously, change -o 19:54 < celsiux-> set to 1 19:54 < krzie> to venet0 19:54 < celsiux-> you mean like sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE 19:54 < celsiux-> I did that 19:54 < Dougy[home]> anyone wanna rent a pentium 4 for 60bones? 
19:55 < victor_> bones is not a controlled currency 19:55 < Dougy[home]> s/bones/us dollars/ 19:55 < celsiux-> when I do the above with venet0 says : iptables: No chain/target/match by that name 19:55 < Dougy[home]> venet0 ewwwww 19:56 < krzie> celsiux- you dont have NAT enabled in your kernel 19:56 < celsiux-> damm :/ 19:56 < krzie> try enabling it 19:56 < krzie> VPS you have control over your kernel 19:57 < celsiux-> oh let me see if I have access to that on vpsville control panel 19:57 < celsiux-> or I can do it on ssh command line? 19:57 < Dougy[home]> no 19:57 < Dougy[home]> you dont 19:57 < Dougy[home]> not in openvz you dont 19:57 < Dougy[home]> xen yes 19:57 < Dougy[home]> celsiux-, you need to contact your provider 19:58 < Dougy[home]> they may even need to reboot the hostnode to accommodate your request 19:58 < celsiux-> so I only have to request nat enable? is it a module i guess 19:58 < Dougy[home]> yes it is 19:58 < Dougy[home]> ipt_nat 19:58 < Dougy[home]> http://wiki.openvz.org/Using_NAT_for_VE_with_private_IPs 19:58 < vpnHelper> Title: Using NAT for container with private IPs - OpenVZ Wiki (at wiki.openvz.org) 19:58 < celsiux-> whats the command who tells you if a module is enabled? 
19:58 < krzie> dougy, why dont you write a writeup on the wiki for that 19:58 < krzie> you can plug your company in it too ;] 19:58 < celsiux-> because actually vpsville offer some vps openvpn ready 19:59 < Dougy[home]> krzie, im lazy 19:59 < krzie> like "if you wanna avoid this, get a vps from bergenhosting.com" 19:59 < Dougy[home]> lmfao 19:59 < Dougy[home]> thats douchey 19:59 < krzie> *shrug* it would lead to you being advertised 19:59 < Dougy[home]> and i dont sell vps's anymore really 19:59 < Dougy[home]> just servers 19:59 < krzie> oh 19:59 < Dougy[home]> vps's are a pain in the ass 19:59 < krzie> i bet 20:00 < krzie> well if you dont do VPS's and someone asks you for one, send them to my buddy at nerios 20:00 < krzie> hes in #nerios on efnet, named array, anyone who knows me gets a discount 20:00 < celsiux-> krzie: site? 20:00 < krzie> nerios.net 20:01 < celsiux-> all they come with all needed for openvpn? 20:01 < krzie> and he does way more support than any vps should 20:01 < krzie> yes they do 20:01 < krzie> and ive even seen him setup sql/apache/phpmyadmin/etc for people 20:01 < krzie> upon request 20:01 < celsiux-> oh cool 20:01 < krzie> basically, hes not afraid to hold someones hand 20:01 < Dougy[home]> krzie, i know them 20:01 < Dougy[home]> he was on my IRC net last wee 20:01 < Dougy[home]> k 20:01 < Dougy[home]> systeminplace owns them, dont they? 20:01 < krzie> not owns 20:02 < krzie> but yes, thats who he works with 20:02 < Dougy[home]> yes 20:02 < Dougy[home]> nenolod is the shit 20:02 < krzie> ya man, hes cool 20:02 < Dougy[home]> i am a client of his 20:02 < krzie> lol no kiddin 20:02 < Dougy[home]> he and i go back.. 20:02 < Dougy[home]> 5 years? 20:02 < Dougy[home]> maye 6 20:02 < Dougy[home]> maybe 20:02 < krzie> i have a vps with array even 20:02 < krzie> only vps ive ever had 20:02 < krzie> i use it to monitor stuff with zabbix 20:02 < Dougy[home]> nice 20:02 < Dougy[home]> zabbix.. 
never could make it work right 20:03 < krzie> thats what everyone tells me when i say i use it 20:03 < krzie> it wasnt 'that' complicated... 20:04 < Dougy[home]> i could never make zenoss work 20:04 < Dougy[home]> zabbix confused me to death 20:04 < Dougy[home]> nagios i made work after 6 hours or so 20:04 < krzie> nagios cant do a simple icmp check 20:04 < krzie> which is all i really wanted 20:04 < Dougy[home]> yes it can.. 20:04 < Dougy[home]> it does for me 20:04 < Dougy[home]> check_ping 20:04 < krzie> heh, thats what i had read when looking into both 20:04 < Dougy[home]> krzie, write a zabbix guide and put me in the credits anyway 20:04 < Dougy[home]> ROFL 20:04 < krzie> but screw it, zabbix is working great 20:05 < krzie> shit no, zabbix is setup and working, im never looking at it again 20:05 < Dougy[home]> lmfao 20:05 < Dougy[home]> was that much of a pain in the ass eh 20:05 < krzie> nah but im done with it 20:05 < Dougy[home]> i wrote a nagios device config generator 20:06 < Dougy[home]> Block has been created: 20:06 < Dougy[home]> define host{ 20:06 < Dougy[home]> use 20:06 < Dougy[home]> host_name l3ns 20:06 < Dougy[home]> alias l3ns 20:06 < Dougy[home]> address 4.2.2.2 20:06 < Dougy[home]> } 20:06 < Dougy[home]> uber 20:07 < Dougy[home]> wow 20:07 < Dougy[home]> i7 920s on sale for cheap 20:08 < krzie> nice 20:08 < Dougy[home]> $200 20:08 < Dougy[home]> for i7 920 20:08 < krzie> as for the zabbix thing 20:08 < krzie> you know how many projects i have going... 
20:08 < krzie> i still havnt even moved that mail server fully 20:08 < Dougy[home]> lol 20:09 < krzie> so screw going back to old projects to document them 20:09 < krzie> there is TONS of zabbix docs 20:09 < krzie> people just dont read them enough 20:09 < Dougy[home]> i dont have time to sit and read docs 20:09 < krzie> (reminds me of openvpn) 20:09 < Dougy[home]> just like people wanted me to read the 400 page fucking manual for iptables 20:09 < Dougy[home]> screw you 20:09 < krzie> ya pf > iptables 20:09 < krzie> iptables gets confusing 20:10 < krzie> pf is just nice 20:10 < Dougy[home]> lol 20:10 < krzie> but hey, im just a bsd guy, im sure plenty of people fully disagree, and niether of us are right or wrong really 20:10 < Dougy[home]> indeed 20:10 < Dougy[home]> ipfw annoys me 20:10 < krzie> why? ipfw is easy 20:10 < Dougy[home]> i donno 20:10 < krzie> i used to use it yrs ago 20:10 < Dougy[home]> it just does 20:11 < krzie> is iptables first match or last match? 20:11 < Dougy[home]> what? 20:11 < krzie> ipfw is first match, ipf/pf is last match... that confuses some 20:11 < krzie> ipfw the first rule matched is used 20:12 < krzie> ipf/pf keeps a record of if the packet will pass or be blocked, and goes down all the rules, last thing it matched is what happens 20:12 < krzie> unless quick is in the command, which makes it stop there 20:23 < celsiux-> krzie: btw thanks I contacted array he seems really helpful 20:24 < celsiux-> getting a vps tomorrow with him 20:24 < celsiux-> but still have this one which need to setup so from what you see the thing is the lack of nat module right? 
20:27 < krzie> np man, hes the shit 20:29 < Dougy[home]> celsiux-, fwiw 20:29 < Dougy[home]> any xen vps host (any proper one) 20:29 < Dougy[home]> wont have any iptables/nat/tun issues 20:32 < celsiux-> ya I am getting one from array but I have already the one in vpsville which has tun tap enabled 20:32 < celsiux-> so want to get that up too 20:32 < celsiux-> is not xen tho 20:33 < Dougy[home]> ah 20:34 < celsiux-> also is supposed to work because they do support openvpn 20:34 < celsiux-> but the thing is that I am not openvpn or sys admin expert 20:38 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [] 20:46 -!- c64zotte1 [n=hans@p5B17AD68.dip0.t-ipconnect.de] has joined ##openvpn 20:49 -!- troy- is now known as troy 21:34 < sander_> ecrist, I meant... that my script can generate all certs neceserry for an advanced client/server setup with only one command. 21:59 -!- troy is now known as troy- 22:26 < Dougy[home]> krzie, im watching ufc 22:26 < Dougy[home]> over a stream 22:42 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Nice Scotty, now beam my clothes up too!"] 22:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 22:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:04 -!- YpsyZNC is now known as Ypsy 23:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 23:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:34 -!- Ypsy is now known as YpsyZNC 23:35 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has left ##openvpn [] 23:46 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn --- Day changed Sun Jul 12 2009 01:39 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has joined ##openvpn 01:40 -!- master_of_master [i=master_o@p549D4661.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:43 -!- 
master_of_master [i=master_o@p549D46AC.dip.t-dialin.net] has joined ##openvpn 01:55 -!- c64zotte1 [n=hans@p5B17AD68.dip0.t-ipconnect.de] has quit [Remote closed the connection] 02:03 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 02:05 -!- c64zottel [n=hans@p5B17AD68.dip0.t-ipconnect.de] has joined ##openvpn 02:05 -!- c64zottel [n=hans@p5B17AD68.dip0.t-ipconnect.de] has left ##openvpn [] 03:11 -!- onats1 [n=15172@221.121.120.254] has quit [Read error: 104 (Connection reset by peer)] 03:11 -!- onats [n=15172@221.121.120.254] has joined ##openvpn 03:28 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 03:28 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 113 (No route to host)] 04:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:38 -!- barefoot [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 04:45 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)] 04:54 -!- barefoot is now known as magic_1 04:55 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 05:07 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 05:27 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 05:56 -!- thedoc [n=andelyx@bb116-15-82-30.singnet.com.sg] has joined ##openvpn 06:03 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:05 -!- thedoc [n=andelyx@bb116-15-82-30.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 06:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 06:36 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has joined ##openvpn 06:38 -!- |ns|nR8 [n=doof@124.184.17.207] has joined ##openvpn 07:02 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 07:12 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] 
has quit [] 07:18 -!- dazo [n=dazo@nat/redhat/x-6fb11294412736be] has quit [Read error: 110 (Connection timed out)] 07:21 -!- YpsyZNC is now known as Ypsy 07:50 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn 08:20 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 08:22 -!- |ns|nR8 [n=doof@124.184.17.207] has quit [Remote closed the connection] 08:28 -!- TomJ [n=tomj@121.243.61.66] has joined ##openvpn 08:36 < TomJ> my Windows OpenVPN client is failing to connect with the following errors: 08:36 < TomJ> Sun Jul 12 19:05:42 2009 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set address Local Area Connection 6 dhcp 08:36 < TomJ> Sun Jul 12 19:05:42 2009 openvpn_execve: CreateProcess C:\WINDOWS\system32\netsh.exe failed: The system cannot find the path specified. (errno=3) 08:36 < TomJ> Sun Jul 12 19:05:42 2009 ERROR: netsh command failed: external program did not execute -- returned error code -1 08:36 < TomJ> the error is correct. 
my windows directory is d:\Windows not c:\windows 08:36 < TomJ> but what I dont understand is that this OpenVPN client worked just fine for some time, I dont know what has changed to cause it to stop with these errors now 08:37 < TomJ> also I dont know why it seems to have a hardcoded check for c:\windows instead of using the windows %%SYSTEMROOT%% variable or whatever it is called (which would give it hte correct d:\windows path) 09:12 -!- p3ri0d [i=p3ri0d@200.2.154.225] has joined ##openvpn 09:21 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["He who laughs last, thinks slowest"] 09:22 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 09:31 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 09:33 -!- p3ri0d [i=p3ri0d@200.2.154.225] has left ##openvpn ["Leaving"] 09:33 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 09:44 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 10:00 -!- troy- is now known as troy 10:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 11:05 < ecrist> sander_: great, congratulations 11:11 -!- epaphus [n=unix3@201.199.62.74] has quit [Success] 11:22 -!- n0g0 [n=nogo@85-125-189-220.static.sdsl-line.inode.at] has quit ["quit"] 11:56 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:57 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn 11:57 -!- unix3_ [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 11:59 < krzee> TomJ, 11:59 < krzee> --win-sys path|'env' 11:59 < krzee> Set the Windows system directory pathname to use when looking for system executables such as route.exe and netsh.exe. 
By default, if this directive is not specified, the pathname will be set to "C:\WINDOWS" 11:59 < krzee> The special string 'env' indicates that the pathname should be read from the SystemRoot environmental variable. 12:00 < krzee> the manual is the first thing to look at for a question like that 12:00 < krzee> !man 12:00 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 12:01 < krzee> =] 12:06 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 12:10 < TomJ> krzee: ok thank you, so I just add "win-sys env" to my .ovpn file? 12:10 < TomJ> i'm still baffled why this worked before and then stopped working (my windows path did not change), but i won't care much if this works! 12:10 < TomJ> trying it now 12:11 < TomJ> worked! thank you very much. 12:24 -!- tjoffet [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 12:27 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 12:59 < krzee> np 12:59 < krzee> and i agree, env should be default 13:00 < krzee> or at least failover if the static didn't work 13:07 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 13:08 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit] 13:08 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn 13:34 -!- Ypsy is now known as YpsyZNC 14:10 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 14:19 -!- ikla [n=lbz@67.174.119.168] has quit ["ZNC - http://znc.sourceforge.net"] 14:19 -!- ikla [n=lbz@67.174.119.168] has joined ##openvpn 14:33 -!- TomJ [n=tomj@121.243.61.66] has quit [Read error: 110 (Connection timed out)] 14:45 -!- kyrix [n=ashley@93-82-13-190.adsl.highway.telekom.at] has joined ##openvpn 14:45 -!- bret [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 14:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit
["Tiplizek"] 14:53 -!- kyrix [n=ashley@93-82-13-190.adsl.highway.telekom.at] has quit [Remote closed the connection] 15:04 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 113 (No route to host)] 15:26 -!- troy is now known as troy- 15:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 15:50 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 15:54 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit ["Lost terminal"] 16:09 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [] 16:30 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:34 -!- bret is now known as CamargoBP-Mobile 16:44 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 16:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 16:50 -!- troy- is now known as troy 16:56 -!- xrx1 [n=xorsch@46.Red-83-36-42.dynamicIP.rima-tde.net] has joined ##openvpn 16:56 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 17:14 -!- tjoffet [n=a@c213-89-131-87.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 17:15 -!- xrx1 [n=xorsch@46.Red-83-36-42.dynamicIP.rima-tde.net] has left ##openvpn [] 17:23 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 17:33 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:04 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 18:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 18:42 -!- xp_prg [n=xp_prg3@adsl-76-199-100-115.dsl.pltn13.sbcglobal.net] has joined ##openvpn 19:01 -!- xp_prg [n=xp_prg3@adsl-76-199-100-115.dsl.pltn13.sbcglobal.net] has quit [Connection timed out] 19:06 -!- Douglas [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:10 < Douglas> I got some spare parts I'm gonna put into servers 
and build. Anyone wanna buy an old P4 server for 250bux? 19:10 * ecrist appends topic: This is not Dougy's 'Pimp my stuff' channel. 19:13 -!- |ns|nR8 [n=doof@CPE-124-180-84-51.vic.bigpond.net.au] has joined ##openvpn 19:14 < Douglas> ecrist, :( 19:14 < Douglas> but p4's aren't pimping 19:14 < Douglas> they are more like dumpster diving 19:19 < ecrist> lol 19:19 < Douglas> i thought that was a good comeback 19:19 * Douglas laughed 19:22 -!- troy is now known as troy- 19:30 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Connection timed out] 19:54 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 19:59 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 20:00 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [] 20:07 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Remote closed the connection] 20:18 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:18 < thedoc> Douglas, got your message, tuesday is fine. o/ 20:19 < Douglas> excellent 20:19 < Douglas> the other client still hasnt gotten back to me 20:19 < Douglas> so now he doesn't have a say 20:19 < thedoc> \o/ 20:28 < ecrist> I'm tired of IE6 bullshit 20:28 -!- |ns|nR8 [n=doof@CPE-124-180-84-51.vic.bigpond.net.au] has quit ["Leaving"] 20:28 < Douglas> ecrist, lol 20:29 < ecrist> too many fucking people still use it, and it doesn't support *any* of the heavily used CSS 20:30 < Douglas> :( 20:30 < ecrist> god forbid i want to float or inline-block an element. 20:30 < thedoc> ecrist, why are you using ie6? 20:30 < ecrist> thedoc: i'm not 20:30 < ecrist> users are 20:30 < ecrist> when one codes a site for the general populous, one must support what the general populous does. 20:30 < thedoc> ecrist, hammer and pliers. start pulling their fingernails out and beating their toes. 
20:31 < thedoc> they'll stop doing it soon enough 20:31 < thedoc> that's what we do in asia anyway. 20:31 < thedoc> in all seriousness, ie6 is shit 20:31 < ecrist> I'm developing an adult site for someone, all their complaints stem from problems they see because they're using IE6 20:32 < thedoc> doh 20:32 < thedoc> ecrist, oooo, adult site. 20:32 < thedoc> :) 20:32 < thedoc> i love free porn. 20:32 < thedoc> \o/ 20:32 * ecrist has ~600GB of bangbus and related videos. 20:32 < ecrist> plus another ~20GB of random porn. 20:32 < Douglas> ecrist wins. 20:33 < thedoc> ecrist, Care to share? :P 20:34 < ecrist> and about 5GB of Douglas' mom porn. 5GB not because there's that much video, but because there's that much of Dougy's mom. 20:34 < ecrist> BURN! 20:34 < Douglas> ROFL 20:34 < thedoc> ecrist, share porn pretty plz? :P 20:34 < ecrist> thedoc: remind me later this week. 20:34 < thedoc> ecrist, ding:) 20:34 < ecrist> the bangbus stuff is essentially offline from my webserver, as it's on an NFS share that's borked. 20:35 < ecrist> I need to fix it,and I'm too busy atm. 20:35 < thedoc> ah. 20:35 < thedoc> what other genre do you have? 20:35 < ecrist> well, bang bros has a slew of sister sites they do. 20:35 < thedoc> true that. 20:35 < ecrist> so, the ~600GB is an assortment of their stuff. 20:37 < thedoc> \o/ ecrist 20:39 < ecrist> looks like I need to update the .htaccess for my icon sets 20:40 < ecrist> done 20:43 * ecrist goes back to work. 
20:53 < Douglas> good 20:53 < Douglas> thats where you belong 20:53 < Douglas> stay working 20:53 < Douglas> bye 20:53 < Douglas> lol 21:18 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has joined ##openvpn 21:26 < Douglas> http://www.newegg.com/Product/Product.aspx?Item=N82E16819117176 21:26 < Douglas> somebody buy me 4 21:26 < vpnHelper> Title: Newegg.com - Intel Xeon E7450 Dunnington 2.4GHz 3 x 3MB shared L2 Cache 12MB L3 Cache Socket 604 90W Six-Core Server Processor - Processors - Servers (at www.newegg.com) 22:23 -!- Douglas [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Remote closed the connection] 22:26 -!- SkippyX [n=tor@adsl-99-166-179-232.dsl.hstntx.sbcglobal.net] has joined ##openvpn 22:28 < SkippyX> Is this a fairly active channel? I've got a buddy that's having problems getting it going. He's an Admin at a school district. 22:30 -!- SkippyX [n=tor@adsl-99-166-179-232.dsl.hstntx.sbcglobal.net] has quit [Client Quit] 22:33 < ecrist> wow 22:33 < ecrist> he was in here for about 4 minutes. 22:33 < ecrist> we're not *that* active 22:38 < thedoc> ecrist, you up for helping me scan a box for vulns? :P 23:01 -!- troy- is now known as troy 23:01 < ecrist> thedoc: not now. just finishing something, then hitting the sack. 23:01 < ecrist> tomorrow, for sure. 23:01 < thedoc> ecrist, aye, thanks :) 23:01 < thedoc> <3 23:16 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 23:45 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:52 -!- hackeron [n=hackeron@gentoo/user/hackeron] has joined ##openvpn 23:53 < hackeron> hey, I've just set up openvpn and it works beautifully - but the first client to connect got an IP of 10.8.0.6 - can I safely assume every time I will connect with this client, it will get this IP again? - if not, how can I make sure it's client gets its own static IP? 
23:53 < hackeron> s/it\'s/each --- Day changed Mon Jul 13 2009 00:17 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Read error: 60 (Operation timed out)] 00:19 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 00:35 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 00:42 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)] 00:45 < thedoc> ccd 00:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 110 (Connection timed out)] 00:52 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Tiplizek"] 00:52 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 01:40 -!- master_of_master [i=master_o@p549D46AC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:43 -!- master_of_master [i=master_o@p549D37C6.dip.t-dialin.net] has joined ##openvpn 01:46 -!- troy is now known as troy- 02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:29 -!- celsiux [n=Nullesd@pool-71-107-254-183.lsanca.dsl-w.verizon.net] has joined ##openvpn 02:35 -!- celsiux [n=Nullesd@pool-71-107-254-183.lsanca.dsl-w.verizon.net] has quit [Remote closed the connection] 02:42 -!- c64zottel [n=hans@p5B17AF39.dip0.t-ipconnect.de] has joined ##openvpn 02:42 -!- c64zottel [n=hans@p5B17AF39.dip0.t-ipconnect.de] has left ##openvpn [] 02:45 -!- dazo [n=dazo@nat/redhat/x-e22aadae28953346] has joined ##openvpn 02:52 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Success] 03:02 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 03:08 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 03:23 -!- skarab [n=skarab@host217-45-151-133.in-addr.btopenworld.com] has joined ##openvpn 04:26 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 05:01 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:28 -!- |ns|nR8 
[n=doof@CPE-124-180-84-51.vic.bigpond.net.au] has joined ##openvpn 06:20 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection] 06:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 06:26 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection] 06:26 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 06:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:00 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:11 < ecrist> morning, folks 07:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:24 -!- |ns|nR8 [n=doof@CPE-124-180-84-51.vic.bigpond.net.au] has quit ["Leaving"] 07:34 -!- EvilRoey [n=roey@wsip-98-172-31-179.dc.dc.cox.net] has quit [Read error: 104 (Connection reset by peer)] 07:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:02 -!- K10 [n=roidal@85-125-37-226.static.xdsl-line.inode.at] has joined ##openvpn 08:03 < K10> hi 08:03 < K10> is there no implementation for the udp6 protocol? 08:03 < K10> or ipv6 remotes 08:03 < K10> ? 08:04 < ecrist> nope 08:05 < K10> is it planned to add it? 08:07 < ecrist> eventually 08:08 -!- |ns|nR8 [n=doof@58.168.60.45] has joined ##openvpn 08:17 < K10> hm. 08:24 < K10> ok, thank you 08:39 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn 08:41 -!- |ns|nR8 [n=doof@58.168.60.45] has quit ["Leaving"] 08:51 -!- eliasp_ is now known as eliasp 08:54 < hackeron> hey, I've just set up openvpn and it works beautifully - but the first client to connect got an IP of 10.8.0.6 - can I safely assume every time I will connect with this client, it will get this IP again? - if not, how can I make sure each client gets its own static IP?
08:58 -!- skarab [n=skarab@host217-45-151-133.in-addr.btopenworld.com] has left ##openvpn ["Killed buffer"] 08:58 < MadTBone> OK...one more time.... was away from computer for the weekend, and didn't get to respond earlier..... 08:58 < MadTBone> Client (WinXP SP3 - OpenVPN 2.0.9) can connect, but can't ping server (Linux 2.6.29 - OpenVPN 2.0.9)... anyone see the problem? -- logs, configs, and iface/routes as requested in topic: http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407 08:58 < MadTBone> Firewall accepts all packets from interface tun0 09:00 < MadTBone> hackeron: I believe that the first client connected will get the xxx.xxx.xxx.6 address..... I don't think it will associate an IP with a unique client (eg. by MAC address...) 09:01 -!- carpenike [n=ryan@c-98-218-119-237.hsd1.md.comcast.net] has joined ##openvpn 09:02 < carpenike> Hi everyone. I'm looking for a tutorial on using Windows Certificate Services with Openvpn. Anybody know of one? seen some mailing list entries but haven't found any myself. 09:05 < ecrist> hackeron: no, you can't safely assume that. 09:06 < ecrist> you should look into IPP, and CCD entries. 09:06 < ecrist> they're both covered in the man page. 09:07 < ecrist> carpenike: I'm not aware of one, sorry. 09:07 < ecrist> if you *do* find one, please let me know so we can record it. 09:08 < carpenike> okay will do. 09:08 < carpenike> Thanks. 09:08 < hackeron> ecrist: thanks, I'll have a look 09:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:14 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn 09:27 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: plundra 09:28 -!- Netsplit over, joins: plundra 09:37 < carpenike> have another question... Looking to seamlessly deploy a pre-configured installation package to windows clients w/ the GUI.
What would be the best way to go about that? 09:40 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Remote closed the connection] 09:44 -!- YpsyZNC is now known as Ypsy 09:54 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:55 -!- jeiworth [n=jeiworth@189.163.254.76] has joined ##openvpn 09:57 -!- ikla [n=lbz@67.174.119.168] has quit [Read error: 113 (No route to host)] 09:58 -!- K10 [n=roidal@85-125-37-226.static.xdsl-line.inode.at] has quit ["cu"] 10:00 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 10:13 < krzee> carpenike, no reason you can't script that up with a batch script... 10:13 < krzee> a zip file that they open, with an INSTALL.bat 10:15 < carpenike> ah, good idea. 10:15 < krzee> and on your CA box you can even automate the generation of the bat file ;) 10:16 < carpenike> serious? 10:16 < krzee> *shrug* why not? 10:19 -!- kyrix [n=ashley@91-115-23-75.adsl.highway.telekom.at] has joined ##openvpn 10:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:23 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"] 10:24 < carpenike> Mmm. 10:24 < carpenike> So I use, "START openvpn.exe" to install the app 10:24 < krzee> i dunno, google for help on batch scripting 10:24 < carpenike> Then after that is done I move all files to the correct directory 10:24 < krzee> i don't use windows 10:24 < krzee> but ya that's the idea 10:24 < carpenike> okay cool. 10:25 < krzee> also disable windows firewall on tap dev 10:25 < carpenike> Yeah, that should be disabled on all my clients anyway. 10:25 < krzee> and any other software firewall 10:25 < krzee> norton and mcafee, etc like to add another 10:27 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 10:28 < ecrist> I need LDAP at home. 10:28 < carpenike> OpenLDAP is pretty easy. Especially with smbldap scripts. 10:28 < carpenike> And then something like Apache DS to view it.
10:28 < ecrist> carpenike: I built the LDAP stuff at work, I am just too lazy to build it into my home network. 10:29 < carpenike> ah. :) 10:29 < ecrist> just, finally, rolled wiki authentication to ldap at work. 10:29 < ecrist> tweaking the config now to support some preferences and honor group memberships 10:29 < ecrist> and, for the record, I deal directly in LDIFs 10:29 < carpenike> heh heh, I'm too lazy to bother w/ those. 10:30 < ecrist> I had to get familiar, I wrote the company web front end for our directory. 10:32 < krzee> haha when you change jobs and the next admin cant figure it out you can charge up the ass to help them on contract basis 10:32 < krzee> ;] 10:34 < reiffert> smbk5pwd is nice working 10:34 < reiffert> mysql backend sucks as mysql doesnt support indeces on views. 10:35 < reiffert> got some little patch for smbk5pwd 10:35 < reiffert> http://134.93.168.49/~reiffert/smbk5pwd.html 10:35 < vpnHelper> Title: Thomas Reifferscheid (at 134.93.168.49) 10:45 < ecrist> krzee: it's a fair amount of custom schema, too. :) 10:46 < ecrist> wiki, jabber, freebsd servers, ftp and sftp file transfer for clients, and sudo are all integrated into LDAP at this point. 10:46 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:47 < ecrist> now to roll our svn and trac stuff into it. 10:47 < ecrist> then, the day I'm fired, rm -rf on the ldap servers. 10:47 < ecrist> muahahahaha! 10:48 < reiffert> get in touch with sync replication and slave directories. 10:49 < ecrist> got a 3-master system 10:50 < ecrist> one of the 3 only replicates a portion of the directory. 10:55 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 11:05 -!- carpe_ is now known as plaerzen 11:09 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 11:10 < ivenkys> !howto 11:10 < vpnHelper> ivenkys: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 11:33 -!- kyrix [n=ashley@91-115-23-75.adsl.highway.telekom.at] has quit [Remote closed the connection] 11:42 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 12:10 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:11 -!- tjz [n=tjz@bb121-7-60-156.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 12:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:43 -!- solvik [i=solvik@oxyradio.com] has quit [Remote closed the connection] 12:52 -!- solvik [n=solvik@oxyradio.com] has joined ##openvpn 12:54 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 12:55 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 12:58 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 12:59 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Remote closed the connection] 13:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 13:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:23 -!- emod [n=emod@sage.emoderation.net] has joined ##openvpn 13:28 -!- unixSnob [n=jj@starfury.spearlink.com] has joined ##openvpn 13:30 < unixSnob> suppose you have multiple tunnels going to different continents. Are there any issues with running multiple instances of openvpn clients, and having a way to route packets that selects the tunnel based on where the destination is? 13:35 -!- jeiworth [n=jeiworth@189.163.254.76] has quit [Read error: 110 (Connection timed out)] 13:38 < ecrist> unixSnob: there are people that do that with OSPF and other routing protocols, though we don't support it, specifically, here. 13:39 < unixSnob> ecrist: thanks for the tip 13:39 < ecrist> no problem. 
13:41 -!- unixSnob [n=jj@starfury.spearlink.com] has quit ["leaving"] 14:06 -!- tjz [n=tjz@bb116-15-64-10.singnet.com.sg] has joined ##openvpn 14:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:47 -!- StormWlf [i=stormwlf@adsl-76-192-208-211.dsl.okcyok.sbcglobal.net] has joined ##openvpn 14:48 < StormWlf> !howto 14:48 < vpnHelper> StormWlf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:48 < StormWlf> !route 14:48 < vpnHelper> StormWlf: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:48 -!- jeiworth [n=jeiworth@189.234.97.109] has joined ##openvpn 15:51 -!- CamargoBP-Mobile [n=CamargoB@23.sub-75-216-137.myvzw.com] has joined ##openvpn 15:58 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 15:58 < ksnp> nel created at Sat Jul 14 00:20:20 2007 15:58 < ksnp> [13:58] -ChanServ- [#openwrt] NEW! http://irc.openwrt.org/ 15:58 < ksnp> [13:58] hi anyone tried openvpn on dd-wrt ? 15:58 < ksnp> oops 15:58 < vpnHelper> Title: OpenWrt (at irc.openwrt.org) 15:59 < ksnp> hi anyone tried openvpn on dd-wrt ? 16:01 -!- emod [n=emod@sage.emoderation.net] has quit [] 16:07 < Gorkhaan> ksnp yes 16:08 < Gorkhaan> It's little bit different. 16:12 < ksnp> as in ? 16:12 < ksnp> can you use the same client and settings ? 16:13 < ksnp> or can you explain a bit in what way please ? 16:13 < Gorkhaan> I'm using ipkg-opt openvpn version 16:13 < Gorkhaan> and you? 
16:14 < Gorkhaan> "OpenVPN 2.1_rc15 mipsel-linux" 16:15 < ksnp> i haven't tried yet 16:16 < ksnp> i am thinking between tomato, dd-wrt (and possibly openwrt) and want to know beforehand 16:16 < ksnp> but i did try on debian 16:16 < ksnp> you are using that package on dd-wrt ? 16:16 < Gorkhaan> I see. It's working for me fine 16:16 < Gorkhaan> yes, with ipkg-opt 16:16 < Gorkhaan> ipkg has much older openvpn version 16:17 < Gorkhaan> but it's only peer-to-peer mode 16:17 < Gorkhaan> with static IP 16:18 < Gorkhaan> but that's fine, Don't want to hang on VPN all-day. 16:18 < Gorkhaan> I have an ASUS WL500g Premium V2 Router 16:19 < ksnp> static IP ? 16:19 < Gorkhaan> With a USB PenDrive, that's where ipkg-opt comes in 16:19 < Gorkhaan> !ifconfig 16:19 < vpnHelper> Gorkhaan: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. 16:19 < Gorkhaan> ifconfig A-machine-ip B-machine-ip on the server side 16:19 < ksnp> peer-to-peer mode : as in ? you mean you can't do site to site ? 16:20 < Gorkhaan> ifconfig B-machine-ip A-machine-ip on the client side 16:20 -!- CamargoBP-Mobile [n=CamargoB@23.sub-75-216-137.myvzw.com] has quit [Read error: 110 (Connection timed out)] 16:20 < ksnp> didn't get about the ifconfig - i use it to see the status/information about the interfaces 16:20 < ksnp> when you say static ip - you mean the ip of the tun ? 16:20 < ksnp> or the ip of the server ? 16:20 < Gorkhaan> mate: 16:20 < ksnp> ya ? :) 16:20 < Gorkhaan> openvpn has a command: ifconfig 16:21 < ksnp> oh ok that one.. ok got it 16:21 < Gorkhaan> GNU/Linux has another ifconfig.
16:21 < ksnp> ya ya 16:21 < ksnp> but i didn't get what you meant by static ip 16:21 < Gorkhaan> you can set in the config file your interfaces configuration like Point-to-Point 16:21 < ksnp> ya ok 16:21 < Gorkhaan> static ip means --> not DHCP Assigned 16:22 < ksnp> ok, so you are saying you can't push dhcp ? 16:22 < Gorkhaan> you set it manually with ifconfig 16:22 < Gorkhaan> Well yes, I couldn't do it. 16:22 < ksnp> right now the client gets the ip address automatically, so with ddwrt as server a client connecting to it, you are saying it wouldn't get an ip correct ? 16:22 < Gorkhaan> ifconfig worked like a charm. Dhcp doesn't. But I'm using NAT, you can do bridging, maybe DHCP Works on that 16:22 < ksnp> ok 16:23 < Gorkhaan> but I'm fine with static ip, without dhcp 16:23 < ksnp> ya, i guess that shouldn't be a big deal 16:23 < ksnp> can you do site to site vpn with the ddwrt ? 16:23 < Gorkhaan> uum, how do u mean? 16:23 < Gorkhaan> site? 16:25 < ksnp> like : 16:25 < ksnp> LAN1 ---- DDWRT1 <-------------> DDWRT2 ---- LAN 2 16:25 < ksnp> lan1 and lan2 now connected completely 16:26 < Gorkhaan> so you'd like to connect 2 Routers with VPN ? 16:26 < ksnp> i know its possible to do with the regular openvpn by changing the static routes on the router/gateway and using some push commands, one side acts as client, other as server 16:26 < ksnp> yes 16:26 < ksnp> what did you mean by peer 2 peer ? 16:26 < Gorkhaan> I think you can do it sure 16:26 < Gorkhaan> I was mistaken about "peer 2 peer" I wanted to write: Point-to-Point :D sry 16:27 < ksnp> ok 16:27 < Gorkhaan> yeah, and I couldn't push any commands 16:27 < ksnp> oh so the push thing did not work with the ddwrt ? 16:27 < Gorkhaan> yes 16:27 < ksnp> ahh, looks like it's bad then for openvpn at least 16:27 < ksnp> did you consider or try openwrt or tomato ? 16:27 < Gorkhaan> or maybe I did something wrong 16:28 < Gorkhaan> no, not really. I saw dd-wrt and it's perfect for me.
:) 16:28 < Gorkhaan> it's well documented 16:28 < Gorkhaan> easy to flash the FirmWare. 16:28 < ksnp> ok, how about updates ? 16:28 < ksnp> is it good ? 16:28 < Gorkhaan> Firmwares? 16:29 < ksnp> i see the ddwrt channel at least has no activity 16:29 < ksnp> yes 16:29 < ksnp> firmware updates / package updates etc 16:29 < Gorkhaan> Well the Mega Generic Firmware has a bug: I can't use JFFS2 support 16:29 < Gorkhaan> jffs2 is a built in Router memory space 16:29 < ksnp> oh really ? 16:30 < ksnp> did you report the bug ? 16:30 < Gorkhaan> but I changed to Generic Firmware ( usb version ), and it works like a charm 16:30 < Gorkhaan> No I didn't but many forum topics are about this "bug" 16:30 < ksnp> usb version ? you mean instead of jffs2 ? 16:30 < Gorkhaan> nope 16:30 < ksnp> then ? 16:30 < Gorkhaan> there are ~ 6 versions of Firmware for my Router 16:30 < ksnp> what if the router had no usb ? just plain wrt54gl 16:31 < Gorkhaan> asus wl500gp v2 16:31 < ksnp> oh ok 16:31 < Gorkhaan> My Router has 2 USB Ports 16:31 < Gorkhaan> It's sooo gr8 :D 16:31 < Gorkhaan> U can share printer, for instance 16:31 < ksnp> its a regular box that looks like linksys ? 16:31 < ksnp> i don't see asus routers in dept stores 16:31 < Gorkhaan> a mom 16:31 < ksnp> ? 16:32 < Gorkhaan> moment 16:32 < Gorkhaan> http://ocsovszki-dorian.darkhole.hu/?page_id=397 16:32 < vpnHelper> Title: Ocsovszki Dorián » Asus WL500gP v2 (at ocsovszki-dorian.darkhole.hu) 16:32 < Gorkhaan> here is my blog, it's hungarian. I'm planning to translate it later if I'm ready with my howtos, if you click on the first link you can see my Router 16:33 < Gorkhaan> or this: http://images.google.hu/images?hl=hu&q=asus%20WL500g%20Premium%20V2&um=1&ie=UTF-8&sa=N&tab=wi 16:33 < vpnHelper> Title: asus WL500g Premium V2 - Google Képkereső (at images.google.hu) 16:34 < ksnp> ok, cool 16:35 < Gorkhaan> Do you have a compatible router?
16:35 < ksnp> actually i have a wrt54g2 16:35 < ksnp> and i am trying to see what's best, but i want to be sure i can revert to factory f/w if needed 16:36 < Gorkhaan> aha. :) If you check my Router on dd-wrt homepage "supported hardware" you can see the results. 16:36 < Gorkhaan> Linksys routers are great too 16:37 < Gorkhaan> I was searching for weeks before I bought this WL500g Premium V2 16:38 < ksnp> why did you choose this ? 16:39 < Gorkhaan> 240Mhz "cpu" 32 MB Memory, 2 USB ports, fully compatible with dd-wrt firmwares 16:40 < ksnp> ok 16:40 < Gorkhaan> for example I'm using a PenDrive on one of its USB ports 16:40 < ksnp> oh ok 16:40 < ksnp> so that's for extra storage ? 16:40 < Gorkhaan> I created Swap partition 16:40 < ksnp> as opposed to jffs2 ? 16:40 < Gorkhaan> yes 16:40 < Gorkhaan> jffs2 is an internal 32mb stuff 16:40 < Gorkhaan> my PenDrive has 4GB 16:40 < Gorkhaan> I can install anything on it 16:40 < ksnp> oh cool 16:40 < ksnp> so i guess it loads what's needed onto the router memory 16:41 < ksnp> cool 16:41 < Gorkhaan> openvpn, nano text editor apache webserver, mysql, torrent client 16:41 < Gorkhaan> samba 16:41 < ksnp> cool - all run at the same time ? 16:41 < ksnp> i mean you can use all at the same time ?? 16:41 < Gorkhaan> only: openvpn, samba, torrentclient 16:41 < Gorkhaan> they are daemonized 16:41 < Gorkhaan> xinetd helps a lot 16:45 < Gorkhaan> So... I'm happy with this Router! ;) 16:46 < ksnp> you can't run apache at the same time ? 16:47 < ksnp> did you try email server as well ? 16:47 < ksnp> or know if there's a package ? 16:47 < Gorkhaan> Yes I can.
But I don't need to use it, I've got a Server for Webhosting :) 16:47 < Gorkhaan> a moment 16:47 < Gorkhaan> Here are the ipkg-opt packages: http://www.dd-wrt.com/wiki/index.php/Quick_list_of_Optware_packages 16:47 < vpnHelper> Title: Quick list of Optware packages - DD-WRT Wiki (at www.dd-wrt.com) 16:48 < Gorkhaan> but you need to know, you have to have an external disk to install 16:48 < Gorkhaan> so you need a USB port for this 16:48 < Gorkhaan> and for the usb ports, you need WL500gP V2 :D 16:49 < ksnp> ok 16:49 < ksnp> i'll look for that model of router, definitely not stocked in the usual stores here i think 16:49 < StormWlf> Gorkhaan have You got any good tutorials on dnsmasq with openvpn? 16:49 < ksnp> i don't know what's dnsmasq 16:49 < ksnp> but openvpn howto is pretty good 16:49 < Gorkhaan> well, no not really. it works out-of-the-box on my ubuntu 9.04 server 16:50 < StormWlf> k 16:50 < Gorkhaan> only thing you should push "dhcp-option DNS 10.40.0.1" 16:50 < StormWlf> ok kewl 16:50 < StormWlf> static ip's regular dhcpd expressions? 16:50 < Gorkhaan> so the VPN server IP can masquerade DNS records 16:50 < ksnp> storm you may want to checkout http://74.125.95.132/search?q=cache:s0uc3pnCJwYJ:www.annoying.dk/2007/10/14/quick-simple-tutorialhowto-on-openvpn-with-debian/comment-page-1/+openvpn+debian+pki&cd=7&hl=en&ct=clnk&gl=us 16:50 < vpnHelper> Title: Quick simple tutorial/howto on OpenVPN with Debian | www.annoying.dk (at 74.125.95.132) 16:51 < Gorkhaan> StormWlf : what do you mean?
16:51 < StormWlf> i need to assign some statics to vpn clients that will be linked networks 16:51 < StormWlf> want to 16:52 -!- bardyr [n=bardyr@88.85.43.80] has joined ##openvpn 16:52 < Gorkhaan> you can use dhcp-like stuff, and you can set your clients' IP with ccd ( Client-config dir ) 16:52 < StormWlf> ok 16:53 < Gorkhaan> if you have fewer clients ( like 1-4 ) you can use ifconfig point-to-point mode 16:53 < StormWlf> thanks Gorkhaan sorry was only here for a few seconds 16:53 < Gorkhaan> if you have many clients ( as I, ~40-60 ) I'm using "topology subnet" 16:53 < StormWlf> yeah i got topology subnet working too 16:54 < Gorkhaan> ;) 16:54 < bardyr> Hey, can someone help me out with some understanding, i want to do a couple of encrypted IP tunnels from a few public servers to a private server, the private server is going to run webserver and the public servers should forward all the traffic to the private server, should the openvpn server be installed on the private server or what? can this be done without too much hacking? 16:54 < StormWlf> thought that the internal dhcpd would take care of address assignments but i guess ccd works too 16:54 < StormWlf> Thanks bud will catch ya later 16:55 -!- StormWlf [i=stormwlf@adsl-76-192-208-211.dsl.okcyok.sbcglobal.net] has left ##openvpn [] 16:55 < Gorkhaan> k, see ya :) 16:56 < Gorkhaan> If you want to forward your network traffic, clients must pull a command from the server: "redirect-gateway def1" 16:56 < Gorkhaan> !redirect 16:56 < vpnHelper> Gorkhaan: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 16:57 < Gorkhaan> OpenVPN's howto is quite readable ! ;) 16:59 < bardyr> Gorkhaan, Okay, thanks 16:59 < Gorkhaan> u're welcome.
16:59 < bardyr> !def1 16:59 < vpnHelper> bardyr: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 17:00 < bardyr> !howto 17:00 < vpnHelper> bardyr: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:06 < ksnp> Gorkhaan : can i try your ddwrt openvpn ? 17:06 < ksnp> i mean connecting to it 17:06 < Gorkhaan> Can I connect to your PC? :D 17:07 < ksnp> sure 17:07 < ksnp> i mean you can restrict the access using ccd/ 17:08 < Gorkhaan> xD here is a Demo site, if you would like to try: http://www.informatione.gmxhome.de/DDWRT/Standard/V23final/ 17:08 < ksnp> ok cool 17:08 < vpnHelper> Title: WRT54G - Info (at www.informatione.gmxhome.de) 17:09 < Gorkhaan> 90% the same what I've got, I'm pretty sure it's great to review dd-wrt WebInterface 17:09 < Gorkhaan> But the most powerful will be the terminal. :D 17:12 < ksnp> ok 17:12 < ksnp> do you have an im 17:15 < ksnp> IM ? 17:15 < Gorkhaan> I've got MSN account 17:15 < Gorkhaan> that's what you mean? 17:22 < ksnp> yes 17:22 < ksnp> can you tell your account ? i am going to try this f/w thing and in case i have questions 17:23 < ksnp> sorry for late responses, I was working on sth else also 17:25 < Gorkhaan> I sent you, PM 17:28 < ksnp> cool thanks 17:28 < ksnp> bbl 17:29 < ksnp> i have wrt54g2 17:30 < ksnp> and i am going to try apache etc. 
and see 17:30 < ksnp> bbl 17:32 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 17:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 18:42 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 18:43 -!- celsiux [n=Nullesd@pool-71-107-254-183.lsanca.dsl-w.verizon.net] has joined ##openvpn 19:03 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Connection timed out] 19:04 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [Read error: 60 (Operation timed out)] 19:07 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 19:15 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 19:25 -!- celsiux [n=Nullesd@pool-71-107-254-183.lsanca.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 19:34 < ecrist> fuckers 20:09 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:16 -!- bardyr [n=bardyr@88.85.43.80] has quit [Read error: 110 (Connection timed out)] 20:23 -!- master_of_master [i=master_o@p549D37C6.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 20:24 -!- master_of_master [i=master_o@p549D37C6.dip.t-dialin.net] has joined ##openvpn 20:36 -!- Ypsy is now known as YpsyZNC 20:37 -!- p3ri0d [n=p3ri0d@200.2.152.115] has joined ##openvpn 20:47 -!- troy- is now known as troy 20:59 -!- anything3 [i=efilesoo@user-12hdvan.cable.mindspring.com] has joined ##openvpn 20:59 < anything3> hey 21:02 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:03 -!- anything3 [i=efilesoo@user-12hdvan.cable.mindspring.com] has left ##openvpn [] 21:05 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 21:07 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 21:07 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read 
error: 104 (Connection reset by peer)] 21:08 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1176438572.dsl.bell.ca] has joined ##openvpn 21:08 < darkdrgn2k3> is there a way to initiate a VPN connection without punching a hole in the firewall? 21:08 < darkdrgn2k3> udb 21:08 < darkdrgn2k3> uhh udp 21:09 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 104 (Connection reset by peer)] 21:09 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 21:10 -!- mikeage [n=mmiller@mikeage.net] has joined ##openvpn 21:11 -!- mikeage [n=mmiller@mikeage.net] has left ##openvpn ["Leaving."] 21:23 -!- [1]ksnp is now known as ksnp 21:38 < darkdrgn2k3> can i specify local ports? 21:44 -!- p3ri0d [n=p3ri0d@200.2.152.115] has left ##openvpn ["Leaving"] 21:45 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 22:00 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1176438572.dsl.bell.ca] has quit [Connection timed out] 22:03 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 22:03 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 22:17 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 22:37 -!- troy is now known as troy- 23:00 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 23:17 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1176438572.dsl.bell.ca] has joined ##openvpn --- Day changed Tue Jul 14 2009 00:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:22 -!- troy- is now known as troy 01:36 -!- jeiworth [n=jeiworth@189.234.97.109] has quit [Read error: 60 (Operation timed out)] 01:39 -!- master_of_master [i=master_o@p549D37C6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 01:42 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 01:43 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 
01:43 -!- master_of_master [i=master_o@p549D33F4.dip.t-dialin.net] has joined ##openvpn 01:49 -!- darkdrgn2k3 [n=darkdrgn@bas2-toronto44-1176438572.dsl.bell.ca] has quit [] 02:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:58 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 04:03 -!- skyion [n=bradc@ns.clubleisure.co.za] has joined ##openvpn 04:04 < skyion> Hello, is it possible to specify more than 1 static route to bring up with openvpn 04:04 < reiffert> yes. 04:04 < reiffert> !factoids search limit 04:04 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB 04:06 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 04:12 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 04:14 -!- nicorac [n=nicorac@mitrol.it] has joined ##openvpn 04:15 < nicorac> hello everyone 04:16 < nicorac> may I ask a question about SSL? 04:20 < onats> i suggest you just post the question... someone will answer if they know it 04:21 < nicorac> right, ok, I'll try to explain as clearer as possible (I'm a noob on SSL) 04:22 < nicorac> I set up a OpenVPN server accepting connections from a large number of clients (say a few hundreds) 04:24 < nicorac> since these clients are cloned from a default image, I choose to not authenticate clients with private/public cert 04:24 < nicorac> but with username/password 04:24 < nicorac> this is not a security risk because each client connection is "locked", it can do nothing but receive incoming connections. 04:25 < nicorac> That said, I created my own CA and the ca.crt file is included in each client. 04:26 < nicorac> Now comes the question: my fault was to generate ca.cert with a validity of (only) 10 years. 04:28 < nicorac> This could be ok for road warriors but not in my case, because clients are used by non technical users and (also) they cannot change anything on them. 
04:29 < nicorac> I know these machines will not be allowed to connect after 2019, but now I'm going to release an update for the new version 04:30 < nicorac> I'll generate another certificate, valid for 100 years (!) 04:30 < nicorac> but I need to know how to allow access to both classes: the ones with the old certificate (valid till 2019) and the ones with 04:31 < nicorac> the newer certificate (which will expire in 2109, when I suppose I'll be dead :)) 04:32 < nicorac> Is there a way, on server side, to allow more than one ca.crt? 04:32 < nicorac> Or, is there a way to extend the validity of an already released certificate, allowing the ones using the old one, which is still valid, to connect till it expires? 04:33 < nicorac> Sorry for being so long... 04:39 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 04:41 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to sleep"] 04:41 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 04:48 < reiffert> nicorac: care about the problem in 2019. 04:48 < reiffert> You might wanna try chained ca's here. 04:48 < nicorac> :-) I can't 04:48 < nicorac> can you please elaborate? 04:49 < nicorac> reiffert: what do you mean with "chained"? 04:58 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:23 < nicorac> up 05:26 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 05:35 -!- celsiux- [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Read error: 110 (Connection timed out)] 05:36 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 05:37 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Nick collision from services.]
05:37 -!- |Mike|_ is now known as |Mike| 05:42 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Read error: 60 (Operation timed out)] 05:43 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 05:43 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 05:44 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 05:45 < Gorkhaan> http://www.youtube.com/watch?v=43_3R5SVTe8&annotation_id=annotation_680732&feature=iv 05:45 < vpnHelper> Title: YouTube - !!!Partywagon Wooha !!!! http://www.facebook.com/pages/Partywagon-Whooha/75847473742 (at www.youtube.com) 05:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:49 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 05:50 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 05:55 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 05:55 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 06:07 -!- troy is now known as troy- 06:21 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Remote closed the connection] 06:22 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 06:27 -!- tjz [n=tjz@bb116-15-64-10.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 06:28 < nicorac> could someone please elaborate what reiffert meant with "chained ca's"... 06:40 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 06:52 -!- skyion [n=bradc@ns.clubleisure.co.za] has left ##openvpn [] 07:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)] 07:16 < ecrist> good moring. 07:16 < ecrist> morning* 07:18 < reiffert> good moroning. 
07:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:24 -!- oligo [n=oligo@vps257.xlshosting.net] has joined ##openvpn 07:27 -!- nicorac [n=nicorac@mitrol.it] has quit [Remote closed the connection] 07:37 -!- YpsyZNC is now known as Ypsy 07:39 < dazo> morning! 07:46 -!- ivenkys_ [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 07:46 < ecrist> Mafia Wars is addicting 08:01 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Connection timed out] 08:28 < dazo> facebook? 08:30 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 08:36 -!- troy- is now known as troy 08:37 -!- jdchrist [n=jdchrist@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 08:46 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 110 (Connection timed out)] 09:08 -!- ivenkys_ [n=ivenkys@unaffiliated/ivenkys] has quit [Read error: 60 (Operation timed out)] 09:31 -!- carpenike [n=ryan@c-98-218-119-237.hsd1.md.comcast.net] has quit [Read error: 110 (Connection timed out)] 09:41 -!- CamargoBP-Mobile [n=CamargoB@129.sub-70-192-116.myvzw.com] has joined ##openvpn 09:58 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 10:01 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit ["Reconnecting"] 10:01 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 10:07 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 10:08 < mlaci> hi guys! i've just tried to connect to an openvpn server from vista and after starting openvpn on the .ovpn file all i see is a blank console and no logs (despite specifying a logfile) 10:08 < mlaci> the server is correctly configured and works with ubuntu and xp clients 10:08 < mlaci> moreover there is no sign of the vista client being logged in on the server 10:08 < mlaci> any ideas? 
10:10 -!- brad_ [n=quassel@12.48.121.170] has joined ##openvpn 10:11 < brad_> hey I'm trying to route between two networks, but it's not goin well 10:11 < ecrist> !route 10:11 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:11 < brad_> it looks like the servers are not routing. 10:12 < ecrist> mlaci: what openvpn client version are you running on vista? 10:12 < ecrist> you should not be running anything less that latest RC release 10:13 < brad_> I'll read 10:16 -!- MRCUTEO [n=IRCLunat@115.134.239.163] has joined ##openvpn 10:16 -!- MRCUTEO is now known as mRCUTEO 10:20 -!- mRCUTEO [n=IRCLunat@115.134.239.163] has quit [Client Quit] 10:20 -!- troy is now known as troy- 10:23 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 10:26 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:42 -!- disposable [i=disposab@blackhole.sk] has joined ##openvpn 10:43 < mlaci> ecrist, i've just tried with the latest OpenVPN 2.1_rc18, but same thing happens 10:44 < ecrist> not sure then, I don't run Vista, sorry. 10:44 < mlaci> ecrist, no problem, thanks anyways 10:45 < mlaci> anyone knows anything about windows 7 compatibility? 10:47 < mlaci> openvpn said this on windows 7: http://pastebin.com/m73516047 10:47 < disposable> i have an openvpn server (with public IP) and two clients(A and B) in different locations. is it possible to use client A as a dhcp server for both the server and client B? I want client B and server to be part of the lan client A is on (where it is the dhcp server). i just need to know if it's possible, not how to do it. 
10:47 < mlaci> the same configuration worked well under ubuntu and xp 11:00 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Connection timed out] 11:04 < ecrist> disposable: it is possible, but you may run into problems 11:04 < ecrist> you will need to use a tap (bridged) vpn type 11:10 -!- troy- is now known as troy 11:21 -!- troy [n=troy@worldnet.tauri.ca] has quit [Nick collision from services.] 11:22 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 11:28 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 104 (Connection reset by peer)] 11:31 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 11:33 < brad_> I've read, and read, and read, and I'm still having problems 11:34 < brad_> my packets aren't reaching where they are supose to go, 11:41 < brad_> http://pastebin.org/1537 11:41 < brad_> debian to debian 11:51 < brad_> both of my networks can reach there local vpn connection 192.168.25.x, but not the remote 11:54 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:02 -!- c64zottel [n=hans@p5B17AD03.dip0.t-ipconnect.de] has joined ##openvpn 12:02 -!- c64zottel [n=hans@p5B17AD03.dip0.t-ipconnect.de] has left ##openvpn [] 12:07 -!- firecrotch [n=nick@207.67.115.235] has joined ##openvpn 12:08 < firecrotch> I figured this would be a good place to ask this: Do you know of any out-of-band management cards that have the ability to be an OpenVPN client? 12:15 < MadTBone> Client (WinXP SP3 - OpenVPN 2.0.9) can connect, but can't ping server (Linux 2.6.29 - OpenVPN 2.0.9)... anyone see the problem? 
-- logs, configs, and iface/routes as requested in topic: http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407 12:15 < MadTBone> Firewall accepts all packets from interface tun0 12:36 < ecrist> brad_: 12:36 < ecrist> !iroute 12:36 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 12:37 < ecrist> firecrotch: not that I'm aware of. 12:37 -!- SH4|Gast457 [n=Gast428@i577A490A.versanet.de] has joined ##openvpn 12:43 < firecrotch> ecrist: Thanks 12:46 -!- SH4|Gast457 [n=Gast428@i577A490A.versanet.de] has quit [Read error: 104 (Connection reset by peer)] 12:59 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Remote closed the connection] 13:07 -!- firecrotch [n=nick@207.67.115.235] has left ##openvpn [] 13:24 -!- Ypsy is now known as YpsyZNC 13:26 -!- CamargoBP-Mobile [n=CamargoB@129.sub-70-192-116.myvzw.com] has quit [Read error: 110 (Connection timed out)] 13:33 -!- davidc_ [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 13:36 -!- jdchrist [n=jdchrist@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit ["Leaving"] 13:36 -!- davidc_ is now known as jdchrist 13:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:47 -!- davidc_ [n=davidc@173-15-94-113-Illinois.hfc.comcastbusiness.net] has joined ##openvpn 13:59 -!- davidc_ [n=davidc@173-15-94-113-Illinois.hfc.comcastbusiness.net] has quit [Read error: 104 (Connection reset by peer)] 14:00 -!- davidc_ [n=davidc@173-15-94-113-Illinois.hfc.comcastbusiness.net] has joined ##openvpn 14:04 -!- jdchrist 
[n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 14:06 -!- davidc_ is now known as jdchrist 14:14 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Remote closed the connection] 14:19 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 14:29 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Pagautas 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:52 < MadTBone> OK.... if I start openvpn server without pushing any routes (other than the default to the server), I can ping the server. If I push a route to another subnet (routable from the server), I can *not* ping the server (or the clients on the other subnet) 14:53 < MadTBone> anyone know what's up there? 14:55 < ecrist> MadTBone: without seeing your routing tables and configs, it's hard to say. 14:55 < ecrist> my guess is you're pushing conflicting IP spaces across the vPN 14:56 < ecrist> it is the usual cause of the symptoms you describe. 14:57 < MadTBone> ecrist: http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407 14:58 < MadTBone> ecrist: have to go for an hour... will be back... If you see anything, please let me know! 
15:09 * krzie bets the route being pushed conflicts with the subnet hes on 15:10 < krzie> oh wait ecrist said that 15:10 < krzie> well, ya i agree with ecrist 15:10 < krzie> ;] 15:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:36 -!- bandini [n=bandini@host218-108-dynamic.7-79-r.retail.telecomitalia.it] has joined ##openvpn 15:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:43 -!- renar [i=bc9b687a@gateway/web/freenode/x-054161e35d288cf1] has joined ##openvpn 15:43 < renar> hello 15:49 < renar> !howto 15:50 < vpnHelper> renar: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:50 < renar> I received client.csr/.crt/.key files instead of the ca.crt and client.crt /.key files required by the client.conf. I've read the howto 15:50 < renar> (I'm a client only) 15:57 < krzie> so do you have a question? 15:58 < krzie> cause it sounds lik you already know what the problem is 15:59 < krzie> like 15:59 < renar> yes, my question is what I'm supposed to do with the csr file 16:00 < renar> it's a "certificate request"; can I request a CA certificate with it? 16:01 < krzie> you delete it 16:01 < krzie> a csr gets signed by CA who generates the crt from signing it 16:03 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["See you later!"] 16:03 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:03 < renar> you mean it's not meant that I get to see it? 16:04 < krzie> well heres what it was designed for... 16:04 < krzie> client generates a csr and .key 16:04 < krzie> he sends his csr to the CA 16:05 < krzie> CA signs it with his ca.key, then passes the crt to the client 16:06 < renar> ah. hm. 
I got premade csr and key files 16:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)] 16:06 < renar> *crt 16:06 < krzie> well you already know your problem 16:06 < krzie> it was part of your question 16:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:07 < krzie> so go talk to the guy who gave you the files 16:07 < krzie> you wont get a ca.crt any other way 16:07 < renar> thanks! 16:07 < krzie> np 16:47 -!- jeiworth_ [n=jeiworth@189.163.255.127] has joined ##openvpn 16:48 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 104 (Connection reset by peer)] 17:15 < MadTBone> ecrist: 17:15 < krzie> MadTBone: 17:18 -!- renar [i=bc9b687a@gateway/web/freenode/x-054161e35d288cf1] has quit ["Page closed"] 17:19 < krzie> what are all involved subnets? 17:21 < MadTBone> ecrist and krzee: The route being pushed shouldn't conflict. Route is to a public address range (123.123.123.192/26), while the client is on a private subnet (10.2.1.0/24). Even if I push a route to another private subnet (10.0.3.0/24 -- also routable from the server), I can't ping the server. 17:23 < krzie> windows client? 17:23 < MadTBone> krzee: 10.3.0.0/24 (where server lives, as well as others) ---- 10.254.254.0/24 (VPN addresses) ---- 123.123.123.192/26 (public addresses, routable by server -- actually, server has 2nd NIC on this range) 17:24 < MadTBone> yes. Windows client 17:24 < krzie> try this 17:24 < krzie> !winroute 17:24 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 17:25 < MadTBone> already using route-method exe and route-delay (for config see: http://pastebin.com/m22fdd7cb ) ... 
will try #3 17:26 < krzie> well how bout this too 17:26 < krzie> !logs 17:26 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 17:26 < MadTBone> http://pastebin.com/m328f75b4 http://pastebin.com/m63caf20c http://pastebin.com/m7a6cd3ce http://pastebin.com/m22fdd7cb http://pastebin.com/m56c8df23 http://pastebin.com/m4a533407 17:27 < krzie> 6 pastebins? 17:27 < MadTBone> those are logs, configs, and routing tables for server & client 17:27 < MadTBone> slightly different configs, but basically the same. 17:29 < MadTBone> only push "route 10.0.3.0 255.255.255.0" was added 17:30 < krzie> and the logs are from WITH that push added? 17:31 < MadTBone> no....sorry.... give me a minute and I'll re-post. Also, "Routing and remote access" is already off. 17:36 < MadTBone> OK...something funky is going on. I didn't change the config and now I can ping.... 17:38 < krzie> hehe sounds like windows 17:38 < krzie> i shoulda just said to reboot ;) 17:39 < MadTBone> now I've restarted both client and server and can't ping... :( 17:40 < krzie> lol 17:40 < MadTBone> rebooting windows now 17:40 < krzie> what version ovpn you using? 17:42 < MadTBone> Client - WinXP SP3 - OpenVPN 2.0.9 --- Server - Linux 2.6.29 - OpenVPN 2.0.9 17:43 < krzie> thats like 3 yrs old 17:43 < krzie> why not goto 2.1rc18 17:47 < MadTBone> 2.0.9 is what was marked as stable in my Linux distro.
Will try 2.1rc18 17:47 < krzie> that is the 'stable' version, but RC is quite stable 17:50 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [No route to host] 17:55 < |Mike|> lol 17:55 < krzie> sup mike 17:55 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 17:55 < |Mike|> openvpn rocks krzie :)) 17:56 < |Mike|> puppet, openvpn, no more weirdo IP's and broken route's 17:56 < krzie> =] 17:56 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["See you later!"] 17:57 < krzie> so ill be seeing you soon 17:57 < krzie> i won my airplane money on the st pierre fight on sat 17:58 < |Mike|> You're visiting HAR ? 17:58 < krzie> aye 17:58 < krzie> is there some sort of entry efee i should know bout? 17:58 < krzie> entry fee 17:59 < |Mike|> If you have a ticket, there are no more fee's 17:59 < krzie> ticket as in airplane? 17:59 < krzie> or ticket to enter 17:59 < |Mike|> Yes 18:00 < |Mike|> costs around 185 E (euro) 18:00 < krzie> ahh as in airplane, kickass 18:00 < krzie> oh to enter 18:00 < krzie> damn 18:00 < |Mike|> enter. 18:00 < |Mike|> but 18:00 < |Mike|> a friend of mine can't go, maybe i can get you an offer :) 18:00 < krzie> hell ya 18:01 < |Mike|> 150E 18:01 < |Mike|> they are for sail for 185E atm. 18:02 < krzie> hey you dont have a floor i can crash on do ya? im suffering from funds-r-low 18:02 < krzie> ;] 18:02 < |Mike|> village bbq ? :) 18:02 < |Mike|> you just need a tent :p 18:02 < krzie> oh hell ya! 18:02 < krzie> i can do that! 18:02 < |Mike|> it's from 13/ 16th of august 18:03 < krzie> as for buds, you do recommend i buy from a coffee shop or should i hit you up? 18:03 < |Mike|> 2009/07/15 01:01:42 well, in that case I am satisfied with 135EUR 18:03 < MadTBone> hmm.... same result w/ 2.1rc18 18:03 < |Mike|> I paid 185E 2 weeks ago 18:03 < krzie> MadTBone verb 6 logs 18:04 < krzie> |Mike| is cash when i get there good for him? 
im for sure going 18:04 < krzie> if so, sold 18:04 < MadTBone> coming up 18:04 < |Mike|> no idea, probably paypall, since he's from sweden 18:04 < krzie> ohhh right 18:04 < |Mike|> tickets are digital aswell 18:04 < krzie> ok that works too 18:05 < krzie> hrm, so how do i get it from him and how do i know its legit? 18:05 < |Mike|> see msg 18:06 < krzie> tx 18:06 < krzie> thx 18:06 < |Mike|> np 18:06 < MadTBone> krzee: you know...something weird I just noticed, and it would explain the issue...10.254.254.0/24 isn't in the client's routing table when I push another route... 18:06 -!- lilalinu- [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 18:07 < krzie> logs... 18:08 < |Mike|> set your log level to verb 6 MadTBone 18:08 < krzie> yupyup 18:09 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [Connection reset by peer] 18:10 < krzie> so you not far from there? i have no idea where im going or anything, mind if i hit you up when i touch down and we chill? 18:10 < krzie> this is me btw, www.ircpimps.org/pics/krzee 18:10 < krzie> many of those are old, im 27 now 18:13 < MadTBone> krzee: you know....this is getting ridiculous... cleared logs and restarted and now I can ping :( 18:14 < krzie> well to figure out your problem you'll need to start reading your logs 18:14 -!- lilalinu- [n=lilalinu@ist.deswahnsinns.de] has quit [Excess Flood] 18:15 < MadTBone> yeah, I know. but when I go to replicate the problem, it seems to go away (I know.... ) 18:15 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 18:15 < MadTBone> does openvpn cache routs/clients/etc... over restarts? 18:16 < krzie> it wouldnt be openvpn doing that, it would be your os 18:16 < krzie> but with persist-tun or something like that (see manual) it doesnt close the device so it doesnt clear that stuff 18:17 < krzie> unless by restart you mean kill -9 and starting it again 18:20 < MadTBone> not using kill -9... but am using persist tun 18:20 < |Mike|> how so? 
18:21 < krzie> mike you see my ? about hitting you up when i get in? i dunno how busy you stay and how far you are from airport / HAR location 18:21 < krzie> in fact i know nothing about that area whatsoever 18:21 < |Mike|> airport to har is ~130 km 18:21 < krzie> except that they dont speak either of my languages 18:22 < |Mike|> most dutch people speak english as second language :) 18:23 < |Mike|> there are a lot of people ariving at 13th of august to visit HAR 18:23 < |Mike|> I'm not sure if there are direct trains / busses to get people from schiphol to har 18:24 < krzie> ya im either rollin in on 12th or 13th 18:24 < |Mike|> kewl ! 18:24 < krzie> depends on what my homie the pilot for american air pulled off for me 18:38 < MadTBone> ok...was able to replicate... verb 6 gives around 2.5MB of client logs for just a few seconds connected with a ping attempt.... will pastebin take that much? 18:38 < krzie> umm, verb6 gives me WAY less than that 18:39 < MadTBone> nope 18:39 < krzie> you sure thats not hella logs combined? 18:39 < MadTBone> deleted log on client prior to connecting 18:40 < krzie> interesting 18:40 < MadTBone> got lots of "UDPv4 READ" and UDPv4 WRITE" lines....that's the bulk of the log 18:41 < krzie> 2.5 megs of text is fuckin huge 18:41 < krzie> ok its getting read and write? 18:41 < krzie> go down to verb 5 then 18:42 < |Mike|> echo bla > openvpn.log 18:42 < |Mike|> and restart the daemon and clients 18:49 < MadTBone> done.... now client log getting lots of RWRWRWRWRWRWRW..... 18:49 < krzie> much smaller? 18:49 < MadTBone> yes...around 140k 18:49 < krzie> there we go 18:52 < MadTBone> client log: http://pastebin.com/m1c0dc0fa 18:57 < MadTBone> server log: http://pastebin.com/m67d97f38 19:00 -!- jdchrist [n=davidc@173-15-94-113-Illinois.hfc.comcastbusiness.net] has quit [Read error: 113 (No route to host)] 19:04 < |Mike|> you can't ping your 10.8.0.x right ? 19:04 < krzie> do you have a keepalive? 19:04 < MadTBone> 10.8 ??? 
19:04 < MadTBone> can't ping 10.254.254.1 19:05 < MadTBone> krzee: howkeepalive 10 120 19:06 < krzie> route-delay 2 is small 19:07 < krzie> default is 30 19:07 < krzie> if you just remove the 2 19:10 < krzie> put that keepalive in the client config too 19:10 < MadTBone> you mean remove the route-delay line, right? Not just the "2" 19:10 < krzie> or push it 19:10 < krzie> no i mean the 2 only 19:10 < krzie> which will make it default to 30 19:10 < MadTBone> ok 19:10 < krzie> 2 is basically like why even do it 19:12 < MadTBone> I assume that -- push "keepalive 10 120" -- on server will work 19:13 < krzie> if not, it'll tell you so 19:13 < krzie> oh sorry you dont need to do that 19:13 < krzie> For example, --keepalive 10 60 expands as follows: 19:13 < krzie> if mode server: 19:13 < krzie> ping 10 19:13 < krzie> ping-restart 120 19:13 < krzie> push "ping 10" 19:13 < krzie> push "ping-restart 60" 19:13 < krzie> else 19:13 < krzie> ping 10 19:13 < krzie> ping-restart 60 19:13 < krzie> its already pushing the stuff 19:14 < krzie> double check that the windows firewall and any software that wants to be a firewall (norton, mcafee, whatever) is NOT enabled for the tap adapter 19:15 < krzie> also do this: 19:15 < krzie> start both, start pinging each from the other right away 19:15 < krzie> and leave the pings running 19:16 < krzie> i have a feeling they always ping, until it for some reason disconnects 19:16 < krzie> or that 1 side can never ping the other, and thats why it disconnects 19:18 < MadTBone> I see that if I repeatedly use "route print" in windows terminal during the vpn login sequence, I see my routes get added, then they all disappear, then routes to 10.254.254.6 and 10.254.254.4 come back... but not 10.254.254.0/24 19:18 < MadTBone> will try pinging immediately...
19:22 < krzie> well ya your logs show that too 19:22 < krzie> that it adds the routes, then disconnects 19:23 < krzie> not sure why you only get back some of the routes 19:23 < MadTBone> nada on the pinging 19:33 < MadTBone> this is really stumping me.... I want to try w/ a linux client.... 19:35 < krzie> ya ild like to see win taken outta the picture too 19:35 < krzie> unfortunately im about to be on my way out 19:36 < krzie> well unfortunately depending on your angle... 19:36 < krzie> im kinda looking forward to getting off work and getting some liquor in me 19:37 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:37 * Dougy[home] grunt 19:37 < MadTBone> ha! I wish I could do the same....as it is, I'm already here 3 hours past closing 19:37 < Dougy[home]> MadTBone, where's ere 19:37 < Dougy[home]> here 19:37 < MadTBone> New York 19:37 < krzie> hah same with dougy 19:38 < Dougy[home]> i was in new york city 19:38 < Dougy[home]> just got home 20 minutes ago 19:38 < Dougy[home]> i was so frustrated in the datacenter today i nearly jumped in front of the fuckin subway car 19:38 < Dougy[home]> god damn 19:38 < MadTBone> I know the feeling! 19:39 < Dougy[home]> i have the WORST cabling you've ever seen 19:39 < MadTBone> I wish I could head home, but I need to have this up and running asap 19:39 < Dougy[home]> i am using 20 10foot ethernets in the space of 10U.. 3footers would be too long, let alone 10footers.. 19:39 < Dougy[home]> its a disaster 19:39 < MadTBone> I can definitely top you on the cables..... 19:40 < Dougy[home]> no, you really couldn't 19:40 < Dougy[home]> i cant even see the back of my cabinet 19:40 < Dougy[home]> space 19:40 < Dougy[home]> its just a cable forest 19:40 < Dougy[home]> thats why i bought a kvm, to add to the mess, so i dont need a crash cart 19:40 < MadTBone> we actually had to move a rack about 3 feet further from the wall because of excess cable.... 
it literally wouldn't fit 19:40 < Dougy[home]> hah 19:41 < Dougy[home]> nice 19:42 < MadTBone> we have several of these thick multi cable snakes...about 15 cat-6 worth of cable in each snake 19:42 < Dougy[home]> MadTBone, what datacente 19:42 < Dougy[home]> r 19:42 < Dougy[home]> cat6 nice 19:42 < MadTBone> not cat-6, but around the same bulk x 15 in each snake 19:42 < Dougy[home]> oh 19:42 < Dougy[home]> http://www.upload3r.com/serve/140709/1247618554.png <-- uber 19:42 < MadTBone> the distance is the killer.... 19:42 < Dougy[home]> im hovered over krzie's server, lmao 19:43 < krzie> haha 19:43 < krzie> that makes me wanna make it start beeping 19:43 < Dougy[home]> why 19:43 < Dougy[home]> if you break it its not getting fixed until next week 19:43 < MadTBone> they were specced for around a 60ft run....now it's only about 8ft 19:43 < krzie> umm, you can make it beep with a command 19:43 < krzie> not only by breaking it 19:43 < Dougy[home]> im nowhere near itn ow 19:43 < Dougy[home]> it now 19:44 < Dougy[home]> 25 miles awa 19:44 < Dougy[home]> y 19:45 < MadTBone> Dougy: not at a datacenter. I run IT/audio/video for a school in upper manhattan 19:45 < krzie> echo $'\a' in bash 19:45 < krzie> the alarm escape 19:45 < Dougy[home]> MadTBone, ah 19:45 < Dougy[home]> I was on whitehall street 19:45 < krzie> of course printf '\a' works too 19:58 * Dougy[home] tired 20:05 < Dougy[home]> anyone here a cisco guru 20:05 < Dougy[home]> i need some halp 20:05 < Dougy[home]> before i rip my hair out of my scalp 20:15 -!- frewsxcv [n=farwell@adsl-75-18-207-100.dsl.pltn13.sbcglobal.net] has joined ##openvpn 20:16 < frewsxcv> what is the most popular thing done with openvpn for end users? I have no idea what it does 20:22 < MadTBone> krzie: interesting....a linux client can't ping either... 
20:22 < Dougy[home]> frewsxcv, a lot of people use it as a "proxy" 20:22 < Dougy[home]> redirect all traffic through 20:22 < Dougy[home]> i use it to provide a private place to bind sshd to on my servers 20:23 < frewsxcv> Dougy, anything else? How do you set it up as a proxy? 20:24 < Dougy[home]> !redirect-gateway 20:24 < vpnHelper> Dougy[home]: Error: "redirect-gateway" is not a valid command. 20:24 < Dougy[home]> m 20:24 < Dougy[home]> hm 20:24 < Dougy[home]> krzie, what's the entry in vpnhelper for that 20:24 < Dougy[home]> frewsxcv, like i said, i use it as a private network to bind sshd on, so only users on VPN can ssh to my servers 20:25 < MadTBone> krzie: strike that.... stupid mistake. client was on same subnet as being pushed... 20:25 < frewsxcv> anything else Dougy ? 20:27 < Dougy[home]> nothing i do with it 20:27 < Dougy[home]> maybe other people have other reasons 20:27 < frewsxcv> Dougy[home], could i use it with bittorrent or something? 20:28 < Dougy[home]> if you use "redirect-gateway" you can route all traffic encrypte dthrough you server 20:28 < Dougy[home]> to torrent 20:28 < Dougy[home]> encrypted 20:30 -!- master_of_master [i=master_o@p549D33F4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:40 < MadTBone> krzee: if I define the routes in the client config and don't push routes, I have the same issue... 20:46 < MadTBone> ok....I'm out.... 
good night everyone 20:52 < Dougy[home]> goodnight 20:53 -!- master_of_master [i=master_o@p549D3D7F.dip.t-dialin.net] has joined ##openvpn 20:57 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:00 -!- jeiworth_ [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)] 21:16 -!- frewsxcv [n=farwell@adsl-75-18-207-100.dsl.pltn13.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 21:29 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 21:41 -!- onats1 [n=15172@221.121.120.254] has quit ["Leaving."] 21:48 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 22:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 22:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 22:40 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has joined ##openvpn 22:42 < cvance> Okay, I have installed an openvpn on two machines and I am having problems with the client accessing the server's subnet. I was able to get the client and server to connect properly to each other but the client can only connect to the server. I have echoed 1 for the ip_forward in /proc on the server and I had to setup a route in the client as such: route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.11 dev tun0. It does not wor 22:42 < cvance> k. 22:43 < cvance> A little bit of background information: the openvpn server/client are setup with a static key. The server is on the 192.168.1.0/24 subnet and the client is on the 192.168.2.0/24 subnet. The server ip is 192.168.1.11 and the client receives 192.168.1.51 as its ip address. 22:52 < Dougy[home]> (740): my lips still taste like vagina 22:52 < Dougy[home]> (1-740): so you liked breakfast? 
22:52 < Dougy[home]> (740): ehh, still wish we woulda went to IHOP instead 22:53 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has quit ["Ex-Chat"] 22:55 -!- Dougy[home] [n=Douglas@ool-43503ed4.dyn.optonline.net] has quit ["Never look down on someone unless you're helping them up."] 23:14 -!- lolipop [n=soontak@219.95.197.122] has joined ##openvpn 23:32 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 23:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Client Quit] 23:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 23:57 -!- p3ri0d [n=p3ri0d@200.2.150.11] has joined ##openvpn --- Day changed Wed Jul 15 2009 00:18 -!- davidc_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 00:31 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 00:39 -!- c64zottel [n=hans@p5B17ACEB.dip0.t-ipconnect.de] has joined ##openvpn 00:42 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [No route to host] 00:52 -!- davidc_ is now known as jdchrist 01:03 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 01:17 -!- mRCUTEO [i=IRCLunat@58.26.212.4] has joined ##openvpn 01:17 < mRCUTEO> hiya all 01:17 < mRCUTEO> hiya krzee 01:18 < mRCUTEO> hiya tjz 01:18 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 01:23 -!- mRCUTEO [i=IRCLunat@58.26.212.4] has quit [] 01:35 < reiffert> good moroning! 
01:42 -!- thedoc_ [n=andelyx@119.73.165.162] has joined ##openvpn 01:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 02:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:10 -!- thedoc- [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn 02:20 -!- thedoc_ [n=andelyx@119.73.165.162] has quit [Read error: 110 (Connection timed out)] 02:25 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 02:30 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 110 (Connection timed out)] 02:33 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn 02:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 02:59 -!- kaushal [n=kaushal@125.18.21.18] has joined ##openvpn 02:59 < kaushal> hi 03:00 < kaushal> can i do High Availability for openvpn ? 03:00 < kaushal> I mean running openvpn service on both the cluster nodes primary and secondary 03:03 < dazo> kaushal: should be doable .... depends on which HA solution you use, and it's features to activate another openvpn server 03:05 < dazo> kaushal: but ... connected clients will need to reinitialise the connection to the new server 03:05 < dazo> kaushal: there's no failover feature inside openvpn 03:06 < kaushal> dazo: great 03:06 < kaushal> I am using Heartbeat 03:06 < kaushal> do you have a use case of it ? 03:08 < dazo> no, I don't ... but I probably then would recommend to add more "remote" configs in the client configs instead ... as they will then loop around until it finds an accessible server 03:08 < kaushal> ok 03:09 < kaushal> dazo: i have one service IP 03:09 < dazo> it might be more "noise" on the newly available openvpn server, due to wrong encryption keys ... and clients might be confused until they renegotiate the connection .... using more --remote's will then do this client side automatically 03:09 < dazo> aha 03:10 < dazo> it will most probably work somehow ... but when one of the server dies .... 
it will be confusion, until connections are re-established against a new server 03:10 < kaushal> that service IP moves around two nodes 03:10 < dazo> ouch 03:10 < dazo> you're doing load balancing in addition? 03:11 < kaushal> is that required ? 03:11 < dazo> no 03:11 < kaushal> so I am doing a failover 03:11 < dazo> I was afraid if it was load balancing in addition, this will not work .... where service IP node moves the traffic to the least used internal IP 03:11 < kaushal> yeah 03:12 < dazo> if it's only failover ... with one master and one or more backups .... this should work fine 03:12 < kaushal> sure 03:12 < kaushal> dazo: I get disconnected 03:12 < dazo> but renegotiation might take longer time 03:12 < kaushal> do you want me to pastebin the configs ? 03:12 < dazo> sure 03:13 < kaushal> can i pvt msg you ? 03:13 < dazo> pastebin is better .... and a lot quicker 03:13 < dazo> logs with verb 4 (or more) would be good as well 03:14 < kaushal> dazo: which configs do you need to look over ? 03:14 < kaushal> is it openvpn.conf or ha.cf ? 03:14 < kaushal> or haresources ? 03:14 < dazo> kaushal: client logs 03:14 < kaushal> ah ok 03:14 < dazo> and openvpn server and client configs 03:18 < dazo> it might be that you'll need to look at --ping-restart on client configs 03:18 < dazo> or the --keepalive option 03:20 < kaushal> keepalive 10 120 ? 03:21 < kaushal> in both the nodes ? 03:21 < kaushal> in server.conf ? 03:25 < dazo> client side 03:26 < dazo> keepalive 10 120 ... gives that it sends a "keep alive ping" to the server every 10 second .... and if no response for 120 seconds, it tries to restart 03:26 < dazo> iirc 03:26 < kaushal> ok 03:27 < dazo> so for your case .... I'd probably push this a bit harder .... keepalive 5 15 03:28 < dazo> but that can backfire, if you're on a slow network link .... 
03:28 < kaushal> dazo: http://openvpn.net/index.php/open-source/documentation/howto.html 03:28 < vpnHelper> Title: HOWTO (at openvpn.net) 03:28 < kaushal> says its on server side 03:29 < dazo> man openvpn 03:29 < dazo> ;-) 03:29 < dazo> --keepalive n m 03:29 < dazo> A helper directive designed to simplify the expression of --ping 03:29 < dazo> and --ping-restart in server mode configurations. 03:29 < dazo> For example, --keepalive 10 60 expands as follows: 03:29 < dazo> if mode server: 03:29 < dazo> ping 10 03:29 < dazo> ping-restart 120 03:29 < dazo> push "ping 10" 03:29 < dazo> push "ping-restart 60" 03:29 < dazo> else 03:29 < dazo> ping 10 03:29 < dazo> ping-restart 60 03:30 < kaushal> dazo: bit confused there 03:31 < dazo> so you can use it on server side as well .... but, it behaves differently then 03:31 < kaushal> so use keepalive 5 15 in client configs ? 03:31 < kaushal> right 03:32 < dazo> yeah .... you can also do this on the server: push "ping 5" push "ping-restart 15" ..... which will push this when clients connect 03:32 < kaushal> got it 03:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:54 -!- thedoc- is now known as thedoc 04:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 04:09 -!- kursad [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 04:27 -!- kursad is now known as kursadk 04:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:07 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:28 -!- |ns|nR8 [n=doof@124.184.100.153] has joined ##openvpn 05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:56 -!- fred [n=fred@slamd64/fred] has joined ##openvpn 05:57 < fred> Hi; I've got a bridged openvpn; everthing on the physical network can reach every openvpn client, and vice-versa - however, openvpn clients can't reach other openvpn clients - how do I fix this? 
05:58 < reiffert> !factoids search client 05:58 < vpnHelper> reiffert: 'someclient2client' and 'client-to-client' 05:58 < reiffert> !client-to-client 05:58 < vpnHelper> reiffert: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. 05:58 < fred> cheers 06:05 -!- c64zottel [n=hans@p5B17ACEB.dip0.t-ipconnect.de] has quit ["Leaving."] 06:40 -!- kaushal [n=kaushal@125.18.21.18] has quit ["leaving"] 06:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)] 06:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 06:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)] 06:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:48 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 07:11 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: MadTBone, chinsan, oligo, sigius, |ns|nR8, mikkel 07:11 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn 07:11 -!- Netsplit over, joins: MadTBone, mikkel, |ns|nR8 07:11 -!- Netsplit over, joins: sigius 07:16 -!- |ns|nR8 [n=doof@124.184.100.153] has quit ["Leaving"] 07:18 < ecrist> morning, folks. 07:21 < thedoc> o/ ecrist 07:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 07:59 -!- lolipop [n=soontak@219.95.197.122] has quit ["Leaving"] 08:12 -!- bandinia [n=bandini@host74-22-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 08:27 -!- bandini [n=bandini@host218-108-dynamic.7-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 08:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 08:49 < MadTBone> krzee: you still around? 
08:53 -!- p3ri0d_ [i=p3ri0d@190.120.193.170] has joined ##openvpn 08:56 -!- p3ri0d [n=p3ri0d@200.2.150.11] has quit [Connection timed out] 09:03 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn 09:06 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 09:38 -!- Napsi [n=Napsi@ti311110a080-0849.bb.online.no] has joined ##openvpn 09:39 < Napsi> hello i get message 09:39 < Napsi> WARNING: 'ifconfig' is present in remote config but missing in local config 09:39 < Napsi> how can i fix it? 09:40 < MadTBone> post your configs and logs as the channel topic states 09:40 -!- p3ri0d_ [i=p3ri0d@190.120.193.170] has left ##openvpn ["Leaving"] 09:41 < Napsi> client : http://pastebin.ca/1495829 09:41 < Napsi> server : http://pastebin.ca/1495832 09:42 < Napsi> logs : http://pastebin.ca/1495833 09:43 < MadTBone> !logs 09:43 < vpnHelper> MadTBone: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:44 < Napsi> hmm 09:48 < MadTBone> Napsi: you're trying to set static IP for your client, but you're setting server to act as dhcp. Read the sample configs for static ip. They're called "static-home.conf" and "static-office.conf" 09:48 < Napsi> hmm how can i set my client to get ip from dhcp? 09:49 < MadTBone> basically, either remove the "ifconfig" line in the client.conf .... OR .... replace the "server" line with an appropriate "ifconfig" line in the server.conf 09:49 < MadTBone> replacing line in server will kill dhcp all around 09:50 < Napsi> i prefer to remove the ifconfig from the client 09:51 < MadTBone> you should read the man page.... look for the --server flag 09:52 < Napsi> hmm 09:52 < Napsi> k 09:52 < Napsi> thx 09:53 < Napsi> so now it suppose to have 10.8.0.1 server ip and 10.8.0.2 client ip 09:53 < Napsi> but i cannot ssh from one to the other one directly.. 
09:58 < Napsi> fixed it :D 10:00 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 10:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 10:02 < ecrist> MadTBone: krzee pops in and out 10:03 -!- jeiworth_ [n=jeiworth@189.163.165.116] has joined ##openvpn 10:04 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 104 (Connection reset by peer)] 10:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:17 * ecrist writes nagios plugin and nagvis gadget for printer supply levels 10:19 < Napsi> now i can connect both sides but i cannot get to ping each other directly from vpn network.. 10:25 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit] 10:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)] 10:36 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 10:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)] 10:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 10:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:44 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)] 10:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 10:50 -!- sander_ is now known as Snadder 10:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 101 (Network is unreachable)] 10:51 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has joined ##openvpn 10:59 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has quit [Read error: 104 (Connection reset by peer)] 10:59 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 11:10 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:16 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 11:34 < Napsi> anyone can help me why 
my server and client gets different ips? 11:39 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:51 < Napsi> anyone? 11:54 -!- p3ri0d [n=p3ri0d@190.120.193.170] has joined ##openvpn 11:55 -!- p3ri0d [n=p3ri0d@190.120.193.170] has left ##openvpn ["Leaving"] 11:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Client Quit] 12:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:10 -!- flokuehn [n=flokuehn@94.186.154.83] has quit [Read error: 60 (Operation timed out)] 12:15 < MadTBone> Napsi: post your configs and logs (current ones...make sure you follow instructions at !configs and !logs ) 12:18 < Napsi> !configs 12:18 < vpnHelper> Napsi: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:20 < Napsi> here's my configs 12:20 < Napsi> http://pastebin.ca/1495994 12:21 < Napsi> http://pastebin.ca/1495995 12:21 < Napsi> my logs from the server side.. 12:21 < Napsi> it was supposed to get tun0 10.8.0.1 and 10.8.0.2 and client side 10.8.0.2 and 10.8.0.1 ? 12:22 < Napsi> because my client side gets 10.8.0.5 and 10.8.0.6 12:23 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn 12:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 12:34 < Napsi> how can i check which clients are connected? 12:37 < Napsi> ? 
12:52 -!- kala [i=kala@uba.linux.ee] has quit ["leaving"] 12:52 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 13:00 -!- kala [i=kala@uba.linux.ee] has quit ["leaving"] 13:00 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 13:03 -!- kala [i=kala@uba.linux.ee] has quit [Client Quit] 13:03 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 13:12 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 13:18 < ecrist> Napsi: through the openvpn-status log 13:18 < ecrist> which you can set within your server config 13:24 < Napsi> hmm 13:53 -!- c64zottel [n=hans@p5B17ACEB.dip0.t-ipconnect.de] has joined ##openvpn 13:53 -!- c64zottel [n=hans@p5B17ACEB.dip0.t-ipconnect.de] has left ##openvpn [] 14:04 -!- chezgi [n=zahra@91.98.167.141] has joined ##openvpn 14:05 < chezgi> how can i create an openvpn network at same machine? 14:10 < xp_prg> anyone done traffic shaping here? 14:12 < Gorkhaan> yes 14:12 < Gorkhaan> check manual 2.1 for this 14:13 < Gorkhaan> keyword: "--shaper" 14:13 < xp_prg> yes I am using shaper but it doesn't limit traffic on the server just the clients 14:13 < xp_prg> how do you handle the server issue? 14:14 < Gorkhaan> tc 14:15 < xp_prg> I am trying to use that right now, oh man is that difficult, can you please help me to understand a very basic setup? 14:15 < xp_prg> when using tc am I limiting the upload or download or both? 14:16 < Gorkhaan> yeah well it's hard to read, wait I'll find you something 14:16 < xp_prg> I really appreciate it 14:16 < chezgi> how can i test a tunnel with one machine. 14:17 < Gorkhaan> http://pastebin.com/mb3cdd00 14:17 < Gorkhaan> Try this xp_prg 14:17 < chezgi> client and server at same machine? 14:17 < Gorkhaan> but watch out 14:17 < Gorkhaan> find the command what can flush these rules 14:18 < xp_prg> so I want to use ethernet device tun0 right? 
14:18 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Connection timed out] 14:19 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:19 < Gorkhaan> Well I'm using NAT - Internet connection sharing 14:19 < Gorkhaan> openvpn server port is 443 14:19 < Gorkhaan> I'm shaping ETH0 with port 443 14:19 < xp_prg> tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 14:22 < Gorkhaan> Wondershaper: http://ubuntuforums.org/showthread.php?t=25911 14:22 < vpnHelper> Title: HOWTO improving your internet connection using wondershaper - Ubuntu Forums (at ubuntuforums.org) 14:23 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 14:23 < Gorkhaan> chezgi : What do you like to do? 14:23 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:23 < Gorkhaan> what would you like to do :D 14:24 < chezgi> Gorkhaan: i want to test my changes to openvpn on my system. 14:24 < chezgi> i want to emulate an openvpn network at one machine. 14:25 < Gorkhaan> Virtualbox : http://www.virtualbox.org/ 14:25 < vpnHelper> Title: VirtualBox (at www.virtualbox.org) 14:25 < Gorkhaan> or VmWare 14:26 < Gorkhaan> create 1 or more virtualised OS 14:26 < Gorkhaan> imho that will do it... or use 2 PC somehow 14:26 < chezgi> Gorkhaan: but i want it be very light and automated. 14:27 < Gorkhaan> automated for testing? 14:27 < Gorkhaan> you need a Server + Client, 2 machines. 14:27 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 14:27 < Gorkhaan> at least 1 server and 1 client. 14:27 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:28 < Gorkhaan> or I'm still dont have any idea what would you like to do. :) 14:29 < chezgi> Gorkhaan:because i want to do some tests on the vpn tunnel at one machine (both side of tunnel is at same machine). 
[ source <--> tun0 <-->OVPN <--> tun1 <--> sink] 14:30 < Gorkhaan> Then yes, Try Virtualbox or vmWare 14:30 < Gorkhaan> You should install some clients on Virtualbox, Windows / Linux 14:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:31 < Gorkhaan> then you create on the Hardware Node the OpenVPN Server 14:31 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 14:32 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:32 < Gorkhaan> And the clients should be on the virtualized side. 14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:33 < chezgi> Gorkhaan:it seems that there is no way doing this on the same machine. i must use some VMs. thank you. 14:34 < Gorkhaan> u're welcome. :) 14:34 -!- chezgi [n=zahra@91.98.167.141] has left ##openvpn [] 14:36 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 14:36 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:39 -!- p3ri0d [i=p3ri0d@190.120.193.170] has joined ##openvpn 14:39 -!- p3ri0d [i=p3ri0d@190.120.193.170] has left ##openvpn ["Leaving"] 14:39 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [" HydraIRC -> http://www.hydrairc.com <- The alternative IRC client"] 14:40 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 14:40 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:49 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 14:57 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Connection timed out] 14:57 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 14:58 < xp_prg> Gorkhaan check this out! 
http://www.geek-pages.com/articles/latest/dd-wrt_-_multiple_ssids_-_1_for_fon_-_1_for_private_network_6.html 14:58 < vpnHelper> Title: DD-WRT - Multiple SSIDs - 1 for FON - 1 for Private Network - Geek Pages -- Information on how to do geeky things... (at www.geek-pages.com) 15:01 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:01 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:01 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:04 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 15:05 < ksnp> hi, anyone know if the openvpn traffic looks exactly like httpS traffic except for amount of traffic / rate of traffic ? 15:05 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:06 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:06 < Gorkhaan> xp_prg : Okay I've read it. :) 15:06 < Gorkhaan> I'm using dd-wrt. :( 15:06 < Gorkhaan> not :( 15:07 < Gorkhaan> * :) 15:07 < xp_prg> what is dd-wrt? 
15:10 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:10 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:14 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Read error: 54 (Connection reset by peer)] 15:15 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:19 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:19 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:23 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:23 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:27 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Read error: 54 (Connection reset by peer)] 15:28 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:41 < Gorkhaan> its a Linux Based Router Firmware 15:42 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 15:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 15:44 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Success] 15:44 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:48 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Read error: 54 (Connection reset by peer)] 15:48 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 15:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:52 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 15:53 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 16:00 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)] 16:01 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit ["Leaving"] 16:09 -!- l2trace99 
[n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Connection timed out]
16:09 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn
16:13 < ksnp> hi, anyone know if the openvpn traffic looks exactly like httpS traffic except for amount of traffic / rate of traffic ?
16:14 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
16:19 -!- Napsi [n=Napsi@ti311110a080-0849.bb.online.no] has quit []
16:33 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 104 (Connection reset by peer)]
16:40 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
16:57 < Gorkhaan> what's wrong with that? :)
17:13 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
17:31 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 110 (Connection timed out)]
17:48 -!- YpsyZNC is now known as Ypsy
18:07 -!- Ypsy is now known as YpsyZNC
18:13 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
18:16 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
18:19 -!- charley1 [n=valce@CPE001c102325f8-CM00186851e9cc.cpe.net.cable.rogers.com] has joined ##openvpn
18:21 < charley1> Hi... can openvpn handle special characters in the password string?
18:21 < charley1> I'm unable to connect right now, and I'm wondering if this is because I have an @ in my password
18:26 < charley1> !howto
18:26 < vpnHelper> charley1: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:29 < charley1> the howto page is broken :(
18:34 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
18:43 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn
18:43 < DeathWolf> hello, I have a working openvpn(tun) but the windows client is not getting any default gateway
18:44 < DeathWolf> push "redirect-gateway" did not seem to help
18:46 < ksnp> hi, anyone know if the openvpn traffic looks exactly like httpS traffic except for amount of traffic / rate of traffic ?
18:52 < charley1> If anybody knows what the cause of http://pastebin.com/m616e0d26 is, that would be hugely appreciated... I suspect it is a problem with the special characters in my password, but I'm not sure...
18:53 < |Mike|> charley1: openvpn works like a charm with certificates..
18:54 < |Mike|> .Jul 15 19:51:53 localhost nm-openvpn[4902]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/
18:54 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net)
18:54 < |Mike|> 9.ore info
18:54 < |Mike|> word, colors.
18:54 < charley1> |Mike|: sorry, I'm not quite sure I understand - I'll keep searching the site, but 9.ore info? (thanks for replying :))
18:55 < |Mike|> 10.Jul 15 19:51:53 localhost nm-openvpn[4902]: NOTE: the current --script-security setting may allow this configuration to call user-defined
18:55 < |Mike|> openvpn works with client certificates ( public / private key pairs etc)
18:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
18:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
18:57 < |Mike|> DeathWolf: did you push the gateway ?
19:00 < |Mike|> ksnp: depends on the crypto level ( 1024 / 2048 ....) :)
19:06 < charley1> |Mike|: I'm using a provided .conf file and .pem (certificate?), I thought I was supposed to be prompted for a PIN/tokencode, but the only thing that happens when I attempt to log on is those error messages... I looked through the site and I'm still a little lost :(
19:06 < |Mike|> you should have generated those, i don't trust other people's certificate(s)
19:07 < charley1> So is it a problem with the certificate I have that's preventing me from logging on?
19:07 < charley1> I thought it may have been a password fail :(
19:08 < |Mike|> did you generate client certs ?
19:10 < charley1> I'm just trying to connect, I don't run the server :(
19:11 < |Mike|> did he provide you with a private key pair ? (as in signed certs)
19:16 < charley1> |Mike|: Yeah, I have a .pem certificate
19:17 < charley1> I found a bug about the use of special characters (like @, $) in passwords - would you happen to know if this is still a problem? The status says Open, but it's been nearly a year :S
19:18 < |Mike|> never seen that bug before charley1
19:18 < ksnp> Mike : why should it depend on the crypto level ? can you expand a bit please ?
19:18 < |Mike|> ksnp: * bits encryption.
19:19 < |Mike|> if you encrypt "echo blablabla" with 256 bits or 2048 bits encryption, it doesn't look similar :) (basically)
19:24 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection]
19:25 < ksnp> ok
19:25 < ksnp> so let's say the length is same as what https uses
19:25 < ksnp> then one can't distinguish between the two ?
19:26 < ksnp> and say i use TCP and same port
19:27 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:27 < |Mike|> openvpn uses udp on default tbh.
19:39 < ksnp> tbh ? anyway config file allows to change to tcp, in order to make it look like https traffic i guess we have to change to tcp ?
19:39 < |Mike|> to be honest.
19:40 < |Mike|> Yep.
19:45 < ksnp> ok
19:45 < ksnp> cool
19:46 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
19:49 < |Mike|> lol ?
19:54 < DeathWolf> mmm, gateway problem solved(manually force pushed a route with metrics)
19:54 < DeathWolf> now, new question, is it possible to make the vpn use more than one tcp connection?
19:55 < DeathWolf> as in, for the date transfer
19:55 < DeathWolf> *data
19:55 < |Mike|> why not ? :)
19:56 < DeathWolf> what option would that be?
19:56 < |Mike|> client to vpn server uses udp on default tho
19:57 < DeathWolf> right.
19:57 < DeathWolf> I forgot about that bit.
19:57 * DeathWolf hopes there isnt too much udp loss around his place
19:57 < |Mike|> i'm not sure about the max sessions per ip etc
19:58 < |Mike|> anyway, it's 3 AM, time to visit a bed :D
19:58 < |Mike|> g'nite.
20:10 -!- Dougy [i=doug@64.18.144.2] has quit [Remote closed the connection]
20:21 < DeathWolf> mmmm
20:21 < DeathWolf> my vpn speeds are fairly erratic... is there anything that can be done to diagnose/solve that?
20:21 < DeathWolf> (and it seems to generate a lot of up-traffic too)
20:38 < charley1> gnite Mike, thanks for the help earlier
20:39 -!- jeiworth_ [n=jeiworth@189.163.165.116] has quit ["No Ping reply in 90 seconds."]
20:40 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn
20:43 < DeathWolf> yeah... Speeds are quite bad for 2k sized packets...
20:43 < DeathWolf> sending to the server seems fast and constant
20:44 < DeathWolf> receiving is really bad though
20:45 < DeathWolf> My connection does 500KB/s Rx, 90KB/s Tx to that serv with ftp, yet there: Packet size 1k bytes: 89698 Byte/s Tx, 320 KByte/s Rx. Packet size 16k bytes: 98830 Byte/s Tx, 99 KByte/s Rx.
20:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D3D7F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:10 -!- master_of_master [i=master_o@p549D3E07.dip.t-dialin.net] has joined ##openvpn
21:12 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:45 < DeathWolf> so there's no mtu size issue according to the test....
21:47 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
21:48 < bsdbandit> openvpn is showing a timestamp of Wed Dec31 1969 how do i get rid of this
21:48 < bsdbandit> oerr
21:50 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
21:51 -!- frewsxcv [n=farwell@adsl-68-126-182-222.dsl.pltn13.pacbell.net] has joined ##openvpn
21:52 < frewsxcv> !howto
21:52 < vpnHelper> frewsxcv: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:54 < frewsxcv> how do you setup openvpn as a http proxy?
21:54 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)]
21:59 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
22:03 * DeathWolf gives up on trying to use openvpn to transfer anything... at best ok for some browsing and irc'ing:/ but otherwise... far too much overhead and variation:/
22:04 < charley1> I keep getting "Received AUTH_FAILED control message" - does anybody know if openvpn can handle '@' characters in the passwords?
22:04 < bsdbandit> openvpn is showing a timestamp of Wed Dec31 1969 how do i get rid of this
22:05 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Client Quit]
22:05 < frewsxcv> DeathWolf, how did you set it up as a proxy?
22:20 < DeathWolf> what do you mean frewsxcv?
22:20 < ecrist> you are the ones who are the ball lickers!
22:20 < DeathWolf> openvpn isnt an http proxy
22:20 < frewsxcv> DeathWolf: " at best ok for some browsing"
22:21 < ecrist> DeathWolf: we use OpenVPN to route entire networks securely across the internet.
22:21 < ecrist> Any issue you may be experiencing is purely you getting in your own way. ;)
22:23 < frewsxcv> DeathWolf, well what did you mean then?
22:24 < ecrist> DeathWolf: are you using tcp or udp?
22:29 < DeathWolf> tried both
22:29 < DeathWolf> I tried modifying mtu in quite a few possible ways
22:29 < ecrist> !tcp
22:29 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
22:29 < DeathWolf> the end result is always the same... the speed varies a lot
22:30 < ecrist> I consistently push 10Mb through our OpenVPN connection.
22:34 < DeathWolf> I'm not saying it's openvpn's fault...
22:34 < ecrist> 22:03 * DeathWolf gives up on trying to use openvpn to transfer anything... at best ok for some browsing and irc'ing:/ but otherwise... far too much overhead and variation:/
22:34 < DeathWolf> It's just direct connection, socks5(both sshd and real socks server), and ftp are giving me 390KB/s stable(my connection's speed)
22:34 * ecrist points to 'far too much overhead and variation'
22:35 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
22:35 < DeathWolf> and openvpn is playing yoyo between 290 and 350
22:35 < DeathWolf> Also the overhead is quite visible... about 20KB/s as soon as I transfer through the vpn.
22:35 < ecrist> DeathWolf: I still posit that your problem lies in your config. Here, I get the same connection speed/latency with OpenVPN as I do with ssh, to the same host.
22:36 < DeathWolf> Well help me, I really want that.
22:36 < DeathWolf> should I paste server and client config somewhere you can see?
22:36 < ecrist> tell you what, it's 22:36 here now, come back in the AM, 9 hours from now.
22:36 < ecrist> I'll be more than happy to review your configs, logs, and try to help you sort it out.
22:36 < DeathWolf> 'k
22:37 -!- charley1 [n=valce@CPE001c102325f8-CM00186851e9cc.cpe.net.cable.rogers.com] has left ##openvpn []
22:38 < frewsxcv> what is the difference between csr and crt file?
22:40 < DeathWolf> http://saber.kawaii-shoujo.net/Various/vpn.txt for later ref so I dont forget it when poking ecrist ;)
22:40 < ecrist> frewsxcv: CSR is a Certificate signing request, CRT is the signed certificate. You give a CSR to the CA Root and they sign it, giving you back a CRT
22:42 < frewsxcv> ecrist, ubuntu asks for user CA certificate....does that go there?
22:43 < ecrist> your openvpn administrator should have given you a CRT
22:44 < frewsxcv> ecrist, found it, nevermind.
22:45 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit ["No Ping reply in 90 seconds."]
22:47 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
22:47 -!- Irssi: ##openvpn: Total of 71 nicks [0 ops, 0 halfops, 0 voices, 71 normal]
22:49 -!- DeathWol1 [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn
22:51 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has quit [Read error: 104 (Connection reset by peer)]
23:14 -!- frewsxcv [n=farwell@adsl-68-126-182-222.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
--- Day changed Thu Jul 16 2009
00:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:44 -!- nsgn [n=brandonb@cpe-24-27-55-224.austin.res.rr.com] has joined ##openvpn
00:45 < nsgn> if someone would take a few moments to help me i'd be very appreciative. i've been working with openvpn for the past two days and can't get a freaking connection from site A to site B
00:45 < nsgn> i've got CentOS running as the server and dd-wrt on a linksys router as the client
00:45 < nsgn> error is on the client end, "cannot load certificate file"
00:46 < nsgn> yet the file is in the proper place and is valid
01:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:54 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:14 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 110 (Connection timed out)]
02:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Success]
02:58 -!- gnr [n=gnr@203.82.91.103] has joined ##openvpn
02:58 < gnr> Can ovpn 2.0.9 support pkcs11?
03:00 < gnr> !howto
03:00 < vpnHelper> gnr: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:00 < gnr> !pkcs11
03:00 < dazo> gnr: you mean smart card/chip cards?
03:00 < vpnHelper> gnr: Error: "pkcs11" is not a valid command.
03:01 -!- p3ri0d [i=p3ri0d@200.2.153.109] has joined ##openvpn
03:01 < gnr> dazo:yup
03:01 < dazo> gnr: I believe it does support it, yes ... there are some arguments for it, and I've seen people discussing how to make it work on the mailing list
03:03 < gnr> i did see the options for pkcs11 for 2.1 version... want to verify for 2.0.9...
03:03 < dazo> gnr: I believe you need 2.1 for it
03:04 < dazo> gnr: I don't believe it is supported in 2.0 ..... but why not upgrade to 2.1_rc18? it's the latest one, which seems to be rock solid to me
03:04 * dazo is using 2.1_rc18 and rc15 in production environments
03:04 < gnr> dazo:if the server runs on 2.0.9 and the client runs on 2.1_rc18... mixed version shouldn't be an issue right?
03:05 < gnr> because the client need to use pkcs11 while the server are not...
03:06 < dazo> gnr: well, the smart card is just another storage for the certificates ... so I don't believe that would be any problem initially .... but there are some features which do not work well between 2.0 and 2.1 series .... I've upgraded servers and clients to rc15 and rc18, just to have less challenges
03:07 < dazo> gnr: I'd give it a shot ... and if you get issues, I'd try to upgrade the server .... it's mostly a clean upgrade, --script-security is the thing I know you'll need to look at in addition
03:07 -!- nsgn [n=brandonb@cpe-24-27-55-224.austin.res.rr.com] has quit [Read error: 60 (Operation timed out)]
03:07 < dazo> 2.1 is better at security and has fixed a lot of bugs
03:12 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
03:22 -!- nsgn [n=brandonb@cpe-24-27-55-224.austin.res.rr.com] has joined ##openvpn
03:29 < gnr> dazo:thanks
03:30 < dazo> gnr: you're welcome! :)
03:32 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)]
03:36 -!- c64zottel [n=hans@91.23.176.154] has joined ##openvpn
03:42 -!- frewsxcv [n=farwell@adsl-75-18-207-100.dsl.pltn13.sbcglobal.net] has joined ##openvpn
03:43 -!- nsgn [n=brandonb@cpe-24-27-55-224.austin.res.rr.com] has quit ["Ex-Chat"]
04:33 < gnr> i'm having download problem with ovpn 2.1rc18... anyone having the same problem?
04:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
04:56 * dazo checks
04:57 -!- gnr [n=gnr@203.82.91.103] has quit [Read error: 60 (Operation timed out)]
04:57 * dazo notices rc19 has been released recently
04:57 -!- gnr [n=gnr@203.82.91.103] has joined ##openvpn
04:57 < dazo> today actually
04:58 < dazo> gnr: http://www.openvpn.net/release/openvpn-2.1_rc18.tar.gz ... should work
04:59 -!- dazo changed the topic of ##openvpn to: OpenVPN 2.1rc19 released 2007-07-16 || Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://live.lmgtfy.com/
05:01 < gnr> the windows version?
05:14 < dazo> gnr: ahh ... sorry! I'm a coder ... I only understand source code :-P
05:14 * dazo looks up again
05:15 < dazo> gnr: http://www.openvpn.net/release/openvpn-2.1_rc18-install.exe .... but you might consider to test the rc19 if you're on windows, as it seems to have an important fix, especially if you're using Vista
05:22 < Gorkhaan> yay! rc19! :) thx
05:25 < gnr> thanks
05:26 < Gorkhaan> Let's install it from source with the power of blessed trinity. ( configure, make, make install ) :D
06:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:12 -!- SuperEvilDeath [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
06:23 -!- Gorkhaan_ [n=Gorkhaan@87.229.108.75] has joined ##openvpn
06:23 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 110 (Connection timed out)]
06:23 -!- Gorkhaan_ [n=Gorkhaan@87.229.108.75] has quit [Client Quit]
06:24 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has joined ##openvpn
06:24 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
06:25 -!- Gorkhaan [n=Gorkhaan@87.229.108.75] has quit [Client Quit]
06:26 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
06:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:35 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn
06:37 -!- gnr [n=gnr@203.82.91.103] has quit [Read error: 110 (Connection timed out)]
06:39 -!- gnr [n=gnr@203.82.79.103] has joined ##openvpn
06:49 < reiffert> hehe, 19 out.
06:50 * DeathWol1 pokes ecrist with http://saber.kawaii-shoujo.net/Various/vpn.txt
06:50 < DeathWol1> so yeah help me now;)
06:59 < DeathWol1> !redirect
06:59 < vpnHelper> DeathWol1: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:59 < DeathWol1> *curious*
07:00 < DeathWol1> yawn, nothing surprising there
07:00 < DeathWol1> anyway, still stuck with the bad perfs:/
07:13 -!- gnr [n=gnr@203.82.79.103] has quit [Read error: 110 (Connection timed out)]
07:16 < DeathWol1> mmmm, vpn on windows is slower
07:16 < DeathWol1> (~20%)
07:20 -!- p3ri0d [i=p3ri0d@200.2.153.109] has left ##openvpn ["Leaving"]
07:23 < dazo> DeathWol1: there's been some discussion about that on the mailing list the couple of last days .... you might want to peek into the archives
07:27 < DeathWol1> aha
07:27 < DeathWol1> ok
07:27 < DeathWol1> openvpn-users?
07:30 < DeathWol1> aha... disabling the global auto tuning helped
07:35 < DeathWol1> though not that much...
07:52 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn
08:09 < ecrist> good morning, fuckers.
08:12 < DeathWol1> good morning
08:12 < ecrist> I see dazo was helping you a bit.
08:13 < DeathWol1> yeah, rec'ed me checking the ml
08:13 < DeathWol1> so far no luck though.
08:13 < ecrist> can you post your configs and logs?
08:13 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has joined ##openvpn
08:13 < DeathWol1> http://saber.kawaii-shoujo.net/Various/vpn.txt for config
08:13 < DeathWol1> let me post log
08:14 < DeathWol1> http://saber.kawaii-shoujo.net/Various/logvpn.txt for the log
08:15 < ecrist> what is this line supposed to be doing for you:
08:15 < ecrist> push "route 0.0.0.0 0.0.0.0 10.8.0.5 286" #needed for windows
08:16 < DeathWol1> allows me to actually use the vpn for internet as a secondary routing
08:16 < DeathWol1> otherwise there's no gateway setup.
08:16 < DeathWol1> (and all I can do is communicate with 10.8.0.1)
08:16 < ecrist> push "redirect-gateway def1"
08:18 < ecrist> this could be a large part of your problem: Thu Jul 16 15:08:28 2009 WARNING: potential route subnet conflict between local LAN [172.16.2.0/255.255.255.0] and remote VPN [0.0.0.0/0.0.0.0]
08:18 < ecrist> and you said you'd already run the mtu tests, right?
08:19 < DeathWol1> ok, now removed the manual route and added def1 gw, will try again
08:20 < DeathWol1> not looking so good(actually almost looking worse)
08:21 < DeathWol1> http://saber.kawaii-shoujo.net/Various/logvpn2.txt for the log ecrist
08:22 < DeathWol1> and it's still slow: 1 file(s) - Total: 18.9 M byte(s) in 01:34 (it should be around 55s)
08:22 < DeathWol1> (direct to that ftp is 50s, ftp->socks on the vpn serv is 55s, ftp->ftp proxy on the vpn serv is 54s)
08:22 < brah> "kawaii-shoujo"?
08:22 < brah> lol
08:23 < DeathWol1> yeah, been my domain forever brah
08:23 < ecrist> what's funny about it?
08:23 < brah> supa kawaii
08:24 < ecrist> DeathWol1: you did the mtu tests, and you're not doing any sort of traffic shaping on your firewalls, right?
08:24 < DeathWol1> no shaping
08:24 < DeathWol1> it's direct through a dsl router with no shaping
08:24 < DeathWol1> but let me do the mtu-test
08:25 < DeathWol1> have to wait 3mins
08:28 < |Mike|> DeathWol1: what encryption level are you using ?
08:28 < DeathWol1> Thu Jul 16 15:28:05 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
08:28 < DeathWol1> |Mike|: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
08:29 < ecrist> do you see a heavy processor load when you're transferring files?
08:29 < ecrist> our office server is a meek 2xP3 933 with 512MB of RAM, and it pushes 10Mb without an issue.
08:30 < |Mike|> DeathWol1: and you're on 100mbit or smt?
08:30 < |Mike|> n/m i see 500kb/s
08:31 < DeathWol1> no ecrist
08:31 < DeathWol1> everything's zippy cpu wise(not even noticeable)
08:31 < DeathWol1> the serv's a dual xeon with 8GB of ram...
08:31 < DeathWol1> and my comp is a quad core@2.4ghz with 8GB of ram too.
08:32 < DeathWol1> So I dont think the issue is cpu wise.
08:32 < |Mike|> Thu Jul 16 15:18:55 2009 UDPv4 link remote: a.b.c.d:1194
08:34 < DeathWol1> yes?
08:34 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:35 < ecrist> fwiw:
08:35 < ecrist> ecrist@Swordfish:~-> scp fesecurity_qb.qb2007 represa:~/
08:35 < ecrist> Password:
08:35 < ecrist> fesecurity_qb.qb2007 100% 11MB 404.6KB/s 00:27
08:35 < ecrist> ecrist@Swordfish:~-> scp fesecurity_qb.qb2007 ocelot:~/
08:35 < ecrist> fesecurity_qb.qb2007 100% 11MB 390.1KB/s 00:28
08:35 < ecrist> represa is an office system, not routed over the VPN, ocelot is an office system routed over the VPN
08:36 < DeathWol1> well my issue seems to be about data coming from the server to me
08:36 < DeathWol1> me to the server seems fairly efficient.
08:37 < DeathWol1> though my line is asymmetric so me to server is much smaller.
08:37 < ecrist> krzee should be around soon, he's great at figuring things like this out.
08:37 < DeathWol1> great;)
08:42 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has quit [Client Quit]
08:54 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
09:00 < brah> ecrist, is the connection to ocelot compressed?
09:01 < DeathWol1> https://saber.kawaii-shoujo.net/Various/vpnbenchmarks.txt btw
09:03 < |Mike|> how big are your rx/tx buffers on your system?
09:04 < DeathWol1> log says Socket Buffers: R=[8192->8192] S=[8192->8192] if that's what you mean
09:11 -!- frewsxcv [n=farwell@adsl-75-18-207-100.dsl.pltn13.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
09:13 < ecrist> brah: no
09:14 < brah> Cool
09:14 < brah> I wonder how long it'd take with LZO compression
09:20 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has joined ##openvpn
09:21 < deever> hi
09:23 < deever> how actually does openvpn SSL-over-UDP?
09:25 < deever> or does openvpn not have anything to do with SSL (the protocol) at all?
09:26 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
09:30 * DeathWol1 pokes krzee to see if he's alive
09:33 < ecrist> deever: OpenVPN uses SSL as its encryption over a TCP or UDP channel
09:34 < dazo> !tunortap
09:34 < vpnHelper> dazo: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
09:35 < dazo> !udportcp
09:35 < vpnHelper> dazo: Error: "udportcp" is not a valid command.
09:35 < dazo> !tcporudp
09:35 < vpnHelper> dazo: Error: "tcporudp" is not a valid command.
09:35 < dazo> grrr
09:35 < ecrist> dazo, what you looking for?
09:35 < dazo> ecrist: you had a good link describing why not to use TCP for openvpn
09:35 * dazo can't find it
09:36 < ecrist> !tcp
09:36 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
09:36 < ecrist> 'twas krzee's link, not mine. ;)
09:36 < dazo> ahh!
09:36 < dazo> ecrist: thx! probably owe you a beer now ;-)
09:37 < ecrist> lots of people owe me a beer. lol
09:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:54 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
10:00 < deever> ecrist: SSL over TCP?
10:00 < deever> arrh!
10:00 < deever> over UDP, i mean
10:00 < deever> does that work?
10:06 < deever> http://marc.info/?l=openssl-users&m=110598313109383&w=2
10:06 < vpnHelper> Title: 'Re: SSL (or alike) over UDP' - MARC (at marc.info)
10:07 * DeathWol1 patiently waits meanwhile:(
10:11 < ecrist> deever: deever yes, it works.
10:12 < deever> ecrist: do you have some further info about, *how*?
10:12 < deever> is openssl in openvpn extended or how else?
10:13 < ecrist> deever, I'd suggest asking on the openvpn-devel mailing list, to get an answer.
10:13 < deever> ok
10:13 < ecrist> SSL is not a transport, it's an encapsulation, UDP is the transport. your linked message is wrong
10:13 -!- c64zottel [n=hans@91.23.176.154] has left ##openvpn []
10:15 < DeathWol1> mmm odd, the openvpn speed seems quite... unstable
10:16 < DeathWol1> I wonder if odd stuff happens to udp around here:/
10:17 < krzee> [10:36] 'twas krzee's link, not mine. ;)
10:17 < krzee> i cant take credit either
10:17 < krzee> that was taken from the manual =]
10:22 < ecrist> thedoc: i'm going to fix that nfs mount we talked about in a short while
10:26 < deever> ecrist: sure, but UDP doesn't implement restoring the correct ordering of the data or even retransmission of lost packets, which must happen before SSL can come into action..
10:27 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
10:28 < ecrist> SSL handles its own correction.
10:28 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 104 (Connection reset by peer)]
10:30 < thedoc> ecrist, what is wrong with that nfs mount?
10:30 < ecrist> the other 600GB of stuff.
10:31 < thedoc> ahh.
10:31 < thedoc> :)
10:31 < thedoc> ecrist, I noticed they all have a recurring theme
10:31 < ecrist> which is...
10:31 < DeathWol1> yep, openvpn is fine at times
10:31 < DeathWol1> but the speeds vary so much
10:32 < DeathWol1> that on average it's 20-40% slower than direct...
10:32 < thedoc> ecrist, all the ass :)
10:32 < ecrist> DeathWol1: is your provider shaping UDP traffic?
10:33 < DeathWol1> Not as far as I know
10:33 < thedoc> It would be odd for providers to shape UDP traffic
10:33 < ecrist> no, it wouldn't
10:33 < ecrist> it's becoming a common way to thwart P2P file sharing.
10:34 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn
10:34 < thedoc> I would be rather upset with my provider if they were shaping it to include vpn traffic
10:34 < DeathWol1> http://saber.kawaii-shoujo.net/Various/SS-16-Jul-09-5.34.10%20PM.png <- graph of openvpn speed
10:34 < ecrist> Comcast, here in the states, did it for about a year before too many people got pissed about it.
10:35 < deever> ecrist: ah, got some info about it now, thanks! :)
10:36 < ecrist> they accomplished it by sendint RST packets
10:36 < ecrist> sending*
10:37 < DeathWol1> so yeah, I think my graph kind of speaks for itself
10:37 < reiffert> DeathWol1: your graph is missing everything.
10:38 < DeathWol1> as in?
10:39 < DeathWol1> http://saber.kawaii-shoujo.net/Various/SS-16-Jul-09-5.35.33%20PM.png if you want the legend.
10:39 < reiffert> labeling, bars.
10:40 < reiffert> and what should we see from your graph?
10:40 < DeathWol1> that the openvpn rx speed fluctuates massively?
10:40 < DeathWol1> since the only data xfer is through the vpn.
10:41 < DeathWol1> I didnt post the direct connection graph because it's an almost flat line at top.
10:41 < reiffert> I dont know any of your setup, nor the way you were transferring stuff nor what else was going on on your network, nor about your providers line.
10:41 < reiffert> please feel free to come back when you have managed to get reproducible data.
10:41 < DeathWol1> I'm not blaming openvpn
10:41 < DeathWol1> I'm trying to find why openvpn's slow on my setup
10:42 < DeathWol1> and I posted reproducible data earlier
10:42 < DeathWol1> I posted my conf too, and logs
10:42 < reiffert> ah, missed that. Using comp-lzo?
10:42 < DeathWol1> yes
10:42 < reiffert> turn it off.
10:42 < DeathWol1> ok
10:42 < reiffert> sending compressed payload over the tunnel?
10:42 < DeathWol1> yes
10:42 < DeathWol1> mostly binary data
10:43 < reiffert> turn it off as well, send a file of 0's
10:43 < reiffert> dd if=/dev/zero bs=1M count=1024 of=file.bin
10:43 < DeathWol1> yes I know how to create a 0'ed file
10:43 < reiffert> welcome
10:43 < DeathWol1> but you do realize that in the end my use of the openvpn will be binary data transfer mostly?
10:44 < reiffert> watch the WAN interface by a packet dumper and watch everything but openvpn packets.
10:44 < DeathWol1> (which is why I used a mix of binary & random data)
10:44 < DeathWol1> what am I supposed to see?
10:44 < DeathWol1> There's nothing but the openvpn(and this irc) running
10:44 < reiffert> you tell me.
10:45 < DeathWol1> (the graph's perfectly flat at a few dozen bytes per sec tops for irc)
10:45 < reiffert> then send the same data over a direct connection, also run some statistic tool like mtr for both things.
10:46 < reiffert> using proto udp?
10:46 < reiffert> sending payload via tcp?
10:46 < DeathWol1> yes udp
10:46 < DeathWol1> yes
10:46 < reiffert> ok, good.
10:46 < DeathWol1> ftp client->openvpn->ftp proxy->ftp server
10:46 < reiffert> mtr is well known?
10:46 < reiffert> uahrg.
10:47 < reiffert> get rid of the ftp proxy.
10:47 < reiffert> or try http for gathering the data
10:47 < reiffert> s,try,use,
10:48 < DeathWol1> also wouldnt mtr be icmp?
10:48 < DeathWol1> (at least in my memory it was)
10:48 < DeathWol1> icmp never was an issue.
10:49 < reiffert> mtr is for watching the times from hops in between
10:49 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: eliasp, flokuehn, rodpod, ^scott^
10:50 < DeathWol1> I just wanted to know what you expected mtr to possibly show... massive sudden lag on some hops?
10:50 < DeathWol1> (not that there's many hops)
10:50 < reiffert> kind of.
10:51 < DeathWol1> to be honest, there's only one, the other end on the vpn
10:52 < DeathWol1> one 20.0 Mbytes/01:04(s)/328.76Kbps => no compression, direct ftpclient->openvpn->ftpserver
10:52 < DeathWol1> file full of zero's
10:52 < reiffert> with or without that ftp proxy?
10:52 -!- flokuehn [n=flokuehn@94.186.154.83] has joined ##openvpn
10:52 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
10:52 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
10:53 < DeathWol1> as I said, direct
10:53 < DeathWol1> no ftp proxy(I'd have written it)
10:53 < reiffert> fine, let's see for the direct transfer without openvpn
10:53 -!- flokuehn_ [n=flokuehn@94.186.154.83] has joined ##openvpn
10:53 < DeathWol1> http://saber.kawaii-shoujo.net/Various/SS-16-Jul-09-5.53.26%20PM.png right most
10:53 < DeathWol1> (that's through openvpn)
10:53 < DeathWol1> now let me try direct
10:54 < reiffert> comp-lzo off?
10:54 < reiffert> (on both sides)
10:54 < DeathWol1> yes
10:54 < reiffert> regarding 5.53.26 .. which one is that 20 MB transfer?
10:55 < DeathWol1> what do you mean?
10:55 < reiffert> I see three plateaus.. which of them is the 20MB transfer?
10:55 < DeathWol1> the right most
10:56 < reiffert> just curious, what was causing the center plateau?
10:56 < DeathWol1> direct transfer.
10:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
10:56 < DeathWol1> (but of something else, so I didnt mention it)
10:57 < reiffert> looks fine to me then. let's say 10% overhead and a "not so flat" plateau for the use of openvpn.
10:57 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:58 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: eliasp, flokuehn, ^scott^
10:58 < DeathWol1> the graph is error inducing, it's 390KB/s average (direct) vs 335KB/s(openvpn)(that's 15%)
10:58 < DeathWol1> and 10% overhead is quite massive if I may speak so.
10:59 < reiffert> think about 1500 bytes in a packet and openvpn headers.
10:59 < reiffert> would you mind trying ipsec and pptp, just for getting more numbers?
11:00 < DeathWol1> I... would need to setup ipsec and pptp for that.
11:00 < DeathWol1> pptp shouldnt be too hard I guess.
11:00 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn
11:00 < DeathWol1> my windows ipsec experience is nil though
11:01 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
11:01 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
11:01 < reiffert> btw, how come your link is that slow, 390KB/s when there is nothing in between?
11:01 < DeathWol1> because it's over internet and I'm on a dsl line?
11:01 < DeathWol1> and that I'm in the middle of ***** nowhere.
11:02 < reiffert> thats why I wanted you to run mtr.
11:02 < DeathWol1> 'k
11:02 < DeathWol1> let me do that, will 50 packets be enough?
11:02 < reiffert> during the whole 20MB transfer.
11:02 < DeathWol1> ok
11:03 < DeathWol1> so far no visible packet loss
11:03 < DeathWol1> (none that matters anyway)
11:05 < DeathWol1> sent you the mtr url in query reiffert
11:07 < reiffert> no stdev on winmtr, how sad.
11:07 < DeathWol1> sorry
11:07 < reiffert> just start another mtr on that line with nothing going over it
11:07 < DeathWol1> k
11:09 < DeathWol1> see query again
11:10 < reiffert> looks like 10.224.55.33 doesnt like much traffic.
11:10 < DeathWol1> that's my first node after dsl
11:11 < DeathWol1> and yes dsl can lose latency when pushing the line
11:11 < DeathWol1> but the packet loss didnt change.
11:12 < reiffert> packet loss is fine.
11:12 < reiffert> however, I call it a normal behaviour, even with 15%. whats the DSL mtu, 1492, 1452 or 1412?
11:13 < reiffert> ?
11:13 < DeathWol1> 1452 I believe, but I dont have direct access to the dsl router's internal info
11:13 < reiffert> all right, you might want to change the openvpn mtu related things then
11:14 < DeathWol1> 1464 seems to be the max ping size I can use.
11:14 < DeathWol1> (without frag being reported)
11:14 < reiffert> as your ftp connection tries to send 1500 bytes per packet. dont forget openvpn headers, so after all that doesnt fit well into 1452/packet.
11:15 < reiffert> This might give you a smoother plateau, try it.
11:15 < DeathWol1> I cant change the ftp client's packet size.
11:15 < reiffert> right.
11:15 < DeathWol1> (I believe it uses 8k standard)
11:16 < reiffert> but you can tune on link-mtu and other mtu related stuff within openvpn.
11:16 < DeathWol1> yeah that I can
11:16 < DeathWol1> so let's 1452-32-8
11:16 < reiffert> sounds ok to me
11:17 < DeathWol1> oh and mtu-test reports: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
11:17 < DeathWol1> but I'm not sure that actually matters
11:17 < reiffert> beats me, lets remember it for later theories.
11:18 < DeathWol1> so the question is which mtu settings to change
11:18 < DeathWol1> just link-mtu or the others too...
11:18 < reiffert> (how could it be 1541 when ping fragments occur for 1464?)
11:18 < reiffert> !factoids search mtu
11:18 < vpnHelper> reiffert: 'mtu-test' and 'mtu'
11:19 < reiffert> !mtu
11:19 < vpnHelper> reiffert: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
11:19 < reiffert> hrmn.
11:19 < reiffert> !mtu-test 11:19 < vpnHelper> reiffert: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 11:19 < reiffert> !factoids search link# 11:19 < vpnHelper> reiffert: No keys matched that query. 11:19 < reiffert> !factoids search link 11:19 < vpnHelper> reiffert: No keys matched that query. 11:19 < reiffert> DeathWol1: I'd start with link-mtu 11:19 < DeathWol1> yeah 11:19 < DeathWol1> am setting it to 1452 and trying 11:20 < reiffert> mssfix sounds nice as well 11:20 < reiffert> and fragment 11:22 < DeathWol1> zero 20.0 Mbytes/01:06(s)/316.83Kbps 11:22 < DeathWol1> great 11:22 < DeathWol1> worse:) 11:23 < reiffert> hang on, tel 11:23 < DeathWol1> 'k 11:24 < DeathWol1> the graph looks a little better though(though slower... so cant say I'm surprised) 11:29 < DeathWol1> sometimes I just wish they had made a socks6 protocol that supported more permanent and generic listen bind'ing. 11:43 -!- SuperEvilDeath [n=death@212.206.209.177] has quit [Connection timed out] 11:53 -!- frewsxcv [n=farwell@adsl-75-35-72-195.dsl.pltn13.sbcglobal.net] has joined ##openvpn 12:21 < ivenkys> !factoids dns 12:21 < vpnHelper> ivenkys: Error: The "Factoids" plugin is loaded, but there is no command named "dns" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 12:21 < ivenkys> list factoids 12:21 < ecrist> you need the ! 12:21 < ivenkys> ecrist: yup :-) 12:24 < ivenkys> i am not sure i am asking this correctly -i have a DNS server running on my VPN Server subnet -, i want to use that DNs server in addition to the "standard" DNs servers on my client . 
any pointers gents 12:25 < ivenkys> client is a OS X laptop - server is OpenBSD - mind you i dont want to wipe or override the DNS servers on my client - i just want to be able to "Add" to it - so to speak 12:31 < ecrist> ivenkys: that's kinda tricky 12:31 < ecrist> you'd need a custom up/down script on each client to append the DNS to existing DNS, and to only strip out the VPN DNS on disconnect 12:32 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 12:37 < ivenkys> ecrist: i feared as much - it is a bit nasty - i dont fully understand this as such , but will bridged VPN instead of routed VPN make a difference at all - my feeling is no... 12:44 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 12:49 < reiffert> DeathWol1: back. 12:49 < reiffert> DeathWol1: any new stuff? 13:06 < DeathWol1> no, I was testing some other vpn solutions 13:07 < DeathWol1> though right now I'm finding that abusingly violently ssh -R and ssh -D might actually be lighter than a full vpn. Especially considering I just need TCP. 13:07 < DeathWol1> (lighter to setup) 13:09 -!- brendan0powers [n=brendan@72.15.28.7] has joined ##openvpn 13:13 < ecrist> ivenkys: no 13:13 < ecrist> DeathWol1: if all you need to do is file transfers, shell, and web browsing, all you need is SSH 13:14 < ecrist> http://www.secure-computing.net/wiki/index.php/Secure_browsing 13:14 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net) 13:16 < DeathWol1> ecrist: what I need is for a few tcp apps to get better routing;) 13:16 < ecrist> you can do routing across ssh 13:17 < DeathWol1> yes, though it's a bit more verbose to setup 13:17 < ecrist> script it :P 13:17 < DeathWol1> that's what I just did :D 13:17 < DeathWol1> (well, 30 mins ago to be exact) 13:18 < DeathWol1> the perfs are not stellar, but I'm getting only a 5% difference 13:18 < DeathWol1> so I think I might stay that way. 
13:18 < DeathWol1> I'm keeping the openvpn for those cases where I am in ... unsecured places though 13:18 < ecrist> it's unrealistic to expect 100% 13:19 < DeathWol1> like *cough* airports. 13:20 < DeathWol1> well I didnt expect 100%. 13:20 < ecrist> you're bitching about a 5% loss now... 13:20 < DeathWol1> nah I wasnt bitching 13:20 < DeathWol1> see the "only";) 13:22 < DeathWol1> anyway, thanks ecrist and reiffert for your help. 13:22 < DeathWol1> this was all instructive;) 13:22 < ecrist> np 13:25 -!- YpsyZNC is now known as Ypsy 13:35 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 14:07 -!- DeathWol1 is now known as DeathWolf 14:16 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 15:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:35 -!- o462 [n=jonathan@o462.fr] has joined ##openvpn 15:35 < o462> Hello 15:35 -!- bandinia [n=bandini@host74-22-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 15:36 -!- bandinia [n=bandini@host92-105-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn 15:38 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 15:38 < o462> Does someone know the port to connect to a Juniper SA ? 15:40 < krzee> juniper can run openvpn? 15:41 < o462> No, but openvpn can connect to juniper 15:41 < krzee> umm no 15:41 < krzee> !notcompat 15:41 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 15:41 < krzee> see #2 15:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:42 < o462> Hmmm, weird, as I know at least one person who uses openvpn to connect to the SA, and it can do SSL VPN 15:43 < krzee> and you didnt think to ask him?
15:43 < krzee> *shrug* time for me to go anyways, bbl 15:44 < o462> The person has been fired, I replace him \o/ 15:44 < o462> Bye, and thanks anyway 15:59 < |Mike|> unf unf baby :d 16:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 16:05 -!- Spockz [n=spockz@71pc198.sshunet.nl] has joined ##openvpn 16:05 < Spockz> hello, I've a problem connecting with my just newly setup vpn 16:06 < Spockz> on the client side I get an hash mismatch on options and the server tells me 16:06 < Spockz> TLS Error: reading acknowledgement record from packet 16:07 < Spockz> http://spockz.pastebin.com/m3753ce76 16:08 < Spockz> I suspect it's an error with the tls key? 16:10 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit ["Leaving"] 16:17 -!- Ypsy is now known as YpsyZNC 16:22 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 16:25 -!- frewsxcv [n=farwell@adsl-75-35-72-195.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 16:43 -!- YpsyZNC is now known as Ypsy 16:44 -!- o462 [n=jonathan@o462.fr] has quit ["Quitte"] 16:45 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 16:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 16:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:27 < Spockz> I'm sorry for asking again, but does someone know how to solve this problem?: 17:27 < Spockz> http://spockz.pastebin.com/m3753ce76 17:52 -!- Ypsy is now known as YpsyZNC 17:57 < ecrist> Spockz: fix your certificates. 17:59 < Spockz> the tls I believe? 17:59 < Spockz> ecrist ^^ 18:01 -!- disposable [i=disposab@blackhole.sk] has quit ["leaving"] 18:11 < ecrist> yes 18:11 < Spockz> ok thanks 18:15 < |Mike|> toot. 18:16 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:30 -!- nexsja [i=corsair@78.84.161.18] has joined ##openvpn 18:31 < nexsja> ello, i'm using an ubuntu box, connected to offices' vpn. 
I've got a connection, though i can't open any web page. 18:31 < nexsja> there might be a problem of connecting to the dns server, or smtn. 18:31 < nexsja> How can i fix that? 18:33 < |Mike|> how is the server configured ? 18:33 < Dougy> !configs 18:33 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:33 < Dougy> !logs 18:33 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 18:34 < |Mike|> pastie.org rules :) 18:35 < nexsja> |Mike| i have no idea... 18:35 < nexsja> i didn't configure it. I've just got some certs... and... umm... that's all i know %) 18:36 < |Mike|> not all servers allow clients to "nat" through their gateway 18:37 < |Mike|> (not by default ) :) 18:37 < nexsja> well i didn't have any problems on my windows box, as far as i can remember 18:38 < |Mike|> you could surf through the vpn before? 18:39 < nexsja> on my win box, yes 18:39 < nexsja> mm... 18:39 < nexsja> i think so 18:39 < nexsja> i can show you the ovpn config file, if that would help? 18:40 < |Mike|> Yes 18:41 < |Mike|> and the one from the win* client as well :) 18:41 < nexsja> that's the same 18:43 < nexsja> http://pastebin.org/2623 18:44 < |Mike|> the certs are in the right place as well ? 18:44 < |Mike|> (no tls ?) 18:45 < nexsja> tls 18:45 < nexsja> the certs are in place 18:45 < nexsja> if they weren't - i couldn't connect, could i? 18:45 < |Mike|> true dat, i don't see any error in your config. 18:46 < nexsja> mb i could change the dns server in the config? 18:46 < |Mike|> why not, if they aren't static (pushed) ? 18:47 < nexsja> mm... 18:47 < nexsja> dunno.
i see in the console that i've been assigned a local dns server, the router 18:47 < nexsja> 192.168.1.1 18:48 < nexsja> i can change that just by adding dhcp-option in the config, right? 18:48 < |Mike|> you can set static dns servers in the openvpn.conf (serverside) 18:48 < |Mike|> Yes nexsja 18:48 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 18:48 < nexsja> i...m... don't have access to openvpn.conf, i think 18:48 < |Mike|> even on client side you can set that :) 18:49 < |Mike|> (as long as they aren't pushed etc) :d 18:51 < nexsja> h, 18:51 < nexsja> hm, i srsly think that the dns server isn't working as it should :/ 18:51 < |Mike|> you can't reach google.com ? 18:51 < nexsja> nope 18:52 < nexsja> i can't even reach any local server by their hostnames 18:52 < |Mike|> just 74.125.127.100 18:52 < |Mike|> ? 18:52 < nexsja> yup 18:53 < nexsja> only like that 18:54 < |Mike|> i would advise you to use the 192.x as dns and contact your admin about it :-) 18:54 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 110 (Connection timed out)] 18:56 < nexsja> hmm 18:56 < nexsja> perhaps i just need to add 192.168.1.1 to my DNS servers list 18:58 -!- kamalp [n=kamalpar@125.99.66.138] has joined ##openvpn 18:58 < nexsja> lol 18:58 < nexsja> worked 18:59 < nexsja> just added 192.168.1.1 to /etc/resolv.conf and everything worked %)) 19:01 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 19:11 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: bandinia, _impuls, qknight, dazo, |Mike|, deever, nemysis, brendan0powers, worch, kaii, (+15 more, use /NETSPLIT to show all of them) 19:11 -!- Corsair^^away [i=corsair@78.84.161.18] has joined ##openvpn 19:11 -!- Netsplit over, joins: deever, nemysis, bandinia, brendan0powers, ^scott^, eliasp, rodpod, thedoc, APTX|, kala (+15 more) 19:12 -!- Corsair^^away [i=corsair@78.84.161.18] has quit [Client Quit] 19:12 -!- nexsja [i=corsair@78.84.161.18] has quit [Killed by ballard.freenode.net (Nick
collision)] 19:12 -!- nexsja [i=corsair@78.84.161.18] has joined ##openvpn 19:17 -!- p3ri0d [i=p3ri0d@200.2.159.76] has joined ##openvpn 19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [No route to host] 19:45 -!- p3ri0d [i=p3ri0d@200.2.159.76] has left ##openvpn ["Leaving"] 19:47 -!- nexsja [i=corsair@78.84.161.18] has quit [Client Quit] 19:52 -!- woody_sud [n=raul@customer-200-79-2-170.uninet.net.mx] has joined ##openvpn 19:53 < woody_sud> !howto 19:53 < vpnHelper> woody_sud: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 20:09 -!- woody_sud [n=raul@customer-200-79-2-170.uninet.net.mx] has left ##openvpn [] 20:15 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn 20:34 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 113 (No route to host)] 20:55 -!- master_o1_master [n=master_o@84.157.59.225] has joined ##openvpn 21:07 -!- master_of_master [i=master_o@p549D3E07.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:35 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 22:14 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)] 22:25 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has quit [Read error: 113 (No route to host)] 22:28 -!- frewsxcv [i=45b55263@gateway/web/freenode/x-f857034e85f15e7a] has joined ##openvpn 22:30 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 22:31 < frewsxcv> all i see is a taskbar icon for this: http://www.openvpn.se/ .....is there any gui client for openvpn for windows? 
22:31 < vpnHelper> Title: OpenVPN GUI for Windows (at www.openvpn.se) 22:59 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 23:03 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Remote closed the connection] 23:05 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn 23:25 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 23:44 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 23:44 -!- tjz [n=tjz@121.6.135.189] has joined ##openvpn 23:45 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn --- Day changed Fri Jul 17 2009 00:00 < krzee> frewsxcv, that link is the gui 00:00 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Success] 00:00 < krzee> what exactly do you expect from it? 00:00 < krzee> it just starts the vpn for you 00:00 < krzee> (and stops it iirc) 00:01 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 00:10 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 00:10 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 00:19 -!- tjz [n=tjz@121.6.135.189] has quit [Success] 00:28 -!- frewsxcv [i=45b55263@gateway/web/freenode/x-f857034e85f15e7a] has quit [Ping timeout: 180 seconds] 00:32 -!- tjz [n=tjz@121.6.135.189] has joined ##openvpn 00:52 -!- tjz2 [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 01:17 -!- tjz [n=tjz@121.6.135.189] has quit [Read error: 110 (Connection timed out)] 01:27 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 01:28 -!- debayan [n=debayan@anubhav.deeproot.co.in] has joined ##openvpn 01:28 -!- medhu [n=medhamsh@support.deeproot.co.in] has joined ##openvpn 01:29 < medhu> could i please get help for configuring tinyca? 
01:30 < krzee> try this instead maybe 01:30 < krzee> !ssl-admin 01:30 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 01:39 -!- Phoenixfire159 [n=kaitocra@cpe-098-122-181-242.nc.res.rr.com] has joined ##openvpn 01:39 < Phoenixfire159> hi I've three servers in a cluster, and I'd like to encrypt all communication between them, is openvpn right for the job or would ipsec be better? 01:40 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 01:40 < krzee> in a cluster as in directly connected? 01:41 < Phoenixfire159> they're on the same network, as well as many other servers 01:41 < Phoenixfire159> I want communications between these three particular ones to be encrypted 01:41 < Phoenixfire159> it's part of my VPS setup 01:42 < rawDawg> im trying to figure out how to get my dd-wrt router to be a client 01:43 < rawDawg> i put in the ip and the keys, but it doesnt seem to connect 01:43 < rawDawg> !route 01:43 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 01:44 < krzee> !configs 01:44 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 01:44 < krzee> rawDawg, only diff between server and client is the config 01:44 < krzee> oops instead of configs i meant sample 01:44 < krzee> !sample 01:44 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 01:44 < krzee> in that sample you can see a client and server basic config 01:45 < krzee> the !route is for after that basicness is done, connecting lans into 
the mix 01:45 < krzee> Phoenixfire159, i guess it doesnt matter much which you go with then, advantage of ipsec in that case is clients can directly connect to each other, not with openvpn 01:46 < krzee> and since you dont need high security, that could make ipsec better for you i guess 01:46 < krzee> (first time ive ever said that) 01:52 -!- Phoenixfire159 [n=kaitocra@cpe-098-122-181-242.nc.res.rr.com] has left ##openvpn [] 01:53 < rawDawg> cant openvpn hosts connect directly? 01:54 < krzee> hosts? sure 01:54 < krzee> 2 clients connecting without going through the server, no 01:55 < rawDawg> couldnt they just use a different tunnel tho? 01:55 < dazo> rawDawg: last time I tried openvpn on dd-wrt .... it was at best partly working via webui config ... try starting openvpn via ssh session against your dd-wrt ... that way you'll see the errors immediately 01:56 < rawDawg> dazo: have you had success with dd-wrt running openvpn? 01:56 < krzee> rawDawg, yes, they could 01:56 < krzee> in his situation it seemed easier that way tho 01:56 < dazo> rawDawg: yes ... well, right now, I'm using x-wrt with openvpn 01:56 < krzee> if it was over the inet I'd still use ovpn 01:56 < rawDawg> hmm i havent heard of x-wrt, is it better than dd-wrt?
01:57 < rawDawg> krzee: gotcha 01:57 < dazo> rawDawg: I ditched dd-wrt due to some security concerns I had which wasn't resolved properly by the upstream developers 01:57 < dazo> rawDawg: x-wrt is OpenWRT with webui 01:57 < rawDawg> i think i need to learn linux 01:57 < dazo> rawDawg: http://www.x-wrt.org/ 01:57 < vpnHelper> Title: Web interface for OpenWrt and more - X-Wrt.org (at www.x-wrt.org) 01:57 < rawDawg> i just read the openvpn book 01:57 < krzee> yes, you do if you plan on using linux 01:57 < krzee> you're firmware is linux 01:58 < krzee> s/you're/your/ 01:58 < rawDawg> right 01:58 < rawDawg> and i dont know how to access or edit the config in the nvram i guess you would call it 01:58 * dazo has not upgraded to the latest x-wrt yet .... waiting for a rainy day to do that :-P 01:58 < rawDawg> because i am that much of a linux newb 01:58 < dazo> rawDawg: no prob :) 01:59 < reiffert> nvram show |grep -i whatever 01:59 < dazo> rawDawg: it's not difficult ... as long as the thought of a command line doesn't freak you out :-P 01:59 < reiffert> nvram set foo=bar 01:59 < reiffert> nvram commit 01:59 < dazo> nvram get foo 01:59 < rawDawg> no i use windows commands all the time 01:59 < reiffert> excel.exe 01:59 < rawDawg> lol 01:59 < dazo> heh 01:59 < reiffert> winword.exe 01:59 < krzee> mspaint 01:59 < krzee> (you dont need the .exe) 02:00 < rawDawg> yeah like those :) 02:00 < reiffert> calc.exe cmd.exe msconfig gpedit.msc 02:00 < dazo> calling cmd.exe ... from cmd.exe ....hmmmmmmmmmm 02:00 < reiffert> shutdown -t 01 -s 02:02 < krzee> Kid Cudi - Day And Night .... addicting song 02:02 < dazo> rawDawg: anyway ... the main difference between dd-wrt and x-wrt/OpenWRT .... dd-wrt stores most of its config in nvram .... OpenWRT saves it in files on the internal flash .... so you don't need to worry too much about nvram 02:03 < rawDawg> i might take a look at it later then 02:03 < rawDawg> you mind if i pm you dazo? 
02:04 < dazo> rawDawg: sure do :) I might not be responsive all the time (as I'm at work) ... but I'll help out as much as possible 02:04 < dazo> even though, I might be more offline today .... as I'm considering to upgrade my workstation to Fedora 11 02:04 < krzee> note, there are help channels for those linux firmwares 02:04 < krzee> (with this being the openvpn help channel) 02:05 -!- gnr [n=gnr@112.52.50.60.cbj05-home.tm.net.my] has joined ##openvpn 02:07 < gnr> i'm having issue with pkcs11... TLS Error: TLS handshake failed 02:07 -!- kamalp [n=kamalpar@125.99.66.138] has quit [] 02:20 -!- rawDawg2 [n=rawDawg@76.188.26.242] has joined ##openvpn 02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:23 -!- kaushal [n=kaushal@125.18.21.18] has joined ##openvpn 02:23 < kaushal> hi 02:24 < kaushal> I have setup a openvpn tunnel between two networks. The issue is that I am unable to ping the LAN IP from either of the networks 02:25 < kaushal> anyone here need my configs ? 02:29 < kaushal> is there a Howto for setting up openvpn tunnel ? 02:29 < kaushal> just to ensure if i am doing it correct 02:31 < gnr> kaushal:check the routing table 02:31 < kaushal> gnr: is it route -n ? 02:32 < gnr> yup.. for both server and client 02:32 < gnr> sometimes the routing table is not pushed to the client 02:34 < kaushal> gnr: bit confused there :( 02:34 < kaushal> shall i pastebin the configs ? 02:36 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 03:19 -!- kaushal [n=kaushal@125.18.21.18] has quit ["leaving"] 03:55 -!- kladizkov [n=fabin@117.196.133.152] has joined ##openvpn 03:57 < kladizkov> i installed and configured openVPN in my server... and openVPN client could connect to the server and tun0 is up on both machines.. but when i do a telnet to tun0 IP address, its connecting to my local machine instead of the openVPN server.. any idea why? 
04:03 -!- kekko [n=kekko@host26-12-static.187-82-b.business.telecomitalia.it] has joined ##openvpn 04:04 < kekko> is bridging on the server side (TAP) necessary if you are going to have windows clients? 04:04 < kekko> !topology 04:04 < vpnHelper> kekko: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 04:05 < Bushmills> kladizkov, telnet to the ip address of the server tun0 interface instead 04:06 < kladizkov> oh 04:06 < kladizkov> Bushmills: its working now.. 04:06 < kladizkov> Thanks :) 04:06 < Bushmills> (as a side note, you might prefer ssh over telnet) 04:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 04:07 < kladizkov> telnet was a test.. ssh is also working.. 04:14 -!- kladizkov [n=fabin@117.196.133.152] has quit ["Ex-Chat"] 04:17 -!- flokuehn_ [n=flokuehn@94.186.154.83] has quit ["leaving"] 04:53 -!- kladizkov [n=fabin@117.196.133.152] has joined ##openvpn 04:54 < kladizkov> is there any way i could allow a client from a certain IP only? 05:02 < krzee> by using a firewall? 05:02 < krzee> you could also do it in a script i guess 05:03 < krzee> see EXECUTION ORDER in the manual to see all times you can run a script 05:03 < krzee> one of them can selectively deny clients based on whatever you say 05:03 < krzee> kekko, no, bridging is ONLY needed when you want layer2 protocols to flow over the vpn 05:04 < krzee> in windows its called a tap device, but it does tun just fine 05:04 < krzee> *sleep* 05:32 < kladizkov> i was looking at firewall for this.. something like a user account ( client certificate ) which gets authenticated only if its from a particular IP address registered by him at server end.. like that? is this possible using openvpn?
05:33 < kladizkov> sorry, i was *NOT* looking for firewall 05:35 -!- kladizkov_ [n=fabin@61.17.22.142] has joined ##openvpn 05:40 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Client Quit] 05:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 05:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:52 < kekko> thx krzee 05:53 -!- kladizkov [n=fabin@117.196.133.152] has quit [Read error: 110 (Connection timed out)] 06:06 -!- kekko [n=kekko@host26-12-static.187-82-b.business.telecomitalia.it] has quit [Remote closed the connection] 06:08 -!- kladizkov_ [n=fabin@61.17.22.142] has quit ["Ex-Chat"] 06:20 -!- gnr [n=gnr@112.52.50.60.cbj05-home.tm.net.my] has quit [Read error: 110 (Connection timed out)] 06:47 -!- debayan is now known as veniki 06:47 -!- veniki is now known as venki 06:48 -!- venki is now known as supreetha 06:49 -!- supreetha is now known as Ganesh 06:49 -!- Ganesh is now known as shiva 06:50 -!- shiva is now known as venki 06:50 -!- venki is now known as debayan 06:51 -!- GuilhermeCunha [n=falecom@unaffiliated/guilhermecunha] has joined ##openvpn 06:51 < GuilhermeCunha> please 06:51 < GuilhermeCunha> help me 06:51 < GuilhermeCunha> http://tinypic.com/r/281xwr7/3 06:51 < vpnHelper> Title: openvpn Pictures, openvpn Images, openvpn Photos, openvpn Videos - Image - TinyPic - Free Image Hosting, Photo Sharing & Video Hosting (at tinypic.com) 06:54 < |Mike|> logs please. 06:54 < |Mike|> !logs 06:54 < |Mike|> !log 06:54 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 06:54 < vpnHelper> |Mike|: Error: You don't have the owner capability. 
If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 06:54 < |Mike|> !configs 06:54 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 06:54 < |Mike|> all that :) 06:56 < dazo> GuilhermeCunha: have you read the error message carefully? 06:57 < dazo> GuilhermeCunha: your problem is spelt out pretty clearly on the 4th line from the top 06:59 < |Mike|> you have some good eyes dazo :P 07:00 < dazo> |Mike|: I hope you figured out you could click on the image ;-) 07:00 < |Mike|> Yeah, but it's still uber-tiny 07:01 < dazo> |Mike|: maybe my old 19" screen with 1280x1024 resolution .... which enlarges it pretty well :-P 07:01 < |Mike|> hehe 07:02 * dazo seriously needs a new monitor at work ... 07:04 < ecrist> good morning 07:07 < dazo> g'day! 07:14 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 07:15 -!- YpsyZNC is now known as Ypsy 07:50 < ecrist> our backup server is having disk issues this AM 07:50 < ecrist> fsck on 3.2TB in process.
08:06 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 110 (Connection timed out)] 08:23 -!- debayan [n=debayan@anubhav.deeproot.co.in] has quit [Read error: 110 (Connection timed out)] 08:32 < dazo> ouch 08:37 -!- jeiworth [n=jeiworth@189.177.231.62] has joined ##openvpn 08:52 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit ["leaving"] 08:53 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 08:54 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Client Quit] 08:54 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 08:54 -!- Abel408 [i=42a2b66c@gateway/web/freenode/x-0b4a06d41cbb4189] has joined ##openvpn 08:54 < |Mike|> ecrist: have fun :P 08:55 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:58 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 09:01 -!- rawDawg2 [n=rawDawg@76.188.26.242] has quit [] 09:09 -!- medhu [n=medhamsh@support.deeproot.co.in] has quit [Client Quit] 09:13 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 09:18 < Abel408> How much memory is needed to start a vpn connection? Every time I successfully establish a vpn connection my router crashes and I think it is because there is not enough memory 09:19 < ecrist> never measured it 09:20 < ecrist> not much 09:20 < ecrist> enough to load your key and their key into memory, plus any additional ccd directives. 09:20 < ecrist> +/- 5% for processing 09:22 < Abel408> Every time a successful vpn connection is established the router seems to crash. The computers get a self assigned ip and I can no longer ping the router. The only way to get it working again is to reboot the router without the wan cable plugged in. I have openvpn setup fine on a different router though... Just can't get this one setup. Anything it could be?
09:23 < Abel408> but if I put the incorrect settings in then the router won't crash 09:24 < Abel408> I have looked at the logs while starting openvpn and everything seems to be ok. It just stops working when it gets to the line that says something like "initiated successfully" 09:27 < ecrist> hooray! done with fsck 09:28 < ecrist> 3.2TB in about an hour and a half 09:30 < Abel408> yay! any problems? 09:30 < Gorkhaan> Nice. :) 09:34 < ecrist> none 09:47 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 09:51 -!- simply [n=kacper@79.185.68.227] has joined ##openvpn 09:51 < simply> hi all i have problem with openvpn 09:52 < simply> i can connect to server but i cant ping server or client from server 09:52 < Gorkhaan> Firewall? 09:52 < simply> but i open 1194 under server and client 09:56 < Gorkhaan> that's enough for getting the vpn connection, you need to accept ICMP packets in your firewall 09:59 < |Mike|> ecrist: ssd ? :) 09:59 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 10:00 < |Mike|> !configs 10:00 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:00 < |Mike|> !logs 10:00 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:00 < |Mike|> simply: ^ 10:00 -!- Abel408 [i=42a2b66c@gateway/web/freenode/x-0b4a06d41cbb4189] has quit ["Page closed"] 10:01 -!- GuilhermeCunha [n=falecom@unaffiliated/guilhermecunha] has quit ["Saindo"] 10:04 < ecrist> |Mike|: no, SATA2, 7200RPM x 12 10:04 < ecrist> SAS 10:04 < rawDawg> !configs 10:04 < vpnHelper> rawDawg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:04 < rawDawg> !howto 10:04 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:05 -!- pumbac [n=mla@pc01.kabinet.iasi.rdsnet.ro] has joined ##openvpn 10:10 -!- simply [n=kacper@79.185.68.227] has quit ["Leaving"] 10:10 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 10:11 < NfNitLoop> Hi. I've been using an ipv6 openvpn for a while with no problems. 10:11 < NfNitLoop> A friend wants to connect exactly the same way I do, so I generated keys for him, and it works... 10:11 < NfNitLoop> but it seems only one of us can be connected at a time? 10:12 < NfNitLoop> this is using tun-ipv6 and tls-server. 10:12 < NfNitLoop> I'm poking through documentation to see if there's something I need to do to enable multiple connections. 10:15 < Gorkhaan> Common name is the same? 10:15 < NfNitLoop> Nope. 10:15 < Gorkhaan> hm 10:15 < Gorkhaan> well you can try it anyway 10:15 < Gorkhaan> !duplicate-cn 10:15 < vpnHelper> Gorkhaan: Error: "duplicate-cn" is not a valid command. 10:15 < Gorkhaan> xD 10:16 < NfNitLoop> I can try what? 10:16 < Gorkhaan> find it in the manual, maybe it helps: --duplicate-cn 10:19 < NfNitLoop> Nope, doesn't work. Our cn's are different. 10:19 < Gorkhaan> how do you give IP address to him? 10:19 < Gorkhaan> ifconfig? 10:20 < NfNitLoop> Yeah, we both have scripts that set unique ipv6 addresses for us. 
10:20 < NfNitLoop> since server mode doesn't seem to support ipv6 yet. :(
10:21 -!- brad_ [n=quassel@12.48.121.170] has quit [Read error: 104 (Connection reset by peer)]
10:22 < dazo> NfNitLoop: have you enabled an IP address pool?
10:22 < dazo> ahh true
10:22 < Gorkhaan> hm, I'm not an expert in ipv6 really. but:
10:22 < Gorkhaan> --tun-ipv6
10:22 * dazo read the complete dialogue
10:22 < Gorkhaan> are you using both sides?
10:22 < rawDawg> hi dazo
10:23 < dazo> rawDawg: hi'ya!
10:23 < rawDawg> im working on this wrt again
10:23 < Gorkhaan> hi :)
10:23 < dazo> rawDawg: found your issues with openvpn?
10:23 < rawDawg> i can get openvpn running on the wrt now
10:24 < rawDawg> i just cant seem to get a config that works right yet
10:24 < rawDawg> this is the output from telnet
10:24 < rawDawg> http://pastebin.com/m227ec3b
10:24 < NfNitLoop> Gorkhaan: yes, I'm using --tun-ipv6
10:24 < NfNitLoop> dazo: No, I don't have an ip address pool. I tried giving it a pool of v6 addresses, but it just silently failed.
10:24 < NfNitLoop> (IIRC. It's been a while.)
10:25 < Gorkhaan> "certificate is not yet valid:"
10:25 < dazo> NfNitLoop: yeah, I'm sorry .... I brought up my thoughts before reading all
10:25 < dazo> rawDawg: setup ntp-client on your router ... that'll solve it most probably
10:26 < Gorkhaan> NfNitLoop : Do you have to use a static ipv6 ip address?
10:26 < NfNitLoop> The issue is that OpenVPN just *refuses* another connection, so we're not even getting to authentication conflicts or anything.
10:26 < rawDawg> an ntp-client would be what?
10:26 < NfNitLoop> it's like it only listens for one incoming connection.
10:26 < NfNitLoop> and then everything else is refused.
10:26 < pumbac> who can enlighten me regarding the routes in this config: http://pastebin.com/d640d6924 i want to reach PC1 from vpn
10:26 < NfNitLoop> Gorkhaan: I don't have to. But it's easy...
10:27 < Gorkhaan> NfNitLoop : try: topology subnet
10:27 < dazo> rawDawg: ntp will adjust the clock .... you can use 1.pool.ntp.org as server
10:27 < dazo> rawDawg: it's a config option in the webui
10:27 < rawDawg> ok
10:27 < Gorkhaan> then wait for DHCP
10:27 < rawDawg> thanks dazo
10:27 < dazo> rawDawg: no prob :)
10:27 < Gorkhaan> that's how I'm using it... on IPv4
10:28 < NfNitLoop> "topology subnet"?
10:28 < Gorkhaan> yes
10:28 < NfNitLoop> is that a config option?
10:28 < Gorkhaan> check the Manual too for further info
10:28 < NfNitLoop> I don't see a --topology. :p
10:28 < Gorkhaan> yes
10:28 < NfNitLoop> I'm using 2.0
10:28 < Gorkhaan> but there is
10:28 < dazo> NfNitLoop: it was introduced in 2.1, iirc
10:28 < Gorkhaan> 2.0? :s
10:28 < Gorkhaan> sry then
10:28 < NfNitLoop> 'k. I'll read up on 2.1
10:28 < Gorkhaan> I thought you had the latest OpenVPN
10:28 < NfNitLoop> 2.0 is just what came with this Debian.
10:28 < dazo> NfNitLoop: for ipv6 .... I'd probably consider upgrading to 2.1_rc18 or rc19
10:29 < NfNitLoop> dazo: why's that? It's working fine for one connection. :)
10:29 < Gorkhaan> Read changelog
10:29 < pumbac> !route
10:29 < vpnHelper> pumbac: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:29 < Gorkhaan> many many upgrades/updates
10:29 < dazo> NfNitLoop: because your issues can most probably be related to bugs ..... 2.0 is 3 years old or so
10:30 < rawDawg> i set the right time settings and added the ntp server
10:31 < dazo> NfNitLoop: I've been running 2.1_rc15, rc_18 and rc_19 in production .... upgraded to rc19 on the server yesterday .... and it works very well ..... and rc_15 was unchanged for quite some time
10:31 < rawDawg> but the time is still off
10:31 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
10:31 < dazo> rawDawg: you might need to reboot it .... but remember to put your configs into nvram ... and nvram commit
10:31 * dazo doesn't remember how to adjust the clock via ntp manually on dd-wrt
10:31 < rawDawg> dazo: k rebooting
10:31 < dazo> might be the dd-wrt wiki says something
10:33 < Gorkhaan> ntpclient -u
10:33 < dazo> Gorkhaan: dd-wrt ships ntpclient?
10:33 < Gorkhaan> Yep. :) I have a dd-wrt firmwared router
10:34 < rawDawg> Summer Time (DST) for EST would be - "2nd sun mar 1st sunday nov" right?
10:34 < NfNitLoop> Ok. I'll upgrade and give it a try later. Thanks for the help.
10:34 < Gorkhaan> maybe not "-u" it's "-h"
10:35 < Gorkhaan> but it can be changed on the dd-wrt web Interface too
10:35 < dazo> Gorkhaan: -u is usually to use unprivileged port on client side
10:35 < Gorkhaan> yeah, sry then. :)
10:35 < NfNitLoop> Oh, I had another question while I'm here: Is there a way to revoke a key I've signed? Say I want to revoke someone's access to my vpn?
10:36 < Gorkhaan> it's 35'C in my room >.>
10:36 < dazo> Gorkhaan: -u is usually clever, especially if the box you're running ntpclient also runs ntpd
10:36 < dazo> NfNitLoop: yes, you'll need to configure CRL on the server .... and standard certificate tools for revoking certs do everything
10:37 < Gorkhaan> root@DD-WRT:~# ntp
10:37 < Gorkhaan> ntpclient ntpd
10:38 < NfNitLoop> I need to read up on openssh key management. PGP I understand. openssh always makes me scratch my head till things start working and I stop bothering with it. :p
10:38 * dazo ditched dd-wrt in favour of x-wrt about a year ago or so
10:41 < Gorkhaan> :D
10:41 < pumbac> who can enlighten me regarding the routes in the config below; i want to reach PC1 from vpn
10:41 < pumbac> http://pastebin.com/d640d6924
10:42 * Gorkhaan Just bough asus wl500gP v2 ( 2 weeks ago )
10:42 < Gorkhaan> bought
10:44 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
10:45 < rawDawg> how do i check the time on dd-wrt?
10:45 < Gorkhaan> date
10:45 < dazo> Gorkhaan: I left dd-wrt after some bad handling of some security issues .... it had hard coded 2 IP addresses, which granted them free access to the router ....
10:45 < rawDawg> thanks Gorkhaan
10:46 < Gorkhaan> dazo : that's bad. Can you tell me which Firmware it was?
10:47 < dazo> Gorkhaan: many .... it had been latent in the code for a couple of years .... I jumped off at 2.4 at some point
10:47 < rawDawg> i havent noticed that in the version i am running
10:47 < dazo> or was it 2.3? .... I discovered after upgrading to the latest version
10:47 < Gorkhaan> rawDawg : I created my certs on my Laptop, then copied back to the router. Generating certs took ages
10:47 < dazo> they said they would fix it .... but they didn't see the point of informing its users about this issue
10:48 < ecrist> well, I've done my contributions for Nagios and NagVis for the day.
10:48 < Gorkhaan> well yesterday I had a DHCP Issue too
10:48 < ecrist> s/day/week/
10:48 < rawDawg> got the date to update :)
10:48 < Gorkhaan> If I wanted to get an IP address on my laptop with windows it worked
10:48 < Gorkhaan> linux not
10:49 < Gorkhaan> I said wtf. then I reset the router, it went back to normal again... strange
10:50 < dazo> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=35783 ... here's the thread of the problem
10:50 < Gorkhaan> dazo : I've got this: Firmware: DD-WRT v24-sp2 (05/21/09) mini-usb
10:51 < Gorkhaan> thx checking it out
10:51 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has left ##openvpn []
10:51 < dazo> Gorkhaan: they probably fixed it ... they said they would .... but they didn't want to inform its users at all that that release, and earlier, had an issue
10:51 < Gorkhaan> yeah.
10:52 < dazo> Gorkhaan: for me, that's an unacceptable attitude to security issues .... so I ditched them
10:52 < Gorkhaan> First I tried Mega Generic. but it couldnt handle the JFFS2 storage
10:52 < Gorkhaan> then I decided to use the "usb" version
10:53 < Gorkhaan> Now everything works. My Router is for home use, with LAN only.
10:55 < rawDawg> now that i got the time updated, it looks like it is working better
10:55 < rawDawg> here is the output
10:55 < rawDawg> http://pastebin.com/m943d1b4
10:59 < Gorkhaan> it looks okay. Try to connect
11:01 < dazo> rawDawg: congrats! Seems to work!
11:01 < dazo> rawDawg: "Fri Jul 17 11:49:17 2009 Initialization Sequence Completed"
11:03 < dazo> rawDawg: now it is just to setup proper routing for your clients which you want to grant access, then to enable --daemon mode in the openvpn.sh script .... and put those three last lines into the nvram rc_startup variable ... and it'll start up automatically upon boot
11:03 < rawDawg> only problem is i cant ping the endpoint
11:04 < rawDawg> Fri Jul 17 11:49:17 2009 /sbin/ifconfig tun0 10.8.0.6 pointopoint 10.8.0.5 mtu 1500
11:04 < dazo> rawDawg: from the router?
11:04 < rawDawg> the server is 10.8.0.1
11:04 < rawDawg> im confused why it says .5
11:04 < rawDawg> yes dazo: from the router
11:05 < dazo> rawDawg: yeah, that's confusing .... that's the tun p-t-p setup .... you should be able to ping 10.8.0.5, I believe
11:05 < dazo> rawDawg: just trust it to be correct ... this is normal setup
11:07 < rawDawg> i cant ping .6 from the server
11:07 < dazo> rawDawg: on the server, you should probably ping 10.8.0.2
11:08 < rawDawg> i can ping the server from the router
11:08 < Gorkhaan> rawDawg : why dont you post your client/server config ? :) it should be easier to help, no?
11:08 < rawDawg> ok i will
11:08 < dazo> rawDawg: you want traffic to be initiated from both sides of the network?
11:09 -!- SuperEvilDeath [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"]
11:09 < dazo> rawDawg: you might also want to have a look at !route
11:09 < dazo> !route
11:09 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:09 < rawDawg> yes i am going to get to that as soon as i get these working on the same network
11:11 < rawDawg> here are my configs: http://pastebin.com/m6f895081
11:13 < Gorkhaan> rawDawg : so you are using dd-wrt ( dont want to tell you stupid things )
11:13 < Gorkhaan> ?
11:13 < rawDawg> yes for the client
11:13 < rawDawg> the server is running on windows
11:13 < Gorkhaan> I see, okay.
11:13 < rawDawg> dazo helped me get openvpn working on dd-wrt last night :)
11:14 < Gorkhaan> nice. :D with ipkg-opt?
11:14 < rawDawg> no i used the vpn build of the firmware
11:14 < rawDawg> and just copied the config and certs to nvram
11:15 < Gorkhaan> yeah, okay. :) I was just curious.
11:15 < rawDawg> im a linux newb
11:15 < rawDawg> i got my first lesson
11:15 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has joined ##openvpn
11:15 < dazo> Gorkhaan: unfortunately .... the webui is not too good on the openvpn part .... very buggy ... so I helped to hack him around those issues
11:16 < rawDawg> :)
11:16 < Gorkhaan> dazo : yeah it was horrible to see. I have a PenDrive connected to my router, so I Could install it with ipkg-opt. :)
11:17 < cvance> I have a question about routing. I have an openvpn server whose ip is in the 192.168.1.0/24 subnet and the vpn pool is in the 192.168.3.0/24 subnet. The server gets 192.168.3.1 and a client gets 192.168.3.6. The route that gets added is to -net 192.168.3.0 with the gw being 192.168.3.5 should that gateway not be 192.168.3.1?
11:17 < Gorkhaan> rawDawg : I Do with Tux only since 7.04 ( I remember only the ubuntu release )
11:17 < Gorkhaan> :D
11:17 < cvance> The result being that the client cannot access any of the resources on the server's subnet
11:18 < dazo> cvance: sounds like an error in server config ....
11:18 < dazo> cvance: would you mind sharing configs?
11:18 < rawDawg> Tux?
11:18 < dazo> !configs
11:18 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:18 < cvance> let me go through and see if I can post the relevant line
11:19 < dazo> cvance: please, let's see the whole config ... sometimes, this behaviour might be normal and expected
11:19 < cvance> pastebinning one moment
11:20 < cvance> http://pastebin.com/m52f420d3
11:20 < dazo> cvance: I'm guessing it is right .... on your server, you'll have 192.168.3.1 and .2 .... and on the client side 192.168.3.5 and .6
11:20 < cvance> that is correct dazo
11:20 < cvance> however when i ping 192.168.3.5 from the client i get no response and the server has ip forwarding enabled
11:21 < dazo> cvance: You are using device tun .... which creates point-to-point connections .... this is correct behaviour
11:21 < cvance> well I am glad that I didn't mess that part up ;)
11:21 < cvance> but I did mess something up because the client cannot...
11:21 < cvance> wait
11:21 < cvance> hold on let me check the routing table
11:21 < cvance> :(
11:21 < dazo> cvance: that's where I was about to point you to
11:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:22 < cvance> yeah, I had a route pushed to the client but I commented it b/c it was not working at the time, I have since changed some options on the server and forgot to uncomment the line.
11:22 < dazo> cvance: !route is usually a good starting point for understanding the routing from an OpenVPN perspective
11:22 < dazo> !route
11:22 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:22 < cvance> Thank you dazo for giving me a hand with this
11:23 < cvance> let me read it
11:23 < dazo> cvance: no prob :) Glad to help :)
11:23 < cvance> I will read the article and incorporate the suggestions, if I still have problems I will come back
11:23 < cvance> thanks again
11:24 < dazo> cvance: you're welcome!
11:39 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
11:56 < rawDawg> dazo did you get a chance to look at my configs
11:56 < rawDawg> im still not sure why i cant ping the client end point from the server
12:06 < dazo> rawDawg: I'm sorry I haven't managed that .... and it's getting late for me right now, need to run from work .... there might be others here as well who can help you out .... now you're back on a pure OpenVPN issue, so this is the place :)
12:07 * dazo just completed several end-of-week tasks before heading home
12:09 < rawDawg> i appreciate all the help you have given
12:35 -!- Ypsy is now known as YpsyZNC
12:53 < Nirkus> hey! how am i supposed to copy my certs and configuration to c:\program files\OpenVPN\config on Vista? Vista places them in the VirtualStore which is "Local" to my user account.
13:03 < ecrist> with the copy command?
13:15 < Nirkus> copy on the command line is not affected by vistas virtual folders?
13:16 < ecrist> Nirkus: what makes you think *any* copy would be? the file exists, and you can copy it.
13:17 < Nirkus> ecrist: i get access denied
13:18 < ecrist> you need to be an admin
13:18 < Nirkus> ecrist: Vista uses "VirtualStore" which redirects write accesses within program files to a folder within c:\users\user\appdata\local\virtualstore\..
13:19 < ecrist> as an admin, you should still be able to copy files around
13:19 < Nirkus> my user account is of type "Administrator" - do i need to get additional privileges?
13:19 < ecrist> this isn't #windows, if you need Windows help, ask there.
13:20 -!- Irssi: ##openvpn: Total of 73 nicks [0 ops, 0 halfops, 0 voices, 73 normal]
13:21 < Nirkus> ecrist: no, this is OpenVPN and this piece of software requires me to copy files to c:\program files\OpenVPN\config\ - so my first clue was to ask in #openvpn
13:21 < Nirkus> since the website claims the beta version runs on vista?
13:21 < ecrist> sure, but your question is windows related.
13:22 < Nirkus> ecrist: maybe, but it should be at least mentioned in the README or FAQ of OpenVPN how to do this since the virtual store is default vista configuration?
13:22 < ecrist> I only have limited experience with vista. my guess would be most folks in here who don't just idle, use linux, *BSD, or Macs primarily.
13:22 < ecrist> Nirkus: possibly. I don't write those docs, or maintain them.
13:22 < ecrist> if you'd like, figure it out, and I'll create a doc for it.
13:22 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-3dcad2347912abe9] has joined ##openvpn
13:23 < ecrist> there are many docs we create and manage ourselves in here, and we'd be happy to add that data to our repo
13:23 < ecrist> !vista
13:23 < vpnHelper> ecrist: Error: "vista" is not a valid command.
13:23 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
13:23 < Nirkus> ecrist: im a linux debian/gentoo/ubuntu user, too.. but got my vista license for free - so i want to give it a try on the new pc ;)
13:23 < Nirkus> hehe
13:23 < Nirkus> ecrist: k, ill try to figure it out
13:24 < abel408> Is it possible to delay the time the router initiates the openvpn connection or try to reestablish the vpn connection after a few mins? My router doesn't display the correct date and time till a few minutes after it's been booted up. Since my openvpn connection tries to establish at startup it fails because the date is set to Jan 1999. Thanks!
13:24 < Nirkus> ecrist: my guess is, OpenVPN for Vista should provide some GUI to import the configuration files into that folder claiming the required authorization of vistas UAC
13:29 < krzee> lol
13:29 < krzee> guess is wrong
13:29 < ecrist> Nirkus: no, it's not an OpenVPN issue.
13:29 < ecrist> honestly, if you need a GUI to copy or move a file, you need more help than we can or are willing to provide.
13:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
13:29 < Gorkhaan> omg
13:30 < Nirkus> ecrist: careful. i suggested that tool because of Vistas security techniques, which prevent users from copying stuff to c:\program files\
13:31 < ecrist> Nirkus: there are *tons* of people who've come in here, using vista, and not had the issue for which you complain.
13:31 < Nirkus> interesting
13:31 < Nirkus> maybe they all disabled vistas UAC
13:32 < ecrist> *shrug*
13:32 < Nirkus> or im doing something wrong
13:32 < ecrist> don't know, don't really care.
13:32 < ecrist> please take your question to #windows
13:32 < Nirkus> ecrist: already did
13:32 < krzee> vista is the super squirrel crap
13:32 < Gorkhaan> what's wrong with Vista? :)
13:33 < krzee> where do i begin?
13:33 * Gorkhaan not protecting it.
13:33 < Gorkhaan> :D
13:33 < ecrist> s/s w/ not /
13:33 < ecrist> there, fixed that for you
13:33 < krzee> they changed their already lame gui to be worse, have to relearn their lameness
13:33 < krzee> for 1
13:34 < krzee> well i dont have to
13:34 < krzee> but some do
13:34 < abel408> anyone know how to delay the openvpn connection at startup? I keep having to drive all the way down to start openvpn myself
13:34 < Gorkhaan> abel408 : man at
13:34 < krzee> abel408, what os?
13:34 < Gorkhaan> or you are the Vista guy?
13:35 < Gorkhaan> or crontab + script
13:35 < abel408> I'm using openvpn on a small router WNR834b
13:35 < krzee> and when it starts on its own, whats the problem which requires it to be a delayed start?
13:36 < Gorkhaan> sleep 15; openvpn --config /where/the/config/is/openvpnserver.conf
13:36 < krzee> openvpn has some ways to delay internally depending on what your problem actually is
13:36 < krzee> but ya my first thought is what Gorkhaan said too
13:37 < abel408> Gorkhaan: Ahhhh... thats it. I kept trying a script like that and it wouldn't work. I forgot the --config option
13:37 < Gorkhaan> do u need a script abel408 I have one
13:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
13:37 < krzee> you only need --config if you have more than 1 arg
13:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:38 < Gorkhaan> krzee is right, but I'm used to it xD
13:39 < krzee> ;]
13:39 < abel408> well when I try "openvpn /where/the/config/is/openvpnserver.conf" it doesn't work. I have to actually cd to the directory and do "openvpn client.conf"
13:39 < krzee> but ya, theres a few ways to make ovpn wait internally too
13:39 < krzee> depending on what the real problem was
13:39 < ecrist> abel408: that's because your config file doesn't have full paths to the files it needs
13:39 < ecrist> you have relative paths.
13:39 < Gorkhaan> good point!
13:40 * ecrist slaps abel408 upside the head
13:40 < abel408> damnit, good call
13:40 < Gorkhaan> :D
13:42 < jeiworth> hi all! say what are the security implications if i set the SUID on a client's ovpn? i am trying to figure out a good way to be able to start it with my normal user account, but since ovpn is both client and server this enables a user to start ovpn as a server if he provides a server.conf file, right? are there any other (better) solutions for realizing this?
13:43 < ecrist> jeiworth: OpenVPN needs root for two purposes, first, to write to the network device and routing tables, two, to de-escalate its own privileges.
13:44 < ecrist> you *could* setup sudo for that user
13:44 < ecrist> which is what I would do
13:44 < jeiworth> ecrist: exactly, i also was thinking if it was a possible solution to create a static tap device in interfaces but it still has to set the ip and routes...
13:44 < ecrist> specify the specific command, not ALL
13:45 < ecrist> jeiworth: you can, with configuration, give write access to anyone for a given device (dialer group accomplishes this on some systems)
13:45 < ecrist> routing tables are what I'm not sure of.
13:45 < ecrist> setup sudo to accept no password, and alias the command for the user in their .profile/.cshrc/etc
13:46 < jeiworth> ecrist: hmmmmm interesting approach
13:47 < Gorkhaan> He can use another rc level, can't he?
13:47 -!- abel408 [i=42a2b66c@gateway/web/freenode/x-3dcad2347912abe9] has quit ["Page closed"]
13:48 * ecrist doesn't dabble in run-levels
13:48 < jeiworth> Gorkhaan: uhm how does that affect it when started manually? i thought rc is for the boot sequence?
13:49 < Gorkhaan> yes, sorry my bad, I thought you'd like to auto run it
13:49 < Gorkhaan> never mind
13:49 < ecrist> if he was auto-running it, it could be done as root
13:49 < Gorkhaan> what ecrist told you should work
13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using a windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
13:52 < ecrist> !learn vista as 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
13:52 < vpnHelper> ecrist: Joo got it.
13:52 < ecrist> !vista
13:52 < vpnHelper> ecrist: "vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
13:52 < jeiworth> ok, thanks guys, the idea with sudo enabled without password and just for ovpn looks like the thing i need. but here also, how do i prevent a user from starting ovpn as server? hmm probably allow sudo for the script that starts ovpn with client.conf and not ovpn itself..... :D
13:52 < ecrist> krzee: feel free to fix that if it's too gross for your liking.
13:52 < Nirkus> ecrist: maybe that hint could be included in the README of the OpenVPN 2.1 release readme and the FAQ?
13:52 < ecrist> jeiworth: like this
13:52 < Nirkus> ecrist: thx
13:53 < ecrist> in sudo config, set the command to literally be 'openvpn /path/to/config'
13:53 -!- garaden [n=garaden@64.206.83.177] has joined ##openvpn
13:53 < ecrist> set the path and config to be readable by all, writable by only root
13:53 < ecrist> then, the user must use that config, and cannot edit it.
13:54 < jeiworth> ecrist: aah ok, and then i alias openvpn or e.g. vpn to be openvpn /path/to/config?
13:55 < ecrist> no
13:55 < jeiworth> :(
13:55 < ecrist> you alias vpn or openvpn to 'sudo openvpn /path/to/config'
13:55 < ecrist> or another command
14:00 < jeiworth> aaaah yes of course, forgot the sudo :)
14:00 < jeiworth> ecrist: thanks! :D
14:01 < garaden> anyone up for some connection bizarreness?
14:01 < garaden> Everyone else on the team at work is able to vpn into the server using the same configuration...
14:01 < Gorkhaan> let's see what u've got
14:02 < garaden> http://fpaste.org/paste/19063
14:02 < garaden> http://fpaste.org/paste/19064
14:02 < garaden> Fedora 11, incidentally
14:03 < garaden> This was working yesterday, and I didn't make any changes
14:03 < garaden> Though I have been having connection issues
14:03 < garaden> This doesn't work even when I can ping and ssh the server
14:04 < Gorkhaan> UDPv4 link remote: [correct address]:1194
14:04 < jeiworth> This was working yesterday, and I didn't make any changes <-- haha heard that before ;oD (no offense intended)
14:04 < Gorkhaan> correct address ?
14:05 < garaden> lol jeiworth
14:05 * garaden shrugs
14:05 < garaden> I just cleaned the hostname out of paranoia
14:05 < garaden> no offense
14:05 < garaden> it's public anyway, suppose there's no harm
14:05 < garaden> I know it's the right one because I didn't modify the config file we were sent by email
14:06 < garaden> and everyone else was able to connect today
14:06 < garaden> hostname gtt.keywcorp.com
14:06 < garaden> ip (this may be internal) 172.16.1.240
14:08 < garaden> I was able to use this configuration yesterday
14:08 < ecrist> garaden: *something* changed.
14:09 < ecrist> if it worked yesterday, and doesn't today, something changed.
14:09 < ecrist> I'd suggest changing it back
14:09 < garaden> agreed, if I knew what it was
14:10 < garaden> I unpacked the zip again just to be certain
14:10 < ecrist> !logs
14:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:11 < garaden> lemme try verb 6 for client (I can't restart the server)
14:11 < garaden> is that simply "verb 6" in the configuration?
14:11 < ecrist> yes
14:14 < garaden> http://fpaste.org/paste/19070
14:15 -!- Utopiah [n=libre@rps7452.ovh.net] has joined ##openvpn
14:15 -!- Utopiah [n=libre@rps7452.ovh.net] has left ##openvpn []
14:33 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
14:34 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has quit [Remote closed the connection]
14:53 -!- garaden [n=garaden@64.206.83.177] has quit ["Leaving."]
14:55 -!- jeiworth [n=jeiworth@189.177.231.62] has quit [Read error: 110 (Connection timed out)]
15:08 < rawDawg> Warning: route gateway is not reachable on any active network adapters: 192.168.x.x
15:09 < rawDawg> what does that Warning mean?
15:10 < krzie> did you manually specify route-gateway?
15:11 < rawDawg> i did have push route-gateway on there
15:11 < krzie> if so, try not doing it
15:12 < rawDawg> took it off, and i dont get the warning
15:12 < rawDawg> ty
15:13 < krzie> np
15:38 -!- kc8pxy [n=gecko@65.100.249.52] has joined ##openvpn
15:39 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has left ##openvpn []
15:50 -!- bandinia [n=bandini@host92-105-dynamic.10-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:02 -!- kc8pxy_ [n=gecko@65.100.249.52] has joined ##openvpn
16:03 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit []
16:03 -!- kc8pxy [n=gecko@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
16:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Success]
16:36 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 110 (Connection timed out)]
16:44 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has joined ##openvpn
16:45 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has left ##openvpn ["Konversation terminated!"]
16:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:54 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer]
16:57 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
17:03 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
17:13 -!- kc8pxy [n=gecko@65.100.249.52] has joined ##openvpn
17:17 -!- kc8pxy_ [n=gecko@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
17:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
17:25 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer]
17:32 -!- kc8pxy_ [n=gecko@65.100.249.52] has joined ##openvpn
17:34 -!- dimedo [n=dimedo@88.198.50.133] has joined ##openvpn
17:34 -!- kc8pxy_ [n=gecko@65.100.249.52] has quit [Client Quit]
17:34 -!- kc8pxy [n=gecko@65.100.249.52] has quit [Read error: 60 (Operation timed out)]
17:44 < dimedo> hi, i try to push routes from my openvpn server to the client. the routes get registered on the client but i can't reach the hosts in there. but i can reach the server host through the vpn. any ideas?
17:44 < krzie> what are the routes to?
17:45 < krzie> the inet?
17:45 < krzie> or the server lan?
17:45 < dimedo> inet
17:45 < krzie> did you setup NAT on the server?
17:45 < dimedo> no
17:45 < dimedo> ip forwarding is active
17:46 < krzie> guess its time to setup your NAt then
17:46 < krzie> NAT
17:46 < krzie> !redirect
17:46 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:46 < krzie> to selectively do it, dont use --redirect-gateway but instead push the routes as you said, the rest remains true
17:47 < dimedo> i surely don't want all inet traffic to go through the vpn
17:47 < krzie> to selectively do it, dont use --redirect-gateway but instead push the
17:47 < krzie> routes as you said, the rest remains true
17:48 < krzie> so go setup your nat and watch it work =]
17:48 < krzie> !nat
17:48 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
17:50 < dimedo> krzie: can openvpn by itself setup a nat, or do i have to do that manually with iptables?
17:51 < krzie> !linnat
17:51 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:51 < krzie> its not openvpn's job
18:07 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
19:02 < |Mike|> tootttttttttttttttttttt :D
19:05 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
19:18 < krzie> sup mike
19:18 < krzie> im reading zf04, never saw it before
19:19 < |Mike|> url?
19:19 < krzie> http://www.milw0rm.com/papers/199
19:19 < vpnHelper> Title: [ezine] ZFO 4 (at www.milw0rm.com)
19:20 < |Mike|> milcrap
19:20 < krzie> *shrug* thats where its at
19:20 < |Mike|> another anti-sec lecture ?
19:21 < krzie> nah
19:21 < krzie> other groups
19:24 < |Mike|> i see mad editing
19:26 < |Mike|> they have never heard about ssh keys :P
19:28 < krzie> that name clorox is familiar
19:28 < krzie> was he in... fuck i cant remember the name
19:28 < krzie> rolex was the leader
19:28 < krzie> from the days when they and madcrew ran the biggest efnet chans
19:28 < krzie> like mid 90's
19:29 < |Mike|> cat g00ns-forum.net.log | grep 403
19:29 < |Mike|> like grep 403 g00ns* wouldn't apply :)
19:29 < krzie> hehe ya thats pretty commonly done
19:29 < krzie> hell i did it that way many yrs ago
19:30 < |Mike|> halfdead used the nick rolex on efnet for a while
19:30 < krzie> im talkin bout the original rolex
19:30 < |Mike|> host ?
19:30 < krzie> im talkin bout the mid 90's, i sure dont remember a host
19:31 < krzie> http://www.efnet.org/oldforum/cgi-bin/YaBB.pl?board=general&action=display&num=999812042
19:31 < vpnHelper> Title: remember rolex? (at www.efnet.org)
19:31 < |Mike|> cp rosec.tar.gz /home/admin/domains
19:31 < |Mike|> fail fail fail.
19:33 < krzie> damn now i wanna know that group name
19:34 < |Mike|> rosec used to be active around 2002 / 2004
19:35 < krzie> conflict
19:35 < krzie> thats the name
19:36 < |Mike|> i wonder which group released that fan-by article
19:37 < krzie> fan-by?
19:37 < krzie> what article?
19:37 < |Mike|> fan-boy
19:38 < krzie> what, zf0 4?
19:41 < |Mike|> it's another ridiculous article
19:41 < |Mike|> imho.
19:43 < |Mike|> anyway, /me &
19:43 * |Mike| &
19:43 < krzie> werd
19:43 < |Mike|> it's 02:52 :P
19:44 < krzie> shit i was up til 7:30am last night
19:44 < |Mike|> lol
19:44 < |Mike|> g'nite mr krzie :)
19:44 < |Mike|> see you at HAR !
19:45 < krzie> hells yes 20:09 -!- YpsyZNC is now known as Ypsy 20:37 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn 20:37 < tjz> konnichiwa 20:43 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:46 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 20:55 -!- master_of_master [i=master_o@p549D6E79.dip.t-dialin.net] has joined ##openvpn 21:07 -!- master_o1_master [n=master_o@84.157.59.225] has quit [Read error: 110 (Connection timed out)] 21:08 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn 21:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 21:16 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 21:16 < Douglas> krzee 21:16 < Douglas> krzie 21:17 < Douglas> whichever one you are at 21:22 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 21:35 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit ["This computer has gone to sleep"] 22:03 -!- Ypsy is now known as YpsyZNC 23:04 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:08 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn 23:13 -!- frewsxcv [n=frewsxcv@adsl-75-35-72-195.dsl.pltn13.sbcglobal.net] has joined ##openvpn 23:15 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 23:15 < frewsxcv> i'm connected to a remote server via networkmanager (ubuntu) using openvpn...and it works and is great. how is this different than setting up a proxy? 
23:56 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has quit ["Leaving"] --- Day changed Sat Jul 18 2009 00:11 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:30 -!- kreg [n=kreg@208-98-186-225.directcom.com] has joined ##openvpn 00:31 -!- kreg [n=kreg@208-98-186-225.directcom.com] has quit [Read error: 104 (Connection reset by peer)] 00:31 -!- kreg [n=kreg@208-98-186-225.directcom.com] has joined ##openvpn 01:24 -!- frewsxcv [n=frewsxcv@adsl-75-35-72-195.dsl.pltn13.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 03:52 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 04:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 04:19 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn 04:21 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:31 -!- debayan [n=debayan@support.deeproot.co.in] has joined ##openvpn 04:32 -!- debayan [n=debayan@support.deeproot.co.in] has quit [Client Quit] 04:37 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has joined ##openvpn 04:37 < Qantouri1c> Can i disable ICMP port detection for UDP ? 04:37 < Gorkhaan> iptables 04:38 < Qantouri1c> what i mean 04:38 < Qantouri1c> the client is trying to connect 04:38 < Qantouri1c> but all it does is sent ICMP 04:38 < Qantouri1c> iptables responds: get lost 04:38 < Qantouri1c> and client stops trying 04:39 < Gorkhaan> I Think client is pinging through the TUN 04:40 < Qantouri1c> nea 04:40 < Gorkhaan> ? 04:40 < Qantouri1c> 11:39:59.606749 IP 84.196.157.145 > xxx.xxx.xxx.xxx: ICMP xxx.xxx.xxx.xxx udp port 5000 unreachable, length 50 <= 04:40 < Qantouri1c> is not a ping 04:42 < Gorkhaan> it seems it's rejected 04:42 < Qantouri1c> hmmm odd 04:42 < Qantouri1c> indeed 04:42 < Qantouri1c> it's replying to pings .. 
04:42 < Qantouri1c> wtf 04:44 < Gorkhaan> :S 04:44 < Qantouri1c> ok now it's not replying as it should :D 04:44 < Qantouri1c> grrr 04:44 < Qantouri1c> what, it's still answering ? 04:45 < Gorkhaan> why is it checking port 5000 ? 04:46 < Qantouri1c> i don't know 04:46 < Qantouri1c> ask openvpn ? 04:46 < Qantouri1c> what i'm even more concerned about 04:46 < Qantouri1c> why is my computer responding to the ICMP requests? 04:48 < Gorkhaan> why dont you Reject 'em ?:D 04:48 < Qantouri1c> yes i don't know why i'm not 04:48 < Qantouri1c> could you ping me ? 04:48 < Qantouri1c> and see if i reply ? 04:48 < Gorkhaan> 84.196.157.145 this? 04:48 < Qantouri1c> yes 04:49 < Gorkhaan> nothing happened yet 04:49 < Qantouri1c> so why is it replying on 04:49 < Qantouri1c> 11:44:25.186628 IP 84.196.157.145 > 91.180.59.69: ICMP 84.196.157.145 udp port 5000 unreachable, length 50 04:50 < Qantouri1c> 11:44:27.573685 IP 91.180.59.69.2378 > 84.196.157.145.5000: UDP, length 14 04:50 < Qantouri1c> confusing 04:50 < Gorkhaan> I didnt get a reply. :) 04:50 < Qantouri1c> i know 04:52 < Qantouri1c> ah right 04:52 < Qantouri1c> because 5000 is accepted ! 04:53 < Qantouri1c> there we go 04:53 < Qantouri1c> proto udp had to be on on the server 04:54 < Gorkhaan> iptables -A INPUT -p ICMP -j REJECT 04:54 < Gorkhaan> should reject everything 04:56 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:57 < Qantouri1c> Gorkhaan: wrong apparently as just proven by this case :D 04:57 < Qantouri1c> btw can openvpn both use TCP and UDP at the same time ?
04:57 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Success] 04:57 < Gorkhaan> with 2 servers can be 04:57 < Gorkhaan> 1 tcp, 2 udp 04:58 < Gorkhaan> on the same port from rc18 as I remember 04:58 < Gorkhaan> check the change log 04:58 < Qantouri1c> hmmm i see 04:58 < Qantouri1c> thanks 04:58 < Qantouri1c> so i can if i REALLY want :) 04:58 < Qantouri1c> ok now to shape the traffic 04:59 < Qantouri1c> otherwise the road warriors are going to kill our upload :D 05:02 < Gorkhaan> :D 05:03 < Gorkhaan> " --shaper " 05:04 < Qantouri1c> PS do you know a good website to test upload speed ? 05:04 < Gorkhaan> speedtest.net 05:04 < Gorkhaan> Flash site 05:05 < Qantouri1c> and is it correct ? 05:05 < Qantouri1c> cause i need to know my upload speed accurately :D 05:05 < Gorkhaan> u can choose closest servers 05:05 < Gorkhaan> Yes I think 05:05 < Qantouri1c> if it doesn't get me to my max ... 05:05 < Qantouri1c> then my bandwidth limit is costing me upload speed :) 05:05 < Qantouri1c> as you always need to put the QOS lower or equal to the output speed 05:06 < Gorkhaan> aha. :) TC is hard to read. :o 05:12 < Qantouri1c> hehe 05:19 < Qantouri1c> Gorkhaan: speedtest is not accurate ! 05:19 < Gorkhaan> how fast is your connection? :D 05:20 < Qantouri1c> i recomment 0.12MB/s 05:20 < Qantouri1c> which is WRONG 05:20 < Qantouri1c> Max: 1.71 MBit/s 05:20 < Qantouri1c> according to the box itself ! 05:20 < Qantouri1c> so i've been crippling my network for 50% ! :/ 05:21 < Gorkhaan> Here are some Dummy files: http://ftp.fsn.hu/testfiles/ 05:21 < vpnHelper> Title: Index of /testfiles/ (at ftp.fsn.hu) 05:21 < Gorkhaan> For download testing 05:21 < Gorkhaan> but it's hungarian. so I donno :D 05:21 < Qantouri1c> need upload test :) 05:21 < Qantouri1c> wait 05:21 < Qantouri1c> i can just cram random info to my remote server :) 05:23 < Gorkhaan> :D 05:23 < Qantouri1c> nope doesn't even get near max :D 05:23 < Gorkhaan> :S 05:24 < Qantouri1c> 153.0KiloByte/s 05:24 < Qantouri1c> odd 05:24 < Qantouri1c> starting to not trust the meter :/ 05:25 < Qantouri1c> 1.73MBit the meter claims 05:25 < Qantouri1c> (meter is nload) 05:25 < Gorkhaan> well, I donno. :s 05:25 < Gorkhaan> I've got 512/128 Kbit/s internet at home :( 05:25 < Gorkhaan> Down/up 05:25 < Qantouri1c> :) 05:27 < Qantouri1c> ok so i got 1.5 mbit 05:28 < Gorkhaan> :D 05:28 < Qantouri1c> and they advertise 05:28 < Qantouri1c> 1.25 mbit 05:28 < Qantouri1c> hey nice :) 05:28 < Qantouri1c> i'll take 1.25 mbit just in case :) 05:30 -!- stephenh [i=stephenh@69.30.200.88] has quit [Remote closed the connection] 05:30 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 06:02 < Spockz> hmm, 100/100 mbit here :) 06:02 < Spockz> where are you guys from? 06:07 < Bushmills> sol 3, milky way. 06:10 < Qantouri1c> Spockz: from expensive ISP Belgium 06:18 < Spockz> Qantouri1c: aha, that explains :) 06:20 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn 06:53 -!- sigius [n=sigius@93.125.185.45] has quit [Read error: 104 (Connection reset by peer)] 06:55 < Qantouri1c> hmmm i just discovered that we might be burning 750€ each year on electricity 06:58 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 07:03 -!- bctrainers [i=bc@unaffiliated/bctrainers] has joined ##openvpn 07:06 -!- anwoke8204 [n=anwoke82@65.100.249.52] has joined ##openvpn 07:07 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has quit ["bbl"] 07:10 < anwoke8204> hi all have a question really quick 07:14 < anwoke8204> why when I connect to my OpenVPN server can I ping the server, but I can't get online, can't ping any other computers on the same network, or ping the default gateway.
07:14 < anwoke8204> but once I disconnect from openvpn I can ping just fine 07:17 < Bushmills> anwoke8204, client routing 07:18 < anwoke8204> how would I resolve that issue 07:18 < Bushmills> probably configured redirect-gateway, and server not set up for NAT 07:18 < anwoke8204> sorry I am new to linux, my friend started configuring the server, but then had to take off 07:18 < anwoke8204> so I am attempting to pick up where he left off 07:18 < Bushmills> either drop redirect-gateway, or set up NAT on server 07:19 < Bushmills> http://scarydevilmonastery.net/masq for NAT 07:20 < anwoke8204> ok, how do I drop the redirect-gateway? 07:24 < anwoke8204> i've found how to drop it if I am running the server on windows xp, but I am not, it is running on debian 07:55 -!- epaphus [n=unix3@201.199.62.74] has quit [Success] 08:02 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:02 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 08:02 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn 08:03 -!- sigius [n=sigius@93.125.185.45] has quit [Connection reset by peer] 08:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:05 < Qantouri1c> anwoke8204: first, what method are you using ? second, iirc there was a config option: disable remote gateway settings 08:05 < Qantouri1c> iirc 08:05 < Qantouri1c> not sure 08:18 -!- jdchrist_ [n=davidc@99.128.202.138] has joined ##openvpn 08:27 -!- j_dchrist [n=davidc@99.128.202.138] has joined ##openvpn 08:32 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 08:33 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)] 08:40 -!- jdchrist_ [n=davidc@99.128.202.138] has quit [Read error: 113 (No route to host)] 08:47 -!- jd_christ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 08:48 -!- jd_christ is now known as jdchrist 08:52 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 08:59 -!- j_dchrist [n=davidc@99.128.202.138] has quit [Read error: 113 (No route to host)] 09:04 -!- YpsyZNC is now known as Ypsy 09:05 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 09:07 -!- j_dchrist [n=davidc@99.128.202.138] has joined ##openvpn 09:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 09:12 -!- Micxs [n=blues@p548AC562.dip.t-dialin.net] has joined ##openvpn 09:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 09:17 -!- jd_christ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 09:17 < |Mike|> Morning. 09:18 < Gorkhaan> Afternoon!
:D 09:19 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 09:22 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 09:27 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 09:29 -!- j_dchrist [n=davidc@99.128.202.138] has quit [Read error: 113 (No route to host)] 09:35 -!- jd_christ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [No route to host] 09:39 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 09:47 -!- j_dchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 09:51 -!- Micxs [n=blues@p548AC562.dip.t-dialin.net] has quit ["Ciao"] 09:55 -!- Micxs [n=Micxs@84.138.197.98] has joined ##openvpn 09:59 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 10:03 -!- j_dchrist is now known as jdchrist 10:16 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn 10:17 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 10:24 < dimedo> hi, is it possible to get tcp and udp listeners in one single openvpn server process? 
10:27 -!- j_dchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 10:28 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 10:30 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 10:30 < Qantouri1c> dimedo: i asked the same question today, the answer then was run 2 servers 10:39 -!- jd_christ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 10:41 -!- jd_christ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Remote closed the connection] 10:53 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"] 10:54 -!- j_dchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 113 (No route to host)] 10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 10:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 10:58 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 11:16 -!- Douglas [i=doug@64.18.144.2] has joined ##openvpn 11:16 < Douglas> !configs 11:16 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:16 < Douglas> !logs 11:16 < vpnHelper> Douglas: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:24 -!- kreg [n=kreg@208-98-186-225.directcom.com] has quit [Remote closed the connection] 11:37 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 13:01 -!- c64zottel [n=hans@p5B17A2AF.dip0.t-ipconnect.de] has joined ##openvpn 13:13 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 13:18 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has joined ##openvpn 13:42 -!- Ypsy is now known as YpsyZNC 14:17 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 14:19 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 14:29 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 14:49 < ecrist> mother fuckers 14:50 < Douglas> what the hell 14:50 < Douglas> what? 14:53 < rawDawg> dazo are you around? 14:58 < ecrist> Douglas: when you going to start doing stuff to ovpnforum.com/ 14:58 < ecrist> ? 14:58 < Douglas> ecrist: like? 14:58 -!- c64zottel [n=hans@p5B17A2AF.dip0.t-ipconnect.de] has left ##openvpn [] 14:58 * Douglas has been reading it nearly every day 14:58 < Douglas> well, checking it 14:58 < ecrist> graphics, some ranks 14:58 < ecrist> ah, but you've not been moderating 14:58 < Douglas> what's there to moderate? 14:58 < ecrist> forum is moderated for all users with less than 2 posts 14:58 < Douglas> i haven't seen anything 14:58 < Douglas> oh 14:58 * Douglas didn't notice that 14:58 * Douglas will have to sort it 14:58 < Douglas> I tried giving the user Douglas admincp access, and forum editing access 14:59 < Douglas> still havent figured it out 14:59 < ecrist> you need to click on [Moderater Control Panel] link 14:59 < Douglas> let me log in 14:59 < Douglas> ecrist: if you want to call my bluff btw 14:59 < Douglas> check access from ips 67.80.62.212 14:59 < Douglas> gah whats the office ip 14:59 < Douglas> here 15:00 < Douglas> 160.79.78.34 15:00 < Douglas> :. 
15:00 < Douglas> :>* 15:00 < Douglas> ecrist: 15:00 < Douglas> [ Administration Control Panel ] 15:00 < Douglas> thats all i see 15:00 < Douglas> . 15:01 < ecrist> ecrist@kenny:~-> grep '67.80.62.212' /var/log/ovpnforum.com-access.log | grep index.php | wc -l 817 15:01 < ecrist> 817 times since Nov 20, 2008 15:01 < Douglas> yeah 15:01 < Douglas> i meant lately 15:01 * Douglas has been going there nearly daily 15:01 < ecrist> 477 since Jan 1st 15:02 < Douglas> and how about in the last 3-4 weeks 15:02 < Douglas> ah ha 15:02 < Douglas> i fixed it 15:02 < Douglas> wonderful 15:04 < ecrist> 139 times you've accessed index.php since Jun 1st 15:05 < ecrist> ecrist@kenny:~-> grep '67.80.62.212' /var/log/ovpnforum.com-access.log | grep index.php | grep '[Jul|Jun]/2009:' | wc -l 139 15:05 < Douglas> see 15:05 < Douglas> ive been looking more 15:05 < Douglas> . 15:05 < ecrist> ecrist@kenny:~-> grep '173.8.118.221' /var/log/ovpnforum.com-access.log | grep index.php | grep '[Jul|Jun]/2009:' | wc -l 280 15:05 < ecrist> :P 15:05 * Douglas snaps fingers 15:05 < Douglas> . 15:06 < Douglas> well, i expected to see you there more 15:06 < Douglas> god knows im nowhere near as good as the ecrist 15:06 < ecrist> lol 15:06 < Douglas> hes a few levels above me 15:07 < Douglas> imho ecrist the forum looks fine now 15:07 < Douglas> 15:07 < Douglas> Total posts 106 | Total topics 125 | Total members 234 | Our newest member Cobeuntolonse 15:07 < Douglas> i wonder how many of them are spam bots 15:07 < ecrist> 99.9% of them. 15:07 < Douglas> lol 15:08 < ecrist> check out the ban list. 15:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 15:08 * Douglas afraid 15:08 < ecrist> I should build a query to clear them out. 
15:08 < Douglas> for anyone lurking here reading 15:08 < Douglas> !forum 15:08 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 15:09 < Douglas> ecrist, does it email when there are posts pending approval 15:09 < Douglas> email the mods, i mean 15:09 < ecrist> don't know 15:09 < Douglas> can it? 15:09 * Douglas wouldn't mind 15:09 < ecrist> I put a false email in for me so I don't get bothered 15:09 < ecrist> check out the config 15:09 < ecrist> I"m sure it can. 15:09 * Douglas goes to search 15:09 < ecrist> wouldn't be that hard to write a mysql query and a crontab to do so, either way. 15:10 < Douglas> fair enough 15:10 < Douglas> ecrist 15:10 < Douglas> Your config file (config.php) is currently world-writable. We strongly encourage you to change the permissions to 640 or at least to 644 (for example: chmod 640 config.php). 15:10 < ecrist> everyone in this channel should join my Mafia Wars family on FB 15:10 < ecrist> o.O 15:10 < ecrist> where do you see that? 15:10 < Douglas> /adm/index.php 15:10 * ecrist fixes 15:10 < Douglas> ecrist++ 15:11 < Douglas> i don't see an option to email under "Post Settings" fwiw 15:12 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has joined ##openvpn 15:16 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 15:16 < ecrist> iirc, you have shell access, write a mysql query and crontab it 15:18 < Douglas> i don't have, you took it back, and i don't know sql at all 15:20 < cvance> I am having a little trouble with my routing setup and I have sneaky suspicion it is because my openvpn server is not forwarding IP packets correctly. How would I check to make sure that IP forwarding is working properly. Is there a kernel entry? I did echo 1 into the ip_forward in /proc... 
15:21 < ecrist> gimme a sec, dougy 15:21 < cvance> !route 15:21 < vpnHelper> cvance: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:21 < cvance> ~redirect 15:21 < Douglas> ecrist, you got it sir 15:21 < cvance> !redirect 15:21 < vpnHelper> cvance: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 15:21 < cvance> !ipforward 15:21 < vpnHelper> cvance: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 15:21 < cvance> !linipforward 15:21 < vpnHelper> cvance: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 15:21 < cvance> !nat 15:21 < vpnHelper> cvance: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 15:22 < cvance> !linnat 15:22 < vpnHelper> cvance: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 15:22 < cvance> hooray for bot, I'll be back 15:24 < ecrist> Douglas: register a new account, and submit a test post, please 15:24 < ecrist> I think I've got a query 15:25 * Douglas commadeers a spammers accnt 15:27 < cvance> :) 15:27 < Douglas> will do in 5 ecrist in mi dof something 15:27 
-!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 15:27 < cvance> It didn't work because I did not have NAT enabled :( I feel silly 15:28 < ecrist> Douglas: did you post about rimnton slive 22 rifle? 15:29 < Douglas> no 15:29 < ecrist> someone just did 15:29 < ecrist> the query sorta works 15:29 < Douglas> lool 15:29 < Douglas> that new user 15:29 < Douglas> Cobeuntolonse 15:32 < ecrist> select post_id, post_username, post_subject from dougy_forum.phpbb_posts WHERE post_approved != 1; 15:32 < ecrist> there's your query 15:33 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has left ##openvpn [] 15:33 < Douglas> nice 15:33 < Douglas> i dont know what to do with it 15:33 < Douglas> lmao 15:34 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 15:35 < ecrist> I'll work on it. 15:36 < Douglas> thank you, sir 15:36 < Douglas> :) 15:40 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Read error: 110 (Connection timed out)] 15:43 < ecrist> i'll jjust sendit you 15:43 < Douglas> what 15:43 < Douglas> . 15:44 < ecrist> email, daily unapproved posts 15:44 < Douglas> ahh 15:44 < Douglas> yy 15:44 < Douglas> yay 15:51 < ecrist> you should get an email in a minute, please check. 15:51 < ecrist> probably have it by now. 15:51 < ecrist> ... 15:52 < Douglas> yeah 15:52 < Douglas> i got it 15:52 < ecrist> someone's using google apps for their domain... 15:52 < Douglas> sorry on phone 15:52 < Douglas> yeah 15:52 < Douglas> i am indeed 15:52 < Douglas> why 15:52 < ecrist> just noticed. 15:52 < ecrist> meet your criteria? 15:53 < Douglas> aside from the /notice i sent you 15:53 < Douglas> yessir 15:53 < Douglas> that ill do 15:53 -!- kyrix [n=ashley@91-115-181-103.adsl.highway.telekom.at] has joined ##openvpn 15:54 < ecrist> sent another in about 4 seconds 15:54 < ecrist> and now reset to run 00 00 * * * 15:55 < Douglas> mail: You must specify direct recipients with -s, -c, or -b. 
15:55 < ecrist> doh 15:56 < ecrist> again in 34 seconds 15:59 < Douglas> ecrist: voila 16:00 < ecrist> ok, now I reset the run time 16:21 -!- kyrix [n=ashley@91-115-181-103.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 16:34 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 16:37 -!- kyrix [n=ashley@91-115-181-103.adsl.highway.telekom.at] has joined ##openvpn 17:08 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has quit ["Ex-Chat"] 17:44 -!- kyrix [n=ashley@91-115-181-103.adsl.highway.telekom.at] has quit [Remote closed the connection] 17:53 -!- Micxs [n=Micxs@84.138.197.98] has left ##openvpn ["...."] 18:24 -!- frewsxcv [n=farwell@yellow.feralhosting.com] has joined ##openvpn 18:24 < frewsxcv> how is openvpn different than a proxy? 18:25 < Bushmills> like a wire is different from a machine 18:36 < frewsxcv> Bushmills, explain.... 18:37 < Bushmills> a proxy is or runs on a computer. a cable connects two computers. 18:42 < krzie> openvpn CAN be used like a proxy, but thats not its main function 18:43 < krzie> its main function is to securely connect to computers (and optionally networks) over an insecure network (like the internet) 18:43 < krzie> aka, a VPN 18:44 < frewsxcv> krzie, Bushmills: I understand. I'm connected right now to an OpenVPN server, and whenever I browse the web, it acts like a proxy... 18:44 < krzie> it CAN be used that way 18:44 < krzie> but thats not what it was made for specifically 18:44 < krzie> in fact setup outside openvpn is required to do that 18:45 < frewsxcv> krzie, so all my traffic is rerouted to my OpenVPN server? Why does it do that? 18:46 < frewsxcv> How is hamachi different than openvpn?
18:46 < krzie> it does that because they used: 18:46 < krzie> !redirect 18:46 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 18:46 < krzie> its different in many ways, try learning about both for your answer 18:46 < krzie> i dont use and dont plan on using hamachi 18:47 < krzie> nor do i care to learn much about it 18:48 < frewsxcv> krzie, so if you were to connect onto my openvpn server, would we be in a LAN? 18:48 < krzie> in a manner of speaking, yes 18:49 < krzie> however, it would only be layer3 traffic if in a tun vpn 18:49 < krzie> if tap it would be layer2 just like a normal lan 18:49 < frewsxcv> krzie: tap vs. tun? 18:51 < Bushmills> !factoid search tap 18:51 < vpnHelper> Bushmills: Error: "factoid" is not a valid command. 18:51 < Bushmills> no? 18:51 < frewsxcv> !tap 18:51 < vpnHelper> frewsxcv: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, 18:51 < vpnHelper> frewsxcv: anything where the protocol uses MAC addresses instead of IP addresses. 18:51 < krzie> !tunortap 18:51 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 18:51 < krzie> its factoids 18:51 < krzie> with s 18:51 < Bushmills> ah 18:52 < Bushmills> pluralitism 18:52 < krzie> ;] 18:52 < frewsxcv> what is layer2 or layer3? 
18:53 < krzie> it explains it in that same factoid 18:53 * Bushmills prefers tapping a tune over tuning a tap 18:55 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Read error: 113 (No route to host)] 19:14 < krzie> from the OSI model, layer2 would connect via mac address, layer3 would connect via IP address 19:15 < krzie> so ethernet traffic is layer2, IP traffic (tcp,udp) is layer3 20:10 < Douglas> hi 20:10 < Douglas> . 20:32 -!- c-monkey [n=c-monkey@unaffiliated/c-monkey] has joined ##openvpn 20:32 < c-monkey> anyone around familiar with how /dev/net/tun works ? ( the tun/tap driver on linux ) ... im having problems without answers, and thought someone in here might know 20:34 < krzie> not i, but the source is open 20:35 < c-monkey> krzie, yeah ... im no expert on udev / kernel device driver code 20:36 < krzie> nor am i 20:37 < krzie> especially since im a fbsd user as opposed to linux 20:37 < krzie> but either way im sure understanding that code is beyond my skill level 20:38 < krzie> are you trying to understand it to code something that uses it? 20:38 < krzie> if so, openvpn code is very commented and clean, maybe you can find your problem from seeing how ovpn interacts with it 20:44 < c-monkey> i think i may have just gotten an answer from the ##kernel channel 20:45 < c-monkey> it seems at some point, the behavior of the /dev/net/tun linux driver changed ... and no one bothered to change the docs 20:45 < krzie> ahh good idea of where to ask 20:59 < c-monkey> well thanks krzie for your suggestions ... i may look at openvpn at some point soon ... atm .. im trying to get a custom local lan only 'extremely insecure' protocol stack working ... its kind of the opposite of openvpn ;) 20:59 < krzie> hehe werd 21:00 < c-monkey> or maybe ... "really open vpn" ;) 21:00 < krzie> bazzaro-openvpn 21:00 < c-monkey> its essentially a peer to peer, raw ethernet, load balanced thing ... for maximum throughput over multiple nics 21:01 < c-monkey> thanks again 21:01 -!- c-monkey [n=c-monkey@unaffiliated/c-monkey] has left ##openvpn ["Leaving"] 21:07 -!- master_of_master [i=master_o@p549D6E79.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:10 -!- master_of_master [i=master_o@p549D5438.dip.t-dialin.net] has joined ##openvpn 21:30 < frewsxcv> what would be real world examples of layer 2,3,and4 of the OSI model 21:55 -!- farwell_ [n=farwell@yellow.feralhosting.com] has joined ##openvpn 21:56 -!- frewsxcv [n=farwell@yellow.feralhosting.com] has quit [Read error: 104 (Connection reset by peer)] 22:03 -!- farwell_ is now known as frewsxcv 22:06 < ecrist> asdfasfasga 22:06 -!- frewsxcv [n=farwell@yellow.feralhosting.com] has quit ["Leaving"] 22:24 -!- frewsxcv [n=farwell@adsl-75-18-161-211.dsl.pltn13.sbcglobal.net] has joined ##openvpn 23:12 -!- frewsxcv [n=farwell@adsl-75-18-161-211.dsl.pltn13.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 23:12 -!- frewsxcv [n=farwell@yellow.feralhosting.com] has joined ##openvpn 23:14 < frewsxcv> are OSI layers relevant to packets? 23:18 < anwoke8204> I was wondering if someone could give me a hand with openvpn 23:18 < anwoke8204> my friend started setting it up, but then had to leave, so I would like to try to pick up where he left off and finish setting it up 23:19 < anwoke8204> we can connect to the server but we can't ping or connect to any of the computers on the network, just the vpn server 23:20 < anwoke8204> !howto 23:20 < vpnHelper> anwoke8204: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 23:50 < frewsxcv> does OpenVPN reroute only http traffic? or all internet traffic?
23:52 < anwoke8204> not sure how he set it up, when we connect we can ping the server but can't ping anything else or get online 23:52 < anwoke8204> I believe it reroutes all traffic 23:53 < anwoke8204> as when connected, I can't ping local ip's of where I am connected to locally, just ip's in the vpn 23:53 < anwoke8204> but only ip we can ping in the vpn is the debian server running openvpn 23:53 < frewsxcv> anwoke8204, which os are you running? 23:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:54 < anwoke8204> the clients are running windows vista ultimate or windows xp 23:54 < anwoke8204> but the server is debian 23:54 < anwoke8204> I have checked all of the ports in the router, and as far as I can tell the configs look fine 23:54 < anwoke8204> but I am new to this, so I wouldn't know, lol 23:55 < frewsxcv> anwoke8204, whenever i connect to a remote openVPN server, i can never access my router's web interface 23:55 < frewsxcv> i don't know if you are able to, i am new as well 23:55 < anwoke8204> let me try 23:56 < rawDawg> anyway to suppress the popup notification of the windows openvpn gui when connecting? 23:56 < anwoke8204> nope, but I can ssh into the serer 23:56 < frewsxcv> nevermind anwoke8204, yes i am 23:56 < frewsxcv> anwoke8204, i can access the router 23:56 < anwoke8204> server 23:56 < frewsxcv> rawDawg, for windows? 23:56 < anwoke8204> I can't access the router as right now even though I am connected to the remote vpn server I can't ping the router 23:56 < rawDawg> yes 23:57 < anwoke8204> just the debian server 23:58 < anwoke8204> the only way I can ssh into the server is through the vpn, I can't ssh in using the local address when I am on the local network 23:59 < anwoke8204> it was suggested that I turn off redirect gateway, but it looks like it was already commented out with a ; --- Day changed Sun Jul 19 2009 00:00 < frewsxcv> does an openvpn server require any firewall ports to be open? 
00:01 < anwoke8204> yes, 1194 00:01 < anwoke8204> and it is already forwarded in the routers firewall 00:02 < frewsxcv> anwoke8204, so if i have bittorrent on my home machine using port 12345 going through a remote openvpn server, does the bittorrent data get routed through 1194? 00:03 < anwoke8204> i believe so, port 1194 would have to be open on the remote servers firewall (unless they changed the default port) 00:05 < anwoke8204> its as if the bridge on the debian box isn't working, but I am not sure how to fix it 00:09 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 00:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)] 01:00 -!- ^scott^ [n=scott@stthom.org] has quit [Read error: 110 (Connection timed out)] 01:27 -!- frewsxcv [n=farwell@yellow.feralhosting.com] has quit [Remote closed the connection] 01:31 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 01:32 < rawDawg> i figured out how to disable balloon popups if anyone was interested 01:33 < anwoke8204> still trying to get my server to work 01:43 < anwoke8204> thought I had it, but apparently not, will try again after I get some sleep 01:46 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)] 01:46 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 02:01 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: l2trace99 02:01 -!- Netsplit over, joins: l2trace99 02:05 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:09 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:12 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:12 -!- l2trace99 [n=jr@71.43.104.238] has joined ##openvpn
02:16 -!- l2trace99 [n=jr@71.43.104.238] has quit [Read error: 54 (Connection reset by peer)] 02:17 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:21 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:21 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:25 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:25 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:29 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:30 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:34 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:34 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:38 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Remote closed the connection] 02:38 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:44 -!- bctrainers [i=bc@unaffiliated/bctrainers] has left ##openvpn [] 02:55 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Success] 02:55 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 02:57 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn 02:59 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 03:04 < rawDawg> !man 03:04 < vpnHelper> rawDawg: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:04 < rawDawg> site is down :S 03:05 < Spockz> hmm 03:06 < Spockz> didn't they go commercial? :P 03:11 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn 03:11 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Read error: 110 (Connection timed out)] 03:11 < loulouloulou> hi all is there a script that would allow to easily create a thousand client certificates ?
03:11 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has joined ##openvpn 03:12 < reiffert> !ssl-admin 03:12 < vpnHelper> reiffert: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 03:23 < Spockz> a gui for that would be handy :) 03:26 < reiffert> !openvpnvwebgui 03:26 < vpnHelper> reiffert: Error: "openvpnvwebgui" is not a valid command. 03:26 < reiffert> Spockz: there is a new "GUI" available on openvpn.net, requires purchasing. 03:29 < Spockz> reiffert: okay, I'll look into it when they are back online :P 03:31 < reiffert> "Access Server" IIRC 03:31 < Spockz> hmm, does the easy-keys 'program' also generate the tls key? 03:32 < Spockz> hmm, that name brings up bad memories 03:40 -!- |ns|nR8 [n=doof@CPE-124-180-114-216.vic.bigpond.net.au] has joined ##openvpn 04:05 -!- c64zottel [n=hans@p5B17BA97.dip0.t-ipconnect.de] has joined ##openvpn 04:23 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has joined ##openvpn 04:26 -!- c64zottel [n=hans@p5B17BA97.dip0.t-ipconnect.de] has left ##openvpn [] 04:28 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)] 04:30 < rawDawg> !route 04:30 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:50 -!- onats_ [n=onats@unaffiliated/onats] has quit [Remote closed the connection] 05:12 < rawDawg> !/30 05:12 < vpnHelper> rawDawg: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:12 < rawDawg> !topology
05:12 < vpnHelper> rawDawg: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 05:14 < rawDawg> thanks for topology subnet :) 05:25 < |Mike|> Spockz: not on default 05:25 < Spockz> |Mike|: aah that's probably it then 05:25 < Spockz> brb 05:26 < |Mike|> !tls 05:26 < vpnHelper> |Mike|: Error: "tls" is not a valid command. 05:27 < |Mike|> hmz 05:40 < reiffert> !factoids search tls 05:40 < vpnHelper> reiffert: 'tls-verify', 'tls-cipher', and 'tls-auth' 05:44 < |Mike|> Spockz: see what vpnHelper just uttered :) 05:46 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)] 05:46 < Spockz> tls-auth is a config keywoard I believe? 05:53 < |Mike|> !tls-verify 05:53 < vpnHelper> |Mike|: "tls-verify" is seems to be broken in 2.1rc9 and working in 2.1rc8 https://bugzilla.redhat.com/show_bug.cgi?id=458600 05:53 < |Mike|> !tls-cipher 05:53 < vpnHelper> |Mike|: "tls-cipher" is http://sourceforge.net/mailarchive/forum.php?thread_name=48B01B33.6030806%40usa.net&forum_name=openvpn-users 05:53 < |Mike|> !tls-auth 05:53 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 05:54 < |Mike|> !secure 05:54 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 05:56 < Spockz> maybe we should update the vpnHelper :) 05:56 < Spockz> the first one is 'http://openvpn.net/index.php/open-source/documentation/howto.html#security' now 05:56 < vpnHelper> Title: HOWTO (at openvpn.net) 05:56 < |Mike|> hehe, yeah 05:56 < |Mike|> krzie: !
06:03 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has joined ##openvpn 06:11 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 06:14 -!- Micxs [n=Micxs@p548AE1AC.dip.t-dialin.net] has joined ##openvpn 06:25 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 06:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 06:39 -!- YpsyZNC is now known as Ypsy 06:43 -!- theTroy [n=troy@cpc4-cmbg3-0-0-cust523.cmbg.cable.ntl.com] has joined ##openvpn 06:44 < theTroy> could someone help please. I am running TomatoVPN on the router, and I have made the client config to route the traffic, but the openvpn adds interrupt to the eth0 and not the wlan0, effectively routing traffic going through ethernet, but not through wireless 06:52 -!- |ns|nR8 [n=doof@CPE-124-180-114-216.vic.bigpond.net.au] has quit [Read error: 110 (Connection timed out)] 06:54 < Bushmills> xlerb? 07:07 -!- RadarG [n=nightwol@98.115.35.178] has joined ##openvpn 07:07 < RadarG> hello all 07:07 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has quit ["Leaving"] 07:08 -!- |ns|nR8 [n=doof@CPE-58-165-90-183.qld.bigpond.net.au] has joined ##openvpn 07:09 < RadarG> I need some help trying to configure an openvpn server. I have the server installed on a vista box and I'm trying to understand the configuration file so I can configure the server right I was wondering if somebody can help me out 07:10 < reiffert> !howto 07:10 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:11 < RadarG> Thanks but I have been reading this 07:16 < Qantouri1c> RadarG: maybe if you have a specific question, (witch is not clearly explained) someone might answer. 
07:16 < Qantouri1c> The current information you provided boils down to "HELP" 07:16 < Qantouri1c> witch is ofcours not TOoo productive :) 07:16 < Qantouri1c> *which 07:17 < rawDawg2> how do i pass the ip of the connecting client into a script 07:18 < rawDawg2> i tried client-connect "SCRIPT trusted_ip" 07:18 < rawDawg2> didnt work out how i thought it would 07:21 < RadarG> Ok first off I have a smoothwall firewall with Zerina installed in Asia and a Desktop back in the states with OpenVPN installed on it. What I want to do is setup the server and have my firewall log in and route traffic back to the states. 07:22 < theTroy> could someone help please. I am running TomatoVPN on the router, and I have made the client config to route the traffic, but the openvpn adds interrupt to the eth0 and not the wlan0, effectively routing traffic going through ethernet, but not through wireless 07:22 < RadarG> is there a PDF format of the documentation? 07:23 < Qantouri1c> theTroy: are eth0 and wlan0 on the same network ? 07:23 < theTroy> eht0 is not connected 07:23 < Qantouri1c> RadarG: ferget your "goal" for a second 07:23 < Qantouri1c> RadarG: try getting a proper connection first between the 2 sites 07:23 < Qantouri1c> RadarG: also pick witch connection method you wish to use 07:24 < Qantouri1c> theTroy: what connection method are you using on the server ? 07:24 < theTroy> TAP UDP DHCP 07:24 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 07:24 < Qantouri1c> theTroy: then bridge tap0 properly 07:24 < theTroy> how? 07:25 < Qantouri1c> theTroy: brctrl add br0 iirc 07:25 < Qantouri1c> then add networks to brige 07:25 < Qantouri1c> that's the easiest way to do it 07:25 < Qantouri1c> NOTE: 07:25 < Qantouri1c> ALL the trafic will run trough it :) 07:25 < Qantouri1c> you might want to ROUTE the trafic instead 07:26 < Qantouri1c> bridge means all trafic runs trough it
07:26 < Qantouri1c> route means .. well router :) 07:26 < RadarG> ok I understand that i'm trying to figure out should I use bridge or route. I dont need all of my traffic to go across the link. I just need one host to go across the link the other hosts dont need the link. I'm sure I setup the iptable to route the traffic on the firewall I just need to get the server setup first. 07:26 < Qantouri1c> first pick the poison for your purpose then we get to configuring it 07:26 < theTroy> I do want all of my traffic to run through the openvpn 07:26 < Qantouri1c> RadarG: PS: does the traffic need to be encrypted ? 07:27 < Qantouri1c> theTroy: bridge it is then 07:27 < Qantouri1c> theTroy: NOTE: WHEN CREATING A BRIDGE your network will drop for a moment 07:27 < Qantouri1c> theTroy: to configure a bridge, first consult your OS way to set it up then consider custom script if your OS has no default way to do it 07:27 < RadarG> yes 07:29 < Qantouri1c> RadarG: ok then you need openvpng :) 07:29 < theTroy> Qantouri1c mind to go into private? I am quite newbie with openvpn and just dont want to spam this channel 07:29 < Qantouri1c> first determen what sort of connection you want radarg 07:29 < Qantouri1c> theTroy: i'm handling 4 cahnnels right now you where next :) 07:29 < theTroy> allright, thanks :) 07:32 < RadarG> routing I dont have a wins server 07:33 < Qantouri1c> RadarG: bridge then 07:33 * Qantouri1c personally prefers bridge because it's the easiest 07:33 < Qantouri1c> BUT also the slowest and least safe 07:34 < RadarG> what ever is easiest to set up 07:34 < Qantouri1c> tap 07:34 < Qantouri1c> atleast for me it was 07:34 < Bushmills> !redirect 07:34 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:34 < Bushmills> theTroy, ^^^^^ 07:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 07:35 < RadarG> ok fine bridge. Either way should be fine becuase I can turn off the link at the firewall when I'm not using it. 07:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 07:36 < RadarG> sorry gtg now 07:36 -!- RadarG [n=nightwol@98.115.35.178] has quit [] 08:31 < Douglas> god this customer is such a jackass 08:31 < Douglas> i hate him 08:33 < Douglas> krzie: there? 08:33 < Douglas> or ecrist 08:36 -!- |ns|nR8 [n=doof@CPE-58-165-90-183.qld.bigpond.net.au] has quit ["Leaving"] 09:28 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 09:40 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 10:34 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 10:37 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Remote closed the connection] 10:37 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 11:01 -!- devzero__ [n=devzero@dslb-088-078-198-095.pools.arcor-ip.net] has joined ##openvpn
11:02 < devzero__> hey, i'm using openvpn as server on a linux box and as client on a windows xp box.. i've tried to push a dnsserver, but its not working. i find noting in logs 11:02 < devzero__> ive just added push "dhcp-option DNS 10.1.0.1" 11:03 < devzero__> on serverside 11:04 -!- kyrix [n=ashley@91-115-185-113.adsl.highway.telekom.at] has joined ##openvpn 11:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:19 -!- kyrix [n=ashley@91-115-185-113.adsl.highway.telekom.at] has quit [Read error: 104 (Connection reset by peer)] 12:29 -!- devzero__ [n=devzero@dslb-088-078-198-095.pools.arcor-ip.net] has quit ["Verlassend"] 12:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:03 -!- Blue_Fish [n=BlueFish@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has joined ##openvpn 13:03 < Blue_Fish> Hey everyone 13:04 < Blue_Fish> Does anyone know what the difference is between SSL certificates generated for Apache and OpenVPN? 13:04 < Blue_Fish> Could they be used interchangeably? 13:18 -!- Blue_Fish [n=BlueFish@CPE001839c147df-CM001a7008191a.cpe.net.cable.rogers.com] has quit [Remote closed the connection] 13:27 -!- theTroy [n=troy@cpc4-cmbg3-0-0-cust523.cmbg.cable.ntl.com] has quit ["Leaving."] 14:55 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 15:14 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 15:19 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn 16:01 -!- Dougy [i=doug@64.18.144.2] has joined ##openvpn 16:02 < Dougy> ovpnforum is now #6 on google for openvpn forum 16:02 < Dougy> :) 16:03 < krzie> hehe 16:03 < krzie> anyone on there need help? 16:04 < Dougy> not at the moment 16:04 * Dougy just approved a post 16:04 < Dougy> solaris thign 16:04 < Dougy> thing 16:04 < krzie> !forum 16:04 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:04 < Dougy> however krzie 16:04 < Dougy> one thing 16:04 < krzie> ya?
16:04 < Dougy> a vpnhelper entry might be needed 16:04 < Dougy> for windows 2008 16:04 < krzie> !win7 16:04 < vpnHelper> krzie: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 16:04 < krzie> that? 16:04 < Dougy> read: http://www.ovpnforum.com/viewtopic.php?f=6&t=400&sid=1054b51101af3ad66802b428f3eeef0e 16:04 < vpnHelper> Title: OpenVPN Forum View topic - SERVER 2008 X64 SP2, OPENVPN 2.16RC18, (at www.ovpnforum.com) 16:13 < krzie> !learn win2k8 as Server 2008 assigns the OpenVPN TAP Adapter v9 as an Unidentified network which the default Local Security Policy of Server 2008 assigns as being a Public Interface with restricted access. To fix it do this: Go into Control Panel / Administrative Tools / Local Security Policy / Network List Manager Policies / Unidentified Networks. Set Location Type to Private. 16:13 < vpnHelper> krzie: Joo got it. 16:14 < Dougy> krzie da man 16:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:17 < Qantouri1c> need help but not with openvpn :) 16:22 < krzie> http://www.ovpnforum.com/viewtopic.php?f=6&t=393&p=560 16:22 < vpnHelper> Title: OpenVPN Forum View topic - Client cannot seem to connect to server (at www.ovpnforum.com) 16:22 < krzie> lol 16:23 < Dougy> krzie: more actual posts starting to show up 16:25 < Dougy> nobody happens to have a fresh install of arch 16:25 < krzie> Qantouri1c, out of curiosity... what is it? 16:26 < krzie> nah i never ran archlinux 16:26 < krzie> i use debian for my linux VM 16:26 < Qantouri1c> well i found it about 10 mins ago, a sas controller without raid :) 16:26 < Qantouri1c> apreantly it excists :) 16:26 < krzie> and if i actually had to use linux, ild go gentoo 16:27 < Dougy> krzie: i just lost some respect for you 16:27 < krzie> im very worried *chuckle* 16:27 < Dougy> gentoo is garbage 16:27 < Dougy> . 16:28 < krzie> dont you use centos? 
16:28 < Dougy> only when i have to 16:28 < krzie> LOL 16:28 < Dougy> ie something like cpanel 16:28 < Dougy> not going to do that to freebsd 16:28 < Dougy> thats just cruel 16:28 < krzie> you use centos AND cpanel, and you say gentoo is garbage 16:28 < krzie> hahahaha 16:28 < Dougy> krzie: no 16:28 < krzie> if you are losing respect for me, im prolly doing the right thing 16:28 < Dougy> the datacenter iw ork for does 16:28 < Dougy> i work 16:29 * Dougy likes no control panel and debian/fsbd 16:29 < Dougy> fbsd 16:30 * Qantouri1c uses gentoo, and i agree it's garbage, but due a lack of an exually flexible alternative ... 16:31 < Dougy> Qantouri1c: indeed 16:32 -!- Micxs [n=Micxs@p548AE1AC.dip.t-dialin.net] has quit ["Ciao"] 16:41 < Qantouri1c> am i mad to use software raid instead of hardware ? 16:41 < Qantouri1c> (speed is not a real issue convencience is) 16:43 < Dougy> no 16:43 < Dougy> i know people running sw raid 5 that outperforms hw raid 5 16:45 < krzie> i stay away from software raid with the exception of ZFS 16:46 < Dougy> ZFS is bad ass 16:47 < krzie> yes, it is 16:47 < krzie> although it still has bugs to be worked out 16:49 < krzie> Qantouri1c if your worry is protecting data, use hardware raid over software raid 16:49 < krzie> if you cant afford hardware raid, software raid is better than nothing 16:50 < Qantouri1c> krzie: how is hardware raid better plz ? 16:50 < Qantouri1c> for protecting data 16:50 < krzie> server hiccups with software raid can lead to data loss 16:50 < Qantouri1c> krzie: well according to what i read, spindown control over driver is tacky ? 16:51 < Qantouri1c> define hiccups ? 16:51 < Qantouri1c> kernel crashing ? 
16:51 < krzie> 1sec lemme find you a link 16:52 < krzie> http://www.pcguide.com/ref/hdd/perf/raid/conf/ctrlSoftware-c.html 16:52 < vpnHelper> Title: Software RAID (at www.pcguide.com) 16:54 < ecrist> gmirror ftw 16:55 < Qantouri1c> krzie: right now main concern for opting software vs hardware: i don't know what functions the hardware will have 16:55 < Qantouri1c> i have no clue when how devises will pop up in the kernel 16:55 < krzie> well what are your needs? 16:55 < Qantouri1c> nor do i know how it will handle randomly inserting disk in the wrong slots 16:56 < Qantouri1c> krzie: there is no real need for hardware raid in this case (other then reliabilty) 16:56 < krzie> business related, or for fun? 16:56 < Qantouri1c> other peqs (speed, boot etz) 16:56 < Qantouri1c> krzie: bith of both actually :) 16:56 < Qantouri1c> other peqs are a plus 16:56 < ecrist> gmirror and gstripe are awesome 16:56 < krzie> how big is your business? 16:57 < krzie> ecrist, ill admit i never used that 16:57 < Qantouri1c> if buisiness and fun collide ... the buisiness is VERRY small :) 16:57 < krzie> i take it you like it 16:57 < ecrist> krzie: we don't use hardware raid for mirrors anymore, only gmirror 16:57 < Qantouri1c> what i mean with that 16:57 < krzie> Qantouri1c hahahah tru 16:57 < krzie> good one 16:57 < Qantouri1c> there WILL be buisiness related servers on it 16:57 < Qantouri1c> that need to work 16:58 < Qantouri1c> since we use that server to store data 16:58 < Qantouri1c> buiness data 16:58 < ecrist> Qantouri1c: what is the purpose of your RAID, and what OS? 16:58 < Qantouri1c> purpose raid: store data
16:58 < Qantouri1c> I.E. backups 16:58 < krzie> raid != backups 16:58 < Qantouri1c> os: linux 16:58 < ecrist> RAID != BACKUPS 16:58 < Qantouri1c> i know that 16:58 < krzie> do not let raid replace a good backup solution 16:58 < Qantouri1c> i mean 16:58 < Qantouri1c> storing backups 16:58 < krzie> ohh 16:58 < Qantouri1c> well euu 16:59 < Qantouri1c> no backups is a bad worth here 16:59 < Qantouri1c> images of computer setups 16:59 < Qantouri1c> will also be used to snapshot stuff :) 16:59 < ecrist> Qantouri1c: I know nothing of linux software RAID, I would suggest FreeBSD + GEOM mirror 16:59 < ecrist> very reliable, and vetted. 16:59 < Qantouri1c> as said: main concernt for hardware: how will it work, how will it name devices etz 17:00 < krzie> and if it wasnt for work, ild suggest freebsd-8 with ZFS 17:00 < ecrist> why do you care how it names devices? 17:00 < krzie> but its not quite production ready yet 17:00 < krzie> just is a good thing to learn, cause once its production ready, it will be the best 17:00 < Qantouri1c> ecrist: well not that mutch, aslong as it's named the same :) 17:01 < ecrist> named the same as what? 17:01 < Qantouri1c> ecrist: as the last time the server was online :) 17:01 < ecrist> there is no way to know that, really 17:01 < krzie> i would assume as long as it works, who cares what the dev name is 17:01 < ecrist> without using the exact same OS and exact same hardware 17:01 < Qantouri1c> hmm should use labels then :) 17:02 < ecrist> I think you're worrying about silly/stupid/retarded/really-fucking-lame things. 17:02 * krzie agrees 17:02 < krzie> a rose is a rose by any name 17:02 < ecrist> a disk is a disk by any /dev/ 17:03 < krzie> ;] 17:03 < Qantouri1c> hmmm 17:03 < Qantouri1c> think your right :) 17:03 < Dougy> ecrist: ! 17:03 < Dougy> hihi 17:03 < Dougy> how are you 17:05 < ecrist> dougy, good 17:05 < Dougy> ecrist: how is mrs crist 17:05 < ecrist> good 17:05 < krzie> and hows baby crist?
17:05 < Qantouri1c> woooo 17:05 < Qantouri1c> this raid control also does lvm ??? 17:06 < Qantouri1c> that is starting to explain the bloody price :) 17:06 < krzie> Qantouri1c if ecrist speaks for that software raid, its prolly a safe bet 17:07 < krzie> he knows his shit and has much experience as a fbsd admin is business env 17:07 < krzie> in business env 17:07 < Qantouri1c> well i won't be running bsd i'm afraid :/ 17:07 < Qantouri1c> maybe i should though 17:07 < ecrist> krzie: all my firewalls use gmirror 17:07 < ecrist> which is about 7 right now 17:07 < krzie> even home? 17:07 < ecrist> all have been operational without issues for nearly 2 years. 17:07 < ecrist> yes, even home 17:07 < krzie> werd 17:08 < ecrist> gmirror has been used about 3 times at the office and once at home to recover a failing system 17:08 < ecrist> *and* I even wrote a Nagios plugin to monitor it. :) 17:09 < ecrist> krzee, you heard of NagVis? 17:09 < ecrist> I think I showed you the output for our office LAN 17:10 < ecrist> I wrote these: 17:10 < ecrist> http://www.nagios-portal.org/wbb/index.php?page=Thread&threadID=15217 17:10 < vpnHelper> Title: New NagVis Gadget - Thermometer - NagVis - Nagios-Portal (at www.nagios-portal.org) 17:10 < ecrist> http://www.nagios-portal.org/wbb/index.php?page=Thread&threadID=15297 17:10 < vpnHelper> Title: New NagVis Gadget - Printer Supplies - NagVis - Nagios-Portal (at www.nagios-portal.org) 17:11 < krzie> ya i heard of it through you 17:11 < krzie> and you did show me it for your office, it was badass 17:13 < ecrist> I wrote those two plugins, above. 17:13 < ecrist> office is tickled, they can see printer supply status on a our nagios page 17:14 < krzie> ya i thought that was badass too 17:14 < krzie> it never even occured to me to want that, or that it was possible 17:15 < ecrist> it's war-room type stuff, which is cool to most any geek. 
17:16 < krzie> must be why i liked it ;] 17:17 < ecrist> the nagvis devs finally accepted my patch and committed it, too 17:17 < ecrist> their perfdata parsing was vastly incomplete. 17:20 < Qantouri1c> well time for bed, been interseting 17:20 < krzie> nite 17:31 < anwoke8204> anyone going to be on here in about 4 hours or so that could give me a hand? 17:32 < krzie> thats best asked in 4 hours or so 17:32 < krzie> but i know i wont be 17:32 < krzie> ill be gone in bout 1.5 hrs 17:33 < krzie> although if you want to now, im here to help 17:34 < anwoke8204> I am not at home with the server and right now I can't connect to it 17:34 < krzie> gotchya 17:34 < anwoke8204> it says I am connected, but I can't ping the server or anything 17:34 < krzie> windows? 17:34 < anwoke8204> yeah xp 17:34 < krzie> !winroute 17:34 < anwoke8204> was able to connect earlier 17:34 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 17:35 < krzie> also be sure the windows firewall is disabled 17:35 < krzie> on the tap interface 17:35 < krzie> it likes to re-enable itself 17:35 < anwoke8204> the firewall for the tap interfaceis already turned off' 17:35 < krzie> it likes to re-enable itself 17:35 < krzie> and if all else fails, reboot 17:35 < krzie> the first law of windows ;] 17:36 < anwoke8204> lol, that much is sooo true 17:36 < anwoke8204> it was working fine, but then I uploaded a new certificiate and key to try it and it didn't work so I changed back to my old cert and key and now can't do anything 17:37 < anwoke8204> let me reboot and see if that does anything 17:38 < krzie> make sure your paths and filenames are correct 17:41 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn
17:42 < anwoke8204> nogo 17:43 < krzie> your logfiles should help you find the problem 17:43 < anwoke8204> it says I am connected, but I can't ping anything, not even the server 17:43 < krzie> prolly gives an error when trying to add the routes, which youd see in the logfiles 17:43 < anwoke8204> so if I can't ping the server then I can't even ssh in to view the log files 17:44 < krzie> which is why i did: 17:44 < krzie> !winroute 17:44 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 17:44 < krzie> right 17:44 < krzie> but thats a good thing to check when you can get in 17:44 < anwoke8204> I will check the logs when I get local access to the server 17:45 < krzie> !factoids search win 17:45 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', and 'win2k8' 17:45 < anwoke8204> the server is debian based, but the clients are vista or xp 17:45 < krzie> well on the win client you're on, you looked at the logfile? 17:46 < anwoke8204> logfile on the client looks ok 17:46 < krzie> so it added the routes? 17:46 < anwoke8204> want me to pastebin it 17:47 < krzie> sure 17:48 < anwoke8204> http://pastebin.com/m777b6eb8 17:48 < anwoke8204> see routes in the log file so it looks like it added them 17:49 < krzie> netstat -rn 17:50 < krzie> ok looks like you already have route-method exe 17:50 < krzie> you have route-delay too?
17:51 < anwoke8204> http://pastebin.com/m75e40d18 17:51 < anwoke8204> that is the results of the netstat 17:51 < anwoke8204> no, how do I do the route delay 17:51 < krzie> it was rn not rm ;] 17:51 < krzie> n is no resolve 17:51 < krzie> but -r was fine 17:52 < |Mike|> unf unf krzie :d 17:52 < krzie> you just put in that config 17:52 < krzie> route-delay 17:52 < krzie> sup mike 17:52 < |Mike|> krzie: you want might to update !secure :) 17:52 < krzie> ok those routes were added 17:52 < krzie> !secure 17:52 < vpnHelper> krzie: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 17:52 < |Mike|> http://openvpn.net/index.php/open-source/documentation/howto.html#security 17:52 < vpnHelper> Title: HOWTO (at openvpn.net) 17:53 < krzie> oh 17:53 < krzie> no i need to ask ecrist to email those choads to fix that 17:53 < |Mike|> Spockz did notice me with it 17:53 < krzie> they messed up a bunch on their new site design, we've been telling them bout them as we find them 17:53 < anwoke8204> route-delay 2 is already in there 17:53 < krzie> why 2? 17:53 < krzie> default is 30 17:54 < |Mike|> krzie: i prefer mod_rewrite for such stuff :P 17:54 < krzie> didnt i tell you that awhile ago? or was that someone else? 
17:54 < anwoke8204> thats what my friend who started setting this up for us told us to put in 17:54 < krzie> someone had route-delay 2 awhile back as well 17:54 < anwoke8204> he started, but then had to go and he lives in another state 17:54 < krzie> using 2 is almost pointless 17:54 < krzie> remove the 2 17:55 < anwoke8204> so I am trying to pick up where he left off 17:55 < krzie> it will default to 30 17:55 < krzie> also, read the manual for every config option you use 17:55 < krzie> to have an idea of whats going on =] 17:55 < krzie> !man 17:55 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:55 < krzie> ecrist, can you email francis about what mike mentioned above? 17:56 < anwoke8204> so just route-delay no numbers right 17:56 < krzie> right 17:57 < anwoke8204> ok did that, reconnected now when I try to ping the server I am getting request timed out 17:57 < krzie> (#3) you may need to turn off routing and 17:57 < krzie> remote acess in administrative tools - routing and remote access 17:57 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 54 (Connection reset by peer)] 17:57 < krzie> checked that? 17:58 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 17:58 < anwoke8204> so comment out the routing in the config file (the route delay and the route method) 17:59 < krzie> why? 17:59 < anwoke8204> you said to turn off the routing routing? 
17:59 < krzie> !winroute 17:59 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 17:59 < krzie> see #3 17:59 < anwoke8204> oh duhhh 18:00 < anwoke8204> don't think windows xp home has routing and remote access 18:00 < anwoke8204> but will check 18:03 < anwoke8204> its already disabled 18:06 < anwoke8204> any other ideas 18:06 < krzie> be sure that some other software isnt firewalling 18:06 < krzie> like symantec, mcafee, etc 18:07 < anwoke8204> just windows firewall and it is not firewalling the tap adapter 18:07 < anwoke8204> don't have symantec or mcafee firewalls installed 18:10 < krzie> other clients are working? 18:10 < anwoke8204> now I am back to the destination host unreachable 18:10 < anwoke8204> no 18:10 < anwoke8204> I was the only one that could connect, but now I can't either 18:11 < krzie> im thinking its something server side then 18:11 < krzie> maybe the firewall there 18:12 < anwoke8204> could be will disable shorewall when I get home and then test 18:22 < |Mike|> can you ping 10.8.0.2 ? 18:23 < krzie> mike, .2 isnt a real ip 18:23 < krzie> you mean .6 18:23 < krzie> and he isnt using 10.8.0/24 18:23 < |Mike|> oic. 18:33 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has left ##openvpn [] 18:35 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Connection timed out] 18:57 -!- Dougy [i=doug@64.18.144.2] has quit ["leaving"] 19:02 < ecrist> krzie: what was !secure supposed to go to? 
19:03 < krzie> their #security tag doesnt survive the rewrite 19:03 < krzie> !secure 19:03 < vpnHelper> krzie: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 19:03 < krzie> #1 19:06 < ecrist> sure, which part of the page? 19:06 < ecrist> there's a secnotes tag now... 19:07 < krzie> http://openvpn.net/index.php/open-source/documentation/howto.html#security 19:07 < vpnHelper> Title: HOWTO (at openvpn.net) 19:07 < krzie> Hardening OpenVPN Security 19:09 < ecrist> sending a message now... 19:11 < ecrist> sent 19:22 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 19:23 -!- Kryczek [i=kryczek@about/security/staff/Kryczek] has joined ##openvpn 19:23 < rawDawg> are there any 2.1 versions that might be stable enough to run in production 19:24 < rawDawg> im running a windows server and I would really like to use topology subnet 19:24 < rawDawg> mainly so i can address the clients sequentially 19:26 < krzee> rc19 19:26 < rawDawg> the latest huh 19:27 < krzee> right 19:28 < krzee> but yes, thats exactly what ild use in production 19:28 < Kryczek> Hi! 19:28 < krzee> over the 'stable' release 19:28 < Kryczek> Do some OpenVPN developers hang around here perhaps? 19:28 < rawDawg> in that case, ill take your word for it 19:28 < rawDawg> i really like that feature 19:29 < Kryczek> cause I submitted a patch almost one month ago http://article.gmane.org/gmane.network.openvpn.devel/2700 and got absolutely no reply 19:29 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 19:29 < ecrist> Kryczek: not that we're aware of. 19:29 < Kryczek> ah :/ 19:29 < ecrist> the OpenVPN devs are a little premadonna 19:29 < ecrist> ;) 19:31 < Kryczek> heh, ok :) so what should I do in your opinion? bump my post in the mailing-list? 19:32 < |Mike|> i would confrontate em :) 19:33 < |Mike|> it's a specified SElinux issue ? 
19:41 -!- Ypsy is now known as YpsyZNC 19:41 < Kryczek> what do you mean? 19:41 < Kryczek> I wouldn't call this an issue, it's not something broken 19:42 < Kryczek> (then again English is not my mother tongue :) 19:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 19:49 < rawDawg> !man 19:49 < vpnHelper> rawDawg: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:01 < rawDawg> !route 20:01 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:05 < rawDawg> i am using topology subnet 20:05 < rawDawg> i want to add a route on the server to a remote client's network 20:06 < rawDawg> i am using client-config-dir 20:06 < rawDawg> my client is named "test" 20:07 < rawDawg> in my test file i have two lines: 20:07 < rawDawg> ifconfig-push 192.168.10.2 255.255.255.0 20:07 < rawDawg> iroute 192.168.85.0 255.255.255.0 20:07 < rawDawg> how do i add the route on the server 20:07 < rawDawg> the remote network is 192.168.85.0 /24 20:07 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Read error: 104 (Connection reset by peer)] 20:09 < rawDawg> would it be: route 192.168.85.0 255.255.255.0 192.168.10.2 ? 20:11 < rawDawg> the gateway parameter "vpn_gateway" does not work for me in this scenario 20:11 < rawDawg> so i would specify the vpn endpoint on the remote client's network? 20:12 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn 20:12 < rawDawg> or am i missing something here? 
20:18 < krzee> route 192.168.85.0 255.255.255.0 20:18 < krzee> like seen in !route 20:18 < rawDawg> right but then, i got a message in the status windows that there was no gateway 20:20 < rawDawg> Sun Jul 19 21:19:35 2009 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a 20:20 < rawDawg> --route option and no default was specified by either --route-gateway or --ifcon 20:20 < rawDawg> fig options 20:20 < rawDawg> Sun Jul 19 21:19:35 2009 OpenVPN ROUTE: failed to parse/resolve route for host/n 20:20 < rawDawg> etwork: 192.168.85.0 20:20 < rawDawg> :S 20:22 < |Mike|> dot 6 20:24 < krzee> !configs 20:24 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:31 < rawDawg> krzee: here are my configs http://pastebin.com/mdae774c 20:32 < rawDawg> latest version of openvpn 20:32 < rawDawg> the server is Win2k3 the Client is WinXP 20:33 < krzee> interesting 20:34 < krzee> try route-gateway 192.168.10. 20:34 < krzee> err 20:34 < krzee> try route-gateway 192.168.10.1 20:34 < rawDawg> in the server config? 20:35 < krzee> yes 20:35 < rawDawg> ok i will try 20:38 < rawDawg> got this message: http://pastebin.com/m5766ae00 20:39 < krzee> !winroute 20:39 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 20:39 < krzee> #1 20:42 < rawDawg> krzee: i think that took care of my issue 20:42 < krzee> =] 20:42 < rawDawg> thanks for the help. 
i appreciate it a lot 20:43 < krzee> yw 20:43 < krzee> time for me to watch a movie with the gf 20:43 < krzee> bbl 21:07 -!- master_of_master [i=master_o@p549D5438.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:10 -!- master_of_master [i=master_o@p549D3D2D.dip.t-dialin.net] has joined ##openvpn 22:07 < rawDawg> how do i ping another device (besides the remote host) on the remote client's network from the server? 22:07 < rawDawg> !route 22:07 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 22:13 < rawDawg> ok i figured that one out 22:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:14 < ecrist> with ping 22:15 < rawDawg> lol 22:15 < ecrist> ;) 22:15 < rawDawg> wont work without a certain route ;) 22:17 < rawDawg> ok here's another question: how do i pass the external ip of a client connection into a script? 22:18 < ecrist> you'd have to get that 22:18 < ecrist> there are websites out there that will discover that for you... 22:18 < ecrist> http://secure-computing.net/ip.php 22:22 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 22:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:09 < krzee> thats something like untrusted_ip 23:09 < krzee> you really should be consulting the manual more than us 23:09 < krzee> !man 23:09 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 23:12 < rawDawg> yeah but how do i get that into a script? 23:13 < krzee> its an environment variable 23:13 < krzee> read about it in the manual 23:14 < krzee> and the scripts section too 23:14 < rawDawg> i read both sections 23:14 < rawDawg> i am still unclear 23:15 < rawDawg> how do i pass untrusted_ip into a script? 
23:16 < anwoke8204> vpn worked for a bit but now back to cant ping anything other than vpn server when connected 23:20 < anwoke8204> any ideas 23:45 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn --- Day changed Mon Jul 20 2009 00:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:15 -!- jdchrist_ [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 00:41 -!- jeiworth [n=jeiworth@189.163.165.116] has quit ["No Ping reply in 90 seconds."] 00:41 -!- jeiworth [n=jeiworth@189.163.165.116] has joined ##openvpn 01:13 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has joined ##openvpn 01:13 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has quit [SendQ exceeded] 01:13 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has joined ##openvpn 01:13 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has left ##openvpn ["Changed major mode"] 01:14 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has joined ##openvpn 01:14 < grim_fandango> I am having trouble assigning a static IP to a server. I am using OpenVPN in OpenBSD in routing mode. 01:15 < grim_fandango> I added client-config-dir and route directives but it looks like my ccd config file is not being picked up regardless of what I do. 01:15 < grim_fandango> I have ensured that the ccd config file is named after the name of the client cert. 01:15 < grim_fandango> Does anyone have any suggestions on what I should be checking to debug this problem? 01:15 < dazo> !factoids search * 01:15 < vpnHelper> dazo: More than 100 keys matched that query; please narrow your query. 01:16 < dazo> heh 01:16 < dazo> !factoids search tcp 01:16 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:16 < dazo> !factoids search *tcp* 01:16 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 01:16 < dazo> !factoids search *udp* 01:16 < vpnHelper> dazo: No keys matched that query. 01:16 < dazo> cool 01:16 * dazo just had to test it out 01:27 -!- flokuehn_ [n=flokuehn@globalways/developer/flokuehn] has joined ##openvpn 01:27 < krzee> grim, either it doesnt have access to read the file (remember it would read the file after dropping permissions) or the filename isnt EXACTLY what the common name is 01:27 -!- SuperEvilDeath [n=death@212.206.209.177] has joined ##openvpn 01:28 < krzee> grim_fandango, ^ 01:28 < krzee> anwoke8204, that description leads nobody anywhere, you' 01:29 < krzee> you'll need to do some troubleshooting, sniff the interface to see where packets make it and not, check/post logfiles, say what type of vpn you setup, etc 01:29 < krzee> simply saying "hey my setup doesnt work" wont help you at all 01:29 < krzee> g'nite =] 01:37 -!- grim_fandango [n=grim_fan@BAS1-TORONTO10-1279748426.dsl.bell.ca] has quit [Read error: 113 (No route to host)] 02:28 -!- Hyphenex [n=Hyphenex@nimue-37.its.uow.edu.au] has joined ##openvpn 02:31 < Hyphenex> G'Day, I'm running a VPN on a host with this as my server configuration: http://paste2.org/p/333001 02:32 < Hyphenex> is there a way to make it so I don't have to restart the vpn every time my client re-connects? 02:46 < dazo> Hyphenex: have you tried --daemon ? 02:47 * dazo might have misunderstood the question 02:55 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 03:07 < Hyphenex> dazo: I do /etc/init.d/openvpn start 03:07 < dazo> Hyphenex: ahh ... 
then you're already running as daemon 03:07 < dazo> Hyphenex: then I haven't understood your question 03:08 < Hyphenex> dazo: yeah, when I close down the client, I need to restart the daemon before I can connect again, it comes up with 'can not connect' errors otherwise 03:08 < dazo> Hyphenex: aha ... well, that's very odd 03:08 * dazo thinks 03:08 < Hyphenex> that's not supposed to happen like that then I take it :P 03:09 < dazo> Hyphenex: not at all :) 03:09 < dazo> Hyphenex: which openvpn version are you using? 03:10 < dazo> Hyphenex: if you add verb 4 and check the log files of the server, they might be able to give a better clue ... 03:12 < Hyphenex> on the server I'm using version 2.1_rc15 03:12 < dazo> Hyphenex: I'd consider that safe enough ... rc15 was rock solid, and I've used that for months in production environment 03:12 < dazo> Hyphenex: and your client? 03:13 < Hyphenex> umm, well, I just downloaded that today 03:13 < Hyphenex> so whatever the latest client is for windows :P 03:14 < dazo> Hyphenex: both 2.0.9 and 2.1_rc19, I believe are the ones available now .... if 2.0, that could maybe give some challenges - but should not in your setting ... 2.1_rc19 should work fine 03:14 < Hyphenex> dazo: how do I add that verb 4 thing? 03:14 < dazo> Hyphenex: your config which you put on paste2.org .... is that your complete config? 03:15 < dazo> Hyphenex: you just append 'verb 4' to your config file 03:15 < Hyphenex> dazo: sure is, it's not a very complicated setup (only needed so I can get an XBox to connect behind a HTTP proxy) 03:17 < dazo> Hyphenex: If you can manage to grab some log data from when you close a session and then try to reconnect, that'd be great .... preferably from both client and server 03:17 < Hyphenex> dazo: okie doke, whereabouts might I find the log data created with echo 4? 03:17 < dazo> I'd like to see in the logs both the first working session ... and then the failure when reconnecting 03:18 < dazo> Hyphenex: echo 4? ... 
I presume you meant verb 4 03:18 < dazo> Hyphenex: probably in one of the files under /var/log .... /var/log/messages or /var/log/daemon would be my first guesses 03:19 < dazo> Hyphenex: or you can add --log as well 03:20 < Hyphenex> so /etc/init.d/openvpn start --log /tmp.log ?? 03:21 < dazo> Hyphenex: no, not quite that ..... in the config file add: log /tmp/logfile .... f.ex 03:22 < dazo> Hyphenex: btw, which distro are you running? 03:22 < Hyphenex> Gentoo 03:23 -!- pumbac [n=mla@pc01.kabinet.iasi.rdsnet.ro] has left ##openvpn ["screw you guys, I'm going home"] 03:23 * dazo thought so :) 03:25 < Hyphenex> dazo: well that solves the error... no idea how to fix it though 03:25 < Hyphenex> http://paste2.org/p/333014 03:26 * dazo believes he sees what's wrong 03:26 * dazo double checks against man pages 03:27 < dazo> Hyphenex: try adding persist-tun in your server config 03:27 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 03:27 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:28 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 03:29 < Hyphenex> dazo: I think that's working perfectly :) 03:29 < dazo> Hyphenex: from your log file: ""Mon Jul 20 08:23:41 2009 us=4355 WARNING: you are using user/group/chroot without persist-tun -- this may cause restarts to fail 03:30 < dazo> Hyphenex: you also have that warning in regards to --persist-key .... but as you're not using encryption at all, this makes no sense to activate 03:31 < Hyphenex> yep ;) 03:31 < Hyphenex> is there an easier way to adjust the client side route to use the VPN after it's connected? 03:31 < Hyphenex> as a default route? 03:31 < dazo> Hyphenex: Gentoo startup script by default adds 'user openvpn' and ' 03:32 < dazo> group openvpn' to the config ... so it removes privileges from the process 03:32 < dazo> Hyphenex: have a look at the man pages for openvpn .... 
redirect-gateway def1, is probably the keyword you want on the client 03:33 < dazo> (or you can push it from the server using push "" 03:33 < dazo> ) 03:33 < Hyphenex> the push thing sounds good :) 03:33 < dazo> Hyphenex: :) It's all described in the man pages 03:34 < Hyphenex> Thanks dazo :) 03:34 < Hyphenex> that problem was eating me 03:34 < dazo> Hyphenex: you're welcome! :) Glad it worked out :) 03:34 * dazo feels this can be a good Monday, for once :) 03:55 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tarbo2_, master_of_master, anwoke8204, YpsyZNC, fkr 03:56 -!- Netsplit over, joins: master_of_master, anwoke8204, tarbo2_, YpsyZNC, fkr 04:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 04:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 04:21 -!- wenzman [n=wenzman@unaffiliated/wenzman] has joined ##openvpn 04:27 < wenzman> hi @ all. is it possible to change the timeout if TLS key negotiation failed? (the standard time is 60 sec, but i would like to change it, to a lower timeout....30 sec) 05:01 < dazo> wenzman: don't remember now ... but try searching for 'timeout' in the man pages ... 
if it is, it will definitely be mentioned there 05:14 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)] 05:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:45 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 05:50 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 104 (Connection reset by peer)] 05:50 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 05:58 -!- YpsyZNC is now known as Ypsy 06:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:30 -!- Hyphenex [n=Hyphenex@nimue-37.its.uow.edu.au] has left ##openvpn [] 06:55 -!- flokuehn_ [n=flokuehn@globalways/developer/flokuehn] has quit ["leaving"] 06:56 -!- flokuehn_ [n=flokuehn@globalways/developer/flokuehn] has joined ##openvpn 06:57 -!- flokuehn_ is now known as flokuehn 07:10 < kala> I'm getting lots of "Authenticate/Decrypt packet error: bad packet ID" errors from 2.1.RC15 07:10 < kala> could it be that this is a software bug? 07:34 -!- jeiworth [n=jeiworth@189.163.165.116] has quit [Remote closed the connection] 07:45 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has quit [Remote closed the connection] 08:06 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn 08:28 < kala> ugh. can anybody comment on the http://article.gmane.org/gmane.network.openvpn.devel/2503/match=bad+packet+id bug? 
08:28 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org) 08:59 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 09:26 -!- wenzman [n=wenzman@unaffiliated/wenzman] has quit ["Verlassend"] 09:34 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:35 -!- Maleko [i=Maleko@115.132.15.50] has joined ##openvpn 09:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 09:47 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 09:55 -!- gnr [n=gnr@203.82.79.101] has joined ##openvpn 09:56 < gnr> hi 09:56 < gnr> anybody with pkcs11 experiences? 09:57 < gnr> I'm having Error: private key password verification failed... how do i specify the token pin number? 10:08 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 10:09 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 10:17 < ecrist> morning 10:18 < ecrist> kala: not a software bug 10:18 < ecrist> rc15 was pretty stable, I have been using it for quite a while. 10:18 < ecrist> gnr: type it on the command line when it's asked for. 10:19 < ecrist> oh, reading the report, I've never used it like that. 10:19 < ecrist> try rc18 10:22 -!- FLeiXiuS [n=FLeiXiuS@64.206.83.177] has joined ##openvpn 10:22 < FLeiXiuS> Hello, 10:23 < FLeiXiuS> My clients connect and receive an IP as well as a route. 10:23 < FLeiXiuS> But, I'm not able to ping through the tunnel. 
10:28 -!- gnr [n=gnr@203.82.79.101] has quit [Read error: 110 (Connection timed out)] 10:38 < ecrist> firewall 10:38 < ecrist> as stated in channel topic 10:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:44 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 10:54 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:55 -!- SuperEvilDeath [n=death@212.206.209.177] has quit ["Nettalk6 - www.ntalk.de"] 10:57 -!- Micxs [n=Micxs@p548AD7E9.dip.t-dialin.net] has joined ##openvpn 11:01 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn 11:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:07 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has joined ##openvpn 11:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:28 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:33 -!- xp_prg [n=xp_prg3@c-76-21-115-162.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 11:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:48 -!- NfNitLoo` [n=bip@2001:4978:f:353:0:0:0:2] has joined ##openvpn 11:53 -!- NfNitLoo` is now known as NfNitLoop 12:01 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 12:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:09 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 12:09 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:10 -!- Maleko [i=Maleko@115.132.15.50] has quit [] 12:12 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["Leaving"] 12:44 -!- holycow [n=new@69.67.174.130] has joined ##openvpn 12:44 < holycow> hi guys 12:44 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."] 12:45 < holycow> just reading the how to for no admin privileges 
on windows xp on the openvpn.se website 12:46 < holycow> it is from 2005, does anyone know if it will ever be possible for non-privileged users to run the vpn client as restricted users? 12:48 < holycow> probably better to ask that project i guess 12:55 < kala> ecrist: ok, thanks for comments 13:01 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 13:05 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 13:13 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has joined ##openvpn 13:21 -!- Alfio [n=amunoz@75.112.88.200.m.sta.codetel.net.do] has joined ##openvpn 13:22 < Alfio> hi C4colo 13:22 -!- sbbackk [n=sbbackk@rocarsystem.com] has joined ##openvpn 13:32 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 13:34 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn 13:35 < loulouloulou> hi when I do connect to my openvpn connection I can connect to remote servers using IPs but not using hostnames, in other words my ISP does not accept any more DNS queries from me because the query is coming from a network outside of the country....how can I fix this ? 13:41 -!- nebula- [n=nebula@s0up.digitalkharma.org] has joined ##openvpn 13:41 < nebula-> !howto 13:41 < vpnHelper> nebula-: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:42 < nebula-> !configs 13:42 < vpnHelper> nebula-: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:42 < nebula-> anyone around for a question? 
13:43 < krzee> !factoids search dns 13:43 < vpnHelper> krzee: 'pushdns' and 'dns' 13:43 < ecrist> holycow: NO 13:43 < krzee> !dns 13:43 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1 13:43 < ecrist> it cannot happen 13:43 < krzee> thats for you loulouloulou 13:43 < krzee> nebula-, 13:43 < krzee> !ask 13:43 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help 13:44 < krzee> http://www.google.com/search?q=halle%20berry%20bruce%20willis 13:44 < vpnHelper> Title: halle berry bruce willis - Google Search (at www.google.com) 13:44 < krzee> oops 13:44 < krzee> that was for me 13:44 < holycow> ecrist: cannot happen? so it will be required to either run as a service or do the run/as thing for users? 13:44 < holycow> too bad windows doesn't have proper sudo 13:45 < nebula-> danka 13:45 < ecrist> http://sourceforge.net/projects/sudowin/ 13:45 < vpnHelper> Title: Sudo for Windows | Get Sudo for Windows at SourceForge.net (at sourceforge.net) 13:45 < ecrist> ^^^ for you, holycow 13:47 < ecrist> holycow, I found that here: http://tinyurl.com/kkjqaq 13:47 < vpnHelper> Title: Let me google that for you (at tinyurl.com) 13:47 < holycow> oh! 13:47 < holycow> huh 13:49 < nebula-> !man 13:49 < vpnHelper> nebula-: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:50 < holycow> ecrist: thank you very much for all your help today. thats quite cool 13:52 -!- nebula- [n=nebula@s0up.digitalkharma.org] has quit ["leaving"] 13:53 -!- neb_ [n=nebula@s0up.digitalkharma.org] has joined ##openvpn 13:53 -!- neb_ is now known as nebula- 13:53 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:01 < nebula-> hey guys, I'm having trouble getting ethernet bridging to work.. 
I can successfully connect and ping the internal IP of my OpenVPN server, however, I can't ping any other machines on the same network. Here's all my config info -> http://pastebin.com/d48952e2f .. any help is greatly appreciated. 14:03 < nebula-> so maybe i have a problem with my bridge, but everything looks okay to me.. 14:07 < nebula-> !interface 14:07 < vpnHelper> nebula-: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 14:08 < nebula-> !topology 14:08 < vpnHelper> nebula-: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:08 < nebula-> !/30 14:08 < vpnHelper> nebula-: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 14:09 < nebula-> !howto 14:09 < vpnHelper> nebula-: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:16 < nebula-> nevermind.. 
i think it's because im running VMWare and the VM interface isn't going into promiscuous mode 14:16 < nebula-> thanks for listening :) 14:19 -!- nebula- [n=nebula@s0up.digitalkharma.org] has quit ["leaving"] 14:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 14:32 -!- ponyofdeath [n=vladi@cpe-75-80-161-192.san.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 14:33 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)] 14:34 -!- Alfio [n=amunoz@75.112.88.200.m.sta.codetel.net.do] has left ##openvpn ["Leaving"] 14:37 < reiffert> krzie: are you there/ 14:38 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn 14:42 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:59 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has joined ##openvpn 15:00 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)] 15:04 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:10 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 15:16 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 113 (No route to host)] 15:17 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn 15:17 < krzie> sup bro 15:42 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]"] 15:47 -!- Micxs [n=Micxs@p548AD7E9.dip.t-dialin.net] has quit ["Ciao"] 15:49 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 15:49 -!- davie [n=davie@unaffiliated/davie] has joined ##openvpn 15:51 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)] 16:20 -!- 
epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 16:36 -!- bandini [n=bandini@host161-110-dynamic.44-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:38 -!- Kreg-Work_ [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 16:39 -!- Kreg-Work_ is now known as kreg 16:54 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has joined ##openvpn 16:55 -!- troy- is now known as troy 16:55 < IcyPolecat> hiya trying to setup openvpn from a router which is bridged across another lan but am getting a lot of MULTI: bad source address from client errors. I have the client-config-dir setup but am not sure if that's all I need to do - can anyone assist? 16:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:00 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit ["Leaving"] 17:05 < krzie> you're using tun, right? 17:05 < krzie> actually i think you have to be using tun to get that error... 17:05 < krzie> you need to give the other lan behind the client an iroute in a ccd entry 17:08 -!- sbbackk [n=sbbackk@rocarsystem.com] has quit [Read error: 113 (No route to host)] 17:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 17:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit] 17:11 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 17:11 < IcyPolecat> krzie: actually the client is behind the other lan 17:11 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 17:11 < krzie> this is the lan behind the server? 17:12 < IcyPolecat> so 10.0.0.0 is my lan 17:12 < krzie> this is a lan bridged into the lan behind the client, right? 
17:12 < IcyPolecat> 192.168.1.0 is the lan I tunnel across to get to the internet gateway 17:12 < IcyPolecat> basically I'm (permitted to be) piggybacked on a Wifi Network 17:13 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 17:13 < IcyPolecat> I run my lan on a separate subnet 17:13 < krzie> this is a lan bridged into the lan behind the client, right? 17:13 < IcyPolecat> krzie: nope 17:13 < IcyPolecat> the client (in this case my router) has an IP on both my lan and the internet enabled lan and is bridging the two 17:13 < krzie> gimme the exact error you get 17:14 < IcyPolecat> Mon Jul 20 22:10:48 2009 client/212.9.28.217:2053 MULTI: bad source address from client [10.0.0.30], packet dropped 17:14 < krzie> iroute the 10.0.0.30 lan for that client 17:15 < IcyPolecat> ok hang on will check the iroutes 17:15 < IcyPolecat> krzie: do I iroute it in the CCD file or the server.conf? 17:15 < krzie> ccd 17:15 < krzie> !iroute 17:15 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 17:16 < krzie> so its like iroute 10.0.0.0 255.255.255.0 17:16 < IcyPolecat> krzie: ok - not what it says in the HowTo 17:17 < krzie> try it and tell me how it works for you... 17:17 < IcyPolecat> krzie: of course! 17:17 < IcyPolecat> although I think I may have a secondary issue - brb 17:20 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)] 17:20 < IcyPolecat> Right - still getting bad source address messages and have now seen an error in the startup : http://pastebin.com/d1682f523 17:21 < IcyPolecat> krzie: re the iroute - should I remove the iroute 192.168.4.0 255.255.255.0 that I had in there previously? 
17:21 < krzie> are you sharing the lan 192.168.4.0 which is behind that client with the vpn
17:22 < IcyPolecat> krzie: nope the lan 192.168.4.0 is a separate subnet again for VPN traffic
17:22 < krzie> so server config says server 192.168.4.0 255.255.255.0
17:22 < krzie> ?
17:23 < IcyPolecat> yup
17:23 < krzie> definitely do NOT put that in a ccd entry
17:24 < krzie> thats for sure a problem
17:24 < IcyPolecat> oh ok
17:24 < krzie> read this well:
17:24 < krzie> !iroute
17:24 < vpnHelper> krzie: "iroute" is: does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
17:24 < IcyPolecat> makes sense but as I said - that's not what's in the howto!
17:24 < krzie> its in: !route
17:24 < krzie> !route
17:24 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:24 < krzie> and tell me whats in the howto
17:25 < krzie> cause i learned from the howto, manual, tiny bit of source
17:25 < krzie> and they all agree
17:25 -!- moocow [n=new@mail.fredcanhelp.com] has joined ##openvpn
17:28 < IcyPolecat> krzie: ah ... I may have just seen my mistake - you are absolutely right
17:28 < krzie> =]
17:29 < IcyPolecat> right - two ticks whilst I reconfigure the server ... brb
17:31 -!- c64zottel [n=hans@p5B179A0A.dip0.t-ipconnect.de] has joined ##openvpn
17:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:34 -!- holycow [n=new@69.67.174.130] has quit [Read error: 104 (Connection reset by peer)]
17:36 -!- holycow [n=new@69.67.174.130] has joined ##openvpn
17:40 < IcyPolecat> hmm - now the client on the router is failing to run at all
17:40 < krzie> !configs
17:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:44 -!- c64zottel [n=hans@p5B179A0A.dip0.t-ipconnect.de] has quit ["Leaving."]
17:47 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
17:48 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:48 -!- bret [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
17:51 -!- moocow [n=new@mail.fredcanhelp.com] has quit [Connection timed out]
18:11 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:26 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:27 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
18:27 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:30 < Dougy> hmm
18:30 < Dougy> how do i tell my bosses i want them to buy me a blackberry, lol
18:31 < krzie> "buy me a fucking blackberry"
18:31 < Dougy> i wishi
18:31 < Dougy> wish
18:38 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
18:39 * Dougy approves forum posts
18:40 < Gorkhaan> :D
18:40 < Dougy> krzie
18:40 < Dougy> what a n00b
18:40 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=5&t=404&sid=1d29a8080594ae45ff74de79cdc9d635
18:40 < vpnHelper> Title: OpenVPN Forum View topic - OpenSolaris prob (at www.ovpnforum.com)
18:43 < krzie> does opensol even have tuntap drivers?
18:43 < Dougy> hell if i know
18:45 < krzie> i guess i can check later if i get time
18:45 < Dougy> do you care?
18:45 < Dougy> lol
18:45 -!- bret [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
18:56 < krzie> well i guess not overly
18:56 < krzie> but i happen to have opensolaris
18:57 < krzie> so its not a biggie
18:57 < Dougy> ah
18:57 < Dougy> fair nuff
18:57 < krzie> did you bet that st pierre fight like i told you?
18:57 < Dougy> no sir
18:57 < Dougy> didnt even watch
18:57 < krzie> if so, congratulations on your victory
18:57 < krzie> oh
18:57 < krzie> well you can still get down on the aug 1st fight, another free money fight
18:58 < krzie> affliction 3
18:58 < krzie> Fedor vs Josh Barnett
18:58 < krzie> Fedor will fucking destroy barnett
18:58 < Dougy> lol
18:58 * Dougy doesnt know who those people are
18:58 < krzie> you dont need to
18:58 < krzie> i do
18:58 < Dougy> lmao
18:59 -!- Kacie [n=anwoke82@65.100.249.52] has joined ##openvpn
18:59 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
19:00 -!- Kacie [n=anwoke82@65.100.249.52] has quit [Client Quit]
19:00 -!- Kacie [n=anwoke82@65.100.249.52] has joined ##openvpn
19:01 -!- Ypsy is now known as YpsyZNC
19:10 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out]
19:17 -!- anwoke8204 [n=anwoke82@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
19:22 -!- prxtien [n=pro@teamaustralia.net.au] has quit [Read error: 110 (Connection timed out)]
19:25 -!- Kacie [n=anwoke82@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
19:33 -!- kyrix [n=ashley@80-121-64-202.adsl.highway.telekom.at] has joined ##openvpn
19:48 -!- kyrix [n=ashley@80-121-64-202.adsl.highway.telekom.at] has quit ["Leaving"]
20:10 -!- agnel [n=user@c-76-102-15-136.hsd1.ca.comcast.net] has joined ##openvpn
20:12 < agnel> Hi, I have set up a VPN between 2 clients and 1 server. I would like to have the subnet on one of the clients accessible to the other. Is this possible?
20:12 < krzie> !route
20:12 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:13 < agnel> cool thanks, will look it up
20:14 < krzie> np
20:14 < krzie> that example assumed you want to connect all 3 lans
20:14 < krzie> (server and 2 clients)
20:14 < krzie> but you can ignore what doesnt apply
20:14 < krzie> (iroute DOES apply)
20:16 < agnel> ah ok
20:16 < agnel> by the way, I think openvpn rocks :) I used to set up routing and forwarding manually, but if this thing can automate it for me, then i have no words
20:16 < krzie> =]
20:16 < krzie> i agree
20:39 < ecrist> evening fuckers
20:41 < krzie> wassup man
20:41 < krzie> hey do you bet on fights eric?
20:41 < krzie> if so, i have a sure thing for ya
20:41 < ecrist> nope, not a betting man
20:41 < krzie> werd
20:44 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn
20:49 -!- agnel [n=user@c-76-102-15-136.hsd1.ca.comcast.net] has quit [Remote closed the connection]
20:50 -!- agnel [n=user@c-76-102-15-136.hsd1.ca.comcast.net] has joined ##openvpn
21:06 -!- master_of_master [i=master_o@p549D3D2D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:07 < agnel> can anyone tell me the difference between routing and ip forwarding?
21:07 < Dougy> im sure vpnhelper has something
21:07 < Dougy> ask krzie
21:08 < ecrist> agnel: they are the same thing
21:08 < agnel> uhm, then why does /proc/sys/net/ipforward have to be 1, .. routing works even otherwise, what's the difference?
21:08 < ecrist> ip forwarding generally refers to a sysctl on a linux or BSD operating system, which enables the passing of IP packets between interfaces. By default, the kernel blocks such transmission.
21:09 < ecrist> routing refers to passage of a packet destined for an interface for which the given system does not have a direct connection.
21:10 < ecrist> ip forwarding comes into play when building a router since the kernel will drop packets it receives, for which it does not have a direct connection.
21:11 < agnel> so ip forwarding is routing but routing is not always ip forwarding, right?
21:11 < ecrist> well...
21:11 -!- master_of_master [i=master_o@p549D3DBC.dip.t-dialin.net] has joined ##openvpn
21:11 < ecrist> routing is another way of saying ip forwarding.
21:11 < ecrist> ip forwarding, as a phrase, usually is talking specifically about the sysctl I mentioned above.
21:12 < ecrist> simply enabling ipforwarding on a host will not turn it into a router though.
21:13 < agnel> I see. so all routers should have forwarding if their destinations are on another interface, .. right?
21:14 < agnel> makes sense. thanks.. :)
21:14 < ecrist> yep
21:14 < ecrist> if it's all on one interface, no need for ip forwarding.
21:14 < ecrist> another approach would be to bridge interfaces
21:15 < ecrist> the idea, in part, is to make things like vlans and such more secure on a *nix router
21:16 < agnel> ah I see
21:17 < ecrist> otherwise, if you had an office, and a unix system as the router, with two subnets, and ipforwarding was enabled by default, I could talk between the networks by simply setting a static route on my local machine.
21:18 < agnel> one more question, does SNATing using iptables also translate it back when the packet is transmitted back?
21:18 < ecrist> or doing some simple spoofing.
21:18 < ecrist> i believe so
21:19 < agnel> because unfortunately I don't have access to the router of my subnet (that I'm trying to connect using openvpn), so I'm wondering if it's enough if I SNAT on the machine which is a part of the subnet and the vpn (after setting up routing rules and stuff of course)
21:21 < agnel> so I can turn this machine that is a part of the VPN into a little VPN-LAN router by SNATing.. would that work?
21:21 < ecrist> should be able to
21:22 < agnel> cool :
21:26 < agnel> yep worked, nice. thanks guys
21:34 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:38 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Leaving"]
21:39 -!- FLeiXiuS [n=FLeiXiuS@64.206.83.177] has quit [Remote closed the connection]
21:46 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
22:13 -!- agnel [n=user@c-76-102-15-136.hsd1.ca.comcast.net] has left ##openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
22:45 -!- texel [n=texel@c-76-121-187-249.hsd1.wa.comcast.net] has joined ##openvpn
22:47 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:48 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
22:48 < ecrist> ah, the great state of Utah.
22:54 -!- neb_ [n=nebula@s0up.digitalkharma.org] has joined ##openvpn
22:54 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
22:54 < neb_> anyone have issues with an openvpn client disconnecting every 60 minutes
22:54 < ecrist> nope
22:54 < ecrist> well, not I.
22:55 < ecrist> I have a VPN client that's been online for months straight.
22:55 -!- superloader [i=1856a0fc@gateway/web/freenode/x-3b2012e5c9c468d2] has joined ##openvpn
22:55 < superloader> Hi.
22:55 < superloader> I am trying to download OpenVPN client from web site but when I click on DOWNLOAD it gives me access server and no more client.
22:56 < superloader> Is client gone?
22:56 < ecrist> no, let me get you the link
22:56 < ecrist> !download
22:56 < vpnHelper> ecrist: "download" is www.openvpn.net/download to download openvpn
22:56 < superloader> Do I need to set up access server now to access vpn at work?
22:56 < ecrist> hang on
22:56 < ecrist> http://openvpn.net/index.php/open-source/downloads.html
22:56 < vpnHelper> Title: Downloads (at openvpn.net)
22:56 < superloader> That link has what I need thank you.
22:56 < ecrist> !learn download as http://openvpn.net/index.php/open-source/downloads.html
22:56 < vpnHelper> ecrist: Joo got it.
22:56 < superloader> Web site confusing. It didn't use to be like this.
22:57 < ecrist> superloader: you're right. their new site sucks balls.
22:57 < superloader> What kind of balls?
22:57 < superloader> Oh. Do you mean it sucks?
22:57 < ecrist> yes
22:57 < ecrist> lol
22:57 < superloader> Ha ha. I think you mean testicles.
22:58 < superloader> Cryptic humor is the funniest!
22:58 < neb_> "Mon Jul 20 20:46:28 2009 TLS: tls_process: killed expiring key" <-- look familiar at all?
22:58 -!- ChanServ changed the topic of ##openvpn to: OpenVPN 2.1rc19 released 2007-07-16 || Check your firewall || We need !logs and !configs and maybe !interface || See !howto for beginners || See !route for lans behind openvpn || !redirect for sending inet traffic through server || Also interesting: !man !/30 !topology !iporder || http://live.lmgtfy.com/ | We know, the new site sucks.
22:59 < superloader> So thank you for finding link for me. I think the DOWNLOAD button on web site should have link for download client because other people may get lost like me too.
22:59 < superloader> Thank you thank you thank you for your help!
22:59 < rawDawg> fix the date of the newest rls in the topic
22:59 < superloader> Your help so fast. This is very nice.
22:59 < superloader> Bye.
23:00 -!- superloader is now known as superloader-slee
23:01 < superloader-slee> 2.1_rc19 works excellent by-the-way and download successful.
23:01 < superloader-slee> Good night.
23:01 -!- ChanServ changed the topic of ##openvpn to: OpenVPN 2.1rc19 Released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder || We know, the new site sucks. (We agree.)
23:01 -!- superloader-slee [i=1856a0fc@gateway/web/freenode/x-3b2012e5c9c468d2] has left ##openvpn []
23:01 < ecrist> he got lucky
23:02 < ecrist> we're not usually so fast. :)
23:02 < rawDawg> or just take it out :)
23:02 < ecrist> lol
23:02 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
23:02 -!- neb_ [n=nebula@s0up.digitalkharma.org] has quit ["leaving"]
23:02 < ecrist> live.lmgtfy.com, someone searched for PEBKAC
23:03 < ecrist> rawDawg: lots of folks come in here and ask, what's the latest version
23:03 < rawDawg> i know
23:03 < rawDawg> i was just saying that the date was off by 2 years in the previous topic
23:03 < ecrist> oh, you mean the date
23:04 < ecrist> google: how to not be a douchebag
23:04 < ecrist> lol
23:07 < rawDawg> how can i config a client to always keep trying to reconnect if the lan connection goes down, so when it comes back up it will reconnect?
23:08 < ecrist> resolv-retry infinite
23:08 < ecrist> check spelling
23:08 < rawDawg> thats all i need?
23:08 < ecrist> to one-up that, you can put openvpn into a wrapper script which loops on the openvpn startup
23:08 < ecrist> yep
23:09 < rawDawg> ty
23:09 < ecrist> np
23:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:37 -!- texel [n=texel@c-76-121-187-249.hsd1.wa.comcast.net] has quit [Read error: 113 (No route to host)]
23:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
23:53 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
23:53 -!- rawDawg2 is now known as rawDawg
--- Day changed Tue Jul 21 2009
00:32 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)]
01:07 -!- kaushal [n=kaushal@125.18.21.18] has joined ##openvpn
01:07 < kaushal> dazo: hi
01:09 < kaushal> I have set up a highly available openvpn setup. the setup works fine with tunnel, but not with client server configuration
01:09 < kaushal> when i do a failover, the session is not maintained on the client side.
01:09 < kaushal> it gets disconnected
01:10 < kaushal> any ideas as to what is going wrong >
01:10 < kaushal> ?*
01:28 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
01:45 -!- anwoke8204 [n=anwoke82@65.100.249.52] has joined ##openvpn
01:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
01:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
01:59 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
01:59 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
02:05 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
02:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
02:14 < kaushal> checking in again for my query
02:26 < dazo> kaushal: that sounds pretty normal .... because of how the encryption layer works
02:26 < dazo> kaushal: the client and server, after it is authenticated, exchange a temporary encryption key
02:27 < kaushal> ok
02:27 < dazo> kaushal: this temporary encryption key changes during a session (configured by the reneg-* options)
02:28 < dazo> kaushal: and unless openvpn gets a native failover mechanism, there is no way that this temporary key will be transferred over to the slave in such a failover setup
02:28 < kaushal> so there is no workaround for this setup
02:29 < dazo> kaushal: no, not now .... the client will need to reestablish the connection with the new server when a failover happens
02:29 < kaushal> ok
02:33 < kaushal> when i do a failover, the session is not maintained on the client side, it gets disconnected
02:33 < kaushal> sorry
02:35 -!- lolipop [n=soontak@219.95.197.122] has joined ##openvpn
02:39 < dazo> kaushal: can you please pastebin the client log? (verb 4)
02:40 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
02:40 < kaushal> dazo: can i pvt message you ?
02:40 < kaushal> since i do not want to get exposed >
02:40 < kaushal> ?*
02:41 < dazo> kaushal: sure, but longer postings are still making irc slow
02:41 < kaushal> ah sure
02:41 < kaushal> will do it now
02:42 * dazo needs to restart session .... back in a few minutes
02:42 -!- dazo [n=dazo@nat/redhat/x-e22aadae28953346] has quit ["Leaving"]
02:42 -!- vaq [n=c99@83.136.90.2] has joined ##openvpn
02:43 < vaq> Is it possible to have the TAP driver at 100mbit instead of 10mbit ?
02:43 < vaq> (Windows client)
02:45 -!- dazo [n=dazo@nat/redhat/x-63d29adcfa8e615f] has joined ##openvpn
02:46 * dazo is back
02:58 -!- Trevelyan [n=trevelya@unaffiliated/trevelyan] has joined ##openvpn
02:59 < Trevelyan> is it possible to have a vpn server listen on tcp and udp? or do i have to run two instances, which would mean adding another subnet.
03:15 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 110 (Connection timed out)]
03:17 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
03:19 -!- kyrix [n=ashley@80-121-55-50.adsl.highway.telekom.at] has joined ##openvpn
03:19 < kaushal> dazo: hi again
03:20 < kaushal> which is the stable release openvpn client for windows Vista ?
03:20 < dazo> kaushal: hi'ya
03:21 < dazo> Trevelyan: you need to run two different instances, not sure if you really need two different subnets though, you just need to assign a different IP address for the openvpn server in the same subnet
03:21 < dazo> kaushal: I've not seen anything from you yet .... :(
03:21 < kaushal> dazo: please give me a moment
03:22 < kaushal> I will definitely give you all the inputs for your query
03:22 < kaushal> dazo: which is the stable release openvpn client for windows Vista ?
03:22 < dazo> kaushal: 2.1_rc19
03:22 < kaushal> ok
03:23 < kaushal> dazo: is it http://openvpn.net/release/openvpn-2.1_rc19-install.exe ?
03:23 < dazo> kaushal: yup!
03:24 < kaushal> for windows vista
03:25 < vaq> Is it possible to have the TAP driver at 100mbit instead of 10mbit ?
03:25 < vaq> (Windows client)
03:27 < Trevelyan> dazo thanks
03:28 < dazo> vaq: You'd either have to look at 1) interface configuration (via DeviceManager), 2) registry, 3) the source code .... I've not heard about anyone tweaking this .... you may also ask on the openvpn-users mailing list as well
03:29 -!- celsiux [n=Nullesd@174.36.119.228-static.reverse.softlayer.com] has quit [Remote closed the connection]
03:33 -!- Ashetic [n=Ashetic@89.119.206.193] has joined ##openvpn
03:34 < Ashetic> hello
03:34 < Ashetic> i have a simple ptp setup with a static key
03:34 < vaq> dazo: So the default TUN driver is in fact 10mbit?
03:35 < dazo> vaq: afaik, yes, I believe so
03:35 < Ashetic> one end of the tunnel, (client) is behind a router that i cannot touch, so i cannot forward ports. Does the client need the udp port to be forwarded too?
03:35 < dazo> vaq: most users use openvpn over xDSL connections .... and until recently, speeds over 10MB were not that common
03:36 < dazo> Ashetic: no, as long as you can connect to a server port outside, that's all you need .... no local router changes for initiating connection
03:36 < Ashetic> ok... i have a problem :D
03:36 < Ashetic> i can ping only one end of the tunnel
03:37 < Ashetic> uhm.. i cannot ping, actually... but i can fetch webpages from one end of the tunnel
03:48 < Ashetic> got it... as the documentation states... it was the firewall! :D
03:49 -!- kaushal [n=kaushal@125.18.21.18] has quit ["leaving"]
03:50 -!- Trevelyan [n=trevelya@unaffiliated/trevelyan] has quit [Remote closed the connection]
04:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:20 < vaq> dazo: http://osdir.com/ml/colinux.devel/2005-12/msg00009.html
04:20 < vpnHelper> Title: TAP-Win32 update version 8.3: msg#00009 (at osdir.com)
04:20 < vaq> dazo: I might be saved :)
04:23 < vaq> Oh damnit, none of those links works :(
04:23 < dazo> vaq: have you tried the 2.1_rc19 version? .... From changelog: "Updated TAP driver version number to 9.6." .... the mail you referenced talks about TAP-Win32 v8.3
04:23 < dazo> vaq: and it is from 2005
04:23 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
04:24 < vaq> oh
04:24 < mlaci> hi guys! i'm trying to install openvpn on a winxp laptop. the installation procedure says: "An error occurred installing the TAP device driver." could anyone shed some light on this issue?
04:25 < dazo> mlaci: do you have admin rights?
04:25 < dazo> mlaci: and which version are you installing?
04:26 < mlaci> dazo, i'm installing the latest rc version
04:26 < mlaci> dazo, i'm not sure i have admin rights (i'm not a windows guru :) how can i check that?
04:26 < dazo> mlaci: 2.1_rc19 I presume? .... I'd browse the mailing list ....
04:27 < dazo> mlaci: you can right click on the installation icon and select "Run as..." ... and then authenticate as administrator
04:27 < mlaci> dazo, i haven't found any related messages while googling
04:27 < dazo> then you're sure
04:28 < mlaci> dazo, thanks, i'll try running the installer this way
04:33 < dazo> vaq: I've looked into the tap-win32 driver which is included in the openvpn source code .... it seems like it's hard coded to be 100MBit in the AdapterQuery function .... but the DHCP response seems to say 10Mbit ....
04:33 < dazo> case OID_GEN_LINK_SPEED:
04:33 < dazo> l_Query.m_Long = 100000; // rate / 100 bps
04:33 < dazo> break;
04:34 < dazo> (from tapdrv.c)
04:34 < dazo> and in dhcp.c: p->dhcp.htype = 1; .... from dhcp.h: UCHAR htype; /* hardware address type (e.g. '1' = 10Mb Ethernet) */
04:35 < dazo> vaq: I'd say this is worth a question on the mailing list .... I'm guessing that what's in tapdrv.c is the important stuff
04:36 < dazo> vaq: because the terminology used in dhcp.h .... seems to be a little bit far-fetched from what it should be .... but I might be wrong, I'm not a Windows developer .... I'm Linux focused
04:39 < dazo> vaq: this code review is done against 2.1_rc19
04:46 < mlaci> here is the tap driver installation solution: http://openvpn.net/archive/openvpn-users/2004-09/msg00440.html
04:46 < vpnHelper> Title: Re: [Openvpn-users] tapinstall.exe failed on clean XP Home. (Fixed) (at openvpn.net)
04:46 < mlaci> it is amazingly nonintuitive
04:59 < dazo> mlaci: and this message is from 2004!!!
04:59 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
04:59 < dazo> mlaci: you're looking up way too old information
05:00 < dazo> mlaci: join the openvpn-users mailing list and send a request there if you can't find it .... there are a lot of windows users there ... you'll have an answer by tomorrow most probably
05:09 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:40 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
05:43 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
05:43 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
06:04 -!- lolipop [n=soontak@219.95.197.122] has quit [Remote closed the connection]
06:34 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
07:05 -!- zheng [n=zheng@210.73.203.83] has quit [Remote closed the connection]
07:17 -!- Ashetic [n=Ashetic@89.119.206.193] has quit ["Leaving"]
07:38 -!- c64zottel [n=hans@p5B17A6AB.dip0.t-ipconnect.de] has joined ##openvpn
07:44 -!- YpsyZNC is now known as Ypsy
08:03 < Qantouri1c> Anyone know what the purpose is of a quad nic ?
08:06 < vaq> It is to have four network cards in a server?
08:06 < Qantouri1c> yes :)
08:06 < Qantouri1c> but what's the purpose of that :D
08:07 < vaq> To have your server connected to four different networks?
08:07 < Qantouri1c> yea
08:07 < Qantouri1c> ok :)
08:07 < Qantouri1c> hmm
08:07 < Qantouri1c> i find it a tad too expensive though ...
08:07 < Qantouri1c> 200€ :)
08:09 < vaq> high-end server hardware ain't cheap ;)
08:09 -!- kyrix [n=ashley@80-121-55-50.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
08:12 -!- kyrix [n=ashley@80-121-26-140.adsl.highway.telekom.at] has joined ##openvpn
08:17 < Qantouri1c> vaq: seriously, what's high end about sticking 4 nics on 1 plate ? :D
08:17 < Qantouri1c> of course the nics ARE high end in reality :D
08:25 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:42 -!- kyrix [n=ashley@80-121-26-140.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
08:42 -!- kyrix [n=ashley@80-121-49-146.adsl.highway.telekom.at] has joined ##openvpn
08:43 < ecrist> Qantouri1c: we use such NICs where I work.
08:43 < ecrist> we use them in firewalls
08:56 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
08:56 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
08:58 < dazo> Qantouri1c: I have a box which has one on-board NIC and 2 dual port NICs, with a total of 5 NICs ... it's very convenient if you're setting up a firewall and want to do physical network segmentation ... you have internet connection, DMZ, internal net, wireless .... and voila! you'll need 4 NICs
09:02 < Qantouri1c> hmmm good point ! :)
09:06 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
09:08 < dazo> another use .... to bond network devices together .... f.ex. 4 x 1GB links ....
09:09 < dazo> if bandwidth is an issue, of course
09:12 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has joined ##openvpn
09:20 < rawDawg> !configs
09:20 < vpnHelper> rawDawg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:28 -!- C4colo [n=DJpyro@66.185.111.33] has left ##openvpn ["brb"]
09:33 < Qantouri1c> dazo: bandwidth is ALWAYS an issue ... when you are copying big files :)
09:34 < dazo> Qantouri1c: then I want your Internet connection .... NOW! :-P
09:35 < Qantouri1c> you don't
09:35 < Qantouri1c> cause it sucks
09:35 < Qantouri1c> and i meant over the network :D
09:35 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
09:35 < Qantouri1c> hmmmz
09:35 < Qantouri1c> quad is expensive :/
09:37 < Qantouri1c> o well lets see :D
09:47 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Leaving"]
09:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
09:52 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 110 (Connection timed out)]
10:08 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:15 -!- j [n=j@91.192.120.55] has joined ##openvpn
10:30 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:33 -!- j [n=j@91.192.120.55] has quit [Read error: 60 (Operation timed out)]
11:13 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
11:27 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:00 -!- Ypsy is now known as YpsyZNC
12:01 -!- YpsyZNC is now known as Ypsy
12:11 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
12:12 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: nemysis, kala
12:14 -!- Netsplit over, joins: kala
12:23 -!- kyrix [n=ashley@80-121-49-146.adsl.highway.telekom.at] has quit [Remote closed the connection]
12:29 -!- sbbackk [n=sbbackk@host-200-93-194-213.manta.telconet.net] has joined ##openvpn
12:37 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tarbo2_, master_of_master, fkr, Ypsy
12:38 -!- Netsplit over, joins: master_of_master, tarbo2_, Ypsy, fkr
12:41 -!- moocow [n=new@69.67.174.130] has joined ##openvpn
12:41 -!- carpe_ is now known as plaerzen
12:41 < plaerzen> hello
12:41 -!- holycow [n=new@69.67.174.130] has quit [Remote closed the connection]
12:47 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: mlaci, Gorkhaan, onats1, rawDawg
12:47 -!- Netsplit over, joins: rawDawg
12:49 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:49 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn
12:49 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
12:55 -!- plndra [i=404@article.se] has joined ##openvpn
12:55 -!- plundra [i=404@article.se] has quit [Read error: 104 (Connection reset by peer)]
13:00 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Pagautas, dazo
13:03 -!- Netsplit over, joins: dazo, Pagautas
13:21 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tarbo2_, master_of_master, fkr, Ypsy
13:21 -!- Netsplit over, joins: master_of_master
13:22 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
13:32 -!- moocow [n=new@69.67.174.130] has left ##openvpn ["Konversation terminated!"]
13:34 -!- Ypsy [n=ypsy@geekpadawan.de] has joined ##openvpn
13:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
13:35 -!- Ypsy is now known as YpsyZNC
13:35 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [No route to host]
13:36 -!- YpsyZNC is now known as Ypsy
13:38 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
13:55 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:00 < ecrist> wow, Douglas, you've been approving posts. :)
14:16 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:22 -!- troy [n=troy@worldnet.tauri.ca] has quit [Nick collision from services.]
14:23 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
14:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:34 < MadTBone> anyone here an nsis expert?
14:35 < ecrist> NSIS?
14:36 < MadTBone> Nullsoft Scriptable Install System -- see http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html
14:36 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
14:37 < MadTBone> ecrist: I'm trying to roll my own using nsis 2.45 (not 2.05 as used in the link above)
14:38 < ecrist> oh, sorry, I'm not familiar
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:38 < ecrist> I've been blessed with not having to admin windows too heavily for many years
14:39 < MadTBone> well, I'm trying to get into the same situation.... I need to generate custom windows installers so I don't have to do as much hand-holding...
14:40 < ecrist> oh, give them all macs.
14:40 < ecrist> :P
14:40 < MadTBone> Ha! I wish!
14:41 < MadTBone> I figured it would be fairly straightforward to script cert/key generation, config file, wrap it all up with nsis, and email them a link to the finished .exe
14:44 < MadTBone> I have an h.323 client that needs a vpn... so I thought I'd wrap it into the nsis script to install both openvpn and the h.323 in one go
14:46 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
14:58 < krzie> why not batch script it
14:59 < thedoc> and throw in 2 spoonfuls of cuddles
14:59 < thedoc> :)
14:59 < thedoc> o/
14:59 < ecrist> thedoc: my NFS share is fixed, btw
14:59 < thedoc> ecrist, Awesome :)
14:59 < ecrist> I was off. Only 131GB
14:59 < thedoc> I'm in the uk at the moment and I'm not going to be able to grab anything yet.
14:59 < thedoc> Wifi is expensive here
14:59 < ecrist> ah
14:59 * ecrist goes home.
15:00 < thedoc> I'll be back home in about 8 days or so.
15:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:17 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has joined ##openvpn
15:17 < Cardoe> Having an issue with a site to site VPN setup.
15:17 -!- Ypsy is now known as YpsyZNC
15:18 < Cardoe> I've got a network that's running OpenVPN and then 2 remote routers which are able to have all their clients connect to the original network
15:18 < Cardoe> a 3rd remote router is set up, however only it can connect while the clients behind it can't
15:19 < Cardoe> The issue I believe is that the 3rd router is not getting its tun0 point-to-point link set up correctly
15:19 < Cardoe> the others are using the ifconfig-push 10.220.0.x 10.220.0.x+1 IPs on their tun0 adapters just fine
15:19 < Cardoe> but the 3rd machine isn't
15:19 < Cardoe> the 3rd machine is using OpenVPN 2.1 while the others have a matching version of OpenVPN 2.0
15:20 < Cardoe> I'm wondering if there are some configuration directives that I'd need explicitly for OpenVPN 2.1
15:22 -!- plndra is now known as plundra
15:24 < krzie> instead of ifconfig-push 10.220.0.x 10.220.0.x+1
15:24 < krzie> ifconfig-push 10.220.0.x 255.255.255.0
15:24 < krzie> aka
15:24 < krzie> !static
15:24 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
15:28 < Cardoe> krzie: The other two are using 10.220.0.x 10.220.0.x+1 since it's tun ptp
15:29 < Cardoe> which makes me think using a /24 isn't necessarily correct there
15:29 < Cardoe> since it would no longer be a point to point
15:32 < krzie> it's ptp, not server?
15:40 -!- c64zottel [n=hans@p5B17A6AB.dip0.t-ipconnect.de] has left ##openvpn []
15:53 -!- anwoke8204 [n=anwoke82@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
15:54 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.11/2009060215]"]
16:22 < Cardoe> krzie: well it's routing 2 subnets to each other
16:27 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:30 < krzie> are you trying to say it's server as opposed to ptp?
16:30 < krzie> ok check this out
16:30 < krzie> !configs
16:30 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn, or (#2) don't forget to include any ccd entries
16:37 -!- sbbackk [n=sbbackk@host-200-93-194-213.manta.telconet.net] has quit [Read error: 113 (No route to host)]
16:54 < Cardoe> krzie: I figured it out. The guy that made the x509 cert fat-fingered the hostname of the machine so the CN didn't match the hostname
16:54 < Cardoe> krzie: I appreciate your help
17:18 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:23 < krzie> np
17:23 < krzie> now that you mentioned certs, you are NOT using ptp
17:23 < krzie> ptp is 2 endpoints with no option for more
17:24 < krzie> you're using client/server
17:24 < krzie> but that doesn't matter, your vpn is fine =]
18:09 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Remote closed the connection]
18:13 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has quit []
18:14 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
18:14 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
18:22 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:26 -!- davie is now known as DAVIE
18:28 -!- DAVIE is now known as davie
18:29 -!- davie [n=davie@unaffiliated/davie] has left ##openvpn []
18:36 -!- Cardoe [n=Cardoe@76.73.170.250] has joined ##openvpn
19:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Leaving"]
19:23 -!- Luria [n=notauser@cpe-74-66-17-216.nyc.res.rr.com] has joined ##openvpn
19:27 -!- jdchrist [n=davidc@adsl-99-18-155-202.dsl.emhril.sbcglobal.net] has quit [Read error: 113 (No route to host)]
19:42 -!- Douglas [i=doug@64.18.144.2] has quit [Remote closed the connection]
20:26 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
20:30 -!- jeiworth [n=jeiworth@189.163.150.110] has joined ##openvpn
21:04 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D3DBC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:11 -!- master_of_master [i=master_o@p549D3A81.dip.t-dialin.net] has joined ##openvpn
21:55 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
21:55 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
21:58 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
22:04 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:31 < rawDawg> !faq
22:31 < vpnHelper> rawDawg: "faq" is (#1) http://openvpn.net/index.php/documentation/faq.html, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ
22:38 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
22:40 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
22:40 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
22:41 -!- monkulus [n=notauser@cpe-74-66-19-101.nyc.res.rr.com] has joined ##openvpn
22:46 -!- jdchrist [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Client Quit]
22:52 -!- gnr [n=gnr@203.82.91.101] has joined ##openvpn
22:56 -!- Luria [n=notauser@cpe-74-66-17-216.nyc.res.rr.com] has quit [Read error: 110 (Connection timed out)]
23:02 < gnr> anybody with pkcs11 experience?
23:20 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has quit []
23:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
23:58 -!- gnr [n=gnr@203.82.91.101] has quit [Read error: 104 (Connection reset by peer)]
23:59 -!- gnr [n=gnr@203.82.91.101] has joined ##openvpn
--- Day changed Wed Jul 22 2009
00:02 -!- phusion_ [n=phusion@S0106001562457756.gv.shawcable.net] has joined ##openvpn
00:02 < phusion_> !howto
00:02 < vpnHelper> phusion_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
00:03 -!- monkulus [n=notauser@cpe-74-66-19-101.nyc.res.rr.com] has quit [Connection timed out]
00:06 < phusion_> hi guys. Currently I have a vpn service I'm paying for and my goal is essentially to put a website behind it. My goal was basically to just have another network adapter on my nix box and just bind the httpd to it, but this doesn't work like that. What's the next best option? I don't want to route all of my server's traffic through this vpn
00:09 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
00:09 < phusion_> !redirect
00:09 < vpnHelper> phusion_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:10 < phusion_> :\
00:10 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
00:17 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
00:41 < gnr> !pkcs11
00:41 < vpnHelper> gnr: Error: "pkcs11" is not a valid command.
00:42 < gnr> !show-pkcs11-ids
00:42 < vpnHelper> gnr: Error: "show-pkcs11-ids" is not a valid command.
01:49 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
02:02 -!- gnr [n=gnr@203.82.91.101] has quit [Read error: 110 (Connection timed out)]
02:03 -!- gnr [n=gnr@203.82.91.102] has joined ##openvpn
02:03 -!- gnr [n=gnr@203.82.91.102] has quit [SendQ exceeded]
03:01 -!- gnr [n=gnr@203.82.79.102] has joined ##openvpn
03:07 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:13 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:25 -!- phusion_ [n=phusion@S0106001562457756.gv.shawcable.net] has quit ["Leaving"]
03:55 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:07 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
04:11 < dazo> !factoids search *pkcs11*
04:11 < vpnHelper> dazo: No keys matched that query.
04:12 < dazo> gnr: no pkcs11 stuff in our bot :(
04:12 < gnr> :)
04:14 < gnr> never mind, I changed from pkcs11 to msoft crypto api
04:16 < gnr> pkcs11 with so-called "standard" smart cards was just bitchy... the manufacturer didn't comply with actual pkcs11
04:20 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
04:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:15 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:18 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:49 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has joined ##openvpn
05:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:27 < gnr> can I push an executable file and then execute it (on the client's machine) once the client has connected to the server?
06:28 < Gorkhaan> u can push only commands
06:30 < gnr> that's via --client-connect ?
06:31 < Gorkhaan> push "somethingcommand"
06:31 < Gorkhaan> push "up myexecutable.exe"
06:31 < Gorkhaan> but you have to use script-security 2
06:31 < dazo> push "up shutdown -h now" :-P
06:31 < Gorkhaan> check the manual
06:31 < Gorkhaan> xD lol
06:32 < gnr> the manual says --client-connect cmd : Run script cmd on client connection.
06:32 < gnr> that's a good joke
06:32 < Gorkhaan> it runs on server, that's what you want?
06:33 < Gorkhaan> someone connects, a script runs on the server
06:33 < Gorkhaan> that's client-connect
06:33 < dazo> you can use --up / --down on the client ... but --client-connect and --client-disconnect are server only
06:33 < gnr> aah.. I got it wrong
06:35 * dazo actually begins to think that ... push "up {command}" (or down) .... is quite a security-prone configuration parameter .... clients should not accept those at all
06:35 < gnr> actually I wanted to do Single Sign On (SSO) after the VPN link is established
06:36 < gnr> so I was hoping that the server can "push" a certificate (for SSO) to the client...
06:37 < vaq> gnr push a download cmd to the client that will download the certificate from the server within the LAN maybe?
06:37 < gnr> vaq: possible...
06:38 < gnr> but in this case the script must be on the client in the first place, right?
06:39 < dazo> Just tried push "up script.sh" on one of my setups ..... "Wed Jul 22 13:38:38 2009 Options error: option 'up' cannot be used in this context"
06:39 < dazo> so that's not going to work
06:39 * dazo is relieved
06:40 < gnr> dazo: --push "option" : Push a config file option back to the peer for remote
06:40 < gnr> execution. Peer must specify --pull in its config file.
06:40 < gnr> dazo: no "up" I guess?
06:41 < gnr> plus pull on the client side...
06:42 < dazo> gnr: I do push DNS and routes without --pull
06:42 * dazo tries explicit --pull
06:43 < dazo> gnr: nope, not working with --pull
06:43 * dazo wonders if there are some discrepancies between documentation and behaviour now
06:44 < gnr> :)
06:44 < dazo> ahh ... --client == --pull + --tls-client
06:44 < dazo> gnr: so ... pushing --up or --down will not work :)
06:44 < dazo> which is a good thing, from a security perspective
06:45 < gnr> spot on
06:45 < ecrist> good morning
06:46 < dazo> good morning :)
06:46 < gnr> it's afternoon here...
06:46 < dazo> heh ... true enough :-P
07:13 -!- ez [n=ez@201-92-240-116.dsl.telesp.net.br] has joined ##openvpn
07:14 -!- ez [n=ez@201-92-240-116.dsl.telesp.net.br] has quit ["leaving"]
07:17 -!- YpsyZNC is now known as Ypsy
07:29 -!- j_ [n=j@91.192.120.55] has joined ##openvpn
07:46 -!- sbbackk [i=sbbackk@190.131.55.122] has joined ##openvpn
07:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:51 -!- j_ [n=j@91.192.120.55] has quit [Read error: 113 (No route to host)]
08:36 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
08:36 < thedoc> !iporder
08:36 < vpnHelper> thedoc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
08:36 < thedoc> !redirect
08:36 < vpnHelper> thedoc: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:36 < thedoc> !man
08:36 < vpnHelper> thedoc: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:36 < thedoc> !route
08:36 < vpnHelper> thedoc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:36 < thedoc> Where's that silly thing about not using tcp for the tunnel
08:37 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has quit [Client Quit]
08:38 -!- Cardoe [n=Cardoe@76.73.170.250] has joined ##openvpn
08:41 < gnr> !route-up
08:41 < vpnHelper> gnr: Error: "route-up" is not a valid command.
08:45 -!- c64zottel [n=hans@p5B17B0BD.dip0.t-ipconnect.de] has joined ##openvpn
08:46 -!- c64zottel [n=hans@p5B17B0BD.dip0.t-ipconnect.de] has left ##openvpn []
08:47 < gnr> if I use the --route-up cmd ..... where is the "cmd" file expected to be?
08:48 < Gorkhaan> use full path, or put your program next to the certificates, where the config is ( client.ovpn )
08:50 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has quit []
08:50 < gnr> Gorkhaan: thanks..
08:51 < Gorkhaan> np. :)
08:52 -!- kyrix [n=ashley@188-23-76-239.adsl.highway.telekom.at] has joined ##openvpn
08:52 < gnr> and --down cmd2 to "undo" whatever is created by --route-up cmd
08:55 < gnr> am I correct?
08:55 < Gorkhaan> you can run there whatever you would like to
09:10 -!- Cardoe [n=Cardoe@hsv.pikewerks.com] has joined ##openvpn
09:11 -!- gnr [n=gnr@203.82.79.102] has quit [Read error: 104 (Connection reset by peer)]
09:11 -!- gnr [n=gnr@203.82.79.102] has joined ##openvpn
09:11 -!- gnr [n=gnr@203.82.79.102] has quit [SendQ exceeded]
09:12 -!- gnr [n=gnr@203.82.79.102] has joined ##openvpn
09:12 -!- sbbackk [i=sbbackk@190.131.55.122] has quit [Read error: 113 (No route to host)]
09:12 -!- gnr [n=gnr@203.82.79.102] has quit [SendQ exceeded]
09:13 -!- gnr [n=gnr@203.82.79.102] has joined ##openvpn
09:13 -!- gnr [n=gnr@203.82.79.102] has quit [SendQ exceeded]
09:14 -!- gnr [n=gnr@203.82.79.102] has joined ##openvpn
09:28 < gnr> can --up run a batch (.bat) or .exe file?
09:29 < Gorkhaan> yep
09:33 < gnr> I kept getting script failed error 1
09:33 < gnr> where can I see a more verbose log?
09:33 < Gorkhaan> verb 9
09:34 < Gorkhaan> do u have "script-security 2" ?
09:34 < gnr> yup
09:34 < Gorkhaan> try "script-security 3"
09:34 < Gorkhaan> I donno, check the corresponding manual
09:34 < Gorkhaan> the script-security levels are written down there
09:35 < gnr> ahhh yes I used env
09:35 < gnr> let me check now
09:48 < gnr> yeah.. it's my script that screwed up
09:48 < gnr> creating a simple script run
09:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:50 < gnr> but the --down-pre doesn't seem to be working with rc18...
09:58 < ecrist> try rc19
10:05 -!- Ben3 [n=benthete@61.17.17.157] has joined ##openvpn
10:06 < Ben3> I want to make my server available for video streaming for my clients using vpn. I have configured vpn and squid in the server. I can now connect to vpn and browse when I add proxy settings in browser. Is it possible to configure so that end users need not configure their browser for proxy settings?
10:08 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has quit []
10:10 < gnr> Ben3: use a .pac file for proxy auto config
10:19 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
10:23 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn
10:24 < loulouloulou> hi, is there a method to create client certificates in bulk mode without being prompted each time to answer the prompts
10:26 < gnr> there's auto-enrollment for windows environment
10:26 < gnr> in linux only novell edirectory supports auto-enrollment
10:27 < loulouloulou> I am using linux. I was thinking about some method where I can create a script... if I can only come to a way where the script that creates the client reads from a file or all variables can be supplied on the command line
10:28 < gnr> oh... I see.. then a simple bash script would do
10:29 < gnr> if you need an interactive script use "expect"
10:33 < ecrist> you don't need expect for an interactive script.
10:34 < ecrist> loulouloulou: it wouldn't be too difficult to extend ssl-admin for such
10:37 < Ben3> gnr: is there any link that can help me to configure vpn with PAC?
10:39 < loulouloulou> hmm apparently I can do that using pkitool if the vars file is configured for ... the only problem I have is that pkitool puts them all in one dir while I want to put them in different dirs.
10:40 < loulouloulou> never mind
10:40 < loulouloulou> got that as well thanks
10:41 -!- gnr [n=gnr@203.82.79.102] has quit ["Leaving"]
10:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
10:46 < Ben3> can anybody advise a method to enable uninterrupted streaming with vpn (provided with no configuration changes in the browser settings at end-user)?
10:48 -!- aditsu [n=aditsu@n219077072251.netvigator.com] has joined ##openvpn
10:49 < aditsu> hi, how does openvpn handle MTU? the howto is totally quiet about it
10:49 < aditsu> I'm having some issues with connections stopping for a while then working again
10:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:49 < aditsu> and I'm wondering if the MTU has anything to do with that
10:50 < aditsu> I found some pages talking about the "mssfix" and "fragment" options, but I can't find that information in the howto
10:51 < ecrist> !mtu
10:51 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
10:51 < aditsu> oh, there's a manual too
10:55 < aditsu> let's try this mtu-test..
10:58 < aditsu> max 5 lines paste? this channel is lenient :)
10:59 < aditsu> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] remote->local=[1541,1541]
11:00 < aditsu> I suppose that means everything is working well?
11:07 -!- Cardoe [n=Cardoe@hsv.pikewerks.com] has joined ##openvpn
11:14 -!- sbbackk [n=sbbackk@proxy01.telmex.net.ec] has joined ##openvpn
11:19 -!- brendan0powers [n=brendan@72.15.28.7] has left ##openvpn ["Konversation terminated!"]
11:48 -!- sbbackk [n=sbbackk@proxy01.telmex.net.ec] has quit [Read error: 110 (Connection timed out)]
11:52 -!- NfNitLoop [n=bip@2001:4978:f:353:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
11:54 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn
12:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:08 < ecrist> aditsu: yes
12:09 -!- kyrix [n=ashley@188-23-76-239.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
12:23 -!- kyrix [n=ashley@188-23-71-152.adsl.highway.telekom.at] has joined ##openvpn
12:34 -!- Ben4 [n=benthete@61.17.17.157] has joined ##openvpn
12:40 < MadTBone> what method do people normally use for user authentication with OpenVPN?
12:43 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:49 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has joined ##openvpn
12:51 -!- Ben3 [n=benthete@61.17.17.157] has quit [Read error: 110 (Connection timed out)]
12:58 < reiffert> black people use certificates. white people dont.
12:58 < reiffert> green people use password
12:58 < reiffert> and red people are.
13:07 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
13:20 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn
13:23 -!- Ben5 [n=benthete@61.17.17.157] has joined ##openvpn
13:30 -!- Ben4 [n=benthete@61.17.17.157] has quit [Read error: 60 (Operation timed out)]
13:34 -!- jeiworth [n=jeiworth@189.163.150.110] has quit [Read error: 60 (Operation timed out)]
13:37 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
13:41 < ecrist> MadTBone: certificates
14:01 -!- eZ [n=eZ@189.19.215.119] has joined ##openvpn
14:02 -!- jeiworth [n=jeiworth@189.177.231.62] has joined ##openvpn
14:07 -!- aditsu [n=aditsu@n219077072251.netvigator.com] has quit ["Chatzilla 0.9.75.1 [SeaMonkey 1.1.17/2009060609]"]
14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:25 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
14:25 < MadTBone> ecrist: of course certs for authenticating, but I mean verifying the user himself... as in passwords matched against an auth server, or just passwords in the cert.... what's most robust in terms of security and ease of management (for around 10 to 40 clients)
14:26 < thedoc> MadTBone, cert + passwords
14:27 < MadTBone> thedoc: you mean password in the cert?
14:27 < thedoc> No, PAM module.
14:27 * ecrist agrees
14:27 < thedoc> o/ ecrist
14:27 < ecrist> though, I don't bother with user passwords, myself.
14:28 < reiffert> pam.
14:28 < MadTBone> ahh... didn't think about PAM
14:28 -!- nixcamic [n=nixcamic@d75-154-85-186.abhsia.telus.net] has joined ##openvpn
14:28 < ecrist> PAM + LDAP FTW
14:28 < reiffert> or ldap, or pam against ldap.
14:29 < krzee> !authpass
14:29 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
14:29 < ecrist> !kill_krzee
14:29 < vpnHelper> ecrist: Error: "kill_krzee" is not a valid command.
14:29 < ecrist> !"eat a dick"
14:29 < vpnHelper> ecrist: Error: "eat a dick" is not a valid command.
14:29 < nixcamic> hey everyone, have a question about server config pushing
14:29 < reiffert> !limit
14:29 < vpnHelper> reiffert: Error: You don't have the ##openvpn,op capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
14:29 < thedoc> !cuddles
14:29 < vpnHelper> thedoc: Error: "cuddles" is not a valid command.
14:29 < reiffert> !factoids search limit
14:29 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
14:29 < thedoc> >:o
14:29 < reiffert> !pushlimit
14:29 < vpnHelper> reiffert: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
14:30 < reiffert> !whoami
14:30 < vpnHelper> reiffert: I don't recognize you.
14:30 < nixcamic> my server is currently pushing redirect-gateway, as I want it to be, but I want to be able to disable this from some of my client config files
14:30 < ecrist> subnetting is your friend. :)
14:30 < reiffert> fuckoff.
14:30 < reiffert> nixcamic:
14:30 < reiffert> !ccd
14:30 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:30 < krzee> I believe that would be something like --nopull
14:30 < krzee> in the client config file
14:30 -!- loulouloulou [n=laylaaaa@212.36.208.1] has left ##openvpn ["Leaving"]
14:31 < krzee> but then you need to specify other stuff manually
14:31 < nixcamic> ok
14:31 < nixcamic> so there is no way to disable just a specific pull
14:31 < krzee> not from the client side
14:31 < nixcamic> ah, that's annoying
14:31 < nixcamic> thanks
14:32 < krzee> think how much more annoying it would be to have a config option to not pull every single thing that can be pushed
14:32 < krzee> anyways, bbiaf
14:32 < nixcamic> well, not that bad
14:32 < thedoc> Any thoughts on what might be a good way to deploy a setup which requires encapsulating the vpn packets within an HTTP header?
14:33 < nixcamic> you could have a nopull option
14:33 < nixcamic> then just do nopull redirect-gateway
14:33 < nixcamic> nopull nobind
14:33 < nixcamic> etc.
14:33 < krzee> thedoc, there's a web proxy option
14:33 < reiffert> thedoc: search google for it, use HTTP GET AND POST
14:33 < reiffert> krzee: it sucks.
14:33 < reiffert> it uses http CONNECT
14:33 < krzee> ahh, never used it
14:33 < krzee> the socks stuff sucks worse
14:33 < thedoc> reiffert, This is used mainly to try to fool some firewalls
14:33 < krzee> doesn't support auth
14:33 < reiffert> one could need a real HTTP GET/POST openvpn stuff.
14:34 -!- nixcamic [n=nixcamic@d75-154-85-186.abhsia.telus.net] has quit []
14:34 < krzee> socks support without auth makes less than no sense
14:34 < reiffert> smth like GET somebase64encoded(binary data) and POST
14:35 -!- sbbackk [i=sbbackk@190.131.55.122] has joined ##openvpn
14:52 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
15:00 < ksnp> if I have a client on an xp machine that works fine but now I want to make other machines on the client LAN reachable, do I need to enable tcp/ip forwarding on the xp machine?
15:00 < ecrist> yes
15:00 < ksnp> by default this is disabled
15:00 < ksnp> the howto doesn't talk about forwarding on the client machine, only on the server machine. why is that?
15:00 < ecrist> and you need to setup routing for the other machines on the LAN for the VPN subnet
15:01 < ecrist> !iroute
15:01 < ecrist> !route
15:01 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
15:01 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:03 < ksnp> ecrist : I have the routing setup
15:04 < ksnp> nowhere did I find that the client needs to do ip forwarding, although one might expect that it is needed, hence I was wondering
15:19 < ksnp> ecrist: I am trying to ping the server side LAN from the client but am unable to, although I can ping from the server side LAN to the client's LAN (not vpn) ip
15:20 < ksnp> my ccd for the client is at http://pastebin.com/d15dded74
15:21 < ksnp> can anyone help?
15:21 < ksnp> should probably double check my firewall?
15:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
15:27 -!- Ben5 [n=benthete@61.17.17.157] has quit ["Nettalk6 - www.ntalk.de"]
15:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
16:13 -!- mooperd [n=somebody@adsl-76-233-236-102.dsl.pltn13.sbcglobal.net] has joined ##openvpn
16:13 < mooperd> where does openvpn do its logging on ubuntu?
16:14 < Gorkhaan> wherever you told it to in your server conf
16:14 < Gorkhaan> but: /var/log usually
16:15 < mooperd> root@admin2:~# /etc/init.d/openvpn start
16:15 < mooperd> * Starting virtual private network daemon(s)...
16:15 < mooperd> * Autostarting VPN 'server'
16:15 < mooperd> ...fail!
16:15 < mooperd> I think the conf file is borked
16:16 < mooperd> so it doesn't even get to that bit yet :)
16:18 < Gorkhaan> try to run it in terminal
16:18 < Gorkhaan> openvpn /go/to/my/server.conf
16:18 < mooperd> I'm setting up a vpn in order to access a private management network.
16:18 < mooperd> server 192.168.99.10 255.255.255.0
16:19 < mooperd> should the server 192.168.99.10 reflect the server's ip address on this private network?
16:19 < Gorkhaan> that won't work
16:19 < Gorkhaan> --server 192.168.99.0 255.255.255.0
16:19 < Gorkhaan> the VPN Server will take the first IP: 192.168.99.1
16:19 < mooperd> ah, so you specify the subnet
16:19 < Gorkhaan> the clients the rest
16:20 < Gorkhaan> control your clients number with: --max-clients n
16:20 -!- eZ [n=eZ@189.19.215.119] has quit [No route to host]
16:20 < Gorkhaan> not with mask. :) if you'd like to do that
16:21 < mooperd> thanks Gorkhaan
16:22 < Gorkhaan> np. :)
16:23 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
16:25 < ksnp> I am trying to set up a site to site, and so far can access the server side lan from the client and vice-versa (but not other machines on the client LAN)
16:26 < ksnp> I have static routes set up on both the lan routers/gateways
16:26 < ksnp> can anyone help?
16:26 < ksnp> also have ip forwarding enabled on the client (win xp pro)
16:28 < magic_1> what firewall are you using
16:28 < magic_1> as you will need to config your firewall to allow for the traffic
16:30 < ksnp> I have the TUN interface connections allowed to be forwarded thru other interfaces
16:31 < ksnp> 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
16:31 < ksnp> above was output of iptables under Chain INPUT
16:31 < ksnp> Chain FORWARD : 0 0 ACCEPT all -- tun0 * 0.0.0.0/0 0.0.0.0/0
16:34 < ksnp> from the server LAN I can ping the LAN ip of the client, but not other machines on the client LAN
16:35 < ksnp> is there a way to see all the packets on the linux machine arising from an ip?
16:35 < ksnp> ngrep?
16:35 < ksnp> tcpdump?
16:36 < ksnp> nevermind that
16:36 < ksnp> anyone know the tradeoff between using udp and tcp for openvpn?
16:36 < magic_1> haven't tried myself but udp has worked perfect for me
16:36 < ksnp> ok
16:37 < ksnp> any comments on the accessing the client side LAN issue above?
16:37 < magic_1> yea
16:37 < Gorkhaan> Routes are fine?
16:39 < magic_1> well first in your config
16:39 < magic_1> you need to push routes
16:39 < magic_1> that is the first part
16:40 < ksnp> yes routes are fine, and I have pushed the routes
16:40 < magic_1> you also need to create a folder with a file containing the ip range of the client
16:40 < ksnp> on the server side LAN I set up a route for the 10.8.1.x and the client side LAN subnet
16:40 < ksnp> on the server side LAN ROUTER I set up a route for the 10.8.1.x and the client side LAN subnet
16:40 < ksnp> on the client side ROUTER, I set up a route for the server side LAN subnet
16:40 < ksnp> that's enough, correct?
16:41 < ksnp> I pushed the route to the client to reach the server LAN - I mean I can ping all the server side LAN from the client
16:41 < ksnp> I also have iroute for the server side LAN on the client
16:42 -!- Blu3` [i=david@blue-labs.org] has joined ##openvpn
16:47 -!- Blu3` [i=david@blue-labs.org] has left ##openvpn ["Leaving"]
16:48 < magic_1> have you got both routes pushed
17:04 < mooperd> so, I have my vpn setup on 192.168.98.0 and would like to be able to access hosts on a 192.168.99.0 network
17:04 < mooperd> what is the best way of accomplishing this?
17:04 < mooperd> iptables?
17:08 < ksnp> magic : both as in ?
17:08 < ksnp> sorry stepped away for a second
17:12 < ksnp> yeah I have the route for 10.8.1. and the server side lan pushed
17:12 < ksnp> I can ping the entire server side lan from the client, which is not possible without both the routes pushed
17:16 -!- mooperd [n=somebody@adsl-76-233-236-102.dsl.pltn13.sbcglobal.net] has quit ["This computer has gone to sleep"]
17:32 -!- kyrix [n=ashley@188-23-71-152.adsl.highway.telekom.at] has quit [Excess Flood]
17:33 -!- kyrix [n=ashley@188-23-71-152.adsl.highway.telekom.at] has joined ##openvpn
17:36 -!- rawDawg [n=rawDawg@adsl-76-241-85-69.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
17:39 < ksnp> is there a way to debug ip forwarding inside the server?
17:40 < rawDawg> im having trouble with one windows xp client
17:41 < rawDawg> im running the latest rc19 of openvpn
17:41 < rawDawg> when i vnc into the box, the screen is black
17:41 -!- sbbackk [i=sbbackk@190.131.55.122] has quit [Read error: 113 (No route to host)]
17:42 < rawDawg> i have another vpn client (cisco) on the box and when I put that tunnel up and try vnc it works fine
17:43 < rawDawg> anyone have any ideas what the problem might be?
17:43 < rawDawg> i can ping back and forth
17:54 < Gorkhaan> PowerSaving mode?
17:54 < Gorkhaan> Windows needs, realy keypressing afaik
17:54 < Gorkhaan> really
17:54 < rawDawg> !mtu
17:54 < vpnHelper> rawDawg: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
17:59 -!- urkonn [n=urkonn@201.155.124.232] has joined ##openvpn
18:01 -!- jeiworth [n=jeiworth@189.177.231.62] has quit [Read error: 104 (Connection reset by peer)]
18:02 -!- jeiworth [n=jeiworth@189.177.231.62] has joined ##openvpn
18:02 < rawDawg> i think it might be mty
18:02 < rawDawg> mtu
18:04 < rawDawg> !mssfix
18:04 < vpnHelper> rawDawg: Error: "mssfix" is not a valid command.
18:04 < urkonn> !route
18:04 < vpnHelper> urkonn: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:11 -!- rawDawg [n=rawDawg@adsl-76-241-85-69.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
18:29 -!- urkonn [n=urkonn@201.155.124.232] has left ##openvpn ["Leaving"]
18:32 -!- jeiworth [n=jeiworth@189.177.231.62] has quit [Read error: 60 (Operation timed out)]
18:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:37 < rawDawg> the problem was in fact mtu
18:37 < rawDawg> i tried mssfix 1200 on the client
18:37 < rawDawg> and now the vnc works ok
18:38 < rawDawg> but im wondering if i can raise this value?
19:00 < krzie> you can use trial and error of course
19:00 < krzie> you can also use mtutest in the client config
19:00 < krzie> !mtu
19:00 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
19:00 < rawDawg> this client is on dsl
19:01 < rawDawg> i am under the impression that dsl uses an mtu of 1460, right?
19:08 < krzie> !mtu
19:08 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
19:08 < krzie> :p
19:09 < rawDawg> ok i add that to the client
19:09 < rawDawg> 1 sec
19:11 < rawDawg> ok i added that and reconnected
19:12 < rawDawg> where is the output for this test?
19:12 < rawDawg> server or client?
19:13 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has quit []
19:14 < rawDawg> Wed Jul 22 20:13:51 2009 NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1237] remote->local=[1541,1437]
19:14 < rawDawg> Wed Jul 22 20:13:51 2009 NOTE: This connection is unable to accomodate a UDP packet size of 1541. Consider using --fragment or --mssfix options as a workaround.
19:15 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
19:17 < krzie> cool, i had never seen one report less than normal =]
19:18 < rawDawg> im not sure what to make of all of this
19:19 < krzie> nor am i, i'd like to play with that stuff sometime
19:19 < krzie> if you figure it all out, pls put something on our wiki about it
19:19 < krzie> !wiki
19:19 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
19:19 < krzie> i have a feeling those numbers 1237 1437 are your max values for something tho ;]
19:20 < rawDawg> right
19:20 < rawDawg> well i tried mssfix 1200
19:20 < rawDawg> and it works
19:20 < rawDawg> then i tried mssfix 1300 and it doesnt work
19:21 < rawDawg> im gonna try mssfix 1238 and see
19:21 < krzie> exactly, test around, then pls detail the info on the wiki
19:21 < krzie> for the next guy
19:22 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
19:29 -!- kyrix [n=ashley@188-23-71-152.adsl.highway.telekom.at] has quit ["Leaving"]
19:34 -!- jeiworth [n=jeiworth@189.163.150.110] has joined ##openvpn
19:34 -!- Cardoe [n=Cardoe@76.73.170.250] has joined ##openvpn
19:36 -!- JyZyGyZyX [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn
19:37 < JyZyGyZyX> !howto
19:37 < vpnHelper> JyZyGyZyX: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:42 < JyZyGyZyX> sudo ./clean-all
19:42 < JyZyGyZyX> Please source the vars script first (i.e. "source ./vars")
19:42 < JyZyGyZyX> i did that
20:05 -!- Ypsy is now known as YpsyZNC
20:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
20:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
20:31 < JyZyGyZyX> !error
20:31 < vpnHelper> JyZyGyZyX: Error: "error" is not a valid command.
20:31 < JyZyGyZyX> !logs
20:32 < vpnHelper> JyZyGyZyX: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
20:34 < JyZyGyZyX> the verbosity is mind blowing
20:34 < JyZyGyZyX> Starting virtual private network daemon: client failed!
20:50 -!- l2trace99 [n=jr@rrcs-71-43-104-238.se.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)]
21:01 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D3A81.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:11 -!- master_of_master [i=master_o@p549D3909.dip.t-dialin.net] has joined ##openvpn
21:23 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
21:46 -!- toehio2 [i=43f229ea@gateway/web/freenode/x-c995d86e0e7936ac] has joined ##openvpn
21:50 < toehio2> Does it make sense that my openvpn UDP is slower than the TCP?
22:04 -!- toehio2 [i=43f229ea@gateway/web/freenode/x-c995d86e0e7936ac] has quit ["Page closed"]
22:04 -!- phyman [n=admin@219.236.217.7] has joined ##openvpn
22:34 -!- phyman [n=admin@219.236.217.7] has left ##openvpn []
22:36 < JyZyGyZyX> clientWARN: could not open database for 512 bits. Skipped
22:36 < JyZyGyZyX> whats with that?
22:36 < JyZyGyZyX> both server and client give it
23:08 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
23:19 < oc80z> !push
23:19 < vpnHelper> oc80z: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
23:26 -!- Cardoe [n=Cardoe@gentoo/developer/Cardoe] has left ##openvpn []
--- Day changed Thu Jul 23 2009
00:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
00:44 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
00:45 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
00:48 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
00:50 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
00:54 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
00:56 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:00 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:03 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:06 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:09 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:13 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:16 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:18 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
01:20 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:23 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:27 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:29 -!- onats1 is now known as onats
01:30 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:35 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:38 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:42 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:45 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
01:50 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [SendQ exceeded]
01:52 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
02:02 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
02:06 -!- Ben5 [n=benthete@61.17.17.157] has joined ##openvpn
02:08 < Ben5> how to configure vpn for video streaming? please advise.
02:09 < Ben5> Like TV streaming..
02:14 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
02:15 < ksnp> hi i am trying to ping a server side machine from the client and have setup the config and ccd to do this, also firewall is disabled
02:16 < rawDawg> Ben5: probably the same way you would configure it for anything else
02:16 < rawDawg> have you got a tunnel up?
02:16 < ksnp> when i try to ping from client to this server side lan machine the server side lan machines replies to the ping and it can see this in the tcpdump but i don't see it reach the actual client, which means the server is not forwarding these packets back, although forwarded the packets to the server side LAN machine
02:16 < ksnp> yes i can ping the server from the client
02:17 < Ben5> rawDang: I have configure pptp and vpn is up.
02:17 < ksnp> and vice-versa, actually i am able to ping the client on its vpn ip as well as lan ip from other machines on the server side lan also
02:17 < ksnp> rawDawg : can you help me fix this ?
02:18 < rawDawg> open a port on the server gateway to whatever port the server is running
02:18 < rawDawg> Ben5: pptp is no good?
02:19 < ksnp> rawDawg, are you telling me ; open a port on the server ...
02:19 < rawDawg> !route
02:20 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:20 < rawDawg> there is a good explanation there
02:20 < ksnp> rawDawg, that's for me ?
02:20 < rawDawg> yeah
02:20 < ksnp> or for Ben5 ?
02:20 < ksnp> ok
02:20 < ksnp> i have read that article before already
02:20 < ksnp> have the route, iroute and ifconfig-push and push all setup
02:21 < rawDawg> is the server the gateway?
02:21 < ksnp> no, server is not the gateway, but the gateway has static routes to route the packets
02:21 < rawDawg> hmm
02:21 < ksnp> client's ping reaches the server side LAN (entire LAN) and the server side LAN machine is responding too !
02:22 < ksnp> and when it responds server side gateway is routing to the openvpn server. BUT THE OPENVPN SERVER IS NOT SENDING THEM BACK TO THE CLIENT !
02:22 < ksnp> I THINK, because i don't see the reply on the client
02:22 < rawDawg> you may need a route in the clients gateway
02:23 < Ben5> rawDawg: any other suggestions?
02:23 < ksnp> clients gateway also has route for the server side LAN, but i think client gateway here doesn't have impact isn't it ?
02:23 < rawDawg> hmm if both gateways have routes you should be able to ping both ways
02:23 < ksnp> actually take that back - it does, i do have the route setup that's the reason it is reaching the server side lan in the first place
02:24 < ksnp> i can ping from server side entire LAN to the client and get response, just not in the reverse direction !
02:24 < ksnp> well that is if i use the client side regular LAN ip, not the client side VPN ip (although static route exists on the server gateway for both)
02:25 < ksnp> hey actually nevermind :) the route was wrong because the ip changed from last time
02:25 < ksnp> sorry :)
02:25 < rawDawg> :)
02:25 < ksnp> i can't ping the client side LAN though, only the client machine
02:26 < ksnp> i have followed the instructions on the openvpn.net/howto for it, but it still doesn't work :(
02:26 < rawDawg> is the client machine forwarding packets?
02:26 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
02:27 < rawDawg> Ben5: get a working openvpn tunnel up and try it
02:27 < ksnp> rawDawg, its a win xp and i have setup ip forwarding by changing the registry and rebooting
02:28 < rawDawg> Ben5: i dont think you would need any special configuration
02:28 < rawDawg> !howto
02:28 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:28 < ksnp> i used the same method earlier on different xp machine and was able to forward, but there was no way to test using different method if this machine is also working
02:28 < ksnp> i guess i can wireshark on the client and see
02:29 < rawDawg> you need a route in the clients gateway, and the client has to be forwarding packets
02:32 < Ben5> rawDawg: openvpn requires client side setup right! Is there any method that can avoid configuring browser for proxy settings, once vpn is connected?
02:33 < ksnp> rawDawg, i have the route setup
02:33 < rawDawg> Ben5: http://blog.foppiano.org/2008/07/24/how-to-openvpn-over-proxy/
02:33 < vpnHelper> Title: How to OpenVPN over Proxy « fucking the white bunny rabbit (at blog.foppiano.org)
02:33 < ksnp> and also forwarding but i wonder if there is a way to test the forwarding on the win xp differently
02:33 < ksnp> ?
02:35 < rawDawg> if IPEnableRouter is 1, routing should be working
02:39 < ksnp> ya i have that
02:40 < ksnp> is there an independent way to check it ?
02:40 < rawDawg> route print
02:41 < rawDawg> if you have routes to all interfaces it is working correctly
02:41 < rawDawg> also
02:41 < rawDawg> ipconfig /all should tell if routing is enabled
02:41 < rawDawg> only way to test would be to ping a "host" from one interface to another
02:42 < ksnp> i'll try ipconfig /all
02:42 < ksnp> i also just disabled firewall realized it was on
02:42 < ksnp> but still doesn't work
02:43 < Ben5> rawDawg: MY aim is to enable video streaming for the customers through vpn. Is it advisable through openvpn-over-proxy setup?
02:43 < ksnp> rawDawg, it says NO !
02:43 < ksnp> i guess that's the problem
02:43 < ksnp> but the IPenablerouter is set to 1
02:43 < ksnp> i guess i have to enable / disable from RRS services ?
02:44 < rawDawg> there is one more place to enable routing on xp
02:45 < rawDawg> goto tcp/ip options for any network adapter
02:45 < ksnp> ok..
02:45 < rawDawg> click advanced
02:45 < rawDawg> goto the options tab
02:45 < ksnp> ok..
02:45 < rawDawg> tcp/ip filtering
02:45 < rawDawg> click options
02:46 < ksnp> properties -> advanced -> ?
02:46 < ksnp> there's no options ?
02:46 < rawDawg> the properties specifically for tcp/ip
02:46 < ksnp> ya
02:47 < ksnp> ok i see options tab
02:47 < ksnp> TCP/IP filtering
02:47 < ksnp> the properties
02:47 < ksnp> and then ?
02:47 < ksnp> enable TCP/IP filtering is disabled
02:47 < rawDawg> check the box for tcp/ip filtering
02:48 < ksnp> ok done
02:48 < ksnp> trying now
02:48 < rawDawg> that should turn on routing if IPEnableRouter doesnt
02:48 -!- Ben6 [n=benthete@61.17.17.157] has joined ##openvpn
02:48 < rawDawg> Ben5: im sorry i dont know
02:49 < ksnp> ok, rebooting and trying out..
02:51 < ksnp> ip routing enabled : NO in ipconfig /all
02:52 < ksnp> IPEnablerouter is 1 also
02:53 < rawDawg> hmm
02:55 < rawDawg> tcp/ip filtering is enabled? (did you check the box and apply)
02:55 < ksnp> yes, double checking
02:55 < rawDawg> do you have another firewall besides windows?
02:56 < ksnp> no
02:56 < ksnp> double checked and it is there and also says for all adaptors (so guess covers both the vpn and the regular LAN adaptor)
02:57 < Ben6> Thanks for your efforts rawDawg
02:57 < rawDawg> np, sorry i dont know much about streaming video
02:58 < rawDawg> yeah that enables for all adapters
02:58 < rawDawg> ksnp, the only thing i can think of... there is multiple control sets in the registry
02:59 < rawDawg> HKEY_LOCAL_MACHINE \SYSTEM\CurrentControlSet\Services\Tcpip \Parameters
02:59 < rawDawg> ControlSet001 and maybe ControlSet002 and/or ControlSet003
03:01 < ksnp> ya i saw that and tried to search but the search does not even return the one that i can myself see there !
03:01 < ksnp> saw that suggestion and tried to search (http://www.softwaretipspalace.com/MS_Windows_XP/Tips-and-Tricks/How_to_Enable_Router_in_Windows_XP_-_IPEnableRouter.html)
03:01 < vpnHelper> Title: How to Enable Router in Windows XP (IPEnableRouter)? (at www.softwaretipspalace.com)
03:03 < rawDawg> try navigating to the node without searching, and if the value is not there, add it yourself
03:04 < ksnp> i did that now, there was one of the places where it was 0
03:04 < ksnp> so i changed to 1 and also added at another place
03:04 < ksnp> did ipconfig /all but still same result
03:04 < ksnp> rebooting now to see if that helps
03:04 < rawDawg> strange
03:04 < ksnp> ya, on the other machine (server) side it worked fine
03:05 < rawDawg> is the XP box on a domain?
03:05 < ksnp> not sure what's wrong, hopefully its the reboot that was needed
03:05 < ksnp> checking..
03:05 < ksnp> no its not
03:05 < ksnp> and reboot also doesn't help
03:05 < rawDawg> and you are logged on an admin account?
03:07 -!- Ben5 [n=benthete@61.17.17.157] has quit [Read error: 110 (Connection timed out)]
03:07 < ksnp> yes i think so but will check after reboot - i just started routing and remote servers service
03:07 < ksnp> and rebooted to see if that helps
03:08 < ksnp> i think that is perhaps needed ??
03:08 < ksnp> or not ?
03:08 < ksnp> hurray ipconfig /all now shows
03:09 < ksnp> hurray now it works !
03:09 < rawDawg> interesting if that works
03:10 < rawDawg> i have routing and remote access disabled
03:11 < ksnp> and it still works ?
03:11 < rawDawg> in fact i ran into a lot of problems with it enabled on server 2003
03:11 < ksnp> i can ping entire client lan now
03:11 < rawDawg> well whatever works :)
03:12 < ksnp> oh is it ? i think i read some things about it to be turned off for somethings don't remember for what
03:12 < ksnp> yep !
03:12 < ksnp> hey would you know about cron job ?
03:12 < ksnp> i put a script to simply echo 1234 to a file made it +x and ran it in my local directory
03:12 < ksnp> then i copy the file to the /etc/cron.hourly
03:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
03:13 < ksnp> but in the /var/log/syslog i see cron error saying bad command or something like that
03:15 < ksnp> sorry not in /etc/cron.hourly, but cron.d
03:15 < rawDawg> 0 * * * * echo "1234" > /etc/cron.d
03:16 < ksnp> 0 ?
03:16 < ksnp> oh ok
03:16 < ksnp> i put */5 to do every 5 mins
03:16 < rawDawg> that should be for hourly
03:17 < ksnp> except i put echo "1234" > /root/test.log itself into a x file test
03:18 < ksnp> actually /root was missing
03:18 < ksnp> i guess it doesn't allow creating test.log in /etc/cron.d itself ?
03:19 < ksnp> i don't need to restart cron after making changes to files in /etc/cron* right ?
03:20 < ksnp> i tried now :
03:20 < ksnp> * * * * * echo "1234" > /root/test/log
03:20 < ksnp> i get bad username; while reading /etc/cron.d/test
03:22 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn
03:22 < rawDawg> make sure you have permission to read
03:22 < Gorkhaan> use full paths there :)
03:22 < loulouloulou> hi there..I got duplicate-cn commented out..however two clients with the same cert can connect
03:23 < Gorkhaan> * * * * * /bin/echo "`date`" >> /root/testdate
03:24 < rawDawg> ^
03:24 < rawDawg> well im gonna try to sleep
03:27 < ksnp> i am using full paths
03:27 < ksnp> i am going to copy that line and try again
03:27 < ksnp> good nite raw : thanks for the help on the forwarding
03:27 < ksnp> oh full path for echo you mean !
03:27 < ksnp> got it !
03:29 < ksnp> i get bad username; while reading /etc/cron.d/test again !
03:31 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:32 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" HydraIRC -> http://www.hydrairc.com <- Go on, try it!"]
03:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:03 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
04:21 -!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has joined ##openvpn
04:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- swa_work [n=swa@swatteksystems.com] has quit [""sleep()""]
06:01 < |Mike|> unffffffff :)
06:02 < reiffert> u sure?
06:02 < |Mike|> Ofc :)
06:02 < |Mike|> wow, HAR tickets are reaching the 300E at the black market
06:07 < reiffert> :)
06:36 -!- jeiworth [n=jeiworth@189.163.150.110] has quit [Read error: 60 (Operation timed out)]
06:42 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
06:46 -!- Ben7 [n=benthete@61.17.17.157] has joined ##openvpn
06:48 -!- Ben8 [n=benthete@61.17.17.157] has joined ##openvpn
07:02 -!- Ben6 [n=benthete@61.17.17.157] has quit [Read error: 110 (Connection timed out)]
07:07 -!- Ben7 [n=benthete@61.17.17.157] has quit [Read error: 110 (Connection timed out)]
07:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:36 * dazo just stumbled upon http://www.openvpn.eu/
07:36 < vpnHelper> Title: Home: OpenVPN e.V. (at www.openvpn.eu)
07:42 < |Mike|> deutch ?
07:46 < deever> |Mike|: ?
07:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:47 < |Mike|> the forum has an english and "german" section..
07:48 < krzee> mike
07:48 < Bushmills> dict: "No definitions found for "deutch", perhaps you mean:
07:48 < Bushmills> gcide: Dutch"
07:48 < krzee> wassup from usa
07:48 < krzee> moin moin Bushmills
07:48 < |Mike|> yo krzee :-)
07:48 < Bushmills> hi krzee
07:48 < Bushmills> how's things?
07:49 < krzee> good man
07:49 < krzee> im at the airport in orlando
07:49 < Bushmills> travelling, or looking for scraps of food?
07:49 < krzee> lil of both ;]
07:50 < krzee> nah i just got to the usa, lil vacation
07:50 < Bushmills> i see. going to pity the locals
07:51 < krzee> i have fun out here, but every time i come back i like it less
07:51 < krzee> solidifies that im never moving back
07:52 < krzee> not to say ill always be in the caribbean, but i cant see myself moving back to usa
07:52 < krzee> who knows, maybe ill move out to where you or mike live
07:52 < krzee> ill be seeing mike soon, less than a month
07:53 < Bushmills> that's cool
07:54 < ecrist> morning.
07:54 < Bushmills> but climate won't be caribbean
07:54 < krzee> oh speaking of that
07:55 < krzee> |Mike|, hows the weather out there?
07:55 < krzee> mornin eric
07:55 < |Mike|> It's rainy :(
07:55 < |Mike|> it's pretty PITA that the HAR tickets are sold out krzee
07:56 < krzee> ya thats the weaksauce
07:56 < krzee> but fuck it, im going
07:56 < krzee> ill figure out something
07:56 < krzee> if my boy still comes through on my plane ticket, im going
07:57 < ecrist> HAR?
07:57 < |Mike|> hacking at random
07:57 < |Mike|> har2009.org
07:58 < |Mike|> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=270431914502
07:58 < vpnHelper> Title: Hacking At Random Ticket, HAR 2009, www.har2009.org - eBay (item 270431914502 end time Jul-30-09 03:51:29 PDT) (at cgi.ebay.com)
07:59 < |Mike|> bbl
07:59 < krzee> hrm
07:59 < krzee> ill pay him 150 right now direct
08:00 < krzee> i wish i knew he was starting the bidding at 150
08:00 < krzee> i can pay him right now
08:00 < |Mike|> he's in #har2009 @ efnet
08:00 < krzee> ya we talked yesterday
08:00 < krzee> my screen is open there
08:00 < |Mike|> ah, now i see you
08:01 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn
08:02 < krzee> once an auction is started it must be finished, right?
08:02 < ecrist> nope
08:03 < ecrist> they can pull the auction
08:03 < ecrist> provided nobody's bid
08:03 < krzee> ok i wont bid yet then
08:22 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn
08:22 < otakun> !route
08:22 < vpnHelper> otakun: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:23 < otakun> !redirect
08:23 < vpnHelper> otakun: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:23 < otakun> !def1
08:23 < vpnHelper> otakun: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
08:28 < otakun> hello is anyone available?
08:33 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has joined ##openvpn
08:35 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
08:37 -!- toehio2 [i=80fd9c4f@gateway/web/freenode/x-d0175d2c5a81a8d0] has joined ##openvpn
08:44 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has joined ##openvpn
08:45 < AdvoWork> hi there, just tried to add a route on my system and it says: route: bad address: netmask but its the same line as I do on my other system..
08:45 < AdvoWork> any ideas please, this is on a freenas box
08:46 < ecrist> I am, otakun - don't PM me again.
08:46 < ecrist> !ask
08:46 < vpnHelper> ecrist: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
08:48 < toehio2> When multiple computers connect to an OpenVPN server and start communicating, is all the traffic going through the server (Client A ---> Server ---> Client B) or directly (Client A ---> Client B)?
08:49 < ecrist> yes, it all goes through the server.
08:49 < ecrist> that is how a traditional VPN operates.
08:49 < ecrist> aside from services such as tor, I'm not sure of any mainstream VPN solutions which use a true p2p topology.
08:56 -!- loulouloulou [n=laylaaaa@212.36.208.1] has joined ##openvpn
08:56 -!- laylaaaaaaaaaaa [n=laylaaaa@212.36.208.1] has quit [Read error: 110 (Connection timed out)]
08:59 < AdvoWork> even if i do: route add -net 10.8.0.0/24 gw 192.168.0.99 I get: route: bad address: gw any ideas please?
08:59 < toehio2> ecrist: with tor, is there a central server where all the peers get the location of each other?
08:59 < ecrist> is 192.168.0.99 accessible from the local machine?
09:00 < ecrist> toehio2: the management is decentralized, from what I understand.
09:00 -!- loulouloulou [n=laylaaaa@212.36.208.1] has quit [Client Quit]
09:00 < AdvoWork> ecrist, yeah, and on another server on the same domain i run that exact same line, which ran fine
09:00 < ecrist> no idea, then, AdvoWork.
09:01 < AdvoWork> :s
09:01 < toehio2> ecrist: because some peers could be behind firewalls (inbound) so others wouldn't be able to connect to them unless they go through a server
09:02 < ecrist> toehio2: not all tor peers are entrance/exit nodes. those that are, are accessible outside firewalls
09:03 < toehio2> ecrist: I was looking for something that would allow some clients to use my internet connection. But since my network has a firewall, I can't have a proxy directly on my computer.
09:04 < ecrist> toehio2: nearly all networks have a firewall. punch the hole you need through it and you'll be fine.
09:04 < toehio2> ecrist: if a peer wants to act as proxy, does it need ports forwarded to it?
09:04 < ecrist> of course
09:05 < AdvoWork> ecrist, does it make any difference its on a freebsd box?
09:05 < toehio2> on three different internet connections I have 2 clients (firewalled) and a server ( no firewall)
09:06 < ecrist> AdvoWork: I have more respect for you, one. ;)
09:06 < ecrist> two, I'd look to be sure the machine knows how to route 192.168.0.99 and it is next-hop
09:07 < toehio2> what do you mean?
09:08 < toehio2> nvm
09:08 < ecrist> toehio2: I was talking to AdvoWork, not you.
09:08 -!- ipod [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn
09:08 < AdvoWork> lol
09:09 < AdvoWork> ecrist, freebsd uses the format: route add -net 10.8.0.0/24 192.168.0.99 instead of: route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.0.99 which may have solved my issue :s
09:10 < ipod> any ideas setup i have vpn server i have a computer running directly from vpn server on 192.168.0.0 address any way to make clients talk to this computer behind vpn server?
09:10 < ecrist> AdvoWork: I would have run the command as 'route add 10.8.0.0/24 192.168.0.99
09:11 < AdvoWork> ecrist, ahh good point. can i undo that one i just did?
09:11 < ecrist> but, you could have written it as 'route add -net 10.8.0.0 -netmask 255.255.255.0 192.168.0.99'
09:11 < AdvoWork> ahh
09:12 < ecrist> AdvoWork: /me is a FreeBSD guy
09:12 < ipod> ?
09:12 < AdvoWork> heh
09:13 < ecrist> ipod: first, start by changing the IP network. 192.168.0.0 is going to cause all sorts of problems with conflicting addresses
09:13 < ipod> well i have the adapter on server set to 192.168.0.1
09:13 < ipod> do i need to change it still
09:13 < brah> I've got this VPN.. between 192.168.15.50 and 192.90.90.50.. and I want the former to be able to ping 192.90.90.51
09:14 < ecrist> ipod, yes.
09:14 < brah> So I've added push route 192.90.90.0
09:14 < brah> But it's still not working
09:14 < ipod> k
09:14 < brah> I think 192.90.90.51 doesn't know how to get to 10.0.10.0/24 but I don't know how to tell it how
09:14 < ecrist> 99.99999% of home routers use 192.168.0.0/24 or 192.168.1.0/24 as their subnet
09:14 < ecrist> your vpn will conflict, causing 'nothing' to be routable.
09:15 < ecrist> brah: 09:15 < ecrist> !route 09:15 < ecrist> and 09:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:15 < ecrist> !route 09:15 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:15 < ecrist> !iroute 09:15 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 09:15 < brah> Cool 09:16 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has quit ["Reducing the world's load, age 25.996."] 09:16 < ipod> ok i have change the private address of the computer using the crossover cable to the vpnserver to network to 10.8.0.1 09:16 < ipod> is this ok? 09:16 < ecrist> sure 09:16 < ipod> ok 09:16 < ipod> now 09:17 < ipod> i have a client thats gonna connect to the vpn network on a 192.168.1.1 09:17 < ipod> how do i get these 2 computers to talk? 09:17 < ipod> thats where im lost 09:17 < ecrist> !howto 09:17 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto
09:18 < ipod> lol read that dont mean to sound noobish im not afraid to admit that im still kinda confused
09:20 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
09:25 < brah> ecrist, the problem with iroute is that I don't want to communicate to the real LAN, 192.168.15.0/24, but to the virtual one, 10.0.10.0/24
09:25 < toehio2> On three different internet connections I have two clients (firewalled) and one server (no firewall). I want client A to be able to use client B's internet connection as a proxy. Is this possible?
09:26 < brah> I don't want site-to-site, I want host to site.
09:26 < ecrist> route
09:35 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
09:35 < Douglas> krzie: there?
09:58 < ipod> ericst: general question how do i manually configure vpn ip w/o gui changing it back
09:58 < ipod> or anyone that can help
10:01 -!- brendan0powers [n=brendan@72.15.28.7] has joined ##openvpn
10:04 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit []
10:06 < brendan0powers> Hello, I'm trying to create an automated process to test to see what openvpn configuration will get past a firewall
10:06 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
10:07 < brendan0powers> for example, udp, tcp, tcp on https port, or http-proxy
10:07 < brendan0powers> And I need a reliable way to tell if the connection came up or not
10:08 < brendan0powers> I have an up script that touches a file when it's connected. So I start openvpn, and wait 15 seconds, then check to see if the file is there.
10:08 < brendan0powers> This seems to work, but I'd like to think there's a better way to do it
10:08 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: reiffert, Gumbler
10:08 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn
10:08 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
10:08 < ipod> brendan
10:09 -!- YpsyZNC is now known as Ypsy
10:09 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
10:10 < brendan0powers> ipod?
10:20 < toehio2> When clients connect to each other through OpenVPN, is the actual connection client A --> client B or is it client A --> server --> client B?
10:25 < brah> Weird, I had to specify 'mssfix 1200' on a client to make Apache behave correctly
10:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
10:34 -!- jeiworth [n=jeiworth@189.134.8.132] has joined ##openvpn
10:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:57 < ecrist> ping krzee/krzie
11:00 -!- Douglas [i=doug@64.18.144.2] has joined ##openvpn
11:09 -!- brah [n=asdfaf@190.16.126.86] has quit ["Leaving"]
11:16 < ecrist> ipod: I'm ignoring you, since you feel the need to ask me, directly, questions which should be posted here.
11:18 -!- jeiworth [n=jeiworth@189.134.8.132] has quit [Read error: 113 (No route to host)]
11:20 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
11:24 < Douglas> lol owned by ecrist
11:24 < Douglas> krzie: ping
11:31 < ecrist> fuck my life
11:31 < ecrist> I've been fighting with a tap vpn for about 2 hours
11:32 < ecrist> all because I forgot 'ifconfig tap0 up' in my script
11:32 < Douglas> lmfao ecrist
11:32 < Douglas> ouch
11:38 < ecrist> still having ping issues, though.
11:38 < ecrist> *grumble*
11:39 < Douglas> ecrist, i found a cool frontend for snort
11:39 < Douglas> ever heard of snorby?
11:39 < ecrist> nope
11:41 < Douglas> pm
11:41 < Douglas> ill shoot you a link
11:45 < ecrist> I've got a setup, VPN client <-> vpn server <-> client lan
11:45 < ecrist> client lan can ping VPN client, but VPN client cannot ping client lan
11:45 < ecrist> pf and ipfw are both disabled on the vpn server
11:51 < Douglas> is glass microwavable
11:52 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection]
11:56 * Douglas smacks krzie
12:13 < toehio2> Is there a way for clients on an OpenVPN server to connect directly to each other?
12:22 < Douglas> yes
12:22 < Douglas> client-to-client
12:22 < Douglas> !man
12:22 < vpnHelper> Douglas: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:25 < toehio2> Douglas: thank you.
12:27 < toehio2> Douglas: does client-to-client have to be in both the server and the client configuration?
12:28 < Douglas> no
12:28 < Douglas> server only
12:29 < Douglas> ecrist: there still?
12:29 < toehio2> I already had that, but the traffic still goes through the server
12:32 < toehio2> I have two tabs open: one is direct and one is through the server. I can see a huge difference. Also, when I ping the other client, I can see it's going through the server.
12:32 < toehio2> Does it matter if I'm using tun or tap?
12:32 < Douglas> toehio2
12:32 < Douglas> of course it goes through the server
12:32 < Douglas> there is no direct connection between the clients
12:32 < Douglas> it is through the server
12:33 < toehio2> aha, that's what I thought
12:33 < toehio2> do you know if there is a way to make it 'direct'?
12:34 < toehio2> similarly to how hamachi does it
12:39 -!- Gumbler_ is now known as Gumbler
12:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:56 -!- toehio2 [i=80fd9c4f@gateway/web/freenode/x-d0175d2c5a81a8d0] has quit ["Page closed"]
12:58 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
13:01 < ecrist> Douglas: still here.
13:03 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:12 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:13 < Douglas> ecrist: pending post
13:13 < Douglas> idk what to do with
13:15 < ecrist> they need 2 for auto-allow, so I tend to approve the first, if it's a spam account, we can catch it on #2
13:15 < ecrist> OTH, that particular post I may decline as OT
13:16 < ecrist> took care of it.
13:16 < Douglas> wasnt sure if we wanted to make a welcome forum or some od
13:17 < ecrist> I would say sure, that way the 'meat' forums don't get clogged with 'Hi, I'm a NEWB!'
13:17 < Douglas> is it possible to "undecline"
13:17 < Douglas> a post
13:17 < ecrist> nope
13:18 < ecrist> well, of course, with a database edit.
13:18 < Douglas> question
13:18 < Douglas> do i make a separate category
13:18 < Douglas> or just add it into existing
13:18 < ecrist> I would create a separate category, "Off Topic, Related"
13:18 < ecrist> or something similar
13:19 < ecrist> make sure to copy perms from an existing forum, though
13:21 < Douglas> Off Topic, Related
13:21 < Douglas> or
13:21 < Douglas> Off Topic or Related (my choice)
13:21 < Douglas> ?
13:21 < ecrist> I'd go Off Topic, Related
13:21 < ecrist> otherwise, you convey that it's OK for discussions on macaroni and cheese
13:25 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
13:27 < Douglas> http://www.ovpnforum.com/viewforum.php?f=11&sid=5fa196556f771102e71624e87b877f8d
13:27 < vpnHelper> Title: OpenVPN Forum View forum - Introductions (at www.ovpnforum.com)
13:28 < ecrist> lemme post some rules
13:32 < Douglas> fun
13:54 -!- swa [n=swa@tuxhacker/swa] has joined ##openvpn
14:02 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)]
14:19 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has joined ##openvpn
14:19 < chrisbdaemon> !route
14:19 < vpnHelper> chrisbdaemon: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:31 < chrisbdaemon> ok, I looked through the routing document.. if I have the openvpn server installed on a gateway to a lan (10.0.0.0) and I want clients to be able to contact the 10.0.0.0 network behind the vpn, do I have to use iroute entries for each client even if I don't want the lan behind the vpn to get to the lan that the client is on?
14:34 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn
14:35 -!- swa [n=swa@tuxhacker/swa] has quit [Read error: 110 (Connection timed out)]
14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:43 < chrisbdaemon> !configs
14:43 < vpnHelper> chrisbdaemon: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:48 < chrisbdaemon> here's my problem, I'm trying to setup openvpn on OpenBSD 4.5 using openvpn 2.1rc15.
I get it running and the client can reach the server running openvpn just fine but it can't ping the lan behind it. tcpdump shows the packets in tun0 but they never reach the internal lan interface, here's the config files.. http://pastebin.com/d6daaa330
14:48 < chrisbdaemon> any ideas what the problem might be?
14:49 < ecrist> chrisbdaemon: you need to add a 'push "route 10.0.0.0 255.255.255.0"'
14:49 < ecrist> to your config
14:49 < chrisbdaemon> it's already there
14:50 < chrisbdaemon> let me clarify, the packets show up in tcpdump on the server's tun0 interface, so it gets to the openvpn server alright, it just never makes it to the internal lan interface of the vpn server
14:54 < Douglas> blah, my iptables is so rusty
14:55 < chrisbdaemon> so no ideas about how to fix my problem?
14:57 < ecrist> chrisbdaemon: ip_forwarding -> enabled on your server
14:58 < ecrist> don't block the packets on the VPN interface in your firewall
14:58 < magic_1> and also make sure your firewall is set
14:58 < magic_1> you must allow traffic from vpn to internal lan
14:58 < chrisbdaemon> ecrist, hahaha, i didn't have forwarding enabled, thanks :) i feel like an idiot now lol
14:58 < magic_1> and vice versa
14:59 -!- Ben8 [n=benthete@61.17.17.157] has quit ["Nettalk6 - www.ntalk.de"]
15:09 -!- brendan0powers [n=brendan@72.15.28.7] has quit [Remote closed the connection]
15:24 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:29 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
15:37 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Remote closed the connection]
15:38 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined ##openvpn
15:41 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
15:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
15:46 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
15:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:22
-!- kiwi_ [n=kiwi@ks359129.kimsufi.com] has quit ["Leaving."]
16:24 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
16:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
16:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
16:39 -!- kyrix [n=ashley@91-115-19-192.adsl.highway.telekom.at] has joined ##openvpn
16:50 -!- chrisbdaemon [n=chrisbda@unaffiliated/chrisbdaemon] has quit ["Leaving"]
17:08 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:08 -!- ipod [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)]
17:23 < |Mike|> krzie: i would bid :)
17:23 < Douglas> krzie: wake up
17:23 < Douglas> .
17:24 < |Mike|> you have a Q Douglas ?
17:25 < Douglas> no
17:25 < Douglas> i want to show krzie something
17:25 < |Mike|> ok.
17:25 < Douglas> i know the rule
17:25 < Douglas> ask the channel not the person
17:25 < |Mike|> mwa, i know krzie for a long while, no worries :-)
17:25 < |Mike|> i'm probably going to meet him at HAR
19:35 -!- Ypsy is now known as YpsyZNC
19:39 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
19:54 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
20:05 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
20:14 -!- Nullslash_ [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
20:15 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [Connection timed out]
20:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:23 -!- kyrix [n=ashley@91-115-19-192.adsl.highway.telekom.at] has quit ["Leaving"]
20:41 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [Read error: 113 (No route to host)]
20:47 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has joined
##openvpn
20:51 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
20:54 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:02 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit []
21:07 -!- master_of_master [i=master_o@p549D3909.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:10 -!- master_of_master [i=master_o@p549D5EF7.dip.t-dialin.net] has joined ##openvpn
21:55 -!- Nullslash_ [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [Client Quit]
22:12 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, worch, dmarkey, dimedo, Dougy, AdvoWork, oc80z, pekster, Gumbler, tarbo2, (+59 more, use /NETSPLIT to show all of them)
22:13 -!- Netsplit over, joins: AdvoWork, HardDisk_WP, master_of_master, swa_work, rodpod, epaphus, Dougy, nemysis, DeathWolf, Douglas (+59 more)
22:14 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:21 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: dazo, nemysis, vpnHelper, swa_work, eliasp, Pagautas, Gumbler, onats, magic_1, Qantouri1c
22:21 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, worch, dmarkey, dimedo, Dougy, AdvoWork, oc80z, pekster, tarbo2, ^scott^, (+46 more, use /NETSPLIT to show all of them)
22:22 -!- Netsplit over, joins: AdvoWork, deever, master_of_master, swa_work, Dougy, nemysis, Douglas, reiffert, vpnHelper, Gumbler (+56 more)
22:24 -!- swa [n=swa@tuxhacker/swa] has joined ##openvpn
22:24 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
22:24 -!- swa is now known as swa_mobil
22:25 -!- swa_mobil is now known as swa_work
22:32 -!- swa_work [n=swa@tuxhacker/swa] has quit ["Leaving"]
22:32 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
23:14 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit []
23:21 -!- Lilarcor [n=Lilarcor@208-58-211-56.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
--- Day changed Fri Jul 24 2009
00:22
-!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
00:32 -!- Infinite [n=Infinite@S0106000625c1ed94.ed.shawcable.net] has joined ##openvpn
00:43 < Infinite> Hi could somebody offer any insight into why I'm receiving the following error: http://pastie.org/557388 ? I receive this error when I attempt to log into the web gui for the first time after completing the initial config script via CLI. I'm running Ubuntu 9.04 with the latest updates. I installed OpenVPN-AS v1.1.3 using the binary provided on openvpn.net. Thanks in advance!
01:07 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has quit [Read error: 104 (Connection reset by peer)]
01:16 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
01:17 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
01:25 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has joined ##openvpn
01:31 -!- phusion [n=phusion@S0106001562457756.gv.shawcable.net] has joined ##openvpn
01:34 < phusion> hello. could someone point me in the right direction for not making my VPN take over my connection in debian linux but rather just have an interface that I can tell say my httpd to bind to etc?
01:34 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
01:56 < Bushmills> !route
01:56 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:56 < Bushmills> ^^^^ phusion
01:58 < phusion> i dont believe thats what im wanting to do though
02:03 < dazo> phusion: what are you really asking about? do you want httpd to bind to the VPN interface?
02:04 < phusion> right, i just want to be able to bind to the ip, or some ip reflective of that vpn connection with my software..
namely httpd
02:04 < phusion> i dont want all my server traffic going over it
02:05 < phusion> i found in windows if i removed redirect-gateway def1 it stopped all my traffic going through the vpn.. however i cant bind anything to the adapter it seems
02:05 < dazo> phusion: that's no problem .... routing is the very best way to do it ... or else you need to start Apache after you have started openvpn .... httpd will not bind to a non-existing device, so openvpn must be running before apache
02:05 < phusion> so i should be able to bind to it no problem then?
02:06 < dazo> phusion: removing redirect-gateway, is correct when you only want the routed networks to go over the VPN, so that sounds sensible for you
02:06 < dazo> phusion: yes, it is possible, as long as the tun/tap device is configured before httpd starts .... meaning, openvpn must start before httpd
02:06 < phusion> hmm ok
02:07 < dazo> phusion: but! it is way more clever to use routing instead, and use the internal IP address of the web server
02:07 < dazo> phusion: you just need in the openvpn server config: push "route 255.255.255.255"
02:07 < phusion> well this is a production box so its kinda like.. ehhhh
02:08 < dazo> phusion: if httpd is accessed via an internal IP address which is routed .... or via the tun/tap device, makes no difference, in perspective of security
02:08 < dazo> phusion: the push config ... that pushes only a host route ... meaning, only one IP address is routed
02:08 < phusion> should i be able to bind things the same way in windows, directly?
02:09 < dazo> phusion: I dunno ... I'm a Linux guy
02:09 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
02:09 * dazo has never configured http services on windows
02:09 < phusion> well i am too but i wanted to try this on something non-critical haha
02:09 < phusion> my own pc before a working server
02:10 < Bushmills> phusion, i misunderstood.
thought you said that your problem was that openvpn gave you a new interface, but didn't "take over" which i thought was "didn't route your traffic through new interface"
02:11 < Bushmills> then your solution is probably "don't route" to prevent openoffice to "take over"
02:12 < phusion> har har
02:13 < Bushmills> seems to have come to that same conclusion already
02:14 < Bushmills> you
02:19 < dazo> phusion: adding that push statement into the openvpn server config should not break anything at all.
02:20 < dazo> phusion: if it breaks something, you've most probably done something very wrong somewhere ... but if you pastebin configs, we can give you a risk evaluation
02:20 < phusion> removing the redirect line worked
02:35 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
02:45 < phusion> i added that push line and i still can't get access services trying to bind to it
02:46 < phusion> tried restarting it after openvpn etc
02:47 < reiffert> which services namely?
02:48 < phusion> apache
02:48 < reiffert> did they bind() successfully?
02:48 < phusion> it started :)
02:49 < reiffert> run nc -l -p 12345 on the openvpn server. on the client run: telnet vpn_server_ip 12345
02:49 < reiffert> then type some letters.
02:50 < reiffert> result prob is: binding works check your service. if not, check your firewall.
02:50 < phusion> no firewall
02:50 < phusion> turned it off
02:50 < reiffert> prove.
02:51 < phusion> wont connect
02:53 < phusion> when it starts in the log i see /sbin/ifconfig tap0 0.0.0.0
02:53 < phusion> is that right?
02:53 < phusion> oh sorry that was when i killed it
02:53 < phusion> hmm yeah i dont know :o
02:55 < phusion> iptables is flushed meng
02:58 < AdvoWork> hi there. ive just tried: Starting virtual private network daemon: client(FAILED) server(OK). by doing sudo /etc/init.d/openvpn restart. Any ideas please?
03:16 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:31 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
03:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
03:38 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:50 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
03:51 < RadarG> hello everyone
03:51 < RadarG> has anyone used zerina before
03:51 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has quit [Read error: 110 (Connection timed out)]
03:53 < RadarG> !howto
03:53 < vpnHelper> RadarG: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:00 < RadarG> Hello i was wondering if somebody can please help me out in configuring a vpn. I tried a few times already and I must be getting something wrong. I'm in korea right now trying to tunnel back to the states. I'm using a Smoothwall with Zerina loaded on it trying to make a connection with an openvpn server (windows Vista) I just need help trying to configure the server and to make sure I have the config
04:10 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
04:15 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
04:17 < master_of_master> hi, how can I do push "redirect-gateway" but only for one certain client?
04:22 < dazo> master_of_master: you'll need to use ccd .... --client-config-dir on the server
04:24 < master_of_master> ok, thx.
04:27 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
04:28 -!- Infinite [n=Infinite@S0106000625c1ed94.ed.shawcable.net] has quit []
04:33 < RadarG> Can someone explain to me how to configure an openvpn server on a windows system? I installed the GUI but it's not being helpful.
04:34 -!- phusion [n=phusion@S0106001562457756.gv.shawcable.net] has quit ["Leaving"]
04:42 < RadarG> you can edit the config files with notepad right?
04:43 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit ["No Ping reply in 90 seconds."]
04:45 -!- eliasp [n=quassel@95.208.45.212] has joined ##openvpn
04:48 < RadarG> In the configuration file for the server what does ;local mean does that mean it's an example?
04:50 < RadarG> Is there advantage using a UDP server vs a TCP?
04:50 < Gorkhaan> TCP can pass proxy.
04:52 < RadarG> I'm not sure if I need this or not. here is my setup xbox-Firewall--internet-router-vpn server
04:52 < RadarG> is this mainly if the ISP goes through a proxy
04:53 < dazo> !tcp
04:53 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
04:53 < dazo> RadarG: ^ ^
04:54 < RadarG> I'm reading it now
04:58 < RadarG> UDP is is than
05:06 < RadarG> now since my goal is to force the xbox's connection to ride across the tunnel can I can be with only using a static generated key or should I create a server and client key?
05:17 < dazo> RadarG: static keys are, when it comes to encryption strength on the VPN tunnel, just as safe as certificates .... but certificates give better authentication of clients and server (it's checked on both sides) ... and if you lose control over a static key, all users must get new static keys, while with certificates, you can revoke only that particular certificate without doing anything else with the rest of the clients
05:17 < dazo> RadarG: so if it's only you with one or two clients .... static keys are probably easier to maintain
05:18 * dazo is not sure though, if you can use --tls-auth + static keys in combination for higher security ....
--tls-auth + certificates works very well though
05:19 * dazo guesses --tls-auth + static keys will not work
05:20 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
05:31 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:34 < RadarG> that's good to know. Zerina is an openvpn front end that I'm trying to configure on my firewall. But another guy is wanting the client to be in the states using a net2net configuration. I'm trying to figure out what is easier
05:36 < RadarG> refer to this post for more details http://community.smoothwall.org/forum/viewtopic.php?f=55&t=32324
05:36 < vpnHelper> Title: View topic - OpenVPN server with Zerina xbox live tunnel community.smoothwall.org (at community.smoothwall.org)
05:37 < RadarG> maybe you guys can read this and clarify
05:46 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has quit ["Leaving"]
05:54 < Gorkhaan> Hi. I have a little question: "dhcp-option DOMAIN" What are the advantages if I Push this option to my clients? :)
05:54 < Bushmills> RadarG, why would you need a frontend to openvpn?
05:54 < Bushmills> RadarG, i mean, usually the client connects, and you're done with
05:57 < Gorkhaan> Anyone plz? :)
05:58 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
06:05 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
06:09 < RadarG> does anyone have any idea about my issue?
06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:26 < Gorkhaan> Hi. I have a little question: "dhcp-option DOMAIN" What are the advantages if I Push this option to my clients?
:)
06:32 < RadarG> Should I use a net2net configuration or a road warrior setup
06:41 -!- elegos [n=elegos@93-34-10-205.ip47.fastwebnet.it] has joined ##openvpn
06:41 < elegos> I've got a question about OpenVPN, DNS and Mac OS X
06:42 < elegos> the question is: why can't OpenVPN set a nameserver in Mac OS X when all the network devices are unplugged?
06:42 < elegos> /etc/resolv.conf is set just fine
06:43 < elegos> but Mac OS X seems to ignore it if all the devices are turned off
06:43 < elegos> I've got this problem using a USB link between me (Mac OS X) and an openvpn server. There is no network connection between us
06:51 < RadarG> ok I have created the adapter on the vista box and I have saved a config file plus the PKCS12 file has been saved to the desktop. Do I need to save this config file to a ovpn file?
06:56 < Bushmills> elegos, not sure whether i understand - the way i understand your question, the answer would be "if all network devices are turned off, openvpn client can't connect to server. but DNS is - optionally - set upon connection only"
06:58 < elegos> Bushmills: thanks for the reply. When I connect my USB device to my MacBook, I'm able to connect to it (connection is OK), internet is indeed shared too, but the DNS is not used. I can't set a custom DNS to a device I don't see in the Network devices list. Maybe an ifconfig setup may help me with. Do you know how to do that?
06:58 < Bushmills> (you try to set DNS with --dhcp-option DNS, i suppose
06:59 < Bushmills> )
06:59 < |Mike|> you push the dns as well ?
06:59 < elegos> ifconfig DEVICE --dhcp-options?
06:59 < elegos> yes
07:01 < elegos> http://azilink.googlecode.com/files/azilink.ovpn <-- this is the configuration file
07:01 < elegos> and I use Tunnelblick as OpenVPN GUI
07:01 < Bushmills> "set custom DNS to device not in network list?" hm .. have you tried setting DNS to an ip address?
07:01 < elegos> Bushmills: I hope it can be done via ifconfig, but I don't know how
07:02 < elegos> there is no network adapter for the USB device in the network preferences tab
07:02 < RadarG> I'm trying to install the certs onto the Vista box I have two of them a root and a host certificate which one should I use?
07:03 -!- elegos_ [n=elegos@93-33-242-165.ip46.fastwebnet.it] has joined ##openvpn
07:03 < elegos_> back
07:03 < Bushmills> in server config push "dhcp-option DNS ip.add.re.ss" should or might do. not sure whether that's the case with non-windows systems too. there's a bit about windows systems in the doc.
07:03 < |Mike|> RadarG: the generated client certs
07:04 < |Mike|> wb elegos_
07:05 < Bushmills> ah, it says " Note that if --dhcp-option is pushed via --push to a non-windows client, the option will be saved in the client's environment before the up script is called, under the name "foreign_option_{n}".
07:05 < elegos_> Bushmills: /etc/resolv.conf is correctly changed
07:05 < Bushmills> oh, ok
07:05 < elegos_> :)
07:05 < |Mike|> !client
07:05 < vpnHelper> |Mike|: Error: "client" is not a valid command.
07:05 < |Mike|> !clients
07:05 < vpnHelper> |Mike|: Error: "clients" is not a valid command.
07:05 < |Mike|> meh.
07:05 < Bushmills> and you can reach the DNS?
07:06 < elegos_> I reach it ofc
07:06 < elegos_> in fact if I create a network with my WiFi device and setup a custom DNS (pointing to the USB device's IP), it works
07:06 < elegos_> but I need to turn WiFi on
07:07 < Bushmills> sounds logical. without wifi on, a DNS on the ip address of wifi device can't be connected
07:08 < elegos_> I'm thinking that mac os x tries to see if any device is connected, if not it won't even load /etc/resolv.conf
07:08 < elegos_> that's a shame
07:09 < |Mike|> RadarG: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
07:09 < vpnHelper> Title: HOWTO (at openvpn.net)
07:09 < Bushmills> ehm ..
i remember that there's a difference in resolv.conf config with OSX .. it allows setting name servers on a per device base
07:09 < Bushmills> or on a per-domain base
07:09 < elegos_> those are deep waters for me :(
07:09 < Bushmills> but I'm not into the finer points of that config
07:10 < elegos_> I know Linux and Mac OS, but not that deep ^^
07:10 < Bushmills> could be related to your problem, though
07:10 < Bushmills> i'd check on an OS/X channel
07:11 < elegos_> thanks
07:19 -!- elegos [n=elegos@93-34-10-205.ip47.fastwebnet.it] has quit [Read error: 110 (Connection timed out)]
07:21 -!- elegos_ is now known as elegos
07:22 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
07:27 < RadarG> how do I import a PKCS12 file into the Openvpn server?
07:30 -!- elegos [n=elegos@93-33-242-165.ip46.fastwebnet.it] has quit [Remote closed the connection]
07:30 -!- elegos [n=elegos@93-34-10-205.ip47.fastwebnet.it] has joined ##openvpn
07:34 < |Mike|> eh?
07:34 < |Mike|> http://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11_about
07:34 < vpnHelper> Title: HOWTO (at openvpn.net)
07:36 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
07:55 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
07:55 < dazo> |Mike|: that's PKCS11 .... smart cards or such variants
07:55 < RadarG> Sorry guys I'm trying to get this to work on my firewall and when it doesn't my connection drops
07:56 < dazo> RadarG: You can use the --pkcs12 config option instead of --key and --cert
07:57 < dazo> RadarG: if you also have the CA certificate inside the pkcs12 file ... you can also skip --ca
07:57 < RadarG> do I need both of them installed on the client
07:58 < dazo> RadarG: both what?
07:58 < RadarG> I think that I got confused somewhere along the way let me explain
07:58 -!- Lilarcor [n=Lilarcor@208-58-211-56.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit ["The Lord of Murder Shall Perish."]
07:58 < dazo> RadarG: if your certificate and keys are in PEM/DER format ... you will need 3 files --ca ca.crt --cert user.crt --key user.key
07:59 < dazo> RadarG: These three files can be put into one PKCS#12 file ... (.p12) which means you can replace all of them with --pkcs12 user.p12
07:59 < dazo> RadarG: was that clearer?
08:00 < RadarG> oh that makes sense
08:00 < dazo> RadarG: there are some openssl commands which do this for you .... I can have a look for the URL if you want me to .... but it's a pretty simple google query, and you'll find plenty of docs on this
08:00 < RadarG> I'm looking on the server(firewall) and I see three p12 files host, root and user
08:01 < RadarG> i imagine those are the three that i need
08:01 < dazo> ehh
08:01 < dazo> RadarG: which format are these files?
08:01 < dazo> RadarG: are they really PKCS#12 files?
08:02 < dazo> RadarG: the client will only need one .p12 file .... the one containing the client certificate, a ca certificate and an encryption key
08:02 < dazo> RadarG: the server key should only stay on the server
08:02 < dazo> RadarG: and the root .... I have no idea what that can be
08:03 < dazo> RadarG: and that's why I'm wondering about the format of these files
08:04 < dazo> RadarG: if you do: openssl pkcs12 -in user.p12 .... does it accept this file?
08:04 < dazo> (you might need to enter a password three times, during this command)
08:05 < RadarG> ok the fog is better now on the server the host and root certs are listed under Certificate Authorities
08:06 < Dougy> anyone in here use snort?
08:06 * dazo has no idea what RadarG is talking about now ...
08:07 < RadarG> I'm sure if you read the post that I put on the smoothwall it would make sense 08:08 < RadarG> I'm using Zerina which is a openvpn frontend app for my firewall 08:08 < RadarG> its the openvpn server and I'm trying to connect back to a client 08:13 < dazo> RadarG: I see the picture a little bit better now ... I'm still surprised you find both root and host certs listed as Certificate Authorities .... is this some kind of Windows GUI view of the .p12 file? 08:14 < RadarG> Zerina gets added to the admin page of the firewall. it makes the p12 and pem files for you 08:15 < RadarG> my goal is to my my xbox and others to connect back to the states 08:15 < dazo> RadarG: aha ... well, I've never met Zerina, but I then expect it to do the job properly 08:15 < dazo> you do need to have 2 certificates (user/host certificate and CA certificate) and a user/host key inside the .p12 .... then your config just need --pkcs12 <.p12 file> 08:15 < dazo> but anyway, it seems you're covered there ... afaik 08:16 < dazo> RadarG: if you can pastebin some openvpn logs .... with --verb 4 in the openvpn config .... it might be easier to help you out further 08:17 < dazo> RadarG: anyway, the errors there are not that difficult to spot ... and they are usually very conclusive in their messages 08:17 < RadarG> well I cant paste the vista logs but I should be able to paste the logs from the firewall 08:18 < dazo> RadarG: well, it can give some indication indeed 08:18 < dazo> seeing both sides might help even more .... 
especially if it's the server which closes the connection, the server logs are important 08:19 -!- ipod [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn 08:20 < RadarG> I'm having trouble finding the log files on the server what is the defualt file name for the log 08:20 < dazo> RadarG: you can explicit set the log destination with --log, iirc 08:21 < |Mike|> Dougy: #snort :) 08:24 < RadarG> ok that was fun I got my server openvpn log file saved as a txt file on my desktop 08:24 * dazo counts down ... 25 minutes to long weekend .... mini holiday! \o/ 08:25 < dazo> RadarG: that's the idea with --log ;-) 08:25 < RadarG> here you go dazo 08:26 < dazo> RadarG: not working .... probably the firewall at work restricting DCC file sharing 08:26 < dazo> RadarG: can you pastebin it? 08:27 < RadarG> how do I do that paste parts into here 08:27 < dazo> RadarG: !pastebin 08:27 < dazo> !pastebin 08:27 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 08:28 < ipod> anyone here knows how to assign manual ips to openvpn with windows gui it keeps setting it back to automatic 08:28 < RadarG> 1sec 08:28 < dazo> ipod: you'll need to setup --ccd on the server ... and assign the IP address from there, afaik 08:29 < ipod> ok 08:29 < dazo> --client-config-dir is the proper config option 08:30 < RadarG> http://pastebin.com/d5332c6ad 08:30 < RadarG> server log 08:30 * dazo looks 08:31 < ipod> so after this is added in i can got into my clients adapter and give it a manual address? 08:31 < dazo> ipod: you assign the ipaddress on the openvpn server 08:32 < dazo> RadarG: your client is reconnecting the whole time .... presumably because of some timeouts ..... 08:32 < ipod> ok check this out 08:32 < ipod> on windows xp i can go into the adapter give it a manual ip address no prob works 08:33 < dazo> RadarG: try configuring this as TCP .... 
it can be that there's some issues with UDP in the connections .... and please add 'verb 4' to the configs as well 08:33 < ipod> on vista i have to use the gui and when i use the gui it does this 08:33 < ipod> ok 08:33 < RadarG> I dont that that the client(Vista in states) is configured/runnig right 08:33 < dazo> ipod: guess what .... XP and Vista works differently on the network stack .... don't expect Vista to behave like XP 08:34 < ipod> i understand that 08:34 < ipod> just was wondering is there a work around in the client itself 08:34 < ipod> instead of doing this on server 08:35 < ecrist> ipod: not really 08:35 < ecrist> the proper way is to do it on the server 08:35 < Dougy> allo eridc 08:35 < Dougy> eric 08:35 < ecrist> otherwise, there's no guarantee the server won't issue that IP to another client 08:35 < ecrist> hey dougy 08:35 < dazo> ipod: not that I'm aware of .... well, of course, it depends on how you have configured openvpn .... if you use a p-t-p connection, you assign both local IP and end point separately on server and client ... but if you use ip address pool on the server, that's only assigned via DHCP requests, configured on the server 08:36 < ipod> ok 08:36 < ipod> thanks guys 08:36 < ipod> i understand 08:36 < dazo> ipod: you're welcome 08:36 < RadarG> could it be that the vista box isnt responding back 08:36 < ipod> it responds 08:37 < ipod> cleans the dhcp and give it the address the server wants it to have 08:37 < dazo> that's right 08:37 < dazo> and that sounds very sane 08:42 < Dougy> !logs 08:42 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
08:42 < Dougy> we 08:42 < Dougy> er 08:42 < Dougy> !configs 08:42 < vpnHelper> Dougy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:46 < RadarG> dazo still there 08:46 < dazo> RadarG: I am .... did you try to reconfig to use TCP? and increase logging to verb 4 .... 08:47 < dazo> RadarG: but I'm only here for 5 more minutes 08:47 < RadarG> no not yet I'm trying to get the certs transfered to the vista box 08:53 < RadarG> I have copied the cacert and the p12 file over to the desktop on the vista box 08:53 < RadarG> can I just place them in the openvpn folder or do they need to go into a certain one 08:53 < dazo> RadarG: sorry ... I need to run now 08:54 < RadarG> ok 09:21 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 09:27 < RadarG> is there anyone else that can help me configure this net2net link 09:32 < RadarG> Here is the conf that I'm suose to install on the vista box but I dont know if its right http://pastebin.com/d100c9dd8 10:10 -!- Dougy [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 10:12 -!- elegos [n=elegos@93-34-10-205.ip47.fastwebnet.it] has quit [] 10:19 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 10:20 < RadarG> anybody know what could cause this error? 
10:20 < RadarG> Fri Jul 24 11:18:33 2009 Cannot open dh1024.pem for DH parameters: error:02001002 ystem library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file 10:20 < RadarG> the client gave me this error 10:24 -!- AdvoWork [n=AdvoWork@unaffiliated/advowork] has quit ["Leaving"] 10:28 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 10:34 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 10:37 < plaerzen> g'morning guys 10:38 < RadarG> good night for me its going on 1am here 10:38 < RadarG> 1am Sat 10:40 < plaerzen> quite the difference 10:40 < plaerzen> 9:40 am fri 10:43 < RadarG> I'm in South Korea 10:45 -!- CoffeeIV_ [n=CoffeeIV@adsl-99-162-117-1.dsl.austtx.sbcglobal.net] has joined ##openvpn 10:57 < CoffeeIV_> I have a remote cluster of Linux machines behind 1 IP address that is a linux NATing gateway. I want to set up an VPN so I can access the group from anywhere. Should I install the OpenVPN on the linux gateway itself, or is there a way to forward a port and install it on a different machien behind the gateway ? 10:57 < CoffeeIV_> Are there big advantages to doing it either way ? 11:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:08 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 104 (Connection reset by peer)] 11:08 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 11:17 -!- c64zottel [n=hans@p5B17AE91.dip0.t-ipconnect.de] has joined ##openvpn 11:18 -!- c64zottel [n=hans@p5B17AE91.dip0.t-ipconnect.de] has left ##openvpn [] 11:31 < RadarG> Can someone please look at this client log to see if everything is right http://pastebin.com/de77cce7 11:31 < ecrist> no 11:31 < ecrist> your TLS handshake isn't happening. 11:33 < RadarG> well its not going to yet I have configured the firewall yet. When I fire up the VPN link it drops all connection on green side. 
I need to setup the IP tables to route the traffic on Orange (DMZ) through the link without breaking the computers on green 11:34 < ecrist> why would you ask us to tell you it'snot working, when you know it'snot working? 11:34 < RadarG> I wanted to know if there was another noticable problem 11:35 * plaerzen does the ovpn dance 11:35 < RadarG> that and I have to figure out how to route the traffic through the client back in the states 11:35 < ecrist> RadarG: doing silly things makes helpful people not want to be helpful 11:36 < RadarG> i dont think its silly. you just have to know my goal and config 11:40 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [] 11:40 < RadarG> Its simple when you think about I have 50 hosts total on this firewall on Orange(DMZ) I have 4 xboxs and others get pluged in as guests I need to be able to temporary connect the xboxs through a vpn link back to the states due to the limited bandwidth on the vpn link i dont want the boxs to be always connected. 11:41 < rawDawg> !route 11:41 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:42 < RadarG> thanks 11:44 < RadarG> xbox has this crazy thing were you cant get items suck as map packs if you are outside the country. Me and my peoples are US citizens that want the content back cant get it. 11:45 < RadarG> also I want to watch netflix vids on my xbox 11:46 < RadarG> it doesnt sound as crazy now does it? 11:47 < ecrist> who said anything was crazy? 11:47 < RadarG> ok silly than 11:47 < ecrist> what is silly is asking us to troubleshoot something you know is broken. 11:47 < ecrist> I was referring to you asking us to review your log files, when you already knew there were problems. 11:50 < RadarG> I'm sure there is 20 problems that I have to work out. I was hoping that everywhere here might be able to catch another possible issue. 
11:51 < ecrist> my advice, work through everything, get yourself a working VPN. *if* you run into a problem you're not sure how to fix, ask. 11:52 < RadarG> oh I will if needed. I'm going back to fixing iptables on the server now. 12:03 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:17 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [] 12:19 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection] 12:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 12:28 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has joined ##openvpn 12:30 < mark___> hi guys, got a problem. server 1 runs an openvpn server and server 2 connects to it as a client. server 2 also has an openvpn server on it and to which client 1 (desktop machine) connects to. is there any way client 1 can router to server 1? client 1 can currently route to server 2 but not server 1 12:30 < mark___> sorry for the confusion but i'm stuck 12:32 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 12:32 < mark___> on server 1 i'm getting MULTI: bad source address from client [192.168.10.6], packet dropped from client 1 12:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 12:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:35 < mark___> well for client 1 via server 2 12:47 -!- minyx [n=phusion@S0106001562457756.gv.shawcable.net] has joined ##openvpn 12:48 < minyx> hey guys. I'm having trouble getting my httpd to bind to the IP of my vpn. I do not want all of my server traffic routed through the VPN (I have removed the redirect-gateway line). Is this even possible? I have nothing in my iptables either. 
12:50 < rawDawg> one of my clients is on a network 10.100.2.0 12:50 < rawDawg> the ip is 10.100.2.20 12:50 < rawDawg> there is a route in the clients table 12:51 < rawDawg> 10.100.2.0 255.255.255.0 10.200.2.20 12:51 < rawDawg> err 12:51 < rawDawg> 10.100.2.0 255.255.255.0 10.100.2.20 12:51 < rawDawg> sorry 12:52 < rawDawg> shouldnt the gateway be the router? which is 10.100.2.1 12:52 < minyx> hey, get in line :) 12:52 < minyx> haha 12:53 < rawDawg> sorry i just cant figure this out :( 12:53 < rawDawg> where this route came from 12:55 < rawDawg> minyx: use client-config-dir 12:55 < rawDawg> and add an iroute entry for the clients network in the client config file 12:59 < minyx> when you say the clients network, what do you mean 12:59 < minyx> this is just on my server and thats it 13:00 < rawDawg> !route 13:00 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:00 < rawDawg> that has a great explanation 13:02 < minyx> it still doesnt explain the client notation 13:03 < minyx> when it says lan im confused because all i want is to use this on my server 13:03 < rawDawg> you need two hosts to create a tunnel 13:03 -!- p2hicy [i=p2hicy@unaffiliated/p2hicy] has joined ##openvpn 13:04 < rawDawg> every host has an ip on a network "lan" = the network 13:06 < minyx> so you said to add an iroute entry for the clients network in the client config file.. the client network being the network of the main IP configured on my box, and the config file being openvpn.conf? 13:06 < minyx> i guess i have some reading to do.. 
i just dont have enough knowledge of routing to bridge the gap 13:07 < rawDawg> !route 13:07 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:07 < rawDawg> i had to read that a couple of times 13:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:08 < minyx> well its not even that.. when you dont understand enough about the terms used in general its cryptic :\ 13:08 < minyx> it's explaining all of this stuff, but what is it doing 13:08 < minyx> heh 13:09 < minyx> im trying to get this going on a production box so i dont exactly want it to crap out 13:10 < rawDawg> you should test it out in a lab first 13:10 < rawDawg> get a tunnel up between two hosts on the same network 13:10 * minyx cries 13:10 < rawDawg> so there is no routing issues 13:10 < rawDawg> then add the routes 13:11 < rawDawg> and move the client to a remote network 13:11 < minyx> heh i'll piss around with it 13:11 < minyx> would be nice to just know what to do.. seeing that im not going to need to do anything else with this software 13:12 < rawDawg> !howto 13:12 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:12 < rawDawg> it is pretty straight forward 13:19 < minyx> gah 13:19 < minyx> as much as i understand you want me to learn everything and read the whole article.. whats wrong with just stating what i need to do 13:19 < minyx> all i would like is clarification on your comment regarding the iroute 13:21 < ecrist> minyx, read the documentation, please. we're more than willing to help you, but we're not going to do it for you. 13:22 < minyx> well it seems clear that its like 1-2 lines i need to implement and you're refusing to help.. 
i'd probably understand it too 13:23 < ecrist> *shrug* 13:23 < minyx> if i were asking for help with a module in apache i'd certainly go look at the docs, but i require a complete understanding of all of this stuff just for noe task 13:23 < minyx> one* 13:24 < ecrist> *shrug* 13:26 < minyx> yeah, you're cool. 13:26 < ecrist> *shrug* 13:28 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has left ##openvpn [] 13:39 < MadTBone> is there a list of openvpn install options for the windows installer? 13:39 < MadTBone> command line options, I mean 13:39 < ecrist> not that I'm aware of. 14:08 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 110 (Connection timed out)] 14:10 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Excess Flood] 14:11 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 14:11 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 14:21 -!- Nahual [n=Nahual@c-76-16-154-107.hsd1.il.comcast.net] has joined ##openvpn 14:22 < Nahual> I've run into an interesting problem, one of my peers is giving me an authenticate packet error but he is also switching between the designated port 1199 and 49163, the configurations match all of my other clients minus the specific ones for the connection 14:23 < ecrist> there is a bug 14:23 < ecrist> I believe it's fixed in rc19 14:23 < ecrist> another user ran across it the other day 14:23 < ecrist> !irclogs 14:23 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 
14:24 < Nahual> Alright, I'll update, thank you sir 14:24 < ecrist> no problem 14:27 -!- Nahual [n=Nahual@c-76-16-154-107.hsd1.il.comcast.net] has left ##openvpn [] 14:28 -!- nentis [n=nentis@173-11-4-145-oregon.hfc.comcastbusiness.net] has joined ##openvpn 14:29 < nentis> Congrats to the OpenVPN folk for receiving an "A" rating from Veracode. 14:31 -!- neb_ [n=nebula@s0up.digitalkharma.org] has joined ##openvpn 14:31 -!- Nahual [n=Nahual@c-76-16-154-107.hsd1.il.comcast.net] has joined ##openvpn 14:31 < Nahual> ecrist: Unfortunately updating to rc19 did not solve my particular problem, he's still bouncing 14:32 < ecrist> Nahual: I posted links to the irc channel logs 14:32 < ecrist> I'd look through there and see if you can find the users' resolution 14:32 < Nahual> Can do 14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:43 -!- Nahual [n=Nahual@c-76-16-154-107.hsd1.il.comcast.net] has left ##openvpn [] 14:59 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn 15:02 < RadarG> ok I'm still troubleshooting my vpn server I fired up both side to see if they would take and here are the results that I got the first one is the log from the client http://pastebin.com/m41257e18 and the next one is the log from the server http://pastebin.com/m31915fd3 15:04 < RadarG> 98 network is in the states and 210 is in Asisa 15:07 < RadarG> I 'm having a problem trying to figure out where to go to from here 15:07 < ecrist> RadarG: looks like a firewalling issue. you still have TLS negotiation failure 15:07 -!- neb_ [n=nebula@s0up.digitalkharma.org] has quit ["leaving"] 15:08 < RadarG> what side do think? 
15:08 < ecrist> server side 15:08 < ecrist> either that, or your client isn't sending a certificate 15:08 < ecrist> !configs 15:08 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:08 < ecrist> !logs 15:08 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 15:13 < RadarG> where is the server.conf stored on the server 15:14 < ecrist> where ever you put it 15:14 < ecrist> it could just be a long command line, as well 15:17 < RadarG> I found the server.conf 15:18 < RadarG> do you want a copy of the server.conf? 15:18 < RadarG> i changed the verb to 6 15:20 < MadTBone> if one is using --auth-user-pass-verify, is there a good reason to password protect the client keys? 15:21 -!- nentis [n=nentis@173-11-4-145-oregon.hfc.comcastbusiness.net] has left ##openvpn ["... packet dropped."] 15:29 < rawDawg> i cannot ping my clients lan ip 15:29 < rawDawg> i have ip routing enabled and i pushed the route to my server through the tunnel ip 15:30 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 15:36 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn 15:37 < RadarG> hmm I chnaged the verb to 6 on both sides and opened the port on the clien TLS errors 15:41 < rawDawg> !howto 15:41 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:44 < RadarG> What does does this part of the log mean? 05:30:52 openvpnserver 98.115.x.x:50828 UDPv4 READ [114] from 98.115.x.x:50828: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100 15:47 < RadarG> Could it be possible that the certs are notright on the client? 
15:56 < RadarG> AFK 16:03 < rawDawg> does iroute still work, with topology subnet? 16:04 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 16:04 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 16:09 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit ["Leaving"] 16:17 < MadTBone> when adding a client key/cert, do you need to rebuild the dh(n).pem ? 16:17 < rawDawg> no 16:17 < rawDawg> you have to load vars though 16:18 < MadTBone> rawDawg: thanks 16:18 < rawDawg> np 16:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection timed out] 16:36 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 16:42 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 17:10 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 17:10 -!- swa [n=swa@tuxhacker/swa] has joined ##openvpn 17:12 -!- swa [n=swa@tuxhacker/swa] has quit [Client Quit] 17:12 -!- swa [n=swa@tuxhacker/swa] has joined ##openvpn 17:13 -!- swa [n=swa@tuxhacker/swa] has quit [Remote closed the connection] 17:13 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 17:15 < RadarG> How do you import certs to a windows openvpn server? 17:16 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 17:25 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 145 (Connection timed out)] 17:26 < ecrist> RadarG: what do you mean? 17:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:34 < RadarG> I'm thinking that the certs are not placed right. How would import the certs on the windows cleint 17:34 < RadarG> is there a certain folder that the certs should be placed in? 
17:34 < ecrist> the only certs you need on the server are the server certificate, the server certificate key, and the ca public key 17:34 < ecrist> no, you reference them in your startup config 17:36 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:39 < RadarG> hmm I'm looking at the ovpn file on the client and it shows "pkcs12 link2in.p12" does that mean that the p12 file has to be in the same directory as the ovpn? 17:42 < ecrist> no, that means the file needs to be in what ever directory you're in when you start openvpn 17:42 < ecrist> also known as 'current working directory' 17:42 < ecrist> best to use full path 18:01 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)] 18:19 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 18:22 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:24 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn 18:25 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Client Quit] 18:41 -!- theTroy [n=troy@unaffiliated/thetroy] has joined ##openvpn 18:41 < theTroy> howcome when I modprobe for tun it is there, but tap is not? 18:41 < theTroy> ubuntu jauntry 18:43 < theTroy> and also, when using TAP DHCP I get error "no dynamic or static remote --ifconfig address is available for client" on server 18:54 < Gorkhaan> Ubuntu has TUN/TAP kernel module with it's default kernel 18:54 < Gorkhaan> !topology 18:54 < vpnHelper> Gorkhaan: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
18:55 < Gorkhaan> use topology subnet in the server config 18:55 < Gorkhaan> read the corresponding manual for futher info 18:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 19:04 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 19:04 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 19:09 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)] 19:20 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn 19:21 < boswarrior> !redirect 19:21 < vpnHelper> boswarrior: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 19:21 < boswarrior> !ipforward 19:21 < vpnHelper> boswarrior: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 19:21 < boswarrior> !linipforward 19:21 < vpnHelper> boswarrior: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:21 < boswarrior> !fbsdipforward 19:21 < vpnHelper> boswarrior: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 19:22 < boswarrior> !def1 19:22 < vpnHelper> boswarrior: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 20:15 -!- YpsyZNC is now known as Ypsy 20:39 -!- Ypsy is now known as YpsyZNC 21:03 < boswarrior> !howto 21:03 < vpnHelper> boswarrior: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 21:07 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [] 21:08 -!- master_of_master [i=master_o@p549D5EF7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 -!- master_of_master [i=master_o@p549D5BCB.dip.t-dialin.net] has joined ##openvpn 22:04 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit ["Ex-Chat"] 22:56 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn 22:56 < kc8pxy> !logs 22:56 < vpnHelper> kc8pxy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 22:59 < kc8pxy> !configs 22:59 < vpnHelper> kc8pxy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 23:25 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Connection timed out] 23:27 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn --- Day changed Sat Jul 25 2009 01:07 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 01:35 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 02:18 -!- Douglas [i=doug@64.18.144.2] has quit [Remote closed the connection] 02:33 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn 02:40 -!- swa_work [n=swa@swatteksystems.com] has left ##openvpn ["Leaving"] 02:45 -!- c64zottel [n=hans@p5B17BB92.dip0.t-ipconnect.de] has joined ##openvpn 02:58 < RadarG> thats strange.... 03:00 < RadarG> I type in "openvpn --dev tun4 --ping xxxxxx.dyndns.org" to test the connection 03:03 < RadarG> it came up and said that the sequence completed but where it says UDPv4 link local (bound): (undef):1194 and UDPv4 link remote is undef as well. 
Could this be why the TLS handshake is failing 03:32 < theTroy> I get error "no dynamic or static remote --ifconfig address is available for client" when I try to DHCP the incoming clients on TAP interface 03:33 < theTroy> moreover, modprobe returns false on the TAP, but positive for the TUN, and when connection is established, TAP interface is not in the ifconfig 03:33 < theTroy> ubuntu jauntry 03:46 < RadarG> ecrist are you there? 03:48 < RadarG> Could a TLS handshake error be caused by to great of a time difference between the client and the server? 03:58 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [] 04:02 -!- RadarG [n=nightwol@98.115.35.178] has joined ##openvpn 04:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:19 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn 04:20 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)] 04:22 < RadarG> could a 12 hour timezone difference cause TLS handsahake errors? 04:41 -!- theTroy [n=troy@unaffiliated/thetroy] has left ##openvpn [] 04:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)] 04:54 < RadarG> !configs 04:54 < vpnHelper> RadarG: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:00 < RadarG> . 05:05 < RadarG> In the config file on the client where is says local and remote does it have to be IP addresses or can it be hostname.dyndns.org? 05:13 < RadarG> I think I might have found something here is a posting of the client.config http://pastebin.com/d3e35250e 05:14 < RadarG> under port it has 1197 shouldnt it be 1194 to match the server? 
05:16 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
05:22 -!- c64zottel [n=hans@p5B17BB92.dip0.t-ipconnect.de] has left ##openvpn []
05:36 -!- RadarG [n=nightwol@98.115.35.178] has quit []
05:40 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
05:41 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
05:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has left ##openvpn ["I ♥ GNU/Linux!"]
05:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:46 -!- tjz [n=tjz@bb121-6-135-189.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
06:00 -!- tjz [n=tjz@bb121-6-115-182.singnet.com.sg] has joined ##openvpn
06:03 < RadarG> has anyone setup an openvpn client on windows and got it to work?
06:06 < Gorkhaan> Sure, what's wrong?
06:29 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit []
06:30 -!- tjz [n=tjz@bb121-6-115-182.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
06:42 -!- tjz [n=tjz@bb219-75-5-131.singnet.com.sg] has joined ##openvpn
06:56 -!- YpsyZNC is now known as Ypsy
07:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:16 -!- rodpod [n=rod@74-133-38-196.dhcp.insightbb.com] has quit [No route to host]
07:19 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
07:38 < RadarG> hmm the more I play with this the more I learn something. anyone know what could cause the client to not be able to open a p12 file "Error opening file Link2IN.p12 (OpenSSL)"
07:53 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
08:08 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
08:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:16 < RadarG> I feel better now at least I have a different error message
08:16 < RadarG> client "error opening SSL"
08:17 < RadarG> brb
08:18 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit []
08:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
08:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:23 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn
09:24 -!- kyrix [n=ashley@188-23-73-23.adsl.highway.telekom.at] has joined ##openvpn
09:30 -!- Douglas [i=doug@64.18.144.2] has joined ##openvpn
09:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
09:40 -!- dannyboy1121x [n=dan_cc_k@mail.silverlotus.co.uk] has joined ##openvpn
09:42 < dannyboy1121x> Hi .. quick question. I have a Nokia E71 phone with IPSEC support - and an endpoint with OpenVPN on it. The Nokia phone supports ipsec ... can OpenVPN work with ipsec?
09:51 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has joined ##openvpn
09:52 < RadarG> Has anyone seen the following error "Error opening file C:\Program (OpenSSL)"
09:53 -!- dannyboy1121x [n=dan_cc_k@mail.silverlotus.co.uk] has quit []
09:54 < kyrix> dannyboy1121x: IANAE, but i think no
09:55 -!- Douglas [i=doug@64.18.144.2] has quit [Remote closed the connection]
10:02 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 113 (No route to host)]
10:05 -!- xieles [n=paul@122.172.112.169] has joined ##openvpn
10:05 < xieles> hey
10:05 < xieles> I have configured openvpn in my server
10:06 < xieles> and installed client in my laptop
10:06 < xieles> now if I take a site in my browser , it should go through my server right ?
10:08 < boswarrior> xieles, what kind of traffic? without bridging or routing only the traffic towards the server is tunneled
10:09 < xieles> my requirement is this.. Once I connected through vpn, every traffic should go through my server.. means I need to bypass my ISP's firewall
10:09 < xieles> is it possibe
10:09 < xieles> possible*
10:10 < boswarrior> it is
10:10 < boswarrior> i am working on the same thing here
10:10 < boswarrior> there are many ways to do it
10:10 < boswarrior> either routing/bridging
10:10 < boswarrior> i got 5 ips at my server @ datacenter
10:11 < boswarrior> so i want to use one ip strictly for internet gateway
10:11 < boswarrior> u got one or more ips?
10:11 < xieles> how can I do that
10:11 < xieles> I got 1 IP now..
10:11 < xieles> if need, I will get more IP
10:12 < boswarrior> its not a must
10:12 < boswarrior> but i guess this is the more clean solution
10:12 < boswarrior> so that all ports are directed to ur pc @ home
10:13 < boswarrior> xieles, as i see u speak german, try http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways
10:13 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu)
10:15 < xieles> boswarrior, I will check that.. thanks for the doc..
10:15 < boswarrior> np
10:16 < boswarrior> if its not expensive try to get one ip extra
10:16 < boswarrior> so that u connect to ip1 for vpn, and the 2nd ip is there only for ur internet tunnel
10:17 -!- c64zottel [n=hans@p5B17BB92.dip0.t-ipconnect.de] has joined ##openvpn
10:17 -!- c64zottel [n=hans@p5B17BB92.dip0.t-ipconnect.de] has left ##openvpn []
10:17 < boswarrior> xieles, http://wiki.ubuntuusers.de/OpenVPN is also quite informative
10:17 < vpnHelper> Title: OpenVPN › Wiki › ubuntuusers.de (at wiki.ubuntuusers.de)
10:23 -!- Douglas [i=doug@64.18.144.2] has joined ##openvpn
10:27 -!- kyrix [n=ashley@188-23-73-23.adsl.highway.telekom.at] has quit ["Leaving"]
10:27 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has joined ##openvpn
10:27 < Darkclaw66> hello, can someone tell me which device I should use to configure openvpn, tun or tap? I read pros/cons on each and still am unsure
10:29 < boswarrior> what do u wanna do?
10:30 < Darkclaw66> I have a server at home that has samba and other services that I would like another computer remotely to access
10:32 < boswarrior> one or more clients? and if more do u want to access their shared folders too?
10:33 < Darkclaw66> it might be more than one client and they should have access to their shared folder
10:33 < boswarrior> i would go with tun and routing
10:34 < boswarrior> since as an experienced user u can easily connect to a share like //10.8.0.4
10:34 < boswarrior> bridging is not so efficient as routing
10:34 < boswarrior> and with bridging u also transport ur broadcasts
10:34 < Darkclaw66> if I did tap, i wouldnt be able to do //ip ?
10:35 < boswarrior> which would waste ur bandwidth
10:35 < boswarrior> with tap its the same
10:35 < boswarrior> but u can use windows network places
10:35 < Darkclaw66> why would someone want to use tap though?
10:35 < boswarrior> for a complete layer 2 connection
10:36 < Darkclaw66> what advantage does that bring though
10:36 < boswarrior> if u want to play ipx network games
10:36 < Darkclaw66> oh so it thinks its truly in the same subnet?
10:36 < boswarrior> or that people can easily use windows filesharing
10:36 < boswarrior> as if they were in the lan itself
10:36 < boswarrior> right
10:36 < boswarrior> same subnet
10:37 < Darkclaw66> oh okay I don't want that, I think it's good for it to be its own unique subnet
10:37 < boswarrior> in my view its nice for ppl who cannot remember ips
10:38 < Darkclaw66> okay great you truly helped me out, tun it is, thanks :)
10:38 < boswarrior> np
10:38 < boswarrior> i am fiddling with openvpn too
10:39 < boswarrior> i want to route all my inet traffic through vpn
10:39 < boswarrior> also 4 different ways :)
10:39 < boswarrior> i found it nice with tun
10:40 < boswarrior> that every client gets a fixed ip, lets say 10.8.0.6
10:40 < boswarrior> and u can modify ur firewall
10:40 < Bushmills> !redirect
10:40 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:40 < Bushmills> boswarrior, ^^^
10:40 < boswarrior> Bushmills, thx i already read that
10:40 < boswarrior> Bushmills, i got some questions, maybe u can help
10:40 < boswarrior> Bushmills, i got a server in a datacenter
10:41 < boswarrior> which got 5 ips
10:41 < boswarrior> and i want to use one ip solely for vpn internet gateway redirect
10:41 < boswarrior> i guess i should use tun /routing
10:42 < Douglas> Domain Name : ovpnforum.com
10:42 < Douglas> Registered on : 8/24/2008 7:33:57 PM
10:42 < Douglas> Registered for : 1 year(s)
10:42 < Douglas> Expires on : 8/24/2009 7:33:57 PM
10:42 < Douglas> Days to Expire : 30
10:42 < Douglas> shit
10:42 < Douglas> lol
10:42 * Douglas renews
10:42 < Douglas> or.. not
10:42 < Bushmills> those 5 ips are all bound to the same interface?
10:42 < Bushmills> or do you use them for, say, virtual machines?
10:42 < boswarrior> yeah they are, but i can put it also on an extra interface
10:42 < boswarrior> i use 4 of them for virtual machines with openvz
10:43 < Bushmills> then you wouldn't want one of those 4 for your outgoing traffic
10:43 < boswarrior> why that?
10:43 < Bushmills> !nat
10:43 < vpnHelper> Bushmills: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
10:44 < boswarrior> i dont get it, i do nat already
10:44 < boswarrior> i dont want every pc in my lan to get a real ip on the datacenter server
10:44 < RadarG> ? the cert on the server and the client can they be a different name as long as they are the same cert
10:44 < boswarrior> RadarG, guess so
10:45 < RadarG> thanks
10:45 < boswarrior> but not sure:)
10:45 < Douglas> Bushmills: do you have a bunch of serevrs?
10:45 < Douglas> servers *
10:46 < Darkclaw66> what is the difference between server and push in the config?
10:46 < boswarrior> Bushmills, now i understand u, i can spare one real ip for inet traffic forwarding
10:47 < Darkclaw66> I want to push the WAN ip of the box only
10:48 < RadarG> hmm I dont understand this problem that I'm having. When I connect with the client I get a "Error opening file C:\Program (OpenSSL)"
10:48 < Darkclaw66> i actually dont need the entire subnet pushed
10:49 < Darkclaw66> is that right?
10:49 -!- jeiworth [n=jeiworth@189.163.138.134] has joined ##openvpn
10:51 -!- Douglas [i=doug@64.18.144.2] has quit []
10:53 < Darkclaw66> I guess I could push the entire subnet but use ipfw to not allow certain ports be open
10:54 < Darkclaw66> that's the right way, right?
10:59 < RadarG> Ok guys I need to know which configuration I should go with. I'm in Asia with the VPN server and the client is in the states. I need to be able to take some hosts and connect back to the states. On zerina it gives me two options one is a road warrior setup and the other is a net2net connection. Which one should I use?
11:01 < Darkclaw66> you're Asia?
11:03 < RadarG> yes
11:03 < Darkclaw66> how do you live being a country
11:04 < RadarG> I think a net2net setup would be better, but what is the difference in this case
11:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:04 < RadarG> I'm in Korea its pretty cool here
11:09 < RadarG> Oh how am I living in another country? I'm a contractor
11:12 < Darkclaw66> sorry im new to this
11:16 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
11:20 < Darkclaw66> do I need to install any special software on the windows client computer to use the openvpn ?
11:33 < krzee> Darkclaw66, yes... openvpn
11:33 < krzee> !notcompat
11:33 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn
11:33 < Darkclaw66> can I deselect a lot of the components to install?
11:33 < Darkclaw66> like the TAP-Win32 virtual ethernet adapter
11:34 < Darkclaw66> and OpenVPN User-Space Components
11:35 < krzee> no
11:35 < Darkclaw66> but im using a TUN implementation
11:35 < krzee> the first is the virtual adapter openvpn uses, second is openvpn itself
11:35 < krzee> the windows tap adapter does tun mode
11:35 < Darkclaw66> alrighty I'll leave everything as default and not deselect any of the options
11:36 < krzee> kinda like the tun kernel module in linu does tap mode
11:36 < krzee> linux
11:36 < Darkclaw66> i installed openvpn, how do I configure it?
11:37 < Darkclaw66> I guess I just copy the client sample to the config dir
11:39 < Darkclaw66> hmm where do I specify the server IP address in the config?
11:39 < Darkclaw66> nevermind
11:40 < krzee> !howto
11:40 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:40 < krzee> !sample
11:40 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
11:40 < krzee> !goal
11:40 < vpnHelper> krzee: Error: "goal" is not a valid command.
11:40 < Darkclaw66> I got the server running only thing left is the client
11:41 < krzee> !learn goal as Please clearly state your goal for your vpn: example, "I would like to access the lan behind the server", "I would like to access the internet over my vpn", "I just want a secure connection between 2 computers", etc
11:41 < vpnHelper> krzee: Joo got it.
11:42 < krzee> !goal
11:42 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:42 < Darkclaw66> what's the parameter to specify listen-address in the openvpn server?
11:42 < krzee> !sample
11:42 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
11:42 < krzee> local
11:42 < Darkclaw66> nice!
11:42 < Darkclaw66> I was close
11:43 < Darkclaw66> I had put listen-address
11:43 < krzee> why?
11:43 -!- brizly [n=brizly_v@p4FC9A23A.dip0.t-ipconnect.de] has joined ##openvpn
11:44 < Darkclaw66> did you have to give vpn group rights to root?
11:44 < RadarG> when configuring the client.ovpn, in the SSL section it has CA,client,and key, Do I need a key or can I make do with the CA, and client crt?
11:45 < Darkclaw66> reason im asking is because I am getting this error in the server config /sbin/route delete -net 172.30.0.0 172.30.0.2 255.255.255.0
11:45 < Darkclaw66> route: must be root to alter routing table
11:45 < krzee> you must start it as root
11:45 < Darkclaw66> hmm I am
11:45 < krzee> it can drop its perms via user and group commands in config
11:46 < brizly> hi there. I have an iptables question. my openvpn.server is on 192.168.23.27, behind a dsl-router, the router is 192.168.23.254. the router has an interface to the internet, and an interface to wifi/wlan. the router runs openwrt. how do i have to set the routers firewall to allow wifi-clients to get to the openvpn-server?
11:46 < Darkclaw66> I think I started getting this error when I put in the local IP address
11:46 < krzee> Darkclaw66,
11:47 < krzee> !configs
11:47 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:47 < krzee> !goal
11:47 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:47 < brizly> and, of course, the router has an interface to the lan, where the openvpn-server is in
11:47 < Darkclaw66> krzee I get the error when I add the local ip thing in the config
11:49 < Darkclaw66> yikes was it supposed to be local or listen?
11:49 < krzee> !man
11:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:49 < Darkclaw66> that was my mistake, it was supposed to be local not listen
11:49 < krzee> do you plan on paying attention to the things my bot asks you?
11:50 < Darkclaw66> already have the documentation up
11:51 < Darkclaw66> I just overlooked the name but realized it afterwards
11:52 < krzee> brizly,
11:52 < krzee> !goal
11:52 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:52 < Darkclaw66> Options error: Unrecognized option or missing parameter(s) in client.ovpn:42:
11:53 < brizly> krzee: i would like to access the vpn-server behind the firewalling dsl-router from the wifi
11:54 < krzee> ok, securing your wifi connection using ovpn?
11:54 < brizly> no, want to reach the lan over ovpn
11:55 < Darkclaw66> hey krzee can you please tell me why I have to specify the certificate information in the client config?
11:55 < krzee> ok
11:55 < krzee> !linfw
11:55 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info
11:55 < krzee> damn they broke the rewrite on that one too
11:56 < krzee> ecrist, can you tell francis they broke rewrite on the manpages?
11:57 < RadarG> what is the difference between a client crt and a client key?
11:57 < Darkclaw66> hey krzee do I copy the cert files from the server to the client?
11:57 < krzee> the key is secret, crt is public cert
11:58 < krzee> Darkclaw66, the howto has a table for where certs go
11:58 < Darkclaw66> sorry can you please tell me which howto has that information?
11:59 < krzee> !howto
11:59 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:00 < RadarG> the howto is not that great
12:00 < krzee> RadarG, i disagree
12:00 < krzee> the howto and manual are all i needed
12:00 < Darkclaw66> krzee I don't have the build-key-server the howto is referring to
12:00 < krzee> but you do, its part of easy-rsa
12:01 < Darkclaw66> hmm I dont have that either
12:01 < brizly> krzee: still don't understand how to set the PRE/POSTROUTING in iptables on the router :-(
12:01 < Darkclaw66> I am using freebsd
12:01 < krzee> Darkclaw66,
12:01 < krzee> !ssl-admin
12:01 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:02 < krzee> see #3
12:02 < Darkclaw66> gotcha
12:02 < Darkclaw66> thanks krzee you def know this
12:02 < krzee> yw
12:05 < RadarG> can someone tell me how I get a client key? My front end zerina created the crts&p12 files. I have referred to the files in the client.ovpn. I have a CA,server, and client p12 but I dont see a client key
12:06 < brizly> krzee: does the router have to masquerade the wifi-request like that?
12:06 < brizly> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.23.27
12:06 < brizly> iptables -t nat -A POSTROUTING -p udp --dport 1194 -d 192.168.23.27 -j MASQUERADE
12:06 < Darkclaw66> im guessing its a bad idea to have only one certificate for every user
12:07 < krzee> you only need nat if you need to access the inet over ovpn
12:07 < krzee> Darkclaw66, correct
12:07 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:08 < brizly> krzee: there is no need to go over vpn, the wifi is allowed to use inet without vpn.
12:08 < minyx> Could someone assist me with setting up my vpn client to *not* route all my servers traffic thru it, but rather allow me to just bind services to the IP on the tap adapter or some IP equivalent to the VPN? im trying to bind an httpd to it.. i've read the howtos but i'm not proficient enough in networking to understand what's going on
12:08 < krzee> then you dont need nat
12:08 < brizly> krzee: i want to use vpn to access the local network (lan), which is behind the router
12:09 < krzee> ok
12:09 < krzee> and lan is behind the server?
12:09 < krzee> and its a diff subnet?
12:09 < brizly> lan is behind the router. the vpn-server itself is in that lan
12:09 < krzee> ok
12:10 < brizly> it's that i can access my lan securely through the internet _or_ wifi
12:10 < krzee> and wifi is a diff subnet than the lan, right?
12:10 < brizly> yes
12:10 < RadarG> I might have figured it out. I think that the client key is included in the client.p12 file. How can I get the client.ovpn to use this key.
12:11 < krzee> dunno RadarG i use normal style files
12:11 < krzee> theres stuff in the manual for that style tho
12:11 < brizly> it's just that i can't find a running example on the inet. too often the iptables-rules are made for the openvpn-server itself. but openvpn-server is running well on lan (even if it's not needed there, it was just for tests)
12:11 < krzee> brizly, and vpn subnet is different as well, right?
12:12 < brizly> yes
12:12 < krzee> ok
12:12 < krzee> so the firewall
12:12 < krzee> add a nat entry to port forward ovpn
12:12 < brizly> lan is 192.168.23.0 ## vpn is 192.168.24.0 ## wifi is 10.2.242.0
12:12 < krzee> so you can connect to router: port
12:12 < krzee> and it will connect to the ovpn server
12:12 < krzee> then push the route to the client for the lan
12:13 < krzee> if the lan vpn machine is the server, thats all you need
12:13 < brizly> i added that line to the router:
12:13 < brizly> iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination 192.168.23.27
12:13 < brizly> and the vpn-client in wifi says "connection refused, code 111)
12:14 < krzee> what ip are you trying to connect to after that?
12:15 < brizly> i try to connect to the router-wifi-ip.
12:15 < krzee> hrm
12:15 < brizly> the client should not know that the vpn-server is 'behind' him.
12:15 < krzee> then your port forward must not be working, or you arent allowing the wifi client to make a connection
12:15 < krzee> im no iptables guru
12:17 < brizly> isn't there a need to add something in postrouting as well?
12:17 < krzee> could be
12:17 < krzee> i dont really use linux
12:17 < krzee> but
12:17 < krzee> !linnat
12:17 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:17 < krzee> see last link
12:18 < krzee> #3
12:18 < krzee> ignore the rest
12:18 < brizly> oh, wait. did i make a mistake above?
12:18 < brizly> shouldn't i restrict the prerouting to the destination-ip of the router?
12:19 < brizly> now _every_ request on dport 1194 is directed to 23.27., even his own?
12:19 < krzee> ill wait for someone who knows iptables to get here and answer that
12:19 < krzee> since im pretty clear that im no iptables guy
12:20 < krzee> whatever it is, its standard port forwarding
12:20 < brizly> hm, i changed to iptables -t nat -A PREROUTING -p udp -d 10.2.242.65 --dport 1194 -j DNAT --to-destination 192.168.23.27 # nothing changes :-(
12:20 < brizly> ok, thanks, i will try some things
12:24 < RadarG> Does anyone know what could cause an OpenSSL error to popup when a client tries to connect?
12:24 < krzee> what would the error be...
12:26 < RadarG> 530204 Error opening file C:\Program (OpenSSL)
12:26 < krzee> RadarG, you dropping privs after the connection?
12:27 < krzee> try adding: persist-key and persist-tun
12:27 < RadarG> its not connecting. its a new install
12:27 < RadarG> its never connected before
12:27 < krzee> persist-key
12:27 < krzee> persist-tun
12:27 < krzee> oh
12:27 < krzee> then check your paths are right
12:27 < krzee> !configs
12:27 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:28 < RadarG> i'll check and get back with you
12:30 < RadarG> ok the persist-key and persist-tun arent set. how should I set these?
12:32 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:34 < RadarG> here is the server conf http://pastebin.com/d2a212a41
12:35 < krzee> [13:27] persist-key
12:35 < krzee> [13:27] persist-tun
12:35 < krzee> like that
12:35 < krzee> just toss those in the config
12:35 < krzee> but since it never connects, thats not your issue
12:35 < krzee> you either arent starting it as admin, or you have the path wrong
12:37 < krzee> thats your server config?
12:37 < krzee> try stealing from this:
12:37 < krzee> !sample
12:37 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
12:37 < krzee> you arent even handing out ips
12:38 < RadarG> http://pastebin.com/d4bf0424b server config
12:39 < RadarG> client
12:40 < krzee> pkcs12 C:\\Program Files\\OpenVPN\\config\\Link2IN.p12
12:40 < krzee> put the file in "'s
12:41 < krzee> pkcs12 "C:\\Program Files\\OpenVPN\\config\\Link2IN.p12"
12:41 < Darkclaw66> this certificate situation is driving me nuts krzee
12:41 < krzee> Remember on #
12:41 < krzee> # Windows to quote pathnames and use #
12:41 < krzee> # double backslashes, e.g.: #
12:41 < krzee> # "C:\\Program Files\\OpenVPN\\config\\foo.key" #
12:41 < Darkclaw66> the thing is, I already have a certificate created for my server, I just need to create client certificates and I dont know how to do that
12:41 < krzee> Darkclaw66, and you are now using ssl-admin...?
12:42 < krzee> !ssl-admin
12:42 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:42 < Darkclaw66> well no because I already have the server side certificates created
12:42 < RadarG> oh thanks
12:42 < Darkclaw66> I just need to create client certificates
12:46 < Darkclaw66> I need to have these scripts utilize my existing keys and not create new ones
12:48 < krzee> whatev Darkclaw66
12:48 < krzee> do it however you want then
12:48 < Darkclaw66> :(
12:48 < RadarG> holy crap I think that it connected!!!
12:48 < Darkclaw66> if I do what they say then I will lose the valid keys
12:48 < Darkclaw66> the ones that are legit
12:48 < Darkclaw66> I actually have a paid certificate from go-daddy
12:48 < krzee> Darkclaw66, you control both sides of the vpn?
12:48 < Darkclaw66> yes
12:48 < krzee> then why do you give a shit you are using their cert?
12:49 < krzee> a self signed cert is just as good if not better
12:49 < krzee> ild rather be in control of my own CA.key for a ovpn setup
12:49 < Darkclaw66> but if I have a paid ssl certificate from go-daddy, shouldnt I use that?
12:49 < RadarG> although it is saying something about the data area passed to a system call is too small.
12:49 < krzee> ca.key is the most valuable file in a ovpn setup (or any PKI setup)
12:49 < krzee> ild rather be the only one to ever use it
12:50 < Darkclaw66> youre recommending not to use the same certificate I am using for ssl web and just create my own?
12:51 < krzee> yup
12:51 < krzee> and keep your CA hella secret
12:51 < krzee> my ca box doesnt even have an ethernet cable
12:51 < krzee> ca.key is the keys to your kingdom
12:52 < krzee> why let godaddy have the keys to your ovpn kingdom
12:52 < krzee> ild rather own my own key, and be the only one to
12:52 < krzee> to have it
12:52 < Darkclaw66> oh I finally understand now, I totally agree
12:52 < Darkclaw66> I shouldn't mix it is what youre saying
12:52 < krzee> i wouldnt
12:52 < krzee> it has no advantage
12:53 < Darkclaw66> okay gotcha, I really appreciate you explaining it and glad I didnt follow the wrong path
12:53 < krzee> and if you decide that letting godaddy have complete ability to sign client keys for your vpn, it has a disadvantage
12:53 < krzee> err
12:53 < krzee> and if you decide that letting godaddy have complete ability to sign client keys for your vpn is bad, it has a disadvantage
12:53 < krzee> in fact, if you dont have access to your ca.key, you cant sign client certs anyways
12:54 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
12:54 < krzee> youd need godaddy to do it
12:54 < krzee> just grab ssl-admin from ports and make your stuff from scratch
12:54 < RadarG> krzee it connected and got an ip address. Now how can I test the connectivity?
12:54 < krzee> you just edit 1 config file and its done
12:54 -!- Ypsy is now known as YpsyZNC
12:54 < Darkclaw66> ca.key would be the file that has this: -----BEGIN RSA PRIVATE KEY----- ?
12:54 < krzee> RadarG, ping the ovpn ip
12:54 < krzee> by default server gets .1 and client1 gets .6
12:55 < krzee> Darkclaw66, dunno man, client.key server.key would look like that too
12:55 < krzee> you're the one who should be able to answer that Darkclaw66
12:56 < Darkclaw66> I have the following files in my ssl directory: server.cer, server.csr, and server.key and unfortunately I am not sure if they are correct
12:56 < krzee> Darkclaw66, start over
12:56 < Darkclaw66> hehe yeah
12:56 < krzee> use ssl-admin
12:56 < Darkclaw66> alright back to the drawing board
12:56 < krzee> !ssl-admin
12:56 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:56 < krzee> see link #1
12:56 < krzee> and snag it from ports
12:57 < RadarG> krzee time out on pinging the ip that was given.
12:57 < krzee> it was made by ecrist here in the chan, and it is much nicer than easy-rsa
12:57 < krzee> RadarG, what ip you pinging?
12:57 < RadarG> the ip that was given to the client
12:57 < krzee> RadarG, what ip you pinging?
12:57 < RadarG> 10.251.62.6
12:58 < krzee> !logs
12:58 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:58 < krzee> namely, client log
12:58 < RadarG> standby
13:02 < RadarG> the log is pretty big to put into pastebin, is there a certain section you're looking for
13:02 < krzee> when it connects and wants to add routes
13:02 < krzee> i want like 10 lines before and 10 after
13:05 -!- kyrix [n=ashley@188-23-71-165.adsl.highway.telekom.at] has joined ##openvpn
13:06 < RadarG> whats the best way to get it to you? its a big log, I have it saved onto my windows as a text file
13:08 < RadarG> route options modified is what you need
13:10 < krzee> pastebin
13:10 < krzee> maybe back it up to verb 5
13:10 < RadarG> http://pastebin.com/d5c583ab5
13:11 < RadarG> server and client both back to 5?
13:13 < krzee> ya then gimme it all
13:13 < krzee> remove the file before starting ovpn
13:15 < RadarG> stby
13:19 < RadarG> i sent it to you
13:19 < krzee> ok
13:19 < krzee> thats what i thought
13:19 < krzee> !winroute
13:20 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
13:20 < krzee> route-method exe
13:20 < krzee> route-delay
13:20 < krzee> toss those in
13:20 < RadarG> into the server config or client?
13:21 < RadarG> i'll have to read up on those
13:22 < krzee> into the windows machine
13:22 < krzee> whatever config you gave me
13:23 < RadarG> is there any setting for those or do I just dump it onto the bottom of the config
13:25 < krzee> dump it in
13:25 < krzee> first has 1 setting, which was exe
13:25 < krzee> second we want default setting, so like i gave you it
13:29 -!- RadarG1 [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn
13:30 < RadarG1> hmm dropped off there
13:34 < Darkclaw66> hey krzee
13:35 < Darkclaw66> does "myserver" need to map to a reverse dns for it to be valid when doing this "./build-key-server myserver.example.com" ?
13:35 < krzee> still not using ssl-admin i see
13:36 < krzee> and no, that doesnt even need to be the hostname
13:36 < krzee> it can be anything unique
13:36 < Darkclaw66> since im using freebsd, I am using this tutorial http://www.freebsddiary.org/openvpn-easy-rsa.php
13:36 < vpnHelper> Title: The FreeBSD Diary -- Creating your own Certificate Authority (at www.freebsddiary.org)
13:36 < RadarG1> krzee entries added
13:36 < krzee> Darkclaw66,
13:36 < krzee> i gave you a link for ssl-admin howto
13:36 < krzee> !freebsd
13:36 < vpnHelper> krzee: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
13:36 < krzee> why do you ask me stuff if you dont listen to my answers?
13:37 < krzee> then you ask something you wouldnt need to ask if you paid attention to my earlier answers
13:37 < Darkclaw66> sorry
13:38 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
13:38 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
13:40 < RadarG1> krzee I still cant ping the ovpn ip. I added the entries and restarted the link
13:40 < Darkclaw66> do I need to set a challenge password or should I leave it blank?
13:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:42 < Darkclaw66> I cant remember if I need to set a challenge password
13:42 -!- toehio [n=toehio@dyn.144-85-160-216.dsl.vtx.ch] has joined ##openvpn
13:42 < RadarG1> now both ends use the same 192.168.1.xxx could this be an issue?
13:42 < toehio> is UDP or TCP 'faster' in general?
13:43 < Darkclaw66> udp is faster
13:43 < toehio> thanks
13:43 < krzee> !tcp
13:43 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:43 < Darkclaw66> I guess I can leave the password blank
13:43 < Darkclaw66> the openvpn.net howto doesn't say I need to put in a password
13:44 < krzee> RadarG, only a problem if you want to use !route or !redirect
13:44 < krzee> correct, can be blank
13:44 < Darkclaw66> k cool
13:44 < krzee> its optional for pw protecting the .key
13:45 < Darkclaw66> did you set a password on yours?
13:45 < RadarG1> well my goal is to send traffic from my DMZ(xboxes) across the link to the states so I can download map packs
13:47 < RadarG1> !redirect
13:47 < vpnHelper> RadarG1: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:47 < RadarG1> !route
13:47 < vpnHelper> RadarG1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:47 -!- RadarG [n=nightwol@pool-98-115-35-178.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)]
13:48 < RadarG1> I'm thinking route would be best
13:48 < RadarG1> I dont need all traffic, just a couple of ips
13:49 < RadarG1> i dont want to drain my connection here. My dsl is fat here
13:52 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:54 < rawDawg> how do you setup routes in the server config file using "topology subnet"?
13:55 < Darkclaw66> do i need to keep the client created certs on the server?
13:56 < Darkclaw66> or can i delete them?
13:58 < rawDawg> you dont need the client.crt or client.key on the server
13:58 < Darkclaw66> how about the .csr ?
13:58 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
13:58 < rawDawg> you dont even need that on the client
13:59 < Darkclaw66> okay cool, so once the files are generated I can delete them from the server and copy them to the client machine
13:59 < rawDawg> it will be smart to make a backup offline of all your client certs
13:59 < Darkclaw66> the key and cert?
13:59 < rawDawg> you can always issue new ones
14:00 < rawDawg> but if you "lose" one, it might be easier to have a backup
14:01 < Darkclaw66> do I copy the ca.key also on the server?
14:01 < RadarG1> krzee should I have done a server to server connection instead of a server to client
14:02 < rawDawg> Darkclaw66 yes
14:02 < rawDawg> wait no
14:02 < Darkclaw66> I can't tell which .crt to copy over, ca.crt or vpn.server.crt
14:03 < rawDawg> ca.crt goes to client as well
14:03 < Darkclaw66> weird, I have two different crts
14:03 < rawDawg> !howto
14:03 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:04 < Darkclaw66> nm
14:10 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
14:11 -!- jPalmPuck [n=portness@lan.akprofessionalconsulting.com] has joined ##openvpn
14:11 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [Client Quit]
14:12 < RadarG1> still cant ping the distant end. I saw in the log file that something needed permissions. I saw that I wasnt running the windows gui with administrator rights
14:12 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
14:14 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit [Nick collision from services.]
14:14 -!- jPalmPuck is now known as Darkclaw66
14:15 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
14:26 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit []
14:29 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
14:33 < RadarG1> krzee the resolv-retry infinite entry in your client config, does that force it to reconnect if it drops
14:34 < krzee> !an
14:34 < vpnHelper> krzee: Error: "an" is not a valid command.
14:34 < krzee> !man
14:34 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:35 < Darkclaw66> where the heck is crl.pem supposed to be?
14:35 < Darkclaw66> guess I have to run revoke-full
14:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:39 -!- brizly [n=brizly_v@p4FC9A23A.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)]
14:40 < Darkclaw66> hmm that didnt work
14:41 -!- brizly [n=brizly_v@p4FC9A23A.dip0.t-ipconnect.de] has joined ##openvpn
14:42 < Darkclaw66> anyone know?
14:42 < Darkclaw66> I can't seem to create a ctl.pem that the server config is looking for
14:44 < Darkclaw66> anyone know?
14:46 < Darkclaw66> CRL: cannot read: /etc/ssl/openvpn/keys/crl.pem: Permission denied
14:46 < Darkclaw66> its set to readable to everyone wtf?
14:49 < Darkclaw66> anyone here that can help me?
14:49 < Darkclaw66> im so close to getting this thing working but the ctl.pem is giving me problems
14:51 < Darkclaw66> I even set the permission to 777 and its still saying it cannot read it, permission denied
15:00 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit ["Ex-Chat"]
15:01 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn
15:02 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit [Client Quit]
15:03 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit []
15:10 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
15:15 -!- RadarG1 [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
15:17 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn
15:19 -!- theTroy [n=troy@unaffiliated/thetroy] has joined ##openvpn
15:19 < theTroy> I get error "no dynamic or static remote --ifconfig address is available for client" when I try to DHCP the incoming clients on TAP interface
15:19 < theTroy> moreover, modprobe returns false on the TAP, but positive for the TUN, and when connection is established, TAP interface is not in the ifconfig
15:19 < theTroy> ubuntu jaunty
15:21 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 113 (No route to host)]
15:40 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has quit []
15:52 -!- xieles [n=paul@122.172.112.169] has quit ["Leaving"]
16:02 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
16:34 -!- CyBerNetX [n=jbm@APuteaux-755-1-5-155.w90-35.abo.wanadoo.fr] has joined ##openvpn
16:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
16:34 -!- CyBerNetX [n=jbm@APuteaux-755-1-5-155.w90-35.abo.wanadoo.fr] has left ##openvpn ["Leaving"]
16:45 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
16:46 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 54 (Connection reset by peer)]
17:08 -!- Darkclaw66 [n=portness@lan.akprofessionalconsulting.com] has joined ##openvpn
17:08 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
17:08 < Darkclaw66> my God I've been trying to get openvpn to work all day and im still not there yet
17:08 < Darkclaw66> the client can ping the server but Samba is not working
17:11 < Darkclaw66> hopefully someone can help me cause my hair is turning white
17:12 < Bushmills> so openvpn works
17:12 < Bushmills> you're looking for the problem at the wrong spot
17:13 < Bushmills> were i to say "i have been trying to get my network card up, but i can only ping other machines, but this and that service doesn't work", would you tell me that the problem is with the network card?
17:15 < Darkclaw66> im not sure I am following
17:16 < Darkclaw66> samba works perfectly but it doesnt work fine with openvpn
17:17 < Bushmills> "i have been trying to get my network card up, but i can only ping other machines, but samba doesn't work. what is wrong with my network card"
17:17 < Darkclaw66> I never said anything about my network card up
17:18 < Bushmills> substitute network card against openvpn
17:18 < Darkclaw66> Bushmills you arent really helping my situation
17:18 < Bushmills> you haven't described your problem yet
17:18 < Darkclaw66> samba does not work through openvpn
17:18 < Bushmills> other than "samba doesn't work"
17:18 < Darkclaw66> ...
17:19 < Darkclaw66> how can I verify if openvpn is setup properly?
17:19 < Bushmills> ping the server
17:19 < Darkclaw66> how can I verify the IP of the server
17:19 < Bushmills> ifconfig on the server, or look in server config
17:20 < Darkclaw66> inet 172.30.0.1 --> 172.30.0.2
17:20 < Darkclaw66> is the IP .1 or .2
17:20 < Bushmills> you tell me
17:20 < Darkclaw66> im asking you
17:20 < Bushmills> it is your server
17:21 < Darkclaw66> that is what is listed under tun0
17:21 < Bushmills> ok. 10.86.80.1 or 10.86.80.2, what is the ip addr of my server?
17:21 < Darkclaw66> tun0: flags=8051 metric 0 mtu 1500
17:21 < Darkclaw66> inet 172.30.0.1 --> 172.30.0.2 netmask 0xffffffff
17:21 < Darkclaw66> Opened by PID 39323
17:21 < Bushmills> just as difficult for you to tell as it is for me to tell which is yours
17:22 < Bushmills> ifconfig on mine says inet addr:10.86.80.1
17:22 < Darkclaw66> not mine
17:22 < Bushmills> and in server config, i set it to be 10.86.80.1
17:22 < Bushmills> so i know that server ip addr is 10.86.80.1
17:23 < Darkclaw66> server 172.30.0.0 255.255.255.0
17:23 < Bushmills> seems you're looking at client config
17:23 < Darkclaw66> nope thats server
17:23 < Darkclaw66> http://www.ircpimps.org/openvpn.configs
17:23 < Darkclaw66> this is how its supposed to be configured
17:24 < Bushmills> beg your pardon, you're right. that is server
17:24 < Darkclaw66> but your tunnel IP is being displayed differently than mine
17:26 < Bushmills> inet 172.30.0.1 that comes from your ifconfig output?
17:26 < Darkclaw66> yes
17:26 < Darkclaw66> mine is displayed differently
17:26 < Bushmills> well, on mine it says inet addr:10.86.80.1
17:26 < Darkclaw66> inet 172.30.0.1 --> 172.30.0.2 netmask 0xffffffff
17:27 < Bushmills> and you can ping from client 172.30.0.1
17:27 < Darkclaw66> yes
17:27 < Bushmills> congratulations
17:27 < Darkclaw66> the server can't ping the client but the client can ping the server
17:28 < Bushmills> your openvpn works
17:28 < Darkclaw66> I can ping it but I can't connect to any of the ports or anything with the ip
17:29 < Bushmills> does not look like an openvpn issue
17:29 < Bushmills> more like, firewall
17:29 < Darkclaw66> ay vay I figured out the problem
17:30 < Darkclaw66> its because samba was only listening on the WAN IP and not the VPN IP
17:31 < Bushmills> sounds like a samba issue to me
17:31 < Darkclaw66> yes, its working perfectly now though
18:25 -!- brizly1 [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has joined ##openvpn
18:36 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:36 < ksnp> hi anyone know a good free portable openvpn client for mac ?
18:40 -!- brizly [n=brizly_v@p4FC9A23A.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
18:45 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:50 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:57 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
19:03 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)]
19:05 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn
19:05 < theTroy> (21:19:14) theTroy: I get error "no dynamic or static remote --ifconfig address is available for client" when I try to DHCP the incoming clients on TAP interface
19:05 < theTroy> (21:19:19) theTroy: moreover, modprobe returns false on the TAP, but positive for the TUN, and when connection is established, TAP interface is not in the ifconfig
19:05 < theTroy> (21:19:24) theTroy: ubuntu jaunty
19:05 < theTroy> I do really need help with that
19:06 < theTroy> ksnp tunnelblick
19:06 < theTroy> but you can hardly call that portable
19:06 < theTroy> since mac by default does not have tun/tap
19:07 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 113 (No route to host)]
19:08 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit [Client Quit]
19:13 -!- kyrix [n=ashley@188-23-71-165.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
19:14 -!- kyrix [n=ashley@91-115-16-184.adsl.highway.telekom.at] has joined ##openvpn
19:22 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn
19:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
19:31 < |Mike|> Hello
19:31 < |Mike|> theTroy: what's the issue ?
19:35 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit ["Ex-Chat"]
19:44 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
19:47 -!- YpsyZNC is now known as Ypsy
19:51 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn
19:53 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit [Client Quit]
20:00 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
20:00 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
20:01 < Darkclaw66> you know, it wasnt hard setting up openvpn
20:01 < Darkclaw66> the hardest part was setting up the certificates
20:01 < Darkclaw66> a very annoying process
20:03 < |Mike|> hardest ?
20:12 < Darkclaw66> frustrating
20:12 < Darkclaw66> because for each client, need to create a certificate
20:15 < |Mike|> that's so true.
20:16 < |Mike|> depends on how many clients you apply
20:17 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn
20:17 < RadarG> morning all
20:18 < Darkclaw66> hello
20:19 < Darkclaw66> can I ask you guys something
20:20 < Darkclaw66> what's the point of doing push "route IP subnet" ?
20:21 < |Mike|> if you don't, it would never connect :)
20:21 < Darkclaw66> it basically gives network access to the clients that connect to it?
20:21 < |Mike|> Yes Darkclaw66
20:22 < Darkclaw66> but how does that work exactly? let's say for example we have push "route 77.14.11.50 255.255.255.248" what does that exactly give the clients access to?
20:23 < Darkclaw66> how would the clients access each of those ips in the network?
20:23 < Darkclaw66> it's the million dollar question
20:25 < Darkclaw66> mike where'd you go
20:25 < Darkclaw66> :(
20:29 < RadarG> If it will make you feel better i'm still trying to make client be a gateway.
20:29 < |Mike|> openvpn does handle clients with DHCP
20:30 < Darkclaw66> I got everything working but im questioning some of the logic
20:30 < |Mike|> if you have set up NAT, those clients would be able to access them
20:31 < Darkclaw66> well, right now tun0 is set to 172.30.0.1, how would the client access the other ips?
20:31 < |Mike|> client to client in the config would fix that
20:32 < Darkclaw66> client-to-client is in the config but im just wondering how the clients would access the other ips?
20:32 < |Mike|> define other ips ?
20:33 < Darkclaw66> so in the example, the WAN IP is 77.14.11.50 and part of the WAN subnet is 77.14.11.51, .52, .53, etc
20:33 < Darkclaw66> the client has access to .50 because it is mapped to 172.30.0.1
20:35 < Darkclaw66> i guess what im questioning is what is the point of giving it a subnet if the clients are only going to have access to one ip
20:37 -!- kyrix [n=ashley@91-115-16-184.adsl.highway.telekom.at] has quit [Remote closed the connection]
20:38 < RadarG> Can someone please take a look at this to ensure that the push route entries etc are going to do what I want. http://pastebin.com/d45e50a7c
20:39 < RadarG> I'm wanting to take traffic on 192.168.2.x and push it down to the client
20:40 < Darkclaw66> RadarG you know 192.* is not recommended right?
20:42 < RadarG> I'm using 10.251.x.x for the link but I need to force the traffic here in that network down the pipe to the client
20:43 < Darkclaw66> oh i see
20:44 < Darkclaw66> it seems like what youre trying to do is a little more entailed than what I did
20:45 < Darkclaw66> I got it working but im questioning a couple of things
20:45 < RadarG> My server has three lans behind it: 192.168.1.1 is green, 2.1 is orange (DMZ), 3.1 purple. The client has 1.1 and I need to get 2.1 to talk to the client's 1.1
20:45 < RadarG> that make sense?
20:46 < Darkclaw66> that makes perfect sense
20:47 < Darkclaw66> are you using tunneling or tap?
20:47 < RadarG> tun
20:47 < Darkclaw66> are you able to get one of the clients connected to the vpn?
20:49 < RadarG> yes and no, I can get the client back in the states to connect but I'm not getting any traffic down the pipe. When the client connects to the vpn server it loses internet connectivity and dns, but I'm still remoted into it. I can turn the vpn connection off and the internet connection comes back on the client
20:51 < Darkclaw66> any of the clients in the same country?
20:51 < RadarG> nope the server is in korea and the client is in the states
20:51 < RadarG> its a long haul
20:52 < Darkclaw66> yeah im thinking by going through all those routers it might not work okay
20:52 < Darkclaw66> i dont know enough to say for sure
20:52 < Darkclaw66> if you could test it by making it local that might be a good start
20:53 < Darkclaw66> you know, emulating the states server
20:53 < RadarG> I'm with some iptables and ipchains kung fu it can be done
20:53 < Darkclaw66> that way you know you are configuring it correctly
20:53 < Darkclaw66> that's what I'd do
20:53 < Darkclaw66> I feel your pain
20:54 < RadarG> the vpn or also a firewall so its not like I'm using three linksys routers or something
20:54 < Darkclaw66> I would disable all firewalls to make sure nothing is getting filtered
21:00 < Darkclaw66> well, my questioning was valid, the push "route ... " thing is unnecessary
21:01 < Darkclaw66> without routing the subnet its worthless
21:04 < RadarG> but that entry in the server conf is needed for the subnetting to work right?
21:06 < Darkclaw66> yes
21:07 < RadarG> well at least I'm going in the right direction
21:08 -!- master_of_master [i=master_o@p549D5BCB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:08 < RadarG> For the rest of the server config me and a buddy should be able to figure it out. Now I just need to figure out how to make the client bend to my will
21:11 -!- master_of_master [i=master_o@p549D7163.dip.t-dialin.net] has joined ##openvpn
21:12 < Darkclaw66> at least you got a friend to work with :)
21:13 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
21:22 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
21:28 -!- Ypsy is now known as YpsyZNC
21:38 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
21:40 -!- [2]ksnp is now known as ksnp
21:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
21:48 < Darkclaw66> hmm I dont think push "route.. " is working for me
21:49 < RadarG> krzie are you there?
21:51 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
21:55 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:56 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)]
21:58 < RadarG> hey Darkclaw66 did you figure out iroute?
21:58 < Darkclaw66> i did
21:58 < Darkclaw66> not working correctly but I am still working on it
21:59 < RadarG> do i just place the entry into my client.ovpn?
22:00 < RadarG> iroute 192.168.1.1 255.255.255.0
22:00 < Darkclaw66> that's what's stumping me, if we add the push "route ..." it should automatically add the route to the clients machines
22:00 < Darkclaw66> it doesnt make sense to me to do it in both places
22:01 < rawDawg> !route
22:01 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:01 < rawDawg> it does make sense if you read why
22:01 < rawDawg> its also in the manual
22:01 < rawDawg> !man
22:01 < vpnHelper> rawDawg: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:03 < Darkclaw66> hmm
22:04 < rawDawg> iroute goes into the file that is created inside the client-config-dir that has the same name as the common name you specified in the cert
22:04 < rawDawg> for that specific client
22:04 < Darkclaw66> I dont understand, so I have to specify the route subnet in the server config AND the client config?
22:05 < rawDawg> depends on the mode you are using
22:05 < Darkclaw66> client-to-client, tun
22:06 < rawDawg> then you just "ifconfig 10.8.0.1 10.8.0.2"
22:06 < rawDawg> and switch those ips on the other client
22:06 < Darkclaw66> the client is a windows machine
22:06 < RadarG> so is mine
22:06 < rawDawg> right you still use ifconfig in the config
22:07 < rawDawg> !howto
22:07 < vpnHelper> rawDawg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:07 < Darkclaw66> it's just stumping me.. what's the point of doing push "route ..." if I have to do it manually on the windows client machine
22:07 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 113 (No route to host)]
22:07 -!- [2]ksnp is now known as ksnp
22:07 < rawDawg> if you do it manually on each side, then you dont have to push a route
22:08 < Darkclaw66> but I want to do a push route, it will make my life so much easier
22:08 < RadarG> ok here is another one, what loads the config file that has the iroute command in it?
22:08 < rawDawg> its a convenience for a multi client setup
22:08 < Darkclaw66> yes
22:08 < rawDawg> the server
22:08 < rawDawg> pushes those parameters to the client
22:08 < Darkclaw66> for some reason it's not pushing it
22:09 < rawDawg> you need the client parameter in the client
22:09 < rawDawg> or "pull"
22:09 < rawDawg> it's all in the manual
22:09 < RadarG> thats because he has to use the iroute right?
22:09 < Darkclaw66> im looking at the howto but im not sure which part youre referring to that talks about the client parameter
22:09 < rawDawg> !man
22:09 < vpnHelper> rawDawg: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:10 < RadarG> god i love irc
22:10 < Darkclaw66> route-method exe, is that what you mean?
22:10 < rawDawg> no thats for using route.exe to add routes
22:10 < Darkclaw66> isn't that what I want
22:10 < rawDawg> yeah that helps on windows
22:10 < Darkclaw66> okay will try brb
22:11 < rawDawg> search for "client mode"
22:11 < rawDawg> in the man
22:13 < Darkclaw66> I added pull, that didnt fix it
22:13 < Darkclaw66> next one is tls-client
22:14 < rawDawg> !configs
22:14 < vpnHelper> rawDawg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:14 < RadarG> ok let me see if i got this straight, i put "client-config-dir /path/to/ccd/" into my server.conf; does it matter what i call the file that is on the client as long as I put the iroute line in there?
22:14 < rawDawg> the file will be on the server
22:15 < rawDawg> and yes the name of the file has to be the common name you specified when you created the client's cert
22:16 < rawDawg> please pastebin your configs, both client and server
22:16 < Darkclaw66> http://pastebin.com/m3ed3ee25 here is the client config
22:17 < RadarG> Darkclaw66 your client is a windows box right?
22:17 < Darkclaw66> yes
22:18 < Darkclaw66> the problem is in there right?
22:18 < rawDawg> your crt parameter is incorrect
22:19 < rawDawg> it should match the key
22:19 < rawDawg> com.crt* maybe
22:19 < Darkclaw66> oh, I changed the filenames
22:19 < rawDawg> ok
22:19 < Darkclaw66> the auth works okay
22:19 < rawDawg> ok
22:19 < rawDawg> that config looks good
22:19 < rawDawg> ill need the server
22:19 < Darkclaw66> kk
22:20 < RadarG> i had to put full paths in my client config in order to get it to work
22:20 < Darkclaw66> server config: http://pastebin.com/mae78507
22:21 < RadarG> and put "" around the full pathnames
22:23 < ksnp> anyone know a good client for MAC ?
22:24 < RadarG> take a look at tunnelblick
22:24 < Darkclaw66> rawDawg any luck?
22:25 < rawDawg> turn the verb to 6
22:25 < rawDawg> and paste the server logs
22:26 < Darkclaw66> k
22:29 < Darkclaw66> I found the line you are looking for
22:32 < Darkclaw66> Sat Jul 25 21:28:41 2009 us=263154 andre..com/70.140.20.120:2071 SENT CONTROL [andre.com]: 'PUSH_REPLY,route 70.140.20.120 255.255.255.248,route 172.30.0.0 255.255.255.0,ping 10,ping-restart 120,ifconfig 172.30.0.10 172.30.0.9' (status=1)
22:33 < Darkclaw66> then check this out
22:33 < Darkclaw66> Sat Jul 25 14:47:40 2009 us=296230 event_wait : Interrupted system call (code=4)
22:33 < Darkclaw66> Sat Jul 25 14:47:40 2009 us=296906 TCP/UDP: Closing socket
22:33 < Darkclaw66> Sat Jul 25 14:47:40 2009 us=296977 /sbin/route delete -net 172.30.0.0 172.30.0.2 255.255.255.0
22:33 < Darkclaw66> route: must be root to alter routing table
22:34 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
22:34 < rawDawg> you dont have permission to add a route
22:34 < Darkclaw66> on the server or client machine?
22:34 < rawDawg> that is the log for the server
22:34 < rawDawg> the server
22:35 < Darkclaw66> but the problem is the client not adding the route
22:36 < Darkclaw66> right?
22:37 < rawDawg> you might wanna try route-method exe on the client
22:37 < rawDawg> if its windows
22:37 < rawDawg> the server is sending the route
22:38 < Darkclaw66> i tried that too but no luck
22:38 < rawDawg> what do the logs say on the client?
22:38 < Darkclaw66> one sec will check
22:40 < Darkclaw66> its saying it received the push request but no errors
22:40 < rawDawg> try a route print
22:40 < rawDawg> and see if the route was added
22:41 < Darkclaw66> no luck
22:42 < rawDawg> add these to client
22:42 < rawDawg> route-method exe
22:42 < rawDawg> route-delay 2
22:43 < rawDawg> add this on the server
22:43 < rawDawg> route-gateway 172.30.0.1
22:44 < rawDawg> i think you are missing the gateway
22:44 < Darkclaw66> oh
22:44 < rawDawg> you can specify the gateway in the route parameter, or that ^ will set a default
22:48 < Darkclaw66> still no luck
22:48 < Darkclaw66> what does a status=1 mean for a push reply?
22:48 < rawDawg> not sure
22:48 < Darkclaw66> theres no errors
22:49 < rawDawg> are you on an admin account, on the client?
22:49 < Darkclaw66> yes
22:49 < Darkclaw66> i'll add it manually to see what happens
22:52 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn
22:53 < RadarG> damn windows 7
22:53 < Darkclaw66> hmm its not liking it
22:53 < RadarG> could somebody please post that last pastebin link that I posted
22:54 < Darkclaw66> its saying the mask parameter is invalid
22:54 < Darkclaw66> whats wrong with 255.255.255.248 ?
22:54 < RadarG> my computer locked up, thats why I lost it
22:54 < rawDawg> the ip - mask combo is invalid
22:54 < Darkclaw66> its saying destination & mask != Destination
22:55 < Darkclaw66> but its valid though
22:57 < RadarG> will that server conf that I post work?
22:57 < RadarG> posted, i cant type today
22:58 < Darkclaw66> i still dont understand whats wrong with the subnet I am trying to use
22:58 < Darkclaw66> I checked and its correct
23:01 < RadarG> client-config-dir /var/smoothwall/ovpn/ccd/common name the right entry?
23:03 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
23:05 < Darkclaw66> k
23:06 < Darkclaw66> Sat Jul 25 22:05:25 2009 Warning: address 70.140.20.120 is not a network address in relation to netmask 255.255.255.248
23:06 < Darkclaw66> thats the problem
23:09 < Darkclaw66> 248 is a valid value
23:40 < Darkclaw66> openvpn doesn't accept .248 can someone help
23:40 < Darkclaw66> i am struggling
23:53 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn
23:55 -!- Skiff [n=skiff@unaffiliated/skiff] has left ##openvpn ["Leaving"]
--- Day changed Sun Jul 26 2009
00:12 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit []
00:13 < RadarG> what does this mean? SIGUSR1[soft,ping-restart] received, client-instance restarting
00:13 < RadarG> does this mean that the link dropped and restarted
00:17 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has left ##openvpn []
00:17 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn
00:25 < RadarG> .
00:36 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 54 (Connection reset by peer)]
01:05 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, worch, dimedo, pekster, Gumbler, tarbo2, onats, sigi, carpe_, ^scott^, (+61 more, use /NETSPLIT to show all of them)
01:31 -!- Netsplit over, joins: eliasp
01:32 -!- Netsplit over, joins: deever, DeathWolf, RadarG, master_of_master, brizly1, theTroy, toehio, roentgen, Gorkhaan, jeiworth (+59 more)
01:52 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has joined ##openvpn
01:54 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
01:56 < bsdbandit> openvpn timestamps showing dec 31 1969 in all the logs
01:56 < bsdbandit> anyone have this issue before
02:14 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)]
02:18 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
02:23 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn
02:23 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 54 (Connection reset by peer)]
02:46 < rawDawg> bsdbandi1 are you running openvpn on a router?
02:49 < bsdbandi1> yes
02:50 < rawDawg> you might need to update the date
02:50 < rawDawg> type date
02:50 < rawDawg> and see what it returns
02:50 < bsdbandi1> yeah its off
02:51 < rawDawg> update the ntp client with a server's address
02:51 < bsdbandi1> but the date in the logs is showing dec 31 1969
02:51 < bsdbandi1> my server time is an hr off
02:52 < rawDawg> does "date" return dec31 1966?
02:52 < bsdbandi1> no
02:53 < bsdbandi1> Sun Jul 26 02:52:49 EST 2009
02:53 < bsdbandi1> that is what my server is
02:53 < rawDawg> not sure :S
02:53 < bsdbandi1> o
02:54 < rawDawg> i put openvpn on a linksys router
02:54 < rawDawg> and i had to update the ntp client to update the date
02:54 < bsdbandi1> oh ok
02:54 < bsdbandi1> im running openbsd
02:54 < bsdbandi1> 4.5
02:54 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
03:11 -!- brizly1 [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has quit [Read error: 54 (Connection reset by peer)]
03:12 -!- brizly [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has joined ##openvpn
03:17 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
03:21 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
03:27 -!- b0nn [n=shane@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn
03:28 < b0nn> !howto
03:28 < vpnHelper> b0nn: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:47 -!- k2s [n=Martin@static-dsl-201.87-197-105.telecom.sk] has joined ##openvpn
03:47 < k2s> !route
03:47 < vpnHelper> k2s: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:48 < b0nn> hmm
03:49 < b0nn> I'm wanting to setup a wifi link between my laptop and my server. I want that link to be secure, and only usable by my laptop (OpenVPN seems to fit there)
03:50 < b0nn> and all my traffic will be bridged wlan0 -> br0 -> eth1
03:50 < k2s> what exactly is eth_ip in bridge-start script ? is it default gateway or VPN server IP ?
03:50 < b0nn> will OpenVPN prevent other people using my wifi link?
04:02 < reiffert> yes.
04:03 < reiffert> k2s: the IP Address of the eth interface prior to running the bridge script.
04:04 < k2s> reiffert: thank you, works now
04:11 -!- k2s [n=Martin@static-dsl-201.87-197-105.telecom.sk] has quit ["Leaving"]
04:23 -!- mmcji [n=mmcji@cpe-76-185-214-197.tx.res.rr.com] has joined ##openvpn
04:26 < mmcji> i am learning about openvpn. Most configurations I have seen so far require the client to have ca.crt, client.key and ca.key.
04:27 < mmcji> i am trying to figure out how to setup a client to provide access to all nodes on the local network to the remote network through openvpn.
04:28 < theTroy> |Mike|: the issue as was said. Connection is established, but virtual IP is not given out. As well as that, tap device is not shown on ifconfig
04:29 < rawDawg> !route
04:29 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:29 < rawDawg> mmcji: read that
04:29 < mmcji> but, i only have the ca.crt cert. I use that with network-manager to connect to my company's network. This confuses me, because I have not seen any configuration examples that just use the ca.crt cert.
04:30 < mmcji> cool, thanks 04:30 < rawDawg> this article is good also: http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/ 04:30 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.itsatechworld.com) 04:30 < rawDawg> but it is geared toward windows 04:31 < mmcji> no windows here alas, just good old linux 04:31 < mmcji> but thank you 04:31 < mmcji> i am reading through the first url 04:39 -!- b0nn [n=shane@203-109-245-158.static.bliink.ihug.co.nz] has quit ["Lost terminal"] 04:45 -!- lilalinux is now known as lila_zoo 04:50 -!- lila_zoo is now known as lilalinux 05:05 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 05:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 05:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 05:21 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 05:30 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:31 -!- bsdbandi1 [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 110 (Connection timed out)] 06:00 -!- mmcji [n=mmcji@cpe-76-185-214-197.tx.res.rr.com] has quit ["Leaving"] 06:20 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has joined ##openvpn 06:25 -!- brizly [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has quit [Read error: 113 (No route to host)] 06:28 -!- brizly [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has joined ##openvpn 06:30 -!- boswarrior [n=mrnice@chello062178009197.4.11.tuwien.teleweb.at] has quit [K-lined] 06:45 -!- |ns|nR8 [n=doof@CPE-121-222-36-119.qld.bigpond.net.au] has joined ##openvpn 06:58 -!- kyrix [n=ashley@91-115-16-172.adsl.highway.telekom.at] has joined ##openvpn 07:03 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 07:04 
-!- eliasp [n=quassel@95.208.45.212] has quit [Read error: 113 (No route to host)] 07:11 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."] 07:35 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has joined ##openvpn 07:41 -!- |ns|nR8 [n=doof@CPE-121-222-36-119.qld.bigpond.net.au] has quit ["Leaving"] 07:55 -!- c64zottel [n=hans@p5B179886.dip0.t-ipconnect.de] has joined ##openvpn 08:02 -!- bsdbandit [n=csh11@wsip-24-249-123-207.hr.hr.cox.net] has quit [Read error: 60 (Operation timed out)] 08:08 -!- mrcool [n=chatzill@ns303573.ovh.net] has joined ##openvpn 08:08 < mrcool> hi all 08:08 < mrcool> what's up 08:09 < mrcool> I need help with openvpn and dhcp 08:09 < mrcool> it doesn't update the /etc/resolv.conf 08:09 < mrcool> it shows the dns info 08:10 < RadarG> for some reason when I turn on the link the client loses internet connectivity. Can someone explain why it does this? 08:11 < mrcool> btw: I am behind openvpn client 08:17 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has left ##openvpn [] 08:32 < kyrix> radarG: probably wrongly configured routing. 08:40 < mrcool> kyrix: hi 08:41 < theTroy> (21:19:14) theTroy: I get error "no dynamic or static remote --ifconfig address is available for client" when I try to DHCP the incoming clients on TAP interface 08:41 < theTroy> (21:19:19) theTroy: moreover, modprobe returns false on the TAP, but positive for the TUN, and when connection is established, TAP interface is not in the ifconfig 08:41 < theTroy> (21:19:24) theTroy: ubuntu jaunty 09:03 < RadarG> kyrix can you help me with the routing for the client? 09:04 < mrcool> I have 1 problem 09:04 < mrcool> DNS 09:05 < mrcool> openvpn doesn't update /etc/resolv.conf file 09:05 < mrcool> all works perfectly 09:10 < Bushmills> by pushing dhcp-option DNS? 09:14 < RadarG> how do I make a client provide internet services to the server? 
09:15 < mrcool> I did 09:15 < mrcool> push "DNS [IP]" 09:15 < mrcool> didn't work 09:15 < mrcool> I am under linux 09:15 < Bushmills> on linux client? 09:15 < mrcool> yes 09:15 < mrcool> openvpn client under ubuntu 09:15 < Bushmills> ah. according to docs, only Windows updates the corresponding config files directly. linux would need ifup 09:16 < Bushmills> look at man page, under --dhcp-option 09:17 < kyrix> !routing 09:17 < vpnHelper> kyrix: Error: "routing" is not a valid command. 09:17 < kyrix> !route 09:17 < vpnHelper> kyrix: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:18 < RadarG> I looked at the kyrix I set it right I think but I still don't have connectivity through the tunnel 09:19 < RadarG> looked at the site 09:21 -!- mrcool [n=chatzill@ns303573.ovh.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.10/2009042316]"] 09:25 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 09:33 < kyrix> RadarG: paste your log file. 09:47 < RadarG> which one, both? 10:18 < RadarG> I sent them to you 10:22 < RadarG> do you want the configs too? 10:23 < kyrix> yes plz 10:23 < RadarG> 1 sec 10:23 < kyrix> and your route output 10:24 < RadarG> route output how do I do that 10:24 < kyrix> windows? 10:25 < RadarG> yes the client is vista 10:25 < kyrix> open cmd and type route 10:35 < theTroy> (14:40:59) theTroy: (21:19:14) theTroy: I get error "no dynamic or static remote --ifconfig address is available for client" when I try to DHCP the incoming clients on TAP interface 10:35 < theTroy> (14:40:59) theTroy: (21:19:19) theTroy: moreover, modprobe returns false on the TAP, but positive for the TUN, and when connection is established, TAP interface is not in the ifconfig 10:35 < theTroy> (14:40:59) theTroy: (21:19:24) theTroy: ubuntu jaunty 10:35 < kyrix> RadarG: on what subnet is the client on? 
10:35 < theTroy> am I doing something wrong? or the question does not have an answer? :( 10:35 < RadarG> 192.168.1.0 10:36 < RadarG> the server has 3 lans behind it: 192.168.1.1, 2.1, and 3.1 10:39 < ecrist> good morning, bitches 10:40 < kyrix> RadarG: you mean 192.168.1.0 2.0 and 3.0 right? 10:40 < kyrix> or do you have some "strange" mask? using 255.255.255.0? 10:41 < kyrix> if the client is on 192.168.1.0, and you are pushing 192.168.1.0 from the server side, how is the client going to know how to find its own subnet? 10:42 < kyrix> client and server must not use overlapping subnets if you don't want to confuse your clients 10:42 < kyrix> hello crist 10:42 < kyrix> btw, is it on purpose that you are not using server mode? 10:43 < RadarG> I use 255.255.255.0 for the three lans behind the server, I want to push 192.168.2.0 to the client and tunnel the traffic to the client. I'm not sure about server mode, should I? 10:43 < RadarG> should I have one of the 1.1 networks to 4.1? 10:45 < kyrix> RadarG: that will probably help 10:45 < kyrix> RadarG: will you have more than one client? 10:46 < RadarG> no not at this time 10:46 < RadarG> just the one connection back to the states 10:51 < kyrix> I haven't done bridging, so I'm not sure what could be failing. it seems for sure that somehow as soon as the device is up, your computer doesn't know how to route to the internet anymore. 10:52 < kyrix> I might be wrong, but I think client-server mode is way easier, and routed instead of bridged 10:54 < kyrix> have to go now. good luck :D 10:54 -!- kyrix [n=ashley@91-115-16-172.adsl.highway.telekom.at] has quit ["Leaving"] 10:55 < RadarG> I tried setting up a net2net or server2server but when I fire up the link it kills my internet connection in Asia and forces all 3 lans across the pipe 10:56 < RadarG> I'm not sure how to make Zerina(frontend)openvpn act like a client 11:09 < RadarG> anybody else want to take a crack at it? 11:14 < RadarG> would this command on the windows box work? 
route ADD 10.251.62.0 MASK 255.255.255.0 192.168.1.1 11:15 < RadarG> would that force everything across the client going through the tunnel to hit the 192.168.1.1 gateway 11:18 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has quit [] 11:19 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has joined ##openvpn 11:20 < RadarG> sorry guys, does anyone think that will work? 11:30 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 11:30 -!- gallatin [n=gallatin@dslb-092-073-251-113.pools.arcor-ip.net] has joined ##OpenVPN 11:30 < kursadk> hi how can I add password protection on top of keys ? 11:59 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection timed out] 12:03 -!- kyrix [n=ashley@91-115-177-7.adsl.highway.telekom.at] has joined ##openvpn 12:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:16 < reiffert> kursadk: 12:16 < reiffert> !howto 12:16 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 12:26 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 12:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:30 -!- kyrix [n=ashley@91-115-177-7.adsl.highway.telekom.at] has quit [Remote closed the connection] 12:38 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 12:38 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:43 -!- RadarG1 [n=nightwol@pool-98-108-4-245.chi01.dsl-w.verizon.net] has joined ##openvpn 12:53 -!- RadarG [n=nightwol@pool-98-108-12-27.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 12:59 -!- gallatin [n=gallatin@dslb-092-073-251-113.pools.arcor-ip.net] has quit ["Client exiting"] 13:19 < theTroy> could someone help me 13:19 < theTroy> when I establish connection with TAP interface 13:19 < theTroy> it's not in the ifconfig 13:19 < theTroy> ubuntu jaunty 9.04 13:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 13:42 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn 13:42 < DeathWolf> what can I do to make openvpn use less cpu cycles? 13:42 < DeathWolf> (I am running it on my router and load is a little too high) 13:45 < Kryczek> buy a crypto acceleration card perhaps? 13:46 < DeathWolf> I don't have access to the router's hardware... it's a wrt54GL 13:47 < Kryczek> ah 13:47 < Kryczek> what's your setup? static key or TLS ? 13:47 < DeathWolf> TLS 13:48 < DeathWolf> maybe I should turn off lzo but I'm wondering if it's a good idea 13:48 < Kryczek> yeah turn that off, it's cpu intensive 13:48 < DeathWolf> I'm not too sure if there's any noticeable gain with it either. 13:48 < Kryczek> and if you have broadband it's useless 13:50 < DeathWolf> I do 13:50 < kursadk> reiffert, I did read the howto, how else could I have a running VPN? 
13:56 < theTroy> can someone actually read me? or am I asking an impossible question? :( 13:56 < theTroy> I am going to start pulling my hair soon 13:56 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has left ##openvpn [] 14:21 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 14:25 < pekster> DeathWolf: What cipher are you using? 14:26 < pekster> You might consider blowfish since it's a fairly fast cipher; only during re-keying is it slow, and there's a grace window there so it's not going to impact the flow of traffic then 14:26 < pekster> Obviously lower bits are faster too, but you sacrifice security there. 128 or 192 bits should be fine unless you have some governments after you or something 14:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 14:33 < DeathWolf> I shouldn't have any 14:33 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has joined ##openvpn 14:33 < DeathWolf> Control Channel: TLSv1, cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSA 14:44 -!- RadarG1 [n=nightwol@pool-98-108-4-245.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 15:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:02 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn 15:15 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [] 15:23 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"] 15:23 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 15:35 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 15:40 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 15:44 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 16:01 -!- raw2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 16:01 -!- epaphus [n=unix3@190.10.68.228] has 
quit [Read error: 104 (Connection reset by peer)] 16:01 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:02 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 16:05 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 16:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:06 -!- raw2 is now known as rawDawg 16:07 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 16:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:10 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 16:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:14 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 16:14 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:19 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 16:21 -!- c64zottel [n=hans@p5B179886.dip0.t-ipconnect.de] has quit ["Leaving."] 16:25 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:28 -!- Skiff [n=skiff@unaffiliated/skiff] has joined ##openvpn 16:29 < Skiff> what does this mean in /var/log/messages: Jul 26 17:28:17 localhost openvpn[1816]: Invictus/10.0.1.2:52503 MULTI: bad source address from client [10.0.1.2], packet dropped where Invictus/10.0.1.2 is my client machine and I dont have any processes on that port 52503 16:30 -!- plundra [i=404@article.se] has quit [Remote closed the connection] 16:31 < Skiff> the thing is that connection works 16:31 < Skiff> and everything works 16:53 < RadarG> krzie are you there 17:10 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 17:10 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 17:21 -!- 
RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has joined ##openvpn 17:27 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 17:28 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has quit [] 17:39 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has joined ##openvpn 18:16 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 18:24 -!- brizly1 [n=brizly_v@p4FC9A552.dip0.t-ipconnect.de] has joined ##openvpn 18:40 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has quit [] 18:40 -!- brizly [n=brizly_v@p4FC9961D.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 19:03 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 113 (No route to host)] 19:19 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn 19:28 -!- teddy_ [n=teddy@208.92.235.227] has joined ##openvpn 19:28 -!- teddy_ [n=teddy@208.92.235.227] has left ##openvpn ["Ex-Chat"] 19:28 -!- teddy_ [n=teddy@208.92.235.227] has joined ##openvpn 19:30 < teddy_> I was going to replace our router with UnTangle for OpenVPN support. It has 3 cable connections, so I decided not to replace the Cisco Linksys router. Can I still make an OpenVPN (portforwarding?) 19:31 < teddy_> Install and configure OpenVPN on the LAN, and portforward 50 traffic to it? 19:32 < teddy_> sorry portforward openvpn's udp 1194 to the OpenVPN server on the LAN. Will that work? 
19:35 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [] 20:27 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 21:08 -!- master_of_master [i=master_o@p549D7163.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 -!- master_of_master [i=master_o@p549D3B73.dip.t-dialin.net] has joined ##openvpn 21:15 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 21:16 < nickol> when I use auth-user-pass-verify method, it is asking for username password on the client which is what I want. But I cannot get the authentication to work. I tried the suggested perl script. But I am not sure if the script is failing under Windows or I cannot figure out the right user-pass. 21:17 < nickol> Is there a way to see the user-pass combination on the server side? 21:27 < nickol> basically I am trying to figure out where/how to set these username-passwords, the manual is kind of vague about this part, at least based on my own reading 21:41 -!- Skiff [n=skiff@unaffiliated/skiff] has left ##openvpn ["Leaving"] 22:47 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:05 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 23:26 -!- jeiworth [n=jeiworth@189.163.138.134] has quit [Read error: 110 (Connection timed out)] 23:58 < pekster> nickol: Debugging the user/pass on the server is easy; for the 'via-file' method just copy the first parameter to the script to a new destination (say, /tmp/auth) or for via-env echo $username and $password to some file 23:59 -!- kursad [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 23:59 < pekster> nickol: As for the "suggested" perl script, if you're referring to the PAM auth script, that uses PAM, which in turn authenticates against any one of a number of PAM modules. 
Unless you've set up special modules yourself that's probably just using the local system accounts for authentication --- Day changed Mon Jul 27 2009 00:14 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:14 -!- kursad is now known as nickol 00:22 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: dazo, nemysis, vpnHelper, Pagautas, Gumbler, stephenh, master_of_master 00:22 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, worch, dimedo, teddy_, pekster, tarbo2, onats, carpe_, ^scott^, minyx, (+52 more, use /NETSPLIT to show all of them) 00:28 -!- Netsplit over, joins: eliasp, rawDawg 00:28 -!- Netsplit over, joins: deever, nickol, master_of_master, teddy_, brizly1, DeathWolf, sigius, nemysis, stephenh, tjz (+56 more) 00:34 -!- kursad [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 00:38 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:38 -!- kursad is now known as nickol 00:41 -!- onats [n=15172@unaffiliated/onats] has quit ["Leaving."] 01:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 01:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:06 < |Mike|> morning. 
02:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 02:16 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [Read error: 110 (Connection timed out)] 02:37 -!- minyx [n=phusion@S0106001562457756.gv.shawcable.net] has quit ["Leaving"] 03:08 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 03:08 -!- mattock [n=mattock@gw.tietoteema.fi] has quit [Remote closed the connection] 03:08 -!- mattock [n=mattock@gw.tietoteema.fi] has joined ##openvpn 03:08 -!- mattock [n=mattock@gw.tietoteema.fi] has left ##openvpn [] 04:18 -!- blk [n=blk@cust.static.212-41-203-2.swisscomdata.ch] has joined ##openvpn 04:19 < blk> !route 04:19 < vpnHelper> blk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:21 < blk> !redirect 04:21 < vpnHelper> blk: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 04:22 < blk> !def1 04:22 < vpnHelper> blk: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 04:34 -!- teddy_ [n=teddy@208.92.235.227] has quit [Read error: 113 (No route to host)] 04:37 -!- teddy_ [n=teddy@208.92.235.227] has joined ##openvpn 04:41 < blk> is there a way to delete the old gateway (problem is that VPN clients need to access a 192.168.1.0/24 network (there's a NAT to it from the VPN Network), and may themselves be on this network already, locally) .. 
but there still exists a local route 192.168.1.0/24 towards the local (non-VPN) IP -- i tried setting redirect-gateway without def1, pushing route 192.168.1.0 but it ends up with a higher metric and therefore not used.. 04:53 < blk> !topology 04:53 < vpnHelper> blk: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 04:55 < blk> !route 04:55 < vpnHelper> blk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:08 -!- blk [n=blk@cust.static.212-41-203-2.swisscomdata.ch] has quit ["Segfault (0x0)"] 05:24 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: dazo, nemysis, vpnHelper, Pagautas, polaru 05:24 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, worch, dimedo, thedoc, teddy_, pekster, Gumbler, tarbo2, carpe_, ^scott^, (+52 more, use /NETSPLIT to show all of them) 05:26 -!- Netsplit over, joins: deever, eliasp, rawDawg, teddy_, thedoc, polaru, nemysis, master_of_master, brizly1, DeathWolf (+57 more) 05:37 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:49 -!- kyrix [n=ashley@91-115-27-70.adsl.highway.telekom.at] has joined ##openvpn 05:54 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 06:07 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has joined ##openvpn 06:08 < RadarG> openvpn can give headaches 06:12 < RadarG> the guy that has been helping me on my firewall forums is insisting that I setup a net2net connection but when I do it kills all internet traffic on my 192.168.1.0 network and its not working can you guys make sense of these log files client http://pastebin.com/mec4d24 server http://pastebin.com/m30f2d07e 06:16 < kyrix> if you dont know 
why you are doing bridging, you should be doing routing 06:16 < kyrix> !howto 06:16 < vpnHelper> kyrix: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:17 < kyrix> RadarG: http://openvpn.net/index.php/open-source/faq.html#bridge1 06:17 < vpnHelper> Title: FAQ (at openvpn.net) 06:18 -!- kyrix [n=ashley@91-115-27-70.adsl.highway.telekom.at] has quit ["Leaving"] 06:21 < RadarG> It's bridging because my 2.1 network needs to talk to the remote's 1.1 06:22 -!- Gorkhaan is now known as Gorkhaan_AFK 06:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:26 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:28 -!- Cedric_ [n=chatzill@196.91-66-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn 06:28 < Cedric_> !howto 06:28 < vpnHelper> Cedric_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:32 < Cedric_> my vpn client is connected to the server, but webtraffic isn't tunneled 06:32 < Cedric_> I added push "redirect-gateway def1", push "redirect-gateway local def1", push "dhcp-option DNS 10.8.0.1" to the config file 06:33 < |Mike|> does your server forward those packets ? :) 06:34 < |Mike|> net.inet6.ip6.forwarding: 0 06:34 < |Mike|> ip4, whatever you want :) 06:34 < Cedric_> I'm a linux noob I'm afraid 06:34 < |Mike|> damn 06:34 < Cedric_> isn't adding those things enough to forward packets? 
06:34 < |Mike|> ahem, you need to set that value to 1 06:34 < |Mike|> !nat 06:34 < vpnHelper> |Mike|: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 06:35 < Cedric_> done the first step 06:36 < |Mike|> read #3 06:36 < |Mike|> !linnat 06:36 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 06:36 < Cedric_> but iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE failed 06:36 < |Mike|> you're using eth0 ? 06:36 < |Mike|> or some bge0 or something ? 06:37 < Cedric_> i believe i'm use venet0 06:37 < Cedric_> i'm using 06:37 < Cedric_> * 06:37 < Cedric_> it's a VPS 06:38 < |Mike|> ifconfig -a ? 06:38 < Cedric_> lo, tun0, venet0, venet0:0 06:39 < |Mike|> tun0 is the tun device from openvpn 06:39 < |Mike|> venet0 has an IP attached? 06:39 < Cedric_> one sec 06:40 < Cedric_> |Mike|: http://ce3c.be/tmp.txt 06:41 < |Mike|> looks that venet0:0 is your "eth0" 06:43 < Cedric_> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0:0 -j MASQUERADE 06:43 < Cedric_> Warning: weird character in interface `venet0:0' (No aliases, :, ! or *). 
06:43 < Cedric_> bbl :) 06:43 < Cedric_> thanks for your help ;) 06:43 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 06:44 < |Mike|> venet0:0 is linked to venet0 06:46 -!- Gorkhaan_AFK [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 06:54 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has joined ##openvpn 07:10 < Cedric_> |Mike|: there is an error: iptables: No chain/target/match by that name when executing the command 07:10 < |Mike|> do you run a firewall ? 07:11 -!- RadarG [n=nightwol@pool-98-108-10-178.chi01.dsl-w.verizon.net] has quit [] 07:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 07:19 < |Mike|> Cedric_: 07:26 < Cedric_> |Mike|: ehm yes but the policy is to accept everything 07:30 < |Mike|> CSF / LFD ? 07:32 < |Mike|> what's the value of /proc/sys/net/ipv4/ip_forward ? 07:33 < |Mike|> it should be 1 to forward 07:33 < Cedric_> neither csf nor lfd I think ? 07:33 < Cedric_> its value is 1 07:33 < |Mike|> can you ping google.com through the openvpn ? 07:34 < Cedric_> it doesn't use my vpn server's connection 07:34 < Cedric_> to ping or to access websites 07:35 < Cedric_> it's just the iptables firewall if that's possible 07:36 < Cedric_> but the iptables have the policy to accept everything 07:39 < |Mike|> you can ping your gateway ? (10.8.0.1 ) 07:40 < Cedric_> nope 07:40 < Cedric_> timeout 07:41 < Cedric_> ping 10.0.0.1 works from my client 07:41 < |Mike|> where can I get the "I'm stupid with" or a cluebat? :) 07:41 < Cedric_> I speak Dutch too :p 07:42 < |Mike|> you have to be connected to the vpn network 07:42 < |Mike|> I know, we prefer english in here. 07:42 < Cedric_> I am 07:42 < |Mike|> logs ? 07:42 < |Mike|> !logs? 07:42 < vpnHelper> |Mike|: Error: "logs?" is not a valid command. 
07:42 < |Mike|> !logs 07:42 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 07:42 < Cedric_> you want the logs from the vpn client, the server, or both? 07:42 < |Mike|> don't forget to set "verb" to "6" 07:42 < |Mike|> both 07:42 < Cedric_> ok, I'll do that, and reconnect to the vpn 07:43 < Cedric_> I could give you the config files too 07:44 < |Mike|> you can paste it on pastie.org 07:44 < |Mike|> is your client behind a router or something ? 07:44 < Cedric_> yes 07:45 < Cedric_> it connects successfully to the vpn server, but the http traffic isn't routed through the vpn server 07:46 < |Mike|> but you can't ping your gateway ? heh (10.8.0.1 or whatever you set it) 07:46 < Cedric_> I can ping 10.0.0.1 from my client 07:48 < |Mike|> your internal network behind the router has 10.0.0.0/ as subnet? 07:50 < Cedric_> my router network: 192.168.0.0 ;; my vpn network: 10.0.0.0 07:50 < Cedric_> |Mike|: http://ce3c.be/vpn 07:50 < vpnHelper> Title: Index of /vpn (at ce3c.be) 07:50 < Cedric_> oops 07:51 < Cedric_> readable 07:51 < |Mike|> you set up CCD as well ? 07:51 < |Mike|> client config dir 07:53 < |Mike|> don't forget to set up tls as well, otherwise you could get MITM'd 07:55 < Cedric_> nope, I didn't set up ccd 07:56 < Cedric_> I don't want files to be shared 07:56 < Cedric_> just the internet tunnel 07:57 < |Mike|> http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules <-- done that yet ? 07:57 < vpnHelper> Title: OpenVPN/FAQ - Secure Computing Wiki (at www.secure-computing.net) 07:59 < Cedric_> default policy is accept, so that shouldn't be an issue? 07:59 < |Mike|> you need the masq.. 08:01 < Cedric_> iptables -P OUTPUT DROP closed my ssh connection 08:03 < |Mike|> really ? 08:04 < ecrist> Cedric_: the entertainer? 
08:05 < Cedric_> lol 08:05 < |Mike|> I was about to warn you about that 08:05 < |Mike|> but too late 08:06 < Cedric_> iptables -A INPUT tun0 -j ACCEPT 08:06 < Cedric_> Bad argument `tun0' 08:08 < Cedric_> bah :p 08:08 < |Mike|> ecrist: are you getting the cluebat or... ? 08:09 < Cedric_> they need 1 click installs for these 08:09 < |Mike|> I know 08:10 < Cedric_> |Mike|: I'm not familiar with linux, ok, be patient with the noobs ;) 08:19 < Cedric_> !redirect 08:19 < vpnHelper> Cedric_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 08:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:24 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 08:24 -!- Cedric_ [n=chatzill@196.91-66-87.adsl-dyn.isp.belgacom.be] has quit [Read error: 104 (Connection reset by peer)] 08:25 < |Mike|> lol 08:26 < ecrist> cluebat? 08:29 -!- teddy_ [n=teddy@208.92.235.227] has quit [Remote closed the connection] 08:33 -!- Cedric_ [n=chatzill@196.91-66-87.adsl-dyn.isp.belgacom.be] has joined ##openvpn 08:33 < Cedric_> !redirect 08:33 < vpnHelper> Cedric_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 08:33 < Cedric_> !ipforward 08:33 < vpnHelper> Cedric_: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 08:33 < Cedric_> !linipforwar 08:33 < vpnHelper> Cedric_: Error: "linipforwar" is not a valid command. 
08:33 < Cedric_> !linipforward 08:33 < vpnHelper> Cedric_: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 08:34 < Cedric_> !nat 08:34 < vpnHelper> Cedric_: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 08:34 < Cedric_> !linnat 08:34 < vpnHelper> Cedric_: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 08:36 -!- Cedric_ [n=chatzill@196.91-66-87.adsl-dyn.isp.belgacom.be] has quit [Client Quit] 08:44 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:45 -!- JyZyGyZyX is now known as JyZyXEL 08:57 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 08:59 -!- Ben8 [n=benthete@61.17.17.157] has joined ##openvpn 09:01 -!- Ben8 [n=benthete@61.17.17.157] has left ##openvpn [] 09:04 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 09:05 -!- rawDawg2 is now known as rawDawg 09:10 -!- YpsyZNC is now known as Ypsy 09:13 < |Mike|> i wonder if he gets it now :) 09:14 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 09:15 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 09:35 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit 
[Read error: 104 (Connection reset by peer)] 09:36 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 09:37 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Pagautas, dazo 09:37 -!- p2hicy [i=p2hicy@unaffiliated/p2hicy] has quit [Read error: 104 (Connection reset by peer)] 09:39 -!- p2hicy [n=p2hicy@unaffiliated/p2hicy] has joined ##openvpn 09:40 -!- carpe_ is now known as plaerzen 09:41 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 09:43 -!- Netsplit over, joins: dazo, Pagautas 09:47 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)] 09:47 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 09:50 -!- master_of_master [i=master_o@p549D3B73.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 09:54 -!- master_of_master [i=master_o@p549D3B73.dip.t-dialin.net] has joined ##openvpn 10:07 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out] 10:24 -!- jeiworth [n=jeiworth@189.177.138.156] has joined ##openvpn 10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:31 < rawDawg> im trying to get openvpn running on my wrt310n 10:31 < rawDawg> i keep getting this error: 10:31 < rawDawg> Cannot load certificate file client.crt: error:02001002:lib(2):func(1):reason(2): error:20074002:lib(32):func(116):reason(2): error:140AD002:lib(20):func(173):reason(2) 10:38 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 10:38 < Douglas> !logs 10:38 < vpnHelper> Douglas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
10:38 < Douglas> !configs 10:38 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:44 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 10:46 -!- kursad [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 10:53 -!- MONWAY [n=NIKOLAS_@94.75.220.13] has joined ##openvpn 10:53 < MONWAY> hi all 10:53 < ecrist> wtf is a cluebat? 10:53 < rawDawg> no cluebat 10:54 -!- mode/##openvpn [+o ecrist] by ChanServ 10:54 < MONWAY> google cluebat 10:54 < MONWAY> heh.. 10:55 <@ecrist> ah 10:56 -!- MONWAY [n=NIKOLAS_@94.75.220.13] has left ##openvpn ["farted so loud my grandma died."] 10:58 -!- mode/##openvpn [-o ecrist] by ChanServ 11:02 -!- kursad is now known as kursadk 11:05 -!- jeiworth_ [n=jeiworth@189.177.138.156] has joined ##openvpn 11:05 -!- Irssi: ##openvpn: Total of 75 nicks [0 ops, 0 halfops, 0 voices, 75 normal] 11:07 -!- jeiworth [n=jeiworth@189.177.138.156] has quit [Read error: 60 (Operation timed out)] 11:10 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 11:10 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 11:10 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 11:21 -!- Stanley_ [n=brad@S010600195b3059b4.gv.shawcable.net] has joined ##openvpn 11:22 < Stanley_> Are there any good tutorials on setting up openVPN? 
I'm a bit of a linux noob, only been using it for a couple months, and the tutorial on OpenVPN's site is kinda lacking majorly :( 11:28 < rawDawg> http://www.google.com/url?q=http://www.itsatechworld.com/2006/01/29/how-to-configure-openvpn/&sa=U&start=2&ei=ldVtStm3OpLENuq4gfkG&usg=AFQjCNFLwNzKIn1dyjnjBzm5W5lt1CO2WA 11:28 < vpnHelper> Title: Its A Tech World | How to configure OpenVPN (at www.google.com) 11:28 < rawDawg> whoops 11:28 < rawDawg> that should work for ya 11:29 < Stanley_> great thanks :D 11:29 < Stanley_> Tired of the ad's that come with hotspot shield! 11:30 < rawDawg> what is hotspot shield? 11:31 < Stanley_> http://hotspotshield.com/ 11:31 < vpnHelper> Title: Get Behind the Shield! Hotspot Shield by AnchorFree (at hotspotshield.com) 11:31 < Stanley_> VPN-ish program 11:32 < Stanley_> What I want to do is connect to my server with the VPN and then when I surf the internet an stuff it shows my IP as being my server's IP... 11:32 < |Mike|> !howto 11:32 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 11:32 < |Mike|> no adds :) 11:33 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 11:49 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 11:49 -!- eliasp_ is now known as eliasp 11:58 -!- geaaru [n=geaaru@93-38-77-65.ip69.fastwebnet.it] has joined ##openvpn 12:03 -!- rawDawg [n=rawDawg@99.57.58.238] has joined ##openvpn 12:05 -!- geaaru [n=geaaru@93-38-77-65.ip69.fastwebnet.it] has quit ["Leaving"] 12:06 < Stanley_> Mike: Yea I found that how to not so hot-to-ish 12:09 -!- raw2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 12:16 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 12:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 12:21 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 12:24 -!- Stanley_ [n=brad@S010600195b3059b4.gv.shawcable.net] has quit [Read error: 110 (Connection timed out)] 12:26 -!- nickol [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [" HydraIRC -> http://www.hydrairc.com <- Chicks dig it"] 12:26 -!- Stanley_ [n=brad@S010600195b3059b4.gv.shawcable.net] has joined ##openvpn 12:27 -!- rawDawg [n=rawDawg@99.57.58.238] has quit [Read error: 110 (Connection timed out)] 12:29 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has joined ##openvpn 12:29 < CoffeeIV> !route 12:29 < vpnHelper> CoffeeIV: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:33 < CoffeeIV> I have set up an openvpn connecting from my home network, whcih is 192.168.1.*, to my work network, which is also 192.168.1.* 12:33 < CoffeeIV> the vpn endpoints have 10.8.* addresses 12:34 < CoffeeIV> obviously I can't generally route between two 192.168.1.* networks 12:34 < CoffeeIV> but presuming there 
is a specific IP at work that is not in use at my home network, can I route so I have access to just that IP ? 12:38 < ecrist> CoffeeIV: no, you can't 12:39 < ecrist> you can do some sort of forwarding on the vpn server 12:39 < ecrist> you should change the ip space of one of the networks. 12:39 < CoffeeIV> It's going to be difficult to change the ip space of either network 12:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:40 < CoffeeIV> but an iptables forwarding rule might do for now 12:40 < CoffeeIV> that's a good idea -- I'll give it a shot 12:41 < ecrist> good luck 12:41 -!- Traveler5 [n=traveler@Z43c5.z.pppool.de] has joined ##openvpn 12:42 -!- kursad [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has joined ##openvpn 12:46 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 12:49 < krzee> wassup vpn peoples 12:49 < rawDawg2> yo 12:49 < rawDawg2> krzee you any good on the wrt? 12:50 < krzee> ecrist, you noticed this chan has grown a bit? 12:50 < krzee> 80 in here now 12:50 < reiffert> 80 nicks, 90% idl. 12:50 < krzee> tru 12:50 < krzee> rawDawg2, never used it 12:50 < reiffert> rawDawg2: working on wrt. 12:51 < krzee> but its basically linux from my understanding of it... 12:51 < krzee> reiffert would know more than i 12:51 < rawDawg2> reiffert: i got openvpn working on it 12:51 < reiffert> welcome 12:52 < krzee> reiffert, i think 1 day we should make a helper flowchart on the wiki 12:52 < krzee> would take a bit to make, but once done it would be the most helpful thing on the net for ovpn 12:52 < reiffert> something like go to irc channel and enter: !howto 12:52 < krzee> hahah 12:52 -!- Traveler2 [n=traveler@Z5d87.z.pppool.de] has joined ##openvpn 12:52 < krzee> nah like: can you do this? yes then can you do this? else can you do this? 
etc 12:53 < ecrist> krzee: yes, I did 12:53 < Traveler2> is it posible to create a vpn network that tunnels only 10.0.0.0/8er connections 12:53 < krzee> like 95% of problems are repetitive 12:53 < krzee> Traveler, sure 12:53 < ecrist> Traveler2: yes 12:53 < Traveler2> how? 12:53 < reiffert> krzee: nobodys gonna read it, ppl like to get answers, perferrablly not by reading. 12:54 < krzee> reiffert, sad truth 12:54 < krzee> Traveler, what subnets are where that you want tunneled? 12:54 < krzee> ie: lan behind client, lan behind server, etc 12:54 < Traveler2> and all other connections will be over the normal internet connection 12:54 < reiffert> Traveler2: push "route 10.0.0.0 255.0.0.0" 12:55 < krzee> yup what reif said assuming 10/8 is all behind the server 12:55 < Traveler2> thx ok... 12:57 < rawDawg2> reiffert: i want to create 2 separate ssids - one secure and one public 12:58 < reiffert> and your openvpn question is? 12:58 < rawDawg2> and only give access to the tun from the secure ssid 12:58 < rawDawg2> its more of a wrt question 12:59 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [Read error: 110 (Connection timed out)] 12:59 -!- kursad is now known as kursadk 13:01 < krzee> the one ovpn thing you need to know 13:02 < krzee> !local 13:02 < vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 13:03 -!- Traveler5 [n=traveler@Z43c5.z.pppool.de] has quit [Read error: 110 (Connection timed out)] 13:04 -!- raw2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 13:06 -!- kursadk [n=kursad@CPE-72-128-65-111.wi.res.rr.com] has quit [" HydraIRC -> http://www.hydrairc.com <- Go on, try it!"] 13:09 -!- rawDawg2 is now known as rawDawg 13:10 -!- raw2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:16 < theTroy> how to setup TAP interface on linux client? 
13:21 < ecrist> !howto 13:21 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:24 < theTroy> I read it 13:24 < theTroy> and it still didnt help 13:24 < theTroy> all it says is that I need to set it up manually, but never says where 13:24 < theTroy> or how 13:24 < krzee> why do you want tap 13:24 < krzee> !tunortap 13:24 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 13:25 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:26 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 13:27 -!- Traveler2 [n=traveler@Z5d87.z.pppool.de] has quit ["Java user signed off"] 13:32 -!- toehio [n=toehio@dyn.144-85-160-216.dsl.vtx.ch] has quit [Read error: 110 (Connection timed out)] 13:37 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 13:38 < theTroy> !wins 13:38 < vpnHelper> theTroy: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 13:38 < theTroy> krzee basically the trouble is that I cannot setup tun or tap to allow clients to see each other 13:39 -!- raw2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 13:39 < theTroy> I have router with TomatoVPN acting as VPN server, and clients from internal network, and from the internet, accessing it 13:39 < theTroy> I need to run file sharing services, such as samba or NFS 13:40 -!- kyrix [n=ashley@188-23-176-131.adsl.highway.telekom.at] has joined ##openvpn 13:41 -!- pipegeek [n=ptr@64.107.84.160] has joined ##openvpn 13:45 < krzee> theTroy, 13:45 < krzee> !route 13:45 < vpnHelper> krzee: "route" is (#1) 
http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:45 < krzee> thats with a TUN setup 13:45 < pipegeek> I'm having difficulty explaining the behavior I'm encountering when attempting to connect to a certain vpn. The connection initially succeeds, and dhclient is able to obtain an address from the remote dhcp. All subsequent traffic over the vpn, however, seems to fall into a black hole 13:46 < krzee> i dont use tap, and you dont need tap 13:46 < theTroy> allright, I will try that krzee 13:46 < theTroy> thanks 13:46 < krzee> for samba, you can use by ip, or for netbios resolution see !wins 13:46 < krzee> np 13:47 < theTroy> krzee but I do not know the IPs/networks some clients will connect from? 13:49 < pipegeek> any idea why this might be? 13:50 < pipegeek> I should add that immediately after getting an address from the remote dhcp server, I get an inactivity timeout 13:51 < pipegeek> eventually the connection resets (though it takes several minutes), and everything is hunky dory going forward 13:58 < ecrist> theTroy: setup a tun-based vpn, samba, and a WINS server. 13:59 < theTroy> ecrist is it possible to do it on TAP? and itsnt it easier? 13:59 < ecrist> tun is easier 13:59 < theTroy> hmm, allright, thanks, a lot of reading to do :) 13:59 -!- Stanley_ [n=brad@S010600195b3059b4.gv.shawcable.net] has quit ["Ex-Chat"] 13:59 < theTroy> pipegeek would be useful to know your configs 13:59 < theTroy> pastebin them 14:00 < ecrist> krzee: I think it's funny, we tell everyeone to setup tun, yet the VPN I just configured is a TAP config. ;) 14:01 < theTroy> ecrist what is benefit of TAP? and how is it different from TUN? I have read a lot about it, and still dont really get it 14:02 < ecrist> tun is easier to setup. 
tun is a point-to-point IP subnetted VPN 14:02 < ecrist> tap is a point-to-point layer 2 VPN 14:02 < ecrist> layer 2 vs layer 3, really 14:02 < theTroy> and what does layer2 mean? 14:02 < ecrist> wow 14:03 -!- kezhi [i=moneybag@la.migra.armed.us] has joined ##openvpn 14:03 < theTroy> my knowledge is patchy :) 14:03 < ecrist> theTroy: http://lmgtfy.com/?q=OSI+Layers&l=1 14:03 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 14:03 -!- kezhi is now known as graffz 14:05 < theTroy> ecrist well it seems that TAP is a better option for me 14:05 < ecrist> no, it's not 14:05 < ecrist> setup tun with WINS 14:06 < CoffeeIV> I want to take all traffic destined for 10.8.0.103 and send it to 192.168.1.103. Is there an iptables one-liner to do that ? 14:06 < ecrist> CoffeeIV: http://www.linuxtopia.org/Linux_Firewall_iptables/x4508.html 14:06 < vpnHelper> Title: Linux Packet Filtering and iptables - REDIRECT target (at www.linuxtopia.org) 14:10 -!- deever [n=deever@static.172.68.46.78.clients.your-server.de] has left ##openvpn [] 14:10 < ecrist> CoffeeIV: you're really better off renumbering one of your networks, though. 14:12 < CoffeeIV> ecrist: thanks, I am looking at that. I will see about renumbering the networks, but the reality is it will not happen until we have to move to a different server room 14:13 -!- toehio [n=toehio@dyn.144-85-215-115.dsl.vtx.ch] has joined ##openvpn 14:19 < krzee> [14:47] krzee but I do not know the IPs/networks some clients will connect from? 14:20 < krzee> you only need to know that for networks where you will want the lan behind the client to be routable over the vpn 14:20 < theTroy> I do not want any lans to route. 
I just want all VPN clients to be on a single virtual LAN (10.8.1.0/24) 14:21 < theTroy> and none of the networks behind them need to be routed 14:21 < krzee> oh well thats a normal vpn 14:21 < krzee> !sample 14:21 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:21 < krzee> you dont need !route or anything very special for that 14:22 < krzee> thats as vanilla as it gets =] 14:22 < krzee> ecrist, the difference is you know when and why to use a tap vpn... not just doing it cause the first hit for your google search said to 14:23 < ecrist> heh 14:23 -!- chinsan_ is now known as chinsan 14:23 < krzee> so when you decide its the right setup for you, its because it actually is ;] 14:25 < theTroy> krzee the problem is, when I try to do that, my internet dies 14:25 < theTroy> the router vpn is rc15, ubuntu vpn is rc19 14:25 < theTroy> could it cause a problem? 14:26 < ecrist> !configs 14:26 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:27 < theTroy> http://www.ircpimps.org/openvpn.configs these are configs 14:27 < krzee> no they arent 14:27 < krzee> you cant possibly be using my EXACT configs 14:27 < theTroy> obviously I modified them to suit mine 14:27 < theTroy> but only the paths 14:27 < krzee> well, post them 14:27 < ecrist> theTroy: I need 'YOURS' 14:27 < ecrist> !logs 14:27 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
14:27 < ecrist> those too 14:27 < krzee> aye 14:28 < ecrist> as the channel topic states 14:28 < krzee> !factoids search all 14:28 < vpnHelper> krzee: 'dynamicfirewall', 'all', 'firewall', 'shorewall', and 'allinfo' 14:28 < krzee> !allinfo 14:28 < vpnHelper> krzee: "allinfo" is Please type !configs !logs and !interface to see all the info we want to be able to help you 14:30 -!- toehio [n=toehio@dyn.144-85-215-115.dsl.vtx.ch] has quit [Connection timed out] 14:30 < theTroy> http://paste.ubuntu.com/234717/ 14:31 < theTroy> need to connect again for the logs 14:31 -!- toehio [n=toehio@dyn.144-85-215-115.dsl.vtx.ch] has joined ##openvpn 14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 < krzee> you sure its picking up all those files? i see you arent using full paths 14:38 < theTroy> it wouldv complained about it wouldnt it? :) 14:39 < theTroy> strange 14:39 < theTroy> this is where the problem is 14:39 < theTroy> WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 14:39 < krzee> ahh, they're on the same subnet 14:39 < theTroy> but I am using 10.8.1.0/24 14:39 < krzee> you can ignore that since you arent routing either lan 14:39 < theTroy> but when I connect 14:39 < theTroy> it just shuts off the internet 14:39 < krzee> just post the logs... 14:39 < theTroy> until I kill the vpn instance 14:41 < theTroy> http://paste.ubuntu.com/234719/ 14:42 < krzee> !logs 14:42 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
14:42 < krzee> Mon Jul 27 20:38:49 2009 /sbin/route add -net 192.168.1.0 netmask 255.255.255.0 gw 10.8.1.5 14:42 < krzee> that line points to a config option not in the configs you gave us 14:42 < theTroy> I do not have it 14:42 < krzee> please follow the instructions from !logs 14:43 < theTroy> Problem is TomatoVPN gives GUI VPN 14:43 < krzee> login ssh and run it manually 14:43 < theTroy> I set all of the options the way you told me, I will post verb6 logs 14:43 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 14:43 < krzee> !router 14:43 < vpnHelper> krzee: "router" is if you are using one of those hacked up linksys linux routers, and you are not logging... dont expect help until you turn on logging so you can post them 14:45 < theTroy> allright, thank you, I think I will be able to manage it from here. Error is that router tries to push the routing to the client 14:45 < theTroy> which is not needed 14:47 -!- jeiworth_ [n=jeiworth@189.177.138.156] has quit [Read error: 104 (Connection reset by peer)] 14:51 < krzee> right 14:52 < krzee> seems like that log you sent was either fed route 192.168.1.0 255.255.255.0 14:53 < krzee> or if its a client it could be push "route 192.168.1.0 255.255.255.0" 14:53 < krzee> from server 14:53 -!- kyrix [n=ashley@188-23-176-131.adsl.highway.telekom.at] has quit ["Leaving"] 14:54 < theTroy> yep, trying to relay that to the author, seems to be a bug in firmware 14:54 -!- daemoen [n=daemoen@ct-unlimited.com] has joined ##openvpn 14:54 < daemoen> hey guys 14:55 < daemoen> getting ready to work on setting up openvpn, but not a single document tells you where to specify the certificate files and cert prive key if you have your own ssl cert 14:55 * daemoen thinks he has got to be missing something obvious somewhere... 14:55 < theTroy> in the config? 
14:55 < theTroy> ca /path/ca.crt 14:55 < theTroy> etc 14:56 * daemoen snickers 14:56 < daemoen> figures id miss something obvious somewhere 14:56 < daemoen> so used to dealing with .pem files for everything, forget that they are also .crt 14:57 -!- Ypsy is now known as YpsyZNC 15:01 < reiffert> !howto 15:01 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:02 < daemoen> ive looked at that page so many times, and scrolled right past that paragraph, heh 15:02 * daemoen smacks self 15:05 -!- daemoen [n=daemoen@ct-unlimited.com] has quit ["WeeChat 0.3.0-rc2"] 15:14 < krzee> [15:54] yep, trying to relay that to the author, seems to be a bug in firmware 15:14 < krzee> i disagree 15:14 < krzee> seems to be a bug in your setup 15:15 < theTroy> negative 15:15 < krzee> you said you're using some sort of gui 15:15 < theTroy> yes 15:15 < krzee> find the actual config file 15:15 < theTroy> and I am not telling it to push any routes to the client 15:15 < krzee> the gui has to store it somewhere 15:15 < krzee> your config is wrong 15:15 < theTroy> my config is GUI config 15:15 < theTroy> I dont write a single line 15:15 < theTroy> just tick boxes 15:15 < krzee> no shit 15:15 < krzee> find the real config file 15:15 < krzee> that the gui writes 15:16 < theTroy> but if the gui writes wrong config 15:16 < krzee> openvpn doesnt read from some magic gui, it reads from a config file 15:16 < theTroy> I am not an idiot :) I understand what GUI is 15:16 < theTroy> obviously config is written 15:16 < krzee> ok, find the config file and we'll get you running right 15:16 < krzee> seems you checked something you shouldnt have 15:16 < krzee> and i dont troubleshoot that gui, i troubleshoot openvpn 15:16 < theTroy> there arent many boxes here to check 15:17 < theTroy> krzee I am not asking for help anymore, thank you :) I will figure out the rest with the author 15:17 < krzee> ok 15:17 < krzee> gl then 15:17 < theTroy> thanks! 
:) and thanks for the help 15:18 < krzee> np 15:20 -!- Kryczek is now known as meh 15:21 -!- meh is now known as Guest16625 15:22 -!- Guest16625 is now known as Kryczek`` 15:29 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 15:33 -!- toehio [n=toehio@dyn.144-85-215-115.dsl.vtx.ch] has quit [Connection timed out] 15:34 < pipegeek> theTroy: hold on 15:34 -!- Kryczek`` is now known as Kryczek 15:34 < pipegeek> (pardon my prolonged absence) 15:35 < krzee> pipegeek, are you using redirect-gateway? 15:36 < pipegeek> no 15:37 < pipegeek> http://pastebin.com/m5c89494d 15:40 -!- |Mike| is now known as ikzoekneukslet 15:40 -!- ikzoekneukslet is now known as |Mike| 15:40 < pipegeek> I'm probably going to drop off the internet in a moment 15:40 < pipegeek> back shortly 15:42 < pipegeek> back 15:42 < |Mike|> WB ! 15:43 < pipegeek> y thank u 15:46 -!- pipegeek [n=ptr@64.107.84.160] has quit [Remote closed the connection] 15:46 * |Mike| falls of his chair 15:47 -!- pipegeek [n=ptr@64.107.84.160] has joined ##openvpn 15:50 -!- theTroy [n=troy@unaffiliated/thetroy] has quit [Read error: 104 (Connection reset by peer)] 16:16 -!- ipod [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [] 16:17 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn 16:18 < kc8pxy> !interface 16:18 < vpnHelper> kc8pxy: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 16:20 < kc8pxy> i need some help.. i can seem to get connected, that is i seem to have a successful handshake, and tun devices fire on both sides, but i can't ping anything on the vpn-side of the connection.. i have !config and !logs pastebinned if it will help. 
16:21 < kc8pxy> i have setup 2 other poenvpn's, and i don't know why this one is not working as planned. 16:24 < krzee> what ip ya tryin to ping? 16:24 < krzee> and yes, pls pastebin them 16:24 < krzee> thats exactly what we need 16:24 < kc8pxy> 10.32.64.13, one of the internal ip's 16:24 < krzee> along with OS and version of ovpn 16:24 < krzee> .13 16:24 < krzee> hrm thats not a vpn ip 16:24 < krzee> its .6 .10 .14 16:25 < krzee> unless you are using topology subnet 16:25 < krzee> (or bridged) 16:25 < kc8pxy> krzee: i have a push for that subnet in the server conf. 16:25 < krzee> !/30 16:25 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 16:26 < krzee> !forget /30 16:26 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them. 16:26 < krzee> !forget /30 * 16:26 < vpnHelper> krzee: Joo got it. 16:26 < krzee> !learn /30 as http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips 16:26 < vpnHelper> krzee: Joo got it. 16:26 < krzee> !learn /30 as you can avoid this behavior with by reading !topology 16:26 < vpnHelper> krzee: Joo got it. 
16:27 < krzee> .13 is the network address for .14 which is the clients vpn ip 16:27 < krzee> it is what the server routes to on its side 16:27 < krzee> go ahead and pastebin your stuffs 16:28 < krzee> but if you are pushing an ip to a client, be careful to use .6 .10 .14 etc etc 16:28 < kc8pxy> http://dpaste.com/72117/ <-client config 16:28 < krzee> !configs 16:28 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:28 < krzee> no comments pls 16:28 < kc8pxy> http://dpaste.com/72118/ 16:29 < kc8pxy> gar... kk 16:30 < kc8pxy> http://dpaste.com/72124/ 16:30 < kc8pxy> tha'ts client config w/o comments 16:30 < krzee> ok and server / ccd entries? 16:30 < kc8pxy> http://dpaste.com/72118/ is client log 16:31 < krzee> client config looks nice 16:31 < kc8pxy> kk 16:31 < kc8pxy> pasting server config and log 16:31 < krzee> nothing wrong with client log except you are using rc15, might as well use rc19 since you are currently setting it up 16:32 < krzee> rc19 has no currently known issues, the rc's before it must if there was a later released RC 16:32 < krzee> client log shows me you are using topology net30 (default) so i was right that you can NEVER ping .13 16:33 < kc8pxy> server is debian lenny is the server, and it's rc11, i just stuck with distro stock rev's. done that before with no issues. 
16:33 < krzee> those RC's both have known issues 16:33 < krzee> feel free to leave yourself with the old ones if you like, but they both have known issues and i personally would use rc19 16:34 < krzee> SIMPLE to install from source 16:34 < krzee> make 16:34 < krzee> make install 16:34 < krzee> done 16:35 < krzee> anyways, server stuff 16:35 < krzee> although i can already tell you 1 issue is you said you are pushing .13 16:35 < krzee> which cant happen 16:35 < krzee> !static 16:35 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 16:35 < krzee> you must push .14, not .13 for that specific client 16:35 < krzee> oh you can use topology subnet 16:35 < kc8pxy> client is gentoo, I'm no stranger to source, but i have this client connecting to another rc11 debian lenny openvpn working 16:35 < krzee> !topology 16:35 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:36 < krzee> if you use topology subnet (only requirement being you use 2.1) you dont need to worry bout that bs 16:36 < krzee> you can hand out ANY ip in that case 16:36 < krzee> all you do is add topology subnet to the server config 16:36 < krzee> should fix your problem right up, and you even get MANY more available ips 16:37 < krzee> 1 per client as opposed to 4 per client 16:38 -!- code- [i=code@antenora.aculei.net] has quit [Read error: 110 (Connection timed out)] 16:38 < kc8pxy> i don't think you understand what i said. 16:38 < krzee> and of course remove the ipp file if you have one before changing topology modes 16:38 < krzee> how so? 
16:38 -!- daemoen [n=daemoen@ct-unlimited.com] has joined ##openvpn 16:39 < krzee> and if you believe i dont understand, post the server config / ccd entries 16:39 < daemoen> Hey guys, I have actually read through the howto more carefully now, but it still has a few things in it that are not clear. 16:39 < kc8pxy> been trying to , as well as read what you're saying, 16:39 < daemoen> #1, DH is completely separate/unrelated to your server certificates themselves, correct? 16:39 < krzee> daemoen, correct 16:39 < krzee> !dh 16:39 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 16:40 < kc8pxy> http://dpaste.com/72129/ 16:40 < kc8pxy> server config 16:40 < daemoen> ok. next. We have a wildcard ssl cert we had planned on using for our vpn (though im considering just getting a cacert.org one for explicit match).... When generating the client certs, are they in any way tied to the server cert? 16:41 < daemoen> or will it be fine to use our exisiting wildcard cert, and generate only the DH/client certs 16:41 < kc8pxy> http://dpaste.com/72130/ 16:41 < krzee> kc8pxy, oh you're pushing a route 16:41 < kc8pxy> server connection log 16:41 < krzee> i see, that is in fact not what i thought you meant 16:41 < kc8pxy> i said that to begin with 16:41 < krzee> thought you were pushing the ip 16:41 < krzee> ok so that lan is behind the server, right? 16:41 < kc8pxy> nope 16:41 < kc8pxy> yes 16:42 < krzee> is the server the router for its lan? 16:42 < kc8pxy> yes, ip is behind server. 16:42 < kc8pxy> yes 16:42 < kc8pxy> yes server is router. 16:42 < krzee> it IS the default gateway for its lan? 
16:42 < kc8pxy> yes 16:42 < krzee> every lan machine uses it as default route 16:42 < krzee> ok 16:42 < krzee> client is on a diff lan subnet? 16:42 < kc8pxy> it's running the dhcp server, so it gets to say :) 16:43 < kc8pxy> yes 16:43 < krzee> 1min phone 16:43 < kc8pxy> client is on 10.0.1.x 16:43 < kc8pxy> kk 16:45 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 16:52 -!- Kacie [n=anwoke82@65.100.249.52] has joined ##openvpn 16:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:55 -!- Kacie [n=anwoke82@65.100.249.52] has left ##openvpn [] 17:03 < kc8pxy> krzee: back?> 17:04 < krzee> just got back 17:04 < krzee> for like 5min 17:04 < kc8pxy> what else should i check?? 17:04 < krzee> [17:40] ok. next. We have a wildcard ssl cert we had planned on using for our vpn (though im considering just getting a cacert.org one for explicit match).... When generating the client certs, are they in any way tied to the server cert? 17:05 < krzee> i would simply create your own CA and use those to sign server cert and client certs 17:05 < krzee> yes they are tied, they must be signed by same ca 17:05 < krzee> and that ca.key is the keys to your whole kingdom 17:05 < krzee> so using someone else's ca makes no sense to me 17:05 < krzee> makes much more sense to make your own 17:06 < krzee> kc8pxy, looks like firewall issue 17:07 < krzee> im no iptables guru, but make sure your firewall allows that subnet in accept and forward chains, over the tun device 17:08 < krzee> i dont really use linux, so i couldnt help with doing it, but you seem to know that side anyways 17:08 < kc8pxy> krzee: so it 17:08 < krzee> but ya, your problem seems to be the firewall 17:08 < krzee> you can ping vpn ip but not lan ip, right...? 17:08 < kc8pxy> :-( i thought i had that figured out. 17:09 < kc8pxy> krzee: i can ping my own, i can't ping my peer, or 1 17:10 < krzee> ahh you cant even ping 10.64.64.1 ??
17:10 < krzee> client has the routes to vpn and lan in its routing table after starting openvpn? 17:11 < kc8pxy> 100% loss to 10.64.64.1 with that client config connected. 17:11 < krzee> ok, and routes are there? 17:12 < kc8pxy> ......... no... weird. 17:12 < krzee> openvpn is currently running and connected? 17:12 < kc8pxy> one sec. 17:12 < krzee> run it without daemon mode to see foreground 17:13 < kc8pxy> krzee: been running them both in the foreground for a bit, and using tee to log and show the output 17:13 < krzee> cool 17:13 < krzee> dont need tee tho, can use --log without going to background 17:13 < krzee> but whatever works works ;] 17:14 < kc8pxy> ok, still 100% loss, but now it's saying destination unreachable. 17:14 < krzee> right cause no routes 17:14 < krzee> which i believe is because you arent connected right now 17:14 < krzee> likely timing out from inactivity due to firewall 17:14 < krzee> restart it, let it connect, check for routes 17:14 < kc8pxy> 10.64.64.1 10.64.64.5 255.255.255.255 UGH 0 0 0 tun0 17:14 < kc8pxy> 10.64.64.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 17:14 < kc8pxy> 10.32.64.0 10.64.64.5 255.255.255.0 UG 0 0 0 tun0 17:14 < krzee> ok so it does make the routes when it connects 17:15 < krzee> then its firewall 17:16 < kc8pxy> firewall is not allowing access for a ping to the server? 17:16 < krzee> firewall is not allowing ANY packets 17:16 < krzee> over the tun 17:17 < krzee> if you use verb 6 17:17 < krzee> you will see all reads and writes 17:17 < krzee> you should only see writes on server after it switches fully to data going over tun if im right 17:18 < kc8pxy> ok 17:19 < krzee> i THINK verb 5 shows them all too with less scroll 17:22 < krzee> but i know verb 4 does not 17:23 < krzee> note, it could be an issue on client firewall, except you said client works fine with other server 17:23 < krzee> so its server firewall 17:26 < kc8pxy> krzee: server firewall down, and i can ping 10.64.64.1 but not the ip behind the server.
17:26 < krzee> still a firewall issue 17:26 < kc8pxy> kk 17:26 < krzee> a completely down firewall wont forward packets like that 17:27 < Bushmills> are the 10.64.64.x addresses your own choice? 17:27 < kc8pxy> so, it's shorewall.. yay:-( 17:27 < krzee> make sure ip forwarding is enabled, and the forward/pass chain allows the vpn subnet to contact the lan subnet over tun device 17:27 < krzee> Bushmills would know more than i about iptables i assume 17:28 < krzee> i know for sure reiffert would 17:29 < Bushmills> potential collision potential. many gprs/umts providers seem to have their gateway on 10.64.64.64 17:29 < kc8pxy> Bushmills: yeah.. i wanted something out of the ordinary. i'm already starting to have issues, with commodity subnets. i have 3 vpn's I'm client of on this lappy, and something unique makes some things simpler. the way i have them, i can be on all 3 at once :) 17:30 < krzee> i use 10.8.X/24 17:30 < Bushmills> unluckily, your out of the ordinary choice is not very out of the ordinary at all. 17:30 < krzee> for vpn stuff 17:30 < krzee> 10.7.X/24 for dnstun stuff 17:30 < krzee> and 10.0.X/24 for lan stuff 17:31 < Bushmills> i thought I use the ASCII of V and P of VPN 17:31 < Bushmills> (those are 86 and 80) 17:31 < Bushmills> so i made mine 10.86.80.x 17:31 < krzee> heheh nice 17:33 -!- Kacie [n=anwoke82@65.100.249.52] has joined ##openvpn 17:37 -!- Kacie [n=anwoke82@65.100.249.52] has left ##openvpn [] 18:24 -!- brizly [n=brizly_v@p4FC9A5A6.dip0.t-ipconnect.de] has joined ##openvpn 18:39 -!- brizly1 [n=brizly_v@p4FC9A552.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 18:58 < daemoen> hey guys, just got open vpn running correctly, need some info/assistance though... a lot of our computers are windows vista and windows 7 based 18:58 < daemoen> windows 7 requires signed drivers, cant get around it, anyone know if the tap drivers are avail for windows 7 from somewhere?
18:59 < daemoen> nvm =) 19:01 < krzee> !win7 19:01 < vpnHelper> krzee: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 19:02 < daemoen> krzee: is that the actual only installer, or will rc19 have that as well? 19:02 -!- hackeron_ [n=hackeron@cpc3-seve19-2-0-cust404.13-3.cable.virginmedia.com] has joined ##openvpn 19:02 < daemoen> you would think that rc19 would have it as well (but yeah, i found out about that installer just a sec ago by googling ) 19:02 < krzee> well 19:02 < krzee> you can still use rc19 19:02 < krzee> just use the drivers from that installer 19:03 < krzee> and tell rc19 installer not to install tap 19:11 -!- hackeron [n=hackeron@gentoo/user/hackeron] has quit [Connection reset by peer] 19:24 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:33 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:33 < Douglas> sup 19:36 * Douglas pokes Kryczek 19:36 < Douglas> er 19:36 < Douglas> damn tab 19:36 * Douglas pokes krzie 19:40 * daemoen is confused now. 19:40 < daemoen> installed the openvpn rc client on windows 7.... when i had used the openvpn installer on windows xp, it had a "config" dir samples, etc.... the rc client didnt seem to have any of that... 19:40 < daemoen> so im guessing that its just a matter of creating "config" and putting the ovpn in there? 19:41 < daemoen> hehe, nvm. 
20:00 < krzee> sup dougy 20:03 < Douglas> yoo 20:03 < Douglas> pm, since its not ovpn related in any shape or form 20:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:33 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 20:48 -!- graffz [i=moneybag@la.migra.armed.us] has quit [Remote closed the connection] 21:07 -!- master_of_master [i=master_o@p549D3B73.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 -!- master_of_master [i=master_o@p549D40F2.dip.t-dialin.net] has joined ##openvpn 21:15 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 21:18 < Douglas> !win7 21:18 < vpnHelper> Douglas: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 21:18 < Douglas> !windows 21:18 < vpnHelper> Douglas: Error: "windows" is not a valid command. 21:18 < Douglas> blah 21:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 21:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 21:36 < krzee> !factoids search win 21:37 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', and 'win2k8' 21:37 < Douglas> !winipforward 21:37 < vpnHelper> Douglas: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 21:37 < Douglas> krzee++ 21:38 < Douglas> !win_ipfail 21:38 < vpnHelper> Douglas: "win_ipfail" is if the adapter fails to set the IP properly check that DHCP client service, and tap-win32 is enabled. 
21:38 < Douglas> !winroute 21:38 < vpnHelper> Douglas: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 21:41 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn 21:43 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 22:03 < onats> !ping 22:03 < vpnHelper> pong 22:39 < reiffert> moi 22:39 < reiffert> n 22:41 < krzee> haha i didnt know bout !ping 22:42 < krzee> moinmoin 22:42 < reiffert> pig 22:42 < reiffert> !ping 22:42 < vpnHelper> pong 22:43 < reiffert> it's 05:42 and I'm awake ad it looks like the n-key is not working properly. 22:46 < krzee> n-key? 22:47 < reiffert> the one between B and M 22:47 < reiffert> n-keystroke? 22:47 < krzee> wouldnt it be between M and O ? 22:48 < krzee> ohhh on the keyboard 22:48 < krzee> heheh 22:48 < reiffert> hehehe 23:40 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue Jul 28 2009 00:00 -!- clas33k [i=moneybag@la.migra.armed.us] has joined ##openvpn 00:07 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 00:36 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 00:46 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 00:52 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 01:44 -!- pipegeek [n=ptr@64.107.84.160] has quit [Remote closed the connection] 01:48 -!- methylenedioxy [n=halcyonl@67.159.30.243] has joined ##openvpn 01:48 -!- c64zottel [n=hans@p5B17A993.dip0.t-ipconnect.de] has joined ##openvpn 01:50 < methylenedioxy> !route 01:50 < vpnHelper> methylenedioxy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or 
(#2) READ IT DONT SKIM IT 01:59 -!- clas33k [i=moneybag@la.migra.armed.us] has quit [Remote closed the connection] 02:04 < methylenedioxy> If any of the writers of that documentation are watching/lurking at the moment, thank you very much :) Very helpful 02:04 -!- methylenedioxy [n=halcyonl@67.159.30.243] has left ##openvpn [] 02:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:18 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)] 02:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:22 -!- methylenedioxy [n=halcyonl@67.159.30.243] has joined ##openvpn 02:24 < methylenedioxy> !redirect 02:24 < vpnHelper> methylenedioxy: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 02:32 -!- methylenedioxy [n=halcyonl@67.159.30.243] has left ##openvpn [] 03:02 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, fred, Kryczek, eliasp, JyZyXEL, Typone, dimedo, plaerzen 03:02 -!- Netsplit over, joins: eliasp, plaerzen, JyZyXEL, flokuehn, Kryczek, dimedo, fred, krzie, Typone 03:08 -!- kladizkov [n=fabin@61.17.17.157] has joined ##openvpn 03:09 < kladizkov> is it possible to use a VPN connection as http proxy without having to install a proxy software like squid? 03:13 < Bushmills> kladizkov, about as much as you can use a network cable between two network cards as proxy 03:15 < kladizkov> does that mean, if i connect from my windows after configuring VPN.. and if i take my browser.. can i browse straight away using the VPN connection? 03:15 -!- Dieterbe [n=Dieterbe@213.219.136.83.adsl.dyn.edpnet.net] has joined ##openvpn 03:16 < Bushmills> it means, if the computer at the other end can serve as proxy, the vpn can give you a connection to it. 03:16 < Dieterbe> Hello, when using openvpn on linux, all tutorials say to manually `mknod /dev/net/tun c 10 200`.
This works fine, but i wonder why this is needed. Can't this be done automatically? 03:18 < Bushmills> Dieterbe, shouldn't be needed with devfs or sysfs 03:21 < Bushmills> some linux for resource-starved routers may be without that, but most current day linuxes should create their device files automatically 03:22 < Dieterbe> hmm using debian5, which probably uses udev. i'll investigate 03:23 < Bushmills> the tutorials you're reading may be outdated 03:35 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 03:51 -!- onats1 [n=15172@221.121.120.254] has joined ##openvpn 03:54 -!- onats [n=15172@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)] 04:19 < kladizkov> Bushmills: does it mean that the user *doesn't* have to set http proxy IP and port in their browser? 04:22 < Bushmills> kladizkov, if remote computer is used as gateway to internet, that's right. but that would hardly qualify the name "proxy". if there's a proxy on remote, it depends: if remote is set up as gateway, and proxy on remote is set up as transparent proxy, that's right too. if remote proxy is not set as transparent, and/or remote is not gateway, user needs to do local setup. 04:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:24 < Bushmills> good morning krzee 04:24 < krzee> moin moin man! 04:24 < Bushmills> If any of the writers of that documentation are watching/lurking at the moment, thank you very much :) Very helpful 04:24 < Bushmills> * methylenedioxy (n=halcyonl@67.159.30.243) has left ##openvpn 04:24 < krzee> in the airport waiting a bit 04:24 < krzee> ahh cool, that was about !route?
04:24 < Bushmills> (doc was http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing) 04:25 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 04:25 < krzee> =] 04:25 < krzee> thanx, i love hearing positive feedback on that one 04:25 < Bushmills> i thought so :) 04:27 < Bushmills> but, strictly speaking, he didn't thank you 04:27 < Bushmills> it was conditional: " If any of the writers of that documentation are watching/lurking at the moment..." 04:27 < Bushmills> you were neither watching nor lurking 04:29 < Bushmills> you're on the way to HAR? 04:30 < krzee> well my client krzie was lurking ;] 04:30 < krzee> nah not yet, headed to california right now 04:30 < krzee> then new york 04:30 < krzee> then HAR 04:31 < krzee> im in florida 04:31 < Bushmills> ah. you're aware of elevator syndrome at customs? 04:31 < krzee> no whats that? 04:31 < Bushmills> just as elevators go from 12th to 14th floor, customs officers' watches go from 4:19 to 4:21 04:31 < krzee> haha 04:52 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:19 < krzee> so 05:19 < krzee> i got to the airport... 05:19 < krzee> they did not have me setup to be on the plane 05:19 < krzee> i bought the ticket over the phone 05:20 < krzee> so i check my credit card, i was not charged 05:20 < krzee> luckily i record my phonecalls 05:20 < krzee> those damn indian call-centers suck 05:21 < krzee> im far from racist, but when you are american, call an american business, for travel within america, the person should damn well be american (or sound like it and understand it) 05:22 < krzee> (i expect when i go to germany and try to buy a ticket for travel within germany from a german airline, that the people will be german 05:22 < krzee> ) 05:22 < krzee> that ends my pre-flight rant 05:22 < Bushmills> my tickets were purchased online.
05:22 < krzee> be back from california after my flight 05:23 < Bushmills> one is supposed to print them out, but they accept them on a PDA too 05:23 < krzee> time to board 05:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 05:39 -!- c64zottel [n=hans@p5B17A993.dip0.t-ipconnect.de] has left ##openvpn [] 05:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:23 -!- Dieterbe [n=Dieterbe@213.219.136.83.adsl.dyn.edpnet.net] has left ##openvpn [] 06:54 -!- YpsyZNC is now known as Ypsy 07:27 -!- thedoc_ [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn 07:28 -!- kyrix [n=ashley@80-121-36-74.adsl.highway.telekom.at] has joined ##openvpn 07:29 -!- treats [n=jl@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has joined ##openvpn 07:30 < treats> nub question: where are the server log files on a unix machine? 07:36 < ecrist> depends on where you put them in your config 07:36 < ecrist> more than likely, they'll be in all.log, if you've got it configured, but the openvpn-only log file is determined in the config 07:38 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 07:40 < treats> thanks ecrist 07:47 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 08:09 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 08:17 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn 08:41 < kladizkov> Bushmills: In order to avoid local browser setup, is it necessary that the remote openvpn server should be both a gateway and has transparent proxy? 08:43 < kladizkov> suppose it has squid ( setup as transparent proxy ), but not a gateway, then can clients browse without any changes done to browser configuration? 08:49 -!- mrme [n=Administ@ns303573.ovh.net] has joined ##openvpn 08:49 < mrme> hi all 08:49 < mrme> can I tell openvpn to check health 08:49 < mrme> like ping ?
08:50 < Douglas> what do you mean "health" 08:51 < mrme> I mean reconnect 08:52 * Douglas logs onto the forum 08:52 < mrme> k 08:52 < mrme> thanx 08:57 -!- mrme [n=Administ@ns303573.ovh.net] has quit ["Leaving"] 09:10 -!- teddy_ [n=teddy@208.92.235.227] has joined ##openvpn 09:11 < teddy_> Can I install OpenVPN (bridged mode) on my LAN computer? Then portforward 1194/udp from my router to the OpenVPN server? Will that work? 09:15 < dazo> teddy_: Yes, that will work 09:16 < teddy_> Really? That's great news if just portforwarding 1194/udp is good enough to make OpenVPN work. 09:16 < dazo> teddy_: yes, really :) I've done it myself in some setups 09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:17 < teddy_> I was going to choose OPENVPN ROUTED, but that will only talk to the OPENVPN server itself..I will have to do a OpenVPN bridged since I need to talk to all the computers on that LAN where OpenVPN is also on... 09:17 < ecrist> teddy_: no 09:17 < ecrist> !route 09:17 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:18 < Douglas> yoooooooo 09:18 * Douglas waves to ecrist 09:19 < ecrist> sup, douglas? 09:19 < Douglas> nada 09:19 < Douglas> how you doin 09:24 < ecrist> doing OK 09:24 < ecrist> got some serious road rash on my right arm from a failed attempt at riding my motorcycle 09:25 < Douglas> ouch 09:25 < Douglas> :( 09:25 < Douglas> what kinda bike you got? 09:25 * Douglas is wearing a motorcycle shirt 09:26 < ecrist> it's a 1972 honda 350cc 09:26 < Douglas> ah 09:26 < Douglas> nice 09:26 < ecrist> using it for the rest of the summer, will buy something nice next spring. 09:26 < Douglas> get a harley 09:29 < ecrist> nope 09:29 < ecrist> Victory Vegas 09:29 < Douglas> victory..
09:29 < Douglas> i think my uncle deals those too 09:30 * Douglas goes to look 09:30 < ecrist> Victory is made by Polaris, which is based here in Minnesota 09:30 < ecrist> the Victory factory is in Spirit Lake, Iowa 09:31 < ecrist> lived there for a summer. lots of drinking and whoring. 09:31 < ecrist> ;) 09:31 < ecrist> http://www.polarisindustries.com/en-us/Victory/2009/8-Ball-Cruisers/Vegas-8-Ball/Pages/features.aspx 09:31 < Douglas> lmfao ecrist 09:32 < Douglas> win 09:32 < ecrist> 1634cc displacement 09:33 < Douglas> BERLIN - GERMAN police said on Tuesday they had caught a 12-year-old boy in possession of more than 150 doses of heroin and hundreds of euros in cash. 09:33 < Douglas> god damn 09:37 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 09:38 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:40 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 113 (No route to host)] 09:41 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 09:43 -!- thedoc_ is now known as thedoc 10:04 < Douglas> ahh 10:04 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit [] 10:07 < MadTBone> what's the purpose of the Diffie Hellman parameters? 10:08 -!- jeiworth [n=jeiworth@189.163.255.127] has joined ##openvpn 10:23 -!- Troy_unv [i=d4fad70d@gateway/web/freenode/x-38e737d307f636dc] has joined ##openvpn 10:23 -!- Troy_unv [i=d4fad70d@gateway/web/freenode/x-38e737d307f636dc] has left ##openvpn [] 10:36 < ecrist> MadTBone: Diffie-Hellman key exchange (D-H) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel. This key can then be used to encrypt subsequent communications using a symmetric key cipher. 
10:37 < ecrist> a quick google search turns up a lot 10:37 < ecrist> http://en.wikipedia.org/wiki/Diffie_Hellman 10:37 < vpnHelper> Title: Diffie-Hellman key exchange - Wikipedia, the free encyclopedia (at en.wikipedia.org) 10:37 < daemoen> !dh 10:37 < vpnHelper> daemoen: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 10:43 < MadTBone> ecrist: thanks... just wondering about the order of operations during a config ... in the How-To, build-dh is listed *after* build-key client[1-3] .... however, my understanding is that adding a client does not require rebuilding DH params 10:53 -!- Douglas [n=billing@66.45.235.77] has joined ##openvpn 11:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:22 -!- kyrix [n=ashley@80-121-36-74.adsl.highway.telekom.at] has quit ["Leaving"] 11:24 < ecrist> nope, it does not 11:24 < ecrist> order in the config doesn't matter 11:24 < ecrist> all options are parsed before execution. 11:24 -!- spectre- [n=Uganda@41.210.144.95] has joined ##openvpn 11:25 < spectre-> ok 11:25 < spectre-> newbie question time 11:25 < ecrist> \o/ 11:26 < spectre-> is a vpn going to allow, say, a remote site using 192.168.0.0/24 to all of a sudden appear on my local network as 192.168.5.0/24? 11:26 < spectre-> or does the remote network have to retain the subnets it uses for representation on the vpn lan it connects to? 11:27 < spectre-> or, alternatively, am i way off base and the two vpn servers communicate using their public ip's only? 11:27 < thedoc> spectre-, No, your vpn should not suddenly change subnets 11:27 < spectre-> (i'm tunneling across the net in this example) 11:27 < spectre-> ok 11:28 < thedoc> spectre-, so am I.
11:28 < spectre-> so i can't have a site using 192.168.0.0/24 vpn to a network using the same? 11:28 < thedoc> spectre-, discontigeous (sp?) networks, no. 11:29 < spectre-> are you saying that each of my sites that vpn to my host network must use different subnets from eachother internally 11:29 < spectre-> ? 11:29 < ecrist> spectre-: yes, you can provided two conditions 11:29 < ecrist> 1) you need a tap-based VPN (bridged) 11:30 < ecrist> 2) You need to make sure you don't have duplicate IPs between the two networks. 11:30 < thedoc> ecrist, and that's more problem than it really is ;) 11:30 < spectre-> i'm not trying to accomplish bridging a subnet, i'm just trying to create a multiclient-server vpn setup 11:30 < spectre-> and wondering what i have to do in preparation for that 11:31 < ecrist> your question, as worded, was about bridging a subnet 11:31 < spectre-> sure 11:31 < ecrist> perhaps try rewording 11:31 < spectre-> i'm just clarifying 11:31 < spectre-> :) 11:32 < ecrist> don't ask one question, have it answered and tell us we answered the wrong question. 11:32 -!- Darkclaw66 [n=andre@unaffiliated/darkclaw66] has joined ##openvpn 11:32 < Darkclaw66> I am running OpenVPN and I am wondering if its safe to use a rule in pf.conf "pass in quick on $vpn_if" 11:32 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has left ##openvpn [] 11:33 < spectre-> i'm not telling you anything other than clarifying what i meant because i'm aware that my original questioning was misleading :) 11:33 < ecrist> Darkclaw66: depends on how well you trust your vpn users. 11:33 < ecrist> spectre-: so, what is your question? 11:33 < spectre-> so, do i need to go to each remote site then and configure them to use different non-overlapping subnets? 11:33 < spectre-> from each other? 11:33 < spectre-> before vpn'ing? 11:34 < Darkclaw66> anyone know?
11:34 < ecrist> no, you don't need to spectre- 11:34 < ecrist> Darkclaw66: I answered your question 11:34 < ecrist> 11:33 < ecrist> Darkclaw66: depends on how well you trust your vpn users. 11:34 < Darkclaw66> I dont trust them 11:34 < spectre-> and, to be more specific, what i'm trying to accomplish is remote access to a database application without using termservices 11:34 < ecrist> they will be assigned an address on the VPN interface for the VPN subnet 11:35 < Darkclaw66> ecrist, how do I specify specific access to certain ports? 11:35 < ecrist> Darkclaw66: then you need to firewall the VPN interface as you would any other interface. 11:35 < ecrist> Darkclaw66: /j #pf 11:35 < spectre-> ok so if it's 192.168.0.0 locally, i can have the VPN map it to 192.168.5.1 in the server network? 11:35 < Darkclaw66> if I default to block all, wouldnt it be allowing 11:35 < Darkclaw66> gotcha 11:35 < spectre-> so as to block ip conflicts? 11:36 < ecrist> sure 11:36 < ecrist> !1918 11:36 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 11:36 < ecrist> I would use the 172.16/12 subnet, myself. 11:36 < spectre-> any reason why? :) 11:36 < ecrist> most company lans use 10/8 and most home systems use 192.168/16 11:37 < spectre-> right 11:37 < ecrist> 172.16/12 is relatively untouched. 11:37 < spectre-> home lans and my local isp haha 11:37 < spectre-> ok 11:37 < spectre-> gotcha 11:37 < spectre-> good advice 11:37 < spectre-> now, can i specify subnet mappings based on client site? 11:38 < spectre-> so say site 1 gets 5.0, site 2 gets 6.0 11:38 < spectre-> etc? 11:38 < ecrist> yes 11:38 < ecrist> !ccd 11:38 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name 11:38 < spectre-> nice channel bot. 11:38 < ecrist> spectre-: I would suggest you read the man page as well as the howto 11:39 < spectre-> will do ;) just doing some preliminary 11:39 < ecrist> you're doing it backwards. 11:39 < spectre-> ok now, another newbie one, i can make this port specific? 11:39 < ecrist> only with a firewall on the client side. 11:40 < spectre-> what i'm working with are pfsense boxes 11:40 < spectre-> so that's fine then i guess 11:40 < ecrist> you would have to do policy-based routing within pf 11:41 < spectre-> so openvpn is an uncontrolled secure(maybe) link between sites, then? it's up to the firewall to lock down the ports? 11:41 < ecrist> yes 11:41 < ecrist> VPN != Firewall 11:41 < spectre-> k 11:41 < spectre-> cool 11:41 < spectre-> right 11:42 < spectre-> perhaps this is overkill if i just want tunneling to a few ports? 11:42 < ecrist> spectre-: I would use SSH for that 11:42 < spectre-> like site a can securely tunnel to site b over port 12345? 11:43 < spectre-> well, it needs to be continuous, accessible on the remote lans, etc 11:43 < spectre-> how well does this handle bad links? 11:44 < spectre-> (i'm in uganda doing this for a hospital and the isp's here are shit) 11:44 < spectre-> flapping, hard outs, etc 11:45 < ecrist> spectre-: you're well outside the bounds of this channel topic 11:45 < spectre-> eh? 11:45 < ecrist> however, with a proper wrapper script, an SSH tunnel sounds like it would be sufficient 11:45 < spectre-> ah 11:46 < ecrist> run the tunnel on your pfsense box and use policy-routing within the ruleset. 
11:48 < spectre-> yeah 11:48 < spectre-> meh, maybe i'll do the vpn 11:49 < spectre-> i want to do a/d replication and such as well 11:49 < spectre-> so it may be best 11:49 < spectre-> thanks for the info 12:01 -!- Darkclaw66_ [n=andre@akprofessionalconsulting.com] has joined ##openvpn 12:05 -!- kladizkov [n=fabin@61.17.17.157] has quit ["Ex-Chat"] 12:14 -!- Darkclaw66 [n=andre@unaffiliated/darkclaw66] has quit [Read error: 110 (Connection timed out)] 12:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:45 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 13:11 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 13:47 < ecrist> devshed has way too many annoying fucking advertisements. 13:47 < ecrist> FUCK 13:48 -!- Ypsy is now known as YpsyZNC 13:48 < ecrist> SafariBlock to the resuce 13:48 < ecrist> rescue* 14:13 -!- Dougy [i=Douglas@doug.rackvibe.com] has joined ##openvpn 14:17 -!- Douglas [n=billing@66.45.235.77] has quit [] 14:17 -!- Dougy is now known as Douglas 14:21 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn 14:22 < DammitJim> I need some guidance in regards to DHCP with a VPN 14:23 < DammitJim> I have successfully set up a VPN using static IP address 14:23 < DammitJim> how do I set the VPN server to hand out IPs dynamically? 14:23 -!- brizly [n=brizly_v@p4FC9A5A6.dip0.t-ipconnect.de] has left ##openvpn [] 14:34 < ecrist> DammitJim: OpenVPN, right? 14:34 < ecrist> it should just hand them out, automagically. 14:34 < ecrist> !configs 14:34 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:36 < DammitJim> yes, ecrist 14:37 < DammitJim> ok, I'm going to pastebin 14:40 -!- k4dm3l [n=kadm3l@190.144.247.194] has joined ##openvpn 14:40 < k4dm3l> hello!
14:40 < k4dm3l> i'm trying to get access to a VPN with a linux ubuntu client! 14:40 < k4dm3l> but it does not up interfaces 14:40 < k4dm3l> anyone can help me? 14:41 < DammitJim> http://www.pastebin.com/m708d703e 14:41 < DammitJim> :) 14:42 < DammitJim> that config is working, but it is basically a point to point... how do I set it up to do dhcp? 14:42 < ecrist> expired or unknown paste id 14:43 < DammitJim> http://pastebin.com/m708d703e 14:43 < DammitJim> sorry, I guess www shouldn't go before pastebin 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:49 -!- brizly [n=brizly_v@p4FC9A5A6.dip0.t-ipconnect.de] has joined ##openvpn 14:51 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 14:53 < DammitJim> do I just need to get rid of ifconfig 10.80.0.1 10.80.0.2 and instead, enter 14:53 < DammitJim> server 10.8.0.0 255.255.255.0 14:54 < DammitJim> on the server.conf 14:54 < DammitJim> and for the client, 14:55 < DammitJim> change nothing? 14:58 < DammitJim> why does openvpn require ifconfig if --dev tun is used? 14:59 < Douglas> you ask a shit pile of questions 14:59 < Douglas> reminds me of me.. way too much 14:59 < DammitJim> lol @ Douglas 14:59 < DammitJim> it's better to ask than to remain silent and learn nothing? 15:00 < Douglas> this is true 15:00 < Douglas> however some googling would answer just about everything you have asked 15:00 < DammitJim> I've been googling 15:00 < Douglas> here you go: make a list of ALL your questions etc 15:00 < Douglas> and 15:00 < Douglas> !forum 15:00 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 15:00 < DammitJim> but there are tons of different answers w/o consistency 15:00 < DammitJim> that's why I came to ask here 15:02 < k4dm3l> whats your problem DammitJim ?
15:03 < DammitJim> I currently have a VPN working but I'm statically assigning IP address per client
15:03 < DammitJim> I'd like to use DHCP instead
15:03 < k4dm3l> ok
15:04 < k4dm3l> simply use a line "server 10.0.4.0 255.255.255.0" that means you will use a 24 bit subnet
15:04 < k4dm3l> can you post your server.conf ?
15:04 < k4dm3l> and some client conf?
15:04 < DammitJim> got that
15:05 < DammitJim> http://pastebin.com/m708d703e
15:05 < DammitJim> thanks k4dm3l
15:05 < Douglas> DammitJim++
15:05 < Douglas> I was going to bitch at you for having comments in your configs, but you don't
15:06 < DammitJim> LOL @ Douglas... sorry... I've been yelled at that many times already
15:06 < DammitJim> so, you missed your opportunity
15:06 < DammitJim> lol
15:09 < DammitJim> oh... I might need to use tap
15:16 < DammitJim> do I have to specify a separate DHCP server?
15:16 < Douglas> no
15:17 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.12/2009070611]"]
15:21 < k4dm3l> noooooo
15:21 < k4dm3l> openvpn has its own
15:21 < k4dm3l> use proto udp
15:21 < k4dm3l> is better
15:22 < DammitJim> I'm at Route: Waiting for TUN?/TAP interface to come up
15:22 < DammitJim> ok, I'm going to change that and see if that works
15:27 < k4dm3l> http://www.privatepaste.com/c80bfMlFa4
15:27 < k4dm3l> that will be your config files
15:27 < DammitJim> thank you, sir
15:27 < k4dm3l> you had to work server2server
15:27 < k4dm3l> like a tunnel
15:27 < k4dm3l> but with a tunnel you only need secret.key
15:27 < DammitJim> oh
15:28 < DammitJim> thanks k4dm3l I'm going to try it
15:30 < k4dm3l> the ifconfig you specify 2 address, for each end of the tunnel
15:30 < DammitJim> oh
15:34 < DammitJim> k4dm3l, for the server, you put 10.82.0.1... can I just change that to
15:35 < DammitJim> 10.80.0.0
15:40 < k4dm3l> with a road warrior method, just say server IP_RANGE SUBNET_RANGE
15:40 < k4dm3l> course
15:41 < k4dm3l> it says your clients will receive an address from 10.80.0.0 to 10.80.0.255
15:43 -!- kc8pxy [n=gecko@dsl093-212-231.clb1.dsl.speakeasy.net] has joined ##openvpn
15:44 < DammitJim> thanks
15:45 < DammitJim> what did you mean when you said IP_RANGE SUBNET_RANGE
15:45 < DammitJim> substitute those with address/range?
15:46 < k4dm3l> thats the order... server XXX.XXX.XXX.XXX BBB.BBB.BBB.BBB
15:46 < DammitJim> oh... right!
15:47 < DammitJim> :)
15:47 < k4dm3l> where X is the IP range, and B is the subnet
15:47 < DammitJim> and to be clear.. this connection is not a bridge, right?
15:49 < reiffert> you guys know
15:49 < reiffert> !route
15:49 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:49 < reiffert> ?
15:51 < k4dm3l> nop
15:51 < k4dm3l> is tun
15:54 < reiffert> !factoids search tun
15:54 < vpnHelper> reiffert: 'mactuntap' and 'tunortap'
15:54 < reiffert> !tunortap
15:54 < vpnHelper> reiffert: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
16:15 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"]
16:35 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
16:37 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
16:37 < PeterFA> It's me again.
16:37 < PeterFA> Why can't openvpn be able to make a tun or a tap?
16:38 < PeterFA> Oh, lemme look at the open vpn site.
16:38 < PeterFA> I think I remember this part now.
16:42 < k4dm3l> explain yourself
16:44 < PeterFA> I have a config file that I got from this company that sells VPN connectivity. When I run OpenVPN, OpenVPN ultimately errors out that it cannot create the tun dev dynamically.
16:45 < PeterFA> Tue Jul 28 14:35:00 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
16:45 < PeterFA> Tue Jul 28 14:35:00 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
16:45 < PeterFA> Tue Jul 28 14:35:00 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
16:45 < PeterFA> Oops, sorry.
16:45 < PeterFA> It says that just once.
16:45 < thedoc> They suck then.
16:45 < thedoc> PeterFA, I sell vpn connectivity too :D
16:46 < thedoc> You could migrate to me ;)
16:46 < PeterFA> I'm working for them :D
16:46 < thedoc> lmao! <3
16:46 < PeterFA> The problem really looks like it's my end.
16:52 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
16:54 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
16:54 < PeterFA> Yay! I'm now using my VPN connection!
16:59 < |Mike|> and what was the problem?
17:03 < reiffert> PeterFA: mknod
17:03 < reiffert> cd /dev/net; mknod tun c 10 200
17:03 < reiffert> or similar.
17:04 < Douglas> oh hey
17:04 < Douglas> that wouldnt happen to be openvz
17:08 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
17:08 < PeterFA> |Mike|, the problem was the module for Mr. Tun wasn't there.
17:08 < |Mike|> makes sense :)
17:08 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
17:10 < Douglas> oh hey
17:10 < Douglas> its td
17:13 -!- k4dm3l [n=kadm3l@190.144.247.194] has quit [Remote closed the connection]
17:13 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn
17:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:14 < tjoff> !route
17:14 < vpnHelper> tjoff: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:14 < tjoff> !howto
17:14 < vpnHelper> tjoff: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:15 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
17:16 < tjoff> !redirect
17:16 < vpnHelper> tjoff: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:16 < RadarG> I have almost got the link up but I'm getting an error on the client that says local address is not valid in its context. Does anyone know what this means
17:20 < RadarG> A google search says its a mismatch between server and topology mode but what does that mean
17:29 -!- kc8pxy [n=gecko@dsl093-212-231.clb1.dsl.speakeasy.net] has quit [Read error: 60 (Operation timed out)]
17:39 -!- WnnR [n=rvillarr@97-87-24-82.static.aldl.mi.charter.com] has joined ##openvpn
17:46 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
18:03 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
18:07 -!- WnnR [n=rvillarr@97-87-24-82.static.aldl.mi.charter.com] has quit ["Outa here"]
18:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
18:26 < RadarG> any ideas?
18:35 -!- jeiworth_ [n=jeiworth@189.163.255.127] has joined ##openvpn
18:36 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 104 (Connection reset by peer)]
18:40 -!- brizly [n=brizly_v@p4FC9A5A6.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
18:42 -!- brizly [n=brizly_v@p4FC9A584.dip0.t-ipconnect.de] has joined ##openvpn
18:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
18:51 -!- jeiworth_ is now known as jeiworth
18:58 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
19:02 < kc8pxy> this is not totally openvpn stuff, but related.
19:02 < kc8pxy> test
19:03 < kc8pxy> ll
19:03 < kc8pxy> kk
19:03 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
19:03 < jthan> Hey all. I have a few questions. The main one is - is using vnc over a vpn secure?
19:03 < kc8pxy> i have an openvpn up and working with shorewall.
19:04 < kc8pxy> jthan: why would it not be?
19:04 < jthan> kc8pxy: I don't know? Because vnc by itself is very insecure.
19:06 < krzee> [17:03] Hey all. I have a few questions. The main one is - is using vnc over a vpn secure?
19:06 < krzee> its as secure as the vpn
19:06 < kc8pxy> jthan: it should be equally as secure as you keep your openvpn keys. rsa is a nasty nut to crack. talking frankly, (insecure vnc) in a locked bank vault (rsa-keyed vpn) would seem secure to me
19:06 < jthan> Alright. But can others on the same vpn intercept the traffic?
19:06 < krzee> the vnc server should only listen on the vpn ip
19:06 < krzee> no
19:07 < krzee> unless they cracked the server
19:07 < krzee> in which case, who cares cause they already have access to create a vnc of their own by then
19:08 < jthan> Hm.
19:08 < kc8pxy> jthan: only if they crack your server, or are on the same broadcast domain as the machine you are vnc'ing into, could i see someone intercepting it.
19:08 < thedoc> If they are on your boxes, you have bigger problems to worry about.
19:08 < jthan> of course.
19:09 < jthan> I have a vps that acts as my openvpn server, and I'm just assessing adding a friend to the vpn so I can vnc into his box for remote support basically.
19:09 < jthan> I'm not worried about the security of my vpn or server, more so his computer.
19:09 < krzee> just make sure his vnc server only listens on the vpn ip
19:09 < jthan> 1094 (default)
19:09 < jthan> or you mean the internal IP
19:09 < jthan> *doh*
19:10 < krzee> then only people who can reach the vpn ip can access it
19:10 < krzee> as in 10.8.0.1
19:10 < jthan> Right
19:10 < |Mike|> left.
19:10 < krzee> which means anyone on the server, anyone on the vpn
19:10 < krzee> for that last part, theres an exception
19:11 < jthan> Right
19:11 < |Mike|> left.
19:11 < jthan> because you can disable client to client communication
19:11 < krzee> if you do not use --client-to-client, you could give him and you static vpn ips, and firewall off the others
19:11 < krzee> you can selectively enable it
19:11 < jthan> That's what I'm reading now.
19:11 < krzee> --client-to-client allows it to happen within openvpn proc
19:12 < krzee> not using that means packets hit the kernel, can use firewall
19:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
19:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:41 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has left ##openvpn []
19:44 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit []
19:57 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
19:58 -!- Darkclaw66_ [n=andre@akprofessionalconsulting.com] has quit ["Leaving"]
20:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
20:14 -!- jeiworth [n=jeiworth@189.163.255.127] has quit [Read error: 104 (Connection reset by peer)]
20:14 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
20:17 < daemoen> hey guys, is there a way of specifying the ip used by openvpn, as well as the ip pool that it will assign?
20:18 < daemoen> i know that generally, it uses the first # of the subnet it is set to use...
21:07 -!- master_of_master [i=master_o@p549D40F2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3A02.dip.t-dialin.net] has joined ##openvpn
21:25 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:36 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
21:54 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
21:54 < PeterFA> Is there some sort of unary operator like the Java syntax "test? yes: no"
21:54 < PeterFA> Well, something resembling that.
21:55 < PeterFA> Er, wrong window.
21:55 < PeterFA> That was for BASH
22:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
22:05 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
22:13 < PeterFA> Is there a way of knowing by commandline when OpenVPN has created a VPN?
22:13 < PeterFA> Like, "Yeah, it's OK now!"
22:24 < kc8pxy> I'm trying to nail down where and how i can fix the issue with my vpn clients not being able to access the machines on the serverside of the connection.
22:25 < kc8pxy> my test client can connect to the vpn, and ping, as well as ssh into the vpn server, via openvpn ip address, and the server's lan address. but everything else on the lan seems to be off-limits
22:26 < Douglas> did you enable client-to-client
22:26 < kc8pxy> no.
22:26 < kc8pxy> I'm not looking for other clients, i'm looking to access other machines on the route i pushed.
23:42 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
--- Day changed Wed Jul 29 2009
00:13 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
00:13 -!- spectre- [n=Uganda@41.210.144.95] has quit ["Leaving"]
00:18 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has joined ##openvpn
00:18 < Darkclaw66> how can I have openvpn client automatically disconnect itself after inactivity for 10 mins?
00:26 < Darkclaw66> anyone here?
00:26 < Darkclaw66> I need to have the client disconnect itself
00:35 < Darkclaw66> anyone?
00:37 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
00:38 < Darkclaw66> this place is dead too often
00:38 < daemoen> Darkclaw66: if you think this is bad, try getting help in ddwrt some time :p its usually much worse. you missed the activity earlier
00:39 < Darkclaw66> lol
00:39 < Darkclaw66> well, im doing my best but its not good enough
00:39 < Darkclaw66> !help
00:39 < vpnHelper> Darkclaw66: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
00:39 < Darkclaw66> !help persist-tun
00:39 < vpnHelper> Darkclaw66: Error: There is no command "persisttun".
00:39 < Darkclaw66> ? persist-tun
00:40 < Darkclaw66> what does persist-tun do? I can't find info on it
00:41 < reiffert> !factoids search persist
00:41 < vpnHelper> reiffert: No keys matched that query.
00:41 < reiffert> !factoids search tun
00:41 < vpnHelper> reiffert: 'mactuntap' and 'tunortap'
00:41 < Darkclaw66> !factoids persist-tun
00:41 < vpnHelper> Darkclaw66: Error: The "Factoids" plugin is loaded, but there is no command named "persist-tun" in it. Try "list Factoids" to see the commands in the "Factoids" plugin.
00:41 < reiffert> !man
00:41 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:41 < Darkclaw66> !man persist-tun
00:41 < vpnHelper> Darkclaw66: Error: "man" is not a valid command.
00:42 < Darkclaw66> okay cool
00:42 < reiffert> --persist-tun
00:42 < reiffert> Don't close and reopen TUN/TAP device or run up/down scripts across SIGUSR1 or --ping-restart
00:42 < reiffert> restarts.
00:42 < reiffert> SIGUSR1 is a restart signal similar to SIGHUP, but which offers finer-grained control over reset op-
00:42 < reiffert> tions.
00:43 < Darkclaw66> I am reading it but I dont know if its what I need to change
00:44 < Darkclaw66> why shouldnt I disable that?
00:45 < reiffert> I have no idea.
00:45 < Darkclaw66> oh well
01:00 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Remote closed the connection]
01:01 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
01:07 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
01:12 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn
01:23 -!- [2]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
01:23 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn
01:24 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
01:24 -!- [2]anwoke is now known as anwoke
01:26 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:45 < Darkclaw66> how can I have the openvpn client automatically disconnect itself when theres inactivity?
01:47 -!- anwoke [n=A@65.100.249.52] has quit [" HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!"]
01:53 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has quit ["Leaving"]
01:54 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has joined ##openvpn
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:25 -!- Nullslash [n=ahmed@cpe-24-164-133-222.si.res.rr.com] has quit [Client Quit]
02:46 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit [Read error: 110 (Connection timed out)]
02:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:06 -!- CoffeeIV_ [n=CoffeeIV@adsl-99-162-117-1.dsl.austtx.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
03:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:22 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit []
03:26 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
03:26 < jthan> hello all. I'm trying to build a ca key on my openvpn server and I get this error http://pastebin.ca/1510858
03:34 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
03:46 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
03:46 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
03:47 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
03:47 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)]
03:52 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn
04:11 -!- YpsyZNC is now known as Ypsy
04:27 < Bushmills> jthan, you didn't execute ./vars
04:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:44 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection]
04:52 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:55 -!- freaky[t] [i=schnucki@member.team-box.net] has joined ##openvpn
05:00 < reiffert> Bushmills: you need to source it.
05:01 < Bushmills> true
05:01 < Bushmills> . vars
05:01 < Bushmills> i shouldn't give pre-coffee replies
05:02 -!- |Mike|_ is now known as |Mike|
05:02 < reiffert> :)
05:35 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:54 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
05:56 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:23 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
06:24 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
06:27 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 104 (Connection reset by peer)]
06:29 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
06:48 < dazo> !route
06:48 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:26 -!- Robuster [n=hype@server77-68-53-8.live-servers.net] has joined ##openvpn
07:26 < Robuster> hello
07:26 < Robuster> is anyone alive?
07:27 < Robuster> i've been struggling with this openvpn install on debian 4 for about 5 hours now
07:28 < Robuster> i'm following some flash tutorial and i see that right after he does the apt-get install openvpn, he gets a configuration wizard to setup TUN/TAP
07:28 < Robuster> but i dont get this
07:35 -!- teddy_ [n=teddy@208.92.235.227] has quit [Client Quit]
07:36 < thedoc> Has anyone tried setting up a http tunnel on squid and openvpn on the same server where the user is required to do a http connect to the proxy first before it can connect to the vpn?
07:38 < Bushmills> !howto
07:38 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:38 < Bushmills> Robuster, ^^^
07:39 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
07:39 < muh2000> hi
07:39 < Bushmills> 'lo
07:41 < thedoc> Bushmills, I was just asking on some thoughts on that. I don't think there's a reference in the manual for that.
07:41 < Bushmills> thedoc, almost, just other way around. my machine needs to connect to openvpn first, before it can connect to squid on the same remote machine :P
07:42 < Bushmills> thedoc, the next line, saying "Robuster, ^^^", means that the howto was directed at Robuster
07:42 < thedoc> Ahh.
07:43 < thedoc> Bushmills, I use it in this case to get out of corporate firewalls :|
07:43 < thedoc> Or proxies which are sitting in the middle.
07:43 < thedoc> :\
07:45 < Bushmills> openvpn client can connect to server through proxy. client config has a section for it..
07:45 < Bushmills> http-proxy server port
07:46 < Bushmills> with restrictive proxies, it may be necessary to use an inconspicuous port+protocol for vpn traffic, such as tcp/443
07:46 < thedoc> Bushmills, Yeah, I'm dealing with some restrictive proxies at the moment. What I've done is to push it out as tcp/80.
07:47 < thedoc> Although we all know why tcp/80 isn't recommended for WAN connectivity
07:47 < Bushmills> just means that openvpn server shouldn't run a web server on port 80
07:48 < thedoc> Bushmills, Which I don't.
07:48 < thedoc> No reason why openvpn should run a web service all on the same box
07:49 < thedoc> One sec. Trying something
07:49 < Bushmills> and what's your problem with connecting to openvpn on tcp/80 through the proxy, then?
07:49 < thedoc> brb
07:49 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
07:49 < Robuster> is it required to setup bridge?
07:50 < Bushmills> Robuster, what traffic do you want to run over openvpn?
07:50 < Robuster> you mean what kind of protocol?
07:50 < Robuster> only me is gonna use it
07:51 < Bushmills> will you need to rely on, say, broadcasts from/to the remote?
07:51 < muh2000> openvpn + amd geode 500mhz net transfer benchmark: http://nopaste.org/p/amqbLkuDF
07:52 < Robuster> no i dont think so
07:52 < Bushmills> then bridging is discouraged
07:53 < Robuster> last time i tried to setup openvpn i followed some guide with server-bridge, and i had to call my datacenter and tell them to reinstall my box
07:53 < Bushmills> that's one of the reasons why it is discouraged
07:56 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
07:57 < muh2000> same setup without openvpn: http://nopaste.org/p/aIqfZCOJi
08:02 < Robuster> unable to write 'random state'
08:02 < Robuster> writing new private key to 'ca.key'
08:02 < Robuster> whats this 'random state' ?
08:03 < Robuster> i keep getting this
08:08 < ecrist> sup bitches?
08:09 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
08:10 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
08:20 -!- gypsymauro [n=coloriom@84.18.151.77] has joined ##openvpn
08:20 < gypsymauro> hi
08:20 < gypsymauro> I want to play with openvpn to understand the mechanism, what's the best way to do that? using virtualbox? or there are some online services for free?
08:22 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 113 (No route to host)]
08:24 < Bushmills> gypsymauro, you take two computers, install openvpn on both. configure one as server, and as client.
08:26 < Bushmills> (the other as client)
08:30 < brah> But then you couldn't test host-to-site, site-to-site, bridges, iroutes, etc.
08:30 < brah> Yes, make a ton of VMs
08:30 < brah> 4 should be enough
08:39 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
08:40 < gypsymauro> :)
08:40 < gypsymauro> and to test a lan to lan?
09:11 < ecrist> gypsymauro: find two computers on different lans
09:11 < ecrist> set up a test environment
09:20 -!- brad_ [n=quassel@12.48.121.170] has joined ##openvpn
09:27 -!- Darkclaw66 [n=portness@lan.akprofessionalconsulting.com] has joined ##openvpn
09:41 -!- mrme [n=Administ@ns303573.ovh.net] has joined ##openvpn
09:41 < mrme> hi all
09:42 -!- jeiworth [n=jeiworth@189.177.38.156] has joined ##openvpn
09:44 -!- oktoba [n=zezeze@p50989776.dip0.t-ipconnect.de] has joined ##openvpn
09:44 < mrme> hi all
09:44 < mrme> is there p2p vpn?
09:44 < mrme> that uses openvpn?
09:45 < oktoba> hello , i installed on gentoo openvpn 2.0.9. the emerge tells me at end its better to do a tun0 using net.tun0 script. and that i cant use "server" in config then. i commented "server" in my config. but now openvpn dont start. i get = Options error: Parameter ca_file can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified. Any Ideas how to solve this ?
09:46 < oktoba> before with "server IP NETMASK" in config it started well
09:47 < Darkclaw66> where do I set inactivity, is that in the server or client config?
09:49 < oktoba> as i remember u can set on both
09:49 -!- mrme [n=Administ@ns303573.ovh.net] has quit ["Leaving"]
09:54 < ecrist> Darkclaw66: both
09:56 < ecrist> oktoba: I would ignore those instructions and do things the OpenVPN way
09:56 -!- jeiworth [n=jeiworth@189.177.38.156] has quit ["No Ping reply in 90 seconds."]
09:57 -!- jeiworth [n=jeiworth@189.177.38.156] has joined ##openvpn
09:57 < Darkclaw66> ecrist why does it have to be both
09:59 < ecrist> !man
09:59 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
10:00 < Darkclaw66> that wasn't an answer as to why it needs to be in both though
10:14 -!- ebil|work [n=andy@wsip-98-191-211-137.dc.dc.cox.net] has joined ##openvpn
10:22 < oktoba> ecrist, how should this work, openvpn dont start with this failure
10:25 < Robuster> can anyone help me with some troubleshooting?
10:26 < Robuster> http://sec.pastebin.com/d53dccb1a
10:31 < ecrist> Robuster: first, update to rc19
10:32 < Robuster> i took this from apitude
10:32 < Robuster> aptitude*
10:32 < ecrist> also, your error is covered in detail with a quick google search.
10:32 < ecrist> http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/
10:33 < vpnHelper> Title: Openvpn MULTI: bad source address from client solution | Into.the.Void. (at www.void.gr)
10:33 < ecrist> it doesn't matter where you got it. you're using an out of date release candidate.
10:41 < Robuster> ok i did what it said on this site ecrist, and i still get these error messages
10:42 < Robuster> http://sec.pastebin.com/d64f4bd26
10:42 < Robuster> this is how my config looks
10:52 < Robuster> can anyone help me?
10:53 < Darkclaw66> ecrist why do certain commands need to be in the server and client config?
10:54 < Darkclaw66> that would give a lot of power to the client
10:54 < Darkclaw66> if the server says it will disconnect in n time, why should the client have power to disable that?
10:57 < Darkclaw66> the manual doesn't specify whether the options need to be placed in one or both files
10:57 -!- gypsymauro [n=coloriom@84.18.151.77] has left ##openvpn []
11:00 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn
11:00 < DeathWolf> hello all, is it possible to set specific metrics when connecting for the routes that get added?
11:01 < Darkclaw66> I can't find any documentation that answers my question
11:01 < |Mike|> Robuster: you might want to generate your own certs :P
11:01 < DeathWolf> (I have two vpns, and I want both to be possibly used as gateways, but the first should be used by default)
11:01 < |Mike|> Robuster: could you set your "verb" to 6 ?
11:01 < |Mike|> !logs
11:01 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:02 < |Mike|> and what's the exact issue..
11:02 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:03 < Robuster> |Mike| i did that
11:03 < Robuster> Wed Jul 29 14:25:50 2009 /sbin/route add -net 192.168.1.2 netmask 255.255.255.0 gw 10.8.0.2
11:03 < Robuster> route: netmask doesn't match route address
11:04 < Robuster> in route:
11:04 < Robuster> 77.90.10.0 * 255.255.255.0 U 0 0 0 eth0
11:05 < |Mike|> !linnat
11:05 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:06 < ecrist> Darkclaw66: clients initiate connections to the server, not the other way around.
11:06 < ecrist> for a timeout, the client needs to be aware of how long to wait before restarting a connection which may have gone stale.
11:07 < ecrist> the server needs to know so that it can drop a dead connection, and send pings to the client to help maintain the keepalive.
11:07 < ecrist> with stateful firewalls, there needs to be some level of traffic to maintain state before the state goes stale and is removed from the dynamic ruleset.
11:08 < ecrist> Darkclaw66: while I don't usually subscribe to such comments, your question stems from your own ignorance.
11:08 -!- oktoba [n=zezeze@p50989776.dip0.t-ipconnect.de] has quit []
11:21 < Darkclaw66> uh huh, how so?
11:22 < Darkclaw66> that's a specific design implementation, nothing to do with my ignorance
11:22 < Darkclaw66> "said ignorance
11:23 -!- brad_ [n=quassel@12.48.121.170] has quit [Remote closed the connection]
11:23 < Darkclaw66> maybe you misread my question
11:24 < Darkclaw66> my question is related to inactivity, with that option, it will *not* initiate a restart
11:25 < Darkclaw66> ecrist: while I don't usually subscribe to irrelevant answers, your answer stems from your own braggart.
11:30 < ecrist> regardless, if the client wants to stay connected, any inactivity disconnect you may introduce will be null once the client reconnects
11:30 < ecrist> there is nothing you can do about that
11:34 < Darkclaw66> you didn't even laugh at my last comment? it was supposed to be funny
11:34 < Darkclaw66> oh well
11:36 < ecrist> my ego gets in the way of humor.
11:37 < thedoc> ecrist, Have you fixed your nfs share? :)
11:39 < Darkclaw66> :(
11:46 < Douglas> hello thedoc
11:46 < thedoc> hey doug
11:47 < Douglas> hii
11:49 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
11:58 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
12:02 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
12:02 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
12:02 -!- [1]anwoke is now known as anwoke
12:03 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has joined ##openvpn
12:05 < mark___> hi.. i've got an openvpn client on 10.20.30.5 that can route into the VPN fine.. i've added a static route on my router (10.20.30.1) to point all traffic going to the vpn range (10.1.13.0) to the vpn client box
12:05 < mark___> but it doesn't route the traffic
12:05 < mark___> i've enabled ip forwarding
12:05 < mark___> do i need to set any iptables rules?
12:06 < mark___> my router is routing the traffic to the server the client is on fine: Tracing route to 10.1.13.10 over a maximum of 30 hops
12:06 < mark___> 1 1 ms 1 ms 1 ms 10.20.30.1 2 1 ms 1 ms 1 ms 10.20.30.5
12:06 < mark___> 1 1 ms 1 ms 1 ms 10.20.30.1
12:06 < mark___> 2 1 ms 1 ms 1 ms 10.20.30.5
12:06 < mark___> 3 * * * Request timed out.
12:06 < mark___> even
12:09 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
12:10 < thedoc> Ohh god!
12:10 < thedoc> Paste bin it please.
12:10 < ecrist> mark___: you'll need to allow that traffic on any intermediary firewalls
12:10 < mark___> pastebin 3 lines?
12:10 < mark___> sorry
12:10 < ecrist> and, are you *sure* you have ip_forwarding on?
12:10 < mark___> # cat /proc/sys/net/ipv4/ip_forward
12:10 < mark___> 1
12:11 < Douglas> ecrist++
12:11 < krzee> 3? i counted 5
12:11 < thedoc> mark___, Do you have any iptables rules which are dropping traffic?
12:11 < thedoc> krzee, :)
12:11 < krzee> sup doc
12:11 < mark___> iptables has no rules
12:11 < thedoc> mark___, How about your NAT rules?
12:11 < thedoc> iptables -L -t nat
12:11 * thedoc suspects nat.
12:11 < mark___> MASQUERADE all -- anywhere anywhere
12:12 < mark___> i'm confused :o
12:13 < thedoc> Hm.
12:13 < mark___> its just a default debian install
12:13 < mark___> i added that rule trying to get it to work
12:13 < ecrist> !iptables
12:13 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
12:13 < mark___> so what i've done should work/
12:13 < mark___> ?*
12:14 < mark___> in theory
12:14 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has left ##openvpn []
--- Log closed Wed Jul 29 12:14:55 2009
--- Log opened Wed Jul 29 12:14:58 2009
12:14 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
12:14 -!- Irssi: ##openvpn: Total of 81 nicks [0 ops, 0 halfops, 0 voices, 81 normal]
12:14 -!- Irssi: Join to ##openvpn was synced in 1 secs
12:15 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
12:15 -!- teddy_ [n=teddy@208.92.235.227] has joined ##openvpn
12:15 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
12:17 < teddy_> when you install a new openvpn configuration in windows...how do you associate the new interface to the new openvpn configuration ?
12:18 < teddy_> Associate TAP-win32 Adapter to the new OpenVPN configuration file ?
12:22 < |Mike|> with the config :)
12:26 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
12:26 -!- anwoke [n=A@65.100.249.52] has quit [Connection timed out]
12:26 -!- [1]anwoke is now known as anwoke
12:26 < kc8pxy> anyone free to help me figure out my goofy mess of a vpn issue?
12:27 < ecrist> I would, if i knew your problem.
12:30 < kc8pxy> ecrist: i have a vpn which i got working. i can ping and ssh the vpn server via both its vpn ip of 10.64.64.1, and its internal ip 10.32.64.42, and i've pushed a route for 10.32.64.0
12:32 < kc8pxy> ecrist: i can TRY to ping and connect to the other 10.32.64.x boxen on the lan, but i'm not getting connections.
12:33 < kc8pxy> ecrist: i borrowed this config from a separate vpn on a separate network.. but the one i copied from works. ideas?
12:35 < ecrist> sure. do you have ip_forwarding enabled on the VPN server?
12:36 < kc8pxy> ecrist: is this good enough?
12:36 < kc8pxy> net.ipv4.conf.all.forwarding = 1
12:37 < ecrist> not sure, on my freebsd boxes it's net.inet.ip.forwarding
12:37 < kc8pxy> this is a debian box
12:38 < ecrist> output from 'sysctl -a | grep forward'
12:39 < kc8pxy> http://pastebin.com/f622e10fa
12:39 < ecrist> you forgot the | grep forward
12:41 < |Mike|> it's 1
12:42 < ecrist> if forwarding is enabled, make sure your firewall is allowing the traffic
12:48 < solvik> !redirect
12:48 < vpnHelper> solvik: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:54 < kc8pxy> ecrist: gar.. i gre'd forward of the tee.
12:55 < Douglas> ecrist: thanks for sortingi t
12:55 < Douglas> sorting it
12:55 < ecrist> Douglas: it's right in the admin control panel, on Visual Confirmation link or something, about half way down.
12:56 < Douglas> no issues, i only emailed you because i wanted to see if you thought it was too difficult
12:56 < Douglas> i would have found it
12:56 < Douglas> http://www.ovpnforum.com/viewtopic.php?f=6&t=411 for anyone who feels like helping a forum person
12:56 < vpnHelper> Title: OpenVPN Forum View topic - subnet routing (at www.ovpnforum.com)
12:56 < ecrist> I would have helped him if I could have gotten away with !route !iroute !howto
12:56 < ecrist> lol
12:57 < Douglas> hah
12:58 -!- c64zottel [n=hans@p5B17AFF8.dip0.t-ipconnect.de] has joined ##openvpn
12:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:00 < kc8pxy> ecrist: firewall is allowing. i can tcpdump -ni eth0 icmp on the receiving machine, and see ping requests,, but no replies.. it replies to lan pings though.
13:01 -!- c64zottel [n=hans@p5B17AFF8.dip0.t-ipconnect.de] has left ##openvpn []
13:01 < ecrist> so, the machine being pinged is getting the ECHO_REQUEST, but not sending a reply, or it's sending a reply and doesn't know where to route it?
13:02 < kc8pxy> ecrist: dunno.. i see no listing for a reply in the tcpdump. it's not hitting the nic, if it's replying
13:02 -!- muh2000_ [n=muh2000@unaffiliated/muh2000] has joined ##openvpn
13:02 < ecrist> try running the dump on the client machine
13:02 < ecrist> s/client/receiving/
13:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:11 < kc8pxy> we have been.. we get no reply sent .
13:13 < Robuster> hello
13:14 < Robuster> finally i was able to connect to my vpn
13:14 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 110 (Connection timed out)]
13:14 < Robuster> but for some reason it doesnt traffic anything through it
13:14 < Robuster> even though the openvpn is green
13:14 < Robuster> Wed Jul 29 20:13:08 2009 route ADD 10.8.142.0 MASK 255.255.255.0 10.8.142.5
13:14 < Robuster> Wed Jul 29 20:13:08 2009 Route addition via IPAPI succeeded
13:14 < Robuster> Wed Jul 29 20:13:08 2009 Initialization Sequence Completed
13:15 < thedoc> Robuster, Are you sure that your box is sending all traffic through the vpn?
13:15 < Robuster> http://sec.pastebin.com/d1e939d5b
13:15 < Robuster> this is my client config
13:16 < thedoc> Robuster, What's your routing table?
13:17 < Robuster> what does this mean
13:17 < thedoc> Robuster, Which platform?
13:17 < Robuster> i run the server on debian
13:17 < Robuster> but i use windows for client
13:18 < thedoc> Robuster, Do a route print in command prompt, what does your routing table look like?
13:19 < Robuster> http://sec.pastebin.com/d2b3b4ef6
13:20 < Robuster> been trying to get this vpn to work for 8 hours now :'(
13:21 -!- encino [n=encino@ppp-124-121-108-208.revip2.asianet.co.th] has joined ##openvpn
13:21 < encino> i need some help
13:21 < encino> who is free to help me
13:21 < kc8pxy> robuster what is the subnet you are trying to get routed to?
13:21 < thedoc> Robuster, Can you ping your vpn tunnel tun0 interface?
13:22 < encino> i would like to link up 5 place network to the internet is this the right channel to ask
13:23 < encino> !howto
13:23 < vpnHelper> encino: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:23 < Robuster> thedoc yes
13:23 < Robuster> the one in ifconfig right?
13:23 < thedoc> Robuster, What is the problem you're facing at the moment?
13:24 < kc8pxy> Robuster: what about the internal nic ip?
13:24 < Robuster> well it isnt tunneling my traffic
13:24 < thedoc> Robuster, Do you have a push directive on your server?
13:24 < Robuster> i will check
13:24 < thedoc> That might be the issue
13:24 < Robuster> in the openvpn config?
13:24 < kc8pxy> thedoc: i have a similar issue. but i DO have a push
13:25 < kc8pxy> Robuster: yes
13:25 < thedoc> You guys do know that to make changes to the routing table, Windows needs administrative access right?
13:25 < thedoc> So if it's under Win7/Vista, set appropriate permissions
13:25 < Robuster> yes i got admin rights
13:25 < Robuster> ;push "redirect-gateway"
13:25 < Robuster> this one thedoc?
13:25 < thedoc> Yeah
13:26 < Robuster> lets try
13:26 < thedoc> Robuster, Remove the ; in front
13:27 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
13:27 < Robuster> now browsing didn't work at all
13:28 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
13:28 -!- [1]anwoke is now known as anwoke
13:28 < kc8pxy> that's not the right one
13:29 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
13:30 < Robuster> do i need to do this iptables command?
13:31 -!- ebil|work [n=andy@wsip-98-191-211-137.dc.dc.cox.net] has quit [Read error: 60 (Operation timed out)]
13:32 < Robuster> iptables -t nat -A POSTROUTING -o eth0 -s 10.8.142.1/24 -j MASQUERADE
13:33 < thedoc> Robuster, should be 10.8.142.0/24
13:33 < thedoc> You're specifying an entire subnet
13:33 < thedoc> and make sure you have NAT enabled
13:34 < encino> thedoc
13:34 < encino> are you free to help me out
13:34 < encino> i having problem
13:35 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has quit ["leaving"]
13:35 < Robuster> how can i check if nat is enabled thedoc?
13:35 < thedoc> Sorry man, it's 3am here
13:35 < thedoc> I'm about to go to bed
13:35 < encino> dammn
13:35 < thedoc> Robuster, echo "1" > /proc/sys/net/ipv4/ip_forward
13:35 < thedoc> if it's redhat
13:35 < thedoc> If not, look for the relevant config files to echo 1 into it
13:35 < Robuster> its debian
13:35 < encino> i just need a good website to help me link up my network
13:35 < Robuster> ok
13:36 < kc8pxy> encino: what kind of network?
13:36 < encino> im using ubuntu server is this os able to link
13:36 -!- PeterFA [n=peter@c-67-183-73-27.hsd1.wa.comcast.net] has joined ##openvpn
13:36 < kc8pxy> encino: link?
13:37 < encino> kc8pxy : i wan to link server to server
13:37 < encino> is this openvpn will do it
13:37 < Robuster> thedoc still no luck, internet goes down when i connect to the vpn
13:38 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:38 < kc8pxy> encino: you have 2 places you want to link, and they have the internet between them?
13:39 < encino> ya i have 5 places to link
13:40 < encino> just wan the lan network to link
13:40 < kc8pxy> encino: ...... that is doable, but might not be fun. especially if this is your first time linking with openvpn. try linking one place to another first, and add places.
13:40 < encino> oh good
13:40 < encino> how do i start
13:40 < kc8pxy> encino: !howto
13:40 < kc8pxy> !howto
13:41 < vpnHelper> kc8pxy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:41 < Robuster> i am willing to pay anyone that can help me solve this problem its driving me nuts
13:43 -!- bandini [n=bandini@host97-104-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
13:47 < Robuster> thedoc do i need to reboot after i use the iptables command?
13:48 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
13:48 -!- [1]anwoke is now known as anwoke
13:48 -!- Ypsy is now known as YpsyZNC
13:48 < encino> kc8pxy how come so many setting
13:48 < kc8pxy> Robuster: reboot will likely flush your tables.. that might not work
13:48 < kc8pxy> encino: so many?
13:49 < Robuster> ok is there any other command i need to issue or will it take effect anyways?
13:49 < kc8pxy> encino: it's secure and highly configurable system. of course there will be many settings.
13:50 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
13:50 < encino> hmmm i dont know i will set wrong or not ?
13:50 < encino> for the main server what internet service will be good
13:50 < encino> im running on 4mbps download
13:50 < encino> 512kbps upload
13:51 < kc8pxy> encino: i think you are not telling us enough to make a recommendation.
13:51 < encino> oh sorry
13:51 < encino> i mean if my main office i setup one openvpn server
13:52 < encino> what is the best internet speed to run the lan work perfectly
13:55 -!- ^scott^ [n=scott@stthom.org] has quit [Read error: 104 (Connection reset by peer)]
13:58 < Robuster> please someone help me :|
13:58 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
13:58 < encino> robuster i cant help you
13:59 < encino> im still new on openvpn and linux stuff
13:59 < encino> i also wan to linkup all my office
13:59 < kc8pxy> encino: almost any speed should be fine,
13:59 < encino> but dont know which way is the best
13:59 < kc8pxy> encino: and keep it in-channel
13:59 < encino> oh sorry
13:59 < encino> ok i will write in here
13:59 < encino> if i use ubuntu server os
14:00 < encino> is it simple to setup my vpn
14:00 < Robuster> thx alot everybody i got it working now ::D:D:D:D:D
14:00 < kc8pxy> encino: you should be good, it has easy-rsa. it should be as simple as you can make it
14:01 < kc8pxy> Robuster: what was the silver bullet?
14:01 < Robuster> well not sure really, i just did the iptables and echo'd 1 to the ip_forward list once again and restarted and now its working
14:01 < encino> kc8pxy so where is the start place
14:02 < encino> setup one ubuntu server in my office and fix the internet line in it
14:03 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
14:04 < Robuster> btw is there any bandwidth limit enabled by default?
14:04 < Robuster> my server is 100mbit connection and i barely get 2mbit/s when i use the vpn
14:06 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
14:08 -!- rawDawg [n=rawDawg@99.57.58.238] has joined ##openvpn
14:17 < reiffert> http://www.osnews.com/story/19731/The-25-Year-Old-UNIX-Bug
14:17 < vpnHelper> Title: The 25 Year Old BSD Bug (at www.osnews.com)
14:18 < Robuster> !bandwidth
14:18 < vpnHelper> Robuster: Error: "bandwidth" is not a valid command.
14:19 < reiffert> !factioids search shape
14:19 < vpnHelper> reiffert: Error: "factioids" is not a valid command.
14:19 < reiffert> !factoids search shape
14:19 < vpnHelper> reiffert: No keys matched that query.
14:20 < reiffert> Robuster: see shape in !man
14:20 < reiffert> --shaper that is
14:21 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has left ##openvpn []
14:23 -!- jeiworth [n=jeiworth@189.177.38.156] has quit [Read error: 110 (Connection timed out)]
14:24 < ecrist> freebsd-update fetch && freebsd-update install
14:29 -!- muh2000_ is now known as muh2000
14:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:31 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has joined ##openvpn
14:32 < mark___> anyone know why i could be able to ping all servers in the vpn but not access them with any other protocol?
14:36 < Robuster> reiffert yes is that on by default?
14:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
14:43 -!- fixUp [n=fixUp@host86-142-42-79.range86-142.btcentralplus.com] has joined ##openvpn
14:44 < fixUp> Has anyone had any experience of using Samba + OpenVPN together to provide a secure means of providing storage between two international locations ?
14:45 < ecrist> mark___: your firewall
14:45 < ecrist> fixUp: yes
14:45 < ecrist> I use OpenVPN to secure Samba, AFP, and many other things.
14:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:47 < mark___> i'm working on a windows xp box with no firewall and the VPN server + the server i'm trying to connect to have a blank ruleset in iptables
14:56 < reiffert> sentence does not parse, try again please.
14:56 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
14:57 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
15:00 -!- fixUp [n=fixUp@host86-142-42-79.range86-142.btcentralplus.com] has quit ["Lost terminal"]
15:18 -!- rawDawg [n=rawDawg@99.57.58.238] has quit [Read error: 104 (Connection reset by peer)]
15:29 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.12/2009070611]"]
15:34 < Bushmills> reiffert, s/have/has/, and it parses
15:39 < reiffert> ah!
16:02 -!- bandini [n=bandini@host97-104-dynamic.45-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:15 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
16:24 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
16:30 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:54 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
16:55 < RadarG> !topology
16:55 < vpnHelper> RadarG: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
17:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:05 -!- jeiworth [n=jeiworth@189.163.176.22] has joined ##openvpn
17:31 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
17:31 < hardwire> is there a config include function?
17:31 < hardwire> so include as config from a config
17:32 < hardwire> is it just "config" ?
17:37 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn
17:48 < solvik> has anyone written a script for authentication without using ldap or pam ?
17:48 < solvik> with mysql for example
17:55 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
18:01 -!- mark___ [i=mark@94-168-244-59.cable.ubr10.shef.blueyonder.co.uk] has quit [Read error: 104 (Connection reset by peer)]
18:01 -!- fdas [n=fdas@ool-43562735.dyn.optonline.net] has joined ##openvpn
18:02 < fdas> !howto
18:02 < vpnHelper> fdas: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:03 < fdas> !configs
18:03 < vpnHelper> fdas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:09 < fdas> I am looking for some assistance in fixing an openvpn error. I have auth-user-pass in config. openvpn works fine for a few mins and exits during TLS renegotiation with message ERROR: could not read Auth username from stdin
18:09 < fdas> Any ideas?
18:11 < fdas> anyone? i have searched on google but couldn't find any fix
18:12 -!- p2hicy [n=p2hicy@unaffiliated/p2hicy] has quit []
18:12 < fdas> !iporder
18:12 < vpnHelper> fdas: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:12 -!- fred [n=fred@slamd64/fred] has left ##openvpn []
18:24 -!- brizly1 [n=brizly_v@p4FC9A58D.dip0.t-ipconnect.de] has joined ##openvpn
18:24 -!- brizly [n=brizly_v@p4FC9A584.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
18:32 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit ["Leaving"]
18:34 -!- fdas [n=fdas@ool-43562735.dyn.optonline.net] has quit []
18:35 -!- fdas [n=fdas@ool-43562735.dyn.optonline.net] has joined ##openvpn
18:55 -!- fdas [n=fdas@ool-43562735.dyn.optonline.net] has quit []
19:05 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
19:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:33 < RadarG> does anyone know what this means
19:35 < RadarG> ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct. [if_index=18]
19:36 < RadarG> Route addition via IPAPI failed
19:36 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit []
19:39 < Douglas> yes RadarG
19:39 < Douglas> google
19:39 < Douglas> !factoids search windows
19:39 < vpnHelper> Douglas: No keys matched that query.
19:39 < Douglas> !factoids help
19:39 < vpnHelper> Douglas: Error: The "Factoids" plugin is loaded, but there is no command named "help" in it. Try "list Factoids" to see the commands in the "Factoids" plugin.
19:39 < Douglas> !list factiods
19:39 < vpnHelper> Douglas: Error: 'factiods' is not a valid plugin.
19:39 < Douglas> !list Factoids
19:39 < vpnHelper> Douglas: change, forget, info, learn, lock, random, search, unlock, and whatis
19:40 < Douglas> sigh
19:40 < Douglas> krzie: help
19:41 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
19:46 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
20:09 < RadarG> this thing is ticking me off
20:11 -!- zheng_ [n=zheng@210.73.203.83] has joined ##openvpn
20:12 -!- zheng_ [n=zheng@210.73.203.83] has quit [Read error: 54 (Connection reset by peer)]
20:16 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:19 -!- vaq [n=c99@vaq/unaffiliated] has quit []
20:28 -!- encino [n=encino@ppp-124-121-108-208.revip2.asianet.co.th] has quit []
20:46 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
20:51 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D3A02.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:11 -!- master_of_master [i=master_o@p549D3A39.dip.t-dialin.net] has joined ##openvpn
21:49 < RadarG> on the windows adapter that is used for openvpn, is it supposed to have a gateway listed?
21:51 < RadarG> I mean the tap32 adapter
21:59 < ecrist> depends
21:59 < ecrist> if you push a gateway on the server, otherwise no
22:04 < ecrist>
22:06 < thedoc> sigh, why do people think that anyone can run high speed proxies/vpns for no cost.
22:06 < thedoc> Bandwidth actually does cost money.
22:06 < ecrist> no it doesn't.
22:06 < ecrist> I have 50Mb/10Mb for about $75/mo
22:07 < ecrist> it's cheap. ;)
22:07 < thedoc> ecrist, Not consumer DSL :P
22:07 < thedoc> Subscribed lines from thenoc.
22:08 < thedoc> ecrist, I don't think a multihomed NOC will charge you 75/mth for a 50mbit pipe :P
22:08 < ecrist> thedoc: comcast cable at 50/10
22:11 < ecrist> thedoc: did you see the pics dir on /down (you know the site) has a daily update zip now?
22:12 < thedoc> ecrist, That's cable for consumers, not NOC links where you house servers on ;p
22:12 < thedoc> ecrist, I lost that link when I swapped machines :| Could you furnish me the login/pass and link again pl0x? :)
22:13 < ecrist> thedoc: that's with static IPs
22:13 < ecrist> secure-computing.net serves on that.
22:13 < ecrist> more reliable than the 'real' NOC I have access to.
22:13 < ecrist> sure, here comes a PM
22:14 -!- zheng [n=zheng@210.73.203.83] has quit ["Leaving"]
22:14 < thedoc> ecrist, Oh nice. Pity that most places don't have such kind of up/down + static ip
22:14 < ecrist> thedoc: Comcast has their DOCSIS 3 test in Minneapolis
22:14 < ecrist> :P
22:14 < thedoc> >_>
22:15 < thedoc> ecrist, I'm getting ticked off by some of my vpn customers. perpetually bitching about the pricing
22:15 < thedoc> >_<
22:15 < ecrist> heh
22:15 < ecrist> pay me to host a pseudo DC for you
22:15 < ecrist> cost + 15% you provide the servers
22:16 < ecrist> cost = cable modem + actual metered power
22:16 < ecrist> I have rack space
22:16 < ecrist> ask any regulars here about my reliability.
22:16 < thedoc> ecrist, Multihomed?
22:17 < ecrist> nope, haven't needed to be
22:17 < ecrist> multi-homed is EXPENSIVE
22:18 < thedoc> That has almost always been a requirement :P
22:18 < thedoc> ecrist, Any chance you can handle the reverse to forward dns zone mappings?
22:19 < ecrist> I can
22:20 < ecrist> well, check the secure-computing.net DNS, forward and reverse match
22:20 < thedoc> ecrist, Please don't tell me this is hosted out of your room :P
22:21 < ecrist> comcast does reverse as IPv4 doesn't do nibbles.
22:21 < ecrist> thedoc: in my basement.
22:21 < ecrist> I do forward.
22:21 < ecrist> I support IPv6, forward and reverse locally
22:21 < thedoc> ahh
22:22 < ecrist> thedoc: talk to krzee or Douglas/Dougy about my reliability
22:22 < ecrist> they both host servers with me.
22:22 < ecrist> ovpnforum.com and krzee's personal server are hosted here.
22:23 < Darkclaw66> how can I enable a password on openvpn client so that it doesn't automatically connect?
22:23 < thedoc> ecrist, Awesome. Let me consider that option
22:23 < thedoc> Might be worthwhile.
22:23 < ecrist> password protect your SSL certificates.
22:24 < Darkclaw66> I should have done that... can I modify the existing certs or do I have to create new ones?
22:24 < ecrist> and, if more reliability is needed, I have access to a 'real' datacenter
22:24 < ecrist> you need to create new ones.
22:24 < thedoc> ecrist, I need a lot of b/w, cheap :|
22:24 < thedoc> If you have an option for that, I would look into that seriously <3
22:24 < ecrist> the CSR key is what contains the password.
22:25 < ecrist> thedoc: what's 'a lot'?
22:25 < Darkclaw66> I see, well, back to the hammer and nail
22:25 < thedoc> ecrist, I currently push about 25mbit, we're looking at another 25mbit++
22:27 < Darkclaw66> ecrist do I use build-key?
22:27 < ecrist> Darkclaw66: sorry, I don't support easy-rsa, others here might.
22:27 < Darkclaw66> you use ssl-admin?
22:27 < ecrist> thedoc: I can't support 25mbit+ at this time.
22:28 < ecrist> Darkclaw66: I wrote ssl-admin
22:28 < ecrist> thedoc: if you're looking for another DC, I can setup and maintain one here in Minneapolis for you, though.
22:28 < ecrist> *securely*
22:29 < Darkclaw66> weird, I used the change password feature in openvpn client and it seems to work. it asks for a password to connect
22:29 < Darkclaw66> is this a local authentication ?
22:29 < thedoc> ecrist, Could I have a word with you in private?
22:29 -!- lilalinu- [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn
22:29 < ecrist> thedoc: you've earned the priv to PM me any time.
22:30 < ecrist> /ignore works if you abuse it. ;)
22:30 < thedoc> ecrist, Thanks mate.
22:30 < ecrist> Darkclaw66: yes, it is.
22:30 < ecrist> it's an SSL-based authentication to 'unlock' the certificate key
22:30 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has quit [Read error: 104 (Connection reset by peer)]
22:31 < Darkclaw66> but I didnt change the password on the server
22:33 < Darkclaw66> so basically it modified the CSR key on the client and now it requires a password but the server doesn't know anything about it?
22:34 < ecrist> Darkclaw66: the password exists within the certificate key
22:34 < ecrist> not anything to do with the server
22:34 < ecrist> there are plugins to incorporate user/pass authentication on the server side
22:34 < Darkclaw66> oh I see, so even if I set a password while I was building the cert on the server, the server wouldn't keep that information?
22:35 < Darkclaw66> unless I used a plugin?
22:38 < RadarG> in my conf file on my server I have the following statement "ifconfig 10.194.168.1 10.194.168.2" does that mean that the server's ip is 10.194.168.1?
22:40 < Darkclaw66> yes
22:41 < RadarG> is that also the gateway too
22:43 < ecrist> Darkclaw66: yes
22:43 < ecrist> using PAM or LDAP, or something.
22:44 < ecrist> RadarG: ignoring the freebsd stuff, read this:
22:44 < ecrist> !freebsd
22:44 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
22:44 < Darkclaw66> RadarG I am using freebsd
22:45 < Darkclaw66> .2 is the gateway
22:46 < Darkclaw66> .1 is the server
22:49 < RadarG> I'm just having trouble getting connectivity I have the link up but I cant ping nothing
22:50 < Darkclaw66> do you have pf enabled?
22:50 < Darkclaw66> or any other packet filtering device?
22:52 < RadarG> pf packet filter? I saying no
22:53 < RadarG> now when I do a ifconfig I see tun0 ip 10.251.62.1 with a ptp:10.251.62.2
22:54 < RadarG> now 62.2 is the ipaddress that the windows vista
22:54 < Darkclaw66> are you doing tun or tap
22:54 < RadarG> tun
22:55 < Darkclaw66> ifconfig on the server ?
22:55 < RadarG> I have a 192.168.2.1 here that I'm trying to get it to talk to 192.168.1.1 back in the states
22:56 < RadarG> the ifconfig is from the server I see that I tx 18 packets
22:56 -!- onats [n=15172@unaffiliated/onats] has joined ##openvpn
22:57 < RadarG> should be able to ping the remote(states) from the server?
23:00 < Darkclaw66> you should be able to ping the client to the server but not other way around
23:00 < ecrist> RadarG: have you given us !configs and !logs?
23:01 < RadarG> 1sec
23:04 * ecrist goes to bed.
23:07 -!- Robuster [n=hype@server77-68-53-8.live-servers.net] has quit []
23:07 < RadarG> man ecrist I was going to send you my logs
23:08 < Darkclaw66> i can try to help
23:08 < ecrist> I'll be online tomorrow, RadarG
23:08 < RadarG> aound this time
23:08 < RadarG> around
23:09 < ecrist> no, it's 23:09 now.
Tryin 10 hours
23:13 -!- onats1 [n=15172@221.121.120.254] has quit [Connection timed out]
23:19 < RadarG> I'll pm you the logs I'll be asleep then
23:19 < RadarG> i sent you a copy of the logs Darkclaw66
23:19 < Darkclaw66> i got it
23:20 < Darkclaw66> the logs aren't actually valuable to me, the confs would be better
23:21 < Darkclaw66> umm where's your server statement in the conf?
23:21 < Darkclaw66> that's a crucial part of the server config
23:23 < RadarG> check the other pastebin I sent you
23:24 < Darkclaw66> which one are you using?
23:24 < ecrist> RadarG: FYI, don't expect help in here if you start PMing people stuff
23:25 < Darkclaw66> I didn't want to say anything but yeah please don't :)
23:27 < RadarG> aren't you guys worried about who you're giving logs out to?
23:27 < ecrist> no
23:28 < RadarG> http://pastebin.com/d59c7cca8 client config
23:28 * ecrist updates entry message
23:29 < RadarG> http://pastebin.com/d18aedf7 server config #2 due to server setup
23:30 < RadarG> http://pastebin.com/d608ccd09 server config
23:30 < RadarG> http://pastebin.com/d67629c5e server logs
23:30 < RadarG> http://pastebin.com/d73f8ec51 client logs
23:31 < ecrist> Welcome to ##openvpn. We do not permit pasting ANY lines to the channel; use http://pastebin.com or something similar. If you're not willing to post your logs and config to the channel, we're not willing to help you. READ THIS MESSAGE!
23:31 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has left ##openvpn []
--- Log closed Wed Jul 29 23:31:24 2009
--- Log opened Wed Jul 29 23:31:27 2009
23:31 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
23:31 -!- Irssi: ##openvpn: Total of 71 nicks [0 ops, 0 halfops, 0 voices, 71 normal]
23:31 -!- Irssi: Join to ##openvpn was synced in 0 secs
23:33 < RadarG> server is in asia behind it is three lans 0.1,2.1,3.1 stateside has 192.168.1.1 I'm trying to redirect traffic from 2.1 to 1.1 I have now 5 xboxs that need a stateside link to get downloaded content
23:34 < ecrist> krzie: I'm going to work on moving the channel to #openvpn again.
23:35 < RadarG> I have the link created and it shows as running I just need to get traffic to flow
23:36 < Darkclaw66> why?
23:36 < RadarG> why what
23:36 < Darkclaw66> why does ecrist want to move the channel
23:37 < ecrist> Darkclaw66: I originally had it moved to ##openvpn. It's an 'un-official' channel now. Working with the developers to make it an 'official' channel (hence the ##).
23:37 < Darkclaw66> im completely oblivious, I originated from efnet :)
23:37 < RadarG> I have an xbox hooked up on 2.1
23:38 < ecrist> ## == unofficial and # == official
23:39 < RadarG> any ideas Darkclaw66
23:41 < Darkclaw66> your implementation is a little bit more entailed than mine but it shouldnt make a difference
23:42 < Darkclaw66> I also think that having two configs is problematic, stick with one and work on that
23:42 < RadarG> what for server
23:43 < Darkclaw66> start with the most basic configuration and then start building it up
23:43 < ecrist> RadarG: have you posted your configs and logs?
23:44 < Darkclaw66> I think you will have an easier time keeping the setup simple so you can get it working and then start adding the features you want
23:44 < RadarG> yes please check pastebins above
23:47 -!- ecrist_mac [n=ecrist@173.8.118.221] has joined ##openvpn
23:48 < RadarG> ecrist do you want me to post the pastebins again
23:48 < ecrist> no
23:54 < RadarG> i just need to verify that the vpn is good I can setup the iptables and ipchains
23:55 < RadarG> Darkclaw66 I thought this was a basic config
23:58 -!- mode/##openvpn [+o ecrist_mac] by ChanServ
23:58 -!- mode/##openvpn [-o ecrist_mac] by ecrist_mac
23:58 < thedoc> o/
23:58 < thedoc> Make it official! kgo!
23:59 < ecrist_mac> who is kgo?
23:59 < thedoc> ok, go do it :P
23:59 * thedoc stifles a chuckle
--- Day changed Thu Jul 30 2009
00:00 < RadarG> so how can I fix this?
00:00 < thedoc> RadarG, What seems to be the issue?
00:01 < RadarG> my vpn will connect but I cant ping nothing
00:01 < thedoc> RadarG, iptables -L -t nat
00:01 < thedoc> Paste bin that
00:01 < ecrist_mac> !iptables
00:01 < vpnHelper> ecrist_mac: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
00:01 -!- mlw4428 [n=matthew@pool-71-127-100-148.aubnin.fios.verizon.net] has joined ##openvpn
00:01 -!- mlw4428 [n=matthew@pool-71-127-100-148.aubnin.fios.verizon.net] has left ##openvpn ["Leaving"]
00:05 -!- HellDragon [i=jd@Wikipedia/HellDragon] has joined ##openvpn
00:05 < RadarG> the install for zerina should have fixed iptables.
00:05 < thedoc> RadarG, Pastebin your iptables -L and iptables -L -t nat 00:13 < RadarG> http://pastebin.com/d1b732c2d 00:17 < ecrist> fucking freenode staff members 00:22 < thedoc> ecrist, They're not going to make it official? 00:22 < RadarG> is my client config good 00:23 < thedoc> RadarG, Looks ok. 00:23 < ecrist> thedoc: working on it. 00:23 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 00:23 < thedoc> Do you have a DNS server configured? 00:23 < ecrist> we 'were' official, aside from regular ass-clowns 00:23 < ecrist> we've since stopped that 00:23 < RadarG> for the vpn? 00:23 < ecrist> now working on becoming 'official' again. 00:23 < thedoc> Yes RadarG 00:24 < thedoc> ecrist, ahh, ok 00:24 < ecrist> RadarG: 'the install for ' doesn't suffice 00:24 < RadarG> on the adapter setting on the vista box I'm not seeing one 00:24 < ecrist> if you can't produce rulesets and/or clear them, we can't help you. 00:25 < daemoen> hey guys, ive got openvpn running in bridge mode, i get my ip address just fine, i can reach the bridge interface, i can reach the actual gateway for the bridge interface (across the vpn), but I *cannot* reach any of the other routes. I have added the push "reoute a.b.c.d ne.tm.as.k" info across, i see them in the routing table. 00:25 < RadarG> the rulesets should be fine, 00:25 < daemoen> but i cant ping anything at all in any subnet other than the actual subnet the bridge is a member of 00:26 < RadarG> what dns do I need to setup for the vpn? 00:26 < ecrist> RadarG: we don't trust 'the rulesets should be fine' sorry 00:26 < thedoc> RadarG, There is an option in the server.conf to specify the dns servers which you use. 00:27 < daemoen> I would originally blame the switch or something, but since I can reach 1 gateway but not the rest, not sure where to begin 00:27 < thedoc> In fact, can you even resolve domains on your server? 00:27 < RadarG> those are mine do they need to be there 00:27 < ecrist> daemoen: ip_forward: 1? 
00:27 < RadarG> my isps here in asia 00:27 < daemoen> ecrist: hrm? 00:27 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 00:27 < thedoc> RadarG, I don't care where your isp is. Do you have admin access to the vpn server? 00:27 < RadarG> are they needed? 00:27 < RadarG> yes 00:28 < thedoc> Can you resolve dns queries? 00:28 < RadarG> do I need to change it? 00:28 < RadarG> ye 00:28 < RadarG> yes 00:28 < thedoc> Do you have 1 for ip_forward? 00:28 < ecrist_mac> holy shit, adium is nice. 00:29 < ecrist_mac> I might stop using irssi on a regular basis and log in from here. 00:29 < daemoen> dont see that option anywhere 00:29 < RadarG> the server fwd the request to my isp dns server 00:29 < daemoen> dont recall seeing that option in the howto either 00:30 < ecrist_mac> thedoc: I already asked that, no fair. 00:30 < thedoc> ecrist, adium has some nice themes 00:30 < thedoc> You should check that out. 00:30 < thedoc> ecrist, lmao, I was talking to RadarG 00:30 < thedoc> :P 00:30 < RadarG> my dns skills are low 00:30 < thedoc> It's fair enough! >:) 00:30 < ecrist> thedoc: Adium is what I'm using. 00:30 < thedoc> RadarG, Do you have ip_forward set to 1? 00:30 < thedoc> ecrist, adium for msn/xchat for irc 00:30 < thedoc> <3 00:30 < RadarG> how do I check? 00:31 < ecrist> thedoc: Adium for IRC, too, now 00:31 < thedoc> RadarG, echo "1" > /proc/sys/net/ipv4/ip_forward 00:31 < ecrist> I've been using Xchat longer than most. 00:31 < thedoc> ecrist, Is it any good for IRC? 00:31 < ecrist> IRC support is new in 1.4, which is still beta 00:31 < daemoen> that would do it, thanks guys 00:31 < ecrist> IRC support seems to be good. 00:31 < ecrist> daemoen: np 00:31 < thedoc> Hm 00:31 < RadarG> done 00:32 < RadarG> was it supposed to display something 00:32 < thedoc> RadarG, Does it work yet? 00:32 < thedoc> No. 00:32 < thedoc> Hm, I might be asked to fly down to the Philippines again 00:32 < thedoc> \o/ 00:33 < RadarG> does what work yet? 
00:33 < thedoc> RadarG, Reconnect to your vpn and try again 00:33 < thedoc> See if that gets you anywhere. 00:33 < thedoc> Alternatively, you can try connecting to your vpn, see where it fails if you do a traceroute to google.com 00:33 < RadarG> 1sec 00:34 < daemoen> one thing you guys should add to that, is that it will not persist through reboot if you only do the echo 1 > blah blah 00:34 < daemoen> you also have to set it in your systems sysctl :) 00:34 < thedoc> daemoen, That's right 00:34 < ecrist> daemoen: FreeBSD? 00:35 < daemoen> ecrist: nah, RHEL and derivatives :) 00:35 < ecrist> !freebsd 00:35 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 00:35 < ecrist> oh 00:35 < ecrist> ~linux < FreeBSD 00:35 < daemoen> and they wont keep the setting unless you update /etc/sysctl.conf 00:35 < daemoen> meh, i never did get into the whole bsd side 00:35 < thedoc> daemoen, It's not hard to but we should make changes to the guide. 00:35 < ecrist> if (!pussy); then FreeBSD; fi 00:36 < RadarG> ok I reconnected and the vista box is showing green 00:36 < daemoen> ecrist: invalid evaluation. 00:37 < thedoc> ecrist, Are you using tunnelblick for your openvpn on mac? 00:37 < daemoen> if ! [ $user = "pussy" ]; then 00:37 * daemoen snickers 00:37 < ecrist> thedoc: yes 00:37 < thedoc> I actually paid for viscosity. It's a nice mac app for vpn. 00:37 < thedoc> \o/ 00:37 < RadarG> ecrist whats next 00:37 < ecrist> it is, but it's for-fee, which I don't need. 00:38 < ecrist> daemoen: you're assigning all users to pussy 00:38 < ecrist> does not compute 00:38 < thedoc> ecrist, I paid for one, I'm sure some of my customers use it so safer to try it and see if there are any potential problems 00:38 < thedoc> It's 9 bucks anyway. :P 00:38 < daemoen> ecrist: i know, lol. 00:39 < daemoen> ecrist: had i done it as an actual eval, i would have used == ;) 00:39 < ecrist> thedoc: I would like to support it, but I was snubbed by their dev team. 
Fuck them. 00:39 < daemoen> iow: noone uses freebsd =D 00:39 < ecrist> I don't support it in this channel. 00:39 < thedoc> ecrist, Shoot, that sucks. 00:39 < ecrist> viscosity == banhammer. >:) 00:39 < RadarG> tracert to states failed 00:40 -!- HellDragon [i=jd@Wikipedia/HellDragon] has quit [Read error: 104 (Connection reset by peer)] 00:40 * thedoc shivers. 00:40 < thedoc> ecrist, I use viscosity :P 00:40 < ecrist> /mode +b daemoen!*@* 00:40 < ecrist> muahahaha 00:40 < ecrist> doh, extra space 00:40 < thedoc> teehee. 00:41 < thedoc> RadarG, Flush your iptables, just only have the NAT stuff in there. 00:41 < ecrist> !iptables 00:41 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 00:41 < RadarG> wouldnt I have to redo my rules 00:42 < thedoc> Yes you would. 00:42 < ecrist> daemoen: everyone who's anyone uses FreeBSD. You may notice major carriers and such use it. 00:42 < thedoc> I do not have time to walk through all your rules to see what might have broken it. 00:42 < ecrist> RadarG: ##openvpn != your_fucking_firewall_support 00:43 < daemoen> ecrist: major carriers use Windows for their users, LINUX and BSD for their servers, whats your point ? 
:p 00:43 < ecrist> re: Qwest 00:43 < ecrist> re: Comcast 00:43 < ecrist> re: AT&T 00:43 < daemoen> ecrist: yeah, and they all use all three, lol 00:43 < ecrist> re: Hotmail (until MS took over) 00:43 < daemoen> just depends on what they are doing, lol 00:44 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 00:44 < ecrist> no, daemoen they use FreeBSD almost exclusively 00:44 < thedoc> Looks like someone flushed all their rules and the nat broke :) 00:44 < thedoc> lol@radar 00:44 * daemoen doesnt want to get into the distro war :) 00:44 < daemoen> but, thanks guys, forgot about setting the ip forward my stuff is all working flawlessly now :) 00:45 -!- daemoen [n=daemoen@ct-unlimited.com] has left ##openvpn ["WeeChat 0.3.0-rc2"] 00:45 < ecrist> quick exit 00:45 < ecrist> I would win distro-war 00:45 < ecrist> especially considering my Capt Morgan - enhanced stat of mind. 00:48 < ecrist> road-rash hurts. "ow" 00:48 * ecrist has to peeeeee 00:48 < thedoc> I fail to see the relationship between road rash and peeing. 00:51 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 00:51 < RadarG> dones 00:51 < RadarG> tablesflushed 00:52 < thedoc> !nat RadarG 00:52 < vpnHelper> thedoc: Error: "nat" is not a valid command. 00:52 < thedoc> !redirect 00:52 < vpnHelper> thedoc: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
00:52 < thedoc> !nat 00:53 < vpnHelper> thedoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 00:53 < thedoc> !linnat 00:53 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 00:58 < RadarG> ok for step one I only need a few ips to go through the vpn 00:58 < thedoc> RadarG, What subnet did you assign for your vpn pool of ips? 01:00 < RadarG> 10.251.62.0 01:00 < thedoc> RadarG, Then use iptables -t nat -A POSTROUTING -s 10.251.62.0/24 -o eth0 -j MASQUERADE 01:01 -!- mode/##openvpn [+o ecrist_mac] by ChanServ 01:01 < RadarG> eth0 that will be my WAN side? eth2 is the one that the xboxes are connected to 01:02 < thedoc> eth0 is on your WAN interface. 01:02 < RadarG> yes to my modem 01:05 < RadarG> here is my ifconfig eth0 wan eth1 green eth2 xboxes eth3 wireless 01:05 < RadarG> done 01:06 -!- mode/##openvpn [-o ecrist_mac] by ecrist_mac 01:07 < RadarG> now since dns is on both sides should I push dns? 01:07 < ecrist> okay, now I'm going to bed. 
01:08 < ecrist_mac> me too 01:09 < RadarG> cant the client use its own dns 01:12 < RadarG> thedoc what next 01:13 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 01:14 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [] 01:15 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 01:16 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:16 -!- [1]anwoke is now known as anwoke 01:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:37 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:48 -!- ecrist_mac [n=ecrist@173.8.118.221] has quit ["Leaving."] 01:50 -!- c64zottel [n=hans@p5B17AB96.dip0.t-ipconnect.de] has joined ##openvpn 01:50 -!- c64zottel [n=hans@p5B17AB96.dip0.t-ipconnect.de] has left ##openvpn [] 02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 02:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 02:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 02:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 03:07 -!- lilalinu- is now known as lilalinux 03:08 -!- onats [n=15172@unaffiliated/onats] has left ##openvpn [] 03:24 -!- basti122303 [n=Mudrasch@91-64-151-104-dynip.superkabel.de] has joined ##openvpn 03:24 -!- basti122303 [n=Mudrasch@91-64-151-104-dynip.superkabel.de] has left ##openvpn [] 03:25 -!- basti122303 [n=Mudrasch@91-64-151-104-dynip.superkabel.de] has joined ##openvpn 03:27 < basti122303> hello i have a problem with the openvpn (dhcp) -> i get a false network mask for my client from the dhcp server, with a static key and a static address it was all ok 03:30 -!- basti122303 [n=Mudrasch@91-64-151-104-dynip.superkabel.de] has left ##openvpn [] 03:32 -!- kladizkov [n=fabin@61.17.17.157] has joined ##openvpn 03:33 < kladizkov> when i use 
my vpn server as gateway, i get disconnected from local internet connection and also the vpn connection.. how can i use the vpn server as gateway? 04:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 04:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 04:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer] 04:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 04:59 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:00 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"] 05:00 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 05:05 < Bushmills> !redirect 05:05 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 05:05 < Bushmills> kladizkov, ^^^^ 05:06 -!- Rakol [n=wrathacc@ppp121-45-29-15.lns10.adl2.internode.on.net] has joined ##openvpn 05:06 -!- Rakol [n=wrathacc@ppp121-45-29-15.lns10.adl2.internode.on.net] has left ##openvpn [] 05:06 < kladizkov> Bushmills: thanks.. 
let me try it out 05:07 < Bushmills> you probably add a default route to vpn server to your local routing table, but neglect to add a route to the public ip of vpn server 05:17 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 104 (Connection reset by peer)] 05:17 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 05:20 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:42 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:52 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has joined ##openvpn 06:52 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has left ##openvpn [] 07:03 -!- kladizkov_ [n=fabin@61.17.17.157] has joined ##openvpn 07:07 -!- kladizkov [n=fabin@61.17.17.157] has quit [Read error: 110 (Connection timed out)] 07:31 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 08:18 < teddy_> openvpn bridging works..its the coolest...only thing left i can find is increase performance as much as possible and use dns for openvpn clients so they can resolve names on the LAN 08:21 < teddy_> Now if I can only find a Homer Simpson waterbird that will click 'YES' at the right time. 08:39 -!- c64zottel [n=hans@p5B17AB96.dip0.t-ipconnect.de] has joined ##openvpn 08:39 -!- c64zottel [n=hans@p5B17AB96.dip0.t-ipconnect.de] has left ##openvpn [] 09:11 -!- YpsyZNC is now known as Ypsy 09:13 -!- ebil|work [n=andy@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn 09:24 -!- hackeron_ is now known as hackeron 09:27 -!- Douglas [i=Douglas@doug.rackvibe.com] has quit [Read error: 110 (Connection timed out)] 09:30 < treats> @teddy_ haha 09:31 < treats> is it a paid position? 
09:50 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn 09:56 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 09:56 -!- jeiworth [n=jeiworth@189.163.176.22] has quit [Read error: 110 (Connection timed out)] 09:57 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 10:14 -!- jeiworth [n=jeiworth@189.234.80.58] has joined ##openvpn 10:15 -!- kladizkov_ [n=fabin@61.17.17.157] has quit ["Ex-Chat"] 10:42 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:48 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:23 < ecrist> friggin web registration 11:23 < ecrist> why does Ricoh make me register (which take a 'few days' to process) to download their fucking private MIB spec? 11:35 -!- toehio [n=toehio@dyn.83-228-168-104.dsl.vtx.ch] has joined ##openvpn 11:36 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:47 -!- ebil_andy [n=andy@ip70-174-136-104.dc.dc.cox.net] has joined ##openvpn 11:50 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 11:52 -!- toehio [n=toehio@dyn.83-228-168-104.dsl.vtx.ch] has quit [Connection timed out] 11:53 -!- toehio [n=toehio@dyn.83-228-168-104.dsl.vtx.ch] has joined ##openvpn 11:53 < dazo> teddy_: "Homer Simpson" + "click YES" + "right time" ..... are those requirements really compatible? 11:54 * dazo wonders why MIB specs needs to be private .... 11:55 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 12:04 -!- ebil|work [n=andy@ip70-174-136-104.dc.dc.cox.net] has quit [Read error: 110 (Connection timed out)] 12:14 < ecrist> dazo: private as in, their manufacturer-specific OIDs 12:15 < dazo> ecrist: I still don't understand why that needs to be secret .... I mean, you mostly need that when you buy their products and want to do SNMP stuff against it .... why use SNMP to start with if you want to be exclusive and special? 
12:16 * dazo is probably too soaked into the FSF/OSS world 12:16 < ecrist> right, which is my complaint 12:16 < dazo> :) 12:17 < ecrist> i'm trying to support their printer in my nagios check. hard to do without the spec 12:18 < dazo> cool 12:18 < dazo> do you recommend nagios? 12:18 < ecrist> most definitely 12:18 * dazo needs to setup some monitoring on a site soon 12:19 < dazo> nagios looked like quite a beast to setup, at first sight 12:19 * ecrist knows the nagios developer 12:19 < ecrist> it is 12:20 * dazo don't like beasts :( 12:21 < ecrist> I liken nagios to ldap. it's a bear when you don't know what you're doing, but once you do, it's easy as pie. 12:21 < |Mike|> unf unf. 12:22 < |Mike|> nagios <3 12:22 < ecrist> ditto 12:22 < dazo> yeah, you're probably right .... I just don't have that much time available to get into it yet 12:22 * dazo probably does too much right now ... on too many places ... 12:23 < treats> ecrist, I have not dipped my feet in the waters of nagios. I see it on my horizon though, do you have a recommendation on how to get comfortable? 12:23 < |Mike|> try hot water :P 12:23 < ecrist> treats: just set it up 12:24 < ecrist> really, the only way is to dive in 12:24 < treats> "/j #nagios" "/msg how do you monitor a ftp server?" 12:24 < ecrist> the real complexity comes with learning how to parent your hosts and setup proper notifications. 12:25 < ecrist> our nagios system emails and builds an RSS feed, which we monitor via a bot I wrote that sits on our XMPP server and posts RSS updates to the MUCs 12:26 -!- Ypsy is now known as YpsyZNC 12:26 < |Mike|> no SMS ecrist ? :P 12:27 < treats> i would turn my phone off if every nagios message came via sms 12:27 < ecrist> no, I don't have an SMS gateway that ties directly to the GSM network, so any SMS I send would go out via the net anyways. On top of that, my email comes straight to my blackberry anyhow. 
12:28 < |Mike|> same here, works like a charm 12:28 < ecrist> treats: with ~35 hosts and about 500 processes, I get maybe 2 or 3 notifications per day. 12:28 < |Mike|> heartbeat <3 12:28 < ecrist> *and* notifications are routed based on time of day and process. some processes don't need to send emails or SMS. we have a lot that are RSS only 12:29 -!- treats is now known as treats|fightingf 12:29 * dazo stumbled over a Siemens MC75 compatible GSM modem for USD16 12:29 -!- treats|fightingf is now known as treats|afk 12:29 * dazo bought it 12:29 < |Mike|> you manage those 35 boxes with puppet as well ? 12:29 < ecrist> nope 12:29 < ecrist> we don't really need puppet 12:30 < ecrist> our authentication and SUDO configs are stored in LDAP, and that's the most dynamic stuff that's common to all hosts. 12:30 < |Mike|> we maintain ~ 400 servers with it, works like a charm :d 12:30 < ecrist> everything else we have is a mishmash of different utility boxes. 12:31 < ecrist> sometimes I wish I had a bigger network to manage, then I wake up. 12:31 < |Mike|> it's nice to manage 400 boxes with 1 command, but if you screw 1 thing up in the config, 400 boxes go down, that's not so nice :P 12:32 < |Mike|> i hate migrations tbh. 12:33 < |Mike|> ecrist: lookin for a new job ? 
:) 12:33 < ecrist> *Actually*, yes 12:35 < |Mike|> hehe 12:35 < |Mike|> not a good time tho 12:36 -!- treats|afk is now known as treats 12:42 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 12:44 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 12:44 -!- Douglas [i=Douglas@64.18.154.249] has joined ##openvpn 13:18 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 13:20 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)] 13:24 -!- bandini [n=bandini@host210-27-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 13:52 -!- bandini [n=bandini@host210-27-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 13:57 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 14:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:34 -!- Douglas [i=Douglas@64.18.154.249] has quit [] 14:42 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out] 15:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 15:38 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has joined ##openvpn 15:38 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.12/2009070611]"] 15:46 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 15:54 -!- linagee [n=jalton@about/linux/staff/linagee] has joined ##openvpn 15:54 < linagee> can you have one router with multiple vpn tunnels out to some servers for lower latency? 15:55 < linagee> er, multiple openvpn tunnels specifically. (in other words can you run more than one instance of openvpn) 16:08 < ecrist> sure 16:08 < ecrist> it cannot listen on the same IP to the same port, however. 
16:11 < linagee> ecrist: ah. so as long as port, instance, and network (route) are different, things should work? 16:11 < ecrist> yep 16:12 < linagee> ecrist: cool. I'm deploying voip from a different colo with lower latency but have an established vpn. so the phones are on the old vpn, i tried to make a route to the new colo, but it turns out i'm just adding more latency. ;) so i want routes directly to the new colo 16:13 < linagee> it should work to make new openvpn instances on routers to the new colo and just give it a different network address 16:13 < ecrist> linagee: you realize you're working in circles, right? 16:13 < ecrist> that tunnel, although appears direct, still travels across the same path 16:14 < linagee> ecrist: sort of. the back end is a bit more complex. i did improve it right away when i moved because I moved to where my ITSP is. so voice quality improved right away for forwarding of calls. :) 16:14 < linagee> ecrist: my ITSP ping time is now like 2ms or something crazy cool like that 16:14 < linagee> colo to colo is like 18ms 16:16 < linagee> it might make sense to move *everything* over to the new colo, just not there yet or sure that's the best option 16:18 -!- lonebrave [n=lonebrav@pool-72-81-244-68.bltmmd.fios.verizon.net] has joined ##openvpn 16:26 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 17:09 -!- lonebrave [n=lonebrav@pool-72-81-244-68.bltmmd.fios.verizon.net] has quit [] 17:10 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn 17:15 -!- master_of_master [i=master_o@p549D3A39.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 17:20 -!- master_of_master [i=master_o@p549D3A39.dip.t-dialin.net] has joined ##openvpn 17:34 -!- muh2000 [n=muh2000@unaffiliated/muh2000] has quit [Read error: 54 (Connection reset by peer)] 17:40 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn 17:41 -!- epaphus [n=unix3@190.10.68.228] has quit 
["Leaving"] 17:51 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 17:51 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 18:14 -!- Biscuits [i=Biscuits@s5593f0f9.adsl.wanadoo.nl] has joined ##openvpn 18:14 < Biscuits> !howto 18:14 < vpnHelper> Biscuits: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:15 < Biscuits> Hey, I'm trying to link two networks together, and have OpenVPN running on both, both router machines can ping eachother by their endpoint (openvpn) IPs as well as their "normal" (physical interface) IPs, but when I try to ping other machines on the other side of the bridge it doesn't work. Could anyone help me troubleshoot ? 18:24 -!- brizly [n=brizly_v@p4FC9A5B7.dip0.t-ipconnect.de] has joined ##openvpn 18:27 < rawDawg> !route 18:27 < vpnHelper> rawDawg: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:27 < Biscuits> !route 18:27 < vpnHelper> Biscuits: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:27 < Biscuits> eoh 18:27 * Biscuits goes reading 18:30 < Biscuits> hmmm, is push "route ... ..." the equivalent of just having route ... ... in the config file of the other side ? 18:37 < Biscuits> Hmm, I've really read that, but it's not working, and I have no idea how to troubleshoot this :( 18:37 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"] 18:38 < Biscuits> Is there any way to get the kernel to dump info on packets dropped or routed ? 18:39 -!- brizly1 [n=brizly_v@p4FC9A58D.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 18:41 < rawDawg> tcpdump 18:49 < |Mike|> lol 18:49 < |Mike|> Biscuits: setup iptables 18:50 < Biscuits> ? 
18:51 < Biscuits> I've added rules -A INPUT/FORWARD/OUTPUT -i (or -o in OUTPUT's case) tun0 -j ACCEPT on both sides 18:51 < Biscuits> still nothing :/ 18:52 < Biscuits> Also, another test, a different machine on the network where I set up the routes 10.0.0.0/24 -> router, I can ping 10.0.0.1 (local openvpn endpoint on the router), but not 10.0.0.2 :/ 18:53 < Biscuits> Somehow it seems as if the machine that's running openvpn is refusing to actually pass on packets :( 18:54 < Biscuits> hmmm... 18:54 < Biscuits> I am a complete idiot :/ 18:54 < Biscuits> I put ip_forward=yes in /etc/network/options 18:54 < Biscuits> But somehow that never got read or something 18:55 < Biscuits> a cat /proc/sys/net/ipv4/ip_forward got me 0, echo'ing 1 to it fixed most of it :S 18:55 < Biscuits> I can now ping the other side from a client box :) 18:55 < Biscuits> still no machine on the other side though :/ 18:56 -!- YpsyZNC is now known as Ypsy 18:58 < |Mike|> set up client-to-client then.. 18:58 < Biscuits> ? 18:59 < |Mike|> 2009/07/31 01:50:43 < Biscuits> Also, another test, a different machine on the network where I set up the route's 10.0.0.0/24 -> router, I can ping 10.0.0.1 (local openvpn endpoint on the router), but not 10.0.0.2 :/ 18:59 < |Mike|> clients can't ping each other if you don't have a client-to-client setup :) 18:59 < |Mike|> ping/ exchange data blablabla. 19:00 < Biscuits> oh, but the routers (the machines actually running openvpn) can ping each other by both their openvpn ips (10.0.0.x) and their physical ips (192.168.1.5 and 192.168.0.1) 19:06 < Biscuits> Hmmm... ok, weird. I've got networks A and B. A machine on network A can ping anything in network B, but a machine in network B can only ping the router in network A, no other machines. Would that be related to the iptables on the router in network A or B ? 
19:10 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has left ##openvpn [] 19:16 < |Mike|> push some more routes :D 19:17 -!- Douglas [i=Douglas@64.18.144.2] has joined ##openvpn 19:17 < |Mike|> probably a iptables issue Biscuits 19:17 < Biscuits> yeah, just wondering on what side :p 19:18 < Biscuits> Hmmm, crap, seems related to the fact that the openvpn endpoint on network A isn't the actual gateway :( 19:19 < Biscuits> I tried adding a route on the gateway to fix things 19:19 < Biscuits> and that seems to get A->B communication working 19:19 < Douglas> mv krzie /dev/null 19:19 < Biscuits> but B->A only works if the machine on A has a route set up 19:20 < |Mike|> Douglas: behave. 19:20 < |Mike|> then it's another routing issue mr Biscuits 19:21 < Biscuits> Hmm, yeah, wonder if it'll help if I set that openvpn endpoint up as the gateway instead 19:26 < Darkclaw66> what's the problem? 19:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 19:34 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Operation timed out] 19:45 < Biscuits> Darkclaw66: Got two networks 192.168.0.x and 192.168.1.x. I've got a router connected to internet 192.168.0.1, a router connected to internet 192.168.1.1 (dedicated router, can't install anyway), a server machine 192.168.1.5. 
19:46 < Biscuits> I've got an OpenVPN bridge between 192.168.0.1 and 192.168.1.5 19:46 < Biscuits> pinging from 192.168.1.5 to 192.168.0.x works fine 19:46 < Biscuits> pinging from 192.168.0.x to 192.168.1.5 works fine too 19:46 < Biscuits> In the dedicated router I set rules to route 10.0.0.x and 192.168.0.x to 192.168.1.5 19:47 < Biscuits> pinging from 192.168.1.x to 192.168.0.x then works 19:47 < Biscuits> but pinging from 192.168.0.x to 192.168.1.x doesn't work, unless I explicitly add a local route on the machine in 192.168.1.x for the 192.168.0.x subnet :/ 19:47 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 19:51 < Darkclaw66> did you try disabling your firewall to see if that makes a difference 19:51 < Biscuits> Firewall on all of those machines is turned off 19:51 < Darkclaw66> do you have client-to-client enabled 19:52 < Biscuits> Isn't client-to-client only useful when there's more than two machines in the OpenVPN setup? 19:52 < Biscuits> E.g. right now it's just a client (192.168.0.1) and a server (192.168.1.5) 19:53 < Douglas> yes 19:53 < Douglas> mmmm 19:53 < hardwire> I'm hoping to name all new tap devices dynamically.. calling them bbone0-9 .. is there a method for openvpn to dynamically assign tap devices with a different prefix than "tap"? 
19:53 < Douglas> lemon ice pop
19:53 < Darkclaw66> i thought you said you had two networks
19:54 -!- B1scuits [i=Biscuits@s5593f0f9.adsl.wanadoo.nl] has joined ##openvpn
19:54 < B1scuits> heh, k, so something went wrong while trying to turn off and on the firewall on the ADSL modem :p
19:54 < B1scuits> PING 192.168.1.3 (192.168.1.3) 56(84) bytes of
19:54 < B1scuits> err
19:54 < B1scuits> gah
19:54 < B1scuits> Anyway
19:54 < B1scuits> Two physical networks
19:55 < B1scuits> but the openvpn network is just a tunnel between two machines
19:55 < Darkclaw66> if you want the clients to be able to talk to each other you need to have client-to-client
19:55 < hardwire> it's a shame that doesn't mean establish new tunnels between each other :)
19:57 < B1scuits> But client-to-client is only for multiple OpenVPN clients :/
19:57 < B1scuits> Not machines that are merely routed through it
20:09 < B1scuits> hmmm
20:09 < B1scuits> Could it be related to the fact that the ping from 192.168.0.x is coming from 192.168.1.5, and then has to be sent back to 192.168.1.1 (which will then see it's for 192.168.0.x and send it on to 192.168.1.5) ?
20:10 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [No route to host]
20:10 < B1scuits> so to machine 192.168.1.3 he gets a ping from 192.168.0.1, which somehow originated from 192.168.1.5, then has to send that back on its default gateway 192.168.1.1, and then triggers some kind of anti spoof protection ?
20:11 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:12 -!- Biscuits [i=Biscuits@s5593f0f9.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)]
20:12 -!- Douglas [i=Douglas@64.18.144.2] has quit [Read error: 104 (Connection reset by peer)]
20:34 -!- saylar [n=saylar@p5DDFB97E.dip.t-dialin.net] has joined ##openvpn
20:38 < saylar> hey guys. I'm a little confused about the way openvpn apparently works. is it correct that openvpn shuts down eth0 if a connection is established? if so, is there a way that i can still access my ssh server, which was listening on eth0 until openvpn started? this is probably a dumb question, i'm pretty sure i'm just missing one keyword in my google search.
20:44 -!- jeiworth [n=jeiworth@189.234.80.58] has quit [Read error: 110 (Connection timed out)]
20:51 < lonebrave> trying to get openvpn to work...getting VERIFY ERRORs (self signed cert) on client when trying to connect. server output: http://pastebin.com/d36654f93 client output: http://pastebin.com/d7e277311
20:52 < lonebrave> i thought i followed the howto for creating the certs/keys, but something is obviously wrong
20:56 < Darkclaw66> what tool did you use to create them
20:57 < Darkclaw66> I personally used easy-rsa
20:58 < Darkclaw66> was a cinch
21:00 < lonebrave> used easy-rsa, from the openvpn-2.0.9.tar.gz
21:01 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
21:01 < lonebrave> i do only have openvpn-2.0.7 on my client, though (latest available in fink for os x)
21:05 < thedoc> saylar, eth0 does not shut down
21:05 < saylar> i just found the bridging howto. is this what I'm looking for
21:05 < saylar> ?
21:06 < lonebrave> logs of my key creation here: http://pastebin.com/d41311c36
21:06 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn
21:07 -!- master_of_master [i=master_o@p549D3A39.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3D98.dip.t-dialin.net] has joined ##openvpn
21:14 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has quit [Read error: 54 (Connection reset by peer)]
21:17 -!- [3]anwoke [n=A@65.100.249.52] has joined ##openvpn
21:17 -!- [3]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
21:18 -!- [3]anwoke [n=A@65.100.249.52] has joined ##openvpn
21:18 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
21:18 -!- [2]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
21:19 -!- superdave888 [n=superdav@c-98-207-209-220.hsd1.ca.comcast.net] has joined ##openvpn
21:21 < superdave888> what is the best source of information for a first-time install / deployment of openvpn
21:23 < thedoc> !howto
21:23 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:24 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
21:24 < superdave888> !howto
21:24 < vpnHelper> superdave888: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:25 < saylar> thedoc, do you have a suggestion on where to look for a solution? I really don't know where else to look ;)
21:25 < thedoc> saylar, What was your original question again?
21:26 < saylar> if a vpn connection is established as i client, i can no longer access the services that were running on eth0 before. (therefore i thought eth0 would be shutdown)
21:26 < saylar> as a client
21:27 < thedoc> saylar, What services are you running on eth0?
21:27 < saylar> ssh and an apache for example
21:28 < thedoc> saylar, What are you trying to accomplish exactly?
21:29 -!- B1scuits [i=Biscuits@s5593f0f9.adsl.wanadoo.nl] has quit []
21:29 < saylar> to establish a vpn connection to a remote server and still be able to access the machine from inside my LAN. the machine had an ip of 192.168.0.2 before and it is no longer accessible as soon as the vpn connection is online.
21:30 < thedoc> saylar, Check your routing tables. :)
21:30 < saylar> hrhrhr
21:30 < saylar> i was afraid you were gonna say that ;)
21:30 < thedoc> and also, are you tunneling all your traffic via your vpn? I heard that might break stuff.
21:32 < saylar> well, to be honest. i just installed openvpn, kvpnc, imported the config files and established a connection. anyway, thanks for your help. now i know that something with the routing is not working as it should be. that's a start at least.
21:33 < thedoc> saylar, Try modifying the routes in the routing table to look something like, 192.168.0.0/24 metric 1
21:34 < thedoc> 0.0.0.0 metric 1
21:34 < thedoc> That should have your machine do something similar to split tunneling
21:34 < saylar> ah, ok. I'll try that.
21:47 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
21:47 -!- [3]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
22:04 -!- saylar [n=saylar@p5DDFB97E.dip.t-dialin.net] has left ##openvpn []
22:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
22:11 -!- funcky1 [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has joined ##openvpn
22:15 < funcky1> im having a serious error with openvpn on ubuntu. it disconnects while i am connected to the vpn then continues the connection unprotected. I've had this problem for months and months and i've had it with 2 separate vpns now.
22:18 < funcky1> it happens quite frequently
22:19 -!- [3]anwoke [n=A@65.100.249.52] has joined ##openvpn
22:20 -!- funcky1 is now known as commie
22:20 -!- commie is now known as classstruggle
22:20 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
22:21 < classstruggle> im having a serious error with openvpn on ubuntu. it disconnects while i am connected to the vpn then continues the connection unprotected. I've had this problem for months and months and i've had it with 2 separate vpns now. it happens up to 3 times a day.
22:24 < classstruggle> this is a vpn service so i dont know if i have logs
22:27 -!- hardwire` [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
22:28 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 104 (Connection reset by peer)]
22:58 -!- hardwire [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has joined ##openvpn
23:00 -!- hardwire` [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 110 (Connection timed out)]
23:01 -!- classstruggle [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has left ##openvpn ["Leaving."]
23:04 -!- hardwire [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has quit [Read error: 60 (Operation timed out)]
23:05 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
23:13 -!- hardwire` [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has joined ##openvpn
23:17 -!- classstruggle [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has joined ##openvpn
23:19 < classstruggle> im having a serious error with openvpn on ubuntu. it disconnects while i am connected to the vpn service then continues the connection unprotected. I've had this problem for months and months and i've had it with 2 separate vpn services now. it happens up to 3 times a day.
23:19 < ecrist> !logs
23:19 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:20 < classstruggle> i dont have any logs i deleted them all and discontinued service with both services.
23:20 < ecrist> how the hell are we supposed to help you, then?
23:21 < classstruggle> by telling me what this bug is
23:22 < ecrist> we would have no idea without logs.
23:22 < ecrist> if you want an answer, provide them
23:22 -!- Ypsy is now known as YpsyZNC
23:22 < classstruggle> i have no logs x(
23:22 < ecrist> sorry, nothing we can do
23:23 < classstruggle> im sure theres someone in here that knows about this
23:24 < ecrist> no, there isn't
23:24 < classstruggle> i heard ubuntu had an soc connection manager bug or something
23:26 < classstruggle> ecrist: do you know anything about ubuntu and/or an soc connection manager bug?
23:27 < ecrist> nope
23:27 -!- classstruggle [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has left ##openvpn ["Leaving."]
23:28 -!- classstruggle [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has joined ##openvpn
23:29 < classstruggle> oops
23:29 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 110 (Connection timed out)]
23:34 < Darkclaw66> classstruggle how can you tell its unprotected?
23:34 < classstruggle> because i do an ip check
23:34 < Darkclaw66> hmm do tell
23:34 < ecrist> lol
23:35 < classstruggle> whatismyip.com
23:35 < ecrist> classstruggle: I think you do not understand your VPN config
23:35 < ecrist> if we had logs and configs, we could help you
23:36 < ecrist> I suspect there is no 'bug,' just a misunderstanding on your end.
23:36 < classstruggle> ecrist: i connect fine and everything works for a long time
23:37 -!- hardwire` is now known as hardwire
23:37 -!- hardwire [n=hardwire@39.183.dowl.anc.borealisbroadband.net] has quit [Remote closed the connection]
23:38 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has joined ##openvpn
23:38 < classstruggle> its just when it disconnects that there's a problem
23:39 < ecrist> regardless, without logs we cannot help you
23:39 < ecrist> that is the end of it.
23:40 < classstruggle> it leaves me surfing unprotected
23:40 < ecrist> *shrug*
23:40 < Darkclaw66> the heart is willing but the flesh is weak and spongy
23:41 < classstruggle> i told you i dont have any lags Darkclaw66
23:41 < classstruggle> logs
23:42 < ecrist> classstruggle: please go away until you get logs, or just drop it.
23:42 -!- [3]anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
23:42 < Darkclaw66> classstruggle reproduce the problem and you'll have the logs
23:44 < classstruggle> how can i do that when im not subscribed to the service? the reason i came here is because i didnt want to risk investing money for subscribing to a service when it could just disconnect at any time and leave me vulnerable to hackers.
23:44 < Darkclaw66> openvpn is free, not sure what you mean
23:45 < classstruggle> vpn services are not free
23:45 < Darkclaw66> if you are paying a company to do it for you yes but the software (server/client) is free
23:46 < ecrist> classstruggle: if you're paying a service, talk to their support.
23:47 < classstruggle> i did and they told me that no one had experienced that problem, ever.
23:47 < ecrist> right, and we're telling you, without logs, we cannot help you
23:50 < Darkclaw66> I considered getting a dedicated server but its not worth it
23:50 < Darkclaw66> too expensive
23:50 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
23:52 < ecrist> g'night.
23:52 * ecrist goes to bed.
--- Day changed Fri Jul 31 2009
00:03 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit []
00:05 < anwoke> hi all
00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:10 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
00:13 < anwoke> Hi, will the windows 1.0.3 client work with a openvpn 2.0.9 server?
00:14 < kc8pxy> 1.0.3?
00:15 < anwoke> correction the about says it is 1.0.3, but the installer says 2.1
00:21 -!- anwoke [n=A@65.100.249.52] has quit [Client Quit]
00:22 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
00:29 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
00:29 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
00:35 < Darkclaw66> anwoke I noticed that as well
00:36 < Darkclaw66> not sure
00:39 < anwoke> well we are having issues using it to connect to multiple vpn's, we can connect, we can ping our self and the vpn server, but can't ping anything else on the network
00:39 < anwoke> on either server
00:40 < anwoke> but clients using other clients other than the windows client can
00:41 -!- ebil_andy [n=andy@ip70-174-136-104.dc.dc.cox.net] has quit [Read error: 110 (Connection timed out)]
00:43 < kc8pxy> he's using the gui rev
01:19 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit [Read error: 110 (Connection timed out)]
01:30 -!- hardwire [n=hardwire@216-67-98-253.static.acsalaska.net] has quit [Read error: 104 (Connection reset by peer)]
01:45 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn
01:49 -!- classstruggle [n=funcky@c-71-235-206-130.hsd1.ct.comcast.net] has left ##openvpn ["Leaving."]
01:52 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:20 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
02:20 -!- zheng [n=zheng@210.73.203.83] has quit [Remote closed the connection]
02:21 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
02:29 -!- zheng [n=zheng@210.73.203.83] has quit [Remote closed the connection]
02:47 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn
02:47 < b0nn> !howto
02:47 < vpnHelper> b0nn: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:15 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: disco-, fkr, vpnHelper
03:21 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
03:21 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
03:21 -!- disco- [n=disco@andromeda.h4xed.com] has joined ##openvpn
03:22 -!- disco- [n=disco@andromeda.h4xed.com] has quit [SendQ exceeded]
03:22 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
03:23 < RadarG> !redirect
03:23 < vpnHelper> RadarG: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:24 < RadarG> !def1
03:24 < vpnHelper> RadarG: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:24 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
04:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:30 -!- boswarrior [n=mrnice@62.178.9.197] has joined ##openvpn
04:31 -!- boswarrior [n=mrnice@62.178.9.197] has quit [Client Quit]
04:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:20 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
05:49 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn
06:01 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit []
06:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:32 -!- dazo [n=dazo@nat/redhat/x-63d29adcfa8e615f] has quit ["Leaving"]
06:41 -!- ebil_andy [n=andy@wsip-98-191-211-137.dc.dc.cox.net] has joined ##openvpn
06:45 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
06:45 < lkthomas> hey guys
06:45 < lkthomas> I got a question
06:46 < lkthomas> assume office network is 192.168.80.0
06:46 < lkthomas> how could I config openvpn so that it could connect and access the whole office network ?
06:48 < lkthomas> anyone still alive ?
06:50 < ebil_andy> well
06:50 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:50 < ebil_andy> I assume you want the client to be able to access the entire office network?
06:50 < lkthomas> yes
06:51 < Bushmills> !route
06:51 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:51 < Bushmills> lkthomas, ^^^
06:51 < ebil_andy> well, the howto DOES have a pretty good section on that (it's a really good document) aaaaand Bushmills beat me to it
06:51 < lkthomas> I try all kinds of method none of them are working
06:52 < ebil_andy> what have you tried
06:52 < lkthomas> vpnserver public IP 1.2.3.4
06:52 < ebil_andy> what was the last thing you tried
06:52 < lkthomas> private network 192.168.104.0
06:52 < lkthomas> on vpn server side: push "route 192.168.104.0 255.255.255.0"
06:52 < ebil_andy> actually. the best way to do this
06:53 < ebil_andy> sanitize and post your config files (client AND server) on a pastebin somewhere
06:53 < lkthomas> vpn client did not config any route
06:53 < ebil_andy> remove sensitive info and also add logfiles from client and server (verb 6 iirc)
06:53 < ebil_andy> that way someone here can actually HELP you
06:54 < ebil_andy> We need !logs and !configs and maybe !interface <-- from the channel topic
06:54 < ebil_andy> !logs
06:54 < vpnHelper> ebil_andy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:54 < ebil_andy> !configs
06:54 < vpnHelper> ebil_andy: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:57 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
06:58 < lkthomas> http://www.pastebin.ca/1513672
06:58 < lkthomas> please check
06:59 < lkthomas> server side got eth1 which is running 192.168.104.0 network
07:05 < lkthomas> ebil_andy, well, you ask me to paste the config
07:05 < lkthomas> but no response
07:05 < ebil_andy> sorry, I'm at work
07:05 < ebil_andy> 1 sec let me take a look
07:05 < lkthomas> thanks :)
07:06 < ebil_andy> what ISP do you use for the server?
07:06 < ebil_andy> rather, is it a residential ISP or a business ISP?
07:07 < lkthomas> just a server in datacenter
07:08 < lkthomas> assume it is an office IP
07:08 < ebil_andy> so port 80 UDP is allowed incoming?
07:08 < lkthomas> yes
07:08 < ebil_andy> ok, that's what I was getting at. because most residential ISP's will block that
07:08 < lkthomas> assume no firewall blocking apepar
07:08 < lkthomas> appear
07:08 < lkthomas> so what do you think about the config ?
07:08 < ebil_andy> any reason you enabled tls-auth?
07:09 < ebil_andy> and commented out ns-cert-type
07:09 < lkthomas> could we focus on routing first ?
07:09 < lkthomas> these thing could be fix later on
07:09 < ebil_andy> now you never said, can you even get a connection?
07:09 < lkthomas> yes
07:09 < ebil_andy> ok
07:10 < lkthomas> let me paste the ifconfig tun0
07:10 < lkthomas> server: inet addr:10.8.72.1 P-t-P:10.8.72.2 | client: inet addr:10.8.72.6 P-t-P:10.8.72.5
07:11 < lkthomas> question: server got 192.168.104.0, client got 192.168.80.0. how could I get them connect together ?
07:12 < lkthomas> of course, they are both public accessible
07:12 < lkthomas> but client only could connect to server
07:13 < ebil_andy> what does route -n look like on each machine
07:16 < lkthomas> can I pm you the info ?
07:16 < ebil_andy> and you didn't post your logs. that's what's going to show an error if there is one.
07:16 < lkthomas> I don't want public know my IP
07:16 < ebil_andy> yeah, pm away
07:33 < ecrist> good morning
07:33 < thedoc> Hello ecrist o/
07:35 < reiffert> lkthomas:
07:35 < reiffert> !route
07:35 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:36 < ebil_andy> reiffert, yeah, I've been trying to help him for the past 15-20 mins or so. he needs to sanitize and paste his configs (which he's done) and logs so that people can help. his config looks fine to me
07:37 -!- jeiworth [n=jeiworth@189.163.176.22] has joined ##openvpn
07:37 < lkthomas> I did route
07:37 < lkthomas> but not work
07:37 < lkthomas> log did not show error
07:38 < lkthomas> do I have to enable NAT ?
07:38 < reiffert> ebil_andy: well, if he prefers to stay on his own ...
07:38 < thedoc> What seems to be the question?
07:38 < thedoc> lkthomas, do a cat /proc/sys/net/ipv4/ip_forward
07:38 < thedoc> What does it return?
07:38 < reiffert> thedoc: how much is six times seven?
07:39 < lkthomas> 1
07:39 < thedoc> reiffert, No idea, I have to break out the calculator.
07:39 < lkthomas> both return one
07:39 < ebil_andy> wait
07:39 < lkthomas> server and client
07:39 < ebil_andy> 6*7 returns one?
07:39 < ebil_andy> that's your problem!
07:39 < lkthomas> lkthomas, do a cat /proc/sys/net/ipv4/ip_forward
07:39 < lkthomas> What does it return?
07:39 < ecrist> 42
07:39 < ecrist> /exec -o echo "6*7" | bc
07:40 < ecrist> :P
07:40 < lkthomas> guys
07:40 < lkthomas> would you mind to help me a bit ?
07:40 < reiffert> public error jeopardy?
07:40 < lkthomas> it is kind of urgent
07:40 < ecrist> lkthomas: sure
07:40 < ecrist> !logs
07:40 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:40 < ecrist> !configs
07:40 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:40 < lkthomas> as I told you that log did not show error
07:40 < lkthomas> I paste it to you on pm already
07:41 < ecrist> lkthomas: if you won't play by the rules, go away
07:41 < lkthomas> ebil_andy, I use your config file
07:41 < lkthomas> not work either
07:41 < reiffert> !factioids search firewall
07:41 < vpnHelper> reiffert: Error: "factioids" is not a valid command.
07:41 < reiffert> !factoids search firewall
07:41 < vpnHelper> reiffert: 'dynamicfirewall' and 'firewall'
07:41 < reiffert> !firewall
07:41 < vpnHelper> reiffert: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
07:42 < ebil_andy> lkthomas, then it's a firewall issue
07:42 * ebil_andy thinks this sounds familiar...
07:42 < lkthomas> where is the firewall comes from
07:42 < lkthomas> iptables shows all accept
07:42 < ecrist> !iptables
07:42 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
07:42 < ebil_andy> yeah, post your logs. we still haven't seen them
07:42 < reiffert> !interface
07:42 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:42 < ecrist> !all
07:42 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
07:46 < lkthomas> traceroute 192.168.104.1
07:46 < lkthomas> traceroute to 192.168.104.1 (192.168.104.1), 30 hops max, 40 byte packets
07:46 < lkthomas> 1 10.8.72.1 (10.8.72.1) 181.459 ms 262.017 ms 342.388 ms
07:46 < lkthomas> 2 * * *
07:46 < ecrist> don't paste in here, please
07:46 < lkthomas> ok
07:46 < lkthomas> from client side traceroute to server private subnet gateway
07:46 < lkthomas> after reach server tun0 interface
07:46 < lkthomas> it drops
07:47 < reiffert> lkthomas: you will help yourself most when you do as we propose..
07:47 < ecrist> lkthomas: post your configs and logs
07:48 * ecrist considers getting the cluebat
07:48 < lkthomas> config file: http://www.pastebin.ca/1513672
07:49 < lkthomas> log: http://www.pastebin.ca/1513703
07:49 < lkthomas> I told you guys that nothing really interesting on log
07:49 < lkthomas> it's nothing there
07:50 < reiffert> !interface
07:50 < vpnHelper> reiffert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
07:50 < lkthomas> I was asking if I have to enable NAT and no one give me the answer
07:50 < ecrist> right, and if you were competent enough to not need help, you'd know better.
07:51 < lkthomas> http://pastebin.ca/1513705
07:52 < ecrist> well, first, that's not your entire log file.
07:52 < lkthomas> how do you define entire file
07:52 < ebil_andy> ecrist, I told him he needs something like this: http://eeble.net:8080/~andy/openvpn_troubleshoot.html
07:52 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn
07:52 < vpnHelper> Title: OpenVPN Troubleshooting logs/configs (at eeble.net:8080)
07:52 < ecrist> second, if you're having problems routing to 192.168.104/24, you need ip_forward enabled and you need to setup a return path from the 192.168.104/24 network to access the VPN
07:52 < reiffert> 2nd we do know your public IP address and 3rd the routing tables are missing.
07:53 < lkthomas> guys
07:53 < lkthomas> maybe it is better to give me a link of guide which is work for you
07:53 < lkthomas> it is wasting time to debug
07:53 < ebil_andy> the howto
07:53 < ebil_andy> read it
07:53 < lkthomas> I don't mind to start from scratch
07:53 < ebil_andy> it worked for me
07:53 < ecrist> !route
07:53 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:54 < ecrist> that document should get you going
07:54 < reiffert> lkthomas: you said it's urgent .. starting over will last too long.
07:55 < lkthomas> one question
07:55 < lkthomas> side A got subnet 1
07:55 < lkthomas> side B got subnet 2
07:55 < lkthomas> do I have to push the route out between two side ?
07:55 < ecrist> read the doc, then ask questions
07:56 < reiffert> btw, did you notice he was removing the "2" in front of his public IP addresses?
07:57 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
07:58 < reiffert> well, you probably did.
07:59 < ecrist> he removed the IP from the configs, but not the logs
08:00 -!- cpm_ is now known as cpm
08:00 < lkthomas> ok
08:01 < lkthomas> client side, I push client side private subnet to server
08:01 < lkthomas> add route to local subnet
08:01 < ecrist> lkthomas: you're going to need iroute, too
08:01 < ecrist> !iroute
08:01 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
08:01 < lkthomas> $#@&*#&*!
08:01 < lkthomas> it might be the case
08:01 < lkthomas> let me test it, wait
08:01 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"]
08:06 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn
08:08 < lkthomas> after reconfig iroute
08:08 < lkthomas> it's all the same
08:09 < ecrist> lkthomas: does 192.168.104/24 sit behind the OpenVPN server, or one of the clients?
08:09 < lkthomas> server
08:09 < ecrist> you don't need iroute for that, then.
08:09 < lkthomas> client is 192.168.80.0/24
08:09 < ecrist> you need a CCD entry for the client for 192.268.80/24
08:10 < lkthomas> it does not allow me to do that
08:10 < ecrist> then, you need to provide a route on the OpenVPN server LAN to route 192.186.80/24 to the VPN server IP
08:10 < lkthomas> it will specific server mode only
08:10 < ecrist> what?
08:11 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
08:13 < lkthomas> Jul 31 21:12:00 app1-testing openvpn[3528]: ERROR: Linux route add command failed: external program exited with error status: 2
08:13 < lkthomas> <-- is this normal ?
08:14 < lkthomas> openvpn try to run this command: /sbin/ip route add 192.168.104.0/24 via 10.8.72.5
08:14 < ecrist> did you read and follow !route
08:14 < ecrist> ?
08:14 < lkthomas> if I ping 10.8.72.5, I got no response
08:14 < ecrist> holy shit man
08:14 < lkthomas> ?
08:14 < lkthomas> yeah ?
08:14 < ecrist> read the docs we posted, follow their instructions
08:16 -!- oc80z [i=oc80z@blea.ch] has left ##openvpn []
08:16 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
08:18 < lkthomas> do I need to use client to client on server ?
08:18 < ecrist> only if you want vpn clients to talk to each other.
08:18 < ecrist> one server and one client, no, you don't need it
08:19 < lkthomas> Options error: --client-config-dir/--ccd-exclusive requires --mode server
08:19 < ecrist> client-config-dir goes in the server config
08:19 < lkthomas> what should I use if I want to use ccd ?
08:20 < ecrist> ok, I'm done
08:20 < ecrist> read the docs
08:24 < lkthomas> I still don't get it
08:24 < lkthomas> 192.168.104.0 10.8.72.5 is in the routing table
08:24 < lkthomas> I could ping 192.168.104.240 which is in server
08:24 < lkthomas> but anything else can't
08:24 < lkthomas> why would it happen ?
08:24 < lkthomas> I read the whole routing section
08:24 < lkthomas> docs I mean
08:25 < lkthomas> nothing useful a
08:25 < lkthomas> changed setting
08:25 < lkthomas> nothing effect at all
08:26 -!- onats_ [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
08:36 < reiffert> ecrist: but it's sooo urgent!
08:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
08:48 < ecrist> yeah, sooo urgent
08:49 < lkthomas> traceroute 192.168.104.240 result is diff than traceroute 192.168.104.1
08:51 < lkthomas> ok, I just did traceroute 192.168.104.1
08:51 < lkthomas> it goes to 10.8.72.1 which is another side of tun0 inet address
08:52 < lkthomas> but second hop start to be unreachable
08:52 < lkthomas> is that means the package don't know how to forward from 10.8.72.1 to 192.168.104.x interface ?
08:57 < lkthomas> guys
08:57 < lkthomas> you know what
08:58 < lkthomas> I might know what is happening
08:58 < lkthomas> 192.168.104.x subnet does NOT contain gateway
08:58 < lkthomas> neither 192.168.80.x
09:00 < lkthomas> do you guys think that no gateway will cause packet can't be route ?
09:05 -!- ebil_andy [n=andy@wsip-98-191-211-137.dc.dc.cox.net] has quit ["Leaving"]
09:08 < reiffert> lkthomas: what should the host do when a packet arrives with destination outside the local subnet?
09:08 < lkthomas> it will ask gateway what to do ?
09:08 < reiffert> no.
09:08 < lkthomas> hmm ?
09:09 < reiffert> it will check the local routing table
09:09 < lkthomas> if it does not exists, drop, if exists, then forward
09:09 < reiffert> no.
09:10 < reiffert> forward for locally attached networks, send to gateway otherwise, drop when no gateway.
09:10 < lkthomas> CRAP!
09:10 < lkthomas> that hits the end
09:10 < lkthomas> no gateway
09:10 < lkthomas> ......
09:11 < lkthomas> is that possible to config local attached interface as gateway ?
09:12 < reiffert> what?
09:12 < lkthomas> except using NAT
09:12 < lkthomas> is there have any other method to build a gateway ?
09:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:13 < reiffert> sorry, but I do not understand you.
09:13 < lkthomas> assume 192.168.104.x does not have gateway
09:13 < lkthomas> OH wait
09:13 < lkthomas> it does
09:13 < lkthomas> hmm
09:14 < lkthomas> 192.168.104.1 is reachable from server
09:14 < lkthomas> but connect with client, the client could only be able to reach 192.168.104.240 which is eth1
09:18 -!- dazo [n=dazo@nat/redhat/x-vnvdhlyeplxctetj] has joined ##openvpn
09:26 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:26 -!- lkthomas [i=lkthomas@218.213.78.173] has quit ["Leaving"]
09:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:35 -!- jeiworth [n=jeiworth@189.163.176.22] has quit [Success]
09:37 < ecrist> sweet
09:37 < ecrist> he left and nobody had to make him to leave.
09:59 -!- jeiworth [n=jeiworth@189.177.38.156] has joined ##openvpn
10:07 -!- MadTBone [n=bruce@160.39.238.200] has quit ["Leaving"]
10:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:32 -!- c64zottel [n=hans@p5B17AF56.dip0.t-ipconnect.de] has joined ##openvpn
10:41 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
10:43 -!- Darkclaw66 [n=portness@lan.akprofessionalconsulting.com] has joined ##openvpn
10:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:45 -!- Qantouri1c [n=Qantouri@d54C49D91.access.telenet.be] has quit [Read error: 104 (Connection reset by peer)]
10:46 < kc8pxy> heya guys, i need some help with configuring a new client for a working vpn
10:48 -!- Darkclaw66 [n=portness@lan.akprofessionalconsulting.com] has quit []
10:50 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
10:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:55 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
10:55 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
10:55 < RadarG> ecrist did you look at my configs
10:57 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has joined ##openvpn
10:59 -!- c64zottel [n=hans@p5B17AF56.dip0.t-ipconnect.de] has left ##openvpn []
11:00 < ecrist> what configs and when?
11:00 < ecrist> why would I have looked at them?
11:01 -!- a0n [n=a0n@2001:6f8:1302:1:222:41ff:fe35:e68c] has left ##openvpn []
11:01 < RadarG> to help me out, I think it was you who wanted to look at them the other day
11:05 < ecrist> well, if you post !all and tell me what your problem is, I'd be willing to look at your config
11:05 < RadarG> !all
11:05 < vpnHelper> RadarG: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
11:07 < anwoke> !all
11:07 < vpnHelper> anwoke: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
11:08 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
11:11 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn
11:12 < techqbert> !route
11:12 < vpnHelper> techqbert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:21 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 113 (No route to host)]
11:30 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection timed out]
11:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:34 -!- kyrix [n=ashley@91-115-181-190.adsl.highway.telekom.at] has joined ##openvpn
11:36 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)]
11:40 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
11:41 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 113 (No route to host)]
11:42 < kc8pxy_> heya guys
11:42 < kc8pxy_> can a 2.1_RC18 client connect to a 2.0.9 server?
11:43 < ecrist> kc8pxy_: sure
11:43 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 60 (Operation timed out)]
11:43 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
11:43 < kc8pxy_> ecrist: then i need some help.
11:44 < ecrist> I use a 2.1rc15 client on a 2.0.9 server all the time
11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:57 < reiffert> rc19 is current
11:59 -!- disciplezero [n=disciple@99-181-166-226.lightspeed.cicril.sbcglobal.net] has joined ##openvpn
12:02 < disciplezero> I'm a little rusty with my understanding of gpl 2. Is it fair to use gpl applications in a commercial setting, so long as the source is made available?
12:09 < ecrist> yep
12:12 < RadarG> ecrist I have everything in pastebin links. My client connects to the server but it looks like it's not getting dns nor gateway address. I can't ping anything from either side.
12:12 < RadarG> http://pastebin.com/d6ce5056d client config
12:12 < RadarG> http://pastebin.com/m5cf43067 ipconfig client
12:12 < RadarG> http://pastebin.com/m7a5eaf38 client logs
12:12 < disciplezero> thanks
12:12 < RadarG> http://pastebin.com/m47bc5b7 route client
12:13 < RadarG> http://pastebin.com/m66131fd4 server config
12:13 < RadarG> http://pastebin.com/m27e26cef server log files
12:13 < RadarG> http://pastebin.com/m6e4aa726 server route
12:18 < kc8pxy_> ifconfig belongs in a windows client config?
12:20 < RadarG> yes a vista box
12:20 < kc8pxy_> what does the ifconfig line do?
12:25 < RadarG> on what log
12:25 < kc8pxy_> the client.. ifconfig, to my knowledge is a linux command.
12:27 < kc8pxy_> ahhh... something i didn't see.
12:27 < kc8pxy_> #
12:27 < kc8pxy_> Sat Aug 01 01:08:35 2009 us=898523 WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 10.251.62.2 10.251.62.1'
12:27 < kc8pxy_> in the client log
12:32 < RadarG> it sets the ip on the client (I think)
12:36 -!- jeiworth_ [n=jeiworth@189.177.38.156] has joined ##openvpn
12:47 -!- disciplezero [n=disciple@99-181-166-226.lightspeed.cicril.sbcglobal.net] has quit ["Leaving"]
12:49 -!- jeiworth [n=jeiworth@189.177.38.156] has quit [Read error: 110 (Connection timed out)]
13:00 < RadarG> how do I setup the dns and gateway information to the client.
13:01 < RadarG> kc8pxy_ I'm wondering if I had the ifconfig setup right
13:01 < kc8pxy_> RadarG: i'm no expert right now.
13:02 < kc8pxy_> guh
13:02 < kc8pxy_> i'm getting pulled in too many directions to help effectively right now.
13:03 < RadarG> ecrist do you think my client config is good
13:03 < ecrist> RadarG: sorry, haven't looked at it. I'm busy making money during the day, so not always available
13:04 < RadarG> that's understandable
13:04 < ecrist> RadarG: you're going to have problems, likely, if you're pushing the 192.168.0.0/24 subnet
13:05 < RadarG> ecrist Please explain, should I change it to something like 192.168.4.0?
13:06 < ecrist> yes
13:06 < ecrist> most home routers use 192.168.0.1/24 or 192.168.1.0/24
13:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:08 < thedoc> Morning guys
13:09 < RadarG> brb changing the 192.168.0.x network to 192.168.4.x
13:13 < krzee> RadarG, good call
13:14 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
13:14 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
13:15 < ecrist> why the hell are no sedation dentists open on Fridays?
13:15 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn
13:16 < jthan> I keep getting this error when I run ./build-ca http://pastebin.ca/1514007
13:16 < ecrist> jthan: you must not have sourced vars
13:16 < ecrist> . vars
13:16 < ecrist> or source vars
13:17 < jthan> Sure I do.
13:17 < jthan> I just edited it, and set it.
13:17 < ecrist> to use easy-rsa, you need to source vars, then run the rest of the commands
13:17 < jthan> I edited "vars"
13:18 < jthan> then . ./vars
13:18 < jthan> ./clean-all
13:18 < jthan> ./build-ca
13:18 < ecrist> this is why I hate easy-rsa
13:18 < ecrist> it isn't.
13:18 < ecrist> lol
13:18 < jthan> lol
13:18 < jthan> Do you think reinstalling will do anything?
13:18 * jthan is at a loss
13:19 < ecrist> no
13:19 < jthan> It always worked in the past for me :-P
13:19 < ecrist> what OS do you use?
13:19 < jthan> Ubuntu 8.04 LTS on a VPS
13:21 < ecrist> !ssl-admin
13:21 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
13:22 < jthan> I'll check that out.
13:22 < jthan> thanks
13:22 < ecrist> if you have questions, ask me, I wrote it.
13:24 < jthan> oh, that's cool :-)
13:24 < ecrist> I wrote it because easy-rsa sucked and I could never get it to work right.
13:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
13:30 < jthan> ecrist: just curious - if I do everything with easy-rsa anyway.. Where do I put all the files when I'm done? Do I just leave them in easy-rsa?
13:30 < jthan> right now the path is /etc/openvpn/easy-rsa
13:30 < ecrist> yes, you'd leave everything there.
13:30 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
13:30 -!- [1]anwoke is now known as anwoke
13:46 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
13:49 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
13:54 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
13:55 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
13:55 -!- [1]anwoke is now known as anwoke
14:12 -!- jthan [n=jonathan@208-58-24-75.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has left ##openvpn []
14:15 -!- TbbW [n=wolf@c-2404e255.138-502-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
14:16 < TbbW> anyone know how to add more than one openvpn ip to the same comp?
14:16 < TbbW> i got 4 ip's from my service provider thru openvpn and i can't figure out how to add the last 3 of them
14:17 < ecrist> multiple local statements, iirc
14:18 < TbbW> thanks ecrist, that made google give me a bit more interesting results :)
14:20 < ecrist> np
14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:20 < ecrist> TbbW: there is a bug with multiple local statements if you're using both TCP and UDP. AFAIK, there is not currently a fix.
14:21 < ecrist> oh, wait, nm, that bug has to do with multiple remote statements in a client config with both TCP and UDP
14:22 < TbbW> well i got 4 ipv4 ip's from a service provider called prq
14:22 < thedoc> prq? Isn't that from the piratebay?
14:22 < TbbW> not sure if you're referring to the tcp and udp as actual traffic within the tunnel
14:22 < TbbW> prq is just a bunker providing hosting
14:23 < ecrist> no, referring to tunnel transport
14:24 < TbbW> and yes... iirc it's the same that TPB used
14:24 < TbbW> ecrist: okey :)
14:25 -!- kyrix [n=ashley@91-115-181-190.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
14:31 -!- jeiworth_ [n=jeiworth@189.177.38.156] has quit [Read error: 110 (Connection timed out)]
14:36 -!- jeiworth [n=jeiworth@189.234.80.58] has joined ##openvpn
14:37 < TbbW> hmm... creating one conf for each ip won't do it... get bind errors on the port used
14:41 -!- kyrix [n=ashley@188-23-177-21.adsl.highway.telekom.at] has joined ##openvpn
14:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:43 < TbbW> wonder if i should add an alias for the tun0 in the /etc/networking/interfaces for the last 3
14:43 < ecrist> TbbW: just add more local lines to the same server config
14:46 -!- djMax [n=chatzill@66.92.91.132] has joined ##openvpn
14:46 < djMax> Can I import external certificates such as a web SSL cert into openvpn?
14:47 < ecrist> djMax: there is no such thing as 'importing' a certificate into OpenVPN
14:47 < djMax> ok, so it has to issue its own
14:47 < ecrist> you simply reference the CA certificate for which you want to accept client certificates
14:47 < ecrist> and then provide a server certificate for OpenVPN to use
14:47 < djMax> I see. So if I have a Windoze infrastructure I can just grab the cert for the CA it has
14:52 < djMax> haven't been able to find instructions for where to put the CA cert, pointer perhaps?
14:54 < ecrist> !man
14:54 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:55 < djMax> I'm reading the how to but it's not entirely clear to me which files will need to be generated on the openvpn server. Namely the dh{n}.pem files and how they relate to the server cert/key...
14:55 < TbbW> ecrist: the ifconfig line ?
14:56 < thedoc> Anyone here uses netflow?
15:00 < TbbW> nope... ifconfig line just kept overwriting each other
15:00 < ecrist> the 'local' line
15:00 < ecrist> how many times do I have to say it?
15:01 < TbbW> i don't have a local line in my openvpn config
15:01 < ecrist> so put them in there
15:01 < ecrist> local
15:01 < ecrist> local
15:01 < ecrist> local
15:01 < ecrist> local
15:01 < TbbW> so i remove the ifconfig line then ?
15:01 < ecrist> yes
15:02 < TbbW> do i need to put the netmask there as well ?
15:02 < ecrist> !configs
15:02 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:02 < TbbW> first ip got different netmask than the last 3 for some reason
15:02 < djMax> the static key "howto" says "server configuration file"... Would be nice if it says what that is
15:03 < ecrist> TbbW: --local host
15:03 < ecrist> Local host name or IP address for bind. If specified, OpenVPN will bind to this address only. If unspecified, OpenVPN will bind to all interfaces.
15:03 < ecrist> so, if you omit ifconfig and local, you'll get bind on all interfaces
15:04 * ecrist goes for a ride on his hawt motorcycle
15:05 -!- joh [n=joh@129.241.56.185] has joined ##openvpn
15:06 < djMax> !howto
15:06 < vpnHelper> djMax: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:06 < joh> Hi, I'm trying to set up openvpn through our proxy which requires NTLM authentication, but when I try to connect I get: Attempting NTLM Proxy-Authorization phase 1, HTTP proxy returned: 'HTTP/1.0 407 Proxy Authentication Required', Proxy requires authentication
15:07 < djMax> Boy that is kind of a stretch for "HowTo". The thing is probably 50 pages.
15:07 < joh> Is ntlm support in openvpn bad maybe?
15:08 < TbbW> sry for the pm ecrist :)
15:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
15:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:14 < TbbW> ecrist: well ?
15:22 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
15:29 < TbbW> http://forum.prq.se/viewtopic.php?f=2&t=2 <- my client config looks exactly like that one except for the redirect-gateway part
15:29 < vpnHelper> Title: prq.se View topic - Setting up OpenVPN in Ubuntu (at forum.prq.se)
15:53 < djMax> is there a way to see what ccd file the server is trying to access? Trying to route a subnet behind the client and getting bad addresses
15:54 -!- jeiworth [n=jeiworth@189.234.80.58] has quit ["No Ping reply in 90 seconds."]
15:55 -!- jeiworth [n=jeiworth@189.234.80.58] has joined ##openvpn
16:13 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
16:18 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:20 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
17:17 < reiffert> djMax: strace
17:17 < reiffert> djMax:
17:17 < reiffert> !route
17:17 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:38 < RadarG> I think some of these FAQ are confusing me. Now according to the routing faq it just allows the lans to communicate with each other. With that thought in mind could I just create a setup like that and set my machines to use a gateway that is on the other side of the vpn tunnel
17:46 -!- kyrix [n=ashley@188-23-177-21.adsl.highway.telekom.at] has quit [Read error: 113 (No route to host)]
17:50 < RadarG> hmm maybe I'm going about this the wrong way. Maybe you guys can help me break it down into pieces and check one piece at a time. My goal is to take 5 ip addresses behind my server on the 192.168.2.0 and send all the traffic across the vpn and use the other end's gateway to reach the outside. The client file is here can somebody look at it to see if I have it right? http://pastebin.com/d6ce5056d
17:50 < anwoke> question
17:51 < anwoke> why would our openvpn server allow us to ping and connect to all of the linux boxes, servers and the networked printers, but we can't ping or connect to any of the windows machines on the network?
17:51 < Bushmills> RadarG, if you find the FAQs confusing, I wonder how you can make sense of the replies here
17:53 < RadarG> because some of them don't work with my setup
17:53 < Bushmills> anwoke, because something hasn't been configured correctly?
17:54 < anwoke> any idea as to where to start looking?
17:55 < RadarG> The big problem is that my config isn't working which is a combination of many little problems that need to be solved. If I tackle the little problems one at a time the bigger problem will eventually get solved
17:55 < Bushmills> anwoke, traceroute, mtr or similar to see where packets get stuck
17:57 < Bushmills> http://scarydevilmonastery.net/masq
17:57 < Bushmills> !route
17:57 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:57 < Bushmills> RadarG, ^^^
17:57 < RadarG> I have read that three times
17:57 < RadarG> I don't have a common name to use that setup
17:57 < Bushmills> strange, it was only the first time that i pasted the first link
17:57 < Bushmills> or you must be an exceptionally quick reader
17:59 < RadarG> other people have posted this link. It looks helpful but I would like to fix the problems one at a time if you don't mind
18:00 < RadarG> One thing that I noticed is that I don't see a gateway address on the client as listed here http://pastebin.com/m5cf43067
18:00 < RadarG> this is an ipconfig from the vista client
18:01 < RadarG> how can I fix this using a solution that will complete my goal?
18:02 < Bushmills> !redirect
18:02 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:02 < Bushmills> !def1
18:02 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:03 < RadarG> nat is enabled on the server but I don't want all network traffic to go across it.
18:03 < Bushmills> " My goal is to take 5 ip address behind my server on the 192.168.2.0 and send all the traffic across the vpn and use the other ends gateway to reach the outside."
18:03 < Bushmills> "but I dont want all network traffic to go across it."
18:04 < Bushmills> which one?
18:04 < RadarG> ok bad wording on my part I want to take only 192.168.2.10-14 across the link.
18:05 < Bushmills> !route
18:05 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:06 < RadarG> how can I use this if I don't have a common name. My common name is blank. can I still use this method?
18:06 -!- Douglas [i=Douglas@64.18.144.2] has joined ##openvpn
18:07 < Bushmills> i suppose you'll have one openvpn client, on the same network as 192.168.2.10-14. use that client as gateway for 192.168.2.10-14.
18:09 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:09 < RadarG> the setup will be this 4 xboxs--server/firewall--dsl--vpn client/vista box--internet
18:09 < RadarG> the machines on the 2.1 network are xboxs
18:10 < RadarG> the server has 3 lans behind it
18:10 < Bushmills> concept of gateway and routing is not machine brand or model specific
18:11 < RadarG> the problem is that I'm trying to use the method located here http://zerina.de/zerina/?q=documentation/extended-howto-net2net
18:11 < vpnHelper> Title: HOWTO net2net (extended version) | ZERINA - OpenVPN for IPCops (at zerina.de)
18:12 < Bushmills> if that is the problem, don't use it.
18:12 < RadarG> it's used to connect two ipcop firewalls what's confusing me is that I have two server config files
18:13 < RadarG> http://pastebin.com/m66131fd4 server config
18:14 < RadarG> http://pastebin.com/m1fb719e2 link config
18:14 < Bushmills> you asked for a way to break down the problem. here is one: don't think of 5 clients. think of one client. get that one configured so it routes over vpn client over vpn over vpn server as gateway to world.
18:14 < Bushmills> (once that works, same method will work for the remaining 4 clients too)
18:16 < Bushmills> since your vpn seems to be in operation already, the remaining configuration should be a bit of routing (clients), and a bit of setting up NAT (on server)
18:17 < RadarG> nat is setup on the server and rules are forwarded I can start the link and it connects and shows good on my firewall gui.
18:18 < RadarG> one issue I had is that thedoc wanted me to flush my iptables that's not an option. I don't want to spend hours redoing all of my rules
18:18 < RadarG> iroute should reduce the need to flush out the iptables right?
18:20 < RadarG> or breaking the mods on my firewall
18:20 < Bushmills> you need NAT. flushing iptables you'd do to prevent a firewall from keeping whatever you are trying to get working from working, by eliminating a potential problem cause.
18:21 < Bushmills> (and setting table policies)
18:21 < Bushmills> (if needed)
18:21 < RadarG> but is such a step needed when I can complete the link? I just can't ping the remote
18:22 < Bushmills> if your NAT works, and you can connect to world, you don't need to flush them. if it doesn't, and you don't know what is wrong, you might want to flush them, so the rules are not what keeps your setup from working
18:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
18:23 < RadarG> well I'll use it as a last resort if you don't
18:23 < RadarG> mind
18:23 < Bushmills> no, i don't
18:23 < RadarG> which end would you like to start checking the server end or the client?
18:24 < Bushmills> since you say that you have setup NAT already, you probably want to test it
18:25 < Bushmills> unless you haven't done so already
18:26 < RadarG> how can we test. When using the xboxs the network tests said that I had a moderate NAT setup. I have to forward the ports to get xbox live to work properly
18:26 < Bushmills> mtr or traceroute on vpn client
18:26 < RadarG> mtr? what's that?
18:27 < Bushmills> http://en.wikipedia.org/wiki/MTR_(Software)
18:27 < RadarG> the last tracert I did was done on both sides when I ran the command the trace went outside of my wan and failed it didn't go across the link
18:28 < Bushmills> well, fix that
18:28 < RadarG> ok how
18:28 < Bushmills> set up a route through vpn
18:29 < RadarG> is that using iroute
18:29 < Bushmills> that's something you tell the OS, not openvpn
18:30 < RadarG> this involves using the route command right
18:30 < RadarG> http://pastebin.com/m1fb719e2 server route
18:30 < Bushmills> depends. either that, or tell openvpn to call on OS route command when it connects
18:30 < RadarG> shoot wrong one
18:32 < RadarG> like this http://pastebin.com/d6ce5056d
18:33 < Bushmills> !redirect
18:33 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:34 < Bushmills> !def1
18:34 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:36 < RadarG> so I would put this entry in my server or my client
18:36 < RadarG> !man
18:36 < vpnHelper> RadarG: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:37 < Bushmills> client side.
18:39 < RadarG> it doesn't give an example
18:39 < RadarG> do I just put "redirect-gateway" in there
18:40 -!- brizly [n=brizly_v@p4FC9A5B7.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
18:41 < Bushmills> better with def1, for testing (and in case your client doesn't come up with a default gateway already)
18:41 -!- brizly [n=brizly_v@p4FC997F9.dip0.t-ipconnect.de] has joined ##openvpn
18:41 < RadarG> ok def1 at the bottom of my client conf
18:42 < RadarG> done
18:42 < Bushmills> !def1
18:42 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:42 < Bushmills> read
18:44 < RadarG> I don't understand this part 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0
18:44 < RadarG> i put this in the client config "redirect-gateway def1"
18:44 < Bushmills> yes
18:45 < Bushmills> then connect, and look at route
18:45 < RadarG> on the windows side using "route print"
18:46 < RadarG> the gui is staying yellow
18:46 < Bushmills> if you are satisfied that traffic goes through vpn, try mtr or traceroute
18:47 < RadarG> http://pastebin.com/m47bc5b7 client vista route
18:49 < RadarG> do I need to setup a persistent route on the client connecting the tun
18:51 < Bushmills> redirect is supposed to do that
18:54 < RadarG> it's not even connecting now
18:54 -!- jeiworth [n=jeiworth@189.234.80.58] has quit ["No Ping reply in 90 seconds."]
18:55 -!- jeiworth [n=jeiworth@189.234.80.58] has joined ##openvpn
18:55 < Douglas> http://www.newegg.com/Product/Product.aspx?Item=N82E16820609475
18:55 < Douglas> fk
18:55 < vpnHelper> Title: Newegg.com - SUPER TALENT Pico Mini 16GB USB2.0 Flash Drive Black Model STU16GMAK - USB Flash Drives (at www.newegg.com)
18:55 < Douglas> i got one of those
18:55 < Douglas> those are awesome.
19:02 < RadarG> Bushmills here is the client config http://pastebin.com/d270579f0
19:04 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has quit [Read error: 60 (Operation timed out)]
19:04 < RadarG> i think i might have found a problem with the client config did you see the route entry?
19:06 < RadarG> should that route line read "route 192.168.2.0 255.255.255.0"
19:06 < ecrist> bitches
19:07 < Douglas> ericccccccc
19:07 < ecrist> I got one of those: http://www.usshootingacademy.com/onlineProducts/Glock22.jpg
19:08 < ecrist> *actually*, this one
19:08 < ecrist> http://www.impactguns.com/store/media/glock/glock_22_RTF.jpg
19:09 * ecrist figures Douglas was linking random shit, so he would, too.
19:09 < ecrist> Douglas: :P
19:09 < RadarG> Bushmills that client config had 192.168.0.0. 192.168.0.1 was one of the networks behind my server but I changed it to 4.1
19:10 < RadarG> now since I'm wanting 2.1 network to pass it should be 192.168.2.0 right?
19:10 < Bushmills> you should be able to drop that route statement for now completely
19:10 -!- jeiworth [n=jeiworth@189.234.80.58] has quit [Operation timed out]
19:11 < RadarG> hmm I'll comment it out and restart the link
19:11 < Douglas> hmm
19:12 < Douglas> ecrist: guns are the shit
19:12 < Douglas> i never understood how people make guns stand like that though
19:12 < Douglas> they always toppled when i tried it
19:14 < RadarG> Bushmills it's not connecting I'm getting a lot of UDPv4 reads and writes but the GUI is still yellow
19:21 < ecrist> Douglas: screw magazine down to the table and insert back into gun.
19:23 < RadarG> Bushmills I just checked the logs on the server and I'm getting "TLS_ERROR: BIO read tls_read_plaintext error"
19:33 < RadarG> here is the server log http://pastebin.com/d6f899a64
19:34 < Douglas> ecrist: true story
19:38 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
19:45 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
19:46 < kc8pxy> i saw someplace that you can drop all udp packets that don't have ta.key on them.. what is the iptables syntax for that?
20:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:48 < NfNitLoop> w /wc
20:48 < NfNitLoop> durr.
20:48 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has left ##openvpn []
20:52 -!- master_of_master [i=master_o@p549D3D98.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
20:56 -!- master_of_master [i=master_o@p549D608A.dip.t-dialin.net] has joined ##openvpn
21:03 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
21:05 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
21:25 -!- RadarG1 [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
21:25 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
21:38 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)]
21:40 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
21:53 < RadarG1> .
21:54 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
21:54 -!- [1]anwoke is now known as anwoke
21:59 < solvik> !redirect
21:59 < vpnHelper> solvik: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:00 < solvik> in order to use the internet connection of the server, i have to use --redirect-gateway in the openvpn config ?
22:00 < solvik> !def1
22:00 < vpnHelper> solvik: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:01 < ecrist> solvik: yes
22:01 < solvik> no need to do server-bridge etc.. ,
22:01 < solvik> ?
22:06 -!- RadarG1 [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit []
22:26 -!- djMax [n=chatzill@66.92.91.132] has quit ["ChatZilla 0.9.85 [Firefox 3.5.1/20090715094852]"]
22:27 < kc8pxy> i saw someplace that you can drop all udp packets that don't have ta.key on them.. what is the iptables syntax for that?
22:32 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn
22:33 < ecrist> solvik: no need to bridge or anything
22:34 < anwoke> question
22:34 < anwoke> with the windows gui, how do I set it up so I can have multiple vpn configs for different networks?
22:38 < RadarG> Bushmills are you there?
22:55 < RadarG> Can one of you guys please try to help me understand why my link isn't working I tried removing the redirect-gateway def1 from my client config but it's still not connecting the client config is located here Could someone please review it? http://pastebin.com/d35b37b01
23:10 < thedoc> Blah.
23:10 < thedoc> My entire biological clock is fucked at the moment
23:11 < thedoc> Sleeping at 6am, waking at 11.
23:11 < thedoc> kc8pxy, That might be HMAC I believe.
23:16 < RadarG> thedoc can you help me fix my dns and gateway setting on my client?
23:17 < thedoc> RadarG, What's the problem?
23:22 < RadarG> i don't think that my client is getting the right dns and gateway addresses. It can't connect but the log looks fine the client log is here http://pastebin.com/d3b8945ae and my client config is here http://pastebin.com/d228fb1f3
23:23 < RadarG> thank you
23:29 < ecrist> paypal's API is actually pretty slick.
23:42 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has joined ##openvpn
23:44 < thedoc> RadarG, You aren't able to connect?
23:44 < Vakz> Good morning everyone! I'm having some trouble setting up my OpenVPN server (first time i'm trying). I have no problem connecting to it, and i have a friend connecting to it over the internet without any errors. Problem is though that no traffic is going through it (as in he keeps his regular IP). Any ideas what could be the problem?
23:45 < thedoc> Vakz, Which platform is your friend on?
23:45 < Vakz> Windows. Both of us are
23:45 < thedoc> Look into push-default-gateway
23:45 < thedoc> Vakz, WinVista/7 for him?
23:45 < Vakz> Vista
23:46 < Vakz> push "redirect-gateway def1" i suppose is the right one? tried it before, didn't make any difference, i'm afraid
23:47 < RadarG> thedoc it stays yellow
23:48 < thedoc> RadarG, What's the output of that window?
23:49 < RadarG> thedoc on the vista box
23:49 < thedoc> Sorry folks, gotta jet. Some real life stuff coming up.
23:49 < thedoc> RadarG, Here's a hint. Run it as administrator.
23:49 < Vakz> when we tried OpenVPN-AS (i used to have linux on my server, but installed W Server 2008 a few days ago) it worked as long as he started OpenVPN as administrator. But since he now starts it by right-clicking the client.ovpn (as was suggested in the howto), how does he start it as administrator?
23:51 < RadarG> thedoc I am running it as administrator
23:55 < RadarG> does my client config look ok?
23:58 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
23:59 < RadarG> :(
--- Day changed Sat Aug 01 2009
00:00 < Vakz> hmm
00:00 < RadarG> Can someone please look at my client config and help me fix it.
00:00 < Vakz> i'm getting this error: Warning: route gateway is not reachable on any active network adapters: 10.8.0.5
00:06 < RadarG> I'm looking at the ifconfig tun0 on my server and I'm seeing two entries inet addr:10.251.62.1 & P-t-P:10.251.62.2 can someone explain the difference. Is 10.251.62.1 supposed to be my gateway on the vista box?
00:19 -!- superdave888 [n=superdav@c-98-207-209-220.hsd1.ca.comcast.net] has quit ["Ex-Chat"]
00:19 < RadarG> there has to be something that I'm missing
00:21 < Vakz> what's the problem you're getting, RadarG?
00:22 < RadarG> well my client will not connect to my server 00:23 < RadarG> I have been bashing my head in for days without any luck 00:24 < RadarG> here is my client config http://pastebin.com/d228fb1f3 00:27 < RadarG> that and I using an IPCOP OpenVPN app (Zerina) and it confussing trying to get the setup to work. I have three LANs behind the sever and I'm trying to run one of the lans over the VPN 00:28 < RadarG> hell at this point I'll be happy if I can get anything over the link 00:32 < RadarG> I have been using this http://www.zerina.de/zerina/?q=documentation/extended-howto-net2net 00:32 < vpnHelper> Title: HOWTO net2net (extended version) | ZERINA - OpenVPN for IPCops (at www.zerina.de) 00:35 < RadarG> does my client config look right? 00:44 < RadarG> I;m looking in the GUI and I'm seeing UDPv4 reads and writes 00:45 < RadarG> and than I get alot of writes to the server and than it fails TLS error 00:47 < RadarG> I am seeing a "VERIFY SCRIPT ERROR: depth=0, /C=US/ST=IN/O=RadarG/OU=None/CN=xxx" 00:57 -!- rawDawg [n=rawDawg@cpe-76-188-4-240.neo.res.rr.com] has joined ##openvpn 00:58 < RadarG> Here is my server.conf from my http://pastebin.com/m2c769f28 01:00 < RadarG> sorry thats a link config 01:03 -!- rawDawg [n=rawDawg@cpe-76-188-4-240.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 01:04 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [] 01:11 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:45 -!- Vakz_ [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has joined ##openvpn 01:46 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has quit [Read error: 54 (Connection reset by peer)] 01:46 -!- Vakz_ is now known as Vakz 01:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 02:38 
-!- kyrix [n=ashley@188-23-69-166.adsl.highway.telekom.at] has joined ##openvpn 02:41 -!- c64zottel [n=hans@p5B17BF94.dip0.t-ipconnect.de] has joined ##openvpn 02:42 -!- c64zottel [n=hans@p5B17BF94.dip0.t-ipconnect.de] has left ##openvpn [] 03:15 -!- kyrix [n=ashley@188-23-69-166.adsl.highway.telekom.at] has quit [Read error: 113 (No route to host)] 03:22 -!- kyrix [n=ashley@188-23-69-166.adsl.highway.telekom.at] has joined ##openvpn 03:49 -!- stephenh_ [i=stephenh@69.30.200.88] has joined ##openvpn 04:01 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)] 04:03 -!- kyrix [n=ashley@188-23-69-166.adsl.highway.telekom.at] has quit ["Leaving"] 04:42 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 05:18 -!- c64zotte1 [n=hans@p5B178F4E.dip0.t-ipconnect.de] has joined ##openvpn 05:32 -!- c64zotte1 [n=hans@p5B178F4E.dip0.t-ipconnect.de] has left ##openvpn [] 05:39 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 05:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:50 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:17 -!- linagee [n=jalton@about/linux/staff/linagee] has quit [Read error: 54 (Connection reset by peer)] 06:20 -!- Rossatom [n=atom@62.68.142.97] has joined ##openvpn 06:22 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 06:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 06:28 -!- brizly1 [n=brizly_v@p4FC98DEF.dip0.t-ipconnect.de] has joined ##openvpn 06:36 -!- brizly [n=brizly_v@p4FC997F9.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 07:16 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has joined ##openvpn 07:45 < eoch> anyone using openvpn on a windows server cluster as a clustered service? 
07:49 < Douglas> ut oh 07:49 < Douglas> airport evac 07:50 < Douglas> http://www.cnn.com/2009/US/08/01/new.york.airport.evacuated/index.html 07:50 < vpnHelper> Title: Flights halted, terminal evacuated at LaGuardia Airport - CNN.com (at www.cnn.com) 08:46 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 08:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 08:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 09:32 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 10:11 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 10:45 < Vakz> should the TAP OpenVPN creates be Local Only or internet? 11:22 < Bushmills> pardon? 11:24 < kc8pxy> any veterans here?? i have question about ta.key and udp filtering. it's mentioned in the sample config, but no details given. 11:32 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 11:43 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 11:48 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 11:48 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 12:03 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 12:05 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has quit [Read error: 60 (Operation timed out)] 12:11 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has joined ##openvpn 12:21 -!- Rossatom [n=atom@62.68.142.97] has quit [Client Quit] 12:45 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 12:53 -!- Opv [n=navin@200.2.186.207] has joined ##openvpn 12:56 -!- Opv [n=navin@200.2.186.207] has quit [Client Quit] 13:08 < RadarG> !redirect 13:31 < RadarG> this problem ticks me off 13:48 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 14:00 -!- 
RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 14:00 -!- eoch [n=eoch@64-126-117-142.dyn.everestkc.net] has quit ["KVIrc Insomnia 4.0.0, revision: , sources date: 20090115, built on: 2009/03/07 00:45:02 UTC http://www.kvirc.net/"] 14:07 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 14:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:40 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 14:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 15:25 < b0nn> !howto 15:25 < vpnHelper> b0nn: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:25 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 15:28 < b0nn> hmm 15:28 < b0nn> can someone explain to me the significance of tun0? 15:29 -!- TbbW [n=wolf@c-2404e255.138-502-64736c11.cust.bredbandsbolaget.se] has left ##openvpn [] 15:34 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn 15:53 < Bushmills> b0nn, http://en.wikipedia.org/wiki/TUN/TAP 15:53 < vpnHelper> Title: TUN/TAP - Wikipedia, the free encyclopedia (at en.wikipedia.org) 16:02 < b0nn> Bushmills: Excellent, thanks, I feel foolish for not looking it up before asking :) 16:27 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 16:41 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 16:52 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn 16:56 < CRASH69> may someone give me a hand with this? 
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=330779#330779 17:01 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn 17:03 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"] 17:13 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 113 (No route to host)] 17:28 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 17:28 < RadarG> !topology 17:28 < vpnHelper> RadarG: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 17:40 < RadarG> ok I reverted to an old client config but when I start it up I get an error that says reqested address is not valid in its context. whats this mean? 17:48 < b0nn> I am /trying/ to follow this: http://wiki.debian.org/HowTo/openvpn, but am not sure how ifconfig 10.9.8.1 10.9.8.2 these ips are determined 17:48 < b0nn> do I use the ips of my eth1, or wlan0, or new range of ips for the tun0? 17:51 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn 18:00 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has quit ["Ex-Chat"] 18:33 -!- YpsyZNC is now known as Ypsy 18:51 < RadarG> ok guys I went in and nuked my server and client and rebuilt it. I have a green light on my client but I can not do a tracert from the client to the my workstation in Asia. Do I need to put a route on the vista box? 18:58 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 19:01 -!- antiwire [n=antiwire@unaffiliated/antiwire] has joined ##openvpn 19:02 < RadarG> ok i need help configuring my client for a route coneciton 19:03 < antiwire> Hey, I'm a little confused about the next steps in a bridged type of setup. I have my server and client connected already but I'm not sure where I assign addresses on the client. 
Do I actually assign an address to the tap0 interface? 19:04 < RadarG> Here is a link to my working client config http://pastebin.com/d70982c97 19:05 < RadarG> I think you can assigned the ips of the clients in the client config if I'm not mistaken 19:05 < antiwire> Does the client require bridging too ans if so, what gets bridged on the client side? 19:05 < antiwire> ans/and 19:06 < b0nn> hmm 19:06 < b0nn> I need a clear guide to follow 19:07 < RadarG> good luck I'm still figuring it out 19:07 < b0nn> I want to have an openvpn server on a box with a wifi ethernet capability 19:07 < b0nn> RadarG: :) 19:07 < RadarG> I read a good article on how to setup dd-wrts to use openvpn 19:07 < b0nn> I want openvpn clients to have to login before their traffic can be routed 19:07 < b0nn> dd-wrts? 19:08 < RadarG> hacked linksys routers 19:08 < b0nn> http://www.dd-wrt.com/wiki/index.php/OpenVPN? 19:08 < vpnHelper> Title: OpenVPN - DD-WRT Wiki (at www.dd-wrt.com) 19:08 < RadarG> yeap 19:09 < RadarG> I have seen them do both openvn and a portal setup. I'm sure its possible to set on up to do both 19:10 < RadarG> here is a link to the dd-wrt openvpn server and client setup http://www.geek-pages.com/articles/latest/openvpn_server_and_client_on_dd-wrt.html 19:10 < vpnHelper> Title: OpenVPN server and client on DD-WRT - Geek Pages -- Information on how to do geeky things... (at www.geek-pages.com) 19:12 < RadarG> I know you can use a radius server with openvpn though. That would give you your logon 19:13 < RadarG> there is alot of different ways that you can do want your wanting. The hardpart will be trying to get it into one box 19:13 < b0nn> yeah 19:13 < b0nn> I saw that a proxy can be used as well 19:14 < antiwire> I have my server and clients connected in bridged mode but I'm not exactly sure how the client is supposed to be setup. My server had a bridge setup with eth1 dedicated to openvpn. 
eth1 and tap0 are bound to br0 and br0 has an IP that corresponds to the actual LAN that the server is on. tap0 and eth1 have no addresses bound to them. 19:14 < antiwire> in my client I have no bridge setup right now. 19:23 < b0nn> oh, client certificates seem to be for authentication 19:25 < b0nn> http://hackertarget.com/2009/07/guide-to-openvpn-on-ubuntu-904-jaunty-jackalope/ 19:25 < vpnHelper> Title: Guide to OpenVPN on Ubuntu 904 Jaunty Jackalope | hackertarget.com - online security vulnerability scanning service and consulting (at hackertarget.com) 19:27 < RadarG> can someone help me add a route to my client 19:28 < b0nn> what OS? 19:28 < RadarG> Vista 19:28 < b0nn> lol, I've never used vista 19:29 < RadarG> I have my link green I just need to figre out how to get traffic across it 19:29 < RadarG> ecrist are you there? 19:29 < b0nn> there's ample hits on google for that sort of thing, I presume you've looked and tried those? 19:30 < RadarG> I have read a couple but I have a custom config 19:30 < b0nn> oh 19:31 < b0nn> hmm 19:31 < b0nn> fuck it 19:32 < b0nn> I'm just going to ssh -N -L 19:32 < b0nn> or not 19:32 < RadarG> I think its supose to be "route 10.111.20.0 255.255.255.0 192.168.1.2" 19:33 < RadarG> or is it "route 10.111.20.2 255.255.255.0 192.168.1.2" 19:33 < RadarG> I'm lost 19:37 < RadarG> Can please help me to setup this route? 19:42 < RadarG> ok I added that route command to my client config how do I check to see if its good? 19:43 < b0nn> n# /etc/init.d/openvpn start 19:43 < b0nn> Starting virtual private network daemon: openvpn failed! 19:44 < b0nn> RadarG: ping and tracert? 19:44 < RadarG> no good 19:45 < b0nn> heh 19:45 < b0nn> how do I troubleshoot this 19:45 < b0nn> Starting virtual private network daemon: openvpn failed! 
19:46 < b0nn> meh, fixed it 19:46 < b0nn> used /usr/sbin/openvpn instead of /etc/init.d/openvpn start 19:48 < RadarG> can you ping your clent 19:49 < b0nn> nah 19:50 < b0nn> the client is complaining about something 19:50 < b0nn> Footer text not found in file 'static.key' 19:50 < RadarG> never heard of that one 19:55 < RadarG> these routes on the vista client is confussing me. I think that I can setup a route to send the tun to the 192.168.1.2 gateway but how do I set it up so when someone pings 192.168.4.1 from the client that it goes down the tun 19:59 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has quit [Read error: 60 (Operation timed out)] 19:59 < RadarG> can someone explain what a metric is when refering to routing? 20:05 -!- b0nn [n=shane@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn 20:05 < b0nn> woops :D 20:12 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has joined ##openvpn 20:13 < Darkclaw66> I have openvpn running and I have a question. If I want to encrpyt all web (port 80 and 443) acccess, how can I enstruct the browser to go through the vpn? 20:16 < RadarG> The VPN at my work uses a proxy I think you would need a proxy on the other end 20:16 -!- c64zottel [n=hans@p5B17AE16.dip0.t-ipconnect.de] has joined ##openvpn 20:19 < RadarG> can someone tell me what is wrong with this command Im trying to add the route on my vista client "route ADD 10.111.20.2 MASK 255.255.255.0 192.168.1.2 METRIC 276 IF 2" 20:19 < antiwire> RadarG: what is the shell tell you when you try to run that? 20:19 -!- c64zottel [n=hans@p5B17AE16.dip0.t-ipconnect.de] has left ##openvpn [] 20:21 < Darkclaw66> can I use openvpn to encrpyt all web (80,443) activity? 20:22 -!- b0nn_ [n=this@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn 20:22 < b0nn_> right, I can ping my tun0 over the wifi 20:22 < b0nn_> And the client connects to the tunnel 20:23 < b0nn_> so 20:23 < b0nn_> now what do I do? 
20:23 < b0nn_> I want /all/ traffic from the client to use the tunnel, and then be forwarded appropriately 20:26 -!- b0nn [n=shane@203-109-245-158.static.bliink.ihug.co.nz] has quit [Read error: 104 (Connection reset by peer)] 20:26 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 20:33 < Darkclaw66> what do you guys think about using a socks5 behind a vpn to encrpyt all web activity? 20:39 < Darkclaw66> im sure someone in here knows 20:49 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn 20:52 -!- antiwire [n=antiwire@unaffiliated/antiwire] has quit ["You make your own luck in life."] 20:55 < b0nn_> w00t it works! 20:55 < b0nn_> I has openvpn encrypting my traffic over wifi 20:56 < b0nn_> and iptables is routing the traffic from tun0 -> world 20:56 < b0nn_> exactly what I desired 20:58 -!- antiwire [n=antiwire@unaffiliated/antiwire] has joined ##openvpn 20:58 < antiwire> i freaking got it 20:59 < antiwire> bridged setup working over the internet now 21:08 -!- master_of_master [i=master_o@p549D608A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:08 < antiwire> there isn't a sane way, short of proxying, to make the clients use the gateway on the other end of the VPN so that internet traffic can go through the VPN and out the remote network...As I see it, doing that would effectively kill the VPN 21:10 < antiwire> I suppose I would run proxy software on the VPN server and then setup the clients to just use that 21:11 -!- master_of_master [i=master_o@p549D64F4.dip.t-dialin.net] has joined ##openvpn 21:11 < antiwire> I think I am answering my own question right there 21:12 -!- Ypsy is now known as YpsyZNC 21:13 -!- antiwire [n=antiwire@unaffiliated/antiwire] has left ##openvpn ["☯"] 21:14 < b0nn_> I used iptables to do that 21:40 -!- martian67 [n=martian6@about/linux/regular/martian67] has joined ##openvpn 21:41 < martian67> can i set up an ipv6 
listner? 21:41 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 21:42 < RadarG> b0nn_ I got dropped off did your problem get resolved? 21:44 < martian67> is it possible set up an ipv6 listner (tunnel endpoint)? 21:56 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [] 21:57 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has joined ##openvpn 21:58 -!- RadarG [n=nightwol@pool-72-69-243-24.chi01.dsl-w.verizon.net] has quit [Client Quit] 22:00 < ecrist> I am here. 22:08 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [] 22:12 -!- b0nn_ [n=this@203-109-245-158.static.bliink.ihug.co.nz] has quit [Read error: 110 (Connection timed out)] 22:13 -!- Rossatom [n=atom@62.68.142.97] has joined ##openvpn 22:19 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn 22:22 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 22:22 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn 22:23 < Darkclaw66> what do you guys think about using a socks5 behind a vpn to encrpyt all web activity? 22:33 < b0nn> Isnt all activity over the vpn encrypted via ssl? 22:36 -!- kc8pxy_ [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 22:51 -!- CRASH69 [n=crash@201.200.94.66] has left ##openvpn [] 23:14 -!- lampliter [n=esj@harvee.org] has joined ##openvpn 23:19 < lampliter> having a problem with DNS and open VPN 23:19 < lampliter> Windows 7, open VPN 2.1_RC 19 23:19 < lampliter> I can resolve names on the far side of the network but if the VPN is up, I cannot resolve anything locally 23:21 < lampliter> had the same problem on linux in that if the first name server received an nxdomain then searching ceased. The interim solution was to use dnsmasq to route DNS requests based on the domain. What's a reasonable solution in the Windows world? 
--- Day changed Sun Aug 02 2009 00:13 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 00:15 < anwoke> hey guys, why can't we access any of the windows shared directories via the vpn, we can access the linux shares just fine, but we can't access any of the windows shared directories 00:17 < lampliter> it's a broadcast problem 00:17 < anwoke> any idea as to how we fix it? 00:18 < anwoke> all of the systems that are wired into the network can access them just fine 00:18 < lampliter> I think it's in my configuration file 00:19 < lampliter> now, it's not there on this machine. I think you need to change the server to tell it the address of your wins server 00:20 < lampliter> I'm a little tired. I've spent the past 12 hours converting from linux to w7 00:20 -!- Rossatomm [n=atom@62.68.142.97] has joined ##openvpn 00:21 < anwoke> lampliter, and that should do the trick? 00:22 < lampliter> if my memory is correct, then it should. If you tell it the address of your wins server then the clients will know to go there for name resolution 00:23 < lampliter> I would go a look but my system configuration leaves a bit to be desired 00:23 < lampliter> I've just gotten speech recognition working again and I'm discovering all sorts of messed up crap with Windows 7 and USB devices 00:23 < lampliter> for example, my speech recognition microphone now has two USB profiles. Why? Beats the hell out of me. It just does 00:24 < lampliter> but I must say, it is significantly better than XP 00:24 < lampliter> sorry. I'm tired and cranky. 00:27 < anwoke> know the feeling 00:27 < lampliter> yet. It's been made significantly worse by a very persistent lack of consulting opportunities 00:29 < lampliter> it's annoying. You build a good customer base of happy customers and then some event happens and poof, they all vanish 00:31 < Darkclaw66> what do you guys think about using a socks5 behind a vpn to encrpyt all web activity? 00:31 < lampliter> anyway, hope that hint helps. 
Another one might be the option which is something like dfln or some sort of similar abbreviation. It does nasty things to routing over the local network to the Internet but, it may be a place to start 00:32 < lampliter> I don't really understand what you're trying to accomplish 00:33 < Darkclaw66> ? 00:33 < lampliter> yes. Why try to encrypt all Web traffic via Socks five proxy 00:33 < Darkclaw66> how else will the browser know? 00:34 < lampliter> sorry. I'm probably just really tired but it's not make in a sense to me. The VPN encryption traffic, if you are directing all traffic over the VPN then why go further? 00:35 < Darkclaw66> cause its the Internet 00:35 < Darkclaw66> the end point is not the server 00:36 < lampliter> say what all Internet traffic to go over the VPN to the Sox five proxy and back out to the Internet? Or Internet traffic is handled locally via the Sox five proxy? 00:42 -!- |ns|nR8 [n=doof@CPE-144-131-71-66.nsw.bigpond.net.au] has joined ##openvpn 00:48 < anwoke> got wins up and running but still can't access windows shares 00:49 < lampliter> hmm 00:51 -!- martian67 [n=martian6@about/linux/regular/martian67] has left ##openvpn ["out"] 00:51 < anwoke> I can ping teh servers just fine 00:51 < anwoke> just can't access the shares 00:51 -!- thedoc [n=andelyx@bb116-15-27-66.singnet.com.sg] has joined ##openvpn 00:52 < lampliter> got wireshark? 00:52 < anwoke> yeah 00:52 < lampliter> do a little packet sniffing and see if it's broadcasting. My guess is that's the problem 00:53 < anwoke> it should be broadcasting because systems wired into the network can connect to the file shares just fine 00:53 < lampliter> ok 00:54 < anwoke> but going to sniff anyways 00:54 < lampliter> is this a problem of browsing? 
00:54 < anwoke> yeah 00:54 < anwoke> can't connect/browse file shares 00:54 < anwoke> on windows based file servers 00:54 < lampliter> ok, just confirming 00:54 < anwoke> linux servers are fine 00:56 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 00:57 < lampliter> everything in my memory and what I've been able to find on the net says that the remote clients are not finding the Windows name server (not DNS) 00:58 < lampliter> can you open a Windows file server share via something like \\servername\sharename 00:58 < lampliter> ie \\bob\sw 00:58 < lampliter> http://unknownegg.org/tech/index.htm 00:58 < lampliter> is a good resource 00:59 < anwoke> wired in with my laptop I can, if I disconnect and leave the office and connect to the office network via vpn, I can't 01:00 < thedoc_> anwoke, Have you tried using the ip instead of the net bios name? 01:00 < anwoke> yep even with the ip i can't 01:01 < anwoke> but i can ping the server and remote into it just fine via vpn 01:02 < anwoke> keeps saying network path not found 01:03 < lampliter> sorry. 
really must sleep 01:03 < anwoke> not a problem 01:07 -!- |ns|nR8 [n=doof@CPE-144-131-71-66.nsw.bigpond.net.au] has quit ["Leaving"] 01:09 < anwoke> any ideas as to why I can't access the file shares using the ip address either 01:11 -!- thedoc [n=andelyx@bb116-15-27-66.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 01:11 -!- toehio [n=toehio@dyn.83-228-168-104.dsl.vtx.ch] has quit [Connection timed out] 01:13 -!- toehio [n=toehio@dyn.144-85-143-180.dsl.vtx.ch] has joined ##openvpn 01:23 -!- Rossatomm [n=atom@62.68.142.97] has quit [Client Quit] 01:39 -!- Vakz [n=Vakz@90-224-164-17-no123.tbcn.telia.com] has quit [Read error: 54 (Connection reset by peer)] 01:46 -!- lampliter [n=esj@harvee.org] has quit ["Leaving."] 01:57 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 02:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:24 -!- Rossatom [n=atom@62.68.142.97] has quit [Client Quit] 02:24 -!- toehio [n=toehio@dyn.144-85-143-180.dsl.vtx.ch] has quit [Network is unreachable] 02:25 -!- toehio [n=toehio@dyn.83-228-223-070.dsl.vtx.ch] has joined ##openvpn 02:26 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 02:39 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 04:44 < b0nn> hmm 04:45 < b0nn> I broke my openvpn 04:46 < b0nn> my traffic is going to the openvpn server 04:46 < b0nn> but it's not going back 04:46 < b0nn> I thought it might be firewall related, so flushed the firewall, to no avail 04:46 < b0nn> any ideas? 04:48 < Bushmills> b0nn, traceroute on server to client, look where it wants to go 04:50 < b0nn> hmm, looks like a configuration error in the route settings 04:52 < b0nn> 21:52:06.158892 IP 192.168.1.1 > 192.168.1.2: ICMP 192.168.1.1 udp port openvpnunreachable, length 160 04:52 < b0nn> 192.168.1.1 is the server 04:55 < b0nn> does tun0 need to be added to the route? 
04:55 < Bushmills> any interface where packets are supposed to be routed to needs to be added to the route 04:57 < Bushmills> but openvpn takes care of its own virtual net by adding routes to the corresponding interfaces. so the routes should be there 04:57 < b0nn> yeah 04:57 < b0nn> openvpn on the server was down 04:57 < b0nn> not sure why, investigating that now 04:58 < b0nn> Starting virtual private network daemon: openvpnAlready running (PID file exists) failed 04:58 < b0nn> here i the lockfile ? 04:59 < Bushmills> /var/run probably 05:01 < b0nn> perfect 05:01 < b0nn> I'm alive again 05:07 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Nick collision from services.] 06:19 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 06:20 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 06:21 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn 06:42 -!- brizly1 [n=brizly_v@p4FC98DEF.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:44 -!- brizly [n=brizly_v@p4FC98EBA.dip0.t-ipconnect.de] has joined ##openvpn 07:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:47 -!- chaot_s_ [n=Chaot_s@d54C0C5DB.access.telenet.be] has joined ##openvpn 07:52 < chaot_s_> Hi all, can someone help me with an awnser on the following question??? : i have a server connected @ 100Mbit internet on location A its mesured down and upstream is 9.6Mb/s up and 10.1Mb/s Down. its running openvpn in dev tun. linked to location B. on location B i have 25Mbit down / 2Mbit Up. measured 2.1Mb/s Down and 190Kb/s up. when transfering a file from loacation A to B i only get speeds around 500Kb/s. 
i would expect to get at least 07:55 < chaot_s_> the serverspecs are location A CenTOS 5.3 on an AMD1000Mhz 1Gb Ramm location B CenTOS 5.3 2x intel PIII@ 1000Mhz 2Gb ramm 07:57 < chaot_s_> thnx in advance :) 08:03 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)] 08:11 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit [Read error: 110 (Connection timed out)] 08:41 < Douglas> chaot_s_: what speeds do you get inbetween w/o vpn? 08:42 < chaot_s_> downloading files from apache runs @ 2.1Mb/s 08:44 < chaot_s_> the overal load on the server is near 0, transfering via FTP or http runs smooth @ location B's max download speed. 08:46 < chaot_s_> and that is with location A as hosting / source location of course :) 08:58 < chaot_s_> Douglas : is that the awnser you wanted ? 09:24 -!- c64zottel [n=hans@p5B17AE16.dip0.t-ipconnect.de] has joined ##openvpn 09:26 -!- c64zottel [n=hans@p5B17AE16.dip0.t-ipconnect.de] has left ##openvpn [] 09:26 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has joined ##openvpn 09:33 < lizone> I've installed openvpn onto my machine (lenny) and wanted to use socks server with it. It seems it's not installed yet my sshd uses it -- how come? could someone explain it to me? 09:35 < lizone> so, the thing is, I've installed socks server (dante-server package) but the question remains: how come the sshd on my system was able to pull it off without a socks proxy server? 09:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 09:43 < Douglas> Assignment: 09:43 < Douglas> Do people accomplish more when they are allowed to do things in their own way? Plan and write an essay in which you develop your point of view on this issue. Support your position with reasoning and examples taken from your reading, studies, experience, or observations. 
09:43 < Douglas> fuckkkkk 09:48 < chaot_s_> lol @ Douglas 09:48 < Douglas> im supposed to write 10 pages on that wtf 09:48 < Douglas> you can only bullshit so far.. damn 09:49 < chaot_s_> seems point off useless to mee indeed... 09:49 < chaot_s_> why would someone make an assignment out of somthing like that.. 09:50 < Douglas> are you from the usa 09:50 < chaot_s_> nope i'm dutch / living in belguim 09:50 < Douglas> ah well, we have this test called the SAT 09:50 < Douglas> this is a "prep" thing 09:52 < chaot_s_> though if i think on the project, it may reveal some information on if someone is a teamplayer or not.... 09:53 < chaot_s_> what is the use or gain of this test? 09:53 < Douglas> college 09:53 < Douglas> http://en.wikipedia.org/wiki/SAT 09:53 < vpnHelper> Title: SAT - Wikipedia, the free encyclopedia (at en.wikipedia.org) 09:53 < chaot_s_> lol okay :P 09:54 < Douglas> if you get a certain score, most colleges will give you XX money, also need to get a certain score for admittance 09:55 < chaot_s_> on times like these i'm getting real curious on how life would be over in the usa... 09:55 < Douglas> Lo 09:55 < Douglas> l 09:58 < lizone> chaot_s: would be a lot of fun -- that I can guarantee you 09:58 < chaot_s_> my realtion is not going well... have no work because i dont have any papers or diplom's i'm said i'm good working with network stuff and computers, done loads of enorous projects... and still would like a new life 09:59 < chaot_s_> how about moving to the usa? 09:59 < chaot_s_> :) 09:59 < lizone> you would feel like at home with Obama's agenda 09:59 < lizone> no need for moving over here 09:59 < chaot_s_> sorry havent been following pollitics :) 10:00 < chaot_s_> is the agenda so bad? 10:00 < chaot_s_> lets go google :) 10:01 < lizone> you tell me; you live in Europe 10:01 < lizone> you should know better 10:02 < chaot_s_> the world doesn't seem too bad over here, and the news on tv tells bad stories, though never trust the news... 
they tend to be worse than it is...
10:04 < Douglas> there is plenty of bad in the usa
10:04 < Douglas> i.e. our president..
10:04 < Douglas> socialist fuck
10:04 * Douglas stops swearing
10:06 < chaot_s_> for work in the Netherlands or Belgium there is a big set of rules, and then companies that say there is no money for new personnel... housing is pretty expensive and mostly owned by housing companies that ask more than twice the price a government institute does...
10:07 < chaot_s_> The Hague (the political city) is useless, promising golden worlds, only messing with tax, and traffic, raising all prices and taxes and undressing the poor people... making the rich even richer....
10:09 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:09 < lizone> my point is: let people be rich and don't despise the rich
10:10 < chaot_s_> on the street when you talk about democracy it's always the same conclusion... money rules the world... making money is not allowed...
10:10 < chaot_s_> and having money seems impossible :)
10:11 < chaot_s_> I used to earn 1150 euro a month
10:11 < Douglas> :(
10:11 < Douglas> I make 600 usd a month and I work 7 days a week
10:11 < Douglas> lo
10:11 < Douglas> l
10:11 < lizone> guys, that sucks
10:11 < Douglas> well
10:11 < Douglas> I'm 16
10:11 < chaot_s_> my boss pays 2167 euro for paying me 1150 euro :)
10:11 < Douglas> so I get paid like crapppp
10:12 < lizone> OK, that explains a lot
10:12 < Douglas> my co-worker makes $700/week
10:12 < chaot_s_> almost 50% goes to the state... in taxes...
10:12 < chaot_s_> I have to pay health insurance... 114 euro a month...
10:13 < chaot_s_> 530 euro rent for the house... 2 rooms, bathroom, a toilet and a living room...
10:13 < chaot_s_> 95 euro internet, tv and telephone...
10:14 < chaot_s_> and then come the call costs... normally about 30 euro...
10:14 < lizone> chaot_s: as I remember you've said that living in Belgium is great, haven't you?
10:14 < lizone> :-))
10:16 < lizone> paying a lot of taxes on your income will never pay off -- it kills human motivation
10:16 < chaot_s_> so... 1150 -530 -114 -95 -30 leaves me with 381 euro to do the rest... like paying for a car, the fuel, the insurance of the car, the house and stuff in it...
10:16 < Douglas> ouch
10:17 < chaot_s_> and then... my boss says... a car from the office??? okay here you go :)
10:17 < chaot_s_> then there is this little nifty tax rule....
10:17 < chaot_s_> saying.... 25% of the NEW value of the car is income...
10:17 < chaot_s_> and on income... you pay tax :)
10:18 < lizone> what's the price of gasoline in Europe?
10:19 < chaot_s_> 1 liter of Euro 95 in Belgium is 1.256 euro, and in the Netherlands there is an extra tax which takes it up to 1.413 euro per liter :)
10:19 < chaot_s_> let me recalculate to translate that to gallons :)
10:19 < lizone> when you see the difference between the price in the US and Europe, you'll see how Europe is heavily taxed
10:20 < lizone> and that's what Obama wants to do over here
10:20 < chaot_s_> 1 liter = 0.26417 gallon :)
10:20 < lizone> yeah
10:21 < chaot_s_> so roughly 4 liters is 1 gallon, agreed?
10:22 < lizone> yeah
10:22 < chaot_s_> 1 gallon of Euro 95 is then 5.024 euro :)
10:22 < chaot_s_> and what is your currency?
10:22 < lizone> you got it right
10:22 < chaot_s_> us dollar I think :)
10:22 < lizone> we pay here right now 2.5 $ for a gallon
10:23 < lizone> you see the freedom we still have here :-))
10:23 < lizone> not for long though
10:23 < chaot_s_> we pay an imaginating!
7.1607072 US dollars for that gallon :)
10:24 < chaot_s_> lol
10:24 < lizone> you pay for your health care this way ;-))) plus more taxes on other products and services
10:24 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
10:25 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit [Client Quit]
10:26 < chaot_s_> 155 US dollars a month for basic health insurance :)
10:26 < chaot_s_> not even Europe coverage :)
10:26 < lizone> no
10:26 < lizone> for 155 you'll not be able to buy any insurance
10:26 < chaot_s_> that was converted from 114 euro a month in my country :)
10:27 < chaot_s_> and I have to correct the fuel price too, I was using American dollars in the first calculation :)
10:28 < chaot_s_> it's 6.80200 US dollars a gallon here :)
10:28 < chaot_s_> what do you pay for basic health insurance then?
10:28 < lizone> it is still over 6 versus 2.5
10:29 < lizone> basic full coverage for a person without preexisting condition is over 800$
10:30 < chaot_s_> car insurance here is 95 euro a month... basic, which means wreck it... or let it be wrecked by a stupid other driver... and you get say 400 euros back... buying a new one is about 1200 euros for a 12 to 14 year old car...
10:30 < chaot_s_> is that a year?
10:31 < lizone> no
10:31 < chaot_s_> or every month?
10:31 < lizone> yeah
10:31 < chaot_s_> that is really psycho high...
10:31 < chaot_s_> :S
10:31 < lizone> hahaha, it is
10:32 < lizone> that's why people complain about it all the time and that's why it is a big issue here
10:32 < chaot_s_> I can break my whatever and not pay anything more than that stupid 114 euro :)
10:32 < lizone> you may pay nothing and still be taken care of, though
10:33 < chaot_s_> that needs some explanation...
I think :)
10:33 < Douglas> hey
10:33 < Douglas> kids
10:33 < Douglas> !notopenvpn
10:33 < vpnHelper> Douglas: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
10:33 < Douglas> just kidding
10:33 < chaot_s_> lol @ Douglas
10:35 < lizone> right, that's the openvpn channel
10:35 < chaot_s_> prices in the Netherlands and Belgium keep rising... due to people getting older :) in 5 years 50+% will be over the age of 65 (which means they live without working) though get paid 70% of their last earned income...
10:36 < chaot_s_> lol my first question never got answered.
10:36 < lizone> which was?
10:36 < Darkclaw66> what do you guys think about using a socks5 behind a vpn to encrypt all web activity?
10:36 < chaot_s_> I created channel howslife :)
10:37 < chaot_s_> Darkclaw66 I don't think about that... google is the friend... and I'll google something around now :)
10:37 < lizone> Darkclaw66: I think it is a good idea
10:37 < lizone> it doesn't have to be all activities
10:37 < lizone> lol
10:37 < Darkclaw66> lizone have you used socks5 before
10:38 < lizone> yeah
10:38 < Darkclaw66> every time I try to use it, it says Auth Failed and I can't fix it
10:39 < lizone> what OS do you use it on?
10:39 < Darkclaw66> freebsd
10:39 < lizone> I'm not really familiar with BSD
10:39 < lizone> I'm a debian user
10:39 < Darkclaw66> I don't think the problem is isolated to the OS
10:39 < chaot_s_> Darkclaw66: http://www.yingjenie.com/ying/linux/socks5/index.html
10:39 < vpnHelper> Title: SOCKS5 Proxy Mini-Howto (at www.yingjenie.com)
10:39 < lizone> no it's not, but could be OS specific
10:40 < Darkclaw66> already seen that chaot_s_ and the problem still remains
10:40 < chaot_s_> what is the problem then :)
10:40 < Darkclaw66> Auth Failed every time I try to use it
10:40 < chaot_s_> okay...
googling :)
10:40 < lizone> what options do you put in the client.conf
10:40 < Darkclaw66> for now I am passing everything
10:40 < chaot_s_> OS is BSD?
10:41 -!- lonebrave_ [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn
10:41 < Darkclaw66> permit - - - - - -
10:41 < lizone> what about the sockd.conf?
10:41 < Darkclaw66> that is socks5.con
10:41 < Darkclaw66> that is socks5.conf
10:41 < Darkclaw66> I don't have a sockd.conf
10:42 < lizone> you see, that's what I was talking about
10:42 < Darkclaw66> it's just a different file name, no biggie
10:43 < lizone> so what method do you use in the sockd.conf?
10:43 < Darkclaw66> I don't specify a method and the manual says if I don't then it won't check auth
10:43 < lizone> there are 3 options as far as I remember
10:44 < lizone> but then you need to run the service as nobody
10:45 < lizone> what do you have in the inetd.conf?
10:45 < lizone> or xinetd.conf?
10:45 < lizone> if such a server is on BSD
10:45 < Darkclaw66> I think the problem is isolated to socks5.conf, nothing else
10:46 < Darkclaw66> because I'm not sure why anything else would affect it unless it was a firewall issue, and I disabled the firewall and I was still having the same problem
10:46 < lizone> that's right, I'm talking about it, not about other things
10:47 * chaot_s_ cannot help in this, no knowledge about socks :)
10:47 < chaot_s_> at least not this way :)
10:47 < lizone> if you start the socks server using inetd you should have something like this: socks stream tcp nowait nobody /usr/local/etc/sockd sockd
10:47 < Darkclaw66> not using inetd
10:48 < lizone> is it a stand-alone sockd?
10:48 < Darkclaw66> yes
10:48 < lizone> so, the problem might be with permissions
10:49 < Darkclaw66> it gets run as root
10:50 < Darkclaw66> the port it was using is 1080
10:52 < lizone> all I can say to you is read methods in the configuration file
10:53 < chaot_s_> my question was: can someone help me with an answer to the following question???
: I have a server connected @ 100Mbit internet on location A; its measured down- and upstream is 9.6Mb/s up and 10.1Mb/s down. It's running openvpn in dev tun, linked to location B. On location B I have 25Mbit down / 2Mbit up, measured 2.1Mb/s down and 190Kb/s up. When transferring a file from location A to B I only get speeds around 500Kb/s. I would expect to get
10:54 < Darkclaw66> depends on the protocol you used to transfer files
10:54 < chaot_s_> lol I expected that answer :)
10:55 < chaot_s_> SMB in this case, file (avi 634MB) from a client behind location A to a client behind B :)
10:56 < Darkclaw66> yeah samba is slow, try using ftp, you'll see a big difference
10:56 < lizone> or even kermit
10:56 < lizone> is pretty good
10:57 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
10:58 < lizone> chaot_s: that speed you have, is it for residential or business use?
10:58 < chaot_s_> let's test http download from remote ip -->> 2.1Mb/s
10:59 < lizone> gosh, wish I had something like this
10:59 < Darkclaw66> I'm jealous, I wish I had those kinds of speeds
10:59 < chaot_s_> that is a normal home connection :)
10:59 < lizone> how much do you pay for it?
10:59 < lizone> is it symmetrical?
10:59 < chaot_s_> the 100Mbit, with phone and tv (fiber), is 55 euro a month :)
11:00 < chaot_s_> the 25/2Mbit is Belgium, only 100GB a month, further the same options, is 95 euro :)
11:01 < Douglas> my home connection is 101Mbps
11:01 < lizone> yeah, hopefully Verizon will come up with such speeds soon
11:01 < chaot_s_> the 100Mbit fiber is with fair use...
and 60GB traffic a day is normal for our usage :)
11:02 < Darkclaw66> I could get faster speeds but I would have to pay more money
11:02 < lizone> chaot_s: that's a disappointment
11:02 < Darkclaw66> and I'm already paying almost $70 a month
11:02 < lizone> that's not worth a buck
11:03 < chaot_s_> lizone : explain :)
11:03 < lizone> if it's just 60GB it's not much -- I use over 150GB easily a month
11:03 < chaot_s_> DAILY!
11:04 -!- Rossatom [n=atom@62.68.142.28] has joined ##openvpn
11:04 < lizone> chaot_s; sorry!!!!
11:04 < lizone> that's something, I like it very much
11:04 < chaot_s_> sorry caps :P
11:04 -!- Rossatom [n=atom@62.68.142.28] has quit [Remote closed the connection]
11:04 < chaot_s_> programming in assembly :)
11:05 < chaot_s_> and assembly likes capslock on :)
11:05 < chaot_s_> 1.75TB a month :)
11:05 < chaot_s_> is still fair use :)
11:05 < lizone> that's enough even for me ;-)))
11:05 < chaot_s_> let's view a video hosted on the other location... why download it?
11:06 < lizone> I use Usenet a lot
11:06 < lizone> it takes some bandwidth
11:06 < chaot_s_> location A has 4 LAN storage disks each being 3.2TB :)
11:06 < chaot_s_> and then 2 user PCs :)
11:06 < chaot_s_> good for 1TB together :)
11:07 < chaot_s_> only viewing a video does hiccup every now and then, due to openvpn limiting to somewhere around 500Kb/s :(
11:07 < chaot_s_> which I'm here to fix... hopefully :)
11:08 < lizone> why do you have to use openvpn?
11:09 < lizone> I use openvpn only for personal use like voip, mail, im
11:12 < chaot_s_> I maintain 3 locations. location A: 100/100Mbit, 2 user computers, and 2 laptops via wireless... ip range 192.168.12.0/24. location B: 25/2Mbit, 4 PCs and a bunch of wireless, ip range 192.168.10.0/24. location C: 24/1.3Mbit, 4 PCs + 2 laptops wireless, ip range 192.168.11.0/24. how else than openvpn in dev tun (tunnel between A/B, A/C and C/B) would you connect those locations via the internet?
11:13 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
11:13 < lizone> I see your point
11:13 < chaot_s_> being able to run every application to communicate with any other pc :)
11:13 < lizone> that's exactly the right approach
11:13 < chaot_s_> that's... why I use openvpn :)
11:13 < lizone> openvpn is great for that
11:14 < chaot_s_> the 100Mbit location also is the vpn server for road warriors... needing to connect to home :)
11:15 < lizone> so, it seems like you have a lan spread over a few households
11:15 < chaot_s_> it's been hell to build the iptables :)
11:15 < chaot_s_> indeed it's spread over 3 households :)
11:15 < lizone> you don't bridge?
11:15 < lizone> you're right, routing is a better option
11:16 < lizone> more efficient, I guess
11:17 < chaot_s_> I route because of efficiency, and due to all locations having dhcp, and on location A (100Mbit) sometimes a lan party is organized... and then we need more IPs
11:17 < chaot_s_> and the default gateway issue is annoying in some games :)
11:18 < lizone> can you play games in a routing environment?
11:18 < chaot_s_> and this way something can go down without the other locations having an issue with the being-down situation
11:18 < chaot_s_> yep :)
11:19 < chaot_s_> just do the right masquerading and all works well :)
11:19 < lizone> so let me ask you about something
11:19 < chaot_s_> some games like the masqueraded option, some don't... a batch file and putty fix that :)
11:20 < chaot_s_> go ahead :)
11:20 < chaot_s_> btw.. download of the same file via vpn runs at 416Kb/s
11:20 < Darkclaw66> well, I was able to get tinyproxy to work behind a VPN
11:21 < Darkclaw66> you guys sure socks5 works with IE?
11:22 < chaot_s_> Darkclaw66: http://www.tech-archive.net/Archive/VB/microsoft.public.vb.controls.internet/2009-05/msg00002.html seems not?
11:22 < vpnHelper> Title: Re: Pls help ==> SOCKS4 / SOCKS5 proxy server (at www.tech-archive.net)
11:22 < lizone> let's say I would like to build a network of 3 lans. On each I would have a different subnet. How should I go about connecting voip on those subnets?
11:24 < lizone> how to push those subnets into each network (lan) to be visible
11:24 < chaot_s_> lizone: never been there actually :) what software? I can test it right away and see if my setup would work.
11:25 < Darkclaw66> chaot_s_ not sure what I need to get out of that article
11:26 < chaot_s_> Darkclaw66 : sorry I didn't ask a question first, it's stated there that another auth tool is used,
11:26 < chaot_s_> or asked about,
11:26 < Darkclaw66> oh well
11:26 < chaot_s_> sorry for that weird answer of mine
11:26 < chaot_s_> lizone: got any specific voip software in mind?
11:27 < lizone> chaot_s: I use hardware
11:27 < lizone> like voip adapters and ip phones
11:28 < lizone> so, if on each lan I have a different subnet, how do I make them (subnets) visible to one another?
11:29 < lizone> let's expand it a bit: I have routers with dd-wrt installed
11:29 < chaot_s_> that would probably be done by relaying the broadcast ports used by the devices... I expect them to use tcp/ip
11:29 < chaot_s_> which devices do you have?
11:30 < lizone> no, sip uses udp
11:30 < lizone> I mean, voip uses mainly the sip protocol
11:31 < lizone> can't really use tcp because of its nature -- too slow for audio
11:32 < chaot_s_> I think it depends on the way broadcasting for the other devices is done.
11:33 < lizone> yeah, but broadcasting is done on the openvpn network, but what about those lan networks?
11:34 < chaot_s_> you could create a broadcast relay on the openvpn servers to relay that broadcast to the other vpn subnets and have it relayed there.
problem would be, can / will the devices allow the other ip range
11:34 < lizone> you know, the networks behind the routers
11:34 < lizone> so let's just say routers see each other, but what about the subnets behind those routers?
11:35 < chaot_s_> my setup is running with 192.168.40.0/24 for the vpn interfaces. I don't see that network.
11:35 < Darkclaw66> are you able to ping the server
11:36 < chaot_s_> when I broadcast on my range (192.168.10.255) I get a response only from my range.
11:36 < Darkclaw66> are you using tun or tap?
11:36 < chaot_s_> dev tun
11:37 < chaot_s_> and I can ping and reach all networks behind the vpn endpoints by just pinging them.
11:37 < lizone> chaot_s: how about your subnets behind the openvpn network?
11:38 < lizone> what is your openvpn ip?
11:38 < chaot_s_> I can communicate with all nodes connected within the vpn net, any client connected anywhere behind the vpn servers, including the vpn servers
11:40 < lizone> OK, so how do you make them visible to each other?
11:40 < lizone> do you push those subnets on each client from the server?
11:42 < lizone> and if so, does the communication between clients go through the server or directly between clients?
11:42 < chaot_s_> so I'm using ip 192.168.10.10 on my pc. my vpn server uses ip 192.168.10.1 for eth0 (local lan link). dev tun0 uses ip 192.168.40.1. The other endpoint uses 192.168.40.11 for its tun0, and uses ip 192.168.12.1 on its eth1 (local lan link). there is client 192.168.12.100 which I can just simply ping.
11:43 < chaot_s_> I do that using iptables, and pushing routes
11:43 < lizone> OK, I get it
11:44 < chaot_s_> route 192.168.10.0 255.255.255.0 on the remote location
11:44 < lizone> let me analyze a bit that configuration of yours
11:44 < lizone> I'll have some questions
11:45 < chaot_s_> I have that in my config on the location where subnet 192.168.12.0 is :)
11:45 < chaot_s_> works like a charm :P
11:46 < chaot_s_> Tracing route to 192.168.12.100 over a maximum of 30 hops
11:46 < chaot_s_> 1 <1 ms <1 ms <1 ms 192.168.10.1
11:46 < chaot_s_> 2 15 ms 16 ms 16 ms 192.168.40.30
11:46 < chaot_s_> 3 16 ms 17 ms 16 ms 192.168.12.100
11:46 < chaot_s_> hmm better not copy-paste...
11:46 < chaot_s_> oops :)
11:46 < lizone> I don't see the ip through which the openvpn server communicates with other nodes -- which is it?
11:47 < chaot_s_> this is the trace from my ip 10.10 to 12.100
11:47 < chaot_s_> 10.1 is my local lan on my vpn server
11:47 < chaot_s_> aka my gateway.
11:48 < lizone> so the openvpn has 10.10.12.100/24, is that right?
11:48 < chaot_s_> the 40.30 is the vpn server on the other side of my tunnel, the exit point actually
11:49 < chaot_s_> nope, openvpn has the 192.168.40.30
11:50 < lizone> what's the openvpn server's ip and netmask?
11:50 < chaot_s_> okay I'll type some more info :P
11:50 < lizone> thanks
11:52 < chaot_s_> server has 2 lan cards. 1 dhcp being the internet connection, the ip is whatever on that (eth0). eth1 is connected to a local switch, config is static 192.168.12.1/255.255.255.0
11:53 < chaot_s_> I have routing enabled and use iptables for masquerading the internal IPs so everyone has internet
11:55 < chaot_s_> next I installed openvpn, set it up to use dev tun, and gave dev tun an ip of 192.168.40.30; it's dev tun so point to point, and has the other endpoint being 192.168.40.10
11:56 < chaot_s_> that 192.168.40.10 ip is the endpoint on the other location, which has the exact same setup.
only the local lan (eth1) is 192.168.10.1/255.255.255.0
11:56 < chaot_s_> the traffic gets routed by having some rules in iptables.
11:57 < Bushmills> "exact same setup" ... both are configured as clients??
11:58 < chaot_s_> the tunnels are indeed the same.
11:59 < lizone> that makes me confused
11:59 < chaot_s_> only the ip addresses for the tunnels are inverted in the config
11:59 < Bushmills> you need a server and a client
11:59 < chaot_s_> then I've done something weird :P
12:00 < Bushmills> probably doesn't connect, therefore you don't see openvpn traffic
12:00 < chaot_s_> how can I ping and transfer then?
12:01 < Bushmills> first get client connected to server
12:01 < Bushmills> openvpn, configured as client, connected to openvpn, configured as serfer, I mean.
12:01 < Bushmills> server
12:03 < lizone> chaot_s: it seems to me like you have more than one server on your network -- and I've seen that kind of solution but I'd be more for a solution with one server
12:03 < chaot_s_> http://pastebin.com/m179ddc4d
12:04 < chaot_s_> Bushmills is Dutch :)
12:04 < chaot_s_> lol
12:04 < Bushmills> no, not at all
12:04 < chaot_s_> my configs...
12:04 < chaot_s_> my configs :)
12:04 < chaot_s_> and for location C there are two other files
12:05 < chaot_s_> the difference in those is the 192.168.40.X ip
12:05 < chaot_s_> that's all
12:05 < chaot_s_> (these are the old configs.
12:06 < chaot_s_> so Bushmills :) tell me what is wrong with this setup?
12:06 < Bushmills> you have two connections to different servers?
12:06 < chaot_s_> yep :)
12:07 < Bushmills> both connect?
12:07 < chaot_s_> 3 locations
12:07 < lizone> chaot_s: you have two locations, not three
12:07 < chaot_s_> A to B | A to C | and C to B
12:08 < chaot_s_> I run 2 vpn instances on each location
12:08 < chaot_s_> on server A runs 1 instance for location B, and one instance for location C
12:08 < Bushmills> I misunderstood.
thought you were trying to get two machines connected, using identical configs
12:08 < lizone> I see it
12:09 < chaot_s_> server B does the same, only connects to A and C
12:09 < chaot_s_> and C... well, we get the picture :)
12:09 < chaot_s_> this was done so there is no central point of failure...
12:10 < chaot_s_> my setup works like a charm Bushmills
12:10 < chaot_s_> :)
12:11 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit []
12:11 < chaot_s_> I only need to know... I have a server connected @ 100Mbit internet on location A; its measured down- and upstream is 9.6Mb/s up and 10.1Mb/s down. It's running openvpn in dev tun, linked to location B. On location B I have 25Mbit down / 2Mbit up, measured 2.1Mb/s down and 190Kb/s up. When transferring a file from location A to B I only get speeds around 500Kb/s. I would expect to get at least 1.5Mb/s or even more... can someone help me unders
12:11 < lizone> chaot_s: I would opt for a single openvpn server -- it would be easier to manage the network
12:12 < Bushmills> try to transfer a file using scp, and compare transfer speed
12:12 < Bushmills> could give an idea if - in case the cpu is a bit slow for encryption - the transfer speeds are roughly comparable
12:13 < lizone> kermit will be faster
12:13 < chaot_s_> lizone: indeed, how do you fix this then :) in the single setup locations B and C would connect to A, meaning ping of B->A+A->C...
12:13 < lizone> you don't need to encrypt through an already encrypted connection
12:16 < chaot_s_> in games a ping of 16 is okay. 32 is also acceptable, though gaming loads the connections, and ping goes up a little... and then it's 50 or so ping.
12:16 < chaot_s_> now I only handle traffic directly to locations.
12:16 < lizone> chaot_s: it's possible to have a single server and direct connections between clients (not through the server)
12:16 < chaot_s_> once set up it's fine.
12:16 < chaot_s_> I didn't know that.
12:17 < chaot_s_> is it still server based?
or do I need to set up all clients manually?
12:18 < chaot_s_> now I connect some device somewhere and can use whatever resource is located at whatever location :)
12:18 < lizone> as far as I know you need to set up each client
12:18 < lizone> but it's easy
12:19 < chaot_s_> I like features which don't need extra software... because that needs updates...
12:20 < chaot_s_> now I have 3 servers which I need to manage, and all is done, I don't care about the systems running in it. a phone, a laptop, windows linux vista whatever is connected just uses the extended lan :)
12:21 < lizone> chaot_s: well, have you ever used a router with dd-wrt installed?
12:21 < chaot_s_> I have :)
12:21 < chaot_s_> actually 3 in this lan too :)
12:22 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:22 < chaot_s_> linksys wrt54g running DD-WRT v24-sp1
12:23 < lizone> what is the advantage of having 3 openvpn servers over clients
12:24 < chaot_s_> actually no idea, the servers were already in place when the vpn locations came to mind... so those seemed the best location.
12:25 < chaot_s_> and btw.. the wrt's are actually a switch / ap on location A
12:25 < chaot_s_> and C
12:25 < lizone> do you use them as clients or servers?
12:26 < chaot_s_> they are just plain wireless access points in this case
12:27 < lizone> :-)) you have a pretty big network
12:28 < chaot_s_> only on my location I use 2 to give my neighbour access to my lan; mine runs ap+wds and my neighbour can hook up wireless (this is done because his laptop has too little range)
12:28 < chaot_s_> lol
12:29 < chaot_s_> I'm also doing some stuff just for the kick of it :)
12:29 < chaot_s_> like, okay.. I have some scrap... can I make something out of it...
12:29 < lizone> I know something about it
12:30 < lizone> ;-))
12:30 < chaot_s_> like... who builds his own led matrix, and programs it using assembly... for god's sake use C for that... NOPE!
I want it done in Assembly :)
12:32 < lizone> though, these days computers are cheap and sometimes it's better to have virtual servers on one powerful machine than on a few old geezers ;-))
12:32 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
12:32 < chaot_s_> lol, something like... virtualbox? running... server 2003?
12:33 < chaot_s_> vbox headless actually :)
12:34 < lizone> actually, virtualbox is not as good as vmware server for servers
12:34 < chaot_s_> I didn't test it actually, I saw virtualbox, and happy as a little kid got it to run on my server :)
12:35 < lizone> virtualbox is good for having a windows environment on linux
12:35 < Douglas> virtualbox is ok
12:35 < Douglas> I like vmware more
12:35 < lizone> but it's a work in progress
12:36 < chaot_s_> lol
12:36 < lizone> vmware is a more mature product
12:37 < lizone> virtualbox is not as stable as vmware
12:37 < chaot_s_> what would be best according to you out there?
12:37 < chaot_s_> and it should be free if possible :)
12:38 < lizone> it depends on what you want to do with it
12:38 < lizone> you want to use it as a server?
12:39 < chaot_s_> the idea is to get a domain controller on all locations :)
12:40 < lizone> xen is very good and free
12:40 < lizone> and I use virtual private servers; they are cheap these days -- linode is my favorite
12:40 < chaot_s_> there are hardware updates planned also, going to be new servers on all locations being intel e6300's
12:41 < chaot_s_> xen only runs windows when hyperv is integrated?
12:41 < lizone> no
12:41 < lizone> I don't think so
12:41 < chaot_s_> lol
12:42 < chaot_s_> I gave xen a try, though I could not get windows to run on it :)
12:42 < lizone> I'd say it may not run windows but definitely runs linux
12:42 < chaot_s_> I got that to work indeed
12:42 < Douglas> xen runs windows
12:42 < lizone> and can't be run on windows
12:43 < lizone> might run windows but can't be run on windows
12:43 < chaot_s_> worked like a charm.
and xen gets my recommendation when needing to run a linux client
12:44 < chaot_s_> I had xen on centos 5.2 on an old amd 1200Mhz. I never got it to run windows server 2003. though a centos vm worked just fine.
12:45 < chaot_s_> if I remember correctly it had something to do with missing hardware virtualization support in the old AMD core
12:46 < chaot_s_> and I have to say... the xen hypervisor is hugely faster than whatever I've seen out there before :)
12:47 < lizone> I figured that it'd be cheaper for me to have a vpn online than in-house
12:48 < lizone> online = read --> on the internet
12:50 < lizone> I'm taking off, see you guys!
12:50 -!- lizone [n=vadim@user-0ccejib.cable.mindspring.com] has quit ["Leaving"]
12:51 < chaot_s_> need to go too
12:51 < chaot_s_> bye
12:51 -!- chaot_s_ [n=Chaot_s@d54C0C5DB.access.telenet.be] has quit ["logging OUT"]
13:16 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
13:21 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
13:26 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
13:31 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
13:48 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 113 (No route to host)]
13:52 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
14:04 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
14:10 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
14:24 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
14:30 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 60 (Operation timed out)]
14:30 -!- [1]anwoke is now known as anwoke
14:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:45 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has joined ##openvpn
14:45 < Darkclaw66> can I specify tcp and udp for proto?
14:52 < anwoke> question, with the windows firewall up we can't access the file shares via the vpn
14:52 < anwoke> but when we take it down we can access them, and file and printer sharing are already allowed through the firewall
14:53 < anwoke> 137, 138, 139 and 445 are already allowed through the firewall, so any ideas as to why we can't access it when the firewall is up?
14:54 < Darkclaw66> what ip are you using
14:54 < anwoke> server ip is 10.32.64.3
14:55 < Darkclaw66> can you turn off the firewall to see if it works
14:55 < anwoke> vpn ip is 192.168.64.10
14:55 < anwoke> when I turn off the firewall it works just fine
14:55 < Darkclaw66> okay, what firewall are you using
14:55 < anwoke> I can connect to them
14:55 < anwoke> it is the basic windows firewall included with server 2003
14:55 < anwoke> we also have a shorewall firewall
14:56 < anwoke> but it is getting through the shorewall firewall fine
14:56 < anwoke> it is the windows firewall that is blocking it
14:56 < Darkclaw66> the client firewall is goofing it up?
14:56 < anwoke> any ideas as to how we fix it
14:57 < Bushmills> anwoke, does openvpn connect at all with the firewall up?
14:57 < anwoke> with the firewall up I can ping the server and remote into it just fine, just can't connect to the file shares
14:57 < anwoke> yeah, I can remote desktop into the server just fine via vpn with the firewall up
14:59 < Bushmills> then look at what the firewall tells you about what incoming packets it is blocking when you try to connect to a file share
15:01 < anwoke> as far as I can tell it's not blocking any of the smb because those ports are open
15:05 < Darkclaw66> is the firewall that is blocking it on the server or client?
15:05 < anwoke> server
15:06 < Bushmills> well, if it isn't blocking any, it can't be the firewall, right?
15:06 < Darkclaw66> what is the name of the firewall on the server?
15:07 < Darkclaw66> this is the rule you need: pass in on $vpn_if proto tcp from $vpn_network to $vpn_server port {445,139} flags S/SA keep state
15:07 < anwoke> it's just the basic windows firewall
15:10 < anwoke> got it, had to add the vpn scope into the firewall
15:13 < Darkclaw66> does it work now
15:17 < anwoke> yep
15:17 -!- lampliter [n=esj@harvee.org] has joined ##openvpn
15:22 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
15:26 < Darkclaw66> lol
15:26 < Darkclaw66> I think the phrase most appropriate to describe his exit is "thank you, drive thru"
16:02 -!- lonebrave_ [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [Remote closed the connection]
16:03 -!- lonebrave_ [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn
16:05 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
16:08 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
16:16 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 60 (Operation timed out)]
16:31 -!- YpsyZNC is now known as Ypsy
16:32 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has joined ##openvpn
16:50 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
16:52 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn
16:59 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
17:03 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has joined ##openvpn
17:06 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 60 (Operation timed out)]
17:06 -!- [1]anwoke is now known as anwoke
17:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
17:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:11 -!- lonebrave_ [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
17:30 -!-
lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [Remote closed the connection] 17:30 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has joined ##openvpn 17:33 < lampliter> anyone awake for an open VPN DNS per network question? 17:35 -!- kc8pxy [n=gecko@99-182-113-98.lightspeed.clmboh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 17:49 < anwoke> lampliter, i got my issue resolved, it was the windows firewall, i had to add the vpn scope into the windows firewall and now it all works 17:55 < lampliter> that fre has caused more probs than anything I know 17:56 < lampliter> that's really good news you were able to figure that out 17:56 < lampliter> I'm still trying to figure out my problem. 17:56 < lampliter> How to use the remote DNS for only remote queries but use the local DNS for everything else 17:57 < lampliter> the only way I was able to solve this under linux was by abusing DNSmasq a little bit 17:57 < lampliter> unfortunately, I had to backtrack to Windows because of my physical disability and need to use speech recognition 18:05 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 18:34 -!- teddy_ [n=teddy@208.92.235.227] has quit [Remote closed the connection] 19:13 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 19:31 -!- troy- is now known as troy 19:45 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 20:03 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 20:03 -!- [1]anwoke is now known as anwoke 20:04 < Darkclaw66> lampliter i might be able to help you with the dns question 20:04 < Darkclaw66> whats the prob 20:59 < Douglas> someone just told me OS X is the best OS ever madew 20:59 < Douglas> made 21:09 -!- master_of_master [i=master_o@p549D64F4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:09 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 21:12 -!- master_of_master 
[i=master_o@p549D3C6F.dip.t-dialin.net] has joined ##openvpn 21:21 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 21:29 < lampliter> Darkclaw66: still around? 21:38 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn 21:39 < CRASH69> hello, can someone help me with this? http://www.dd-wrt.com/phpBB2/viewtopic.php?p=330779#330779 21:43 < Darkclaw66> im back 21:44 < lampliter> hey 21:44 < Darkclaw66> im interested to learn more about the dns problem youre having 21:44 < lampliter> it's real simple. I have two DNS servers with non-identical name sets 21:45 < lampliter> one in my network complete with names belonging to my network. The other, on the other end of the VPN with names belonging to that side 21:45 < lampliter> I need to route the DNS queries to the right name server based on the domain name 21:45 < lampliter> or else do them in parallel and take the one that succeeds 21:46 < lampliter> if the resolver's fault 21:46 < lampliter> :-) 21:46 < Darkclaw66> do you need to have separate dns, can't use one? 21:47 < lampliter> yes. I have my name server, my customer has their name server 21:47 < lampliter> and this is going to get more survey because I'm running with more customers each with their own DNS 21:47 -!- exes [n=exes@mercury.exes.org] has joined ##openvpn 21:47 < lampliter> it's a bit crazy making 21:48 < Darkclaw66> if you have the right packet filtering rules, that will probably resolve your problem 21:48 < exes> if I want to do a multipoint bridge to allow OSPF traffic, but don't want clients communicating with each other... is that possible? 21:48 < exes> I'm not looking for how to do it as much if its possible 21:48 < lampliter> Darkclaw66: actually it won't. 
It's not something you can resolve with packets 21:48 < lampliter> packet routing 21:49 < lampliter> or packet filtering 21:49 < lampliter> you don't know where you need to go until you look at the domain name you are querying 21:53 < Darkclaw66> hmmm 21:54 < Darkclaw66> it would need to install a ton of dependencies not worth it 21:54 < Darkclaw66> lets see 21:54 < lampliter> which is why the DNSmasq folks working out how to use of a name-based routing for DNS 21:57 < lampliter> now, is there any tool I could use in Windows to do the same thing? 21:57 < Darkclaw66> I am not sure, it sounds like a very unique situation 21:58 < lampliter> well, it's not. It's called the split Horizon DNS 21:58 < lampliter> I don't mean to sound argumentative. I apologize if I am coming across as such 21:58 < Darkclaw66> not at all, you are frustrated and I completely understand 21:59 < Darkclaw66> its just with Windows, its a completely different environment and to tell it which domains to use a specific DNS, I am not sure 21:59 < lampliter> I mostly really tired and cranky because I needed to get a lot of work done today and my blood sugar has been cycling between mid-70s and over 200 multiple times a day. It really sucks being diabetic 22:00 < lampliter> the solution would involve some form of DNS proxy. 22:00 < lampliter> When open VPN starts, you would run that proxy and add the remote name server into the search list 22:02 < lampliter> it could be implemented a couple of ways which is to either using a name-based routing or a search list (parallel or in series) querying every name server known until one succeeds or they all fail 22:03 < lampliter> feel like coding anything? 22:03 < lampliter> I think the latter option might be the better one 22:03 < Darkclaw66> im not sure, I havent actually needed to do that 22:03 < lampliter> I'm just not sure how to fit it into open VPN 22:04 < lampliter> needed to do that? Coding? Split Horizon DNS? 
22:05 < Darkclaw66> needing more than one DNS and differentiating them between the client 22:06 < Darkclaw66> depending on the domain 22:07 < lampliter> well, I need to resolve private names in the harvee.com. esjworks.com. and the inguide.com domains here and the private names in the cust.com domain on the other side of the VPN 22:11 < lampliter> seriously, the only time this problem shows up is when you have public and private names for a given domain and you're trying to bridge two networks that both use private names. Like I say, this is something like a third or fourth place I've worked with in the past couple of years that have this problem 22:11 < lampliter> I know it's a royal pain. I can really get that but solving it isn't hard if you have hands that can write code 22:12 < lampliter> for what it's worth, I don't. They were damaged 15 years ago and speech recognition accessibility for programming by voice just hasn't kept up 22:36 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 23:10 -!- Ypsy is now known as YpsyZNC 23:18 < pekster> lampliter: I don't know if dnsmasq or something similar runs nicely under Cygwin. 
A really hackish approach here is to pack a custom version up with your VPN package and set the client to use localhost for DNS and spin up the dnsmasq (or whatever) process to handle the proper direction of queries based on domain 23:19 < pekster> BIND would work there too, although it's overkill for what you need 23:40 -!- jeiworth [n=jeiworth@189.163.179.78] has joined ##openvpn 23:43 -!- lampliter [n=esj@harvee.org] has quit ["Leaving."] --- Day changed Mon Aug 03 2009 00:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:06 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 00:15 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn 00:22 -!- troy is now known as troy- 00:24 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 00:24 -!- [2]anwoke is now known as anwoke 00:33 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 00:48 < reiffert> mac os x resolver library works too. 01:03 < CoffeeIV> I am trying to delete an accumulation of routes on a windows XP machine that are the results of lots of VPN experiments. When I do "route DELETE xx.x.x.x" it is always saying "The route specified was not found". Is there a trick to deleting routes on XP ? Is there a way to clear them all in mass ? 01:06 < reiffert> reboot. 
01:08 -!- troy- is now known as troy 01:10 < CoffeeIV> reiffert: these routes have survived multiple reboots, I think some date from a cisco VPN that I have not connected to in 3 years 01:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:27 -!- dazo [n=dazo@nat/redhat/x-vnvdhlyeplxctetj] has quit ["Leaving"] 01:40 -!- dazo [n=dazo@nat/redhat/x-wmccpyfcmhmjqdoi] has joined ##openvpn 01:57 -!- dazo [n=dazo@nat/redhat/x-wmccpyfcmhmjqdoi] has quit ["Leaving"] 02:04 -!- CRASH69 [n=crash@201.200.94.66] has left ##openvpn [] 02:08 -!- lonebrave [n=lonebrav@pool-71-166-36-30.bltmmd.fios.verizon.net] has quit [Read error: 110 (Connection timed out)] 02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:25 -!- dazo [n=dazo@nat/redhat/x-ceumtracfmdhqvlq] has joined ##openvpn 02:26 -!- jPalmPuck [n=portness@lan.akprofessionalconsulting.com] has joined ##openvpn 02:27 -!- troy is now known as troy- 02:44 -!- Darkclaw66 [n=portness@unaffiliated/darkclaw66] has quit [Read error: 110 (Connection timed out)] 02:53 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 02:54 -!- lonebrave [n=lonebrav@pool-96-244-228-226.bltmmd.fios.verizon.net] has joined ##openvpn 02:56 -!- dazo [n=dazo@nat/redhat/x-ceumtracfmdhqvlq] has quit [Read error: 60 (Operation timed out)] 02:57 -!- dazo [n=dazo@nat/redhat/x-rxafpipfwvymoqyw] has joined ##openvpn 03:26 < reiffert> krzie: bsd: how to mount /tmp and /var as ramdisk, get all directories in /var but let / be rw? 03:37 -!- dazo_ [n=dazo@nat/redhat/x-rlxxblfhvropayfl] has joined ##openvpn 03:37 -!- dazo [n=dazo@nat/redhat/x-rxafpipfwvymoqyw] has quit [Nick collision from services.] 
03:37 -!- dazo_ is now known as dazp 03:37 -!- dazp is now known as dazo 03:37 -!- dazo_ [n=dazo@nat/redhat/x-rzothdfarwwtunpd] has joined ##openvpn 03:43 -!- dazo_ [n=dazo@nat/redhat/x-rzothdfarwwtunpd] has quit [Remote closed the connection] 03:52 < reiffert> ah, varmfs, tmpmfs, rc.conf 03:53 -!- Gumbler [n=Gumbler@unaffiliated/gumbler] has joined ##openvpn 03:53 -!- troy- is now known as troy 04:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:38 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 04:50 -!- lonebrave [n=lonebrav@pool-96-244-228-226.bltmmd.fios.verizon.net] has quit [] 05:09 -!- mark-use [n=chatzill@dslb-084-060-245-203.pools.arcor-ip.net] has joined ##openvpn 05:14 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:21 -!- troy is now known as troy- 05:28 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 05:29 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 05:32 -!- jeiworth [n=jeiworth@189.163.179.78] has quit ["No Ping reply in 90 seconds."] 05:33 -!- jeiworth [n=jeiworth@189.163.179.78] has joined ##openvpn 05:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 05:53 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 06:15 < ivenkys> gents - this might be a very simple question but here goes - i have setup tun networking (tap being too complicated for me) , and now i want to access the printer across the network, whats the way to do it ? any documentation (other than tap) , pointers etc. would be very useful. 06:16 < ivenkys> server - openbsd openvpn2.1 client laptop/road warrior- os x openvpn2.0 06:24 < ecrist> ivenkys: if your printer has a route to the VPN subnet, you should be able to print without a problem 06:24 < ecrist> i.e. 
set the default gateway for the printer, and make sure your default gateway has the route to the VPN 06:25 < ecrist> I printer over the VPN to the office printer all the time. 06:25 < ivenkys> ecrist: hmm - i thought i had done that ., let me re-check that 06:26 < ivenkys> ecrist: my understanding is that as long as the default gateway (which in my case is the VPN server) has a route to the VPN client IP - you should be able to acess the server side VPN .. is that correct ? 06:42 -!- brizly [n=brizly_v@p4FC98EBA.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:43 -!- brizly [n=brizly_v@p4FC99E56.dip0.t-ipconnect.de] has joined ##openvpn 06:50 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 06:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 06:52 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 06:54 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 06:55 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: magic_1 06:56 -!- Netsplit over, joins: magic_1 06:56 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 07:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:17 -!- mius [n=miusf@85.214.97.22] has quit ["-"] 07:18 < ecrist> ivenkys: it theory. Do you have ip_forward enabled? 07:21 < Douglas> http://www.bash.org/?884444 07:21 < vpnHelper> Title: QDB: Quote #884444 (at www.bash.org) 07:22 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn 07:23 -!- b0nn_ [n=this@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn 07:32 < |Mike|> wb all. 
07:35 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has quit [Connection timed out] 07:45 -!- Irssi: ##openvpn: Total of 67 nicks [0 ops, 0 halfops, 0 voices, 67 normal] 08:24 -!- mrcool [n=chatzill@ns303573.ovh.net] has joined ##openvpn 08:25 < mrcool> hi all 08:37 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lilalinux, _impuls, worch, PeterFA, pekster 08:44 < Douglas> ecrist: ping 08:45 -!- Netsplit over, joins: lilalinux, PeterFA, _impuls, pekster, worch 08:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 08:45 < ecrist> pong 08:46 < Douglas> couple of things 08:46 < Douglas> first off, im switching user registration to admin approval only.. which i will do 08:46 < Douglas> that ok? 08:48 < ecrist> I would not, no. 08:48 < Douglas> what do you mean 08:48 < Douglas> you wouldnt do it? or you wouldn't help 08:48 < ecrist> I wouldn't switch to admin approval. 08:49 < Douglas> reason being? 08:49 < ecrist> no reason people can't register themselves. 08:49 < mrcool> any one know privet vpn networks? 08:49 < mrcool> that uses openvpn? 08:49 < Douglas> i am so tired of all the spambots joining 08:49 < ecrist> Douglas: why do you care if they join? Their posts need approval. 08:50 < Douglas> because they are weird usernames on the memberlist.. small level OCD i have 08:50 < ecrist> so, write an SQL query that blows away users registered more than 30 days ago with 0 posts. 08:51 < Douglas> ecrist: have you had a memory lapse about my sql knowledge? 08:51 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: mius, magic_1 08:51 < ecrist> not at all, I can direct you to the MySQL docs, if you like. 08:52 < Douglas> i'll figure something out i guess 08:52 -!- Netsplit over, joins: mius, magic_1 08:52 < Douglas> mysql docs take more time than i have 08:52 < Douglas> just like the 200 goddamn page iptables manual 08:52 < ecrist> lol, you're in the wrong channel if you're going to get document-reading sympathy. 
08:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 08:52 < ecrist> not only the wrong channel, but you're talking to the wrong guy. ;) 08:53 < ecrist> Douglas: so ban them all 08:53 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 08:53 < Douglas> ecrist: i'm surprised you didn't tell at me for suggesting something of that type 08:53 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Remote closed the connection] 08:53 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 08:54 < Douglas> http://www.okean.com/chinacidr.txt woot 08:54 < Douglas> now to script the proper syntax for that 08:55 < ecrist> hang on 08:57 < Douglas> w00t 08:57 < Douglas> i did it 08:57 -!- achilles [n=achilles@86.108.14.198] has joined ##openvpn 08:58 < solvik> lol :) 08:58 < Douglas> i probably way overcomplicated it 08:58 < Douglas> tmp=`cat ~/chip | awk '{print $1}'` 08:58 < Douglas> echo $tmp | xargs -n 1 /bin/echo "Deny from" 08:58 < achilles> hello all, I have a problem can't find solution for, I have site to site openvpn system, it's cool, but when internet disconnection happen for any reason, it releases the connection and routes go away , is there a way to keep routes set ? 08:59 < ecrist> Douglas: you are going to ban them from the board, right? 08:59 < Douglas> yeah like a .htaccess deny or something 08:59 < ecrist> achilles: keeping the routes set isn't 'proper' way to do it. 09:00 < ecrist> Douglas: there is an IP ban config page in the admin control panel 09:00 < achilles> ecrist, oh , could you please advice 09:00 < ecrist> text box, all you have to do is enter the ranges in there. 09:00 < Douglas> MF 09:00 < Douglas> where 09:01 < Douglas> ah 09:01 < Douglas> ecrist: can i put cidr's? 09:01 < achilles> the stupid way I use is to set a cron job to keep setting routes .. 
I know it's stupid 09:01 < achilles> :) 09:02 < ecrist> Douglas: I'm looking in the docs re CIDR 09:02 < Douglas> ah 09:02 < Douglas> if not, i alreay have the textfile made 09:02 < Douglas> http://38.108.110.98/~doug/ips.txt 09:02 < ivenkys> ecrist: i do have ip forwarding enabled - sorry i was away 09:04 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 09:05 < Douglas> damn it 09:05 < Douglas> i always lose my password for ecrist's server >:( 09:05 < ecrist> grr 09:05 * ecrist hates users. 09:05 < Douglas> ecrist: i'll find it 09:05 < Douglas> fwiw 09:05 < Douglas> typo in the login msg i believe 09:05 < Douglas> | hosting.secure-computping.net | 09:06 < Douglas> o.o ecrist: no ftp daemon running? 09:07 < ecrist> tx, fixed. 09:07 < ecrist> Douglas: no 09:07 < ecrist> my users get SFTP only. 09:07 < ecrist> FTP exposes user passwords 09:07 < ecrist> FTP is anon only for SCN projects and code 09:07 < Douglas> ah, ok 09:08 < Douglas> i thought i remembered you saying you took my ssh privs 09:08 < Douglas> so was gonna try the passwd reminder you emailed me via ftp 09:08 * Douglas doesn't think he changed it 09:08 < ecrist> my users have SFTP in a chroot, none of my users have shell acces 09:08 < ecrist> s 09:08 < Douglas> fair enough 09:08 * Douglas installs sftp client 09:09 < Douglas> "Access: ssh + sftp + scp" <-- your emails lie! hahaha. 09:09 * Douglas installs 09:10 < ecrist> Douglas: you initially had that access, now sftp only 09:10 < ecrist> scp will work, as well, iirc 09:10 < Douglas> k 09:12 < Douglas> Error: Authentication failed. 
09:12 < Douglas> :-< 09:12 * Douglas thinks 09:13 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 09:14 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 09:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 09:22 < ecrist> fucking netsplits 09:23 < Douglas> yessir 09:31 -!- mrcool [n=chatzill@ns303573.ovh.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.12/2009070611]"] 09:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:19 -!- mark-use [n=chatzill@dslb-084-060-245-203.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)] 10:21 -!- mark-use [n=chatzill@dslb-084-060-245-203.pools.arcor-ip.net] has joined ##openvpn 10:24 -!- achilles [n=achilles@86.108.14.198] has quit [Read error: 60 (Operation timed out)] 10:28 -!- jeiworth [n=jeiworth@189.163.179.78] has quit [Read error: 110 (Connection timed out)] 10:31 -!- Irssi: ##openvpn: Total of 64 nicks [0 ops, 0 halfops, 0 voices, 64 normal] 10:32 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:56 -!- mark-use [n=chatzill@dslb-084-060-245-203.pools.arcor-ip.net] has quit [Read error: 113 (No route to host)] 11:10 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has quit [Read error: 110 (Connection timed out)] 11:14 -!- YpsyZNC is now known as Ypsy 11:19 -!- troy- is now known as troy 11:20 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has joined ##openvpn 11:23 -!- jPalmPuck [n=portness@lan.akprofessionalconsulting.com] has quit [] 11:38 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn 11:41 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [Client Quit] 11:44 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 11:45 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 
11:55 -!- Ypsy is now known as YpsyZNC 12:38 -!- bakermd [n=bakermd@38.101.225.215] has joined ##openvpn 12:39 < bakermd> I have an openvpn server setup and am trying to connect a linux client. If the user is not root, they cannot establish a session. My main problem though is that I need the vpn connections to be non-interactive... if the Root user must make the connection, then I cannot have it asking for a username and password at the cli... any way around this? 12:39 < bakermd> I am downloading the client.ovpn file when testing here 12:42 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:50 -!- dazo [n=dazo@nat/redhat/x-rlxxblfhvropayfl] has quit ["Leaving"] 12:51 -!- dazo [n=dazo@nat/redhat/x-mygcvyjkkgqjybzk] has joined ##openvpn 12:57 < Bushmills> bakermd, connect during machine start 12:58 -!- leservo [n=obleskie@12.130.118.17] has joined ##openvpn 12:58 < Bushmills> do authentication not on vpn level, but on service level. 12:58 < bakermd> Bushmills: Thanks - Not sure I really understand though 12:59 < bakermd> auth on service level 12:59 < Bushmills> (for proper operation, openvpn client wants to add to route, which user is not allowed to) 12:59 < leservo> I'm having a problem connecting my linux client to my linux server. I think the server thinks it's a client, because in the log it says "openvpn client, initialization sequence complete" whereas on the actual client it just hangs at the UDPv4 link remote: ipaddr. I don't understand why this is happening because in the client config it says client at the top and likewise the server config says server 12:59 < Bushmills> bakermd, authenticate using keys + certificate. no password, no username. 12:59 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 12:59 < Bushmills> that means, connection can be done non-interactively, during system start. 13:00 < bakermd> Bushmills: Okay - that sounds perfect - where would I find a sample of this config? 
13:00 < bakermd> or the options to pass? 13:00 < Bushmills> !factoids search rsa 13:00 < vpnHelper> Bushmills: "easy-rsa-unix" is http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux 13:00 < Bushmills> !factoids search authentication 13:00 < vpnHelper> Bushmills: No keys matched that query. 13:01 < Bushmills> !factoids search auth 13:01 < vpnHelper> Bushmills: 'tls-auth' and 'authpass' 13:01 < Bushmills> !howto 13:01 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:01 < Bushmills> probably in there 13:01 < Bushmills> !easy-rsa-unix 13:01 < vpnHelper> Bushmills: "easy-rsa-unix" is http://www.freebsddiary.org/openvpn-easy-rsa.php for a writeup of making certs with easy-rsa in fbsd, only the dir changes for linux 13:01 < bakermd> Cool - thanks - looking 13:05 < bakermd> I really do not see what I need yet - I know how to create rsa keys, and I see the discussion about initscript... but I am missing the part wherein I see how to configure the client to login non-interactively 13:06 < bakermd> Forcing the opposite, password auth only, seems Very straight-forward 13:06 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn 13:08 < bakermd> I am using the whole openvpnas deal 13:08 < ElectricBill> I've an openvpn client where I bridge tap0 to eth1 (br1). BOOTP requests from device attached to eth1 are seen with tcpdump, but do 13:09 < ElectricBill> not appear on remote (server) side. Other traffic (from server side) appears on client side. 13:09 < ElectricBill> I'm stumped. Any ideas how to diagnose, or otherwise make it work? 
13:14 < ecrist> bitches 13:14 < Douglas> fag 13:31 < leservo> what command can i use to see what programs are using certain ports in linux 13:31 < ecrist> sockstat on freebsd 13:31 < Douglas> lsof would do 13:31 < Douglas> wouldn't t 13:31 < ecrist> I think you need lsof 13:31 < Douglas> it 13:31 < bakermd> Okay, so I have the client starting at boot, using a username/password file for now. It is connecting and getting an IP, however I cannot ping anything on the network that it is connected to.. any ideas? In openvpnas I have set Should VPN clients have access to private subnets? to Yes - Advanced - and added both of our internal subnets there 13:31 < leservo> lsof lists a billion things 13:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:32 < ecrist> !route 13:32 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:32 < ecrist> bakermd: you need a couple things. 13:32 < Douglas> lol 13:32 < ecrist> 1) ip_forward enabled 13:32 < ecrist> 2) return routing on the remote LAN 13:33 < bakermd> Okay - thank you 13:34 < bakermd> hmm - this seems a little different than what I want though 13:34 < bakermd> I want machines to connect to the VPN and get their 10.8.0.x IP's and then be able to access the 192.168.100.x network @ corporate that the VPN server is connected to - are we on the same page? 13:35 < bakermd> I also told it to give the DNS server addresses to the client, and that does not seem to be propagating - pinging the DNS server's IP fails however 13:36 < bakermd> Scratch that - telling it to use NAT fixed the clients not being able to talk to the LAN at Corp 13:37 < bakermd> I think we're all good!! :) Thanks for all the help!! 
13:40 < Douglas> http://platform.ak.facebook.com/www/app_full_proxy.php?app=93833863228&v=1&size=b&cksum=4592cb350f50d3bcc42a097a99e3c15f&src=http%3A%2F%2Fapps.radioactivespoon.com%2Ffbquiz%2Fimages_user%2F329.jpg 13:40 < Douglas> ahahah 13:41 < leservo> my vpn client hangs at UDPv4 link remote: . It worked on my home network, but now it's not working when i'm on someone elses internet. what could be the cause of this? i dont' think it's a firewall issue 13:41 < leservo> because when i stop iptables it still doesnt work 13:42 < ecrist> bakermd: yes, we're on the same page. read the link I posted. 13:42 < ecrist> leservo: 13:42 < ecrist> !all 13:42 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 13:43 < ecrist> most importantly, the logs 13:43 < leservo> ok ecrist 13:44 < Douglas> ooh 13:44 < Douglas> ecrist 13:44 < Douglas> when did vpnHelper learn !all? 13:45 < leservo> ecrist, http://pastebin.com/m63067494 13:48 < ecrist> leservo: have you noticed line 58 from you post? 13:48 < ecrist> which is going to be your problem. 13:48 < leservo> err let me see 13:49 < ecrist> that error is quite regular throughout your log file 13:49 < leservo> ecrist, the connetion im on now doesnt use my home subnet though. im actually onthe airplane 13:49 < Douglas> Mon Aug 3 11:36:07 2009 TCP/UDP: Socket bind failed on local address 69.42.14.2:50: Cannot assign requested address 13:50 < leservo> hmmm 13:50 < ecrist> Douglas wins. /me checks out 13:50 < leservo> in the server.conf it says to use port 53... 13:51 < Douglas> ecrist: come on man 13:51 < Douglas> how do you miss that 13:51 < Douglas> you're the smart one 13:51 < leservo> wait i just deleted the log and restarted the server to see a fresh log. 
let me see if it says the same 13:51 < ecrist> the error I pointed out occurs before the other. 13:52 < leservo> i dunno i'm pretty sure i set the server up correctly. because whether or not openvpn is running or not on the server, the client still hangs at the same place. it's like it cant even communicate with the server, even though ive disabled iptables and know the port is open in the router 13:53 < leservo> could virgin atlantic somehow be blocking the openvpn? they arent blocking port 53, so i don't understand 13:53 < ecrist> logs... 13:54 < leservo> let me see if the client keeps a log 13:55 < leservo> let me enable client logs one sec 13:56 < leservo> when i add the log-append etc in the client config it wont start. am i not allowed to do that? 13:56 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)] 13:57 < leservo> oh wait it worked 13:57 < leservo> the logs i mean 13:58 < leservo> ya the last line in the client log is just UDPv4 link remote: 69.42.14.2:53 13:58 < leservo> and it hangs there 14:06 < ecrist> fuck 14:06 < leservo> what 14:06 < ecrist> leservo: we need to see the logs 14:08 < leservo> ecrist, client log: http://pastebin.com/m6fb08eb1 14:12 < leservo> it's nothing unusual 14:16 -!- anwoke [n=A@75-162-248-40.slkc.qwest.net] has joined ##openvpn 14:16 < leservo> ecrist, if i change the port from 53 to 54 it works. what does this tell you? is some program stealing 53 or something? 14:22 < leservo> ok now ive just changed it to port 54... 
i dunno why i had to do that but whatever it works now 14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:30 -!- leservo [n=obleskie@12.130.118.17] has quit ["Leaving"] 14:33 -!- toehio [n=toehio@dyn.83-228-223-070.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 14:33 -!- worch_ [i=worch@battletoad.com] has joined ##openvpn 14:41 -!- pekster_ [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 14:44 -!- pekster [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Read error: 110 (Connection timed out)] 14:45 -!- worch [i=worch@battletoad.com] has quit [Read error: 110 (Connection timed out)] 14:45 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 110 (Connection timed out)] 14:46 -!- PeterFA [n=peter@c-67-183-73-27.hsd1.wa.comcast.net] has joined ##openvpn 14:48 -!- toehio [n=toehio@dyn.83-228-157-187.dsl.vtx.ch] has joined ##openvpn 14:53 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 14:53 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 15:09 -!- anwoke [n=A@75-162-248-40.slkc.qwest.net] has quit [Read error: 110 (Connection timed out)] 15:32 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 15:42 -!- troy [n=troy@worldnet.tauri.ca] has quit [Nick collision from services.] 
15:43 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 15:43 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 15:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:58 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.12/2009070611]"] 16:49 -!- c64zottel [n=hans@p5B17B23E.dip0.t-ipconnect.de] has joined ##openvpn 17:22 -!- treats [n=jl@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)] 17:24 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 17:33 -!- c64zottel [n=hans@p5B17B23E.dip0.t-ipconnect.de] has quit ["Leaving."] 17:44 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 17:44 -!- unix3 [n=unix3@190.10.68.228] has quit [Remote closed the connection] 18:07 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 18:10 -!- antiwire [n=antiwire@unaffiliated/antiwire] has joined ##openvpn 18:11 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn 18:21 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 18:21 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 18:23 < antiwire> is there a directive that can be set on the server side that would actually replace /etc/resolv.conf if the nameserver I want the client to use after the VPN connection is established? 18:24 < antiwire> if the/with the 18:35 < redfox> hi, after a (obviously) successful connect to an openvpn server, i get this message: AUTH: Received AUTH_FAILED control message, and it disconnects. anyone knows what this means? 18:49 < |Mike|> redfox: check your certs & paths 18:49 < redfox> |Mike|: i get a VERIFY OK 18:50 < |Mike|> !logs 18:50 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
18:51 < |Mike|> !config
18:51 < vpnHelper> |Mike|: (config <name> [<value>]) -- If <value> is given, sets the value of <name> to <value>. Otherwise, returns the current value of <name>. You may omit the leading "supybot." in the name if you so choose.
18:52 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:54 < redfox> |Mike|: client conf: http://pastebin.com/d7bd6022d log: http://pastebin.com/d13427565 .. no access to server conf, but that (matching) client conf was provided
18:56 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
18:56 < xp_prg> hi all, I am trying to make a client key with build-key and it says you must define KEY_DIR
18:57 < xp_prg> it didn't say this before and I forget what I did ;(
19:05 < redfox> |Mike|: log again with verb 6: http://pastebin.com/d16328c39
19:06 < xp_prg> should I enter in a common name, is that necessary?
19:07 < xp_prg> yup I should
19:24 -!- antiwire [n=antiwire@unaffiliated/antiwire] has quit ["You make your own luck in life."]
19:50 < Douglas> i just woke up
19:50 < Douglas> i look high as f
19:55 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn
20:19 < xp_prg> what is the setting so that other clients can communicate with other openvpn ips?
20:19 < Douglas> xp_prg
20:20 < Douglas> sounds like you need to run . ./vars
20:20 < Douglas> if you are using easy-rsa
20:21 < xp_prg> clienttoclient
20:22 < Douglas> hi all, I am trying to make a client key with build-key and it says you must define KEY_DIR
20:22 < Douglas> was referring to that
20:23 < xp_prg> oh ok thanks!
20:23 < xp_prg> is it possible to push dns settings?
20:23 < xp_prg> to clients?
20:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
20:28 -!- epaphus [n=unix3@201.199.192.2] has joined ##openvpn
20:34 -!- YpsyZNC is now known as Ypsy
20:45 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
20:50 -!- epaphus [n=unix3@201.199.192.2] has quit ["Leaving"]
21:08 -!- master_of_master [i=master_o@p549D3C6F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3CF4.dip.t-dialin.net] has joined ##openvpn
21:15 -!- Ypsy is now known as YpsyZNC
21:46 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:47 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
22:18 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
22:18 < thedoc> Douglas, We're usually prompt on payment ;)
22:25 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:34 < ecrist> sup, fuckers?
22:34 < thedoc> ecrist, Battling some evil vmware fusions
22:36 < ecrist> ew
23:46 -!- lolipop [n=soontak@219.95.197.122] has joined ##openvpn
23:58 -!- toehio [n=toehio@dyn.83-228-157-187.dsl.vtx.ch] has quit [Connection timed out]
--- Day changed Tue Aug 04 2009
00:02 -!- toehio_ [n=toehio@dyn.144-85-202-205.dsl.vtx.ch] has joined ##openvpn
00:07 -!- exes [n=exes@mercury.exes.org] has left ##openvpn []
00:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:53 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
01:56 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
02:01 -!- achilles [n=achilles@86.108.14.198] has joined ##openvpn
02:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:26 -!- achilles [n=achilles@86.108.14.198] has quit [Read error: 110 (Connection timed out)]
02:26 -!- achilles [n=achilles@91.186.236.43] has joined ##openvpn
02:38 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
02:49 -!- achilles [n=achilles@91.186.236.43] has quit [Read error: 104 (Connection reset by peer)]
02:50 -!- soontak_ [n=soontak@219.95.197.122] has joined ##openvpn
02:51 -!- lolipop [n=soontak@219.95.197.122] has quit [Read error: 104 (Connection reset by peer)]
03:16 -!- achilles [n=achilles@86.108.14.198] has joined ##openvpn
03:34 -!- achilles [n=achilles@86.108.14.198] has quit [Read error: 110 (Connection timed out)]
03:40 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has joined ##openvpn
03:43 -!- b0nn [n=this@203-109-245-158.static.bliink.ihug.co.nz] has left ##openvpn []
03:43 -!- b0nn_ [n=this@203-109-245-158.static.bliink.ihug.co.nz] has quit [Read error: 60 (Operation timed out)]
04:01 < |Mike|> redfox: oic, you're renting that VPN line ?
04:02 < |Mike|> xp_prg: yes, it's possible to push-dns :)
04:02 < |Mike|> !dns
04:02 < vpnHelper> |Mike|: "dns" is Level3 open recursive DNS server at 4.2.2.1
04:02 < |Mike|> !push-dns
04:02 < vpnHelper> |Mike|: Error: "push-dns" is not a valid command.
04:03 < |Mike|> 115.Tue Aug 4 01:57:01 2009 us=616519 tls_server = DISABLED
04:03 < |Mike|> 116.Tue Aug 4 01:57:01 2009 us=616545 tls_client = ENABLED
04:03 < |Mike|> redfox: ^
04:03 < |Mike|> and; 178.Tue Aug 4 01:57:01 2009 us=618345 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
04:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 04:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:14 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer] 05:04 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:29 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 05:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:08 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: ElectricBill, _impuls, qknight, dazo, lilalinux, pa, PeterFA, kaii, soontak_, joh, (+15 more, use /NETSPLIT to show all of them) 06:10 -!- Netsplit over, joins: thedoc, soontak_, polaru, toehio_, PeterFA, pekster_, worch_, ElectricBill, dazo, mius (+15 more) --- Log closed Tue Aug 04 06:17:33 2009 --- Log opened Tue Aug 04 06:17:42 2009 06:17 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 06:17 -!- Irssi: ##openvpn: Total of 62 nicks [0 ops, 0 halfops, 0 voices, 62 normal] 06:18 -!- Irssi: Join to ##openvpn was synced in 25 secs 06:24 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: ElectricBill, _impuls, victor_, thermoman, krzie, qknight, davidisko, dazo, |Mike|, lilalinux, (+48 more, use /NETSPLIT to show all of them) 06:25 -!- Netsplit over, joins: chinsan_, lataffe__, kala, jreno, APTX|, kaii, qknight, HardDisk_WP, reiffert, Pagautas (+48 more) 06:25 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Success] 06:25 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: PeterFA, kala, brizly, joh, mius, pa, thedoc, lilalinux, toehio_, freaky[t], (+15 more, use /NETSPLIT to show all of them) 06:25 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:26 -!- Netsplit over, joins: lataffe__, thedoc, polaru, toehio_, PeterFA, pekster_, worch_, ElectricBill, dazo, mius (+15 more) 06:26 -!- brizly1 [n=brizly_v@79.201.162.197] has joined ##openvpn 06:41 -!- 
brizly [n=brizly_v@p4FC99E56.dip0.t-ipconnect.de] has quit [Success] 06:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:59 < Douglas> omg 06:59 < Douglas> netsplits can gtfo 07:01 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 07:03 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 07:04 < Douglas> -.- 07:09 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 07:10 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 07:14 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: worch_, mius, flokuehn, krzie, Kryczek, ElectricBill, JyZyXEL, Typone, dimedo, |Mike| 07:15 -!- Netsplit over, joins: |Mike|, JyZyXEL, flokuehn, Kryczek, dimedo, krzie, Typone 07:16 -!- worch_ [i=worch@battletoad.com] has joined ##openvpn 07:16 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn 07:16 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn 07:16 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: flokuehn, krzie, Kryczek, JyZyXEL, Typone, dimedo, |Mike| 07:16 -!- flokuehn_ [n=flokuehn@62.48.92.62] has joined ##openvpn 07:16 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 07:17 -!- dimedo [n=dimedo@mail.raktefakt.net] has joined ##openvpn 07:18 -!- JyZyGyZyX [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn 07:18 -!- Typone [n=nitsme@195.197.184.87] has joined ##openvpn 07:25 -!- flokuehn_ is now known as flokuehn 07:45 -!- dazo [n=dazo@nat/redhat/x-mygcvyjkkgqjybzk] has quit ["Leaving"] 07:50 -!- dazo [n=dazo@nat/redhat/x-vvcgowjecircwhsj] has joined ##openvpn 08:09 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: PeterFA, kala, joh, mius, pa, thedoc, lilalinux, toehio_, freaky[t], polaru, (+15 more, use /NETSPLIT to show all of them) 08:20 -!- Netsplit over, joins: mius, 
ElectricBill, worch_, polaru 08:22 -!- JyZyGyZyX [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn 08:22 -!- toehio_ [n=toehio@dyn.144-85-202-205.dsl.vtx.ch] has joined ##openvpn 08:22 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 08:25 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn 08:25 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 08:25 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 08:30 -!- pekster_ [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has joined ##openvpn 08:30 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 08:30 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 08:30 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn 08:30 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 08:30 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn 08:30 -!- kaii [n=kai@ciphron.de] has joined ##openvpn 08:30 -!- flokuehn [n=flokuehn@globalways/developer/flokuehn] has joined ##openvpn 08:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 08:30 -!- joh [n=joh@129.241.56.185] has joined ##openvpn 08:30 -!- freaky[t] [i=schnucki@member.team-box.net] has joined ##openvpn 08:30 -!- hackeron [n=hackeron@gentoo/user/hackeron] has joined ##openvpn 08:30 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 08:30 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has joined ##openvpn 08:30 -!- _impuls [n=m@gateway.theta.stoerimpuls.net] has joined ##openvpn 08:58 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 09:25 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 09:27 < |Mike|> delinking servers, how gay. 09:27 < |Mike|> I felt so lonely for a while.. 
09:27 < Douglas> lol
09:28 < Douglas> really pissing me off
09:35 < |Mike|> it was stable enough for me (ipv6 user)
09:38 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:39 -!- xand [n=xand@unaffiliated/xelam] has joined ##openvpn
09:53 < ecrist> I think I need to fix my IPv6 stuff
09:54 < Douglas> i think i need to learn how to make crond stop writing to /var/spool/mail/doug
09:54 < Douglas> "/var/spool/mail/doug": 14277 messages 14277 new
09:54 < Douglas> just since July 25
09:55 < ecrist> set MAILTO in the top of the file and set to /dev/null
09:55 < ecrist> or, use a proper redirect
09:55 < ecrist> 2&>/dev/null
09:55 < ecrist> and, in your cron entries, use --quiet options for programs that have them.
09:55 < Douglas> the cron is just the cacti poller
09:55 < Douglas> (10:59:28) [doug@nyc01-01-05] /var/spool/mail crontab -l
09:55 < Douglas> */1 * * * * /usr/local/bin/php -q /home/doug/domains/cacti.bergenhosting.com/public_html/graphs/poller.php
09:55 < Douglas> You have mail in /var/spool/mail/doug
09:55 < Douglas> (11:01:32) [doug@nyc01-01-05] /var/spool/mail
09:57 < Douglas> lol
09:57 * Douglas redirects
09:58 < |Mike|> Douglas: run a spamfilter ? ;)
09:58 < thedoc> cacti pollers are the shit ;p
09:58 < thedoc> Douglas, Have you thought of looking into SolarWinds: Onion
09:58 < Douglas> nope
09:58 < Douglas> i like cacti
09:59 < thedoc> It's only a couple of grand ;p
09:59 < Douglas> hahah
09:59 < Douglas> buy it for me ;)
10:02 < ecrist> Douglas: here's my cacti crontab line
10:02 < ecrist> */5 * * * * cacti /bin/sleep 10 && /usr/local/bin/php /usr/local/share/cacti/poller.php > /dev/null 2>&1
10:02 < thedoc> Douglas, You wish :D
10:03 < ecrist> *and* why the hell are you running the poller every minute? that's a bit insane, IMHO
10:03 < Douglas> ecrist, i'm just testing something
10:03 < Douglas> &
10:03 < Douglas> that's what i was told to set mine to, ecrist :p
10:03 < Douglas> <@Scott-Mc> */5 * * * * /
10:03 < Douglas> er
10:03 < Douglas> <@Scott-Mc> */5 * * * * /usr/local/bin/php -q /home/www/graphs/poller.php > /dev/null 2>&1
10:04 < ecrist> also, * * * * * is the same as */1 * * * *
10:04 < ecrist> tool
10:05 < Douglas> heh
10:05 < Douglas> i know
10:05 < Douglas> ecrist: i don't think you've noticed with me yet that i like the long complicated ways
10:05 -!- dazo [n=dazo@nat/redhat/x-vvcgowjecircwhsj] has quit [Remote closed the connection]
10:05 -!- dazo [n=dazo@nat/redhat/x-uuyikfylknlwwdvs] has joined ##openvpn
10:06 -!- dazo [n=dazo@nat/redhat/x-uuyikfylknlwwdvs] has quit [Remote closed the connection]
10:06 < ecrist> s/long complicated/really fucking retarded/
10:06 -!- dazo [n=dazo@nat/redhat/x-vdrqelcmlbcnjcqr] has joined ##openvpn
10:06 < ecrist> there, I fixed that for you
10:07 < Douglas> ecrist
10:07 < Douglas> how did a spam psot get approved
10:07 < Douglas> post
10:07 < Douglas> .
10:07 * ecrist looks into it
10:07 < Douglas> oh hmm
10:08 < Douglas> i didn't see the icon saying it was pending
10:08 < Douglas> but i do see it pending in mod cp
10:09 < Douglas> http://www.ovpnforum.com/viewtopic.php?t=428 @ all
10:09 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN Over Cisco VPN (at www.ovpnforum.com)
10:09 -!- teddy [n=teddy@208.92.235.227] has joined ##openvpn
10:10 < ecrist> Douglas: don't ask me to look into something and then delete/move the topic
10:10 < Douglas> i didn't mean to heh, my bad
10:12 < Douglas> ecrist: just looked at your profile
10:12 < Douglas> Interests: Guns, Sex, Booze
10:12 < Douglas> ++
10:34 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:37 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
11:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
11:29 -!- stonekeeper [n=lea@host81-149-34-109.in-addr.btopenworld.com] has joined ##openvpn
11:29 < stonekeeper> hi there. Any reason why openvpn would default to 10M between windows and linux on a 100M network? Cheers.
11:36 -!- stonekeeper [n=lea@host81-149-34-109.in-addr.btopenworld.com] has quit ["Leaving."]
11:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:52 < ecrist> wow, stonekeeper was here for 7 minutes before he gave up
11:54 < Douglas> lool
11:58 < ecrist> LOL @ #mysql
11:58 < ecrist> 11:57 < Tatsh> how many rows in a table before i see a performance hit?
11:58 < ecrist> 11:57 < Emmett> 1
12:07 < dazo> heh
12:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
12:17 < Douglas> lool ecrist
12:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
12:32 < ecrist> why the extra o?
12:32 < |Mike|> haha
12:33 < Douglas> ecrist: don't know, o key stuck
12:42 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
13:05 -!- Kryczek [i=kryczek@about/security/staff/Kryczek] has joined ##openvpn
13:06 -!- fir3 [n=chatzill@141.70.105.0] has joined ##openvpn
13:06 -!- lizone [n=zenst@user-0ccejib.cable.mindspring.com] has joined ##openvpn
13:06 < fir3> hi
13:08 < fir3> i'd like to set up an openvpn server but my internet connection is quite slow. will the clients connect via p2p or will there be much traffic via my server?
13:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
13:31 -!- metvop [i=HydraIRC@20.sub-70-211-135.myvzw.com] has joined ##openvpn
13:50 -!- pekster_ [n=pekster@c-76-113-143-76.hsd1.mn.comcast.net] has quit [Read error: 60 (Operation timed out)]
13:55 < ecrist> fir3: OpenVPN is not a distributed setup. all clients connect through the server.
13:55 < fir3> ecrist: so all the traffic goes through the server?
13:56 < fir3> are there any alternatives? something like hamachi, easy to use, for windows+linux
13:59 < ecrist> not sure
13:59 < ecrist> this is ##openvpn, really all I've cared to figure out, aside from Cisco IPSec
14:00 < reiffert> fir3: poptop
14:03 < fir3> reiffert: is pptp p2p or does all traffic go through the server?
14:04 < reiffert> fir3: pptp is rtfm.
14:05 < fir3> didn't i mention "easy to use"? :)
14:06 < reiffert> easy to use is stfu
14:13 < ecrist> fir3: why not use hamachi, as you suggest?
14:13 < fir3> hamachi doesn't work correctly on linux, i was able to connect but couldn't see other pcs or connect :/
14:13 < ecrist> use a real OS then.
14:13 < ecrist> :)
14:15 < ecrist> http://www.hackitlinux.com/50226711/using_hamachi_on_linux.php
14:15 < vpnHelper> Title: HackITLinux: Using Hamachi on Linux (at www.hackitlinux.com)
14:16 < fir3> i know how to use it on linux, the problem is that it doesn't really work
14:17 < ecrist> o.O
14:17 < ecrist> well, we're not aware of any distributed VPNs that work well on all OSes.
14:21 < fir3> i just found this: http://socialvpn.wordpress.com/ looks nice except that you need a facebook account and it's not as straightforward to install as hamachi, but i'll give it a try
14:21 < vpnHelper> Title: Social VPN (at socialvpn.wordpress.com)
14:21 < reiffert> ssh supports VPN.
14:22 < fir3> but not p2p i guess
14:22 < reiffert> rtfm and tell us.
14:22 < fir3> :)
14:23 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:24 < reiffert> starting with openssh-4.3
14:24 -!- lizone [n=zenst@user-0ccejib.cable.mindspring.com] has quit ["Leaving"]
14:30 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
15:07 -!- metvop [i=HydraIRC@20.sub-70-211-135.myvzw.com] has left ##openvpn []
15:08 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:13 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)]
15:17 -!- fir3 [n=chatzill@141.70.105.0] has quit ["ChatZilla 0.9.85 [Firefox 3.1b2/20081201080242]"]
15:18 -!- krzie [n=krzee@butters.secure-computing.net] has quit [Read error: 60 (Operation timed out)]
15:58 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
16:24 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"]
16:29 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
16:41 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
17:00 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
17:00 -!- [1]anwoke is now known as anwoke
17:01 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
17:14 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
17:15 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:18 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
17:34 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Read error: 60 (Operation timed out)]
17:37 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"]
17:38 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
17:39 -!- toehio_ [n=toehio@dyn.144-85-202-205.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)]
17:40 -!- toehio [n=toehio@dyn.83-228-212-124.dsl.vtx.ch] has joined ##openvpn
17:42 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:44 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit [Client Quit]
17:45 -!- lizone [n=lisar@user-0ccejib.cable.mindspring.com] has joined ##openvpn
17:47 < xp_prg> can you push dns entries for resolv.conf somehow?
17:51 < |Mike|> yes.
17:51 < |Mike|> serverside
17:51 < |Mike|> i did answer your question before..
17:53 < lizone> I need help with setting up sockd (dante proxy server) on debian lenny; my initial setup works flawlessly except proxying http traffic
17:55 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn
17:57 < lizone> anyone willing to help?
17:58 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn
17:58 < Douglas> !notopenvpn
17:58 < vpnHelper> Douglas: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:03 -!- toehio [n=toehio@dyn.83-228-212-124.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)]
18:13 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
18:13 -!- [2]anwoke is now known as anwoke
18:14 -!- lizone [n=lisar@user-0ccejib.cable.mindspring.com] has left ##openvpn ["Leaving"]
18:17 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)]
18:19 -!- toehio [n=toehio@dyn.144-85-201-096.dsl.vtx.ch] has joined ##openvpn
19:06 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn
19:06 < Kobaz> I've had this issue in the past
19:07 < Kobaz> I have my ca.crt on the server
19:07 < Kobaz> somehow i have a different ca.crt on the client
19:07 < Kobaz> and I can connect to the server just fine
19:07 < Kobaz> If i copy the ca.crt from the server to the client, so they both match... I get certificate failure
19:12 < |Mike|> use the full path serverside sir.
19:13 < |Mike|> you need to create client(s) certificates as well...
19:13 < Kobaz> yeah
19:13 < Kobaz> i have my client certs
19:13 < Kobaz> i've set up dozens of openvpn servers and clients
19:13 < Kobaz> and every so often i have an odd problem like this
19:14 < Kobaz> somehow the ca cert on the client gets changed, and it can still connect, and if I fix it with the correct ca, it can't connect
19:14 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: flokuehn, pa, joh, freaky[t], hackeron
19:14 < |Mike|> !logs
19:14 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:14 < |Mike|> read ^
19:15 < Kobaz> yeah
19:15 < Kobaz> from the logs it's not apparent what's wrong
19:16 -!- hackeron [n=hackeron@cpc3-seve19-2-0-cust404.13-3.cable.virginmedia.com] has joined ##openvpn
19:16 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn
19:17 * Douglas farts
19:18 -!- flokuehn [n=flokuehn@62.48.92.62] has joined ##openvpn
19:18 -!- flokuehn [n=flokuehn@62.48.92.62] has quit [Killed by reynolds.freenode.net (Nick collision)]
19:18 -!- flokuehn [n=flokuehn@globalways/developer/flokuehn] has joined ##openvpn
19:18 -!- freaky[t] [i=schnucki@member.team-box.net] has joined ##openvpn
19:18 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
19:18 -!- flokuehn [n=flokuehn@globalways/developer/flokuehn] has quit [Connection reset by peer]
19:18 -!- freaky[t] [i=schnucki@member.team-box.net] has quit [SendQ exceeded]
19:18 -!- flokuehn [n=flokuehn@62.48.92.62] has joined ##openvpn
19:19 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
19:20 < |Mike|> Kobaz: we need logs..
19:20 < |Mike|> verb 6
19:20 < Douglas> !logs
19:20 < vpnHelper> Douglas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:21 < Kobaz> i know
19:22 < Kobaz> you can stop that now
19:22 < Kobaz> i'm getting the logs... i had to put back the other ca
19:22 < Douglas> you can chill with the attitude
19:22 < Douglas> or.. like.. not get help
19:22 < Kobaz> pastebin.ca/1518565
19:22 < Kobaz> heh
19:22 * Douglas loads
19:23 < Kobaz> I'm just saying... I help other people with the same sort of stuff... and logs are important
19:24 < Kobaz> but, heh... you know
19:26 < Kobaz> that's with the correct ca
19:29 < Kobaz> and this is with the wrong ca... pastebin.ca/1518570
19:29 < |Mike|> your TLS handshake failed
19:29 < Kobaz> yeah i know
19:29 < Kobaz> with the correct ca... the certificate handshake fails
19:29 < Kobaz> with the wrong ca, it succeeds
19:29 < |Mike|> you need to generate the TLS certificates as well
19:30 < Kobaz> i have the ca.crt and ca.key
19:30 < Kobaz> and ca.crt's on the clients
19:33 < |Mike|> you didn't even read what i said sir.
19:33 < |Mike|> see the documentation about the TLS handshake (MITM)
19:34 < Kobaz> yeah I'm not sure how that helps
19:46 -!- boswarrior [n=mrnice@62.178.9.197] has joined ##openvpn
19:51 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
20:03 -!- toehio [n=toehio@dyn.144-85-201-096.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)]
20:09 -!- boswarrior [n=mrnice@62.178.9.197] has quit ["Ex-Chat"]
20:10 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
20:16 -!- toehio [n=toehio@dyn.83-228-135-247.dsl.vtx.ch] has joined ##openvpn
20:47 < mrnice1> !redirect
20:47 < vpnHelper> mrnice1: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:47 < mrnice1> !def1
20:47 < vpnHelper> mrnice1: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:48 < mrnice1> !iporder
20:48 < vpnHelper> mrnice1: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
20:48 < mrnice1> !ipforward
20:48 < vpnHelper> mrnice1: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:48 < mrnice1> !linipforward
20:48 < vpnHelper> mrnice1: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:57 -!- mrnice1 is now known as mrnice`
20:57 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:08 -!- master_of_master [i=master_o@p549D3CF4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3934.dip.t-dialin.net] has joined ##openvpn
22:16 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:30 -!- toehio [n=toehio@dyn.83-228-135-247.dsl.vtx.ch] has quit [Connection timed out]
22:31 -!- toehio [n=toehio@dyn.83-228-142-055.dsl.vtx.ch] has joined ##openvpn
23:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Wed Aug 05 2009
00:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:54 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has joined ##openvpn
01:54 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
01:57 -!- achilles [n=achilles@91.186.236.43] has joined ##openvpn
01:59 < achilles> hello, I have a problem, I installed a site-to-site vpn, it's okay, the tun devices connected, but the routes keep getting erased, I don't know why, can anybody help me please
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:11 -!- JyZyGyZyX [n=lol@a88-113-58-89.elisa-laajakaista.fi] has quit [Read error: 110 (Connection timed out)]
02:25 < achilles> oh I got it, dmesg shows that "tun0 disabled privacy extension"
02:25 < achilles> what does that mean ?
02:31 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
02:40 < reiffert> tun0 was disabling the privacy extension
03:49 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has joined ##openvpn
03:50 < mikeones> hello
03:54 < reiffert> hi mike11
03:55 < mikeones> does openvpn need a default-gw on the nic connecting to the internet? I am at a location where all traffic must go through a proxy. The address I get via DHCP does not have a default-gw, so the proxy is on the same lan as my address, requiring all traffic to go through the proxy to the internet.
04:11 < reiffert> what kind of proxy are we talking about?
04:12 < reiffert> In principle a default gateway takes all those packages that don't belong to the local subnet, so how should the OS know where to send the package to?
04:26 < mikeones> reiffert: so openvpn requires a default gateway to function even if I configure the client to use the proxy on the lan?
04:27 < mikeones> this seems to be the case for the checkpoint ssl vpn my company has, as I can't access this either
04:32 -!- deblike [n=xchat@vpn-pool-78-139-211-19.tomtel.ru] has joined ##openvpn
05:01 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:05 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
05:21 < |Mike|> heh
05:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 113 (No route to host)]
05:59 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:04 -!- deblike [n=xchat@vpn-pool-78-139-211-19.tomtel.ru] has quit [Client Quit]
06:27 -!- brizly [n=brizly_v@p4FC99B5B.dip0.t-ipconnect.de] has joined ##openvpn
06:44 -!- brizly1 [n=brizly_v@79.201.162.197] has quit [Read error: 110 (Connection timed out)]
07:16 < ecrist> good morning
07:17 < Douglas> sup bitches
07:26 -!- bakermd [n=bakermd@38.101.225.215] has quit [Read error: 104 (Connection reset by peer)]
07:26 -!- bakermd [n=bakermd@38.101.225.215] has joined ##openvpn
07:30 -!- bakermd [n=bakermd@38.101.225.215] has quit [Read error: 60 (Operation timed out)]
07:32 -!- bakermd [n=bakermd@38.101.225.215] has joined ##openvpn
07:33 -!- achilles [n=achilles@91.186.236.43] has quit [Read error: 113 (No route to host)]
07:39 -!- bakermd [n=bakermd@38.101.225.215] has quit [Read error: 60 (Operation timed out)]
07:40 -!- bakermd [n=bakermd@38.101.225.215] has joined ##openvpn
07:47 -!- bakermd_ [n=bakermd@38.101.225.215] has joined ##openvpn
07:48 -!- bakermd [n=bakermd@38.101.225.215] has quit [Read error: 104 (Connection reset by peer)]
07:56 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:09 -!- |ns|nR8 [n=doof@CPE-144-131-91-103.nsw.bigpond.net.au] has joined ##openvpn
08:19 -!- achilles [n=achilles@212.118.25.21] has joined ##openvpn
08:28 -!- achilles [n=achilles@212.118.25.21] has quit [Read error: 104 (Connection reset by peer)]
08:45 -!- achilles [n=achilles@212.118.25.21] has joined ##openvpn
09:01 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:01 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
09:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
09:07 -!- |ns|nR8 [n=doof@CPE-144-131-91-103.nsw.bigpond.net.au] has quit ["Leaving"]
09:10 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has joined ##openvpn
09:10 < supsc> !howto
09:10 < vpnHelper> supsc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:11 < supsc> !route
09:11 < vpnHelper> supsc: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:24 < bakermd_> Windows clients connecting to my OpenVPNAS box are working 100%, Linux clients are Not getting the DNS servers - any idea as to why Win would get DNS and not Linux?
09:30 < redfox> hi, i have a little routing problem. i've got a machine with a network interface (eth0 192.168.0.0/16 255.255.0.0) and a connected vpn client (tun0 10.222.1.1 255.255.255.255), i also have a machine in the local network which _has_ to be connected with ip 10.1.1.3, but i cannot reach this ip. i don't know the correct routing settings to accomplish this task, any suggestions?
09:32 -!- achilles [n=achilles@212.118.25.21] has quit [Read error: 113 (No route to host)]
09:42 -!- achilles [n=achilles@212.118.25.21] has joined ##openvpn
09:43 < supsc> !logs !configs
09:43 < vpnHelper> supsc: Error: "logs" is not a valid command.
09:43 < supsc> !logs
09:43 < vpnHelper> supsc: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:43 < supsc> !configs 09:43 < vpnHelper> supsc: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:44 < supsc> !interface 09:44 < vpnHelper> supsc: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:45 < supsc> !man 09:45 < vpnHelper> supsc: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:45 < redfox> actually its not a openvpn related problem 09:45 < supsc> !topology 09:45 < vpnHelper> supsc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
09:45 < supsc> !iporder 09:45 < vpnHelper> supsc: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 09:45 < supsc> !/30 09:45 < vpnHelper> supsc: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:50 -!- achilles [n=achilles@212.118.25.21] has quit [Read error: 60 (Operation timed out)] 09:59 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 09:59 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has left ##openvpn [] 10:11 < mikeones> does openvpn need a default-gw on the nic connecting to the internet? I am at a location where all traffic must go through a proxy. The address I get via DHCP does not have a default-gw so the proxy is on the same lan as my address requiring all traffic to go through the proxy to the internet. 10:32 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 10:36 -!- Gumbler is now known as HappyGumbler 11:00 < bakermd_> Anyone know how to allow hosts on the LAN to connect to the 10.8.0.x IPs that are given to VPN clients? 
If I am on the VPN Server I can access them this way, but it would be advantageous if I could access them from any machine on the LAN 11:06 -!- achilles [n=achilles@91.186.236.43] has joined ##openvpn 11:08 -!- YpsyZNC is now known as Ypsy 11:17 -!- unclecameron [n=unclecam@74-47-23-103.dr01.myck.or.frontiernet.net] has joined ##openvpn 11:21 < reiffert> bakermd_: 11:21 < reiffert> !route 11:21 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:21 < bakermd_> reiffert: Gotcha - thanks 11:25 -!- HappyGumbler is now known as Gumbler 11:29 < unclecameron> client can ssh into server, but not LAN behind it, read guide in link above http://pastebin.com/m469c2695 11:31 < reiffert> unclecameron: would you mind reading the URL as well? 11:31 < reiffert> !route 11:31 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:31 * ecrist tries not to break his website. 11:31 < unclecameron> read it a few times now 11:32 < ecrist> I'm recompiling PHP and extensions, so it may go up/down. 11:32 < unclecameron> it's not exactly my setup, so trying to sort it out 11:32 < reiffert> unclecameron: then you should know that pushing the route from the vpn transfer net is not the way to do it. 11:33 < reiffert> where 10.1.2.0/24 seems to be your transfer-net 11:33 < reiffert> and 10.1.2.0/24 seems to be your server lan as well 11:33 < reiffert> change that. 11:33 < unclecameron> yeah, I think that's what's screwing me up 11:34 < reiffert> unclecameron: !howto is the way to do it. 11:34 < reiffert> !howto 11:34 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 11:35 < unclecameron> I'm trying to use the same eth0 on the server to both accept incoming vpn tunnels and route back out on the same subnet, will this work 11:35 < unclecameron> the vpn sits in a dmz, then I want the intranet firewall to only accept connections from the vpn box 11:35 < reiffert> yes. 11:40 -!- Ypsy is now known as YpsyZNC 11:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:40 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 11:52 < bakermd_> I think I'm almost done getting everything to work now w/openvpn - One issue remains: If a machine is set to connect at boot, via /etc/openvpn/conn.conf I see the device connect to the VPN and then almost immediately disconnect with the following message repeating in messages every 5 seconds: Cannot load private key file [[INLINE]]: error:02001002:system library:fopen:No such file or directory: error:20074002 11:52 < bakermd_> If I manually issue a service openvpn restart, the client is happy again... any thoughts? 11:53 -!- achilles [n=achilles@91.186.236.43] has quit [Read error: 104 (Connection reset by peer)] 11:53 -!- achilles [n=achilles@91.186.236.43] has joined ##openvpn 11:58 < reiffert> bakermd_: where do you store the key files? 12:10 < PeterFA> reiffert, where your config file will reference them. 12:10 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 12:10 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 12:12 < PeterFA> Why would OpenVPN refuse a connection with error 111 with UDP? 12:14 -!- funky [n=repulse@unaffiliated/funky] has joined ##openvpn 12:14 < funky> hello 12:14 < funky> !howto 12:14 < vpnHelper> funky: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 12:18 < ecrist> PeterFA: 12:19 < ecrist> !logs 12:19 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 12:20 < PeterFA> ecrist, would you be willing to look at a log with verb at 5? 12:20 < PeterFA> ecrist, 12:20 < PeterFA> I'm troubleshooting somebody else. 12:25 < PeterFA> All I have is a log with verbosity at level 5. 12:34 -!- YpsyZNC is now known as Ypsy 12:36 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 12:37 -!- achilles [n=achilles@91.186.236.43] has quit [No route to host] 12:47 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 12:51 -!- Bushmills is now known as l 12:52 -!- c64zottel [n=hans@p5B17B469.dip0.t-ipconnect.de] has joined ##openvpn 12:52 -!- l is now known as Guest62686 12:52 -!- c64zottel [n=hans@p5B17B469.dip0.t-ipconnect.de] has left ##openvpn [] 12:53 -!- Guest62686 is now known as Bushmills 12:56 < ecrist> ok, I'm going to restart my apache, we'll see if things work still 13:01 -!- bandini [n=bandini@host47-108-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 13:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:10 < PeterFA> Would not having the module for Mr. tun cause err 111? 13:12 * ecrist doesn't know what 111 is 13:12 < ecrist> !111 13:12 < vpnHelper> ecrist: Error: "111" is not a valid command. 13:13 < PeterFA> ecrist, the error 111 with label, "Connection refused" 13:13 < ecrist> that sounds to me like a firewall issue 13:14 < ecrist> !learn 111 as 'Connection Refused' - Check your firewall. 13:14 < vpnHelper> ecrist: Joo got it. 13:16 < Douglas> !learn ecrist as smelly old hag 13:16 < vpnHelper> Douglas: Error: You don't have the factoids.learn capability. 
If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:17 < PeterFA> Possibly, it could mean that the module for Mr. tun isn't there. 13:31 < ecrist> PeterFA: without logs at verb 6, we cannot help you 13:31 < PeterFA> ecrist, ok. 13:48 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn 13:58 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has joined ##openvpn 13:58 < FluxTendu> !howto 13:58 < vpnHelper> FluxTendu: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:05 < FluxTendu> sorry but i have a newbie question: my connection to the server is set, but my net programs still use my nic card. what can i do to redirect all traffic to the tap-win32 adapter? 14:06 < FluxTendu> (windows 7 rc) 14:07 -!- andre_pl [n=andre@206.225.8.61] has joined ##openvpn 14:08 < andre_pl> I've got an openVPN client and server finally working together, but i'm wondering now if there's a way to tell the client to only use the VPN for certain connections, it seems everything i do goes through the VPN now, it's taken over my connection 14:13 -!- jeiworth [n=jeiworth@189.163.134.102] has quit ["No Ping reply in 90 seconds."] 14:15 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 14:18 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 14:24 -!- teddy [n=teddy@208.92.235.227] has quit [Read error: 60 (Operation timed out)] 14:24 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 54 (Connection reset by peer)] 14:24 -!- teddy [n=teddy@208.92.235.227] has joined ##openvpn 14:25 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 14:26 -!- worch [i=worch@battletoad.com] has joined ##openvpn 14:26 -!- worch_ [i=worch@battletoad.com] has quit [Read error: 54 (Connection reset by peer)] 14:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 
14:36 -!- R3g15 [n=Cecinest@81.222.64.211] has joined ##openvpn 14:40 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has quit [Read error: 104 (Connection reset by peer)] 14:40 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has joined ##openvpn 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 14:49 < ecrist> andre_pl: it depends on the configuration of the client and server 14:49 < ecrist> !configs 14:49 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:54 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has quit [Read error: 54 (Connection reset by peer)] 14:55 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 14:56 -!- andre_pl_ [n=andre@CPE002129932fb2-CM0019475d2388.cpe.net.cable.rogers.com] has joined ##openvpn 14:59 -!- toehio [n=toehio@dyn.83-228-142-055.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 15:00 -!- R3g15 [n=Cecinest@81.222.64.211] has quit [Read error: 110 (Connection timed out)] 15:00 -!- toehio [n=toehio@dyn.144-85-164-245.dsl.vtx.ch] has joined ##openvpn 15:09 -!- bandini [n=bandini@host47-108-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 15:09 -!- andre_pl [n=andre@206.225.8.61] has quit [Read error: 110 (Connection timed out)] 15:26 -!- Ypsy is now known as YpsyZNC 15:30 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 15:33 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has joined ##openvpn 15:39 < FluxTendu> !route 15:39 < vpnHelper> FluxTendu: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:43 -!- 
brizly [n=brizly_v@p4FC99B5B.dip0.t-ipconnect.de] has quit ["Leaving."] 15:48 < FluxTendu> i want to connect to the ivacy.com openvpn with my windows 7, the connection/log seems ok, but my applications don't use the right route... http://pastebin.org/6801 16:00 < FluxTendu> !iporder 16:00 < vpnHelper> FluxTendu: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 16:01 -!- FluxTendu [n=Cecinest@240.136.101-84.rev.gaoland.net] has quit [] 16:07 -!- toehio [n=toehio@dyn.144-85-164-245.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 16:09 -!- toehio [n=toehio@dyn.144-85-178-059.dsl.vtx.ch] has joined ##openvpn 16:24 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 16:30 -!- flokuehn [n=flokuehn@62.48.92.62] has quit ["Lost terminal"] 16:31 -!- flokuehn [n=flokuehn@62.48.92.62] has joined ##openvpn 17:07 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)] 17:19 < |Mike|> hello. 17:22 -!- YpsyZNC is now known as Ypsy 17:25 < PeterFA> The bot should be retrained to say, "try modprobe tun" when someone says "!111" 17:25 < PeterFA> !111 17:25 < vpnHelper> PeterFA: "111" is 'Connection Refused' - Check your firewall. 17:26 < Douglas> http://web.twzone.net/08052009073.jpg 17:26 < Douglas> anyone want? its freeeeeeeeee 17:26 < |Mike|> vpnHelper: forget 111 17:26 < vpnHelper> |Mike|: Joo got it. 17:26 < |Mike|> !111 17:26 < vpnHelper> |Mike|: Error: "111" is not a valid command. 17:26 < |Mike|> bleh 17:26 < |Mike|> bots-- 17:26 < PeterFA> |Mike|, thanks. 
17:26 < |Mike|> PeterFA: you might want to contact ecrist :) 17:26 < PeterFA> |Mike|, ok. 17:27 < PeterFA> ecrist, Err 111 seems to be caused also by the fact that tun module isn't loaded in the case of Linux. 17:29 -!- anwoke [n=A@71.35.255.238] has joined ##openvpn 17:39 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"] 17:40 -!- anwoke [n=A@71.35.255.238] has quit [Read error: 60 (Operation timed out)] 17:53 -!- toehio [n=toehio@dyn.144-85-178-059.dsl.vtx.ch] has quit [Network is unreachable] 17:54 -!- toehio [n=toehio@dyn.144-85-187-218.dsl.vtx.ch] has joined ##openvpn 17:57 < PeterFA> I'm off to start playing with OpenVPN based VPNs. I wrote a script that tests a bunch. 17:57 < PeterFA> Which means, this client won't stay connected. 17:57 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit ["Off playing with VPNs."] 17:58 < |Mike|> define tests.. 18:06 -!- andre_pl_ [n=andre@CPE002129932fb2-CM0019475d2388.cpe.net.cable.rogers.com] has quit ["leaving"] 18:19 -!- funky [n=repulse@unaffiliated/funky] has quit ["leaving"] 18:35 * Douglas just ate for an hour no stop 19:05 -!- Ypsy is now known as YpsyZNC 19:07 -!- unclecameron1 [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has joined ##openvpn 19:08 < Douglas> ecrist 19:11 -!- unclecameron [n=unclecam@74-47-23-103.dr01.myck.or.frontiernet.net] has quit [Read error: 60 (Operation timed out)] 19:47 -!- unclecameron1 [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has left ##openvpn [] 19:48 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: NfNitLoop, hackeron, |Mike| 19:49 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: joh, xand, jreno, Kobaz 19:50 -!- Netsplit over, joins: hackeron 19:52 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 19:52 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 19:52 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn 19:52 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 
19:52 -!- xand [n=xand@unaffiliated/xelam] has joined ##openvpn 19:52 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 19:53 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 19:53 < xp_prg> how do I limit the dhcp addresses handed out? 19:54 < xp_prg> can I reserve a dhcp address of my choosing? 19:58 -!- anwoke [n=A@71.35.255.238] has joined ##openvpn 20:05 < xp_prg> hi anwoke do you know a way to allocate a fixed ip address? 20:06 < Douglas> er 20:06 < Douglas> static ip per client 20:06 < Douglas> ? 20:06 < xp_prg> no I want one static ip for a certain client and the rest to be dynamic 20:06 < Douglas> !ccd 20:06 < vpnHelper> Douglas: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 20:06 < xp_prg> the problem is the dynamic ip gives out the static ip address sometimes 20:07 < xp_prg> how can I tell it not to do that? 20:07 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:07 < Douglas> ello td 20:08 < xp_prg> Douglas do you know? 20:09 < Douglas> no 20:09 < thedoc> o/ 20:10 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 20:12 < xp_prg> well do you understand the pool idea? 20:13 -!- trnzmeta [n=bleh@secure27.lnk.telstra.net] has joined ##openvpn 20:14 < trnzmeta> guys: auth.log: openvpn[23643]: PAM unable to dlopen(/lib/security/pam_mysql.so): /lib/security/pam_mysql.so: undefined symbol: pam_get_item 20:15 < trnzmeta> and openvpn[23643]: PAM adding faulty module: /lib/security/pam_mysql.so 20:15 < trnzmeta> any ideas? 
20:15 < Douglas> o.O 20:15 < Douglas> what in the 20:15 * Douglas beats ecrist with a cattle prod 20:24 -!- anwoke [n=A@71.35.255.238] has quit [Read error: 113 (No route to host)] 20:24 -!- [1]anwoke is now known as anwoke 20:43 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 20:54 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:55 < xp_prg> anyone used the ifconfig-pool ? 21:14 -!- master_of_master [i=master_o@p549D3934.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:17 -!- master_of_master [i=master_o@p549D3D5D.dip.t-dialin.net] has joined ##openvpn 21:56 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 21:56 < thedoc> Solar winds orion ftw. 21:56 < thedoc> \o/ 21:58 < Douglas> lol 22:02 -!- hoops125 [n=hoops125@CPE00bc4fe9ed0b-CM001a7008191a.cpe.net.cable.rogers.com] has joined ##openvpn 22:02 < hoops125> Is there a way to compile OpenVPN, so that OpenSSL is built into OpenVPN itself, and not requiring any other OpenSSL executables/libraries from the computer where it is installed? 
22:07 -!- hoops125 [n=hoops125@CPE00bc4fe9ed0b-CM001a7008191a.cpe.net.cable.rogers.com] has quit [] 22:57 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:05 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 23:05 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 23:43 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)] 23:57 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn --- Day changed Thu Aug 06 2009 00:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:57 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn [] 01:08 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 01:12 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn 01:12 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)] 01:16 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 01:24 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 01:24 -!- [1]anwoke is now known as anwoke 01:32 -!- [2]anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 01:43 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:46 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:53 -!- parag7732 [n=parag773@mail2.eastnets.com] has joined ##openvpn 01:55 < parag7732> In pptp logs I'm finding this "CCP: timeout sending Config-Requests" but it doesn't terminate the ppp interface and it remains up? I want it to immediately terminate the ppp session when a timeout occurs. 01:56 < dazo> parag7732: pptp is not OpenVPN .... probably not the right place for pptp questions :( 01:56 < parag7732> dazo, #pptp is not up 01:56 < dazo> parag7732: sorry about that .... here people mostly talk about OpenVPN stuff ... 
01:57 < parag7732> dazo, any other place u can recommend pls ? 01:57 * dazo tries to think about some channels 02:00 < dazo> parag7732: sorry, I don't think there is ... can't find any references anywhere else. I can't see anyone have recommended any channels in my irc logs either 02:01 < dazo> parag7732: why not go for openvpn instead? .... it's safer, and has an active community, both on irc and mailing lists 02:01 < parag7732> dazo, thanks 02:01 < parag7732> dazo, there are 1000s of devices which support l2tp and pptp 02:01 < parag7732> not openvpn 02:01 < parag7732> can openvpn run on 1723 port and provide the same ? 02:02 < parag7732> as like pptp 02:02 < dazo> parag7732: true .... but openvpn got the community pptp is lacking 02:02 < dazo> parag7732: no, OpenVPN and pptp are two very different protocols ... not compatible at all 02:02 < parag7732> dazo, Yes i know this....but i have many hardware devices which only support pptp and l2tp 02:02 < parag7732> that's why I'm using poptop 02:03 < dazo> I see ... well, sorry I can't help you here then 02:03 < parag7732> Thanks Dazo, 02:03 < dazo> np! 02:04 < dazo> parag7732: just out of curiosity ... what kind of hardware devices are you setting up? 
02:05 < parag7732> VOIP ATA's with inbuilt pptp vpn :) 02:05 < dazo> ahh 02:59 -!- achilles [n=achilles@91.186.236.43] has joined ##openvpn 03:10 -!- joh [i=johannj@caracal.stud.ntnu.no] has quit [Remote closed the connection] 03:24 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 03:25 -!- achilles [n=achilles@91.186.236.43] has quit [Remote closed the connection] 03:45 -!- trnzmeta [n=bleh@secure27.lnk.telstra.net] has quit [] 03:52 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 03:59 -!- joh [i=johannj@caracal.stud.ntnu.no] has joined ##openvpn 04:14 -!- thedoc [n=andelyx@vpn1.edgewire.sg] has joined ##openvpn 04:34 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 04:52 -!- |ns|nR8 [n=doof@CPE-138-130-145-140.nsw.bigpond.net.au] has joined ##openvpn 04:54 -!- zoki [n=zoki@80.77.144.66] has joined ##openvpn 04:57 < zoki> hello 04:58 < zoki> I want to ask is there a way that I can specify in the server config to push route only to one host? 04:59 < thedoc> zoki, ccd 04:59 < zoki> ah ok, thanx thedoc 05:00 < zoki> and I have a problem from time to time on my openvpn server 05:01 < zoki> for some reason openvpn is eating my CPU 05:01 < zoki> and then there is no connectivity 05:01 < zoki> after some time cpu usage goes down and my connectivity is ok again 05:02 < zoki> any guess why openvpn would eat my CPU? 05:03 < zoki> i'm reading the logs all day long and can't find any reason 05:03 < |ns|nR8> what operating system ? 05:03 < |ns|nR8> windows ? 
05:04 < zoki> linux, slackware 11 05:05 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 05:09 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn 05:15 -!- Bushmills [n=nnnnnnl@verhau.de] has left ##openvpn ["Leaving."] 05:21 -!- zoki [n=zoki@80.77.144.66] has quit ["Leaving"] 05:43 -!- teddy [n=teddy@208.92.235.227] has quit [Read error: 110 (Connection timed out)] 05:48 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: Kryczek 05:49 -!- Netsplit over, joins: Kryczek 05:53 -!- |ns|nR8 [n=doof@CPE-138-130-145-140.nsw.bigpond.net.au] has quit [Read error: 110 (Connection timed out)] 05:56 -!- |ns|nR8 [n=doof@CPE-203-51-70-194.nsw.bigpond.net.au] has joined ##openvpn 06:39 < ecrist> Douglas: what? 06:43 < ecrist> looks like ovpnforum didn't survive my php upgrade 06:43 < ecrist> will work on it 06:47 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 06:48 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has joined ##openvpn 06:50 < supsc> is it possible to tell the server which certified client should get which ip address, so that i can route special clients in a different way? 06:58 < reiffert> yes. 06:58 < reiffert> !ccd 06:58 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 06:59 < supsc> thx 07:03 < reiffert> !static 07:03 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 07:03 < reiffert> !iporder 07:03 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 07:07 -!- teddy [n=teddy@208.92.235.227] has joined ##openvpn 07:23 -!- parag7732 [n=parag773@mail2.eastnets.com] has quit ["Leaving"] 07:26 < |Mike|> ecrist: lol 07:30 -!- toehio [n=toehio@dyn.144-85-187-218.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 07:32 -!- toehio [n=toehio@dyn.83-228-192-226.dsl.vtx.ch] has joined ##openvpn 07:35 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 07:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:54 -!- BoomSie is now known as BoomSie32 08:03 < Douglas> ecrist 08:08 < ecrist> Douglas: what? 08:09 -!- bakermd_ [n=bakermd@38.101.225.215] has quit [Client Quit] 08:09 < Douglas> is there something up with the server 08:09 * Douglas is transferring ovpnforum.com to another registrar, but has never had that make a site not work 08:18 < ecrist> Douglas: read up 08:18 < Douglas> oh ha 08:18 < Douglas> righto 08:19 < ecrist> I think it's got something to do with php5-mcrypt, as a dependency isn't installing correctly, still trying to debug 08:19 < ecrist> don't know when I'll get it working. 
08:20 < Douglas> i guess i can throw up a static html page later 08:26 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has left ##openvpn [] 08:33 < ecrist> Douglas: got mcrypt installed, but it's still not loading. trying to figure out why 08:34 -!- |ns|nR8 [n=doof@CPE-203-51-70-194.nsw.bigpond.net.au] has quit ["Leaving"] 08:35 < Gorkhaan> Hi everyone, sorry to interrupt. I have a small question. What are the advantages of this option? push "dhcp-option DOMAIN domainname.ltd" 08:38 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:38 < ecrist> Douglas: back online 08:45 -!- teddy [n=teddy@208.92.235.227] has quit ["Ex-Chat"] 08:46 < reiffert> Gorkhaan: probably none as your vpn client will not be able to resolve domainname.ltd to an ip address for using that host as a DNS server. 08:46 < Douglas> ecrist yay 08:47 < Gorkhaan> reiffert : ok, thx. :) 09:28 -!- toehio [n=toehio@dyn.83-228-192-226.dsl.vtx.ch] has quit [Success] 09:29 -!- toehio [n=toehio@dyn.83-228-215-198.dsl.vtx.ch] has joined ##openvpn 09:33 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has joined ##openvpn 09:36 < supsc> probably it's obvious for most people, but i still can't figure it out: 09:36 < supsc> when having a bridged vpn (host to net) i try to force one windows host a specific ip, which it now already gets - but unfortunately the dhcp of the net sets another ip to the windows client which i don't want to happen. any simple solutions for this scenario? 09:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:39 < ecrist> supsc: ask again, krzee probably knows 09:40 < supsc> when having a bridged vpn (host to net) i try to force one windows host a specific ip, which it now already gets - but unfortunately the dhcp of the net sets another ip to the windows client which i don't want to happen. any simple solutions for this scenario? 
09:46 -!- jeiworth [n=jeiworth@189.177.20.66] has joined ##openvpn 09:48 -!- globe_tmp [i=29f909f1@gateway/web/freenode/x-qvqgzjpbasqtwgke] has joined ##openvpn 09:48 < globe_tmp> hi 09:49 < reiffert> supsc: see man dhcp-options 09:49 < globe_tmp> ppl i set up an OpenVPN setup; and i got a script for nat related http://pastebin.com/m2228c925 09:49 < globe_tmp> and i want to block all my incoming ssh traffic from vpn client 09:49 < reiffert> supsc: class your hosts in hosts to get a DHCP-IP and those which mac-addresses start with 00:FF which is typical for openvpn 09:50 < reiffert> supsc: I think ISC dhcp daemon config/manpages cover it. 09:50 < globe_tmp> but /sbin/iptables -I INPUT -p tcp --dport 22 -s 10.8.0.0/24 -j DROP doesn't have any effect 09:51 < supsc> reiffert: unfortunately the dhcp is some netgear router where i can't really configure things in 09:51 < reiffert> supsc: firewall your client. 09:53 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 09:53 < supsc> reiffert: oh dear - looks like no way around learning some iptables, hoped there was an online config ;-) thx so far 09:55 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 10:00 -!- supsc [n=stiebing@static-213-182-96-193.teleos-web.de] has left ##openvpn [] 10:02 -!- BoomSie32 [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"] 10:07 -!- toehio [n=toehio@dyn.83-228-215-198.dsl.vtx.ch] has quit [Success] 10:08 -!- toehio [n=toehio@dyn.144-85-223-114.dsl.vtx.ch] has joined ##openvpn 10:27 -!- NfNitLoo` [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 10:28 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 104 (Connection reset by peer)] 10:30 -!- Douglas [i=Douglas@64.18.144.2] has quit [] 10:30 -!- Douglas [i=doug@208.99.80.128] has joined ##openvpn 10:32 -!- NfNitLoo` is now known as NfNitLoop 10:37 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation 
timed out)] 10:51 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 11:00 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 11:02 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 11:03 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 11:04 -!- c64zottel [n=hans@p5B17B3DF.dip0.t-ipconnect.de] has joined ##openvpn 11:09 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 11:12 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 11:13 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 11:17 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 11:17 -!- c64zottel [n=hans@p5B17B3DF.dip0.t-ipconnect.de] has quit ["Leaving."] 11:19 -!- CaMason [n=CaMason@93-97-245-22.zone5.bethere.co.uk] has joined ##openvpn 11:20 < CaMason> hi guys. I've got this app that pipes the key to openVPN (windows). Is there any way I can get hold of that key? 
(so I can set this up manually) 11:23 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 11:28 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 11:31 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 11:36 -!- toehio [n=toehio@dyn.144-85-223-114.dsl.vtx.ch] has quit [Read error: 110 (Connection timed out)] 11:37 -!- toehio [n=toehio@dyn.83-228-186-211.dsl.vtx.ch] has joined ##openvpn 11:44 -!- globe_tmp [i=29f909f1@gateway/web/freenode/x-qvqgzjpbasqtwgke] has quit ["Page closed"] 11:56 -!- Bushmills [n=nnnnnnl@verhau.de] has joined ##openvpn 12:03 -!- CaMason [n=CaMason@93-97-245-22.zone5.bethere.co.uk] has quit [Read error: 104 (Connection reset by peer)] 12:05 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:12 -!- watwat [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has joined ##openvpn 12:17 -!- watwat [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has quit [Remote closed the connection] 12:30 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 12:31 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 12:34 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 12:53 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 12:54 -!- c64zottel [n=hans@p5B17B3DF.dip0.t-ipconnect.de] has joined ##openvpn 12:55 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 12:55 -!- [1]anwoke is now known as anwoke 13:02 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 13:02 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 13:02 -!- [1]anwoke is now known as anwoke 13:06 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 13:07 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 13:08 -!- [1]anwoke is now known as anwoke 13:13 < xp_prg> is it posible to push a command to all 
clients when they connect? 13:13 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 13:13 < krzee> as in... 13:14 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 13:14 -!- [1]anwoke is now known as anwoke 13:14 < xp_prg> /etc/init.d/set_dns.py 13:14 < krzee> ahh 13:15 < krzee> no, thats gotta be set on clients 13:27 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 13:33 -!- NfNitLoo` [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 13:34 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 104 (Connection reset by peer)] 13:40 < ecrist> non-developers do not understand the complexity and sheer amount of code needed to build a functional menu for a website. 13:40 < Douglas> lol 13:40 < ecrist> my menu array, non-minified, is already at 300 lines of code. 13:40 < Douglas> ecrist: i just got a foundry fastiron 1500 13:40 < Douglas> loaded 13:40 < ecrist> sweet 13:40 < Douglas> ecrist: http://web.twzone.net/08052009073.jpg 13:41 < Douglas> for a price of 0 dollars and 0 cents 13:52 -!- jeiworth_ [n=jeiworth@189.177.33.39] has joined ##openvpn 13:52 -!- jeiworth [n=jeiworth@189.177.20.66] has quit [Read error: 104 (Connection reset by peer)] 13:57 < ecrist> Douglas: sweet 13:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:59 < Douglas> ecrist: yes 13:59 < Douglas> i also got 4 2u amd opterons with 4gb ram and 8x15k scsi 13:59 < Douglas> again.. free 14:03 < xp_prg> I am looking in the /etc/init.d/openvpn and can't find where tun0 is brought up 14:03 < xp_prg> any ideas? 
14:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 < ecrist> xp_prg: it's brought up by the openvpn binary 14:48 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:08 < ecrist> 11k just to hold the array to generate the code for my site menu 15:08 < ecrist> sheesh 15:23 -!- NfNitLoo` is now known as NfNitLoop 15:36 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 15:37 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 15:42 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 15:45 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has joined ##openvpn 15:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:58 -!- NfNitLoop [n=bip@cl-852.chi-02.us.sixxs.net] has quit [Read error: 60 (Operation timed out)] 16:00 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 16:09 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 16:12 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 16:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 16:30 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 16:30 -!- [1]anwoke is now known as anwoke 16:32 -!- c64zottel [n=hans@p5B17B3DF.dip0.t-ipconnect.de] has quit ["Leaving."] 16:49 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn 16:58 < PeterFA> I need to pass a user name and password to openvpn as a client in commandline mode entirely non-interactively. 17:16 < PeterFA> "# openvpn --remote 192.168.1.100 1194 --proto udp $VPNArguments & <(echo "username"; echo "password")" results in "bash: /dev/fd/63: permission denied" 17:17 < PeterFA> Does OpenVPN insist on stdin from keyboard? 
17:34 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:35 < reiffert> PeterFA: see manpage for script-security- 17:43 < PeterFA> reiffert, ok, so I reduced the security level (high security isn't needed for the user/pass) 17:43 < PeterFA> I've been writing a script that goes through a list of servers and checks their vitals. 17:43 < PeterFA> It's so the admins can get a heads up early instead of waiting for customers. 17:43 < PeterFA> You know, when they complain. 17:51 < PeterFA> What is the format for the file that OpenVPN will refer to to get the username/pass? 17:51 < PeterFA> It's supposed to be on separate lines, and that's all the manual says, but OpenVPN client refuses to read the password. 17:53 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has joined ##openvpn 17:57 -!- lonebrave [n=lonebrav@pool-72-81-244-68.bltmmd.fios.verizon.net] has joined ##openvpn 18:06 < PeterFA> --script-security seems to have no effect on authentication at all. I want to get it from the file but I can't. 18:22 -!- jeiworth_ [n=jeiworth@189.177.33.39] has quit [Read error: 110 (Connection timed out)] 18:30 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 110 (Connection timed out)] 18:38 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn 19:26 -!- lonebrave [n=lonebrav@pool-72-81-244-68.bltmmd.fios.verizon.net] has quit [] 19:32 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 19:37 -!- Eagleray [n=erayd@khepry.erayd.net] has joined ##openvpn 19:37 < Eagleray> Hi - I'm wanting to assign different vlans to different clients, using the same server instance. Is this possible? 19:38 < Eagleray> i.e. 
basically the idea is to segregate clients into different vlan groups, as the system will be running in tap mode, but without letting the client specify which vlan they are on 19:48 -!- ^Sug4r^ [n=^Sug4r^@78.251.90.230] has joined ##openvpn 19:51 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 20:00 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has left ##openvpn [] 20:07 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:19 -!- ^Sug4r^ [n=^Sug4r^@78.251.90.230] has quit ["Leaving... TTYL"] 20:19 -!- tjoff [n=a@c213-89-131-87.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)] 20:25 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit ["Leaving"] 20:35 -!- PeterFA [n=peter@95.211.4.12] has joined ##openvpn 20:35 < PeterFA> What's the performance hit of OpenVPN? 20:36 < Eagleray> PeterFA: minimal - realistically it's just the crypto overhead 20:36 < PeterFA> Eagleray, ok. 20:36 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Client Quit] 20:36 < Eagleray> PeterFA: the tunneling doesn't add much, unless you're doing very crazy things with your MTU 20:49 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 20:54 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 60 (Operation timed out)] 20:54 -!- [1]anwoke is now known as anwoke 20:56 -!- cyris| [n=cyris@S0106001e2a4f7c8d.ed.shawcable.net] has joined ##openvpn 20:58 < Eagleray> I'm trying to do this: http://pressf1.co.nz/showthread.php?p=808217 - can anyone help with that? I'm utterly stumped. 
20:58 < vpnHelper> Title: OpenVPN & VLANs - server config problem - PC World Forums (at pressf1.co.nz) 20:58 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 20:58 -!- cyris| [n=cyris@S0106001e2a4f7c8d.ed.shawcable.net] has quit [Client Quit] 21:06 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:08 -!- master_of_master [i=master_o@p549D3D5D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:13 -!- master_of_master [i=master_o@p549D3AD7.dip.t-dialin.net] has joined ##openvpn 21:13 -!- PeterFA [n=peter@c-67-183-73-27.hsd1.wa.comcast.net] has joined ##openvpn 21:14 < PeterFA> I need a reliable way to determine if the VPN is running or not. It has to be a command I can use in a script. I'm hoping I don't have to use netcat. 21:14 < Eagleray> ping will do :p 21:14 < PeterFA> Eagleray, how will ping work? 21:14 < Eagleray> or ps if all you care about is the process 21:14 < Eagleray> well if you're using ping, just ping the other end of the tunnel 21:14 < PeterFA> Eagleray, I want to know if it has successfully created a VPN. 21:15 < Eagleray> if the tunnel is up, it returns true 21:15 < Eagleray> if the tunnel is down, it will return false 21:15 < Eagleray> what more do you need? 21:15 < PeterFA> Eagleray, what if I don't know the IP of the other end of the tunnel? 21:15 < Eagleray> then watch syslog for a successful connection 21:15 < Eagleray> or interrogate the local interfaces to find the ip at the other end 21:16 -!- anwoke [n=A@65.100.249.52] has quit [Connection timed out] 21:16 -!- [1]anwoke is now known as anwoke 21:16 < Eagleray> I can't really give you more info without you telling me more about your setup and what you're trying to achieve 21:16 < PeterFA> Is there an easy way to see if tun0 gets an IP without monkeying around with too much grep, awk, and sed stuff? 
21:17 < PeterFA> Eagleray, ok, I'm writing a script that goes to each server listed on the command line, tries to connect to it, and if successful, runs a series of tests, recording their results and uploading the results to another server. 21:17 < PeterFA> Eagleray, the setup is overly flexible and unreliable. 21:18 < PeterFA> Eagleray, the point isn't to create a VPN to use, but to test. 21:18 < PeterFA> When finished, it's closed and the script moves on to the next one. 21:18 < Eagleray> And why don't you want to use grep, sed or awk? 21:18 < PeterFA> Eagleray, because I'm getting kind of tired of scripting. 21:19 < PeterFA> Eagleray, I want to use the easiest method possible. 21:19 < Eagleray> the easiest method possible is ifconfig+grep+sed, if you want to find out the remote ip 21:19 < Eagleray> or if you want better performance, interrogate the files in /proc/net directly 21:19 < PeterFA> Eagleray, I don't need the remote IP. 21:19 < PeterFA> Eagleray, hmm. 21:20 < PeterFA> Eagleray, that might be the way to go. 21:20 < Eagleray> ok, so what *do* you need? 21:20 < Eagleray> is the only thing you need to know whether the tunnel is up? 21:20 < PeterFA> Eagleray, yeah. 21:20 < Eagleray> then just watch the openvpn log output 21:21 < PeterFA> so that I can wait for the client to authenticate, and then the script can move on to a bunch of tests. 21:21 < Eagleray> it will tell you if the tunnel initialisation succeeded or not 21:21 < PeterFA> Eagleray, thanks for your help. Adios. 
21:21 -!- PeterFA [n=peter@unaffiliated/peterfa] has left ##openvpn ["Leaving"] 23:23 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has joined ##openvpn 23:26 -!- oc80z [i=oc80z@blea.ch] has quit [Remote closed the connection] 23:27 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn --- Day changed Fri Aug 07 2009 00:02 -!- Gumbler [n=Gumbler@unaffiliated/gumbler] has quit ["Quit"] 00:02 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn 00:02 -!- Gumbler_ is now known as Gumbler 00:18 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"] 01:00 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:24 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 02:39 -!- MT- [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has joined ##openvpn 02:40 < MT-> so... how do I make a connection to my server from command line? 02:41 < MT-> I got sick of network manager so I switched to wicd which doesn't have ovpn support leaving me to do this part from cli 02:54 < MT-> I suppose I need a config file that I can use to manage my configs - still don't know how to make the config yet :( 02:55 < reiffert> !howto 02:55 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:00 -!- antiwire [n=antiwire@unaffiliated/antiwire] has joined ##openvpn 03:01 < antiwire> hey, is there a method to use in which I can have Linux based clients automatically change /etc/resolv.conf so that they will send DNS queries down the VPN to a DNS server on the other end? 03:02 < antiwire> I'm currently manually "fixing" my resolv.conf to spec out the DNS server on the other end 03:06 < MT-> detailed 03:06 < reiffert> antiwire: yes, there is. 
03:07 < reiffert> debian is coming with a shell script called update-resolv-conf 03:08 < antiwire> reiffert: is it something that the server pushes or clients have installed? 03:08 < reiffert> the client already has. Server is pushing Nameserver Addresses. 03:09 < antiwire> is it using the push "dhcp-option DNS option ? 03:09 < antiwire> and then the client has the script to snag that 03:09 < reiffert> yup 03:09 < antiwire> perfect. 03:09 < antiwire> thanks 03:09 < reiffert> yw 03:12 < MT-> great - I forgot what I set for ovpn on my server -_- 03:13 < MT-> I know I set lza and a different encryption... 03:27 < MT-> This has to be close - no cigar though - I guess I'll try again some other day - way too late to keep fighting and way too much for the next couple weeks 03:31 -!- clog_ [n=zeff@nat.umh.ac.be] has joined ##openvpn 03:32 -!- clog_ [n=zeff@nat.umh.ac.be] has quit [Client Quit] 04:14 -!- code- [i=code@antenora.aculei.net] has joined ##openvpn 04:19 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 04:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 04:27 -!- antiwire is now known as antlwire 04:27 -!- antlwire is now known as antiwire 04:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:57 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:27 -!- toehio [n=toehio@dyn.83-228-186-211.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 05:28 -!- toehio [n=toehio@dyn.144-85-203-205.dsl.vtx.ch] has joined ##openvpn 05:47 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 110 (Connection timed out)] 05:50 -!- GoGi [n=gogi@p5B175037.dip.t-dialin.net] has joined ##openvpn 05:50 < GoGi> Why does openvpn now have a default setting for --up? That's totally unintuitive 05:51 < GoGi> is 05:51 < GoGi> now I have to disable everything manually or openvpn will die because the default scripts do not exist 05:53 < |Mike|> --up ? 
05:55 < |Mike|> according to the documentation it's still not enabled on default 05:55 < |Mike|> "# From a security perspective, I think it makes# sense to remove this, and have users who need# it explictly enable in their --up scripts or# firewall setups." 05:56 < |Mike|> last time it changed was in 2004. 05:56 < |Mike|> according to the Change Log 05:57 -!- toehio [n=toehio@dyn.144-85-203-205.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 05:58 < GoGi> oh sorry 05:58 < GoGi> it's my distributions fault 05:58 < GoGi> 's 05:59 < |Mike|> what distro are you using ? 05:59 -!- antiwire is now known as wire-anti 05:59 -!- wire-anti is now known as antiwire 06:02 -!- antiwire [n=antiwire@unaffiliated/antiwire] has left ##openvpn ["☯"] 06:07 < GoGi> gentoo 06:07 < GoGi> I have solved it 06:08 -!- toehio [n=toehio@dyn.83-228-192-120.dsl.vtx.ch] has joined ##openvpn 06:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:28 -!- GoGi [n=gogi@p5B175037.dip.t-dialin.net] has quit ["Leaving"] 06:50 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 06:51 -!- shion [n=sven@85.183.32.135] has joined ##openvpn 06:51 -!- shion [n=sven@85.183.32.135] has left ##openvpn ["Konversation terminated!"] 07:01 -!- YpsyZNC is now known as Ypsy 07:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:08 -!- toehio [n=toehio@dyn.83-228-192-120.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 07:09 -!- toehio [n=toehio@dyn.144-85-189-029.dsl.vtx.ch] has joined ##openvpn 07:17 < Douglas> fuckkkk 07:17 < Douglas> $120 for a 1TB 07:18 < cpm> ? 07:19 < Douglas> 1tb drive 07:19 < Douglas> just spent $120 for ot 07:19 < Douglas> for it 07:19 < Douglas> ;\ 07:22 < Douglas> ooh 07:26 -!- toehio [n=toehio@dyn.144-85-189-029.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 07:27 < ecrist> good morning, folks 07:27 < Douglas> hi ecirst 07:27 < Douglas> ecrist 07:27 * Douglas sigh 07:28 < ecrist> what is your issue? 
07:28 < Douglas> just spent $120 for a 1TB drive 07:28 < Douglas> lol 07:29 < ecrist> so? 07:29 < ecrist> we spend $400 on 500GB drives 07:29 < Douglas> what 07:29 < Douglas> ? 07:29 < Douglas> do the drives shit gold bricks? 07:30 < ecrist> no, they're SAS server-rated drives. 07:30 < mrnice`> your dollars arent worth the paper printed on :) 07:30 < Douglas> that's different ecrist 07:30 < Douglas> this was a 1tb 7200rpm sata 07:31 < ecrist> Douglas: the SAS part is just a card on these drives. the drives are just 7200rpm sata drives with Dell's custom firmware and a super high MTBF 07:31 < Douglas> nice 07:38 -!- toehio [n=toehio@dyn.83-228-171-022.dsl.vtx.ch] has joined ##openvpn 07:52 -!- GoGi [n=gogi@2001:8d8:81:1832:0:0:0:2] has joined ##openvpn 07:52 < GoGi> Will openvpn with --client-to-client behave like an ethernet switch? 07:54 < Douglas> in what sense 07:54 < Douglas> allowing each client to communicate with each other over the vpn ip space? 07:56 < GoGi> being able to send broadcast packets to them 07:59 -!- toehio [n=toehio@dyn.83-228-171-022.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)] 07:59 < GoGi> and is it possible to run an openvpn server without any security? 07:59 < GoGi> (anyone can connect) 07:59 -!- toehio [n=toehio@dyn.144-85-129-114.dsl.vtx.ch] has joined ##openvpn 08:04 < reiffert> GoGi: no. 08:07 < Douglas> GoGi that sounds reckless 08:11 < reiffert> GoGi: broadcasts: tap device 08:11 < GoGi> thanks 08:11 < GoGi> not if there is no connection to the public internet 08:16 < reiffert> nonsense. 
08:18 -!- toehio [n=toehio@dyn.144-85-129-114.dsl.vtx.ch] has quit [Read error: 110 (Connection timed out)] 08:19 -!- toehio [n=toehio@dyn.83-228-148-020.dsl.vtx.ch] has joined ##openvpn 08:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["I ♥ GNU/Linux!"] 08:49 -!- toehio [n=toehio@dyn.83-228-148-020.dsl.vtx.ch] has quit [Success] 08:51 -!- toehio [n=toehio@dyn.83-228-152-230.dsl.vtx.ch] has joined ##openvpn 08:51 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 08:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:09 < GoGi> ? 09:26 < ecrist> GoGi: no, it will not allow anyone to connet 09:26 < ecrist> connect* 09:26 < GoGi> ok :( 09:28 < ecrist> you can make an unencrypted (non-password-protected) ssl certificate/key pair available and enable duplicate-cn 09:31 < GoGi> ah that's a good idea 09:31 < GoGi> thank you 09:42 -!- c64zottel [n=hans@p5B17B447.dip0.t-ipconnect.de] has joined ##openvpn 09:43 < |Mike|> why would you want to run that? 09:49 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 09:50 -!- toehio [n=toehio@dyn.83-228-152-230.dsl.vtx.ch] has quit [Connection timed out] 09:52 -!- toehio [n=toehio@dyn.83-228-220-157.dsl.vtx.ch] has joined ##openvpn 10:00 < ecrist> |Mike|: I'm guessing it's for a college dorm for LAN gaming purposes. 10:37 < krzee> [05:59] and is it possible to run an openvpn server without any security? 10:37 < krzee> [05:59] (anyone can connect) 10:37 < krzee> actually yes 10:38 < ecrist> teach, oh great and powerful OZ 10:38 < krzee> in fact they give an example commandline for just that in the manual 10:38 < GoGi> in the manual?? 10:38 < krzee> !man 10:38 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 10:38 < ecrist> what?! 
I'm not going to read the manual 10:38 < krzee> yes, in the manual 10:38 < krzee> hahahah 10:39 < GoGi> "Example 1: A simple tunnel without security" 10:39 < GoGi> but does this work in server mode? 10:39 < ecrist> that question is probably answered in the manual, as well 10:43 < GoGi> exactly 10:44 < GoGi> the manual says you need TLS for server mode 10:44 < GoGi> oh but I have forgot to ask for that in the first place 10:44 < GoGi> sorry 10:50 -!- Ypsy is now known as YpsyZNC 10:55 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)] 10:55 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:09 -!- toehio [n=toehio@dyn.83-228-220-157.dsl.vtx.ch] has quit [Read error: 110 (Connection timed out)] 11:10 -!- toehio [n=toehio@dyn.83-228-142-055.dsl.vtx.ch] has joined ##openvpn 11:26 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 11:27 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 11:30 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 11:31 < newmember> Can the windows client connect to two different openvpn servers at the same time? 11:31 -!- jeiworth [n=jeiworth@189.177.33.39] has joined ##openvpn 11:38 < reiffert> newmember: yes. 11:39 < newmember> I think I have to change the tun number in the client, is there anything else I have to change? 
11:44 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 12:12 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: Kreg-Work, lilalinux, flokuehn, Douglas, _impuls, sigius, mrnice`, worch 12:12 -!- Netsplit over, joins: Douglas, flokuehn, sigius, worch, mrnice`, Kreg-Work, lilalinux, _impuls 12:14 -!- c64zottel [n=hans@p5B17B447.dip0.t-ipconnect.de] has left ##openvpn [] 12:29 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:50 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)] 13:19 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 13:38 -!- jeiworth [n=jeiworth@189.177.33.39] has quit [Read error: 60 (Operation timed out)] 13:38 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 13:43 -!- NxTitle [n=NxTitle@unaffiliated/nxtitle] has joined ##openvpn 13:43 < NxTitle> is there a way to port forward a range of IP addresses from a server to a client via openvpn? or is that more of an iptables question? 14:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:17 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn 14:19 < otakun> hey i need help with openvpn on linux when i try to start the server on my ubuntu machine i get failed to connect to vpn 14:24 < otakun> anyone? 14:29 -!- GoGi [n=gogi@2001:8d8:81:1832:0:0:0:2] has quit [Remote closed the connection] 14:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"] 14:37 < ecrist> otakun: can you read the channel topic, and ask your question again? 
14:39 < otakun> k i did sorry im not understanding 14:39 < ecrist> We need !logs and !configs and maybe !interface 14:39 < ecrist> it's in the channel topic 14:39 < ecrist> /topic if you need help 14:39 < NxTitle> !interface 14:40 < vpnHelper> NxTitle: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 14:40 < ecrist> did you check your firewall? 14:40 < otakun> well i really just want a good straightforward tutorial 14:40 < ecrist> go away 14:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 14:40 < otakun> can u point in the right direction 14:40 < ecrist> !howto 14:40 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:40 < ecrist> it's, also in the channel topic 14:41 < MT-> this channel is really unfriendly... 14:41 < otakun> k thank you im kinda new to all this linux and vpn 14:41 < otakun> yes 14:41 < otakun> it is 14:41 < ecrist> I am only unfriendly with people who expect me(us) to do their homework and aren't willing to RTFM 14:41 < otakun> i dont even know how to use irc that well 14:42 < otakun> didnt ask for homework 14:42 < otakun> i can learn it myself 14:42 < otakun> i just wanna be pointed in the right direction 14:42 < ecrist> my point is, lots of resources are available by reading the channel topic. Most people don't bother. 14:43 < otakun> i understand but im new to irc still and commands and all that i havent learned them yet really just know how to enter the channel 14:43 < otakun> lol 14:43 < ecrist> 14:39 < ecrist> /topic if you need help 14:43 < otakun> guess i need to stop and look for an irc tutorial lol 14:44 < MT-> !irc 14:44 < vpnHelper> MT-: Error: "irc" is not a valid command. 14:44 < otakun> .... 
14:44 < MT-> A list of official Ubuntu IRC channels, as well as IRC clients for Ubuntu, can be found at https://help.ubuntu.com/community/InternetRelayChat - For a general list of !freenode channels, see http://freenode.net/faq.shtml#channellist 14:44 < vpnHelper> Title: Internet Relay Chat - IRC - Community Ubuntu Documentation (at help.ubuntu.com) 14:44 < MT-> i just grabbed that from ubottu 14:44 < otakun> thank you as well 14:45 < MT-> that doesn't explain it well... 14:45 < MT-> here - http://www.irchelp.org/irchelp/irctutorial.html 14:45 < vpnHelper> Title: An IRC Tutorial (at www.irchelp.org) 14:45 < MT-> that's the link I gave to my employees 14:45 < otakun> lol 14:45 < MT-> coworkers* 14:46 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 14:46 < ecrist> !learn irc as http://www.irchelp.org/irchelp/irctutorial.html 14:46 < vpnHelper> ecrist: Joo got it. 14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:49 < otakun> kk thank both of u gouys 14:49 < otakun> guys 14:51 -!- NxTitle [n=NxTitle@unaffiliated/nxtitle] has quit [Read error: 104 (Connection reset by peer)] 14:51 < MT-> now to figure out my problem (procrastination instead of other work :P 14:52 < MT-> i really really really hate running firefox over ssh :( 14:57 < ecrist> ok... 14:57 < MT-> ecrist: you ever do it? 14:59 < Douglas> fuck 14:59 < Douglas> i havent eaten today 14:59 < Douglas> i am starving 15:02 < MT-> What's the nonblock part of this mean? "Attempting to establish TCP connection with IP:1194 [nonblock]" 15:11 < ecrist> not sure. 15:11 < ecrist> MT-: have I ever done what? 
15:11 < MT-> firefox over ssh 15:11 < ecrist> yep 15:11 < ecrist> even did a writeup on how to do it 15:11 < ecrist> http://www.secure-computing.net/wiki/index.php/Secure_browsing 15:11 < vpnHelper> Title: Secure browsing - Secure Computing Wiki (at www.secure-computing.net) 15:13 < MT-> so so slow and painful :( 15:13 < ecrist> I disagree 15:13 -!- teepark [n=teepark@c-98-210-255-213.hsd1.ca.comcast.net] has joined ##openvpn 15:13 < ecrist> it's not really any slower than a VPN would be. 15:14 < MT-> um - I move my mouse over something and it takes 10+ sec to react to me 15:14 < Douglas> then it local 15:14 < Douglas> i ssh tunnel and get nearly as good speeds as if i dont 15:15 < MT-> this is on a system in a different part of the town 15:16 < MT-> I don't yet have a vpn working so I need to do it that way 15:17 < Douglas> why 15:17 < Douglas> you wont get any faster speeds tunneling through the vpn 15:17 < MT-> huh? 15:18 < MT-> it's my only simple way to access the firewall right now 15:18 < MT-> I'm using pfsense 15:18 < MT-> when I get ovpn working, I connect and run firefox local to connect to the router - much much much faster 15:20 < Douglas> ah 15:20 < Douglas> that works then 15:21 < MT-> not right now :( 15:25 -!- teepark [n=teepark@c-98-210-255-213.hsd1.ca.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 15:26 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa 15:27 -!- teepark [n=teepark@c-98-210-255-213.hsd1.ca.comcast.net] has joined ##openvpn 15:28 -!- Netsplit over, joins: pa 15:28 < MT-> does this openvpn config look ok? http://pastebin.com/d4d28e7c3 15:29 < teepark> i'm trying to configure vpn with the networkmanager applet. i can get the network connection popup window with the vpn tab, but the 'Add' button (and all others) is grayed out. do i need to install something beyond just the latest networkmanager? 
15:29 < MT-> teepark: network-manager-openvpn 15:30 < Douglas> !networkmanager 15:30 < vpnHelper> Douglas: Error: "networkmanager" is not a valid command. 15:30 < Douglas> er 15:30 < Douglas> !factoids search networkmanager 15:30 < vpnHelper> Douglas: No keys matched that query. 15:30 < Douglas> !factoids search network manager 15:30 < vpnHelper> Douglas: No keys matched that query. 15:30 < Douglas> gah 15:31 < Douglas> ecrist: help 15:31 < MT-> Douglas: I already gave him the answer... 15:31 < Douglas> MT- that isn't the answer 15:31 * Douglas pokes krzie 15:31 < Douglas> the answer is DONT USE NETWORK MANAGER 15:31 -!- Netsplit kubrick.freenode.net <-> irc.freenode.net quits: pa 15:31 * Douglas pokes vpnhelper 15:31 < teepark> MT-: that was it. thanks 15:32 < MT-> I like wicd - but it doesn't handle vpn so I'm learning to do it via cli 15:34 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [Read error: 110 (Connection timed out)] 15:35 < MT-> wicd gives me an internet connection before I can do anything when I log in 15:41 < ecrist> !learn tools as https://www.secure-computing.net/ip.php 15:41 < vpnHelper> ecrist: Joo got it. 15:43 < Douglas> ecrist 15:43 < Douglas> isnt there a vpnHelper entry that says dont use network manager 15:44 < ecrist> !networkmanager 15:44 < vpnHelper> ecrist: Error: "networkmanager" is not a valid command. 15:44 < ecrist> somewhere, I've seen it 15:44 < ecrist> !ubuntu 15:44 < vpnHelper> ecrist: "ubuntu" is dont use network manager! 15:44 < Douglas> oh, just ubuntu 15:44 < Douglas> teepark: what distro are you using? 15:45 < MT-> so... close.... 15:45 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 15:46 < MT-> what do you guys have against network manager? 15:47 < teepark> Douglas: arch 15:52 < |Mike|> re. 15:55 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:00 < MT-> Any ideas why I can't make the vpn connection work? It seems like I'm just missing one tiny piece... 
http://pastebin.com/d6378c953 16:01 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"] 16:01 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:04 < Douglas> MT- 16:04 < Douglas> i don't know the specifics behind network manager 16:04 < Douglas> but there is a reason not to 16:05 < Douglas> errr 16:05 < Douglas> MT-, you need to run openvpn as root locally for starters 16:05 < Douglas> that is probably your only isuse 16:05 < Douglas> issue 16:07 < MT-> Douglas: oh... 16:07 < MT-> network manager did that part for me I guess :P 16:08 < Douglas> lol. 16:08 * Douglas approves posts on the forum 16:12 < Douglas> !forum 16:12 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:12 < Douglas> @ all 16:15 < MT-> hrm... so I need to be root for every ovpn connection I want to make..... 16:16 < Douglas> yes 16:16 < Douglas> you also need to join the forum 16:16 < Douglas> what? 16:16 < Douglas> the forum compels you 16:16 < Douglas> what? 16:16 < MT-> that didn't make sense 16:19 < Douglas> it was a shameless plug to make you join my forum 16:19 < MT-> oh.. 16:19 < MT-> I don't use forums.. 16:19 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"] 16:20 < MT-> I'm an admin in the Ubuntu South Dakota forums with the ubuntu member status set on it - but I don't use it 16:23 < Douglas> nice 16:26 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 16:38 -!- thebraintrain [i=617a4258@gateway/web/freenode/x-ckjbpqapsuoznkuj] has joined ##openvpn 16:48 < |Mike|> bloat. 16:49 < |Mike|> indeed MT- ; run it as root or sudo 16:51 < MT-> |Mike|: is there any real security threat to being able to access openvpn w/o sudo? 
16:54 < ecrist> sure, it allows you to modify network devices
16:55 < MT-> oh :(
16:56 < MT-> otherwise I was just going to add ALL NOPASSWD:/usr/sbin/openvpn in the sudoers file :P
16:57 -!- Wulf4 [n=wulf@f054105129.adsl.alicedsl.de] has joined ##openvpn
16:57 < Wulf4> Hello!
16:57 -!- Wulf4 is now known as Wulf_
16:58 < thebraintrain> Hello all, anyone have experience connecting to an openvpn connection via KDE 4.2 and the networkmanager widget?
16:58 < Wulf_> I'm trying to set up a multi-client vpn with tap devices. two clients are connected, both can communicate with the server
16:59 < Wulf_> when one client tries to ping the other, ARP requests are sent (and received on the server), but they are neither answered nor forwarded to the second client. what's wrong?
17:04 -!- MT- [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has left ##openvpn [""http://profarius.com/""]
17:06 < |Mike|> o he left
17:06 < |Mike|> Wulf_: client-to-client (search in the howto)
17:06 < |Mike|> !howto
17:06 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
17:12 < Wulf_> |Mike|: it works, thank you!
17:15 -!- Wulf_ [n=wulf@f054105129.adsl.alicedsl.de] has left ##openvpn []
17:15 -!- thebraintrain [i=617a4258@gateway/web/freenode/x-ckjbpqapsuoznkuj] has quit [Ping timeout: 180 seconds]
17:15 < |Mike|> np.
17:17 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:25 -!- teepark [n=teepark@c-98-210-255-213.hsd1.ca.comcast.net] has quit [Read error: 110 (Connection timed out)]
17:54 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
18:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:42 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:49 < ecrist> ping krzee you around?
18:51 < |Mike|> (he is on holiday)
18:52 < ecrist> Douglas: install the RSS plugin for PHPBB
18:57 < |Mike|> chmod 777 /
18:58 < |Mike|> -R
19:13 -!- YpsyZNC is now known as Ypsy
19:14 -!- teddy [n=teddy@208.92.235.227] has joined ##openvpn
19:16 < Douglas> ecrist
19:16 < Douglas> your gonna make me google it arent you
19:16 < Douglas> you bastard
19:17 < Douglas> ecrist: like this? http://www.phpbb.com/community/viewtopic.php?f=70&t=552465
19:17 < vpnHelper> Title: phpBB View topic - [MODDB] simple syndication (at www.phpbb.com)
19:18 < Douglas> or http://www.phpbb.com/community/viewtopic.php?f=69&t=1214645 ?
19:18 < vpnHelper> Title: phpBB View topic - RSS Feed 2.0 (at www.phpbb.com)
19:42 < krzee> hey man
19:42 < krzee> wassup ecrist
19:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
19:44 < Douglas> lol
19:44 < Douglas> he left
19:56 -!- disco-_ [i=disco@andromeda.h4xed.com] has joined ##openvpn
20:01 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
20:02 < RadarG> !iporder
20:02 < vpnHelper> RadarG: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
20:09 -!- disco- [i=disco@andromeda.h4xed.com] has quit [Read error: 110 (Connection timed out)]
20:29 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit []
21:00 -!- thedoc [n=andelyx@bb116-15-13-141.singnet.com.sg] has joined ##openvpn
21:03 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:04 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:08 -!- master_of_master [i=master_o@p549D3AD7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:10 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
21:13 -!- master_of_master [i=master_o@p549D32F4.dip.t-dialin.net] has joined ##openvpn
21:14 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
21:17 -!- Ypsy is now known as YpsyZNC
21:22 -!- thedoc [n=andelyx@bb116-15-13-141.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
22:01 < troy-> where can i find openvpn-auth-pam.so?
22:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
22:12 -!- zoster [n=lisar@user-0ccejib.cable.mindspring.com] has joined ##openvpn
22:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
22:13 < zoster> is there any specific setup to use openvpn as a proxy server for internet browsing?
22:14 < thedoc_> http-proxy module.
22:14 < thedoc_> Take a look at that
22:14 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
22:14 < zoster> hi, thanks
22:15 < zoster> one more thing, do I have to install squid in this case?
22:17 < zoster> thedoc: is it the module I should install somehow into the openvpn server, or is it just an option in the client.conf file?
22:33 -!- zoster [n=lisar@user-0ccejib.cable.mindspring.com] has quit ["Leaving"]
22:34 -!- blist3rz [n=blisterz@moscow.perfect-privacy.com] has joined ##openvpn
22:34 < blist3rz> how does one chain openvpn?
22:34 < blist3rz> in terminal
23:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
23:22 -!- blist3rz [n=blisterz@moscow.perfect-privacy.com] has quit ["Bye"]
23:24 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:24 < thedoc> Douglas, You there?
23:27 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
--- Log closed Fri Aug 07 23:34:44 2009
--- Log opened Fri Aug 07 23:34:54 2009
23:34 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
23:34 -!- Irssi: ##openvpn: Total of 62 nicks [0 ops, 0 halfops, 0 voices, 62 normal]
23:35 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
23:35 -!- Irssi: Join to ##openvpn was synced in 40 secs
23:36 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
23:36 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
23:41 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
--- Day changed Sat Aug 08 2009
00:05 < ecrist> krzie: I'm here now, but going to bed in a couple minutes.
00:06 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
00:16 < ecrist> g'night
00:30 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
01:03 -!- disco-_ is now known as disco-
01:03 -!- disco- is now known as disco-_
01:07 < reiffert> moin
01:18 -!- Lilarcor [n=Lilarcor@208-58-211-51.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has joined ##openvpn
01:18 -!- Lilarcor [n=Lilarcor@208-58-211-51.c3-0.161-ubr1.lnh-161.md.cable.rcn.com] has quit [Remote closed the connection]
01:21 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
01:47 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
02:36 -!- |ns|nR8 [n=doof@CPE-138-130-86-138.nsw.bigpond.net.au] has joined ##openvpn
02:37 -!- c64zottel [n=hans@p5B178E22.dip0.t-ipconnect.de] has joined ##openvpn
02:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:51 -!- |ns|nR8 [n=doof@CPE-138-130-86-138.nsw.bigpond.net.au] has quit ["Leaving"]
03:18 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
03:23 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
03:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 113 (No route to host)]
03:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"]
03:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:46 < RadarG> !help
03:46 < RadarG> !routing
03:55 < RadarG> I think I might have figured out why my setup isnt working. I believe it has something to do with the routing and dns on my client. Can someone please help me clear it up? My client is using 192.168.1.0/24 and the server is using 192.168.4.0/24 In order for the client to be able to send traffic down the tunnel I need to have the following in the client config file right? "route add -net 192.168.4.0 netmask 255.255.255.0 gw ?.?
03:56 < RadarG> for the gateway ipaddress is it the ip that the client pulled or is it the address on the other end?
04:01 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
04:05 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
04:06 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 113 (No route to host)]
04:26 < RadarG> How do I make a client into a gateway?
04:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:44 < RadarG> I have been running wireshark on the vista box. I seeing that the client is sending out ARP requests to the vista box's default GW but its not rx the responses back. How can I fix this?
04:48 < RadarG> here is my current config for the vista box http://pastebin.com/d75a5a20 I'm trying to use it as a gateway for my server in asia
04:55 < RadarG> I think that routing on the vista box is messed up
04:55 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
05:08 < RadarG> I added a static route onto the vista box(ipaddress 10.111.20.2) "route -p ADD 10.111.20.0 MASK 255.255.255.0 192.168.1.10 METRIC" why isnt the route working? When I looked at wireshark again I saw that the client was sending out ARPs but the once again the gateway is returning the requests. Did I perform the wrong command?
05:08 < RadarG> is not returning the requests
05:20 < Eagleray> Is anyone here familiar with the OpenVPN source? I'm trying to find the bit of it where SSL certificate information is stored for each session, but I have been unable to find any documentation on the overall source structure - and there's a lot of code to trawl through!
05:21 < Eagleray> Not asking to be spoonfed anything, but a pointer to the right file would be incredibly helpful
05:28 < RadarG> hmm changing the default gw on the client didnt resolve the ARP issue?
05:31 < RadarG> any ideas anyone?
05:32 < RadarG> !routing
05:32 < RadarG> !route
05:36 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
05:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:56 -!- bsod2 [n=bsod@i101244.upc-i.chello.nl] has joined ##openvpn
06:02 -!- YpsyZNC is now known as Ypsy
06:27 -!- Ypsy is now known as YpsyZNC
06:35 < RadarG> WTF I do a trace from my box to 10.111.20.3???
06:35 < RadarG> its on my ISP network
06:38 < RadarG> WTF I can ping 10.11.20.1 the ping is 45ms so it cant be my server. I think that is where some of my problems have been coming from
07:18 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has joined ##openvpn
07:31 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
07:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:39 < RadarG> I'm trying to make my client a gateway. When using the "redirect-gateway" what do I put down for the default gateway of the v8 adapter?
07:44 < Douglas> krzie: ello
07:46 < Douglas> thedoc
07:46 < Douglas> there?
08:06 < RadarG> hello
08:43 < RadarG> I have a question. If I have a lan behind my server and client will I need a iroute for each one?
08:47 < RadarG> !iroute
09:00 < Douglas> Google AdSense ad on the radio.
09:20 < Eagleray> RadarG: No - you just need to route the netblock, not every machine individually.
09:21 < Eagleray> RadarG: just feed it the network address and the netmask
09:25 < RadarG> I thought that iroute was needed if there was lans behind the client and server. Are you saying that a route will take care of it?
09:31 < Eagleray> RadarG: no, I'm saying that you don't need to individually pass every client, you can just pass the whole subnet in one go
09:36 -!- RadarG1 [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
09:37 < Eagleray> RadarG1: no, I'm saying that you don't need to individually pass every client, you can just pass the whole subnet in one go
09:49 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)]
10:08 < reiffert> TOR!
10:29 -!- troy- [n=troy@worldnet.tauri.ca] has quit [Read error: 60 (Operation timed out)]
10:46 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:56 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
10:57 -!- zoster [n=lisar@user-0ccejib.cable.mindspring.com] has joined ##openvpn
10:58 < zoster> what modes does openvpn have; as far as I know: server, client? are there any additional?
11:06 -!- zoster [n=lisar@user-0ccejib.cable.mindspring.com] has quit ["Leaving"]
12:07 -!- lilalinux [n=lilalinu@ist.deswahnsinns.de] has left ##openvpn ["Leaving"]
12:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
12:50 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
12:51 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
13:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
13:11 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
13:24 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
13:26 < newmember> My openvpn on my XP will not connect two different openvpn servers at the same time
13:27 < newmember> I can connect successfully to either server one at a time
13:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:36 < Gorkhaan> newmember : How many TUN/TAP interface do you have? :)
13:36 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
13:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:36 < newmember> one version9
13:36 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)]
13:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:39 < rawDawg> Gorkhaan is right, you need two adapters
13:40 < Gorkhaan> :) addtap.bat in bin directory afaik
13:40 < Gorkhaan> or something like that
13:40 < newmember> ok I have two adapters
13:40 < newmember> do I need to add an item to the config file?
13:42 < Gorkhaan> on default it will Random search for free TUN/TAP interface
13:42 < newmember> nice
13:42 < newmember> very nice
13:42 < Gorkhaan> but you can give it name too
13:42 < newmember> thanks
13:42 < rawDawg> --dev-node
13:42 < Gorkhaan> yep, that's it
13:42 < rawDawg> --show-adapters to see them
13:43 < newmember> I have set one to "dev tun0" and the other "dev tun1"
13:43 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn
13:43 < rawDawg> dev-node tun0
13:43 < troy_> where can i find openvpn-auth-pam.so?
13:44 < newmember> Next thought, I have two openvpn servers, one on amazon and the other in my office, to connect the two servers can I use the same 1194 port between each other or do I have to use another port?
13:45 < newmember> I guess I am asking, can a openvpn server and openvpn client be on the same port?
13:45 < rawDawg> yes
13:46 < newmember> sweet
13:47 -!- troy_ changed the topic of ##openvpn to: OpenVPN 2.1rc19 Released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder || We know, the new site sucks. (We agree.)never mind.
13:48 -!- troy_ changed the topic of ##openvpn to: OpenVPN 2.1rc19 Released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder || We know, the new site sucks. (We agree.)
13:48 < troy_> never mind ..
13:48 < troy_> i dont know why i can do that.
13:50 < Douglas> anyone can chage it
13:50 < Douglas> change
13:50 < troy_> sup Mr. Haber.
13:50 -!- Douglas changed the topic of ##openvpn to: OpenVPN 2.1rc19 Released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder || Check out !forum too || We know, the new site sucks. (We agree.)
13:50 < Douglas> troy_: how are you doing my friend
13:51 < troy_> good, i've compiled openvpn-auth-pam
13:51 < Douglas> nice
13:51 < Douglas> i need to go moderate the forum soon
13:51 < Douglas> are you a member, troy?
13:51 < troy_> which forum?
13:51 < Douglas> !forum
13:51 < Douglas> aww
13:51 < Douglas> vpnhelper is gone
13:51 < Douglas> www.ovpnforum.com
13:52 < troy_> nope, but i'll join
13:52 < Douglas> so many spambots
13:52 < Douglas> id say 90% of the members
13:53 < newmember> interesting chrome has a problem displaying webmin's openvpn page for adding new users to a openvpn server
13:58 < newmember> awesome the two TAP adapters solved the problem, thanks
14:04 -!- vcs [n=vcs@70-140-181-94.lightspeed.hstntx.sbcglobal.net] has joined ##openvpn
14:07 < vcs> Hi, can someone help me with joining a subnet together using tun interfaces when the OpenVPN server is not the gateway for the subnet I need to link? I have read through the howto and tried everything, but I still cant get clients to connect.
14:08 < vcs> I am pushing the route to clients, and added the route on the machine that needs to be able to talk back to the VPN
14:08 < vcs> !route
14:08 < newmember> when you push the route, does it show up in the route tables?
14:08 < vcs> yes
14:09 < vcs> let me get config files
14:10 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
14:13 < vcs> http://pastebin.com/m254efd63
14:13 < vcs> It basically looks like this
14:14 < vcs> Client (10.8.0.6) -> OpenVPN server (10.8.0.1,192.168.11.17) -> Database (192.168.11.19)
14:14 < vcs> I dont have access to the 192.168.11.17 gateway
14:14 < vcs> so I just did a route add -net 10.8.0.0 255.255.255.255 192.168.11.17
14:14 < vcs> on the database
14:15 < vcs> the 192.169.11.0 subnet is pushed to the client successfully
14:15 < magic_1> vcs what are you trying to achieve(which i am sure is evident) however what is the error that you are getting
14:16 < vcs> trying to connect to the postgres database. I cant ping it or connect to it
14:16 < vcs> from the client
14:17 < vcs> i can ping 10.8.0.1 and connect to it
14:18 < vcs> I can ping and connect to 192.168.11.17
14:18 < vcs> but when I try 192.168.11.19 i have no luck
14:19 < vcs> I can see the connection trying to be made in tcpdump
14:20 < vcs> on 192.169.11.19
14:20 < vcs> it looks like its not being routed back correctly
14:22 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
14:22 < magic_1> immm
14:22 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
14:22 < vcs> I extensively read the openVPN 2 howto, enabled ip forwarding, etc
14:22 < magic_1> have you set the gateway on the machine with the DB
14:22 < magic_1> still
14:23 < vcs> Doesn't adding the route achieve that like so: route add -net 10.8.0.0 255.255.255.255 192.168.11.17
14:23 < magic_1> you need to make sure that the machine has a route back first off and secondly you need to make sure the firewall allows for the traffic to be routed
14:23 < vcs> I did that on the database
14:24 < magic_1> you wont need to do the route add as all you will need to do is set the machine that is connected to the vpn as your gateway
14:24 < magic_1> that way it will route for you
14:24 < magic_1> can you ping any of the other machines
14:25 < vcs> The database is not part of the VPN
14:25 < vcs> I could add it but the goal is to access the entire subnet
14:25 < vcs> i can only ping the gateway
14:26 < vcs> at its VPN address and LAN address
14:26 < magic_1> well then there is your issue
14:27 < magic_1> what machines are you using to create the link between the 2 sites, is this a site to site
14:27 < vcs> I want my 10.8.0.0 subnet to talk to my 192.168.11.0 subnet like it was on the same lan
14:28 < vcs> one site has the client
14:28 < vcs> the other site (the one with the 192.168.11.0 subnet) has the OpenVPN server behind a firewall, and a database machine which is also firewalled
14:29 < magic_1> this is a very easy task
14:32 < vcs> I thought it would be also, I followed the howto very closely but I must have missed something...
14:32 < magic_1> hhmm
14:32 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
14:32 < magic_1> what OS are you running on each side
14:32 < vcs> CentOS 5 on all machines
14:32 -!- RadarG1 [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [Read error: 113 (No route to host)]
14:32 < magic_1> so you can ping both sides
14:33 < magic_1> what firewall are you using
14:33 < vcs> Well, I can ping the OpenVPN server by both its VPN Ip 10.8.0.1 and its nic ip (192.168.11.17)
14:33 < vcs> Hardware firewall? I think sonic firewall... all machines are running iptables
14:33 < magic_1> this would be possible
14:34 < magic_1> have you pushed the routes where needed from the server
14:34 < vcs> yes, push "route 192.168.11.0 255.255.255.0"
14:38 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
14:38 < magic_1> hhmm, you most definitely check your rules and your nating rules
14:38 < vcs> should my interfaces be masquerading on my OpenVPN server?
14:40 < vcs> All the OpenVPN guide discussed was accepting on the tun and tap interfaces
14:40 < magic_1> was going through your pastebin
14:41 < magic_1> seems like a firewall issue as everything seems fine
14:41 < vcs> ahh ok
14:42 < vcs> Yeah i read that openvpn guide word for word haha
14:42 < vcs> didn't think I did anything wrong
14:42 -!- hackeron [n=hackeron@cpc3-seve19-2-0-cust404.13-3.cable.virginmedia.com] has quit [Connection timed out]
14:44 < magic_1> you also need to make sure your openvpn machines are set as your user machines gateways
14:45 < vcs> Well I mean I can connect to the server over its 192.168.11.17 lan address while on the vpn
14:45 < vcs> do you think the problem is between that interface and the database?
14:50 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has joined ##openvpn
14:58 -!- disco-_ is now known as disco-
15:08 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:20 -!- troy_ [n=troy@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
15:30 -!- IncredibleHink [n=Hink@cpe-173-173-76-122.tx.res.rr.com] has quit [Client Quit]
15:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
15:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:37 -!- toehio [n=toehio@dyn.83-228-142-055.dsl.vtx.ch] has quit [Network is unreachable]
15:39 -!- toehio [n=toehio@dyn.144-85-186-003.dsl.vtx.ch] has joined ##openvpn
15:39 < krzee> ecrist, whats up man, i saw you said my name earlier
15:39 < krzee> =]
15:39 < krzee> im out in san diego right now, getting ready for amsterdam
15:47 < Douglas> ooh shit
15:47 < Douglas> krzees all ova
15:47 < Douglas> when you gonna be back home
15:50 < |Mike|> it's named hilights krzee :P
15:54 < krzee> late aug
15:54 < krzee> sup mike
15:55 < |Mike|> i love wheelchairs
15:55 < krzee> y
15:59 -!- Bushmills is now known as l
16:00 -!- l is now known as Guest97682
16:00 -!- Guest97682 is now known as Bushmills
16:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
16:05 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
16:17 -!- toehio [n=toehio@dyn.144-85-186-003.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)]
16:19 -!- toehio [n=toehio@dyn.83-228-153-045.dsl.vtx.ch] has joined ##openvpn
16:29 < vcs> I can access one of my subnet machines on every port but PostgreSQL's port 5432. It shows filtered in nmap from inside the VPN, but not on the local network. I checked iptables and everything looks ok, would there be any specific reason this is happening?
16:29 < |Mike|> heh
16:30 < |Mike|> did you bind it to the openvpn interface as well ?
16:31 < vcs> Its all working but that one port and its not listening on openvpn, its listening on a nic on one of the subnets i push to clients
16:32 < vcs> accessing apache works fine, sshing works fine
16:32 < vcs> every port shows open in nmap
16:32 < |Mike|> what's in your postgresql config ?
16:32 < vcs> besides postgres, which shows as filtered from the vpn and open from the subnet
16:33 < |Mike|> bind to * or eth0 (or whatever your interface is named)
16:34 < vcs> it is bound to eth0
16:34 < vcs> that machine is not on the vpn
16:34 < vcs> only on a subnet that is pushed to the vpn client
16:34 < |Mike|> so basically you're hosting that postgresql on a client ?
16:36 < vcs> no
16:37 -!- toehio [n=toehio@dyn.83-228-153-045.dsl.vtx.ch] has quit [Read error: 101 (Network is unreachable)]
16:38 -!- toehio [n=toehio@dyn.83-228-142-245.dsl.vtx.ch] has joined ##openvpn
16:39 < vcs> postgres is on a subnet
16:39 < vcs> same as the vpn server
16:39 < vcs> the client is the only thing that cant connect
16:41 < krzee> [14:34] that machine is not on the vpn
16:41 < krzee> [14:34] only on a subnet that is pushed to the vpn client
16:41 < krzee> is ovpn running on the router for that machine's lan?
16:43 -!- Kryczek [i=kryczek@about/security/staff/Kryczek] has left ##openvpn ["cya"]
17:03 < |Mike|> no answer is always good :d
17:03 -!- Bushmills is now known as l
17:04 -!- l is now known as Bushmills
17:06 -!- toehio [n=toehio@dyn.83-228-142-245.dsl.vtx.ch] has quit [Read error: 110 (Connection timed out)]
17:08 -!- toehio [n=toehio@dyn.83-228-189-016.dsl.vtx.ch] has joined ##openvpn
17:10 < Douglas> http://www.speedtest.net/result/535588404.png
17:10 < Douglas> not bad since im sitting on a bus driving towards the train station
17:10 < Douglas> lol
17:32 -!- troy- [n=troy@worldnet.tauri.ca] has joined ##openvpn
17:34 -!- c64zottel [n=hans@p5B178E22.dip0.t-ipconnect.de] has left ##openvpn []
17:35 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
17:47 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
18:00 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
18:06 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
18:21 -!- YpsyZNC is now known as Ypsy
18:27 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
18:39 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
19:08 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)]
19:09 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
19:27 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
19:31 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:41 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 60 (Operation timed out)]
19:48 -!- vcs [n=vcs@70-140-181-94.lightspeed.hstntx.sbcglobal.net] has quit ["Java user signed off"]
19:49 < |Mike|> meep.
19:54 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:54 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn
20:00 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
20:28 -!- troy_ [n=troy@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
20:37 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
20:40 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:43 < Douglas> waste of a fucking evening
20:53 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
20:56 < RadarG> I think I have wasted two weeks trying to get mine to work
21:00 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
21:02 -!- Ypsy is now known as YpsyZNC
21:03 < troy_> sup Douglas
21:03 < |Mike|> say what ?
21:03 < |Mike|> RadarG:
21:07 < RadarG> yes
21:08 -!- master_of_master [i=master_o@p549D32F4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:09 < RadarG> though I did have a couple of bad moments. Last night I broke the wife's computer twice. The first time I routed all of her traffic back to korea and the second time I bridged the connections on her box and she called me complaining that she didnt have any internet. That wasnt good
21:13 -!- master_of_master [i=master_o@p549D34B2.dip.t-dialin.net] has joined ##openvpn
21:19 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:29 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
21:30 < Douglas> troy-
21:30 < Douglas> troy_
21:30 < Douglas> pricing out a big box
21:30 < troy_> personal use?
21:30 < Douglas> no
21:30 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
21:39 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
21:54 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
22:08 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
22:39 -!- nospeq_ [n=nospeq@92.25.90.98] has joined ##openvpn
22:39 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
22:58 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
22:59 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has joined ##openvpn
23:14 -!- nospeq_ [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
23:16 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
23:17 < newmember> I have openvpn set up with client to server, what type of route do i need to add so that the server end lan can see the client?
23:24 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
23:46 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
23:49 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
23:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Sun Aug 09 2009
00:25 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
00:48 -!- nospeq_ [n=nospeq@92.25.90.98] has joined ##openvpn
00:48 < rawDawg> !route
00:48 < rawDawg> vpnhelper is gone :\
00:48 < rawDawg> a static route :)
00:50 < Douglas> :(
00:50 < Douglas> vpnhelper is gone
00:51 -!- Douglas changed the topic of ##openvpn to: OpenVPN 2.1rc19 Released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder || We know, the new site sucks. (We agree.) || vpnHelper will be back... eventually
01:08 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit []
01:26 -!- nospeq_ [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
01:30 < reiffert> You skipped the !forum part, accidentally?
01:33 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
01:38 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
01:52 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
02:12 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
02:24 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
02:28 -!- c64zottel [n=hans@p5B179A05.dip0.t-ipconnect.de] has joined ##openvpn
02:29 -!- c64zottel [n=hans@p5B179A05.dip0.t-ipconnect.de] has left ##openvpn []
02:31 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
02:49 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
03:10 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
03:15 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn
04:05 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has quit [Read error: 60 (Operation timed out)]
04:08 -!- kyrix [n=ashley@188-23-67-239.adsl.highway.telekom.at] has joined ##openvpn
04:17 -!- bauruine [n=bauruine@2001:470:1f13:99b:21c:25ff:fe95:7b9] has joined ##openvpn
04:40 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has quit ["Leaving"]
05:01 -!- kyrix [n=ashley@188-23-67-239.adsl.highway.telekom.at] has quit ["Leaving"]
07:25 -!- c64zottel [n=hans@62.12.218.20] has joined ##openvpn
07:25 -!- c64zottel [n=hans@62.12.218.20] has quit [Client Quit]
07:25 -!- c64zottel [n=hans@62.12.218.20] has joined ##openvpn
07:27 -!- c64zottel [n=hans@62.12.218.20] has left ##openvpn []
07:31 -!- YpsyZNC is now known as Ypsy
08:00 < Douglas> reiffert: huh
08:25 < oc80z> is there a /dev/tap dependence with tunnel mode (not bridge)
08:54 < |Mike|> omg an oc80z
08:55 < Douglas> ooooo
08:55 < |Mike|> Douglas: why is vpnhelper down?
08:55 < Douglas> you'd need to speak to jeff abou that
08:56 < Douglas> about that
09:18 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has joined ##openvpn
09:19 < mirco> Hi all I can't find info how to remove a cert from easyrsa, could one of U pls help me?
09:23 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
09:24 -!- mirco_ [n=mirco@tmo-109-171.customers.d1-online.com] has joined ##openvpn
09:25 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has quit []
09:27 -!- mirco_ [n=mirco@tmo-109-171.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
09:28 -!- mirco_ [n=mirco@p54B2563D.dip.t-dialin.net] has joined ##openvpn
09:29 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
09:33 -!- mirco [n=mirco@tmo-109-171.customers.d1-online.com] has joined ##openvpn
09:35 -!- mirco [n=mirco@tmo-109-171.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
09:35 -!- mirco_ [n=mirco@p54B2563D.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
09:36 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has joined ##openvpn
09:36 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has quit [Client Quit]
09:38 < |Mike|> rm ?
09:39 < thedoc> Anyone knows if you try to migrate an existing ovpn setup to another server, is it safe to just tar the entire openvpn folder, copy it to the new server and untar it?
09:40 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 09:42 < |Mike|> if you have the client certs etc in the same dir, sure 09:42 < |Mike|> you need to change IP's in the config tho 09:42 < |Mike|> and in the clients as well 09:43 < thedoc> Yeah 09:43 < thedoc> I know that 09:43 < thedoc> o/ 10:06 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 10:15 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 10:16 < Douglas> yes thedoc 10:16 < Douglas> should work fine 10:16 < Douglas> i hope you aren't moving it off my server 10:22 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:26 < |Mike|> haha 10:26 < Douglas> i'm cold as balls wtf 10:34 -!- c64zottel [n=hans@p5B179A05.dip0.t-ipconnect.de] has joined ##openvpn 10:34 -!- c64zottel [n=hans@p5B179A05.dip0.t-ipconnect.de] has left ##openvpn [] 10:54 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 10:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 11:03 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has joined ##openvpn 11:04 < nospeq> hi, is it possible to have multiple clients behind same nat in openvpn? 11:16 < rawDawg> yes 11:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:36 < newmember> what type of settings or route do I need so that my lan can ping an openvpn client? 11:36 < reiffert> !route 11:37 < Douglas> reiffert: vpnhelper is gone 11:40 < reiffert> bring it back! 11:41 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 11:42 < Douglas> tell krzie 11:42 < Douglas> krzee 11:42 < Douglas> whatever one he is 11:43 < krzee> oops 11:45 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 11:46 < krzee> sorry 11:46 < reiffert> !sorry 11:46 < vpnHelper> reiffert: Error: "sorry" is not a valid command. 11:46 < reiffert> !! 11:46 < vpnHelper> reiffert: Error: "!" 
is not a valid command. 11:47 < reiffert> !route 11:47 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:48 -!- krzee changed the topic of ##openvpn to: OpenVPN 2.1rc19 is latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder !forum || We know, the new site sucks. (We agree.) 12:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 12:02 -!- binrapt [i=void@unaffiliated/binrapt] has joined ##openvpn 12:04 < binrapt> Hello, I need to run arbitrary Winsock2 applications through different remote IPs (some of them are my own, most of them are the remote IPs of my shells). Is it possible to single Windows applications through the VPN client without affecting other applications? Usually VPNs operate on all outgoing connections from the entire OS, no? 12:04 < binrapt> *Is it possible to run 12:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:06 < reiffert> binrapt: openvpn creates a virtual network interface 12:07 < bauruine> !redirect 12:07 < vpnHelper> bauruine: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:07 < binrapt> reiffert: And by default the network interface isn't actually used by any normal Windows application without further configuration? 12:08 < binrapt> Because it will default to the normal hardware interface used to access the internet? 12:08 < reiffert> typically, network interfaces carry ip addresses. 12:09 < reiffert> e.g. the remote site and the local openvpn instance work within the same virtual subnet. 
12:10 < binrapt> I was told that I might have to run the OpenVPN client within VMWare to selectively run a group of applications through a certain outgoing IP of my choice (the outgoing IP of a remote OpenVPN server running on a shell) 12:11 < binrapt> But there probably are solutions that require no virtual machines, no? 12:11 < reiffert> I cant see any reason for a virtual machine here. 12:12 < binrapt> I have Winsock2 application A. I need to run A 8 times through two different outgoing IPs. 12:12 < binrapt> One of them is the IPv4 given by my ISP 12:12 < binrapt> The other one is the IPv4 of my shell 12:12 < binrapt> 4 of them use my local IP 12:12 < binrapt> 4 of them use the remote IP 12:13 < binrapt> I don't know how to have the application use a certain network interface 12:14 < reiffert> you specify with the help of system calls bind() and listen() 12:14 < binrapt> I should have 4 of them use my onboard NIC and the other 4 ones the virtual NIC? 12:14 < binrapt> "A" does not use bind or listen 12:14 < binrapt> It's a client 12:15 < binrapt> It uses normal TCP/UDP and doesn't bind any local ports - it connects to remote ports 12:16 < reiffert> then there is your answer. 12:16 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 12:17 < binrapt> reiffert I don't understand, so what's a good mechanism to select the NIC for the application? Hm 12:18 < binrapt> I mean OpenVPN just provides the virtual NIC, right? From there on I'm on my own? 12:18 < binrapt> So I might have to inject a module which selects an NIC for Winsock2 based on the arguments passed to the application, for example? 12:18 < reiffert> e.g. routing. 12:19 -!- troy- [n=troy@worldnet.tauri.ca] has quit [No route to host] 12:20 < binrapt> Routing makes decisions based on addresses, no? 
In this case they all operate on the same addresses so I wouldn't know which NIC to give to which connection 12:20 < binrapt> They connect to the same IPs, 8 times 12:21 < reiffert> it depends on your application, though things are getting theoretical at that point. 12:21 < reiffert> e.g. your clients will choose a local port for its udp/tcp transmissions 12:21 < reiffert> you can have routing based on that local port. 12:22 < binrapt> True 12:23 < binrapt> I think the easiest solution is probably injecting a module into the target process which forces the application to use a certain NIC - I just need to RTFM to find out how to pull this off in Winsock 12:24 < reiffert> a virtual machine looks like a more simple approach. 12:25 < binrapt> It's probably too slow and would require more effort to control the clients then 12:25 < binrapt> I would have to write some networked IPC for the VM then first so I can control the clients without going into the VM all the time 12:26 < binrapt> Multi threading is important in this case too, VMWare only supports 2 cores for some reason 12:26 < binrapt> I don't even know any VMs which allow you to use as many cores as you wish 12:27 < binrapt> openvpn-blacklist - list of blacklisted OpenVPN RSA shared keys 12:27 < binrapt> What's that all about? 12:28 < Douglas> !forum 12:28 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 12:29 < Douglas> ecrist ping 12:29 < reiffert> binrapt: an old bug in openssl. 12:29 < reiffert> binrapt: which let openssh and openvpn have a blacklist package. 12:32 < newmember> here is my routing question, how do I add a route or a config item to enable me to connect to my vpn client from my host? 
http://pastebin.ca/1523092 12:33 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:34 < reiffert> newmember: 12:34 < reiffert> !route 12:34 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:39 -!- teddy [n=teddy@208.92.235.227] has quit [Remote closed the connection] 12:39 -!- teddy [n=teddy@208.92.235.227] has joined ##openvpn 12:45 -!- teddy [n=teddy@208.92.235.227] has quit [Client Quit] 12:46 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 12:51 < newmember> reiffert: I can see how iroute can help for LANs behind my client, how do I get to the client itself only from the ovpn server lan? 12:53 < krzee> all explained in !route 12:53 < krzee> comes down to a push route 12:53 < krzee> but if the server isnt the router for its lan, you need 1 more thing outside openvpn 12:53 < krzee> in !route its under the picture: ROUTES TO ADD OUTSIDE OPENVPN 12:53 < krzee> you also must make sure NO clients will be using the same subnet as the server lan 12:54 < newmember> krzee: good points 12:54 < krzee> so helps to move server lan (and any client lans that other clients can reach over vpn) to very unused subnets (10.8.10.x for example) 12:57 < newmember> (client)192.168.3.6 255.255.252.0-----------192.168.3.1 255.255.252.0(openvpnserver)192.168.0.1 255.255.255.0 with every client log on, openvpn gives the client a separate /22 12:58 < binrapt> Sun Aug 09 19:56:42 2009 All TAP-Win32 adapters on this system are currently in use. 12:58 < binrapt> addtap.bat said it successfully installed the driver and paused 12:58 < newmember> I would like connect to 192.168.3.6 from the LAN 12:59 < binrapt> I don't see any new NIC in the listings of Windows hm 12:59 < newmember> binrapt: are you on vista or windows7? 
12:59 < binrapt> Vista 64 13:00 < newmember> you have to run openvpn client as administrator 13:00 < binrapt> I am 13:00 < ecrist> Douglas: what? 13:00 < binrapt> As a responsible Windows user I have only one account 13:00 < binrapt> With administrator rights 13:00 < ecrist> binrapt: you have to run openvpn client as an administrator 13:01 < ecrist> !sudowin 13:01 < vpnHelper> ecrist: Error: "sudowin" is not a valid command. 13:01 < binrapt> Oh, normal execution doesn't run it with privileged rights? 13:01 < binrapt> That's strange 13:01 < ecrist> !learn sudowin as http://sourceforge.net/projects/sudowin/ 13:01 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:01 < binrapt> Does an Administrator prompt do the job? 13:01 < binrapt> Normal left clicks in explorer.exe do not execute it with administrator rights? 13:01 < newmember> when I start my GUI, it asks for permission to proceed 13:02 < ecrist> !learn sudowin as http://sourceforge.net/projects/sudowin/ 13:02 < vpnHelper> ecrist: Joo got it. 13:02 < ecrist> binrapt: why would it? 13:02 * ecrist goes down for a reboot 13:02 < binrapt> ecrist: Because there is only one administrator account 13:02 < ecrist> binrapt: programs don't normally run automatically as administrator 13:02 < ecrist> see my link to sudowin above 13:04 < binrapt> Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. 
(Code 39) 13:04 < binrapt> I just checked in the device manager 13:04 < binrapt> I already have 3 TAP devices heh 13:04 < binrapt> They just aren't visible 13:05 < Douglas> ecrist: pending post 13:05 < Douglas> idk what to say 13:05 < binrapt> http://www.pubbs.net/openvpn/200904/45404/ 13:05 < vpnHelper> Title: Openvpn-devel - Vista-64 cannot load Tap-Win32 driver - openvpn archive (at www.pubbs.net) 13:05 < binrapt> 2009, hooray 13:06 < binrapt> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/1/8913.html 13:06 < vpnHelper> Title: OpenVPN GUI for Vista 64 bit? - ReadList.com (at readlist.com) 13:06 < binrapt> This problem has been around for a while it seems 13:06 < binrapt> "Use OpenVPN 2.1_rc7 from http://openvpn.net/index.php/downloads.html" 13:07 < reiffert> rc7 is old. 13:07 < binrapt> So OpenVPN GUI uses totally outdated OpenVPN binaries? 13:07 < binrapt> Which Windows package should I use? 13:07 < binrapt> I am not entirely sure how this works for OpenVPN 13:07 < reiffert> gui included in recent versions 13:08 < binrapt> http://openvpn.net/ this looks like proprietary software 13:08 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 13:08 < krzee> !download 13:08 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 13:08 < binrapt> Thanks 13:08 < krzee> np 13:08 < krzee> they re-did the site, not the best its been 13:08 < newmember> binrapt: maybe this helps http://www.personalvpn.org/openvpn_vista.htm 13:08 < vpnHelper> Title: Personal VPN - OpenVPN and Windows Vista (at www.personalvpn.org) 13:09 < krzee> !vista 13:09 < vpnHelper> krzee: "vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. 
using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\ 13:11 < |Mike|> wow, it's back up ! 13:13 < krzee> ya i didnt know 13:13 < |Mike|> is it on a unstable box? 13:14 < krzee> nah im just fuckin with them 13:14 < krzee> im local 13:14 < krzee> had some usb2 deadlocks while using an external hd heavily with cp 13:14 < krzee> seems rsync makes it happier tho 13:15 < |Mike|> hehe 13:25 < newmember> this guy has the same issue as me: http://www.techimo.com/forum/linux-unix/227760-openvpn-not-routing-traffic-http-server-client.html 13:26 < krzee> !redirect 13:26 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:27 < krzee> !def1 13:27 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:27 < krzee> !ipforward 13:27 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:27 < krzee> !nat 13:27 < vpnHelper> krzee: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:30 < binrapt> Ok the new TAP adapter appears to work so far 13:30 < newmember> krzee: if those were meant for me, I would add that I am not trying to route all traffic or the default route. 
I just would like to ping the remote ovpn client from the LAN. Appreciating that those would accomplish that, the other volume of traffic would not work out in this situation. 13:31 < newmember> BTW my openvpn client can access all the hosts on the LAN 13:34 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"] 13:34 < binrapt> Sun Aug 09 20:32:10 2009 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054) 13:34 < binrapt> These messages keep on being printed :( 13:35 < binrapt> I probably misconfigured either my OVPN server or OVPN client I suppose? 13:35 < binrapt> http://wiki.debian.org/HowTo/openvpn 13:35 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org) 13:35 < binrapt> Copied the static.key to the Windows OpenVPN/config directory, made a client.ovpn 13:35 < newmember> binrapt: do you have a "keepalive" in the client config? 13:36 < binrapt> newmember nope 13:36 < binrapt> I used all the same values from the site I posted except for the remote IP obviously 13:36 < binrapt> I replaced it with the outgoing IPv4 of my shell 13:36 < newmember> keepalive 10 120 13:37 < binrapt> Ok 13:37 < krzee> and the real error is above that 13:38 < binrapt> krzee: http://siyobik.info/index.php?module=pastebin&id=240 13:38 < binrapt> I don't see any error message above them as such 13:40 < binrapt> Do you? 13:41 < krzee> howd it get .2? 13:42 < krzee> !configs 13:42 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:42 < krzee> !logs 13:42 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
13:43 < binrapt> krzee: http://wiki.debian.org/HowTo/openvpn 13:43 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org) 13:43 < binrapt> I followed that 13:43 < binrapt> ifconfig 10.9.8.2 10.9.8.1 13:43 < binrapt> newmember still the same 13:44 < binrapt> I can ping 10.9.8.2 13:44 < binrapt> But not 10.9.8.1 13:44 < newmember> another thought, sometimes a firewall will shut down a connection if its not being used 13:45 < binrapt> I don't have any firewalls 13:45 < binrapt> I can check the packets in Wireshark, sec 13:46 -!- toehio [n=toehio@dyn.83-228-189-016.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 13:46 < binrapt> I'm just behind a router with default port forwarding to me 13:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:46 < newmember> binrapt: that might do it 13:47 < binrapt> Why would it close OpenVPN connections? I mean I could connect directly without the router to check 13:48 < binrapt> newmember: The remote server sends ICMP messages 13:48 < binrapt> Port unreachable 13:48 < binrapt> Unrelated to the router 13:49 < binrapt> It was simply not running yet 13:50 < binrapt> Ok now it's running, trying again 13:50 < binrapt> Sun Aug 09 20:49:43 2009 Peer Connection Initiated with 207.46.197.32:1194 13:50 < binrapt> All is good <3 13:50 < binrapt> ping 10.9.8.1 works, hooray 13:50 < newmember> I think you were trying to get rid of that error 13:51 < binrapt> Yes I was 13:51 < binrapt> newmember it was caused by the OpenVPN server not running 13:51 < newmember> well that might do it 13:51 < binrapt> Yes indeed, haha 13:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:51 < Douglas> wb krzee 13:52 < binrapt> So all I need to do now is socket, bind with OpenVPN IP, connect and it'll perform the operation on the shell through the OpenVPN server? 
13:58 -!- toehio [n=toehio@dyn.144-85-221-154.dsl.vtx.ch] has joined ##openvpn 14:03 < binrapt> A socket operation was attempted to an unreachable network 14:03 < binrapt> :( 14:04 * Douglas twitch 14:05 < binrapt> I have no idea which local port to bind 14:05 < binrapt> But it doesn't appear to matter 14:05 < binrapt> I tried connection.bind(('10.9.8.2', 64010)) 14:05 < binrapt> (Python) 14:06 < binrapt> (10.9.8.2 is my client's first ifconfig argument) 14:08 < binrapt> A socket operation was attempted to an unreachable network. This usually means the local software knows no route to reach the remote host. 14:08 < binrapt> So my client configuration is still wrong? 14:08 < binrapt> Even though I can ping 10.9.8.1? 14:23 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 14:23 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 14:57 < binrapt> Shell says: no such device 14:57 < binrapt> http://siyobik.info/index.php?module=pastebin&id=241 14:57 < binrapt> Ping works though 14:57 < binrapt> What am I doing wrong? 14:57 -!- Eriar [n=eriar@p5B0D46CB.dip.t-dialin.net] has joined ##openvpn 14:58 -!- Eriar [n=eriar@p5B0D46CB.dip.t-dialin.net] has left ##openvpn [] 15:00 < krzee> .1 is windows? 15:00 < krzee> try 15:00 < krzee> !winroute 15:00 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 15:00 < krzee> also, make sure windows firewall is turned off 15:01 < krzee> for the ovpn device 15:02 < binrapt> krzee: .1 is Debian 15:02 < binrapt> .2 is Vista 64 15:02 < binrapt> I am told I need to set up NAT on the Debian shell 15:02 < |Mike|> you have client-to-client enabled aswell ? 
15:02 < krzee> he doesnt need it 15:02 < binrapt> Hm no, I can post my current configs if you wish 15:02 < krzee> in fact cant 15:02 < krzee> since he doesnt have clients 15:03 < binrapt> I want to have my Vista 64 client run network applications through the outgoing IP of the shell 15:03 < binrapt> The shell runs openvpn 15:03 < binrapt> It's the server 15:04 < binrapt> http://www.tektonic.net/wiki/index.php/VPN_+_NAT_Howto 15:04 < vpnHelper> Title: VPN + NAT Howto - TekPedia (at www.tektonic.net) 15:04 < binrapt> Is this guide the right one for me? 15:06 < krzee> !howto 15:06 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:06 < krzee> !redirect 15:06 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 15:06 < krzee> !sample 15:06 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:06 < |Mike|> so your server or shell runs openvpn and you would like to connect your vista laptop trough a router ? 15:06 < krzee> he wants to route outgoing traffic through his server 15:06 < binrapt> I don't want to redirect everything 15:06 < krzee> not just shell, you are root, right? 15:07 < binrapt> |Mike| no 15:07 < binrapt> krzee correct 15:07 < krzee> what do you want to redirect? 
15:07 < binrapt> It's my dedicated server 15:07 < binrapt> I need to selectively redirect arbitrary Winsock2 applications through the shell's IP 15:07 < krzee> ok 15:07 < binrapt> Sometimes I need to use my local ISP IPv4 15:07 < binrapt> Sometimes I need the shell's outgoing IPv4 15:07 < krzee> you need a sockd running on ovpn ip 15:07 < krzee> dante 15:08 < krzee> www.ircpimps.org/sockd.conf 15:08 < krzee> that is an insecure config, ONLY run it listening on ovpn ip 15:08 < krzee> then use proxifier to selectively route apps over the vpn via the sockd 15:08 < binrapt> I used dante on its own first, but I don't know how to socksify arbitrary Winsock2 applications without hooking like freecap does 15:09 < binrapt> The problem is that I have already Winsock2 hooks of my own installed 15:09 < binrapt> And setting them up to cooperate with freecap is problematic 15:09 < krzee> proxifier might be able to 15:09 < krzee> not sure if they use freecap 15:10 < krzee> could you maybe have the winsock apps hitting separate ip space than others? 15:10 < krzee> then selectively route that ip space over vpn 15:10 < binrapt> No they all hit the same IPs 15:10 < krzee> they must? 15:10 < binrapt> Yes 15:10 < binrapt> This is for Diablo II 15:10 < krzee> oh 15:11 < binrapt> I play 8 characters at once all the time, haha 15:11 < krzee> why the vpn? 15:11 < krzee> oh ok 15:11 < krzee> no idea man 15:11 < binrapt> And they prevent you from joining one game with more than 4 characters from the same IP 15:11 < binrapt> So I need 4 from my own IP and 4 from a remote IP 15:11 < krzee> separate computer 15:11 < krzee> selectively route on that computer over vpn 15:11 < binrapt> Well, VMWare would be easier, no? 15:12 < krzee> prolly if diablo runs good in your vm 15:16 < reiffert> why not use source port based routing? 
15:17 -!- toehio [n=toehio@dyn.144-85-221-154.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 15:17 < binrapt> reiffert: Possible, but source ports are chosen randomly, no? 15:18 < binrapt> So I'd have to hook ws2_32.dll connect and bind it to a port of my choice? 15:18 < binrapt> Ah 15:18 < binrapt> Proxifier appears to be more elegant 15:19 < binrapt> It uses injection too but it doesn't overwrite connect and such like freecap does 15:21 < binrapt> Nice, it's an LSP 15:21 < reiffert> How comes you know about injecting code into binaries but are mostly clueless when it comes to VPN? 15:21 < binrapt> Because I've never worked with VPNs before 15:22 < binrapt> Implementing SOCKS5 yourself is trivial actually 15:23 < binrapt> The problem is just that making it work through normal hooks is annoying with asynchronous I/O since you really want to block in the beginning 15:23 < binrapt> Unluckily Diablo II uses asynchronous I/O only and I haven't figured out a smart way to implement SOCKS5 myself for it without breaking its asynchronous connect sequence hm 15:26 < binrapt> reiffert: You consider VPNs to be a technically easier subject? 
15:30 < binrapt> Because I don't :| yet 15:32 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 15:32 < ThoMe> hello 15:34 < binrapt> Urgh, I followed http://www.tektonic.net/wiki/index.php/VPN_+_NAT_Howto 15:34 < vpnHelper> Title: VPN + NAT Howto - TekPedia (at www.tektonic.net) 15:34 < binrapt> connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP) 15:34 < binrapt> connection.bind(('192.168.2.2', 0)) 15:34 < binrapt> connection.connect((host, port)) 15:34 < binrapt> Woops sorry, I wanted to put that on one line 15:35 < binrapt> connect fails with socket.error: [Errno 10051] A socket operation was attempted to an unreachable network 15:35 < binrapt> I can ping 192.168.2.1 (server, 20 ms) 15:35 < binrapt> And 192.168.2.2 (my local VPN IP) 15:35 < ThoMe> emm 15:35 < ThoMe> is it posible to say in my client 15:36 < ThoMe> "set no gateway" ? 15:36 < ThoMe> also when the sever said "your gateway is after the connect 192.168.100.1..." ? 15:38 < krzee> it doesnt set a gateway unless you tell it to 15:39 < ThoMe> krzee: hi. 15:39 < ThoMe> krzee: but the server isnt from me 15:40 < binrapt> voidandfire:~# traceroute -n -s 192.168.2.1 4.2.2.1 15:40 < binrapt> traceroute to 4.2.2.1 (4.2.2.1), 30 hops max, 60 byte packets 15:40 < binrapt> 1 * * * 15:40 < binrapt> Prints further stars only :( 15:40 < krzee> oh 15:40 < krzee> route-nopull or something like that 15:40 < krzee> but then you need to set normal routes for the vpn like in --server 's pushes 15:40 < krzee> all seen in 15:40 < krzee> !man 15:40 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
15:41 -!- toehio [n=toehio@dyn.144-85-128-081.dsl.vtx.ch] has joined ##openvpn 15:43 < krzee> binrapt, that wouldnt work unless you have NAT on the server 15:43 < krzee> as explained in !redirect 15:43 < krzee> !redirect 15:43 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 15:43 < krzee> if you dont want all, you still need ip forwarding and nat 15:44 < binrapt> krzee as I already said 15:44 < binrapt> I added NAT 15:44 < krzee> the first part is for making all 15:44 < krzee> then nat is broken or ip forwarding is off or somewhere you arent passing the vpn subnet 15:44 < binrapt> # iptables -t nat -s 192.168.2.2 -A POSTROUTING -j SNAT --to 207.46.232.182 15:45 < binrapt> It showed the same behaviour even when I wasn't using NAT at all :( 15:45 < krzee> !linfw 15:45 < vpnHelper> krzee: "linfw" is "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info 15:45 < krzee> see bottom link 15:45 < ThoMe> krzee: ok, and how I can say set the network 15:45 < ThoMe> 172.16.0.0/16 and 192.168.0.0/16 over the gateway X ? 15:45 < krzee> ThoMe, no idea what you mean 15:45 < krzee> oh 15:45 < krzee> !route 15:46 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:46 < ThoMe> on the client-site 15:46 < krzee> err 15:46 < krzee> nm that 15:46 < krzee> just push route 15:46 < krzee> !push 15:46 < ThoMe> nm? 
15:46 < vpnHelper> krzee: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 15:46 < ThoMe> on the client ? 15:46 < krzee> nevermind that !route 15:46 < krzee> oh on the client 15:46 < krzee> just route 172.16.0.0 255.255.0.0 15:46 < krzee> and other one 15:46 < krzee> route 172.16.0.0 255.255.0.0 15:47 < krzee> route 192.168.0.0 255.255.0.0 15:47 < binrapt> What does "X" mean? 15:47 < binrapt> Is this an abbreviation for outgoing IP? 15:47 < ThoMe> yes this i ok :-) 15:47 < binrapt> I've seen this twice today already when I was reading OpenVPN documents 15:47 < binrapt> "gateway's X" 15:47 < binrapt> "server's X" 15:47 < krzee> no idea, would need context 15:48 < ThoMe> krzee: and now the last: how i can say on my client "dns/wins server is 172.16.1.8" ? :-) 15:48 < ThoMe> sorry please :-( 15:49 < ThoMe> is the last, really :-) 15:49 < krzee> this is all clear in the manual 15:49 < ThoMe> also on my client? 15:49 < krzee> try the very first hit in manual for "wins" 15:49 < krzee> !man 15:49 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:49 < ThoMe> ah ok 15:49 < krzee> its a client command 15:49 < krzee> server would normally push it to client 15:50 < krzee> to make it appear as if in client config 15:53 < ThoMe> dhcp-option dns 172.16.1.8 krzee ? 15:54 < ThoMe> ah now works 15:54 < ThoMe> thank you very much and good night :-) 15:55 < krzee> yw 15:55 < krzee> gn 16:00 < mirco> could you tell me how to remove a cert from easy-rsa? 16:00 < krzee> !crl 16:00 < vpnHelper> krzee: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. 
The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 16:00 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you 16:10 < mirco> Ok ok thank's, but how do I add the specific key to the CRL 16:10 < mirco> pkitool doesnt know such a parameter... 16:11 < Douglas> http://thenextweb.com/2009/08/09/note-friend-boss-fb-bitch-job/ 16:11 < vpnHelper> Title: Note to self: Dont friend your boss on FB and then bitch about your job. The Next Web (at thenextweb.com) 16:29 -!- toehio [n=toehio@dyn.144-85-128-081.dsl.vtx.ch] has quit [Success] 16:31 -!- toehio [n=toehio@dyn.144-85-188-092.dsl.vtx.ch] has joined ##openvpn 16:52 -!- mirco_ [n=mirco@tmo-109-171.customers.d1-online.com] has joined ##openvpn 16:56 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 17:05 -!- Ypsy is now known as YpsyZNC 17:08 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has quit [Connection timed out] 17:18 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: bauruine, Typone 17:18 -!- mirco [n=mirco@tmo-105-85.customers.d1-online.com] has joined ##openvpn 17:18 -!- Netsplit over, joins: bauruine, Typone 17:18 -!- mirco_ [n=mirco@tmo-109-171.customers.d1-online.com] has quit [Connection timed out] 17:20 < newmember> anyone know an openvpn consultant that might be available for me, I think my issue is a simple problem but I just need it completed. 
Thanks 17:29 -!- toehio [n=toehio@dyn.144-85-188-092.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 17:29 < |Mike|> newmember: you can state your question here :) 17:30 < newmember> this guy has the same issue as me: http://www.techimo.com/forum/linux-unix/227760-openvpn-not-routing-traffic-http-server-client.html 17:30 < newmember> |Mike|: you might have seen my posts from earlier toady 17:31 < |Mike|> !logs 17:31 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 17:31 < newmember> I want my lan to be able to ping a openvpn client 17:31 < |Mike|> that's possible 17:31 < reiffert> follow the stuff on !route 17:32 < newmember> !route talked more about LAN to LAN traffic accorss a vpn not to a openvpn client, at least that was my take 17:32 < vpnHelper> newmember: Error: "route" is not a valid command. 17:32 < |Mike|> !route 17:32 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:32 < |Mike|> that ^ 17:33 < newmember> yes I read that 17:33 < |Mike|> Each client has an Apache HTTP server that's on port 8000. I'm trying to reach this HTTP server through the VPN. The HTTP server works fine if I connect to the machine without using the VPN. 17:33 < |Mike|> "doh" 17:33 < |Mike|> or you must have some router wich supports VPN's 17:34 < |Mike|> and then again, those httpd's are bounded to 1 ip 17:35 < |Mike|> or something 17:35 < newmember> I have openvpn server running on pfsense in the office, and openvpn server running on centos on a server on amazon. Currently the office is a client to amazon and they can ping each other but not the LAN 17:35 < |Mike|> didn't you spoke with krzee about this issue ? 
17:35 < |Mike|> you have to add routes for those 17:35 < |Mike|> if your router isn't capable to do such stuff 17:36 < newmember> earlier, then someone else needed a hand and I had to chase the kids for while 17:36 < |Mike|> you have to create a client for each office computer (basicly) 17:36 < newmember> ok I can add route NP. 17:38 < newmember> where do I route too; eg (centos)(tun0)192.168.4.1 255.255.252.0----------------192.168.4.10 255.255.252.0(tun1)(BSD)(LAN)192.168.0.0(255.255.255.0) 17:38 < newmember> I want to connect to 192.168.4.1 from 192.168.0.17 for example 17:39 < newmember> I think my issue is that I have the incorrect route on centos 17:39 < krzee> !route 17:39 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:39 < newmember> centos is the server and BSD is the client 17:39 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has joined ##openvpn 17:39 < krzee> !configs 17:40 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:41 -!- toehio [n=toehio@dyn.144-85-146-008.dsl.vtx.ch] has joined ##openvpn 17:45 -!- mirco [n=mirco@tmo-105-85.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)] 17:45 < |Mike|> gheghe, i've struggled with route's in the past newmember, i've learned from it :) 17:52 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit ["leaving"] 17:55 < newmember> Im back sorry. 
configs on their way 18:01 < krzee> np im kinda busy anyways 18:01 < krzee> plus im smoking tons of weed 18:02 < krzee> (visiting california) 18:02 < krzee> TX: cumm: 874KB peak: 2.25Mb rates: 2.25Mb 1.71Mb 1.71Mb 18:02 < krzee> RX: 34.9MB 92.6Mb 92.6Mb 69.8Mb 69.8Mb 18:05 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has joined ##openvpn 18:07 < krzee> root@hemp:/usr/external> screen -r|grep -v There|grep -v Type |grep -v 11548|wc -l 18:07 < krzee> 32 18:10 < newmember> http://pastebin.ca/1523386 18:11 < newmember> Lets keep this a little more simple, this is config to my computer which is connected now. I can reach any host on the LAN but the LAN hosts can not ping me 18:12 < newmember> thanks for the assistance 18:13 < newmember> laptop(192.168.3.6)--------------192.168.3.1(tun1)BSD-FW---192.168.0.0 LAN-----------192.168.0.17(host) 18:13 < newmember> laptop(192.168.3.6)--------------192.168.3.1(tun1)BSD-FW(NIC1)192.168.0.0 LAN-----------192.168.0.17(host) 18:20 -!- toehio [n=toehio@dyn.144-85-146-008.dsl.vtx.ch] has quit [Success] 18:20 -!- toehio_ [n=toehio@dyn.83-228-191-232.dsl.vtx.ch] has joined ##openvpn 18:23 < |Mike|> you're missing a part 18:25 < newmember> sorry which part? 18:29 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 18:39 < |Mike|> !ccd 18:39 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 18:41 < newmember> sec 18:43 < newmember> http://pastebin.ca/1523417 18:44 < newmember> thanks 18:46 < |Mike|> why would you like to push a route twice ? 18:46 < |Mike|> or are 2 different subnets behind that bsd box ? 
18:49 < newmember> correct one is for the LAN and the other is for the DMZ 18:50 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 18:51 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 18:57 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 19:15 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 19:27 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 19:29 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 19:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 19:37 -!- toehio_ [n=toehio@dyn.83-228-191-232.dsl.vtx.ch] has quit [Connection timed out] 19:39 -!- toehio [n=toehio@dyn.144-85-175-061.dsl.vtx.ch] has joined ##openvpn 19:57 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 20:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 20:23 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)] 20:28 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 20:32 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 20:42 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 20:58 -!- toehio [n=toehio@dyn.144-85-175-061.dsl.vtx.ch] has quit [Success] 20:59 -!- toehio [n=toehio@dyn.144-85-185-194.dsl.vtx.ch] has joined ##openvpn 21:11 -!- master_of_master [i=master_o@p549D34B2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:13 -!- master_of_master [i=master_o@p549D3E44.dip.t-dialin.net] has joined ##openvpn 21:17 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn 21:18 -!- xp_prg 
[n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has joined ##openvpn 22:01 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 22:01 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 22:14 -!- deblike [n=xchat@62.68.142.120] has joined ##openvpn 22:14 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 60 (Operation timed out)] 22:26 -!- deblike [n=xchat@62.68.142.120] has quit [Client Quit] 22:35 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 22:38 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn 22:52 -!- deblike [n=xchat@62.68.142.120] has joined ##openvpn 22:58 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 22:58 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)] 23:24 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 23:28 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:28 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)] 23:29 -!- toehio [n=toehio@dyn.144-85-185-194.dsl.vtx.ch] has quit [Network is unreachable] 23:30 -!- toehio [n=toehio@dyn.144-85-137-235.dsl.vtx.ch] has joined ##openvpn 23:56 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has quit [Remote closed the connection] 23:56 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has joined ##openvpn --- Day changed Mon Aug 10 2009 00:04 -!- zheng [n=zheng@210.73.203.83] has quit ["Leaving"] 00:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:13 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has quit [Remote closed the connection] 00:19 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)] 00:22 -!- deblike [n=xchat@62.68.142.120] has quit 
[Read error: 110 (Connection timed out)] 00:22 -!- deblike [n=xchat@62.68.142.71] has joined ##openvpn 00:42 -!- mirco [n=mirco@p54B2563D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 00:52 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 01:11 -!- nospeq [n=nospeq@92.25.90.98] has joined ##openvpn 01:24 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 02:06 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 02:11 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 02:12 -!- Eagleray [n=erayd@khepry.erayd.net] has left ##openvpn [] 02:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:28 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 104 (Connection reset by peer)] 02:28 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 03:21 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn 03:23 < RadarG> hey I stll havent had any luck getting my connection to work. I have another idea. Will openvn work in virtualbox? 03:25 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 03:25 < RadarG> I have a xp virtual working in bridge mode, using an IP address on the same subnet as my host. Since the connection is only need temporarly can I just set up the guest os as the new gateway and hook the xboxs to point to it? 
03:30 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 03:30 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 03:31 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 03:32 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 03:33 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 03:38 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 03:39 < mirco> Hi all I've been asking how to revoke a cert yesterday, now that I know how I've the next problem: 03:39 < mirco> http://pastebin.org/7818 03:40 < mirco> As I'm not using PKCS11 I'll try commenting it out... 03:42 < mirco> After commenting out the pkcs11 section I come a bit further but am stuck at the rest of the error-msg: 03:42 < mirco> 35268:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:Expecting: TRUSTED CERTIFICATE 03:44 < mirco> Here's another pastebin, and just to let you know, I'm running all that on MacOSX 10.5.8 03:44 < mirco> http://pastebin.org/7819 03:51 -!- tecchi [n=sascha@ip-95-222-214-15.unitymediagroup.de] has joined ##openvpn 03:52 < tecchi> hi, is it possible to setup a road warrior environment with only one interface/public ip on the server machine? 03:58 < mirco> I think it's the default setup to have only one public ip... 04:02 < dazo> mirco: Read line 5 carefully in your last pastebin .... for some reason, openssl (which is used under the hood in easy-rsa/pkitool) do not manage to load some data 04:02 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 04:02 < dazo> mirco: make sure paths are valid and that the user running this command do have access to read it as well 04:02 < dazo> tecchi: yes, it is 04:02 < tecchi> is there any howto available? 
04:02 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 104 (Connection reset by peer)] 04:03 < dazo> !howto 04:03 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:03 -!- zheng_ [n=zheng@210.73.203.83] has joined ##openvpn 04:03 < dazo> tecchi: ^^ 04:03 < tecchi> argh, ok :) 04:04 -!- zheng_ [n=zheng@210.73.203.83] has quit [Read error: 54 (Connection reset by peer)] 04:04 < mirco> dazo: thank you, the *.crt file is zero sized... but why 04:05 < dazo> mirco: I don't know that .... if the .crt is empty, something is definitely wrong ... I dunno how that could have happened 04:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:06 < mirco> I mv'ed it from ../keys to ~/Desktop and back... but usually that can't be the reason! But I read that I could even put it on the crl if the file isn't there: let me see... 04:07 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 04:08 < mirco> It must have a prob with the f...ing name: mirco@home ... 04:10 < mirco> can I use a file name? so I could run "revoke-full mircoathome.crt" ?? 04:15 < mirco> doesn't look like... :-( 04:15 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 60 (Operation timed out)] 04:15 < mirco> Can i add it to crl.pem manually?+ 04:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 04:21 -!- bootlaces [n=david@222-152-136-115.jetstream.xtra.co.nz] has joined ##openvpn 04:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:22 -!- bootlaces [n=david@222-152-136-115.jetstream.xtra.co.nz] has quit [Client Quit] 04:24 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 04:28 < mirco> dazo: it's definetly the name of that f...ing cert, I created one just to revoke and it worked as expected: So I learned another lesson to do like in the early linux days before utf8 came up no special-signs ...!!! 
04:30 < dazo> mirco: hmmm ... that's interesting .... good thing to be aware of ... I'd expect openssl to be UTF/multi-byte safe though, but I've been wrong before 04:30 < RadarG> when I try to generate my CA cert on a windows box I get the following error openssl is not recognized. Why is this? 04:31 < dazo> RadarG: seems like you're missing a path to the openssl binary 04:31 < mirco> mirco@home was the cert's common-name 04:32 -!- tecchi [n=sascha@ip-95-222-214-15.unitymediagroup.de] has quit ["Leaving."] 04:33 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 04:33 < mirco> dazo: So I think I'll jusst ignore that cert in the near future, I created it only for my own home-router to office connection... 04:34 < dazo> mirco: that's odd that this wrong behavior it kicks in when using @ in common-name 04:35 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection reset by peer] 04:35 < mirco> But I've got another theme left: I'ld like to setup a roadwarrior for my home-router, so that I can connect via UMTS 04:36 < mirco> dazo: oh yeas that's f...ing odd!!! 04:36 < dazo> mirco: shouldn't be any big challenge ... you're home router will then act as a server? 04:37 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 04:37 < mirco> Problem with that roadwarrior is with the cert's... I've setup easy-rsa for the office-router, now I created another server-cert (pkitool --server schmidt-vpn) but I can't connect.... 04:38 < mirco> TLS Error: TLS handshake failed 04:38 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection timed out] 04:38 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 04:39 < mirco> I don't wanna setup a second easy-rsa for the home-router and my dad's home-router and the one for our sales-person#1 , #2 and so on.... 
05:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:05 -!- deblike [n=xchat@62.68.142.71] has quit [Remote closed the connection] 05:09 -!- binrapt [i=void@unaffiliated/binrapt] has left ##openvpn [] 05:10 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection timed out] 05:12 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 05:13 -!- zheng [n=zheng@210.73.203.83] has quit ["Leaving"] 05:15 < RadarG> cna someone help me create a openssl.cnf file to use on my windows box 05:17 < RadarG> Can someone pastebin a windows example of a openssl.cnf file? 05:25 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 05:26 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 05:32 < RadarG> does anyone know why the build-ca doesnt work in windows? its says that openssl is not recongnized but when I look into the build-ca.bat file I dont see anything about openssl 05:35 -!- toehio [n=toehio@dyn.144-85-137-235.dsl.vtx.ch] has quit [Connection timed out] 05:36 < RadarG> where do put in the build-ca.bat where openss; is located at? 05:37 -!- toehio [n=toehio@dyn.144-85-137-101.dsl.vtx.ch] has joined ##openvpn 05:40 < mirco> If you have openssl already installed on your windows box check your $PATH... 05:44 < RadarG> I found the openssl.exe in the "C:\Program Files\OpenVPN\bin" 05:44 < RadarG> do I have to copy build-ca.bat into the bin folder? 05:44 < mirco> radarg: and is that in your $PATH? 05:46 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection timed out] 05:47 < RadarG> I dont see a $PATH statement in the build-ca.bat 05:51 < RadarG> http://pastebin.com/d5f113a17 06:00 < mirco> ragarg: you can check your path in the system-settings right click on workplace and then settings... 
06:05 < RadarG> my instructions that I was following didnt tell me to reboot after installing openvpn 06:07 < RadarG> everything is working now 06:08 < RadarG> the ca.crt stayson the server right? 06:13 < RadarG> 'build-key-server" do I use just the hostname or xxx.dydns.org? 06:20 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 06:38 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 06:40 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:40 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 06:50 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 06:59 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 07:00 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 07:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:16 < mirco_> I've created a new server cert (pkitool --server test-server) and I've created new client-certs (pkitool --pass test-client) but I can't connect them. I've another router which also got cert's from easy-rsa to which I can connect with those cert's... Could someone pls give me a hand? 07:17 -!- toehio [n=toehio@dyn.144-85-137-101.dsl.vtx.ch] has quit [Connection timed out] 07:18 -!- toehio [n=toehio@dyn.83-228-146-007.dsl.vtx.ch] has joined ##openvpn 07:21 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out] 07:27 -!- toehio [n=toehio@dyn.83-228-146-007.dsl.vtx.ch] has quit [Read error: 60 (Operation timed out)] 07:39 < ecrist> good morning. 
07:39 < |Mike|> morning 07:39 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [] 07:40 < |Mike|> mirco_: logs & configs ktnx :) 07:40 -!- toehio [n=toehio@dyn.144-85-218-228.dsl.vtx.ch] has joined ##openvpn 07:40 < |Mike|> !configs 07:40 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:40 < |Mike|> !logs 07:40 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 07:40 < |Mike|> !more 07:40 < vpnHelper> |Mike|: Error: You haven't asked me a command; perhaps you want to see someone else's more. To do so, call this command with that person's nick. 07:46 < ecrist> |Mike|: !all works, too. 07:47 < |Mike|> hm ok 07:48 < |Mike|> i'm used to a gozer or dunkbot :P 07:49 < mirco_> |Mike|: took some time to collect it: http://pastebin.org/7871 07:50 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 07:51 < |Mike|> do you run some kind of firewall? 07:51 < mirco_> OS on Client is MacOSX 10.5.8 (Viscosity with OpenVPN 2.1) os on Router is PFsense 1.2.3RC1 (FreeBSD7 based with OpenVPN 2.0.6) 07:51 < |Mike|> !keepalive 07:51 < vpnHelper> |Mike|: Error: "keepalive" is not a valid command. 07:52 < mirco_> Yes I'm running the pfsense as firewall 07:52 < |Mike|> your TLS is low aswell 07:52 < |Mike|> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 07:53 < |Mike|> keepalive 10 120 07:53 < |Mike|> instead of 10 60 07:53 < mirco_> I know, that's what I'm getting since yesterday... 
The Firewall has a rule to allow UDP-traffic from any source and any port to go trough WAN-Interface on port 1194 07:54 < |Mike|> huh 07:55 < |Mike|> i'm sure that it's a firewall issue 07:55 < |Mike|> openvpn[4403]: TCP/UDP: Incoming packet rejected from 217.91.96.41:59024[2], expected peer address: 217.91.96.41:1194 (allow this incoming source address/port by removing --remote or adding --float) 07:56 < mirco_> I know but I didn'*t get this msg yesterday and today before you asked.... 07:56 < mirco_> when I add "keepalive 10 120" to the config it error's ... 07:56 < |Mike|> error? 07:59 -!- toehio [n=toehio@dyn.144-85-218-228.dsl.vtx.ch] has quit [Connection timed out] 08:00 < mirco_> german-error msg: 08:01 < mirco_> but after restarting the OpenVPN service on the pfsense router I see the following: Aug 10 14:58:30 openvpn[37111]: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 08:01 -!- toehio [n=toehio@dyn.83-228-179-201.dsl.vtx.ch] has joined ##openvpn 08:01 < mirco_> damn 08:02 < |Mike|> i read german aswell ;) 08:02 < |Mike|> what runs on port 1194 then? 08:04 < mirco_> I don't know, but aftewords came that annoying "remove --remote or add --float and as I've float in the server config I added it on the client site too.... to no eval... 08:04 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 08:07 < mirco_> When adding "keepalive 10 120" Viscosity give's the following error: "Verbindung fehlgeschlagen" Das OpenVPN Subsystem konnte nicht gestartet werden. Bitte überprüfen Sie den Protokollabschnitt... 08:07 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has joined ##openvpn 08:12 < mirco_> Options error: --keepalive conflicts with --ping, --ping-exit, or --ping-restart. If you use --keepalive, you don't need any of the other --ping directives. 08:12 < mirco_> that is much clearer... ! 
08:15 < mirco_> Mon Aug 10 15:14:35 2009 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 08:15 < mirco_> Mon Aug 10 15:14:35 2009 TLS Error: TLS handshake failed 08:15 < mirco_> Mon Aug 10 15:14:35 2009 SIGUSR1[soft,tls-error] received, process restarting 08:16 < mirco_> it seems I've got the usual DSL reconnect running atm, cause yesterday at 15h I replaced my IPCop with pfsense.... 08:24 < mirco_> the dyndns client in pfsense seems to more limited than I expected, not even that it manages only one entry it seems to be very slow too!!! 08:24 < |Mike|> it's doing altq aswell ? 08:24 < |Mike|> trafic shaping 08:27 < mirco_> yeap 08:29 < mirco_> atm it's doing nothing, and I'll be in the office for another 1,5 hours... 08:29 < Douglas> i need to go take a piss 08:29 < Douglas> but i don't want to move 08:30 < |Mike|> ok mirco_ 08:30 -!- toehio [n=toehio@dyn.83-228-179-201.dsl.vtx.ch] has quit [Network is unreachable] 08:30 -!- toehio_ [n=toehio@dyn.83-228-144-032.dsl.vtx.ch] has joined ##openvpn 08:30 < mirco_> Super! thank's a ton... 08:40 < mirco_> seems the f...ing dyndns client didn't update... :-( 08:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 08:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:01 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 09:06 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 09:07 -!- jeiworth [n=jeiworth@189.177.33.39] has joined ##openvpn 09:08 -!- toehio_ [n=toehio@dyn.83-228-144-032.dsl.vtx.ch] has quit [Network is unreachable] 09:10 -!- toehio [n=toehio@dyn.144-85-131-165.dsl.vtx.ch] has joined ##openvpn 09:19 -!- otakun [n=otakun@75-147-206-201-Memphis.hfc.comcastbusiness.net] has quit [] 09:20 < mirco_> Damn it... 
09:28 -!- bauruine [n=bauruine@2001:470:1f13:99b:21c:25ff:fe95:7b9] has quit [Remote closed the connection] 09:30 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection timed out] 09:50 -!- missnebun [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn 10:26 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has joined ##openvpn 10:41 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has quit ["Leaving."] 10:44 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 10:44 -!- bakermd [n=bakermd@38.101.225.215] has joined ##openvpn 10:44 < bakermd> Anyone got any insight on this startup error? 10:44 < bakermd> http://pastie.org/578596 10:45 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has joined ##openvpn 10:53 < krzee> that has nothing at all to do with openvpn 10:53 < krzee> ohh openvpn_as 10:53 < krzee> no, no clue 10:53 < krzee> we basically just troubleshoot the opensource openvpn 10:55 < bakermd> Cool - gotcha 10:56 -!- toehio [n=toehio@dyn.144-85-131-165.dsl.vtx.ch] has left ##openvpn [] 10:57 < krzee> not that anyones against troubleshooting as 10:58 < krzee> its just, as works very differently and nobody here has experience with it 10:58 < krzee> if you get it down, you could be the resident expert ;] 10:58 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:03 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Kreg-Work, flokuehn, Douglas, _impuls, mrnice`, worch --- Log closed Mon Aug 10 11:09:15 2009 --- Log opened Mon Aug 10 11:09:19 2009 11:09 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 11:09 -!- Irssi: ##openvpn: Total of 63 nicks [0 ops, 0 halfops, 0 voices, 63 normal] 11:09 -!- Irssi: Join to ##openvpn was synced in 30 secs 11:10 < |Mike|> !sample 11:10 < vpnHelper> |Mike|: "sample" is a working sample config: 
http://www.ircpimps.org/openvpn.configs
11:10 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
11:11 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn
11:11 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn
11:11 < |Mike|> lets test if openvpn client on win7 works
11:11 -!- gabriel25ny is now known as missnebun
11:29 -!- mirco [n=mirco@tmo-104-252.customers.d1-online.com] has joined ##openvpn
11:38 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:39 -!- mirco [n=mirco@tmo-104-252.customers.d1-online.com] has quit [Read error: 54 (Connection reset by peer)]
11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:46 -!- mirco [n=mirco@p54B27FBB.dip.t-dialin.net] has joined ##openvpn
11:48 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
11:49 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
11:51 < |Mike|> argh
11:51 < |Mike|> Mon Aug 10 18:50:53 2009 us=498019 Route addition via IPAPI failed
11:54 < newmember> argh, good?
11:54 < newmember> argh, bad?
12:00 < |Mike|> i do push a route, but it doesn't understand it in some way
12:01 < |Mike|> lol, 192.0.o.1 doesn't work
12:01 * |Mike| slaps himself
12:01 < ecrist> that o should be capitalized, I think.
12:01 < ecrist> :P
12:05 -!- mirco_ [n=mirco@tmo-104-252.customers.d1-online.com] has joined ##openvpn
12:10 -!- xp_prg [n=xp_prg3@64.164.138.246] has joined ##openvpn
12:23 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
12:25 -!- mirco [n=mirco@p54B27FBB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
12:36 -!- c64zottel [n=hans@p5B17B0F8.dip0.t-ipconnect.de] has joined ##openvpn
12:38 -!- netnoodle [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has joined ##openvpn
12:39 < netnoodle> can someone help me get my vpn up and running? the connection never completes, and the client just hangs at sending the initial packets. i know it's not an iptables issue. the config files and logs are at http://pastebin.ca/1524112
12:40 < netnoodle> could the issue be in line 21-22? i never noticed that before
12:43 -!- mirco_ [n=mirco@tmo-104-252.customers.d1-online.com] has quit []
12:44 < |Mike|> local some-ip ? :)
12:48 < Gumbler> !howto
12:48 < vpnHelper> Gumbler: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:48 < Gumbler> !redirect
12:48 < vpnHelper> Gumbler: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:48 -!- xp_prg2 [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:48 < Gumbler> !def1
12:48 < vpnHelper> Gumbler: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:52 < netnoodle> |Mike|, is it supposed to bind to something locally
12:56 -!- xp_prg [n=xp_prg3@64.164.138.246] has quit [Read error: 110 (Connection timed out)]
12:57 < |Mike|> netnoodle: yes
12:59 < netnoodle> |Mike|, could it be a time zone issue. is there anything that has to do with timezones and the certificates?
13:00 < netnoodle> the tls negotiation is failing
13:01 < |Mike|> could you set verb to 6 on the client ?
13:01 < netnoodle> yes |Mike| one second
13:02 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
13:02 < netnoodle> |Mike|, http://pastebin.ca/index.php
13:02 < netnoodle> sorry
13:02 < netnoodle> http://pastebin.ca/1524140
13:03 < dazo> !factoids search tcp
13:03 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:05 < netnoodle> |Mike|, the reason why I'm thinking it might be a time issue is because the same config worked when my computer was at home, but now im 9 hours ahead of the server time and i set my laptop clock manually
13:05 < |Mike|> time shouldn't matter
13:05 < netnoodle> ok
13:06 < netnoodle> i don't know why it kept doing P_CONTROL_HARD_RESET_CLIENT_V2 over and over
13:07 < |Mike|> i don't see a problem atm
13:08 < netnoodle> hmm
13:08 < Gumbler> yes
13:08 < Gumbler> it works :)
13:09 < Gumbler> traffic redirect through the openvpn :) *sry bad English*
13:15 -!- mirco [n=mirco@p4FDC7015.dip.t-dialin.net] has joined ##openvpn
13:21 -!- netnoodle [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has quit [Remote closed the connection]
13:36 -!- nospeq_ [n=nospeq@78.146.157.183] has joined ##openvpn
13:40 -!- bandini [n=bandini@host230-106-dynamic.21-79-r.retail.telecomitalia.it] has joined ##openvpn
13:49 < newmember> I am still having an issue with my config. http://pastebin.ca/1524196
13:50 < newmember> I am connected. But cant route from LAN at client to server LAN.
13:51 < ecrist> newmember: for the LAN at client you need a couple things
13:52 < newmember> ecrist: good to know, thanks
13:52 < ecrist> 1) NAT configured on the VPN
13:53 < ecrist> 2) set the VPN client up as the default gateway or the next hop for that subnet
13:55 -!- nospeq [n=nospeq@92.25.90.98] has quit [Read error: 110 (Connection timed out)]
13:56 < ecrist> 1) should have read: NAT configured on the VPN client
13:58 -!- mirco [n=mirco@p4FDC7015.dip.t-dialin.net] has quit []
14:00 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
14:00 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
14:01 < newmember> ecrist: i am trying to find specific statements for config that include NAT. I was trying to avoid routing all traffic.
14:02 < newmember> ecrist: thanks for the review and thoughts
14:03 -!- clyons [n=clyons@unaffiliated/clyons] has joined ##openvpn
14:05 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
14:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
14:11 < newmember> ecrist: is this what you were thinking of: http://nimlabs.org/~nim/dirtynat.html
14:11 < vpnHelper> Title: NAT tricks for VPN with clients in private address ranges (at nimlabs.org)
14:13 < ecrist> sure
14:13 < ecrist> there is nothing within the OpenVPN config that will make it work magically
14:15 < PeterFA> Where can I get complete documentation on the management interface? Alas, the site has documentation on the management interface but there's only some of the documentation.
14:16 < newmember> ecrist: I do not think I have a situation where I have identical network address spaces. So I am thinking i do not need nat. were you seeing that I have identical network address spaces?
14:17 < ecrist> no
14:17 < ecrist> if you don't want NAT
14:17 < ecrist> !route
14:17 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:17 < ecrist> !iroute
14:17 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
14:18 < PeterFA> !interface
14:18 < vpnHelper> PeterFA: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:18 < newmember> correct so I added iroutes to the ccd for this client and added route to the openvpn server.
14:20 < PeterFA> So, why is the documentation on the management interface truncated after "command parsing?"
14:20 < PeterFA> http://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
14:20 < vpnHelper> Title: Management Interface (at openvpn.net)
14:20 < unclecameron> !ccd
14:20 < vpnHelper> unclecameron: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:21 * PeterFA weeps because he's lonely.
14:22 < ecrist> newmember: so what's your problem?
14:24 < newmember> I can ping or connect to anything from the client LAN to the Server LAN
14:24 < newmember> interface status: http://pastebin.ca/1524237
14:24 < ecrist> does the client lan know how to route, do you have ip_forward enabled on the vpn client machine?
14:24 < newmember> sorry I can't ping or connect
14:24 < ecrist> is the firewall open
14:25 < newmember> firewalls have been turned off for troubleshooting
14:25 < ecrist> !iptables
14:25 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
14:25 < PeterFA> How do I use the "needok" command in the management interface?
14:25 < PeterFA> !needok
14:25 < vpnHelper> PeterFA: Error: "needok" is not a valid command.
14:25 < PeterFA> vpnHelper, yes it is.
14:25 < vpnHelper> PeterFA: Error: "yes" is not a valid command.
14:26 < newmember> ecrist: Ya I read that, I am using pf not iptables on the client
14:26 < ecrist> pfctl -d
14:26 < PeterFA> vpnHelper, I wasn't giving you a command I was correcting you, idiot.
14:26 < vpnHelper> PeterFA: Error: "I" is not a valid command.
14:26 < PeterFA> vpnHelper, correct, you are not a valid command.
14:26 < vpnHelper> PeterFA: Error: "correct," is not a valid command.
14:26 * PeterFA weeps.
14:26 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
14:27 -!- dotplus [n=dotplus@unaffiliated/dotplus] has joined ##openvpn
14:28 < dotplus> !configs
14:28 < vpnHelper> dotplus: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:28 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
14:31 < dotplus> when configuring files in server.conf, etc. can I use absolute paths like this: ca /path/to/CA.crt or is it only relative to the root of the openvpn directory, such as /etc/openvpn?
14:31 * PeterFA wonders why he was versioned from freenode-connect.
14:32 < PeterFA> Oh, it's a bot.
14:32 < newmember> hmmmm, it works but all i did was reconnect. did ecrist have a magic wand?
14:33 < newmember> and I reconnected and rebooted several times last night
14:35 -!- nospeq__ [n=nospeq@89.243.162.213] has joined ##openvpn
14:38 -!- nospeq [n=nospeq@89.243.162.213] has joined ##openvpn
14:42 -!- missnebun [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit []
14:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
14:44 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn
14:48 -!- CRASH69 [n=crash@201.200.94.66] has left ##openvpn []
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:53 -!- nospeq_ [n=nospeq@78.146.157.183] has quit [Read error: 110 (Connection timed out)]
14:53 -!- nospeq_ [n=nospeq@92.25.95.75] has joined ##openvpn
14:55 -!- ThoMe is now known as thomas
14:57 -!- nospeq__ [n=nospeq@89.243.162.213] has quit [Read error: 110 (Connection timed out)]
15:01 -!- nospeq [n=nospeq@89.243.162.213] has quit [Read error: 110 (Connection timed out)]
15:02 < dotplus> are there standard suggestions for whether using tcp or udp is better in particular circumstances?
15:03 < krzee> !tcp
15:03 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:04 < dotplus> thanks
15:16 -!- clyons [n=clyons@unaffiliated/clyons] has quit ["Leaving"]
15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:22 -!- troy- [n=troy@72.37.245.28] has joined ##openvpn
15:22 -!- Bushmills is now known as l
15:23 < troy-> how can i specify the group users must belong to for secondary user/pass auth?
15:23 -!- l is now known as Bushmills
15:33 < krzee> group?
15:33 < Douglas> sweeet
15:33 < Douglas> im in 111 8th ave
15:33 < Douglas> lol
15:35 < troy-> Douglas, why?
15:36 < troy-> krzee, i'm using the pam module so i want to restrict what users can login
15:36 < Douglas> troy-
15:36 < Douglas> i am chilling with bqscott
15:36 < troy-> say hi for me :P
15:36 -!- mirco [n=mirco@p4FDC7015.dip.t-dialin.net] has joined ##openvpn
15:36 < Douglas> he said hi back
15:37 < troy-> ok
15:40 < krzee> troy-, not using certs?
15:41 < krzee> you dont need to deny it at PAM
15:41 < troy-> i'm using both
15:41 < krzee> can deny it by adding cert to CRL
15:41 < troy-> i want to make sure users dont give each other the certs
15:41 < krzee> or adding disable to ccd entry
15:42 < troy-> hmmm
15:42 < krzee> if they share certs they'll share logins
15:42 < krzee> hell its easier to share the login
15:42 < troy-> true
15:42 < troy-> if i were just using pam auth how could i restrict what users on the system could use the vpn?
15:59 -!- c64zottel [n=hans@p5B17B0F8.dip0.t-ipconnect.de] has quit ["Leaving."]
16:04 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit ["VPN stuff"]
16:15 -!- bandini [n=bandini@host230-106-dynamic.21-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:16 -!- mirco [n=mirco@p4FDC7015.dip.t-dialin.net] has quit []
16:18 < krzee> [13:41] or adding disable to ccd entry
16:18 < krzee> with that
16:18 < krzee> and username-as-commonname something like that
16:19 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:24 -!- nospeq [n=nospeq@92.25.91.125] has joined ##openvpn
16:28 -!- nospeq__ [n=nospeq@92.25.248.15] has joined ##openvpn
16:30 -!- nospeq_ [n=nospeq@92.25.95.75] has quit [Read error: 60 (Operation timed out)]
16:32 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
16:34 -!- troy- [n=troy@72.37.245.28] has quit [Read error: 104 (Connection reset by peer)]
16:34 -!- nospeq [n=nospeq@92.25.91.125] has quit [Read error: 60 (Operation timed out)]
16:34 -!- troy- [n=troy@72.37.245.28] has joined ##openvpn
16:42 -!- nospeq [n=nospeq@89.243.160.20] has joined ##openvpn
16:53 -!- troy_ [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
16:59 -!- nospeq__ [n=nospeq@92.25.248.15] has quit [Read error: 110 (Connection timed out)]
17:05 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn
17:05 -!- troy- [n=troy@72.37.245.28] has quit [Read error: 104 (Connection reset by peer)]
17:20 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"]
17:28 -!- Ynot [n=Y@sd-4720.dedibox.fr] has joined ##openvpn
17:31 -!- mrnice` [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
17:42 -!- nospeq_ [n=nospeq@92.25.93.61] has joined ##openvpn
17:51 -!- nospeq__ [n=nospeq@92.25.93.94] has joined ##openvpn
17:59 -!- nospeq [n=nospeq@89.243.160.20] has quit [Read error: 110 (Connection timed out)]
18:09 -!- nospeq_ [n=nospeq@92.25.93.61] has quit [Read error: 110 (Connection timed out)]
18:10 -!- nospeq_ [n=nospeq@89.240.2.21] has joined ##openvpn
18:15 -!- jeiworth [n=jeiworth@189.177.33.39] has quit [Read error: 110 (Connection timed out)]
18:22 -!- nospeq__ [n=nospeq@92.25.93.94] has quit [Read error: 110 (Connection timed out)]
18:22 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:29 -!- nospeq__ [n=nospeq@89.240.2.21] has joined ##openvpn
18:31 < nospeq__> hi, i've installed openvpn on centos box. it's address is 192.168.1.x. i have installed alfresco over there on port 8080. how to access it if my openvpn is 10.8.0.1?
18:35 -!- nospeq_ [n=nospeq@89.240.2.21] has quit [Read error: 60 (Operation timed out)]
18:41 < |Mike|> eat crap
18:43 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
18:43 -!- davidm is now known as Guest28928
18:44 -!- Guest28928 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has quit [Connection reset by peer]
18:47 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
18:54 -!- nospeq [n=nospeq@89.240.2.21] has joined ##openvpn
18:59 -!- nospeq_ [n=nospeq@89.240.2.21] has joined ##openvpn
19:00 < nospeq_> ok, i found it. sorry for stupid question ;)
19:01 -!- nospeq__ [n=nospeq@89.240.2.21] has quit [Read error: 60 (Operation timed out)]
19:16 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:17 -!- nospeq [n=nospeq@89.240.2.21] has quit [Read error: 110 (Connection timed out)]
19:32 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:55 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
20:00 -!- troy_ [n=troy@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
20:02 < ecrist> sup bitches?
20:05 < Douglas> hey eric
20:05 < Douglas> there's an old pending post about buying an openvpn with some weird payment system
20:05 < Douglas> should i make a marketplace forum ?
20:13 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
20:16 -!- Snadder [i=sander@084202250202.customer.alfanett.no] has quit [Read error: 104 (Connection reset by peer)]
20:16 -!- sander_ [i=sander@084202250202.customer.alfanett.no] has joined ##openvpn
20:16 -!- sander_ is now known as Snadder
20:19 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
20:23 -!- Snadder [i=sander@084202250202.customer.alfanett.no] has quit [Read error: 60 (Operation timed out)]
20:23 -!- sander_ is now known as Snadder
20:36 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
20:38 < ecrist> Douglas: sure, I denied the post you're talking about, though.
20:40 < Douglas> oh ok
20:46 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn
21:03 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
21:08 -!- master_of_master [i=master_o@p549D3E44.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3B06.dip.t-dialin.net] has joined ##openvpn
21:16 -!- xp_prg2 [n=xp_prg3@99.2.31.217] has quit [Read error: 113 (No route to host)]
21:19 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
21:20 < thedoc> !linnat
21:20 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:28 < Douglas> thedoc: if you install snort, consider joining #snorby
21:42 < nospeq_> !redirect
21:42 < vpnHelper> nospeq_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:48 < nospeq_> !route
21:48 < vpnHelper> nospeq_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:59 -!- nospeq_ [n=nospeq@89.240.2.21] has quit [Read error: 60 (Operation timed out)]
22:07 -!- nospeq_ [n=nospeq@92.25.91.75] has joined ##openvpn
22:34 -!- kopf [i=kopf@spoon.netsoc.tcd.ie] has joined ##openvpn
22:34 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
22:35 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
22:35 < kopf> Hi. Is it possible to configure openvpn (client, windows) to maintain a persistent connection with the server? Sometimes my internet connection goes down for a second or two (at least that's what i *think* is causing it) and the client will be disconnected from the server, and I have to double click the openvpnGUI systray icon to reconnect.
22:39 < Douglas> sounds like a keepalive
22:39 < Douglas> !configs
22:39 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:40 < kopf> can't include the server config, a friend runs it (and i have no shell access). Does that matter? should I come back another time with it?
22:41 < Douglas> do client for now
22:46 -!- zheng [n=zheng@210.73.203.83] has quit ["Leaving"]
22:49 < kopf> sorry Douglas, something crazy just came up here
22:49 < kopf> will check in about my problem another time
22:58 -!- nospeq__ [n=nospeq@92.27.205.153] has joined ##openvpn
23:06 -!- nospeq_ [n=nospeq@92.25.91.75] has quit [Read error: 110 (Connection timed out)]
23:06 < Douglas> kopf np im about to go to bed
23:07 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:07 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:09 -!- troy_ [n=troy@72.37.245.28] has joined ##openvpn
23:10 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:10 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:17 -!- nospeq [n=nospeq@92.27.205.153] has joined ##openvpn
23:19 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:19 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
23:22 -!- nospeq__ [n=nospeq@92.27.205.153] has quit [Read error: 110 (Connection timed out)]
23:23 -!- kopf [i=kopf@spoon.netsoc.tcd.ie] has left ##openvpn []
23:27 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
23:28 -!- troy_ [n=troy@72.37.245.28] has quit [Read error: 110 (Connection timed out)]
23:52 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
--- Day changed Tue Aug 11 2009
00:19 -!- nospeq_ [n=nospeq@78.151.207.192] has joined ##openvpn
00:31 -!- nospeq [n=nospeq@92.27.205.153] has quit [Read error: 110 (Connection timed out)]
00:36 -!- nospeq [n=nospeq@78.151.207.192] has joined ##openvpn
00:49 -!- nospeq_ [n=nospeq@78.151.207.192] has quit [Read error: 110 (Connection timed out)]
01:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:09 -!- nospeq_ [n=nospeq@78.151.190.205] has joined ##openvpn
01:13 -!- nospeq [n=nospeq@78.151.207.192] has quit [Read error: 110 (Connection timed out)]
01:23 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has left ##openvpn []
02:07 -!- dazo [n=dazo@nat/redhat/x-vdrqelcmlbcnjcqr] has quit ["Leaving"]
02:08 -!- deblike [n=xchat@62.68.142.62] has joined ##openvpn
02:16 -!- dazo [n=dazo@nat/redhat/x-738053e914142980] has joined ##openvpn
02:20 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
02:20 -!- magic_1 [n=magic@mail.pharmed.co.za] has joined ##openvpn
02:23 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:27 -!- dazo [n=dazo@nat/redhat/x-738053e914142980] has quit ["Leaving"]
02:30 -!- dazo [n=dazo@nat/redhat/x-665bbc5db94a4811] has joined ##openvpn
02:59 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
03:05 < RadarG> anyone awake today?
03:06 < reiffert> no.
03:07 < RadarG> I'm still having fun trying to get my connection to work
03:08 < RadarG> whats the difference between a tun and a tap?
03:09 < reiffert> !howto
03:09 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:10 < RadarG> having looked at that its not that great
03:11 < reiffert> come back when it's better then.
03:12 < RadarG> I'll leave once I get my connection up
03:14 < reiffert> I'm afraid thats a threat and not a promise ... so tun is layer 3 and tap is layer 2.
03:14 < RadarG> that was a good answer thank you
03:16 < RadarG> I dont enjoy being difficult the howto is helpful if you have been messing with openvpn for awhile, but for a novice its rough
03:20 < RadarG> a good example was a problem I had last night with a windows install. the howto didnt specify that I needed to reboot prior to creating my keys. I wasted over an hour trying to figure out why my keys were not being created.
03:22 < reiffert> indeed that question got covered in the faq.
03:22 < reiffert> (tun vs tap)
03:22 < reiffert> I never was rebooting after the installation under windows. never. promise.
03:23 < RadarG> I had to though maybe it had something will me running a virtual who knows
03:24 < reiffert> Maybe more about environment variables and openssl.
03:25 < RadarG> the vm is xp. I'm not what could have been different its a brand new install
03:28 < reiffert> probably my fault.
03:37 -!- deblike [n=xchat@62.68.142.62] has quit [Client Quit]
03:41 * thedoc cheers
03:58 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
04:14 -!- nospeq_ [n=nospeq@78.151.190.205] has quit [Read error: 110 (Connection timed out)]
04:32 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)]
04:43 < RadarG> I'm a bit confused on using the "redirect-gateway" I'm not sure if its needed. I'm setting up a client to connect to a server. I want to be able to use the client as a gateway for 4 hosts. Would I need the redirect gateway option on the server?
04:47 < RadarG> so if I use push "redirect-gateway" 0.0.0.0/0.0.0.0
04:48 < RadarG> it will use the default gate of the server right?
04:59 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
05:01 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
05:02 < RadarG> I'm setting up a new install can someone please review my config? I would really like to hear inputs http://pastebin.com/d5321629d
05:02 < RadarG> this is my server config
05:05 < reiffert> #
05:05 < reiffert> push "redirect-gateway" 0.0.0.0/0.0.0.0
05:05 < reiffert> wrong.
05:06 < reiffert> #
05:06 < reiffert> push "route 10.8.0.0 255.255.255.0"
05:06 < reiffert> I'd remove that line in the 1st run
05:06 < reiffert> #
05:06 < reiffert> route 192.168.1.0 255.255.255.248
05:06 < reiffert> #
05:06 < reiffert> push "route 192.168.1.0 255.255.255.0"
05:06 < reiffert> inconsistent
05:06 < RadarG> oic
05:06 < RadarG> i didnt catch that
05:07 < RadarG> now the redirect gateway the "10.8.0.0" will that push the default gateway for the server? The server has 192.168.1.0/24 behind it that gateway is what I want to go out on
05:11 < RadarG> so the redirect gateway should be
05:11 < RadarG> push "redirect-gateway" 192.168.1.2/255/255/255/0
05:12 < RadarG> 192.168.1.2/255.255.255.0
05:24 < mirco> Hi all, I've my home-router connected as a client to the office-router, and now I'd like to test if it's possible to come as road-warrior from the office to the home-router! On the homerouter I see this: udp Out 84.178.127.187:1194 217.91.96.41:1194 MULTIPLE:MULTIPLE 21:09:33 00:00:58 18255 1763425
05:26 < mirco> And if I try to connect as roadwarrior I see this in the home-router OpenVPN.log: openvpn[4403]: TCP/UDP: Incoming packet rejected from x.x.x.x:62748[2], expected peer address: x.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)
05:32 < reiffert> push "redirect-gateway" 192.168.1.2/255/255/255/0
05:32 < reiffert> wrong
05:32 < reiffert> check manpage
05:32 < reiffert> its on the homepage
05:32 < reiffert> !man
05:32 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
05:32 < reiffert> normally people do:
05:32 < reiffert> push "redirect-gateway def1"
05:38 < RadarG> is "C:\\Program Files\\filename.crt" or "C:\\Program Files\filename.crt"
05:45 < RadarG> figured it out trial and error
05:45 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:46 < RadarG> is the gui on the server going to come up and say connected even though there is no clients connected to it?
05:55 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
06:02 < RadarG> damn i thought that I had it there for a minute
06:03 < mirco> I'm trying to setup OpenVPN on my home-router, I've successfully setup the Office-Router a few months ago. I can connect as roadwarrior to the office and could yesterday also connect the home-router as client to the office router, but then the home-router rejected packets coming from the roadwarrior... home-router is a pfsense 1.2.3RC1 nanobsd embedded Snap, office-router is pfsense 1.2.2 on Intel-Atom with gmirror
06:04 < mirco> Here is a scheme of the topography: http://pastebin.org/8152
06:04 < mirco> Here are the logs and configs from the home-router and roadwarrior, when home-router is not connected to the office-router as client: http://pastebin.org/8156
06:04 < RadarG> verify error unsupported cert
06:07 < mirco> RadarG: Where is that error? I can't find it in the log?
06:09 < RadarG> sorry I have my own problem that needs fixing. I'm i dont know enough to help you out. I'm still learning this stuff
06:10 < mirco> But did you mean me?
06:10 < RadarG> yes
06:11 < mirco> Because I think my prob is cert related too, but don't come further to, I saw you in here yesterday too....
06:11 < mirco> But you didn't read my logs, or did you?
06:11 < RadarG> one sec i'll read them
06:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
06:12 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:12 < mirco> I ask because I expected that you've to read em to give such an answer...
06:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:16 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"]
06:16 < RadarG> server config http://pastebin.com/d20966fb6 client config http://pastebin/d2dab5789
06:16 < RadarG> I'm getting a cert error
06:18 < RadarG> i have been working for a long time to get my setup running its been one headache after another
06:19 -!- xand [n=xand@unaffiliated/xelam] has quit [Read error: 104 (Connection reset by peer)]
06:20 -!- xand [n=xand@unaffiliated/xelam] has joined ##openvpn
06:21 < dazo> mirco: try to run your setup with verb 4 on client and server and repost the logs .... your logs are a bit vague ....
06:22 < RadarG> I think that I might have figured it out my client name cant be the same as my server name
06:22 < mirco> the config's aren't looking unusual... But my experience is limited to running openVPN on IPcop and pfsense, IPcop has the pro that it shows if the client is connected and it manages certs, but pfsense is the better Firewall...
06:22 < dazo> mirco: and also make sure that the server and clients have synchronized clocks as well
06:22 < mirco> dazo: thank you I'll repost logs in a few mins...
06:23 < RadarG> I learned about the clock issue the hard way. I have a 12 hour time zone difference to deal with
06:23 < dazo> mirco: and make sure to post the log file from when the openvpn server/client was started .... not just the last 100 lines or so
06:23 < mirco> Last login: Tue Aug 11 12:03:16 on ttys002
06:23 < mirco> \ [mirco@macbook-pro-wlan.bad-nauheim.xxx.de ~]
06:23 < mirco> 1$ date
06:23 < mirco> Di 11 Aug 2009 13:23:07 CEST
06:24 < mirco> wall:~# date
06:24 < mirco> Tue Aug 11 13:23:14 CEST 2009
06:24 < mirco> So time can't be the prob...
06:32 < mirco> dazo: Here are the "verb 4" logs: http://pastebin.org/8162
06:33 < dazo> mirco: date seems to be close enough
06:33 < mirco> yeap, they're both ntp synced...
06:34 < dazo> mirco: that's good enough .... try switching to TCP ... it might be you have some firewall issues. Not all firewalls like UDP for VPN
06:36 < RadarG> has anyone seen the following error "TXT_DB error number 2 could not find C;\Program Files\Openvpn\easy-rsa\keys\*old
06:36 < mirco> I'll do so but let me mention, that I'm running a totally similar setup on the office-router where I can connect as roadwarrior and with the home-router as client, with the same firewall setup.... Hopefully it'll help!!! And the office-router through which I'm trying to connect right now also let me connect to my IPcop based old OpenVPN only three days ago ...
06:37 < RadarG> I'm trying to make the client key and got that error
06:37 < mirco> nope sorry radarg, but have you thought about trying it on unix... You might get more people knowing unix than win... in here!
06:39 < RadarG> I would but I dont have a unix server setup in the states
06:39 < RadarG> so I'm stuck with a windows box
06:42 < RadarG> hmm I tried creating the client key on both the server and the client and got the same error
06:46 < RadarG> I figured it out. I was "build-key clientname" instead of "build-key client clientname"
06:46 < RadarG> it made the key but gave me the error at the end
06:47 < RadarG> I was wrong same error
06:49 < mirco> Damn it, my home-router firewall seems to block packets, but it has the rule as the office-router to let em through... Why the hell?
06:51 * dazo is so tempted to say: I told you so :-P
06:52 < mirco> yeap now I know.... But see this: office-router
06:53 < mirco> TCP/UDP * * WAN address 1194 (OpenVPN) * OpenVPN
06:53 < mirco> home-router: TCP/UDP * * WAN address 1194 (OpenVPN) * OpenVPN
06:57 < mirco> since 13:42 the home-router doesn't show a single packet in his vpn or firewall Log, I'm short before a reboot...
07:03 -!- mirco_ [n=mirco@tmo-104-252.customers.d1-online.com] has joined ##openvpn
07:14 < RadarG> damn i fix one problem and find another has anyone seen this error before http://pastebin.com/d951d47
07:17 < Douglas> does the file exist
07:17 < Douglas> lol
07:19 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:19 < RadarG> it was a windows problem from copying the certs to the windows box it renamed them to name.crt.txt
07:21 < Douglas> k
07:24 < RadarG> scratch that I'm still getting the same error
07:26 < RadarG> I have name.crt,name.key, and name.csr in the OpenVPN
07:26 < RadarG> key folder
07:31 < ecrist> good morning
07:31 < reiffert> RadarG: so now you are knowing enough for the howto, eh?
07:31 < reiffert> RadarG: try it.
07:32 < Douglas> ello eric
07:32 -!- RexMundi [n=RexMundi@77.95.99.166] has joined ##openvpn
07:35 < mirco_> dazo: port is directly after restarting the openvpn-server open, after a few connects nmap tells me it changed to filtered, and the firewall.log doesn't show an entry, and openvpn.log shows only that single connect: http://pastebin.org/8173 and here's the client: http://pastebin.org/8174
07:36 < mirco_> for me this seems to be a problem with the home-router which is running another release of pfsense than the office-router
07:36 < dazo> mirco_: sounds like a firewall issue then ... for some reason, the port is not configured to always be open
07:36 < dazo> pfsense .... that's some bsd based distro?
07:37 < mirco_> I even added a NAT rule: WAN TCP 1194 (OpenVPN) 192.168.0.1
07:37 < mirco_> (ext.: x.x.x.x) 1194 (OpenVPN) OpenVPN
07:38 < Douglas> i need to take a sh*t
07:38 -!- Eagleray [n=erayd@khepry.erayd.net] has joined ##openvpn
07:38 < Douglas> bbiab
07:39 < RadarG> I'm stuck
07:39 < ecrist> we don't want to hear about you having to poop, Douglas
07:39 < mirco_> dazo: yeap pfsense is bsd-based and till I changed my home-router (pcengines.ch WRAP) from ipcop to pfsense I was very happy with the setup, now I'm kind of annoyed from the RC version I installed on my WRAP...
07:40 < Eagleray> Hi all - Is there any documentation available for the openvpn source? I'm adding a feature, and trying to follow all the (often uncommented) code paths adds a lot of development time
07:40 < mirco_> RadarG: me too
07:40 < dazo> mirco_: I'm sorry ... I have no idea how to configure pf based firewalls :(
07:40 < mirco_> dazo: no reason to excuse....
07:41 < dazo> Eagleray: I'd like to get a copy of that doc as well, if you'll ever find it ;-)
07:41 < dazo> Eagleray: what kind of feature are you adding?
07:41 < ecrist> Eagleray: none that I'm aware of. The OpenVPN development team is rather shut-in, and likes it that way. Historically, they've been fairly hostile toward patches and offers of help and support.
07:41 < Eagleray> dazo: internal vlan tagging
07:42 < dazo> Eagleray: ahh ... cool
07:42 < Eagleray> ecrist: damn that's annoying - the source isn't exactly the nicest to work with
07:42 < dazo> Eagleray: I presume you're subscribed to the openvpn-devel mailing list?
07:42 < Eagleray> dazo: nope
07:43 < Eagleray> dazo: probably something I should do though :-)
07:43 < dazo> Eagleray: I know .... I'll be trying to add a MOTD message upon successful connections (a feature being discussed in mailing lists from time to time, but nobody has done it yet)
07:43 < Eagleray> dazo: motd displayed how?
07:43 < dazo> Eagleray: yeah, could be clever .... but just be warned .... you might not get too much feedback on patches sent to the devel list
07:44 < Eagleray> dazo: I wasn't intending to submit it until the feature is complete
07:44 < ecrist> dazo: motd wouldn't work very well, I'm thinking.
07:44 < Eagleray> dazo: if they don't accept it, I'll just throw it on my own site
07:44 < reiffert> I made a contrib/patch that uses utmp/wtmp for clients
07:44 < dazo> Eagleray: it's a missing feature .... right now, I'm trying to figure out how to implement it
07:44 < Eagleray> dazo: only way I can think of implementing that is to spit the motd out on stderr / stdout
07:44 < ecrist> with three different core OSes to support, with varying clients and graphics libraries to link with, it would be very difficult.
07:45 < dazo> ecrist: I'm thinking more of ... --motd on the server side
07:45 < reiffert> you can use push "echo"
07:45 < dazo> Eagleray: on the client side, stdout is the first approach ... then some management interface later on
07:45 < dazo> reiffert: yeah, that's a workaround
07:45 < dazo> reiffert: did you get your contrib/patch included?
07:45 < reiffert> no.
07:45 < ecrist> what I would like is a way to puch config updates to clients
07:46 < Douglas> ecrist: that'd be cool
07:46 < ecrist> s/puch/push/
07:46 * dazo read punch :-P
07:46 < Eagleray> ecrist: you can already do that by forcing a tunnel restart
07:46 * Douglas is listening to russian lesbians
07:46 < Douglas> dazo: me too
07:46 < ecrist> Eagleray: no, you can't push a new remote address to a client config programmatically
07:46 < ecrist> for example
07:47 < Eagleray> ecrist: oh right, gotcha - you mean update the non-pull config stuff
07:47 < ecrist> yes
07:47 < Eagleray> my normal approach is just to write a provisioning wrapper, but your way would certainly be more convenient!
07:48 < mirco_> dazo: It has a cute interface and till yesterday I was very happy with pfsense... http://de.tinypic.com/view.php?pic=30vggic&s=3 http://de.tinypic.com/view.php?pic=2rncxoh&s=3
07:48 < vpnHelper> Title: PFsense Firewall NAT Pictures, PFsense Firewall NAT Images, PFsense Firewall NAT Photos, PFsense Firewall NAT Videos - Image - TinyPic - Kostenlose Bild- und Videospeicherung und gemeinsame Nutzung von Fotos (at de.tinypic.com)
07:48 < RadarG> ok I'm stuck on the certificate loading problem
07:48 < ecrist> mirco_: get rid of pfsense and just run raw freebsd
07:48 < ecrist> you'll be happier, sans the 'cute interface'
07:49 < mirco_> Have you thought about moving easyrsa to unix...
07:49 < ecrist> easyrsa to unix?
07:49 < mirco_> ecrist: prob is I don't have an experience setting up pf except using the "cute interface" ...
07:50 < mirco_> yeah I mean just running easy-rsa on a possible VMware based unix machine....
07:51 < ecrist> mirco_: easy-rsa is a bunch of bash scripts.
07:51 < ecrist> it *is* on unix
07:51 < RadarG> ok guys does anyone know why I'm getting this key error
07:51 < mirco_> I thought RadarG is running it on Win...
07:51 < RadarG> i ma
07:51 < RadarG> i am
07:52 < mirco_> ecrist: so wouldn't it simplify things to run it on the arch it was written for?
07:53 < Eagleray> Good grief, sourceforge mailing lists are useless when it comes to reading archives :(
07:53 < dazo> oh yeah
07:54 < dazo> Eagleray: the archives are available via gmane as well, also via their nntp service
07:55 < Eagleray> dazo: what's it called? gmane search doesn't seem to see it
07:57 < Eagleray> yay, found the list
07:57 < dazo> I have it in nntp .... gmane.network.openvpn.devel / .user
07:57 < Eagleray> snap
07:58 < Douglas> I HATE THE FUCKING WEATHER
08:01 < ecrist> Douglas: what does the weather have to do with OpenVPN?
08:01 < Douglas> nothing
08:02 < Douglas> it has everything to do with ruining the plans for the next 3 days i had
08:02 * Douglas grumbles
08:05 < RadarG> ok guys i need help with my cert error I'm missing something but I cant figure it out
08:11 < RadarG> I have been reading and it says that the path defined isnt correct or the files can not be read by the radius daemon what ever that means
08:21 < krzee> alright guys
08:21 < krzee> leaving for plane in 1.5 hrs
08:21 < krzee> overnight in new york
08:21 < krzee> on to amsterdam
08:21 < krzee> so ill be seeing ya all from random airports
08:21 < krzee> other than that, adios for awhile
08:22 < krzee> i wont be very coherent
08:26 < RadarG> one last thing before I go to bed. I seem to have my client issues worked out but the stateside server is on the 98.xxx.xxx.xxx network let my client is showing connection reset from peer on 66.114.124.140
08:27 < RadarG> P_CONTROL_HARD_RESET_CLIENT_V2
08:28 < krzee> real error should be above that
08:29 < RadarG> ok laugh at my expense I double checked my config and I was connecting to xxxxx.xxxx.org. I cleaned out the file to post on pastebin. That's a real ip address
08:30 < RadarG> and like magic it connected I'll work on the rest later thanks guys
08:32 < Douglas> krzeeeeeeee
08:32 < Douglas> gonna chill in the city ?
08:34 < krzee> ya i gotta buddy out there imma crash with for the night
08:36 < Douglas> word
08:36 < Douglas> i was there yesterday
08:36 < Douglas> ok
08:36 < Douglas> bbl
08:37 < dazo> Douglas: come to central europe and your weather challenge will not be so big .... we have both rain and sun in a round robin type of cycle ..... so you'll get at least some of both :-P
08:39 < Douglas> w00t
08:39 < Douglas> internet in car
08:39 < Douglas> dazo: i was gonna take my gf to a water park and other stuff . . .
08:39 < Douglas> lol
08:39 < ecrist> krzee: when you're back
08:39 < ecrist> we should talk about new bot
08:39 < dazo> Douglas: then you probably don't need to worry about rain at all ... or have I misunderstood the water park concept? :-P
08:43 < krzee> ecrist, cool with me if its better
08:43 < krzee> whatever helps the most
08:46 < ecrist> want to do what they do in #php with ops on the bot
08:46 < ecrist> add a few new features.
08:48 < ecrist> that server of yours still working OK?
08:49 < ecrist> I see you have a heavy traffic load on your box lately.
08:50 < krzee> i do?!?
08:50 < reiffert> no, you do.
08:50 < ecrist> yeah, like 10K.
08:50 < ecrist> :P
08:50 < krzee> lol
08:50 < reiffert> load 10K? ya man!
08:51 < krzee> ya the box is good, its doing exactly what i want it to
08:51 < krzee> (not existing to anyone but you / me)
08:51 < krzee> ;]
08:53 < ecrist> lol
08:55 < Douglas> hm
08:56 < Douglas> dazo: thunderstorms in a water park
08:56 < Douglas> bad
08:59 < dazo> Douglas: hmmmm .... sounds a bit too exciting ....
08:59 -!- dazo is now known as dazo|afk
09:02 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
09:04 < Douglas> dazo|afk: id do it
09:04 < Douglas> but im not putting my gf in danger lol
09:04 < Douglas> my mom.. yeah... she can go hold a giant metal pole in the storm
09:05 * dazo|afk was just about to call Douglas a gentleman .... until he wrote about his mother ....
09:05 * dazo|afk is now really afk
09:06 < Douglas> lmfao
09:23 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:24 -!- mirco_ [n=mirco@tmo-104-252.customers.d1-online.com] has quit [Read error: 110 (Connection timed out)]
09:41 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn
09:45 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:53 -!- RexMundi [n=RexMundi@77.95.99.166] has quit [Read error: 104 (Connection reset by peer)]
09:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
09:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:59 -!- Irssi: ##openvpn: Total of 65 nicks [0 ops, 0 halfops, 0 voices, 65 normal]
10:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
10:06 -!- dazo|afk is now known as dazo
10:09 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
10:15 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
10:17 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
10:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:45 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:59 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
11:00 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
11:03 -!- nospeq [n=nospeq@89.240.15.80] has joined ##openvpn
11:18 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has joined ##openvpn
11:24 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:35 -!- dazo [n=dazo@nat/redhat/x-665bbc5db94a4811] has quit [Remote closed the connection]
11:36 -!- dazo [n=dazo@nat/redhat/x-2ed4adac0e4a0b97] has joined ##openvpn
11:47 -!- brad_ [n=quassel@12.48.121.170] has joined ##openvpn
12:05 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:12 < KaiForce> !logs
12:12 < vpnHelper> KaiForce: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:12 < KaiForce> !configs
12:12 < vpnHelper> KaiForce: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:19 < reiffert> !wtf
12:19 < vpnHelper> reiffert: Error: "wtf" is not a valid command.
12:19 < reiffert> !die
12:19 < vpnHelper> reiffert: Error: "die" is not a valid command.
12:19 < reiffert> !factoids search world
12:19 < vpnHelper> reiffert: No keys matched that query.
12:19 < reiffert> !factoids search insane
12:19 < vpnHelper> reiffert: No keys matched that query.
12:19 < reiffert> !factoids search conquer
12:19 < vpnHelper> reiffert: No keys matched that query.
12:19 < reiffert> !factoids search ecrist
12:19 < vpnHelper> reiffert: No keys matched that query.
12:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 110 (Connection timed out)]
12:23 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
12:24 < ecrist> reiffert: wtf are you looking for?
12:24 < reiffert> nothing special
12:25 < reiffert> world leadership
12:25 < ecrist> ChanServer sets mode ##openvpn +o for reiffert
12:25 < reiffert> 19:25 [freenode] -!- There is no such nick chanserver
12:26 < ecrist> ChanServ sets mode ##openvpn +o for reiffert
12:29 < ecrist> there's your world domination
12:29 < ecrist> as long as your view of the world is confined to this channel
12:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:10 -!- nqe [n=nukie@213.211.145.58] has joined ##openvpn
13:10 < nqe> !howto
13:10 < vpnHelper> nqe: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:11 < nqe> I'm using an exclamation mark ! in the middle of a password. is that preventing me from correctly using my .key file?
13:19 < ecrist> shouldn't
13:20 < nqe> is there a way of passing the pw quoted?
13:21 < ecrist> not that I'm aware of.
13:22 < nqe> using passfile?
13:22 < ecrist> no different than reading from STDIN
13:32 < reiffert> using --script-security=2 you can pass it with environment variables.
13:32 < reiffert> try to escape the ! like \!
13:32 -!- nqe [n=nukie@213.211.145.58] has quit [Read error: 60 (Operation timed out)]
14:27 -!- DogWater [i=DogWater@dhcp92.cmh.ee.net] has joined ##openvpn
14:28 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"]
14:29 < DogWater> We have a topology like this: L3 switch -> Server A -> Server B we are trying to use Server A as a bridge between Server B and the L3 switch but we're having an issue with BPDUGuard on the switch, should we be able to avoid that?
14:35 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
14:39 -!- DogWater [i=DogWater@dhcp92.cmh.ee.net] has quit []
14:45 < ecrist> didn't even wait 10 minutes for an anser
14:45 < ecrist> answer
14:45 -!- mirco [n=mirco@p54B265C0.dip.t-dialin.net] has joined ##openvpn
14:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:06 -!- jeiworth [n=jeiworth@189.177.33.39] has joined ##openvpn
15:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection]
15:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
15:43 -!- magic_1 [n=magic@mail.pharmed.co.za] has quit [Read error: 113 (No route to host)]
16:01 < reiffert> ecrist: and the answer would be?
16:03 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
16:28 -!- mirco [n=mirco@p54B265C0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
16:47 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit []
17:16 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
17:24 -!- mirco [n=mirco@p54B25D63.dip.t-dialin.net] has joined ##openvpn
17:26 -!- mirco_ [n=mirco@tmo-104-48.customers.d1-online.com] has joined ##openvpn
17:37 < mirco_> dazo: are u there?
17:42 -!- Bushmills is now known as l
17:42 -!- mirco [n=mirco@p54B25D63.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
17:42 -!- l is now known as Guest34574
17:43 -!- Guest34574 is now known as Bushmills
17:45 -!- mirco_ [n=mirco@tmo-104-48.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
17:46 -!- mirco [n=mirco@p54B25D63.dip.t-dialin.net] has joined ##openvpn
18:06 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
18:07 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Client Quit]
18:07 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"]
18:20 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 60 (Operation timed out)]
18:41 -!- jeiworth [n=jeiworth@189.177.33.39] has quit [Read error: 110 (Connection timed out)]
18:49 < Douglas> ecrist
18:49 < Douglas> ring
18:49 < Douglas> ecrist: http://www.ovpnforum.com/viewtopic.php?f=6&t=411
18:49 < vpnHelper> Title: OpenVPN Forum View topic - subnet routing (at www.ovpnforum.com)
18:52 -!- jeiworth [n=jeiworth@189.177.231.19] has joined ##openvpn
19:04 -!- mirco [n=mirco@p54B25D63.dip.t-dialin.net] has quit []
19:05 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
19:05 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
19:10 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
19:18 -!- gravyface [n=gravyfac@CPE001d7e53314f-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn
19:19 < gravyface> !topology
19:19 < vpnHelper> gravyface: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:19 < gravyface> umm
19:20 < gravyface> was hoping to see a recommended network topology/deployment for openvpn-as.
19:22 < gravyface> behind edge firewall with port forwarding?
19:24 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:25 -!- gravyface [n=gravyfac@CPE001d7e53314f-CM0014e8b59110.cpe.net.cable.rogers.com] has left ##openvpn []
19:46 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: nospeq, magic_1
19:49 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: joh, Ynot, jreno
19:49 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
19:49 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
19:49 -!- nospeq [n=nospeq@89.240.15.80] has joined ##openvpn
19:49 -!- Netsplit over, joins: Ynot, joh, jreno
19:53 -!- racan [n=racan@97-117-243-144.phnx.qwest.net] has joined ##openvpn
20:01 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: joh, Ynot, jreno
20:01 -!- racan [n=racan@97-117-243-144.phnx.qwest.net] has left ##openvpn []
20:02 -!- Netsplit over, joins: Ynot, joh, jreno
20:04 -!- dotplus [n=dotplus@unaffiliated/dotplus] has quit [Read error: 104 (Connection reset by peer)]
20:07 -!- dotplus [n=dotplus@allgoodbits.com] has joined ##openvpn
20:20 < Douglas> reminder to all of those who have not joined yet
20:20 < Douglas> !forum
20:20 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
20:35 -!- jeiworth [n=jeiworth@189.177.231.19] has quit ["No Ping reply in 90 seconds."]
20:35 -!- jeiworth [n=jeiworth@189.177.231.19] has joined ##openvpn
20:55 -!- miusf [n=miusf@85.214.97.22] has joined ##openvpn
20:57 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: roentgen, mius, ElectricBill
20:57 -!- miusf is now known as mius
21:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
21:00 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn
21:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Operation timed out]
21:04 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn
21:08 -!- master_of_master [i=master_o@p549D3B06.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D39F8.dip.t-dialin.net] has joined ##openvpn
21:43 -!- PhotoJim [n=jim@balgo.photojim.ca] has joined ##openvpn
22:07 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
22:08 < BasketCase> is it possible to either push multiple DNS search domains to an openvpn client (I know that is non-standard) OR configure the OpenVPN client to set multiple DNS search domains regardless of what the server says?
22:08 < BasketCase> I know it can be done with ISC dhcpd even though it isn't standard
22:18 -!- markus___ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
22:24 -!- markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
22:28 -!- jeiworth [n=jeiworth@189.177.231.19] has quit [Read error: 110 (Connection timed out)]
23:00 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
23:00 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit ["Leaving"]
23:00 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn
23:01 < subinacls_> i am trying to enable the vpn to push routes to the connected clients
23:01 < subinacls_> to forward the traffic over the vpn link
23:01 < subinacls_> when the routes come up
23:01 < subinacls_> it does not set the DfGW of the client
23:02 < subinacls_> and when i try to ping or go to a web page
23:02 < subinacls_> it just times out
23:02 < subinacls_> any advice is greatly appreciated
23:04 < subinacls_> here are my configs
23:04 < BasketCase> subinacls_: for the default gateway you want "redirect-gateway" in the client side config
23:04 < subinacls_> ahh!
23:04 < subinacls_> i was just about to post configs!
23:05 < subinacls_> so on my client add / change options!
23:05 < subinacls_> TY sir!
23:07 < subinacls_> clients GW stays the same
23:07 -!- subinacls_ [n=subinacl@97.100.182.253] has quit ["Leaving"]
23:08 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
23:08 < subinacls_> clients df gw stayed the same
23:08 < subinacls_> no changes
23:09 < subinacls_> http://slexy.org/view/s2kDRpizq4
23:09 < BasketCase> it works for me. I push the route to my private IPs in the server config then I redirect-gateway in the client config
23:09 < vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org)
23:10 < subinacls_> line #5
23:11 < BasketCase> redirect-gateway should switch the default gateway to the tunnel IP
23:12 < BasketCase> looks like you are pushing some other default gateway
23:12 < subinacls_> hmm i see
23:13 < subinacls_> i will make changes as directed!
23:15 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit ["Leaving"]
23:15 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
23:16 < subinacls_> still nothing
23:16 -!- d91admin [n=chatzill@122.172.61.187] has joined ##openvpn
23:16 < subinacls_> http://slexy.org/view/s2bGA16yF9
23:16 < vpnHelper> Title: Paste // Slexy 2.0 (at slexy.org)
23:16 < subinacls_> my configs
23:17 < d91admin> hi; having trouble accessing httpd over ovpn; setup a rackcloud server with iptables, httpd. can ssh thru ovpn but cant see httpd. can someone pls. help?
23:18 < subinacls_> Wed Aug 12 00:17:25 2009 ROUTE default_gateway=192.168.101.1 is still the same
23:18 < BasketCase> on the client side it isn't push "redirect-gateway def1" it is just redirect-gateway
23:18 < subinacls_> ahh
23:18 < subinacls_> sorry for my mistakes
23:18 < subinacls_> late nights early mornings
23:20 -!- d91admin [n=chatzill@122.172.61.187] has quit [Client Quit]
23:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Wed Aug 12 2009
00:07 < reiffert> moin
00:10 < krzee> moin moin from new york
00:16 < reiffert> far far north north!
00:31 -!- unclecameron [n=unclecam@173-86-185-164.dr01.myck.or.frontiernet.net] has quit ["Leaving."]
00:37 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
00:42 < BasketCase> it looks like installing resolvconf gave me the work around I needed btw
00:50 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
00:53 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
00:55 -!- thedoc_ [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"]
00:56 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Typone
00:57 -!- Netsplit over, joins: Typone
00:57 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has quit [Connection reset by peer]
00:57 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn
01:01 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
01:01 < krzee> working around what?
01:09 -!- hackmykack1234 [n=keith@122.169.104.151] has joined ##openvpn
01:09 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
01:11 < Douglas> krzee
01:11 < Douglas> evenin
01:11 * Douglas off to sleep
01:11 < hackmykack1234> hey guys .. had some weird stuff happen in openVPN on my laptop today .. basically could not connect to the Server with a 113 error code ...
01:12 < krzee> are you currently having the same problem?
01:12 < hackmykack1234> when I checked "route" i noticed that the metric was 205 or some such number .. whereas on the machines where it works the route Metric is 0
01:13 < hackmykack1234> Hi krzee, well I don't have the problem now coz i changed the metric to 0 on my laptop
01:13 < hackmykack1234> and now OpenVPN works fine
01:13 < krzee> windows i take it
01:13 < hackmykack1234> was just wondering if its meant to be like this or if there was a bug in OpenVPN
01:14 < hackmykack1234> krzee, nope .. archLinux
01:14 < krzee> oh, no idea then
01:14 < krzee> never heard of that problem
01:14 < krzee> can you reproduce it on another box?
01:15 < hackmykack1234> krzee, hmmm let me try ... give me a few mins
01:15 < krzee> also,
01:15 < krzee> !configs
01:15 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
01:17 < BasketCase> krzee: I was trying to get two different domains into my resolv.conf for searching
01:17 < krzee> BasketCase, ahh gotchya
01:17 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
01:19 < Douglas> krzee its late
01:19 < Douglas> wtf are you doing online
01:19 < BasketCase> now if only I could find a way to make the wifi work reliably :\
01:20 < krzee> Douglas, the question is what are YOU doing online... isnt it past your bedtime?
01:23 < Douglas> krzee: gf is here
01:23 < Douglas> just put her in my bed, im sitting on the couch now
01:23 < Douglas> about to go to sleep
01:23 < Douglas> 2mins or so
01:23 < krzee> ya im bout to shower and sleep too
01:23 < krzee> got a plane to catch tomorrow
01:24 < krzee> amsterdam here i come!
01:24 < Douglas> ooo
01:25 -!- hackmykack1234 [n=keith@122.169.104.151] has quit [Read error: 60 (Operation timed out)]
01:25 < krzee> im in NY right now dude
01:34 -!- hackmykack1234 [n=keith@122.169.104.151] has joined ##openvpn
01:35 < hackmykack1234> krzee, to answer ur question ... yes it does happen on another machine if I change the metric to 204 from 0
01:36 < krzee> lol
01:36 < krzee> that very much wasnt my question
01:37 < krzee> but im going to sleep anyways
01:41 < hackmykack1234> krzee, oops ... :>) very sorry about that then
01:42 < hackmykack1234> krzee, gnite ... and thnx for the help
01:43 -!- kleind [n=kleind@83.125.45.111] has joined ##openvpn
01:46 < kleind> Hi. I need a recommendation. I never used openVPN yet and I am tasked to set up "something" VPN-alike within a couple of days. It is supposed to be in production status within a couple weeks for about only 20 clients (not much more expected ever). Which version should I start with? 2006's stable or 2009's release candidate? Thanks.
01:47 < kleind> Hm, looks like 2.0.9 does not support vista. Then I guess the rc is my way to go.
01:48 < kleind> (some clients use vista)
01:56 < krzee> yes, rc19
01:56 < krzee> !sample
01:56 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
01:56 < krzee> !winroute
01:56 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
01:56 < krzee> !howto
01:56 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:56 < krzee> gnite
02:04 -!- hackmykack1234 [n=keith@122.169.104.151] has quit [Read error: 110 (Connection timed out)]
02:11 < kleind> krzee, thanks. I was not about to ask about those things, though :)
02:16 -!- aeturnus [n=aeturnus@h129.218.19.98.static.ip.windstream.net] has joined ##openvpn
02:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:58 -!- mirco [n=mirco@p54B266A7.dip.t-dialin.net] has joined ##openvpn
03:06 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn
03:21 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Typone
03:21 -!- Netsplit over, joins: Typone
03:25 < Cope> morning
03:26 < Cope> i'm a little puzzled about routing... I've included push "route 86.91.46.96 255.255.255.240" in my server.conf
03:26 < Cope> that's the network on which the openvpn server sits
03:27 < Cope> i'm expecting that over the vpn i can now connect to any machines on that network
03:27 < Cope> do i have to add a route back to the vpn server on every server on the network? that's very painful!
03:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
03:55 -!- mirco [n=mirco@p54B266A7.dip.t-dialin.net] has quit []
03:56 < dazo> Cope: basically, you need routes on the inside as well, yes .... so that the LAN computers know where the VPN resides. This is normally the case when the OpenVPN server is not located *on* the default gateway
03:57 < dazo> Cope: however, often it's enough to add that route on the default gateway .... but some routers are known to be broken in such setups ... then you'll need to either set up the route manually on each box ... or better, push the route via DHCP
04:02 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
04:03 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
04:07 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Typone
04:08 -!- Netsplit over, joins: Typone
04:10 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 54 (Connection reset by peer)]
04:11 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:17 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Typone
04:18 -!- Netsplit over, joins: Typone
04:20 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn
04:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:28 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
04:28 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has quit ["Lost terminal"]
04:34 -!- dazo [n=dazo@nat/redhat/x-2ed4adac0e4a0b97] has quit [Remote closed the connection]
04:35 -!- dazo [n=dazo@nat/redhat/x-bb1159ed321d986b] has joined ##openvpn
04:42 -!- jpetersson [n=jpeterss@gw2.mysql.com] has joined ##openvpn
04:42 -!- jpetersson is now known as garnser
04:51 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn
05:04 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
05:10 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
05:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:23 -!- brizly [n=brizly_v@90-230-225-201-no152.business.telia.com] has joined ##openvpn
05:23 < RadarG> I'm having trouble setting up my vpn server to use 10.8.0.1 and my client to use 10.8.0.2 for some reason I'm getting an error about subnet mask and network but it looks fine to me. Here is the server config for review http://pastebin.com/d7aa22d67
05:25 < RadarG> wouldnt I use a ifconfig and a push ifconfig?
05:27 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 110 (Connection timed out)] 05:33 < RadarG> if I want to do an ifconfig for a client the first address is for the client and the second address is the server right? 05:37 < reiffert> RadarG: 05:37 < reiffert> !factoids search subnet 05:37 < vpnHelper> reiffert: "samesubnet" is (#1) when a machine on a lan much be accessed over openvpn but sits on the same lan subnet as the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default 05:37 < vpnHelper> reiffert: gateway for the machines you added IPs to., or (#2) make sure to turn on ip forwarding on the machine running openvpn. 05:37 < reiffert> hrmn, no, ignore that. 05:37 < reiffert> !factoids search p2p 05:37 < vpnHelper> reiffert: No keys matched that query. 05:37 < reiffert> !factoids search topology 05:37 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 05:38 < reiffert> take this. 05:38 < reiffert> !/30 05:38 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:38 < reiffert> and that. 05:38 -!- brizly [n=brizly_v@90-230-225-201-no152.business.telia.com] has quit ["Leaving."] 05:42 < RadarG> that didnt help me that just stated that openvpn will use more than 1 ip for a client how does this help me? 
05:44 < RadarG> the articlejust tells me that I should freak out when I see traffic on wireshark that is going to other ips 05:44 < RadarG> shouldnt 05:44 < reiffert> ok, lets check the manpage. 05:44 < reiffert> especially the --serve rline. 05:44 < RadarG> ok I'm on it now 05:45 < reiffert> --server network netmask 05:45 < reiffert> For example, --server 10.8.0.0 255.255.255.0 expands as follows: 05:45 < reiffert> now check your config. 05:45 < reiffert> # 05:45 < reiffert> server 10.8.0.1 255.255.255.0 05:45 < reiffert> ah, there you made a mistake! 05:45 < reiffert> btw, I told you earlier to remove the following line 05:46 < reiffert> # 05:46 < reiffert> push "route 10.8.0.0 255.255.255.0" 05:46 < RadarG> the push route why? 05:46 < reiffert> do it. 05:46 < reiffert> it's done internally anyway. 05:47 < RadarG> ok 05:47 < reiffert> as you can see in the manpage under --server 05:47 < reiffert> For example, --server 10.8.0.0 255.255.255.0 expands as follows: 05:47 < reiffert> among other things: 05:47 < reiffert> route 10.8.0.0 255.255.255.0 05:47 < reiffert> push "route 10.8.0.0 255.255.255.0" 05:47 < reiffert> andsoon 05:54 < RadarG> ok I deleted the push route line. I have wireshark installed and running on both ends and it looks like traffic from the client is going to the server but I'm not getting anyreturn traffic coming back such as websites 05:56 < RadarG> the server is a vista box do I need to merge the netowrk connections on the vista box? 06:04 < RadarG> ok on wireshark the packets are leaving the client to go to google and on the server side I see that the packets look like they are leaving to go to google but I'm not seeing anything come back 06:05 < RadarG> it looks like the packets are getting stuck at the server and not making it out 06:06 < RadarG> will bridging the LAN to the VPN interfaces on the vista box resolve this? 06:11 < |Mike|> i wonder where people found that line reiffert (the server 10.8..... 
) 06:11 -!- RadarG1 [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has joined ##openvpn 06:12 < RadarG1> bridging the LAN and VPN connections on the vista box ia complete, I have dns on the client but websites are still not loading on the client 06:15 < |Mike|> !linnat 06:15 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 06:15 < RadarG1> DNS request time out cant find server name for address 10.8.0.1: timed out but my firewall responded back to the nslookup 06:16 < RadarG1> my client and server are both windows boxes 06:19 < |Mike|> i've no experience with openvpn on win* 06:21 < ecrist> good morning 06:22 < RadarG1> good morning to you and good night for me 06:23 < RadarG1> I'm still trying to get this to work 06:26 < RadarG1> ecrist do you have any experience with openvpn on windows systems? 06:28 -!- RadarG [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)] 06:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)] 06:56 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 06:57 < reiffert> |Mike|: soryy? 06:58 < reiffert> RadarG1: bridging things is the wrong idea when routing does not work. 06:58 < reiffert> fix that routing. 06:58 < reiffert> RadarG1: btw, now you are ready for !route 06:58 < reiffert> have fun. 07:00 < reiffert> RadarG1: passing packets from client to server works for you? 07:00 < reiffert> But packets dont come back? 
07:00 -!- markus___ is now known as _markus 07:03 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn 07:03 < RadarG1> thats what it looks like but when I bridged the vista box I lost connection to the server. I did read another site that looks like it has a simialar setup as mine but they are using a tap while I'm trying to use a tun. will that make a difference? 07:04 < Cope> !logs 07:04 < vpnHelper> Cope: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 07:04 < RadarG1> all I have is the client's right now 07:06 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:10 < kleind> Hi everybody. I was here like 6 hours ago, had not used OpenVPN before ever. I just wanted to thank you guys for the excellent HOWTO. A first working setup is online by now. I'm really impressed! Thanks! 07:16 < Cope> i've got my vpn up, the server config shows me connected 07:16 < Cope> I see: 07:16 < Cope> inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffffff 07:17 < Cope> on my client (macbook, tunnelblick) 07:17 < Cope> i expected to be able to ping 10.8.0.5 07:17 < Cope> or at least 10.8.0.6 07:17 < Cope> I can't 07:17 < RadarG1> I'm reading something about using a entry in the server config "mssfix 1400" but the article is old. Is this really needed noe in the current version of openvpn? 07:18 < Cope> 10.8.0.6 (ie my end of the tunnel) doesn't ping at all - just fails silently 07:19 < Cope> 10.8.0.5 (end point) doesn't ping, and I see: ping: sendto: No buffer space available 07:21 < Cope> configs: http://pastebin.com/m7dfdb841 07:28 < Cope> not sue what i am doing wrong here 07:28 < Cope> i've set this up lots of times before... but this just isn't working, it seems 07:28 < Cope> any ideaS? 07:33 < ecrist> RadarG1: I try not to 07:35 < ecrist> Cope: 'No buffer space available' means your firewall is blocking the packets. 
07:35 -!- thermoman [n=thermoma@84.201.90.210] has left ##openvpn [""Wenn der Rechner versteckt ist, kann er von Hackern auch nicht gefunden werden." Antje Weber, Symantec"] 07:36 < Cope> ecrist: where? I'm not running a firewall on the openvpn box yet, my macbook has the firewall set to allow everything 07:37 < Cope> the openvpn machine is a xen vm, and the Xen Dom0 has a firewall, but it permits traffic to 10.8.0.0 07:37 < ecrist> Cope: how would I know where the firewall is. I'm telling you 'No buffer space available' is indicative of firewall blocking ICMP echo requests. 07:37 < Cope> ok 07:40 < RadarG1> ecrist why 07:41 < Cope> right, well i stopped the firewall on the xen box, and i see the same, so i guess maybe my mac firewall is still running 07:41 < Cope> seems unlikely, since i can ping everything else 07:42 < ecrist> RadarG1: I don't use windows, so why would I run OpenVPN on windows? 07:48 -!- zheng [n=zheng@114.92.141.195] has joined ##openvpn 07:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 07:57 -!- zheng [n=zheng@114.92.141.195] has quit ["Leaving"] 07:59 < mirco> Hi all, I need to know if I can configure my pfsense as client and server in paralell? Because I need to connect my home-router to the office router to use my voip phone and I want to be able to log in @home with my laptop as roadwarrior... 08:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 08:08 < reiffert> RadarG1: tun layer 3, tap layer 2. 08:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer] 08:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:16 < ecrist> mirco: sure 08:16 < ecrist> two separate instances of OpenVPN 08:16 < ecrist> one listening as a server, one connecting out as a client 08:18 < mirco> ecrist: can they be on the same port? 
cause when the are my 1.2.2 based wrap tells: TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use 08:54 < ecrist> no, they can't be on the same port 08:55 < ecrist> the client part should pick a random udp port to connect out from 08:55 < ecrist> the server should listen to udp 1194, by default 08:58 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn 09:00 < MrPockets> I NEed some assistence in getting another client onto a pre-existing OpenVPN network (that i know little to noothing about) 09:06 -!- RadarG1 [n=nightwol@pool-98-108-119-38.chi01.dsl-w.verizon.net] has quit [] 09:07 < ecrist> create a certificate for it using the same CA the vpn server certificate is signed for. 09:07 < ecrist> issue to new client, it should work. 09:09 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)] 09:09 < MrPockets> yeah 09:09 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 09:09 < MrPockets> I think i need to track down a currently working client, and copy the config 09:09 < MrPockets> because this jackass didn't put a generic pre-config'd config anywhere 09:13 < MrPockets> Would this client I'm trying to setup being a 64 bit system pose any issues? 09:14 < ecrist> no 09:16 < MrPockets> good. Thanks for the help :) ! 09:19 < teddymills> I setup openvpn-bridged server on a NAT address. Portforwarded 1194/udp to the openvpn-server. OpenVPN clients from anywhere are able to connect. Do know know why I have to portforward 1194/udp on server side router, but vpn clients side router does not need portforwarding. 09:20 < teddymills> I setup openvpn-bridged server on a NAT address. Portforwarded 1194/udp to the openvpn-server. OpenVPN clients from anywhere are able to connect. Do NOT know why I have to portforward 1194/udp on server side router, but vpn clients side router does not need portforwarding. 
09:20 < ecrist> teddymills: becuase they are forward natted. 09:21 < teddymills> do not understand 'forward natted' 09:22 < ecrist> teddymills: your clients are coming from a NAT IP, which is automatically added to the state tables on their client routers. They are then connected to a remote IP, for which it is making an unsolicited connection. In a typical NAT configuration, the unsolicited connection will be dropped, as the router won't know what to do with the packet. 09:22 < ecrist> You have created a forwarding rule, telling your router what to do with those packets. 09:23 < teddymills> thx 09:27 < MrPockets> There are logs somewhere, sayign who connects and when, correct? 09:29 < ecrist> if logs are defined in the config, otherwise it all goes to stdout 09:34 -!- PhotoJim [n=jim@balgo.photojim.ca] has left ##openvpn [] 09:38 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 09:40 -!- bsod2 [n=bsod@i101244.upc-i.chello.nl] has quit [Read error: 110 (Connection timed out)] 09:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 09:46 -!- aeturnus [n=aeturnus@h129.218.19.98.static.ip.windstream.net] has quit [Remote closed the connection] 09:46 -!- aeturnus [n=aeturnus@h129.218.19.98.static.ip.windstream.net] has joined ##openvpn 09:51 < MrPockets> balls 09:55 < MrPockets> Do i need to specify anything in regards to the 64 bit TAP adaptor? 09:55 < ecrist> what do you mean. I can't parse that question. 09:56 < MrPockets> I've got it installed, but it says "All TAP32 adaptors on this system are currently in use" 09:56 < MrPockets> and under netwokr connections, I don't have any TAP connections, like i've had on previous 64 bit system 09:58 < ecrist> MrPockets: You do need to use rc19, I believe, for 64-bit support 10:00 < MrPockets> mhmm 10:00 < ecrist> why do people type things that are meant to be sounds? 
it took more effort to type 'mhmm' than kk or ok would have 10:03 < MrPockets> Is the vocal language that we communicate via text over IRC not also meant to be a sound? 10:04 < thedoc> ecrist, mhm. yeah. 10:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:08 -!- joh [i=johannj@caracal.stud.ntnu.no] has quit [Remote closed the connection] 10:08 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:09 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn 10:10 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)] 10:14 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."] 10:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 10:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 10:17 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn 10:19 < krzee> moin moin my german friends 10:19 < krzee> whats up with the Absinth out there? 10:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 10:23 -!- clebig [n=user@77.207.137.77] has joined ##openvpn 10:23 < clebig> hi 10:24 < clebig> It is possible to regenerate a new index.txt file using keys in keys directory ? 10:24 < clebig> or to edit manually this file ? 10:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:33 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 10:33 -!- karme [n=user@static.180.75.40.188.clients.your-server.de] has joined ##openvpn 10:35 -!- bsod2 [n=bsod@i101244.upc-i.chello.nl] has joined ##openvpn 10:40 < clebig> Can openvpn works without index.txt ? 10:45 < krzee> is the machine which that file resides on also the machine you generated certs from? 
10:45 -!- karme [n=user@static.180.75.40.188.clients.your-server.de] has left ##openvpn ["ERC Version 5.3 (IRC client for Emacs)"] 10:45 < krzee> because there is no index.txt with openvpn, but it could be how the key generating software remembers certs so you can make a CRL later if needed 10:49 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 10:53 < clebig> yes krzee, the machine which that file resides on is also the machine i generated certs from 10:53 < clebig> I generated them with the build-key script 10:54 < clebig> provided by openvpn debian package 10:55 < clebig> To revoke a key, can I simply delete all refered files of this key ? 10:59 < krzee> absolutely not 10:59 < krzee> it was signed by your ca's key 10:59 < krzee> deleting stuff on the server wont undo that 10:59 < krzee> !crl 10:59 < vpnHelper> krzee: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn) 10:59 < vpnHelper> krzee: that will create the CRL file for you. ssl-admin will also build a crl for you 11:01 < clebig> vpnHelper, is index.txt is corrupted, how can I use revoke-full script ? 11:01 < vpnHelper> clebig: Error: "is" is not a valid command. 11:01 < clebig> vpnHelper, if index.txt is corrupted, how can I use revoke-full script ? 11:01 < vpnHelper> clebig: Error: "if" is not a valid command. 11:01 < clebig> Ok but...if index.txt is corrupted, how can I use revoke-full script ? 11:02 < clebig> or How can I revoke securely my keys ? 
11:02 < ecrist> clebig: you need to delete it and re-revoke all your keys 11:02 < ecrist> index.txt only contains the next serial number to be used 11:02 < ecrist> it's a single number in hex 11:03 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit ["Leaving"] 11:03 < clebig> delete index.txt ? 11:03 < krzee> ahh 11:03 * krzee didnt know 11:03 < krzee> ive never actually created a CRL 11:04 < clebig> and it will be automatically regenerated ? 11:05 < clebig> if I remove mykey.key, mykey.csr and mykey.crt manually, will I be still able to connect to my server ? 11:06 < clebig> (I meam if I remove thoses files on server side) 11:10 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 11:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:11 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 11:17 < ecrist> IMHO, Cracked writers are pretty friggin' funny. 11:17 < ecrist> "Jesus is Jesus and therefore very difficult to kill, even in baby form." 11:17 < ecrist> that sentence is funny, in any context. 11:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:18 < ecrist> clebig: the client certificates don't need to exist on the openvpn server 11:19 < ecrist> krzee: you missed this 11:19 < ecrist> IMHO, Cracked writers are pretty friggin' funny. 11:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:19 < ecrist> "Jesus is Jesus and therefore very difficult to kill, even in baby form." 11:19 < clebig> ok, it's a bad news for me 11:19 < krzee> difficult~? 11:19 < krzee> !? 11:19 < vpnHelper> krzee: Error: "?" is not a valid command. 11:20 < clebig> I start to anderstand 11:20 < krzee> didnt they stone him and hang him on a cross? 
11:20 < krzee> shit time to get on the plane 11:20 < ecrist> clebig: I told you what index.txt is 11:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit] 11:20 < clebig> so, the server only need it's ca then all other clients which have a key signed by this ca are able to connect, right ? 11:21 < ecrist> yes 11:21 < clebig> I the keys I want to revoke are not in the index file marked as revoked, the still be able to connect 11:22 < clebig> so if my index.txt is corrupted, all keys I have revoked in the past are now able to connect again 11:22 < clebig> ? 11:22 < clebig> which is a very bad news 11:22 < ecrist> no 11:22 < clebig> ah 11:22 < ecrist> which keys can connect is a function of your CRL 11:23 < clebig> where is my crl ? 11:23 < ecrist> if you lose your index, you cannot generate a new CRL, howeverl. 11:23 < clebig> it's a file ? 11:23 < ecrist> clebig: did you create one? 11:23 < ecrist> your index.txt contains the following fields, in order 11:23 < clebig> I don't know, and if I don't know, probably I never create it 11:24 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out] 11:25 < ecrist> status (either V or R), unix timestamp, serial number, 'unknown', and certificate subject 11:25 < ecrist> so, start over 11:25 < ecrist> this time, make bacups 11:25 < ecrist> backups* 11:26 < clebig> yes 11:26 -!- sigius [n=sigius@93.125.185.45] has quit ["Leaving"] 11:26 < dazo> !route 11:26 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:27 < clebig> and with my new index.txt, I will be able to revoke 'anterior created' keys ? 11:27 < ecrist> I don't know what 'anterior created' is 11:29 < clebig> the keys I created a long time ago 11:29 < clebig> but not referenced in the new index.txtr 11:30 < ecrist> do you have an index.txt.old? 
11:30 < ecrist> that might be uncorrupted 11:32 < clebig> no, my collegue broke it too 11:32 < clebig> like all dpkg backups 11:33 < clebig> *config backups 11:33 < clebig> On a production server 11:33 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has left ##openvpn ["Client exiting"] 11:34 < clebig> rsync was not configured to backup /etc/ 11:36 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 11:41 < clebig> ok thank you ecrist for your help 11:41 < clebig> bye 11:42 -!- clebig [n=user@77.207.137.77] has quit ["Leaving"] 11:49 * dazo wonders why do people log out when they believe they've gotten a complete answer .... 12:03 -!- markl_ [n=mark@tpsit.com] has joined ##openvpn 12:04 < markl_> is it possible to use openvpn to connect to a cisco asa 5505 12:04 < markl_> ? 12:04 < ecrist> no 12:05 < markl_> that's too bad, cisco's client is not so good 12:07 -!- emod [n=emod@sage.emoderation.net] has joined ##openvpn 12:08 -!- pkoraca [n=pkoraca@89-201-154-152.dsl.optinet.hr] has joined ##openvpn 12:14 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 12:23 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Connection reset by peer] 12:24 < dazo> markl_: Cisco uses it's own protocol, just as OpenVPN, pptp, etc, etc .... 12:27 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 12:28 -!- pkoraca [n=pkoraca@89-201-154-152.dsl.optinet.hr] has quit ["Leaving"] 12:30 -!- rm [n=rm@fsf/member/rm] has joined ##openvpn 12:30 < rm> hello 12:31 < ecrist> hello 12:33 < rm> I use an IPv6-only tunnel, which runs over IPv4 link (using TCP) which has MTU of 1460 12:33 < rm> is there something I should specify in the config to ensure that packets never get fragmented? 
12:33 < rm> automatically, the tun0 device gets 1500 MTU 12:33 -!- aeturnus [n=aeturnus@h129.218.19.98.static.ip.windstream.net] has left ##openvpn [] 12:33 < rm> even though the underlying eth device has MTU 1460 12:34 < ecrist> you can test with -mtu-test 12:34 < ecrist> !mtu 12:34 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 12:36 < rm> thanks 12:43 -!- jacky_bro [i=cb51a60a@gateway/web/freenode/x-f8bad0b30d64f588] has joined ##openvpn 13:05 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 13:22 -!- actionhank [n=actionha@dsl5400B0C5.pool.t-online.hu] has joined ##openvpn 13:23 < actionhank> !howto 13:23 < vpnHelper> actionhank: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:30 < actionhank> I bought new apple airport express router. OpenVPN worked great before, now it will connect without problems to my server, but after 5 minutes it will disconnect my vpn connection, and wont let me connect again. Any suggestions on what the the most probable error might be? 
13:30 < actionhank> Oh, and as an error message I get this: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" 13:39 -!- actionhank_ [n=actionha@dsl5400B577.pool.t-online.hu] has joined ##openvpn 13:39 -!- actionhank_ [n=actionha@dsl5400B577.pool.t-online.hu] has quit [Client Quit] 13:42 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 13:44 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has quit ["Changing server"] 13:52 -!- actionhank [n=actionha@dsl5400B0C5.pool.t-online.hu] has quit [Read error: 110 (Connection timed out)] 14:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:06 -!- markl_ [n=mark@tpsit.com] has quit ["leaving"] 14:11 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 14:16 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 14:17 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 14:17 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 14:43 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 14:56 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn 14:57 < MrPockets> one more quick Q. As I'm setting up the config for the openVPN server. 
I'm at the part for "Configure Server mode and supply a VPN subnet for OpenVPN to draw client addresses from" 14:57 -!- anwoke [n=A@65.100.249.52] has quit [Connection timed out] 14:57 -!- [1]anwoke is now known as anwoke 14:58 < MrPockets> Last time i set this up, i configured it wrong, and it assigned my openVPN server the same address as the internal gateway when i connected the server for the first time 14:58 < ecrist> !1918 14:58 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 14:58 < ecrist> select anything you're not already using from that list 14:58 < ecrist> !1918 2 14:58 < vpnHelper> ecrist: Error: "1918" is not a valid command. 14:58 < MrPockets> ok. So it doesn't have to be on the same subnet? 14:59 < MrPockets> interneral IP is 10.0.0.0 i can have OpenVPN pushing out 192.168.1.0 15:01 * MrPockets shuts up and reads the wifi 15:02 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 15:03 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 15:22 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit [Read error: 60 (Operation timed out)] 15:24 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:31 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn 15:31 * MrPockets bangs head against desk 15:35 -!- subinacls_ is now known as subinacls 15:37 < MrPockets> I need some 'splanin'en. 15:38 < subinacls> wow 15:38 < subinacls> MrPockets, are you following me .... 
15:38 < subinacls> ;) 15:38 < MrPockets> I just thought that was nutty :-0 15:39 < subinacls> MrPockets, having troubles with openvpn pushing 15:39 < subinacls> default-router part of the config to clients also 15:39 < subinacls> no matter what i do i can not get the clients to accept 10.10.101.1 as the DF GW 15:40 < MrPockets> hmm 15:41 < MrPockets> You trying to configure split tunnel? 15:44 -!- emod [n=emod@sage.emoderation.net] has quit [] 15:50 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 54 (Connection reset by peer)] 15:53 -!- mirco [n=mirco@p54B266A7.dip.t-dialin.net] has joined ##openvpn 16:05 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."] 16:13 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has joined ##openvpn 16:18 -!- rm [n=rm@fsf/member/rm] has left ##openvpn [] 16:22 -!- mirco [n=mirco@p54B266A7.dip.t-dialin.net] has quit [] 16:22 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn 16:36 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)] 16:55 -!- subinacls is now known as sub-Phone-acls 16:56 -!- jeiworth [n=jeiworth@189.177.33.39] has joined ##openvpn 16:56 -!- unclecameron1 [n=unclecam@74.32.168.67] has joined ##openvpn 16:59 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 17:04 -!- sub-Phone-acls is now known as Sub-IN-acls 17:10 -!- flokuehn [n=flokuehn@62.48.92.62] has left ##openvpn [] 17:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 17:17 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection] 17:25 -!- Sub-IN-acls is now known as Sub-OUT-acls 18:10 -!- Sub-OUT-acls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)] 18:12 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 18:29 -!- 
Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 18:39 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has quit [] 18:45 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn 18:52 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn 18:59 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 19:00 -!- jeiworth [n=jeiworth@189.177.33.39] has quit [Read error: 110 (Connection timed out)] 19:18 -!- Overand [i=overand@crappy.domain.name] has joined ##openvpn 19:29 < Overand> Hm. I'm not sure if this is *quite* the right place, since I'm using a hacked-up OpenVPN setup (pfsense - a freeBSD based router distro) - but what I have happening is I'm using a TAP setup to bridge two segments - but when a machine on the, er, 'server' end does an ARP for the IP of what actually is the LAN iface on the 'client' side (what's bridged to that end's TAP) - I get the MAC of the TAP interface rather than the actual LAN int - and this c 19:35 < ecrist> Overand: you are likely seeing the MAC of the bridge interface, not the TAP interface. 19:35 < ecrist> which is normal behavior. 
19:36 < Overand> No, it's actually the TAP interface's mac, at least according to 'arp' on the workstation and ifconfig on the freebsd/pfsense system 19:37 < Overand> my guess is that this 'shouldn't matter' since they're bridegd anyway, and the "weird behavior" is some pfsense/pf/FreeBSD specific thing 19:37 < ecrist> I'm not sure what version of FreeBSD your particular version of pfsense is using, but I think all my FreeBSD boxes show the bridge interface 19:37 < ecrist> let me look at the sysctls 19:37 < ecrist> hang on 19:39 < ecrist> if you're worried about the logs showing wrong interface messages, set net.link.ether.inet.log_arp_wrong_iface to 0 19:40 < Overand> One end is 7.0, the other is 7.2 19:40 < Overand> It's not a matter of logs - it's a matter of the machines on one end not being able to route through the router on the other end 19:40 < Overand> *Unless* I assign a static ARP entry on said machines, heh. 19:41 < Overand> Which "works well enough" but is ugly for a number of reasons 19:41 < ecrist> if you're using properly configured bridging and TAP devices within OpenVPN, you should not have to set static ARP entries. 19:41 < Overand> ecrist: Windows and linux boxes behind one pfSense box (OpenVPN server) on subnet, say, 192.168.1.1, other stuff on the other end, same subnet - hence bridge 19:41 < Overand> ecrist: yeah - exactly 19:42 < Overand> But when I ARP from one end to the other, the LAN IP (bridged to the TAP interface) shows up with the TAP's mac 19:42 < Overand> Hmm. I have a thought. j'sec 19:52 < Overand> Yeah, same thing both ways - the LAN IP on each side is getting the wrong ARP entry, but as I said, it probably "shouldn't matter" 19:52 -!- magic_1 [n=magic@gprs02.rb.mtnns.net] has quit [Connection timed out] 19:57 < ecrist> wow, my blackberry theme site's been getting an average of about 1000 hits from unique IP addresses a month. 
20:00 -!- thedoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn 20:47 -!- SexyKen [n=ken@70-0-225-140.pools.spcsdns.net] has joined ##openvpn 20:47 < SexyKen> !route 20:47 < vpnHelper> SexyKen: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:47 < Douglas> balh 20:48 < Douglas> blah 20:48 < Douglas> one of the gentoo guys passed 20:48 < Douglas> that's sad 20:49 < SexyKen> I'm attempting to get OpenVPN working. I've got a Windows Vista Remote Client, connecting to a Debian Linux Server, set as a DMZ host from my firewall. The client connects to OpenVPN - but something must be up with routing. I can't connect to any of the boxes on the local network, though Windows does get a local IP. 20:51 < SexyKen> Any assistance would be very helpful. 20:53 < thedoc> Douglas, Whom? 21:07 < SexyKen> If I'm running OpenVPN GUI 1.0.3 - why isn't it compatible with vista? 21:08 -!- master_of_master [i=master_o@p549D39F8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has joined ##openvpn 21:13 -!- master_of_master [i=master_o@p549D3ACF.dip.t-dialin.net] has joined ##openvpn 21:21 < Douglas> thedoc 21:21 < Douglas> sec 21:21 < Douglas> thedoc: fmccor 21:24 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn 21:24 < gravyface> !route 21:24 < vpnHelper> gravyface: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 21:26 -!- SexyKenz [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has joined ##openvpn 21:27 < SexyKenz> hmm. 21:27 < SexyKenz> Can anyone assist here? 
21:27 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:41 -!- jacky_bro [i=cb51a60a@gateway/web/freenode/x-f8bad0b30d64f588] has quit ["Page closed"] 21:43 -!- SexyKen [n=ken@70-0-225-140.pools.spcsdns.net] has quit [Read error: 110 (Connection timed out)] 21:48 -!- subinacls [n=subinacl@97.100.182.253] has joined ##openvpn 21:59 -!- tjz2 [n=tjz@bb220-255-106-86.singnet.com.sg] has joined ##openvpn 22:06 -!- subinacls [n=subinacl@97.100.182.253] has quit [Read error: 60 (Operation timed out)] 22:06 -!- subinacls [n=subinacl@97.100.182.253] has joined ##openvpn 22:14 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn 22:16 -!- subinacls [n=subinacl@97.100.182.253] has quit [Success] 22:16 -!- tjz [n=tjz@bb220-255-106-86.singnet.com.sg] has quit [Connection timed out] 22:24 -!- SexyKenz [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has quit [Read error: 113 (No route to host)] 22:44 -!- rm [n=rm@fsf/member/rm] has joined ##openvpn 22:44 < rm> hello 22:44 < rm> the man page says: "OpenVPN requires that packets on the control or data channels be sent unfragmented." 22:45 < rm> I wonder is that still true when using TCP transport, not UDP? 22:52 -!- SexyKen [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has joined ##openvpn 22:56 -!- subinacls_ [n=subinacl@97.100.182.253] has quit [Read error: 110 (Connection timed out)] 23:01 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 23:06 < ecrist> !tcp 23:06 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 23:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 23:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 23:39 -!- thedoc [n=andelyx@unaffiliated/thedoc] has quit [Nick collision from services.] 
23:39 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 23:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Thu Aug 13 2009 00:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 00:47 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 00:51 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 01:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:03 -!- unclecameron1 [n=unclecam@74.32.168.67] has left ##openvpn [] 01:17 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has joined ##openvpn 01:30 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has quit [] 01:33 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:47 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 104 (Connection reset by peer)] 01:50 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 02:18 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)] 02:36 -!- SexyKen [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has quit [Read error: 60 (Operation timed out)] 02:54 -!- rm [n=rm@fsf/member/rm] has left ##openvpn ["Leaving"] 03:14 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: brad_, epaphus 03:16 -!- Netsplit over, joins: epaphus, brad_ 03:45 -!- tk_ [n=tk@78-2-125-157.adsl.net.t-com.hr] has joined ##openvpn 03:48 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 03:49 < tk_> hi! i have to build a VPN and connect 4 or 5 computers. 2 of them are in one network, and 2 in other. I managed to connect 2 computers, just to see if it works, and they establish a network but i can't ping them!? 03:50 < tk_> any help with that? 03:52 < tk_> nobody? 03:53 < thedoc> tk_, Did you permit your clients to talk to each other? 
03:53 < tk_> one of computers is server, one is client 03:55 < tk_> i just tried server to client for testing, and they connect, but can't ping each other with IP given with openvpn 03:56 < thedoc> tk_, Your client should only be able to ping the end of the tunnel (server) 03:56 < tk_> yes, i know, but it doesnt 03:57 < thedoc> Do you have iptables which are dropping ICMP? 03:57 < tk_> i don't understand? 03:58 < tk_> i use network bridge mode, if that helps 03:59 < thedoc> tk_, Which platform are you using? 03:59 < tk_> windows 03:59 < thedoc> ahh. 03:59 < thedoc> tk_, Sorry man, no experience with Windows. 03:59 < thedoc> Perhaps the howto would be better. 03:59 < thedoc> !howto 03:59 < vpnHelper> thedoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:59 < tk_> ok, thanks 04:13 -!- tk_ [n=tk@78-2-125-157.adsl.net.t-com.hr] has quit ["Leaving"] 04:26 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has joined ##openvpn 04:35 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has joined ##openvpn 04:58 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 04:59 < mlaci> hi guys! it looks like openvpn doesn't forward the packets i send despite /proc/sys/net/ipv4/ip_forward is set to 1 and all relevant chains ACCEPT the packages. what could be wrong? 05:00 -!- SexyKen [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has joined ##openvpn 05:01 < Gorkhaan> is forwarding OK in iptables? 
NAT, Masquerade :) 05:07 < thedoc> !nat 05:07 < vpnHelper> thedoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 05:07 < thedoc> !linnat 05:07 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 05:10 -!- SexyKen [n=ken@c-24-4-238-23.hsd1.ca.comcast.net] has quit [] 05:10 < mlaci> Gorkhaan, I see you speak Hungarian too ;) every chain is empty and the default policy is ACCEPT. is masquerade absolutely necessary? 05:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:29 < mlaci> Gorkhaan, it looks like it needs it. now it works like this: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 05:30 < Gorkhaan> come to a private message, this is an English channel 05:31 < mlaci> sorry everybody for the foreign language. masquerading helped me: iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 05:31 < cpm> yeah, me too 05:31 < Gorkhaan> :) 05:34 -!- RadarG1 [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn 05:34 < RadarG1> well guys I think I have about figured it out 05:34 < RadarG1> I just need to work on the routing 05:36 < RadarG1> Im reading an article about a guy who setup a openvpn server on a windows box it talks about changing the routing table on the router. is this really needed if you have the routing setup on the server and the port forwarded to the server? 
05:39 < eliasp> when revoking client certs, is the crl.pem file updated or does it only contain the information for the last revoked client? usually, the revoked clients should have a line starting with "R" in index.txt, right? 05:39 < RadarG1> any in here good with windows routing? 05:43 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:47 < RadarG1> http://pastebin.com/d78336fb2 05:47 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 05:47 < RadarG1> !route 05:47 < vpnHelper> RadarG1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:47 < BigJB> !redirect 05:47 < vpnHelper> BigJB: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 05:48 < BigJB> !def1 05:48 < vpnHelper> BigJB: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 05:48 < RadarG1> i used the redirect 05:49 < BigJB> !nat 05:49 < vpnHelper> BigJB: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 05:49 < BigJB> !ipforward 05:49 < vpnHelper> BigJB: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 05:49 < BigJB> !linipforward 05:49 < vpnHelper> BigJB: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 05:49 < RadarG1> !winipforward 05:49 < vpnHelper> RadarG1: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 05:52 < RadarG1> I did the winipforward its still not working 05:52 < RadarG1> http://pastebin.com/d19f7295f server config 05:54 < RadarG1> http://pastebin.com/d2a899c33 client config 05:56 < RadarG1> on the server end I'm seeing with wireshark that the pings are making it through to the server but not going out 05:57 < eliasp> it seems i have trouble revoking certs because of "ERROR:name does not match..." ... would it also work just deleting the cert data + the entry from the index.txt to make sure, noone can establish an OpenVPN connection using this cert any longer? 05:59 < RadarG1> should I add a route on the windows box? 
06:16 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 60 (Operation timed out)] 06:16 < RadarG1> I think my problem lies in the windows routing on the vista box 06:18 -!- tonik [n=tk@78-2-125-157.adsl.net.t-com.hr] has joined ##openvpn 06:19 < tonik> hi, just one quick question... do i have to make a bridge on server and on client or just on server? thanks 06:26 < RadarG1> anybody good with routing on a windows box? 06:28 < reiffert> RadarG1: still client's packages reach server but not vice versa? 06:28 < reiffert> RadarG1: server able to ping client? 06:31 < RadarG1> no from server 192.168.1.10 to client 192.168.4.7 reply from 10.8.0.1 destination host unreachable 06:31 < reiffert> RadarG1: I mean: 06:32 < reiffert> server able to ping client vpn ip? 06:32 < reiffert> which should be smth similar to 10.8.0.6 or 10.8.0.5 06:34 < reiffert> A possible answer will be simple: yes or no and shouldnt take *that* long. 06:34 < RadarG1> 10.8.0.6 timed out 10.8.0.5 timed out 06:35 < reiffert> ah, there you are. 06:35 < reiffert> ok, lets check your configs 06:35 < reiffert> btw, client can ping 10.8.0.1? 06:35 < RadarG1> http://pastebin.com/d19f7295f server config 06:35 < RadarG1> http://pastebin.com/d2a899c33 client config 06:36 < RadarG1> no 06:36 < reiffert> please remove those lines from the server config, its just for testing, ok? 
06:36 < reiffert> local 192.168.1.10 06:36 < reiffert> push "route 192.168.1.0 255.255.255.0" 06:36 < reiffert> push "redirect-gateway def1" 06:37 < reiffert> push "dhcp-option DNS 10.8.0.1" 06:37 < reiffert> client-to-client 06:37 < reiffert> max-clients 2 06:37 < reiffert> verb 6 06:37 < reiffert> mute 20 06:37 < reiffert> route-method exe 06:37 < reiffert> route-delay 2 06:38 < reiffert> please remove the following lines from the client config, its just for testing, ok? 06:38 < reiffert> : 06:38 < reiffert> # 06:38 < reiffert> verb 6 06:38 < reiffert> # 06:38 < reiffert> mute 20 06:38 < reiffert> # 06:38 < reiffert> route-method exe 06:38 < reiffert> # 06:38 < reiffert> route-delay 2 06:38 < reiffert> # 06:38 < reiffert> route 192.168.1.0 255.255.255.0 06:38 < reiffert> nobind 06:38 < reiffert> # 06:38 < reiffert> mute-replay-warnings 06:38 < reiffert> # 06:38 < reiffert> comp-lzo 06:38 < reiffert> remove "comp-lzo" from server conf as well. 06:39 < reiffert> next step: 06:39 < reiffert> connect client to server, paste client log. 06:41 < reiffert> and while pasting, paste your *current* client and server configs. 06:41 < RadarG1> 1sec 06:42 < reiffert> 1sec passed away, you lose. 06:43 < RadarG1> lol 06:43 < reiffert> be sure to paste the remote line as well, I'd like to see at least the 1st three octets of the remote address. 06:45 < reiffert> come on, removing 18 lines shouldnt take that long 06:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:49 < RadarG1> i'm on the other side of the planet from my server, it takes a bit 06:52 < reiffert> for what we surely know is we probably both are on the same planet, but I doubt you know my location. 06:54 < RadarG1> well my setup is more fun i have use a proxy just to talk in this irc room and then a remote desktop to the server 06:54 < reiffert> however, whatever you do, do it faster. 
06:54 < RadarG1> i removed the lines and connected it connected 06:56 < reiffert> paste client log 06:56 < reiffert> ping from server: 10.8.0.5/6 06:56 < reiffert> ping from client: 10.8.0.1 06:56 < RadarG1> The data area passed to a system call is too small is what I'm seeing in the client logs 06:57 < reiffert> do what you are told. 06:58 < reiffert> please 06:58 < RadarG1> server can ping 10.8.0.1 but not 10.8.0.5 or 6 06:58 < ecrist> gahhh 06:59 < reiffert> RadarG1: ping from client: 10.8.0.1 07:00 < RadarG1> timed out 07:01 < ecrist> if you're connected to the VPN, and you can't ping the VPN server's VPN address, you have a firewall issue 07:01 -!- RadarG1 [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [Remote closed the connection] 07:01 < reiffert> ok, stop trying things with route, push, redirect etc, get your VPN working first. 07:03 < reiffert> How insane is he? 07:03 < ecrist> extremely 07:04 < ecrist> I've been telling him for a week he has a firewall issue 07:04 < reiffert> did anyone ask him which openvpn version he's trying to run? 07:05 < reiffert> http://www.google.com/search?hl=en&q=Openvpn+"The+data+area+passed+to+a+system+call+is+too+small"&aq=f&oq=&aqi= 07:05 < vpnHelper> Title: Openvpn "The data area passed to a system call is too small" - Google Search (at www.google.com) 07:05 < ecrist> possibly. 07:05 < reiffert> hehe 07:05 < reiffert> Buy The Data Area Passed To A System Call Is Too Small Online ... 07:06 < ecrist> I don't see ads anymore on google 07:06 < ecrist> I 'opted out' a few days ago. ;) 07:06 < ecrist> http://www.google.com/privacy_ads.html 07:06 < vpnHelper> Title: Advertising and Privacy – Google Privacy Center (at www.google.com) 07:06 < reiffert> It's a search result among all other results. 
07:07 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 07:07 < ecrist> oh, I see it at the bottom 07:08 < reiffert> I bet he's on openvpn-2.0 07:11 < ecrist> according to the logs, he was asked many times, but has never answered the question in the channel 07:11 < ecrist> there were a couple posts of the config, but they've since expired and I can't see if he listed it there. 07:12 < reiffert> ok, let's nail that down 07:46 -!- tonik [n=tk@78-2-125-157.adsl.net.t-com.hr] has quit ["Leaving"] 08:21 -!- nospeq_ [n=nospeq@89.240.15.80] has joined ##openvpn 08:23 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:24 -!- clebig [n=clebig@77.207.137.77] has joined ##openvpn 08:24 < clebig> hello 08:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:39 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has quit [] 08:40 < ecrist> good morning 08:43 -!- brad_ [n=quassel@12.48.121.170] has quit [Read error: 104 (Connection reset by peer)] 08:48 -!- nospeq [n=nospeq@89.240.15.80] has quit [Read error: 110 (Connection timed out)] 08:48 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:00 -!- mirco [n=mirco@tmo-109-244.customers.d1-online.com] has joined ##openvpn 09:07 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 09:15 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 09:17 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 09:20 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn 09:26 -!- mirco [n=mirco@tmo-109-244.customers.d1-online.com] has quit [] 09:49 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 09:58 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)] 10:01 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 10:20 -!- unclecameron [n=unclecam@74.32.168.67] has joined 
##openvpn 10:46 -!- unclecameron [n=unclecam@74.32.168.67] has quit [Read error: 104 (Connection reset by peer)] 10:53 -!- clebig [n=clebig@77.207.137.77] has quit ["Quitte"] 10:53 -!- jeiworth [n=jeiworth@189.177.33.39] has joined ##openvpn 11:00 -!- bsod2 [n=bsod@i101244.upc-i.chello.nl] has quit [Remote closed the connection] 11:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 11:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:30 -!- tonik [n=tk@78-2-125-157.adsl.net.t-com.hr] has joined ##openvpn 11:32 < tonik> hi! what should i do.. i get this log message --> http://pastebin.com/dad41a2b 11:32 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:34 < tonik> anyone? 11:34 -!- lataffe__ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 11:34 < |Mike|> sec 11:35 < |Mike|> did you start the daemon ? 11:35 < |Mike|> does the box with the daemon on it have that IP ? 11:35 < |Mike|> !config 11:35 < vpnHelper> |Mike|: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 11:35 < |Mike|> !logs 11:35 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 11:35 < tonik> no.. sorry for asking but what is daemon 11:35 < tonik> i work on windows 11:35 < Gorkhaan> tonik: 1st: 2.0.9 is too old. use RC_19 plz 11:35 < |Mike|> you have to set up a daemon where you can connect clients to 11:36 < |Mike|> and/or servers 11:36 < tonik> can you explain me how, or paste a link where that is shown? 11:37 < tonik> 2.0.9 is too old? which is last stable version? 11:40 < |Mike|> !howto 11:40 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 11:45 < Gorkhaan> tonik: openvpn-2.1_rc19-install.exe 11:45 < Gorkhaan> http://openvpn.net/index.php/open-source/downloads.html 11:45 < vpnHelper> Title: Downloads (at openvpn.net) 11:46 < tonik> ok, now i know what is daemon, i just didn't understand the word. and yes, i started daemon.. 11:46 < tonik> ..thanks for the download link :) 11:49 -!- Nahual [n=Nahual@csi332711.dis.anl.gov] has joined ##openvpn 11:50 < tonik> so what should i do if i get this log message? http://pastebin.com/dad41a2b 11:51 < Nahual> I had a quick question regarding the easy-rsa utility. I have an existing ca.crt, ca.key, and dh2048.pem from a previous OpenVPN server, installed a new hard drive and the like. Is there a way for easy-rsa to use those? I put them in the keys directory but I get an index.txt file not found when I do a ./build-key client 11:51 < tonik> and if i now install the new version of openvpn can i keep old certificates and configuration files (server and client) 11:57 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 11:58 < Nahual> I fixed the problem, can't make the keys directory out right, need to ./clean-all previously 11:58 -!- Nahual [n=Nahual@csi332711.dis.anl.gov] has left ##openvpn [] 12:06 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 12:08 < |Mike|> index.txt ? 12:10 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 12:12 < tonik> when i want to connect i get this log message ---> http://pastebin.com/m91d177e can you tell me why? if needed i will paste server configuration.. 12:14 < Gorkhaan> tonik: Can you post your Server / Client configs too? 12:16 < tonik> just a sec.. 
12:16 < Douglas> !all 12:16 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 12:18 < tonik> this is server --> http://pastebin.com/m49b92d07 12:18 < Gorkhaan> server 192.168.10.0 255.255.255.128 12:18 < Gorkhaan> bad 12:18 < Gorkhaan> server 192.168.10.0 255.255.255.0 12:19 < Gorkhaan> server takes the first IP address 12:19 < tonik> and this is the client ---> http://pastebin.com/m79fde8c2 12:20 < Gorkhaan> in client skip this command until the connection is established: route 192.168.1.0 255.255.255.0 vpn_gateway 3 12:21 < Gorkhaan> In server: mssfix 1400 forget it 12:21 < Gorkhaan> imho. :) 12:21 < tonik> so i just comment that 12:21 < Gorkhaan> yup 12:21 < tonik> ok, ill try, thanks! 12:22 < Gorkhaan> add this to your server config: 12:22 < Gorkhaan> topology subnet 12:22 < tonik> ok 12:22 < Gorkhaan> and it should work I think 12:23 < tonik> we'll see in a moment :) 12:23 < Gorkhaan> comment out cipher BF-CBC too. Try to configure details after the Connection is established ( Initialization Sequence Completed ) 12:24 < |Mike|> !logs 12:24 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 12:24 < |Mike|> verb 6 ^ 12:25 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 12:34 -!- master_of_master [i=master_o@p549D3ACF.dip.t-dialin.net] has quit ["leaving"] 12:41 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 54 (Connection reset by peer)] 12:44 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has joined ##openvpn 12:44 < Cope> Hi... spot of advice please? 
12:44 < Cope> I've set up a vpn, and handed out keys etc, but i'm wondering about best practice re: passphrases 12:45 < tonik> i did everything you say and my server connects, but client waits and waits and doesn't connect 12:45 < Cope> if someone were to lose their laptop with the vpn client there, without passwd protection, that's quite a security risk 12:45 < Cope> sure i could revoke the certs as soon as someone told me they'd lost their machine 12:46 < Cope> so I tried creating a key with a passphrase, but Tunnelblick at least didn't ask for the phrase when connecting 12:46 < Cope> so - what's approach to folk use, and how can I enforce passphrases if I decide that's the right approach? 12:46 -!- master_of_master [i=master_o@p549D3ACF.dip.t-dialin.net] has joined ##openvpn 12:47 < Gorkhaan> tonik: logs? 12:47 < tonik> sec... 12:49 < tonik> nothing.. just this, and waiting... http://pastebin.com/m4b7e2848 12:52 < Gorkhaan> ping works? 12:53 < tonik> ping to what? 12:54 < Gorkhaan> client pinging server 12:54 < Gorkhaan> firewall is okay? 12:54 < Gorkhaan> etc 12:54 < tonik> how can it work if client is not connected 12:54 < tonik> i closed firewall for testing 12:55 < tonik> so it isn't that 12:55 < |Mike|> Cope: get usb sticks encrypted with the keys on it ;) 12:55 < |Mike|> tonik: did you hit "connect" ? 12:55 < tonik> hahaha 12:56 < tonik> :))) 12:56 * |Mike| slaps tonik with a clue hammerrrrrrrrrrr 12:56 < tonik> of course i did.. several times 12:56 < tonik> and reconnect too 12:56 < tonik> :D 12:57 < |Mike|> set your verb to 6 on the client 12:57 < |Mike|> add 'verb 6' in your config.ovpn 12:57 < |Mike|> or client.ovpn or whatever you named it 12:58 < tonik> ok 12:58 < tonik> i did that 12:58 < |Mike|> then reconnect 12:58 < tonik> yes, i did that too 12:58 < |Mike|> select the stuff and copy it to pastebin... 13:00 < tonik> just to correct myself.. before i wanted to say how can it ping, not how can it work! 
:) 13:00 < tonik> here it is ---> http://pastebin.com/m49a89ade 13:02 < |Mike|> don't forget to enable tls aswell 13:03 < |Mike|> n/m you did that already 13:03 < |Mike|> heh 13:04 < |Mike|> you need the tls cert on your side aswell 13:04 < tonik> how do you mean on my side? 13:04 < tonik> on server and on client? 13:05 < |Mike|> yes 13:05 < |Mike|> otherwise they can't do the handshake 13:06 < tonik> how can i do that? 13:06 < |Mike|> did you generate them already? 13:06 < |Mike|> !tls 13:06 < vpnHelper> |Mike|: Error: "tls" is not a valid command. 13:06 < |Mike|> !tls-auth 13:06 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 13:06 < |Mike|> there you go 13:06 < |Mike|> !secure 13:06 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 13:06 < tonik> in which directory should it be? 13:07 < Cope> |Mike|: that'd be a good way to distribute keys, yeah 13:07 < Cope> what about password protecting them? 13:09 < |Mike|> if they are already on a encrypted usb, why passwd protect them? 13:14 < Cope> |Mike|: I want to protect against loss of the usb and laptop 13:15 < tonik> how do i generate tls in windows? 13:16 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has joined ##openvpn 13:20 < jeiworth> hi all, say, i am looking for the windows gui that was patched for use with vista (i think tap device id 0901 instead of 0801?) anyone know where to find it? 13:20 < Gorkhaan> 2.1_rc19 13:20 < Gorkhaan> it works on Win7 too 13:21 < jeiworth> Gorkhaan: no, thats openvpn server, i need the gui for vista users to connect to the openvpn server ;) 13:21 < Gorkhaan> mate. I used it. 
:D 13:21 < |Mike|> tonik: search in the howto, i'm not a windows user... 13:21 < |Mike|> openvpn.se 13:21 < |Mike|> dev version 13:21 < jeiworth> http://openvpn.se/ 13:22 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 13:22 < Gorkhaan> http://openvpn.net/release/openvpn-2.1_rc19-install.exe 13:22 < Gorkhaan> It's included, 13:22 < tonik> thanks for links.. 13:22 < jeiworth> yes, but that version (including devel) has the wrong tap device id, i remember i found a patched version around half a year ago but i've lost the file and the link :-/ 13:23 < Gorkhaan> Well I dont know then. I have approximately 50 users with: XP, Vista, Win7 and rc19 works like charm 13:23 < tonik> bye for now, thanks! 13:24 -!- tonik [n=tk@78-2-125-157.adsl.net.t-com.hr] has quit ["Leaving"] 13:25 < jeiworth> hmm it gives me errors installing the tap device, did you add it manually or have the installer do it? 13:26 < Gorkhaan> Installer 13:26 < Gorkhaan> it's good if you first remove it 13:27 < Gorkhaan> then trying to install the new one 13:27 < jeiworth> OpenVPN GUI is now packaged in the Windows installer. 13:27 < jeiworth> *duuuh* 13:28 < jeiworth> so i'll just use 2.1rc19 installer and see what happens ;) 13:28 < Gorkhaan> yup :P 13:29 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 13:30 < jeiworth> lol yes, _now_ i remember ^^ well thanks! 13:33 -!- aweeks [n=aweeks@osuosl/staff/aweeks] has joined ##openvpn 13:33 < Gorkhaan> lol. np. :D 13:34 < aweeks> !routh 13:34 < vpnHelper> aweeks: Error: "routh" is not a valid command. 
13:34 < aweeks> !route 13:34 < vpnHelper> aweeks: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:41 -!- Cope [n=stephen@87-194-125-249.bethere.co.uk] has quit [Read error: 110 (Connection timed out)] 13:41 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 14:27 < jeiworth> man vista sucks ass, pardon my french 14:33 < Gorkhaan> what's wrong? :D 14:37 < jeiworth> i'm in mexico so the vista is localized, however it wouldn't accept the path to the cert- and key-files because c:\usuarios is just a link to c:\users :P 14:38 < jeiworth> and apparently this link is not followed in openvpn? anyway, now it works 14:41 < garnser> Gorkhaan: have you tried OpenVPN 2.1rc19 on Win 7 RTM? 14:42 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn 14:42 < Gorkhaan> not with RTM, but what's wrong? 14:43 < Gorkhaan> u need to run OpenVPN Gui with Administrator privileges, because otherwise Routes wont work 14:47 < garnser> Gorkhaan: yeah I know I was playing with it on RC1, it seems like M$ has done changes with the IPAPI since RC1 -> RTM making OpenVPN unable to add routes properly 14:48 < garnser> I talked with Francis about it, they said they would have a fix by the next release but I was curious whether someone did their own hack to fix it 14:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection] 15:07 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 15:11 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 15:13 -!- c64zottel [n=hans@p5B17ABC2.dip0.t-ipconnect.de] has joined ##openvpn 15:14 -!- c64zottel [n=hans@p5B17ABC2.dip0.t-ipconnect.de] has left ##openvpn [] 15:16 < nospeq_> is there any plan to port openvpn to symbian? 
15:21 < reiffert> better as the devel mailinglist 15:22 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has left ##openvpn [] 15:29 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 110 (Connection timed out)] 15:29 -!- [1]anwoke is now known as anwoke 15:31 -!- nospeq__ [n=nospeq@89.240.15.80] has joined ##openvpn 15:32 -!- mirco_ [n=mirco@tmo-109-244.customers.d1-online.com] has joined ##openvpn 15:36 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 15:36 < plaerzen> I used to write "Do not read this" and put it face up in the garbage. 15:37 -!- Grapsus [n=Alexis@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 15:40 -!- [1]anwoke [n=A@65.100.249.52] has joined ##openvpn 15:43 < reiffert> :) 15:43 -!- [2]anwoke [n=A@65.100.249.52] has joined ##openvpn 15:47 -!- nospeq_ [n=nospeq@89.240.15.80] has quit [Read error: 110 (Connection timed out)] 15:48 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 15:49 -!- [2]anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 15:49 -!- [1]anwoke [n=A@65.100.249.52] has quit [Read error: 60 (Operation timed out)] 15:54 -!- mirco_ [n=mirco@tmo-109-244.customers.d1-online.com] has quit [Read error: 54 (Connection reset by peer)] 15:55 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has joined ##openvpn 15:57 < redfox> !nat 15:57 < vpnHelper> redfox: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 15:57 < redfox> !linnat 15:57 < vpnHelper> redfox: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, 
you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 15:58 -!- anwoke [n=A@65.100.249.52] has quit [Connection timed out] 16:02 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 16:03 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 16:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:15 < reiffert> ouch 16:15 < reiffert> http://www.milw0rm.com/exploits/9209 16:15 < vpnHelper> Title: DD-WRT (httpd service) Remote Command Execution Vulnerability (at www.milw0rm.com) 16:15 -!- mirco_ [n=mirco@tmo-109-244.customers.d1-online.com] has joined ##openvpn 16:15 -!- mirco_ [n=mirco@tmo-109-244.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)] 16:16 -!- mirco_ [n=mirco@p54B26BE6.dip.t-dialin.net] has joined ##openvpn 16:16 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)] 16:16 -!- mirco [n=mirco@p54B26BE6.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 16:16 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn 16:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:42 < plaerzen> reiffert, yeah I saw that a while back on regsec. Crazy, eh? 
16:42 < plaerzen> There is a fix out now though I believe 16:51 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 113 (No route to host)] 16:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:21 -!- Snadder [i=sander@084202250202.customer.alfanett.no] has joined ##openvpn 17:21 -!- jeiworth_ [n=jeiworth@189.234.3.95] has joined ##openvpn 17:21 -!- jeiworth [n=jeiworth@189.177.33.39] has quit [Read error: 104 (Connection reset by peer)] 17:26 -!- Grapsus [n=Alexis@che21-2-82-245-89-120.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 17:26 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)] 17:29 -!- aweeks [n=aweeks@osuosl/staff/aweeks] has left ##openvpn [] 17:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:39 -!- f [n=pegg@pool-74-104-38-127.bstnma.east.verizon.net] has joined ##openvpn 17:39 < f> can someone point me to instructions on setting up public ip on openvpn 17:41 < reiffert> !factoids search forward 17:41 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward' 17:41 < reiffert> !factoids search howt 17:41 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:42 < reiffert> !factoids search rout 17:42 < vpnHelper> reiffert: 'winroute', 'iroute', 'router', and 'route' 17:43 < krzee> !redirect 17:43 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:46 < f> so any suggestions on how to properly route public ip's traffic, I know how to set regular private ip's up and set up nat, but I am getting a little stuck with public ip's 17:47 < Gorkhaan> !redirect 17:47 < vpnHelper> Gorkhaan: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 17:49 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 17:52 < f> Gorkhaan: that would be marginally helpful if I had not already set my redirections, ip forwarding and NAT already 17:52 < f> Gorkhaan: it works just fine for private ip ranges, but now I want to set it up to use some public IP's 17:53 < Gorkhaan> I dont understand what you would like to do. Public IP? 17:54 -!- bakermd [n=bakermd@38.101.225.215] has quit ["Peace out!"] 17:55 < Gorkhaan> You can Bridge your TUN/TAP interface with ETH interface, if you wanna see "public IP" on the client side 17:55 < Gorkhaan> But I still dont have a clue what's the problem sry. :) 18:16 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 18:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:32 -!- jeiworth_ [n=jeiworth@189.234.3.95] has quit [Read error: 60 (Operation timed out)] 18:35 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)] 19:24 -!- f [n=pegg@pool-74-104-38-127.bstnma.east.verizon.net] has quit ["This computer has gone to sleep"] 20:05 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 20:11 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 20:15 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 20:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 20:16 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 20:37 -!- sye [n=chatzill@72.168.232.65] has joined ##openvpn 20:37 < sye> a 20:38 -!- sye [n=chatzill@72.168.232.65] has left ##openvpn [] 20:39 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has joined ##openvpn 20:39 -!- Gorkhaan [n=Gorkhaan@89.186.101.16] has quit [Remote closed the connection] 20:50 -!- mirco_ [n=mirco@p54B26BE6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:05 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has quit [] 21:09 -!- master_of_master [i=master_o@p549D3ACF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- nospeq__ [n=nospeq@89.240.15.80] has quit ["Sto andando via"] 21:57 -!- dimedo [n=dimedo@mail.raktefakt.net] has left ##openvpn ["Leaving"] 22:02 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn 22:11 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 22:27 < ecrist> have a good night, kids 22:27 < Douglas> cya ecrist 22:37 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection] --- Day changed Fri Aug 14 2009 00:20 -!- 
roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 00:38 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 01:04 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)] 01:27 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn 01:28 -!- Snadder [i=sander@084202250202.customer.alfanett.no] has quit [Read error: 60 (Operation timed out)] 01:45 -!- davalex [i=davalex@207.192.70.56] has joined ##openvpn 01:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:46 < davalex> !route 01:46 < vpnHelper> davalex: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 01:46 < davalex> !/30 01:46 < vpnHelper> davalex: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 01:48 < davalex> !iporder 01:48 < vpnHelper> davalex: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 01:50 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 01:51 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 02:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:36 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 03:06 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn 03:07 < RadarG> reiffert sorry about yesterday 03:07 < RadarG> I had to take care of a big problem 03:10 < reiffert> do it faster 03:11 < 
reiffert> RadarG: what version of openvpn are you using? 03:12 < RadarG> 1.0.3 of the gui 03:13 < reiffert> RadarG: what version of openvpn are you using? 03:13 < RadarG> 2.0.9 03:13 < reiffert> update to 2.1_rc19 03:14 < reiffert> 2.0.9 is 3 years old and doesnt work well on windows. 03:14 < RadarG> brb 03:14 < reiffert> afk 03:14 < reiffert> ecrist: I won the bet 03:16 < RadarG> nice to see that you guys were thinking of me 03:16 < RadarG> afk 03:22 -!- master_of_master [i=master_o@p549D3C1B.dip.t-dialin.net] has joined ##openvpn 03:33 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 104 (Connection reset by peer)] 03:34 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 03:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 03:50 -!- c64zottel [n=hans@p5B17AEAC.dip0.t-ipconnect.de] has joined ##openvpn 03:50 -!- c64zottel [n=hans@p5B17AEAC.dip0.t-ipconnect.de] has left ##openvpn [] 03:59 < RadarG> reiffert server config http://pastebin.com/d621fdea0 was there a few lines that you wanted me to take out? 04:03 < davalex> Hi! I'm trying to revoke access to openvpn by using the revoke-full script. It's trying to find a file called crl.pem, that i can't find. Can this file be called some thing else? 
04:07 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [] 04:09 < davalex> 7260:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282 04:09 < davalex> cat: crl.pem: No such file or directory 04:09 < davalex> These are the errors I get 04:10 < davalex> ah 04:10 < davalex> fixed it 04:10 < davalex> http://ubuntuforums.org/showthread.php?t=757795 04:10 < vpnHelper> Title: openvpn: error revoking certificate - Ubuntu Forums (at ubuntuforums.org) 04:21 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 04:23 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has left ##openvpn ["Leaving"] 04:33 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 04:43 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 104 (Connection reset by peer)] 04:43 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has joined ##openvpn 04:44 -!- zheng [n=zheng@210.73.203.83] has joined ##openvpn 05:05 -!- zheng_ [n=zheng@210.73.203.83] has joined ##openvpn 05:05 -!- zheng__ [n=zheng@210.73.203.83] has joined ##openvpn 05:18 -!- zheng [n=zheng@210.73.203.83] has quit [Read error: 110 (Connection timed out)] 05:20 -!- stephenh_ [i=stephenh@69.30.200.88] has quit [Remote closed the connection] 05:20 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 05:22 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 05:25 -!- zheng_ [n=zheng@210.73.203.83] has quit ["Leaving"] 05:27 -!- zheng__ [n=zheng@210.73.203.83] has quit ["Leaving"] 05:28 -!- thomas [i=tm@tm.muc.de] has quit [Read error: 104 (Connection reset by peer)] 05:30 < |Mike|> morning. 05:31 < |Mike|> davalex: http://openvpn.net/archive/openvpn-users/2006-02/msg00107.html 05:31 < vpnHelper> Title: [Openvpn-users] Question on crl.pem file (at openvpn.net) 05:33 < mirco> could one of you tell me how to integrate "Subject Alternative Name" in an easy-rsa generated cert?
05:40 < |Mike|> or just fix a relay server for mail :p 05:40 < |Mike|> relay/backup 05:41 < |Mike|> failover should be the right word :) 05:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:10 -!- tonik [n=tk@93-137-41-179.adsl.net.t-com.hr] has joined ##openvpn 06:11 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)] 06:11 < tonik> how do i generate tls key in windows? Does it generate itself when i generate other keys for server/clients or does it have to be generated separately?! 06:13 -!- Grapsus [n=grapsus@anon-31-149.ipredate.net] has joined ##openvpn 06:23 < tonik> how do i generate tls key in windows? Does it generate itself when i generate other keys for server/clients or does it have to be generated separately?! 06:24 < mirco> tonik: It won't help to get your question answered if you do a double post... ;-) 06:25 < tonik> ok, then imagine that i erased one of them :) 06:26 < mirco> tonik: btw this reads more like a windows question, as long as you don't use easy-rsa ... :-) 06:29 < tonik> but it's an openVPN question :) So can you help me? 06:34 < |Mike|> tonik: 06:34 < |Mike|> !howto 06:34 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:35 < tonik> i didn't find that there and that's why i asked a question here 06:35 < mirco> |Mike|: as I would have said: RTFM and tonik: how are you creating those certs? 06:36 < |Mike|> tonik: your IE browser has a ctrl f in it 06:36 < tonik> haha 06:36 < |Mike|> If you are using Windows, open up a Command Prompt window and cd to \Program Files\OpenVPN\easy-rsa. Run the following batch file to copy configuration files into place (this will overwrite any preexisting vars.bat and openssl.cnf files): 06:36 < |Mike|> init-config 06:36 < |Mike|> Now edit the vars file (called vars.bat on Windows) and set the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters.
Don't leave any of these parameters blank. 06:36 < |Mike|> ~20 second search. 06:36 < tonik> yes, i did that 06:36 < |Mike|> On Windows: 06:36 < |Mike|> varsclean-allbuild-ca 06:36 < |Mike|> vars 06:36 < |Mike|> clean-all 06:36 < |Mike|> build-ca 06:37 < tonik> i did all that but where is my tls file then? 06:37 < |Mike|> tls != cert 06:38 < |Mike|> Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key: 06:38 < |Mike|> openvpn --genkey --secret ta.key 06:38 < |Mike|> !tls-auth 06:38 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 06:38 < |Mike|> !secure 06:38 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 06:38 < |Mike|> there ya go. 06:38 < |Mike|> note: 06:38 < |Mike|> # If a tls-auth key is used on the server then every client must also have the key. 06:39 < |Mike|> anyway, rtfm please. 06:44 < tonik> thank you very much! 06:44 < tonik> :) 06:44 < reiffert> tls auth sucks. cert++ 06:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:14 < |Mike|> :p 07:16 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 07:39 -!- [1]gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has joined ##openvpn 07:39 < ecrist> good morning.
07:41 -!- tonik [n=tk@93-137-41-179.adsl.net.t-com.hr] has quit [Read error: 110 (Connection timed out)] 07:45 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 07:45 -!- [1]gravyface is now known as gravyface 07:52 < |Mike|> why's udp 'more' secure than tcp ecrist ? :) 07:52 < |Mike|> HAR2009 LIVE: http://www.rehash.nl/ 07:52 < ecrist> who said UDP is more secure than TCP? 07:52 < |Mike|> http://ds9a.nl/har-presentation-bert-hubert-3.pdf 07:52 < |Mike|> ecrist: i've red it somewhere on the openvpn site 07:52 < ecrist> !tcp 07:52 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:53 < ecrist> not a security issue, afaik, it's a stability/performance issue 07:53 < |Mike|> ah yes, that's what i could have red 07:56 < Douglas> theres a big kernel exploit 07:56 < |Mike|> pretty good speakin from Bert 07:56 < Douglas> for all you linux users 07:56 < Douglas> http://www.securityfocus.com/bid/36038/exploit 07:56 < vpnHelper> Title: Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability (at www.securityfocus.com) 07:56 < |Mike|> old stuff 07:57 -!- Grapsus [n=grapsus@anon-31-149.ipredate.net] has quit [Connection timed out] 07:58 -!- Grapsus [n=grapsus@anon-31-149.ipredate.net] has joined ##openvpn 07:58 -!- Irssi: ##openvpn: Total of 67 nicks [0 ops, 0 halfops, 0 voices, 67 normal] 08:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:03 < davalex> is there any way to list all client certificates? Or all certificates signed by our ca? 08:04 -!- tonik [n=tk@93-137-41-179.adsl.net.t-com.hr] has joined ##openvpn 08:04 < ecrist> cat indext.txt 08:05 < davalex> thanks! 
08:06 < ecrist> cat index.txt 08:06 < ecrist> no 't' on the end of index 08:08 -!- watwat [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has joined ##openvpn 08:08 < davalex> Just a (dumb) question: We are using easy_rsa to generate client certificates, these certificates are stored in easy_rsa/2.0/keys. Do we have to copy any of these files in to the openvpn/ssl folder? 08:08 < davalex> I guess openvpn does not read these files 08:08 < ecrist> no 08:09 < ecrist> OpenVPN does not care about client certificate files 08:09 < davalex> Ok 08:09 < davalex> So all I need is to check the index.txt in the easy_rsa/keys folder 08:09 < davalex> Thanks, ecrist 08:10 < watwat> I'm having a lot of trouble getting my vpn setup working between two fedora computers. im sure there's nothing wrong with the certificates or iptables, because i've used this exact setup before. it just hasn't been working since the client moved to another country. the server keeps getting these P_CONTROL_HARD_RESET_SERVER_V2 and the client gets P_CONTROL_HARD_RESET_CLIENT_V2 08:10 < Douglas> !all 08:10 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 08:11 < watwat> one moment Douglas 08:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:12 < Douglas> krzee ! 08:13 < krzee> dougy ! 08:14 < Douglas> sup 08:14 < watwat> Douglas, http://pastebin.ca/1529426 08:14 < davalex> how can i update index.txt manually? 08:14 < ecrist> with a text editor 08:15 < davalex> But openssl writes to this file? 08:15 < ecrist> yep 08:15 < davalex> so it must be possible to use openssl to update this file? 08:15 < ecrist> yes 08:15 < davalex> Do you know how? 08:16 < ecrist> you haven't told me exactly what you want to do 08:17 < davalex> I have revoked a few certificates, there were some duplicates.
I want to remove the duplicates from the index.txt as well 08:17 < ecrist> don't remove them from index.txt, no reason to do so 08:18 < ecrist> make sure they've been added to your CRL 08:18 < davalex> how do I do that? 08:18 < davalex> list-crl? 08:19 < ecrist> sure 08:19 < ecrist> I don't use easy-rsa, so couldn't help you with specifics 08:19 < watwat> Douglas, anything look out of order? 08:20 -!- ggeller [n=ggeller@dsl017-112-098.lax1.dsl.speakeasy.net] has joined ##openvpn 08:20 < davalex> I actually have two certificates with the same CN. How can i remove those? 08:20 < Douglas> watwat: not from first glance 08:20 < redfox> hi, can someone explain this error msg to me: Fri Aug 14 15:15:44 2009 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options 08:20 < watwat> Douglas, yes it doesnt make sense to me either. I'm really starting to get angry at it 08:21 < krzee> redfox, 08:21 < krzee> !configs 08:21 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:22 < Douglas> krzee: Douglas, http://pastebin.ca/1529426 08:22 < ecrist> davalex: just revoke them with the revoke-full command. 08:23 < krzee> Douglas, i was talking to redfox 08:23 < redfox> krzee: ok, added route-gateway, now the error disappears, but my whole vpn setup is still not working 08:23 < redfox> wait.. 08:23 < Douglas> krzee: i am aware 08:23 < Douglas> but it was another issue 08:24 < Douglas> that i donno 08:24 < ggeller> Say I'm logged onto my openvpn server, a Centos box. Is there a way to see which and how many clients are connected (other than looking in /var/log/messages)?
08:24 < krzee> Douglas, no server command 08:24 < redfox> krzee: http://pastebin.org/9015 08:25 < krzee> hes not trying to give an ip to the server or the client 08:25 < krzee> redfox, 08:25 < krzee> !tcp 08:25 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 08:25 < davalex> ecrist: I have to use CN, it does seem like I'm able to use the "id", like 01 02 03 etc... 08:26 < krzee> push "route-gateway 10.0.0.0 10.1.2.1" ????? 08:26 < redfox> krzee: i know, it is necessary because im ssh-forwarding this port 08:26 < krzee> ahh 08:26 < ggeller> A lot of places block outgoing connections on everything except port 80 and 443. 08:27 < krzee> ggeller, they usually allow udp 53 too 08:27 < krzee> unless they block it and force you to use internal dns... but a lot leave it open 08:27 < krzee> ggeller, clients connected = management interface, see manual 08:28 < redfox> krzee: basically i have 2 openvpn tunnels on my server, one is a connected client in network 10.1.x.x/16 and one (this one) is the server for subnet 10.1.2.x/24, i wanna connect these two networks 08:28 < ggeller> see what I wrote at http://wsms.wikiplanet.com/mediawiki/index.php/Openvpn#sites 08:28 < vpnHelper> Title: Openvpn - Wsms (at wsms.wikiplanet.com) 08:28 < redfox> krzee: i also need to access the whole 10.x / 8 network 08:29 < krzee> werd 08:29 < ggeller> krzee: Thanks 08:29 < krzee> im in amsterdam, thats too in depth for me right now 08:29 < krzee> in fact, im going back to idle 08:30 < redfox> lol, ok 08:30 < redfox> understood :) 08:30 < krzee> =] 08:30 < ggeller> redfox: I'm not sure, but I think I saw something about what you want to do in the manual. 08:31 < ggeller> I'll let you know if my memory improves.
08:31 < krzee> i would assume as long as everyone is getting the right routes it should just work 08:31 < redfox> ggeller: thanks :) 08:31 < krzee> unless you need iroutes, no idea if the internal stuff will work right or not 08:31 < krzee> !iroute 08:31 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 08:32 < redfox> the kernel adds the route for himself 08:32 < krzee> openvpn adds them to the kernel 08:32 < krzee> the kernel surely doesnt add it itself 08:33 < krzee> but openvpn has internal routing stuff too for the situation mentioned above by my bot 08:33 < redfox> of course, the kernel adds routes for every new interface 08:33 < redfox> yes i know 08:33 < redfox> thats weird stuff :( 08:33 < krzee> ok 08:33 < ggeller> Man, my neighbor has a loud car alarm! 08:34 < redfox> now trying another net (192.x) for the second tunnel 08:34 < redfox> maybe there are conflicts... 08:39 < redfox> ok, i forgot to mention that the local network is also a 10.x network :D man, thats confusing :/ 08:44 -!- watwat [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has quit ["Leaving"] 08:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:46 < krzee> 2 10/8 networks? 08:46 < |Mike|> lol 08:46 < Douglas> i want a /7 08:46 < Douglas> :( 08:47 < redfox> the local net (university) has a 10/8 network, the one vpn tunnel is 10/16, the second should be 10/24 (or /16) 08:47 < redfox> Fri Aug 14 15:44:52 2009 Warning: route gateway is not reachable on any active network adapters: 10.0.0.0 08:47 < redfox> meh 08:48 < redfox> i hate those vpn setups -.- 08:48 < krzee> netstat -rn 08:49 < redfox> client/server? 
08:50 < krzee> whoever said: [15:47] Fri Aug 14 15:44:52 2009 Warning: route gateway is not reachable on any active network adapters: 10.0.0.0 08:50 < redfox> k 08:51 < redfox> pastebin down? 08:51 < redfox> never mind 08:52 < redfox> oh ok, my "route-gateway" setting was incorrect 08:52 < redfox> that fixed it 09:03 < tonik> can someone please check my client configuration file, i can't find the problem. Client can't connect!? http://pastebin.com/m18c504df 09:03 < krzee> tonik, 09:03 < krzee> !logs 09:03 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:04 < Bushmills> *why* can't you connect? 09:04 -!- sander__ [i=sander@084202250202.customer.alfanett.no] has joined ##openvpn 09:04 < tonik> this is log, but client just stands like that and nothing happens.. http://pastebin.com/m43576a8d 09:04 < krzee> !logs 09:04 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:04 < krzee> S 09:05 < tonik> http://pastebin.com/m43576a8d 09:05 < tonik> <--- this is log 09:05 < krzee> really, doesnt look like verb 6 09:05 < tonik> just a sec 09:06 < tonik> sorry 09:06 < krzee> your problem is prolly that you read docs like you read my bot telling you how to get help 09:06 < redfox> krzie: is it normal that openvpn adds only one route for his own ip on the client pc? 
09:06 < krzee> yess unless you push the route 09:06 < Bushmills> or !redirect 09:07 < krzee> for the whole block 09:07 < tonik> http://pastebin.com/m6b8f9add <--- now it's verb 6 09:07 < redfox> krzee: im pushing the route 09:07 < krzee> oh ya, or that 09:07 < krzee> tonik, firewall issue most likely, i havnt seen other log yet tho 09:08 < tonik> no way, i turned off firewall to see if it will work and still nothing 09:08 < krzee> remember you just added a whole new network on a whole new interface, firewalls must know 09:08 < krzee> both sides 09:08 < tonik> yes, both sides 09:08 < krzee> you still havnt !logs 09:08 < tonik> http://pastebin.com/m6b8f9add 09:09 < krzee> no... 09:09 < krzee> BOTH SIDES 09:09 < tonik> but server connects 09:09 < tonik> just a sec.. ill paste server too 09:09 < krzee> nevermind, im outta here, gl 09:09 < tonik> bye 09:12 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)] 09:17 < redfox> krzee: still there? 09:18 < reiffert> anyone remember RadarG? 09:19 < reiffert> he was using 2.0.9 09:19 < reiffert> so inducing the windows problems 09:19 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 09:20 < newmember> Can I add a push "redirect-gateway" to specific users only with openvpn? 09:20 < newmember> Or does it have to be at the server level? 09:20 < Douglas> server level iirc 09:21 < newmember> which then means that everyone has to take it 09:23 < tonik> hi, can you just tell me what files should i have in keys directory on clients side? 09:23 < redfox> !route 09:23 < tonik> ..what fileS..
09:23 < vpnHelper> redfox: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:23 < krzee> you can push it to certain users with ccd entries, or not push at all and put it in client configs 09:23 < krzee> !ccd 09:23 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 09:25 < Bushmills> reiffert: *remembers*? better ask who *doesn't* :D 09:26 < krzee> i believe he is on !ircstats 09:26 < krzee> !ircstats 09:26 < vpnHelper> krzee: Error: "ircstats" is not a valid command. 09:26 < krzee> !irclogs 09:26 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 09:26 < krzee> 23'rd most lines 09:27 < krzee> in over a yr of stats 09:29 < Bushmills> just 550 lines? it felt more than that. 09:30 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has quit [] 09:35 < redfox> !push 09:35 < vpnHelper> redfox: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries 09:35 < newmember> Can I put push "redirect-gateway" in a ccd file?All examples I have seen show this in a server conf file. 
As well I just tried it and it's not working 09:35 < newmember> lol, I just saw what redfox just asked helper 09:36 < Douglas> holy crap krzee lol 09:36 < Douglas> well, im up there 09:36 < redfox> lol 09:37 < Douglas> #3 bitches 09:37 < Douglas> lol 09:38 < redfox> !tcp 09:38 < vpnHelper> redfox: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 09:38 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 09:38 < Douglas> hey thedoc 09:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 09:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:48 -!- jeiworth [n=jeiworth@189.234.3.95] has joined ##openvpn 09:56 -!- tonik [n=tk@93-137-41-179.adsl.net.t-com.hr] has quit ["Leaving"] 09:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:01 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)] 10:09 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 10:27 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn 10:30 -!- Kobaz [n=kobaz@its.kobaz.net] has joined ##openvpn 10:30 < Kobaz> how do i make more than one openvpn connection in windows... it fails to bring up another tun/tap device 10:38 -!- Ynot [n=Y@sd-4720.dedibox.fr] has quit ["leaving"] 10:47 < |Mike|> no idea, i'm not a win guru 10:48 < ecrist> ditto 10:52 < krzee> same =/ 11:01 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:08 -!- ggeller [n=ggeller@dsl017-112-098.lax1.dsl.speakeasy.net] has quit ["Leaving"] 11:09 < Douglas> 15% off all hard drives on newegg.. coupon code HDDSALE15..
11:12 < Douglas> wow htats fail 11:12 < Douglas> thats 11:12 < Douglas> max $10 total 11:13 < krzee> well man 11:14 < krzee> well man a 1.5tb drive is 130 11:16 < krzee> so you can never get all 15% 11:16 < krzee> it would need to be 150+ 11:17 < krzee> big fail 11:17 < krzee> i guess a SSD is over 150 11:18 < krzee> or the 10K drives 11:18 < Douglas> krzie - you can only get $10 off total 11:18 < Douglas> so if you get 100 drives, still only $10 off 11:18 < krzee> right 11:18 < Douglas> krzee: http://www.newegg.com/Special/ShellShocker.aspx 11:18 < vpnHelper> Title: Newegg.com - Computer Parts, PC Components, Laptop Computers, Digital Cameras and more! (at www.newegg.com) 11:18 < krzee> weaksauce 11:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 11:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 11:50 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn 11:52 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"] 11:54 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 11:58 < ecrist> I have a site people desperately want me to build, but I don't have the time or motivation to do so. 12:04 -!- tj83_ [n=tj@unaffiliated/tj83] has joined ##openvpn 12:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:06 < tj83_> hey guys i know this is not an openvpn question but i am stumped ... I am using pptpd with bcrelay on ubuntu 8.04 server. the VPN works beautifully with local resources, http traffic is pass through to the internet through the server, connections are made and it does in fact work, buts its too painfully slow... a lot of time outs in the web browser, but i am able to transfer files on local file shares with decent speeds 100-300k/sec any thoughts? 12:08 < krzee> is the tunnel udp or tcp? 
12:08 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has joined ##openvpn
12:09 < tj83_> krzee, its pretty much default... i believe its only tcp as its an encrypted tunnel would this not require error checking? but regardless i have tcp/udp forwarding set in the router
12:09 < krzee> !tcp
12:09 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:10 < tj83_> hmm, i'll take a look
12:10 < tj83_> krzee, note that i have done this before with much better results
12:10 < krzee> ya its tcp by default according to http://www.chebucto.ns.ca/~rakerman/port-table.html
12:10 < vpnHelper> Title: TCP/IP Ports (at www.chebucto.ns.ca)
12:10 < krzee> read that link i gave from !tcp before commenting on it
12:11 < tj83_> krzee, i shall TY
12:11 < krzee> yw
12:17 < tj83_> krzee, "an internal meltdown effect." lol, sounds like it.... strange tho... i used this for about a year with no issue. and... also that local resources which are on the same TCP layer as the http traffic i am generating works fine.
12:17 < tj83_> none the less i will look into UDP for pptpd
12:17 < krzee> *shrug*
12:18 < krzee> ild ditch pptp, but i guess that obvious since im here and all
12:18 -!- tjoffet [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn
12:18 < tj83_> :P
12:18 -!- jeiworth [n=jeiworth@189.234.3.95] has quit [Read error: 104 (Connection reset by peer)]
12:19 -!- jeiworth [n=jeiworth@189.234.3.95] has joined ##openvpn
12:20 < |Mike|> unf unf baby ! :d
12:24 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
12:24 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:25 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:27 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has quit [Connection timed out]
12:27 -!- tjoffet is now known as tjoff
12:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
12:46 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has left ##openvpn ["Leaving"]
12:59 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:21 -!- nohop [n=nohup@pool-173-71-215-129.clppva.fios.verizon.net] has joined ##openvpn
13:22 < nohop> good afternoon all :)
13:22 < gravyface> hello all
13:23 < nohop> i have a problem with a openvpn client not reaching hosts behind the vpn server... i have ip forwarding enabled, and set NAT exactly the same way i use nat for machines 'outside'... with tcpdump i keep getting: 20:52:33.477447 IP 10.8.0.1 > 10.8.0.6: ICMP host 192.168.10.30 unreachable, length 92
13:23 < nohop> i can't seem to figure it out :)
13:25 < gravyface> I'm wondering if the following topology/architecture is possible (http://www.gliffy.com/pubdoc/1791410/L.jpg) -- site-to-site configuration, both OpenVPN client and OpenVPN server behind a NAT'ed firewall.
13:26 < gravyface> google-fu is failing me atm.
13:26 < BasketCase> gravyface: the NAT needs to port forward the connection to the right internal IP
13:28 < BasketCase> gravyface: then of course you would connect to the external IP not the internal one
13:28 < gravyface> yes, I can establish the tunnel, but I'd like to setup routing (static routes?) on the Ubuntu box so that from 66.100, I can connect to the other side through the tunnel.
13:29 < krzee> nohop, see
13:29 < krzee> !route
13:29 < BasketCase> you just need to push the route via the openvpn config
13:29 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:29 < gravyface> obviously this would be immensely easier if I had a home router capable of acting as a client, but I don't.
13:29 < krzee> gravyface, only advantage to that is you wouldnt need to add a route to the router
13:29 < Douglas> krzee arent you on vaca
13:30 < nohop> krzee: i'll try that, thanks :)
13:30 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
13:30 < krzee> aye, but im at someones house where 3 of us are very into computers
13:30 < krzee> smoking many joints and whatnot
13:30 < Douglas> ah
13:30 < Douglas> rofl
13:30 < krzee> all 3 on our macbook pros
13:31 < gravyface> so in my 66.1 home router, I put in a static route for 192.168.222.0's gateway as 192.168.66.2 so that way I figured I wouldn't have to setup local static routes on my XP machine, but I'm not sure what to do to setup Ubuntu to properly route packets received with a destination of 192.168.222.0/24 over the openvpn interface.
13:32 < krzee> gravyface,
13:32 < krzee> !route
13:32 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:32 < gravyface> I was farting around with iptables... but meh.
13:33 < gravyface> the op should write a cronjob that prints !route to this channel every 5 minutes; seems like the magic wiki article (tm) in here :)
13:33 < BasketCase> iptables is pretty meh IMHO :P
13:33 < krzee> gravyface, huh??
13:33 < krzee> [20:33] the op should write a cronjob that prints !route to this channel every 5 minutes; seems like the magic wiki article (tm) in here :)
13:33 < krzee> ???
13:34 < krzee> ohhh
13:34 < krzee> lol
13:34 < krzee> nm i didnt get it at first
13:34 < gravyface> krzee, exhale first.
13:34 < krzee> ya its a very common subject
13:34 < gravyface> :P
13:34 < gravyface> lemme take a look; thanks man
13:34 < krzee> it covers having lans on any part of the vpn, client(s) or server
13:40 < nohop> krzee: no luck.... the thing is.. the ping packets from my openvpn client to the subnet behind the vpn server DO reach the server... it's just that the server instantly replies to them with "unreachable".. while it should know perfectly well where to route it through...
13:40 < gravyface> gah, that needs some editing.
13:41 < krzee> nohop,
13:41 < krzee> !configs
13:41 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:41 < gravyface> client1: 192.168.1.0, client2: 192.168..umm...3.1
13:42 < nohop> krzee: will do that, hang on :)
13:42 < krzee> 1.0 2.0 and 3.0
13:42 < krzee> 2.0 being the server
13:44 < gravyface> krzee, for clarity sake, it would be better if 192.168.3.1 is the server, and client1 is 1.1 and client2 is 2.1.
13:45 < krzee> *shrug*
13:45 < krzee> guess it would
13:45 < gravyface> avoiding the ambiguous term of "client" in this case and using "site" or "office" would be better too.
13:45 < krzee> but i dont feel like going through it and making sure i dont mess anything up doing that
13:47 < gravyface> lol yeah, too late now. Good read though. Really need to brush up on networking basics -- have all these lil fragmented chunks of knowledge in my head, get confused (easily).
13:47 < nohop> krzee: http://pastebin.ca/1529772 i hope i pasted enough info on there...
13:48 < nohop> hmm.. i see i've beena bit inconsistent with my notation of subnets (255.255.255.0 vs /24) but i guess that's not too confuzzling :)
13:49 < krzee> not at all
13:49 < krzee> they are the same in my head when i read them
13:50 < nohop> good :)
13:51 -!- Kamel [n=1@c-66-177-144-238.hsd1.fl.comcast.net] has joined ##openvpn
13:52 < nohop> so 192.168.10.0/24 is able to ping 10.8.0.0/24, but not vise versa...whereas in my iptables script, under nat, i have:
13:52 < nohop> -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE
13:52 < nohop> -A POSTROUTING -s 10.8.0.0/255.255.255.0 -j MASQUERADE
13:52 < nohop> (sorry, forgot to paste that in the pastebin) .. which, to me, seem similar... and should make it work both ways ? what am i overlooking here ?
13:53 < Kamel> i have been looking for an answer on this for a while now, maybe someone can help. i'd just like to know if you were to set up openvpn in bridged mode, if clientA connects to the VPN and clientB connects to it as well, will data from clientA to clientB be routed through the server or will they have a tunnel established directly between them?
13:53 < krzee> why you NATing 192.168.0.0/255.255.0.0
13:54 < Kamel> if not, can you please provide a term i can use to search for this type of question
13:54 < Douglas> Kamel
13:54 < Douglas> no
13:54 < Douglas> they wont have a connection between one nother
13:54 < Douglas> another
13:54 < krzee> Kamel,
13:55 < krzee> through server ALWAYS with openvpn
13:55 < nohop> krzee: oh, sorry.. it was 192.168/16.. that's to give that subnet access to every route/interface on my server... (outside, tunnels, etc)... and that's the one that DOES work :)
13:55 < Kamel> Douglas: thanks, is there a mode of operation that would support this mesh type topology?
13:57 -!- tj83_ [n=tj@unaffiliated/tj83] has quit [Remote closed the connection]
13:58 < nohop> hmmm wait... is that nat masq line the thing that causing the problem in the first place?
13:59 < Kamel> does anyone know if a mode of operation exists in openvpn where all of the clients have direct tunnels to each other? (mesh topology is the best i can think of to describe this) -- for instance, clientA is in europe, clientB is in usa, and clientC is in japan. the objective is to get each client to have a tunnel, and be able to send data directly to each other, without the need for relaying
14:01 < nohop> yes, it is :) i guess i'll have to fiddle around a bit more with this when i'm less tired... but i think i understand what the problem is now....
14:02 < ecrist> Kamel: no such support exists within OpenVPN at this time
14:02 < nohop> i'l probably have to do my masquerading individualle, so my vpn stuff isn't matching that iptables rule...
14:02 < nohop> sorry for the trouble and stupidity :)
14:02 < Kamel> ecrist: thanks
14:03 < gravyface> after reading !!route, I'm a bit confused as to what they mean by "client" -- in this scenario, does client1 and client2 have OpenVPN servers acting in client mode or are they referring to software clients installed?
14:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:10 < BasketCase> gravyface: the system that initiates the connection is the client. the system that accepts the connection is the server. They can both be the same software though.
14:15 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:16 < krzee> [21:03] after reading !!route, I'm a bit confused as to what they mean by "client" -- in this scenario, does client1 and client2 have OpenVPN servers acting in client mode or are they referring to software clients installed?
14:16 < krzee> [21:10] its openvpn with "client" in the config file
14:16 < krzee> [21:10] on a machine in the lan (or the router)
14:16 < krzee> [21:11] (but if the router, then the note under picture about route to add outside openvpn can be ignored)
14:16 < krzee> [21:11] if not, it must not be ignored
14:16 < krzee> nohop, does client lan need to access inet via vpn by default?
14:17 < krzee> or even the client machine?
14:17 < krzee> because if not, you dont need to nat the subnet
14:18 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has joined ##openvpn
14:19 < Douglas> ROFL
14:19 < Douglas> choksondik
14:24 < ecrist> domy hosts have southpark-themed names
14:24 < ecrist> domy? wtf
14:24 < ecrist> my
14:28 < Douglas> lol
14:42 -!- Kamel- [n=1@c-66-177-144-238.hsd1.fl.comcast.net] has joined ##openvpn
14:43 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: mius, freaky[t], HardDisk_WP, Kamel, disco-, qknight, kaii
14:44 -!- Netsplit over, joins: kaii
14:45 -!- Netsplit over, joins: qknight
14:47 -!- jeiworth [n=jeiworth@189.234.3.95] has quit [Read error: 110 (Connection timed out)]
14:48 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Client Quit]
14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
14:56 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn
14:56 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
14:56 < nohop> krzee: sorry for the slow reply.. but i think it's my masq crap that's messing things up... i've made stuff too complexfor my own good... sooo, i'll fiddle with it some more when i'mmore awake :)
14:57 < nohop> but thanks alot for your help!
14:57 < krzee> np
14:58 < krzee> nat is only needed when you want:
14:58 < krzee> !redirect
14:58 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:58 < nohop> yeah... i need to make individual rules for my masq-ing...
14:59 < nohop> cause now everything is masq'ed... which i thought is what i wanted, but it's not :)
15:00 < BasketCase> yeah, you only want NAT going out to the internet
15:00 < krzee> just remove the masq for 10/8
15:00 < nohop> that's not gonna work :) but i'll figure it out :)
15:00 < krzee> and the lan if they are headed to a 10/8
15:01 < krzee> 10/8 should NOT be nat'ed
15:01 < nohop> BasketCase: i have other tunnels too, that DO need mask... so i just added one rule without specifying an interface for it... so i have to figure out some crap :)
15:01 < nohop> krzee: yeah.. i understand that now :) thanks :)
15:01 * nohop hands krzee a beer for his help :)
15:01 < krzee> =]
15:02 < krzee> yw
15:02 < krzee> that rule does not interfere is what im saying
15:02 < krzee> just make sure the rule doesnt hit packets headed to 10/8
15:04 < nohop> -A POSTROUTING -s 192.168.0.0/255.255.0.0 -j MASQUERADE < that's the one that interferes
15:04 < nohop> the 10.8/24 i just need to delete
15:04 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
15:05 < nohop> and the 192.168/16 needs to be specified an interface (actually a couple, NOT including tap*)
15:06 < BasketCase> btw, if anyone is wondering who I am I am a sysadmin and I use OpenVPN to connect my laptop to my LAN from anywhere. Despite my very limited single purpose use of OpenVPN my local LUG talked me into giving an introduction presentation at the next meeting. So I figured I would hang out in here and see what kinds of questions people ask about OpenVPN.
15:06 < nohop> '38
15:06 < nohop> oops, forgot ^A :)
15:10 < krzee> BasketCase, most common questions have to do with troubleshooting a firewall, !route and !redirect
15:10 < krzee> !route
15:10 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:10 < krzee> !redirect
15:10 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:10 < krzee> in fact our topic says most of it for that reason
15:10 < BasketCase> yeah, I figured that but I also figured those would come after the meeting
15:11 < krzee> those kinds of questions would be regarding security a scalability im guessing
15:11 < krzee> !security
15:11 < vpnHelper> krzee: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
15:11 < nohop> adding -o eth1 to my inet-masq'ing already fixed half the problem
15:11 < krzee> nohop, cool, keep playin =]
15:11 < BasketCase> cool, thanks
15:11 < nohop> annnyways..i gotto go now, will fiddle more with it later.. .thansk again and maybe will talk to you guys later :)
15:11 < krzee> looks like you got it
15:12 < nohop> yeah... was a stupid thing to overlook.. since most my things are NATted, i'm too used to throwing everything over it :)
15:12 < nohop> see yall :)
15:12 < nohop> *afk*
15:16 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)]
15:17 -!- Kamel- [n=1@c-66-177-144-238.hsd1.fl.comcast.net] has quit []
15:22 -!- mirco [n=mirco@p54B26E1A.dip.t-dialin.net] has quit []
15:33 -!- nohop [n=nohup@pool-173-71-215-129.clppva.fios.verizon.net] has quit ["BitchX-1.1-final -- just do it."]
15:36 -!- eliasp_ is now known as eliasp
15:38 < Kobaz> how do i have multiple vpn connections in windows, when i start more than one, it can't create another tun/tap device
15:45 < krzee> try renaming it, then installing a new one
15:45 < krzee> after renaming, you will need to change some ovpn config files
15:46 < krzee> can find in manual
15:46 < krzee> !man
15:46 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:46 -!- ewook [n=ewook@thales.fluffis.se] has joined ##openvpn
15:46 < ewook> woha. anyone sitting with a bridge'd setup willing to share his/her config both server and client wise?
15:55 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
15:57 < Kobaz> mmm
16:00 < ewook> I've failed big time when generating the keys for the clients, it fails at password it says, but.. never added one nor does it prompt for one *_*
16:33 -!- lhunath [n=lhunath@unaffiliated/lhunath] has joined ##openvpn
16:36 < lhunath> I'm trying to wrap my head around getting bridging set up; but I'm stuck. I want an OS X client to connect to a Linux server; I set the Linux server up to bridge eth0 and tap0 together on br0, set my eth0 ip/net config on br0 instead and started openvpn. on the client side I just used a matching client config file to connect to the br0 ip of the server and it connects well and assigns my client a 10.8.0.x ip. however, I can't ping ...
16:36 < lhunath> ... the server.
16:37 < lhunath> and when I try to ping my client's vpn ip from the server I get From 69.64.45.129 icmp_seq=1 Time to live exceeded
16:38 < lhunath> I'm lost as to what to try next; I've gone over the docs on openvpn.net and distro specific sites several times to no avail. looks like I'm doing it right; but apparently not.
16:38 < lhunath> I can't figure out what my server's ping packets may be up to for them to get TTL exceeded.
16:39 < ewook> oh.
16:39 < ewook> I'm still trying to get my client to connect to the server.
16:40 < ewook> would you mind posting your bridging-configs (server and client) ? and I might be able to help you later with the routing
16:40 < lhunath> are you also using bridging or are you using routing?
16:40 < ewook> bridging
16:41 < ewook> I'm just getting weird stuff errors from server and client at,
16:41 < ewook> atm
16:41 < ewook> and the lovely documentation at openvpn's page just makes it worse :P
16:42 < lhunath> http://stuff.lhunath.com/vpn.lyndir.com.conf
16:42 < lhunath> server.
16:43 < lhunath> http://stuff.lhunath.com/Lhunath.conf
16:43 < lhunath> client.
16:43 < ewook> thx, w8 until I'll implement and tweak ^^
16:44 -!- Kobaz [n=kobaz@its.kobaz.net] has left ##openvpn []
16:50 < Douglas> grrrrrr
16:50 < Douglas> lhunath
16:50 < Douglas> !configs
16:50 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:50 < Douglas> ^
16:51 < ewook> bggr
16:51 < lhunath> sure.
16:51 < ewook> well, I've missed something in a previous step
16:51 < ewook> Douglas: are you serious? :P
16:51 < Douglas> ewook: what?
16:52 < ewook> Douglas: only official paste-bin?
16:52 < Douglas> ewook: i was referring to the parenthesis
16:52 < ewook> noted.
16:59 < Douglas> !forum
16:59 < Douglas> @ all
16:59 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
17:01 < lhunath> FWIW, I've sanitized those config files for you.
17:02 < ewook> I think I have a basic problem of badly generated certs.
17:03 < ewook> I give up for tonight... with no real guide to follow, generating the right stuff just stinks
17:05 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 104 (Connection reset by peer)]
17:14 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
17:14 < Douglas> ffffffff
17:14 < Douglas> i hate spammers
17:14 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
17:20 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
17:20 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:31 -!- sander__ [i=sander@084202250202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)]
17:57 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
18:14 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:55 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
19:22 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
19:25 -!- Grapsus [n=grapsus@anon-31-149.ipredate.net] has quit ["Quitte"]
19:56 -!- gravyface [n=gravyfac@CPE001d7e46ff91-CM0014e8b59110.cpe.net.cable.rogers.com] has quit [" HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!"]
20:23 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [SendQ exceeded]
20:24 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
20:39 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 60 (Operation timed out)]
20:40 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
20:40 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [SendQ exceeded]
20:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Client Quit]
20:43 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn
21:10 -!- master_of_master [i=master_o@p549D3C1B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:13 -!- master_of_master [i=master_o@p549D4A28.dip.t-dialin.net] has joined ##openvpn
21:16 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
21:16 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
21:19 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
21:57 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
22:07 -!- Dynaceron [n=DYN@S0106001c109e98db.no.shawcable.net] has joined ##openvpn
22:08 < Dynaceron> !howto
22:08 < vpnHelper> Dynaceron: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:10 < Dynaceron> Hi
22:10 < Dynaceron> Is it possible to only route specific ports through VPN? rather than whole traffic
22:11 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn
22:15 < RadarG> reiffert I upgraded both the server and client
22:18 < RadarG> http://pastebin.com/d6a3ac7c9 server config
22:29 < krzee> Dynaceron, not the normal way, but i do have another way that makes it a yes
22:29 < krzee> normally not by ports cause its routing based
22:30 < krzee> but if you run a sockd (socks server) on the openvpn server ip
22:30 < krzee> which listens only on vpn ip, and uses inet for external
22:30 < krzee> example of such a config for dante www.ircpimps.org/sockd.conf
22:30 < krzee> (ONLY USE THAT WHEN SECURED BY THE VPN, ITS INSECURE CONFIG)
22:32 < Dynaceron> thanks for the info.
22:32 < krzee> then you can run an app like proxifier to send any apps through the ovpn secured proxy
22:32 < krzee> thats how i do mine
22:32 < Dynaceron> so I can setup a client/server to only route traffic over VPN to specific ips or blocks right?
22:33 < krzee> you can set that up without proxy
22:33 < krzee> with proxy inside openvpn tunnel you can also route based on ips/blocks/apps/ports/any combination of those
22:33 < krzee> if you have a nice app managing it
22:33 < Dynaceron> ok my issue is
22:34 < Dynaceron> We have a datacenter in germany, and our main office is in Canada
22:35 < Dynaceron> and our isp here in canada wont do a revdns on our ips so when we connect to a clients server we get the isp revdns
22:35 < Dynaceron> and yes I know I can use SSH tunnels
22:35 < Douglas> why not get a box for sshing
22:35 < Douglas> for staff or w/e
22:35 < Douglas> in the dc
22:36 < Dynaceron> well we have that as well both windows and linux boxes
22:36 < Dynaceron> but I was just wondering if there would be an easier way than remote desktoping or sshing into a server then tunneling
22:37 < Dynaceron> I have used openvn before for routing all traffic, so I thought of using VPN and came here.
22:40 < RadarG> http://pastebin.com/d50598023 client config
22:41 < RadarG> I had it backwards the the second one is server config and the first one is cleint
22:42 < krzee> just push a route to the dc subnets
22:42 < krzee> instead of port
22:42 < krzee> simple
22:43 < krzee> be sure you have a more specific route to the server's ip to go over normal inet, but i think thats done automaticly
22:43 < RadarG> krzee Can you please help me out I'm pretty sure I'm close to getting this done
22:43 < Dynaceron> more specific route?
22:44 < krzee> RadarG, whats your error?
22:45 < krzee> Dynaceron, like 10.0.10.10 is more specific than 10.0.10/24
22:45 < Dynaceron> so routing everything through public ports is bad?
22:45 < Dynaceron> oh ok sorry i didnt see your last message
22:46 < RadarG> i'm having difficulty geting connectivity. I had some trouble and reiffert had me upgrade becuase i was using a build that was three years old
22:47 < krzee> !logs
22:47 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
22:53 < RadarG> ser ver logs http://pastebin.com/d3076d235
22:57 < RadarG> client logs http://pastebin.com/d1e3bf007
22:58 < RadarG> the configs are in the pastebins that I posted earlier
22:58 < RadarG> with the lastest rc I should have better luck
23:03 < RadarG> here is a better thigns of server logs http://pastebin.com/d40559333
23:04 < RadarG> reiffert had me remove some lines from my server and client config but I catn remember what lines he watned me to remove.
23:43 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [Read error: 113 (No route to host)]
--- Day changed Sat Aug 15 2009
00:06 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn
00:20 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn
00:20 -!- jreno [n=jreno@38.219.68.216.DED-DSL.fuse.net] has quit [Read error: 113 (No route to host)]
00:32 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
00:36 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn
00:37 < RadarG> cool beans!!! I am able to ping the vpn server from the vpn client and viseversa!!
00:41 < RadarG> Reply from 192.168.10.1: bytes=32 time=429ms TTL=128
00:44 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has quit [Read error: 110 (Connection timed out)]
00:49 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection]
00:54 < RadarG> I can not ping anything on the 192.168.1.0 l LAN but I cant ping the distant end. When I try to ping a website I get DNS but the ping times out. When I do a nslookup I dont get a response from 192.168.1.2(sever dns) nor 192.168.200.1(client DNS) So this tells me that I'm getting DNS traffic through the tunnel however I cant pull up any websites in the browser. ALL firewalls on the client and server have been temp turned off. D
01:39 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
01:46 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has joined ##openvpn
01:46 < Bushmills> !route
01:46 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:46 < RadarG> hmm it looks like it is a routing issue on the vista box
01:46 < Bushmills> oh really?
01:54 -!- c64zottel [n=hans@p5B17824F.dip0.t-ipconnect.de] has joined ##openvpn
01:54 -!- c64zottel [n=hans@p5B17824F.dip0.t-ipconnect.de] has left ##openvpn []
01:59 < RadarG> now if I want my client (192.168.200.7) to talk to my server(192.168.1.10) I dont want to put down "route 192.168.200.0 25.255.255.0" becuase this ip might change. I would put down 192.168.10.0 because this is VPN address range right?
02:21 < RadarG> hmm still not passing the traffic the dns is coming back from 192.168.1.2 but not the replies to the ping
02:29 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
02:44 < RadarG> client config http://pastebin.com/d11e700d6
02:45 < RadarG> client logs http://pastebin.com/d17c01f46
02:48 < RadarG> server config http://pastebin.com/d62b4e761
02:54 < RadarG> server logs http://pastebin.com/d3831fb4e
02:56 < RadarG> server route http://pastebin.com/d4c8695fb
02:56 < RadarG> any ideas?
02:57 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has joined ##openvpn
02:59 < Bushmills> did you read !route ?
03:00 < RadarG> yes
03:01 < RadarG> i have a a ccd and an iroute entry
03:03 < Bushmills> !firewall
03:03 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
03:07 < RadarG> i'm not using iptables nor pf
03:12 < RadarG> the client has its windows firewall off, the server has its windows firewall off
03:13 < RadarG> the only thing that is inbetween them is two NAT routers and 7000 miles of internet
03:20 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has quit []
03:22 < RadarG> Ok in wireshark I'm seeing that when I ping servers default gw I see that the packets are leaving my vpn clients ip and are going to the servers default gw
03:23 < Bushmills> !blame windows
03:23 < vpnHelper> Bushmills: Error: "blame" is not a valid command.
03:29 < RadarG> on the server side vpn adapter I can see the packets coming from the client and going to the servers dfg however while sniffing the nic on the server I only see the openvpn packets I'm not seeing the ping packets going out.
03:32 < RadarG> so the problem is from the vista server
03:40 < reiffert> RadarG: did you upgrade to 2.1rc19?
03:40 < reiffert> "07:37 < RadarG> cool beans!!! I am able to ping the vpn server from the vpn client and viseversa!!
03:40 < reiffert> "
03:41 < reiffert> looks like you did.
03:41 < RadarG> yeap
03:41 < RadarG> pings are good
03:42 < RadarG> all those pastebins that I posted is all current
03:43 < reiffert> Have fun!
03:43 < RadarG> thanks
03:43 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
03:44 < reiffert> and be sure toi read !route
03:45 < RadarG> I did but I'm using iroute and ccd
03:45 < reiffert> and does it work at your place?
03:46 < RadarG> no the client can only ping the other side and it has dns but nothing else
03:46 < reiffert> check !route again.
03:47 < RadarG> are your talking about the section about the broken API
03:47 < reiffert> no
03:51 < RadarG> I have the iroute setup but its still not working
04:00 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has joined ##openvpn
04:01 < RadarG> where on the 100 page site
04:02 < RadarG> !firewall
04:02 < vpnHelper> RadarG: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
04:07 < RadarG> changing the device on both the server and the client from tap to tun had no effect
04:51 < RadarG> any other ideas?
04:52 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
05:01 < RadarG> It is my understanding that since I have different LANs behind my server and clients that I have to use "tun" is this correct?
05:04 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has quit []
05:08 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
05:11 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
05:25 * RadarG wants to destroy a windows vista box
05:25 < RadarG> I can't figure out this routing issue
05:30 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
05:31 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has joined ##openvpn
05:52 -!- sander_ [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn
05:58 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
06:19 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
06:22 -!- Dynaceron [n=DYN@S0106001c109e98db.no.shawcable.net] has quit [Read error: 148 (No route to host)]
07:01 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Kreg-Work, Douglas, _impuls, ThoMe, worch
07:03 -!- Netsplit over, joins: worch
07:03 -!- Netsplit over, joins: Douglas
07:11 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
07:15 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
07:15 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
07:24 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
07:31 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has quit []
07:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
07:44 -!- RadarG1 [n=nightwol@pool-98-108-1-129.chi01.dsl-w.verizon.net] has joined ##openvpn
07:56 -!- RadarG [n=nightwol@pool-98-108-1-106.chi01.dsl-w.verizon.net] has quit [Read error: 110 (Connection timed out)]
07:59 -!- heavenquake [n=heavenqu@unaffiliated/heavenquake] has joined ##openvpn
07:59 < heavenquake> My work laptop has been stolen. But it is set, at root level, to connect to my workplace's VPN on boot, silently. Will I be able to, from the VPN server, see a list of connected IPs?
08:03 < ElectricBill> run nmap to look for it?
Does it have a fixed IP on the (open)vpn?
08:04 < heavenquake> I don't know, really. nmap.. that's a possibility of course. are there any connect logs for openvpn?
08:04 < ElectricBill> Sure there are.
08:05 < ElectricBill> In Debian derived distros, see /var/log/daemon.log
08:05 < ElectricBill> or /var/log/messages in SuSE, for example.
08:06 < ElectricBill> I assume it is certificate based?
08:06 < heavenquake> our vpn server runs debian
08:06 < heavenquake> yes. certificates
08:06 < ElectricBill> You will see the certificate name and associated IP upon connection in the log
08:07 < heavenquake> will I see the external IP of the household that connects?
08:07 < ElectricBill> Yes
08:07 < heavenquake> that's awesome
08:07 < ElectricBill> What OS does the laptop run?
08:07 < heavenquake> Ubuntu
08:07 < ElectricBill> Then the thief might not be able to login or use it?
08:08 < heavenquake> it's set to autologin
08:08 < ElectricBill> Then there is hope
08:08 < ElectricBill> You might be able to set a process to watch the log and alert you
08:08 < heavenquake> all he has to do is, more or less, plug in a cable or fiddle around with the wireless
08:09 < ElectricBill> Maybe some kind of tail|grep shell hack...
08:09 < heavenquake> hmm. I'll look into that, that's not a bad idea
08:09 < ElectricBill> or can nagios do something like this? I dunno.
08:09 < ElectricBill> good luck
08:10 < heavenquake> I need to go for a few moments, excuse me.
Thank you very much for your help :)
08:26 -!- RadarG [n=nightwol@pool-98-108-1-129.chi01.dsl-w.verizon.net] has joined ##openvpn
08:26 -!- RadarG1 [n=nightwol@pool-98-108-1-129.chi01.dsl-w.verizon.net] has quit [Remote closed the connection]
09:50 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
10:04 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
10:08 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"]
10:49 -!- lhunath [n=lhunath@unaffiliated/lhunath] has left ##openvpn ["OK, so ten out of ten for style, but minus several million for good thinking, yeah?"]
10:55 * RadarG giving up for the night
10:55 -!- RadarG [n=nightwol@pool-98-108-1-129.chi01.dsl-w.verizon.net] has quit []
11:11 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has joined ##openvpn
11:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:46 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
11:51 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
11:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:03 -!- krzee [n=k@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
12:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
12:10 -!- Bora [n=DYN@S0106001c109e98db.no.shawcable.net] has joined ##openvpn
12:30 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has quit []
12:42 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
12:42 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has joined ##openvpn
12:43 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn
12:44 -!- mirco [n=mirco@p54B26CC3.dip.t-dialin.net] has quit [Client Quit]
12:55 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
13:49 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
13:51 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
13:53 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
14:12 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn
14:13 < plt> i installed openvpn on two linux machines
14:13 < plt> each with its own keys and almost similar config
14:14 < plt> if i want to transfer all the keys and conf from one to another can i simply copy /etc/openvpn folder ? - both machines are running same os, same version everything is same except for openvpn keys and slight config differences
14:14 < plt> somehow it doesn't work for me ?!
14:14 < plt> anyone here kind enough to help or suggest what might be wrong ?
14:18 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
14:18 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
14:20 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Client Quit]
14:28 < Douglas> plaerzen
14:29 < Douglas> you can just copy the folder yes
14:29 < Douglas> er
14:29 < Douglas> plt even
14:29 < Douglas> and
14:29 < Douglas> !all
14:29 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
14:30 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
14:30 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
14:41 < plt> Douglas, sorry just saw this : i have copied the folder
14:42 < plt> since the same conf etc. work on another (clone of same machine) one i am guessing confs are right ?!
14:42 < plt> i am pasting them anyway along with the error i get
14:45 < plt> routing table - do you mean output of iptables ?
15:07 < BasketCase> plt: routing table would be 'route -n' or 'ip ro ls'
15:07 < BasketCase> plt: iptables is the firewall
15:49 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn
15:51 < Douglas> plt
15:51 < Douglas> route -n
15:54 < CRASH69> hey guys, we set a bridged openvpn using 192.168.2.0/24 site-to-site works great, and later added a routed mobile tunnel for the laptop on 192.168.3.0/24, we can ping from laptop to the 192.168.2.0 attached to the server, but fail to ping the side at client router, what are we missing? here is a diagram and routetables http://www.dd-wrt.com/phpBB2/viewtopic.php?p=336190&highlight=#336190
15:55 < Douglas> using openvpn?
15:55 < CRASH69> yes
15:55 < Douglas> !al
15:55 < vpnHelper> Douglas: Error: "al" is not a valid command.
15:55 < Douglas> !all
15:55 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
15:56 < CRASH69> wahoo bunch x), taking care
16:12 < ecrist> !route
16:12 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:12 < ecrist> !iroute
16:12 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
16:12 * ecrist goes back to xbox
16:19 -!- krzee [n=k@unaffiliated/krzee] has quit ["Leaving"]
16:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:20 < ecrist> krzee, you there, or just auto-reconnect?
16:21 < ecrist> regardless, send me an email later with the features and capabilities you want in the new, custom bot
16:21 < krzee> here kinda
16:21 < ecrist> I'm on vacation this week, so will have time to code it.
16:21 < krzee> just what its got now basically
16:22 < ecrist> ok, here's my plan
16:22 < krzee> we can grep out all commands from the logs you have
16:22 < krzee> thats all that matters to me
16:22 -!- Bora [n=DYN@S0106001c109e98db.no.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
16:22 < ecrist> new bot will get permissions for chanserv (bot permissions based on channel perms
16:22 < ecrist> new bot will have ops in chan
16:23 < krzee> mine can do that
16:23 < krzee> didnt think we wanted it
16:23 < ecrist> new bot will auto-ban channel floods and can, on the back end, do the dirty work of kicking users, etc.
16:24 < ecrist> will script something that will search for and report (via channel topic updates) the most current stable and dev version of OpenVPN
16:25 < ecrist> along with a few logging capabilities. !log will DCC send logs pertaining to with a predetermined buffer before/after their channel posts.
16:25 < ecrist> DCC send isn't required, could do PM, but will make it easier to look through logs.
16:26 < ecrist> also, !command will pm the !command to for people with +v in channel permissions
16:26 < ecrist> so we don't have to do: krzee: !command
16:27 < krzee> werd
16:27 < ecrist> considering some other features, provided they're not too noisy, such as a digest for the openvpn devel list within channel, or some info on svn commits
16:28 < ecrist> all in line with your thoughts, or too much?
16:31 < krzee> bro i'd love to give a real answer
16:31 < krzee> but ive been drinking absinthe and smoking tons
16:31 < krzee> im in .nl
16:31 < ecrist> LOL
16:31 < ecrist> no worries
16:33 * ecrist is away: xbox
16:35 < Douglas> .
16:36 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has quit [" HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it"]
16:37 < krzee> =]
16:56 < CRASH69> anybody and/or Douglas: http://pastebin.com/m330fadd0 , bridged openvpn using 192.168.2.0/24 site-to-site works great, and later added a routed mobile tunnel for the laptop on 192.168.3.0/24, we can ping from laptop to the 192.168.2.0 attached to the server, but fail to ping the side at client router, what are we missing? cheap diagram http://www.dd-wrt.com/phpBB2/viewtopic.php?p=336190&highlight=#336190
17:00 -!- anwoke [n=A@65.100.249.52] has joined ##openvpn
17:06 -!- heavenquake [n=heavenqu@unaffiliated/heavenquake] has quit ["Kick me!"]
17:09 < reiffert> !route
17:09 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:10 < reiffert> CRASH69: see above
17:12 -!- racan [n=racan@97-117-243-144.phnx.qwest.net] has joined ##openvpn
17:14 -!- racan [n=racan@97-117-243-144.phnx.qwest.net] has left ##openvpn []
17:24 -!- CRASH69 [n=crash@201.200.94.66] has quit [Read error: 113 (No route to host)]
17:24 -!- anwoke [n=A@65.100.249.52] has quit [Read error: 113 (No route to host)]
17:26 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn
17:30 < CRASH69> !route
17:30 < vpnHelper> CRASH69: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:57 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
18:04 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 145 (Connection timed out)]
18:45 -!- LumberCartel [n=LumberCa@24.86.160.252] has joined ##openvpn
18:46 < LumberCartel> Hello folks. Is OpenVPN being discontinued? I'm unable to find the download for it on the web site...
18:46 < LumberCartel> Only the Access Server (which I don't use), no clients.
18:46 < LumberCartel> Also, when I type "download" in the search dialogue, all I get are release notes and stuff like that.
18:46 * LumberCartel is worried.
18:46 < LumberCartel> I've got a lot of clients using OpenVPN now, and I'm hoping that this product hasn't died.
18:47 < LumberCartel> Help!
18:48 * LumberCartel wonders if the old web site design is available, and has a download option for the OpenVPN client for Widows XP/Vista, and others.
18:49 < LumberCartel> Maybe OpenVPN was forked to another project?
18:49 < LumberCartel> Hello?
18:51 < LumberCartel> Or was the domain name taken over by some commercial entity? The "contact us" page has contacts for sales and licensing, investment, etc., and although the logo looks the same as before it looks quite different now.
18:53 < LumberCartel> Someone on #Crypto pointed me here: http://www.openvpn.net/index.php/open-source/downloads.html
18:53 < vpnHelper> Title: Downloads (at www.openvpn.net)
18:53 < LumberCartel> It seems this new web site design is confusing.
18:54 < LumberCartel> My problem is also that when I direct users to it now, they click on the tab with the word "Download" in it (like I did), and then they see Access Server but nothing else.
18:54 < LumberCartel> I would like to suggest that a link to downloading OpenVPN clients be included there as well.
18:58 * LumberCartel suspects that nobody is here except bots.
19:00 < Gorkhaan_> http://openvpn.net/index.php/open-source/downloads.html
19:00 < vpnHelper> Title: Downloads (at openvpn.net)
19:00 < Gorkhaan_> ...
19:06 * LumberCartel just sent a feedback message to OpenVPN: http://www.openvpn.net/index.php/component/contact/12-contacts/3-support-staff.html
19:07 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: disco-
19:09 < Gorkhaan_> LumberCartel, What's wrong? :)
19:10 < Gorkhaan_> LumberCartel, http://openvpn.net/index.php/open-source/downloads.html
19:10 < vpnHelper> Title: Downloads (at openvpn.net)
19:10 < Gorkhaan_> I go to sleep now
19:10 -!- Gorkhaan_ [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"]
19:19 -!- iamamoron [n=iamamoro@210.238.181.188] has joined ##openvpn
19:20 < iamamoron> hi there, i have setup open vpn but when i ping public ip latency is fine but when i ping private hell it is very slow
19:20 < LumberCartel> How many NICs do you have on your local computer?
19:23 < iamamoron> 2
19:23 < iamamoron> one for public
19:23 < iamamoron> one for private
19:26 < iamamoron> i'm running openvpn on SSL
19:26 < LumberCartel> Oh. Why?
19:27 < LumberCartel> OpenVPN takes care of all that for you already.
19:27 < iamamoron> i run it on port 443
19:27 < LumberCartel> Is OpenVPN transferred over TCP or UDP?
19:27 < iamamoron> any ideas why it slows down?
19:28 < iamamoron> TCP
19:28 < iamamoron> it is on TCP
19:28 < LumberCartel> I have many ideas, because there are many possibilities. I've made some assumptions (e.g., healthy network connection, etc.) before asking some questions.
19:28 < LumberCartel> What can you tell me about the server? And which version of OpenVPN are you running on client and on server?
19:29 < LumberCartel> What I would like to know about the server is CPU speed, and current system utilization.
19:30 < LumberCartel> If CPU utilization is high, then that is likely a major part of the problem. If the server is Windows OS, then that is well-known to create intermittent performance problems.
19:30 < iamamoron> the vpn server only consumes 1.3% CPU and 2 % mem
19:30 < iamamoron> both are linux
19:30 < LumberCartel> Good.
19:30 < LumberCartel> The 1.3% CPU utilization seems very high for one client.
19:31 < LumberCartel> Are others connected?
19:31 < iamamoron> what you mean others?
19:31 < LumberCartel> Are others connected to the VPN, or are you the only one right now?
19:31 < iamamoron> only 3 are connected
19:31 < iamamoron> 2 are fine
19:31 < iamamoron> only one is having problem
19:32 < iamamoron> even if i disconnect the 2
19:32 < iamamoron> still i have this problem
19:32 < LumberCartel> When you disconnect the one having problems, does the CPU utilization for OpenVPN remain the same, or does it drop down?
19:32 < BasketCase> iamamoron: were you saying that you run OpenVPN through SSL or are you saying that you are using the port number for https 443?
19:33 < iamamoron> yes
19:33 < LumberCartel> Yes to what?
19:33 < iamamoron> i am running openvpn on port 443
19:33 < iamamoron> tcp
19:33 < LumberCartel> I was meaning to ask you (thanks to BasketCase for broaching the subject), if you are able to run OpenVPN without tunnelling it through SSL.
19:33 < iamamoron> the ping reply for public is only about 174 ms
19:33 < LumberCartel> How come you're using TCP port 443?
19:34 < iamamoron> but for private ip it reaches 300 ms
19:34 < iamamoron> very weird
19:34 < iamamoron> by setting it on client.conf
19:34 < iamamoron> and server.conf
19:34 < BasketCase> some people seem to think that running random services on tcp/443 provides extra priority or something
19:34 < LumberCartel> For the public IP, you appear to have a somewhat slow connection. Most servers I connect to are typically 10ms - 15ms.
19:34 < iamamoron> dont you know it?
19:35 < iamamoron> 100ms because it is in different country
19:35 < LumberCartel> That makes sense.
19:35 < iamamoron> of course
19:35 < iamamoron> i really wondered why
19:35 < iamamoron> private seems to reply that kind of reply
19:35 < iamamoron> it doubles the latency
19:35 < iamamoron> any ideaS?
19:36 < LumberCartel> What if you make an FTP or Samba connection inside and outside the VPN, and compare transfer speeds for a large file? That will tell you if you really are experiencing latency, or an ICMP routing issue.
19:37 < LumberCartel> It is possible that the routing on your server is trying to send ICMP responses back out the default gateway before reverting to 10.8/16 (the network you're probably on inside your VPN).
19:38 < LumberCartel> ...or it is in fact sending it along to the default gateway, which is then firing it back to your server which then routes it properly.
19:38 < LumberCartel> If this is the case, then you might not have IP Forwarding enabled on your server.
19:38 < iamamoron> no i have
19:38 < LumberCartel> Take care when enabling this feature to make sure everything else is working.
19:39 < LumberCartel> Good.
19:39 < LumberCartel> I think the next step for you is to do some packet sniffing on your server side.
19:39 < iamamoron> LumberCartel: It is possible that the routing on your server is trying to send ICMP responses back out the default gateway before reverting to 1
19:39 < LumberCartel> You should also keep in mind that OpenVPN seems to be consuming a lot of processing power -- if I were you, I'd want to know what's causing this.
19:40 < iamamoron> LumberCartel: It is possible that the routing on your server is trying to send ICMP responses back out the default gateway before reverting to 1 <----- how to know that?
19:40 < LumberCartel> ...before reverting to 10.8/16 (the network you're probably on inside your VPN).
19:40 < iamamoron> ?
19:41 < iamamoron> so what am i going to do?
19:41 < LumberCartel> If you want to share your server.conf and client.conf files on http://www.pastebin.ca/ (or similar service), after removing confidential information, I'd be willing to take a peek at them.
19:41 < iamamoron> the case is this one i guess
19:41 < iamamoron> LumberCartel: It is possible that the routing on your server is trying to send ICMP responses back out the default gateway before reverting to 1
19:41 < iamamoron> what should be done?
19:42 < LumberCartel> Which version of OpenVPN are you using?
19:42 < LumberCartel> ...before reverting to 10.8/16 (the network you're probably on inside your VPN).
19:42 < iamamoron> server openvpn-2.1-0.25.rc7.fc9.i386
19:42 < iamamoron> client openvpn-2.0.9-1
19:43 < LumberCartel> I know what your problem is.
19:43 < iamamoron> hmmm what?
19:43 < iamamoron> version compat?
19:43 < LumberCartel> Firstly, for your server, you need to upgrade to the newer version. I know that rc7 has some problems (and some later versions). Currently there is rc19 which works very well.
19:44 < LumberCartel> For the client, it's always a good idea to match what the server has, and in your case I would do that even though it isn't really needed.
19:44 < iamamoron> huh?
19:44 < LumberCartel> Since both Operating Systems are Linux, the process should be relatively similar for upgrading them, so you might as well.
19:45 < iamamoron> are you sire?
19:45 < iamamoron> sure
19:45 < iamamoron> maybe routing problem?
19:45 < LumberCartel> In the case of Widows (especially Widows Vista), 2.0.x doesn't work properly.
19:45 < BasketCase> you might want to try using udp instead of tcp too
19:45 < LumberCartel> I'm pretty sure because I've had this problem before, and resolved it by upgrading to the newest version of OpenVPN (which was rc13 or something like that as I recall).
19:46 < LumberCartel> For server-to-server, UDP is fine, and also using port 1194 is recommended.
19:46 < LumberCartel> ...more than using 443 which is reserved for HTTPS.
19:46 < iamamoron> no, i cant do that
19:46 < LumberCartel> If you want to use a port other than 1194, which only makes sense for one of two reasons...
19:46 < iamamoron> my road warrior client cannot connect on hotels
19:46 < iamamoron> that blocks and filter ports
19:46 < LumberCartel> (firewall policies that don't allow 1194, or security-by-obscurity to hide the fact that OpenVPN is in use)
19:47 < iamamoron> thats why i used port 443
19:47 < LumberCartel> Well, ports above 1024 are typically open.
19:47 < iamamoron> nop
19:47 < LumberCartel> Wow.
19:47 < iamamoron> i tried it
19:47 < iamamoron> it is blocked
19:47 < LumberCartel> What a bunch of idiots.
19:47 < LumberCartel> Oh well.
19:48 < LumberCartel> It's their network, so they can implement whatever rules they prefer and you just have to follow them.
19:48 < iamamoron> yes
19:48 < LumberCartel> As for using UDP or TCP, I find that UDP doesn't always work reliably, especially for most end-users.
19:48 < iamamoron> thats why i picked port 443
19:49 < iamamoron> normally open all the time
19:49 < iamamoron> protocol must be tcp not udp
19:49 < iamamoron> udp also blocked somehow
19:49 < iamamoron> i tried it also
19:50 < BasketCase> remind me not to go wherever you are :P
19:50 < LumberCartel> The only problem I can foresee with using TCP port 443 (or 80) is that there are bots out there that try to hack into stuff on those ports (mostly 80) which might be contributing to your CPU utilization problems.
19:50 < LumberCartel> To combat that waste of bandwidth, use the "tls-auth" feature.
19:51 < LumberCartel> Anyway, backup your systems, then upgrade to the newest version of OpenVPN because I know that anything pre-rc13 has performance problems.
19:51 < LumberCartel> ...and some have serious routing issues.
19:52 < LumberCartel> !redirect
19:52 < vpnHelper> LumberCartel: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:52 < LumberCartel> !topology
19:52 < vpnHelper> LumberCartel: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:53 * LumberCartel laughs becasue he just noticed that the IRC channel topic includes "We know, the new [web] site sucks."
19:53 < LumberCartel> s/becasue/because/
19:58 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
19:59 * LumberCartel looks at iamamoron and points to: http://www.openvpn.org/index.php/open-source/documentation/change-log/71-21-change-log.html
20:01 < LumberCartel> iamamoron: I have to go, but before I go I recommend you look into implementing tls-auth (but only after you get the new versions working, because there are a few steps to it).
20:07 < iamamoron> ok thanks
20:07 < LumberCartel> I'll try to get on here again later. If you see me, feel free to let me know how you're progressing.
20:08 < LumberCartel> How far have you gotten now?
20:10 < iamamoron> not yet
20:10 < iamamoron> i will chat to you whatever progress
20:12 < LumberCartel> I wish you luck. Take care.
20:12 -!- LumberCartel [n=LumberCa@24.86.160.252] has quit [" Try HydraIRC -> http://www.hydrairc.com <-"]
20:33 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
20:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:51 < Douglas> krzy
20:52 < krzy> fucked up but here
20:52 < Douglas> i dont require much competence
20:52 < Douglas> sober up tho
20:52 < krzy> good
20:52 < krzy> no
20:52 < Douglas> cuz you do owe me money coming up by the end of the month
20:52 < Douglas> not sure what date it will make the inv
20:52 < krzy> dont have at the moment
20:52 < Douglas> lol
20:52 < Douglas> when will you have
20:52 < krzy> on the end of a vacation/binge
20:53 < krzy> small time will be back on top, its a cycle based on vacation
20:53 < Douglas> ok so like first week or 2 of sept?
20:54 < krzy> i believe ill be good by then =]
20:54 < krzy> but bro
20:54 < krzy> im so gone off the absinthe
21:08 < Douglas> l
21:08 < Douglas> lol
21:17 -!- master_of_master [i=master_o@p549D4A28.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:17 -!- master_of_master [i=master_o@p549D449F.dip.t-dialin.net] has joined ##openvpn
21:23 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has joined ##openvpn
22:19 -!- kab [n=_k_a_b_@189.155.251.230] has joined ##openvpn
22:19 < kab> hello :)
22:20 < kab> !route
22:20 < vpnHelper> kab: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:06 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has quit ["Leaving"]
23:24 < kab> !howto
23:24 < vpnHelper> kab: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:24 < kab> !configs
23:24 < vpnHelper> kab: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
23:24 < kab> !logs
23:24 < vpnHelper> kab: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:46 < reiffert> moin
--- Day changed Sun Aug 16 2009
00:47 < iamamoron> huhu
00:47 < iamamoron> openvpn is still slow
00:47 < iamamoron> even if i upgraded
01:04 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
01:12 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
01:13 -!- kab [n=_k_a_b_@189.155.251.230] has quit ["Leaving"]
01:28 -!- tjz2 [n=tjz@bb220-255-106-86.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
02:08 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
02:41 -!- roninbaka [n=email@220.163.61.237] has joined ##openvpn
02:42 -!- krzy is now known as krzee
02:42 < roninbaka> Hi I'm trying to find a way to only use my openVPN connection to access certain websites from a list that I will maintain rather than the whole of connection. I'm using a windows environment.
02:52 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
02:58 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit ["No Ping reply in 90 seconds."]
03:06 < krzee> then just push those routes
03:15 < Bushmills> (or add them to client config, not pushing, to avoid having to restart server)
03:15 < Bushmills> s/restart server/reload server config/
03:17 < Bushmills> though i believe that restricting/allowing access is better done through a different service. for example, through proxy ACLs on server
03:27 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has joined ##openvpn
03:27 -!- LumberCartel [n=LumberCa@24.86.160.252] has joined ##openvpn
03:28 < LumberCartel> iamamoron: How's the VPN working for you now?
03:29 < iamamoron> still very slow
03:29 < LumberCartel> Did you manage to get the versions upgraded?
03:35 < Bushmills> !tcp
03:35 < vpnHelper> Bushmills: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO.
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
03:35 < LumberCartel> UDP is definitely better, but when it comes to regular end-users I find that UDP doesn't always work reliably like TCP does.
03:35 < LumberCartel> For technical folks, or server-to-server stuff, UDP tends to be fine for OpenVPN.
03:36 < Bushmills> no need for double checking, as result of tunneling tcp over tcp
03:36 < LumberCartel> Unfortunately, it seems that UDP packets do get dropped more regularly due to there being more rotten networks these days.
03:37 -!- krzee [i=nobody@hemp.ircpimps.org] has quit [Read error: 54 (Connection reset by peer)]
03:37 < LumberCartel> From a security standpoint, UDP has the advantage of the server generally not being detectable to packet scanners.
03:38 < Bushmills> that may be true for SYN scans.
03:38 < LumberCartel> Obscurity is not the best security tactic though.
03:39 < Bushmills> the "generally undetectable" may apply to the very casual scanner who probably isn't a thread anyway
03:39 < Bushmills> threat
03:40 < LumberCartel> Yup. When it comes to obscurity, the folks who are smart enough to know stuff is there are usually the ones you really want to keep out.
03:40 < LumberCartel> s/obscurity/security/
03:42 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
03:44 < Bushmills> the tcp hint was for iamamoron btw
03:44 < Bushmills> my guess is that he's tunneling through tcp
03:44 < LumberCartel> Yes, he is.
03:44 < Bushmills> (most people who suffer from slow speed do)
03:44 < LumberCartel> He can't use UDP because of firewall rules where the client laptops have to go.
03:45 < LumberCartel> I was on earlier trying to help him.
03:45 < Bushmills> i see
03:45 < LumberCartel> He's using OpenVPN 2.1-rc7 on the server, and 2.0-something on the client.
03:45 < LumberCartel> I suggested upgrading to rc19 on both.
03:45 < LumberCartel> I had performance problems that were resolved after rc10 or rc13 (I don't recall exactly).
03:45 < Bushmills> shouldn't hurt to do so
03:46 < LumberCartel> I've got OpenVPN deployed at all the sites I'm responsible for.
03:47 < LumberCartel> The Widows XP/Vista support is excellent with the current release.
03:48 * LumberCartel uses NetBSD servers for the server-side of OpenVPN on all but two of client sites.
03:49 < LumberCartel> Those two are running Widows 2003 and it slows down intermittently (but that's a Widows problem because it's not just OpenVPN that gets affected by this).
03:51 < LumberCartel> They'll be switching to NetBSD sometime between now and the end of 2009.
03:51 < LumberCartel> At that point, this problem will be resolved.
04:08 < roninbaka> Would it be possible to route by country using OpenVPN? I'm in China and I have a openVPN provider in the US and I'd like to try and put all traffic that is not internal to China and route it over VPN is this possible?
04:09 < Bushmills> roninbaka: you can route by destination net / ip address
04:11 < Bushmills> probably easier to route all china addresses to provider, and default (the rest) through openvpn
04:11 < roninbaka> could you point me to a place that would be able to list this? I will probably have to setup my routers DNS server to access OpenDNS through open VPN as well. Even with openDNS dns requests still get changed
04:13 < Bushmills> roninbaka: for DNS, best configs would probably be, either a local resolver with upstream through DNS, or a local recursor with default through openvpn
04:13 < Bushmills> with upstream through openvpn, i mean ...
04:13 < LumberCartel> roninbaka: If you know Perl, this module will be helpful to you: IP::Country::Fast
04:13 < LumberCartel> That module could be used to examine your computer's IP address, then contact the correct OpenVPN server after that.
04:14 < LumberCartel> Examining the computer's IP address will reveal which country you're in. 04:15 < LumberCartel> ...unless you're behind a firewall, in which case you'll need to "wget http://www.lumbercartel.ca/tools/ip.html" to find out what the public IP really is. 04:18 < roninbaka> Thanks Guys I've found a list of the IP ranges in China from countryipblocks.net even if there is something missing from this having it go through VPN will only result in a bit of a speed hit. So putting everything through openVPN except china is definitely the way to go thanks 04:19 < LumberCartel> That's great, I'm glad you found a way to solve your problem. 04:20 < roninbaka> I'm cursed by internet filtering. 04:20 < Bushmills> as local recursor, check out maradns. small footprint, simple config, and fast. 04:21 < Bushmills> (can also be used as local resolver) 04:22 < Bushmills> (resolver as in dns cache, without recursing itself) 04:29 -!- c64zottel [n=hans@p5B179865.dip0.t-ipconnect.de] has joined ##openvpn 04:29 * LumberCartel wonders how many more folks will be talking Commodore 64 tonight. 04:29 -!- c64zottel [n=hans@p5B179865.dip0.t-ipconnect.de] has left ##openvpn [] 05:08 -!- LumberCartel [n=LumberCa@24.86.160.252] has left ##openvpn [] 05:09 -!- unixSnob [n=jj@ip-94-140-188-213.reverse.destiny.be] has joined ##openvpn 05:10 < unixSnob> suppose you have multiple openvpn config files - which one does the init.d script choose? 05:21 < reiffert> unixSnob: depends. 05:22 < unixSnob> reiffert: just got my answer, I believe. /etc/defaults/openvpn needs to be edited 05:22 < reiffert> unixSnob: it highly depends on the init.d script itself. Every distribution comes with its own implementation. 05:23 < unixSnob> wouldn't the existence of the file upon installation in the distro be a clear sign that it's used 05:23 < unixSnob> ? 05:24 < unixSnob> it probably appeared as a result of running aptitude install openvpn 05:25 < reiffert> "of the file", which one? 
05:27 < unixSnob> reiffert: the /etc/default/openvpn was created for me.. I didn't have to generate it from scratch 05:27 < reiffert> unixSnob: you are right that the existence of a file might be an indication that it will be used, however coming back to your initial questions, it highly depends on the init.d script itself which one and how many multiple openvpn config files get chosen. 05:28 < reiffert> will get chosen? 05:29 < unixSnob> i just looked at the init script. It sources /etc/default/openvpn 05:32 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 05:33 -!- unixSnob [n=jj@ip-94-140-188-213.reverse.destiny.be] has quit ["leaving"] 06:15 -!- iamamoron [n=iamamoro@210.238.181.188] has quit [Read error: 113 (No route to host)] 06:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 06:32 -!- mirco [n=mirco@p54B255C0.dip.t-dialin.net] has joined ##openvpn 06:33 -!- ronin-baka [n=email@220.163.33.42] has joined ##openvpn 06:35 -!- roninbaka [n=email@220.163.61.237] has quit [Read error: 60 (Operation timed out)] 06:49 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn 06:57 -!- _impuls [n=m@gateway.theta.stoerimpuls.net] has joined ##openvpn 06:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 06:58 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 07:09 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 07:19 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: disco- 07:45 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has joined ##openvpn 08:06 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 08:18 < Douglas> BLAHHHHHHHHHHHHHH 08:36 < |Mike|> blah what 08:38 < Douglas> i donno 08:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:48 -!- Pig [n=dark@82.77.65.174] has joined ##openvpn 08:49 < Pig> hello 08:49 < Pig> i installed openvpn using 'apt-get install openvpn 08:49 < Pig> and 
configured it, but when i start it i keep getting 'failed' 08:49 < Pig> and in /var/log/openvpn-status.log it says nothing 08:49 < Pig> how can i troubleshoot? 08:49 < krzee> thats not a log 08:49 < krzee> thats a status fil 08:49 < krzee> file 08:50 < Pig> ok 08:50 < krzee> check /var/log/messages 08:50 < Douglas> fffffffff 08:50 < Douglas> sweet 08:50 < Douglas> my colo bill was $375 this month instead of $500 08:50 < Pig> nothing in there 08:51 < Pig> Starting virtual private network daemon: server failed! 08:51 < Douglas> !configs 08:51 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:52 < Pig> i see there is no tun interface in ifconfig 08:55 < Douglas> that only comes up once openvpn runs 08:55 < Pig> oh 08:55 < Pig> hmm 08:55 < Pig> maybe my box is not compatible with openvpn 08:55 < Douglas> err 08:55 < Douglas> ive never heard of that before 08:55 < Douglas> ever 08:56 < Pig> i'm not even able to create a tan interface 08:56 < Pig> http://pastebin.com/d42c5f6c5 08:57 < Douglas> uname -a 08:57 < Pig> Linux hax 2.6.28.4-xxxx-std-ipv6-64 #2 SMP Wed Feb 18 16:36:25 UTC 2009 x86_64 GNU/Linux 08:57 < Douglas> interesting 08:57 < Douglas> custom kernel then 08:57 < Pig> might be the ipv6 that is bringing problems? 
08:58 < Pig> i will install on another one instead 08:58 < Pig> thanks 09:14 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 09:29 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has quit ["Verlassend"] 10:51 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has joined ##openvpn 11:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:19 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:21 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 11:22 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)] 11:29 -!- subinacls__ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 11:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 11:33 -!- subinacls__ [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 131 (Connection reset by peer)] 11:34 -!- subinacls [n=subinacl@97.100.182.253] has joined ##openvpn 11:34 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- hyper_ch [n=hyper@adsl-84-227-140-82.adslplus.ch] has joined ##openvpn 11:44 < hyper_ch> !howto 11:44 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:45 < hyper_ch> !route 11:45 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:48 < hyper_ch> !redirect 11:48 < vpnHelper> hyper_ch: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 11:52 < hyper_ch> hhhmmmmm, I'm confused with the routing. 
I setup a server (static IP on the net) and a client (current in a lan) and this works fine. The client can ping the server through vpn and can ssh into it. However when I try to run a program through the vpn that needs to access the internet through the server it won't work 11:57 -!- subinacls [n=subinacl@97.100.182.253] has quit [Remote closed the connection] 11:57 -!- subinacls [n=subinacl@97.100.182.253] has joined ##openvpn 11:58 < subinacls> i am looking for some advice on tunneling client traffic over vpn 11:58 < subinacls> i am almost sure i have bad configs 11:58 < subinacls> can i see someones configs 11:58 < subinacls> for both the server and client 11:58 < subinacls> who is tunneling client traffic over their vpn 11:58 < hyper_ch> subinacls: well, it works for me as I can connect to tunneled machines 11:58 < hyper_ch> but I can't reach the internet through the tunnel 12:00 < subinacls> yes that is my problem 12:00 < subinacls> i am trying to set up a tunnel which will allow my clients to forward their traffic over the tunnel to the internet 12:00 < subinacls> i can connect to the server 12:00 < subinacls> no problem 12:00 < hyper_ch> welcome to the club :) 12:12 < bauruine> hyper_ch, http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways works for me :-) 12:12 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu) 12:12 < subinacls> damn PITA configurations 12:13 < bauruine> but i can't reach my machine over my normal not vpn ip anymore :-( 12:13 < hyper_ch> bauruine: will try :) 12:14 < subinacls> flush the nat tables 12:14 < subinacls> and make sure your routes are clean 12:16 < bauruine> subinacls, i think there are some problems with my routing tables :-/ i will nopaste it maybe you find something wrong. 12:16 < subinacls> maybe... 
12:16 < subinacls> im not having the best day of my life with openvpn today 12:19 < bauruine> http://pastebin.com/d6945123 thats my config on the router 12:20 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 12:21 < bauruine> everything works but i can't ping 85.4.68.228 from the internet 12:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 12:24 < hyper_ch> how do I ping from the vpn client through the vpn tunnel an address on the internet? 12:24 < hyper_ch> I tried: ping -I tun0 google.com 12:24 < hyper_ch> I also tried to use the ip: ping -I 10.8.0.6 google.com 12:28 < hyper_ch> ifconfig on the client gives this: http://www.pastebin.ca/1531611 12:30 < hyper_ch> nah, can't reach the internet through the vpn server 12:31 < bauruine> hyper_ch, enabled ip_forward and nat? 12:31 < hyper_ch> run the command for the ip_forward 12:31 < hyper_ch> no clue if that works 12:31 < hyper_ch> and added the nat entry 12:32 < hyper_ch> bauruine: the nat table: http://www.pastebin.ca/1531615 12:33 < Douglas> hyper_ch 12:34 < Douglas> linux? 12:34 < hyper_ch> Douglas: yes 12:34 < Douglas> on the openvpn server, cat /proc/sys/net/ipv4/ip_forward 12:34 < hyper_ch> that returns 0 12:34 < Douglas> that is your issue then 12:34 < hyper_ch> sorry 12:34 < Douglas> almost guaranteed 12:34 < hyper_ch> wrong machine :) 12:34 < Douglas> oh 12:34 < hyper_ch> that returns 1 12:34 < Douglas> it needs to return 1 on openvpn server 12:35 < Douglas> iptables stopping it? 12:35 < hyper_ch> ks357331:/etc/network# cat /proc/sys/net/ipv4/ip_forward 12:35 < hyper_ch> 1 12:35 < hyper_ch> what about iptables? 
12:35 < hyper_ch> I posted above the nat table for it 12:35 < Douglas> hm 12:36 < hyper_ch> from the client I can ping the server just fine, I can even ssh into it through the tunnel 12:36 < hyper_ch> but I can't ping google.com from the client through the tunnel 12:37 < hyper_ch> by using ping -I tun0 google.com and ping -I 10.8.0.6 google.com 12:37 < Douglas> !all 12:37 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 12:38 < hyper_ch> hmmm 12:38 < hyper_ch> what log files? 12:39 < Douglas> the openvpn one 12:39 < hyper_ch> is there even one? 12:39 < Douglas> ... 12:39 < Douglas> start with !configs 12:39 < Douglas> !configs 12:39 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:39 < Douglas> then i'll tell you about 12:40 < Douglas> !logs 12:40 < vpnHelper> Douglas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 12:40 < hyper_ch> --> /var/log has nothing separate for openvpn 12:40 < Douglas> generally speaking 12:40 < Douglas> its in the openvpn config folder 12:40 < Douglas> ie /etc/openvpn, or where ever you stored config & started vpn 12:40 < hyper_ch> that grep thing does not work 12:41 < Douglas> explain 12:41 < hyper_ch> hyper@xubi:/etc/openvpn$ `grep -vE '^#' client.conf` 12:41 < hyper_ch> bash: client: command not found 12:41 < Douglas> client.conf 12:41 < Douglas> is that the correct file? 
12:41 < hyper_ch> yes 12:41 < Douglas> take the `'s out 12:44 < hyper_ch> Douglas: http://www.pastebin.ca/1531620 12:45 < Douglas> kimsufi ! 12:45 < Douglas> fail 12:45 < Douglas> status openvpn-status.log 12:45 < Douglas> whats in that file 12:46 < hyper_ch> Douglas: http://www.pastebin.ca/1531622 12:46 < hyper_ch> Douglas: why fail with kimsufi? 12:46 < Douglas> cuz they are another hosting company 12:46 < Douglas> lol 12:47 -!- subinacls [n=subinacl@97.100.182.253] has quit [Read error: 54 (Connection reset by peer)] 12:47 < Douglas> hyper_ch: is there anything in /var/log/messages 12:47 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 12:47 < Douglas> for openvpn 12:48 < hyper_ch> http://www.pastebin.ca/1531624 12:48 < hyper_ch> disabled privacy extension 12:49 < hyper_ch> (after this hard copy/paste work I have to put a pizza into the oven) 12:49 < Douglas> lol 12:49 * Douglas gets a perspiration rag 12:50 < hyper_ch> so, pizza is in the oven 12:51 < hyper_ch> (it should be working :( ) 12:56 < hyper_ch> Douglas: I guess it's strange for you also? 13:03 < hyper_ch> I did now save all iptables rules to a file: http://www.pastebin.ca/1531634 13:07 * Douglas loo 13:07 < Douglas> k 13:11 < hyper_ch> Douglas: but it does not help :( 13:17 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has quit [Read error: 113 (No route to host)] 13:29 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn 13:37 -!- kab [n=_k_a_b_@189.155.251.230] has joined ##openvpn 13:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:43 < Douglas> Last Result: 13:43 < Douglas> Download Speed: 409308 kbps (51163.5 KB/sec transfer rate) 13:43 < Douglas> Upload Speed: 5973 kbps (746.6 KB/sec transfer rate) 13:51 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn 13:53 < hyper_ch> Douglas: ? 13:53 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Nick collision from services.] 
13:53 -!- subinacls_ is now known as subinacls 13:58 < Douglas> hyper_ch: my connection 13:58 < Douglas> wins 13:58 < hyper_ch> nice downspeed 13:58 < Douglas> idk why upload is failing 13:58 < Douglas> its full duplex 13:58 < hyper_ch> but you have no idea why it's not working for me, right? 13:58 < Douglas> n 13:58 < Douglas> post it here 13:58 < Douglas> !forum 13:58 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:01 < hyper_ch> Douglas: I'll restart teh server first and try again:) 14:03 < hyper_ch> Douglas: you work at a hosting company also? 14:06 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 14:15 < Douglas> hyper_ch 14:15 < Douglas> yes 14:15 < Douglas> and i help run one 14:15 < hyper_ch> Douglas: any good offers? 14:20 < Douglas> not that can compete with kimsufi 14:21 < Douglas> as far as traffic goes 14:21 < hyper_ch> what do you mean by as far as traffic goes? 14:22 < Douglas> we dont give 100mbps unmetered 14:22 < Douglas> only 2000 or 3000gb 14:23 < hyper_ch> I don't think I hit that much yet 14:23 < Douglas> pm? 
14:23 < hyper_ch> go ahead 14:23 < Douglas> dont want to spam the channel 14:23 < Douglas> ecrist yells at me enough 14:32 -!- Pig [n=dark@82.77.65.174] has quit ["You can turn your back on a person, but never turn your back on a drug."] 14:45 -!- subinacls [n=subinacl@97.100.182.253] has quit [Read error: 60 (Operation timed out)] 14:45 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 15:00 < reiffert> moin 15:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:25 -!- mirco [n=mirco@p54B255C0.dip.t-dialin.net] has quit [] 15:30 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 145 (Connection timed out)] 15:35 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has joined ##openvpn 15:35 -!- plt [n=plt@c-69-181-147-87.hsd1.ca.comcast.net] has left ##openvpn [] 15:44 -!- kab_ [n=_k_a_b_@189.231.60.194] has joined ##openvpn 16:00 -!- kab [n=_k_a_b_@189.155.251.230] has quit [Read error: 110 (Connection timed out)] 16:18 -!- _kab_ [n=_k_a_b_@189.231.14.227] has joined ##openvpn 16:35 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn 16:38 -!- kab_ [n=_k_a_b_@189.231.60.194] has quit [Read error: 110 (Connection timed out)] 16:39 -!- PokerFacePenguin [n=joe@68.16.15.79] has joined ##openvpn 16:40 -!- kab_ [n=_k_a_b_@189.155.223.232] has joined ##openvpn 17:01 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 17:02 < plaerzen> ha 17:02 -!- _kab_ [n=_k_a_b_@189.231.14.227] has quit [Read error: 110 (Connection timed out)] 17:02 < reiffert> ho 17:03 < Douglas> he 17:03 < subinacls> i have tried till mt hearts content with trying to get clients to forward traffic over the vpn link 17:03 < Douglas> !redirect-gateway 17:03 < vpnHelper> Douglas: Error: "redirect-gateway" is not a valid command. 17:03 < Douglas> blah 17:03 < subinacls> yep have that 17:03 < Douglas> vistac lients? 
17:03 < Douglas> vista clients 17:03 < Douglas> !factoids search redirect gateway 17:03 < vpnHelper> Douglas: No keys matched that query. 17:03 < subinacls> also did a bunch of iptables-fu 17:03 < Douglas> !factoids search redirect-gateway 17:03 < vpnHelper> Douglas: No keys matched that query. 17:03 < Douglas> !factoids search forum 17:03 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 17:04 * Douglas farts 17:04 < Douglas> !interface 17:04 < vpnHelper> Douglas: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:05 < reiffert> !factoids search redirect 17:05 < vpnHelper> reiffert: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
17:05 < Douglas> are you f kidding me 17:05 < subinacls> im putting together my information 17:05 < subinacls> i will post in one moment 17:05 < Douglas> subinacls: see !all 17:05 < Douglas> !all 17:05 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 17:15 < subinacls> http://slexy.org/view/s22ono8w0G 17:15 < vpnHelper> Title: #openvpn help // Slexy 2.0 (at slexy.org) 17:15 < subinacls> the OS is Ubuntu 17:15 < subinacls> 8.10 17:15 < subinacls> linode hosted 17:16 < subinacls> kernel has tun compiled into it 17:16 -!- _kab_ [n=_k_a_b_@189.231.64.160] has joined ##openvpn 17:16 < subinacls> openvpn ver 17:16 < subinacls> 2.0.9 17:17 < subinacls> client can connect to it 17:17 < subinacls> just not forward their traffic over the link 17:17 < subinacls> if you guys can help make this work 17:17 < subinacls> that would be astounding 17:18 < reiffert> j 17:18 < reiffert> 2.0.9 is three years old. update to 2.1 rc19 17:18 < subinacls> will do! 17:18 < reiffert> and be sure to read 17:18 < reiffert> !route 17:18 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:20 < subinacls> will do! 17:20 < subinacls> i have an odd configuration 17:20 < subinacls> i am behind 2 nat routers 17:20 < subinacls> any problems with this configuration i may need to know ? 17:20 < reiffert> be sure to be able to add static routes to those nat routers 17:21 < subinacls> so i may want to just go ahead and many my network static ? 17:21 < subinacls> make(*) 17:21 < reiffert> depends on your setup, e.g. 
run openpvn on those nat boxes 17:24 < krzee> it only matters if you plan on sharing lans over the vpn, then theres an extra step 17:24 < krzee> or if you plan on contacting inet over the lan 17:24 < reiffert> he is, isnt he? 17:25 < reiffert> 00:03 < subinacls> i have tried till mt hearts content with trying to get clients to forward traffic over the vpn link 17:25 < reiffert> oh, he's not. 17:25 < reiffert> normal push "redirect-gateway def1" will do 17:25 < krzee> ahh ok 17:26 < krzee> that will, then he needs to nat the vpn network to the lan ip 17:26 < krzee> and it will get NAT'ed again 17:26 < krzee> OR 17:26 < subinacls> currently i reside behind a pfsense box 17:26 < krzee> nat the vpn network at the existing nat box 17:26 < krzee> along with a route back to vpn network via the vpn box on lan 17:35 -!- kab_ [n=_k_a_b_@189.155.223.232] has quit [Read error: 110 (Connection timed out)] 17:35 -!- kab_ [n=_k_a_b_@189.231.53.29] has joined ##openvpn 17:38 < subinacls> sorry had a phone call 17:38 < subinacls> behind the pfsense box i am on a tomato flashed linksys wrt54g 17:39 < subinacls> so i nat the route from tomato to pfsense 17:39 < krzee> nat a route? 17:39 < subinacls> the vpn sorry 17:39 < krzee> you can 17:39 < krzee> or you can setup a route on pfsense knowing vpn subnet is behind 17:40 < krzee> as well as a nat entry for the vpn subnet identical to your lan nat stuff 17:40 < krzee> which is prolly easier, as opposed to double nat'ing 17:41 < subinacls> hmm maybe a network rework is called for 17:41 < subinacls> tty for the advice! 
17:41 -!- _kab_ [n=_k_a_b_@189.231.64.160] has quit [Read error: 60 (Operation timed out)] 17:42 -!- _kab_ [n=_k_a_b_@189.155.240.174] has joined ##openvpn 17:44 < krzee> np 17:51 -!- kab_ [n=_k_a_b_@189.231.53.29] has quit [Read error: 145 (Connection timed out)] 17:59 < |Mike|> yo 18:02 -!- kab_ [n=_k_a_b_@189.155.236.79] has joined ##openvpn 18:05 < krzee> yoyoyo 18:06 < krzee> |Mike|, wheres a 24-hour food delivery in downtown amsterdam!? 18:06 < |Mike|> i have no idea 18:06 < krzee> =[ 18:06 < |Mike|> there are stores which are open for 24/7 tho 18:07 < reiffert> krzee: you are in amsterdam? 18:07 < krzee> yup! 18:07 -!- jm2 [n=jm@c-24-13-145-59.hsd1.il.comcast.net] has joined ##openvpn 18:07 < reiffert> crazy, how long do you stay in europe? 18:07 < reiffert> are you going to 18:07 < krzee> plane takes off in 7 hrs 18:08 < reiffert> wow, that's a quite short trip, eh? 18:08 < krzee> very 18:09 < reiffert> how's that? We could have met together 18:09 < krzee> but my body can only take so much of the narcotic tourism i was engaging in 18:09 < krzee> is amsterdam close to germany?? 18:09 < |Mike|> krzee: chris already left ? 18:09 < |Mike|> 300km 18:09 < reiffert> krzee: let's say 350km to my place 18:09 < krzee> nah hes next to me 18:09 < |Mike|> if you're going to meet me, you're close to the german border :p 18:10 -!- _kab_ [n=_k_a_b_@189.155.240.174] has quit [Read error: 60 (Operation timed out)] 18:10 < reiffert> Google thinks it's 430km 18:12 < reiffert> visiting HAR2009? 
18:12 -!- hyper_ch [n=hyper@adsl-84-227-140-82.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 18:12 < |Mike|> reiffert: he had no ticket 18:12 < |Mike|> i spoke with krzee yesterday on the phone 18:13 < krzee> har was the excuse, i had shittons of fun with ryan and chris 18:13 < reiffert> :D 18:13 < krzee> im gunna go look for food 18:13 < reiffert> enjoy your stay, I'm off to bed 18:14 < krzee> right on bud 18:14 < krzee> weird being around same time as you 18:14 < Douglas> o.o 18:14 < krzee> lol 18:14 < Douglas> krzee likes boys 18:14 < krzee> Douglas, ? 18:14 < Douglas> i donno 18:14 < Douglas> lol 18:15 < |Mike|> are you still in adam krzee ? 18:15 < krzee> that was only you 18:15 < krzee> |Mike|, ya til 8am 18:15 < krzee> plane leaves 8am 18:15 < |Mike|> when is chris leaving ? 18:15 -!- hyper_ch [n=hyper@adsl-84-226-47-91.adslplus.ch] has joined ##openvpn 18:15 < krzee> afternoon 18:15 < |Mike|> on monday aswell ? 18:16 < reiffert> http://www.google.de/search?q=amsterdam+night+life&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a 18:16 < vpnHelper> Title: amsterdam night life - Google-Suche (at www.google.de) 18:16 < krzee> ya 18:16 < |Mike|> word 18:16 < |Mike|> no chance to meet up with him 18:16 < krzee> reiffert, if one of those delivers food... 
18:16 < krzee> im on top of it 18:17 < reiffert> http://www.google.de/#hl=de&q=Amsterdam+Nightlife&btnG=Google-Suche&meta=&aq=f&fp=eb7d8eb6a2f89501 18:17 < vpnHelper> Title: Google (at www.google.de) 18:17 < reiffert> it really looks like "life" can be reduced to the inner circle :) 18:17 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 18:18 < krzee> ya it sucks, i didnt realize you were so far away 18:18 < reiffert> http://couponing.about.com/od/pizzacouponsinoh/qt/pzoh166.htm 18:18 < vpnHelper> Title: Amsterdam Pizza Coupons - Pizza Coupons and Locations in Amsterdam, OH (at couponing.about.com) 18:18 < reiffert> Mo's Pizza, SPringfield Rd 18:18 < krzee> Amsterdam, OH 43903 18:18 < krzee> lol 18:19 < reiffert> OH is Ohio, eh? 18:19 < krzee> ya 18:19 < krzee> like usa 18:19 < krzee> ;] 18:19 < reiffert> off by 6.000km, close :) 18:19 < |Mike|> krzee: yeah, i'm 250 km away from your place 18:19 < reiffert> http://www.google.de/#hl=de&q=Amsterdam+pizza+&meta=&fp=eb7d8eb6a2f89501 18:19 < vpnHelper> Title: Google (at www.google.de) 18:20 < BasketCase> off by enough to be using the wrong unit of measure :P 18:20 < Douglas> oh shit 18:20 < Douglas> krzee 18:20 < krzee> damn! if i made it out there i coulda met with reif and bush 18:20 < Douglas> you're in ohio? lol 18:20 < |Mike|> it was fun to have you on the phone tho :D 18:20 < Douglas> oh 18:20 * Douglas d'oh 18:20 < reiffert> BasketCase: beg your pardon? 18:20 < krzee> hehe same 18:21 < BasketCase> in Ohio they use miles not km 18:21 < krzee> heh 18:21 < reiffert> :) 18:21 < reiffert> BasketCase: it's their fault. 
18:22 < BasketCase> agreed (and I am in Orlando Florida so I am stuck with miles too) 18:22 < krzee> i was in orlando very recently 18:22 < krzee> maybe like 2-3 weeks ago 18:22 < BasketCase> so was I ;) 18:22 < krzee> hehe 18:23 < BasketCase> you could come back and teach one of our LUGs how to do OpenVPN 18:23 < BasketCase> actually, you were probably here during the last meeting 18:23 < reiffert> I guess !howto could be too simple. 18:31 < jm2> i have tried to connect to a Microsoft server using openserver, but I am clueless on how to tell if the connection is really made. 18:33 < |Mike|> krzee: msg me your skype addy :) 18:34 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn 18:36 -!- _kab_ [n=_k_a_b_@189.231.52.242] has joined ##openvpn 18:46 -!- jm2 [n=jm@c-24-13-145-59.hsd1.il.comcast.net] has quit [Client Quit] 18:52 -!- kab_ [n=_k_a_b_@189.155.236.79] has quit [Read error: 110 (Connection timed out)] 18:55 < |Mike|> krzee: 18:55 < Douglas> swallows 19:10 -!- kab_ [n=_k_a_b_@189.155.228.155] has joined ##openvpn 19:10 -!- subinacls is now known as Sub-OUT-acls 19:17 -!- _kab_ [n=_k_a_b_@189.231.52.242] has quit [Read error: 60 (Operation timed out)] 19:23 -!- PokerFacePenguin [n=joe@68.16.15.79] has left ##openvpn [] 19:34 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 19:45 -!- _kab_ [n=_k_a_b_@189.231.0.57] has joined ##openvpn 19:52 -!- CRASH69 [n=crash@201.200.94.66] has quit ["Leaving."] 20:03 -!- kab_ [n=_k_a_b_@189.155.228.155] has quit [Read error: 110 (Connection timed out)] 20:13 -!- iamamoron [n=iamamoro@210.238.181.188] has joined ##openvpn 20:13 < iamamoron> hi there 20:14 < iamamoron> openvpn is still slow 20:14 < iamamoron> any ideas? 20:19 -!- kab_ [n=_k_a_b_@189.155.239.236] has joined ##openvpn 20:19 < iamamoron> : any ideas 20:19 < iamamoron> open vpn is very slow 20:20 < iamamoron> it seems that the vpn is congested any ideas? 
20:21 < iamamoron> when i ping the public ip of openvpn client it says 100ms but when i ping internal ip it says 300ms any ideas? 20:27 -!- _kab_ [n=_k_a_b_@189.231.0.57] has quit [Read error: 145 (Connection timed out)] 20:36 < krzee> running it on tcp? 20:39 < iamamoron> yes 20:39 < iamamoron> i am running it on tcp 20:40 < krzee> running it on tcp?1tcp 20:40 < krzee> oops 20:40 < Douglas> lol 20:40 < Douglas> !tvcp 20:40 < krzee> !tcp 20:40 < Douglas> !tcp 20:40 < vpnHelper> Douglas: Error: "tvcp" is not a valid command. 20:40 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:40 < vpnHelper> Douglas: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:40 < Douglas> bastard! 20:43 < iamamoron> so what should be done? 20:44 < Douglas> dont use tcp 20:51 -!- _kab_ [n=_k_a_b_@189.231.69.7] has joined ##openvpn 20:54 -!- master_of_master [i=master_o@p549D449F.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 20:58 -!- master_of_master [i=master_o@p549D3E26.dip.t-dialin.net] has joined ##openvpn 21:09 -!- kab_ [n=_k_a_b_@189.155.239.236] has quit [Read error: 110 (Connection timed out)] 21:11 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn 21:13 -!- Sub-OUT-acls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)] 21:24 -!- subinacls_ is now known as subinacls 21:38 < iamamoron> would it fix this shit? 21:39 < BasketCase> a 300% slowdown isn't completely out there for using tcp 21:39 < iamamoron> BasketCase: ? 21:39 < BasketCase> it is on the high side but within understandable results 21:39 < krzee> you really asked that an hour later instead of already testing it? 21:40 < iamamoron> BasketCase: : what should be done? 
21:40 < BasketCase> try tcp 21:40 < BasketCase> err, try udp 21:41 < BasketCase> 50% slowdown is within the expected window for udp 21:41 < BasketCase> you are testing with icmp. icmp is certainly not designed to flow over tcp. 21:42 < BasketCase> I would actually expect icmp over udp to be FASTER than plain icmp since most ISPs and backbone routers give icmp very low priority. 21:43 < BasketCase> most of the ISPs I have talked to won't even listen to you if you say icmp is slow. you have to give them a real service like http before they care. 21:45 < iamamoron> so you mean openvpn is really slow 21:45 < BasketCase> no, tunneling things over tcp is really slow 21:45 < iamamoron> because even udp is 50% slow 21:45 < BasketCase> I would say that 100-2000% slow down is within reason for a tcp tunnel 21:45 < BasketCase> -20-50% slow down is within reason for a udp tunnel 21:46 < BasketCase> !tcp 21:46 < vpnHelper> BasketCase: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 21:46 < BasketCase> did you read that? 21:47 < BasketCase> (the 2000% I mentioned is for tcp over tcp. udp or icmp over tcp is probably a 50-1000% slow down. 21:47 < BasketCase> depending on connection quality 21:48 < BasketCase> and yes, I really did intend to put that many zeros there. 21:48 < iamamoron> for what reason? 
21:48 < BasketCase> because tcp is an error correcting and dynamic timeout protocol 21:49 < BasketCase> you can end up with multiple layers of retransmissions 21:49 < BasketCase> multiplying the amount of traffic being transmitted 21:50 < BasketCase> basically, tcp protocols will be overly retransmitted while udp and icmp protocols will either get data they don't need anymore or will also be overly retransmitted 21:51 < BasketCase> and that isn't taking into account the packet order stuff 21:52 < krzee> iamamoron, if you read that link (which i put on my bot from the manual) which you were linked to 70 minutes ago, you would know all about it 21:53 < BasketCase> it is pretty technical but essentially it means tunneling over tcp is bad/slow 21:54 < BasketCase> unfortunately tunneling over ssh has pretty much the same problem 21:55 < BasketCase> tunneling NFS is fun :P 21:56 < BasketCase> I need to setup some kind of media streaming service for my vpn. If you are playing music or video you really don't want any kind of retransmission. Once a packet is missed you don't care about it anymore 21:56 < BasketCase> NFS over OpenVPN just doesn't cut it from crappy coffee shop connections 21:57 < ecrist_mac> BasketCase: NFS over anything other than LAN is fail 21:57 < BasketCase> yeah, I noticed :( 21:58 < BasketCase> I just haven't gotten around to setting up or even picking an alternative 21:58 < BasketCase> not much motivation when I have an iPod that is local :P 21:58 < ecrist_mac> I would recommend Samba or AFP for client workstations, or a nightly rsync. 21:59 < BasketCase> no disk space for rsync, no Mac for AFP 21:59 < BasketCase> laptop == 40GB 21:59 < BasketCase> home media == ~6TB 22:00 < BasketCase> iPod == 160GB 22:01 < BasketCase> I actually do have Samba setup for a local Windows system. I should try it the next time I am somewhere else. 
22:02 < BasketCase> it is read only but that should be OK 22:02 < BasketCase> no way I am letting a Windows computer change anything on a real computer :P 22:02 < ecrist_mac> I use Samba reliably over OpenVPN, safe with AFP 22:04 < BasketCase> yeah, I will have to try it 22:04 < BasketCase> you configure it any differently than normal? 22:05 < BasketCase> I used to support Windows desktops which made me a Samba expert but it has been years since I had to deal with that junk. 22:06 < BasketCase> the guy who wrote Samba Unleashed is a friend of mine but I don't think he knows it as well as I do 22:06 < ecrist_mac> nothing setup within Samba specific to the VPN 22:07 < ecrist_mac> my Samba config is pretty complex with group level shares, various access restrictions and it's all stored in LDAP. ;) 22:07 < BasketCase> k, next time I am elsewhere I will try to smbmount my media instead of NFS mount 22:07 < BasketCase> keeping everything read only means I don't pay too much attention to the security 22:07 < BasketCase> though I used to do netgroups and stuff 22:08 < BasketCase> I haven't had to support Windows professionally since win2k came out :) 22:11 < BasketCase> I got a look at a beta of XP a few days after the last windows using company I worked for went out of business :P 22:14 < ecrist_mac> I administer 35 FreeBSD servers and 3 windows desktops. 22:21 < BasketCase> not bad 22:21 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 22:21 < BasketCase> I have around 120 Linux, 2 OpenBSD, and no Windows. 22:22 < BasketCase> some day I might try to get into FreeBSD 22:22 < BasketCase> I like OpenBSD for pf and Linux for everything else. 22:23 < BasketCase> I know that FreeBSD has pf as well but it is usually a bit behind. 22:24 < BasketCase> my OpenVPN server is on OpenBSD but that is more of a factor of network design than OS preference 22:25 < ecrist_mac> OpenBSD is too obtuse for my tastes, and I'm not a huge fan of Theo's. 
22:25 -!- PokerFacePenguin [n=joe@68.16.15.79] has joined ##openvpn 22:25 < ecrist_mac> FreeBSD is my *nix of choice, and I know it well. 22:26 < BasketCase> I like Theo. I like Linus. I even like DJB. I like people who are willing to say "screw this crap I am writing my own!" 22:28 < BasketCase> my company has extended qmail more than once 22:28 < BasketCase> we even wrote our own crond and ftpd 22:29 < BasketCase> we even extended djbdns though we haven't made that one public 22:29 < BasketCase> (yet) 22:29 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has joined ##openvpn 23:42 -!- PokerFacePenguin [n=joe@68.16.15.79] has left ##openvpn [] --- Day changed Mon Aug 17 2009 00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:21 -!- _kab_ [n=_k_a_b_@189.231.69.7] has quit ["Leaving"] 00:27 -!- sam__ [n=sam@210.73.203.83] has joined ##openvpn 00:27 < sam__> # 00:28 < sam__> HELP, I made a mistake format -- mkdosfs /dev/sda1, HOW can I recover it? 00:29 < tjz> wrong channel 00:29 < tjz> go find linux 00:31 < sam__> sorry for that, I clicked it wrongly 00:32 < BasketCase> lol, and I just had yet another dead WD Raptor drive to deal with :\ 00:33 < BasketCase> luckily I now have an assistant to dispatch to deal with such annoyances :) 00:33 < hyper_ch> hmmm, still that vpn tunnel doesn't work right :( 00:35 < BasketCase> hyper_ch: I don't see your problem in my recent scrollback so you may want to re-post a summary of your problem and see if anyone who is online this time of the day has an idea 00:36 < hyper_ch> BasketCase: douglas tried to help me a couple of hours ago and I posted it in the forum: http://www.ovpnforum.com/viewtopic.php?f=6&t=481&sid=36ccf83defbe24aef56015e27abbd361 00:36 < vpnHelper> Title: OpenVPN Forum View topic - Can't reach the internet through the vpn tunnel (at www.ovpnforum.com) 00:37 < BasketCase> I haven't looked back to the details of your earlier conversation but are you using redirect-gateway in the client config? 
00:38 < BasketCase> that tells the client to replace its default route with the VPN tunnel 00:40 < BasketCase> if you already debugged past that then you are probably beyond my experience so I doubt I can help. 00:40 < hyper_ch> not really 00:41 < hyper_ch> I can connect to the vpn server through the tunnel, I can ping it and vice-versa 00:42 < BasketCase> then your problem is probably either a lack of a route or a lack of routing/nat to the internet 00:42 < hyper_ch> the server has a static IP and is hooked up directly to the net 00:43 < BasketCase> is it setup to route or nat to the internet from the vpn interface? 00:44 < hyper_ch> in the howto I was told to add this rule to iptables on the server: iptables -t nat -A POSTROUTING -o ethX -s 10.8.0.0/24 -j SNAT --to 1.1.1.1 00:46 < BasketCase> I don't really speak iptables but I suspect you are supposed to change ethX to tunX, 10.8* to your vpn network, and 1.1.1.1 to your real IP 00:46 < BasketCase> I might be wrong about the tunX part 00:47 < hyper_ch> well, I used eth0 and the actual static ip 00:47 < hyper_ch> took it from this howto: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways#Forwarding_und_NAT 00:47 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu) 00:48 < BasketCase> with pf I use: nat on $ext_if from $user_ip to any -> $ext_if ($ext_if is my real IP and $user_ip is the VPN IP) 00:49 * BasketCase loves the simplicity and power of pf 00:49 < hyper_ch> no clue what pf is 00:50 < BasketCase> the firewall package that comes with OpenBSD and has been ported to just about every UNIX other than Linux 00:52 < BasketCase> I haven't done NAT on Linux since before iptables came out so I doubt I can help you but your info seems sane. 00:52 < hyper_ch> ok :) 00:53 < hyper_ch> but pf doesn't look any simpler either ;) 00:53 < BasketCase> only because I obscured it with variables 00:53 < BasketCase> oh, do you have ip forwarding enabled? 
00:53 < hyper_ch> yes 00:54 < BasketCase> ok, was worth asking 00:54 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 113 (No route to host)] 00:55 < BasketCase> if I gave you a pf rule like "pass in from $internet proto udp from any to $external_if port 1194" you might have a better impression of pf ;) 00:55 < hyper_ch> :) 00:57 < BasketCase> the iptables equiv would be some nonsense like: iptables -A input -s 0.0.0.0 -d 0.0.0.0 -p tcp -m state --state NEW -m tcp --dport 1194 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 00:57 < BasketCase> s/input/INPUT/ 01:00 < hyper_ch> it's both complicated ;) 01:00 < BasketCase> wait, that isn't specific enough to match the pf rule... 01:01 < BasketCase> the iptables equiv would be some nonsense like: iptables -A INPUT -i eth? -s 0.0.0.0 -d internet_ip -p tcp -m state --state NEW -m tcp --dport 1194 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 01:01 < hyper_ch> I think I solved it now 01:01 < BasketCase> that is as close as I can get to understanding iptables after a couple of drinks :P 01:02 < BasketCase> (I only figured that out because some day I will have to learn iptables) 01:03 < hyper_ch> hehehe 01:03 < hyper_ch> or rather ufw ;) 01:04 < BasketCase> I have used iptables to (mostly) secure an NFS/PXE server so I guess I can claim I know it now. 01:04 < hyper_ch> ufw looks rather simple: http://ubuntuforums.org/showthread.php?t=823741 01:04 < vpnHelper> Title: How-To: UFW - Ubuntu Forums (at ubuntuforums.org) 01:05 < BasketCase> go for it. It runs on top of iptables so it can only remove the ugly ;) 01:06 < hyper_ch> no ufw for debian :( 01:06 < hyper_ch> how can I also use udp through a udp vpn tunnel? 
01:06 < BasketCase> there is no extra config for that 01:06 < BasketCase> it is a simple route 01:07 < hyper_ch> yeah right, "simple" ;) 01:07 < BasketCase> the underlying protocols will not know or care what protocol the tunnel is 01:07 < BasketCase> except that they will go slower if it is tcp 01:07 < hyper_ch> nah, the problem lies not with openvpn it seems 01:08 < hyper_ch> problem is the http proxy server 01:08 < BasketCase> http is tcp 01:08 < BasketCase> and I run http through OpenVPN all the tmie 01:08 < BasketCase> time 01:08 < hyper_ch> well, I'm trying to route all rtorrent traffic through a vpn tunnel 01:08 < reiffert> 08:08 CEST 01:09 < BasketCase> that is a bit difficult unless you are routing all traffic through the tunnel 01:09 < BasketCase> because p2p traffic is pretty unpredictable by nature 01:09 < hyper_ch> the problems are the udp trackers 01:09 < hyper_ch> I figured it out meanwhile with the actual connections... that works 01:09 < hyper_ch> I can bind rtorrent to a given IP 01:09 < BasketCase> if you are using NAT then you have to deal with port forwarding 01:10 < hyper_ch> I have setup squid at the vpnserver and use this in rtorrent: http_proxy=10.8.0.1:3128 01:10 < hyper_ch> tcp trackers work fine the only problem left are the udp trackers 01:11 < BasketCase> bittorrent doesn't really use http 01:11 < BasketCase> especially for udp stuff since http is tcp 01:11 < hyper_ch> the tracker connections do 01:12 < BasketCase> I have my router redirecting ports 6880:6889 to the internal IP that I run my BT client on 01:12 < BasketCase> so the BT client thinks it is on my real IP and so does the rest of the BT network 01:13 < hyper_ch> hmmm 01:14 < BasketCase> in pf speak: rdr on $ext_if proto {tcp udp} from any to $ext_if port 6880:6889 -> $desktop port 6880:6889 01:14 < BasketCase> I have no idea how to redirect with iptables 01:15 < hyper_ch> neither have I ;) 01:15 < hyper_ch> so, I'm gone now 01:15 < hyper_ch> gotta study 01:15 < BasketCase> 
good luck 01:48 -!- ElectricBill [n=bill@smtpv2.cosi.net] has quit [Read error: 60 (Operation timed out)] 01:49 -!- ElectricBill [n=bill@smtpv2.cosi.net] has joined ##openvpn 01:54 -!- sam__ [n=sam@210.73.203.83] has quit [Read error: 60 (Operation timed out)] 02:30 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn 02:36 -!- sam__ [n=sam@210.73.203.83] has joined ##openvpn 02:41 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 03:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:25 -!- deblike [n=xchat@62.68.142.27] has joined ##openvpn 03:50 -!- mirco [n=mirco@p54B26E7C.dip.t-dialin.net] has joined ##openvpn 03:58 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 145 (Connection timed out)] 04:00 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 04:07 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 04:09 -!- sam__ [n=sam@210.73.203.83] has quit [Read error: 131 (Connection reset by peer)] 04:40 -!- sam__ [n=sam@210.73.203.83] has joined ##openvpn 04:58 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 04:59 -!- sam__ [n=sam@210.73.203.83] has quit [Read error: 104 (Connection reset by peer)] 05:11 -!- lataffe__ [n=lataffe@84.211.147.71] has joined ##openvpn 05:16 -!- deblike [n=xchat@62.68.142.27] has quit [Client Quit] 05:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:23 -!- dazo [n=dazo@nat/redhat/x-bb1159ed321d986b] has quit [Remote closed the connection] 05:28 -!- lataffe_ [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 05:29 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has joined ##openvpn 05:35 -!- lataffe__ [n=lataffe@84.211.147.71] has quit [Read error: 145 (Connection timed out)] 05:35 -!- Robuster [n=fff@75.127.95.111] has joined ##openvpn 05:35 < Robuster> how can i troubleshoot why my openvpn is not starting? 
05:35 < Robuster> Starting virtual private network daemon: server(FAILED). 05:35 -!- dazo [n=dazo@nat/redhat/x-lpnqjxrcwnzpropg] has joined ##openvpn 05:36 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 05:38 < hyper_ch> Robuster: linux? 05:39 < Robuster> yes 05:39 < Robuster> but nevermind i solved it, it was some error with the route command 05:39 < Robuster> i have another question, is there any guide how i can create a 'double vpn' ? 05:40 < hyper_ch> no clue what that is 05:40 < hyper_ch> but I daresay that there are guides for just about everything :) 05:40 < Robuster> i think its like user -> vpn -> vpn -> internet 05:41 -!- alex84358 [n=alex@58.34.189.239] has joined ##openvpn 05:41 < hyper_ch> you mean like user -> vpn1 --> server1 --> vpn2 --> server1 --> internet? 05:41 < hyper_ch> sorry, second server should be server2 05:41 < thedoc> hyper_ch, Why so complex? :) 05:42 < hyper_ch> thedoc: ? 05:42 < thedoc> Tunneling through 2 vpn servers :P 05:42 < hyper_ch> thedoc: because Robuster asked for it 05:43 < alex84358> hello guys, I need some help about adding routes in my client - i can ping 10.8.0.1 but my default route is still 192.168.0.1 thus everything is still using the "normal" connection 05:43 < Robuster> yes something like that i dont know how it works really, i bought a vpn before and it said 'double vpn' and that it was extra secure 05:44 < hyper_ch> alex84358: added this to the server config: 05:44 < hyper_ch> push "redirect-gateway def1" 05:44 < hyper_ch> push "dhcp-option DNS 111.111.111.111" 05:44 < hyper_ch> push "dhcp-option DNS 222.222.222.222" 05:44 < hyper_ch> of course using real dns ips 05:44 < thedoc> Robuster, Sounds like marketing bullshit. That's like saying thicker condoms are extra secure :P I'm not saying that it's not workable, I'm just saying that it smells like marketing bullshit :P 05:44 < Robuster> ah ok thanks 05:45 < hyper_ch> Robuster: any closer description? 
05:45 < alex84358> i've been reading doc for hours i think i might use help 05:46 < hyper_ch> alex84358: you know German? 05:47 < Robuster> "Using Double VPN service your Internet provider won't be able to determine a real IP VPN – this will ensure the best anonymity and safety. The traffic passes through two VPN servers. Subscriptions allow having any of our servers on the input." 05:47 < thedoc> hyper_ch, I think the user > vpn1 > server 1 > vpn 2 > server 2 > might show a significant increase in latency and overhead. 05:47 < thedoc> Robuster, Do you have a link to that? 05:47 < Robuster> http://secretsline.biz/ 05:47 < vpnHelper> Title: VPN Service: vpn, openvpn, pptp, proxy, anonymous, hide ip, double vpn, vpn software, vpn service, windows vpn, proxy server, anonymous proxy (at secretsline.biz) 05:48 < hyper_ch> thedoc: according to what Robuster posted it looks like what I posted above 05:49 < thedoc> Most probably. Not sure why that's even considered more security. If one of the vpn servers get rooted, is it really that hard to be rooting the rest? :P 05:50 < Robuster> there is a law in my country that allows the government to warrantlessly wiretap all traffic that crosses the borders, is vpn with triple aes encryption a good choice to stay anonymous? 05:50 < hyper_ch> if the servers are setup identically then rooting the others isn't hard 05:50 < hyper_ch> if they are not, it's more challenging 05:50 < thedoc> hyper_ch, Yeah. Although I have this feeling that it's probably setup in the same manner for ease of management. 05:51 < thedoc> hyper_ch, So that's kind of a moot point. 05:51 < hyper_ch> ;) 05:51 < thedoc> o/ 05:51 < thedoc> brb :) 05:51 < thedoc> dinner time. 
05:52 < hyper_ch> well, I think the best is still to rent a small server, employ full disk-encryption, turn off most of the logging, install a tor-exit node (to have more traffic than just yours) and set it up as vpn server 05:52 < alex84358> hyper_ch no, my German is too old :) 05:52 < Robuster> well i bought a server from OVH and set up a vpn there 05:53 < hyper_ch> Robuster: I did the same 05:53 < hyper_ch> but in addition I also deployed a fully encrypted system :0 05:53 < hyper_ch> alex84358: well, you could use that guide here (it's simple and straight-forward) and for the text passages you could use google translate: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways 05:53 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu) 05:54 < Robuster> thanks hyper_ch 05:55 < hyper_ch> but full-disk encryption took me a little while to deploy on that server (even with a great howto for debian) 05:55 < hyper_ch> I think I did about 5-6 reinstalls of the server through the ovh admin interface 05:58 < hyper_ch> Robuster: what do you have on your server already running? 06:01 < alex84358> hyper_ch I will read this text, thank you 06:01 < hyper_ch> alex84358: good luck 06:07 < Robuster> hyper_ch only vpn 06:10 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:34 < Douglas> fuck 06:38 -!- thedoc [n=tenacity@vpn1.edgewire.sg] has joined ##openvpn 06:44 < kleind> so I see I can configure common-Name-based route pushes. can i also prohibit clients to configure routes themselves? in a test, i could easily "ip route add $net via $openvpn-gateway" and use it. What's the way to address this? Configure static IPs based on the cn and then configure iptables? 
06:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:52 < alex84358> [6:51pm] alex84358: added this to the server config: [6:51pm] push "redirect-gateway def1" > What do you mean exactly by def1 ? 06:52 < hyper_ch> just put that in the server config 06:52 < hyper_ch> alex84358: it's so in that howto that I linked you to 06:52 < Douglas> alex84358: that is how it must be done 06:52 < Douglas> to reroute all traffic 06:53 < Douglas> man i feel like im gonna throw up 06:53 < Douglas> i hate nose bleeds 06:53 < hyper_ch> Douglas: after I added that (and nameservers) it works :) 06:53 < alex84358> by the way i've read the document in german but i don't use a firewall or iptables 06:53 < Douglas> that redirects all traffic 06:54 < hyper_ch> alex84358: is the server linux? 06:56 < alex84358> "def1" as is ? 06:56 < alex84358> what is it refering to ? 06:56 < Douglas> google it 06:57 < alex84358> yes server is linux debian, client is openvpn on osx 07:01 < alex84358> hyper_ch : do you also use iptables ? 07:01 < alex84358> because i'm not and i dont know if I can operate ipforwarding without :/ 07:01 < alex84358> anyway i'm editing my server.conf :) 07:02 < hyper_ch> if you have debian you run iptables 07:03 < reiffert> alex84358: def1 as in READ THE FUCKING MANPAGE 07:06 < Douglas> reiffert++ 07:11 < Douglas> !configs 07:11 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:12 < Douglas> !logs 07:12 < vpnHelper> Douglas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
07:24 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 07:35 < alex84358> push "redirect-gateway def1 bypass-dhcp" makes it ok, however I've got MULTI: bad source address from client...packet dropped showing up on the server when trying to ping anything, I think it's because I'm missing some NAT/route between the tun and the internet , how can i do this? 07:36 < alex84358> (i'm trying to ping an ip from the internet at the moment not a domain name) 07:42 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 07:48 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 07:52 -!- pavelsr [n=pavesr@94.26.69.88] has joined ##openvpn 07:52 < pavelsr> hi, i'm trying to configure bridged vpn server (openvpn) behind NAT, but when I start it I am not able to do ping out of my internal network 07:52 < pavelsr> is there anyone who would like to give me a hand with this 07:53 < pavelsr> unfortunately i cannot handle it on my own 07:55 < alex84358> this error on the server MULTI: bad source address from client...packet dropped ? 08:01 < bauruine> alex84358, you need to use snat or masquerading. 
look at the german documentation its described there 08:10 -!- pavelsr [n=pavesr@94.26.69.88] has quit ["Leaving"] 08:11 -!- alex84358 [n=alex@58.34.189.239] has quit [Remote closed the connection] 08:13 -!- pavelsr [n=pavesr@94.26.69.88] has joined ##openvpn 08:36 -!- pavelsr [n=pavesr@94.26.69.88] has quit [Read error: 110 (Connection timed out)] 08:45 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Remote closed the connection] 08:49 -!- pavelsr [n=pavesr@83.228.8.136] has joined ##openvpn 08:57 -!- jeiworth [n=jeiworth@189.234.3.95] has joined ##openvpn 09:06 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn 09:26 -!- pavelsr [n=pavesr@83.228.8.136] has quit [Read error: 104 (Connection reset by peer)] 09:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:33 -!- ronin-baka [n=email@220.163.33.42] has quit [Read error: 104 (Connection reset by peer)] 09:33 -!- roninbaka [n=email@220.163.33.42] has joined ##openvpn 09:38 -!- iamamoron [n=iamamoro@210.238.181.188] has quit ["Miranda IM! Smaller, Faster, Easier. http://miranda-im.org"] 09:38 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 09:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 09:40 < Douglas> ffffffffff 09:40 < Douglas> spamming bots 09:44 < reiffert> ? 09:44 < Douglas> the forum 09:44 < Douglas> i disapprove minimum 10-15 spam threads per day 09:44 < Douglas> pisses me off 09:45 < reiffert> disapprove all threads in the 1st place and re-approve those when owner starts crying 09:46 < Douglas> nah 09:47 < hyper_ch> Douglas: still here :) you got too much bandwidth? 
09:47 < Douglas> hyper_ch: what about bandwidth 09:47 < hyper_ch> Douglas: if you have too much of it, then this is a nice torrent to spread: http://thepiratebay.org/torrent/5053827 (only 21 GB) 09:47 < vpnHelper> Title: TPB index (download torrent) - TPB (at thepiratebay.org) 09:52 < hyper_ch> Douglas: am I right to assume that running the TPB website takes a lot of computing power and bandwidth and that the actual tracker uses very little? 10:03 -!- rawDawg [n=rawDawg@99.57.58.238] has joined ##openvpn 10:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:41 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection] 10:51 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn 10:56 -!- lataffe [n=lataffe@cm-84.211.147.71.getinternet.no] has quit [Read error: 113 (No route to host)] 11:12 -!- unclecameron [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has joined ##openvpn 11:23 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 11:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:37 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 12:08 -!- jvaill [n=jvaill@mctnnbsa51w-142166095007.pppoe-dynamic.nb.aliant.net] has joined ##openvpn 12:08 < jvaill> hey. 12:09 < jvaill> !howto 12:09 < vpnHelper> jvaill: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:10 < jvaill> I'm trying to configure a VPN so a remote client can access my network, I have dd-wrt installed on my router with OpenVPN 12:10 < jvaill> I can connect fine, but the remote client can't get an IP from the router. 12:10 < jvaill> Been trying for a while now, any help would be appreciated. 
12:13 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn 12:22 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:40 -!- c64zottel [n=hans@p5B17B2F4.dip0.t-ipconnect.de] has joined ##openvpn 12:53 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 13:01 -!- rawDawg [n=rawDawg@99.57.58.238] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 13:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:24 -!- pavelsr [n=pavesr@94.26.69.88] has joined ##openvpn 13:24 < hyper_ch> the vpn works remarkably well :) 13:25 < bauruine> hyper_ch, mhm forwarding of the internet traffic doesn't work :-( i always get "MULTI: bad source address from client [192.168.10.11], packet dropped" i enabled ip forwarding and snat. the same setup worked some time ago but now it fails 13:25 < hyper_ch> bauruine: no clue :) 13:27 < hyper_ch> bauruine: whats your server/client config? 13:27 < hyper_ch> tried to manually delete the routes and restart networking and openvpn? 13:29 < bauruine> i tried it from different machines and vms so old routes should not be the problem 13:30 < bauruine> server.conf http://pastebin.com/d44619c3f and client.conf http://pastebin.com/dd998ae0 13:31 < hyper_ch> bauruine: those are real dns servers? 13:32 < bauruine> hyper_ch, yes 13:33 < hyper_ch> bauruine: can you run on both machines: sudo iptables-save > /etc/iptables.rules and pastebin it? 
13:34 < bauruine> hyper_ch, mom 13:35 -!- jvaill2 [n=jvaill@mctnnbsa51w-142166221012.pppoe-dynamic.nb.aliant.net] has joined ##openvpn 13:38 < bauruine> http://pastebin.com/debfac0f thats the server the client tables are empty 13:38 < hyper_ch> bauruine: in the client I have some additional stuff: http://pastebin.com/m37a8bc99 13:39 < bauruine> i will try it 13:41 < hyper_ch> in the server config I have this additionally: 13:41 < hyper_ch> ifconfig-pool-persist ipp.txt 13:41 < hyper_ch> comp-lzo 13:43 < |Mike|> !linnat 13:43 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:44 < |Mike|> remove that server line 13:44 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 13:45 < bauruine> |Mike|, which line? 13:45 < |Mike|> and don't forget tls-auth :P 13:46 < hyper_ch> bauruine: http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/ 13:46 < vpnHelper> Title: Into.the.Void. » Openvpn MULTI: bad source address from client solution (at www.void.gr) 13:46 < jvaill2> Hey. Does this config look wrong to anyone? http://pastebin.ca/1532834 Server is router running dd-wrt, client can't get an IP from it. 13:47 < hyper_ch> jvaill2: shouldn't it be just "server" at the beginning? 13:48 < jvaill2> I really don't know, should it? does it matter? 13:48 < jvaill2> I can connect to it fine, it just doesn't get an IP 13:48 < jvaill2> or rather, it gets assigned a local ip (169...) 
13:48 < hyper_ch> jvaill2: I don't know either for sure :) 13:49 < hyper_ch> jvaill2: and you miss the address 13:49 < jvaill2> nah, just ommited it for the pastebin :-P 13:50 < hyper_ch> jvaill2: actually, I have no clue:) 13:50 < jvaill2> ok, well thanks anyway! :] 13:50 < jvaill2> who else wants to try? 13:50 < hyper_ch> jvaill2: my server config: http://pastebin.ca/1532843 13:51 -!- jvaill [n=jvaill@mctnnbsa51w-142166095007.pppoe-dynamic.nb.aliant.net] has quit [Read error: 110 (Connection timed out)] 13:51 -!- jvaill2 is now known as jvaill 13:51 < jvaill> hmm. 13:51 < jvaill> this line: ifconfig-pool-persist ipp.txt what does it do ? 13:52 < hyper_ch> no clue, found it in a guide 13:52 < jvaill> what's in your ipp.txt file? 13:52 < hyper_ch> I guess it will just kind of remember client ips 13:52 < hyper_ch> haven't checked ;) 13:52 < jvaill> I forgot to mention, I get an error somewhere along the lines of "MULTI : no dynamic or static remote --ifconfig address is available" on server side. 13:54 < hyper_ch> tried to google for it? 13:54 < jvaill> yes 13:54 < jvaill> big time 13:54 < hyper_ch> well, I can't really help you then 13:54 < jvaill> kk 13:54 < jvaill> thanks for your time anyway 13:55 < hyper_ch> using openvpn since yesterday :) 13:55 < Douglas> hm 13:55 < Douglas> jvaill 13:55 < Douglas> !man 13:55 < jvaill> yes? 13:55 < vpnHelper> Douglas: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:55 < jvaill> trust me 13:55 < jvaill> I've been trying all day 13:55 < jvaill> and a big part of the day friday 13:55 < Douglas> what's your issue 13:55 < jvaill> it connects, but doesn't get an IP from the router 13:56 < jvaill> router is running dd-wrt, with openvpn server. 13:56 < jvaill> instead client gets assigned a local ip (169...) 
13:57 < jvaill> error of "MULTI : no dynamic or static remote --ifconfig address is available" on server logs 13:57 < jvaill> I really don't know what that means. 13:58 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:02 -!- pavelsr [n=pavesr@94.26.69.88] has quit [Read error: 104 (Connection reset by peer)] 14:11 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 14:38 -!- jvaill [n=jvaill@mctnnbsa51w-142166221012.pppoe-dynamic.nb.aliant.net] has quit [] 14:43 -!- jeiworth [n=jeiworth@189.234.3.95] has quit [Read error: 60 (Operation timed out)] 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:14 < bauruine> mhm still doesn't work. if i ping from the vpn client i can see icmp requests (with tshark) but i can't see any icmp replies not even on the eth0 internet interface :-/ maybe there is a problem with the nat rule? 15:22 -!- jeiworth [n=jeiworth@189.177.39.68] has joined ##openvpn 15:28 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:29 < Bushmills> should you want to see icmp replies on eth0, i suggest to turn off openvpn, and route your icmp requests through eth0 15:30 -!- mirco [n=mirco@p54B26E7C.dip.t-dialin.net] has quit [] 15:31 < bauruine> Bushmills, sorry i ping from the client and sniff from the server 15:33 < Bushmills> tshark tun0 interface instead 15:34 < bauruine> Bushmills, http://pastebin.com/d157da2cc 15:39 < bauruine> Bushmills, thats the nat rule http://pastebin.com/d6873d0e4 16:08 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has quit ["Client exiting"] 16:19 -!- c64zottel [n=hans@p5B17B2F4.dip0.t-ipconnect.de] has quit ["Leaving."] 16:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:40 -!- subinacls [n=subinacl@97.100.182.253] has quit [Nick collision from services.] 16:40 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn 17:10 < rawDawg> can you edit the common name in the client crt/key? 
17:15 -!- Elusis [n=onemynds@74.195.23.140] has joined ##openvpn 17:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 17:16 < Elusis> !route 17:16 < vpnHelper> Elusis: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:19 < Elusis> Hi guys. quick question: I have a site-to-site bridge configured on port 1194 and a roadwarrior setup running on 1195... currently I have having trouble getting traffic from the road warrior to the other side of the site bridge. I want to make sure this is possible before I dig deeply into what could be causing the routing issue.. 17:23 < Elusis> !interface 17:23 < vpnHelper> Elusis: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:23 < reiffert> bridging tap0, eth0 and tap1 together to br0? 17:23 < Elusis> roadwarrior is tun 17:23 < Elusis> sorry.. left out that bit 17:25 < Elusis> would rather tap... but was told that connecting multiple clients to a site bridge was impossible 17:25 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn 17:25 < CRASH69> !all 17:25 < vpnHelper> CRASH69: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 17:29 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection] 17:44 < reiffert> Elusis: thats wrong, it works perfectly. 
17:44 < Elusis> hrmm 17:44 < Elusis> thats great news 17:45 < reiffert> you just bridge tap0 to eth0, (+ tap1 in your case) 17:45 < Elusis> still need a seperate instance of openvpn? 17:46 < reiffert> jup 17:46 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit ["cu later"] 17:46 < reiffert> one instance per listen port 17:46 < reiffert> which is quite annoying 17:47 < Elusis> aaah... thats terrific that there is a solution. been trying to get that question answered at the ddwrt forums for weeks now 17:47 < reiffert> uh, ddwrt. 17:47 < reiffert> ddwrt sucks ass. 17:48 < Elusis> bahaha 17:48 < CRASH69> lol 17:48 < Elusis> have a better suggestion? 17:48 < reiffert> there's a quite nice #openwrt on freenode. 17:48 < reiffert> openwrt. 17:48 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 17:49 < reiffert> http://www.milw0rm.com/exploits/9209 17:49 < vpnHelper> Title: DD-WRT (httpd service) Remote Command Execution Vulnerability (at www.milw0rm.com) 17:49 < reiffert> Unlike the already documented CSRF vulnerability ( 17:49 < reiffert> http://www.securityfocus.com/bid/32703 ) this DOES NOT need an authenticated 17:49 < reiffert> session. This means someone can even post some crafted [img] link on a forum 17:49 < reiffert> and a dd-wrt router owner visiting the forum will get owned :) 17:49 < vpnHelper> Title: DD-WRT Cross-Site Request Forgery Vulnerability (at www.securityfocus.com) 17:49 < Elusis> yeah.. I know about that exploit.. its been closed I thought tho 17:50 < reiffert> Elusis: yeah, and 30% of old dd-wrt bunnys remain in an old fashioned way 17:51 < Elusis> yeah.. 
thats the biggest issue you see on the ddwrt forums is running a butt-ass old version of the firmware 17:51 < Elusis> those guys are massiviely unhelpfull there though 17:52 < Elusis> on the forum atleast 17:52 < reiffert> -forum -board >> google 17:54 < reiffert> Elusis: dd-wrt got a nice gui, for sure, but look, the authors are self-employed IIRC and dont spend that much time on development. 17:54 < reiffert> Elusis: it's a 1:1 openwrt copy on a selfmade GUI. More or less. 17:55 < Elusis> yeah.. have been commming to that conclusion myself... the interface is nice but alot of things plain dont work. For instance my VPN setup is all sh scripting because the fkning GUI dont configure it correctly 17:56 < reiffert> GUI is pain in the ass, all the time. 17:56 < Elusis> perhaps I should back away from it and give openwrt a shot.. Im pretty comfortable in the CLI 17:56 < reiffert> does openwrt still stick on NVRAM variables? 17:57 < Elusis> nah..doesnt seem too - atleast on my hardware (WRT54G-TM) 17:57 < reiffert> It was a pain in the ass, too. 17:57 < Elusis> but I will admit they have a real problem with consistency 18:00 < reiffert> there a are in fact major problems on openwrt. 18:01 < Elusis> dont dount it 18:01 < Elusis> doubt* 18:02 < Elusis> whats your feelings on Tomato? 18:02 < reiffert> Whats Tomato? I know potato, an old debian release. 18:03 < CRASH69> rofl is there a beaner? x) 18:05 < Elusis> bahahah 18:06 < Elusis> http://www.polarcloud.com/tomato 18:06 < vpnHelper> Title: Tomato Firmware | polarcloud.com (at www.polarcloud.com) 18:06 < reiffert> Elusis: the domain doesnt end on openwrt.org ... 18:07 < Elusis> yeah.. its another open source wrt variant 18:08 < reiffert> comeone, it's a copy of a copy of a copy .. 18:08 < reiffert> stay with the sources. 18:08 < Elusis> bahaha.. you have a point ;) 18:12 < Elusis> well... one more question for ya bro and I'll leave ya be 18:12 < reiffert> rtfm 18:13 < Elusis> :/ 18:13 < reiffert> come on .. 
18:13 < Elusis> that deserves my standard answer too: SMFD 18:14 -!- Elusis [n=onemynds@74.195.23.140] has quit ["Leaving"] 18:14 < reiffert> Sacramento Metropolitan Fire District? 18:17 < CRASH69> yay a simple Iam bussy will do, or I have no time, or even silence :/ 18:18 < reiffert> I was about to tell him to go ahead asking his question ... 18:18 < reiffert> so after the nice talking we have had previously I didnt expect him to draw such stupid actions. 18:20 < garnser> how amusing, I think I'm going to start spending some more time on this channel 18:23 < CRASH69> ah, but I understand him... no offense, but open community can be *very* rude, and I personally ***hate*** the rtfm, specially after I had try 3 weeks to do something and major failure at, not all of us are programmers or whatever, so is really annoying to get rtfm, and you never know when is a joke (wich in case is tottally good) bah just my point of view, I was following the chat and didnt otice the sarcasm 18:24 < garnser> I must say the manual for openvpn is pretty good though :) 18:24 < garnser> except lately when they've started leaving out new features 18:25 < garnser> but I guess that's what happens when you're trying to go enterprise 18:25 < reiffert> CRASH69: On the opposite you might understand, that when people come here after 3 weeks of bad howtos, funny forums and whatnot they still dont get things in the right order where the beautiful manpage will definitly lead people to illumination. 18:25 < CRASH69> I do not agree 18:26 < reiffert> garnser: leaving out new features like... hm.. multiple bind() listen() calls per instance? releasing 2.1-STABLE? meshing networks or ... name it! 18:26 < garnser> reiffert: exactly what I was thinking about 18:27 < reiffert> garnser: I hope that there will be a fork() at some day soon. 
18:27 < garnser> they did add --multihome a while back though, not that it's documented 18:27 * garnser goes and check the code for what it do 18:28 < reiffert> garnser: ah, that xml style configration schema ... wasnt it about that? 18:28 < reiffert> just for the client side only? 18:28 < garnser> reiffert: nah I read somewhere it should "easy" the transition between IPv4 and IPv6, I think it allows one instance to listen to multiple IPs 18:28 < garnser> server side 18:29 < reiffert> IPs, but not ports. 18:30 < garnser> well then again, NAT is your friend 18:30 < reiffert> it would be nice to have a "port udp/1194 tcp/443 udp/53" style or similar, infact I was about to investigate that feature when something else crossed my way some months ago 18:30 < garnser> I guess it is for multiple IPs as well 18:30 < garnser> yeah I was thinking about that a while ago as well 18:30 < garnser> or some built in way to estimate the best connectivity option via a proxy and point the client to the instance that makes most sense 18:31 < garnser> like check latency, jitter, packet-loss etc 18:31 < reiffert> ah, and another thing .. get openvpn woking with the help of HTTP PUT and GET Requests ... 18:31 < reiffert> http proxy++ 18:31 < garnser> uhu? 18:32 < reiffert> HTTP GET and POST of course 18:32 < garnser> speaking of HTTP proxy, I noticed the port-share feature doesn't seam to forward the DNS-query so virtualhosts doesn't work via apache if it's sahred with openvpn on port 80 18:32 < garnser> I still don't see what you mean by doing HTTP GET/POST with OpenVPN 18:32 < reiffert> port-share/ 18:33 < reiffert> omg, never noticed. 
18:33 < reiffert> garnser: openvpn is http-proxy capable AFAIR, using connect host:port mechanism 18:33 < Douglas> yes it is 18:34 < Douglas> check 18:34 < Douglas> 1man 18:34 < reiffert> http 1.1 connect foo:2323 18:34 < Douglas> !man 18:34 < vpnHelper> Douglas: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:34 < reiffert> but openvpn doesnt support HTTP/1.1 GET and POST requests for using a http proxy, does it? 18:34 < garnser> ah 18:34 < garnser> now I see what you're saying 18:35 < reiffert> as every http-proxy I can think of surely blocks CONNECT 18:37 < garnser> reiffert: speaking of the multiple port/protocol option of OpenVPN, I was talking with the founders about that a couple of weeks back, gonna check if I have an email response on it 18:38 < reiffert> did it come over openvpn-devel? 18:39 < garnser> reiffert: nah I was talking directly with them 18:39 < garnser> I'm evaluating their enterprise product so I sent them a 2 page letter with feature-requests 18:40 < reiffert> oh boy, what a chance for use to get some progress into openvpn .. 18:40 < reiffert> ecrist: read the backlog from here... 18:40 < reiffert> krzie: you might wanne try as well 18:40 < reiffert> s,use,us, 18:41 < garnser> uhu, what language are you programming in that formats regexp that way? :P 18:42 < reiffert> Lemme think of when I was using /'s the last time in regexps 18:42 < reiffert> s/\/\/\///\\//\/\////\\\\\/g 18:42 < reiffert> :p 18:42 < CRASH69> I used to use something called fail2ban, for ssh, set it like 7 attemps and banned for X time, does openvpn port get alot of hammering, thinking about DoS or so? 18:42 < Douglas> that just blew my mind 18:43 < garnser> I actually seen that exact row somewhere else before 18:43 < garnser> wonder where... 18:43 < reiffert> CRASH69: fail2ban is a nice idea, but it sucks and can lead you into pain and driving a car to your remote site. 
changing the port is a lot easier on that. 18:44 < reiffert> CRASH69: to answer your question, I never ever saw a single openvpn hammering or any other stupid guy trying to fake the CA. 18:44 < garnser> being boring but I would probably look into having some layer7 IDS doing that instead 18:44 < reiffert> garnser: what row, Douglas' personal mind blower? 18:45 < garnser> reiffert: yeah 18:45 < reiffert> garnser: layer7 IDS inspecting every single encrypted packet, eh? 18:46 < garnser> reiffert: yeah... lets not talk about it, it's painful 18:46 < reiffert> :) 18:46 < garnser> in the sense that I've never dealt with it and from the guys working with it I never wanna touch it 18:47 < CRASH69> hehe 18:47 < CRASH69> so I dont worry about my home-to-home vpn? 18:47 < reiffert> My first and last attempt on layer-7 firewalling was crashing my SMP machine, years ago, so I decided to never touch it again. The support forums couldnt imagine maschines to crash on their code... 18:47 < garnser> I saw an interesting article on slashdot though whereas some company made some IDS like thing that dropped packages to avoid spam based on known flows, I guess something similar probably could be doable instead of layer 7 IDS 18:47 < CRASH69> just want to tighten security 18:48 < garnser> reiffert: hah 18:48 < CRASH69> and avid stupid DoS 18:48 < reiffert> CRASH69: unplug the cable. 18:49 < garnser> yeah, was just going to say the same, especially now with all the crap Comcast is doing (my cable-provider) 18:49 < CRASH69> oh well 18:50 < reiffert> I'm on cable as well and they are filtering NS queries and even more, they are replacing negative queries with their own Search-Ad-Page. 18:51 < reiffert> So I was setting up openvpn and tunneling every single NS query to my personal bind running in a data center. 18:51 < reiffert> setting up openvpn on my cable modem. 
18:51 * Douglas syn floods redfox 18:51 < Douglas> er 18:51 < Douglas> reiffert 18:51 < Douglas> damn tab 18:51 < Douglas> ( 18:51 < Douglas> (( 18:51 < garnser> reiffert: I was thinking about doing the same but they don't seam to hijack traffic if you run your own recursive BIND instance 18:51 < garnser> I guess it's only a matter of time though 18:51 < reiffert> garnser: it will only be a small step ... yeah 18:52 < reiffert> Douglas: my mobile is stronger that your syn flood attack, go ahead. 18:52 < Douglas> lol 18:52 < reiffert> .oO and who is redfox? 18:53 < Douglas> tab key made me say redfox 18:53 < garnser> I wonder if the net-neutrality laws are ever going to pass... 18:54 -!- CRASH69 [n=crash@201.200.94.66] has quit ["Leaving."] 18:54 < reiffert> /dcc send Douglas tab-keys ... say "Empire State Building" for me now please 18:54 < Douglas> ..................... 18:54 < Douglas> lol 18:55 < reiffert> garnser: I dont care, I guess there will always be some way to get around or to live with it. 18:55 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 19:19 -!- jeiworth [n=jeiworth@189.177.39.68] has quit [Read error: 60 (Operation timed out)] 19:22 -!- CRASH69 [n=crash@201.200.94.66] has joined ##openvpn 19:23 < CRASH69> If bridging a roadwarrior client. How to overcome that client is not on same subnet? 19:25 < garnser> CRASH69: add routes on your router pointing the subnet used to your VPN-server 19:26 < garnser> and enable ip-forwarding on the VPN gateway 19:26 < garnser> why do you use bridging if they're not on the same subnet anyway? 
19:28 < CRASH69> this is a home setup, with family/friends, want to be able to 'lan'gaming while at travel x) 19:29 < garnser> ah 19:29 < garnser> well again, add a route 19:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 113 (No route to host)] 19:39 < CRASH69> by the moment I have done a site-to-site bridged, and wants to add a mobile bridged, as I have failed with mobile bridged, I add it routed, still I cant ping the site that is on router client (I can on side that is router server), would you mind to give a view at? http://pastebin.com/m330fadd0 19:41 < garnser> ugh, too tired to read through that, make a diagram :P 19:41 < CRASH69> coming 19:43 < CRASH69> garnser: http://www.flickr.com/photos/55299288@N00/3827448509/sizes/o/ 19:43 < vpnHelper> Title: Flickr Photo Download: Diagram1 (at www.flickr.com) 19:44 < garnser> so 192.168.2.0/24 and 192.168.3.0/24 can't reach one another? 19:45 < CRASH69> basically I can not ping 192.168.2.155 form mobile, all other is fine 19:45 < garnser> and mobile would be laptop @traveling? 19:45 < garnser> so 192.168.3.X to 192.168.2.X 19:46 < CRASH69> ping 192.168.3.x ----> 192.168.2.155 = fail! :´( 19:46 < CRASH69> ping 192.168.3.x ----> 192.168.2.75 = pass! 19:47 < garnser> you don't have 192.168.3.0/24 in your routing-table on the side 192.168.2.155 sits on... 19:47 < garnser> add push route 192.168.3.0/24 on the tap instance server 19:48 < CRASH69> that is true, I add it (manually) and same (though I really dont know how to add it) 19:48 < garnser> or --route 192.168.3.0/24 vpn_gateway 19:48 < garnser> well, push route on the server side or route 192.168.3.0/24 vpn_gateway on the client-side 19:52 < garnser> also why would you route a 169 network... 19:58 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn 20:01 < garnser> CRASH69: any luck? 
20:07 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 20:09 -!- unclecameron1 [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has joined ##openvpn 20:09 -!- unclecameron [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has quit [Read error: 110 (Connection timed out)] 20:30 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)] 20:48 < CRASH69> garnser: nop, I added push route 192.168.3.0/24 on the tap instance server, and reboot, no route on the router client 20:49 -!- PokerFacePenguin [n=joe@68.16.15.79] has joined ##openvpn 20:49 < CRASH69> at the end I did: route add -net 192.168.3.0/24 gw 192.168.2.1 20:49 < CRASH69> and route showed up, though not outside tunneled side to check it 20:50 < CRASH69> so tomorrow... 20:54 -!- master_of_master [i=master_o@p549D3E26.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 20:54 < ecrist> interesting... 20:58 -!- master_of_master [i=master_o@p549D3D69.dip.t-dialin.net] has joined ##openvpn 21:13 < PokerFacePenguin> I need some clarification on how a bridged openvpn works. Will the client side of the openvpn setup still route their internet traffic through their own router as usual, yet still be able to access a shared samba directory on the server side? Or does a bridged setup mean that they will have to get their IP address from the openvpn server and route all of their internet traffic through the openvpn server side default gateway? 21:13 < PokerFacePenguin> hope that made sense 21:19 -!- alex____ [n=alex@58.34.189.239] has joined ##openvpn 21:20 < alex____> hyper_ch / bauruine : thanks to your german documentation it's working perfectly now. iptables had to be used for snatting stuffs. Thanks a lot :) 21:22 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:23 < alex____> douglas / reiffert : you're a bunch of frustrated assholes, this was my first time and the man is 3000+ lines, obviously i hadn't read it all.. 
guess you too didn't unless you wanted to spend a week on this 21:24 < alex____> don't be so rude next time it's no use for no one 21:34 < Douglas> alex____ 21:34 < Douglas> if you are going to give me attitude 21:34 < Douglas> there's the door 21:34 < Douglas> get the fuck out 21:34 < Douglas> and don't let it hit you on the ass on your way 21:34 < Douglas> good day 21:35 < thedoc> 3,000 lines is srs bsns. 21:35 < thedoc> How the hell did you think we got through it initially? :P 21:35 < Douglas> we read for what we /needed/ 21:35 < Douglas> searching through text is great 21:35 < Douglas> ok 21:35 < Douglas> i am off before i tear alex____ a nwe one 21:35 < Douglas> new 21:36 < thedoc> Piss off now Douglas ;p 21:36 -!- alex____ [n=alex@58.34.189.239] has quit [Read error: 60 (Operation timed out)] 21:46 < CRASH69> PokerFacePenguin: it can behave both ways 21:46 < PokerFacePenguin> . 21:46 < PokerFacePenguin> 0 21:46 < PokerFacePenguin> crash: thanks for the clarification 21:47 < CRASH69> you choose/config how 21:47 < CRASH69> np 21:47 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 21:48 < PokerFacePenguin> CRASH69: I have been reading a little over at http://openmaniak.com/openvpn_tutorial.php#static and it is becoming a bit clearer...i still might pop in for more questions later :) 21:50 < PokerFacePenguin> CRASH69: basically, i have two linux boxen that operate on seperate networks (two home nets) and want to share a directory (samba preferably) between them...all other network functions I want to operate independently 21:51 < CRASH69> I am sick of reading x) dont have great expectations I only have like 3 weeks at it, actually 3 painfully weeks 21:51 < CRASH69> ah 21:51 < CRASH69> first than all 21:52 < CRASH69> bridged is meant to be one network 21:53 < PokerFacePenguin> CRASH69: i hear that routed is a little easier, but then my network broadcasts for the shares dont happen that way... 
21:55 < CRASH69> bridged does broadcasting, so is usefull for file sharing in windows, if you dont need broadcast (you want to use samba, so you dont need it to share files) dont use bridged 21:55 < CRASH69> if you use samba you dont need broadcast 21:56 < PokerFacePenguin> CRASH69: ah 21:58 < PokerFacePenguin> CRASH69: preciate the tip 22:19 < ecrist> reiffert: there were a few things in there that were interesting, which was i supposed to take particular note of? 22:20 < ecrist> tap device is layer 2 networking, tun device is layer 3 22:20 < ecrist> most people only need layer 3 22:20 < ecrist> windows shares can bridge the subnets with a properly configured WINS server 22:20 < ecrist> (you will likely need to push the WINS server as a DHCP option) 23:01 < thedoc> schnap. 23:01 < thedoc> http tunnel doesn't support udp 23:01 < thedoc> :\ 23:02 < thedoc> !tcp 23:02 < vpnHelper> thedoc: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 23:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection] 23:57 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has joined ##openvpn --- Day changed Tue Aug 18 2009 00:04 -!- PokerFacePenguin [n=joe@68.16.15.79] has quit ["Leaving."] 00:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:11 -!- unclecameron1 [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has left ##openvpn [] 00:20 -!- CRASH69 [n=crash@201.200.94.66] has quit ["Leaving."] 00:53 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 113 (No route to host)] 00:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 00:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 01:31 < kala> anybody knows if openvpn can function with Windows having *two* default routes to the *same* default gateway? 
01:31 < kala> this seem to happen when user has WIFI AP in their home network and they connect laptop to both WIFI and wired network 01:34 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:34 < kleind> morning guys. i'd like to repost my (unanswered) question from yesterday: so I see I can configure common-Name-based route pushes. can i also prohibit clients to configure routes themselves? in a test, i could easily "ip route add $net via $openvpn-gateway" and use it. What's the way to address this? Configure static IPs based on the cn and then configure iptables? 01:37 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has quit [] 01:42 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn 01:43 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has joined ##openvpn 01:44 -!- mirco_ [n=mirco@p54B26B25.dip.t-dialin.net] has joined ##openvpn 02:04 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has quit [Connection timed out] 03:01 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: plaerzen 03:07 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 03:12 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: xand, davidisko, Gumbler, victor_, dazo, vpnHelper, YpsyZNC, oc80z 03:12 -!- davidisk1 [i=davidisk@nte.sk] has joined ##openvpn 03:12 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn 03:12 -!- victor [i=victor@195.95.184.30] has joined ##openvpn 03:12 -!- Netsplit over, joins: xand 03:12 -!- dazo [n=dazo@62.40.79.66] has joined ##openvpn 03:12 -!- Blu3 [i=david@blue-labs.org] has joined ##openvpn 03:12 -!- Gumbler_ is now known as Gumbler 03:13 -!- Netsplit over, joins: YpsyZNC 03:14 -!- Netsplit over, joins: vpnHelper 03:16 -!- Blu3 [i=david@BlueLabs/Blu3] has left ##openvpn ["I ❤♥❤ Guys"] 03:17 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 03:19 < mirco_> Hi all, I'm trying to setup a cert based ipsec tunnel, followed this pfsense.iserv.nl/tutorials/mobile_ipsec/ and it worked fine with psk's... 
As I'm using easy-rsa for cert-creation I now need to add a SubjectAltName field to the cert. Cause the same connection has now with certs this error: "racoon: ERROR: failed to get subjectAltName" So I added subjectAltName = DNS:copy:commonName,DNS:example.xx to openssl.cnf of easy-rsa, but get different 03:34 -!- lolmaus [n=lolmaus@77.72.19.231] has joined ##openvpn 03:36 < lolmaus> Hi! I've installed OpenVPN on linux and following the official howto. When doing a easy-rca script "./build-key-server server" and filling all the info, it says: "/etc/openvpn/easy-rsa/keys/serial: No such file or directory" and gives some more errors 03:36 < lolmaus> What do i do wrong? How to fix that? 03:41 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:42 -!- voodoo [n=wunhelzm@199-247.dsl.iskon.hr] has joined ##openvpn 03:43 < voodoo> hi, i have problem with static key openvpn setup... i was trying to do this http://tinyurl.com/m792by but i cant ping when openvpn is connection is up 03:43 < vpnHelper> Title: Static Key Mini-HOWTO (at tinyurl.com) 03:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:49 < bauruine> lolmaus, does the directory keys exist? 03:50 < lolmaus> bauruine, yes, and it seems that the scripts have worked out fine, except for that 'serial' file that hasn't been created 03:55 < bauruine> so it's working now? 03:57 < lolmaus> bauruine, haven't tried yet. 04:18 < voodoo> !howto 04:18 < vpnHelper> voodoo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:23 -!- leservo [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has joined ##openvpn 04:24 < leservo> is there any reason that an openvpn connection would work fine in TCP mode but not in UDP mode, when there's no firewall to get in the way? 
04:58 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 05:02 -!- leservo [n=obleskie@kri1-1x-dhcp149.studby.uio.no] has quit [Remote closed the connection] 05:14 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn 05:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:06 -!- Gorkhaan [n=Gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection] 06:29 -!- mirco_ [n=mirco@p54B26B25.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 06:29 -!- roninbaka [n=email@220.163.33.42] has quit [Read error: 104 (Connection reset by peer)] 06:32 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has joined ##openvpn 06:36 -!- roninbaka [n=email@220.163.62.238] has joined ##openvpn 06:49 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 06:50 < ivenkys> !route 06:50 < vpnHelper> ivenkys: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 06:51 < ivenkys> !howto 06:51 < vpnHelper> ivenkys: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 06:51 < ivenkys> !configs 06:51 < vpnHelper> ivenkys: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 06:52 < ivenkys> argh - why does this paste it on the main channel - thats just annoying - for everyone 06:59 -!- voodoo [n=wunhelzm@199-247.dsl.iskon.hr] has quit [Read error: 110 (Connection timed out)] 07:04 < dazo> ivenkys: nah, we don't mind it :) It's just good to see people trying to solve the basic stuff themselves first ;-) 07:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 07:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 07:35 < ivenkys> dazo: :-) - i am struggling with the DNS - DHCP issue , i seem to have followed the manual exactly , but obviously not 07:36 < dazo> ivenkys: pushing DNS server to VPN clients? 07:37 < ivenkys> dazo: yup 07:37 < dazo> ivenkys: what kind of clients? 07:38 < ivenkys> dazo: ubuntu and os x dynamic I.P clients - sounds very simple , but something is amiss 07:38 < dazo> ivenkys: you'll need some --up scripts to do that, as /etc/resolv.conf must be updated 07:38 < dazo> on the client side 07:38 < dazo> and this cannot be pushed 07:39 < ivenkys> dazo: thats what i had initially - as in i would "mangle" my /etc/resolv.conf based on if i am on the VPN or not - 07:40 < ivenkys> dazo: what are those DNS options for , if they cannot be "pushed" 07:40 < dazo> ivenkys: quite recently, most distros now ship a package called resolvconf ... which gives a kind of an API for scripts to more easily update the /etc/resolv.conf properly and without too much worries 07:41 < dazo> ivenkys: you can push DNS server info .... 
but not push "up /run/this/script" 07:41 < ivenkys> dazo: true - , but what are those DNS DHCP options for 07:41 < dazo> ivenkys: http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html ..... seen this one? 07:41 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net) 07:43 < ivenkys> dazo: aah - perfect -, thats what i wanted to know - is it a combination of the two... i wonder if in Os X there is a similar script 07:43 < ivenkys> dazo: i have written a crude script for thos 07:43 < ivenkys> thos/this even 07:44 < dazo> ivenkys: I dunno about osx .... never done much openvpn stuff on these boxes at all .... actually just one box, and DNS was not needed at all :-P 07:45 < ivenkys> dazo: many thanks - very helpful 07:54 < dazo> np! :) 07:58 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn 08:04 < mirco> ivenkeys: I use Viscosity on my and several other Mac's and am very happy about it's DNS script.... Didn't have a so nice solution while using tunnelblick... But I remember that the script used by Viscosity is OpenSource... 08:04 -!- voodoo [n=wunhelzm@169-120.dsl.iskon.hr] has joined ##openvpn 08:04 < voodoo> hi, anyone around ? 08:09 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 08:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:11 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has quit [Success] 08:13 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 08:13 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:18 < ecrist> good morning 08:19 < lolmaus> I've installed OpenVPN to my VPS and i can no longer connect to it via SSH! I didn't even launch OpenVPN, just installed it and generated some keyfiles. What's wrong? How to fix that? 
08:19 < ecrist> lolmaus: no idea 08:20 < ecrist> if you didn't even start OpenVPN, it's not an OpenVPN problem 08:20 < lolmaus> ecrist, OpenVPN might make some configuration changes to the system when being installed 08:20 < ecrist> lolmaus: what OS? 08:20 < lolmaus> ecrist, Arch Linux at a virtual server 08:21 < ecrist> OpenVPN does not make changes to the system when being installed. 08:21 < ivenkys> mirco: do you have a copy of the script at hand or so.. 08:21 < Douglas> lolmaus: it doesnt 08:21 < ivenkys> mirco: i dont like TunnelBlick , it just eats CPU cycles 08:21 < Douglas> affect that 08:22 < lolmaus> And easy-rca scripts? Do they affect? 08:22 < ivenkys> lolmaus: nope 08:22 < ivenkys> lolmaus: the easy-rsa scripts are used simply to generate key pairs - they are text files 08:23 < lolmaus> Ok thx 08:28 < Douglas> what was the 'distro' you could install that does layer3 routing etc 08:28 < Douglas> m0n0wall? 08:29 < ecrist> Douglas: any flavor of linux or bsd can do layer 3 routing 08:29 < ecrist> hell, windows can do layer 3 routing 08:29 < Douglas> ecrist: yeah i know 08:29 < Douglas> but wasn't there a distro specifically designed to do routing stuff 08:29 < Douglas> vyatta maybe? 08:29 * Douglas googles 08:30 * Douglas clueless 08:30 < ecrist> dd-wrt, open-wrt 08:30 < Douglas> gross 08:30 -!- saftsack_ [n=oliver@p4FC75412.dip.t-dialin.net] has joined ##openvpn 08:30 < Douglas> i have a good old p4 here with dual gigabit nics i was gonna do some routing on 08:31 < saftsack_> hi, is someone here familiar with the radiusplugin? 08:31 < ecrist> Douglas: throw FreeBSD on there 08:32 < Douglas> i could do that 08:32 < Douglas> but i was hoping for a nice web interface to boot 08:32 < ecrist> you are lame 08:33 < Douglas> i can do it via command line 08:33 < Douglas> well, figure out how to even 08:33 < Douglas> i just didnt want to take that route 08:33 < ecrist> still lame 08:33 < Douglas> why? 
08:33 < ecrist> your credibility just went to 0
08:34 < ewook> ecrist: so did yours.
08:34 < ecrist> what?! I *had* credibility?
08:34 < ewook> yes, -1. you gained +1.
08:34 < ecrist> lol
08:35 < Douglas> ecrist
08:35 < Douglas> same thing
08:35 < Douglas> when did i have credibility?
08:39 < ivenkys> !topic
08:39 < vpnHelper> ivenkys: Error: "topic" is not a valid command.
08:41 < ivenkys> !route
08:41 < vpnHelper> ivenkys: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:41 < Douglas> ecrist: now i have to find a tutorial for freebsd on how to do it
08:41 < ecrist> on how to do what?
08:41 < Douglas> make it into a router so i can route the 40 vlans or so
08:41 < Douglas> i need to
08:42 < ecrist> sysctl net.inet.ip.forwarding 1
08:42 < ecrist> route add netmask/CIDR gateway
08:42 < ecrist> that was hard
08:42 < ecrist> same exact thing on linux, iirc
08:42 < Douglas> o.o
08:43 -!- voodoo [n=wunhelzm@169-120.dsl.iskon.hr] has quit ["Lost terminal"]
08:43 < ecrist> if you want it to survive a reboot, create a shell script that does all the route add commands and put it in /usr/local/etc/rc.d/ and it will be run at boot.
08:43 < Douglas> so you're saying if i get a /25 from my colo, and have it sent over the uplink, i can just set 'route add 4.0.0.2/29 4.0.0.1'
08:43 < ecrist> yep
08:43 < Douglas> over eth1
08:43 < Douglas> and it'll make it?
08:44 < Douglas> mind blowing
08:44 < Douglas> im going to have to test this now
08:44 < ecrist> Douglas: all of our routers at my day job are FreeBSD boxes.
08:44 < ecrist> we have one Cisco device, which we use for IPSec VPN connections from our clients.
08:44 * ecrist leaves
08:45 < Douglas> well what id be doing i guess
08:45 < Douglas> is a p4 box with uplink in eth0, eth1 outgoing gbit to the 3548 i have
08:54 < Douglas> ecrist
08:55 < Douglas> I have a feeling a p4 router is a bad idea
09:04 -!- Narel [n=WEILL@AToulouse-257-1-177-102.w90-30.abo.wanadoo.fr] has joined ##openvpn
09:04 < Narel> Hi
09:04 < Douglas> .
09:05 < Narel> I've a problem with OpenVPN in gentoo, I can connect to server ping Virtual VP IP, ping real LAN IP of the server, but not other computers in the server LAN
09:05 < Douglas> !client
09:05 < Douglas> hmm
09:05 < vpnHelper> Douglas: Error: "client" is not a valid command.
09:05 < Douglas> !factoids search client
09:05 < vpnHelper> Douglas: 'someclient2client' and 'client-to-client'
09:05 < Douglas> !client-to-client
09:05 < vpnHelper> Douglas: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
09:06 < Narel> routes are in Openvpn.conf
09:06 < Narel> I don't have iptables
09:07 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 54 (Connection reset by peer)]
09:07 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
09:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:16 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
09:28 < Narel> how to make openVPN ping the real LAN of the VPN server
09:28 < Narel> can ping the real VPN server IP but not other computer of the same network
09:29 -!- roninbaka [n=email@220.163.62.238] has quit []
09:31 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:31 < Narel> Tue Aug 18 16:27:11 2009 us=62000 TEST ROUTES: 1/1 succeeded len=1 ret=1 a=0 u/d=up
09:31 < Narel> Tue Aug 18 16:27:11 2009 us=78000 C:\WINDOWS\system32\route.exe ADD 192.168.2.0 MASK 255.255.255.0 192.168.3.1
09:31 < Narel> I can't ping the gateway
09:31 < Narel> of 192.168.2.0
09:36 < thedoc> Why are you adding routes which do not make sense?
09:36 < thedoc> 192.168.2.0 is a subnet ID, not used for hosts.
09:36 < thedoc> 3.1 is in a different subnet
09:36 < Douglas> its thedoc
09:37 < thedoc> Oh right. It's me.
09:37 * thedoc muses and runs off
09:37 < Douglas> .
09:38 < Douglas> thedoc: http://dougy.hosting.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com
09:38 < vpnHelper> Title: Statistics for ovpnforum.com (2009-08) - main (at dougy.hosting.secure-computing.net)
09:38 < Douglas> http://www.ovpnforum.com/viewtopic.php?f=6&t=490
09:38 < Douglas> woooooooot
09:38 < vpnHelper> Title: OpenVPN Forum View topic - OVPN Setting for Windows 2003 server and windows xp client (at www.ovpnforum.com)
09:38 < Douglas> i think i can help a guy
09:38 * Douglas will try
09:42 < Narel> but I want to access 192.168.2.1
09:43 < Narel> 192.168.3.0 is the virtual VPN network
09:43 < Narel> 192.168.2.0 is the real LAN of the server
10:06 < |Mike|> push some routes
10:06 < |Mike|> !route
10:06 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:24 -!- lolmaus [n=lolmaus@77.72.19.231] has quit []
10:33 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [No route to host]
10:35 < mirco> ivenkys: As I'm running it on this machine I could try to find it and send it over to you...
10:42 < ivenkys> mirco: that would be helpful - thanks
10:42 < mirco> ivenkys: wait a sec...
10:46 < mirco> ivenkys: got some python scripts... I could zip or tar them and send em via mail
10:48 < ivenkys> mirco: appreciate this - many thanks
10:51 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"]
11:02 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:03 < Narel> I've set push "route 192.168.2.0 255.255.255.0" but no effects
11:03 < Narel> only 192.168.2.14 Real IP of OpenVPN server is accessible
11:03 < Narel> not other hosts in this subnet
11:04 < Narel> tap system without bridge, only routes
11:06 < Narel> !nobind
11:06 < vpnHelper> Narel: "nobind" is Do not bind to local address and port. The IP stack will allocate a dynamic port for returning packets.
Since the value of the dynamic port could not be known in advance by a peer, this option is only suitable for peers which will be initiating connections by using the --remote option.
11:06 < Narel> !mtu-test
11:06 < vpnHelper> Narel: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
11:06 < Narel> !pull
11:06 < vpnHelper> Narel: Error: "pull" is not a valid command.
11:07 < Narel> !mssfix
11:07 < vpnHelper> Narel: Error: "mssfix" is not a valid command.
11:07 < Narel> !tun-mtu
11:07 < vpnHelper> Narel: Error: "tun-mtu" is not a valid command.
11:09 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
11:11 < mirco> Hi all, I'm trying to setup a cert based ipsec tunnel, followed this pfsense.iserv.nl/tutorials/mobile_ipsec/ and it worked fine with psk's... As I'm using easy-rsa for cert-creation I now need to add a SubjectAltName field to the cert. Cause the same connection has now with certs this error: "racoon: ERROR: failed to get subjectAltName" So I added subjectAltName = DNS:copy:commonName,DNS:example.xx to openssl.cnf of easy-rsa, but get different
11:22 -!- jeiworth [n=jeiworth@189.177.39.68] has joined ##openvpn
11:33 < dazo> mirco: don't have too high expectations about finding an answer in this channel .... it's mainly openvpn people here ... but there are some who might have played with ipsec as well
11:34 < ivenkys> mirco: as a pointer - ipsec just seems much too complicated for what it does and for smaller home based VPNs it's clearly overkill.
11:35 < mirco> the problem is not ipsec, the core Problem lies in easyRSA... I need to add a field SubjectAltName to my cert... So I need to mod the config of the EasyRSA I'm running!
11:35 < mirco> ivenkys: I know
11:36 < mirco> I might try to do the same with OpenVPN
11:36 < dazo> mirco: not sure how well easy-rsa can solve this .... it's not primarily written for anything else than openvpn ....
it might even be a bug in easy-rsa
11:37 < mirco> there's one parameter called subjectaltname in my easyrsa's openssl.cnf, so I think all I need is an openssl guru...
11:37 < dazo> mirco: to read up about the openssl.cnf .... openssl resources is probably the best shot .... as easy-rsa uses that .... might be that the format of the contents needs to be formatted in a specific way
11:39 < mirco> the openssl.cnf has different sections and I don't know in which section to place the parameter so that the generated cert gets that field, made some experiments but got too many errors...
11:39 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
11:40 < mirco> I'll give it one last try, if that won't work I'll come back to you to again try to come to the effort with OpenVPN...
11:44 < robotti^> ho
11:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:06 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:15 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
12:17 < hyper_ch> in wireshark: how can I see what is bittorrent traffic?
12:19 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:19 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
12:19 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Client Quit]
12:20 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:25 -!- Narel [n=WEILL@AToulouse-257-1-177-102.w90-30.abo.wanadoo.fr] has quit ["Quitte"]
12:28 < ivenkys> gents - anyone here using openvpn with ubuntu
12:29 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
12:29 < ivenkys> i seem to have got into a tangle - with resolvconf and the up/down script supplied with openvpn
12:29 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:33 < hyper_ch> ivenkys: works fine on jaunty
12:34 < ivenkys> hyper_ch: aah - i am on Jaunty
12:34 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
12:35 < ivenkys> let me detail what i am seeing , i have installed resolvconf , modified the client configuration to have the DHCP Domain option , added the pre-defined up/down script . My problem - i cant ping the internal LAN behind the VPN server using their names , IP addresses work fine
12:36 < hyper_ch> ivenkys: you know german?
12:36 < ivenkys> hyper_ch: sorry - no
12:36 < hyper_ch> you know how to use google translate?
12:36 < ivenkys> hyper_ch: were you planning to curse me
12:36 < ivenkys> hyper_ch: yup
12:37 < hyper_ch> do you need internet access provided through the vpn tunnel?
12:37 < ivenkys> no - not necessarily -
12:37 < ivenkys> i just need to access the internal LAN .,
12:37 < hyper_ch> have a look at this howto: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways
12:37 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu)
12:37 < garnser> ivenkys: activated ip-forwarding?
12:38 < hyper_ch> or !howto
12:38 < hyper_ch> !howto
12:38 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:38 < ivenkys> garnser: yup -
12:38 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 131 (Connection reset by peer)]
12:38 < garnser> ivenkys: have you checked with tcpdump if the traffic passes through?
12:38 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:39 < ivenkys> garnser: this IRC session is via VPN - ., its an OS X client , OpenBSD server , My ubuntu client doesnt seem to work
12:39 < ivenkys> garnser: both ubuntu and os X are at the same location, same network - so its an Ubuntu specific problem
12:39 < garnser> but you can connect successfully?
12:40 < ivenkys> garnser: yup
12:40 < garnser> have you checked that all routes are added properly?
12:41 < ivenkys> the openvpn log seems to say so - yes
12:41 < ivenkys> the changes to /etc/resolv.conf are also as i would expect
12:42 < ivenkys> hyper_ch: i am going through that German -> English translation
12:42 < garnser> have you dumped traffic on the tap/tun interface and see if something tries to pass through?
12:44 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn
12:44 < ivenkys> garnser: i did a nslookup and it goes to my internal LAN named instance - which is correct as it is the first line in the /etc/resolv.conf
12:44 < ivenkys> garnser: let me try tcpdump
12:45 < gregd> hi guys, got such a problem....
I want to keep default gateway for certain subnet for all clients, whilst the new default gateway (the one that's pushed from openvpn server) should be altered.. is it possible at all with openvpn?
12:45 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)]
12:45 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:47 < ivenkys> garnser: on ping - the traffic does go through the virtual interface
12:47 -!- gregd [n=gregd720@98.143.155.131] has quit [Read error: 104 (Connection reset by peer)]
12:47 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn
12:47 < gregd> hi guys, got such a problem.... I want to keep default gateway for certain subnet for all clients, whilst the new default gateway (the one that's pushed from openvpn server) should be altered.. is it possible at all with openvpn?
12:48 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
12:48 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:49 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
12:49 < gregd> in other words.. I want to force all clients to keep their gateway for all local private networks (10., 172..., 192.168.).. whilst alter gateway for all other networks?
12:50 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
12:51 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:55 < gregd> ok.. found that i need split tunneling
12:55 < gregd> but cant find anything on how to do it with openvpn
12:58 < ivenkys> garnser: oh bloody hell - i was giving the fully qualified name of the domain - i need to use the "shortname" and then it works .., thanks
12:58 < ivenkys> hyper_ch: thanks for your help
13:03 < gregd> any advice?
13:09 -!- gregd [n=gregd720@98.143.155.131] has quit [Read error: 54 (Connection reset by peer)]
13:11 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
13:12 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn
13:12 < gregd> or actually should I look at a bridged solution?
13:17 < garnser> gregd: if you push the routes needed and remove redirect-gateway you'll get a split-tunnel setup
13:18 < garnser> just add multiple --push "route 192.168.0.0 255.255.255.0" for each net you want to route
13:18 < gregd> ok, however i dont know the default gw for each of the clients
13:18 < garnser> you don't need to know it..
13:19 < gregd> the clients should persist the default gw for 10. 192.168. and 172...
13:19 < gregd> hmmm
13:19 < garnser> it doesn't matter what default gateway you have
13:19 < garnser> if you want them to route say 192.168.0.0/24 over the VPN you just push that and voila
13:19 < gregd> i want the vice-versa...
13:19 < garnser> you want clients to push routes to the server?
13:19 < gregd> the 192 to be over their own (dhcp'd) gateway...
13:20 < gregd> and the rest over vpn
13:20 < garnser> I'm not following...
13:21 < gregd> I need something like "persist gateway for 192.0.0.0/24" command
13:21 < gregd> to be pushed by server to client
13:21 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn
13:21 < gregd> along with redirect default gateway
13:21 < gregd> got it?
13:22 < garnser> well if they're already on a 192 network you will have a conflict, OpenVPN has added some features to work around this but if you're pushing a prefix that's within the same range as the client already sits on you're screwed
13:22 -!- Yoshi47 [n=jan@firewall.walinga.com] has joined ##openvpn
13:23 < garnser> well, if you do a redirect-gateway the client will maintain whatever routes it had earlier but replace the default gw and add a static route to get to the VPN server via your net_gateway
13:23 < gregd> i cant avoid the conflict.. the client is on 10... so persisting 10. subnet would not harm
13:24 < gregd> exactly, it will persist the previous routes... but the clients use the previous-default-gw to access 192.168. as well
13:24 < gregd> so I'd like it to keep the default-gw for the 192.168.
13:24 < Yoshi47> So anyone have an explanation of this- "From the firewall im trying to send logs to a remote server over the vpn connection but it doesn't work, can't ping or talk to any devices on a remote vpn connection from the firewall, all internal devices work and can access the vpn devices but not from the firewall itself"
13:24 < gregd> and everything else to be done over vpn
13:24 < garnser> gregd: the clients don't have a default gw for the 192 network, it's all layer 2 if they're already on it
13:25 -!- mirco_ [n=mirco@p54B26B25.dip.t-dialin.net] has joined ##openvpn
13:25 -!- mirco [n=mirco@p54B26B25.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
13:25 < gregd> it does not have default gw for the 192, that's right, but it has a default gw for 0.0.0.0 and i'd like to alter it (or trim it down) to be 192.168.0.0 instead of 0.0.0.0
13:26 < garnser> well just push 192.168.0.0/24 then...
13:26 < retro_neo> I would appreciate your comments on the text of this site : http://ConnectionVPN.com/ (service similar to www.ipredator.se but using openvpn)
13:27 < vpnHelper> Title: ConnectionVPN.com (at ConnectionVPN.com)
13:27 < gregd> garnser: the command, will not make the client use VPN for 192.168.0.0/24 only?
13:28 < gregd> for accessing 192.*
13:29 < garnser> --push "route 192.168.0.0 255.255.255.0" will make the VPN client use VPN for that only yes
13:29 < garnser> don't push 192.0.0.0/8 that includes public IP-space
13:30 < garnser> see: http://openvpn.net/index.php/open-source/documentation/howto.html#numbering
13:30 < vpnHelper> Title: HOWTO (at openvpn.net)
13:31 < gregd> ok, let me rephrase this. A client is on 10.0.0.0/24 network and uses 10.0.0.1 gw to access 10.0.0.0/24 as well as 0.0.0.0. Now, the client connects to my VPN server which makes the client belong to 192.168.0.0/24 network....
13:32 < garnser> right
13:32 < gregd> in this case i would like the client to persist the route for 10.0.0.0/16 as well as change its default route (0.0.0.0) to use 192.168.0.1 gw
13:33 < gregd> i.e. my VPN gateway
13:33 < garnser> and the solution to that is --push "redirect-gateway"
13:34 < gregd> "redirect-gateway" will make the client forget the 0.0.0.0 route and use my gw for 0.0.0.0
13:34 < garnser> no
13:34 < gregd> apparently (from my testing) it looks like it does this
13:35 < garnser> redirect-gateway will remove the default gateway, add a static route to the VPN server via your net_gateway and then add a new default route to the 192 address thus routing all traffic but the one you're on via layer 2 over the VPN
13:36 < gregd> so do you reckon the client will be able to access i.e. 10.9.0.1 via its own (previous) 10.0.0.1 gw (once connected to my VPN)?
13:36 < garnser> if you have a 8-bit netmask yes
13:37 < gregd> yeah..
i meant 10.0.9.1
13:37 < garnser> yes if you have a netmask that's 20-bit or lower
13:38 -!- retro_neo_ [n=hello_wo@fr-d1.connectionvpn.com] has joined ##openvpn
13:38 -!- dcdave [n=dcdave@dslb-088-071-005-007.pools.arcor-ip.net] has joined ##openvpn
13:39 < garnser> Yoshi47: check that you've the appropriate routes on your firewall to access the subnet behind the vpn-gateway
13:39 < garnser> and ip-forwarding enabled on the vpn-gateway
13:39 < Yoshi47> garnser, ive been playing with the routes but can't seem to get it,
13:40 < Yoshi47> garnser, how would one go about ip-forwarding on ipcop firewall?
13:40 < garnser> Yoshi47: no idea
13:40 -!- _impuls [n=m@gateway.theta.stoerimpuls.net] has quit [Remote closed the connection]
13:40 * garnser only does Linux
13:40 < gregd> garnser: what you're saying somehow does not adhere to openvpn documentation.. redirect-gateway redirects client default network gateway through vpn.. in the scenario above, the client will not be able to access 10.0.9.1 anymore
13:40 < Yoshi47> garnser, ipcop is linux
13:41 < gregd> and that's proved by my testing
13:41 -!- linux_manju [n=manju@218.248.69.9] has joined ##openvpn
13:41 < garnser> gregd: can you please point out where in the documentation it states that it removes local layer2 routes? I've an installation with 33k users with this exact setup
13:42 < linux_manju> Hi all
13:42 < garnser> gregd: please post a copy of your route-table when connected to the VPN
13:42 < garnser> when using redirect-gateway
13:42 -!- kyrix [n=ashley@91-115-189-176.adsl.highway.telekom.at] has joined ##openvpn
13:42 < gregd> garnser: sure, sec
13:43 < linux_manju> I have a bridge setup.. The config works fine with three Client machines.. But one of the client machines.. connects to the bridge fine..
but nothing goes through ( ping tap/bridge network )
13:43 < linux_manju> Would really appreciate some help here
13:43 < linux_manju> Client is a Ubuntu Jaunty with kernel 2.6.31
13:44 < garnser> gregd: you should have 10.0.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 and 192.168.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0 and 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 tun0
13:44 * linux_manju correction Kernel is 2.6.30.4
13:45 < garnser> linux_manju: check that the bridge-interface is up
13:45 < garnser> ip link show dev br0
13:45 < linux_manju> garnser: Yes.. tap0 is up
13:45 < linux_manju> garnser: in client?
13:45 < garnser> linux_manju: you're not using brctl to bridge tap0 and eth0?
13:45 -!- gregd [n=gregd720@98.143.155.131] has quit ["Leaving."]
13:45 < linux_manju> garnser: Not in the client.. thought I need to do that only in the server
13:46 < garnser> Yoshi47: you enable ip_forwarding with: sysctl net.ipv4.ip_forward=1
13:46 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn
13:46 < garnser> linux_manju: depends on the setup I guess
13:46 < gregd> garnser: routing table before connecting to vpn: http://pastebin.com/m779e3bfb
13:46 < Yoshi47> garnser, ok i'll try it
13:46 < gregd> garnser: after connecting to vpn with (push redirect-gateway): http://pastebin.com/m6e48bbd6
13:46 < linux_manju> garnser: In other three machines.. It works out of the box.. The same config...
13:47 < linux_manju> garnser: Only this machine is creating all sorts of trouble
13:47 < linux_manju> garnser: tap comes up.. Connection is initialized .. gets the IP .. but nothing goes through
13:47 < gregd> so, before connecting to vpn, my client is on 10.208.24.0/255.255.248.0 and access everything using 10.208.24.1
13:47 < garnser> gregd: so what portion of 10.208.24.0 * 255.255.248.0 U 2 0 0 wlan0 being removed are you referring to?
13:48 < garnser> it's present in both dumps
13:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
13:48 < garnser> row 4 before connect and row 7 after connect
13:48 < gregd> so lets consider now a host at 10.200.0.1
13:48 < gregd> at the beginning (without vpn) the client accesses it over 10.208.24.1 gateway..
13:49 < linux_manju> garnser: I dont need to bridge it.. as I want client to communicate with the network behind the Server.. not the other way around
13:49 < gregd> and after the client connects to vpn it will be not able to access this host anymore, right?
13:49 < garnser> so you have multiple networks behind the 10.208.24.1 router?
13:49 < gregd> garnser: yes
13:49 < garnser> add route 10.200.0.1 255.255.255.0 net_gateway to your config
13:49 < gregd> what do you mean by "net_gateway" ?
13:50 < garnser> gregd: it's a general pointer you can use with OpenVPN
13:50 < gregd> is it a keyword or my gateway?
13:50 < gregd> fair enough.. eureka
13:50 < garnser> gregd: see --route network/IP [netmask] [gateway] [metric] in the docs
13:50 < garnser> linux_manju: ok my bad, wasn't sure what kind of setup you have
13:50 < gregd> let me test it
13:51 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
13:51 < garnser> linux_manju: does a layer2 route get added to the tap interface once it comes up?
13:52 < linux_manju> garnser: YEs
13:52 < garnser> linux_manju: and you don't have conflicting IP-ranges?
13:52 < linux_manju> garnser: 192.170.31.0 0.0.0.0 255.255.255.0 U 0 0 0 tap0
13:52 < linux_manju> garnser: nope
13:52 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)]
13:52 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
13:53 < garnser> linux_manju: and tcpdump gives nothing on the interface?
13:53 < linux_manju> garnser: tcpdump on the server or client?
13:53 -!- gregd [n=gregd720@98.143.155.131] has quit ["Leaving."]
13:53 < garnser> linux_manju: client
13:53 < linux_manju> garnser: checking
13:53 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"]
13:54 < linux_manju> garnser: Looks like.. something fishy here..
13:54 < garnser> :)
13:54 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit [Read error: 110 (Connection timed out)]
13:55 < linux_manju> garnser: tcpdump throws all the broadcast .. of the other side of the bridge
13:55 < linux_manju> garnser: Why on the earth ping does not reply :(
13:55 < garnser> linux_manju: do you see the ICMP packages going over the interface?
13:56 < linux_manju> garnser: Checking
14:01 < linux_manju> garnser: arp who-has 192.170.31.13 tell 192.170.31.60
14:01 < linux_manju> garnser: and no replies
14:01 < linux_manju> garnser: No replies even If I do.. arping -I tap0 192.170.31.13
14:01 < garnser> linux_manju: have you enabled client-to-client on your server?
14:01 < garnser> well I guess if it works on other hosts it doesn't make much sense
14:02 < linux_manju> garnser: Nope.. But 192.170.31.13 is not the openvpn client.. its behind the openvpn bridge
14:02 < garnser> right but you can ping it from other vpn-clients?
14:02 < linux_manju> garnser: yes
14:02 < linux_manju> Without any issue.. same config
14:02 < garnser> yeah dunno what it could be in that case
14:03 < garnser> linux_manju: checked the logs for abnormalities?
14:03 < linux_manju> garnser: Yes
14:03 < linux_manju> garnser: Nothing there.. both server and client
14:05 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn
14:05 < garnser> any luck gregd ?
14:05 < garnser> linux_manju: yeah don't know what the issue could be in that case
14:05 < gregd> garnser: it works :)
14:05 < garnser> gregd: good
14:06 < gregd> garnser: it took me a while explaining the stuff but it was worth it!
:)
14:06 < gregd> thanks a zillion
14:06 < garnser> np
14:06 -!- KaiForce [n=chatzill@adsl-70-228-99-174.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
14:06 -!- gregd [n=gregd720@98.143.155.131] has left ##openvpn []
14:07 < garnser> linux_manju: what OS are you running on the other clients?
14:10 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
14:10 < linux_manju> garnser: Server is a dd-wrt ( Linksys )
14:10 < linux_manju> client is Sheeva plug
14:11 < linux_manju> The other clients which were able to connect successfully were Ubuntu Desktop
14:11 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has left ##openvpn []
--- Log closed Tue Aug 18 14:12:11 2009
--- Log opened Tue Aug 18 14:12:15 2009
14:12 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:12 -!- Irssi: ##openvpn: Total of 73 nicks [0 ops, 0 halfops, 0 voices, 73 normal]
14:12 -!- jeiworth [n=jeiworth@189.177.39.68] has quit [Read error: 110 (Connection timed out)]
14:12 -!- Irssi: Join to ##openvpn was synced in 35 secs
14:16 < linux_manju> garnser: Any idea?
14:16 < linux_manju> This is really driving me crazy :(
14:16 < garnser> linux_manju: nope :(
14:17 < garnser> anyhow, lunch-time
14:17 -!- garnser is now known as garnser|lunch
14:18 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
14:19 < linux_manju> garnser|lunch: Ok..
thanks for trying
14:35 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- retro_neo_ is now known as retro_neo
15:03 -!- dcdave [n=dcdave@dslb-088-071-005-007.pools.arcor-ip.net] has quit ["Leaving"]
15:07 -!- linux_manju [n=manju@218.248.69.9] has quit ["leaving"]
15:20 -!- jeiworth [n=jeiworth@189.163.254.44] has joined ##openvpn
15:25 -!- retro_neo is now known as retro_neo_
15:25 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn
15:43 -!- retro_neo_ [n=hello_wo@fr-d1.connectionvpn.com] has quit [Read error: 110 (Connection timed out)]
15:54 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
15:57 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
16:19 < garnser|lunch> Yoshi47: any luck with the ip-forwarding?
16:33 -!- jeiworth_ [n=jeiworth@189.163.254.44] has joined ##openvpn
16:35 -!- subinacls_ [n=subinacl@97.100.182.253] has quit [Read error: 110 (Connection timed out)]
16:37 -!- jeiworth [n=jeiworth@189.163.254.44] has quit [Success]
16:42 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:46 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
16:50 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 60 (Operation timed out)]
16:55 < bauruine> i try to do that http://forum.prq.se/viewtopic.php?f=2&t=12 . but the second client is not in the lan, its behind a second vpn (with tap) both can ping each other with their tap interface and also with the public ip. but if i ping from the internet the ping fails. i can see icmp requests on the vpn server but they were not routed to the client. thats the routing table on the server http://pastebin.com/d5aaa3553
16:55 < vpnHelper> Title: prq.se View topic - How to setup internal routing.
(at forum.prq.se)
16:57 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
17:00 < misse-> Hi, I've had a working bridging openvpn server which lets clients use my home dhcp. The server has been off for a while and now when I booted it up, my client gets connected but it doesn't request an IP.. when running dhclient manually on tap0 on the client, I do get an IP from my home dhcp, but that breaks my connection. The server logs MULTI: no dynamic or static remote --ifconfig
17:00 < misse-> and I don't understand what's wrong :/
17:02 -!- retro_neo_ [n=hello_wo@204.124.182.162] has joined ##openvpn
17:03 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
17:03 < bauruine> misse-, dhclient overwrites the default route ;-)
17:07 < misse-> bauruine: Yep, I know. but why doesn't openvpn receive an IP the normal way when connecting?
17:08 -!- mius [n=miusf@85.214.97.22] has quit ["-"]
17:12 < bauruine> i don't know sorry im new to openvpn.
17:13 < bauruine> and have been fighting with it for 3 days :-(
17:13 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn
17:14 < reiffert> bauruine: see !howto
17:15 < bauruine> !howto
17:15 < vpnHelper> bauruine: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
17:16 < bauruine> reiffert, i don't think that will solve my problem as it's a routing problem i think (any good channels for that?)
17:17 -!- retro_neo_ [n=hello_wo@204.124.182.162] has left ##openvpn ["Leaving"]
17:18 < reiffert> !route
17:18 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:19 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit [Read error: 110 (Connection timed out)]
17:27 < bauruine> reiffert, i don't get it. could i show you my setup / routing tables?
17:29 < misse-> reiffert: did you look at my problem posted above?
17:41 < bauruine> here is a small description of my problem http://pastebin.com/d26abd9bf
17:43 -!- jeiworth_ [n=jeiworth@189.163.254.44] has quit [Read error: 110 (Connection timed out)]
18:01 -!- mirco_ [n=mirco@p54B26B25.dip.t-dialin.net] has quit []
18:17 -!- subinacls_ is now known as subinacls
18:26 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
18:29 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)]
18:34 -!- kyrix [n=ashley@91-115-189-176.adsl.highway.telekom.at] has quit [Read error: 113 (No route to host)]
18:34 < garnser|lunch> reiffert: don't you find it interesting that everyone spends 3 days with their problems? :)
18:34 -!- garnser|lunch is now known as garnser
18:36 < Douglas> I love how I just sent 700 kbps of packets at this one kid who pisses me off
18:36 < Douglas> he has a 20mbit home line
18:36 < Douglas> and that 700kbps created 60% packet loss
18:36 < Douglas> wonderful
18:37 < misse-> garnser: excuse me, but do you know if it's possible for Linux openvpn clients to connect to an openvpn server with "mode server"? When I do, the client doesn't ask for an IP via DHCP, it just sits there until I manually run dhcp on the tap device.
18:38 < garnser> Douglas: how mean
18:38 < garnser> misse-: are you saying that your server has mode server or your client has?
18:39 < misse-> garnser: my server. Should I paste my config at pastebin?
18:39 < garnser> misse-: sure, please paste both server and client
18:39 < Douglas> garnser
18:39 < Douglas> he said he'll shove a grenade up my ass
18:39 < Douglas> so I threw the first punch
18:39 < Douglas> I broke his internet
18:39 < Douglas> lol
18:39 < garnser> and please remove everything that's commented out
18:39 < Douglas> misse-
18:39 < Douglas> there?
18:40 < garnser> misse-: reminds me of when we had a network lab at my high school
18:40 < Douglas> garnser: you new around these parts?
18:40 < garnser> all the kids were running 2000 server and my friend and I just started using FreeBSD
18:41 < garnser> our teacher wouldn't allow us back in class after we crashed every 2000 server with a DDoS :)
18:41 < Douglas> ROFL
18:41 < Douglas> garnser: same question
18:43 < garnser> Douglas: define these parts
18:43 < misse-> garnser: http://pastebin.com/m6de0a328
18:43 < Douglas> garnser: this channel
18:44 < Douglas> misse-: did you manually just strip that config of its comments?
18:44 < garnser> Douglas: yeah, I've been on the openvpn-users list for quite some time but figured I should join the IRC channel as well
18:45 < Douglas> garnser: I was going to say you seem new..
18:45 < misse-> Douglas: there were never any comments in my config. I took it from a howto. I understand it fully, and it works for Windows clients, but Linux clients don't request any IPs
18:45 < Douglas> word to the wise
18:45 < Douglas> here
18:45 < Douglas> for you
18:45 < Douglas> there are three commands that will come in very handy..
18:45 < Douglas> they are:
18:45 < garnser> misse-: did you bridge your interface on the server side?
18:45 < Douglas> !configs
18:45 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
18:45 < Douglas> !logs
18:45 < vpnHelper> Douglas: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:46 < Douglas> !all
18:46 < vpnHelper> Douglas: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
18:46 < Douglas> garnser: those 3
18:46 < misse-> garnser: yup. If I run dhclient on my client tap0 it will receive an IP from the server-side DHCP, which is on another server than the openvpn server.
18:46 < garnser> Douglas: I'm not here to get help, quite the opposite
18:46 < Douglas> garnser, I am aware
18:46 < Douglas> I am saying use those when people come in here and ask for help
18:47 < Douglas> that way you don't need to repeat yourself
18:47 < garnser> ah
18:47 < garnser> fair enough
18:47 < Douglas> it gets old in quite a hurry
18:47 < garnser> misse-: have you checked your logs at the DHCP server if there's any attempt to get an IP upon connection?
18:48 < misse-> garnser: uhm, no.. but there's no sign of that on the client. But I'll check
18:49 < Douglas> misse-
18:49 < Douglas> !factoids search verb
18:49 < vpnHelper> Douglas: No keys matched that query.
18:49 < Douglas> set openvpn to verb 6
18:49 < Douglas> garnser: another useful one for you personally
18:49 < Douglas> !forum
18:49 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
18:50 < misse-> Douglas: both server and client?
18:51 < Douglas> misse-: yes
18:51 < Douglas> it will make everything very verbose
18:51 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
18:52 < garnser> I've actually never tried to have DHCPD assign clients with tap an IP
18:52 < misse-> Douglas: indeed it did :D still nothing to shed any light on the client side. Checking server side now...
18:53 < misse-> the only thing I can think of is "no dynamic or static remote --ifconfig address is available for"
18:54 < misse-> but..
I dunno
18:55 < garnser> I wonder if it could be that DHCPD isn't listening on tap0 but when you do it manually it's forwarded over the bridge to eth0 or whatever
18:55 < misse-> Douglas: would you like to take a peek at the server or client log with verb 6?
18:56 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
18:58 < garnser> misse-: do you start dhcpd prior to or after starting the bridge?
18:59 < misse-> garnser: I don't actually start anything at all manually. I'd like openvpn to start whatever it needs to get an IP for the tap interface
19:01 < garnser> misse-: well my point is, if you have DHCPD running on the server hosting OpenVPN you can have an issue where DHCPD won't listen on the bridge interface but the DHCP request does get forwarded over when you do a manual dhclient request in some magic way
19:01 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:01 < garnser> so try to restart dhcpd after the bridge is created on the server side and see if that helps
19:01 < misse-> garnser: if I change the server config to server-bridge 1.1.1.2 255.255.255.0 1.1.1.3 1.1.1.10 the client gets an IP from that scope and all is well.. but I would like the client to ask and receive an IP from my DHCP
19:02 < misse-> the DHCP server is running on another server altogether than the openvpn server with the bridged interface.
19:03 < garnser> ah ok
19:03 < misse-> this must be the first time a Windows version of a piece of software makes me happier than the Linux version :/
19:04 < misse-> cause this works flawlessly on win
19:04 < Douglas> incorrect
19:04 < Douglas> this is the first time a Windows version of a piece of software runs on a broken config
19:04 < Douglas> it's how it has to be
19:04 < misse-> Douglas: broken config?
19:04 < Douglas> something's broken
19:04 < Douglas> don't know what
19:04 * Douglas is thining
19:04 < Douglas> thinking even
19:05 < garnser> misse-: I'm guessing you're starting OpenVPN as root on the client side?
19:06 < misse-> garnser: correct
19:11 < garnser> Douglas: not sure how openvpn implemented this, but couldn't it be that openvpn tries to trigger dhclient which is already running, thus causing a conflict?
19:11 < Douglas> that's a question for the devs
19:11 < garnser> misse-: I guess you could do an up-script triggering dhclient upon connection...
19:13 < misse-> garnser: I'd have to include a deletion of the new default gw in that script too.
19:13 < misse-> thanks for the tip, but I think openvpn should be able to handle this by itself, as Douglas seems to believe
19:14 < garnser> well I think the problem is that with the Linux tap driver there's no trigger for DHCP since the server normally pushes everything
19:15 < misse-> garnser: is that openvpn specific or in other cases where you use tap?
19:16 < garnser> misse-: I would say it's Linux-specific, I just looked at the openvpn manual:
19:16 < garnser> --dhcp-renew Ask Windows to renew the TAP adapter lease on startup. This option is normally unnecessary, as Windows automatically triggers a DHCP renegotiation on the TAP adapter when it comes up, however if you set the TAP-Win32 adapter Media Status property to "Always Connected", you may need this flag.
19:17 < garnser> basically, there's nothing telling the Linux kernel to ask for any IP data since nothing is pushed by the OpenVPN server
19:17 < garnser> this would explain why it works under Windows but not Linux
19:18 < garnser> misse-: which distro are you using?
19:18 < misse-> ubuntu
19:18 < misse-> 8.10
19:18 < misse-> it sure would.. but why?
:( seems kind of stupid
19:18 < garnser> misse-: not sure about the specifics of ubuntu configs but I guess you could add DHCP as an option in /etc/network/interfaces for tap0
19:19 < garnser> but yeah, otherwise you have to do an up-script since nothing triggers tap to set an IP
19:20 < garnser> Douglas: do you think that makes sense? ^
19:20 < Douglas> I'm out of it
19:20 < Douglas> lol
19:22 < garnser> misse-: did you have a dump of your logs on the client side?
19:23 < misse-> garnser: I can fix
19:24 < garnser> misse-: not that I know of your programming skills, but what you could do is to have the OpenVPN server do a DHCP request on behalf of the clients and pass that data through ccd, thus pushing DHCP
19:25 < misse-> http://pastebin.com/m4de87b81
19:25 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
19:26 < garnser> Are you Swedish, misse-?
19:27 < misse-> garnser: ah, that's right
19:28 < garnser> misse-: anyhow, just looked at the log, as I said, no IP info is pushed and unless something triggers a dhclient you won't get an IP
19:28 < misse-> yeah.
19:28 < misse-> now why on earth doesn't the tap driver trigger a DHCP request once online?
19:28 < misse-> oh well. I think I'll solve it as you suggested with up scripts
19:29 < garnser> misse-: cause that's not how Linux is structured
19:29 < misse-> the programming solution you suggested was far too advanced for my meager programming skills
19:29 < garnser> misse-: ok, I'll look through some old code I have and see if I can patch something together
19:35 < garnser> btw isn't it a bit late to be hacking OpenVPN in Sweden
19:40 < misse-> garnser: ... yeah :$
19:43 < garnser> Douglas: do you know if OpenVPN has any wildcard for CCD?
19:45 < Douglas> not a clue sir
19:45 < misse-> garnser: hey, thanks but don't bother. I've accepted defeat and am now running server-bridge instead.
19:45 < garnser> misse-: that's no fun, I'm going to code it anyway
19:46 < misse-> Douglas: a polite "ha" to you sir :P there wasn't anything wrong with my configs, just my knowledge about the tap driver
19:46 < misse-> garnser: :) if you get it working I'd gladly test it
19:46 < misse-> ... tomorrow
19:46 < Douglas> I'm too young to be called sir
19:46 < misse-> or, as it happens, later today
19:46 < misse-> Douglas: strike that part then, the rest holds true
19:47 < misse-> thanks for your efforts, both of you. Good night
19:47 < garnser> misse-: np
19:57 < garnser> Douglas: how did you figure I'm old enough to be called sir? :)
20:03 < Douglas> maturity
20:05 < garnser> lol, what now?
20:06 < garnser> I'm going to bet you're older than I am
20:10 < garnser> or maybe not, based on your LinkedIn data
20:11 < garnser> if I found the right one that is
20:21 < Douglas> garnser
20:21 < Douglas> how olda re you
20:21 < Douglas> how old are you
20:22 -!- thedoc [n=tenacity@vpn1.edgewire.sg] has joined ##openvpn
20:22 < garnser> Douglas: 21
20:23 < Douglas> I am 16 sir
20:23 < Douglas> thedoc semlls
20:23 < Douglas> smells
20:23 < garnser> ouch...
20:24 < garnser> now I feel old
20:24 < Douglas> failwhale
20:27 -!- mius [n=miusf@85.214.97.22] has quit ["-"]
20:37 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn
20:41 < garnser> screw this, I'm way too jetlagged to write any decent code
20:54 -!- master_of_master [i=master_o@p549D3D69.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
20:56 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:58 -!- master_of_master [i=master_o@p549D3DA6.dip.t-dialin.net] has joined ##openvpn
21:19 -!- hacim [n=micah@debian/developer/micah] has joined ##openvpn
21:19 < hacim> so the gpg signature on the source downloads seems to be signed with keyid: 1FBF51F3, James Yonan
21:19 < hacim> how do I know that is the right person?
21:20 < hacim> and right keyid?
21:20 < thedoc> hacim, Where did you get that source from?
21:20 < thedoc> openvpn.net?
21:21 < hacim> thedoc: presumably, yes
21:21 < hacim> assuming that there was no man in the middle during the download process
21:21 < thedoc> hacim, Highly unlikely. Does the checksum match?
21:21 < hacim> I'm trying to verify the gpg signature
21:22 < hacim> there is no checksum associated with it
21:22 < thedoc> o/
21:22 < hacim> understood that it is highly unlikely, but I am required to follow protocols
21:23 < hacim> also
21:23 < thedoc> hacim, I don't have the pgp signature for this. Sorry about it. Perhaps someone else here can help.
21:23 < Douglas> ecrist: ping
21:23 < hacim> recently there was a wordpress site compromise, where the attacker replaced the distributed source with a trojaned backdoor
21:23 < hacim> the hacker kindly updated the md5sum
21:23 < thedoc> hacim, I didn't hear about that. Which packages were compromised?
21:23 < hacim> so I don't really find that mechanism of cryptographically authenticating source as particularly useful
21:24 < hacim> thedoc: wordpress
21:24 < thedoc> Looks like pgp signatures are the only way to go these days.
21:24 < hacim> well it's useful... but only if there is a clear way of verifying that the signature that is being used is the right one
21:25 < Douglas> man
21:25 < hacim> I mean...
I don't know if James Yonan is just someone who compromised openvpn.net and signed a trojaned source tarball
21:25 < Douglas> I should be that security conscious
21:25 < Douglas> I just download and untar
21:25 < hacim> everyone should be
21:25 < hacim> openvpn is a critical piece of security infrastructure
21:25 < Douglas> here you go hacim
21:25 < Douglas> http://www.linuxsecurity.com/content/view/117363/49/
21:25 < hacim> a backdoor into your organization or corporate network would be a goldmine
21:25 < vpnHelper> Title: OpenVPN: An Introduction and Interview with Founder, James Yonan - The Community's Center for Security (at www.linuxsecurity.com)
21:26 < hacim> ok, so that's great
21:26 < Douglas> OpenVPN: An Introduction and Interview with Founder, James Yonan
21:26 < hacim> however
21:26 < hacim> I can quite trivially go and create a gpg key that has the user id of James Yonan
21:26 < hacim> there is nothing that stops me from doing that
21:26 < Douglas> james yonan is not in here
21:26 < Douglas> hacim: at what point does it stop?
21:26 < hacim> even if he was.... how would I know it was him :)
21:26 < Douglas> exactly
21:26 < thedoc> hacim, Yes, that's a problem too. It's a little hard to verify the identity if you're looking at it that way.
21:26 < Douglas> so you may as well just forget openvpn at that point
21:26 < hacim> that is what the web of trust is all about
21:27 < hacim> there are 6 people who have signed James' key
21:27 < hacim> there might be a valid trust path between me and James through other people I have exchanged keys with
21:27 < hacim> anyways, thanks all
21:27 < hacim> think about these things, they are important!
21:29 < thedoc> hacim, o/ good luck in your search for the pgp signature :P
21:30 < thedoc> He does have a point though, there has to be a form of mutual trust somewhere which you can't exactly replace or fix with technology.
21:31 * thedoc goes to read steal-the-interwebz.
21:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
21:36 < garnser> I find it amusing that hacim has a verified account with freenode given that he has to run IDENTIFY in clear text
21:37 < hacim> garnser: I find that really annoying
21:37 < thedoc> garnser, I'd say that works on mutual trust that freenode isn't about to screw him over and, well, no one is performing a MITM attack :P
21:37 < hacim> I prefer IRC networks, like oftc, which offer ssl connections
21:37 < garnser> just saying, why trust freenode if you can't trust openvpn.net
21:37 < Douglas> like SSL isn't flawed already
21:38 < Douglas> -already
21:38 < hacim> it is flawed
21:38 < hacim> I don't trust freenode
21:38 < Douglas> the whole protocol is fucked
21:38 < hacim> that's why I don't use mys3kr3tp1assw0rd
21:38 < hacim> I agree, that's why I'm into the monkeysphere
21:38 < hacim> which aims to replace the flawed x509 setup with a web of trust model
21:39 < garnser> I just think people have to realize that nothing is ever going to be secure, there has to be a way of securing things based on a trust network rather than technical solutions
21:49 < thedoc> There's no patch for human stupidity :P
22:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:01 < thedoc> krzee, o/
22:01 < krzee> waddup
22:02 < thedoc> My paypal account broke.
22:02 < thedoc> fuck
22:02 < thedoc> :|
22:03 < thedoc> Anyone here had extensive experience with ddos scrubbing?
I'm trying to find out how it works but the google-fu is weak today
22:05 -!- hacim [n=micah@debian/developer/micah] has left ##openvpn []
22:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
22:39 -!- ljs [n=ljs@61.170.137.197] has joined ##openvpn
22:45 -!- ljs [n=ljs@61.170.137.197] has quit ["stepping away"]
23:47 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Wed Aug 19 2009
00:49 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
00:54 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 113 (No route to host)]
01:12 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
01:22 -!- delief [n=Killer@persian-green.feralhosting.com] has joined ##openvpn
01:25 -!- delief [n=Killer@persian-green.feralhosting.com] has quit [Client Quit]
01:28 -!- Overand [i=overand@crappy.domain.name] has left ##openvpn []
01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:48 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:17 -!- c64zottel [n=hans@p5B17AF36.dip0.t-ipconnect.de] has joined ##openvpn
02:23 -!- kyrix [n=ashley@91-115-17-230.adsl.highway.telekom.at] has joined ##openvpn
02:47 -!- kyrix [n=ashley@91-115-17-230.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
02:47 -!- kyrix [n=ashley@188-23-184-47.adsl.highway.telekom.at] has joined ##openvpn
03:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
03:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
03:30 -!- oliver__ [n=oliver@p4FC75D04.dip.t-dialin.net] has joined ##openvpn
03:47 -!- kyrix [n=ashley@188-23-184-47.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
03:48 -!- kyrix [n=ashley@91-115-20-20.adsl.highway.telekom.at] has joined ##openvpn
03:48 -!-
saftsack_ [n=oliver@p4FC75412.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
04:28 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
05:11 < kala> how long does the OpenVPN tunnel work in your experience? Is one tunnel restart per hour or per day normal or not?
05:15 < reiffert> infinite
05:15 < kala> ok. sounds good
05:16 < kala> any advice how to debug the problem when the client VPN tunnel is restarted for no obvious reason? About once per hour or once per two hours or something like that
05:17 < reiffert> a log file from both sides might be a good start, along with syslog information.
05:20 < kala> the client log file shows "Inactivity timeout (--ping-restart), restarting"
05:20 < kala> I could perhaps capture the network packets and see if the packets are actually transmitted at that time
05:23 < Bushmills> !inactive
05:23 < reiffert> keepalive 10 120
05:23 < vpnHelper> Bushmills: Error: "inactive" is not a valid command.
05:23 < reiffert> see keepalive
05:23 < reiffert> morning Bushmills
05:23 < Bushmills> --inactive n [bytes]
05:23 < Bushmills> Causes OpenVPN to exit after n seconds of inactivity on the
05:23 < Bushmills> TUN/TAP device.
05:23 < Bushmills> greetings
05:23 < reiffert> Bushmills: he's on ping-restart, he's not on exit
05:23 < Bushmills> oh.
right
05:24 -!- backblue [n=igor@82.102.1.42] has joined ##openvpn
05:24 < Bushmills> I was just glimpsing at the problem description
05:25 < Bushmills> did too much selective reading, I think
05:25 < kala> keepalive is 5 15
05:25 < kala> so, three missing replies and openvpn declares that the tunnel is not working
05:26 < reiffert> try on 10 120
05:27 < kala> however, I'm also sometimes seeing the replay warnings
05:29 < kala> but now when I check it they don't occur right before the tunnel restart, but some good 10-20 minutes before, so they should be unrelated
05:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:07 -!- Fleck [n=kvirc@unaffiliated/fleck] has joined ##openvpn
06:07 < Fleck> hey - how do I restart openvpn?
06:08 < Fleck> I added a new entry to ipp.txt and openvpn ignores it
06:08 < backblue> /etc/init.d/openvpn restart?
06:11 -!- gorkhaan [n=gorkhaan@89.186.101.16] has joined ##openvpn
06:27 -!- YpsyZNC [n=ypsy@geekpadawan.de] has quit [Read error: 60 (Operation timed out)]
06:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:31 -!- YpsyZNC [n=ypsy@geekpadawan.de] has joined ##openvpn
06:39 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Read error: 110 (Connection timed out)]
06:48 < kala> ok, I traced the last interruption to the WIFI failure. Don't know if the WIFI AP failed or just the Windows interface
06:51 -!- Fleck [n=kvirc@unaffiliated/fleck] has left ##openvpn ["No matter how dark the night, somehow the Sun rises once again"]
06:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
06:56 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
07:06 -!- gorkhaan [n=gorkhaan@89.186.101.16] has quit [Remote closed the connection]
07:34 -!- victor [i=victor@195.95.184.30] has quit [Nick collision from services.]
07:34 -!- victor [i=victor@jerl.in] has joined ##openvpn
07:34 -!- victor [i=victor@jerl.in] has quit [Nick collision from services.]
07:39 -!- victor___ [i=victor@jerl.in] has joined ##openvpn
07:59 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
08:07 < Douglas> http://www.ovpnforum.com/viewtopic.php?f=5&t=494
08:07 < vpnHelper> Title: OpenVPN Forum View topic - TAP-win32 driver install problems on Vista x64 (at www.ovpnforum.com)
08:12 < reiffert> 2.0.9 without opening that URL
08:13 < Douglas> d'oh
08:13 * Douglas should have had that epiphany himself
08:13 < bauruine> day 4, it's time for a repost :-( http://pastebin.com/d675756e9 any idea why this doesn't work?
08:17 < Douglas> Yessssss
08:17 < Douglas> reiffert
08:17 < Douglas> the forum is creeping up Google
08:17 < Douglas> just passed openvpn.eu :)
08:17 * Douglas seo win
08:17 < misse-> garnser, Douglas I've run into another problem now that I've been running server-bridge.. I can connect, I get an IP from openvpn, I get the route to my home network, I can ping and connect to resources at home. But my resources at home can't connect to the VPN client... no route to host, no ARP record.
08:18 < Douglas> misse-
08:18 < Douglas> I don't want to troll you.. so don't take it as one
08:18 < Douglas> but ask the channel, not me and garnser
08:18 < Douglas> :)
08:18 < Douglas> we'll help... but don't address us specifically
08:18 < reiffert> Douglas: pardon?
08:18 < Douglas> reiffert: go to google, search openvpn forum
08:18 < Douglas> tell me what # ovpnforum.com is
08:19 < reiffert> Douglas: why should I, I do know that URL.
08:19 < Douglas> I want to know what it is on google DE edition
08:19 < Douglas> it's #5 for me
08:19 < Douglas> just got on top of openvpn.eu
08:19 < reiffert> allright. exact search terms?
08:20 < Douglas> 'openvpn forum' without the 's
08:20 < misse-> Douglas: you're right though :) where's my manners.
08:20 < Douglas> haha :P
08:20 * Douglas reads
08:20 < reiffert> 4 without. with one sub-topic it's 5
08:21 < Douglas> sweeeet
08:21 < Douglas> :D
08:21 < Douglas> thanks reiffert!
:)
08:21 < reiffert> I'm sorry, but I own a US keyboard on a US installation, my google is in English.
08:21 < Douglas> ah
08:21 < Douglas> I think it's still different per IP
08:22 < Douglas> depending on its geographical location
08:27 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
08:31 -!- master [n=master@pool-98-116-54-40.nycmny.fios.verizon.net] has joined ##openvpn
08:31 < master> !forum
08:31 < vpnHelper> master: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:33 < master> when I add my license it says
08:33 < master> chain_add_license_key:
08:34 < master> what can be the problem
08:34 < Douglas> what the hell
08:34 < misse-> hm. My problem totally disappears when I change the server mode to "mode server" and assign a static address to my tap0 adapter after connecting.
08:34 < Douglas> license?
08:35 < master> yes the license
08:35 < master> which is located at http://www.openvpn.net/index.php/access-server/license-key.html
08:35 < vpnHelper> Title: License Key (at www.openvpn.net)
08:36 < Douglas> ah
08:36 < Douglas> access server
08:36 < Douglas> I've never used it
09:02 < reiffert> Douglas: now I'm at a German google, no hit on the 1st page
09:05 -!- snifff [n=flesh@80-254-76-178.dynamic.monzoon.net] has joined ##openvpn
09:15 -!- thedoc [n=tenacity@38.108.110.106] has joined ##openvpn
09:15 < master> !logs
09:15 < vpnHelper> master: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:15 < master> !howto
09:15 < vpnHelper> master: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
09:19 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:20 -!- YpsyZNC is now known as Ypsy
09:36 -!- kyrix [n=ashley@91-115-20-20.adsl.highway.telekom.at] has quit ["Leaving"]
09:41 -!- snifff [n=flesh@80-254-76-178.dynamic.monzoon.net] has quit [Read error: 60 (Operation timed out)]
09:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:55 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:01 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
10:24 -!- NfNit|oop [n=codyc@ool-4a58802b.dyn.optonline.net] has joined ##openvpn
10:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:31 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
10:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:39 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:47 -!- jeiworth [n=jeiworth@189.177.39.68] has joined ##openvpn
11:05 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
11:06 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
11:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:10 -!- quentusrex [n=quentusr@freeswitch/developer/quentusrex] has joined ##openvpn
11:10 < quentusrex> is there any good way to segregate a VPN?
11:11 < krzee> define segregate
11:11 < hyper_ch> what do you mean by that?
11:11 < quentusrex> I have multiple clients all on the same VPN, and I want to restrict some of the clients to only be able to access their own computers, but allow my servers access to everything.
11:11 < quentusrex> I'm thinking iptables could do something like this,
11:11 < krzee> yes, firewall entries
11:11 < quentusrex> but I wanted to know if there was already something designed for this.
11:11 < krzee> do NOT use --client-to-client
11:12 < quentusrex> but for instance one of my clients has 20 computers he needs to access over the VPN
11:12 < quentusrex> so how do I allow him to access all of his machines, in and out, but not any other computers on the VPN?
11:13 < krzee> [12:11] do NOT use --client-to-client
11:13 < krzee> [12:11] yes, firewall entries
11:13 < krzee> that's how
11:13 < krzee> tbh it's in the howto
11:13 < krzee> !factoids search policy
11:13 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
11:14 < quentusrex> thanks.
11:15 < krzee> yw
11:16 < quentusrex> krzee and do you have any info about how to scale it horizontally? openvpn that is. Sometimes the bandwidth requirements max out the ethernet card...
11:16 < quentusrex> so I'd like to move whole clients onto other machines,
11:17 < krzee> --remote-random
11:17 < krzee> When multiple --remote address/ports are specified, initially randomize the order of the list as a kind of basic load-balancing measure.
11:17 < krzee> !man
11:17 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:17 < quentusrex> yes,
11:17 < quentusrex> but how do I connect the servers to each other??
11:17 < krzee> by connecting them to each other :-p
11:17 < krzee> and pushing the necessary routes around
11:18 < quentusrex> by having them join the other server as clients? or is there a server->server method?
11:18 < quentusrex> are there docs on this?
11:18 < krzee> as clients
11:18 < krzee> it's just 2 ovpn instances
11:18 < krzee> yes, the manual
11:18 < krzee> there's no hand-holding doc
11:18 < krzee> but the manual has everything you need
11:18 < quentusrex> :(
11:18 < quentusrex> ok, thanks.
11:18 < krzee> np
11:21 < quentusrex> is there a reason in the docs why employee is above sysadmin?
11:22 < quentusrex> or is it that sysadmins and contractors are employees?
11:23 < reiffert> there's a howto
11:23 < reiffert> !howto
11:23 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:23 < quentusrex> krzee and is it possible to define a route so that a sysadmin can access a contractor's box, but a contractor can't access a sysadmin's box?
11:24 < garnser> quentusrex: like they pointed out above
11:24 < garnser> iptables
11:24 < quentusrex> reiffert I'm reading the howto, and asking questions about it.
11:24 < quentusrex> garnser, I'm not an iptables guru, I'm asking if it is possible to do 'one way' access.
11:24 < garnser> quentusrex: yes it is possible if you use iptables
11:24 < reiffert> quentusrex: udp is possible one way.
11:25 < reiffert> quentusrex: tcp is a two-way protocol.
11:25 < garnser> like krzee sent:
11:25 < garnser> !factoids search policy
11:25 < vpnHelper> garnser: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
11:25 < quentusrex> ok, so anything that can access a contractor's box through tcp, the contractor can access?
11:26 < reiffert> quentusrex: no.
11:26 < garnser> this is unrelated to whether you use TCP or UDP
11:26 < Bushmills> quentusrex: you'd probably use a different mechanism than routing for this purpose
11:26 < reiffert> let's create a network zombie from quentusrex.
11:26 < Bushmills> (consider that contractor has control over machine, and therefore route on that machine) 11:27 < Bushmills> preventing access to sysadmin machine should be done on sysadmin machine 11:28 < Bushmills> but if you consult sysadmin, he'll probably have a solution 11:35 -!- master [n=master@pool-98-116-54-40.nycmny.fios.verizon.net] has quit [] 12:17 < Yoshi47> problems with pinging/ accessing network, ex ping from "firewall->vpn->remote_server" not working, yet "local_server->vpn->remote_server" works fine, seems like the firewall doesn't know what to do with the packet traceroute doesn't work either. 12:19 < NfNit|oop> So I'm trying to understand the way authentication works with openvpn... I sign someone's key and send them that signature, then they have access. How do I later revoke their access? 12:19 < Yoshi47> NfNit|oop, delete it off your system 12:19 < NfNit|oop> delete, what, their key? 12:20 < Yoshi47> yeah 12:20 < NfNit|oop> but I haven't configured anything to point to their key. 12:20 < Yoshi47> its stored locally so the server can compare it with the one you sent them 12:20 < NfNit|oop> actually, they never sent me the key, only the .csr 12:20 < Yoshi47> then how do they have access 12:21 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"] 12:21 < NfNit|oop> I assume they have access because they go "See, here's my public key! And you signed it! So let me in!" 12:21 < NfNit|oop> But, that seems... wrong. :) 12:22 < Yoshi47> NfNit|oop, yep, you have to setup a vpn tunnel for them to get in, 12:23 < NfNit|oop> but my tunnel only points to *my* keys. 12:23 < NfNit|oop> and if I've used my keys to sign multiple people's CSRs... 12:23 < Yoshi47> then you have nothing to worry about, 12:23 < NfNit|oop> I see no way of revoking access to one of those people. 
12:23 < Yoshi47> your server still needs to have a tunnel that authenticates with their key
12:24 < Yoshi47> thats the beauty of public keys, you just delete the tunnel on your server
12:25 < NfNit|oop> except, I'm using the same tunnel for multiple people.
12:25 < Yoshi47> oh
12:25 < NfNit|oop> I don't want to "delete the tunnel".
12:25 < NfNit|oop> I want to revoke someone's access.
12:25 < Yoshi47> why would you use the same tunnel for multiple people
12:25 < NfNit|oop> because it's nice to configure it once and use it in multiple locations?
12:26 < NfNit|oop> why wouldn't I?
12:27 < Yoshi47> NfNit|oop, different than what i do, i setup an individual one for each person, here is a link to the how to http://www.openvpn.net/index.php/open-source/documentation/howto.html#revoke
12:27 < vpnHelper> Title: HOWTO (at www.openvpn.net)
12:28 < Yoshi47> vpnHelper, can you help me?
12:28 < vpnHelper> Yoshi47: Error: "can" is not a valid command.
12:28 < NfNit|oop> ah, ok.
12:28 < NfNit|oop> I would've sworn that I'd searched for "openssl revoke" earlier and hadn't seen that bit. :)
12:28 < Yoshi47> NfNit|oop, i searched for openvpn revoke
12:29 < NfNit|oop> ah, and I have to give it a crl-verify option.
12:29 < NfNit|oop> There we go.
12:29 < NfNit|oop> This all seems a lot more complicated than it needs to be. SSH Auth is much easier to work with.
12:29 < Yoshi47> vpnHelper, problems with pinging/ accessing network, ex ping from "firewall->vpn->remote_server" not working, yet "local_server->vpn->remote_server" works fine, seems like the firewall doesn't know what to do with the packet traceroute doesn't work either
12:29 < vpnHelper> Yoshi47: Error: "problems" is not a valid command.
12:29 < NfNit|oop> Put a public key in a list of keys that can access a server. *boom* done.
12:30 < Yoshi47> NfNit|oop, don't you hate it when its so simple in the end!
12:30 < NfNit|oop> no, I love it. I wish it were that simple in openvpn. :p
12:31 < Yoshi47> NfNit|oop, im guessing you didn't RTWFM
12:40 < Yoshi47> /join #lightning
12:40 -!- backblue [n=igor@82.102.1.42] has quit ["Ex-Chat"]
12:41 < NfNit|oop> I did RTFM, it's still simpler in SSH. :p
12:44 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
12:45 < krzee> it CAN be more simple in ssh
12:45 < krzee> depending on your goal
12:46 < krzee> if you only need to access the web or other single app bouncing through a machine, ssh forwarding is easier
12:46 < NfNit|oop> 1) have a simple authoritative list of keys that have access to which I can add/remove public keys. :)
12:46 < krzee> if you need EVERYTHING to go through, ovpn is easier
12:46 < NfNit|oop> Oh, I just mean the auth bit.
12:46 < krzee> if you need a list of users to access a lan, openvpn wins
12:46 < NfNit|oop> Yeah, I realize the difference between ssh forwarding and openvpn routing. :)
12:46 < krzee> etc etc
12:47 < krzee> best to know a few ways and the advantages of each, sometimes its easier to use one, other times easiest to use another
12:47 < NfNit|oop> Yes. Totally not what I was talking about. ;)
12:48 < krzee> its less simple in ovpn, but also can be made more secure than standard ssh
12:48 < NfNit|oop> how's that?
12:49 < krzee> ssh you're only talkin bout pubkey priv key
12:49 < NfNit|oop> and?
12:49 < krzee> ovpn you have your own whole pki setup, with DH and a static key, auto-checking to be sure server IS the server
12:49 < NfNit|oop> why do I need a whole pki?
12:49 < krzee> so you have what ssh has, plus a few things
12:50 < krzee> you dont, and you arent forced to use it
12:50 < krzee> which is why i said it CAN be made more secure
12:50 < NfNit|oop> if I want to do pub/priv auth, it appears I am?
12:50 < krzee> you arent forced to
12:50 < krzee> you can use ONLY static key if you like
12:50 < NfNit|oop> oh, but that's not very secure.
12:50 < krzee> agreed
12:51 < krzee> hell, you can even use no encryption OR auth if you like, its very flexible
12:51 < NfNit|oop> I'm just griping because I'd like to both 1) use pub/priv auth 2) have it be as simple as SSH's. :)
12:51 < krzee> on top of what else i said, you can also hook it into ldap/active directory/pam/whatever else you could make yourself via a script in any language
12:51 < krzee> for auth
12:52 < krzee> as well as securing the .key from the cert from local access without password
12:52 < krzee> do you use freebsd?
12:52 < Yoshi47> does anyone have a vpn connection they can test something for me on?
12:52 < NfNit|oop> Debian.
12:53 < krzee> Yoshi47, im using mine right now, so it depends what you wanna know
12:53 < Yoshi47> you're on the end side though right?
13:00 < NfNit|oop> aren't both sides "end sides"
13:00 < NfNit|oop> :)
13:01 < krzee> right
13:01 < krzee> confused me too
13:02 < Douglas> im rubbing my wireless mouse against my chest to clean it
13:02 < Douglas> and my cursor is movign
13:02 < Douglas> moving
13:02 -!- Robuster [n=fff@75.127.95.111] has quit [Client Quit]
13:02 < NfNit|oop> yes. It does that.
13:02  * Douglas 's tit is a mouse pad
13:02 < NfNit|oop> are you high, Douglas?
13:02 < NfNit|oop> :p
13:03 < Douglas> that'd be bad for quadspeedi
13:03 < Yoshi47> krzee, sorry im using ipsec for this site,
13:05 < krzee> Yoshi47, no need to apologize, doesnt bother me if you use ipsec as long as you arent here for help with it ;]
13:06 < Yoshi47> krzee, nope i won't ask for help on that site here dont worry, you know of a good irc for that?
13:07 < krzee> nah but if you find one pls let me know, ild like to know where to send the people that end up here looking for help with that
13:11 < Yoshi47> krzee, ok
13:34 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
13:34 < DammitJim> afternoon....
13:35 < DammitJim> can someone help me with this error I am getting on linux? I can get the VPN to establish on windows, but on linux I get the following:
13:35 < hyper_ch> !configs
13:35 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:40 < DammitJim> working on it
13:41 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"]
13:52 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
13:52 < DammitJim> ok, here it is
13:52 < DammitJim> http://pastie.org/588874
13:53 < DammitJim> no, wait
13:53 < DammitJim> that's wrtong
13:53 < DammitJim> wrong
13:53 < DammitJim> ugh
13:54 < DammitJim> This is the one
13:54 < DammitJim> http://pastie.org/588879
13:54 < DammitJim> I just don't understand why I'm getting the errors once the script wants to add the routes
13:55 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
14:03 < DammitJim> anybody? :)
14:03 < krzee> starting it as root?
14:04 < DammitJim> yes, sir
14:05 < DammitJim> I must be missing something very essential here
14:06 < DammitJim> again.. this same config works on windows (client)
14:06 < DammitJim> and the linux client machine can do a tun connection with another server
14:06 < krzee> also, why tap?
14:07 < DammitJim> someone here told me to do tap for client connection
14:07 < krzee> and how are you handing out IPs?
14:07 < krzee> !tunortap
14:07 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
14:07 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
14:07 < DammitJim> krzee, thank you... I'm learning
14:08 < DammitJim> I was having a hard time getting tun working and someone then suggested a simple tap config and it worked on windows
14:08 < krzee> you also have nothing handing out IPs
14:09 < krzee> see --server and --server-bridge
14:09 < krzee> unless you have a layer2 protocol needing you to run TAP, you should be using tun with server
14:09 < krzee> like this
14:09 < rawDawg> !wins
14:09 < vpnHelper> rawDawg: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
14:09 < krzee> !sample
14:09 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
14:10 < krzee> DammitJim, what is your final goal?
14:10 < DammitJim> krzee, would this code do the handing out of ips?
14:10 < krzee> sharing lans behind the vpn machines?
14:10 < DammitJim> openvpn --mktun --dev tap0
14:10 < DammitJim> brctl addif br0 tap0
14:10 < DammitJim> ifconfig tap0 0.0.0.0 promisc up
14:10 < DammitJim> on the server...
14:10 < krzee> no
14:10 < krzee> thats just to setup the tap bridge
14:10 < krzee> read the howto
14:10 < DammitJim> all I'm doing is trying to access another network
14:10 < krzee> and manual
14:10 < krzee> !sample
14:10 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
14:10 < krzee> !route
14:10 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:11 < krzee> there ya go
14:11 < krzee> go read stuffs
14:11 < DammitJim> krzee, I appreciate all the info
14:11 < krzee> yw
14:11 < DammitJim> please tell me out of all of them, which one is #1 to read
14:11 < krzee> all of them
14:11 < DammitJim> please understand I'm a little bit overwhelmed with all the stuff you just sent me
14:11 -!- c64zottel [n=hans@p5B17AF36.dip0.t-ipconnect.de] has left ##openvpn []
14:11 < krzee> yup, setting up vpn's is not part of beginner networking
14:11 < krzee> can be overwhelming at first
14:12 < krzee> but if you wanna understand it, you get to read a lot
14:12 < krzee> we all did it
14:12 < DammitJim> appreciate it
14:13 < DammitJim> I guess I'll have to tell the other network admin that I'm going to have to postpone this project 'cause I won't be able to get it to work until I read all that and understand it all
14:14 < krzee> very good idea, not just with openvpn but with anything you dont understand
14:14 < DammitJim> good point
14:14 < DammitJim> I just thought we had it since we were able to get it to work with windows
14:20 -!- jeiworth [n=jeiworth@189.177.39.68] has quit [Read error: 110 (Connection timed out)]
14:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:57 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"]
14:58 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
14:59 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
15:02 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
15:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:07 -!- mirco [n=mirco@p54B26441.dip.t-dialin.net] has joined ##openvpn
15:16 -!- jeiworth [n=jeiworth@189.177.121.235] has joined ##openvpn
15:17 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has quit [Read error: 110 (Connection timed out)]
15:58 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"]
16:01 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
16:14 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection]
16:16 -!- mirco [n=mirco@p54B26441.dip.t-dialin.net] has quit [Client Quit]
16:21 -!- quentusrex [n=quentusr@freeswitch/developer/quentusrex] has quit [Read error: 60 (Operation timed out)]
16:26 -!- Ypsy is now known as YpsyZNC
16:33 -!- jaysonsantos [i=c8638543@gateway/web/freenode/x-obkxlrdnjnrqqzbw] has joined ##openvpn
16:34 < jaysonsantos> Hello people, i configured a vpn and I can ping all my internal network in 192.168.10.* and I can't ping an ip like 172.16.22.73, what can that be?
16:37 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
16:47 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
16:53 < krzee> not enough info
17:01 < Douglas> hi krzee
17:02 < krzee> hi
17:02 < krzee> im in manhattan
17:02 < Douglas> wut
17:02 < Douglas> for how long
17:02 < Douglas> and reiffert, you were wrong
17:02 < krzee> til morn
17:02 < Douglas> when did you get there
17:02 < krzee> 17th
17:02 < Douglas> dick
17:03 < Douglas> why didnt you tell me
17:03 < Douglas> i would have bought you food
17:03 < Douglas> lol
17:03 < krzee> lol
17:03 < krzee> you go around manhattan?
17:03 < Douglas> naw, not usually
17:03 < Douglas> i live right outside the city
17:03 < krzee> i thought you were by jersey
17:03 < Douglas> i am
17:03 < jaysonsantos> krzee My vpn is configured to push "route 10.8.0.0 255.255.0.0" and when i try to ping a 172.16.22.73 i don't receive anything
17:03 < Douglas> only time i am ever in the city
17:03 < Douglas> is to go to my datacenter
17:03 < Douglas> which i am moving out of soon
17:03 < krzee> jaysonsantos, whats 172.16.22.73 have to do with anything
17:04 < krzee> that push route and that ip are 100% unrelated
17:04 < Douglas> krzee: forum is #5 on google for me
17:04 < Douglas> #4 for some others
17:05 < krzee> haha you check that pretty often
17:05 < Douglas> nah, i just looked today
17:05 < Douglas> http://dougy.hosting.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com
17:05 < vpnHelper> Title: Statistics for ovpnforum.com (2009-08) - main (at dougy.hosting.secure-computing.net)
17:05 < krzee> you could script it and turn it into an email alert ;)
17:06 < Douglas> meh
17:06 < Douglas> lol
17:06 < Douglas> dont care that much
17:07 < krzee> im reading bout the new keyboard sniffing techniques
17:07 < Douglas> sweet
17:07 < krzee> sniffing the power circuit
17:07 < Douglas> im approving posts on the foryum
17:07 < Douglas> forum
17:07 < krzee> interesting stuffs
17:07 < krzee> nice
17:07 < Douglas> http://www.ovpnforum.com/viewtopic.php?f=5&t=494
17:07 < vpnHelper> Title: OpenVPN Forum View topic - TAP-win32 driver install problems on Vista x64 (at www.ovpnforum.com)
17:07 < krzee> i always forget about that
17:08 < krzee> ecrist, maybe the new bot can integrate into the forum a little bit as well!
17:08 < krzee> as in, announce and whatnot
17:09 < Douglas> that'd be 'weet
17:09 < Douglas> yessss
17:09 < Douglas> new pdu on the way
17:21 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
17:27 < garnser> who maintains the bots?
17:29 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:31 < Douglas> garnser
17:31 < Douglas> which bots
17:31 < Douglas> vpnHelper is krzee's responsibility
17:31 < vpnHelper> Douglas: Error: "is" is not a valid command.
17:31 < Douglas> vpnHelper, die
17:31 < vpnHelper> Douglas: Error: "die" is not a valid command.
17:31 < garnser> ok
17:37 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has quit []
17:37 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
17:38 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
17:45 -!- jaysonsantos [i=c8638543@gateway/web/freenode/x-obkxlrdnjnrqqzbw] has quit ["Page closed"]
17:46 < garnser> Douglas: in regards to the forum-link you sent, I had an end-user with a similar problem running rc19 but it worked fine with rc16
17:50 < Douglas> reply to the thread
17:50 < Douglas> !
17:50 < Douglas> :)
17:51 < garnser> ah don't make me register
17:52 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:52 -!- jeiworth [n=jeiworth@189.177.121.235] has quit [Read error: 110 (Connection timed out)]
17:52 < garnser> *puh* time to go downstairs, getting way too warm here..
17:52 < Douglas> go downstairs and register
17:52 < Douglas> then reply
17:52 < Douglas> :)
17:53 < garnser> lol
17:54 < Douglas> that forum will stay pretty dead unless people join and start posting
17:54 < Douglas> so help it
17:59 < garnser> I will later, meeting now and then dinner at a colleague's house
18:02 < garnser> there
18:02 < garnser> ah and passwords in clear-text, awesome :P
18:02 < Douglas> where
18:03 < garnser> in the confirmation email
18:03 < garnser> http://openvpn.net/index.php/openvpn-cloud/cloud-overview.html btw have you read anything about this, just saw it
18:03 < vpnHelper> Title: OpenVPN Cloud Overview (at openvpn.net)
18:05 < Douglas> nop
18:05 < krzee> i cant swim through the marketing to the tech stuff
18:05 < krzee> too dumbed down
18:05 < krzee> =/
18:08 < garnser> yeah, nothing of technical importance in it
18:08 < garnser> and not true clouding
18:09 < krzee> their "whitepaper" is just an advertisement
18:09 < krzee> heres what a whitepaper looks like
18:09 < krzee> http://dev.inversepath.com/download/tempest/blackhat_df-whitepaper.pdf
18:10 < Douglas> boredom
18:30 -!- hyper__ch [n=hyper@adsl-84-227-41-165.adslplus.ch] has joined ##openvpn
18:30 -!- hyper_ch [n=hyper@adsl-84-226-47-91.adslplus.ch] has quit [Nick collision from services.]
18:30 -!- hyper__ch is now known as hyper_ch
18:36 < |Mike|> sup
18:37 < Douglas> boredom
18:52 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
18:57 < reiffert> .
18:59 < |Mike|> x
19:05 -!- rdircio [n=admin@189.137.161.66] has joined ##openvpn
19:06 < rdircio> hello
19:06 < rdircio> !howto
19:06 < vpnHelper> rdircio: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:07 < |Mike|> aha.
19:07 < |Mike|> hi
19:11 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Leaving"]
19:30 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has quit ["leaving"]
19:55 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
21:10 -!- master_of_master [i=master_o@p549D3DA6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D3BC6.dip.t-dialin.net] has joined ##openvpn
21:25 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
21:49 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
21:49 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
21:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:59 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
22:01 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 60 (Operation timed out)]
22:01 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
22:02 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:22 -!- FluxTendu [n=Cecinest@vpn.itshidden.com] has joined ##openvpn
22:23 < FluxTendu> hi
22:23 < FluxTendu> is there a way to stop routing to internet when vpn is disconnected?
22:28 < thedoc> PPTP vpns?
22:28 < thedoc> Ew.
22:28 < thedoc> That rubbish needs to get deprecated and thrown out of the door already.
22:31 < Douglas> hmm
22:32  * Douglas is building grsec kernels
22:32  * thedoc is building more openvpn servers
22:32 < thedoc> and well, reading up on bgp.
22:38 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
22:39 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
22:42 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
22:51 -!- FluxTendu [n=Cecinest@vpn.itshidden.com] has quit []
22:52 -!- AlexGC [n=admin@201.127.201.55] has joined ##openvpn
22:52 < AlexGC> gentlemen.
22:53 < AlexGC> !redirect
22:53 < vpnHelper> AlexGC: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:54 < AlexGC> Any project devs or collaborators here? Congrats. It was a breeze to setup openvpn! thanks.
22:58 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:06 -!- hyper__ch [n=hyper@adsl-84-226-158-241.adslplus.ch] has joined ##openvpn
23:06 -!- hyper_ch [n=hyper@adsl-84-227-41-165.adslplus.ch] has quit [Nick collision from services.]
23:06 -!- hyper__ch is now known as hyper_ch
23:15 < rdircio> !nat
23:15 < vpnHelper> rdircio: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
23:15 < rdircio> lol
23:15 < rdircio> no !solarisnat ?
23:15 -!- bruce_ [n=bruce@160.39.238.196] has joined ##openvpn
23:15 < rdircio> !fbsdnat
23:15 < vpnHelper> rdircio: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
23:17 < bruce_> anyone use openvpn-admin on gnome? I'm trying to get it to prompt me for user/pass (auth-user-pass-verify in server's config)
23:17 < bruce_> !interface
23:17 < vpnHelper> bruce_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
23:21 -!- rdircio [n=admin@189.137.161.66] has left ##openvpn []
23:24 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
23:25 < AlexGC> Newbie Q: VPS with OpenVPN-as and 5 wan IPs .. I need each connecting client (5 total) to get a random IP to reach the internet. Suggestions? pointers? scenarios? all welcomed.
23:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:37 -!- bruce_ [n=bruce@160.39.238.196] has quit [Remote closed the connection]
23:40 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Connection timed out]
23:41 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Remote closed the connection]
23:43 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
23:45 -!- garnser [n=jpeterss@gw2.mysql.com] has joined ##openvpn
23:46 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
23:53 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Thu Aug 20 2009
00:03 < garnser> evening people
00:03 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
00:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
00:25 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
00:32 -!- bauruine [n=bauruine@85.4.68.228] has quit [Remote closed the connection]
00:35 -!- AlexGC [n=admin@201.127.201.55] has quit [Read error: 110 (Connection timed out)]
00:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:59 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
00:59 < joelsolanki> !route
00:59 < vpnHelper> joelsolanki: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
01:08 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
01:35 < garnser> misse-: around?
01:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:46 < misse-> garnser: yeah
01:47 < garnser> misse-: so I talked a bit with OpenVPN Technologies about your problem, right now I'm waiting to see whether they're going to do any kind of implementation or if someone needs to make a third-party plugin
01:48 < garnser> I started hacking a perl-script yday but the dhclient-libraries for perl were quite bad and I don't know the protocol well enough to do it in C
01:49 < misse-> btw, I've found a working solution for my linux clients. I run an up script which starts a dhcpcd -G on tap0. It works ok.. but networkmanager doesn't seem to support up script, so right now, I have to start and stop the tunnels manually from the cli.
01:49 < misse-> garnser: oh. thanks! :)
01:52 < garnser> misse-: why don't u use dhclient tapX -pf /usr/tmp/dhclient-tapX.pid in the up-script instead
01:52 < garnser> or maybe that will create the same issue with NetworkManager
01:52 < garnser> btw off topic, I was curious, is your nick supposed to represent your cat or you given that you're a Swede?
01:53 < misse-> heh. it's my nick, supposed to represent me being a cat.
01:54 < garnser> ah, fair enough
01:54 < garnser> so given that you're in kista, are you working for some fun company?
01:57 < garnser> misse-: ^
01:57 < misse-> I'm in kista? No, just lived there when configuring openvpn last time.
01:57 < garnser> ah ok
01:57 < misse-> ya damn stalker you :P
01:58 < garnser> lol, you're the one who sent me the verb 6 log :P
01:58 < misse-> and the nickname comes from working in dreamhack crew for the last 4 years.
01:58 < garnser> btw how am I supposed to stalk you when you're tunneling through an IPv5 provider
01:58 < misse-> oh.. right
01:58 < misse-> well you weren't s'posed to read that part :]
01:58 < garnser> s/IPv5/IPv6/
01:59 < misse-> good point
01:59 < garnser> misse-: so I take it that you know offer in that case?
02:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
02:00 < misse-> garnser: yeah. he stayed with me one night this weekend. Needed somewhere to sleep after DHSTHLM.
02:01 < misse-> oh, and if you whois my ipv6net you get my net name and thus my sixxs-handle.
02:01 < garnser> misse-: I wasn't stalkative enough to go that far :P
02:01 < thedoc> misse-, Does your provider issue native ipv6 routable ips?
02:02 < misse-> thedoc: nope. I tunnel through sixxs.net
02:02 < garnser> misse-: No match for "2001:16D8:FF00:359::2".
02:02 < garnser> booh
02:02 < thedoc> garnser, hm
02:03 < misse-> thedoc: they have pretty decent pops.
02:03 < misse-> garnser: :O rly?
02:04 < misse-> you're doing it wrong
02:04 < garnser> misse-: on the other hand we could just do it the old-fashioned way
02:04 < misse-> like, looking up my profile on dreamhacks crew site?
02:04 < garnser> my name is Jonathan Petersson network architect for the MySQL BU @ Sun
02:05 < misse-> oh. THAT old fashion way
02:05 < garnser> misse-: well dreamhacks site isn't as "easy" as birdies whereas there's a direct link in the mainmenu to crew
02:05 < misse-> Mine is Martin Bergman, IT tech. and Virtual server admin for Cybercom IS/IT Services.
02:05 < garnser> I recognize that name
02:06 < misse-> garnser: oh. birdie <3. I should've worked there last time, but work got in the way.
02:06 < misse-> you do?
02:06 < garnser> nah but I've a bunch of friends working there, MySQL has kept me quite busy for the last 4 years
02:06 < misse-> oh. I wrote a small article for IDG.. a really short review for a Dell E6400.
02:07 < misse-> and 3 more, but they haven't published those on the site. only in paper form
02:07 < garnser> *shrug* remote management on Dell-servers sucks....
02:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:08 < thedoc> misse-, Does dreamhacks have a page in english?
02:08 < misse-> uh. yeah, but the E6400 is still a laptop
02:08 < misse-> thedoc: dreamhack.com should be available in english
02:08 < garnser> oh...
02:08 < garnser> my bad
02:08 < thedoc> Funny. google was showing me .se
02:09 < misse-> thedoc: I guess it's the one with more hits. but that one should really also have an english version
02:09 < misse-> haven't you heard of it before though?
02:09 < thedoc> misse-, the .com seems to point to a web domain where it's now been taken over as a random search engine.
02:09 < thedoc> misse-, I'm from the orient, so no.
02:09 < misse-> hm. my bad.
02:09 < garnser> misse-: so given that you're a Virtual server admin, what's your take on KVM?
02:09 < misse-> thedoc: define "orient".. cause they're doing a tour in asia this fall.
02:10 < thedoc> misse-, South East Asia, Singapore. o/
02:10 < misse-> thedoc: then you'll have a chance to check at least the banners out. They're going there as a part of their E-sport trials tour.
02:11 < thedoc> misse-, I'd probably do just that.
02:11 < thedoc> Now, if only defcon was held in asia.
02:11 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
02:12 < misse-> garnser: uhm. I haven't really looked into it professionally, since we're running VMware esx.
02:12 < garnser> ouch... pricey
02:13 < misse-> garnser: so, no take.. yet. I want to try it out at home though. I got quite a bit of hardware when we moved to our new office
02:13 < garnser> misse-: don't bother unless you've VT support and a 64bit hypervisor
02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 < thedoc> Guys, question here.
02:15 < garnser> well, I guess a 64bit distro given that the hypervisor is a part of the kernel
02:15 < thedoc> How best do you think one should try to convince people that they should encrypt/sign their data?
02:17 < garnser> thedoc: don't bother, unless you've a corporate policy enforcing it people wont bother until they realize it themselves
02:18 < thedoc> I see that some of us have had the same problem :P
02:19 < thedoc> garnser, I'm just surprised people have this attitude that, nah, no one is going to be snooping my data.
02:19 < garnser> well given what ISPs are doing today I've kinda given up myself
02:20 < garnser> I used to tunnel all traffic through a site through 2 tier 1 providers but I really don't trust anything today so I figured I should stay "clean"
02:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:21 -!- brizly [n=brizly_v@p4FC9978C.dip0.t-ipconnect.de] has joined ##openvpn
02:21 < thedoc> garnser, I don't get you there, by "clean", do you mean you still tunnel your traffic?
02:22 < garnser> thedoc: clean as in traffic that ISPs/governments don't look into
02:23 < garnser> thedoc: we had a discussion about this yday here, the security really lies with the end-user and the end-user is never secure, period
02:24 < reiffert> mhm.
02:24 < garnser> yay reiffert is alive
02:24 < reiffert> take two blackboxes and dont let the user know he is using some secret security foo.
02:25 < thedoc> garnser, There's no telling what they wouldn't look into.
02:25 < garnser> reiffert: did you read into the DHCP proxy-push I was discussing with misse- yday?
02:25 < reiffert> => no end-user involved, no security that lies with him
02:25 < reiffert> garnser: I can't remember, I think I did not
02:25 < thedoc> garnser, Although I was wondering if an end user to a remote vpn server would be enough security
02:25 < thedoc> with aes-256 bits worth of encryption.
02:26 < thedoc> While aes-256 has no known method of cracking in real time, who knows really.
02:26 < thedoc> \o/
02:26 < reiffert> thedoc: have a close look at the first three places on top 500.
02:28 < thedoc> reiffert, Top 500 of what?
02:29 < thedoc> Super computers?
02:29 < Bushmills> is your goal to protect against snooping of access provider + route, or against attackers on your own LAN?
02:29 < garnser> reiffert: so the issue was around having a bridge server setup and have clients receive DHCP-data from a "corporate" dhcp-server rather than OpenVPN with server, server-bridge, ifconfig or ifconfig-push
02:29 < reiffert> thedoc: yup top500.org IIRC
02:29 < reiffert> garnser: sounds doable.
02:30 < thedoc> reiffert, I do not doubt that using one of those, you could brute force your way through the encryption but how many people have access to such massive amounts of computing power?
02:30 < garnser> the problem today is that this only works in windows since windows automatically triggers a DHCP-request when the interface goes live whereas Linux doesn't do anything unless you explicitly tell it to trigger dhclient via an up-script
02:30 < garnser> so my thinking was to create a ccd dhcp-proxy push-script where the OpenVPN server would make the DHCP-request for the VPN-client and once received push that data to the client
02:31 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: koolkat_
02:31 < reiffert> garnser: a client side --up script, like linux uses for resolv.conf voodoo, should do as well.
02:31 -!- Netsplit over, joins: koolkat_
02:31 < reiffert> ?
02:32 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has quit [SendQ exceeded]
02:32 < garnser> reiffert: sure but that's not a standardized way of doing it since OpenVPN usually pushes IP-information rather than relying on the client to do so
02:32 < garnser> the client doing a DHCP-request that is
02:32 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
02:34 < garnser> but then again I guess NetworkManager might have some way of triggering dhclient upon seeing that a tap/tun interface has been started
02:34 < reiffert> no idea about network manager.
02:35 < garnser> reiffert: well NetworkManager isn't finished yet, I've talked a bit with Dan Williams about the future of it but it's a bit vague
02:36 < garnser> especially now that they're going to move the backend of NetworkManager to netcf
02:36 < reiffert> I wouldn't rely on X11, a window manager and a network manager.
02:36 < garnser> reiffert: since when does X11 have anything to do with NetworkManager
02:37 < garnser> nm-applet != NetworkManager
02:37 < reiffert> networkmanager.sf.net?
02:37 < reiffert> http://projects.gnome.org/NetworkManager/ ?
02:37 < vpnHelper> Title: NetworkManager - Linux Networking made Easy (at projects.gnome.org)
02:37 < garnser> reiffert: http://projects.gnome.org/NetworkManager/
02:38 < reiffert> Depends: libc6 (>= 2.7-1), libdbus-1-3 (>= 1.0.2), libdbus-glib-1-2 (>= 0.71), libgcrypt11 (>= 1.4.0), libglib2.0-0 (>= 2.16.0), libgpg-error0 (>= 1.4), libhal1 (>= 0.5.8.1), libiw29 (>= 28+29pre7), libnl1, libnm-util0, iproute, dhcdbd (>= 1.12-2), lsb-base (>= 3.0-6), wpasupplicant (>= 0.4.8), dbus (>= 0.60), hal (>= 0.5.7.1), ifupdown, adduser
02:39 < reiffert> sounds ok.
02:40 < reiffert> Do you have an idea how many people are actually using network manager?
02:40 < garnser> reiffert: don't get tricked that it's a part of the gnome-project, major distros are using it as the backend to configure network-devices nowadays
02:40 < garnser> it's not really ideal yet but it's getting there
02:41 < garnser> the problem right now is that it lives in init 5 rather than init 4
02:42 < misse-> garnser: I'm not sure, I mean, they're Xeons and 64bit at least.. have to check if they've got VT support
02:43 < garnser> afaik Xeon has had 64-bit support for quite some time, VT is pretty new (2-3 years)
02:44 < misse-> it's gonna be a close one in that case
02:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
02:44 < misse-> they're sunfire v65x's
02:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:45 < garnser> yuck
02:45 < misse-> hey!
02:45 < misse-> they were free.
02:46 * garnser doesn't get why someone buys twice as expensive hardware when you can get an HP box with badass remote-management
02:50 < garnser> sun hardware is never free even if you don't pay for them
02:50 < misse-> garnser: ah, well. 1. They were bought long before my time, so no one ever consulted me. 2. They were bought during the 'happy days' where money wasn't an issue. 3. The project techs are idiots.
02:50 < garnser> lol
02:51 < misse-> I correct myself then: I haven't and will not pay for them, ever.
02:51 < garnser> so what servers would you recommend using?
02:51 < misse-> So far though, they've earned me help when I moved, and some money.. so. yay
02:52 < misse-> HP/Dell
02:52 < garnser> why dell?
02:53 < thedoc> Dell?
02:54 < thedoc> Dell has like horrible hardware.
02:54 * thedoc was just dealing with some major failures over the week.
02:54 < misse-> I like 'em.
02:54 < reiffert> I do as well.
02:55 < garnser> misse-: have you ever used HP's advanced iLO?
02:55 < misse-> In comparison to HP, they've whooped ass in prices, support, delivery times and amount of hw failures.. I realize though that others would have had a completely different experience..
02:56 < misse-> garnser: no. but I've heard it rocks. The problem is, my HP sales guys truly suck.
02:56 < garnser> that's too bad, I called them saying "we're going to buy 100 servers per year, give us discount"
02:56 < misse-> Since we're not tied to any server provider, we always ask HP & DELL. Dell always wins.
02:57 < garnser> whereas I got 25% on anything I bought from them
02:57 < misse-> :D oh well, we're not that big of a server client I guess
02:58 < garnser> you should chat with Magnus Wetterberg @ HP
02:59 < misse-> Last time, I called them both friday saying I needed an offer for four servers, I emailed them a spec, said I wanted an answer as soon as possible. Dell had an offer tuesday, which we modified like 6 times over 2 days and then we ordered. HP came with an offer through dustin a week later, with the wrong specs, wrong price range (even though I'd specifically asked for.. whatever the model was called) and about 5k/server more expensive.
03:00 < misse-> garnser: could you pm me his contact details?
03:00 < garnser> misse-: well add a dot between the first and last name followed by [ at ] hp.com
03:02 < misse-> great.
03:02 < garnser> btw don't mention me, something tells me he's not too happy about Sun acquiring us...
03:04 < misse-> not your fault though.
03:05 < misse-> and hey, he's a salesman. He shouldn't be pissed off, he should be on his knees trying to get back in bed with you.
03:05 < reiffert> :)
03:05 < garnser> lol
03:05 < garnser> anyhow I'm off
03:05 < garnser> 1am and I'm on vacation
03:06 -!- mirco [n=mirco@tmo-109-33.customers.d1-online.com] has joined ##openvpn
03:06 < garnser> gotta sleep before the sun comes up
03:06 < misse-> garnser: sleep tight. (Where are you btw?)
03:06 < reiffert> 1am sounds like .. Hawaii?
03:07 < reiffert> west-coast .us?
03:07 < garnser> Silicon Valley
03:07 < garnser> moved here from Uppsala 2.5 years ago
03:07 < misse-> can't be. there's no way there'd be internet on hawaii.
03:07 < garnser> moving back to sweden in october
03:07 < garnser> lol, misse- there is
03:07 < misse-> pfft.
03:08 < misse-> a hawaiian IT tech? Yeah right.
03:08 < misse-> (did I just make that word up? yeah. yeah I think I did)
03:08 < garnser> well 9.6 kbps modem is technically internet, right? :P
03:08 < misse-> garnser: why're you moving back is a question I'll save for when you're awake next time. Sleep well
03:08 < garnser> hawaiian? that's a word
03:08 < misse-> really?
03:09 * misse- gets a proud fuzzy feeling for having guessed right
03:09 < garnser> misse-: cause Sun can go and burn in hell and there's no way in hell that I'm going to work for Oracle
03:09 < garnser> they obviously belong together...
03:09 < misse-> garnser: soo.. what's left. Microsoft?
03:11 < garnser> well they've been doomed since day 1
03:11 < misse-> true
03:13 < garnser> like vmware :P
03:19 < misse-> but
03:19 < misse-> what kind of a person is my person, really?
03:21 < misse-> I disagree. but.. I'm not really a big fan :] I started out back at home with xen on a pIII 600mhz 512MB ram. THAT was fun.
03:22 -!- ewook [n=ewook@thales.fluffis.se] has quit [Remote closed the connection]
03:28 -!- mirco [n=mirco@tmo-109-33.customers.d1-online.com] has quit [Client Quit]
03:31 -!- saftsack_ [n=oliver@79.199.126.193] has joined ##openvpn
03:39 -!- Bushmills [n=nnnnnnl@verhau.de] has left ##openvpn ["Leaving."]
03:47 -!- Bushmills [n=nnnnnnl@verhau.de] has joined ##openvpn
03:48 -!- oliver__ [n=oliver@p4FC75D04.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
04:53 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
04:56 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
05:02 -!- klaas [n=chatzill@94-224-182-164.access.telenet.be] has joined ##openvpn
05:03 < klaas> !howto
05:03 < vpnHelper> klaas: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:04 < klaas> !route
05:04 < vpnHelper> klaas: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:06 < klaas> !topology
05:06 < vpnHelper> klaas: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
05:06 < klaas> !configs
05:06 < vpnHelper> klaas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
05:06 < klaas> !iporder
05:06 < vpnHelper> klaas: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
05:07 < klaas> !forum
05:07 < vpnHelper> klaas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
05:07 < klaas> !interface
05:07 < vpnHelper> klaas: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
05:10 < klaas> !logs
05:10 < vpnHelper> klaas: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:39 < klaas> Hi, I'm setting up openvpn on a LAN to encrypt the stuff that is being sent between 2 pcs. Both machines are running Vista. They both have gigabit ethernet but I'm only getting 100-150mbit out of the connection. I've disabled both authentication and cypher to test the tunneling speed (which is 100-150mbit). I've tried playing around with mtu settings but no luck so far. Is there anything I...
05:39 < klaas> ...can do to further tweak the settings to gain performance? server config: http://pastebin.com/m3397b006 client config: http://pastebin.com/m29f6b62d
05:45 < bauruine> i have routing problems. any idea why this doesn't work?
05:45 < bauruine> http://pastebin.com/d675756e9
05:46 -!- cpm [n=Chip@border0.avitecture.net] has joined ##openvpn
06:06 -!- c64zottel [n=hans@p5B17AB4C.dip0.t-ipconnect.de] has joined ##openvpn
06:31 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
06:33 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
06:37 -!- brizly1 [n=brizly_v@p4FC99ADF.dip0.t-ipconnect.de] has joined ##openvpn
06:45 -!- bauruine [n=bauruine@85.5.224.95] has joined ##openvpn
06:52 -!- brizly [n=brizly_v@p4FC9978C.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:57 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"]
07:03 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
07:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
07:18 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: CoffeeIV
07:19 -!- Netsplit over, joins: CoffeeIV
07:19 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: CoffeeIV
07:19 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: IcyPolecat, cpm
07:19 -!- Netsplit over, joins: CoffeeIV
07:20 -!- Netsplit over, joins: IcyPolecat
07:22 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:24 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: oc80z, disco-, joelsolanki, CoffeeIV, dazo, ElectricBill, code-, davalex, davidisk1, jreno_, (+3 more, use /NETSPLIT to show all of them)
07:25 -!- Netsplit over, joins: CoffeeIV, joelsolanki, koolkat_, subinacls, oc80z, dazo, davidisk1, disco-, ElectricBill, jreno_ (+3 more)
07:25 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: qknight, thedoc, IcyPolecat, robotti^, dotplus, cpm, _markus_, teddymills
07:26 -!- Netsplit over, joins: cpm, IcyPolecat, thedoc, _markus_, teddymills, robotti^, qknight, dotplus
07:27 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: hyper_ch, Eagleray, krzie, fkr
07:28 -!- Netsplit over, joins: hyper_ch, Eagleray, krzie, fkr
07:28 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: stephenh, sigius, HardDisk_WP, Spockz, pa, solvik, chinsan_, redfox, kaii
07:29 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: master_of_master, c64zottel, brizly1, YpsyZNC, worch, Bushmills
07:29 -!- Netsplit over, joins: sigius, HardDisk_WP, kaii, stephenh, pa, chinsan_, Spockz, solvik, redfox
07:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
07:29 -!- Netsplit over, joins: brizly1, c64zottel, Bushmills, master_of_master, YpsyZNC, worch
07:35 < joelsolanki> Hello All.
07:37 < joelsolanki> right now i have linux server which is acting as vpn server. Behind that vpn server there is 192.168.1.0/24 which i have routed and it's working good. the vpn client is in usa which is windows os and working properly and able to reach the lan behind vpn server.
07:37 < joelsolanki> but now i want to reverse the setup.
07:38 < joelsolanki> means the windows server will act as vpn server and the linux server will act as vpn client. and local lan behind linux server has to be accessible from windows vpn server.
07:38 < joelsolanki> can anyone give me idea on how to do this ?
07:39 < joelsolanki> right now in my current setup on linux vpn server this line does all thing for me. push "route 192.168.1.0 255.255.255.0"
07:39 < hyper_ch> hmmm, when I run the openvpn tunnel on one of my local machines
07:39 < joelsolanki> but when i reverse how do i do ?
07:39 < hyper_ch> I can't then connect to it by ssh from outside over the "usual" public IP anymore
07:40 < hyper_ch> the ssh request doesn't reach the vpned box anymore
07:44 < Bushmills> hyper_ch: fix your route
07:44 < hyper_ch> !route
07:44 < vpnHelper> hyper_ch: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:47 < hyper_ch> Bushmills: I wonder how that helps
07:48 < hyper_ch> Bushmills: from the lan itself I can ping the machine through its normal IP
07:48 < hyper_ch> and from the public IP port 22 is also forwarded to that lan ip
07:49 -!- XitroX [n=xitrox@p4FEB8312.dip0.t-ipconnect.de] has joined ##openvpn
07:49 < Bushmills> i didn't say that *that* helps. i only said that you need to fix your route, because "the ssh request doesn't reach the vpned box anymore"
07:49 < hyper_ch> so when I use from an external machine: ssh user@public_ip I should be able to get into the box
07:49 < XitroX> Hey. A maybe dumb question but why should i use Routing if Bridging seems much easier?
07:50 < Bushmills> XitroX: by bridging, traffic is sent to your box which isn't when using routing
07:50 < hyper_ch> Bushmills: you said "fix your route" so you actually said that helps
07:51 < Bushmills> hyper_ch: the link you get by !route may not be relevant to your problem - which i assumed you referred to as "that"
07:51 < joelsolanki> any suggestions on my problem ?
07:52 < joelsolanki> i think i need to refer to the !route
07:52 < hyper_ch> the whole thing makes no sense: I can ssh into the box using the internal lan ip without issues from other boxes on the lan
07:52 < XitroX> hmm okay. Bushmills i got some problems with my routing. the "server" is an xp box with 2 nics and the client is an ubuntu box. i can ping the server but not with its private-lan-ip. Any Suggestion maybe?
07:52 < hyper_ch> however I cannot ssh into it anymore by using a different internet attached machine and the public ip of my inet connection
07:54 < Bushmills> hyper_ch: traceroute or mtr the hostname or ip address you'd ssh to. look whether traffic goes through openvpn
07:54 < hyper_ch> logging into the openvpn server and then using the vpn ip it works
07:56 < Bushmills> XitroX: ping it with its openvpn ip address
07:58 < hyper_ch> hmmm, ping works fine but traceroute does not
08:00 < XitroX> that works already. but what makes me curious is: the client gets the ip 10.8.0.6 but 10.8.0.5 as "pointopoint" and gets the route from the server config: ""route 192.168.24.0 255.255.255.0"" which results in "route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.5"
08:01 < hyper_ch> as soon as I turn off the vpn again on the lan machine I can ssh into it
08:01 < XitroX> shouldn't the gw be 10.8.0.1 (server)
08:01 < Bushmills> hyper_ch: make sure the ssh server binds to all interfaces, not just to eth0
08:02 < hyper_ch> Bushmills: ah :) good suggestion :)
08:02 < hyper_ch> actually, eth0 is the usual one
08:02 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
08:03 < Bushmills> XitroX: peer address as gateway for client is ok.
08:03 < XitroX> hmm... so the problem might be the server with false routing configuration?
08:04 < Bushmills> XitroX: i don't know. as i recall, you asked why routing instead of bridging.
08:04 < Bushmills> maybe there's a factoid
08:04 < hyper_ch> !forum
08:05 < vpnHelper> hyper_ch: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:05 < Bushmills> !factoids search bridging
08:05 < vpnHelper> Bushmills: No keys matched that query.
08:05 < Bushmills> !bridge
08:05 < vpnHelper> Bushmills: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP
08:05 < vpnHelper> Bushmills: addresses. (but not samba, see !wins)
08:05 < XitroX> yeah because i didn't get the routing to work. so i wanted to know if i could use bridging instead with no big downsides
08:06 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
08:09 < XitroX> thanks for the info. i think i'll stick to bridging and maybe switch later. thank you Bushmills
08:09 < Bushmills> "i can ping the server but not with its private-lan-ip. " that is your problem?
08:11 -!- hetii [i=54b5e5ea@gateway/web/freenode/x-oasayfletkcyzxpu] has joined ##openvpn
08:11 < XitroX> yup
08:12 < hetii> hello :)
08:12 < hyper_ch> !config
08:12 < vpnHelper> hyper_ch: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
08:12 < hyper_ch> !configs
08:12 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
08:13 < hetii> small question: is it possible to set on client config to not allow one of the routes pushed by the server ?
08:15 < Bushmills> hetii: i don't think so. but you can let client execute a script after connect, which removes the offending route(s)
08:16 < hetii> ok, which directive will execute the external script for me ?
08:16 < Bushmills> better solution is probably to setup server to push routes depending on what client connects
08:17 < Bushmills> !connect-script
08:17 < vpnHelper> Bushmills: Error: "connect-script" is not a valid command.
08:17 < Bushmills> !client-connect
08:17 < vpnHelper> Bushmills: Error: "client-connect" is not a valid command.
08:18 < hetii> and when is it exactly executed ? because now i must restart my firewall a few seconds after each interface gets its ip
08:18 < Bushmills> hetii: check openvpn man page for --client-connect
08:19 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
08:19 < Bushmills> !factoids search client-connect
08:19 < vpnHelper> Bushmills: No keys matched that query.
08:19 < hetii> the other solution that you propose is also ok.
08:20 < hetii> so i suppose that i need both/ one to restart my firewall and second to erase/block the double route
08:26 -!- bruce_ [n=bruce@160.39.238.196] has joined ##openvpn
08:26 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:26 < Bushmills> hetii: seems i was wrong - looks like client-connect is server only, not either.
08:26 < hetii> hmmm
08:26 < hetii> that's bad
08:27 -!- connectionVPN [n=hello_wo@83.212.248.23] has joined ##openvpn
08:29 < hetii> but i see in man that openvpn supports if statement, so maybe i can do something like if client_ip=someip: don't push :>?
08:29 < Bushmills> !ccd
08:29 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
08:29 < connectionVPN> anyone involved on openvpn cloud on this chan?
08:30 * cpm wonders what the openvpn cloud is
08:30 -!- XitroX [n=xitrox@p4FEB8312.dip0.t-ipconnect.de] has left ##openvpn []
08:33 < connectionVPN> cpm: http://openvpn.net/index.php/openvpn-cloud/cloud-overview.html
08:33 < vpnHelper> Title: OpenVPN Cloud Overview (at openvpn.net)
08:33 < Douglas> it's a bunch of marketing bullshit
08:35 < connectionVPN> it seems like a hosted vpn solution
08:35 < cpm> looks exactly like marketing hype
08:35 * cpm == Douglas
08:37 < |Mike|> looks like it, yes.
08:37 < connectionVPN> who exactly is openvpn inc ?
08:38 < Douglas> now on that note
08:38 < Douglas> all of you people
08:38 < Douglas> !forum
08:38 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:38 * hyper_ch has opened a new thread in the forum and was happy that his posts didn't first need to be approved by a mod anymore :)
08:44 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
08:52 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
08:54 < ecrist> krzie: it sure could
08:54 < ecrist> good morning
08:54 < ecrist> Douglas: pong
08:56 < Douglas> hi
08:56 < Douglas> no idea what i wanted to ask you
08:58 < ecrist> here's an idea, next time when you ping me, just say what you want. I'll get the message, eventually
08:59 < Douglas> fair nuff
08:59 -!- hetii [i=54b5e5ea@gateway/web/freenode/x-oasayfletkcyzxpu] has quit [Ping timeout: 180 seconds]
08:59 < Douglas> i think i pinged you cuz someone asked something
08:59 < Douglas> and i thought maybe you oculd help
08:59 < Douglas> could
08:59 < Douglas> but you were not around
08:59 < Douglas> that's why i ping you most of the time
09:00 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:00 < ecrist> oh, don't do that
09:00 < Douglas> why bot?
09:00 < Douglas> not
09:08 -!- mirco [n=mirco@tmo-105-101.customers.d1-online.com] has joined ##openvpn
09:09 -!- mirco [n=mirco@tmo-105-101.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
09:11 -!- mirco [n=mirco@tmo-105-101.customers.d1-online.com] has joined ##openvpn
09:14 < klaas> is there any easy way to detect MTU problems on windows, wireshark or so? But then the question remains how do I notice that fragmentation is the problem?
09:15 -!- mirco [n=mirco@tmo-105-101.customers.d1-online.com] has quit [Read error: 54 (Connection reset by peer)]
09:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:19 -!- mirco [n=mirco@tmo-108-32.customers.d1-online.com] has joined ##openvpn
09:36 -!- mirco [n=mirco@tmo-108-32.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
09:47 -!- jeiworth [n=jeiworth@189.177.121.235] has joined ##openvpn
09:58 -!- mirco [n=mirco@tmo-108-32.customers.d1-online.com] has joined ##openvpn
10:01 -!- connectionVPN [n=hello_wo@83.212.248.23] has quit ["This computer has gone to sleep"]
10:02 -!- mirco [n=mirco@tmo-108-32.customers.d1-online.com] has quit [Read error: 104 (Connection reset by peer)]
10:14 -!- jeiworth_ [n=jeiworth@189.177.121.235] has joined ##openvpn
10:15 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn
10:20 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:27 -!- jeiworth [n=jeiworth@189.177.121.235] has quit [Connection timed out]
10:30 -!- thedoc_ [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
10:37 -!- bruce_ [n=bruce@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
10:39 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
10:44 -!- thedoc_ [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
10:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
10:45 < reiffert> moin
10:45 < reiffert> klaas: openvpn --mtu-test or similar
10:45 < reiffert> !factoids search mtu
10:45 < vpnHelper> reiffert: 'mtu-test' and 'mtu'
10:46 < reiffert> !mtu-test
10:46 < vpnHelper> reiffert: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
10:47 -!- bauruine [n=bauruine@85.5.224.95] has quit [Read error: 148 (No route to host)]
10:48 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
10:57 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
10:58 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
11:12 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:12 -!- ksjdf [i=5e9c19f0@gateway/web/freenode/x-vvupjfoyqjvclbjf] has joined ##openvpn
11:12 < ksjdf> hello
11:13 < ksjdf> i need help with openvpn
11:13 < ksjdf> i've managed to run ovpn tunnel between a linux and a windows host
11:13 < ksjdf> i can ping from linux to win, but not vice versa
11:13 < ksjdf> !redirect
11:13 < vpnHelper> ksjdf: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:14 < ksjdf> !def1
11:14 < vpnHelper> ksjdf: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:17 -!- c64zottel [n=hans@p5B17AB4C.dip0.t-ipconnect.de] has left ##openvpn []
11:20 < ksjdf> anyone here
11:21 < ksjdf> http://pastebin.com/d3953dc26 <= my server config
11:21 < ksjdf> http://pastebin.com/d6b4ae527 <= client conf
11:22 < garnser> ksjdf: what does the topic say?
11:23 < ksjdf> !logs
11:23 < vpnHelper> ksjdf: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:23 < garnser> before that
11:23 < ksjdf> i don't have fw
11:23 < garnser> so iptables -L -n -v doesn't return anything?
11:24 < ksjdf> devnull:/etc/openvpn# iptables -L -n -v Chain INPUT (policy ACCEPT 18912 packets, 3031K bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 33 packets, 2802 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 29995 packets, 3757K bytes) pkts bytes target prot opt in out source
11:24 < ksjdf> nope :)
11:24 < ksjdf> wait a second
11:25 < garnser> ksjdf: and if you run a tcpdump on the interface when you ping from windows do you see any traffic?
11:26 < ksjdf> ok - shoot me... windows firewall was somehow turned on
11:26 < garnser> lol
11:29 < ksjdf> !howto
11:29 < vpnHelper> ksjdf: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:30 < ksjdf> !nat
11:30 < vpnHelper> ksjdf: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) don't forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
11:30 < ksjdf> !linnat
11:30 < vpnHelper> ksjdf: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
11:49 -!- ksjdf [i=5e9c19f0@gateway/web/freenode/x-vvupjfoyqjvclbjf] has quit ["Page closed"]
12:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:28 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
12:33 < klaas> is there any setting I can change to increase the tunneling speed except the mtu settings? lzo is off, cypher is off, auth is off
12:43 < garnser> klaas: you can remove the encryption
12:43 < klaas> well the cypher is already off and so is auth, is there any other encryption i'm missing?
12:44 < garnser> ah, nah sry missed that part
12:44 < garnser> you should be getting wire-speed if you turn everything off
12:45 < klaas> i'm getting 150mbit over a gigabit so i'm trying to figure out what's wrong
12:45 < garnser> what CPU do you have?
12:45 < klaas> one is a core2duo laptop and other is a core2duo something should check
12:46 < garnser> ok, how big are the packages you're sending?
12:46 < garnser> and what's the latency between the 2 nodes?
12:46 < klaas> well i've tried both ftp & smb
12:46 < klaas> they're on lan next to each other with a switch between them so <1ms
12:47 < klaas> and i've confirmed that i get a lot more bandwidth when i'm not tunneling
12:48 < garnser> hm
12:48 < garnser> how does your CPU load look when you're tunneling?
12:48 < klaas> http://pastebin.com/m3397b006 & http://pastebin.com/m29f6b62d for the exact configs
12:50 < garnser> looks fine
12:50 < klaas> the side downloading is at 1-25% with peaks to 44%, the side that's uploading is 20-60% and up
12:50 < garnser> only thing I can think of is that the openssl implementation is bad under windows
12:51 < klaas> well if there's no cypher and auth is there still anything being done by openssl?
12:55 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
13:04 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: misse-, Douglas, tjoff, Typone
13:04 -!- ThoMe [i=tm@tm.muc.de] has quit [Read error: 60 (Operation timed out)]
13:04 -!- Netsplit over, joins: misse-, Douglas, tjoff, Typone
13:05 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
13:05 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: Gumbler, sander_, xand, tarbo2_, connectionVPN
13:06 -!- Netsplit over, joins: connectionVPN, xand, Gumbler, sander_, tarbo2_
13:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:14 < garnser> klaas: nah, good point
13:14 < garnser> could be that OpenVPN sucks when it comes to throughput in Windows
13:17 < klaas> or something on the vista machines is severely broken
13:20 < hyper_ch> well, vista is defective by design ;)
13:21 < klaas> very true but sadly enough it's the only option i have atm :(
13:21 < hyper_ch> there's many linuxes out there
13:21 < klaas> it's not that it's on company level ;)
13:22 < hyper_ch> :(
13:22 -!- sander_ is now known as Snadder
13:25 < klaas> hmm is there any tracing tool i might look to search what the cpu is being used by in openvpn when just tunneling and doing no encryption?
13:25 < garnser> klaas: htop
13:25 < hyper_ch> iotop
13:26 < hyper_ch> yeah right, htop not iotop :)
13:26 < klaas> i presume there's no windows variant of it?
13:27 < hyper_ch> windows lacks many useful tools
13:27 < garnser> you've windows on both sides?
13:27 < klaas> aye both vistas
13:27 < klaas> sadly enough :(
13:42 < klaas> hmm found a decent tools it seems Process Monitor, it shows me that most of the calls are being made to EtwActivityIdControl (65%) in tcpip.sys not that it helps but at least i know now :p
13:43 < klaas> decent tool*
13:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 60 (Operation timed out)]
14:14 < klaas> well time to go home, more fiddling over the weekend + next week i guess
14:15 < klaas> but in the end openvpn really rocks damn nice work guys
14:15 -!- klaas [n=chatzill@94-224-182-164.access.telenet.be] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
14:18 < bauruine> how can i debug routing problems?
14:18 < Bushmills> bauruine: mtr, traceroute, route -n
14:20 < bauruine> Bushmills, the route should work, traceroute is blocked at the first vpn gateway :-(
14:21 < Bushmills> !firewall
14:21 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
14:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
15:03 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
15:13 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:14 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Client Quit]
15:15 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:24 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
15:27 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:32 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Client Quit]
15:34 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:40 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
15:42 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:51 -!- triarius [n=vinnix@41.210.201.166] has joined ##openvpn
15:51 -!- triarius [n=vinnix@41.210.201.166] has left ##openvpn []
15:52 -!- genoobie [n=genoobie@pool-96-240-81-132.bflony.east.verizon.net] has joined ##openvpn
15:52 < genoobie> hello
15:52 < genoobie> anyone here?
15:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
15:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:53 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has joined ##openvpn
15:53 < bauruine> genoobie, just ask
15:53 < genoobie> well, it has more to do with nortel's vpn client than openvpn
15:54 < genoobie> the problem is I've installed nortel's vpn and with xp + sp3, it's crashing the system
15:55 < genoobie> I'm trying to figure out how to fix this and I can't call my IT dept for a variety of reasons (namely b/c they're not very bright)
15:55 < bauruine> genoobie, sorry never used it.
15:56 < genoobie> yeah, I figured as much
15:58 < garnser> http://www.reuters.com/article/marketsNews/idINN2053486920090820?rpc=44 meh :(
15:58 < vpnHelper> Title: UPDATE 1-Oracle wins U.S. approval to buy Sun Microsystems | Markets | Markets News | Reuters (at www.reuters.com)
16:00 < bauruine> mhm i have a vpn with tap and try to forward an ip which is routed to the vpn server on to my home router (linux pc with vpn client). i can ping server --> client (public ip) but i can't ping internet --> client (but i can see icmp requests on the server). any ideas about routing? ip_forward is 1 and my routing table looks like this http://pastebin.com/d7dee17c9
16:01 < bauruine> trying for 5 days -.-
16:12 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
16:19 < Bushmills> bauruine: you try to use one of the public ip addresses of your openvpn server to route to your openvpn client?
16:19 < bauruine> Bushmills, yes
16:20 < Bushmills> that's possible. though I have that working with routing config, using tun, only. no idea what to do with tap
16:20 < bauruine> Bushmills, something like this http://forum.prq.se/viewtopic.php?f=2&t=12
16:20 < vpnHelper> Title: prq.se View topic - How to setup internal routing. (at forum.prq.se)
16:22 < Bushmills> i don't think it helps a lot, looking at that text - it after all doesn't seem to give a working solution,
16:23 < Bushmills> but I didn't follow any description to set that up, therefore I can't give you a link to a text describing that.
16:24 < bauruine> Bushmills, you have done something similar?
16:25 < Bushmills> I use routing config, aliased public ip addresses to server NIC, and masquerade incoming packets to client with iptables DNAT
16:25 < bauruine> Bushmills, mhm would also be ok, i've been trying this for 5 days, any working solution is welcome now :-)
16:26 < Bushmills> disadvantage is that client sees the server ip as packet origin only, instead of the real packet origin.
16:28 < bauruine> mhm this sucks because i do nat on the "client" :-/
16:28 < |Mike|> nat on the client, lol !
16:29 < bauruine> prq vpn --> own server --> home router (aka client) --> nat for the lan
16:29 < |Mike|> and your router supports vpn stuff ?
16:30 < bauruine> |Mike|, router = linux box :D
16:30 < |Mike|> okay
16:30 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:31 < bauruine> |Mike|, i have a "working" vpn, i can ping server --> client (over private ip and public ip) but i can't ping internet -->(vpns) --> client
16:31 < |Mike|> euh
16:32 < Bushmills> well, I can
16:32 < |Mike|> you can't ping your own server ?
16:33 < bauruine> |Mike|, i can ping my server.
16:33 < bauruine> my setup is internet ---> prq.se vpn --> own server (root server) --> client (aka linux router at home)
16:34 < |Mike|> wtf is prq.se ?
16:34 < bauruine> |Mike|, a hosting and vpn tunnel provider
16:34 < |Mike|> ah, that makes sense
16:36 < bauruine> which gives me 4 public IPs and one of those i try to route to my home lan to route all my traffic over the vpn
16:37 < Bushmills> routing a public ip address to your home machine is not needed for using openvpn for all your internet traffic
16:37 < Bushmills> !redirect
16:37 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:37 < bauruine> and from my server i have a route for the second ip from prq and can ping my home router with this ip but i can't ping this ip from the internet (the packets stop on my server)
16:37 < Bushmills> that's all you need
16:38 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit]
16:38 < bauruine> Bushmills, but double nat sucks...
16:38 < Bushmills> there is no double NAT
16:38 < Bushmills> just once, on the vpn server
16:39 < bauruine> Bushmills, and on my home router... i don't want to configure openvpn on every pc
16:40 < Bushmills> routing default traffic through vpn suffices
16:43 < Bushmills> prioritise your problems. there are two unrelated things you try to achieve.
16:43 < genoobie> anyone here use nortel vpn client?
16:43 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has joined ##openvpn
16:44 < ativan_> !route
16:44 < vpnHelper> ativan_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:44 < Bushmills> routing your internet access through server, and pinging client from internet, are not related
16:44 -!- koolkat_ [n=kk@amsterdam.perfect-privacy.com] has quit [Read error: 110 (Connection timed out)]
16:45 < ativan_> I have this weird problem, I can ping the gateway but the OpenVPN connection never takes effect, I'm still going over the insecure connection despite OpenVPN being connected
16:45 < ativan_> I mean, I can ping the openVPN gateway
16:45 < Bushmills> what is an "openvpn gateway"?
16:46 < ativan_> the server running openvpn, it has a 10.x IP
16:46 < bauruine> Bushmills, i
16:46 < Bushmills> i know of openvpn clients and openvpn servers
16:46 < ativan_> it's an openvpn server, sorry.
16:46 < genoobie> no prob
16:46 < Bushmills> when you ping the server, do you ping it by its vpn address?
16:46 < genoobie> hey ativan_ do you know where might be a good place to look?
16:48 < bauruine> i want the public ip on my home router. there are thousands of hosts with ips on the internet and everything works, why should it be impossible to route one fucking ip? -.-
16:48 < bauruine> anyway thanks for your help :-)
16:51 < Bushmills> well, yes, you can. but after having done so, your other objective, "to route all my traffic over the vpn", is not touched by that.
16:53 * Bushmills declares that a SEP
16:55 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has quit []
16:59 < bauruine> Bushmills, i have a working setup for that (for the road warriors)
17:00 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"]
17:08 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:34 -!- genoobie [n=genoobie@pool-96-240-81-132.bflony.east.verizon.net] has left ##openvpn ["Leaving"]
18:00 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:02 -!- bruceb [n=bruce@160.39.238.196] has quit [Remote closed the connection]
18:20 -!- subinacls__ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
18:21 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Nick collision from services.]
18:21 -!- subinacls__ is now known as subinacls
18:55 -!- jeiworth_ [n=jeiworth@189.177.121.235] has quit [Read error: 110 (Connection timed out)]
19:13 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has quit [Read error: 104 (Connection reset by peer)]
19:13 -!- Deep_away [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has joined ##openvpn
19:15 -!- Deep_away [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has quit [Client Quit]
19:16 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: misse-, reiffert, mius, tjoff, Douglas, saftsack_, kala, mrnice1, Typone
19:17 -!- Netsplit over, joins: saftsack_, mius, reiffert, kala
19:22 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has joined ##openvpn
19:23 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has quit [Remote closed the connection]
19:23 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has joined ##openvpn
20:13 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
20:20 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Nick collision from services.]
20:21 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn
20:21 -!- subinacls_ is now known as drone
20:36 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit ["This computer has gone to sleep"]
20:44 -!- DeepFrz [n=Phil@wnpgmb0911w-ad03-127-222.dynamic.mts.net] has left ##openvpn []
20:59 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn
21:00 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 54 (Connection reset by peer)]
21:00 -!- Gumbler_ is now known as Gumbler
21:10 -!- master_of_master [i=master_o@p549D3BC6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:13 -!- master_of_master [i=master_o@p549D3571.dip.t-dialin.net] has joined ##openvpn
21:14 -!- drone [n=subinacl@97.100.182.253] has quit [Read error: 110 (Connection timed out)]
21:47 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
21:47 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
21:47 -!- Douglas [i=doug@208.99.80.128] has joined ##openvpn
21:47 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn
21:47 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
21:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
21:55 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
22:06 -!- Douglas_ [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:06 -!- Douglas_ [n=douglas@ool-43503ed4.dyn.optonline.net] has quit [Client Quit]
22:07 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:17 -!- freaky[t] is now known as freaky|bday
22:20 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
23:28 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn
23:47 < thedoc> !linnat
23:47 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
23:58 -!- Ycros [n=ycros@gnaw.yi.org] has joined ##openvpn
23:59 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Fri Aug 21 2009
00:01 < Ycros> guys, I'm trying to get an OpenVPN client running under my windows 7 install, when I run it via the GUI as a normal user I get issues as it tries to set routes, when I try to run it as an administrator, it seemingly ignores the settings in my client config file however
00:02 < thedoc> Ycros, How do you know? :)
00:02 < Ycros> how do I know what?
00:03 < thedoc> It's ignoring your settings?
00:03 < thedoc> Which settings to be exact?
00:03 < Ycros> because it tries to load the wrong cert files
00:04 < thedoc> Ycros, You're pointing to the wrong cert files?
00:04 < Ycros> it tries to load the defaults (ie. client.key client.crt)
00:04 < ecrist> perhaps you're putting the files in the wrong location?
00:04 < Ycros> it works when I run it as my normal user
00:04 < Ycros> and it connects successfully, but it fails at running the route commands
00:05 < Ycros> as admin, it fails early and can't find the files. If I rename my key files to client.* - it then tries to connect to my-server-1
00:05 < Ycros> which is the default example configuration
00:05 < Ycros> ecrist: all files are in \program files\openvpn\config\
00:06 < Ycros> I've tried running openvpn through the gui, from the command line - both with the same results
00:08 * ecrist is tired and goes to bed.
00:10 < Ycros> using Process Monitor I can see that it IS reading in my config file
00:13 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn
00:13 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit [Remote closed the connection]
00:20 -!- subinacls_ [n=subinacl@97.100.182.253] has quit [Read error: 110 (Connection timed out)]
01:22 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has joined ##openvpn
01:25 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
01:32 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
01:32 < thedoc> !linnat
01:32 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
01:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:44 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
01:59 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
02:08 -!- c64zottel [n=hans@p5B17AF61.dip0.t-ipconnect.de] has joined ##openvpn
02:08 -!- c64zottel [n=hans@p5B17AF61.dip0.t-ipconnect.de] has left ##openvpn []
02:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:29 -!- Narel [n=WEILL@90.5.169.217] has joined ##openvpn
02:29 < Narel> Hi
02:30 -!- pernils [n=chatzill@s204h37o1nst0.sip.tyfon.se] has joined ##openvpn
02:30 < Narel> Some problems with my openVPN
02:30 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn
02:30 -!- connectionVPN [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit [Remote closed the connection]
02:30 < Narel> I will try to explain
02:30 < thedoc> Would you like a, 1
02:30 < thedoc> 1) hug
02:30 < thedoc> 2) help
02:30 < thedoc> 3) cuddle
02:31 < thedoc> Please select one of the following options.
02:31 < Narel> 2
02:31 < thedoc> lol
02:31 < Narel> lol
02:31 < thedoc> What seems to be the problem
02:31 < reiffert> no 3 after 1
02:32 < pernils> what is the best solution, tap or tun, for a roadwarrior that must make a windows domain login on the corp. internal lan ???
02:32 < reiffert> pernils: both will work.
02:32 < pernils> which would you prefer ??
02:33 < reiffert> tun.
02:33 < Narel> Server: 192.168.3.0 (Virtual) ; Real LAN Server: 192.168.10.0 = I can ping the virtual LAN IP of the server and the real one 192.168.10.14 but not 192.168.01.1 or 192.168.10.11
02:33 < Narel> real one
02:33 < Narel> Client Network: 192.168.1.0
02:34 < pernils> okey .. I will skip the tap thing then ... have been struggling for a very LONG time now to get this to work ...
02:34 < Narel> /proc/sys/net/ipv4/ip_forward is 1
02:34 < Narel> tun0
02:35 < thedoc> Narel, You lost me there.
02:35 < thedoc> Can you try rephrasing that in a more coherent manner?
02:35 < Narel> I'm french, that's a problem :)
02:36 < Narel> not very good english
02:36 < thedoc> I don't speak french :P
02:36 < Narel> OpenVPN Server LAN: 192.168.10.0
02:36 < Narel> OpenVPN virtual Network: 192.168.3.0
02:37 < Narel> Client Network: 192.168.1.0
02:37 < Narel> I can ping 192.168.10.4 (Real IP of the OpenVPN server)
02:37 < thedoc> right, ok.
02:37 < Narel> I can ping 192.168.10.14 (Real IP of the OpenVPN server)
02:37 < Narel> but not other computers of 192.168.10.0
02:38 < thedoc> Narel, Is this vpn client connected from within your internal network?
02:38 < Narel> no
02:39 < Narel> No VPN client in server part
02:39 < thedoc> Narel, What's your setup like?
02:39 < thedoc> As in, how is this client connecting?
02:39 < Narel> just my computer is connected with OpenVPN client in Vista 64
02:42 < Narel> I must connect with another computer to send you my server config
02:42 < Narel> I can send you the log of my openVPN client if you want
02:43 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
02:43 < Narel> http://pastebin.com/mf5fe019
02:44 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
02:47 -!- kyrix [n=ashley@188-23-177-111.adsl.highway.telekom.at] has joined ##openvpn
02:47 < pernils> I'm missing some major thing here ... and I have got lost in all the FAQs and howtos that I have read ... dev tun will put the roadwarriors on a different subnet than for example my win 2003 server
02:47 < thedoc> hm
02:47 < thedoc> Narel, Can your server ping the 192.168.10.x ips?
02:47 < thedoc> Do you have 2 NICs or just one?
02:47 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 113 (No route to host)]
02:48 < pernils> they will connect to a virtual device .. in this case called tun0 .... when I now check ifconfig .. I can see that tun0 has no ip address assigned to it ..
02:48 < Narel> only 192.168.10.14 VPN server LAN IP
02:48 < Narel> but any others
02:49 < Narel> but not any others
02:49 < pernils> Like this ... tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
02:49 < thedoc> Narel, From your server itself, you can't ping any of the other 192.168.10.x devices?
02:49 < Narel> from my server I can ping all IPs
02:50 < Narel> of its network
02:50 < thedoc> Narel, iptables -L -t nat
02:50 < thedoc> Er, no wait.
02:50 < thedoc> Just do an iptables -L
02:50 < pernils> wrong of me ... it has ...
02:50 < thedoc> In fact, do both really.
02:50 * thedoc slaps himself.
02:50 < Narel> only iptables -L ?
02:51 < Narel> and it solves my problem
02:51 < thedoc> Narel, iptables -L and iptables -L -t nat
02:51 < thedoc> That shows me the iptables setup :p
02:51 < Narel> iptables must be installed ?
02:52 < Narel> no rules in iptables
02:54 < thedoc> Narel, That's the problem :P
02:54 < thedoc> !linnat
02:54 < vpnHelper> thedoc: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
02:54 * thedoc points to linnat
02:55 < pernils> anyone have an openvpn .. and shorewall solution running ???
02:55 < Narel> I don't know how to set up iptables correctly for accessing my network
02:56 < thedoc> Narel, Follow the linnat stuff :)
02:59 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
02:59 < pernils> thedoc .. do you have openvpn and shorewall running ???
03:00 < thedoc> no.
03:00 < thedoc> Just iptables
03:00 < thedoc> and openvpn
03:00 < pernils> too bad ..
03:01 < thedoc> Only 900gb of transfer to go before hitting 1tb
03:04 < pernils> I must be stupid but ... if you have dev tun (virtual device tun0) how do you get this subnet to talk to the other subnet ... in my case .. (tun0 = 10.0.8.x loc = 192.168.100.x)
03:05 < thedoc> routing has to take place.
03:05 < thedoc> iptables would be a good place.
03:09 < pernils> Okey .. then we have stripped it down to that (was my own thought also) .. shorewall is just a script language that just generates the iptables syntax ...
03:31 -!- oliver__ [n=oliver@p4FC75BD4.dip.t-dialin.net] has joined ##openvpn
03:34 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
03:39 -!- saftsack_ [n=oliver@79.199.126.193] has quit [Read error: 145 (Connection timed out)]
03:40 -!- oliver__ [n=oliver@p4FC75BD4.dip.t-dialin.net] has quit [Read error: 54 (Connection reset by peer)]
03:47 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
03:47 -!- pernils_ [n=chatzill@s204h37o1nst0.sip.tyfon.se] has joined ##openvpn
03:48 < svinkels> hello
03:50 < svinkels> when i run openvpn server.conf , i get no such file exists on dh1024.pem , but i have generated this file ...
03:51 < misse-> svinkels: then it's probably not in the same path as you specified in server.conf
03:51 -!- pernils [n=chatzill@s204h37o1nst0.sip.tyfon.se] has quit [Read error: 60 (Operation timed out)]
03:51 -!- pernils_ is now known as pernils
03:54 < pernils> set the path in server.conf ..... in my case dh /etc/openvpn/keys/dh1024.pem
03:54 < pernils> do the same for ca cert key ...
03:55 < pernils> ca /etc/openvpn/keys/ca.cert
03:55 < svinkels> yes
03:55 < pernils> cert /etc/openvpn/keys/server.crt
03:55 < svinkels> it's better :p
03:55 < svinkels> but now :
03:55 < svinkels> http://pastebin.ca/1537439
03:57 < svinkels> my server.conf : http://pastebin.ca/1537443
03:57 < pernils> norway ???
03:58 < svinkels> French
03:58 < pernils> ok
03:58 < svinkels> i'm
03:58 < pernils> sweden ..
03:58 < svinkels> sorry for my poor english
03:58 < pernils> first part Fri Aug 21 11:00:08 2009 WARNING: you are using chroot without specifying user and group -- this may cause the chroot jail to be insecure
03:59 < pernils> make a proper chroot ....
04:00 < svinkels> i use nobody ?
04:00 < svinkels> i must use
04:00 < svinkels> ..
04:00 -!- kyrix [n=ashley@188-23-177-111.adsl.highway.telekom.at] has quit ["Leaving"]
04:02 < svinkels> i add this line in my server.conf : user nobody
04:02 < svinkels> group nobody
04:04 < pernils> that should be okey .. I think I'm also a newbie ... but what do you get when you do ls -l on the dir where openvpn is located ... in my case I have root as owner and usergroup root
04:04 < pernils> like ...
04:04 < pernils> drwxr-xr-x 3 root root 1024 2009-08-21 10:59 openvpn
04:06 < pernils> http://pastebin.ca/1537443
04:07 < pernils> on row 37 .. you have a strange line chroot /etc/openvpn
04:07 < svinkels> where must i chroot ?
04:08 < pernils> na .. it's better that you ask someone who knows what they are doing ...
04:08 < pernils> try to remove the line chroot /etc/openvpn from server.conf ...
04:08 < svinkels> drwxr-xr-x 2 root root 4096 août 20 11:34 openvpn
04:08 < pernils> or put a # in front of it ...
04:09 < pernils> just wondering .. have you made a symbolic link from /etc/openvpn/server.conf to /home/svinkels/server.conf
04:10 < svinkels> now i have : http://pastebin.ca/1537450
04:10 < svinkels> now my server.conf is : http://pastebin.ca/1537452
04:10 < dazo|h> svinkels: in general .... scandinavians should not be allowed to complain about bad English .... not before having visited central Europe for a longer time ;-)
04:11 < dazo|h> svinkels: chroot .... do you know what that feature does?
04:11 < svinkels> lol dazo
04:11 < svinkels> i love google translator !
04:12 < dazo|h> :)
04:12 < svinkels> yes i know chroot .. i use chroot for my personal FTP
04:12 < pernils> I was not complaining about bad english ...
04:13 < svinkels> but here, with VPN i don't understand what chroot
04:13 < dazo|h> svinkels: good! :) Not everyone knows ... but then I'll skip the basic part :)
04:13 < svinkels> it's true pernils didn't complain
04:14 < dazo|h> svinkels: an openvpn chroot is basically the same as ftp chroot :) .... it's a directory where basically only --client-config-dir files can be found .... or if that feature is not used, it could be an empty directory
04:15 < dazo|h> that directory should be read/writeable only to the user openvpn runs as (user / group config)
04:15 < svinkels> but VPN is access to a lan, not to file share ...
04:16 < dazo|h> svinkels: yeah, but if the openvpn process is rooted somehow .... it will have to break out of a chroot to access system files
04:16 < dazo|h> svinkels: so it's a second line of defence
04:17 < dazo|h> svinkels: all daemons accepting connections from the Internet should in general be chrooted, to provide a bit higher security
04:17 < pernils> is there an easy way to see which daemon runs as what user/group ??
04:18 < pernils> mc
04:18 < dazo|h> pernils: in *nix based ..... ps
04:18 < dazo|h> on linux ... ps faxuw
04:19 < pernils> that was easy to remember .. ps faxuw .. :(
04:20 < svinkels> dazo, my way (that i would like) a VPN + Squid on my personal computer, to use from my work computer and have no restrictions on the internet, you understand ? so i don't know where i must chroot ...
04:21 < dazo|h> pernils: f - "forest", prints processes in a tree ... a - all .... x - lists all processes without tty in addition .... u - more user info .... w - wide listing
04:21 < svinkels> lol, i am ashamed of my english
04:21 < pernils> writing it down ...
04:21 < dazo|h> svinkels: no worries ... the thing is that many just create a chroot dir themselves .... f.ex /var/chroot/openvpn .... and then set the chroot param to that directory in the config
04:23 < dazo|h> pernils: you can also do ls -l /proc .... all the numeric directories are directories which contain info about a different process, and the directory number is the process ID (pid)
04:23 < svinkels> or i mkdir a /home/svinkels/VPN ... ?
04:23 < dazo|h> svinkels: yeah
04:23 < dazo|h> svinkels: it does not matter where the directory lies (unless you're using a more restrictive SELinux setup, then /home should be avoided)
04:25 < svinkels> ah
04:26 < svinkels> in the doc on openvpn.com : http://openvpn.net/archive/openvpn-users/2005-12/msg00181.html the chroot is in /etc/openvpn/ovpn_jail
04:26 < vpnHelper> Title: [Openvpn-users] OpenVPN : chroot directive + client-connect script (at openvpn.net)
04:27 < dazo|h> svinkels: yeah ... I personally find it a bit messy placing chroots in /etc .... and I usually have /var/chroot/ ... then I know quite easily where chroots are to be found
04:28 < svinkels> dazo can you pastebin your server.conf ?
04:28 < dazo|h> svinkels: but when using chroot .... using --user and --group is, IMO, required .... if you start openvpn as root, there are techniques to escape chroots .... but only root may manage that ...
04:29 < svinkels> i don't run openvpn in root ?
04:30 < svinkels> i mustn't run openvpn in root ?
04:30 < dazo|h> svinkels: as root ... as the root user
04:30 < dazo|h> svinkels: you have two root scopes in Unix .... root on the file system - / .... and the root user ... which has the uid and gid 0
04:31 < svinkels> oh ?
04:31 < svinkels> i didn't know that
04:32 < dazo|h> svinkels: the root user ... that's the administrator user
04:32 < svinkels> yes
04:32 < svinkels> i know this !
04:32 < svinkels> but the other i don't know
04:33 < dazo|h> svinkels: http://pastebin.ca/1537471
04:35 < dazo|h> svinkels: in my config .... I also use --client-config-dir /etc/openvpn/clients .... and since I use --chroot /var/chroot/openvpn .... I then need to have a directory on the file system /var/chroot/openvpn/etc/openvpn/clients .... could probably be a little overkill, but I like this style ... that's a matter of taste
04:36 < dazo|h> svinkels: it's important that all processes on a system run with as few privileges as possible ... so that's also why using --user and --group helps out in this aspect ... but then, the chroot dir should normally be owned by that user as well
04:37 < dazo|h> svinkels: as a minimum, the user running the process must be allowed to enter that chroot directory
04:39 < svinkels> ok
04:39 < svinkels> thx
04:40 < dazo|h> np
04:41 < svinkels> I understood, but I'm afraid of suddenly doing harm and creating a security hole on my personal machine. I do not know where to begin or continue! I hope google translated well!
04:54 < pernils> thanks for this lesson ... seems that my box is a huge security hole .. not so big that it will start pulling keyboard, chair etc. into that black hole ... Have some reading in front of me ... (again)
05:01 < ThoMe> hello
05:01 -!- ThoMe [i=tm@tm.muc.de] has left ##openvpn []
05:02 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
05:02 < ThoMe> hello
05:02 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
05:10 < dazo|h> Hi'ya
05:15 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
05:20 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
05:30 -!- YpsyZNC is now known as Ypsy
05:31 -!- Ypsy [n=ypsy@geekpadawan.de] has left ##openvpn ["WeeChat 0.2.6.3"]
05:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:34 < pernils> would someone be helpful with the route in server.conf .... I can't figure that out ...
06:35 < pernils> some info on the configuration
06:35 < pernils> loc 192.168.100.x internal lan
06:36 < pernils> net 62.63.x.x ip address of the gateway that is used to connect to the internet
06:36 < pernils> tun 10.8.0.x address of the openvpn tunnel
06:37 -!- brizly [n=brizly_v@p4FC99C0B.dip0.t-ipconnect.de] has joined ##openvpn
06:37 < pernils> want to make roadwarriors on the tun dev see the loc network 192.168.100.x
06:38 < dazo|h> pernils: in server config .... push "route 192.168.100.x 255.255.255.0", I'd presume
06:38 < pernils> testing ...
06:40 < pernils> I had already done that .. I saw now ... push "route 192.168.100.0 255.255.255.0"
06:41 < pernils> the client can connect .. gets its ip 10.8.0.6
06:41 < pernils> openvpn server has 10.8.0.1
06:46 < pernils> but i can't reach the loc (192.168.100.x) from the roadwarrior ....
06:50 < pernils> been on this for some hours now .... Wonder if it would be easier to change to dev atp instead and set up the brctl utility
06:50 < pernils> dev tap
06:53 -!- brizly1 [n=brizly_v@p4FC99ADF.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:55 < pernils> in server.conf what is the difference between ifconfig and server .............. server does the dhcp thing .. but ifconfig is just "server" to client ...??
06:56 < dazo|h> pernils: have you checked your firewall?
06:57 < dazo|h> pernils: the difference between ifconfig and server ... is described in the man page .... server is basically a "macro", doing a few more needed config options in addition
06:58 < pernils> yes IMO it seems okey .. have shorewall .. have you some experience with that one ..
06:58 -!- subinacls_ [n=subinacl@97.100.182.253] has joined ##openvpn
06:59 < dazo|h> pernils: no, I've just used openvpn in a lot of different environments ... misc. Linux distros, Windows clients, dd-wrt and openwrt
06:59 < pernils> have read the howto on shorewall's homepage .. so many times now ..
07:00 < pernils> this push route, will that show in the client routing table ?
07:00 < dazo|h> yes, it should
07:00 < dazo|h> pernils: but openvpn must be started with admin/root privileges on the client
07:01 < pernils> the client is win_xp .. and like everybody else you always log in as admin (bad habit)
07:02 < dazo|h> :-P
07:02 < dazo|h> well. "Run as ..." works well ;-)
07:02 < pernils> yepp ...
07:03 < dazo|h> pernils: if you add --verb 4 to the config files .... could you post your logs?
07:03 < pernils> strange .. I restarted the roadwarrior for the millionth time and now I can get ping to the loc subnet
07:05 < pernils> the only thing that I can recall that I have done is change in /etc/shorewall/interfaces road tun+ .... to ..... road tun0
07:06 < pernils> I was sure that tun+ was a wildcard for every tun tun0 tun1 tun2 ....
07:07 < dazo|h> in iptables, tun+ should be wildcard, yes
07:07 -!- Narel [n=WEILL@90.5.169.217] has quit ["Quitting"]
07:08 < dazo|h> but I don't know the shorewall config syntax
07:08 < pernils> It could also be (guessing) that shorewall must always be restarted after some changes in openvpn ...
07:08 < dazo|h> only if ipaddresses and/or interfaces change, I'd guess
07:09 < pernils> the page that I have been looking at so many times that it has now started to fade is ... http://www.shorewall.net/OPENVPN.html
07:09 < vpnHelper> Title: OpenVPN Tunnels and Bridges (at www.shorewall.net)
07:17 < dazo|h> hmm
07:17 -!- subinacls_ [n=subinacl@97.100.182.253] has quit [Read error: 110 (Connection timed out)]
07:24 < pernils> the thing that I want to accomplish is that a roadwarrior will be able to connect to a MPS system running under Sybase database engine. So next thing is to make a domain login on the 2003 server ...
07:25 < pernils> any chance that someone could point me in the right direction ...
07:27 < pernils> or is the answer so easy that I just login to the domain and not to local win_xp at boot up
07:29 < pernils> ... think I found the answer ... make openvpn a service on the xp client
07:29 < pernils> but I must specify the WINS server
07:33 < pernils> openvpn as a service was just to make it .. automatic instead of manual
07:34 < pernils> so the last step is just to change in server.conf push "dhcp-opption WINS 192.168.100.8" right ??
07:34 < dazo|h> sounds right
07:34 < pernils> opption with one p .. option
07:35 < dazo|h> option sounds even more correct ;-)
07:39 < pernils> strange ..
that small error in /etc/shorewall/interfaces road tun+ should be road tun0 has caused me 8 hours of struggling ... sometimes windows seems more user friendly ...
07:45 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
07:48 < pernils> Warning: route gateway is not reachable on any active network adapters: 10.8.0.5 ... hmmm
07:50 < dazo|h> uhh?
07:50 < pernils> have that on the client
07:50 < dazo|h> yeah, I understood
07:51 < dazo|h> how does the ip config look at the client side after the tunnel is established?
07:53 < pernils> the vpntap has ipaddress 10.8.0.6 and dhcp server 10.8.0.5 and WINS server 192.168.100.8 but no standard gateway ...
07:53 < pernils> and also a strange netmask ... 255.255.255.252
07:53 < dazo|h> that's a normal netmask for p-t-p links
07:54 < dazo|h> can you ping 10.8.0.5 from the client?
07:55 < pernils> nope .. searching the server.conf file ...
07:56 < pernils> server 10.8.0.0 255.255.255.0
07:57 < pernils> route 10.8.0.0 255.255.255.0 10.8.0.1
07:57 < dazo|h> mm
07:57 < pernils> push "route 192.168.100.0 255.255.255.0"
07:58 < pernils> push "dhcp-option WINS 192.168.100.8"
07:58 < pernils> push "dhc-option DNS 192.168.100.8"
07:58 < dazo|h> I'm usually a little bit confused by these openvpn p-t-p links .... but it seems to look sensible .... but because of how openvpn implements p-t-p, it uses 4 ipaddresses on each node (network, remote, local and broadcast address) .... so that's why the client has the .252 (/30) netmask
07:59 < pernils> ok
08:00 < pernils> anyway the above is from the server.conf, something that could be removed or
08:01 < pernils> is the route 10.8.0.0 255.255.255.0 10.8.0.1 needed ?
08:02 < dazo|h> no, these extracts seem to be very fine .... I would try to not add 10.8.0.1
08:02 < dazo|h> just .... route 10.8.0.0 255.255.255.0
08:05 < pernils> tested .. and it worked ..
but I have to restart shorewall every time I change something it seems
08:07 < pernils> could it also work without the route .. line ?
08:13 < pernils> yes it does ... .. seems that if I have restarted Shorewall .. then I must restart Openvpn
08:15 -!- limx [n=limx@dslb-084-062-075-165.pools.arcor-ip.net] has joined ##openvpn
08:15 < limx> hi
08:16 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
08:16 < pernils> another error .. I had the line > push "dhc-option DNS 192.168.100.8" it is missing a p, that was why I didn't get the DNS on the vpntap on the roadwarrior
08:20 < pernils> But I'm missing the standard gateway on the vpntap on the client (xp) .. Must be the reason that I can't find the domain controller that sits on the other side of the vpn tunnel ....
08:37 -!- limx [n=limx@dslb-084-062-075-165.pools.arcor-ip.net] has quit [Remote closed the connection]
08:44 < dazo|h> pernils: so you want to route all internet traffic via the vpn tunnel?
08:45 < dazo|h> pernils: if that's the question --redirect-gateway is the option you'll need to dig into
08:52 < pernils> nope that is not the case .. just wondering whether a domain login must have a gateway ... but have found the answer ... 2003 didn't have a wins server .. have done it now .. testing ...
08:54 < pernils> nah didn't work this time ... when I try to change the client xp to be part of a domain .. I get the answer that the domain could not be found ...
08:55 < dazo|h> pernils: you are aware that it can take some time before windows recognises new dns servers?
08:55 < dazo|h> pernils: on the mailing list, it's been discussed lately
08:55 < dazo|h> (openvpn-users)
08:56 < dazo|h> with a few suggestions for windows --up scripts to make windows catch the change quicker
08:58 < dazo|h> !tuntap
08:58 < vpnHelper> dazo|h: Error: "tuntap" is not a valid command.
08:58 < dazo|h> !tun
08:58 < vpnHelper> dazo|h: Error: "tun" is not a valid command.
08:58 < dazo|h> !factoids search tun
08:58 < vpnHelper> dazo|h: 'mactuntap' and 'tunortap'
08:58 < dazo|h> !tunortap
08:58 < vpnHelper> dazo|h: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
08:58 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
08:59 < pernils> !wins
08:59 < vpnHelper> pernils: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
08:59 < dazo|h> heh
08:59 < pernils> !lol
08:59 < vpnHelper> pernils: Error: "lol" is not a valid command.
08:59 < pernils> hmm .. nice one
09:00 < dazo|h> :)
09:01 < pernils> okay ... thanks for everything, got to go ...
09:01 < dazo|h> np! :)
09:01 < pernils> !bye
09:01 < vpnHelper> pernils: Error: "bye" is not a valid command.
09:01 < pernils> part sig out
09:02 -!- pernils [n=chatzill@s204h37o1nst0.sip.tyfon.se] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
09:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:10 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
09:46 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
10:03 -!- Netsplit calvino.freenode.net <-> irc.freenode.net quits: stephenh, sigius, pa, Spockz, solvik, HardDisk_WP, chinsan_, redfox, kaii
10:03 -!- chinsan [i=chuck-th@72.21.49.42] has joined ##openvpn
10:03 -!- Netsplit over, joins: sigius, HardDisk_WP, kaii, stephenh, pa, chinsan_, Spockz, solvik, redfox
10:17 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:17 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
10:17 -!- Yoshi47 [n=jan@firewall.walinga.com] has quit ["Leaving"]
10:17 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit
[Remote closed the connection]
10:27 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
10:33 -!- chinsan_ [i=chuck-th@chinsan.info] has quit [Connection timed out]
11:06 -!- sera|work [n=wolf@g227039149.adsl.alicedsl.de] has joined ##openvpn
11:07 < sera|work> http://openvpn.net/archive/openvpn-users/2007-05/msg00155.html <-- i have the same problem, using pkcs12-files from tinyca on client and server...
11:07 < vpnHelper> Title: [Openvpn-users] Connection resets (at openvpn.net)
11:10 < sera|work> hm, okay, i made an error generating the certificate as it seems, it's working with a new one :)
11:10 -!- sera|work [n=wolf@g227039149.adsl.alicedsl.de] has left ##openvpn ["Leaving"]
11:14 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:28 -!- jeiworth [n=jeiworth@189.177.39.68] has joined ##openvpn
11:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
11:59 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
12:00 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
12:13 -!- limx [n=limx@dslb-092-072-204-204.pools.arcor-ip.net] has joined ##openvpn
12:13 < limx> hey
12:13 < limx> i just installed openvpn and it works great when I start it manually
12:14 < limx> i connected to my university's vpn server with username/password
12:14 < limx> but openvpn doesn't use the --auth-user-pass /root/pass command line argument?
12:14 < limx> I want to put it in init.d/ to let it autostart
12:15 < limx> /root/pass contains 2 lines, first line username and second with password
12:25 < limx> okay, i got it
12:25 < limx> needed to compile with a special flag
12:29 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
12:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
12:39 -!- boobam [n=randomst@80-47-85-135.lond-hex.dynamic.dial.as9105.com] has joined ##openvpn
12:41 < boobam> !howto
12:41 < vpnHelper> boobam: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:58 -!- ruben23 [n=RPL@122.55.48.243] has joined ##openvpn
12:58 < ruben23> hi
13:00 -!- jeiworth_ [n=jeiworth@189.177.30.75] has joined ##openvpn
13:01 -!- jeiworth [n=jeiworth@189.177.39.68] has quit [Read error: 54 (Connection reset by peer)]
13:06 < ruben23> hi can i deploy openvpn between my two remote sites to create one network..?
13:09 < cpm> yes you can
13:09 < cpm> or rather, you may, whether you can or not is up to you
13:09 < cpm> this is known as a bridge.
13:11 < ruben23> cpm: openvpn is capable of that..? and is it easy to setup...what do i need in terms of hardware for it..?
13:13 < cpm> http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
13:13 < vpnHelper> Title: Ethernet Bridging (at openvpn.net)
13:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:32 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
13:32 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
14:04 -!- bruceb [n=bruce@160.39.238.196] has quit [Read error: 145 (Connection timed out)]
14:16 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
14:20 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
14:26 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
14:30 -!- limx [n=limx@dslb-092-072-204-204.pools.arcor-ip.net] has quit [Remote closed the connection]
14:30 < boobam> hi, I'm a total n00b, I'm following this guide to setting up OpenVPN on CentOS 5 http://www.webhostingtalk.com/showthread.php?t=595436
14:30 < vpnHelper> Title: HOWTO OpenVPN setup guide for FC3, FC4, FC5, CentOS and others,connecting via Windows - Web Hosting Talk (at www.webhostingtalk.com)
14:31 < boobam> when I try #./build-ca it asks for an argument, and I don't know what argument to give it
14:31 < krzee> you must not have sourced vars
14:31 < krzee> . ./vars
14:32 < boobam> oh you're right, I messed up, thanks krzee
14:33 < krzee> yw
14:35 < boobam> hrm, it still doesn't seem to work
14:41 < boobam> disregard my previous comment, I had edited vars incorrectly
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:02 -!- lampliter [n=esj@harvee.org] has joined ##openvpn
15:04 < lampliter> on a Windows client, I need to mount a network share after the VPN has come up. disarray documentation to doing this?
15:04 < lampliter> Sorry, speech recognition error.
Disarray should be "is there any documentation on doing this"
15:19 < dazo|h> !wins
15:19 < vpnHelper> dazo|h: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
15:19 < dazo|h> lampliter: ^^ ... this might help
15:22 * dazo|h starts looking for the bed
15:22 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"]
15:26 -!- Spockz [n=spockz@71pc198.sshunet.nl] has quit ["Ciao"]
15:26 < boobam> hi, if I've created a client key with ./build-key client1 so I have files client1.csr and client1.key and so forth, can I change the name of these files on both ends of the VPN tunnel without creating a problem?
15:30 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has left ##openvpn []
15:33 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:33 < Dougy> wow this chan is empty
15:36 < lampliter> it is amazing
15:36 < lampliter> I'm trying to research what tool I can use to tell if the VPN is up. Any ideas?
15:37 < Dougy> ps
15:42 < boobam> how do I go about working out why "service openvpn start" fails?
15:43 < Bushmills> log files
15:45 < boobam> where would I find the pertinent file?
15:45 < Bushmills> name is specified in your configuration
15:48 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
15:48 < boobam> my configuration is modelled on this http://www.designpc.co.uk/downloads/server.conf am I missing where it specifies the log?
15:49 < Bushmills> yes. specify a log file, try to start, then look at the log file
15:50 < boobam> how do I specify a log file? I apologise for my ignorance
15:51 < Bushmills> man page tells you
15:51 < Bushmills> !log
15:51 < vpnHelper> Bushmills: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
15:52 < boobam> !logs
15:52 < vpnHelper> boobam: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:53 < boobam> !howto
15:53 < vpnHelper> boobam: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:56 < boobam> so adding a line ";log openvpn.log " should create a log file in /etc/openvpn ?
15:57 < lampliter> I'm not finding anything good for programmatically detecting if the VPN is up on a Windows client
15:57 < lampliter> any suggestions?
16:01 -!- mutombo^ [n=pajo@77.29.173.79] has joined ##openvpn
16:02 < Bushmills> lampliter: test whether the vpn interface is up
16:05 < boobam> bushmills, can you point me in the right direction to getting logs to work? I've added log openvpn.log to my server conf but it doesn't seem to be writing anything
16:05 < Bushmills> boobam: specify path and filename
16:06 < boobam> bushmills: like this? "log /etc/openvpn/openvpn.log"
16:06 < mutombo^> can anyone here point me to somewhere on making a double vpn ?
16:06 < Bushmills> would work, but /etc is not exactly a great place to put log files into
16:07 < mutombo^> something like this: client -> Openvpn1 -> Openvpn2 -> Internet
16:07 < boobam> it's just that that's what I've got at the moment, and it's not writing anything when it fails to start
16:07 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
16:08 < boobam> I'm just trying to set up a single-user vpn on a vps so it's ok if it's a little messy :P, I'm a bit of a noob as I'm sure you can tell
16:09 < Bushmills> boobam: stop it (in case openvpn does run), then start it again
16:11 < boobam> bushmills: it still doesn't seem to be working http://pastebin.com/da6a3f4
16:11 -!- prg3 [n=prg3@playground.cein.ualberta.ca] has joined ##openvpn
16:12 < Bushmills> your (empty) log file is 3 minutes older than openvpn-status.log, which again is older than your config file?
16:14 < prg3> Is there any magic way to setup a server, where all of the client configs point at a single port, and have the server round robin it to whatever OVPN service ports are alive?
16:14 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:14 < Dougy> !howto
16:14 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:14 < prg3> .. assuming you can use the same config for all of them, except differing port numbers.
16:18 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit]
16:22 < boobam> bushmills, I thought I had to #touch openvpn.log which is why the empty file exists
16:23 < boobam> if I rm those files, nothing happens at all in the way of logging
16:23 < Bushmills> no need to touch. remove it
16:24 < Bushmills> try to start openvpn directly, with --conf specifying path and name of your config file
16:24 < Bushmills> ehm ...
--config, that is
16:25 < Bushmills> or just openvpn /path/to/your/configfile
16:26 < boobam> oh, that helps, that points me to the error in my server.conf
16:28 < mutombo^> any help for me ?
16:28 < boobam> I'm using the conf file here http://www.designpc.co.uk/downloads/server.conf and replacing the #### with my public nameservers as it suggests, but doing so gives me an Unrecognized option or missing parameter(s) error
16:29 < boobam> oh my god I'm a moron
16:35 -!- boobam_ [n=randomst@95.154.207.110] has joined ##openvpn
16:35 < boobam_> lol, thank you bushmills, that works fine, I was just being a huge idiot
16:38 -!- boobam_ [n=randomst@95.154.207.110] has quit [Client Quit]
16:42 -!- subinacls_ [n=subinacl@253.182.100.97.cfl.res.rr.com] has joined ##openvpn
16:47 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has joined ##openvpn
16:52 -!- mutombo^ [n=pajo@77.29.173.79] has quit [Read error: 110 (Connection timed out)]
16:52 -!- boobam [n=randomst@80-47-85-135.lond-hex.dynamic.dial.as9105.com] has quit [Read error: 110 (Connection timed out)]
17:09 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
17:11 -!- prg3 [n=prg3@playground.cein.ualberta.ca] has left ##openvpn []
17:13 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
17:15 -!- unix3__ [n=unix3@190.10.68.228] has joined ##openvpn
17:20 -!- subinacls_ is now known as subinacls
17:29 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 113 (No route to host)]
17:31 -!- unix3_ [n=unix3@190.10.68.228] has quit [Read error: 113 (No route to host)]
18:21 -!- unix3__ [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
18:38 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Remote closed the connection]
18:39 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
18:51 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:52 < Dougy> ok so
18:52 < Dougy> if i have 16 certs signed, and i want to make only 12 use redirect-gateway
18:52 < Dougy> what do i put in their ccd entries
18:53 < rawDawg> push redirect-gateway
18:54 < Dougy> that simple?
18:54 < Dougy> or 'push redirect-gateway def1' ?
18:54 < rawDawg> yeah def1 is default-gateway
18:55 < Dougy> wow it's that simple, lol
18:55 * Dougy headdesks
18:55 < Dougy> if only this math equation was clicking as easily as that
18:56 < rawDawg> #math
18:56 < Dougy> ill get trolled of the IRC
18:56 < Dougy> off
18:56 < Dougy> i know the equation is simple and i just cant make it wrok
18:56 < Dougy> work
18:56 < Dougy> i havent done math in 3 months im rusty
18:57 < rawDawg> what's it?
18:57 < Dougy> tx+12y = -3
18:57 < Dougy> The equation above is the equation of a line in the xy-plane, and t is a constant. If the slope of the line is -10 what is the value of t?
18:57 * Dougy sighs
18:57 < Dougy> i'm almost embarrassed to say i can't figure it out
18:59 < Dougy> i have an idea but
18:59 < Dougy> :|
19:02 < rawDawg> lol all i remember is y = mx + b
19:02 < rawDawg> try #math
19:03 < Dougy> yea i remember that oto
19:03 < Dougy> too
19:03 < Dougy> y = (-tx-3)/12
19:03 < Dougy> but still
19:03 < Dougy> then y = (-tx/12) - 1/4
19:03 < Dougy> still though
19:03 < Dougy> i guess the answer would be 120 but fuck it seems wromg
19:03 < Dougy> wrong
19:06 < BasketCase> this may be a silly question but I have OpenVPN running on the system that routes traffic between my LAN, my wifi, and my internet connection. What is the easiest way to configure OpenVPN to do redirect-gateway if I connect from my wifi but not if I connect from somewhere out on the internet?
19:06 < BasketCase> is it better to have two client configs or two server configs running on the different interfaces?
19:07 < ecrist> this is not #math.
:/
19:07 < BasketCase> I already kinda have a working system with 2 client configs based on the MAC of the AP but thought there might be a more elegant solution
19:11 < ecrist> there isn't really an easy way
19:12 < ecrist> unless you setup two OpenVPN instances, with connections from outside your LAN being redirected via a firewall ruleset to an instance which does the redirect-gateway
19:12 < ecrist> the other will not do that.
19:12 < ecrist> both instances should use the same keys
19:14 < Dougy> ecrist: i need to make a shell script to make openvpn client configs
19:14 < Dougy> o.O
19:15 < ecrist> Dougy: that's easy
19:15 < Dougy> yes i know
19:16 < Dougy> im just saying i have to
19:16 < ecrist> oh.
19:18 < rawDawg> BasketCase: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
19:18 < vpnHelper> Title: HOWTO (at openvpn.net)
19:19 < BasketCase> yeah, I already have it redirecting. OpenVPN is only actually listening on the wifi interface
19:19 < rawDawg> i saw something about the local flag
19:19 < BasketCase> rdr on $ext_if proto udp from any to $ext_if port 1194 -> $wireless_if port 1194
19:23 < rawDawg> can't u just use def1?
19:24 < BasketCase> oh, you meant redirect as in OpenVPN
19:24 < BasketCase> yes, that is what I do. I have redirect-gateway in one client config but not the other
19:26 < rawDawg> so you only want to redirect gateway when you are connected to your wifi
19:26 < BasketCase> right
19:26 < rawDawg> a script with two configs is the only thing i can think of
19:27 < BasketCase> yeah, that is what I figured
19:27 < BasketCase> I am trying plan B now which simply removes the need for redirect-gateway on my wifi
19:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
19:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:35 -!- BasketCase_Eee [n=kmk@asylum.sanitarium.net] has joined ##openvpn
19:35 < BasketCase_Eee> ok, my plan B worked.
I removed the need for redirect-gateway on my wifi
19:36 < BasketCase_Eee> that means my wifi>internet traffic isn't going over the vpn but my wifi>lan traffic is, which is good enough
19:36 < BasketCase_Eee> and less kludgey
19:36 < Dougy> ecrist: still there?
19:37 < rawDawg> BasketCase_Eee nice
19:37 < BasketCase_Eee> now to figure out how to tell Gentoo not to shut down the VPN tunnel before it unmounts NFS mounts
19:37 < rawDawg> i'd also like to get an asus Eee
19:37 < rawDawg> how do u like it
19:38 < BasketCase_Eee> it is ok
19:38 < BasketCase_Eee> I have a 1000-40G
19:38 -!- akatsuki [n=l@unaffiliated/akatsuki] has joined ##openvpn
19:39 < BasketCase_Eee> I think I would have been happier with a ~14" notepad that has a larger battery and a real CPU
19:39 < rawDawg> lol
19:40 < BasketCase_Eee> I get right at 4 hours of battery with wifi in use
19:40 < BasketCase_Eee> the screen uses like 1.5W so it almost doesn't matter if you close it some of the time
19:41 < akatsuki> !forum
19:41 < vpnHelper> akatsuki: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
19:41 < BasketCase_Eee> and the Xandros Linux they come with is awful
19:43 < BasketCase_Eee> the CPU is actually close to being fast enough for me. I would just like it to have virtualization so I could play the occasional game
19:44 < BasketCase_Eee> I tried doing a virtual Windows setup for games only but without hardware virtualization it was too slow even for solitaire
19:48 < Dougy> ecrist: nvm
19:49 < Dougy> will linux configs work the same on windows
19:49 < Dougy> ?
19:50 < Dougy> akatsuki: join the forum
19:50 -!- BasketCase_Eee [n=kmk@asylum.sanitarium.net] has left ##openvpn ["Client exiting"]
19:55 < akatsuki> Dougy: ur helpful, thanks
19:58 < Dougy> akatsuki: :)
19:58 < Dougy> have an issue?
20:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
20:02 -!- akatsuki [n=l@unaffiliated/akatsuki] has quit [Nick collision from services.]
20:20 -!- jeiworth_ [n=jeiworth@189.177.30.75] has quit [Read error: 110 (Connection timed out)]
21:05 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:06 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
21:06 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
21:10 -!- master_of_master [i=master_o@p549D3571.dip.t-dialin.net] has quit [Connection timed out]
21:13 -!- master_of_master [i=master_o@p549D6A99.dip.t-dialin.net] has joined ##openvpn
21:28 -!- lampliter [n=esj@harvee.org] has quit ["Leaving."]
22:04 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
22:11 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
22:33 -!- ruben23 [n=RPL@122.55.48.243] has quit [Read error: 104 (Connection reset by peer)]
22:55 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Sat Aug 22 2009
00:39 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has joined ##openvpn
01:36 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has quit [Client Quit]
01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
02:23 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
02:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:37 < joelsolanki> Hello ecrist
02:37 < joelsolanki> ecrist: hi
02:51 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
02:54 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
02:54 < svinkels> plop
02:54 < svinkels> a french boy here ?
02:55 < hyper_ch> no
02:55 < svinkels> anybody ?
02:55 < hyper_ch> nobody's here
02:56 < svinkels> arf
03:21 < reiffert> I have forgotten a lot of the words and the phrases :p
03:21 < svinkels> :p
03:21 < svinkels> that's already a small start!
03:22 < svinkels> I skipped the English clases at school, so it's not easy to understand!
03:22 < svinkels> classes *
03:28 < reiffert> Come on, english is the world language ...
03:28 < reiffert> so what's up with your openvpn installation?
03:32 < svinkels> the question is for me ?
03:33 < reiffert> jup
03:33 < reiffert> yes
03:33 < reiffert> oui
03:45 < svinkels> reiffert, yesterday, dazo tried to help me with the config of openvpn, but i didn't succeed
03:46 < svinkels> today i try again
03:46 < svinkels> i use easy-rsa
03:47 < svinkels> first question : when i run build-key-server, what is the question : A challenge password
03:47 < svinkels> i don't understand
03:47 < svinkels> sorry for my poor english language
03:48 < svinkels> is it the password for the client when i try to connect to the vpn ?
03:48 < svinkels> is it the password for the client when they try to connect to the vpn ?
03:48 < svinkels> reiffert, ?
03:50 < svinkels> :(
03:54 < reiffert> I'm drinking coffee and sorting 500 photos I took yesterday, please be patient.
03:54 < hyper_ch> why take 500 pics?
03:54 < svinkels> np
03:54 < reiffert> svinkels: alright, your questions get answered in the official openvpn howto
03:55 < reiffert> hyper_ch: because 60 cars were involved.
03:55 < hyper_ch> :)
03:55 < hyper_ch> reiffert: you know a big deal about openvpn?
03:57 < reiffert> svinkels: the howto is straightforward when it comes to key generation
03:57 < reiffert> svinkels:
03:57 < reiffert> !howto
03:57 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:57 < reiffert> hyper_ch: big deal .. smth. like selling 500 openvpn installations for a burger and a coke?
03:57 < svinkels> it's ok
03:58 < hyper_ch> reiffert: hmmm, maybe you can help with my issue then: http://www.ovpnforum.com/viewtopic.php?f=6&t=504&sid=a861ee7730e597615ac4dfb0b9e222d1
03:58 < vpnHelper> Title: OpenVPN Forum View topic - "normal ssh" won't work (at www.ovpnforum.com)
03:58 < reiffert> lemme sort my pics first
03:59 < hyper_ch> doesn't picasa auto-sort ;)
04:00 < reiffert> it's sorting out bad ones.
04:00 < hyper_ch> why do you take bad pics ;)
04:02 < reiffert> why do you have openvpn issues?
04:03 < hyper_ch> because I like to make my life troublesome ;)
04:04 < reiffert> :)
04:09 < hyper_ch> and it is not polite to counter a question with another one ;)
04:10 < reiffert> will it be impolite when I decide not to answer your questions?
04:10 < hyper_ch> that will be even more impolite ;)
04:10 < hyper_ch> so you really really shouldn't do that
04:14 < reiffert> remove this line:
04:14 < reiffert> push "redirect-gateway def1" # redirects the client's Internet traffic to the server
04:14 < reiffert> and your thing will be fixed:
04:14 < reiffert> "d I can't connect through my non-vpned public IP anymore."
04:14 < bauruine> hyper_ch, maybe i can help :-)
04:15 < hyper_ch> reiffert: but if I remove that then all traffic originating from the client won't be using the vpn tunnel anymore
04:15 < hyper_ch> bauruine: http://www.ovpnforum.com/viewtopic.php?f=6&t=504&sid=a861ee7730e597615ac4dfb0b9e222d1
04:15 < vpnHelper> Title: OpenVPN Forum View topic - "normal ssh" won't work (at www.ovpnforum.com)
04:16 < hyper_ch> reiffert: what I don't understand is that when the vpn tunnel is active I can still logon on the client from the lan, I can ping the lan gateway from the lan and from the internet... but I just can't ssh into the client anymore using the normal public ip
04:16 < reiffert> hyper_ch: well, what you need is smth. similar to a SNAT rule, telling all your established incoming ssh packets to take the way out they came in.
04:17 < hyper_ch> reiffert: sounds good :) but iptables hates me ;)
04:17 < reiffert> nice docs on netfilter.org
04:17 < svinkels> to test my config, can i use a server and a client in the same lan ?
04:17 < hyper_ch> reiffert: actually it doesn't make sense
04:18 < hyper_ch> because I shouldn't be able to ssh into the client from the lan either
04:18 < reiffert> hyper_ch: same subnet packets don't travel over the router.
04:18 < hyper_ch> whether now an incoming packet comes from 10.0.0.1 or 10.0.0.20 shouldn't matter IMHO
04:18 < bauruine> hyper_ch, do something like that http://wiki.ubuntuusers.de/Multiple_Uplink_Routing (or google yourself for source based routing) i have
04:18 < vpnHelper> Title: Multiple Uplink Routing › Wiki › ubuntuusers.de (at wiki.ubuntuusers.de)
04:18 < reiffert> hyper_ch: as in same subnet packets travel direct.
04:19 < hyper_ch> I see
04:20 < reiffert> either let your router nat the ssh packets for you or use a ssh gateway on your router, or tell your client to SNAT your packets back to where they came from, or take bauruine's rule based routing.
04:20 < reiffert> it's about marking packets in the mangle(?) table and ip route them.
04:20 < hyper_ch> reiffert: the router nats the ssh packages
04:20 < reiffert> hyper_ch: prove!
04:21 < hyper_ch> reiffert: hmm ... how?
04:21 < reiffert> tcpdump.
04:21 < hyper_ch> well, router has tomato wrt on it and such an entry: On TCP 22 10.0.0.5 SSH
04:22 < hyper_ch> well, router has tomato wrt on it and such an entry: On TCP 22 10.0.0.5 SSH
04:23 < reiffert> this does NOT NAT your ssh packages.
04:23 < reiffert> the router itself uses NAT to get your internal network masqued to the outer world
04:24 < hyper_ch> ok
04:26 < hyper_ch> first I need to stop BT
04:26 < hyper_ch> otherwise there's too much stuff going on, right?
04:26 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
04:28 < reiffert> tcpdump -n port 22
04:29 < hyper_ch> can you also exclude an IP?
04:29 < svinkels> when i config my client.conf i must put the IP of the server, but does a dns name work too ?
04:31 < reiffert> tcpdump -n port 22 and not host 12.12.13.13
04:31 < hyper_ch> great :)
04:31 < joelsolanki> hello all.
04:32 < joelsolanki> http://pastebin.ca/1538715
04:32 < joelsolanki> i have a windows openvpn server and linux vpn client
04:33 < reiffert> joelsolanki: openvpn versions?
04:33 < joelsolanki> there is a lan behind linux machine
04:33 < joelsolanki> i want to have windows server access the lan which is behind linux machine.
04:33 < joelsolanki> ok checking
04:33 < reiffert> joelsolanki: !route sounds like a good help for you.
04:33 < reiffert> !route
04:33 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:34 < reiffert> explaining iroute route and push "route .."
04:35 < hyper_ch> reiffert: http://pastebin.ca/1538719
04:35 < joelsolanki> vpn client has openvpn-2.1-0.19.rc4.fc7 and windows machine which is acting as vpn server has openvpn 2.0.0
04:35 < joelsolanki> 2.0.9
04:35 < reiffert> upgrade to 2.1rc19
04:35 -!- c64zottel [n=hans@p5B17B0F2.dip0.t-ipconnect.de] has joined ##openvpn
04:35 < hyper_ch> reiffert: the ip there 84.... is my current public ip
04:35 < reiffert> http://gallery.reifferscheid.org/v/1000km+Nuerburgring/
04:35 < vpnHelper> Title: 1000km Nürburgring (at gallery.reifferscheid.org)
04:36 < reiffert> hyper_ch: we've already discovered, that your router is not NAT'ing your incoming ssh connection.
04:36 < joelsolanki> reiffert: u want me to upgrade the version on windows vpn server ?
04:36 < reiffert> joelsolanki: yes.
04:36 < reiffert> 2.09 is way old. 3 years.
04:36 < hyper_ch> reiffert: so I have to look at that multi upload link guide that you pointed out?
04:36 < reiffert> 2.1 works much better especially on windows.
04:37 < joelsolanki> ok but will that fix my problem ?
04:37 < hyper_ch> multi uplink routing :)
04:37 < reiffert> hyper_ch: just tell your router to NAT incoming SSH packets.
04:37 < hyper_ch> hmmm
04:37 < joelsolanki> reiffert: do u think upgrading will fix my problem ? or my config is lacking ?
04:38 < joelsolanki> i read the secure-computing but i m confused
04:38 < reiffert> hyper_ch: smth like iptables -t nat -I POSTROUTING -o INTERNAL_INTERFACE(e.g.LAN) -p tcp --dport 222 -j MASQUERADE
04:38 < reiffert> --dport 22 of course.
04:38 < hyper_ch> reiffert: I have to do that on the router, right?
04:39 < reiffert> joelsolanki: upgrading to a recent version might prevent you from broken software, so I think reading !route might be a good start and when it doesnt start working, upgrade to 2.1rc19
04:39 < reiffert> hyper_ch: wrt (tomato) yes.
04:40 < joelsolanki> reiffert: yes i read !route but it is bit confusing. i already tried to configure this according to !route
04:40 < hyper_ch> not sure if tomato can do that
04:40 < reiffert> hyper_ch: every linux does.
04:40 < reiffert> hyper_ch: "
04:40 < reiffert> hyper_ch: you've to replace "INTERNAL_INTERFACE(e.g.LAN)" by lan0 or whatever your internal subnet interface is called.
04:40 < joelsolanki> if u can check my pastebin http://pastebin.ca/1538715
04:41 < hyper_ch> reiffert: well, the gui can't do it as far as I see :)
04:41 < reiffert> joelsolanki: I was checking it shortly, and !route came into my mind. iroute push route and route might be too much to make it work.
04:41 < reiffert> s,shortly,recently.
04:41 < joelsolanki> means ?
04:42 < joelsolanki> is there anything missing in server.conf ?
04:42 < reiffert> joelsolanki: btw, what is your problem with that config?
04:42 < joelsolanki> actually i want the window vpn server to have access to the lan behind the linux vpn client
04:42 < joelsolanki> but that is not working :(
04:43 < joelsolanki> so i want to solve this.
04:43 < joelsolanki> i think there is something missing so i came here for some help
04:43 -!- c64zottel [n=hans@p5B17B0F2.dip0.t-ipconnect.de] has left ##openvpn []
04:47 < joelsolanki> reiffert : any help plz
04:47 < Bushmills> !route
04:47 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:52 < joelsolanki> Bushmills: i tried to understand and configure according to !route only but it is creating problem. so want to know where i have messed up
04:52 < joelsolanki> so can u help
04:56 < reiffert> hyper_ch: does it work?
04:56 < Bushmills> sorry, no - I'm sporadically hopping in and out, because of background activity
04:56 < hyper_ch> reiffert: can't figure out what the lan name is
04:56 < reiffert> hyper_ch: ifconfig -a | more
04:57 < hyper_ch> hmmm, ifconfig didn't work before
04:57 < hyper_ch> now it does
04:57 < hyper_ch> http://www.pastebin.ca/1538726
04:58 < hyper_ch> br0 it seems
04:59 < reiffert> 10.0.0.1 is the router's LAN IP address?
04:59 < reiffert> or is it 192.168.0.5?
05:00 < hyper_ch> 10.0.0.1 is the router's
05:00 < hyper_ch> 192.168.0.5 is the dsl modem
05:00 < hyper_ch> well, the wan access
05:01 < reiffert> so br0 sounds ok then.
05:01 < reiffert> your connection to the router might break when entering the route. you may have to relogin then.
05:01 < hyper_ch> I see in the examples on wikibooks this here:
05:01 < hyper_ch> WANIP=$(nvram get wan_ipaddr)
05:01 < hyper_ch> iptables -t nat -A PREROUTING -p tcp -d $WANIP --dport 22 -j DNAT --to 192.168.1.1:22
05:01 < reiffert> thats called PORT FORWARDING
05:02 < hyper_ch> so I could use LANIP=$(nvram get lan_ipaddr)
05:02 < reiffert> now we masq the IP.
05:02 < hyper_ch> I mean to use the variable
05:02 < reiffert> we dont need LANIP here but LAN INTERFACE
05:02 < hyper_ch> right
05:02 < reiffert> which will be br0 for all times on wrt.
05:03 < hyper_ch> iptables -t nat -I POSTROUTING -o br0 -p tcp --dport 22 -j MASQUERADE
05:03 < hyper_ch> (btw, should I enable NAT Loopback? currently it's only "forward" and I have no clue what that means)
05:04 < reiffert> try this first.
05:04 -!- bauruine [n=bauruine@85.4.68.228] has quit [Connection timed out]
05:05 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
05:06 < hyper_ch> I'll restart the router
05:07 -!- hyper_ch [n=hyper@adsl-84-226-158-241.adslplus.ch] has quit []
05:08 -!- hyper_ch [n=hyper@adsl-84-226-158-241.adslplus.ch] has joined ##openvpn
05:09 < hyper_ch> hmmm, iptables -t nat -L doesn't list that rule :(
05:10 -!- freaky|bday is now known as freaky[t]
05:11 * hyper_ch gives reiffert a very, very big cookie
05:11 < hyper_ch> with chocolate topping
05:12 < reiffert> you can pay me on paypal if you want.
05:12 < hyper_ch> paypal is evil
05:13 < hyper_ch> or are you an openvpn dev?
05:13 < reiffert> no, I'm just a stupid guy helping people out on #openvpn.
05:13 < hyper_ch> well, you seem to know a lot about openvpn and routing and stuff
05:13 < hyper_ch> even iptables
05:14 < hyper_ch> now I have to put that into my blog so that the next time I'll know what to do
05:16 < joelsolanki> Hi reiffert: can u help me
05:24 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
05:24 < hyper_ch> !howto
05:24 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:27 < hyper_ch> !configs
05:28 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
05:28 < svinkels> is there a security problem if i use the openvpn daemon on boot ?
05:28 < reiffert> Is there a problem regarding security when I start openvpn on boot? No.
05:29 < svinkels> your server vpn personal is always work ?
05:38 < reiffert> vpn personal?
05:39 < reiffert> you mean the sysadmin guy that watches the vpn server and cares about it?
05:39 < reiffert> openvpn works like a charm, there is no vpn personal.
05:43 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 110 (Connection timed out)]
05:44 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has joined ##openvpn
05:49 < hyper_ch> reiffert: so, you are now on my blog :)
05:54 < hyper_ch> reiffert: http://www.simplylinux.ch/openvpn-einrichten
05:54 < vpnHelper> Title: Linux für alle » OpenVPN einrichten (at www.simplylinux.ch)
06:09 < svinkels> ok reiffert
06:14 < svinkels>
06:14 < svinkels> apparently my vpn works. question: will the VPN server always have the same address in XxX1? I have not really understood how openvpn is secure, for example: if my laptop is stolen there is no password to connect.
06:15 < hyper_ch> svinkels: the server should always have the same ip
06:16 < hyper_ch> svinkels: you have an entry in the server config like: server 10.8.0.0 255.255.255.0 --> then the server will always be 10.8.0.1 I think
06:16 < svinkels> thankx
06:16 < svinkels>
06:16 < svinkels> and at work we have a radius vpn, with Cisco, I use the cisco vpn client that uses a .pcf profile
06:16 < svinkels> I thought I could add a profile that will get to my openvpn at home. Is this possible?
06:17 < hyper_ch> what do you mean?
06:19 < svinkels> for work, I use the cisco vpn client on windows, with a profile set for my company vpn + password login.
06:19 < svinkels> search
06:21 < svinkels>
06:21 < svinkels> I thought openvpn would create a login profile with password, but no, it uses RSA public / private keys that I must give to the client. but only the profile is sufficient, no password needed. if my laptop is stolen, the person has access to my vpn then?
06:29 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has quit [Read error: 60 (Operation timed out)]
06:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:35 < hyper_ch> svinkels: don't you fully encrypt your computers?
06:38 -!- brizly1 [n=brizly_v@p4FC999AD.dip0.t-ipconnect.de] has joined ##openvpn
06:46 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
06:48 < reiffert> hyper_ch: I'd prefer to just have #openvpn in your blog.
06:48 < reiffert> svinkels: you can add a password to a client key.
06:49 < reiffert> svinkels: the howto says:
06:49 < reiffert> If you would like to password-protect your client keys, substitute the build-key-pass script.
06:49 < reiffert> ""
06:50 < svinkels> yes
06:50 < svinkels> cool
06:50 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
06:52 < bauruine> i have this setup http://ubuntu-pics.de/bild/22567/diagram1_2XdsIN.png any idea why i can't ping internet --> 88.80.19.xx ? baldur --> 88.80.19.xx works.
06:53 -!- brizly [n=brizly_v@p4FC99C0B.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:54 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
06:54 < joelsolanki> !configs
06:54 < vpnHelper> joelsolanki: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:58 < joelsolanki> Hi all.
06:59 < joelsolanki> I have a windows machine acting as vpn server and linux client acting as vpn client. i want windows server to access the lan behind the linux machine. linux machine has 1 lan port with ip 192.168.2.5
06:59 < joelsolanki> this is my current configuration. http://pastebin.ca/1538843
07:00 < joelsolanki> anybody please give me suggestions for my messed configuration. i am not able to fix it :(
07:02 -!- XapoH [n=X@78.108.77.14] has joined ##openvpn
07:04 < XapoH> hi. how can i use openvpn in client-server (many-to-one) mode on ethernet level (tap) without encryption?
07:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:05 < reiffert> !factoids search encrypt
07:05 < vpnHelper> reiffert: "encryption" is Why symetric encryption is better: http://www.ketufile.com/Symmetric_vs_Asymmetric_Encryption.pdf
07:05 < reiffert> hmpf.
07:05 < reiffert> !factoids search non
07:05 < vpnHelper> reiffert: No keys matched that query.
07:06 < reiffert> !factoids search non*
07:06 < vpnHelper> reiffert: No keys matched that query.
07:06 < reiffert> !factoids search plain
07:06 < vpnHelper> reiffert: No keys matched that query.
07:06 < reiffert> XapoH: from the manpage: Set alg=none to disable encryption.
07:07 < reiffert> joelsolanki: Try on krzee or ecrist when they are awake.
07:07 < joelsolanki> oh ok. i will check with them.
07:08 < XapoH> reiffert, do you mean i should write "alg none" in config?
07:08 < reiffert> XapoH: no.
07:09 < reiffert> I want you to read it up in the manpage
07:09 < reiffert> !man
07:09 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:11 < XapoH> auth none then, right?
07:11 < reiffert> no.
07:11 < XapoH> it can't be done though config?
07:12 < XapoH> *through
07:12 < reiffert> "< XapoH> auth none then, right?" -> no.
07:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
07:21 -!- waldner_ [n=waldner@unaffiliated/waldner] has joined ##openvpn
07:23 < hyper_ch> reiffert: instead of your name or instead of ##openvpn ?
07:24 < waldner_> I want openvpn in bridged mode to dynamically create a tap interface on the client, bring it up and configure it using dhcp (the dhcp server is in the LAN). According to http://openvpn.net/index.php/open-source/faq.html#bridge-addressing, it seems that all that's needed is "mode server" on the server, but that doesn't work for me
07:24 < vpnHelper> Title: FAQ (at openvpn.net)
07:24 < waldner_> I also tried "server-bridge" with no parameters which should push "route-gateway dhcp" to the client, but no joy
07:24 < waldner_> the client creates the tap interface, but does not bring it up and of course does no dhcp request
07:25 < waldner_> do I still need an up script on the client?
07:25 < reiffert> hyper_ch: instead of my nickname
07:25 < hyper_ch> reiffert: ok :)
07:26 < hyper_ch> there's not much traffic on the blog anyway :) it's more notes for myself
07:26 < reiffert> waldner_: depends on your client OS. Windows: no, *NIX: --up script.
07:26 < hyper_ch> however repogen and debgen are quite popular :)
07:26 < waldner_> the client is linux yes
07:26 < waldner_> ok I need --up thanks
07:27 < reiffert> waldner_: #!/bin/bash dhclient $2 or similar
07:27 < waldner_> yes sure
07:27 < reiffert> lemme look that up
07:27 < waldner_> but then the FAQ and the manual are a bit misleading imho
07:27 < reiffert> device=$1
07:27 < reiffert> mtu=$2
07:27 < reiffert> mru=$3
07:27 < reiffert> ip=$4
07:27 < reiffert> mask=$5
07:27 < reiffert> cmd=$6
07:27 < waldner_> reiffert: yeah I know how to use an up script
07:28 < reiffert> waldner_: you will run into further trouble when dropping privileges, maybe you dont. sudo might help.
07:28 < waldner_> yep thanks
07:29 < reiffert> waldner_: AFAIR there is a resolv.conf up script .. never had a look on how they do things there.
07:29 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
07:31 < XapoH> my previous question was incorrect. now more correct: why does `mode server` require `tls-server`?
07:33 < reiffert> XapoH: the manpage will show you what it expands to.
07:33 < reiffert> For example, --server 10.8.0.0 255.255.255.0 expands as follows:
07:34 < reiffert> see manpage
07:34 < XapoH> i know
07:34 < XapoH> that's why i use `mode server` and `ifconfig` instead
07:34 < XapoH> but i get `Options error: --mode server requires --tls-server`
07:35 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 104 (Connection reset by peer)]
07:35 < reiffert> oh, I see.
07:35 < reiffert> interesting question indeed.
07:37 < XapoH> so, how can i solve this problem?
07:37 < XapoH> without recompilation preferably
07:37 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
07:38 < svinkels> i read this : http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
07:38 < vpnHelper> Title: RSA Key Management (at openvpn.net)
07:39 < svinkels> i dont understand the build-key-pass, must i run it just for the client certificate, or for the server and client certificate ?
07:41 < reiffert> svinkels: you want to protect your client keys with a password?
07:41 < reiffert> svinkels: then run this script when creating a client key.
07:42 < svinkels> ok
07:44 < reiffert> afk &
07:46 < svinkels> where do you save ca.key ?
08:22 * XapoH patched ovpn (test eax,eax to xor eax,eax): now it doesn't require tls-server anymore :) but it still doesn't establish connection. pity. however it doesn't crash :D
08:31 -!- joelsolanki [i=joelsola@124.125.148.135] has joined ##openvpn
08:31 < joelsolanki> ecrist: Hi
08:31 < joelsolanki> krzee: Hi
09:01 < waldner_> sorry if this is a faq...can I run two instances of openvpn server on the same host, one in tap mode the other in tun mode both listening on the same udp port (eg 1194)?
09:05 < waldner_> ok, stupid question, sorry
09:06 < waldner_> need more coffee
09:11 < joelsolanki> ecrist / krzee: Hello
09:11 < joelsolanki> and hello all
09:12 < joelsolanki> I have windows 2003 machine acting as openvpn server and linux machine acting as openvpn client.
09:12 < joelsolanki> Here is my current config http://pastebin.ca/1538843
09:13 < joelsolanki> i want window 2003 server to have access to lan behind linux machine.
09:13 < joelsolanki> I have the example file and configured but i am not able to reach the lan behind linux from window 2003 server.
09:13 < joelsolanki> I did a ' route print ' on windows 2003 server and here is something i see confusing. let me pastebin it.
09:15 < joelsolanki> http://pastebin.ca/1538948
09:16 < joelsolanki> 192.168.2.0/255.255.255.0 seems to be routed thru 10.9.0.2
09:16 < joelsolanki> how is this possible ?
09:16 < joelsolanki> i think this is the problem due to which i m not able to access the lan. any help plz
09:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:38 -!- enemy^x [n=enemy@62.80-202-242.nextgentel.com] has joined ##openvpn
09:38 < enemy^x> is openvpn better than freeswan?
09:38 < enemy^x> !howto
09:38 < vpnHelper> enemy^x: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:50 < |Mike|> freeswan?
10:05 -!- enemy^x [n=enemy@62.80-202-242.nextgentel.com] has quit [Read error: 110 (Connection timed out)]
10:48 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has quit [Read error: 110 (Connection timed out)]
11:23 -!- subinacls [n=subinacl@253.182.100.97.cfl.res.rr.com] has quit [Read error: 110 (Connection timed out)]
11:26 < waldner_> is my understanding correct that to do client-to-client the openvpn server has to parse the IP packets/ethernet frames itself?
11:31 -!- cyris| [n=cyris@S0106001e2a4f7c8d.ed.shawcable.net] has joined ##openvpn
11:32 -!- cyris| [n=cyris@S0106001e2a4f7c8d.ed.shawcable.net] has left ##openvpn ["Leaving"]
11:48 < joelsolanki> is ecrist or krzee available ?
11:48 < joelsolanki> i have problem with routing local lan behind client.
11:57 < joelsolanki> this room is pretty slow :(
11:58 < waldner_> !route
11:58 < vpnHelper> waldner_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:59 < waldner_> !redirect
11:59 < vpnHelper> waldner_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:02 < joelsolanki> waldner: i already looked but still it is creating problem.
12:02 < joelsolanki> I have windows 2003 machine acting as openvpn server and linux machine acting as openvpn client.
12:02 < joelsolanki> Here is my current config http://pastebin.ca/1538843
12:02 < joelsolanki> i want window 2003 server to have access to lan behind linux machine
12:02 < joelsolanki> I have the example file and configured but i am not able to reach the lan behind linux from window 2003 server
12:02 < joelsolanki> I did a ' route print ' on windows 2003 server and here is something i see confusing. let me pastebin it.
12:03 < joelsolanki> http://pastebin.ca/1538948
12:03 < joelsolanki> how is this possible ?
12:03 < joelsolanki> i think this is the problem due to which i m not able to access the lan. any help plz
12:08 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has joined ##openvpn
12:10 -!- Martin_vW [n=martin@77-21-43-87-dynip.superkabel.de] has joined ##openvpn
12:15 < Martin_vW> I'm experiencing sudden slowdowns when using OpenVPN (2.1~rc11-1ubuntu3, Ubuntu jaunty; proto udp, dev tun) to connect to my office's VPN, ie websites will take forever to load and SSH sessions become insufferably slow. Any ideas how I could debug this issue? Can I somehow measure the bandwidth that is flowing through the tunnel? I'll start with measuring the ping, that should be easy.
12:18 < hyper_ch> Martin_vW: linux?
12:18 < Martin_vW> hyper_ch: yes
12:20 < hyper_ch> Martin_vW: ethstatus
12:21 < hyper_ch> or ethstats
12:25 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has joined ##openvpn
12:26 < Martin_vW> just as I was testing ethstatus, it happened again. Looks like the ping remains stable at about 50ms, but the throughput is practically 0. scp stalled, ssh won't connect, a website takes 10 seconds to load a single 16px image
12:27 < Martin_vW> ah, what I forgot to tell: /etc/init.d/openvpn usually fixes this. That's why I'm so sure it's an openvpn issue :)
12:28 < Martin_vW> It's just that having to restart it every few hours is really annoying.
12:29 < Martin_vW> openvpn logged "TLS: tls_process: killed expiring key" to the syslog about 15 minutes ago, but it looks like this is normal; it's doing that exactly every hour.
12:31 < joelsolanki> did u measure your ram and cpu usage ?
12:32 < Martin_vW> according to ethstatus, there's always 50-80KB/s throughput on tun0, but scp does only 0-2KB/s
12:33 < joelsolanki> the host where you are trying to do scp, is that pinging normal without any packet loss ?
12:33 < Martin_vW> openvpn memory usage is 6MB, cpu usage 0%
12:34 < joelsolanki> Hmm. does the syslog say anything interesting ?
12:34 < Martin_vW> 12% packet loss through the VPN
12:34 < joelsolanki> Hmm. so when u restart the vpn service and then try to ping the same host, then do u see the packet loss ?
12:35 < joelsolanki> it would be worth checking.
12:35 < joelsolanki> there should be something in messages and syslog
12:36 < Martin_vW> the last ovpn syslog entries: http://pastie.org/private/kycndsbdtcyw6myahyq
12:37 < Martin_vW> doesn't look unusual to me
12:37 < Martin_vW> messages does not contain any ovpn entries
12:38 < Martin_vW> nothing of interest in dmesg either
12:38 < joelsolanki> did you check the hardware itself ?
12:40 < Martin_vW> I've restarted openvpn. Throughput is back to normal, no packet loss in the first few minutes.
12:41 < Martin_vW> What's strange though: while the ping is usually 50-100ms and there is no packet loss, there is always a delay of several seconds between every packet.
12:42 < Martin_vW> http://pastie.org/private/g9syi8oasttni74ogbig2q
12:42 < Martin_vW> compare latency vs time 20 seconds
12:44 < Martin_vW> joelsolanki: what could I check on the hardware?
12:45 < Martin_vW> besides openvpn, everything seems to work flawlessly... no segfaults, no random crashes, network is working without problems.
12:45 < joelsolanki> i see
12:45 < joelsolanki> then it is nothing with hardware.
12:45 < joelsolanki> which version of openvpn u r using
12:45 < Martin_vW> from Ubuntu jaunty, 2.1~rc11-1ubuntu3
12:46 < Martin_vW> I could try stracing the openvpn process when it's becoming slow again
12:47 < Martin_vW> no packet loss in the last 220 seconds
12:48 -!- AlexGC [n=admin@201.127.201.55] has joined ##openvpn
12:48 < AlexGC> gentlemen
12:48 < Martin_vW> and I could try tcpdump on tun0. Damn, I shouldn't have restarted openvpn that early
12:48 < AlexGC> !route
12:48 < vpnHelper> AlexGC: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:48 < AlexGC> !redirect
12:48 < vpnHelper> AlexGC: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:49 < AlexGC> lol
12:49 < AlexGC> !ipforward
12:49 < vpnHelper> AlexGC: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:49 < joelsolanki> hmm
12:49 < AlexGC> ! ipforward
12:49 < vpnHelper> AlexGC: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:50 < AlexGC> ! linipforward
12:50 < vpnHelper> AlexGC: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
12:51 < waldner_> or /proc/sys/net/ipv4/conf/all/forwarding
12:52 < AlexGC> my vps is weird.
12:53 < AlexGC> openvpn-as failed due to the MAC addrs, then I was suggested to try openvpn open source, and failed at the firewall line
12:54 < AlexGC> Has anyone made it work on a virtuozzo vps?
12:56 -!- joelsolanki [i=joelsola@124.125.148.135] has quit []
13:02 -!- LumberCartel [n=LumberCa@24.86.160.252] has joined ##openvpn
13:03 < LumberCartel> I wonder if OpenVPN could benefit from UDT (in addition to TCP and UDP support)? http://www.udt.sourceforge.net/
13:03 < vpnHelper> Title: UDT: Breaking the Data Transfer Bottleneck (at www.udt.sourceforge.net)
13:03 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
13:04 < LumberCartel> UDT is BSD licensed, so there's no licensing problems for OpenVPN.
13:05 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
13:07 < AlexGC> Can anyone suggest some VPS hosts that run openvpn-as as it's intended to? pointers suggestions appreciated
13:09 < LumberCartel> VPS?
13:09 < AlexGC> yes. I got one last night with a company, but it runs virtuozzo and does not have a MAC addr, hence I cant reg the licenses
13:10 < LumberCartel> I'm sorry, but I don't know what VPS is.
13:10 < AlexGC> virtual private server
13:13 < LumberCartel> Wow. No node (MAC) address? That's really weird.
13:14 < AlexGC> sad actually. but yes. I could not get the licences to register due to that error. They told me it could not be fixed as openvpn-as was not designed to work in a VPS like that. So suggested I tried OS openvpn
13:15 < AlexGC> they charged me support time for tweaking the install ( i could not get it right) but we got stuck at the firewall part
13:16 < AlexGC> i know zip about firewalls (aside from my dsl router).. so I'm frustrated
13:17 < LumberCartel> There are many types of firewalls. Some really suck, and some (like "pf") are very powerful and extremely flexible.
13:17 < LumberCartel> Which OS is running in your VPS?
13:18 < AlexGC> Centos 5
13:18 < LumberCartel> Does "ifconfig" show you what your node address is?
13:19 < |Mike|> virtuozzo... *sigh*
13:20 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
13:20 < |Mike|> you might want to contact your system admin (the one which runs dom0) about it
13:20 < AlexGC> LumberCartel: i have tun0 with 10.8.0.1 thats what you meant?
13:21 < LumberCartel> That's your IP address.
13:21 < LumberCartel> If you type "ifconfig" it should show you more details, such as the node (MAC) address.
13:21 < LumberCartel> You might need to use a "-v" switch for verbose output.
13:21 < LumberCartel> Check your "man ifconfig" page for details though.
13:21 < LumberCartel> Each OS seems to have different options for ifconfig these days.
13:21 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
13:22 < AlexGC> LumberCartel: the mac addr is all 0000 http://pastebin.ca/1539221
13:22 < LumberCartel> That is weird.
13:23 < AlexGC> :) yep I've used that word a lot lately
13:23 < LumberCartel> There is a serious problem with them doing that...
13:23 < LumberCartel> If they have two guests bridged on the same LAN, they're going to run into routing problems.
13:24 < AlexGC> they said it could not be fixed
13:24 < AlexGC> or not supported
13:24 < LumberCartel> Then find another provider. They're stupid.
13:24 < AlexGC> yeah, that's why I was asking for suggestions.
13:24 < LumberCartel> Or set up your own server and do it right.
13:25 < AlexGC> i need the server in a data center in south USA
13:25 < LumberCartel> My suggestion would be to buy a computer, install your favourite OS on it with OpenVPN and whatever else you need, then co-locate it somewhere.
13:25 < AlexGC> cant do that.
13:26 < LumberCartel> Why not? Company policies?
13:26 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
13:26 < AlexGC> no.. location and time.. I'm not in USA and need the server in
13:27 < AlexGC> I actually tested it on a Centos 5 VPS under XEN and it worked flawlessly
13:27 < AlexGC> so I bought a larger vps with these guys , and failed terribly
13:29 < Martin_vW> OpenVPN got slow again
13:29 < Martin_vW> I'm running strace and tcpdump, but I'm not sure about what they are trying to tell me :)
13:30 < Martin_vW> tcpdump shows packets marked with [TCP Retransmission], I guess that's not good
13:30 < Martin_vW> and the strace output suggests that openvpn blocks too much
13:31 < Martin_vW> it's hanging on polls for 1-3 seconds
13:36 < Martin_vW> ah. From the manpage, --mssfix: "The usual symptom of such a breakdown is an OpenVPN connection which successfully starts, but then stalls during active usage."
13:36 < Martin_vW> I'll try --tun-mtu 1500 --fragment 1300 --mssfix
13:38 < Martin_vW> ok, then it breaks completely with "FRAG_IN error flags=0xfa2a187b: FRAG_TEST not implemented" in syslog.
13:44 -!- LumberCartel [n=LumberCa@24.86.160.252] has quit [Read error: 110 (Connection timed out)]
13:44 -!- mius [n=miusf@85.214.97.22] has quit [Connection timed out]
13:45 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has joined ##openvpn
13:52 < Martin_vW> any suggestions? I don't know anything about MTU
13:53 -!- mius [n=miusf@85.214.97.22] has joined ##openvpn
14:00 -!- mius [n=miusf@85.214.97.22] has quit ["-"]
14:33 -!- XapoH is now known as XapoH[away]
14:53 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)]
14:54 -!- Martin_vW [n=martin@77-21-43-87-dynip.superkabel.de] has quit ["Leaving."]
14:57 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
15:00 -!- joelsolanki [i=joelsola@124.125.148.135] has joined ##openvpn
15:01 -!- CarltonFsck [n=unixsox@c-76-19-28-18.hsd1.ma.comcast.net] has quit ["Leaving"]
15:01 < joelsolanki> krzee: hi
15:01 < joelsolanki> ecrist: hi
15:10 -!- joelsolanki [i=joelsola@124.125.148.135] has quit []
15:13 -!- fahadsadah [n=fahad@wikipedia/fahadsadah] has joined ##openvpn
15:13 < fahadsadah> Hello guys.
15:14 < fahadsadah> I have an existing VPN (non-OpenVPN).
15:14 < fahadsadah> Users are not allowed to connect to this, and must connect through an OpenVPN gateway.
15:14 < fahadsadah> This gateway has one IP in the current VPN.
15:14 < fahadsadah> Can I do some sort of VPN NAT?
15:15 < |Mike|> !linnat
15:15 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:15 < fahadsadah> Thanks!
15:15 < fahadsadah> Also, is there a way of disabling the whole OpenVPN PKI infrastructure?
15:15 < |Mike|> by not using it ? :)
15:15 < fahadsadah> Lol
15:15 < fahadsadah> Thanks!
15:24 < XapoH[away]> does anyone know how to use `mode server` without `tls-server`?
15:25 < XapoH[away]> or why is `tls-server` required
15:26 < |Mike|> because the cert exchange won't be encrypted, so MITM is possible..
15:26 < fahadsadah> What if you trust the net?
15:26 < fahadsadah> Forcing security is not good...
15:26 < XapoH[away]> i don't want to have any authentification on encryption
15:26 < XapoH[away]> *or
15:32 < fahadsadah> XapoH[away]: Add "cipher none" and "auth none"
15:32 < XapoH[away]> but tls-server is still required
15:32 < waldner_> and client-cert-not-required
15:32 < fahadsadah> Options error: You must define CA file (--ca) or CA path (--capath)
15:32 < fahadsadah> I've disabled cipher
15:34 < XapoH[away]> --client-cert-not-required must be used with an --auth-user-pass-verify
15:34 < waldner_> oh thanks for the correction
15:35 < waldner_> but then how to entirely disable auth?
15:35 < XapoH[away]> it's what openvpn says :)
15:35 < waldner_> well I guess you could use /bin/true as auth-user-pass-verify anyway
15:36 < XapoH[away]> well, i haven't /bin/true on my winxp :)
15:36 < waldner_> argh
15:37 < waldner_> I suppose you can write a .bat file to achieve the same effect
15:39 < XapoH[away]> batch can't return exit code. need int main() { return 1; } :)
15:40 < waldner_> oh really? I didn't know that
15:41 < AlexGC> Q: I'm getting iptables: Unknown error 4294967295 when I place the iptables -t nat -o etc etc line, any ideas? suggestions?
15:41 < thedoc> AlexGC, What's your exact command?
15:41 < waldner_> XapoH[away]: I remember something like testing errorlevel, so there must be a way
15:42 < waldner_> exit /b
15:42 < AlexGC> thedoc: iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE
15:42 < thedoc> You missed out -s for source.
15:43 < AlexGC> this one iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE also fails
15:43 < AlexGC> same error thedoc
15:43 < XapoH[away]> You must define DH file (--dh) // damn it :(
15:43 < |Mike|> what error ?
15:44 < thedoc> venet0 is a vmware thing?
15:44 < AlexGC> iptables: Unknown error 4294967295 ... yes
15:44 < |Mike|> thedoc: openvz
15:44 < |Mike|> you can't run iptables on an openvz image...
15:45 < XapoH[away]> waldner_, it can test, but can't return. google agrees.
15:45 < waldner_> exit 1
15:45 < |Mike|> the owner of the server has to do it for you thedoc
15:45 < waldner_> exit -10
15:45 < AlexGC> ohh
15:45 < thedoc> |Mike|, Not me, AlexGC
15:45 < thedoc> :p
15:45 < |Mike|> AlexGC: read up
15:45 < AlexGC> :)
15:46 < waldner_> XapoH[away]: http://www.robvanderwoude.com/errorlevel.php
15:46 < waldner_> third google hit
15:46 < vpnHelper> Title: Batch files - Errorlevels (at www.robvanderwoude.com)
15:46 < XapoH[away]> oh, wait. i used wrong config (with `server`). now i tried `mode server` with `ifconfig blabla` - still require tlserver
15:47 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has joined ##openvpn
15:47 < waldner_> In Windows 2000 & XP a new /B switch has been added to the EXIT command, enabling the batch file to quit with a return code
15:48 < XapoH[away]> waldner_, ouch. sry, ok :) anyway, i'v already done program returning 1.
16:01 < XapoH[away]> found `if (options->mode == MODE_SERVER) { <...> if (!options->tls_server) msg (M_USAGE, "--mode server requires --tls-server"); <...> }` in source code. it seems that requirement doesn't depend of any other options.
16:12 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
16:14 < tecchi> hi, where can i find a howto to install openvpn on a single nic machine?
16:20 -!- sascha [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has joined ##openvpn
16:20 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- sascha is now known as tecchi
16:29 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has quit [Read error: 104 (Connection reset by peer)]
16:29 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has joined ##openvpn
16:34 < BasketCase> tecchi:
16:34 < BasketCase> !howto
16:34 < vpnHelper> BasketCase: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:35 < BasketCase> number of NICs isn't important
16:36 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has quit [Read error: 104 (Connection reset by peer)]
16:37 -!- explore [n=msparker@99.184.84.221] has joined ##openvpn
16:43 -!- explore [n=msparker@99.184.84.221] has left ##openvpn []
16:56 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has quit [Client Quit]
17:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
17:04 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:40 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
17:54 < ecrist> I hate it when people PM me for a problem in here.
18:00 < |Mike|> ecrist: irssi with some ignorance rules :D
18:00 < ecrist> |Mike|: not sure how to write a rule to prevent that.
18:01 < ecrist> unless there is a way to have ignore all except foo
18:02 < |Mike|> if joined #... then ignore ..
18:02 * ecrist puts RTFM for irssi ignore on his TODO list
18:02 < |Mike|> haha
18:03 < |Mike|> i basicly ignore query's from #*
18:03 < |Mike|> :P
18:03 < ecrist> did joelsolanki pm you, too?
18:03 < ecrist> looked like he was looking for krzee and myself, specifically
18:09 < |Mike|> nope
18:21 < ecrist> hrm
18:21 < waldner_> MULTI: bad source address from client [192.168.0.1], packet dropped
18:21 < ecrist> without writing a plugin, there isn't an easy way to read nicks in from a file or variable for exceptions.
18:22 < waldner_> but I don't have any subnet behnd the client
18:22 < ecrist> |Mike|: can you try to PM me?
18:23 < waldner_> that is when pinging from the client to the lan behind the openvpn gateway
18:23 < ecrist> waldner_: that error is answered many times on the google
18:23 < ecrist> it generally means you have a VPN allocation conflict with a local subnet
18:23 < waldner_> yes by they all mention having a subnet behind the clint, which I don't have
18:23 < ecrist> all clients are on a subnet
18:24 < waldner_> sure
18:24 < ecrist> unless you're connected directly to the internet, which is rare for consumers
18:24 < waldner_> I'm using a subnet topology, the subnet used is 172.22.1.0/24
18:24 < waldner_> the vpn gateway has network 10.0.0.0/24 on its lAN side
18:25 < waldner_> and I get that error when pinging from a vpn client to an internal box in the 10.0.0.0 lan
18:25 < waldner_> the packet crosses the vpn gateway and reaches the internal host
18:25 < waldner_> it replies, and reaches the vpn gateway on its lan interface
18:25 < waldner_> there is dropped, ie it doesn't forward it to the vpn client
18:26 < waldner_> and I see that error in the log
18:26 < ecrist> waldner_: did you read the FAQ on OpenVPN.net?
18:26 < ecrist> you must be trying to route something that the VPN doesn't know about
18:26 < ecrist> http://openvpn.net/index.php/open-source/faq.html
18:26 < vpnHelper> Title: FAQ (at openvpn.net)
18:26 * ecrist goes away.
18:27 < |Mike|> ecrist: done
18:27 < waldner_> yes, and I didn't find anything relevant, unless I missed something
18:27 < ecrist> now I just have to remember to whitelist people I want to be able to PM.
18:27 < ecrist> ;)
18:28 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Read error: 110 (Connection timed out)]
18:28 < waldner_> the faq say that the error occurs because openvpn does not have a route to 192.168.0.1
18:28 < waldner_> but it indeed has a route:
18:28 < waldner_> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.254
18:29 < waldner_> and in fact I can ping that client from the vpn server, both to that 192. address and through the tunnel
18:31 < waldner_> unless "internal" route means something special
18:31 < waldner_> which I'd be glad to know in that case
18:37 < |Mike|> !howto
18:37 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:39 < waldner_> I'm reading it, but it doesn't mention what "internal" routes are
18:40 < waldner_> is that something openvpn needs when it has to decide to which of the many clients in the subnet it has to send the packet?
18:40 < |Mike|> you can push ccd to ccd
--- Log opened Sat Aug 22 21:18:26 2009
21:18 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
21:18 -!- Irssi: ##openvpn: Total of 64 nicks [0 ops, 0 halfops, 0 voices, 64 normal]
21:18 -!- Irssi: Join to ##openvpn was synced in 10 secs
21:19 -!- master_of_master [i=master_o@p549D6EC9.dip.t-dialin.net] has joined ##openvpn
21:33 -!- demo| [n=demo@84.108.222.192] has joined ##openvpn
21:33 -!- demo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Read error: 104 (Connection reset by peer)]
21:55 < demo|> damnit
21:55 < demo|> !logs
21:55 < vpnHelper> demo|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
21:59 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
22:03 -!- quentusrex_ [n=quentusr@freeswitch/developer/quentusrex] has joined ##openvpn
22:03 < quentusrex_> Is it possible to log traffic? such as what client is pulling how much traffic?
22:07 < demo|> can anyone help me getting oVPN with windows as client and linux as server?
22:09 < quentusrex_> demo|, I only have a moment, but what's your issue?
22:10 < demo|> i want to make all my traffic forward thro the vpn but i get "no internet access" on the TAP network adapter
22:10 < demo|> and no gateway set
22:11 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
22:11 < quentusrex_> what's your network ip address on the client? and what's the client's vpn ip addresS?
22:11 < demo|> my client got 10.8.0.2 and the vpn is 10.8.0.1
22:12 < quentusrex_> so you are on a network, without vpn and you get the ip of 10.8.0.2
22:12 < quentusrex_> ?
22:12 < quentusrex_> from your network router?
22:12 < demo|> no
22:12 < demo|> i get that ip from the vpn
22:12 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
22:12 < quentusrex_> what's your local network ip?
22:13 < demo|> 192.168.1.101
22:13 < quentusrex_> can you ping either of the gateways ?
22:13 < quentusrex_> local or vpn?
22:14 < demo|> i can ping both
22:16 < demo|> any idea quentusrex_?
22:16 < quentusrex_> can you ping this ip?
22:16 < quentusrex_> 74.125.67.100
22:16 < quentusrex_> it's google's ip...
22:17 < demo|> yes
22:17 < quentusrex_> can you ping 'google.com'
22:17 < demo|> i dont understand why wouldnt i
22:17 < demo|> i can
22:17 < demo|> why wouldnt i?
22:18 < quentusrex_> then why don't you have internet access?
22:18 < demo|> if i woulnt have internet access i wouldnt be here
22:18 < quentusrex_> it might not think you do, but you seem to have access.
22:18 < demo|> the network adpater of TAP says that
22:20 < demo|> ?
22:21 < quentusrex_> I don't see what the problem is...
22:21 < quentusrex_> you have internet access
22:21 < quentusrex_> and you're traffic is routing...
22:21 < quentusrex_> i g2g, I'll be back in a few hours.
22:21 < demo|> i want to forward all my internet traffic through the VPN
22:22 < demo|> anyone?
22:45 < Dougy> ecrist: inet issues?
22:45 < Dougy> thedoc: ping
22:49 < thedoc> 'sup?
22:57 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
22:59 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn
23:02 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
23:05 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has quit []
23:12 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has joined ##openvpn
23:23 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:24 -!- hyper__ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has joined ##openvpn
23:24 -!- hyper_ch [n=hyper@adsl-84-226-158-241.adslplus.ch] has quit [Nick collision from services.]
23:24 -!- hyper__ch is now known as hyper_ch
--- Day changed Sun Aug 23 2009
00:09 < ecrist> Douglas: I had some...
00:19 < ecrist> resolved now
00:23 < ecrist>
00:30 * ecrist goes to bed
01:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
02:00 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
02:17 < fahadsadah> !howto
02:17 < vpnHelper> fahadsadah: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:18 < fahadsadah> !redirect
02:18 < vpnHelper> fahadsadah: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:18 < fahadsadah> !nat
02:18 < vpnHelper> fahadsadah: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
02:22 -!- ballen [n=ballen@208.79.89.202] has joined ##openvpn
02:23 -!- tjz [n=tjz@bb220-255-241-83.singnet.com.sg] has quit ["bbl"]
02:28 -!- ballen [n=ballen@208.79.89.202] has quit [Read error: 104 (Connection reset by peer)]
02:44 -!- ballen [n=ballen@97.87.29.39] has joined ##openvpn
03:05 -!- ballen_ [n=ballen@208.79.89.202] has joined ##openvpn
03:05 -!- ballen [n=ballen@97.87.29.39] has quit [Nick collision from services.]
03:05 -!- ballen_ is now known as ballen
03:10 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
03:10 < koolkat> why doesnt openvpn connection to vpn service work on vbox ubuntu guest, vista host? connection to the service works fine on regular ubuntu system, it also connects in the vbox when I have the host connected to the service. What's going on?
03:17 -!- ballen [n=ballen@208.79.89.202] has left ##openvpn []
03:23 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
03:40 -!- tecchi [n=tecchi@81.210.194.238] has joined ##openvpn
03:45 < tecchi> i set up a bridging openvpn. while i can connect successfully (no errors, neither on the sever nor on the client) i cannot ping the server from the client and vice versa
03:45 < tecchi> i suppose there is a routing problem
04:38 -!- tecchi [n=tecchi@81.210.194.238] has quit [Remote closed the connection]
05:00 < reiffert> !route
05:00 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:03 -!- mius [n=miusf@earthtomoon.net] has joined ##openvpn
05:41 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
06:13 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: misse-, reiffert, Ycros, Snadder, stephenh, sigius, pa, solvik, HardDisk_WP, Douglas, (+12 more, use /NETSPLIT to show all of them)
06:17 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: krzie, master_of_master, IcyPolecat, nemysis, svinkels, CoffeeIV, tjoff, mius, quentusrex_, code-, (+31 more, use /NETSPLIT to show all of them)
06:17 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Operation timed out]
06:17 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Read error: 60 (Operation timed out)]
06:17 -!- garnser_ [n=jpeterss@gw2.mysql.com] has joined ##openvpn
06:17 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
06:17 -!- Netsplit over, joins: dazo|h, mius, tjz, koolkat, hyper_ch, tjoff, jeiworth, quentusrex_, demo|, master_of_master (+53 more)
06:28 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn
06:32 -!- demo| [n=demo@84.108.222.192] has quit [Read error: 145 (Connection timed out)]
06:37 -!- chinsan [i=chuck-th@72.21.49.42] has quit [Read error: 145 (Connection timed out)]
06:37 -!- brizly [n=brizly_v@p4FC99A07.dip0.t-ipconnect.de] has joined ##openvpn
06:40 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has joined ##openvpn
06:41 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
06:41 < tecchi> if i want to setup openvpn on a single nic machine, do i have to use a bridging setup?
06:47 < reiffert> no.
06:47 < tecchi> what is the alternative?
06:47 < reiffert> !howto
06:47 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:49 < hyper_ch> howdy reiffert
06:49 < dazo|h> _markus_: not easy to say, but most likely a kind of bug was found .... assertion errors are programmatic checks to crash a program if some parameters to a function f.ex. is wrong .... complete log files is needed to see more .... and then preferably at verb level 4 or higher
06:53 < reiffert> hyper_ch: did you fix your blog?
06:53 < hyper_ch> reiffert: I did... already yesterday :)
06:53 -!- brizly1 [n=brizly_v@p4FC999AD.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:01 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
07:04 < tecchi> hmm...how do i forward packages from the tun0 interface to the public iface to access the internet through the vpn tunnel?
07:05 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit [Client Quit]
07:08 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
07:10 < demo|> i want to forward all my internet traffic through the VPN, can anyone help me?
07:14 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
07:20 < hyper_ch> !howto
07:20 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:20 < hyper_ch> demo|: it's listed there
07:20 < demo|> hyper_ch, i did whats listed but it still doesnt work
07:21 < hyper_ch> demo|: http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
07:21 < vpnHelper> Title: HOWTO (at openvpn.net)
07:21 < hyper_ch> demo|: show your server config
07:21 < hyper_ch> !configs
07:21 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:22 < demo|> okay just a sec lemme paste it
07:24 < reiffert> demo|: !redirect-gateway
07:24 < reiffert> !def1
07:24 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
07:25 < demo|> i added "--push redirect-gateway df1" in the client config file
07:26 < demo|> and did everything that is written in the !redirect
07:26 < demo|> nothing else, besides that its the default config file
07:26 < hyper_ch> that should be added to the server
07:26 < tecchi> so why did you add this to your client config?
07:26 < demo|> it still wont work, i added it to there too
07:26 < hyper_ch> and you also need to add nameservers IIRC
07:26 < hyper_ch> !configs
07:26 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:27 < demo|> where do i find server.conf in a debian system?
07:27 < hyper_ch> didn't you just say above you added it on the server also?
07:27 < tecchi> checkout /dev/null ;)
07:27 < hyper_ch> tecchi: that's mean :(
07:28 < demo|> i added it to the server means i tried to add it to the server and delete from the client
07:28 < demo|> now its on server config,, just a sec ill connect
07:28 < tecchi> a sample config should be under /usr/share/doc/openvpn
07:28 < hyper_ch> how can you add it to the server without knowing where its config is...
07:29 < hyper_ch> and server-wide configs are usually in /etc somewhere
07:29 < |Mike|> omg a demo
07:29 < demo|> hyper_ch, through the web interface
07:30 < hyper_ch> webinterface?
07:30 < demo|> anyways i get "no internet access" on the TAP interface and when i use "ipconfig" the gateway is blank
07:30 < |Mike|> you can't see a gateway by using ifconfig..
07:30 < tecchi> ipconfig
07:30 < demo|> the client is windows
07:30 < tecchi> i think he is running this on the win client
07:30 < demo|> the server is on linux
07:31 < |Mike|> please paste your configs on a pastebin or pastie.org
07:31 < tecchi> to use tap you have to setup a bridge on the server
07:31 < |Mike|> !configs
07:31 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:31 < demo|> okay wait ill find the confs
07:31 < hyper_ch> try /etc/openvpn/
07:32 < demo|> yeah but all i have there hyper_ch is "static.key update-resolv-conf"
07:32 < hyper_ch> pastebin the goddamn configs
07:33 < demo|> im looking for the goddamn configs
07:33 -!- tecchi [n=tecchi@ip-81-210-194-238.unitymediagroup.de] has quit [Read error: 104 (Connection reset by peer)]
07:33 < hyper_ch> demo|: how did you setup the server?
07:34 < demo|> downloaded a .deb file
07:34 < hyper_ch> you don't download just .deb
07:34 < hyper_ch> you use repositories to install software
07:35 < reiffert> demo|: 14:25 < demo|> i added "--push redirect-gateway df1" in the client config file
07:36 < reiffert> demo|: you have to add to a config file:
07:36 < reiffert> push "redirect-gateway def1" to the server config file.
07:37 < hyper_ch> and I'd suggest to remove openvpn server first from the debian machine and use the debian repos to install it
07:37 < hyper_ch> and then it needs to be configure
07:37 < hyper_ch> d
07:38 < demo|> debian repos? you mean apt-get?
07:38 < reiffert> depends on the debian version
07:38 < demo|> its lenny
07:38 < reiffert> demo|: comes with 2.0.9?
07:38 < hyper_ch> demo|: yes, apt uses repositories
07:38 < demo|> okay
07:39 < demo|> will do
07:39 < reiffert> demo|: does lenny come with openvpn-2.0.9?
07:39 < demo|> no idea reiffert
07:39 < demo|> ill install it with backports
07:39 < reiffert> demo|: check it and stick to 2.1-rc19
07:39 < demo|> openvpn-as-1.1.3-Ubuntu9.amd_64.deb
07:39 < demo|> thats what i had download
07:40 < hyper_ch> reiffert: debian lenny has 2.1 rc 11
07:40 < reiffert> mhm.
07:40 < hyper_ch> demo|: you d8id downoad an ubuntu package for debian?
07:41 < |Mike|> what the hell
07:41 < hyper_ch> demo|: dpkg --purge openvpn
07:41 * |Mike| crawls back under his rock
07:41 < hyper_ch> |Mike|: is there space for more?
07:42 < |Mike|> yes!
07:42 < demo|> dpkg - warning: while removing openvpn, directory `/etc/openvpn' not empty so not removed.
07:42 < demo|> should i remove it manually?
07:42 * hyper_ch joins |Mike|
07:42 < hyper_ch> demo|: it won't hurt
07:42 * reiffert turns back to 1000km Le Mans Series
07:42 < hyper_ch> demo|: but don't know if it's necessary
07:43 < demo|> okay
07:43 < hyper_ch> also pastebin your /etc/apt/sources.list
07:44 < demo|> http://pastebin.ca/1540197
07:44 < demo|> should i use backports to get openvpn, hyper_ch?
07:44 < hyper_ch> demo|: backports are not needed
07:44 < hyper_ch> demo|: but depending on what you use the server for you want to enable them (or not)
07:45 < demo|> okay so now i need to just "apt-get install openvpn"?
07:46 < hyper_ch> first apt-get update
07:46 < hyper_ch> then apt-get upgrade
07:46 < hyper_ch> and then apt-get install openvpn
07:46 < demo|> okay
07:47 < demo|> Setting up openvpn (2.1~rc11-1) ...
07:47 < demo|> thats the version it got
07:47 < hyper_ch> now you need to configure it
07:47 < hyper_ch> add keys
07:47 < hyper_ch> etc.
07:47 < hyper_ch> generate keys etc.
07:47 < hyper_ch> !howto
07:47 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:48 < demo|> okay so ill do that and brb
07:48 < demo|> mean while thanks alot :)
07:48 < hyper_ch> this one is straight forward (alas in German) and has everything but the key generation: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways
07:48 < vpnHelper> Title: Konfiguration eines Internetgateways – OpenVPN Wiki (at wiki.openvpn.eu)
07:50 < demo|> kinda hard with the german
07:50 < demo|> should i just throw all the commands i see there?
07:51 < hyper_ch> google translate works wonders on texts in other languages
07:52 < hyper_ch> or use the english howto (which is not so straight to the point but contains tons of useful info)
07:52 < reiffert> demo|: follow the howto, stupid!
07:55 < |Mike|> i wouldn't do that if i where you.
07:55 < hyper_ch> what wouldn't you do?
07:56 < demo|> hyper_ch it tells me to do openvpn --config server.conf but i get an error
07:56 < hyper_ch> where does it tell that and what tells so?
07:56 < hyper_ch> and what error do you get?
07:57 < |Mike|> you might want to add a full path demo|
07:57 < |Mike|> any carp fishers here btw? :D
07:57 < hyper_ch> nope, fishing is boring
07:57 < demo|> tanin:/etc/openvpn# openvpn --config /etc/openvpn/server.conf
07:57 < demo|> Options error: error parsing --server: server is not a recognized flag Use --help for more information.
07:57 * hyper_ch hides under the rock
07:57 < hyper_ch> demo|: I still have no clue what you're trying to do
07:58 < hyper_ch> where does it say to do so?
07:58 < demo|> after it says to write down everything there in a server.conf file
07:58 < demo|> then it says to test it with openvpn --config server.conf
07:58 < hyper_ch> demo|: and where does it say that?
07:59 < reiffert> |Mike|: you would not follow the official howto?
07:59 < demo|> in the page you gave me
07:59 < |Mike|> reiffert: nope :P
07:59 < hyper_ch> demo|: I gave you two pages and one has many links to subpages
07:59 < reiffert> |Mike|: why is that?
07:59 -!- earthian [n=earthian@fostral.net] has joined ##openvpn
08:00 < demo|> the german one
08:00 < |Mike|> demo|: paste your server and client configs ktnx
08:00 < |Mike|> reiffert: because it works
08:00 < reiffert> |Mike|: "it"?
08:00 < |Mike|> my dirty openvpn network
08:01 < hyper_ch> demo|: what does the config look like?
08:01 < hyper_ch> !configs
08:01 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:01 < reiffert> |Mike|: so because your personal network is working, but if you were demo|, you would not follow the howto? Awsome!
08:01 < demo|> sec
08:01 < earthian> Hi, does anybody has some knowledge of setting up openvpn on linux-vserver? If so, could you help me set one up? At the moment i fail to understand how to make vserver guest to connect to the vpn server which is accessible via local area network, i.e 192.168...
08:01 < reiffert> earthian: !howto
08:01 < reiffert> !howto
08:01 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:01 < |Mike|> reiffert: anybody should read the howto before they start braggin in ##openvpn
08:02 < reiffert> ACK
08:03 < earthian> reiffert, there is nothing mentioned in the howto regarding setup on vserver
08:03 < earthian> the host works ok
08:03 < earthian> but not the guests...
08:03 < earthian> :/
08:03 < reiffert> earthian: no, the howto covers clients and server.
08:03 < reiffert> earthian: no matter where or in what environment they live.
08:03 < demo|> http://pastebin.ca/1540214 - my server.conf
08:03 < earthian> yes i know how to set up client and server
08:04 < reiffert> earthian: but if you really like to get help in ##openvpn, be aware that probably nobody ever used vserver before, you want to try #vserver instead.
08:04 < earthian> i fail to set up openvpn properly on a client that is a guest in a linux virtual server
08:04 < earthian> yes yes :)
08:04 < earthian> i am trying both
08:04 < reiffert> good luck.
08:04 < earthian> thanks
08:04 < hyper_ch> demo|: that config is totally out of shape
08:05 < demo|> i just did copy paste from the german site
08:05 < hyper_ch> look at the output
08:05 < hyper_ch> that's something else altogether
08:05 < reiffert> hyper_ch: congrats, now you can have your own openvpn support channel.
08:06 < reiffert> 7topic please follow the german howto from hyper_ch. He will help you.
08:06 < hyper_ch> it's not my howto :)
08:06 < hyper_ch> demo|: pastebin your whole config
08:06 < reiffert> !factoids search example
08:06 < vpnHelper> reiffert: No keys matched that query.
08:06 < reiffert> !factoids search example-config
08:06 < vpnHelper> reiffert: No keys matched that query.
08:07 < reiffert> !factoids search config
08:07 < vpnHelper> reiffert: 'ifconfig' and 'configs'
08:07 < reiffert> !factoids search configs
08:07 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:07 < reiffert> !factoids search examples
08:07 < vpnHelper> reiffert: No keys matched that query.
08:07 < reiffert> !factoids search example
08:07 < vpnHelper> reiffert: No keys matched that query.
08:07 < reiffert> hrmn.
08:07 < demo|> oh okay
08:07 < demo|> i think it was my fault
08:07 < demo|> i did a copy from the google translation so it did a bit of a mess
08:07 < demo|> lemme re-pastebin
08:08 < demo|> hyper_ch; http://pastebin.ca/1540217
08:08 < reiffert> why not use the example configs from the !howto?
08:08 < demo|> i think this one makes more sense
08:08 < reiffert> they probably won't work ...
08:09 < hyper_ch> reiffert: and did you generate the cert and the keys?
08:09 < reiffert> hyper_ch: hm?
08:09 < hyper_ch> sorry :)
08:09 < hyper_ch> demo|: did you generate the cert and the keys?
08:10 < reiffert> hyper_ch: why use ping-timer-rem?
08:10 < hyper_ch> reiffert:because the howto says so ;)
08:10 < demo|> nope ill just see the offical howto how to generate those just a sec
08:10 < |Mike|> !howto
08:10 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:11 < |Mike|> scroll all the way down
08:11 < |Mike|> don't you have sample config files in /usr/share or something?
08:11 < demo|> i guess, the server conf i just paste isnt good?
08:12 < hyper_ch> demo|: it's good
08:12 < hyper_ch> demo|: generate the keys and alter the conf (if needed) with the path of th ekeys
08:13 < reiffert> why use ping-timer-rem?
08:13 < reiffert> why change the keepalive setting?
08:13 < reiffert> why mute 50?
08:14 -!- eliasp_ is now known as eliasp
08:15 < demo|> err i cant find the easy-rsa
08:18 < hyper_ch> I used that to create keys and stuff: http://openvpn.net/index.php/open-source/documentation/howto.html#pki
08:18 < vpnHelper> Title: HOWTO (at openvpn.net)
08:19 < demo|> can i just download the .tar and copy the easy-rsa from there to the /etc/openvpn ?
08:19 < hyper_ch> dunno
08:23 < demo|> tanin:/etc/openvpn/easy-rsa# ./clean-all
08:23 < demo|> you must define KEY_DIR
08:23 < demo|> errr
08:25 < |Mike|> where can i buy some clue hammers ?
08:26 < hyper_ch> demo|: just go on
08:27 < demo|> im pasted it
08:27 < demo|> now im generating dh
08:28 < reiffert> demo|: cd /usr/share/doc/openvpn/examples/easy-rsa
08:28 < demo|> its okay i already copied it by downloading a .tar
08:29 < reiffert> ok, my help is not necessary.
08:29 < demo|> hmm missing "keys/server.crt"
08:29 < hyper_ch> you'll have to adjust the paths
08:30 < demo|> yeah i copied it all to /etc/openvpn so it'll fit
08:31 < hyper_ch> so it works?
08:31 < demo|> getting an error now
08:32 < demo|> lemme paste it
08:32 < demo|> http://pastebin.ca/1540239
08:32 < demo|> this is what i get now :/
08:33 < hyper_ch> and what does it say?
08:33 < reiffert> It says: Exiting
08:34 < hyper_ch> but what does the error message say?
08:34 < demo|> what do you mean?
08:34 < demo|> i pasted it
08:34 < hyper_ch> demo|: did you read it?
08:35 < demo|> Cannot load certificate file
08:35 < hyper_ch> there we go
08:35 < hyper_ch> and where does it look for the file? and where have you the cert file put to?
08:35 < demo|> it loooks for it in keys
08:35 < demo|> and its in keys
08:36 < hyper_ch> ls -al /etc/openvpn/keys/
08:36 < demo|> -rw-r--r-- 1 root root 0 Aug 23 13:31 server.crt
08:38 < demo|> any ideas?
08:38 < hyper_ch> hmmm
08:38 < hyper_ch> not really
08:39 < reiffert> demo|: the server.crt got a size of 0.
08:40 < hyper_ch> right, that did escape me now :9
08:40 < reiffert> |Mike|: want some popcorn?
08:41 -!- c64zottel [n=hans@p5B17B42B.dip0.t-ipconnect.de] has joined ##openvpn
08:41 -!- c64zottel [n=hans@p5B17B42B.dip0.t-ipconnect.de] has left ##openvpn []
08:47 < hyper_ch> demo|: regenerate the cert and keys
08:47 < demo|> okay
08:47 < demo|> seems to work now
08:47 < hyper_ch> you already did?
08:48 < |Mike|> reiffert: please
08:48 < demo|> yeah i did something a bit longer but okay
08:48 < demo|> Sun Aug 23 13:47:38 2009 Initialization Sequence Completed
08:49 < hyper_ch> now get the client.crt and client.key to your machine
08:49 < demo|> im running windows , does it matter?
08:50 < hyper_ch> well, I don't know how to setup the client on windows
08:50 < hyper_ch> but you'll need the crt and key there also
08:51 < demo|> i have this openvpn-as win client installed from my last install, can i use it?
08:51 < hyper_ch> no clue, I don't use windows
08:52 -!- micro [n=Micro@dyn.83-228-205-139.dsl.vtx.ch] has joined ##openvpn
08:54 < micro> hi, could someone help me with openvpn client config plz ? need help about keys/certs
08:54 < hyper_ch> !howto
08:54 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:55 < micro> i read how to configure, troubles come with client keys... openvpn don't wanna load them :(
08:55 < hyper_ch> !configs
08:55 < vpnHelper> hyper_ch: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:55 < micro> Cannot load certificate file thinkpad.crt: error:02001002:
08:56 < demo|> how do i add root as a user to the webinterface?
08:56 < hyper_ch> I have no clue what you mean by webinterface
08:56 < hyper_ch> and I don't think adding root to a webinterface is a good idea
08:57 < demo|> https://ip:8443/admin
08:57 < demo|> anyone ?
08:58 < hyper_ch> what about that?
08:58 < demo|> how do i add a user to access it
08:58 < reiffert> demo|: what openvpn version do you have on windows?
08:59 < hyper_ch> demo|: what's that?
09:00 < demo|> i dunno some sort of web admin thingy
09:00 < demo|> reiffert, i downloaded "openvpn-as" before
09:00 < hyper_ch> and how am I supposed to know?
09:01 < micro> humm, i explain better my troubles... i have installed/configured the server and it's running fine... on the server i have made the ca.crt and the clients crt/key then transferred them to the client computer (and created/edited the client config file in /etc/openvpn/ on the client too)
09:01 < micro> but when i start the client, it cannot load my certificate.
09:01 < micro> Sun Aug 23 15:49:57 2009 OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Mar 9 2009
09:01 < micro> Sun Aug 23 15:49:57 2009 Cannot load certificate file thinkpad.crt: error:02001002:system library:fopen:No such file or directory: error:20074002:BIO routines:FILE_CTRL:system lib: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
09:02 < micro> Sun Aug 23 15:49:57 2009 Exiting
09:02 < micro> so what have i done wrong plz ?
09:03 < micro> i already RTFM but can't find any info about that :(
09:03 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
09:07 < micro> anyone for some help ? ^^
09:08 < micro> !configs
09:08 < vpnHelper> micro: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:13 < reiffert> demo|: "-as"?
09:13 < reiffert> demo|: use 2.1rc19 from openvpn.net
09:14 < demo|> reiffert for my windows client, right?
09:14 < reiffert> yep
09:14 < demo|> btw do you know how i can access the web interface?
09:14 < reiffert> webif? -as? what are you talking about?
09:15 < demo|> when i start openvpn and enter https://ip:8443/admin
09:15 < demo|> i can put in a user and password
09:15 < reiffert> show me the homepage of openvpn-as please
09:16 < micro> nobody knows why my client won't load his own crt (made on the vpn server then transferred to the client) ??
09:16 < reiffert> ah, it's that access server stuff. Sorry, I dont know anything about it.
09:16 < reiffert> -as is a commercial product, use the official support ways please.
09:16 < demo|> oh
09:17 < demo|> so why do i have it still running, i removed it
09:17 < demo|> weird
09:30 -!- micro [n=Micro@dyn.83-228-205-139.dsl.vtx.ch] has quit ["Quitte"]
09:39 < demo|> http://pastebin.ca/1540322
09:39 < demo|> can anyone help me with this error?
09:50 -!- xand [n=xand@unaffiliated/xelam] has quit [Client Quit]
10:02 < |Mike|> invalid id
10:03 -!- XapoH[away] is now known as XapoH
10:21 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
10:30 < |Mike|> demo|:
10:54 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has quit []
11:01 -!- ballen [n=ballen@97.87.29.39] has joined ##openvpn
11:02 -!- ballen [n=ballen@97.87.29.39] has left ##openvpn []
11:03 -!- XapoH is now known as XapoH[away]
11:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
11:17 -!- earthian_ [n=earthian@fostral.net] has joined ##openvpn
11:18 -!- earthian [n=earthian@fostral.net] has quit [Read error: 113 (No route to host)]
11:29 < demo|> |Mike|
11:34 < earthian_> hi
11:36 < earthian_> how do i fix problems with "ns1/192.168.6.10:43995 MULTI: bad source address from client [10.128.64.2], packet dropped"? I have a setup of linux vserver where vserver host has ip 192.168.6.2, vserver guests have ip address somewhere between 192.168.6.10..100 and openvpn server is 192.168.6.1, so everything is on the same subnet, but the vserver guests are behind the vserver host.. is there any way for the guests to make them talk properly with openvp
11:36 < earthian_> n server?
11:37 < reiffert> !route
11:37 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:38 < earthian_> but there are no different subnets or lans :/
11:38 < earthian_> everything is on one cable
11:38 < earthian_> and two boxes
11:39 < reiffert> you were asking for a solution, I gave you one, you seem to ignore it after reading one sentence. Alright, hey please find someone who fits better to your setup.
11:40 < earthian_> thanks
11:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:44 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 110 (Connection timed out)]
11:47 < demo|> reiffert
11:47 < demo|> can you help me with this error? http://pastebin.ca/1540510
11:52 < |Mike|> !tls-auth
11:52 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
11:52 < |Mike|> there you go
11:54 < demo|> thanks
11:55 < demo|> !secure
11:55 < vpnHelper> demo|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
11:58 -!- XapoH [n=X@78.108.77.14] has joined ##openvpn
11:58 < demo|> |Mike|
11:58 < demo|> i generated a key, and added "tls-auth ta.key 0" to the server conf
11:59 < demo|> but now i get this error:
11:59 < demo|> Sun Aug 23 16:59:04 2009 TLS Error: cannot locate HMAC in incoming packet from 84.108.222.192:60969
12:00 -!- bauruine [n=bauruine@88.80.25.148] has joined ##openvpn
12:02 < |Mike|> did you edit your client config as well ?
12:02 < |Mike|> what is in your client.ovpn ?
12:03 -!- XapoH[away] [n=X@78.108.77.14] has quit [Read error: 60 (Operation timed out)]
12:03 < demo|> do i need to generate a ta.key in the client too? even if i used 0 instead of 1 in the tls-auth?
12:04 < |Mike|> you need to copy that key to the client.
12:04 < |Mike|> otherwise they can never give each other a handshake
12:06 < demo|> okay, doing it now
12:06 < demo|> now i get TLS Error: incoming packet authentication failed from
12:07 < demo|> am i supposed to use the same ta.key or generate a new one in the client?
12:08 < |Mike|> did you even read the stuff that vpnHelper uttered ?
12:09 < demo|> no
12:13 < demo|> should it be "tls-auth ta.key 1" on both client and server configs?
12:14 < bauruine> mhm after using openvpn every ssl connection fails
12:16 < |Mike|> you didn't read demo|
12:16 < |Mike|> 0 at the server and 1 on the clients.
12:21 < demo|> |Mike|
12:21 < demo|> now i get this; http://pastebin.ca/1540548
12:21 < demo|> both using same ta.key, server is on 0 client on 1
12:21 < |Mike|> did you generate client keys / crts ?
12:22 < demo|> yeah i copied them too
12:22 < |Mike|> can you dump your client and server config on pastebin.ca ?
12:22 < demo|> !configs
12:22 < vpnHelper> demo|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:22 < demo|> just a sec
12:23 < demo|> http://pastebin.ca/1540554 - server.conf
12:24 < demo|> http://pastebin.ca/1540556 - client conf
12:28 < |Mike|> ns-cert-type server <== that line could fuck it up
12:28 < |Mike|> 99.# To use this feature, you will need to generate
12:28 < |Mike|> 100.# your server certificates with the nsCertType
12:28 < |Mike|> 101.# field set to "server". The build-key-server
12:28 < |Mike|> 102.# script in the easy-rsa folder will do this
12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:30 < demo|> handshake failed
12:31 < demo|> |Mike|; could this be because i used chmod on the ta.key to fetch it from ftp?
12:33 < bauruine> i am using openvpn (tap) and since that i can't surf https sites i always get a "ssl_error_rx_record_too_long" message
12:34 < |Mike|> you had to give it more, it should work..
12:35 < |Mike|> regenerate the ssl cert again, retry
12:39 < demo|> any ideas mike?
12:52 < |Mike|> bauruine: check the mtu
12:53 < bauruine> |Mike|, it's 1500 is that too big?
12:54 < |Mike|> that's default
12:55 < |Mike|> you could increase the keepalive and try it out
12:56 < |Mike|> demo|: nope
12:57 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:03 < bauruine> |Mike|, what do you mean with keep alive? i have already lowered the mtu to 1300 but i still get the same error
13:04 < |Mike|> !keepalive
13:04 < vpnHelper> |Mike|: Error: "keepalive" is not a valid command.
13:04 < |Mike|> !factoids search keepalive
13:04 < vpnHelper> |Mike|: No keys matched that query.
13:05 < bauruine> the only keepalive is #Tests the connection with a ping like packet.
13:27 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
13:53 -!- joelsolanki [i=joelsola@124.125.148.209] has joined ##openvpn
13:55 -!- joelsolanki [i=joelsola@124.125.148.209] has quit [Client Quit]
14:21 < demo|> uhm
14:21 < demo|> can someone help me
14:21 < demo|> on the certs
14:21 < demo|> i put the same common name on all of them?
14:21 < reiffert> !howto
14:21 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:21 < demo|> i read that
14:21 < demo|> and i did what it says didnt work
14:21 < demo|> cant you just tell me
14:21 < demo|> instead of referring?
14:22 < reiffert> no.
14:25 < demo|> thanks for not being helpful
14:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
14:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
14:50 < Bushmills> didn't you find the howto helpful?
14:53 < demo|> it is very helpful, but there are some cases where it isnt
14:53 < demo|> so most of the people here are thinking they are helping by directing people to manuals
14:56 < quentusrex_> Does anyone know if it is possible for openvpn to query a url for its configs?
14:57 < ecrist> quentusrex_: not really
14:57 < ecrist> you could create a wrapper script which does so, however.
14:57 < demo|> anyways finally i got it running but i uncommented the default-gateway def1 and now i cannot do new connections (get into website w/e)
14:58 < demo|> !redirect
14:58 < vpnHelper> demo|: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:58 < demo|> !ipforward
14:58 < vpnHelper> demo|: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:58 < demo|> !linipforward
14:58 < vpnHelper> demo|: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:59 < demo|> !nat
14:59 < vpnHelper> demo|: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
14:59 < demo|> !linnat
14:59 < vpnHelper> demo|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
15:00 < demo|> thank god
15:00 < demo|> :D
15:15 < kaii> quentusrex_: if you really plan to wrap a script that downloads the config for your openvpn clients, do not forget to totally ensure that any key is protected appropriately from public access. also ensure that keys are transmitted using a secure channel, e.g. HTTPS
15:37 -!- waldner_ [n=waldner@unaffiliated/waldner] has joined ##openvpn
15:37 < waldner_> can openvpn update routing tables other than "main" (in iproute2 lingo)?
15:42 < reiffert> you can run scripts that do that job for you.
15:43 < waldner_> yes, I meant natively of course
15:43 < reiffert> e.g. --up
15:43 < waldner_> thanks
15:46 < demo|> what is "--script-security 2" used for?
15:47 < reiffert> demo|: I could point you to the manpage this time ..
15:48 < demo|> that would be lovely
15:48 < reiffert> !man
15:48 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:48 < demo|> thanks
15:51 < waldner_> is there a document somewhere that describes the internals of openvpn, eg how it uses the tun/tap interfaces and the udp connections to the peers, and if and when it parses the packets itself or when it just sends them to the tun/tap interface, etc.?
15:51 < waldner_> (that is, other than reading the source)
15:53 < reiffert> waldner_: there is a howto, the manpage and the faq. Source of course.
15:53 < demo|> do i need to "--mode m" if i would like to get multiple clients connected to the server?
15:53 < waldner_> yes, but those do not really go into the kind of details I'm interested in. Thanks however
15:59 < demo|> reiffert?
16:02 -!- XapoH [n=X@78.108.77.14] has quit [Read error: 54 (Connection reset by peer)]
16:03 -!- XapoH [n=X@78.108.77.14] has joined ##openvpn
16:10 -!- waldner_ [n=waldner@unaffiliated/waldner] has left ##openvpn ["Leaving"]
16:11 < demo|> anyone?
16:41 < rawDawg> demo| server mode
16:42 < rawDawg> if you want all clients to use the same common name: use --duplicate-cn
16:42 < rawDawg> you really should read the manual
16:42 < rawDawg> !man
16:42 < vpnHelper> rawDawg: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:52 < demo|> rawDawg
16:52 < demo|> i want to have 2 clients connected to the vpn server
16:52 < rawDawg> ok
16:52 < demo|> when i setup the other client i get "waiting for tun/tap to be up" something like that
16:53 < rawDawg> !configs
16:53 < vpnHelper> rawDawg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:53 < rawDawg> read topic
16:53 < demo|> do i need to run the server in a specific mode or it should be enabled by default?
16:55 < rawDawg> server should be in server mode
16:56 < rawDawg> !sample
16:56 < vpnHelper> rawDawg: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
16:56 < rawDawg> i can't stress enough for you to read the entire manual
16:56 < rawDawg> it is not that long
16:57 < rawDawg> at least read about each parameter in the sample config
16:58 < demo|> ive been over the manuals
16:58 < demo|> damnit
16:58 < demo|> its already up and working with one client
16:59 < demo|> im just asking about the other
16:59 < demo|> i get "waiting for tap/tun interface to come up"
16:59 < demo|> its same config as the first client
17:02 < rawDawg> linux or windows?
17:03 < demo|> server running on debian, client 1 that works is on win7 and client 2 is on winxp
17:03 < demo|> do i need to add another "dev tun" line to the server conf?
17:04 < rawDawg> no
17:05 < rawDawg> let's see the config
17:05 < demo|> just a sec please
17:09 < demo|> http://pastebin.ca/1540902
17:10 < demo|> there it is rawDawg
17:13 < demo|> rawDawg ?
17:15 < rawDawg> i will take a look
17:17 < demo|> okay
17:17 < demo|> i think its something with the winxp
17:19 < rawDawg> try --route-method exe
17:20 < rawDawg> !factoids search win
17:20 < vpnHelper> rawDawg: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin'
17:20 < rawDawg> !winroute
17:20 < vpnHelper> rawDawg: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote access in administrative tools - routing and remote access
17:22 < |Mike|> dear god.
17:23 < |Mike|> demo|: are you the same guy as on efnet ?
17:23 < demo|> yes
17:23 < |Mike|> ok, then you're a nitwit.
17:24 < demo|> pashul ti nahoi pidar :)
17:24 < |Mike|> poshol nahuy my friend.
17:25 < rawDawg> demo| if that doesn't work make sure the dhcp client service is running
17:25 < demo|> okay
17:28 < |Mike|> demo|: are you afraid that the m0sfet dudes are going to capture your data ?
17:35 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"]
17:46 < demo|> okay
17:47 < demo|> dunno what happened but it worked
17:47 < demo|> i think the route-delay helped
17:47 < demo|> thanks rawDawg :)
17:48 -!- earthian__ [n=earthian@fostral.net] has joined ##openvpn
17:48 < |Mike|> demo|: can i publish your ip for now ?
17:48 < demo|> sure
17:48 < |Mike|> lol.
17:48 < |Mike|> i knew you were the same guy as on efnutz.
17:49 < demo|> because of my nick?
17:49 < |Mike|> or notdemo ?
17:50 < demo|> yeah someone stole it
17:51 < |Mike|> aww..
17:55 -!- earthian__ [n=earthian@fostral.net] has quit [Remote closed the connection]
17:58 -!- earthian_ [n=earthian@fostral.net] has quit [Read error: 113 (No route to host)]
17:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:02 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
18:08 -!- Douglas [i=doug@208.99.80.128] has quit [Remote closed the connection]
18:19 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
18:19 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
18:26 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:33 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Success]
18:37 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
19:43 -!- FluxTendu [n=Cecinest@vpn.itshidden.com] has joined ##openvpn
19:43 < FluxTendu> !redirect
19:43 < vpnHelper> FluxTendu: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:44 -!- FluxTendu [n=Cecinest@vpn.itshidden.com] has quit []
20:07 < koolkat> are there any problems using openvpn on a virtual machine? will some of the traffic go outside of the guest machine and through the host?
20:26 -!- thedoc [n=tenacity@unaffiliated/thedoc] has joined ##openvpn
20:40 -!- rawDawg [n=OMG@cpe-76-188-26-242.neo.res.rr.com] has quit []
20:40 < Dougy> koolkat: err
20:40 < Dougy> never heard of that before
20:59 < bauruine> since im using openvpn i can't access https sites i just get the error "ssl_error_rx_record_too_long"
21:11 -!- master_of_master [i=master_o@p549D6EC9.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:13 -!- master_of_master [i=master_o@p549D3FD2.dip.t-dialin.net] has joined ##openvpn
22:33 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has quit []
22:40 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has joined ##openvpn
23:20 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
23:31 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:36 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has joined ##openvpn
23:50 -!- bruceb [n=bruce@160.39.238.196] has quit [Remote closed the connection]
23:52 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
23:58 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Aug 24 2009
00:31 < bauruine> since im using openvpn i can't access https sites i just get the error "ssl_error_rx_record_too_long"
00:42 -!- thedoc [n=tenacity@unaffiliated/thedoc] has quit ["Leaving"]
00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
00:50 -!- joelsolanki [i=joelsola@202.160.161.94] has joined ##openvpn
00:50 < joelsolanki> hi is krzee or ecrist available plz ?
01:00 -!- bauruine_ [n=bauruine@85.4.68.228] has joined ##openvpn
01:14 -!- bauruine [n=bauruine@88.80.25.148] has quit [Read error: 110 (Connection timed out)]
01:15 -!- koolkat [n=kk@amsterdam.perfect-privacy.com] has quit []
01:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:34 -!- bauruine_ [n=bauruine@85.4.68.228] has quit [Read error: 113 (No route to host)]
01:56 -!- joelsolanki [i=joelsola@202.160.161.94] has quit []
02:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:33 -!- ZakMcRofl [n=unknown@95-91-80-231-dynip.superkabel.de] has joined ##openvpn
02:35 < ZakMcRofl> just to clarify, "OpenVPN ALS " has nothing to do with "this" OpenVPN, right?
02:37 < ZakMcRofl> hmm
02:37 < ZakMcRofl> OpenVPN Technologies has joined forces with Adito VPN community to launch a Web-based OpenVPN Application Layer Software (OpenVPN ALS)
02:37 < ZakMcRofl> never mind i guess
02:38 < ZakMcRofl> so where can i ask about adito? #adito or here?
02:46 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
04:15 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:36 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Read error: 110 (Connection timed out)]
05:04 -!- demo| [i=demo@tanin.sixth.cz] has joined ##openvpn
05:13 < demo|> if i use vpn to traffic all my inet connection and have two clients, is it possible to assign each a different ip?
05:26 -!- Narel [n=elrond@AToulouse-257-1-74-217.w90-5.abo.wanadoo.fr] has joined ##openvpn
05:26 -!- Narel [n=elrond@AToulouse-257-1-74-217.w90-5.abo.wanadoo.fr] has left ##openvpn ["Leaving"]
05:38 < Bushmills> demo|: i think you didn't read the section on Common Name, which reiffert ponted you to yesterday, very well.
05:38 -!- chinsan_ is now known as chinsan
05:38 < Bushmills> pointed
05:39 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:40 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:06 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
06:07 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
06:21 < |Mike|> !ccd
06:21 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
06:38 -!- brizly1 [n=brizly_v@p4FC99B8A.dip0.t-ipconnect.de] has joined ##openvpn
06:53 -!- brizly [n=brizly_v@p4FC99A07.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:04 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:09 < reiffert> another day of popcorn :)
07:11 < demo|> you like eating popcorn? you'll get fat in the end
07:12 < reiffert> I AM fat in the first place
07:13 < Bushmills> matter of perspective
07:13 < reiffert> yup
07:13 < reiffert> I'm too tall (short that is) :)
07:14 < Bushmills> i'm heavier than you are, i think
07:14 < demo|> haha
07:14 < Bushmills> and i'm *not* fat :)
07:15 < reiffert> Bushmills: how many KG's?
07:15 < Bushmills> between 112 and 115. depends on where I had spent the weekend
07:16 < reiffert> alright, then you are in fact heavier than I am ...
07:19 < Bushmills> you probably notice when we drive in your car that acceleration goes down :D
07:27 < ecrist> good morning
07:28 < dazo> morning!
07:31 < bauruine> hi, is there any known issue with https when using a openvpn tunnel?
07:32 < reiffert> bauruine: maybe MTU related.
07:32 < ecrist> no
07:33 < ecrist> looking at your past messages, it looks like an MTU issue, as reiffert suggests.
07:40 < bauruine> mhm ok i try to set it lower. thanks
07:44 -!- dotplus [n=dotplus@unaffiliated/dotplus] has left ##openvpn []
07:45 < ecrist> !mtu
07:45 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
07:52 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
07:58 -!- User877 [n=User@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has joined ##openvpn
07:58 -!- User877 [n=User@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has quit [Client Quit]
07:59 -!- akraemer [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has joined ##openvpn
07:59 -!- akraemer [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has quit [Client Quit]
08:00 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)]
08:01 -!- akraemer [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has joined ##openvpn
08:02 < akraemer> Hi, anybody can tell me what causes this error message? I try to set up an openvpn-connection to my firewall. At the firewall log i can see this message: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=DE/ST=BW
08:02 < akraemer> ...
08:03 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
08:04 < ecrist> !logs
08:04 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:04 < akraemer> it's a setup with client and user certificates
08:08 < akraemer> ok one moment
08:13 < akraemer> ok here is my log and config:
08:13 < akraemer> http://pastebin.com/de504a8b
08:17 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit [Remote closed the connection]
08:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:22 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:22 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
08:24 < akraemer> someone here who can help me with this openvpn problem?
08:27 < ecrist> looking at it, akraemer
08:27 < ecrist> you didn't send the entire server log
08:27 -!- bruceb [n=bruce@160.39.238.196] has quit [Client Quit]
08:27 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
08:27 < akraemer> one moment please
08:34 < akraemer> ok: http://pastebin.com/m3978bf78
08:34 < akraemer> does this look better?
08:35 < ecrist> much
08:35 < ecrist> line 75 seems to indicate the issue
08:36 < akraemer> yes of course, but my google searches weren't successful
08:38 < akraemer> line 73 also contains an error
08:38 < akraemer> about the self signed certificate
08:38 < ecrist> sure, I can't diagnose that without the server config, though.
08:38 < ecrist> !all
08:38 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
08:42 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
08:44 < akraemer> ok heres the server.conf included: http://pastebin.com/d14a7d499
08:45 < akraemer> this is my server.conf from endian-hardware-firewall-appliance which comes with openvpn included.
08:47 < akraemer> think, this server.conf file should be ok. maybe my client conf is corrupt or the certificates?
08:48 < ecrist> I would check your certificates.
08:48 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
08:49 < ecrist> pkcs12 certs are often screwed up.
08:49 < ecrist> I recommend having separate cert/keys
08:49 < akraemer> are there any other criteria which the certificates have to match?
08:50 < akraemer> ore ehat the have to include?
08:50 < akraemer> what
08:50 < ecrist> your server should have three components. the ca certificate 'ca' the server certificate, and the server key
08:50 < ecrist> the error on line 73 you referred to is because you do not reference the signing CA
08:51 < akraemer> okay, so it seems that the pkcs12 file is not cleanly structured. I will shortly insert it separately. one moment
08:53 -!- Serideru [n=GTWebste@72-24-197-68.cpe.cableone.net] has quit [Read error: 104 (Connection reset by peer)]
09:03 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
09:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:04 -!- demo| [i=demo@tanin.sixth.cz] has quit [Read error: 110 (Connection timed out)]
09:11 < akraemer> ok. now i am a bit further, i only get this:
09:11 < akraemer> VERIFY nsCertType ERROR: /C=DE/ST=Baden_Wuerttemberg/L=Offenburg/O=Lukrativ/OU=IT/CN=nb-ak.lukra-tiv.de/emailAddress=a.kraemer@lukra-tiv.de/CN=
09:11 < akraemer> nb-ak.lukra-tiv.de, require nsCertType=CLIENT
09:11 < akraemer> do i have to add something like ns-cert-type client ?
09:11 < reiffert> !howto
09:11 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:11 < reiffert> see there for cert creation
09:22 < akraemer> ok, i got it. deactivated the ns-cert-type checking on my openvpn-server and now it works. Now ill have to look how i can get XCA to generate valid ns-cert extensions and valid pkcs12 files.
09:22 < akraemer> thanks to reiffert and ecrist
09:28 < akraemer> is the ns-cert type identical with the netscape ssl client setting or tls-client in XCA
09:28 < akraemer> someone of you already used XCA?
09:34 -!- jeiworth [n=jeiworth@189.177.121.235] has joined ##openvpn
09:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:08 -!- demo| [i=demo@tanin.sixth.cz] has joined ##openvpn
10:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:19 -!- kn0x_ [n=pinochle@67.159.48.101] has joined ##openvpn
10:22 < kn0x_> anyone have a good reference for point-to-point vpn
10:24 < kn0x_> I have a remote site that I would like to use a dd-wrt or tomato router to create a site-to-site VPN tunnel so IP phones at the remote site can get to an Asterisk VoIP server without NAT
10:24 < kn0x_> anyone recommend a way to accomplish this so I can research?
10:25 < ecrist> !howto
10:25 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:25 < ecrist> there are examples there.
10:26 < kn0x_> cool, but what I don't understand is how the router (remote endpoint) shares its VPN session with its LAN without NAT
10:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:36 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
10:38 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
10:41 -!- demo [n=demo@bzq-82-81-130-120.red.bezeqint.net] has joined ##openvpn
10:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:46 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
10:48 -!- demo [n=demo@bzq-82-81-130-120.red.bezeqint.net] has quit []
10:52 < kaii> kn0x_: it's called routing. :)
10:53 < kaii> kn0x_: dd-wrt does not support routing networks via openvpn .. it does per default use NAT between the LAN and the remote LAN
10:54 -!- demo| [i=demo@tanin.sixth.cz] has quit [Read error: 110 (Connection timed out)]
10:55 < kaii> kn0x_: you can add "iptables -t nat -D -i tun0" (or something similar, you will find out) to the dd-wrt startup script to delete the NAT rule on the corresponding TUN interface
11:19 < ecrist> kn0x_: here
11:19 < ecrist> !route
11:19 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:19 < ecrist> !iroute
11:19 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
11:24 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:25 -!- ZakMcRofl [n=unknown@95-91-80-231-dynip.superkabel.de] has quit [Read error: 113 (No route to host)]
11:31 < kn0x_>
11:51 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
11:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
11:54 -!- jeiworth_ [n=jeiworth@189.177.121.235] has joined ##openvpn
11:58 -!- jeiworth [n=jeiworth@189.177.121.235] has quit [Read error: 145 (Connection timed out)]
12:20 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:24 < |Mike|> demo ran out ?
12:27 -!- jeiworth [n=jeiworth@189.177.121.42] has joined ##openvpn 12:41 -!- jeiworth_ [n=jeiworth@189.177.121.235] has quit [Connection timed out] 13:06 < garnser_> *yawn* 13:06 -!- garnser_ is now known as garnser 13:22 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn 13:22 < svinkels> plopplop 13:23 < svinkels> udp port 1194 is blocked at work, what port do you think I might try to circumvent their filtering? 13:23 < hyper_ch> use another port then 13:23 < hyper_ch> but if they find out it might be a reason to fire you 13:26 < svinkels> the 445 port ? 13:26 < misse-> hyper_ch: a reason to fire? Only if he's breaking som kind of policy.. and even then a talk with the boss might suffice.. I mean, first off they have to find out and get proof 13:26 < |Mike|> use 1194 tcp instead? :p 13:27 < hyper_ch> misse-: it can be a reason 13:27 < hyper_ch> circumvention of business security can be very serious 13:27 < misse-> hyper_ch: sure enough. I work in sweden though. Bosses are very lenient most of the time 13:27 < hyper_ch> svinkels: there are 65xxx ports 13:28 < hyper_ch> misse-: as you see, that port is already blocked, so I don't think that company is that lenient 13:29 < svinkels> in computer charter, no one mentioned the use of a private vpn 13:30 < hyper_ch> does it mention that the use of private vpn is ok? 13:31 < svinkels> no :p 13:31 < misse-> hyper_ch: you're right :) but I found out that irc is blocked out of our network.. because it's part of some 10y/o napster rule.. so 13:31 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn 13:32 < hyper_ch> misse-: so? there's still DCC for filesharing by irc 13:32 < hyper_ch> misse-: I see why they block it 13:32 < hyper_ch> misse-: it was also blocked at my university 13:32 < svinkels> it is impossible to connect vpn discreetly? without a trace? 13:33 < misse-> svinkels: you always leave traces 13:33 < svinkels> i can't use the port 8080 ? 
13:33 < misse-> hyper_ch: true, didn't think of that. I asked the firewall manager though, and I said to myself. NO, we have other protection against bandwidth abuse.. 13:34 < misse-> svinkels: they'll still see what kind of traffic and to where it's going 13:34 < hyper_ch> svinkels: if you value your job, ask permission from your boss or the tech department or whoever is in charge of security 13:34 < hyper_ch> misse-: it's not only about bandwidth abuse but getting malware also 13:35 < misse-> hyper_ch: which we have a rich library of software and licenses and a healty dose of central managed antimalware, antivirus and antispyware :) 13:35 < svinkels> I am a network administrator over a region, but the company is international and people are so microsoft and my Linux is not mad love! 13:36 < hyper_ch> misse-: and all those things only work against known malware 13:36 < misse-> hyper_ch: I understand your point, I do. I'm just saying that companies act diffrently, some more lenient than others. 13:36 < misse-> yes, known malware, that's correct. 13:37 < hyper_ch> misse-: as said, if svinkels uses it without the proper ok then he risks his/her job... 13:42 < jeiworth> hi all, quick question, i just tried to revoke a user certificate using the revoke-full script from easy-rsa and i get a confusing output: error 23 at 0 depth lookup:certificate revoked <-- so error but certificate revoked, or what? thanks! 13:43 < ecrist> no, it appears to mean the certificate is already revoked. 13:44 -!- quentusrex_ [n=quentusr@freeswitch/developer/quentusrex] has quit ["Leaving"] 13:45 < jeiworth> ecrist: hmm thanks... strange though, list-crl states that this certificate is indeed revoked and has today this time as timestampt? well, seems to have worked either way... 13:51 < ecrist> *shrug* 13:51 < jeiworth> yea... ^^ 13:52 < jeiworth> maybe it was already revoked and by trying to revoke it again it updated the timestamp? 
13:52 < ecrist> shouldn't have updated the timestamp 13:53 < ecrist> my guess is you ran it twice, thinking the first failed, or the second was simply an error. 13:53 < ecrist> easy-rsa, in it's crappily-written methods, could have simply run twice, too. 13:57 -!- zu [n=zu@bucketheaded.eu] has joined ##openvpn 13:59 < zu> !route 13:59 < vpnHelper> zu: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:00 < zu> !iporder 14:00 < vpnHelper> zu: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 14:00 < zu> !man 14:00 < vpnHelper> zu: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:07 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"] 14:14 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has joined ##openvpn 14:14 * ecrist updates FreeBSD/OpenVPN wiki page 14:15 < danieldg> !redirect 14:15 < vpnHelper> danieldg: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:16 < danieldg> well, I'm trying to do something a bit more complex than that. I would like to add a route to an alternate iproute routing table and send specific marked traffic via the VPN 14:17 < danieldg> the easiest way imo would be to just execute a shell script on the client when the VPN is started. Is that the best way, and if so, how to do it? 
14:18 < danieldg> (debian linux on both sides of the VPN, if that matters) 14:19 < zu> !nat 14:19 < vpnHelper> zu: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 14:19 < danieldg> oh. Never mind, I can do it via a script, using up on the client confg 14:20 < zu> !linnat 14:20 < vpnHelper> zu: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 14:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:43 < ecrist> sup, krzee? 14:45 < krzee> dying of hangover + coffee 14:45 < krzee> you? 14:45 < ecrist> back to the daily grind. 14:45 < ecrist> I'm going to start work on the new channel bot this week, I think. 14:45 < ecrist> was meaning to ask you what you meant by 'integration with the forum' 14:45 < krzee> nice 14:48 < krzee> like when someone posts, the bot says so 14:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:52 < ecrist> ok 14:52 * ecrist is out 14:53 -!- XapoH is now known as XapoH[away] 14:56 < zu> Hi, I have one question 14:57 < zu> In a tun configuration, is-it possible on the server to route the traffic to one specific host through one of the client 14:58 < zu> ? 14:58 < danieldg> yes, if I read correctly 14:59 < danieldg> "to one specific host" means what - one of the server's IPs? 
14:59 < zu> I tried by adding "route add -host A.B.C.D gw CLIENT_IP tun0" on the server 15:00 < danieldg> you want the server's access to A.B.C.D to be routed (through the VPN) to the client? 15:00 < zu> yes 15:00 < danieldg> that will work, as long as the client agrees that it owns the IP A.B.C.D 15:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 15:01 < zu> erf 15:02 < zu> what do you mean by "it owns" ? 15:02 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: krzie, ThoMe 15:02 < danieldg> it has that IP on one of its interfaces 15:02 < zu> I tried by putting the above route and adding an iptables MASQUERADE on the client, but nothing... 15:02 < danieldg> masquerade isn't what you want 15:03 < danieldg> you would want REDIRECT on the client 15:03 < danieldg> or just adding A.B.C.D to an interface (even a dummy interface) on the client 15:03 -!- Netsplit over, joins: ThoMe 15:04 < zu> In fact, I want "server's access to A.B.C.D to be routed (through the VPN) THROUGH the client?" 15:04 < danieldg> ... where do you want it to end up? 15:04 -!- Netsplit over, joins: krzie 15:04 < zu> danieldg: to A.B.C.D :) 15:05 < danieldg> that's a bit more complex 15:05 < zu> IP A.B.C.D's access is blocked on the server 15:05 < zu> not on the client 15:05 < danieldg> you'll have to have IP forwarding enabled on the client 15:05 < zu> yep it's set up 15:05 < danieldg> and then MASQUERADE the connection so that it appears the client is sourcing it 15:05 < zu> yes also 15:05 < danieldg> then it should work. 15:06 < zu> but I think the routes I put on the server don't work 15:06 < danieldg> linux server? 
try "ip route get A.B.C.D" 15:06 < zu> alright 15:09 < zu> # ip route get A.B.C.D 15:09 < zu> A.B.C.D via 10.8.0.6 dev tun0 src 10.8.0.1 cache mtu 1500 advmss 1460 hoplimit 64 15:09 < zu> here are the routes btw : 15:09 < zu> 10.8.0.6 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 15:09 < zu> A.B.C.D 10.8.0.6 255.255.255.255 UGH 0 0 0 tun0 15:09 < zu> 10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0 15:09 < zu> 10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0 15:09 < danieldg> the server is correct. The client may not be. 15:10 < danieldg> packet sniffer on the client may be useful to debug. Sniff on both the tun device and the outgoing interface 15:30 < zu> I'm checking with wireshark 15:37 < zu> hum 15:48 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn 15:54 -!- solvik [n=solvik@oxyradio.com] has left ##openvpn [] 16:25 < |Mike|> mkay 16:45 -!- NfNit|oop is now known as nfNitLoop 16:46 -!- nfNitLoop is now known as NfNitLoop 16:48 < |Mike|> NfNitLoop: 16:52 < reiffert> NaN 16:58 < NfNitLoop> sorry. 16:58 < NfNitLoop> #python wanted me to authenticate. 16:58 < NfNitLoop> Had to grab my real nick. :p 17:20 < svinkels> you known the port use by VPN cisco in default ? TCP port 10 000 et UDP (nat/pat) but i dont know the port UDP NAT/PAT a idea ? 17:21 < svinkels> if i use the same port for my personal openvpn that the port use by cisco VPN of my office, i am most discretly no ? 17:22 < reiffert> i'd go for udp/1194, udp/53, tcp/80, tcp/443 17:22 < reiffert> or ntp, whatever protocol is used 17:22 < svinkels> im sure just for tcp 10 000 17:22 < reiffert> then dont ask here. 
17:22 < svinkels> i can choose in my profil 17:22 < svinkels> but to nat/pat udp i dont known 17:23 < svinkels> in not write in my profil 17:23 < svinkels> i look tomorrow 17:23 < svinkels> it was just if somebody are the same vpn to have the answer now :p 17:42 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["leaving"] 18:33 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Read error: 104 (Connection reset by peer)] 18:38 -!- jeiworth [n=jeiworth@189.177.121.42] has quit [Read error: 110 (Connection timed out)] 19:10 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn 19:18 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:22 -!- MTeck [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has joined ##openvpn 19:22 < MTeck> !faq 19:22 < vpnHelper> MTeck: "faq" is (#1) http://openvpn.net/index.php/documentation/faq.html, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ 19:24 < MTeck> Is there any sample .ovpn config I can use to base what I did from? I kinda lost my system and didn't back this up 19:29 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn 19:30 < jeiworth> /usr/share/doc/openvpn/examples/sample-config-files/ 19:30 < agliodbs> to save me a lot of frustration: is there any way to resolve the OpenVPN vs. Cisco Anyconnect issue? 19:30 < MTeck> thanks 19:30 < jeiworth> MTeck: np 19:30 < agliodbs> or am I stuck uninstalling and reinstalling every time I want to switch? 19:40 < MTeck> jeiworth: now to try this out - wish me luck :) 19:41 < MTeck> jeiworth: wait... it didn't have anything for address pools 19:41 < jeiworth> MTeck: hehe go for it 19:41 < MTeck> How do I set that? 19:41 < jeiworth> uhm you mean the openvpn's own dhcp service? 19:42 < MTeck> maybe I don't need it 19:42 < MTeck> we'll see 19:44 < MTeck> jeiworth: any ideas what I did wrong? 
http://pastebin.com/d75240ae0 19:45 < MTeck> jeiworth: I had this working before I wiped my system clean so I know it's not the server 19:46 < jeiworth> hmm so this is your client machine? what system are you on? 19:46 < jeiworth> do you have bridge-utils installed? 19:46 < MTeck> I'm on Ubuntu 9.10 19:47 < jeiworth> ok, let me upload my client.conf, we are also using the tap device... 19:47 < MTeck> I'm installing that 19:47 < MTeck> same error though 19:49 < MTeck> OH! 19:49 < MTeck> permission denied 19:50 < jeiworth> http://pastebin.com/d6b11c991 19:50 < MTeck> http://mteck.pastebin.com/d86cb546 19:50 < MTeck> I'll compare to that 19:51 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:51 < jeiworth> ah well, obviously you have to sudo openvpn sincce it needs to initiate the tap device and the bridge, you could also set the suid but this is a bit dangerous if you share that machine with others since it theoretically enables them to start openvpn as server 19:52 < jeiworth> netmask 192.168.2.5 <-- that wont work 19:53 < MTeck> Aside from cipher, they're about the exact same 19:53 < MTeck> cipher aes-128-cbc 19:54 < MTeck> hrm - I don't have this either ns-cert-type server 19:55 < jeiworth> broadcast 255.255.255.254 looks strange too, shouldn't that be 255.255.255.255? 19:56 < MTeck> On the server, the vpn address pool is 192.168.1.0/24 and the localnetwork is 192.168.1.0/24 19:57 < MTeck> I thought I used to specify that in the config 19:57 < jeiworth> yup 19:58 < MTeck> How do I do that? 
19:58 < jeiworth> ok, let me ssh to my server and check the config 19:58 < MTeck> jeiworth: I mean in the client config 19:58 < jeiworth> nope, the client does nothing of the sort 19:59 < jeiworth> all network config is done in the sever.conf afaik 20:00 < jeiworth> @topic, w00t, i like the new website design -_- 20:00 < MTeck> http://mteck.pastebin.com/d4bbde168 20:01 < MTeck> Full error & config ^ 20:02 < MTeck> I think I might got it 20:03 < MTeck> s/tap/tun/ works 20:05 < jeiworth> i think your server-config is somehow strange: Mon Aug 24 19:59:23 2009 /sbin/ifconfig tap0 192.168.2.6 netmask 192.168.2.5 mtu 1500 broadcast 255.255.255.254 20:05 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:05 < MTeck> It's a pfsense box 20:09 < jeiworth> http://mteck.pastebin.com/d248f74c7 20:09 < MTeck> brb - gotta travel a few minutes 20:09 < jeiworth> hmm dont know that, what is pfsense? pf==personal firewall? 20:10 < jeiworth> well better hurry, just have around 15min left in the office ;) 20:10 * jeiworth uses the wait to go and smoke a cig 20:14 < jeiworth> re 20:22 < BasketCase> pf == packet filter 20:22 < BasketCase> made by the OpenBSD people 20:23 -!- bruceb [n=bruce@160.39.238.196] has quit [Remote closed the connection] 20:24 < BasketCase> though pfsense is FreeBSD 20:26 < jeiworth> BasketCase: ah kk, thanks, didnt know that 20:26 < agliodbs> ok, troubleshot the openvpn vs. 
cisco issue 20:26 < agliodbs> if anyone cares 20:33 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has quit [] 20:49 < MTeck> jeiworth: fire extenguisher blew up 20:54 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 21:02 -!- jeiworth [n=jeiworth@189.177.40.13] has quit [Read error: 110 (Connection timed out)] 21:11 -!- master_of_master [i=master_o@p549D3FD2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:14 -!- master_of_master [i=master_o@p549D4143.dip.t-dialin.net] has joined ##openvpn 21:28 < kn0x_> anyone point to docs how to generate public keys for OpenVPN-AS 21:29 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 21:54 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:56 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn 22:02 -!- tjz [n=tjz@121.7.20.94] has joined ##openvpn 22:12 -!- thedoc [n=zing@119.73.165.162] has joined ##openvpn 22:13 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn 22:16 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit [Read error: 60 (Operation timed out)] 22:31 -!- thedoc [n=zing@119.73.165.162] has quit [Read error: 110 (Connection timed out)] 22:33 -!- MTeck [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has left ##openvpn [""http://profarius.com/""] 23:08 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 23:12 -!- CoffeeIV [i=rgr@rrcs-71-42-183-82.sw.biz.rr.com] has quit [Client Quit] 23:31 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Tue Aug 25 2009 00:44 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 00:45 -!- Eagleray [n=erayd@khepry.erayd.net] has quit ["leaving"] 00:51 < krzee> !route 00:52 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, 
or (#2) READ IT DONT SKIM IT 01:29 -!- XapoH[away] is now known as XapoH 01:37 -!- serAphim [n=serAphim@f051111215.adsl.alicedsl.de] has joined ##openvpn 01:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:41 < serAphim> Hi there. I got a strange issue with RDP-connections to server 2008. We got 2 of them, DC and T1. Connections to DC work after a ping, but get disconnected after a couple of minutes. Connections to T1 break at "waiting for userprofile-service". There are no problems with our 2003-Server. Any ideas? 01:43 < krzee> could be that you need to adjust your MTU 01:43 < krzee> or maybe you're using tcp as your transport protocol for the vpn 01:43 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:52 < serAphim> no, i'm using udp. i'll try setting the mtu 01:52 < krzee> !mtu 01:52 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 01:54 < serAphim> the results will show up in the gui? 01:55 < serAphim> MTU=1500 [...] NOTE: Beginning empirical MTU test -- results should be available in 3 to 4 minutes. 01:57 < krzee> dunno, never used a gui 01:57 < serAphim> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1541,1541] 01:58 < krzee> thats normal, not sure what your problem is =/ 01:58 < krzee> got a keepalive? 01:59 < serAphim> no. one more thing, the first result of a ping to a server in the vpn-lan times out, the following are fine 02:00 < serAphim> gn. i hate 2008 02:08 -!- banannaz [i=tyrky3@ssh.sign.io] has joined ##openvpn 02:09 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has quit [Read error: 110 (Connection timed out)] 02:10 < banannaz> is there a way you could get openvpn to automatically conect to a vpn (including login details) on startup and not allow any internet connections until the vpn connection has been made? 02:12 < banannaz> on windows. 
02:13 < krzee> sure, run it as a service, and use !redirect 02:13 < krzee> !redirect 02:13 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 02:14 < banannaz> is there a way to make a virtual machine make a direct connection to the internet, while its host is connected to a vpn? 02:14 < krzee> sure, use bridged networking in the VM software 02:15 < krzee> it'll get its own connection to your router, not being played with by host systems routes 02:15 < banannaz> krzee: would that prevent windows from connecting to the windows update server until the connection had been made? 02:15 < krzee> banannaz, not sure, why dont you try it and find out 02:16 < krzee> i dont actually use windows 02:16 < banannaz> im talking about running it as a service krzee 02:16 < banannaz> krzee: what does running something as a service mean? 02:17 < krzee> windows has something called services, they are apps running in the background to over-simplify 02:17 < krzee> when you installed it asked if you wanted to install it as a service 02:18 < banannaz> i just want windows to connect to the vpn before ANY other connections are made. 02:19 < krzee> cool, try what i said, im going to bed 02:19 < banannaz> when I installed openvpnz? 02:19 < banannaz> krzee: when I installed openvpnz? 02:20 < krzee> why adding the z? 02:20 < banannaz> it looks cool 02:20 < krzee> and of course when you installed openvpn, we're talking about running openvpn as a service arent we... 
02:20 < banannaz> yes 02:21 < krzee> google should be able to help you from there, gnite 02:37 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn 02:50 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:52 -!- serAphim [n=serAphim@f051111215.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)] 02:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:57 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 110 (Connection timed out)] 03:27 -!- thedoc_ [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 03:50 -!- Traveler [n=traveler@82.108.46.35] has joined ##openvpn 03:50 -!- Traveler is now known as Guest10905 03:52 < Guest10905> ok so I have this strange problem in bridged mode. I'm setting 10.0.100.1 to 10.0.100.254 as the ifconfig pool to use for clients 03:53 < Guest10905> when I try to connect with a client (windows), it connects and gets 10.0.100.1, so far so good 03:53 < Guest10905> if I disconnect that client and reconnect, I see lots and lots of "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" in the server log 03:54 < Guest10905> the client do reconnect, but it gets 10.0.100.2 instead 03:54 < Guest10905> if I do that again, the client gets .3, etc. 03:54 < dazo> !logs 03:54 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
03:54 < Guest10905> I do have persist-{local,remote}-ip in the server config 03:54 < dazo> !configs 03:54 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:54 < dazo> Guest10905: ^^^ 04:05 < Guest10905> server log is here: http://pastebin.com/m2d48cb5d 04:05 < Guest10905> in a few minutes I'll paste the other information requested 04:05 < Guest10905> client disconnection is at 9:56:21 04:09 < Guest10905> this is server config: http://pastebin.com/m45fa3c65 04:10 < dazo> And what does the client log and config look like? 04:11 < Guest10905> doing that, just a sec 04:12 < Guest10905> http://pastebin.com/m746c6261 <-- client config 04:18 < Guest10905> http://pastebin.com/m6de2dab1 <- client log 04:18 < Guest10905> as I said, everythong does work, it's just that the client doesn't get the same IP address again 04:18 < Guest10905> and lots and lots of connection refused on the server 04:20 < dazo> I am wondering if you the persist-remote-ip should be on the client side, not server side 04:20 < dazo> have you tried that? 04:20 < Guest10905> I can try to add that to che client config if you want 04:20 < Guest10905> ok 04:21 < Guest10905> all the example I've seen have that in the server config though, but trying doesn't hurt 04:21 < dazo> and I would also consider to take it out of server config 04:22 < dazo> it's a lot of examples on the Internet for OpenVPN configs ..... and unfortunately, some of them use features wrong and/or are not working in all kind of environments ..... openvpn is so flexible, it's not just one solution which works ... 
04:24 < Guest10905> same, client gets .2 the second time 04:24 < Guest10905> (I've tried with persist-remote-ip in both configs, and in the client only) 04:25 < dazo> hmm 04:25 < Guest10905> If I enable a similar config in routed mode, everything is fine 04:25 < dazo> I see you are running quite old openvpn versions as well .... I don't remember all quirks which were bothering these old releases .... you should consider to jump up to rc19 04:26 < Guest10905> it's the stable version available on ubuntu 04:26 < Guest10905> unfortunately I cannot change that 04:26 < dazo> rc7 is not a stable release 04:26 < dazo> not anymore .... rc15 and and rc19 are recommended 04:26 < Guest10905> well, then they haven't maed it to ubuntu yet 04:26 < Guest10905> well, let me check, maybe this morning 04:26 < dazo> ubuntu is just lagging .... 04:27 < dazo> CentOS, RHEL and Fedora ships rc15 04:27 < Guest10905> yeah gentoo as well 04:27 < Guest10905> but as I said I cannot change this here 04:27 < dazo> compile from source? 04:27 < Guest10905> let me compare the config with the routed one, maybe there's something obvious 04:31 < Guest10905> apparently it's the duplicate-cn thing on the server 04:31 < Guest10905> I commented it out and now it works 04:31 < dazo> odd 04:32 < reiffert> parity 04:32 < dazo> heh 04:32 < Guest10905> the client gets .1, although I get a warning on the server "MULTI: new connection by client 'client.example.org' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect." 04:32 < Guest10905> but that's what I want after all 04:33 < Guest10905> apparently the previous session is kept somehow active by the server even if the client disconnects 04:33 < dazo> the prev. session is kept for a little while before the connection is completely closed .... 
this is to allow for packet loss on the connection 04:33 < Guest10905> how long is "a little while"? 04:34 < dazo> up to a minute or so, I believe 04:34 < Guest10905> I can wait more between reconnection if that's the issue 04:34 < Guest10905> ok 04:50 < Guest10905> yeah I've noticed that I see the same for tun 04:50 < Guest10905> it seems the server keeps the client session active even if the client disconnects 04:50 < Guest10905> the client is windows, it that matters 04:55 < dazo> I checked my log files on a server with regular connections .... avg. time between the "disconnect" and the "cleanup" is 57.5 sec 04:56 < Guest10905> ah that could be a hint, I don't recall seaing any cleanup message on the server log 04:56 < Guest10905> dazo: can you paste your server config? 04:57 < Guest10905> ah much better now 04:58 < Guest10905> I lowered the keepalive values and I see that the session is reset after 10 seconds 04:58 < Guest10905> and when the client reconnects I don't see the MULTI business as before 04:58 < Guest10905> I think that was it 04:59 < Guest10905> if you want to paste you config anyway, I can compare and see if I have any other obvious mistakes though 05:01 -!- akraemer_ [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has joined ##openvpn 05:15 -!- Guest10905 [n=traveler@82.108.46.35] has quit ["Java user signed off"] 05:17 -!- akraemer_ [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has quit [Read error: 104 (Connection reset by peer)] 05:18 -!- akraemer_ [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has joined ##openvpn 05:18 -!- akraemer [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has quit [Read error: 110 (Connection timed out)] --- Log opened Tue Aug 25 07:04:24 2009 07:04 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 07:04 -!- Irssi: ##openvpn: Total of 66 nicks [0 ops, 0 halfops, 0 voices, 66 normal] 07:04 -!- Irssi: Join to ##openvpn was synced in 8 secs 07:04 < ecrist> grr 07:05 < 
dazo> morning! 07:06 -!- sascha [n=tecchi@81.210.194.238] has quit [] 07:07 < ecrist> hi 07:07 < ecrist> I need a generator 07:07 < ecrist> :/ 07:08 < dazo> bad power? or just expensive electricity? 07:09 < ecrist> my part of town sees bad storms. 07:09 < ecrist> good power, generally, but it flashes out during heavy wind/rain sometimes. 07:09 < ecrist> I'd rather buy a motorcycle than a generator at this point, though 07:10 < dazo> heh 07:11 < ecrist> only about $4000 installed, and they're dual-fule (propane and/or natural gas) 07:11 < dazo> well, then you just need a generator without engine .... and when you need a working generator .... some MacGyver magic with the engine-less-generator and a motor cycle ... and voila, a working generator! :-P 07:14 < ecrist> lol 07:14 < ecrist> i also need my damn ip6 tunnel to start working 07:15 < dazo> uhmmm ... not a MacGyver task :( 07:16 < ecrist> no, my gif interface is up, I can ping ipv4 address of tunnel, but the tunnel is not passing traffic 07:20 < ecrist> rawr 07:22 -!- chantra [n=chantra@91.121.8.26] has joined ##openvpn 07:25 < chantra> hi all, what would be the best place to post a bugreport ? 07:25 < ecrist> the developer mailing list 07:25 < chantra> openvpn-devel Archives or openvpn-users Archives 07:25 < chantra> ecrist: cheers 07:26 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 07:27 -!- sera|work [n=wolf@p50997331.dip0.t-ipconnect.de] has quit ["Verlassend"] 07:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit] 07:43 < zu> Hi 07:47 < zu> with a tun configuration, on the server, can we route access to A.B.C.D through one of his clients ? 07:47 < zu> I tried multiple things, but none works... 
07:47 < ecrist> yes
07:47 < ecrist> !route
07:48 < ecrist> !iroute
07:48 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:48 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
07:49 < zu> aaaaah
07:49 < zu> thanx
07:49 < zu> !ccd
07:49 < vpnHelper> zu: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
07:49 < ecrist> no problem
08:17 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
08:17 < plaerzen> hello
08:19 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
08:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:32 < ecrist> heya plaerzen
08:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:47 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
08:47 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has joined ##openvpn
08:48 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Client Quit]
08:48 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
08:48 < plaerzen> ecrist, long time no irc. What's new these days ?
08:49 < reiffert> !factoids search news
08:49 < vpnHelper> reiffert: No keys matched that query.
08:56 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
09:03 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:08 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:10 < ecrist> lol
09:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
09:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
09:32 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:34 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:41 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
09:45 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has joined ##openvpn
09:47 -!- elventear [n=elventea@telsasoft-host81.dsl.visi.com] has quit [Client Quit]
09:53 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote closed the connection]
10:10 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection]
10:13 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
10:17 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
10:21 -!- bruceb [n=bruce@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
10:28 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:35 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:36 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
10:40 < plaerzen> I'm going to the Philippines for a month, so I don't think I will be on irc much. (hah)
10:44 -!- carpenike [n=ryan@c-98-218-119-237.hsd1.md.comcast.net] has joined ##openvpn
10:44 -!- akraemer_ [n=akraemer@HSI-KBW-091-089-113-133.hsi2.kabelbw.de] has quit ["Verlassend"]
10:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
10:45 < carpenike> Hi all, not sure where else to ask this question where there might be knowledgeable people, so sorry in advance... But anybody know of alternatives to the SSL Explorer application by 3SP Networks? It's a SSL Web Based VPN solution that was bought by Barracuda and now is no longer a software solution.
10:47 -!- BoomSie [n=gideon@dw77242112238.amsterdam-tc.dataweb.net] has quit ["Ex-Chat"]
10:51 < ecrist> OpenVPN has a similar product now.
10:51 < ecrist> openvpn.net
10:55 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
10:56 < carpenike> Really, i'll go have a look. Thanks!
10:57 < carpenike> Is that the Access Server?
10:59 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
11:09 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Success]
11:11 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 60 (Operation timed out)]
11:21 -!- bruceb [n=bruce@72.248.165.226] has joined ##openvpn
11:22 < ecrist> yes, access server
11:23 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:23 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
11:27 -!- demo| [i=demo@tanin.sixth.cz] has joined ##openvpn
11:32 < kn0x_> Can Access Server generate keys for Public Key auth?
11:32 -!- kn0x_ is now known as kn0x
11:33 -!- jeiworth [n=jeiworth@189.177.40.13] has quit [Read error: 60 (Operation timed out)]
11:33 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
11:40 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
11:45 < eliasp_> does anyone see a problem with this OpenVPN configuration? server: http://dpaste.com/85188/ client: http://dpaste.com/85189/
11:45 < eliasp_> the connection on this client is always interrupted and i see a lot of these lines in the log: Tue Aug 25 18:45:41 2009 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
11:46 < eliasp_> sometimes i'm able to send some packets... then the connection stalls again
11:46 < eliasp_> the strange thing: it works without any trouble with the same configuration on all other clients...
11:48 < eliasp_> also made sure the clock is in sync on all machines...
11:50 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has left ##openvpn []
12:27 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
12:34 -!- bauruine [n=bauruine@85.4.68.228] has joined ##openvpn
12:37 -!- BigJB_ is now known as bigjb
12:53 < NfNitLoop> eliasp_: Is that client behind a NAT?
12:54 < NfNitLoop> or some other firewall that only accepts packets for open connections?
12:54 < eliasp_> NfNitLoop: no, the affected client is a KVM VM running on a server in the same datacenter as the OpenVPN server... but in the same datacenter, the VMs running on the physical server which provides the OpenVPN server don't cause any trouble... all other external clients (notebooks, connected over the internet) work fine too
12:55 < eliasp_> there are 2 physical servers: base001.company.com and base002.company.com ... each runs 2 KVM VMs... they all use base001 as OpenVPN server...
12:56 < eliasp_> i've compared the routing-tables, firewall-settings (iptables through shorewall), openvpn configs, DNS-settings, .. they're all the same on both
12:56 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
12:56 < eliasp_> even changed the MAC address of the VM several times to make sure there isn't a MAC collision...
12:57 < NfNitLoop> Hmm. I don't know, then.
13:08 -!- bauruine [n=bauruine@85.4.68.228] has quit [Read error: 110 (Connection timed out)]
13:23 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
13:39 -!- hyper_ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has quit [Remote closed the connection]
13:41 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
13:45 < eliasp_> anyone else has an idea regarding the code=113 error?
13:45 -!- hyper_ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has joined ##openvpn
13:46 < ecrist> !113
13:46 < vpnHelper> ecrist: Error: "113" is not a valid command.
13:46 < ecrist> !factoids search 113
13:46 < vpnHelper> ecrist: No keys matched that query.
13:46 < ecrist> usually a firewall or routing issue, iirc
13:47 < eliasp_> ecrist: yes, what i thought first too... but routing table + firewall-config look identical on another machine (where everything is fine)
13:47 -!- bauruine [n=bauruine@88.80.25.148] has joined ##openvpn
13:47 < ecrist> something's different
13:48 < eliasp_> ecrist: i ran diff over: networking config files, shorewall config, output of 'ip r s', resolv.conf, openvpn config,... couldn't find a single difference (besides IP addresses)
13:49 < eliasp_> the strange thing: the problem only occurs "inside" of a VPN connection.. everything else works just fine
13:49 -!- hyper_ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has quit [Remote closed the connection]
13:51 -!- hyper_ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has joined ##openvpn
13:52 < eliasp_> btw: versions of iptables, openvpn, iproute2, kernel, ... all the same on all machines
13:53 < bauruine> i have problems with https while surfing over the vpn. someone said it's mtu related. i added http://pastebin.com/d33c54b32 to my client and server config but i still have the same problems
14:01 < eliasp_> hmm, just installed net-dns/bind-tools and the problems (EHOSTUNREACH code=113) didn't occur anymore so far? does OpenVPN depend on them in any way?
14:02 < hyper_ch> hi bauruine
14:02 < bauruine> sali hyper_ch :-)
14:03 < hyper_ch> bauruine: https works fine here
14:05 < bauruine> hyper_ch, i got "ssl_error_rx_record_too_long" on every page
14:05 < hyper_ch> bauruine: hmmm, I just tried with my bank and it works - used that howto for internet gateway that you showed me
14:06 < hyper_ch> bauruine: want my config?
14:07 < bauruine> hyper_ch, i have a really unusual setup
14:07 < hyper_ch> :(
14:07 < bauruine> don't think they will work
14:08 < bauruine> http://ubuntu-pics.de/bild/22892/diagram1_DxzOpw.png maybe it's a problem with the tap device
14:09 < hyper_ch> prq ^^
14:09 < bauruine> :-)
14:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:09 < hyper_ch> Baldur.... yggdrasil.... hmmmm
14:10 < hyper_ch> how about breaking it down?
14:10 < hyper_ch> first make the vpn connection to yggdrasil and turn it into an internet gateway and check if https works then
14:10 < hyper_ch> if it does, add Baldu
14:10 < hyper_ch> and then finally the prq one
14:11 < hyper_ch> and why is AvP2 crashing my xserver :(
14:16 < bauruine> hyper_ch, i will try that.
14:16 < hyper_ch> good luck
14:18 < bauruine> thank you (off for testing)
14:18 -!- bauruine [n=bauruine@88.80.25.148] has quit ["Verlassend"]
14:22 -!- bigjb [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
14:25 -!- jeiworth [n=jeiworth@189.177.40.13] has quit ["No Ping reply in 90 seconds."]
14:26 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
14:29 < banannaz> is there a way to force windows to connect through openvpn only from startup onward?
14:34 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out]
14:37 < eliasp_> hmm, the error=113 problem is only gone on one of the boxes... i've added 'verb 5' to the OpenVPN config there.... seeing a lot of 'rwrRrWrRw' since then in the log, but not the code=113 error.. it seems it wasn't bind-tools related... installing them didn't help on the 2nd box...
14:39 < eliasp_> ah, and i've removed a 2nd "remote" line to the config.. maybe this has caused it... strange
14:39 < eliasp_> s/to/from/g
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 < eliasp_> is there a way to make OpenVPN display the hostname related to this message: Tue Aug 25 21:45:35 2009 us=489080 read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
14:46 < eliasp_> doing a manual "nslookup base001.company.com" works just fine...
14:46 < eliasp_> oh, now it doesn't... strange
14:46 < eliasp_> hmm..
14:46 < eliasp_> at least a point where i can start debugging
14:49 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
15:01 -!- BoomSie_ [n=gideon@84-245-27-118.dsl.cambrium.nl] has joined ##openvpn
15:05 -!- BoomSie [n=gideon@84-245-27-118.dsl.cambrium.nl] has quit [Read error: 110 (Connection timed out)]
15:05 -!- jeiworth [n=jeiworth@189.177.40.13] has quit ["No Ping reply in 90 seconds."]
15:06 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
15:13 -!- banannaz [i=tyrky3@ssh.sign.io] has left ##openvpn []
15:27 -!- zeal [i=zeal@puffy.csbnet.se] has joined ##openvpn
15:27 < zeal> Hi, using windows 2008, says it can't find tap device
15:28 < zeal> openvpn --show-adapters gives nothing, although there is a TAP-win32 in the device manager
15:40 -!- XapoH is now known as XapoH[away]
15:45 -!- stinker [i=tyrky3@ssh.sign.io] has joined ##openvpn
15:47 < stinker> could anyone please tell me how to stop windows from making any connections but through the vpn, period? even during startup?
15:52 < stinker> HELLO
15:53 < NfNitLoop> boot into linux.
15:53 < NfNitLoop> ;)
15:54 < NfNitLoop> but seriously, I'm not sure how possible that is.
15:54 < NfNitLoop> you'll want Windows to at least make DHCP requests to configure the actual network connection over which you'll send your VPN traffic, no?
15:56 < stinker> NfNitLoop: i just don't want windows to make any connections to any servers that log those connections
15:58 < stinker> can i make the dhcp requests with one computer and then connect only to the vpn with another?
15:59 < NfNitLoop> what are you trying to do? stealthily use someone else's network?
16:00 < NfNitLoop> in theory, yes, you can avoid DHCP requests, if you manually configure your networking. But you're still going to be sending packets, and those packets can still be logged by anyone between you and your end point.
16:00 < NfNitLoop> (unlikely as it may be.)
16:02 < stinker> NfNitLoop: could you tell me more about manually configuring my network?
16:05 < NfNitLoop> I could, if I knew what you were trying to accomplish.
16:05 < NfNitLoop> Why are you so worried about Windows making connections when it starts up?
16:06 < stinker> can you please just tell me about manually configuring the network?
16:06 < zeal> maybe u can put a cheapo nat (broadband router) in between
16:07 < stinker> zeal what for?
16:08 < zeal> if you don't want ur arp, dhcp etc to enter the network
16:08 < zeal> u can put a firewall in the router and only allow the openvpn port
16:09 < stinker> these are .ovpn packages
16:10 < zeal> don't understand what u are trying to do
16:11 < stinker> start ovpn when windows starts up, and prevent windows from making any connections except through the vpn.
16:13 < stinker> at all
16:13 < stinker> from the moment it's turned on
16:15 < zeal> hmm, that should be a firewall issue I think
16:15 < zeal> because all openvpn will go through the openvpn port, then u can disable all other ports except vpn
16:16 < zeal> there might be some hardcore ways to config it though
16:17 < stinker> can I do it with a windows firewall instead of a router firewall?
16:17 < NfNitLoop> what sort of network are you connecting to?
16:17 < NfNitLoop> do you control net network?
16:17 < zeal> prolly, I'm not an expert on windows firewall, otherwise there should be some nice free software firewalls with more features maybe
16:17 < NfNitLoop> "net network" -> "the network".
16:20 < stinker> zeal: and what would I need to do in order to accomplish this?
16:20 < zeal> block all ports except the port u use for openvpn
16:20 < stinker> NfNitLoop: at the end of the vpn?
16:20 < zeal> both in and out
16:22 < stinker> zeal: the .ovpn packages already do this
16:23 < stinker> zeal: I just want it to start up with windows and prevent any beginning connections from not going through the vpn.
16:25 < NfNitLoop> maybe try #windows. ;)
16:26 -!- lkmkld [n=lkmkld@196.3.182.250] has joined ##openvpn
16:27 < stinker> they're not going to know
16:27 < lkmkld> krzee
16:28 < stinker> because i have to login to the vpn as well and i don't know how to do that automatically
16:29 -!- bruceb [n=bruce@72.248.165.226] has quit [Read error: 145 (Connection timed out)]
16:29 < lkmkld> huh?
16:34 < stinker> please could someone please answer my question
16:45 -!- bruceb [n=bruce@gw.msmnyc.edu] has joined ##openvpn
16:45 -!- jeiworth [n=jeiworth@189.177.40.13] has quit ["No Ping reply in 90 seconds."]
16:46 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
16:56 -!- lkmkld [n=lkmkld@196.3.182.250] has left ##openvpn ["Leaving"]
17:00 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"]
17:02 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
17:09 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:24 -!- bruceb [n=bruce@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
17:24 -!- bruceb [n=bruce@160.39.238.196] has joined ##openvpn
17:27 -!- demo| [i=demo@tanin.sixth.cz] has quit [Read error: 110 (Connection timed out)]
17:29 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
17:29 -!- demo| [i=demo@tanin.sixth.cz] has joined ##openvpn
17:44 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit ["Leaving"]
18:03 -!- jeiworth [n=jeiworth@189.177.40.13] has quit [Read error: 60 (Operation timed out)]
18:25 -!- BoomSie_ [n=gideon@84-245-27-118.dsl.cambrium.nl] has quit ["Ex-Chat"]
18:30 -!- protocols [n=protocol@ip-88-153-199-22.unitymediagroup.de] has joined ##openvpn
20:20 -!- stinker [i=tyrky3@ssh.sign.io] has quit ["Lost terminal"]
20:39 -!- demo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
20:40 -!- demo| [i=demo@tanin.sixth.cz] has quit [Read error: 60 (Operation timed out)]
20:43 -!- agliodbs [n=agliodbs@204.9.180.30] has joined ##openvpn
21:15 -!- master_of_master [i=master_o@p549D4143.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D4060.dip.t-dialin.net] has joined ##openvpn
21:21 -!- fahadsadah [n=fahad@wikipedia/fahadsadah] has quit [Read error: 145 (Connection timed out)]
21:24 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:24 < Dougy> f what did i come on here for
21:39 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:42 -!- rawDawg2 [n=rawDawg@76.188.26.242] has joined ##openvpn
21:50 -!- agliodbs [n=agliodbs@204.9.180.30] has quit []
21:56 -!- agliodbs [n=agliodbs@204.9.180.30] has joined ##openvpn
21:57 -!- agliodbs [n=agliodbs@204.9.180.30] has quit [Client Quit]
21:58 -!- rawDawg2 [n=rawDawg@76.188.26.242] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
22:00 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
22:17 -!- deblike [n=xchat@62.68.142.2] has joined ##openvpn
22:23 -!- agliodbs [n=agliodbs@204.9.180.30] has joined ##openvpn
22:27 -!- carpenike [n=ryan@c-98-218-119-237.hsd1.md.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:30 -!- agliodbs [n=agliodbs@204.9.180.30] has quit []
22:33 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:37 -!- fkr [i=fkr@news.bytemine.net] has quit [Remote closed the connection]
22:37 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
22:40 -!- agliodbs [n=agliodbs@204.9.180.30] has joined ##openvpn
22:44 -!- agliodbs [n=agliodbs@204.9.180.30] has quit [Client Quit]
22:48 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
23:01 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
23:03 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
23:05 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit [Client Quit]
23:20 -!- deblike [n=xchat@62.68.142.2] has quit [Read error: 110 (Connection timed out)]
23:20 -!- deblike [n=xchat@62.68.142.2] has joined ##openvpn
23:22 -!- agliodbs [n=agliodbs@204.9.180.30] has joined ##openvpn
23:23 -!- agliodbs [n=agliodbs@204.9.180.30] has quit [Client Quit]
23:39 -!- hyper__ch [n=hyper@adsl-62-167-53-241.adslplus.ch] has joined ##openvpn
23:39 -!- hyper_ch [n=hyper@adsl-84-227-43-183.adslplus.ch] has quit [Nick collision from services.]
23:39 -!- hyper__ch is now known as hyper_ch
--- Day changed Wed Aug 26 2009
00:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:02 -!- mirco [n=mirco@p54B23B7B.dip.t-dialin.net] has joined ##openvpn
01:09 -!- mirco [n=mirco@p54B23B7B.dip.t-dialin.net] has quit []
01:29 -!- XapoH[away] is now known as XapoH
01:39 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:53 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:53 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:10 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
02:10 -!- mirco_ is now known as mirco
02:17 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
02:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:42 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
02:46 -!- davalex [i=davalex@207.192.70.56] has quit [Remote closed the connection]
02:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:15 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:24 < chantra> hi,
03:24 < chantra> I have been trying to send email to openvpn-devel a few times, to no avail :s
03:25 < chantra> first time through gmane, yesterday directly from SF mailing list
03:26 < chantra> should I expect a confirmation email (like I always received with mailman), is it a human accepting new subscribers (thus I should maybe wait some more days )
03:39 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
03:55 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: qknight, Gumbler, robotti^, IcyPolecat, _markus_, plaerzen
03:55 -!- robotti^_ [i=robotti@kapsi.fi] has joined ##openvpn
03:55 -!- qknight_ [n=joachim@serverkommune.de] has joined ##openvpn
03:55 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
03:55 -!- Netsplit over, joins: IcyPolecat
03:55 -!- Netsplit over, joins: plaerzen
03:55 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn
03:55 -!- Gumbler_ is now known as Gumbler
04:07 < reiffert> chantra: you have to register before sending your 1st email
04:08 < chantra> reiffert: cheers, I did... but never received the confirmation email
04:09 < chantra> reiffert: is anybody on this chan able to check the mail logs?
04:10 < reiffert> you will get a confirmation email, yup.
04:10 < chantra> well, it is SF hosted, so I guess only mailman admin might be able to see something
04:10 < chantra> reiffert: I did not get the confirmation email in the next 20 hours ish
04:11 < chantra> so I am wondering if it is a human that needs to accept to send the conf email
04:11 < reiffert> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
04:11 < vpnHelper> Title: Openvpn-devel Info Page (at lists.sourceforge.net)
04:12 < reiffert> chantra: you should get them immediately ..
04:12 < chantra> reiffert: ok, so something went wrong
04:12 < chantra> let's try again
04:14 < chantra> hum, might have been a user error :)
04:19 < chantra> man, my bad.... email was received, but my mail client might have a filter rule that put it i don't know where :s
04:20 < chantra> \o/
04:20 < chantra> i had a generic sourceforge.net rule..... that I never look into :)
04:27 -!- mirco__ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
04:40 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out]
04:40 -!- mirco__ is now known as mirco
04:42 < reiffert> <:)
05:33 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
05:34 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
05:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- XapoH [n=X@78.108.77.14] has left ##openvpn []
06:01 -!- deblike [n=xchat@62.68.142.2] has quit [Client Quit]
06:08 -!- luc^ [n=luc@wall.ic-energo.cz] has joined ##openvpn
06:11 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:28 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
06:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:38 -!- brizly1 [n=brizly_v@p4FC99B19.dip0.t-ipconnect.de] has joined ##openvpn
06:50 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
06:53 -!- brizly [n=brizly_v@p4FC9991B.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:04 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:09 -!- melvin [n=melvin@port-87-193-219-24.static.qsc.de] has joined ##openvpn
07:09 < ecrist> good morning
07:09 < melvin> Hi. my Tap-Tunnel works with bridge. but i can't find out how to get the client to use a dhcp request.
07:10 < melvin> i can start dhclient tap0 on client after openvpn start. but how can i automate it?
07:10 < ecrist> you can script it.
07:10 < ecrist> up-script
07:10 < ecrist> !man
07:10 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:10 < melvin> can or must?
07:11 < melvin> and on windows?
07:11 < ecrist> Windows has some scripting capabilities
07:11 < melvin> i tried network-manager on gnome too. is there also a script needed?
07:11 < ecrist> modern versions of windows actually have some pretty nice scripting abilities.
07:11 < ecrist> !network-manager
07:11 < vpnHelper> ecrist: Error: "network-manager" is not a valid command.
07:11 < ecrist> !ubuntu
07:11 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
07:12 < melvin> am i right with this: if i want dhcp automatically on client i have to use the "push"
07:13 < melvin> no easy way to use an external dhcp server?
07:14 < ecrist> melvin: people do it all the time. not sure what the normal thing to do is, but nobody's complained about it being that difficult.
07:14 < ecrist> enable dhcp on the tap interface and you should be fine.
07:15 < ecrist> (when OpenVPN connected, the Tap interface will show a link, and start looking for a DHCP server)
07:15 < melvin> ok. how do i enable it on tap?
07:15 < ecrist> in windows?
07:15 < ecrist> go to the network device list and enable it, same as any other adapter
07:15 < melvin> i only try linux by now. but later for windows
07:16 < ecrist> you'll need to run dhclient on the interface in question, which probably means a script
07:16 < melvin> on windows the tap device uses dhclient automatically on connecting?
07:16 < melvin> and only on linux i need something like "up dhclient tap0"?
07:16 < ecrist> on FreeBSD, I'd just do: echo 'ifconfig_tap0="DHCP"' >> /etc/rc.conf
07:17 < ecrist> not sure what you do in Linux
07:17 < melvin> the tap device is created on starting openvpn
07:17 < ecrist> create it beforehand
07:17 < melvin> i have no ifconfig settings
07:17 < ecrist> so script it and be done with it
07:17 < ecrist> this is not #linux_101
07:18 < melvin> ok. i only want to know if there is a better way to do this. thx a lot
07:21 -!- luc^ [n=luc@wall.ic-energo.cz] has quit ["Leaving."]
08:29 < dazo> huh!?!? http://sourceforge.net/project/stats/detail.php?group_id=236344&ugn=eurephia&type=prdownload&mode=60day&file_id=1672796 .... what happened around aug 11?
08:29 < vpnHelper> Title: SourceForge.net: Project Statistics for eurephia (at sourceforge.net)
08:30 < ecrist> no idea
08:30 -!- bruceb [n=bruce@160.39.238.196] has quit [Client Quit]
08:30 < ecrist> too bad they don't show referrers
08:30 < ecrist> SF is the devil
08:30 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
08:31 < dazo> just surprised that my patched openvpn version suddenly gained so much interest ... and it is only the rc19 .... the only file which suddenly gained popularity
08:31 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:31 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Client Quit]
08:31 < ecrist> could one person have downloaded it multiple times?
08:31 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
08:31 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
08:32 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Client Quit]
08:32 < reiffert> dazo: hmm?
08:33 < dazo> ecrist: hmmm .... I'm checking up now ..... sounds strange that one user wants to download one package >10 times a day for over 2 weeks and still going strong ...
08:56 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
09:03 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
09:04 -!- kyrix [n=ashley@91-115-31-91.adsl.highway.telekom.at] has joined ##openvpn
09:11 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
09:13 < Deffie> hi all, i installed openvpn, it is up and running with tap devices, the server runs on a linux router and on the same machine there are some folders shared with samba, i'm able to reach hosts on the internet and on the real company LAN, i'm also able to browse shares on the vpn server on the lan host but not on its internet host, is this normal or is there some error ?
09:15 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
09:17 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
09:20 < dazo> Deffie: could sound like firewalling issues
09:21 < melvin> any chance to bind openvpn to a vlan interface like tap0.6?
09:28 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
09:33 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:33 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Client Quit]
09:33 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:40 -!- jeiworth [n=jeiworth@189.177.40.13] has quit [Read error: 60 (Operation timed out)]
09:42 -!- c64zottel [n=hans@p5B17AD74.dip0.t-ipconnect.de] has joined ##openvpn
09:42 -!- c64zottel [n=hans@p5B17AD74.dip0.t-ipconnect.de] has left ##openvpn []
09:49 -!- demo| [n=demo@bzq-79-180-126-118.red.bezeqint.net] has joined ##openvpn
09:54 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
10:01 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit [Read error: 60 (Operation timed out)]
10:03 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
10:09 -!- jeiworth [n=jeiworth@189.177.121.42] has joined ##openvpn
10:09 -!- demo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Read error: 110 (Connection timed out)]
10:09 -!- demo [i=demo@tanin.sixth.cz] has joined ##openvpn
10:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
10:21 -!- demo| [n=demo@bzq-79-180-126-118.red.bezeqint.net] has quit [Read error: 113 (No route to host)]
10:23 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:51 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
11:02 < dazo> melvin: there's no vlan support in openvpn .... some people are working on it, but nothing is public yet
11:08 -!- mirco [n=mirco@89.244.144.143] has joined ##openvpn
11:21 -!- kyrix [n=ashley@91-115-31-91.adsl.highway.telekom.at] has quit ["Leaving"]
11:31 -!- mirco [n=mirco@89.244.144.143] has quit []
11:34 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
11:50 < ElectricBill> dazo, so if I try to send .q packets over layer 2 thru an openvpn connection, what happens? They won't be relayed to a remote LAN bridged to an openvpn tap interface?
11:50 < dazo> ElectricBill: Good question .... probably it will not be tagged at all when leaving the tunnel
11:51 < ElectricBill> reason I ask is I thought I had done it and it worked. But I'm not really sure. I'll have to be cautious.
11:51 < dazo> ElectricBill: well, if you do bridging on each side .... it might be that it will go through correctly .... but using routing, it will not work
11:51 < ElectricBill> Right. Makes sense.
11:52 < ElectricBill> So long as it doesn't mangle the ether packets.
11:52 < dazo> I only presume here ... I might be very wrong .... and I have no problems being corrected when being wrong :)
11:52 < dazo> ElectricBill: exactly, that's my hypothesis
11:52 < ElectricBill> Everything I know is wrong. I learned that long ago.
11:52 < ElectricBill> I think.
11:53 < dazo> heh
11:54 -!- hyper_ch [n=hyper@adsl-62-167-53-241.adslplus.ch] has quit [Remote closed the connection]
11:56 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
11:59 < ecrist> why the hell does my boss need a network admin to add his GPG keys for him?
12:02 < ElectricBill> Because there was a guy available in the men's room to hand him a towel last night.
12:03 < ElectricBill> ...so you should put a tip jar on your desk.
12:06 < ecrist> I don't have a desk.
12:06 < ecrist> not good enough for that.
12:06 < ecrist> I work on a corner of the conference room table, when it's not in use.
12:06 < ElectricBill> Well, you can still have a jar...
12:06 < ecrist> otherwise I grab an available surface.
12:07 -!- hyper_ch [n=hyper@adsl-62-167-53-241.adslplus.ch] has joined ##openvpn
12:08 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
12:09 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has joined ##openvpn
12:10 < ativan_> I setup OpenVPN on a FreeBSD box, previously had it working fine on a Linux box, anyway, I can connect to OpenVPN fine and transit packets, however I get nothing back. A tcpdump shows requests being sent to DNS servers, but none being received... any suggestions?
12:10 < ecrist> firewall
12:10 < ecrist> !freebsd
12:10 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
12:10 < ecrist> !ssl-admin
12:10 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:10 < ativan_> ipfw is set to open
12:11 < ecrist> just an FYI on those last two
12:11 < ecrist> pfctl -d
12:11 < ecrist> ipfw add 1 allow all from any to any
12:11 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
12:11 < ativan_> already there =)
12:11 < ativan_> ip forwarding is also enabled
12:11 < ativan_> ipdivert compiled into kernel
12:12 < ativan_> gateway on
12:12 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
12:12 < ecrist> If you're using a recent version, it should be in GENERIC
12:12 < ecrist> the freebsd is a client or server?
12:12 < ativan_> server
12:13 < ativan_> client is XP, it worked fine with the Linux openvpn
12:13 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
12:13 -!- unix3 [n=unix3@190.10.68.228] has quit [Connection reset by peer]
12:13 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
12:13 < ecrist> it's the same openvpn, just guessing you're missing some bits
12:13 < ecrist> !all
12:13 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
12:13 -!- demo [i=demo@tanin.sixth.cz] has quit [Read error: 104 (Connection reset by peer)]
12:17 < ativan_> k, brb
12:21 < ativan_> http://pastebin.ca/1543546
12:21 < ativan_> all the configs, ipfw and server log
12:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:38 < ecrist> ativan_: when the XP client connects to the FreeBSD server, can they ping each other across the VPN?
12:39 < ativan_> yep
12:39 < ativan_> that's why i'm so confused =(
12:41 < ecrist> so, what's not working is VPN Client -> Internet
12:41 < ecrist> right?
12:41 < ativan_> yep
12:41 < ecrist> do you have reverse routes for the VPN subnet on the server LAN?
12:41 < ativan_> (right) ;p
12:42 < ativan_> hrm, i'm not sure.
12:42 < ativan_> brb
12:56 < ativan_> i'm not sure how to set up the reverse routes :/
12:56 < ativan_> oh oops, 1sec
12:58 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
13:04 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
13:09 -!- epiphany_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has joined ##openvpn
13:11 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
13:11 -!- epiphany_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
13:12 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has joined ##openvpn
13:46 -!- demo [n=demo@bzq-79-180-126-118.red.bezeqint.net] has joined ##openvpn
14:05 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Read error: 110 (Connection timed out)]
14:05 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
14:22 -!- demo [n=demo@bzq-79-180-126-118.red.bezeqint.net] has quit [Read error: 113 (No route to host)]
14:40 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:02 -!- ElectricBill [n=bill@smtpv2.cosi.net] has quit ["Leaving"]
15:11 -!- demo [n=demo@bzq-79-180-126-118.red.bezeqint.net] has joined ##openvpn
15:20 -!- jeiworth [n=jeiworth@189.177.121.42] has quit [Read error: 110 (Connection timed out)]
15:22 -!- notdemo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
15:22 -!- notdemo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Client Quit]
15:22 -!- notdemo [i=demo@tanin.sixth.cz] has joined ##openvpn
15:26 -!- notdemo [i=demo@tanin.sixth.cz] has quit [Client Quit]
15:26 -!- notdemo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has joined ##openvpn
15:28 -!- jeiworth [n=jeiworth@189.177.40.13] has joined ##openvpn
15:29 -!- demo| [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit [Read error: 110 (Connection timed out)]
15:29 -!- demo [n=demo@bzq-79-180-126-118.red.bezeqint.net] has quit [Read error: 148 (No route to host)]
15:34 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: Serideru, disco-, code-, fkr, ThoMe, |Mike|, MadTBone
15:35 -!- Netsplit over, joins: ThoMe, disco-, Serideru, MadTBone, fkr, |Mike|, code-
15:42 -!- ativan_ [n=epiphany@CPE00222d1dada1-CM00222d1dad9d.cpe.net.cable.rogers.com] has quit []
15:51 -!- notdemo [n=demo@bzq-84-108-222-192.cablep.bezeqint.net] has quit []
15:59 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
16:54 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has left ##openvpn []
16:55 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"]
17:17 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
17:19 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
17:56 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
18:01 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)]
18:25 -!- jeiworth [n=jeiworth@189.177.40.13] has quit [Read error: 110 (Connection timed out)]
18:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
18:52 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
19:31 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
20:11 -!- melvin_ [n=melvin@port-87-193-219-24.static.qsc.de] has joined ##openvpn
20:19 -!- melvin [n=melvin@port-87-193-219-24.static.qsc.de] has quit [Read error: 110 (Connection timed out)]
20:24 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has quit []
21:11 -!- master_of_master [i=master_o@p549D4060.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D3B74.dip.t-dialin.net] has joined ##openvpn
21:44 -!- habanot2 [n=TMD@dyn-152-051.wilf.wireless.yu.edu] has joined ##openvpn
21:44 < habanot2> hey
21:45 < habanot2> i'm somewhat of a beginner, is it difficult to install openvpn oneself
21:45 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
21:46 -!- CamargoBP-Mobile [n=CamargoB@orem.jiveip.net] has joined ##openvpn
21:48 -!- CamargoBP-Mobile [n=CamargoB@orem.jiveip.net] has quit [Client Quit]
21:49 -!- CamargoBP-Mobile [n=CamargoB@orem.jiveip.net] has joined ##openvpn
22:14 -!- habanot2 [n=TMD@dyn-152-051.wilf.wireless.yu.edu] has quit ["-= TMD-RecruitServer 5.1=-"]
23:00 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
23:08 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has joined ##openvpn
23:10 < admin0> hi .. i got one lan card and one openvpn adapter .. after openvpn connects (in my windows), i want computers on my network also use the openvpn .. but since i just have 1 network card, what can I do to ensure that from that same LAN, i am able to connect to my ISP and again have my network be secured using openvpn
23:13 < admin0> i cannot remove the isp's ip address from the lan card .. when i bridge lan and openvpn adapter, openvpn does not connect at all.
23:39 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
23:39 < lkthomas> guys
23:39 < lkthomas> anyone still alive ?
23:41 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
23:41 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
23:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:54 -!- bret [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
23:56 -!- bret [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit [Remote closed the connection]
23:57 -!- bret [n=CamargoB@orem.jiveip.net] has joined ##openvpn
23:57 -!- CamargoBP-Mobile [n=CamargoB@orem.jiveip.net] has quit [Read error: 54 (Connection reset by peer)]
--- Day changed Thu Aug 27 2009
00:03 -!- jeiworth [n=jeiworth@189.163.134.102] has quit ["No Ping reply in 90 seconds."]
00:05 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
00:29 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
00:30 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
00:33 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
00:34 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Broken pipe]
01:07 -!- jeiworth [n=jeiworth@189.163.134.102] has quit ["No Ping reply in 90 seconds."]
01:08 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
01:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:32 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
01:38 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:57 -!- Sargun [n=Sargun@atarack/Staff/Sargun] has joined ##openvpn
02:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:09 < reiffert> moin
02:24 < kleind> morning.
02:24 < kleind> so I have an openvpn installed and configured, almost looks good. what I am puzzled with right now is the following: I have a firewall system between the vpn server and the internal network which is told to just route the specific traffic. among its standard-rules, there's one that shall drop tcp packets with state INVALID. When my vpn client tries to connect (ssh) to one machine on my network, the session never gets started since all reply packet
02:24 < kleind> s are apparently invalid. from other networks (also through that firewall) everything works great. Any ideas what I might be facing here?
02:24 < kleind> "one" is not to say just one specific, i should have said "any"
02:25 < kleind> icmp works perfectly btw
02:27 -!- adm1n0 [n=admin0@bb121-6-1-187.singnet.com.sg] has joined ##openvpn
02:29 -!- admin__ [n=admin0@bb121-6-1-187.singnet.com.sg] has joined ##openvpn
02:29 -!- admin__ [n=admin0@bb121-6-1-187.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
02:35 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
02:40 < Sargun> I'm getting extremely poor performance with OVPN, I realize this is unspecific as hell, but any ideas?
02:40 < Sargun> it's not a CPU problem
02:42 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:43 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:45 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has quit [No route to host]
02:47 -!- adm1n0 [n=admin0@bb121-6-1-187.singnet.com.sg] has quit [Read error: 113 (No route to host)]
02:52 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has joined ##openvpn
02:53 < admin0> hi guys .. i just have one nic card(windows) , and want to use this card to bridge/route/nat other systems in my local network .. is it possible ?
02:58 < reiffert> who is it telling rumors that a "one nic card" is a special situation?
03:06 < admin0> so its possible ?
03:06 < admin0> or not possible ?
03:08 < admin0> is it possible for the same nic card to connect to my isp using a fixed ip address, as well as behave as a router/nat/gateway for my local network ? right now I have 2 static ips in the nic card, one for isp one for the local net .
03:13 < |Mike|> sure
03:13 < |Mike|> !howto
03:13 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:15 < lkthomas> guys, what encryption is fastest ?
03:16 < |Mike|> the lowest, doh.
03:18 < lkthomas> yes, but which one
03:18 < reiffert> the none compression
03:18 < lkthomas> compression != encryption
03:18 < reiffert> you got me.
03:19 < reiffert> the none encryption.
03:19 < reiffert> feeling better?
03:20 < lkthomas> one more thing, how come windowsxp tun interface only got 10Mbit ?
03:36 < Deffie> hi all, i have the vpn server host which has multiple ip addresses, i began using one of these IPs as the vpn server but i noticed that other services on the same ip were needed from the clients and they were accessed off-vpn, so i decided to change ip of the vpn server, i changed it only on the client since the server is listening on ANY, the problem is that after some handshaking till TLS it stops and goes timeout
03:37 < |Mike|> lkthomas: no idea, there must be some setting in the menu ? (i'm not a win user)
03:40 < Deffie> from tcpdump i can see some handshaking and after that incoming packets without reply (on the server)
03:40 < |Mike|> hmz, i'm not sure if you can link openvpn to multiple ip's tho
03:42 -!- dazo [n=dazo@62.40.79.66] has quit [Remote closed the connection]
03:43 -!- dazo [n=dazo@nat/redhat/x-kdfveslahhogndkh] has joined ##openvpn
03:43 -!- jeiworth [n=jeiworth@189.163.134.102] has quit ["No Ping reply in 90 seconds."]
03:44 < Deffie> actually i have only a client from one ip
03:44 < Deffie> ip where to listen isn't specified in server.conf
03:44 < Deffie> i see it listening on every ip
03:45 < |Mike|> yes, but you can't connect on another ip, right?
03:45 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
03:46 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 110 (Connection timed out)]
03:47 < Deffie> hm, you were somewhat right :P
03:48 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
03:51 < Deffie> specifying a single ip address where to listen it works
04:01 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
04:14 -!- Guest18253 [n=fredrik@nat-01.core.rbnet.no] has joined ##openvpn
04:20 < Guest18253> It seems like OpenVPN doesn't support multiple simultaneous groups (so different users can connect getting different dhcp pools). Or am I wrong?
04:20 -!- Guest18253 is now known as Jupiter
04:20 -!- Jupiter is now known as Guest21204
04:22 -!- Guest21204 is now known as jupiter
04:22 -!- jupiter is now known as Jupiter82
04:22 < Jupiter82> damn nickserv :P
04:23 < |Mike|> ...
04:26 < Jupiter82> nevermind. Just needed to register =) ...Are there any other ways to give users different subnets/dhcp pools?
04:31 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has joined ##openvpn
04:35 < dazo> Jupiter82: --client-config-dir (aka ccd) ... that's the option for such things .... what are you trying to achieve?
04:37 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:38 < |Mike|> !ccd
04:38 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
04:49 < Jupiter82> dazo: You can add different groups in Openvpn, but only one can be active
04:49 < Jupiter82> In Cisco, you have Group Authentication and you can have different groups giving users different dhcp pools
04:49 -!- bret [n=CamargoB@orem.jiveip.net] has quit [Read error: 113 (No route to host)]
04:49 < dazo> Jupiter82: then you might need to have a look at --duplicate-cn
04:50 < dazo> Jupiter82: I understand that you want to assign different DHCP pools ... but what do you solve with that?
04:51 < dazo> Jupiter82: maybe there's another solution in OpenVPN which solves the same challenge, but in a different way
04:53 < Jupiter82> let's say I have two users. Both of them can reach 192.168.0/24 but only one can be able to reach 192.190.23.21
04:57 < Jupiter82> so the only solution i've found so far is to install lots of openvpn's on different ports. but that's kinda hassle
05:31 < Bushmills> Jupiter82: iptables -A INPUT -s ip.of.user1 -d 192.168.0/24 -j ACCEPT (INPUT table policy of DENY or DROP assumed)
05:32 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
05:32 < Bushmills> ehm, -d 192.190.23.21
05:37 < Jupiter82> that's lots of work with hundreds of users :(
05:37 < Bushmills> script it.
05:38 < Bushmills> loop through a list, which lists ip address and allowed destination
05:38 < Bushmills> or have a list of users which are allowed to access 192.190.23.21, loop through that one
05:40 < Bushmills> (there's IIRC also a multiple sources / multiple destination module for iptables, but I forgot its name)
05:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:45 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
05:45 < Jupiter82> how can I give the users correct IP's since only one dhcp pool is available ?
05:46 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
05:46 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has left ##openvpn []
05:47 < Bushmills> !ccd
05:47 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
06:22 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
06:38 -!- brizly1 [n=brizly_v@p4FC99B19.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:39 -!- brizly [n=brizly_v@p4FC9963F.dip0.t-ipconnect.de] has joined ##openvpn
06:43 < ecrist> good morning
07:04 < dazo> morning
07:04 < dazo> Jupiter82: have a look at http://www.eurephia.net/ .... it provides more authentication as well, but access control as you describe it also handles ....
07:04 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
07:05 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
07:05 < Sp4rKy> heya
07:05 < Sp4rKy> how could I ask openvpn not to check source address ?
07:06 < Sp4rKy> to avoid message like "xxx::48536 MULTI: bad source address from client [y.y.y.y], packet dropped"
07:06 < Sp4rKy> (I have a redundant installation providing vm, so there are many entry points)
07:07 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Remote closed the connection]
07:07 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
07:11 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
07:12 < ecrist> I've considered writing an access server for OpenVPN that would be open-sourced.
07:12 < ecrist> unfortunately, I suck at coding.
07:18 < cpm> yeah, that'll take the skip outta yer step
07:27 < Sp4rKy> Aug 27 14:05:43 openvpn ovpn-server[3508]: maxence/62.160.40.62:48644 MULTI: Learn: 10.10.1.2 -> z2-3/87.98.243.39:53448
07:27 < Sp4rKy> Aug 27 14:05:43 openvpn ovpn-server[3508]: z2-2/87.98.243.123:48536 MULTI: bad source address from client [10.10.1.2], packet dropped
07:27 < Sp4rKy> how can I avoid that ?
07:27 < Sp4rKy> (z2-2 and z2-3 provide 10.10.1.0/24 through iroute)
07:28 < ecrist> well, I could do the PHP front-end for one, and could probably code the backend in perl, but the graphic design of the frontend is not my forte.
07:28 < Sp4rKy> (so the request can come to z2-3 and leave using z2-2, how can I ask openvpn not to check that ?)
07:34 < |Mike|> !all
07:34 < vpnHelper> |Mike|: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
07:37 < Sp4rKy> it will be complicated :)
07:37 < Sp4rKy> I have 3 nodes interconnected in a mesh, using ospf in internal
07:38 < Sp4rKy> each of these 3 nodes is connected to another vpn :)
07:40 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection]
07:41 < dazo> ecrist: want to elaborate more on what this access server would do?
07:42 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
07:42 < ecrist> basically what the OpenVPN one does.
07:42 < ecrist> It would be nice to patch openvpn to allow for pushing new configs to clients, too.
07:43 < ecrist> oh, and provide a web-based client, to allow a user to connect from any computer, even without OpenVPN installed.
07:45 < dazo> ecrist: I see ... yeah, that'd be cool .... I'd like to join such a team :)
07:48 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
07:49 < dazo> ecrist: seriously .... if doing something, I'd probably recommend something pythonish or rubish, not php for a frontend .... a clever implementation could then either run as a standalone python/ruby script with an embedded web-server for the small environments. Those having more demand could then either use a web server with proxy ... OR could use mod_python/mod_ruby/mod_{whatever} to run the same modules .... then you have something which
07:49 < dazo> scales
07:55 < ecrist> I hate large libraries and frameworks like ruby. I, personally, don't know python, so that would limit my abilities.
07:56 < ecrist> also, I am not fond of projects that have their own built-in web server.
07:57 < ecrist> we use Openfire at work for our IM, and it has a built-in webserver, all written in java. it's a pain in the ass to manage, and I can't do some of the fancier things I can with a full daemon.
07:58 < ecrist> the frameworks are nasty for something like this, since our project wouldn't be super complicated on the front-end. think of something similar to postfix-admin
07:58 < |Mike|> does anyone use that ?
07:58 < ecrist> just my ¢.02
07:58 < ecrist> does anyone use what?
07:58 < ecrist> postfix-admin? I do.
07:59 < |Mike|> depends on the scale tbh
07:59 < ecrist> ugh, that should have been 2¢
08:10 < dazo> ecrist: if you know perl .... python would be a breeze .... it's basically just indenting which replaces {} ... and to remember colon where you want to go a step deeper ..... the language itself is very easy
08:11 < dazo> ecrist: ruby on rails is too much for me .... but the language itself is not that bad, but I don't have much experience with ruby yet .... but supposedly good OOP modeling
08:12 < dazo> ecrist: and for built-in web server .... I can agree that it's not ideal in many settings .... that's why with proper abstraction layer, you just replace the "tiny" web-server with another full scale web server, but both use the same modules below
08:14 < dazo> ecrist: for python .... you need to be pretty silly if you don't manage to write a python program within a couple of days .... even within one day, I'd say .... look for a book called "Dive into Python" .... it's a downloadable PDF with example code .... you'll be surprised how easy it is :)
08:18 < ecrist> I'm supposedly going to write a new bot for this channel soon, maybe I'll use that as a first python project.
08:18 < dazo> :)
08:18 < ecrist> involved rewriting some code, since I've already got a basic bot written in perl...
08:19 < dazo> go for it! :)
08:19 < dazo> what are you waiting for!? ;-)
08:19 < dazo> (except available time, perhaps .....)
08:19 -!- c64zottel [n=hans@p5B17AB4E.dip0.t-ipconnect.de] has joined ##openvpn
08:20 -!- c64zottel [n=hans@p5B17AB4E.dip0.t-ipconnect.de] has left ##openvpn []
08:20 < ecrist> *if* a community-written access server were to come to fruition with my assistance, I think it would have a php front-end, however.
08:20 < ecrist> perl *does* have all those SSL libraries, not sure what's available for python.
08:20 < ecrist> dazo: available time is my biggest problem these days.
08:21 < ecrist> doesn't help the MN State Fair starts today (I LIVE for the fair).
08:21 < dazo> there's a lot of SSL stuff for python, but mostly only client side stuff ... but some servers are there too
08:22 < ecrist> any certificate generation/mgmt libraries?
08:22 < dazo> python has quite a big collection of misc modules, just as you're used to in Perl
08:22 < dazo> I have not looked for certificate stuff .... dunno
08:23 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
08:23 < ecrist> honestly, the availability of the masses of libraries within perl is what's kept me there, from learning python.
08:23 < dazo> http://sunh11373.blogspot.com/2007/04/python-utility-for-converting.html .... there's something at least ...
08:23 < vpnHelper> Title: Simple Code: Python utility for generating certificate (at sunh11373.blogspot.com)
08:25 < dazo> I understand that .... but that's not worse in Python, really .... but I have not found something like cpan, though ... but there are plenty of modules
08:25 < dazo> http://sandbox.rulemaker.net/ngps/m2/
08:25 < vpnHelper> Title: M2Crypto - A Python crypto and SSL toolkit (at sandbox.rulemaker.net)
08:30 < ecrist> will have to take a look at it.
08:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:30 < ecrist> could be something fun to work on.
08:35 * ecrist puts ftp log through awstats
08:42 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 60 (Operation timed out)]
08:53 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:10 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:11 -!- jeiworth [n=jeiworth@189.177.121.42] has joined ##openvpn
09:17 -!- jeiworth [n=jeiworth@189.177.121.42] has quit [Read error: 104 (Connection reset by peer)]
09:17 -!- jeiworth [n=jeiworth@189.177.21.126] has joined ##openvpn
09:21 < plaerzen> g'morning ovpn
09:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:41 < dazo> morning
09:42 -!- CamargoBP-Mobile [n=CamargoB@c-98-202-190-192.hsd1.ut.comcast.net] has quit ["Leaving..."]
09:43 -!- Jupiter82 [n=fredrik@nat-01.core.rbnet.no] has left ##openvpn []
09:45 -!- anguis [n=anguis@dslb-092-075-112-149.pools.arcor-ip.net] has joined ##openvpn
09:45 < anguis> hi folks
09:45 < anguis> I've got into some trouble using a routed vpn with windows clients.
09:46 -!- Sargun [n=Sargun@atarack/Staff/Sargun] has quit [Remote closed the connection]
09:46 < anguis> if I start the tunnel with an administrator account, everything's alright, but if I start the vpn using a normal user account the default gateway is not set to the vpn servers IP address - any suggestions?
09:49 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
09:49 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
09:56 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:58 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:17 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:21 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
10:29 -!- dazo [n=dazo@nat/redhat/x-kdfveslahhogndkh] has quit [Remote closed the connection]
10:29 -!- dazo [n=dazo@nat/redhat/x-nzkqxsatollsgkzx] has joined ##openvpn
10:33 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
10:36 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:37 < zu> Hi
10:37 < zu> I have another question
10:37 < zu> It is said in the FAQ :
10:37 < zu> The first available /30 subnet (after the one the server is using) is:
10:37 < zu> * 192.168.1.4/30 * 192.168.1.4 -- Network address * 192.168.1.5 -- Virtual IP address in the OpenVPN Server
10:38 < zu> * 192.168.1.6 -- Assigned to the client
10:38 < zu> * 192.168.1.7 -- Broadcast address.
10:39 < zu> Could anyone tell me the different ip addresses of the server ?
10:39 < zu> (with their meaning, of course...)
10:40 < krzee> .1
10:41 < krzee> always .1, the virtual ip address can't be reached, it's internal to the process only
10:42 < zu> oki
10:44 < zu> so .1 is the real address of the server, .2 is its virtual address
10:44 < krzee> forget about .2
10:44 < krzee> also,
10:44 < zu> does .3 exist too ?
10:44 < krzee> !topology
10:44 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:46 < dazo> anguis: your experience is expected .... you need more privileges to be allowed to modify the routing table on any OS
10:47 < krzee> later all, time to go enjoy the birthday
10:48 < dazo> krzee: yours?
10:50 < dazo> obviously, as he didn't respond ... too busy starting drinking :-P
10:52 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:54 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
10:56 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:10 < anguis> dazo: are there any possibilities to accomplish that without having to give full administrative rights to the users?
11:10 < anguis> or, if this is not possible, are there any other recommended clients for windows?
11:10 < dazo> anguis: it might be that limiting it to some network service levels is sufficient .... but I have no big windows experience
11:10 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out]
11:11 < dazo> anguis: you'll hit this problem with all VPNs .... those where you don't "see it", is because they have fixed this during the installation process, giving the process updating the routing table the needed privileges
11:13 < dazo> anguis: you can run openvpn as a service, then it will have the needed privileges, iirc .... but not sure how you then control which vpn config to connect and disconnect from .... I believe that the vpn will be established during boot or so
11:13 < dazo> anguis: also double check against the openvpn-users mailing list .... this is a frequent topic there
11:17 < anguis> dazo: thank you for your help :-)
11:17 < dazo> anguis: np! :)
11:24 < Bushmills> anguis: you might want to start openvpn at boot time, so when users log in, the tunnel is already up
11:28 < |Mike|> !bsdnat
11:28 < vpnHelper> |Mike|: Error: "bsdnat" is not a valid command.
11:28 < |Mike|> !freebsdnat
11:28 < vpnHelper> |Mike|: Error: "freebsdnat" is not a valid command.
11:28 < |Mike|> !linnat
11:28 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
11:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:30 < |Mike|> !bsdnat
11:30 < vpnHelper> |Mike|: Error: "bsdnat" is not a valid command.
11:30 < |Mike|> wtf.
11:30 < |Mike|> !fbsdnat
11:30 < vpnHelper> |Mike|: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
11:33 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
11:38 < ecrist> nat on from to ->
11:39 < ecrist> !learn pfnat as nat on from to ->
11:39 < vpnHelper> ecrist: Joo got it.
11:39 < ecrist> !learn freebsdnat as see !fbsdnat
11:39 < vpnHelper> ecrist: Joo got it.
11:39 < ecrist> !learn bsdnat as see !fbsdnat
11:39 < vpnHelper> ecrist: Joo got it.
11:41 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
12:05 -!- jeiworth [n=jeiworth@189.177.21.126] has quit ["No Ping reply in 90 seconds."]
12:06 -!- jeiworth [n=jeiworth@189.177.21.126] has joined ##openvpn
12:27 -!- jeiworth [n=jeiworth@189.177.21.126] has quit [Connection timed out]
12:46 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
12:46 < dft> hello
12:47 < dft> I'm trying to setup openvpn on openbsd 4.5 from ports and the "init-config" doesn't exist
12:48 -!- brizly [n=brizly_v@p4FC9963F.dip0.t-ipconnect.de] has quit ["Leaving."]
12:52 -!- brizly [n=brizly_v@p4FC9963F.dip0.t-ipconnect.de] has joined ##openvpn
12:53 < |Mike|> !init-config
12:53 < vpnHelper> |Mike|: Error: "init-config" is not a valid command.
12:53 < |Mike|> did you configure openvpn ?
12:53 < |Mike|> !all
12:53 < vpnHelper> |Mike|: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
12:53 < |Mike|> ^
12:54 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["leaving"]
12:54 -!- explore [n=msparker@173.74.61.155] has joined ##openvpn
12:56 < dft> when installing from ports you don't normally have to
12:57 -!- explore [n=msparker@173.74.61.155] has quit [Client Quit]
12:58 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
12:59 < |Mike|> LOLLLLLLLLLLLLLL
12:59 < ecrist> dft: you need to configure your own OpenVPN instance.
12:59 < ecrist> are you sure you're an OpenBSD user?
13:00 < dazo> :-P
13:00 < |Mike|> i doubt it :p
13:03 < dft> easy there fellas, it's been awhile, normally I reserve my openbsd installs for pf usage and nothing more
13:03 < dft> so I guess I would have to admit I'm not a daily openbsd user
13:03 < |Mike|> altq+pf <3
13:04 < ecrist> they are both available on freebsd. ;P
13:04 < dft> indeed, I've been running the same pf box for years and decided up to the horse power with some new hardware
13:04 < dft> hell, just the scrub all alone makes things perform much better
13:27 -!- hanasaki [i=BLACKLIS@cpe-69-76-130-13.kc.res.rr.com] has joined ##openvpn
13:27 < hanasaki> is there a hardware box that can be put at both ends to make a vpn tunnel? ie something like the linksys does for ipsec
13:29 < dft> ecrist: when you say I need to configure my own instance are you referring to the ./configure that is executed by make install or some post install configuration is required?
13:34 < ecrist> the post install configuration
13:34 -!- hanasaki [i=BLACKLIS@cpe-69-76-130-13.kc.res.rr.com] has left ##openvpn []
13:45 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has joined ##openvpn
13:49 -!- dirtygreek [i=40848f22@gateway/web/freenode/x-icgdbhskcatrdecx] has joined ##openvpn
13:49 < dirtygreek> !howto
13:49 < vpnHelper> dirtygreek: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:53 -!- ecrist_mac [n=ecrist@ms.choksondik.secure-computing.net] has left ##openvpn []
13:55 < dirtygreek> Hi - I was actually just hoping to get a copy of palmpre.zip that's mentioned on the webos development site
13:56 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"]
14:15 < ecrist> dirtygreek: what does that have to do with OpenVPN?
14:15 < dirtygreek> http://www.webos-internals.org/index.php?title=OpenVPN_for_Palm_Pre&oldid=3890
14:15 < vpnHelper> Title: OpenVPN for Palm Pre - WebOS Internals (at www.webos-internals.org)
14:15 * ecrist looks
14:16 < dirtygreek> I was just hoping someone would have it since he references this channel in his instructions
14:16 < dirtygreek> no link on the page. but I guess no luck. Trying to talk to the author of the page directly
14:16 < ecrist> I think he references us here for actual software support, not Palm Pre dev support
14:17 < ecrist> here's a link:
14:17 < ecrist> http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/unstable/openvpn_2.1_rc15-1_arm.ipk
14:17 < dirtygreek> I got that.
14:17 < dirtygreek> But then he mentions unzipping palmpre.zip, which does not come with that .ipk
14:17 < dirtygreek> Anyway, it's cool. Thanks.
14:17 < ecrist> what about the second link?
14:18 < ecrist> oh, that's for LZO
14:18 < ecrist> oh
14:18 < ecrist> wait, the palmpre.zip is the client certificates
14:18 < ecrist> you generate that on your own
14:18 < ecrist> it's got his client config and certificates.
14:19 < dirtygreek> Ah, I see that now. Feel like a n00ber. Thanks.
14:19 < ecrist> np
14:19 -!- dirtygreek [i=40848f22@gateway/web/freenode/x-icgdbhskcatrdecx] has quit ["Page closed"]
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 -!- Netsplit sendak.freenode.net <-> irc.freenode.net quits: misse-, _markus, zeal
--- Log closed Thu Aug 27 14:49:29 2009
--- Log opened Thu Aug 27 14:55:48 2009
14:55 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:55 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
--- Log closed Thu Aug 27 14:56:02 2009
--- Log opened Thu Aug 27 14:57:14 2009
14:57 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:57 -!- Irssi: ##openvpn: Total of 71 nicks [0 ops, 0 halfops, 0 voices, 71 normal]
14:57 -!- Irssi: Join to ##openvpn was synced in 24 secs
14:58 -!- \malex\ [i=5BO5rBEO@unaffiliated/malex/x-000000001] has joined ##openvpn
15:00 < \malex\> i'm trying to push out some routes to a windows 2.0.9 client from a linux server using push "route 192.168.1.0 255.255.255.0 192.168.10.1" and the windows client's log file says "Route addition via IPAPI succeeded", but when i check the routing table on the client those routes aren't actually there. could someone point me where to look for the problem?
15:04 < ecrist> \malex\: there are a few reasons those routes wouldn't be there.
15:04 < ecrist> !all
15:04 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
15:08 < \malex\> ecrist: can you offer some pointers where to look? unless you really want to pore over my config and logs :)
15:08 < ecrist> if the client cannot get to 192.168.10.1 locally, the route addition will fail.
15:09 < \malex\> the client can get to 192.168.10.1 just fine. in fact, running the route add commands listed in the client's log file succeeds just fine
15:11 < \malex\> i mean manually running them from a command prompt
15:14 < ecrist> well, i need to see the information requested above to help you
15:14 < \malex\> i'm gathering it as we speak. there is quite a bit
15:15 < reiffert> \malex\: 2.0.9 is ancient and buggy.
15:15 < reiffert> (like hell)
15:16 < \malex\> so the latest 2.1 rc is recommended?
15:16 < ecrist> yes
15:17 < \malex\> i'll try that first. thanks
15:17 -!- DaGhettoKid [n=DaGhetto@ip65-46-72-90.z72-46-65.customer.algx.net] has joined ##openvpn
15:18 < DaGhettoKid> question, i generated an openvpn client.crt and the client files some time ago, i have all the config files available, how can i generate a 2nd set of client files compatible with that server
15:18 < DaGhettoKid> !howto
15:18 < vpnHelper> DaGhettoKid: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:19 < reiffert> . vars
15:19 < reiffert> build-key client2
15:20 < DaGhettoKid> cool, reiffert, and will it be compatible with the same server?
15:20 < DaGhettoKid> also what is the switch to make it so the client.crt has a password
15:23 < reiffert> !howto
15:23 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:23 < reiffert> search for password
15:23 < DaGhettoKid> ok
15:58 < DaGhettoKid> thanks reiffert, that helped a lot i got it done
15:58 < DaGhettoKid> now the question is, which files are NEEDED for the vpn client to connect, the clients... client.key, client.csr, client.crt, ca.key, ca.rt
15:58 < DaGhettoKid> what else?
16:01 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
16:03 < DaGhettoKid> nvm i figured it out, thanks guys = )
16:03 -!- DaGhettoKid [n=DaGhetto@ip65-46-72-90.z72-46-65.customer.algx.net] has quit ["Leaving"]
16:04 -!- kyrix [n=ashley@188-23-185-238.adsl.highway.telekom.at] has joined ##openvpn
16:10 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
16:31 -!- syntaxcollector [n=syntaxco@mail.zymeworks.com] has joined ##openvpn
16:31 < syntaxcollector> openvpn masters!
16:31 < syntaxcollector> i bow before you all
16:31 * syntaxcollector needs help
16:32 < syntaxcollector> i have an openvpn server on an fc4 machine, and openvpn clients on gentoo machines
16:32 < syntaxcollector> everything works, except for one very important detail
16:32 < syntaxcollector> i cannot "push" dhcp-option dns to the clients
16:32 < syntaxcollector> is there a special package or something that I am missing in gentoo?
16:32 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
16:35 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has joined ##openvpn
16:46 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
16:50 -!- myk_robinson [n=mrobinso@72.4.43.74] has joined ##openvpn
16:50 < myk_robinson> is anyone here able to help connect Ubuntu 9.04 to an OpenVPN server? the server seems to be configured right, as everything works from Windows, but having trouble in Linux
16:59 < \malex\> reiffert, ecrist: it looks like upgrading my windows client to 2.1_rc19 fixed the routes not being added. thanks
17:00 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"]
17:09 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
17:12 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Remote closed the connection]
17:13 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
17:16 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:21 -!- myk_robinson [n=mrobinso@72.4.43.74] has quit ["Leaving."]
17:47 -!- syntaxcollector [n=syntaxco@mail.zymeworks.com] has quit []
17:58 -!- victor___ [i=victor@jerl.in] has quit [Read error: 101 (Network is unreachable)]
18:06 -!- kyrix [n=ashley@188-23-185-238.adsl.highway.telekom.at] has quit ["Leaving"]
18:23 < dft> is it normal to always get a bunch of "default_foo: not found" ?
18:24 < dft> when sourcing vars
19:10 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
19:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [No route to host]
19:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:23 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
19:39 -!- prg3 [n=prg3@playground.cein.ualberta.ca] has joined ##openvpn
19:41 < prg3> Hi, I'm looking for a way to setup 2 (or n) geographically distributed openvpn servers in a way that a user can connect to one, and get the whole network (push route), yet if they connect to multiples, they will route properly to the closest openvpn entry point to the network... my first thought is route metrics, but I can't seem to find a way to push metrics with the routes..
19:49 -!- gorkhaan [n=gorkhaan@adsl-101-16.globonet.hu] has quit ["Távozom"]
19:58 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has joined ##openvpn
20:00 < mikeones> hello, I am using 2.0 and sending out a default-gw via open vpn. How can I get the server to send routes to my client allowing access to my other local subnets at work?
20:00 < mikeones> I can add route statements by hand to allow access to these other subnets but I would like openvpn to do this
20:01 < mikeones> I don't think iroute is for this purpose
20:09 -!- protocols [n=protocol@ip-88-153-199-22.unitymediagroup.de] has quit [Read error: 145 (Connection timed out)]
20:14 -!- sako [n=sako@130.166.200.254] has joined ##openvpn
20:15 < sako> hey guys i want to connect to my school's vpn and i have no idea where to start
20:15 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:15 < sako> all the documentation on my school's site is for windows/mac
20:15 < sako> i am trying to use openvpn on linux..
20:15 < sako> !howto
20:15 < vpnHelper> sako: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:35 -!- sako [n=sako@130.166.200.254] has quit ["leaving"]
20:36 < Bushmills> mikeones: let server push route(s)
20:38 < Bushmills> but - if your traffic gets routed through openvpn already, pushing routes wouldn't make a lot of sense. those routes to your LANs should exist already.
20:44 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has quit []
20:45 -!- WormFood [n=wormfood@219.133.100.209] has joined ##openvpn
20:54 < mikeones> Bushmills: since openvpn is setting a new default-gw I lose access to my local work routes without setting them after openvpn updates my routing table
20:56 < mikeones> Bushmills: we have a class B VLSM'd into class C's. I would like to tell openvpn to push a route to the class B but point it to my local ethernet adapter
20:58 < Bushmills> is that network on the server side?
20:59 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
21:10 -!- master_of_master [i=master_o@p549D3B74.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D3E18.dip.t-dialin.net] has joined ##openvpn
21:17 < mikeones> Bushmills: no, client side
21:25 -!- marker_ [n=claudio@host5.190-138-191.telecom.net.ar] has joined ##openvpn
21:26 < marker_> hi everybody!!!
21:27 < marker_> I did the implementation of openvpn recently and it works very very good
21:29 < marker_> and now I have a simple question, my PCs clients are in Windows XP and Vista , could they connect to 2 openvpn servers???
21:30 < marker_> imagine that i have two VPNs in two different sites, and I would like if they computers can connect to both at the same time
21:30 < marker_> is this possible ?
21:35 < marker_> hello?!
21:43 < WormFood> sure, no problem marker_, just learn routing, and make sure each VPN uses a different network address.
21:47 < prg3> WormFood: similar question, what if both are entry points to the same network, can there be priorities on those routes?
21:49 < marker_> routing isn't my problem, but how could I run two openvpn clients in one pc?
21:51 < prg3> marker_: easy, openvpn-gui works great like that on windows, or just run 2 of them from CLI with different configs.
21:52 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
21:52 < marker_> prg3: mmmm..... so when I will run a openvpn gui, i need choose where config file take
21:53 < prg3> marker_: as long as all the configs are in the config directory, it "just works"
21:54 < marker_> for example in my config directory, now, there is a client.ovpn file, so, if I like connect to second VPN, I will put another config file , for example client2.ovpn
21:55 < marker_> and run the second openvpn-gui with that configuration file
21:55 < marker_> that's right?
21:57 < prg3> Yup
21:59 < marker_> prg3: thank you a lot!
21:59 < marker_> i will probe that
21:59 < prg3> No problem
21:59 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
21:59 < marker_> and sorry for my english
21:59 < marker_> im from Argentina and im learning english now
22:01 < prg3> No problem, I didn't think yours was bad at all..I've heard much worse from native english speakers trying to communicate online :)
22:04 < marker_> jajaja thanks again!
22:06 -!- tjz [n=tjz@121.7.20.94] has quit [Read error: 145 (Connection timed out)]
22:06 < prg3> np
22:06 < marker_> in a few minutes i will to probe that, im working in Linux now, so I need to restart and in on Windows = (
22:06 < prg3> It'll work under Linux too
22:07 < dft> hello
22:07 < marker_> Yes , but I installed openserver in my work, and all users have windows
22:08 < dft> I hope someone can help me getting past the process of sourcing vars on openbsd 4.5
22:08 < prg3> Best to test under the user's actual environment :)
22:08 < dft> I keep getting multiple errors regarding default_foo: not found
22:08 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 60 (Operation timed out)]
22:08 < dft> I've edited vars accordingly but continue to be getting stonewalled
22:09 < dft> all the errors seem to stem from openssl.cnf
22:11 < marker_> dft i dont understand your problem
22:11 < dft> np, let me explain a different way
22:12 < dft> when sourcing vars I get repeated errors similar to the following
22:12 < dft> /root/openvpn/easy-rsa/2.0/openssl.cnf[68]: policy: not found
22:13 < marker_> can you show me the vars file ???
22:13 < dft> now I've installed openvpn from pkg_add and made a copy of /usr/local/share/examples/openvpn in ~root
22:13 < dft> marker_: sure, standby for pastebin
22:16 < dft> marker_: http://pastebin.com/d19c695e1
22:17 < marker_> dft
22:17 < dft> marker_:
22:19 < marker_> look, when you run one script for example, a script to make server's keys, it's preferred that you stay in /etc/openvpn
22:19 < marker_> so, you copy the file openssl.cnf in /etc/openvpn
22:20 < dft> it's odd though that the installation hasn't created that, but I'll give it a shot
22:20 < marker_> find it
22:25 < marker_> dft
22:25 < marker_> you have that error "/root/openvpn/easy-rsa/2.0/openssl.cnf[68]: policy: not found" when you run any script?
22:26 < dft> marker_: whenever I try to just source the vars script in prep for ./build-dh && ./build-ca --initca
22:28 < marker_> is better if you do this ---> run the scripts in /etc/openvpn/
22:28 < marker_> and copy /root/openvpn/easy-rsa/2.0/openssl.cnf[68]: policy: not found
22:28 < marker_> openssl.cnf in /etc/openvpn
22:28 < marker_> sorry copy openssl.cnf in /etc/openvpn
22:29 < dft> I see so take all the easy-rsa scripts into /etc/openvpn and work from there
22:31 < dft> still no luck
22:32 < marker_> you run the scripts but you must stay in /etc/openvpn
22:32 < marker_> did you copy /openssl.cnf ??? in /etc/openvpn ?
22:38 < dft> I don't think I follow you when you stress staying in /etc/openvpn
22:39 < dft> I copied the openssl.cnf that came with openvpn, are you thinking of /etc/ssl/openssl.cnf that is built during the install of openbsd?
22:40 < marker_> look when you run any scripts of openvpn, the scripts read the file vars, in this file, there is a variable, that variable is the result of pwd command
22:40 < dft> right $EASY_RSA
22:41 < marker_> so, when you run one scripts , the scripts find the file openssl.cnf in "pwd"
22:41 < dft> right that's self explanatory
22:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:44 < marker_> ok
22:44 < dft> wait I think I see what you're getting at now, in openssl.cnf there are some $ENV:: parameters that may need tweaking
22:47 < dft> don't be shy, if you think I'm wrong, please say so
22:48 < dft> pfff, well that didn't work
22:48 < marker_> dft: you dont change anything in openssl.cnf
22:49 < marker_> dft in which system are you installing openvpn ?
22:50 < dft> openbsd 4.5
22:50 < marker_> mmmm.
22:51 < dft> I've found some posts online regarding the same issue, but no one actually describes how they got past it
22:51 < marker_> I installed openvpn in debian etch, following that guide http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch
22:51 < vpnHelper> Title: Install and setup OpenVPN on Debian 4.0 Etch Lone-Wolf Scripts (at howto.landure.fr)
22:51 < marker_> read it maybe could be help you
22:52 < dft> well I'm going to shift focus for now, I'm getting too frustrated with this to be productive now
22:52 < dft> I'll have a look thank you
22:52 < dft> time for a nap
22:52 < marker_> read this ---> http://blog.innerewut.de/2005/07/04/openvpn-2-0-on-openbsd
22:52 < vpnHelper> Title: BlogFish: OpenVPN 2.0 on OpenBSD (at blog.innerewut.de)
22:52 < marker_> but read and do
22:52 < dft> read that one already
22:52 < marker_> ah ok
22:53 < dft> battery is about to die on the netbook ttyl
22:55 < marker_> dft
22:57 < marker_> dft priv.
22:58 < marker_> dft
23:00 -!- marker_ [n=claudio@host5.190-138-191.telecom.net.ar] has quit ["Ex-Chat"]
23:21 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn
23:24 < tread> Hi guys. I'm using TomatoVPN, which uses OpenVPN on the Tomato firmware for Linksys routers. I'm somewhat of a newbie.. I just want to set up a bridged VPN which runs from my router and asks for a simple username and password.. instead I find myself confused by talk of public keys and certificates.. i can't make sense of anything i found on google, can anyone help?
23:36 -!- garnser [n=jpeterss@gw2.mysql.com] has joined ##openvpn
23:36 < garnser> I started to wonder why I didn't see anything here for 3 days
23:36 < garnser> turned out I was offline
23:38 < tread> heh
--- Day changed Fri Aug 28 2009
00:14 -!- Angie [n=angie@unaffiliated/angie] has joined ##openvpn
00:15 < Angie> hi how would I configure openvpn to connect to a vpn that uses username/password authentication only and no csr/crt/key files
00:22 -!- Chris [n=chris@unaffiliated/chris] has joined ##openvpn
00:22 < garnser> Angie: --auth-user-pass
00:23 -!- Chris [n=chris@unaffiliated/chris] has left ##openvpn []
00:23 < Angie> garnser: so openvpn --auth-user-pass username password?
00:23 < garnser> Angie: and --client-cert-not-required
00:24 < garnser> hm, actually
00:24 < garnser> client-cert-not-required and username-as-common-name should do it
00:24 -!- agliodbs [n=agliodbs@63.195.55.98] has joined ##openvpn
00:25 < garnser> Angie: ^
00:25 < Angie> uff
00:25 < garnser> Angie: client-cert-not-required and username-as-common-name on server-side and auth-user-pass on the client side
00:26 * garnser is a bit too drunk to give any decent support
00:26 < Angie> :\
00:26 < garnser> but that should do it
00:27 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
00:27 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
00:27 < Angie> $ openvpn --auth-user-pass kahonez --dev tun --pull --tls-client --client-cert-not-required --mode 'p2p'
00:27 < Angie> Options error: --client-cert-not-required requires --mode server
00:27 < Angie> Use --help for more information.
00:27 < Angie> kahonez being the nick
00:28 < Angie> if I have --mode server set it doesn't work
00:29 < Angie> because -pull can't work with --mode server
00:30 < garnser> Angie: is that on the server or client-side?
00:30 < Angie> client
00:32 < garnser> yeah, just auth-user-pass on the client-side
00:32 < garnser> but you need to add --client-cert-not-required on the server-side as well
00:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
00:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
00:36 < garnser> Angie: any luck?
00:37 < Angie> no
00:37 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
00:38 < garnser> Angie: lemmie get a config for you
00:39 < Angie> thanks so much for helping
00:39 < Angie> its a vpn.itshidden.com account
00:39 < Angie> i dunno if its me or them
00:40 < garnser> Angie: http://pastebin.com/m20c5d13
00:41 < garnser> I've no idea how they deal with it
00:48 < Angie> "http://pastebin.com/m20c5d13"
00:48 < Angie> * Unknown post id, it may have expired or been deleted
00:48 < Angie> garnser: try codepad.org :P
00:49 < garnser> Angie: http://pastebin.com/m20c5d13 works fine for me
00:51 < Angie> kk
00:53 < garnser> well /me is off
00:53 < Angie> nop
00:53 < Angie> doesn't work
00:53 < Angie> kk :(
00:53 < garnser> Angie: look at --auth-user-pass in the manual
00:54 < garnser> and up verb to 4 so you get some decent logging going
00:54 < Angie> its the ca.crt part
00:54 < Angie> the acct didnt come with one
00:54 < garnser> hm
00:54 < garnser> oh
00:55 < garnser> Angie: check http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html then
00:55 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
00:55 < Angie> kk
00:55 < Angie> thanks
00:55 < garnser> only other thing I can think about
00:58 < Angie> yea
01:03 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:07 -!- Angie [n=angie@unaffiliated/angie] has left ##openvpn ["Leaving"]
01:35 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
01:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:46 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Read error: 54 (Connection reset by peer)]
01:46 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
01:59 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Read error: 104 (Connection reset by peer)]
01:59 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
02:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
02:06 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Read error: 104 (Connection reset by peer)]
02:07 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
02:10 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:20 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Read error: 104 (Connection reset by peer)]
02:20 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
02:26 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Client Quit]
02:31 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:00 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
03:02 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:04 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
03:04 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
03:07 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
03:10 -!- agliodbs [n=agliodbs@63.195.55.98] has quit []
03:12 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:23 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:26 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
03:27 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
03:27 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
03:27 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:34 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
03:46 -!- duke-- [i=sb@black.cubewerk.de] has joined ##openvpn
03:47 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:48 < duke--> hi, i tried to setup an ipv4/ipv6 tunnel setup with openvpn by this howto http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en#inst-openvpn . Unfortunately, openvpn did not pass the local and remote-ip address to the --up script. /etc/openvpn/scripts/up.sh tun0 1500 1541 init
03:48 < vpnHelper> Title: JOIN Homepage -- Howto: OpenVPN IPv6 Tunnel Broker Guide (at www.join.uni-muenster.de)
03:49 < duke--> any ideas
03:49 < duke--> ?
03:50 < krzee> post configs without comments and up script
03:50 < krzee> hammered and might not be helpful, but it will help others see it too
03:50 < duke--> a second
03:54 < |Mike|> !all
03:54 < vpnHelper> |Mike|: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
03:54 < |Mike|> there ya go duke-- :)
03:54 -!- c64zottel [n=hans@p5B17AB9B.dip0.t-ipconnect.de] has joined ##openvpn
03:55 -!- c64zottel [n=hans@p5B17AB9B.dip0.t-ipconnect.de] has left ##openvpn []
04:00 < dazo> duke--: have you checked the environment variables in your script?
04:00 < dazo> (have a look at the "Environmental Variables" section in the man page
04:12 < duke--> give me a second, was in a meeting
04:16 < Bushmills> mikeones: where then comes the need from to let openvpn add any client routes to local interfaces? those should be there already, before openvpn starts.
04:16 < duke--> http://pastebin.com/m6daad4d1
04:16 < duke--> here we go
04:18 < |Mike|> ?
04:19 < duke--> dazo: the problem is not the script itself, it's more the missing variables passing to it
04:19 < dazo> duke--: which version are you running?
04:20 < duke--> #
04:20 < duke--> Server is Debian 5.0 2.1~rc11-1
04:20 < duke--> #
04:20 < duke--> Client is windows xp openvpn-2.0.9
04:21 < dazo> duke--: that's most probably your trouble .... the variable passing and environmental variables has changed, quite a lot from 2.0.9 to 2.1_rc15 and up .... but also from rc11 to rc15 and up
04:21 < dazo> duke--: rc19 is stable .... but if you want to be conservative, running rc15 is also a lot better
04:21 < dazo> than staying below rc15, that is
04:21 < duke--> according to http://openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
04:21 < vpnHelper> Title: OpenVPN 2.1 (at openvpn.net)
04:21 < duke--> the --up should still send cmd tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [ init | restart ]
04:22 < dazo> duke--: ^^^^ openvpn 2.1 .... and those docs is based on the latest available rc candidate
04:24 < duke--> same information in the manual from 2.0.x
04:25 < duke--> obviously the problem is somewhere else
04:30 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
04:34 < duke--> no further ideas?
04:34 < duke--> :/
04:37 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
05:00 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:03 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:29 -!- tjz [n=tjz@121.7.20.94] has joined ##openvpn
05:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:53 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
06:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:40 -!- brizly1 [n=brizly_v@p4FC9997D.dip0.t-ipconnect.de] has joined ##openvpn
06:55 -!- brizly [n=brizly_v@p4FC9963F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:56 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
06:59 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
07:02 < ecrist> good morning, folks.
07:03 < cpm> morn'n
07:34 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
07:38 -!- anguis [n=anguis@dslb-092-075-112-149.pools.arcor-ip.net] has left ##openvpn []
08:18 -!- Douglas [n=admin@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
08:24 -!- duke-- [i=sb@black.cubewerk.de] has quit ["leaving"]
08:38 * ecrist wonders if Snow Leopard will support a TAP device
08:38 < ecrist> and proper bridging
08:38 < Douglas> lol
08:38 < ecrist> it *does* support TAP, no bridging though.
08:38 < Douglas> ecrist: freebsd is making my life hard
08:38 < Douglas> :(
08:38 < ecrist> how so?
08:39 < ecrist> did you install the RSS module on ovpnforum?
08:39 < Douglas> im trying to set up a kickstart for it
08:39 < Douglas> and im clueless
08:39 < Douglas> and whooops
08:39 < Douglas> i need to add that to my to do list
08:39 < Douglas> do you have a link to it ?
08:39 < ecrist> no
08:40 < ecrist> what do you mean, a kickstart?
08:40 < Douglas> pxe boot hands off install
08:40 < Douglas> aside from typing freebsd in
08:40 < ecrist> there are lots of docs out there to do such a thing
08:40 < ecrist> it is something I've never played with.
08:41 < Douglas> i know there are soem docs, i see that
08:41 < Douglas> some
08:41 < Douglas> but they are all for freebsd boxes
08:43 < Douglas> http://people.freebsd.org/~alfred/pxe/en_US.ISO8859-1/articles/pxe/article.html
08:43 < vpnHelper> Title: FreeBSD Jumpstart Guide (at people.freebsd.org)
08:43 < Douglas> i don't know if i can /have/ to build a custom kernel like it says.. if i do i dont have the tools or smarts to
08:43 < ecrist> it's really eays
08:43 < ecrist> easy
08:43 < ecrist> any freebsd box has the tools
08:43 < Douglas> again
08:43 < Douglas> a) i don't know freebsd at all
08:44 < ecrist> cd /usr/src/sys/i386/conf
08:44 < Douglas> b) i dont have a freebsd box
08:44 < ecrist> cp GENERIC
08:44 < ecrist> EDIT
08:44 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
08:44 < ecrist> cd /usr/src/ && make buildkernel KERNCONF= && make installkernel KERNCONF=
08:45 < ecrist> why the hell are you trying to make a freebsd kickstart without a freebsd box?
08:45 < Douglas> because I DONT KNOW FREEBSD for the tenth time
08:45 < Douglas> and
08:45 < Douglas> i have it working for linux distros on debian already
08:47 < ecrist> reading the link you sent, it looks pretty straight forward
08:47 < Douglas> for freebsd.. sure
08:47 < Douglas> then i need to add in centos debian fedora ubuntu (soon arch and gentoo)
08:48 < ecrist> Douglas: you're going to need freebsd components to do it, but it can be done from a linux system, I think.
08:49 < Douglas> i think im going to need a freebsd test box or something
08:49 < ecrist> let's see: 1) setup tftp and nfs, 2) copy boot images to tftp site, 3) profit
08:49 < ecrist> that article is 6 years old, btw
08:50 < Douglas> yea
08:50 < ecrist> you shouldn't need a custom kernel, it's optional
08:50 < Douglas> i got tftp and nfs running
08:50 < Douglas> thats how i do the other installs (NFS)
08:50 < ecrist> short of the matter is, if you're going to PXE boot freebsd, you're going to have to learn a bit about FreeBSD
08:50 < Douglas> whats cool is i have centos debian ubuntu and fedora kickstarts.. fully working.. 32 and 64bit.. in 320MB
08:51 < Douglas> er, sorry thats with a compressed version
08:51 < Douglas> in 170MB :)
08:51 < ecrist> http://www.google.com/search?client=safari&rls=en&q=FreeBSD+PXE+boot+server&ie=UTF-8&oe=UTF-8
08:51 < vpnHelper> Title: FreeBSD PXE boot server - Google Search (at www.google.com)
08:53 < Douglas> ecrist: i could get away with bootonly cds couldnt i
08:54 < ecrist> don't know your requirements.
08:54 < ecrist> /j ##freebsd
08:54 < ecrist> I'm sure they'd be willing to help you.
08:54 < Douglas> already in there
08:54 < Douglas> i asked.. got 'No'.
08:55 < ecrist> what did you ask?
08:55 < Douglas> if there was a tutorial on how to do ti on a linux box
08:55 < Douglas> it
08:55 < ecrist> holy crap
08:55 < ecrist> how about you follow one of the freebsd ones? it's the same thing
08:55 < ecrist> you just need to convert the actual steps to the linux equiv.
08:55 < Douglas> Lol
08:56 < ecrist> you just build a freebsd PXE boot server
08:56 < ecrist> s/you/or/
08:58 < Douglas> hm
08:58 < ecrist> Douglas: once you learn FreeBSD and get comfortable, you'll wonder why you spent so much time on Linux.
08:58 < ecrist> :)
09:00 < Douglas> you know ecrist i used to use freebsd
09:00 < Douglas> imho it has gone downhill since the 4 / 5 era
09:00 < ecrist> oh, really? how so?
09:02 < Douglas> well, 6 was a mix of 4 and 5, didnt impress me
09:02 < Douglas> havent used 7 all that much
09:02 < Douglas> i hear 8 isnt bad
09:02 < ecrist> no, I would say 5 was a mix of 4 and 6
09:03 < ecrist> 5 was a devilish bastard of a release. buggy nearly all the way to EOL
09:03 < ecrist> 6 was solid, and was a stability release, offering great improvements to multi-core processing, at the great detriment of unicore systems.
09:04 < ecrist> 7 offered GIANT leaps in performance for multi-core systems, amongst other stability and feature improvements.
09:04 < ecrist> 8 is going to be awesome
09:04 < Douglas> from what people tell me, 8 is great
09:04 < Douglas> hah, rhyme
09:05 < ecrist> Douglas: 4 was a great release, but it is old and archaic (even though I still have a 4.11 system hanging around)
09:05 < ecrist> I've been using FreeBSD full-time since version 2.2.5
09:05 < ecrist> back in 1997
09:06 < Douglas> old school
09:07 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit ["Verlassend"]
09:21 < tread> Has anyone used TomatoVPN, the open-source firmware for Linksys routers that comes with OpenVPN?
09:27 < cpm> probably someone has, the authors maybe, perhaps others. I haven't.
09:29 < Douglas> wo0t ecrist just had to do some bsd work
09:29 < Douglas> lol
09:29 < Douglas> with mdconfig and bsdlabel
09:36 < ecrist> tread: others in here have. if you have a question, I would suggest asking it
09:41 < tread> I'm just having newbie troubles with TomatoVPN. It has very little docs because it expects me to use OpenVPN docs, but I can't even find any of the tools mentioned in the OpenVPN docs in the firmware's file system (like ./build-ca, ./build-key-server, etc.)
09:42 < ecrist> the build-ca and etc are part of easy-rsa
09:42 < tread> and on top of that, I just want password authentication for users, no keys/certificates, and I can't figure out how to do that using TomatoVPN.
09:42 < ecrist> OpenVPN supports that, and it is covered in the docs.
09:43 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has left ##openvpn []
09:43 < tread> I know.. but I can't find easy-rsa anywhere on TomatoVPN's filesystem. I'm ssh'd into it right now, and just can't find any of the files mentioned in the OpenVPN docs, except for one executable file called openvpn
09:44 < ecrist> odds are the utilities are not there.
09:45 < ecrist> it would consume a considerable amount of space on a very limited file system
09:45 < Douglas> ecrist: i made 2 ramdisks :) now just to figure out how to make working install.cfg's
09:45 < tread> ah, ok, guess i'll work on doing it on my laptop then transferring the files to the router.
09:47 < tread> but if I just want to use password authentication, how much of the key/certificate stuff do I still need to do? presumably I can skip building client keys, but do I still have to build the certificate authority and also the server key?
09:47 < ecrist> none of it, really
09:47 < ecrist> !password-only
09:47 < vpnHelper> ecrist: Error: "password-only" is not a valid command.
09:48 < ecrist> http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
09:48 < vpnHelper> Title: [Openvpn-users] New Username/Password Authentication Mode (at openvpn.net)
09:48 < ecrist> !learn password-only as http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
09:48 < vpnHelper> ecrist: Joo got it.
09:52 < tread> ecrist, so then what's the first thing I should do to get this set up on my router? Your link assumes I'm modifying an already-running VPN, and the OpenVPN how-to assumes I need to generate keyfiles and have sample config files and whatnot (which I don't). All I have is the TomatoVPN GUI, and I can't figure out what to do first.
09:53 < ecrist> there are examples to creating a vpn without the certificates. I just don't know where any of them are right now.
10:05 < dazo> tread: install easy-rsa on your own computer ... and just copy needed certs and key files to the Tomato box (sounds weird :-P)
10:06 < dazo> tread: or another easy-rsa replacement .... ssl-admin, TinyCA ... whatever you like .... do it manually in openssl if your mojo is high enough for that
10:06 < tread> dazo, yes but I don't want to use keys and certificates.. I just wanted to set this up easily with a username and password. It was very easy to set up a PPTP VPN running off a Windows server last time I tried :p
10:07 < ecrist> OpenVPN is not PPTP
10:07 < tread> I know.
10:07 < tread> but it doesn't have to be any more difficult :)
10:07 < dazo> tread: you don't see the parallel .... pptp is not safe .... doesn't require much certfiles/keys ...... openvpn safer .... needs more files .....
10:08 < dazo> tread: to do user/pwd auth ... you need some plugins to openvpn anyway .... out-of-the box, it works best with either static keys or with proper PKI (key/cert files)
10:08 < ecrist> riding a motorcycle is more difficult than riding a bike - even though they only each have two wheels.
10:10 < dazo> good one! :)
10:11 < tread> dazo: well, one of my main goals here is to make it very easy for me to connect as a client from any public computer. That's why I want user/pass authentication.
10:12 < dazo> tread: from the URL you posted higher up: "If you download the tarball, you will find a perl script in
10:12 < dazo> sample-scripts/auth-pam.pl which will do PAM authentication on a *nix system.
10:12 < dazo> You can use this script along with the --auth-user-pass-verify directive on
10:12 < dazo> the server.
10:12 < dazo> "
10:13 < dazo> Can your Tomato box do PAM auth?
10:13 * dazo doubts that
10:13 < tread> dazo, no idea.
10:14 < tread> Shouldn't it be able to do anything that OpenVPN can do, even if it's GUI doesn't have an option for it?
10:14 < tread> its*
10:14 < ecrist> tread: you're dealing with a stripped down OS on a piece of fringe hardware with little to no extra resources.
10:15 < ecrist> PAM has a considerable overhead for the benefit it provides on such a small scale as a consumer LAN gateway.
10:16 < tread> sigh... all I wanted was to run a vpn from my router so I can type in a username and password from a remote location, and then be able to ssh or vnc into any computer on the home network. I thought this would take me like 10 min to set up...
10:16 < ecrist> you can do it, you'll just need to find the components. I sent you a link with basic instructions.
10:16 < tread> (all the computers are already running vnc and ssh servers successfully.)
10:16 < ecrist> you will still need OpenVPN installed on what ever machine you're connecting from.
10:17 < tread> ecrist, Ubuntu's GUI network-manager has VPN support.
10:17 < tread> I was planning to use that as the client.
10:17 < ecrist> !ubuntu
10:17 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
10:17 < tread> lol
10:18 < ecrist> I forget the specific reason someone added that bit, but NM on ubuntu is horribly broken.
10:19 < tread> well, at the very least, can I just have a single config file on a USB drive that I can use to connect to the server from any client machine with OpenVPN installed, without having to do any extra configuration (or even have root privileges) on the client machine?
10:20 < ecrist> yes, that was covered on the link above
10:20 < ecrist> !password-only
10:20 < vpnHelper> ecrist: "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
10:22 < tread> wait, so I *don't* need to install any extra plugins on the server to use password authentication?
10:23 < tread> What about PAM?
10:23 < reiffert> contrib
10:23 -!- admin0 [n=admin0@cm240.delta133.maxonline.com.sg] has joined ##openvpn
10:24 < tread> ok, thanks for the help guys. i'll see where it gets me. I guess I should just give up completely on using the TomatoVPN GUI for this.
10:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:54 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
10:58 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:03 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn
11:10 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
11:14 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Client Quit]
11:25 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:33 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:34 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
11:34 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
11:57 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:30 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
12:30 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
12:40 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
12:43 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
13:05 < tread> newbie question: when the docs specify a subnet with the notation 192.168.1.0/24, what is the /24 following that IP address?
13:06 < Douglas> er
13:06 < Douglas> tread: what?
13:07 < tread> Douglas, In the OpenVPN online documentation, he frequently refers to subnets using such a notation. For example: First, set aside an address pool in your 192.168.1.0/24 subnet for use by OpenVPN clients
13:07 < tread> I'm just asking for a definition of that IP_address/# notation.
13:08 < Douglas> that's a CIDR
13:08 < Douglas> 192.168.1.0 - .255
13:23 < ecrist> same as 192.168.1.0 255.255.255.0
13:24 < Douglas> ok
13:24 < Douglas> debian is being RETARDED
13:25 < Douglas> time for a diff distro
13:27 < ecrist> FreeBSD is viable...
13:27 < ecrist> and, you need to build a bsd box anyway...
13:28 < Douglas> hm
13:28 < Douglas> maybe
13:28 < Douglas> i might have just fixed my debian issue
13:37 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
13:39 < tread> sigh.. can anyone explain why I can't use a static key with ethernet bridging? I get the error " Options error: --server-bridge and --secret cannot be used together (you must use SSL/TLS keys)"
13:39 < ecrist> don't know the answer to that one.
13:39 < tread> Is there some way around that? I only need one computer to ever be the client, so keyfiles/certificates seems like huge overkill. I just want to be able to bridge my laptop into my home network.
13:43 < ecrist> tread: you could have created the certificates and been done with it by now.
13:44 < tread> ecrist: yeah... i'm trying that now. I installed openvpn on my laptop (`sudo apt-get install openvpn` on Ubuntu), but it looks like easy-rsa didn't come with it :/
13:44 -!- tjz [n=tjz@121.7.20.94] has quit [Read error: 145 (Connection timed out)]
13:45 < ecrist> it should have
13:45 < ecrist> it's in the source directory
13:46 < tread> ecrist, well, the online docs say to check /usr/share/doc/openvpn/ , which exists but it's not in there. the other dir it says to check don't exist.
13:47 < Douglas> ecrist: got it to work
13:47 < Douglas> now just to make the install.cfg :|
13:47 < ecrist> PXE boot for FreeBSD?
13:47 < tread> any way for me to get the easy-rsa package explicitly?
13:47 < Douglas> ecrist: yes
13:47 < Douglas> got 32 and 64bit images to boot (bootonly cd basically)
13:47 < Douglas> just need to automaet now
13:48 < Douglas> automate
13:48 < ecrist> tread: google for it. otherwise, use ssl-admin
13:48 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has joined ##openvpn
13:50 < tread> gah, it was in /usr/share/doc/openvpn/examples/easy-rsa/
14:30 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
14:30 < Optic> hello!
14:30 < Optic> I have an openvpn setup that depends on systems getting the same ip each time, using ipp.txt
14:30 < Optic> which works fine
14:31 < Optic> but I would like to also move to a multiple-server/failover setup
14:31 < Optic> are those two things compatible at all? :)
14:31 < Optic> a static hostname would be fine too
14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 < ecrist> you don't want much, do you?
14:35 < Optic> nope, nothing at all
14:35 < Optic> should be easy
14:35 < Optic> :) :)
14:35 * Optic chuckles
14:35 < ecrist> !iporder
14:35 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:35 < ecrist> start with that. ipp.txt is not the right place for your static IP config
14:35 < Optic> thanks
14:35 < ecrist> you may wish to look into something like CARP for failover
14:36 < ecrist> bridging may be an option for your VPN instances
14:38 < Douglas> wow
14:38 < Douglas> i got freebsd working but i cant make debian work
14:38 < Douglas> what is that
14:38 < Optic> hey cool, client-connect script is cool
14:40 < Optic> so if I do a client connect script on my cluster that uses a common database of IP addresses, this should work fine
14:40 < ecrist> there you go
14:40 < ecrist> the only difficult part is proper routing, which can be abolished with bridging
14:40 < Optic> i have a small web cluster and a single-point-of-failure openvpn server
14:41 < Optic> hmm routing yes
14:41 < Optic> i have hundreds of clients connecting though
14:41 < Optic> bridging might be iffy
14:42 < ecrist> why does number of clients matter
14:43 < Optic> hmm, i'm not sure
14:43 < Optic> it just feels like it should :)
14:51 < Optic> what's a reasonable limit for clients on a bridged vpn?
14:51 < Optic> on say, a linux server?
14:53 < Optic> ecrist: an alternative might be to use the client-connect script to set the remote machine's IP in the backend based on which server it connected to
14:53 < Optic> so anything that needs to know the address of the remote machine can get it from there
14:53 < Optic> then each server can have a distinct IP block
14:53 < Optic> and there is no need to statically assign addresses
14:54 < Optic> does that make sense?
14:58 < ecrist> sure
14:58 < ecrist> I'd just use bridging
14:59 < ecrist> ;P
15:00 < Optic> wouldn't the clients be able to talk to each other?
15:00 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
15:00 < Optic> and broadcast traffic sent to all clients?
15:00 < ecrist> sure
15:00 < ecrist> if you have client-to-client
15:01 < ecrist> I don't see a requirement mentioned above that indicates the desire to not have communication as such.
15:01 < Optic> oh i see
15:01 < Optic> I didn't think about it because we're running a routed system now
15:01 < Optic> all of our clients are linux, so doing a bridge setup wouldn't be too bad
15:02 < Optic> we'd eventually like to support a couple thousand clients
15:10 < Optic> yeah, bridging would be better :)
15:11 -!- c64zottel [n=hans@p5B17AB9B.dip0.t-ipconnect.de] has joined ##openvpn
15:11 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
15:11 -!- c64zottel [n=hans@p5B17AB9B.dip0.t-ipconnect.de] has left ##openvpn []
15:12 < Optic> at any rate, openvpn is great at being able to do everything i've ever needed it to do
15:12 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn
15:32 -!- Douglas [n=admin@ool-43503ed4.dyn.optonline.net] has quit []
15:40 < tread> ok, I want to test the OpenVPN server that I set up on my router to see whether I can remotely VPN into my home network, but I'm currently connected to my home network /through/ that router. Is it possible for me to tell whether or not it works without leaving my house to find another internet connection?
15:41 < tread> It seems to be working (no errors), but nothing in `ifconfig` changes when I connect to the VPN, and everything works exactly the same, so I can't tell :/
15:43 < tread> but I have the VPN set up to use bridging (TAP instead of TUN) and to get an IP addy from the router's DHCP service... so I'm not sure if anything should be different after a successful connection. Any suggestions?
15:48 * tread doesn't want to have to run his laptop back and forth to McDonald's to get this working.
16:04 -!- admin0 [n=admin0@cm240.delta133.maxonline.com.sg] has quit ["Leaving"]
16:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:10 -!- bauruine [n=bauruine@host-88-80-29-52.cust.prq.se] has quit [Read error: 113 (No route to host)]
16:36 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Read error: 60 (Operation timed out)]
17:00 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"]
17:01 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
17:10 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:10 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
18:00 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:19 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
18:21 < Dougy> ecrist: ping
18:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:32 < Dougy> wo0t
18:32 < Dougy> massive forum prune time
18:34 < Dougy> over 1000 registered inactive usersf
18:34 < Dougy> fai
18:34 < Dougy> fail
18:35 < reiffert> 1000 registered inactive users fail in?
18:36 < reiffert> beeing inactive?
18:46 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has joined ##openvpn
18:46 < Caplain> is there some trick to get one vpn client to ping another?
18:49 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
18:55 < Dougy> reiffert: never activated
19:06 -!- Ycros [n=ycros@gnaw.yi.org] has quit [Remote closed the connection]
19:43 < Dougy> krzee:
19:43 < Dougy> .
19:47 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has quit []
19:53 < krzee> ,
19:58 < Dougy> krzee: still broke ?
20:21 -!- WormFood [n=wormfood@219.133.100.209] has quit [Read error: 60 (Operation timed out)]
20:22 -!- WormFood [n=wormfood@59.40.10.9] has joined ##openvpn
20:39 < garnser> Caplain: up-script?
20:40 < Caplain> garnser, the computers on the lans of the vpn clients can ping the other computers on the lans of the other vpn clients
20:40 < Caplain> thats fine for now
21:08 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
21:09 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
21:10 -!- master_of_master [i=master_o@p549D3E18.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D6CC5.dip.t-dialin.net] has joined ##openvpn
21:45 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:34 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
22:34 < ryanrhee90> hi all
22:35 < ryanrhee90> i'm having trouble setting up openvpn. i've tried turning off the firewall and it didn't help me. i'm really new to this so i don't know what to try. can someone help me please?
22:36 < ryanrhee90> anyone here?
22:40 < ryanrhee90> hello??
22:47 < ryanrhee90> anyone?
23:00 < ryanrhee90> hello??
23:17 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn []
23:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:53 -!- hyper_ch [n=hyper@adsl-62-167-53-241.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
23:55 -!- hyper_ch [n=hyper@adsl-89-217-165-91.adslplus.ch] has joined ##openvpn
--- Day changed Sat Aug 29 2009
00:18 -!- Caomai [i=shawn@li11-176.members.linode.com] has joined ##openvpn
01:05 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
01:18 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit ["Leaving"]
01:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:46 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
02:24 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
03:19 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
03:29 -!- Hyphenex [n=Hyphenex@nimue-37.its.uow.edu.au] has joined ##openvpn
03:30 < Hyphenex> hey, in my openVPN config file, how do I tell it to route everything in a subnet, say 130.123.0.0 through an IP and not through my VPN?
03:36 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has quit [Read error: 104 (Connection reset by peer)]
03:36 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has joined ##openvpn
03:38 < Hyphenex> I need to add that gateway before the default.. hmm
03:42 < reiffert> !def1
03:42 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
03:42 < reiffert> route add -net 130.123.0.0 gw ip
03:43 < Hyphenex> reiffert Thanks, that goes in my config file? :)
03:43 < reiffert> jup
03:43 < Hyphenex> before the redirect-gateway part?
03:44 < reiffert> Basically you cant do it with a config file, but every client got some batch scripts possibilities around
03:44 < Hyphenex> oh bummer, I thought the VPN config file would have an option for it
03:45 < reiffert> not that I know of, but you might wanna try the manpage.
03:45 < reiffert> !man
03:45 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
03:45 -!- tjoff [i=tjoff@h-63-94.A163.priv.bahnhof.se] has quit []
03:45 < reiffert> afk, watching cars driving in circles
03:46 < Hyphenex> okie doke. Thanks
03:50 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has quit [Read error: 60 (Operation timed out)]
04:05 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has joined ##openvpn
04:07 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has quit [Read error: 104 (Connection reset by peer)]
04:07 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has joined ##openvpn
04:10 -!- Caplain_ [i=shayne@caplain.sragger.com] has joined ##openvpn
04:10 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has quit [Read error: 104 (Connection reset by peer)]
04:12 -!- Hyphenex [n=Hyphenex@nimue-37.its.uow.edu.au] has quit [Remote closed the connection]
04:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:39 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
04:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:39 < svinkels> plop
04:40 < svinkels> how have you secured your file ca.key ?
04:41 < hyper_ch> ???
04:46 < svinkels> isn't the file ca.key the most sensitive ?
04:49 < hyper_ch> how do you secure your box?
04:52 < svinkels> yes
04:52 < hyper_ch> secure your box... that's how to secure the ca.key
04:53 < svinkels> at the moment i use the user nobody in my profile, but a tutorial says the best is to create a user openvpn with : useradd -d /dev/null -g openvpn -s /bin/false openvpn
04:54 < svinkels> how do you secure your ca.key ?
05:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:36 -!- Caplain_ is now known as Caplain
05:42 < Bushmills> against what?
06:16 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
06:35 < hyper_ch> Bushmills: I assume against everything
06:39 -!- brizly [n=brizly_v@p4FC9846F.dip0.t-ipconnect.de] has joined ##openvpn
06:53 -!- brizly1 [n=brizly_v@p4FC9997D.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:02 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
07:07 -!- paul__p [n=dexter_e@user2729.bc.airbites.ro] has joined ##openvpn
07:15 < WormFood> is there some way to run openvpn without tun/tap? I've googled, and can't seem to find an answer.
07:19 -!- dazo|h [n=dazo@188.148.248.2] has joined ##openvpn
07:21 < paul__p> Hello all, I have a question about openvpn & LAN & routing. I have a computer (let's call it SERVER) with 2 NICs, eth0 -> pppoe (internet/89.x.y.z) and eth1 (LAN - 192.168.0.1/24). I want to start an openvpn server on this computer (initially I assigned it 192.168.0.1, but this conflicts with the LAN network (and dhcpd), so I changed to 192.168.1.1), my problem is that it's not working right, I included (push "route 192.168.0.0 255.255.255.0") where 192
07:22 < paul__p> And If I run "ip r l" I get: 192.168.1.2 dev tun0 proto kernel scope link src 192.168.1.1
07:22 < paul__p> 89.38.a.b dev ppp0 proto kernel scope link src 89.34.y.z
07:22 < paul__p> 192.168.1.0/24 via 192.168.1.2 dev tun0
07:22 < paul__p> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
07:22 < paul__p> default dev ppp0 scope link
07:23 < paul__p> is this correct? I don't have internet access on vpn :(
07:24 < paul__p> Is it necessary to add "192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1 " ??
07:25 < paul__p> in firewall I have "-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE" , is it necessary to add for 192.168.1.0/24 , or just 192.168.1.1 (tun0 ip addr) or 192.168.1.2 ???
07:25 < paul__p> thank you in advance
07:26 < Bushmills> paul__p: http://scarydevilmonastery.net/masq is what I do for internet via remote VPN server (and redirect-gateway on vpn client)
07:27 < Bushmills> of course your $MYNET would be 192.168.1.0/24
07:28 < paul__p> Bushmills: Thank you very much
07:29 < Bushmills> yw
07:39 -!- dazo|h [n=dazo@188.148.248.2] has quit ["Leaving"]
08:02 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
08:13 -!- paul__p [n=dexter_e@user2729.bc.airbites.ro] has quit []
08:21 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:28 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:31 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
08:34 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
08:54 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
08:56 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:58 -!- sunrayser [i=sunrayse@82.131.201.163.pool.invitel.hu] has joined ##openvpn
08:59 < sunrayser> what can cause "NOTE: unable to redirect default gateway -- Cannot read current default gateway from system"?
09:01 < sunrayser> !interface
09:01 < vpnHelper> sunrayser: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
09:01 < sunrayser> !howto
09:01 < vpnHelper> sunrayser: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:01 < sunrayser> !route
09:01 < vpnHelper> sunrayser: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:01 < sunrayser> !redirect
09:02 < vpnHelper> sunrayser: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
09:02 < sunrayser> !def1
09:02 < vpnHelper> sunrayser: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
09:03 < sunrayser> !config
09:03 < vpnHelper> sunrayser: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
09:03 -!- dubphil [i=500eab4f@gateway/web/freenode/x-rtvywskshvcbqrai] has joined ##openvpn
09:05 < dubphil> Hello, I have setup a bridged mode vpn that I can connect to, but I can't ping the vpn network, I have also bridged the client tap device but I think that this is not well defined, anyone can help me please ?
09:07 < Bushmills> !factoids search tap
09:07 < vpnHelper> Bushmills: 'tap', 'mactuntap', 'wintaphide', 'tunortap', and 'obsdtap'
09:07 < Bushmills> !tunortap
09:07 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
09:07 < Bushmills> !route
09:07 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:07 < Bushmills> !tap
09:07 < vpnHelper> Bushmills: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming,
09:07 < vpnHelper> Bushmills: anything where the protocol uses MAC addresses instead of IP addresses.
09:08 < dubphil> my vpn server is in the network 192.168.100.0 and has given to the client the 192.168.100.100 but my client is in a 192.168.0.0 network
09:08 < dubphil> here is what I don't understand
09:09 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
09:09 < dubphil> to use a bridged vpn do I need to bridge the client also ?
09:10 < dubphil> this is unclear in all the docs and howtos I read
09:15 -!- sunrayser [i=sunrayse@82.131.201.163.pool.invitel.hu] has quit []
09:53 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
10:47 -!- Serideru1 [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
10:50 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
10:53 -!- Serideru1 [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Client Quit]
11:18 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
11:32 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn
11:35 < tread> Hi all. I just set up OpenVPN yesterday on my router. I set it up as a bridge (TAP instead of TUN). So I connect to the VPN, it says everything is fine, then it starts throwing out "read UDPv4 [EHOSTUNREACH]: No route to host (code=113)" error. And even though my tap0 IP is 192.168.1.99, I can't even ping the server @ 192.168.1.1. I don't know where to begin troubleshooting, can anyone please help?
11:39 < tread> I did already search Google pretty thoroughly, and found a couple of posts about this issue, but no solutions.
12:06 < tread> Ok, I've found out a bit about my problem. It comes from the fact that I'm on a network with subnet 192.168.1.0/24 and I'm bridging in to another subnet with the same prefix, so when it updates the routing tables, it loses the original route out of my network. Any suggestions for how to work around this without changing which subnet I'm on? (I'd like it to work regardless of my subnet of origin.)
12:12 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
12:12 < ryanrhee90> hi all
12:20 < tread> hi ryanrhee90
12:20 < ryanrhee90> hi!
12:20 < ryanrhee90> i was wondering if you could help me with setting up openvpn on my ubuntu box.
12:21 < ryanrhee90> (i've tried turning off the firewall) 12:21 < tread> I'd like to, but I'm also here for help setting up OpenVPN on my Ubuntu box. 12:26 -!- dubphil [i=500eab4f@gateway/web/freenode/x-rtvywskshvcbqrai] has quit ["Page closed"] 12:26 < ryanrhee90> :( ah. okay. 12:37 < hyper_ch> ryanrhee90: ubuntu wiki 12:38 < hyper_ch> !howto 12:38 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:48 -!- Caomai [i=shawn@li11-176.members.linode.com] has left ##openvpn [] 13:02 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit [Read error: 110 (Connection timed out)] 13:03 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn 13:19 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 13:19 -!- cool [n=cool@unaffiliated/gary4gar] has joined ##openvpn 13:19 -!- c64zottel [n=hans@p5B1794C4.dip0.t-ipconnect.de] has joined ##openvpn 13:22 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 13:23 < cool> Hi, I need to access my company website which is can be only be opened from White Listed IPs. My Office PC's IP is whitelisted while home's IP is not. Can I use OpenVPN to connect to My office computer and access that website. Is OpenVPN a solution? 13:24 < cool> Office PC run CentOS 5. 
Home PC run Windows XP SP2 13:25 < cool> a quicky reply will be help as I got some pending work to finish, if not then my boss will kill me :| 13:27 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit [Read error: 110 (Connection timed out)] 13:29 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn 13:35 < misse-> cool: your office pc probably has an internal IP which isn't accessible from the internet, if not, there's still probably a firewall in place to prevent from that kind of incoming connections 13:35 < misse-> cool: doesn't your work offer a VPN solution for you to work from home? 13:36 < cool> no, the Remote server is a Public IP. the thing is one needs to get His IP whitelisted from sysadmin before he can connect 13:37 -!- c64zottel [n=hans@p5B1794C4.dip0.t-ipconnect.de] has quit ["Leaving."] 13:37 < cool> Sysadmin whitelisted my office IP but as In Home I don't Have Static ip. the same is not possible here 13:38 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has quit [Read error: 104 (Connection reset by peer)] 13:39 < cool> ISP for Home gives dynamic IP which changes everytime 13:40 < cool> So I thought, I would connect to that remote server via tunneling through my Office PC 13:41 < cool> Infact, I already had setup OpenVPN on Office PC 13:41 < cool> I can successfully connect from my Windows XP powered box 13:52 -!- zeal [i=zeal@puffy.csbnet.se] has left ##openvpn [] 14:11 -!- cool_ [n=cool@59.95.160.254] has joined ##openvpn 14:11 -!- cool [n=cool@unaffiliated/gary4gar] has quit [Read error: 54 (Connection reset by peer)] 14:15 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 14:15 -!- cool [n=cool@unaffiliated/gary4gar] has joined ##openvpn 14:16 -!- cool_ [n=cool@59.95.160.254] has quit [Read error: 104 (Connection reset by peer)] 14:25 -!- gorkhaan [n=gorkhaan@adsl-101-101.globonet.hu] has joined ##openvpn 14:33 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined 
##openvpn 15:28 -!- cool [n=cool@unaffiliated/gary4gar] has quit [Read error: 104 (Connection reset by peer)] 15:28 -!- cool_ [n=cool@59.95.160.254] has joined ##openvpn 16:26 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 16:27 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 16:27 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn 16:32 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["IceChat - Keeping PC's cool since 2000"] 17:14 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 101 (Network is unreachable)] 17:16 -!- Ko_deZ [n=mt@084202122021.customer.alfanett.no] has joined ##openvpn 17:17 < Ko_deZ> Hi. I am trying to get some starcraft gaming to work. I have a openvpn network set up, using tap devices. I was under the impression that this should send all the broadcast messages trought the interface, but having a server and a client, and the client able to ping the server directly, I still get no answer when pinging on broadcast. What might I have forgotten? 17:29 < Ko_deZ> Maybe I put that in too many words. 17:29 < Ko_deZ> let me rephrase that. 17:30 < Ko_deZ> For two connecting clients, what more than using tap devices is needed to get broadcast between them? No bridging into other networks, just between the VPN clients. 
17:47 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has joined ##openvpn
17:50 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:54 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has quit []
17:55 < misse-> Ko_deZ: hm, depending on how you configured it, there's a chance that your two clients aren't even on the same network, despite being connected to the same vpn
17:56 < misse-> Ko_deZ: I'd recommend you look into bridging instead :)
17:56 -!- cool_ [n=cool@59.95.160.254] has quit [Read error: 110 (Connection timed out)]
18:07 -!- gorkhaan [n=gorkhaan@adsl-101-101.globonet.hu] has quit ["Távozom"]
18:13 -!- Ko_deZ [n=mt@084202122021.customer.alfanett.no] has quit [Remote closed the connection]
18:23 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
18:30 < svinkels> hello
18:30 < svinkels> you know this : 9090/tcp open zeus-admin
18:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
18:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
18:39 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
18:52 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:52 < Dougy> ecrist: there ?
19:27 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
19:59 < tread> hi all. Is it common to need to add the "float" option to client config files? Because without that directive, it connects to the VPN server using the server's WAN IP, but then once it's connected it starts receiving packets from the server's LAN IP, and so it rejects them.
20:01 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
20:54 -!- cool [n=cool@unaffiliated/gary4gar] has joined ##openvpn
20:55 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
21:11 -!- master_of_master [i=master_o@p549D6CC5.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:11 -!- dafex [n=britishf@94.75.253.247] has joined ##openvpn
21:13 < dafex> is there a way to set up openvpn to connect upon windows startup before the machine connects to the internet in any other way?
21:14 -!- master_of_master [i=master_o@p549D6CA2.dip.t-dialin.net] has joined ##openvpn
22:01 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
22:02 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit [Client Quit]
22:06 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
22:14 -!- cool_ [n=cool@209.200.240.73] has joined ##openvpn
22:15 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
22:16 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
22:21 -!- cool [n=cool@unaffiliated/gary4gar] has quit [Read error: 60 (Operation timed out)]
22:22 -!- cool_ is now known as cool
22:38 -!- cool [n=cool@209.200.240.73] has quit [Read error: 104 (Connection reset by peer)]
22:45 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
--- Day changed Sun Aug 30 2009
00:31 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
00:33 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit [Client Quit]
00:47 -!- dafex [n=britishf@94.75.253.247] has quit ["Lost terminal"]
01:00 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 60 (Operation timed out)]
01:11 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
01:23 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"]
03:07 -!- kamalparyani [n=puppy@125.99.66.138] has joined ##openvpn
03:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
03:16 -!- kamalparyani [n=puppy@125.99.66.138] has quit ["Leaving"]
03:45 -!- Wulf_ [n=wulf@f054101093.adsl.alicedsl.de] has joined ##openvpn
03:45 < Wulf_> Hello!
03:52 -!- joako [n=joako@opensuse/member/joak0] has joined ##openvpn
03:52 < joako> How can I get more details about a generic TLS error?
04:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:01 -!- c64zottel [n=hans@p5B1797A6.dip0.t-ipconnect.de] has joined ##openvpn
05:01 -!- c64zottel [n=hans@p5B1797A6.dip0.t-ipconnect.de] has left ##openvpn []
05:19 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has joined ##openvpn
05:19 < svinkels> plop
05:20 < svinkels> i know what service opens this port : 9090/tcp open zeus-admin
05:20 < svinkels> when i run nmap for my ip address, i have this open ....
05:23 -!- Wulf_ [n=wulf@f054101093.adsl.alicedsl.de] has left ##openvpn []
05:51 -!- joako [n=joako@opensuse/member/joak0] has quit [Read error: 113 (No route to host)]
06:05 -!- mirco [n=mirco@p54B24E89.dip.t-dialin.net] has joined ##openvpn
06:13 -!- gorkhaan [n=gorkhaan@adsl-101-101.globonet.hu] has joined ##openvpn
06:17 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
06:20 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
06:40 -!- brizly1 [n=brizly_v@p4FC981E5.dip0.t-ipconnect.de] has joined ##openvpn
06:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:53 -!- brizly [n=brizly_v@p4FC9846F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
07:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
07:24 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
07:27 < eliasp> is there a way to have the hostname which can't be resolved in the logs when seeing this message: read UDPv4 [EHOSTUNREACH]: No route to host (code=113)
07:51 < Optic> moo
08:01 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
08:03 < ecrist> good morning.
08:12 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
08:32 -!- svinkels [n=svinkels@seb44-1-88-163-78-7.fbx.proxad.net] has quit [Remote closed the connection]
08:44 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:00 < |Mike|> eliasp: fix a route
09:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:16 < eliasp> |Mike|: the routes are IMHO ok: http://dpaste.com/87296/ ... i have the same routes on 2 other boxes which don't cause any trouble...
09:16 < eliasp> but now (verb 6) i see another suspicious message in the log: UDPv4 READ [0] from [undef]:1194: DATA UNDEF len=-1
09:16 < eliasp> any idea what this could mean / what could cause this?
09:19 < |Mike|> can you ping the gateway ?
09:20 < eliasp> yes, works fine so far... the strange thing regarding the OpenVPN trouble is... it works sometimes, then it doesn't work again... couldn't find out yet why/when it doesn't work...
09:21 < eliasp> the connection is randomly interrupted + then i see these messages in the log...
09:27 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has joined ##openvpn
09:28 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has quit [Client Quit]
09:35 < |Mike|> could you paste client and server log (verb 6) at pastebin ?
09:45 < eliasp> ok, preparing server log now with verb 6..
09:53 -!- c64zotte1 [n=hans@p5B179E2E.dip0.t-ipconnect.de] has joined ##openvpn
09:55 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
10:06 -!- gorkhaan [n=gorkhaan@adsl-101-101.globonet.hu] has quit ["Távozom"]
10:10 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
10:15 < eliasp> uuuh, the server log grows really big.... 56M now... just looking for the matching lines...
10:18 < |Mike|> eh, what the
10:21 < eliasp> hmm, nothing suspicious in the server log... even when using verb 6 ... i'll go back to verb 3 for the server log
10:28 -!- mirco [n=mirco@p54B24E89.dip.t-dialin.net] has quit []
10:36 -!- c64zottel [n=hans@p5B179350.dip0.t-ipconnect.de] has joined ##openvpn
10:37 -!- mirco [n=mirco@84.178.78.137] has joined ##openvpn
10:51 -!- c64zotte1 [n=hans@p5B179E2E.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
11:02 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
11:02 < Dougy> ecrist: ecrist ecrist
11:02 < Dougy> haha
11:30 -!- c64zottel [n=hans@p5B179350.dip0.t-ipconnect.de] has left ##openvpn []
11:42 < ecrist> Dougy: what
11:46 < Dougy> did you rcv my pm
12:00 -!- davidisk1 is now known as davidisko
12:00 -!- TechnOo [i=BingO@wlan-s-177.hh.se] has joined ##openvpn
12:00 < TechnOo> Hii Rooom
12:00 < TechnOo> wow.. many people.
12:00 < TechnOo> hope i will get help
12:01 < TechnOo> i have set up webmin.. and also have added the openVPN module and its package OpenVPN
12:01 < TechnOo> now i want to configure it..
12:01 < TechnOo> so how can i do that ?
12:02 < eliasp> TechnOo: i'd recommend not to use webmin... better write the config files on your own... there's a lot of documentation here: http://openvpn.net/index.php/open-source/documentation.html
12:02 < vpnHelper> Title: Documentation (at openvpn.net)
12:08 < Dougy> TechnOo:
12:08 < Dougy> !howto
12:08 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:08 < Dougy> :)
12:08 < Dougy> if we dont help
12:08 < Dougy> !forum
12:08 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
12:08 < Dougy> :)
12:11 < TechnOo> Thanks a lot
12:17 < tread> Hi all. Is it possible to give the LAN I'm VPNing into a different subnet? I want to talk to other computers on the same subnet as the VPN server (192.168.1.1), but, for example, if the IP on the server's lan is 192.168.1.x (for some x 0-255), I would like to be able to talk to it by calling it 10.8.0.x. Is this possible?
12:18 < Dougy> im having a bad day tread
12:18 < Dougy> but i think so
12:21 < tread> ah, well i've been trying to figure out a way to do it using the `route`, `ifconfig` and other options, but I can't find a way. about the ROUTE option
12:25 < tread> (ignore that last sentence fragment)
12:36 < ecrist> tread: not really, without policy-routing on the VPN server
12:55 < tread> ecrist, ok, i just wish there was some way to make this work smoothly without knowing in advance that the subnet of my client's LAN will be different from that of my server's LAN... seems like this should be a common enough problem.
12:56 < ecrist> it is a common problem to those who don't plan accordingly
12:57 < ecrist> you could use a better subnet for your server LAN
12:57 < tread> plan how? I can control the server's subnet, but I can't control or predict the client's subnet since I don't know everywhere that I'll want to connect from.
12:57 < ecrist> 192.168.0/23 is not a good choice
12:58 < ecrist> use the 10.x subnet
12:58 < ecrist> that is typically an enterprise network subnet, whereas the 192.168.0/23 is used for most consumer LANs
13:00 < ecrist> use anything here:
13:00 < ecrist> !1918
13:00 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:01 < tread> ecrist, I suppose I will take your advice and do that, but I still won't be able to test the VPN from within the VPN server's subnet though (i.e., I can't connect to my home network via VPN while my client is physically on that same home network). That's not a huge problem, but I'm confused as to how Windows PPTP VPN servers are able to handle this so flawlessly and OpenVPN isn't.
13:02 < ecrist> PPTP would have had the same problem OpenVPN has regarding IP conflicts.
13:02 -!- joako [n=joako@opensuse/member/joak0] has joined ##openvpn
13:06 < tread> ecrist, I have only an anecdote to the contrary, but I set up a PPTP VPN server on my parents' Windows network a little while back, and I tested it first from within the same network, and it worked flawlessly, I could ping and ssh into other machines on the network, and all of that still works when I connect remotely (usually from another home LAN with the same subnet)
13:07 < ecrist> tread: it is not usually a good idea to connect to a VPN server that resides on the network which you're already connected to.
13:07 < ecrist> you get circular routing
13:07 < ecrist> honestly, if it's worked for you in the past, you go lucky.
13:08 < ecrist> s/go/got/
13:08 < ecrist> IP conflicts are not something to be handled by the VPN server, they're to be handled by the admin
13:08 < ecrist> use a sensible IP subnet and carry on.
13:08 < tread> will do.
13:09 < tread> I guess I'll go back to using a TAP bridge then. My only reason for switching to a routed (TUN) VPN was that I thought I could make this conflict go away.
13:09 < ecrist> you're going to have the same problem with a TAP bridge.
13:11 < tread> i know. i had the problem earlier, which is why I switched to TUN.
13:11 < tread> so it appears there was no reason for me to switch to TUN.
13:12 < ecrist> I
13:12 < ecrist> m not aware of anyone suggesting you do so...
13:13 < tread> yeah. got the idea from some poorly written forum posts/
13:21 < joako> I've successfully set up OpenVPN and have the link up. I can access from server LAN -> Client but not from client -> server LAN, only client -> server machine
13:22 < joako> I see rx and tx activity on tun0 on server but not on tap0....
13:28 < ecrist> firewall
13:37 < joako> Which would be the correct rule to add? I've tried iptables -A FORWARD -i tun+ -j ACCEPT from the FAQ and that didn't work
13:50 -!- Longkong [i=50db404d@gateway/web/freenode/x-kcckuqgenuluuazp] has joined ##openvpn
13:51 < Longkong> hi :)
13:51 < Longkong> I am trying to set up a new OpenVPN 2.1 Server with port-share, I can't get it to work though..
13:52 < Longkong> Do I have to do something special on the client side as well?
13:52 < Dougy> o.O
13:52 < Dougy> just bought an ipod touch
14:01 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
14:03 < hyper_ch> ipods are evil
14:16 < BasketCase> wish I could disagree and I own two of them. Wouldn't want a touch though.
14:24 < Dougy> ecrist: im pissed
14:24 < Dougy> i spent 30 minutes setting this fking plugin up
14:24 < Dougy> and its not working
14:29 < Dougy> hm
14:29 < Dougy> there we go
14:30 < Dougy> http://www.ovpnforum.com/smartfeed.php?&limit=1_DAY&count_limit=20&sort_by=standard&feed_type=RSS2.0&feed_style=HTML
14:30 < vpnHelper> Title: OpenVPN ForumOpenVPN ForumConfiguration :: I think routing is my issue... :: Author Unca Xitron (at www.ovpnforum.com)
14:42 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has joined ##openvpn
14:43 -!- Folko [n=quassel@static.15.33.40.188.clients.your-server.de] has quit [Read error: 104 (Connection reset by peer)]
14:46 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit [Read error: 110 (Connection timed out)]
14:46 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has joined ##openvpn
--- Log closed Sun Aug 30 14:59:39 2009
--- Log opened Sun Aug 30 14:59:43 2009
14:59 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
14:59 -!- Irssi: ##openvpn: Total of 69 nicks [0 ops, 0 halfops, 0 voices, 69 normal]
14:59 -!- Kreg-Work [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
14:59 -!- eliasp [n=quassel@95.208.45.212] has joined ##openvpn
15:00 -!- hyper_ch [n=hyper@adsl-89-217-165-91.adslplus.ch] has joined ##openvpn
15:00 -!- Irssi: Join to ##openvpn was synced in 32 secs
15:04 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
15:05 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
15:13 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
15:13 < troy-> how can i announce different routes for different users?
15:19 < reiffert> !ccd
15:20 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
15:22 < troy-> reiffert, do i need to redefine everything in the sub config?
15:22 < reiffert> ", but only for the specified client based on common-name
15:22 < reiffert> "
15:23 < troy-> ahhh sorry reading comprehension problem :P
15:30 -!- Sakkath [i=sakkath@68.229.95.106] has joined ##openvpn
15:31 < Sakkath> linux server, windows client, connects and gets an ip with no problem. does all my traffic automatically go through the tunnel or is there something i need to change? i can't seem to find an answer on google
15:32 < Dougy> hello troy-
15:32 < troy-> hey
15:32 < troy-> got it workin'
15:33 < Dougy> what are you up too
15:33 < Dougy> s/too/to/
15:34 < troy-> needed to make some config changes to a friend's box
15:34 < troy-> now just chilling
15:36 < Sakkath> it's push redirect-gateway?
15:37 < Sakkath> do i need to do anything in iptables on the server box?
15:40 < Dougy> yes
15:40 < Dougy> read the
15:40 < Dougy> !howto
15:40 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:46 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
15:47 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
15:50 -!- Sakkath [i=sakkath@68.229.95.106] has left ##openvpn []
16:18 -!- CoffeeIV_ [n=CoffeeIV@adsl-99-162-117-1.dsl.austtx.sbcglobal.net] has joined ##openvpn
16:21 -!- jeiworth [n=jeiworth@189.163.134.102] has joined ##openvpn
16:23 < CoffeeIV_> !route
16:23 < vpnHelper> CoffeeIV_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:25 -!- Longkong [i=50db404d@gateway/web/freenode/x-kcckuqgenuluuazp] has quit ["Page closed"]
16:50 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
16:52 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
17:00 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
17:09 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
17:21 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
17:48 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
18:16 -!- countd [n=countd@unaffiliated/countd] has joined ##openvpn
18:21 -!- TechnOo [i=BingO@wlan-s-177.hh.se] has left ##openvpn []
18:30 -!- PokerFacePenguin [n=joe@68.16.15.79] has joined ##openvpn
18:31 < Dougy> hello bitches
18:41 -!- PokerFacePenguin [n=joe@68.16.15.79] has left ##openvpn []
18:42 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:01 -!- code- [i=code@antenora.aculei.net] has left ##openvpn []
19:31 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
19:38 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
19:45 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:51 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:55 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
19:57 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has joined ##openvpn
19:58 -!- syntaxcollector [n=syntaxco@S0106001310f0b4c7.vc.shawcable.net] has quit [Client Quit]
20:04 -!- NfNitLoop [n=codyc@ool-4a58802b.dyn.optonline.net] has quit ["leaving"]
20:13 -!- W0rmF00d [n=wormfood@59.40.80.213] has joined ##openvpn
20:13 -!- WormFood [n=wormfood@59.40.10.9] has quit [Read error: 104 (Connection reset by peer)]
20:16 -!- joako [n=joako@opensuse/member/joak0] has quit [Read error: 113 (No route to host)]
20:32 -!- joako [n=joako@opensuse/member/joak0] has joined ##openvpn
20:32 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
20:33 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit [Client Quit]
20:37 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Read error: 104 (Connection reset by peer)]
20:38 -!- mirco [n=mirco@84.178.78.137] has quit [Read error: 145 (Connection timed out)]
20:39 -!- mirco [n=mirco@p54B25C3F.dip.t-dialin.net] has joined ##openvpn
20:41 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
21:11 -!- master_of_master [i=master_o@p549D6CA2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D409B.dip.t-dialin.net] has joined ##openvpn
21:27 -!- jeiworth [n=jeiworth@189.163.134.102] has quit [Read error: 110 (Connection timed out)]
21:30 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:33 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit]
21:39 -!- prg3 [n=prg3@playground.cein.ualberta.ca] has left ##openvpn []
22:03 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
22:33 -!- joako [n=joako@opensuse/member/joak0] has quit [Read error: 113 (No route to host)]
22:39 < Dougy> ecrist_: hope you got the pm
22:39 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
23:28 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:29 -!- joako [n=joako@opensuse/member/joak0] has joined ##openvpn
23:47 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
23:53 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has quit [Read error: 60 (Operation timed out)]
23:56 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has joined ##openvpn
--- Day changed Mon Aug 31 2009
00:12 -!- mirco [n=mirco@p54B25C3F.dip.t-dialin.net] has quit []
00:25 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
00:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:39 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
00:47 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
00:50 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn
00:53 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
00:54 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
01:08 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
01:09 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Success]
01:09 -!- mirco_ is now known as mirco
01:15 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
01:21 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)]
01:21 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:01 -!- c64zottel [n=hans@p5B179B98.dip0.t-ipconnect.de] has joined ##openvpn
02:02 -!- c64zottel [n=hans@p5B179B98.dip0.t-ipconnect.de] has left ##openvpn []
02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:25 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
02:44 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote closed the connection]
02:50 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has quit [Read error: 60 (Operation timed out)]
02:52 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has joined ##openvpn
02:58 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn
03:19 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:41 -!- joako [n=joako@opensuse/member/joak0] has quit [Read error: 104 (Connection reset by peer)]
04:11 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
04:40 -!- c1rcuit [n=c1rcuit@pool-71-250-21-223.nwrknj.east.verizon.net] has joined ##openvpn
04:41 < c1rcuit> I installed openvpn properly, but why is it that no folder called openvpn was created in /etc
04:41 < c1rcuit> ?
04:44 < reiffert> please define "i", "properly" and "installed".
04:45 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
04:48 < c1rcuit> I installed openvpn via sudo apt-get install openvpn, ./configure, make, and make install
04:48 < c1rcuit> everything seemed to go well
04:48 < c1rcuit> however i notice there is no /etc/openvpn
04:49 < c1rcuit> just wanted to know why this is so
04:53 -!- c1rcuit [n=c1rcuit@pool-71-250-21-223.nwrknj.east.verizon.net] has left ##openvpn ["Leaving"]
05:15 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
05:19 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
05:24 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
05:47 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
06:05 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
06:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:18 -!- Signum [i=chaas@debian/developer/pdpc.base.haas] has joined ##openvpn
06:19 < Signum> Hi. Is there documentation on how to compile a Windows package? I want to deploy the 2.1rc19 but the only precompiled binaries I could find were 2.1beta7.
06:19 < Signum> Or is there a way to extract the bare files from the EXE installer?
06:30 < kala> Signum: http://www.openvpn.net/release/openvpn-2.1_rc19-install.exe ?
06:31 < kala> this doesn't work for you?
06:32 < Signum> kala: It would. But we are preconfiguring the NSI-based installer to deploy ready EXEs to our users.
06:33 < Signum> kala: Plan B is to tell them to install the rc19 manually and then we'll send them a ZIP with the config files they have to extract into their config/ directory.
06:33 < kala> well, you could create e Visual Basic script for installation and config files and everything 06:34 < kala> we have one which removes the old version, turns off unsigned driver warning, installs openvpn, turns warning back one, puts config files in place and starts the daemon 06:34 < Signum> kala: I'm preparing the installer from Linux (where the OpenVPN server and CA is located) using "nsis". So I'd like to stay there. All I need is the executable files. :) 06:35 < kala> ah 06:35 < kala> don't know about this "NSIS" stuff 06:35 < kala> although, Linux would be nice :) 06:35 < Signum> How exactly do you do the configuration? Sounds like I love it already. :) 06:36 < kala> the config is the text file, right? 06:36 < Signum> Right. 06:36 < Signum> And there's is the ca.crt and the user's key and cert. 06:36 < kala> and all my clients use the same file 06:36 < Signum> Oh, okay. 06:36 < kala> the user cert is managed by Windows 06:36 < Signum> Hmmm. 06:36 < kala> and Active Directory 06:36 < kala> the "machine cert" actually 06:37 < Signum> I wonder if I could send the user something that *uses* the openvpn-2.1_rc19-install.exe, installs it (warnings disabled magically) and then copy the config over. 06:37 < kala> I suppose even a .bat file could do that 06:38 < kala> more difficult to write and debug perhaps 06:39 -!- brizly [n=brizly_v@p4FC98A56.dip0.t-ipconnect.de] has joined ##openvpn 06:40 < kala> although, something is still wrong, because my Windows clients drop the VPN tunnel for no apparent reason. "Inactivity timeout, restarting" and I'm not able to figure out, if this is WIFI network, Windows or OpenVPN fault 06:42 < Signum> Oh, did I mention that I'm just having trouble with Vista users? :) 06:42 < Signum> Our installer works perfectly on WinXP. But fails on Vista. 06:42 < Signum> That why I had hopes in the rc19 version instead of the beta7. 
06:42 < kala> oh, wonderful world of Microsoft
06:42 < kala> yeah, somebody told me that they had to use the RC19 (or some high number) to get things running on Vista
06:43 < kala> not my managed client, but one of the partners. We are still using XP
06:43 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
06:44 < Signum> We are officially only supporting XP for a reason (I don't use Windows at all for myself). But guess who has installed Vista on his computer. Our PHB. :)
06:45 < Signum> He hasn't yet agreed to update to XP.
06:47 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
06:48 < kala> windows 7 is right around the corner ;)
06:49 < Signum> Great... I'm so looking forward to it.
06:50 < Signum> I stopped using Windows a few months after XP came out. Must have been a while already. If I invest time into my system then I prefer it starts with "L".
06:55 -!- brizly1 [n=brizly_v@p4FC981E5.dip0.t-ipconnect.de] has quit [Connection timed out]
07:24 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:26 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection]
07:30 -!- ribasushi [n=rabbit@dslb-084-063-046-216.pools.arcor-ip.net] has joined ##openvpn
07:31 < ribasushi> hi
07:31 < ribasushi> can someone point out what's wrong here: http://pastebin.com/m7be25d5d
07:32 < ecrist_> good morning.
07:35 < ecrist_> ribasushi: you don't give us much to go on.
07:35 < ribasushi> ecrist_: let me know whatever else you might need
07:36 < ecrist_> I don't think you need the dev tun_cc at the end
07:36 < ecrist_> not sure how this relates to OpenVPN, thoug.
07:36 < ecrist_> though*
07:37 < ribasushi> let me paste something else
07:41 < ribasushi> ecrist_: here http://pastebin.com/m719a705f
07:42 < ribasushi> ecrist_: 10.0.58.1 can ping .50 and vice-versa
07:43 < ecrist_> I didn't doubt that
07:44 < ecrist_> I was saying your command should likely be 'ip route add 192.168.59.0/24 via 10.0.58.50'
07:44 < ribasushi> same: ip route add 192.168.59.0/24 via 10.0.58.50
07:44 < ribasushi> whoops
07:44 < ecrist_> ribasushi: check this out
07:44 < ribasushi> RTNETLINK answers: No such process
07:44 < ecrist_> !iroute
07:44 < vpnHelper> ecrist_: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
07:45 < ribasushi> ecrist_: hmmm... before I do that, I need to add something to the routing table first don't I?
07:45 < ribasushi> I mean before I adjust openvpn how to cope with it
07:47 < ecrist_> no
07:47 < ecrist_> not necessarily
07:48 < ecrist_> !all
07:48 < vpnHelper> ecrist_: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
07:48 < ecrist_> hook us up with that information (specifically the configs) and tell us what you're expecting to see.
07:48 < ecrist_> we'll tell you what's wrong
07:48 < ribasushi> that's a lot of stuff to sanitize...
07:48 < ribasushi> basically I am expecting to be able to point out to the router that a specific subnet lies behind the tunnel
07:48 < ribasushi> I get the "no such process"
07:49 -!- Signum [i=chaas@debian/developer/pdpc.base.haas] has left ##openvpn []
07:49 < ecrist_> all you need to do is point the LAN to the OpenVPN server, and put in place a proper iroute
07:50 < ecrist_> no hard routing tables on the OpenVPN server, the OpenVPN daemon will handle all that.
07:51 < ribasushi> how will the kernel of the server know to hand packets to 192.168.59.X to the openvpn instance, without a routing table entry?
07:52 < ecrist_> did you read the comment above regarding iroute?
07:52 < ecrist_> it's also covered in the man page
07:52 < ribasushi> yes I did, and it has nothing to do with my question... anyway I'll keep trying
07:52 < ecrist_> put the iroute in
07:53 < ecrist_> you don't need the entry in the kernel routing table
07:53 < ecrist_> !man
07:53 < vpnHelper> ecrist_: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:53 < ecrist_> try that, too.
07:54 < ribasushi> from your manual: Remember that you must also add the route to the system routing table as well
07:54 < ecrist_> excellent, so do it.
07:55 < ribasushi> I can't as shown in the pastebin :)
07:55 < ecrist_> what OS, and can you show me the routing tables?
07:58 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
08:07 < Optic> moo
08:07 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:08 -!- MadTBone__ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:24 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:24 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:24 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Remote closed the connection]
08:27 -!- nohup_ [n=nohup@chef6.nohup.nl] has joined ##openvpn
08:27 < nohup_> good morning everyone!
08:28 -!- MadTBone__ [n=MadTBone@160.39.238.196] has quit ["Leaving"]
08:28 -!- MadTBone__ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:28 -!- MadTBone__ [n=MadTBone@160.39.238.196] has quit [Client Quit]
08:29 -!- MadTBone__ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:45 -!- You're now known as ecrist
08:53 < |Mike|> hi!
08:54 < reiffert> sshhht.
09:00 < nohup_> i have this weird problem with openvpn that when i tunnel over UDP, certain packets break (i.e. some pages load over www, others don't.. depending on the content)
09:00 < nohup_> when tunneling over tcp, they all work
09:00 < nohup_> it's not random, it's completely consistent
09:02 < nohup_> ssh will hang forever, because something breaks during handshake (i DO get the "SSH-2.0-lshd-2.0.2" reply when i netcat to port 22 of my server over the openvpn tunnel)
09:02 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has joined ##openvpn
09:02 < nohup_> i can't seem to lay my finger on it... funny thing is that it is also dependent on the location.. it did work a few days ago when i was in a hotel...
09:13 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn
09:14 < JoelR> Hi i have a vpn server, and i want to connect from another machine that has a network behind it (this machine would be a gw for its subnet), i am using client-config-dir and route 192.168.1.0 255.255.255.0 but it does not work, anyone could help me? i want to interconnect two lans
09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:27 < melvin_> by using tls-auth on tcp-server the client gets a "connection reset, restarting" after some while. keepalive is configured.
09:27 < melvin_> without tls-auth the client stays connected for several days
09:35 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:37 < nohup_> melvin_: was that in reply to my question ? :)
09:41 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:41 < JoelR> anybody?? :S
09:42 -!- jeiworth [n=jeiworth@189.177.252.153] has joined ##openvpn
09:42 < Bushmills> JoelR: ever bothered to read /topic?
09:42 < JoelR> !route
09:42 < vpnHelper> JoelR: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:43 * Bushmills applauds JoelR
09:43 < JoelR> Bushmills, you are so kind..
09:43 < Bushmills> don't be mistaken :P
09:47 < nohup_> AH! i found my problem
09:47 < ecrist> melvin_: what is your keepalive?
09:47 < nohup_> for some reason openvpn sets the mtu differently on both ends...
09:48 < nohup_> so some packets with mtu's bigger than set on the server, but smaller than on the client.. just don't make it across the tunnel using udp
09:48 < nohup_> is.. this a known 'issue'? (wouldn't call it a bug)
09:48 < nohup_> and is there a way to set this in the configuration file?
09:49 < melvin_> ecrist: keepalive 20 120
09:50 < melvin_> seems to only occur by using login plugin
09:51 -!- tecchi [n=tecchi@81.210.161.128] has joined ##openvpn
09:53 < ecrist> !mtu
09:53 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
09:53 < ecrist> I'd start with the login plugin and adjust keepalive from there
09:53 < ecrist> I think mine is 10 120, lemme check
09:54 < ecrist> aye, 10 120 for my server, works like a charm.
09:56 -!- tecchi [n=tecchi@81.210.161.128] has left ##openvpn []
09:58 -!- nohup_ [n=nohup@chef6.nohup.nl] has quit [Read error: 60 (Operation timed out)]
09:58 -!- nohup [n=nohup@5ED5921C.cable.ziggo.nl] has joined ##openvpn
10:00 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:03 < nohup> hmm.. i just had it working... now i tried restarting openvpn, and i'm getting broken connections again, even though i keep setting the mtu at the same size on both sides...
10:03 < melvin_> i changed it to those values
10:10 < melvin_> the same again. after 12 min Server says: Connection reset, restarting [-1]
10:11 < nohup> i cannot find anything on google regarding this (probably mtu) problem...
10:11 < ecrist> melvin_: that's normal
10:12 < melvin_> if i disable tls-auth or plugin it works like a charm
10:12 < ecrist> it should not actually disconnect you
10:12 < ecrist> it's just renegotiating the keys
10:12 < melvin_> but i have to reenter the login data on the client
10:14 < melvin_> i'd like to use tls-auth but i can't reenter login data every 10 minutes.
10:15 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:23 -!- tecchi [n=tecchi@ip-81-210-161-128.unitymediagroup.de] has joined ##openvpn
10:24 -!- tecchi [n=tecchi@ip-81-210-161-128.unitymediagroup.de] has quit [Remote closed the connection]
10:25 < nohup> weird.. had it working once.. now i can't seem to get any useful connection to stay alive over the vpn...
10:25 < nohup> nobody ever had problems with connections breaking due to incorrect mtu settings ?
10:27 < nohup> hmm...
10:28 < nohup> i'll ask again when it's not this early in the morning ;)
10:28 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
10:35 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:45 -!- Deffie_ [n=Deffie@195.62.234.66] has joined ##openvpn
10:47 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 113 (No route to host)]
10:47 -!- Deffie_ is now known as Deffie
10:55 -!- explore [n=msparker@pool-173-74-61-155.dllstx.fios.verizon.net] has quit ["Lost terminal"]
10:58 -!- JoelR [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
10:58 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:58 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn
10:59 < nohup> man.. i finally got it fixed... this is insane.. had to change the MTU to... 400!
10:59 < nohup> that is SO damn low it's almost useless :)
11:00 < nohup> but anyways, i now have 'tunneled' my home landline on another continent here to my place in the usa
11:00 < nohup> which is pretty cool :)
11:03 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn
11:14 < melvin_> ecrist: Problem occurs only if i ping a server constantly in terminal
11:31 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
11:42 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit]
11:43 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:54 -!- nohup [n=nohup@5ED5921C.cable.ziggo.nl] has quit ["Disconnecting"]
11:56 -!- nohup [n=nohup@2001:5c0:1503:eb00:21e:8cff:fe54:4410] has joined ##openvpn
12:04 -!- ambro718 [n=ambro@BSN-77-101-149.dsl.siol.net] has joined ##openvpn
12:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:12 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:17 < ambro718> How do I get openwrt to automatically configure the IP address of my tun/tap interface? I've created an init script to run before the 'network' script runs (START=39) to create the interface, and configured it in /etc/config/network. However, on boot the interface is created, but not configured.
12:23 < ecrist> /j #openwrt
12:25 < |Mike|> openvpn creates the tun/tap device...
12:26 < ecrist> |Mike|: who is that directed at?
12:26 < |Mike|> this idle channel
12:28 < BasketCase> yes, there should be no OS level configuration for a tun or tap interface
12:34 < ambro718> sorry wrong channel
12:46 < ecrist> you could both be wrong.
12:47 < krzee> yup
12:47 < krzee> tap does require config
12:47 < krzee> tun does not
12:47 < ecrist> I manually configure my tap device on a bridged VPN, and it is used, and a component of a bridge, even when the VPN server is non-operational.
12:47 < krzee> well tap does if bridging that is
12:47 < krzee> wassup eric =]
12:48 < ecrist> heya krzee, back from your travels?
12:48 < krzee> ya been back for a lil but been busy as shit since i got back
12:48 < krzee> gunna go look at a house in a few
12:48 < krzee> ive been looking but still havnt bought
12:48 < ecrist> nice.
12:50 < krzee> amsterdam was WAY fun
12:50 < krzee> everyone out there was way cool
12:50 < krzee> even random people met on the street
12:52 < ecrist> that's a place I've always wanted to visit. Doesn't look like I'll be doing much travel for the next 10-15 years, though (two kids, three dogs, etc)
12:52 < ecrist> australia and ireland, as well
13:02 -!- Longkong [i=50db404d@gateway/web/freenode/x-yjxijxysecnwijky] has joined ##openvpn
13:03 < Longkong> Hi...
13:05 < Longkong> I am trying to setup a port-share setup
13:05 < Longkong> But it is not working ;/
13:06 < Longkong> According to the logs, it seems to ignore this line, however when I change the server for example to a udp server, it complains that this is not possible with a port-share setup
13:12 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
13:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
13:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
13:31 -!- ambro7181 [n=ambro@BSN-77-101-149.dsl.siol.net] has joined ##openvpn
13:32 < ambro7181> Is there some way to make openvpn more cpu-efficient? I've set it up on a linksys router to provide a virtual network bridged with my ISP's iptv network, but it's so slow I can barely watch one channel. I have to use TCP for transport, and I've already disabled encryption.
13:32 < BasketCase> is there any way you can get out of using TCP?
13:33 < ecrist> !tcp
13:33 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
13:33 < BasketCase> because TCP is horrible for any kind of streaming service
13:33 < BasketCase> once a packet is missed or delayed you don't need it anymore
13:33 < ecrist> s/horrible/the wrong protocol to use/
13:33 < BasketCase> because it is horrible :P
13:34 < ecrist> no, it's not horrible, it's simply the wrong one.
13:34 < BasketCase> well, in my experience it is both
13:35 < ambro7181> ecrist: I know it is, but I need it - it completely avoids packet loss when I watch TV over wireless
13:35 < ecrist> that's akin to saying minivans are horrible. they're great for getting the family across town, but probably not right for walking around the mall
13:35 < BasketCase> I didn't say horrible with no context
13:35 < ambro7181> I can't watch TV on wireless because half of the multicast datagrams are lost
13:35 < ecrist> ambro7181: sure, and if you read the link I sent, and BasketCase's comments, you'll understand why you're having problems.
13:35 < BasketCase> ambro7181: yes, it avoids packet loss by retransmitting packets you don't need or want anymore
13:36 < ambro7181> that's the whole purpose, without it my IPTV is unwatchable over wireless
13:36 < ecrist> ambro7181: you need better wireless, then
13:36 < ambro7181> it's the sole reason I'm setting up VPN
13:36 < ecrist> read the tcp link
13:36 < BasketCase> yep
13:37 < ambro7181> no, I've tried 802.11n and it's still unusable even in direct proximity (reading link...)
13:38 < ecrist> then you have another issue
13:38 < ambro7181> I was just asking if it's possible to speed it up; it works great with a regular PC
13:43 -!- ambro718 [n=ambro@BSN-77-101-149.dsl.siol.net] has quit [Read error: 113 (No route to host)]
13:45 -!- ambro7181 [n=ambro@BSN-77-101-149.dsl.siol.net] has quit ["Leaving."]
13:45 -!- ambro718 [n=ambro@BSN-77-101-149.dsl.siol.net] has joined ##openvpn
14:02 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has joined ##openvpn
14:11 -!- explore [n=msparker@173.74.61.155] has joined ##openvpn
14:28 -!- ambro718 [n=ambro@BSN-77-101-149.dsl.siol.net] has quit [Read error: 110 (Connection timed out)]
14:43 -!- jeiworth [n=jeiworth@189.177.252.153] has quit [Read error: 104 (Connection reset by peer)]
14:43 -!- jeiworth [n=jeiworth@189.177.33.161] has joined ##openvpn
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:56 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
14:57 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn
15:14 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
15:20 -!- nuhiNlow [i=gjrhoivy@adsl-70-133-157-224.dsl.ablntx.sbcglobal.net] has joined ##openvpn
15:31 -!- Longkong [i=50db404d@gateway/web/freenode/x-yjxijxysecnwijky] has quit ["Page closed"]
15:52 -!- countd [n=countd@unaffiliated/countd] has quit [Read error: 110 (Connection timed out)]
16:05 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
16:14 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
16:25 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:25 < Dougy> ello
16:26 < nuhiNlow> hi
16:37 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
16:45 -!- explore [n=msparker@173.74.61.155] has quit ["leaving"]
16:50 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
16:51 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
16:52 * Dougy pokes krzee
16:57 -!- BillyCrook1 [n=BillyCro@69.76.204.209] has joined ##openvpn
17:00 < BillyCrook1> Here's my config and serverlogs. http://pastebin.com/m121f9182 the problem I am having is that I appear to be hitting some keylength limit in openvpn
17:00 < BillyCrook1> specifically, I created 5120 bit rsa keypairs for the CA, server, and client
17:01 < BillyCrook1> and an 8192bit dh.pem
17:01 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
17:02 < BillyCrook1> I chose such long keys so that the negotiation process would be significantly computationally intensive for a very very long time, in order to severely retard dictionary attacks
17:02 < BillyCrook1> (I'm not yet requiring username and passwords, but I will eventually)
17:03 < BasketCase> so you are retarding dictionary attacks at the expense of your CPU cycles?
17:04 < BillyCrook1> I have plenty of those for one negotiation
17:04 < BillyCrook1> nobody (in the near future) has enough for a billion negotiations
17:05 < BillyCrook1> I also wanted a longer keylength so that in the event RSA becomes weakened, my keys can stand up longer
17:05 < BillyCrook1> (assuming its weakened in some linear way, which may be a stretch)
17:06 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
17:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
17:09 < BillyCrook1> Is it a design goal, or a bug that limits the keylength?
17:16 < reiffert> please ask the devel mailinglist.
17:17 < BillyCrook1> :-( I degraded my keys to 4096 bits, and its working....
17:19 -!- nohup [n=nohup@2001:5c0:1503:eb00:21e:8cff:fe54:4410] has quit [Read error: 60 (Operation timed out)]
17:25 -!- MadTBone__ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:25 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
17:26 -!- BillyCrook1 [n=BillyCro@69.76.204.209] has quit [Remote closed the connection]
17:27 -!- BillyCrook1 [n=BillyCro@CPE-69-76-204-209.kc.res.rr.com] has joined ##openvpn
17:38 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
17:50 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
18:29 < nuhiNlow> i'm getting in server logs connection refused code 111
18:29 < nuhiNlow> i have shorewall also
18:32 < nuhiNlow> my config http://pastebin.com/m6c334dfb
18:40 -!- tread [n=tread@c-24-61-234-150.hsd1.nh.comcast.net] has quit ["Leaving"]
18:45 -!- jeiworth [n=jeiworth@189.177.33.161] has quit [Read error: 110 (Connection timed out)]
18:47 -!- BillyCrook1 [n=BillyCro@CPE-69-76-204-209.kc.res.rr.com] has quit ["Leaving."]
18:48 < nuhiNlow> http://pastebin.com/m1602e34
18:48 < nuhiNlow> i put my errors at the top
18:48 < nuhiNlow> config file follows
19:09 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:33 -!- nuhiNlow [i=gjrhoivy@adsl-70-133-157-224.dsl.ablntx.sbcglobal.net] has quit ["+++ OK ATH OK"]
19:35 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
19:53 -!- JoelR [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
19:53 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn
20:19 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has quit []
20:57 -!- JoelR [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
20:57 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn
20:58 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
21:01 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
21:01 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
21:11 -!- master_of_master [i=master_o@p549D409B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D3F76.dip.t-dialin.net] has joined ##openvpn
21:15 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
21:16 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
21:28 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:30 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: hyper_ch, bauruine, zu
21:36 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
21:36 -!- hyper_ch [n=hyper@adsl-89-217-165-91.adslplus.ch] has joined ##openvpn
21:36 -!- zu [n=zu@bucketheaded.eu] has joined ##openvpn
21:45 -!- JoelR [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)]
21:45 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn
22:10 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["leaving"]
22:40 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
22:58 -!- troy_ is now known as troy-
23:02 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
23:09 -!- MTeck [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has joined ##openvpn
23:09 < MTeck> How can I route traffic through an OpenVPN tunnel?
23:12 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
23:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
23:29 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
23:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
23:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
23:39 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
23:45 < BasketCase> MTeck:
23:45 < BasketCase> !route
23:45 < vpnHelper> BasketCase: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
23:53 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
23:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Client Quit]
--- Day changed Tue Sep 01 2009
00:03 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
00:05 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 104 (Connection reset by peer)]
00:08 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
00:09 -!- hyper__ch [n=hyper@adsl-84-227-14-25.adslplus.ch] has joined ##openvpn
00:09 -!- hyper_ch [n=hyper@adsl-89-217-165-91.adslplus.ch] has quit [Nick collision from services.]
00:09 -!- hyper__ch is now known as hyper_ch
00:11 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
00:13 -!- jeiworth [n=jeiworth@189.163.186.134] has joined ##openvpn
00:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:17 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 104 (Connection reset by peer)]
00:18 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
00:29 < MTeck> BasketCase: thanks
00:39 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 110 (Connection timed out)]
00:40 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
00:42 -!- jeiworth [n=jeiworth@189.163.186.134] has quit [Read error: 110 (Connection timed out)]
00:50 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has joined ##openvpn
00:50 < admin0> hi all .. i am trying to get my client side network to be able to use the internet .. but its not working at all
00:53 < krzee> to use it through the server you mean?
01:00 -!- admin0 [n=admin0@bb121-6-1-187.singnet.com.sg] has quit [Read error: 113 (No route to host)] 01:25 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:37 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 02:14 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 02:16 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)] 02:19 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit [] 02:22 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 02:23 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 02:38 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn 03:13 -!- RexMundi [n=RexMundi@77.95.99.166] has joined ##openvpn 03:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 03:30 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 03:49 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [] 03:50 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn 03:54 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 03:54 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn 03:56 < |Mike|> 2009/09/01 10:21:19 <+IcE^> can't the iphone do vpn also? or don't you want the email accessable on the phone at all? 03:56 < |Mike|> 2009/09/01 10:30:23 < hackman> IcE^: OpenVPN is not supported and currently I'm too lazy to port the OpenVPN infrastructure I have build for the OpenVPN to anything else 03:56 < |Mike|> who done that yet ? 
:_ 03:56 < |Mike|> :) 04:08 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 04:30 -!- tecchi [n=tecchi@ip-81-210-161-128.unitymediagroup.de] has joined ##openvpn 05:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:17 -!- JoelR [n=joel@193.145.14.94] has quit [Remote closed the connection] 06:19 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 06:24 < melvin_> Hi. dhcp Problem again. Server is confgured as server-bridge. Windows Client works, gets dns, routing and domain information. now i try to connect a linux client. i know, no built in dhcp client on linux. so i wrote a simple up script with only "dhclient $1" in it. BUt it doesn't work. i can start dhclient after initialisaion manualy but not on the up script. 06:25 -!- tecchi [n=tecchi@ip-81-210-161-128.unitymediagroup.de] has quit [] 06:26 < melvin_> can i split the config to use external dhcp on windows and builtin dhcp for linux clients? 06:29 < |Mike|> !all 06:29 < vpnHelper> |Mike|: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles 06:30 < |Mike|> melvin_: how many linux clients do you got ? 06:30 < |Mike|> otherwise i would 'ccd' them 06:30 < |Mike|> !ccd 06:30 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 06:30 < |Mike|> so they get a static ip 06:31 < melvin_> its 1 to 10 clients 06:31 < melvin_> MTeck: you mean i should use ccd with stic ip ? 06:31 < |Mike|> for the linux clients, yes. 06:32 < melvin_> |Mike|: no other way? 06:32 < melvin_> why can't dhclient not work on tap device? 
06:33 < |Mike|> http://openvpn.net/archive/openvpn-users/2007-09/msg00265.html
06:33 < vpnHelper> Title: Re: [Openvpn-users] Linux DHCP client via bridge (at openvpn.net)
06:33 < melvin_> i found a site, who says use ifdown $1 first, then dhclient $1
06:34 < melvin_> |Mike|: does it work with NetworkManager if i use static ip?
06:37 < |Mike|> not sure
06:37 < |Mike|> you could try
06:38 * dazo guesses not
06:38 < melvin_> any chance to integrate dhclient in openvpn in the near future?
06:39 < melvin_> i prefer external dhcp because of ddns in Windows AD. with ddns i can reach vpn clients on their domain name
06:39 < dazo> melvin_: that's more a question for openvpn-devel@lists.sourceforge.net ... if there are active openvpn developers here ... they sure stay low about it
06:40 < dazo> melvin_: and there is no possibility to get the clients to propagate their hostname and IP to Windows DNS server without it being the DHCP server as well?
06:40 * dazo believes one of the networks he's partly administering does that .... Linux DHCP server and internal Windows DNS server ....
06:41 < |Mike|> i don't like to work around with diff. osses :P
06:41 < melvin_> dazo: maybe i can write some script for the ddns update. but there is another problem using openvpn internal dhcp-server
06:42 < melvin_> the dns lookup on the windows client does not work
06:42 < dazo> melvin_: the network I keep an eye on has no special scripts afaik ...
06:42 < dazo> melvin_: actually, the Linux DHCP server is a slave-DNS to the windows DNS ... and that propagates new IPs automatically on the fly ....
06:43 < melvin_> using Windows ad with bind may be tricky. mixing dhcp server also
06:43 < melvin_> i use a separate scope for openvpn. works really great
06:43 < melvin_> but only on Windows clients :-(
06:44 < dazo> melvin_: I'm doing it ..... no issues at all .... practically out of the box, afaik .... well, I didn't configure the windows server at all ... but I'm sure I'd hear about it if those windows admins had issues
06:44 < melvin_> not the "works on all os" that i thought
06:44 < dazo> aha
06:44 < dazo> so the windows works fine .... but not Linux .... gotcha!
06:44 < dazo> sorry about the confusion
06:45 < melvin_> not exactly. i don't have a config to use both clients
06:45 < melvin_> external dhcp for windows clients great, internal dhcp is for unix clients great
06:46 < melvin_> i would use internal dhcp for both, but the dns resolution on windows didn't work for me.
06:48 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
06:54 -!- brizly [n=brizly_v@p4FC98A56.dip0.t-ipconnect.de] has quit [Connection timed out]
06:54 < dazo> melvin_: I'm sorry, but I don't know too much about how the Windows DNS<->DHCP integration works .... I just have my experiences from having that separated, and it seems to work for all Windows clients pretty well. Non-windows clients is another issue, but that's because I have not configured the DHCP server to do dhcp-dns updates ... but to be honest, I'm not sure how well it works by bypassing the openvpn DHCP service at all ... I've tried a little bit, without much success
06:56 < melvin_> dhcp client seems to work, if i reenable the tap device.
06:56 -!- brizly [n=brizly_v@p4FC9987F.dip0.t-ipconnect.de] has joined ##openvpn
06:56 < melvin_> on up.script first "ifdown $1" then "ifup $1"
06:57 < melvin_> on /etc/network/interface "iface tap0 inet dhcp"
06:57 < melvin_> crazy.
06:59 < dazo> melvin_: I'd say this is probably safer when you know that the DHCP support in OpenVPN is disabled .... what you're doing sounds more like a dirty hack, and most probably will cause some challenges later on
07:01 < melvin_> dazo: 90% of the clients are windows. so i need to use the windows-preferred solution. maybe the "ifdown hack" is some kind of a bug in openvpn? for me all works as expected but dhclient on tap device.
07:04 < dazo> melvin_: iirc, dhclient runs as a daemon against an interface. This way it will be able to change the IP address upon request from the DHCP server. I also believe that dhclient declines to run on an already configured device .... so that might be why your hack works, as ifdown tap0 will remove the config, and ifup will then run dhclient tap0 later on
07:06 < melvin_> dazo: Ok. but i can run "dhclient tap0" after vpn initialisation on a different terminal without problem. it only doesn't work in the up-script
07:08 < melvin_> does the openvpn bring the tap device up? I think so, but it does not use the system way to do this. if it used the system way, the dhclient would get started automatically
07:09 < melvin_> how does openvpn create the tap device?
07:10 < dazo> melvin_: openvpn does indeed bring up and create the tap device if it does not exist. And openvpn takes care of configuring it as soon as it gets an IP address from the openvpn server
07:16 < melvin_> ok. this explains it
07:20 < melvin_> if i could use server-bridge in ccd config, i would be able to split the dhcp config for both clients
07:21 < dazo> melvin_: I doubt you can use server-bridge in ccd .... I think that needs to be in the global config
07:21 < melvin_> yes, sadly
07:22 -!- KaiForce [n=chatzill@70.228.104.238] has joined ##openvpn
07:22 < melvin_> is there an openvpn-devel ice channel?
07:23 < melvin_> ice = irc
07:24 < dazo> melvin_: not afaik ... but if you find one, I'd like to join it too! :)
07:25 -!- MTeck [n=MTeck@ubuntu/member/pdpc.active.mtecknology] has left ##openvpn [""http://profarius.com/""]
07:52 -!- jeiworth [n=jeiworth@189.163.186.134] has joined ##openvpn
08:00 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
08:04 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Client Quit]
08:06 -!- tuxick [i=BluesMur@tuxick.xs4all.nl] has joined ##openvpn
08:06 < tuxick> lo
08:10 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
08:12 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:13 < Optic> moo
08:13 < tuxick> got a problem with simple tunnel between 2 freebsd machines
08:14 < tuxick> on one end i see ping requests come in, and go out again
08:14 < tuxick> but on the other one i see no replies or requests at all
08:14 < tuxick> something special needed on freebsd?
08:16 < reiffert> no (nothing special)
08:16 < reiffert> see the replies go out on tun0?
08:17 < tuxick> only on 1 box
08:18 < tuxick> the other one is deaf/mute
08:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
08:18 < tuxick> uhm, just deaf
08:19 < tuxick> since it doesn't seem to get requests, it will of course not reply
08:19 < tuxick> but it can send requests
08:21 < tuxick> 15:21:00.152500 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 9087, seq 3, length 64
08:21 < tuxick> 15:21:00.152518 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 9087, seq 3, length 64
08:21 < tuxick> in fact i can't even ping the local endpoint on either side
08:22 < tuxick> this works on linux
08:23 < reiffert> pinging the local endpoint is a requirement.
08:23 < tuxick> it's the simplest setup possible, with static.key
08:23 < tuxick> all i need for this
08:24 < reiffert> have a look into the client logfile
08:24 < reiffert> verb 3 should be enough to see whats going on
08:25 < tuxick> NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running
08:25 < tuxick> duh
08:25 < tuxick> that's a bit vague
08:26 < tuxick> no complaints on server side
08:26 < reiffert> what version of openvpn does your BSD come with?
08:27 < tuxick> both ends 2.0.6
08:27 < reiffert> ancient pieces of shit!
08:28 < reiffert> !factoids search bsd
08:28 < vpnHelper> reiffert: 'freebsd', 'fbsdbridge', 'fbsdjail', 'obsdtap', 'fbsdipforward', 'fbsdnat', 'freebsdnat', and 'bsdnat'
08:28 < reiffert> !freebsd
08:28 < vpnHelper> reiffert: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
08:28 < reiffert> I'd go on 2.1rc19.
08:28 < reiffert> 2.0.9 is 5 years old and buggy.
08:28 < tuxick> hm
08:28 < reiffert> 2.0.6
08:28 < tuxick> should still work
08:28 < ecrist> good morning
08:29 < tuxick> morning
08:29 < reiffert> ecrist: what is it that keeps freebsd from upgrading to a recent openvpn?
08:29 < ecrist> nothing
08:29 < ecrist> why?
08:29 < reiffert> should 2.0.6 still work on BSD?
08:29 < ecrist> yes, but 2.0.9 is in prots
08:29 < tuxick> it's what i found in ports
08:29 < ecrist> ports*
08:29 < tuxick> ok
08:29 < tuxick> but still
08:29 < reiffert> tuxick got a problem where he isn't able to ping his local adapter
08:29 < ecrist> 2.1 is in ports, too
08:30 < reiffert> read the above if you like to
08:30 < tuxick> ah -devel
08:30 < tuxick> will try
08:30 < ecrist> ports/security/openvpn-devel
08:30 < tuxick> ye spotted
08:30 < ecrist> sounds like a firewall issue
08:31 < ecrist> 2.1rc19 is what's currently in ports
08:31 < ecrist> looks pretty up to date to me. ;)
08:31 < tuxick> i just needed simple 1-1 tunnel so went for 2.0
08:31 < reiffert> so you will get 2.0.6 when using pkg_add and sysinstall?
08:32 < ecrist> if he has 1) an old version of freebsd, or 2) an ancient ports tree
08:32 < ecrist> portsnap fetch && portsnap extract
08:32 < tuxick> one box is rather old and to be phased out
08:32 < tuxick> trying -devel now
08:32 < reiffert> firewall issue?
08:32 < ecrist> that's my guess.
08:32 < tuxick> ipfw add allow all from any to any via tun0
08:32 < reiffert> ecrist: btw .. freebsd. I love to install packages by pkg_add -r foo
08:33 < tuxick> hmm
08:33 < reiffert> ecrist: is there a recursive pkg_delete foo, so that all dependencies get uninstalled that got installed previously by pkg_add -r foo?
08:33 < ecrist> call me old-fashioned, but I still prefer building from source.
08:33 < ecrist> at least once, make package
08:34 < ecrist> if you're going to do that sort of thing, you're best off looking into something like portmaster or another ports manager
08:34 < ecrist> there is a -r to pkg_delete
08:34 < reiffert> ok, will try to remember that for my next time on BSD
08:35 < reiffert> ecrist: yeah, but it removes the packages that depend on foo.
08:35 < tuxick> ok
08:36 < tuxick> OpenVPN 2.1_rc18
08:36 < tuxick> and still can't even ping local end
08:37 < tuxick> ye on the old box i see ping requests and reply
08:37 < tuxick> yet
08:37 < ecrist> do you have a firewall on the local end?
08:37 < ecrist> reiffert: you're right. that's an odd option to pkg_delete.
08:37 < ecrist> I would think it would work 'up' and not 'down'
08:38 < tuxick> on the old box there is no firewall at all
08:39 < tuxick> the new box still complains about "failed to obtain options consistency info from peer"
08:40 < reiffert> !configs
08:40 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:40 < ecrist> !all
08:40 < vpnHelper> ecrist: "all" is please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles
08:41 < reiffert> have to remember that one, too
08:42 < tuxick> http://www.pastebin.ca/1550268
08:43 < reiffert> !logs
08:43 < vpnHelper> reiffert: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:43 < tuxick> :)
08:45 < reiffert> you might wanna try explicit dev settings, that is "dev tun0"
08:45 < ecrist> !learn all as For more detailed instructions, look to: !logs !configs !interface
08:45 < vpnHelper> ecrist: Joo got it.
08:46 < tuxick> ok checking all
08:48 < tuxick> but, it should be possible to ping local end, no?
08:48 < tuxick> even when tunnel is broken
08:49 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
08:49 < |Mike|> tunnel ?
08:50 < |Mike|> ifconfig ?
08:52 < |Mike|> ecrist: you did blow some n00bies into the air yet ?
08:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:02 < tuxick> now checking with linux client on same lan
09:02 < tuxick> which works
09:02 < tuxick> hmm
09:03 < tuxick> that narrows it down :)
09:03 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
09:07 < tuxick> ok cheers guys, must have been either firewall or nat
09:07 < tuxick> but still can't ping local endpoints, i can live with that
09:07 < tuxick> switched to tcp and it's ok now
09:08 -!- dft_ [n=dft@99.227.194.14] has joined ##openvpn
09:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:15 -!- jeiworth [n=jeiworth@189.163.186.134] has quit [Read error: 110 (Connection timed out)]
09:21 < ecrist> |Mike|: not yet. ;)
09:22 < ecrist> tuxick: didn't I suggest the firewall almost an hour ago?
09:23 < tuxick> ecrist: i got confused by being unable to ping local end
09:23 < tuxick> even on the box that has no firewalling at all
09:23 < tuxick> of course firewalling is a logical thing to look for
09:23 < tuxick> even though the tunnel was up
09:23 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
09:24 < tuxick> i've dealt with openvpn before :)
09:26 < |Mike|> !linnat
09:26 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:27 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:28 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn
09:35 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
09:36 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:47 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
10:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
10:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
10:14 -!- W0rmF00d is now known as WormFood
10:22 -!- unclecameron [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has joined ##openvpn
10:47 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
10:48 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Read error: 104 (Connection reset by peer)]
10:49 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn
11:10 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
11:11 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn
11:12 -!- hyper_ch [n=hyper@adsl-84-227-14-25.adslplus.ch] has quit [Remote closed the connection]
11:15 -!- hyper_ch [n=hyper@adsl-84-227-14-25.adslplus.ch] has joined ##openvpn
11:19 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has joined ##openvpn
11:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:28 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Connection timed out]
11:34 < |Mike|> !ping
11:34 < vpnHelper> pong
11:35 < KaiForce> Windows 7 and OpenVPN client - can do?
11:38 < |Mike|> yes.
11:48 -!- agliodbs [n=agliodbs@adsl-63-195-55-98.dsl.snfc21.pacbell.net] has quit []
11:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:57 < reiffert> tuxick: does it work? What was the major cause it didnt?
11:58 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has joined ##openvpn
11:58 < |Mike|> iptables -F ? :P
11:58 < reiffert> iptables: No such file or directory
11:58 < reiffert> BSE
12:10 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
12:10 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
12:10 < Optic> Bovine spongiform encephalopathy
12:21 -!- js_ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has joined ##openvpn
12:22 < js_> for some reason openvpn seems to create a connection, but i can't connect to the other endpoint
12:22 < js_> this is a server<->server tunnel, and i just changed it to connect to another server (with the same ip)
12:23 < js_> it worked before the change, and the cfg/key is the same
12:24 < js_> logs don't show any error either
12:25 < js_> no firewall on the new one
12:30 < js_> with verb 10 it stays at "ovpn-openvpn[4681]: I/O WAIT TR|Tw|SR|Sw [10/209595]"
12:31 < js_> anyone alive?
12:34 < js_> that's odd, changing from hostnames to ips fixed it
12:35 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
12:37 < ecrist> our work here is done!
12:38 < js_> hehe
12:44 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
12:54 < tuxick> reiffert: either firewall or nat, i switched to tcp and it worked
13:56 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
14:10 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
14:29 -!- sky_ [n=sky@189.58.127.230.dynamic.adsl.gvt.net.br] has joined ##openvpn
14:29 < sky_> Hello!
14:30 < sky_> has anybody used openvpn (linux) over a satellite link?
14:31 -!- bandini [n=bandini@host73-109-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
14:31 < ecrist> yes, it sucks
14:32 < ecrist> *any* VPN sucks over satellite
14:32 < ecrist> the problem is there is far too much latency between packets
14:32 < ecrist> we had a user that used to use satellite internet, her way in to the network was the MS Remote Desktop, which, surprisingly, worked very well.
14:33 < BasketCase> that is a surprise
14:34 < BasketCase> I tried a sat link once and about the only thing I could stand to do on it was usenet
14:38 -!- Kreg-Work is now known as kreg-lt
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:48 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
15:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:23 -!- KaiForce [n=chatzill@70.228.104.238] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"]
15:29 -!- Caplain [i=shayne@caplain.sragger.com] has quit [Read error: 60 (Operation timed out)]
15:38 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has joined ##openvpn
15:41 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
15:41 < reiffert> ecrist: how big is the latency in the US when going online via 3G?
15:41 < reiffert> ecrist: for germany you get smth around 250ms ping times ..
15:53 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:55 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
16:06 -!- bandini [n=bandini@host73-109-dynamic.41-79-r.retail.telecomitalia.it] has quit [Read error: 113 (No route to host)]
16:24 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
16:40 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
16:41 -!- dft_ [n=dft@99.227.194.14] has quit [Read error: 131 (Connection reset by peer)]
16:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:56 -!- Caplain [i=shayne@caplain.loves.thraen.fbi.gov.silverelitez.org] has quit ["Caplain out"]
16:56 -!- sevac [n=sevac@201.151.40.213] has joined ##openvpn
17:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
17:08 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: tuxick
17:10 -!- BluesMurf [i=BluesMur@tuxick.xs4all.nl] has joined ##openvpn
17:10 -!- BluesMurf is now known as tuxick
17:21 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
17:21 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Read error: 60 (Operation timed out)]
17:25 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
17:48 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
17:48 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
17:54 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)]
17:55 < sky_> ecrist ow.. just now i read your response .. lol.. thankz..
17:55 < sky_> ecrist later i try openvpn without crypto..
17:58 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Read error: 60 (Operation timed out)]
18:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:02 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit]
18:02 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:23 -!- sky_ [n=sky@189.58.127.230.dynamic.adsl.gvt.net.br] has left ##openvpn []
18:31 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn
18:47 -!- chinsan [i=chuck-th@chinsan.info] has quit [Read error: 110 (Connection timed out)]
18:50 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
19:03 -!- Saberu [i=Oliver@125.81.154.100] has joined ##openvpn
19:03 < Saberu> Parameter ca_file can only be specified in TLS-mode- help please!
19:05 -!- Evet [n=Evet@unaffiliated/evet] has joined ##openvpn
19:06 < Evet> how to?
19:10 < BasketCase> !howto
19:10 < vpnHelper> BasketCase: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:12 < BasketCase> Saberu: pastebin your config
19:13 < Saberu> ok thanks
19:14 < BasketCase> don't thank me yet, I haven't actually helped you :P
19:14 < Saberu> but you offered :p
19:16 < BasketCase> I guess the important question is what mode are you running in
19:17 < Saberu> centOS5
19:17 < Saberu> http://pastebin.com/m747a27bc
19:17 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
19:17 < Saberu> i think it may just be that i didn't fill in the config properly
19:19 < krzie> whats up guys
19:19 < BasketCase> I am not that familiar with the tap setup as I use the tun setup instead but I believe you need a server line
19:19 < Saberu> i've tried it with the ca file commented out and not commented out
19:19 < Saberu> server line?
19:19 < BasketCase> or server-bridge
19:20 < Saberu> how would i do that?
19:21 < Saberu> i might try setting the log to be more verbose
19:22 < BasketCase> looks like you got an incomplete sample file
19:22 < BasketCase> http://openvpn.net/index.php/open-source/documentation/howto.html#server
19:22 < vpnHelper> Title: HOWTO (at openvpn.net)
19:23 < Saberu> maybe i messed up when i edited somehow
19:24 < Saberu> vi can be annoying at times
19:26 < krzie> saberu, what is your goal?
19:26 < Saberu> hmm i used the config file on the site
19:26 < Saberu> still has same problem
19:27 < Saberu> my goal is to have a complete VPN solution so i can get around china's poisoned DNS servers
19:27 < krzie> so you just want to redirect inet over the vpn
19:27 < Saberu> might also be useful for other stuff
19:27 < krzie> correct?
19:28 < Saberu> well including DNS, my SSH tunnel doesn't seem to do the trick so i need something better
19:28 < krzie> right
19:28 < krzie> !redirect
19:28 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:28 < krzie> !sample
19:28 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
19:28 < krzie> you have no reason to be using tap, and should be using tun
19:28 < Saberu> ok
19:28 < Saberu> i guess tap is only useful if you want to do lan games and stuff over a virtual lan?
19:28 < krzie> theres some sample configs ive used for you
19:28 -!- seirmubsa [n=seirmubs@h120.121.82.166.ip.windstream.net] has joined ##openvpn
19:29 < krzie> Saberu correct
19:29 < Saberu> thanks i'll try it
19:29 < krzie> !tunortap
19:29 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
19:29 < seirmubsa> Can someone help with a bridge issue?
19:29 < Saberu> is tap much more difficult to setup then?
19:29 < krzie> seirmubsa why are you using bridge?
19:29 -!- sevac [n=sevac@201.151.40.213] has quit [Read error: 60 (Operation timed out)]
19:30 -!- sevac [n=sevac@li40-221.members.linode.com] has joined ##openvpn
19:30 < seirmubsa> network broadcasts.
19:30 < krzie> Saberu its more difficult, uses more overhead, and leaves you open to layer2 attacks over the vpn
19:30 -!- BasketCase_Eee [n=kmk@asylum.sanitarium.net] has joined ##openvpn
19:30 < krzie> so it should only be used when actually needed
19:30 < krzie> seirmubsa you can use tap without bridge for those
19:30 < seirmubsa> Well, I'd kinda like to figure this out anyway. :p
19:31 < krzie> cool, sorry i cant help
19:31 < seirmubsa> Whenever I try to bridge eth1 (my internal if), it just kills the if completely.
19:31 < krzie> ive never had a valid reason to use a bridge over the inet, so cant help with it
19:31 < BasketCase_Eee> Saberu: is your OpenVPN version old?
19:32 < krzie> seirmubsa you will need to set the gateway again, thats 1 thing the normal script floating around doesnt have on it
19:32 < krzie> maybe thats your issue, maybe not
19:32 -!- sevac [n=sevac@li40-221.members.linode.com] has quit [Client Quit]
19:32 < seirmubsa> Well, it strips eth1 of its address.
19:33 < seirmubsa> I have to run the bridge-stop script and do ifconfig eth1 192.168.1.1 to reset it
19:33 < krzie> if you decide to lose the bridge i can help, otherwise someone should come around later who can help ya
19:33 < Saberu> BasketCase yes
19:33 < Saberu> 2.09
19:34 < Saberu> i was too lazy to get the new one i just copied the guide directly because i assumed it's more likely to work with their instructions
19:34 < krzie> anything that works in 2.09 works in 2.1
19:34 < krzie> except some script security stuff, but thats a very simple fix
19:34 < krzie> (and it tells you about that when you start up 2.1)
19:35 < Saberu> what do i put here? server 10.8.1.0 255.255.255.
19:35 < Saberu> my public ip?
19:35 < krzie> !man
19:35 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:35 < krzie> read --server
19:35 < krzie> understand it instead of asking
19:35 < seirmubsa> Here we go again.
19:36 < krzie> saberu, in fact the man page is actually much nicer than the howto, for that sample i gave you read up on every single config option
19:36 < krzie> (my recommendation)
19:37 < Saberu> ok thanks, i'll spend a few hours looking at this now :s
19:37 < BasketCase_Eee> the server line tells it what to serve out
19:38 < BasketCase_Eee> local (which you had commented out) is where you put your public IP
19:39 < seirmubsa> Let me guess, br0 is supposed to take over the gateway address and I just have to change all the iptables rules to nat it instead of eth
19:40 < Saberu> ok BasketCase i understand better now thanks
19:40 < Saberu> i had put my public ip in local actually
19:41 < Saberu> just didnt know what to put in the server line
19:41 < BasketCase_Eee> ;comment
19:42 * BasketCase_Eee helps and cooks dinner at the same time :)
19:42 < krzie> haha nice
19:42 < krzie> whats for dinner
19:43 < seirmubsa> Bingo, that was it.
19:43 < BasketCase_Eee> pork chops with sautéed onions and mushrooms, snap peas, and mashed potatoes
19:46 -!- chantra_ [n=chantra@ns22757.ovh.net] has joined ##openvpn
19:49 -!- chantra [n=chantra@91.121.8.26] has quit [Read error: 104 (Connection reset by peer)]
19:50 -!- troy [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
19:51 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn
19:51 < Saberu> Cannot open TUN/TAP dev /dev/tun: No such file or directory (errno=2)
19:51 < krzie> BasketCase_Eee sounds nice!
19:52 < Saberu> do i need to do this? Make device: mknod /dev/net/tun c 10 200
19:53 < krzie> no
19:53 < krzie> openvpn will dynamically create your tun device
19:53 < Saberu> but that error above
19:54 < krzie> you have tun compiled into the kernel (if not, do you have the module loaded)?
19:54 < Saberu> this might be helpful, i did modprobe tun and got this error
19:55 < krzie> you need to have tun support in the kernel, whether its compiled in statically or a module
19:56 < Saberu> FATAL: Could not load /lib/modules/2.6.18-92.1.13.el5.028stab059.6/modules.dep: No such file or directory
19:56 < Saberu> i think i don't have the tun driver
19:56 < krzie> then go compile it in
19:56 < Saberu> how?
19:57 < krzie> that is a question for a help channel dedicated to your OS
19:57 < krzie> if you used freebsd or osX i'd help ya with it
19:57 < BasketCase> depmod -a might help with that error
19:58 < BasketCase> CONFIG_TUN is the kernel option you need
19:58 < BasketCase> =y or =m
19:58 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:59 < krzie> sup dougy
19:59 < Dougy> krzie: still broke ?
19:59 < Saberu> just CONFIG_TUN=y and it will work?
19:59 < krzie> ya why
19:59 < Dougy> krzie: because im tired of looking at my billing app and seeing OVERDUE NOTICE SENT TO IRCPIMPS
19:59 < Dougy> lol
19:59 < krzie> lol
19:59 < BasketCase> after you recompile the kernel, install the new one, and boot from it assuming that is your only problem
19:59 < krzie> how overdue am i?
19:59 < Dougy> about a week now.. its not a huge issue, i know you'll get me for it
20:00 < Dougy> just was reminding you
20:00 < Dougy> krzie: INVOICE Date August 18, 2009
20:00 < BasketCase> if you compile it as a module you might be able to add it to the running kernel
20:00 < krzie> lol
20:01 < krzie> cool how much is it?
20:01 < Dougy> do you want me to pm it to you
20:01 < Dougy> or just say here
20:01 -!- opsec [n=opsec@fedora/opsec] has joined ##openvpn
20:01 < krzie> pm i guess
20:01 -!- opsec [n=opsec@fedora/opsec] has left ##openvpn ["I'll be your huckleberry..."]
20:02 < krzie> thats why i normally pay things by the year
20:02 < Dougy> krzie: that wasnt pm
20:02 < krzie> heh
20:04 < Saberu> hmm well on centos channel they say it's defo an openvpn issue, i'd tend to agree as it's a virtual driver
20:04 < BasketCase> it is a virtual driver that is part of the Linux kernel
20:04 < Dougy> !forum
20:04 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
20:04 < Dougy> @ all
20:04 < Dougy> hhaahahah
20:05 < Dougy> krzie: porn pending on the forum
20:05 < Dougy> i deleted like 10 porn threads the other day
20:05 < Dougy> Beautiful Older Pussy !!!
20:05 < Dougy> Super Granny 3 For Realarcade !!!
20:05 < Dougy> ahahaa
20:05 < Saberu> i hate those spammers, if google sees a spammer link on your forum and it's not on a subdomain/ other domain your site gets marked
20:05 < krzie> saberu, they are very wrong, there are quite a few apps that use tun, and tun is distributed with your OS, not with oivpn
20:05 < krzie> ovpn*
20:06 < Dougy> Saberu: all posts are moderated
20:06 < Dougy> for new members
20:06 < Dougy> so all the spambots dont make it to the forum
20:06 < Dougy> Return to the previous page
20:06 < Dougy> wo0t
20:06 < Dougy> krzie: forum had 1338 uniques last month
20:06 < Dougy> http://dougy.hosting.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com
20:06 < vpnHelper> Title: Statistics for ovpnforum.com (2009-09) - main (at dougy.hosting.secure-computing.net)
20:06 < BasketCase> my companies uses a public forum to provide customer support so we have to deal with that problem too
20:06 < BasketCase> company uses
20:07 < Dougy> phpBB is the worst
20:07 < krzie> basketcase, ya its a pita
20:07 < BasketCase> we are on VB
20:07 < Dougy> i wish i kept vbulletin
20:07 < BasketCase> but then it is commercial
20:07 < Dougy> but i didnt feel like renewing
20:07 -!- troy [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Connection timed out]
20:07 < BasketCase> they go around looking for people running it without a license too
20:07 < Dougy> i knwo the abuse team
20:07 < Dougy> well, some of
20:08 < Dougy> s/knwo/know/
20:08 < BasketCase> we have gotten takedown notices about people using it on a secondary domain that wasn't listed in the purchase
20:08 -!- W0rmF00d [n=wormfood@59.40.76.214] has joined ##openvpn
20:09 < Saberu> you can get open source forums as good as vb now
20:09 < Dougy> MyBB is nice
20:09 < Dougy> i thought about doing something like what Linode does
20:09 < Dougy> would definitely eliminate the spam issue .
20:09 < Dougy> ecrist: speaking of .. ping
20:10 < Saberu> discuz is awesome
20:10 < BasketCase> the big problem with many web apps like forums and blogs is scaling them
20:11 < BasketCase> as users multiply their server requirements go up even faster
20:11 < Saberu> discuz has different options for different usage levels
20:11 < Saberu> you can scale it as you like
20:11 < Saberu> and good cache handling
20:12 < BasketCase> yeah, it stays off of my radar which is a good thing
20:16 -!- WormFood [n=wormfood@59.40.80.213] has quit [Read error: 145 (Connection timed out)]
20:18 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:33 < seirmubsa> When OpenVPN is started without any args, does it use ./etc/openvpn/server.conf by default?
20:37 < BasketCase_Eee> when I run openvpn without any args I get a usage list output
20:38 < BasketCase_Eee> server.conf wouldn't be the default as it isn't always a server
20:41 -!- W0rmF00d is now known as WormFood
20:44 < krzie> there is no default config
20:44 < krzie> minimal way to start is openvpn
20:44 < krzie> if another option is specified, --config must be used
20:45 < BasketCase_Eee> I prefer to add the --config anyways just because it looks weird to me without it
20:45 < krzie> that definitely doesnt hurt anything ;]
20:46 -!- _sky [n=sky@189.58.172.73.dynamic.adsl.gvt.net.br] has joined ##openvpn
20:46 < _sky> hi
20:46 < krzie> hi
20:48 < _sky> ;-)
20:48 < _sky> krzie have you used openvpn over a satellite link?
20:49 < krzie> i have set it up once, didnt use it much
20:49 < krzie> the important things would be to set the mtu right, and use UDP as your transport protocol, and use tun if possible
20:49 < krzie> !mtu
20:49 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
20:50 < _sky> hmm, tun and udp ok.. too disabled auth, cipher and comp-lzo
20:51 < _sky> vpnHelper just in client? or server too?
20:51 < vpnHelper> _sky: Error: "just" is not a valid command. 20:52 < _sky> krzie so.. i need use --mtu-test? 20:53 < _sky> or defined a value in config files ? what value is best for link of satellite 21:08 < krzie> im way busy, but thats enough for you to find what to do from the manual 21:08 < krzie> !man 21:08 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:11 -!- master_of_master [i=master_o@p549D3F76.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 < _sky> tnkz 21:14 -!- master_of_master [i=master_o@p549D3F5F.dip.t-dialin.net] has joined ##openvpn 21:25 < _sky> \quit 21:25 -!- _sky [n=sky@189.58.172.73.dynamic.adsl.gvt.net.br] has left ##openvpn [] 21:52 -!- taan [n=Igor@c-24-130-20-70.hsd1.ca.comcast.net] has joined ##openvpn 21:54 < taan> hi, can i use usual windows vpn client to connect to openvpn server ? (link to documentation?) 21:54 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 21:57 < BasketCase_Eee> openvpn server connects to openvpn client 21:58 < BasketCase_Eee> well, actually the other way around but you get the idea 22:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 22:01 < taan> yes, my question is do i need to deploy a special client (administrative rights) or windows installed client can work too ? 
22:05 < BasketCase_Eee> you need the Windows version of the OpenVPN client
22:07 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:04 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
23:17 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 104 (Connection reset by peer)]
23:18 -!- troy [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn
23:18 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 104 (Connection reset by peer)]
23:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
23:19 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
23:32 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
23:39 -!- onats [n=onats@222.127.167.130] has joined ##openvpn
23:56 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
--- Day changed Wed Sep 02 2009
00:16 -!- brizly [n=brizly_v@p4FC9987F.dip0.t-ipconnect.de] has quit ["Leaving."]
00:21 -!- BasketCase_Eee [n=kmk@asylum.sanitarium.net] has quit [Read error: 110 (Connection timed out)]
00:22 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has quit [Read error: 110 (Connection timed out)]
00:23 -!- brizly [n=brizly_v@p4FC9987F.dip0.t-ipconnect.de] has joined ##openvpn
00:39 -!- taan [n=Igor@c-24-130-20-70.hsd1.ca.comcast.net] has quit ["Leaving."]
00:41 -!- onats [n=onats@222.127.167.130] has quit ["Leaving"]
00:54 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
00:54 -!- Saberu [i=Oliver@125.81.154.100] has quit [Read error: 110 (Connection timed out)]
00:58 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
01:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:33 -!- unclecameron [n=unclecam@74-47-188-93.dr01.myck.or.frontiernet.net] has quit ["Leaving."]
01:39 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:41 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has joined ##openvpn
01:52 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
02:00 -!- spiekey [n=mario@projekte.imos.net] has joined ##openvpn
02:00 < spiekey> Hello!
02:03 < spiekey> i use this config to connect two networks: http://pastebin.com/d724ddb9c
02:03 < spiekey> this setup is pretty simple and easy to set up.
02:03 < spiekey> Can i also have multiple Clients this way?
02:05 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
02:13 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has quit ["Client exiting"]
02:40 -!- troy [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)]
03:36 -!- admin0 [n=admin0@bb116-14-116-188.singnet.com.sg] has joined ##openvpn
03:36 < admin0> hey guys .. using the openvpn examples, i am setting up my private LAN in routed openvpn
03:36 < admin0> is it possible to set the OPENVPN adapter in NAT ?
03:37 < admin0> i just have 1 network card and 1 openvpn .. and is there a way to set the NAT flag on that openvpn interface
03:37 < admin0> such that all outgoing openvpn packets are natted
03:45 < dazo> admin0: which OS are you running on the server?
03:45 < admin0> linux
03:45 < admin0> in linux, i am already doing NAT
03:46 < admin0> i want to know if doing NAT on the windows is possible or not
03:46 < dazo> admin0: aha! I don't know much about Windows at all .... but I believe it is connected to such a "share this internet connection" feature in the network connection settings .... iirc from earlier discussions here
03:47 < admin0> dazo, yes... but for share this internet connection, i need to use one network card for that .. while I only have 1 network card
03:47 < admin0> which needs to have both the public and private network ips
03:47 < admin0> can i share the connection and then break it up ?
03:48 < admin0> my single card connects to the isp router , and again connects to my private home network
03:48 < dazo> admin0: dunno ... doubtful .... might be worth lurking around here to hear if others have the needed knowledge ...
03:48 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
03:49 < dazo> spiekey: no, you cannot have multiple clients this way .... have a look at the server mode in the man pages for openvpn ... it's pretty much straight forward
03:50 < dazo> spiekey: --server might be what you need instead ... but it's a while since I've done such small simple setups .... but I believe that should be enough
03:51 -!- |ns|nR8 [n=doof@CPE-124-180-5-205.vic.bigpond.net.au] has joined ##openvpn
03:58 -!- admin0 [n=admin0@bb116-14-116-188.singnet.com.sg] has quit ["Leaving"]
04:07 -!- troy [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn
04:08 -!- \malex\ [i=5BO5rBEO@unaffiliated/malex/x-000000001] has quit [Read error: 60 (Operation timed out)]
04:15 -!- \malex\ [i=PzwUNSH2@44.32582657.org] has joined ##openvpn
04:21 -!- |ns|nR8 [n=doof@CPE-124-180-5-205.vic.bigpond.net.au] has quit [Read error: 110 (Connection timed out)]
04:25 -!- troy [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Connection timed out]
04:39 -!- Evet [n=Evet@unaffiliated/evet] has quit [Read error: 110 (Connection timed out)]
04:39 -!- Evet [n=Evet@88.226.200.142] has joined ##openvpn
04:54 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has joined ##openvpn
04:55 < sehh> hey people
04:55 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
04:57 < sehh> i've installed openvpn on my server and client, by following the instructions in the HOWTO and the sample config files (but I use TCP instead of UDP ports). Once I start them, the client connects to the server and both show connection ok in the log file. Unfortunately I can't ping anything, even though I've disabled all firewalls. Any suggestions please?
04:57 < sehh> server is WinServer2003 and client is WinVista
04:59 < sehh> also, "route print" shows that the routing table has been properly updated on both server and client
05:00 < sehh> i'm not interested in making the client have access to the whole remote network, i only need the client to have access to the server
05:00 -!- tuxick [i=BluesMur@tuxick.xs4all.nl] has quit [Remote closed the connection]
05:00 -!- BluesMurf [i=BluesMur@82.95.232.97] has joined ##openvpn
05:01 -!- BluesMurf is now known as tuxick
05:03 < sehh> !iporder
05:03 < vpnHelper> sehh: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
05:06 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out]
05:08 -!- tuxick [i=BluesMur@82.95.232.97] has left ##openvpn []
05:09 < sehh> do I need to enable IP Forwarding on the server for the VPN to work?
05:44 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
05:47 < sehh> ...
05:52 -!- Saberu [i=Oliver@125.81.163.35] has joined ##openvpn
05:53 -!- \malex\ [i=PzwUNSH2@unaffiliated/malex/x-000000001] has quit [Remote closed the connection]
05:57 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
06:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:16 < dazo> sehh: yes, ip forwarding is needed on the machines which pass network traffic between network interfaces, including tun/tap
06:16 < sehh> ok I've used the registry to enable IP forwarding on the win2003 server
06:17 < dazo> sehh: so if you have a roadwarrior connecting to a VPN to access internal services, only the server needs it ..... if you have site-to-site VPN, it must be enabled on both sides of the VPN tunnel
06:17 < sehh> it made no difference, so now I've stopped trying to make it work with "tun" and instead i tried "tap" and it worked first time!! now I can ping 10.8.0.1 and 10.8.0.2 from both directions!!!
06:18 < dazo> sehh: which version are you running?
06:19 < sehh> next thing to fix is to make the server "appear" with its normal ip address 192.168.1.10 instead of the 10.8.0.1 vpn address
06:19 < dazo> sehh: I know earlier on, TAP was the only thing which worked .... but after some 2.1 RC candidate, I believe TUN began to work as well
06:19 < sehh> version of openvpn? OpenVPN 2.1_rc19 -- released on 2009.07.16 (from the website)
06:19 < dazo> rc19 is very good
06:19 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
06:19 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
06:20 < sehh> nice, at least tap works now for pinging the vpn ip addresses
06:20 < sehh> what do i need to do in order to make the client be able to ping the 192.168.1.10 ip address of the server? is this a routing issue?
06:22 < dazo> yes, that's pure routing .... in the server config .... you can then add: push "route 192.168.1.10" .... or just add: route 192.168.1.10 in the client config
06:22 < sehh> but i don't want the client to be able to access the entire remote network, only the server
06:25 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:26 < dazo> yeah, that's why you want to use route with just an IP address ..... but! to restrict it even more, having good firewall rules on the openvpn server is also crucial
06:27 < dazo> route == host routing ....... route == network routing
06:30 < sehh> aha I'm testing this right now
06:31 < sehh> push "route 192.168.1.10 255.255.255.255"
06:31 < sehh> is that correct?
06:31 < sehh> (i'm adding it in my server config)
06:36 < Evet> can i use openvpn as a proxy?
06:40 -!- brizly1 [n=brizly_v@79.201.151.247] has joined ##openvpn
06:41 < dazo> sehh: if you read the manual ... you'll see that route 192.168.1.10 and route 192.168.1.10 255.255.255.255 are doing the same
06:41 < dazo> Evet: what kind of proxy are you thinking about?
06:41 -!- Deffie [n=Deffie@195.62.234.66] has joined ##openvpn
06:42 < Evet> dazo, first i want to connect my webserver, then make that connect somewhere
06:43 < dazo> Evet: Still not sure what you really want .... but do you want to route all your internet traffic via your web server?
06:43 < dazo> (from your client)
06:43 < Evet> dazo, yes. is it possible?
06:44 < dazo> Evet: yes, that is possible with OpenVPN .... but it's not called proxy server ... but it's more routing traffic via VPN
06:45 -!- c64zottel [n=hans@91.23.167.59] has joined ##openvpn
06:45 < dazo> Evet: what kind of traffic are you going to pass through? If it's just web traffic, or applications supporting SOCKS .... an ssh session with dynamic port forwarding might be just as good ....
06:45 < Evet> dazo, no, i route ssh manually
06:46 < Evet> i just want for
06:46 < Evet> one specific address
06:46 < Evet> not for all web traffic
06:46 < Evet> and only http
06:47 < dazo> Now you are asking for something completely different again .... now you don't want to route all internet traffic via your web server and out on the internet ....
06:47 < sehh> dazo: thank you for your help, apparently the HOWTO needs some modifications to make it "Just Work(TM)"
06:47 < sehh> dazo: with your suggestions I've managed to make everything work
06:48 < sehh> dazo: my next step is to protect the network shares (netbios) from the client
06:48 < dazo> sehh: yeah, everyone says that .... the problem with openvpn is that it is so flexible, that it's difficult to make just one howto to fit all situations .
06:48 < Evet> dazo, i want to route all internet traffic between my pc and a specific remote server
06:49 < dazo> Evet: okey ... I'll try to point you in a direction ....
06:49 < dazo> !howto
06:49 < vpnHelper> dazo: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:49 < sehh> dazo: I believe the HOWTO as it is will never work no matter what, because its missing the bit about IP Forwarding thats a must-have on a Windoze server.
06:50 < Evet> dazo, i read it hours ago
06:50 < Evet> couldnt get anything
06:50 < dazo> sehh: yeah, that's a good point ... but that's usually implied for *nix folks .... wanna route ip traffic, ip forwarding must be enabled .... never thought that it needs to be said explicitly
06:50 < sehh> really? the howto is very easy to follow, it should at least allow you to make a basic connection
06:51 < dazo> Evet: try this one then: http://openvpn.net/index.php/open-source/documentation/miscellaneous/78-static-key-mini-howto.html
06:51 < vpnHelper> Title: Static Key Mini-HOWTO (at openvpn.net)
06:51 < sehh> dazo: same here, I'm using Fedora for everything, thats why I wasn't aware about the registry hack. First time I'm trying to administer silly Windoze systems :( oh well
06:52 < dazo> sehh: yeah .... windoze is a hassle when being in a network .... a pity microsoft tries to make it _the_ network os :-P
06:53 < dazo> ever thought about how safe a windows box would be if you didn't give it an internet connection? :-P
06:53 < sehh> well they are a monopoly, but thank god for Linux, *BSD and the rest... its also nice that at work we only use Linux (Fedora to be specific)
06:54 < sehh> dazo: nah, it wouldn't be safe from all those viruses floating around in USB sticks ;)
06:54 * dazo likes that sehh is using Fedora
06:54 < sehh> yes, F11 to be specific, its nice clean and fast
06:54 < dazo> sehh: heh ... true .... but still more difficult to hack into .... but I'm sure USB DoS attacks would be widely used :-P
06:54 -!- brizly [n=brizly_v@p4FC9987F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:55 < sehh> i believe every single system at work runs Fedora, with the exception of a FreeBSD system
06:55 < ecrist> good morning
06:55 < dazo> sehh: yeah, F11 is nice .... looking fwd to F12, hoping that will be as stable as F8 and F10 were ..... F11 has some annoying issues from time to time
06:55 < sehh> USB DoS attacks haha thats a nice one
06:55 < dazo> morning!
06:56 < sehh> no issues here with F11, except a vfs bug that makes the file system hang on .gvfs special files
06:56 < dazo> Evet: when going through the last link I sent you .... please do yourself the favor of reading through the man page for each of the config options used ... then you might see better how it works
06:56 < sehh> we've reported the bug to redhat's bugzilla, hopefully it will be fixed in the near future
06:57 < Evet> dazo, thanks dude. im on it
06:57 < dazo> sehh: be sure :) Well, you've not been hit by the gnome-power-manager/Xorg bug .... screen blanking randomly?
06:57 < sehh> dazo: YES! wow, i didn't know that was a bug! I thought my monitor was dying :P
06:58 < sehh> gonna google that one, see what kind of bug it is...
06:58 < dazo> sehh: yeah ... gnome-power-manager is using some features in Xorg, which triggers a bug in Xorg ... or something like that .... really annoying
06:59 < dazo> sehh: https://fedoraproject.org/wiki/Common_F11_bugs#Display_goes_blank_briefly.2C_apparently_at_random
06:59 < vpnHelper> Title: Common F11 bugs - FedoraProject (at fedoraproject.org)
06:59 < dazo> hmmmm .... a hotfix is in place now ......
07:22 -!- seirmubsa [n=seirmubs@h120.121.82.166.ip.windstream.net] has quit [Read error: 113 (No route to host)]
07:39 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)]
07:41 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
07:45 -!- c64zottel [n=hans@91.23.167.59] has left ##openvpn []
07:46 -!- Evet [n=Evet@88.226.200.142] has quit [Read error: 110 (Connection timed out)]
07:46 -!- Evet [n=Evet@88.226.200.142] has joined ##openvpn
08:04 -!- NOTORIOUS_VR [n=IceChat7@mail.scmgroupcanada.com] has joined ##openvpn
08:05 < NOTORIOUS_VR> morning all
08:05 < NOTORIOUS_VR> i'm having a heck of an issue adding a static route to a client after connecting through openvpn... can anyone help me?
08:05 < cpm> morn'n
08:05 < NOTORIOUS_VR> I can ping the gateway once I connect through openvpn... but everytime I try to set a static route with the 'route' command it says the gateway doesn't lie on the same network
08:06 < cpm> NOTORIOUS_VR, what OS?
08:06 < NOTORIOUS_VR> when I do a tracert from the client it clearly goes out through the internet and not over the VPN
08:06 < NOTORIOUS_VR> the client is win xp
08:06 < cpm> sorry, can't help ya. Others can no doubt.
08:06 < NOTORIOUS_VR> the openvpn server is integrated into my pfsense box
08:06 < NOTORIOUS_VR> hehe... no worries, thanks though!
08:09 < ecrist> !all
08:09 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:11 < NOTORIOUS_VR> pastebin?
08:11 < NOTORIOUS_VR> i guess you're talkin' to me
08:12 < ecrist> yep
08:12 < NOTORIOUS_VR> what's a pastebin :P
08:13 < cpm> http://pastebin.ca for instance.
08:13 < ecrist> http://lmgtfy.com/?q=what%27s+a+pastebin
08:13 < NOTORIOUS_VR> ahh... gotcha
08:14 < NOTORIOUS_VR> client config (I think that's what you need): http://pastebin.ca/1551476
08:14 < NOTORIOUS_VR> what's the easiest way to get the server config from my pfsense box?
08:15 < Optic> mooo
08:15 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
08:19 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
08:19 < NOTORIOUS_VR> thing is everything works properly except that static route...
08:20 < NOTORIOUS_VR> which is another VPN so maybe that's why? the connection is going through an instagate
08:20 < ecrist> it's not so simple. we need your configs, please
08:21 < NOTORIOUS_VR> not sure how to get the server configs sorry
08:21 < NOTORIOUS_VR> !configs
08:21 < vpnHelper> NOTORIOUS_VR: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:22 < NOTORIOUS_VR> ^^^ that doesn't work
08:25 < NOTORIOUS_VR> says no suck file or directory
08:25 < NOTORIOUS_VR> such*
08:28 < ecrist> NOTORIOUS_VR: I don't know where pfsense keeps its config. if you log into a terminal, however, and use the following command, it could lend a hint: ps auxww | grep openvpn
08:28 < ecrist> on my VPN server, it gives me the output of:
08:28 < ecrist> vpn 13978 0.2 0.6 9496 5700 ?? Ss 1Jul09 375:21.84 /usr/local/sbin/openvpn --cd /usr/local/etc/openvpn --daemon --config /usr/local/etc/openvpn/server.conf --writepid /var/run/openvpn.pid
08:28 < ecrist> which tells me my server config is in /usr/local/etc/openvpn/server.conf
08:38 -!- nuhiNlow [i=qiomakli@adsl-69-148-184-54.dsl.ablntx.swbell.net] has joined ##openvpn
08:39 < NOTORIOUS_VR> awesome..
08:39 < NOTORIOUS_VR> here's the server: http://pastebin.ca/1551497
08:43 < |Mike|> you might want to remove that 255.255 etc
08:43 < |Mike|> lport = port
08:45 < NOTORIOUS_VR> I'm not sure how it would react since the config is done through pfsense's web interface
08:46 < NOTORIOUS_VR> remove 255.255 from push route?
08:46 < |Mike|> no.
08:46 < |Mike|> behind server
08:47 < |Mike|> you might want to add tls-auth as well
08:48 < |Mike|> hmz, according to the 2.0 howto, it's not bad to have 'server x.x.x.x 255.255.255.0'
08:48 < NOTORIOUS_VR> :)
08:48 < |Mike|> !tls-auth
08:48 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
08:49 < NOTORIOUS_VR> sounds like that'll make things more complicated lol
08:49 < NOTORIOUS_VR> I'd like to get the routes working before going more secure :D
08:49 < |Mike|> you want to get MITM'd ? :P
08:52 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
08:54 -!- spiekey [n=mario@projekte.imos.net] has quit [Read error: 113 (No route to host)]
08:54 < |Mike|> you still get it ?
09:00 < ecrist> NOTORIOUS_VR: you're trying to push the static route of 192.168.10.0, and that's what's not working, right?
09:01 < NOTORIOUS_VR> nope
09:01 < NOTORIOUS_VR> I can get to everything @ that route
09:01 < |Mike|> except?
09:01 < NOTORIOUS_VR> I need to make a static route to 100.100.1.1
09:01 < ecrist> and where is that route?
09:01 < NOTORIOUS_VR> was trying to make that @ the client side
09:02 < NOTORIOUS_VR> 100.100.1.1 goes through gateway 192.168.10.6
09:02 * ecrist is trying to get a picture for the topology
09:02 < NOTORIOUS_VR> .6 is an instagate box btw
09:02 < ecrist> so, the 100.100.1.1 IP is on the LAN of the client
09:02 < ecrist> here's what you need, then
09:02 < ecrist> !route
09:02 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:02 < ecrist> !iroute
09:02 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:03 < |Mike|> !topology
09:03 < vpnHelper> |Mike|: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:03 < ecrist> that's not what he needs, |Mike|
09:03 < |Mike|> i needed that
09:03 < |Mike|> haha
09:03 < NOTORIOUS_VR> lol
09:08 -!- drepan [n=pandre@196.25.31.194] has joined ##openvpn
09:16 < drepan> When connecting Openvpn (192.168.200.10/24 gw 192.168.200.1) I am trying to route packets to another network through another device (route add 192.1.1.0 mask 255.255.255.0 gw 192.168.200.20) that is also on the openvpn network. This does not work as the windows client keeps changing the routing table. Anyone experienced something like this before
09:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:17 < ecrist> !route
09:17 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:17 < ecrist> !iroute
09:17 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
09:23 -!- sehh [n=sehh@cust-224-67.on1.ontelecoms.gr] has quit ["Fedora Condom Linux - "shinny, rubbery and roundish...""]
09:27 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
09:30 -!- mirco [n=mirco@p54B2382E.dip.t-dialin.net] has joined ##openvpn
09:34 -!- mirco [n=mirco@p54B2382E.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
09:39 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:45 -!- mirco [n=mirco@p54B2532A.dip.t-dialin.net] has joined ##openvpn
09:49 < NOTORIOUS_VR> ecrist: thanks for all your help! I added the route push command on the server for all the routes I need and everything works like a charm!
09:49 -!- mirco [n=mirco@p54B2532A.dip.t-dialin.net] has quit [Client Quit]
09:50 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
10:00 -!- drepan [n=pandre@196.25.31.194] has left ##openvpn ["Kopete 0.12.7 : http://kopete.kde.org"]
10:04 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
10:04 < ecrist> no problem.
10:05 < NOTORIOUS_VR> I knew it was something small as the route worked on the server no issues... but I guess trying to push it on the client side wasn't the proper way to do it
10:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:19 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has joined ##openvpn
10:22 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection]
10:32 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:50 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
10:52 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn
11:10 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:14 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
11:29 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
11:29 -!- sky_ [n=sky@189.58.172.22.dynamic.adsl.gvt.net.br] has joined ##openvpn
11:30 < sky_> hi for all!!
11:32 -!- SparFux1 [n=raoul@e182020012.adsl.alicedsl.de] has joined ##openvpn
11:32 < SparFux1> Hi people.
11:32 < SparFux1> Is there a way to use openvpn to have peer to peer vpn connections to contacts in a list?
11:33 < SparFux1> Like in Wippien? http://www.wippien.com/
11:33 < vpnHelper> Title: Free P2P VPN software - Wippien. (at www.wippien.com)
11:38 < krzee> no
11:38 -!- henux [i=henrih@unaffiliated/henux] has joined ##openvpn
11:39 < krzee> all connections between peers will flow through the server
11:39 < henux> can Mac OS X and OpenVPN interoperate without a problem?
11:39 < SparFux1> Well, perhaps it would be easy to extend pidgin or some IM client to be able to set up peer to peer vpn connections to its contacts.
11:39 < krzee> henux, yes, i use ovpn on osx every day
11:39 < krzee> SparFux1, not with openvpn
11:39 < henux> krzee: and how about iPhone?
11:40 < krzee> henux, no because nobody has ported tuntap support for the iphone
11:40 < henux> okay thanks
11:40 < SparFux1> krzee: but openvpn can set up several connections, like several interfaces, and it could use one interface to each contact.
11:40 < krzee> SparFux1, ok go invent it then
11:40 < SparFux1> no no, I just have that question.
11:41 < SparFux1> isn't it like this? I mean, how does wippien do things?
11:41 < krzee> but you choose to argue the answer
11:41 < SparFux1> krzee: not argue, I don't mean it like this. Just discuss it.
11:41 < krzee> i dunno, this is not the wippien help chan
11:41 < krzee> but ovpn doesnt work like you asked
11:41 < krzee> that i can tell ya
11:41 < SparFux1> ok.
11:43 < krzee> contact list for p2p, you may like hamachi
11:43 < krzee> ive never used it, cant help with it
11:43 < krzee> but i think it does that
11:44 < SparFux1> yes, I know hamachi, but I'd like a gpl solution, you know.
11:45 < krzee> gpl isnt so special imho
11:45 < krzee> i prefer bsd license
11:45 < SparFux1> yes, or bsd, but hamachi isn't even open source!
11:46 < sky_> krzee yesterday i have tested --test-mtu in openvpn.. but this did a link satellite down for any minutes, is a correct?
11:47 < krzee> it took thel ink down?
11:47 < krzee> the link
11:47 < sky_> yes
11:47 < krzee> oh the vpn link
11:47 < krzee> ya it just tests and stops
11:47 < sky_> satellite link..
11:47 < krzee> then you use the test results to tune your MTU
11:47 -!- kreg-lt is now known as kreg
11:48 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has quit []
11:48 < krzee> if simply testing the mtu took the link which ovpn runs on top of down, you have some sort of bigger problem
11:48 < sky_> but because link is down and return, dont show me result tests..
11:48 < krzee> or it was coincidence
11:48 < sky_> i have tested three times, and all link go to down
11:49 < krzee> very interesting
11:49 < krzee> you have uncovered a bigger issue with your connection
11:49 < krzee> you seem to be able to DOS it simply by changing packet window sizes
11:50 -!- agliodbs [n=agliodbs@dsl081-245-111.sfo1.dsl.speakeasy.net] has left ##openvpn []
11:50 -!- SparFux1 [n=raoul@e182020012.adsl.alicedsl.de] has quit ["Leaving."]
11:50 < sky_> exists other procedure to discovery mtu in linux?
11:51 < krzee> i read somewhere about a method in windows, should be some sort of way to duplicate in windows
11:51 < sky_> me too..
11:51 < krzee> by setting do not frag flag and pinging with diff sizes
11:51 < sky_> what a value secure for i test in a satellite link?
11:52 < krzee> no such value, depends on your link
11:52 < krzee> ive seen some varying answers to that
11:53 < sky_> hmm right..
11:53 < sky_> i search later more about tests for discovery mtu, thankz
11:54 < krzee> np
11:54 < krzee> you could also look for a diff ping util that might support that method i said above
11:54 < krzee> changing packet size and setting not to frag
11:54 < krzee> when you get reply, you found good packet size
11:55 < krzee> make sure to read up on every mtu setting in manual, it can be confusing
11:56 < sky_> yes.. really is confuse.. with parameters mssfix, and others ..
11:58 < krzee> !static
11:58 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
11:58 < krzee> !ccd
11:58 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:04 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit []
12:07 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has joined ##openvpn
12:12 -!- henux [i=henrih@unaffiliated/henux] has left ##openvpn []
12:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:04 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
13:13 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
13:40 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
13:41 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has quit [Remote closed the connection]
13:50 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has joined ##openvpn
13:52 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
13:52 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has joined ##openvpn
13:53 < sky_> \quit
13:53 -!- sky_ [n=sky@189.58.172.22.dynamic.adsl.gvt.net.br] has quit ["..(cyp): BitchX: use it, it makes hair grow in funny places!"]
14:01 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
14:12 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn
14:32 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
14:43 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:54 < BasketCase> !howto
14:54 < vpnHelper> BasketCase: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:55 < BasketCase> !route
14:55 < vpnHelper> BasketCase: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:55 < BasketCase> !redirect
14:55 < vpnHelper> BasketCase: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:58 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn
14:58 < DigitalFlux-AFK> Hey guys
14:59 < DigitalFlux-AFK> i was wondering if OpenVPN can do WAN optimization/acceleration ?
14:59 < DigitalFlux-AFK> and is it really effective ?
15:14 < BasketCase> !topology
15:14 < vpnHelper> BasketCase: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:19 < BasketCase> has anyone tried the new topology subnet feature with OpenBSD as the server?
15:20 < BasketCase> I will probably try it when I get a chance 16:00 -!- Evet [n=Evet@unaffiliated/evet] has quit [] 16:07 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 113 (No route to host)] 16:10 -!- Deffie [n=Deffie@nectarine/admin/deffie] has joined ##openvpn 16:27 -!- Deee_ [n=denismol@81-174-39-217.dynamic.ngi.it] has joined ##openvpn 16:31 -!- phatfish [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has joined ##openvpn 16:34 -!- Deee_ [n=denismol@81-174-39-217.dynamic.ngi.it] has quit [] 16:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 16:39 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 16:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:50 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has left ##openvpn [] 17:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 17:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:30 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 18:22 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has quit ["leaving"] 18:31 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 18:33 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit] 18:34 -!- seirmubsa [n=seirmubs@h120.121.82.166.ip.windstream.net] has joined ##openvpn 18:34 -!- jeiworth_ [n=jeiworth@189.177.121.59] has joined ##openvpn 18:35 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:35 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Read error: 104 (Connection reset by peer)] 18:36 -!- seirmubsa [n=seirmubs@h120.121.82.166.ip.windstream.net] has quit [Client Quit] 18:38 -!- Deffie [n=Deffie@nectarine/admin/deffie] has quit [Read error: 113 (No route to host)] 18:47 -!- mirco [n=mirco@p54B26EE7.dip.t-dialin.net] has quit [] 18:54 -!- nuhiNlow 
[i=qiomakli@adsl-69-148-184-54.dsl.ablntx.swbell.net] has quit ["There are two major products that come out of Berkeley: LSD and UNIX. We don't believe this to be a coincidence."]
19:11 -!- jeiworth_ [n=jeiworth@189.177.121.59] has quit [Read error: 110 (Connection timed out)]
19:42 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
19:45 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
19:51 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
20:00 -!- dft_ [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
20:08 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
20:09 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
20:45 < Optic> moo
20:50 < dft> oi
20:57 < dft> okay, I know I've asked this already but I'm still having issues getting the vars file to source properly under openbsd4.5
20:58 < dft> I keep getting errors like HOME not found, RANDFILE not found etc
20:58 < dft> I've modified the appropriate variables as laid out in the setup guide
20:59 < dft> from what I understand I shouldn't have to touch the openssl.cnf that comes with openvpn, but I'm thinking I may have to
21:02 -!- epaphus [n=unix3@201.199.41.166] has quit [Read error: 110 (Connection timed out)]
21:11 -!- master_of_master [i=master_o@p549D3F5F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 -!- master_of_master [i=master_o@p549D3AED.dip.t-dialin.net] has joined ##openvpn
21:48 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:25 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
22:29 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
22:29 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
22:34 < BasketCase> dft: I run my OpenVPN server on OpenBSD 4.5 and I don't remember having to do anything non-standard to easy-rsa
22:35 < BasketCase> I just remember being a little confused about which directory to be in when I sourced it
22:36 < dft> do you recall which directory you were in?
22:36 < BasketCase> not really
22:36 < dft> damn
22:36 < BasketCase> I only did it once ;)
22:37 < BasketCase> also, there are two different versions of easy-rsa
22:37 < dft> right, I've been working with 2.0 only for the time being
22:37 < dft> perhaps I need to try the other
22:38 < BasketCase> I appear to have used the older version
22:38 < BasketCase> at least it is the one that has my site info in vars
22:38 < dft> ahah, finally a clue
22:38 < dft> let's see what I can muster up with 1.0
22:40 < dft> wellie wellie well
22:40 < dft> no errors
22:40 < BasketCase> http://dpaste.com/88967/ < my vars file
22:41 < BasketCase> I don't use a shell with that syntax though so I ended up translating it
22:42 < BasketCase> it works well on OpenBSD btw
22:42 < dft> well I've sourced vars without errors from openssl.cnf so I think I'm on to something
22:42 < dft> I figured as much, Theo and team are very particular about what goes into ports
22:42 < BasketCase> I don't see anything in my openssl.cnf file that looks like something I would have done
22:43 < BasketCase> I have been using it on an old K6-2 500MHz system and it still works fine
22:43 < dft> I'm running build-ca now
22:43 < BasketCase> though I am about to upgrade that to a nice low powered Atom based system
22:43 < dft> I have a p3 500 I'm toying with
22:44 < BasketCase> I use OpenBSD as my router/firewall
22:44 < BasketCase> and love it for that
22:44 < dft> that's all I've used it for
22:44 < dft> pf
22:44 < BasketCase> I have used it as a desktop but that was a long time ago
22:44 < BasketCase> yeah, pf is wonderful
22:45 < dft> I've had the same pf for years, thought it was time to upgrade
22:45 < BasketCase> I take great pleasure in having the newest version of OpenBSD up and running the day it comes out and having exactly 6 months of uptime when the next version shows up
22:46 < dft> BasketCase: ty so much for the hint about the old easy-rsa
22:46 < BasketCase> can't do that this time though as I had a hardware failure and had to temporarily replace the K6 with an old 1.3GHz tbird
22:46 < BasketCase> but it sucks way too much power for a router
22:46 < BasketCase> ~92W
22:46 < dft> ouch
22:46 < dft> yeah I guess an atom based box would be ideal
22:46 < BasketCase> I expect the Atom system I ordered last night to be 20-25W
22:46 < dft> nice Mhz and with a good chunk of ram you're set
22:47 < BasketCase> but that is an educated guess
22:47 < BasketCase> the system is diskless so I don't have to spin a hard drive
22:47 < dft> are you going to pxe boot it or usb stick?
22:47 < BasketCase> PXE
22:47 < BasketCase> already doing that
22:48 < BasketCase> for about a year
22:48 < dft> interesting idea
22:48 < BasketCase> I originally did that because I wanted redundant storage and OpenBSD's software RAID was horrible
22:48 < BasketCase> so it runs off of Linux software RAID
22:48 < dft> pardon the typos, netbook kbd is a pain sometimes
22:49 < BasketCase> yeah, I have one of those too
22:50 < dft> well time to chill as I build-dh
22:50 < BasketCase> lol
22:50 < BasketCase> those old CPUs take a while
22:50 < dft> no kidding
22:50 < BasketCase> my first OpenBSD system was a 40MHz SS2
22:50 < BasketCase> took forever to build ssh keys
22:50 < dft> I bet
22:50 < dft> I think my first openbsd box was a p133
22:51 < BasketCase> did that too
22:51 < BasketCase> the SS2 was probably faster
22:53 < dft> brb
23:31 -!- mrbnet [n=mrbnet@c-75-73-142-28.hsd1.mn.comcast.net] has joined ##openvpn
23:34 < mrbnet> I have a firewall with 2 WAN adapters. I have configured local to one of the wan IPs but when I start openvpn it shows GW of the other wan adapter in the Openvpn practive
23:34 -!- deblike [n=xchat@88.204.14.105] has joined ##openvpn
23:39 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: chantra_, brah, davidisko, disco-, DigitalFlux-AFK, pa, BasketCase, worch, kaii, CoffeeIV_, (+23 more, use /NETSPLIT to show all of them)
23:41 -!- Netsplit over, joins: jreno_, chantra_, oc80z, DigitalFlux-AFK, xenophile7x7, epaphus, RexMundi, Optic, davidisko
23:42 -!- Saberu [i=Oliver@125.81.163.35] has joined ##openvpn
23:42 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn
23:42 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
23:42 -!- melvin_ [n=melvin@port-87-193-219-24.static.qsc.de] has joined ##openvpn
23:42 -!- kn0x [n=pinochle@67.159.48.101] has joined ##openvpn
23:42 -!- Bushmills [n=nnnnnnl@verhau.de] has joined ##openvpn
23:42 -!- worch [i=worch@battletoad.com] has joined ##openvpn
23:42 -!- garnser [n=jpeterss@gw2.mysql.com] has joined ##openvpn
23:42 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
23:43 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn
23:43 -!- hyper_ch [n=hyper@adsl-84-227-14-25.adslplus.ch] has joined ##openvpn
23:43 -!- danieldg [n=me@about/networking/240.0.0.0/danieldg] has joined ##openvpn
23:43 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
23:43 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
23:43 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
23:43 -!- master_of_master [i=master_o@p549D3AED.dip.t-dialin.net] has joined ##openvpn
23:43 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has joined ##openvpn
23:43 -!- WormFood [n=wormfood@59.40.76.214] has joined ##openvpn
23:43 -!- CoffeeIV_ [n=CoffeeIV@adsl-99-162-117-1.dsl.austtx.sbcglobal.net] has joined ##openvpn
23:43 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
23:43 -!- kaii [n=kai@ciphron.de] has joined ##openvpn
23:43 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
23:43 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
23:43 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn
23:43 < BasketCase> ahh, that explains why the bot was ignoring me
23:46 < BasketCase> if I want to use topology subnet and I want to ccd push a specific VPN IP to the client what IP would I use for the second parameter? the .1?
23:47 < BasketCase> !ccd
23:47 < vpnHelper> BasketCase: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
--- Day changed Thu Sep 03 2009
00:05 < BasketCase> actually, I can't seem to get ccd to work at all :\
00:09 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
00:14 -!- deblike [n=xchat@88.204.14.105] has quit [Client Quit]
00:16 < rawDawg> BasketCase
00:16 < rawDawg> !configs
00:16 < vpnHelper> rawDawg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:24 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:26 -!- rawD [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:26 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
00:34 -!- rawD [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
00:35 < BasketCase> how can I tell for certain what "common name" was used to generate an ssl cert?
00:38 < BasketCase> nm that 00:38 < BasketCase> I isolated my problem but not sure what is going on: 00:38 < BasketCase> Thu Sep 3 01:37:20 2009 192.168.11.46:57295 TLS Auth Error: --client-config-dir authentication failed for common name 'laika2.sanitarium.net' file='/etc/openvpn/ccd/laika2.sanitarium.net' 00:38 < BasketCase> # file /etc/openvpn/ccd/laika2.sanitarium.net 00:38 < BasketCase> /etc/openvpn/ccd/laika2.sanitarium.net: ASCII text 00:38 < BasketCase> permissions on the file and the dir are world readable 00:39 < BasketCase> so my ccd isn't working because it doesn't see the ccd file which is there 00:39 < hyper_ch> !howto 00:39 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:39 < BasketCase> I set ccd-exclusive to force it to fail there 00:40 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)] 00:49 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: chinsan_, hyper_ch, danieldg, plaerzen, tjz, garnser, disco-, ThoMe, fkr 00:50 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: pa, BasketCase, kaii, CoffeeIV_, HardDisk_WP, WormFood, stephenh, redfox, master_of_master 00:52 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 00:52 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has quit [Read error: 104 (Connection reset by peer)] 00:52 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn 00:52 -!- DigitalFlux-AFK [n=DigitalF@98.142.211.26] has joined ##openvpn 00:53 -!- Netsplit over, joins: master_of_master, BasketCase, WormFood, CoffeeIV_, HardDisk_WP, kaii, stephenh, pa, redfox 00:53 -!- Netsplit over, joins: garnser, plaerzen 00:53 -!- Netsplit over, joins: tjz, chinsan_, hyper_ch, danieldg, fkr, ThoMe, disco- 00:53 -!- oc80z [i=oc80z@blea.ch] has quit [Connection reset by peer] 00:53 -!- chantra_ [n=chantra@ns22757.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 01:05 -!- roentgen 
[n=HaRT@miranda/user/roentgen] has quit [] 01:12 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: garnser, plaerzen 01:13 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: disco-, pa, BasketCase, kaii, CoffeeIV_, hyper_ch, ThoMe, danieldg, HardDisk_WP, WormFood, (+6 more, use /NETSPLIT to show all of them) 01:23 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 01:26 -!- Netsplit over, joins: master_of_master, BasketCase, WormFood, CoffeeIV_, HardDisk_WP, kaii, stephenh, pa, redfox 01:26 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 01:26 -!- Netsplit over, joins: garnser, plaerzen 01:26 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has quit [Connection timed out] 01:26 -!- Blu3 [i=david@blue-labs.org] has joined ##openvpn 01:26 -!- Netsplit over, joins: tjz, chinsan_, hyper_ch, danieldg, fkr, ThoMe, disco- 01:26 -!- oc80 [i=oc80z@blea.ch] has quit [Connection timed out] 01:26 -!- chantra [n=chantra@ns22757.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 01:26 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 01:27 < BasketCase> ok, as usual once I realized the problem it was obvious... 01:27 < BasketCase> if you use ccd and chroot the ccd is relative to the chroot. 
01:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:32 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: disco-, pa, BasketCase, kaii, CoffeeIV_, hyper_ch, ThoMe, Blu3, danieldg, HardDisk_WP, (+9 more, use /NETSPLIT to show all of them)
01:39 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn
01:39 -!- Netsplit over, joins: master_of_master, BasketCase, WormFood, CoffeeIV_, HardDisk_WP, kaii, stephenh, pa, redfox
01:39 -!- Netsplit over, joins: garnser, plaerzen
01:40 -!- Netsplit over, joins: Blu3, tjz, chinsan_, hyper_ch, danieldg, fkr, ThoMe, disco-
01:40 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
01:40 -!- oc80z [i=oc80z@blea.ch] has quit [Connection reset by peer]
01:42 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- Blu3 [i=david@BlueLabs/Blu3] has left ##openvpn ["I ❤♥❤ Guys"]
02:03 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
02:09 < fkr> ahoi
02:18 < krzee> !route
02:18 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:33 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
02:34 < melvin_> Good Morning everyone
02:34 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:39 < melvin_> I still have the Problem with Connection Timeouts. I use tls-server with tcp and tap devices. test client is in the same subnet as server. after some time i get "connection timeout (code 110)" what can i do?
02:42 < reiffert> why tcp?
02:43 < krzee> !tcp
02:43 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:43 < krzee> !tunortap
02:43 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
02:43 < krzee> morning reiffert
02:43 < reiffert> morning krzee, all fit?
02:44 < reiffert> [is] everything ok?
02:44 < krzee> yes, you?
02:44 < reiffert> hehehehe :)
02:45 < krzee> goog said it was "all fit" but i figured how that could mean that
02:45 < melvin_> reiffert: it should run on port 443.
02:45 < krzee> melvin_, can udp 53 outbound work?
02:45 < krzee> you can tell by trying to use 4.2.2.1 as your NS
02:46 < krzee> !factoids search dns
02:46 < vpnHelper> krzee: 'pushdns' and 'dns'
02:46 < krzee> !dns
02:46 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1
02:46 < melvin_> krzee: i thought on most firewalls it is blocked
02:46 < krzee> depends
02:46 < krzee> quite often they let you use any NS
02:46 < krzee> but they may not
02:47 < melvin_> i want to use openvpn behind some other firewall for roadwarrior
02:47 < melvin_> so i thought 443 tcp may be the best
02:47 < melvin_> tcp over tcp isn't the best but should work, shouldn't it?
02:48 < krzee> could run one on each, udp is worth using when you can if you plan on using tcp traffic over the vpn
02:48 < krzee> read the doc:
02:48 < krzee> !tcp
02:48 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:48 < krzee> that is linked to from the ovpn manual
02:49 < melvin_> any safe udp port i can use?
02:49 < krzee> [03:45] melvin_, can udp 53 outbound work?
02:49 < krzee> [03:45] you can tell by trying to use 4.2.2.1 as your NS
02:49 < krzee> [03:46] krzee: i thought on most firewalls it is blocked
02:49 < krzee> [03:46] depends
02:49 < krzee> [03:46] quite often they let you use any NS
02:49 < krzee> [03:46] but they may not
02:50 < krzee> thats as safe of a udp port as you'll find
02:50 < reiffert> :)
02:50 < reiffert> Your time is 4 minutes off
02:50 < krzee> lol
02:50 < krzee> island time ;]
02:50 < reiffert> :D
02:51 < reiffert> Oh wait, my brain lacks ...
02:51 < krzee> it syncs with ntp
02:51 < melvin_> ok
02:52 < melvin_> any way to work with tcp port? or is it supposed to fail anyway
02:52 < krzee> are you serious?
02:52 < reiffert> he didnt read the tcp link.
02:52 < krzee> good call
02:53 < melvin_> on reading
02:55 < melvin_> why does ssh portforwarding work? it uses the same methods
02:56 < krzee> tcp will work, but it wont be as reliable
02:57 < krzee> which is what that doc explains
02:57 < krzee> its not the best method
02:58 < krzee> and ssh works as a SOCKS server, which is a proxy, not a full packet encapsulation tool for the IP (or in your case since you use tap, ethernet) layer
02:58 < krzee> which is why i said:
02:58 < krzee> !tcp
02:58 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:59 < krzee> !tunortap
02:59 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
02:59 < reiffert> ssh supports tunneling networks with tun nowadays.
02:59 < krzee> no shit?
02:59 < reiffert> no shit
02:59 < krzee> hah i didnt know that
03:00 < krzee> http://blog.tiensivu.com/aaron/archives/272-SSH,-TUN-devices,-and-3com-NBX.html
03:00 < vpnHelper> Title: SSH, TUN devices, and 3com NBX - Aaron Tiensivu's Blog (at blog.tiensivu.com)
03:00 < krzee> ya, no shit
03:00 < krzee> ;]
03:00 < melvin_> i need tap to use an external dhcp server
03:00 < krzee> his last line, You could also do the same type of thing with OpenVPN, but I'm more comfy with SSH so far.
03:01 < krzee> why do you need the external dhcp server?
03:01 < melvin_> for ddns entries of the clients. so i can reach them without knowing the actual ip address
03:02 < reiffert> :)
03:02 < krzee> so you can reach them from machines other than the server, right?
03:03 < krzee> so they are each getting an inet routable ip from the external dhcp?
03:03 < reiffert> afk, bye bye
03:04 < melvin_> krzee: they are getting an internal address from the dhcp server + routing information
03:04 < krzee> melvin_, have you made this work as expected?
03:04 < krzee> later reif
03:05 < melvin_> almost. windows client works, linux clients need static address
03:05 < krzee> i dont see how you could have each of them on a diff dyndns
03:05 < krzee> if they are all on the same inet routable ip
03:06 < krzee> in which case you are NAT'ing and dont need the dhcp server
03:07 < melvin_> the openvpn server has an inet address that is transferred to an internal address. clients connect on this tap-bridge and get a dhcp address from the internal dhcp server
03:07 < krzee> ya, thats not needed
03:08 < krzee> but anyways
03:08 < melvin_> the clients all stay in the same subnet. its just a dhcp scope
03:08 < krzee> your timeout error...
03:08 < krzee> its after a successful connection was up for a bit?
03:08 < melvin_> yes
03:08 < krzee> try udp
03:08 < krzee> switching to tun would help as well
03:08 < melvin_> no matter if connected through the firewall or internal
03:08 < krzee> in which case youd simply nat like you already are
03:09 < krzee> but youd also nat the vpn subnet
03:09 < melvin_> ok
03:09 < krzee> but main thing that would help is udp
03:09 < krzee> even with tun, with any packet loss tcp can cascade downhill
03:11 < melvin_> ok. but then it doesn't work from everywhere :(
03:11 < krzee> then have both
03:11 < krzee> as i orig said
03:11 < krzee> you can run 2 ovpn instances
03:11 < melvin_> why is tcp possible when it doesn't work well?
03:12 < krzee> because of your situation
03:12 < krzee> you want both, so you can use the worse choice (tcp) when udp doesnt work
03:12 < melvin_> yes. sounds good
03:13 < melvin_> can i improve the tcp situation with different mtu or other tricks?
03:14 < krzee> well you could test mtu from a few locations, if you see its always lower, sure
03:14 < krzee> but not likely for road warrior setup
03:16 -!- joel__ [n=joel@193.145.14.94] has joined ##openvpn
03:16 < krzee> !mtu
03:16 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
03:16 < joel__> anyone knows why doing: push "dhcp-option DNS 1.2.3.4" does not work? :S
03:16 < krzee> joel__,
03:16 < krzee> !pushdns
03:16 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
03:17 < melvin_> one other question. if i don't use dhcp there is no need for tap? how much is the overhead / speed difference between tap and tun
03:17 < krzee> melvin_, the exact amount as the overhead for layer2
03:17 < krzee> per packet
03:19 < krzee> !forum
03:19 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
03:20 < melvin_> krzee: ok. 10% or 5%?
03:22 < reiffert> 32/1500 per packet + broadcast + multicast traffic.
03:22 < melvin_> ok. sounds not that much
03:24 < melvin_> if i post the client output, can you see why tcp failed after a while?
03:25 -!- deblike [n=xchat@88.204.14.105] has joined ##openvpn
03:31 < joel__> krzee, i already did it, but when i disconnect i get with no nameservers listed at all at /etc/resolv.conf
03:34 < dazo> joel__: In Linux, you'll need the resolvconf package installed .... and you need --up scripts .... most probably also the down-root plug-in if you run openvpn as a non-privileged user
03:34 * dazo looks up a tutorial on this
03:35 < joel__> dazo: i already have installed resolvconf package, and i am using update-resolv-conf script both for "up" and for "down"
03:35 < dazo> joel__: http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html
03:35 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net)
03:35 < dazo> joel__: then it should work .... are you sure the openvpn process got the needed privileges to update /etc/resolv.conf?
03:36 < dazo> krzee: the link over here is a worthy candidate to be added to !pushdns
03:36 < joel__> dazo: not sure of that but it should work by default, i am using debian 5
03:36 < dazo> joel__: do you use --user and/or --group in your openvpn config?
03:36 < joel__> no
03:37 < dazo> joel__: do you start openvpn as root?
03:37 < joel__> yes
03:37 < joel__> by doing /etc/init.d/openvpn start
03:39 < dazo> joel__: then it must be some issues with your scripts .... other users here on this channel have had success with the link I posted here now .... double check against that one
03:40 < joel__> dazo: let me try.. (but i doubt there is a non-working script with openvpn package in debian btw)
03:41 < dazo> joel__: last famous words ;-)
03:42 < dazo> joel__: debian still ships the old 2.1_rc7 or so? ... I strongly advise you to upgrade to the rc19 release if not
03:42 < dazo> (or at least rc15)
03:43 < joel__> dazo: 2.1~rc11-1
03:43 * dazo thought so
03:46 < joel__> dazo: that link does not work.
03:46 < joel__> dazo: i mean, i followed its instruction but they are fake.
03:46 < joel__> it still does not update any resolv.conf
03:49 < dazo> joel__: then you need to dig into all the log files which have been touched .... increase logging to openvpn, etc, etc ... do you use --script-security ? Is that set to the proper security level?
03:49 < joel__> Hmm.. this is weird.. before i tried by using "up update-resolv-conf" and "down update-resolv-conf" and it did not work, now, suddenly it is working.
03:49 < dazo> joel__: this is not rocket science .... a lot of users use this feature in OpenVPN ...
03:49 < dazo> heh
03:50 < joel__> dazo: yes, but that link (phocean.net) does not work.
03:50 -!- DexterF [n=dexter@ip-88-153-214-143.unitymediagroup.de] has joined ##openvpn
03:50 < DexterF> hi
03:50 < dazo> joel__: well, I have reports from users that it works very well
03:51 < dazo> but each computer setup is different
03:51 < DexterF> vpn n00b question: got a machine at home with linux on it and would like to connect from outside by vpn from a windows machine. trouble is, the firewall the win machine goes thru slams in fake RST packets every once in a while
03:52 < DexterF> this effectively means I can't establish a solid ssh tunnel, so I thought I'd have a look at how openvpn handles such discomforts
03:54 -!- RexMundi_ [n=RexMundi@77.95.99.166] has joined ##openvpn
03:54 -!- RexMundi [n=RexMundi@77.95.99.166] has quit [Read error: 104 (Connection reset by peer)]
03:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:23 < Bushmills> DexterF: udp is connectionless. run openvpn over udp (which is default anyway)
04:30 < DexterF> Bushmills: but I need to tunnel thru tcp 443 (firewall). how about that?
04:32 < Bushmills> if you (have to) use tcp for openvpn, incoming connections can be reset by fake RST.
04:33 < Bushmills> maybe try to filter them with firewall
04:47 < DexterF> Bushmills: I'm not the admin
04:47 < DexterF> and I wouldn't know how to filter out RST packets on Windows
04:48 < Bushmills> invoke magic
05:05 -!- joel__ [n=joel@193.145.14.94] has quit ["Saliendo"]
05:12 -!- kyrix [n=ashley@91-115-188-168.adsl.highway.telekom.at] has joined ##openvpn
05:21 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: krzie, brah, qknight, RexMundi_, davidisko, dazo, |Mike|, disco-, oc80, DexterF, (+56 more, use /NETSPLIT to show all of them)
05:21 -!- Netsplit over, joins: phatfish, kleind
05:22 -!- Netsplit over, joins: RexMundi_, DexterF, deblike, roentgen, chantra, disco-, ThoMe, fkr, danieldg, hyper_ch (+26 more)
05:26 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Remote closed the connection]
05:26 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn
05:26 -!- deblike [n=xchat@88.204.14.105] has quit [Client Quit]
05:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:27 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:27 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
05:27 -!- kyrix [n=ashley@91-115-188-168.adsl.highway.telekom.at] has joined ##openvpn 05:27 -!- mrbnet [n=mrbnet@c-75-73-142-28.hsd1.mn.comcast.net] has joined ##openvpn 05:27 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn 05:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 05:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:27 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn 05:27 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 05:27 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn 05:27 -!- zu [n=zu@bucketheaded.eu] has joined ##openvpn 05:28 -!- NOTORIOUS_VR [n=IceChat7@mail.scmgroupcanada.com] has joined ##openvpn 05:28 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 05:28 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 05:28 -!- dazo [n=dazo@nat/redhat/x-nzkqxsatollsgkzx] has joined ##openvpn 05:28 -!- Snadder [i=sander@084202100202.customer.alfanett.no] has joined ##openvpn 05:28 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn 05:28 -!- ribasushi [n=rabbit@dslb-084-063-046-216.pools.arcor-ip.net] has joined ##openvpn 05:28 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn 05:28 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 05:28 -!- mius [n=miusf@earthtomoon.net] has joined ##openvpn 05:28 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 05:28 -!- dazo [n=dazo@nat/redhat/x-nzkqxsatollsgkzx] has quit ["Leaving"] 05:28 -!- dazo_ [n=dazo@nat/redhat/x-vgvsdkqhyqebxvwp] has joined ##openvpn 05:28 -!- brizly1 [n=brizly_v@79.201.151.247] has joined ##openvpn 05:28 -!- eliasp [n=quassel@95.208.45.212] has joined ##openvpn 05:28 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn 05:28 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 05:31 -!- dazo_ is now known as dazo 05:38 
< |Mike|> !tls-auth 05:38 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 05:39 < |Mike|> !secure 05:39 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 05:39 < |Mike|> krzie: 05:39 < |Mike|> !iroute 05:39 < vpnHelper> |Mike|: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 05:39 < |Mike|> !route 05:39 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:41 -!- kyrix [n=ashley@91-115-188-168.adsl.highway.telekom.at] has quit ["Leaving"] 05:53 < melvin_> krzee: I got the same disconnection on udp 05:55 < |Mike|> melvin_: unstable provider? 05:56 < melvin_> |Mike|: the test runs with the external network of the firewall and a DSL connection. 05:57 < melvin_> |Mike|: internal connection breaks also 05:57 < melvin_> seems no difference if udp or tcp 05:58 < melvin_> reinserting username and password brings "tls handshake failed" 05:59 < melvin_> only restarting the openvpn client works 05:59 < |Mike|> username and password? 06:00 < melvin_> I use the pam plugin for user-auth 06:01 < |Mike|> okay 06:01 < melvin_> for me it seems to be no problem with tcp-over-tcp, but the tls after some while 06:01 < melvin_> I get a soft restart, but this didn't work 06:01 < melvin_> only restarting the client helps.
06:04 < |Mike|> is that client behind a router? 06:06 < melvin_> yes. I have a separate inet connection for testing 06:06 < melvin_> but I also try to connect internally with another client 06:07 < melvin_> connection breaks mostly after 30 min 06:22 < dazo> melvin_: have you tried adding --ping on the client? 06:23 < dazo> from man page: "(1) Compatibility with stateful firewalls. The periodic ping will ensure that a stateful firewall rule which allows OpenVPN UDP packets to pass will not time out." 06:33 < melvin_> dazo: I thought keepalive on the server would do this 06:33 < dazo> melvin_: do you have low enough values then? 06:37 -!- NOTORIOUS_VR [n=IceChat7@mail.scmgroupcanada.com] has quit ["Don't push the red button!"] 06:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:40 -!- brizly [n=brizly_v@p4FC99D89.dip0.t-ipconnect.de] has joined ##openvpn 06:41 < melvin_> keepalive 30 120 06:41 < melvin_> if I increase the log level I can see the "ping" 06:41 < melvin_> seems to work like a charm 06:41 < melvin_> network is DSL 10 mbit or the external switch of the firewall 06:42 < melvin_> but after some time it breaks with a tls error 06:42 < dazo> melvin_: does the server or the client side break the connection? ... can you see that from the log files? 06:42 < melvin_> tls-auth is disabled for testing 06:43 < dazo> melvin_: tls-auth is not the same as tls .... TLS is used whenever you are using certificates 06:43 < melvin_> haven't figured out yet. 06:43 < dazo> melvin_: tls-auth is an extra security level, useful only on udp connections 06:44 < melvin_> server says: "[UNDEF] Inactivity timeout (--ping-restart), restarting" 06:44 < melvin_> client brings the login up 06:44 < dazo> melvin_: that means that the client dies 06:44 < melvin_> network connection is stable 06:44 < dazo> melvin_: you need to check up your router/firewall on the client side ....
it seems that you have some equipment which does not allow connections to be established for more than xx minutes 06:46 < dazo> melvin_: have you tried to stream video or audio for a long time? does that last longer than an openvpn session? using mplayer to do the streaming may help to catch re-connections 06:46 < melvin_> yes, that's what I thought too. but my second test client is connected on the external switch. client hangs directly on the inet 06:47 -!- brizly1 [n=brizly_v@79.201.151.247] has quit [Read error: 145 (Connection timed out)] 06:48 < melvin_> and if I put the client on the same switch as the server runs on, the disconnections occur too 06:48 < dazo> melvin_: check your firewall config on that box then 06:50 < melvin_> ok 07:22 -!- DexterF [n=dexter@ip-88-153-214-143.unitymediagroup.de] has quit ["leaving"] 07:23 < ecrist> good morning 07:51 -!- mrbnet [n=mrbnet@c-75-73-142-28.hsd1.mn.comcast.net] has quit [Read error: 113 (No route to host)] 08:06 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:12 < Optic> moo 08:22 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:23 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 08:23 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 08:46 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:55 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 08:58 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Remote closed the connection] 08:58 -!- garnser [n=jpeterss@gw2.mysql.com] has joined ##openvpn 09:02 -!- mobidroid [n=mobidroi@modemcable170.13-20-96.mc.videotron.ca] has joined ##openvpn 09:05 < mobidroid> Hi there, I configured my vpn server and client; using Tunnelblick (on Mac OS X) it connects like a charm, but I can't ping anything other than the vpn server. I guess I need to add a route to allow all my client internet traffic to pass through the vpn server?!
09:07 < dazo> mobidroid: that's right, sounds like routing and maybe even firewalling 09:07 < dazo> !route 09:07 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:07 < dazo> mobidroid: ^^ 09:08 < mobidroid> I'm just a bit confused whether the config must be server side or client side? 09:08 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [Remote closed the connection] 09:08 < mobidroid> nevermind, let me read first ;) 09:09 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Read error: 60 (Operation timed out)] 09:09 < dazo> mobidroid: do the reading, you might need some routes on the server .... but normally, you need it on the client. But, to complicate it a little bit more .... you can push routes to the client from the server .... using --push "route " 09:10 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:16 < mobidroid> yeah, all conf is pushed from the server to the client because I don't see any route conf in my client conf file 09:18 -!- OzoneCo [n=OzoneCo@76.85.140.14] has joined ##openvpn 09:18 -!- js__ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has joined ##openvpn 09:26 -!- OzoneCo [n=OzoneCo@76.85.140.14] has left ##openvpn [] 09:29 < mobidroid> I read; the example is more for reaching a LAN behind a client, not sure what route I need to add to tell my client1 to reach "the internet" using the server config...
Here are the 3 routes I see in my client log: http://pastebin.com/m7fbb8ffc 09:30 < mobidroid> the 192.168.2.1 I guess is the LAN behind my client; adding the route SERVER -> LAN CLIENT 1 makes no sense to me 09:33 -!- js_ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has quit [Read error: 110 (Connection timed out)] 09:33 -!- Saberu [i=Oliver@125.81.163.35] has quit [Read error: 110 (Connection timed out)] 09:34 < mobidroid> !howto 09:34 < vpnHelper> mobidroid: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:35 -!- js__ is now known as js_ 09:37 < mobidroid> I think I need this: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE 09:39 < |Mike|> !linnat 09:39 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 09:39 < |Mike|> there ya go. 09:42 < mobidroid> yeah, took it from the howto but not much success :( How can I know what the routing is on my client? I tried traceroute and it didn't show much info.
I'm a bit of a n00b in networking, sorry 09:42 < |Mike|> !all 09:42 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 09:43 < mobidroid> k, I'll re-pastebin according to your standard, hold on :) 09:49 < mobidroid> http://pastebin.com/m483f264d 09:50 < mobidroid> I tried iptables -L to see the list of rules but don't know what "chain" to use :S 09:54 < mobidroid> !interface 09:54 < vpnHelper> mobidroid: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:55 < ecrist> These are for me. 09:55 < ecrist> !route 09:55 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:57 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 09:57 < mobidroid> http://pastebin.com/d30d0768 with the interface thingie 09:58 -!- c64zottel [n=hans@p5B17A50F.dip0.t-ipconnect.de] has joined ##openvpn 09:58 -!- c64zottel [n=hans@p5B17A50F.dip0.t-ipconnect.de] has left ##openvpn [] 09:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 09:59 < mobidroid> http://pastebin.com/m168965f6 with the route thingie $#@@#$ 09:59 < dazo> mobidroid: iptables - INPUT chain is for traffic which is destined to go only to the current box ....
FORWARD chain is needed to control traffic which is being forwarded (routed) by the current box (meaning, traffic in from one interface going out on another interface) 10:01 < mobidroid> yeah, so it looks like my FORWARD chain is screwed? 10:01 < dazo> mobidroid: and OUTPUT chain is for traffic leaving the current box ...... INPUT and OUTPUT go for traffic in/out of the current box's local services ..... while FORWARD is used when it just passes traffic 10:02 < dazo> mobidroid: I haven't paid too much attention to everything here .... but it could be, yes .... another thing ... have you enabled ip_forwarding on your openvpn server? 10:02 < mobidroid> the problem is that when I type iptables -L no rules appear anywhere 10:02 < dazo> mobidroid: and the default policy is then ACCEPT, I presume? 10:03 < mobidroid> dazo: my conf is here: http://pastebin.com/m168965f6 I guess the forward has been put in 10:03 < dazo> cat /proc/sys/net/ipv4/ip_forward (to check if forwarding is enabled) 10:03 < mobidroid> yup, ACCEPT is the policy 10:03 < mobidroid> arggg, it's at 0 10:04 < dazo> okay, that means no firewalling on the filter table in iptables ..... but you still got a few other tables .... you mentioned POSTROUTING 10:04 < mobidroid> so forwarding is off? 10:04 < dazo> yup 10:04 < dazo> echo 1 > /proc/sys/net/ipv4/ip_forward 10:04 < mobidroid> k 10:05 < dazo> (or you can edit /etc/sysctl.conf to enable it on boot ..... add a line like: net.ipv4.ip_forward = 1 10:05 < mobidroid> dazo ur the man! it works!!!! 10:05 < dazo> mobidroid: cool! :) 10:05 < mobidroid> Thx a lot! don't know why this damn flag was at 0, I remember putting it on in the past 10:06 < mobidroid> is this value reset by something somehow at reboot? 10:06 < dazo> mobidroid: you're welcome! Glad it worked! But! remember that it is now reset on boot .... you must edit /etc/sysctl.conf to enable it during boot 10:06 < mobidroid> ahhh, that's why!
:) 10:06 < mobidroid> thx a lot, learned something today :) 10:07 < ecrist> ping krzee 10:07 < dazo> mobidroid: it's a kernel parameter .... and all changes done in /proc and /sys are only changing parameters in memory 10:08 < mobidroid> ok cool :) Now let's subscribe to google voice mouahahha :) Thx dazo, I was getting depressed :P 10:08 < dazo> mobidroid: have fun ;-) 10:08 < mobidroid> u bet :) Thx all for your help, cheers 10:09 -!- Igor_AKA_Warrior [n=igor@65.215.13.196] has joined ##openvpn 10:12 < Igor_AKA_Warrior> hello guys 10:12 < ecrist> hi 10:12 < Igor_AKA_Warrior> would somebody please help me with a tunnel routing problem in OpenVPN 10:12 < ecrist> !ask 10:12 < vpnHelper> ecrist: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help 10:13 < ecrist> ;) 10:13 < Igor_AKA_Warrior> ok :) ... I set up a client to multi-client openvpn server 10:13 < Igor_AKA_Warrior> linux to freebsd 10:14 < Igor_AKA_Warrior> each side can ping the other fine on the set-up network.... 172.16.1.128/30 10:15 < Igor_AKA_Warrior> however, I have LANs on each side, client, and server...
and I need certain PCs to be able to reach each other on each side 10:15 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 10:15 < Igor_AKA_Warrior> so I set up a route on each side "192.168.3.0/24" to route through the tunnel 10:16 < Igor_AKA_Warrior> when I ping, or otherwise send packets from client to server, I see through tcpdump that packets get sent, and come out fine on the server side 10:16 < ecrist> !route 10:16 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:16 < ecrist> !iroute 10:16 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 10:17 < Igor_AKA_Warrior> when I do the same from server to client, tcpdump shows that packets DO leave the openvpn tunnel on the server side, but never come out on the client side 10:20 < Igor_AKA_Warrior> ahhh... I think I might see what's going on 10:21 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:25 < Igor_AKA_Warrior> hallelujah!
10:25 < Igor_AKA_Warrior> I think I was going mad 10:25 < Igor_AKA_Warrior> iroute helped 10:26 < Igor_AKA_Warrior> I don't think I ever encountered this before with tls-server <=> tls-client, and I've been a faithful openvpn user since 2005 :) 10:26 < Igor_AKA_Warrior> thank you guys 10:26 < ecrist> no problem 10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:30 -!- Igor_AKA_Warrior [n=igor@65.215.13.196] has left ##openvpn ["Konversation terminated!"] 10:59 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn 11:36 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection] 11:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 11:42 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has joined ##openvpn 11:42 < dft> hello 11:47 < dft> I'm stuck at TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed with a self-signed cert on my server end, any suggestions? 11:48 < dft> and yes, the crt was built using build-key-server 12:13 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:15 < dft> wait, I think I found the issue, ST must be two chars only, right? 12:25 < |Mike|> !tls-auth 12:25 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 12:26 < |Mike|> !howto 12:26 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:26 < |Mike|> basically you have to generate the ssl cert with openssl 12:27 < |Mike|> and copy it to the client(s) in a secure way (scp?)
12:27 < |Mike|> and set tls-auth to 0 on the server and 1 on the clients 12:27 < |Mike|> openvpn --genkey --secret ta.key 12:28 < |Mike|> tls-auth ta.key 0 12:28 < |Mike|> tls-auth ta.key 1 (on the client) 12:31 < dft> I tried that and it was still giving me the same error; I'm regenerating all keys/certs again from scratch, we'll see what happens 12:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 12:47 -!- Psi-Jack [n=psi-jack@75.112.145.226] has joined ##openvpn 12:48 < Psi-Jack> !howto 12:48 < vpnHelper> Psi-Jack: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 12:51 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn 13:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 104 (Connection reset by peer)] 13:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 13:21 -!- emod [n=emod@sage.emoderation.net] has joined ##openvpn 13:29 -!- Blu3 [i=david@blue-labs.org] has joined ##openvpn 13:36 -!- emod_ [n=emod@S0106001ec21749d5.gv.shawcable.net] has joined ##openvpn 13:38 -!- emod [n=emod@sage.emoderation.net] has quit [Read error: 104 (Connection reset by peer)] 13:40 -!- Administrator_ [n=chatzill@adsl-75-56-202-99.dsl.lsan03.sbcglobal.net] has joined ##openvpn 13:41 -!- emod_ [n=emod@S0106001ec21749d5.gv.shawcable.net] has quit [Read error: 60 (Operation timed out)] 13:41 -!- Administrator_ is now known as pieeater 13:41 -!- emod [n=emod@sage.emoderation.net] has joined ##openvpn 13:50 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has joined ##openvpn 13:51 < retro_neo> I followed these instructions for using my own certificate but the server won't start: http://www.openvpn.net/index.php/access-server/howto-openvpn-as/175-how-to-replace-the-access-server-private-key-and-certificate.html I see this in the log: "WEB-PP ERR: 'Enter PEM pass phrase:' 13:51 < vpnHelper> Title: How to replace the Access Server private key and certificate (at
www.openvpn.net) 13:53 < retro_neo> apache uses a bash script with the password at startup, how can I do something similar with openvpn AS? 13:54 < krzee> I don't believe there's much help in here for -AS 13:54 < krzee> it's not free, last I knew nobody here knows about it 13:54 < krzee> I've tried to troubleshoot stuff on it before, they changed too much from the opensource version 13:54 < ecrist> people know about it, don't know of anyone who uses it, though. 13:55 < krzee> ecrist, it's very different than normal ovpn 14:02 < retro_neo> thanks, will try the official support 14:04 < ecrist> krzee: when you have a few, check out ovpnforum.com. I did some reorganization, would like your insight. 14:05 < krzee> !forum 14:05 < vpnHelper> krzee: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:05 < krzee> I think wishlist should be outside the server admin part 14:06 < krzee> but overall I like it 14:06 < ecrist> kk 14:06 < krzee> interesting that topic count and post count don't take into account deleted posts 14:06 < krzee> (your test post in off-topic) 14:08 < ecrist> not following... 14:08 -!- BasketCase [n=BasktCas@asylum.sanitarium.net] has left ##openvpn ["Client exiting"] 14:08 < krzee> doesn't matter, but just noticed that when you delete a post, the front page that says topic count / post count doesn't remove the count of deleted stuff 14:08 < krzee> as seen on front page in off-topic 14:09 < ecrist> oh, you have to manually re-sync the counts 14:09 < krzee> you had made a test and removed it 14:09 < krzee> AHH 14:09 < krzee> oops c/l 14:09 < ecrist> looks right to me 14:09 < ecrist> 1 topic, 2 posts 14:09 < krzee> ohh right 14:10 < krzee> my eyes skipped to "There are no topics or posts in this forum." 14:10 < krzee> but above there is introductions 14:10 < ecrist> moved wishlist 14:10 < ecrist> it's on the main page now 14:12 < ecrist> can't you listen on multiple ports now with local ip:port?
14:13 < krzee> don't believe so 14:13 < krzee> but if I'm wrong, would love to know about it 14:13 < krzee> but besides just multiple ports, would be cool if it was like udp 53 and tcp 443 in 1 daemon 14:13 < ecrist> I'm thinking of client side 14:13 < krzee> ohhh sure 14:14 < krzee> you can do lotsa stuff like that in client side blocks 14:14 < krzee> including changing all sorts of settings for each block 14:15 < krzee> god I'm so lazy, it's been 3 months with a server w/ dougy and I still haven't moved my friggin' mail server 14:15 < ecrist> I've got a Dell 2850 in my rack, under warranty, I still have no OS on. I've had it for about 4 months. 14:15 < pieeater> hello room, I need some help on VPN routing. I posted my questions on the openvpn forum. Krzee pointed to http://secure-computing.net/wiki/index.php/OpenVPN/Routing, but I still couldn't get it to work 14:16 < krzee> in my recent defense, I've had like 4 3somes in about 10 days, so computers haven't been top priority 14:16 < pieeater> here is my diagram http://img379.imageshack.us/img379/2748/vpndiagram.png and config http://pastebin.com/d4c3ac6e5 14:16 < krzee> pieeater, after reading that doc, what's the problem? 14:16 < ecrist> boobies > computers 14:17 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Connection timed out] 14:17 < krzee> ecrist, o so true 14:17 < pieeater> I still can't ping or anything from any dial-up VPN workstation 14:18 < krzee> oh, I replied to you recently 14:18 < krzee> on the mail list iirc 14:18 < krzee> can the server reach those lans with no vpn running? 14:18 < pieeater> I saw only one 14:19 < pieeater> yes.
I can reach the vlans from the vpn server 14:19 -!- WormFood [n=wormfood@59.40.76.214] has quit [Read error: 110 (Connection timed out)] 14:19 < krzee> ya, there was only 1, just saying I remember ya 14:19 < krzee> then lines 15-17 in the config should go away 14:19 < krzee> that will break its route to those lans by sending them over the vpn 14:20 -!- WormFood [n=wormfood@59.40.76.214] has joined ##openvpn 14:20 < krzee> I see you use ipp 14:20 < krzee> !ipp 14:20 < vpnHelper> krzee: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 14:20 < krzee> is the openvpn server the gateway for those lans? 14:21 < krzee> (aka the router) 14:21 < pieeater> no. I have a SSG140 router/gw/fw 14:21 < pieeater> the vpn is natted behind it 14:21 < krzee> then you must add a route for 10.9.0.x to go to the openvpn server's lan ip 14:21 < krzee> as seen in my roputing document under the picture, "ROUTES TO ADD OUTSIDE OPENVPN" 14:22 < krzee> s/roputing/routing/ 14:22 < pieeater> I read that but I was not clear 14:22 < krzee> what's not clear about it?
14:22 < krzee> your client sends a packet at a lan machine, with source ip of 10.9.0.6 14:22 < |Mike|> hai :) 14:22 < krzee> lan machine gets it, and replies, but has no route to 10.9.0.6 14:23 < krzee> so the packet goes to default route (SSG140) 14:23 < krzee> which doesn't have a route for it, so it goes to default (internet) 14:23 < krzee> and is lost forever 14:23 < pieeater> to be honest with you, I don't know how to put your instructions in the vpn conf 14:23 < krzee> add a route to SSG140 and be happy 14:23 < krzee> you don't, you add a route to the router 14:23 < krzee> and you remove lines 15-17 in that pastebin 14:24 < krzee> route 192.168.10.0 255.255.255.0 14:24 < krzee> route 192.168.20.0 255.255.255.0 14:24 < krzee> route 192.168.40.0 255.255.255.0 14:24 < krzee> those don't belong 14:24 < pieeater> I talked to a Juniper support guy. he told me it's a passthrough. No routing needed. 14:24 < krzee> he's wrong 14:24 < krzee> no route = traffic has no way back 14:24 < pieeater> so I just need to add a static route for the VPN pool on the SSG, right 14:24 < krzee> correct 14:25 < krzee> route for 10.9.0.x goes to 192.168.10.123 14:25 < krzee> and remove those lines 14:25 < pieeater> I will give that a try now 14:25 < krzee> boom, should work fine 14:25 < pieeater> thanks a lot. I will report back 14:25 < krzee> (unless firewalls get in your way) 14:25 < krzee> np 14:26 < krzee> sup mike 14:27 < pieeater> Krzee, one more thing. I need to keep the push entries, right?
14:27 < krzee> correct 14:27 < krzee> that's how the clients know to add the routes 14:27 < pieeater> cool 14:27 < krzee> to flow over vpn 14:28 < krzee> the route entries would break your routing to those lans by sending it over the vpn 14:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:28 < krzee> or trying to at least, with no matching iroute entry it wouldn't know where to go 14:29 < krzee> but with no lans behind clients, route/iroute are not needed 14:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:31 < |Mike|> krzee: reading a forum 14:32 < krzee> do you guys in .nl use the LED grow lights? 14:32 < |Mike|> WARNING: potential route subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 14:32 < |Mike|> some people use it, yes 14:32 < |Mike|> I've seen a small setup a while ago 14:33 < krzee> whether that warning matters depends on your setup 14:33 < krzee> if you are trying to route a lan over a vpn, it's valid 14:33 < krzee> if it's just a ptp vpn, or even redirecting inet over the vpn, it's ok 14:33 < |Mike|> http://www.webhostingtalk.nl/networking/152651-openvpn-waarschuwing.html 14:33 < vpnHelper> Title: OpenVPN Waarschuwing - webhostingtalk.nl (at www.webhostingtalk.nl) 14:34 < |Mike|> he posted the config files 14:34 < krzee> yup, matters 14:34 < krzee> he needs to change 1 site 14:34 < krzee> to an uncommon subnet 14:35 < |Mike|> okay 14:35 < krzee> ergin shlergin 14:35 < |Mike|> ergin shlergin ? 14:35 < krzee> *shrug* it's what 1/2 the words sound like in my head 14:39 < krzee> lol ecrist, I like your avatar on the forum 14:42 < ecrist> :) 14:57 -!- jeiworth [n=jeiworth@189.177.249.221] has joined ##openvpn 15:05 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 15:06 < zuez> I build openvpn clients using the build-key script; it enforces users to authenticate over ldap.. is there any way I can build a client cert to avoid having to authenticate?
I'd like to add a dummy server and don't want to hardcode username/password anywhere to get it to VPN in.. 15:12 < zuez> Basically want some clients to have to authenticate over ldap, others not to... 15:18 < |Mike|> krzee: 15:19 < |Mike|> !all 15:19 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 15:22 -!- my007ms [i=logs@196.219.63.12] has joined ##openvpn 15:23 < my007ms> can I use openvpn in a LAN-to-LAN setup 15:23 < |Mike|> zuez: you can generate client certs and use those 15:24 < |Mike|> (and don't forget tls-auth!!) 15:37 -!- jeiworth [n=jeiworth@189.177.249.221] has quit [Read error: 60 (Operation timed out)] 15:44 -!- whaletales [n=paul@87.127.190.17] has joined ##openvpn 15:50 -!- jeiworth [n=jeiworth@189.177.249.221] has joined ##openvpn 16:11 < pieeater> hello, krzee, I just spent over 2 hours with Juniper to add a static route. They can't help. I don't see a way to add a route either. I was able to add a route for another network using a Cisco ASA having a similar setup, except using a cisco concentrator 16:11 < pieeater> does anyone here know how to deal with a Juniper SSG 16:13 < |Mike|> years ago lol 16:16 < krzee> ya, that's really a juniper problem 16:16 < krzee> if you can't add a route it's not a router 16:17 < krzee> don't tell them it's about openvpn 16:17 < pieeater> I think NetScreen SSG 140 is a router 16:17 < krzee> just tell them you need a route to network 10.9.0.0/24 to go to 192.168.10.123 16:18 < krzee> I know it's a router, so a route can be added to it 16:18 < krzee> but if they tell you it can't, tell them they are claiming it's not a router 16:18 < pieeater> hihihih lol 16:18 < |Mike|> lolified pieeater 16:19 < pieeater> it's kinda weird.
I will have to call in with another tech. 16:19 < krzee> or find the docs 16:19 < krzee> either way, you are beyond the scope of ovpn now 16:19 < pieeater> okie 16:20 < pieeater> thanks guys 16:20 < krzee> yw 16:21 < |Mike|> wow, I had a few beers and I feel semi drunk :p 16:24 -!- retro_neo [n=hello_wo@cust-158-218.on3.ontelecoms.gr] has quit ["Leaving"] 16:49 -!- BillyCrook1 [n=BillyCro@69.76.204.209] has joined ##openvpn 16:50 < BillyCrook1> What does the nopool directive do? I'm in the documentation manual on the site (69-openvpn-21) and I see reference to the server directive's logic depending on nopool, but I don't see a definition of nopool itself 16:55 < krzee> hah, good question 16:55 < krzee> except 16:56 < krzee> what do you see right below where it says nopool 16:56 < krzee> ifconfig-pool 16:58 -!- emod [n=emod@sage.emoderation.net] has quit [] 16:59 < BillyCrook1> yes? and? 16:59 < BillyCrook1> does that mean that "nopool" is to be evaluated as "has ifconfig-pool not been declared thus far in the config" 17:00 < krzee> something along those lines I'd say 17:01 < krzee> or maybe there's actually a nopool directive that isn't documented 17:01 < krzee> would be easy enough to check if you care 17:03 < BillyCrook1> you mean what, like I could sign some NDA, and buy rights to temporarily view parts of the source code? 17:04 < krzee> openvpn is open source 17:04 < BillyCrook1> lulz 17:04 < krzee> you download it and look through it 17:04 < krzee> and modify it to your needs 17:05 < krzee> !download 17:05 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 17:09 -!- syncer [n=andamaso@opensuse/member/andamasov] has joined ##openvpn 17:10 < syncer> Hi everybody 17:10 < syncer> how can I remove the username/password prompt at startup?
17:11 < krzee> by default openvpn doesn't need username/password 17:11 < krzee> are you saying you don't control the server, and it requires a login/password, and you'd like to not be prompted for them? 17:12 < |Mike|> passwords and openvpn, are like, boohooish. 17:13 < syncer> krzee: yes, I want to define user/password in some file or similar, for automatic openvpn startup at boot time 17:14 < krzee> !pwfile 17:14 < vpnHelper> krzee: "pwfile" is OpenVPN will only read passwords from a file if it has been built with the --enable-password-save configure option, or on Windows by defining ENABLE_PASSWORD_SAVE in config-win32.h 17:16 < syncer> krzee: thanks! I'm going to google again) 17:16 < krzee> !learn pwfile as see --auth-user-pass in the manual (!man) for more info 17:16 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 17:17 < krzee> !learn pwfile as see --auth-user-pass in the manual (!man) for more info 17:17 < vpnHelper> krzee: Joo got it. 17:20 < BillyCrook1> krzee: searching for "nopool site:openvpn.net" effectively searches the source. 17:21 < BillyCrook1> syncer: it's open source, so you can't ask other people about it. Learn C++ first. Then download the source, then figure it out yourself. 17:24 < syncer> BillyCrook1: I know what open source is, and do what I can for it, so please leave me without your stupid comments 17:25 < syncer> krzee: it seems I must rebuild openvpn for that 17:25 < syncer> krzee: thank you for the help! 17:25 < BillyCrook1> syncer: if you're going to troll someone, and call them stupid, it would help your credibility to use proper English.
17:26 -!- whaletales is now known as aptanet 17:26 < syncer> BillyCrook1: you are strange 17:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:29 < syncer> BillyCrook1: I didn't come and say: guys, do feature 1 and feature 2 for me because I need them 17:31 < BillyCrook1> syncer: did you come to ask a question instead of reading the man page? 17:32 < syncer> n 17:32 < syncer> BillyCrook1: what is your problem? 17:39 < syncer> krzee: works like a charm! thanks a lot! 17:47 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:48 -!- syncer [n=andamaso@opensuse/member/andamasov] has left ##openvpn ["Konversation terminated!"] 18:04 -!- js_ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has quit [Read error: 104 (Connection reset by peer)] 18:04 -!- js_ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has joined ##openvpn 18:11 -!- Spockz|lap [n=Spockz@71pc198.sshunet.nl] has joined ##openvpn 18:14 < Spockz|lap> http://spockz.pastebin.com/m4e1bb7bb << What am I doing wrong there? Only one connection is allowed. As soon as someone else (with a different username) connects, the other connections are reset. 18:18 < |Mike|> lol. 18:18 < |Mike|> vipeaux ? 18:19 < |Mike|> Spockz|lap: 18:19 < |Mike|> !tls-auth 18:19 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 18:19 < |Mike|> and you don't push a route 18:20 < Spockz|lap> |Mike|: username-as-common-name 18:20 < Spockz|lap> that was the one I needed :P 18:20 < Spockz|lap> |Mike|: is pushing a route required? 18:20 < |Mike|> depends on your setup 18:20 < Spockz|lap> I only use it to connect to that single machine 18:21 < Spockz|lap> I don't want to share the network 18:21 < |Mike|> but you're behind a LAN ?
18:21 < |Mike|> s/lan/router 18:21 < BillyCrook1> why can 'tun-ipv6' not be used with 'mode server'?? 18:21 < Spockz|lap> yes, other people might be behind a NAT/router yes 18:21 < |Mike|> BillyCrook1: no idea ;p 18:22 < BillyCrook1> I DEMAND ANSWERS!!!!! 18:22 -!- qwebirc33677 [i=41dac603@gateway/web/freenode/x-lflpekrsznvuijog] has joined ##openvpn 18:22 < Spockz|lap> BillyCrook1: maybe you need to have an ipv6 enabled interface? 18:22 < |Mike|> BillyCrook1: ignorance blabla 18:22 < BillyCrook1> hmm. My OS can do ipv6. 18:22 < BillyCrook1> the interface is instantiated when openvpn starts 18:23 < |Mike|> Spockz|lap: remove that log-append line btgw. 18:23 < |Mike|> *btw 18:23 < Spockz|lap> |Mike|: why, is it bad? :p 18:23 < |Mike|> it's like the apache log_combine module 18:23 < Spockz|lap> |Mike|: together with the verb 3? Or aren't they related? 18:24 < |Mike|> verb = verbose 18:24 < |Mike|> some sort of log level. 18:25 < Spockz|lap> yeah ok 18:25 < |Mike|> so basically you have a dedicated box where you would run all your traffic through ? 18:25 < Spockz|lap> hmm, the daemon restarts quite quickly all of the sudden 18:26 < Spockz|lap> |Mike|: it is more like a development box that runs a whole package (webserver, version control, etc.) 18:26 < |Mike|> i see. 18:26 < |Mike|> git <3 18:26 < Spockz|lap> and it's in my lan, but I want it to be accessible for other developers without having to forward every port 18:26 < Spockz|lap> |Mike|: git, svn, mercury :P 18:26 < |Mike|> know it all too well :) 18:26 < Spockz|lap> :P 18:27 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 18:27 < Spockz|lap> |Mike|: it was fun just now, trying to connect with 10 of us and kicking each other off the server :P 18:27 < |Mike|> on which box ? 18:27 < Spockz|lap> |Mike|: would something like username.useraddedsuffix be possible? While still authenticating against username? 18:27 < |Mike|> spockz is from WHT ? 18:28 < Spockz|lap> |Mike|: WHT?
18:28 < |Mike|> got ldap ? 18:28 < |Mike|> webhostingtalk.nl 18:28 < Spockz|lap> |Mike|: no, spockz is mine? 18:28 < Spockz|lap> |Mike|: nope, just linux user authentication, I still want to set up a decent LDAP box 18:28 < |Mike|> s/is from/originates from/ 18:29 < |Mike|> ldap would work with l / p in a decent way 18:29 < Spockz|lap> once I go to ldap I want to use it as the authentication mechanism on all my machines/services 18:30 < |Mike|> so what's the problem? 18:31 < Spockz|lap> I have mac machines, windows machines, and subversion and the lot... 18:31 < Spockz|lap> and now openvpn 18:32 < |Mike|> then allow those clients (and client to client ) :d 18:32 < Spockz|lap> I'd have to look into it :P 18:33 < Spockz|lap> But with a central LDAP auth server :p 18:33 < Spockz|lap> which contains all user accounts... 18:33 < Spockz|lap> I wonder whether access to svn and groups/directories would be as simple that way as it is with apache and auth.. :P 18:35 < |Mike|> i miss the word openvpn. 18:36 < |Mike|> and some a's. 18:37 < Spockz|lap> a's? :p 18:37 < Spockz|lap> but I already know openvpn can bind with ldap... :P 18:37 < |Mike|> knew. 18:37 < Spockz|lap> but can't PAM take care of the LDAP part? 18:38 < |Mike|> never worked with PAM and ovpn. 18:38 < |Mike|> but what's the issue ? 18:38 < Spockz|lap> ehm, no issue? :p 18:39 < Spockz|lap> the only thing I try to achieve right now is that username.something is passed along to the auth module as username 18:39 < |Mike|> so your ovpn connection remains stable ? 18:39 < Spockz|lap> but still regarded by openvpn as different so people can create multiple connections from the same username 18:40 < |Mike|> !howto 18:40 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:40 < Spockz|lap> |Mike|: yes, after I added 'username-as-common-name' it ran fine :) 18:40 < |Mike|> that's why i love keys. 18:41 < |Mike|> fuck luser passwords and names.
18:41 -!- BillyCrook1 [n=BillyCro@69.76.204.209] has quit ["Leaving."] 18:42 < |Mike|> anyway, it's 0145 18:42 < |Mike|> time sleep ! 18:43 < Spockz|lap> :p 18:43 < Spockz|lap> |Mike|: yes.. keys :) 18:43 < Spockz|lap> huh 18:43 < Spockz|lap> group nobody, the GID couldn't be found... 18:43 < |Mike|> huh what. 18:44 < |Mike|> fish in some pools Spockz|lap :) 18:44 < |Mike|> not the one outside, but the one in your box. 18:46 < Spockz|lap> ah it's nogroup :P 18:46 < Spockz|lap> good night 18:46 < Spockz|lap> I'm off to bed myself :p 18:50 -!- ZummiG777 [n=ZummiG77@campfieldm-00.sworps.tennessee.edu] has joined ##openvpn 18:52 < ZummiG777> Question: I'm trying to use openvpn (server) on a system with two network cards acting in a bridged setup, with the tun interface not participating in the bridge. I'm not able to ping any of the 'pushed' hosts from the client systems even though there is a correct route in the table. Is there something special that needs to be done on bridged networks? 18:54 -!- Spockz|lap [n=Spockz@71pc198.sshunet.nl] has quit ["Leaving"] 18:56 -!- jeiworth [n=jeiworth@189.177.249.221] has quit [Connection timed out] 19:24 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 19:35 -!- Saberu [i=Oliver@125.81.153.97] has joined ##openvpn 19:46 -!- ZummiG777 [n=ZummiG77@campfieldm-00.sworps.tennessee.edu] has quit ["Leaving"] 20:04 -!- W0rmF00d [n=wormfood@219.133.100.168] has joined ##openvpn 20:16 -!- rapha [i=rapha@unaffiliated/rapha] has joined ##openvpn 20:16 < rapha> Hi 20:17 < rapha> Would it be possible to do a bridged VPN on a server I only have SSH access to? Or would I lose the connection during setup and not be able to ssh into the server anymore?
20:22 -!- WormFood [n=wormfood@59.40.76.214] has quit [Read error: 110 (Connection timed out)] 20:54 -!- Psi-Jack [n=psi-jack@75.112.145.226] has quit [Remote closed the connection] 21:01 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 21:02 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:11 -!- master_of_master [i=master_o@p549D3AED.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:15 -!- master_of_master [i=master_o@p549D3E23.dip.t-dialin.net] has joined ##openvpn 21:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection] 22:12 -!- mobidroid [n=mobidroi@modemcable170.13-20-96.mc.videotron.ca] has quit ["The computer fell asleep"] 22:32 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 22:37 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 22:44 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn 23:09 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 23:09 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 23:22 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 60 (Operation timed out)] 23:31 -!- qwebirc33677 [i=41dac603@gateway/web/freenode/x-lflpekrsznvuijog] has quit [Ping timeout: 180 seconds] --- Day changed Fri Sep 04 2009 00:15 -!- pieeater [n=chatzill@adsl-75-56-202-99.dsl.lsan03.sbcglobal.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 00:16 -!- kleind [n=kleind@83.125.45.111] has quit [Read error: 110 (Connection timed out)] 00:16 -!- kleind [n=kleind@83.125.45.111] has joined ##openvpn 00:24 -!- hyper_ch [n=hyper@adsl-84-227-14-25.adslplus.ch] has quit [Read error: 60 (Operation timed out)] 00:24 -!- hyper__ch [n=hyper@adsl-84-227-153-24.adslplus.ch] has joined ##openvpn 00:24 -!- hyper__ch is now known as hyper_ch 01:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:36 -!- polaru 
[n=polaru@93.113.192.70] has joined ##openvpn 01:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 02:04 -!- harlan [n=harlan@ntp/programmemanager/harlan] has joined ##openvpn 02:05 < harlan> What client choices do I have if I want to connect from a MacBook (Leopard) to an openvpn server? 02:11 < thedoc> tunnelblick and viscosity 02:12 -!- ndee_ [n=andy@80-218-196-219.dclient.hispeed.ch] has joined ##openvpn 02:12 < ndee_> I connected from my OS X client to my windows server, how can I configure it so that my whole traffic should go over this vpn connection? 02:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 02:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:26 < ndee_> when I change a setting in the config file in windows, how can I restart the openvpn server? 02:38 -!- Saberu [i=Oliver@125.81.153.97] has quit [Client Quit] 02:38 < harlan> thanks thedoc 02:38 -!- harlan [n=harlan@ntp/programmemanager/harlan] has left ##openvpn [] 02:40 < melvin_> Good Morning. After some further tests, I think the connection problem comes from the openvpn version. I installed 2.0.9 yesterday and the connection has worked since then.
only problem: I can't compare the two versions because the auth-pam module doesn't work on openvpn 2.0.9: PLUGIN_INIT: plugin initialization function failed: /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so 02:43 -!- ndee [n=andy@213.55.131.182] has joined ##openvpn 02:48 -!- ndee [n=andy@213.55.131.182] has quit [Remote closed the connection] 02:48 -!- ndee [n=andy@80-218-196-219.dclient.hispeed.ch] has joined ##openvpn 02:48 -!- ndee_ [n=andy@80-218-196-219.dclient.hispeed.ch] has quit [Read error: 104 (Connection reset by peer)] 02:51 < melvin_> ah, found it: it tries to find /lib/libpam.so which doesn't exist: #> ln -s /lib/libpam.so.0 /lib/libpam.so does the trick 02:54 < ndee> I added push "redirect-gateway" but somehow, the default gateway doesn't get overwritten on os x, anyone encountered this problem before? 02:57 < reiffert> !def1 02:57 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 02:59 -!- ndee [n=andy@80-218-196-219.dclient.hispeed.ch] has quit [Remote closed the connection] 02:59 -!- ndee [n=andy@80-218-196-219.dclient.hispeed.ch] has joined ##openvpn 03:00 < reiffert> melvin_: 2.0.9 is still ancient, 3 year old software. Upgrade to 2.1 rc 19. 03:01 < melvin_> reiffert: I really want it! but I got connection timeouts every 30 minutes. 03:01 < melvin_> tried to find the network problem the last three days- 03:02 < melvin_> now it seems the 2.0.9 works and 2.1 does not 03:03 < melvin_> if I knew how I would write a detailed error description 03:03 < melvin_> for me it seems to be a TLS rekeying problem. soft-reset works on 2.0.9 but not on 2.1, whatever soft-reset means 03:06 < reiffert> maybe talk to the mailinglist. 03:07 < melvin_> why does it work for others?
03:09 < reiffert> why does it not for you? 03:11 < dazo> melvin_: that libpam link you created should normally be created automatically by running ldconfig, as long as the directory is listed in /etc/ld.conf (/lib is on the other hand not needed to explicitly list in this file) 03:11 < melvin_> I don't know. I tried both tcp and udp 03:12 < melvin_> with firewall and without, with direct inet connection 03:12 < melvin_> windows and linux client 03:12 -!- bauruine [n=bauruine@85.5.224.95] has joined ##openvpn 03:12 < melvin_> all kinds of combinations 03:12 < melvin_> every time the same failure 03:12 < melvin_> not always after 30 min. but after some while the client gets disconnected 03:13 < melvin_> the only thing I changed now is the ovpn version 03:13 < dazo> melvin_: and there are some situations where 2.0.9 and 2.1 do not play well together .... especially if there are differences in the openssl library versions as well .... upgrading to the same version on both sides usually solves the issue 03:14 < dazo> melvin_: for a good error description .... setting --verb to 4 or higher and pastebin the logs (both client and server) usually helps a lot 03:16 < melvin_> dazo: 2.0.9 and 2.1 work better for me than 2.1 and 2.1 (2.1 on debian, redhat and windows) 03:19 < dazo> melvin_: users with 2.1 on the server side, 2.0 clients mostly have some issues ..... the other way around works better, but still not as solid as 2.1 on both sides ..... but with 2.1, I also mean rc15 or newer .... ubuntu shipped a buggy rc7 and rc11, iirc ... I've been running rc15 and upgraded continuously to rc19 and never had any issues with any 2.1 clients (newer than rc13) ....
it simply just works(tm) 03:19 -!- kleind [n=kleind@83.125.45.111] has quit [Remote closed the connection] 03:21 < dazo> melvin_: btw, Red Hat and Fedora ship 2.1rc15 as default 03:24 < melvin_> dazo: rpms are rebuilt with newer sources by me 03:25 < melvin_> ubuntu testing uses 2.1rc19 03:26 < dazo> melvin_: but make sure you also do not use anything older than rc15 anywhere in your infrastructure .... rc15 and rc19 are the versions which have lasted the longest without quick fixes ... they really are rock solid. 03:29 < reiffert> you really can't tell for rc19 yet 03:29 < melvin_> dazo: ok. test with 2.0.9 as server still running. I can use the second test server to make the verb=4 logfile to show the connection timeout. Server is directly connected to the internet. Client is windows with 2.1rc19 and ubuntu with 2.1.19. 03:30 < dazo> melvin_: but with 2.0 on the server, you simply will have issues .... that's the worst of all combinations you can have 03:33 < melvin_> ok. 03:34 < melvin_> I only want to make sure that it has nothing to do with the network layer between the client and the server 03:39 < melvin_> dazo: server uses openssl-0.9.8b-8.3.el5_0.2 lzo-2.02-CO5.1 zlib-1.2.3-3 03:40 < melvin_> client has openssl 0.9.8g lzo 2.0.3 zlib 1.2.3 03:41 < dazo> melvin_: but you are running openvpn 2.0.9? 03:43 < melvin_> I built both packages. 2.0.9 yesterday evening. 03:43 < dazo> it's anyway easier to see if you have network layer issues by upgrading the software to a known stable release (and 2.0.9 has not been updated for 3 years, it cannot be considered as stable as 2.1 anymore) 03:43 < melvin_> I have two servers running. one with 2.0.9 and one with 2.1rc19 03:43 < dazo> aha ... good .... then you have some real possibilities to figure this out 03:44 < melvin_> one client with one connection to each server 03:45 < melvin_> dazo: the servers have different connections to the internet. one directly, one behind a firewall.
after this test run, I change the version of the servers 03:45 < melvin_> after this I may know if it is the network or the version 03:48 < melvin_> dazo: if you want I can give you a test account on the 2.1rc19. maybe you can see the connection problem too 03:49 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 03:49 < dazo> melvin_: nice of you .... but let's see if log files can reveal enough info .... and if you can get sessions to last longer than 30 minutes 03:52 < melvin_> ok 03:59 < melvin_> dazo: 2.0.9 results in the same error: http://paste.debian.net/45678/ 03:59 < dazo> melvin_: and the 2.1_rc19 connection? 04:01 < melvin_> ^still running on the other server 04:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 04:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:26 < dazo> melvin_: how long has the rc19 connection been up now? 04:38 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 04:49 -!- olh [n=olaf@88.65.85.218] has joined ##openvpn 04:55 -!- bootlaces [n=david@222-152-150-37.jetstream.xtra.co.nz] has joined ##openvpn 04:57 < melvin_> dazo: here comes the log 04:57 < melvin_> http://paste.debian.net/45681/ 04:58 < melvin_> 11.00 till 11.42 04:58 < dazo> melvin_: and this was with 2.1rc19 on server and client? 05:00 < dazo> melvin_: "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" this simply means that it did not receive any packets at all for 1 minute .... you for sure got some network issues in addition here 05:00 < melvin_> dazo: yes 05:01 -!- olh [n=olaf@88.65.85.218] has quit [Read error: 131 (Connection reset by peer)] 05:01 < melvin_> this is the failure that I always get 05:02 < |Mike|> network connectivity is low there ? 05:02 < melvin_> dazo: network is up 05:02 < melvin_> dsl 10 mbit 05:02 < melvin_> no firewall 05:02 < |Mike|> you ever ran a smokeping tool on your dsl?
05:02 -!- bootlaces [n=david@222-152-150-37.jetstream.xtra.co.nz] has left ##openvpn [] 05:02 < dazo> melvin_: yeah, but there must be some issues with your connection .... faulty router ... something which chops your connection 05:02 < melvin_> |Mike|: no 05:03 < dazo> melvin_: it might even be that your ISP doesn't allow too long established connections 05:03 < melvin_> ok. I change the test. my client connects from wlan to dsl and then to the openvpn server 05:04 < melvin_> I put the client on the same switch as the server. takes some time. 05:05 < melvin_> I don't believe it's the network. over the same dsl connection I run openvpn to another server over days without problems 05:07 < dazo> melvin_: then it is something with that concrete laptop .... something *is* breaking that connection after 30min++ ... there are no other possibilities .... it can be local firewall, buggy network driver, faulty hardware .... but something is stopping that data flow 05:10 < melvin_> dazo: the two servers run on different hardware, one laptop, one XEN client with pci passthrough 05:11 < melvin_> clients are two laptops with different hardware, one with linux, one with windows installed 05:11 < melvin_> both servers use the same centos version. maybe there is a problem in the kernel 05:12 < dazo> melvin_: Think logically now ... you told me that you had other clients where the connection was reliable via openvpn ... or have I misunderstood you? 05:13 < dazo> melvin_: if that is the case ... it is not a server problem ... it's a client issue ....
I'm confused now which server/client connections work and which not 05:13 < dazo> melvin_: anyway, checking dmesg to see if you see something there is always good to do 05:13 -!- ThoMe [i=tm@tm.muc.de] has quit [Client Quit] 05:16 < melvin_> dazo: I never ran a client on my server longer than 30 min 05:16 < melvin_> it's my first installation of an openvpn server 05:16 < melvin_> now client and server are on the same switch 05:18 < melvin_> two clients are connected, one on the switch (linux) the other by dsl (windows) 05:18 < melvin_> I go to dinner and paste the log after coming back 05:35 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 05:44 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, CoffeeIV_, pa, BigJB, HardDisk_WP, redfox, kaii, stephenh 05:45 -!- Netsplit over, joins: BigJB, master_of_master, MadTBone, CoffeeIV_, HardDisk_WP, kaii, stephenh, pa, redfox 05:45 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood] 05:45 -!- zuez_ [n=sf@catalyst.httpd.org] has joined ##openvpn 05:56 -!- cpm [n=Chip@border0.avitecture.net] has joined ##openvpn 06:00 -!- CoffeeIV_ [n=CoffeeIV@adsl-99-162-117-1.dsl.austtx.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 06:38 -!- bauruine [n=bauruine@85.5.224.95] has quit [Read error: 148 (No route to host)] 06:39 < melvin_> dazo: here comes the new log: http://paste.debian.net/45695/ 06:40 -!- brizly1 [n=brizly_v@p4FC99C0E.dip0.t-ipconnect.de] has joined ##openvpn 06:41 < dazo> melvin_: it is exactly the same issue 06:41 < dazo> melvin_: the connection is chopped off after some time. Here it goes almost 1 hour. 06:42 < melvin_> yes. but as I said the client is in the same net, 87.234.155 -> 87.234.46.154 06:42 < melvin_> the other client (windows) stops at nearly the same time 06:42 < dazo> melvin_: understood .... and this was against which server? 2.0 or 2.1?
06:43 < melvin_> OpenVPN 2.1_rc19 i386-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Aug 31 2009 06:44 < dazo> melvin_: you really now have to begin to dig deeper into the firewall config, especially on servers .... but also look in /var/log and dmesg ... to see if you see something abnormal in regards to network connectivity .... devices, drivers, whatever connected to networking 06:44 < dazo> melvin_: can you do an iptables-save ... and pastebin the complete result? 06:44 < melvin_> normally yes :-) but there is no firewall left. just two laptops connected on the same network 06:45 < dazo> melvin_: there might be firewalling on the local openvpn servers as well 06:45 < melvin_> dazo: iptables I disabled 06:45 < dazo> melvin_: please .... I want to be 100% sure it really is so 06:46 < dazo> melvin_: and the openvpn server .... is that running as a Xen guest? .... if so, the firewall dump for the Xen host is valuable as well 06:46 < melvin_> the second server is on Xen (the live server in the future) 06:46 < melvin_> all logs come from the server directly connected to the inet 06:47 < dazo> fine ... but I want to see the firewall settings .... to be absolutely sure nothing is lurking around there .... this anyway begins to look more like an OS issue than an openvpn issue 06:48 < dazo> but I need arguments to exclude iptables from a possible failure list 06:48 < melvin_> ok. here is the Account: User: dazo / PWD: dAzoIN! 06:48 < melvin_> ip as above: 78.234.46.155 06:49 < reiffert> telnet and ssh don't work. 06:49 < melvin_> ssh is started 06:49 < melvin_> sorry 06:49 < reiffert> thomas@mail:~$ telnet 78.234.46.155 22 06:49 < reiffert> Trying 78.234.46.155... 06:50 < dazo> melvin_: can't get in 06:50 < melvin_> 154, sorry again :( 06:50 < melvin_> 155 is the client 06:50 < reiffert> thomas@mail:~$ telnet 78.234.46.154 22 06:50 < reiffert> Trying 78.234.46.154...
06:51 < dazo> melvin_: you have something blocking ssh 06:51 < dazo> unless this was just a trick to get some IP addresses to try to hack :-P 06:51 < melvin_> ok, I'm so bad .... :(( 87.234.46.154 06:51 < melvin_> sudo su should work 06:51 < melvin_> config is in /etc/openvpn 06:53 < melvin_> great 06:54 < dazo> melvin_: you are bridging the interface over which you establish the openvpn connection .... that very seldom works well 06:55 < melvin_> dazo: I thought this config is quite common 06:55 -!- brizly [n=brizly_v@p4FC99D89.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:55 < dazo> melvin_: yeah, but then the tap device is bridged against an internal network interface 06:56 < melvin_> dazo: understand 06:57 < melvin_> dazo: I only have a wireless nic for the laptop here. can I bridge the tap with this? 06:57 < dazo> melvin_: I'd suggest, skip the bridging of the tap devices .... establish them as separate virtual interfaces with their own IP range .... inside a private range .... f.ex. 192.168.30.0/24 06:57 < dazo> melvin_: you can bridge any network devices, afaik 06:59 < dazo> melvin_: but back to my suggestion. Then you set up either a routing for the tap IP addresses to the destination you want to allow traffic to ... and you might consider masquerading the traffic from these devices via iptables 06:59 < dazo> melvin_: that's a setup which might work better for you 06:59 < melvin_> do I need two nics for it? I don't understand how to separate the networks 06:59 < reiffert> /sbin not in path 07:00 < dazo> melvin_: in this setup, you just use the tap device as a virtual NIC .... and just use eth0/br0 as the normal public interface 07:00 < dazo> reiffert: sudo su - 07:00 < reiffert> of course. 07:00 < dazo> ;-) 07:00 * dazo did the same "mistake" 07:01 < reiffert> so the bridge is up and running 07:01 < melvin_> so I don't need the bridge? 07:01 < dazo> melvin_: no, you don't 07:01 < reiffert> 4 openvpn instances?
07:01 < dazo> melvin_: in this setup, bridging does not give you any benefits at all 07:02 < melvin_> reiffert: 2, one for tcp one for udp 07:02 < dazo> reiffert: good catch 07:02 < dazo> melvin_: you have 4 openvpn processes running 07:02 < reiffert> what's his problem btw? 07:03 < melvin_> dazo: maybe because of the user change to nobody? I don't know 07:03 < dazo> reiffert: connection dies after 30min++ ..... "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" 07:03 < dazo> melvin_: you use the pam-auth plugin? Might be that forks out a child 07:03 < melvin_> yes. 07:03 < dazo> or down-root 07:04 < dazo> ? 07:04 < melvin_> pam-auth 07:04 < dazo> yeah, 2 processes are running as nobody and 2 as root 07:04 < reiffert> it's a virtual machine? 07:04 < melvin_> down-root is on the list 07:04 < melvin_> reiffert: no. FSC laptop 07:05 < melvin_> I thought I need the bridge to route the traffic into the internal network. 07:05 < reiffert> routing is done with tun 07:05 < dazo> melvin_: but the thing is that you don't have an internal network, you have only one public IP address on this box 07:05 < melvin_> reiffert: tap for dhcp client 07:06 < melvin_> dazo: Yes. because the "Live" Configuration lives behind a firewall which translates the external ip 07:06 < dazo> melvin_: you try to get public IP addresses from the dsl via VPN .... for the VPN clients? 07:06 < melvin_> dazo: now without the firewall the internal interface gets this ip 07:07 < melvin_> Scenario client -> external IP (Firewall -> NAT) -> Internal IP of VPN Server -> DHCP Server from internal Network 07:07 < dazo> melvin_: let's turn things up-side-down now .... let's skip trying to figure out what's wrong ..... let's rather figure out what you want openvpn to solve for you ....
and then we'll look up a solution from that side 07:07 < melvin_> so I only need one interface 07:07 < melvin_> no routing on the vpn 07:07 < melvin_> I thought it is the best solution 07:08 < dazo> melvin_: okay ... so you want the VPN client to believe it is connected physically on the local network? 07:08 < melvin_> yes 07:09 < melvin_> dazo: for the client it should make no difference whether it is in the internal network or connected through vpn 07:09 < melvin_> dazo: this all works like a charm, but only for 30 minutes ... :/ 07:09 < dazo> melvin_: first of all .... this makes things pretty complicated .... because OpenVPN got its own "DHCP" service, which is not possible to disable, afaik .... 07:10 < melvin_> dazo: I read something about a dhcp proxy since rc17 or so 07:10 * dazo reads the changelog 07:11 < melvin_> 2008.09.10 -- Version 2.1_rc10 07:12 < dazo> I see it .... looking into that one 07:12 < Bushmills> there *is* a dhcp forwarder. dhcp3-relay for example. that one allows dhcp requests through a router. 07:13 < melvin_> the dhcp works. I decided to use dhcp for windows clients and static ccd config for unix clients 07:15 < dazo> melvin_: server-bridge 10.204.5.1 255.255.255.0 10.204.5.50 10.204.5.200 .... this does not match your network config at all ..... from the man page: "The gateway and netmask parameters to --server-bridge 07:15 < dazo> can be set to either the IP/netmask of the bridge interface, or 07:15 < dazo> the IP/netmask of the default gateway/router on the bridged sub- 07:15 < dazo> net" 07:18 < melvin_> dazo: ok. it's just typed for pushing the client some ip. 07:18 * dazo needs to go away for a little while .... will come back 07:20 < melvin_> dazo: I changed the gateway to the external ip 07:24 < melvin_> reiffert: do you have any idea why this connection is terminated after some minutes?
07:24 -!- ndee [n=andy@80-218-196-219.dclient.hispeed.ch] has quit [] 07:35 < reiffert> no 07:48 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Remote closed the connection] 07:59 < Optic> moo 08:06 < Bushmills> morning reiffert 08:07 < Bushmills> melvin_: connection idling? 08:11 < reiffert> re-keying 08:12 < reiffert> hi bushmills, newspaper-hoax time? 08:12 < Bushmills> i'm still in Wö 08:13 < Bushmills> you might have notices, as I didn't check out your QRL 08:13 < Bushmills> noticed 08:14 < Bushmills> thought about pedalling today, but it's a bit humid outside 08:15 < reiffert> train? 08:15 < Bushmills> alternatively, patience 08:18 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn 08:18 < gregd> hi guys, I am trying to get openvpn working on iphone/ipod... apparently there is a bug in the init_ssl function... anyone aware of it? 08:19 < reiffert> gregd: there is no tun/tap adapter for iphone. 08:19 < gregd> it finishes with "bus error"... so I guess somewhere a null pointer access appears.. just trying to debug it now 08:19 < gregd> reiffert, I know.. but the error does not concern the tun/tap adapter 08:20 < gregd> reiffert, there is no tun/tap.. but there is tunemu that works for me in the case of tinc-vpn 08:20 < reiffert> interesting. 08:21 < gregd> i know.. that's why im spending my time on it 08:22 < reiffert> I've had vague plans for porting tun/tap from OS X to iphone, but I lack an iphone. 08:22 < gregd> reiffert, it compiles very well... 08:22 < gregd> redfox, give me some more time... maybe i will get it working.. 08:23 < gregd> sorry, redfox, meant to send it to reiffert 08:23 < reiffert> after compiling the tun/tap kernel module, does it load? 08:24 < gregd> it does not come to that point... when initializing ssl it crashes... 08:24 < gregd> unless i miss something 08:24 < redfox> gregd: np ;) 08:25 < reiffert> gregd: can you manually load the module itself?
08:25 < reiffert> kldload or similar 08:27 < gregd> no, cannot do it on iphone... but when I added it to tinc-vpn, it was loaded successfully 08:27 < reiffert> ssh got a tunnel mode as well using tun/tap .. 08:27 < reiffert> openssh 08:30 < gregd> however, one note - i'm trying to run it on a jailbroken iphone... i guess it is not possible to make it work on an original one... 08:31 < ecrist> good morning, bitches 08:32 -!- Irssi: ##openvpn: Total of 73 nicks [0 ops, 0 halfops, 0 voices, 73 normal] 08:32 < dft> ecrist, good morning jerkface lol 08:32 < dft> btw, I've got vpn working on obsd4.5 now 08:32 < ecrist> I hate backup processes 08:33 < ecrist> they're so finicky 08:33 < dft> turns out the 1.0 easy-rsa scripts are the way to go 08:33 * dft agrees 08:33 < dft> bacula or zmanda? 08:33 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit ["Leaving"] 08:33 < ecrist> neither 08:33 < ecrist> in-house perl script and rsync 08:34 < dft> ew 08:34 < ecrist> we had a developer change some things, which was unanticipated by our backups (changes specific to DB backups) 08:34 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 08:35 * dft pulls out the book of developer related stories...If only I had a dime for each one 08:36 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Client Quit] 08:36 < dft> the one that gets me the most is, we'll write our own logging function instead of using calls to syslog or MS event log for our custom apps 08:36 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 08:36 < ecrist> yeah, we have a lot of that 08:37 < dft> so frustrating when you're trying to move towards a nice lean syslogging chain type of env. 08:39 < dft> anyways, I should go get some work done...bbl 08:45 < gregd> wtf...
apparently there is a bug in "warn_in_group_or_others_accessible" 08:46 < melvin_> Bushmills: yes idle or busy connections dies after 30 min 08:46 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:47 < reiffert> Bushmills: when rekeying 08:56 -!- bauruine [n=bauruine@85.5.224.95] has joined ##openvpn 08:59 < hyper_ch> hi bauruine 09:00 < bauruine> sali hyper_ch 09:00 -!- zuez_ [n=sf@catalyst.httpd.org] has quit ["."] 09:00 < hyper_ch> you run a mailserver? 09:01 < gregd> ok, so now such a problem - why a client A (computer A) is accepted to connect to server using certificate X, while client B (computer B) is not accepted to connect to the server using the same certificate (certificate X)? 09:02 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit [Remote closed the connection] 09:03 < hyper_ch> bauruine: you run a mailserver? 09:03 < bauruine> not at the moment. 09:04 < hyper_ch> bauruine: I just wonder if I should raise the limit for emails from 10 MB to something more 09:05 < my007ms> what is most fast cipher to use in openvpn 09:05 < bauruine> hyper_ch, i think most of the (big) provider have a limit of ~10MB so i don't think it's really useful. 09:06 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 09:06 < hyper_ch> I know... 
my boss just said someone tried to mail him a 14mb attachment and it couldn't get through 09:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 09:08 < bauruine> for files with this size it's better to use ftp or something like that 09:09 < dft> if they really insist on sending it via email have them send through to a gmail account or something 09:09 < dft> otherwise I agree with bauruine, use ftp or sftp or scp 09:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:15 < hyper_ch> dft: it's law documents :) nobody wants to send that through gmail 09:16 < hyper_ch> but I think it won't hurt to raise the limits 09:16 < hyper_ch> that means people can send us whatever they want 09:16 < hyper_ch> and if we send too big attachments we'll immediately know 09:20 < dft> hyper_ch: email is no more secure than gmail unless the contents are gpg encrypted 09:20 < hyper_ch> gmail analyzes emails automatically ;) 09:21 * dft perks up 09:21 < dft> how ( I ask because I haven't heard of this before) 09:22 < phatfish> funny guy ;) 09:23 < hyper_ch> what does google live from? analyzing behaviour and display according ads ;) 09:23 < dft> hyper_ch: right of course 09:24 < hyper_ch> while they might not make a direct use of the content you can be sure it gets analyzed 09:24 < dft> http://epic.org/privacy/gmail/faq.html#21 09:24 < vpnHelper> Title: Gmail Privacy FAQ (at epic.org) 09:24 < dft> nice little article 09:24 < hyper_ch> while just sending an email throught the internet unencrypted doesn't necessarily mean it gets read somewhere in between 09:25 < dft> true, but the risk is still there, which rules out the ability of non-repudiation 09:26 < hyper_ch> I know... 
and that's why I try to encourage the use of GPG 09:26 < hyper_ch> meanwhile I managed that all people in the law firm will at least sign their emails and add the public key 09:27 < dft> nice 09:27 < dft> I guess at a law firm the concept is a little easier to sell considering they're a little more conscientious of privacy matters 09:27 < hyper_ch> well, before I did my internship there, they used hotmail and gmail :) 09:28 < dft> oh dear 09:28 < dft> anyways, gotta go run some errands, ttyl 09:28 < hyper_ch> however they were aware of the dangers 09:28 < hyper_ch> so the firm has an internal network 09:28 < hyper_ch> and external network 09:28 < hyper_ch> they are physically separated 09:28 < hyper_ch> each workplace has two computers :) 09:28 < hyper_ch> (and a usb stick) 09:44 -!- bauruine [n=bauruine@85.5.224.95] has quit [Read error: 148 (No route to host)] 09:59 -!- misterbean is now known as nemysis_ 10:01 -!- ndee [n=andy@adsl-84-226-50-62.adslplus.ch] has joined ##openvpn 10:11 * ecrist needs another mac mini 10:11 < Optic> cloud computing services should let you have macs 10:11 < ecrist> fuck the cloud 10:12 < Optic> haha 10:12 < ecrist> I can't stand the 'cloud' or the term 'cloud' 10:12 < ecrist> it's overrated, overpriced bullshit 10:12 < ecrist> I have more reliability, more bandwidth, and more control in my 'data center' in my basement 10:13 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: xenophile7x7, jreno_, chantra, oc80 10:13 < Optic> hmm 10:15 -!- Netsplit over, joins: chantra, oc80, xenophile7x7, jreno_ 10:15 -!- oc80 [i=oc80z@blea.ch] has quit [Dead socket] 10:17 -!- ndee [n=andy@adsl-84-226-50-62.adslplus.ch] has quit [Read error: 60 (Operation timed out)] 10:17 -!- chantra [n=chantra@ns22757.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 10:18 -!- c64zottel [n=hans@p5B17AB91.dip0.t-ipconnect.de] has joined ##openvpn 10:18 < melvin_> ecrist: that's exactly what i my belief 10:19 -!- ndee 
[n=andy@adsl-84-226-50-62.adslplus.ch] has joined ##openvpn 10:26 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 10:32 -!- js_ [n=js@h-79-136-125-151.NA.cust.bahnhof.se] has left ##openvpn [] 10:35 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 10:39 -!- W0rmF00d is now known as WormFood 10:39 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 10:40 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 10:42 -!- ndee [n=andy@adsl-84-226-50-62.adslplus.ch] has quit [] 10:44 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn 10:48 < WormFood> it is not possible to run openvpn without tap/tun, is it? 10:54 < gregd> WormFood, theoretically it is... but it will be useless 10:54 < gregd> what are u trying to do.. 10:55 < WormFood> sadly, I don't have the ability to load the required modules on my VPS 10:55 < gregd> WormFood,VPS usually come with builtin support for tun/tap 10:56 < WormFood> I want to be able to route packets between 2 computers over open....and I understand what you mean about the theory of it working without tun/tap 10:56 < WormFood> well, I have 2 different VPSes, and neither of them come with tap/tun :( 10:56 < WormFood> really frustrating. 10:56 < gregd> use pptp or ipsec vpn 10:56 < WormFood> if I can get things working the way I envision, I would gladly pay for a dedicated server.....but I'm not willing to risk the money on it, without testing my ideas first. 10:57 < WormFood> I just have most experience with openvpn...never used pptp, but am aware of it 10:57 < gregd> reiffert, I give up with the openvpn on iphone... it looks like there are some bugs in openssl ... or somewhere else there is a memory leak and openssl breaks on HMAC_Update(&ctx, seed, seed_len)... 10:58 < WormFood> is pptp encrypted? 10:58 < gregd> WormFood, it can be 10:58 < WormFood> I'm sure it can be, if it isn't by standard 10:58 < gregd> or look for other vps? 
10:58 < WormFood> well, both of mine are free for me 10:58 < WormFood> my uncle is paying for one 10:58 < gregd> reiffert, I've checked again the tinc-vpn build on tunemu ... and it works great on iphone! 10:59 < WormFood> I told him not to pay for another year, because I wanted to switch companies, but that retard paid for another year 10:59 < gregd> lol 10:59 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:59 < WormFood> ok gregd, you confirmed what I was already thinking....thanks for your time 11:01 < WormFood> it is midnight here, I'm going to bed, see ya'll l8r 11:05 -!- nemysis_ is now known as Va 11:06 -!- Va is now known as nemysis_ 11:12 -!- roygbiv [n=blank@pdpc/supporter/active/roygbiv] has joined ##openvpn 11:14 < roygbiv> i have an openvpn client that connects over another VPN tunnel. so it's openvpn inside of another vpn. long story. anyway the routes that openvpn adds to my system are using my physical eth0 interface and not the tun0 interface from the other VPN. can i control which interface these routes are using? 11:36 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:41 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 11:56 < teddymills> OpenVPN is about a lightyear ahead of PPTP..Why are you bothering with PPTP? 11:58 < melvin_> dazo: I have upgraded Redhat to newer Kernel and openssl. 12:06 < |Mike|> !iroute 12:06 < vpnHelper> |Mike|: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. 
Also see !route and !ccd 12:06 < |Mike|> !route 12:06 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:06 < |Mike|> roygbiv: ^ 12:10 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Remote closed the connection] 12:11 -!- jeiworth [n=jeiworth@189.177.121.59] has joined ##openvpn 12:18 * ecrist considers applying for a job with NGA 12:26 < |Mike|> NGA? 12:40 < ecrist> US National Geospatial-Intelligence Agency 12:40 < ecrist> https://webpsbet01.nga.mil/EXPROD/erecruit_browsercheck.html 12:56 -!- ZummiG777 [n=ZummiG77@campfieldm-00.sworps.tennessee.edu] has joined ##openvpn 12:57 -!- ZummiG777 [n=ZummiG77@campfieldm-00.sworps.tennessee.edu] has left ##openvpn ["Leaving"] 12:59 -!- melvin_ [n=melvin@port-87-193-219-24.static.qsc.de] has quit ["Lost terminal"] 13:16 -!- roygbiv [n=blank@pdpc/supporter/active/roygbiv] has left ##openvpn [] 13:17 -!- rapha [i=rapha@unaffiliated/rapha] has quit ["Changing server"] 13:26 -!- brizly1 [n=brizly_v@p4FC99C0E.dip0.t-ipconnect.de] has quit ["Leaving."] 13:27 -!- brizly [n=brizly_v@p4FC99C0E.dip0.t-ipconnect.de] has joined ##openvpn 13:29 -!- dft [n=dft@CPE0040050149d6-CM00080d77ae83.cpe.net.cable.rogers.com] has quit [""I solemnly swear I'm up to no good""] 13:49 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:05 < krzie> still no job ecrist ? 
14:15 < |Mike|> ecrist: i see, never heard of it :p 14:15 < |Mike|> http://www.foxitsoftware.com/pdf/desklinux/ 14:15 < |Mike|> woooooooooooooooooooooot 14:15 < vpnHelper> Title: Foxit Corporation - Foxit Reader for desktop Linux (at www.foxitsoftware.com) 14:16 < |Mike|> friend of mine works there, and that bastard didn't tell me :p 14:18 -!- WormFood [n=wormfood@219.133.100.168] has quit [Read error: 60 (Operation timed out)] 14:19 -!- WormFood [n=wormfood@219.133.100.168] has joined ##openvpn 14:43 < ecrist> krzie: no, still working for the same people. 14:45 < krzie> ahh 14:48 < ecrist> I wouldn't mind a cool job in the intelligence community. That org deals with all the satellite technology 14:48 < ecrist> real 'spook' stuff 14:48 < ecrist> :D 14:59 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 15:02 < zuez> I have a box setup on one LAN acting as an OpenVPN server. Then I have an office LAN, and a box in the office that's connecting to the OpenVPN server, so they can speak to each other np. Ideally what I'd want now, is for the OpenVPN server to be able to tap into the office's LAN 15:02 * cpm does not care for TLAs very much. 15:02 < zuez> I'm not sure if that's possible with a p-t-p interface... anything I've tried doesn't do it. 15:02 < zuez> Do I need to use a different technique? 
15:02 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 15:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:11 < zuez> !route 15:11 < vpnHelper> zuez: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:15 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 15:18 < krzie> zuez, thats exactly the dc to read =] 15:18 < krzie> doc 15:18 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 15:19 < krzie> you can even have both lans accessing the other 15:19 < krzie> and you can do this for as many lans as you like, the example in !route has 3 lans, 1 behind server and 2 behind clients 15:23 < zuez> yeah, trying to figure that out now 15:23 < zuez> doing it all remotely so hope I don't break anything 15:24 < zuez> I also have two instances of VPN running on the server 15:24 < zuez> same configs pretty much, just two subnets one for clients one for servers 15:24 < zuez> so I hope that doesn't confuse me much 15:25 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:27 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 15:28 < krzie> zuez, well after thoroughly reading the doc you can ask me about it if you need to 15:28 < |Mike|> haha 15:29 < krzie> mike, ? 15:29 < |Mike|> i love docs and my cold beer :d 15:29 < krzie> =] 15:30 < |Mike|> i'm getting tired of my wheelchair lol 15:30 < |Mike|> i'm going to torch the goddamn thing 15:32 < zuez> krzie: It should still work the same if I'm running two instances of VPN on two tunneled interfaces? 
15:37 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 15:39 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:57 -!- gregd [n=gregd720@98.143.155.131] has quit [Read error: 110 (Connection timed out)] 15:59 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 16:07 -!- c64zottel [n=hans@p5B17AB91.dip0.t-ipconnect.de] has quit ["Leaving."] 16:13 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 16:24 < krzie> zuez, sure 16:26 < krzie> only add routes via one of the instances 16:29 < zuez> krzie: What if two completely separate clients (LANs ultimately) are connecting to each instance, but they all want to speak to each other? 16:31 < krzie> but they will not be switching which they connect to, right? 16:38 < zuez> nope they will not be switching 16:38 < zuez> I just have actual users connect to one instance and get their own subnet 16:39 < zuez> and servers such as lan nodes use different vpn instance with their own certs/authentication 16:39 < krzie> then ya, thats not an issue 16:40 -!- silk [n=sixth@tanin.sixth.cz] has joined ##openvpn 16:40 < silk> hi can anyone help me setting up openvpn on a openVZ vps? 16:40 < |Mike|> eeuw. 16:40 < |Mike|> it's giving problems with venet0 ? 16:41 < |Mike|> and/or iptables? 16:41 < silk> Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 16:41 < |Mike|> uh uh, i'm aware of that 16:41 < |Mike|> you might want to contact the owner of the box :) 16:42 < zuez> krzie: Thanks for * dude. 16:42 < silk> but is it solvable? 16:42 < silk> or ill need to switch to xen? 16:45 < |Mike|> Xen versus openVZ.... 16:45 < |Mike|> xen will eat openvz for sure. 
16:45 < krzie> silk, both can work 16:46 < krzie> but your issue, either you arent root, dont have tun compiled in, or your provider needs to enable something 16:46 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has joined ##openvpn 16:46 < |Mike|> his provider has to do it krzie 16:46 < |Mike|> same with iptables etc 16:46 < |Mike|> his provider has to handle all that : 16:46 < |Mike|> p 16:46 < krzie> a few people have solved that issue, but nobody ever cares to put a writeup on the solutions on our wiki 16:46 < krzie> if you get it working please find out what your provider did and write about it on the wiki 16:46 < krzie> !wiki 16:46 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 16:47 < krzie> or on the forum (!forum) 16:47 < kurt_> hoping someone can help me with firestarter/iptables configuration for my bridged openvpn server 16:47 < kurt_> everything works w/o firewall running, with running, I cannot pass rdp 16:47 < krzie> why are you using a bridge? 16:48 < silk> yes mike on a xen vpn i had it ran with no problem 16:48 < kurt_> its a game dev company, they must pass UDP 16:48 < krzie> udp is layer3, doesnt need a bridge 16:48 < kurt_> client uses udp over lan to find server 16:48 < krzie> !tunortap 16:48 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 16:49 < kurt_> I've actually got the vpn working just fine 16:49 < kurt_> its the firewall interaction that's the issue 16:49 < krzie> then allow everything over the tap device 16:50 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 16:50 < kurt_> so, should both internet side (br0), actually be set to tap? 
16:50 < krzie> err, allow * from br0 16:50 < kurt_> pings are working fine 16:50 < krzie> i dont bridge, never had a reason 16:50 < krzie> you dont have a reason either 16:51 < krzie> so *shrug* 16:51 < kurt_> :) 16:51 < kurt_> I don't think the UDP packets for lan will be correctly passed w/o bridging 16:51 < krzie> wrong 16:52 < krzie> UDP is layer3 16:52 < krzie> you dont need to tunnel layer2 to have a layer3 protocol flow over the vpn 16:53 < kurt_> well, I've spent a lot of time getting the bridging working, and it does, so for now, until I can figure out the routed solution, I need to run with what I have 16:53 < krzie> hah 16:53 < kurt_> appreciate your insight tho 16:54 < krzie> because it was hard to do it wrong is no reason to continue doing it wrong 16:54 < krzie> !sample 16:54 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:54 < krzie> theres a routed setup 16:54 < krzie> no bridge script, none of that bs 16:54 < kurt_> only part tripping me up at this point is firewall. I will definitely look at that 16:54 < krzie> for lans on either side, see !route 16:55 < krzie> well if you know its the firewall, why dont you make a rule to allow the traffic 16:55 < krzie> remember you cant be doing it based on IP since you are not tunneling layer3 16:55 < kurt_> I have - want to see my rules --list in pastebin? 16:56 < krzie> since i dont use bridge, or linux (fbsd/osx) i may not be very helpful 16:56 < krzie> but sure 16:56 < krzie> even if i dont see anything, maybe someone else will 17:00 < kurt_> http://pastebin.com/m3bd9d2b0 - took me a little time to remove a bit of sensitive info 17:01 < |Mike|> sed to the reque. 17:01 < |Mike|> or :$s/ip/to-crap 17:01 < |Mike|> or was it %s 17:02 < kurt_> krzie - can I see your ifconfig set up - are you using 2x interfaces? 
17:02 < krzie> i dont need to ifconfig anything, ovpn does it 17:02 < krzie> just this: 17:02 < krzie> !sample 17:02 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 17:02 < kurt_> and are you enabling packet forwarding? 17:03 < kurt_> I mean - I wanted to see what your interfaces looked like 17:03 < kurt_> are you using manual/dhcp 17:03 < krzie> only matters if you are having lans behind openvpn or accessing inet over the vpn 17:03 < krzie> otherwise ip forwarding isnt needed 17:04 < krzie> neither, openvpn assigns the ips 17:04 < kurt_> so, have you statically set everything? 17:04 < kurt_> did you have to include bcast/network? 17:04 < krzie> only static if i say so 17:04 < krzie> !static 17:04 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 17:05 < kurt_> which iface is your default gw 17:05 < krzie> one that is unrelated to ovpn 17:12 < krzie> because i dont bridge, that doesnt matter whatsoever 17:14 < krzie> but if i wanted to, clients could use the vpn as their default gateway (see !redirect) 17:34 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 17:34 < Optic> moo 18:01 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 18:53 -!- qwebirc68123 [i=41dac603@gateway/web/freenode/x-yrbylvihammofkqp] has joined ##openvpn 19:07 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has quit [] 19:08 -!- pieeater [i=41dac603@gateway/web/freenode/x-ietkfqfkvevwcfbs] has joined ##openvpn 19:09 -!- pieeater [i=41dac603@gateway/web/freenode/x-ietkfqfkvevwcfbs] has quit [Client Quit] 19:09 -!- qwebirc68123 [i=41dac603@gateway/web/freenode/x-yrbylvihammofkqp] has quit ["Page closed"] 19:39 -!- jeiworth [n=jeiworth@189.177.121.59] has quit [Read error: 110 (Connection timed out)] 
19:48 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 19:49 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 20:37 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 20:38 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 20:47 < Optic> moo 20:53 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn 21:11 -!- master_of_master [i=master_o@p549D3E23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:11 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection] 21:14 -!- master_of_master [i=master_o@p549D631C.dip.t-dialin.net] has joined ##openvpn 21:32 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn 21:33 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 21:36 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 21:43 -!- kosmic [n=sat@unaffiliated/greyhat] has joined ##openvpn 22:42 -!- Koper [n=Koper@elisha.wowpanda.net] has joined ##openvpn 22:42 < Koper> Hi.. I have a question, I installed a vpn on a server. The server has IP address 10.8.0.1 22:42 < Koper> If from the server I connect to 10.8.0.1, is it exactly the same as connecting to 127.0.0.1? Or does it have all the overhead involing with encapsulating packets and especially encrypting them? 23:00 < RadarG> has anyone had any luck using wrts with openvpn? 
23:35 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection] 23:35 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 23:38 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit ["Colloquy for iPhone - http://colloquy.mobi"] 23:38 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 23:38 -!- Techie [n=Techie@ip-118-90-15-51.xdsl.xnet.co.nz] has joined ##openvpn 23:38 -!- Techie [n=Techie@ip-118-90-15-51.xdsl.xnet.co.nz] has quit ["Leaving"] 23:39 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit [Client Quit] 23:40 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 23:43 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit [Client Quit] 23:47 -!- RadarG [n=nightwol@210.124.129.119] has quit [] 23:49 -!- davidisko [i=davidisk@nte.sk] has quit [Read error: 110 (Connection timed out)] 23:59 -!- RadarG [n=justin@210.124.129.119] has joined ##openvpn --- Day changed Sat Sep 05 2009 00:13 -!- RadarG [n=justin@210.124.129.119] has quit ["Leaving"] 00:14 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn 00:17 < RadarG> ok after spending countless hours trying make windows vista act like a router I gave up and changed my xbox vpn setup to a different config. Right now I have a ubuntu box setup using virtual box in asia and I have a hacked wrt setup in the states setup as the server. 
Hopefully in a couple of hours I'll have it setup 00:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:00 -!- Koper [n=Koper@elisha.wowpanda.net] has quit [Read error: 104 (Connection reset by peer)] 01:17 -!- c64zottel [n=hans@p5B17B1FC.dip0.t-ipconnect.de] has joined ##openvpn 01:17 -!- kn0x [n=pinochle@67.159.48.101] has quit [Remote closed the connection] 01:17 -!- c64zottel [n=hans@p5B17B1FC.dip0.t-ipconnect.de] has left ##openvpn [] 01:19 < RadarG> has anyone seen the following error "Connection reset by peer (WSAECONNRESET) (code=10054)" my client is showing this while trying to connect to the openvpn wrt server 01:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 01:31 -!- kn0x [n=pinochle@67.159.48.101] has joined ##openvpn 01:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 01:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:13 -!- silk [n=sixth@tanin.sixth.cz] has quit [Read error: 110 (Connection timed out)] 02:46 -!- kn0x [n=pinochle@67.159.48.101] has quit [Read error: 104 (Connection reset by peer)] 02:47 < RadarG> http://pastebin.com/d5d4b7c8b I think my problem is iptables related on the wrt this pastebin explains further 02:48 -!- kn0x [n=pinochle@67.159.48.101] has joined ##openvpn 02:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 03:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:12 -!- ribasushi [n=rabbit@dslb-084-063-046-216.pools.arcor-ip.net] has quit ["Leaving"] 03:22 -!- silk [n=sixth@tanin.sixth.cz] has joined ##openvpn 03:24 -!- Koper [n=Koper@elisha.wowpanda.net] has joined ##openvpn 03:41 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)] 03:41 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 04:15 < 
RadarG> has anyone had any luck running openvpn on a dd-wrt? 04:22 < RadarG> hmm I'm getting hard resets back from the client 04:23 < RadarG> is there anyone good with iptables in here? 04:28 < RadarG> scratch that 04:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 05:19 < RadarG> ok i found the issue with the wrt the log is saying that it is unable to load the dh.pem 05:25 < RadarG> does it matter if I used openvpn to generate the keys and the file that it created was dh1024.pem and the one on the wrt is dh.pem? 05:26 < reiffert> no. 05:32 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 05:46 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has quit [Read error: 60 (Operation timed out)] 05:48 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn 06:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:22 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 06:54 -!- brizly [n=brizly_v@p4FC99C0E.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:56 -!- brizly [n=brizly_v@p4FC99F96.dip0.t-ipconnect.de] has joined ##openvpn 07:05 -!- RadarG [n=nightwol@210.124.129.119] has quit [] 07:10 -!- gallatin [n=gallatin@dslb-094-220-052-024.pools.arcor-ip.net] has joined ##OpenVPN 07:17 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)] 07:19 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 07:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:35 < Optic> moo 07:38 -!- gallatin [n=gallatin@dslb-094-220-052-024.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 07:59 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn 08:06 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 08:16 -!- kyrix 
[n=ashley@93-82-9-48.adsl.highway.telekom.at] has joined ##openvpn 08:48 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 09:01 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Connection timed out] 09:02 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)] 09:05 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 09:12 -!- kyrix [n=ashley@93-82-9-48.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 09:12 -!- kyrix [n=ashley@188-23-77-67.adsl.highway.telekom.at] has joined ##openvpn 09:15 < RadarG> can someone please help me generate my keys using ubuntu? 09:17 -!- kaii is now known as kh 09:17 < RadarG> it says source the vars script first 09:19 -!- kh is now known as kaii 09:23 < RadarG> i edited the vars but it still says to source the vars 09:33 < _markus> source ./vars 09:33 < _markus> ./clean-all 09:33 < _markus> ./build-ca 09:37 < RadarG> thanks 09:39 < RadarG> I am confused a bit on the server key and server cert. I'm creating the cert and key that will go on a dd-wrt openvpn server. I'm making the keys but it is asking me to enter in a challenge password do I have to use one? 09:41 < _markus> no 09:42 < _markus> you can use blank password. 09:42 < RadarG> so I just hit enter 09:42 < _markus> ye 09:42 < _markus> s 09:49 < |Mike|> wtf 09:49 < |Mike|> since when do we actually help people with basic questions ? 09:52 < Optic> moo 09:53 -!- hihello [i=ircN@c-68-62-2-82.hsd1.mi.comcast.net] has joined ##openvpn 09:53 < hihello> !howto 09:53 < vpnHelper> hihello: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:53 < hihello> !redirect 09:53 < vpnHelper> hihello: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
09:53 < hihello> !ipforwad 09:53 < vpnHelper> hihello: Error: "ipforwad" is not a valid command. 09:53 < hihello> !ipforward 09:53 < vpnHelper> hihello: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 09:53 < hihello> !winipforward 09:53 < vpnHelper> hihello: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 09:56 < hihello> so i do the microsoft little patch there ^ 09:56 < hihello> how do i actually forward specific hostname:ports 09:56 < hihello> through the openvpn gui? 09:57 < |Mike|> read the howto sir. 09:57 < hihello> i goto the how to page 09:58 < hihello> and search for ip forwarding but nothing like that exists 09:59 < hihello> i only want to redirect specific traffic 09:59 < hihello> not all traffic 10:00 * |Mike| not a windows guru 10:01 < hihello> :( 10:05 < hihello> so you can't help? 10:06 < hihello> the server end is linux.. 10:06 < hihello> dont i have to do something with ip tables or something on the linux server?? 10:06 < hihello> to forward specific ports in the tunnel? 10:09 < hihello> |Mike| ? 10:10 < |Mike|> !linnat 10:10 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 10:10 < |Mike|> you are using NAT? 
10:10 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 10:13 < hihello> I setup TAP/TUN up 10:13 < hihello> then made a secret-key 10:13 < hihello> rebooted 10:13 < hihello> put in the config on the linux server 10:14 < hihello> then connected to it from the openvpn gui 10:14 < hihello> i'm connected to the vpn 10:14 < hihello> but i just need to know how to route specific traffic through the server's openvpn 10:14 < hihello> i'm 100% linux noob 10:14 < hihello> i've used ssh tunneling via putty for what i'm trying to replace openvpn with 10:18 < hihello> Sat Sep 05 10:49:28 2009 Route: Waiting for TUN/TAP interface to come up... 10:18 < hihello> Sat Sep 05 10:49:29 2009 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up 10:18 < hihello> Sat Sep 05 10:49:29 2009 Initialization Sequence Completed 10:18 < hihello> see its connected in the gui 10:19 < hihello> |Mike| ? 10:27 < hihello> can no one help me? 10:28 -!- kyrix [n=ashley@188-23-77-67.adsl.highway.telekom.at] has quit [Remote closed the connection] 10:31 < hihello> thanks |Mike| 10:31 < hihello> you're real helpful 10:31 -!- hihello [i=ircN@c-68-62-2-82.hsd1.mi.comcast.net] has left ##openvpn [] 10:32 -!- Koper [n=Koper@unaffiliated/koper] has quit ["ZNC - http://znc.sourceforge.net"] 10:32 -!- Koper [n=Koper@elisha.wowpanda.net] has joined ##openvpn 11:02 -!- BigJB_ is now known as BigJB 11:10 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has joined ##openvpn 11:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:20 -!- _markus_ [n=markus@83.250.33.131] has joined ##openvpn 11:32 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 11:59 -!- RadarG [n=nightwol@210.124.129.119] has left ##openvpn [] 12:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 12:39 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:55 -!- krzee [i=nobody@unaffiliated/krzee] 
has quit ["Leaving"] 13:09 -!- worch [i=worch@battletoad.com] has quit [Client Quit] 13:11 < |Mike|> stfu hihello, i have a social life aswell. 13:13 -!- Koper [n=Koper@elisha.wowpanda.net] has left ##openvpn [] 13:21 -!- Gumbler is now known as HappyGumbler 13:27 -!- silk [n=sixth@tanin.sixth.cz] has quit [Read error: 60 (Operation timed out)] 13:30 -!- jeiworth [n=jeiworth@189.163.170.81] has joined ##openvpn 13:58 -!- kreg [n=kreg@208-98-188-95.directcom.com] has quit [Connection timed out] 14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 14:43 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn 14:50 -!- troy- [n=troy@CPE00907f17e478-CM00186845db94.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 15:47 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 15:56 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit [Read error: 60 (Operation timed out)] 16:00 -!- c64zottel [n=hans@p5B17B1FC.dip0.t-ipconnect.de] has joined ##openvpn 16:01 -!- c64zottel [n=hans@p5B17B1FC.dip0.t-ipconnect.de] has left ##openvpn [] 16:48 -!- asdfas [n=asdfaf@host203.190-230-52.telecom.net.ar] has joined ##openvpn 16:52 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 16:53 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 17:04 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 17:05 -!- Douglas [i=Douglas@124.sub-75-195-165.myvzw.com] has joined ##openvpn 17:05 < Douglas> ello.. 17:05 < Douglas> krzie: hi 17:07 -!- Douglas [i=Douglas@124.sub-75-195-165.myvzw.com] has quit [Client Quit] 17:08 < |Mike|> quit hilighting him tknx. 17:35 -!- six [i=sixth@tanin.sixth.cz] has joined ##openvpn 17:35 < six> !redirect 17:35 < vpnHelper> six: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
17:35 < six> !ipforward
17:35 < vpnHelper> six: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
17:35 < six> !linipforward
17:35 < vpnHelper> six: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
17:36 < six> !linnat
17:36 < vpnHelper> six: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:43 < demo> can anyone help me installing vpn on a vps?
17:44 < |Mike|> NO WE CAN'T
17:44 < demo> why not?
17:44 < |Mike|> depends on the VPS
17:44 < demo> well they enabled the tun
17:44 < |Mike|> openVZ ?
17:44 < demo> yes
17:44 < demo> !linnat
17:44 < vpnHelper> demo: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
17:45 < demo> that command i have a problem with
17:45 < |Mike|> iptables can't be done by the VPS owner ....
17:45 < |Mike|> only by some suspicious admin
17:45 < demo> so ill need to ask them to do that too?
17:45 < |Mike|> ircvps ?
17:46 < |Mike|> if so, i'm talking with him atm...
17:46 < demo> what?
17:46 < |Mike|> n/m.
17:46 < demo> WHAT?
17:47 < |Mike|> ... act normal sir.
17:48 < demo> mike
17:48 < demo> it also must be done by the owner of the box?
17:48 < |Mike|> Yes.
17:48 < demo> how lovely
17:48 < demo> thanks again :)
17:48 < |Mike|> it's stated in the openvpn howto as well ;)
17:49 < demo> i cant read.
17:49 < |Mike|> only poshol nahuy right ?
17:49 < demo> da :)
17:49 < |Mike|> ok :)
17:53 < demo> openvz is a pain in the ...
17:53 < |Mike|> ircvps ?
17:53 < demo> no
17:54 < |Mike|> lies.
17:54 < demo> no lie!1
17:54 < |Mike|> it is.
17:54 < demo> it is.
17:54 < |Mike|> ircvps is el-cheapo
17:55 < |Mike|> but last time i spoke with you, you said that you had some dutch vps :p
17:55 < |Mike|> technotop?
17:55 < demo> wtf are you familiar with them all?
17:55 < demo> its not dutch
17:55 < |Mike|> sure thing.
17:55 < demo> its .nl
17:55 < |Mike|> XLS !
17:58 < six-> damn isp
17:58 < |Mike|> 2009/09/06 00:52:18 < demo> its .nl
17:58 < |Mike|> 2009/09/06 00:52:36 < |Mike|> XLS !
17:58 < six-> it starts with pc and ends with extreme
17:59 < |Mike|> omfg, even worse
17:59 < six-> I would need to disagree
17:59 < |Mike|> you pay 14 euros a month ?
18:00 < six-> 14usd maybe
18:00 < six-> damn my dns doesnt work
18:00 < six-> :-(
18:01 < |Mike|> they write something about flexibility and freedom about it in their pdf
18:02 < six-> i find that kinda cute :-)
18:02 < six-> mike, what should i put for dns in the wintap?
18:02 < six-> the ip of the vpn?
18:03 < |Mike|> i'm not a windows guru
18:03 < |Mike|> push-dns are you referring to btw?
18:03 < six-> no i just did something with my ISP
18:03 < six-> because i had issues
18:03 < six-> moved from mpls to l2tp
18:03 < six-> and since my vpn dns isnt working good
18:04 < |Mike|> mpls, l2tp ?
18:05 < six-> yup
18:06 < |Mike|> wtf is that.
18:07 < six-> uhm
18:07 < six-> moved to a dial up connection?
18:10 < |Mike|> no idea?
18:37 < kosmic> how do you find out if your vpn service is watching your traffic
18:40 < |Mike|> send some weirdo arp requests :p
18:40 < |Mike|> they aren't allowed to sniff it either way
18:40 < kosmic> seriously?
18:40 < |Mike|> you have some kind of privacy polcy with them.
18:40 < kosmic> who makes sure they dont
18:40 < |Mike|> *policy
18:42 < |Mike|> that's why i dislike vps providers
18:42 < kosmic> vps'?
18:42 < kosmic> they dont have policies?
18:43 < |Mike|> o crap, you were talking about VPN
18:43 < kosmic> yeah
18:43 < |Mike|> are you the owner of the openvpn setup ?
18:43 < kosmic> i don't think they offer that as a service no
18:43 < kosmic> i am talking about those companies that sell you anonymity
18:44 < kosmic> they have to keep logs to catch abusive users i presume
18:44 < |Mike|> i'm not paranoid at all, but it woudln't surprise me if they sniff your data
18:44 < |Mike|> *wouldn't
18:45 < kosmic> do you sniff peoples data?
18:45 < |Mike|> I don't run a VPN company
18:45 < |Mike|> but all my data is analyzed by snort (in/out) :)
18:46 < kosmic> i havent used snort in 8 years
18:46 < kosmic> cant remember if i even succeeded in configuring it or not
18:47 < |Mike|> snort aint easy to configure tho.
18:47 < |Mike|> but after it's configured, it can do a lot :D
18:47 < kosmic> still hard? wow ;)
18:47 < |Mike|> you have to understand it.
18:48 * |Mike| &
18:48 < kosmic> that would certainly help
18:54 < kosmic> don't really trust anyone not to watch what kind of stuff i would do on a vpn
19:31 < kosmic> what has anybody heard of 12vpn
19:31 < kosmic> if anything
19:31 < kosmic> they are cheap!
19:31 < kosmic> but are they reliable
21:10 < RadarG> when setting up an openvpn client the only keys that need to be in the client config file is the ca.crt and the client1.crt and .key right?
22:16 < Dougy> holy shit
22:16 < Dougy> ecrist: when did you rearrange the forum
22:16 < Dougy> lol
22:35 < RadarG> is there a difference if I create my keys on a windows box vs a linux based system or is a key a key?
22:43 < RadarG> ecrist Are you there?
22:48 < RadarG> has anyone had any luck getting openvpn to work on wrts?
22:53 < RadarG> I think that I'm going to try the KISS method maybe I'll have better luck
23:04 < kosmic> radarg, hmm good question
23:04 < kosmic> create your keys under linux,
23:04 < kosmic> windows is closed source you know ;) and besides their rng has been known to break
--- Day changed Sun Sep 06 2009
02:11 < RadarG> Here is a config that I was going to use but I have decided to simplify it and make the server (dd-wrt) use a static key can someone help me clean it up? http://pastebin.com/d1e109daa
02:42 < RadarG> has anyone seen this error before http://pastebin.com/d2fe0fd9d
02:43 < RadarG> I'm taking a windows client and connecting it to a dd-wrt server
02:49 < RadarG> http://pastebin.com/d5ba44348 I found a site that wants me to add a couple of iptable entries but I'm not sure how it will affect my existing script. Can someone please look at the pastebin and comment on it? Thanks
05:04 < krzee> Bushmills, here?
08:05 < RadarG1> is there anyone in here today that has configured openvpn on a wrt?
09:16 < Optic> cows
09:45 < RadarG1> can someone help me with this client config? http://pastebin.com/da17c44d
09:45 < RadarG1> I'm trying to use a static key
09:53 < RadarG1> fixed it
11:28 < RadarG1> all right guys I think that I'm close to getting my setup completed
11:33 < jeebusmobile> !route
11:33 < vpnHelper> jeebusmobile: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:14 < jeebusmobile> Hello, I'm having issues routing beyond the vpn server. The server cannot ping the tun address, which seems like it would be the problem.
12:15 < jeebusmobile> Server is running openbsd, let me know what configs you need if any, thanks.
13:35 < |Mike|> or just idle..
13:52 < ecrist> I am here now.
13:52 < ecrist> doh, just missed him
14:04 < Optic> moo
14:11 < rgubler> hello, does the client or server drop the connection when TLS key negotiation fails to occur within 60 seconds?
14:14 < rgubler> more important is it possible to increase this threshold to some arbitrary time? my connection is being dropped due to this. however when both the server and client are in verbose mode 6 i can see many transactions occurring between them. i suspect the timeout needs to be increased.
14:15 < rgubler> the client is going through a proxy. in a similar way, when i ssh through the proxy it takes quite a few seconds before the session is established.. which makes me think its possible openvpn needs more time to negotiate the link
14:16 < rgubler> i've tested the client over a connection that doesn't require a proxy, and it works fine.. any input you guys have would be great :)
14:16 < ecrist> Optic: what is up with the 'moo'
14:18 < ecrist> rgubler: sure, which timeout
14:21 < rgubler> ecrist: this is the specific error: TLS Error: TLS key negotiation failed to occur within 60 seconds. followed by: TLS Error: TLS handshake failed. i found the --tls-timeout option in the openvpn man page, but this interval specifies a timeout that seems to not cover what i want..
14:21 < rgubler> so, i'm not sure the option i want exists.. which i hope isn't the case
14:22 < ecrist> usually, the failure indicates a connection problem
14:25 < rgubler> yeah, i'm not sure i believe it in this case.. like i mentioned my ssh connections through the proxy take some time before they're established.. i can see data being xmited and rcv'd on server and client 1 second before the connection drops out..
14:29 < rgubler> oh, i think i found it! --hand-window
14:29 < rgubler> sweet
15:02 < eliasp> i have trouble reaching the net behind my OpenVPN server... i push "route 192.168.1.0 255.255.252.0" to the clients and the route is also correctly applied on the clients... now i'd like to ping the default gateway of the remote LAN (192.168.1.10), but i can't reach it... pinging the other interface of the OpenVPN server in this net (192.168.1.2) works fine...
15:02 < eliasp> ip-forwarding is enabled, + iptables according to http://openvpn.net/index.php/open-source/faq.html#firewall is also done...
15:02 < vpnHelper> Title: FAQ (at openvpn.net)
15:03 < eliasp> my local net differs from the remote one (remote: 192.168.1.0/24, local: 192.168.10.0/24)
15:03 < eliasp> so this shouldn't cause a conflict
15:03 < eliasp> what else is missing?
15:20 < Bushmills> try netmask 255.255.248.0
15:21 < Bushmills> as you also intend to push route 192.168.0-15.x, route 192.168.0.0 netmask 255.255.248.0
15:31 < eliasp> ok
15:31 < eliasp> Bushmills: still the same ;-(
15:32 < eliasp> or even worse... now i can't even reach the internal interface of the OpenVPN server....
15:32 < eliasp> ah, because of this: Sun Sep 6 22:31:37 2009 /sbin/ip route add 192.168.1.0/21 via 10.8.0.1
15:32 < eliasp> this runs into a RTNETLINK answers: Invalid argument
16:35 < rgubler> alright looks like --hand-window option didn't fix my problem. quick recap: i can connect to my ovpn server fine when i dont use a proxy. when i use a proxy it attempts to connect but ultimately fails. i've uploaded my config and related logs here: http://pastebin.com/d50c366a0 . anyone have any ideas? mtu problem maybe?
16:39 < rgubler> actually mtu problem doesn't make sense.. all of those packets are about 100 bytes
17:52 < |Mike|> lol
17:59 < rgubler> it looks like the server stops receiving packets.. i can see the server continues to send WRITE [142] messages, they arrive at the client.. the client sends WRITE [50] .. WRITE [62] but they dont arrive at the server
17:59 < |Mike|> !all
17:59 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
18:01 < |Mike|> hmz rgubler
18:02 < |Mike|> 164.Sun Sep 6 13:53:36 2009 us=887607 :23435 TLS Error: TLS key negotiation failed to occur within 180 seconds (check your network connectivity)
18:02 < |Mike|> 165.Sun Sep 6 13:53:36 2009 us=887836 :23435 TLS Error: TLS handshake failed
18:02 < |Mike|> 166.Sun Sep 6 13:53:36 2009 us=889274 :23435 Fatal TLS error (check_tls_errors_co), restarting
18:02 < |Mike|> 167.Sun Sep 6 13:53:36 2009 us=889528 :23435 SIGUSR1[soft,tls-error] received, client-instance restarting
18:02 < |Mike|> 168.Sun Sep 6 13:53:36 2009 us=890125 TCP/UDP: Closing socket
18:03 < rgubler> yeah, that is the original error.. i added some options to the config files that seem to change the sequence of events a little.. but ultimately the same TLS error occurs
18:03 < |Mike|> you might want to change the mtu's
18:04 < rgubler> i'll give that a try... although by the look of the log file it seems no packet is bigger than 100 bytes
18:04 < rgubler> (haven't done any tcpdumps to verify packets, minus headers, are near that size though
18:05 < |Mike|> mtu has nothing to do with packetsizes :)
18:05 < rgubler> sure it does.. if packetsize < mtu then there is no problem
18:24 < |Mike|> rgubler: you tried to change your mtu for the tls handshake ?
18:25 < rgubler> not yet.. trying to read the man page to determine a good size to use..
18:29 < |Mike|> take a look at the keepalive as well.
18:29 < |Mike|> you might want to increase that.
18:42 < rgubler> yeah.. no luck
21:08 < Wyk3d> !redirect
21:08 < vpnHelper> Wyk3d: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
--- Day changed Mon Sep 07 2009
02:07 < RadarG> is there a stripped down version of linux that I can put openvpn on?
02:09 < RadarG> or will almost anything work
02:32 < sixth> HI
02:33 < sixth> any idea how to use "iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" in an OpenVZ vpn? my provider doesnt
02:33 < dazo> RadarG: OpenVPN will run on a lot of setups .... you might need to cross compile it if your hardware is non-x86 based .... but except for that, it really works well on a lot of systems
02:34 * dazo runs openvpn on a wrt-54gl with openwrt/x-wrt
02:34 < dazo> sixth: that command looks sensible ... what do you want to achieve?
02:34 < sixth> route all my inet traffic through the vpn
02:35 < dazo> sixth: and your eth device on the server which is connected to your ISP, is eth0 ?
02:36 < sixth> its a vps
02:37 < dazo> sixth: this rule you listed, explicitly says that only traffic going out on eth0 will be masqueraded .... and you cannot do masq. without giving an explicit eth device which is the "internet" ... unless you want to have connection issues, of course :-P
02:37 < pif> hi, I'd like to use my laptop as a wifi access point and bridget to an openvpn subnet, is it possible?
02:37 < pif> s/bridget/bridge/
02:37 < dazo> pif: everything is possible, even the impossible .... it just takes a bit longer time ;-)
02:38 < pif> is there a howto somewhere?
02:38 < sixth> dazo i dont have an eth0 i have a "venet"
02:38 < dazo> pif: yeah, it sounds possible .... even though, not sure how to do every step .... but the openvpn part is no problem at all
02:39 < dazo> pif: if you'll first get your laptop up'n'running as a wifi AP without VPN (just like an ordinary wireless router) .... We can help you here to get further with openvpn
02:39 < pif> oki
02:39 < dazo> sixth: exactly, try replacing eth0 with venet then
02:39 < sixth> i did it doesnt help
02:39 < sixth> i dont have eth0 in my "ifconfig"
02:40 < pif> ifconfig -a
02:40 < dazo> sixth: can you pastebin your ifconfig -a ... and also the results of iptables-save
02:40 < dazo> !pastebin
02:40 < vpnHelper> dazo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
02:41 < sixth> dazo, http://pastebin.ca/1556871
02:41 < dazo> sixth: also check what 'cat /proc/sys/net/ipv4/ip_forward' says ...
02:42 < sixth> 1
02:42 < dazo> sixth: venet got the same IP addr as localhost .... it does not have any public facing interfaces
02:43 < sixth> venet0:0 does
02:44 < dazo> sixth: this setup looks strange .... as you've bound localhost and public interface ..... that really does not sound correct .... but I won't go deeper than to raise my concern .....
02:44 < dazo> sixth: when it comes to your iptables setup .... it's empty
02:45 < dazo> sixth: and! you don't have any tun/tap devices on this box ......
02:45 < dazo> sixth: this is a very incomplete setup ....
02:45 < sixth> i do
02:45 < dazo> sixth: I see lo, vnet0 and vnet0:0 in your ifconfig setup
02:45 < sixth> it just doesnt show because its openvz
02:46 < dazo> well, this box you listed up for me .... does not have any interface at all ..... did you give me the right setup?
02:46 < sixth> yes 02:47 < dazo> sixth: and this openvz is going to be the openvpn server? 02:47 < sixth> yes 02:48 < dazo> sixth: then this openvz needs to have tun/tap devices .... or else, it's not going to work .... and it needs to be visible 02:51 < sixth> if ill use iproute 02:51 < sixth> can i use that instead of iptables, dazo? 02:52 < dazo> sixth: probably not .... iproute is more for routing and network configuration .... iptables are for firewalling (including NAT and masq) 02:54 < rgubler> hello, i am trying to resolve a problem i experienced earlier this morning. i can connect to my openvpn server fine when not behind a proxy. when i am behind a proxy it looks as those the client continuously sends requests to the server, but the server does not respond. ultimately the link fails due to TLS key negotiation timeout.. here is my configuration and logs: http://pastebin.com/d50c366a0 03:10 -!- rob___ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 03:10 -!- rob___ is now known as rgubler_ 03:11 -!- sixth [n=sixth@bzq-82-81-250-239.cablep.bezeqint.net] has quit [] 03:12 -!- sixth [n=sixth@yona.sixth.ru] has joined ##openvpn 03:12 < sixth> finally 03:12 < sixth> fixed 03:12 < sixth> :) 03:15 < rgubler_> if only i could say the same 03:15 < rgubler_> haha 03:15 < sixth> well i have been in mails with the dumb provider for a week and i finally fixed it by myself so it wasnt easy 03:16 < rgubler_> ah 03:16 < rgubler_> cool 03:18 < sixth> btw dazo i did "iptables -t nat -A POSTROUTING -o ethX -s 10.8.0.0/24 -j SNAT --to public ip" 03:18 < sixth> thanks for the help :) 03:20 -!- sixth- [n=sixth@yona.sixth.ru] has joined ##openvpn 03:27 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 03:31 -!- sixth- [n=sixth@yona.sixth.ru] has quit [Read error: 60 (Operation timed out)] 03:32 -!- sixth [n=sixth@yona.sixth.ru] has quit [Read error: 104 (Connection reset by peer)] 04:04 -!- 
sixth [n=sixth@82.80.154.220] has joined ##openvpn 04:05 < sixth> help, im running windows and i have problems with my dns , with openvpn it doesnt work , and i cant ping my dhcp server 04:07 -!- RadarG [n=nightwol@210.124.129.119] has quit [] 04:09 -!- sixth- [n=sixth@bzq-82-81-250-239.cablep.bezeqint.net] has joined ##openvpn 04:13 -!- sixth- [n=sixth@bzq-82-81-250-239.cablep.bezeqint.net] has quit [Client Quit] 04:14 -!- sixth [n=sixth@82.80.154.220] has quit [Read error: 104 (Connection reset by peer)] 04:24 -!- sixth [i=sixth@yona.sixth.ru] has joined ##openvpn 04:25 < sixth> can anyone help me? im using openvpn to to traffic my inet and the dns doesnt seem to work on a l2tp connection 04:38 -!- melvin [n=melvin@87.193.219.24] has joined ##openvpn 04:39 < melvin> dazo: i think i found the problem. 04:40 < dazo> melvin: ahh! Hi again! Sorry for not managing to check back on Friday .... work became hectic 04:40 < dazo> melvin: what did you find? 04:50 < sixth> dazo any idea about my problem? 04:50 < sixth> what can i do? 04:51 < dazo> sixth: I'm not a Windows user at all .... check the mailing lists, if you haven't .... DNS issues on Windows is a topic which flags up there from time to time .... something about the DNS cache is not refreshed when the VPN is established, or something like that .... 04:52 < dazo> sixth: but l2tp ... not sure what you mean with that .... but that sounds more like IPSec .... and that's not openvpn at all .... 04:52 < sixth> my isp uses l2tp now to connect me 04:52 < sixth> like a dial up 04:53 < dazo> aha 04:53 < sixth> before it did, everything worked fine 04:56 < sixth> gonna go try some stuff 04:56 -!- sixth [i=sixth@yona.sixth.ru] has quit [] 05:14 -!- sixth [n=sixth@82.80.154.220] has joined ##openvpn 05:15 < sixth> anyway to get openvpn to work for pptp? 05:28 < dazo> sixth: openvpn is not pptp .... that will NEVER work .... 
that's two completely different protocols 05:30 < sixth> well i am connected just the dns is the problem 05:30 < sixth> i give him the servers ip 18.8.0.1, anything, doesnt work 05:30 < sixth> my router holds the pptp connection 05:33 -!- mius [n=miusf@earthtomoon.net] has joined ##openvpn 05:49 -!- kyrix [n=ashley@188-23-64-16.adsl.highway.telekom.at] has joined ##openvpn 05:50 -!- bauruine [n=bauruine@95-224.5-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 06:01 -!- sixth- [n=sixth@bzq-82-81-250-239.cablep.bezeqint.net] has joined ##openvpn 06:01 < melvin> dazo: the problem with the disconnecting 06:01 < melvin> the rekeying stops because if the password is not cached. 06:07 < melvin> i don't understand why the password is needed for the rekeying / tls soft reset. the connection is stable with enabled auth-cache. 06:17 -!- ashley_ [n=ashley@188-23-64-16.adsl.highway.telekom.at] has joined ##openvpn 06:18 -!- kyrix [n=ashley@188-23-64-16.adsl.highway.telekom.at] has quit [Connection timed out] 06:19 -!- WormFood [n=wormfood@219.133.100.121] has quit [Read error: 110 (Connection timed out)] 06:19 -!- sixth [n=sixth@82.80.154.220] has quit [Read error: 110 (Connection timed out)] 06:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:22 -!- WormFood [n=wormfood@219.133.100.121] has joined ##openvpn 06:25 < dazo> melvin: ahh .... you disabled that? .... that explains a lot. The secret key in the key file is usually password encrypted (thus you need to enter a password) ... without the auth-cache, openvpn will discard that memory region where the password was stored, and on rekeying, it's not able to read the key file again .... it's basically that easy 06:25 < dazo> melvin: did you disable that during compile? I didn't recall you had that disabled in the config file .... 
I thought that was enabled by default 06:26 -!- sixth- [n=sixth@bzq-82-81-250-239.cablep.bezeqint.net] has quit [] 06:27 < melvin> dazo: no, i had disabled it in the config 06:27 < melvin> because i thought the password is only needed for the plugin 06:27 < dazo> melvin: then I'm very sorry for not spotting that .... 06:27 < melvin> dazo: no no :-) don't worry about that 06:27 < dazo> melvin: ahh ... no, that's needed for the SSL files .... if you disable passwords in the SSL key, you don't need it, but that's not so clever 06:28 < melvin> what is the disabling good for? 06:28 < dazo> melvin: which option did you use? 06:29 < dazo> melvin: I honestly don't know .... I would not think about disabling that ... unless if you have very high reneg-* options and/or use only the connection once and stop openvpn for each disconnect 06:29 < melvin> its configured on the client 06:29 < melvin> auth-nocache 06:29 < dazo> hmm 06:29 < melvin> you couldn't see it 06:30 < dazo> melvin: ahh .... that explains it :) 06:30 < dazo> melvin: okey, now I'm calm :) I should have asked for client config as well .... that's my lessons learned ;-) 06:30 < melvin> my failure was that: i thought with disabled cache its easier to see when connection broke 06:31 < dazo> melvin: well, you kind of were right ;-) 06:31 < melvin> so now i know a lot more about tls soft reset :-) 06:31 < dazo> melvin: I'm very happy you found the solution at least :) Nothing feels better than that :) 06:31 < dazo> heh 06:31 < melvin> thx so much :) 06:32 < dazo> melvin: you're mostly welcome! 
:) 06:32 < dazo> s/mostly/most/ 06:32 < melvin> :-) talk later 06:40 -!- brizly [n=brizly_v@p4FC991B8.dip0.t-ipconnect.de] has joined ##openvpn 06:41 < Wyk3d> !forum 06:41 < vpnHelper> Wyk3d: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 06:41 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 06:41 -!- brizly1 [n=brizly_v@p4FC9A198.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:46 -!- melvin [n=melvin@87.193.219.24] has quit ["leaving"] 06:48 -!- sq7obj [n=sq7obj@tiberium.net.pl] has joined ##openvpn 06:49 < sq7obj> hi. Anyone know how to set up tunnel to remote host which will redirect, for example, from port 12345 on that remote machine to port 666 on my PC? 06:50 < Wyk3d> i'm using the sample configuration with IPs mirrored and the same key to make a tunnel between two computers, http://pastebin.ca/1557053 is what i connect from the vista computer and http://pastebin.ca/1557054 is when connecting from xp .. any ideas ? 06:51 < Wyk3d> oh and the firewall is disabled on both computers ofc 06:51 < dazo> sq7obj: what you ask about is, is usually called port NATing 06:51 < dazo> sq7obj: on Linux, you use iptables to manage that 06:52 < dazo> Wyk3d: complete configs would be great .... 06:52 < dazo> !configs 06:52 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 06:52 < dazo> Wyk3d: ^^ 06:53 < dazo> (please remember the "grep" statement 06:53 < Wyk3d> dazo: as i said, sample with ips mirrored .. but ok, sec 06:53 < sq7obj> dazo: hm, can i make it with OpenVPN, or it's impossible? 06:54 < dazo> sq7obj: VPN is only to establish a secure private network over an insecure network link .... VPN does not do port forwarding like it seems like you're asking about 06:55 < sq7obj> mhm... ok, thanks dazo. 
06:55 < dazo> sq7obj: you can use openvpn in addition to port forwarding .... so that you have a remote public server which connects to your home computer via VPN ... then you can setup the remote server to forward the assigned ports to your local home computer 06:56 < reiffert> sq7obj: ssh can do that too 06:57 < Wyk3d> dazo: on vista i have http://pastebin.ca/1557062 and on xp http://pastebin.ca/1557064 06:57 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: phatfish 06:57 < sq7obj> reiffert: i know, but i can't do it because of current sshd config. Someone said to me that i can make it with OpenVPN, but i suppose that i need to talk to admin to change sshd config 06:58 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 06:58 < sq7obj> dazo: ok, thank you :) 06:59 < WormFood> so I can't use vpn to establish a secure private network over a secure network link? ;P 07:00 < WormFood> a vpn over a vpn....double secure! ;) 07:00 < Wyk3d> dazo: and with comments removed on xp http://pastebin.ca/1557070 and on vista http://pastebin.ca/1557072 07:01 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: mius, krzee, freaky[t], zuez, qknight 07:02 < dazo> WormFood: yeah, if you want to .... even three and four times, if you want to too .... depends on your definition of an insecure link ;-) 07:02 < thedoc> and really, what's the point of doing that? 07:02 < thedoc> and hello dazo. 07:02 < thedoc> o/ 07:03 < dazo> thedoc: heh .... depends on how paranoid you are .... 
and when you visited your psychiatrist the last time ;-) 07:04 < thedoc> dazo> Just imagine NSA's surprise if they find out that people do that :p 07:04 -!- mius [n=miusf@earthtomoon.net] has joined ##openvpn 07:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 07:04 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 07:04 -!- qknight [n=joachim@serverkommune.de] has joined ##openvpn 07:04 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 07:04 < dazo> thedoc: you know how 3DES encryption works? 07:04 < thedoc> dazo> Barely but I have some idea to it. 07:04 < dazo> thedoc: 3DES basically is DES encrypted with DES encrypted with DES ;-) (3 x DES) 07:05 < thedoc> Isn't it something like running the DES algorithm 3 times or something like that? 07:05 < thedoc> That's what I thought :p 07:05 < dazo> yeah 07:05 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood] 07:05 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 07:05 -!- sq7obj [n=sq7obj@tiberium.net.pl] has left ##openvpn ["Thanks again, bye."] 07:05 -!- phatfish [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has joined ##openvpn 07:06 < dazo> thedoc: if I would know for sure NSA was looking at my traffic .... I'd love to challenge them with a 5x openvpn link .... and even mix the encryption algorithms ;-) 07:06 < thedoc> dazo> The point of encryption was to just hold off the cracking of the cipher long enough till the data is rendered useless, no? :p 07:07 < dazo> thedoc: yeah .... but if you transfer documents you don't want to share with anyone? streaming video from one country to another is probably not worth it .... but just for fun :-P 07:07 * dazo wonders if he needs an appointment with a psychiatrist soon :-P 07:07 < WormFood> if you were worried about the possibility of one of your links being compromised, then that would provide another layer 07:08 < thedoc> dazo> I can understand documents but for data streams? 
07:08 < WormFood> you only need one secure layer to make your data safe 07:08 < dazo> WormFood: not safe .... safer .... nothing is absolutely safe 07:08 < thedoc> dazo> I would start worrying when they can break in real time. 07:08 < dazo> WormFood: if time is unlimited and CPU power is unlimited, nothing is safe at all 07:08 < thedoc> Until then, AES-256 <3 07:08 < dazo> yup! 07:09 < WormFood> i like to encrypt my data with rot13....and just for kicks, I double encrypt it, to make it double secure 07:09 < thedoc> Of course, if you get to the point where you're "interesting" enough, they'll probably arrest you and beat the shit out of you. 07:10 < dazo> lol 07:10 < thedoc> No real need to "break" silly encryptions 07:11 < dazo> WormFood: rot13 is not an encryption .... that's just a scrambler 07:11 < dazo> WormFood: encryption needs some kind of keys which you need to be able to decrypt the message .... rot13 don't need any keys, not last time I checked 07:12 < Wyk3d> dazo: so any idea what that might be ? anyone seen that WSAECONNRESET code 10054 before ? 07:13 < dazo> Wyk3d: ahh ... sorry ... no, I have no idea at all .... seems to be a Windows issue though ... not sure how many windows users hang out here, though .... it's a lot of BSD and Linux people here .... have you searched the mailing lists? 07:16 < Wyk3d> daze: well i typed WSAECONNRESET into the search box at http://sourceforge.net/mail/?group_id=48978 but no luck 07:16 < vpnHelper> Title: SourceForge.net: Mailing Lists for OpenVPN (at sourceforge.net) 07:17 < Wyk3d> *dazo 07:19 < dazo> Wyk3d: http://lmgtfy.com/?q=openvpn-users+WSAECONNRESET ;-) 07:20 < vpnHelper> Title: Let me google that for you (at lmgtfy.com) 07:20 -!- bauruine [n=bauruine@27-3.3-213.fix.bluewin.ch] has joined ##openvpn 07:23 < thedoc> This world needs to make encryption mandatory on all data streams. 07:25 < dazo> thedoc: nah ... that will just encourage all those agencies to get even more massive hardware for decryption .... 
let the world believe it is safe, and the enlightened ones use encryption instead ;-) 07:25 < thedoc> dazo> Maybe because I sell vpns :) 07:25 < thedoc> \o/ 07:32 < WormFood> double encrypting your VPN will make it harder to crack....not just a little harder, but much harder 07:32 < WormFood> I mean, to attack it from the outside, with brute force 07:33 < dazo> WormFood: agreed ... the more encryption layers you add, the safer the connection gets .... but it has to be a good encryption and not a scrambler, that was my point 07:33 < thedoc> WormFood> Existing ciphers are still unbreakable within a "reasonable" amount of time. 07:33 < thedoc> But certainly, it's a lot harder to break if you tunnel your vpn through another vpn. 07:39 < WormFood> dazo, let me introduce you to sarcasm 07:42 < WormFood> dazo, did you totally miss the point that if you use ROT13 twice, you get your plaintext 07:42 < WormFood> thedoc, using multiple layers of encryption is only more safe, when being attacked from the outside....IE, someone sniffing your traffic over wireless, or internet 07:43 < dazo> WormFood: heh ... of course .... 07:43 * dazo is too much dug into chats and work at the same time :) 07:43 < thedoc> WormFood> Yep. 07:44 < WormFood> BUT, if all of your layers are on one computer, if that computer gets compromised, then all your data is compromised 07:45 < WormFood> also, if you have multiple computers, doing multiple layers of encryption, it only takes the innermost layer to be compromised to get at all the data 07:45 < WormFood> anyways, the logistics of this stuff can be fun to think about sometimes. 
07:50 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 07:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 08:07 < Wyk3d> dazo: lol, turns out my problem was only that i had to connect on both computers not just one 08:08 < dazo> Wyk3d: you almost deserve to be kicked out of the channel for this one ;-) 08:10 < Wyk3d> just seemed counter intuitive to connect twice when one should connect and the other should listen 08:11 < Wyk3d> thought it has some service for listening, i did install it on the xp machine 08:11 < dazo> Wyk3d: you probably would need now to setup a server mode on the side you define as server .... then it will be more what you'd normally expect 08:12 < Wyk3d> i'm following the instructions in the OpenVPN book atm 08:12 < dazo> ahh :) 08:12 < dazo> enjoy! :) 08:15 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 08:20 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:29 -!- bauruine [n=bauruine@27-3.3-213.fix.bluewin.ch] has quit [Read error: 113 (No route to host)] 08:58 -!- ashley_ [n=ashley@188-23-64-16.adsl.highway.telekom.at] has quit ["Leaving"] 08:59 -!- jeiworth [n=jeiworth@189.177.249.221] has joined ##openvpn 09:12 -!- asdfasd is now known as brah 09:19 -!- jeiworth [n=jeiworth@189.177.249.221] has quit [Read error: 60 (Operation timed out)] 09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:04 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)] 10:04 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 10:05 < ivenkys> gents - question - i am running OpenVPN on a Linux box and am using the standard "up" script which essentially modifies /etc/resolv.conf - now one of the problems is , this means __every__ request now goes through the VPN , whereas i want only requests to the "internal" hosts should go via the 
VPN , any suggestions on how i can get this behavior 10:06 < ivenkys> i am using routed VPN btw 10:10 < ecrist> !all 10:10 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 10:10 < ecrist> actually 10:10 < ecrist> !configs 10:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:11 < ivenkys> ecrist: was that for me 10:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 10:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:31 < ecrist> yes, but I'm leaving now, sorry. 
10:44 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:45 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 10:47 -!- jeiworth [n=jeiworth@189.177.249.221] has joined ##openvpn 10:50 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 10:50 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:59 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 11:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 11:03 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Read error: 60 (Operation timed out)] 11:06 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 11:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:25 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 11:32 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 11:48 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 11:55 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:05 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit [Remote closed the connection] 12:07 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 12:08 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn 12:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:30 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 12:33 < gregd> alright, any updates on using openvpn on iphone (with the support of tunemu)? 
12:41 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Read error: 110 (Connection timed out)] 12:43 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 104 (Connection reset by peer)] 12:45 -!- nemysis_ [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has joined ##openvpn 12:52 < Wyk3d> is the security provided by certificates greater than shared keys in the case when p2p mode is used ? 13:04 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 13:04 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 13:10 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit ["No Ping reply in 90 seconds."] 13:12 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 13:23 -!- rgubler__ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 13:26 -!- gregd [n=gregd720@98.143.155.131] has quit [Read error: 110 (Connection timed out)] 13:36 -!- rgubler_ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 13:43 < krzee> Wyk3d, yes 13:52 < Wyk3d> how exactly ? 14:04 < krzee> if the shared key is found, all security breaks down 14:04 < krzee> if a cert is found, you add it to the CRL and keep going 14:05 < krzee> with certs you can use DH and a tls static key as well 14:05 < krzee> !hmac 14:05 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 14:05 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 14:05 < krzee> !dh 14:05 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 14:08 < rgubler__> hello, i am trying to resolve a problem i experienced yesterday morning. i can connect to my openvpn server fine when not behind a proxy. when i am behind a proxy it looks as though the client continuously sends requests to the server, but the server does not respond. ultimately the link fails due to TLS key negotiation timeout.. here is my configuration and logs: http://pastebin.com/d5f1a8143 14:08 -!- rgubler__ is now known as rgubler 14:08 < reiffert> define "a proxy" 14:09 < rgubler> http proxy that redirects internal connections to the internet 14:10 < rgubler> its not a socks proxy 14:11 < reiffert> Never ever heard about a proxy being able to redirect port tcp/443 connections. However it seems to be related to your problem. You cant do anything here. 14:11 < rgubler> i can connect via ssh over the proxy 14:12 < rgubler> and btw, tcp 443 is https port.. so it would make sense to be able to redirect to that port 14:12 < reiffert> openvpn uses HTTP CONNECT on proxies. Maybe that particular proxy blocks HTTP CONNECT calls. 14:13 < rgubler> i dont think so.. if you look at the log i posted it shows the connection being established. 
eventually the client displays the key locality information obtained from the server 14:13 < rgubler> it doesn't get any further though 14:13 < reiffert> you said: 14:13 < reiffert> " but the server does not respond. " 14:13 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 14:14 < reiffert> proxy logs and tcpdump will help. 14:15 < rgubler> true, sorry for the error. let me clarify "does not respond" to: the client successfully connects to the openvpn server, after exchanging some amount of data that is visible on both client and server, the connection is ultimately dropped due to TLS key negotiation timeout 14:15 < rgubler> unfortunately i dont have access to the proxy logs 14:50 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: krzie, brah, qknight, RexMundi_, nemysis_, _markus_, dazo, disco-, DigitalFlux-AFK, tarbo2_, (+44 more, use /NETSPLIT to show all of them) 14:54 -!- Netsplit over, joins: APTX|, nemysis_, BigJB_, bauruine, roentgen, nemysis, mikkel_, freaky[t], qknight, mius (+18 more) 14:54 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood] 14:55 -!- Netsplit over, joins: rgubler, kosmic, chinsan_, fkr, disco- 14:55 -!- zuez [n=sf@66.7.199.96] has joined ##openvpn 14:56 -!- Netsplit over, joins: hyper_ch, plaerzen, epaphus, garnser, Bushmills 14:56 -!- Netsplit over, joins: WormFood, master_of_master, HardDisk_WP, kaii, stephenh, pa, redfox 14:56 -!- zuez [n=sf@66.7.199.96] has quit [Excess Flood] 14:56 -!- zuez_ [n=sf@66.7.199.96] has joined ##openvpn 14:57 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 15:01 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 15:01 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn 15:01 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn 15:01 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn 15:01 -!- kn0x [n=pinochle@67.159.48.101] has joined ##openvpn 
15:01 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 15:01 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 15:01 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn 15:02 -!- Wyk3d [n=Wyk3d@cl-86-125-166-80.cablelink.mures.rdsnet.ro] has quit [Read error: 104 (Connection reset by peer)] 15:03 -!- Wyk3d [n=Wyk3d@cl-86-125-166-80.cablelink.mures.rdsnet.ro] has joined ##openvpn 15:03 -!- jeiworth [n=jeiworth@189.177.249.221] has joined ##openvpn 15:05 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: Optic, roentgen, RexMundi_ 15:07 -!- zuez_ [n=sf@66.7.199.96] has quit ["."] 15:15 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: jeiworth, DigitalFlux-AFK, chantra, xenophile7x7, kn0x, brah, kreg, jreno_, oc80z 15:17 -!- Netsplit over, joins: kreg, jeiworth, brah, xenophile7x7, DigitalFlux-AFK, kn0x, chantra, oc80z, jreno_ 15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:17 -!- RexMundi_ [n=RexMundi@77.95.99.166] has joined ##openvpn 15:17 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn 15:18 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: jeiworth, DigitalFlux-AFK, chantra, xenophile7x7, kn0x, brah, kreg, jreno_, oc80z 15:18 -!- Netsplit over, joins: jeiworth 15:18 -!- DigitalF1ux-AFK [n=DigitalF@98.142.211.26] has joined ##openvpn 15:18 -!- Netsplit over, joins: brah, jreno_ 15:18 -!- kreg [n=kreg@208.98.188.95] has joined ##openvpn 15:18 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 15:36 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn 15:36 < troy_> is there a way to use openvpn on my blackberry? 
16:03 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: krzie, Wyk3d, dazo, bauruine 16:03 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: DigitalF1ux-AFK, Pagautas 16:04 -!- Netsplit over, joins: bauruine 16:05 -!- Netsplit over, joins: Wyk3d, dazo, krzie 16:06 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn 16:10 < Wyk3d> krzee: thanks, though i'm guessing you'd use the CRL with a third party certificate authority which you need to pay for ? and if you have your own server for it with remote access you could just shut it down for example in case of key theft until you can change the key onsite .. 16:12 < Wyk3d> krzee: the security from hmac and DH sounds nice though 16:13 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has quit [Read error: 104 (Connection reset by peer)] 16:14 < Wyk3d> or rather, i've no use for DH, i don't want any key exchange to happen 16:15 < Wyk3d> .. unless it has benefits other than that 16:20 -!- jeiworth [n=jeiworth@189.177.249.221] has quit [Read error: 104 (Connection reset by peer)] 16:21 -!- jeiworth [n=jeiworth@189.234.76.184] has joined ##openvpn 16:25 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:09 -!- Wyk3d1 [n=Wyk3d@cl-86-125-162-131.cablelink.mures.rdsnet.ro] has joined ##openvpn 17:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:26 -!- Wyk3d [n=Wyk3d@cl-86-125-166-80.cablelink.mures.rdsnet.ro] has quit [Read error: 110 (Connection timed out)] 17:32 -!- Wyk3d1 [n=Wyk3d@cl-86-125-162-131.cablelink.mures.rdsnet.ro] has quit [Read error: 110 (Connection timed out)] 17:35 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:49 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 17:58 -!- rawDawg [n=rawDawg@76.188.26.242] has quit [Read error: 148 (No route to host)] 18:07 -!- troy_ [n=troy@mta-1.io.na.tauri.ca] has quit [Read error: 110 (Connection timed out)] 19:29 -!- yakischloba [n=jake@boss.shiftedlabs.com] has joined 
##openvpn 19:32 -!- jeiworth [n=jeiworth@189.234.76.184] has quit [Read error: 60 (Operation timed out)] 19:33 < yakischloba> I wasn't really able to discern by reading old forum threads - is there any tap driver that can be finagled into working with vista 64bit? 19:34 < yakischloba> s/forum/mailing list 19:37 < reiffert> yes. 19:37 < yakischloba> could you kindly direct me to it, and anything i might need to know to get it working? 19:39 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn 19:41 < reiffert> 2.1rc19 19:41 < reiffert> openvpn.net/download 19:41 < yakischloba> thanks. 19:42 < reiffert> yw 19:42 < reiffert> afk 19:54 -!- W0rmF00d [n=wormfood@218.17.254.175] has joined ##openvpn 19:55 -!- WormFood [n=wormfood@219.133.100.121] has quit [Nick collision from services.] 19:55 -!- W0rmF00d is now known as WormFood 20:04 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:31 -!- grouper [n=grouper@ip68-105-173-2.ga.at.cox.net] has joined ##openvpn 20:31 -!- grouper [n=grouper@ip68-105-173-2.ga.at.cox.net] has left ##openvpn [] 20:34 -!- Saberu [i=Oliver@125.81.159.193] has joined ##openvpn 20:34 < Saberu> ok i have a really easy question 20:34 < Saberu> which last time resulted in people telling me to FO more or less 20:34 < Saberu> where can I get a TUN/TAP virtual network driver for CentOS? 20:35 < Saberu> so i can use openvpn 20:36 < Saberu> here? http://vtun.sourceforge.net/tun/ 20:36 < vpnHelper> Title: Universal TUN/TAP driver (at vtun.sourceforge.net) 20:36 < Saberu> doesn't support 64bit arch? 
20:39 < Saberu> configure: error: Unsupported OS 20:47 < ecrist> Saberu: You'll need to contact the CentOS folks 20:47 < ecrist> it should be part of a standard kernel 20:52 < Saberu> it's not part of mine 20:53 < Saberu> cos mines an openvz container, and as you know they dont like supporting those 20:53 < ecrist> you will need to contact the CentOS folks 20:53 -!- epaphus [n=unix3@201.199.41.166] has quit ["Leaving"] 20:53 -!- jeiworth [n=jeiworth@189.163.170.81] has joined ##openvpn 21:11 -!- master_of_master [i=master_o@p549D4331.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:15 -!- master_of_master [i=master_o@p549D4368.dip.t-dialin.net] has joined ##openvpn 21:45 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has joined ##openvpn 23:00 -!- troy- [n=troy@mta-1.io.na.tauri.ca] has quit ["Leaving"] 23:05 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:26 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 113 (No route to host)] 23:31 -!- saberu2 [i=Oliver@125.81.163.192] has joined ##openvpn 23:32 < saberu2> well i've installed my server, trying to setup my client but where do i get the client key data from? 23:32 < saberu2> should the key be identical on server and client? 
23:34 -!- jeiworth [n=jeiworth@189.163.170.81] has quit [Read error: 60 (Operation timed out)] 23:37 < saberu2> ah seems to work now 23:39 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 23:39 -!- Saberu [i=Oliver@125.81.159.193] has quit [Read error: 110 (Connection timed out)] 23:43 -!- jeiworth [n=jeiworth@189.163.170.81] has joined ##openvpn 23:43 < saberu2> oh some problem 23:43 < saberu2> when i type build-key vpnhome 23:43 < saberu2> could not find C:\*.old 23:44 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 54 (Connection reset by peer)] 23:45 < saberu2> o nm 23:46 < saberu2> works now, i know what happened 23:47 < saberu2> unable to open private key ca.crt from keys folder :x 23:54 < saberu2> you must define KEY_DIR when trying to use sign-req 23:56 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 23:57 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn --- Day changed Tue Sep 08 2009 00:09 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:11 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 00:13 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 101 (Network is unreachable)] 00:15 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has quit [Remote closed the connection] 00:15 -!- fkr [i=fkr@news.bytemine.net] has quit [Read error: 60 (Operation timed out)] 00:15 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 00:15 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has joined ##openvpn 00:16 -!- |Mike|_ [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 113 (No route to host)] 00:29 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 00:33 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 00:45 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 00:46 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 60 (Operation timed 
out)] 00:48 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 00:51 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 113 (No route to host)] 01:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:05 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 01:08 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:23 -!- c64zottel [n=hans@p5B17AB83.dip0.t-ipconnect.de] has joined ##openvpn 01:23 -!- c64zottel [n=hans@p5B17AB83.dip0.t-ipconnect.de] has left ##openvpn [] 01:39 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Remote closed the connection] 01:39 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:28 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 02:51 -!- dazo [n=dazo@nat/redhat/x-vgvsdkqhyqebxvwp] has quit ["Leaving"] 02:59 -!- dazo [n=dazo@nat/redhat/x-eazrrndvqmlftkay] has joined ##openvpn 03:22 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 03:22 -!- kn0x [n=pinochle@67.159.48.101] has joined ##openvpn 03:26 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 03:26 -!- Isaacariah [n=shaft@193.62.43.1] has joined ##openvpn 03:27 < Isaacariah> hi there 03:27 < Isaacariah> got openvpn running at home in server mode, the adaptor isnt firewalled, my ports are all mapped etc, yet when i try to connect from a remote host, such as a machine at work, I get a bad encapsulation length error 03:27 < Isaacariah> ive been searching the web hours and i cant figure it out 03:28 < Isaacariah> the MTU on both my adapters are the same 03:28 < Isaacariah> ive tried the mtu commands in the config file on the server & 
client 03:28 < dazo> Isaacariah: you're using UDP or TCP? Even though UDP is prefered, sometimes, there are no way around using TCP, just because of firewalls on the way 03:29 < dazo> Isaacariah: normally openvpn sets up these MTU and link-mtu and all that automatically ... so try stripping that away first 03:29 < Isaacariah> im using TCP, my workplace uses a proxy 03:29 < dazo> Isaacariah: aha 03:29 < Isaacariah> now it may be worth mentioning something that occured to me 03:30 < Isaacariah> my workplaces web filtering uses their own certificates to intercept ssh traffic on web pages (secure sites and that) 03:30 < Isaacariah> that wouldnt be intefering would it? 03:31 < dazo> Isaacariah: then you'll need to increase logging on both server and client .... and look for the MTU values being setup .... but you have 2 levels of MTU settings, iirc .... one for the link layer between the openvpn connections (the encrypted layer) .... and one "device" based MTU value .... it's the former you most probably need to adjust to make equal on both sides 03:32 < dazo> Isaacariah: nah ... not sure about that .... the traffic is encrypted, and it should not be decrypted on the way .... as that's a real man-in-the-middle situation and not a end-to-end encryption then 03:32 < Isaacariah> dazo, can you elaborate on how I adjust those? i've got tun-mtu 1500 and tun-mtu-extra 32 in both my server and client configs 03:32 < dazo> Isaacariah: it might be good to try to use port 443 for openvpn ... 
to make sure the proxy understand this is not decodable traffic 03:33 < Isaacariah> already using 443 03:33 < Isaacariah> on the server 03:33 < Isaacariah> the proxies secure port is 8070 03:33 < dazo> very good :) 03:33 < Isaacariah> right looking through the logs 03:33 * dazo will look up some MTU docs 03:33 < Isaacariah> on the client now 03:34 < Isaacariah> i see tun_mtu = 1500, tum_mtu_defined = ENABLED 03:34 < Isaacariah> ill just logmein to the server and look there 03:34 < dazo> Isaacariah: there are two MTU settings .... --link-mtu and --tun-mtu ..... --tun-mtu is the one you'll leave untouched .... that's the MTU value of the tun interface .... it sounds like you're having issues with --link-mtu 03:34 < Isaacariah> ahh 03:35 < Isaacariah> well, under the tun_mtu i see the same values for link_mtu 03:35 < dazo> Isaacariah: if you setup your server and client to use --verb 4 .... you'll see more info .... and look for both mtu messages on both client and server 03:36 < Isaacariah> done that, looking now 03:36 < dazo> Isaacariah: then you'll see messages like "local uses xxx mtu, remote uses xxxx mtu" ..... and you'll need to then force both sides to use the same mtu .... I believe going for the lowest mtu value might be the best way 03:38 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 03:39 < Isaacariah> maybe worth in my configs setting the link-mtu to a lower value, 1000 or something? 03:40 < dazo> Isaacariah: have a look for those mtu messages in the logs .... it really says there what it is using .... bringing it too low, causes a lot of fragmentation of the packages, which again gives more overhead and a slower connection 03:40 < Isaacariah> ok 03:41 < dazo> Isaacariah: you want it as high as possible ... but also not higher than what the routers/firewalls in between likes ... 
and they could then refragment them somehow 03:41 < Isaacariah> I see 03:43 < Isaacariah> right aha progress 03:43 * dazo is curious :) 03:43 < Isaacariah> even though I've set the link-mtu in the config file, the log is still showing that the server is using link-mtu 1576 and that its expecting the remote to use the same 03:44 < Isaacariah> even though in both config files iv've put link-mtu 1000 03:44 < Isaacariah> in the local options string 03:47 < dazo> you need to set this on both sides .... both on server and client 03:47 < dazo> ahhh 03:47 * dazo should read all lines before answering clever answers :-P 03:47 < dazo> hmm 03:48 < Isaacariah> right 03:48 < Isaacariah> now its changed 03:48 < Isaacariah> link-mtu is now showing as 1000 and tun-mtu is showing as 956 on the client 03:48 < Isaacariah> same on the server... 03:48 < Isaacariah> lower again? 03:49 < dazo> that's normal ... because of some overhead 03:49 < dazo> but 03:50 < dazo> might be you need --mssfix 03:51 < Isaacariah> already set on the server to 1400... needed on the client too? 03:52 < Isaacariah> no that didnt work] 03:53 < dazo> yeah, as long as you have a wrong mtu value ... it should be set to the same on both sides 03:53 < Isaacariah> hm 03:53 < Isaacariah> gah, must get back to work, people calling 03:53 < Isaacariah> thanks for your help dazo 03:54 < Isaacariah> bbl 03:54 < dazo> Isaacariah: no prob! c'ya! 03:57 < dazo> ecrist: krzee: Is this a link which could be useful for inclusion in some how-to urls? http://www.linuxconfig.org/VPN_-_Virtual_Private_Network_and_OpenVPN ... 
just skimmed it, looks good at first sight 03:57 < vpnHelper> Title: VPN - Virtual Private Network and OpenVPN (at www.linuxconfig.org) 04:15 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 04:25 -!- Isaacariah [n=shaft@193.62.43.1] has quit [Remote closed the connection] 04:43 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 04:49 -!- saberu2 [i=Oliver@125.81.163.192] has quit [Read error: 110 (Connection timed out)] 04:49 -!- saberu2 [i=Oliver@125.81.155.8] has joined ##openvpn 05:08 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Client Quit] 05:15 -!- jeiworth [n=jeiworth@189.163.170.81] has quit [Read error: 110 (Connection timed out)] 05:18 -!- saberu2 [i=Oliver@125.81.155.8] has quit [Read error: 145 (Connection timed out)] 05:20 -!- saberu2 [i=Oliver@125.81.155.8] has joined ##openvpn 05:21 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn 05:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:08 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 06:28 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 06:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:31 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn 06:39 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 06:40 -!- brizly [n=brizly_v@p4FC991B8.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:41 -!- brizly [n=brizly_v@p4FC9A2C4.dip0.t-ipconnect.de] has joined ##openvpn 07:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 07:00 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 07:41 -!- Koper`` [n=koper@93.33.235.230] has joined ##openvpn 07:42 < Koper``> Hi, i have a problem with openvpn.. 
when my friend connects i get disconnected, and vice-versa 07:42 < Koper``> neither of us can stay connected at the same time 07:43 < thedoc> Working as intended. 07:43 < thedoc> Use a different name. :D 07:43 < Koper``> A different name? 07:43 < Koper``> What do you mean? 07:43 < thedoc> Hang on, let me find the right term for it. 07:43 < thedoc> I can't recall offhand. 07:44 < thedoc> Koper``> Are you logging in using a user/pass? 07:44 < thedoc> or via certs? 07:44 < Koper``> Via certs 07:44 < thedoc> Are you using the same common name? 07:45 < thedoc> That might be a problem, i *think* 07:45 < Koper``> No 07:56 < Koper``> Any ideas? 07:56 < Koper``> It's really making me waste a lot of time and getting on my nerves :/ 08:00 < thedoc> Koper``> Sorry, none at the moment. 08:03 -!- Jari-- [n=vai@81.90.68.28] has joined ##openvpn 08:03 < Jari--> hi 08:03 < Jari--> I am reading http://wiki.debian.org/HowTo/openvpn :"On the client, create a new /etc/openvpn/tun0.conf file and add the following: remote 10.15.108.(servers's X)" --> what is server's X? 08:03 < vpnHelper> Title: HowTo/openvpn - Debian Wiki (at wiki.debian.org) 08:04 < thedoc> Probably the ip of the server. 08:05 < Jari--> my server box? 08:06 < _markus> yes 08:06 < _markus> remote x.x.x.x is the address of your openvpn server. 
08:06 -!- nemysis_ [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has quit ["Leaving"] 08:07 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 08:07 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:08 -!- Koper`` [n=koper@93.33.235.230] has quit [] 08:11 -!- misterbean is now known as nemysis_ 08:11 -!- zu [n=zu@bucketheaded.eu] has quit [Remote closed the connection] 08:12 < dazo> Jari--: --remote in a openvpn config is the server you want to connect to 08:13 < dazo> Jari--: man openvpn will give you plentiful info about those config options 08:20 -!- jeiworth [n=jeiworth@189.163.170.81] has joined ##openvpn 08:23 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 08:23 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 08:28 -!- RexMundi_ [n=RexMundi@77.95.99.166] has quit [Read error: 104 (Connection reset by peer)] 08:32 -!- c64zottel [n=hans@p5B17AB83.dip0.t-ipconnect.de] has joined ##openvpn 08:32 -!- c64zottel [n=hans@p5B17AB83.dip0.t-ipconnect.de] has left ##openvpn [] 08:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:48 < Optic> moo 09:00 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"] 09:15 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has joined ##openvpn 09:18 -!- ivenkys_ [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 09:26 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Connection timed out] 09:32 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit ["Leaving"] 09:33 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 09:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 09:39 -!- jeiworth [n=jeiworth@189.163.170.81] has quit [Success] 09:56 -!- rgubler [n=rob@99.36.114.69] has joined ##openvpn 10:01 -!- jeiworth [n=jeiworth@189.163.170.81] has joined ##openvpn 10:12 -!- zuez [n=sf@catalyst.httpd.org] has joined 
##openvpn 10:15 -!- saberu2 [i=Oliver@125.81.155.8] has quit [Read error: 60 (Operation timed out)] 10:23 < nemysis_> what is best 10:24 < nemysis_> Router for openvpn Netgear for Adsl 10:28 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 10:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:31 < ecrist> your question doesn't make sense. 10:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:37 -!- rgubler [n=rob@99.36.114.69] has quit [Read error: 145 (Connection timed out)] 10:41 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Read error: 110 (Connection timed out)] 10:46 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:50 < krzee> that was a question? 10:51 < krzee> he would do bad in jeopardy 11:02 * |Mike| humps krzee 11:08 < zuez> krzee: That tutorial you wrote up on inter-LAN routing works solid 11:08 < zuez> krzee: I only have one more hurdle that I'm attempting to jump through 11:09 < zuez> I have three LANs, home/office/colo, when I connect from home or colo, I can route to the office np 11:10 < zuez> but when I connect to the VPN from the office, it tries to push the office route as well, have to manually remove the route 11:10 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 11:10 < zuez> I need to be able to do 'conditional routing', get specific routes pushed only when I'm at a particular location and not another 11:28 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 11:35 < krzee> can you use diff certs when in the office or not? 
11:35 < krzee> certs 11:35 < krzee> if so, move the push routes to a ccd entry (or remove the push and put them in client configs) 11:36 < krzee> that way you handle it based on common-name, nice and easy 11:36 < krzee> that way when you connect from office you could even use the office LAN ip in the config that uses the inside-cert 11:37 < krzee> if thats unacceptable, you could create a script (see scripts section in manual) to remove the route for you automatically if you are inside the office (which you can easily figure out inside the script) 11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:56 -!- melvin [n=melvin@port-87-193-219-24.static.qsc.de] has joined ##openvpn 11:57 < melvin> Hi. 11:58 < melvin> does anybody know why smb transfer is much slower than for example scp transfer? 11:59 < krzee> smb is a sucky protocol that was never made to work well over the internet 11:59 < melvin> no way to speed it up? 12:00 < krzee> *shrug* i just dont use it 12:00 < krzee> im sure if you learn about smb and whatnot you could find ways to tune it 12:00 < krzee> or so i assume 12:03 < ecrist> odd, usually SMB transfers are faster than scp. 12:04 < krzee> ecrist, seriously? 12:04 < krzee> that would very much contradict everything i read people saying 12:05 < melvin> for me scp 5x faster then smb 12:06 < krzee> ecrist, note, talking about over the internet, not LAN 12:08 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:14 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 12:17 < ecrist> hrm. 
12:18 * ecrist tests 12:34 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 12:38 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has joined ##openvpn 12:40 < orbisvicis> i have a bridged server, and openvpn pushes out the ifconfig parameters to configure the tap0 interface on the client 12:40 < orbisvicis> but it doesnt set any gateway or nameserver information 12:41 < ecrist> is it supposed to? 12:41 < orbisvicis> i dont want a default route set ... but I need to query over my tap0 interface to find either the gateway address or the nameserver address 12:42 < orbisvicis> so name resolution works 12:42 < ecrist> ok, gateway and default route are the same, fwiw 12:43 < ecrist> krzee: here's some interesting information for you 12:44 < ecrist> via LAN a 100M file generated with dd if=/dev/zero bs=1024 count=102400 12:44 < orbisvicis> is gateway address always == dhcp server ? 12:44 < ecrist> via SCP: 0:58.21 12:44 < ecrist> via Apple File Sharing: 1:01.82 12:45 < ecrist> via Samba: 0:58.12 12:45 < ecrist> for Apple File Sharing and Samba, the share was pre-mounted for the copy 12:45 < ecrist> the scp binary was used for all three copy operations 12:45 < krzee> interesting 12:46 < krzee> thats over inet, correct? 12:46 < krzee> if so, i stand corrected 12:47 < orbisvicis> also, im assuming openvpn talks to a dhcp server via br0 to lease an ip, so it could pass that information to the client. 12:47 < krzee> but also interested in knowing if its over bridge (netbios) with wins, dns, or ip 12:47 < krzee> since i think that could also have an impact 12:47 < ecrist> internet is going to slow both down, and I don't do samba over the internet. 
;) 12:47 < krzee> ohhhh 12:48 < krzee> ok, my statement was only about over inet 12:48 < krzee> i dont think its an = slowdown 12:48 < krzee> at least not from my reading 12:48 < ecrist> TCP/IP is TCP/IP 12:48 < krzee> smb was made for lan use, performs poorly over slower links 12:48 < ecrist> they're all connected to via IP 12:48 < krzee> poorly as compared with other protocols 12:48 < krzee> from my reading 12:49 < ecrist> I can simulate a slow link with scp 12:49 < krzee> try those same tests over vpn as opposed to lan 12:49 < krzee> see if findings hold up 12:49 < ecrist> ok, I'm going to use a 10M file, instead, though. 12:49 < krzee> (assuming boredom) 12:50 < ecrist> not bored, interested in this topic 12:50 < krzee> ya, 10mb makes much more sense for that one ;] 12:51 < ecrist> I'll have to perform test tomorrow 12:51 < krzee> werd 12:51 < krzee> if im right, would be a good topic for wiki 12:51 < ecrist> I don't want to fight with command line on freebsd to get AFP and Samba clients working on my web server. 12:51 < ecrist> :) 12:52 < ecrist> I replied to your PMs, btw 12:52 < krzee> yup, saw 12:52 < krzee> that idea is good to 12:52 < krzee> too 12:52 < ecrist> which do you prefer? the forum gets a *lot* of spam 12:53 < krzee> your idea 12:53 < krzee> possibly with option to approve / deny from irc 12:53 < krzee> but that might be extra code that isnt really needed 12:53 < krzee> i guess that depends how easily coded it is 12:54 < krzee> s/might be/is/ 12:54 < ecrist> wow, interesting, someone posted a seemingly relavent post, with the spam hidden within a link on their signature. 12:54 < ecrist> tsk tsk 12:54 < krzee> hah, gettin tricky 12:55 < orbisvicis> well, if i set a 192.168.1.0/24 route with a gateway of 192.168.1.1 it really isnt a default route .. 12:56 < orbisvicis> in any case, I dont want to modify the routes, I want the dhcp/dns server addresses 12:57 < ecrist> krzee: if the bot is on my network, it would be pretty trivial, really. 
The bot could have direct access to the database, and approving a post is as simple as changing one column in the table. there's more the bb code does (logging, etc) but it's not needed. 12:57 < krzee> oh good point! 12:57 < ecrist> although, it wouldn't be that difficult to code the bot to go in via the website and submit the form, either. 12:58 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 104 (Connection reset by peer)] 12:59 < ecrist> orbisvicis: you seem to be assuming a lot 13:00 < ecrist> dhcp server != gateway in all cases 13:00 < ecrist> though, they *can* be the same. 13:00 < ecrist> openvpn does not talk to the dhcp server to lease addresses. 13:00 < ecrist> I would suggest reading the man page for OpenVPN search for DHCP OPTION on that page. 13:01 < krzee> server-bridge can take dhcp as an option as well 13:01 < krzee> as you'll see in manual 13:03 < orbisvicis> !man 13:03 < vpnHelper> orbisvicis: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:11 < zuez> krzee: Makes sense to go the path of deleting a route once connected from a particular LAN. Hopefully there's a cross platform way of removing the route.. 13:12 < orbisvicis> ok, so when openvpn generated an ip for the client, the client ip appeared on the dhcp server through some broadcast mechanism? 13:13 < orbisvicis> it might be better if I use server-bridge dhcp <- manual hints it only works on windows, that true ? 13:14 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit ["Restarting"] 13:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:16 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has joined ##openvpn 13:29 < orbisvicis> is it possible that dhcp via server-bridge is not available in 2.1r7 ? 
13:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:30 < ecrist> how about using 2.1rc19, to begin? 13:30 * orbisvicis working on it 13:50 * ecrist is a sad panda 13:50 < ecrist> mirror/minerva DEGRADED ad6 14:00 < orbisvicis> still compiling libssl... 14:01 < orbisvicis> hopefully dhcp works, and the dhcp client updates the namerserver in resolv.conf and doesnt screw up the routes 14:01 < orbisvicis> otherwise i can: edit resolv.conf using up/down openvpn scripts ? 14:01 < orbisvicis> manual dhcp broadcast to find nameserver address .. ? 14:02 < orbisvicis> ^ for last, any programs to do that ? 14:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:36 < ecrist> now you're getting the idea. ;) 14:41 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:43 < Dougy> krzie: there ? 14:48 -!- tefen [i=slim@c-68-62-2-82.hsd1.mi.comcast.net] has joined ##openvpn 14:48 < tefen> !logs 14:48 < vpnHelper> tefen: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 14:48 < tefen> !configs 14:48 < vpnHelper> tefen: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:48 < tefen> Anyone here that uses openvpn on a linux server and then connects to it from win32 using the win32 gui around? 14:52 -!- tefen [i=slim@c-68-62-2-82.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 14:54 -!- tefen [i=slim@68.62.2.82] has joined ##openvpn 14:55 < tefen> Sorry my mirc crashed, did any one answer? 14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:01 < _markus> tefen: wats the problem? 15:02 < tefen> I am just wondering if something is able to be done, and HOW.. 
like where is the documentation on something like this:::: 15:02 < tefen> I want to only use the VPN on my win32 system to forward specific host:port address through the vpn tunnel to my server 15:03 < tefen> but not use the VPN for all my traffic on my win32 box 15:03 < tefen> is this possible? how? where can i read more? (specific links please) 15:03 < tefen> i'm a total linux noob with this stuff 15:04 < tefen> I'm really hoping for some guidance here 15:04 < tefen> to tell you the truth 15:08 < tefen> Please :) 16:02 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 16:04 < |Mike|> it's stated in the manual tefen 16:04 < tefen> i can't find it :( 16:05 < tefen> i've got openvpn running on my server and i'm connectd to it from my win32 box via the open vpn gui 16:06 < tefen> but when i bind my "local vpn" ip to the application 16:06 < tefen> it does not work 16:06 -!- kn0x [n=pinochle@67.159.48.101] has left ##openvpn [] 16:09 < |Mike|> indeed. 16:09 < |Mike|> !howto 16:09 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:20 < orbisvicis> can networkmanager do dhcp over bridge/tap0 ? 16:20 < orbisvicis> doesnt seem to work atm 16:20 < Dougy> er 16:20 < Dougy> orbisvicis 16:20 < Dougy> !ubuntu 16:20 < vpnHelper> Dougy: "ubuntu" is dont use network manager! 16:21 < Dougy> ^ 16:22 < Dougy> ecrist: forum is getting a lot of traffic ths month 16:24 < orbisvicis> Dougy: nm is convenient b/c it doesnt require sudo and its flexible .. 16:25 < orbisvicis> what instead 16:25 < Dougy> orbisvicis: command line 16:25 < Dougy> the proper way 16:27 < orbisvicis> flexible = detects and connects automatically to new/previous wireless points 16:27 < orbisvicis> hard to script without user interaction 16:28 < orbisvicis> and is it possible to automate "command line" to no use sudo ? 16:29 < orbisvicis> whatever, but isnt a tap0 interface via openvpn equivalent to any eth0 interface ? 
16:29 < orbisvicis> ie i can run dhcpcd on either 16:29 < orbisvicis> dont see any reason nm cant treat tap0 like eth0 16:33 < |Mike|> i dislike control panels in general, and i fucking lynch the people behind it *gnarf* 16:33 -!- mikkel [n=mikkel@84.238.113.66] has quit [Read error: 131 (Connection reset by peer)] 16:34 < |Mike|> nm stand for ? 16:34 < orbisvicis> networkmanager 16:35 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has quit ["leaving"] 16:35 < |Mike|> use the command line :) 16:44 < orbisvicis> other reason not to is dhcpcd overwrites nm's /etc/resolv.conf 16:44 -!- aditsu [n=aditsu@pcd449157.netvigator.com] has joined ##openvpn 16:44 < orbisvicis> better to do everything in nm :) 16:45 < aditsu> hi, is it possible to run some custom commands automatically after starting an openvpn connection? 16:47 < orbisvicis> from the server, see --push. from the client, see up/down 16:47 < orbisvicis> better yet, see manual: "SCRIPTING AND ENVIRONMENTAL VARIABLES" 16:48 < orbisvicis> so, maybe something with the tap0 adapter is missing so network manager cant use it ? 
16:49 < aditsu> ok thanks 16:50 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection] 17:10 -!- tefen [i=slim@68.62.2.82] has left ##openvpn [] 17:12 -!- aditsu [n=aditsu@pcd449157.netvigator.com] has left ##openvpn [] 17:21 -!- racan [n=racan@174-17-87-184.phnx.qwest.net] has joined ##openvpn 17:22 -!- racan [n=racan@174-17-87-184.phnx.qwest.net] has left ##openvpn [] 17:28 < bauruine> !forum 17:28 < vpnHelper> bauruine: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 17:51 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 18:09 -!- kreg [n=kreg@208.98.188.95] has quit [Remote closed the connection] 18:30 -!- phatf1sh [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has joined ##openvpn 18:44 -!- phatfish [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 18:45 -!- Bushmills [n=nnnnnnl@verhau.de] has quit ["Terminated with extreme prejudice - dircproxy 1.0.5"] 18:50 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn 18:56 -!- W0rmF00d [n=wormfood@219.133.100.13] has joined ##openvpn 19:01 -!- WormFood [n=wormfood@218.17.254.175] has quit [Read error: 60 (Operation timed out)] 19:07 -!- BingO [i=BingO_@wlan-s-39.hh.se] has joined ##openvpn 19:07 < BingO> Hi room ..!! 19:07 < BingO> i installed OPENVPN with webmin on Centos 5.3 19:08 < BingO> is it any type of guide or tutorial for setup openvpn on webmin ?? 
19:32 -!- W0rmF00d is now known as WormFood 19:33 -!- BingO [i=BingO_@wlan-s-39.hh.se] has left ##openvpn [] 19:38 < Dougy> oh hey 19:38 < Dougy> he left 19:54 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 19:56 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 20:29 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)] 20:29 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 20:35 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 20:40 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.2/20090729225027]"] 20:59 < ecrist> Dougy: yes, btw, I reorganized the forum 21:00 < thedoc> !forum 21:00 < vpnHelper> thedoc: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 21:00 < Dougy> ello 21:00 < Dougy> ecrist: i saw that 21:00 < Dougy> it blew my mind 21:00 < Dougy> thedoc: hi 21:01 < ecrist> o.O 21:01 < Dougy> i pulled it up and was like 21:01 < Dougy> what the hell.. coooooooooool! 21:01 < Dougy> lol 21:03 < ecrist> I added a few topics and some icons... 21:03 < thedoc> Dougy> o/ 21:04 < Dougy> ecrist: huge increase in traffic this mo 21:05 < Dougy> on pace for over 2300 uniques this mo 21:05 < Dougy> 1k more than last 21:05 < ecrist> yeah, all of it spam 21:05 < Dougy> shh 21:05 < ecrist> Dougy: I don't know where you're getting your stats, but I show 568 unique IPs, as opposed to 1339 last month. 21:05 < Dougy> 568 so far 21:06 < Dougy> 1 week of mo done 21:06 < Dougy> * 4 weeks 21:06 < Dougy> 568*4 = almost 2300 21:06 < Dougy> plus a few days.. 2300-2400 21:06 < ecrist> conjecture 21:07 < ecrist> if you look at stats from last month, there were as many days over 100 as this month so far. 
21:07 < ecrist> otoh, school is in session, so there are going to be some college students trying to setup vpns for the video game and torrent enjoyment. 21:08 < Dougy> dont know what otoh means 21:08 < Dougy> but yes this is tur 21:08 < Dougy> true 21:08 < ecrist> on the other hand 21:11 -!- master_of_master [i=master_o@p549D4368.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:14 -!- master_of_master [i=master_o@p549D42FB.dip.t-dialin.net] has joined ##openvpn 21:35 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn 21:35 < ryanrhee90> hi all 21:36 < ryanrhee90> i have openvpn set up on my server, and i can authenticate into it from home. however, i lose internet when i open the tunnel. why does this happeN? 21:37 < ryanrhee90> hi, anyone here? 21:37 < ryanrhee90> !route 21:37 < vpnHelper> ryanrhee90: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 21:38 < ryanrhee90> !logs 21:38 < vpnHelper> ryanrhee90: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 21:40 < rgubler> i resolved my TLS timeout problem... it was being caused by my uniqie configuration i was using to test my openvpn connection that is never likely to be used ever.. except for the purpose of that test.. I was VPN'd into a network, then, from the same box, I OpenVPN'd into the network I setup over the http proxy. i suspect the problem is the MTU of the client side.. 
never found an MTU that worked, but doesn't much matter since 21:48 -!- pif [n=ldm@zenon.apartia.fr] has quit [Read error: 60 (Operation timed out)] 21:48 -!- pif [n=ldm@zenon.apartia.fr] has joined ##openvpn 22:23 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 22:23 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit ["leaving"] 22:24 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 22:26 < techqbert> I recently reissued keys on my machine and now my mac client gets 10.8.0.18 until my ubuntu client gets issued 10.8.0.18. why does my openvpn server issue same IP to two separate machines 22:39 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"] 23:01 < techqbert> Common name attribute of the client keys made the difference. I had them all as the same name mistakenly. 23:59 -!- tarbo2_ [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)] --- Day changed Wed Sep 09 2009 00:04 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 00:11 -!- orbisvicis [n=orbisvic@207-172-176-168.c3-0.smt-ubr1.atw-smt.pa.cable.rcn.com] has quit [Read error: 113 (No route to host)] 00:23 -!- creativehavoc [i=creative@66.183.136.88] has joined ##openvpn 00:24 < creativehavoc> !howto 00:24 < vpnHelper> creativehavoc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:28 -!- creativehavoc [i=creative@66.183.136.88] has left ##openvpn [] 00:28 -!- creativehavoc [i=creative@66.183.136.88] has joined ##openvpn 00:29 < creativehavoc> hello? 
00:32 -!- c64zottel [n=hans@p5B17AE3E.dip0.t-ipconnect.de] has joined ##openvpn 00:33 -!- c64zottel [n=hans@p5B17AE3E.dip0.t-ipconnect.de] has left ##openvpn [] 00:35 -!- creativehavoc [i=creative@66.183.136.88] has left ##openvpn [] 00:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:40 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 00:43 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 01:32 -!- rgubler_ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 01:39 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:44 < misse-> is it possible to have to simultaenous vpn connections active with openvpn? the prolem I'm facing now is that I don't have an available tap adapter 01:46 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 113 (No route to host)] 01:57 < reiffert> yes it's possible. just start another openvpn instance. 01:57 < reiffert> openvpn --mktun --dev tap0 02:23 -!- rgubler_ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 60 (Operation timed out)] 02:30 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:41 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn 02:43 -!- melvin [n=melvin@port-87-193-219-24.static.qsc.de] has quit ["leaving"] 02:53 < krzee> !tunortap 02:53 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 03:14 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn 03:37 < thedoc> Anyone knows if openvpn works with ipv6 yet? 
03:38 < krzee> not over ipv6 encapsulated tunnel
03:38 < krzee> but i just scored some broker scripts for use over ovpn
03:38 < krzee> from the maillist
03:39 < thedoc> krzee> You mean, not through a 4to6 tunnel?
03:39 < thedoc> But if you're saying like, client (ipv4) > (ipv4) server (ipv6) > internet
03:39 < thedoc> That works?
03:40 < krzee> aye
03:40 < thedoc> Aye, thanks.
03:40 < thedoc> krzee> Looking into implementing that for users :D
03:40 < krzee> cool lemme toss the scripts up
03:40 < thedoc> krzee> Please do <3
03:41 < thedoc> It's really for waving the epeen around.
03:41 < thedoc> lol
03:41 < krzee> ;]
03:46 < krzee> www.ircpimps.org/join-0.8.tar
03:47 < krzee> !mail
03:47 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
03:47 < thedoc> krzee> What script is that?
03:50 < krzee> !ipv6
03:50 < vpnHelper> krzee: "ipv6" is http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker
03:52 < krzee> !learn ipv6 as Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar
03:52 < vpnHelper> krzee: Joo got it.
03:52 < krzee> i have not looked at the scripts at all
03:52 < krzee> dont plan on it either, i dont use ipv6
03:52 < krzee> but there they are =]
04:20 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
04:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
04:59 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
05:08 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:38 -!- hyper__ch [n=hyper@adsl-89-217-80-123.adslplus.ch] has joined ##openvpn
05:39 -!- hyper_ch [n=hyper@adsl-89-217-80-123.adslplus.ch] has quit [Nick collision from services.]
05:39 -!- hyper__ch is now known as hyper_ch
05:39 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: plaerzen, tarbo2
05:47 -!- ivenkys_ is now known as ivenkys
05:50 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
05:50 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
06:04 -!- thedoc [n=zing@38.108.110.110] has joined ##openvpn
06:15 -!- rapha [i=rapha@unaffiliated/rapha] has joined ##openvpn
06:15 < rapha> Hi!
06:16 < rapha> I'm trying to follow http://www.openvpn.net/index.php/open-source/documentation/howto.html but the first command ("./vars") already gives me "./vars: line 29: /etc/openvpn/easy-rsa/2.0/whichopensslcnf: No such file or directory" - what am I doing wrong?
06:16 < vpnHelper> Title: HOWTO (at www.openvpn.net)
06:16 < rapha> huh, yeah...
06:19 < |Mike|> you might want to open that script
06:19 < |Mike|> and read the line where "WICHopensslCNF (config)" is located
06:20 < |Mike|> you need to define which config you're going to use to generate your client/server keys
06:20 < |Mike|> puppet -v -o
06:20 < |Mike|> o crap, wrong terminal
06:21 < rapha> the only line referring to that in vars is "export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`"
06:21 < rapha> and i searched my entire system; i don't have a file "whichopensslcnf" anywhere
06:21 < |Mike|> haha
06:21 < |Mike|> may i please quote you to bash.org ? :)
06:21 < rapha> oh if it's funny i'll laugh along :)
06:21 < rapha> er
06:22 < |Mike|> let me grab the vars script. sec.
06:22 < rapha> are you telling me this is supposed to be $(which openssl.cnf) or something?
06:22 < rapha> sure
06:22 < rapha> 2.1 rc15 is the version in the OpenBSD ports tree, which i have here
06:23 < |Mike|> # This variable should point to
06:23 < |Mike|> # the openssl.cnf file included
06:23 < |Mike|> # with easy-rsa.
06:23 < |Mike|> export EASY_RSA="`pwd`"
06:24 < rapha> interesting; the -rc19 tarball does contain a file called "whichopensslcnf"
06:24 < |Mike|> /usr/local/etc/openvpn/easy-rsa/2.0
06:24 < |Mike|> -rwxr-xr-x 1 root wheel 190 Jun 6 18:03 whichopensslcnf
06:24 < rapha> yeah; dont have that
06:25 < rapha> ill try with the one from the -rc19 tarball
06:25 < |Mike|> http://pastie.org/610884
06:27 < |Mike|> put that there :)
06:28 < rapha> thanks - working now :-)
06:33 < |Mike|> np.
06:37 < |Mike|> hmz, i'm lookin for a http loadbalancer which handles "health checks" as well
06:37 < |Mike|> stunnel with haproxy == fail
06:40 < |Mike|> (silence . . . )
06:41 < rapha> didnt lighttpd do that?
06:44 < |Mike|> nope
06:56 -!- brizly [n=brizly_v@p4FC9A2C4.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:57 -!- brizly [n=brizly_v@p4FC99FAE.dip0.t-ipconnect.de] has joined ##openvpn
06:59 < rapha> looks like openvpn is b0rked on openbsd ... "ifconfig: SIOCIFDESTROY: Invalid argument" and other stuff like that on startup
07:01 < |Mike|> what did you do ?
07:01 < reiffert> play with 2.0.6
07:13 < rapha> okay, I have the openvpn server running now, and it's listening on 1194, which I've verified from the client using nmap, but when I try to connect nothing happens
07:14 < |Mike|> lol
07:14 < |Mike|> did you generate the certificates
07:14 < |Mike|> ?
07:14 < |Mike|> !tls-auth
07:14 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
07:14 < |Mike|> ^check that as well
07:32 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
07:38 -!- [BIOS]Hrishi [n=[BIOS]Hr@121.243.61.82] has joined ##openvpn
07:38 < [BIOS]Hrishi> hey guyz
07:39 < [BIOS]Hrishi> need help over here
07:39 < [BIOS]Hrishi> i have a openvpn server set up
07:39 < ecrist> ok
07:39 < [BIOS]Hrishi> how do i configure it to give client ip's in the /16 range?
07:39 < [BIOS]Hrishi> its giving it in /24 range only
07:39 < ecrist> tell the openvpn server to give in the /16 range
07:39 < ecrist> what is your 'server' line in your server config?
07:40 -!- bauruine [n=bauruine@92.105.159.93] has joined ##openvpn
07:40 < [BIOS]Hrishi> i need it to give out ip's like 10.1.x.2
07:40 < [BIOS]Hrishi> server 10.1.0.0 255.255.0.0
07:40 < [BIOS]Hrishi> is this correct?
07:40 < ecrist> yep, looks like it to me.
07:40 < [BIOS]Hrishi> it still gives me in the /24 range
07:41 < ecrist> I'm not following what you mean.
07:41 < [BIOS]Hrishi> it should give out ip's like 10.1.1.1, 10.1.2.1
07:41 < ecrist> you can't do that
07:41 < [BIOS]Hrishi> y?
07:41 < [BIOS]Hrishi> there are people who have done it
07:42 < ecrist> you can't do that with OpenVPN alone, you'd need a custom script to hand out the ips, or statically assign them.
07:42 < [BIOS]Hrishi> how do i statically assign them?
07:42 < ecrist> have you read the man page?
07:43 < ecrist> !static
07:43 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
07:44 < [BIOS]Hrishi> thanks man, i'll look into it and come back if there is a problem
07:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:48 -!- [BIOS]Hrishi [n=[BIOS]Hr@121.243.61.82] has quit ["Ex-Chat"]
07:59 -!- hrishi_ [n=hrishi@121.243.61.82] has joined ##openvpn
08:00 < hrishi_> hey guyz ...
08:00 < hrishi_> i had reported a problem previously
08:00 < hrishi_> about /24 and /16 range in openvpn server
08:00 < hrishi_> its still not working
08:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:01 < hrishi_> the 'server' line in openvpn.conf is "server 10.1.0.3 255.255.0.0" ... and it says network/netmask combination is invalid
08:01 < hrishi_> any suggestions??!!
08:02 < ecrist> yes
08:02 < hrishi_> if i try "server 10.1.0.0 255.255.0.0", it still gives assigns ip'
08:02 < ecrist> read the man page
08:02 < ecrist> !man
08:02 < hrishi_> ip's in the /24 range
08:02 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:02 < ecrist> and howto
08:02 < ecrist> !howto
08:02 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:02 < ecrist> I told you what to do, please do it.
08:06 < Optic> mooo
08:13 -!- dnivra [n=bios@121.243.61.82] has joined ##openvpn
08:14 < dnivra> !man
08:14 < vpnHelper> dnivra: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:15 < dnivra> !howto
08:15 < vpnHelper> dnivra: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:19 < dnivra> i have configured the openvpn server and am able to connect a client to it. unfortunately, it's possible with a /16 subnet and not a /24 subnet. i get the error "network/netmask conflict". is it possible to do so with netmask "255.255.0.0" and not "255.255.255.0"?
08:21 -!- hrishi_ [n=hrishi@121.243.61.82] has quit ["Leaving"]
08:21 < dnivra> the server line in file "openvpn.conf" is 10.1.0.1 255.255.0.0
08:21 < dnivra> any ideas on what to do?
08:26 -!- mode/##openvpn [+o ecrist] by ChanServ
08:26 -!- mode/##openvpn [+b *!*n=bios@121.243.61.*] by ecrist
08:26 -!- mode/##openvpn [-o ecrist] by ecrist
08:27 -!- dnivra [n=bios@121.243.61.82] has quit [Client Quit]
08:29 -!- [BIOS]Goo [n=varrun@117.254.114.67] has joined ##openvpn
08:31 < [BIOS]Goo> I dont know why u banned us "dnvira" and "hrishi" , we are under the univ and have the same public IP natted
08:32 < ecrist> you all look the same to me. I've directed you to the docs, yet the same question keeps getting asked.
08:32 < ecrist> if you ask the question again, I'll ban you as well.
08:32 < [BIOS]Goo> fyn
08:33 < ecrist> fyn?
08:33 < [BIOS]Goo> fine :)
08:33 -!- [BIOS]Goo [n=varrun@117.254.114.67] has quit [Client Quit]
08:36 -!- zerko_ [i=zerko@srv1.techality.com] has joined ##openvpn
08:39 -!- zerko_ [i=zerko@srv1.techality.com] has quit [Connection reset by peer]
08:40 -!- zerko [i=zerko@srv1.techality.com] has joined ##openvpn
08:43 < zerko> can someone help please?
08:43 < ecrist> !ask
08:43 < vpnHelper> ecrist: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
08:44 < zerko> I just did :)
08:44 < ecrist> 08:43 < zerko> can someone help please?
08:44 < ecrist> that appears to be asking to ask.
08:44 < ecrist> which is covered by
08:44 < ecrist> !ask 1
08:44 < zerko> I have a server in one location, I want to move the server to a different location
08:44 < vpnHelper> ecrist: Error: "ask" is not a valid command.
08:44 < ecrist> ok
08:45 < zerko> The new location isnt on the same subnet/class c
08:45 < zerko> Totally different IPs, but I want to keep the original IP
08:45 < zerko> Is there anyway I can do this with OpenVPN?
08:46 < ecrist> I don't really follow what you're trying to do.
08:47 < zerko> I have a server in one location on 208.65.99.* range
08:47 < zerko> I want to move that server to a different datacenter
08:47 < zerko> but do not want to change to new IPs
08:47 < zerko> i want to keep it on the 208.65.99.* but the new datacenter is using different Ips on the network
08:49 < zerko> Im trying to use the best/easiest way of forwarding or moving the original IP to the new location
08:49 < zerko> Get what I mean?
08:49 < ecrist> sure
08:49 < zerko> is this possible with openvpn?
08:49 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn []
08:49 < rapha> |Mike|: ofc i generated the certificates. What I'm saying is, the server doesn
08:50 < ecrist> you can, but it's going to require you still have access to your old IPs, and you still have a system at the old datacenter.
08:50 < rapha> 't even see anybody TRY to connect
08:50 < rapha> (even after I've disabled the firewall, which had a hole poked for 1194)
08:50 < zerko> ecrist, thats fine
08:50 < zerko> the thing is, eventually they will be routing it over
08:51 < zerko> this would just be a temporary solution until the routes set in
08:51 < zerko> is this pretty simple to do? i don't have any experience with open vpn
08:53 < zerko> ?
08:55 -!- dazo [n=dazo@nat/redhat/x-eazrrndvqmlftkay] has quit ["Leaving"]
08:56 < ecrist> all you need to do is get a machine on the current network setup as a VPN server and have it forward packets to a vpn client which resides on your new location
08:57 < zerko> Ok so for this
08:57 < zerko> I need 2 machines, a server side and a client side?
08:57 < ecrist> yep
08:57 < zerko> or does the vpn cient need to be installed on each machine that I move?
08:58 < zerko> better yet, does both machines need to be dedicated to the openvpn?
08:58 < ecrist> you really only need the client on one machine and you can do routing from there.
08:58 < zerko> Ok, on centos does openvpn exist on yum?
08:59 < zerko> and does it need to be a dedicated machine?
08:59 < zerko> could it be a VPS?
08:59 < zerko> that resides on the same network?
09:01 < ecrist> sure
09:02 < zerko> ok.
09:02 < zerko> is there any good documentation that explains how to install and configure openvpn for this?
09:02 < zerko> I appreciate your help so far.
09:07 -!- dazo [n=dazo@62.40.79.66] has joined ##openvpn
09:09 < ecrist> not that I know of
09:09 < ecrist> !route
09:09 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:09 < ecrist> try that to start
09:12 < rapha> hmmm thats weird it works with the openvpn command but not with NetworkManager
09:12 < ecrist> !ubuntu
09:12 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
09:13 < zerko> can i install open vpn on centos?
09:13 < ecrist> sure, why not?
09:14 < zerko> ok, also when you say "clients"
09:14 < zerko> does this mean the machines i am moving?
09:14 < zerko> do i have to install software on those actual machines?
09:14 -!- vindex [n=vindex@fencepost.gnu.org] has joined ##openvpn
09:14 < vindex> evening
09:14 -!- vindex is now known as Guest98961
09:14 < Guest98961> anyone running openvpn on gentoo with bridging?
09:14 < ecrist> at least one, yes
09:15 < thedoc> o/ all
09:15 < rapha> pft
09:16 < rapha> gonna show networkmanager who's boss
09:16 -!- Guest98961 is now known as moldenauer
09:16 < moldenauer> im having issues setting up openvpn with bridging on my host, with the current baselayout
09:17 < moldenauer> cant find any recent document explaining the setup. it is a simple one, theres one physical NIC connected to a local switched net, and i need a bridge for the vpn
09:17 < moldenauer> i could ditch bridging and go for a routing based approach but broadcasting is most ideal
09:19 < rapha> oh apropos bridging ... can that be done in a way that works on a server you don't have physical access to without losing your shell while setting it up? :P
09:20 < moldenauer> huh, should be heh
09:20 < moldenauer> you should lose access only if you do it wrong
09:20 < moldenauer> :P
09:20 < moldenauer> my problem here is dealing with the goddamn gentoo baselayout init scripts and the network config stuff they use
09:21 < moldenauer> im having a real mess with the bridging setup
09:21 < moldenauer> none of the documents i came across worked for me
09:21 < moldenauer> in terms of outdated information, even wrong advice, non applicable configs, etc
09:21 < moldenauer> anyone with a similar setup who can help?
09:22 < moldenauer> it really sucks if i have to go for a cisco vpn to avoid wasting time :>
09:22 < rapha> moldenauer: sounds like i'll use this routing thing for a while heheh
09:22 < rapha> HAH!
09:22 < rapha> got it working with NetworkManager
09:22 < rapha> now i only need some NAT setup or something ... cant ping the internet yet
09:23 < moldenauer> rapha: routing is fine until you need broadcasting
09:23 < moldenauer> sigh
09:23 < thedoc> moldenauer> What do you do that you require broadcast?
09:24 < moldenauer> thedoc: CIFS, private code, etc, essentially i want a true vpn
09:24 < moldenauer> plus
09:25 < moldenauer> what if i want to test non IP protocols
09:25 < moldenauer> ;)
09:25 < thedoc> I'm not sure why anyone still deals with anything else other than tcp/ip
09:26 < moldenauer> well, i guess thats my problem, good for you if you only have to stick to good old tcp/ip transport
09:27 < moldenauer> i have to play with things like sctp etc
09:27 < rapha> okay i see the problem i think ... what does "bad source address from client" mean and how do i fix that?
09:27 < moldenauer> but anyway, i gotta get this done subjective perspectives aside
09:27 < moldenauer> ;(
09:27 < reiffert> rapha: !route
09:27 < thedoc> moldenauer> Sorry mate, no idea on that.
09:27 < thedoc> :|
09:27 < moldenauer> thedoc: no idea on bridging or what
09:27 < rapha> reiffert?
09:28 < thedoc> Running non tcp/ip transport
09:30 < reiffert> !route
09:30 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:30 < reiffert> rapha: it will answer your question.
09:31 < rapha> hum ... i only have a single box so far thats running the openvpn client for itself
09:31 * rapha still takes a look
09:32 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has joined ##openvpn
09:32 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn
09:33 < Sup3rFly> does OpenVPN-GUI allow you to use as service, so you can login before windows login?
09:33 < ecrist> yes
09:36 < Sup3rFly> I enabled allow_service=1 and setup OpenVPN service to start automatically. How does the user get prompted to login via OpenVPN before they put in their windows credentials?
09:37 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
09:38 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has quit ["Leaving."]
09:41 < moldenauer> ok bridging is up
09:42 < moldenauer> is it possible to provide server-bridge an argument so it gives different addresses? other than that in the span of the private lan
09:45 < dazo> moldenauer: if you want that .... you might not need bridging, but pure routing ....
09:48 < moldenauer> dazo: did you see my previous messages....?
09:49 < moldenauer> dazo: broadcasting. needed.
09:49 < dazo> moldenauer: no, have not read too much scrollback yet
09:51 < Sup3rFly> do i need a .config file for openvpn service to work?
09:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:55 < dazo> Sup3rFly: yes, you will
09:56 < moldenauer> meanwhile
09:56 -!- gregd [n=ask@98.143.155.131] has joined ##openvpn
09:56 < moldenauer> http://store.theonion.com/kennedy-slain-by-cia,-mafia,-castro,-lbj,-freemasons-1962-p-342.html
09:56 < vpnHelper> Title: Onion Store > Kennedy Slain By CIA, Mafia, Castro, LBJ, Freemasons (1962) (at store.theonion.com)
09:56 < moldenauer> heh
10:02 < Sup3rFly> frick. i'm failing. is it possible to have the openvpn-gui login box appear before you login into windows?
10:03 < Sup3rFly> so a user can log into the domain
10:04 < dazo> moldenauer: I've read through things now .... if the netmask is correct in --server-bridge and corresponds to the netmask on the bridge interface .... the broadcast address should be correct immediately, or not?
10:04 < dazo> Sup3rFly: nope
10:04 < Sup3rFly> damn, you would think someone would have done that already
10:04 < dazo> Sup3rFly: if you want VPN to be connected automatically on computer boot ... then you cannot get the user to do any fun stuff before login in
10:05 < Sup3rFly> i want the option...
10:05 < dazo> Sup3rFly: those setups being discussed here and on the mailing lists have not included user/password auth ... only automatic starting of openvpn as a service, afaik
10:05 < Sup3rFly> that would be fine
10:06 < Sup3rFly> just like the cisco vpn starts automatically and you have the option to login
10:06 < dazo> Sup3rFly: which also means, no password on the ssl key file
10:06 < Sup3rFly> oh well, i still heart openvpn i suppose
10:08 < dazo> moldenauer: if you want to add another subnet on top of the bridge, I don't expect it can use the broadcast address of the physical network .... as that's outside it's own scope ....
10:08 -!- rgubler_ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn
10:14 < moldenauer> dazo: you mean "its own scope"? and sure broadcasting is tied to a specific subnet
10:14 < moldenauer> but that doesnt answer my question
10:16 < dazo> moldenauer: but you said .... "is it possible to provide server-bridge an argument so it gives different addresses? other than that in the span of the private lan" .... With --server-bridge you define the network scope the clients will get ...
10:16 < dazo> moldenauer: --server-bridge [ gateway netmask pool-start-IP pool-end-IP ] (from man page)
10:17 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has quit []
10:18 < rgubler_> moldenauer: if your goal is to have openvpn on its own subnet, separate from the nodes on your lan, yes that is possible
10:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
10:19 -!- rgubler [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
10:19 < moldenauer> rgubler_: well, i want to support bridging ON A VPN-only network.
10:19 < moldenauer> rgubler_: i might just go for routing in the end because it seems overcomplicated to set this using bridging
10:19 < moldenauer> rgubler_: i meant broadcasting there
10:20 < moldenauer> sorry, been a couple hours messing with it
10:20 < rgubler_> you just need to create a bridge device, and not attach it to your ethernet device
10:21 < rgubler_> openvpn --mktun --dev tap0
10:21 < rgubler_> then don't call brctl to attach tap0 to eth0
10:22 < rgubler_> or whatever it is you attach it to
10:22 < rgubler_> br0
10:22 < rgubler_> that will essentially create a virtual switch where only ovpn users will reside
10:23 < rgubler_> well actually you'll probably have to create a bridge interface.. just dont use an existing one where your lan is talking on
10:23 < moldenauer> thanks, anything i should bear in mind for the clients?
10:23 < moldenauer> i dont have a second NIC for this system
10:23 < moldenauer> though i guess theres a possibility to create some virtual iface
10:23 < rgubler_> add client-to-client in your client config
10:24 < rgubler_> actually add that in your server config :)
10:24 < rgubler_> brctl addbr br1;openvpn --mktun --dev tap0
10:24 < rgubler_> brctl addif br1 tap0
10:25 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:25 < rgubler_> then in your config: dev tap0
10:27 < moldenauer> rgubler_: would this allow me to add firewall rules for each client? btw i havent found examples of this stuff anywhere
10:28 < rgubler_> uh yeah.. it will behave just like any other layer 2 interface coming into the computer.. at least as far as iptables cares
10:29 < rgubler_> there is some weirdness i dont quite understand with mac address assignment on tap devices.. so i'd recommend doing your firewall rules at the ip layer
10:31 < moldenauer> mind if we on private, i dont want to bother the channel with my specific setup issues
10:31 < moldenauer> dont mind putting them here if it isnt a problem
10:31 < moldenauer> i think i should have stated my objectives with the vpn a little better for sure
10:32 < rgubler_> well i am by no means an openvpn guru so i'd say talk in here.. so other people can chime in if they want
10:33 -!- gregd [n=ask@98.143.155.131] has quit []
10:34 < moldenauer> alright
10:34 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
10:36 < moldenauer> well, my intention with the vpn so far: 1) I would like to be able to use non-IP protocols and have broadcasting available. 2) I want to keep the network out of the private LAN, isolated. 3) I want to be able to provide firewall rules for clients, so a specific client isnt allowed to access foo service somewhere 4) I'm running some services off the same host that is going to act as openvpn server (namely apache, samba, git, perhaps other stuf
10:37 < moldenauer> rgubler_: those are my requirements, thats why i went for bridging first
10:38 < rgubler_> ok, sounds reasonable. is your goal realling to completely isolate the openvpn clients from your real LAN, while also firewalling the connectivity between openvpn users?
10:38 < rgubler_> really*
10:39 -!- maxagaz [n=g@125.39.108.219] has joined ##openvpn
10:39 < maxagaz> hi
10:39 < moldenauer> rgubler_: yes, correct
10:39 < moldenauer> rgubler_: i would also like to make client setup easy, or at least possible to bundle my config for both windows and linux hosts
10:39 < maxagaz> could someone explain me how to connect to a vpn ?
10:40 < moldenauer> im not going to have a gazillion hosts but the easier the better for clients
10:41 < rgubler_> moldenauer: ok. well in that case what i think you'll need to do then is: (1) create a new bridge device that has no physical ethernet device attached (like we did earlier) and attach only openvpn's tap0 device to it; (2) give your newly created bridge device a local ip address that isn't shared with your LAN you can then run services on that specific ip if desired on the host; (3) you'll need the "client-to-client directive
10:41 -!- rgubler_ [n=rob@99-36-114-69.lightspeed.irvnca.sbcglobal.net] has quit ["leaving"]
10:43 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"]
10:48 -!- kreg [n=kreg@208-98-188-95.directcom.com] has joined ##openvpn
10:50 < moldenauer> he disappeared
10:50 < moldenauer> heh
10:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
10:51 -!- jeiworth [n=jeiworth@189.163.170.81] has quit [Success]
10:53 -!- davidm [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has joined ##openvpn
10:54 -!- davidm is now known as Guest65164
10:54 -!- Guest65164 [n=davidm@c-24-22-174-216.hsd1.wa.comcast.net] has left ##openvpn []
10:54 < dazo> moldenauer: just have your criteria clear .... in regards to 2) .... with "network" do you mean the VPN network?
10:55 < zerko> Ok, i have openvpn installed on one server
10:55 < zerko> (the original network)
10:55 < zerko> I want to forward its IPs to a new network
10:55 < zerko> Do I have to install the client on EACH server I migrate?
10:56 < dazo> moldenauer: I do have a working setup which is pretty close to what you list up here, except I don't use it for non-tcp/ip protocols yet .... and I use TAP + routing .... with firewall filtering on clients MAC addresses of the TAP device ....
10:57 < dazo> moldenauer: I do use cifs as well on this connection (I have only one cifs server on the inside, and no clients there - that might be a difference), and VPN is a separate sub-net from the rest of the networks, using a virtual interface (the tap device)
10:59 * dazo reads openvpn-users ... and wonders when openvpn and other vpn and ssh products will be banned in China ....
11:00 < reiffert> I ever thought china already banned openvpn from their country-firewall
11:02 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:06 < moldenauer> dazo: china is moving back to telnet!
11:06 < dazo> moldenauer: yeah, I thought so ;-)
11:06 < moldenauer> the 70s called, they want their backdoors back!
11:07 < moldenauer> dazo: since i already brainfucked myself for the past 3 hours im going to try rg's approach, testing with a bridge not attached to lan
11:07 < moldenauer> should work i think
11:07 < moldenauer> lets see
11:08 < dazo> moldenauer: bridging against a virtual interface?
11:08 < dazo> bridging tap against a virtual interface, that is
11:11 < dazo> moldenauer: I could mention by the way ... my setup is working in gentoo ... it's just a little extra pre and post code to put into /etc/conf.d/net .... and then I do /etc/init.d/net.tap0 start .... and it sets up the tap device, and starts openvpn with the correct config for that device
11:14 -!- maxagaz [n=g@125.39.108.219] has quit [Client Quit]
11:16 -!- bauruine [n=bauruine@92.105.159.93] has quit [Read error: 148 (No route to host)]
11:16 -!- jeiworth [n=jeiworth@189.177.127.62] has joined ##openvpn
11:18 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
11:19 < moldenauer> dazo: bridging tap0 with no associated physical iface
11:19 < moldenauer> dazo: lemme test this one and see whats up
11:19 < moldenauer> hope it works
11:20 < dazo> moldenauer: that doesn't make sense ....
11:21 < moldenauer> dazo: you can create a bridge without a physical nic
11:21 < moldenauer> hehe
11:21 < dazo> moldenauer: then you don't need a bridge ... the tap device can work as a normal ethernet interface ..... just being virtual
11:21 < moldenauer> your setup is routing based.
11:22 < moldenauer> show me your server config if you dont mind
11:22 -!- kreg [n=kreg@208-98-188-95.directcom.com] has left ##openvpn ["Leaving"]
11:22 < zerko> What im trying to accomplish:
11:22 < zerko> I have 2 datacenters
11:22 < zerko> Each have different IP ranges
11:22 < zerko> I want to migrate a few servers to the new datacenter
11:22 < zerko> but still be able to use the original IPs there
11:22 < zerko> We haven't added the routes yet
11:22 < zerko> So, i want to use OpenVPN temporarily to accomplish this
11:22 < zerko> get what im saying?
11:22 < zerko> Could someone help me please?
11:23 < dazo> moldenauer: I'll get it now
11:24 < reiffert> < zerko> get what im saying? no.
11:25 < zerko> reiffert, i am trying to connect the two separate locations
11:26 < zerko> So I can use the same IPs on the new network
11:26 < zerko> I am trying to forward IPs from A to B
11:26 < reiffert> zerko: and your openvpn question is?
11:26 < zerko> 1) Is this possible
11:27 < zerko> 2) how can I do it through openvpn? is there step-by-step docs?
11:27 < reiffert> 1) whatever can be done with routing can be done by openvpn
11:27 < reiffert> 2) type !howto and !route
11:27 < reiffert> eg
11:27 < reiffert> !howto
11:27 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:28 < moldenauer> lol
11:28 < zerko> !howto route
11:28 < moldenauer> dazo: ok, lemme test something here, just a simple server-client test
11:28 < vpnHelper> zerko: Error: "howto" is not a valid command.
11:28 -!- kyrix [n=ashley@188-23-186-198.adsl.highway.telekom.at] has joined ##openvpn 11:28 < dazo> moldenauer: I'm almost ready 11:29 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 11:29 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 11:30 < dazo> moldenauer: http://pastebin.ca/1559943 11:30 < moldenauer> creating a config for my test client here 11:31 < dazo> moldenauer: that's a working setup on a Gentoo box 11:31 < reiffert> zerko: 11:31 < reiffert> !route 11:31 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:32 -!- jeiworth_ [n=jeiworth@189.177.127.62] has joined ##openvpn 11:33 -!- jeiworth [n=jeiworth@189.177.127.62] has quit [Read error: 104 (Connection reset by peer)] 11:34 < moldenauer> dazo: lemme see, im trying to figure out all the bits for the client config 11:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 11:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:38 < moldenauer> dazo: you have an external auth plugin? 11:39 < dazo> moldenauer: here's the client config .... http://pastebin.ca/1559954 11:39 < dazo> moldenauer: yeah, I'm using the eurephia plug-in for username/password auth + automatic firewalling per connection 11:40 < dazo> (it's one of my side projects) 11:40 < moldenauer> anything required in the chroot? 11:40 < reiffert> money, lots of. 11:41 < dazo> moldenauer: nope ... not without plugin 11:41 < moldenauer> i also wnated to take a look into that (chrooting) 11:41 < moldenauer> alright 11:41 < moldenauer> nice 11:41 < dazo> with plugin, you'll need an empty directory where the database can write some temp files 11:41 < dazo> and if you use ccd ... 
the client configs go into the directory in the chroot 11:42 < moldenauer> eurephia sounds great, though lets do it step by step 11:42 < moldenauer> lemme get a working network first 11:42 < moldenauer> it seems thats exactly what i need 11:43 < moldenauer> wouldnt mind contributing some patches if i required any changes, though i doubt i will need to change anything major 11:43 < dazo> moldenauer: yup! That's why I just commented out that plugin ... this should be working out of the box on Gentoo server and on whatever client you wish 11:43 < dazo> Please do! 11:43 < moldenauer> testing from a windows client atm 11:43 < moldenauer> lemme see 11:47 < moldenauer> dazo: funny enough, i get pedantic about ports. they are all palindromic primes. 11:47 < moldenauer> that way i dont forget where i should connect to if i lose the config 11:47 < moldenauer> :> 11:48 < dazo> heh 11:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:53 < moldenauer> dazo: works, lemme get the log up 11:53 < dazo> moldenauer: told you so ;-) 11:55 < moldenauer> dazo: http://pastie.org/private/oeknaincpdd6fhrnvvcrxw 11:55 < dazo> moldenauer: seems good at first look 11:55 < moldenauer> lemme move apache to vpn ip 11:55 < moldenauer> and see if it works ;) 11:56 < moldenauer> dont open the cigar box just yet 11:56 < dazo> you don't need that 11:56 < moldenauer> i want to move apache to the vpn 11:56 < dazo> you just add some little magic in the server log 11:56 < dazo> config 11:56 < dazo> push "route 255.255.255.255" 11:56 < dazo> no reconfig needed then :) 11:57 < dazo> (in apache, that is) 11:57 < dazo> if you go for eurephia later on ...
you control the access in iptables 11:58 < moldenauer> Wed Sep 09 18:57:38 2009 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.6.0.128/255.255.255.0 on interface {A4D017A1-D8EE-4E2B-9EE3-B2BA13E6285E} [DHCP-serv: 10.6.0.0, lease-time: 31536000] 11:58 < moldenauer> yuck 11:58 < moldenauer> Wed Sep 09 18:57:38 2009 NOTE: FlushIpNetTable failed on interface [23] {A4D017A1-D8EE-4E2B-9EE3-B2BA13E6285E} (status=1168) : Element not found. 11:59 < moldenauer> Wed Sep 09 18:57:43 2009 TEST ROUTES: 0/0 succeeded len=-1 ret=1 a=0 u/d=up 11:59 < moldenauer> sorry 11:59 < moldenauer> anyway, im not able to access the ip 11:59 < moldenauer> interesting 11:59 < moldenauer> well 11:59 < moldenauer> lemme see 12:00 < moldenauer> Pinging 10.6.0.1 with 32 bytes of data: 12:00 < moldenauer> Reply from 192.168.153.1: Destination net unreachable. 12:01 < moldenauer> dazo: thats the culprit, no route 12:01 < moldenauer> shrug 12:01 < moldenauer> im on vista 12:01 < dazo> moldenauer: are you starting the client with admin privileges? 12:01 < dazo> and! more important! which version are you running on Vista? 12:02 < moldenauer> OpenVPN 2.1_rc19 on vista 12:02 < dazo> moldenauer: good! 12:02 < moldenauer> yes i restarted openvpn gui with admin privs 12:02 < moldenauer> # openvpn --version 12:02 < moldenauer> OpenVPN 2.1_rc19 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 9 2009 12:02 < moldenauer> on gentoo 12:02 < moldenauer> matching versions 12:02 < dazo> moldenauer: anyway .... I'm not strong on Windows (I'm a linux guy) .... and don't remember all hacks people might do sometimes 12:03 < dazo> moldenauer: and you've moved the problem over to Vista .... I call that progress :-P 12:03 < dazo> whooops 12:03 < moldenauer> i do linux kernel devel among other things, but gotta run on any road 12:03 < moldenauer> :P 12:03 < moldenauer> dont get me started, vista aint that bad, just poorly marketed :> 12:04 * dazo is forgetting time .... gotta run .... 
hungry wife at home ...... :( 12:04 < moldenauer> sarcasm aside 12:04 < moldenauer> ok, ttyl 12:05 < dazo> moldenauer: sure! if not this evening, at least tomorrow :) 12:05 < moldenauer> yeah, i hope to have my woes solved before tomorrow though haha 12:05 < moldenauer> this is truly getting in the way of some other real work 12:05 < moldenauer> ;( 12:06 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:07 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 12:16 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn 12:20 < |Mike|> re. 12:37 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 13:03 < moldenauer> TLS Error: cannot locate HMAC in incoming packet from 172.16.0.2 13:03 < moldenauer> receiving this on my windows vista client when trying to connect 13:03 < |Mike|> !tls-auth 13:03 < moldenauer> shrug 13:03 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
see !secure for how 13:04 < |Mike|> !secure 13:04 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 13:04 < |Mike|> moldenauer: ^ 13:04 < moldenauer> thanks, lemme see 13:04 < moldenauer> looks like i omitted that 13:05 < moldenauer> |Mike|: my bad, i messed up with a vim swap file 13:07 < |Mike|> :-) 13:07 < moldenauer> testing apache now :) 13:07 < moldenauer> sorry about the stupidity there 13:07 < moldenauer> should have known better 13:07 < |Mike|> no problem, we all make mistakes 13:12 < moldenauer> |Mike|: rocking, i gotta love openvpn 13:12 < moldenauer> sigh 13:12 < moldenauer> great stuff, now must do some housekeeping and prepare a drop-in package for the windows clients 13:12 < moldenauer> sucks to do the whole config by hand 13:13 < |Mike|> it's not like "click" and it works ;) 13:13 -!- mre [n=qszxezcr@gut75-5-82-247-8-197.fbx.proxad.net] has joined ##openvpn 13:13 -!- mre is now known as Guest12579 13:13 < moldenauer> |Mike|: are you being sarcastic? 
or you mean servers 13:13 < moldenauer> servers, sure, they need some loving 13:13 < moldenauer> depending on the complexity of your setup 13:14 < |Mike|> it's pretty complex :D 13:15 < moldenauer> just needs us to read the docs, i think we are all too used to doing things in a rush 13:15 < moldenauer> it's good sometimes to take some time to sit down and read through the documentation 13:15 < moldenauer> in the long term it helps 13:16 < |Mike|> ya, but it's like 1 hr work for someone which knows what he's doing and 5 days for a starter :P 13:17 < moldenauer> haha exactly 13:17 < moldenauer> i can definitely relate 13:17 < moldenauer> i dealt with checkpoint/cisco vpns before, it is too fancy tbh 13:17 < moldenauer> it works out of the box for sure 13:17 < moldenauer> but 13:17 -!- phatf1sh is now known as phatfish 13:18 < moldenauer> well, i wouldnt say it is a great thing 13:18 < moldenauer> openvpn is very flexible 13:18 < moldenauer> and it is free 13:18 < |Mike|> i'm a bsd guru but i never used apt nor sudo on linux, even gurus have to rtfm :D 13:18 < moldenauer> and i get to read the code 13:18 < moldenauer> i vomit kernel code during hangovers and i had to spend 2 days reading the docs 13:18 < moldenauer> ;( 13:19 < moldenauer> i blame alcohol, it is taking a toll on my intellect 13:19 < moldenauer> soon i will be using macintosh! 13:19 < |Mike|> it kills brain cells as well 13:19 * moldenauer ducks 13:19 < moldenauer> sigh checking a decent dns server 13:19 < moldenauer> djbdns is great 13:19 < moldenauer> but im tired of configuring that crap 13:21 * |Mike| runs 13:22 < |Mike|> file{"/foo": ensure => directory} 13:22 < |Mike|> eh 13:22 < moldenauer> haha 13:23 < |Mike|> puppet is the bomb. 13:23 < moldenauer> djb is a really great coder but, shit, he doesnt grasp that everyone, sadly, went for a directory layout which is totally different 13:30 < Optic> moo 13:36 < |Mike|> omfg, i hate php.
13:40 -!- yakischloba [n=jake@boss.shiftedlabs.com] has left ##openvpn [] 13:43 < Guest12579> For openvpn do i need a domain or a dns ? 13:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 13:44 < |Mike|> just an IP :p 13:45 < Guest12579> can't i use a local one ? 13:45 < Optic> moo 13:47 < |Mike|> you can build a openvpn in your internal network if you want that :p 13:47 < moldenauer> |Mike|: i hate it too but sadly it is the language cheapest to deploy around 13:47 < moldenauer> which sucks 13:47 < moldenauer> python all the way here 13:48 < Guest12579> That would rather snooker my plans , as im behind a router which i do not have access to .. all i want to do is play over lan with my friend =( 13:53 < moldenauer> play over lan with a friend will require you to have bridging most likely 13:53 < moldenauer> just read the docs 13:53 < moldenauer> there are some helpful fellows here you can ask specific questions 13:55 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 13:58 < Guest12579> You don't understand, I'm stuck inside an internal network , i would have to invite my poor friend over which defeats the whole purpose of a vpn 14:02 < moldenauer> Guest12579: huh? thats what bridging is for.
14:03 < moldenauer> Guest12579: read the documentation a bit first so you become familiar with it 14:08 -!- kyrix [n=ashley@188-23-186-198.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 14:08 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 14:08 < ecrist> http://lifehacker.com/5355155/hamachi-updates-and-adds-web+based-management 14:08 -!- kosmic is now known as prawn 14:08 < vpnHelper> Title: Hamachi Updates and Adds Web-Based Management - Vpn - Lifehacker (at lifehacker.com) 14:10 -!- kyrix [n=ashley@188-23-186-198.adsl.highway.telekom.at] has joined ##openvpn 14:11 < Guest12579> moldenauer, Ok Thanks , Looks like I got some fun stuff lined up for me tonight =/ 14:13 -!- syntaxcollector [n=syntaxco@72.15.145.50] has joined ##openvpn 14:14 < moldenauer> Guest12579: not sure it's fun but entertaining for sure, been through that today and finally got it all set 14:15 < moldenauer> ;) 14:24 -!- syntaxcollector [n=syntaxco@72.15.145.50] has quit [] 14:26 < |Mike|> !all 14:26 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 14:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:29 -!- ashley_ [n=ashley@188-23-77-69.adsl.highway.telekom.at] has joined ##openvpn 15:29 -!- kyrix [n=ashley@188-23-186-198.adsl.highway.telekom.at] has quit [Connection timed out] 15:31 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 15:33 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit [Client Quit] 15:40 -!- ivenkys
[n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 16:01 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 16:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:31 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Remote closed the connection] 16:32 -!- gregd [n=gregd720@98.143.155.131] has quit [Read error: 110 (Connection timed out)] 16:35 -!- crazed [n=cr4z3d@unaffiliated/cr4z3d] has joined ##openvpn 16:36 < crazed> i don't have root access on a box, is it possible to get openvpn to work as a client? 16:37 < crazed> compiled correctly but i have Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 16:40 < moldenauer> crazed: running openvpn from a compromised host? 16:40 < moldenauer> heh 16:46 < krzie> no, you can not 16:47 < krzie> you must have access to modify the virtual device and routing table 16:52 -!- syntaxcollector [n=syntaxco@96.49.144.155] has joined ##openvpn 16:52 -!- Casandrax [n=Casandra@host-90-233-151-14.mobileonline.telia.com] has joined ##openvpn 16:59 < crazed> crap 16:59 < crazed> i wanted to vpn from work 16:59 < crazed> but i don't have root 17:00 < crazed> tired of constant ssh tunnels.. 17:04 -!- syntaxcollector [n=syntaxco@96.49.144.155] has quit [Read error: 104 (Connection reset by peer)] 17:04 < reiffert> crazed: ssh supports network tunneling with tun as well 17:05 < reiffert> like openvpn does. 17:06 < crazed> yeah but you need to specify per port with -L as far as i know at least 17:07 < reiffert> thats port redirection/forwarding 17:07 < reiffert> http://www.debian-administration.org/articles/539 17:07 < vpnHelper> Title: Setting up a Layer 3 tunneling VPN with using OpenSSH (at www.debian-administration.org) 17:07 -!- syntaxcollector [n=syntaxco@74.198.148.18] has joined ##openvpn 17:07 < reiffert> !factoids search ssh 17:07 < vpnHelper> reiffert: No keys matched that query.
17:07 < reiffert> !learn ssh as Setting up a Layer 3 tunneling VPN with using OpenSSH http://www.debian-administration.org/articles/539 17:07 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 17:08 < moldenauer> reiffert: btw any decent docs about openvpn firewalling out there? 17:08 < reiffert> !learn vpnHelper as you suck 17:08 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 17:15 < krzie> moldenauer, the man page has sections on firewalling 17:16 < |Mike|> !test 17:16 < vpnHelper> |Mike|: Error: "test" is not a valid command. 17:17 < moldenauer> krzie: ill check, thanks 17:18 < reiffert> krzie: 17:18 < reiffert> !learn ssh as Setting up a Layer 3 tunneling VPN with using OpenSSH http://www.debian-administration.org/articles/539 17:18 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 
17:20 < |Mike|> reiffert: http://www.xkcd.com/627/ 17:20 < vpnHelper> Title: xkcd - A Webcomic - Tech Support Cheat Sheet (at www.xkcd.com) 17:20 -!- Guest12579 [n=qszxezcr@gut75-5-82-247-8-197.fbx.proxad.net] has quit [Remote closed the connection] 17:21 < reiffert> krzie: !learn help as http://www.xkcd.com/627/ 17:21 < vpnHelper> Title: xkcd - A Webcomic - Tech Support Cheat Sheet (at www.xkcd.com) 17:21 < reiffert> |Mike|: :) 17:33 -!- syntaxcollector [n=syntaxco@74.198.148.18] has quit [] 17:35 < krzie> lol 17:35 < krzie> ok 17:35 < krzie> !help 17:35 < vpnHelper> krzie: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 17:35 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 17:35 < krzie> cant use !help 17:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection reset by peer] 17:39 < Casandrax> Remove the *.ice.net ban, it seems to be overly powerful. 17:41 -!- jeiworth_ [n=jeiworth@189.177.127.62] has quit [Read error: 60 (Operation timed out)] 17:43 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn 17:43 < ryanrhee90> hi all 17:43 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn [] 17:43 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn 17:43 < ryanrhee90> hi all 17:44 < ryanrhee90> is there a way for an openvpn client to NOT use the vpn bridge for internet connections? 17:44 < ryanrhee90> i just want to be connected to the LAN, while using the client's internet connection instead of the server's internet con 17:46 < moldenauer> does anyone know how is RSA-SHA256 exactly used in contrast to, say, SHA1 or SHA256 in the auth option? 17:46 < moldenauer> does the hmac involve some PKI signature exchange/verification? 17:46 < reiffert> ryanrhee90: dont use redirect-gateway?
17:46 < moldenauer> im more curious about internals/impact speed-wise 17:46 < |Mike|> !secure 17:46 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 17:46 < |Mike|> moldenauer: ^ 17:46 < |Mike|> moldenauer: yes 17:47 < moldenauer> |Mike|: hey mike, it isnt explained there i think 17:47 < ryanrhee90> reiffert: is that in the server config or client config? 17:47 < moldenauer> i mean, i know AES with 256 bit key in cbc mode is discussed 17:47 < moldenauer> but didnt see any mentions to TLS exchange or hmac there 17:47 < moldenauer> lemme see again though 17:47 < |Mike|> it used to be in the security overview 17:47 < |Mike|> as far as i can recall 17:48 < reiffert> ryanrhee90: to be sure, please show us both of them, have a look: 17:48 < reiffert> !configs 17:48 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:48 < reiffert> ryanrhee90: or even better: 17:48 < reiffert> !all 17:48 < vpnHelper> reiffert: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 17:48 < ryanrhee90> reiffert: will do. 17:49 < reiffert> k 17:49 < Casandrax> gadmintools has a client and server gui for openvpn. Maybe that could be a valid option ? 17:50 < moldenauer> |Mike|: nah no mention to using diff hmac algorithms 17:50 < moldenauer> |Mike|: lemme see if theres one elsewhere 17:51 < |Mike|> vpnHelper used to have a page with all that data.
17:51 < vpnHelper> |Mike|: Error: "used" is not a valid command. 17:53 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:56 -!- syntaxcollector [n=syntaxco@S010600120188d200.vc.shawcable.net] has joined ##openvpn 17:58 < moldenauer> |Mike|: the preshared secret in TLS handshake is a clever idea 18:00 < ryanrhee90> client Mac OS X, tunnelblick, config: http://pastebin.com/m4def5bb5 18:01 < ryanrhee90> (reiffert) 18:02 < ryanrhee90> reiffert: the server is down at the moment but will be back up shortly. i will put up the server config and logs then. 18:02 < |Mike|> moldenauer: if you trust your clients, yes. 18:05 < moldenauer> |Mike|: right, but it is meant for servers listening to an untrusted network 18:05 < |Mike|> indeed. 18:05 < moldenauer> once you let someone in the subnet messing with the vpn server wont be the most enticing target :> 18:05 < |Mike|> would you add clients from an untrusted subnet/mask ? 18:06 < moldenauer> the last openssl heap overflows which were silently fixed are fairly nasty though 18:06 < |Mike|> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0082 18:06 < |Mike|> that one ? ;) 18:07 < moldenauer> nah 18:07 < reiffert> 2002? 18:07 < moldenauer> they dont have a cve 18:07 < moldenauer> they didnt release details 18:07 -!- sodapop [n=sodapop@143.233.245.245] has joined ##openvpn 18:07 < moldenauer> ;( 18:07 < |Mike|> that one is pretty nasty reiffert :D 18:08 < reiffert> that \0 stuff is more ... I guess 18:08 < sodapop> is it possible to set the default gw when openvpn starts (must be done at the client) 18:09 < reiffert> sodapop: starts? not when it connects successfully? 18:09 < |Mike|> gateway ? 18:09 < |Mike|> moldenauer: do you trust the computers e.g network behind some routers ? :) 18:09 < sodapop> reiffert: yes thats what i mean 18:10 < reiffert> sodapop: yes, it's possible. 18:10 < reiffert> sodapop: want to route default over the vpn? 
18:11 < moldenauer> |Mike|: i dont trust any networked computer, but like women, you have to roll with it 18:11 < reiffert> sodapop: 18:11 < reiffert> !def1 18:11 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:11 -!- BillyCrook1 [n=BillyCro@72.22.210.100] has joined ##openvpn 18:11 < |Mike|> moldenauer: ok, how do you store your client certs etc? 18:12 < |Mike|> serverside certs and userside 18:12 < reiffert> afk 18:12 < BillyCrook1> I kind of wish somehow openvpn could do some form of name resolution for clients to find each other's vpn IP addresses from their names. Is there any common way of doing that dynamically (not just running bind somewhere and hand entering each client) 18:13 < BillyCrook1> based on CN maybe 18:13 < |Mike|> /etc/hosts ? ;) 18:13 < moldenauer> BillyCrook1: run your own dns server 18:13 < moldenauer> imho 18:13 < BillyCrook1> I do 18:13 < moldenauer> sorry 18:13 < moldenauer> didnt read your full message 18:13 < BillyCrook1> I just would rather not edit a zone file every time a new client comes along 18:13 < moldenauer> dont use bind 18:13 < BillyCrook1> :-) 18:13 < moldenauer> go for djbdns or something gentleman 18:13 < moldenauer> but 18:13 < BillyCrook1> I was thinking maybe avahi, 18:13 < moldenauer> stay the hell out of bind 18:14 < |Mike|> opendns ffs. 18:14 < moldenauer> erm, avahi will only work on a bridged vpn 18:14 < BillyCrook1> but gah, avahi, i'd rather have it based on CN than hostname 18:14 < BillyCrook1> these losers have all sorts of weird hostnames 18:14 < moldenauer> |Mike|: havent checked that, is it good?
i thought of writing a jackass dnsd in python with twisted 18:14 < moldenauer> like, fixed responses 18:14 < moldenauer> would make me feel fuzzy and sleep a tad better 18:14 < |Mike|> we don't use anything else here :D 18:15 < moldenauer> |Mike|: i want to set up dns next on the vpn 18:15 < moldenauer> havent got there yet though 18:15 < BillyCrook1> I guess I could write some script on the server that adds the CN and IP of the client to a hosts master file, and then push a script that appends the master file to the clients' hosts file 18:15 < |Mike|> if you have reserved ip's, why not ? 18:16 < |Mike|> BillyCrook1: use puppet :D 18:16 < BillyCrook1> my intention is that all my clients already can communicate with each other directly outside of the vpn, but once they join, I want them to resolve each other's hostnames to vpn IPs 18:16 < |Mike|> client-to-client 18:16 < |Mike|> you can do that by running a nameserver 18:17 < BillyCrook1> bind with dyndns? 18:17 < |Mike|> how many users are we talking of ? 18:17 < BillyCrook1> 20 or so 18:17 < BillyCrook1> googling puppet... 18:18 < moldenauer> |Mike|: sha384 and other nonstandard cipher working great 18:18 < moldenauer> loving it 18:18 < moldenauer> |Mike|: eventually it would be nuts if openvpn could use something apart from openssl 18:18 < moldenauer> and have it built-in 18:18 < BillyCrook1> egads!!! puppet, no 18:18 < moldenauer> SERPENT is solid, even though slower because of the extra rounds 18:19 < BillyCrook1> all of my clients/servers are gnu+linux if that helps 18:20 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn 18:20 < |Mike|> moldenauer: there are web apps which are capable of using non-command line tools, but i disgrace them on default.
18:20 < |Mike|> BillyCrook1: it's GNU as well, just add your clients and distribute it from 1 server :) 18:22 < BillyCrook1> theres a larger vpn i admin that has right now about 50 active clients, and 100 accounts, but they're thinking of changing their business model such that there will be something like 100 new accounts per month 18:22 < sodapop> reiffert: i used this but it does not work after the last update openvpn --route-gateway x.x.x.x --redirect-gateway --config openvpn.conf 18:22 < moldenauer> |Mike|: what do you mean re web apps 18:22 < moldenauer> BillyCrook1: a vpn business? 18:23 < moldenauer> BillyCrook1: people actually offload/outsource vpns? 18:23 < BillyCrook1> moldenauer: medical. we own a couple hundred labs around the US 18:23 -!- sodapop [n=sodapop@143.233.245.245] has quit ["WeeChat 0.3.0"] 18:23 -!- sodapop [n=sodapop@143.233.245.245] has joined ##openvpn 18:23 < BillyCrook1> connect each back home to upload files using vpn 18:23 < |Mike|> moldenauer: i've no idea how that app is named, i prefer command line :) 18:23 < BillyCrook1> expanding means letting labs we don't own connect in too 18:23 < BillyCrook1> theres a lot more labs we don't own than we do 18:24 < Gnewt> I have a road-warrior VPN set up, and I can connect to it and usually ping the server on its private IP, but I can't make any connections and DNS lookups don't work. Help? Server and client configs are here: http://pastebin.ca/1560461 18:24 < |Mike|> !push-dns 18:24 < vpnHelper> |Mike|: Error: "push-dns" is not a valid command. 18:24 < |Mike|> wtf 18:24 < BillyCrook1> Gnewt: any connections *to what*. Can the clients ping their DNS servers? (fix that first) 18:26 < Gnewt> |Mike|: Thank you! It works now... I looked push dns up manually 18:26 < |Mike|> np.
18:28 < BillyCrook1> I think I'm just going to make some script that seds my ifconfig-pool-persist file into a dns zone file and restarts bind 18:28 < |Mike|> ipp.txt 18:28 < |Mike|> you can reserve ip's per client btw 18:28 < |Mike|> so you can hardcode those 18:29 < BillyCrook1> I'm not too crazy about hardcoding any ips to hostnames 18:30 < BillyCrook1> I'd like eventually, to have so many more accounts than connected users that I could actually need to have multiple users use the same IP throughout the month/year 18:30 < BillyCrook1> like have 100 out of a thousand users on at any given time 18:31 < |Mike|> to client-to-client or to route the traffic ? 18:32 < BillyCrook1> most traffic is between a client, and a service running on the server itself or behind it on a private lan 18:32 < BillyCrook1> some traffic is between client 18:32 -!- jeiworth [n=jeiworth@189.163.146.103] has joined ##openvpn 18:32 < BillyCrook1> clients 18:33 -!- syntaxcollector [n=syntaxco@S010600120188d200.vc.shawcable.net] has quit [] 18:33 < BillyCrook1> I'm basically acting as a post office, but if the sender and receiver are connected at the same time, eventually, I want the sender to send it through me to them in one go 18:33 < moldenauer> |Mike|: what app? 18:33 < moldenauer> |Mike|: i use console software everywhere, even my desktop, gui distracts me 18:33 < moldenauer> im OCD. 18:34 < BillyCrook1> maybe even set up some way for the clients to set up a tunnel just between themselves during that operation to save my bandwidth for other users 18:34 < |Mike|> looks like my network BillyCrook1 :D 18:34 < Casandrax> MoldenBilly: Bind is perfect. DJ Bernsteins disco has no merit. 18:34 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:34 < moldenauer> lol 18:34 < moldenauer> Casandrax: yeah sure! 
:P 18:34 < Casandrax> :) 18:35 < Casandrax> moold :P 18:35 < BillyCrook1> |Mike|: OpenVPN 3.0 should have some sort of client map that the server sends back out to each client when they connect that tells them of all the other publicly accessible clients, which would themselves become servers 18:35 < |Mike|> moldenauer: i've no idea how they are named, but must be more faggisch than directadmin or cfagpanel :D 18:36 < BillyCrook1> |Mike|: akin to instant messaging, and the 'direct connections' used therein for file transfers between people when one or both have publicly routable ips 18:36 < Casandrax> Lol! 18:36 < moldenauer> |Mike|: but what are you referring to? 18:36 < |Mike|> moldenauer: crap 18:37 < moldenauer> |Mike|: web hosting craps are horrible, webmin etc 18:37 < |Mike|> i was referring to that :P 18:37 < moldenauer> AND PERL 18:37 < moldenauer> . 18:37 * moldenauer ducks 18:37 < |Mike|> perldoc <3 18:37 < moldenauer> yeah perl is documented perfectly 18:38 < Casandrax> hehe 18:38 < moldenauer> but perl was retrieved from the ufo which crashed in roosevelt 18:38 < |Mike|> BillyCrook1: heh, are you insane ? you might want to use the msn version of irssi (forgot how it was named) 18:38 < BillyCrook1> ? 18:38 < Casandrax> Was it a Moolded ufo ? :) 18:38 < |Mike|> instant messenger 18:39 < |Mike|> look-a-like, but it's irc. (and your traffic is encrypted .) 18:39 < moldenauer> BillyCrook1: cat file | nc target port 18:39 < BillyCrook1> |Mike|: like any client that connects to the server, the server would try to connect back. And if it could reach the client in the opposite direction, it would call that client a superclient 18:39 < moldenauer> BillyCrook1: best file transfer system ever.
18:39 < BillyCrook1> and the list of superclients would be maintained on the server, and distributed to all clients and superclients 18:39 < Casandrax> kittycatbob 18:40 < BillyCrook1> then when a client's openvpn instance had traffic to route to a superclient, it would establish a tunnel with that superclient and send it direct 18:41 -!- sodapop [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)] 18:41 < BillyCrook1> tar cjf - | nc backupserver:5555 < /dev/sda 18:41 < Casandrax> Seems he had a late-superman-movie-experience :) 18:42 < |Mike|> bash forkbombs are needed :D 18:42 < |Mike|> BillyCrook1: i'll respond later this "night" 18:42 < BillyCrook1> but probably by the time any openvpn 3.0 rolls around, ipv6 will be in full swing 18:42 < Casandrax> Like all the A, B, and Dees! 18:42 < |Mike|> who uses ipv6 here ? 18:42 < BillyCrook1> and we can all look past this vpn heresy 18:43 < BillyCrook1> I pester each of my ISPs, VPS's, and Colo's about it quarterly 18:43 < |Mike|> you never used openVZ ? :) 18:43 < BillyCrook1> I'm not interested in 6to4 or hurricaine electric 18:43 < Casandrax> hurricaine electric is cool 18:44 < |Mike|> unstable crap 18:44 < Casandrax> cane 18:44 < BillyCrook1> lets route all my traffic through some third party I don't have an SLA with. Right.... 18:44 < moldenauer> BillyCrook1: you forgot the lasers and the girls with huge penises. 18:45 -!- BillyCrook1 [n=BillyCro@72.22.210.100] has left ##openvpn ["WTF"] 18:45 < Casandrax> So, hurricane gov is at it again eh ? 18:45 < Casandrax> tsk tsk 18:46 < Casandrax> Im to play, therefore i am :P 18:47 < moldenauer> someone bash.org this right away please 18:47 < moldenauer> i knew i was too hardcore for freenode, all those years in troll infested private networks. sigh. 18:47 < moldenauer> good to know im still in shape, gentlemen. 18:47 * moldenauer instructs Dimitri to turn up the internationale 18:47 < Casandrax> Do you really think private means private ?
18:47 < moldenauer> im reading this http://www.usenix.org/events/sec04/tech/full_papers/sailer/sailer_html/node21.html 18:48 < vpnHelper> Title: Discussion (at www.usenix.org) 18:48 < moldenauer> well 18:48 < Casandrax> LOL 18:48 < moldenauer> sure it doesnt 18:48 < moldenauer> but i can, in all honesty, assure you ive been in really screwed up networks. 18:48 < Casandrax> Then you have learnt the unlearnest' 18:48 < moldenauer> i was klined for years once in one unless i restrained myself to a channel only known as #pr0n 18:49 < Casandrax> Switch lines ? 18:49 < moldenauer> girls with penises were the least problematic thing you could experience there 18:49 < ryanrhee90> reiffert, you still here? 18:49 < ryanrhee90> i have my server up now 18:49 < Casandrax> Ryan! :) 18:50 < ryanrhee90> casandrax: hi? 18:50 < |Mike|> ryanrhee90: congratulations 18:50 < ryanrhee90> what's going on? 18:50 < Casandrax> Hi. 18:50 < ryanrhee90> Hi 18:50 < ryanrhee90> Is reiffert around? 18:51 < ryanrhee90> he's in the room... 18:51 < Casandrax> Nothings, we like openvpn and protecting it from external evils etc. Or, well freenode 18:51 < |Mike|> ryanrhee90: you got a Q ? 18:51 < ryanrhee90> |Mike| yes, i do 18:52 < |Mike|> "shoot" 18:52 < ryanrhee90> |Mike| I have a dedicated server that's acting as my vpn server 18:52 < ryanrhee90> |Mike| and I have my home box, that's behind 2 NATs. 18:52 < ryanrhee90> |Mike| When I connect to the VPN, I get a connection, but I lose my internet connection 18:52 < ryanrhee90> |Mike| Is there a way to use my home box's internet connection while being connected to the VPN? 
18:53 < krzie> then you are overwriting your default route 18:53 < krzie> !configs 18:53 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 18:53 < |Mike|> you don't want to route all your traffic over the dedicated server, right ? 18:53 < ryanrhee90> |Mike|: yes. 18:53 < ryanrhee90> krzie: i'll post them up shortly, 18:53 < krzie> yes, openvpn by default does NOT interfere with your default route 18:53 < krzie> you did something to make that happen 18:53 < |Mike|> indeed krzie 18:54 < Casandrax> ryanrhee90: Is the vpn server on a different location ? ... Is your lan using the same lan-address as the lan on the other side ? 18:55 < |Mike|> Casandrax: doh. 18:55 < krzie> theres a few things he coulda done to cause that issue 18:55 < krzie> like using his lan subnet in server config line 18:56 < krzie> or both with same lan subnet and pushing the route over vpn 18:56 < ryanrhee90> http://pastebin.com/d280f5857 18:56 < krzie> etc etc 18:56 < |Mike|> Casandrax: subnet to subnet works if it's done properly :) 18:56 < ryanrhee90> my client is tunnelblick on OS X 18:56 < ryanrhee90> the server is running ubuntu 8.04 LTS 18:56 < ryanrhee90> casandrax: the vpn server is not physically accessible by me. (diff. location) 18:57 < ryanrhee90> the pastebin contains both server and client configs 18:57 < krzie> oh you;re bridging 18:57 < krzie> that ends the help from me 18:57 < Casandrax> |Mike|: Seems it could be proxied, yes. 18:57 < krzie> unless you decide you dont need a bridge (and most people dont) 18:57 < krzie> !tunortap 18:57 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. 
Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 18:57 < Casandrax> |Mike|: Im using bridge setups 18:58 < ryanrhee90> krzie: i need layer 3 traffic 18:58 < |Mike|> !layer3 18:58 < vpnHelper> |Mike|: Error: "layer3" is not a valid command. 18:58 < Casandrax> bridge 18:58 < |Mike|> hmz 18:58 < krzie> ryanrhee90 so you dont need a bridge 18:58 < krzie> !sample 18:58 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 18:58 < ryanrhee90> krzie: in what situation would i need a bridge? 18:58 < krzie> ryanrhee90 if you needed layer2 traffic to pass over the vpn 18:59 < Casandrax> samba browsing 18:59 < krzie> by using a bridge you add overhead as well as open yourself to layer2 attacks from the other network 18:59 < krzie> Casandrax, wrong, see !wins 18:59 < Casandrax> yeah, acknowledged 19:00 < ryanrhee90> krzie: so without a bridge, machines connected to the server would still be in the same LAN via VPN? 19:00 < Casandrax> but, thusley not wrong 19:00 < krzie> ryanrhee90 19:00 < krzie> !route 19:00 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:01 < ryanrhee90> krzie, i don't have any LANs 'behind' the openvpn 19:01 < ryanrhee90> krzie: i have one server, and two clients, all three are separated. 19:02 < krzie> ohh 19:02 < krzie> well yes, you'll be able to contact them based on VPN ip 19:02 < |Mike|> topology... :p 19:02 < ryanrhee90> krzie: so you are right, i suppose i don't need a bridge. would you help me set up my connection again without a bridge? 
19:02 < krzie> !sample 19:02 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:03 < krzie> done 19:03 < krzie> edit them to your needs 19:03 < krzie> read the man page for every config option in there 19:03 < krzie> so you know whats going on 19:03 < krzie> !man 19:03 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 19:04 < krzie> its rare that people actually need a bridge, its common that they think they do 19:04 < krzie> and for some reason people seem to always think a bridge is easier to set up, i disagree 19:05 < |Mike|> i'm sure that they are confused with a bridged / nat connection 19:05 < |Mike|> (s) 19:07 < krzie> i blame the number of bridged walkthroughs 19:07 < krzie> cause its almost never the people who actually read things like the manpage 19:07 < krzie> they almost always have some walkthrough they followed 19:08 -!- sodapop [n=sodapop@143.233.245.245] has joined ##openvpn 19:10 < sodapop> this used to work before i updated openvpn: openvpn --route-gateway x.x.x.x --redirect-gateway --config openvpn.conf, now the def gw is not getting set 19:10 < |Mike|> openvpn.conf got overwritten ? 19:10 < ryanrhee90> krzie: i just deleted the dns push lines from my config and my problem was solved while the bridge was still enabled 19:10 < ryanrhee90> krzie: i think i'll just keep it this way. it doesn't hurt too much to have layer2 support ^^ 19:11 < sodapop> |Mike|: no 19:11 < |Mike|> what error did you get ? 19:12 < sodapop> this is at the client, no errors 19:13 < sodapop> sorry : NOTE: unable to redirect default gateway -- Cannot read current default gateway from system 19:13 < Casandrax> !Hornswagglez Mr-Snuggles! 19:13 < vpnHelper> Casandrax: Error: "Hornswagglez" is not a valid command. 
19:13 < sodapop> hmmm 19:13 < |Mike|> !all 19:13 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 19:13 -!- Casandrax [n=Casandra@host-90-233-151-14.mobileonline.telia.com] has quit ["Omgsauwee !"] 19:14 < |Mike|> sodapop: someone else might want to help you, i'm going to sleep :) 19:14 < sodapop> |Mike|: no problem , thanks anyway 19:15 -!- sodapop [n=sodapop@143.233.245.245] has quit ["WeeChat 0.3.0"] 19:40 < ryanrhee90> hi all 19:40 < ryanrhee90> if i have two clients connected to an openVPN server, from two separate locations 19:40 < ryanrhee90> is it possible that one can ssh into the other using the VPN connection? 19:41 < ryanrhee90> The clients can ping each other's VPN IP address, but an ssh command says port 22: operation timed out 19:43 < techqbert> ryanrhee90: it seems likely though i'm just a new admin to openvpn. have you made sure client to client in the server .conf is allowed? 19:43 < ryanrhee90> techgbert: yes, that's why i'm able to ping from client to client 19:45 < techqbert> any other services work? 19:46 < ryanrhee90> hrm. which ones shall i try? 19:46 < ryanrhee90> techgbert 19:48 < techqbert> ftp sftp www cifs nfs 19:49 < ryanrhee90> http works 19:50 < ryanrhee90> techgbert: ftp gets a connection refused 19:51 < ryanrhee90> ah! it works now. :) 19:51 < techqbert> how about your /etc/hosts.allow. on arch linux i need a 192. and 10. entry 19:51 < ryanrhee90> i think my vpn server was lagging for a moment. 19:51 < techqbert> ;) 19:51 < ryanrhee90> techgbert: thanks anyway! 
:) 19:51 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn [] 19:53 -!- sodapop [n=sodapop@143.233.245.245] has joined ##openvpn 19:54 -!- fr33m4n [n=fr33m4n@ip-118-90-135-0.xdsl.xnet.co.nz] has joined ##openvpn 19:56 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn 19:58 -!- fr33m4n [n=fr33m4n@ip-118-90-135-0.xdsl.xnet.co.nz] has left ##openvpn [] 19:59 < sodapop1> any idea what error 7 is in ERROR: Linux route add command failed: external program exited with error status: 7 19:59 < sodapop1> are these documented ? 20:14 -!- sodapop [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)] 20:15 < krzie> the error 7 comes from the linux route command, not from openvpn 20:15 < krzie> openvpn passes it on to you 20:16 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:17 < krzie> sodapop1, are you starting openvpn as root? 20:20 < sodapop1> krzie: no, as user nobody 20:20 < krzie> it MUST be started as root 20:20 < krzie> see --user and --group for dropping privs after starting 20:21 < sodapop1> sorry, i didnt understand. yes, i start it as root 20:21 < sodapop1> i think the problem is related to this http://openvpn.net/archive/openvpn-users/2005-03/msg00705.html 20:21 < vpnHelper> Title: [Openvpn-users] OpenVPN 2.0-rc19 released (at openvpn.net) 20:22 < sodapop1> last paragraph 20:23 < krzie> !configs 20:23 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:45 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has joined ##openvpn 21:01 -!- jeiworth [n=jeiworth@189.163.146.103] has quit [Connection timed out] 21:11 -!- MadTBone [n=MadTBone@160.39.238.196] has quit ["Leaving"] 21:11 -!- master_of_master [i=master_o@p549D42FB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:15 
-!- master_of_master [i=master_o@p549D4016.dip.t-dialin.net] has joined ##openvpn 21:21 -!- tjz [n=tjz@121.7.20.94] has joined ##openvpn 21:26 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 113 (No route to host)] 21:30 -!- yxa [n=lonari@58.185.90.101] has joined ##openvpn 21:30 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 21:30 < yxa> can openvpn 2.0.x be configured to only allow clients to connect during certain time of day? 21:32 < moldenauer> heh, use iptables for that 21:32 < moldenauer> you can limit access to the openvpn service with plenty of stuff 21:32 < moldenauer> heck, even a cronjob 21:33 < moldenauer> possibly an auth plugin too 21:33 < moldenauer> but it's overkill 21:34 < yxa> a cronjob is only useful if the server is only serving clients. if it does permanent connections as well, it won't work 22:16 -!- phatf1sh [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has joined ##openvpn 22:19 -!- phatfish [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has quit [Read error: 60 (Operation timed out)] 22:33 -!- yxa [n=lonari@58.185.90.101] has quit [] 23:05 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:29 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)] 23:30 -!- ashley_ [n=ashley@188-23-77-69.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 23:30 -!- ashley__ [n=ashley@93-82-6-99.adsl.highway.telekom.at] has joined ##openvpn --- Day changed Thu Sep 10 2009 00:24 < moldenauer> anyone here with experience on kvm + running within the openvpn subnet? 00:25 < moldenauer> should work out of the box i guess 00:27 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:55 -!- hyper__ch [n=hyper@adsl-84-226-164-242.adslplus.ch] has joined ##openvpn 00:55 -!- hyper_ch [n=hyper@adsl-89-217-80-123.adslplus.ch] has quit [Nick collision from services.] 
00:55 -!- hyper__ch is now known as hyper_ch 01:09 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:10 -!- gregd [n=gregd720@98.143.155.131] has joined ##openvpn 01:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 01:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 01:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 01:55 -!- ashley__ [n=ashley@93-82-6-99.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 01:57 -!- ashley__ [n=ashley@93-82-6-99.adsl.highway.telekom.at] has joined ##openvpn 02:08 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn 02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:42 < dazo> moldenauer: good morning (at least if you're in Europe :-P) ... how did it work out for you yesterday? 02:45 < moldenauer> hey dazo 02:45 < moldenauer> dazo: havent gone to sleep yet, hacking some code up and setting up random stuff. openvpn is working perfectly, havent messed with firewalling yet 02:46 < dazo> moldenauer: cool! Nice to hear you managed to make it play nicely :) 02:47 < dazo> moldenauer: was just curious, as you had some Vista issues yesterday 02:48 < moldenauer> just a mistake on my end 02:48 < moldenauer> create d bridge manually when there was no need 02:51 < dazo> ahh! 
I see 03:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:23 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn 03:30 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 03:37 -!- fkr [i=fkr@news.bytemine.net] has quit [Remote closed the connection] 04:19 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)] 04:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:45 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 04:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 04:47 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Remote closed the connection] 04:47 -!- garnser [n=jpeterss@gw2.mysql.com] has joined ##openvpn 04:53 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 05:30 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn 05:47 -!- plantain [n=plantain@unaffiliated/plantain] has joined ##openvpn 05:47 < plantain> I'm getting "recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115)" when trying to push openvpn over a socks proxy - ideas? 
05:57 -!- mirco__ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 06:13 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:13 -!- mirco__ is now known as mirco 06:35 -!- ashley__ [n=ashley@93-82-6-99.adsl.highway.telekom.at] has quit ["Leaving"] 06:41 -!- brizly [n=brizly_v@p4FC99FAE.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:41 -!- brizly [n=brizly_v@p4FC99DE0.dip0.t-ipconnect.de] has joined ##openvpn 06:44 < ecrist> good morning 06:49 -!- dlynes [n=daniel@bas5-hamilton14-1242444747.dsl.bell.ca] has joined ##openvpn 06:52 -!- mbrevda [n=mbrevda@unaffiliated/mbrevda] has joined ##openvpn 06:52 < mbrevda> !forum 06:52 < vpnHelper> mbrevda: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 06:54 < mbrevda> hello. I'm setting up a site-to-site tunnel. question is: how do I configure iptables on the remote site? Am I supposed to use nat? do I just do allow in/allow out? 06:59 < dlynes> Are there any core differences between 2.0.9 and 2.1_rc11? I've had everything working just peachy keen using 2.0.9 in Slackware, but then decided to use package management in Debian, and for whatever reason they decided to use a release candidate 07:00 < dlynes> mbrevda: you need to enable forwarding, you need to set up your nat to allow access to the lan from the tun device, and you also need to push a route to it, to the client side 07:00 < dlynes> mbrevda: so, there are three things you need to do 07:00 < dlynes> mbrevda: the forwarding and nat are set up on the openvpn server side, not the client 07:01 < mbrevda> I'm not the server admin and would rather not mess with it, so my focus is on the client side. is there anything special that needs to be done in iptables to accommodate the tun devices? 
07:02 < dlynes> mbrevda: Only thing you need to do on the client side (and maybe you don't even need to do it), is port forward udp 1194 to the client machine 07:03 < mbrevda> hmm, the client machine is the local gateway/router, so if I'm not mistaken, that won't be necessary 07:04 < dlynes> mbrevda: I've always port forwarded that port, and it was so long ago that I set up my first install that I can't remember if I started that because openvpn doesn't open up the port on the router by keeping traffic going across it, or not 07:04 < dlynes> mbrevda: You still need to make sure that you're opening that port up, and not blocking traffic on it, with the firewall rules 07:06 < mbrevda> hmm, i have 'regular' forward rules (meaning nat for the network) is that enough 07:06 < mbrevda> ? 07:06 < dlynes> mbrevda: i thought you said openvpn was running on your router? 07:06 < mbrevda> right 07:06 < mbrevda> as a client 07:06 < dlynes> mbrevda: assuming you're using iptables on your router 07:06 < mbrevda> i am 07:07 < dlynes> mbrevda: then you would need 'allow' rules on your 'input' interface 07:07 < dlynes> mbrevda: nothing to do with your 'forward' chain 07:07 < dlynes> mbrevda: sorry s/interface/chain 07:07 < mbrevda> hmm 07:08 < dlynes> mbrevda: I'm guessing you don't understand iptables very well? 07:08 < mbrevda> I'm ok (more or less), just trying to understand how ovpn fits in the picture 07:09 < mbrevda> are you saying I need something like: -A INOUT -i tun0 -j ACCEPT? 07:09 < mbrevda> *INPUT 07:09 < dlynes> mbrevda: I was just thinking because it seems like you're a bit of a novice at iptables...so i was thinking you might consider something like shorewall to make your life easier 07:10 < dlynes> mbrevda: are you trying to route your LAN on the client side onto the LAN on the server side, and vice versa? 07:10 < mbrevda> neh, I'd rather learn. 
I've got my iptables set up pretty much the way I like it 07:10 < mbrevda> basically 07:10 < dlynes> ah....completely different story, then 07:10 < mbrevda> :) 07:10 < dlynes> You need to have it set up the same way as the server side, then 07:10 < mbrevda> meaning? 07:10 < dlynes> So the three steps I mentioned earlier 07:11 < dlynes> But even then 07:11 < dlynes> I don't know if it'll work with the 'push route ...', because I've never actually tried it 07:12 < dlynes> But you'll need the forwarding, and firewall rules to forward traffic from the tun device to the LAN, and vice-versa 07:12 < mbrevda> so masquerading in both directions then? 07:12 < dlynes> by forwarding I mean echo "1" > /proc/sys/net/ipv4/ip_forward 07:12 < dlynes> no, not masquerading 07:12 < dlynes> If you do that, nothing you want to work will work 07:13 < dlynes> because it 'masq''s the LAN address, to appear as if you're coming from the router address 07:13 < mbrevda> hmm, so I treat the tun as a local device then, and just open it to INPUT/OUTPUT? 07:14 < dlynes> Treat the tun device like a LAN ethernet device 07:14 < mbrevda> right. 07:14 < dlynes> So that you're forwarding traffic from one LAN subnet to another 07:14 * mbrevda goes to try 07:14 < dlynes> However 07:15 < mbrevda> funny, it seems that I can ping some of the remote servers even before I set up iptables - does that make sense? 07:15 < dlynes> You probably want 'push route my.lan.subnet.address my.lan.subnet.mask' as well, so that the other side can see your lan 07:15 < dlynes> mbrevda: of course...your iptables has nothing to do with you pinging the remote side 07:15 < dlynes> mbrevda: you're pinging the remote side from your router, correct? 
07:15 < mbrevda> well - if there is no rule allowing the traffic, shouldn't it be blocked 07:15 < mbrevda> correct 07:16 < dlynes> mbrevda: the rule allowing or preventing that will be on the server side, not your side 07:16 < dlynes> mbrevda: the rule allowing or preventing the server side from doing that to your side will be on your side 07:16 < dlynes> understand? 07:19 < dlynes> mbrevda: I guess we're the only two alive in this channel? 07:19 < mbrevda> not 100%... seems so. 07:19 < mbrevda> hmm, so how do I test if opening the ports worked? 07:20 < dlynes> ping your client side lan from the server side lan 07:20 < mbrevda> ssh seems to be getting passed! so I take it that works then 07:20 < dlynes> probably 07:20 < dlynes> mind if I ask which version of openvpn you're running? 07:21 < mbrevda> one sec, I'll check 07:21 < mbrevda> 2.0.9 07:22 < dlynes> ah 07:22 < dlynes> ok 07:22 < dlynes> I'm just having issues getting 2.1rc to work 07:22 < dlynes> I was hoping that if you were running one of the rc's, that I could find out from you what you did to get it to work 07:22 < dlynes> I've never had a problem with 2.0.9 07:23 < dlynes> but 2.1rc11 doesn't seem to work properly 07:25 < dlynes> ah 07:26 < dlynes> Seems it was a bug that got fixed in 2.1rc14 07:26 < dlynes> So I wonder why Debian would package it for lenny, then 07:26 < dlynes> hrm... 07:26 < mbrevda> sorry, I'm a whole 15 minutes into openvpn... 07:27 < dlynes> Yeah...anyways I think i'm going to go back to compiling openvpn from source, then 07:27 < dlynes> Forget this release candidate stuff 07:27 < dlynes> 2.0.9 I know works 07:28 < mbrevda> question: re: iptables: input is local lan -> vpn lan? 07:29 < mbrevda> output is local lan <- vpn lan? 
07:31 -!- gregd [n=gregd720@98.143.155.131] has quit ["Leaving"] 07:31 < mbrevda> dlynes: ^^^ 07:32 < dlynes> mbrevda: input is where 'traffic comes in'....so input would be coming in on WAN, or coming in on LAN, or coming in on TUN 07:32 < dlynes> mbrevda: output would be where 'traffic goes out', so output would be going out on WAN, or going out on LAN or going out on TUN 07:32 < mbrevda> so that means that if I accept, the vpn has access to my network, right? 07:32 < mbrevda> I dont think I need that open 07:32 < dlynes> correct 07:33 < dlynes> Ah...thought you wanted the two lan segments to be bidirectional 07:33 < dlynes> And that's why you were installing openvpn on the router 07:33 < mbrevda> at first I did. 07:33 < dlynes> Ok, so you only want it having access to the router? nothing else? 07:33 < mbrevda> I want it on the router because I need the entire network to have access, not just one pc 07:34 < dlynes> ah 07:34 < dlynes> So what you want then is a masq rule 07:34 < dlynes> and forward rules 07:34 < mbrevda> lol. that's what I said originally :) 07:34 < dlynes> and input/output rules for the firewall, but not for the lan 07:35 < mbrevda> what do you mean, for the firewall? accept for the firewall? 07:35 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 07:35 < dlynes> so allow lan => vpn (masq'd), allow firewall => vpn, allow vpn => firewall, allow wan => firewall, allow firewall => wan 07:36 < dlynes> firewall = router 07:36 < dlynes> iow, just the router ip addresses 07:36 < dlynes> So say the router has 10.8.1.5 07:36 < mbrevda> dont want vpn => firewall 07:36 < dlynes> But, you probably don't know what ip it'll have on the tun device 07:37 < mbrevda> so? 07:37 < mbrevda> let's start with the masq: what's that look like? 07:38 < mbrevda> -A -i tun0 -o eth0 -j foo?, -A -i eth0 -o tun0 -j foo? 
07:38 < dlynes> I usually use shorewall, so I don't have to deal with all the iptables rulesets :) 07:38 < dlynes> I just know whether it's going to be a forward, an input, or an output 07:38 < mbrevda> k 07:39 < dlynes> The world was nice and simple when ipchains was still around...iptables confused the hell out of me, for the most part 07:41 < teddymills> ipchains was weird...iptables runs each rule in order 07:41 < dlynes> teddymills: yeah, but ipchains was simpler 07:42 < teddymills> better tools, better precision 07:42 < dlynes> teddymills: I ended up just giving up on trying to figure out how to get masquerading working with iptables, using command line 07:42 < dlynes> teddymills: that's when I found shorewall, and life has been vastly improved ever since :) 07:43 < teddymills> most people leave iptables up to the pros..and use ipcop, smoothwall, untangle...and manage the iptables via a real simple web gui 07:43 < dlynes> teddymills: yeah...shorewall uses config files 07:44 < mbrevda> if only there were a simple gui that could be slapped on top of iptables 07:44 < dlynes> teddymills: I find the guis almost as confusing as running iptables from the command line 07:44 * mbrevda wonders why no such project exists 07:44 < teddymills> i dont like iptables rules either..but it is necessary to be able to do so, if no web gui available 07:44 < dlynes> teddymills: because for the most part the terminology the web guis use doesn't make any sense 07:45 < dlynes> teddymills: it's like moving from source based asterisk to using a gui like freepbx 07:45 < dlynes> teddymills: they rename all the terminology so badly that you don't know which way is up 07:45 < teddymills> http://www.youtube.com/watch?v=ldB8kDEtTZA 07:45 < vpnHelper> Title: YouTube - Mastering IPTables, Part I (at www.youtube.com) 07:45 * mbrevda has been comparing it to freepbx for ages 07:46 < mbrevda> shame there is no such project! 
07:46 < mbrevda> was actually thinking of incorporating it with freepbx 07:46 < dlynes> ewwww 07:47 < mbrevda> yup, that's why I didn't bother. Perhaps there will be room for that in fpbx 3.0 07:48 < mbrevda> how can I see a list of the clients connected to the vpn? 07:55 < dlynes> mbrevda: check your log? 07:56 < dlynes> mbrevda: assuming you used that config directive :) 07:56 < mbrevda> no better way?! 07:56 < dlynes> mbrevda: not that i know of, no 07:56 < dlynes> mbrevda: but I'm far from being an openvpn expert 07:59 < mbrevda> thanks a lot guys 07:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 07:59 -!- KermitTheFragger [n=KermitTh@118-197.bbned.dsl.internl.net] has joined ##openvpn 08:00 < KermitTheFragger> hi all 08:00 < dlynes> mbrevda: there might be some third party log analysis tools that might tell you though 08:00 < dlynes> howdy ho, kermitty frogger 08:00 < KermitTheFragger> hi dlynes :) 08:00 < mbrevda> thanks all, I hope that's all for today 08:00 -!- mbrevda [n=mbrevda@unaffiliated/mbrevda] has left ##openvpn [] 08:01 < KermitTheFragger> I'm currently using the normal openvpn client 08:01 < dlynes> KermitTheFragger: Just ask your question :) 08:01 < KermitTheFragger> dlynes: all right, here it comes :) 08:02 < KermitTheFragger> but im looking for a bit of a lightweight client, one that doesn't need a driver installed 08:02 < KermitTheFragger> im thinking something along the lines of a user space application which connects to the vpn and starts listening on a port which acts as an HTTP proxy 08:02 < KermitTheFragger> am i making any sense ? 08:03 < dlynes> yeah...i have no idea though 08:03 < dlynes> you're talking about a client for windows, right? 08:03 < KermitTheFragger> yeah could be windows 08:03 < KermitTheFragger> or perhaps a java client 08:03 < dlynes> and placing an extra burden on the server? 
08:03 < KermitTheFragger> no the server wouldnt have to know about it 08:04 < dlynes> you were mentioning something about an http proxy, though 08:04 < KermitTheFragger> what i mean is the client application connects normally to the openvpn server 08:04 < KermitTheFragger> but on the client side, the client application starts a local HTTP proxy 08:04 < KermitTheFragger> which i can direct other application to 08:05 < KermitTheFragger> that way i wouldnt need any root / administrator rights on the client side 08:05 < dlynes> And what does the http proxy do, that the tunnel doesn't already do? 08:06 < dlynes> because you're talking about still setting up the tunnel, which requires setting up a tap device, which requires admin privileges 08:06 < dlynes> if you want any kind of vpn on a windows box, you need admin privileges 08:06 < KermitTheFragger> why does the client need the tap device to setup the tunnel ? 08:06 < dlynes> if you want any kind of network routing set up on a linux box, you need root privilege 08:06 < KermitTheFragger> but you wouldnt set the routing then 08:07 < KermitTheFragger> you would direct some applications to the http proxy 08:07 < dlynes> KermitTheFragger: then effectively you've got an openvpn sized paperweight 08:07 < KermitTheFragger> firefox for example 08:07 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:07 < KermitTheFragger> thats the idea :) 08:07 < dlynes> i c...but you still need set up the tun device, to be able to create the network for openvpn 08:08 < KermitTheFragger> why do you need the tun device ? 08:08 < dlynes> i.e. 
openvpn could just as easily use a tap device too, but it decided on a tun device 08:08 < dlynes> KermitTheFragger: think of it like a virtual network interface 08:08 < KermitTheFragger> under the hood openvpn uses some kind of protocol 08:08 < dlynes> KermitTheFragger: you can't have a network without a network device 08:08 < KermitTheFragger> why couldn't an application speak this protocol directly 08:09 < KermitTheFragger> wouldn't it be possible to create some sort of pseudo network in the application ? 08:09 < dlynes> KermitTheFragger: well, I'm sure you're more than welcome to fork openvpn to create a non-vpn/proxy version of it 08:10 < KermitTheFragger> dlynes: well i think forking wouldn't be needed, since im really looking to solve this on the client side 08:10 < dlynes> KermitTheFragger: but my time is worth enough that I would rather just set up two vpn routers between the two sides, instead 08:11 < dlynes> KermitTheFragger: and then have one windows box with a proxy server on it, that has access to the additional vpn router 08:11 < dlynes> KermitTheFragger: but, if you're going to go through all that hassle anyways 08:11 < dlynes> KermitTheFragger: you probably already have admin privs 08:11 < KermitTheFragger> dlynes: hmm yeah maybe im thinking too complicated 08:12 < KermitTheFragger> dlynes: it just occurred to me that what i want could probably be done with apache and mod_proxy 08:14 < KermitTheFragger> awfully silent after I mentioned the A word.... :-) 08:16 < KermitTheFragger> dlynes: but aside from all the theory we just spewed out :) Besides the standard openvpn client, there is no more lightweight version ? 08:20 < dlynes> KermitTheFragger: not that i know of, no 08:20 < dlynes> KermitTheFragger: wife just woke up...she became more important :) 08:20 < dlynes> had nothing to do with apache 08:20 < KermitTheFragger> dlynes: lol :) well thx for the insights! 
im going to ponder a bit more on this issue 08:21 < dlynes> KermitTheFragger: but like i said...you could fork the openvpn code to come up with a client version capable of doing what you want to do 08:21 < dlynes> KermitTheFragger: and then use the standard server version 08:21 < ecrist> hello, bitches 08:22 * dlynes points at KermitTheFragger 08:22 * KermitTheFragger is one bad bitch 08:22 < dlynes> KermitTheFragger's in full prison drag 08:22 < KermitTheFragger> lol 08:22 * KermitTheFragger lost his soap 08:23 < KermitTheFragger> dlynes: well i would probably make a java version of it, since it would run on any platform 08:23 < KermitTheFragger> i dont know how complicated or not the openvpn protocol is btw 08:23 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 08:23 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 08:23 < KermitTheFragger> as i understand it its mostly TLS/SSL with some special handshaking 08:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:24 < dlynes> aha 08:24 < ecrist> *shudder* 08:24 < ecrist> java 08:24 < dlynes> openvpn's working again now that I downgraded/upgraded to 2.0.9 08:25 < KermitTheFragger> ecrist: you've got something against java, boy ? :) 08:25 < ecrist> yes, I do. 08:25 < ecrist> two words: memory leaks 08:26 < KermitTheFragger> you can't have memory leaks in java 08:26 < KermitTheFragger> at worst you can not free a resource and have it not garbage collected 08:27 < Optic> moo 08:27 < ecrist> KermitTheFragger: I have servers running java apps that would say otherwise. 08:27 < KermitTheFragger> you mean out of heap space ? 08:28 < ecrist> isn't that memory? 
08:28 < KermitTheFragger> no its not the same thing
08:28 < ecrist> I'm talking about memory
08:28 < KermitTheFragger> with java you the sysadmin predefine the max amount of memory the JVM is allowed to use
08:29 < KermitTheFragger> if thats not enough for the app, then you get a out of heap space exception
08:29 < ecrist> application X takes Y amount of memory at start. In Z amount of time, it's consuming W amount of memory, and never frees it.
08:29 < ecrist> that's not what I'm talking about
08:29 < KermitTheFragger> then thats a resource leak in the application
08:29 < KermitTheFragger> not a memory leak
08:29 < ecrist> now you're arguing semantics
08:29 < KermitTheFragger> leaked memory can never be reclaimed
08:29 < ecrist> the resource is memory
08:29 < ecrist> memory leak
08:29 < KermitTheFragger> if you lose a pointer in C, the mem is gone
08:30 < KermitTheFragger> alright lets call it a memory leak, for simplicities sake, what does that have to do with java ?
08:30 < ecrist> every java app I'm forced to run has memory leaks
08:30 < KermitTheFragger> how is it Java's fault the application sucks :)
08:30 < ecrist> every java app I'm forced to run has memory leaks
08:31 < ecrist> it's so common with java apps, I feel comfortable blaming it on java
08:31 < KermitTheFragger> lol
08:31 < ecrist> not only that, but java is slow, takes extra time to start up, and is a pain in the ass to get properly installed in a server environment
08:31 < ecrist> and to keep updated.
08:32 < KermitTheFragger> well java might have extra startup time for the JVM overhead, but in runtime it performs the same and in some cases faster then native compiled C applications
08:32 < KermitTheFragger> its been ever so since the JIT compiler was introduced
08:32 < KermitTheFragger> besides
08:33 < KermitTheFragger> you can also compile java applications AOT
08:33 < KermitTheFragger> with GCJ or Excelsior JET
08:33 < ecrist> meh, regardless, I hate java, and don't see that opinion changing any time soon. ;)
08:34 < KermitTheFragger> lol :)
08:36 < KermitTheFragger> ecrist: I recommend you buy a copy of YourKit (Java Profiler) for the next birthday of the dev who made your applications :)
08:36 < KermitTheFragger> if someone gave me a copy i certainly wouldn't take it as a a compliment...... :)
08:58 < dlynes> KermitTheFragger: you know why that is, right? i.e. compiled java being faster than native compiled C apps?
08:58 < KermitTheFragger> dlynes: compiled to bytecode or to native ?
08:58 < dlynes> KermitTheFragger: The people making that statement are using fresh university graduates to write both, and the java compiler makes up for shitty programmers, and the c compiler doesn't
08:59 < dlynes> KermitTheFragger: if instead, they used programmers that knew how to optimize c code well, the c code would easily outperform the java code
09:00 < dlynes> cookie cutter programming has never been optimal
09:00 < dlynes> C also has a lot more flexibility to code in different styles...java...less so
09:01 < dlynes> So, you can choose to write non-optimally, sloppy, optimally, or close to machine language if you wish
09:01 < dlynes> It's your choice
09:01 < dlynes> Too many factors affecting how fast the C code is to do a fair comparison
09:02 < KermitTheFragger> dlynes: if with flexibility you mean memory management you might as well use assembler
09:02 < KermitTheFragger> then you are REALLY flexible
09:02 < dlynes> Yes...I'm going to write a few hundred thousand line program in assembler
09:02 < dlynes> Not freaking likely
09:03 < KermitTheFragger> same goes for C, there is no C equivalent of Java EE
09:04 < dlynes> Of course not
09:04 < dlynes> I wouldn't try to write stuff like that in C, either
09:04 < dlynes> That's perfect code for cookie cutter programmers
09:04 < dlynes> It's same monotonous shit over and over again
09:05 < dlynes> One of the biggest reasons I became a sysadmin after being a programmer for many years
09:05 < dlynes> I got tired of writing that monotonous shit
09:05 < dlynes> And database programming
09:05 < dlynes> *cringe*
09:06 < KermitTheFragger> and what isnt monotonous ? everything becomes monotonous, ive programmed all kind of stuff, Asterisk PBX stuff (Reverse engineering cisco protocols), Java ERP, Linux kernel
09:06 < KermitTheFragger> it all becomes monotonous after a couple of weeks
09:06 < KermitTheFragger> when the new and shinny has vanished
09:06 < dlynes> Asterisk isn't boring...it's just retarded :)
09:07 < dlynes> app_voicemail.so and app_dial.so is some of the worst code I've seen since rzsz.c :)
09:07 < KermitTheFragger> i can tell you this, when i was doing Asterisk, i would have paid a 1000 dollars cash to have it been written in Java instead of C....what a pain that was
09:08 < dlynes> but yeah...I know what you mean...after a month of working on the same code, you want to stop and do something else
09:08 < KermitTheFragger> atleast with Java you have some powerfull stuff for debugging, since it is in a sandbox
09:08 < dlynes> KermitTheFragger: what's wrong with gdb?
09:08 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)]
09:09 < KermitTheFragger> gdb with C can't do all the tricks you can with a sandboxed languange like Java or C#
09:09 < KermitTheFragger> like hot code replacement
09:09 < dlynes> Or you mean something more like Forte, Netbeans, Eclipse, Microsoft Develper Studio?
09:09 < KermitTheFragger> of the indepth profiling
09:09 < KermitTheFragger> *of = or
09:10 < dlynes> KermitTheFragger: the indepth profiling you can do in Watcom C, using Watcom Profiler...I don't know why gnu doesn't have a similar profiler
09:10 < dlynes> And Watcom's profiler is way better than anything I've seen in C# or Java
09:10 < dlynes> but the hot code replacement is useful...I just don't know how useful
09:11 < dlynes> never used it much
09:11 < KermitTheFragger> its just a example
09:11 < dlynes> KermitTheFragger: but i will give you one thing
09:11 < dlynes> KermitTheFragger: Java is a lot more readable than C
09:12 < dlynes> Even if it's the crappiest programmer in the world that's writing the Java code
09:12 < KermitTheFragger> that is what i was referring to with asterisk :)
09:12 < dlynes> C can be right up there with Perl for unreadability
09:12 < dlynes> KermitTheFragger: yeah...and then some doofus decides that 'goto' is a good way to write code
09:13 < KermitTheFragger> i've managed to stay pretty clear of perl so far.... :)
09:13 < KermitTheFragger> lol, yeah
09:13 < dlynes> I'm surprised he hasn't pulled a chuck forsberg and used longjmp and setjmp :)
09:13 < KermitTheFragger> lol
09:14 < KermitTheFragger> i once spotted the strictfp keyword in a java app
09:14 < KermitTheFragger> when i asked the guy about it
09:14 < dlynes> never heard of it
09:14 < KermitTheFragger> he didnt have a clue where it was for, he just thought it looked cool :)
09:14 < KermitTheFragger> with strictftp java adheres the REAL floating point standard
09:14 < dlynes> but then again...I've only ever used Java for J2EE
09:14 < dlynes> a little bit for awt and swing (when I was learning), but that was it
09:14 < KermitTheFragger> even though the underlying platform might be capable of a bigger precision
09:14 < dazo> dlynes: if you write unreadable C code .... you're not a C coder
09:15 < dlynes> dazo: heh
09:15 < KermitTheFragger> dazo: if you write unreadable code in any language, your not a coder
09:16 < dlynes> KermitTheFragger: I've gotta deal constantly with coders that are oblivious to security issues, and they don't seem to care about it either...when I mention it, they think I'm personally insulting them ...
09:16 < dazo> dlynes: And following the code path through Java .... that's a hassle I prefer to be without ..... with x-layers of passing objects and classes before you reach the method which does the job .... in C, it would require 30% of the same code to do the same job
09:16 < dlynes> dazo: you must be getting me confused with Kermit
09:16 < KermitTheFragger> dazo: well thats a mater of preference :)
09:17 < dazo> dlynes: ahh ... true ;-)
09:17 < dazo> sorry!
09:17 < KermitTheFragger> dazo: you could probably also write it that way in Java
09:17 < dlynes> dazo: I was only mentioning stuff that j2ee is used for, is better for Java...I like using C more for pretty much anything that doesn't have tons of layers of complexity
09:17 < KermitTheFragger> over engineering is just more common in java then underengineering
09:17 < KermitTheFragger> waaaaaay more common
09:18 < dlynes> dazo: but in general, anything using ip-based sockets I'd never use Java for
09:18 < dlynes> dazo: Java's socket and nonblocking i/o implementations are flaky at best
09:19 < dlynes> dazo: in C, sockets just plain work as advertised
09:19 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
09:19 < KermitTheFragger> dlynes: one could argue that non blocking io isn't really needed these days anymore
09:19 < dlynes> KermitTheFragger: ummmm
09:19 < dazo> KermitTheFragger: uhh!?!?
09:19 < dlynes> KermitTheFragger: so you'd rather have ten thousand threads?
09:20 < KermitTheFragger> with todays kernel
09:20 < KermitTheFragger> non blocking IO doesn't offer a big performance gain
09:20 < dlynes> KermitTheFragger: I can write a single app in C, using two threads (one thread for control, and another for servicing sockets) that can handle 10,000 clients, using non-blocking sockets
09:20 < dlynes> KermitTheFragger: I can't do that in Java, and 10,000 threads just isn't practical
09:21 < KermitTheFragger> dlynes: why couldn't you do that in java ?
09:21 < dazo> KermitTheFragger: non-blocking IO is critical in today's application .... and is one core feature of all OS
09:21 < dlynes> KermitTheFragger: because Java's socket implementation is broken
09:21 < dazo> KermitTheFragger: all because of simplicity and efficiency
09:21 < dlynes> KermitTheFragger: its non-blocking sockets seem to be just blocking sockets encased in a thread
09:22 < KermitTheFragger> i've got Java NIO implementations nicely handling thousands of concurrent connections
09:22 < dlynes> KermitTheFragger: perhaps that's been fixed in Java 1.5 or 1.6 (it wasn't fixed in Java 1.2 to 1.4)
09:22 < KermitTheFragger> yeah sun got of their lazy but with java 1.5 :)
09:22 < KermitTheFragger> that was when .NET came around the corner
09:23 < KermitTheFragger> .NET 1.0 was just a copy of Java
09:23 < KermitTheFragger> but 1.5 and 2.0 actually had some good stuff
09:23 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn
09:23 < KermitTheFragger> Java 1.5 had to play catchup with .NET
09:25 < dlynes> KermitTheFragger: how much memory and horsepower do you need to do that in Java? What kind of throughput can you get on those threads?
09:26 < dlynes> KermitTheFragger: Windows, Solaris, BSD, Linux, or OS/2?
09:26 < KermitTheFragger> dlynes: i never really profiled the socket part that deeply because all holdups were caused in the backend
09:26 < KermitTheFragger> that was on Linux hosts
09:30 < KermitTheFragger> dlynes: iirc a Java NIO application was used to accommodate the .eu tld landrush
09:30 < KermitTheFragger> for example
09:31 < KermitTheFragger> dlynes: this one might be interesting for you: http://mina.apache.org/performance-test-reports.html
09:31 < vpnHelper> Title: Apache MINA - Performance Test Reports (at mina.apache.org)
09:32 < KermitTheFragger> and ofcourse you could probably tweak apache to do beter, but the point is, there is no big performance penalty
09:32 < dazo> KermitTheFragger: oh dear ... the qpid (Apache Qpid - AMQP broker) have been struggling with mina for quite some time to get the performance up-to-par with the C++ API ....
09:33 * dazo did QA for almost a year for qpid
09:33 < KermitTheFragger> dazo: well I can't help it they suck ;-)
09:33 < KermitTheFragger> j/k ofcourse
09:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:34 < KermitTheFragger> im not familiar with the implementation details of qpid
09:34 < dazo> KermitTheFragger: it was not due to plenty of bugs in mina .... and that performance increased quite drastic when cutting out mina .... unfortunately some customers required mina
09:34 < KermitTheFragger> are you sure it was a java problem ? and not a qpid problem ?
09:35 < dazo> KermitTheFragger: they did several implementations on the IO part ... with and without mina .... with support from mina people
09:36 < KermitTheFragger> why did some customers require mina ? isnt that a implementation detail ?
09:36 < dazo> might have improved since I stopped working with qpid, but at that time (dec. 2008) they were fighting with performance
09:36 -!- tjz [n=tjz@121.7.20.94] has quit ["bbl"]
09:37 < dazo> KermitTheFragger: well, I honestly don't know ... I was never in contact with the customers .... I just know the customer was important enough to get developers looking at it
09:37 < KermitTheFragger> dazo: that must be annoying as a dev :(
09:38 < dazo> yeah :)
09:38 < KermitTheFragger> i want you to use perl, to output java, which outputs C, wich outputs Javascript, which outputs HTML
09:39 < KermitTheFragger> and dont forget to correctly escape all quotes
09:39 < KermitTheFragger> :)
09:39 < dazo> I would then sell the customer a blackbox .... which took perl input and produced correct HTML out .... the customer would then not know, I skipped the "middle part" :-P
09:40 < dazo> And due to complexity .... I would increase the project budget 3-4x
09:40 < KermitTheFragger> lol
09:49 < moldenauer> btw anyone here in biochemistry or works with chemistry software? (namely substance/molecule databases)
09:52 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Read error: 104 (Connection reset by peer)]
09:56 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
09:59 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
10:00 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 145 (Connection timed out)]
10:01 < teddymills> if going thru the openvpn interface going to be slower than RDP and a its public IP? I would think so...since openvpn itlsef has to go thru the public IP...
10:02 < teddymills> is going thru the openvpn interface going to be slower than RDP and a its public IP? I would think so...since openvpn itlsef has to go thru the public IP...
10:02 < ecrist> sure, marginally
10:02 < ecrist> no need to repeat your question.
10:03 < KermitTheFragger> some folk here may use Java, but where not stupid ;-)
10:03 < KermitTheFragger> *were
10:03 < KermitTheFragger> ugly mistake :)
10:03 < teddymills> i never tooking typing course in school...man, how i could have used that all these years...i was wussy to taking typing back then
10:04 < teddymills> it was wussy..damn
10:15 < ecrist> KermitTheFragger: I think you mean "we're"
10:15 < KermitTheFragger> ecrist: thats the one!
10:16 < KermitTheFragger> should have paid more attention in English class....
10:17 < krzee> i had a teacher who was the typing instructor at my school
10:18 < krzee> she saw me typing with like 4 fingers and told me i should take her typing class
10:18 < krzee> the thing is, i had just been tested at 70WPM
10:18 < krzee> i asked her how many she types, it was like 63 WPM
10:18 < krzee> so i asked if she wanted to teach or if i should
10:19 < KermitTheFragger> how many weeks of detention did you get for that comment ?
10:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:20 < krzee> none, but eventually i was kicked out of her class permanently
10:20 < KermitTheFragger> lol, dare I ask why ?
10:21 < krzee> cause i finished all the work in the first month, and would bring in a dos game on a floppy
10:21 < krzee> and she was floppy-phobic
10:21 < krzee> "disk have virus!"
10:21 < krzee> so i scripted up a fake virus
10:22 < krzee> to look like it was erasing *
10:22 < krzee> then to play a wav of me laughing at her
10:22 < krzee> set it to run on the next kid who sat at the computer
10:22 -!- explore [n=msparker@173.57.115.183] has joined ##openvpn
10:23 < krzee> the school counselor worked it out where i still got an A
10:23 < krzee> cause i would always help him out with stuff when he needed (was a great excuse to leave classes)
10:23 < KermitTheFragger> hehe nice
10:24 < krzee> he was used to teachers either loving me or seriously hating me
10:24 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn
10:24 < krzee> cause i was relatively smart (high test grades and whatnot) but did the bare minimum of homework, and rarely paid attention unless they were interesting
10:30 < teddymills> ah yes..the classics..starting to study for midterms 3 hours before the exam :)
10:32 < zuez> !route
10:32 < vpnHelper> zuez: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:02 < krzee> teddymills, nah i just wouldnt study
11:02 < krzee> 3 hours prior ild be smoking weed
11:03 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection]
11:10 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:12 < brah> yer so cool bro
11:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:41 -!- dazo [n=dazo@62.40.79.66] has quit ["Leaving"]
11:49 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
11:56 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
11:59 -!- BillyCrook1 [n=BillyCro@72.22.210.100] has joined ##openvpn
12:15 -!- KermitTheFragger [n=KermitTh@118-197.bbned.dsl.internl.net] has quit ["Leaving"]
12:20 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:24 -!- dazo [n=dazo@nat/redhat/x-nuaioztnieklweyr] has joined ##openvpn
12:45 -!- explore [n=msparker@173.57.115.183] has quit ["leaving"]
12:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:49 < |Mike|> r
12:55 < teddymills> and thats how you end up in the openvpn irc channel
12:56 < |Mike|> oh.
13:02 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
13:02 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has joined ##openvpn
13:03 < xp_prg> hi all, I am seeing radical speed declines when I use the openvpn tunnel verses non-openvpn communication, I verify with iperf, why is it magnitudes slower?
13:03 < ryanrhee90> hi guys
13:03 < ryanrhee90> is there a way to reserve a vpn ip address for a specific machine when the server assigns IP addresses?
13:04 < |Mike|> !ccd
13:04 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
13:04 < |Mike|> ryanrhee90: ^
13:04 < ryanrhee90> |Mike|: Thanks!
13:04 < |Mike|> !secure
13:04 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
13:04 < |Mike|> hmz, i don't remember where the speed / encryption page is located
13:06 < ryanrhee90> !default
13:06 < vpnHelper> ryanrhee90: (default ) -- Returns the default value of the configuration variable .
13:06 < ryanrhee90> !config
13:06 < vpnHelper> ryanrhee90: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
13:06 < |Mike|> !all
13:06 < ryanrhee90> :( where's the default config?
13:06 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
13:06 < |Mike|> windows or *nix ?
13:07 < ryanrhee90> *nix
13:07 -!- Peste_Bubonica [n=eduardo@189.63.246.108] has joined ##openvpn
13:07 < Peste_Bubonica> Hi all...
13:07 < ryanrhee90> server ubuntu, client mac
13:07 < ryanrhee90> *clientS.
13:07 < |Mike|> there should be a directory named 'ccd' in the openvpn directory
13:07 < ryanrhee90> there wasn't, but i just created one.
13:07 < Peste_Bubonica> im creating a simple server config file.. but I dont know how to specify the host IP that will accept connections
13:07 < Peste_Bubonica> im only declaring port 5000
13:07 < |Mike|> i has to look like client1 ip,
13:07 < Peste_Bubonica> how can I specify the ip address?
13:07 < |Mike|> local ip ?
13:08 < |Mike|> !howto
13:08 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:08 < ryanrhee90> just wanted the syntax for "client-config-dir" in the server conf
13:09 < |Mike|> client-config-dir ccd
13:09 < ryanrhee90> |Mike| Thanks! And one more question, what should the config file inside ccd/ look like? i know it should be called ccd/
13:10 < ryanrhee90> |Mike| (well not literally )
13:10 < xp_prg> any good howtos on speeding up network traffic over openvpn?
13:10 < garnser> xp_prg: disable crypto
13:10 < garnser> tune mtu and fragmentation
13:10 < garnser> etc
13:10 < |Mike|> let me cat my config ryanrhee90
13:10 < xp_prg> thanks garnser :>
13:11 < |Mike|> wickedleaks /usr/local/etc/openvpn/ccd]$ cat client2
13:11 < |Mike|> iroute 192.168.1.0 255.255.255.0
13:11 < ryanrhee90> |Mike| is the iroute where you specify the ip address?
13:13 < |Mike|> hm, no
13:13 < ryanrhee90> hm...
13:13 < |Mike|> that would be stated in ipp.txt
13:13 < |Mike|> !ipp
13:13 < vpnHelper> |Mike|: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
13:13 < |Mike|> !static
13:13 < vpnHelper> |Mike|: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:13 < ryanrhee90> !iporder
13:14 < vpnHelper> ryanrhee90: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:14 < ryanrhee90> |Mike|: static seems like the way to go
13:14 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
13:15 < ryanrhee90> |Mike|: does the "ifconfig-push" also have to be in the openvpn conf file in the client machine?
13:17 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:17 < |Mike|> no, the client gets that "pushed" and will use it
13:18 < ryanrhee90> |Mike| Thanks! will try right now'
13:19 < ryanrhee90> |Mike| Works like a charm
13:19 < ryanrhee90> |Mike| Thanks again!
13:19 -!- ryanrhee90 [n=Adium@rrcs-71-42-217-13.sw.biz.rr.com] has left ##openvpn []
13:19 < |Mike|> np
13:23 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:24 -!- jeiworth [n=jeiworth@189.177.127.62] has joined ##openvpn
13:25 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 60 (Operation timed out)]
13:26 < moldenauer> back
13:26 < moldenauer> anyone here using openvpn along qemu on the same machine?
13:27 < moldenauer> i want to setup networking inside a guest and i dont have as much experience with kvm/qemu
13:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
13:45 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has joined ##openvpn
13:47 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has quit [Client Quit]
13:47 < xp_prg> anyone know how to do tcp-nodelay?
13:47 < xp_prg> do I just put that in the server.conf?
13:47 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has joined ##openvpn
13:56 < garnser> xp_prg: put it in the config
13:57 < xp_prg> I did, it didn't like it garnser
13:58 < xp_prg> OpenVPN 2.0.9
13:58 < xp_prg> is that why?
14:04 < garnser> prolly
14:04 < garnser> yeah 2.0.X doesn't support tcp-nodelay
14:05 < xp_prg> bummer ok
14:05 < ecrist> !man
14:05 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:11 < xp_prg> garnser --mlock I see this as an option but it is not clear how to put it in the config file
14:11 < xp_prg> would it be mlock=1 ?
14:11 < xp_prg> or just mlock?
14:11 < ecrist> mlock
14:12 < xp_prg> ecrist I am seeing 4 mbits/s when I use openvpn tunnel and 101 mbits/s without openvpn, something is seriously wrong
14:12 < ecrist> xp_prg: what kind of machine?
14:13 < xp_prg> linux on both sides
14:13 < xp_prg> I am up for ideas, how could it be so drastically different?
14:13 < ecrist> I can put linux on a pop machine. Is that what you're running?
14:13 < Peste_Bubonica> When I close openvpn, it try to run a iproute command, and ive got this error: RTNETLINK answers: Operation not permitted
14:14 < Peste_Bubonica> after that, I have to run the command manually, to release the peer...
14:14 < xp_prg> yes
14:14 < |Mike|> 101 mbit, lol ?
14:14 < Peste_Bubonica> If I dont do that, I can connect anymore...
14:15 < ecrist> xp_prg: you're running OpenVPN on a pop machine that's running linux?
14:15 < ecrist> sweet
14:15 < xp_prg> what is a pop machine?
14:15 < Peste_Bubonica> this is the output: http://www.pastie.org/612714
14:16 < ecrist> http://en.wikipedia.org/wiki/File:Vending_Machines.JPG
14:16 < vpnHelper> Title: File:Vending Machines.JPG - Wikipedia, the free encyclopedia (at en.wikipedia.org)
14:16 < xp_prg> ecrist want me to past my cnfig?
14:16 < xp_prg> past = paste cnfig = config
14:16 < ecrist> I'd rather have a picture of your linux-running pop machine with OpenVPN.
14:16 < ecrist> :P
14:17 < ecrist> I'd like to see proof that you're getting 101Mb without OpenVPN and 4Mbit with OpenVPN
14:17 < xp_prg> ecrist what is this with the pop machine, it is a 3u
14:18 < xp_prg> ok ecrist
14:18 < ecrist> holy crap dud
14:18 < ecrist> e
14:18 < ecrist> what kind of hardware are you running
14:18 < ecrist> I don't care what OS
14:20 < ecrist> LOL.
14:20 < ecrist> http://www.diyalarmforum.com/video/911.wmv
14:20 < ecrist> I love rednecks.
14:21 < xp_prg> http://pastebin.com/d7edd073b
14:21 < xp_prg> ecrist is that proof enough?
14:25 -!- brah [n=asdfaf@86-126-16-190.fibertel.com.ar] has quit [Read error: 110 (Connection timed out)]
14:25 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
14:27 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
14:27 < ecrist> well, looking at the other data, the '101Mbits/sec' result is obviously flawed
14:27 < ecrist> that being said, you still haven't told me what hardware you're using
14:27 < xp_prg> ecrist what does it matter, iperf is running the same
14:28 < ecrist> because, OpenVPN encrypts the traffic, putting a heavier load on either 1) your main processor, or 2) an on-board crypto-card.
14:28 < ecrist> if you're running this on a P2 @ 133Mhz, you're going to have problems.
14:28 < xp_prg> ecrist I disabled crypto
14:29 < ecrist> or a dlink router
14:29 < ecrist> etc
14:29 < xp_prg> the speed has been confirmed in other ways as well, it is not wrong
14:29 < ecrist> tcp or udp?
14:29 < xp_prg> tcp
14:29 < ecrist> !tcp
14:29 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
14:29 < ecrist> there's your problem
14:29 < xp_prg> but iperf is going to show that much degradation?
14:29 < ecrist> read the fucking link
14:29 < xp_prg> ok
14:30 < xp_prg> ok let me retry with udp one sec
14:34 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
14:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:36 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
14:50 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)]
14:54 < xp_prg> converting to udp brought it up to 9Mbits/sec
14:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:04 -!- [1]mbrevda [n=mbrevda@94.159.176.118] has joined ##openvpn
15:04 -!- [1]mbrevda is now known as mbrevda
15:06 < ecrist> you still haven't told me what hardware, and your configs
15:06 * ecrist goes away
15:06 -!- my007ms [i=logs@196.219.63.12] has joined ##openvpn
15:07 < my007ms> howto check lzo working on tunnel or not ?
15:09 < krzee> raise verb and look for it in log
15:10 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
15:10 < my007ms> krzee i see in log Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
15:10 < my007ms> but sorry don't know what you mean by raise verb :(
15:11 < krzee> !man
15:11 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:11 < krzee> --verb
15:13 < my007ms> ahh yes in debug mode
15:13 < my007ms> thanks krzee
15:14 < krzee> np
15:14 -!- jeiworth [n=jeiworth@189.177.127.62] has quit [Read error: 104 (Connection reset by peer)]
15:15 -!- jeiworth [n=jeiworth@189.177.127.62] has joined ##openvpn
15:26 -!- mbrevda [n=mbrevda@unaffiliated/mbrevda] has left ##openvpn []
15:26 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:31 -!- dazo|h [n=dazo@212.71.72.138] has joined ##openvpn
15:33 -!- BillyCrook1 [n=BillyCro@72.22.210.100] has quit [Remote closed the connection]
15:35 < krzee> !configs
15:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:35 < krzee> (that was for me)
15:37 < xp_prg> when I use mlock it simply doesn't connect for some reason
15:49 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn
16:21 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:37 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
16:38 -!- mirco [n=mirco@p54B27514.dip.t-dialin.net] has joined ##openvpn
16:50 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
17:03 -!- Casandrax [n=Casandra@host-217-213-138-44.mobileonline.telia.com] has joined ##openvpn
17:05 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has quit ["leaving"]
17:14 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)]
17:18 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has joined ##openvpn
17:19 < Matir> !iporder
17:19 < vpnHelper> Matir: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
17:19 < Matir> !route
17:19 < vpnHelper> Matir: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:29 -!- sodapop1 [n=sodapop@143.233.245.245] has joined ##openvpn
17:46 < xp_prg> anyone know why a client would get two tun addresses?
17:47 < |Mike|> asin 2 ?
17:47 < xp_prg> ya
17:47 < xp_prg> http://pastebin.com/d55b4d45c
17:55 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
18:10 < reiffert> ps auxwww |grep openvpn
18:12 < |Mike|> << cat /dev/urandom
18:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
18:22 -!- dazo|h [n=dazo@212.71.72.138] has quit ["Leaving"]
18:37 -!- jeiworth [n=jeiworth@189.177.127.62] has quit [Read error: 145 (Connection timed out)]
18:41 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:51 -!- W0rmF00d [n=wormfood@219.134.136.100] has joined ##openvpn
18:51 -!- WormFood [n=wormfood@219.133.100.13] has quit [Read error: 104 (Connection reset by peer)]
19:00 < exks> ters is STILL in the lead @thinkgeek poll: http://twtpoll.com/r/s0kyhy #fb Unstoppable!
19:00 < vpnHelper> Title: twtpoll :: Timmy needs to know: What geeky tv show/movie are you looking forward to this fall? (You can write-in vote in the comments.) (via @thinkgeek) (at twtpoll.com)
19:01 < exks> woops, I think I accidentally pasted in here. sry
19:01 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
19:21 -!- Casandrax [n=Casandra@host-217-213-138-44.mobileonline.telia.com] has quit ["Leaving..."]
19:42 -!- kala [i=kala@uba.linux.ee] has quit [Read error: 145 (Connection timed out)]
19:44 -!- Dougy_ [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
19:45 < Dougy> krzie: hihihihhi
19:45 -!- Dougy_ [n=douglas@ool-43503ed4.dyn.optonline.net] has quit [Client Quit]
19:52 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
19:52 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
19:59 < Dougy> hi thedoc
20:04 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
20:40 -!- mirco_ [n=mirco@p54B2779B.dip.t-dialin.net] has joined ##openvpn
20:48 -!- mirco [n=mirco@p54B27514.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:48 -!- mirco_ is now known as mirco
20:49 -!- prawn [n=sat@unaffiliated/greyhat] has left ##openvpn []
20:51 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
21:04 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: roentgen, tarbo2, thedoc, Gnewt
21:05 -!- Netsplit over, joins: Gnewt
21:05 -!- thedoc [n=zing@38.108.110.110] has joined ##openvpn
21:06 -!- Netsplit over, joins: tarbo2
21:08 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Client Quit]
21:12 -!- master_of_master [i=master_o@p549D4016.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D51F1.dip.t-dialin.net] has joined ##openvpn
21:47 -!- sodapop1 [n=sodapop@143.233.245.245] has quit [Read error: 110 (Connection timed out)]
21:51 -!- W0rmF00d is now known as WormFood
22:32 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:33 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:38 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit [Read error: 104 (Connection reset by peer)]
22:38 -!- dougy[itouch]_ [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 22:38 -!- dougy[itouch]_ is now known as dougy[itouch] 22:51 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit ["Colloquy for iPhone - http://colloquy.mobi"] 22:51 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 22:59 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit ["Colloquy for iPhone - http://colloquy.mobi"] 23:26 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Fri Sep 11 2009 00:03 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:21 -!- mirco [n=mirco@p54B2779B.dip.t-dialin.net] has quit [] 00:54 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 00:55 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 01:12 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Success] 01:12 -!- mirco_ is now known as mirco 01:33 -!- eliasp [n=quassel@95.208.45.212] has quit [Remote closed the connection] 01:34 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:38 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 02:04 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:35 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn 03:03 -!- thedoc [n=zing@38.108.110.110] has quit [Read error: 105 (No buffer space available)] 03:07 -!- verwilst [n=verwilst@router.begen1.office.netnoc.eu] has joined ##openvpn 03:08 < verwilst> if my openvpn client times out after 4 minutes of idle time 03:08 < verwilst> what can i do about it on an openvpn server level? 03:17 < dazo> verwilst: what would you like to happen? 
03:18 < verwilst> that it stays connected, no matter how long i'm idle 03:18 < dazo> !configs 03:18 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:18 < dazo> verwilst: ^^ 03:19 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 03:19 < dazo> verwilst: I would though guess you're not using --keepalive on the server side (or --ping / --ping-restart) 03:21 < verwilst> keepalive 10 120 03:21 < verwilst> in server.conf 03:21 < verwilst> ( i was pastbinning it :) ) 03:21 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 03:22 -!- zu [n=zu@bucketheaded.eu] has joined ##openvpn 03:23 < zu> Hi 03:23 -!- bauruine [n=bauruine@92.105.159.93] has joined ##openvpn 03:23 < verwilst> dazo: http://pastie.org/613321 03:23 < zu> Someone here interested in porting openvpn on android ? 03:24 < verwilst> dazo: i can't change anything client-side 03:24 < verwilst> since i'm using networkmaager 03:24 < verwilst> manager 03:24 < verwilst> i would like to put sth in my ccd so that the connection stays up :) 03:24 < dazo> verwilst: no prob! That's why you can use --push on the server side 03:25 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Client Quit] 03:25 < dazo> verwilst: you use keepalive ... which should push the options to the client 03:25 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 03:25 * dazo double checks man page 03:25 < verwilst> dazo: myeah, still it timeouts after exactly 4 minutes 03:26 < verwilst> dazo: push looks nice :) 03:26 < dazo> verwilst: there's a hatch .... the client must have a --pull option .... But I believe NM does that ... or is it an extra option in the GUI? 03:28 < verwilst> dazo: what do you mean? that network manager overrides the keepalive 10 120? 
03:28 < verwilst> it started happening after we switched to ccd 03:28 < verwilst> no idea how the configs were beforehand 03:28 < dazo> verwilst: if you do not have --pull in the client config .... it will ignore --push messages from the server 03:29 < verwilst> dazo: hm 03:29 < verwilst> will it also ignore the keepalive then? 03:29 < verwilst> i guess so? 03:30 < dazo> that might be one reason, yes ..... but! If it did work before .... and if you really did not upgrade anything openvpn related on the client ....then it's strange that ccd changed the behaviour 03:31 < verwilst> dazo: nope, i didnt touch the client at all :) 03:31 < verwilst> # Optional arguments to openvpn's command line 03:31 < verwilst> OPTARGS="" 03:31 < verwilst> hm :) 03:32 < verwilst> ah no, that's for openvpn, not networkmanager :( grm 03:32 < dazo> verwilst: try putting a keepalive statement in your ccd client config? Or else you'll need to either increase logging on the client side and look through logs .... or try a non-NM influenced openvpn setup on your client 03:32 < verwilst> a not-NM-using friend has it too 03:32 < verwilst> he's using a mac 03:32 < verwilst> dazo: actually, if i run it manually, it stays online i think 03:32 < verwilst> let me run it on the cli and look what happens 03:33 < dazo> verwilst: sounds like it's something worth bugging NM-openvpn people about .... I've stopped using NM-openvpn, due to too strict restrictions in config setup 03:34 < verwilst> myeah, it's pretty handy though 03:34 * dazo wish he had more time available, then he would write a openvpn-gui variant for Linux which uses raw openvpn configs 03:34 < verwilst> instead of having to go and start it on the cli all the time, which probably conflicts with networkmanager too :) 03:35 < dazo> openvpn is too flexible to gui-ficate the config ... unless you want a very advanced gui .... 03:35 < verwilst> dazo: but the ccd pushes my routes and such 03:35 < verwilst> so i guess pull should be on in NM? 
03:35 < dazo> verwilst: it normally should ... unless there are some overrides .... 03:36 * dazo checks some bugzillas 03:36 < verwilst> we'll know in 2 minutes :P 03:36 < thedoc> verwilst> Are you doing it on openvpnas? 03:36 < thedoc> or openvpn? 03:36 < verwilst> rah we won't my ping is still on 03:36 < verwilst> ( i run a ping to an internal server in a screen to make NM not drop the vpn :P ) 03:37 < verwilst> thedoc: euh, normal ubuntu openvpn :) 03:37 < thedoc> If it's openvpn_as, I just found out that ccd isn't working right. 03:37 < thedoc> Hm, ok. o/ 03:38 < verwilst> there, /me waits 03:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:41 < verwilst> 4 minutes go by slowely if you're just waiting :P 03:43 < dazo> heh 03:44 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote closed the connection] 03:44 < verwilst> still online 03:44 < verwilst> it must be NM 03:46 < verwilst> /usr/sbin/openvpn --remote xxx.xxx.xxx.xxx --comp-lzo --nobind --dev tun --proto tcp-client --port 1194 --tls-auth /home/verwilst/Documents/OpenVPN/openvpn-ta.key 1 --syslog nm-openvpn --script-security 2 --up /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper --up-restart --persist-key --persist-tun --management 127.0.0.1 1194 --management-query-passwords --route-noexec --client --ca /home/verwilst/Documents/OpenVPN/ 03:46 < verwilst> cacert.pem --cert /home/verwilst/Documents/OpenVPN/cert.pem --key /home/verwilst/Documents/Netlog/key.pem 03:46 < verwilst> this is the command NM executes 03:48 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn 03:49 < reiffert> verwilst: people normally use a config file. 03:49 < verwilst> reiffert: NetworkManager isnt people :) 03:49 < reiffert> it shortens down command line parameters to --config config.ovpn 03:51 < stein0> morning. 
03:52 < stein0> how can http://openvpn.net/index.php/open-source/documentation/howto.html#policy work, when you push ipadresses outside of the server ip range? 03:52 < vpnHelper> Title: HOWTO (at openvpn.net) 03:54 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 03:56 < verwilst> http://pastie.org/613348 03:56 < verwilst> dazo: ^^ 03:58 < verwilst> http://www.mail-archive.com/ubuntu-bugs@lists.ubuntu.com/msg1064138.html 03:58 < vpnHelper> Title: [Bug 280160] Re: n-m-openvpn shuts down VPN when openvpn soft-restarts (at www.mail-archive.com) 03:58 < verwilst> might be this 03:58 < dazo> verwilst: at first sight, it looks so ... 03:59 < dazo> verwilst: it's a reason why I've stopped using nm-openvpn .... the core NM has improved the last 2 years, quite a lot .... but the plugins have not .... 04:00 < dazo> verwilst: there's even issues with nm-openvpn if you use reneg-sec options 04:00 < verwilst> dazo: crappy :( 04:01 < dazo> verwilst: yeah, I know :( I wish I had more time to contribute with something to solve it 04:04 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 04:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 04:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:46 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 04:56 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 05:37 -!- [1]mbrevda [n=mbrevda@94.159.176.77] has joined ##openvpn 05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:29 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn 06:34 < [1]mbrevda> !howto 06:34 < vpnHelper> [1]mbrevda: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 06:34 -!- [1]mbrevda is now known as mbrevda 06:41 -!- brizly [n=brizly_v@p4FC99DE0.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:41 -!- plantain [n=plantain@unaffiliated/plantain] has left ##openvpn [] 06:42 -!- brizly [n=brizly_v@p4FC9994F.dip0.t-ipconnect.de] has joined ##openvpn 06:46 -!- rooth [i=rooth@92.43.35.21] has joined ##openvpn 06:47 < ecrist> good morning 06:49 < ecrist> verwilst: 06:49 < ecrist> !ubuntu 06:49 < vpnHelper> ecrist: "ubuntu" is dont use network manager! 06:50 < verwilst> network manager is nice 06:50 < verwilst> apart from the openvpn bugs :P 06:50 < ecrist> sure, except that it doesn't work 06:50 < |Mike|> bugs/ 06:50 < ecrist> so, you either get working, or broken. your choice. 06:50 < ecrist> the upside is the broken will look nice. 06:51 < verwilst> 'it doesnt work' is a bit too black/white imo :P 06:52 < ecrist> ok, not my first rodeo, however. 06:52 < ecrist> up to you 06:56 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 105 (No buffer space available)] 06:57 < verwilst> ecrist: the openvpn plugin has room for improvement, that's true :) 06:57 < ecrist> sure 06:57 -!- Peste_Bubonica [n=eduardo@189.63.246.108] has quit ["Leaving"] 06:57 < ecrist> it's buggy enough we're not going to support it here, however 07:06 < dazo> +1 07:08 < dazo> Somebody could write a nice little python script which integrates with Gnome & KDE ... which only keeps a list of config files and starts openvpn as a daemon with the given config file ... hooking into the management interface for passing username/passwords when needed 07:10 < ecrist> someone should port tunnelblick to KDE and Gnome 07:10 < ecrist> I know it wouldn't be that easy, but once the legwork was done, all it is is a pretty face on the command line utility 07:11 < dazo> tunnelblick ... is that F/OSS? 07:11 < ecrist> yes 07:11 < ecrist> !tunnelblick 07:11 < vpnHelper> ecrist: Error: "tunnelblick" is not a valid command. 
07:11 < ecrist> !osx 07:11 < vpnHelper> ecrist: Error: "osx" is not a valid command. 07:12 < ecrist> !learn osx as http://www.tunnelblick.net/ 07:12 < vpnHelper> ecrist: Joo got it. 07:12 < ecrist> !learn osx as http://www.viscosityvpn.com/ (PAY) 07:12 < vpnHelper> ecrist: Joo got it. 07:12 < ecrist> !forget learn 1 07:12 < vpnHelper> ecrist: Error: There is no such factoid. 07:12 < ecrist> !forget osx 1 07:12 < vpnHelper> ecrist: Joo got it. 07:12 < ecrist> !learn osx as http://www.tunnelblick.net/ (FREE) 07:12 < vpnHelper> ecrist: Joo got it. 07:12 < ecrist> !osx 07:12 < vpnHelper> ecrist: "osx" is (#1) http://www.viscosityvpn.com/ (PAY), or (#2) http://www.tunnelblick.net/ (FREE) 07:12 < dazo> objective-c ..... 07:13 < ecrist> !learn tunnelblick as http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X 07:13 < vpnHelper> ecrist: Joo got it. 07:15 < dazo> that's not going to be trivial ... doesn't look like portability was in mind when writing this .... seems to depend heavily on Cocoa 07:17 -!- jm [i=jonathan@192.121.234.85] has joined ##openvpn 07:18 < jm> hello guys, quick question: how do i set a static ip per user with client-connect? 07:18 < jm> i tried "client-connect /bla/script /tmp/file", writing ifconfig-push a.b.c.d m.a.s.k to /tmp/file 07:18 < dazo> Cocotron is being developed as a Cocoa compatible API .... but nothing really released ... 
under heavy development, as far as I can see 07:18 < jm> but it won't work 07:19 < ecrist> dazo: tunnelblick is mostly candy, wouldn't really be that hard, it doesn't do anything super special, other than give you a way to view logs, start/stop OpenVPN processes 07:19 < dazo> dazo: well, then we're back at my Python script :-P 07:20 < dazo> jm: http://openvpn.net/archive/openvpn-users/2008-01/msg00048.html 07:20 < vpnHelper> Title: Re: [Openvpn-users] Assign a static IP address to some clients (at openvpn.net) 07:21 < dazo> ugh wrong url 07:21 < dazo> jm: http://blog.gauner.org/2008/07/17/openvpn-static-ip-assignments/ 07:21 < vpnHelper> Title: OpenVPN: Static IP Assignments at blog.gauner.org (at blog.gauner.org) 07:22 < jm> dazo. thanks! but can i do it without a file per client? 07:23 < dazo> jm: nope 07:23 < jm> damn, ok 07:23 < jm> thanks! 07:23 < dazo> jm: unless you only have one client, of course 07:23 < jm> :-) 07:23 < ecrist> sure you can. 07:23 < dazo> jm: why do you want to assign static IP? 07:23 < dazo> yeah, by doing it client config 07:24 < jm> dazo. i'm helping a friend, don't know why he wants it like that 07:24 < jm> maybe to keep addressing easy 07:24 < jm> was hoping that a client-connect-script could fetch ip from a database and set it 07:24 < ecrist> jm, you can do that 07:24 < jm> oh! 07:24 < jm> how? 07:25 < dazo> creating ccd script on-the-fly? 07:25 < ecrist> use client-connect to parse the certicate and/or username passed to the connection and dynamically generating the config file 07:25 < ecrist> yep 07:25 < jm> yeah, tried. 
i cant get it working 07:26 < ecrist> you were passing too many options 07:26 < ecrist> client-connect script 07:26 < jm> okay 07:26 < ecrist> the script is passed a temp file name by openvpn, stored in $1 to use for the generated file 07:26 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 07:27 < ecrist> so you'd do something like: echo "foobeans" >> $1 07:27 < jm> aha i see 07:27 < ecrist> when the script exits, $1 is passed to the client as the config 07:27 < jm> okay, will try it out 07:27 < ecrist> fwiw, I've never done this, or looked in to doing this, until you brought it up. I gleaned all this from reading the man page, which I would suggest you do. ;) 07:28 < ecrist> quote: If the script wants to generate a dynamic config file to be applied on the server when the client connects, it should write it to the file named by $1. 07:28 < jm> heh, i've read it but it seems that im too stupid 07:28 < jm> i thougt $1 was an argument to the script 07:28 < jm> (set by me) 07:29 < ecrist> you would be mistaken. :D 07:30 < jm> :-) 07:30 < jm> it works like a charm 07:30 < jm> thank you! 07:31 < ecrist> no problem. 07:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:06 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:23 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 08:23 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 08:25 < Optic> moo 08:44 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 08:49 -!- blk [n=blk@85.4.110.235] has joined ##openvpn 08:51 < blk> can someone tell me why the ip, when pushing a single ip (with netmask 255.255.255.255), isn't pingable? it works if i push through the whole net (with mask 255.255.255.0)? 
08:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:01 < reiffert> !net30 09:01 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:04 -!- CcK [n=cck@dryades.org] has joined ##openvpn 09:04 < blk> thanks guys 09:06 < CcK> !howto 09:06 < vpnHelper> CcK: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:08 < CcK> hi guys, i want vpn clients to get an ip from the dhcp server on our lan, to do that i must choose bridging right ? 09:08 < CcK> !route 09:08 < vpnHelper> CcK: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:13 < ecrist> CcK: yes 09:14 < CcK> ecrist: thanks, btw is it normal that in the documentation they assume the easy-rsa dir to be in /usr/share whatever, whereas when you compile from source, they are not copied anywhere and stay in the source dir ? 09:25 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 09:27 -!- bauruine [n=bauruine@92.105.159.93] has quit [Read error: 148 (No route to host)] 09:36 -!- blk [n=blk@85.4.110.235] has quit ["Segfault (0x0)"] 09:37 -!- roshenia [n=roshenia@80.94.228.14] has joined ##openvpn 09:38 < roshenia> hi! i install openvpn client on my windows 2003 server. but my server cannot assign ip adress from openvpn server.. 09:38 < roshenia> i get "route: Waiting for TUN/TAP interface to come up..." 09:39 < roshenia> and nothing do 09:40 < roshenia> may be its do becouse my win2003 server is domain controller with dhcp server? and dhcp client doesnt enabled? 
09:42 < roshenia> "Routing and remote access" service work too 09:45 < roshenia> if i manually enter ip info in my interface i get womething like this^ 09:45 < roshenia> Fri Sep 11 17:45:49 2009 ERROR: netsh command failed: external program did not e 09:45 < roshenia> xecute -- returned error code -1 09:53 < krzee> !winroute 09:53 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 09:54 < roshenia> krzee, tnx. but i need rras 09:55 < krzee> theres still #1 and #2 09:56 < roshenia> can you give me example? 09:56 < Optic> yawn! 09:57 < krzee> !winroute 09:57 < krzee> !man 09:57 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 09:57 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
09:57 < roshenia> Fri Sep 11 17:58:34 2009 ERROR: netsh command failed: external program did not e 09:57 < roshenia> xecute -- returned error code -1 09:57 < roshenia> Fri Sep 11 17:58:39 2009 NETSH: C:\WINDOWS\system32\netsh.exe interface ip set a 09:57 < roshenia> ddress Local Area Connection 3 dhcp 09:59 < roshenia> with route-method exe i get it 09:59 < roshenia> http://pastebin.com/m2f8fa5a6 10:00 < roshenia> DHCP Client Service is not started in my server 10:09 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit ["bbl"] 10:13 -!- LeDruide [n=cck@82.244.104.216] has joined ##openvpn 10:14 -!- LeDruide [n=cck@82.244.104.216] has quit [Remote closed the connection] 10:26 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has joined ##openvpn 10:28 < |Mike|> !tls-auth 10:28 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 10:30 -!- CcK [n=cck@dryades.org] has quit [Read error: 113 (No route to host)] 10:30 < |Mike|> !secure 10:30 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 10:30 < |Mike|> with how many bits is tls/ssl encrypted ? 10:31 < |Mike|> 128bits ? 10:31 < ecrist> |Mike|: I think it depends on the certificate 10:32 < |Mike|> so if i'm using 2048 bits on the server / client certs, openvpn will generate the ta.key's with the same level of encryption ? ( 2048 bits ) 10:32 -!- kaushal [n=kaushal@64.124.122.228] has joined ##openvpn 10:32 < kaushal> hi 10:32 < |Mike|> hi 10:33 < kaushal> |Mike|: i have question about gopenvpn ? 
10:33 < kaushal> http://gopenvpn.sourceforge.net/ 10:33 < vpnHelper> Title: gopenvpn (at gopenvpn.sourceforge.net) 10:33 < |Mike|> never worked with gopenvpn, but shoot :) 10:34 < kaushal> the issue is that when i connect to vpn server, the internal nameservers doesnot get populated to /etc/resolv.conf 10:34 < kaushal> but with the Network Manager Applet openvpn on Ubuntu, it works fine 10:35 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 10:35 < kaushal> but there is a limitation, i can connect only to one vpn server 10:35 < kaushal> https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/91389 10:35 < vpnHelper> Title: Bug #91389 in network-manager (Ubuntu): “Support for more than one VPN simultaneously” (at bugs.launchpad.net) 10:36 < |Mike|> !ubuntu 10:36 < vpnHelper> |Mike|: "ubuntu" is dont use network manager! 10:38 < kaushal> is there a way to populate internal nameservers using gopenvpn ? 10:38 < kaushal> with gopenvpn i can connect to multiple instances 10:39 < |Mike|> i've no idea, maybe that someone else here uses it ? 10:44 < |Mike|> ecrist: could that be correct? 10:47 -!- verwilst [n=verwilst@router.begen1.office.netnoc.eu] has quit ["Ex-Chat"] 10:47 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:48 < kaushal> |Mike|: where can i seek help ? 10:51 < |Mike|> you might want to contact gopenvpn 10:51 < |Mike|> why don't you use the openvpn client btw? 10:51 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 10:54 < kaushal> |Mike|: unfortunately there is no Mailing List for gopenvpn 10:54 < dazo> |Mike|: gopenvpn seems to be a gui frontend 10:56 < dazo> kaushal: to make name server update working ... you'll need to have some --up and --down scripts to make that work .... 
NM-openvpn adds that automagically 10:56 < dazo> kaushal: http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html 10:56 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net) 10:59 -!- BillyCrook [n=BillyCro@72.22.210.100] has joined ##openvpn 11:01 < kaushal> dazo: hi 11:01 < kaushal> i have a question here with that link you pasted me 11:01 < dazo> kaushal: yeah? 11:02 < kaushal> it works well with Network Manager openvpn 11:02 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 11:02 < kaushal> i wanted to integrate it with gopenvpn 11:03 < dazo> kaushal: that was my point .... NM-openvpn does that magic which you seem to need to add into your config when not using NM 11:03 < kaushal> ok 11:04 < kaushal> dazo: i will try it out 11:04 -!- c64zottel [n=hans@p5B17AFF1.dip0.t-ipconnect.de] has joined ##openvpn 11:04 < kaushal> dazo: please give me a moment 11:04 < dazo> kaushal: you might want to see what kind of scripts the nm-openvpn package provides, to see if you can find similar scripts to the url you got .... if you want to try to do exactly the same 11:04 < dazo> as nm-openvpn does 11:05 < kaushal> ok 11:05 < kaushal> dazo: so what i understand is that put down and up scripts under /etc/openvpn and client.conf 11:06 < kaushal> and restart openvpn ? 11:06 < kaushal> and run gopenvpn ? 11:06 < dazo> kaushal: the most important pieces are those scripts, that they can be found .... then you need to adopt the config file which you use with gopenvpn .... and start the connection through gopenvpn 11:07 < dazo> kaushal: I don't think openvpn is running when no connection is established .... that's gopenvpn' 11:07 < dazo> s responsibility to start that one 11:07 < kaushal> dazo: ok 11:08 < dazo> How I could understand it .... gopenvpn is just a gui frontend to openvpn .... 
so gopenvpn starts openvpn with a given configuration file 11:13 < kaushal> dazo: yeah 11:14 < kaushal> dazo: let me try it and update you 11:14 < kaushal> is it ok ? 11:14 < dazo> kaushal: sure ... but I'm starting my weekend in about 15min ... but please leave a msgs and I'll catch it on Monday 11:15 -!- jeiworth [n=jeiworth@189.163.252.158] has joined ##openvpn 11:20 < kaushal> dazo: * Autostarting VPN 'client' [fail] 11:20 < kaushal> when i restart openvpn on my laptop 11:21 < dazo> kaushal: did you start it via gopenvpn? 11:21 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:21 < kaushal> ok 11:21 < dazo> kaushal: read what I've been writing to you twice ..... 11:24 -!- kaushal [n=kaushal@64.124.122.228] has quit [Read error: 104 (Connection reset by peer)] 11:26 -!- kaushal [n=kaushal@115.118.242.81] has joined ##openvpn 11:26 < kaushal> dazo: hi again 11:26 < kaushal> got disconnected 11:26 < kaushal> it did not work 11:27 < kaushal> when i right click on gopenvpn it shows three checkbox client and two of my vpn servers 11:27 < dazo> kaushal: set verbosity level in your config to 4 (verb 4) and read *carefully* through each line .... I am sure you will find very clear hints there 11:27 < kaushal> dazo: its actually a pain 11:28 < dazo> kaushal: I also do take it for granted that 1) you have the resolvconf package installed .... 2) that you don't try to change the default gateway in both of your connections .... that's tricky to do 11:29 < kaushal> dazo: basically i want my internal name servers to be populated 11:29 < dazo> kaushal: it's a pain until you've read through all docs and logs and found the error .... in 99.9999% of all cases here on #openvpn it is configuration errors 11:29 < kaushal> with NM it populated but with gopenvpn it doesnot 11:30 < dazo> kaushal: because you have an error in your configuration .... you need to read the log files CAREFULLY .... 
those log files are long and verbose, BUT they give exact information on where the error is 11:30 < kaushal> dazo: where i need to look for ? 11:30 < kaushal> i didnot understand that 11:31 < dazo> kaushal: I don't know where you have your log files .... a good place to start is /var/log .... OR you can look at "man openvpn" and look up --log there ... how to define your own log file 11:32 < kaushal> dazo: is it possible to have log file on the client side 11:32 < kaushal> ? 11:32 < dazo> yes it is 11:33 * dazo need to go now 11:33 < kaushal> ol 11:33 < kaushal> ok 11:34 < kaushal> anyone else can help me here ? 11:45 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has quit [Remote closed the connection] 11:47 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has quit ["leaving"] 11:49 -!- zu [n=zu@bucketheaded.eu] has quit ["Reconnecting"] 11:49 -!- zu [n=zu@88.191.93.109] has joined ##openvpn 11:50 -!- mirco [n=mirco@p54B2779B.dip.t-dialin.net] has joined ##openvpn 11:52 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 11:58 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:01 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 60 (Operation timed out)] 12:03 -!- mirco [n=mirco@p54B2779B.dip.t-dialin.net] has quit [] 12:08 -!- kaushal [n=kaushal@115.118.242.81] has quit ["Lost terminal"] 12:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 12:29 < Optic> mooo 12:36 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 12:36 -!- ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has joined ##openvpn 12:37 < ralph> hi there how can i figure this out : http://gentoo.pastebin.ca/1562329 12:39 -!- ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has quit ["leaving"] 12:42 -!- sodapop [n=sodapop@143.233.245.245] has joined ##openvpn 12:42 -!- 
ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has joined ##openvpn 12:42 < ralph> now ^^ 12:43 < ralph> how can i figure this out : http://gentoo.pastebin.ca/1562329 12:43 < sodapop> is it possible to force a default gw on the client side, redirect-gateway is not working for me anymore 12:44 < sodapop> it gives me this : OpenVPN ROUTE: omitted no-op route:.... 12:45 < ralph> sodapop: put a route to your client 12:45 -!- phatf1sh is now known as phatfish 12:45 < sodapop> ralph: how ? 12:46 < sodapop> you mean add it manually ? 12:46 < ralph> sodapop: route add -net 192.168.x.x netmask 255.255.255.0 gw you.r.g.w 12:46 < ralph> sodapop: i think syntax is ok just replace necceary 12:46 < sodapop> but if the tun iface goes down 12:46 < ralph> sodapop: make sure you have used iptables are working 12:47 < sodapop> the route will be deleted 12:47 < ralph> sodapop: what is in your o.cnf ? 12:47 < ralph> sodapop: push route ? 12:47 < sodapop> client config ? 12:47 < ralph> server 12:48 < sodapop> i have no access 12:48 < ralph> k what kind of os ? 12:48 < ralph> has your client 12:48 < sodapop> linux 12:48 < ralph> http://forums.gentoo.org/viewtopic-t-538662-start-0.html 12:49 < sodapop> this used to work at the client openvpn --route-gateway x.x.x.x --redirect-gateway 12:49 < ralph> check if all exists 12:49 < ralph> http://forums.gentoo.org/viewtopic-t-538662-start-0.html 12:49 < sodapop> ok 12:50 < ralph> it is possible to use this howto for linux global 12:50 < ralph> replace emerge with apt or smth 12:51 < sodapop> pacman 12:51 < sodapop> :) 12:51 < ralph> maybee ;) 12:52 < ralph> or just compile it from source ^^ if you want 12:52 < ralph> im on the same thing ;) but i want to know why it not build my ca 12:52 < sodapop> thanks ralph 12:52 -!- sodapop [n=sodapop@143.233.245.245] has quit ["WeeChat 0.3.0"] 12:52 < ralph> http://gentoo.pastebin.ca/1562329 12:53 < ralph> lol no one in there? 
12:54 < BillyCrook> would it be clinically insane to put iSCSI over an openvpn link?
12:55 < ralph> hm?
12:55 < ralph> i dont understand
12:55 < Optic> hmm
12:56 < ralph> can anybody help me with my kind of prob ? http://gentoo.pastebin.ca/1562329
12:56 -!- kaushal [n=kaushal@115.118.253.103] has joined ##openvpn
12:56 < kaushal> hi
12:56 < ralph> hi
12:57 < kaushal> ralph: I am using gopenvpn as a GUI to connect to openvpn servers
12:57 < ralph> kaushal: linux windows ?
12:57 < kaushal> I am able to connect to multiple vpn servers
12:57 < kaushal> linux
12:57 < kaushal> Ubuntu 9.04
12:57 < ralph> k
12:57 -!- kaushal [n=kaushal@115.118.253.103] has quit [Read error: 104 (Connection reset by peer)]
13:01 -!- kaushal [n=kaushal@115.118.253.103] has joined ##openvpn
13:01 < kaushal> ralph: sorry got disconnected
13:01 < kaushal> the issue is that the internal nameservers are not getting populated in resolv.conf ?
13:02 < kaushal> I could see that the internal nameservers are seen in daemon.log
13:02 < kaushal> any idea as what could be the issue ?
13:04 < kaushal> ralph: you around ?
13:07 -!- psychoschlumpf [i=lars@maintenance.chaotika.org] has joined ##openvpn
13:11 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
13:20 < krzee> !pushdns
13:20 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
13:24 * ecrist <3 ImageMagick
13:30 < kaushal> krzee: as i said i can see it in daemon.log file :)
13:32 < kaushal> its not being populated using gopenvpn
13:34 < krzee> read that link
13:34 < krzee> basically
13:34 < krzee> you need a script to populate it
13:37 < kaushal> is it update-resolv-conf ?
13:39 < ralph> kaushal: yes now
13:39 < kaushal> krzee: please give me an example
13:40 -!- marsje [n=anonymou@mrcl.xs4all.nl] has joined ##openvpn
13:41 -!- jeiworth_ [n=jeiworth@189.234.72.53] has joined ##openvpn
13:44 < ralph> what kind of?
13:44 < ralph> the link explain everything
13:49 -!- kaushal_ [n=kaushal@115.118.253.43] has joined ##openvpn
13:50 -!- kaushal [n=kaushal@115.118.253.103] has quit [Nick collision from services.]
13:50 -!- kaushal_ is now known as kaushal
13:51 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has joined ##openvpn
13:56 -!- jeiworth [n=jeiworth@189.163.252.158] has quit [Success]
13:58 < kaushal> I am not getting help here
13:59 -!- atmosx [n=osx@ppp-94-69-208-131.home.otenet.gr] has joined ##openvpn
13:59 < atmosx> hello
14:00 < atmosx> I have a working openvpn server and clients. Can someone help configuring the DNS so that we can put names to the clients, aliases, and use static dns entries?
14:00 < ecrist> kaushal: you need to write a script to handle the updates and deletions
14:01 < kaushal> ecrist: i did that by using domain.up and domain.down
14:01 < kaushal> but it does not work
14:01 < ecrist> great, then your problem is solved. ;)
14:01 < ecrist> oh, so your scripts don't work.
14:02 < ecrist> atmosx: here
14:02 < ecrist> !static
14:02 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
14:02 < kaushal> i followed http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html
14:02 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net)
14:02 < atmosx> !ccd
14:02 < vpnHelper> atmosx: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:04 -!- kaushal [n=kaushal@115.118.253.43] has quit ["leaving"]
14:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:14 < atmosx> ecrist: I read the examples a couple of times. The part that I don't understand clearly is the following: In the example it says to put in the ccd/name the lines "ifconfig-push 10.9.0.1 10.9.0.2" if I want my client "name" to have an IP of 10.9.0.1
14:15 < atmosx> if I need an IP of 10.8.0.10 how do I do it? It does not explain the syntax
14:15 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)]
14:19 < BillyCrook> !ifconfig
14:19 < vpnHelper> BillyCrook: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to.
14:20 -!- felix_ [n=felix@87.79.236.180] has joined ##openvpn
14:21 < ecrist> atmosx: you just copied the line that explains how to do it
14:23 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
14:23 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
14:23 < atmosx> ecrist: I'm missing something here
14:23 < atmosx> I don't understand how it works, I don't want to just make it work. I'd do it with trial and error, I want to understand the syntax if possible
14:23 -!- unix3_ [n=unix3@190.10.68.228] has joined ##openvpn
14:25 < ecrist> ifconfig-push is the command
14:25 < ecrist> 10.9.0.1 is the IP you're assigning
14:26 < ecrist> 10.9.0.2 is the gateway for the /30 subnet (held by VPN server)
14:26 < ecrist> !/30
14:26 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:26 < atmosx> oh ic
14:26 < ecrist> it *is* explained, if you read the docs
14:27 < atmosx> I'm reading the conf file and I've searched the docs quite a lot :-P
14:28 < atmosx> the server's IP is static and it's always 10.8.0.2 ?
14:28 < ecrist> please read the link I just posted before you ask more questions
14:28 < atmosx> because from my laptop, when I'm on the office I connect to the VPN server using 10.8.0.1 as an IP for the server
14:28 < atmosx> ecrist: Oh sorry I did not see the link you posted
14:29 < atmosx> the ifconfig-pool-linear directive goes to the server? I have only macosx and linux client atm
14:29 < atmosx> clients/client/s
14:30 < ecrist> did you read the doc?
14:30 < ecrist> it's not as difficult as you're making it
14:32 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:35 < atmosx> ecrist: hmm I did it. This line is what I needed "ifconfig-pool-linear"
14:38 < ecrist> great, glad you got your problem fixed.
14:39 < ecrist> atmosx: take note, that option is incompatible with windows clients
14:40 -!- unix3_ [n=unix3@190.10.68.228] has quit [Remote closed the connection]
14:40 < ecrist> from the man page: NOTE: This option is incompatible with Windows clients.
14:40 < ecrist> and: This option is deprecated, and should be replaced with --topology p2p which is functionally equivalent.
14:40 < ecrist> assuming, of course, you're using 2.1rc19
14:40 < ecrist> there is no reason to be using 2.0.9 any longer
14:43 < atmosx> ecrist: thanks for the hint. I'm using 2.0.9 but I'll keep it in mind. When the MacPorts version is upgraded I'll switch this option to topology.
14:45 < ecrist> I would suggest switching now, not 'when MacPorts version is upgraded'
14:46 < ecrist> you don't need MacPorts for OpenvPN
14:46 < ecrist> OpenVPN compiles on the mac without a problem
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:49 < atmosx> ecrist: yes and when it goes to version 2.2rc because of a security flaw what happens?
14:50 < ecrist> 2.1rc20 would be next
14:50 < atmosx> ecrist: I'm no student anymore, I can't deal 24/7 with cli or configuration, nor keeping notice from every ML or website that programs I install to my mac-mini server
14:50 < ecrist> you're point?
14:51 < ecrist> s/'re/r/
14:52 < atmosx> if there's a security flaw, I'll miss it if I don't use a package manager.
14:52 < ecrist> you'll miss it because you're not paying attention
14:52 < atmosx> Of course, because I wont pay attention.
14:53 < atmosx> while the macports developers will, probably with a lag of a couple of weeks. I may not take notice for a year.
15:06 -!- atmosx [n=osx@ppp-94-69-208-131.home.otenet.gr] has left ##openvpn []
15:08 -!- ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has quit ["leaving"]
15:20 -!- BillyCrook [n=BillyCro@72.22.210.100] has quit [Remote closed the connection]
15:20 -!- ghoti [n=paul@38.117.126.254] has joined ##openvpn
15:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:31 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:34 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
15:36 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
15:37 -!- Douglas [n=admin@66.45.235.77] has joined ##openvpn
15:37 < Douglas> krzee: hi
15:37 < Douglas> krzie: hi
15:37 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
15:40 < ghoti> Are there command-line tools to parse openvpn status files and summarize the output for human consumption?
15:48 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
15:49 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
15:55 < Douglas> krzie hi
15:57 -!- felix_ [n=felix@87.79.236.180] has quit [Read error: 145 (Connection timed out)]
16:09 -!- c64zottel [n=hans@p5B17AFF1.dip0.t-ipconnect.de] has left ##openvpn []
16:10 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
16:14 < Blu3> is there still a problem with trying to connect 2.1 to 2.0 and vice versa?
16:20 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
16:21 < Blu3> what're the significant differences between 2.0 and 2.1, and is there a reason the 2.1 branch is 4 years old and hasn't changed from 2.1rc to 2.1?
16:25 -!- dupondje [n=dupondje@d51A550F9.access.telenet.be] has joined ##openvpn
16:27 < dupondje> Hellow ! I got a VPN setup to connect to my other network that is behind a router. This just works great, but now I try to access the router as it would be from the inside network, but I can't get it working
16:27 < dupondje> any idea's ?
16:27 < dupondje> other network = router (192.168.1.x) -> router (192.168.124.x) -> router (192.168.3.x)
16:27 < ghoti> first off, you've misplaced your apostrophe. "idea's" would indicate something belonging to an idea, like "The idea's merit was unknown."
16:28 < dupondje> I have vpn client on the last router and on my pc in another network
16:28 < dupondje> now I try to connect to the 124 router ...
16:34 -!- Bushmills [n=Bushmill@verhau.de] has left ##openvpn ["Leaving."]
16:36 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn
16:36 -!- Bushmills [n=Bushmill@verhau.de] has left ##openvpn ["Leaving."]
16:36 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn
16:36 < dupondje> hmz :) added routes to the config :D working smooth now
16:45 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:48 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:51 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
17:02 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
17:07 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:14 -!- zu [n=zu@88.191.93.109] has quit ["Reconnecting"]
17:14 -!- zu [n=zu@bucketheaded.eu] has joined ##openvpn
17:16 -!- zu [n=zu@bucketheaded.eu] has quit [Client Quit]
17:21 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit ["Leaving"]
17:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:36 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:39 -!- jeiworth_ [n=jeiworth@189.234.72.53] has quit [Read error: 110 (Connection timed out)]
17:44 -!- my007ms [i=logs@196.219.63.12] has left ##openvpn ["Leaving"]
18:15 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn []
18:35 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
18:36 < Voziv> I know this might not the best place to ask, but does anyone here know how ethernet bridging works for linux?
19:33 < WormFood> it works pretty well
19:34 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
19:42 < Voziv> Oki I got ethernet bridging working now, is there a solution as to how I can add a tap adapter in windows 7? tapinstall.exe is failing
19:42 < Douglas> !win7
19:42 < vpnHelper> Douglas: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
19:43 < Voziv> awesome
19:48 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
20:13 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
20:14 < Voziv_> ok so far so good
20:15 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit [Read error: 104 (Connection reset by peer)]
20:17 < Voziv_> How would I redirect my openvpn clients to use the gateway 10.0.0.6 on my vpn network?
20:27 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
20:27 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has quit [Read error: 104 (Connection reset by peer)]
20:30 -!- unope [n=unop@amsterdam.perfect-privacy.com] has joined ##openvpn
20:36 -!- Douglas [n=admin@66.45.235.77] has quit [Read error: 148 (No route to host)]
20:36 < unope> Is everyone else forwarded to a comcast page when they try to go to http://verizion.com ?
20:39 < Voziv> unope: You misspelt verizion, should be verizon, i think at least.... verizion.com doesn't resolve for me
20:40 < Voziv> Does anyone know how I can get my clients to use my local dhcp server?
20:40 < unope> Voziv where does it bring you?
20:40 < Voziv> unope: Nowhere
20:41 < unope> Voziv, I have a problem
20:41 < Voziv> yes?
20:41 < unope> or to anyone else
20:43 < unope> I'm using OpenVPN to route my data to another location, but for some reason that website was resolved by my ISP
20:43 < unope> or it gave me the error message, rather.
20:44 < Voziv> no idea, I'm still trying to route my data to another location, no luck yet
20:45 < unope> 76 in the channel and no one active?
20:48 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit []
21:05 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
21:06 < Voziv> Bah, still no luck, I'm still trying to get my client to use my local gateway. Is there a push option for that?
21:12 -!- master_of_master [i=master_o@p549D51F1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:13 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit []
21:15 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit [Read error: 145 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D3DC1.dip.t-dialin.net] has joined ##openvpn
21:21 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
22:01 -!- unope [n=unop@amsterdam.perfect-privacy.com] has quit ["Leaving"]
23:01 -!- unope [n=unop@amsterdam.perfect-privacy.com] has joined ##openvpn
23:02 < unope> why is my isp resolving my dns when my vpn provider should be doing that?
--- Day changed Sat Sep 12 2009
00:08 -!- kaushal [i=kaushal@115.118.240.5] has joined ##openvpn
00:08 < kaushal> hi
00:09 < kaushal> i get a postmaster reply whenever i post email to openvpn-users@lists.sourceforge.net
00:09 < kaushal> any ideas ?
00:12 < kaushal> http://gopenvpn.sourceforge.net/ can i write to the author ?
00:12 < vpnHelper> Title: gopenvpn (at gopenvpn.sourceforge.net)
00:13 < kaushal> i dont see any ML there
00:25 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:56 -!- kaushal [i=kaushal@115.118.240.5] has quit [Read error: 104 (Connection reset by peer)]
01:05 -!- toombs [n=eric@rn--stpw-2-1-a24.uwaterloo.ca] has joined ##openvpn
01:06 < toombs> is the protocol used in 2.1rc19 incompatible with that used in 2.0?
01:41 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
01:43 -!- tjz2 [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Client Quit]
02:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
02:04 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
02:10 -!- toombs [n=eric@rn--stpw-2-1-a24.uwaterloo.ca] has quit ["Leaving."]
02:11 -!- pif [n=ldm@zenon.apartia.fr] has quit [Read error: 60 (Operation timed out)]
02:18 -!- pif [n=ldm@zenon.apartia.fr] has joined ##openvpn
02:25 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:37 -!- kaushal [i=kaushal@115.118.252.120] has joined ##openvpn
02:40 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has joined ##openvpn
02:45 -!- kaushal [i=kaushal@115.118.252.120] has quit ["Leaving"]
03:11 -!- jm [i=jonathan@192.121.234.85] has quit [Remote closed the connection]
03:11 -!- jm [i=jonathan@192.121.234.85] has joined ##openvpn
03:15 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
03:18 -!- thedoc_ [n=zing@adsl48.dyn229.pacific.net.sg] has joined ##openvpn
03:19 -!- thedoc_ [n=zing@unaffiliated/thedoc] has quit [Client Quit]
03:20 -!- gallatin [n=gallatin@dslb-092-073-126-246.pools.arcor-ip.net] has joined ##OpenVPN
03:23 -!- c64zottel [n=hans@p5B17860F.dip0.t-ipconnect.de] has joined ##openvpn
03:23 -!- c64zottel [n=hans@p5B17860F.dip0.t-ipconnect.de] has left ##openvpn []
03:35 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
03:52 -!- hyper_ch [n=hyper@adsl-84-226-164-242.adslplus.ch] has quit [Remote closed the connection]
04:00 -!- hyper_ch [n=hyper@adsl-84-226-164-242.adslplus.ch] has joined ##openvpn
04:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:53 -!- kaushal [n=kaushal@115.118.247.250] has joined ##openvpn
05:53 < kaushal> hi
05:54 < kaushal> i was able to successfully connect to vpn servers using gopenvpn
05:54 < kaushal> but the issue is when the internet is available only when the gopenvpn connection is on
05:54 < kaushal> I am using resolvconf
05:55 < kaushal> is there a workaround for this ?
05:55 < kaushal> or am i doing it wrong ?
05:56 < kaushal> I have hardcoded the internal nameservers in /etc/resolvconf/resolvconf.d/head
05:57 -!- kaushal [n=kaushal@115.118.247.250] has quit [Client Quit]
06:03 < reiffert> gopenvpn?
06:15 < Bushmills> graphical user interface for those with feeble console-fu
06:16 < Bushmills> "It provides a GNOME system tray icon from which OpenVPN connections can be started and stopped"
06:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
06:55 -!- brizly [n=brizly_v@p4FC9994F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:57 -!- brizly [n=brizly_v@p4FC99E45.dip0.t-ipconnect.de] has joined ##openvpn
06:59 < Optic> mo
07:16 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
07:21 -!- roshenia_ [n=roshenia@gw.pbh.by] has joined ##openvpn
07:21 -!- roshenia [n=roshenia@80.94.228.14] has quit [Read error: 104 (Connection reset by peer)]
07:35 -!- tecchi [n=tecchi@ip-95-223-200-71.unitymediagroup.de] has joined ##openvpn
07:58 -!- tecchi [n=tecchi@ip-95-223-200-71.unitymediagroup.de] has left ##openvpn []
08:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
08:30 -!- mirco_ [n=mirco@p54B23901.dip.t-dialin.net] has joined ##openvpn
08:39 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
08:39 -!- mirco_ is now known as mirco
09:10 -!- gallatin [n=gallatin@dslb-092-073-126-246.pools.arcor-ip.net] has quit ["Client exiting"]
09:24 -!- dlynes [n=daniel@bas5-hamilton14-1242444747.dsl.bell.ca] has quit [Remote closed the connection]
09:40 < roshenia_> hi! is it real to use openvpn client on windows 2003 server with dhcp server?
10:44 -!- ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has joined ##openvpn
10:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:46 < ralph> hi
10:46 < ralph> anyone out there
10:46 < ralph> ?
10:46 -!- roshenia [n=roshenia@gw.pbh.by] has joined ##openvpn
11:00 -!- roshenia_ [n=roshenia@gw.pbh.by] has quit [Read error: 110 (Connection timed out)]
11:54 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn
11:54 -!- roshenia [n=roshenia@gw.pbh.by] has quit [Read error: 110 (Connection timed out)]
12:06 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
12:10 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:19 < |Mike|> sure ralph
12:28 < Dougy> krzie: .
12:30 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn
12:30 < RadarG> has anyone had any luck installing openvpn on a openwrt?
12:33 < |Mike|> it's linux
12:34 < |Mike|> it's not that hard :D
12:39 < RadarG> I added the line "status /tmp/openvpn-status.log" into my wrt openvpn server. It looks like it isn't creating the log file. Can someone please help me troubleshoot this?
12:39 < |Mike|> ls -la /tmp/openvpn-status.log
12:41 < |Mike|> hello?
12:41 < RadarG> trying the command
12:42 < RadarG> no such file or directory
12:43 < |Mike|> touch /tmp/openvpn-status.log
12:43 < |Mike|> and chown it to the right user (the openvpn one!)
12:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:48 -!- zograk [n=phil@unaffiliated/zograk] has joined ##openvpn
12:49 < zograk> !howto
12:49 < vpnHelper> zograk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:49 < zograk> heh
12:50 < zograk> !route
12:50 < vpnHelper> zograk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:08 -!- RadarG [n=nightwol@210.124.129.119] has quit [Read error: 104 (Connection reset by peer)]
13:08 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn
13:20 < |Mike|> RadarG: works now?
13:51 -!- zograk [n=phil@unaffiliated/zograk] has quit ["Leaving"]
14:05 -!- jj_c75 [n=julio@189.173.106.208] has joined ##openvpn
14:06 < jj_c75> guys i'm new using openvpn, how can i try to connect to vpn ?
14:06 < |Mike|> with a client?
14:07 < jj_c75> i have openvpn client, comes with the fedora installation
14:10 -!- jj_c75 [n=julio@189.173.106.208] has quit [Remote closed the connection]
14:32 -!- EvilRick [n=bob@uni-238-1.uninet.co.za] has joined ##openvpn
14:34 < EvilRick> hey.. I'm using ovpn 2.1 rc19 to create a layer 2 (bridged) network. Latency with no traffic on the link is very poor and jittery. When I load up some traffic the latency comes way down. I suspect this is due to some form of packet packing.. does anyone know how to fix this?
14:34 < EvilRick> or disable the option that's causing it
14:34 < EvilRick> could it be because of my choice of cypher
15:10 -!- RadarG [n=nightwol@210.124.129.119] has quit []
15:13 -!- thedoc_ [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
15:14 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
15:47 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has quit ["Changing server"]
15:47 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has joined ##openvpn
16:29 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
16:40 -!- ruben23 [n=RPL@122.55.48.244] has joined ##openvpn
16:41 < ruben23> hi..? my openvpn failed to start--> where do i check its logs..
16:46 < EvilRick> you can check in the console if you remove "daemon" from the config file
16:47 < EvilRick> or not specify --daemon on the command line
16:47 < EvilRick> also try "verb 9" to see more logs
16:51 -!- ruben23 [n=RPL@122.55.48.244] has left ##openvpn []
17:11 < |Mike|> EvilRick: lol :p
17:27 < EvilRick> yeah.. I guess he wasn't that interested ;)
18:01 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has quit []
19:23 -!- unope [n=unop@amsterdam.perfect-privacy.com] has quit [Read error: 104 (Connection reset by peer)]
19:29 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has joined ##openvpn
20:07 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has joined ##openvpn
20:25 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has quit []
20:25 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has joined ##openvpn
20:38 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:40 -!- mirco_ [n=mirco@p54B26A8E.dip.t-dialin.net] has joined ##openvpn
20:46 -!- mirco [n=mirco@p54B23901.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:46 -!- mirco_ is now known as mirco
20:50 -!- ghoti [n=paul@38.117.126.254] has quit [Read error: 110 (Connection timed out)]
21:12 -!- master_of_master [i=master_o@p549D3DC1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D5FC9.dip.t-dialin.net] has joined ##openvpn
21:28 -!- roshenia [n=roshenia@gw.pbh.by] has joined ##openvpn
21:37 -!- unope [n=unop@amsterdam.perfect-privacy.com] has joined ##openvpn
21:51 -!- unope [n=unop@amsterdam.perfect-privacy.com] has quit ["Leaving"]
22:10 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has joined ##openvpn
22:48 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
23:30 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
23:43 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Sun Sep 13 2009
00:01 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
00:03 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:09 -!- hyper__ch [n=hyper@adsl-84-227-130-76.adslplus.ch] has joined ##openvpn
01:09 -!- hyper_ch [n=hyper@adsl-84-226-164-242.adslplus.ch] has quit [Nick collision from services.]
01:09 -!- hyper__ch is now known as hyper_ch
01:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
01:31 -!- brizly [n=brizly_v@p4FC99E45.dip0.t-ipconnect.de] has quit ["Leaving."]
01:37 -!- brizly [n=brizly_v@p4FC99E45.dip0.t-ipconnect.de] has joined ##openvpn
02:29 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
02:41 -!- pif [n=ldm@zenon.apartia.fr] has left ##openvpn []
02:42 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn
02:43 < RadarG> hmm I have a strange networking problem. I setup a wrt as a openvpn server I tested it on my network and everything worked fine however. I took it to my friends place he is in the same apartment building as me. I'm on a 210.124.xxx.xxx but when I fired up ubuntu and I tried to connect to the box with my no-ip.com account it resolves to 192.168.194.2
02:43 -!- tjz [n=tjz@bb121-7-20-94.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
02:49 < RadarG> according to no-ip.com the last update was at 2009-09-12 23:43 for IP 192.168.194.2
02:56 -!- c64zottel [n=hans@p5B17A369.dip0.t-ipconnect.de] has joined ##openvpn
02:58 -!- c64zottel [n=hans@p5B17A369.dip0.t-ipconnect.de] has left ##openvpn []
03:30 * Bushmills fails to see the problem
03:47 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
03:49 -!- Aichibo [i=Aichibo@94.196.137.61.threembb.co.uk] has joined ##openvpn
03:49 < Aichibo> Hey guys
04:00 -!- zograk [n=phil@unaffiliated/zograk] has joined ##openvpn
04:02 < Aichibo> Anyone awake? :P
04:28 < Bushmills> estimated 66% of world population
04:30 < Bushmills> had you thought for a second before asking, you could have come to the same answer
04:36 -!- RadarG [n=nightwol@210.124.129.119] has left ##openvpn []
04:45 -!- horf [n=horf@94.75.253.249] has joined ##openvpn
04:45 < horf> what is a "provider log," in reference to a VPN provider?
05:02 -!- Aichibo [i=Aichibo@94.196.137.61.threembb.co.uk] has quit [Read error: 110 (Connection timed out)]
05:07 -!- Aichibo [i=Aichibo@94.196.0.239.threembb.co.uk] has joined ##openvpn
05:48 < EvilRick> Hey.. I'm using ovpn 2.1 rc19 to create a layer 2 (bridged) network. Latency with no traffic on the link is very poor and jittery. When I load up some traffic the latency comes way down and stabilises. I suspect this is due to some form of packet packing.. Does anyone know how to fix this? Could it be my choice of cypher?
05:51 < Aichibo> Does anyone know why I'm getting "/etc/openvpn/easy-rsa/build-dh: line 7: Dhparam: command not found"?
05:58 < reiffert> EvilRick: grep proto server.conf
05:59 < reiffert> Aichibo: you didn't source the vars file.
06:00 < EvilRick> reiffert: what am I looking for? I am using TCP
06:01 < EvilRick> tcp-server.
06:02 < EvilRick> well actually the server end is the mikrotik implementation of openvpn. So I can't really look at the conf file. Is there any way for me to determine the version of the server I am connected to ?
06:02 < Aichibo> Thanks for the reply reiffert, I did source it though
06:02 < Aichibo> Did "source /etc/openvpn/easy-rsa/vars"
06:02 < Aichibo> then "/etc/openvpn/easy-rsa/build-dh
06:03 < reiffert> !tcp
06:03 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
06:04 < reiffert> EvilRick: see above
06:04 < reiffert> Aichibo: see line 7 of build-dh $OPENSSL dhparam ...
06:04 < reiffert> $OPENSSL gets set in vars file
06:05 < Aichibo> "export KEY_CONFIG="/etc/openvpn/easy-rsa/openssl.cnf""
06:05 < Aichibo> This bit?
06:05 < reiffert> export OPENSSL="openssl"
06:06 < Aichibo> Erm that's not in my VARS file
06:06 < reiffert> easy-rsa 1.0?
06:06 < reiffert> openvpn 2.0.x?
06:06 < Aichibo> It's the newest one whatever that is
06:07 < Aichibo> I just used the apt-get install openvpn
06:07 < Aichibo> but added an url to the source list
06:07 < reiffert> /usr/sbin/openvpn --version
06:07 < Aichibo> first
06:07 < Aichibo> 2.1_rc11
06:08 < reiffert> ancient. however.
06:08 < reiffert> cd /usr/share/doc/openvpn/examples/easy-rsa/2.0
06:08 < EvilRick> reiffert: I understand the TCP issues. but I get very bad, spiky latency on an unused link. This is using icmp packets so it's icmp over tcp. I then get the same issue with games, and this is UDP over TCP. As soon as I make the link busy ( I run a 200 ms interval ping with a 1500 MTU packet across it) the latency issues go away
06:08 < Aichibo> Done
06:10 < Aichibo> "deb http://www.backports.org/debian/ woody openvpn" this is where I sourced it from I think
06:10 < vpnHelper> Title: Index of /debian (at www.backports.org)
06:10 < reiffert> Aichibo: edit the vars file, follow the howto, have fun.
06:10 < reiffert> Aichibo: woody is way old, jesus!
06:10 < Aichibo> Is that why it isn't working then?
06:11 < reiffert> That's a point where you can rent me as a debian administrator...
06:11 < reiffert> s,rent,hir,
06:11 < reiffert> e
06:17 < Aichibo> Could you just help me out please?
06:28 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:41 -!- brizly [n=brizly_v@p4FC99E45.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:41 -!- brizly [n=brizly_v@p4FC993F6.dip0.t-ipconnect.de] has joined ##openvpn
07:20 < Aichibo> Anyone else have any suggestions that could help me out?
07:25 < Bushmills> Aichibo: check contents of /usr/share/doc/openvpn/examples/easy-rsa/2.0
07:31 < Aichibo> I used that vars file before but it kept coming up with an error
07:31 < Aichibo> Let me see if I can duplicate it
07:31 < Aichibo> replicate*
07:31 < Aichibo> w/e
07:33 < Aichibo> Right, I'm going to start from the beginning
07:33 < Aichibo> Where should I source the program from?
07:33 < Aichibo> Just leave the sources.list as is and apt-get install openvpn?
07:35 < Bushmills> Aichibo: check contents of /usr/share/doc/openvpn/examples/easy-rsa/2.0
07:35 < Aichibo> I did go there o.0
07:36 < Bushmills> the script you're looking for might be there
07:36 < Aichibo> Ok
07:37 < Bushmills> but that's something you should know, after all, you went there, you say. but only after looking, one can tell.
07:39 < Aichibo> Ok, grabbed all that
07:40 < Aichibo> I had a custom config in there before
07:40 < Aichibo> Which is probably why it was breaking
07:40 < Aichibo> I have the export OPENSSL="openssl" bit in vars now
07:40 < Aichibo> Reiffert was talking about it before
07:40 < Aichibo> Should I change it?
07:43 < Aichibo> There we go, this is where I got stuck last time
07:44 < Aichibo> With that config from the usr/share/doc examples it comes up with "Please edit the vars script to reflect your configuration
07:44 < Aichibo> but the thing is, I have edited it..
08:12 -!- hanen [n=hanen@41.226.123.221] has joined ##openvpn
08:19 -!- hanen [n=hanen@41.226.123.221] has quit [Read error: 60 (Operation timed out)]
08:20 -!- Aichibo [i=Aichibo@94.196.0.239.threembb.co.uk] has quit []
08:30 < |Mike|> you have to export the vars...
08:46 -!- Matir [n=david@c-98-251-88-239.hsd1.ga.comcast.net] has quit [Remote closed the connection]
08:51 -!- Matthews [i=matthews@support.team.at.shellium.org] has joined ##openvpn
08:51 < Matthews> !topology
08:51 < vpnHelper> Matthews: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:21 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
09:57 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
10:33 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
10:35 -!- Matthews [i=matthews@support.team.at.shellium.org] has left ##openvpn []
10:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
11:20 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
11:22 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
11:39 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:39 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
12:16 -!- zograk [n=phil@unaffiliated/zograk] has quit ["Leaving"]
12:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
12:55 -!- mbrevda [n=mbrevda@unaffiliated/mbrevda] has quit [Nick collision from services.]
12:55 -!- [1]mbrevda [n=mbrevda@94.159.178.227] has joined ##openvpn
13:58 -!- mirco [n=mirco@p54B26A8E.dip.t-dialin.net] has quit [Remote closed the connection]
14:12 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:12 * Dougy beats krzie
14:31 -!- dupondje [n=dupondje@d51A550F9.access.telenet.be] has quit ["Ik ga weg"]
15:07 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has joined ##openvpn
15:12 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has joined ##openvpn
15:12 < Darkclaw66> is there any point using openvpn for email that is already using SSL via postfix (25)/dovecot(993)
15:12 < Darkclaw66> it would essentially be double encrypted, but is that necessary?
15:13 < Darkclaw66> also the client complains if I do have it go through the openvpn, since the IP doesnt match the SSL certificate
15:19 < Bushmills> Darkclaw66: simplifies relay control
15:20 < Bushmills> (you can simply specify openvpn net as mynetworks)
15:32 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 104 (Connection reset by peer)]
15:38 < Darkclaw66> Bushmills are you advocating using openvpn for postfix/dovecot?
15:39 < Bushmills> not the one nor the other. there are situations where running mail over openvpn is useful, and sometimes it isn't. depends on your case.
15:40 < Bushmills> i merely answered your question "is there any point" by giving an example for a point.
15:42 < Darkclaw66> well, I just need to know if theres any point
15:43 < Bushmills> ok. yes, there is.
15:47 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
15:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:53 -!- money [n=money@unaffiliated/money] has joined ##openvpn
15:54 < money> !configs
15:54 < vpnHelper> money: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:54 < money> !howto
15:54 < vpnHelper> money: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:56 < money> i have been using hamachi
15:56 < money> looking to setup openvpn
16:03 < Bushmills> you found it, the howto
16:04 < money> it's very complicated
16:04 < money> btw, will the VPN client built-in to windows work w/ openvpn?
16:05 < Bushmills> is there an openvpn client in windows?
16:06 -!- [1]mbrevda [n=mbrevda@94.159.178.227] has left ##openvpn []
16:06 < reiffert> money: windows supports ipsec and pptp. it does not work with openvpn natively.
16:08 < reiffert> thats why there is an openvpn client for windows which you can get on the homepage.
16:09 < money> yeah, i saw it. it's horribly ugly.
16:09 < money> looks like it was designed back in 1995 lol
16:10 < reiffert> because of?
16:10 < money> http://openvpn.se/
16:10 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
16:10 < money> is that it?
16:11 < reiffert> yes and no. Thats the former site. it got integrated into openvpn recently.
16:11 < reiffert> !download
16:11 < vpnHelper> reiffert: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html
16:11 < money> oh?
16:11 < reiffert> be sure to fetch 2.1
16:11 < Bushmills> GUI != client
16:12 < money> installing it now
16:12 < reiffert> be sure to follow the howto.
16:12 < money> i wish something existed like hamachi
16:12 < money> but where the server is hosted by you
16:12 < Bushmills> but hamachi exists
16:13 < reiffert> hosted by me or by Bushmills?
16:13 < reiffert> (we sure both do, hehe)
16:13 < money> :-P
16:13 < Bushmills> boy talks with lines split by CR
16:13 < Bushmills> never knows when a sentence is finished that way :P
16:14 < reiffert> r u sure?
16:14 < Bushmills> (y/n)
16:14 < reiffert> it looks good to me, though
16:14 < money> the openvpn gui looks terrible in windows7
16:14 < money> the icon isn't even the right size
16:14 < money> it looks like something out of windows95
16:14 < reiffert> money: yeah, thats sooo important.
16:15 < money> no
16:15 < reiffert> feel welcome to improve the icon, send it to the devel mailinglist.
16:15 < money> but aesthetics are somewhat important
16:16 < money> do most people use the openvpn client?
16:16 < Bushmills> no. most people don't use openvpn at all
16:16 < money> why are you being a moron?
16:16 < reiffert> Bushmills is right.
16:17 < Bushmills> because I like to put people on /ignore if they come with that
16:17 < money> what a fucktard
16:18 < reiffert> money: look, "most people" is somewhat close to 3.000.000.000 people.
16:18 < money> the *obvious* implication was that i was talking about openvpn users
16:18 < money> for those who use openvpn, do most use the gui...?
16:19 < reiffert> money: I dont think so, you forgot to reduce the user community down to windows users.
16:19 -!- oliv [n=olivier@88.207.184.91] has joined ##openvpn
16:19 < reiffert> which we both, Bushmills and I, really cant tell you.
16:19 < money> for employees on the road
16:19 < money> using windows machines
16:19 < money> would the GUI be the best bet?
16:20 < reiffert> depends.
16:20 < money> on?
16:20 < reiffert> there are CLI junkies out there, I really cant tell you. I'd say try it out.
16:21 < reiffert> but if you think a windows 95 GUI-logo will scare people, then dont use it.
16:21 < money> it's just sad...
16:21 < reiffert> or .. maybe replace it with your company logo
16:21 < money> it takes all of 10 minutes to clean the aesthetics up
16:21 < reiffert> money: yeah, it's sooo sad the pescarolo got into engine troubles today.
16:24 < oliv> Hi, I set a vpn between two linux boxes, A, B. I set a route for a particular IP on A. On B I set iptables to accept and forward everything from tun0. I can see packets are going from tun0->eth0 on B. But nothing else. Any thought ?
16:24 < reiffert> Actually I think it was the gearbox.
16:24 < reiffert> oliv: do you think that using the windows openvpn GUI would help you here?
16:25 < reiffert> !factoids search nat
16:25 < vpnHelper> reiffert: 'nat', 'linnat', 'winnat', 'fbsdnat', 'pfnat', 'freebsdnat', and 'bsdnat'
16:25 < reiffert> !linnat
16:25 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
16:25 < oliv> reiffert: No, is it this forum dedicated to gui ?
16:26 < reiffert> oliv: just kidding ;)
16:26 < oliv> reiffert: ha ha ! (-:
16:28 < oliv> reiffert: Is nat the solution ?
16:29 < reiffert> oliv: you wouldn't ask here if you got more knowledge about routing, would you?
16:32 < oliv> reiffert: I am confused. I think I mixed some basics. I first thought about nat but ... I do not see the necessity of simple IP forwarding. In which case is it supposed to be used ?
16:35 < reiffert> you typically use nat when you cant manage to get routing done, because of private addresses and/or you want to hide/masq multiple hosts.
16:35 < oliv> reiffert: gggg... of course I used a private address. /-: cheers
16:42 < oliv> a simple one too... i suppose. on A i want the client.conf automatically set the routes for me. I manually do 1:"route add $vpn_server gw $local_gw_ip $eth_tun" 2:"route del default" 3:"route add default gw 10.8.0.6 tun0" is there a simpler way to do it ?
16:42 < Bushmills> !redirect
16:42 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:43 < reiffert> !def1
16:43 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:43 < oliv> cheers all.
17:06 < oliv> Simple measurement of performance (wget -m -l2) shows going through openvpn doubles the time of data access. Do you have any idea on how to change the configuration (openvpn, nat, interfaces...) in order to increase performance ?
17:06 < oliv> first thought is to decrease the mtu of the vpn link
17:08 < reiffert> proto udp?
17:22 -!- oliv [n=olivier@88.207.184.91] has quit [Read error: 110 (Connection timed out)]
--- Log closed Sun Sep 13 17:28:44 2009
--- Log opened Sun Sep 13 17:28:48 2009
17:28 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
17:28 -!- Irssi: ##openvpn: Total of 75 nicks [0 ops, 0 halfops, 0 voices, 75 normal]
17:29 -!- Irssi: Join to ##openvpn was synced in 22 secs
17:30 -!- oliv [n=olivier@sd-10781.dedibox.fr] has left ##openvpn []
17:47 < |Mike|> AHOY
17:47 < |Mike|> no questions, ?
17:54 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has quit [Connection reset by peer]
17:55 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has joined ##openvpn
18:32 -!- epaphus [n=unix3@201.199.62.74] has left ##openvpn ["Leaving"]
18:39 < reiffert> |Mike|: what time is it?
18:40 < reiffert> |Mike|: how many tons of cosmic dust get to earth every nanosecond?
18:41 < reiffert> |Mike|: Where exactly will I have to point my laser at when I want to hit the reflector placed on moon and what laser power should I use at a minimum?
18:44 < EvilRick> 1:47:35 GMT+2 - .000000000432 Tons - Mare Tranquilitas 16.3177, -23.22743@1.6Watts :)
18:48 < reiffert> your computer clock is off by many minutes ...
18:48 < EvilRick> all my answers are off by many other units :)
18:48 < reiffert> mhm, 1.6 Watts sound unbuyable on dealextreme ...
18:50 < EvilRick> well the power you need will be directly related to the laser's coherence, the quality of the optics and the sensitivity of the receiver
18:53 < reiffert> .. when ignoring those air inbetween
18:58 < reiffert> "At the Moon's surface, the beam is only about 6.5 kilometers (four miles) wide[2] and scientists liken the task of aiming the beam to using a rifle to hit a moving dime 3 kilometers (two miles) away. The reflected light is too weak to be seen with the human eye, but under good conditions, one photon will be received every few seconds (they can be identified as originating from the laser because the laser is highly monochromatic)."
19:07 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
20:33 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:49 -!- horf [n=horf@94.75.253.249] has quit []
20:56 -!- blaker [n=money@28.208.128.131.reshall.uri.edu] has joined ##openvpn
21:04 -!- trnzmeta [n=bleh@secure27.lnk.telstra.net] has joined ##openvpn
21:04 < trnzmeta> anyone have any openvpn mon.d scripts that go beyond testing ports?
21:06 -!- kt7 [n=money@131.128.208.145] has joined ##openvpn
21:14 -!- money [n=money@unaffiliated/money] has quit [Read error: 110 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D5FC9.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- blaker [n=money@28.208.128.131.reshall.uri.edu] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D44F8.dip.t-dialin.net] has joined ##openvpn
21:16 -!- money [n=money@114.208.128.131.reshall.uri.edu] has joined ##openvpn
21:16 -!- money [n=money@114.208.128.131.reshall.uri.edu] has quit [Client Quit]
21:24 -!- kt7 [n=money@131.128.208.145] has quit [Read error: 145 (Connection timed out)]
21:50 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
21:50 < Voziv> !route
21:50 < vpnHelper> Voziv: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:51 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has joined ##openvpn
21:52 < Shaun2222> i remember way back there was some type of kernel module or hack to openvpn to allow a native windows client to work. I want to say it was called something like mmpoe.. Anybody know what i'm talking about?
22:10 < Voziv> I see a lot of references to ccd/client1, what is that? Should I be making a folder called ccd in my openvpn directory and making a file named client1?
22:13 < Dougy> Voziv: not 'client1'
22:13 < Dougy> that's an example of a cert
22:14 < Dougy> if your cert(s) are google yahoo facebook then it'd be ccd/google ccd/yahoo ccd/facebook
22:14 < Dougy> etc
22:14 < Voziv> Cert? you put iroute into a cert? o.O
22:14 < Dougy> no
22:14 < Dougy> iroute goes in the ccd entry
22:14 < Dougy> i was referring to the name of the files in the ccd folder
22:15 < Voziv> ah nvm, i got things mixed up, makes more sense
22:16 < Voziv> this is a nightmare only because I don't know that much about networking
22:18 < Darkclaw66> is there any point using openvpn for email that is already using SSL via postfix (25)/dovecot(993)
22:18 < Darkclaw66> it would essentially be double encrypted, but is that necessary?
22:18 < Darkclaw66> also the client complains if I do have it go through the openvpn, since the IP doesnt match the SSL certificate
22:18 < Darkclaw66> but my actual question is if its already SSL encrypted, what would be the point of using OpenVPN?
22:19 < Voziv> To be able to route behind the open vpn server... so i.e. Client -> Server -> Internal network, what exactly do I need in terms of push route?
22:20 < Darkclaw66> but its really not being routed to the VPN server is it? it still has to go through the WAN routers
22:23 -!- Harakkis [i=Kapapa@88.80.28.50] has joined ##openvpn
22:23 < Harakkis> hi
22:23 < Harakkis> anyone here experienced in openvpn can help a newbie? i got the tunnel up but i have a more advanced question
22:26 < Harakkis> !howto
22:26 < vpnHelper> Harakkis: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:27 < Voziv> Hmm, can anyone explain the 2 different ips in " route 10.1.0.0 255.255.255.0 10.1.0.1" for me, if you could
22:28 < Voziv> is it network netmask gateway?
22:42 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:52 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:52 -!- Darkclaw66 [n=fortness@unaffiliated/darkclaw66] has quit []
23:25 -!- Harakkis [i=Kapapa@88.80.28.50] has quit [Read error: 113 (No route to host)]
23:30 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit []
--- Day changed Mon Sep 14 2009
00:19 -!- roentgen [n=HaRT@psw.ro] has joined ##openvpn
00:28 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has quit [Read error: 104 (Connection reset by peer)]
00:28 -!- Shaun2222 [n=Shaun222@staff.ndchost.com] has joined ##openvpn
01:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [No buffer space available]
01:08 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:15 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has quit [Remote closed the connection]
01:17 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit ["Reconnecting"]
01:17 -!- misse- [i=misse@misse.org] has joined ##openvpn
01:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:27 -!- Gnewt [n=hackerle@64.62.228.94] has joined ##openvpn
01:49 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:52 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 105 (No buffer space available)]
02:35 -!- thedoc [n=zing@69.10.59.166] has joined ##openvpn
02:40 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
02:50 -!- trnzmeta [n=bleh@secure27.lnk.telstra.net] has quit []
02:58 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Snadder, Blu3, stein0, exks, eliasp, chantra, DigitalFlux-AFK
02:58 -!- exks_ [n=ecks@d24-150-143-227.home.cgocable.net] has joined ##openvpn
02:58 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
02:59 -!- exks_ is now known as exks
02:59 -!- Blu3` [i=david@blue-labs.org] has joined ##openvpn
02:59 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn
03:04 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has joined ##openvpn
03:10 -!- kaushal [n=kaushal@64.124.122.228] has joined ##openvpn
03:10 < kaushal> hi
03:10 < kaushal> anyone here using gopenvpn ?
03:12 < reiffert> We are using Cisco VPN, thats why this channel got named after it.
03:12 < dazo> kaushal: you have been given the SAME information again and again and again and again .... and I even see you on the mailing list as well .... start reading the documentation ... now! .... It is clearly explained there .... and gopenvpn is JUST A FRONTEND to openvpn .... gopenvpn USES openvpn
03:13 < dazo> kaushal: your issue IS NOT gopenvpn .... it is a pure openvpn configuration issue ... and that has been pointed out by several on this channel as well
03:18 < krzee> or join #gopenvpn ;]
03:28 < kaushal> dazo: sorry was away
03:29 < kaushal> dazo: it works perfectly fine with Network-manager-openvpn applet
03:29 < dazo> kaushal: because NM-openvpn applet works differently! It creates openvpn config on the fly .... while gopenvpn REQUIRES YOU to have created the needed config file first
03:30 < dazo> NM-openvpn got its own (crappy) config editor .... while gopenvpn does not have that
03:31 < kaushal> dazo: i followed your link too
03:31 < dazo> gopenvpn fires up your favourite editor
03:31 < kaushal> domain.up and domain.down
03:31 < kaushal> it somehow does not work
03:31 < dazo> kaushal: and if that does not work for you ... YOU have done something wrong ... because that works for a lot of people
03:32 < dazo> kaushal: forget about gopenvpn now .... try to get openvpn to connect and work as you want from the command line .... THEN you can think about gopenvpn
03:33 < kaushal> dazo: sure as i said it works perfectly fine when i run sudo openvpn --config abc.opvn and xyz.opvn
03:34 < kaushal> i am able to connect successfully
03:34 < kaushal> it connects to both the vpn servers
03:34 < kaushal> perfectly
03:35 < dazo> kaushal: you need to make sure that your scripts are as instructed ... that they have the needed permissions and that execute permissions are correct .... you need to make sure you have openvpn-down-root.so and that the path to this is correct - and that the permissions are correct .... and you need to make sure your --script-security level is set correctly in your config
03:36 < dazo> kaushal: when you run openvpn via gopenvpn .... is openvpn started with root privileges?
03:36 < kaushal> dazo: please give me a moment
03:37 < kaushal> ah ok
03:37 < kaushal> its started as normal user
03:37 < kaushal> is that the issue ?
03:37 < dazo> yes, most probably
03:46 -!- kaushal [n=kaushal@64.124.122.228] has quit [Read error: 104 (Connection reset by peer)]
04:07 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
04:08 -!- bill_ [n=bill@h231.102.140.67.dynamic.ip.windstream.net] has joined ##openvpn
04:10 -!- bill_ [n=bill@h231.102.140.67.dynamic.ip.windstream.net] has left ##openvpn ["Konversation terminated!"]
04:13 -!- kaushal [n=kaushal@64.124.122.228] has joined ##openvpn
04:13 < kaushal> hi again
04:13 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
04:13 < kaushal> the issue is that i am able to connect it through IP and not with the name ?
04:13 < kaushal> I mean hostname
04:14 < kaushal> using gopenvpn
04:14 < kaushal> i could see in the daemon.log file the DNS server getting populated too
04:15 < kaushal> while connecting using gopenvpn
04:15 < kaushal> any clue ?
04:19 < kaushal> dazo: you around ?
04:21 < kaushal> http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html says updated UPDATE 2008/07/11
04:21 < vpnHelper> Title: Phocean.net » OpenVPN and DNS on a linux client (at www.phocean.net)
04:21 < kaushal> which init scripts is he referring to ?
04:23 < kaushal> i also that domain.up script is not formatted properly
04:25 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
04:25 < kaushal> i am really really stuck
04:27 < kaushal> set | sed -n "s/^foreign_option_.* DNS \(.*\)'/nameserver \1/; T next; p;:next; s/^foreign_option_.* DOMAIN \(.*\)'/domain \1/; T; p;" | resolvconf -a $DEV ?
04:27 < kaushal> is this line correct ?
04:30 -!- c64zottel [n=hans@p5B17B228.dip0.t-ipconnect.de] has joined ##openvpn
04:31 -!- kaushal [n=kaushal@64.124.122.228] has quit ["leaving"]
04:37 -!- kaushal [n=kaushal@125.22.61.162] has joined ##openvpn
04:38 < kaushal> i added domain.up and domain.down and chmod 755 it as per that url
04:38 < kaushal> still no luck
04:38 < kaushal> added client.conf too
04:39 < kaushal> i have satisfied all the conditions as per that url
04:39 < kaushal> but still i am facing the DNS issue
04:41 < kaushal> I have tried all the advice from this channel
04:41 < kaushal> let me know what am i missing ?
04:45 < Bushmills> kaushal: you're executing a script upon connection on client side which updates your resolv.conf?
04:48 -!- kaushal_ [n=kaushal@64.124.122.228] has joined ##openvpn
04:49 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 105 (No buffer space available)]
04:49 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
04:52 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
04:56 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
04:57 -!- kaushal_ [n=kaushal@64.124.122.228] has quit ["leaving"]
04:57 -!- kaushal [n=kaushal@125.22.61.162] has quit [Nick collision from services.]
04:58 -!- kaushal [n=kaushal@64.124.122.228] has joined ##openvpn
04:59 < kaushal> sorry got disconnected
04:59 < kaushal> please suggest
05:01 < Bushmills> kaushal: you're executing a script upon connection on client side which updates your resolv.conf?
05:01 < kaushal> yeah
05:01 < Bushmills> does the script actually get executed?
05:01 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
05:01 < kaushal> Bushmills: sorry about it
05:02 < Bushmills> (you have set script-security in your config?)
05:02 < kaushal> let me check by running it by hand
05:02 < kaushal> you mean in abc.opvn
05:02 < kaushal> ?
05:02 < Bushmills> !script-security
05:02 < vpnHelper> Bushmills: Error: "script-security" is not a valid command.
05:02 < Bushmills> factoids search script-security
05:02 < Bushmills> !factoids search script-security
05:02 < vpnHelper> Bushmills: No keys matched that query.
05:03 < Bushmills> oh well. it is explained in the man page
05:03 < kaushal> sure
05:03 < Bushmills> therefore, does the script actually get executed?
05:04 < kaushal> ./domain.down
05:04 < kaushal> resolvconf: Error: /etc/resolv.conf must be a symlink
05:05 < kaushal> so it should be a symlink to which file name ?
05:05 < kaushal> is it /etc/resolvconf/resolvconf.d/resolv.conf ?
05:05 < Bushmills> looks wrong. that symlink issue seems a matter of resolvconf, can't tell you bout that.
05:06 < Bushmills> maybe there is #resolvconf with folks who know about resolvconf
05:07 < Bushmills> (i just know that i threw it off my system because it kept messing up my resolver configuration)
05:09 < Bushmills> i let system do resolving through a recursive DNS, which queries through whatever route is default, no matter how i'm connected.
05:10 -!- kaushal [n=kaushal@64.124.122.228] has quit [Read error: 104 (Connection reset by peer)]
05:12 -!- kaushal [n=kaushal@125.22.61.162] has joined ##openvpn
05:12 < kaushal> http://paste.ubuntu.com/270792/
05:13 < kaushal> Bushmills: http://paste.ubuntu.com/270792/
05:14 < kaushal> Bushmills: http://paste.ubuntu.com/270792/
05:14 < Bushmills> resolvconf: Error: No interface name specified ... clearly looks like a config error in your resolvconf configuration
05:14 < Bushmills> i guess you better fixt that
05:14 < Bushmills> fix
05:15 < kaushal> Bushmills: any example ?
05:15 < kaushal> not sure i understand that
05:16 < Bushmills> you need somebody more resolvconf savvy than I am. unlikely that you find those folks here
05:16 < Bushmills> try #ubuntu or #dns or related
05:18 < Bushmills> or consider to run a local recursor instead. maradns or dnscache should be good choices.
05:31 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
05:33 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:54 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Remote closed the connection]
06:08 -!- kaushal_ [n=kaushal@64.124.122.228] has joined ##openvpn
06:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:12 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
06:21 -!- kaushal [n=kaushal@125.22.61.162] has quit [Read error: 110 (Connection timed out)]
06:22 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
06:32 < ecrist> good morning
06:34 -!- DigitalFlux-AFK [n=DigitalF@unaffiliated/digitalflux] has left ##openvpn []
06:34 -!- kaushal_ [n=kaushal@64.124.122.228] has quit [Read error: 104 (Connection reset by peer)]
06:38 -!- kaushal [n=kaushal@125.22.61.162] has joined ##openvpn
06:38 < kaushal> hi
06:38 < kaushal> i got to know the issue now
06:38 < kaushal> basically there is a script called update-resolv-conf which needs to be called
06:39 < kaushal> in client configs
06:40 < kaushal> my question is http://paste.ubuntu.com/270831/
06:41 < kaushal> where exactly i need to configure in the client configs ?
06:41 < kaushal> can i set it anywhere in the client configs ?
06:41 < ecrist> yes
06:41 < ecrist> the configs do not need to be in any order
06:41 < kaushal> oh ok
06:41 < kaushal> understood
06:41 < kaushal> Let me try it now
06:42 < kaushal> sorry for bugging all of you here
06:42 < kaushal> apology
06:43 < kaushal> # foreign_option_1='dhcp-option DNS 193.43.27.132'
06:43 < kaushal> can i specify example.com also ?
06:44 < kaushal> I mean # foreign_option_1='dhcp-option DNS example.com' ?
06:46 < ecrist> sure
06:46 < ecrist> you can specify a search string, just be sure to account for it in your script
06:47 < kaushal> foreign_option_1='dhcp-option search example.com' ?
06:47 < kaushal> am i correct ?
06:48 < ecrist> sure, I think that will work
06:50 -!- eliasp_ [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
06:50 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
06:55 -!- brizly [n=brizly_v@p4FC993F6.dip0.t-ipconnect.de] has quit [Connection timed out]
06:56 -!- kaushal [n=kaushal@125.22.61.162] has quit [Read error: 113 (No route to host)]
06:58 -!- brizly [n=brizly_v@p4FC98F84.dip0.t-ipconnect.de] has joined ##openvpn
07:10 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: xenophile7x7, krzie, bauruine, Blu3`, mrnice1, garnser
07:11 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has joined ##openvpn
07:12 -!- Netsplit over, joins: bauruine, Blu3`, xenophile7x7, mrnice1, garnser, krzie
07:12 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood]
07:12 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn
07:13 < Nirkus> hi! are there any cell phones known to run OpenVPN as a client?
07:20 -!- Blu3` is now known as Blu3
07:20 -!- psychoschlumpf [i=lars@fu/coder/psychoschlumpf] has left ##openvpn []
07:31 -!- kaushal [n=kaushal@125.22.61.162] has joined ##openvpn
07:32 < kaushal> ecrist: it worked like a charm
07:32 < kaushal> Thanks ecrist dazo krzee
07:32 < kaushal> :)
07:45 -!- thedoc [n=zing@69.10.59.166] has joined ##openvpn
07:52 < kaushal> ecrist: when i select checkbox on gopenvpn for connecting it automatically, it does not work
07:53 < kaushal> it unchecks again :(
07:53 < kaushal> is that feature not available ?
07:55 -!- RadarG [n=nightwol@210.124.129.119] has joined ##openvpn
07:55 < RadarG> cool bean my openwrt openvpn server is working!!!
07:59 < RadarG> now I just need to fix the 20 little things and then its ready to ship to the states
07:59 < dazo> RadarG: openwrt + openvpn is a good combo :)
07:59 < RadarG> I'll post my configs for review I know I can tweak it a bit
08:01 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Blu3, xenophile7x7, krzie, bauruine, garnser, mrnice1
08:01 < RadarG> http://pastebin.com/d78e62d44 client config
08:02 -!- Netsplit over, joins: bauruine, Blu3, mrnice1, garnser, krzie
08:04 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
08:04 < RadarG> http://pastebin.com/d6312f177 server config
08:05 < RadarG> i found a few errors could you guys tell me what else I should put in there
08:05 -!- kaushal [n=kaushal@125.22.61.162] has quit ["leaving"]
08:06 < RadarG> the server's lan can not ping 254.1 or .254.2 but the clients lan can ping 254.1 and 254.2
08:07 < RadarG> the clients lan is 192.168.200.0 and it can ping the servers lan 192.168.1.0
08:08 < RadarG> any room for improvements?
08:15 < RadarG> Will the openvpn server respond to a push route from the client?
08:15 < RadarG> iroute
08:15 < RadarG> !iroute
08:15 < vpnHelper> RadarG: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:16 < RadarG> !ccd
08:16 < vpnHelper> RadarG: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
08:17 < RadarG> hmm should that "route 192.168.200.0 255.255.255.0" have been iroute but I dont have a common name I'm using a static key
08:23 < Optic> mooo
08:24 < RadarG> moo
08:26 < dazo> RadarG: iroute doesn't need to be inside ccd ... it can be in the normal config as well
08:27 < RadarG> what type of cipher should I use for this wrt what can it handle?
08:28 < RadarG> i thought iroute used a config file that had the clients lan on it
08:28 < dazo> iroute is when you want to route network behind the openvpn client
08:28 < dazo> to the server side
08:29 < dazo> ciphers ... if you use blowfish, that's usually strong enough and don't require too much resources
08:29 < ecrist> it's just usually done in a client-config
08:30 < thedoc> ergh.
08:30 < thedoc> I have half a mind to blow up a customer's site right now.
08:30 < thedoc> This is fucking ridiculous.
08:31 < dazo> thedoc: I dare you
08:31 < dazo> ;-)
08:31 < thedoc> dazo> I'm contemplating on null routing based on a misconfiguration on their cisco routers.
08:31 < thedoc> and do a /wave
08:32 < thedoc> zebra + ospf + /wave
08:32 < RadarG> doesnt open vpn use blowfish by default? If so is my link using blowfish even though I dont have a cipher line in my configs?
08:33 < dazo> RadarG: if you have verb 3 or more, you'll see which cipher being used, iirc 08:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 08:34 < RadarG> The problem that I run into is that I dont have a lot of room for the logs on my wrt 08:37 < RadarG> here are the new configs: client config http://pastebin.com/d79e4cd81 server config http://pastebin.com/d2ebf9454 08:44 < RadarG> I'm getting "Bad LZO decompression header byte: 42" on the client logs 08:48 -!- thedoc is now known as theDoc 08:51 < ecrist> Nirkus: yes, I think they have it running on windows mobile, Palm Pre, and iPhone 08:57 < Nirkus> ecrist: do you have some link on that? :) 09:01 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has joined ##openvpn 09:02 < RadarG> since I only have one client on my vpn server can i do without the client-to-client line? 09:06 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 09:07 < dazo> RadarG: yes 09:07 < dazo> (without, yes) 09:07 < RadarG> thanks 09:12 < ecrist> Nirkus: nope, you can check the logs here for info, though 09:12 < ecrist> !irclogs 09:12 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 09:18 -!- jgarvey [n=jgarvey@cpe-098-026-065-013.nc.res.rr.com] has joined ##openvpn 09:36 < jgarvey> I've got openvpn working on my laptop when I use my wireless dd-wrt router. However, I'd like my laptop to have the same IP address on the wired network as the wireless network. 
09:37 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 09:37 < jgarvey> I can get openvpn to assign an unused IP address on the same subnet I need to be on, but what I really need is a way to get a specific address 09:38 < jgarvey> I can't seem to find anything about this. 09:38 < jgarvey> Am I simply going to have to work around openvpn and set up a bridge to a virtual device with the same address, or is there a better solution with vpn? 09:39 < jgarvey> s/same/desired/ 09:40 < jgarvey> am I suffering from the normal new user problems and simply missed something in all the docs? 09:47 < Bushmills> !ccd 09:47 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 09:48 < Bushmills> !ifconfig 09:48 < vpnHelper> Bushmills: "ifconfig" is usage: ifconfig l rn | Set TUN/TAP adapter parameters. l is the IP address of the local VPN endpoint. For TUN devices, rn is the IP address of the remote VPN endpoint. For TAP devices, rn is the subnet mask of the virtual ethernet segment which is being created or connected to. 09:48 < Bushmills> jgarvey: ^^^^^ 09:56 < |Mike|> reiffert: lol :p 09:59 -!- RadarG [n=nightwol@210.124.129.119] has quit [] 10:14 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 10:27 -!- Shaun2222 [n=Shaun222@staff.ndchost.com] has quit [Read error: 110 (Connection timed out)] 10:46 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 10:46 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit] 10:48 < jgarvey> !ccd 10:48 < vpnHelper> jgarvey: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 10:49 -!- achilles [n=achilles@62.90.142.81] has joined ##openvpn 10:49 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:50 < achilles> hello I have site to site VPN, I have a problem in transporting RTSP ( UDP 554) , no iptables no filtration, all other protocols pass, does anybody have any idea why that is ? 10:50 < achilles> thank you! 10:51 < achilles> and I use UDP to setup my vpn, with PSK 10:55 < reiffert> same reasons as go for: 10:55 < reiffert> !tcp 10:55 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 10:56 -!- BingO [n=BingO_@h-236-48.A193.priv.bahnhof.se] has joined ##openvpn 10:56 < BingO> Hii Rooom !!! 10:56 < BingO> i wanted to ask few things 10:57 < jgarvey> Bushmills: thanks for the pointer, that's probably enough of a clue for me to get it working. There's so little written on it, I can see how I missed it. 10:57 < BingO> can OPENVPN connect with Cisco VPN devices which are on the other End `??? 10:58 < BingO> i meant if one end is using OPENVPN and other End is using Cisco Routers for VPN then both can communicate ? 11:00 < krzee> BingO, 11:00 < krzee> !notcompat 11:00 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 11:02 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:02 -!- A-KO^ [n=ako@neo.maryland2600.org] has joined ##openvpn 11:03 < reiffert> !factoids search compat 11:03 < vpnHelper> reiffert: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... 
openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 11:03 < reiffert> !factoids search vpn 11:03 < vpnHelper> reiffert: 'vpn', 'notopenvpn', and 'notovpn' 11:03 < A-KO^> Does anyone know how to get Windows Vista/7 firewall to correctly identify the openvpn network? I tried setting a manual gateway on the TAP interface but it didn't work. 11:03 -!- BillyCrook [n=BillyCro@72.22.210.100] has joined ##openvpn 11:04 -!- explore [n=msparker@pool-173-57-115-183.dllstx.fios.verizon.net] has quit ["leaving"] 11:05 < reiffert> !notopenvpn 11:05 < vpnHelper> reiffert: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 11:06 < reiffert> !notovpn 11:06 < vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 11:06 < reiffert> !vpn 11:06 < vpnHelper> reiffert: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 11:08 < EvilRick> A-KO^: what is your exact problem? 11:08 < EvilRick> I am running W7 and have no real problems 11:10 -!- bauruine [n=bauruine@188.60.203.133] has joined ##openvpn 11:10 -!- Shaun2222 [n=Shaun222@staff.ndchost.com] has joined ##openvpn 11:10 < A-KO^> EvilRick: I'm trying to configure firewall rules for my openvpn connection, and it auto identifies it as a "public" network, and won't let me change it. 11:11 < A-KO^> which means it's getting the public profile rules, which is not what I want--I need it to identify that connection as private 11:11 < EvilRick> there is 1 issue with layer2 networks and the broadcast/multicast route metrics needing tweaking. windows only broadcasts on 1 interface for some weird reason. 
Every ethernet interface in your system should have a broadcast route entry (check with "route print"). on W7 and vista the metric for the ovpn adapter is lower than the ethernet adapter 11:11 < EvilRick> A-KO^: Ok well I disabled my firewall so hence no problem.. my router is my firewall ;) 11:11 < A-KO^> eh 11:11 < EvilRick> but I am sure you can go in and specify the network the interface is on 11:11 < A-KO^> I tried that 11:12 < A-KO^> it doesn't work until it "identifies" the network 11:12 < A-KO^> :P 11:12 < A-KO^> maybe there's a reg key somewhere 11:12 < EvilRick> what version are you running? 11:13 -!- zuez [n=sf@catalyst.httpd.org] has quit ["."] 11:17 < EvilRick> my ovpn adapter is being shown as being part of an "unidentified network (public network)" 11:18 < EvilRick> but its just a text tag that can be changed 11:20 -!- A-KO^ [n=ako@neo.maryland2600.org] has quit [Read error: 60 (Operation timed out)] 11:24 -!- EvilRick [n=bob@uni-238-1.uninet.co.za] has quit [] 11:27 -!- BingO [n=BingO_@h-236-48.A193.priv.bahnhof.se] has quit [Read error: 110 (Connection timed out)] 11:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:37 -!- xp_prg [n=xp_prg3@c-67-188-6-132.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 11:40 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 12:03 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:03 -!- moldenau1r [n=vindex@fencepost.gnu.org] has joined ##openvpn 12:11 < achilles> reiffert, I don't use TCP for tunneling, I set up the tunnel using UDP 12:12 < reiffert> achilles: come on ... tcp over tcp == udp over udp 12:13 < achilles> reiffert, I see, you advise then to use TCP tunnel 12:13 < achilles> but this will be an overhead for real time streaming 12:13 < achilles> isn't it ? 
12:15 -!- moldenauer [n=vindex@unaffiliated/moldenauer] has quit [Read error: 110 (Connection timed out)] 12:29 -!- Shaun2222 [n=Shaun222@staff.ndchost.com] has quit [Read error: 110 (Connection timed out)] 12:29 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has joined ##openvpn 12:33 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:57 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 12:58 < _markus> !route 12:58 < vpnHelper> _markus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:04 -!- BillyCrook [n=BillyCro@72.22.210.100] has quit [Remote closed the connection] 13:04 -!- BillyCrook [n=BillyCro@72.22.210.100] has joined ##openvpn 13:07 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 104 (Connection reset by peer)] 13:11 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 13:14 -!- markus___ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 13:15 < _markus> !howto 13:15 < vpnHelper> _markus: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:15 < _markus> !redirect 13:15 < vpnHelper> _markus: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
13:15 < _markus> !ipforward 13:15 < vpnHelper> _markus: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 13:15 < _markus> !linipforward 13:15 < vpnHelper> _markus: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:28 -!- SJr [n=sjr@128.189.79.114] has joined ##openvpn 13:28 < BillyCrook> The helperbot should devoice people after telling them to read and not skim, and PM them with a quiz over the material before revoicing them 13:31 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 13:34 < SJr> How can I view a certificate? the server is spouting an error: VERIFY ERROR: depth=0, error=certificate is not yet valid:. TLS Error: TLS handshake failed 13:37 -!- markus___ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 13:39 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 13:41 < SJr> I'm going to ready a room at the hotel california 13:43 < BillyCrook> SJr: "not yet valid" sounds to me like a clock is off on one of the machines or the ca. Check the clocks. Then man openssl for how to view certificates, or just cat cert.crt | strings | less 13:43 < SJr> yeah 13:43 < SJr> I figured it out 13:44 < SJr> now I'm stuck with a bunch of Connection refused problems 13:46 < SJr> *sigh* I have to head to class now 13:51 -!- explore [n=msparker@173.57.115.183] has joined ##openvpn 14:05 -!- SJr [n=sjr@128.189.79.114] has quit [Read error: 110 (Connection timed out)] 14:07 * ecrist is happy. 14:07 < ecrist> one more set of systems tied to our LDAP directory. 
:) 14:08 -!- mirco [n=mirco@p54B27582.dip.t-dialin.net] has joined ##openvpn 14:16 -!- Intensity [i=[UJg+jfH@unaffiliated/intensity] has joined ##openvpn 14:31 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:31 < Dougy> http://www.ovpnforum.com/viewtopic.php?p=935&sid=dfce58d85065589fcdc9d71320e3c176#p935 14:31 < vpnHelper> Title: OpenVPN Forum View topic - Version 2 - Can't Reach the Internet thru the VPN (at www.ovpnforum.com) 14:31 < ecrist> yeah, I should write that new bot soon. 14:31 < Dougy> haha 14:32 < Dougy> it's ok - im close enough 14:32 < ecrist> you need to fix the template so people can find the RSS feed, though 14:33 < Dougy> soon 14:33 < Dougy> i lost the url for it, to be honest 14:33 < Dougy> lol 14:39 < Dougy> huge lag 14:39 < ecrist> I had a huge log in the toilet this morning. 14:39 < ecrist> oh, lag, not log 14:39 < ecrist> :D 14:41 < Dougy> hah 14:41 < Dougy> lulz 14:41 < Dougy> [15:38] [Dougy(+ei)] [2:freenode/##openvpn(+cn)] [Lag: 40.77] [Act: 1,3] 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:44 < ecrist> irssi? 14:44 < ecrist> what theme do you use? 14:47 < ecrist> http://skitch.com/ecrist/b9gij/screen-shot-2009-09-14-at-14.44.53 14:47 < vpnHelper> Title: Skitch.com > ecrist > Screen shot 2009-09-14 at 14.44.53 (at skitch.com) 14:48 < Dougy> ecrist: stock 14:48 < ecrist> that screen cap shows my screen status line, too 14:49 -!- A-KO [i=as@unaffiliated/a-ko] has joined ##openvpn 14:49 < A-KO> !forum 14:49 < vpnHelper> A-KO: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 14:52 < A-KO> Has anyone here successfully gotten the Windows Vista/7 firewall to properly recognize the TAP interface connection when connecting to OpenVPN? It keeps saying the network is "unidentified" and applies the public profile to it. 
14:53 -!- bauruine [n=bauruine@188.60.203.133] has quit [Read error: 113 (No route to host)] 14:53 < Dougy> hm 14:53 < Dougy> i have heard this asked a lot 14:53 < Dougy> and i don't have a solution handy 14:53 * Dougy should resarch 14:53 < Dougy> research 14:54 -!- Lin [n=igormorg@unaffiliated/lincity] has joined ##openvpn 14:54 < A-KO> I found some script that a Microsoft developer put on the net for Windows 7 (though it's for RC) to change the connection profile, and it does indeed say "Work Network" for the unidentified network, but the public profile is still applying 14:54 < A-KO> as I'm still connected to the other network through the physical interface... 14:55 < Lin> heya. If local client IP is on network 192.168.1.0/24 and server local ip is 192.168.1.0/24, will I have some problem configuring vpn between peers? 14:55 < A-KO> yes 14:55 < A-KO> What I'm more or less doing is trying to use the Windows firewall to block all outbound traffic except to my VPN (Minus a couple of important protocols, of course) and more or less using the network to force VPN connectivity to access the internet. 14:55 < Lin> A-KO: the yes was to me? 14:56 < A-KO> yes Lin 14:57 < Lin> therefore I will always have a problem if some customer uses the same network as me, is there any way to avoid this? I mean if I have a lot of customers doing VPN on me, I will often face this problem. 14:57 < A-KO> Lin: so use a subnet they aren't likely to use 14:57 < A-KO> somewhere in the 10.* range 14:57 < A-KO> you might also be able to do something with forcing their route out over that interface, but it will break any and all local connectivity for them 14:58 < Lin> i have a lot of clients using 10.* too but I can try to use an uncommon one such as 10.231.147.0/24 14:58 * ecrist doesn't remember what the stock theme looked like 14:58 * ecrist goes home 14:58 * ecrist emotes one last time 14:58 < Lin> A-KO: anyway, thank you. 
14:59 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 14:59 < A-KO> Lin: You could push a route down that overrides their route by providing a lower metric and a different interface to use for that subnet (deleting their local one)--but it would likely just break their network connectivity to other devices on their LAN :P 14:59 < A-KO> so just use a network that they're not likely to use 15:00 < Lin> A-KO: i will use the simple way 15:09 -!- pistache [n=pist@rps8501.ovh.net] has joined ##openvpn 15:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:38 -!- Lin [n=igormorg@unaffiliated/lincity] has quit [Read error: 145 (Connection timed out)] 15:55 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 16:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:23 -!- marsje_ [n=anonymou@mrcl.xs4all.nl] has joined ##openvpn 16:29 -!- marsje [n=anonymou@mrcl.xs4all.nl] has quit [Read error: 60 (Operation timed out)] 16:33 -!- marsje [n=anonymou@mrcl.xs4all.nl] has joined ##openvpn 16:43 -!- marsje__ [n=anonymou@mrcl.xs4all.nl] has joined ##openvpn 16:45 -!- marsje__ [n=anonymou@mrcl.xs4all.nl] has left ##openvpn [] 16:47 -!- marsje [n=anonymou@mrcl.xs4all.nl] has quit [Read error: 60 (Operation timed out)] 16:49 -!- marsje_ [n=anonymou@mrcl.xs4all.nl] has quit [Read error: 105 (No buffer space available)] 16:49 -!- tladuke [n=tladuke@adsl-71-131-147-110.dsl.sntc01.pacbell.net] has joined ##openvpn 16:51 < tladuke> After I installed and used tunnelblick (it's not running right now), I can't get to some sites -even by IP. Anybody around to help me fix my routes? Is this a route problem? 16:52 < A-KO> can you ping them? 16:52 < tladuke> nope 16:52 < A-KO> what's traceroute show? 16:52 < tladuke> wikia.com for example. my other computers on the lan can.. 16:52 < tladuke> no route to host 16:53 < A-KO> what's route print (or route -n in linux) show? 
16:53 < tladuke> i can't figure out the mac equivalent of route -print 16:53 < tladuke> what about netstat -r? 16:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection reset by peer] 16:55 < tladuke> http://pastie.org/616759 16:55 < A-KO> what's your home IP? 16:55 < A-KO> your normal network IP? 16:56 < tladuke> the router is 82.1 16:56 < tladuke> the broken macbook is 82.113 16:57 < A-KO> hmm 16:57 < A-KO> can you ping 82.1? 16:57 < tladuke> yes 16:57 < tladuke> and most sites work fine 16:58 < A-KO> ... 16:58 < A-KO> then it's not a local problem, at least, not a routing problem in your network 16:59 < tladuke> hrm, but other computers do work 16:59 < tladuke> i wonder... ipv6 seems to be on 17:00 -!- explore [n=msparker@173.57.115.183] has quit ["Lost terminal"] 17:39 -!- SJr [n=sjr@128.189.72.127] has joined ##openvpn 17:40 < SJr> !logs 17:40 < vpnHelper> SJr: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 17:40 < SJr> !configs 17:40 < vpnHelper> SJr: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:40 < SJr> !interfaces 17:40 < vpnHelper> SJr: Error: "interfaces" is not a valid command. 17:40 < SJr> !interface 17:40 < vpnHelper> SJr: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:42 < SJr> Do you guys really want me to collect all that info, my problem is that I don't seem to get an IP Address on my client when it connects. 
It also seems to generate: TUN/TAP : Invalid argument (code=22) 18:05 < reiffert> hey, another one ready for jeopardy. 18:07 -!- jgarvey [n=jgarvey@cpe-098-026-065-013.nc.res.rr.com] has quit ["Leaving"] 18:09 -!- BillyCrook [n=BillyCro@72.22.210.100] has quit ["Leaving."] 18:34 -!- SJr [n=sjr@128.189.72.127] has quit [Read error: 110 (Connection timed out)] 18:42 -!- W0rmF00d [n=wormfood@218.17.216.6] has joined ##openvpn 18:50 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn 18:51 < Voziv> Hello, I'm trying to do a push "route .... " command. How would I specify my gateway and metric without having to specify an interface? 18:52 -!- tladuke [n=tladuke@adsl-71-131-147-110.dsl.sntc01.pacbell.net] has quit ["Java user signed off"] 18:57 -!- SJr [n=sjr@128.189.74.142] has joined ##openvpn 18:58 -!- WormFood [n=wormfood@219.134.136.100] has quit [Connection timed out] 18:59 < krzie> by looking in the manual for --route 18:59 < krzie> !man 18:59 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 19:01 < krzie> notice that below --route is --route-metric and --route-gateway as well 19:02 < krzie> as well as --route-tons_of_other_shit 19:02 < krzie> ;] 19:11 < SJr> !configs 19:11 < vpnHelper> SJr: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:19 < Dougy> krzie: 19:19 < Dougy> !!!!!!!!!!!!!!!!!!!!!!!! 19:19 < vpnHelper> Dougy: Error: "!!!!!!!!!!!!!!!!!!!!!!!" is not a valid command. 19:24 < SJr> Anyway I can't seem to get any communication across my connection: http://pastebin.com/m1ac47bed 19:27 < krzie> SJr why are you using tap? 
19:27 < SJr> My server is a DD-WRT router and that was an example 19:28 < krzie> sup dougy 19:28 < krzie> SJr, use tun 19:28 < krzie> heres a new example 19:28 < krzie> !sample 19:28 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 19:28 < krzie> also, you are using rc7 and rc11 19:28 < krzie> both have known bugs 19:28 < krzie> !dev 19:28 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list 19:28 < krzie> oops 19:28 < krzie> OpenVPN 2.1rc19 is latest 19:30 < SJr> still getting the packet loss, krzee 19:30 < SJr> krzie I can't change the server version, it's part of the firmware, and the client is the newest version available afaik 19:31 < krzie> SJr 19:31 < krzie> !logs 19:31 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 19:31 < krzie> notice, ver 9 19:31 < krzie> verb 5 rather 19:31 < SJr> oh 19:33 < krzie> and when you're up and running, give these a read 19:33 < krzie> !hmac 19:33 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 19:33 < krzie> !mitm 19:33 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 19:33 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 19:39 < SJr> Here are some new logs, config is the same except tap switched to tun. 19:39 < SJr> http://pastebin.com/m366c9c48 19:42 -!- c64zottel [n=hans@p5B17B228.dip0.t-ipconnect.de] has left ##openvpn [] 19:45 < SJr> I noticed that the IP addresses on both ends are incorrect 19:46 < SJr> inet addr:10.8.0.1 P-t-P:10.8.0.2 versus inet addr:10.8.0.6 P-t-P:10.8.0.5 19:57 < krzie> that is correct 19:57 < krzie> !/30 19:57 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 19:58 < krzie> the real ips involved there are 10.8.0.1 and .6 19:58 < krzie> second client would get .10 19:58 < krzie> .14 19:58 < krzie> and so on 19:59 < krzie> !topology 19:59 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
19:59 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn 20:00 < krzie> i need new logs 20:00 < krzie> keep it going until after you ping 10.8.0.6 from server and 10.8.0.1 from client 20:00 < krzie> (unless of course you can ping them now, in which case you're running fine and i dont need logs 20:00 < krzie> basically what im looking for is RWRWRW during the ping 20:01 < Dougy> krzie: sup sup 20:01 < krzie> if its only WWWWWW then a firewall is messin ya up 20:01 < krzie> sup dougy 20:01 < Dougy> krzie: where's my money bitch 20:01 < krzie> heh come here and try to talk to me like that 20:01 < Dougy> lmao 20:01 < Dougy> i woul 20:01 < Dougy> d 20:01 < Dougy> but id crack up laughing 20:01 < Dougy> it'd be lol 20:01 < krzie> that would be a nice trip to the hospital 20:01 < krzie> :-p 20:01 < Dougy> you're a jackass then 20:02 < Dougy> i would just catch your shot and hook you 20:02 < Dougy> and it'd be over 20:02 < krzie> hahaha 20:02 < Dougy> ok so srsly 20:02 < Dougy> where's the $ i am owed sir 20:02 < Dougy> :) 20:03 < krzie> i go to NY annually, if you pull that off ill give you $200 extra 20:03 < Dougy> rofl 20:03 < krzie> hehe there ya go 20:03 < Dougy> i'm not gonna beat you and embarrass you in front of your people 20:03 < Dougy> thats not cool 20:03 < krzie> i dont have many ppl out there 20:03 < krzie> no worries 20:03 < Dougy> ok, i'll strong arm a ho 20:03 < Dougy> (krzie) 20:03 < krzie> besides, if you could pull that off i'd want it on youtube 20:03 < krzie> i grew up fighting, its a hobby 20:04 < krzie> my money says youd be choked out in under 90 sec 20:04 < krzie> but anyways 20:04 < krzie> back to business 20:04 < krzie> i do owe ya some $ 20:04 < krzie> fuck i need to get that out to ya 20:04 < Dougy> when you do i'll give you your new ips 20:04 < krzie> i wish i had paid for a yr in advance, its tough times atm 20:05 < Dougy> oh 20:05 < krzie> just got an apt, need to put stuff in it so i can move in and stop paying 
rent 20:05 < Dougy> well pay for one month then 20:05 < krzie> now theres only a bed in it 20:05 < krzie> need to get a fridge in there, then i can move in 20:05 < SJr> Oh sorry 20:05 < krzie> cause the beer cant be warm 20:05 < SJr> got side tracked 20:05 < krzie> all good SJr, can you ping those? 20:06 < Dougy> krzie: so send me 55$ and you can get me back in a month or two 20:06 < Dougy> well, a month 20:06 < krzie> hehehe 20:06 < krzie> whens the UFC when i need some quick $ 20:06 < Dougy> lmao 20:06 < krzie> nothing good to bet on til nov 20:06 < Dougy> you can bet on me knockin your punk ass out 20:06 < Dougy> make some $ that way 20:07 < krzie> i told you, ill pay you $200 if you come close to winning, and you dont have to risk any $ 20:07 < krzie> only your health buddy 20:07 < krzie> ;] 20:07 < Dougy> im not worried 20:07 < Dougy> you hit me you go to jail 20:07 < Dougy> so its all good 20:07 < Dougy> :) 20:07 < SJr> It's Rw 20:07 < SJr> but let me get you a full log 20:07 < krzie> only if they catch me 20:07 < krzie> if you recall, you dunno who i am or what country i live in 20:08 < krzie> :-p 20:08 < krzie> SJr, and it doesnt ping? 20:08 < krzie> from client to .1 20:08 < krzie> AND from server to .6 20:09 < Dougy> heh 20:09 < Dougy> krzie: i work for the nsa 20:09 < Dougy> i can find you 20:09 < Dougy> we invade everyone's privacy 20:09 < krzie> if you worked for the nsa you wouldnt have a small time colo co 20:09 < Dougy> thats what you think 20:09 < krzie> ahh right, all part of your cover ;] 20:09 < Dougy> righto 20:09 < krzie> they recruited you when you were 5? 20:10 < Dougy> yeah motherfuckers put me in nsa day camp 20:10 < krzie> hey hey hey, does your mom know you say those words? 20:10 < Dougy> yes 20:10 < Dougy> she does 20:10 < krzie> im gunna tell her and get you grounded 20:10 < Dougy> you can suck on my balls, bitch 20:10 < SJr> http://pastebin.com/m79750fa2 20:10 < Dougy> :D 20:11 < krzie> SJr wheres the ping start in server log? 
20:11 < SJr> Hmmmm 20:12 < krzie> err in client log i mean 20:12 < SJr> um 20:12 < krzie> im leaning strongly towards firewall issue 20:12 < SJr> hmmmm I might be wasting your time 20:12 < krzie> # 20:12 < krzie> Mon Sep 14 18:07:33 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 20:12 < SJr> thats when I killed it 20:12 < krzie> the CNTRL C comes after those 20:13 < SJr> I can ping one way and not the other 20:13 < krzie> only from server to client? 20:13 < SJr> Yeah 20:13 < Dougy> krzie: 20:13 < Dougy> igot a new wesite 20:13 < Dougy> website * 20:13 < SJr> I also know that my router doesn't respond to pings externally 20:13 < krzie> server firewall isnt showing love to tun device / ovpn ips 20:13 < SJr> let me try routing past the network 20:14 < krzie> which is why it gives connection refused right after completing connection 20:14 < krzie> tis your firewall =] 20:14 < Dougy> krzie: www.bergenhosting.com 20:14 < SJr> I terminated the server first in that example 20:14 < krzie> dougy, i gotta get # to my guy and have him send it out 20:15 < krzie> $ 20:15 < Dougy> krzie: whacha think of the layout 20:15 < krzie> looks like an apple program 20:15 < krzie> (which means i like it) 20:15 < Dougy> lol 20:16 < Dougy> wo0t 20:16 < Dougy> click on the harddrives 20:16 < krzie> nice 20:16 < Dougy> yea 20:16 < krzie> thats clean 20:16 < SJr> I can SSH back 20:17 < krzie> then its your firewall blocking the pings 20:17 < SJr> yeah 20:17 < SJr> that's what I figured 20:17 < krzie> you may need to allow them just for tun device for keep-alive 20:17 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit [Read error: 110 (Connection timed out)] 20:17 < krzie> unless keep-alive uses udp or something, i dunno 20:17 < SJr> hmmmmm 20:17 < krzie> i expect it uses icmp tho 20:17 < krzie> (inside the tunnel) 20:17 < SJr> Well 20:17 < SJr> we will see 20:18 < SJr> I have to figure out how to get routing 20:18 < SJr> to work 20:18 < krzie> yup 20:18 < krzie> 
it wont be hard to figure out 20:18 < krzie> after period of inactivity if you get dropped and reconnect, you know why 20:18 < krzie> define routing 20:18 < krzie> lan behind ovpn, inet through ovpn? 20:19 < krzie> either way, answer is in the topic ;) 20:19 < SJr> oh lan behind ovpn 20:20 < krzie> !route 20:20 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:20 < SJr> awwww why is there so much reading... 20:20 < krzie> cause vpn is advanced networking 20:21 -!- zick [n=dzickus@pool-173-76-111-159.bstnma.fios.verizon.net] has joined ##openvpn 20:21 < krzie> its much easier to figure out AFTER i wrote that doc than before 20:21 < krzie> imho 20:21 < krzie> i had to read many things from many places to understand it enough to break it all down 20:22 < Dougy> ecrist: how do i split a thread on phpbb 20:22 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:22 < Dougy> ey td 20:26 < A-KO> Whoever built the standard of IPSec VPN over L2TP needs to be shot 20:26 < A-KO> IMO 20:26 < Dougy> lol 20:26 < Dougy> in b4 shooting 20:26 < krzie> that would be cisco 20:26 < A-KO> Much prefer SSL-based VPNs 20:26 < krzie> they reside in san jose, california 20:26 < krzie> happy hunting 20:27 < krzie> ;] 20:27 < A-KO> easier to understand, easier to use, works over existing fucking networking protocols 20:27 < A-KO> though for a lot of people SSL is also a pretty difficult concept 20:28 < Dougy> http://pastie.org/616920 20:28 < A-KO> lol 20:31 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn 20:31 < krzie> 21:21 <@SpaethCo> MACs need to be bound to ports, gratuitous ARP forbidden 20:31 < krzie> hah 20:32 < krzie> seems what hes reading knows about layer2 sniffing and he does not 20:32 < Dougy> SpaethCo is extremely smart 20:32 < krzie> evidently not smart enough to understand that what they said is 
absolutely correct 20:33 < krzie> and that his metaphor is extremely flawed, its more like the police department mandating that all swat officers use flak jackets during a raid 20:34 < Dougy> hah 20:34 < Dougy> 21:34 <@SpaethCo> Dougy: l2 sniffing is irrelevant if you're preventing mac-table poisoning, and you are in complete control of the infrastructure. 20:35 < SJr> krzie, should I go bridged or routing traffic in your opinion, the original example I was trying to play with used bridged, but since I couldn't get an IP address, I tried routing. 20:35 < krzie> !tunortap 20:35 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 20:36 < krzie> always go routed unless you know exactly why you need a bridge 20:36 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 20:37 < SJr> my routing table on my router is full 20:37 < A-KO> uhm 20:37 < A-KO> what? 20:37 < SJr> nothing :P 20:37 < krzie> A-KO, me? 20:37 < A-KO> no krzee 20:37 < A-KO> SJr 20:37 < A-KO> [21:37] my routing table on my router is full 20:37 < A-KO> :P 20:37 < krzie> ahh =] 20:37 < krzie> ya that dont seem right to me either 20:37 < A-KO> routing is FUN :P lol 20:38 < krzie> you must have a SHITTON of routes in there 20:38 < krzie> ive never actually seen a full routing table 20:38 < SJr> I'm in canada, krzie, it's a Metric Shit Ton. 20:38 < SJr> I dunno, I just remember from my old TCP books, that was the arguement for class based routing 20:39 -!- mirco_ [n=mirco@p54B2759B.dip.t-dialin.net] has joined ##openvpn 20:40 < krzie> SJr care to paste it? 
i have a fealing somethings wrong if you managed to fill it up 20:40 < krzie> and good pun with metric shitton ;] 20:40 < SJr> no I was just being silly, yes I'll use routing, but I just spent 4 hours on this, and watching Rob Roy 20:41 < SJr> I should have done homework 20:41 < A-KO> I'm writing documents 20:41 < krzie> only 4 hours? 20:41 < SJr> Yeah 20:41 < krzie> shiiiet 20:41 < A-KO> and irritated at windows vista/7 :( 20:41 < krzie> my first ovpn setup took over a day 20:41 < SJr> well 4 hours today, I spent a few hours a couple days ago. 20:41 < A-KO> really? 20:41 < A-KO> my first openvpn setup took me like an hour 20:41 < A-KO> :( 20:41 * SJr is a genius 20:41 < krzie> A-KO ouch, im so glad i stopped using windows 20:41 < SJr> I setup OpenVPN once before but it wasn't with certificates, so who knows 20:42 < krzie> A-KO i was confused by a couple things, like the fact that i should use tun but all the lame walkthroughs were saying to used bridge, stuff like that 20:42 < Dougy> krzie: what do you run on your desktop 20:42 < krzie> so i actually got it up and running before i considered it done 20:42 < SJr> I can't wait till I have access to my p0rn0 share while in the school library 20:42 < krzie> osX 20:42 < A-KO> krzee: what i'm irritated on is this damn tap adapter shit. Windows doesn't recognize the tap as a vpn, so it keeps the connection in the public firewall profile, which I've locked down to the extreme....essentially, when I first connect to a network, it's a completely untrusted "I don't want my computer talking to it" network....with the exception of openvpn, dns, icmp, and https.... 20:43 < krzie> you tried: 20:43 < krzie> !win7 20:43 < vpnHelper> krzie: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 20:43 < krzie> ? 
20:43 < A-KO> yeah, the vpn actually works
20:43 < krzie> i have no idea if that has ANYTHING to do with your issue
20:43 < A-KO> it's just the firewall profile :P
20:43 < krzie> werd
20:43 < krzie> you're the same guy i saw on the mail list i take it, kyle?
20:43 < SJr> Sigh with all the time I wasted today, the only good news is that Patrick Swayze is dead.
20:43 < A-KO> if I turn off the firewall the vpn works great :P it's just windows not recognizing the adapter properly and applying the correct profile, or for that matter, letting me change it....
20:43 < A-KO> me?
20:43 < A-KO> no
20:44 < krzie> funny, same EXACT thing just popped up on mail list
20:44 < A-KO> really?
20:44 < krzie> like a day or 2 ago
20:44 < A-KO> that's interesting
20:44 < krzie> !mail
20:44 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
20:44 < krzie> second link
20:46 -!- filthynoob [n=pwner@ppp-70-249-82-220.dsl.okcyok.swbell.net] has joined ##openvpn
20:47 < A-KO> apparently Windows recognizes networks based on the configured gateway IP--I think the problem has to do with openvpn not configuring a gw IP and instead just configures the route
20:47 < A-KO> if I were to think of something out of the blue
20:47 < filthynoob> !howto
20:47 < vpnHelper> filthynoob: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:47 < A-KO> the MAC of the gateway IP, for that matter...
20:48 < krzie> hrm i cant find the thread in the archives
20:48 < krzie> but i could swear i read it when i was home last night
20:49 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has quit [Read error: 110 (Connection timed out)]
20:49 < A-KO> I better not try to fix this right now i'll be up all night working on it :P lol
20:49 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has joined ##openvpn
20:49 < A-KO> but if I can get it working that'll be awesome shit
20:49 -!- mirco [n=mirco@p54B27582.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:49 -!- mirco_ is now known as mirco
20:49 < krzie> ahh here is the thread
20:49 < krzie> http://article.gmane.org/gmane.network.openvpn.user/27572/match=firewall+windows
20:50 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
20:52 -!- Voziv [n=someplac@d67-193-163-166.home3.cgocable.net] has quit [Read error: 110 (Connection timed out)]
20:52 < A-KO> see krzee what's weird is
20:52 < A-KO> I do have a default gateway
20:52 < A-KO> I push a gw down when openvpn connects
20:53 < A-KO> and it still behaves like this
20:53 < A-KO> bah
20:53 < A-KO> lemme go get my laptop
20:53 < A-KO> lol
21:01 < A-KO> yeah
21:01 < A-KO> see
21:01 < A-KO> Local Area Connection 2
21:01 < A-KO> no default gateway
21:12 -!- master_of_master [i=master_o@p549D44F8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D42FB.dip.t-dialin.net] has joined ##openvpn
21:19 < A-KO> ugh
21:19 < A-KO> this is retarded
21:19 < A-KO> lol
21:24 -!- SJr [n=sjr@128.189.74.142] has quit [Read error: 110 (Connection timed out)]
21:34 < A-KO> can't get it to work, sigh :/
21:34 < krzie> seems to be much more of a windows issue than openvpn too
21:34 < krzie> tried windows help channels?
21:34 < A-KO> eeehhh
21:34 < A-KO> it's a combination of both I think
21:34 < A-KO> the way openvpn interfaces with it
21:34 < A-KO> yeah I've tried the MS help forums so far
21:34 < A-KO> seeing how that goes along
21:35 < krzie> if you find the answer somewhere else pls report it back if you would, or even better make a writeup on our wiki
21:35 < A-KO> Windows wants a default gateway on an adapter to identify a network (retarded, I know)--but since openvpn doesn't do that, it messes it all up :P
21:35 < A-KO> openvpn just pushes a route down
21:36 < A-KO> dest 0.0.0.0 mask 128.0.0.0 gw 10.8.0.9
21:36 < krzie> right windows wants that, and doesnt let you override, windows issue
21:36 < A-KO> no, I can use netsh to add a gw to an adapter
21:36 < A-KO> and then it makes a route table entry for it
21:36 < krzie> well then you have it fixed
21:36 < krzie> make a batch script for --up
21:36 < krzie> with your netsh command
21:37 < A-KO> not entirely :P because when I add that, it sets the metric higher than the existing route....and for some reason route change has been retarded
21:37 < A-KO> I'm getting tired though so I'm not entirely thinking but I think I'm close to getting it
21:37 < krzie> if metric is the problem, set the metric
21:38 < A-KO> yeah....but I still think it's acting weird, probably having something to do with 2 default gateways on the network....
21:38 < A-KO> you know what I should do?
21:38 < A-KO> make a PPTP vpn somewhere and connect to it--and see what Windows does with the routes with its own connections
21:38 < krzie> i dont use windows
21:38 < A-KO> because from what I hear, this problem doesn't exist with windows' pptp connections
21:38 < krzie> ahh werd
21:39 < krzie> i thought that was a real question
21:39 < A-KO> that would probably give me some insight
21:39 < krzie> couldnt hurt
21:39 < krzie> i take that back... it would hurt me to setup a pptp vpn ;]
21:39 < A-KO> lol
21:40 < A-KO> well I've got a bunch of windows machines I could set it up with
21:41 < A-KO> heh
21:42 < A-KO> odd way of doing it but openvpn overrides windows' default gateway with creating a mask of 128
21:42 < A-KO> rather than just overriding the existing gw
21:46 < krzie> !def1
21:46 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
21:47 < krzie> it only does that if you tell it to
21:47 < krzie> and its not odd, its clever
21:48 < A-KO> !man
21:48 < vpnHelper> A-KO: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
21:52 < A-KO> hm, omitting def1 doesn't seem to set a gateway at all...
21:54 < filthynoob> omg
21:55 < filthynoob> openvpn is so hard
21:57 < A-KO> ....
21:57 < A-KO> no, what's hard is figuring out Windows' retarded fucking network firewall :P
21:57 < filthynoob> use linux :/
21:57 < A-KO> uhm
21:57 < A-KO> I use more linux machines than I know what to do with :P
21:58 < filthynoob> is it a work computer or something
21:58 < A-KO> laptop of mine
21:58 < filthynoob> u tried hamachi?
21:58 < filthynoob> it works okay on windows
21:58 < filthynoob> dont think its open source though
21:59 < A-KO> not going to work considering my openvpn server is linux :P
22:01 -!- APTX|_ [n=APTX@213.251.162.70] has joined ##openvpn
22:02 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: IcyPolecat, phatfish, mius, freaky[t], tjz, APTX|, nemysis_, techqbert, qknight
22:02 -!- Netsplit over, joins: phatfish
22:02 -!- Netsplit over, joins: tjz, techqbert, IcyPolecat, mius, qknight, freaky[t]
22:07 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:07 < filthynoob> !howto
22:07 < vpnHelper> filthynoob: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:08 < A-KO> krzee: if I figure it out I'll be sure to let everyone know :P
22:08 < A-KO> but so far, it's a no go
22:09 < A-KO> I've tried everything.....there's gotta be something in Windows that I'm missing. I deleted the default route to my existing network, and added it for the vpn--and the traffic goes out over that, and with doing that, I can set the profile for the VPN connection to "private" (more open firewall rules)--but the more secure firewall policy keeps getting applied
22:09 < A-KO> so, it's gotta be something more that I'm just missing
22:09 < A-KO> I even unchecked the firewall "public" profile (my secure one) from the VPN connection, still applies
22:11 < A-KO> wish the beta was still open for win7, I'd have more access to the windows engineers....
22:32 -!- W0rmF00d is now known as WormFood
22:46 -!- Voziv_ [n=someplac@d67-193-163-166.home3.cgocable.net] has quit []
23:10 -!- filthynoob [n=pwner@ppp-70-249-82-220.dsl.okcyok.swbell.net] has quit [Read error: 110 (Connection timed out)]
23:18 -!- roshenia [n=roshenia@gw.pbh.by] has quit [Read error: 104 (Connection reset by peer)]
23:18 -!- roshenia [n=roshenia@gw.pbh.by] has joined ##openvpn
23:28 -!- sticky [n=zach@2607:f128:42:1:0:0:0:2] has joined ##openvpn
23:51 -!- achilles [n=achilles@62.90.142.81] has quit [Read error: 113 (No route to host)]
--- Day changed Tue Sep 15 2009
00:21 -!- mirco [n=mirco@p54B2759B.dip.t-dialin.net] has quit []
00:29 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Remote closed the connection]
00:32 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
00:33 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:48 < thedoc> This is very odd. I just subscribed to the openvpn mailing list and it shows that the request originated from a black holed subnet.
00:48 < thedoc> Anyone knows if this is a known issue?
00:48 < thedoc> O_O;
01:07 -!- achilles [n=achilles@82.205.120.165] has joined ##openvpn
01:14 -!- hyper_ch [n=hyper@adsl-84-227-130-76.adslplus.ch] has quit [Remote closed the connection]
01:17 -!- hyper_ch [n=hyper@adsl-84-227-130-76.adslplus.ch] has joined ##openvpn
01:18 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:03 -!- achilles [n=achilles@82.205.120.165] has quit [Read error: 110 (Connection timed out)]
02:10 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
02:47 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
02:48 -!- bauruine_ [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
02:48 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
02:49 -!- chutkin [n=Miranda@87.120.100.22] has joined ##openvpn
02:51 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
02:57 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
03:23 -!- Shaun2222 [n=Shaun222@ip70-181-79-96.oc.oc.cox.net] has quit [Read error: 104 (Connection reset by peer)]
03:24 -!- Shaun2222 [n=Shaun222@204.10.36.76] has joined ##openvpn
03:43 -!- ribasushi [n=rabbit@dslb-084-063-061-149.pools.arcor-ip.net] has joined ##openvpn
03:43 < ribasushi> hi
03:43 < ribasushi> is there any harm to run ntp synchronizations over vpn?
03:43 < ribasushi> or better let these go over plain internet?
03:47 < dazo> ribasushi: shouldn't make any big difference, as long as the VPN is up'n'running .... latency over the VPN might be an issue if the throughput is low, but if you have a decent connection ... it would be about the same
03:48 < dazo> ribasushi: But I'd advise you to use both public NTP servers "over plain Internet" ... and then provide intra-synchronisation between trusted hosts in addition over the VPN
03:49 < ribasushi> fair nuff
03:49 < dazo> ribasushi: having configured 3-5 NTP servers, is not a disadvantage ... NTP works in a way to avoid drifting in hardware .... so the more you connect in a trusted environment, the better they can keep the time
03:49 < ribasushi> won't public servers "water down" the result though?
03:49 < ribasushi> I have currently one server set to a couple of *close* ntp servers
03:50 < ribasushi> and the rest sync to it only via the vpn
03:50 < ribasushi> is this bad?
03:50 < dazo> ribasushi: what's important in NTP is the stratum value .... stratum 1 is never public
03:50 < dazo> stratum 1 sits directly on a clock device
03:50 < ribasushi> 2 stratum 2 servers within 15ms of the main vpn server
03:50 < ribasushi> is what i use
03:50 < dazo> stratum 2 is one step away from stratum 1
03:50 -!- achilles [n=achilles@62-90-200-222.alami.net] has joined ##openvpn
03:51 < dazo> ribasushi: your setup now really depending on that VPN always being in a good shape
03:51 < ribasushi> correct, if this server goes down ntp is the least of my worries :)
03:51 < dazo> ribasushi: so I'd advise you to use f.ex {0,1,2,3}.pool.ntp.org servers on both sides in addition
03:52 < dazo> ribasushi: you anyway would like to have time synchronised ... you know log files ;-) ... to easier match them
03:52 < ribasushi> won't using the pool servers just offer "good enough" half second accuracy (which isn't good enough for me)
03:53 < dazo> ribasushi: and with more ntp servers, internally and externally, if someone tries a ntp attack by tweaking your system clock using a false clock ... it won't go as easy, as it checks outliers with all registered servers
03:53 < dazo> ribasushi: that's why configuring more ntp servers usually gives you better accuracy
03:54 < ribasushi> hm... I thought when there are more of them accuracy suffers
03:54 < ribasushi> fine I'll leave the pools in then
03:54 < dazo> ribasushi: if you need ms accuracy .... then you probably need your own stratum 1 server
03:54 < ribasushi> not ms but <10ms
03:54 < ribasushi> i.e. be faster than the network they are on
03:55 < dazo> ribasushi: NTP works in a genius way, the more servers ... and esp. the more trusted servers (which can update each others clocks, not just "read and consider to use that value") .... the more stable the drift will be, and the more accurate it will be
03:56 < ribasushi> hm... so then just use public on all 3 of them
03:56 < ribasushi> and also point each to the other two?
03:56 < dazo> ribasushi: if you need such accurate clock ... then you might need to look at something else than ntp actually .... it's been some discussions about such stuff in linux real-time setups .... but I've forgotten what it is
03:56 < ribasushi> meh I don't *need* it, but nice to have
03:56 < ribasushi> and afaik ntp can do this easy
03:57 < dazo> ribasushi: yes, that's a very good setup .... as the matter of fact, on some servers you can even use {0,1,2,3}.pool.ntp.org several times in the same config .... each of them points at 2-3 different public ntp servers
03:58 < ribasushi> interesting... will investigate further then
03:58 < dazo> ribasushi: ntp will provide a stable system clock ... it will have some drift, but for systems not depending on millisecond accuracy, it's usually good enough ...
03:59 < ribasushi> I thought the drift happens only on reboot
03:59 < ribasushi> i.e. as long as ntp is continuously running (after the day or so settling time) it will stay as close as the cpu clock allows
03:59 < dazo> oh, no, that happens the whole time .... and that's what the driftfile is used for .... so ntp will adjust the clock internally based on the drift value too ....
04:01 < ribasushi> bah... I thought the drift file is just a startup value to drive the cpuclock skew value
04:01 < ribasushi> and everything else happens solely based on network measurements, where ntpd keeps injecting data into the kernel clock loop...
04:01 < dazo> ntp is trying to avoid drifting .... so as ntp is running .... it will consider the drift value when adjusting the clock .... and this is why having trusted ntp servers in a network helps .... the drift is different on each server .... thus, they will get higher accuracy on the drift, across the network as well
04:02 < ribasushi> yes I see... I look into how highly-meshed networks work
04:02 < dazo> :)
04:02 < ribasushi> that's definitely interesting, thanks for the insight
04:02 < dazo> no prob :)
04:02 < ribasushi> but to go back to the original question - openvpn latencies are not utterly unpredictable to fuck up with ntp?
04:02 < ribasushi> I remember reading something udp over udp being a bitch
04:02 < dazo> ribasushi: no, and especially not when using public ntp servers in addition
04:03 < dazo> udp over udp is not as bad as tcp over tcp
04:03 < dazo> !tcp
04:03 < vpnHelper> dazo: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
04:08 < ribasushi> right
04:09 < ribasushi> man I don't like this: http://finance.yahoo.com/q/bc?s=USDEUR=X&t=2y&l=on&z=m&q=l&c=
04:09 < vpnHelper> Title: USDEUR=X: Basic Chart for USD/EUR - Yahoo! Finance (at finance.yahoo.com)
04:31 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
04:42 -!- c64zottel [n=hans@p5B17ACD5.dip0.t-ipconnect.de] has joined ##openvpn
05:08 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)]
05:26 -!- rapha [i=rapha@unaffiliated/rapha] has quit [SendQ exceeded]
05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:43 -!- bauruine_ [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Remote closed the connection]
05:51 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
05:52 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:59 -!- rapha [i=rapha@static.141.55.40.188.clients.your-server.de] has joined ##openvpn
06:13 -!- achilles [n=achilles@62-90-200-222.alami.net] has quit ["Leaving"]
06:20 -!- thedoc [n=zing@cataclysm.edgewire.sg] has joined ##openvpn
06:42 -!- brizly1 [n=brizly_v@p4FC9A083.dip0.t-ipconnect.de] has joined ##openvpn
06:51 -!- markus___ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
06:51 -!- markus___ is now known as _markus
06:56 -!- sehh [n=sehh@b2946pns.static.otenet.gr] has joined ##openvpn
06:56 < sehh> hey people
06:56 -!- misse- [i=misse@misse.org] has quit ["leaving"]
06:56 -!- brizly [n=brizly_v@p4FC98F84.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:57 < sehh> I've installed OpenVPN on my server and on two clients (both clients running Vista). The first Vista system works fine but the second Vista system does not route traffic properly (or thats what it looks like anyway). Both OpenVPN clients connect fine, so there isn't a problem in OpenVPN's configuration.
06:58 < sehh> Since the two machines are identical, I can't figure out why the second Vista machine won't route traffic properly
06:58 < sehh> the log shows the encrypted connection has been established, but I can't ping or see the server at all
06:59 < sehh> I would appreciate some help please, what should I look for in order to get the second Vista machine to see/ping the server?
07:00 < sehh> (both Vista machines have their firewalls disabled, both run Vista Home Premium)
07:00 < _markus> route-method exe
07:00 < _markus> route-delay 2
07:00 < _markus> try add that to your config.
07:00 < sehh> tried that already, no difference
07:00 < sehh> that was the first that shows up in google, but it doesn't have any effect here.
07:01 < _markus> are u running the client as administrator user?
07:01 < sehh> yes, from Services (it is set to Automatic)
07:01 < reiffert> openvpn version?
07:02 < sehh> OpenVPN 2.1_rc19
07:02 < sehh> same on both Vista machines
07:03 < sehh> maybe some service isn't running on my second Vista machine? is there a known service which could stop routing to the TUN interface?
07:06 < sehh> also tried "mssfix 1200" but that didn't help
07:07 < sehh> also enabled IP routing from the registry (changed the value from 0 to 1), no difference
07:08 < sehh> "route print" shows that routing is set but I can't tell if its correct or not, probably not since I can't ping the server at 10.8.0.1, but I can ping myself at 10.8.0.3
07:10 < sehh> please help :(
07:16 -!- zick [n=dzickus@pool-173-76-111-159.bstnma.fios.verizon.net] has quit ["leaving"]
07:23 -!- sehh [n=sehh@b2946pns.static.otenet.gr] has quit [Read error: 104 (Connection reset by peer)]
07:23 -!- sehh [n=sehh@b2946pns.static.otenet.gr] has joined ##openvpn
07:24 < sehh> back
07:24 < sehh> messed up with the connection and that got me off the network
07:24 < sehh> hmm
07:24 < sehh> still no go
07:27 < |Mike|> !all
07:27 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
07:28 < sehh> well, lots of work but I'm willing to do it if someone could please help me
07:28 < sehh> ok let me gather everything
07:32 < ecrist> good morning
07:36 < sehh> ok got them all, except the server configuration which unfortunately I can't get because I don't have access from here
07:36 < sehh> client config: http://pastebin.com/m593dcf24
07:36 < sehh> Vista routing table: http://pastebin.com/m60e68e1f
07:36 < sehh> client log: http://pastebin.com/m2f5f6c1f
07:36 < sehh> firewall is disabled
07:37 < sehh> please let me know if there is something else that you need from me
07:45 < sehh> hmmm
07:45 < sehh> changed the verbose mode on the log to a higher value but no errors are reported by OpenVPN
07:45 < |Mike|> sehh: `grep -vE '^#' client.conf`
07:45 < sehh> I think Vista is having routing problems, I can't see anything else
07:46 < sehh> unfortunately I'm on the Vista machine with no access to my Linux system (Fedora), so I can't run grep
07:47 < |Mike|> o yeah doh
07:48 < |Mike|> btw, you might want to look for tls-auth as well
07:48 < |Mike|> 192.168.1.x is your openvpn subnet?
07:50 < sehh> 192.168.0.x is the local network (with .2 as the Vista box and .3 as the other Vista box), 192.168.1.x is the remote network and server that I'm trying to connect to (just the server, not interested in the rest).
07:50 < |Mike|> you got the server.conf for me ?
07:50 < sehh> basically, the two Vista boxes with 192.168.0.2 and 192.168.0.3 addresses need to connect to the remote server 192.168.1.10, thats it
07:51 < sehh> no sorry :( its on the remote server and I can't access it remotely from here
07:51 < sehh> it is based on the HOWTO found on the website, I only changed a few things (like paths to certificates), changed it to TCP instead of UDP and I use TAP instead of TUN
07:52 < sehh> the rest should be exactly like the sample config in the HOWTO
07:52 < |Mike|> !taptun
07:52 < vpnHelper> |Mike|: Error: "taptun" is not a valid command.
07:52 < |Mike|> !tunortap
07:52 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
07:53 < |Mike|> so you're into layer2 ? ;)
07:53 < sehh> yes I am aware of all that, we use an application that requires TAP because it sends broadcasts and some UDP traffic and that won't go through TUN
07:54 < sehh> if it wasn't for the broadcasts then I would be using TUN
07:54 < |Mike|> okay
07:54 < sehh> I've done my research and the first Vista box worked 100% the first time without any changes...
07:55 < sehh> the second Vista box is identical, but for whatever reason won't route traffic or something
07:55 < |Mike|> did you start the openvpn client as admin ?
07:55 < sehh> yes, I start it as a Service (its set to Automatic)
07:57 < sehh> I guess one option is to print on paper the output from "route print" from both machines and compare it line by line
07:57 < sehh> otherwise the problem is with some service that I'm not aware of thats disabled
07:57 < |Mike|> firewalls are off as well?
07:57 < |Mike|> could you set 'verb' to 6 in the client ?
08:00 < sehh> yes all firewalls are disabled
08:00 < sehh> yes, one second please
08:05 < sehh> there you go: http://pastebin.com/d3fab6ee5
08:05 < sehh> thats the log with verb 6
08:06 < sehh> I started the service, made a few pings (unsuccessful) to the server and stopped the service
08:07 < |Mike|> route_default_gateway = '[UNDEF]'
08:08 < sehh> and that means?
08:09 < sehh> the machine has proper internet access and routing goes out to the DSL modem, so I assume the default route is working
08:09 < |Mike|> are you sharing the client certs?
08:10 < sehh> no of course not, each client has its own certificate which I generated with the commands found in the HOWTO
08:10 < |Mike|> you could ping your openvpn server ip?
08:10 < sehh> the log shows that the encrypted connection is successful.. thats why I assume the problem lies with Vista routing
08:11 < Optic> moo
08:11 < sehh> no I can't
08:11 < |Mike|> weird.
08:11 < sehh> I can only ping myself, local systems (Vista to Vista, etc) and any public internet address
08:12 < |Mike|> you are going to route all your traffic over the vpn server?
08:12 < sehh> I know weird and I'm desperate and will have to format the entire system eventually...
08:12 < sehh> no, only traffic directed to the server itself (192.168.1.10)
08:12 < |Mike|> you done something with client-config-dir ?
08:13 < sehh> err not sure what you mean
08:13 < reiffert> 'PUSH_REPLY,route 192.168.1.10 255.255.255.255,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0'
08:14 < reiffert> C:\WINDOWS\system32\route.exe ADD 192.168.1.10 MASK 255.255.255.255 10.8.0.1
08:14 < sehh> I guess that comes from the server and tells the client how to setup routing
08:14 < reiffert> ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4
08:14 < reiffert> sehh: which is not working at your place, or did I get you wrong in the 1st place?
08:15 < sehh> well, its one remote server and I'm trying to connect two Vista clients, the first Vista works fine, the second Vista can't route traffic
08:15 < sehh> so I'm guessing that command is being sent to the first Vista box as well (which works fine)
08:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:16 < |Mike|> they have the same ip ?
08:16 < reiffert> NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
08:16 < |Mike|> !ccd
08:16 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
08:16 < reiffert> !net30
08:16 < vpnHelper> reiffert: "net30" is "/30" is (#1) http://openvpn.net/index.php/documentation/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:16 < reiffert> !topology
08:16 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:16 < sehh> Mike, no the first Vista box (that works) has IP 192.168.0.2 (10.8.0.2) and the second Vista box (that doesn't work) has IP 192.168.0.3 (10.8.0.3)
08:17 < reiffert> topology = 1 whatever 1 means.
08:18 < sehh> one sec, let me try to see if i can get access to the server somehow
08:28 < sehh> I think there is one last option...
08:28 < sehh> bridging isn't enabled in this Vista system
08:31 -!- sehh_ [n=sehh@b2946pns.static.otenet.gr] has joined ##openvpn
08:31 -!- sehh [n=sehh@b2946pns.static.otenet.gr] has quit [Read error: 104 (Connection reset by peer)]
08:31 -!- sehh_ is now known as sehh
08:31 < sehh> damn
08:33 -!- roshenia_ [n=roshenia@80.94.228.14] has joined ##openvpn
08:33 -!- roshenia [n=roshenia@gw.pbh.by] has quit [Read error: 104 (Connection reset by peer)]
08:44 -!- sehh [n=sehh@b2946pns.static.otenet.gr] has quit ["Leaving"]
08:52 -!- Jari-- [n=vai@81.90.68.28] has quit ["leaving"]
08:59 -!- garnser_ [n=jpeterss@gw2.mysql.com] has joined ##openvpn
08:59 -!- garnser [n=jpeterss@gw2.mysql.com] has quit [Read error: 104 (Connection reset by peer)]
09:16 -!- eostman [n=eostman@130.232.87.54] has joined ##openvpn
09:18 < eostman> !howto
09:18 < vpnHelper> eostman: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:40 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
09:41 -!- eostman_ [n=eostman@dyn-217-098.vpn.abo.fi] has joined ##openvpn
09:43 < eostman_> !forum
09:43 < vpnHelper> eostman_: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
09:48 < eostman_> Hey
09:49 -!- eostman [n=eostman@130.232.87.54] has quit [Read error: 145 (Connection timed out)]
09:50 < eostman_> Having problems with fedora 10 freezing when I try to open a vpn connection
09:52 < eostman_> anyone had similar problems? can't find any information about it
09:55 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
09:56 < eostman_> First the konsole freezes but I can still use firefox, and I am connected through the vpn, but slowly everything starts to freeze
09:56 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
09:57 < eostman_> I can switch to tty2, but I cannot login etc
09:58 < dazo> eostman_: sounds like you have a program leaking memory ....
09:58 < dazo> eostman_: could be FF
09:59 < dazo> eostman_: have top running in a shell somewhere ... sort on memory usage then you'll spot quite quickly which program is causing these issues
10:00 < dazo> eostman_: depending on how much RAM you have and how much swap .... the kernel will usually start killing processes which begin to claim too much memory ..... so called oom-kills (out of memory)
10:00 < eostman_> okey, haven't had any problems before though. and it happens every time I try to start openvpn
10:02 < dazo> eostman_: could be a lot of things causing it .... a buggy plug-in ... another process freaking out when a route changes unexpectedly .... I've found that gdesklets (written mostly in python) is useless due to this ... it suddenly begins to eat memory
10:02 < dazo> eostman_: but pay attention to the memory usage and which process is eating it ... then you have the guilty one :)
10:02 < eostman_> okey, I will restart and do what you said:)
10:03 -!- eostman_ [n=eostman@dyn-217-098.vpn.abo.fi] has quit [Remote closed the connection]
10:11 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:18 -!- eostman [n=eostman@prowl.cs.abo.fi] has joined ##openvpn
10:18 < eostman> Hey again
10:19 < eostman> Didn't see any spikes in memory usage, top does unf freeze instantly when I run openvpn, but system activity worked
10:20 < eostman> nothing took any more than 50 M of memory
10:26 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Remote closed the connection]
10:29 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
10:32 < ecrist> FWIW, Bind's GENERATE command is nice.
10:33 < reiffert> generating secrets?
10:33 < ecrist> no, large blocks of IP names.
10:33 < reiffert> ?
10:33 < reiffert> never seen such a thing before, what is it for?
10:34 < ecrist> rather than having 255 records to configure dhcp-1.example.com through dhcp-255.example.com, the following line does it all
10:35 < reiffert> awful.
10:35 < ecrist> $GENERATE 1-255 dhcp-$.example.com IN A 10.0.0.$
10:35 < reiffert> I'll have to remember that one.
10:35 < reiffert> thanks
10:35 < ecrist> you can't do classless spaces
10:36 < ecrist> I'm using it for IPv6 zone as well as IPv4
10:36 < ecrist> works for AAAA, A, PTR and CNAME, iirc
10:48 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
10:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:58 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
11:14 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
11:19 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"]
11:43 < krzee> nice tip
11:45 < dazo> But I only think ISC BIND supports this syntax
11:46 < moldenau1r> |Mike|: heya
11:49 < reiffert> did anyone play around with OS X netinstall?
11:50 < reiffert> it looks like you need 10.X when creating a 10.X netinstall image with X not being up/downwards compatible
11:52 -!- BillyCrook [n=BillyCro@72.22.210.100] has joined ##openvpn
11:53 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
11:56 -!- pistache [n=pist@rps8501.ovh.net] has left ##openvpn []
12:03 < ecrist> dazo: you are correct.
12:03 < ecrist> I thought I said BIND above...
12:03 < ecrist> 10:32 < ecrist> FWIW, Bind's GENERATE command is nice.
12:04 < ecrist> indeed, I did. ;)
12:04 * dazo is getting ready to get home .... he don't bother reading every word :-P
12:12 < reiffert> ecrist: do you have access to Snow Leopard atm?
12:15 < ecrist> running on it right now
12:18 -!- dazo [n=dazo@nat/redhat/x-nuaioztnieklweyr] has quit ["Leaving"]
12:19 < cpm> does anyone jump on a new os release as fast as the apple faithful?
12:23 < ecrist> I waited a week. the biggest problem was printer drivers, and the printers I have weren't affected, so I updated.
12:23 < ecrist> cpm, I would say ubuntu folks jump quickest.
12:24 -!- c64zottel [n=hans@p5B17ACD5.dip0.t-ipconnect.de] has left ##openvpn []
12:24 < cpm> not so sure. I think a lot of the ubuntu faithful sit back and let the rest of the penguins jump in first.
12:25 < cpm> whereas the ms faithful hang on to their existing working until they get pried away from it.
12:29 -!- dazo [n=dazo@nat/redhat/x-kmmscjvmexyngwtr] has joined ##openvpn
12:44 < ecrist> regardless, I think it's an example of conditioned response.
12:44 < ecrist> the failures in OS X aren't near as show-stopping as some other notable OSes on initial release, hence the larger crowd of early-adopters
12:44 < ecrist> out of three macs at home, however, only two can be upgraded to 10.6
12:45 < ecrist> i've only updated my daily-use machine.
12:45 < cpm> ah, time to retire them puppies
12:45 < cpm> can still get a good price for them depending. which do you have?
12:45 < ecrist> the kid's machine can be upgraded, but I'm waiting in case I need it. ;)
12:45 < ecrist> I have a 1.13GHz G4 Powerbook (12")
12:45 < ecrist> about 6 years old now
12:46 < ecrist> still on the original battery, still going strong
12:46 < ecrist> we've gone through about 4 power supplies, but it was a usage issue, really.
12:46 < ecrist> the wife still plays WoW on the damn thing, and her sister, despite my recommendation has to buy a new windows laptop every 6-12 months because
12:47 < ecrist> 'it gets slow and unusable'
12:51 -!- Aichibo [i=Aichibo@94.196.113.7.threembb.co.uk] has joined ##openvpn
12:52 < Aichibo> hey guys, sorted my previous problem
12:52 < Aichibo> however, I was just wondering
12:52 < Aichibo> Does anyone know how to spoof openvpn packets to make them look as if they came from a program like IE or MSN?
12:53 < ecrist> what?
12:53 < ecrist> it's not going to look a lot different already
12:54 < Aichibo> Well I read an article some time ago (which I can't find now :<) about how you can make the vpn packets look like they have originated from IE
12:54 < ecrist> it's TLS encapsulated, so it looks similar to any normal SSL-encrypted website
12:54 < ecrist> if you put your VPN server on TCP port 80, it'll look similar.
12:54 < ecrist> however, I would caution against using TCP for a VPN.
12:54 < Aichibo> Well here is the problem, I have a caching service called Squid which I have to get through
12:54 < Aichibo> It's not optional as it's set up as a transparent proxy too
12:55 < Aichibo> and it scans all the packets so it needs to look like it's from there
12:55 < Aichibo> I tried that but as you say, TCP for VPN sucks and UDP is a lot better for it, much cleaner
12:55 < Aichibo> Any ideas how to get through squid?
12:55 < ecrist> squid is a web proxy, not a firewall
12:56 < ecrist> so, if you're using a non-web port, on UDP, you shouldn't run in to the Squid proxy
12:56 < Aichibo> It's blocking all the traffic I send through it that doesn't come from MSN or IE/firefox
12:56 < Aichibo> It's through a vpn itself
12:56 < Aichibo> I'll just tell you the whole set up
12:56 < Aichibo> It's at uni, I have to connect via the uni VPN which uses squid to filter all the traffic
12:56 < Aichibo> blocking all the traffic they don't want
12:56 < Aichibo> however a program/site called your freedom does work
12:57 < Aichibo> And my guess is that it works because they spoof their packets to look like normal ie traffic or whatever
12:57 < Aichibo> as normal SSH/VPN won't get through
12:57 < Aichibo> even if you set the squid server as the proper proxy
12:57 < ecrist> http://openvpn.net/papers/openvpn-101.pdf
12:57 < ecrist> search for Squid within that document
12:58 < Aichibo> Ok
12:58 < Aichibo> Just DL'ing now
12:59 < ecrist> reiffert: what did you need with Snow Leopard?
13:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:44 -!- Shaun2222 [n=Shaun222@204.10.36.76] has left ##openvpn []
13:52 < exks> probably a common question: what do the "WARN: could not open database for bits. Skipped" warnings mean?
14:06 < ecrist> no clue
14:06 < ecrist> sounds like something to do with TLS/SSL
14:12 < exks> that was my guess too. But huh, I guess not so common.
14:12 < exks> it is printed out to stderr when starting both the server and client
14:13 < exks> anyway, still seems to work though
14:22 -!- Aichibo [i=Aichibo@94.196.113.7.threembb.co.uk] has quit []
14:23 -!- Gnewt [n=hackerle@64.62.228.94] has quit [Remote closed the connection]
14:25 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
14:37 -!- ico2_ [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn
14:38 -!- money [n=money@unaffiliated/money] has joined ##openvpn
14:41 < ico2_> hi, previously i was using tcp and all was well, since i now have udp available i decided to switch. after a little faffing with router config, it works, except that when i remove my default route (so that i can make the default route go through the vpn) it stops working. i have a route added for the server, that worked fine with tcp.
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:47 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
14:47 < ico2_> (linux at both ends, btw)
14:57 -!- garnser_ [n=jpeterss@gw2.mysql.com] has quit [Read error: 104 (Connection reset by peer)]
15:12 -!- reber [n=reber@78.251.137.88] has joined ##openvpn
15:13 < reber> hi all
15:13 < reber> !howto
15:13 < vpnHelper> reber: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:14 < reber> !route
15:14 < vpnHelper> reber: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:24 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
15:25 < reiffert> ecrist: did you ever get in contact with netboot or netinstall on OS X?
15:40 -!- ankitt [n=ankitspd@94.76.213.75] has joined ##openvpn
15:40 < ankitt> i get this error on my vps
15:40 < ankitt> Error: Could not establish license validation machine lock.
15:40 < ankitt> my host has done everything said here
15:40 < ankitt> http://www.openvpn.net/access-server/rd/liman-id-failed.html
15:43 < reiffert> ankitt: since AS is a commercial product, please get in contact with the official support.
15:43 < ankitt> i used free license
15:44 < ankitt> and what is this room for then?
15:44 < reiffert> openvpn.
15:47 < ankitt> that's what i am trying to install , right?
15:47 < |Mike|> moldenau1r: yo
15:48 < reiffert> ankitt: the URL you gave is telling "Access Server" and I'm sorry to say but openvpn doesn't have this License Activation stuff.
15:48 < A-KO> if you want to use the open source openvpn, click the "open source project" link at the top of the page
15:49 < ankitt> ok
15:49 < reiffert> ankitt: you are welcome to stay and find someone else helping you, but I don't think there are many ppl around here who got in contact with AS.
15:50 < moldenau1r> |Mike|: im getting a crypto accel card soon
15:51 < moldenau1r> hope to be able to use it for openvpn
15:51 < ankitt> i will try OpenVPN 2.1_rc19
15:51 < ankitt> can i install wine
15:51 < ankitt> and run the windows installer
15:51 < A-KO> ....
15:51 < reiffert> ankitt: sorry?
15:51 < |Mike|> moldenau1r: i have the same here, i do generate keys with it :)
15:52 < ankitt> http://openvpn.net/release/openvpn-2.1_rc19-install.exe
15:52 < ankitt> can i use this on linux via wine
15:52 < reiffert> ankitt: wine, windows installer, what's that supposed to mean?
15:52 < A-KO> I'm going to go out on a limb and say that you might not want to be working with openvpn, ankitt, until you learn a bit more about what you're dealing with. Intimate networking and system knowledge is pretty much a requirement to understand what you're doing and how to implement it into your environment.
15:52 < moldenau1r> ankitt: lol what for
15:52 < moldenau1r> |Mike|: what one? im going for a HIFN
15:53 < ankitt> is the linux version gui?
15:53 < ankitt> ok can you give me instructions on how to install it
15:53 < ankitt> on centos 5
15:53 < A-KO> all versions require you to modify some sort of config file, even on Windows (the configs are the same, actually, minus a couple of settings)
15:53 < A-KO> !howto
15:53 < vpnHelper> A-KO: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:53 < reiffert> no. (though the gnome network manager is capable of running openvpn)
15:53 < reiffert> ankitt: see !howto
15:54 < |Mike|> moldenau1r: not sure, it's a smartcard ( it arrived today)
15:54 < moldenau1r> ah, more like pkcs then, I mean a pci/pci express crypto accel
15:54 < moldenau1r> which has huge throughput
15:56 < moldenau1r> dazo: heya
15:56 < ankitt> actually i used this to install a few mins ago i guess
15:56 < ankitt> http://www.bogdanmatu.com/?p=35
15:56 < vpnHelper> Title: OpenVPN CentOS 5 VPS Setup For Newbies | Bogdan Matu (at www.bogdanmatu.com)
15:57 < ankitt> when i type
15:57 < ankitt> http://www.bogdanmatu.com/?p=35
15:57 < vpnHelper> Title: OpenVPN CentOS 5 VPS Setup For Newbies | Bogdan Matu (at www.bogdanmatu.com)
15:57 < ankitt> sorry
15:57 < ankitt> when i type
15:57 < ankitt> http://www.bogdanmatu.com/?p=35
15:57 < ankitt> oops
15:57 < ankitt> openvpn --config /etc/openvpn/server.conf
15:57 < ankitt> Cannot open dh1024.pem for DH parameters: error:02001002:system library:fopen:No such file or directory: error:2006D080:BIO routines:BIO_new_file:no such file
15:58 < reiffert> ankitt: you didn't follow the !howto.
16:01 < |Mike|> lol
16:01 < |Mike|> ankitt: rtfm
16:01 < |Mike|> generate the keys!
16:03 < |Mike|> and use rc.d to start openvpn ktnx.
16:15 < ankitt> i'll pay someone to install a fully working copy of openvpn on my vps
16:16 -!- qknight [n=joachim@serverkommune.de] has quit [Read error: 104 (Connection reset by peer)]
16:18 < ankitt> Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
16:19 -!- Blu3 [i=david@BlueLabs/Blu3] has left ##openvpn ["I ❤♥❤ Guys"]
16:19 -!- ico2_ [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit [Read error: 110 (Connection timed out)]
16:25 < moldenau1r> dazo: there?
16:25 < moldenau1r> I'm reviewing your code
16:32 < |Mike|> ankitt: what kind of vps ?
16:32 < |Mike|> openVZ == suckage
16:34 -!- ankitt [n=ankitspd@94.76.213.75] has quit [Read error: 104 (Connection reset by peer)]
16:38 -!- reber [n=reber@78.251.137.88] has quit ["Leaving"]
16:39 -!- frewsxcv [n=farwell@pcp037592pcs.hollister.reshall.calpoly.edu] has joined ##openvpn
16:40 < frewsxcv> if i have openvpn enabled, does that mean my traffic to the openvpn server is encrypted?
16:44 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
16:48 < |Mike|> depends on your config frewsxcv
16:49 < frewsxcv> |Mike|, assume it is encrypted....how is this different than an ssh tunnel?
16:49 < |Mike|> openvpn has different encryption levels
16:50 < frewsxcv> |Mike|, meaning what?
16:53 < |Mike|> !howto
16:53 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:55 < |Mike|> read that please.
17:12 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
17:38 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
17:42 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
17:59 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 110 (Connection timed out)]
18:51 -!- BillyCrook [n=BillyCro@72.22.210.100] has quit ["Leaving."]
19:39 < Dougy> hai ladiez
20:05 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:41 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
21:00 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
21:01 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
21:11 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
21:12 -!- master_of_master [i=master_o@p549D42FB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D41ED.dip.t-dialin.net] has joined ##openvpn
21:18 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
22:00 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
22:00 < ksnp> hi i keep getting permission denied on all the scripts when i try to generate keys
22:00 < ksnp> didn't seem to happen before and i never changed the file attributes
22:01 < ksnp> aren't files in easy-rsa executable ?
22:01 < ksnp> they are supposed to be correct ?
22:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:18 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
22:19 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit [Read error: 145 (Connection timed out)]
22:24 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
22:25 -!- Dougy [n=douglas@ool-43503ed4.dyn.optonline.net] has quit ["Lost terminal"]
22:54 -!- dougy[itouch] [n=dougyito@ool-43503ed4.dyn.optonline.net] has quit ["Colloquy for iPhone - http://colloquy.mobi"]
22:56 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
23:10 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
23:13 -!- jfkw [n=jtk@24.216.241.93] has quit [Read error: 145 (Connection timed out)]
--- Day changed Wed Sep 16 2009
00:20 -!- deblike [n=xchat@88.204.14.105] has joined ##openvpn
00:54 -!- ku0n [n=kuon@217.144.50.50] has joined ##openvpn
00:54 < ku0n> hello
00:56 < ku0n> I just compiled openvpn on macosx 10.6 64bit. It works fine, except the redirect-gateway def1 option. If this option is enabled, I can't go anywhere (I can't ping even the server). If I disable this option and add a route manually, like this sudo route add -net 0.0.0.0 192.168.200.1 128.0.0.0 (where 200.1 is server ip), everything works fine and all traffic is redirected on the VPN.
00:57 < ku0n> I've googled for a while now, but I can't find any solution.
00:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
00:57 < ku0n> In the meantime I want to connect to a server I don't manage, but it has redirect-gateway option set. How can I tell my client to ignore it so I can add the route manually?
01:03 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:14 -!- money [n=money@unaffiliated/money] has quit [Read error: 110 (Connection timed out)]
01:15 -!- deblike [n=xchat@88.204.14.105] has quit [Remote closed the connection]
01:24 -!- hyper__ch [n=hyper@adsl-84-227-148-66.adslplus.ch] has joined ##openvpn
01:24 -!- hyper_ch [n=hyper@adsl-84-227-130-76.adslplus.ch] has quit [Nick collision from services.]
01:24 -!- hyper__ch is now known as hyper_ch
01:33 -!- eostman [n=eostman@prowl.cs.abo.fi] has quit [Remote closed the connection]
02:10 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
02:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:04 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
03:05 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
03:05 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
03:05 -!- bauruine [n=bauruine@92.105.159.93] has joined ##openvpn
03:07 -!- bauruine [n=bauruine@92.105.159.93] has quit [Read error: 104 (Connection reset by peer)]
03:07 -!- bauruine [n=bauruine@92.105.159.93] has joined ##openvpn
03:20 -!- bauruine [n=bauruine@92.105.159.93] has quit [Success]
03:23 -!- fen_ [n=fen@220.233.179.84] has joined ##openvpn
03:24 -!- fen_ [n=fen@220.233.179.84] has quit [Client Quit]
03:24 -!- fen_ [n=fen@84.179.233.220.static.exetel.com.au] has joined ##openvpn
03:24 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
03:27 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
03:30 < fen_> i've set up an openvpn and i can ping the server's tun0 address (10.8.0.1), have set up ipv4 ip_forward and shorewall to do masquerading/policy but i still can't get anywhere when routing from the windows client through the tunnel.
03:31 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
03:32 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
03:32 < onats> OT, does anyone have a copy of ozyman's script?
04:02 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
04:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:05 -!- phatfish [i=PHAT@cpc1-hem15-0-0-cust204.lutn.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:59 -!- APTX|_ is now known as APTX|
06:44 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has joined ##openvpn
06:44 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
06:45 < ecrist> onats: who's ozyman?
06:45 < onats> ecrist, well there's a script that I was googling about icmp tunneling
06:46 < onats> in order to get connectivity when connected to a hotspot that asks for payment
06:46 < onats> have you tried that?
06:47 < bauruine> hyper_ch, hi i have a problem with cryptsetup and an ssh server in the initramdisk. if i connect to the ssh and type unlock it hangs at "Begin: Waiting for encrypted source device... ..." i also got the error modprobe not found. any ideas how to debug?
06:48 < |Mike|> wtf?
06:48 < |Mike|> does this look like some linux help channel ? :P
06:48 < ecrist> onats: interesting, never heard of it
06:49 < bauruine> |Mike|, sorry it's directed to hyper_ch, he wrote (or at least modified) a script which provides that and i know he is in this channel :-)
06:49 < ecrist> bauruine: my guess is you're in the wrong channel.
06:50 < |Mike|> last time i saw him active was on 2009/09/04 16:25:44
06:52 < onats> ecrist, http://www.dnstunnel.de/
06:52 < vpnHelper> Title: DNStunnel.de - free DNS tunneling service (at www.dnstunnel.de)
06:57 -!- brizly1 [n=brizly_v@p4FC9A083.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:59 -!- brizly [n=brizly_v@p4FC9A162.dip0.t-ipconnect.de] has joined ##openvpn
07:05 < ecrist> onats: http://beta.ivancover.com/dnstunnel/ozymandns_src_0.1.tgz
07:05 < onats> yay thanks!:D
07:05 < ecrist> no problem
07:05 < onats> I'll have to tinker and set up my laptop with it
07:22 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
07:29 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
07:40 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
07:47 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
07:59 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:01 -!- tjz [n=tjz@220.255.158.226] has joined ##openvpn
08:11 -!- bauruine [n=bauruine@93-159.105-92.cust.bluewin.ch] has quit [Remote closed the connection]
08:13 < Optic> moo
08:21 < ecrist> baaa
08:21 < cpm> bwak!
08:22 < Optic> hihi
08:22 < reiffert> ecrist: did you ever get into netboot/netinstalling OS X?
08:22 < ecrist> no, i have not, sir
08:23 < reiffert> It works when serving .dmg images via HTTP and NFS
08:23 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:23 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
08:24 < reiffert> I wonder how to make it possible with just a stock / via NFS, so that updating will be easier than this .dmg evasion
08:25 -!- tjz [n=tjz@220.255.158.226] has quit [Read error: 145 (Connection timed out)]
08:30 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:33 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
08:33 < ecrist> not sure
08:39 -!- huf [i=huf@mu.parawag.net] has joined ##openvpn
08:43 < Optic> mooo
08:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
08:48 < huf> hi. what could cause an openvpn server and client not to ping (arp who-has gets no reply when i tcpdump) when openvpn connect succeeds, client gets the correct ip on the correct interface, and the routes look correct too
08:50 -!- roshenia_ [n=roshenia@80.94.228.14] has quit [Read error: 131 (Connection reset by peer)]
08:50 -!- roshenia_ [n=roshenia@gw.pbh.by] has joined ##openvpn
08:52 < cpm> firewall
08:53 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
08:54 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
08:55 < huf> both hosts are linux and one doesn't even have iptables installed while the other has everything set to accept
08:58 < ecrist> !iptables
08:58 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
08:58 < ecrist> !configs
08:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:01 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
09:03 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
09:07 -!- dollabill [n=mike@97.66.26.10] has quit []
09:08 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
09:13 -!- dazo [n=dazo@nat/redhat/x-kmmscjvmexyngwtr] has quit ["Leaving"]
09:14 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 60 (Operation timed out)]
09:14 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
09:28 -!- dazo [n=dazo@nat/redhat/x-tnnidwuygurdfzsz] has joined ##openvpn
09:29 < huf> ecrist: http://pastebin.ca/1568362
09:29 < huf> did i miss anything?
09:30 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
09:30 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
09:30 < ecrist> huf: your route line on line 16 of your paste is redundant, I would suggest removing it
09:31 < ecrist> also, who is assigning the IP of the client?
09:32 < huf> the server is pushing an address to the client
09:32 < ecrist> what IP are you giving the server?
09:32 < ecrist> change your server line to something like this:
09:32 < huf> 10.8.0.1, and the client gets 10.8.0.4
09:32 < ecrist> server-bridge 10.8.0.1 255.255.255.0 10.8.0.2 10.8.0.254
09:34 < huf> still nothing
09:35 < huf> but we don't want to bridge anyway
09:35 < ecrist> then why are you using device tap?
09:35 < huf> good question. i'll change it back
09:36 < ecrist> if you change to tun, your client should get address 10.8.0.5, iirc
09:36 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
09:36 < ecrist> !topology
09:36 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:36 < ecrist> and look at that if you want to avoid the /30 subnets
09:36 < huf> it got .6
09:36 < huf> well, on the client side i get a warning about Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:2: topology (2.0.9)
09:37 < ecrist> that sounds right
09:37 < huf> but it seems to succeed
09:37 < ecrist> oh, didn't notice the client was using 2.0.9
09:37 < ecrist> topology is available for that
09:37 < ecrist> s/is/isn't/
09:37 < huf> yeah. the original problem was with a 2.0.9 client and server
09:38 < ecrist> what's wrong with that?
09:38 < huf> but it didn't work in the same way with this setup and since this vpn is on my box, i can screw with it all i want
09:38 < huf> same thing. we've connected two xp-s and a bunch of linuxes to it, and suddenly this ipbox and a vista won't connect
09:39 < huf> the vista at least complains *something* about not being able to set routes correctly (don't have the actual errormsg to hand atm), but this ipbox just seems to succeed and then doesn't pig
09:39 < huf> ping
09:40 < huf> well, with tun, the arp requests seem to work, i can send icmp packets
09:41 < huf> nothing comes back tho
09:43 < ecrist> then it's a firewall issue
09:44 -!- tjz2 [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
09:44 -!- tjz2 [n=tjz@220.255.158.226] has joined ##openvpn
09:46 < huf> hmm. but the client has no iptables binary anywhere on the system
09:46 < ecrist> then perhaps the server does
09:47 < huf> nah, it's off there and to be sure i did what you suggested with !iptables
09:48 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
09:55 -!- tjz2 [n=tjz@220.255.158.226] has quit [Read error: 145 (Connection timed out)]
09:55 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
09:59 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:02 < huf> hmm. if i make a server out of the client and vice versa, it works.
10:13 < huf> well... turns out the server had comp-lzo on...
10:14 -!- Nirkus [i=rmf2mlh@about/pxe/Nirkus] has quit [Read error: 104 (Connection reset by peer)]
10:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
10:23 -!- chutkin [n=Miranda@87.120.100.22] has quit [Read error: 110 (Connection timed out)]
10:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:43 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has joined ##openvpn
10:43 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has left ##openvpn ["Leaving."]
10:44 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has joined ##openvpn
10:44 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has left ##openvpn ["Leaving."]
10:44 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has joined ##openvpn
10:45 < mekwall> uhm... anyone experienced with openvpn + windows vista and offline files? even though I'm connected to my vpn server and can access network shares, the client says that the share is disconnected, and then i can't sync it :(
11:09 < ecrist> sounds like a windows question
11:14 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:25 < huf> you need a bit of extra magic to get ovpn to work on vista
11:26 < huf> we just solved this 20 minutes ago ;)
11:26 < huf> but it was a case of the vista client connecting but not pinging anyone
11:26 < huf> mekwall: does that look like your problem?
11:28 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
11:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:58 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:24 < mekwall> huf: i solved it... had to remove them, reboot and connect as network share again
12:24 < mekwall> also had to tweak the server config
12:25 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has left ##openvpn ["Leaving."]
12:28 -!- SJr [n=sjr@128.189.69.205] has joined ##openvpn
12:28 < SJr> !route
12:28 < vpnHelper> SJr: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:29 < SJr> !tap
12:29 < vpnHelper> SJr: "tap" is "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for windows sharing (without wins server) and LAN gaming, anything
12:29 < vpnHelper> SJr: where the protocol uses MAC addresses instead of IP addresses.
12:30 < SJr> !sample 12:30 < vpnHelper> SJr: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 12:30 < |Mike|> hi! 12:33 < SJr> hi! 12:33 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:48 -!- reber [n=reber@78.251.130.106] has joined ##openvpn 12:53 < reber> hi all 12:54 < ecrist> hello 12:55 < reber> got a problem with openvpn / default route gw. I'd like to route all traffic to the tun0 interface, but it seems that creating the route to 10.8.0.1 isn't possible (it fails at creation stage). I read some articles about it, saying that the default route must be 10.8.0.5 (because of the /30 netmask), but it doesn't work either, i even can't ping 10.8.0.5 12:56 < reber> i *can* ping 10.8.0.1 tho 12:56 < reber> and 10.8.0.10 12:56 < ecrist> !default 12:56 < vpnHelper> ecrist: (default ) -- Returns the default value of the configuration variable . 12:56 < ecrist> !def-gateway 12:56 < vpnHelper> ecrist: Error: "def-gateway" is not a valid command. 12:57 < reber> :) 12:58 < ecrist> add this to your server config: 12:58 < ecrist> push "redirect-gateway def1" 13:24 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 13:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 13:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 13:37 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 13:40 < Hypnoz> I've noticed on the windows client, when openvpn is running you are unable to ping the original local IP anymore, but that is not the case with mac and linux clients 13:40 < Hypnoz> anyone know why the local ip would be blocked by the windows client after connecting to openvpn? 13:40 < A-KO> I haven't noticed that 13:41 < Hypnoz> do you have a windows machine running openvpn? 13:41 < A-KO> and I've noticed some weird things with openvpn and Windows, that's not one I've seen 13:41 < A-KO> yes? 
13:41 < Hypnoz> can you ping it? 13:41 < Hypnoz> not the vpn-given ip, but the original one 13:41 < A-KO> ping it from inside the machine or from another machine in the openvpn subnet? 13:41 < Hypnoz> say you have 192.168.1.50 as your local, and 10.1.1.5 as your vpn 13:42 < Hypnoz> from another machine on the 192.168.1.0 network wouldn't be able to ping 192.168.1.50 13:42 < A-KO> haven't seen that, but it's easy to check 13:42 < A-KO> check route print 13:42 < A-KO> see what the routes look like 13:42 < A-KO> it should still be fine, as the adapter connection should still have the route for 192.168.1.50 "on-link" 13:44 -!- reber [n=reber@78.251.130.106] has quit [Read error: 60 (Operation timed out)] 13:45 < Hypnoz> route for the local ip says on-link and looks ok 13:45 -!- SJr [n=sjr@128.189.69.205] has quit [Connection timed out] 13:45 < A-KO> can you ping your normal default gateway from that machine? 13:45 < A-KO> ping 192.168.1.1? 13:45 < Hypnoz> i find it weird this only happens with the windows machines, mac and linux ones are still ok 13:45 < A-KO> okay, it's not the time to take jabs at Windows over this :P 13:45 < A-KO> you have a problem that can be fixed 13:45 < A-KO> it's a configuration issue 13:45 < Hypnoz> ya can ping gw 13:46 < A-KO> so another machine in the 192.168.1.0 net can't ping 192.168.1.50? Check firewalls? 13:46 < Hypnoz> firewall on the windows machine? 
13:46 < A-KO> if you can ping it means routing is working fine 13:46 < Hypnoz> it seems like openvpn would disable those connections when it starts up 13:46 < A-KO> firewall on the windows machine, and firewall on the other machine in the 192.168.1.0 net 13:46 < A-KO> it doesn't 13:46 -!- reber [n=reber@78.251.130.106] has joined ##openvpn 13:46 < Hypnoz> hmm 13:46 < ecrist> openvpn doesn't disable anything you don't tell it to 13:46 < A-KO> it's probably setting your computer to the public firewall profile (if you're using Vista/7) 13:47 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 13:47 < Hypnoz> ah possible 13:47 < A-KO> something I'm trying to figure out how to fix, once I get over this sickness :P 13:48 < A-KO> windows identifies networks by the mac address of the default gateway--but openvpn never sets a default gateway on the tap adapter 13:48 < A-KO> it just adds the route (0.0.0.0 128.0.0.0) 13:48 < krzie> it doesnt add that route 13:48 < krzie> unless you tell it to 13:48 < krzie> by using redirect-gateway def1 13:48 < A-KO> .....redirect gateway def1 13:48 < A-KO> yes 13:48 < ecrist> A-KO: you could run an up/down script to assign the proper gateway for you 13:49 < krzie> and it doesnt only add that one, it also adds 128.0.0.0 128.0.0.0 13:49 < krzie> ecrist i told him that days ago 13:49 < A-KO> yes, that's not been working for w/e reason 13:50 < krzie> A-KO you said you made it work with a netsh command 13:50 < krzie> if you in fact did, that command in a batch file ran by --up WILL work 13:50 < A-KO> krzie: I made it allow me to change the profile for that network, that's correct, but the public one was still being applied--which I'm not sure why. 
13:50 < A-KO> so I've been asking around to figure out if there's anything else Windows is doing 13:50 < krzie> werd 13:51 < A-KO> I even went in and unchecked the public profile from the TAP adapter, as well 13:51 < A-KO> in the windows firewall settings--and it was still applying 13:51 < A-KO> if you remove all default routes and apply one, it then sets the physical link to the unidentified network and public profile :P 13:51 < krzie> windows sucks 13:52 < A-KO> but that setting still gets applied to the tap adapter 13:52 < A-KO> eh I'm just going to create a pptp vpn and see how it does it--apparently the built-in Windows tools work fine 13:52 < A-KO> so in theory, it should be possible to mirror whatever that's doing 13:52 < krzie> i solved that problem as well 13:52 < krzie> but i did it very differently 13:52 < krzie> i decided to use OS's that dont suck 13:52 < krzie> works great for me 13:53 < krzie> ;] 13:53 < A-KO> eh 13:53 < A-KO> I use a multitude of OS' every day 13:53 < krzie> are you using tun or tap 13:54 < A-KO> pretty sure it's set to tun 13:54 < A-KO> heh 13:54 < A-KO> you know though 13:54 < A-KO> setting tap might fix it 13:54 -!- c64zottel [n=hans@p5B17B024.dip0.t-ipconnect.de] has joined ##openvpn 13:55 < A-KO> we'll see, I'm going to get more time on it this weekend 13:56 < krzie> tun is good 13:56 < krzie> was gunna say your ptpp test would be invalid with tap 13:56 < krzie> since ptpp is layer3 tun afaik 13:56 < A-KO> hmm 13:58 < Hypnoz> A-KO I figured it out 13:58 < Hypnoz> windows firewall was running 13:58 < Hypnoz> and there needs to be an exception check next to \"File and Print Sharing" 13:58 -!- SJr [n=sjr@128.189.69.205] has joined ##openvpn 13:58 < krzie> you can disable the windows firewall only for tap interface as well 14:04 < Hypnoz> i wish windows firewall was disabled by default that thing is terribad 14:04 < ecrist> while it's a pain, it likely does more good than harm 14:05 < krzie> agreed 14:05 < A-KO> the windows 
firewall in vista/7 is great, if I could just get it working right with how i want my vpn set up 14:06 < A-KO> it would be near godlike :P 14:08 < krzie> far from great if it does things you didnt tell it to and doesnt allow you to easily tell it not to 14:09 < Hypnoz> how is win firewall affecting your vpn a-ko? 14:09 < A-KO> it's complicated :P 14:10 < A-KO> shouldn't be as complicated as it is, but it is 14:10 < krzie> Hypnoz, it defaults to his vpn interface being in public profile instead of private profile 14:10 < A-KO> right now my mind is open as to who's at fault..... 14:10 < krzie> cause win tries to do too much 14:10 < krzie> who is at fault? its a windows issue 14:11 < krzie> it actually has nothing to do with openvpn 14:11 < krzie> except that we'ld like to know how you end up fixing it for the next guy who comes here with the same issue 14:12 < Hypnoz> krzie: can you be more specific, i've done a lot of windows tech, but not sure what you mean by public and private profiles 14:12 < ecrist> krzie: http://secure-computing.net/files/single_moms.png 14:13 < A-KO> Hypnoz: in Vista and 7, Windows allows you to set 3 different firewall rulesets. "Domain", "Public", and "Private". This allows you, for example, to go to a public wifi point and use a more restricted ruleset than you might want to use when plugged in at work or home. 14:14 < A-KO> supposedly, it identifies which type of network you're on by the mac address of the default gateway 14:14 < ecrist> A-KO: set the tap/tun adapter as being static (I think it is in windows anyway) and set the profile to private. 
It should stay that way 14:15 < A-KO> ecrist: yeah, but it's not :P I've set the options to static via netsh (netsh int ip set address name="Local Area Connection 2" static 10.8.0.10 255.255.255.0 10.8.0.9), and Windows does indeed let me set the profile for that connection from the network and sharing center--but for some reason the public profile rules are still applying 14:15 < reber> ecrist, what should be the default route ? Is this push "redirect-gateway def1" mandatory, or can i add the right route on the client side to test if it could work ? 14:16 < A-KO> even if I go into the options and uncheck the public profile from attaching to connection 2..... 14:16 < A-KO> which is why it's baffling to me 14:16 < ecrist> reber: I would add it to the config and do it properly 14:17 < A-KO> my only assumption is that because this is a tunnel and not a physical adapter, that Windows is applying it at the nic level (which should still carry the public profile) and that's what's blocking it, but that just doesn't seem right by how all of this seems to should work... 14:19 < ecrist> why should the profile be public at the NIC level? 14:19 < A-KO> and supposedly, this is not an issue when you use the built-in Windows VPN client (PPTP). I've also read setting the NDISdevicetype on the tun/tap device to 1 instead of 6 ,but that didn't seem to have an effect. There was also something on an MS blog about changing the current FW profile 14:19 < A-KO> ecrist: Local Area Connection, the physical connection, should be public because I want a very restricted ruleset for a network that I physically connect to. 
14:20 < A-KO> and only opening up when the vpn is connected 14:20 < ecrist> that's silly 14:20 < ecrist> I'm talking about Local Area Connection 2, which is the vpn connection 14:20 < ecrist> that connection cannot be physically connected to anything 14:22 < A-KO> it's not....what I meant was, I think the firewall is applying the public profile to lan2 because ultimately it goes out over the lan1 nic interface, which has the restrictive profile.... 14:22 < A-KO> makes no sense to me, but ya know 14:22 < A-KO> why it's not working isn't making any sense 14:22 < ecrist> so, disable the windows firewall and use something at the network level 14:23 < ecrist> like pfsense or a PIX 14:23 -!- A-KO^ [i=as@c-69-143-90-155.hsd1.md.comcast.net] has joined ##openvpn 14:24 < A-KO^> eh 14:24 < A-KO^> won't work 14:25 < ecrist> why? 14:25 < A-KO^> because this is on my laptop, the idea is to use a host-based solution to not trust any network I connect to, and only allow communication once my VPN tunnel is built 14:26 < ecrist> ah, then use a better OS? :P 14:26 -!- A-KO [i=as@unaffiliated/a-ko] has quit [Read error: 60 (Operation timed out)] 14:26 < A-KO^> I mean sure, this is overboard for security but I really, really, really do not trust public wifi networks :P 14:26 -!- A-KO^ is now known as A-KO 14:26 < A-KO> or even private ones sometimes 14:28 < A-KO> which is my primary use for openvpn at all, to have a point-to-point encrypted interface that is only as secure as the configuration I've created for it, regardless of the physical network I'm on... 14:29 < ecrist> sure, not really in need of a lecture on the benefits of a VPN. 14:30 < ecrist> usually, when someone has the kinds of problems you are, it's indicative of their attempts at doing things their system wasn't designed to do, or something that's needlessly over-complicated. 14:31 < A-KO> yeah, I've considered that 14:31 < A-KO> but I don't think this one fits either of those criteria. 
Windows 7's new firewall profiling allows multiple connection profiles at one time (something vista didn't do), which I would assume allows this 14:32 < ecrist> sure, also keep in mind Windows 7 is still pre-release 14:32 < A-KO> negative 14:32 < A-KO> it's final 14:32 < A-KO> been final 14:32 < ecrist> until it's released, it's pre-release 14:33 < A-KO> it is released.... 14:33 < A-KO> it's been available for technet customers for a few months now 14:33 < ecrist> general retail availability set for October 22, 2009 14:33 < A-KO> The only channel that doesn't have it yet is retail 14:33 < A-KO> everyone else has it 14:33 < A-KO> msdn, msdnaa, etc. 14:35 < ecrist> meh, I'm not going to waste much more time on it until it's released officially 14:36 < krzie> and i wont waste any time on it even after that 14:36 < ecrist> LOL 14:36 < ecrist> you say that now, you know we'll continue getting folks in here trying to use it. 14:36 < krzie> oh for sure 14:37 < ecrist> /ban * if [OS == 'Windows *'] 14:37 < krzie> nah ill just help them the same as i do with current windows clients 14:37 < krzie> if i know from someone else having fixed it, ill set a !command, then ill type the !command when someone needs it 14:37 < krzie> like !winroute for example ;] 14:37 < ecrist> if $OS ~= m/Microsoft/i { my $ban = TRUE; } 14:39 < krzie> but for all my windows needs i have a winxp virtual machine (which hardly ever gets turned on) 14:39 < krzie> although ill admit i did use it the other day for notepad++ 14:40 < krzie> they have nice shell syntax highlighting, much nicer than textwrangler 14:40 < krzie> and im not so into vim 14:40 < ecrist> I actually have a Dell 2450 running XP Pro in my server rack for my security company 14:40 < ecrist> need something around that can run our security download software 14:40 < ecrist> krzie FTL 14:40 < ecrist> vim FTW 14:40 < krzie> ya, you have a reason to 14:40 < krzie> hehe vim is nice, i just dont prefer it 14:41 < krzie> i mean i CAN use it 
14:41 < krzie> just never got hooked 14:41 -!- SJr [n=sjr@128.189.69.205] has quit [Read error: 110 (Connection timed out)] 14:41 < ecrist> the admin that was here before me got me into it 14:41 < krzie> hell i do much of my code in nano 14:41 < krzie> lol 14:41 < ecrist> I'm no where near an expert, but it does everything I need 14:41 < ecrist> i used to use ee 14:42 < ecrist> still do, since it's not vi, and default installed on freebsd. 14:42 < krzie> im kinda liking textwrangler tho 14:42 < ecrist> vi and meta keys sucks 14:42 < krzie> (osx) 14:42 < krzie> i just need to improve its syntax highlighting for shell 14:43 < krzie> its quote highlighting doesnt go past the current line 14:43 < krzie> etc 14:43 < krzie> and it quotes " ' ` = 14:43 < ecrist> for gui I use gvim 14:43 < krzie> gvim... hrm 14:43 < krzie> command keys and whatnot? 14:44 < krzie> oh btw i got a good UFC bet for you 14:44 < ecrist> to a degree, yes 14:44 < krzie> if you care 14:44 -!- reber [n=reber@78.251.130.106] has quit [Read error: 104 (Connection reset by peer)] 14:44 < ecrist> not a betting man 14:45 -!- A-KO [i=as@unaffiliated/a-ko] has quit [Read error: 104 (Connection reset by peer)] 14:45 -!- Intensity [i=[UJg+jfH@unaffiliated/intensity] has quit [Read error: 104 (Connection reset by peer)] 14:46 < krzie> brock lesnar is a big favorite for nov 21st fight 14:46 < krzie> but he is going to lose 14:46 < ecrist> Brock is from Minneapolis 14:46 < ecrist> he's a bit of a celeb up here. 14:46 < krzie> he was a golden gopher 14:46 < ecrist> yep 14:47 < krzie> dinkytown! 14:47 < ecrist> you been there? 14:47 < krzie> aye 14:47 < krzie> used to goto wrestling camp there 14:47 < ecrist> there is some A$$ there. 
14:48 < krzie> for sure, i was fucking softball camp girls 14:48 < krzie> the accent was kinda hot 14:48 < krzie> like bobbys world 14:48 < krzie> the mom 14:49 < ecrist> lol 14:50 < krzie> that camp was tough 14:50 < krzie> my buddy became an army ranger and told me that wrestling camp was = hard, except that we got food and sleep at wrestling camp 14:52 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:53 -!- reber [n=reber@78.251.130.106] has joined ##openvpn 15:03 -!- Intensity [i=[cbPeuAL@unaffiliated/intensity] has joined ##openvpn 15:13 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 15:27 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection] 15:27 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 15:35 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 15:39 < reiffert> anyone into netboot/netinstall OS X? 15:41 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 15:43 < |Mike|> years ago lol 16:00 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection] 16:07 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 16:08 -!- dougy[itouch] [n=dougyito@ool-45745ecf.dyn.optonline.net] has joined ##openvpn 16:10 < dougy[itouch]> Hello 16:10 < |Mike|> hello doug 16:10 < dougy[itouch]> Supp 16:12 < |Mike|> not much, chilltime :d 16:12 < dougy[itouch]> Im sitting in th doctors office 16:12 < dougy[itouch]> Just got flu shot 16:12 < |Mike|> you're 50+ ? 
16:12 < dougy[itouch]> Swine flu shot in oct 16:12 < krzie> lulz@flu shot 16:13 < dougy[itouch]> No 16:13 < dougy[itouch]> 16 16:13 < dougy[itouch]> krzie: My mom lol 16:13 < krzie> injecting yourself with the virus to not get the virus 16:13 < dougy[itouch]> I dont want it 16:13 < dougy[itouch]> Lol 16:13 < krzie> my mom would hafta fight me to get that done to me 16:13 < dougy[itouch]> I got the mist 16:13 < ecrist> I do not condone anti-bacterial world and * vaccines 16:13 < dougy[itouch]> Looool 16:13 < |Mike|> fuck that flue 16:13 < krzie> physically, not metaphoricaly 16:13 < |Mike|> it's just a bit worse than a normal flue 16:13 < dougy[itouch]> Lol 16:13 < krzie> mike, i know someone who died from it 16:14 < krzie> well, knew 16:14 < dougy[itouch]> krzie: Im a passive guy 16:14 < ecrist> there are a handful I agree with, but killing all the bugs makes the ones that survive that much worse 16:14 < dougy[itouch]> krzie: Lol 16:14 < |Mike|> young people, under 20 / 22 are affected worse (as i red) 16:14 < dougy[itouch]> Yupp 16:14 < dougy[itouch]> Ie me 16:14 < |Mike|> i'm like 50, wouldn't affect me :p 16:15 < krzie> really mike? 16:15 < krzie> i was guessing much younger 16:15 < |Mike|> no, i'm 24 :P 16:15 < krzie> haha ya more like that 16:15 < dougy[itouch]> Yeaaaa 16:15 < |Mike|> but i feel 50 atm lol 16:15 < dougy[itouch]> krzie: Im going to the caribbean in nov 16:16 < dougy[itouch]> Cruisin 16:16 < krzie> cool 16:16 < |Mike|> my fingers smell 16:16 < |Mike|> wtf. 16:16 < dougy[itouch]> woa 16:16 < dougy[itouch]> H 16:16 < |Mike|> pure tee ha cee 16:16 < dougy[itouch]> With a girl mike? 16:16 < |Mike|> THC != girl 16:16 < krzie> lol 16:16 < krzie> i hope it was a female mike! 16:17 < krzie> you growing males now? 
16:17 < |Mike|> it sure was :D 16:17 < |Mike|> i did visit my medical grow group after 3 weeks 16:18 < |Mike|> and they look really really nice and purple :-) 16:18 < dougy[itouch]> Win 16:18 < |Mike|> yeah 16:19 < |Mike|> i did scout their whole equipment for free from growshops (yes i'm dutch) 16:19 < |Mike|> <3 16:19 -!- c64zottel [n=hans@p5B17B024.dip0.t-ipconnect.de] has left ##openvpn [] 16:19 < dougy[itouch]> Wo0t 16:19 < krzie> with the accent to boot! 16:19 < dougy[itouch]> Lul 16:21 -!- dougy[itouch] [n=dougyito@ool-45745ecf.dyn.optonline.net] has quit ["Colloquy for iPhone - http://colloquy.mobi"] 16:23 < |Mike|> lol @dougy 16:23 < |Mike|> you know him krzie ? 16:23 < krzie> only from here 16:23 < |Mike|> mkay 16:47 -!- reber [n=reber@78.251.130.106] has quit [Remote closed the connection] 17:13 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 17:35 -!- TheS1 [n=theslayi@95-90-246-240-dynip.superkabel.de] has joined ##openvpn 17:37 < TheS1> hi, i want to install openvpn on my archlinux root server, it should only hold 10.0.0.0 Network Addresses - Internet Connection must still go over eth0 17:37 < TheS1> how do i set this up? 17:43 < Hypnoz> so you want openvpn to create the range of 10.0.0.0/24 17:43 < Hypnoz> and all vpn clients will be in that range 17:43 < Hypnoz> and the way you control where your internet connection goes out is to choose which interface has the default gateway 17:43 < |Mike|> !howto 17:43 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:46 < TheS1> no actually i want a range of 10.0.0.0/8 (later maybe subnets) 17:49 < Hypnoz> oh. 
you set that up in the server.conf file in /etc/openvpn/ 17:49 < Hypnoz> the options in there are very well documented 17:50 < Hypnoz> but you should end up with a line like "server 10.0.0.0 255.255.255.248" or something like that 17:51 < Hypnoz> assuming you wanted the first 8 ip's in that range 17:51 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"] 17:51 < Hypnoz> otherwise maybe like "server 10.0.0.150 255.255.255.0" for a block later in the ip range 17:51 < Hypnoz> err wrong SM 17:56 < |Mike|> SM ? 17:58 < Hypnoz> subnet mask 18:00 < Hypnoz> funny he wants a 10.0.0.0/8 for vpn, meaning he is reserving ip's for over 16 million vpn clients 18:00 < |Mike|> yep 18:00 < |Mike|> pretty insane 18:02 < Hypnoz> speaking of insane, I couldn't setup a route to the vpn subnet since we don't have a router, so i had to go to each server and manually add a static route to the vpn subnet 18:04 < |Mike|> static clients works great :P 18:05 < Hypnoz> static clients? 18:06 < |Mike|> static ip/routes to clients. 18:06 < Hypnoz> if you have hundreds of servers you have to put it on each one 18:08 < |Mike|> <3 puppet 18:08 < TheS1> well 10... net is private, why should there be a problem? 18:08 < TheS1> all go on after i had some sleep 18:08 < TheS1> so bye 18:08 < |Mike|> good night TheS1 18:09 -!- TheS1 [n=theslayi@95-90-246-240-dynip.superkabel.de] has left ##openvpn [] 18:11 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 18:35 -!- SJr [n=sjr@S01060008029e1eb2.vc.shawcable.net] has joined ##openvpn 18:37 -!- W0rmF00d [n=wormfood@59.40.10.95] has joined ##openvpn 18:54 -!- WormFood [n=wormfood@218.17.216.6] has quit [Read error: 110 (Connection timed out)] 19:22 -!- ^scott^ [n=scott@216.127.92.56] has joined ##openvpn 19:23 < ^scott^> Is it possible to use --iroute without x509 certs? 19:30 < |Mike|> no we don't SJr 19:30 < |Mike|> scott 19:31 < |Mike|> from irc-op... 
19:31 < |Mike|> you can use openvpn w/o encryption tho 19:41 -!- W0rmF00d is now known as WormFood 19:54 -!- crazed [n=cr4z3d@unaffiliated/cr4z3d] has left ##openvpn [] 19:57 < krzie> ^scott^: no, without using certs you are in ptp mode so iroute would be pointless 19:57 < krzie> which is obvious when you understand what iroute is and why it exists 19:57 < krzie> !iroute 19:57 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 19:58 < krzie> the problem iroute solves cant exist when ovpn is in server mode 20:01 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:19 < jreno_> How do you increase the speed openvpn reconnects? 20:19 < jreno_> it seems like when the VPN session dies the only way to reconnect it is to restart openvpn 20:20 < jreno_> it should re-start automatically how do i make that happen? 20:29 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 20:32 < SJr> I generally leave OpenVPN running on my laptop, which is great, because as soon as it can connect, it does connect and I'm online. 20:33 < SJr> However when I'm at home it gets effed up because I'm on the lan locally that I'm connecting to 20:33 < SJr> any ideas how to prevent it from connecting locally 20:42 < Bushmills> SJr: stop openvpn. You probably don't want to have it sit in memory when you don't want to connect anyway. 20:43 < SJr> nah I run KDE I'm use to things running that I don't need 20:43 < Bushmills> even if those things do things you want to prevent (i.e. connecting)? 20:44 < SJr> So the only way to get an automated process to do something I don't want based on some very easily defined conditions, is manual intervention? 
20:45 < rawDawg> write a script 20:47 < SJr> Hmmmmm so OpenVPN itself will not do this for me 20:47 < SJr> I'll need something else 20:47 < SJr> i.e. my interfaces script 20:50 < rawDawg> does any other vpn client do that? 20:50 < SJr> No not really, most connect really easily though 20:50 < SJr> this I have to run a console program fore 20:50 < SJr> and OpenVPN should be better than other VPN clients, because it's the standard for other VPN clients 20:51 < rawDawg> u on linux i take it? 20:51 < SJr> Yeah 20:53 < rawDawg> doesnt ovpn have a daemon? 20:54 < SJr> If it's a daemon then it will always connect and I need to stop that 20:55 < rawDawg> gotcha 20:57 < SJr> rawDawg what was your favorite scene in Minority Report? 21:01 < rawDawg> i havent seen that movie in a while 21:01 < rawDawg> i like the computers 21:03 < rawDawg> the interactive ui where the one dude is sliding parts in and draggin things around 21:05 < rawDawg> the flying cops were great too 21:06 < rawDawg> i might have to watch it again now 21:08 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 21:10 < rawDawg> dl it now :P 21:11 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:12 -!- master_of_master [i=master_o@p549D41ED.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:13 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 21:16 -!- master_of_master [i=master_o@p549D3E15.dip.t-dialin.net] has joined ##openvpn 21:29 -!- thedoc [n=zing@cataclysm.edgewire.sg] has joined ##openvpn 22:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 22:08 -!- WormFood [n=wormfood@59.40.10.95] has quit ["Leaving"] 22:39 -!- fen_ [n=fen@84.179.233.220.static.exetel.com.au] has quit [Read error: 110 (Connection timed out)] 22:42 -!- mischief [n=mischief@unaffiliated/mischief] has joined ##openvpn 22:42 < mischief> !howto 22:42 < vpnHelper> mischief: "howto" is OpenVPN comes with a great 
howto, PLEASE READ IT! http://openvpn.net/howto 22:49 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 22:50 -!- onats_ is now known as onats 22:50 < mischief> i'm trying to use OpenVPN under OpenBSD, but i get errors when the client is trying to set up route. http://openbsd.pastebin.ca/1569232 23:56 -!- onats_ [n=onats@unaffiliated/onats] has joined ##openvpn 23:59 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.] 23:59 -!- onats_ is now known as onats --- Day changed Thu Sep 17 2009 00:06 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 00:11 -!- mischievious [n=mischief@unaffiliated/mischief] has joined ##openvpn 00:14 -!- mischief [n=mischief@unaffiliated/mischief] has quit [Nick collision from services.] 00:14 -!- mischievious is now known as mischief 00:21 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"] 00:35 -!- bauruine_ [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 00:35 -!- bauruine_ [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Client Quit] 01:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:25 -!- newmember__ [n=chatzill@68.144.191.90] has joined ##openvpn 01:28 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Success] 02:14 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:48 -!- mischief [n=mischief@unaffiliated/mischief] has quit [Read error: 145 (Connection timed out)] 02:50 -!- newmember__ [n=chatzill@68.144.191.90] has quit [Client Quit] 02:53 -!- pez [i=pez@tfr.org] has joined ##openvpn 02:53 -!- pez is now known as Guest54697 02:53 -!- Guest54697 is now known as boomer 02:53 -!- mischief [n=mischief@unaffiliated/mischief] has joined ##openvpn 02:54 -!- boomer is now known as boomer1 02:54 -!- boomer1 [i=pez@tfr.org] has left ##openvpn [] 02:57 -!- pez1 [n=pez1@83.249.247.110] has joined ##openvpn 03:01 < mischief> anyone mind helping me with openvpn on OpenBSD as a client? 
i can't seem to get connectivity.. 03:06 < krzee> mischief, thats not a real question 03:06 < krzee> try mentioning your goal and what you are doing 03:07 < mischief> i'm trying to connect to a vpn, lol 03:07 < mischief> there are no errors in the openvpn log but i can't connect whereas a linux client can 03:07 < krzee> !logs 03:07 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 03:08 < mischief> i do not have access to the server log 03:09 < krzee> ill accept client, but may say its not enough info depending 03:09 < mischief> http://openbsd.pastebin.ca/1569409 is the log 03:10 < krzee> you're using 2.2.1.x for your vpn ips? 03:10 < krzee> is that your ip block? 03:11 < krzee> if not, you cant do that 03:11 * mischief shrugs 03:11 < krzee> thats not a reserved ip range 03:11 < krzee> !1984 03:11 < mischief> i did not set the VPN up 03:11 < vpnHelper> krzee: Error: "1984" is not a valid command. 
03:11 < krzee> !factoids search 19 03:11 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 03:11 < krzee> you must change it 03:11 < krzee> !configs 03:12 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:12 < mischief> it isn't my vpn, i keep trying to tell you that 03:12 -!- huf [i=huf@mu.parawag.net] has left ##openvpn ["bye all"] 03:12 < krzee> well, i cant help you then 03:12 < krzee> you have no error 03:12 < krzee> if it should work, its your firewall 03:13 < mischief> my firewall doesn't filter that interface 03:13 < krzee> welp, its not your vpn, only the person who runs it can help you 03:14 < krzee> and if they dont own that ip range they are doing it VERY wrong 03:15 < krzee> and since its reserved by iana (but not for lan use) i know they are in fact doing it very wrong 03:17 < mischief> lol 03:17 < mischief> like i said, don't point fingers at me 03:19 -!- TheS [n=theslayi@95-90-246-240-dynip.superkabel.de] has joined ##openvpn 03:21 < TheS> what should i use? tun or tap? - i want to set up a 10.0.0.0/8 Network via OpenVPN, all other IPs should go over the normal internet connection 03:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 03:32 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 03:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Connection reset by peer] 03:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 03:48 < dazo> !tuntap 03:48 < vpnHelper> dazo: Error: "tuntap" is not a valid command. 
03:48 < dazo> !tunortap 03:48 < vpnHelper> dazo: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 03:49 < dazo> TheS: ^^ 03:49 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 03:50 < gorkhaan> Hi! I'd like to ask if I am right: I read that a new OpenVPN version can run 2 servers on the same port, is it true? 03:50 < TheS> well thats the problem i don't know what it really means, I'm no network pro 03:50 < dazo> gorkhaan: nope 03:51 < gorkhaan> dazo, thanks. :) 03:51 < dazo> TheS: then you most probably will do fine with tun 03:51 < TheS> ok 03:51 < mischief> !wins 03:51 < vpnHelper> mischief: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 03:53 < dazo> gorkhaan: well, I must say, I don't know what's up in the next 2.2 version of OpenVPN - I've not found any OpenVPN roadmap ... so I could be wrong, but so far 2 servers on the same port sounds rather ambiguous 03:53 < dazo> that would be something like vhost support 03:54 < gorkhaan> dazo, thx, I'm trying to find it, maybe I got it wrong... 03:57 < gorkhaan> yeah my bad, never mind. :) 03:58 < gorkhaan> dazo, I'd like to do QoS, I'd like to prioritize ports, do traffic shaping. Any tips, infoz about it? :) 03:58 < dazo> gorkhaan: in Linux? ... then it's probably just to do normal qdisc stuff .... but I have no experience with it ;-) 03:59 < gorkhaan> yeah linux, okay thx! :) 03:59 < dazo> gorkhaan: in Linux it would be to configure traffic shaping on the tun/tap device, I'd say 04:06 < dazo> hmmmm .... 
http://www.reuters.com/article/pressRelease/idUS133605+08-Jun-2009+MW20090608 04:06 < vpnHelper> Title: OpenVPN's New Access Server Configuration Software Provides Businesses With Simple and Highly Secure VPN Connections | Reuters (at www.reuters.com) 04:06 < dazo> " OpenVPN's intuitive software-based platform makes it simple for an 04:06 < dazo> organization's employees, branch offices, suppliers, or even customers to 04:06 < dazo> gain simple, secure remote access to shared data, such as network file 04:06 < dazo> folders or client server applications. 04:06 < dazo> " 04:07 < dazo> I can agree with this .... but intuitive might be quite a bit exaggerating .... unless they mean intuitive for users who know openvpn and networking :-P 04:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)] 04:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:43 < rapha> bye all! 04:43 -!- rapha [i=rapha@unaffiliated/rapha] has left ##openvpn [] 05:01 -!- PyleS0S [n=PyleS0S@77.87.117.135] has joined ##openvpn 05:02 < PyleS0S> hello 05:04 < PyleS0S> am using openvpn server and see yellow screens 05:05 < PyleS0S> log: http://pastie.org/620100 05:05 < PyleS0S> what's wrong with it? 05:10 -!- per_ [n=per@90.184.202.237] has joined ##openvpn 05:11 < per_> using Ubuntu, when I run /etc/init.d/openvpn (re)start, one of my .conf-setups fail. Is it possible to get openvpn to tell me what the problem is? 
I can't seem to find any logs in /var/log that might help 05:15 -!- pez1 [n=pez1@83.249.247.110] has quit ["leaving"] 05:19 -!- PyleS0S [n=PyleS0S@77.87.117.135] has left ##openvpn [] 05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:26 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 05:27 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 05:30 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)] 06:01 -!- moldenau1r is now known as vindex 06:30 < hyper_ch> bauruine: online? 06:33 < ecrist> good morning 06:34 < bauruine> hyper_ch, yes 06:35 < bauruine> hyper_ch, thanks for the cryptsetup initramfs ssh script, works perfectly! 06:39 -!- per_ [n=per@90.184.202.237] has quit ["Leaving"] 06:41 -!- brizly1 [n=brizly_v@79.201.161.209] has joined ##openvpn 06:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:48 -!- hyper__ch [n=hyper@adsl-62-167-95-86.adslplus.ch] has joined ##openvpn 06:48 -!- hyper_ch [n=hyper@adsl-84-227-148-66.adslplus.ch] has quit [Nick collision from services.] 06:48 -!- hyper__ch is now known as hyper_ch 06:49 < ecrist> 99.9% uptime is 8 hours of downtime over the course of a year 06:51 < ecrist> 99.999% uptime is 5 minutes of downtime over the course of a year 06:51 < ecrist> google apps has an SLA of 99.9% 06:51 < ecrist> discuss. 
06:51 < ecrist> :D 06:56 -!- brizly [n=brizly_v@p4FC9A162.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 07:05 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 07:09 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection] 07:10 < ecrist> too funny 07:10 < ecrist> http://www.collegehumor.com/article:1791517 07:10 < vpnHelper> Title: "4 Awkward Moments in Facebook "Likes"" by Brian Murphy on CollegeHumor (at www.collegehumor.com) 07:25 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 07:42 < hyper_ch> bauruine: do you use grub? 07:43 < hyper_ch> bauruine: according to what howto did you set it up? was it that Heise/c't article? 08:00 -!- dazo [n=dazo@nat/redhat/x-tnnidwuygurdfzsz] has quit ["Leaving"] 08:03 -!- dazo [n=dazo@nat/redhat/x-nuexfbynhbstsirg] has joined ##openvpn 08:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:09 < Optic> mooo 08:10 < bauruine> hyper_ch, yes i am using grub i used http://www.howtoforge.com/unlock-a-luks-encrypted-root-partition-via-ssh-on-ubuntu 08:10 < vpnHelper> Title: HOWTO: Unlock A LUKS Encrypted Root Partition Via SSH On Ubuntu | HowtoForge - Linux Howtos and Tutorials (at www.howtoforge.com) 08:20 -!- RadarG [n=justin@210.124.129.119] has joined ##openvpn 08:21 -!- RadarG [n=justin@210.124.129.119] has quit [Remote closed the connection] 08:24 -!- RadarG [n=justin@210.124.129.119] has joined ##openvpn 08:40 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 08:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:51 -!- RadarG [n=justin@210.124.129.119] has quit [Read error: 110 (Connection timed out)] 08:54 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 09:36 < hyper_ch> bauruine: ok, that one :) 09:37 -!- dazo is now known as dazo|afk 09:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 09:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has 
joined ##openvpn 09:41 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn 09:44 -!- Intensity [i=[cbPeuAL@unaffiliated/intensity] has quit [Remote closed the connection] 09:45 -!- TheS [n=theslayi@95-90-246-240-dynip.superkabel.de] has quit ["Leaving."] 09:48 -!- frewsxcv [n=farwell@pcp037592pcs.hollister.reshall.calpoly.edu] has left ##openvpn ["Leaving"] 09:53 -!- Intensity [i=[tK2jh6l@unaffiliated/intensity] has joined ##openvpn 10:00 -!- Peste_Bubonica [n=eduardo@189.63.246.108] has joined ##openvpn 10:00 < Peste_Bubonica> Hi all... 10:00 < ecrist> hello 10:01 < Peste_Bubonica> can i make a multipoint vpn with openvpn? for now, I always used openvpn to connect two sites... but I'm at a company with 22 sites to be connected... has someone already done something like that? 10:01 < Peste_Bubonica> ecrist, :) 10:01 < Peste_Bubonica> like a dmvpn... 10:02 < ecrist> yes, you would have one site be the server, and the other sites would connect in from there. 10:02 < Peste_Bubonica> ecrist, understood.. 10:02 < ecrist> you could have a multi-spoke setup, but the routing for that gets more advanced. 10:02 < Peste_Bubonica> ecrist, but. all traffic will be passed from the server too? 10:02 < ecrist> yes 10:03 < ecrist> OpenVPN does not do P2P in the typical sense 10:03 < Peste_Bubonica> ecrist, I cant establish a direct connection on the sites? 10:03 < Peste_Bubonica> understood.. 10:03 < Peste_Bubonica> in this case I will get a massive data transmission on the server... :( 10:04 < Peste_Bubonica> ecrist, there's nothing like dmvpn? 10:14 < ecrist> don't know what dmvpn is 10:14 < ecrist> so, do multiple connections and direct-connect the sites that talk most to each other. 10:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success] 10:22 < Peste_Bubonica> yes... by doing this, I don't have heavy bandwidth traffic on the server side... 
10:23 < Peste_Bubonica> but I have no experience with this thing :) 10:23 < ecrist> no time like the present to get some experience 10:29 < Peste_Bubonica> ecrist, but... many thanks for your attention... 10:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 10:46 < ecrist> simply posting a link to something relevant on my site within a highly moderated comment on slashdot has gotten me 1000 unique hits today to the given page 10:48 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:54 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 10:54 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 10:55 -!- SJr [n=sjr@S01060008029e1eb2.vc.shawcable.net] has quit [Read error: 113 (No route to host)] 10:59 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 10:59 -!- c64zottel [n=hans@p5B17AF5F.dip0.t-ipconnect.de] has joined ##openvpn 11:01 -!- dazo|afk is now known as dazo 11:01 -!- dazo [n=dazo@nat/redhat/x-nuexfbynhbstsirg] has quit [Remote closed the connection] 11:02 -!- dazo [n=ndazo@nat/redhat/x-hiwtqectolpccyuj] has joined ##openvpn 11:02 -!- dazo is now known as Guest47554 11:04 -!- Guest47554 is now known as dazo 11:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:39 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 11:44 -!- wnl [n=wnl@adsl-232-65-36.asm.bellsouth.net] has joined ##openvpn 11:45 < wnl> may i ask a question that blatantly displays my ignorance? 11:46 < rawDawg> ask any question you like 11:47 < wnl> i have created a CA, a server cert, and two client certs. looking over my openvpn config for the server i cant see anywhere where i specify what client certs are allowed to connect. is any sort of check done on the client certs or are all valid certs allowed to connect? 11:47 < wnl> i cant find the answer in the docs. forgive me if im blind. 
:) 11:47 < |Mike|> !tls-auth 11:47 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 11:48 < wnl> so in order to restrict the clients that connect i must use tls-auth. 11:48 < |Mike|> no, tls-auth is a must in general, otherwise someone could MITM you 11:48 < |Mike|> !secure 11:48 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 11:49 < |Mike|> and you can not connect without a client certificate in general. 11:50 < wnl> a client certificate signed by the same CA? or any valid client certificate? 11:50 < |Mike|> the 1st, doh :) 11:51 < wnl> thats what i wasn't sure of. thanks. 11:52 < cpm> you fool! 11:52 < wnl> cpm: :-P 11:52 * cpm bows to wnl 11:52 < wnl> cpm: you didnt know the answer either....so there! 11:53 < cpm> yeah, it's another case of 'if you can't describe it, then you don't know it' and at one time I could, for I answered these questions for myself, but can no longer, so I can't claim any knowledge. 11:53 < cpm> key management is sooo much fun. 11:54 < Optic> mooo 11:54 < cpm> bwaaak! 
12:12 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 12:20 -!- wnl_ [n=wnl@adsl-176-62-190.asm.bellsouth.net] has joined ##openvpn 12:36 -!- wnl [n=wnl@adsl-232-65-36.asm.bellsouth.net] has quit [Read error: 110 (Connection timed out)] 12:39 -!- wnl_ is now known as wnl 12:54 < Hypnoz> !route 12:54 < vpnHelper> Hypnoz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:56 < Hypnoz> if my work asked me to setup openvpn-server in linux on a public facing computer, should I download 2.0.9 or 2.1_rc19 12:57 < Hypnoz> they are both listed as the newest release on the openvpn download page 13:03 -!- c64zottel [n=hans@p5B17AF5F.dip0.t-ipconnect.de] has quit ["Leaving."] 13:20 < |Mike|> Hypnoz: what kind of clients are hanging behind it? 13:20 < |Mike|> win or *nix ? 13:20 < Hypnoz> all kinds of clients will connect with different client apps 13:21 < Hypnoz> I setup openvpn already in another site, but they were using ubuntu 8.04 so I just apt-get install openvpn 13:21 < Hypnoz> this system is running 7.10 13:21 < Hypnoz> which isn't supported for apt-get installs 13:23 < |Mike|> i would go for rc19 then 14:02 -!- SJr [n=sjr@128.189.90.240] has joined ##openvpn 14:07 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 14:22 < ecrist> you are the ones who are the ball lickers! 
14:31 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Remote closed the connection] 14:33 -!- Gumbler is now known as Xenu 14:35 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 14:46 -!- Xenu is now known as Gumbler 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:21 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 15:23 < ivenkys> gents - i have openvpn setup to go through UDP, its a routed setup but for some reason it has started getting really slow - i don't know where to start looking ? any pointers gents 15:26 < ivenkys> and in case it matters , it is really unusable when i have IRC running on the VPN server 15:36 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has joined ##openvpn 15:39 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has joined ##openvpn 15:42 < rorre> nuhiNlow: i only have 20 minutes until work ends. I may not have enough time to troubleshoot. 15:43 < nuhiNlow> well tell me what broke 15:43 < nuhiNlow> error messages? 15:43 < rorre> i replaced the server configuration file with the one from the howto, and can no longer connect. 15:44 < rorre> i reverted back to the first config and now i have the error "Options error: Unrecognized option or missing parameter(s) in PUSH-OPTIONS]:3: topology (2.0.9) again 15:45 < rorre> I still don't know why it thinks the dhcp server/gateway are 10.33.0.5 and I can no longer ssh my server on 10.33.0.1 15:47 < nuhiNlow> push "dhcp-option DNS 192.168.1.1" 15:47 < nuhiNlow> add that to original config 15:47 < nuhiNlow> and what does your push default gateway line look like? 15:47 < zerko> hey guys, would it be possible to setup a vpn to my house 15:47 < zerko> so all my protocols are proxied? 15:48 < nuhiNlow> dont worry about those ip addresses you just mentioned 15:48 < nuhiNlow> zerko, i did 15:48 < nuhiNlow> and that's what rorre is doing 15:48 < zerko> nuhiNlow how long did it take you? 
15:48 < nuhiNlow> couple of hours 15:48 < zerko> do you need a server on both ends/ 15:48 < nuhiNlow> gentoo server 15:48 < nuhiNlow> no 15:48 < zerko> both ends* 15:48 < nuhiNlow> could be a laptop remote 15:48 < zerko> what do you have to do on the client? 15:48 < rorre> are you talking about this line nuhiNlow? 15:49 < zerko> or your home? 15:49 < rorre> push "redirect-gateway def1" 15:49 < nuhiNlow> yes 15:51 < rorre> what exactly is this 'def1' is that defined somewhere or is it a openvpn default? 15:51 < zerko> anyone here need a dedicated server in dallas, texas/ 15:52 < nuhiNlow> i'm in Abilene 15:52 < nuhiNlow> how much? 15:52 < nuhiNlow> i think it's default 15:52 < nuhiNlow> maybe take that out 15:52 < nuhiNlow> i'm not sure anymore. 0.o 15:52 < nuhiNlow> seems it was working before 15:53 < rorre> nuhiNlow: it isn't causing any errors having it uncommented. 15:53 < zerko> nuhiNlow, Private message? 15:53 < nuhiNlow> yes 15:53 < zerko> check your pm 15:53 < rorre> nuhiNlow: something else is causing the issue i think, well at least that error when connecting 15:55 < nuhiNlow> so you get that error regardless of def1? 15:55 < rorre> nuhiNlow: yeah 15:55 -!- dazo is now known as dazo|afk 15:56 < rorre> nuhiNlow: but, I have to leave work now, so. If you're around tomorrow I'll keep working on it, otherwise thanks for your help so far. I'll catch you later. 15:56 -!- rorre is now known as rorre|afk 15:57 < nuhiNlow> ok 16:10 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 110 (Connection timed out)] 16:23 -!- kurgon [i=jhope@c-68-62-2-82.hsd1.mi.comcast.net] has joined ##openvpn 16:24 < kurgon> Anyone here really well versed in running Openvpn on a linux server and connecting to it from Win32 ONLY on specific host:ip addresses, instead of all of your traffic going to the VPN.. 
I'm a COMPLETE linux noob without a doubt and would very much appreciate anyone helping me :) 16:28 -!- Peste_Bubonica [n=eduardo@189.63.246.108] has quit ["Leaving"] 16:28 -!- jeiworth [n=jeiworth@189.177.252.69] has joined ##openvpn 16:30 < kurgon> !iporder 16:30 < vpnHelper> kurgon: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 16:30 < kurgon> !forum 16:30 < vpnHelper> kurgon: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 16:47 -!- roshenia_ [n=roshenia@gw.pbh.by] has quit [Read error: 104 (Connection reset by peer)] 16:49 < nuhiNlow> kurgon, you just need to comment the route push default gateway 16:49 < nuhiNlow> take that out and you won't route through the vpn 16:51 < kurgon> how do i route just specific hostname:ip traffic through it? 16:52 < nuhiNlow> push route add 16:52 < nuhiNlow> and edit your windows hosts file 16:52 < nuhiNlow> for name resolution 16:53 < nuhiNlow> you're wanting to route only traffic to say machine22 via the vpn? 16:53 < nuhiNlow> if i understand you 16:54 < kurgon> say i'm on my win32 machine... 16:54 < kurgon> openvpn running on linux server.. 16:54 < kurgon> i am connected to the vpn via the openvpn win32 gui.. 16:54 < nuhiNlow> right 16:54 < kurgon> i want to be able to connect to www.hostname.com:8080 through the vpn 16:54 < kurgon> but nothing lese 16:55 < kurgon> else* 16:55 < kurgon> only specific hostnames and ports 16:55 < nuhiNlow> then you DO NOT push default gateway 16:55 < nuhiNlow> comment that line out on the server config file 16:55 < kurgon> ok.. 16:55 < kurgon> then how do i route the specific traffic? 
16:55 < nuhiNlow> you do something like described here 16:55 < nuhiNlow> http://pastebin.ca/1570165 16:55 < kurgon> k.. reading 16:55 < nuhiNlow> as long as win32 knows the ip of machine22, 16:56 < kurgon> where would i make sure that it knows the ip:port? 16:56 < nuhiNlow> ;push "route 218.123.45.0 255.255.255.0" 16:56 < nuhiNlow> that tells it to route 218.x.x.x via the linux server vpn 16:56 < nuhiNlow> but ports? 16:56 < nuhiNlow> that is iptables territory 16:56 < nuhiNlow> you're jumping OSI layers 16:56 < nuhiNlow> or something 16:56 < nuhiNlow> openvpn routes IP 16:57 < nuhiNlow> so you can route all traffic to a certain IP via the vpn 16:57 < nuhiNlow> maybe you could narrow it to a specific port via iptables 16:57 < nuhiNlow> not sure on that part 16:57 < nuhiNlow> you understand? 16:57 < kurgon> no.. :( 16:57 < nuhiNlow> where did i lose you? 16:57 < kurgon> you mentioned windows host file.. but then nothing about it again.. 16:57 < nuhiNlow> what exactly are you doing? 16:57 < nuhiNlow> give me the real world scenario 16:59 < kurgon> ok.. 16:59 < kurgon> say i'm trying to connect to.. 16:59 < kurgon> ftp.nuhiNlow.com:9121 16:59 < kurgon> i want everything to be normal, on my home pc (win32) 16:59 < nuhiNlow> except for that ftp 16:59 < kurgon> except for when i try to connect to ftp.nuhiNlow.com:9121, i want it to go through the vpn to the server 16:59 < nuhiNlow> i gotcha 16:59 < kurgon> server = linux debian 5.0 16:59 < nuhiNlow> why worry about ports? 17:00 < nuhiNlow> your server will choose a random NAT port to connect from 17:00 < kurgon> well i dont need to as long as its specific to hosts 17:00 < nuhiNlow> right 17:00 < nuhiNlow> but ftp.....:21 17:00 < kurgon> not if you change the port # 17:00 < kurgon> .. 17:00 < nuhiNlow> port 22,80,8080 just to that ftp host 17:00 < nuhiNlow> will route over vpn 17:00 < nuhiNlow> is that a problem? 
17:00 < nuhiNlow> your google, yahoo whatever 17:00 < nuhiNlow> will route over the lan on win32 17:00 < kurgon> yeah, i dont want my 'everyday' traffic to route to the vpn.. 17:01 < nuhiNlow> email, aim, etc 17:01 < nuhiNlow> right 17:01 < nuhiNlow> what i told you will do that 17:01 < kurgon> i only want specific hostnames to route through the vpn 17:01 < kurgon> ok 17:01 < nuhiNlow> so take out route push "default gateway........... 17:01 < kurgon> right.. 17:01 < nuhiNlow> find the ip of ftp.whatever 17:01 < kurgon> k... 17:02 < nuhiNlow> and push "route ipofftpserver.x.x.x 255.255.255.255" 17:02 < nuhiNlow> then restart openvpn and reconnect 17:02 < kurgon> hmm.. ok 17:02 < kurgon> do i have to do anything with iptables?? 17:02 < nuhiNlow> if you want to name it bob 17:02 < kurgon> i dont even use iptables on this machine.. its brand new 17:02 < kurgon> so nothing is setup 17:03 < nuhiNlow> well i use mine as a router 17:03 < nuhiNlow> and i had to add some iptables rules 17:03 < nuhiNlow> if you're not using, i'd say try it as is first 17:03 < nuhiNlow> i'm thinking you don't have to mess with iptables in your case 17:03 < kurgon> ok 17:03 < kurgon> sweet thanks for the info 17:03 < nuhiNlow> sure np 17:03 < nuhiNlow> HTH 17:03 < kurgon> ill try this when my son goes to bed 17:03 < kurgon> and i can focus on it ;) 17:03 < nuhiNlow> k 17:03 < nuhiNlow> i'll be around 17:03 < nuhiNlow> my fiancee isn't home yet 17:03 < kurgon> ok awesome 17:14 -!- kurgon [i=jhope@c-68-62-2-82.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 17:17 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)] 17:21 -!- SJr [n=sjr@128.189.90.240] has quit [Read error: 110 (Connection timed out)] 17:35 < |Mike|> supppppppppp 17:51 -!- SJr [n=sjr@128.189.90.240] has joined ##openvpn 18:19 -!- jeiworth [n=jeiworth@189.177.252.69] has quit [Read error: 110 (Connection timed out)] 18:51 -!- SJr 
[n=sjr@128.189.90.240] has quit [Read error: 110 (Connection timed out)] 19:12 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 19:16 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 19:35 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 19:42 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 20:19 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:20 -!- thedoc is now known as theDoc 21:12 -!- master_of_master [i=master_o@p549D3E15.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- master_of_master [i=master_o@p549D77EC.dip.t-dialin.net] has joined ##openvpn 21:21 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 21:53 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 22:01 -!- exks [n=ecks@d24-150-143-227.home.cgocable.net] has left ##openvpn [] 22:09 < ecrist> shhhh 22:19 -!- ico2_ [n=ico2@rps945.ovh.net] has joined ##openvpn 22:20 < ico2_> hi, when using openvpn over udp, after i change my default route to go through openvpn, it stops working 22:20 < ico2_> (os=linux) 22:21 < ecrist> how are you setting the default route? 22:21 < ico2_> route del default 22:21 < ico2_> route add default gw 192.168.9.5 22:21 < ecrist> that won't work 22:21 < ecrist> as you've seen 22:21 < ico2_> i added a static route for the openvpn server 22:21 < ecrist> add the following to your server config 22:21 < ico2_> it worked when i used tcp 22:21 < ico2_> ecrist, ok 22:22 < ecrist> push "redirect-gateway def1" 22:22 < ecrist> your problems will be solved. 
22:22 < ecrist> send beer ATTN: ecrist 22:22 < ico2_> lol 22:22 < ico2_> thanks ecrist, i'll try it out 22:23 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 22:24 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn 22:26 < ecrist> you must have gotten it working 22:26 < ecrist> two different ISPs 22:26 < ecrist> blueyonder.co.uk and ovh.net 22:26 -!- ico2_ [n=ico2@rps945.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 22:29 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Remote closed the connection] 22:29 -!- ico2_ [n=ico2@rps945.ovh.net] has joined ##openvpn 22:29 < ico2_> hm, dunno what happened there 22:29 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn 22:29 < ico2_> but anyway, seems to be working, thanks 22:29 < ico2_> new problem though 22:29 -!- thedoc_ is now known as theDoc 22:30 < theDoc> I so fucking hate it when people don't use search domains for vpn. 22:30 < theDoc> >:( 22:30 < ico2_> i'm behind a router here which is doing masquerading, every so often the server gives me this error: Fri Sep 18 05:24:54 2009 core2/77.98.154.19:7045 MULTI: bad source address from client [192.168.1.5], packet dropped 22:34 -!- ico2_ [n=ico2@rps945.ovh.net] has quit ["Smoke me a kipper, i'll be back for breakfast"] 22:35 -!- ico2_ [n=ico2@rps945.ovh.net] has joined ##openvpn 22:42 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit [Read error: 110 (Connection timed out)] 22:49 -!- rorre|afk [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)] 22:56 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:31 -!- ico2__ [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn 23:32 -!- LMJ [n=serwou@82.236.42.164] has joined ##openvpn 23:32 < LMJ> !howto 23:32 < vpnHelper> LMJ: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 23:33 -!- ico2_ [n=ico2@rps945.ovh.net] has quit [Read error: 110 (Connection timed out)] --- Day changed Fri Sep 18 2009 00:04 -!- ico2__ [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit [Read error: 110 (Connection timed out)] 00:46 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 01:07 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 01:30 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has joined ##openvpn 01:30 < thirdwheel> !/30 01:30 < vpnHelper> thirdwheel: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 01:31 < thirdwheel> !topology 01:31 < vpnHelper> thirdwheel: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
01:34 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has left ##openvpn ["Leaving"] 01:47 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has joined ##openvpn 01:50 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has left ##openvpn ["Leaving"] 02:10 -!- |ns|nR8 [n=doof@124.179.99.226] has joined ##openvpn 02:14 -!- bauruine [n=bauruine@101-76.105-92.cust.bluewin.ch] has joined ##openvpn 02:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:12 -!- dazo|afk is now known as dazo 03:12 -!- dazo [n=ndazo@nat/redhat/x-hiwtqectolpccyuj] has quit [Remote closed the connection] 03:12 -!- dazo_ [n=dazo@62.40.79.66] has joined ##openvpn 03:13 -!- dazo [n=nndazo@nat/redhat/x-gcdcvkgmkwjzbboi] has joined ##openvpn 03:13 -!- dazo_ [n=dazo@62.40.79.66] has quit [Client Quit] 03:13 -!- dazo is now known as Guest16488 03:13 -!- Guest16488 [n=nndazo@nat/redhat/x-gcdcvkgmkwjzbboi] has quit [Remote closed the connection] 03:14 -!- dazo|afk [n=nnndazo@nat/redhat/x-vxsiyqdvaqwxasqd] has joined ##openvpn 03:14 -!- dazo|afk is now known as dazo 03:16 -!- dazo [n=nnndazo@nat/redhat/x-vxsiyqdvaqwxasqd] has quit [Client Quit] 03:16 -!- dazo [n=nnnndazo@nat/redhat/x-wawilvombjojzgmk] has joined ##openvpn 03:17 -!- dazo [n=nnnndazo@nat/redhat/x-wawilvombjojzgmk] has quit [Client Quit] 03:17 -!- dazo [n=dazo@nat/redhat/x-xmatgggulspxulew] has joined ##openvpn 03:21 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has quit ["leaving"] 03:29 -!- |ns|nR8 [n=doof@124.179.99.226] has quit [Read error: 104 (Connection reset by peer)] 03:45 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 03:45 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 03:51 -!- |ns|nR8 [n=doof@CPE-139-168-52-8.vic.bigpond.net.au] has joined ##openvpn 04:07 -!- |ns|nR8 [n=doof@CPE-139-168-52-8.vic.bigpond.net.au] has left ##openvpn ["Leaving"] 
04:37 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)] 04:49 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:11 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 05:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 06:19 -!- c64zottel [n=hans@p5B17AE71.dip0.t-ipconnect.de] has joined ##openvpn 06:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)] 06:41 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn 06:42 -!- brizly [n=brizly_v@p4FC9A4C7.dip0.t-ipconnect.de] has joined ##openvpn 06:44 < ecrist> good morning 06:48 -!- brizly1 [n=brizly_v@79.201.161.209] has quit [Read error: 145 (Connection timed out)] 06:54 < nuhiNlow> hello 07:02 -!- manometer [n=manomete@76.73.16.26] has joined ##openvpn 07:05 -!- c64zottel [n=hans@p5B17AE71.dip0.t-ipconnect.de] has quit ["Leaving."] 07:12 < manometer> hello 07:12 < manometer> hi 07:13 < manometer> how can i store my pw in the config? 07:14 < ecrist> !man 07:14 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 07:26 -!- fdas [n=fdas@77.92.94.119] has joined ##openvpn 07:27 < fdas> i am getting terrible speed with openvpn 2.1rc19 on my linux box. with openvpn my download speed is about 1mbps however if I connect using pptp i get about 7mbps. any ideas what could be wrong? 07:27 < fdas> i tried setting mtu but didn't help 07:28 < LMJ> fdas : i'm a n00b but did you activate compression? 07:28 < fdas> yes compression is active 07:28 < LMJ> did you try without ? 07:29 < fdas> no i didn't let me try it now thanks LMJ 07:29 < LMJ> maybe a lead 07:32 < fdas> will the compression be disabled if I comment out the line comp-lzo? 
07:32 < LMJ> I guess so 07:33 < LMJ> once the VPN is up, my client got the ip 172.16.0.6 and my server got the ip 172.16.0.1 (tun mode) to the server eth1. This eth0 has the IP 192.168.0.254 and is the default gw of my network 192.168. I would like to set it also default gw for my VPN client and redirect all Web traffic to the VPN. I put "push "redirect-gateway def1"", it adds a default gw but that's not enough to redirect all traffic through the VPN, could anyone help me out with route syntax? 07:38 < ecrist> LMJ: you need to setup NAT on the VPN so traffic can flow out your gateway on the other end. 07:39 < ecrist> as it is, all other traffic should be getting routed through the VPN, but odds are, the remote network doesn't know how to handle it. 07:39 < LMJ> ecrist : should be done, my gateway shares internet on the network 192.168/24, I should have fixed for 172.16* 07:40 < ecrist> so what's the problem? 07:41 < LMJ> doing a traceroute from the client, looks good now, it crosses 172.16.0.1 then my ISP gateway 07:41 < ecrist> ok 07:42 < LMJ> but via HTTP, i wonder if the client uses the Wifi or redirects the flow to the VPN 07:43 -!- manometer [n=manomete@76.73.16.26] has quit ["CGI:IRC"] 07:44 < ecrist> if you traceroute the IP of the webserver, why do you think the route would change for port 80? 07:44 < fdas> disabling compression didn't help my issue 07:44 < ecrist> fdas: udp or tcp? 07:44 < fdas> i got the same issue with both udp and tcp 07:44 < fdas> i just disabled it on the tcp version 07:44 < ecrist> !tcp 07:45 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:45 < LMJ> ecrist : because I don't see logs inside my squid proxy 07:45 < ecrist> stop using TCP unless UDP absolutely won't work for starters 07:45 < ecrist> you're running a squid proxy on the VPN server LAN? 
07:45 < ecrist> how are you enforcing its use?
07:46 < LMJ> i'm using tcp here because i'm forced to use 80/tcp or 443/tcp
07:46 < LMJ> everything who want to go out in direction of port 80, i redirected to flow to 3128
07:46 < ecrist> LMJ: I was talking to fdas, not you. however, if tcp is all you can use, use it. but read the link above as to why it's a bad idea.
07:47 < LMJ> ecrist : I knew you were speaking to fdas, my example was a case i have to use tcp :-/
07:47 < fdas> ecrist: I have speed issue even on udp. tcp is my secondary option. sometimes i need to connect to the vpn from networks where everything is blocked except port 80 & 443
07:48 < ecrist> fdas:
07:48 < ecrist> !configs
07:48 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
07:48 < ecrist> keep in mind, you WILL NOT get full performance via TCP
07:54 * cpm thinks if using a network where everything aside from 80 and 443 is blocked, is to not use that network. Life is short, work is a waste of it for the most part, folks put that much effort into keeping you from doing it, well, good for them. To hell with it.
07:54 < ecrist> I would agree, cpm
07:59 < fdas> ecrist: http://pastebin.com/m76662f25 - this is the udp config i am using
07:59 < fdas> cpm: agreed however i am stuck :(
08:01 < fdas> ecrist: i am using 2.1rcp19 and debian 5
08:01 < fdas> 2.1rc19 there is no p :)
08:02 < ecrist> fdas: you sure you have the correct mssfix assigned?
08:03 < fdas> ecrist: i tried removing it but didn't make any change. I found that value on google
08:03 < ecrist> !mtu
08:03 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:10 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:19 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
08:25 < LMJ> i generated users vpn key, how can i restrict access to friend01 but not to friend02 ?
08:26 < ecrist> what do you mean by 'restrict access'?
08:27 < fdas> ecrist: I made the change to config and restart openvpn. where I do see the result?
08:28 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
08:28 < krzee> http://www.amazon.com/gp/product/0446549193?ie=UTF8&tag=bullnotbull-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=0446549193
08:28 < ecrist> fdas: in your logs
08:28 < ecrist> morning, krzee
08:28 < krzee> g'mornin
08:29 < LMJ> sorry, allow friend01 to connect to my network today and not friend02
08:29 < krzee> LMJ,
08:29 < krzee> !policy
08:29 < vpnHelper> krzee: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
08:29 < LMJ> thanks
08:29 < krzee> basically, firewall
08:30 < LMJ> no krzee, I would like something like "if the key REZ5R4354 comes, allow it"
08:30 < LMJ> maybe pam
08:30 < krzee> (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies
08:30 < ecrist> krzee: re your link above, don't sweat it, it will all work itself out after the end of days. You're welcome to join my survival community, but you need to bring some of your wenches. ;)
08:31 < krzee> maybe i dont understand the goal
08:31 < krzee> ecrist, hehehe
08:31 < krzee> ecrist, cant get them visas to enter the usa ;]
08:31 < ecrist> visas won't matter at that point.
08:31 < krzee> hell at that point the usa is last place i wanna head to
08:31 < ecrist> border guards will be too worried about their own loved ones.
08:32 < krzee> you guys will be too big of targets
08:32 < krzee> im in a country that the world forgot exists, and really doesnt care about
08:32 < ecrist> if I didn't link it to you before: http://secure-computing.net/files/lightsout.pdf
08:32 < krzee> only worries here is fallout from you guys getting blown over
08:34 < Optic> moo
08:35 < fdas> ecrist: I got Empirical MTU test local->remote = [1573,1517] remote->local=[1541,1541]. Note: This connect is unable to accomodate a UDP packet size of 1573 consider using --fragment or mssfix options as workaround
08:36 < ecrist> ok, so I'd probably do what it suggests.
08:36 < LMJ> I want to say : I generated key for friend01 and friend02, they both can connect when they want to my network via VPN. Now, I would like to disallow friend01 access for a while, is there a way ?
08:37 < krzee> ohhh
08:37 < krzee> sure
08:37 < krzee> --disable in a ccd entry
08:37 < krzee> somethin like that, check the !man to be sure
08:37 < krzee> !man
08:37 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:38 < fdas> ecrist: should i say mssfix 1573? what about other users who connect to this server? will their speed get affected due to this?
08:38 < krzee> remote -> local is fine, dont adjust server
08:38 < krzee> only adjust that client
08:39 < LMJ> k thanks
08:40 < fdas> krzee: how do you say remote->local is fine is it because both numbers are same?
08:41 < ecrist> yes
08:41 < ecrist> the second number is the MTU that worked
08:41 < krzee> aye
08:41 < fdas> ecrist: should i have to set mssfix 1573 or 1517 on the client?
08:42 < ecrist> 1517
08:42 < fdas> thanks so much for all your help. will try it and let you know
08:46 < fdas> ecrist, krzee, lmj: I am getting about 7mbps download with this change. thanks so much for all your help. learnt something new too.
08:46 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
08:46 < Sp4rKy> Hi
08:46 < Sp4rKy> is there any include directive for ccd files ?
08:46 < ecrist> what do you mean?
08:46 < Sp4rKy> I want to share the "push " config between many clients
08:46 -!- jeiworth [n=jeiworth@189.177.252.69] has joined ##openvpn
08:47 < Sp4rKy> so atm, I have to manually keep the push commands synchronized on all client files I want
08:47 < fdas> i have 1 more Q. If I have multiple servers each having different mtu how would it work? so is the mtu number same for the pc
08:47 < Sp4rKy> I would something to put on the ccd client files, like "include commonrules.cfg"
08:50 < krzee> fdas, see blocks in the manual
08:51 < krzee> Sp4rKy, see --client-connect scripts
08:51 < Sp4rKy> hmm
08:51 < LMJ> arg, trying SIP over VPN/tcp over Wifi, it hangs :-/
08:51 < krzee> !tcp
08:51 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:51 < LMJ> network tweaks could improve this?
08:52 < LMJ> krzee : can use only tcp...
08:52 < krzee> sure, if you MUST use tcp, you wanna increase the tcp buffer
08:52 < LMJ> I can user*
08:52 < krzee> should be info in maillist archives on this
08:52 < LMJ> I can use*
08:52 < LMJ> ok
08:55 < krzee> also see tcp-nodelay
08:55 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has left ##openvpn []
08:58 < krzee> It's understandable by using TCP. Don't try use TCP in TCP, that's the basic
08:58 < krzee> things we need to avoid. But right now, as you have UDP problem. You need to
08:58 < krzee> encapsulate the TCP in TCP. The size of the header is much bigger than the
08:58 < krzee> system can handle, performance should be going down.
08:58 < krzee> Now, you need to rise up the size of the queue for incoming and outgoing on
08:58 < krzee> the system, to cache much more data before transmitting.
08:58 < krzee> This should give you a break then.
08:58 < krzee> Regards,
08:58 < krzee> --
08:58 < krzee> Banyan He
09:00 < LMJ> this is a message mailing list ?
09:00 < krzee> !mail
09:00 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
09:01 < krzee> (#2)
09:04 < LMJ> ok
09:10 < LMJ> krzee, so I have to add in the conf server/client : socket-flags TCP_NODELAY ?
09:11 < krzee> --tcp-nodelay
09:11 < krzee> The macro expands as follows:
09:11 < krzee> if mode server:
09:11 < krzee> socket-flags TCP_NODELAY
09:11 < krzee> push "socket-flags TCP_NODELAY"
09:12 < krzee> This macro sets the TCP_NODELAY socket flag on the server as well as pushes it to connecting clients. The TCP_NODELAY flag disables the Nagle algorithm on TCP sockets causing packets to be transmitted immediately with low latency, rather than waiting a short period of time in order to aggregate several packets into a larger containing packet. In VPN applications over TCP, TCP_NODELAY is generally a good latency optimization.
09:12 < krzee> for voip over vpn where tcp is mandatory, that sounds like what you want
09:13 < LMJ> no need to add "socket-flags TCP_NODELAY" on the client ?
09:13 < LMJ> should I play with fragment/mssfix ?
09:13 < krzee> correct, thats explained by:
09:13 < krzee> [10:11] The macro expands as follows:
09:13 < krzee> [10:11] if mode server:
09:13 < krzee> [10:11] socket-flags TCP_NODELAY
09:13 < krzee> [10:11] push "socket-flags TCP_NODELAY"
09:13 < krzee> it pushes to the client
09:13 < krzee> you can play with it, sure
09:14 < krzee> do whatev makes you happy
09:14 < krzee> testing stuff wont hurt you...
09:14 < krzee> !mtu
09:14 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
09:14 < LMJ> I guess reduce MTU size should be better
09:14 < krzee> you DO want tcp-nodelay tho
09:15 < LMJ> indeed
09:17 < LMJ> arg, mtu-test works only on udp :-/
09:18 < krzee> o
09:18 < krzee> ive never used a tcp vpn
09:18 < krzee> never been forced to, never will do it unless i have no choice
09:18 < LMJ> I wish I haven't had to do
09:18 < LMJ> how you could do if the only way to go out it 80/tcp and 443/tcp
09:19 < LMJ> 53/udp is even blocked
09:24 < krzee> exactly as you're doing
09:24 < krzee> i just never find myself in that environment
09:24 < krzee> im not a corporate type
09:32 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
09:32 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:36 < LMJ> TCP_NODELAY improved the quality
09:36 < LMJ> I would say, it's 70% better, only 30% to reach a correct VoIP service
09:38 -!- amirlovenepal [n=amirlove@116.197.166.228] has joined ##openvpn
09:57 < ecrist> fart knockers. osCommerce 3.0a5 install is broken and I'm too lazy to figure out where the problem lies
09:57 < ecrist> it's an include path issue.
09:57 < ecrist> :\
10:02 < krzee> hah weaksauce
10:02 < krzee> in cooler news, my shell script suite is up to 1000 lines and is fuckin gangster
10:04 -!- bauruine [n=bauruine@101-76.105-92.cust.bluewin.ch] has quit [Remote closed the connection]
10:06 < ecrist> o.O
10:06 < ecrist> what is this shell script suite you speak of?
10:07 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
10:09 < krzee> cant share the code (its for a job) but it interacts with a database to pull out daily and weekly figures, does all sorts of different math depending on a variety of things, and passes it on to the next script which does a variety of math as well
10:09 < krzee> 6 scripts in total, all running in a certain order
10:09 < krzee> with a glue script and a UI script
10:10 < krzee> the UI script will manage the variety of ways the math needs to be done (stored in flat files), or let the user do the necessary math for week or week up to the day
10:11 < ecrist> bash, sh, or perl?
10:11 < ecrist> or are you a python guy?
10:11 < krzee> replaces or sits along side existing much more complicated systems at the client's office
10:11 < krzee> bash/sh
10:11 < krzee> i used bc instead of bash math to know it can run on both
10:11 < ecrist> sh is compat with bash, not the other way around.
10:11 < krzee> ok, sh technically, but its only been run on bash so far
10:12 < ecrist> I'm very against bash-specific scripts.
10:12 < krzee> but i specifically used bc in my math to not be dependent on bash
10:12 < krzee> right
10:12 < ecrist> I know it's got lots of cool features people like, but it's not as portable (none of my boxes have bash)
10:13 < krzee> ie: instead of ans=$((1+1)) i used ans=`echo "1+1"|bc`
10:14 < krzee> it does have some cool features, but i dont think ive ever used much of the bash specific stuff anyways
10:14 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
10:15 < krzee> who knows, maybe if i knew more of it ild get hooked, but i dont know enough of it to care about it over sh for scripts, and i feel the same as you about portability
10:16 < krzee> all mine have bash, but since i run fbsd i dont expect it to always be present
10:16 < ecrist> unless I'm doing something uber simple, I use perl these days.
10:16 < ecrist> if I'm going to mess with databases and I can't easily pipe in/out of mysql, I go php
10:16 < krzee> ya this would likely be easier in perl/python
10:17 < krzee> but
10:17 < krzee> when you're gunna write a couple thousand lines of code, do it in your most comfy way
10:17 < krzee> for me thats shell
10:17 < krzee> im no real coder, but i can whip shit up
10:19 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
10:19 -!- hyper__ch [n=hyper@62.167.95.86] has joined ##openvpn
10:20 -!- hyper_ch [n=hyper@adsl-62-167-95-86.adslplus.ch] has quit [Nick collision from services.]
10:20 -!- hyper__ch is now known as hyper_ch
10:27 < Optic> C0W
10:27 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
10:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:36 -!- hyper__ch [n=hyper@adsl-62-167-95-86.adslplus.ch] has joined ##openvpn
10:36 -!- hyper_ch [n=hyper@62.167.95.86] has quit [Nick collision from services.]
10:36 -!- hyper__ch is now known as hyper_ch
10:39 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:05 < dazo> you guys should really get your feet really wet with some Python coding ...
11:11 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
11:18 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has joined ##openvpn
11:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:36 -!- amirlovenepal [n=amirlove@116.197.166.228] has quit [Read error: 110 (Connection timed out)]
11:40 < CrashSys> !route
11:40 < vpnHelper> CrashSys: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:54 < CrashSys> I'm trying to set up routed VPN between my office and colo using these settings http://pastebin.ca/1570957 ... The problem I have is that my office (client) machine can ping the colo (server) machine but not the other way around... Any input would be much appreciated...
11:56 < CrashSys> I can see the Rw and wR ticking away when I try to ping from the server to the client but I get no response
12:00 -!- dazo is now known as dazo|afk
12:12 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:23 -!- ralph [n=ralph@static.237.46.40.188.clients.your-server.de] has quit ["leaving"]
12:23 -!- thedoc [n=zing@unaffiliated/thedoc] has quit ["This computer has gone to sleep"]
12:29 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
12:32 -!- felix__ [n=felix@static-87-79-66-24.netcologne.de] has joined ##openvpn
12:32 < felix__> hi
12:32 < felix__> Is it still possible to configure an openvpn client to NOT verify if the server has got a server-type certificate (http://openvpn.net/index.php/open-source/documentation/howto.html#mitm)
12:32 < vpnHelper> Title: HOWTO (at openvpn.net)
12:33 < felix__> I have a workshop on encrypted network traffic next week and i m looking for a scenario for a small workshop
12:35 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn
12:47 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)]
12:51 -!- xattack [n=enrique@132.248.59.73] has joined ##openvpn
12:53 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:13 -!- achilles [n=achilles@62.90.142.81] has joined ##openvpn
13:29 < achilles> hello, is there a way to put redundancy remote server on the client side ? like having two servers in case the first failed check the another
13:29 < ecrist> yes, just add another remote line
13:32 < achilles> ecrist, that's cool, thanks
13:34 < techqbert> /j #opensolaris
13:38 < ecrist> no
13:41 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
13:56 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
14:06 -!- SoulMaster [n=SoulMast@h225n1fls32o823.telia.com] has joined ##openvpn
14:08 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Read error: 110 (Connection timed out)]
14:11 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn
14:12 < hardwire> ahoy.. hosting my own CA using easy-rsa-2.0 and getting ready to deploy openvpn to the masses. I'm hoping there is a way for me to sign a client key and wrap it and the config into an osx compatible package from linux
14:12 < hardwire> I've got that sorta working for doz
14:12 < hardwire> e
14:14 < SoulMaster> ?keeso! :)
14:14 < hardwire> I've seen you speak english.
14:14 * hardwire pokes at you
14:15 < SoulMaster> Make sense
14:15 < hardwire> I refuse.
14:15 < SoulMaster> poking backxx0r at you
14:17 < SoulMaster> Now, to reorder your train of thought ill require a pair of pliers and a monkeywrench. Got some of those ? ;)
14:17 < SoulMaster> (Monkey Island2)
14:18 < SoulMaster> hardwire: You seem to have had your Doz :P
14:19 < SoulMaster> hahah
14:21 < ecrist> are you two done?
14:22 < ecrist> hardwire: all I do is zip up the config and certificates, works for all windows, linux, and mac clients so far.
14:23 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:24 -!- jedahan_ [i=81316da5@gateway/web/freenode/x-cbkpxnbubabvxtdt] has joined ##openvpn
14:24 < jedahan_> what should a routing table from one client to one server look like (tun)?
14:24 < jedahan_> for some reason I think my push options are borked
14:25 < SoulMaster> ecrist: Having a bit of fun is/ and will always be a part of text meetings. We are done i think
14:26 < SoulMaster> ecrist: Do you think anyone got hurt in the ways of feelings ?
14:26 < SoulMaster> Or perhaps bodily harm :P
14:28 < SoulMaster> ecrist: Youre deeply churchish i take it ?
14:29 < ecrist> SoulMaster: no, but please don't continue to berate me about this
14:29 < jedahan_> from server.conf: http://pastie.org/622140
14:30 < SoulMaster> ecrist: In time youll learn, but i feel your wholesome view of all the people in the worlds will at any point not work.
14:30 < SoulMaster> Sad truth i admit
14:30 -!- mode/##openvpn [+o ecrist] by ChanServ
14:30 -!- mode/##openvpn [+b *!*=SoulMast@*.telia.com] by ecrist
14:31 -!- mode/##openvpn [-o ecrist] by ecrist
14:31 < ecrist> jedahan_: a few things I note in your post
14:31 < ecrist> 1) you're pushing a route which is common on many private consumer lans. You will likely run into conflicts
14:31 < jedahan_> !route
14:31 < vpnHelper> jedahan_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:32 < ecrist> 2) you're pushing a DNS server which resides on a different network from the route you're pushing earlier.
14:32 < ecrist> 3) your redirect-gateway doesn't seem complete.
14:32 < ecrist> !redirect-gateway
14:32 < vpnHelper> ecrist: Error: "redirect-gateway" is not a valid command.
14:32 -!- jeiworth [n=jeiworth@189.177.252.69] has quit [Read error: 110 (Connection timed out)]
14:32 < jedahan_> !redirect
14:32 < vpnHelper> jedahan_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:32 -!- SoulMaster [n=SoulMast@h225n1fls32o823.telia.com] has quit [Client Quit]
14:33 < jedahan_> !ipforward
14:33 < vpnHelper> jedahan_: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
14:33 < jedahan_> !linipforward
14:33 < vpnHelper> jedahan_: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
14:33 < jedahan_> !nat
14:33 < vpnHelper> jedahan_: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
14:33 < jedahan_> !linnat
14:33 < vpnHelper> jedahan_: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
14:37 -!- Irssi: ##openvpn: Total of 77 nicks [0 ops, 0 halfops, 0 voices, 77 normal]
14:37 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has left ##openvpn []
14:39 -!- fdas [n=fdas@77.92.94.119] has quit []
14:40 -!- jedahan_ [i=81316da5@gateway/web/freenode/x-cbkpxnbubabvxtdt] has quit [Ping timeout: 180 seconds]
14:40 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:41 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has joined ##openvpn
14:42 < jedahan> !route
14:42 < vpnHelper> jedahan: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:46 < jedahan> thanks to the !commands I am connected to my home lan and things seem to be routed correctly, but I can't get dns working, even manually specifying in /etc/resolv.conf, any suggestions on where to learn how dns works with openvpn?
14:46 < ecrist> jedahan: see howto, there's some discussion there.
14:46 < ecrist> !hotwo
14:46 < vpnHelper> ecrist: Error: "hotwo" is not a valid command.
14:46 < ecrist> !howto
14:46 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:46 < jedahan> could you give me the ip for openvpn.net :-p
14:47 < ecrist> openvpn.net has address 174.36.59.157
14:47 < ecrist> openvpn.net mail is handled by 20 mx2.emailsrvr.com.
14:47 < ecrist> openvpn.net mail is handled by 10 mx1.emailsrvr.com.
14:49 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
14:52 < jedahan> hmm apparently I cant get out of my local subnet - i can connect to the router but maybe i have nat wrong
14:52 < jedahan> !redirect
14:52 < vpnHelper> jedahan: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:52 < jedahan> !def1
14:52 < vpnHelper> jedahan: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
14:52 < jedahan> !man
14:52 < vpnHelper> jedahan: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:56 -!- jfkw [n=jtk@24.216.241.93] has quit [Read error: 145 (Connection timed out)]
15:05 < Hypnoz> jedahan, you need to setup a route on the router that tells it about the other network
15:05 < Hypnoz> or if you can't, you'd need to set up a static route on each machine that tells it how to get back to the openvpn server
15:13 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
15:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:25 < Douglas> hi ecrist
15:25 < Douglas> lolol
15:25 < Douglas> openvpn uses rackspace email
15:25 < Douglas> me too!
15:32 -!- robotti^_ is now known as robotti^
15:33 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
16:04 < jedahan> !howto
16:04 < vpnHelper> jedahan: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:06 < LMJ> hello back
16:06 < LMJ> SIP (VoIP) over openvpn over tcp over wifi looks better with TCP_NODELAY and a mssfix low !
16:06 < LMJ> great news
16:07 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 113 (No route to host)]
16:11 < LMJ> last question for today, i would like to do a tricky thing : for the moment, as soon as the vpn is up, my laptop network access are redirected through the VPN and then go on Internet. I would like to : if destination-port=80/tcp or 443/tcp, use the Wifi gateway, for anything else, use the default gw provided for the post VPN operation. I guess it's more iptables than route to do this, right ?
16:22 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
16:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:26 -!- jeiworth [n=jeiworth@189.163.187.22] has joined ##openvpn
16:34 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
16:36 -!- jeiworth_ [n=jeiworth@189.163.187.22] has joined ##openvpn
16:36 < ecrist> LMJ: that requires a firewall or router that can do policy-based routing
16:37 < LMJ> or maybe iproute2
16:45 < hardwire> LMJ: ip rule + multiple routing tables + ipt_mangle
16:45 < LMJ> :-/
16:46 < hardwire> OR
16:46 < ecrist> or pf
16:46 < hardwire> the simple solution
16:46 < hardwire> install squid, set it to bind to the wireless IP
16:46 < hardwire> done
16:46 < LMJ> what do you mean
16:46 < LMJ> install squid in localhost
16:46 < hardwire> you would have to have dhclient post-up scripts rewrite the squid.conf if the IP changes on your wireless interface
16:46 < hardwire> yeh
16:47 < LMJ> ho I see
16:47 < LMJ> force the browser to use the proxy who use wifi, right ?
16:47 < hardwire> but you set the bind ip in squid.conf to whatever that IP is
16:47 < ecrist> if squid isn't installed on his local machine, the squid proxy will never see it.
16:47 < hardwire> LMJ: yup.
16:47 < hardwire> then squid.conf would have to be rewritten when the wireless interface has no IP
16:48 < hardwire> and reloaded
16:48 < hardwire> OR.. you can cheat
16:48 < LMJ> hard to have something reliable across different wifi network configuration
16:48 < LMJ> indeed
16:48 < hardwire> actually.. cheating is bad.
16:48 < hardwire> nm
16:49 < LMJ> go ahead
16:51 -!- jeiworth [n=jeiworth@189.163.187.22] has quit [Read error: 110 (Connection timed out)]
16:53 -!- xattack [n=enrique@132.248.59.73] has quit ["leaving"]
16:59 -!- achilles [n=achilles@62.90.142.81] has quit ["Leaving"]
17:10 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit [Read error: 60 (Operation timed out)]
17:10 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:16 < jedahan> !pq http://pastie.org/622313.txt ::arbor
17:16 < vpnHelper> jedahan: Error: "pq" is not a valid command.
17:19 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
17:28 -!- maxagaz [n=g@125.39.108.219] has joined ##openvpn
17:28 < maxagaz> hi
17:28 < maxagaz> i have some problems with openvpn on ubuntu 9.04
17:28 -!- whack [n=jls@syn.csh.rit.edu] has joined ##openvpn
17:29 < maxagaz> the first one is that it's launched automatically after the boot of the computer
17:29 < maxagaz> the second is that , after a while, it makes my connection so slow that it's unusable
17:29 < maxagaz> i can't figure out why
17:30 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
17:32 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has left ##openvpn ["Leaving"]
17:32 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
17:32 -!- maxagaz [n=g@125.39.108.219] has quit [Remote closed the connection]
17:33 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
17:34 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Client Quit]
17:36 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
17:48 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:48 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:54 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has quit ["leaving"]
18:12 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has joined ##openvpn
18:28 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:41 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
18:58 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:42 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
19:54 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
20:17 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
21:20 -!- master_of_master [i=master_o@p549D77EC.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:21 -!- master_of_master [i=master_o@p549D4715.dip.t-dialin.net] has joined ##openvpn
21:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
21:30 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
21:46 -!- JochenA [i=jochen@pdpc/supporter/student/JochenA] has quit [Read error: 110 (Connection timed out)]
21:59 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:09 -!- dash_ [i=dash@114.121.114.105] has joined ##openvpn
22:11 < dash_> hallo
22:11 < dash_> can anyone help me
22:14 < ecrist> you haven't asked anything
22:14 < ecrist> so, not yet
22:15 * ecrist goes to bed
22:16 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
22:32 -!- ku0n [n=kuon@217.144.50.50] has quit ["leaving"]
22:49 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
22:52 < tjz> dash_, you fail
22:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:10 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:11 < jreno_> Can the same openvpn daemon be used for both client and server at the same time?
23:11 < jreno_> (got a url to a example, if yes)
23:14 < dazo|h> jreno_: no, that is not possible .... server can handle multiple clients, that's the only "multiple" scenario possible
23:14 * dazo|h heads for bed
23:48 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Sep 19 2009
00:08 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:37 -!- deception [i=oc80z@root.servergirl.net] has joined ##openvpn
01:55 < whack> jreno_: you have to run multiple instances
01:55 < whack> at least one for server, and 1 for every client instance
01:55 < whack> Specifying multiple 'remote' makes them round-robin
03:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:52 < reiffert> jreno_: just start two instances of openvpn. one as client, one as server.
04:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:24 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
04:25 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
05:30 -!- dash_ [i=dash@114.121.114.105] has quit ["Leaving"]
05:55 -!- fahadsadah [n=fahad@wikipedia/fahadsadah] has joined ##openvpn
05:55 < fahadsadah> Hi guys
05:55 < fahadsadah> I'm getting errors about TLS handshake failed.
05:56 < fahadsadah> I don't know which !logs you need?
05:56 < fahadsadah> !logs
05:56 < vpnHelper> fahadsadah: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:58 < fahadsadah> Sat Sep 19 06:55:09 2009 us=283347 82.28.217.234:52374 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 05:58 < fahadsadah> Sat Sep 19 06:55:09 2009 us=283451 82.28.217.234:52374 TLS Error: TLS handshake failed 05:58 < fahadsadah> Sat Sep 19 06:55:09 2009 us=283648 82.28.217.234:52374 SIGUSR1[soft,tls-error] received, client-instance restarting 05:58 < fahadsadah> That keeps repeating 05:59 < fahadsadah> !/30 05:59 < vpnHelper> fahadsadah: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 06:00 < |Mike|> !tls-auth 06:00 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 06:00 < |Mike|> read that fahadsadah 06:01 < fahadsadah> !secure 06:01 < vpnHelper> fahadsadah: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 06:01 < fahadsadah> Can TLS be disabled? 06:01 < |Mike|> would you like to get MITM'd ? 06:01 < |Mike|> man in the middle attack 06:02 < fahadsadah> I know what MITM is. 06:02 < fahadsadah> And I trust both nets. 06:02 < fahadsadah> All the clients are currently trusting one CA cert. 06:03 < fahadsadah> I'm not too sure if my server's cert is signed by this CA 06:03 < |Mike|> then please check :) 06:03 < fahadsadah> How? 06:04 < fahadsadah> It isn't. 06:04 < fahadsadah> (catted the cert) 06:05 < ecrist> good morning 06:05 < fahadsadah> ecrist: Good morning 06:05 < fahadsadah> I think it would be best to simply reconfigure the clients. 06:05 < fahadsadah> I found the new CA cert. 
06:07 < |Mike|> i got jumped by one of our dutch sheppards, sorry for the latency :P 06:09 < |Mike|> how many clients are attached fahadsadah ? 06:09 < fahadsadah> |Mike|: God knows. 06:10 < fahadsadah> !topology 06:10 < vpnHelper> fahadsadah: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 06:12 -!- brizly1 [n=brizly_v@p4FC98ADE.dip0.t-ipconnect.de] has joined ##openvpn 06:13 -!- brizly [n=brizly_v@p4FC9A4C7.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:15 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 06:35 < fahadsadah> !bridging 06:35 < vpnHelper> fahadsadah: Error: "bridging" is not a valid command. 06:35 < fahadsadah> !routing 06:35 < vpnHelper> fahadsadah: Error: "routing" is not a valid command. 06:35 < fahadsadah> !howto 06:35 < vpnHelper> fahadsadah: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:39 < Bushmills> !route 06:39 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 06:40 < Bushmills> !factoids search bridge 06:40 < vpnHelper> Bushmills: 'bridge', 'bridge-dhcp', 'fbsdbridge', and 'bridge-fw' 06:40 < Bushmills> !tunortap 06:40 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 07:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:57 < felix__> Or if you want ip4 and ip6 which is likely today 07:58 < felix__> If you want to have two separate tunnels 07:58 < felix__> dont.. 
08:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
09:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:23 -!- kladizkov [n=fabin@61.17.218.245] has joined ##openvpn
09:24 < kladizkov> is there any control panel to do things easy with openvpn?
09:28 < mischief> for mac, sure
09:41 < kladizkov> which is that application?
09:46 -!- mischievious [n=mischief@unaffiliated/mischief] has joined ##openvpn
09:48 < dazo|h> kladizkov: for mac, you have tunnelblick
09:49 -!- mischief [n=mischief@unaffiliated/mischief] has quit [Read error: 60 (Operation timed out)]
09:51 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has joined ##openvpn
09:51 < DeathWolf> any suggestions on ways to reduce cpu usage (possibly lowering security, I'm just looking at a minimum of security, not full guarantee)
09:51 < DeathWolf> I've already reduced keysize, and am using blowfish
09:53 < DeathWolf> PID PPID USER STAT VSZ %MEM %CPU COMMAND
09:53 < DeathWolf> 3782 1 root R 5040 35% 83% /usr/sbin/openvpn --syslog openvpn(cu
09:54 < kladizkov> is it possible to limit bandwidth to a user?
09:58 < DeathWolf> would disabling data packet auth make the actual data transfer at risk of being intercepted, or is it just a DOS style risk?
09:58 < DeathWolf> ( --auth alg )
10:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
10:38 < fahadsadah> http://paste.cluenet.org/2496
10:38 < fahadsadah> openvpn --config filename.cnf --verb 3 returns no output
10:43 -!- felix__ [n=felix@static-87-79-66-24.netcologne.de] has quit ["Lost terminal"]
10:51 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
11:54 < LMJ> hi
11:55 < LMJ> what should I put in ccd/client01 to disable access to the client01 user ?
12:05 < LMJ> second question, can i log somewhere other than the syslog default file ? tried ovpn-server.* in syslogd.conf without success
12:12 < LMJ> for my question 1, revoking the certificate works but it's not my target, I want to disable/enable login possibilities on the fly
12:41 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
12:57 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has joined ##openvpn
13:37 -!- whack [n=jls@syn.csh.rit.edu] has left ##openvpn []
14:12 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:16 -!- kladizkov [n=fabin@61.17.218.245] has quit ["Ex-Chat"]
14:41 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"]
15:12 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
15:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:40 < krzie> LMJ, try reading the manual, i coulda sworn i answered #1 for you a couple days ago
15:40 < krzie> !man
15:40 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:40 < krzie> see --disable and --log
15:40 < krzie> lol
15:42 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
15:52 < krzie> happy talk like a pirate day
16:15 < mischievious> krzie, arr, me hearty!
16:15 < mischievious> how goes it, salty sea dog?
16:19 -!- deception [i=oc80z@root.servergirl.net] has quit [Remote closed the connection]
16:27 < krzie> i be well matey
16:30 < krzie> is it possible to limit bandwidth to a user?
16:31 < krzie> see --shaper
16:33 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
17:14 -!- Peste_Bubonica [n=eduardo@189-47-176-158.dsl.telesp.net.br] has joined ##openvpn
17:16 < Peste_Bubonica> Hi all... I'm reading about ssl certificates, and I will use openvpn with two clients... With the easy-rsa script, I've got dh01 and dh02.pem, but reading some howtos I always see the dh param as dh dh1024.pem. How can I make this file? is it the union of each dh{n} generated?
17:21 < Peste_Bubonica> oops... i found this in a doc... huge thanks anyway
18:38 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
18:40 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
18:44 < Peste_Bubonica> I'm trying to create a multipoint config over three sites... I have this server param: server 10.11.0.0 255.255.255.0
18:45 < Peste_Bubonica> When I run the openvpn daemon, my tun0 interface assumes the ip 10.11.0.1 with a peer 2... when I start a client connection, the client gets the ip 10.11.0.5 with a 6 peer (the server)...
18:46 < Peste_Bubonica> but the server does not assign this ip... if I add this ip on the interface manually, client1 reaches the server ip.. otherwise no... is there a way to do that automatically ( up and down this ip when a connection starts ) ?
18:46 -!- patch-tag [n=team@host1.patch-tag.com] has joined ##openvpn
18:49 < patch-tag> I have installed openvpngui v2 for windows, configured a connection per the instructions provided me, connected, and the connection is green, ie I assume success. However, I cannot putty or view web pages within the internal network. what exactly does "green" status mean for openvpn gui? Do I need to do additional config for putty/firefox? I was led to believe by coworkers that this was unnecessary. what is the troubleshooting sequence
18:49 < patch-tag> I should follow?
18:53 < patch-tag> I have installed openvpngui v2 for windows, configured a
18:53 < patch-tag> connection per the instructions provided me, connected, and the
18:53 < patch-tag> connection is green, ie I assume success. However, I cannot putty
18:53 < patch-tag> or view web pages within the internal network. what exactly does
18:53 < patch-tag> "green" status mean for openvpn gui? Do I need to do additional
18:53 < patch-tag> config for putty/firefox? I was led to believe by coworkers that
18:53 < patch-tag> this was unnecessary. what is the troubleshooting sequence
18:53 < patch-tag> [19:49]
18:53 < patch-tag> I should follow?
18:53 < patch-tag> ERC>
18:54 -!- patch-tag [n=team@host1.patch-tag.com] has quit [Remote closed the connection]
19:03 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
19:44 -!- Hypnoz [n=colin@99.163.48.4] has joined ##openvpn
20:21 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
20:57 -!- Hypnoz [n=colin@99.163.48.4] has left ##openvpn []
21:12 -!- master_of_master [i=master_o@p549D4715.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- master_of_master [i=master_o@p549D7060.dip.t-dialin.net] has joined ##openvpn
21:18 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
21:39 -!- Peste_Bubonica [n=eduardo@189-47-176-158.dsl.telesp.net.br] has quit ["Leaving"]
21:58 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
21:58 -!- roy_hobbs [n=roy_hobb@pool-98-109-7-79.nwrknj.fios.verizon.net] has joined ##openvpn
22:02 < roy_hobbs> Is there some high level example somewhere of a multiple network <--> multiple network setup/configuration?
22:34 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:36 < krzee> !route
22:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:29 -!- DeathWolf [i=yggdrasi@saber.kawaii-shoujo.net] has left ##openvpn []
23:48 -!- roy_hobbs [n=roy_hobb@pool-98-109-7-79.nwrknj.fios.verizon.net] has left ##openvpn ["There goes Roy Hobbs, the best there ever was..."]
23:51 -!- Sup3rFly [n=sup3rfly@174-22-156-109.clsp.qwest.net] has joined ##openvpn
23:52 < Sup3rFly> grrr
23:52 < Sup3rFly> anyone ever got openvpn to work with a sprint mobile card?
23:52 < Sup3rFly> after i connect to openvpn, sprint disconnects me within 30 secs
23:52 < Sup3rFly> seems to be a common issue
--- Day changed Sun Sep 20 2009
00:00 -!- Sup3rFly [n=sup3rfly@174-22-156-109.clsp.qwest.net] has quit []
00:10 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
00:18 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
01:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
01:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
02:47 -!- DarthShrine [n=angus@pdpc/supporter/student/DarthShrine] has joined ##openvpn
03:24 -!- DarthShrine [n=angus@pdpc/supporter/student/DarthShrine] has left ##openvpn []
04:00 -!- thedoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:30 -!- c64zottel [n=hans@p5B1797F0.dip0.t-ipconnect.de] has joined ##openvpn
05:31 -!- c64zottel [n=hans@p5B1797F0.dip0.t-ipconnect.de] has left ##openvpn []
05:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:29 -!- brizly1 [n=brizly_v@p4FC98ADE.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:30 -!- thedoc [n=zing@bb121-6-132-93.singnet.com.sg] has joined ##openvpn
06:31 -!- thedoc [n=zing@bb121-6-132-93.singnet.com.sg] has quit [Remote closed the connection]
06:32 -!- brizly [n=brizly_v@p4FC99D4D.dip0.t-ipconnect.de] has joined ##openvpn
06:46 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
06:57 -!- ToastedSalad [n=xxx@c-71-235-206-105.hsd1.ct.comcast.net] has joined ##openvpn
06:57 < ToastedSalad> is there a way to get a vbox guest to connect directly to the internet while the host computer is connected to an OpenVPN?
07:04 -!- hyper__ch [n=hyper@adsl-84-227-95-150.adslplus.ch] has joined ##openvpn
07:04 -!- hyper_ch [n=hyper@adsl-62-167-95-86.adslplus.ch] has quit [Nick collision from services.]
07:04 -!- hyper__ch is now known as hyper_ch
07:34 -!- ToastedSalad [n=xxx@c-71-235-206-105.hsd1.ct.comcast.net] has left ##openvpn []
08:06 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 60 (Operation timed out)]
08:22 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
08:53 -!- c64zottel [n=hans@p5B1797F0.dip0.t-ipconnect.de] has joined ##openvpn
09:16 -!- c64zottel [n=hans@p5B1797F0.dip0.t-ipconnect.de] has left ##openvpn []
09:20 < |Mike|> re
09:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:50 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
10:08 -!- brizly [n=brizly_v@p4FC99D4D.dip0.t-ipconnect.de] has quit ["Leaving."]
10:22 -!- brizly [n=brizly_v@p4FC99D4D.dip0.t-ipconnect.de] has joined ##openvpn
11:49 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
11:49 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
11:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
12:23 -!- pred2k3 [n=pred2k3@dslb-088-069-239-126.pools.arcor-ip.net] has joined ##openvpn
12:23 < pred2k3> hi, I'm trying to run ./vars, but it doesn't export anything, I have also tried to create a custom script, I can't export via shell file, what's wrong?
12:24 < |Mike|> try . /vars
12:24 < |Mike|> or just do it manually
12:24 < pred2k3> that's what I did
12:25 < |Mike|> but?
12:26 < pred2k3> I mean "./vars"
12:27 < |Mike|> cat vars and export all those lines manually
12:27 < |Mike|> export OPENSSL="openssl"
12:27 < |Mike|> export PKCS11TOOL="pkcs11-tool"
12:27 < |Mike|> export GREP="grep"
12:27 < |Mike|> stuff like that is in it :)
12:27 < pred2k3> I know what you mean
12:27 < pred2k3> but that doesn't solve the problem
12:27 < |Mike|> what's the problem then ?
12:28 < pred2k3> I can't export vars in a script
12:28 < |Mike|> you might want to set those environment variables, otherwise you can't run clean-all etc
12:28 < |Mike|> what shell are you using ?
12:28 < pred2k3> bash
12:28 < |Mike|> echo $SHELL
12:28 < pred2k3> */bin/bash
12:29 < |Mike|> what does 'env' show you ?
12:29 < |Mike|> does it give you the exported things as well ?
12:29 < pred2k3> no, I already checked that
12:30 < |Mike|> but why would you like to export the vars into a script ?
12:31 < pred2k3> In my eyes "vars" is a script
12:31 < |Mike|> it is
12:31 < pred2k3> and export seems not to work..
12:31 < pred2k3> but echo does
12:32 < Bushmills> pred2k3: . script
12:32 < pred2k3> what?
12:32 < Bushmills> keeps the script from being run in a subshell
12:32 < |Mike|> # . vars
12:33 < |Mike|> wow, now i understand his problem :p
12:33 < Bushmills> (and consequently, assignment to variables lost again after execution)
12:33 < pred2k3> yehaw
12:33 < pred2k3> thanks
12:50 -!- pred2k3 [n=pred2k3@dslb-088-069-239-126.pools.arcor-ip.net] has quit []
12:55 -!- smerz [n=daniel@83.160.155.152] has joined ##openvpn
13:07 -!- pred2k3 [n=pred2k3@dslb-088-069-239-126.pools.arcor-ip.net] has joined ##openvpn
13:45 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 104 (Connection reset by peer)]
14:22 -!- smerz is now known as smerz`away
14:41 < ecrist> good afternoon
15:06 -!- smerz`away [n=daniel@83.160.155.152] has quit ["Ex-Chat"]
15:19 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
15:36 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
16:27 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
16:40 < jedahan> heh, didn't have the firewall.user included >_<
16:52 < jedahan> everything looks like it's working...
17:04 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has left ##openvpn ["Leaving"]
17:10 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has quit [Remote closed the connection]
17:10 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has joined ##openvpn
17:10 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
17:12 -!- robotti^ [i=robotti@kapsi.fi] has quit [Remote closed the connection]
17:12 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
17:14 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
17:15 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:16 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
17:21 < pred2k3> n8
17:21 -!- pred2k3 [n=pred2k3@dslb-088-069-239-126.pools.arcor-ip.net] has quit []
17:36 -!- nemysis is now known as Smartnow_
17:37 -!- Smartnow_ is now known as nemysis
17:39 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"]
18:21 -!- nemysis [n=nemysis@unaffiliated/nemysis] has left ##openvpn ["I am off"]
18:37 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
18:53 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit ["I am off"]
19:02 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:19 -!- jeiworth [n=jeiworth@189.163.187.22] has joined ##openvpn
19:23 -!- nemysis [n=nemysis@unaffiliated/nemysis] has left ##openvpn ["I am off"]
19:33 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
19:33 -!- jeiworth_ [n=jeiworth@189.163.187.22] has quit [Read error: 110 (Connection timed out)]
19:39 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:40 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Client Quit]
19:42 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
19:49 -!- mikethec [n=mike@c-76-101-145-22.hsd1.fl.comcast.net] has joined ##openvpn
19:50 < mikethec> Hello. Anyone around? :)
19:50 < nuhiNlow> yeah
19:51 < mikethec> I have a total n00b question.
19:51 < nuhiNlow> ?
19:51 < mikethec> I'm setting up OpenVPN on my DD-WRT router.
19:52 < mikethec> As I go through the instructions it talks about setting up two different IP addresses.
19:52 < nuhiNlow> yeah your tun0 needs an ip address
19:52 < mikethec> Specifically they're "push" and "server"
19:52 < nuhiNlow> server needs to be on a diff subnet from your LAN
19:52 < mikethec> I don't know enough to understand the significance nor what they should be set to.
19:52 < nuhiNlow> and WAN of course
19:52 < nuhiNlow> what is your LAN subnet now?
19:53 < |Mike|> pls, change nicks
19:53 < |Mike|> unreadable convo ftw
19:53 < nuhiNlow> what?
19:54 < mikethec> When you're talking about the LAN subnet, you mean the 255.255.------ one?
19:54 < |Mike|> lol
19:54 < nuhiNlow> what is your LAN ip
19:54 < nuhiNlow> on the router. ?
19:54 < mikethec> 192.168.1.1
19:54 < nuhiNlow> so pick something you're not using, like 10.22.1.1
19:55 < nuhiNlow> and make that the server line
19:55 < mikethec> Quick question here...
19:55 < mikethec> And again, I admit I'm a total n00b...
19:55 < |Mike|> mikethec: read about tls-auth
19:55 < |Mike|> !tls-auth
19:55 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
19:56 < mikethec> Will using a different range of IPs still allow me to remotely look at and work with the network resources here in my house?
19:56 < |Mike|> !secure
19:56 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
19:56 < mikethec> (i.e. file server, local fileshares, etc.)
19:56 < nuhiNlow> mikethec, yes if you push a route to your local network
19:57 < mikethec> So I would do what, push 192.168.1.1 and server of 10.blah blah blah?
19:57 < nuhiNlow> push "route 10.21.1.0 255.255.255.0"
19:57 < nuhiNlow> push "route 192.168.1.1 255.255.255.0" in your case
19:57 < mikethec> vpnHelper: The problem with most of that is I don't know enough to understand a lot of it.
19:57 < vpnHelper> mikethec: Error: "The" is not a valid command.
19:57 < |Mike|> lol
19:57 < mikethec> Oh.
19:58 < mikethec> And server is for what, exactly? The built-in VPN server?
19:58 < mikethec> And it just becomes whatever address I tell it?
19:58 < nuhiNlow> tun0
19:58 < nuhiNlow> yes
20:01 < mikethec> Um, one other question.
20:01 < mikethec> (at least that I know of at this point...)
20:02 < mikethec> How do I determine what the port number is of my OpenVPN server?
20:03 < nuhiNlow> 1194 udp is default
20:03 < nuhiNlow> rtfm
20:03 < mikethec> Why, thank you very much!
20:04 -!- mikethec [n=mike@c-76-101-145-22.hsd1.fl.comcast.net] has quit ["Leaving"]
20:04 -!- infe [i=infe@avior.praxxa.com] has joined ##openvpn
20:04 < nuhiNlow> rtfm gets 'em every time
20:04 < infe> !redirect
20:04 < vpnHelper> infe: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:33 -!- Cocoabean [n=Cocoabea@ip98-185-212-4.sb.sd.cox.net] has joined ##openvpn
20:33 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:35 < Cocoabean> Hello, I am using the included scripts to start my bridge. I bridge eth0 and tap0 to br0 to use in a bridged VPN configuration. I enabled packet forwarding with sysctl but when I try to ssh into my openvpn server from outside my LAN, I can't connect. Port 22 is forwarding, and it works when the bridge is down, why aren't packets getting through?
20:36 < Cocoabean> Outside VPN connections also fail, though they work fine from inside the LAN. I'm pretty sure it has something to do with the bridge interface not forwarding.
20:40 < Cocoabean> Server config: http://pastebin.com/f30870e3f
20:48 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
20:51 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:12 -!- master_of_master [i=master_o@p549D7060.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D441A.dip.t-dialin.net] has joined ##openvpn
21:21 -!- Cocoabean_ [n=Cocoabea@ip98-185-212-4.sb.sd.cox.net] has joined ##openvpn
21:22 -!- Cocoabean [n=Cocoabea@ip98-185-212-4.sb.sd.cox.net] has quit [Read error: 104 (Connection reset by peer)]
21:22 -!- Cocoabean_ is now known as Cocoabean
21:55 -!- jeiworth [n=jeiworth@189.163.187.22] has quit [Read error: 110 (Connection timed out)]
22:09 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:14 -!- Cocoabean_ [n=Cocoabea@ip98-185-216-181.sb.sd.cox.net] has joined ##openvpn
22:18 -!- Cocoabean [n=Cocoabea@ip98-185-212-4.sb.sd.cox.net] has quit [Read error: 104 (Connection reset by peer)]
22:33 -!- Cocoabean_ [n=Cocoabea@ip98-185-216-181.sb.sd.cox.net] has quit [Connection timed out]
22:36 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
23:34 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has joined ##openvpn
23:34 < thirdwheel> !/30
23:34 < vpnHelper> thirdwheel: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
23:34 < thirdwheel> !topology
23:34 < vpnHelper> thirdwheel: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
23:36 < thirdwheel> hey all, I've got the situation above with wanting to explicitly set a /30 subnet, I've got topology subnet set, but it still tells me I need /29 or lower...
pasted at http://openvpn.pastebin.com/d77800a5f
23:37 < thirdwheel> oops
23:37 < thirdwheel> wrong one
23:38 < thirdwheel> http://openvpn.pastebin.com/m644b65c3
23:39 < thirdwheel> running OpenVPN 2.1_rc18
23:59 -!- dollabill [n=mike@81.sub-75-216-2.myvzw.com] has joined ##openvpn
--- Day changed Mon Sep 21 2009
00:00 -!- dollabill [n=mike@81.sub-75-216-2.myvzw.com] has quit [Client Quit]
01:03 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
01:17 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
01:18 < thirdwheel> anybody have a clue what I'm doing wrong?
01:57 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has quit ["Leaving"]
02:11 -!- bauruine [n=bauruine@101-76.105-92.cust.bluewin.ch] has joined ##openvpn
02:18 -!- dazo|afk is now known as dazo
02:18 -!- dazo [n=dazo@nat/redhat/x-xmatgggulspxulew] has quit [Remote closed the connection]
02:18 -!- dazo [n=ndazo@nat/redhat/x-jzxzixjgyopjdzst] has joined ##openvpn
02:19 -!- dazo is now known as Guest68265
02:20 -!- Guest68265 [n=ndazo@nat/redhat/x-jzxzixjgyopjdzst] has quit [Client Quit]
02:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:20 -!- Guest68265 [n=dazo@nat/redhat/x-umnvaoeysziozsyi] has joined ##openvpn
02:21 -!- Guest68265 is now known as dazo
03:03 -!- bauruine [n=bauruine@101-76.105-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:11 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
03:36 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has joined ##openvpn
04:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:52 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
05:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection]
05:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:29 -!- brizly [n=brizly_v@p4FC99D4D.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:30 -!- brizly [n=brizly_v@p4FC99487.dip0.t-ipconnect.de] has joined ##openvpn
06:40 -!- arossouw [n=arossouw@165.146.48.160] has joined ##openvpn
06:41 < arossouw> i need an idea, is there a way that an openvpn client can connect to a less saturated openvpn server, when the openvpn server's line is too saturated with data?
06:42 < ecrist> not without some other sort of metric detector and a wrapper for openvpn
06:42 < ecrist> you could do it on the client or server side, server side would be easiest, I think.
06:42 < arossouw> so there is a way to automate?
06:43 < ecrist> through scripting, yes
06:43 < arossouw> any documentation i can read, or just give me ideas where i can look
06:43 < arossouw> openvpn forums?
06:44 < arossouw> thanks, i'll read through the mailing lists
06:45 < arossouw> i see the openvpn client can have multiple remote options
06:52 < arossouw> i wonder if i add more than 1 remote server in the openvpn client and let iproute2 do the route management, based on link congestion
06:53 < ecrist> no, I'd do it in a script
06:53 < arossouw> ok
06:54 < arossouw> so i can write a python script to modify the openvpn client configuration
06:54 < ecrist> sure
06:55 < arossouw> k, i'll try testing it in a lab environment, thx
07:00 -!- naquad [n=naquad@83.143.234.194] has joined ##openvpn
07:00 < naquad> hi
07:00 < ecrist> hello
07:02 < naquad> I'm trying to route all the client's traffic via openvpn, server is working and is accessible via openvpn (ping works ok), I've put these lines into /etc/openvpn/ccd/client1: push "redirect-gateway def1" and push "dhcp-option DNS 10.8.0.1" but the client's routing table didn't change. btw, the client's internet is pppoe. what am I doing wrong?
07:03 < ecrist> !all
07:03 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
07:03 < naquad> I think I've found the issue
07:03 < naquad> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
07:11 < naquad> configs and logs: http://pastebin.com/m81dc638
07:11 < naquad> maybe the problem is in the client's connection to the internet? it is pppoe
07:15 < ecrist> could be.
07:19 < krzee> i take it your pppoe does not give you a default route
07:19 < krzee> but that you could set one manually and fix the issue
07:19 < krzee> true?
07:19 < krzee> or rather it is device based via ptp
07:22 < krzee> see this thread: http://article.gmane.org/gmane.network.openvpn.user/25053/match=openvpn+ppp
07:22 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at article.gmane.org)
07:23 < krzee> but read the whole thread
07:23 < krzee> better here: http://thread.gmane.org/gmane.network.openvpn.user/25122/focus=25053
07:23 < vpnHelper> Title: Gmane Loom (at thread.gmane.org)
07:25 < naquad> krzee, yes, it doesn't
07:25 < naquad> I think to do next:
07:25 < krzee> there's even a patch for ovpn in that thread
07:26 < naquad> put default as ifconfig's out p-t-p and then restart openvpn
07:26 < naquad> krzee, thank you
07:26 < krzee> (it's a linux specific issue)
07:26 < krzee> yes, that should also work
07:26 < krzee> yw
07:38 -!- mischievious [n=mischief@unaffiliated/mischief] has quit ["For they have sown the wind, and they shall reap the whirlwind."]
07:38 -!- mischievious [n=mischief@unaffiliated/mischief] has joined ##openvpn
08:12 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:49 -!-
jeiworth [n=jeiworth@189.177.252.69] has joined ##openvpn 08:54 -!- klaernie [n=kandre@port-92-206-91-172.dynamic.qsc.de] has joined ##openvpn 08:55 < klaernie> !route 08:55 < vpnHelper> klaernie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 09:02 < klaernie> hi guys. I have a little question: can i instruct openvpn to use another nameserver for resolving the remote end, than the systems default? thx 09:06 < klaernie> anyone? 09:06 -!- jeiworth_ [n=jeiworth@189.177.252.69] has joined ##openvpn 09:07 -!- jeiworth [n=jeiworth@189.177.252.69] has quit [Read error: 104 (Connection reset by peer)] 09:09 -!- stony [n=stony@p5B322C1F.dip0.t-ipconnect.de] has joined ##openvpn 09:09 < stony> hi 09:09 < stony> eeer is it possible to create a tunnel without encryption ? 09:13 -!- stony [n=stony@p5B322C1F.dip0.t-ipconnect.de] has quit ["bye"] 09:14 < klaernie> !topology 09:14 < vpnHelper> klaernie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
09:14 < klaernie> !/30 09:14 < vpnHelper> klaernie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 09:15 < klaernie> !iporder 09:15 < vpnHelper> klaernie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 09:15 -!- klaernie [n=kandre@port-92-206-91-172.dynamic.qsc.de] has quit ["Ex-Chat"] 09:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:33 -!- arossouw [n=arossouw@165.146.48.160] has quit ["Lost terminal"] 09:37 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 09:41 -!- derwayne [n=waynerr@p57A26688.dip.t-dialin.net] has joined ##openvpn 09:41 < derwayne> he 09:42 < derwayne> i search for a documentation regarding the crypto-api and openvpn 09:43 < derwayne> the magic google wont work for me here, all my spells wont work 09:45 < nuhiNlow> mine uses openssl 10:00 -!- bytesaber_ [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 10:14 -!- tuxick [i=BluesMur@82.95.232.97] has joined ##openvpn 10:14 < tuxick> lo 10:15 < tuxick> got a weird problem: multi client setup, all clients get same tunnel end IP 10:15 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 10:20 < tuxick> http://pastebin.ca/1574031 10:30 < ecrist> reading 10:31 < ecrist> to older clients get bumped off the vpn when a new client connects? 
10:40 -!- derwayne [n=waynerr@p57A26688.dip.t-dialin.net] has quit ["Verlassend"]
10:44 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:44 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
10:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
10:45 -!- mark-use [n=chatzill@167.Red-83-58-255.dynamicIP.rima-tde.net] has joined ##openvpn
10:45 < mark-use> any ideas where the problem can lie? Vigor: PPP Closed : LCP Time-out ()
10:47 -!- jm [i=jonathan@192.121.234.85] has quit [Read error: 113 (No route to host)]
10:48 < tuxick> ecrist: well things do fall apart
10:48 < tuxick> i don't see client complain though
10:53 < ecrist> does each client have their own certificate?
10:54 < ecrist> mark-use: no idea without more information
10:56 -!- jeiworth_ [n=jeiworth@189.177.252.69] has quit [Read error: 110 (Connection timed out)]
10:59 < mark-use> ecrist: first of all, it's not an openvpn related problem as I ran into time pressure and use PPTP -ouch- now... I got a DrayTek router on the end, all worked before, now that error comes.
10:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:59 < mark-use> just want to get a clue where to search for the problem
11:00 < mark-use> searched *vpn* on freenode... I know these issues of "not in topic" but still hoped to get some help here
11:00 < mark-use> should have done that with openVPN, so I at least would know what's going on ;)
11:02 < tuxick> ecrist: found it, needed a 'hack' ifconfig-pool-linea
11:02 < tuxick> seems a workaround for broken windows
11:02 < tuxick> as usual
11:02 < tuxick> ifconfig-pool-linear
11:02 < mark-use> hehe, that's why egroupware is so silent ;)
11:03 < mark-use> hi tuxick by the way
11:03 < tuxick> at least i now got a new ip on linux client
11:03 < tuxick> hi
11:04 -!- wnl [n=wnl@adsl-176-62-190.asm.bellsouth.net] has quit [Read error: 113 (No route to host)]
11:04 -!- thedoc is now known as theDoc
11:10 -!- mark-use_ [n=chatzill@82.Red-83-58-83.dynamicIP.rima-tde.net] has joined ##openvpn
11:20 -!- mark-use_ [n=chatzill@82.Red-83-58-83.dynamicIP.rima-tde.net] has quit ["ChatZilla 0.9.82.1 [Firefox 3.0.3/2008092417]"]
11:28 -!- mark-use [n=chatzill@167.Red-83-58-255.dynamicIP.rima-tde.net] has quit [Read error: 110 (Connection timed out)]
12:03 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has joined ##openvpn
12:05 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
12:09 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:12 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has quit [Remote closed the connection]
12:22 < Optic> mooooo
12:23 < Hypnoz> woof woof!
12:27 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
12:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:41 -!- dazo [n=dazo@nat/redhat/x-umnvaoeysziozsyi] has quit [Read error: 110 (Connection timed out)]
12:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:59 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
12:59 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
13:00 -!- deception [i=oc80z@root.servergirl.net] has joined ##openvpn
13:00 -!- dazo [n=ndazo@nat/redhat/x-urcduzbboxnzjnbm] has joined ##openvpn
13:00 -!- dazo [n=ndazo@nat/redhat/x-urcduzbboxnzjnbm] has quit [Remote closed the connection]
13:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:01 -!- deception [i=oc80z@root.servergirl.net] has quit [Client Quit]
13:02 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
13:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:10 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:26 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 110 (Connection timed out)]
13:27 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
14:08 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
14:11 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
14:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:03 -!- cq [n=chatzill@p5B0DF410.dip.t-dialin.net] has joined ##openvpn
15:03 < cq> !route
15:03 < vpnHelper> cq: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:12 < cq> I don't quite understand that document... I have a simpler case, where I have client--NAT--local_hub(192.168.2.x)--Server(withOpenVPN-192.168.2.80) where I would like to be able to access the entire 192.168.2.x net from the client... the Server only has one interface (eth0), can that work?
15:22 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
15:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
15:27 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
15:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:12 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
16:15 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
16:15 < Douglas> http://dougy.hosting.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com
16:15 < Douglas> wo0t
16:15 < vpnHelper> Title: Statistics for ovpnforum.com (2009-09) - main (at dougy.hosting.secure-computing.net)
16:18 -!- Rolybrau [n=Rolybrau@85.3.177.246] has joined ##openvpn
16:18 -!- nemysis [n=nemysis@unaffiliated/nemysis] has left ##openvpn ["I am off"]
16:19 -!- Rolybrau [n=Rolybrau@85.3.177.246] has left ##openvpn ["I am off"]
16:20 -!- Rolybrau [n=Rolybrau@85.3.177.246] has joined ##openvpn
16:20 -!- Rolybrau [n=Rolybrau@85.3.177.246] has left ##openvpn ["I am off"]
16:21 -!- Rolybrau [n=Rolybrau@85.3.177.246] has joined ##openvpn
16:22 -!- Rolybrau [n=Rolybrau@85.3.177.246] has left ##openvpn ["I am off"]
16:23 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has joined ##openvpn
16:23 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has quit [Client Quit]
16:25 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
16:25 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has joined ##openvpn
16:27 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:27 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has left ##openvpn ["I am off"]
16:30 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has joined ##openvpn
16:33 -!- unix3 is now known as epaphus
16:55 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
16:58 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has quit ["I am off"]
17:00 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has joined ##openvpn
17:01 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:06 -!- Rolybrau [n=Rolybrau@246-177.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
17:06 -!- nemysis [n=nemysis@unaffiliated/nemysis] has quit [Read error: 104 (Connection reset by peer)]
17:11 -!- Rolybrau [n=Rolybrau@85.3.177.246] has joined ##openvpn
17:13 -!- nemysis [n=nemysis@unaffiliated/nemysis] has joined ##openvpn
17:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:40 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
17:40 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
17:40 -!- unix3 is now known as epaphus
18:00 -!- Caplain [i=shayne@2001:470:5:fb:0:0:0:2] has joined ##openvpn
18:00 < Caplain> i can't get the vpn clients to ping each other
18:03 < Bushmills> !client-to-client
18:03 < vpnHelper> Bushmills: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
18:04 < Caplain> perfect!
18:04 < Caplain> thanks :)
18:04 < Bushmills> np
18:06 < Caplain> amazing...
18:13 * Douglas farts
18:20 * Bushmills holds his nose.
18:20 < Bushmills> have you eaten a cadaver?
18:20 < cq> I've got a REALLY weird Vista bug. I ran openvpngui with admin privs to get the routing working, but now, somehow, it NEVER uses the IP address from the .ovpn file, but seems to use a value (and a .crt file etc.) from somewhere in the registry... could that be possible? running ccleaner didn't help, reinstalling rebooting didn't either
18:21 < cq> it did use the correct info from the .ovpn file before I ran it as administrator
18:21 < Bushmills> cq, i reckon the problem is in your config
18:22 < cq> Bushmills: I checked the filenames five times... the config is correct. config is 192. addr, it goes to 195. config is blah.crt, it goes to other.crt
18:22 < cq> I've removed all other config files and crt, key, etc. files from the config dir too
18:22 < cq> no luck
18:27 < Hypnoz> that's pretty strange. And you said you reinstalled openvpn gui
18:27 < Hypnoz> 2.1_rc19 right
18:27 < cq> ok, weirder. if I hit Edit Config, it shows me a config file that isn't on the system anymore.
18:28 < Hypnoz> seems the path is different that openvpn is installed into than where you're looking
18:28 < Hypnoz> it should be C:\Program Files\openvpn\config right
18:28 < cq> seems so... I had it installed in /apps earlier, but that's completely deleted
18:28 < Hypnoz> check the path I wrote and see what files are in there
18:29 < Hypnoz> if you really get desperate, there is an option to search files on the computer for text inside them. You could search every file on your computer for the text of the IP address it's trying to connect to
18:30 < Hypnoz> then if it comes up with a file, see what location that file is in
18:30 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 131 (Connection reset by peer)]
18:30 < cq> no, something is seriously fsck'ed with vista.
18:31 < cq> using cygwin I see the file openvpn sees, explorer shows me something different.
18:31 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 110 (Connection timed out)]
18:31 < cq> I have ZERO clue what/how this could be
18:32 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:34 < cq> max weirdness. I double click on the file, and it opens notepad with the info that openvpn sees. I open it with notepad++ and it sees the 'wrong' info. I think I need a fsck run
18:37 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn
18:37 < JyZyXEL> Tue Sep 22 02:34:46 2009 openvpn_execve: external program may not be called due to setting of --script-security level
18:37 < JyZyXEL> Tue Sep 22 02:34:46 2009 script failed: external program fork failed
18:46 < Douglas> krzie: ping pong
18:47 < Hypnoz> ya cq that is some bad stuff
18:48 < cq> Hypnoz: yep. filesystem check, then full backup.
18:48 < JyZyXEL> what the hell is that error
18:50 < cq> JyZyXEL: security level must be set to a certain value to allow external scripts to be called, I got that as a NOTE in one of my logs
18:51 < Bushmills> !script-security
18:51 < vpnHelper> Bushmills: Error: "script-security" is not a valid command.
18:51 < JyZyXEL> the tutorial says openvpn [client config file]
18:51 < Bushmills> hm
18:51 < JyZyXEL> it talks nothing about some security-script
18:52 < Bushmills> --script-security level [method]
18:52 < Bushmills> This directive offers policy-level control over OpenVPN's usage
18:52 < Bushmills> of external programs and scripts. Lower level values are more
18:52 < Bushmills> restrictive, higher values are more permissive.
18:53 < Bushmills> default is 1
18:53 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:54 < JyZyXEL> i guess the debian packager decided to change the default then
18:55 < JyZyXEL> cause this tutorial shit ain't working
18:56 -!- cq [n=chatzill@p5B0DF410.dip.t-dialin.net] has quit [Remote closed the connection]
18:56 < Bushmills> use the man page
18:57 < JyZyXEL> sudo openvpn --script-security 90000 client.conf
18:57 < JyZyXEL> Options error: You must define TUN/TAP device (--dev)
18:57 < Bushmills> (value of 1 does not permit execution of scripts)
18:57 < JyZyXEL> why the hell does it now need a device defined
18:58 < Bushmills> i assume you didn't look what range of values for script-security is legal.
18:59 < Bushmills> oh well, guessing a config is also a way to get it working, albeit an inefficient way
19:01 < Bushmills> are you, by any chance, running uuntu?
19:01 < Bushmills> ubunu, that is
19:02 < JyZyXEL> i just commented out the "up /etc/openvpn/examples/home.up"
19:02 < JyZyXEL> looks like it was useless anyways
19:06 < JyZyXEL> it does: route add -net 192.168.0.0 netmask 255.255.255.0 gw $5
19:06 < JyZyXEL> what the heck is $5
19:07 < Bushmills> try an educated guess
19:21 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has joined ##openvpn
19:22 < thirdwheel> !/31
19:22 < vpnHelper> thirdwheel: Error: "/31" is not a valid command.
19:22 < thirdwheel> !rfc3021
19:22 < vpnHelper> thirdwheel: Error: "rfc3021" is not a valid command.
19:24 < thirdwheel> is there anything that would stop a link properly supporting /31 PtP addressing (RFC3021) if the underlying OS supports it?
19:25 < thirdwheel> in OpenVPN I mean
19:32 < Bushmills> !topology
19:32 < vpnHelper> Bushmills: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
19:33 < Bushmills> !subnet
19:33 < vpnHelper> Bushmills: Error: "subnet" is not a valid command.
19:33 < Bushmills> hm
19:34 < thirdwheel> what I mean is would openvpn throw a gasket if I were to try, or would it let it slide and work on both ends provided the OSes on each side supported it? I assume one would need to use tap mode
19:35 < Bushmills> yes, unless you change --topology
19:36 < Bushmills> openvpn defaults to net30 which allocates a /30 per client
19:38 < Bushmills> and no, tun will do
19:39 < thirdwheel> i tried tun, and it threw a hissy fit at me
19:39 < Bushmills> what did you set topology to?
19:39 < thirdwheel> subnet
19:39 < thirdwheel> it just seemed to ignore it
19:40 < Bushmills> what version of openvpn?
19:40 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
19:40 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
19:40 < thirdwheel> 2.1rc18 for the server and rc15 for the client
19:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
19:41 < Bushmills> sounds ok. dunno. tried p2p?
19:42 < thirdwheel> i did, and it failed, though not because of that setting - the client was borking on something... when I got it working both sides were set to tap so I left it there
19:44 < hardwire> meh.
19:46 < Bushmills> topology p2p is what I'm using right now.
19:48 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: infe, tarbo2, tjz
19:58 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
19:58 -!- infe [i=infe@avior.praxxa.com] has joined ##openvpn
19:58 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
20:00 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
20:18 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:40 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
21:12 -!- master_of_master [i=master_o@p549D441A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D42BB.dip.t-dialin.net] has joined ##openvpn
21:34 -!- jeiworth [n=jeiworth@189.163.187.22] has joined ##openvpn
21:36 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:42 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
22:43 -!- jeiworth [n=jeiworth@189.163.187.22] has quit [Read error: 60 (Operation timed out)]
22:48 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:55 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit []
23:04 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
23:07 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:25 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 54 (Connection reset by peer)]
23:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
23:57 -!- thedoc is now known as theDoc
--- Day changed Tue Sep 22 2009
01:10 -!- nemysis [n=nemysis@unaffiliated/nemysis] has left ##openvpn ["I am off"]
01:22 -!- bauruine [n=bauruine@2001:470:1f13:99b:216:eaff:feb3:722a] has quit [Read error: 113 (No route to host)]
01:46 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has quit ["Leaving"]
01:53 -!- cq [n=chatzill@p5B0DB259.dip.t-dialin.net] has joined ##openvpn
01:55 < cq> morning, I have openvpn installed and running on an ubuntu server behind a nat... that server has several virtual machines on it (with their own IP addresses...) how can I access those through the VPN as well? i.e. all the local 192.168.2.x addresses should also exist in the 10.0.8.x address space VPN uses... I looked at routing and bridging, but am not sure if that's what I need
02:08 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has joined ##openvpn
02:08 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has joined ##openvpn
02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:48 -!- dazo [n=dazo@nat/redhat/x-bhodypkiejqplnwp] has joined ##openvpn
02:55 < reiffert> cq: routing.
02:55 < reiffert> push "route 192.168.2.0 255.255.255.0"
02:55 < reiffert> done
02:55 < cq> thanks!
03:59 < tuxick> got a problem with multiple windows clients, thought i had a fix but it made stuff worse
03:59 < tuxick> "There is a problem in your selection of --ifconfig endpoints
03:59 < tuxick> [local=10.2.1.4, remote=10.2.1.1]. The local and remote VPN endpoints
03:59 < tuxick> must exist within the same 255.255.255.252 subnet."
05:05 < Bushmills> tuxick: same 255.255.255.252 subnet are addresses which end in 4..7, 8..11 etc. 1..4 isn't
05:07 < tuxick> must be something openvpn is doing implicitly then
05:07 < tuxick> because i didn't tell it to
05:07 < Bushmills> unlikely. I think something to that end has been written in your config
05:07 < tuxick> http://pastebin.ca/1574031
05:08 < Bushmills> look at those changes coming from "i had a fix but it made stuff worse"
05:08 < tuxick> but this error appeared when i added a line
05:08 < tuxick> sec
05:08 < tuxick> ifconfig-pool-linear
05:08 < tuxick> that broke things for doze clients
05:08 < tuxick> no problem with linux
05:10 < Bushmills> afaik, ifconfig-pool-linear is deprecated, and replaced by --topology p2p
05:10 < Bushmills> and p2p is, again afaik, not to be used with windows clients
05:11 < Bushmills> net30 or subnet should be your options for windows clients
05:12 < tuxick> i simply wanted to allow multiple windows clients with same configs/certs
05:13 < Bushmills> right, http://forthfreak.net/snap/1253614372742263425.png - look at the last line
05:13 * tuxick sighs
05:14 < tuxick> that's what you get for ad hoc fixing
05:14 < Bushmills> i think what you want to do is done with server option --duplicate-cn
05:15 < tuxick> yes, enabled that
05:16 < Bushmills> !duplicate-cn
05:16 < vpnHelper> Bushmills: Error: "duplicate-cn" is not a valid command.
05:16 < tuxick> ah that wasn't in the paste
05:16 < Bushmills> hrmph
05:16 < Bushmills> !factoids search duplicate-cn
05:16 < vpnHelper> Bushmills: No keys matched that query.
05:17 < tuxick> yeye, no worries :)
05:21 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:23 < Bushmills> if the problem remains, try to add --ifconfig-pool 10.2.1.4 10.2.1.251 to your server config
05:25 < Bushmills> hm.. wait .. a "server" directive to server config could be easier
05:25 < Bushmills> oh, there is one, but commented out.
05:26 < reiffert> be sure to check the manpage. "server" expands to multiple configuration lines.
05:26 * Bushmills gladly delegates that 05:27 * reiffert steps aside ;) 05:29 < tuxick> that wasn't commented out 05:29 < tuxick> it was to mark the "server" config section in the paste 05:29 < tuxick> hmm 05:30 < tuxick> and there is a 'server' line 05:33 < Bushmills> try mode server 05:34 < Bushmills> no don't. the server line should imply that 05:35 < reiffert> I cant see a server line on http://pastebin.ca/1574031 05:42 -!- Caplain [i=shayne@2001:470:5:fb:0:0:0:2] has quit [Read error: 60 (Operation timed out)] 06:07 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 06:14 -!- brizly1 [n=brizly_v@p4FC99F0E.dip0.t-ipconnect.de] has joined ##openvpn 06:15 -!- cq [n=chatzill@p5B0DB259.dip.t-dialin.net] has left ##openvpn [] 06:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:29 -!- brizly [n=brizly_v@p4FC99487.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:29 -!- Caplain [i=shayne@caplain.loves.fram.fbi.gov.silverelitez.org] has joined ##openvpn 06:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit ["Leaving"] 06:56 -!- waynerr [n=waynerr@p57A25BEE.dip.t-dialin.net] has joined ##openvpn 07:02 -!- thedoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 07:28 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 07:32 < Rolybrau> What is the best Router for OpenVPN and VoIP? 07:33 < tuxick> ??? 07:37 < Rolybrau> Harware Router as Linksys or Netgear 07:40 < dazo> Rolybrau: that'd work 07:40 * dazo have good Linksys experiences with the good old WRT54GL 07:41 < Rolybrau> and new Linksys 160NL 07:43 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 07:45 < Rolybrau> dazo I knew that WRT54GL works with OpenWRT Images, but 160NL is new one 07:48 < dazo> Rolybrau: might work fine .... 
I know WCG200v2 is officially on Linus Torvalds "hate list" ... (http://torvalds-family.blogspot.com/2009/07/not-so-evil-empire.html) 07:48 < vpnHelper> Title: Linus' blog: Not-so-evil empire (at torvalds-family.blogspot.com) 07:49 < dazo> Rolybrau: http://oldwiki.openwrt.org/Hardware%282f%29Linksys.html 07:49 < vpnHelper> Title: Hardware/Linksys (at oldwiki.openwrt.org) 07:50 < Rolybrau> Thanks I have looked at oldwiki 07:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:23 < Optic> moo 08:31 < tuxick> arf 08:35 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has joined ##openvpn 08:35 -!- waynerr [n=waynerr@p57A25BEE.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 08:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 08:40 < Rolybrau> What is the best Firmware for Router OpenWRT, FreeWRT, dd-wrt, Tomato 08:41 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 08:41 < zuez> Anyone have any clue why one linux box in particular keeps setting the p-t-p interface as a default gateway when connected to an openvpn server... it shouldn't be using that as the default gateway 08:49 -!- _markus [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 08:49 -!- jeiworth [n=jeiworth@189.177.252.69] has joined ##openvpn 08:54 < dazo> zuez: are you using --redirect-gateway in your client config? or is it getting pushed? 08:55 < dazo> Rolybrau: I personally stay away from dd-wrt, I don't consider their approach towards handling security issues good - and one release did have 2 IP addresses hard coded in iptables, opening it up for those addresses 08:56 < Rolybrau> dazo I knew that dd-wrt is bad Firmware, thanks 08:56 < dazo> Rolybrau: I've heard a lot of good commends for Tomato, but I'm not sure if an openvpn version is available upstream by now .... 
earlier, that was a "third party" Tomato version with OpenVPN 08:57 < dazo> Rolybrau: I'm very happy with X-WRT (which is based on OpenWRT with web GUI in addition) 08:58 -!- _markus_ [n=markus@c83-250-33-131.bredband.comhem.se] has quit [Remote closed the connection] 08:59 < Rolybrau> Is X-WRT is better as OpenWRT or the same. There is another Web GUI at http://www.gargoyle-router.com/index.php 08:59 < vpnHelper> Title: Gargoyle Router Management Utility (at www.gargoyle-router.com) 09:02 -!- _Brandon_ [n=Brandon@93-43-150-22.ip92.fastwebnet.it] has joined ##openvpn 09:02 < dazo> Rolybrau: X-WRT = OpenWRT + webUI (webif2, iirc) .... so it is 100% OpenWRT with extra features 09:02 < Rolybrau> dazo thanks this is also same Firmware 09:04 -!- markl_ [n=mark@tpsit.com] has joined ##openvpn 09:04 < markl_> is it possible for the new mac vpn client to connect to an openvpn server? 09:04 < _Brandon_> hi, does all the traffic route through the openvpn server? because I get a very high latency when pinging between two clients 09:05 < dazo> markl_: nope ... you need an openvpn client .... but you have tunnelblick for mac 09:05 < dazo> _Brandon_: depends on your routing table 09:06 < markl_> dazo: ok thanks 09:06 < _Brandon_> dazo: I just enabled client-to-client 09:07 < dazo> _Brandon_: client-to-client .... is only useful to make several openvpn clients visible for each other, and that traffic goes via the openvpn server 09:09 -!- thedoc is now known as theDoc 09:11 < _Brandon_> dazo: I need this to be able to connect remotely to other clients for support etc.. so I think that I need client-to-client 09:11 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 09:12 < dazo> _Brandon_: if you are on one openvpn client side and wants to establish a connection to another openvpn client .... 
it is good to enable client-to-client, as that traffic will then be routed internally in openvpn, avoiding putting data on the tun/tap device on the openvpn server 09:13 < dazo> _Brandon_: if you are using p-t-p setup with tun device, client-to-client is required to make this work, iirc 09:13 < _Brandon_> I use tun and client-to-client 09:13 -!- jeiworth [n=jeiworth@189.177.252.69] has quit [Read error: 104 (Connection reset by peer)] 09:14 -!- jeiworth [n=jeiworth@189.177.252.69] has joined ##openvpn 09:14 < dazo> _Brandon_: then your traffic latency will be influenced by the speed of the slowest link 09:14 < _Brandon_> which is the server in my case since it's in the us, and I'm in europe 09:17 < dazo> ovpnclient1<---L1--->openvpn server<------L2------>ovpnclient2 ..... if L1 is slower than L2, the maximum speed you will get from client1 to client 2 will be maximum the speed of L1 minus traffic overhead 09:20 < _Brandon_> from what I see I get l1+l2 when pinging, when I ping the server I get around 150ms when pinging the other client I get 320ms 09:22 < dazo> _Brandon_: that sounds a bit too much, to be honest 09:22 < dazo> _Brandon_: do you use UDP or TCP? 09:22 < _Brandon_> udp 09:22 < dazo> _Brandon_: hmm 09:23 < dazo> _Brandon_: I'm not sure what the reason could be here 09:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 09:45 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 09:45 -!- Abel408 [i=4a4626bd@gateway/web/freenode/x-gwpcvgwotmylyglq] has joined ##openvpn 09:47 < Abel408> I'm getting a really weird error with one of my openvpn clients and would love if someone could take a look at it with me. The problem is that everytime my router successfully initiates a connection with the openvpn server it seems to go dead. My computer is given a self-ip address, but I can still ssh into the router. 
There is a lot of helpful information on my problem here: http://pastebin.com/d4194ebf0 09:47 < Abel408> Any help is greatly appreciated. 09:48 < reiffert> I bet your router changes routing or bridging when it conncets and so fucks your wan connection 09:49 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has quit [Remote closed the connection] 09:50 < reiffert> paste the server config and from the client paste: 09:50 < Abel408> added the ifconfig here: http://pastebin.com/d3a60544d 09:50 < reiffert> before connection: brctl show; route -n 09:50 < reiffert> and after that, again 09:50 < Abel408> reiffert: Ok, hold on one sec then, cause I will lose internet connection and crap 09:51 < reiffert> wait. 09:51 < reiffert> found it. 09:51 < Abel408> ok... 09:51 < reiffert> tun0 gets an ip address from the same subnet that your br0 belongs to. 09:51 < reiffert> change that to a different subnet and use routing, or: use tap and bridge the tap to br0 09:51 < reiffert> have fun. 09:52 < Abel408> It should be getting 10.133.0.1 and 10.133.0.2 09:52 < reiffert> then have a close look on what you've pasted 09:52 < Abel408> yea I realize that, but why is it setting my tun0 to that subnet? 09:52 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has joined ##openvpn 09:53 < reiffert> # 09:53 < reiffert> Mon Sep 21 16:46:38 2009 /sbin/ifconfig tun0 10.133.4.5 pointopoint 10.133.4.6 mtu 1500 09:53 < reiffert> get the openvpn server conf. 
09:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:54 < Optic> mooo
09:55 -!- tuxick [i=BluesMur@82.95.232.97] has left ##openvpn []
10:02 < Abel408> reiffert: I added my server.conf to the bottom: http://pastebin.com/d18a014af
10:04 < reiffert> #
10:04 < reiffert> ifconfig 10.133.4.1 10.133.4.2
10:05 < reiffert> you want to read the manpage, especially:
10:05 < reiffert> the --server line and what it expands to
10:05 < reiffert> you should go on 10.8.0.0 255.255.255.0
10:05 < reiffert> additionally have a close look to
10:05 < reiffert> !route
10:05 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:05 < reiffert> but do the 1st step first.
10:06 < Abel408> Yea, the thing is My server is using untangle because I want to be able to have people who are not familiar with linux setup openvpn clients. I gotta figure out why untangle is doing that cause I can't change the config directly
10:09 < reiffert> wtf is untangle?
10:10 < reiffert> if you want linux newbies get their vpn going send them a zip file, please them to extract it and run that shellscript connect.sh which does all the magic. add the crt/ca files to the zip file and there you are.
10:10 < reiffert> however, you will have to run that vpn on a different subnet and use routing or see above for bridging. I recommend routing.
10:15 < Abel408> No, I want the linux newbies to access the openvpn server to setup the clients
10:18 -!- Rolybrau [n=Rolybrau@85.3.177.246] has quit [Read error: 145 (Connection timed out)]
10:26 -!- Rolybrau [n=Rolybrau@206-181.3-85.cust.bluewin.ch] has joined ##openvpn
10:29 < mischievious> untangle is a crappy distro, is what it is
10:35 < Abel408> I think it is pretty cool. Light weight and easy for anyone to use. Sucks that everything has to be done by the gui though
10:44 < reiffert> however, I don't see any reason for untangle not to work when you setup your vpn server the right way.
10:54 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
10:54 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:56 < Abel408> reiffert: Thats the thing... the untangle server is the openvpn server. But I did figure it out, I'm about to test it now. For some reason the last address pool you create becomes the address of the tun0
11:06 -!- Abel408 [i=4a4626bd@gateway/web/freenode/x-gwpcvgwotmylyglq] has quit [Ping timeout: 180 seconds]
11:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
11:06 -!- Abel408 [i=42a2b66c@gateway/web/freenode/x-dzuqzklqtvhnseny] has joined ##openvpn
11:08 < Abel408> hmmm... That didn't seem to work. My server.conf now says "ifconfig 10.133.0.1 10.133.0.2" but when the client connects I'm still getting "Tue Sep 22 12:04:07 2009 /sbin/ifconfig tun0 10.133.4.5 pointopoint 10.133.4.6 mtu 1500"
11:09 < Abel408> and the tun0 of my server is inet addr:10.133.0.1 P-t-P:10.133.0.2 Mask:255.255.255.255
11:27 -!- Abel408 [i=42a2b66c@gateway/web/freenode/x-dzuqzklqtvhnseny] has quit [Ping timeout: 180 seconds]
11:28 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:30 -!- Abel408 [i=4a4626bd@gateway/web/freenode/x-cobdavtbghsshdbi] has joined ##openvpn
11:31 < Abel408> Reiffert: Thanks for the assistance, but that did not fix it. My tun0 is now on a different subnet, but it still has the exact same problem
11:32 < Abel408> Not sure what this means: "Authenticate/Decrypt packet error: cipher final failed"
11:33 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"]
11:42 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:06 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
12:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:06 < DammitJim> good afternoon.. can someone please help me understand something about routing?
12:06 < DammitJim> I think I have successfully set up a vpn
12:07 < DammitJim> but I cannot ping certain devices on the network I'm vpn'ing to
12:07 < DammitJim> it almost seems the ping can't respond back... like it can't find a route back to the client
12:11 -!- Abel408 [i=4a4626bd@gateway/web/freenode/x-cobdavtbghsshdbi] has quit [Ping timeout: 180 seconds]
12:17 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:39 -!- dazo is now known as dazo|afk
12:49 -!- DammitJim [n=user@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"]
12:52 -!- Rolybrau [n=Rolybrau@206-181.3-85.cust.bluewin.ch] has left ##openvpn ["I am off"]
12:53 -!- Rolybrau [n=Rolybrau@206-181.3-85.cust.bluewin.ch] has joined ##openvpn
12:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:05 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:22 -!- bandini [n=bandini@host105-110-dynamic.16-79-r.retail.telecomitalia.it] has joined ##openvpn
14:07 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:23 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
14:39 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:51 -!- jeiworth [n=jeiworth@189.177.252.69] has quit [Read error: 110 (Connection timed out)]
15:32 -!- bandini [n=bandini@host105-110-dynamic.16-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:45 -!- mirco [n=mirco@p54B27546.dip.t-dialin.net] has joined ##openvpn
16:17 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has joined ##openvpn
17:00 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
17:02 -!- _Brandon__ [n=Brandon@93-43-150-22.ip92.fastwebnet.it] has joined ##openvpn
17:20 -!- _Brandon_ [n=Brandon@93-43-150-22.ip92.fastwebnet.it] has quit [Read error: 110 (Connection timed out)]
17:35 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:36 -!- Casandrax [i=Casandra@host-90-233-174-186.mobileonline.telia.com] has joined ##openvpn
17:45 -!- Serideru2 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:05 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:05 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:23 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
18:29 -!- andriijas [n=andreas@h-64-46.A155.priv.bahnhof.se] has joined ##openvpn
18:30 < andriijas> they are using openvpn at work, how can i see which routes the server forces on me when i connect to it and is it possible to refuse some of those rules?
18:39 -!- _Brandon__ [n=Brandon@93-43-150-22.ip92.fastwebnet.it] has quit ["Konversation terminated!"]
18:40 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
18:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
18:40 -!- mcu_ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has joined ##openvpn
18:40 < mcu_> hi
18:40 < mcu_> anyone around?
18:49 < Bushmills> it is your turn for a round
18:50 < mcu_> i need some help guys
18:50 < mcu_> i have one server
18:50 < mcu_> and i want to use openvpn to create a tunnel through a VPS at my host
18:51 < mcu_> when i browse the net i want to look like i am connecting from the vps IP
18:51 < mcu_> kind of like a proxy
18:52 < Bushmills> well, run a proxy there
18:52 < mcu_> i want more than a proxy though
18:53 < Bushmills> run two proxies
18:53 < mcu_> the problem is i am in canada and i can't access many of videos on youtube or hulu because they are just for USA
18:53 < mcu_> even yahoo videos
18:53 < mcu_> i also want to be able to mail out from the VPS
18:54 < Bushmills> run a mail server there
18:54 < mcu_> vps runs mail server
18:54 < Bushmills> use it
18:54 < mcu_> but i can't mail from my local PC and make it appear that its coming from the VPS IP
18:55 < mcu_> proxy is not enough for all this
18:55 < mcu_> is it?
18:56 < Bushmills> if your mailserver on the VPS sends your mail, of course it will appear as it is coming from there. it is coming from there, after all
18:56 -!- muna [i=d0b8061b@gateway/web/freenode/x-kivhvcalbmsoemkw] has joined ##openvpn
18:56 < muna> hello
18:56 < muna> anyone active
18:56 < muna> help
18:56 < Bushmills> !howto
18:56 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:57 < mcu_> but my mailer runs on local server
18:57 < muna> question is about wondering if vpn encrypts hides website addresses too
18:57 < muna> if i am client connecting ---->server
18:57 < Bushmills> it hides as much or as little as a network cable does
18:57 < muna> bushmills i dont understand
18:58 < Bushmills> how much does a network cable hide?
18:58 < muna> there is a server in our network
18:58 < muna> there is very bad server admin sitting there
18:58 < muna> our school use proxy
18:58 < Bushmills> openvpn won't hide bad admin
18:58 < muna> no bushmills i mean if it hides the websites i browsed
18:59 < muna> b/c the server admin always tracks the websites browsed using proxy software
18:59 < Bushmills> would those be hidden, if you used a network cable, to connect your client to a gateway?
18:59 < muna> i dunno
18:59 < muna> i am not network geek
18:59 < mcu_> u mean a cable network?
18:59 < muna> thats why i am asking
18:59 < Bushmills> answer is "it depends on the configuration of the gateway"
18:59 < muna> the gateway is proxy
19:00 < Bushmills> same with openvpn. by itself, it doesn't hide anything,
19:00 < Bushmills> it is just a virtual equivalent of a network cable, sort of.
19:00 < muna> what do u mean configuration of gateway???
19:00 < mcu_> oh
19:00 < muna> we use proxy i told u
19:01 < muna> client ----> proxy -----> server -----> internet
19:01 < muna> client ----> vpn ------> proxy------> server ------> internet
19:02 < mcu_> on the vps will i need shell access to enable the vpn
19:02 < Bushmills> if your openvpn server is outside proxy or server, proxy or server won't see what you're browsing
19:02 < muna> thanks bushmills of course it is outside
19:03 < muna> i use free vpn service
19:03 < muna> it is called hotspot shield
19:03 < Bushmills> in that case, server or proxy only see a stream of data
19:03 < muna> anchorfree.com
19:03 < Bushmills> but not what kind of connections, or what contents
19:04 < muna> so if i browse google the admin only sees vpn service ip right? not google ip
19:04 < Bushmills> if you resolve host names over openvpn too, they also don't see with whom your client is talking.
19:04 < muna> http https connections
19:04 < muna> sometimes i use irc
19:05 < mcu_> so its good when you are p2ping?
19:05 -!- Xayto [n=INTTACT@202.181.80.16.static.rev.eftel.com] has joined ##openvpn
19:05 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
19:05 < muna> very rarely i use smtp too
19:06 < muna> thanks bushmills u seem experienced
19:07 < muna> what else can you tell me to efficiently use vpn
19:07 < Bushmills> no. just a run-of-the-mill user
19:07 < muna> and more security
19:07 < Bushmills> learn to use the bot
19:08 < muna> great thanks what vpn do u use paid or free
19:08 < muna> i use as i told u before free vpn
19:10 < muna> great channel great ppl be blessed with vpn service :D
19:11 -!- muna [i=d0b8061b@gateway/web/freenode/x-kivhvcalbmsoemkw] has left ##openvpn []
19:32 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: vindex, krzie, stein0, sticky, |Mike|, infe, Casandrax, JyZyXEL, ribasushi, Rolybrau, (+24 more, use /NETSPLIT to show all of them)
19:33 -!- Netsplit over, joins: tjz, Casandrax, jeiworth, Rolybrau, markl_, zuez, Caplain, brizly1, tarbo2, infe (+24 more)
19:33 -!- zuez_ [n=sf@catalyst.httpd.org] has joined ##openvpn
19:33 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood]
19:34 < mcu_> anyone still here?
20:10 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:10 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 145 (Connection timed out)]
20:29 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:40 -!- mirco_ [n=mirco@p54B23E48.dip.t-dialin.net] has joined ##openvpn
20:47 -!- mirco [n=mirco@p54B27546.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:47 -!- mirco_ is now known as mirco
20:50 < mcu_> anyone here?
21:12 -!- master_of_master [i=master_o@p549D42BB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 < Xayto> !config
21:16 < vpnHelper> Xayto: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
21:16 -!- master_of_master [i=master_o@p549D4254.dip.t-dialin.net] has joined ##openvpn
21:18 < Bushmills> mcu_: http://oldwiki.openwrt.org/IRC.html
21:18 < vpnHelper> Title: IRC (at oldwiki.openwrt.org)
21:28 < mcu_> sorry
21:28 < mcu_> i setup my vpn and connection works...now my problem is with smtp port forwarding
21:28 < mcu_> i was hoping someone can help me with this
21:32 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
21:34 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:43 -!- xattack [n=enrique@lidsol.fi-b.unam.mx] has quit ["leaving"]
22:29 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)]
22:56 -!- theDoc [n=zing@119.73.165.162] has joined ##openvpn
22:58 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn
23:17 -!- theDoc [n=zing@119.73.165.162] has quit [Read error: 110 (Connection timed out)]
23:23 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:47 -!- Xayto [n=INTTACT@202.181.80.16.static.rev.eftel.com] has quit ["Leaving"]
23:56 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
--- Day changed Wed Sep 23 2009
00:05 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
00:08 -!- Casandrax [i=Casandra@host-90-233-174-186.mobileonline.telia.com] has quit [Read error: 110 (Connection timed out)]
00:09 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
00:14 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has quit []
00:25 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Remote closed the connection]
00:42 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
00:48 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
00:54 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
00:59 -!- hyper_ch [n=hyper@adsl-84-227-95-150.adslplus.ch] has quit [Remote closed the connection]
01:34 -!- hyper_ch [n=hyper@adsl-84-227-95-150.adslplus.ch] has joined ##openvpn
01:49 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:50 -!- tjz [n=tjz@220.255.158.226] has joined ##openvpn
02:04 -!- dazo|afk is now known as dazo
02:05 -!- dazo [n=dazo@nat/redhat/x-bhodypkiejqplnwp] has quit [Remote closed the connection]
02:05 -!- dazo [n=ndazo@nat/redhat/x-lgvqoaajwlrkvptx] has joined ##openvpn
02:26 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
03:03 -!- hyper_ch [n=hyper@adsl-84-227-95-150.adslplus.ch] has quit [Remote closed the connection]
03:34 -!- thedoc_ [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
03:35 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has joined ##openvpn
03:42 -!- robotti^ [i=robotti@kapsi.fi] has quit [Remote closed the connection]
03:42 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
04:06 -!- waynerr [n=waynerr@p57A25C35.dip.t-dialin.net] has joined ##openvpn
04:23 -!- myton [n=manuel@adsl-69-229-62-65.dsl.sndg02.pacbell.net] has joined ##openvpn
04:59 -!- waynerr [n=waynerr@p57A25C35.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
05:00 -!- bauruine [n=bauruine@203-35.104-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
05:05 -!- andriijas [n=andreas@h-64-46.A155.priv.bahnhof.se] has left ##openvpn []
05:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:02 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:27 -!- brizly1 [n=brizly_v@p4FC99F0E.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:29 -!- brizly [n=brizly_v@p4FC9A13E.dip0.t-ipconnect.de] has joined ##openvpn
06:53 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
07:45 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
07:57 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
08:05 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
08:11 -!- Rolybrau [n=Rolybrau@206-181.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
08:11 -!- Rolybrau [n=Rolybrau@94-123.3-85.cust.bluewin.ch] has joined ##openvpn
08:16 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
08:22 -!- myton [n=manuel@adsl-69-229-62-65.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
08:22 -!- myton [n=manuel@adsl-69-229-62-65.dsl.sndg02.pacbell.net] has joined ##openvpn
08:23 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
08:26 -!- lloyd_ [n=lloyd@c-66-41-36-92.hsd1.mn.comcast.net] has joined ##openvpn
08:28 < lloyd_> hi, im trying to setup openvpn. I have the authentication and all that working. I was able to setup a point to point tunnel just fine. However I want to set it up so that i can get to the internal network. Is this just ip forwarding rules in my firewall? I am not sure if it matters but i do have a hardware firewall that nats before it gets to the openvpn server itself.
08:29 < lloyd_> !route
08:29 < vpnHelper> lloyd_: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:34 -!- lloyd_ [n=lloyd@c-66-41-36-92.hsd1.mn.comcast.net] has quit ["Leaving"]
08:36 -!- myton [n=manuel@adsl-69-229-62-65.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
08:39 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
08:44 -!- manuel_ [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
08:44 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
08:44 -!- zuez_ [n=sf@catalyst.httpd.org] has quit ["."]
08:46 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
08:55 -!- misse- [i=misse@misse.org] has joined ##openvpn
09:04 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
09:23 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
09:55 < Optic> mooo
10:10 -!- c64zottel [n=hans@p5B17B21A.dip0.t-ipconnect.de] has joined ##openvpn
10:10 -!- c64zottel [n=hans@p5B17B21A.dip0.t-ipconnect.de] has left ##openvpn []
10:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:20 -!- lloyd [n=lloyd@fw-ext.ncell.com] has joined ##openvpn
10:21 < lloyd> for windows openvpn client access im using the openvpn GUI program. Is there a way to set it up for username / passwd authentication along with the TLS?
10:22 < |Mike|> you're referring to PAM ?
10:23 < lloyd> well on the server im using openldap
10:23 < lloyd> i have networkmanager on a linux box and it works great to do the username/passwd +TLS
10:23 < lloyd> im just trying to do the same thing on the windows side
10:23 < lloyd> but yeah essentially pam via ldap
10:24 < lloyd> maybe its just user or name or something but i havent found any examples of how to pass a username and password in the client.ovpn
10:24 < lloyd> prompting for it would also be fine
10:26 < lloyd> if there is a better alternative to openvpn GUI for windows too im all for suggestions =)
10:26 < |Mike|> !ubuntu
10:26 < vpnHelper> |Mike|: "ubuntu" is dont use network manager!
10:27 < |Mike|> there are no alternative openvpn clients for windows as far as i know
10:28 < lloyd> so yeah in networkmanager i put in my cert definitions and such and then put in a username password
10:29 < lloyd> but in the windows openvpn GUI i dont see any directives for username/passwd
10:30 < |Mike|> if you're using client certs, you don't need a l/p :P
10:33 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:34 < lloyd> well what if i wanted to disable certs and do just l/p
10:34 < lloyd> i suspect the answer is you cant do it
10:35 < |Mike|> it is possible with a PAM module
10:35 < lloyd> k ill look up windows openvpn pam
10:35 < lloyd> see if i cant find a pam module for the client side
10:35 < |Mike|> no, you can configure it on the server
10:36 < |Mike|> http://www.howtoforge.com/openvpn_wikid_strong_authentication
10:36 < vpnHelper> Title: How to configure OpenVPN to use WiKID Strong Authentication | HowtoForge - Linux Howtos and Tutorials (at www.howtoforge.com)
10:36 < |Mike|> you can use some parts of his openvpn snippets
10:37 < lloyd> oh on the server side i have pam already working
10:37 < lloyd> with openldap
10:37 < lloyd> that works great
10:37 < lloyd> i just dont know how to get the windows client to pass a username / password.
10:37 < |Mike|> you can comment the client certs out
10:37 < |Mike|> and restart the client (only the client, not the os)
10:37 < lloyd> oh will it prompt me for username then?
10:38 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
10:38 < |Mike|> no idea, i never used that insecure way of authentication :P
10:38 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:39 < lloyd> yeah it just fails heh
10:39 < lloyd> ill maybe just try adding username=
10:39 < lloyd> and see if that works as a guess.
10:39 < mcu_> quick question guys...where are the ovpn config files stored?
10:39 < mcu_> which directory?
10:39 < mcu_> in linux
10:40 < |Mike|> /etc/openvpn.conf
10:40 < mcu_> yes thats what i read, but its not there
10:40 < |Mike|> then copy server.conf to openvpn.conf
10:41 < mcu_> ok
10:41 < |Mike|> !howto
10:41 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:41 < mcu_> it will look in /etc by default?
10:41 < |Mike|> scroll all the way down, there is a config as well
10:41 < |Mike|> lloyd: i never used it, maybe you could google for it :d
10:42 -!- tjz [n=tjz@220.255.158.226] has quit [Read error: 145 (Connection timed out)]
10:44 < |Mike|> lloyd: http://openvpn.net/index.php/open-source/documentation/howto.html#auth
10:44 < vpnHelper> Title: HOWTO (at openvpn.net)
10:44 < |Mike|> Script plugins can be used by adding the auth-user-pass-verify directive to the server-side configuration file. For example:
10:44 < |Mike|> auth-user-pass-verify auth-pam.pl via-file
10:46 < dazo> mcu_: openvpn does not have a hard coded place to check for config files .... the openvpn binary requires the --config parameter to point at a config file
10:46 < dazo> mcu_: however ... most distros got some init.d scripts which mostly look in /etc/openvpn .... some look for openvpn.conf in this dir, others for tun0.conf .... it depends on your distro
10:47 < |Mike|> and OS
10:47 < |Mike|> freebsd uses server.conf
10:47 < |Mike|> but several servers at work use other config names
10:48 < dazo> bottom line is ... it's not standardised :)
10:48 < dazo> lloyd: did you solve your --auth-user-pass issue?
10:49 * dazo uses that feature
10:52 -!- manuel_ [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
10:52 -!- manuel_ [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
10:57 -!- mcu__ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has joined ##openvpn
11:00 -!- lloyd_ [n=lloyd@c-66-41-36-92.hsd1.mn.comcast.net] has joined ##openvpn
11:01 -!- lloyd [n=lloyd@fw-ext.ncell.com] has quit [Read error: 110 (Connection timed out)]
11:02 -!- bytesaber_ is now known as bytesaber
11:09 -!- lloyd_ [n=lloyd@c-66-41-36-92.hsd1.mn.comcast.net] has quit ["Leaving"]
11:15 -!- mcu_ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
11:18 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"]
11:22 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:26 < |Mike|> dazo: omg, you h4x0r :)
11:30 < dazo> |Mike|: watch your bac^Wnetwork ;-)
11:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
11:56 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:59 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has joined ##openvpn
11:59 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has left ##openvpn []
12:00 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has joined ##openvpn
12:02 < rorre> Hello. I am trying to configure it so that a windows client machine at my workplace can behave as if it is connected to my home server's network. First off, is this the correct software to accomplish this goal?
12:04 -!- fahadsadah is now known as zz_fahadsadah
12:20 < Hypnoz> sure
12:20 < Hypnoz> you can also set it so traffic gets tunneled through your home network instead of using your corporate internet. This would allow you to browse porn at work
12:21 < rorre> Hypnoz: that's what I'm trying to accomplish.
12:22 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:22 -!- dazo is now known as dazo|afk
12:23 < Hypnoz> there is an awesome walkthrough on how to set it up on the openvpn site.
12:23 < Hypnoz> http://openvpn.net/howto.html#quick
12:28 < rorre> Hypnoz: I believe I missed a step. I had set it up and was connecting, but since changed the configuration file a bit to fix what i thought was messed up and can no longer connect.
12:28 < rorre> What would be useful information to provide to help troubleshoot.
12:35 < Hypnoz> rorre, I'm assuming you're using the windows 2.1_rc19 client from the openvpn site?
12:35 < Hypnoz> if so, you can right click the little icon by the clock, and click "show log"
12:36 < Hypnoz> and it may give you some info about a pushed route not working right
12:36 < Hypnoz> i know sometimes you need to run the openvpn gui client as administrator
12:36 < rorre> I am using OpenVPN GUI for windows v 1.0.3
12:37 < rorre> I was previously connecting to the vpn, so my user permissions are acceptable, I modified a few lines relating to the ip addresses in the server config and now cannot connect
12:37 < rorre> I think what I want to accomplish is bridging.
12:40 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has quit [Remote closed the connection]
12:43 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has joined ##openvpn
12:43 < rorre> oops
12:43 < rorre> restarting my dhcpcd service kicks me out of irc
12:43 < rorre> Hypnoz: did I miss anything?
12:44 < Hypnoz> If I were you, on your windows machine connecting to openvpn, I would download 2.1_rc19
12:44 < Hypnoz> it works much better than 1.0.3
12:44 < Hypnoz> its like 3 years newer
12:44 < rorre> Wow, I have no idea why I have such an old client. I'll start there.
12:45 < Hypnoz> Do you know what version you installed for openvpn server?
12:45 < Hypnoz> are you at least in 2.x?
12:45 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:46 < rorre> 2.1_rc19
12:46 < Hypnoz> ya I'd go to http://www.openvpn.net/index.php/open-source/downloads.html and get the 2.1_rc19 for your client
12:47 < vpnHelper> Title: Downloads (at www.openvpn.net)
12:47 < rorre> Hypnoz: yeah, i had googled openvpn windows client and it sent me to some german 2006 website
12:47 < Hypnoz> ahh
12:47 < rorre> got the latest now, odd that i missed it before
12:47 < Hypnoz> ya they make it kinda confusing on their main site, since they dont list the newest client on top
12:47 < rorre> well i guess it's newest stable
12:47 < rorre> and then newest beta
12:48 < rorre> wow this actually gave me a verbose error message
12:48 < rorre> lol
12:48 < Hypnoz> newest stable was october 2006 lol
12:48 < rorre> i like this version
12:49 < rorre> neat - im connected now
12:49 < rorre> lol
12:50 < Hypnoz> woot
12:51 < rorre> it's not working, but I'm connected. So a start :)
12:51 < Hypnoz> right click the openvpn gui icon in your system tray and select "show log"
12:52 < Hypnoz> is your openvpn network on the same subnet as your home computers, or a different subnet (like 10.0.8.0/24)
12:52 < rorre> I set it to the same subnet
12:52 < rorre> but am unable to ping computers from the client
12:52 < rorre> I set it up using the first option of bridging
12:53 < Hypnoz> hmm ya I was having that same issue
12:53 < rorre> Cool, any tips? :)
12:53 < Hypnoz> I thought I was on the network, but couldn't ping. I ended up making it on another network, and setting up a static route in the router
12:53 < rorre> I don't have fine control over my router.
12:54 < rorre> It's a pos verizon actiontech thing.
12:54 < Hypnoz> you might have to set up a static route like I did
12:54 < rorre> I don't know that my router allows that.
12:54 < rorre> when i was using the 10.33.x.x network i was able to ping the server from the client
12:55 < Hypnoz> my router didn't allow that either
12:55 < Hypnoz> so i had to set the static route on the computers themselves
12:55 < rorre> maybe i misunderstand the concept
12:56 < Hypnoz> I'm hesitant to have you go through this because I'm not sure this is the best way, but here's what I think happens. The computer that connects into the network through VPN isn't directly attached to the router
12:56 < rorre> I also know very little about the whole vpn thing in general: I have a network device called tap0 on the server that has a bad ip address
12:56 < Hypnoz> it's attached to the vpn computer, which is attached to the router
12:56 < Hypnoz> right
12:56 < rorre> I don't know if that's related
12:57 < rorre> well, traffic goes from client to router to server
12:57 < Hypnoz> so when a computer on the network wants to talk to a vpn connected computer, it can't just talk to the IP, it has to send the info to the vpn host computer first, which then passes it to the vpn connected client
12:58 < rorre> that makes sense
12:59 < Hypnoz> can you send me the line in your server.conf file that starts with "server" and has the network that vpn clients are connected to
13:00 < rorre> the line starting with 'server' is commented out
13:01 < Hypnoz> I think you need to have a server line to give the connecting clients a network to join to
13:02 < Hypnoz> or else they don't know what IP to get
13:02 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Success]
13:03 < Hypnoz> actually, it says "comment this out if you are ethernet bridging"
13:03 < Hypnoz> you might be doing that
13:03 < Hypnoz> does your server.conf say "dev tun" or "dev tap0" ?
13:03 < Hypnoz> would be like the 4th config option
13:07 < rorre> server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254
13:07 < rorre> is the line
13:07 < rorre> sorry for the delay im using vnc to irc and it hung
13:07 < rorre> i think this line is incorrect
13:08 < rorre> my server.conf says dev tap not dev tap0
13:12 < Hypnoz> From the OpenVPN walkthrough...
13:12 < Hypnoz> "Overall, routing is probably a better choice for most people, as it is more efficient and easier to set up (as far as the OpenVPN configuration itself) than bridging. Routing also provides a greater ability to selectively control access rights on a client-specific basis.
13:12 < Hypnoz> I would recommend using routing unless you need a specific feature which requires bridging, such as:
13:12 < Hypnoz> * the VPN needs to be able to handle non-IP protocols such as IPX,
13:12 < Hypnoz> * you are running applications over the VPN which rely on network broadcasts (such as LAN games), or
13:12 < Hypnoz> * you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server. "
13:13 < Hypnoz> if you already have a bridge set up and working it might not be worth it to change
13:14 < rorre> well
13:14 < rorre> i can connect to the server, but i wouldn't say it's working
13:14 < rorre> i think the reason its not working is that i didnt bridge tap0 to anything using my os bridging method
13:15 < rorre> or what it said in the config for server
13:15 < rorre> i need to go figure out how to do that i guess and then see if it works
13:15 < rorre> my client was assigned the ip 192.168.1.200 though
13:16 < Bushmills> !tunortap
13:16 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
13:21 < rorre> so i should go for tun most likely
13:22 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn
13:22 < rorre> i thought tun would add overhead - having to have two subnets instead of one
13:24 < cpm> you can do smb over tun, it's nmb that is awkward. As long as you know the path, it's fine, just can't browse.
13:29 -!- Rolybrau [n=Rolybrau@94-123.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
13:29 < rorre> i dont really care about using smb
13:29 < rorre> i want to use an application that uses ports 6000-6009 and 7000 and they are blocked at work
13:29 < rorre> that's about it.
13:37 < Bushmills> then don't bother using bridging mode.
13:38 < Bushmills> where is the app, and where is the openvpn server?
13:43 < mcu__> where does openvps_as web gui store its conf file?
13:46 < |Mike|> web gui ?
13:47 < mcu__> the web interface
13:47 < mcu__> it has to read some sort of file
13:47 < mcu__> some
13:47 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
13:48 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
13:48 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
13:48 -!- manuel_ [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 54 (Connection reset by peer)]
13:48 -!- Bushmills [n=Bushmill@verhau.de] has left ##openvpn []
13:49 < |Mike|> since when does openvpn got a web interface ?
13:49 < |Mike|> s/got/have
13:49 < |Mike|> +n somewhere as well
13:50 < mcu__> brb
13:50 -!- mcu__ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has left ##openvpn []
13:50 < |Mike|> euh
14:02 -!- Rolybrau [n=Rolybrau@94-123.3-85.cust.bluewin.ch] has joined ##openvpn
14:03 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
14:15 -!- swa_work [n=swa@69.196.165.165] has joined ##openvpn
14:41 -!- mirco [n=mirco@p5B23D39E.dip.t-dialin.net] has joined ##openvpn
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has quit [Read error: 110 (Connection timed out)]
14:46 -!- mirco [n=mirco@p5B23D39E.dip.t-dialin.net] has quit []
14:50 < krzie> mike, there have been a couple web UI's made
14:51 < krzie> and openvpnAS is made by them and is fully operated by webUI (i believe)
14:51 < krzie> but openvpn itself doesnt have one that is part of it
14:55 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn
15:02 -!- mcu_ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has joined ##openvpn
15:09 < mcu_> i have two servers guys
15:10 < mcu_> and maybe a 3rd later
15:10 < mcu_> i am quite confused.
15:13 < mcu_> i got openvpn running sorta.....but here is my situation. box1 is my main box and box 2 and 3 are on a different network and each have 10 ips
15:13 < mcu_> i want to be able to bind those IPs all to box 1.....should box1 be my server or client?
15:19 < krzie> good question, im not sure how youd do that
15:20 < krzie> would be easier i believe if you only needed ips from 1 to other
15:20 < krzie> then you could either use a tap and just fork them on over using dhcp or static ips
15:20 < krzie> or tun and NAT
15:21 < krzie> or tun and topology subnet (2.1 only) and waste 2 ips on network / subnet ips
15:21 < krzie> (instead of handing out lan ips for the vpn)
15:27 -!- sticky [n=zach@2607:f128:42:1:0:0:0:2] has quit [Read error: 104 (Connection reset by peer)]
15:27 < krzie> then again, i guess you could always just setup 2 vpns
15:28 < mcu_> right now i have server/client tunneling on 192.168.1.2
15:28 < mcu_> don't i need a gateway for 192.168.1.1 ?
15:31 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has joined ##openvpn
15:41 < krzie> huh?
15:49 -!- swa_work [n=swa@69.196.165.165] has quit [Read error: 145 (Connection timed out)]
15:52 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
15:52 < rorre> !redirect
15:52 < vpnHelper> rorre: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:54 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
15:55 < mcu_> any help for me?
15:55 < krzie> don't i need a gateway for 192.168.1.1 ?
15:55 < krzie> huh?
15:56 < mcu_> both server and client have tun0
15:56 < mcu_> both ip'ed 192.168.1.2
15:56 < mcu_> and gateway 192.168.1.1
15:56 < mcu_> but 192.168.1.1 does not exist yet
15:56 < mcu_> i need to create it
15:56 < mcu_> right?
15:56 -!- APTX| [n=APTX@213.251.162.70] has quit [Read error: 131 (Connection reset by peer)]
15:57 < krzie> server and client have the same ip!?
15:57 < krzie> you did something very very wrong
15:57 < krzie> !configs
15:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:57 < krzie> !sample
15:57 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
15:58 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"]
16:00 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has quit []
16:01 < rorre> !def1
16:01 < vpnHelper> rorre: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:01 < rorre> !ipforward !nat
16:01 < vpnHelper> rorre: Error: "ipforward" is not a valid command.
16:02 < rorre> !ipfoward
16:02 < vpnHelper> rorre: Error: "ipfoward" is not a valid command.
16:02 < rorre> god i wish i could freaking spell
16:02 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has joined ##openvpn
16:08 < mcu_> http://pastebin.ca/1577060
16:10 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 110 (Connection timed out)]
16:13 < mcu_> sorry ...its http://pastebin.ca/1577067
16:24 < mcu_> still there krzie?
16:24 -!- jeiworth [n=jeiworth@189.163.142.201] has joined ##openvpn
16:25 < Hypnoz> mcu, about your earlier question about binding multiple systems with IP's to one box, look in server.conf for the section right below the push routes
16:25 < Hypnoz> it will be commented out, one of the lines is ;client-config-dir ccd
16:26 < Hypnoz> but basically I think box 2 and box 3 would connect to box1 through vpn, and their private subnets would be passed to the box1 and local subnets
16:26 < Hypnoz> and=as
16:30 < mcu_> so basically box1 is server and will use the IPs of the clients
16:30 < mcu_> right?
16:30 < Hypnoz> yep
16:30 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has quit []
16:31 < mcu_> http://pastebin.ca/1577067
16:31 < mcu_> is that right though?
16:31 < mcu_> just add the new directive to the server you mentioned?
16:31 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 113 (No route to host)]
16:33 < Hypnoz> you seem to be missing a lot of stuff from both client.conf and server.conf
16:34 < mcu_> i'm just testing for a real basic tunnel now
16:34 < mcu_> will add the rest later
16:36 < Hypnoz> this is the server.conf section I'm referring to
16:36 < Hypnoz> http://pastebin.com/d5b8d6f5b
16:38 < Hypnoz> this section talks about setting that up
16:38 < Hypnoz> http://openvpn.net/howto.html#scope
16:39 < mcu_> man
16:39 < mcu_> ok
16:39 < mcu_> i am totally off
16:39 < mcu_> the conf files i pasted
16:39 < mcu_> just for a basic test
16:41 < mcu_> it creates the tunnels fine, but i can not ping the gateway 192.168.1.1
16:41 < Hypnoz> ya your conf files are kinda crazy
16:41 < mcu_> lol
16:42 < mcu_> how do i create a basic gateway for 192.168.1.1
16:42 < mcu_> i need to create a route?
16:42 < ecrist> sup, fuckers?
16:42 < Hypnoz> you don't even have the lines to connect to the .key, ca.crt, etc files
16:42 < mcu_> i dont need that yet
16:42 < mcu_> i just want a basic tunnel
16:42 < mcu_> sup ecrist
16:43 < Hypnoz> in server.conf you need to point it to the ca.crt, server.crt, server.key, dh1024.pem
16:43 < Hypnoz> i'm surprised your openvpn daemon even started
16:47 < Hypnoz> there are sample server.conf and client.conf files in /usr/share/doc/openvpn/examples/sample-config-files
16:47 < Hypnoz> i would suggest you copy those over, and make changes from there
16:49 < mcu_> yea ok i see all that
16:49 < mcu_> but none of them specify the IP of tun0
16:50 < mcu_> where do i specify that?
16:50 < Hypnoz> the IP on the client or the server?
16:50 < mcu_> both
16:50 < mcu_> both server and client will have a tun0
16:50 < mcu_> with an IP and common gateway...no?
16:51 < Hypnoz> server will by default listen on any IP, but the first option is ;local a.b.c.d which you can change to whatever IP you want if you only want the server to listen on a single interface
16:53 < Hypnoz> scroll down in server.conf to the section about client-config-dir, that will show you the options to connect other systems with their own subnets, and give them static IP's too if you want
17:03 < mcu_> this is the part i dont know how to do
17:03 < mcu_> http://pastebin.ca/1577123
17:04 < Hypnoz> basically this means that you need to add a route on your gateway to point that subnet to the IP on the openvpn box, unless the openvpn box is also your gateway
17:05 < Hypnoz> since the connected vpn clients aren't directly connected to the gateway, the gateway doesn't know how to route to them
17:05 < mcu_> thats what i am missing now also
17:05 < mcu_> how do i do that?
17:05 < Hypnoz> what is your gateway/router?
17:05 < mcu_> 192.168.1.1
17:05 < Hypnoz> what kind of device
17:05 < mcu_> thats what i defined in conf
17:06 < mcu_> so i need a physical device
17:06 < mcu_> or is it just a route?
17:06 < Hypnoz> you don't need to define that in any .conf cause the openvpn server is using that as the gateway
17:06 < mcu_> i mean i have my isp's gateway
17:06 < mcu_> but i am talking about the internal ip
17:06 < Hypnoz> ya, what is the device that has 192.168.1.1
17:06 < mcu_> gateway
17:07 < Hypnoz> is it a linksys, netgear, cisco router, F5?
17:07 < mcu_> none has 192.168.1.1
17:08 < Hypnoz> you just said your gateway IP is 192.168.1.1
17:08 < Hypnoz> what device is your gateway....
17:08 < mcu_> my physical gateway is my isps which is a cisco
17:08 < mcu_> its a server i am hosting there
17:09 < mcu_> thats got an external ip
17:09 < mcu_> now i am talking about 192.168.1.1
17:09 < mcu_> internal gateway
17:09 < mcu_> do i need a physical gateway for that also?
17:10 < Hypnoz> no, if you can't touch the physical gateway, then you can manually add static routes to each system
17:11 < Hypnoz> telling it that in order to route to the vpn subnet, it needs to use the openvpn server as the gateway
17:11 < mcu_> how do i do that?
17:11 < mcu_> for 192.168.1.1
17:12 < Hypnoz> on a linux computer, it would be something like "route add -net 10.1.5.0 netmask 255.255.255.0 gw 10.1.11.190" if your VPN subnet was 10.1.5.0 and your openvpn system was 10.1.11.190
17:13 < mcu_> ok well let me ask this
17:14 < mcu_> how do i know a vpn works?
17:18 -!- zerko [i=zerko@srv1.techality.com] has quit [Read error: 104 (Connection reset by peer)]
17:26 -!- Akiyuki [n=armin@e178216173.adsl.alicedsl.de] has joined ##openvpn
17:27 -!- Akiyuki [n=armin@e178216173.adsl.alicedsl.de] has left ##openvpn ["Ex-Chat"]
17:37 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
17:39 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has left ##openvpn ["bye."]
17:41 < Hypnoz> hey mcu if you're still there, you can make sure things are working right by running openvpn on the command line instead of as a daemon
17:41 < Hypnoz> /usr/sbin/openvpn --config /etc/openvpn/server.conf
17:41 < Hypnoz> or if you're running it from windows i'm not sure if you can do that
17:55 < krzie> or by pinging the vpn ip
17:55 < krzie> from other side
17:56 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:11 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has joined ##openvpn
18:16 < mcu_> still there krzie?
18:17 -!- brizly [n=brizly_v@p4FC9A13E.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
18:29 < krzie> im in and out
18:29 < krzie> Hypnoz is right, i didnt think of what he said
18:30 < krzie> his solution is cleaner
18:43 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
18:48 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:50 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
18:52 < mcu_> hypnoz you around?
19:01 < mcu_> i can now ping the server and client from each other using private ips
19:02 < mcu_> problem is i cant ping any IPs I add from server1 network to server 2 box
19:02 -!- brizly [n=brizly_v@p4FC9A13E.dip0.t-ipconnect.de] has joined ##openvpn
19:18 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
19:19 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has joined ##openvpn
19:30 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 104 (Connection reset by peer)]
19:32 -!- fsck [n=pegg@pool-71-174-42-30.bstnma.east.verizon.net] has joined ##openvpn
19:33 < fsck> is there a way to nat out of a vip like "iptables -t nat -A POSTROUTING -s 10.80.72.0/24 -o eth0:1 -j MASQUERADE" I get a error when I use the : "Warning: weird character in interface `eth0:1' (No aliases, :, ! or *)."
19:44 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Read error: 110 (Connection timed out)]
20:07 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:21 < fsck> how do I get this to work "iptables -t nat -A POSTROUTING -s 10.80.175.0/24 -o eth0:1 -j MASQUERADE"
20:22 < fsck> I just get a syntax error because of the vip right now
20:22 -!- theDoc [n=andelyx@unaffiliated/thedoc] has joined ##openvpn
20:39 -!- mirco_ [n=mirco@p54B2755D.dip.t-dialin.net] has joined ##openvpn
20:43 -!- Bushmills [n=Bushmill@verhau.de] has joined ##openvpn
20:45 < krzie> !linnat
20:45 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:45 < theDoc> krzie:)
20:46 < krzie> wassup doc
20:46 < theDoc> I just got hit with a dcma notice on one of my vpn boxes
20:46 < krzie> doh!
20:46 < theDoc> I claim ignorance, I don't know what users do :)
20:47 < theDoc> krzie> It was only 1 copy of naruto.
20:47 < theDoc> I'm just going to flip them the bird
20:47 < krzie> wtf is naruto
20:47 < theDoc> krzie> Some japanese manga.
20:47 -!- mirco [n=mirco@p54B23E48.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:47 -!- mirco_ is now known as mirco
20:47 < krzie> lol
20:48 < theDoc> I claim a no-policing policy and if they want me to monitor, they can pay me for it;)
20:48 < krzie> werd
20:48 < krzie> they will ask for assistance contacting the customer
20:49 < theDoc> krzie> I don't even know which customer did it
20:49 < theDoc> lol, randomized pool for connecting clients.
20:49 < krzie> o right
20:50 < theDoc> I have a pool of routable ips for exits:)
20:50 < theDoc> they kind of randomize themselves when clients connect
20:50 < theDoc> good luck to them if vpn picks up wide spread connectivity :)
20:51 < krzie> have you checked if you have any legal duty to monitor?
20:51 < krzie> like the responsibility lies on you unless you pass the buck
20:51 < theDoc> krzie> I have a no-policing/monitoring policy
20:52 < theDoc> The users are responsible for their own actions
20:52 < krzie> im not talkin bout your policy
20:52 < krzie> im talkin bout your legal responsibility
20:52 < krzie> which may or may not exist
20:52 < theDoc> krzie> doesn't exist i believe ;p
20:52 < theDoc> if it did, my provider would be screaming his head off now
20:53 < krzie> he can point at you
20:53 < krzie> if it did not exist, thepiratebay could be run from USA
20:53 < theDoc> hmm.
20:54 < theDoc> krzie> It's a grey area there. tpb was almost all copyright infringements ;p
20:54 < theDoc> on the other hand, we're just encrypting little ones and zeros:)
20:54 < theDoc> of course, ymmv.
20:54 < theDoc> something i will be talking to a few lawyers about ;p
20:54 < krzie> good idea
20:55 < krzie> im curious if the profit margin is high enough to warrant residing in the grey area
20:56 < krzie> and remember that with your current policy you could be used to xmit child porn, you will find yourself on the business end of the grey area if they find that happens
20:58 < fsck> how do I get this to work "iptables -t nat -A POSTROUTING -s 10.80.175.0/24 -o eth0:1 -j MASQUERADE" I want my traffic out look like it is coming from the vip ip
20:59 < krzie> im not really a linux guy, but ild say lose the -o
21:00 < fsck> krzie: how would i specify it to go out the eth0:1 interface then
21:00 < krzie> by ip
21:00 < krzie> !linnat
21:00 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:00 < krzie> #2
21:01 < krzie> what ya gotta know, BOTH those are eth0
21:01 < krzie> one is simply an alias
21:01 < krzie> and i guess you dont lose the -o
21:01 < krzie> you just use -o eth0 since :1 is still eth0
21:01 < krzie> and you SNAT to the ip thats on :1
21:02 < krzie> as i said, im no linux guru but thats what ild try
21:03 < theDoc> You can't -o eth0:1
21:03 < fsck> yaha eth0:1 is an illegal command
21:03 < theDoc> It's not an illegal command, you are using virtual interfaces and iptables doesn't handle vinterfaces
21:04 < fsck> what I am trying to accomplish is that right now it looks like all my traffic is coming from the eth0 interface, I want to change the ip so it looks like it is coming from a different ip
21:04 < fsck> specifically the eth0:1 ip
21:06 < fsck> !redirect
21:06 < vpnHelper> fsck: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:07 < fsck> !ipfowarding
21:07 < vpnHelper> fsck: Error: "ipfowarding" is not a valid command.
21:07 < fsck> !ipforward
21:07 < vpnHelper> fsck: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
21:07 < fsck> !linipforward
21:07 < vpnHelper> fsck: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
21:09 < fsck> been done, I have everything working so that the traffic goes in the vpn and out eth0, but now I want it to have it look like it is coming out the eth0:1 ip
21:09 < fsck> so each vpn user would have a different output ip
21:10 < krzie> fsck i told you how
21:10 < krzie> #2
21:10 < krzie> !linnat
21:10 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
21:10 < krzie> #2
21:10 < krzie> THAT IS HOW
21:11 < krzie> forget about eth0:1
21:11 < krzie> because eth0:1 IS THE SAME AS eth0
21:11 < krzie> use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to
21:11 < krzie> linux knows what virtual adapter the ip lives on
21:11 < fsck> I will try that now
21:12 < krzie> bbl
21:13 -!- master_of_master [i=master_o@p549D4254.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D4390.dip.t-dialin.net] has joined ##openvpn
21:17 -!- manuel_ [n=manuel@ppp-69-228-97-142.dsl.sndg02.pacbell.net] has joined ##openvpn
21:19 -!- manuel_ [n=manuel@ppp-69-228-97-142.dsl.sndg02.pacbell.net] has quit [Read error: 54 (Connection reset by peer)]
21:20 -!- manuel_ [n=manuel@ppp-69-228-97-142.dsl.sndg02.pacbell.net] has joined ##openvpn
21:26 < fsck> krzie: that was exactly what I was looking for, I also added in -s so that I could say that certain user would come out certain ip's, I am so happy now
21:30 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:33 -!- myton [n=manuel@ppp-69-229-29-47.dsl.sndg02.pacbell.net] has quit [Read error: 110 (Connection timed out)]
22:09 -!- naquad [n=naquad@83.143.234.194] has quit [Read error: 60 (Operation timed out)]
22:12 -!- naquad [n=naquad@83.143.234.194] has joined ##openvpn
22:38 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
22:46 -!- jeiworth [n=jeiworth@189.163.142.201] has quit [Read error: 110 (Connection timed out)]
22:48 -!- fsck [n=pegg@pool-71-174-42-30.bstnma.east.verizon.net] has quit ["This computer has gone to sleep"]
23:09 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
23:43 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzie, ribasushi
23:46 -!- Netsplit over, joins: ribasushi, krzie
--- Day changed Thu Sep 24 2009
00:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:10 -!- mirco [n=mirco@p54B2755D.dip.t-dialin.net] has quit []
00:15 -!- rawDawg [n=omglol@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)]
00:36 -!- mischievious [n=mischief@unaffiliated/mischief] has quit ["For they have sown the wind, and they shall reap the whirlwind."]
00:43 -!- manuel_ [n=manuel@ppp-69-228-97-142.dsl.sndg02.pacbell.net] has left ##openvpn ["Leaving"]
01:15 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
01:35 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has quit []
01:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
01:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:26 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
02:33 -!- Guest61669 [n=chatzill@85.183.72.24] has joined ##openvpn
02:36 -!- Guest61669 [n=chatzill@85.183.72.24] has left ##openvpn []
02:44 -!- appdev123 [n=chatzill@85.183.72.24] has joined ##openvpn
02:45 < appdev123> hello @ all
02:46 < appdev123> i need help
02:48 < appdev123> can i tell my issue?
02:48 < appdev123> ???
02:49 < appdev123> someone out there
02:49 < reiffert> no.
02:49 < appdev123> :-)
02:51 -!- dok- [n=andelyx@119.75.42.2] has joined ##openvpn
02:53 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
02:53 < appdev123> i have a tapped bridge and I can connect to the vpn server
02:54 < appdev123> i get the ip address correctly, but when I try to connect to other hosts in the net of the vpn server, I can not
02:57 < appdev123> here is my config
02:57 < appdev123> http://pastebin.com/d51440193
02:58 < appdev123> is there somebody who can help me out?
02:59 < appdev123> ???
03:02 < reiffert> ok, so you have placed your question, please sit here and wait for an answer.
03:07 < appdev123> it would be nice if someone could give me some hints
03:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
03:09 -!- dazo|afk is now known as dazo
03:34 -!- appdev123 [n=chatzill@85.183.72.24] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
03:47 -!- dok- is now known as theDoc
04:11 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: vindex, krzie, stein0, misse-, |Mike|, infe, ribasushi, Rolybrau, mrnice1, Typone, (+20 more, use /NETSPLIT to show all of them)
04:12 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Intensity, mcu_, MadTBone, dazo, pa, naquad, vpnHelper, kaii, jreno_, xenophile7x7, (+19 more, use /NETSPLIT to show all of them)
04:14 -!- dazo [n=nnnndazo@nat/redhat/session] has joined ##openvpn
04:15 -!- Netsplit over, joins: HardDisk_WP, kaii, stephenh, pa, redfox, freaky[t], Intensity, vpnHelper, MadTBone, sigius (+36 more)
04:15 -!- Netsplit over, joins: theDoc, robotti^, xenophile7x7, zz_fahadsadah, jreno_
04:15 -!- Rolybrau [n=Rolybrau@246-254.3-85.cust.bluewin.ch] has joined ##openvpn
04:15 -!- dazo is now known as Guest75273
04:15 -!- Guest75273 [n=nnnndazo@nat/redhat/x-ygwhhezsdflllmvc] has quit [Client Quit]
04:16 -!- Guest75273 [n=dazo@nat/redhat/x-lmdnaprsnoqktrtv] has joined ##openvpn
04:17 -!- Guest75273 [n=dazo@nat/redhat/x-lmdnaprsnoqktrtv] has quit [Client Quit]
04:17 -!- Guest75273 [n=ndazo@nat/redhat/x-txohhimnzojwjnfs] has joined ##openvpn
04:20 -!- Guest75273 is now known as dazo
04:28 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has joined ##openvpn
04:28 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
04:28 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn
04:28 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn
04:28 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
04:28 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
04:42 -!- jeiworth [n=jeiworth@189.163.142.201] has joined ##openvpn
04:52 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
04:54 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn
04:55 < |Mike|> krzie: never used one :p
05:01 -!- theDoc [n=andelyx@unaffiliated/thedoc] has quit ["Yaaar! Bend over lady! I'll show you a fishstick which makes it's own tartar sauce!"]
06:10 -!- colclough [n=cokes@87.198.213.218] has joined ##openvpn
06:14 -!- brizly1 [n=brizly_v@p4FC99607.dip0.t-ipconnect.de] has joined ##openvpn
06:28 -!- brizly [n=brizly_v@p4FC9A13E.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:31 -!- RadarG [n=justin@210.124.129.119] has joined ##openvpn
06:33 < RadarG> hello guys I'm still having some issues with my openvpn server I think that I have the configs right but it looks like the windows client isnt using the vpn route here is the config http://pastebin.com/d7319efcd
06:37 < RadarG> could it be that I'm using the client on a restricted account. I'm running the gui as admin and I can get to the admin page of my wrt
06:39 < |Mike|> what error does it give?
06:39 < |Mike|> !iroute
06:39 < vpnHelper> |Mike|: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
06:41 < RadarG> hmm it looks like nothing
06:42 < RadarG> I can ping the remote gateway
06:50 -!- artinfrieden [n=chatzill@82.113.121.84] has joined ##openvpn
06:56 < |Mike|> but?
06:57 < artinfrieden> hello i still try to find out how i can make a log, can i ask anyway something?
06:59 < |Mike|> verb 6 ?
07:00 < |Mike|> status openvpn-status.log
07:01 < |Mike|> but you might want to add /var/log/ to it ;)
07:04 < artinfrieden> Mike did you talk to me?
07:05 < artinfrieden> i found the log, i have to figure out how to use pastebin
07:05 < |Mike|> yes.
07:05 < |Mike|> !all
07:05 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
07:14 -!- RadarG [n=justin@210.124.129.119] has quit [Read error: 110 (Connection timed out)]
07:15 < artinfrieden> i am using vista. the comments i should remove from the log(?) what do you mean exactly? what comments?
07:23 < dazo> artinfrieden: all lines starting with #
07:23 < artinfrieden> ok i only have the logfile of the client, the server is at the company i think i do not have access from here
07:23 < artinfrieden> ah thank you
07:27 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
07:31 < artinfrieden> i will come back in the evening i have to delete the ip addresses from the logfile
07:32 < artinfrieden> thank you
07:32 -!- artinfrieden [n=chatzill@82.113.121.84] has quit [Remote closed the connection]
07:42 -!- colclough [n=cokes@87.198.213.218] has quit ["Leaving"]
07:51 < Optic> moo
08:00 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
08:07 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
08:13 -!- sno_ [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
08:13 < sno_> !redirect
08:13 < vpnHelper> sno_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:14 < sno_> !def1
08:14 < vpnHelper> sno_: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:15 < sno_> hi all. im troubleshooting a vpn issue where a server is accepting vpn connections to a heartbeat virtual ip, tcp works fine but the second instance of server accepts udp and connecting gives tls errors and connection refused.
08:15 < sno_> Wed Sep 23 20:19:28 2009 us=218273 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
08:31 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
08:36 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
08:39 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
08:40 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn
08:42 -!- thedoc_ [n=zing@unaffiliated/thedoc] has quit [Client Quit]
08:56 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn
08:58 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
09:01 -!- artinfrieden [n=chatzill@82.113.121.149] has joined ##openvpn
09:02 -!- thedoc_ is now known as theDoc
09:21 < artinfrieden> hi again, i do not have the config but hope you want to have a look at the logfile anyway. http://pastebin.com/d37b35153 the problem is, that the website with the dashboard is not loading(only a bit of the top but not the field where you write in and save et cetera) thank you
09:24 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
09:27 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn
09:28 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 104 (Connection reset by peer)]
09:30 -!- thedoc_ is now known as theDoc
09:47 -!- Rolybrau [n=Rolybrau@246-254.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
09:48 -!- Rolybrau [n=Rolybrau@246-254.3-85.cust.bluewin.ch] has joined ##openvpn
09:52 -!- jeiworth [n=jeiworth@189.163.142.201] has quit [Read error: 110 (Connection timed out)]
09:57 -!- jeiworth [n=jeiworth@189.177.20.229] has joined ##openvpn
09:58 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn
10:00 -!- dazo is now known as dazo|afk
10:00 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
10:00 < havoc> morning
10:01 < havoc> !redirect
10:01 < vpnHelper> havoc: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:01 -!- dazo|afk is now known as dazo 10:01 < havoc> !ipforward 10:01 < vpnHelper> havoc: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 10:02 < havoc> !winipforward 10:02 < vpnHelper> havoc: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 10:02 < rorre> !linipforward 10:02 < vpnHelper> rorre: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 10:03 < havoc> !nat 10:03 < vpnHelper> havoc: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 10:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 10:04 * havoc smacks head, forgot the entry in /etc/shorewall/masq :( 10:04 < havoc> not that that's my only issue though 10:05 < havoc> just installed openvpn-2.1_rc19-install.exe on a winxp sp3 client and redirect-gateway seems to be having no effect 10:06 * havoc tries a reboot 10:07 < havoc> I was using 2.0.9, but that didn't have the bypass-[dhcp|dns] options for redirect-gateway 10:07 < rorre> did you restart the serveR? 10:08 < havoc> the server, or the client service? 10:08 < havoc> both as a matter of fact though 10:08 < rorre> then i got nothin 10:08 < havoc> I'm only using redirect-gateway in the client config though, is that wrong? 10:08 < rorre> i dunno, my vpn doesn't work, I won't be of use :( 10:09 < havoc> ah, ok 10:12 < havoc> !def1 10:12 < vpnHelper> havoc: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:13 < havoc> yeah, redirect-gateway is having no effect, at least according to "route print" :(
10:14 < sno_> have discovered that my udp server conf allows a udp client to connect, but only when heartbeat isn't running or the server listening on the virtual ip :< anyone ran into this before or know a workaround? it seems the udp packets are being accepted but the return is not. no firewall in use
10:26 < |Mike|> vps ?
10:27 < |Mike|> sno_
10:29 < havoc> ok, I need a break from this
10:29 -!- mcu__ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has joined ##openvpn
10:36 -!- mcu_ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
10:52 -!- IceGuest_75 [n=IceChat7@69-165-130-53.dsl.caneris.com] has joined ##openvpn
10:54 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:54 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["leaving"]
11:00 -!- IceGuest_75 is now known as d0de
11:00 -!- mcu__ [n=mcu@modemcable070.241-59-74.mc.videotron.ca] has quit [Read error: 110 (Connection timed out)]
11:02 < d0de> hey, could anyone give me a hand troubleshooting my vpn? It's been working solidly for a month, and today it suddenly stopped working and I have no idea why
11:03 < d0de> it connects properly but it's not routing any traffic
11:04 < d0de> ignore the previous two sentences, I just checked my firewall
11:05 < dazo> heh
11:06 * dazo wonder if an ircbot should send out reminders regularly .... "Have you checked your firewall?" ....
11:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:19 < artinfrieden> dazo are you still there?
11:19 < artinfrieden> the vpn connects but the website will not load the ajax googleapi
11:20 < artinfrieden> i connect through umts
11:20 < Bushmills> dazo: it is written in capitals in the topix
11:20 < Bushmills> topic
11:20 < artinfrieden> do you know what it could be?
11:25 < Optic> hai
11:25 < artinfrieden> hello
11:25 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
11:27 -!- d0de [n=IceChat7@69-165-130-53.dsl.caneris.com] has quit ["Copywight 2007 Elmer Fudd. All wights wesewved."]
11:45 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
11:51 < artinfrieden> can anyone help me please?
11:53 < sno_> fixed, problem was the local declaration :)
11:53 < sno_> |Mike|: it was a real system , had the wrong ip in "local" and needed local to allow openvpn to listen to the heartbeat alias'd ip, not the real ip
11:56 < sno_> artinfrieden: don't ask to ask, just state your question and any troubleshooting you have done so far, if anyone knows they will reply :)
11:58 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
11:59 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
12:00 < artinfrieden> i use vista and start openvpn as admin. it connects. i checked firewall and added udp port 5000. but still the dashboard will not load (this is a ajax googleapi).
i put the client log to the pastebin (have no server log atm): http://pastebin.com/d37b35153 the vpn works with the DSL connection but since a few months i try to use UMTS but don't know the mistake
12:03 < artinfrieden> thanks sno_
12:05 < artinfrieden> sometimes the vpn disconnects and connects again immediately
12:07 < artinfrieden> i can use the rest of the website but only the window where i have to type in text and all the buttons like save et cetera will not load
12:12 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:12 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection]
12:14 < sno_> would be interesting to see server log too artinfrieden , not sure whats going on
12:14 < sno_> heading home for the evening, cya all <3
12:14 < artinfrieden> cu
12:14 < artinfrieden> :)
12:24 < artinfrieden> i found out that when i press the back button in the browser while it still tries to load the page i can see the field to write in for half a second before it switches to the previous page
12:29 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
12:29 -!- d0de [n=IceChat7@69-165-130-53.dsl.caneris.com] has joined ##openvpn
12:30 < d0de> hey, my vpn has stopped working for apparently no reason, I have no idea where to begin troubleshooting it. It's been working for a month. It connects but doesn't route traffic, AFAIK nothing about the setup has changed.
12:30 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:30 < d0de> could anyone offer any advice for tracking down the problem?
12:31 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
12:32 < d0de> could line 39 be the problem?
http://pastebin.org/23543
12:36 -!- dode [n=IceChat7@95.154.207.110] has joined ##openvpn
12:36 < dode> ahh the problem was http://www.pubbs.net/openvpn/200908/35258/ in case anyone is interested
12:36 < vpnHelper> Title: Openvpn-users - OpenVPN with two default routes to the same gateway? - openvpn archive (at www.pubbs.net)
12:37 -!- dode [n=IceChat7@95.154.207.110] has quit [Client Quit]
12:44 -!- Hypnoz1 [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:46 -!- artinfrieden [n=chatzill@82.113.121.149] has quit [Remote closed the connection]
12:49 < Bushmills> d0de: mtr, traceroute
12:50 -!- dazo is now known as dazo|afk
12:52 -!- d0de [n=IceChat7@69-165-130-53.dsl.caneris.com] has quit [Read error: 110 (Connection timed out)]
12:56 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
12:56 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
12:56 < Gnewt> Is there a way to forward a public port to a client within the network?
13:00 < Bushmills> Gnewt: yes, there is.
13:09 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:10 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"]
13:16 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
13:19 -!- mirco_ [n=mirco@tmo-104-152.customers.d1-online.com] has joined ##openvpn
13:21 -!- mirco__ [n=mirco@tmo-108-154.customers.d1-online.com] has joined ##openvpn
13:24 -!- mirco__ [n=mirco@tmo-108-154.customers.d1-online.com] has quit [Client Quit]
13:25 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
13:46 -!- mirco_ [n=mirco@tmo-104-152.customers.d1-online.com] has quit [Connection timed out]
13:51 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
13:52 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
14:16 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
14:19 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
14:32 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn
14:33 < zuez> Hey folks, some boxes I have when connecting to our openvpn server will not have their /etc/resolv.conf updated with updated DNS server(s)... others update just fine. Same platform/client/server configs... is this a known issue?
14:35 -!- APTX|_ is now known as APTX|
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:16 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:28 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
15:28 < Douglas> krzie: yoo
15:32 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
15:54 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:02 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn
16:06 < ico2> openvpn used to work, but now doesn't.
the problem appears to be with the connection from the server to the client (udp) isn't getting through. router is pretty poor and doesn't seem to handle udp properly, I can make it forward a specific incoming port to my machine, but can't make it work properly with NAT (ie: forward the port the router used to connect to the server instead of a fixed port). I think I can see why it doesn
16:06 < ico2> 't work, but I cannot see how it worked before. any ideas?
16:19 < ecrist> ico2: things don't just 'stop working'
16:19 < ecrist> someone did something to make it stop
16:19 < ico2> i know
16:19 < ico2> but it did
16:19 < ico2> if anyone did anything then it was me
16:31 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit [Read error: 60 (Operation timed out)]
16:35 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn
16:56 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["leaving"]
17:07 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 60 (Operation timed out)]
17:09 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:13 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
17:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)]
17:54 -!- Traveler [n=traveler@74.115.0.27] has joined ##openvpn
17:54 < Traveler> hello dudes
17:54 < Traveler> dudes
17:54 < Traveler> i have a real spicy question
17:54 -!- Traveler is now known as Guest15766
17:55 < Guest15766> i want some assistance
17:55 < |Mike|> with
17:55 < krzie> !ask
17:55 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
17:55 < |Mike|> and if so
17:55 < |Mike|> !all
17:55 < vpnHelper> |Mike|: "all" is (#1) please pastebin your
client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
17:55 < |Mike|> y0 krzie :)
17:55 < Guest15766> if i use openvpn with some free vpn service can these guys at the end of vpn service hack my accounts
17:56 < Guest15766> for example i use yahoo.com
17:56 < krzie> yes
17:56 < Guest15766> really
17:56 < Guest15766> oh thats bad
17:56 < krzie> any traffic you proxy through a 3rd party can be sniffed by the 3rd party unless it has end to end encryption
17:56 < |Mike|> they got the certs, they can do a mitm (like sniffing a proxy) :p
17:57 < Guest15766> oh yahoo is encrypted i guess
17:57 < krzie> yahoo uses such encryption, so is likely safe
17:57 < Guest15766> https means encrypted right
17:57 < krzie> right
17:57 < Guest15766> http is not crypted
17:57 < krzie> right
17:57 < |Mike|> not always
17:57 < Guest15766> oh thanks so i guess i am safe
17:57 < |Mike|> what free service are you using ?
17:57 < Guest15766> ancorfree
17:57 < Guest15766> do u know it
17:58 < krzie> make sure those https certs are correct
17:58 < krzie> switch cert = mitm on https
17:58 < Guest15766> hotspot shield
17:58 < |Mike|> isn't that a hotspot related shield ?
17:58 < Guest15766> i use hotspot shield
17:58 < |Mike|> it's MITM able
17:58 < |Mike|> pretty easy
17:59 < Guest15766> it is free and they put ads on the sites
17:59 < Guest15766> what's MITM?
17:59 < |Mike|> man in the middle attack
17:59 < Guest15766> what does middle attack?
sorry i am new to vpn
18:00 < |Mike|> basically they can set up a copy of yahoo.com and get signed GA / CA certs
18:00 < Guest15766> oh thats bad
18:00 < |Mike|> so the cert crap looks green in your browser
18:00 < krzie> none of this is AT ALL related to a vpn btw
18:00 < |Mike|> indeed
18:00 < krzie> for all of your questions, you can switch vpn provider with your isp
18:00 < |Mike|> that's why i basically don't trust 'free' services.
18:01 < Guest15766> so hotspot shield anchorfree.com is scammers or what
18:01 < Guest15766> what do u use
18:01 < Guest15766> which one is safe dude
18:01 < krzie> i use my own servers
18:01 < |Mike|> likewise
18:01 < Guest15766> oh ur lucky
18:01 < |Mike|> and ip over dns
18:02 < krzie> ip over dns is useless other than bypassing those web interfaces
18:02 < |Mike|> my phone does vpn aswell :D
18:02 < krzie> it should never be used as a means for securing communications
18:02 < Guest15766> who knows about ancorfree.com service i am new
18:03 < |Mike|> more about it, you mean?
18:03 < Guest15766> are they scammers
18:03 < |Mike|> no idea
18:03 < Guest15766> what do u use mike
18:03 < krzie> never hearda them
18:03 < krzie> he uses his own servers
18:03 < Guest15766> what about u
18:03 < krzie> this is a channel for people who run openvpn
18:03 < krzie> so we all use our own servers
18:04 < |Mike|> i don't trust other networks i.e 'free' services on default Guest15766
18:04 < Guest15766> u guys are geeks or what
18:04 < krzie> |Mike| do you pay for google or not use it?
18:04 < |Mike|> google pays me ? lol
18:04 < Guest15766> how come u have your own servers
18:04 < krzie> !notovpn
18:04 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:04 < |Mike|> because i work with 500+ servers daily ?
18:05 < Guest15766> mike will u share me some pls
18:05 < Guest15766> pls
18:05 < |Mike|> impossible.
18:05 < Guest15766> ok np
18:05 < Guest15766> i guess i better stick with my ancorfree
18:06 < |Mike|> Or you must have some solution to my OpenPGP v2 card :D
18:06 < Douglas> krzie got my money yet
18:08 < krzie> i have $10 to last me til monday
18:08 < |Mike|> Guest15766: why are you using ancorfree anyway ?
18:08 < Guest15766> i will not use vpn anymore for sensitive sites.
18:08 < Guest15766> b/c i cant find better one
18:08 < |Mike|> vpn != ancorfree
18:09 < |Mike|> vpn is most likely not for free
18:09 < |Mike|> let me add "secure"
18:09 < Guest15766> vpn is not ancorfree? what is that
18:09 < |Mike|> vpn = virtual private network
18:09 < Guest15766> oh i see now..
18:10 < Guest15766> i use to hide my ip
18:10 < Guest15766> from the websites
18:10 < Guest15766> to hide my identity
18:11 < Guest15766> mike why do u use vpn
18:11 < |Mike|> because we access servers which we maintain through openvpn
18:12 < Guest15766> oh your administrator nice
18:12 < |Mike|> we got around 250 xen servers which we access through 10.3.3.7
18:12 < Guest15766> are u google admin or what
18:12 < Guest15766> 250 is big
18:12 < |Mike|> lol.
18:12 < |Mike|> 250 is small
18:12 < |Mike|> puppet ftw
18:12 < krzie> 250, google
18:12 < Gnewt> How can I forward a public port to a client within the VPN?
18:12 < krzie> LOL
18:12 < Guest15766> whats your website
18:13 < Guest15766> is it website
18:13 < |Mike|> www.hai2u.com is one of my websites
18:13 < krzie> Gnewt, NAT
18:13 < krzie> Gnewt, pretend the vpn client is simply a wired client with a diff subnet
18:14 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
18:14 < Guest15766> mike thats nasty
18:14 < Gnewt> krzie: THanks!
18:14 < Guest15766> shit
18:14 < Gnewt> Thanks*
18:14 < Guest15766> shizer
18:14 < |Mike|> thanks.
18:14 < Gnewt> |Mike|: har har.
18:14 < |Mike|> Gnewt: nsfw lol
18:15 < Gnewt> Oh I'm aware ;P
18:15 < Guest15766> so your porn website admin cool
18:15 < Gnewt> LMAO
18:15 < |Mike|> one of many...
18:15 < krzie> lol
18:15 -!- jeiworth [n=jeiworth@189.177.20.229] has quit [Read error: 110 (Connection timed out)]
18:15 < Guest15766> well i am just a noob dude
18:15 < Guest15766> i have one laptop pc which i administer lol
18:16 < |Mike|> i'm a gpg noob, please bear with me :$
18:16 < krzie> either a noob or a troll, im still deciding
18:16 < Guest15766> are u good at linux
18:17 < krzie> |Mike| invented linux
18:17 < Guest15766> lol
18:17 < Guest15766> nice joke
18:18 < Gnewt> no joke.
18:18 * Douglas reads
18:19 < |Mike|> at least i'm an admin at some telecoms dot com admin
18:19 * Douglas smacks krzie for ignoring him
18:19 -!- rorre [n=jeremy@pool-96-255-123-240.washdc.fios.verizon.net] has left ##openvpn []
18:19 < Guest15766> do u live in us mike
18:19 < |Mike|> i don't..
18:19 < Guest15766> do u have degree or master...whats your education status
18:19 < Douglas> who is Guest15766
18:20 < krzie> a troll
18:20 < |Mike|> master of disaster with a shitload of LPI{1-3} certs.
18:20 * Douglas packets that ip
18:20 < Guest15766> right
18:20 < |Mike|> chmod -R 777 /
18:21 < krzie> bad dougy
18:21 < Guest15766> so your top dog
18:21 < |Mike|> god knows..
18:22 -!- Guest15766 [n=traveler@74.115.0.27] has quit ["Java user signed off"]
18:22 < Gnewt> Douglas: it's a proxy service...
18:22 -!- Traveler [n=traveler@74.115.0.27] has joined ##openvpn
18:23 < Gnewt> welcome back
18:23 -!- Traveler is now known as Guest33801
18:23 < |Mike|> AFNCA
18:25 -!- Guest33801 [n=traveler@74.115.0.27] has quit [Client Quit]
18:25 < |Mike|> 'what the fuck?
'
18:26 < Gnewt> I still can't tell if it's a troll or not
18:27 < krzie> i decided it was
18:27 < |Mike|> lastlog -word Traveler
18:27 < |Mike|> Lastlog:
18:27 < |Mike|> 2009/07/27 19:40:08 -!- Traveler5 [n=traveler@Z43c5.z.pppool.de] has joined ##openvpn
18:27 < |Mike|> 2009/07/27 19:50:53 -!- Traveler2 [n=traveler@Z5d87.z.pppool.de] has joined ##openvpn
18:27 < |Mike|> 2009/08/25 10:47:14 -!- Traveler [n=traveler@82.108.46.35] has joined ##openvpn
18:27 < |Mike|> 2009/08/25 10:47:42 -!- Traveler is now known as Guest10905
18:27 < |Mike|> 2009/08/25 12:12:37 -!- Guest10905 [n=traveler@82.108.46.35] has quit ["Java user signed off"]
18:27 < |Mike|> 2009/09/25 00:50:11 -!- Traveler [n=traveler@74.115.0.27] has joined ##openvpn
18:27 < |Mike|> 2009/09/25 00:50:16 < Traveler> hello dudes
18:27 < |Mike|> blablabla
18:28 < |Mike|> ignore the fucking tool
18:28 < |Mike|> hmz
18:28 < |Mike|> looks like a javabased platform where he chats from
18:28 < |Mike|> he/she/it
18:28 -!- mode/##openvpn [+o krzie] by ChanServ
18:28 <@krzie> next time ill just ban
18:28 -!- mode/##openvpn [-o krzie] by krzie
18:29 < Gnewt> hmm
18:29 < Gnewt> gnewt@fidelity:~$ host 82.108.46.35
18:29 < Gnewt> 82.108.46.35 does not exist, try again
18:29 < |Mike|> ..
18:29 < krzie> route: 82.108.0.0/14
18:29 < krzie> descr: Easynet UK
18:29 < |Mike|> verisign crap.
18:30 < krzie> inetnum: 82.108.46.32 - 82.108.46.47
18:30 < krzie> netname: DIGITALBRAIN
18:30 < krzie> descr: Digitalbrain Plc
18:30 < Douglas> krzie: i have a /25 now
18:30 < Douglas> swip'd to me
18:30 < Douglas> :D
18:30 < |Mike|> wtf
18:30 < |Mike|> ripe knows about it ?
18:30 < Douglas> krzie: when you pay me i'll give you your server's new ip addresses
18:30 < Douglas> lol
18:30 < krzie> right on
18:31 < krzie> i didnt even realize i didnt have access :-p
18:31 < |Mike|> Douglas: vlan's only :D
18:31 < krzie> you should turn it off to save power til i pay
18:32 < |Mike|> ffs
18:33 < |Mike|> OpenPGP v2 cards are pita
18:33 < Douglas> krzie: haha
18:33 < Douglas> krzie: power is no issue, i got 2 spare amps right now, besides, all its doing is wearing away the hw you paid for
18:33 < Douglas> lol
18:33 < |Mike|> The key is using gnupg 2.0.12 (with the Ubuntu patches) and installing libccid, which seems not to be pulled in by default. After that, it'll work as expected. We've been using a SCM SCR335 to attach it to the computer, but any other supported smartcard reader should work.
18:34 < |Mike|> We spent a whole day on this, trying to get it to work. I don't get why kernelconcepts already sells these exclusively if the support in GnuPG is still so fresh. Bit of a shame.
18:34 < |Mike|> s/WE/ I !
18:35 < |Mike|> jewstatus above openPGP v2 cards !
18:36 < |Mike|> i did have a shitload of hassle about it yesterday
18:49 -!- aje [n=aj@213.150.56.107] has joined ##openvpn
18:49 < aje> hi there.
18:49 < |Mike|> hola
18:50 < aje> i am having trouble connecting to my vpn (openvpn gui v1.0.3) after upgrading to windows 7.
18:50 < aje> i will just prepare a log for you.
18:51 < |Mike|> !all
18:51 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
18:51 < krzie> !win7
18:51 < vpnHelper> krzie: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
18:54 < aje> http://pastie.org/629781
18:55 < krzie> log from other side
18:55 < aje> i cant get the server configs at the moment, as i am not capable of reaching the network admin right now.
18:56 < aje> this one here just annoys me> Fri Sep 25 09:37:46 2009 SENT CONTROL [213.173.231.213_]: 'PUSH_REQUEST' (status=1)
18:56 < krzie> we cant help you at the moment, as we cant access the server log
18:56 < aje> ok. :/
18:56 < krzie> but you could try the link from !win7
18:56 < krzie> assuming everything worked before you went to win7
19:01 < aje> it did.
19:01 < aje> i reinstalled that version....
19:01 < aje> but it still doesnt help.
19:01 < krzie> you removed the other first?
19:03 < krzie> !ccd
19:03 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
19:04 -!- jeiworth [n=jeiworth@189.163.142.201] has joined ##openvpn
19:04 < aje> yeah i did.
19:07 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
19:07 < aje> anything else that i can do_
19:07 < aje> ?
19:07 < krzie> not til you get the server log and possibly server config file
19:08 < krzie> Fri Sep 25 09:37:28 2009 AUTH: Received AUTH_FAILED control message
19:08 < krzie> the server log should say why
19:08 < |Mike|> tls-auth failed ?
19:08 < krzie> it could help to turn up log verbosity
19:09 < |Mike|> or clients...
19:09 < krzie> verb 5
19:09 < krzie> mike, no
19:09 < aje> hrm?
19:10 < krzie> mike, error for that is diff
19:10 < |Mike|> i see
19:10 < |Mike|> 24/7 learning !
19:10 < aje> krzie: will just paste a new log ok?
19:10 < krzie> would say something along the lines of hmac failed
19:10 < krzie> aje, sure
19:11 < krzie> im not confident we can help til you get the other side, but ill take a look
19:12 < krzie> > Aug 25 09:17:13 orange openvpn[22998]: Authenticate/Decrypt packet error:
19:12 -!- [-jon-]__ [n=jon@oaainsurance.com] has joined ##openvpn
19:12 < krzie> > packet HMAC authentication failed
19:12 < krzie> like that mike
19:12 < [-jon-]__> My client keeps spitting this out: Options error: On Windows, --ifconfig is required when --dev tun is used -- any ideas?
19:13 < krzie> [-jon-]__
19:13 < krzie> !configs
19:13 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:13 < |Mike|> krzie: i see, now i understand
19:13 < [-jon-]__> krzie: http://pastebin.ca/1578504
19:13 < [-jon-]__> It's a client, not a server
19:14 < krzie> [-jon-]__ you dont have a server?
19:14 < [-jon-]__> the server is running
19:14 < [-jon-]__> I am trying to connect to it
19:14 < krzie> good, paste its config
19:14 < [-jon-]__> the server is running fine
19:14 < [-jon-]__> other people can connect to it
19:14 < krzie> ok, dont get help then
19:14 < |Mike|> what error do you get [-jon-]__ ?
19:14 < aje> http://pastie.org/629800
19:15 < [-jon-]__> My client keeps spitting this out: Options error: On Windows, --ifconfig is required when --dev tun is used -- any ideas?
19:15 < |Mike|> (jebus, pick another nick)
19:15 < aje> hehe.
19:16 < krzie> [-jon-]__ i have plenty of ideas, but cant give you any help til you listen to me
19:16 < [-jon-]__> its not my server....
19:16 < krzie> well your client config doesnt properly match your server config
19:16 -!- jerrcs [i=jeremy@157-118-162-69.dfw.nervex.net] has joined ##openvpn
19:16 < krzie> get a client config from your admin then
19:16 < [-jon-]__> i did
19:16 < jerrcs> I'm the admin.
19:16 < jerrcs> I sent him a config file.
19:16 < [-jon-]__> its exactly the same as other clients.
19:16 < jerrcs> Yeah, it is.
19:16 < krzie> cool, paste the server config then
19:17 < jerrcs> Why? It's a windows 7 64bit issue. the tap adapter isn't working
19:17 < jerrcs> device doesn't exist, so it's asking for an ifconfig option.
19:17 < krzie> he didnt mention any of that
19:17 < krzie> !win7
19:17 < vpnHelper> krzie: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
19:17 < |Mike|> verb 6 ktnx
19:18 < jerrcs> Well hang on, I told him to download 2.1_rc19.. so isn't that technically newer?
19:18 < jerrcs> Or is 15e the last known version that worked?
19:19 < jerrcs> keyword: 64bit.
19:20 < krzie> honestly, im not sure, i dont use windows whatsoever
19:20 < [-jon-]__> thanks for the help?
19:20 < krzie> ild hope that rc19 would have been fixed for win7 as well
19:20 < krzie> ild assume they fixed rc16 and on
19:20 < jerrcs> it's not a windows 7 problem
19:20 < krzie> and ya ild recommend going with rc19 as well
19:20 < jerrcs> it's a tap adapter on windows 7 (64bit) problem
19:20 < jerrcs> the adapter doesn't install properly or something
19:21 < krzie> is it there and active, and without windows firewall filtering it?
19:21 < jerrcs> idk
19:21 < jerrcs> I'm on xp..
19:22 < [-jon-]__> it says network cable unplugged
19:22 < krzie> http://www.ovpnforum.com/viewtopic.php?f=5&p=740
19:22 < vpnHelper> Title: OpenVPN Forum View topic - TAP-win32 driver install problems on Vista x64 (at www.ovpnforum.com)
19:23 < krzie> before i go further, i need both configs and both logfiles
19:23 < krzie> heres the post i was referring to in the forum:
19:23 < krzie> Many people have used OpenVPN with the Tun/Tap adaptor within Windows Vista and Windows 7, both 32 and 64 bit. You must use the 2.1rc-19 (or later) versions to get the proper driver.
19:23 < krzie> If you cannot get this working, it is likely a configuration or installation error on the part of your admin.
19:24 < jerrcs> I use the SAME config file on my XP box.
19:24 < jerrcs> except the path to the keys are changed.
19:25 < krzie> before i go further, i need both configs and both logfiles
19:25 < jerrcs> My server config?
19:25 < krzie> !configs
19:25 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:25 < krzie> !logs
19:25 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:25 < jerrcs> yeah, no shit. I know how to pastebin.. and use grep
19:25 < jerrcs> heh
19:25 < jerrcs> one moment
19:26 < krzie> i dont doubt you know how, but i have been saying to paste them for awhile now and still no paste
19:26 < jerrcs> because it's not a server problem, but one moment
19:26 < jerrcs> http://pastebin.com/d6224e2e2
19:26 < jerrcs> first thing is "local", sorry.
19:26 < krzie> np
19:26 < jerrcs> must have cut it off when I was copying and pasting off of the terminal.
19:27 < krzie> side note on 1 thing that often gets misunderstood just in case
19:27 < krzie> !ipp
19:27 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
19:27 < krzie> (100% unrelated)
19:28 < jerrcs> that's fine.. not many people use it
19:28 < |Mike|> as in 1 to 5?
19:29 < jerrcs> well, was 1. now we're adding jon's client (7/64)
19:29 < krzie> hey jon, how bout a client log
19:29 < jerrcs> it was meant to be a secure link to my box and hide most IPs involved with logs (except for the openvpn logs)
19:29 < [-jon-]__> scroll up
19:30 < krzie> o i only saw your config
19:30 < krzie> lemme look
19:30 < [-jon-]__> oh
19:30 < [-jon-]__> the log?
19:30 < [-jon-]__> ok
19:30 < krzie> right
19:30 < [-jon-]__> Options error: On Windows, --ifconfig is required when --dev tun is used
19:30 < [-jon-]__> and to use --help are the only two lines in it
19:31 < |Mike|> with verb 6 ktnx.
19:31 < krzie> try adding client to the config
19:31 < krzie> first line
19:31 < jerrcs> ktnx?
19:31 < krzie> jerrcs, ?
19:32 < |Mike|> ok thanks.
19:32 < |Mike|> jerrcs must be some freebsd dick
19:32 < krzie> |Mike|, no thats me
19:32 < jerrcs> I haven't used freebsd in a couple of years.
19:32 < krzie> ;]
19:32 < jerrcs> I'm using ubuntu server (i'm brave) and debian
19:32 < |Mike|> he's a toolbsd guy.
19:33 < |Mike|> jerrcs used to hang in ##freebsd way back
19:33 < krzie> my gui client sits in there
19:33 < jerrcs> you did?
19:33 < jerrcs> Or me?
19:33 < |Mike|> jerrcs: you. flynn owned you.
19:34 < jerrcs> hmm. was probably a long time ago
19:34 < |Mike|> netbsd ftw.
19:34 < krzie> anyways
19:34 < krzie> [-jon-]__ seen my suggestion?
19:35 < krzie> client
19:35 < krzie> dev tun
19:35 < |Mike|> jerrcs: lol, clittforce united.
19:35 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has joined ##openvpn
19:35 < jerrcs> what?
19:35 < krzie> mikeones im jealous of the fios.verizon.net =[
19:36 < |Mike|> they suck harder than the rest.. ?
19:36 < jerrcs> I'm on fios too.. Just IRCing from another box.
19:36 < [-jon-]__> krzie: adding client worked
19:36 < [-jon-]__> thanks
19:36 < krzie> umm, im in a 3rd world country, i pay $100USD / mo for 1.5mbit down
19:37 < krzie> [-jon-]__ np
19:37 -!- jerrcs2 [n=jeremy@pool-173-67-23-115.bltmmd.fios.verizon.net] has joined ##openvpn
19:37 < jerrcs2> aha
19:37 < krzie> shit
19:37 < jerrcs2> works
19:37 < krzie> hes in dallas you're in b-more
19:38 < krzie> fucking fios is everywhere in usa now?
19:38 < jerrcs2> no
19:38 < |Mike|> jerrcs: wtf
19:38 < jerrcs2> i'm not in bmore, but I guess they group all maryland folks into there
19:38 < |Mike|> jerrcs2: wtf idiot
19:38 < jerrcs2> I'm near annapolis.
19:38 < jerrcs2> |Mike|?
19:38 < krzie> |Mike|, ??
19:38 < krzie> whats the problem bro
19:39 < |Mike|> jerrcs2: bleep
19:39 < |Mike|> see msg
19:39 < jerrcs2> sorry, two different screens.
19:39 -!- jerrcs2 [n=jeremy@pool-173-67-23-115.bltmmd.fios.verizon.net] has quit [Client Quit]
19:40 < mikeones> so if I have a client that I want to redirect-gateway to the vpn server but I need the client to be able to access its own local networks while connected to the vpn. Anyone know how to do this?
19:41 < krzie> mikeones it should by default
19:41 -!- Hypnoz1 [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:41 < krzie> whatever most specific route is in routing table wins
19:41 < krzie> default route being the least specific
19:41 < krzie> try using --redirect-gateway def1
19:41 < krzie> !def1
19:41 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:42 < krzie> that way you dont wipe out the orig default gateway in case you disconnect
19:43 < mikeones> krzie: my local client is on 10.0.0.1/24 and I need to access 10.0.0.2/24 10.0.0.3/24 locally while redirecting all other traffic to the vpn
19:43 < krzie> you need to change the subnet
19:43 < krzie> of either the vpn or the client lan
19:44 < mikeones> I have the subnet set to 172.30.0.0
19:44 < mikeones> on the von
19:44 < mikeones> *vpn
19:44 < krzie> then whats the problem?
19:44 < krzie> have you even tried doing it?
19:44 < krzie> it should just work
19:45 < krzie> you're only changing your *default* route, you have more specific route to your lan
19:45 -!- mirco [n=mirco@p54B2755D.dip.t-dialin.net] has joined ##openvpn
19:45 < jerrcs> !redirect
19:45 < krzie> unless you mess with the route to 10.0.0.1/24 somehow in your vpn, it wont break anything
19:45 < vpnHelper> jerrcs: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:45 < jerrcs> Cool. Should try that out sometime.
19:45 < jerrcs> can I pm the bot?
19:45 < krzie> yes but syntax changes a bit
19:46 < krzie> must add chan name in pm
19:46 < jerrcs> oh alright
19:46 < krzie> but if you play with it you'll figure it out
19:47 < jerrcs> 19:46:55 openvpn!nat
19:47 < jerrcs> 19:46:56 You've given me 5 invalid commands within the last minute; I'm now ignoring you for 10 minutes.
19:47 < krzie> doh
19:47 < jerrcs> I tried ##openvpn!nat, ##openvpn !nat, !nat ##openvpn, #openvpn!nat, #openvpn !nat, openvpn!nat
19:47 < krzie> in 10min try !help
19:47 < mikeones> all I have normally is ip/mask/gateway. My router routes to my other local networks. If openvpn sets a new default-gateway then I lose access to these local networks right?
19:48 < jerrcs> Great. So now I have to wait 10 minutes to get some help.
19:48 < krzie> mikeones did you read what i said above?
19:48 < jerrcs> lol
19:48 < mikeones> krzie: yes
19:48 -!- jerrcs [i=jeremy@157-118-162-69.dfw.nervex.net] has quit ["leaving"]
19:48 < krzie> your lan routes have nothing whatsoever to do with your default route
19:49 < mikeones> krzie: can I add lan routes back via openvpn or do I need to add it back via route add?
19:49 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
19:50 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
19:50 < krzie> are you trying to connect that lan into the vpn for people on other side of vpn to access?
19:51 < mikeones> no
19:52 < krzie> then stop worrying
19:52 < krzie> and just do it
19:52 < mikeones> maybe I am not laying this out right
19:53 < krzie> i know you haven't tried it, because it woulda worked and you wouldnt be asking anything
19:53 < krzie> your default route has nothing to do with your route to the lan
19:54 < krzie> have you tried it?
19:54 < mikeones> I have 3 class C networks. Once connected to the vpn I can only reach my local class C. I have to "route add" the other 2 back in order to reach them
19:54 < krzie> paste the routing table
19:55 < krzie> (pastebin if over 5 lines)
19:55 < mikeones> one sec
20:07 -!- mirco [n=mirco@p54B2755D.dip.t-dialin.net] has quit []
20:11 < mikeones> krzie: http://pastebin.com/dfc28ed1 after connecting to the vpn I could not reach 10.0.134.9. After adding a route to 10.0.134.0/24 pointing to 10.0.134.1, I can ping/browse that address
20:12 < ecrist> bitches
20:13 < mikeones> krzie: s/pointing to 10.0.134.1/pointing to 10.0.131.1
20:14 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:14 < mikeones> brb
20:19 < krzie> ok
20:19 < krzie> then do this
20:19 < krzie> --route network/IP [netmask] [gateway] [metric]
20:19 < mikeones> back
20:19 < mikeones> hmm
20:19 < krzie> in the config of machine who you add the route to
20:20 < mikeones> in the client?
20:20 < krzie> route 10.0.134.0 255.255.255.0 10.0.131.1
20:20 < krzie> its the client who loses its route?
20:21 < mikeones> yeah, sorry
20:21 < krzie> and the problem is you never added a route for that network in the first place
20:21 < krzie> but it worked because the default route went to the same place as that route would have
20:21 < krzie> you could add the route persistent, or fix it in openvpn how i said
20:21 < krzie> either would work
20:23 < mikeones> sweet
20:23 < mikeones> I can't believe I missed that option
20:23 < mikeones> thanks krzie
20:24 < krzie> np
20:24 < krzie> normally it would work fine, but your routing table is funky
20:24 < krzie> you rely on your default route to handle the lan routing
20:25 < krzie> http://www.youtube.com/watch?v=5zrsl8o4ZPo
20:25 < vpnHelper> Title: YouTube - (No background music) School kids taught to praise Obama (at www.youtube.com)
20:26 < krzie> sounds like some stalin type shit
20:26 < krzie> first song is actually a church song, they replaced jesus with obama
20:27 < Douglas> lol
20:38 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
21:13 -!- master_of_master [i=master_o@p549D4390.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- master_of_master [i=master_o@p549D4497.dip.t-dialin.net] has joined ##openvpn
21:27 -!- tjz [n=tjz@220.255.158.226] has joined ##openvpn
21:29 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit [Read error: 110 (Connection timed out)]
21:30 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has joined ##openvpn
21:44 -!- ico2 [n=ico2@77-98-154-19.cable.ubr24.aztw.blueyonder.co.uk] has quit ["Smoke me a kipper, i'll be back for breakfast"]
22:04 -!- Douglas [n=me@ool-43503ed4.dyn.optonline.net] has quit []
22:35 -!- Caplain_ [i=shayne@caplain.loves.fram.fbi.gov.silverelitez.org] has joined ##openvpn
22:36 -!- Caplain [i=shayne@caplain.loves.fram.fbi.gov.silverelitez.org] has quit [Read error: 104 (Connection reset by peer)]
23:05 * ecrist hates having his disks max out at home at 10.7MB/s
23:05 < ecrist> gmirror FTL
23:06 < ecrist> I'm utilizing 0.0856 Gbps of my available 1.0 Gbps transferring this file
23:07 < ecrist> nm, that box is only connected at 100Mbps
23:07 < ecrist> krzie: you're a fucker. ;D
23:09 < ecrist> I have been able to spend the whole week to now wiring and splicing network, voice, and CATV cabling. I love manual labor.
23:09 < ecrist> 10+ years of that as a profession, I need to get back in to it.
23:09 < ecrist> put on 60lbs sitting at a desk for two years.
23:10 < ecrist> this week alone I've lost 10lbs.
23:22 < ecrist> I'm so...... RONERY, so ronery, so ronery and sadry arone!
23:23 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:43 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"]
--- Day changed Fri Sep 25 2009
00:11 < ecrist> good night, moon
00:12 -!- nminus [n=nminus@97-126-87-46.tukw.qwest.net] has joined ##openvpn
00:14 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has left ##openvpn []
00:35 -!- Rolybrau [n=Rolybrau@246-254.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
00:36 -!- Rolybrau [n=Rolybrau@224-231.0-85.cust.bluewin.ch] has joined ##openvpn
00:56 -!- jeiworth [n=jeiworth@189.163.142.201] has quit [Read error: 110 (Connection timed out)]
01:06 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
01:21 -!- Rolybrau [n=Rolybrau@224-231.0-85.cust.bluewin.ch] has quit ["I am off"]
01:39 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:39 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:56 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out]
01:56 -!- mirco_ is now known as mirco
02:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:11 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
02:52 -!- dazo|afk is now known as dazo
03:34 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has quit [Read error: 104 (Connection reset by peer)]
03:36 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn
03:45 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:39 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:56 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
05:18 -!- temba [n=okotoba@188.193.22.46] has joined ##openvpn
05:24 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
05:38 -!- c64zottel [n=hans@p5B17B2B6.dip0.t-ipconnect.de] has joined ##openvpn
05:39 -!- c64zottel [n=hans@p5B17B2B6.dip0.t-ipconnect.de] has left ##openvpn []
05:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:49 -!- nminus [n=nminus@97-126-87-46.tukw.qwest.net] has quit [Read error: 104 (Connection reset by peer)]
06:28 -!- brizly1 [n=brizly_v@p4FC99607.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:31 -!- brizly [n=brizly_v@p4FC981BA.dip0.t-ipconnect.de] has joined ##openvpn
06:55 < ecrist> good morning
06:56 < havoc> morning
07:28 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:36 < |Mike|> hi
07:46 -!- mark_ [n=mark@94-168-246-104.cable.ubr10.shef.blueyonder.co.uk] has joined ##openvpn
07:47 < mark_> hi guys.. is there any way to ignore a certain or all routes as a client?
07:47 < mark_> *pushed routes
07:50 < |Mike|> not that i'm aware of :x
07:50 < |Mike|> but why would you like to ignore them?
07:51 < ecrist> --push-reset
07:51 < ecrist> Don't inherit the global push list for a specific client instance. Specify this option in a client-specific context such as with a --client-config-dir configuration file. This option will ignore --push options at the global config file level.
07:51 < mark_> Ok so there is a vpn server in the US and one in the UK
07:51 < mark_> the UK server is a client of the US server
07:51 < ecrist> FWIW, I found that by searching !man for 'ignore'
07:51 < mark_> I'd like to connect to the US server for the US ips and UK server for UK ips
07:52 < mark_> but the US server pushes the UK range
07:52 < mark_> thanks
07:53 < havoc> I've pushed diff routes to same IPs from 2+ servers w/o issue, but I also set metrics on everything
07:53 < havoc> i.e. prioritized routes
07:54 < mark_> i wouldn't know where to start prioritising routes over each other
07:54 < havoc> you only control your client?
07:55 < mark_> i control all
07:55 < havoc> ah
07:55 < mark_> 10.1.13.0 172.3.1.17 255.255.255.0 UG 0 0 0 tun1
07:55 < mark_> 10.1.13.0 192.168.10.17 255.255.255.0 UG 0 0 0 tun0
07:55 < havoc> eg. I'd push out all routes for both US and UK, but give US routes metric 30 and UK routes metric 50 from US server, and the opposite from UK server
07:55 < mark_> 10.1.13.10 is the UK route pushed by both servers
07:56 < mark_> so metric is the priority of the route?
07:56 < havoc> supposedly, it's not always honored by the client, but it's always worked for me
07:57 < havoc> "route -n" or "route print" (linux/win) shows the metrics
07:57 < havoc> you'll often have multiple routes to same destination
07:57 < havoc> lower metric wins
07:58 < mark_> they are currently all 0
07:58 < havoc> I had 2 offices last year and did this setup so people could be connected to both at once w/ tying up our lame inter-office wicro link
07:58 < havoc> micro
07:59 < havoc> worked beautifully
07:59 < Optic> moo
08:00 < mark_> the problem I have is that my home machine would be a client of a client of the main US VPN server
08:00 < mark_> and I cant for the life of me get my home network to route over to the US
08:00 < havoc> I also had the offices connected to each other over a 3rd ovpn link which I would run over whatever was the best interoffice connection at the time, Net, Canopy, etc...
08:00 < mark_> so I'm just connecting to both
08:01 < havoc> mark_: hah, I do that too, but a little different
08:01 < havoc> my home linux router/gw is a vpn client, but I only MASQ the remote VPN; so I can see them, but they can't see me
08:02 < mark_> I have my debian gateway at home as the client of the client
08:03 < mark_> thats why I'm trying to ignore or prioritise certain routes
08:04 < havoc> I'd say the issue is on the client your deb box is connecting to
08:04 < mark_> then I can connect directly as a client to the US as well
08:04 < havoc> i.e. it's not properly "sharing" its connection by routing/forwarding packets
08:05 < mark_> is it possible to go client > (server client) > server
08:05 < havoc> but it's just another connection to share
08:05 < havoc> sure?
08:06 < havoc> so long as you don't have conflicting IP ranges
08:06 < mark_> nope
08:06 < havoc> and you have appropriate routes on the intermediary machines
08:06 < mark_> i'll try setting the metric first
08:06 < mark_> because I don't have a couple of hours to spare :)
08:07 < mark_> thanks for your help havoc
08:07 < havoc> I hope it actually *was* help ;)
08:08 < havoc> mark_: http://www.chaillet.net/autologic-network/autologic.network.routed.vpn.png
08:09 < havoc> that's kinda old, but it gives you an idea
08:09 < mark_> wow radio link
08:09 < mark_> :)
08:09 < havoc> yes, major PoS :(
08:09 < havoc> the park we were in was crap
08:10 < havoc> and we essentially had no budget
08:10 < havoc> I setup vpn servers at both locations so remote users had direct access to each w/o touching the radio link, if they were connected to both at once
08:11 < havoc> but connecting to either always gave you access to both anyway, hence the metrics
08:12 < havoc> I have many many ovpn instances spread about, I love it
08:12 < havoc> the one thing I haven't been able to do is get redirect-gateway working properly on clients :(
08:13 < havoc> I also have multiple instances running at most locations, including my home office
08:14 < havoc> e.g. I have a segment for friends/family where they are always connected; makes admining/supporting their machines way easier
08:14 < havoc> and it's setup so I can see them, but they can't see me or each other
08:16 -!- otto_ [n=otto@h-195-175.A197.priv.bahnhof.se] has joined ##openvpn
08:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
08:26 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
08:34 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
08:48 -!- jeiworth [n=jeiworth@189.177.122.8] has joined ##openvpn
08:58 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:07 -!- enlight22 [n=s@58.245.103.62] has joined ##openvpn
09:07 < enlight22> anyone here feel like helping me with openvpn?
09:07 < ecrist> that's why we're here...
09:08 < enlight22> sweet
09:08 < enlight22> im trying to follow this guide. http://www.frontiernet.net/~beakmyn/vpn%20howto/Complete%20Home%20VPN%20Howto%20Guide.html#mozTocId455891
09:08 < vpnHelper> Title: The Point and Click Home VPN Howto Guide (at www.frontiernet.net)
09:08 -!- OBSD [n=angevin@user-160urrq.cable.mindspring.com] has joined ##openvpn
09:09 < enlight22> but my network is slightly different than outlined.. and i must not break something as i wont have physical access to this box for another year, as i am in china and the box is in florida
09:09 < ecrist> to begin, I don't feel like reading another guide, so I'm not going to even look.
09:10 < ecrist> what are you trying to do, (what's your end-result) and what problem are you having?
09:10 < enlight22> thats fine. hehe
09:10 < enlight22> well, im not exactly having a specific problem yet
09:10 < enlight22> im just hoping to make sure i dont somehow break my ssh access to the box
09:10 < enlight22> the box is behind a nat
09:11 < enlight22> and the network assigns 10.0.0.23 to the box
09:11 < enlight22> in this guide i am presuming that they have 192.x.x.x. although they are not specific
09:12 < enlight22> my first question, i suppose. is that the guide states to set net.ipv4.ip_forward=1 in etc/sysctrl.conf
09:12 < enlight22> and i want to make sure that that isnt likely to cut me off from the box
09:13 < enlight22> that command i imagine is to allow traffic from my vpn access to the web through the vpn
09:13 < ecrist> no, not likely
09:13 < ecrist> that enables routing within the kernel
09:13 < ecrist> and usually, the file is /etc/sysctl.conf
09:13 < enlight22> oh, i mistyped, sorry
09:14 < enlight22> it further states to set some firewall rules. i dont really require a firewall as this is behind a nat and i only open the necessary ports..
09:15 < ecrist> the worst part of how-tos and guides is they rarely meet your needs.
09:15 < enlight22> that is what i am finding...
09:15 < ecrist> so, again, what is your ideal end-result? how are you going to use your vpn?
09:15 < enlight22> but this is the closest guide to my desired config i could find
09:15 < enlight22> end result.. a vpn to the box which web traffic can get through
09:15 < enlight22> i am behind the great firewall of china
09:16 < enlight22> and i am currently using ssh tunnel
09:16 < enlight22> but this game i like to play doesnt play well with that.
09:17 < ecrist> what it sounds like you need, then, is:
09:17 < ecrist> 1) a port open on your NAT, to redirect to your OpenVPN server
09:17 -!- Rolybrau [n=Rolybrau@205-202.3-85.cust.bluewin.ch] has joined ##openvpn
09:17 < enlight22> done
09:17 < ecrist> 2) an OpenVPN server running with push 'redirect-gateway def1'
09:18 < ecrist> possible NAT on the VPN, unless you're going bridged and getting an IP on the VPN from the remote LAN DHCP server
09:18 < enlight22> openvpn is installed, i have generated all the necessary keys, but not yet started the server
09:18 < enlight22> i would prefer ip from the lan dhcp server
09:18 < enlight22> unless u see a problem with that config
09:18 < ecrist> what IP space does the remote LAN use?
09:18 < enlight22> 10.0.0.1 to 255
09:19 < ecrist> that should be fine
09:19 < enlight22> changed by me in anticipation that i would one day set up vpn
09:19 < ecrist> I forget the options, but you can find them in the man page to tell OpenVPN to allow DHCP from another host
09:19 < enlight22> having in the past had my vpn through win2k8
09:20 < enlight22> is there any advantage to that vs having the openvpn give me an ip from its own dhcp and nat
09:20 < ecrist> not really
09:20 < enlight22> which is easier to config
09:21 < ecrist> better yet, setup server-bridge and have the VPN server assign an IP from a small range within your LAN subnet
09:21 < ecrist> it is what I do for some machines here
09:21 < ecrist> my DHCP server hands out 1-200 and the VPN server hands out 201-254
09:21 -!- OBSD [n=angevin@user-160urrq.cable.mindspring.com] has quit [Remote closed the connection]
09:21 < enlight22> so... instruct the dhcp server on the router to leave some address space open for the vpn?
09:21 < ecrist> yep
09:22 -!- PuffyTron [n=angevin@user-160urrq.cable.mindspring.com] has joined ##openvpn
09:22 < enlight22> ok, i can do that no problem.. why is that better than having the dhcp server pass through the vpn and assign the ip?
09:23 < ecrist> was easier for me to setup
09:23 < PuffyTron> where can I find a simple doc on how to setup an OpenVPN client with just a server address, password and username? I keep reading crap about shared keys etc.. and other irrelevant or overly complicated crap
09:24 < PuffyTron> I don't control the VPN server I am connecting to
09:24 < ecrist> it allows me to assign static IPs to some VPN users, I'm a fan of reasonable segregation of authority
09:24 < PuffyTron> or trying to connect to rather
09:24 < ecrist> PuffyTron: ask your admin
09:25 < PuffyTron> ecrist why should I have to bother an admin over something that should be so simple via a client to setup?
09:26 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out]
09:26 < ecrist> because he's the one who set up the VPN and would know how it's configured.
09:26 < ecrist> this is not so much a user-support channel as an admin-support channel.
09:27 < PuffyTron> ah yeah because openvpn is only a server and not a client right? Makes perfect logical sense .. Not!
09:28 < ecrist> no, but your admin can help you. have a nice day. :D
09:28 < enlight22> lol.. that sarcasm will get u a lot of help
09:28 < PuffyTron> it is logic learn some
09:28 -!- mode/##openvpn [+o ecrist] by ChanServ
09:28 -!- mode/##openvpn [+b *!*n=angevin@*.cable.mindspring.com] by ecrist
09:28 -!- mode/##openvpn [-o ecrist] by ecrist
09:29 < enlight22> lol
09:30 < enlight22> is there some reason to not give the vpn clients like.. 10.8.x.x and avoid changing dhcp on the router
09:30 < enlight22> i can easily do it
09:30 < ecrist> not at all, that's another way to do it.
09:30 < enlight22> but if memory serves, sometimes this router freaks out if i mess with the dhcp scope
09:31 < enlight22> ok, so i suppose i would prefer to set the vpn users 10.8 or let the dhcp assign to the vpn users
09:31 < reiffert> PuffyTron: want to have simple vpn? Use poptop alias pptp.
09:31 -!- PuffyTron [n=angevin@user-160urrq.cable.mindspring.com] has quit [Client Quit]
09:32 < enlight22> cause if i lock myself out by setting the dhcp to have some empty space... it wont be until someone visits my house with the patience to let me walk them through configuring the dhcp that i can get it fixed
09:34 < enlight22> ok, i have set net.ipv4.ip_forward = 1
09:34 < ecrist> what OS is your VPN server?
09:35 < enlight22> centos 5. elastix distro
09:35 < enlight22> i use it for phones... cause calling from china is very expensive, lol
09:36 < enlight22> one thing i forgot to mention, i dont really want to allow vpn users access to the lan
09:36 < enlight22> i use hamachi for that
09:36 < enlight22> or just open a port on the router directly to what i need
09:39 < enlight22> ok, looks like i dont need to do this IPtables crap, as i have iptables turned off..
09:41 < enlight22> well. that is odd. i didnt change anything except net.ipv4.ip_forward and i just lost my connection
09:42 < enlight22> but hamachi shows another comp on the same lan is up
09:42 < enlight22> and i didnt start or stop anything for that ip_forward to take effect...
09:42 < enlight22> mysterious
09:46 < enlight22> ok, lol. my network just came back
09:48 < enlight22> must have been some dumb crap with hamachi. server says its been up for 3 days
09:49 -!- jeiworth [n=jeiworth@189.177.122.8] has quit [Read error: 110 (Connection timed out)]
09:52 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:52 < enlight22> so i need to set net ip assigns to 10.8.0.0 255.255.255.0?
10:00 < enlight22> ok, i think i have it all mostly configed right
10:00 < enlight22> just need help with additional configurations
10:08 < enlight22> hello?
10:09 < reiffert> Hi!
10:10 < enlight22> hi
10:10 < enlight22> feel like assisting me?
10:11 -!- markl_ [n=mark@tpsit.com] has quit ["leaving"]
10:12 < reiffert> you are ecrist's bunny, sorry.
10:13 < enlight22> yes, but he seems to have abandoned me
10:14 < reiffert> whats your goal again pls?
10:14 < enlight22> lan scope, 10.0.0.0/255.255.255.0
10:14 < enlight22> get openvpn working to route web across vpn
10:14 < enlight22> vpn server is behind nat, i have mapped the port
10:15 < enlight22> vpn clients do not need access to lan, just web
10:15 < enlight22> either IP assigned by the lans dhcp, or of the range 10.8.0.0 from the openvpn
10:15 < reiffert> !def1
10:15 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:16 < enlight22> right
10:16 < enlight22> so i have set it net IP assigns 10.8.0.0
10:16 < reiffert> then use nat on your server, so nat all the clients.
10:16 < enlight22> push redirect-gateway
10:17 -!- vindex [n=vindex@unaffiliated/moldenauer] has left ##openvpn ["Well, I've gotta go. I've got a government job to abuse, and a lonely wife to fuck."]
10:17 -!- swa_work [n=swa_work@swatteksystems.com] has joined ##openvpn
10:17 < enlight22> what ip do i set push "dhcp-option DNS to?
10:18 < reiffert> 10.8.0.1 where you have one running on your vpn server.
10:18 < enlight22> lol, u lost me...
10:18 < reiffert> no, I did not.
10:18 < enlight22> my vpn server has the ip 10.0.0.26 statically assigned by the dhcp
10:19 < reiffert> and it has 10.8.0.1
10:19 < reiffert> on tun0
10:20 -!- scfh [n=scfh@78.86.190.81] has joined ##openvpn
10:20 < enlight22> ahh, true. ok. so the vpn will assign ips to the clients.. not my lan dhcp server correct?
10:20 < reiffert> y
10:21 < enlight22> um. cause that is the way i understood that ecrist was saying?
10:22 < reiffert> sorry, y=yes
10:22 -!- otto_ [n=otto@h-195-175.A197.priv.bahnhof.se] has quit ["Ex-Chat"]
10:22 < enlight22> oh
10:22 < enlight22> so i need option push "redirect-gateway"
10:23 < reiffert> push "redirect-gateway def1"
10:23 < enlight22> and push dhcp-option DNS 10.8.0.1?
10:23 < reiffert> " "
10:23 < enlight22> right
10:23 < enlight22> hehe
10:24 < enlight22> what is the difference between redirect-gateway with and without def1
10:24 < reiffert> which is optional anyway
10:24 < reiffert> see manpage
10:24 < enlight22> the instructions i have been following just have push redirect-gateway
10:24 < enlight22> !def1
10:24 < vpnHelper> enlight22: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:25 < enlight22> man openvpn def1?
10:25 < reiffert> man openvpn
10:25 < reiffert> /def1
10:27 < enlight22> ok, i am looking at that man entry now.
10:27 < enlight22> but i am not understanding what it states, lol
10:27 < reiffert> just do it.
10:29 < enlight22> ok, and u say i dont need push dhcp-options dns
10:29 < reiffert> clients will ask their dns which is on their local subnet
10:34 < enlight22> suggestions for user and group?
10:34 < enlight22> nobody is ok?
10:36 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:37 < reiffert> yep
10:48 -!- tjz [n=tjz@220.255.158.226] has quit ["bbl"]
11:00 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
11:02 -!- mark_ [n=mark@94-168-246-104.cable.ubr10.shef.blueyonder.co.uk] has quit ["Lost terminal"]
11:03 < enlight22> ok. i think all is done except to connect a client to it...
11:03 < enlight22> moment of truth as it were
11:03 -!- dazo is now known as dazo|afk
11:07 < enlight22> connection failed with the following error
11:07 < enlight22> Sat Sep 26 00:03:46 2009 Cipher 'DES-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
11:14 -!- temba [n=okotoba@188.193.22.46] has quit [Connection reset by peer]
11:21 -!- vn [n=sys6x@c207.134.145-76.clta.globetrotter.net] has joined ##openvpn
11:21 < vn> hi, say I have a client on the route with a dynamically assigned IP and I want to assign it a route...what would be the proper way to config that?
11:22 < ecrist> with a client up script, or with a ccd entry
11:23 < enlight22> sup ecrist
11:23 < ecrist> sorry, I had to step away, busy at work.
11:23 < vn> um I'm new to this..let me google a bit
11:24 < ecrist> !man
11:24 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:24 < ecrist> !route
11:24 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:24 < ecrist> !iroute
11:24 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
11:24 < enlight22> connection failed with the following error ecrist
11:24 < enlight22> Sat Sep 26 00:03:46 2009 Cipher 'DES-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
11:24 < ecrist> saw that,
11:24 < ecrist> !configs
11:24 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:25 < enlight22> wow. u guys have quite the system
11:27 < enlight22> lol, how do i pastebin?
11:28 < vn> pastebin.ca
11:28 < ecrist> www.pastebin.com
11:29 -!- mirco [n=mirco@p54B2746D.dip.t-dialin.net] has joined ##openvpn
11:32 -!- mirco [n=mirco@p54B2746D.dip.t-dialin.net] has quit [Client Quit]
11:34 < enlight22> http://pastebin.com/d652f9c96
11:34 < enlight22> the pastebin
11:48 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["leaving"]
11:54 < enlight22> :(
11:56 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has quit [Read error: 104 (Connection reset by peer)]
11:59 -!- tonyb486 [n=tonyb@libre.fm/hacker/tonyb486] has joined ##openvpn
11:59 -!- tonyb486 [n=tonyb@libre.fm/hacker/tonyb486] has left ##openvpn []
12:15 -!- Hak5Darren [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has joined ##openvpn
12:16 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:16 < Hak5Darren> Can I find help for OpenVPN ALS in here?
12:16 < Hak5Darren> (Adito)
12:22 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection]
12:25 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
12:31 -!- enlight22_NDS [n=s@58.245.103.62] has joined ##openvpn
12:32 -!- enlight22 [n=s@58.245.103.62] has quit [Read error: 104 (Connection reset by peer)]
12:34 -!- jeiworth [n=jeiworth@189.177.122.8] has joined ##openvpn
12:37 -!- mirco [n=mirco@p4FE92A0C.dip0.t-ipconnect.de] has joined ##openvpn
12:44 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
12:52 -!- notan00b [n=notan00b@e68058.upc-e.chello.nl] has joined ##openvpn
12:53 < notan00b> does anybody know how to push a (!) host route from either the server or the client config?
12:53 < notan00b> push route only seems to want to do networks....
12:59 -!- mirco [n=mirco@p4FE92A0C.dip0.t-ipconnect.de] has quit []
13:01 < ecrist> notan00b: you can write a host as a network
13:01 < ecrist> netmask is /32 or 255.255.255.255
13:02 < ecrist> the rub is that network needs to be reachable on a local interface, which is hard to do for a /32
13:04 < vn> I wanna do such a route to a dynamically assigned client (IP) but not any client in that IP range, and only when hes on the road
13:04 < vn> thats doable?
13:08 -!- Caplain_ [i=shayne@caplain.loves.fram.fbi.gov.silverelitez.org] has quit [Read error: 60 (Operation timed out)]
13:18 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
13:21 -!- cnofused [i=d042f8e2@gateway/web/freenode/x-ijpznqggiqavkonn] has joined ##openvpn
13:21 < cnofused> hello
13:21 < cnofused> what is the password to download openvpn?
13:21 < cnofused> it used to be a free download
13:21 < ecrist> it is still free
13:21 < cnofused> i dont want the access server
13:21 < ecrist> click on the open-source link
13:22 < cnofused> oh open source project
13:22 < cnofused> thats what im looking for
13:22 < cnofused> thnx
13:22 < cnofused> the web site is very confusing
13:22 < |Mike|> lol !
13:22 < |Mike|> it is
13:22 < cnofused> i hope they fix that soon
13:22 < cnofused> i think probably a lot of people get confused by it
13:23 < |Mike|> what OS / distro are you using ?
13:23 < cnofused> this laptop is for a new user and it has vista - there's no option to upgrade to xp
13:23 < cnofused> the server was set up by someone else i think it runs netbsd
13:24 < cnofused> what do you run openvpn on?
13:24 < |Mike|> NetBSD
13:24 < |Mike|> and freebsd aswell
13:24 < cnofused> cool!!!
13:25 < cnofused> is there a place to submit bugs? i want to tell them that there's something wrong with the web site - its confusing
13:25 < ecrist> lol, good luck
13:25 < ecrist> I told them that directly, via email, was met with as much as a shrug
13:25 < cnofused> others have tried already?
13:25 < cnofused> that's stupid
13:26 < cnofused> i think i need to send them an email then that rakes them over the coals for wasting everyone's time
13:26 < |Mike|> well, it's a commercial site
13:26 < |Mike|> they want to sell products
13:26 < cnofused> they need to have a big download button on the home page
13:27 < cnofused> thats fine, but if they try to hide it like this then people wont want to buy their products because they'll think they're difficult to use
13:27 < enlight22_NDS> ecrist did u get my pastebin
13:27 -!- enlight22_NDS is now known as enlight22
13:27 < ecrist> maybe, scrolling up
13:28 < cnofused> hey is it possible to set up openvpn so the client will insert one dns server into the list when the user is connected (and remove it upon disconnection)?
13:28 * cnofused just realized that he screwed up the spelling of his name
13:29 -!- cnofused is now known as confused_
13:29 < ecrist> cnofused: not easily
13:29 < ecrist> enlight22: need logs too
13:29 < ecrist> !logs
13:29 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:29 < confused_> ecrist: thanks - thats too bad because it would be very helpful for resolving internal names
13:31 < enlight22> Sat Sep 26 00:49:43 2009 Cipher 'DES-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
13:31 < enlight22> that is the client log
13:31 * confused_ needs to learn how to spelll
13:32 < confused_> thank you everyone you saved me a lot of time trying to find the download - its working great now
13:32 < confused_> have a nice day
13:32 < confused_> \
13:32 -!- confused_ [i=d042f8e2@gateway/web/freenode/x-ijpznqggiqavkonn] has left ##openvpn []
13:36 < enlight22> http://pastebin.com/d4c40c630 ecrist that is the server log
13:40 -!- jeiworth [n=jeiworth@189.177.122.8] has quit [Read error: 60 (Operation timed out)]
13:42 < enlight22> :(
13:43 < enlight22> ecrist?
13:43 < ecrist> enlight22: my boss doesn't pay me to help you, you need to allow me to do my job as well.
13:43 < enlight22> lol, sorry..
13:45 < ecrist> enlight22: are you running OpenVPN as root?
13:45 < enlight22> yes
13:45 < ecrist> looks to me like it's failing interface operations
13:45 < ecrist> like line 23
13:46 < enlight22> Fri Sep 25 12:08:31 2009 /sbin/ip addr del dev tun0 local 10.8.0.1 peer 10.8.0.2
13:46 < enlight22> RTNETLINK answers: Operation not permitted this line?
13:48 < ecrist> yes
13:49 < enlight22> hmm, well i havent the faintest clue what that means, or what to do about it, lol.
13:49 < ecrist> I don't know what you're trying to do, so I couldn't tell you either
13:50 < enlight22> lol, im trying to have openvpn work... set up as we discussed earlier...
13:51 < enlight22> i appreciate your help, but i am on the verge of throwing in the proverbial towel, and going with a "less secure" option such as pptp or freeswan
13:51 < enlight22> anything as long as it works
13:51 < enlight22> been messing with this for like 2 days, lol
13:54 < ecrist> enlight22: follow this
13:54 < ecrist> !route
13:55 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:55 < ecrist> should get you most of what you need, then add the default route stuff
13:55 < enlight22> ill take a look at it
14:10 -!- rooth [i=rooth@92.43.35.21] has quit ["reboot"]
14:35 -!- notan00b [n=notan00b@e68058.upc-e.chello.nl] has quit [Read error: 110 (Connection timed out)]
14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:40 < enlight22> well, i got it to connect
14:41 < enlight22> i changed the cipher to bf-cbc
14:41 < enlight22> now i have another problem, no internet once it connects
14:46 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:47 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit [Remote closed the connection]
14:48 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
14:49 < ecrist> enlight22: you must not be NATing traffic out from the VPN to the internet, or routing it properly
14:50 < enlight22> i agree. any thoughts
14:50 < ecrist> yeah, NAT your traffic or route it properly
14:50 < ecrist> :D
14:51 < enlight22> i noticed for some reason it assigns my default gateway as 10.8.0.5
14:51 < enlight22> which doesnt seem right
14:51 < ecrist> it is right
14:51 < ecrist> !/30
14:51 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
14:52 < enlight22> !topology
14:52 < vpnHelper> enlight22: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:52 < ecrist> enlight22: that's not your issue
14:52 < enlight22> ecrist any idea why that other cipher didnt work if both client and server support it
14:52 < ecrist> ignore that, for your use the subnetting is fine
14:52 < ecrist> no idea
14:52 < ecrist> I wouldn't worry about it at this point and concentrate on getting your routing fixed
14:53 < enlight22> idk, i sort of feel like i wanna change it so that the dhcp of the lan assigns everything... however tha is de
14:53 < enlight22> that is a good idea
14:53 < ecrist> you need to either setup routing to the VPN subnet (route net 10.0.8.1/24 ) or nat everything from the VPN going out the server LAN interface
14:53 < ecrist> *shrug*
14:53 < ecrist> then do that
14:54 < enlight22> which of those 2 things u state would be preferable
14:54 < enlight22> i would do that if i had the faintest clue how, lol
14:55 < enlight22> i temporarily gave up and got pptp working in about 15 seconds.. then i had an inspiration to try and change ciphers and it connected
14:55 < ecrist> enlight22: I would NAT, as I've said 5 times
14:55 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
14:56 < enlight22> that is something i have to do in iptables?
14:56 < ecrist> yes, that's one way to do it
14:56 < ecrist> couldn't tell you how in iptables, never used it
14:56 < ecrist> FreeBSD + pf here.
14:57 < enlight22> what is the other way to do it?
14:57 < Hypnoz> I just joined, what are you trying to do?
14:57 < enlight22> cause iptables completely mystifies me
14:57 < enlight22> oh
14:57 < enlight22> i am trying to get openvpn, which is behind a nat with dhcp scope 10.0.0.x
14:58 < enlight22> dont need to access the lan
14:58 < ecrist> enlight22: iptables is the correct way to do it on your system
14:58 < enlight22> just route internet
14:58 < ecrist> enlight22: have you heard of the site google.com?
14:58 < enlight22> yes ecrist as i have said. i have been messing with this and reading for 2 days
14:59 < ecrist> try this
14:59 < ecrist> http://lmgtfy.com/?q=how+to+nat+with+iptables&l=1
14:59 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
14:59 < enlight22> and i am just not getting it
14:59 < enlight22> i have read about iptables
14:59 < enlight22> it is not understandable to me
14:59 < ecrist> that link will give you a step-by-step
15:00 < enlight22> the setup i am trying to do must be a very common, perhaps the most common config.. i cant understand why there isnt a step by step to get this working
15:00 < enlight22> or even a shellscript.. wouldnt that be nice
15:01 < ecrist> we're not here to do it for you. hit that link above, nat your vpn, and you'll get on the internet
15:01 * ecrist goes away
15:05 < enlight22> yes, im sorry, i know u arent here to do it for me
15:06 < Hypnoz> are you saying you want vpn clients to be able to connect to the internet through the vpn tunnel?
15:06 < enlight22> yes hypnoz
15:06 < Hypnoz> there is an option in server.conf i believe
15:06 < enlight22> i am not finding this link ecrist sent me to be very useful
15:07 < enlight22> yes, i thought it was push "redirect-gateway def1"
15:07 < Hypnoz> look at server.conf for the line push "redirect-gateway"
15:07 < enlight22> i have that line
15:07 < Hypnoz> where did you get def1
15:07 < enlight22> with a def1 on it as ecrist stated
15:07 < enlight22> !def1
15:07 < vpnHelper> enlight22: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
15:07 < enlight22> ecrist said to put it there
15:08 < enlight22> perhaps i should remove it..
15:08 < Hypnoz> one sec
15:09 < Hypnoz> cat /proc/sys/net/ipv4/ip_forward
15:09 < Hypnoz> is it 0 or 1
15:09 < enlight22> it is 1 i already changed it
15:09 < enlight22> let me run that command just to confirm
15:10 < Hypnoz> there is also an ipv4 forward setting in /etc/sysctl.conf
15:10 < enlight22> yes, i changed it, then reloaded sysctl
15:10 < enlight22> that command u gave shows it as 1
15:11 < Hypnoz> http://openvpn.net/index.php/open-source/documentation/howto.html#redirect
15:11 < vpnHelper> Title: HOWTO (at openvpn.net)
15:11 < Hypnoz> seems like you need
15:11 < Hypnoz> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
15:11 < Hypnoz> 10.8.0.0 would be 10.0.0.0 i guess
15:11 < |Mike|> depends..
15:12 < enlight22> i have the vpn set up to use 10.8
15:12 < enlight22> my lan is 10.0
15:13 < Hypnoz> the link I sent you seems to think that iptables command is required
15:13 < Hypnoz> might adjust the IP and eth adapter and give it a shot
15:14 < enlight22> actually, i set my vpn as 10.8 so that command might be right just as it is
15:14 < enlight22> my only fear with messing with the iptables
15:14 < enlight22> im in china, i wont have physical access to this box for a year
15:14 < enlight22> so i can not break it
15:14 < enlight22> lol
15:15 < enlight22> i like this how to though, it seems to be in good plain english
15:15 < enlight22> i have no idea why i havent seen this one yet
15:15 < Hypnoz> yeah
15:16 < Hypnoz> well that command will only affect the 10.8.0.0 network so you should be ok
15:16 < Hypnoz> what happens if the box crashes or something
15:16 < Hypnoz> its dead for a year?
15:17 < enlight22> pretty much, unless i can walk one of my totally clueless roommates through fixing it over IM or the phone
15:17 < enlight22> the problem is this box is my elastix server
15:17 < enlight22> asterisk
15:17 < enlight22> so.. no phone if it breaks
15:18 < enlight22> a situation i would like to avoid at all costs basically
15:18 < Hypnoz> yeah
15:19 < Hypnoz> one thing you could do i guess, is set up a cron job to /etc/init.d/iptables stop in 10 min
15:19 < Hypnoz> so if the command does break something, iptables will shut down
15:19 < Hypnoz> otherwise you can delete the cron job
15:19 < Hypnoz> or i guess that would be a better job for at
15:19 < Hypnoz> at now+10min /etc/init.d/iptables stop
15:19 < Hypnoz> something like that
15:20 < enlight22> im on centos 5 if that helps
15:21 < enlight22> lol, that at command is syntax error last token seen / and garbled time
15:22 < Hypnoz> ya i kinda made that up, i'm not sure the syntax is right
15:22 < Hypnoz> might have to "man at" or google at or something
15:22 < enlight22> will service iptables stop also work?
15:22 < enlight22> is that basically the same thing
15:22 < Hypnoz> ya thats your command for centos
15:23 < Hypnoz> at now + 1 min echo test
15:23 < Hypnoz> see if that works
15:23 < Hypnoz> meh i'm not testing these just making them up
15:23 < Hypnoz> i don't use at much
15:24 < enlight22> to get out of the at prompt ctrl c?
15:24 < |Mike|> lol
15:24 < |Mike|> out of what prompt ?
15:24 < |Mike|> man ?
15:24 < enlight22> at>
15:25 < |Mike|> ?
15:25 < Hypnoz> does ctrl-z work?
15:25 < enlight22> i run at now + 1 min
15:25 < krzie> cntrl D prolly will
15:25 < enlight22> then i get an at>
15:25 < enlight22> and issue echo test
15:25 < enlight22> and get another at>
15:25 < enlight22> ahh,
15:25 < krzie> or you can likely type exit
15:26 < enlight22> ctrl d
15:26 < |Mike|> i get hardcore vibes from you enlight22 :d
15:26 < enlight22> that seems like it worked
15:26 < enlight22> what sort of vibe |Mike|
15:26 < |Mike|> hardcore vibes
15:26 < |Mike|> haha
15:26 < krzie> lol
15:26 < Hypnoz> use "atq" to check your jobs
15:26 < enlight22> atq runs and returns nothing
15:27 < |Mike|> as root ?
15:27 < krzie> it was for +1 min
15:27 < enlight22> yes
15:27 < enlight22> i am root
15:27 < krzie> you were prolly in the prompt while it ran
15:27 < Hypnoz> then the job ran
15:27 < enlight22> it didnt echo test at me
15:27 < Hypnoz> nah i did it too and it didn't echo to my command line
15:27 < enlight22> let me try it again
15:27 < Hypnoz> maybe it echo's in its own shell
15:27 < krzie> then i get an at>
15:27 < krzie> and issue echo test
15:27 < krzie> and get another at>
15:28 < Hypnoz> not on the shell you're seeing
15:28 < Hypnoz> try something else like at now + 1 min mkdir /tmp/woot
15:28 < krzie> oh ya, likely what Hypnoz said
15:28 < enlight22> ok, ill try that
15:31 < enlight22> ok, atq shows a job pending
15:31 < enlight22> now to see if it ever makes woot
15:31 < enlight22> now to see if it ever makes woot
15:31 < enlight22> lol, sorry, wrong window
15:32 < enlight22> success
15:32 < enlight22> i have a woot
15:32 < Hypnoz> woot
15:32 < enlight22> so. i suppose, i make the at service iptables stop command
15:32 < enlight22> then run the iptables to make the nat
15:32 < enlight22> then try and connect
15:32 < enlight22> all within the allotted time
15:32 < enlight22> if it breaks, at will fix it
15:33 < Hypnoz> you could try at with stopping a service
15:33 < Hypnoz> at now + 1 min system apache2 stop
15:33 < Hypnoz> something like that
15:33 < Hypnoz> see if it does it
15:34 < enlight22> hmm, ill stop pptp i think
15:34 < Hypnoz> probably faster to just do at now instead of at now + 1 min for tests
15:34 < enlight22> 1 min was doing it instantly
15:34 < enlight22> i had to test it with 2 min
15:34 < Hypnoz> 1 min will do it when the minute changes
15:35 < Hypnoz> so if you do it now + 1 min at 1:35:50
15:35 < Hypnoz> it will wait 10 sec
15:35 < enlight22> ahh
15:35 < enlight22> ok, well i did 2 minutes service pptpd stop
15:35 < enlight22> we shall see if it does
15:35 < Hypnoz> if you just do at now it should stop it right when you do at> ctrl-d
15:36 < enlight22> ok, ill try it
15:36 < Hypnoz> you could also have the at job remove the command from iptables instead of stopping it. same result
15:36 < Hypnoz> do you already have iptables started on the system?
15:36 < Hypnoz> # ps axf | grep tables
15:37 < Hypnoz> or i think cent has # system iptables status
15:37 < Hypnoz> right
15:37 < enlight22> ok, it works
15:37 < enlight22> right
15:37 < enlight22> service status
15:37 < enlight22> but it is stopped im quite sure
15:37 < enlight22> i dont use a firewall cause its behind nat
15:37 < Hypnoz> so you might want to do that at command before you start iptables
15:38 < Hypnoz> cause sometimes there's already stuff loaded in there
15:38 < Hypnoz> just starting the service might drop your net connection
15:38 < enlight22> i cleared iptables
15:38 < enlight22> but i will do as u suggest
15:38 < Hypnoz> ah
15:38 < Hypnoz> ya better safe than sorry when you're 2k miles away right :)
15:38 < enlight22> 10 minutes ought to do it
15:39 < enlight22> issuing this command wont start iptables correct iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
15:39 < enlight22> just add entr
15:39 < enlight22> entry
15:39 < Hypnoz> ya
15:39 < enlight22> cool
15:41 < Hypnoz> is eth0 the interface that goes out to the internet?
15:41 < enlight22> i hope so
15:41 < enlight22> ok done
15:41 < enlight22> started iptables
15:42 < enlight22> seems it didnt break anything
15:42 < Hypnoz> you can do # route
15:42 < Hypnoz> the destination that says "default"
15:42 < Hypnoz> that is your interface that goes out to the internet
15:44 -!- enlight22 [n=s@58.245.103.62] has quit [Read error: 104 (Connection reset by peer)]
15:44 -!- enlight22 [n=s@58.245.103.62] has joined ##openvpn
15:44 < enlight22> strange
15:50 < enlight22> perhaps i need to push dns
15:58 < enlight22> ok, that command doesnt make the routing work
15:58 < enlight22> :(
16:00 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
16:01 < Hypnoz> hmm
16:02 -!- vn [n=sys6x@c207.134.145-76.clta.globetrotter.net] has left ##openvpn []
16:02 < Hypnoz> but your openvpn connects and you can ping the openvpn server right
16:03 < Hypnoz> are you using a windows computer as the vpn client?
16:05 < enlight22> yes, windows computer is the client
16:05 < enlight22> and i can access webmin and elastix config over the vpn
16:05 < enlight22> just no internet
16:06 < enlight22> i have a creeping suspicion that it is because openvpn is giving the windows box the wrong subnet
16:06 < enlight22> it is assigning 255.255.255.254
16:07 < enlight22> when it should be 255.255.255.0
16:13 -!- enlight22_NDS [n=s@58.245.103.62] has joined ##openvpn
16:13 < Hypnoz> open cmd
16:13 < Hypnoz> and type route print
16:14 < Hypnoz> it only needs to pass the default gateway as the openvpn computer
16:15 -!- enlight22 [n=s@58.245.103.62] has quit [Read error: 104 (Connection reset by peer)]
16:16 -!- enlight22 [n=s@58.245.103.62] has joined ##openvpn
16:16 < Hypnoz> enlight22: not sure if you saw my previous message, but on windows client running vpn, open cmd and type route print
16:16 < Hypnoz> what is the default gateway
16:16 < enlight22> i didnt see that
16:16 < enlight22> did u see my message
16:17 < enlight22> this one
16:17 < Hypnoz> last I saw was "which it should be 255.255.255.0"
16:17 -!- enlight22_NDS [n=s@58.245.103.62] has quit [Read error: 104 (Connection reset by peer)]
16:17 < enlight22> i tried this guide to get pptp working
16:17 < enlight22> using these iptables
16:17 < enlight22> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
16:17 < enlight22> Next, we need to allow TCP port 1723 and the GRE protocol through iptables.
16:17 < enlight22> iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
16:17 < enlight22> iptables -A INPUT -i eth0 -p gre -j ACCEPT
16:17 < enlight22> The following iptables rules are necessary if you want to be able to route all your internet traffic through the VPN server.
16:17 < enlight22> iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
16:17 < enlight22> iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT
16:17 < enlight22> and it worked perfectly
16:17 < enlight22> so i disconnected and tried to connect openvpn
16:18 < enlight22> and it also worked for a while
16:18 < enlight22> and then i think my at command killed me
16:18 < enlight22> lol
16:18 < Hypnoz> ah
16:18 < Hypnoz> I'm surprised you would need all those iptables rules, but if you got it working more power to you
16:18 < enlight22> why would openvpn work with those commands and not the one listed in their howto
16:19 < Hypnoz> and ya i agree iptables is a bitch, i'm not even gonna try to decipher all that
16:19 < enlight22> iptables -A INPUT -i eth0 -p tcp --dport 1723 -j ACCEPT
16:19 < enlight22> iptables -A INPUT -i eth0 -p gre -j ACCEPT
16:19 < enlight22> i dont think i need that bit
16:19 < enlight22> because openvpn doesnt use that port
16:19 < enlight22> or gre
16:19 < enlight22> i think i just need the masquerade part maybe
16:19 < Hypnoz> probably true
16:20 < enlight22> but is there harm in leaving it there, then i can use pptp or openvpn?
16:20 < Hypnoz> maybe set the at service iptables stop command for like 1 hour
16:20 < enlight22> ok, doing it now
16:21 < Hypnoz> what are you using for pptp? i don't think openvpn supports that right
16:21 < enlight22> pptpd
16:21 < enlight22> poptop
16:21 < enlight22> openvpn doesnt support it
16:21 < enlight22> pptpd is so much easier, omg
16:21 < Hypnoz> i want that, since iphone/ipod support pptp for vpn
16:22 < enlight22> this guide is truly excellent then
16:22 < enlight22> http://www.anindya.com/installing-configuring-pptp-vpn-rhel-centos/
16:22 < vpnHelper> Title: Anindyas Blog Installing and Configuring PPTP VPN on RHEL/CentOS 5 (at www.anindya.com)
16:22 < enlight22> it worked first try
16:22 < enlight22> why there isnt step by step guides for openvpn is beyond me
16:22 < Hypnoz> and you run both that and openvpn on the same server
16:22 < enlight22> there are a few but they quite simply dont work
16:22 < enlight22> well, i had stopped pptpd before i messed with openvpn
16:23 < enlight22> this time as an experiment i just left both services running
16:23 < enlight22> and they both worked it seemed
16:23 < Hypnoz> http://openvpn.net/howto.html
16:23 < Hypnoz> that is the best tutorial page
16:23 < enlight22> yes, but it simply doesnt work
16:23 < enlight22> their iptables command is crap
16:24 < Hypnoz> it works for simple setups i guess
16:24 < enlight22> even though i have it configed exactly how they say
16:24 < Hypnoz> i don't tunnel traffic
16:26 < enlight22> ok, connecting to openvpn, we shall see
16:26 < Hypnoz> for your client you got 2.1_rc19 right
16:28 -!- enlight22_NDS [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has joined ##openvpn
16:28 < enlight22_NDS> ok
16:29 < enlight22_NDS> well i can connect through pptpd
16:29 < enlight22_NDS> but this time openvpn did not work
16:29 < enlight22_NDS> at all
16:30 < enlight22_NDS> lets see if my phones still work, or if iptables is blocking everything as its default action
16:31 < enlight22_NDS> ok, at this point in time, im gonna have to say fuck openvpn
16:32 < enlight22_NDS> ive been messing with it for 2.5 days now and it still doesnt work
16:32 < enlight22_NDS> and pptpd worked in 15 seconds literally
16:32 < enlight22_NDS> perhaps i will continue with it later
16:32 < enlight22_NDS> lol
16:34 < enlight22_NDS> this pptp seems to work flawlessly though
16:35 < enlight22_NDS> my head is in excruciating pain, and the sun is coming up
16:35 < enlight22_NDS> i think i shall go to sleep
16:39 < Hypnoz> what port is pptpd listening on?
16:39 < Hypnoz> I'm looking at setting it up
16:58 -!- enlight22 [n=s@58.245.103.62] has quit [Success]
16:59 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection reset by peer]
17:00 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:00 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
17:15 -!- enlight22_NDS is now known as enlight22
17:36 -!- enlight22 [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
17:41 -!- enlight22 [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has joined ##openvpn
17:45 -!- enlight22 [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
17:47 -!- enlight22 [n=s@58.245.103.62] has joined ##openvpn
17:54 < krzie> enlight22
17:55 < krzie> !sample
17:55 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
17:55 < krzie> setup certs, use those, read EVERY option from both config files in the man page ( !man ) so you understand what they do
17:55 < krzie> boom, done
17:56 < krzie> and iptables commands, try the manual as well
17:56 < krzie> manual > howto
17:57 < krzie> or you could just learn iptables (its not part of openvpn)
18:06 < Hypnoz> krzie have you ever set up pptp?
18:08 < krzie> nope, never will either
18:12 < Hypnoz> wish my iphone could connect to openvpn
18:23 < |Mike|> my nokia e51 does :p
18:27 < krzie> Hypnoz, agreed, it just needs tuntap support
18:27 < krzie> which exists for apple (3rd party of course) so it may be more of a porting issue than complete writing
18:28 < krzie> reiffert was considering developing it and putting it in the app store, i dunno if he ever got the time tho
18:58 < |Mike|> wi4
19:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
19:01 -!- enlight22_NDS [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has joined ##openvpn
19:04 -!- enlight22 [n=s@58.245.103.62] has quit [Read error: 104 (Connection reset by peer)]
19:04 -!- enlight22 [n=s@58.245.103.62] has joined ##openvpn
19:14 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:14 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
19:15 -!- enlight22_NDS [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
19:46 -!- enlight22 [n=s@58.245.103.62] has quit [Read error: 145 (Connection timed out)]
19:48 -!- enlight22 [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has joined ##openvpn
19:49 -!- enlight22_NDS [n=s@58.245.103.62] has joined ##openvpn
19:51 -!- enlight22 [n=s@pool-173-65-103-197.tampfl.fios.verizon.net] has quit [Read error: 104 (Connection reset by peer)]
20:23 -!- dollabill [n=mike@108.sub-75-216-225.myvzw.com] has joined ##openvpn
20:53 -!- sharp15 [n=stop_loo@208.102.33.103] has joined ##openvpn
20:54 < sharp15> is there a way to dump the fields of a certificate file?
20:55 < sharp15> by dump i mean view.
20:56 -!- dollabill [n=mike@108.sub-75-216-225.myvzw.com] has quit [Read error: 60 (Operation timed out)]
21:06 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Intensity, krzie, stein0, misse-, |Mike|, infe, Hak5Darren, scfh, pa, ribasushi, (+37 more, use /NETSPLIT to show all of them)
21:06 -!- Netsplit over, joins: Intensity, jhp, zuez, sharp15, enlight22_NDS, redfox, pa, stephenh, kaii, HardDisk_WP (+37 more)
21:07 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood]
21:07 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn
21:08 < sharp15> no one is here.
21:13 -!- DinkyDogg [n=DinkyDog@128.12.71.169] has joined ##openvpn
21:13 -!- master_of_master [i=master_o@p549D4497.dip.t-dialin.net] has quit [Connection timed out]
21:15 < DinkyDogg> Question for you guys: I'm getting an error "read UDPv4 [ECONNREFUSED]: Connection refused (code=111)" on my client when trying to connect to my server. This has been happening since I moved both client and server from one apartment (where they were on a LAN together) to another (where they are not on a LAN together). My ISP blocks none of my ports, and I am connecting to the internet-visible IP of the server. Any ideas on how to debug this?
21:16 -!- master_of_master [i=master_o@p549D7C20.dip.t-dialin.net] has joined ##openvpn
21:22 -!- DinkyDogg [n=DinkyDog@128.12.71.169] has quit [Remote closed the connection]
21:25 -!- jeiworth [n=jeiworth@189.163.142.201] has joined ##openvpn
21:28 -!- xod [n=onats@112.201.239.185] has joined ##openvpn
21:28 < sharp15> nevermind on my question. turns out less works just fine.
21:34 < sharp15> if i wanted more information on ssl is there a specific place i should look?
21:38 < krzie> google?
21:39 < krzie> !google how ssl works
21:39 < vpnHelper> krzie: Trustwave SSL - Support - How SSL Works: ; Secure Sockets Layer (SSL): How It Works - SSL Encryption/https ...: ; How SSL Works:
21:42 -!- xod is now known as onats
21:42 < krzie> Bushmills here?
21:42 < sharp15> krzie: was just curious if there was some specific materials recommended expected.
21:42 < Bushmills> now he is
21:42 < krzie> sharp15 not especially
21:43 < krzie> Bushmills moin moin!
21:43 < krzie> got a scripting q for ya
21:43 < krzie> if you aint busy
21:43 < Bushmills> shoot
21:44 < krzie> i wanna make a for loop, but i want it to be for everything that matches the following condition
21:44 < krzie> for agent in `awk '{print $3}' ${agentmap}|uniq` ;do
21:44 < krzie> AND
21:44 < krzie> i also need it to include any matches from this: grep "^${agent} " ${nokb}
21:44 < krzie> which were not in the first command
21:44 < Bushmills> match first, loop only through the matches
21:45 < krzie> there will be matches in the second command which were not in first
21:45 < krzie> and i need those to run through same loop
21:45 < Bushmills> matches | while read VAR ; do stuff : done for example
21:46 < krzie> basically i need a single command to output stuff from 2 files and |uniq them
21:46 < Bushmills> you can conditionally execute on condition with && , ||
21:46 < krzie> ya i use that often
21:47 < Bushmills> grep provides condition
21:48 < Bushmills> you possibly want to sort before uniq
21:49 < krzie> `awk '{print $3}' ${agentmap}|uniq` `awk '{print $3}' ${sadcuts}|uniq
21:49 < Bushmills> ah. combining, i get it ...
21:49 < Bushmills> for A in $(echo 1 2) $(echo 3 4) ; do echo $A ; done
21:49 < krzie> right
21:49 < krzie> oh shit!
21:49 < krzie> awesome, thanx bro
21:50 < Bushmills> you're welcome
21:50 < Bushmills> took me a moment to spot what you really needed...
21:50 < krzie> aye, but once you knew that it took 2 seconds =]
21:51 < Bushmills> you can also group commands, like:
21:51 < Bushmills> (echo 1 2; echo 3 4) | while read A ; do echo $A; done
21:52 < Bushmills> results may not be what you expect in this example...
21:52 < krzie> cool, ill play with both
21:53 < Bushmills> this shows the operation better: (ls; df ) | while read A ; do echo --- $A ; done
21:54 < krzie> sorry to hit and run, but work is over and i have no inet at home yet (new house)
21:54 -!- Kurogane [i=Kuro@190.87.111.150] has joined ##openvpn
21:55 < krzie> thanx a lot man
21:56 < krzie> saved the convo, gunna play with it and fully understand the differences while at home in no inet land
22:01 -!- Chrnos [n=Kuro@justice.powerlayer.net] has joined ##openvpn
22:06 -!- Chrnos [n=Kuro@justice.powerlayer.net] has quit [Read error: 104 (Connection reset by peer)]
22:06 -!- sharp15 [n=stop_loo@208.102.33.103] has quit ["thanks guys."]
22:06 -!- Chrnos [n=Kuro@justice.powerlayer.net] has joined ##openvpn
22:11 -!- Chrnos [n=Kuro@justice.powerlayer.net] has quit [Read error: 104 (Connection reset by peer)]
22:11 -!- Chrnos [n=Kuro@justice.powerlayer.net] has joined ##openvpn
22:13 -!- Kurogane [i=Kuro@190.87.111.150] has quit [Read error: 104 (Connection reset by peer)]
22:14 -!- Kurogane [i=Kuro@190.87.111.150] has joined ##openvpn
22:14 < Kurogane> any1 here familiar with CSF?
22:18 -!- Chrnos [n=Kuro@justice.powerlayer.net] has quit [Read error: 60 (Operation timed out)] 22:27 -!- sam_ [n=sam@114.92.146.94] has joined ##openvpn 22:53 -!- sam_ [n=sam@114.92.146.94] has quit [Remote closed the connection] --- Day changed Sat Sep 26 2009 00:00 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:13 -!- jeiworth [n=jeiworth@189.163.142.201] has quit [Read error: 110 (Connection timed out)] 00:26 -!- Chrnos [i=Kuro@190.87.111.150] has joined ##openvpn 00:26 -!- Kurogane [i=Kuro@190.87.111.150] has quit [Read error: 54 (Connection reset by peer)] 00:32 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:53 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:54 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn 01:05 -!- enlight22_NDS [n=s@58.245.103.62] has quit [Connection timed out] 01:44 * ecrist is not surprised enlight22 didn't find his answer 02:36 -!- zz_fahadsadah is now known as fahadsadah 02:48 -!- jeiworth [n=jeiworth@189.163.142.201] has joined ##openvpn 03:16 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has joined ##openvpn 03:16 < jedahan> can anyone help me simplify my iptables rules and still keep openvpn working? 
I feel like I copied a bit too much and am now wide open: http://pastie.org/631400 03:24 -!- fahadsadah [n=fahad@unaffiliated/fahadsadah] has left ##openvpn [] 03:36 -!- jeiworth_ [n=jeiworth@189.163.151.191] has joined ##openvpn 03:49 -!- jeiworth [n=jeiworth@189.163.142.201] has quit [Read error: 110 (Connection timed out)] 04:07 -!- jeiworth [n=jeiworth@189.163.149.132] has joined ##openvpn 04:08 -!- jeiworth_ [n=jeiworth@189.163.151.191] has quit [Read error: 60 (Operation timed out)] 04:45 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:05 -!- Chrnos [i=Kuro@190.87.111.150] has quit ["Leaving"] 05:09 -!- jeiworth_ [n=jeiworth@189.163.170.232] has joined ##openvpn 05:23 -!- jeiworth [n=jeiworth@189.163.149.132] has quit [Read error: 110 (Connection timed out)] 05:23 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 05:48 -!- jeiworth [n=jeiworth@189.163.168.65] has joined ##openvpn 05:49 -!- jeiworth_ [n=jeiworth@189.163.170.232] has quit [Read error: 60 (Operation timed out)] 06:01 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection] 06:03 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:21 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 06:28 -!- brizly [n=brizly_v@p4FC981BA.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:31 -!- brizly [n=brizly_v@p4FC982A4.dip0.t-ipconnect.de] has joined ##openvpn 06:34 -!- jeiworth_ [n=jeiworth@189.163.146.39] has joined ##openvpn 06:44 -!- Rolybrau [n=Rolybrau@205-202.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 06:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 06:45 -!- Rolybrau [n=Rolybrau@173-210.3-85.cust.bluewin.ch] has joined ##openvpn 06:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:48 -!- jeiworth [n=jeiworth@189.163.168.65] has quit [Read error: 110 
(Connection timed out)] 06:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 07:06 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 07:23 < Bushmills> your first FORWARD rule accepts all anyway, so you can drop all following ACCEPT FORWARDS - that's almost half of your rules. 07:26 -!- jeiworth [n=jeiworth@189.163.167.137] has joined ##openvpn 07:31 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"] 07:31 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 07:35 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Client Quit] 07:36 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 07:38 -!- jeiworth_ [n=jeiworth@189.163.146.39] has quit [Read error: 110 (Connection timed out)] 07:46 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has joined ##openvpn 07:46 < OpenPsycho> hi all 07:47 < OpenPsycho> have there been any issues with Openvpn and POP3/Imap connections anyone has experienced? 07:47 < OpenPsycho> my connection to POP/IMAP without openvpn is very fine and works like a charm... 
but from VPN its very sluggish. 07:47 < OpenPsycho> I would appreciate it if anyone would give me any pointers. 07:50 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has left ##openvpn [] 08:00 -!- swa_work [n=swa_work@swatteksystems.com] has quit ["Lost terminal"] 08:29 -!- mirco [n=mirco@p54B26F49.dip.t-dialin.net] has joined ##openvpn 08:46 -!- swa_work [n=swa_work@swatteksystems.com] has joined ##openvpn 09:25 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 113 (No route to host)] 09:35 -!- jeiworth [n=jeiworth@189.163.167.137] has quit [Read error: 110 (Connection timed out)] 09:48 -!- jeiworth [n=jeiworth@189.177.122.8] has joined ##openvpn 10:30 -!- mirco [n=mirco@p54B26F49.dip.t-dialin.net] has quit [] 12:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 12:27 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has joined ##openvpn 12:27 < Penol> i got Sat Sep 26 19:21:33 2009 us=173305 TAP-Win32 adapter 'ovpn' not found when i try to logon to my VPN what is the problem ? 12:28 < Penol> What to do to fix it ? 12:38 -!- Penol- [n=Penol@51.15.erx-ham.eidsiva.net] has joined ##openvpn 12:56 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has quit [Read error: 110 (Connection timed out)] 13:17 -!- swa_work [n=swa_work@swatteksystems.com] has quit [Read error: 54 (Connection reset by peer)] 13:21 < krzie> Penol- 13:21 < krzie> !configs 13:21 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:22 < krzie> namely the one with the error 13:22 < krzie> you must have done something like dev-node ovpn or something 13:22 < Penol-> dev-node ovpn 13:22 < Penol-> yeah 13:22 < Penol-> Should i remove that ? 13:22 < Penol-> or ? 13:22 < krzie> comment out that line 13:23 < Penol-> im connected now .) 
13:23 < Penol-> Thanks 13:24 < krzie> yw 13:28 -!- swa_work [n=swa_work@swatteksystems.com] has joined ##openvpn 13:33 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn 14:21 -!- Penol- [n=Penol@51.15.erx-ham.eidsiva.net] has quit [Read error: 104 (Connection reset by peer)] 14:25 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has joined ##openvpn 14:34 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has joined ##openvpn 14:34 < cvance> !howto 14:34 < vpnHelper> cvance: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:34 < cvance> !nat 14:34 < vpnHelper> cvance: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 14:35 < cvance> :) 14:43 -!- cvance [n=cvance@ip98-163-220-242.no.no.cox.net] has quit ["Ex-Chat"] 15:10 -!- cq [n=chatzill@p5B0DE960.dip.t-dialin.net] has joined ##openvpn 15:12 < cq> hello, I've looked at the !route info, and am not sure what I need, routing or bridging... I have external net--NAT--server(ubuntu) and behind the nat are a few other machines that I want to be able to access as well if I come in from outside... what do I need? 15:12 < krzie> !tunortap 15:12 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 15:13 < krzie> that is the only deciding factor between bridge/routing 15:13 < cq> ok, tun is enough then... 
15:14 < cq> windows shares I get from the server 15:14 < krzie> then !route is what you want 15:14 < krzie> its for lans behind openvpn that you want accessed over the vpn, for tun setups 15:14 -!- krzie is now known as krzee 15:17 < cq> http://my.afterdawn.com/ketola/blog_entry.cfm/3370/routing_between_openvpn_and_lan_behind_nat looks like all I need is a push route then? 15:17 < vpnHelper> Title: Routing between LAN and VPN behind NAT (at my.afterdawn.com) 15:17 < krzee> i refuse to look at that, i spent a lot of time on my doc 15:17 < krzee> lol 15:18 < krzee> (i wrote !route) 15:18 < cq> !route 15:18 < vpnHelper> cq: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:18 < krzee> the difference between my doc and most, mine is made for you to actually understand what you're doing 15:18 < krzee> others arent docs, but are actually walkthroughs 15:18 < krzee> im against those 15:19 < krzee> they lead to people coming here with no clue what they were doing cause they blindly followed some walkthrough 15:19 < cq> krzee: I've read it twice but wasn't sure which parts I needed... it's definitely not a recipe but a know-what-youre-doing doc... 15:19 < krzee> its a learn-what-you're-doing doc 15:19 < krzee> it explains every option 15:20 < krzee> but it can NOT be skimmed, you must read to learn 15:20 < cq> krzee: I didn't skim it... but I haven't touched routing in around 10 years :) 15:20 < krzee> well you're embarking on an advanced networking setup 15:20 < krzee> time to learn 15:21 < cq> what's the best way to avoid overlapping IP spaces, go somewhere in the 10. space? 15:21 < cq> right now my home setup is in the 192.168 space, which a lot of lans use... 
15:21 < krzee> somewhere in the 10 space that is uncommonly used 15:21 < krzee> 192.168 is fine too, but somewhere uncommon as well 15:21 < krzee> in the ovpn docs they use 10.8.0.x 15:22 < cq> I'm afraid of being at a client site where I tread on their range 15:22 < krzee> i use 10.8.x.x for mine, starting with 10.8.1.x and going up 15:22 < krzee> then dont use something common 15:22 < krzee> for example, DO NOT USE 192.168.0.x 15:22 < krzee> but lets say, 192.168.169.x shouldnt be common 15:22 < cq> 10.22 is my current client, I should switch the LAN to 10.22. then, that should be uncommon enough 15:23 < krzee> cant use same vpn subnet and lan subnet 15:23 < krzee> but ya 10.22.0.x should be uncommon ild think 15:23 < cq> ok, so use 10.21 LAN and .22 vpn 15:23 < krzee> should be fine ild say 15:24 < krzee> the lan is behind client or server? 15:24 < krzee> or both? 15:25 < cq> LAN is behind the NAT 15:25 < krzee> that wasnt my question 15:25 < cq> the server is in the LAN 15:25 < krzee> the nat doesnt matter 15:25 < krzee> ok so the lan is behind the server 15:25 < krzee> once connected to the vpn, the nat basically doesnt exist 15:26 < cq> depends on what you mean by behind, after the VPN connection yes. 
15:26 < krzee> only time the nat comes into play is when making initial connection to vpn, if you can connect forget bout the nat 15:26 < krzee> all you need is a push route 15:26 < krzee> AND 15:26 < krzee> what i say below the image, ROUTES TO ADD OUTSIDE OVPN 15:32 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has quit [Read error: 54 (Connection reset by peer)] 15:34 < cq> krzee: suggestion: before the 'first push' add a minor heading along the lines of 'Push route entries: let the VPN clients know which subnets are available over VPN' and before the The Route Entries another one with 'Route Entries: tell the OpenVPN server which nets are available and how to access them when a connection is established' 15:35 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has joined ##openvpn 15:35 < krzee> huh? 15:41 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Intensity, cq, stein0, misse-, |Mike|, infe, Hak5Darren, scfh, pa, ribasushi, (+39 more, use /NETSPLIT to show all of them) 15:42 -!- Netsplit over, joins: Penol, cq, Gumbler, bauruine, sigius, Rolybrau, theDoc, jedahan, master_of_master, zuez (+38 more) 15:42 < cq> using expr or what? 15:42 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood] 15:42 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn 15:42 < krzee> bc 15:42 < krzee> could use bash builtin but i like that it can run in sh 15:42 < krzee> or csh 15:42 < krzee> etc 15:43 < cq> yeah... one of the things I use a ton in perl is $debug=3; print "whatever debugging info $vars\n" unless $debug<3; to get debugging levels... 
I miss that in shell 15:44 < krzee> i only need 2 debug levels 15:44 < krzee> set -x and [ -n "${VERB}" ] && echo "shit happens" 15:45 < krzee> shell is extremely powerful when used right, if you dont believe me take a look at bushmills' code sometime 15:46 < krzee> granted, a scripting language is more powerful when used right 15:46 < krzee> but i was not upto writing this in something im less than great with 15:46 < cq> rotfl first answer to shell scripting question in http://www.computing.net/answers/solaris/sample-shell-script-code/4535.html 15:46 < krzee> i would say expert, but after seeing shit bushmills' wrote i knocked myself down a peg 15:46 < vpnHelper> Title: sample Shell script code (at www.computing.net) 15:47 < cq> is there a link to some of his code somewhere? 15:47 < cq> I was googling and didn't find it. 15:47 < krzee> hahaha 15:48 < krzee> dunno, but hes often here 15:49 < cq> I may drop offline, going to change some IPs around... 15:54 < cq> ok, now that's annoying, my dsl router refuses to accept anything outside of 192.168 ... so no 10. nets for me 15:54 < krzee> i always lol at stuff like that 15:54 < krzee> i lol cause they call them "routers" 15:54 < krzee> yet they are merely nat boxes 15:55 < cq> yeah... don't really do much, but it has a linux based FW on it that you can change, so theoretically you can do anything... 15:55 < cq> but it's not worth hacking around for that 15:55 < krzee> you mean you have installed the linux firmware or you COULD 15:56 < cq> there IS a linux FW on it, I can get the source, change it, and reflash it if I want. 15:59 < krzee> waitwait 15:59 < krzee> so its already running a linux firmware? 15:59 < krzee> just ssh in and add the route then 16:08 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn 16:10 < cq> telnet and connections refused, need a different FW on there first... 
16:16 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit ["No Ping reply in 90 seconds."] 16:16 < krzee> shouldnt be telnet, should be ssh 16:18 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 16:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 16:20 < Bushmills> cq, http://www.forthfreak.net/index.cgi?BashForth would be an example 16:20 < vpnHelper> Title: BashForth - Kwiki (at www.forthfreak.net) 16:20 -!- jeiworth [n=jeiworth@189.177.122.8] has quit [Read error: 110 (Connection timed out)] 16:21 < Bushmills> click on "source code" for .. you guessed it. 16:25 < Bushmills> pointers to functional equivalents in other scripting languages, therefore useful as comparison base, can be found here: http://www.forthfreak.net/index.cgi?ForthCoreWords 16:25 < vpnHelper> Title: ForthCoreWords - Kwiki (at www.forthfreak.net) 16:34 -!- naquad [n=naquad@83.143.234.194] has left ##openvpn ["Ухожу я от вас (xchat 2.4.5 или старше)"] 16:41 < krzee> Bushmills, what you said yesterday was perfect 16:41 < krzee> thx again =] 16:42 < krzee> i thought i was gunna hafta functionalize the whole loop and make 2 loops 16:43 < krzee> and once again, that bashforth is insane 16:44 < Bushmills> glad it worked for you 16:44 < Bushmills> yes, often it is called "nuts" but insane describes it very well too 16:44 < krzee> hehe 16:45 < krzee> another good description: mental gymnastics 16:45 < krzee> oh hey 1 more q 16:45 < krzee> for agent in $(awk '{print $3}' ${agentmap}|sort|uniq) $(awk '{print $3}' ${sacuts}|sort|uniq) ;do 16:45 < Bushmills> for me it was an exercise in bash, not in implementing a forth interpreter/compiler 16:46 < krzee> is there a way to sort|uniq the output of both together? 16:46 < krzee> if not i can simply check if they have ran yet when processing, but its cleaner to me if i can sort|uniq the results of both together 16:46 < krzee> seems to me there is not since it runs 1 then other 16:47 < Bushmills> probably: $( awk (1) ....; awk (2) .... 
) | sort|uniq 16:48 < Bushmills> ehm hang on, sort and uniq need to be within ... 16:51 < Bushmills> st like (echo 4 ; echo 2 ; echo 3 ; echo 1)|sort|uniq|while read A; do echo $A ; done 16:52 < krzee> [jeff@logs ~/GRANDE/configs]$ (echo 1 ; echo 2 ; echo 3 ; echo 1)|sort|uniq|while read A; do echo $A ; done 16:52 < krzee> 1 16:52 < krzee> 2 16:52 < krzee> 3 16:52 < krzee> yup 16:52 < krzee> thats it 16:52 < krzee> you = ninja 16:53 < krzee> == rather ;] 16:53 < Bushmills> ty :) 16:55 < krzee> (awk '{print $3}' ${agentmap} ; awk '{print $3}' ${sacuts})|sort|uniq|while read agent ;do 16:55 < krzee> =] 16:56 < Bushmills> i ordered me two items, and when i received them, i thought those should be great for somebody who is both mobile and likes to drink a drop. in short, i thought of you when 16:57 < Bushmills> one of them is http://www.dealextreme.com/details.dx/sku.27662 . 16:57 < vpnHelper> Title: DealExtreme: $4.63 Stainless Steel Retractable Travellers Cup Keychain (Small/60ml) (at www.dealextreme.com) 16:57 < Bushmills> good size for a triple shot 16:58 < krzee> thats awesome! 16:58 < Bushmills> i have it here right now, and it is of pretty decent quality 16:58 < krzee> oh ya i forgot my buddy wants to get some absinth for his bar 16:58 < Bushmills> appears to be made from austerite. 17:01 < krzee> how much do you think a bottle of high quality is? 17:01 < krzee> its for his bar, but he wont be selling it, its for us to drink there =] 17:02 < krzee> his bar doesnt even make a profit, but it pays for itself and keeps us all drinking at the cost to him =] 17:04 < Bushmills> i estimate a bottle of good quality at about 10..15 EUR, which is 14..21 $ 17:04 < krzee> you have paypal? 
17:04 < Bushmills> yes 17:05 < krzee> cool, lemme see how many he wants 17:05 < krzee> im broke but ill be able to drink his ;] 17:05 < Bushmills> hehe 17:05 < krzee> just moved into a new place, its brutal 17:05 < krzee> keeps me broke as shit, gotta buy every little thing 17:05 < krzee> since i moved out of usa i been renting furnished places 17:06 < Bushmills> if you don't mind a suggestion of an interesting drink: 17:06 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 104 (Connection reset by peer)] 17:06 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 17:06 < Bushmills> i had a bottle of topi not too long ago. not very commonly consumed stuff 17:06 < krzee> 12 bottles cool? 17:06 < krzee> topi...? never heard of it 17:06 < Bushmills> its brandy from topinambur. also known as jerusalem artichoke. is commercially grown in texas, for example 17:07 < Bushmills> taste is a bit between grappa and slivovitz 17:07 < Bushmills> tastes stronger than it actually was. 17:08 < Bushmills> so if he's looking for an unusual, and not too known drink, mention topi to him 17:08 < krzee> when i read what you said he said "in other words it tastes like fermented ass" 17:08 < krzee> LOL 17:10 < krzee> im getting the address to ship to, msg paypal info? 17:10 < krzee> and is a case ok (12)? 17:10 < krzee> if not, whatever amount under that is fine too, dont wanna put you out any 17:10 < krzee> (put you out = be a pita) 17:13 < Bushmills> http://www.busses.de/zunsweier/images/beitraege/schnaps.499x300.jpg this is topi 17:13 < Bushmills> http://z.about.com/d/germanfood/1/0/v/4/-/-/Rosslerbyschwarzwald.jpg 17:13 < krzee> its a type of schnaps? 
17:13 < Bushmills> yes 17:13 < krzee> that was a nickname of mine for awhile, schnaps 17:13 < krzee> (irl) 17:14 < krzee> he lost all interest when he heard it compared to grappa, lol 17:14 < Bushmills> nice about this topi is that there doesn't exist a huge industry for it 17:15 < krzee> but we've all had absinthe here, and love it 17:15 < Bushmills> so many distillers are the "traditional" type, small and not too much output 17:16 < Bushmills> good that he lost interest, it would be difficult to get it here where i am now. 17:16 < Bushmills> even though it is only distilled about 200 km away from here 17:16 < krzee> lol 17:17 < Bushmills> but absinth is easier. 17:17 < Bushmills> i'll check out current prices and qualities and come back when i know more 17:17 < Bushmills> looking forward to testing the brew first :) 17:17 < krzee> right on =] 17:18 < krzee> the brew = something you're making? 17:18 < Bushmills> no, the absinth 17:18 < Bushmills> it is frequently available in shops who tap it from vat, bottle it for you 17:18 < krzee> ahh, thats the fun part =] 17:19 < Bushmills> isn't there a problem, getting 12 bottles of spirit through the customs? 17:20 < krzee> nah shouldnt be 17:20 < krzee> just costs some on this side 17:20 < krzee> could prolly get a tank through here with the right $ ;] 17:21 < Bushmills> not that the customs officers, when reading "booze", put it aside for themselves? 17:21 < krzee> nah 17:21 < krzee> they get paid and buy what they like instead 17:21 < krzee> the pay goes right to their pocket 17:28 < krzee> oh, you mean liquor... 
i thought you DO make that 17:29 < krzee> oops wrong win 17:32 -!- cq [n=chatzill@p5B0DE960.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 17:39 < krzee> how bout if its going to usa 17:39 < krzee> bleh 17:42 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 17:43 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 17:49 < Bushmills> you're sure you need any additional booze :P 17:50 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection] 17:50 < krzee> lol 17:55 -!- swa_work [n=swa_work@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 18:15 -!- swa_work [n=swa_work@swatteksystems.com] has joined ##openvpn 18:26 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"] 18:46 -!- jeiworth [n=jeiworth@189.163.167.137] has joined ##openvpn 18:53 -!- jeiworth [n=jeiworth@189.163.167.137] has quit [Remote closed the connection] 18:53 -!- jeiworth [n=jeiworth@189.163.167.137] has joined ##openvpn 21:13 -!- master_of_master [i=master_o@p549D7C20.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:17 -!- master_of_master [i=master_o@p549D474F.dip.t-dialin.net] has joined ##openvpn 21:36 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 22:15 -!- [-jon-]__ [n=jon@oaainsurance.com] has left ##openvpn [] 23:46 -!- xod [n=onats@112.201.239.185] has joined ##openvpn 23:47 -!- xod is now known as onats --- Day changed Sun Sep 27 2009 00:17 -!- aardwolf_ [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has joined ##openvpn 00:35 -!- Hak5Darren [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has quit [Read error: 111 (Connection refused)] 00:43 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has joined ##openvpn 02:19 -!- hyper_ch [n=hyper@191-36-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection] 03:34 -!- Rolybrau [n=Rolybrau@173-210.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed 
out)] 03:35 -!- Rolybrau [n=Rolybrau@190-242.3-85.cust.bluewin.ch] has joined ##openvpn 04:17 -!- roninbaka [n=email@61.159.248.75] has joined ##openvpn 04:18 < roninbaka> !redirect 04:18 < vpnHelper> roninbaka: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 04:19 < roninbaka> How would i exclude ip ranges from going through my openvpn connection? 04:19 < roninbaka> i'm in china and want to exclude all chinese traffic from going through my vpn in the US. to avoid the slowdown 04:19 < reiffert> see !firewall 04:20 < reiffert> oh, that way. See routing. 04:30 < roninbaka> !outing 04:30 < vpnHelper> roninbaka: Error: "outing" is not a valid command. 04:30 < roninbaka> !routing 04:30 < vpnHelper> roninbaka: Error: "routing" is not a valid command. 04:31 < roninbaka> !route 04:31 < vpnHelper> roninbaka: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:38 < roninbaka> i want to do an exception to route how do i do that? 04:40 < reiffert> route add -net china-netblock gw yourlocalchinagw 04:41 < reiffert> note, there are no exceptions on routes, there are just "other routes". 04:43 < roninbaka> can i also route using url's that way? 04:48 < reiffert> similar to *.cn? no. example.cn? yes, if example.cn resolves to just one ip address. 04:49 < roninbaka> so something like *.google.cn wouldn't work 04:49 < reiffert> what you do here is a transparent squid/proxy and use acl dst_domain .cn in combination with tcp_outgoing_address and multi provider routing eg with the help of netfilter (linux). 04:51 < roninbaka> i'm with windows unfortunately.. if possible I want to do it in the openvpn conf as then it doesn't matter what system is being run 04:52 < reiffert> there is squid for windows. 
04:52 < roninbaka> and example is the ip block 58.14.0.0/15 is chinese so i would put this into the conf "route add -net 58.14.0.0/15 gw 192.168.1.1" right? 04:53 < reiffert> when 192.168.1.1 leads to china, then yes. 04:53 < roninbaka> is it just gw or -gw? 04:53 < reiffert> it is "read the help from the program that belongs to your OS" 04:54 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn 05:00 < roninbaka> thanks for your help hopefully i can get this working 05:02 < reiffert> I recommend using a squid/proxy on top of openvpn. 05:10 < roninbaka> yeah i think i will have to open vpn can not add more than 100 routes 05:10 < roninbaka> i have 1514 05:13 < roninbaka> i was really hoping to avoid that so that i can easily put it on other peoples computers 05:43 -!- mirco [n=mirco@p4FDCE3EA.dip.t-dialin.net] has joined ##openvpn 05:45 -!- hyper_ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has joined ##openvpn 05:50 < |Mike|> hi! 05:50 < |Mike|> how do i start openvpn? 06:14 -!- brizly1 [n=brizly_v@p4FC99B73.dip0.t-ipconnect.de] has joined ##openvpn 06:17 -!- mirco [n=mirco@p4FDCE3EA.dip.t-dialin.net] has quit [] 06:24 -!- jeiworth [n=jeiworth@189.163.167.137] has quit [Read error: 110 (Connection timed out)] 06:27 -!- mirco [n=mirco@tmo-104-229.customers.d1-online.com] has joined ##openvpn 06:30 -!- brizly [n=brizly_v@p4FC982A4.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:45 < Bushmills> it will be a bit bothersome to exclude all of china that way. between 208.x.x.x and 223.x.x.x are many china ip blocks, but often not consecutive. 
06:49 < reiffert> |Mike|: press the red button 06:50 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 06:50 < |Mike|> reiffert: :D 06:58 -!- mirco [n=mirco@tmo-104-229.customers.d1-online.com] has quit [Connection timed out] 07:10 -!- mirco [n=mirco@p54B23E66.dip.t-dialin.net] has joined ##openvpn 07:20 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 104 (Connection reset by peer)] 07:33 -!- mirco [n=mirco@p54B23E66.dip.t-dialin.net] has quit [] 07:52 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee, ribasushi 07:54 -!- Netsplit over, joins: ribasushi, krzee 07:54 -!- ribasushi [n=rabbit@dslb-084-063-061-149.pools.arcor-ip.net] has quit [SendQ exceeded] 07:54 -!- ribasushi [n=rabbit@dslb-084-063-061-149.pools.arcor-ip.net] has joined ##openvpn 08:20 -!- misterbean [n=misterbe@unaffiliated/misterbean] has left ##openvpn ["Leaving"] 09:19 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 09:45 -!- jeiworth [n=jeiworth@189.163.167.137] has joined ##openvpn 10:35 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 10:59 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 11:06 -!- tecchi [n=tecchi@ip-95-222-213-255.unitymediagroup.de] has joined ##openvpn 11:08 -!- tecchi [n=tecchi@ip-95-222-213-255.unitymediagroup.de] has quit [Client Quit] 11:18 -!- hyper__ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has joined ##openvpn 11:18 -!- hyper_ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has quit [Nick collision from services.] 
11:18 -!- hyper__ch is now known as hyper_ch 11:19 -!- Penol [n=Penol@51.15.erx-ham.eidsiva.net] has quit [Read error: 113 (No route to host)] 11:33 -!- jeiworth_ [n=jeiworth@189.163.179.220] has joined ##openvpn 11:48 -!- jeiworth [n=jeiworth@189.163.167.137] has quit [Read error: 110 (Connection timed out)] 12:12 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:19 -!- c64zottel [n=hans@p5B17A9DB.dip0.t-ipconnect.de] has joined ##openvpn 12:19 -!- c64zottel [n=hans@p5B17A9DB.dip0.t-ipconnect.de] has left ##openvpn [] 12:26 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 12:28 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 12:29 -!- Netsplit over, joins: krzee 12:38 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 12:40 -!- Netsplit over, joins: krzee 12:49 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 12:49 -!- Netsplit over, joins: krzee 12:53 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 12:54 -!- Netsplit over, joins: krzee 12:58 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 13:03 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 13:04 -!- Netsplit over, joins: krzee 13:10 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: krzee 13:18 -!- APTX|_ is now known as APTX| 13:33 -!- ronin-baka [n=email@61.159.248.103] has joined ##openvpn 13:47 -!- roninbaka [n=email@61.159.248.75] has quit [Read error: 110 (Connection timed out)] 14:15 -!- dougy[itouch] [n=dougyito@64.18.128.2] has joined ##openvpn 14:24 -!- dougy[itouch] [n=dougyito@64.18.128.2] has quit ["Colloquy for iPhone - http://colloquy.mobi"] 14:33 -!- jedahan [n=jedahan@ool-45717d06.dyn.optonline.net] has left ##openvpn ["Leaving"] 14:48 -!- jeiworth [n=jeiworth@189.163.179.220] has joined ##openvpn 14:48 -!- jeiworth_ [n=jeiworth@189.163.179.220] has quit [Read error: 104 (Connection reset by peer)] 15:17 -!- krzee 
[n=krzee@butters.secure-computing.net] has joined ##openvpn 16:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 16:59 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 17:19 -!- ronin-baka [n=email@61.159.248.103] has quit [Read error: 104 (Connection reset by peer)] 17:19 -!- roninbaka [n=email@61.159.248.103] has joined ##openvpn 17:34 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 17:35 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"] 18:06 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 18:06 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit] 18:07 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 18:08 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 18:57 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 19:21 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 20:45 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 21:13 -!- master_of_master [i=master_o@p549D474F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:17 -!- master_of_master [i=master_o@p549D49B7.dip.t-dialin.net] has joined ##openvpn 22:36 < onats> anyone play golf here? whats the best website to buy shoes from? 22:52 -!- thedoc_ [n=zing@119.73.165.162] has joined ##openvpn 22:55 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Nick collision from services.] 
22:55 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 23:04 -!- nuhiNlow_ [i=bouncer@adsl-64-216-48-227.dsl.ablntx.swbell.net] has joined ##openvpn 23:12 -!- thedoc_ [n=zing@119.73.165.162] has quit [Read error: 110 (Connection timed out)] 23:15 -!- nuhiNlow [n=anewhigh@ppp-69-155-61-9.dsl.ablntx.swbell.net] has quit [Read error: 110 (Connection timed out)] 23:35 -!- nuhiNlow_ is now known as nuhiNlow 23:43 -!- Wanderer [i=nomad@c-98-245-36-37.hsd1.co.comcast.net] has joined ##openvpn 23:44 < Wanderer> if a CA expires, but the keys/crts built off it are good for 9 years, is it possible to rebuild the CA without recreating all the crts/keys, etc for clients? 23:53 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:55 -!- epaphus [n=unix3@201.199.62.74] has quit [Client Quit] 23:55 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn --- Day changed Mon Sep 28 2009 00:29 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has left ##openvpn [] 00:32 -!- _Snark [n=a@203-206-130-80.perm.iinet.net.au] has joined ##openvpn 00:32 < _Snark> !route 00:32 < vpnHelper> _Snark: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 00:38 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 00:42 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection] 00:46 < _Snark> ok, after reading that, i hope my confusion isn't too moronic. i'm using a tap setup as per a guide i found not tun, and i'm not really trying to route between networks per se, this is a roadwarrior client-into-network setupid. I am connecting fine, but don't seem to be passing any traffic down the link. I am at least basically familiar with vpn config and routing (just not openvpn). 
is it a bad thing to have the client ip pool on the same ne 00:47 < _Snark> sorry, pool is 182-200 00:47 < _Snark> anyway 00:47 < _Snark> is it potentially just a firewall issue? the guide mentions nothing about ipchains (or is it tables these days?) config 00:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:54 -!- FluxD [n=FluxD@unaffiliated/fluxd] has joined ##openvpn 00:55 < FluxD> Hi, I am new to openvpn. I am trying to connect to an openvpn server with the config I got from them. I am on ubuntu/debian. Can anyone guide me how to connect? 01:01 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Remote closed the connection] 01:14 -!- chinsan_ is now known as chinsan 01:18 -!- swa_work [n=swa_work@swatteksystems.com] has quit [Remote closed the connection] 01:30 -!- Rolybrau [n=Rolybrau@190-242.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 01:30 -!- Rolybrau [n=Rolybrau@94-231.3-85.cust.bluewin.ch] has joined ##openvpn 01:30 < error404notfound> FluxD, whats the issue? 01:39 < FluxD> error404notfound, I am not really sure how to connect I tried using the gnome network manager applet too but it just says vpn connection not established 01:39 < error404notfound> FluxD, did you follow the openvpn how available at the site? 01:39 < error404notfound> !howto 01:39 < vpnHelper> error404notfound: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:40 < FluxD> nope let me start on that 01:40 < FluxD> thanks 01:41 < FluxD> error404notfound, I am behind a router Do I need to do anything extra? 01:41 < error404notfound> FluxD, you might need to open the respected ports 01:41 < FluxD> error404notfound, I am not running the server just the client part 01:42 < error404notfound> FluxD, still i think you will need to open ports 01:42 < FluxD> oh 01:42 < FluxD> And for a computer without a router? 
01:44 < error404notfound> FluxD, applies same if there is a firewall 01:45 < error404notfound> is this your first time? if this, i would highly recommend the quick howto version... 01:45 < FluxD> Yea it is, I am reading it on the side 01:46 < FluxD> error404notfound, on linux do I do the openvpn config file as root? 01:49 < error404notfound> FluxD, sorry? 01:49 < error404notfound> you do need config files pointing to the server and any certificates if its over ssl 01:55 < error404notfound> i need to allow a client in LAN of openvpn client, i followed http://openvpn.net/index.php/open-source/documentation/howto.html#scope , created ccd, create a file with iroute, edited server.conf and added route with same subnet, restarted the daemon, but no use. 01:55 < vpnHelper> Title: HOWTO (at openvpn.net) 01:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:05 -!- FluxD [n=FluxD@unaffiliated/fluxd] has quit [Read error: 110 (Connection timed out)] 02:37 -!- bauruine [n=bauruine@92.104.145.232] has joined ##openvpn 02:37 -!- bauruine_ [n=bauruine@92.104.145.232] has joined ##openvpn 02:37 -!- bauruine_ [n=bauruine@92.104.145.232] has quit [Read error: 131 (Connection reset by peer)] 02:53 < kaii> error404notfound: assuming you configured it correctly, you should be able to see the routed (client) subnet in the openvpn "status" table 02:53 < error404notfound> kaii, works :D 02:54 < kaii> error404notfound: if its in the status table there are 2 common reasons for this to not work 02:54 < kaii> error404notfound: ok 02:54 < error404notfound> thanks :D 02:54 < error404notfound> openvpn is one great tool to be free (both definitions) 03:55 < error404notfound> need an idea over why a machine over 192.168.56.6 can ping 192.168.56.1 (vpn server) but not 192.168.56.14 (another client) 03:59 < error404notfound> works 04:01 < theDoc> You don't have the client-to-client directive turned on 04:13 -!- bandini [n=bandini@host19-21-dynamic.20-79-r.retail.telecomitalia.it] has 
joined ##openvpn 04:14 < error404notfound> theDoc, yup :D 04:15 < error404notfound> okay, one more thing, i know how to make vpn-server aware of a lan behind a vpn client, but what if there are two lans behind a vpn client? same stuff? 04:26 -!- dazo|afk is now known as dazo 04:26 -!- dazo [n=ndazo@nat/redhat/x-txohhimnzojwjnfs] has quit [Remote closed the connection] 04:27 -!- dazo [n=nndazo@nat/redhat/x-oukdslrasharhhen] has joined ##openvpn 04:36 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 60 (Operation timed out)] 04:39 -!- dazo is now known as dazo|afk 04:53 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has quit [Connection timed out] 04:54 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has joined ##openvpn 05:01 -!- error404notfound [n=shoaibi@58-65-160-128.nayatel.pk] has left ##openvpn ["User guilty of hitting the Big Red X"] 05:09 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 05:17 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:38 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:14 -!- brizly [n=brizly_v@p4FC984B1.dip0.t-ipconnect.de] has joined ##openvpn 06:29 -!- brizly1 [n=brizly_v@p4FC99B73.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:51 -!- bauruine [n=bauruine@92.104.145.232] has quit [Read error: 148 (No route to host)] 07:11 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 07:12 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 07:40 -!- kyrix [n=ashley@91-115-177-18.adsl.highway.telekom.at] has joined ##openvpn 07:52 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:24 -!- jeiworth [n=jeiworth@189.163.179.220] has quit [Connection timed out] 08:25 < Optic> mooo 08:28 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 08:41 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 08:42 -!- sunta [n=cw@213.160.11.230] has joined ##openvpn 
08:43 < sunta> hello community. I have issues with openvpn 2.1_rc19 when trying to access my IMAP-server. imap is the only protocol that causes issues. can anyone point me to some considerations when using openvpn on windows7? 08:45 < ecrist> good morning 08:46 < ecrist> sunta: you have not told us what your issue is. 08:47 < sunta> sorry. I can open the VPN connection. anything is working besides IMAP. I can use www/svn/smtp 08:47 < sunta> both sides 2.1_rc19 08:47 < ecrist> sunta: check your firewall 08:48 < ecrist> OpenVPN isn't going to block any specific protocols by itself. 08:48 < sunta> vista/linux/XP dont have that problem. only windows7 08:51 < ecrist> perhaps it's an issue with the windows 7 firewall 08:51 < ecrist> iirc, it does some policy-based routing things in an attempt to be smarter than you 08:52 < sunta> hm will check that 08:52 < sunta> tried to telnet port143, but win7 seems to not have telnet 08:53 < sunta> funny thing: non VPN-secured IMAP connections work 08:53 < sunta> will check the firewall on win7 for tunnel-interface 09:05 -!- jeiworth [n=jeiworth@189.177.136.30] has joined ##openvpn 09:06 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 09:06 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 09:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:26 -!- AZaz [n=user@87.98.172.238] has joined ##openvpn 09:26 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 09:27 < AZaz> i have a vpn that routes out to the internet. The server has two IP addresses on 1 interface. The openvpn server is bound on the 1st IP. When I try to connect to the 2nd IP, it recognizes my IP as the local one, 10.8...., and not as the 1st, how can I solve this? 
09:46 < ecrist> local 09:57 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 10:02 -!- dazo|afk is now known as dazo 10:02 -!- dazo [n=nndazo@nat/redhat/x-oukdslrasharhhen] has quit [Remote closed the connection] 10:04 -!- dazo [n=nnndazo@62.40.79.66] has joined ##openvpn 10:11 -!- Abel408 [i=48e07777@gateway/web/freenode/x-owzccjpxrjxpytrl] has joined ##openvpn 10:11 < Abel408> Does this log mean that my certificates are wrong? http://pastebin.com/d4cb49658 10:22 -!- kyrix [n=ashley@91-115-177-18.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)] 10:22 -!- ashley_ [n=ashley@91-115-186-140.adsl.highway.telekom.at] has joined ##openvpn 10:23 < sunta> Abel408, looks like 10:23 < sunta> self made certificates? 10:24 < Abel408> nope... I'm gonna try transfering the certs again... 10:26 -!- dollabill [n=mike@97.66.26.10] has quit [] 10:27 < sunta> never tried without selfmade certificates:( 10:28 -!- dazo is now known as dazo|afk 10:29 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 10:35 -!- Abel408 [i=48e07777@gateway/web/freenode/x-owzccjpxrjxpytrl] has quit [Ping timeout: 180 seconds] 10:42 < ecrist> self-made certs are fine 10:44 -!- dazo|afk is now known as dazo 10:45 -!- dazo [n=nnndazo@62.40.79.66] has quit [Remote closed the connection] 10:46 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:49 -!- dazo [n=nnnndazo@nat/redhat/x-wdayuenwmcbkljwl] has joined ##openvpn 10:49 -!- dazo [n=nnnndazo@nat/redhat/x-wdayuenwmcbkljwl] has quit [Remote closed the connection] 10:49 -!- sunta [n=cw@213.160.11.230] has left ##openvpn ["Verlassend"] 10:50 -!- dazo_ [n=nnnnndaz@nat/redhat/x-deszihwxlzjxigkx] has joined ##openvpn 10:50 -!- dazo_ is now known as dazo 10:50 -!- AZaz [n=user@87.98.172.238] has left ##openvpn [] 10:51 -!- Abel408 [i=48e07777@gateway/web/freenode/x-cywgnycvxsshcdjh] has joined ##openvpn 10:53 < Abel408> Ok, I got my client to connect to the server 
but I cannot see anything on the network behind the server and I think it is because of my route add statement because I get an error in my log. I was wondering if anyone could lead me in the right direction. http://pastebin.com/d48446c8d 10:53 -!- dazo is now known as dazo|afk 10:54 < Abel408> oh crap I'm dumb 10:54 < Abel408> I forgot the 0 10:55 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Remote closed the connection] 10:58 < Abel408> Ok, I fixed my push statement, but still getting a route add error. http://pastebin.com/d48df54a4 Could it be because my netmask is huge? 11:20 -!- ashley_ [n=ashley@91-115-186-140.adsl.highway.telekom.at] has quit ["Leaving"] 11:41 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:42 -!- Abel408 [i=48e07777@gateway/web/freenode/x-cywgnycvxsshcdjh] has quit ["Page closed"] 11:48 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 11:53 -!- SockPants [n=jeroen@88.159.122.137] has joined ##openvpn 11:53 < SockPants> im in the process of setting up an openvpn server on my router, and i think that part's done, so i need to set it up so i can connect from my ubuntu 9.04 client. i'm using x509 keys but i have no idea where to set it up. in 'network connections' all the buttons in the 'vpn' tab are disabled 11:56 < |Mike|> you can't set keys or authentication method(s) ? 11:57 < SockPants> |Mike|: i think it's supposed to be a list of vpn connections but all the 'add','edit' buttons are gray, i wouldn't know where else to look 11:57 < SockPants> i went to synaptic and got 'openvpn' so i suppose it must be somewhere 11:57 < |Mike|> what kind of router are you using ? 
11:57 < SockPants> pfsense 11:58 < |Mike|> !linnat 11:58 < vpnHelper> |Mike|: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 11:58 < SockPants> that's almost mostly gibberish to me 12:00 < SockPants> how does nat apply here? 12:02 < |Mike|> the openvpn server runs on your router right ? 12:03 < SockPants> yeah 12:03 < SockPants> that part should be set up 12:03 < SockPants> i'm trying to make it so i can connect to it when i'm out of the house 12:07 -!- S0ckPants [n=SockPant@88.159.122.137] has joined ##openvpn 12:07 -!- SockPants [n=jeroen@88.159.122.137] has left ##openvpn [] 12:11 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 12:22 -!- BingOo [i=BingO_@wlan-s-117.hh.se] has joined ##openvpn 12:22 < BingOo> Hiii Rooom !! 12:22 < BingOo> hope all will be fine 12:22 < BingOo> i have installed OpenVPN with Webmin.. 12:22 < BingOo> can OpenVPN communicate from one to multiple sides ? 12:23 < BingOo> i meant... under Certificate Authority List, if i will create multiple Certificate Authorities ? 12:24 < BingOo> i created two VPN CAs (Certificate Authorities), one is on port 1194 and the other one is 1195 .. 12:25 < BingOo> service is not trying to run but i want to verify that it will work ??? 12:25 < ecrist> should 12:26 < BingOo> thanks for reply.. ecrist 12:26 < BingOo> you meant to say that ... it should work with two different ports ? 12:26 < BingOo> hmm my scenario is 1 server ............ connecting with two other servers/clients but with different keys/info/ports 12:27 < BingOo> ?? 12:29 < BingOo> one is setup with 1194 which is working fine.. 12:29 < BingOo> but for the other CA... which port should i use ?? 12:30 < BingOo> little bit of confusion.. 
any one ?????????????? 12:31 < BingOo> hope some one get.. i want that 2-3 guys will connect on different ports on this one same server (1195,1196,1197).. is it possible ? 12:32 -!- FurnaceBoy [n=FurnaceB@bas1-toronto10-1279398894.dsl.bell.ca] has joined ##openvpn 12:33 < FurnaceBoy> hey all. I see a problem every few months where a client won't succeed in TLS negotiation, typically after a loss of connectivity. Then later it will succeed again. This happens rarely but I have no idea what causes it. Restarting client or server doesn't help. 12:33 < BingOo> any expert ????? 12:33 < FurnaceBoy> I am using ta.key 12:33 < |Mike|> !tls-auth 12:33 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 12:34 < FurnaceBoy> |Mike|: is that for me? 12:34 < |Mike|> yep 12:34 < FurnaceBoy> no, that's not my problem. 12:34 < BingOo> welcome.. Mike.. giv solution of my issue :(.. 12:34 < FurnaceBoy> I've been using tls-auth for years. this is a transient issue. 12:34 < |Mike|> you might want to set the ehm, timeout higher then FurnaceBoy 12:34 < |Mike|> timeouts due network connectivity is p.i.t.a imho 12:35 < FurnaceBoy> |Mike|: yeah it looks like a timeout. this client has been retrying for 8 hrs + 12:35 < |Mike|> s/is/are 12:35 < FurnaceBoy> |Mike|: other clients on the same internal network, via same router, are connected to vpn 12:35 < |Mike|> you can ping the server from the client side ? 12:35 < FurnaceBoy> not on that client, it's not getting past tls auth. 12:35 < |Mike|> or even from your internal network to the server (not trough openvpn!) 12:36 < |Mike|> traceroute openvpn-server ? 12:36 < FurnaceBoy> |Mike|: internal network is home net behind router, external is colo. other clients are negotiated and functioning. 
12:36 < FurnaceBoy> |Mike|: it's affecting a single client, and it's transient. 12:36 < |Mike|> you can ssh without a problem to the colocated box? 12:36 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 12:36 < FurnaceBoy> |Mike|: absolutely. 12:36 < |Mike|> (even from the client wich has that problem) ? 12:36 < FurnaceBoy> |Mike|: yes. 12:37 < |Mike|> how many clients are connected? 12:37 < FurnaceBoy> |Mike|: the only problem observed is failure to get past TLS .. been like this for 8+ hours; not the first time I've seen this. Maybe 6 ? 12:37 < |Mike|> i've only seen such a problem in a huge setup (topology, /30 etc) 12:37 < FurnaceBoy> |Mike|: this same vpn , same config, same keys, has been running for years, with dozens of clients all over the world. this is the only problem i've seen, more than once, and it's rare. 12:38 < FurnaceBoy> |Mike|: more curious than anything. I do not know how to kick this client into passing negotiation. was working until connectivity loss yesterday afternoon 12:38 < |Mike|> hmz 12:38 < |Mike|> !topology 12:38 < vpnHelper> |Mike|: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 12:38 < BingOo> uinstall client and reinstall it.,. must be prob with client pc 12:38 < FurnaceBoy> BingOo: NO. 12:38 < FurnaceBoy> sorry, "No." 12:39 < |Mike|> brb, i'm on support this evening... *grmbl* 12:39 < FurnaceBoy> BingOo: this will "come good" soon. It's a transient condition. 12:39 < FurnaceBoy> |Mike|: thanks 12:39 < BingOo> hmm.. 12:39 < BingOo> i am in problem i am new in this open vpn 12:39 < FurnaceBoy> BingOo: I've seen it a dozen or so times over the years. 12:39 < |Mike|> BingOo: i'll read your question withing ~40 mins. 12:39 < BingOo> can i use 1194 for client and 1197 for another client .. ? 
12:39 < FurnaceBoy> BingOo: can't remember if it's always on this OS X 10.4 system , or with others. 12:40 < BingOo> Mike.. Thanks alot.. !! i wil wait 12:40 < FurnaceBoy> BingOo: it's just more frustrating than anything, thought I'd finally ask experts in here. 12:41 < FurnaceBoy> 99.99% of the time openvpn has worked perfectly for me. it's wonderful. 12:41 < FurnaceBoy> this is the only irritation i've ever had, i think. :) 12:41 < BingOo> hmm.. 12:41 < BingOo> so only one client is not connecting.. 12:41 < BingOo> which os he has ? 12:41 < FurnaceBoy> yeah, i have at least 2 others connected from my home lan. 12:42 < FurnaceBoy> BingOo: OS X 10.4. I am not sure if this issue is restricted to that. It may well be. 12:42 < BingOo> was that client was working before or its new one ?? 12:42 < FurnaceBoy> BingOo: yes, working for years. 12:42 < FurnaceBoy> BingOo: until yesterday afternoon. and it will 'fix itself'. perhaps even re-connecting ADSL will fix it. 12:42 < BingOo> hmm.. which error message is showing by openvpn client software ? 12:42 < FurnaceBoy> BingOo: won't get past TLS auth .. i am using a TLS key 12:43 < FurnaceBoy> BingOo: "TLS Error: TLS handshake failed" 12:43 < BingOo> hmm.. 12:43 < BingOo> and nothing got change by yesterday afternoon ?.. internet connection etc ? 12:44 < BingOo> its mean..nothing happen.. it suddenly automaticaly showing this error message 12:44 < FurnaceBoy> BingOo: yes, lost 'net a couple of times (kicked phone). That tends to trigger this. 12:44 < BingOo> yes.. reboto to ADSL etc.. 12:45 < FurnaceBoy> BingOo: right, I suspect that will make the issue go away. It doesn't even look like openvpn is to blame, much. 12:45 < BingOo> reboot to network devices of client side.. 12:45 < FurnaceBoy> BingOo: good idea. i'll restart wireless. 
12:45 < BingOo> yes 12:45 < BingOo> reboot to wireless and then reboot to client OS 12:45 < BingOo> then check out 12:46 < FurnaceBoy> rebooting OS X is a bit heavy handed, I'd prefer to avoid 12:46 < FurnaceBoy> I'll see if anything else works 12:47 < FurnaceBoy> wow. that worked. 12:47 < BingOo> :D 12:47 < FurnaceBoy> BingOo: interesting! 12:47 < BingOo> Congratzz 12:47 < FurnaceBoy> BingOo: so disable/re-enable wireless on the Mac did it. 12:47 * FurnaceBoy blames OS X 12:47 < BingOo> today is my 6th day in OPENVPN :) 12:47 < FurnaceBoy> thanks for the suggestion, I feel stupid for not trying that before. 12:48 < BingOo> Boy: i was btw recommending that reboot to both device X and wireless.. then i was sure.. 12:48 < BingOo> welcome..!! 12:48 < BingOo> so if you reboot to X then it was also doing that thing disbale/enable to wireless :).. 12:49 < BingOo> furnanceBOY: how long are you using this OPEN VPN ` 12:49 < FurnaceBoy> BingOo: yeah but reboots are a PITA. 12:49 < BingOo> ? 12:49 < FurnaceBoy> BingOo: been using openvpn for ~4 yrs ... this one setup ~ 3 yrs with clients all over the world 12:49 < FurnaceBoy> BingOo: I LOVE OpenVPN. 12:49 < BingOo> wow .. 4 years. yes it good thing 12:49 < BingOo> well now its ur turn :) 12:49 < FurnaceBoy> ha 12:50 < BingOo> 3 days before i setup OPEN VPN in WEBMIN.. 12:50 < BingOo> i setup CA .. client keys etc.. export it and one client was working not problme 12:51 < BingOo> but now i want to do .. create another CA .. etc all other thing with different port suppose 1196.. for another client 12:51 < BingOo> can i do this ? 12:51 < FurnaceBoy> BingOo: why do you want to do that? 12:51 < BingOo> i meant 1 server... (1194,1196) ::::::::::::: 2 different clients 12:51 < FurnaceBoy> BingOo: with 2 different CA's? 12:51 < FurnaceBoy> BingOo: the setup you are describing would be 2 different openvpn instances. 12:52 < BingOo> yes with 2 diff CA.. 12:52 < FurnaceBoy> BingOo: why? 
12:52 < FurnaceBoy> BingOo: you would use 2 instances if you had 2 CAs and 2 ports. 12:52 < BingOo> hmmm.. 12:52 < FurnaceBoy> BingOo: why do you want to do that? 12:52 < FurnaceBoy> BingOo: it achieves nothing in one instance. 12:52 < BingOo> i setup another instance.. with port 1196.. but it doesn't work 12:53 < FurnaceBoy> BingOo: but why do you want 2 ports and 2 CAs on one instance? (which can't be done afaik and doesn't make sense anyway) 12:53 < BingOo> hmm... 12:53 < FurnaceBoy> why doesn't the 2nd work? any errors? 12:53 < FurnaceBoy> i've run 2-3 instances on different ports with different CAs 12:53 < BingOo> yes.. after setup . service doesn't start .. FAILED error 12:53 < FurnaceBoy> that can definitely be done. 12:53 < FurnaceBoy> ok, check logs. 12:54 < BingOo> 1 min i check 12:54 < BingOo> have you ever setup OpenVPN in Webmin ? 12:54 < FurnaceBoy> hell no. 12:55 < BingOo> haha.. 12:55 < BingOo> will you handle the GUI side of OpenVPN ? 12:58 < FurnaceBoy> well, i don't use any guis for admin 12:58 < FurnaceBoy> life's too short 12:58 < |Mike|> only click admins use UI's :P 12:58 < BingOo> :) ok boy 12:58 < BingOo> leave it.. forget it 12:58 < FurnaceBoy> sorry :) 12:58 * |Mike| scrolls up 12:59 < |Mike|> FurnaceBoy: yours is working correctly now ? 12:59 < FurnaceBoy> |Mike|: solved. bouncing the Mac wireless fixed it. 12:59 < FurnaceBoy> |Mike|: looks more like OS X than anything else. 12:59 < FurnaceBoy> |Mike|: thanks for your time tho 12:59 < |Mike|> 2009/09/28 19:22:53 < BingOo> hmm my scenario is 1 server ............ connecting with two other servers/clients but with different keys/info/ports 12:59 < |Mike|> heh? 12:59 < FurnaceBoy> |Mike|: I dunno why i didn't try that before. I guess b/c it works perfectly the rest of the time. 13:00 < |Mike|> FurnaceBoy: hmz, i never noticed problems with my leopard + wifi + openvpn tbh. 
13:00 -!- c64zottel [n=hans@p5B17B510.dip0.t-ipconnect.de] has joined ##openvpn 13:00 -!- c64zottel [n=hans@p5B17B510.dip0.t-ipconnect.de] has quit [Client Quit] 13:00 < FurnaceBoy> |Mike|: this is 10.4, ppc, w/ G5 tower mobo wireless 13:00 < FurnaceBoy> |Mike|: my wife's 10.5 Macbook never has this issue afaik 13:01 < FurnaceBoy> |Mike|: something specific to this system, looks like 13:01 < FurnaceBoy> |Mike|: and not openvpn's fault 13:01 < |Mike|> could be a firewall issue or some kernel udp/tcp problem 13:01 < BingOo> Mike: just want to check that openvpn works with multiple ports, i meant if i will create 3-4 different instances (CA's etc.. with diff ports (1194,1195,1196..) ? 13:01 < |Mike|> why would you like to do that BingOo ? 13:02 < FurnaceBoy> BingOo: yes that works, I have done it. 13:02 < BingOo> hmmm.. just want to do an experiment... if diff clients will connect with diff credentials/client keys 13:02 < FurnaceBoy> BingOo: as long as your O/S will give you the tun interfaces (I use tun) 13:03 < |Mike|> !tunortap 13:03 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 13:04 < BingOo> hmm.. 13:05 < BingOo> Mike.. is it good to run OpenVPN with webmin ? 13:05 < BingOo> i meant if i will use the openvpn webmin module on webmin ... 13:06 < Bushmills> webmin sucks, so openvpn with webmin can't be any better 13:07 < BingOo> hmm.. 13:07 < Bushmills> there are plenty of other interactive configuration frontends for openvpn, called "editors" 13:07 < |Mike|> BingOo: i dislike phpmyadmin, postfixmyadmin, directadmin, webmin and a shitload of other "control panels" in general :P 13:08 < FurnaceBoy> |Mike|++ 13:08 < FurnaceBoy> BingOo: they just make life harder. 
13:08 < FurnaceBoy> BingOo: learn to admin without gui 13:08 < FurnaceBoy> BingOo: openvpn config isn't very difficult, the documentation is good. 13:08 < |Mike|> openvpn isn't that hard to configure as long as you read the docs :) 13:09 < |Mike|> ^5 FurnaceBoy 13:09 < FurnaceBoy> BingOo: and reading the docs is necessary to understand what webmin is doing anyway. 13:09 < FurnaceBoy> BingOo: so you can't really avoid learning how it's *really* done 13:10 < |Mike|> knowledge = power 13:11 < FurnaceBoy> haha @ Bushmills 13:16 < Bushmills> my very first task on a BSD system was "break in" (admin was gone, company had no gateway passwd and such). Luckily there was webmin on the box :) 13:17 < Bushmills> seemed that it takes more effort to configure webmin safely than setting up a unix box safely. 13:19 < |Mike|> sounds familiar Bushmills 13:23 < |Mike|> Argh, idiots must have set up this puppetmaster *sigh* 13:28 -!- hggh [n=jonas@danica.brachium-system.net] has joined ##openvpn 13:30 < hggh> I have openvpn server 2.1-rc11 working with client 2.09; when I use 2.1-rc10 or 2.1-rc19 vpn is established correctly, and routes are setup. but now traffic goes through vpn tunnel. version compatibility problems? 13:38 < Bushmills> "and routes are setup. but now traffic goes through vpn tunnel" sounds like traffic through vpn is the result of routes being setup. 13:38 < ecrist> single user mode to the rescue 13:40 < hggh> aeh errlang 13:40 < hggh> no traffic goes through tunnel 13:40 < ecrist> !all 13:40 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 13:41 < hggh> my configs are working. 
I have to use only a 2.1 client on windows because of vista 13:42 < |Mike|> don't 13:42 < |Mike|> did you run it as admin ? 13:42 < hggh> after failing on vista I installed windows client 2.1-rc10 and 2.1-rc19 on windowsXP. On windows XP these new clients are also not working. 13:43 < hggh> same problem as on vista. client 2.09 on windowsXP is working fine 13:43 < |Mike|> hggh: you might want to read what vpnHelper uttered. 13:43 < hggh> i'm working on it. 13:47 < hggh> http://pastebin.com/d5f2f4df 13:47 < hggh> this config works with server 2.1-rc11 and client 2.09; but not with 2.1-rc10 and 2.1-rc19 13:48 < hggh> 2.1-rc10 and 2.1-rc19 can establish a vpn connection but _no_ traffic goes through vpn tunnel 13:53 -!- jeiworth_ [n=jeiworth@189.177.136.30] has joined ##openvpn 13:53 < hggh> I have also run client and server with --verb 6, but no error returned 13:55 -!- jeiworth [n=jeiworth@189.177.136.30] has quit [Read error: 104 (Connection reset by peer)] 14:01 < Bushmills> when you say "but now traffic goes through vpn tunnel" - what traffic goes through openvpn, and how did you find out? 14:02 < hggh> sorry this was misspoken. no traffic goes through openvpn. I have tested it with samba share and ping 14:02 < hggh> only with version 2.09 all works fine 14:05 < hggh> I have now upgraded server to 2.1-rc19. client is still 2.1rc19; connection can be established, but no data goes through tunnel 14:28 -!- hyper_ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 14:28 < |Mike|> hggh: you enabled client-to-client? 14:28 -!- hyper_ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has joined ##openvpn 14:29 < |Mike|> !ccd 14:29 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 14:30 < |Mike|> ccd != client to client 14:30 < |Mike|> problem solved. 
14:30 < hggh> |Mike|: no. client-to-client is not enabled 14:30 < |Mike|> why do you have ccd enabled on the client? 14:32 < hggh> it's not enabled, is it? 14:32 < |Mike|> read what vpnHelper uttered 14:34 < hggh> I don't understand you. I think client-to-client is not enabled in the client config 14:34 < |Mike|> !client-to-client 14:34 < vpnHelper> |Mike|: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. 14:36 < hggh> sorry. This is my client config http://pastebin.com/m42c5883b I don't see any client-to-client option 14:38 < |Mike|> euh, you just changed it? 14:38 < hggh> no. it's the original file from http://pastebin.com/d5f2f4df here 14:38 < hggh> on the top it's the server, on the bottom it's the client 14:44 < hggh> why is server 2.1-rc11 with windows client 2.09 working but windows client 2.1-rc19/10 is not working? 14:44 < hggh> I think it's not a configuration problem 14:45 < |Mike|> Next, we will deal with the necessary configuration changes on the server side. If the server configuration file does not currently reference a client configuration directory, add one now: 14:45 < |Mike|> client-config-dir ccd In the above directive, ccd should be the name of a directory which has been pre-created in the default directory where the OpenVPN server daemon runs. 14:45 < |Mike|> a full path could be required as well. 14:47 < hggh> why should we change ccd? it's working, the client gets the routes from the ccd file. But no traffic passes the tunnel? 14:47 < hggh> I can insert a full path, but I think this will not solve my problem 14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 < |Mike|> http://pastebin.com/m452e6480 14:51 < hggh> I have added full path to ccd, not working. vpn can be established. 
but no traffic goes through 14:51 < hggh> with windows client 2.09 traffic goes through 14:53 < |Mike|> you can't ping google.com through the vpn? 14:53 < hggh> no 14:54 < |Mike|> and what error does that give you ? 14:54 < hggh> timeout 14:55 < |Mike|> and a traceroute dies where ? 14:56 < hggh> it does not reach the server. I will check it tomorrow again. thanks for your help |Mike| 14:57 -!- BingOo [i=BingO_@wlan-s-117.hh.se] has quit [] 14:58 < |Mike|> so you can't even ping the openvpn server hggh ? 14:58 < hggh> yes 14:58 < |Mike|> then it's a client side issue :) 14:58 < ecrist> firewall *cough* 14:58 < |Mike|> ^2 14:59 < ecrist> I wish we could have suggested that right away, like putting it in the channel topic... 14:59 < hggh> hehe perhaps. I will check it tomorrow. my dirt bucket is full 14:59 * ecrist d/c and goes home 14:59 < |Mike|> 'CHECK YOUR FIREWALL' lol 15:00 < |Mike|> ltr ecrist 15:05 -!- Angel_Dragonwak [i=Angel_Dr@201.53.178.214] has joined ##openvpn 15:06 < Angel_Dragonwak> !forum 15:06 < vpnHelper> Angel_Dragonwak: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 15:06 < Angel_Dragonwak> any DOTA players around? hehe 15:06 < |Mike|> dota? 15:07 < hggh> Angel_Dragonwak: I know it, it's a client side issue ;) 15:07 < hggh> *haha* 15:07 < hggh> <- funny man 15:07 < Angel_Dragonwak> o.o 15:07 < Angel_Dragonwak> there's no problem at all 15:08 < Angel_Dragonwak> well, i've this project that's related to DOTA 15:08 < Angel_Dragonwak> don't know, it's kind of a famous game, a mod of Warcraft III 15:08 < Angel_Dragonwak> something like that :) 15:11 -!- Angel_Dragonwak [i=Angel_Dr@201.53.178.214] has quit [Read error: 104 (Connection reset by peer)] 15:22 -!- BingOo [i=BingO_@194.47.17.117] has joined ##openvpn 15:29 < BingOo> Hi .. back 15:29 < BingOo> mike 15:30 < BingOo> can i do one thing, create a web interface and use OpenVPN on the backend 15:30 < BingOo> just like Cpanel for domain hosting.. 
every user have ites own control panel for different seperate domain management.. on one server 15:31 < BingOo> so just like that can we do this thing people will login by there account and create site-to-site vpn management ? 15:43 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 15:45 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 15:51 -!- BingOo [i=BingO_@194.47.17.117] has left ##openvpn [] 16:00 -!- dazo|h [n=dazo@77.16.250.148.tmi.telenormobil.no] has joined ##openvpn 16:00 -!- dazo|h [n=dazo@77.16.250.148.tmi.telenormobil.no] has quit [Client Quit] 16:04 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 16:04 < ThoMe> good evening 16:04 < ThoMe> knock knock? :-) 16:27 -!- jeiworth [n=jeiworth@187.144.55.242] has joined ##openvpn 16:30 -!- jeiworth_ [n=jeiworth@189.177.136.30] has quit [Read error: 104 (Connection reset by peer)] 16:35 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 16:43 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["leaving"] 16:47 -!- armyriad [n=anonymou@pool-68-237-56-254.ny325.east.verizon.net] has joined ##openvpn 16:47 < armyriad> Where do I find a OpenVPN client for Windows? 16:55 < Bushmills> !google openvpn windows download 16:55 < vpnHelper> Bushmills: Downloads: ; Welcome to OpenVPN: ; Download - OpenVPN GUI for Windows: 16:58 < Bushmills> !google Where do I find a OpenVPN client for Windows? 16:58 < vpnHelper> Bushmills: OpenVPN GUI for Windows: ; Downloads: ; Welcome to OpenVPN: 16:58 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 17:03 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 17:06 < armyriad> The server doubles as a client? 17:17 < Bushmills> just a matter of the config 17:18 < armyriad> Oh, ok. 
17:24 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 17:44 -!- FurnaceBoy [n=FurnaceB@bas1-toronto10-1279398894.dsl.bell.ca] has left ##openvpn ["ciao"] 17:51 < |Mike|> krzee: could you ban bingoo ? 18:07 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 18:17 -!- _Snark [n=a@203-206-130-80.perm.iinet.net.au] has quit [] 18:27 -!- armyriad [n=anonymou@pool-68-237-56-254.ny325.east.verizon.net] has quit [Read error: 113 (No route to host)] 18:50 -!- _Snark [n=a@203-206-130-80.perm.iinet.net.au] has joined ##openvpn 18:54 < _Snark> quick Q - i have a tun openvpn server setup, i can connect fine and have no dramas with that, however the openvpn server does not seem to pass traffic to its local network, or any of the networks i have routes pushed to. I can ping the local ethernet IP of the openvpn server and nothing else. I can provide config files and IP addresses if necessary 18:56 < |Mike|> client-to-client 18:57 < |Mike|> !client-to-client 18:57 < vpnHelper> |Mike|: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules. 18:57 < |Mike|> !all 18:57 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 18:57 < |Mike|> _Snark: provide us with the above information! 18:59 < _Snark> ok, can do the second thing, i don't think it's a client-to-client issue as it's more of a road-warrior setup than trying to link multiple networks, one moment please! 
18:59 < Bushmills> _Snark: "openvpn server does not seem to pass traffic to its local network" . why should it do that? 19:00 < _Snark> why would it not? isn't that more or less the point of a vpn server? 19:00 < Bushmills> unless instructed to, it essentially gives you a tunnel between two machines 19:01 < Bushmills> (this can also be seen as "the point" of a vpn server. "passing on traffic" doesn't sound like a core responsibility for it) 19:02 < Bushmills> !route 19:02 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:03 < _Snark> ok true i guess, anyway give me a moment to grab configs 19:04 < |Mike|> !all 19:04 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 19:04 < |Mike|> anyway, i'm off. 19:04 < |Mike|> later. 19:11 -!- jeiworth [n=jeiworth@187.144.55.242] has quit [Read error: 110 (Connection timed out)] 19:12 < _Snark> ok, pastebin of client config, server config, route table, ifconfig info 19:12 < _Snark> http://pastebin.com/m3a2e2334 19:13 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 19:13 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 19:13 < _Snark> i've also added iptables lines to allow traffic from the tun interface 19:14 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 19:14 < ksnp> can openvpn be modified to do ssl vpn ? 19:17 < _Snark> as far as that !route info goes, i am pretty sure i am pushing the right routes, i don't need ccd for clients 19:19 < ksnp> is there a good openvpn client for wm or iphone ? 
19:19 < ksnp> wm=windows mobile 19:20 < _Snark> iphone has a built in cisco vpn client that should support cert based vpn and thus, in theory, openvpn 19:20 < _Snark> i havent set it up myself, but once i get my setup basically working i will.. 19:21 < ksnp> is cisco vpn based on openvpn ? 19:21 < _Snark> no their client is proprietary 19:21 < ksnp> ok 19:21 < ksnp> but the protocol may be different right ? like ipsec vs ssl etc ? 19:21 < _Snark> i have no idea if they're compatible tbh, a quick google turns up some preliminary efforts to port the openvpn client to the iphone 19:21 < _Snark> so perhaps not 19:22 < ksnp> if you get it working do let me know. 19:22 < ksnp> looks like wm has more support 19:22 < _Snark> it would be easier to port for wm i am sure 19:23 < ksnp> have you tried setting up the firewall rules for the openvpn given on openvpn.net/howto ? to create different class of clients ? by any chance ? 19:24 < _Snark> no, sorry. at the moment i am stuck on a pretty basic functionality problem. I only have a single client setup, which connects ok, but openvpn server does not pass traffic to its local network or any of the networks that have been pushed / configured in the server config 19:24 < _Snark> only the local network ip of the openvpn server is contactable 19:24 < ksnp> ok 19:33 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:01 -!- scfh [n=scfh@78.86.190.81] has quit [Read error: 145 (Connection timed out)] 20:13 < _Snark> so uhm.. anyone willing to have a quick look at my configs and suggest what i may have missed or misconfigured? http://pastebin.com/m3a2e2334 20:18 < _Snark> when connected to the VPN i can ping the local ip of the openvpn server but nothing else on the pushed routes (networks) 20:19 < ksnp> snark are you trying access the server side LAN or client side LAN ? 20:20 < _Snark> server side lan. 
this is a roadwarrior style setup basically 20:20 < ksnp> you need to setup routes on your gateway on the server or the machine you are trying to ping won't know how to respond to the ping 20:20 < _Snark> so just single remote users vpning into the network 20:21 < _Snark> yes, i've done this, i'll explain with IPs if that helps.. or at least, i've partially done this, perhaps not completely properly thus the issues 20:21 < _Snark> local eth on openvpn server is 10.0.0.181 20:22 < ksnp> did you setup routes ? 20:22 < _Snark> openvpn tun pool is 10.10.0.0 20:22 < _Snark> on the openvpn server gateway i have 10.0.0.181 as the default route for the 10.10.0.0 network 20:22 < ksnp> ok, not sure what then the problem might be 20:22 < ksnp> actually if you follow openvpn.net/howto it should work, it did for me 20:23 < _Snark> the only potential issue i can think of i guess is that i am natting a public IP to the local openvpn server ip 20:24 < ksnp> just forward the port 20:24 < _Snark> yes, well, this is done 20:24 < ksnp> ya i guess 20:24 < _Snark> i can connect fine externally 20:25 < _Snark> it's just remote network connectivity that is the problem, and i'm kinda stumped 20:25 < ksnp> pastebin the config, i can see if i can be of help, but after an hour or so 20:25 < _Snark> http://pastebin.com/m3a2e2334 20:28 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 20:28 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 20:30 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 60 (Operation timed out)] 20:33 -!- [1]ksnp is now known as ksnp 20:39 < _Snark> woops, so as it turns out the exceedingly obvious thing i was missing was ip forwarding enabled on the openvpn host.. 
20:43 < _Snark> still a minor issue with talking to network(s) outside of the vpn servers network though 20:43 < _Snark> *investigates* 20:54 < ksnp> ok 20:54 < ksnp> is your server on windows or linux ? 20:54 < _Snark> linux 20:55 < _Snark> debian etch (as mentioned in the pastebin) 20:55 < _Snark> and like i mentioned i've solved the fundamental problem, just trying to figure out the routing different networks thing 21:02 < ksnp> ok 21:03 < ksnp> actually i wanted to test if my server can connect as client too. can i test with your server ? 21:04 < _Snark> so my vpn network is 10.10.0.0, the server lan is 10.0.0.0. 10.10.0.0 can now talk to all of 10.0.0.0 fine, but i also want 10.10.0.0 to be able to talk to a 203.xx.xxx.xx network, as per config 21:05 < ksnp> what's the 203.xx ? client side ? 21:05 < _Snark> server side 21:05 < _Snark> 10.0.0.0 is user vlan, 203.xx is server vlan 21:05 < ksnp> the server lan is 10.0.0.0 ? 21:05 < _Snark> it's a bit confusing because i think it should just work 21:05 < _Snark> yep 21:05 < ksnp> is what u wrote 21:06 < ksnp> so that's the vpn lan ip, not the normal lan ip ? 21:06 < _Snark> 10.0.0.0 can already talk to 203.xx on the server network 21:06 < _Snark> vpn is 10.10.0.0 21:06 < ksnp> 203. is server lan ? 21:07 < ksnp> when you say client can talk to all of 10.0.0.0 you mean all the other clients ? 21:07 < _Snark> no no 21:07 < _Snark> 10.0.0.0 and 203.xx are both networks on the server end 21:07 < _Snark> openvpn server is on 10.0.0.0 (10.0.0.181) 21:08 < ksnp> u have two nics on the server ? 21:08 < _Snark> in the server end network, the 10.0.0.0 network can talk to 203.xx network already, but for whatever reason, despite pushing the route in the openvpn server config, 10.10.0.0 cannot talk to the 203.x network 21:08 < ksnp> and two lans other than vpn's ? 21:08 < _Snark> no, single nic 21:08 < _Snark> and yes 21:08 < ksnp> so single nic but two lan's ? (without openvpn) ? 21:09 < _Snark> yes. 
they are attached via a L3 switch 21:09 < ksnp> hmm, dunno what L3 switch ? 21:09 < _Snark> layer three switch, it can do basic layer three functionality such as static routes 21:10 < ksnp> does server have two ip addresses ? 21:10 < _Snark> so 10.0.0.0 and 203.xx have a static route between them 21:10 < _Snark> no 21:10 < ksnp> i c, what's the lan ip then ? 21:10 < _Snark> well, it has an IP in the openvpn TUN pool of course 21:10 < _Snark> 10.0.0.181 21:12 < _Snark> 10.0.0.0 can already talk to 203.xx so i figured if i just pushed "route 203.xx / subnet" and added a route 203.xx / subnet line to the openvpn config it would work 21:12 < _Snark> but apparently not 21:13 -!- master_of_master [i=master_o@p549D49B7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:13 < _Snark> hmm.. had a thought 21:14 < ksnp> brb 21:14 < ksnp> i think you may have to add setup route for both on the server 21:15 < ksnp> sorry, working on something else same time, so delay 21:15 < _Snark> is np, i'm investigating something, potentially incorrect gateway 21:16 -!- master_of_master [i=master_o@p549D450F.dip.t-dialin.net] has joined ##openvpn 21:18 < ksnp> ok 21:20 < ksnp> can i try connecting to your server ? 21:20 < ksnp> as client ? 21:21 < ksnp> you can disable it afterwards 21:21 < ksnp> or can you give me a temp ssh in ? 21:22 < ksnp> only if you are comfortable, that's alright 21:22 < _Snark> it's ok, figured it out 21:22 < _Snark> the non-push route lines are like ccd for adding routes for remote networks 21:23 < _Snark> removed incorrect line from config 21:23 < ksnp> you mean iroute ? 
21:23 < _Snark> and now is all good 21:23 < _Snark> i guess so yeah 21:23 < _Snark> thanks for your help anyway 21:24 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 21:26 < [1]ksnp> sure, np 21:33 < [1]ksnp> take a look at the openvpn cloud as well on their page 21:33 < [1]ksnp> later, bye 21:34 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 21:43 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)] 22:12 -!- _Snark [n=a@203-206-130-80.perm.iinet.net.au] has quit [] 22:20 -!- Rolybrau [n=Rolybrau@94-231.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 22:21 -!- Rolybrau [n=Rolybrau@119-190.3-85.cust.bluewin.ch] has joined ##openvpn 22:28 -!- agracey [n=agracey@wl-dhcp142-74.Mines.EDU] has joined ##openvpn 22:28 < agracey> I was wondering what the highest latency vpn would work at 22:29 < agracey> I am thinking about using it in an environment with a 2sec delay each way 22:32 < theDoc> agracey> It's not so much of latency but the applications you are driving over the vpn link. 22:32 < theDoc> If you're doing say, streaming HD video, that would pose a problem. 22:32 < theDoc> and really, why are you looking at a 2 second delay each way? 22:33 < agracey> competition rules 22:33 < agracey> simulate delay to the moon 22:33 < agracey> and bac 22:33 < agracey> k 22:34 < theDoc> agracey> Like I said, it's really what kind of traffic you are streaming over the link. 22:35 < agracey> a picture that updates every couple seconds 22:35 < agracey> or two 22:35 < theDoc> agracey> Shouldn't be a problem really. 22:35 < agracey> awesome 22:35 < theDoc> It just renders slower. 
22:35 < agracey> I am fine with that as long as it doesn't time out 22:36 < agracey> considering there is a 4sec total delay slower is not really an issue 22:36 < agracey> thank you 22:36 < theDoc> agracey> The vpn doesn't time anything out 22:36 < theDoc> The application does. 22:37 < agracey> so if I disconnected the server from the client it would just hang? 22:38 < agracey> I have been using tightvnc for testing but it does die every once in a while 22:39 < theDoc> agracey> Generally yes. 22:39 < theDoc> If you just disconnect the client from the vpn, there has to be a route to the server, else you just time out 22:39 < agracey> oh, ok that makes a lot more sense and explains the errors 22:40 < agracey> I am just now setting up a private network so those should go away 22:41 < theDoc> agracey> The problems may not go away if you have a timeout value set too low on your application end. 22:43 < agracey> ok, does openvpn let me set that? 22:44 < theDoc> agracey> The problem isn't openvpn, it's whatever else you are running over the link. 22:44 < theDoc> Unless the vpn is timing out and disconnecting 22:45 < agracey> there is only one other thing on the link which is my own software which controls the rover using UDP. it is very low bandwidth ~16Mb/min 22:45 < agracey> the link is clean except the delay 22:46 < theDoc> agracey> Increase your software's timeout value 22:46 < theDoc> That should alleviate the timeout problem 22:47 < agracey> ok, thank you for the help/info 22:49 < theDoc> np. o/ 22:50 < theDoc> agracey> Do you work at mines.edu? 22:57 < agracey> school 22:58 < agracey> I am working on one of the projects for the school 22:58 < theDoc> Oh, ok. 
22:59 -!- agracey [n=agracey@wl-dhcp142-74.Mines.EDU] has left ##openvpn [] 23:11 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 23:20 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 23:24 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:26 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 23:34 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 23:52 -!- LMJ [n=serwou@82.236.42.164] has left ##openvpn ["Leaving"] --- Day changed Tue Sep 29 2009 00:07 -!- FluxD [n=FluxD@unaffiliated/fluxd] has joined ##openvpn 00:07 < FluxD> !log 00:07 < vpnHelper> FluxD: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 00:07 < FluxD> Anyone know where the logs for openvpn are kept on debian? 00:21 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 00:31 < theDoc> FluxD> /var/log/ most likely 00:39 < FluxD> theDoc,thanks, I am trying to connect to a vpn server but I am behind a router Will I be able to connect? If not any way to? 00:48 < theDoc> FluxD> Not enough information but generally, yes 00:49 < FluxD> theDoc, What info is missing? 
00:50 < theDoc> Router/firewall/whatever-else-that-may-be-in-between 00:57 -!- FluxD [n=FluxD@unaffiliated/fluxd] has quit ["Leaving"] 01:11 -!- hggh [n=jonas@danica.brachium-system.net] has left ##openvpn [] 01:25 -!- Wanderer [i=nomad@c-98-245-36-37.hsd1.co.comcast.net] has quit [Read error: 110 (Connection timed out)] 01:43 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has joined ##openvpn 01:43 < thirdwheel> hey all, I tried to set up a /31 subnet in OpenVPN, and it told me that I need a /30 or better, version 2.1_rc18 01:43 < thirdwheel> one sec, I'll have a conf up 01:45 < theDoc> !topology 01:45 < vpnHelper> theDoc: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 01:45 < thirdwheel> http://openvpn.pastebin.ca/1583865 01:45 < theDoc> !/30 01:45 < vpnHelper> theDoc: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 01:45 < theDoc> ^ 01:46 < thirdwheel> that covers /30 and I've gotten it to work with that before, I've just tried a /31 subnet and it borked 01:55 < thirdwheel> not like it's important or anything, but it's good to know if one is limited in their IP address space 01:55 -!- thirdwheel [i=amason@vaserv/clients/thirdwheel] has quit ["Leaving"] 02:02 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn 02:06 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"] 02:38 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [Read error: 110 (Connection timed out)] 02:58 -!- ribasushi [n=rabbit@dslb-084-063-061-149.pools.arcor-ip.net] has quit ["Leaving"] 03:15 -!- Wanderer [i=nomad@c-98-245-26-136.hsd1.co.comcast.net] has joined ##openvpn 03:36 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"] 
03:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:51 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 04:54 -!- court-jus [n=courtjus@clarifreebox.clarisys.fr] has joined ##openvpn 04:54 < court-jus> hi there 04:55 < court-jus> i need help while trying to have two openvpn servers on the same host (one uses TCP, the other UDP) share their remote clients' networks 04:56 < court-jus> from the server, i can ping the three different networks (the server's one and the clients' one) 04:56 < court-jus> but from each client I can't ping the other's net 04:56 < court-jus> i think my push route, route and iroute is OK but i may be missing something 04:57 < court-jus> !route 04:57 < vpnHelper> court-jus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:57 < court-jus> oh and i already read the OpenVPN/Routing page on the wiki 04:57 < court-jus> when I make the same config with only one server, everything works fine 05:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 05:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 05:39 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 05:41 < Bushmills> !firewall ... you possibly allow tun0 but not tun1 05:41 < vpnHelper> Bushmills: Error: "firewall" is not a valid command. 
05:58 -!- mius [n=miusf@earthtomoon.net] has left ##openvpn [] 06:15 -!- brizly1 [n=brizly_v@p4FC9A185.dip0.t-ipconnect.de] has joined ##openvpn 06:29 -!- brizly [n=brizly_v@p4FC984B1.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:41 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: roninbaka, onats, pa, nuhiNlow, freaky[t], HardDisk_WP, Intensity, redfox, vpnHelper, Bushmills, (+2 more, use /NETSPLIT to show all of them) 06:42 -!- Netsplit over, joins: vpnHelper 06:42 -!- Netsplit over, joins: nuhiNlow 06:44 -!- FurnaceBoy [n=FurnaceB@bas1-toronto10-1279398894.dsl.bell.ca] has joined ##openvpn 06:44 -!- Netsplit over, joins: stephenh 06:44 -!- Netsplit over, joins: kaii 06:45 -!- Netsplit over, joins: HardDisk_WP 06:47 -!- Netsplit over, joins: roninbaka 06:49 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 06:58 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 06:59 -!- redfox2 [n=redfox2@ns351996.ovh.net] has joined ##openvpn 07:11 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:12 -!- hyper__ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has joined ##openvpn 07:12 -!- hyper_ch [n=hyper@adsl-84-227-111-143.adslplus.ch] has quit [Nick collision from services.] 
07:12 -!- hyper__ch is now known as hyper_ch 07:19 < court-jus> Bushmills, thanks for trying to help 07:19 < court-jus> but i've found the solution by myself 07:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 07:43 -!- huafist [i=189f06c3@gateway/web/freenode/x-gtbjisyltlnkbthv] has joined ##openvpn 07:47 < huafist> Good morning 07:48 < huafist> I'm trying to get an openvpn server up and running, and I can get the tunnel established, but it segmentation faults after just a second or two, and doesn't really give me any data to troubleshoot with 07:48 < huafist> This is my server config: http://pastebin.com/d559d242b 07:49 < huafist> And my client: http://pastebin.com/d5f7931f8 07:52 < ecrist> huafist: do you have a core dump to work from? 07:53 < huafist> No, not yet. I ran a stack trace and it didn't show anything out of the ordinary, all the way up to the point it segfaults 08:00 < |Mike|> *nix? 08:00 < |Mike|> 08:01 < huafist> slackware 12.1.0 08:01 < |Mike|> does nobody:nobody excist btw? 08:01 < |Mike|> *exist 08:02 < huafist> heh. Stupid thing isn't generating a core dump 08:03 < |Mike|> *didn't 08:08 * cpm is taking a dump, and examining the resulting logs 08:08 < |Mike|> does it look brownish ? 08:09 < cpm> things *not* to put in the comments to a user's helpdesk ticket. 08:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 08:32 < Optic> mooo 08:34 -!- court-jus [n=courtjus@clarifreebox.clarisys.fr] has quit ["Quitte"] 08:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 08:52 < ecrist> huafist: what version of OpenVPN? 
08:53 < huafist> 2.0.9 08:53 < huafist> The server will run forever, as long as I don't connect a client 08:53 < ecrist> try running 2.1rc19 08:53 < ecrist> both client and server 08:53 < ecrist> and make certain your ssl certificates are valid 08:53 < huafist> If I start up a client, it'll connect successfully, assign ip addresses to both machines, and then within a few seconds the server segfaults 08:54 < ecrist> check dmesg output for any indication of a core dump on another library, such as SSL, etc. 08:54 < ecrist> segfaults can be an indication of bad memory. 08:56 < huafist> dmesg did show something 08:56 < huafist> http://pastebin.com/d297a0732 08:57 -!- roninbaka [n=email@61.159.248.103] has quit [Read error: 148 (No route to host)] 09:08 -!- zuez [n=sf@catalyst.httpd.org] has quit ["."] 09:37 < ecrist> huafist: looks like a problem with the tun driver on slackware, perhaps 09:38 < ecrist> maybe try upgrading, or checking the release notes for recent updates? 09:45 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 09:50 -!- dergringo [n=dergring@88-183.104-92.cust.bluewin.ch] has joined ##openvpn 09:50 < dergringo> hi. The DH parameters on the server... can those be any parameters or are the ones from the CA required? 09:51 < ecrist> any 09:51 -!- jeiworth [n=jeiworth@187.144.55.242] has joined ##openvpn 09:55 -!- RexMundi [n=RexMundi@77.95.99.166] has joined ##openvpn 09:56 -!- huafist [i=189f06c3@gateway/web/freenode/x-gtbjisyltlnkbthv] has quit ["Page closed"] 10:02 < dergringo> thanks 10:04 < ThoMe> hello. 10:05 < ThoMe> is it possible to check if the certificate is revoked? 10:06 < ThoMe> have these files 10:06 < ThoMe> ca /etc/openvpn/keys/ca.crt 10:06 < ThoMe> cert /etc/openvpn/keys/server.crt 10:06 < ThoMe> key /etc/openvpn/keys/server.key # This file should be kept secret 10:06 < ThoMe> dh /etc/openvpn/keys/dh2048.pem 10:06 < ThoMe> /etc/openvpn/keys/ta.key 10:06 < ThoMe> which file is the revoke-file? 
10:07 < ThoMe> ah crl-verify crl.pem 10:28 -!- EdwardIII [n=django@unaffiliated/edward123] has joined ##openvpn 10:28 < EdwardIII> hey 10:29 < EdwardIII> we have a working vpn setup at the moment and it's pretty cool, but would it be possible to do some sort of portable windows setup that i could put on a usb stick including the person's keys? 10:30 < EdwardIII> ah, should have done the research, waaay more popular a question than i thought 10:35 -!- pa [n=pa@82.60.135.205] has joined ##openvpn 10:50 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 10:54 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"] 11:01 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 11:02 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 11:25 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:40 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit [Read error: 60 (Operation timed out)] 11:42 < |Mike|> EdwardIII: sure it can 11:43 < |Mike|> but it's not secure enough if you don't encrypt the usb stick 11:45 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 11:45 < |Mike|> ThoMe: solved? 
11:45 -!- jeiworth_ [n=jeiworth@189.177.21.77] has joined ##openvpn 11:54 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 11:55 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"] 11:57 -!- jeiworth [n=jeiworth@187.144.55.242] has quit [Read error: 110 (Connection timed out)] 12:34 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 12:35 -!- jeiworth_ [n=jeiworth@189.177.21.77] has quit [Read error: 104 (Connection reset by peer)] 12:35 -!- jeiworth [n=jeiworth@189.177.135.200] has joined ##openvpn 12:35 < LittleJ> !configs 12:35 < vpnHelper> LittleJ: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:39 -!- bandinia [n=bandini@79.25.109.132] has joined ##openvpn 12:51 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:54 -!- bandini [n=bandini@host19-21-dynamic.20-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 13:00 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn 13:06 -!- Dryanta [i=d@dryanta.com] has joined ##openvpn 13:06 < Dryanta> !logs 13:06 < vpnHelper> Dryanta: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
13:11 < Dryanta> Tue Sep 29 11:08:16 2009 us=199754 write UDPv4: No buffer space available (code=55) 13:11 < Dryanta> all the time 13:11 < Dryanta> i remember this last time i tried to set up openvpn don't know why it does that 13:14 -!- jeiworth_ [n=jeiworth@189.234.0.5] has joined ##openvpn 13:20 < ecrist> Dryanta: firewall issue 13:23 < Dryanta> ecrist: nope, some stupid routing issue actually 13:23 < Dryanta> 63.194.106.255 ff:ff:ff:ff:ff:ff UHLWb 1 482098 fxp1 13:23 < Dryanta> 67.0.0.0/8 10.4.1.1 UG 1 13201804 tun0 13:23 < Dryanta> 67.203.99.136 10.4.1.1 UGH 0 0 tun0 13:24 < Dryanta> thats the routes openvpn generated for the tunnel 13:24 < Dryanta> so its looping back on itself because the vpn endpoint is 67.203.99.136 13:24 < Dryanta> so when it made tun0 the endpoint it made an infinite loop 13:24 < Dryanta> thrashing my /var 13:24 < Dryanta> and sending load to 100% 13:24 < ecrist> so setup the proper route 13:25 < Dryanta> what do you mean 'setup the proper route' every time i invoke openvpn it adds its own busticated routes 13:25 < ecrist> !configs 13:25 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:27 < Dryanta> http://pastebin.ca/1584680 13:29 -!- jeiworth [n=jeiworth@189.177.135.200] has quit [Read error: 110 (Connection timed out)] 13:34 < ecrist> Dryanta: I would suggest setting one of them up as a server, the other as the client and see if that config works better for you. 13:35 < ecrist> I've never used ifconfig lines within my openvpn configs and couldn't help you with that. 
14:12 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 14:13 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 14:13 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:51 -!- bytesaber_ [n=bytesabe@208.98.188.95] has joined ##openvpn 14:52 -!- bytesaber_ is now known as kreg 15:20 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["leaving"] 15:53 -!- Jouva [i=jouva@pool-173-62-197-146.phlapa.fios.verizon.net] has joined ##openvpn 15:53 < Jouva> !route 15:53 < vpnHelper> Jouva: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:05 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 16:06 < Dryanta> wc 16:06 -!- Dryanta [i=d@dryanta.com] has left ##openvpn [] 16:33 -!- Jouva [i=jouva@pool-173-62-197-146.phlapa.fios.verizon.net] has quit [Remote closed the connection] 16:42 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)] 17:52 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 18:48 -!- Rolybrau [n=Rolybrau@119-190.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 18:49 -!- Rolybrau [n=Rolybrau@104-147.3-85.cust.bluewin.ch] has joined ##openvpn 19:06 < |Mike|> zomg! 
19:10 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 19:28 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 19:43 -!- jeiworth_ [n=jeiworth@189.234.0.5] has quit [Read error: 110 (Connection timed out)] 19:43 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 20:08 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 20:52 -!- redfox2 is now known as redfox 21:14 -!- master_of_master [i=master_o@p549D450F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- master_of_master [i=master_o@p549D4771.dip.t-dialin.net] has joined ##openvpn 21:20 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 21:42 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 21:47 -!- c64zottel [n=hans@p5B17B4D6.dip0.t-ipconnect.de] has joined ##openvpn 22:04 -!- klugefoo [n=klugefoo@24.6.97.0] has joined ##openvpn 22:06 < klugefoo> I have multiple clients on an ethernet bridge using tap devices and I want to be able to talk from one vpn client to another, what's the name of this setup or keywords I could search? 
22:06 < theDoc> client-to-client 22:24 -!- xod [n=onats@112.201.239.185] has joined ##openvpn 22:24 -!- xod is now known as onats 22:39 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:13 -!- c64zottel [n=hans@p5B17B4D6.dip0.t-ipconnect.de] has quit ["Leaving."] 23:16 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 23:44 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 23:55 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn --- Day changed Wed Sep 30 2009 00:35 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 00:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 113 (No route to host)] 01:16 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 01:35 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 01:55 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 02:05 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 02:09 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 02:13 < ThoMe> |Mike|: huhu. 02:18 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:34 -!- dazo|afk is now known as dazo 03:53 -!- ashley_ [n=ashley@86.53.96.123] has joined ##openvpn 03:53 < ashley_> What is comp-lzo? 03:53 < ashley_> Compression? 03:55 < EdwardIII> sounds like it 03:57 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has joined ##openvpn 04:08 < reiffert> !comp-lzo 04:08 < vpnHelper> reiffert: Error: "comp-lzo" is not a valid command. 04:08 < reiffert> !comp 04:08 < vpnHelper> reiffert: Error: "comp" is not a valid command. 04:08 < reiffert> !factoids search comp lzo 04:08 < vpnHelper> reiffert: No keys matched that query. 
04:13 -!- S0ckPants [n=SockPant@88.159.122.137] has quit ["Lost terminal"]
04:20 < theDoc> !compression
04:20 < vpnHelper> theDoc: Error: "compression" is not a valid command.
04:20 < theDoc> hmm
04:36 < dazo> ashley_: EdwardIII: yes, comp-lzo provides lzo compression on the traffic going over the tunnel
04:37 < dazo> ashley_: EdwardIII: you'll need the lzo library installed to make it work with lzo
04:39 < EdwardIII> i tried to get that openvpnportable windows package running but every time i execute it, it tries to install the tap adapter then just says it failed and asks if i want to retry (have tried running as admin on XP & Windows 7) - anyone used this software before? it leaves no clues in its /log directory
04:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:46 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
04:55 < ashley_> dazo: Do you know if there is a LZO package for Debian?
04:56 < ashley_> Found it
04:56 < ashley_> Thanks
04:56 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)]
05:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
05:03 -!- ashley_ is now known as smellynoser
05:06 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
05:10 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has joined ##openvpn
05:11 -!- chantra [n=chantra@ns22757.ovh.net] has quit [Read error: 60 (Operation timed out)]
05:18 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
05:44 -!- dazo is now known as dazo|afk
06:04 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
06:11 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
06:14 -!- brizly1 [n=brizly_v@p4FC9A185.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:15 -!- brizly [n=brizly_v@p4FC9A391.dip0.t-ipconnect.de] has joined ##openvpn
06:15 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Read error: 110 (Connection timed out)]
06:17 < |Mike|> EdwardIII_: as admin?
06:17 < EdwardIII_> |Mike|: yeah
06:18 < EdwardIII_> on XP, logged in as the administrator user, on windows 7, by right clicking and going 'run as administrator'
06:21 < |Mike|> you downloaded it from openvpn.se right ?
06:32 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:32 -!- EdwardIII_ is now known as EdwardIII
06:51 -!- roshenia [n=roshenia@80.94.228.14] has joined ##openvpn
06:52 < roshenia> hi! how can i set netsh path when use ip-win32 netsh?
06:58 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:03 -!- dazo|afk is now known as dazo
07:03 -!- dazo [n=nnnnndaz@nat/redhat/x-deszihwxlzjxigkx] has quit [Remote closed the connection]
07:04 -!- dazo [n=nnnnnnda@nat/redhat/x-qrbubddmqyjscigk] has joined ##openvpn
07:04 -!- dazo is now known as Guest40968
07:06 -!- Guest40968 is now known as dazo
07:06 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has quit ["Leaving"]
07:30 < ecrist> mornin
07:47 -!- RexMundi [n=RexMundi@77.95.99.166] has quit ["Ik ga weg"]
08:00 -!- Vito111 [n=vito@195.3.173.128] has joined ##openvpn
08:00 < Vito111> !howto
08:00 < vpnHelper> Vito111: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:01 < Vito111> !route
08:01 < vpnHelper> Vito111: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:07 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:07 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:10 < Optic> moo
08:32 -!- MadTBone__ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:32 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:41 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has joined ##openvpn
08:43 < OpenPsycho> Hi all, I am again with the same slow POP3 and IMAP connections with OpenVPN issue. I can provide the server/client configuration if needed. Just wanted to share if any one else in here has had a similar issue.
08:44 < OpenPsycho> Searching on google shows many similar issues but none solved
08:45 -!- roshenia [n=roshenia@80.94.228.14] has quit [Read error: 131 (Connection reset by peer)]
08:48 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn []
08:54 < |Mike|> !all
08:54 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:54 < |Mike|> OpenPsycho: what encryption level are you using ?
08:54 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn
09:00 < OpenPsycho> |Mike|: Sorry, I didn't get you. Did you mean what SSL version ?
09:00 < OpenPsycho> |Mike|: i am pasting it to pastebin just a sec.
09:03 < |Mike|> you have different levels of encryption within openvpn
09:04 < |Mike|> stuff like this;
09:04 < |Mike|> DESX-CBC 192 bit default key (fixed)
09:04 < |Mike|> BF-CBC 128 bit default key (variable)
09:05 < OpenPsycho> |Mike|: I am using Diffie-Hellman .... if that is what you asked. other than that I have not done any specific configurations.
09:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:10 < OpenPsycho> |Mike|: http://pastebin.com/d111a89cd here it is. Please let me know if you need any more information.
09:10 < |Mike|> if you're using a higher encryption leven, and also ssl through the openvpn "tunnel" it's like 2^2
09:10 < |Mike|> level*
09:12 < |Mike|> does your connection timeout when you try to connect to the imap daemon ?
09:12 < OpenPsycho> But |Mike| if that is to affect my connections. It should have affected all the connections right? FTP, HTTP, HTTPS and all
09:12 < OpenPsycho> nopes it's sort of amusing. A few of my imap folders with lesser contents open very fine
09:12 < |Mike|> all *s traffic, yes.
09:12 < OpenPsycho> those with large number of emails on them. They take time
09:13 < OpenPsycho> what about POP3 then? POP3 is not a *s traffic. That should have been fine right?
09:13 < |Mike|> Yes
09:13 < |Mike|> how long does it take to retrieve mail through pop3 / imap with and without vpn ?
09:14 < |Mike|> how big is the difference
09:15 < OpenPsycho> without VPN it's lightning fast
09:15 < OpenPsycho> with VPN as I said...it works with a few and doesn't with others. My doubt...bulky contents aren't showing up with ease. but that with bulky ftp, http downloads. They are fine.
09:16 -!- dazo is now known as dazo|afk
09:16 < |Mike|> !secure
09:16 < vpnHelper> |Mike|: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
09:16 < |Mike|> hmz, where is that page again
09:17 < OpenPsycho> will go through it |Mike| but I am amused. It was working all fine before. i wonder what has happened all of a sudden
09:17 < |Mike|> Currently set to 1024 by default, this value can reasonably be increased to 2048 with no negative impact on VPN tunnel performance, except for a slightly slower SSL/TLS renegotiation handshake which occurs once per client per hour, and a much slower one-time Diffie Hellman parameters generation process using the easy-rsa/build-dh script.
09:17 < |Mike|> that text is wrong imho
09:20 < OpenPsycho> |Mike|: was that for me?
09:20 < |Mike|> let me grab your config again
09:21 < |Mike|> could you change the keepalive setting to 60 120 ?
09:21 < OpenPsycho> sure
09:21 < OpenPsycho> let me check
09:22 < OpenPsycho> but will get disconnected I am on that VPN now :D
09:22 < |Mike|> yeah, doesn't matter :)
09:24 < OpenPsycho> no changes
09:24 < OpenPsycho> it's the same
09:25 < OpenPsycho> |Mike|: i doubt if I am in the room...plz confirm :)
09:26 < |Mike|> ping
09:26 < |Mike|> hmz, are you using the same dns servers as the one without openvpn ?
09:29 < OpenPsycho> |Mike|: dns servers are same for the server for the client with or without openvpn
09:32 < |Mike|> i don't see why it should have such a latency imho
09:32 < |Mike|> your firewall looks correct, and so do your configs
09:33 < OpenPsycho> yes I myself have been going bananas for last 5 days
09:33 < OpenPsycho> with no yields
09:33 < OpenPsycho> thinking it might have been a routing issue
09:33 < OpenPsycho> or a firewall before the server
09:33 < OpenPsycho> I bypassed that firewall still with same results
09:33 < OpenPsycho> any pointers |Mike| ?
09:34 < |Mike|> does your client run a firewall ?
09:34 < |Mike|> or some kind of router in between ?
09:37 < OpenPsycho> yes indeed there are a lot
09:37 < OpenPsycho> but I don't think any of them are the reason
09:37 < OpenPsycho> the client runs a firewall...in fact everyone does these days :)
09:38 * |Mike| doesn't :p
09:39 < OpenPsycho> :) I do :D
09:39 < OpenPsycho> anyway ... would that be a problem.
09:40 < OpenPsycho> I get this bad src IP address packet dropped type of messages at times in the server log....but that doesn't have anything to do with this...does it?
09:41 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has quit ["Leaving."]
09:42 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has joined ##openvpn
09:43 < OpenPsycho> |Mike|: ping
09:43 < OpenPsycho> brb
09:43 < |Mike|> oh, i was choppin some wood for the chimney
09:44 < |Mike|> could you pastebin that error ?
09:48 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:49 < |Mike|> OpenPsycho
09:58 -!- dazo|afk [n=nnnnnnda@nat/redhat/x-qrbubddmqyjscigk] has quit ["Getting off stoned server - dircproxy 1.2.0"]
09:58 -!- dazo|afk- [n=nnnnnnnd@nat/redhat/x-qldsiorfuywjqxjm] has joined ##openvpn
09:59 -!- dazo|afk- is now known as dazo|afk
10:02 < OpenPsycho> |Mike|: http://pastebin.com/d4f77409d
10:10 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
10:13 -!- lib3rty1 [n=peer2mai@94.72.118.109] has joined ##openvpn
10:14 < lib3rty1> hi ;-) i have problem with connection to ovpn server
10:14 < lib3rty1> im on win 7 64 bit
10:14 < lib3rty1> and i have such error
10:14 < lib3rty1> when trying to connect
10:14 < lib3rty1> http://wklej.org/id/161283/
10:14 < vpnHelper> Title: wklej.org - wklejka nr 161283 (at wklej.org)
10:15 < lib3rty1> could sbl help me ??
10:19 < lib3rty1> and this is cfg file
10:19 < lib3rty1> http://wklej.org/id/161286/
10:19 < vpnHelper> Title: wklej.org - wklejka nr 161286 (at wklej.org)
10:25 -!- jeiworth [n=jeiworth@189.234.0.5] has joined ##openvpn
10:55 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has joined ##openvpn
10:56 -!- xod [n=onats@112.201.239.185] has joined ##openvpn
11:00 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
11:00 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
11:03 -!- OpenPsycho [n=gaurav@unaffiliated/openpsycho] has quit ["Leaving."]
11:10 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit []
11:18 -!- xod is now known as onats
11:22 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:41 -!- Intensity [i=[gdYV96b@unaffiliated/intensity] has joined ##openvpn
11:46 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:58 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has joined ##openvpn
11:58 < phantomcircuit> i just ran make check on a freebsd box and it uh didn't work
11:58 < phantomcircuit> http://pastebin.com/d52e2cb51
12:02 -!- kyrix [n=ashley@93-82-1-139.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
12:02 -!- kyrix [n=ashley@188-23-179-13.adsl.highway.telekom.at] has joined ##openvpn
12:02 < ecrist> phantomcircuit: cd /usr/ports/security/openvpn && make install
12:03 < ecrist> if you want latest, cd /usr/ports/security/openvpn-devel && make install
12:11 < phantomcircuit> ecrist, yeah that's what that's a pastebin of
12:11 < phantomcircuit> the part that failed was make check
12:15 < phantomcircuit> openvpn-devel failed with an identical error
12:17 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
12:35 -!- jeiworth_ [n=jeiworth@189.177.37.46] has joined ##openvpn
12:35 -!- jeiworth [n=jeiworth@189.234.0.5] has quit [Read error: 104 (Connection reset by peer)]
12:49 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:55 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
13:02 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
13:06 -!- lib3rty1 [n=peer2mai@94.72.118.109] has quit [Read error: 54 (Connection reset by peer)]
13:09 -!- dazo|afk [n=nnnnnnnd@nat/redhat/x-qldsiorfuywjqxjm] has quit ["Getting off stoned server - dircproxy 1.2.0"]
13:13 -!- dazo|afk [n=nnnnnnnn@209.132.186.254] has joined ##openvpn
13:23 < |Mike|> ph
13:24 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: stein0, misse-, jeiworth_, mrnice1, stephenh, Typone
13:24 < |Mike|> ecrist: that pastebin makes no sense imho
13:37 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has quit [Connection reset by peer]
13:38 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn
13:43 -!- jeiworth_ [n=jeiworth@189.177.37.46] has joined ##openvpn
13:43 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
13:43 -!- misse- [i=misse@misse.org] has joined ##openvpn
13:43 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
13:43 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
13:43 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
13:46 -!- dazo|afk [n=nnnnnnnn@209.132.186.254] has quit ["Getting off stoned server - dircproxy 1.2.0"]
13:50 -!- dazo|afk [n=nnnnnnnn@209.132.186.254] has joined ##openvpn
13:51 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
14:04 -!- DelphiWorld [n=Miranda@41.201.112.179] has joined ##openvpn
14:04 < DelphiWorld> hi all
14:04 < DelphiWorld> please, any company providing a free limited OpenVPN service?
14:08 -!- der [n=eric@198.183.82-79.rev.gaoland.net] has joined ##openvpn
14:12 < DelphiWorld> please, any company providing a free limited OpenVPN service?
14:13 < der> what do you mean by free limited service ?
14:14 < DelphiWorld> der: a free vpn service
14:15 < der> delphiworld: what is your purpose ?
14:16 < DelphiWorld> der, my country blocking SIP; i want to route SIP traffic for my home
14:22 < DelphiWorld> der: any idea?
14:24 < der> http://anonyproz.com/services.html but seems not to be free
14:24 < vpnHelper> Title: Anonyproz.com -OpenVPN Based VPN Provider> Services (at anonyproz.com)
14:25 < DelphiWorld> der: so if not free is not required;)
14:25 < DelphiWorld> der: i can't pay online, that is my big problem
14:26 < der> i see
14:27 < DelphiWorld> der: algeria problem, no credit card or paypal and i'm stressed;) sip blocked, no friends calling;)
14:27 < DelphiWorld> vpnHelper: help me;) (you are a bot!)
14:27 < vpnHelper> DelphiWorld: Error: There is no command "me;) (you are a bot!)".
14:37 * DelphiWorld don't got any solution;)
14:39 < der> delphiworld: sorry but i don't know free service
14:40 < DelphiWorld> der: np
14:43 -!- der [n=eric@198.183.82-79.rev.gaoland.net] has quit []
14:45 -!- DelphiWorld [n=Miranda@41.201.112.179] has left ##openvpn ["I'm a happy Miranda IM user! Get it here: http://miranda-im.org"]
14:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:50 -!- mirco [n=mirco@p54B26F55.dip.t-dialin.net] has joined ##openvpn
14:58 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
15:16 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Read error: 110 (Connection timed out)]
15:16 -!- jeiworth_ [n=jeiworth@189.177.37.46] has quit [Read error: 104 (Connection reset by peer)]
15:17 -!- jeiworth [n=jeiworth@189.234.77.55] has joined ##openvpn
15:20 -!- jeiworth_ [n=jeiworth@189.177.29.164] has joined ##openvpn
15:30 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has quit [Read error: 110 (Connection timed out)]
15:36 -!- jeiworth [n=jeiworth@189.234.77.55] has quit [Connection timed out]
15:44 -!- djc [n=djc@gentoo/developer/djc] has joined ##openvpn
15:45 < djc> I'm trying to setup a new VPN
15:45 < djc> using howto.html#pki
15:45 < djc> but when trying to start it, I get "Cannot load private key file kentyde.key: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch"
15:45 < djc> wtf am I doing wrong?
15:52 -!- jeiworth [n=jeiworth@189.234.79.51] has joined ##openvpn
15:54 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
15:58 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
15:58 -!- hagna_ [n=hagna@70.102.57.178] has joined ##openvpn
15:59 < hagna_> how can I configure openvpn to do a client bridge instead of a server-bridge?
15:59 -!- jeiworth_ [n=jeiworth@189.177.29.164] has quit [Connection timed out]
16:00 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
16:18 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
16:19 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
16:20 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Pagautas
16:23 -!- hagna_ [n=hagna@70.102.57.178] has quit [Read error: 113 (No route to host)]
16:29 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has joined ##openvpn
16:29 -!- mirco [n=mirco@p54B26F55.dip.t-dialin.net] has quit []
16:31 -!- Rolybrau [n=Rolybrau@104-147.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
16:32 -!- Rolybrau [n=Rolybrau@243-48.3-85.cust.bluewin.ch] has joined ##openvpn
16:35 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has joined ##openvpn
16:35 < jupiter15> !howto
16:35 < vpnHelper> jupiter15: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:38 < jupiter15> hello, in the routing vs bridging question, bridging is required if "the VPN needs to be able to handle non-IP protocols"... is ipv6 considered non ip???
17:20 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has quit [Read error: 110 (Connection timed out)]
17:23 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has joined ##openvpn
17:37 -!- ChUbB [n=IceChat7@62-31-213-230.cable.ubr12.aztw.blueyonder.co.uk] has quit ["Make it idiot proof and someone will make a better idiot."]
17:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
18:01 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has quit [Read error: 110 (Connection timed out)]
18:02 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has joined ##openvpn
18:11 -!- MadTBone__ [n=MadTBone@160.39.238.196] has quit [Read error: 54 (Connection reset by peer)]
18:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:49 -!- jeiworth [n=jeiworth@189.234.79.51] has quit [Read error: 110 (Connection timed out)]
19:09 -!- klugefoo [n=klugefoo@24.6.97.0] has left ##openvpn []
19:15 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:41 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
20:04 -!- kyrix [n=ashley@188-23-179-13.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
20:04 -!- ashley_ [n=ashley@93-82-5-138.adsl.highway.telekom.at] has joined ##openvpn
20:05 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
20:10 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has quit [Read error: 110 (Connection timed out)]
20:13 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has joined ##openvpn
20:40 < ashley_> ip6 is considered ip
20:40 < ashley_> jupiter15: it's more about netbios, etc.. etc..
20:41 -!- ashley_ [n=ashley@93-82-5-138.adsl.highway.telekom.at] has quit ["Leaving"] 20:43 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 20:48 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 20:48 < Douglas> hai ho3z 20:49 -!- wookieJ [n=justin@pool-173-72-232-187.clppva.east.verizon.net] has joined ##openvpn 20:50 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:50 < Douglas> wookieJ ROFL 20:50 < wookieJ> sup 20:50 < Douglas> ecrist: wheres yo white ass at 20:50 < Douglas> luls 20:50 < theDoc> dougafag. 20:51 < Douglas> oh hey homeboy 20:51 < Douglas> whats good 20:51 < theDoc> <3 20:51 < Douglas> :) 20:51 < Douglas> hows the server 20:51 * Douglas roundhouse kicks krzee 20:51 < Douglas> bitch 20:51 < Douglas> you owe me money still 20:51 < wookieJ> that nigga said give him tha money 20:51 < wookieJ> brb 21:14 -!- master_of_master [i=master_o@p549D4771.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- master_of_master [i=master_o@p549D4271.dip.t-dialin.net] has joined ##openvpn 21:55 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 22:22 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 22:56 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 22:56 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 22:57 -!- havoc [n=havoc@saturn.chaillet.net] has quit [Read error: 60 (Operation timed out)] 22:58 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn 23:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)] 23:41 -!- pd4m [n=user@202.69.105.62] has joined ##openvpn 23:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] --- Day changed Thu Oct 01 2009 00:04 -!- pd4m [n=user@202.69.105.62] has quit [] 00:13 -!- hyper_ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has quit [Remote closed the connection] 
00:39 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
00:45 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)]
00:45 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:05 -!- aardwolf__ [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has joined ##openvpn
01:15 -!- hyper_ch [n=hyper@228-72.77-83.cust.bluewin.ch] has joined ##openvpn
01:23 -!- aardwolf_ [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has quit [Read error: 111 (Connection refused)]
02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:01 -!- smellynoser [n=ashley@86.53.96.123] has quit ["Changing server"]
03:01 -!- ashley_ [n=ashley@86.53.96.123] has joined ##openvpn
03:01 -!- ashley_ is now known as smellynoser
03:11 -!- dazo|afk is now known as dazo
03:46 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
04:09 -!- oc80z [i=oc80z@quad.efnet.pe] has joined ##openvpn
04:23 -!- EdwardIII [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
04:28 -!- smellynoser [n=ashley@86.53.96.123] has left ##openvpn []
04:35 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
04:38 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:39 -!- smellynoser [n=ashley@86.53.96.123] has joined ##openvpn
04:39 < smellynoser> Does the openvpn client need the lzo library installed to use LZO compression?
04:39 < smellynoser> And is there any other compression available?
04:39 < smellynoser> We seem to be using quite a lot of bandwidth on boxes that are using openvpn for stuff so it would be nice if I could compress this with openvpn
04:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:58 -!- hyper__ch [n=hyper@37-109.76-83.cust.bluewin.ch] has joined ##openvpn
04:58 -!- hyper_ch [n=hyper@228-72.77-83.cust.bluewin.ch] has quit [Nick collision from services.]
04:58 -!- hyper__ch is now known as hyper_ch
05:02 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:18 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:23 -!- theDoc [n=zing@bb121-7-133-154.singnet.com.sg] has joined ##openvpn
05:27 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
05:32 -!- thedoc_ [n=zing@cataclysm.edgewire.sg] has joined ##openvpn
05:33 < dazo> smellynoser: yes, you need the lzo library to do lzo compression ... and no, there is no other way to compress the data
05:44 -!- theDoc [n=zing@bb121-7-133-154.singnet.com.sg] has quit [Read error: 110 (Connection timed out)]
05:56 -!- thedoc_ is now known as theDoc
06:30 -!- brizly1 [n=brizly_v@p4FC9A37D.dip0.t-ipconnect.de] has joined ##openvpn
06:31 -!- brizly [n=brizly_v@p4FC9A391.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:38 -!- ambro718 [n=ambro@193.77.101.149] has joined ##openvpn
06:39 < ambro718> Hi, I've created two tap-win32 devices on my XP system; how do I tell openvpn which device to use?
07:18 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:23 < havoc> ambro718: dev-node
07:24 < havoc> I have multiple TAPs on my winxp laptop
07:24 < havoc> I renamed them to something saner, and w/o spaces, and specify the names with dev-node in my configs
07:26 < havoc> you should also specify the type with "dev-type tap"
07:33 < ambro718> havoc: thanks, I see they can be selected by device name
07:34 < havoc> you're welcome :)
07:53 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:57 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
08:02 < Optic> mooo
08:05 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:06 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit ["bbl"]
08:08 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 60 (Operation timed out)]
08:08 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
08:08 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Remote closed the connection]
08:10 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn
08:11 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
08:12 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
08:16 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Nick collision from services.]
08:16 -!- EdwardIII_ is now known as EdwardIII
08:19 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit [Remote closed the connection]
08:20 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
08:26 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: bandinia, Intensity, stein0, nemysis_, misse-, wookieJ, dazo, |Mike|, infe, pa, (+29 more, use /NETSPLIT to show all of them)
08:26 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: theDoc, LittleJ, ^scott^, aje, Optic, reiffert, vpnHelper, cpm, fkr, sno_, (+4 more, use /NETSPLIT to show all of them)
08:27 -!- Netsplit over, joins: Intensity, Pagautas, ThoMe, eliasp, kala, EdwardIII, dollabill, ambro718, brizly1, theDoc (+37 more)
08:27 -!- Netsplit over, joins: Rolybrau, polaru
08:27 -!- Netsplit over, joins: APTX|, |Mike|, jhp
08:28 -!- nemysis_ [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has joined ##openvpn
08:41 -!- ambro718 [n=ambro@193.77.101.149] has left ##openvpn []
08:42 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
08:42 -!- bauruine_ [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
08:42 -!- bauruine_ [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 54 (Connection reset by peer)]
08:42 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 54 (Connection reset by peer)]
09:05 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:34 < smellynoser> MOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
09:34 -!- smellynoser [n=ashley@86.53.96.123] has left ##openvpn []
09:42 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
09:55 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
10:10 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
10:13 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
10:15 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"]
10:17 -!- jeiworth [n=jeiworth@189.234.75.163] has joined ##openvpn
10:21 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
10:32 -!- FurnaceBoy [n=FurnaceB@bas1-toronto10-1279398894.dsl.bell.ca] has left ##openvpn ["ciao"]
10:37 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
10:38 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
10:51 -!- nemysis_ [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has quit [Remote closed the connection]
11:08 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:11 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
11:14 -!- misterbean is now known as nemysis_
11:21 -!- c64zottel [n=hans@p5B17AE68.dip0.t-ipconnect.de] has joined ##openvpn
11:21 -!- c64zottel [n=hans@p5B17AE68.dip0.t-ipconnect.de] has left ##openvpn []
--- Log closed Thu Oct 01 11:25:02 2009
--- Log opened Thu Oct 01 11:25:06 2009
11:25 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
11:25 -!- Irssi: ##openvpn: Total of 70 nicks [0 ops, 0 halfops, 0 voices, 70 normal]
11:25 -!- chinsan_ [i=chuck-th@chinsan.info] has joined ##openvpn
11:25 -!- Irssi: Join to ##openvpn was synced in 27 secs
11:26 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: havoc, jfkw, ecrist, sigius, HardDisk_WP, disco-, hardwire, chinsan
11:29 -!- Netsplit over, joins: havoc
11:29 -!- Netsplit over, joins: jfkw
11:30 -!- Netsplit over, joins: HardDisk_WP
11:32 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn
11:32 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:37 -!- hyper_ch [n=hyper@37-109.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:42 -!- chinsan_ [i=chuck-th@chinsan.info] has quit [Read error: 110 (Connection timed out)]
11:42 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
12:08 -!- Tonni [n=Tonni@chello084113221223.3.14.vie.surfer.at] has joined ##openvpn
12:09 < Tonni> !redirect
12:09 < vpnHelper> Tonni: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:09 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:11 -!- fbond [n=fab@storm.alittletooquiet.net] has joined ##openvpn
12:11 < Tonni> hi. i'm running two openvpn servers on one server, one listening on 1194 udp (network 10.10.0.0) and the other on 1195 udp (10.10.1.0). i'm connecting an XP and a linux machine to the 1195 network, and both can ping the server, but not each other
12:12 < fbond> Hi. What can I do to decrease how often UDP clients try to reach the server when the connection is down (like connect-retry but with UDP)?
12:13 < Tonni> for the 1194 network, i've got basically the same setup, most configs copied directly (of course changing certificates, network, port, etc), and the XP client is the same machine. there, the clients can communicate with each other
12:13 < Tonni> so i don't see what i did wrong this time, and maybe someone can help. should i post my config on nopaste somewhere, or are there known issues with non-standard-port setups?
12:14 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has joined ##openvpn
12:21 < fbond> Tonni: It is not a config problem. The OS has to route between the two networks.
12:22 < fbond> Two separate OpenVPN servers don't just automatically route with each other.
12:22 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Read error: 110 (Connection timed out)]
12:23 < fbond> Tonni: Or, I guess probably you just need to add routes for the clients.
12:23 < fbond> Tonni: Oh, wait, so both machines are the 1195 network?
12:23 < fbond> In that case, ignore me.
12:23 < Tonni> fbond: the two networks are (supposed to be) separate 12:24 < fbond> Tonni: Okay, yeah, in that case, not sure. 12:24 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:29 < Tonni> well anyway, here's the server config: http://nopaste.info/d178a81817.html i think that's enough, or does the client config play a role here too? 12:29 < Tonni> i could paste that too of course if it might help 12:29 < dazo> !route 12:29 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:31 < fbond> So, I have an OpenVPN server running UDP that is overloaded after a reboot because all of the remote clients are trying to connect at once. 12:31 < Tonni> dazo: that wasn't directed to me, was it? 12:31 < fbond> It was working fine before that because it hadn't been rebooted since way before the # of clients had grown large. 12:32 < dazo> Tonni: I just saw someone mentioning it could be routing issues ... so if you find it useful, be happy :) 12:32 < fbond> I need to get the clients to slow down the connections, but there doesn't seem to be a good option for that with UDP (there is --connect-retry but that only works with TCP). 12:32 < fbond> Any ideas? 12:32 < Tonni> fbond: assuming you're running linux, here's a dumb idea: isn't there a iptables modifier that lets you limit how many packets get accepted for a period of time? 12:33 < Tonni> oh, uhm, nevermind. 
even if it worked, that would block packets from already-connected clients too on a random basis 12:44 -!- aardwolf__ [n=aardwolf@ip68-110-152-240.hr.hr.cox.net] has quit [Read error: 104 (Connection reset by peer)] 12:44 -!- hyper_ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has joined ##openvpn 12:50 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 12:51 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has joined ##openvpn 12:52 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn 12:58 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 12:59 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has joined ##openvpn 12:59 -!- dazo is now known as dazo|afk 13:03 -!- jjox [n=jjo@84-73-44-229.dclient.hispeed.ch] has joined ##openvpn 13:05 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:07 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 13:07 -!- mirco_ [n=mirco@p54B27BB2.dip.t-dialin.net] has joined ##openvpn 13:07 -!- mirco_ is now known as mirco 13:30 -!- jeiworth_ [n=jeiworth@189.234.75.163] has joined ##openvpn 13:31 -!- jeiworth [n=jeiworth@189.234.75.163] has quit [Read error: 104 (Connection reset by peer)] 13:57 -!- Rolybrau [n=Rolybrau@243-48.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 13:58 -!- jjox [n=jjo@84-73-44-229.dclient.hispeed.ch] has left ##openvpn [] 13:58 -!- Rolybrau [n=Rolybrau@242-226.0-85.cust.bluewin.ch] has joined ##openvpn 14:33 -!- bandinia [n=bandini@79.25.109.132] has quit [Remote closed the connection] 14:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:41 -!- jeiworth_ [n=jeiworth@189.234.75.163] has quit [Read error: 110 (Connection timed out)] 14:45 -!- wookieJ [n=justin@pool-173-72-232-187.clppva.east.verizon.net] has quit [No route to host] 15:17 -!- jeiworth 
[n=jeiworth@189.177.220.244] has joined ##openvpn 15:21 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 15:41 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 15:48 < Hypnoz> anyone here familiar with pptpd 15:54 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit ["Leaving"] 15:54 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 15:55 -!- misterbean is now known as nemysis_ 16:00 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 16:16 -!- wookieJ [n=justin@pool-173-72-232-187.clppva.east.verizon.net] has joined ##openvpn 16:37 -!- Intensity [i=[gdYV96b@unaffiliated/intensity] has quit [Remote closed the connection] 16:38 -!- Tonni [n=Tonni@chello084113221223.3.14.vie.surfer.at] has quit [] 16:42 -!- Wanderer [i=nomad@c-98-245-26-136.hsd1.co.comcast.net] has left ##openvpn [] 16:43 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:47 -!- Intensity [i=[9N7YOGl@unaffiliated/intensity] has joined ##openvpn 17:05 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)] 18:16 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 18:25 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 18:31 -!- mirco [n=mirco@p54B27BB2.dip.t-dialin.net] has quit [] 19:11 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:33 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 19:46 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 19:56 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 19:58 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has joined ##openvpn 20:43 -!- Raydiation [n=bernhard@193.170.53.51] has joined ##openvpn 20:43 < Raydiation> can i make something as simple as a hamachi network with openvpn? 
20:48 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 20:52 < Raydiation> !howto# 20:52 < vpnHelper> Raydiation: Error: "howto#" is not a valid command. 20:52 < Raydiation> !howto 20:52 < vpnHelper> Raydiation: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:53 < Raydiation> dudes configuration is complicated as hell 20:54 -!- jeiworth [n=jeiworth@189.177.220.244] has quit [Read error: 110 (Connection timed out)] 20:56 < Raydiation> would be really great if you could do a gui for that 21:13 -!- Raydiation [n=bernhard@193.170.53.51] has quit ["Leaving."] 21:13 -!- master_of_master [i=master_o@p549D4271.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- master_of_master [i=master_o@p549D444D.dip.t-dialin.net] has joined ##openvpn 21:56 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 22:11 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: Optic, theDoc, hyper_ch, xenophile7x7, Intensity, HardDisk_WP, redfox, robotti^, fbond, tjz, (+7 more, use /NETSPLIT to show all of them) 22:13 -!- Netsplit over, joins: tjz, theDoc, Intensity, hyper_ch, fbond, HardDisk_WP, robotti^, jreno_, kaii, Bushmills (+7 more) 22:25 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has quit [Read error: 110 (Connection timed out)] 22:27 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has joined ##openvpn 22:52 -!- BitSlayer [n=kvirc@CPE0018f846ff26-CM001404927f9e.cpe.net.cable.rogers.com] has joined ##openvpn 22:53 < BitSlayer> can someone point me at docs on how to do a site to site vpn with openvpn? i dont want a client vpn (user/password) type. can openvpn do this? 
22:56 < BitSlayer> i've read the docs and man page and website, can't find reference on how to set up a site to site vpn anywhere 22:57 < theDoc> google has some stuff on it 22:57 < theDoc> www.lmgtfy.com/?q=openvpn+site+to+site 22:58 < Bushmills> !factoid search pki 22:58 < vpnHelper> Bushmills: Error: "factoid" is not a valid command. 22:58 < Bushmills> !factoids search pki 22:58 < vpnHelper> Bushmills: No keys matched that query. 22:59 < Bushmills> !factoids search keys 22:59 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki 22:59 < Bushmills> BitSlayer: ^^^^, and !route 23:03 < BitSlayer> yeah that doesn't look like it will work. i need to vpn to a real cisco router, which doesn't understand any of the user, password, or group or group passwords, CA's, etc 23:05 < BitSlayer> i'm going back to google, seems to have some docs, may find something 23:05 < Bushmills> how are you going to install openvpn on a cisco router?? reflash the firmware? 23:06 < BitSlayer> no that's the whole point. i need to go {openvpn/linux} ---- {cisco router running ios} 23:06 < theDoc> BitSlayer> Can't do that. 23:06 < theDoc> Cisco does not support ovpn 23:06 < BitSlayer> well that saves a lot of time :P 23:07 < Bushmills> !factoids search compatible 23:07 < vpnHelper> Bushmills: No keys matched that query. 23:07 < theDoc> That being said, does anyone know if you can run a site-to-site vpn with openvpn? 23:07 < BitSlayer> doesn't look like openswan or etc support it either 23:07 < BitSlayer> theDoc - yes, it's supported 23:07 < BitSlayer> several docs on it 23:07 < theDoc> BitSlayer> There was some luck getting PIX or the VPN concentrator 3000 to work with ovpn 23:07 < theDoc> but I heard it was a shit of a hack. 23:09 < BitSlayer> i was just playing with "vpnc" but the docs are crap 23:10 < Bushmills> !howto 23:10 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 23:12 < Bushmills> oh.
the "v" looked almost like an "o" because weird screen rescaling atm (trying dual screen on two screens with very different resolution, but only stretching the desktop) 23:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:42 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Fri Oct 02 2009 00:19 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 00:25 -!- hyper_ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has quit [Remote closed the connection] 00:39 -!- ksnp [n=ksnp@71.6.65.18] has joined ##openvpn 00:39 < ksnp> anyone know of a good client ? 00:49 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 00:49 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 104 (Connection reset by peer)] 00:50 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 00:51 -!- mirco_ [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 00:51 -!- freaky[t] is now known as fReAkY[t] 00:57 -!- ksnp [n=ksnp@71.6.65.18] has left ##openvpn [] 01:00 -!- wookieJ [n=justin@pool-173-72-232-187.clppva.east.verizon.net] has left ##openvpn [] 01:08 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 01:08 -!- mirco_ is now known as mirco 01:09 -!- hyper_ch [n=hyper@226-191.77-83.cust.bluewin.ch] has joined ##openvpn 01:31 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:27 -!- t0mm [n=tomm@mail.keyade.com] has joined ##openvpn 02:27 < t0mm> Hi! 02:27 < t0mm> does anyone already try to bond (kernel module: bonding) two openvpn tap device ? 
02:28 -!- Vito111 [n=vito@195.3.173.128] has quit [Remote closed the connection] 02:28 -!- Vito111 [n=vito@195.3.173.128] has joined ##openvpn 02:30 -!- fbond [n=fab@storm.alittletooquiet.net] has quit [Remote closed the connection] 02:30 -!- fbond [n=fab@storm.alittletooquiet.net] has joined ##openvpn 02:36 < theDoc> fbond> nice hostmask ;p 03:05 -!- dazo|afk is now known as dazo 03:12 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)] 03:26 -!- EdwardIII [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn 03:32 -!- spiekey [n=mario@212.87.131.201] has joined ##openvpn 03:32 < spiekey> Hello! 03:32 < spiekey> i need to bridge eth0 and tap0 ...so i get br0: http://pastebin.com/da6f917 03:32 < spiekey> is there a way to rename eth0 to peth0 and to keep eth0 as a bridge? 03:32 < spiekey> problem: if eth0 changes to br0 i need to adjust iptables, configs...all based on "eth0" 04:17 -!- athimus [i=athimus@lyseo.edu.ouka.fi] has joined ##openvpn 04:19 < athimus> !howto 04:19 < vpnHelper> athimus: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:29 < dazo> spiekey: you can use udev rules to rename ethernet interfaces upon initialisation .... or you can use ifname to rename it in scripts .... udev is the preferred way, as you get the right dev name as early as possible 04:30 < dazo> spiekey: http://www.debianhelp.co.uk/udev.htm 04:30 < vpnHelper> Title: Rename Network Interface using udev in Debian (at www.debianhelp.co.uk) 04:32 < dazo> spiekey: you may as well have a look for /etc/udev/rules.d/*persistent-net.rules .... and just rename it in this file directly 04:36 < spiekey> thanks!!!! 04:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:50 < dazo> And a new 2.1 release is just announced ... 2.1rc20 .... with new features again .... this is a never ending story .... 
04:57 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 04:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:02 < reiffert> ... 05:11 -!- hyper_ch [n=hyper@226-191.77-83.cust.bluewin.ch] has quit [Remote closed the connection] 05:28 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:31 -!- fbond [n=fab@storm.alittletooquiet.net] has left ##openvpn [] 05:38 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 05:45 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has joined ##openvpn 05:46 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has left ##openvpn [] 05:50 -!- tjz [n=tjz@bb220-255-158-226.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)] 05:58 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 05:59 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 06:01 -!- hyper_ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has joined ##openvpn 06:02 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn 06:04 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 
06:06 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 06:06 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has joined ##openvpn 06:13 -!- brizly [n=brizly_v@p4FC9A296.dip0.t-ipconnect.de] has joined ##openvpn 06:15 -!- brizly1 [n=brizly_v@p4FC9A37D.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:17 -!- oc80z [i=oc80z@quad.efnet.pe] has quit [] 06:35 -!- theDoc [n=zing@bb116-15-80-69.singnet.com.sg] has joined ##openvpn 06:43 -!- theDoc [n=zing@bb116-15-80-69.singnet.com.sg] has quit ["This computer has gone to sleep"] 06:48 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has quit ["Leaving."] 06:50 -!- hyper_ch [n=hyper@adsl-89-217-159-233.adslplus.ch] has quit [Remote closed the connection] 06:58 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:31 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 07:31 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn 07:35 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Nick collision from services.] 07:35 -!- EdwardIII_ is now known as EdwardIII 07:53 < ecrist_> you are all bitches 07:53 -!- You're now known as ecrist 07:56 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:16 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 08:40 -!- theDoc [n=zing@bb116-15-80-69.singnet.com.sg] has joined ##openvpn 08:40 -!- nuhiNlow [i=bouncer@adsl-64-216-48-227.dsl.ablntx.swbell.net] has quit [Remote closed the connection] 08:42 -!- nuhiNlow [i=bouncer@adsl-64-216-48-227.dsl.ablntx.swbell.net] has joined ##openvpn 08:42 -!- theDoc [n=zing@bb116-15-80-69.singnet.com.sg] has quit [Nick collision from services.] 
08:42 -!- thedoc_ [n=zing@unaffiliated/thedoc] has joined ##openvpn 08:42 -!- thedoc_ is now known as theDoc 09:00 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 09:02 -!- irrwitzer [n=jjj@unaffiliated/irrwitzer] has joined ##openvpn 09:06 < irrwitzer> hi, is there a config option to tell an openvpn client to *not* set routes like 0/1 and 128.0/1 even if the server pushes the default route? The windows ui does support a setting like this, but I'm looking for a way to do this on macosx (with tunnelblick.app) 09:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:14 -!- jeiworth [n=jeiworth@189.163.179.220] has joined ##openvpn 09:32 -!- tzhgg [n=daniel@p508F1F6C.dip0.t-ipconnect.de] has joined ##openvpn 09:32 -!- tzhgg [n=daniel@p508F1F6C.dip0.t-ipconnect.de] has left ##openvpn [] 09:32 -!- tzhgg [n=daniel@p508F1F6C.dip0.t-ipconnect.de] has joined ##openvpn 09:35 < dazo> irrwitzer: which windows ui? the OpenVPN GUI does not do anything else than what is found in the openvpn configuration file 09:37 < irrwitzer> well, maybe I'm confusing something here, but iirc I had an option to disable sending ALL traffic over the vpn when using *an* openvpn gui on windows 7. Nevertheless, do you know an option for openvpn to reject the given default gateway? I even tried running a route deletion script with the "up" and "up-delay" directives, but that doesn't work either... 09:38 < dazo> irrwitzer: you do not have access to that configuration file? 09:38 * dazo doesn't recall such an option right now 09:40 < irrwitzer> dazo: I do have access to my own config file (the client's), but I can't change the server's config file because my colleagues like it the way it is... but I dislike the fact that all existing connections drop the moment I connect to our vpn. Currently I manually delete the two routes set by openvpn, but that's rather unnerving, especially when openvpn reestablishes the connection while I'm afk.
09:40 < dazo> irrwitzer: the closest is probably --redirect-gateway options .... or maybe you removed --pull from client config? 09:41 < dazo> irrwitzer: if you have access to your local client config in win7 ... look at that config file .... copying that config file to another box, running openvpn from the command line should give an *identical* experience .... And I believe tunnelblick works in a similar fashion, but try from command line first 09:41 -!- tzhgg [n=daniel@p508F1F6C.dip0.t-ipconnect.de] has quit ["Leaving"] 09:42 < irrwitzer> dazo: isn't the redirect-gateway option for the server side only? hmm, removing the pull option and setting all routes manually... that would be okay... hang on, I'll give it a try... 09:42 < dazo> irrwitzer: nope ... --redirect-gateway is a client option only .... but can be pushed from the server, iirc 09:44 -!- spiekey [n=mario@212.87.131.201] has quit ["Ex-Chat"] 09:46 < ecrist> irrwitzer: there is an option 09:46 < ecrist> I don't remember what it is, but there is an ignore option 09:47 < ecrist> --push-reset 09:47 < ecrist> !man 09:48 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 09:48 < ecrist> about damn time, vpnHelper 09:57 < irrwitzer> okay... disabling the pull option didn't work, openvpn sets the routes nonetheless... 09:57 < irrwitzer> --push-reset does only work when configured on the vpn server, right? 09:57 < ecrist> not sure 10:08 < ecrist> I think I'm lagging.
10:11 -!- Irssi: ##openvpn: Total of 73 nicks [0 ops, 0 halfops, 0 voices, 73 normal] 10:31 -!- hyper_ch [n=hyper@91.137.20.132] has joined ##openvpn 10:50 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has joined ##openvpn 10:53 -!- Rolybrau [n=Rolybrau@242-226.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 10:54 -!- Rolybrau [n=Rolybrau@142-95.3-85.cust.bluewin.ch] has joined ##openvpn 11:04 -!- EdwardIII [n=django@unaffiliated/edward123] has quit [Read error: 110 (Connection timed out)] 11:07 -!- hyper_ch [n=hyper@91.137.20.132] has quit [Remote closed the connection] 11:08 -!- EdwardIII_ [n=django@host81-149-214-135.in-addr.btopenworld.com] has quit ["night all"] 11:08 -!- detys [n=detys@193.48.172.7] has joined ##openvpn 11:08 < detys> Hi 11:08 < detys> I want to start selling vpn access using openvpn. 11:09 < detys> Has anyone done this and can recommend a way to keep track of each user's bandwidth usage? 11:24 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 11:38 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has joined ##openvpn 11:39 < phantomcircuit> OpenVPN is designed to operate optimally over UDP, but TCP capability is provided for situations where UDP cannot be used. In comparison with UDP, TCP will usually be somewhat less efficient and less robust when used over unreliable or congested networks. 11:39 < phantomcircuit> can someone explain that one to me? how could UDP possibly be more robust than UDP? 11:39 < phantomcircuit> er 11:39 < phantomcircuit> can someone explain that one to me? how could UDP possibly be more robust than TCP? 11:42 < reiffert> !tcp 11:42 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 11:42 < reiffert> read that link.
11:47 < phantomcircuit> hmm 11:47 < phantomcircuit> so my problem is that i need to access the vpn over ssh 11:48 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:49 < phantomcircuit> actually that's not 100% true 11:51 < phantomcircuit> so redirecting the UDP connection over a TCP tunnel through SSH would involve at least an additional layer of UDP 12:02 -!- dazo is now known as dazo|afk 12:06 -!- detys [n=detys@193.48.172.7] has quit [Read error: 110 (Connection timed out)] 12:26 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 12:27 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 12:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 13:15 -!- seanc_ [n=seanc@71.6.14.2] has joined ##openvpn 13:15 < seanc_> what's the popular thought re: the following problem: RESOLVE: Cannot resolve host address: vpn.example.org: [NO_DATA] The requested name is valid but 13:15 < seanc_> does not have an IP address. 13:16 < seanc_> winxp... no firewall, running as admin, 2.0.18. 13:17 -!- galen_ [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has joined ##openvpn 13:18 < galen_> Here's a simple but deep question: can OpenVPN be integrated with Windows for a Single Sign On (SSO) effect? e.g. 
the user logs onto Windows and their credentials are used for everything, including the OpenVPN connection 13:20 -!- mirco [n=mirco@tmo-104-116.customers.d1-online.com] has joined ##openvpn 13:24 -!- mirco [n=mirco@tmo-104-116.customers.d1-online.com] has quit [Client Quit] 13:29 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 13:41 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has joined ##openvpn 13:46 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 13:48 -!- LordBurrito [i=luser@jimsun.linxnet.com] has joined ##openvpn 13:49 < LordBurrito> Quick, very quick, question: Does OpenVPN allow you to restrict client network access, say to a single, specified target/host, by client i.d.? 13:49 < galen_> Does OpenVPN support multicast? 13:53 < seanc_> LordBurrito: do that on the vpn server... use a firewall. 13:53 < seanc_> galen_: does it tunnel multicast? bridging, I believe so. 13:54 < galen_> seanc_: is that viable for use with many users connecting? 13:54 < seanc_> galen_: don't know, you'll have to find out 13:54 < galen_> the scenario is providing users a "full LAN" experience including things like bonjour printers 13:54 < seanc_> yup, use bridging 13:54 < seanc_> but beyond that, I don't know... just a knowledgeable user 13:55 < galen_> well, i mean, is bridging intended for point A to point B, or can it be point A to multiple clients? 13:56 < LordBurrito> seanc_: This is what I was seeking: http://www.openvpn.net/index.php/open-source/documentation/howto.html#policy 13:56 < epaphus> Hello guys, I need to know what reliable openvpn client exists for Ubuntu? 13:56 < LordBurrito> Thanks! 13:56 < epaphus> linux and windows.. 13:56 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
13:56 < hyper_ch> openvpn is also a client 13:57 < epaphus> sorry, i meant an openvpn client GUI 13:57 < epaphus> for a ubuntu user to be able to select which VPN to connect to... 13:57 < hyper_ch> no need for a gui 13:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 13:59 < epaphus> ok let me be more specific :) ... a user has openvpn as a client.. with several different client.conf files (different VPNs) i need a GUI so he can start those at their will... know when they are connected to one, etc 13:59 < epaphus> i tried gopenvpn .. but it just doesnt seem to work properly.. 14:03 -!- seanc__ [n=seanc@73.sub-75-210-207.myvzw.com] has joined ##openvpn 14:05 < hyper_ch> no clue 14:05 < hyper_ch> I run my own server 14:05 < hyper_ch> so I run my own vpn 14:05 < hyper_ch> no need for something else 14:05 < epaphus> yeah but i have 20 users.. each need to use their own VPN and alternate during the day 14:05 -!- t0mm [n=tomm@mail.keyade.com] has quit [Read error: 113 (No route to host)] 14:10 -!- jeiworth_ [n=jeiworth@189.163.189.18] has joined ##openvpn 14:18 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: Intensity, galen_, BitSlayer, kaii, vpnHelper, jreno_, xenophile7x7, cpm, HardDisk_WP, kreg, (+10 more, use /NETSPLIT to show all of them) 14:19 -!- Netsplit over, joins: Intensity, seanc__, vpnHelper, LordBurrito, galen_, jeiworth, cpm, BitSlayer, HardDisk_WP, robotti^ (+9 more) 14:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:25 -!- jeiworth [n=jeiworth@189.163.179.220] has quit [Connection timed out] 14:41 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has joined ##openvpn 14:43 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Remote closed the connection] 14:43 -!- c64zottel [n=hans@p5B17B3C1.dip0.t-ipconnect.de] has left ##openvpn [] 14:52 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 14:58 -!- jeiworth_ [n=jeiworth@189.163.189.18] has quit 
[Read error: 105 (No buffer space available)] 15:05 < phantomcircuit> generating a dh key pair takes FOREVER 15:06 < Hypnoz> epaphus: You would think there would be a good VPN client in ubuntu since mac and windows both get them. It shouldn't be hard for someone to make a good vpn client. But really the only choice is the network manager openvpn client plugin, which is very shitty. What I do is just have a script that runs it in the command window, and i ctrl-c to disconnect 15:07 < Hypnoz> so copy the key files and .ovpn file to /home/user/.openvpn, then put this as a script 15:07 < Hypnoz> #!/bin/bash 15:07 < Hypnoz> cd /home/user/.openvpn 15:07 < Hypnoz> sudo openvpn --config user.ovpn 15:07 < phantomcircuit> Hypnoz, what's wrong with the NetworkManager plugin? 15:08 < Hypnoz> I forgot exactly what the issue I was having was, but I think it wasn't setting the routes right 15:11 < Hypnoz> eh maybe I fixed it. I think before I had it set to use the VPN as my default gateway 15:11 < Hypnoz> so ya, the network manager openvpn plugin is probably the best bet 15:21 -!- jeiworth [n=jeiworth@189.177.220.244] has joined ##openvpn 15:36 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 15:39 < epaphus> is there such a thing as setting up openvpn without encryption..? 15:39 -!- seanc__ [n=seanc@73.sub-75-210-207.myvzw.com] has quit [Read error: 110 (Connection timed out)] 15:39 < epaphus> Hypnoz, I am going to try that 15:45 < |Mike|> re. 15:45 < |Mike|> phantomcircuit: it sucks 15:46 < |Mike|> !ubuntu 15:46 < vpnHelper> |Mike|: "ubuntu" is dont use network manager! 16:02 -!- LordBurrito [i=luser@jimsun.linxnet.com] has quit ["Leaving IRC - dircproxy 1.0.5"] 16:19 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Remote closed the connection] 16:20 < epaphus> |Mike|, why does it suck?
16:20 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 16:20 < |Mike|> because you can only use 1 VPN connection 16:20 < epaphus> |Mike|, one vpn at a time? 16:21 < |Mike|> Yes. 16:21 < epaphus> |Mike|, that's ok.. i only need one at a time. 16:21 < epaphus> other than that.. is there another problem i should know? 16:22 -!- misterbean is now known as nemysis_ 16:22 < |Mike|> 2009/10/02 20:55:07 < epaphus> ok let me be more specific :) ... a user has openvpn as a client.. with several different client.conf files (different VPNs) i need a GUI so he can start those at their will... know when they are connected to one, etc 16:23 < |Mike|> that's possible. 16:23 < epaphus> |Mike|, with that last statement.. yes i did mean many VPNs.. but the user will only use 1 at once 16:23 < epaphus> he will alternate between them 16:24 < reiffert> phantomcircuit: you might wanna try openssh's tun/tap mode. 16:24 < reiffert> !ssh 16:24 < vpnHelper> reiffert: Error: "ssh" is not a valid command. 16:25 < reiffert> !openssh 16:25 < vpnHelper> reiffert: Error: "openssh" is not a valid command. 16:25 < epaphus> ssh works tcp over tcp.. 16:25 < reiffert> phantomcircuit: http://www.debian-administration.org/articles/539 16:25 < vpnHelper> Title: Setting up a Layer 3 tunneling VPN with using OpenSSH (at www.debian-administration.org) 16:25 < epaphus> if I am not mistaken, so i wouldn't try that 16:25 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 16:25 -!- krzee_ [n=krzee@butters.secure-computing.net] has joined ##openvpn 16:26 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: Intensity, galen_, BitSlayer, kaii, vpnHelper, jreno_, xenophile7x7, HardDisk_WP, kreg, Optic, (+7 more, use /NETSPLIT to show all of them) 16:26 < newmember> hello 16:26 < reiffert> epaphus: how insane is what phantomcircuit was proposing compared to tcp over tcp?
16:26 -!- Netsplit over, joins: Intensity, jeiworth, vpnHelper, galen_, BitSlayer, HardDisk_WP, robotti^, jreno_, kaii, Bushmills (+6 more) 16:26 -!- galen_ [n=galen@c-24-20-185-90.hsd1.wa.comcast.net] has quit [] 16:28 < newmember> I am trying openvpn webmin interface and I am having a problem creating a New VPN Server. Does anyone else use this GUI? 16:57 -!- vindex [n=vindex@unaffiliated/moldenauer] has joined ##openvpn 16:58 < vindex> dazo|afk: heya 17:03 < |Mike|> lol newmember 17:03 < |Mike|> http://www.debian-administration.org/articles/539 17:03 < vpnHelper> Title: Setting up a Layer 3 tunneling VPN with using OpenSSH (at www.debian-administration.org) 17:03 < |Mike|> newmember: read that 17:09 < newmember> ya, openvpn is easier 17:09 < newmember> for my purpose 17:10 < newmember> thanks for the thought 17:10 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 17:25 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Read error: 104 (Connection reset by peer)] 17:33 -!- BitSlayer [n=kvirc@CPE0018f846ff26-CM001404927f9e.cpe.net.cable.rogers.com] has left ##openvpn ["Reality is that which, when you stop believing in it, doesn't go away"] 17:51 -!- jeiworth [n=jeiworth@189.177.220.244] has quit [Read error: 110 (Connection timed out)] 18:29 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"] 18:49 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 18:51 -!- Netsplit over, joins: jhp, |Mike| 19:16 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 19:17 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 19:17 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 19:42 < krzee_> Bushmills, if you're here can you answer something small for me 19:43 < krzee_> is there a diff or advantage to doing 
either of these 2 ways
19:44 < krzee_> [ "${stuck}" -eq "0" ] && whatever
19:44 < krzee_> (( ${stuck} == 0 )) && whatever
19:44 < krzee_> same thing to me...
20:06 < vindex> krzee_: the former is usually considered 'better form' afaik
20:06 -!- krzee_ is now known as krzee
20:07 -!- krzee [n=krzee@unaffiliated/krzee] has left ##openvpn []
20:07 -!- krzee [n=krzee@unaffiliated/krzee] has joined ##openvpn
20:07 < krzee> vindex any reason other than opinion?
20:07 < vindex> no
20:07 < vindex> as far as i know.
20:07 < vindex> just aesthetics
20:08 < krzee> cool
20:08 < vindex> cant say if internally one performs better than the other or anything along those lines
20:08 < krzee> thanx =]
20:08 < vindex> either way i think overhead is minimal / you dont give a dime in such a scenario
20:08 < vindex> np
20:08 < krzee> did you happen to need help with your vpn too?
20:11 < vindex> no thanks, i already got all my stuff to work nicely, spent my share of pain here weeks ago
20:11 < vindex> mostly hanging around
20:12 < vindex> talking to dazo|afk over some improvements and ideas
20:12 < vindex> i intend to write a small https app (possibly using twisted/tornado in python) for managing openvpn servers
20:12 < vindex> among other things
20:13 < vindex> i can also contribute a policy for grsecurity rbac users
20:13 < vindex> wrote it for my gentoo system
20:13 < krzee> ahh cool =]
20:13 < krzee> the policy would likely make a nice wiki article for our wiki
20:13 < krzee> and forum post even
20:14 < krzee> ( !wiki and !forum )
20:14 < vindex> i havent looked at the plugin interface yet
20:14 < vindex> been swamped with some kernel project
20:14 < krzee> plugin interface?
20:14 < krzee> ahh like support for ldap and whatnot?
20:17 < vindex> well
20:17 < vindex> i would like to have something like dazo|afk's eurephia
20:17 < vindex> apply different firewall rules per client based upon certificate fingerprint etc
20:17 < vindex> apply different configuration, or lock based upon geoip
20:17 < vindex> nothing over complicated
20:17 < krzee> ahh not a problem, that would be a script in (i believe) --client-connect
20:18 < krzee> theres a section in manual for script order of execution, interesting read about extending ovpn's function
20:19 < krzee> s/function/features/ i guess
20:19 < krzee> im a native english speaker and i can barely speak it today, lol
20:22 < vindex> i could relate, been setting up a dual boot windows 7 and gentoo system after i decided i got enough of ubuntu's bs and vista suboptimal performance
20:24 < vindex> dont even know what time it is
20:24 < vindex> heh
20:24 < vindex> :(
20:27 < krzee> hehehe
20:27 < krzee> both of those explain why i stick to freebsd and osx
20:28 < vindex> haha, os x is a horrible mess sadly, though easy to the eye
20:28 < krzee> i think its greatness, and i used windows from 3.1 til vista came out
20:28 < vindex> security is, well, lacking. freebsd isnt too bad, linux 2.6 is a mess too
20:29 < krzee> oh well sure, i wouldnt use osx as a server
20:29 < vindex> i wish i could still 2.4 kernels in modern distros
20:29 < vindex> still use*
20:30 < vindex> atm setting up awesome on the laptop
20:30 < vindex> if you dont know it you should check it out
20:30 < vindex> it's an insanely neat window manager
20:30 < krzee> awesome = os?
20:30 < vindex> uses the new xcb arch for async X
20:31 < vindex> the window manager
20:31 < ecrist> awesome = freebsd
20:31 < krzee> ahh coolness
20:31 < vindex> it's kind of complex to get it going the way you want, you must write your entire config and such in lua
20:31 < krzee> i dont use X
20:31 < vindex> all command line?
:P
20:32 < krzee> cause i only use fbsd for my servers, osx for my desktops
20:32 < krzee> ya
20:32 < vindex> ah right
20:32 < krzee> in my belief system servers should be CLI
20:32 < vindex> i use screen for all my window management needs :P
20:32 < vindex> sure thing
20:32 < krzee> yup =]
20:32 < vindex> servers should never run guis
20:32 < vindex> it's counterproductive
20:33 < vindex> to be honest i need gui on the laptop for few things, browsing, multimedia and thats it. i use mutt for mail and so forth
20:33 < ecrist> Never and Always are words I stay away from. It's really easy to be wrong with either of them.
20:33 < vindex> i wish there was a command line firefox
20:33 < vindex> which worked well on framebuffer
20:33 < ecrist> lynx does it for m
20:33 < ecrist> e
20:33 < krzee> links is a lil cleaner too
20:34 < vindex> lynx is lagging a couple decades away from the state of the art in current web technologies :P
20:34 < krzee> but ya, aside from the occasional google i leave the web browsing to my desktop machines
20:35 < ecrist> my desktop is my OS X machine. I'm not too proud to say I use a GUI on a regular basis.
20:35 < vindex> theres a feed reader exactly like mutt which is pretty neat too
20:36 < vindex> guis are distracting as hell
20:36 < vindex> but, hey, the internet became stupid
20:36 < vindex> we need guis to browse it!
20:36 < vindex> how would you watch all those endless youtube videos and cnn reports otherwise!
20:37 < ecrist> krzee: how you doing?
20:37 < krzee> good bro, wishing i had inet at the new condo
20:37 < krzee> thats why you hardly see me on lately
20:37 < ecrist> ah, when does that get put in?
20:38 < krzee> in this country...
nobody knows
20:38 < krzee> 3rd world country = 3rd world service
20:38 < ecrist> LOL
20:38 < krzee> but the new place has lights most days, thats pretty cool ;]
20:39 < vindex> you can always torch a nearby bank for your lighting needs
20:39 < vindex> nowadays i can hardly imagine someone would care
20:39 < krzee> i dont actually care bout light, its the computer being on i care about
20:39 < krzee> and the fan
20:40 < krzee> but once i can afford to ill get a power inverter to run on a few car batteries
20:40 < vindex> and the mosquito device
20:40 < krzee> (standard around here)
20:40 < vindex> haha
20:40 < vindex> thats ghetto but seen it
20:40 < krzee> around here its high class ;]
20:40 < krzee> with ghetto being no electricity whatsoever, and no running water
20:41 < vindex> where are you atm?
20:41 < krzee> caribbean
20:41 < ecrist> krzee: got a new project at the office I've been working on. need to build a fax server for 20,000 to 40,000 incoming faxes per week, and we need to automatically attach them to a claim and submit them with the claim
20:41 < vindex> sounds interesting at very least
20:41 < vindex> nice
20:41 < vindex> the less you have to lose the more free you are
20:41 < vindex> somehow people forget that these days
20:42 < krzee> ecrist, faxes will all come at once or somewhat evenly spread out?
20:42 < krzee> you thinkin asterisk or freeswitch?
20:42 < ecrist> going to do T1 + Asterisk + IAXmodem + Hylafax and for routing we're using libdmtx and put 2D barcodes on the cover sheets.
20:42 < vindex> enjoy the outside, you cant be too far from coast line if you are the good old caribe
20:43 < krzee> vindex, agreed, i like it here
20:43 < ecrist> we might start with 5 POTS lines, but we only need to 'need' 9 lines before POTS > T1 expense.
20:43 < vindex> in the good old*
20:43 < krzee> ecrist, you require them to be local numbers?
20:43 < vindex> sleep deprivation makes me skip words
20:43 < krzee> you can get free numbers to use
20:43 < ecrist> krzee: only going to be one number
20:44 < ecrist> and, the data has to be faxed directly to us, it's medical claim information
20:44 < krzee> ohhh
20:44 < krzee> then ya MUST be pots
20:44 < ecrist> yup
20:44 < ecrist> no fancy SIP or 3rd party provider
20:44 < ecrist> but, the libdmtx has been the most fun.
20:45 < ecrist> from the command line I can encode and decode a graphical barcode to a text string
20:45 < ecrist> turns out, the developer of it is from here in Minneapolis, too. ;)
20:45 < krzee> if you think it may end up with high amounts of calls you may wanna go freeswitch, but if it wont grow beyond what you said asterisk should be fine
20:46 < ecrist> *worst* case, we'd have to jump to a second T1
20:46 < ecrist> I think 24 lines should be sufficient
20:46 < krzee> cool
20:46 < ecrist> with the barcoding, the clients can send more than one fax per call and I can split them on our end
20:46 < krzee> asterisk should be fine up to around 75 or so
20:46 < ecrist> but, they have to use our cover sheet, generated from their claim status
20:46 < krzee> concurrent
20:47 < ecrist> really, I expect 10 concurrent at once
20:47 < ecrist> we have a ton of very small clients that will use it once a week, or even once a month.
20:47 < krzee> and i say 75 being careful, you wont have a problem
20:47 < ecrist> otoh, we have some large clients that would probably tie the lines up 24x7 for one or two circuits
20:48 < ecrist> it's been a lot of fun to play with. hoping to go live with a test setup in a couple weeks. Probably a single pots line
20:48 < krzee> you doing tiff to pdf?
20:48 < ecrist> tiff
20:48 < krzee> ahh keeping it tiff
20:48 < krzee> theres a tool to tiff2pdf it
20:49 < ecrist> tiff seems to scan faster, and I'm surprised at the number of utilities out there to work with tiff
20:49 < krzee> if you care
20:49 < krzee> ahh cool
20:49 < krzee> well ya plus a fax IS a tiff
20:49 < ecrist> yea, using tiffcp to split the large faxes into their components
20:49 < krzee> so it requires no effort
20:49 < krzee> ahh thats nice
20:49 < ecrist> right, I'm a fan of keeping it native, unless there's a real reason not to
20:50 < krzee> if it werent for the medical laws to conform to i'd show you how to earn per minute in use with unlimited concurrent
20:50 < ecrist> I was initially going to go PDF when I thought I'd have to rotate the faxes to OCR them, but the barcode isn't sensitive to its orientation
20:50 < krzee> but it would be illegal for your use
20:51 < ecrist> it decodes regardless of the skew
20:51 < ecrist> ack
20:52 < ecrist> well, I'm off to bed, gotta get up early. talk to you later.
20:53 < krzee> nite bud
20:59 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Client Quit]
21:04 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
21:13 -!- Alja [n=Alja@190.26.146.76] has joined ##openvpn
21:14 < Alja> hi
21:14 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
21:15 < newmember> I have openvpn connected and I am pushing my LAN network, but I cant ping hosts on the LAN, ideas?
21:16 < Alja> I managed to connect client-server but, I'm not able to surf-browse using the vpn connection, is there a specific action to do like proxy to make the client use the vpn connection?
21:16 < newmember> Alja: you want to route all traffic to the vpn?
21:17 < Alja> yes, well basically I want to be able to surf using the country's server ip.
21:17 < newmember> Alja: you have to "push" a route to the client, or push all traffic
21:18 < Alja> I've tried that but no luck "push gateway"
21:19 < Alja> wait, could you explain "push a route to the client"?
21:19 < newmember> push "redirect-gateway def1"
21:20 < newmember> sec
21:20 < Alja> what would be "def1"
21:20 -!- master_of_master [i=master_o@p549D444D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:22 < newmember> I think the NIC
21:25 < newmember> try this one
21:25 < newmember> push "redirect-gateway"
21:26 < Alja> I tried but it goes nowhere.... is there any special setup I'll need to do in the browser so it will use the vpn connection?
21:26 < newmember> add this to the client config
21:26 < newmember> verb 3
21:27 < Alja> I have it in verb 6
21:27 < newmember> really
21:27 -!- master_of_master [i=master_o@p549D7436.dip.t-dialin.net] has joined ##openvpn
21:27 < newmember> do you have "pull" in the client config?
21:28 < Alja> I don't think so.... how will it be?
21:29 < newmember> the word
21:29 < newmember> pull
21:29 < newmember> all by itself
21:29 < Alja> no, I'll try
21:29 < newmember> this allows the client to download the push
21:39 < Alja> if i add the "push" then it won't connect
21:39 -!- Alja [n=Alja@190.26.146.76] has quit [Remote closed the connection]
21:39 -!- Alja [n=Alja@190.26.146.76] has joined ##openvpn
21:42 < newmember> push with no quotes
21:44 < Alja> yes, so I tried but then there is no connection.
21:46 < newmember> odd
21:46 < newmember> you have the work push on a line by itself
21:46 < newmember> you have the word push on a line by itself
21:48 < Alja> no, should I try both, pull and push in different line?
21:51 < newmember> sorry
21:51 < newmember> push goes on the server
21:51 < newmember> pull goes on the client
21:52 < newmember> brb
21:52 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
21:55 < Alja> I put the two of them but still no connection to internet..... do I need to setup any dns somewhere?
21:55 < Alja> thanks anyway
21:55 < Alja> I believe it must be something related with dns since I can go to the server site but nowhere else
22:03 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:04 < newmember> ok
22:14 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: pa, sno_, reiffert, ^scott^
22:14 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
22:14 -!- ThoMe is now known as thomas
22:14 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
22:15 -!- Netsplit over, joins: pa
22:18 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
22:34 -!- Alja [n=Alja@190.26.146.76] has quit [Read error: 110 (Connection timed out)]
22:49 < Bushmills> krzee: expression in (( )) is arithmetic. [] or [[]] is string. try comparing 1 against 01 either way
22:51 < Bushmills> or 4-3 against 1, for that matter
22:53 < Bushmills> for string, check put [[ ]] which is preferable over [ ]
22:53 < Bushmills> out
22:55 < Bushmills> vindex: trey the same. difference is more than just aesthetics. it makes the difference between yes and no
22:55 < Bushmills> try...
23:06 < vindex> Bushmills: doesnt it evaluate the condition as true or false within the brackets anyway?
23:07 < vindex> and that means the result is the same for that specific case
23:07 < vindex> i could be mistaken
23:08 < vindex> but he seemed to have it working just fine
23:11 < newmember> hmmmm, I am wondering how to add a user
23:12 < newmember> I cant see a place to add users
23:16 < vindex> newmember: users? you mean adding new certificates?
23:17 < newmember> hmmm, just somewhere I can add a username and password for smb or ftp
23:19 < newmember> I have started LDAP
23:28 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 113 (No route to host)]
23:29 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
23:33 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: xenophile7x7, Bushmills, robotti^, kreg, redfox, jreno_, kaii
23:35 -!- Netsplit over, joins: robotti^
23:36 -!- Netsplit over, joins: kaii
23:38 -!- misterbean is now known as nemysis_
23:41 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has quit [Read error: 104 (Connection reset by peer)]
23:47 -!- kreg [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
23:47 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn
23:47 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn
23:48 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn
23:48 -!- redfox is now known as Guest55997
23:49 -!- Bushmills [n=nnBushmi@verhau.de] has joined ##openvpn
--- Day changed Sat Oct 03 2009
00:36 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:14 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn
01:30 -!- xod [n=onats@112.201.239.185] has joined ##openvpn
01:31 -!- xod is now known as onats
01:43 -!- jupiter15 [n=jupiter@unaffiliated/jupiter15] has quit [Remote closed the connection]
02:33 -!- mrparanoid [n=coroner@ppp114-81.static.internode.on.net] has joined ##openvpn
03:43 -!- WormFood [n=wormfood@119.123.26.161] has joined ##openvpn
03:44 -!- WormFood [n=wormfood@119.123.26.161] has quit ["Leaving"]
03:45 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has joined ##openvpn
03:46 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has left ##openvpn []
03:46 -!- WormFood [n=wormfood@119.123.26.161] has joined ##openvpn
03:46 < WormFood> are there any good pages about setting up winblows clients, that is not on
the main openvpn pages?
03:51 -!- brizly [n=brizly_v@p4FC9A296.dip0.t-ipconnect.de] has quit ["Leaving."]
04:11 < hyper_ch> !howto
04:11 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:14 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
04:18 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
04:39 -!- brizly [n=brizly_v@a89-183-7-96.net-htp.de] has joined ##openvpn
04:41 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:06 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 104 (Connection reset by peer)]
05:33 -!- brizly1 [n=brizly_v@a89-182-136-53.net-htp.de] has joined ##openvpn
05:48 -!- brizly [n=brizly_v@a89-183-7-96.net-htp.de] has quit [Read error: 110 (Connection timed out)]
05:55 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has joined ##openvpn
05:55 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has left ##openvpn []
05:56 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
07:25 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 113 (No route to host)]
07:38 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
07:39 -!- misterbean is now known as nemysis_
07:55 -!- Rolybrau [n=Rolybrau@142-95.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:56 -!- Rolybrau [n=Rolybrau@193-113.3-85.cust.bluewin.ch] has joined ##openvpn
08:36 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has quit [Remote closed the connection]
08:58 -!- brizly1 [n=brizly_v@a89-182-136-53.net-htp.de] has quit ["Leaving."]
09:41 -!- hyper_ch [n=hyper@91.137.20.132] has joined ##openvpn
09:52 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
09:53 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
09:54 -!- hyper_ch [n=hyper@91.137.20.132] has quit [Read error: 104 (Connection reset by
peer)]
09:56 -!- hyper_ch [n=hyper@91.137.20.132] has joined ##openvpn
10:08 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:10 -!- mrparanoid [n=coroner@unaffiliated/mrparanoid] has quit [Remote closed the connection]
10:14 -!- hyper_ch [n=hyper@91.137.20.132] has quit [Read error: 60 (Operation timed out)]
10:18 -!- hyper_ch [n=hyper@91.137.20.132] has joined ##openvpn
10:46 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has joined ##openvpn
10:47 -!- c64zottel [n=hans@p5B1787F1.dip0.t-ipconnect.de] has left ##openvpn []
11:00 -!- hyper_ch [n=hyper@91.137.20.132] has quit [Remote closed the connection]
11:58 < krzee> !configs
11:58 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:00 < krzee> thanx bot =]
12:31 -!- brizly [n=brizly_v@a89-182-154-49.net-htp.de] has joined ##openvpn
13:15 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
13:35 -!- tomm_ [n=tomm@aut75-9-88-183-93-251.fbx.proxad.net] has joined ##openvpn
13:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:52 -!- tomm_ [n=tomm@aut75-9-88-183-93-251.fbx.proxad.net] has quit [Read error: 60 (Operation timed out)]
14:03 -!- tomm_ [n=tomm@aut75-9-88-183-93-251.fbx.proxad.net] has joined ##openvpn
14:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:20 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
14:26 -!- brizly [n=brizly_v@a89-182-154-49.net-htp.de] has quit ["Leaving."]
14:30 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
14:35 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:42 -!- theDoc [n=zing@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
14:45
-!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 113 (No route to host)]
15:11 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has joined ##openvpn
15:28 -!- Gumbler is now known as Kleinerluxx
15:46 -!- BingO [i=BingO_@wlan-s-245.hh.se] has joined ##openvpn
15:46 < BingO> Hii Room !!!
15:46 < BingO> Mike is expert here :)
15:46 < BingO> well i wanted to ask
15:46 < BingO> Mike ar u here ?
15:49 < BingO> well i installed OPEN VPN with webmin.....and setup.. working fine.
15:49 < BingO> i want to do just like plesk every owner of domain get different separate control panel for managing their website/domains just like that i want to setup this webmin for OPENVPN
15:49 < BingO> that the user created in webmin should have its own interface for configuring their site - to - site vpn .
15:49 < BingO> Is it possible ??????
15:56 < BingO> any one ???????????????
16:10 -!- BingO [i=BingO_@wlan-s-245.hh.se] has left ##openvpn []
16:11 -!- BingO [i=BingO_@wlan-s-245.hh.se] has joined ##openvpn
16:12 < krzee> !notovpn
16:12 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
16:12 < krzee> just because the word openvpn appears in the question does not make it a question about openvpn
16:12 < krzee> your question is a webmin question
16:15 -!- BingO [i=BingO_@wlan-s-245.hh.se] has left ##openvpn []
16:21 < Bushmills> ho krzee
16:32 < krzee> hey bud
16:34 < Bushmills> did you get my note on your question?
16:34 < Bushmills> about 18 hours back )
16:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:11 < krzee> neg
17:14 < krzee> ahh ya i see now
17:15 < krzee> thanx, ill stick to (()) for my usage
17:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
17:25 < Bushmills> (( \!stuck )) ...
is probably the most efficient way to do that
17:27 < Bushmills> where if ... ; then should be quicker than (( )) && ... or (( )) || ( as the latter spawn, and if ... then doesn't)
17:28 < krzee> i didnt think of that
17:28 < krzee> although at this point me going back and modding all that code is very unlikely ;]
17:28 < krzee> its around 2000 lines now
17:29 < krzee> and only 1 small bug left which im bout to squash
17:30 < krzee> but im glad to have that in mind for the next thing i do
17:31 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has joined ##openvpn
17:43 -!- dougy[itouch] [n=dougyito@pool-71-172-180-38.nwrknj.east.verizon.net] has joined ##openvpn
17:44 -!- dougy[itouch] [n=dougyito@pool-71-172-180-38.nwrknj.east.verizon.net] has quit [Client Quit]
17:51 -!- tomm_ [n=tomm@aut75-9-88-183-93-251.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
18:01 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
18:08 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
18:10 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
18:20 -!- the_v_man [n=illumina@resnet-225339.resnet.bris.ac.uk] has joined ##openvpn
18:20 < the_v_man> !configs
18:20 < vpnHelper> the_v_man: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:22 -!- the_v_man [n=illumina@resnet-225339.resnet.bris.ac.uk] has quit [Client Quit]
18:33 -!- the_v_man [n=illumina@resnet-225339.resnet.bris.ac.uk] has joined ##openvpn
18:33 -!- the_v_man [n=illumina@resnet-225339.resnet.bris.ac.uk] has quit [Client Quit]
18:40 -!- JodaX [i=NOTOKAY@ks22848.kimsufi.com] has joined ##openvpn
18:41 < JodaX> how would i go about setting up openvpn as a proxy, does anyone have a "howto" for that ?
18:47 < Bushmills> JodaX: as a proxy for what?
18:50 < hardwire> a proxy for evil?
18:50 < JodaX> no,no, a proxy for good *does-the-evil-maniac-laughter*
18:51 < hardwire> yeh but.. it's not a proxy
18:51 < JodaX> cant one use it as one ?
18:51 < hardwire> what are you trying to do?
18:51 < JodaX> !redirect
18:51 < vpnHelper> JodaX: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:52 < hardwire> that's not a proxy
18:52 < JodaX> yeah, maybe in definition nazi world it isn't
18:52 < hardwire> that's just making sure the default route that is used to access the VPN server stays in place
18:52 < hardwire> JodaX: it's just plain not a proxy.
18:52 < JodaX> omg
18:53 < JodaX> don't be like that
18:53 < hardwire> ok
18:53 < hardwire> what is your default proxy set to?
18:53 < JodaX> what ?
18:53 < hardwire> exactly
18:54 < hardwire> what is your default gateway set to?
18:55 < JodaX> on this machine currently i assume to my router
18:55 < hardwire> is your router an IP proxy?
18:55 < hardwire> or is it an IP gateway.
18:56 < hardwire> using redirect-gateway changes where the default gateway is for your IP traffic.. to point to a remote gateway.
18:56 < hardwire> on the other end of the tunnel
18:56 < hardwire> while retaining the route that the --remote uses with the gateway you already had in place
18:57 < hardwire> what was once:
18:57 < hardwire> default -> localgateway
18:57 < hardwire> is now:
18:57 < hardwire> remote -> localgateway
18:57 < hardwire> default -> openvpntunnelremote
18:58 < JodaX> actual question is if this works if i only got a single interface in the machine
18:58 < hardwire> which is a pain to support..
you're much better off using an application layer proxy at the remote end OR using SSH dynamic forward mode (Socks server)
18:58 < JodaX> no, those just push problems onto the clientside
18:58 < hardwire> JodaX: on the far end that will be passing the traffic.. yes
18:59 < hardwire> JodaX: you can have a lot going on with only a single interface
18:59 < hardwire> it's all about how many subnets per machine.. not interfaces
18:59 < hardwire> when you open up a tunnel you have an extra subnet on both sides
18:59 < JodaX> see, what i want is for a "roadwarrior" be able to go on any unsecured lan, fire up his client app and get a secure link to the internet
18:59 < hardwire> packets need to route around them.
19:00 < hardwire> JodaX: sure.. that works just fine
19:00 < hardwire> but it's hardly a proxy (since those are troublesome)
19:01 < JodaX> lol
19:01 < JodaX> man
19:01 < JodaX> well, anyways, since that is cleared
19:01 < JodaX> to my original question for if there is a "howto" for this
19:01 < hardwire> one sec
19:01 < hardwire> googling it for you.
19:03 < krzee> howto for what
19:03 < krzee> for using it as a 'proxy' ?
19:03 < hardwire> http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
19:03 < vpnHelper> Title: HOWTO (at www.openvpn.net)
19:03 < krzee> if so, thats:
19:03 < krzee> !redirect
19:03 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
19:04 < krzee> as pointed out above
19:04 < JodaX> hardwire, check out how krzee handled the situation
19:04 < JodaX> ^_^
19:04 < hardwire> JodaX: his methods of interaction don't deter the fact that you're a boob.
19:04 < krzee> lol
19:04 < hardwire> sorry.
19:04 < JodaX> a "boob"
19:04 < krzee> but boobs are good
19:05 < hardwire> JodaX: wear it proudly.
19:05 < hardwire> JodaX: try not to disagree with people about what is and isn't a something that you don't know how to configure in the first place.
19:05 < krzee> but also, that question was answered in the topic
19:05 < krzee> || !redirect for
19:05 < krzee> sending inet traffic through server.
19:05 < krzee> ;]
19:06 < krzee> both !redirect and !route are basically the most commonly asked goals
19:06 < JodaX> hardwire, a proxy is a proxy is a proxy
19:06 < krzee> well actually openvpn doesnt get used like a proxy
19:06 < hardwire> proxy == proxy: true
19:06 < krzee> but i understood what you meant
19:06 < hardwire> gateway == proxy: false
19:07 < hardwire> Sorry.. I just thought it was really imperative that there is a distinction.
19:07 < hardwire> Not a nazi level thing.. but a functionality level thing.
19:08 < krzee> hardwire, after long enough in here you give up on that stuff ;]
19:08 < hardwire> If you want a proxy, use something that answers IP connections.
19:08 < hardwire> krzee: it's the developers own fault for making kick ass and attractive software.
19:08 < krzee> if you want to secure a proxy, run dante or squid on the private vpn ip
19:08 < krzee> in fact i personally do that
19:08 < hardwire> I typically use 'ssh -D portnumber remotehost'
19:09 < JodaX> proxy.typeof(gateway) == true ?
19:09 < hardwire> heh
19:09 < krzee> i like ovpn's encryption more so i run dante (same socks5 proto as your ssh tunnel) inside ovpn
19:09 < hardwire> proxies typically answer IP connections just like a web server would, then passes it off to another application, gateways direct packets.
19:09 * Bushmills runs squid too but as he didn't get an answer to what kind of proxy he wasn't into assumptions
19:10 < JodaX> hardwire, so a proxy does not direct any packets ?
19:10 < hardwire> krzee: dante is pretty cool fwiw.
19:10 < krzee> hardwire i agree, its a nice app
19:10 < hardwire> JodaX: nope.. it makes new packets.
19:10 < JodaX> shiit
19:11 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
19:11 < hardwire> me -> proxy -> google = 2 TCP sessions
19:11 < hardwire> me -> google = 1 TCP sessions
19:11 < hardwire> oversimplified of course.
19:12 < krzee> JodaX, but the answer to your question, yes openvpn can be used to secure road warrior connections to the inet (not just web, not just tcp, but ALL inet), and your answer is !redirect
19:12 < JodaX> yeah, so openvpn doesn't like tunnel thru tcp ?
19:13 < hardwire> you're about to taste your foot.. stop now before the train derails!
19:13 < krzee> it CAN tunnel through tcp
19:13 < hardwire> and all the hamsters die.
19:13 < krzee> but tcp is a bad transport protocol if the inside is also TCP
19:13 < krzee> !tcp
19:13 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
19:13 < krzee> better to tunnel over udp
19:13 * hardwire loves the new multihome option because of that
19:14 < hardwire> simpler setup from the get go.
19:14 * hardwire has 3+ wan systems all over the place.
19:16 < hardwire> I have to use port 443 TCP for my roadies
19:17 < hardwire> they get whiny when things don't work magically.
19:17 < hardwire> it's not about presentation.. it's about simply having things work for most of em
19:17 < hardwire> slow + work = good, not work = bad
19:18 < hardwire> and because I can't safely anticipate what internal subnets they are using remotely
19:18 < hardwire> I usually end up routing a few /32s and a high metric /24 of the subnet they want to talk to.
19:18 < hardwire> that way they at least have access to our servers (given they don't have the same IP)
19:19 < hardwire> it's much easier sometimes to use no l2 tunnels and use ssh
19:19 < hardwire> than have them reconfigure their client for the road
19:19 < hardwire> which seems to be getting easier through helper apps
19:20 < hardwire> I don't really need them connecting to our laserjet status ports to check ink levels while they are away
19:20 < hardwire> laserjet.. ink
19:20 < hardwire> haha
19:20 < hardwire> you know what I mean
19:20 < hardwire> -> caffeine
19:24 -!- athimus changed the topic of ##openvpn to: OpenVPN 2.1rc20 is latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder !forum || We know, the new site sucks. (We agree.)
19:25 < krzee> ahh rc20 is out... time to see changelog
19:25 < krzee> thanx athimus
19:25 < athimus> np
19:29 < krzee> http://guesshermuff.blogspot.com <--- NSFW
19:29 < vpnHelper> Title: Guess Her Muff (at guesshermuff.blogspot.com)
19:29 < krzee> !learn changelog as http://www.openvpn.net/changelog.html to see the openvpn changelog
19:29 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
19:30 < krzee> !learn changelog as http://www.openvpn.net/changelog.html to see the openvpn changelog
19:30 < vpnHelper> krzee: Joo got it.
19:31 < krzee> nice, lotsa fixes in rc20 19:45 < hardwire> remote weights would be great 19:45 < hardwire> would cut down on my tunnel count and abuse of OSPF 19:45 < hardwire> :) 19:45 < hardwire> it would be interesting to specify local:remote pairs with priority 20:09 -!- MacRohard [i=rm@cows.mckay.com] has joined ##openvpn 20:09 < MacRohard> is it possible to make openvpn load balance across multiple tcp connections? 20:12 < hardwire> MacRohard: it's possible to set up two tunnels and use bonding or multi-path routing. 20:12 < MacRohard> hardwire, hmm. that might not be ideal.. i was also hoping openvpn might be able to figure out which channel to use if one of them was currently slow or locked 20:13 < MacRohard> channel being a tcp connection 20:14 < hardwire> slow is difficult 20:14 < hardwire> locked is easy 20:14 < MacRohard> yea.. i don't mind if it's quite aggressive and duplicates data on both channels sometimes.. 20:14 < hardwire> slow is difficult to figure out. 20:14 < hardwire> well 20:15 < hardwire> I use bonding for that sort of thing 20:15 < krzee> openvpn does nothing of that sort 20:15 < krzee> your OS might 20:15 < hardwire> bonding in active-backup or lacp. 20:15 < MacRohard> hmm 20:15 < krzee> (as in what hardwire is saying) 20:15 < MacRohard> i guess bonding might work okay 20:16 < hardwire> or you can set up bridging 20:16 < hardwire> and use stp 20:16 < hardwire> but bonding detects breaks faster 20:18 < hardwire> it's nice being able to send out periodic arps over both tunnels to determine down link 20:19 < MacRohard> well if i just sent every packet over both channels that might be fine 20:19 < MacRohard> i mean.. as long as it gets through on one of them 20:19 < hardwire> that would be broadcast mode.. which costs you 2x the bandwidth 20:19 < hardwire> oh.. also.. haha 20:19 < hardwire> this is kinda tricky but. 20:20 < hardwire> you can do dynamic routing between local and remote.. and run your udp tunnel over that. 
20:20 < hardwire> that way you only have one tunnel. 20:20 < hardwire> anyways.. what I do is I typically have 4 tunnels. 20:20 < hardwire> ispa <> ispa 20:20 < hardwire> ispa <> ispb 20:20 < hardwire> ispb <> ispa 20:20 < hardwire> ispb <> ispb 20:21 < hardwire> in most situations you can just set a short keepalive on the openvpn peers and use multiple local and remote statements. 20:21 < hardwire> that way when one fails it moves to the next quickly. 20:21 < hardwire> one pair 20:21 < hardwire> but it's difficult to use a preference 20:21 < hardwire> if you want to primarily use one local:remote pair over all others. 20:22 < MacRohard> basically i have to use tcp because the only traffic i can send has to be disguised inside an HTTP GET or POST request - this works fine mostly, but now and again they jam up. 20:22 < MacRohard> i have 4 usb 3g dongles to different telcos.. i don't really mind sending everything 2x or 4x if necessary. 20:23 < hardwire> each has its own routing table? 20:23 < hardwire> or are you using explicit local ips in your vpn configurations? 20:23 < MacRohard> i tie everything back together on a linux vm 20:23 < hardwire> I'd love to see a diagram of what you're doing. 20:23 < MacRohard> the linux vm terminates the HTTP GET/POST requests and funnels them back into the openssl tcp server 20:24 < hardwire> openvpn 20:24 < MacRohard> if you ping cows.mckay.com that's going over 3g over GET/POST over openvpn :P 20:25 < hardwire> heh 20:25 < hardwire> it's a strange setup for sure. 20:26 < hardwire> where is 80.68.94.205 hosted? 20:26 < MacRohard> it's an extra IP i have routed into my tun device on my bytemark virtual machine (virtual linux instance) 20:27 < MacRohard> well it proxyarps for it really i guess 20:27 < hardwire> ok 20:27 < hardwire> so bytemark is your virtual host provider? 20:27 < MacRohard> yeah 20:27 < hardwire> gotcha. 20:27 < hardwire> what do you have set up right now? 20:27 < hardwire> 4 tunnels or just 1? 
20:27 < MacRohard> i'm just using one tunnel over one usb dongle right now 20:28 < MacRohard> but i have 3 others and i'm thinking i could make this a lot better 20:28 < MacRohard> i mean. it's surprisingly usable right now 20:28 < hardwire> yeh 20:28 < hardwire> whats your default gateway for the 3g device 20:28 < MacRohard> what do you mean? 20:28 < hardwire> is it simply "dev ppp0" 20:28 < MacRohard> well.. 20:29 < MacRohard> the one I'm currently using is plugged into a dovado umr 20:29 < MacRohard> which basically is a router that has a usb socket 20:29 < MacRohard> so it i just route through that over ethernet right now 20:29 < hardwire> and the router understands multiple uplinks? 20:29 < MacRohard> but i have another one plugged into my linux box that i'm trying to rig up now 20:29 < MacRohard> hardwire, no 20:29 < hardwire> that's what I'm getting too 20:29 < MacRohard> the one that's plugged in directly will be on ppp0 yeah 20:29 < hardwire> if you had all 4 in your linux box you'd need to set up multiple routing tables per gateway 20:30 < MacRohard> yea.. no problem 20:30 < hardwire> OR know the IP for each PPP session right off the bat. 20:31 < hardwire> MacRohard: yeh.. you just have to do some fancy grep action when a ppp link is established.. 
or use shorewall and the provider file and reload it on ppp connect 20:31 < hardwire> which is what I do with PPPoE 20:31 < hardwire> then you can run openvpn in tcp server mode 20:32 < hardwire> otherwise you need to specify the local IP to select the correct route back to your bytemark VM 20:33 < MacRohard> hmm 20:34 < MacRohard> i guess i could use iptables to nail specific port numbers to outbound devices 20:34 < hardwire> true nuff :) 20:34 < hardwire> using fwmarks 20:34 < MacRohard> yeah 20:34 < hardwire> but you need those routing tables set up and fwmark set up in ip rules 20:35 < hardwire> it's almost easier to just set up a ppp-up hook 20:35 < MacRohard> right 20:35 < hardwire> that passes the local IP to the hook script 20:35 < hardwire> you can just specify --local there 20:35 -!- xod [n=onats@112.201.239.185] has joined ##openvpn 20:35 < hardwire> when ppp dies.. the openvpn process should die too since theres no IP 20:35 < hardwire> maybe 20:35 < MacRohard> maybe :P 20:35 < MacRohard> so i'm going to have multiple tun devices on each end tho' 20:35 < hardwire> just thinking out loud 20:36 < MacRohard> or tap devices 20:36 < MacRohard> and bond those together? 
20:36 < hardwire> tun or tap would work well if you want to use OSPFv2 to handle the route shifting 20:36 < hardwire> tap for bonding/bridging (requires MAC L2) 20:36 < MacRohard> right yea 20:36 < MacRohard> i don't know that ospf could respond fast enough 20:36 < hardwire> or you can simply use zebra to set up routes based on what interface is up 20:37 < hardwire> it responds within a second if you want it to 20:37 < MacRohard> well both interfaces will be up most of the time 20:37 < MacRohard> it's more a question of reducing the latency 20:37 < hardwire> but you get flaps when you set it too low 20:37 < MacRohard> like if a packet is jammed up in one tcp connection when it could be delivered instantly over the other 20:38 < hardwire> yeh 20:38 < hardwire> if you change the route for 80.68.94.205 depending on link then anything accessing that IP with TCP won't fail 20:39 < MacRohard> yeah it doesn't right now 20:39 < MacRohard> i can disconnect and reconnect the GET/POSTing bit and none of my connections drop 20:39 < MacRohard> it's pretty cool =) 20:41 < hardwire> bbl 20:42 < hardwire> MacRohard: it's probably easier to have your mobile side access the VM right.. no funky HTTP involvement? 20:43 < MacRohard> hardwire, the problem is anything non HTTP gets cut off 20:43 < hardwire> right.. 
because it's 3g 20:44 < hardwire> sigh 20:44 < MacRohard> it works normally, but i'm limited to 5GB of data before it reverts to HTTP only mode 20:44 < hardwire> ah 20:45 < MacRohard> per month 20:47 -!- smerz is now known as smerz`away 20:49 -!- WormFood [n=wormfood@119.123.26.161] has quit [Read error: 110 (Connection timed out)] 20:49 -!- WormFood [n=wormfood@116.25.163.93] has joined ##openvpn 20:53 -!- xod [n=onats@112.201.239.185] has quit [Remote closed the connection] 21:07 -!- smerz`away [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 21:14 -!- master_of_master [i=master_o@p549D7436.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:17 -!- master_of_master [i=master_o@p549D37C8.dip.t-dialin.net] has joined ##openvpn 21:32 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has left ##openvpn ["Ex-Chat"] 21:32 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn 21:57 -!- theDoc [n=zing@bb116-15-10-113.singnet.com.sg] has joined ##openvpn 21:57 -!- theDoc [n=zing@bb116-15-10-113.singnet.com.sg] has quit [Remote closed the connection] 22:36 -!- MacRohard [i=rm@cows.mckay.com] has quit ["out"] 22:52 -!- theDoc [n=zing@unaffiliated/thedoc] has joined ##openvpn 22:58 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 23:09 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Sun Oct 04 2009 00:28 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:37 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has quit [Remote closed the connection] 00:43 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has joined ##openvpn 01:06 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit] 01:07 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:06 < hardwire> http://techbits.bogomip.com/2009/10/using-openvpn-and-bridges-to-create.html 02:06 < vpnHelper> Title: TechBits @ Bogomip: 
Using OpenVPN and bridges to create a seamless wired/wireless transition (at techbits.bogomip.com) 02:08 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 02:20 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:20 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection] 02:23 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:23 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:28 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 145 (Connection timed out)] 02:29 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit] 02:30 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:47 -!- xod [n=onats@112.201.239.185] has joined ##openvpn 02:47 -!- xod is now known as onats 02:49 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 02:49 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:34 -!- theDoc [n=zing@unaffiliated/thedoc] has quit ["Leaving"] 03:35 -!- brizly [n=brizly_v@p4FC9A5F3.dip0.t-ipconnect.de] has joined ##openvpn 03:35 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 03:39 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 03:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 03:55 -!- xod [n=onats@112.201.239.185] has joined ##openvpn 03:58 -!- Rolybrau [n=Rolybrau@193-113.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 03:59 -!- Rolybrau [n=Rolybrau@227-244.1-85.cust.bluewin.ch] has joined ##openvpn 03:59 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has quit [Read error: 110 (Connection timed out)] 04:06 -!- c64zottel [n=hans@p5B179D8E.dip0.t-ipconnect.de] has joined ##openvpn 04:26 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:28 -!- theDoc 
[n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:30 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:40 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has quit ["bbl"] 04:40 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 04:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 05:00 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: havoc, c64zottel, vindex, Intensity, stein0, misse-, athimus, |Mike|, disco-, krackpot, (+55 more, use /NETSPLIT to show all of them) 05:01 -!- Netsplit over, joins: tjz, mikkel_, c64zottel, Rolybrau, xod, brizly, onats, newmember, hyper_ch, hardwire (+55 more) 05:01 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [] 05:08 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 05:20 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"] 05:20 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 05:33 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has quit [Connection timed out] 05:35 -!- hkais1 [n=xenoadmi@78.52.209.75] has joined ##openvpn 05:43 -!- vindex [n=vindex@unaffiliated/moldenauer] has quit ["Changing server"] 06:20 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 06:25 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 06:30 -!- brizly [n=brizly_v@p4FC9A5F3.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:32 -!- brizly [n=brizly_v@p4FC9845F.dip0.t-ipconnect.de] has joined ##openvpn 06:38 -!- xod is now known as onats 06:45 -!- APTX|_ is now known as APTX| 07:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:08 < buntfalke> hi 07:08 -!- c64zottel [n=hans@p5B179D8E.dip0.t-ipconnect.de] has quit ["Leaving."] 07:08 < buntfalke> shouldnt a plain "remote server port; lport port2" be the semantic equivalent to the same enclosed in tags? 
07:08 < buntfalke> in case there is exactly one server only, of course 07:10 -!- hkais1 [n=xenoadmi@78.52.209.75] has left ##openvpn [] 07:11 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 07:14 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:14 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Client Quit] 07:16 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 60 (Operation timed out)] 07:16 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)] 07:18 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 07:19 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:20 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 07:25 -!- Kleinerluxx [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 104 (Connection reset by peer)] 07:29 -!- sno [n=sno@85-10-202-144.clients.your-server.de] has joined ##openvpn 07:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:37 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 07:44 -!- WormFood [n=wormfood@116.25.163.93] has quit ["Leaving"] 07:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 07:54 -!- WormFood [n=wormfood@116.25.163.93] has joined ##openvpn 07:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 08:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:19 -!- WormFood [n=wormfood@116.25.163.93] has quit [K-lined] 08:33 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 08:35 -!- WormFood [n=wormfood@113.87.193.135] has joined ##openvpn 08:41 -!- WormFood [n=wormfood@113.87.193.135] has quit [K-lined] 08:43 -!- WormFood [n=wormfood@119.123.26.63] has joined ##openvpn 08:47 -!- WormFood [n=wormfood@119.123.26.63] has quit [K-lined] 10:41 < Optic> moo 10:50 -!- Guest55997 is now known as redfox 11:13 < buntfalke> Hi 11:14 < buntfalke> Shouldn't 
"remote ; lport " be the same as "remote ; lport " if there is only one server specified in that config? 11:14 < buntfalke> Semantically the same, that is... 11:34 < |Mike|> huh ? 11:41 < redfox> i think he asks whether lport and remote are logically connected to each other...? 11:54 -!- c64zottel [n=zestor@p5B179D8E.dip0.t-ipconnect.de] has joined ##openvpn 11:54 -!- c64zottel [n=zestor@p5B179D8E.dip0.t-ipconnect.de] has left ##openvpn [] 12:18 -!- kaperator [n=fra@p57B58F13.dip0.t-ipconnect.de] has joined ##openvpn 12:24 < buntfalke> no 12:24 < buntfalke> uh 12:24 < buntfalke> I ask, why the heck it makes any difference whether i put around those two or not 12:24 < buntfalke> especially since there are no other remote and lport-statements 12:24 < buntfalke> ... 12:24 < buntfalke> @ |Mike|, redfox 12:25 < |Mike|> i don't understand your crap, since it's not used in openvpn configs.. 12:25 < buntfalke> it is. 12:28 < buntfalke> at least since 2.1rcX where X > 8 should be enough iirc. X > 19 is enough for sure. 12:28 < buntfalke> >=, i mean 12:31 < buntfalke> So? Anyone? 12:38 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 12:39 < redfox> buntfalke: i can't find any information about using xml in openvpn config for the moment and i don't think that many are using them, so you are on your own 12:40 -!- kaperator [n=fra@p57B58F13.dip0.t-ipconnect.de] has quit ["Ex-Chat"] 12:42 < |Mike|> i just downloaded a tar.gz and i don't see such a syntax in the config. 12:43 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 12:49 < buntfalke> uh 12:49 < buntfalke> okay 12:49 < buntfalke> no one ever said anything about xml 12:49 < buntfalke> Configuration A: 12:49 < buntfalke> ... 12:49 < buntfalke> remote vpn.server.com 1194 12:49 < buntfalke> lport 1199 12:49 < buntfalke> ... 
12:49 < buntfalke> Configuration B: 12:49 < redfox> buntfalke: IS xml 12:49 < buntfalke> 12:49 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 12:49 < buntfalke> now the two lines from above 12:49 < buntfalke> 12:49 < redfox> where did you find that? 12:49 < buntfalke> and both configs behave differently 12:49 < buntfalke> redfox: in various openvpn configs floating around the net, and in the manpage 12:49 < buntfalke> plus, it works 12:49 < buntfalke> proof: http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html 12:49 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net) 12:50 < redfox> i C 12:50 < redfox> how exactly does it behave differently? 12:51 < buntfalke> So, now that we have that cleared up: 12:51 < buntfalke> When I use the configuration without a connection profile (-stuff), the socks-proxy IP will be used as a vpn server ip (which fails, duh), if i use it with a profile, it works as expected 12:51 < buntfalke> looks like a bug to me 12:54 < redfox> could you paste that configuration block? 12:57 < |Mike|> !all 12:57 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 13:02 < buntfalke> redfox: i just wrote it there... 13:02 < buntfalke> Alright. All of it. 13:02 < buntfalke> Wait a second. 13:04 < buntfalke> http://pastebin.com/d41f2ea6f 13:04 < buntfalke> here we go 13:04 < redfox> buntfalke: i thought that would be an example, because lport and remote can't be used together in one config 13:04 < buntfalke> why do you think they cannot be used together in one config? 13:05 < redfox> because one declares a server, and the other a cliend. 
13:05 < redfox> s/cliend/client/ 13:05 < buntfalke> the config you see is working, imagine it without the lines, and it uses localhost as VPN server ip 13:05 < buntfalke> redfox: wrong 13:06 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 110 (Connection timed out)] 13:07 < buntfalke> when running several openvpn clients on the same host, one can use the lport to change the port of the outgoing connection 13:08 < redfox> buntfalke: can't find that on the manpage 13:08 < |Mike|> lol @ pastebin 13:09 < redfox> --lport port 13:09 < redfox> TCP/UDP port number for bind. 13:09 < buntfalke> |Mike|: Be more specific 13:09 < buntfalke> redfox: so? 13:09 < |Mike|> 13:09 < |Mike|> remote 198.19.34.56 1194 udp 13:09 < |Mike|> 13:10 < buntfalke> so? 13:11 < |Mike|> it's clearly stated in the manual imho 13:11 < buntfalke> |Mike|: what is "it"? 13:12 < |Mike|> i still don't get your question i.e problem. 13:13 < buntfalke> Alright. 13:13 < buntfalke> My question is: 13:13 < redfox> buntfalke: ok, you're right. 13:14 < buntfalke> Why does the configuration I posted work, while the same configuration without the line and the line does not work, because if those two lines are omitted, the openvpn binary uses the socks proxy ip as vpn server ip. 13:14 < buntfalke> And 13:14 < buntfalke> To be honest, you either understand what I mean by now, or I give up on explaining it to you. 13:14 * buntfalke is frustrated 13:15 < buntfalke> redfox: same with your version? which client do you use? i use rc19 on debian testing 13:15 < redfox> buntfalke: it uses 127.0.0.1 as remote? 13:15 < buntfalke> yes 13:15 < buntfalke> or something very similar, either way it fails with sth that looks as if it would use 127.0.0.1 as remote 13:16 < redfox> buntfalke: yes, same for me. i didn't know that. thanks 13:16 < buntfalke> Well. I actually wanted to know whether that's a bug. 13:16 < redfox> checking it... 
13:17 < redfox> (i meant lport worked the same for me) 13:19 < buntfalke> Ah. Well, lport was out of question :-) 13:19 < redfox> ah, maybe 13:21 < redfox> the proxy line is out of the connection block (which should not be), maybe he is simply not using the proxy for the connection... but im not a developer so im not sure 13:22 < redfox> hm, ok, never mind 13:22 < redfox> i just don't know .) 13:23 < buntfalke> what's not within a profile is used as the default for - oh wait - for _following_ profiles. 13:23 < buntfalke> let me check, that might be actually... 13:24 < redfox> okay, that's a little badly verbalised 13:25 < buntfalke> you're right. 13:25 < buntfalke> if i move the socks-part to the top of the connection it's all broken again :-) 13:25 < redfox> actually you found it out :) 13:25 < redfox> okay, good 2 know 13:25 < redfox> sorry for the big misunderstanding 13:25 < buntfalke> oh, wait. my ssh -D wasn't running, so there actually was no proxy atm... 13:26 * buntfalke tries again 13:29 < buntfalke> same error as without -profile-block then 13:29 < buntfalke> so no bug, but doesn't work either :-) 13:29 < buntfalke> fails with 13:29 < buntfalke> Sun Oct 4 20:26:46 2009 recv_socks_reply: TCP port read failed on recv(): Operation now in progress (errno=115) 13:29 < buntfalke> http://pastebin.com/d626a8a20 13:29 < buntfalke> looks like it would use localhost as vpn server to me 13:31 < redfox> client log? 13:31 < redfox> could also be the message for connecting the proxy 13:32 < |Mike|> tcp ? 13:32 < |Mike|> you're using udp.. 
13:32 < buntfalke> |Mike|: udp 13:33 < redfox> then it _is_ the message for connecting the proxy :) 13:33 < buntfalke> hmmm 13:33 < buntfalke> Good point 13:49 < reiffert> krzee: http://code.google.com/p/tunnelblick/issues/detail?id=72 13:49 < vpnHelper> Title: Issue 72 - tunnelblick - client.up.osx.sh missing patch - Project Hosting on Google Code (at code.google.com) 13:49 < reiffert> ecrist: http://code.google.com/p/tunnelblick/issues/detail?id=72 13:50 < reiffert> damn, he was closing this ticket. 13:55 < reiffert> what an assh.le 14:03 -!- seanc_ [n=seanc@71.6.14.2] has joined ##openvpn 14:04 < reiffert> and another issue, 115 ,) 14:09 < krackpot-> hey guys, how can you check if your isp is blocking UDP or if it's an issue with the config (do you have to do something special?). i can connect if i change the protocol to TCP 14:10 < reiffert> provider blocking UDP incoming or outgoing? Operating system? 14:11 < reiffert> eg http://www.utorrent.com/testport?port=1194 14:11 < vpnHelper> Title: Port Checker - µTorrent - a (very) tiny BitTorrent client (at www.utorrent.com) 14:13 < krackpot-> well i've only tried connecting to myself. i just had a friend try the TCP. by myself i was connecting from windows -> linux. friend was on mac 14:13 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:13 < krackpot-> i've tried different ports as well. they all work on TCP 14:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 14:15 -!- buntfalke_ is now known as buntfalke 15:11 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn 15:13 < odonata> !redirect 15:13 < vpnHelper> odonata: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
15:19 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 15:19 < odonata> !ipforward 15:19 < vpnHelper> odonata: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 15:24 < odonata> !linipforward 15:24 < vpnHelper> odonata: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 15:24 < krackpot-> !def1 15:24 < vpnHelper> krackpot-: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 15:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 16:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:12 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 131 (Connection reset by peer)] 17:24 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)] 17:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:48 -!- Rolybrau [n=Rolybrau@227-244.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 17:49 -!- Rolybrau [n=Rolybrau@76-128.3-85.cust.bluewin.ch] has joined ##openvpn 18:01 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 18:12 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 18:12 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:19 -!- seanc_ [n=seanc@71.6.14.2] has left ##openvpn [] 19:09 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 19:22 -!- infe [i=infe@avior.praxxa.com] has quit ["leaving"] 19:49 -!- Rolybrau 
[n=Rolybrau@76-128.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 19:50 -!- Rolybrau [n=Rolybrau@58-131.3-85.cust.bluewin.ch] has joined ##openvpn 21:14 -!- master_of_master [i=master_o@p549D37C8.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:18 -!- master_of_master [i=master_o@p549D47C2.dip.t-dialin.net] has joined ##openvpn 21:35 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)] 21:35 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 22:07 -!- nuhiNlow [i=bouncer@adsl-64-216-48-227.dsl.ablntx.swbell.net] has left ##openvpn ["Ex-Chat"] 22:19 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 22:32 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 22:34 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 104 (Connection reset by peer)] 22:34 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 23:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 23:18 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit] --- Day changed Mon Oct 05 2009 00:10 -!- misse- [i=misse@misse.org] has quit ["Lost terminal"] 00:10 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"] 00:12 -!- misse- [i=misse@misse.org] has joined ##openvpn 00:17 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 00:19 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:25 -!- hyper_ch [n=hyper@adsl-62-167-29-207.adslplus.ch] has quit [Remote closed the connection] 00:26 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:01 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 01:14 -!- hyper_ch 
[n=hyper@96-14.76-83.cust.bluewin.ch] has joined ##openvpn 01:48 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:34 -!- c64zottel [n=zestor@p5B17ADBD.dip0.t-ipconnect.de] has joined ##openvpn 02:57 -!- t0mm [n=tomm@mail.keyade.com] has joined ##openvpn 02:59 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 03:24 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 03:35 -!- dazo|afk is now known as dazo 03:47 -!- c64zottel [n=zestor@p5B17ADBD.dip0.t-ipconnect.de] has quit ["Leaving."] 04:20 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Read error: 113 (No route to host)] 04:27 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 04:42 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Remote closed the connection] 04:53 -!- Rolybrau [n=Rolybrau@58-131.3-85.cust.bluewin.ch] has quit ["I am off"] 05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:06 -!- Rolybrau [n=Rolybrau@58-131.3-85.cust.bluewin.ch] has joined ##openvpn 05:10 < |Mike|> http://wordpress.org/extend/themes/heartland 05:10 < vpnHelper> Title: WordPress Heartland « Free WordPress Themes (at wordpress.org) 05:10 < |Mike|> what the... 05:11 < theDoc> OH GOD 05:11 < theDoc> WTF! 
05:11 < theDoc> IS THAT 05:12 < |Mike|> my younger niece wants that skin/theme on her blog :p 05:13 < |Mike|> she's 13 ^^ 05:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 05:22 -!- djc [n=djc@gentoo/developer/djc] has left ##openvpn [] 05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:30 -!- Bushmills [n=nnBushmi@verhau.de] has left ##openvpn ["Leaving."] 05:30 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 05:59 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 06:01 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has quit ["bbl"] 06:10 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn 06:16 -!- brizly1 [n=brizly_v@p4FC98C4E.dip0.t-ipconnect.de] has joined ##openvpn 06:23 -!- Bushmills [n=nnBushmi@verhau.de] has joined ##openvpn 06:26 -!- t0mm [n=tomm@mail.keyade.com] has quit [Read error: 60 (Operation timed out)] 06:29 -!- t0mm [n=tomm@mail.keyade.com] has joined ##openvpn 06:30 -!- brizly [n=brizly_v@p4FC9845F.dip0.t-ipconnect.de] has quit [Read error: 105 (No buffer space available)] 06:36 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 06:48 < gorkhaan> Hi! I'm glad OpenVPN rc20 is out. I successfully updated my server! :) I have a little question: How can I try this : "Added "load-stats" management interface command to get global server load statistics." 06:51 < gorkhaan> anyone? :) 06:54 < gorkhaan> Next question: "Added the ability for the server to provide a custom reason string when an AUTH_FAILED message is returned to the client." This seems great stuff, Where can I set this up? 
:) 06:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:02 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 07:09 -!- Rolybrau [n=Rolybrau@58-131.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 07:09 -!- Rolybrau [n=Rolybrau@200-112.3-85.cust.bluewin.ch] has joined ##openvpn 07:25 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 08:03 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 08:03 < ecrist> LOL 08:13 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:16 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:20 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn 08:20 -!- Rolybrau is now known as Rolybrau_ 08:20 -!- Rolybrau_ is now known as Rolybrau 08:21 -!- Rolybrau is now known as Rolybrau_ 08:22 -!- Rolybrau_ is now known as Rolybrau 08:24 < |Mike|> goddamn Rolybrau 08:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"] 08:24 < |Mike|> cool trigger. 08:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 08:24 < |Mike|> ecrist: you were lollin about? 
08:35 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
08:48 < Optic> moo
08:55 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
09:02 -!- jeiworth [n=jeiworth@189.177.220.244] has joined ##openvpn
09:05 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
09:07 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 105 (No buffer space available)]
09:07 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
09:08 < ecrist> |Mike|: reiffert's link to me earlier
09:08 < ecrist> http://code.google.com/p/tunnelblick/issues/detail?id=72
09:08 < vpnHelper> Title: Issue 72 - tunnelblick - client.up.osx.sh missing patch - Project Hosting on Google Code (at code.google.com)
09:08 < ecrist> read the comments
09:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
09:22 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Connection timed out]
09:22 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
09:25 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:41 < odonata> how's it possible to 'push' a default gw to the client?
09:42 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
09:43 < theDoc> Using 2 hands and you take a deep breath and heave!
09:44 < odonata> :D
09:44 < theDoc> Trust me, that works.
09:44 < theDoc> I do that.
09:44 < theDoc> hehe
09:44 < odonata> im not that strong!
09:46 -!- c64zottel [n=zestor@p5B17ADBD.dip0.t-ipconnect.de] has joined ##openvpn
09:46 < odonata> there's a "push redirect-gateway" but i feel something is missing
09:52 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has joined ##openvpn
09:52 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Read error: 110 (Connection timed out)]
10:05 < odonata> got it :D
10:05 < odonata> the client was missing a route
10:11 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:11 -!- pistache [n=pist@rps3598.ovh.net] has joined ##openvpn
10:12 < pistache> If I use username/password authentication without client certificate, will the password be transmitted plaintext on the network ?
10:12 < theDoc> no
10:13 < pistache> so it would not be possible for someone (unless he finds my private key) to connect to the server without username/password
10:13 -!- BingO [i=BingO_@194.47.17.111] has joined ##openvpn
10:13 < pistache> Is it really insecure to use this method ?
10:15 < BingO> Hi room
10:15 < BingO> can OPENVPN communicate with two different sides with different Certificates ?
10:19 < BingO> Means... one company will use different client certs and the other different ones, both shouldn't communicate with each other .. how will it be done?
10:22 < ecrist> BingO: you make no sense
10:23 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has joined ##openvpn
10:24 < Titan8990> I am trying to set up a site-to-site VPN... I have set up a test env: server net: 12.1.1.0/24, client net1: 13.1.1.0/24 and client net2: 14.1.1.0/24
10:25 < Titan8990> client net1 and 2 can both communicate with 12.1.1.0/24 but not each other... is this likely an openvpn, routing, or firewall misconfiguration?
10:38 -!- hyper_ch [n=hyper@96-14.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
10:43 -!- c64zottel [n=zestor@p5B17ADBD.dip0.t-ipconnect.de] has quit ["Leaving."]
10:46 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
10:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:52 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:56 < pistache> 15:48 <@Amandarn> I'm quietly getting ready to head off too
10:56 < pistache> Woops.
10:56 < pistache> I meant :
10:56 < pistache> Oct 5 18:55:48 deboo ovpn-geeks[31773]: /sbin/ifconfig tap0 10.8.13.69 netmask 10.8.13.1 mtu 1500 broadcast 255.255.255.255
10:56 < pistache> Oct 5 18:55:48 deboo ovpn-geeks[31773]: Linux ifconfig failed: external program exited with error status: 1
10:57 < pistache> Any idea why i get this error ?
10:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:58 < pistache> I tried running that ifconfig as root, and I get many SIOCSIFADDR: No such device
11:00 -!- SerajewelKS [n=me@wikipedia/Crazycomputers] has joined ##openvpn
11:00 < SerajewelKS> how can i use redirect-gateway when i don't have a default gateway?
11:01 < SerajewelKS> even with "redirect-gateway def1" openvpn complains that it can't obtain the current default gateway
11:01 < SerajewelKS> which is because i don't have one, and i don't want one
11:01 < SerajewelKS> i can work around this by specifying "route 0.0.0.0 0.0.0.0" but this seems like a hack to me
11:03 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:08 < Bushmills> SerajewelKS:
11:08 < Bushmills> !def1
11:08 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:09 < Bushmills> strange that it complains - works here when no default gateway is in route
11:10 < Bushmills> but as long as it adds two routes, i think you can safely assume that the complaint is merely a warning.
11:11 < Bushmills> pistache: netmask 10.8.13.1 is not a good netmask
11:12 < pistache> oh thanks Bushmills :)
11:13 -!- BingO [i=BingO_@194.47.17.111] has quit []
11:21 -!- t0mm_ [n=tomm@213.251.158.186] has joined ##openvpn
11:22 -!- t0mm [n=tomm@mail.keyade.com] has quit [Read error: 54 (Connection reset by peer)]
11:23 < SerajewelKS> Bushmills: indeed. but it does not add the two routes.
11:23 < SerajewelKS> Bushmills: it cannot detect the gateway address and so fails out of the entire redirect-gateway process
11:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:24 < Bushmills> SerajewelKS: that's the behaviour which I have when I omit def1
11:25 < Bushmills> do you push that from server, or is that part of client config?
11:46 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:51 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
11:54 -!- t0mm_ [n=tomm@213.251.158.186] has quit [Read error: 148 (No route to host)]
11:56 < SerajewelKS> Bushmills: client config. i tried with and without def1, and it doesn't make a difference.
11:59 < Bushmills> i PM'ed you my client conf, in case proper operation depends on something else
12:03 -!- BingO [i=BingO_@wlan-s-111.hh.se] has joined ##openvpn
12:03 -!- hyper_ch [n=hyper@adsl-89-217-137-225.adslplus.ch] has joined ##openvpn
12:06 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:11 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:13 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:13 < SerajewelKS> that's roughly the same as my config
12:13 < SerajewelKS> in any case, "route 0.0.0.0 0.0.0.0" does work...
12:14 < SerajewelKS> i mean if i wanted to i could just do "route 0.0.0.0 128.0.0.0" "route 128.0.0.0 128.0.0.0"
12:14 < SerajewelKS> to emulate what def1 should be doing
12:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
12:15 < Bushmills> no sense in doing so, if you don't usually have a default route anyway
12:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:15 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
12:19 < SerajewelKS> right
12:22 -!- brizly1 [n=brizly_v@p4FC98C4E.dip0.t-ipconnect.de] has quit ["Leaving."]
12:22 -!- brizly [n=brizly_v@p4FC98C4E.dip0.t-ipconnect.de] has joined ##openvpn
12:23 -!- dazo is now known as dazo|afk
12:23 < BingO> hi.. can OpenVPN work on one eth0 with two virtual ports 1194 and 1195 ?
12:24 < ecrist> yes, with two different daemons
12:24 < ecrist> unless you use a wrapper
12:24 < BingO> different daemons means ?
12:24 < ecrist> you need two instances of OpenVPN
12:24 < BingO> means ? two CA ?
12:25 < ecrist> no, they can share the same CA
12:25 < ecrist> just means two different instances of OpenVPN
12:26 < BingO> actually my task is that ..
12:26 < BingO> have to configure OpenVPN for two different companies with different CA .. is it possible ?
12:26 < ecrist> yes
12:26 < BingO> means .. they will use different CA .. don't interfere with each other
12:26 < BingO> how :) ??
12:26 < ecrist> why would they interfere?
12:27 < ecrist> just setup two instances with two different configs
12:27 < BingO> thank GOD someone is answering my question, otherwise no one understands :(
12:27 < ecrist> GOD has nothing to do with it
12:28 < ecrist> only MAN can help you here
12:28 < ecrist> !man
12:28 * ecrist chuckles to himself.
12:29 < BingO> hmm... My boss told me to set it up with a gui.. so i installed webmin + openvpn module + openvpn
12:29 < BingO> GUI is working perfect for configuring openvpn
12:29 < BingO> what do you mean by instance ??.. actually i am new to openvpn :(
12:29 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:29 < BingO> !instances
12:29 < vpnHelper> BingO: Error: "instances" is not a valid command.
12:29 < BingO> ecrist...
12:29 < ecrist> BingO: you need to not use the GUI and setup from the command line.
12:30 < BingO> ecrist.. ok ..what do you mean by instances ?
12:31 < ecrist> see the link vpnHelper posted above
12:31 < ecrist> you need to run OpenVPN twice, for two different connections
12:32 < BingO> hmm.. so you were saying that
12:32 < BingO> just create one CA with two instances..
12:32 < BingO> i want two multiple CA for two different firms... possible?
12:34 < ecrist> language barriers try my patience.
12:34 < ecrist> BingO: forget two, just setup one to start
12:35 < ecrist> you can do two, easy, but setup one, first, and we'll get the second going
12:38 < BingO> by the way have you ever used openvpn-gui, i mean its gui interface for configuring ?
12:38 < ecrist> not for config, just for users
12:40 < BingO> hope today i will get full help
12:40 < BingO> ecrist:
12:40 < BingO> check out this doc i am following this one.. and i have set it up, it is working but for one..
12:40 < BingO> http://www.frontiernet.net/~beakmyn/vpn%20howto/The%20Point%20and%20Click%20Home%20VPN%20Howto%20Guide.pdf
12:42 < BingO> i have full command of this doc, i know each and every thing of it, if you will guide me under this doc i will get it very quickly
12:43 < ecrist> nope. I'm not a guide.
12:43 < ecrist> !man
12:43 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:43 < ecrist> !howto
12:43 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:43 < ecrist> there you go
12:43 < BingO> No, not that kind of guide..
12:43 < BingO> just tell me what you were saying after having seen this doc..
12:44 < BingO> just tell me how we can make an instance after having seen this tutorial, then i will understand your meaning
12:47 < BingO> first we create a Certificate Authority... then create a key list (Server and client) and then add VPN to list.
12:51 < SerajewelKS> BingO: in other news, webmin is insecure and awful
12:52 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
12:52 < SerajewelKS> BingO: i'm not sure, but i would bet that the webmin openvpn plugin doesn't support multiple instances, but that's just a guess
12:54 < BingO> http://www.frontiernet.net/~beakmyn/vpn%20howto/The%20Point%20and%20Click%20Home%20VPN%20Howto%20Guide.pdf
12:58 < ecrist> BingO: find another manual
12:58 < Titan8990> +1 webmin should NEVER be on an exposed server
12:59 < BingO> there is no manual ..
12:59 < BingO> i searched a lot
13:00 < Titan8990> my favorite bot has this to say: i guess webmin is a lame web-based interface for unsafe system administration for Unix. Check it out at http://webmin.com/ Remember, dondelelcaro *hates* webmin. "i'd rather sit on the floor shoving table knives into live electrical outlets than run webmin on an exposed server." See http://lists.debian.org/debian-devel/2005/12/msg00790.html about the removal. Don't use their .debs, they are of extremely
13:00 < Titan8990> poor quality.
13:00 < vpnHelper> Title: Webmin (at webmin.com)
13:00 < BingO> well.. is the openvpn-gui package the same as what is shown in this webmin ?
13:00 < BingO> both are the same GUI and functioning ?
13:01 < BingO> openvpn-gui is a front end for configuring OpenVPN ? is it
13:01 < Titan8990> lol does that mean your server has a GUI too?
13:01 < BingO> haha Noo :P
13:02 < BingO> server is command based.. LEVEL 3 :)
13:02 < Titan8990> I found openvpn configuration to be fairly straight-forward... all single directives on their own line
13:02 < Titan8990> and many guides provide you with a configuration that is a good start
13:03 < BingO> is there any manual for making multiple instances even by command ?
13:03 < Titan8990> I don't see a gui being necessary.... maybe for windows clients to connect but not on the server end
13:03 < Titan8990> BingO, multiple vpn instances?
13:03 < BingO> Plesk also uses its module for OpenVPN ??
13:03 < BingO> Titan yes ..
13:03 < Titan8990> BingO, openvpn --config config1; openvpn --config config2
13:04 < Titan8990> both configs can't use the same port but no issues with it
13:04 < BingO> hmm.. two configuration files with one CA ?
13:04 < ecrist> BingO: go read the man pages
13:04 < ecrist> I've already answered that question
13:05 < BingO> ok tell me, are config1 and config2 those files in which we define.. push "route 192.168.254.0 255.255.255.0" etc ?
13:06 < BingO> Ecrist: thanks.. !! for the man pages, i haven't bothered you after that..
13:07 < BingO> well.. thanks all..!!
13:07 < BingO> GOOD LUCK*
13:11 -!- BingO [i=BingO_@wlan-s-111.hh.se] has left ##openvpn []
13:15 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
13:15 < MrPockets> ohhi.
13:16 < Titan8990> MrPockets!
13:16 < MrPockets> WOAHHI!
13:16 < Titan8990> yeah... i had some openvpn problems today :)
13:17 < MrPockets> So i've got this issue. It seems a client using OpenVPN connects fine, but when using outlook w/ exchange, it can't connect to the OpenVPN server. Client gets pissed, calls me to holler, you know the story.
13:17 < MrPockets> Seems that restarting the OpenVPN server fixes the issue. So i'm looking into a way to automate the process. I see the OpenVPN Service is set to Manual, but it's not running (although the VPN server is running and connected)
13:17 < ecrist> MrPockets: as I suggested last week, I'd look into the firewall ruleset
13:18 < MrPockets> ecrist, This is the first time i've come in here and brought up the issue...
13:19 < ecrist> MrPockets: I apologize, that was another user.
13:20 * ecrist hides in the corner.
13:21 < MrPockets> no biggie. Just wondering what the OpenVPN "service" does, if it isn't running when OpenVPN is? (The firewall's just windowsFW. servers directly facing the internet) (yea, i know, bad idea, etc)
13:21 < Titan8990> MrPockets, i would blame windows, tell the boss you have to move it to debian
13:21 < Titan8990> but that would be to satisfy my own agenda... not so much fix the issue hehe
13:22 < MrPockets> Titan8990, it's a board member for his private business. Didn't want to spend any cash so we halfassed a setup for him. Problem is i can't really tell a board member "hi, this is PROBABLY because your mouse cursor is a conch shell. ...douche bag"
13:22 < Titan8990> lol that's good
13:35 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
13:43 -!- mirco [n=mirco@p54B272B6.dip.t-dialin.net] has joined ##openvpn
13:49 -!- chefkoch [n=chefkoch@e176141146.adsl.alicedsl.de] has joined ##openvpn
13:50 < chefkoch> hi guys :)
13:53 < chefkoch> i configured openvpn with certificates in routing mode. most things are running. but i do have 2 questions left. my real network is 192.168.10.0/24 and my vpn connection is available at 10.8.0.0/24.
13:54 < chefkoch> i would like to do all traffic in my local network encrypted. well, i would like to forbid doing traffic directly through the 192.168.10.0 network, when i am connected to my openvpn server. is that possible?
14:08 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
14:09 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:12 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 60 (Operation timed out)]
14:15 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
14:21 -!- chefkoch [n=chefkoch@e176141146.adsl.alicedsl.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Now with extra fish!"]
14:25 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
14:39 -!- _Joda_ [i=NOTOKAY@ks22848.kimsufi.com] has joined ##openvpn
14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:57 -!- aimtrainer_ [n=aimtrain@e181176020.adsl.alicedsl.de] has joined ##openvpn
14:57 -!- JodaX [i=NOTOKAY@ks22848.kimsufi.com] has quit [Read error: 110 (Connection timed out)]
14:59 < aimtrainer_> hi! I just installed a dd-wrt version with openvpn server on my router and now I want to connect to it with my ubuntu machine - I already have network-manager-openvpn installed ... but no clue how to do it - could somebody help me please?
15:02 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
15:03 < Bushmills> !howto
15:03 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:03 < Bushmills> !keys
15:03 < vpnHelper> Bushmills: "keys" is http://openvpn.net/howto#pki
15:04 < Bushmills> !factoids search network manager
15:04 < vpnHelper> Bushmills: No keys matched that query.
15:04 < Bushmills> !factoids search nm
15:04 < vpnHelper> Bushmills: No keys matched that query.
15:08 < aimtrainer_> thanks Bushmills
15:18 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
15:25 -!- aimtrainer_ [n=aimtrain@e181176020.adsl.alicedsl.de] has quit [Read error: 104 (Connection reset by peer)]
15:26 -!- cq [n=chatzill@p5B0DD51A.dip.t-dialin.net] has joined ##openvpn
15:27 < cq> hello, what are the ??.pem files that pkitool creates when setting up a new client? can they be deleted? seems they just contain parts of the key and cert...
15:29 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
15:45 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 110 (Connection timed out)]
15:51 -!- dollabilll [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)]
15:51 < cq> this seems to be a bug in the manpage: --ifconfig-push local remote-netmask ... the second argument should be the remote point if I see it correctly... with a netmask the connection fails and tells me that
15:54 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
15:55 -!- aimtrainer [n=aimtrain@g227022197.adsl.alicedsl.de] has joined ##openvpn
16:01 -!- BigJB_ [n=BigJB@unaffiliated/bigjb] has quit [Remote closed the connection]
16:04 -!- b3hnam [n=b3hnam@217.219.175.116] has joined ##openvpn
16:04 -!- aimtrainer_ [n=aimtrain@e179220135.adsl.alicedsl.de] has joined ##openvpn
16:09 < b3hnam> I am trying to use openvpn on a VPS but I can not connect, here is my post http://www.webhostingtalk.com/showthread.php?p=6425194#post6425194 who can help me ?
16:09 < vpnHelper> Title: OpenVpn Problem - Web Hosting Talk (at www.webhostingtalk.com)
16:11 < b3hnam> I have this error on client
16:11 -!- b3hnam [n=b3hnam@217.219.175.116] has quit [Excess Flood]
16:13 -!- b3hnam [n=b3hnam@217.219.175.116] has joined ##openvpn
16:15 < b3hnam> I want to use openvpn on a vps, I have these errors http://www.webhostingtalk.com/showthread.php?p=6425194#post6425194 who can help me ?
16:15 < vpnHelper> Title: OpenVpn Problem - Web Hosting Talk (at www.webhostingtalk.com)
16:20 -!- aimtrainer [n=aimtrain@g227022197.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)]
16:20 < b3hnam> why do I have this client error http://pastebin.com/m4052eed ?
16:22 -!- aimtrainer_ [n=aimtrain@e179220135.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
16:22 < b3hnam> aimtrainer : where can I read this ?
16:22 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has quit ["Leaving"]
16:27 < b3hnam> Titan8990 can you help me more with how to read the error 113 ? sorry , im new here
16:31 < b3hnam> quits: [Read error: 110 (Connection timed out)]
16:32 < b3hnam> quits: [Read error: 110 (Connection timed out)]
16:32 < b3hnam> ?
16:40 -!- b3hnam [n=b3hnam@217.219.175.116] has left ##openvpn []
16:41 -!- b3hnam [n=b3hnam@217.219.175.116] has joined ##openvpn
16:43 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
16:43 < b3hnam> I checked, my firewalls are disabled (in client and server) , I changed the port to 1724, but I still have the problem
16:45 < b3hnam> I think it's because of my country's internet blocking
16:46 < b3hnam> when I telnet to port 1724 I see these characters @]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬
16:46 < b3hnam> @]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡@]│⌐oBh¬≡
16:49 < MrPockets> lol
16:49 < b3hnam> MrPockets : what does it mean ? can you help me ?
16:49 < b3hnam> sorry my english is poor
16:49 < MrPockets> it's cool. Im unsure of what this means though.
16:50 < MrPockets> when i telnet to my setup, i just get a blank prompt
16:51 < b3hnam> MrPockets how can I find where the problem is ?
16:51 < MrPockets> You're trying to VPN to your own network, and can't. When you telnet to the port those characters are what you get?
16:53 < b3hnam> MrPockets : I am trying to vpn to my vps (cent os) that is hosted on a windows dedicated server in another country
16:54 < b3hnam> But I have a routing error http://pastebin.com/d69e790d4
16:54 < hardwire> You know.. BingO pm'ed me the other day and I have no idea why.
16:56 < b3hnam> MrPockets: I changed the port to 1724, because I guessed it was my country's internet blocking, but I still have that error
16:58 < b3hnam> MrPockets : I try to check with telnet on my client like this : telnet my ip 1724 to find some information about the problem, then I saw those characters !
16:58 < MrPockets> i'm not sure man
16:58 < MrPockets> I live in the US, so i'm not too familiar with how nations block traffic.
16:58 < b3hnam> they always block some ports and some web sites
16:59 < hardwire> where are you?
17:00 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."]
17:00 -!- explore [n=msparker@pool-173-57-72-22.dllstx.fios.verizon.net] has quit ["Lost terminal"]
17:00 < b3hnam> Which ports can I use ? should i regenerate certificates after changing the port in server.conf ?
17:02 -!- jeiworth_ [n=jeiworth@189.177.232.151] has joined ##openvpn
17:03 < b3hnam> Which ports can I use ? should i regenerate certificates after changing the port in server.conf ?
17:03 < b3hnam> athimus : Which ports can I use ? should i regenerate certificates after changing the port in server.conf ?
17:05 < b3hnam> where can I find a solution to my problem ?
17:13 -!- b3hnam [n=b3hnam@217.219.175.116] has left ##openvpn []
17:13 -!- b3hnam [n=b3hnam@217.219.175.116] has joined ##openvpn
17:14 -!- jeiworth [n=jeiworth@189.177.220.244] has quit [Read error: 104 (Connection reset by peer)]
17:16 -!- c64zottel [n=hans@62-12-243-253.pool.cyberlink.ch] has joined ##openvpn
17:16 -!- c64zottel [n=hans@62-12-243-253.pool.cyberlink.ch] has left ##openvpn []
17:19 < b3hnam> where can I read about error 110 ?
17:20 < jreno_> lol 110 = connection refused
17:21 < jreno_> well, connection timed out
17:21 < jreno_> same difference :) no response from the server -- check your firewall
17:22 < b3hnam> jreno_: my firewall is off but I have this error : http://pastebin.com/d69e790d4
17:22 < jreno_> wow pastebin is too slow
17:23 < jreno_> paste it on pastebin.ca (it's faster)
17:23 < jreno_> still waiting for the .com to respond :(
17:24 < jreno_> sorry though i have to run...
17:25 < b3hnam> jreno_ : ok I will paste in pastebin.ca now
17:28 < b3hnam> jreno_ : http://pastebin.ca/1596003 I pasted here
17:28 < b3hnam> can you help me ?
17:29 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
17:32 < b3hnam> who can help me with this error : http://pastebin.ca/1596003
17:34 < b3hnam> shashidam be in channele kiritoon
17:36 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:37 < b3hnam> Serideru1 : Are you talking to me ?
17:37 < b3hnam> Where can I read about the error ?
17:45 -!- b3hnam [n=b3hnam@217.219.175.116] has quit [Read error: 104 (Connection reset by peer)]
18:05 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 104 (Connection reset by peer)]
18:08 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:17 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
18:21 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
18:38 -!- jeiworth_ [n=jeiworth@189.177.232.151] has quit [Read error: 60 (Operation timed out)]
18:42 -!- shadowhywind [n=shadowhy@adsl-76-199-163-42.dsl.milwwi.sbcglobal.net] has joined ##openvpn
18:42 < shadowhywind> hey all, I was wondering does anyone have any experience setting up openvpn and ubuntu's networkmanager?
19:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
19:11 -!- bakhanbeigi [n=akb_behn@217.219.175.116] has joined ##openvpn
19:12 -!- mirco [n=mirco@p54B272B6.dip.t-dialin.net] has quit []
19:12 < krackpot> are there any alternatives to openvpn GUI client for windows? something like viscosity on the mac?
19:13 < bakhanbeigi> What is the usage of city and country information ? should the client and server city and country information match ?
19:22 -!- shadowhywind [n=shadowhy@adsl-76-199-163-42.dsl.milwwi.sbcglobal.net] has quit [Read error: 110 (Connection timed out)]
19:30 < bakhanbeigi> Can I use any port in openvpn ???
19:35 < bakhanbeigi> Can I use any port for openVpn in TCP ?
19:41 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 105 (No buffer space available)]
19:53 < bakhanbeigi> is anybody here ?!!!
20:05 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
20:12 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:26 -!- bakhanbeigi [n=akb_behn@217.219.175.116] has quit [Read error: 104 (Connection reset by peer)]
21:11 < onats> hello, what's the format of a CRL list?
21:14 -!- master_of_master [i=master_o@p549D47C2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:14 < onats> sorry, i found that you have to generate the PEM key
21:14 < onats> i mean PEM file
21:14 < onats> what would the user see once revoked?
21:14 < onats> i am currently within my network and cannot test
21:19 -!- master_of_master [i=master_o@p549D430E.dip.t-dialin.net] has joined ##openvpn
21:30 -!- stephenh_ [n=unknown@69.30.200.88] has joined ##openvpn
21:33 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 110 (Connection timed out)]
21:39 -!- isidorus [i=isidorus@nc.kla.as] has joined ##openvpn
21:40 < isidorus> !redirect
21:40 < vpnHelper> isidorus: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:41 -!- isidorus [i=isidorus@nc.kla.as] has left ##openvpn []
21:56 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
22:06 -!- xod [n=onats@112.201.239.185] has joined ##openvpn
22:06 -!- xod is now known as onats
22:17 < onats> !crl
22:17 < vpnHelper> onats: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
22:17 < vpnHelper> onats: that will create the CRL file for you. ssl-admin will also build a crl for you
22:39 -!- hyper_ch [n=hyper@adsl-89-217-137-225.adslplus.ch] has quit [Remote closed the connection]
22:50 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:08 -!- hyper_ch [n=hyper@145-150.77-83.cust.bluewin.ch] has joined ##openvpn
23:46 < cq> this seems to be a bug in the manpage: --ifconfig-push local remote-netmask ... the second argument should be the remote point if I see it correctly... with a netmask the connection fails and tells me that
23:58 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)]
--- Day changed Tue Oct 06 2009
00:09 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:11 -!- brizly [n=brizly_v@p4FC98C4E.dip0.t-ipconnect.de] has quit ["Leaving."]
00:22 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
00:35 < ecrist> it's my b-day bitches!
00:41 < onats> happy birthday ecrist!
00:44 < onats> ecrist, since it's your birthday, are you in a good mood?
00:44 < onats> :)
00:49 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:55 < onats> guys, what does it look like when a client connects using a revoked certificate?
00:55 < onats> im currently inside my network and can't test it
00:55 < onats> would they know that the cert was revoked?
00:59 -!- HectorBo [n=hectorbo@c-76-121-45-199.hsd1.wa.comcast.net] has joined ##openvpn
01:00 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
01:03 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:09 -!- misse- [i=misse@misse.org] has quit [Read error: 113 (No route to host)]
01:15 -!- misse- [i=misse@misse.org] has joined ##openvpn
01:29 -!- dazo|afk is now known as dazo
01:29 -!- dazo [n=nnnnnnnn@209.132.186.254] has quit [Remote closed the connection]
01:29 -!- dazo [n=nnnnnnnn@209.132.186.254] has joined ##openvpn
01:30 -!- dazo is now known as Guest92658
01:30 -!- Guest92658 is now known as dazo
01:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:52 -!- cq [n=chatzill@p5B0DD51A.dip.t-dialin.net] has quit ["ChatZilla 0.9.85 [Firefox 3.0.14/2009090217]"]
01:55 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
02:10 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
02:23 -!- spiekey [n=mario@212.87.131.201] has joined ##openvpn
02:23 < spiekey> Hello!
02:25 < spiekey> I am trying to set up a multiclient vpn server in bridge mode. I can connect with my client and everything seems to be okay...but if i try to ping my vpn server ip, it does not work. It looks like there is some problem with the arp stuff...
02:25 < spiekey> http://pastebin.com/d691b2270
02:25 -!- smerz [n=daniel@smerz.demon.nl] has quit [Read error: 105 (No buffer space available)]
02:26 < spiekey> this is a tcpdump -i any -n host on the server
02:28 < krzie> why are you choosing bridge mode?
02:28 < spiekey> krzie: the clients need to be in the same net as the vpn-server
02:28 < spiekey> due to some stupid print jobs...
02:28 < krzie> umm
02:28 < krzie> !tunortap
02:28 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
02:28 < krzie> if it's not layer2, you don't need bridge
02:28 < krzie> period
02:30 < spiekey> i really think i need bridging..i will try to draw why...
02:30 < krzie> there's 1 reason why
02:30 < krzie> if you need layer2
02:30 < krzie> otherwise, you don't
02:33 < spiekey> krzie: http://pastebin.com/d6119ca96
02:34 < spiekey> so the very left network needs to be able to access and see the very right network (needs to be in the same network)
02:34 < spiekey> therefore i can't do NAT
02:34 < spiekey> if you have a solution for this...i would be happy :)
02:34 < krzie> !route
02:34 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:34 < krzie> it's not layer2
02:35 < krzie> anyways, im hitting bed
02:35 < krzie> nite
02:35 < spiekey> okay, thanks!
02:35 < spiekey> nite
02:40 -!- krzie [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
02:41 -!- t0mm [n=tomm@mail.keyade.com] has joined ##openvpn
03:22 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:25 < spiekey> what do you guys think? Bridge or no bridge? http://i34.tinypic.com/2ijl0tc.jpg
03:30 < spiekey> this is probably more accurate: http://i34.tinypic.com/25f4rw4.jpg
03:44 < dazo> spiekey: for best performance ... go for tun ... this setup is more than suitable for tun + routing
03:44 < dazo> but!
03:45 < dazo> spiekey: each of your blue bubbles will need to be on separate network segments
03:45 < spiekey> dazo: well...on my diagram, i don't have control over the cisco...so i can not set any routes...
03:45 < dazo> spiekey: cisco?
03:45 < spiekey> i think this brings me back to tap/bridge
03:45 < dazo> spiekey: where is your cisco router in this setup?
03:45 < spiekey> dazo: on my diagram
03:46 < spiekey> http://i34.tinypic.com/25f4rw4.jpg
03:46 < dazo> ahh ... I looked at the first one
03:46 < spiekey> so the packets would find the way to the print server...but will get stuck on the way back, since the cisco won't send the packets to the openvpn box
03:47 < dazo> spiekey: no, that shouldn't change anything ... tun+routing should work here as well ... but the lower right network needs a different network range ... and the same for the road warrior
03:47 < spiekey> the cisco would then simply do a broadcast i guess
03:48 < spiekey> dazo: will you be here for another 15mins? i will then complete the diagram with ips....?!
03:48 < dazo> spiekey: sure I will
03:48 < spiekey> thanks
03:48 < dazo> what's more interesting to get into this schematics is ... where is your Internet connection in this scenario?
03:48 < dazo> where is your gateway to Internet for the 10.0.0.0/16 network?
03:49 < dazo> but basically, the road warrior and the openwrt client can be on the same OpenVPN subnet
03:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:03 < spiekey> dazo: here you go: http://i36.tinypic.com/3515vfo.jpg
04:03 < spiekey> how does the cisco know, where to send the packet to 10.0.1.1/24?
04:05 < dazo> Do you have many boxes in the 10.0.0.0/16 segment? Where the print server is ... or is it just this box here which will need to communicate with the other "bubbles"?
04:05 < spiekey> dazo: it's a black net. I have no idea what's in there or how many boxes there are or will be
04:06 < dazo> spiekey: aha ... I see
04:06 < spiekey> so bridging would be the easiest way....
04:06 < spiekey> and i would not have to split it up in subnets...
04:06 < dazo> spiekey: not necessarily
04:07 < dazo> spiekey: you missed a little bit of my msgs earlier .... it's basically only the OpenVPN parts which need separate network segments
04:09 < dazo> So the Cisco VPN can be 10.0.0.0/16
04:09 < dazo> together with print server and PC1 and PC2
04:09 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has joined ##openvpn
04:09 < spiekey> ah....
04:09 -!- mekwall [n=oddy@c83-249-240-139.bredband.comhem.se] has left ##openvpn ["Leaving."]
04:09 < spiekey> anyway...if a tcp packet has its source as pc3....how will it find its way back? It will be broadcasted into the top right network...correct?
04:11 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: rgouveia, hyper_ch, xenophile7x7, HardDisk_WP, dazo, SerajewelKS, vpnHelper, pistache, ^scott^
04:11 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: Intensity, pa, Optic, fkr, Snadder
04:13 -!- Netsplit over, joins: Intensity, dazo, hyper_ch, rgouveia, SerajewelKS, pistache, xenophile7x7, ^scott^, pa, vpnHelper (+4 more)
04:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:55 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
04:56 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
05:08 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)]
05:33 -!- thomas [i=tm@tm.muc.de] has quit [Remote closed the connection]
05:34 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn
05:34 -!- ThoMe is now known as thomas
05:39 -!- rgouveia_ is now known as rgouveia
05:55 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
06:08 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)]
06:08 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
06:09 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
06:56 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
06:59 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
07:00 < Flexa> !howto
07:00 < vpnHelper> Flexa: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:01 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn
07:03 < Flexa> hi guys, anyone about?
07:04 < Flexa> am having some trouble connecting to my ssl vpn from anywhere else other than my network
07:04 < Flexa> but works fine from my internal network, just can't connect to it from anywhere else, have forwarded the port properly
07:15 -!- dollabill [n=mike@97.66.26.10] has quit [No buffer space available]
07:25 < ecrist> onats: I *am* in a good mood today. :D
07:25 < onats> that's great! coz i have a tiny question to ask. hehe
07:26 < ecrist> onats: there is no message to the user that really states their certificate expired or was revoked. It will be evident in the logs, if I remember correctly, however.
07:27 < onats> so their connection just fails?
07:27 < ecrist> yes
07:27 < onats> that's good then. coz I'm revoking the access of a person on my network. i haven't turned on my vpn server for two days already..
07:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
07:28 < onats> great. thanks for the tip!:D
07:28 < ecrist> no problem
07:28 < onats> where's the celebration?
07:28 < ecrist> no idea. it's not going to be until saturday, and the wife is planning something secret
07:28 < ecrist> should be fun!
07:29 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:33 < onats> sounds kinky
07:33 < onats> hahaha
07:33 < ecrist> I hope so.
07:34 -!- kaii [n=kai@ciphron.de] has left ##openvpn []
07:35 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
07:56 < onats> !crl
07:56 < vpnHelper> onats: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with openvpn)
07:56 < vpnHelper> onats: that will create the CRL file for you. ssl-admin will also build a crl for you
07:57 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
08:03 < Optic> moooo
08:09 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 113 (No route to host)]
08:10 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
08:12 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
08:13 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 113 (No route to host)]
08:14 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
08:17 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
08:18 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:21 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
08:24 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
08:28 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 105 (No buffer space available)]
08:29 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
08:29 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
08:30 -!- t0mm_ [n=tomm@mail.keyade.com] has joined ##openvpn
08:31 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 113 (No route to host)]
08:38 -!- t0mm [n=tomm@mail.keyade.com] has quit [Read error: 110 (Connection timed out)]
08:39 -!- deadlyquirk [n=noreply@c-98-212-197-126.hsd1.il.comcast.net] has joined ##openvpn
08:40 < deadlyquirk> !configs
08:40 < vpnHelper> deadlyquirk: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:44 < deadlyquirk> I'm having an issue with openvpn overwriting /etc/resolv.conf on my gentoo box. I set PEER_DNS="no" in /etc/conf.d/openvpn but am still having the issue.
08:44 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:45 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Excess Flood]
08:46 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
08:46 -!- WormFood [n=wormfood@58.61.134.87] has joined ##openvpn
08:48 < ecrist> deadlyquirk: AFAIK, openvpn doesn't overwrite resolv.conf
08:48 < ecrist> there must be a secondary script doing that dirty work
08:50 < WormFood> I want to ask before I even attempt it....has anyone tried to push like 900 routes on openvpn? (I know it defaults to not over 100, but that is easily changed)
08:51 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
08:51 < ecrist> no, there is an issue with the number of routes being pushed. It has to happen in a certain amount of memory or something
08:51 < ecrist> there is a hard limit, I believe
08:52 < ecrist> I don't recall what that limit is, however
08:53 < WormFood> nice...thanks...I'm glad I asked before I tried it
08:54 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)]
08:54 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
08:54 < WormFood> that is ok, because I already have scripts setup to manually add everything to the routing table....I just expect winblows to puke on 900 routes (I don't know it will, just expect that kinda crap from winblows)
08:55 < ecrist> ah, I don't know why it would
08:55 < ecrist> 900 routes sounds like poor planning to me, though.
08:55 < WormFood> and I gotta say...I just got openvpn setup and working (as a client) on vista...what a pain in the ass! I truly believe windows is driven by mouse clicks
08:55 < WormFood> no, it really isn't poor planning, just the way things work
08:55 < WormFood> I'm in China, and many web sites are blocked in China, so I want to route the chinese IPs through the local gateway, and everything else through the vpn
08:56 < WormFood> so there are close to 900 blocks of IPs for china.
08:57 < ecrist> ah
08:59 -!- chowmeined [n=will@unaffiliated/chowmeined] has joined ##openvpn
09:00 < WormFood> now I'm thinking it may be easiest to just route EVERYTHING through the VPN, or just route the big sites that are blocked...like youtube and facebook
09:00 < WormFood> I manually added youtube, but in the last 2 days, they changed their IPs :(
09:10 < chowmeined> has anyone setup a routed vpn between two openbsd routers and had it work? I'm trying to connect to private networks with openbsd routers using openvpn, it sets up the tun0 interfaces and i can see the openvpn daemons establishing a session, routes are being added but no traffic flows
09:11 -!- hyper__ch [n=hyper@146-116.77-83.cust.bluewin.ch] has joined ##openvpn
09:11 -!- hyper_ch [n=hyper@145-150.77-83.cust.bluewin.ch] has quit [Nick collision from services.]
09:11 -!- hyper__ch is now known as hyper_ch
09:16 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
09:16 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
09:19 -!- chowmeined [n=will@unaffiliated/chowmeined] has left ##openvpn ["Leaving"]
09:25 < theDoc> ecrist> You there?
09:30 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: misterbean, jhp, Rolybrau, _Joda_, polaru, Pagautas, APTX|, spiekey, |Mike|
09:30 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: colclough, havoc, Intensity, MadTBone, stein0, rgouveia_, misse-, athimus, odonata, dazo, (+55 more, use /NETSPLIT to show all of them)
09:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:31 -!- Netsplit over, joins: hyper_ch, Flexa, WormFood, Gumbler, theDoc, deadlyquirk, t0mm_, mirco, mikkel_, colclough (+59 more)
09:31 -!- Netsplit over, joins: fReAkY[t], aje, tarbo2, eliasp, IcyPolecat
09:33 < theDoc> ecrist> You there?
09:39 -!- newmember [n=chatzill@vpn.libertymedical.com] has joined ##openvpn
09:41 < ecrist> theDoc: yes
09:42 < ecrist> wasssup?
09:45 -!- deadlyquirk [n=noreply@c-98-212-197-126.hsd1.il.comcast.net] has left ##openvpn []
09:49 -!- Flexa [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 113 (No route to host)]
09:52 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
09:54 -!- spiekey [n=mario@212.87.131.201] has quit [Read error: 148 (No route to host)]
10:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:13 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: tarbo2, irrwitzer
10:13 -!- irrwitzer [n=jjj@62.48.92.115] has joined ##openvpn
10:17 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: misterbean, Rolybrau, _Joda_, polaru, APTX|
10:17 < ecrist> theDoc: I'm still here.
10:17 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: colclough, havoc, Intensity, MadTBone, stein0, rgouveia_, athimus, misse-, odonata, dazo, (+59 more, use /NETSPLIT to show all of them)
10:19 -!- Irssi: ##openvpn: Total of 2 nicks [0 ops, 0 halfops, 0 voices, 2 normal]
10:26 -!- jeiworth [n=jeiworth@189.234.75.163] has joined ##openvpn
10:26 -!- Netsplit over, joins: robotti^, cpm, LittleJ, mikkel_
10:26 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
10:26 -!- dergringo [n=dergring@88-183.104-92.cust.bluewin.ch] has joined ##openvpn
10:26 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
10:26 -!- aje_ [n=aj@213.150.56.107] has joined ##openvpn
10:26 -!- Netsplit over, joins: irrwitzer, epaphus, Flex\a, newmember, buntfalke, hyper_ch, WormFood, Gumbler, theDoc, t0mm_ (+57 more)
10:28 -!- hyper_ch [n=hyper@146-116.77-83.cust.bluewin.ch] has quit [Remote closed the connection]
10:44 -!- jeiworth_ [n=jeiworth@189.177.45.33] has joined ##openvpn
10:53 -!- athimus [i=athimus@lyseo.edu.ouka.fi] has quit [Read error: 110 (Connection timed out)]
10:54 -!- jeiworth [n=jeiworth@189.234.75.163] has quit [Read error: 110 (Connection timed out)]
10:56 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
10:56 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:59 -!- HectorBo [n=hectorbo@c-76-121-45-199.hsd1.wa.comcast.net] has quit ["This computer has gone to sleep"]
11:04 -!- hyper_ch [n=hyper@adsl-89-217-137-225.adslplus.ch] has joined ##openvpn
11:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
11:12 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn
11:12 < mahmoud> hi
11:12 < mahmoud> why does openvpn need DH groups?
11:13 < mahmoud> why does the server need DH at all
11:15 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:15 < hyper_ch> what's a dh group?
11:17 -!- swa_work [n=swa@swatteksystems.com] has quit ["Leaving"]
11:17 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
11:18 -!- Hector [n=hectorbo@216.57.213.8] has joined ##openvpn
11:26 < mahmoud> hyper_ch: u make me feel as if i'm in the wrong channel
11:26 < mahmoud> hyper_ch: easy-rsa/./build-dh <-- builds dh group file, stores it in pem format, in keys
11:26 < mahmoud> check your server.config file
11:27 < hyper_ch> well, you answered your question yourself then ;)
11:27 < mahmoud> nah, u don't know what my Q is
11:27 < mahmoud> I'm not asking HOW, but WHY
11:27 < mahmoud> I don't get the idea behind using DH in this scenario
11:28 < hyper_ch> one doesn't have to be an aircraft technician in order to fly one :)
11:28 < mahmoud> as far as I know, thru SSL certificates, client can communicate and encrypt a shared key
11:28 < hyper_ch> and I just credit the gals and guys that work on openvpn that they know what they are doing :)
11:28 < mahmoud> DH generates a shared key, over an insecure medium. that's it. but why? we already have certificates (public keys)
11:29 < mahmoud> man, i'm an aircraft maker then. i need to know how they did it
11:29 < mahmoud> actually, WHY they did it this ay
11:29 < mahmoud> s/ay/way/
11:32 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection]
11:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:44 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
11:54 < dazo> mahmoud: If I'm not completely wrong ... DH is needed when using DSS based certificates .... it's a requirement in the SSL protocol
11:55 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
11:55 -!- mastamind [n=mastamin@85.127.38.28] has joined ##openvpn
11:56 < dazo> mahmoud: If you want to know more about SSL and TLS .... I can recommend this book: http://www.amazon.com/gp/product/0201615983/ref=ox_ya_oh_product
11:56 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
11:56 < mastamind> i try to use the port share feature of openvpn 2.1, and i am wondering if there is any way to tell openvpn not to open an encrypted connection to the server specified with the port-share directive.
11:57 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
11:58 * plaerzen waves
11:58 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit []
11:59 < dazo> mastamind: openvpn does not do any encryption if it does not recognise the packets as OpenVPN packets ..... then it passes them straight forward to the configured server:port
12:01 < mastamind> dazo: how does openvpn recognize that a connection attempt is not openvpn but https?
12:02 < mahmoud> dazo: what i know is a bit different
12:02 < dazo> mastamind: it probably looks into each packet hitting the openvpn process ... it might even have set a flag in some TCP/IP headers for all I know, to make this more efficient
12:03 < mastamind> dazo: hmm. ok. thx.
12:05 < dazo> mahmoud: DH params are used as part of the key exchange in the SSL handshake process .... and it really is only used when using DSS certificates .... RSA certificates do not use DH parameters at all, as it uses a different algorithm for the key exchange
12:07 -!- mastamind [n=mastamin@85.127.38.28] has left ##openvpn []
12:08 < mahmoud> dazo: makes sense. i was confused since i'm always using rsa certs
12:10 < mahmoud> dazo: so with easy-rsa we wouldn't configure dh group for openvpn
12:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
12:11 < dazo> mahmoud: Well, I believe you can configure DSS/DSA certificates with the pki-tool which is the core script in easy-rsa
12:11 < mahmoud> dazo: i mean, with ./build-ca and build-server
12:13 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)]
12:13 < dazo> mahmoud: ./build-ca uses pki-tool as well .... It's no harm having the DH params there ... I don't see any problems not having it .... It will just behave more nicely and OpenVPN might not complain about missing DH params
12:13 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:13 < dazo> mahmoud: I mean, how many bytes do you save by not having dh.params? you only need it on the server
12:14 * dazo needs to head home now
12:14 < hyper_ch> or the home needs to head to dazo
12:15 < mahmoud> dazo: dude, who said i'm saving space?
12:15 < mahmoud> dazo: point is: why. just for learning the point behind it
12:15 < mahmoud> i can not make any sense behind using DH
12:15 < mahmoud> only case is, when DH keys are used in a certificate
12:15 < dazo> hyper_ch: heh .... not sure my wife would appreciate that, though :-P
12:16 < mahmoud> dazo: the guide is creating RSA x.509 certs, and yet asking to generate a diffie-hellman pem file
12:16 * mahmoud shrugzz
12:16 < dazo> mahmoud: rest assured ... it's a big sense using DH .... and if you somewhere in the certificate chain of your clients get a DSS/DSA certificate .... then you need the DH params to make it work securely
12:19 < dazo> mahmoud: If you have an openvpn certificate which is signed by VeriSign on your server, for example ... RSA certificate ..... and another user of yours gets his DSS/DSA certificate signed at VeriSign as well .... you will need to support DH params to get a secure connection ... if not, it will either fail, or worst case ... you have an insecure connection
12:19 < mahmoud> dazo: means, both client and server in such case may generate the DH param file
12:19 < mahmoud> dazo: but, the comments in the config file say only server side
12:19 < dazo> mahmoud: you only need DH param on the server
12:19 < mahmoud> isn't that for prime?
12:20 < mahmoud> all DH needs to function is group
12:20 < mahmoud> base, and prime
12:20 < dazo> mahmoud: dh param is in reality a big prime number if I remember correctly
12:20 < mahmoud> dazo: and for sake of speed, it's never generated at each request?
12:20 < dazo> mahmoud: exactly
12:21 < dazo> mahmoud: or worse, for sake of speed .... a weak dh param is generated
12:21 < mahmoud> in ipsec dh keeps refreshing every time it expires, transparently
12:22 < dazo> mahmoud: yeah ... that might work out ... it's not that expensive to generate it ... but it is expensive enough to slow down things, especially on not so beefy hardware
12:22 < mahmoud> when IKE is used
12:23 < mahmoud> funny why openvpn didn't give the choice, just in case we had great h/w
12:24 < mahmoud> not great h/w. a normal 5 year old PC :D
12:24 < dazo> mahmoud: maybe because a lot of people prefer stronger RSA keys instead .... just because DSS/DSA do have some flaws which might be used in some scenarios to crack the key
12:24 < mahmoud> so main focus is RSA
12:24 < dazo> mahmoud: nah ... I have a 5 year old server ..... 2x Xeon 2.4GHz .... it's not that bad :-P
12:25 < mahmoud> what i meant is not bad.
12:25 < mahmoud> initially i said "great h/w". but great was too much for dh
12:25 < mahmoud> so, 5 year old PC
12:25 < mahmoud> a pc that can't generate dh is probably much older, which openvpn seems optimized for :P
12:26 < dazo> mahmoud: well, from a cryptographic point of view DSS/DSA is superior to RSA ... no doubt about that ... but because of a dirty bug in OpenSSL, which cannot be fixed without breaking things .... DSS/DSA is prone to be cracked ..... thus, people tend to use stronger RSA PKI keys instead (>2048bits)
12:26 < mahmoud> dss/dsa superior? i thought rsa is
12:29 < mahmoud> i'm using authentication prompts. same key is for auth, encryption and all
12:29 < mahmoud> guess that shared key is exchanged by encrypting it to server's public key
12:29 < dazo> cryptographically .... DSS/DSA is superior .... but openssl (if I recall things correctly, I got this explained a year ago by a colleague maintaining some openssh packages) breaks it somehow
12:29 < mahmoud> in my case, periodic dh changes would help me
12:32 * dazo really goes now and hopes wife will still be happy :)
12:35 -!- dazo is now known as dazo|afk
12:45 -!- mirco [n=mirco@p54B2723A.dip.t-dialin.net] has joined ##openvpn
12:45 -!- t0mm_ [n=tomm@mail.keyade.com] has quit [Read error: 113 (No route to host)]
12:45 -!- ajbelayer [n=ajbelaye@129.82.5.224] has joined ##openvpn
12:46 < ajbelayer> !howto
12:46 < vpnHelper> ajbelayer: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:47 < ajbelayer> I have read the howto but I am still a beginner with OpenVPN and IPTables, could someone help with this issue:
12:48 < ajbelayer> My client connects to VPN just fine, it can talk to the VPN server (and related services fine) but I want to be able to access machines on the same subnet network as the VPN server from the Client. I think there is an IPTables issue blocking traffic somewhere
13:02 < Bushmills> !route
13:02 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:02 < plaerzen> you have to bridge the VPN adaptor to the lan adaptor
13:03 < Bushmills> why should that be?
13:03 * Bushmills ticks plaerten on his fingers for giving bad advice
13:13 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:14 < plaerzen> Bushmills, you're right.
13:20 -!- ajbelayer [n=ajbelaye@129.82.5.224] has quit [Read error: 110 (Connection timed out)]
13:33 -!- SerajewelKS [n=me@wikipedia/Crazycomputers] has left ##openvpn []
13:40 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: stein0, rgouveia, misse-, newmember, misterbean, krzee, jhp, Rolybrau, hyper_ch, _Joda_, (+8 more, use /NETSPLIT to show all of them)
13:41 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: havoc, Intensity, MadTBone, mahmoud, odonata, disco-, dazo|afk, Hypnoz, pa, mrnice1, (+45 more, use /NETSPLIT to show all of them)
13:42 -!- mirco [n=mirco@p54B2723A.dip.t-dialin.net] has joined ##openvpn
13:42 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:42 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
13:42 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
13:42 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
13:42 -!- Hector [n=hectorbo@216.57.213.8] has joined ##openvpn
13:42 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
13:42 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn
13:42 -!- hyper_ch [n=hyper@adsl-89-217-137-225.adslplus.ch] has joined ##openvpn
13:42 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:42 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
13:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
13:42 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
13:42 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
13:42 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
13:42 -!- dergringo [n=dergring@88-183.104-92.cust.bluewin.ch] has joined ##openvpn
13:42 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
13:42 -!- aje_ [n=aj@213.150.56.107] has joined ##openvpn
13:42 -!- irrwitzer [n=jjj@62.48.92.115] has joined ##openvpn
13:42 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has joined ##openvpn
13:42 -!- newmember [n=chatzill@vpn.libertymedical.com] has joined ##openvpn
13:42 -!- WormFood [n=wormfood@58.61.134.87] has joined ##openvpn
13:42 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
13:42 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn
13:42 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn
13:42 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:42 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn
13:42 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn
13:42 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
13:42 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
13:42 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
13:42 -!- Intensity [i=[9N7YOGl@unaffiliated/intensity] has joined ##openvpn
13:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
13:42 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
13:42 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
13:42 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn
13:42 -!- pistache [n=pist@rps3598.ovh.net] has joined ##openvpn
13:42 -!- dazo|afk [n=nnnnnnnn@209.132.186.254] has joined ##openvpn
13:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:42 -!- misse- [i=misse@misse.org] has joined ##openvpn
13:42 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn
13:42 -!- stephenh_ [n=unknown@69.30.200.88] has joined ##openvpn
13:42 -!- master_of_master [i=master_o@p549D430E.dip.t-dialin.net] has joined ##openvpn
13:42 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
13:42 -!- _Joda_ [i=NOTOKAY@ks22848.kimsufi.com] has joined ##openvpn
13:42 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
13:42 -!- Bushmills [n=nnBushmi@verhau.de] has joined ##openvpn
13:42 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
13:42 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn
13:42 -!- sno [n=sno@85-10-202-144.clients.your-server.de] has joined ##openvpn
13:42 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has joined ##openvpn
13:42 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has joined ##openvpn
13:42 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
13:42 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn
13:42 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has joined ##openvpn
13:42 -!- kreg [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
13:42 -!- krzee [n=krzee@unaffiliated/krzee] has joined ##openvpn
13:42 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
13:42 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
13:42 -!- Vito111 [n=vito@195.3.173.128] has joined ##openvpn
13:42 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
13:42 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
13:42 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:42 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
13:42 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
13:42 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
13:42 -!- Typone [n=nnitsme@195.197.184.87] has joined ##openvpn
13:42 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
13:42 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
13:42 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
13:42 -!- fReAkY[t] [i=alpha@member.team-box.net] has joined ##openvpn
13:42 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
13:42 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has joined ##openvpn
13:42 -!- jeiworth [n=jeiworth@189.177.45.33] has joined ##openvpn
13:42 -!- jeiworth_ [n=jeiworth@189.177.45.33] has quit [Connection reset by peer]
13:42 -!- Netsplit bartol.freenode.net <-> irc.freenode.net quits: havoc, Intensity, MadTBone, stein0, mahmoud, misse-, odonata, |Mike|, disco-, krackpot, (+63 more, use /NETSPLIT to show all of them)
13:42 -!- oc80 [i=oc80z@blea.ch] has quit [SendQ exceeded]
--- Log closed Tue Oct 06 13:43:24 2009
--- Log opened Tue Oct 06 13:43:27 2009
13:43 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:43 -!- Irssi: ##openvpn: Total of 74 nicks [0 ops, 0 halfops, 0 voices, 74 normal]
13:43 -!- jeiworth [n=jeiworth@189.177.45.33] has joined ##openvpn
13:43 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
13:43 -!- Irssi: Join to ##openvpn was synced in 22 secs
13:56 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:09 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
14:09 < Douglas> ecrist: you around?
14:10 < Douglas> ecrist: http://www.ovpnforum.com/viewtopic.php?p=1247 <-- last replier
14:10 < vpnHelper> Title: OpenVPN Forum View topic - OpenVPN Access server on a Windows Vista machine using VMWar (at www.ovpnforum.com)
14:12 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has quit [Remote closed the connection]
14:12 -!- mahmoud [n=mahmoud@92.99.201.243] has joined ##openvpn
14:13 -!- mahmoud is now known as Guest70688
14:16 -!- hardwire [n=hardwire@216-67-99-228.static.acsalaska.net] has quit [Remote closed the connection]
14:26 -!- romel [i=romel@plox.tor.hu] has joined ##openvpn
14:26 < romel> Hi guys!
14:28 < romel> Got a problem with openvpn. I installed it on my FreeBSD gateway and it works fine. But I can't reach any internal network hosts when connected to server.
14:28 < romel> What do I need to make it work?
14:35 -!- mirco [n=mirco@p54B2723A.dip.t-dialin.net] has quit []
14:38 < Bushmills> !route
14:38 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:39 < Bushmills> those hosts, are they on client or server side?
14:39 -!- Guest70688 [n=mahmoud@92.99.201.243] has quit ["Lost terminal"]
14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:30 -!- newmember [n=chatzill@vpn.libertymedical.com] has quit [Read error: 110 (Connection timed out)]
15:31 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn
15:31 < xok> hello all...
15:32 < xok> openvpn has created three tun* devices on my FreeBSD (6.2) system, I've killall -9 openvpn-ed and now I can't delete those devices..
15:32 < xok> what is the reason and how to fix it?..
15:33 < xok> anyone alive here?..
15:36 -!- chefkoch [n=chefkoch@e176142033.adsl.alicedsl.de] has joined ##openvpn
15:37 < chefkoch> hello. openvpn does not redirect my gateway on vista. on windows xp it works perfect. how can i solve this issue?
15:39 < Douglas> !vista
15:39 < vpnHelper> Douglas: "vista" is 13:51 < Nirkus> ecrist: i figured it out. i was able to create a link to windows explorer and activate 'run as administrator' within the 'advanced' context menu. using an windows explorer started by that link i was able to write files to c:\program files (x86)\OpenVPN\config\
15:39 < Douglas> m
15:39 < Douglas> hm
15:39 < Douglas> !redirect-gateway
15:39 < vpnHelper> Douglas: Error: "redirect-gateway" is not a valid command.
15:40 < Douglas> !redirect
15:40 < vpnHelper> Douglas: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:40 < xok> Douglas, how about me?...
15:41 < chefkoch> i have done all these things, but it did not work.
15:41 < chefkoch> i am running openvpn as an administrator. have added two lines to the config. route-method exe
15:41 < chefkoch> route-delay 2
15:42 < chefkoch> there are no error messages in the log, but the client does not get the gateway or the route.
15:42 < chefkoch> on windows xp everything works fine.
15:42 < chefkoch> firewalls are disabled.
15:43 < chefkoch> i really dont know how to solve this. there is not very much information about this problem... :(
15:45 < |Mike|> xok: ifconfig tun0 destroy
15:45 < xok> |Mike|, it doesn't work, I've tried that already...
15:45 < xok> |Mike|, thanks anyway...
15:45 < |Mike|> you could go to /dev and read MAKEDEV
15:46 < xok> |Mike|, what do you mean saying "read MAKEDEV"?...
15:46 < xok> reading man page?..
15:46 < |Mike|> Yes
15:47 -!- chefkoch [n=chefkoch@e176142033.adsl.alicedsl.de] has quit [" HydraIRC -> http://www.hydrairc.com <- s0 d4Mn l33t |t'z 5c4rY!"]
15:47 < xok> |Mike|, no manual page for makedev..
15:47 < |Mike|> /usr/share/man/man8/MAKEDEV.8
15:48 < |Mike|> http://www.manpages.info/freebsd/MAKEDEV.8.html
15:48 < vpnHelper> Title: FreeBSD man pages : MAKEDEV (8) (at www.manpages.info)
15:49 < xok> |Mike|, thanks, but there is no such file..
15:49 < |Mike|> i could build a cluehammer in the mean time..
15:50 < xok> I get this error when running my openvpn server: http://pastebin.com/d54787f2e
15:50 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn
15:50 < |Mike|> you are trying to remove openvpn or ?
15:50 < |Mike|> pastebin.com == dead in NL
15:51 < xok> |Mike|, well, I wanted to remove just devices...
15:51 < xok> thought that was the problem...
15:51 < |Mike|> you're trying to use openvpn ?
15:52 < |Mike|> !tunortap
15:52 < xok> but now I found that it is not related to devices, something else happens...
15:52 < xok> |Mike|, tell me where to paste then...
15:52 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
15:52 < xok> |Mike|, no, I want FreeBSD to give VPN to Linux machines...
15:53 < |Mike|> aha, but what's the issue then ?
15:53 < xok> here is my config file for server: http://pastebin.com/d4dfdfebd
15:53 < xok> |Mike|, I can't start it up...
15:53 < |Mike|> wow, it works now.
15:53 < xok> |Mike|, what?..
15:53 < |Mike|> !all
15:53 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
15:54 < |Mike|> pastebin.com works now
15:54 < xok> |Mike|, I'm glad.. :-)
15:54 < xok> |Mike|, can you see now my error and config file?..
15:54 < |Mike|> 29.Wed Oct 7 00:33:59 2009 us=117841 /sbin/ifconfig tun2 10.0.1.1 10.0.1.2 mtu 1500 netmask 255.255.255.255 up
15:54 < |Mike|> 30.ifconfig: ioctl (SIOCAIFADDR): File exists
15:54 < |Mike|> 31.Wed Oct 7 00:33:59 2009 us=120575 FreeBSD ifconfig failed: shell command exited with error status: 1
15:55 < |Mike|> tun0 is already in use?
15:55 < xok> yes, but saying this it has created two other devices...
15:55 < |Mike|> try setting tap2 to tap0
15:55 < xok> I mean it has created tun1 then tun2...
15:55 < |Mike|> or tun0, whatever you want :)
15:55 < |Mike|> ifconfig -a ?
15:56 < |Mike|> (tun0 / tap0 has to show up)
15:56 < xok> |Mike|, still the same..
15:56 -!- brizly [n=brizly_v@p4FC9A188.dip0.t-ipconnect.de] has joined ##openvpn
15:56 < |Mike|> what does /var/log/openvpn.log say ?
15:56 < xok> yes, tun0, tun1 and tun2 are all shown as expected..
15:56 < |Mike|> try usuing tun0
15:57 < |Mike|> using
15:57 < xok> |Mike|, I did, but still the same..
15:57 < |Mike|> restarted it ?
15:57 < xok> it is not started...
15:57 < |Mike|> then start it
15:57 < xok> I've "killall -9 openvpn"-ed...
15:57 < |Mike|> fail
15:57 < xok> could not...
15:57 < |Mike|> use /usr/local/etc/rc.d/
15:57 < xok> throws this error..
15:57 < |Mike|> ./openvpn forcestop
15:57 < |Mike|> ./openvpn forcestart
15:58 < xok> |Mike|, oh, let me try...
15:58 < |Mike|> how long are you using freebsd ? :x
15:58 < xok> |Mike|, not so much... :-D
15:59 < |Mike|> s/much/long
15:59 < xok> yeah, not so long.. :-) sorry
16:00 < xok> well, /usr/local/etc/rc.d/openvpn seems to do something, cause nothing shows up and $? equals to 0...
16:00 < |Mike|> ps -aux | grep vpn
16:00 < xok> but port is not being listened...
16:00 < xok> echo $? = 1
16:00 < xok> for ps aux | grep vpn
16:00 < |Mike|> you have to add 'start' or 'forcestart' behind that line..
16:00 < xok> yeah, I have done both...
16:00 < xok> but still the same...
16:00 < |Mike|> check /var/log/openvpn.log
16:01 < |Mike|> pastebin it
16:01 < |Mike|> paste the url here
16:01 < |Mike|> i'll look at it tomorrow
16:01 < xok> oh, sorry...
16:01 < xok> I didn't run forcestart ... :-)
16:01 < |Mike|> read this;
16:01 < |Mike|> !all
16:01 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
16:01 < xok> now it shows up...
16:01 < |Mike|> others could help you, i'm going to sleep.
16:02 < xok> |Mike|, ok, thank you for your time and attention
16:05 -!- jeiworth [n=jeiworth@189.177.45.33] has quit [Success]
16:09 -!- jeiworth [n=jeiworth@189.163.180.234] has joined ##openvpn
16:15 -!- dollabilll [n=mike@97.66.26.10] has quit [No route to host]
16:20 < Douglas> xok: ?
16:20 < xok> Douglas, yes?..
16:27 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
16:30 < Douglas> xok: you pinged me before
16:31 < xok> nope, I didn't...
16:31 < xok> oh, yeah...
16:31 < xok> that was about an hour ago...
16:31 < xok> I asked if you could help me... Douglas
16:33 -!- jeiworth_ [n=jeiworth@189.163.169.109] has joined ##openvpn
16:42 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn
16:42 < arcsky> !howto
16:42 < vpnHelper> arcsky: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:45 -!- jeiworth [n=jeiworth@189.163.180.234] has quit [Read error: 110 (Connection timed out)]
17:00 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Client Quit]
17:01 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn
17:02 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
17:09 -!- blarney [n=blarney@pool-71-126-233-9.bstnma.east.verizon.net] has joined ##openvpn
17:10 < blarney> hi, although not openvpn-specific, I'm wondering about using the vpnc command-line vpn client (I assume that openvpn has something similar)
17:10 < blarney> but if I use a command-line client to connect to a vpn network while logged in remotely to a machine over ssh, will it disconnect my ssh session?
17:34 < blarney> yep, tried it and it freezes my ssh connection :(
17:36 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:58 < jeiworth_> strange, i do that all the time
17:58 < Bushmills> blarney: openvpn is both server and client, depends on the config (or command line arguments)
17:59 < jeiworth_> afaik vpnc is for cisco concentrators, isn't it?
17:59 -!- blarney [n=blarney@pool-71-126-233-9.bstnma.east.verizon.net] has quit ["Leaving."]
17:59 < Bushmills> shouldn't affect any ssh session, unless the route changes
17:59 < jeiworth_> Description: Cisco-compatible VPN client
17:59 < jeiworth_> vpnc is a VPN client compatible with cisco3000 VPN Concentrator (also known as Cisco's EasyVPN equipment). vpnc runs entirely in userspace and
17:59 < jeiworth_> does not require kernel modules except of the tun driver to communicate with the network layer.
17:59 < Bushmills> s/changes/is changed/
18:07 < jeiworth_> well well, he just left
18:08 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:10 < Bushmills> ah.
18:11 < Bushmills> I have join/part messages disabled
18:23 -!- newmember_ [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn
18:23 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
18:23 < xok> guys, I've got an error on client when trying to establish communication...
18:23 < xok> is anyone here to help?..
18:25 < Bushmills> yes, your log files
18:25 < Bushmills> and you
18:25 < Bushmills> you, by reading them
18:25 < xok> Bushmills, thank you very much, you were very helpful...
18:26 < Bushmills> i answered as best as i could to your question
18:26 < reiffert> xok:
18:26 < reiffert> !all
18:26 < vpnHelper> reiffert: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
18:26 < reiffert> !logs
18:26 < vpnHelper> reiffert: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
18:26 < xok> reiffert, ok, I will, I just asked if anyone is present here..
18:27 < Bushmills> nobody will say that he will help if he doesn't even know what the problem is
18:27 < xok> this is config file for server: http://pastebin.com/d6d51cfe1
18:28 < xok> here is for client: http://pastebin.com/d1878babf
18:30 < xok> here is the error message (tail -n 3-ed) http://pastebin.com/d368660a1
18:30 < xok> this error is from server...
18:31 < xok> and here is error from client: http://pastebin.com/d3bf9aaac
18:32 < Hypnoz> are there any other clients that can connect to the server successfully?
18:32 < xok> Hypnoz, nope, I'm just trying to set up....
18:32 < xok> this is my first try with VPN...
18:32 < Hypnoz> I don't have crl-verify crl.pem in my server.conf
18:32 < Hypnoz> you can comment that out
18:33 < xok> ok, I will, from which, server or client?..
18:33 < reiffert> xok: rtfm
18:33 < reiffert> !howto
18:33 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
18:33 < Hypnoz> comment out the "cipher BF-CBC" line
18:33 < Hypnoz> server.conf
18:34 < Hypnoz> actually that doesn't matter, its the default anyways
18:34 < xok> Hector, cipher and crl-verify too right?..
18:34 < xok> Hypnoz, sorry, wrong nick...
18:35 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
18:35 < Hypnoz> my server.conf says "dev tun" not "dev tun0"
18:35 < xok> reiffert, thank you for trying to help me, but for the first reading doesn't always help, I've read lots of stuff today really...
18:35 < xok> Hypnoz, ok, I will change too...
18:35 < reiffert> xok: copy&paste didnt help either.
18:36 < xok> reiffert, I'm very used to keyboard, I don't "copy & paste"...
18:37 < reiffert> call it useless typing of bullshit then.
18:37 < Hypnoz> in your server.conf, i notice the "ca keys/cacert.pem" maybe should be a ".ca" file
18:37 < reiffert> .oO how to convert a pem file ;)
18:37 < xok> Hypnoz, yeah, I've noticed that too, but I followed this page: http://www.section6.net/wiki/index.php/Basics_of_using_OpenSSL#Making_your_own_CA
18:37 < vpnHelper> Title: Basics of using OpenSSL - Section6wiki (at www.section6.net)
18:38 < xok> and somehow I ain't got no ca.crt file anywhere on the system...
18:41 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
18:44 < xok> anything else I can do?...
18:45 < reiffert> go back to !howto
18:46 < xok> reiffert, hey, how old are you btw?...
18:46 < reiffert> ?
18:46 < xok> you're talking like a kid...
18:47 < reiffert> and you are my play mate
18:47 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
18:48 < xok> you are a very impolite person, and can't even understand how to talk to others...
18:48 < xok> I'm very sad and sorry, but I have to /ignore you...
18:49 < reiffert> you have to? You already do.
18:51 < xok> Hypnoz, sorry for disturbing you, can you please provide some additional help?..
18:56 < Hypnoz> hey i'm back, i had to help a coworker out
18:56 < xok> Hypnoz, thank you for your time and attention...
18:57 < xok> Hypnoz, I've changed everything as you said, but still no luck...
18:57 < Hypnoz> the walkthrough I went through was on the openvpn.net site, and has all the info
18:57 < Hypnoz> http://openvpn.net/howto.html
18:57 < Hypnoz> this is running on linux right
18:57 < reiffert> and another person on his ignore list.
18:58 < Hypnoz> you want to run . ./vars && ./clean-all && ./build-ca
18:58 < Hypnoz> that will generate your ca.key file
18:58 < reiffert> edit the vars file..
18:59 < Hypnoz> not necessary to edit vars, can manually edit those lines if they are wrong reiffert
19:00 < Hypnoz> but xok, you may have to put the full path to the 3 files in your server.conf file
19:00 < xok> Hypnoz, I remember it didn't work and i went to manually create all those certificates as described on the page I gave you..
19:00 < Hypnoz> ie, my server.conf ca line looks like this "ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt"
19:01 < xok> Hypnoz, ok, I will try with easy-rsa once again...
19:01 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
19:03 < Hypnoz> really if i had to guess, it would be those files you generated, plus putting the right paths after "ca", "cert", "key" and "dh"
19:04 < Hypnoz> i don't think it's finding those files with the way you have the paths right now, you should use absolute paths
19:05 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:05 < reiffert> and assure "nobody" can read them.
19:05 < Hypnoz> they will be owned by root, and will be readable by root
19:06 < xok> Hypnoz, no, it can read those files, it would not start it wasn't so...
19:06 < xok> if it wasn't so...
19:06 < Hypnoz> hmm ... you may be right
19:09 < Hypnoz> were you able to generate a ca.key file using build-ca?
19:12 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
19:13 < xok> Hypnoz, yes, just finished...
19:14 < xok> Hypnoz, I am going to copy these files to my client machine: client1.key, client1.crt and ca.crt is it right?..
19:14 < Hypnoz> yep
19:16 < Hypnoz> you may have to fix the paths of "ca", "cert", and "key" line in your client.conf
19:16 < Hypnoz> and I renamed client.conf to client.ovpn
19:16 < Hypnoz> what type of system are you using as client? windows, mac, linux?
19:16 < xok> Linux...
19:16 < xok> and BSD as server...
19:17 < Hypnoz> on my linux client, i create a folder in my home dir called .openvpn, and put the 4 files in there
19:18 < xok> 4 files?..
19:18 < Hypnoz> then made a script that ran these commands
19:18 < Hypnoz> #!/bin/bash
19:18 < Hypnoz> cd /home/colin/.openvpn
19:18 < Hypnoz> sudo openvpn --config colin.ovpn
19:18 < xok> can you tell me which?..
19:18 < Hypnoz> ca.crt, client1.crt, client1.key, client.ovpn(or client.conf)
19:19 < Hypnoz> client1.csr don't copy over
19:19 < xok> ah, you included config file...
19:19 < xok> that's ok...
19:19 < xok> we need three files from the server right?..
19:19 < Hypnoz> yeah, plus the client.conf
19:20 < Hypnoz> i put them all in the same folder
19:20 < Hypnoz> so you don't have to put "ca keys/ca.crt"
19:20 < xok> yeah, let me try now if it will work...
19:20 < Hypnoz> you just put "ca ca.crt"
19:20 < Hypnoz> make sure your paths are right in your client.conf is what i'm saying
19:23 < xok> damn, still the same...
19:26 < xok> I have no idea what's going wrong here..
19:26 < xok> does client machine need to adjust routing table?...
19:27 < xok> maybe this is the reason?..
19:27 < Hypnoz> no client machine will be pushed routes from the server
19:27 < Hypnoz> and even then it doesn't matter about routes, it should connect either way and be able to ping the server
19:27 < xok> Hypnoz, then what's the reason I can't connect?..
19:28 < xok> Hypnoz, it does connect...
19:28 < Hypnoz> it does?
19:28 < Hypnoz> can you ping the IP of your openvpn server from the client?
19:28 < xok> yes, it does, error log says it connects..
19:28 < xok> nope...
19:28 < xok> let me give you the error...
19:29 < xok> Hypnoz, may I PM you the link from the server log?..
19:29 < Hypnoz> sure
19:34 < xok> Hypnoz, I think the ifconfig tun0 should be interesting:
19:34 < Hypnoz> did you send it yet? i didn't get anything
19:34 < xok> tun0: flags=8051 mtu 1500
19:34 < xok> inet 10.0.1.1 --> 10.0.1.2 netmask 0xffffffff
19:35 < xok> Hypnoz, yes, I did...
19:35 < xok> 255.255.255.255 netmask?...
19:35 < xok> shouldn't it be 255.255.255.0?...
19:36 < Hypnoz> nah because the client tun0 will only need to talk to one IP, the openvpn server
19:37 < Hypnoz> 255.255.255.255 is ok for tun0 on the client
19:37 < xok> that's on the server side..
19:38 < Hypnoz> mine has 255.255.255.255 for tun0 on server as well
19:38 < xok> ok...
19:39 < Hypnoz> can you send me the new server and client conf files?
19:39 < Hypnoz> and you made sure after changing your server.conf to restart openvpn right
19:39 < xok> Hypnoz, yeah, I've restarted server...
19:40 < xok> let me show you the config files...
19:40 < Hypnoz> just for completion, can you put the full paths to the files in server.conf and client.conf?
19:40 < xok> Hypnoz, I've done so...
19:40 < Hypnoz> ok
20:01 -!- newmember_ [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Client Quit]
20:09 -!- Hector [n=hectorbo@216.57.213.8] has quit ["This computer has gone to sleep"]
20:13 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:17 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
20:24 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:35 -!- WormFood [n=wormfood@58.61.134.87] has quit ["Leaving"]
20:35 -!- WormFood [n=wormfood@58.61.134.87] has joined ##openvpn
21:04 < epaphus> Hey guys, i managed to establish my VPN. and i can ping the endpoint. What should I run in linux so that my default gateway goes to the VPN thus all connections go through it?
21:12 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has quit ["Leaving"]
21:14 < WormFood> does anyone know if windows will puke on 900 routes in its routing tables? I haven't tried it yet.
21:15 < WormFood> epaphus, route add -net 0/0 gw x.x.x.x
21:15 < WormFood> epaphus, make sure you route your vpn address over the normal interface first
21:15 < WormFood> I mean, the vpn server address (if i wasn't clear enough)
21:18 < epaphus> WormFood, or I can push the "redirect-gateway" right?
21:19 -!- master_of_master [i=master_o@p549D430E.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:22 -!- master_of_master [i=master_o@p549D4348.dip.t-dialin.net] has joined ##openvpn
21:23 < epaphus> anybody here ever used the built in Network Manager to configure openvpn route?
21:23 < WormFood> that should work, but that wasn't your original question :P
21:23 < epaphus> i tried push "redirect-gateway" and push "redirect-gateway def1" and it didnt work.. :/
21:24 < epaphus> its not altering my routing tables..
21:24 -!- hyper__ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has joined ##openvpn
21:24 -!- hyper_ch [n=hyper@adsl-89-217-137-225.adslplus.ch] has quit [Nick collision from services.]
21:24 -!- hyper__ch is now known as hyper_ch
21:24 < epaphus> i remember i had the same trouble some time ago hm
21:25 < WormFood> what platform?
21:27 < epaphus> ubuntu as the client
21:27 < epaphus> BSD as the server
21:27 < Douglas> WHATS GOOOOOOOOOOOOOOOOOOOOOOOOOD
21:27 < Douglas> epaphus
21:27 < Douglas> there?
21:27 < epaphus> huh?
21:27 < Douglas> !ubuntu
21:27 < vpnHelper> Douglas: "ubuntu" is dont use network manager!
21:28 < epaphus> why not?
21:28 < Douglas> i dont know to be honest with you
21:28 < Douglas> i just know do not do it
21:28 < epaphus> i need a GUI in ubuntu to manage VPNs
21:28 < epaphus> gopenvpn is a joke
21:28 < WormFood> what do you mean by that? it does not work right with openvpn?
21:29 < epaphus> WormFood, sure.. but i need the gui because i am going to have people turning it off and on, end users
21:29 < WormFood> I was having problems walking my friend through setting up openvpn on ubuntu....he seems to think the gui will do everything for him, just give him a user name and password and address, and that is all...hahahaha (he clearly does not understand what is going on)
21:30 < WormFood> you just need a button connected to a script
21:31 < WormFood> you shouldn't need a full blown app for turning it on and off
21:31 < epaphus> if I use the openvpn directly... how does an end user know when he is connected or not.. or if the connection was dropped?
21:32 < WormFood> give them a web page to visit on the other end of the link...if it works, you're connected...if it don't work, you're not connected ;)
21:33 < epaphus> come on, i am serious.. :)
21:33 < WormFood> it was a smart-ass answer, but it should work :P
21:34 < WormFood> yeah, I know, not exactly what you're looking for
21:34 < WormFood> what you want shouldn't be too hard to write
21:34 < epaphus> last time I used GOPenvpn it was a real joke
21:34 < WormFood> anyways...what is the deal with network manager and ubuntu
21:34 < WormFood> ?
21:34 < epaphus> VERY hard to get setup
21:34 < epaphus> i also would like to know that
21:35 < WormFood> I will be trying to get openvpn setup on a wrt-54g router soon....that should be fun, with 900 routes in the routing table (maybe I'll just route EVERYTHING over the vpn)
21:41 < epaphus> I have to setup 30 ubuntu openvpn as clients
21:42 < epaphus> they are going to be hitting it hard.. and I am worried about the stability of the connection.. thats why instead of running the script with a double click i am worried the connection will fail and the user doesnt know
21:52 < epaphus> !redirect
21:52 < vpnHelper> epaphus: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:53 < epaphus> !def1
21:53 < vpnHelper> epaphus: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:06 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit []
22:33 < epaphus> Is it possible to select in the openvpn server the IP to use for outbound connections to the internet?
22:40 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
22:42 -!- WormFood [n=wormfood@58.61.134.87] has quit [Read error: 110 (Connection timed out)]
22:42 -!- WormFood [n=wormfood@58.61.134.87] has joined ##openvpn
22:43 < ksnp> hi
22:46 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
22:46 -!- phantomcircuit [n=phantomc@76.199.100.233] has joined ##openvpn
22:46 < phantomcircuit> is it possible to run openvpn without a tun or tap device?
22:50 < Bushmills> yes. openvpn --help will not try to open a tun or tap device
23:18 < phantomcircuit> har har
23:23 < Bushmills> epaphus: no, you'd use routing or redirection support of your OS for that purpose.
23:26 -!- jeiworth_ [n=jeiworth@189.163.169.109] has quit [Read error: 110 (Connection timed out)]
23:31 -!- phantomcircuit [n=phantomc@76.199.100.233] has quit [Read error: 145 (Connection timed out)]
23:33 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has joined ##openvpn
23:34 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)]
23:37 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has joined ##openvpn
23:41 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has quit [Client Quit]
23:55 -!- jeiworth [n=jeiworth@189.163.169.109] has joined ##openvpn
--- Day changed Wed Oct 07 2009
00:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:23 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has quit [Remote closed the connection]
00:45 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
00:45 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:58 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
01:00 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
01:19 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:29 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
01:30 -!- hyper_ch [n=hyper@83.77.116.146] has joined ##openvpn
01:33 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:36 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:41 -!- jeiworth [n=jeiworth@189.163.169.109] has quit [Read error: 110 (Connection timed out)]
02:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:06 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
03:15 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
03:20 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:29 -!- t0mm [n=tomm@mail.keyade.com] has joined ##openvpn
03:46 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
03:56 -!- dazo|afk is now known as dazo
03:57 -!- dazo [n=nnnnnnnn@209.132.186.254] has quit [Remote closed the connection]
03:58 -!- dazo [n=nnnnnnnn@209.132.186.254] has joined ##openvpn
03:58 -!- dazo [n=nnnnnnnn@209.132.186.254] has quit [Remote closed the connection]
03:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:00 -!- dazo [n=dazo@209.132.186.254] has joined ##openvpn
04:25 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
04:29 -!- rockstar33339 [n=rockstar@93-39-35-230.ip74.fastwebnet.it] has joined ##openvpn
04:29 < rockstar33339> hello everyone
04:32 -!- rockstar33339 [n=rockstar@93-39-35-230.ip74.fastwebnet.it] has quit [Read error: 104 (Connection reset by peer)]
04:47 -!- theDoc [n=hex@219.95.190.217] has joined ##openvpn
04:49 -!- theDoc [n=hex@219.95.190.217] has quit [Client Quit]
04:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:20 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
05:21 -!- hyper__ch [n=hyper@141-8.76-83.cust.bluewin.ch] has joined ##openvpn
05:21 -!- hyper_ch [n=hyper@83.77.116.146] has quit [Nick collision from services.]
05:21 -!- hyper__ch is now known as hyper_ch
05:46 -!- Netsplit robinson.freenode.net <-> irc.freenode.net quits: pa, WormFood, Intensity, cpm
05:46 -!- Netsplit over, joins: cpm, WormFood, pa
05:50 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
06:16 -!- brizly1 [n=brizly_v@p4FC981AE.dip0.t-ipconnect.de] has joined ##openvpn
06:25 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
06:30 -!- brizly [n=brizly_v@p4FC9A188.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:42 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)]
06:58 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:59 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
07:30 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:34 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
07:41 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
07:56 < ecrist> wow
08:07 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:11 -!- Stylles [n=Stylles@201.22.54.130.dynamic.adsl.gvt.net.br] has joined ##openvpn
08:14 -!- styllles [n=Stylles@201.22.54.130] has joined ##openvpn
08:14 < styllles> hi
08:14 < styllles> anyone ever see this error
08:14 < styllles> error on line 145 of /etc/openvpn/openssl.cnf
08:14 < styllles> 10065:error:0E065068:configuration file routines:STR_COPY:variable has no value: conf_def.c:629:line 145
08:15 -!- Netsplit robinson.freenode.net <-> irc.freenode.net quits: polaru, Stylles, APTX|, brizly1, misterbean, Rolybrau
08:15 -!- APTX| [n=APTX@213.251.162.70] has joined ##openvpn
08:15 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
08:16 < styllles> eliasp oi
08:17 -!- hyper_ch [n=hyper@141-8.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
08:17 -!- styllles [n=Stylles@201.22.54.130] has left ##openvpn []
08:18 -!- iElectric [n=ie@89.143.223.22] has joined ##openvpn
08:18 < iElectric> hello
08:19 < iElectric> I'm having troubles connecting from ubuntu client
08:19 < iElectric> if I use the same config on virtualbox windows xp machine, it works
08:20 < iElectric> logfile http://paste2.org/p/456678
08:21 < iElectric> any tip is appreciated:)
08:21 < iElectric> tap device just stays untouched
08:23 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:24 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:30 -!- brizly [n=brizly_v@p4FC981AE.dip0.t-ipconnect.de] has joined ##openvpn
08:30 < Optic> mooo
08:32 < ecrist> !ubuntu
08:32 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
08:33 < iElectric> ecrist, if that was meant for me
08:33 < iElectric> im running it from init.d
08:36 < ecrist> ;)
08:36 < ecrist> !all
08:36 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:48 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
08:50 -!- theDoc [n=hex@122.0.28.66] has joined ##openvpn
08:50 -!- iElectric [n=ie@89.143.223.22] has quit [Read error: 113 (No route to host)]
08:55 < ecrist> theDoc: what were you pinging me for yesterday?
08:55 < theDoc> ecrist> Wanted to ask you to pentest a box :D
08:56 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has joined ##openvpn
08:59 < ecrist> ah
09:00 < theDoc> now is not the time, probably tomorrow.
09:00 < theDoc> i need sleep 09:00 < theDoc> fuck 30 hour work days 09:09 < ecrist> fuck 8 hour work days 09:17 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 09:21 -!- misterbean [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has joined ##openvpn 09:21 -!- misterbean is now known as Guest22809 09:22 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 09:28 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 09:30 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 09:30 -!- jeiworth [n=jeiworth@189.177.127.117] has joined ##openvpn 09:44 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"] 09:45 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:51 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 09:55 -!- newmember [n=chatzill@167.211.140.243] has joined ##openvpn 09:56 < newmember> Hmmm, I am setting up openvpn and I am not able to see the network from my client. 10:00 < newmember> I am pushing a route to the client and I have "pull" on the client. 10:00 < newmember> I see this in the log: Wed Oct 07 08:57:38 2009 C:\WINDOWS\system32\route.exe ADD 172.16.64.0 MASK 255.255.240.0 10.0.8.5 10:00 < newmember> So I think that is good 10:00 < newmember> Ideas 10:01 < Bushmills> what is "the network" and why do you think you should see it? 10:08 < newmember> network? My LAN network is 172.16.64.0 10:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 10:31 < newmember> Bushmills: I pushed the route for my lan network, and I accepted and added it to my client's host table.
So I should be able to send traffic to it 10:31 < Bushmills> !route 10:31 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:37 < newmember> Bushmills: I am good with my push "route 172.16.64.0 255.255.240.0" in my server config 10:37 < Bushmills> not enough 10:37 < newmember> how so 10:37 < Bushmills> !route 10:37 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:41 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:43 < newmember> Bushmills: I bet you are trying to be helpful, thanks. 10:46 < newmember> I think I have demonstrated that the network is being pushed and accepted by the client 10:47 < newmember> I can even ping the NIC on the LAN side of openvpn server, so my thought is that the packets stop or don't come back to the NIC on the LAN side. 10:53 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 10:53 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 10:54 -!- t0mm [n=tomm@mail.keyade.com] has quit [] 11:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:10 < teddymills> My office router portforwards 1194 to my openvpn server. My openvpn clients rely on the office router's DHCP since openvpn gets its DHCP leases from that router. Problem is it is a Linksys and I have to reboot it every once in a while so DHCP works again. Can I setup my openvpn clients to use static IPs? And if so, is there a URL that shows me how?
11:15 < ecrist> newmember: you need to enable ip_forwarding on the vpn server 11:25 -!- mirco [n=mirco@p54B26B2A.dip.t-dialin.net] has joined ##openvpn 11:29 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn 11:30 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 11:30 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 11:33 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:33 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:40 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 11:43 -!- chefkoch2010 [n=chefkoch@e176136022.adsl.alicedsl.de] has joined ##openvpn 11:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 11:59 -!- chefkoch2010 [n=chefkoch@e176136022.adsl.alicedsl.de] has quit [" Try HydraIRC -> http://www.hydrairc.com <-"] 12:08 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 12:28 < newmember> ecrist: good thought: > cat /proc/sys/net/ipv4/ip_forward 12:28 < newmember> 1 12:29 < newmember> I think I have it started 12:31 < ecrist> have you checked your firewall? 12:31 < newmember> I turned iptables off 12:31 < ecrist> !iptables 12:31 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 12:34 < ecrist> newmember: to really be able to help you, we need more information about your setup.
routing tables would be nice, as well as local interface information 12:34 < newmember> thanks 12:38 < newmember> ecrist: http://pastebin.ca/1601954 12:39 < ecrist> !configs 12:39 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:42 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection] 12:43 -!- chefkoch2010 [n=chefkoch@e176136022.adsl.alicedsl.de] has joined ##openvpn 12:44 < chefkoch2010> hello. my openvpn is very slow. about 100kb/sec on gigabit network. i can see only a 10mbit tun network adapter on windows. is it possible to reach higher rates about 8 megabyte/sec? 12:46 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 12:48 < newmember> ecrist: ok http://pastebin.ca/1601981 12:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 12:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:50 < newmember> chefkoch2010: I think I saw a 100Mb network adapter that can work with openvpn, It might be in the current version of openvpngui. I can't be sure. 12:51 < chefkoch2010> ok. what is the normal transfer rate for openvpn? do i have a problem with 100 kilo/s or is that normal on gigabit lan? 12:52 < ecrist> newmember: is the route successfully being pushed to the clients?
12:54 < newmember> Wed Oct 07 08:57:38 2009 C:\WINDOWS\system32\route.exe ADD 172.16.64.0 MASK 255.255.240.0 10.0.8.5 12:55 < newmember> Wed Oct 07 08:57:38 2009 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=30 and dwForwardType=4 12:55 < newmember> Wed Oct 07 08:57:38 2009 Route addition via IPAPI succeeded [adaptive] 12:55 < newmember> ecrist: yes 12:55 < newmember> I can ping the NIC side of the openvpn server, just not the hosts on the network 12:56 < chefkoch2010> you mean the hosts behind the vpn server? 12:57 < chefkoch2010> do you have ip forwarding activated on the vpn server? 12:57 < newmember> correct hosts on the LAN behind the vpn server 12:57 < newmember> cat /proc/sys/net/ipv4/ip_forward 12:57 < newmember> 1 12:58 < newmember> ip-forward is active 12:58 < chefkoch2010> how about your firewall settings? do you have nat enabled in your /etc/network/interfaces? 12:58 < newmember> hmmm. curious I am going to reboot the server to make sure 12:58 -!- lorddoskias_ [i=907c1021@gateway/web/freenode/x-lbbonwnjjnaxeuzv] has joined ##openvpn 12:59 < newmember> nat in my interfaces? 12:59 < lorddoskias_> hi 12:59 < lorddoskias_> i need help with nat 12:59 < lorddoskias_> i have vpn connectivity 12:59 < lorddoskias_> client <=> server 12:59 < lorddoskias_> how can i check whether i need iroute rules so that masquerading works for the vpn client 13:00 < chefkoch2010> newmember: http://pastebin.ca/1602013 13:02 < lorddoskias_> !redirect 13:02 < vpnHelper> lorddoskias_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:02 < lorddoskias_> !def1 13:02 < vpnHelper> lorddoskias_: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:02 < lorddoskias_> !nat 13:02 < vpnHelper> lorddoskias_: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:03 < lorddoskias_> !linnat 13:03 < vpnHelper> lorddoskias_: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:04 < newmember> !route 13:04 < vpnHelper> newmember: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:06 < newmember> that was for me 13:07 < lorddoskias_> :( 13:07 < lorddoskias_> no luck with forwarding 13:07 < lorddoskias_> damn it 13:10 < newmember> lorddoskias_: you might want to add a new "redirect-gateway" but add a metric so that it becomes the primary over the existing one 13:10 < lorddoskias_> i send traffic to the openvpn server 13:10 < ecrist> redirect-gateway def1 13:10 < lorddoskias_> i wonder whether there is something else i should do 13:11 < ecrist> push "redirect-gateway def1" 13:15 < lorddoskias_> Tracing route to 22.24.233.72.static.reverse.ltdomains.com [72.233.24.22] over a maximum of 30 hops: 1 euphoria [10.10.11.14] reports: Destination host unreachable.
13:15 < lorddoskias_> this is what i get 13:15 < lorddoskias_> 11.14 is the ip of my machines on the vpn 13:16 < lorddoskias_> 10.10.11.0 255.255.255.0 10.10.11.13 10.10.11.14 30 10.10.11.12 255.255.255.252 On-link 10.10.11.14 286 10.10.11.14 255.255.255.255 On-link 10.10.11.14 286 10.10.11.15 255.255.255.255 On-link 10.10.11.14 286 13:16 < lorddoskias_> this is the routing table, pertaining to the vpn 13:16 < ecrist> lorddoskias_: please do not paste in here 13:17 < lorddoskias_> ok, sry 13:18 < lorddoskias_> any suggestions 13:21 < lorddoskias_> ecrist: should i paste again on pastebin? 13:25 < chefkoch2010> is it normal, to have only 100 kilobit transfer rate on an 1 gbit lan? 13:26 < newmember> do I have to have iptable rules for NAT to work, or can I have no rules? 13:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:27 < chefkoch2010> new: you need rules, if the network behind the server is in another subnet. and you need to configure a route back from the default gateway on your lan side. 13:28 < chefkoch2010> new: how many hosts do you want to reach behind the vpnserver? 13:28 < newmember> 30-50 13:28 < newmember> its the office network 13:29 < chefkoch2010> ok. and the office network is in another subnet? 13:29 < newmember> 172.16.64.0 network 13:29 < chefkoch2010> and your vpnserver ip? 13:29 < newmember> 172.16.64.60 13:30 < chefkoch2010> and the tun interface of the vpn server? 13:30 < newmember> yes 13:30 < newmember> tun0 13:30 < newmember> 10.0.8.1 13:30 < chefkoch2010> ok. 13:31 < chefkoch2010> .60 is on eth0? 13:31 < newmember> yes 13:31 < chefkoch2010> great. 13:31 < chefkoch2010> the vpnserver has a static ip .60, right? 13:31 < newmember> yes 13:32 < chefkoch2010> you can take my /etc/network/interface file from: http://pastebin.ca/1602013 13:33 < chefkoch2010> replace the 192.168.10.37 by your ip 172.16.64.60 13:33 < chefkoch2010> if you are using another network than 255.255.255.0 change that as well.
13:34 < chefkoch2010> enter your gateway on the lan side. i guess 172.16.64.1 13:36 < newmember> Ok, i am on centos, so things are a little different here 13:36 < chefkoch2010> :) 13:37 < newmember> is there something specific you are asking to look at or set? 13:38 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn 13:38 < xok> hello all... 13:38 < chefkoch2010> you need to enable routing (masquerading) on your vpn server. 13:39 < chefkoch2010> therefore i do have these two iptable rules. 13:39 < xok> I've got three subnets on my main server 172.16.*.*, 172.17.*.* and 192.168.*.* all of them have B class... 13:39 -!- dazo is now known as dazo|afk 13:40 < xok> openvpn server should use 10.0.1.* is it possible for clients of openvpn to communicate with other subnets?.. 13:41 < chefkoch2010> xok: yes. 13:42 -!- lorddoskias_ [i=907c1021@gateway/web/freenode/x-lbbonwnjjnaxeuzv] has quit ["Page closed"] 13:42 < xok> chefkoch2010, do I need some additional stuff to do or it would be accessible by default?... 13:44 < chefkoch2010> you need to push the routes to the clients by a push "route..." directive. the traffic will be routed to the vpnserver and the vpnserver needs to know how to route your requests to the other subnets. 13:45 < chefkoch2010> and forwarding on the vpn server must be enabled to do that. 13:45 < xok> I've got only one "push route" should I modify it or just add another?.. 13:45 < chefkoch2010> add as many as you like. 13:45 < xok> chefkoch2010, thank you very much....
13:52 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has quit ["Leaving"] 14:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 14:07 -!- buntfalke_ is now known as buntfalke 14:15 -!- chefkoch2010 [n=chefkoch@e176136022.adsl.alicedsl.de] has quit [" HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!"] 14:17 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 14:29 -!- zeq [n=zeq@genkt-048-069.t-mobile.co.uk] has joined ##openvpn 14:31 < epaphus> Hello, I am using openvpn to nat clients so that they can surf the internet through it. My question is.. if the machine has multiple IPs bound to it.. is it possible to select one in which they can surf or does it have to be the primary? 14:32 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has joined ##openvpn 14:32 -!- toka [n=toka@95.104.75.43] has joined ##openvpn 14:33 < xok> hello all.. 14:33 < toka> xok, gismen 14:33 < xok> I wonder if openvpn does NAT... 14:34 < xok> I mean when the packet from 10.1.5.10 for example arrives to openvpn server what does it do?... 14:34 < toka> he wonders if openvpn does nat by default when simple ipip tunnel is running 14:35 < xok> it routes that packet to the default gateway it knows, but what happens when response arrives from remote server (for example apache server)... 14:36 < xok> packet would contain destination address 10.1.5.0 and default gateway of the openvpn server wouldn't know about such subnet?.. 14:37 < xok> how would router sitting on the 192.168.1.1 IP know about 10.1.5.0 subnet?.. 14:39 < ecrist> OpenVPN does not do NAT 14:39 < xok> ecrist, thank you for your response... 14:39 < xok> ecrist, so, how would our router know about such subnet?... 14:39 < zeq> Hi, guys. I have an openvpn tun connection working with IPv4 and IPv6, but I can't get broadcast packets to traverse the tunnel.
For IPv6 routing I worked around this with radvd by specifying unicast only, and giving everything infinite lifetimes. I next tried setting up UPnP for handling port forwarding, but this time there seems to be no workaround for the lack of broadcast capability. Is it possible to get broadcast packets to traverse the t 14:40 < toka> ecrist, we have to learn about vpn subnet other routers or configure Nat yes? 14:40 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 14:40 < ecrist> toka: yes 14:40 < xok> ecrist, do we need to configure the router's NAT to learn 10.1.5.0?.. 14:41 < ecrist> yes 14:41 < xok> ecrist, ok, thank you very much... 14:41 < newmember> ecrist: how do I list my NAT rules with iptables 14:42 < ecrist> newmember: I've never used iptables, so I don't know 14:42 < ecrist> !iptables 14:42 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 14:45 < epaphus> anybody know about the IP question? :) 14:46 -!- zeq1 [n=zeq@genkt-048-032.t-mobile.co.uk] has joined ##openvpn 14:47 < zeq1> Sorry, I lost my Internet connection, is anybody able to help me with my above problem? 
14:48 -!- zeq1 [n=zeq@genkt-048-032.t-mobile.co.uk] has quit [Read error: 54 (Connection reset by peer)] 14:49 -!- zeq1 [n=zeq@genkt-048-032.t-mobile.co.uk] has joined ##openvpn 14:49 -!- toka [n=toka@95.104.75.43] has left ##openvpn ["Leaving"] 14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 14:53 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 15:07 -!- zeq1 [n=zeq@genkt-048-032.t-mobile.co.uk] has quit [Read error: 60 (Operation timed out)] 15:11 -!- zeq [n=zeq@genkt-048-069.t-mobile.co.uk] has quit [Read error: 110 (Connection timed out)] 15:17 -!- zeq [n=zeq@genkt-048-022.t-mobile.co.uk] has joined ##openvpn 15:17 -!- xok [n=xok@host-62-168-165-53.adsl.caucasus.net] has quit ["Leaving"] 15:21 < zeq> damned "mobile broadband", it's definitely not ideal for IRC in a marginal reception area! :( 15:21 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 15:25 < Bushmills> why, that's what you have openvpn (and an irc bouncer) for ... 15:26 < |Mike|> and a hammer. 15:37 -!- newmember [n=chatzill@167.211.140.243] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"] 15:45 -!- zeq1 [n=zeq@genkt-048-026.t-mobile.co.uk] has joined ##openvpn 15:47 < zeq1> all good ideas! :) 15:48 < zeq1> okay, hopefully I'm now placed somewhere with enough signal to remain online :) 15:50 < zeq1> to simplify my question: is there any way to get broadcast packets to traverse a routed tun connection? Do I have to use tap? 
16:06 -!- zeq [n=zeq@genkt-048-022.t-mobile.co.uk] has quit [Read error: 104 (Connection reset by peer)] 16:12 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 16:13 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 16:15 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 16:15 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 16:19 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn 16:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 16:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 16:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 16:23 < newmember> So I should be able to use openvpn without iptables. 16:28 -!- fccf [n=Lee@unaffiliated/fccf] has joined ##openvpn 16:28 -!- fccf [n=Lee@unaffiliated/fccf] has left ##openvpn [] 16:31 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 16:31 < f00fSteR> holy shit 16:31 < f00fSteR> i had no idea this channel existed! 16:32 < f00fSteR> f'in goldmine! :)) 16:32 < f00fSteR> hi guys! 16:32 < f00fSteR> so... for my first question 16:32 < f00fSteR> why does openvpn require black voodoo in the network/route aspect of it ? 16:33 < f00fSteR> seriously... i cannot get that to work... if i do something else goes screwy 16:33 < f00fSteR> and what's the difference between tun and TAP ? 16:39 -!- zeq1 [n=zeq@genkt-048-026.t-mobile.co.uk] has quit [Read error: 110 (Connection timed out)] 16:41 < f00fSteR> err 16:41 < f00fSteR> ?
16:41 -!- jeiworth [n=jeiworth@189.177.127.117] has quit [Connection timed out] 16:46 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Read error: 110 (Connection timed out)] 16:48 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 17:07 -!- zeq [n=zeq@genkt-048-027.t-mobile.co.uk] has joined ##openvpn 17:08 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 17:08 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 17:08 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 17:13 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 17:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 17:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 17:16 < Hypnoz> f00fSteR: http://openvpn.net/howto.html 17:18 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:18 < epaphus> thats mean..:S 17:19 < Hypnoz> ok, I'll try to actually help then ... what you might be missing is you have to set a route on your router that routes the VPN subnet to your openvpn server as its gateway 17:19 < Hypnoz> tun vs tap is described in server.conf, but if you don't know the diff just go with tun 17:19 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:23 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 17:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 104 (Connection reset by peer)] 17:29 < krackpot> when generating keys, will setting KEY_SIZE in vars.bat to 2048 slow down the overall connection speed, or just the authentication? or both? 
17:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 17:29 < krackpot> (as opposed to the default 1024) 18:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 18:11 -!- zamba [i=marius@flage.org] has joined ##openvpn 18:11 < zamba> hi there! 18:12 < Hypnoz> why hello thur 18:14 < zamba> i want to set up a network/vpn structure where i can access several networks behind NAT 18:14 < zamba> i want to use one server and then the different end points as vpn clients 18:15 < zamba> the server runs a dhcpd? 18:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 18:34 -!- jeiworth [n=jeiworth@189.163.169.109] has joined ##openvpn 18:35 < krackpot> do i need to worry about the "unable to write random state" when generating keys? 19:05 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 19:08 -!- f00f [n=f00fSteR@66.sub-97-57-39.myvzw.com] has joined ##openvpn 19:10 < Douglas> USArCOWARDS (25 minutes ago) Show Hide 19:10 < Douglas> 0 19:10 < Douglas> Marked as spam 19:10 < Douglas> Reply 19:10 < Douglas> Eienem should bring Islam to? the USA. 
19:10 < Douglas> WOW 19:11 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 19:12 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 19:17 -!- zeq1 [n=zeq@genkt-048-071.t-mobile.co.uk] has joined ##openvpn 19:20 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit [Read error: 110 (Connection timed out)] 19:22 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 19:25 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 19:25 -!- f00f [n=f00fSteR@66.sub-97-57-39.myvzw.com] has quit [Read error: 60 (Operation timed out)] 19:31 -!- zeq [n=zeq@genkt-048-027.t-mobile.co.uk] has quit [Read error: 110 (Connection timed out)] 19:31 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 19:42 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 19:50 < ksnp> is it possible to run a server portably ? 19:54 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit [Read error: 110 (Connection timed out)] 19:54 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 20:02 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit [Read error: 110 (Connection timed out)] 20:03 < Bushmills> ksnp: if you can redirect packets sent to a machine with spare ip addresses, yes. 
if you rely on resolving to a changing ip address, you probably don't need openvpn (and it won't be of a lot of help in that case) 20:04 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 20:17 -!- [2]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 20:18 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn 20:18 < PeterFA> I keep getting this error: 20:18 < PeterFA> Wed Oct 7 18:17:38 2009 TLS Error: Unroutable control packet received from 95.211.4.15:1194 (si=3 op=P_CONTROL_V1) 20:18 < PeterFA> I added --float. 20:19 -!- misse-_ [i=misse@misse.org] has joined ##openvpn 20:19 < PeterFA> There was an error that I thought that was to fix. 20:19 -!- misse- [i=misse@misse.org] has quit [Read error: 104 (Connection reset by peer)] 20:19 < PeterFA> And of course the TLS handshake always fails. 20:21 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 113 (No route to host)] 20:21 -!- [2]ksnp is now known as ksnp 20:22 < ksnp> is it possible to run an openvpn on top of another openvpn or 2 openvpn clients simultaneously 20:23 < PeterFA> ksnp, yeah. 20:31 < ksnp> on windows too ? 20:31 < ksnp> at least the portable version that i was running says openvpnportable is already running 20:32 < ksnp> anyway, how can i see the list of connected users, and disconnect one for instance ? 20:33 < PeterFA> ksnp, it doesn't work that way. 20:34 < PeterFA> ksnp, it's just wrapping one protocol, encrypting it, and sticking it in another. 20:34 < PeterFA> ksnp, it doesn't keep users. 
20:35 < Douglas> ksnp 20:35 < Douglas> openvpn-status.log shows connected clients 20:35 < Douglas> as far as killing one, ot sure 20:35 < Douglas> not 20:36 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)] 20:38 -!- onats [n=onats@unaffiliated/onats] has joined ##openvpn 20:40 < ksnp> ok 20:40 -!- mirco_ [n=mirco@p54B2717F.dip.t-dialin.net] has joined ##openvpn 20:40 < ksnp> PeterFA, you mean openvpn inside another openvpn correct ? is there a way to do that on windows client ? is there any that allows it ? 20:41 < ksnp> i suppose it would allow pptp inside openvpn or vice-versa, i see that it is possible in principle but is there a s/w or trick to make it work ? 20:41 < PeterFA> ksnp, yeah, but I don't know how to do it. However, due to the generic nature, it is quite possible. 20:41 < ksnp> yep, i can see that it should be 20:42 < ksnp> is there a client for ipod ? 20:42 < PeterFA> I'd just start one, then start the other but give it all the interface information that refers to the other tun/tap. 20:42 < ksnp> i found there is for windows mobile 20:42 < ksnp> PeterFA, on windows at least with the portable openvpn client (one i got by searching) it says its already running, but that might be just a software check 20:43 < ksnp> if i install the openvpn instead of using this portable one, i suppose it will allow ? or is that you don't use windows openvpn client at all :) 20:43 < PeterFA> I know, you're going to have to think cleverly about this. 20:44 < PeterFA> Well, I don't use Windows. 20:44 < PeterFA> I hate it. 20:44 < PeterFA> POS system. 20:44 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:44 * Douglas likes win7 20:49 < ksnp> lol 20:49 < ksnp> Douglas, you have any suggestions for this - openvpn inside openvpn on windows ?
20:50 -!- mirco [n=mirco@p54B26B2A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:50 -!- mirco_ is now known as mirco 20:52 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 20:57 < Douglas> ksnp: nada 21:02 < ksnp> ok 21:02 < ksnp> does the openvpn server on windows require registry modifications ? 21:04 < Douglas> Today, I set my alarm to a baby's cry. When it went off during my lecture class, the boy sitting next to me immediately opened his backpack and said "sshh, it's okay lil guy, daddy loves you" The looks were priceless and I think I'm a little bit in love. 21:04 < Douglas> HAHAAHHAHAH 21:07 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 21:09 -!- WormFood [n=wormfood@58.61.134.87] has quit [Read error: 110 (Connection timed out)] 21:09 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 21:13 -!- Zotha [n=Zotha@64-126-117-142.dyn.everestkc.net] has joined ##openvpn 21:14 -!- master_of_master [i=master_o@p549D4348.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Nick collision from services.] 21:16 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn 21:17 < ksnp> anyone familiar with vsftpd here ? 21:17 < PeterFA> ksnp, I used to know and understand it. 21:17 -!- master_of_master [i=master_o@p549D4209.dip.t-dialin.net] has joined ##openvpn 21:22 < ksnp> can you help me get it to work :) ? 21:22 < ksnp> i disabled anonymous and enabled local users 21:23 < ksnp> worked yesterday with ftp, but not again today. i checked that the daemon is running 21:30 < epaphus> hey guys, is it possible to have a box with 50 openvpn connections.. and route every private IP to a different connection? 21:38 < Zotha> has anyone setup openvpn on a windows cluster? 21:41 < onats> windows cluster?
21:42 < Zotha> yes, we have a 2003 windows cluster that I'm running openvpn on to about 20 sun boxes. and I'm having a problem on the windows cluster side. 21:45 < ksnp> Zotha, you are referring to server or client ? 21:47 < Zotha> I have server on windows cluster 21:47 < ksnp> ok 21:47 < ksnp> what is the problem ? 21:47 < Zotha> the problem i'm having is that the tun tap interface needs to have the same name on both sides of the cluster for the config to roll from side to side properly 21:48 < Zotha> but it renames the inactive side adapter to openvpn(1) instead of just openvpn 21:49 < Zotha> so when I roll the cluster to the other side it fails because it doesn't see an adapter with the correct name on the other side. 21:50 < ksnp> ok, sorry i dont know the answer 21:53 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" HydraIRC -> http://www.hydrairc.com <- *I* use it, so it must be good!"] 22:02 -!- Zotha [n=Zotha@64-126-117-142.dyn.everestkc.net] has quit ["MegaIRC v4.05 http://ironfist.at.tut.by"] 22:06 -!- Flex\a [n=flex@5ac74c8b.bb.sky.com] has quit [Read error: 104 (Connection reset by peer)] 22:11 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 22:18 -!- jeiworth [n=jeiworth@189.163.169.109] has quit [Read error: 110 (Connection timed out)] 22:29 -!- aje_ [n=aj@213.150.56.107] has quit ["leaving"] 23:27 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Connection timed out] 23:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Thu Oct 08 2009 00:11 -!- mirco [n=mirco@p54B2717F.dip.t-dialin.net] has quit [] 00:14 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has joined ##openvpn 00:16 < disappearedng> Hey 00:18 < disappearedng> when I start openvpn, I don' t need to adjust my browser or anything (like in the case of proxies) 00:28 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 00:37 -!- onats [n=onats@unaffiliated/onats] has quit ["This computer has gone to 
sleep"] 00:48 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has quit [Read error: 110 (Connection timed out)] 00:49 -!- disappearedng [n=disappea@th241030.ip.tsinghua.edu.cn] has joined ##openvpn 00:53 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has joined ##openvpn 00:54 < techqbert> Is it possible to use OpenVPN and Openswan concurrently? Maybe one on the 10.* and the other on the 5.* subnet? 00:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 01:01 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has quit [Remote closed the connection] 01:04 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 01:21 -!- techqbert [n=jim@c-76-98-80-192.hsd1.pa.comcast.net] has quit [] 01:35 -!- hyper_ch [n=hyper@141-8.76-83.cust.bluewin.ch] has joined ##openvpn 01:42 -!- hyper__ch [n=hyper@22-83.77-83.cust.bluewin.ch] has joined ##openvpn 01:42 -!- hyper_ch [n=hyper@141-8.76-83.cust.bluewin.ch] has quit [Nick collision from services.] 
01:42 -!- hyper__ch is now known as hyper_ch 01:53 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 02:25 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:27 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:58 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 03:10 -!- c64zottel [n=hans@62-12-228-206.pool.cyberlink.ch] has joined ##openvpn 03:11 -!- c64zottel [n=hans@62-12-228-206.pool.cyberlink.ch] has left ##openvpn [] 03:11 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 03:15 -!- dazo|afk is now known as dazo 03:15 -!- dazo [n=dazo@209.132.186.254] has quit [Remote closed the connection] 03:16 -!- dazo [n=ndazo@nat/redhat-us/x-qqjorqpyicovvrfg] has joined ##openvpn 03:16 -!- dazo [n=ndazo@nat/redhat-us/x-qqjorqpyicovvrfg] has quit [Remote closed the connection] 03:17 -!- dazo [n=nndazo@nat/redhat-us/x-karoiuycpnyenric] has joined ##openvpn 03:17 -!- dazo [n=nndazo@nat/redhat-us/x-karoiuycpnyenric] has quit [Remote closed the connection] 03:17 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"] 03:18 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 03:18 -!- dazo [n=dazo@nat/redhat-us/x-qmrtthtfjafueyll] has joined ##openvpn 03:19 -!- Knoedel1 [n=Knoedel2@pd95b3f5a.dip0.t-ipconnect.de] has joined ##openvpn 03:19 < Knoedel1> !howto 03:19 < vpnHelper> Knoedel1: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:31 < Knoedel1> is there a howto for site-to-site vpn tunnels ? 03:31 < Knoedel1> !route 03:31 < vpnHelper> Knoedel1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:39 < sno> good morning all. Is there anything im missing when trying to get snmp working across openvpn connection? 
What im trying to do is snmlwalk over a connected vpn. snmpwalk is working fine without the vpn and with the vpn host A can ping host B fine. Any suggestions are welcome. 03:39 < sno> snmpwalk* sorry 03:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 03:53 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 04:00 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:11 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 04:12 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 04:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 145 (Connection timed out)] 04:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 04:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 04:59 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 05:02 -!- cpm_ [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 05:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 05:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 05:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 05:31 -!- cpm_ is now known as cpm 05:31 -!- dollabill [n=mike@209.168.226.66] has joined ##openvpn 05:34 -!- Knoedel1 [n=Knoedel2@pd95b3f5a.dip0.t-ipconnect.de] has quit [Read error: 145 (Connection timed out)] 05:36 -!- Knoedel1 [n=Knoedel2@pd95b3f5a.dip0.t-ipconnect.de] has joined ##openvpn 05:50 -!- dollabill [n=mike@209.168.226.66] has quit [Read error: 113 (No route to host)] 06:13 -!- theDoc [n=hex@unaffiliated/thedoc] has joined 
##openvpn 06:16 -!- brizly1 [n=brizly_v@p4FC980F5.dip0.t-ipconnect.de] has joined ##openvpn 06:16 -!- brizly [n=brizly_v@p4FC981AE.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 07:02 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 07:10 -!- rgouveia1 [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 07:16 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 07:24 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 07:29 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:30 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Client Quit] 07:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:55 -!- ebi_ [n=chatzill@mail.qualitytravel-berlin.de] has joined ##openvpn 07:56 < ebi_> Hi there. 07:57 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 07:58 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 07:58 < ebi_> Can someone tell me what the hardware requirements for an openvpn installation with max 100 concurrent clients are ? 07:59 < ebi_> Each client would only transmit a few hundred kb per hour. 07:59 < theDoc> sounds like a method to handle a c&c botnet ;p 08:01 < ebi_> well no. actually, not exactly ;o) 08:14 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has joined ##openvpn 08:14 < pielgrzym> hi there 08:14 < pielgrzym> does openvpn always assign the same ip per key to a client? 08:14 < pielgrzym> or do I need a special setup to do this? 08:14 < Bushmills> no. to be sure, look at: 08:14 < Bushmills> !ccd 08:14 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 08:15 < pielgrzym> Bushmills: thank you 08:15 -!- rgouveia1 [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 08:19 -!- zeq1 [n=zeq@genkt-048-071.t-mobile.co.uk] has quit [Read error: 110 (Connection timed out)] 08:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:25 < ecrist> good morning 08:26 < ecrist> !static 08:26 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 08:28 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 08:28 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 08:29 < theDoc> ecrist> Can I get you for a moment? Some design questions, need your input :) 08:30 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:31 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 08:33 < ecrist> sure 08:33 < ecrist> here or in a PM? 08:34 < theDoc> pm please. 08:34 < theDoc> is it ok? 
08:34 < ecrist> sure 08:58 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 09:01 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 09:03 -!- pielgrzym [n=pielgrzy@1str003.multi-play.net.pl] has left ##openvpn ["= Hejka / Hi peeps :]"] 09:04 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 09:10 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has left ##openvpn ["Leaving"] 09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:26 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 09:28 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 09:28 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 09:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 09:39 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 09:39 -!- MadTBone__ [n=MadTBone@mail2.msmnyc.edu] has joined ##openvpn 09:44 -!- c64zottel [n=zestor@62-12-228-206.pool.cyberlink.ch] has joined ##openvpn 09:46 -!- c64zottel [n=zestor@62-12-228-206.pool.cyberlink.ch] has left ##openvpn [] 09:50 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 09:54 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 09:54 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 09:54 -!- MadTBone [n=MadTBone@mail2.msmnyc.edu] has joined ##openvpn 09:57 -!- pistache_ [n=pist@rps3598.ovh.net] has joined ##openvpn 09:57 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 09:57 < pistache_> http://pastebin.ca/1604332 09:57 < pistache_> Any idea why I get this ? 
10:00 -!- ebi_ [n=chatzill@mail.qualitytravel-berlin.de] has quit ["ChatZilla 0.9.85 [Iceweasel 3.0.6/2009072220]"] 10:01 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 10:03 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn 10:14 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 10:15 -!- hyper_ch [n=hyper@22-83.77-83.cust.bluewin.ch] has quit [Remote closed the connection] 10:29 -!- jeiworth [n=jeiworth@189.177.42.231] has joined ##openvpn 10:30 < pistache_> Any idea ? 10:31 < pistache_> I regenerated my client certificates, same error 10:32 < pistache_> My config file is available here : http://pastebin.ca/1604416 10:35 < pistache_> I get this in my server log : 10:35 < pistache_> Thu Oct 8 17:34:41 2009 us=322840 94.71.158.65:1024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity) 10:40 < pistache_> date -u returns the same on both client and server 10:43 < pistache_> Any idea ? tried restarting the server 10:46 < pistache_> VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=FR/ST=Bouches-Du-Rh_xC3_xB4ne/L=Marseille/O=pistache/CN=pistache-server/emailAddress=@gmail.com 10:51 < pistache_> !interface 10:51 < vpnHelper> pistache_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 10:53 < pistache_> There are interfaces and routes : http://pastebin.ca/upload.php 10:53 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 10:53 < pistache_> !topology 10:53 < vpnHelper> pistache_: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 10:58 -!- Knoedel1 [n=Knoedel2@pd95b3f5a.dip0.t-ipconnect.de] has quit [] 11:13 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:14 < pistache_> any idea ? 11:16 < krzie> starting ovpn as root? 11:16 < pistache_> yes 11:17 < krzie> what os? 11:17 < pistache_> debian 5.0 11:17 < krzie> start over building your keys, follow !howto for that 11:17 < pistache_> Installed via apt-get, version 2.1~rc11 11:18 < krzie> get new version as well 11:18 < krzie> we're on rc20 11:18 < krzie> !download 11:18 < vpnHelper> krzie: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 11:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:18 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has joined ##openvpn 11:20 < pistache_> i built my jekeys --- Log opened Thu Oct 08 11:32:27 2009 11:32 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 11:32 -!- Irssi: ##openvpn: Total of 76 nicks [0 ops, 0 halfops, 0 voices, 76 normal] 11:32 -!- Irssi: Join to ##openvpn was synced in 21 secs 11:32 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has left ##openvpn [] --- Log closed Thu Oct 08 11:32:54 2009 --- Log opened Thu Oct 08 11:33:15 2009 11:33 -!- ecrist 
[n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 11:33 -!- Irssi: ##openvpn: Total of 76 nicks [0 ops, 0 halfops, 0 voices, 76 normal] 11:33 -!- Irssi: Join to ##openvpn was synced in 23 secs 11:34 < pistache_> krzie: well 11:34 < pistache_> all my vpn clients are debian 5.0, and even my client was running until yesterday. 11:34 < pistache_> All my keys including root CA are expiring in 2019. 11:35 < ecrist> krzie: your box will have just gotten rebooted. stupid electricity went out at my place 11:37 -!- jeiworth_ [n=jeiworth@189.177.42.231] has joined ##openvpn 11:38 -!- jeiworth [n=jeiworth@189.177.42.231] has quit [Read error: 104 (Connection reset by peer)] 11:38 < pistache_> krzie: just checked on another box, same debian lenny 5.0, and he's got : VERIFY OK: depth=1, /C=FR/ST=Bouches-Du-Rh_xC3_xB4ne/L=Marseille/O=pistache/CN=pistache-server/emailAddress=xxx 11:38 < pistache_> Why do I get depth=0 and him depth=1 ? 11:40 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection] 11:41 -!- pistache_ [n=pist@rps3598.ovh.net] has left ##openvpn [] 11:43 < krzie> ecrist, story of my life lately, i cant get a day uptime at my house for that reason 11:43 < krzie> lol; 11:54 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 12:09 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 12:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:11 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has joined ##openvpn 12:13 < disappearedng_> my question is, after I start openvpn, (if I didn't use the script provided by the repository), and I found out that I have a new interface under ifconfig, how do I tell my computer to use that to connect to the internet 12:33 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 12:34 < ecrist> redirect gateway 12:42 < |Mike|> redirect my beer please. 
12:44 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 12:44 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 12:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:50 -!- disappearedng_ [n=disappea@unaffiliated/disappearedng] has quit [Read error: 145 (Connection timed out)] 12:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 12:52 -!- dazo is now known as dazo|afk 12:57 -!- newmember [n=chatzill@vpn.libertymedical.com] has joined ##openvpn 13:07 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 13:08 -!- jeiworth_ [n=jeiworth@189.177.42.231] has quit [Read error: 104 (Connection reset by peer)] 13:09 -!- jeiworth [n=jeiworth@189.177.254.91] has joined ##openvpn 13:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:24 -!- f00fSteR [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit [Connection timed out] 13:24 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)] 13:28 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 13:35 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 13:35 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 13:38 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 13:57 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)] 13:58 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 13:59 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 113 (No route to host)] 14:01 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:03 -!- dollabill 
[n=mike@97.66.26.10] has quit [No route to host] 14:07 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 14:14 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn 14:18 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 14:48 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:52 -!- brizly1 [n=brizly_v@p4FC980F5.dip0.t-ipconnect.de] has quit ["Leaving."] 15:06 -!- _Joda_ [i=NOTOKAY@ks22848.kimsufi.com] has quit [Read error: 131 (Connection reset by peer)] 15:27 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 15:30 < f00f> anyone have network topologies of how openvpn should be set up on a networking level ? 15:30 < f00f> sorry i meant hardware level ? 15:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 15:44 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 15:48 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 15:53 -!- suprsonic [n=supr@h216-165-164-206.mdsnwi.tisp.static.tds.net] has joined ##openvpn 15:54 < suprsonic> tun0: Disabled Privacy Extensions when starting on ubuntu? 16:03 < plaerzen> suprsonic, that sounds like something SElinux would do to me. 16:09 < Douglas> SElinux should die 16:09 < Douglas> Hey plaerzen! 16:13 < newmember> I have enabled ip_forward and enabled all iptables accept, what might prevent my packets from transiting the openvpn server to the local LAN? 16:17 < Douglas> hm 16:24 < plaerzen> Douglas, Hey Dougy! 
16:27 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:32 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:41 -!- Intensity [i=[BdLfKfG@unaffiliated/intensity] has joined ##openvpn 16:44 -!- bandini [n=bandini@host129-111-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 16:53 -!- newmember [n=chatzill@vpn.libertymedical.com] has quit [Read error: 110 (Connection timed out)] 17:00 < |Mike|> i eat bricks. 17:01 -!- suprsonic [n=supr@h216-165-164-206.mdsnwi.tisp.static.tds.net] has left ##openvpn [] 17:25 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 17:26 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 17:26 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn 17:27 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 60 (Operation timed out)] 17:29 -!- rapha [i=rapha@unaffiliated/rapha] has joined ##openvpn 17:42 < rapha> Hi! 17:42 < rapha> I'm trying to get OpenVPN working on OpenBSD such that all my client traffic to the internet goes through the VPN. Unfortunately I don't seem to be able to get a proper NAT rule going with PF ... can you help? 17:45 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:50 < |Mike|> oka 17:50 < |Mike|> y 17:51 < |Mike|> rapha: please use google, it's stated. 17:54 < rapha> |Mike|: i've tried to before coming here ... my guess is i'm using the wrong keywords. What would you google for? 17:55 < |Mike|> openvpn + nat + pf 17:56 < rapha> thanks mike, that yielded something :-) 17:56 < |Mike|> I could call Peter Postma for this issue, but then again, it's 1 AM here in The Netherlands. 17:56 < rapha> sorry? 
17:57 < |Mike|> Peter Postma is one of the guys which ported PF to NetBSD 17:58 < rapha> In Germany too, by the way :-) 17:58 < rapha> oh i c 17:58 < |Mike|> he's Dutch imho :p 17:59 < rapha> well if you have his number, sure give him a call tell him there's some Duitsman on IRC trying to get the stuff to work 17:59 < |Mike|> I haven't used PF for a while, otherwise i could have helped you. 17:59 < |Mike|> duitsman, how clearly translated :P 17:59 < rapha> lol 17:59 < rapha> didnt know how to say it 18:00 < |Mike|> german! 18:00 < rapha> yes! 18:00 < rapha> well duitsman was supposed to sound funny 18:00 < |Mike|> aachen or closer ? ;P 18:00 < rapha> stuttgart 18:01 < |Mike|> that's close by 18:01 < rapha> close by aachen, more or less 18:01 < PeterFA> It's funny when you use a VPN. Google renders all their pages using the language spoken in the Netherlands when I visit their site now. 18:01 < rapha> where are you? 18:02 < PeterFA> My IP is now a Netherlands IP. 18:02 < |Mike|> f*ck, my incremental backup from last year doesn't contain my config anymore. 18:02 < rapha> kinda logic PeterFA , no? :) 18:02 < |Mike|> PeterFA: doh 18:02 < rapha> |Mike|: no worries 18:03 < |Mike|> rapha: if i find my rules again, i'll add them to vpnHelper 18:03 < |Mike|> !howto 18:03 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:04 < rapha> |Mike|: i got this now: http://pastie.org/647725 ... not working tho after pfctl -d; pfctl -e 18:05 < rapha> okay, one of them is basically a duplicate, but that should not matter 18:05 < |Mike|> you did define openvpn_port etc ? 18:06 < |Mike|> rephrase $port_openvpn 18:06 < |Mike|> and then you switch to $vpn_if 18:06 < |Mike|> defined ? 18:07 < rapha> $openvpn_port and $vpn_if are both defined 18:07 < rapha> but it's a bit confusing like this 18:07 < rapha> oh! pfctl -f monikers about something 18:10 < |Mike|> ..? 
18:11 -!- MadTBone [n=MadTBone@mail2.msmnyc.edu] has quit [Remote closed the connection] 18:11 -!- MadTBone__ [n=MadTBone@mail2.msmnyc.edu] has quit [Remote closed the connection] 18:12 < rapha> i had require-order on so it didn't even load the rules 18:13 < rapha> it's cleaned up now, too ... http://pastie.org/647737 ... but still no luck 18:13 < rapha> and the openvpn config itself looks good; i pretty much stuck to the howto anyway 18:14 < |Mike|> i'll take a look at it in the morning rapha 18:14 < |Mike|> it's already late in the EU :p 18:15 < rapha> cool, thanks :) 18:15 < rapha> then i'll call it a day as well and just idle around here 18:32 -!- rapha [i=rapha@unaffiliated/rapha] has quit ["leaving"] 18:34 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 18:37 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 18:42 -!- rapha [i=rapha@unaffiliated/rapha] has joined ##openvpn 18:42 < rapha> back; server reboot didn't help either :P ... gnight now! 18:43 -!- jeiworth [n=jeiworth@189.177.254.91] has quit [Connection timed out] 18:59 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 19:09 -!- mirco [n=mirco@p54B2717F.dip.t-dialin.net] has joined ##openvpn 19:24 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: jhp, arcsky, |Mike| 19:25 -!- Netsplit over, joins: jhp, |Mike|, arcsky 19:28 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Success] 20:00 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has joined ##openvpn 20:03 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 20:03 < ksnp> how to see the client's log in a system with both the server and client ? 20:05 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 20:32 < Bushmills> client has a config, server has a config. 
each config can specify a log file 20:38 -!- mirco [n=mirco@p54B2717F.dip.t-dialin.net] has quit [Read error: 145 (Connection timed out)] 20:40 -!- mirco [n=mirco@p54B2747F.dip.t-dialin.net] has joined ##openvpn 20:41 < ksnp> is there a way to run two openvpn clients on windows ? one inside the other or simultaneously ? 20:42 < ksnp> Bushmills, is there a way to see the decrypted traffic on the server for use with ngrep etc. ? 21:01 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 21:10 -!- newmember [n=chatzill@adsl-074-169-237-010.sip.bct.bellsouth.net] has quit [Read error: 110 (Connection timed out)] 21:14 -!- master_of_master [i=master_o@p549D4209.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:17 -!- master_of_master [i=master_o@p549D432D.dip.t-dialin.net] has joined ##openvpn 21:25 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 21:46 -!- FluxD [n=FluxD@unaffiliated/fluxd] has joined ##openvpn 21:46 < FluxD> Hi, I have a nic with 2 ips. When I start openvpn will it kill both ips ? 21:50 -!- epaphus [n=unix3@190.241.15.184] has joined ##openvpn 21:53 < theDoc> no. 21:54 < theDoc> why would it? 22:00 < ksnp> is it possible to run openvpn client on top another openvpn client in windows 22:00 < theDoc> why would you do that? 22:03 < ksnp> just want to run that way, and also two parallel openvpn clients for example 22:06 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has joined ##openvpn 22:07 < L|NUX> hello 22:07 < L|NUX> can some one give me an idea how can i do this 22:08 < L|NUX> i want openvpn to authenticate from radius this can be done by using openvpn - mysql module ... now the problem is i do not want my client account to be inactive like if his account got expired then he is able to browse only my website from where they can renew their account ... 22:09 -!- epaphus [n=unix3@190.241.15.184] has quit [Connection timed out] 22:10 < L|NUX> any one have any idea about that ? 
22:17 < FluxD> theDoc, it did on mine 22:17 < theDoc> FluxD> no it doesn't. 22:17 < ksnp> FluxD, do an ifconfig | less (maybe it scrolled up, so you didnt see ;-) ) 22:18 < FluxD> ok checking 22:18 < FluxD> so it kills eth0 only ? 22:20 < FluxD> or what interface does it kill? 22:21 < FluxD> Yup second ip is unpingable for me 22:22 -!- xod [n=onats@112.201.132.36] has joined ##openvpn 22:22 -!- xod is now known as onats 22:22 < onats> !tls-error 22:22 < vpnHelper> onats: Error: "tls-error" is not a valid command. 22:23 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 22:25 < theDoc> FluxD> How do you have it setup? 22:25 < theDoc> virtual interfacing? 22:27 < FluxD> Here let me paste original interfaces file 22:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:38 -!- krackpot- [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 110 (Connection timed out)] 22:51 < FluxD> sorry here you go http://pastebin.ca/1606056 ksnp theDoc 22:53 -!- kreg [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 60 (Operation timed out)] 22:54 -!- kreg [n=bytesabe@208.98.188.95] has joined ##openvpn 22:54 < L|NUX> any one please give me some idea please :( 22:54 < L|NUX> i want openvpn to authenticate from radius this can be done by using openvpn - mysql module ... now the problem is i do not want my client account to be inactive like if his account got expired then he is able to browse only my website from where they can renew their account ... 22:57 < FluxD> sorry no clue :( 22:58 < L|NUX> :( 22:58 < L|NUX> ok 22:59 < FluxD> did you already get it working? 
23:03 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn [] 23:03 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:05 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit [Read error: 104 (Connection reset by peer)] 23:19 < L|NUX> nope --- Day changed Fri Oct 09 2009 00:07 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 00:24 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has quit [Remote closed the connection] 00:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 01:09 -!- hyper_ch [n=hyper@161-118.76-83.cust.bluewin.ch] has joined ##openvpn 01:27 -!- hkais [n=xenoadmi@g226143199.adsl.alicedsl.de] has joined ##openvpn 01:37 -!- dazo|afk is now known as dazo 01:37 -!- dazo [n=dazo@nat/redhat-us/x-qmrtthtfjafueyll] has quit [Remote closed the connection] 01:38 -!- dazo [n=ndazo@nat/redhat/x-qcwbgvecpsbqwfkc] has joined ##openvpn 01:46 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)] 01:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:03 -!- L|NUX [n=linux@unaffiliated/lnux/x-10290] has quit [] 02:27 -!- hkais [n=xenoadmi@g226143199.adsl.alicedsl.de] has quit ["Leaving."] 02:40 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn 03:04 -!- onats [n=onats@112.201.132.36] has quit ["Ex-Chat"] 03:06 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 03:07 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 03:16 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"] 03:18 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 03:20 -!- pistache [n=pist@rps3598.ovh.net] has quit [SendQ exceeded] 03:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:11 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] 
has quit [Read error: 110 (Connection timed out)] 04:12 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 04:14 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 04:22 -!- ranter [n=chatzill@born140.athome233.wau.nl] has joined ##openvpn 04:54 -!- ranter [n=chatzill@born140.athome233.wau.nl] has quit [Read error: 104 (Connection reset by peer)] 04:57 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:01 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 05:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:07 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 05:24 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has joined ##openvpn 05:29 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:40 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 05:41 -!- HJ [n=HJ@host81-130-72-54.in-addr.btopenworld.com] has joined ##openvpn 05:42 < HJ> hi there! 05:43 < HJ> anybody knows if the build-key command (to create client keys) can be run in one line and without any user input? 05:46 < HJ> or if there's an existing tool to generate client keys from, say, a webpage 05:50 -!- fReAkY[t] is now known as freaky[t] 05:52 < Bushmills> HJ: build-key itself doesn't prompt for input. Instead, it calls openssl, prompting is done there. 05:54 -!- dazo is now known as dazo|afk 05:55 < HJ> Bushmills: thanks man, do u know if there's any way of feeding the parameters to the command or something? 05:56 < Bushmills> don't know. on #openssl they might know 05:56 < HJ> ok thanks 05:56 < Bushmills> worst case would be, writing an "expect" script. 
possibly that can be done easier 05:57 < HJ> i'll look into it 05:58 < HJ> i simply don't want to have to generate the key every time someone wants access to my vpn, i'm a lazy bastard :D 06:00 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:01 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 06:06 < Bushmills> uh-oh... "sslsniff is designed to create man-in-the-middle (MITM) attacks for SSL/TLS connections, and dynamically generates certs for the domains that are being accessed on the fly." 06:07 < ecrist> good morning, bitches 06:07 < Bushmills> The new certificates are constructed in a certificate chain that is signed by any certificate that is provided. 06:07 < ecrist> openssl can pull it's data from environment variables 06:08 < HJ> ecrist: won't it be the same all the time though? 06:08 < ecrist> not if you change the environment variables 06:09 < ecrist> man openssl for more information 06:11 -!- rgouveia_ [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 06:15 < rapha> |Mike|: morning :-) 06:15 < |Mike|> hi. 06:15 < |Mike|> morning 06:16 < rapha> running the risk of you still being half-asleep ... did you have a chance to take a look at that last night's pastie? :-) 06:19 < rapha> maar, heeft jij gehad een goede slaap? 
06:22 < |Mike|> euh, let me scroll back up 06:23 < |Mike|> vpn_if="tun0" 06:23 < |Mike|> vpn_network="10.8.0.0/24" 06:24 < |Mike|> nat on $ext_if from $vpn_network to any -> ($ext_if) 06:24 < |Mike|> inbound rules: 06:24 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)] 06:24 < |Mike|> pass in on $ext_if proto udp from any to port 1194 keep state 06:24 < |Mike|> pass quick on $vpn_if 06:25 < |Mike|> that's all you need to add in your pf.conf 06:25 -!- LobbyZ [n=default@94.75.193.5] has joined ##openvpn 06:25 < zamba> i've set up the following: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 06:25 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net) 06:26 < zamba> is it possible to now do firewall for this? 06:26 < zamba> let's say that i only want client with ip 192.168.1.5 from one of the subnets to be able to access the other lans? 06:27 < |Mike|> what OS are you using ? 06:28 < zamba> linux 06:28 < zamba> on all routers 06:29 < |Mike|> what services are running on them near openvpn ? 06:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:31 < rapha> |Mike|: looks like i have everything i need in my pf.conf then ... maybe i have something i need NOT ... can I pastie you the whole pf.conf? 06:32 < |Mike|> sure 06:32 < zamba> |Mike|: huh? 06:32 < zamba> |Mike|: what's that got to do with anything? 06:33 < |Mike|> where you refering to client-to-client zamba ? 
06:33 < zamba> |Mike|: yeah 06:33 < |Mike|> i misread your question lol 06:33 < |Mike|> http://www.nasa.gov/multimedia/nasatv/index.html 06:34 < |Mike|> 20 seconds to impact 06:34 < vpnHelper> Title: NASA - NASA TV (at www.nasa.gov) 06:38 < rapha> |Mike|: i thought it was supposed to take one more hour 06:38 < |Mike|> it's already over 06:39 < rapha> i was actually watching 06:39 < rapha> half-watching that is 06:39 < rapha> one guy stood up 06:39 < rapha> then they shook hands 06:39 < |Mike|> Yep 06:39 < rapha> then another guy grabbed his laptop 06:45 < rapha> |Mike|: http://gaia.2laborate.com/pf.conf - anything in there that would prevent it from working? 06:45 < |Mike|> can you ping your server/clients? 06:45 < rapha> yes 06:46 < rapha> the clients can also resolve internet addresses, but not ping them 06:48 -!- tecchi [n=tecchi@ip-81-210-208-167.unitymediagroup.de] has joined ##openvpn 06:48 < |Mike|> what does openvpn.log tell you? 06:48 < rapha> on the server or the client? 06:49 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn 06:50 < JyZyXEL> where does the windows version try to find keys 06:50 < rapha> hmmm ... i'll pastie both 06:54 < JyZyXEL> where do you place ca.crt, client1.crt, client1.key 06:54 < JyZyXEL> on windows 06:54 < |Mike|> !howto 06:54 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 06:54 < |Mike|> JyZyXEL: ^ 06:55 < |Mike|> rapha: please 06:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 06:55 < JyZyXEL> the damn tutorial didn't say 06:55 < JyZyXEL> The final step in the key generation process is to copy all files to the machines which need them, taking care to copy secret files over a secure channel. 06:55 < JyZyXEL> it doesn't say where to copy them 06:57 < JyZyXEL> so what the fuck? 06:57 < |Mike|> step down sir, read your config imho. 
06:58 < JyZyXEL> the sample config file takes relative paths for the keyfiles 06:58 < JyZyXEL> the only problem is that the damn thing doesn't say to what the paths are relative 07:00 < |Mike|> you can hardcode the paths to the certs aswell.. 07:01 < JyZyXEL> the tutorial completely lacks this part 07:02 < rapha> |Mike|: first the client, http://pastie.org/648219, and here the server: http://pastie.org/648225 07:03 < rapha> JyZyXEL: to the PWD from which openvpn is called 07:03 < |Mike|> Fri Oct 9 13:48:29 2009 WARNING: file '/home/rapha/.ssl/ta.key' is group or others accessible 07:03 < |Mike|> chmod 644 that stuff 07:03 < rapha> JyZyXEL: just put them somewhere you like and give absolute paths 07:03 < rapha> |Mike|: will do, but that's only security relevant, not the problem here, right? 07:03 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:04 < |Mike|> true 07:04 < rapha> "MULTI: bad source address from client [10.0.0.102], packet dropped 07:04 < rapha> ^--- that one looks wierd 07:05 < rapha> also that's the client's normal IP, not the VPN IP 07:06 < rapha> google says that "bad source address" message occurs when you try to access the VPN from machines behind the client. that's not the case for me. I only got this client which is sitting behind a normal home WLAN router 07:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:07 < |Mike|> i had the same issue yesterday @ work 07:07 < rapha> oh 07:07 < rapha> what did you do? :) 07:07 < |Mike|> but that had something to do with ns1 and ns2 07:08 < |Mike|> you're trying to route all traffic from the client(s) trough the openvpn ? 
07:10 < rapha> yes, into the internet 07:11 < |Mike|> Fri Oct 9 13:50:53 2009 ERROR: Linux route add command failed: external program exited with error status: 7 07:11 < |Mike|> Fri Oct 9 13:50:53 2009 Closing TUN/TAP interface 07:11 < |Mike|> Fri Oct 9 13:50:53 2009 /sbin/ifconfig tun0 0.0.0.0 07:11 < |Mike|> SIOCSIFADDR: Permission denied 07:11 < |Mike|> SIOCSIFFLAGS: Permission denied 07:11 < |Mike|> what does ifconfig tun0 say ? 07:12 < rapha> hmm ... says this: http://pastie.org/648239 07:12 < |Mike|> route -n ? 07:14 < rapha> http://pastie.org/648246 07:14 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:15 < rapha> just changed the server to have "route 10.0.0.0 255.255.255.0" and "iroute 10.0.0.0 255.255.255.0" for the client in the ccd and that makes the "bad source address" stuff go away 07:15 < rapha> but now the client says it's got no route 07:15 < rapha> and: Fri Oct 9 14:14:34 2009 WARNING: potential route subnet conflict between local LAN [10.8.0.0/255.255.255.0] and remote VPN [10.8.0.0/255.255.255.0] 07:17 < rapha> oh wait that "got no route" thing was wrong. but now it can't ping the server anymore. 07:18 < rapha> woah! 07:18 < rapha> i think it just started working, but wtf? 07:24 < rapha> aah naaw 07:24 < rapha> the server was offline so the client waited 07:24 < rapha> *sigh* ... i'm still kinda sleepy 07:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 07:28 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 07:29 < |Mike|> rapha: what's the internal subnet for the clients ? 07:29 < rapha> 10.0.0.0 07:29 < rapha> that home wlan router is on 10.0.0.254 and is normally the default gw ofc 07:31 < rapha> i'm gonna try this through UMTS where the client is directly connected to the internet 07:31 -!- HJ [n=HJ@host81-130-72-54.in-addr.btopenworld.com] has quit ["Quick! Kill your client! Bersirc 2.2 is here! 
[ http://www.bersirc.org/ - Open Source IRC ]"] 07:33 < |Mike|> you're creating a conflict between your internal en openvpn subnet :P 07:34 < rapha> but one is 10.0.0.0 the other 10.8.0.0? 07:35 < rapha> gonna try 172.27.27.0 then or something 07:35 < rapha> for the VPN 07:36 < |Mike|> would be a good decision hehe 07:37 -!- tecchi [n=tecchi@ip-81-210-208-167.unitymediagroup.de] has quit [] 07:39 < rapha> pft lol 07:39 < rapha> i tried 172.16.0.0/12 ... then i got Options error: --server directive netmask allows for too many host addresses (subnet must be 255.255.0.0 (/16) or higher) ... rofl 07:42 -!- c64zottel [n=hans@62-12-243-146.pool.cyberlink.ch] has joined ##openvpn 07:42 -!- c64zottel [n=hans@62-12-243-146.pool.cyberlink.ch] has left ##openvpn [] 07:43 < |Mike|> huh 07:43 < |Mike|> did you change your pf config aswell? 07:43 < rapha> oh 07:43 < rapha> good point 07:46 < rapha> no dice :-( 07:49 < rapha> and no error messages at all now, on neither side 07:49 < rapha> what's also wierd is, the SSH session i use to chat with you remains in working state all the time 07:50 < |Mike|> Huh 07:50 < |Mike|> do you have your openvpn client running ? 07:51 < rapha> it works no matter whether the client is running or not 07:51 < rapha> i would think with the route replacement it should drop as soon as i open the client 07:51 < rapha> ofc, the SSH session is on the server that is also supposed to be the openvpn machine 07:53 < |Mike|> did you change the pushed / iroutes aswell? 
07:53 < rapha> yes 07:53 < rapha> (i also tried to disable them since i don't have any machines behind the clients themselves - but that didnt change anything9 07:54 < rapha> interesting: when i disabled the iroutes, for my windows box there was no "bad source address", but whenever here on irc (through ssh from the linux box) there was some activity, then i god a bad source address message in the openvpn lofg 07:55 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:56 -!- newmember [n=chatzill@vpn.libertymedical.com] has joined ##openvpn 07:59 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 08:01 -!- MadTBone [n=MadTBone@mail2.msmnyc.edu] has joined ##openvpn 08:02 -!- MadTBone [n=MadTBone@mail2.msmnyc.edu] has quit [Read error: 60 (Operation timed out)] 08:03 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 08:07 < Optic> moo 08:08 < rapha> foo 08:27 -!- newmember_ [n=chatzill@vpn.libertymedical.com] has joined ##openvpn 08:28 -!- newmember_ [n=chatzill@vpn.libertymedical.com] has quit [Client Quit] 08:29 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: polaru, newmember, buntfalke_, Guest22809 08:30 -!- Netsplit over, joins: buntfalke_ 08:35 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 08:36 -!- t0mm [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 08:39 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has left ##openvpn ["bye."] 08:54 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 08:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 08:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 08:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 08:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 09:02 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"] 09:02 -!- Rolybrau 
[n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:04 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 09:04 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 09:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Client Quit] 09:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Client Quit] 09:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:13 -!- ruotsalainen [n=unknown@69.172.135.243] has joined ##openvpn 09:16 -!- ProgressivPirate [n=Progress@c-98-231-34-82.hsd1.fl.comcast.net] has joined ##openvpn 09:16 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 09:17 < ProgressivPirate> hello. Is it normal for an openvpn server to restart every minute? 09:17 < ProgressivPirate> I'm new to openvn and my log keeps reading Inactivity timeout (--ping-restart), restarting 09:22 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)] 09:23 -!- buntfalke_ is now known as buntfalke 09:27 -!- tecchi [n=tecchi@ip-81-210-208-167.unitymediagroup.de] has joined ##openvpn 09:29 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 09:29 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 09:29 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 09:31 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 09:36 -!- xod [n=onats@112.201.132.36] has joined ##openvpn 09:36 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 09:36 < krzee> ProgressivPirate, no thats not normal 09:36 < krzee> read --keepalive in the manual 09:37 -!- tecchi [n=tecchi@ip-81-210-208-167.unitymediagroup.de] has left ##openvpn [] 09:40 
-!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Client Quit] 09:41 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 09:41 < ProgressivPirate> ok I'm finding briding vs. tunneling very confusing. Here is what my end state. I have 1 laptop that I want to be able to VPN to my home router and be assigned an IP via my home DHCP router. From what I'm reading that sounds like bridging 09:42 < ProgressivPirate> Do I need to use server bridge directive on my server? 09:42 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Client Quit] 09:42 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 09:43 < havoc> ProgressivPirate: it can work either way 09:43 < havoc> I used to do it bridged, but have since switched ot a routed setup 09:44 < ProgressivPirate> "Bridging setups require a special OS-specific tool to bridge a physical ethernet adapter with a virtual TAP style device" 09:44 < havoc> correct 09:44 < ProgressivPirate> Is that line referring to the OS the client is on or the server? 09:44 < ProgressivPirate> my openvpn server is linux. My client will be Mac OS X (freebsd) 09:44 < havoc> server 09:44 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Read error: 145 (Connection timed out)] 09:45 < havoc> ProgressivPirate: what is your router/server? 09:45 < ProgressivPirate> so if I wanted to use briding on the linux box just paste "server-bridge 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254" 09:45 < havoc> ah 09:45 < krzee> ProgressivPirate, you dont need an ip from dhcp 09:45 < ProgressivPirate> in config.opnvpn 09:45 < krzee> !tunortap 09:45 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. 
Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 09:46 < havoc> I just use TAP for everything now 09:46 < krzee> havoc, you're doing it wrong 09:46 < krzee> using tap uses extra overhead and opens you up to remote layer2 attacks 09:46 < ProgressivPirate> ok so I want tun then 09:46 < krzee> ONLY use tap when you have no choice 09:47 < ProgressivPirate> is there any extra config required for tun? other than dev tun 09:47 < havoc> krzee: can a TAP client connect to a TUN iface? 09:47 < krzee> depends on your goal 09:47 < krzee> if you want: 09:47 < krzee> !route 09:47 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:47 < krzee> or 09:47 < krzee> !redirect 09:47 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 09:47 < krzee> then sure 09:48 < krzee> havoc, no, 1 is for tunneling layer2 other for layer3 09:48 < krzee> tap is for layer2, tun is for layer3 09:48 < havoc> krzee: then I'm stuck w/ TAP 09:48 < havoc> unless win32 clients support TUN ifaces now 09:48 < krzee> you use tap when you need a layer2 protocol tunneled 09:48 < krzee> otherwise you use tun 09:48 < krzee> of course win supports tun 09:48 < krzee> always did 09:49 < krzee> the interface itself is CALLED tap 09:49 < havoc> al 09:49 < havoc> ah 09:49 < krzee> but it does tun fine 09:49 < ProgressivPirate> tun requires routes be configured manually? 09:49 < krzee> depends on which routes 09:49 < krzee> what is your goal 09:50 -!- t0mm_ [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [] 09:50 < ProgressivPirate> ugh. This is very confusing. 
I want to setup and VERY simple openvpn prrof of concept using static key authentication 09:50 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has joined ##openvpn 09:50 -!- newmember [n=chatzill@vpn.libertymedical.com] has joined ##openvpn 09:50 < havoc> ah, that's why I had TAP, had to use TAP for bridge 09:51 < havoc> as the bridge was layer2 09:51 < krzee> ProgressivPirate, that is clearly explains in EXAMPLES in the manual 09:51 < havoc> I guess I could change that now 09:51 < krzee> havoc, whyd you need a bridge? 09:51 < ProgressivPirate> I don't care HOW I get there. I just want the easiest config possible, least amount of work. Once I get it working I'll fine tune it 09:51 < krzee> what layer 2 protocol did you run over it? 09:51 < havoc> krzee: looong story, but it's gone now 09:51 < havoc> wasn't my choice, or my setup, just something I "inherited" 09:52 < ProgressivPirate> krzee: My router has a GUI for openvpn and it's a bit misleading. When I select interface type TUN it requests a Local/remote endpoint addresses 09:53 < havoc> krzee: the issue now is getting all the client configs changed to use TUN 09:53 < krzee> openvpn doesnt come with a gui tho, i cant help with your gui 09:53 < havoc> also, can I use named TUN devices? 
09:53 < krzee> but heres working configs 09:53 < krzee> !sample 09:53 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 09:54 < ecrist> twitter sucks balls 09:54 < havoc> I seem to recal; that in order to use multiple named TAP/TUN devs that only TAP was supported on win32 at the time or something 09:54 < ProgressivPirate> ty krzee 09:56 < havoc> yeah, switching from TAP to TUN is gonna be a nightmare 09:56 -!- rapha [i=rapha@unaffiliated/rapha] has quit [Read error: 104 (Connection reset by peer)] 10:01 -!- rapha [i=rapha@static.141.55.40.188.clients.your-server.de] has joined ##openvpn 10:05 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 10:14 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has joined ##openvpn 10:15 -!- t0mm [n=tomm@LMontsouris-156-24-6-35.w80-14.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)] 10:16 -!- rapha [i=rapha@unaffiliated/rapha] has quit ["brb"] 10:16 -!- hkais [n=xenoadmi@p5B2054BA.dip.t-dialin.net] has joined ##openvpn 10:17 -!- t0mm_ [n=tomm@nor75-15-82-67-190-6.fbx.proxad.net] has quit [Client Quit] 10:21 -!- jeiworth [n=jeiworth@189.177.45.33] has joined ##openvpn 10:21 -!- xod is now known as onats 10:24 -!- ProgressivPirate [n=Progress@c-98-231-34-82.hsd1.fl.comcast.net] has quit [Read error: 60 (Operation timed out)] 10:27 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:33 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 10:33 -!- hyper_ch [n=hyper@161-118.76-83.cust.bluewin.ch] has quit [Remote closed the connection] 10:43 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn 11:06 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 11:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 11:19 -!- tiav [n=tiav@fw.sj.tdf-pmm.net] has quit [Remote closed the connection] 11:35 -!- Serideru 
[n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:38 -!- rgouveia_ is now known as rgouveia 11:43 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:47 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has joined ##openvpn 11:49 -!- c64zottel [n=hans@62-12-243-146.pool.cyberlink.ch] has joined ##openvpn 11:58 -!- ttuttle [n=tom@unaffiliated/ttuttle] has joined ##openvpn 11:58 < ttuttle> Hi. 11:59 < ttuttle> I've got a VPN (with certificate auth, using easy-rsa to set it up) that works most of the time, but sometimes the client starts spewing Authenticate/Decrypt packet error: packet HMAC authen 11:59 < ttuttle> ...tication failed. 11:59 < ttuttle> And then I need to restart the VPN on the server, and then it works again. 11:59 < krzee> !hmac 11:59 < vpnHelper> krzee: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 11:59 < ttuttle> Any suggestions? 11:59 < vpnHelper> krzee: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 12:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:00 < krzee> hmac errors are related to that 12:00 < ttuttle> krzee: Well, it works most of the time. It just randomly fails sometimes :P 12:00 < krzee> hmac errors are related to that 12:00 < krzee> just a push to right direction... 12:01 < krzee> \make sure that it can read that file after dropping its permissions if it does drop perms 12:01 < ttuttle> krzee: Ooh, that may be relevant. Gimme a sec. 12:01 < ttuttle> krzee: (I don't recall generating a key for that though.) 
12:02 < ttuttle> Wow, my DNS has just stopped working >.< 12:03 * ttuttle curses dhcpcd and its inability to leave resolv.conf alone. 12:03 < ttuttle> krzee: I never specified tls-auth! 12:04 < ttuttle> krzee: This is quite confusing. 12:05 < ttuttle> Maybe I should go make a key and set it up? 12:08 < ttuttle> krzee: Oh, could I need persist-key on the server, since it drops privileges. 12:09 < ttuttle> krzee: Oh, I'm pretty sure that's it. Thanks for the pointer though. 12:15 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 12:21 -!- brizly [n=brizly_v@p4FC9821C.dip0.t-ipconnect.de] has joined ##openvpn 12:41 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn 12:58 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 13:15 -!- minidev [n=minidev_@p57B4EAFE.dip.t-dialin.net] has joined ##openvpn 13:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 13:19 < minidev> hi there. is it possible to run openvpn as a switch on the internet... so a couple of clients connect to it and openvpn routes the packages? 13:19 < ttuttle> minidev: Yes. 13:20 < ttuttle> minidev: Take a look at the client-to-client option. 13:20 < minidev> ohh, thanks... i've searched in the manuals and in a book i've bought about openvpn, but i didn't find anything 13:20 < ttuttle> minidev: No problem. 13:20 < minidev> ok, on progress..... =) 13:20 < ttuttle> minidev: (I've never actually used that -- I just have one client -- but it sounds like what you want.) 13:21 < krzee> client-to-client just changes how the server routes between clients 13:21 < krzee> with it specified, the pacjkets dont hit the servers kernel, therefore firewall 13:21 < krzee> without it, packets go from openvpn to kernel to openvpn 13:22 < minidev> is the /dev/tun neccessary for this porpose? 
i've rent a linux vserver and /dev/tun is not implemented in the kernel..... 13:22 < krzee> 100% needed 13:22 < krzee> well not in THAT location, but tuntap support must exist 13:23 < krzee> in some its /dev/net/tun 13:24 < minidev> uhh, indeed..... its in /dev/net/... the last time i searchd for it i cound't find it.... thanks a lot =) 13:26 < krzee> np 13:27 -!- c64zotte1 [n=hans@62-12-235-070.pool.cyberlink.ch] has joined ##openvpn 13:33 -!- samba [n=samba@76.104.236.199] has joined ##openvpn 13:34 < samba> hi all - does anyone know of (well-documented) projects where someone has used OpenVPN an in initrd? 13:34 -!- ttuttle [n=tom@unaffiliated/ttuttle] has left ##openvpn [] 13:35 -!- noji [n=noji@sul-lockss-dvargaslap.Stanford.EDU] has joined ##openvpn 13:41 -!- c64zottel [n=hans@62-12-243-146.pool.cyberlink.ch] has quit [Read error: 110 (Connection timed out)] 13:48 -!- noji [n=noji@sul-lockss-dvargaslap.Stanford.EDU] has quit [Read error: 54 (Connection reset by peer)] 14:05 -!- newmember [n=chatzill@vpn.libertymedical.com] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"] 14:06 -!- hkais [n=xenoadmi@p5B2054BA.dip.t-dialin.net] has quit [Read error: 113 (No route to host)] 14:06 -!- hkais1 [n=xenoadmi@g226143199.adsl.alicedsl.de] has joined ##openvpn 14:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: rgouveia, jfkw, xenophile7x7, tarbo2, Serideru, oc80z, LittleJ, Gumbler, HardDisk_WP, thomas, (+5 more, use /NETSPLIT to show all of them) 14:09 -!- Netsplit over, joins: jfkw 14:10 -!- mirco [n=mirco@p54B2747F.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 14:10 -!- brizly [n=brizly_v@p4FC9821C.dip0.t-ipconnect.de] has joined ##openvpn 14:10 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:10 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 14:10 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 14:10 -!- cpm 
[n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 14:10 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 14:10 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 14:10 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 14:10 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 14:10 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 14:10 -!- thomas [i=tm@tm.muc.de] has joined ##openvpn 14:10 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 14:10 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn 14:11 -!- jeiworth [n=jeiworth@189.177.45.33] has joined ##openvpn 14:12 -!- ThoMe [i=tm@tm.muc.de] has joined ##openvpn 14:12 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: Serideru, HardDisk_WP, Gumbler, oc80z, LittleJ, thomas, brizly 14:12 -!- tbic [n=tbic@24-236-204-27.static.aldl.mi.charter.com] has joined ##openvpn 14:12 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 14:12 -!- Netsplit over, joins: HardDisk_WP 14:12 -!- ThoMe is now known as thomas 14:12 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn 14:12 -!- _LittleJ is now known as LittleJ 14:12 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn 14:12 -!- Gumbler_ is now known as Gumbler 14:13 -!- Netsplit over, joins: brizly 14:13 < tbic> I have a router with openvpn running I ping ping the other side of the vpn from the router but not from a computer connected to the router, any ideas? 
14:13 -!- Netsplit over, joins: Serideru 14:20 < Bushmills> tbic: use mtr, traceroute or similar from a computer, connected to the router, see how far (and where through) it gets you 14:24 < tbic> it seems to be hitting my side B 192.168.2.1 and stops from a computer, from the router it goes though 14:37 < tbic> I can ping the router on side A from side B but not the router on side B from side A 14:41 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:43 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:43 < Bushmills> it would be much clearer if you talked of "vpn server" and "vpn client" side, rather than "side A" and "side B" 14:49 < tbic> sorry from the vpn client I can ping the server and a computer connected behind the server. from a computer behind the vpn client I can not the vpn server or the computer behind the vpn server. from the vpn server I cannot ping the vpn client or the computer behind the client 14:51 < Bushmills> "not ... the computer behind the vpn server." did you set up vpn server in any way to allow you to do that? 14:53 < tbic> I think I did. 14:55 < Bushmills> and what did you setup to reach clients behind the server? 14:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:57 < tbic> I'm sorry I don't exaclty understand what you asking 14:58 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 14:58 < Bushmills> after you installed and setup openvpn - which evidently worked - you think you did some setup to allow you to reach clients behind the server. i am asking *what* you did then. 14:59 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 14:59 < xp_prg> hi all, when openvpn starts as a server I need it to add a route, is there some way to do that? 
14:59 < tbic> nothing just verified that the route existed 15:00 < Bushmills> !route 15:00 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:00 < Bushmills> tbic: ^^^^^ 15:01 < Bushmills> xp_prg: you can add route statement to client config, or push "route..." in server config 15:01 < Bushmills> xp_prg: ehm .. "when starts as server" . not when client connects, to client routing table? 15:03 < xp_prg> Bushmills there is one server and multiple clients 15:03 < xp_prg> I know how to pusht he route to the clients 15:04 < xp_prg> what is not clear to me is how to tell the server it needs this route on it 15:06 < Bushmills> xp_prg: does server have a route to its tun interface? 15:07 < xp_prg> here is what I do manually right now on the server: route add -net 10.5.5.0 netmask 255.255.255.0 tun0 15:08 < xp_prg> figured it out 15:09 < Bushmills> check out the --server config statement 15:12 < xp_prg> ok another quick question, I am using dynamic dns, I need openvpn to run a script when the tun0 interface goes up or down 15:12 < xp_prg> do you know a way to do that? 15:13 < Bushmills> client or server? 15:14 < xp_prg> both 15:14 < tbic> Bushmills: the push rout and rout command are in place correctly 15:15 < tbic> route 15:15 < Bushmills> tbic: the problem is probably in what you haven't done, not in what you did. 15:16 < tbic> yeah thats what Itried to figure out 15:16 < tbic> I'm trying to figure out, sorry my keyboard is really messed up 15:17 < Bushmills> xp_prg: on client, check out --script-security and --client-connect 15:18 < Bushmills> !client-connect 15:18 < vpnHelper> Bushmills: Error: "client-connect" is not a valid command. 15:18 < Bushmills> !script-security 15:18 < vpnHelper> Bushmills: Error: "script-security" is not a valid command. 
15:18 < Bushmills> bah
15:18 < Bushmills> !factoids search script-security
15:18 < vpnHelper> Bushmills: No keys matched that query.
15:19 < tbic> !route
15:19 < vpnHelper> tbic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:28 < tbic> I am getting the "bad source packet error" but i can not add an iroute this is on a dd-wrt.
15:32 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
15:53 -!- minidev [n=minidev_@p57B4EAFE.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
16:11 -!- FluxD [n=FluxD@unaffiliated/fluxd] has quit ["Leaving"]
16:13 -!- tbic [n=tbic@24-236-204-27.static.aldl.mi.charter.com] has quit ["Leaving"]
16:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:34 < ecrist> on the prowl for some strange tonight
16:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
16:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 60 (Operation timed out)]
16:41 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
16:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
16:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 60 (Operation timed out)]
17:01 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
17:03 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
17:05 -!- c64zotte1 [n=hans@62-12-235-070.pool.cyberlink.ch] has left ##openvpn []
17:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
17:34 < xp_prg> I am having a hard time figuring out how to configure the client to execute a script after it has connected
17:34 < xp_prg> what is the config to do that?
17:34 -!- Wizzup [n=puzziw@82.92.130.193] has joined ##openvpn
17:41 < xp_prg> I want to use this: --down-pre
17:41 < xp_prg> I don't understand how to use it
18:16 < krzee> !man
18:16 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:16 < krzee> after connected is --up
18:17 < krzee> skip to:
18:17 < krzee> Script Order of Execution
18:18 < krzee> in the manual
18:18 < krzee> then when you think you have the hook you want, go up to its portion of the manpage
18:19 < ksnp> is it possible to run openvpn inside openvpn with windows client ?
18:21 < krzee> openvpn inside openvpn?
18:21 < krzee> its not a virtual environment...
18:23 < ksnp> no
18:23 < ksnp> just windows
18:23 < ksnp> and want to run openvpn inside openvpn
18:23 < ksnp> is there a way to do that ?
18:23 < krzee> i have no clue what you mean by run openvpn inside openvpn
18:23 < ksnp> i suppose vm would allow to do that
18:23 < krzee> openvpn is an application
18:24 < ksnp> basically i vpn from point a to point b, when i vpn using that to point c
18:24 < ksnp> i know that of course
18:24 < krzee> which does not give a virtual environment, so you dont run things inside it
18:24 < krzee> oh
18:24 < krzee> a connect to openvpn over an existing tunnel
18:24 < krzee> sure
18:24 < krzee> the first tunnel must have NAT on the server tho
18:24 < krzee> so you can reach the inet from it
18:25 < krzee> !redirect
18:25 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:25 < krzee> basically that minus redirect-gateway, plus a route to use the vpn to connect to the second tunnels ip
18:25 < krzee> (external ip)
18:26 < krzee> its also possible to chain them
18:26 < krzee> and less packet overhead
18:26 < ksnp> ok, i understand that's how it is supposed to be done, basically i am trying openvpnportable as the client
18:26 < ksnp> can you suggest a client to do it ?
18:26 < krzee> in other words, connect the first's server to the second's, then just connect to first and access second
18:26 < krzee> just openvpn
18:26 < krzee> !download
18:26 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html
18:26 < ksnp> will the usual install of the windows openvpn client allow that ?
18:27 < krzee> any openvpn will allow it
18:27 < ksnp> ok
18:27 < krzee> well i cant speak for modified stuff, never heard of openvpnportable
18:27 < ksnp> i tried the openvpnportable and i think it just allows one instance of it to run
18:27 < krzee> but openvpn itself does
18:27 < ksnp> ok, cool
18:27 < krzee> with windows install you simply toss in 2 .ovpn files i believe
18:27 < ksnp> for windows is it possible to make the openvpn client portable - without having to do any installation ?
18:27 < krzee> (i dont use windows)
18:27 < ksnp> ok
18:27 < krzee> no, must be installed
18:27 < ksnp> was wondering if it makes any registry entries
18:28 < krzee> no idea
18:28 < ksnp> ok
18:28 < krzee> i'd assume it must, it does add a tap adapter
18:28 < ksnp> sourceforge.net/projects/ovpnp/ is where i got the portable version
18:28 < krzee> which btw is just NAMED tqp, you can still use tun
18:28 < krzee> tap
18:30 < ksnp> so windows client allows both tun and tap ?
18:30 < ksnp> server too i assume ?
18:30 < krzee> both on both
18:31 < krzee> and for most stuff, no difference between win and other
18:31 < krzee> any of my configs would work on win with small changes
18:31 < krzee> changes would be not dropping permissions and changing paths to certs
18:34 < ksnp> not dropping permissions ?
18:34 < ksnp> can you elaborate ?
18:35 < krzee> !man
18:35 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:35 < krzee> --user and --group
18:36 < |Mike|> unf unf.
18:37 < xp_prg> krzee but can you give me an example of using it in the config?
18:38 < ksnp> krzee, i have openvpn installed on a linux machine and didn't quite have to play anything with permissions
18:38 < krzee> lol xp_prg
18:38 < krzee> sup mike
18:39 < krzee> ksnp, cool
18:39 < ksnp> so didn't get the permissions comment
18:40 < krzee> i use --user vpn
18:40 < krzee> and --group vpn
18:40 < krzee> to drop permissions from root to user/group vpn
18:40 < |Mike|> krzee: just got home from a business meeting :)
18:40 < krzee> vpn doesnt need superuser access once it has set itself up, so i dont let it keep them
18:41 < krzee> xp_prg, example of --up in config, up /path/to/script
18:41 < xp_prg> cool thanks
18:41 < krzee> be back in a bit guys, gunna pick the girl up from class
18:41 < ksnp> ok
18:41 < ksnp> the user you run the daemon as
18:41 < krzee> ksnp, you must not have read the man, yes
18:55 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
18:57 < ksnp> ok
19:00 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 104 (Connection reset by peer)]
19:00 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
19:10 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 60 (Operation timed out)]
19:12 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
19:17 -!- jeiworth [n=jeiworth@189.177.45.33] has quit [Connection timed out]
19:19 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:25 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Nick collision from services.]
19:25 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
19:26 < PeterFA> I have Openvpn 2.1 and I'm trying to run it as a client, it works great, but it doesn't set $trusted_ip which I really need.
19:27 < |Mike|> !all
19:27 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
19:27 < PeterFA> |Mike|, would you be fine with just the command for the config?
19:28 < |Mike|> y
19:28 < PeterFA> Because I'm running this from command line without a config.
19:28 < PeterFA> And I don't have access to the server configs.
19:28 < PeterFA> openvpn --remote 95.211.4.12 1194 udp --auth-user-pass --client --ca ca.crt --cert client.crt --key client.key --dev tun --topology subnet --ns-cert-type server --nobind --persist-key --persist-tun --tls-client --pull --comp-lzo --verb 3
19:29 < |Mike|> use ldap
19:29 < PeterFA> OpenVPN 2.1_rc13 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 23 2008
19:29 < PeterFA> Linux version 2.6.29-sabayon (root@sabayon) (gcc version 4.3.2 (Gentoo 4.3.2 p1.1) ) #1 SMP Wed Aug 19 22:18:09 UTC 2009
19:30 < PeterFA> Now, the VPN is always successful, I'm just not getting a $trusted_ip.
19:30 < |Mike|> what do you state under trusted_ip ?
19:31 < PeterFA> |Mike|, huh?
19:31 < |Mike|> echo $trusted_ip
19:31 < PeterFA> |Mike|, it's silent.
19:31 < PeterFA> Nothing is set.
19:32 < |Mike|> then i don't get your question.
19:32 < PeterFA> When openvpn is run, it makes the connection and reports success, but echo $trusted_ip won't work.
19:33 < PeterFA> I need to figure out why, because I really need that.
19:33 < PeterFA> It's for my script.
19:33 < |Mike|> wtf is trusted_ip ?
19:33 < PeterFA> |Mike|, according to the manual, it gets set by the client.
19:33 < krzee> env variable
19:34 < PeterFA> krzee, do you know why openvpn would set up a VPN successfully and not set $trusted_ip?
19:36 * PeterFA watches in indignation as the channel suddenly falls silent.
19:37 < |Mike|> leaseweb even, heh.
19:37 < |Mike|> wrong terminal
19:37 < |Mike|> wops
19:38 < krzee> and be sure that it exists in the script you are using
19:38 < krzee> different scripts get diff vars
19:39 < PeterFA> krzee, the manual says that openvpn sets that itself.
19:39 < PeterFA> If I'm running a script then I can access the variables it sets.
19:40 < krzee> different hooks get access to diff vars from ovpn
19:40 < krzee> its all there in the manual
19:44 < PeterFA> krzee, well, this was working and suddenly it's not. What hook is required to get to those variables?
19:45 < krzee> oh, didnt know it was working
19:46 < PeterFA> krzee, it once was, but it's not.
19:46 < PeterFA> It was working last week.
19:47 < krzee> echo out vars to a file
19:47 < krzee> see whats going on
19:47 < PeterFA> Ok.
19:49 -!- the_wiz_kid_89 [n=talmiski@ip68-106-102-156.dc.dc.cox.net] has joined ##openvpn
19:49 < the_wiz_kid_89> yo question: how can i view a web page on a server that i need to ssh into?
19:50 -!- the_wiz_kid_89 [n=talmiski@ip68-106-102-156.dc.dc.cox.net] has quit [Client Quit]
19:51 < |Mike|> stfu
20:05 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
20:08 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:22 < PeterFA> krzee, anyways, an environment dump does not show $trusted_ip.
20:22 < PeterFA> I dumped with env
20:22 < PeterFA> I just need the openvpn client to set the environment variables as it says it does in the manual.
20:23 < PeterFA> If I can't find a reliable way of determining what the trusted IP address is, and figure out that the VPN is running then my script will not be reliable.
21:04 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
21:14 -!- master_of_master [i=master_o@p549D432D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:17 -!- master_of_master [i=master_o@p549D6ABB.dip.t-dialin.net] has joined ##openvpn
21:17 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has quit [Read error: 104 (Connection reset by peer)]
21:18 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
21:30 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:39 -!- hyper__ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn
21:39 -!- hyper_ch [n=hyper@adsl-84-227-223-248.adslplus.ch] has quit [Nick collision from services.]
21:39 -!- hyper__ch is now known as hyper_ch
22:08 -!- hkais [n=xenoadmi@78.52.37.4] has joined ##openvpn
22:24 -!- hkais1 [n=xenoadmi@g226143199.adsl.alicedsl.de] has quit [Read error: 113 (No route to host)]
22:41 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
22:42 < jmp_xinu> is there any documentation on connecting to an openVPN server via ubuntu client?
22:51 -!- RadarG [n=nightwol@112.168.152.222] has joined ##openvpn
22:51 < RadarG> hello all
22:58 < RadarG> Hello everyone. I have my VPN working great but I now have the need to setup a second client. I'm setting up a second server to replace the one that I'm using a private key. The first one is using a static key setup, the server config file is here http://pastebin.com/d3a2e5d00 How can I set this up to allow a second client until I get the new wrt server online?
23:02 -!- jeiworth [n=jeiworth@189.163.182.203] has joined ##openvpn
23:05 -!- RadarG [n=nightwol@112.168.152.222] has quit []
23:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:29 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: epaphus, misterbean, jmp_xinu
23:43 -!- Netsplit over, joins: jmp_xinu
23:47 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:51 -!- hkais [n=xenoadmi@78.52.37.4] has quit [Read error: 145 (Connection timed out)]
--- Day changed Sat Oct 10 2009
00:00 -!- hkais [n=xenoadmi@78.52.37.4] has joined ##openvpn
00:05 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
00:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:20 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
01:08 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: reiffert, havoc, sno, Bushmills, Vito111
01:08 -!- Netsplit over, joins: Vito111
01:10 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
01:10 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
01:12 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
01:22 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn
01:27 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
01:29 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""]
02:31 -!- linagee [n=linagee@about/linux/staff/linagee] has joined ##openvpn
02:32 < linagee> is it possible to open multiple openvpn connections to one server and then somehow "round robin" the routing through the server?
02:41 < reiffert> no.
03:24 -!- c64zottel [n=hans@62-12-235-070.pool.cyberlink.ch] has joined ##openvpn
03:24 -!- c64zottel [n=hans@62-12-235-070.pool.cyberlink.ch] has left ##openvpn []
03:37 -!- neoice [n=neoice@thule.neoice.net] has joined ##openvpn
03:38 < neoice> !redirect
03:38 < vpnHelper> neoice: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
03:38 < neoice> !ipforward
03:38 < vpnHelper> neoice: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
03:38 < neoice> !nat
03:38 < vpnHelper> neoice: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
03:39 < neoice> !linipforward
03:39 < vpnHelper> neoice: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
03:39 < neoice> !linnat
03:39 < vpnHelper> neoice: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
03:45 < neoice> so if my server is running an IPv6 tunnel (like 6to4), I probably need openVPN to run in TAP mode and push an additional route?
03:46 < neoice> I'm guessing this configuration isnt something too many people use
04:16 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has quit ["Leaving"]
04:27 -!- gallatin [n=gallatin@dslb-088-078-165-099.pools.arcor-ip.net] has joined ##OpenVPN
04:52 < reiffert> neoice: there are some bits about 6to4 on the mailinglist IIRC
04:52 < neoice> I saw some scripts. looks like it might be a bit out of my league, at least for how sleep deprived I currently am
04:53 < reiffert> getting some rest?
04:53 < Bushmills> !coffee
04:53 < vpnHelper> Bushmills: Error: "coffee" is not a valid command.
04:53 < Bushmills> blah
04:53 < reiffert> Hi bushmills :)
04:54 < Bushmills> moin moin
05:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
05:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:13 -!- gallatin [n=gallatin@dslb-088-078-165-099.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
05:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
05:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:32 -!- brizly [n=brizly_v@p4FC9821C.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:35 -!- brizly [n=brizly_v@p4FC98B11.dip0.t-ipconnect.de] has joined ##openvpn
07:18 -!- rgouveia_ [n=rgouveia@77.54.89.169] has joined ##openvpn
07:23 -!- rgouveia1 [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn
07:29 -!- rgouveia_ [n=rgouveia@77.54.89.169] has quit [Read error: 145 (Connection timed out)]
07:31 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has quit [Read error: 110 (Connection timed out)]
07:31 < |Mike|> re.
07:59 -!- RadarG [n=nightwol@112.168.152.222] has joined ##openvpn
07:59 < RadarG> hello all
07:59 < ecrist> hello
07:59 < RadarG> hey ecrist
08:00 < RadarG> my wrt openvpn server works great
08:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:01 * ecrist goes away
08:14 -!- RadarG [n=nightwol@112.168.152.222] has quit []
08:23 -!- mirco [n=mirco@p54B27544.dip.t-dialin.net] has joined ##openvpn
08:32 -!- bauruine_ [n=bauruine@133-203.60-188.cust.bluewin.ch] has joined ##openvpn
08:39 -!- bauruine [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 113 (No route to host)]
09:01 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit []
09:01 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn
09:07 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn
09:08 -!- mirco [n=mirco@p54B27544.dip.t-dialin.net] has quit []
09:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:57 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:25 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
11:05 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
12:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
12:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:26 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has joined ##openvpn
13:28 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
13:33 -!- progressivpirate [n=progress@139.62.111.253] has joined ##openvpn
13:34 < progressivpirate> hello. I'm having a bit of trouble getting the simple example on openvpn.net to work
13:34 < progressivpirate> last line of the server reads Sat Oct 10 14:33:12 2009 Initialization Sequence Completed
13:35 < progressivpirate> and last line of the client reads 2009-10-10 14:32:37 UDPv4 link remote:
13:35 < progressivpirate> but my vpn software, tunnelblick says 0 connections active
13:35 < progressivpirate> and I can't ping
13:35 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
13:36 < progressivpirate> server config file http://pastebin.com/m68ceba85 client config http://pastebin.com/m4499a983
13:44 -!- samba [n=samba@76.104.236.199] has joined ##openvpn
13:57 < Bushmills> progressivpirate: do you, after connection attempt, have a tun0 interface on client?
13:58 < progressivpirate> I'll check
13:58 < Bushmills> that's better than guessing
13:58 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""]
13:58 < progressivpirate> ifconfig brings up this http://pastebin.com/m579ac58a
13:59 < progressivpirate> ifconfig on server http://pastebin.com/m6fa04a39
13:59 < Bushmills> twice the same ip addresses ...
13:59 < Bushmills> doesn't seem ok
14:00 < progressivpirate> what does this line on the client mean inet 10.8.0.2 --> 10.8.0.1
14:00 < progressivpirate> the arrow confuses me
14:01 < Bushmills> i had thought that's the p2p address, but i'm guessing as i'm not familiar with that layout.
14:01 < progressivpirate> FWIW this line is in my server config ifconfig 10.8.0.1 10.8.0.2
14:01 < progressivpirate> and this line is in my client config ifconfig 10.8.0.2 10.8.0.1
14:02 < Bushmills> therefore i had expected a different address pair for client
14:06 < progressivpirate> I'm not too familiar with ifconfig but this is the exact command my client is running when it starts up. /sbin/ifconfig tun0 10.8.0.2 10.8.0.1 mtu 1500 netmask 255.255.255.255 up
14:07 < Bushmills> what does your client routing table show?
14:08 < progressivpirate> this is odd. from the server I can ping the client ping 10.8.0.2
14:09 < progressivpirate> ok my firewall was blocking the ping. I can ping both ways now
14:09 < progressivpirate> so I guess it works
14:10 < progressivpirate> so if I want my VPN to have an address in the same subnet as the router I need to be using TAP?
14:10 < progressivpirate> i.e. the router is 192.168.1.1 and the computers are 192.168.1.10x
14:10 < progressivpirate> I want to VPN and get a 192 address
14:10 < Bushmills> ip addresses are assigned to interfaces, not to machines
14:11 < Bushmills> but router is a machine, not an interface
14:12 < progressivpirate> ok well if my tun0 interface is on the same subnet as my en0 interface....will that help connect the local lan and the VPN?
14:12 < Bushmills> !route
14:12 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:13 < Bushmills> also check iroute and client-to-client
14:13 < Bushmills> !tunortap
14:13 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
14:23 -!- progressivpirate [n=progress@139.62.111.253] has quit ["knowledge is power"]
15:04 -!- Cyllene [n=cy@unaffiliated/cyllene] has joined ##openvpn
15:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:25 -!- Cyllene [n=cy@unaffiliated/cyllene] has left ##openvpn []
15:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
15:30 -!- mirco [n=mirco@p54B27544.dip.t-dialin.net] has joined ##openvpn
15:53 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
15:54 -!- naquad [n=naquad@83.143.234.194] has joined ##openvpn
15:54 < naquad> hi
15:54 < naquad> how do i block user?
16:00 < todd_dsm> hey all, I'd like to get into OpenVPN for my company. I could use a little guidance starting out though. If anyone can point me to some specific documentation for my scenario, that would be great. This is what I need to accomplish: http://pastebin.com/d16498d28
16:10 -!- rgouveia1 [n=rgouveia@169.89.54.77.rev.vodafone.pt] has left ##openvpn []
16:24 -!- hyper__ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn
16:24 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit [Nick collision from services.]
16:24 -!- hyper__ch is now known as hyper_ch
16:25 < todd_dsm> Update: http://pastebin.com/d4a53b10b
16:26 -!- VousDeux [n=CroiX@24-236-208-216.dhcp.cdwr.mi.charter.com] has joined ##openvpn
16:28 < VousDeux> Hello, I've been working feverishly for several days at trying to learn how to make OpenVPN work between my DD-WRT router and my Kubuntu desktop. I have it working except for one thing. The push dhcp-options do not seem to be working for me.
16:28 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
16:29 < VousDeux> When I look at my resolv.conf I see dns servers from the ISP, not my private dns servers.
16:30 < VousDeux> I'm trying to use bridge mode.
16:32 < VousDeux> Without the push of the dns and domain, I cannot communicate with active directory efficiently.
16:34 < VousDeux> !howto
16:34 < vpnHelper> VousDeux: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:37 < VousDeux> Yep, already read that one :)
16:39 < VousDeux> !iporder
16:39 < vpnHelper> VousDeux: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:40 < VousDeux> !/30
16:40 < vpnHelper> VousDeux: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
16:41 < VousDeux> !redirect
16:41 < vpnHelper> VousDeux: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:42 < VousDeux> !def1
16:42 < vpnHelper> VousDeux: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:43 < VousDeux> !push
16:43 < vpnHelper> VousDeux: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
16:44 -!- krzee [n=krzee@unaffiliated/krzee] has joined ##openvpn
16:44 < disco-> I'm getting "MULTI: bad source address from client [x.x.x.x], packet dropped", in my OpenVPN server logs, but the client's connection is working fine. It's primarily being used for redirecting all traffic from the client over the VPN
16:44 < disco-> Other clients on the same server aren't producing this message, is this anything to worry about?
16:45 < krzee> that x.x.x.x is very important
16:45 < disco-> :P
16:45 < krzee> the reason you are getting that error is the source address your client is sending traffic as is NOT its vpn ip
16:45 < krzee> common error if trying to route a lan thats behind the client but forgot iroute
16:46 < disco-> ah ok, that's interesting
16:46 < krzee> but ive also seen it pop up on some systems just cause they send traffic over tun interface with inet source ip, no clue why
16:46 < disco-> i'm definitely not trying to route a LAN behind the client
16:46 < krzee> if its second case, its a misconfig somehow in the OS
16:47 < krzee> if its second case and a static ip, feel free to add an iroute for the client and the error will disappear
16:47 < disco-> That wouldn't surprise me actually. I've had two XP clients and they've both produced this at times, none of the Vista clients have
16:47 < krzee> or you could figure out why your src ip when going over tun is not being set to the tun ip
16:47 < krzee> if you do, pls lemme know
16:47 < VousDeux> Can you tell me why my push dhcp option settings don't seem to survive the initialization? I'm trying to push dns and domain, but my resolv.conf shows only dns from isp.
16:47 < krzee> !pushdns
16:47 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
16:48 < krzee> you must use a script to take that option and modify resolv.conf
16:48 < VousDeux> Oh, okay.
16:48 < VousDeux> Thanks.
16:48 < krzee> yw
16:55 < disco-> krzee, I can't work out what I should be doing with iroute. The x.x.x.x IP in the packet dropped message is the same IP address that the client's connecting from (static and public, not NAT'd)
16:56 < disco-> My OpenVPN net is 10.8.1.0/24, should it be "iroute 10.8.1.0 255.255.255.0" in the client's config?
16:56 < disco-> That's what the interwebs seem to suggest anyway
16:58 < krzee> nope
16:58 < krzee> i cant tell you what ip to put cause you keep x.x.x.x'ing it
16:59 < krzee> !iroute
16:59 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
16:59 < krzee> its only needed for that, but your OS is somehow misconfigured and sending packets over tun with wrong source address
17:00 < krzee> so you can quiet that error by using iroute to tell the server to expect and respond to packets from that ip by that client
17:01 < disco-> ah, ok
17:01 < disco-> Think I get it now, thanks for the help :)
17:01 < krzee> yw
17:04 < VousDeux> That worked like a charm and the simplicity was a pleasant surprise :) Thanks again!
17:05 < reiffert> http://www.theneocube.com/
17:28 -!- mirco [n=mirco@p54B27544.dip.t-dialin.net] has quit []
17:36 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: bauruine_, Bushmills, Vito111, master_of_master
17:37 -!- Netsplit over, joins: bauruine_, Bushmills, Vito111, master_of_master
17:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 131 (Connection reset by peer)]
18:00 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
18:16 < krzee> yw
18:23 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
18:45 < |Mike|> krzee: yo
18:46 < krzee> whats up man
18:54 < krzee> im pretty down today
18:55 < krzee> the morons outnumber me by so much
18:55 < |Mike|> i'm drunk lol
19:00 -!- VousDeux [n=CroiX@24-236-208-216.dhcp.cdwr.mi.charter.com] has quit [Read error: 60 (Operation timed out)]
19:37 < krzee> theres so many dumb people out here
19:37 < krzee> they cant even drive right
19:37 < krzee> lol
20:10 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
21:13 -!- master_of_master [i=master_o@p549D6ABB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D4FF1.dip.t-dialin.net] has joined ##openvpn
21:25 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:39 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:06 -!- hkais1 [n=xenoadmi@78.52.185.66] has joined ##openvpn
22:13 -!- hkais [n=xenoadmi@78.52.37.4] has quit [Read error: 145 (Connection timed out)]
23:07 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit ["Quitte"]
23:22 -!- samba [n=samba@76.104.236.199] has joined ##openvpn
23:38 -!- Guest84201 [n=chatzill@117.204.128.55] has joined ##openvpn
23:38 < Guest84201> hi everybody
23:39 < Guest84201> i have a problem connecting to my office network using pptp vpn
23:39 < Guest84201> i can ping the vpn host, but i can't connect
23:39 < Guest84201> any idea what the problem could be?
23:42 -!- Guest84201 [n=chatzill@117.204.128.55] has left ##openvpn []
23:45 -!- ricky87 [n=chatzill@117.204.128.55] has joined ##openvpn
23:45 -!- adurotec [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has joined ##openvpn
23:45 < ricky87> hi everybody
23:45 < ricky87> hi everybody
23:45 < ricky87> i have a problem connecting to my office network using pptp vpn
23:46 < ricky87> i can ping the vpn host, but i can't connect
23:46 < ricky87> any idea what the problem could be?
23:49 < ricky87> please help me on this
23:55 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
--- Day changed Sun Oct 11 2009
00:09 -!- ricky87 [n=chatzill@117.204.128.55] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
02:01 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:02 -!- adurotec [n=davidc@99-128-202-138.lightspeed.okpkil.sbcglobal.net] has quit [Remote closed the connection]
02:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
02:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
02:10 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:42 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: tarbo2, ^scott^, swa_work
02:49 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
02:49 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
02:49 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
02:49 -!- swa_ [n=swa@swatteksystems.com] has joined ##openvpn
02:57 -!- swa_work [n=swa@swatteksystems.com] has quit [Connection timed out]
03:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
03:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:24 -!- hkais1 [n=xenoadmi@78.52.185.66] has left ##openvpn []
05:31 < Bushmills> are you trying to connect openvpn to pptp, or pptp to openvpn?
05:31 < Bushmills> oh well, doesn't really matter, neither way works 05:32 < Bushmills> hm.. maybe i should turn on join/part messages again 05:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:04 -!- hyper__ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn 06:04 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit [Nick collision from services.] 06:04 -!- hyper__ch is now known as hyper_ch 06:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:17 -!- brizly1 [n=brizly_v@p4FC99285.dip0.t-ipconnect.de] has joined ##openvpn 06:31 -!- brizly [n=brizly_v@p4FC98B11.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 07:44 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit [Remote closed the connection] 07:49 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn 09:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 09:28 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 09:50 -!- swa_ [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)] 10:01 < newmember> i am diving down a rat hole here, with openfiler booting to "grub>" after installing on usb 10:07 < |Mike|> huh. 10:07 < newmember> when I install on USB and then boot from USB, the boot process stops at "GRUB>" 10:56 < krzee> sux4u! 10:58 < theDoc> krzee> does the hmac openvpn module actually drop packets which are not having the hmac signature? 11:01 < krzee> yes 11:01 < krzee> thats exactly what it does 11:01 < theDoc> krzee> mmm, doesn't that stop ddos straight in it's tracks? 11:01 < krzee> if the hmac sig doesnt match it does not continue to process the packet 11:01 < theDoc> or if there's no hmac signature even.. 11:01 < krzee> thats the point actually =] 11:01 < theDoc> awesome. 11:01 < theDoc> but can't they blow the server out of the water with more b/w? 11:02 < krzee> 8601 11:02 < theDoc> 8601? 
11:02 < krzee> wrong win 11:04 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has joined ##openvpn 11:05 < Otacon22> i'm trying to set up a little openvpn network, but i've discovered that i can connect from just one client to the server 11:05 < Otacon22> what should i change? 11:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 11:38 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: sno, irrwitzer, IcyPolecat, xp_prg, freaky[t], eliasp, Wizzup 11:38 -!- Netsplit over, joins: eliasp 11:40 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 11:40 -!- Wizzup [n=puzziw@82.92.130.193] has joined ##openvpn 11:40 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 11:40 -!- irrwitzer [n=jjj@62.48.92.115] has joined ##openvpn 11:40 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 11:40 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has joined ##openvpn 11:40 -!- Wizzup [n=puzziw@82.92.130.193] has quit [Client Quit] 11:40 -!- Wizzup [n=puzziw@82.92.130.193] has joined ##openvpn 11:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 11:48 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: sno, IcyPolecat, irrwitzer, xp_prg, freaky[t] 11:49 -!- Wizzup [n=puzziw@82.92.130.193] has quit [Client Quit] 11:50 -!- Netsplit over, joins: sno, xp_prg, irrwitzer, freaky[t], IcyPolecat 11:53 < Bushmills> !route 11:53 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:54 < Bushmills> client-to-client 11:54 -!- Wizzup_ [n=puzziw@82.92.130.193] has joined ##openvpn 11:58 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: sno, IcyPolecat, irrwitzer, xp_prg, freaky[t] 11:58 -!- Netsplit over, joins: irrwitzer 12:00 -!- Netsplit over, joins: sno, IcyPolecat 12:04 -!- xp_prg [n=xp_prg3@99.2.31.217] has 
joined ##openvpn 12:04 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 12:09 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has quit [Read error: 104 (Connection reset by peer)] 12:18 -!- Wizzup [n=puzziw@82.92.130.193] has joined ##openvpn 12:18 -!- Wizzup [n=puzziw@82.92.130.193] has left ##openvpn [] 12:18 -!- Wizzup_ [n=puzziw@82.92.130.193] has left ##openvpn [] 12:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:45 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has joined ##openvpn 13:14 -!- k3asd` [n=k3asd@host-78-15-229-1.cust-adsl.tiscali.it] has joined ##openvpn 13:16 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 13:23 * k3asd` hi at all 13:41 < krzee> hey 13:43 < k3asd`> hi krzee 13:46 -!- EnginA [i=engin@174.133.102.225] has joined ##openvpn 13:54 -!- krackpot [n=krackpot@S0106001310828008.vc.shawcable.net] has left ##openvpn ["Leaving"] 14:16 < krzee> need help with anything? 14:17 < EnginA> me ? 14:18 < krzee> well k3asd` but sure, how bout you? 14:37 < k3asd`> krzee, well 14:37 < k3asd`> i'm italian. excuse me for english :) 14:51 < krzee> no problem =] 15:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 15:57 -!- dergringo [n=dergring@88-183.104-92.cust.bluewin.ch] has left ##openvpn ["Leaving"] 16:12 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""] 16:54 < Otacon22> k3asd`, anche io xD 16:55 < Otacon22> !howto 16:55 < vpnHelper> Otacon22: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 17:13 -!- EnginA [i=engin@174.133.102.225] has quit [Read error: 60 (Operation timed out)] 17:55 -!- bauruine_ [n=bauruine@133-203.60-188.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 18:29 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 18:56 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:56 < Douglas> krzie 19:06 < krzee> douglas 19:07 < krzee> im gunna send ya that month's $ this week, but i want you to keep it off for awhile 19:08 < krzee> cause i dont have $ 19:08 < Douglas> its been off 19:08 < krzee> nor do i actually use the server 19:08 < Douglas> lol 19:08 < Douglas> do you want me to just unrack it entirely? 19:08 < Douglas> sounds like you won't need it any more 19:19 < krzee> does it take any resources from you to leave it racked? 19:20 < krzee> if you need the space cool, but im sure ill have it turned back up in a while 19:20 < krzee> as i told you, i just bought a new condo, all my $ is going to not living in it empty 19:20 < krzee> fridge and stuff 19:30 < krzee> oh that and actually paying for the condo ;) 19:32 < Douglas> i can keep it racked, i got another 30U to put other chassis in right now 19:34 -!- mranderson [n=mranders@213.211.171.66.subscriber.vzavenue.net] has joined ##openvpn 19:34 < krzee> but ya, if it costs you even $1 to leave it racked, feel free to unrack 19:34 < krzee> makes no diff 19:36 < Douglas> doesnt 19:36 < Douglas> my colo provider forgot to bill me 19:36 < Douglas> so right now its free 19:36 < Douglas> LOL 19:45 < mranderson> Can anyone point me to a link on how to split .p12 file into a certificate and key files 19:47 < ecrist> man openssl 19:48 < mranderson> thats what i was hoping for ;) 19:48 < Douglas> oh hit 19:48 < Douglas> shit 19:48 < Douglas> hey eric 19:49 < ecrist> howdy 19:50 < Douglas> how you doin 19:50 < ecrist> good, recovering from a party-hard weekend. 19:50 < Douglas> win 19:51 < Douglas> kill your liver? 
19:51 < ecrist> yeah, we celebrated my birthday this weekend. partied hard (read: whole bottle of jaegermeister) on friday night 19:51 < Douglas> shit 19:51 < Douglas> lol 19:51 < ecrist> then yesterday we went and played paintball all day and moved on to the strip joint 19:52 < ecrist> we paintballed from 12noon to about 8pm and then were at the strip joint from 9pm to around 1am 19:52 < ecrist> *yawn* 19:52 < ecrist> still tired. 19:53 < Douglas> your wife allowed? 19:53 < ecrist> she was the one that planned it 19:53 < ecrist> it was all a surprise to me 19:53 < Douglas> your wife rules 19:53 < ecrist> heh, you don't know half of it. ;) 19:54 < Douglas> i am pretty sure i don't want to 19:54 < Douglas> speaking of mrs crist 19:54 < Douglas> how is she 19:54 < ecrist> fine 19:54 < ecrist> tired as well 19:54 < Douglas> all recovered? 19:54 < ecrist> yeah, has been for a long time 19:54 < Douglas> i havent thought of it 20:11 < krzee> happy bday eric! 20:14 < Douglas> oh hey, i never said that 20:14 < Douglas> happy bday 20:14 < Douglas> lol 20:14 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 20:14 < Douglas> theDoc lieks bois 20:17 < ecrist> thanks krzee 20:18 < ecrist> I'm off to bed. work in the am. 20:18 < ecrist> krzee: if you're around tomorrow, I've some asterisk/freeswitch questions for you 20:18 < ecrist> g'night. 20:19 < krzee> gnite! 20:23 < theDoc> fuck. 20:23 < theDoc> anyone knows why ssh is taking forever to open up the communication channel after this line, debug2: channel 0: open confirm rwindow 0 rmax 32768? 20:23 < Douglas> !notopenvpn 20:23 < vpnHelper> Douglas: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 20:24 < krzee> no idea 20:24 < krzee> tried google? 
20:25 < Douglas> krzee: only happens to my customers 20:25 < Douglas> my customers have the weirdest shit happen 20:26 < theDoc> krzee> google-fu is weak. 20:26 < theDoc> Douglas> this is happening on another server ;p 20:26 < theDoc> not yours specifically 20:27 < Douglas> o 20:28 < Douglas> google-fu is never weak 20:28 < krzee> UseDNS no 20:29 < theDoc> oh hehe 20:29 < theDoc> i found the reason 20:29 < krzee> !google debug2: channel 0: open confirm rwindow 20:29 < vpnHelper> krzee: [Bug 1651] New: Possible race condition using local port ...: ; 'ssh/sshd hang after "debug2: channel 0: open confirm rwindow 0 ...: ; ssh/sshd hang after "debug2: channel 0: open confirm rwindow 0 ...: 20:29 < theDoc> maybe i have a broken router or one that's overheating 20:29 < krzee> http://www.gossamer-threads.com/lists/openssh/dev/42411 20:29 < vpnHelper> Title: ssh/sshd hang after "debug2: channel 0: open confirm rwindow 0 rmax 32768" | OpenSSH | Dev (at www.gossamer-threads.com) 20:29 < krzee> you are prolly connecting from a host without reverse dns set correctly 20:30 < theDoc> krzee> then it's a douglas problem :p 20:30 < krzee> FROM a host 20:30 < theDoc> i'm connecting from his server ;p 20:30 < theDoc> krzee> Yes, that's right. 20:30 < Douglas> theDoc: ok 20:30 < Douglas> what ip are you going out from 20:30 < theDoc> I'm sshed to my other box via douglas's server :p 20:30 < theDoc> Douglas> .166 20:30 < krzee> and does that host have a reverse dns that does not match it's forward? 20:31 < Douglas> 166.59.10.xx.in-addr.arpa domain name pointer cataclysm.xxxxxx.sg. 20:31 < Douglas> dont even try and blame me 20:31 < theDoc> Douglas> kidding man :P 20:31 < krzee> i cant check for you without having the ip 20:31 < theDoc> stop being so touchy today. 20:31 < theDoc> krzee> it matches. 20:31 < Douglas> yeah it does 20:31 < theDoc> i'm going to tinker with it for abit more and see what happens. 
20:31 * Douglas double checked theDoc's failed server admin fu 20:31 < theDoc> :( 20:32 < Douglas> HATE HE.net fmt2 20:32 < Douglas> HATE 20:32 < Douglas> RAGE 20:32 -!- mranderson [n=mranders@213.211.171.66.subscriber.vzavenue.net] has left ##openvpn ["Leaving"] 20:33 < krzee> ya i dunno what it is, but here is likely the wrong place for help with it 20:33 < Douglas> krzee: forum is slowly picking up 20:33 < Douglas> almost 20:33 < krzee> cool 20:33 < Douglas> shit loads of spam though 20:33 < Douglas> http://dougy.hosting.secure-computing.net/awstats/awstats.pl?config=ovpnforum.com 20:33 < vpnHelper> Title: Statistics for ovpnforum.com (2009-10) - main (at dougy.hosting.secure-computing.net) 20:34 < krzee> theres no captcha still? 20:34 < Douglas> captcha is breakable fairly easily, no ? 20:34 < krzee> negative 20:34 < Douglas> to be honest don't even know how to enable 20:35 < krzee> who edited the forum rules 20:35 < krzee> "grep -vE '^#|^;|^$|UDPv4 READ|UDPv4 WRITE|TUN READ' server.conf" 20:35 < krzee> was that you? i highly doubt it was eric 20:35 < Douglas> WTF 20:35 < Douglas> RAGE 20:35 < Douglas> that was not me 20:35 < Douglas> and 20:35 < Douglas> WTF 20:35 < Douglas> krzee 20:35 < Douglas> http://myfeedback.us/ 20:35 < vpnHelper> Title: OpenVPN Forum Index page (at myfeedback.us) 20:35 < Douglas> !!!!!!!!! 20:35 < vpnHelper> Douglas: Error: "!!!!!!!!" is not a valid command. 
20:36 < krzee> dude, calm the fuck down 20:36 < Douglas> hahaha 20:36 * Douglas doesn't like thieves 20:36 * Douglas goes to call their host 20:36 < Douglas> oh 20:36 < Douglas> weak 20:36 < Douglas> its eric's domain 20:36 * Douglas headdesks 20:37 < Douglas> krzee: eric definitely edited that 20:37 < Douglas> i can get the gist of that grep command but i could never come up wit hthat 20:37 < Douglas> with that 20:37 < krzee> and who cares even if someone did mirror it, as long as its still helping people i dont care what domain its on 20:38 < Douglas> i don't like it 20:38 < Douglas> doesnt make google or me happy 20:38 < krzee> if eric added |UDPv4 READ|UDPv4 WRITE|TUN READ to that grep he must have been drunk 20:39 < krzee> since those appear in logs, not configs 20:39 < Douglas> i know matter of factly i did not 20:39 < Douglas> but maybe he was drunk 20:39 < Douglas> append it 20:39 < krzee> append what? 20:39 < Douglas> that grep statement 20:39 < Douglas> to whatever it should be 20:40 < krzee> do you know what append means? 20:40 < Douglas> er, maybe amend is the word 20:40 < Douglas> i havent slept in 3 days 20:40 < Douglas> so 20:40 < Douglas> please forgive me 20:40 < Douglas> lets just go with.. modify.. 
20:40 < krzee> werd 20:40 < Douglas> fix to; attach; "append a charm to the necklace" 20:40 < Douglas> ^ append 20:40 < krzee> append is >> 20:40 < krzee> like add to the end of 20:40 < Douglas> that too 20:41 < krzee> yes, attach and fix to works too, but not just "fix", but rather "fix to" 20:41 < krzee> as in add to 20:41 < Douglas> you're right 20:41 < Douglas> i already admitted i'm wrong 20:41 < krzee> werd 20:41 < Douglas> dude i bought a 20" widescreen acer 20:41 < Douglas> im totally getting rid of my other 20" non widescreen 20:41 < Douglas> it has a 2500:1 contrast ratio 20:41 < Douglas> this one is 10,000:1 20:42 < krzee> i rock a 42" sharp aquos for my monitor 20:42 < Douglas> O.O 20:42 < Douglas> that'd make me insnae 20:42 < Douglas> insane 20:42 < krzee> its fuckin sweet 20:42 < krzee> runnin at 1080p 20:43 < Douglas> win 20:43 < theDoc> hm. 20:43 < theDoc> got the problem 20:43 < theDoc> gssapi 20:46 < krzee> ya it was ecrist 20:46 < Douglas> logs ? 20:46 < krzee> he edited it 14 Sep 2009 17:20 20:46 < Douglas> (meaning did you check them) 20:46 < Douglas> ah 20:46 < Douglas> nice 20:46 < Douglas> told you was not me 20:46 < krzee> i fixed 20:47 < Douglas> win 20:55 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 20:56 < Ziber> I have an unsecure VPN running between two Ubuntu servers, and I would like to add my home computer to it, which runs Windows XP. It wont even try to connect unless I specify the ca, key, and cert files... but there's none of that on the server... 
20:57 < krzee> then you cant do it 20:57 < krzee> those files are required to run a server 20:57 < krzee> without those files you can only use ptp 20:59 < Ziber> When I specify the files on the server, I get "unroutable control packet from " and on the client i get "connection reset by peer" 20:59 < krzee> !logs 20:59 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 21:00 < krzee> hey Douglas where do you guys moderate stuff? 21:01 < Douglas> [ Moderator Control Panel ] 21:01 < Douglas> on index page 21:01 < Douglas> read: http://www.ovpnforum.com/mcp.php?i=main&mode=front 21:01 < vpnHelper> Title: OpenVPN Forum Moderator Control Panel Login (at www.ovpnforum.com) 21:02 < Ziber> http://zpaste.org/174 <-- Client log file, verb to 6. 21:03 < krzee> and server... 21:03 < Ziber> http://zpaste.org/175 <-- server 21:03 < krzee> you generated your cert stuff with the official howto? 
21:03 < Ziber> yes 21:04 < krzee> looks like theres an issue with them, try generating them again 21:04 < Ziber> Alright, that will be my tomorrow project 21:04 * Ziber away 21:06 < Douglas> ok well 21:06 < Douglas> im fuckin toast 21:06 < Douglas> im off to bed 21:06 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 21:07 < krzee> !ssl-admin 21:07 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 21:13 -!- master_of_master [i=master_o@p549D4FF1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:18 -!- master_of_master [i=master_o@p549D4216.dip.t-dialin.net] has joined ##openvpn 21:57 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 21:57 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection] 22:12 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 22:45 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 22:54 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has quit ["bbl"] 23:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 23:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn --- Day changed Mon Oct 12 2009 00:05 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 00:15 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit [Remote closed the connection] 00:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 01:06 -!- hyper_ch [n=hyper@69-154.1-85.cust.bluewin.ch] has joined ##openvpn 01:24 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)] 01:42 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 01:55 -!- jfkw 
[n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 02:03 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)] 02:13 -!- samba [n=samba@76.104.236.199] has joined ##openvpn 02:30 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 02:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 02:50 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""] 02:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 03:25 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 04:09 -!- c64zottel [n=hans@62.12.223.148] has joined ##openvpn 04:10 -!- c64zottel [n=hans@62.12.223.148] has left ##openvpn [] 04:50 -!- dazo|afk is now known as dazo 04:51 -!- dazo [n=ndazo@nat/redhat/x-qcwbgvecpsbqwfkc] has quit [Remote closed the connection] 04:51 -!- dazo [n=nndazo@nat/redhat/x-piuaofqqydwzkxto] has joined ##openvpn 05:06 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)] 05:24 -!- theDoc [n=hex@bb121-6-104-52.singnet.com.sg] has joined ##openvpn 05:27 -!- thedoc_ [n=hex@unaffiliated/thedoc] has joined ##openvpn 05:30 -!- theDoc [n=hex@bb121-6-104-52.singnet.com.sg] has quit [Read error: 60 (Operation timed out)] 06:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 06:31 < ecrist> good morning 06:32 -!- brizly1 [n=brizly_v@p4FC99285.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:34 -!- brizly [n=brizly_v@p4FC982A4.dip0.t-ipconnect.de] has joined ##openvpn 06:39 < |Mike|> morning. 
06:44 < havoc> morning 07:25 -!- dazo [n=nndazo@nat/redhat/x-piuaofqqydwzkxto] has quit [Read error: 104 (Connection reset by peer)] 07:26 -!- dazo [n=nnndazo@nat/redhat/x-wkinkpoalifhnjra] has joined ##openvpn 07:26 -!- dazo is now known as Guest4842 07:30 -!- Guest4842 is now known as dazo 07:31 -!- dazo is now known as Guest84142 07:36 -!- Guest84142 is now known as dazo 07:36 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:36 -!- dazo is now known as Guest42807 07:40 -!- Guest42807 is now known as dazo 07:41 -!- dazo is now known as Guest63874 07:41 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 07:46 -!- Guest63874 is now known as dazo 07:46 -!- dazo is now known as Guest11849 07:50 -!- Guest11849 is now known as dazo 07:51 -!- dazo is now known as Guest79091 07:56 -!- Guest79091 is now known as dazo 07:56 -!- dazo is now known as Guest84010 08:00 -!- Guest84010 is now known as dazo 08:01 -!- dazo is now known as Guest43180 08:04 -!- WormFood [n=wormfood@116.24.207.222] has joined ##openvpn 08:04 < WormFood> port-share feature to allow OpenVPN and an HTTPS server to share TCP port 443. <-- how can they possible call this a feature? 08:05 < WormFood> you won't be sharing that port if the openvpn server is using tcp instead of udp 08:06 -!- Guest43180 is now known as dazo 08:06 -!- dazo is now known as Guest80245 08:08 < |Mike|> for fuck sake Guest80245 :P 08:08 < |Mike|> !howto 08:08 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:08 < Guest80245> |Mike|: sorry! 08:08 < Guest80245> grrr 08:08 < Guest80245> crappy proxy 08:09 -!- Guest80245 is now known as dazo 08:12 < |Mike|> !config 08:12 < vpnHelper> |Mike|: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 
08:12 < |Mike|> !configs 08:12 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:12 < |Mike|> !examples 08:12 < vpnHelper> |Mike|: Error: "examples" is not a valid command. 08:12 < |Mike|> !example 08:12 < vpnHelper> |Mike|: Error: "example" is not a valid command. 08:12 < |Mike|> argh. 08:13 < dazo> !factoids search example 08:13 < vpnHelper> dazo: No keys matched that query. 08:16 -!- blinkiz [n=blinkiz@77.72.96.40] has joined ##openvpn 08:16 < blinkiz> Hi there 08:18 < blinkiz> Am trying to set up vpn server and client with tun. The client can ping the server on this point to point connection but the server can't ping the client. How can I troubleshoot this? 08:18 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 104 (Connection reset by peer)] 08:19 < blinkiz> Am really just using the default config files from the doc folder here on ubuntu 08:27 < blinkiz> Anyone know if it's possible for the server to communicate with the client over a tun setup? 08:29 < blinkiz> okay, I did something wrong. There weren't any errors. Just pinged the wrong ip.. Jisses.. 08:29 -!- blinkiz [n=blinkiz@77.72.96.40] has left ##openvpn ["Leaving"] 08:31 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 08:43 -!- jeiworth [n=jeiworth@189.163.182.203] has quit [Read error: 110 (Connection timed out)] 08:48 -!- aditsu [n=aditsu@n1164942003.netvigator.com] has joined ##openvpn 08:48 < aditsu> hi, I'm having problems with "bad source address from client" from a windows client trying to access a shared folder over vpn 08:49 < aditsu> does anybody know how to set it to use the vpn ip rather than the local one? 08:51 < |Mike|> !tls-auth 08:51 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. 
Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 08:54 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 08:59 -!- c64zottel [n=zestor@62.12.223.148] has joined ##openvpn 09:02 -!- jeiworth [n=jeiworth@189.177.254.91] has joined ##openvpn 09:02 -!- jeiworth [n=jeiworth@189.177.254.91] has quit [Remote closed the connection] 09:07 -!- c64zottel [n=zestor@62.12.223.148] has left ##openvpn [] 09:11 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 09:12 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)] 09:13 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Client Quit] 09:14 < ecrist> krzee: I was not drunk when I added that grep statement. 09:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:20 < Ziber> !route 09:20 < vpnHelper> Ziber: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:47 -!- tjz2 [n=tjz@bb121-7-60-51.singnet.com.sg] has quit ["bbl"] 09:47 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 09:47 -!- dekopolis [n=dekopoli@c-69-138-55-40.hsd1.tn.comcast.net] has joined ##openvpn 09:49 < dekopolis> hi...i'm using openvpn on my pfsense box at work and openvpn on my windows xp box at home to connect to work. 
everything is working fine, but I was wondering if there is a way to change the dns search order on my xp box...I would like it to use the dns server locally first 09:54 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 09:55 < tjz> remove those remote dns 09:55 < tjz> change them to your local dns 09:55 < tjz> i assume you are running the openvpn server 09:55 < tjz> :D 09:55 < dekopolis> yes, openvpn server that runs on freebsd which is what pfsense basically is 09:56 < tjz> in the openvpn server conf 09:56 < tjz> change the dns 09:57 < dekopolis> ok, but the server won't know my local dns server 09:59 < tjz> isnt there a dns option in the openvpn server config? 10:00 < dekopolis> yes 10:00 < dekopolis> and i have that set 10:01 < tjz> set to your local dns already? 10:01 < dekopolis> problem is on my xp box, if i'm connected to the vpn server, then when i browse internet it uses the dns server on my remote network for everything 10:01 < dekopolis> i want it to use the remote dns only as secondary 10:01 < dekopolis> so i'm thinking i need an option in the vpn client config 10:04 -!- hyper_ch [n=hyper@69-154.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:14 -!- chrishuygens [n=Miranda@77-20-111-222-dynip.superkabel.de] has joined ##openvpn 10:15 < chrishuygens> hiho, where can i get some information about the strange subnet-settings openvpn uses? 10:16 < chrishuygens> i mean these 255.255.255.254-masks 10:16 < chrishuygens> i just dont get it :( 10:16 < thedoc_> 254 is a /31 mask. 10:16 < thedoc_> usually used for a point-to-point connection. 
10:17 -!- thedoc_ is now known as theDoc 10:17 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 10:17 < chrishuygens> ok but lets say the server is 10.8.0.1 10:18 < chrishuygens> and the subnet for the clients is a 255.255.255.0 10:18 < chrishuygens> but if i do print route at the client it seems that the routes lead to 10.8.0.5 or something 10:18 < chrishuygens> but not to 10.8.0.1 10:19 < chrishuygens> which would be the server... 10:19 < theDoc> Yes, it assumes a point-to-point setup 10:20 < theDoc> Think of it like sub interfacing on cisco ;p 10:20 < chrishuygens> the problem is i cant ping this 10.8.0.5 though it seems to be the servers ip in this strange p-t-p-connection 10:21 < chrishuygens> i just dont understand why... xD 10:28 < chrishuygens> !/30 10:28 < vpnHelper> chrishuygens: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:30 -!- c64zottel [n=zestor@62.12.223.148] has joined ##openvpn 10:30 -!- c64zottel [n=zestor@62.12.223.148] has quit [Client Quit] 10:46 < ecrist> !/30 10:46 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 10:46 < ecrist> doh, you found it 10:46 < ecrist> chrishuygens: if you use 2.1, you can use topology in your server config 10:46 < ecrist> !topology 10:46 < vpnHelper> ecrist: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 
10:54 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 11:01 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 11:04 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has joined ##openvpn 11:10 -!- W0rmF00d [n=wormfood@58.60.222.184] has joined ##openvpn 11:15 -!- WormFood [n=wormfood@116.24.207.222] has quit [Read error: 60 (Operation timed out)] 11:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)] 11:24 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 11:25 < Dukelord> pls can someone suggest a free openvpn server that is very fast with unlimited bandwidth? Thanks 11:26 < theDoc> Dukelord> I run a vpn service. 11:26 < theDoc> Fast enough and we don't monitor. 11:27 < theDoc> but for free? lol, no thanks. 11:27 < theDoc> Dukelord> b/w, electricity, servers aren't free. 11:27 -!- W0rmF00d is now known as WormFood 11:27 -!- samba [n=samba@76.104.236.199] has joined ##openvpn 11:28 < Dukelord> hey Doc do u know any free one? 11:28 < theDoc> Like I said, no one is going to provision a free openvpn server with fast unlimited b/w. 11:28 < theDoc> Everything costs money. 11:28 < theDoc> You can pay for the service if you do require that kind of service. 11:29 < Dukelord> ok what is ur service about and how much? 11:29 < theDoc> Dukelord> 30usd/mth with no monitoring, throttling. 11:30 < theDoc> 25mbit on that server in a noc that's multihomed. 11:34 < chrishuygens> ok i read the whole /30 thing and now i understand much more of it. But of course theres now another problem occuring: i am able to ping from the client to the server but not the other way around. what could be the matter here? 11:43 < WormFood> chrishuygens, routing issues? 11:49 < chrishuygens> i think routing should be correct, have a look at http://pastebin.com/d19a4b185, may there be any firewall issue? 
11:57 -!- dazo [n=nnndazo@nat/redhat/x-wkinkpoalifhnjra] has quit ["Getting off stoned server - dircproxy 1.2.0"]
12:06 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
12:08 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:12 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 131 (Connection reset by peer)]
12:12 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
12:18 -!- SerajewelKS [n=me@wikipedia/Crazycomputers] has joined ##openvpn
12:18 < SerajewelKS> how much overhead does encryption introduce?
12:19 < SerajewelKS> because i currently have to tunnel my openvpn connection through an ssh tunnel, so i am wondering if i can turn off openvpn encryption, but if it's not going to have much effect i won't bother with it
12:19 < theDoc> Probably not much
12:19 < SerajewelKS> i figured :)
12:20 < chrishuygens> encryption will not increase the size of data, but the calculation time done on it
12:21 < SerajewelKS> yeah and i think my bottleneck is bandwidth, so i guess that wouldn't help
12:21 < SerajewelKS> a 766mhz should be sufficient to saturate my link, even with encryption
12:23 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:29 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
12:30 -!- dazo [n=dazo@nat/redhat-us/x-noejbejdadwnclpv] has joined ##openvpn
12:32 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
12:34 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
12:56 -!- aditsu [n=aditsu@n1164942003.netvigator.com] has left ##openvpn []
13:09 -!- Dukelord [n=brenwill@41.204.234.100] has left ##openvpn []
13:09 < ecrist> this is not, 'Pimp my for-pay VPN service'
13:10 < ecrist> please refrain from such promotions
13:16 -!- bauruine [n=bauruine@188.60.17.124] has joined ##openvpn
13:17 -!- swa_ [n=swa@swatteksystems.com] has joined ##openvpn
13:17 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection]
13:42 -!- dazo is now known as dazo|afk
13:50 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:07 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
14:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:20 -!- MrPocketz [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
14:20 < MrPocketz> word
14:23 < krzee> werd
14:30 -!- swa_ [n=swa@swatteksystems.com] has quit [Read error: 110 (Connection timed out)]
14:39 -!- MrPocketz [n=Jimmy@unaffiliated/mrpockets] has quit [Connection reset by peer]
14:54 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:07 -!- smerz [n=daniel@83.160.155.152] has joined ##openvpn
15:11 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
15:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
15:37 < Otacon22> !howto
15:37 < vpnHelper> Otacon22: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:43 < Otacon22> I can't understand why my openvpn server works with just one client connected, no more..
15:57 < Bushmills> Otacon22: because you're using same common name in all of your certificates
15:57 < Otacon22> Bushmills, i've created a zmo.key and i've copied it on the server and all clients
15:57 < Bushmills> that's another way of saying the same
15:57 < Otacon22> ah
15:58 < Otacon22> Can't i force to work anyway?
15:58 < Bushmills> yes. probably
15:58 < Bushmills> read man page, it is written there somewhere
15:58 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)]
15:58 < Otacon22> ok, thank you
16:03 -!- swa_ [n=swa@swatteksystems.com] has joined ##openvpn
16:26 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
16:26 < ksnp> hi is it possible to open multiple and tcp+udp ports both at same time ?
16:31 -!- chrishuygens [n=Miranda@77-20-111-222-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
16:32 -!- pa [n=pa@unaffiliated/pa] has quit [SendQ exceeded]
16:37 -!- c64zottel [n=zestor@62.12.234.193] has joined ##openvpn
16:43 < krzee> yes and no
16:43 < krzee> in a single process, no
16:43 < krzee> however, feel free to run multiple servers on the same computer as long as they are running on diff sockets
16:44 < krzee> a socket being ip:port/(tcp/udp)
16:58 -!- c64zottel [n=zestor@62.12.234.193] has quit ["Leaving."]
17:03 < ksnp> just saw this, can you tell how to run as multiple processes, right now i use /etc/openvpn and it starts with a reboot, how do i make another process and also start upon reboot ? simply copy /etc/openvpn to /etc/openvpn1 and then somehow add it to the startup at some runlevel ?
17:03 < krzee> depending on how your os's script starts them, it may be as simple as putting another config in the dir you currently use
17:04 < krzee> but whatever it is, it's not ovpn specific
17:05 < krzee> it's just a matter of how the script you are using does it
17:05 < ksnp> i am using debian
17:05 < ksnp> so you are saying another openvpn.conf is enough no need for entire directory ?
17:06 < ksnp> does the openvpn look for all the conf files in the /etc/openvpn/ automatically and run / use them ?
17:06 < krzee> it does not need to be named openvpn.conf
17:06 < krzee> just try making openvpn2.conf or whatever in there
17:07 < krzee> then see if your script looks for all configs in there
17:07 < krzee> openvpn doesn't look for confs ANYWHERE
17:07 < krzee> your script does
17:07 < ksnp> ok
17:09 < SerajewelKS> ksnp: also, look at /etc/defaults/openvpn
17:09 < SerajewelKS> ksnp: on debian, that's where the list of servers to start is. i believe it starts all .conf files it finds by default.
17:10 < ksnp> ok, cool, thanks
17:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:24 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has joined ##openvpn
17:25 -!- pfo [n=PF@srv.gmi.oeaw.ac.at] has joined ##openvpn
17:25 < pfo> anyone in here using the openvpn-auth-ldap plugin with an AD server?
17:25 < pfo> i'm having problems establishing a simple bind
17:32 < krzee> not i
17:33 < krzee> !factoids search directory
17:33 < vpnHelper> krzee: "activedirectory" is http://amigo4life.googlepages.com/openvpn for the guide of how to auth against AD
17:34 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
17:35 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
17:36 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
17:36 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 131 (Connection reset by peer)]
17:36 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
17:41 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
17:42 < pfo> the openvpn service is running on linux
17:44 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
17:45 < reiffert> either use auth pam and have pam auth against your linux PDC or use auth ldap against your linux PDC directly.
17:49 -!- pfo_ [n=PF@chello084114049188.14.vie.surfer.at] has joined ##openvpn
17:49 -!- pfo [n=PF@srv.gmi.oeaw.ac.at] has quit [Read error: 54 (Connection reset by peer)]
17:49 -!- pfo_ is now known as pfo
17:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:58 -!- pfo [n=PF@chello084114049188.14.vie.surfer.at] has left ##openvpn []
18:10 < ksnp> with udp if openvpn loses any packets, does it still work fine ?
18:16 < zamba> sure
18:16 < zamba> it's just like any other packet loss
18:16 < zamba> rarely ever critical, but sometimes very annoysing
18:16 < zamba> annoying*
18:17 < ksnp> ok
18:19 < ksnp> i am looking to run multiple openvpn clients for example on windows, one inside another say, or two independent ones, i am using the openvpn portable (which i think inherently allows only one client instance) - is it possible to do this in windows with the usual openvpn.net client ? in linux ?
18:27 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has joined ##openvpn
18:28 < mikeones> hello, anyway to add clients/generate new certs for a new client without having to regenerate the server cert?
18:31 -!- LobbyZ [n=default@94.75.193.5] has quit ["Free FTW"]
18:31 -!- LobbyZ [n=default@94.75.193.5] has joined ##openvpn
18:46 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
18:47 -!- netbooker [n=chatzill@dhcp-lta-8-58.oakland.resnet.pitt.edu] has joined ##openvpn
19:02 -!- netbooker [n=chatzill@dhcp-lta-8-58.oakland.resnet.pitt.edu] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
19:08 < Bushmills> ksnp, if your vpn traffic consists of tcp, the udp-tunneled tcp connection will notice the loss, and rerequest
19:08 < Bushmills> but tunneling udp over udp might be a bad idea
19:10 < Bushmills> and yes, you can run two openvpn instances, on different ports/protocols
19:14 < ksnp> just saw this, ok, thanks
19:15 < ksnp> mikeones, use CA and have the CA sign all the client certs
19:16 < ksnp> Bushmills, to get it correctly are you saying that you can tunnel udp on top of tcp ?
19:16 < Bushmills> yes. you can setup openvpn to connect client to server using tcp, and tunnel udp traffic through it.
19:17 < Bushmills> (you can also tunnel tcp traffic through it but that doesn't make a lot of sense)
19:17 < ksnp> ok
19:18 < ksnp> what about udp on udp - that would make sense correct ?
19:18 < Bushmills> (unless all you can use to connect to server is tcp)
19:18 < ksnp> ok
19:18 < Bushmills> udp over udp has a higher chance of errors
19:18 < ksnp> compared to udp on tcp ?
19:19 < ksnp> or udp alone itself ?
19:19 < Bushmills> after all, both tunnel as well as payload may lose packets, and udp has no correction facility
19:19 < Bushmills> with udp over tcp, or tcp over udp, either the tunnel, or the tunneled traffic provides error checking
19:20 < ksnp> ya i see that but if a packet is lost, i suppose it's lost for both ? assuming that the one sitting on top doesn't repacketize
19:20 < ksnp> ya see that too, ok
19:20 < ksnp> how do you tell via the conf to do one on top of another ?
19:20 < Bushmills> actually, udp over tcp may lack that, as the tcp tunnel may not be aware of the loss
19:21 < ksnp> but i thought there is no loss since it's on top of tcp
19:21 < Bushmills> well, probably depends on why it was lost
19:21 < ksnp> ok
19:21 < ksnp> how do you tell via the conf to do one on top of another ?
19:21 < Bushmills> proto
19:21 < WormFood> but tunneling udp over udp might be a bad idea <-- why would that be a bad idea? You're thinking of tcp....tcp over tcp is a bad idea
19:22 < krzee> WormFood, he's fully aware of what he's talkin bout ;]
19:22 < Bushmills> WormFood: because if accumulated error probability
19:22 < krzee> and yes, tcp on tcp is a worse idea
19:22 < Bushmills> of
19:22 < WormFood> Bushmills, you got it backwards...tcp over tcp is a bad idea.....anything over udp is no problem
19:23 < krzee> WormFood, neither are a great idea, but if you must do one go with udp over udp
19:23 < krzee> at least you will just have loss and not complete meltdown
19:23 < WormFood> how can udp over udp be a bad idea?
19:23 < krzee> and the inside udp proto shouldn't die from loss
19:23 < Bushmills> if the situation is, udp traffic from A to B not over tunnel, and B to C through udp tunnel, the packet loss chance is higher, as both tunnel and payload may drop packets
19:23 < WormFood> it is not more likely to lose the packet
19:24 < Bushmills> so errors may arise out of openvpn missing packets, or the tunneled traffic missing packets
19:24 < WormFood> it is less likely the os would drop the encapsulated udp packet...it is not more likely to not get the packet
19:25 < WormFood> you're most likely to lose the udp packet over the internet, not over the vpn
19:25 < Bushmills> other possibility could come from packing several shorter packets into larger packets. so if one larger packet is lost, several shorter udp packets are affected,
19:25 < WormFood> once that udp packet gets to the server, and is decrypted, the encapsulated udp packet is less likely to be lost
19:26 < ksnp> btw, the situation is : A to B (over proto1), A to C via B using proto2 (over proto1) proto2 on top of proto1
19:26 < WormFood> and udp over tcp would be no error, since tcp is an end-to-end protocol, and would automagically resend the tcp packet carrying the udp packet
19:27 < krzee> would be no error, but not good for something like voip
19:27 < krzee> can't have retransmissions screwin it up
19:27 < Bushmills> we're talking udp over udp, i thought, and agreed that udp over tcp, or tcp over udp, is *not* a bad idea
19:27 < krzee> something like voip you gotta go udp over udp
19:28 < WormFood> anything over udp is not a bad idea
19:28 < WormFood> udp over udp is not a bad idea...it is not more likely to lose packets
19:28 < WormFood> tcp over tcp is a bad idea
19:29 < Bushmills> (02:25:50) Bushmills: other possibility could come from packing several shorter packets into larger packets. so if one larger packet is lost, several shorter udp packets are affected,
19:29 < WormFood> tcp over tcp is a horrible idea
19:29 < Bushmills> there's no retransmission handshake in udp
19:29 < WormFood> so what?
19:29 < WormFood> that is up to the app
19:29 < WormFood> it is not more likely to lose the packet
19:29 < Bushmills> so by losing one udp packet, you can lose several
19:29 < Bushmills> which may be worse than losing one, without the udp tunnel
19:30 < WormFood> is openvpn putting several udp packets encapsulated into one udp packet
19:30 < WormFood> ?
19:30 < Bushmills> (those packets can be traffic from/to different ports)
19:30 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""]
19:30 < WormFood> that didn't answer my question....does openvpn act that way?
19:31 < Bushmills> i think it does, yes
19:32 < krzee> if the packets are small, ya i believe it would put more inside til mtu stops it
19:33 < krzee> should be configurable tho
19:33 < Bushmills> reduces network overhead, but increases average latency
19:35 < Bushmills> it's my impression that this packing takes place because packet sizes of openvpn packets are not clearly in relation to packet sizes of the tunneled traffic.
19:40 < WormFood> what is the ultimate goal here? voip over vpn?
19:43 < WormFood> http://advantia.ca/weblog/securing-asterisk-voip-with-openvpn for what it is worth
19:43 < vpnHelper> Title: Securing Asterisk VoIP with OpenVPN (at advantia.ca)
19:43 < ksnp> WormFood, yes
19:43 < ksnp> some articles say the vpn improved quality, but i think refer to tcp
19:44 < ksnp> but basically the vpn on top of another vpn could be for any data
19:44 < ksnp> and only single tcp
19:44 < ksnp> not one on top of another
19:44 < WormFood> you want to tunnel one vpn over another vpn? (double encapsulation)
19:44 < ksnp> yes
19:44 < ksnp> say it's for data
19:45 < WormFood> that does not make sense, but I'm sure you have a reason....what is the logic behind vpn over vpn?
19:45 < ksnp> hard to describe, mainly security etc.
19:45 < ksnp> let me ask this
19:45 < ksnp> if it's udp over udp
19:46 < ksnp> it's the protocol that takes care of retransmissions if they are needed correct ?
19:46 < WormFood> udp over udp is not a problem, and not more prone to errors or lost packets.
19:46 < ksnp> ok
19:46 < ksnp> cool
19:46 < WormFood> if it is udp over udp, it probably won't retransmit the udp packet
19:46 < ksnp> how do i tell in the client conf to do one on top of another
19:46 < Bushmills> udp doesn't take care of retransmission
19:46 < ksnp> yes i know, but the protocol will correct ?
19:46 < Bushmills> no
19:47 < WormFood> but you're not more likely to lose a udp packet....it is just as reliable.
19:47 < ksnp> i am sorry, i meant the app layer
19:47 < WormFood> not in voip, it won't correct
19:47 < Bushmills> app layer should.
19:47 < WormFood> voip just lives with the lost packets
19:47 < ksnp> ok
19:47 < WormFood> it depends on the app
19:47 < ksnp> how do i tell in the client conf to do one on top of another
19:47 < ksnp> how do i tell in the client conf to do one on top of another
19:47 < ksnp> :)
19:47 < Bushmills> you don't
19:47 < WormFood> just make your 2nd endpoint inside the tunnel
19:48 < Bushmills> you just route traffic through it
19:48 < ksnp> ok so basically you start the first one, then route traffic thru it and the conf takes care of it automatically, ok makes sense
19:49 < WormFood> client --> vpn server x.x.x.x (routable IP), make network 192.168.0.x --> vpn server 192.168.0.x (non-routable ip), make network 192.168.1.x
19:49 < ksnp> (might have asked this but to confirm) if i want to do it on windows the client installation from openvpn.net should allow running two instances ?
19:49 < WormFood> it should
19:49 < WormFood> maybe not through the gui tho
19:49 < ksnp> ok
19:49 < ksnp> i downloaded the openvpnportable which i find is neat but allows only one instance of the client
19:50 < WormFood> then you'll have to do something about that.
19:50 < ksnp> as far as i can see definitely two instances of the clients have to be run ?
19:50 < ksnp> well, i can go with the install from openvpn.net (haven't tried that), only tried the portable version from another site
19:51 < Bushmills> you'd use two separate config files, and tell each client at start which config file to use
19:51 < Bushmills> otherwise i don't know about the portable version, nor about windows
19:52 < WormFood> windows is no different than Linux
19:52 < WormFood> the GUI for openvpn under winblows just makes it easier
19:52 < WormFood> you may need to manually start each tunnel in the right order
19:52 < WormFood> honestly, I think you're being silly to want to run vpn over vpn, for no reason other than security.
19:54 < ksnp> if i want to manually start each tunnel i can use a cli or something in windows ?
19:54 < krzee> hey Bushmills
19:55 < ksnp> i haven't tried since i wasn't sure if it has a clean uninstall
19:55 < Bushmills> moinmoinhowsitgoingkrzee?
19:55 < krzee> should i be using for i in $(cat input) instead of for i in `cat input` ?
19:55 < krzee> moinmoin!
19:55 < ksnp> WormFood, in case you or anyone tried the windows version just curious
19:55 < Bushmills> yes, $( ) is the preferred way
19:56 < Bushmills> but you can probably avoid the cat .. let's see ...
19:57 < Bushmills> not sure yet what to put behind for i in ... to make it ... ; done < input at the end
19:57 < Bushmills> maybe read i
19:58 < Bushmills> hm no
19:58 < WormFood> I've tested the winblows version....not really used it per se
19:58 < Bushmills> while read i ; do ... ; done < input maybe
19:58 < WormFood> of course, you know, if both vpn endpoints are on the same server, all your security is totally shot
19:59 < WormFood> also, don't forget to adjust the max packet size, as each encapsulated tunnel will need more and more overhead each time it is encapsulated.
20:00 < ksnp> ok, looking for the max packet size
20:01 < ksnp> which parameter is this in the conf file ?
20:04 < ksnp> or how do i adjust it ?
20:06 < krzee> read everything about mtu in man page
20:06 < krzee> !man
20:06 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
20:19 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:26 < ksnp> ok, thanks
20:27 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
20:42 < krzee> Bushmills, know a way to make this work?
20:42 < krzee> for ((NUM=0; NUM <= 4490 ; NUM+10))
20:42 < krzee> the NUM+10 doesn't work out
20:42 < krzee> should i do it the long way instead...?
20:43 < krzee> should go 0,10,20,30
20:43 < Bushmills> for NUM in {0..10} ; do echo $NUM ; done increments by 1.
20:43 < krzee> yup, i love that one
20:43 < Bushmills> to increment by 10, you probably need to do for NUM in $(seq 0 4490 10) ...
20:44 < krzee> ohh right
20:44 < Bushmills> ehm, argument not in right order
20:44 < Bushmills> increment is 2nd arg
20:45 < krzee> seq not found in fbsd
20:45 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 113 (No route to host)]
20:45 -!- [1]ksnp is now known as ksnp
20:45 < krzee> -bash: seq: command not found
20:45 < krzee> i've read about that one on docs via google
20:46 < Bushmills> try for NUM in {0..4490..10} ; do ....
20:47 < Bushmills> for NUM in {0..4490..10} ; do echo $NUM ; done
20:47 < krzee> krzee@hemp:~/bruce> for NUM in {0..4490..10};do echo $NUM ; done
20:47 < krzee> {0..4490..10}
20:47 < Bushmills> hm. bash? what version?
20:48 < Bushmills> (works here)
20:48 < Bushmills> echo $BASH_VERSION
20:48 < krzee> 3.2.39(1)-release
20:49 < Bushmills> 4.0.33(1)-release .. that may make the difference
20:49 < krzee> ahh let's see
20:49 < Bushmills> i can test on a 3.x version machine
20:50 < Bushmills> indeed. on 3.2.39(1)-release it doesn't work
20:51 < Bushmills> seq comes from linux coreutils
20:53 < Bushmills> for ((NUM=0;NUM<=4490;NUM+=10)); do echo $NUM; done
20:53 < Bushmills> works with 3.x
20:54 < Bushmills> hm .. almost identical to the version in your question :D
20:55 < Bushmills> is also compatible with 4.x, so you're safe for now
20:56 < krzee> ahh
20:56 < krzee> that's exactly what i was looking for
20:56 < krzee> +=
20:57 < Bushmills> monadics are a bit buggy in pre 2.05, at least |= or &= are
20:58 < Bushmills> though += should do well even in pre-2.05
20:59 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
21:05 -!- dekopolis [n=dekopoli@c-69-138-55-40.hsd1.tn.comcast.net] has quit ["Leaving"]
21:07 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [" HydraIRC -> http://www.hydrairc.com <- Would you like to know more?"]
21:13 -!- master_of_master [i=master_o@p549D4216.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:17 -!- master_of_master [i=master_o@p549D4249.dip.t-dialin.net] has joined ##openvpn
21:19 -!- Netsplit over, joins: ^scott^
21:19 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: swa_, tarbo2
21:20 -!- Netsplit over, joins: tarbo2
21:38 -!- lampliter [n=chatzill@harvee.org] has joined ##openvpn
21:40 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
21:47 < Bushmills> hehe ... echo {a..z..5}{z..a..-8} -> az ar aj ab fz fr fj fb kz kr kj kb pz pr pj pb uz ur uj ub zz zr zj zb
21:51 -!- hyper_ch [n=hyper@adsl-89-217-178-90.adslplus.ch] has quit [Read error: 54 (Connection reset by peer)]
21:52 < lampliter> trying to share a Windows share across the open VPN connection. Looks like wins is not working with this and Windows 7 clients
21:52 < lampliter> any suggestions?
21:52 < Bushmills> !tunortap
21:52 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
21:52 < Bushmills> !wins
21:52 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
21:53 < lampliter> well actually, I'm running wins on a Windows 2008 server
21:53 < lampliter> the only Linux machine in the network is the open VPN gateway
21:53 < Bushmills> !factoids search WINS
21:53 < vpnHelper> Bushmills: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
21:54 < Bushmills> oh well
21:54 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has joined ##openvpn
22:33 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
22:43 -!- WormFood [n=wormfood@58.60.222.184] has quit [Read error: 60 (Operation timed out)]
22:45 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:46 -!- WormFood [n=wormfood@119.136.224.11] has joined ##openvpn
23:12 -!- WormFood [n=wormfood@119.136.224.11] has quit [Read error: 60 (Operation timed out)]
23:18 -!- WormFood [n=wormfood@119.122.10.10] has joined ##openvpn
23:21 -!- W0rmF00d [n=wormfood@119.122.11.192] has joined ##openvpn
23:21 -!- WormFood [n=wormfood@119.122.10.10] has quit [Nick collision from services.]
23:21 -!- W0rmF00d is now known as WormFood
23:31 < lampliter> DNS lookup is not happening right
23:32 < lampliter> the openvpn DNS address has been pushed into the WiFi interface but it's not being looked at
23:34 < newmember> lampliter: make sure you have "pull" on the client
23:34 < lampliter> as in pull for the DNS address?
23:35 < lampliter> my configuration is exactly the same as the one that works on a different network
23:47 -!- smerz [n=daniel@83.160.155.152] has quit ["Ex-Chat"]
--- Day changed Tue Oct 13 2009
00:07 -!- lampliter [n=chatzill@harvee.org] has quit [Remote closed the connection]
01:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:18 -!- lampliter [n=chatzill@harvee.org] has joined ##openvpn
01:27 -!- bauruine [n=bauruine@188.60.17.124] has quit [Read error: 148 (No route to host)]
01:28 -!- dazo|afk is now known as dazo
01:43 -!- misterbean [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has joined ##openvpn
01:44 -!- misterbean is now known as Guest38785
02:19 -!- kurt_ [n=kurt@astound-69-42-7-19.ca.astound.net] has quit []
02:20 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:45 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
02:46 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has quit [Remote closed the connection]
02:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
02:59 -!- naquad [n=naquad@83.143.234.194] has quit ["Ухожу я от вас (xchat 2.4.5 или старше)"]
03:12 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:47 -!- c64zottel [n=zestor@62.12.234.193] has joined ##openvpn
03:56 -!- hyper_ch [n=hyper@121-156.1-85.cust.bluewin.ch] has joined ##openvpn
03:59 -!- Surge_ [n=psurgeon@apcdns2.autopage.co.za] has joined ##openvpn
04:00 < Surge_> Is there a way to get the openvpn daemon to run the client-disconnect script when the openvpn daemon is shutdown?
04:01 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit ["Verlassend"]
04:02 -!- c64zottel [n=zestor@62.12.234.193] has left ##openvpn []
04:03 < Surge_> The problem I have is that I'm logging the client connections to the server into a database and whenever the server daemon is terminated it leaves "open" connections in the database and also loses the data usage.
04:04 < Surge_> client-connect runs but client-disconnect doesn't run when the server is shut down
04:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
04:29 < |Mike|> i'll come back to that question after lunch.
04:29 -!- bauruine [n=bauruine@95.152.113.188] has joined ##openvpn
05:17 < dazo> Surge_: there is a shutdown state for the --plugin interface, I know that for sure ... but not sure if startup and shutdown states are available via the script interfaces
05:18 < dazo> Surge_: have you tried to do it via --down?
05:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 104 (Connection reset by peer)]
05:26 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:31 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
05:32 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has joined ##openvpn
05:35 < Surge_> dazo: --down runs after the tap/tun device is brought down. --pre-down happens before but I'd need access to all the client connection variables.
05:36 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
05:37 < Surge_> I need access to "bytes_sent" and "bytes_received" for each connection.
05:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:38 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn
05:39 < Surge_> Maybe if I use the telnet admin interface and kill all the connections before the VPN goes down it will work. Not sure if the admin interface is still up when --pre-down runs.
05:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:39 < reiffert> Surge_: you'll get it from the status file.
05:42 < Surge_> reiffert: I thought of that - bit of a nasty hack though. Would just be nice if openvpn called client-disconnect for all the connections when it's shutting down.
05:43 -!- sigius [n=sigius@93.125.185.45] has quit [Remote closed the connection]
05:43 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn
06:17 -!- brizly1 [n=brizly_v@p4FC982BA.dip0.t-ipconnect.de] has joined ##openvpn
06:23 < dazo> Surge_: then the cleanest way is probably to write a little plug-in in C .... I pick out all that information in one of my projects that way
06:25 < dazo> Surge_: http://eurephia.git.sourceforge.net/git/gitweb.cgi?p=eurephia/eurephia.git;a=blob;f=plugin/eurephia-auth.c;h=81a9d100f4441f4aba7e61d94a78961ff37962cb;hb=5501786363987737509c2306a9eba9af8d881817 .... If you look at the openvpn_plugin_handle_t openvpn_plugin_open_v1() and openvpn_plugin_func_v1() functions, you'll get an idea .... it's really not that complex at all
06:25 < vpnHelper> Title: SourceForge - eurephia/eurephia.git/blob - plugin/eurephia-auth.c (at eurephia.git.sourceforge.net)
06:26 < Surge_> Ta
06:31 -!- brizly [n=brizly_v@p4FC982A4.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:34 -!- Dukelord [n=brenwill@69.10.59.165] has joined ##openvpn
06:34 < Dukelord> help with tls error
06:57 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn
06:58 < Oreva> pls i need help with tls error
06:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
07:01 < ecrist> good morning
07:03 -!- Oreva [n=brenwill@41.204.234.100] has quit [Read error: 54 (Connection reset by peer)]
07:05 -!- Oreva [n=brenwill@69.10.59.163] has joined ##openvpn
07:06 < Oreva> g'murnin
07:16 -!- Oreva [n=brenwill@69.10.59.163] has left ##openvpn []
07:17 -!- Dukelord [n=brenwill@69.10.59.165] has quit [Read error: 110 (Connection timed out)]
07:30 -!- bauruine [n=bauruine@95.152.113.188] has quit [Read error: 145 (Connection timed out)]
07:33 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection]
07:39 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has joined ##openvpn
07:59 < lampliter> morning
08:00 < lampliter> I'm having a real unpleasant time trying to access a Windows share (on a real, for live, Windows server) over an open VPN connection
08:01 < lampliter> XP works without a problem
08:01 < lampliter> vista and Windows 7 not so much. I can't even see the packets from these machines on the far end of the VPN
08:02 < ecrist> *cough* firewall *cough*
08:02 < lampliter> I'm also having DNS problems with these machines but I'm working around that using hosts
08:02 < lampliter> I turned it off. I swear I turned it off
08:02 < lampliter> doesn't mean it listens to me but I told it to
08:03 < reiffert> so after all it's a windows problem.
08:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
08:06 < lampliter> I'm not convinced but I'm willing to be. Let me check it yet again and see if something magic turned the firewall back on
08:09 -!- pa_ [n=pa@host163-6-dynamic.58-82-r.retail.telecomitalia.it] has joined ##openvpn
08:10 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:10 < reiffert> I merely think about windows itself, rather than anything in particular like a firewall or a broken nameservice, a caching local nameservice etc.
08:13 < lampliter> Nope, turned off the firewall and still no work
08:14 < lampliter> let me do a sanity check and turn on a file share locally and see if I can access that through loopback
08:16 -!- pa_ is now known as pa
08:18 -!- lampliter [n=chatzill@harvee.org] has quit [Remote closed the connection]
08:29 -!- Dukelord [n=brenwill@69.10.59.163] has joined ##openvpn
08:31 < Dukelord> pls i need help, openvpn won't connect on mobile ISP, tls error
08:34 < ecrist> we're gonna need more than that
08:38 -!- irrwitzer [n=jjj@62.48.92.115] has quit [Read error: 110 (Connection timed out)]
08:43 < Dukelord> !configs
08:44 < vpnHelper> Dukelord: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:44 < ecrist> !logs would help, as well
08:44 < vpnHelper> ecrist: Error: "logs" is not a valid command.
08:46 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
08:47 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
08:52 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:54 < reiffert> !logs
08:54 < vpnHelper> reiffert: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:58 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
09:03 -!- Dukelord [n=brenwill@69.10.59.163] has quit [Excess Flood]
09:03 -!- Dukelord [n=brenwill@69.10.59.163] has joined ##openvpn
09:14 -!- Surge_ [n=psurgeon@apcdns2.autopage.co.za] has quit [Remote closed the connection]
09:15 -!- Dukelord [n=brenwill@69.10.59.163] has quit []
09:19 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection]
09:20 -!- kyrix [n=ashley@80.109.56.248] has joined ##openvpn
09:20 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
09:24 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
09:39 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:46 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
09:47 -!- samba [n=samba@76.104.236.199] has joined ##openvpn
09:48 < Dukelord> http://pastebay.com/60903....someone pls help
09:49 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has left ##openvpn ["bye."]
09:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:00 < theDoc> Dukelord> You have problems reaching the server?
10:02 < theDoc> Dukelord> Looks like you have a slight problem reaching the server, do you have any firewalls dropping the packet?
10:03 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:09 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:20 -!- theDoc_ [n=hex@unaffiliated/thedoc] has joined ##openvpn
10:23 -!- theDoc_ [n=hex@unaffiliated/thedoc] has quit [Client Quit]
10:24 -!- Dukelord [n=brenwill@41.204.234.100] has quit []
10:24 -!- thedoc_ [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
10:25 -!- thedoc_ is now known as theDoc
10:27 < theDoc> Ouch, tunneling over tcp is ridiculous.
10:30 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 10:30 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 10:32 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 10:36 -!- Dukelord [n=brenwill@41.204.234.100] has quit [] 10:37 -!- Dukelord [n=brenwill@69.10.59.163] has joined ##openvpn 10:39 -!- hyper_ch [n=hyper@121-156.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:40 < ecrist> Dukelord: looks like you've got a problem getting through. 10:41 < theDoc> ecrist> i got it fixed for him. changed the box proto to tcp. 10:49 -!- dazo is now known as dazo|afk 10:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 10:50 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn 10:50 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:54 -!- Oreva [n=brenwill@41.204.234.100] has quit [Read error: 54 (Connection reset by peer)] 10:57 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:58 < theDoc> reconnecting. 10:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 11:00 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn 11:02 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 11:02 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection] 11:03 -!- Oreva [n=brenwill@41.204.234.100] has quit [Client Quit] 11:03 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn 11:06 < |Mike|> who was msg'ing me ? 11:06 < |Mike|> Dukelord: don't msg me 11:08 < Oreva> i wonder what is the point if someone can't ask for help around here 11:08 < |Mike|> !all 11:08 < |Mike|> we need 'all' of that :) 11:08 < |Mike|> hm, bot == fail? 
11:09 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 11:09 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 11:09 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has joined ##openvpn 11:09 -!- bauruine [n=bauruine@232-145.104-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 11:09 -!- k3asd` [n=k3asd@host-78-15-229-1.cust-adsl.tiscali.it] has quit ["Sto andando via"] 11:16 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 11:17 -!- Dukelord [n=brenwill@69.10.59.163] has quit [Read error: 110 (Connection timed out)] 11:17 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Remote closed the connection] 11:19 -!- hkais [n=xenoadmi@ip-109-85-124-157.web.vodafone.de] has joined ##openvpn 11:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 11:20 < hkais> hello all 11:21 < hkais> is it possible to setup openvpn to always provide fixed IPs to defined clients? 11:22 < hkais> e.g. I have a config where routers connect to each other. here it would be fine to have always the same IP 11:22 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn 11:24 < phusion> hey guys. i'm having troubles with my openvpn client disconnecting from the server and because of a touchy route setup it's causing me problems. can anyone point me in the right direction for configuration options pertaining to keeping a connection alive? 
11:25 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 11:27 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)] 11:30 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn 11:31 < hkais> phusion: hi 11:32 < phusion> hey, sorry about that 11:32 < hkais> phusion: 11:32 < hkais> resolv-retry infinite 11:32 < hkais> persist-key 11:32 < hkais> persist-tun 11:32 < phusion> ahh ok.. i had tried using the keepalive option 11:32 < phusion> i imagine what was happening was i had the timeout set too low so it was disconnecting 11:33 -!- k3asd [n=k3asd@2001:5c0:1400:a:0:0:0:393] has joined ##openvpn 11:33 -!- k3asd is now known as k3asd` 11:33 < hkais> I assume you use the tun interface? 11:34 < phusion> tap 11:34 < phusion> the scenario is its basically a paid vpn service that i connect to to obtain an additional interface on my box to use for whatever 11:34 < phusion> so i dont have access to the server config 11:34 < hkais> not sure if persist-tun will work then 11:35 < hkais> I think you got an IP-forwarding for dyn IPs? 11:35 < phusion> its a static ip that i'm given 11:39 < phusion> seems there's a persist-tap option too? 11:44 -!- thedoc_ [n=hex@bb121-7-165-11.singnet.com.sg] has joined ##openvpn 11:46 -!- vingian [n=mustafa@66.93.6.130] has joined ##openvpn 11:46 < vingian> does anyone here know if we can use OpenVPN to connect to Kerio VPN? 11:50 -!- Oreva [n=brenwill@41.204.234.100] has quit [] 11:51 < vingian> anyone? 11:52 -!- Dukelord [n=brenwill@vpn1.edgewire.sg] has joined ##openvpn 11:52 < hkais> vingian: I think not. (not sure) kerio has afaik its own impl of a VPN 11:53 < vingian> i checked the kerio website and it seems they use a combination of SSL and Blowfish 11:53 < hkais> how can I configure openvpn to provide fixed IPs to some clients? 11:53 < vingian> i think i read somewhere that OpenVPN also uses ssl 11:55 < hkais> vingian: sure many vpns work with ssl/tls. 
but the protocol in between ssl/tls must be compatible 11:56 < vingian> hkais: yes, true... 11:57 < vingian> hkais: I am a contractor, and different clients have different vpn software 11:57 < hkais> okay I haven't got it 11:57 < hkais> what is the problem right now if you are the contractor? 11:57 < vingian> hkais: and i guess i was just looking for a single client that could communicate with 'em all. I don't want to keep adding/removing/updating different vpn clients 11:58 < hkais> ahh okay you have to connect to different sites as a vpn-client? 11:58 < vingian> yup 11:58 < vingian> i already have vpnc for Cisco, and configuring that was... "fun" 11:59 < vingian> now i need to connect to two more sites, one uses sonicwall and the other uses kerio 11:59 < hkais> vingian: yes cisco is really funny ;-) 11:59 < vingian> so you can imagine the amount of effort i would have to put in just so that i can telecommute to work... 12:00 < vingian> might as well drive there and save me the trouble :P 12:00 < hkais> vingian: if you find a solution for all vpns please post it on the ML of openvpn. I am personally very interested. But I think you will have to install all the odd and available vpn-clients 12:00 < vingian> hkais: thats the beauty of it... you'd think that all these VPN guys would figure out a way for Interop and follow some standard 12:01 < hkais> sure. But your companies should provide you the needed setups... That is how I work if I am under contract 12:01 < vingian> but no - i guess each vpn vendor suffers from N.I.H syndrome... :( 12:01 < hkais> vingian: yes (okay nearly) if you use ipsec ;-) 12:01 < hkais> NIH? 12:01 < vingian> lol!!!! their setup says: Use WinXP.... 12:01 < vingian> Not Invented Here 12:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:02 < hkais> for this I have a beautiful emulated windows xp in a vmware/virtual box... give it some memory and the world is fine 12:04 < vingian> yeh... 
but then how do you use your lin tools? 12:04 < vingian> i wouldn't mind doing that... 12:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:08 -!- vingian [n=mustafa@66.93.6.130] has quit ["Lost terminal"] 12:08 -!- kyrix [n=ashley@80.109.56.248] has quit ["Leaving"] 12:09 -!- Oreva [n=brenwill@vpn1.edgewire.sg] has joined ##openvpn 12:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:12 -!- vingian [n=mustafa@66.93.6.130] has joined ##openvpn 12:12 < vingian> great - my X just had a sigseg 12:13 -!- thedoc_ [n=hex@bb121-7-165-11.singnet.com.sg] has quit ["Leaving"] 12:16 < SerajewelKS> vingian: i have routed linux network traffic through a windows xp virtual machine before... and vice-versa 12:17 < SerajewelKS> it's not too hard 12:17 < vingian> SerajewelKS: care to share the tip? 12:17 < SerajewelKS> the guest OS needs two interfaces on the host 12:18 < SerajewelKS> one for internet access (where it will contact the vpn server) and one that you have configured on the host to handle the vpn routes you need 12:18 < SerajewelKS> then you have to tinker with the windows firewall to turn on masquerading and stuff. it helps if you have a windows server os :) 12:18 < vingian> hmmm... 12:19 < vingian> but then the win server os is going to be blocking a lot of precious memory... 12:19 < vingian> right? 12:19 < SerajewelKS> well, sure 12:19 < vingian> :) 12:19 < SerajewelKS> depending on how your vmm manages memory anyway 12:19 < vingian> no one said it'd be easy eh? :) 12:19 < SerajewelKS> you should be able to do that with 256mb allocated to windows though 12:19 < SerajewelKS> once the darn thing boots it'll be fast enough to do what you want 12:20 < vingian> hmmm... don't run anything on the windows box except the vpn clients... 
12:20 < SerajewelKS> right :) 12:20 < SerajewelKS> if you have 3+ gb of ram though, you can throw 512 at it if you want 12:20 < SerajewelKS> a lot of ram for a glorified vpn client, but meh 12:20 < vingian> i did think about it - but never got around to do it coz i wasn't sure... i guess knowing some one else has done it encourages me to try it 12:20 < SerajewelKS> you can also get a crap box out of the trash, throw xp on it, and route through it instead :) 12:21 < hkais> vingian: sorry was afk. I do the same as SerajewelKS 12:21 < vingian> i wish... its a laptop i have... and with two slots for memory i only have 2 gigs 12:21 < vingian> :( 12:21 < SerajewelKS> ah 12:21 < SerajewelKS> well 2gb is enough to run a vm and linux 12:21 < SerajewelKS> depending on what you're doing with linux, anyway 12:21 < hkais> SerajewelKS: yes more than enough 12:22 < vingian> thats why i actually have lin actually 12:22 < hkais> I give my dummy XP only 256MB. For a router it is too much ;-) 12:22 < vingian> but now if i gotta run win again... 12:22 < hkais> how can I configure openvpn to provide fixed IPs to some clients? 12:22 -!- bauruine [n=bauruine@85.4.10.66] has joined ##openvpn 12:22 < vingian> but i guess you guys are right... use win as a router... 12:22 < vingian> kinda ironic innit? 12:24 < SerajewelKS> indeed 12:25 < hkais> and is there a way to setup a openvpn failover config? I have a config running with one server, but now I want to configure a failover route in the same network. How can I define it with openvpn? I have currently a ccd iroute set. If I setup the iroute for the failover-connection i get errors, that the openvpn-server tries to determine the proper IPs. Additionally openvpn-server drops the connection to the standard-vpn-connection 12:25 -!- bauruine [n=bauruine@85.4.10.66] has quit [Client Quit] 12:25 < hkais> vingian: life is ironic ;-) 12:26 < vingian> hkais: well, good luck in your quest... 
i wish i could help but i am obviously new to openvpn :) 12:28 -!- Dukelord [n=brenwill@vpn1.edgewire.sg] has quit [Read error: 110 (Connection timed out)] 12:29 < ecrist> hkais: that is covered in the FAQ and howto 12:29 < ecrist> !static 12:29 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 12:30 < hkais> ecrist: does the dhcp of openvpn filter out the static defined IPs to avoid duplicate IPs on the net? 12:30 < hkais> !iporder 12:30 < vpnHelper> hkais: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 12:31 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 12:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:33 < hkais> ecrist: do you have an idea how to solve the requirement to setup a failover-vpn-connection? The client side uses a iroute 192.168.50.0 255.255.255.0. So I need a second failover connection which also needs the iroute. But if I try this my connection gets dropped immediately 12:33 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has quit [Read error: 110 (Connection timed out)] 12:34 < hkais> ecrist: thanks for the ref to fixed IPs. I have configured something wrong right now... 12:34 < ecrist> fix that, then see what else is broken. 
12:36 < Optic> hihihi 12:37 -!- Guest38785 [n=misterbe@cable-89-216-136-230.dynamic.sbb.rs] has quit [Read error: 110 (Connection timed out)] 12:40 -!- Oreva [n=brenwill@vpn1.edgewire.sg] has quit [Read error: 110 (Connection timed out)] 12:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 12:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 12:59 < hkais> ecrist: the fixed IP is not the problem. This is a feature which helps me. The problem is the iroute setup for a failover connection 13:06 -!- Krampus [i=krampus@ozzle.org] has joined ##openvpn 13:06 < Krampus> Is there any solution to wanting to connect an iPhone to OpenVPN yet? 13:08 < hkais> Krampus: good question. would also like to know that. 13:08 < hkais> afaik: iPhone is a jail, apps are not easy to port there. 13:09 < hkais> typical apple. a golden cage... 13:10 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 13:10 < theDoc> god, openvpn over tcp is terrible. 13:11 < Krampus> hkais: yeah i figured. I'm trying to get exchange mail to work without having to open a bunch of ports. :) 13:11 < Optic> sometimes, with crappy nat action, it's the only way :) 13:12 < hkais> Krampus: I am also seeking such a solution. I have a little different requirement, but similar :( 13:17 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 13:26 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."] 13:27 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 13:30 < ecrist> !tcp 13:30 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 13:30 < Optic> hihi 13:36 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 13:43 -!- hkais [n=xenoadmi@ip-109-85-124-157.web.vodafone.de] has quit [Read error: 110 (Connection timed out)] 13:44 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn 13:45 < UomO_BongA> !howto 13:45 < vpnHelper> UomO_BongA: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:46 < UomO_BongA> !topology 13:46 < vpnHelper> UomO_BongA: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 14:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 14:27 -!- bauruine [n=bauruine@124-17.60-188.cust.bluewin.ch] has joined ##openvpn 14:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out] 14:38 -!- hkais [n=xenoadmi@g226143077.adsl.alicedsl.de] has joined ##openvpn 15:01 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 15:02 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 15:03 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn 15:21 -!- UomO_BongA [n=rafa@186.18.133.31] has quit ["Ex-Chat"] 15:25 -!- kevinh_ [n=khowerto@67.23.38.101] has joined ##openvpn 15:26 -!- freedev [n=Unknown@AMontsouris-756-1-32-150.w92-128.abo.wanadoo.fr] has joined ##openvpn 15:26 < freedev> hey 15:33 -!- kevinh [n=khowerto@4.58.0.2] has quit [Read error: 110 (Connection timed out)] 15:33 -!- kevinh_ is now known as kevinh 15:40 -!- kevinh_ [n=khowerto@4.58.0.2] has joined ##openvpn 15:56 -!- kevinh [n=khowerto@67.23.38.101] has quit [Read error: 110 (Connection timed out)] 15:56 -!- kevinh_ is now known as kevinh 16:01 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 
16:06 -!- freedev [n=Unknown@AMontsouris-756-1-32-150.w92-128.abo.wanadoo.fr] has quit [Remote closed the connection] 16:09 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 16:10 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 60 (Operation timed out)] 16:16 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 16:36 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 16:39 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 16:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:51 -!- epaphus [n=unix3@190.10.68.227] has quit ["Leaving"] 16:51 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 17:08 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 17:08 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has left ##openvpn [] 17:16 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit] 17:26 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 60 (Operation timed out)] 17:26 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 17:41 < vingian> intraintr/window close 17:41 -!- vingian [n=mustafa@66.93.6.130] has left ##openvpn [] 17:41 -!- kevinh [n=khowerto@4.58.0.2] has quit [] 18:04 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn 18:26 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:29 -!- epaphus [n=unix3@190.10.68.227] has joined ##openvpn 18:38 -!- epaphus [n=unix3@190.10.68.227] has quit [Read error: 145 (Connection timed out)] 18:42 -!- bauruine [n=bauruine@124-17.60-188.cust.bluewin.ch] has quit ["Verlassend"] 18:43 -!- mikeones [n=mikeones@pool-70-104-31-42.dllstx.fios.verizon.net] has quit ["leaving"] 18:44 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn 18:50 -!- bauruine 
[n=bauruine@124-17.60-188.cust.bluewin.ch] has joined ##openvpn 18:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 19:09 -!- kevinh [n=khowerto@rrcs-208-125-2-58.nyc.biz.rr.com] has joined ##openvpn 19:16 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 19:16 -!- kcsrnd [n=jkessler@69-57-95-80.dsl.static.nccray.com] has joined ##openvpn 19:32 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 19:52 -!- adriyel [i=adriyel@anapnea.net] has joined ##openvpn 19:52 < adriyel> MY GOD WHY 19:52 < adriyel> Vista is evil. That is all. 19:52 -!- adriyel [i=adriyel@anapnea.net] has left ##openvpn [] 20:03 -!- MrSpiffy [n=MrSpiffy@98.216.34.173] has joined ##openvpn 20:05 < MrSpiffy> hello 20:05 < MrSpiffy> ovpn in bridge mode is kicking my ass 20:06 < MrSpiffy> I configured using the howto. tunnel is up tap interface is up on the client 20:06 < MrSpiffy> iptables is set as per the how to on the server 20:06 < MrSpiffy> cisco router is my nat firewall - forwarding is on (tunnel is up) 20:06 < MrSpiffy> bu 20:06 < MrSpiffy> but 20:06 < MrSpiffy> NO PINGY PINGY 20:06 < MrSpiffy> http://pastebin.ca/1618504 20:07 < Douglas> !logs 20:07 < vpnHelper> Douglas: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 20:07 < MrSpiffy> can anybody offer some help with things to look for 20:08 < MrSpiffy> logs are empty except for the everything is OK alarm 20:08 < MrSpiffy> really - the tunnel is up but packet forwarding is fubar 20:08 < Douglas> verb ? 
20:08 < Douglas> 6 20:08 < Douglas> oh 20:08 < Douglas> donno then 20:08 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 20:08 < MrSpiffy> linux server 20:08 < MrSpiffy> linux client 20:09 < MrSpiffy> testing on a gsm connection 20:10 -!- bauruine [n=bauruine@124-17.60-188.cust.bluewin.ch] has quit ["Verlassend"] 20:10 < MrSpiffy> I updated the pastebin with ifconfig route and iptables info 20:10 < MrSpiffy> http://pastebin.ca/1618510 20:24 -!- MrSpiffy [n=MrSpiffy@98.216.34.173] has quit [] 20:37 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 20:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 20:38 -!- MTecknology [n=MTeck@pdpc/supporter/active/mtecknology] has joined ##openvpn 20:39 < MTecknology> I'm trying to make openvpn work but I think it's because of a missing kernel option that it's not. 20:40 < MTecknology> You guys know what I need to have for it to work? 20:40 < MTecknology> I get this, the device mentioned does exist -> Tue Oct 13 20:35:34 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19) Tue Oct 13 20:35:34 2009 Note: Attempting fallback to kernel 2.2 TUN/TAP interface Tue Oct 13 20:35:34 2009 Cannot allocate TUN/TAP dev dynamically 20:40 < WormFood> anyone have any experience with openvpn and dd-wrt as a client? I can't believe it is so hard to make work. (I think the problem is dd-wrt) 20:41 < WormFood> MTecknology, you're missing the correct device 20:41 < MTecknology> file /dev/net/tun /dev/net/tun: character special 20:41 < WormFood> most likely because you're missing the proper kernel module, but it could just be you're lacking the correct /dev/ device 20:42 < MTecknology> I'm sure it's the kernel module 20:42 < MTecknology> what module do I need though? 
20:42 < WormFood> # ls -l /dev/net/tun 20:42 < WormFood> crw-rw-rw- 1 root root 10, 200 2009-10-08 18:24 /dev/net/tun 20:42 < MTecknology> crw------- 1 root root 10, 200 2009-10-13 20:27 /dev/net/tun 20:42 < WormFood> what you showed with "file" is worthless....what matters is the major and minor numbers 20:42 < WormFood> well, more than just that 20:43 < WormFood> that looks good 20:43 < WormFood> lsmod|grep tun 20:43 < MTecknology> I've been screwing with the kernel a lot 20:43 < WormFood> tun 13084 0 20:43 < MTecknology> nothing 20:43 < WormFood> perhaps you compiled out support for it 20:43 < WormFood> try modprobe tun 20:43 < WormFood> or perhaps you forgot to compile the modules for your kernel 20:44 < WormFood> just because you don't see it with lsmod, does not mean you don't have it, you could have compiled it into the kernel (no module, monolithic) 20:44 < MTecknology> I did, what module is it in there though? 20:45 < WormFood> dmesg|grep tun <-- try this 20:45 < MTecknology> IPv6 over IPv4 tunneling driver 20:45 < WormFood> [260334.511692] tun: Universal TUN/TAP device driver, 1.6 20:45 < WormFood> [260334.511695] tun: (C) 1999-2004 Max Krasnyansky 20:45 < MTecknology> that's it 20:45 < WormFood> sounds like you didn't compile the kernel with tun support 20:45 < WormFood> double check your config 20:46 < MTecknology> I don't know what it should be in the config :P 20:46 < Douglas> ok maybe im stupid 20:46 < Douglas> WormFood: openvz? 
20:46 < Douglas> er 20:46 < Douglas> maybe even MTecknology 20:47 < MTecknology> Douglas: searching for just open gives me nothin 20:47 < Douglas> MTecknology: are you using avps 20:47 < Douglas> a vps 20:47 -!- kevinh [n=khowerto@rrcs-208-125-2-58.nyc.biz.rr.com] has quit [] 20:47 < MTecknology> gno 20:47 < MTecknology> no* 20:48 < WormFood> MTecknology, just go back through the kernel configure...it should be pretty obvious....if you don't see it, keep looking...it is there 20:48 < Douglas> search for tun 20:48 < Douglas> press / 20:49 < MTecknology> THERE! 20:50 < MTecknology> thanks :) 20:53 < WormFood> it is disabled, right? 20:54 < MTecknology> ya 20:54 < MTecknology> I'm recompiling with it in 20:54 < MTecknology> ... I probably should have compiled it as a module.. 20:54 < WormFood> ok...since I helped you with your problem, maybe you can help me with my problem ;) :P 20:55 < MTecknology> i can try... 20:55 < WormFood> I doubt you can help me...I'm having problems using openvpn and dd-wrt as a client :( 20:55 < WormFood> god damn shit just does not work 20:56 < WormFood> it has connected before...gets compression errors....turn off compression, and I can't connect....fuckin' shit! 20:57 < MTecknology> WormFood: router isn't running out of memory, is it? 
20:57 < WormFood> on phone...brb 20:59 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:05 < WormFood> ok, I'm back 21:05 < WormFood> I doubt it is running out of memory 21:05 < WormFood> but it sure is acting weird as hell 21:06 < WormFood> now I can upgrade the memory in the router real cheap...probably about $5 to upgrade it to 32 meg of ram 21:06 < WormFood> including installation 21:07 < WormFood> MTecknology, maybe it is running out of ram 21:08 < WormFood> but when I stop the openvpn client, it still shows the same amount of free ram 21:08 < MTecknology> I'd probably dig up an old junky system, toss some nice NICs in and use that as the router 21:08 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has joined ##openvpn 21:08 < WormFood> this is something I'm trying to sell...it needs to be small 21:09 < MTecknology> oh 21:09 < WormFood> and if I was at home, in usa, that is what I'd do...I have a TON of those slim compaq computers with the older CPUs in them, that perform well 21:09 < MTecknology> I think you're right then.. 
I'm out of ideas 21:10 < WormFood> and I found a source for these routers for under $30 each 21:10 < MTecknology> nice 21:10 < WormFood> WRT54Gv4---or anything with 4/16 memory (4 flash, 16 ram) 21:10 < Douglas> haha 21:10 < Douglas> i have wRT54g 21:11 < WormFood> I have a WRT54GSV1 with 8 meg of flash, and 32 meg of ram 21:12 < WormFood> I paid less than $30 for it, but the faceplate was wrong, and the LEDs are under the wrong holes....and the RAM is bad (unknown when I bought it) 21:12 < WormFood> after spending forever, I decided it was bad ram...so I go buy some new ram, for a hair over $1 each, then pay about $3 to have them replaced :D 21:13 < WormFood> I think I paid 160 RMB for the router....that'd be a little over $25 21:14 -!- master_of_master [i=master_o@p549D4249.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:14 < WormFood> other than driving myself crazy, and wasting my time, I think that was a good price for what I got, including the fact I had to replace the ram. 21:15 < WormFood> if your router randomly locks up, and your firmware upgrades keep failing....then I suggest you replace the ram....I expect more WRT54 family of routers to start showing up with bad ram, at least the old ones. 21:16 < MTecknology> i had an old system that ram went bad in.. 
internet died constantly 21:16 < MTecknology> remove a stick of ram 21:16 < MTecknology> :) 21:16 < WormFood> and my WTR54 (not typo, WTR, not WRT) router died....really pissed me off....it was overheating, but it'd work for a while, then someone hit the power switch on the power strip, in such a manner (hold it on the edge causing the voltage to fluctuate wildly), that it just fried it :( 21:17 -!- master_of_master [i=master_o@p549D40E4.dip.t-dialin.net] has joined ##openvpn 21:22 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [] 21:24 -!- h00k [n=anthonyr@unaffiliated/h00k] has joined ##openvpn 21:24 -!- exigraff [n=exigraff@unaffiliated/exigraff] has joined ##openvpn 21:25 < h00k> !interface 21:25 < vpnHelper> h00k: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 21:26 < h00k> !howto 21:26 < vpnHelper> h00k: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 21:27 < h00k> So. Hrm. 21:29 < MTecknology> h00k: you should probably just explain what you have - it sounds like you pretty much have it 21:31 < h00k> Alright. 21:32 < h00k> So, I have a server on a DMZ given a static IP by the router (the server thinks it has DHCP) and I have everything set up but the proper bridging on /etc/network/interfaces 21:36 < h00k> So, I suppose that is the part that I need help with. 
21:36 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""] 21:44 < h00k> I think what we're looking for, anyway, is bridged 22:03 < MTecknology> h00k: looks like everyone is sleeping :( 22:04 -!- hkais1 [n=xenoadmi@f051014149.adsl.alicedsl.de] has joined ##openvpn 22:05 -!- xod [n=onats@112.201.145.81] has joined ##openvpn 22:07 < phantomcircuit> I'm on a network that blocks outgoing UDP, is using tcp really that bad? 22:07 -!- xod is now known as onats 22:08 < theDoc> phantomcircuit> depends really. dns uses udp, are they dropping that as well? 22:09 < phantomcircuit> uh 22:09 < phantomcircuit> lemme check 22:09 -!- UomO_BongA [n=rafa@186.18.133.31] has quit [Read error: 110 (Connection timed out)] 22:11 < phantomcircuit> weird 22:11 < phantomcircuit> maybe it's only blocking the vpn UDP port 22:12 < phantomcircuit> lets try that check again 22:12 < theDoc> phantomcircuit> are you using a paid vpn service? ;p 22:13 < phantomcircuit> uh no I'm running openvpn at home because this shitty community college blocks irc on their wifi 22:13 < theDoc> ahh. :) 22:14 < phantomcircuit> and I'd rather not have to run everything they block over ssh->socks 22:14 < WormFood> try running your openvpn server on different ports...hell, run it on port 53 (the dns port) 22:15 < WormFood> you can use tcp, but expect to get a lot of hung connections. 22:18 < theDoc> tcp is horrible for openvpn on a wan connection 22:18 < theDoc> jesus. 22:18 < theDoc> i was mucking with a test server last night to put into deployment and tcp was just shit. 
22:19 -!- hkais [n=xenoadmi@g226143077.adsl.alicedsl.de] has quit [Read error: 110 (Connection timed out)] 22:20 < phantomcircuit> sigh 22:21 < phantomcircuit> i smell an application layer firewall 22:21 < phantomcircuit> whatever I'm out of here 22:21 -!- phantomcircuit [n=phantomc@adsl-76-199-100-233.dsl.pltn13.sbcglobal.net] has quit [Remote closed the connection] 22:29 < MTecknology> he shouldn't have left 22:29 < MTecknology> irc is blocked here to 22:29 < MTecknology> too* 22:43 -!- MTecknology [n=MTeck@pdpc/supporter/active/mtecknology] has left ##openvpn ["http://profarius.com/ - What have you seen lately?"] 22:44 -!- exigraff [n=exigraff@unaffiliated/exigraff] has quit ["verily, I shall return. >_>"] 23:02 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 23:16 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:35 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] --- Day changed Wed Oct 14 2009 00:23 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has quit [Remote closed the connection] 00:41 -!- c64zottel [n=zestor@62-12-234-193.pool.cyberlink.ch] has joined ##openvpn 00:44 -!- hkais1 [n=xenoadmi@f051014149.adsl.alicedsl.de] has quit ["Leaving."] 00:45 -!- hkais [n=xenoadmi@78.51.14.149] has joined ##openvpn 00:54 -!- hkais [n=xenoadmi@78.51.14.149] has quit [Read error: 145 (Connection timed out)] 01:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 01:08 -!- hyper_ch [n=hyper@45-43.76-83.cust.bluewin.ch] has joined ##openvpn 01:23 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 01:42 -!- c64zottel [n=zestor@62-12-234-193.pool.cyberlink.ch] has quit ["Leaving."] 01:45 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 01:45 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn 01:45 < kosmic> !howto 01:45 < vpnHelper> kosmic: "howto" is OpenVPN comes with a great howto, 
PLEASE READ IT! http://openvpn.net/howto 02:18 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:18 -!- brizly1 [n=brizly_v@p4FC982BA.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 02:19 -!- brizly [n=brizly_v@p4FC982BA.dip0.t-ipconnect.de] has joined ##openvpn 02:32 < krzie> [23:17] tcp is horrible for openvpn on a wan connection 02:32 < krzie> no kidding, they mention that in the manual 02:33 < theDoc> krzee> Yeah man, i didn't realize it was THAT bad. 02:33 < tjz> tcp over tcp.. 02:33 < tjz> :D 02:33 < krzie> aka !tcp ;] 02:33 < theDoc> fuck, i saw my latency spike from 280ms to 1200ms. 02:37 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 02:48 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 02:49 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 02:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 02:53 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 02:58 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 113 (No route to host)] 03:02 < misse-_> theDoc: with openvpn over tcp? :O 03:03 < theDoc> Yeah. Don't talk about it, it was just painful. 03:03 < theDoc> I had to kick my production box back into udp. 03:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 03:03 < misse-_> whoah. 03:04 < misse-_> glad I haven't tried it. 03:07 < theDoc> misse-_> I was testing something out for a customer and god, is tcp absolute shit for openvpn. 
03:18 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 03:32 -!- kral [n=kral@93-62-244-18.ip24.fastwebnet.it] has joined ##openvpn 03:32 < kral> hi 03:33 < kral> i have a little problem with openvpn under win32 03:34 < kral> when i try to connect, log says: "The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet" 03:35 < kral> is it a client or a server configuration problem? 03:36 < kral> any tips? 03:48 -!- kral [n=kral@93-62-244-18.ip24.fastwebnet.it] has quit [Read error: 104 (Connection reset by peer)] 03:48 -!- kral_ [n=kral@93-62-244-18.ip24.fastwebnet.it] has joined ##openvpn 03:49 -!- kral_ is now known as kral 03:50 -!- dazo|afk is now known as dazo 04:03 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 04:17 -!- hkais [n=xenoadmi@ip-109-85-99-8.web.vodafone.de] has joined ##openvpn 04:23 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 04:38 -!- Dukelord [n=brenwill@41.204.234.100] has quit [] 04:43 -!- smellynoser [n=ashley@86.53.96.123] has joined ##openvpn 04:43 < smellynoser> Hi - I'm sending quite a bit of traffic through openvpn 04:44 < smellynoser> and it's starting to affect things 04:44 < smellynoser> I need to compress everything through the VPN, more than comp-lzo allows, if that's possible 04:44 < smellynoser> How much does comp-lzo compress the data by? 04:50 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 04:51 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 05:04 < hyper_ch> smellynoser: it depends on the data 05:04 < hyper_ch> text will be massively compressed 05:04 < hyper_ch> binary software data not that much 05:08 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 05:11 < dazo> smellynoser: What kind of traffic do you pass over your tunnel?
If it is mostly mpg/mp3/jpg/avi/bz2/gz/zip/rar/etc, then you can skip the compression completely as that is not effective at all. If it is text data (html, txt, older office docs, etc), then it can be easily compressed and throughput will be improved with comp-lzo 05:12 < dazo> in some cases, compressing compressed data might even increase the size of the file by some few bytes 05:13 < smellynoser> I have comp-lzo on the client and server but it's still taking up 2mbits/second 05:14 < smellynoser> Sending text data 05:22 -!- Dukelord [n=brenwill@41.204.234.100] has quit [] 05:31 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:31 -!- buntfalke_ is now known as buntfalke 05:34 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 05:44 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn 05:51 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Remote closed the connection] 05:52 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 05:56 -!- c64zottel [n=zestor@62-12-234-193.pool.cyberlink.ch] has joined ##openvpn 05:58 -!- SMTHelse [n=ask@cm219.kappa25.maxonline.com.sg] has joined ##openvpn 05:59 < SMTHelse> !route 05:59 < vpnHelper> SMTHelse: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 06:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 06:15 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn 06:15 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)] 06:17 -!- brizly1 [n=brizly_v@p4FC9848B.dip0.t-ipconnect.de] has joined ##openvpn 06:19 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 06:26 -!- kral [n=kral@93-62-244-18.ip24.fastwebnet.it] has left ##openvpn ["Sto andando via"] 06:28 -!- c64zottel [n=zestor@62-12-234-193.pool.cyberlink.ch] has left ##openvpn [] 06:29 -!- 
Anaris [n=ask@cm219.kappa25.maxonline.com.sg] has joined ##openvpn 06:31 -!- brizly [n=brizly_v@p4FC982BA.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:34 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn 06:48 -!- SMTHelse [n=ask@cm219.kappa25.maxonline.com.sg] has quit [Read error: 110 (Connection timed out)] 07:03 -!- Oreva [n=brenwill@41.204.234.100] has quit [] 07:08 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 07:17 < ecrist> good morning. 07:20 -!- Anaris [n=ask@cm219.kappa25.maxonline.com.sg] has quit [] 07:25 -!- pjd_ [n=pjd@ghf60.internetdsl.tpnet.pl] has joined ##openvpn 07:26 < pjd_> Hi. So openvpn doesn't support self-signed certificates? 07:27 < pjd_> All I want is to use self-signed certificate and the server and distribute it to the clients, which are additionally authenticated. 07:27 < pjd_> This seems over-complicated to create CA for that. 07:27 < ecrist> why do you think OpenVPN doesn't support self-signed certificates? 07:28 < ecrist> I think you don't understand how SSL works 07:28 < pjd_> Because when I don't provide 'ca' entry, it complains. 07:28 < ecrist> indeed. 07:28 < ecrist> but the CA can be self-signed. 07:28 < ecrist> you need a chain 07:28 < pjd_> But I don't want CA. 07:28 < ecrist> otherwise, anyone could use any ssl certificate 07:28 < pjd_> I want self-signed leaf certificate. 07:29 < ecrist> I think you don't understand how SSL works 07:29 < pjd_> Unless you upload server's certificate onto clients. 07:29 < pjd_> You understand incorrectly, I'm afraid. 07:29 < ecrist> lol 07:29 < ecrist> you're right, I'm new here. 07:30 * tjz look around 07:30 < pjd_> I'm not here to prove anything, I'm just looking for help. 07:31 < pjd_> I want to use leaf self-signed certificate, which will be uploaded on clients' machines. 07:31 < ecrist> OpenVPN does not do what you're looking for 07:31 < ecrist> if it did, any SSL certificate at all could connect to your VPN 07:32 < pjd_> No. 
07:32 < pjd_> Client will have server's certificate. 07:32 < pjd_> That's all he needs. 07:33 < pjd_> And will authenticate against the server using auth-user-pass-verify. 07:34 < pjd_> What's the point of having CA here? 07:34 < pjd_> (I also use client-cert-not-required option.) 07:35 < ecrist> to provide a certificate chain 07:35 < pjd_> Ok, and what's the purpose of certificate chain in this example? 07:36 < pjd_> Note that clients don't use certificates. 07:36 < ecrist> from the man page: 07:36 < ecrist> To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair ( --cert and --key ), signed by the root certificate which is specified in --ca. 07:38 < pjd_> Client's certificate is optional in general (that's how 99% of https works), so it seems like openvpn shortcoming. 07:39 < ecrist> sure, but a CA is still required for those connections 07:40 < pjd_> For https? No. It is enough that you have server's cert. It's just easier to redistribute one CA cert instead of multiple certs signed by it. 07:41 < ecrist> pjd_: many CA certificates are included with modern web browsers, which is why things seem to just work. 07:41 < ecrist> it is *not* enough that you have the server's certificate. 07:41 < pjd_> CA cert is there only to verify server's cert signature. If you have server's cert already and you trust it, there's no need to CA. 07:42 < pjd_> ecrist: It is when you obtained it through secure channel. 07:43 < ecrist> regardless, openvpn cannot do what you want it to 07:43 < pjd_> I'm starting to think you don't know how SSL works:) 07:43 -!- HJ [n=HJ@host81-130-7-183.in-addr.btopenworld.com] has joined ##openvpn 07:43 < ecrist> if you're unhappy with that, 1) discuss with the devs to include the support or 2) use something else 07:43 < HJ> hi there 07:43 < pjd_> ecrist: Thank you, I just wanted to confirm that. 
07:44 < ecrist> I told you that 5 minutes ago 07:45 -!- pjd_ [n=pjd@ghf60.internetdsl.tpnet.pl] has left ##openvpn [] 07:46 < HJ> I've managed to setup openvpn fine in tunnel mode, but i'd like to setup ethernet bridging instead, i've been following this tutorial http://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html but the bridge creation fails 07:46 < vpnHelper> Title: Ethernet Bridging (at openvpn.net) 07:47 < HJ> i've installed the bridge-utils so i've got brctl, but brctl add br0 returns "add bridge failed: package not installed"... 07:50 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)] 07:50 -!- Dukelord [n=brenwill@74.115.0.24] has joined ##openvpn 07:54 < ecrist> HJ: looks like you're missing something 07:55 < HJ> ecrist> probably but i honestly can't see what 07:57 < ecrist> looks like some bridging utilities or kernel modules 07:58 < theDoc> ecrist> Got a second for a private message mate? 07:58 < ecrist> sure 07:58 < theDoc> Thanks. 07:58 < HJ> i installed the bridging utilities, and according to CentOS my kernel should already support it... 07:58 < ecrist> I can only give you advice, I've never used CentOS 07:59 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 08:01 < HJ> ecrist> fair enough, thanks anyway 08:01 < HJ> centos is generally really good, the only issue is that it comes quite barebone 08:09 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn 08:10 < HJ> would anyone know any other way of creating a bridge than with brctl? 08:19 -!- Oreva [n=brenwill@41.204.234.100] has quit [] 08:19 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:25 < Bushmills> HJ: http://monsterguide.net/how-to-build-a-bridge 08:25 < vpnHelper> Title: How to Build a Bridge - Monsterguide.net (at monsterguide.net) 08:31 < HJ> cheers! 
08:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:31 < HJ> lol ok 08:32 -!- Dukelord [n=brenwill@74.115.0.24] has quit [Read error: 110 (Connection timed out)] 08:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 08:51 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 08:59 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 08:59 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:00 -!- HJ [n=HJ@host81-130-7-183.in-addr.btopenworld.com] has quit [Client Quit] 09:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 09:17 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 09:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:23 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 09:31 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 09:38 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn 09:41 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 09:43 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 09:55 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 10:05 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 10:05 -!- jeiworth [n=jeiworth@189.177.138.34] has joined ##openvpn 10:15 -!- raspi [i=raspi@hastur.ext.fi] has joined ##openvpn 10:17 -!- Irssi: ##openvpn: Total of 86 nicks [0 ops, 0 halfops, 0 voices, 86 normal] 10:20 < raspi> What's the correct way to do bridged openvpn server in ubuntu? This worked on my local virtual machine but not in actual machine - http://codepad.org/XN4i76KF - all connections just died. 10:20 < vpnHelper> Title: Plain Text code - 88 lines - codepad (at codepad.org) 10:28 < |Mike|> tls-server? 
10:29 < krzie> !tunortap 10:29 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 10:30 < |Mike|> ec2-run-instances --private-key privatekey.pem --cert certificate.pem --region [region] --availability-zone [zone] --instance-type [type] <--user-data-file [script]> [ami] 10:30 -!- smellynoser [n=ashley@86.53.96.123] has quit [Read error: 60 (Operation timed out)] 10:30 < |Mike|> err, fail! 10:32 -!- smellynoser [n=ashley@86.53.96.123] has joined ##openvpn 10:33 < raspi> or is there some weird network stuff going on xen when using bridge? 10:34 < raspi> my test machine was virtualbox 10:35 < |Mike|> you are using bridge in virtual box already. 10:38 < raspi> i'm trying to achieve this star-shaped network where openvpn is not actually connected to any physical LAN network. ie. tap0/br0 packets go only through openvpn, not physical network 10:38 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 10:39 < ecrist> raspi: you don't even need to bridge anything, then. 10:40 < raspi> we're using this for gaming 10:40 * hyper_ch heard that gaming is evil and sucks up way too much time 10:41 < ecrist> raspi: I don't care what you're using it for, really. Just letting you know you can setup OpenVPN in bridge mode, it will only setup the tap interface, and everything will work magically 10:41 < ecrist> since you're only worried about communicating with the VPN systems 10:41 < ecrist> and not a LAN, etc. 10:42 < raspi> yeah but it's "virtual" lan then, when everybody connects to it? 10:43 < ecrist> yep 10:43 < raspi> so broadcast packets etc works fine then? 
10:44 < ecrist> yes 10:44 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:45 < raspi> alright, I'll try it when someone reboots my system :) 10:45 < raspi> thanks 10:52 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 10:53 -!- hyper_ch [n=hyper@45-43.76-83.cust.bluewin.ch] has quit [Remote closed the connection] 11:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 11:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 11:06 -!- Intensity [i=[BdLfKfG@unaffiliated/intensity] has quit [Remote closed the connection] 11:27 < krzie> yay 11:27 < krzie> rcracki running on osx! 11:27 < krzie> <-- happy panda 11:35 -!- samba [n=samba@76.104.236.199] has joined ##openvpn 11:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 11:42 -!- h00k [n=anthonyr@unaffiliated/h00k] has quit [Read error: 54 (Connection reset by peer)] 11:50 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has joined ##openvpn 12:40 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 12:51 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)] 12:52 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn 12:52 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)] 12:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:06 < Dukelord> looking for any vpn servers that i can connect via tcp over port 53 or via udp over port 69? 13:08 -!- dazo is now known as dazo|afk 13:11 < hyper_ch> isn't 53 used for nameserver queries?
13:14 < ecrist> Dukelord: build your own 13:15 < ecrist> hyper_ch: that's why he needs one running on that port, it isn't being blocked by his employer's firewall 13:15 < hyper_ch> ah 13:20 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has joined ##openvpn 13:24 -!- tfbox_ [i=4c0abc9b@gateway/web/freenode/x-pnhfzdbmgtxzdxnx] has joined ##openvpn 13:26 -!- swa_work [n=swa@swatteksystems.com] has quit [Remote closed the connection] 13:26 -!- phantomcircuit [n=phantomc@adsl-76-200-190-37.dsl.pltn13.sbcglobal.net] has joined ##openvpn 13:27 < phantomcircuit> i was here last night trying to get around port blocking over community college's wifi 13:27 < phantomcircuit> turns out they're using an application layer filter, actual dns requests over udp 53 made it 13:27 < phantomcircuit> but vpn over 53 did not 13:27 < phantomcircuit> so sad :( 13:29 < Dukelord> looking for any vpn servers that i can connect via tcp over port 53 or via udp over port 69? 13:29 < raspi> try ip over dns? 13:30 -!- c64zottel1 [n=zestor@62.12.220.168] has joined ##openvpn 13:30 < raspi> http://thomer.com/howtos/nstx.html 13:30 < vpnHelper> Title: NSTX (IP-over-DNS) HOWTO (at thomer.com) 13:31 < ecrist> Dukelord: did you see my message above? 13:33 < Dukelord> i am not a hacker, so i don't understand, my mobile isp blocked all ports except tcp over 53 and udp over 59...sucks 13:34 < Dukelord> udp over 69 13:35 < ecrist> use udp over 53 13:35 < ecrist> tcp is a bad idea anyways 13:38 -!- kevinh [n=khowerto@4.58.0.2] has quit [Read error: 104 (Connection reset by peer)] 13:38 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn 13:39 < Dukelord> udp over 53 is blocked 13:40 < ecrist> you may simply be SOL 13:40 < Dukelord> i prefer udp cos it's faster, but i need udp over 69....SOL??? 13:40 < ecrist> shit out of luck 13:40 < Dukelord> lol...lmao... 13:40 < Dukelord> yup...pretty much 13:45 < phantomcircuit> your mobile isp blocks tcp 80?!
13:45 < Dukelord> yup 13:46 < Dukelord> crazy i know 13:46 < phantomcircuit> the hell would you use an isp that doesnt allow tcp 80? 13:50 < Dukelord> cos they are quite fase 13:51 < phantomcircuit> they're what now? 13:58 -!- hkais [n=xenoadmi@ip-109-85-99-8.web.vodafone.de] has quit [Read error: 110 (Connection timed out)] 13:58 < Dukelord> fast 14:05 < Otacon22> Bushmills, Do you remember that i've asked you about the multiclient mode on openvpn? I've set up signed certificates for each client, but still just one client can connect to the server. 14:05 < phantomcircuit> so you're using an isp that cannot access 99.999% of the web because they are fast? 14:05 < phantomcircuit> ? 14:06 < ecrist> Otacon22: what do you mean only one client can connect? 14:06 < Bushmills> you used same common name for all clients, that was? 14:06 < Otacon22> ecrist, yes 14:06 < ecrist> does each certificate have a unique common name? 14:06 < Otacon22> yes 14:06 < ecrist> or does each client have their own certificate 14:07 < ecrist> so, when one client is already connected, and another connects, is the second one denied, or is the first one disconnected? 14:07 < ecrist> !logs 14:07 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 14:08 < Otacon22> ecrist, when the second one tries to connect, Connection refused appears 14:08 < ecrist> can we get the logs for that from both the server and client, please? 14:08 < Otacon22> ecrist, yes, but another question before 14:09 < Otacon22> is it correct to copy the ca.cert from the server to the client? 14:09 < ecrist> yes 14:11 < Otacon22> ecrist, where are the logs?
they are not in /var/log/openvpn.log 14:12 < ecrist> if you're just running the command locally, they will be on stdout 14:12 < ecrist> otherwise, where ever you've pointed OpenVPN to put them 14:12 < Otacon22> wait 14:13 < krzee> check messages 14:16 < Otacon22> ecrist, http://pastebin.com/d29f3a94 14:16 < Otacon22> (with verb 7) 14:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 14:17 < Otacon22> this is the log of the second client which does not connect to the server 14:17 < krzee> server log... 14:17 < Otacon22> wait for the server log 14:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:18 < Otacon22> ecrist, when i try to connect from the second client nothing happens on the server 14:18 < Otacon22> nothing 14:19 < ecrist> !configs 14:19 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 14:19 < ecrist> Otacon22: are you running in daemon mode? 14:19 < ecrist> sounds like not 14:19 < Otacon22> no 14:19 < Otacon22> not now for the tests 14:20 < Otacon22> does something change if i use the daemon mode? 14:20 < krzee> --daemon in manual would answer that 14:20 < krzee> !man 14:20 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:20 < Otacon22> this is my server config http://pastebin.com/d788c4ec1 14:20 < Otacon22> ok 14:21 < krzee> whoa 14:22 < krzee> tap, tcp, and ptp with certs 14:22 < krzee> !sample 14:22 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 14:22 < krzee> go for something like that instead 14:22 < Otacon22> krzee, i've just copied from a tutorial 14:22 < Otacon22> (in italian) 14:22 < krzee> it shows 14:22 < krzee> no offense 14:25 -!- Dukelord [n=brenwill@41.204.234.100] has quit [] 14:26 < Otacon22> krzee, is the vpn tun ip address of the server, right? 14:26 < krzee> it is the external address 14:26 < krzee> the one the client connects to and that the server listens on 14:26 < krzee> which youd know by looking at the manual for the places i used it 14:26 < krzee> in fact, read the manual for every single option used in both configs 14:27 < krzee> do not use that config before you do that 14:27 < krzee> because if you dunno whats going on, its pointless 14:31 -!- kevinh [n=khowerto@4.58.0.2] has quit [] 14:31 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn 14:33 < Otacon22> ghghg 14:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 14:46 -!- c64zottel1 [n=zestor@62.12.220.168] has quit ["Leaving."] 14:59 -!- oc80 [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)] 15:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 15:05 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:06 -!- Otacon22 [n=otacon22@93-36-124-179.ip60.fastwebnet.it] has left ##openvpn ["Leaving"] 15:24 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, eliasp, raspi, tarbo2, dollabill, tjz, Vito111, ^scott^, Bushmills 15:27 -!- tfbox_ [i=4c0abc9b@gateway/web/freenode/x-pnhfzdbmgtxzdxnx] has quit ["Page closed"] 15:29 -!- raspi [i=raspi@raspi.fi] has joined ##openvpn 15:34 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined 
##openvpn 15:34 -!- Vito111 [n=vito@195.3.173.128] has joined ##openvpn 15:34 -!- Bushmills [n=nnnBushm@verhau.de] has joined ##openvpn 15:34 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 15:34 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 15:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 15:34 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 15:34 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn 15:34 -!- master_of_master [i=master_o@p549D40E4.dip.t-dialin.net] has joined ##openvpn 15:34 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 15:45 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 15:49 < |Mike|> oi. 15:59 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 15:59 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn 16:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 16:14 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:27 -!- UomO_BongA [n=rafa@186.18.133.31] has quit [Read error: 104 (Connection reset by peer)] 16:33 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [] 16:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 17:02 -!- kevinh [n=khowerto@4.58.0.2] has quit [] 17:08 < zamba> do tun or tap devices have the best performance bandwidth-wise?
17:08 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 17:12 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:15 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 17:17 -!- jeiworth [n=jeiworth@189.177.138.34] has quit [Read error: 110 (Connection timed out)] 17:18 -!- jeiworth [n=jeiworth@189.163.169.148] has joined ##openvpn 17:20 < Bushmills> 'tis less the device, but the fact that tap is used for bridging, and through a bridge goes more traffic than through a (routed) tun interface 17:20 < Bushmills> ...which makes tap less efficient than tun 17:22 < krzee> and you ONLY use tap when you need layer2 traffic to pass through the vpn 17:28 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 17:38 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn 17:44 < xp_prg> hi all, I am trying to figure out how to get the hostname of the client that is disconnecting 17:45 < xp_prg> is there a way to do that in the client-disconnect script? 17:46 < krzee> did you check the env vars that that script will have access to in the manual...? 17:46 < krzee> note, you want ip not hostname 17:48 < xp_prg> I want the host name seriously 17:48 < xp_prg> can I pass a variable to it somehow? 17:48 < krzee> you get the ip and resolve it for hostname 17:48 < xp_prg> oh ok 17:48 < krzee> but many ips can have same hostname 17:50 < krzee> in fact currently im tunneling through a machine that has the same hostname as its whole ip block 17:50 < krzee> so if your script only keeps track of hostname, you cant tell the diff between me and anyone else coming from this very large ip block 17:50 < krzee> just so you're aware...
17:51 < xp_prg> ok thanks, that is not the case in this architecture however 17:52 < krzee> *shrug* ok 18:06 -!- phantomcircuit [n=phantomc@adsl-76-200-190-37.dsl.pltn13.sbcglobal.net] has quit ["Leaving"] 18:06 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)] 18:27 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn 19:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 19:37 < xp_prg> hi all, anyone here, how do I call a script when the openvpn is going down but so I can still use the interface? 19:37 < krzee> see script order of execution in manual 19:37 < krzee> !man 19:37 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 19:38 < xp_prg> I am looking in the manual, the only one I see is down 19:38 < xp_prg> oh wait, that might work! 19:40 -!- ethos5 [n=stewart@prod00.pvpn.sfo.witopia.net] has joined ##openvpn 19:43 < ethos5> I'm having a bit of a problem with my openvpn client. I want to have two openvpn connections on this machine, one that connects to my home network and another that all other traffic routes through via a commercial vpn service (that I have working). However, it is extremely slow to route all packets over the commercial VPN then connect to my home network. Is there a way to tell my openvpn config not to reroute any traffic to a particular host 19:43 < ethos5> I've looked into the Route command, and it seems to work fine when I am on a hardline, but it fails when on wifi 19:45 < krzee> only thing i can think of is you are using a common subnet and when you are on wifi have a conflict 19:45 < krzee> cause route was correct 19:46 < ethos5> haha, I don't think 10.7.137.1 is very common 19:46 < krzee> i agree with that 19:47 < ethos5> correct command would be 'route add -net ipaddr netmask 255.255.255.255 dev wlan0' for wireless, right? 
19:47 < krzee> ohhh you mean the connect to home is going over the default route vpn 19:47 < ethos5> yeah, connect is trying to go over the commercial VPN 19:47 < ethos5> and I want it to connect directly 19:47 < krzee> you need to route the host your other vpn connects on to bypass the default route vpn 19:47 < ethos5> difference between .2ms and 170ms 19:47 < ethos5> ping 19:48 < ethos5> so, after the default VPN is up, run a 'route add -net home_ip netmask 255.255.255.255 dev wlan0', right? 19:49 < ethos5> or should I set it up as a gateway route? 19:49 < krzee> that may work 19:49 < krzee> if not specify the ip to leave from instead of dev 19:50 < krzee> one or the other should fix it 19:50 < krzee> but yup, you got the idea 19:50 < ethos5> mm, problem is that it is a laptop client, so I don't always know my exit IP 19:51 < krzee> script it up =] 19:51 < krzee> also i think ovpn knows it 19:51 < krzee> look through manual 19:51 < krzee> might be like gateway_ip or something 19:51 < krzee> it has some builtin vars like that to pass to route command 19:53 < ethos5> Oh, I didn't know Openvpn controlled the routes 19:53 < ethos5> i was doing it manually 19:53 < ethos5> do you add the routes in the config file? 19:53 < krzee> see --route 19:53 < krzee> !man 19:53 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
19:54 < ethos5> ok, thanks 19:55 < krzee> np =] 20:08 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 20:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 20:11 -!- ethos5 [n=stewart@prod00.pvpn.sfo.witopia.net] has quit [Read error: 104 (Connection reset by peer)] 20:14 -!- ethos5 [n=stewart@prod01.pvpn.sfo.witopia.net] has joined ##openvpn 20:16 < ethos5> ha, brilliant 20:16 < ethos5> krzie: thanks a ton, got it working 20:17 < ethos5> trick is to add a route in the default vpn connection to the static server, which overrides the gateway routes pushed by the server 20:23 -!- ethos5_ [n=stewart@prod04.pvpn.sfo.witopia.net] has joined ##openvpn 20:30 -!- ethos5__ [n=stewart@r69h135.res.gatech.edu] has joined ##openvpn 20:34 < krzee> you're welcome 20:36 -!- ethos5___ [n=stewart@lawn-128-61-121-2.lawn.gatech.edu] has joined ##openvpn 20:38 -!- ethos5__ [n=stewart@r69h135.res.gatech.edu] has quit [Read error: 113 (No route to host)] 20:38 -!- ethos5 [n=stewart@prod01.pvpn.sfo.witopia.net] has quit [Read error: 110 (Connection timed out)] 20:42 -!- ethos5 [n=stewart@prod01.pvpn.sfo.witopia.net] has joined ##openvpn 20:44 -!- ethos5_ [n=stewart@prod04.pvpn.sfo.witopia.net] has quit [Read error: 110 (Connection timed out)] 20:53 -!- ethos5___ [n=stewart@lawn-128-61-121-2.lawn.gatech.edu] has quit [Read error: 110 (Connection timed out)] 20:56 -!- Entriple [n=Entriple@67.221.38.101] has joined ##openvpn 20:57 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 20:57 < Entriple> !redirect 20:57 < vpnHelper> Entriple: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
20:57 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:02 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:14 -!- master_of_master [i=master_o@p549D40E4.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D42CF.dip.t-dialin.net] has joined ##openvpn
21:19 -!- Entriple [n=Entriple@67.221.38.101] has quit [Read error: 110 (Connection timed out)]
21:32 -!- ethos5 [n=stewart@prod01.pvpn.sfo.witopia.net] has quit ["leaving"]
21:39 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection]
22:44 -!- Optic_ [n=dfraser@miso.capybara.org] has joined ##openvpn
22:45 -!- Optic [n=dfraser@miso.capybara.org] has quit [Nick collision from services.]
22:45 -!- Optic_ is now known as Optic
22:53 -!- UomO_BongA [n=rafa@186.18.133.31] has quit [Read error: 60 (Operation timed out)]
22:53 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:55 -!- vingian [n=vince@99-7-90-12.lightspeed.livnmi.sbcglobal.net] has joined ##openvpn
22:55 < vingian> hey guys
22:55 < vingian> i know this isn't the place to ask this question
22:56 < vingian> but i have a vpn connection and i want to route traffic for on my local network through that machine
22:56 < vingian> and needed some help
22:57 -!- WormFood [n=wormfood@119.122.11.192] has quit [Read error: 145 (Connection timed out)]
22:58 -!- c64zottel [n=hans@62-12-252-088.pool.cyberlink.ch] has joined ##openvpn
22:58 -!- c64zottel [n=hans@62-12-252-088.pool.cyberlink.ch] has left ##openvpn []
22:59 -!- WormFood [n=wormfood@119.122.11.192] has joined ##openvpn
23:06 -!- vingian [n=vince@99-7-90-12.lightspeed.livnmi.sbcglobal.net] has left ##openvpn ["thanks"]
23:12 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""]
23:16 -!- W0rmF00d [n=wormfood@119.136.226.108] has joined ##openvpn
23:24 -!- WormFood [n=wormfood@119.122.11.192] has quit [Read error: 145 (Connection timed out)]
23:36 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
--- Day changed Thu Oct 15 2009
00:04 -!- disappearedng [n=disappea@th241030.ip.tsinghua.edu.cn] has joined ##openvpn
00:05 < disappearedng> if anyone is here pls reply
00:07 < disappearedng> I used a script /etc/init.d/openvpn start and then there is no tun0 showing in ifconfig, does that mean something is wrong?
00:28 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has quit [Remote closed the connection]
00:53 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
00:55 -!- APTX| [n=APTX@213.251.162.70] has quit [Read error: 131 (Connection reset by peer)]
01:24 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
01:28 -!- hyper_ch [n=hyper@194-133.77-83.cust.bluewin.ch] has joined ##openvpn
01:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
02:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
03:37 -!- dazo|afk is now known as dazo
03:45 -!- xod [n=onats@112.201.145.81] has joined ##openvpn
03:46 -!- xod [n=onats@112.201.145.81] has quit [Client Quit]
04:01 < zamba> Bushmills: ok, so tun is more efficient..?
04:02 < zamba> Bushmills: what are the limitations? how much speed can one get through a vpn tunnel?
04:12 < dazo> zamba: tun has less overhead, as packets are processed in a higher level in the OSI layers. tun only transports IP packets, while tap transports ethernet frames ... so tun is ideal as long as you only use TCP/IP and don't need bridging (ie. routing will work for you)
04:13 < dazo> zamba: limitations? .... how broad is your broadband? ... it also depends on how many connections you have per openvpn server .... but you should get a decent speed if your openvpn server got decent specs
04:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
04:30 -!- dupondje [i=d915b147@gateway/web/freenode/x-nnnzybbqftzknunr] has joined ##openvpn
04:31 < dupondje> Hello, I have made a VPN server and made a tunnel from my network to it
04:31 < dupondje> now I can connect with a VPN client to my server, to get access to the network, this works fine
04:32 < dupondje> but now I would like to be able to connect to 1 VNC server in my network, by just connecting to my server IP address and a custom port :)
04:32 < dupondje> any idea how I can make this possible ?
05:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:02 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
05:16 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
06:12 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:13 < dupondje> nobody awake ? :)
06:15 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
06:16 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
06:16 -!- brizly1 [n=brizly_v@p4FC9848B.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:16 -!- brizly [n=brizly_v@p4FC98486.dip0.t-ipconnect.de] has joined ##openvpn
06:19 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
06:26 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:41 < dazo> dupondje: !route
06:41 < dazo> !route
06:41 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
06:42 < Dukelord> looking for an affordable vpn server that allows me to connect via udp over port 69 and tcp over 53.
06:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:05 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
07:09 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: master_of_master, eliasp, tarbo2, tjz, Vito111, ^scott^, Bushmills
07:10 -!- Netsplit over, joins: master_of_master, tjz, tarbo2, ^scott^, eliasp, Bushmills, Vito111
07:11 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn
07:28 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
07:30 < dupondje> dazo: just need to forward 1 port ... not a full subnet or so :) tried some iptable rules, but doesn't seem to work
07:31 < Dukelord> looking for an affordable vpn server that allows me to connect via udp over port 69 and tcp over 53. must be very fast with unlimited bandwidth
07:32 < dazo> Dukelord: please stop it ... we've gotten your message already ... people with answers here will answer you
07:33 < dupondje> iptables -t nat -A PREROUTING -p TCP -d server_ip --dport 5800 -j DNAT --to 192.168.3.104:5800
07:33 < dupondje> doesn't seem to work :s
07:33 < dazo> dupondje: you still need routing, esp. if you are using tun mode .... but you will use netmask 255.255.255.255 to route host instead of a complete subnet
07:34 < dupondje> dazo: the subnet is routed on the server
07:34 < dupondje> 192.168.3.0 10.10.0.2 255.255.255.0 UG 0 0 0 tun0
07:34 < dazo> dupondje: please pastebun complete config files of openvpn server and client .... so we know better how you have set things up
07:35 < dazo> s/pastbun/pastebin/
07:39 < dupondje> dazo: on the server I can ping 192.168.3.104, so thats working without problem
07:39 < dupondje> can make VPN connection to server to get access to the 192.168.3.* subnet
07:40 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
07:40 < dupondje> but just want now, that I can connect directly to server:5800 and that this gets forwarded to 192.168.3.104
07:40 < dupondje> so I don't need to start vpn client to get access to that single port
07:52 -!- Imran-UK [n=imran@78-86-182-205.zone2.bethere.co.uk] has joined ##openvpn
07:53 < Imran-UK> is anyone here a sysadmin for home users/"roadwarriors" on vpns? just need some general advice on improving vpn service levels.
07:53 * ecrist is
07:53 < Imran-UK> prolly sdsl (not adsl as we have currently) is an answer
07:53 < Imran-UK> hi ecrist
07:53 < theDoc> whoops, did anyone send me a pm?
07:54 < Imran-UK> ecrist, any general n00b advice is appreciated
07:55 < ecrist> don't use 192.168.0.0 as your LAN or VPN address space is the #1 thing I can recommend
07:57 < Imran-UK> ok, we're not. getting bundled sdal (eg. two sdsl bonded as one, presenting one IP) was mentioned as an option
07:57 < Imran-UK> other is traffic shaping to prioritize vpn traffic
07:57 < Imran-UK> sdal=sdsl
07:58 < ecrist> what are you trying to do over your VPN?
07:58 < Imran-UK> some linux users getting at linux fileserver, a few windows users with remote desktop (they complain the loudest)
07:59 < Imran-UK> we have adsl, which is only 80Kb up
07:59 < ecrist> ouch
07:59 < ecrist> adsl here does 860K up
07:59 < Imran-UK> yeah :/
07:59 < ecrist> and I live in the first DOCSIS 3 rollout city, so I'm sporting 10mb up by 50mb down
08:00 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn
08:01 < Imran-UK> i know in the USA the bandwidth limits are much more favourable. hmm let me clarify the adsl up, one min
08:06 < Imran-UK> we're talking the same units here right? 860Kbytes/sec up?
08:08 < ecrist> Kbits
08:10 -!- Imran-UK [n=imran@78-86-182-205.zone2.bethere.co.uk] has quit [Read error: 60 (Operation timed out)]
08:10 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:10 -!- Imran-UK [n=imran@82-69-176-133.dsl.in-addr.zen.co.uk] has joined ##openvpn
08:14 -!- raspi [i=raspi@raspi.fi] has quit [Read error: 60 (Operation timed out)]
08:20 < Optic> moo
08:27 -!- Imran-UK [n=imran@82-69-176-133.dsl.in-addr.zen.co.uk] has quit [Read error: 110 (Connection timed out)]
08:27 -!- Imran-UK [n=imran@78-86-182-205.zone2.bethere.co.uk] has joined ##openvpn
08:28 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:29 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
08:29 < le0> !redirect
08:29 < vpnHelper> le0: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:29 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
08:29 < le0> !nat
08:29 < vpnHelper> le0: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
08:29 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
08:29 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)]
08:30 < le0> !def1
08:30 < vpnHelper> le0: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:30 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
08:31 < le0> !linnat
08:31 < vpnHelper> le0: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:37 -!- hyper_ch [n=hyper@194-133.77-83.cust.bluewin.ch] has quit [Remote closed the connection]
08:41 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:44 -!- vpnproblem [n=kid@user-387g74u.cable.mindspring.com] has joined ##openvpn
08:44 < vpnproblem> Hi.
08:44 < vpnproblem> !redirect
08:44 < vpnHelper> vpnproblem: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:44 < vpnproblem> !ipforward
08:44 < vpnHelper> vpnproblem: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
08:45 < vpnproblem> !nat
08:45 < vpnHelper> vpnproblem: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
08:45 < vpnproblem> !linnat
08:45 < vpnHelper> vpnproblem: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
08:50 < vpnproblem> Hi there, is someone able to help me ? I am trying to connect two linux systems thru openvpn but when i connect them, the server stays up and the client loses his internet connection. (server send a message like client/117.117.117.7:56971 MULTI: bad source address from client [117.117.117.7], packet dropped - where 117.117.117.7 is the clients real ip)
08:51 < vpnproblem> anyone ? please
08:54 < teddymills> http://openvpn.net/archive/openvpn-users/2005-03/msg00090.html <--search openvpn.net..lots of similars
08:54 < vpnHelper> Title: Re: [Openvpn-users] MULTI: bad source address from client...packet dropped (at openvpn.net)
08:54 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
08:56 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
08:58 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:59 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 131 (Connection reset by peer)]
09:00 < vpnproblem> Wb teddymills, i've done that too but nothing, still getting the error and my client connection drops
09:01 < dupondje> dazo: you still need my config files ? :)
09:01 < dupondje> can't only give server side atm
09:04 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
09:05 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
09:08 -!- vpnproblem [n=kid@user-387g74u.cable.mindspring.com] has left ##openvpn []
09:11 -!- sigius [n=sigius@93.125.185.45] has quit [Read error: 145 (Connection timed out)]
09:17 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
09:17 -!- le0_ [n=tehfin@83.138.128.243] has joined ##openvpn
09:17 < le0_> doh
09:18 < le0_> realise, when my default gw changes, i get booted =)
09:19 < le0_> can someone help me with a further issue: i have routing sorted at this stage: i can route to tinternet via my openvpn box using ccd files. however, thats all good when source sites are static. not so good when im moving about and need to route internet bound traffic through the vpn. is the only solution to manually amend the ccd file before connecting??
09:23 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
09:24 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
09:28 < teddymills> my openvpn clients connect via dhcp...can i set them to use static ips ?
09:29 < reiffert> "them"?
09:29 < reiffert> tell your dhcpd.
09:30 < teddymills> openvpn server does the dhcpd
09:30 < reiffert> then tell openvpn.
09:30 < reiffert> !static
09:30 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
09:31 < reiffert> !ccd
09:31 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
09:31 < reiffert> !iporder
09:31 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
09:31 < reiffert> !ipp
09:31 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static
09:31 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn
09:31 < teddymills> that is to say..there is no dhcpd running on the openvpn server..openvpn server is set to server mode...and there are dhcp settings on the server.conf file
09:31 < reiffert> read the above lines. yw.
09:32 < dupondje> somebody can help me setting up a forwarding to an internal IP in the VPN ?
09:32 < reiffert> !factoids search forward
09:32 < vpnHelper> reiffert: 'winipforward', 'linipforward', 'ipforward', and 'fbsdipforward'
09:32 < reiffert> !ipforward
09:32 < vpnHelper> reiffert: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:34 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
09:35 -!- le0_ [n=tehfin@83.138.128.243] has quit [Read error: 104 (Connection reset by peer)]
09:35 -!- Dukelord [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)]
09:35 -!- Oreva [n=brenwill@41.204.234.100] has joined ##openvpn
09:36 -!- Oreva [n=brenwill@41.204.234.100] has quit [Read error: 104 (Connection reset by peer)]
09:36 -!- Dukelord [n=brenwill@41.204.234.100] has joined ##openvpn
09:39 < dupondje> !linipforward
09:39 < vpnHelper> dupondje: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
09:39 < dupondje> its already activated ... :p
09:39 < dupondje> useless :)
09:39 < dupondje> !ipforward
09:39 < vpnHelper> dupondje: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
09:42 < dupondje> I did: iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to-destination 192.168.3.104
09:42 < dupondje> and
09:42 < dupondje> iptables -A FORWARD -p tcp -i eth0 -d 192.168.3.104 --dport 5900 -j ACCEPT
09:42 < dupondje> but doesn't seem to work
09:42 < dupondje> it times out
09:45 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has joined ##openvpn
09:47 -!- jeiworth [n=jeiworth@189.163.169.148] has quit [Read error: 110 (Connection timed out)]
09:50 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
09:50 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
09:51 -!- Dukelord [n=brenwill@41.204.234.100] has quit []
09:51 < dupondje> any idea reiffert ? :)
09:53 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:56 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:57 -!- jeiworth [n=jeiworth@189.177.138.34] has joined ##openvpn
09:57 -!- jeiworth [n=jeiworth@189.177.138.34] has quit [Read error: 104 (Connection reset by peer)]
10:01 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
10:07 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
10:08 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
10:08 -!- dupondje [i=d915b147@gateway/web/freenode/x-nnnzybbqftzknunr] has quit ["Page closed"]
10:19 -!- gilos [i=41ab6c0c@gateway/web/freenode/x-kqandfdlnhzygfuc] has joined ##openvpn
10:23 < gilos> I have windows server and solaris clients and I was wondering if there is a way I can push a route down to the solaris boxes or make the solaris clients have static IPs? I have persistent routes on the solaris boxes, but sometimes after restarting them I don't get the same IPs from the windows openvpn server.
10:25 < gilos> also the windows server is on a 2003 windows clustered system (active-passive) and I'm having problems with the tun/tap virtual interface being named the same on both systems. The cluster renames it since they have the same name
10:25 < gilos> and when rolling from side to side it will not restart because the offline side has been renamed to openvpn(1) instead of just being named openvpn.
10:27 < gilos> !route
10:27 < vpnHelper> gilos: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:32 < ecrist> gilos: you're on the right track
10:32 < ecrist> !static
10:32 < ecrist> !iporder
10:32 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
10:32 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
10:32 < ecrist> those will also help you
10:35 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:38 < gilos> I will check to see what I have set on the server side.
10:40 < le0> guys - is there a howto for client side up scripts on *nix boxes? to make DNS pushes work??
10:40 < gilos> right now the only thing I have in the ccd files is "iroute 68.28.50.26 255.255.255.255"
10:41 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn
10:42 < Lyndon> !route
10:42 < vpnHelper> Lyndon: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:44 -!- W0rmF00d is now known as WormFood
10:46 -!- kevinh [n=khowerto@4.58.0.2] has left ##openvpn []
10:56 -!- dazo is now known as dazo|afk
10:57 -!- jeiworth [n=jeiworth@189.177.138.34] has joined ##openvpn
10:58 < kosmic> time for the newws!
10:58 < le0> can anyone point me to where i might find client side up and down scripts for dns rewrite?
11:01 < ecrist> sorry, I don't know of any
11:01 < ecrist> it's really as simple as echo "server a.b.c.d" >> /etc/resolv.conf though
11:02 < le0> sec, might have found something i can use
11:02 < le0> thx ecrist
11:08 < le0> k i found a script that will work.....
11:17 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
11:19 < dupondje> iptables -A FORWARD -p tcp -i tun0 -d 192.168.3.104 --dport 5800 -j ACCEPT
11:19 < dupondje> iptables -t nat -A PREROUTING -p tcp --dport 5800 -j DNAT --to-destination 192.168.3.104
11:20 < dupondje> whats wrong with this to enable a portforwarding to IP address in the VPN client network ?
11:25 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
11:25 -!- le0 [n=tehfin@83.138.128.243] has joined ##openvpn
11:27 -!- vingian [n=vince@66.93.6.130] has joined ##openvpn
11:28 < vingian> hi folks
11:28 < vingian> i need help setting up a machine as a gateway for our vpn
11:29 < vingian> and though this isn't a purely openvpn issue
11:29 < vingian> i wonder if anyone can help me out
11:32 -!- le0 [n=tehfin@83.138.128.243] has quit [Read error: 60 (Operation timed out)]
11:33 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
11:36 < redfox> !route
11:36 < vpnHelper> redfox: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:36 < redfox> !redirect
11:36 < vpnHelper> redfox: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:37 < redfox> @vingian
11:37 < dupondje> redfox: any idea on my issue ? ;)
11:38 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit [Client Quit]
11:39 < vingian> redfox: thanks... i will go through it and see if that helps
11:39 < redfox> dupondje: you should declare an output interface for your forwarding rule
11:39 < redfox> vingian: if you mean "gateway" as in "traffic through box", then !redirect will help
11:40 < vingian> redfox: yes that is what i meant
11:41 < redfox> please read the help guidelines and ask again if you have specific problems
11:41 < vingian> redfox: does redirect mean i may have to install vpn on the clients as well?
11:41 < redfox> that depends on whether you want to use a vpn
11:42 < redfox> or do you think about simple NATing traffic?
11:42 < redfox> without vpn
11:42 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
11:42 < vingian> well, i was hoping i could NAT the traffic for my "foreign" network through a single server
11:43 < vingian> so the server would be the only machine i'd connect to the vpn
11:44 < gilos> you should be able to use a box as a gateway to connect to another network going across the openvpn connection. you will just have to have a route to the other network on all the other systems or have the openvpn box be your default gateway.
11:44 < redfox> so you have a "private" vpn network and want to tunnel all the traffic through one of the clients?
11:44 < gilos> sorta like a branch to branch tunnel.
11:45 < vingian> yes
11:45 < redfox> i c
11:45 < vingian> gilos, redfox that is what i was intending to do
11:46 < vingian> and as i said, this isn't an openvpn issue...
11:47 < vingian> and i just wasn't sure where to ask...
11:47 < gilos> well how is the one box going to connect to the other network?
11:48 < gilos> the gateway box
11:48 < vingian> the gateway box is connected to the local network on iface 1
11:48 < redfox> vingian: you need !nat enabled on the gateway machine and configure !redirect on the vpn server
11:48 < vingian> and on iface 2 it is connected to the inet...
11:49 < vingian> the vpn connects through iface 2
11:49 < gilos> so are you just wanting to allow machines to connect to the internet? from a single box?
11:49 < gilos> or do you have a different network on the other side of the network?
11:49 < dupondje> redfox: iptables -A FORWARD -p tcp -i eth0 -d 192.168.3.104 --dport 5800 -j ACCEPT ?
11:50 < redfox> dupondje: yes, -o is missing
11:50 < vingian> gilos: its a different network
11:51 < vingian> and i want clients on network 1 to be able to access resources on network 2
11:51 < vingian> but network 2 is connected to through vpn
11:52 < redfox> vingian: i told you what 2 do... !nat needs to be enabled on this machine, and the vpn server needs to push a route on all the clients
11:53 < gilos> redfox: if I understand vingian correctly, the rest of the clients won't have clients on them.
11:53 < redfox> gilos: he just told how to set up a gateway "for our vpn" in his first post
11:53 < gilos> it's going to be more of a branch to branch where computers on network 1 connect to computers on network 2
11:54 < hyper_ch> http://www.openstreetmap.org/user/h4ck3rm1k3/diary/8306
11:54 < redfox> s/told/asked/
11:54 < vingian> redfox: thanks
11:54 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
11:54 < vingian> gilos: thats not the problem
11:55 < vingian> gilos: computers on my local can only vpn to the app servers - thats the 'other' network
11:55 < vingian> but i don't want to install separate vpn clients and manage them - so i just want one point of management
11:56 < redfox> vingian: yes, but the clients of the "other" vpn wont use the server as gateway until they are told by the "other" vpn server
11:56 < vingian> redfox: anyway - setting up the nat is exactly where i am having trouble - the packets dont go through
11:56 < redfox> or set up manually, of course.
11:56 < vingian> redfox: i am only looking for one way connectivity
11:57 < vingian> and i would suspect that with NAT i should be able to do that
11:58 -!- Imran-UK [n=imran@78-86-182-205.zone2.bethere.co.uk] has quit [""Nothing will ever be attempted if all possible objections must be overcome first." - Unknown"]
11:59 < gilos> did you read the part about "Expanding the scope of the VPN to include additional machines on either the client or server subnet."
12:00 < redfox> vingian: correct. so i guess your clients already told to use that server as a gateway. then you only need to setup nat
12:00 < vingian> redfox: sound simple enough - doesnt it? :)
12:00 < vingian> redfox: i guess i need a good primer on NATTing
12:00 < vingian> !nat
12:00 < vpnHelper> vingian: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:01 < vingian> !nat | vingian
12:01 < vpnHelper> vingian: Error: "nat" is not a valid command.
12:02 < redfox> !linnat
12:02 < vpnHelper> redfox: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:02 < redfox> if you are using linux
12:04 < gilos> !wincluster
12:04 < vpnHelper> gilos: Error: "wincluster" is not a valid command.
12:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:09 < gilos> !ccd
12:09 < vpnHelper> gilos: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:10 < le0> guys can u automate the ccd entries?
12:10 < le0> for ppl who travel and arent always on the same local subnet?
12:11 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
12:13 < dupondje> iptables -A FORWARD -p tcp -i eth0 -d 192.168.3.104 -o tun0 --dport 5800 -j ACCEPT
12:13 < dupondje> still doesn't work :(
12:24 < ecrist> le0: what do you mean?
12:24 < ecrist> what is to automate?
12:25 < le0> instead of having static ip subnet in per-user ccd
12:26 < le0> sometimes users connect from different ips - such as public access wifi etc. - and their local subnet is different. how can i fix this so that i dont have to change the ccd contents every time it changes?
12:26 < le0> automate = generate automatically
12:27 < ecrist> le0: are you trying to route their local subnet, or just set a static IP?
12:28 < le0> their local subnet no matter what it is
12:28 < le0> i want to route all traffic via the vpn - internet included
12:28 -!- vingian [n=vince@66.93.6.130] has left ##openvpn []
12:29 < ecrist> that's easy, you don't need to update the ccd entries every time
12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:29 < le0> ok... but without ccd files, my routing wasnt working. how do i do this?
12:30 < ecrist> push 'redirect-gateway def1'
12:30 < ecrist> in the main server config
12:30 < ecrist> and make sure you're using proper NAT for the VPN subnet
12:30 < ecrist> krzee: one of us needs to write a howto for re-routing all traffic we can point people to
12:31 < le0> when i did that, without detailing subnets in ccd files i got this error: MULTI: packet dropped due to output saturation (multi_process_incoming_tun)
12:31 < le0> oops, wrong error
12:32 < le0> sec, i will get the right one
12:32 < ecrist> not sure what that's all about, but I've not seen your config or anything
12:32 < le0> Thu Oct 15 15:00:57 2009 us=875063 Finian_Mackin/x.x.x.x:1311 MULTI: bad source address from client [192.168.78.100], packet dropped
12:33 < le0> i solved that prob by setting an iroute in ccd for that user
12:33 < le0> and routing immediately worked
12:33 < ecrist> that's solved with proper NAT
12:33 < le0> server side NAT??
12:33 < ecrist> yes
12:34 < ecrist> you need to NAT OpenVPN connections to our OpenVPN server public or LAN address, or route for the VPN addresses on the server-side LAN
12:34 < le0> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
12:34 < le0> like that?
12:34 < ecrist> *shrug*
12:34 < ecrist> no idea, I don't do linux
12:35 < le0> okie. i will have a play and see what i can do
12:35 < le0> thx for the input =)
12:35 < ecrist> no problem.
12:36 < ecrist> what you're trying to do is extremely common
12:36 < ecrist> and doesn't even require vpn clients have static IPs
12:36 < le0> i thought it should be....
12:36 < le0> nah, vpn clients can be dynamic
12:38 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has joined ##openvpn
12:38 < ecrist> in that case, no reason for ccd entries
12:40 < WormFood> anyone have any experience with OpenVPN on DD-WRT, as a client? this fuckin' shit is driving me crazy....I'm about to just upload my own config, and forget about the shit web based interface.
12:41 -!- le0_ [n=tehfin@83.138.128.243] has joined ##openvpn
12:41 < ecrist> WormFood: good idea
12:41 < le0_> ok. so NAT was my problem. i removed the "client-config-dir" directive from server conf file
12:42 < le0_> and now im routing properly. no need for client config
12:42 < ecrist> le0_: glad to hear you fixed it
12:42 < le0_> thx ecrist
12:42 < ecrist> I actually helped someone in here. finally
12:43 < WormFood> ok...thanks ecrist...another question for you guys....anyone have any experience packaging openvpn install for windows, with the config files? I'd love to give my friends/customers a one step install for openvpn with the config files.
12:44 -!- biberao [i=mapd@unaffiliated/biberao] has joined ##openvpn
12:44 < biberao> hi
12:44 < ecrist> WormFood: there is a fairly complete howto on the OpenVPN website for that
12:45 -!- luse [n=Unknown@des77-1-78-224-147-63.fbx.proxad.net] has joined ##openvpn
12:45 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
12:45 < luse> hey there
12:45 < biberao> hi dewey
12:46 < dewey> hey
12:46 < luse> I would like some help to configure my openvpn server with tap/bridge
12:46 < biberao> luse whats that nick about?
12:46 < biberao> :p
12:46 < le0_> the sample conf files on openvpn site are pretty good for basics. anyone who needs more complex routing, google is the only way
12:46 < le0_> or in here =)
12:46 < luse> i've read http://www.openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html
12:46 < vpnHelper> Title: Ethernet Bridging (at www.openvpn.net)
12:47 < dewey> yeah. i have done the config work already...and i don't know why it's not working here :(
12:47 < ecrist> !all
12:47 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
12:47 < luse> hum, ok
12:48 < luse> biberao: USE is my name :p
12:48 < dupondje> can't get it working :(
12:48 < biberao> use is a real name?
12:48 < dewey> ok...i'll prepare the pastebin thing...
12:48 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
12:48 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
12:48 < WormFood> cool ecrist, I think I glanced at it before, but didn't go through it in detail
12:49 < dewey> thats my server config: http://pastie.org/656367
12:49 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
12:49 < dupondje> I want to enable a forwarding on my OpenVPN server so I can connect to 1 ip:port on a computer in the VPN directly ..
12:49 < WormFood> thanks for the info...I'll check it out before asking more questions about it in the future.
12:49 < dupondje> but it doesn't seem to work :(
12:50 < ecrist> dewey: I would suggest changing your vpn subnet
12:50 < ecrist> !1918
12:50 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
12:51 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:52 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:54 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
12:55 < dupondje> somebody can assist me on my issue ?
12:55 < biberao> openvpn allows to set traffic over ssh tunnel?
12:56 < gilos> ssl
12:59 < WormFood> biberao, after your VPN is setup, you can send ANY traffic over it....it does not care about protocol (of course, it depends on exactly how everything is setup, you may need tap instead of tun depending on how crazy you want to get)
12:59 -!- le0_ [n=tehfin@83.138.128.243] has quit [Read error: 60 (Operation timed out)]
12:59 < biberao> oki
12:59 < biberao> thx
13:01 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
13:02 < luse> http://pastebin.com/m79066b85 <= here is my network and server/client configuration
13:03 < luse> There is linux on all servers.
13:03 < |Mike|> aha
13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
13:04 < luse> So when i connect the vpn-client to the vpn-server
13:04 < ecrist> !ircstats
13:04 < vpnHelper> ecrist: Error: "ircstats" is not a valid command.
13:04 < luse> the vpn-client has an ip in the pool 192.168.10.2-98 (even if i want to use the dhcp of the lan for the future)
13:04 < ecrist> !irclogs
13:04 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
13:05 < luse> When I want to ping ZEUS from VPN-CLIENT, i can't
13:06 < luse> The only method i found to ping Zeus, is to add a route with a gateway = vpn-server on Zeus (and other servers I want to contact)
13:07 < luse> is there any other way to do this without route ? something lighter
13:09 < le0_> can you ping other hosts on 192.168.10.x?
13:10 < luse> only if they have a route to contact 192.168.0.106 as a gateway
13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:11 < le0_> but they should all have static routes pointing at .106 to get to 192.168.0.x
13:11 < le0_> unless your default gw has that route
13:11 < le0_> then it can forward packets?
13:12 < le0_> can you add a route to 192.168.0.x to 192.168.10.254?
13:12 -!- samba [n=samba@76.104.236.199] has joined ##openvpn
13:12 < luse> on the client ?
13:12 < le0_> no on the router itself
13:13 < luse> i can't add route on the client
13:13 < le0_> then, all packets hit the router. packets bound for 192.168.0.x will be forwarded to vpn-server
13:13 < luse> s/client/router
13:13 < le0_> well all u can do is add static routes to servers on that subnet then
13:14 < le0_> are ur servers on .10 static ip's or do they grab reservations from the dns-dhcp server?
13:15 < le0_> u might be able to add secondary gateway there in dhcp options?
13:15 < luse> zeus/athena/hermes/vpn-server/dns-dhcp have static ip configuration
13:15 < le0_> k. cant you add static routes to rc.local etc?
13:15 < |Mike|> lol.
13:15 < |Mike|> you have to do that with openvpn ktnx.
13:16 < luse> now, the dhcp is used when some laptop connect to the lan 192.168.10.0/24
13:17 < luse> but i can assign static ip with the dhcp server, using the mac address of servers, too
13:17 < luse> |Mike|: yeah, but how ?
13:17 < |Mike|> static ip/routes ?
13:18 < le0_> arent u saying that the prob is that zeus cant send packets back to 192.168.0.0/24?
13:18 < luse> zeus can communicate on the lan with other servers on 192.168.10.0/24
13:19 < le0_> yeah but it needs to know where to send packets bound for 192.168.0.0/24
13:19 < luse> but when a vpn client connect to the lan, packets are sent to the vpn-server (using the route), and it forward to the server (zeus or something like that)
13:19 < le0_> either u tell 192.168.10.254 that packets for 192.168.0.0 route via vpn-server
13:19 < le0_> or u add local routes to servers
13:20 < le0_> i cant see any other way
13:20 < luse> zeus don't send packet back to vpn-server without route
13:21 < le0_> yep thats cos the default gateway doesnt know where to send packets for that network
13:21 < luse> yeah
13:21 < le0_> either u tell the def gw, or u tell the sever itself
13:21 < luse> if zeus/hermes/athena... use dns-dhcp to query their static ip, i can set the route
13:22 < luse> but i thought there were another solution
13:22 < le0_> yeah using reservation based on mac etc
13:22 < le0_> i dont think so
13:22 < luse> yep
13:22 < luse> why?
13:22 < le0_> maybe someone else here can help
13:22 < le0_> its basic routing from what i see
13:23 < le0_> if both ips dont know how to route to eachothers networks, packets drop
13:23 < luse> and i have a problem to use dhcp server to set ip for vpn-clients
13:24 < luse> but i need to g2g now... i think i will come back in 1hour
13:24 < luse> i'm at office, at the alarm will be on in 7 minutes. dang. :p
13:24 < le0_> np im sure someone else better equipped to help will be here....
13:24 < luse> s/at/and/
13:42 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has quit ["Lost terminal"]
13:45 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit [Read error: 110 (Connection timed out)]
13:47 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has joined ##openvpn
13:48 -!- luse [n=Unknown@des77-1-78-224-147-63.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
13:48 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has joined ##openvpn
13:48 < biberao> dewey?
13:50 < fatou73> hi, this question seems to have gone through the mailing list at some point, but without an answer. is there a formal specification to the openvpn protocol, something similar to an RFC?
13:51 < krzie> not that i know of
13:52 -!- cilap [n=cilap@ip-109-84-133-49.web.vodafone.de] has joined ##openvpn
13:53 < cilap> hello all
13:53 < cilap> I think I am too stupid to understand the DHCP of openvpn
13:53 < cilap> I have configured ccd to provide a static address to one clinet
13:53 < cilap> client
13:54 < cilap> now this IP also gets passed to an other client via DHCP. The other clients has no fixed IP configured via ccd
13:54 < cilap> can someone help me?
13:54 < |Mike|> !howto
13:54 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:56 < cilap> |Mike|: I have read it, maybe I understood something wrong.
13:58 < reiffert> static
13:58 < reiffert> !static
13:58 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:58 < reiffert> !ccd
13:58 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
13:58 < reiffert> !iporder
13:58 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:02 < cilap> reiffert: I am already using the ccd.
14:02 < cilap> reiffert: the iporder I think is the point
14:02 < cilap> what happens if I am not using the client connect script?
14:07 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
14:07 < krzie> ccd is fine
14:07 < Bushmills> cilap: check --ifconfig-pool server option
14:07 < krzie> if client-connect handed an ip, it would override ccd
14:08 < krzie> just like ccd overrides dynamic ip from --ifconfig-pool
14:09 < cilap> krzie: okay if I pass IPs to the client, I have to exclude this IPs from the ifconfig-pool?
14:09 < cilap> have I got it?
14:11 < krzie> negative
14:11 < krzie> if the ips are given from ccd/ they wont be duped by ifconfig-pool
14:19 -!- friz [n=ana@202.17.broadband12.iol.cz] has joined ##openvpn
14:20 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
14:20 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Client Quit]
14:20 -!- friz [n=ana@202.17.broadband12.iol.cz] has quit [Remote closed the connection]
14:23 -!- UomO_BongA [n=rafa@186.18.133.31] has quit [Read error: 60 (Operation timed out)]
14:24 < cilap> okay I tried to setup a explicit ifconfig-pool, now the server reports, that ifconfig-pool is already set with --server
14:31 < cilap> must I split the --server into its corresponding params to get it work with ifconfig-pool and ccd/ifconfig-push ?
14:31 < cilap> or better is there an example?
14:32 < cilap> if I use --server an in ccd the ifconfig-push the DHCP provides the (ccd configured static IP) as a dynamic IP again to an other client!
14:33 < cilap> this is here reproducible
14:33 -!- cilap [n=cilap@ip-109-84-133-49.web.vodafone.de] has left ##openvpn []
14:34 -!- hkais [n=xenoadmi@ip-109-84-133-49.web.vodafone.de] has joined ##openvpn
14:34 -!- hkais [n=xenoadmi@ip-109-84-133-49.web.vodafone.de] has left ##openvpn []
14:35 -!- cilap [n=cilap@ip-109-84-133-49.web.vodafone.de] has joined ##openvpn
14:35 < cilap> sorry killed the wrong window...
14:41 -!- UomO_BongA [n=rafa@186.18.133.31] has joined ##openvpn
14:58 -!- jeiworth [n=jeiworth@189.177.138.34] has quit [Connection timed out]
15:12 -!- cilap [n=cilap@ip-109-84-133-49.web.vodafone.de] has quit [Read error: 104 (Connection reset by peer)]
15:14 -!- dupondje [n=dupondje@235.167-78-194.adsl-static.isp.belgacom.be] has quit ["Ik ga weg"]
15:52 -!- samba [n=samba@76.104.236.199] has quit [""free(self)""]
15:59 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
16:01 -!- jeiworth [n=jeiworth@187.144.62.120] has joined ##openvpn
16:08 -!- dollabilll [n=mike@97.66.26.10] has quit [No route to host]
16:11 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
16:13 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 110 (Connection timed out)]
16:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
16:26 -!- t0mas [n=Tomas@rockbox/developer/t0mas] has joined ##openvpn
16:26 < t0mas> hi
16:27 < |Mike|> wsup.
16:29 < t0mas> I seem to have a working connection from client to server, but my client does not configure the tun0 device with an IP
16:30 < |Mike|> client = ?
16:31 < t0mas> the linux commandline client
16:31 < t0mas> server config is like this: http://pastebin.com/d7510dffb
16:31 < t0mas> client is started like this: http://pastebin.com/dc7463b7
16:32 -!- edoceo [n=edoceo@c-98-247-254-241.hsd1.wa.comcast.net] has joined ##openvpn
16:33 < t0mas> and it results in the following output from the client: http://pastebin.com/d3ab34f3c
16:33 < |Mike|> what the fuck is tls-server anyway ?
16:33 < t0mas> eeeehm
16:34 < t0mas> the manual lists it as setting TLS to server mode
16:34 < |Mike|> !all
16:34 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
16:34 < |Mike|> !logs
16:34 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:34 < |Mike|> !configs
16:34 < vpnHelper> |Mike|: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:35 < t0mas> ok, I'll collect those :)
16:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:52 < t0mas> |Mike|: I have collected it :-)
16:52 < t0mas> http://pastebin.com/m6d0706ca
17:28 -!- t0mas [n=Tomas@rockbox/developer/t0mas] has quit ["Client Killed"]
17:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
17:51 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
17:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:00 < edoceo> I'm seeing an odd issue where Samba over my VPN is very slow, in-house clients are unaffected - pointers?
18:02 < |Mike|> i blame your firewall e.g encryption leve.
18:02 < |Mike|> l
18:20 < edoceo> |Mike|: encryption on openvpn is set low, FW is a Linksys type of device connected to internet connection in office - could be crap?
18:25 -!- jeiworth [n=jeiworth@187.144.62.120] has quit [Read error: 110 (Connection timed out)]
18:26 < |Mike|> low asin ?
18:28 < krzie> i blame samba
18:28 < krzie> its not a good proto over the inet
18:31 < le0_> guys - to change to udp from tcp all i should have todo is change proto attrib in conf files?
18:31 < le0_> cos i cant make a connection. and its been all good up til now on tcp
18:33 < krzie> yup, but better is to setup stuff right on udp
18:33 < le0_> are there any other changes to be made?
18:33 < krzie> if you are going to have tcp inside the tunnel
18:34 < krzie> well you gotta make sure your firewall (and nat if server if behind one) pass udp...
18:34 < le0_> ah of course
18:34 < le0_> need to port fw
18:34 < le0_> thx, only tcp is forwarded....
18:34 < le0_> merci
18:34 < krzie> yw
18:57 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:11 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
19:11 < le0> udp ftw! =)
19:11 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
19:15 -!- APTX|_ is now known as APTX|
19:31 < edoceo> Well, after much searching with my Slow samba over VPN I found this: "We solved it. Appearantly the network card wasn't functional anymore."
20:35 -!- ksnp [n=ksnp@71.6.65.18] has joined ##openvpn
20:39 < ksnp> is there a pptp channel ?
20:44 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:48 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Client Quit]
20:48 -!- ksnp [n=ksnp@71.6.65.18] has left ##openvpn []
20:48 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:14 -!- master_of_master [i=master_o@p549D42CF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D46D3.dip.t-dialin.net] has joined ##openvpn
21:26 < ecrist> good evening
21:29 < krzie> whats up bro
21:30 < ecrist> not much
21:30 < ecrist> working on setting up an EV certificate for a website
21:42 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
22:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:08 -!- hyper_ch [n=hyper@adsl-84-227-137-239.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
22:09 -!- hyper_ch [n=hyper@62.167.30.19] has joined ##openvpn
22:10 -!- UomO_BongA [n=rafa@186.18.133.31] has quit [Read error: 110 (Connection timed out)]
22:11 -!- UomO_BongA [n=rafa@190.55.70.209] has joined ##openvpn
22:32 -!- UomO_BongA [n=rafa@190.55.70.209] has quit [Read error: 110 (Connection timed out)]
23:09 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn
23:10 -!- ksnp [n=ksnp@71.6.65.18] has joined ##openvpn
23:10 < JyZyXEL> i tried to connect my openvpn server and i get
this: http://pastebin.com/m41824b8c
23:10 < JyZyXEL> was the connection successful or not?
23:15 < theDoc> lol, no
23:15 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
23:15 < theDoc> JyZyXEL> How are you connecting and can you paste your server/client config?
23:18 < JyZyXEL> im using default configs
23:20 < theDoc> JyZyXEL> Can you pastebin your server/client config?
23:21 < JyZyXEL> why? they are the default ones?
23:22 < theDoc> Then obviously, it'll not work if you didn't make changes to the default config.
23:23 < JyZyXEL> i don't think the documentation even wanted me to make changes
23:23 < theDoc> You have to make changes, for sure.
23:23 < theDoc> remote
23:23 < theDoc> and certs.
23:23 < JyZyXEL> not if you use default cert names
23:24 < theDoc> sigh.
23:24 < theDoc> !howto jyzyxel
23:24 < vpnHelper> theDoc: Error: "howto" is not a valid command.
23:24 < ksnp> theDoc, can you tell me if i want to run openvpn on both the udp and tcp ports on debian, if i simply copy the conf file and change to tcp and change tun0 to tun1, if it is expected to work ?
23:24 < theDoc> ksnp> why would anyone do tcp is beyond me
23:24 < theDoc> That shit is retarded beyond belief.
23:25 < JyZyXEL> well?
23:25 < theDoc> JyZyXEL> I suggest you read the howto again
23:26 < ksnp> theDoc, ok
23:26 < JyZyXEL> according to it, it should work after making certs
23:26 < ksnp> so there is no adv of doing tcp if i already have udp correct ?
23:26 < ksnp> i read somewhere that ssl vpn over tcp has some advantages
23:34 < ksnp> basically if i want to do udp over openvpn tcp
23:35 < ksnp> theDoc, can you please tell how to run two openvps using two conf files ?
23:41 < theDoc> ksnp> i just tested tcp the other day
23:41 < theDoc> i saw my latency go up by 3x
23:43 < ksnp> was the protocol being run udp on tcp ?
23:43 < ksnp> because udp on tcp is not as bad ?
23:44 < theDoc> !tcp
23:44 < vpnHelper> theDoc: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
23:47 < ksnp> ok, tcp over tcp i agree
23:47 < ksnp> but udp over tcp can be good sometimes ?
23:47 < ksnp> i read about it few places
23:47 < ksnp> anyway, can you please tell me how i can run both at the same time on debian for example ?
23:47 < ksnp> i just copied the conf, and changed to tcp and the tun0 to tun1
23:47 < theDoc> sigh.
23:48 < ksnp> but i get error sioaddrt or something like that
23:48 < theDoc> ksnp> If your tunnel is in tcp mode, it's shit.
23:48 < theDoc> end of story.
23:50 < ksnp> lol, ok
23:50 < ksnp> can you tell how to run it on udp on two ports simultaneously ?
23:50 < ksnp> can i simply copy the conf change the port number and tun0 to tun1 ?
23:51 -!- JacksonBrown [n=JacksonB@adsl-64-175-43-105.dsl.pltn13.pacbell.net] has joined ##openvpn
23:51 < JacksonBrown> !redirect
23:51 < vpnHelper> JacksonBrown: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:51 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
23:52 < JacksonBrown> anyone here to assist with an odd setup?
23:52 < ksnp> like what ? ;-)
23:52 < theDoc> Maybe.
23:52 < JacksonBrown> I have openvpn on my iPhone
23:52 < JacksonBrown> it works at first
23:53 < JacksonBrown> but when the iPhone sleeps, it disconnects from the GSM network, losing its IP
23:53 < JacksonBrown> when it wakes, OpenVPN tries to reconnect
23:53 < JacksonBrown> but the iPhone only gets an IP if an app tries to access the net
23:54 < JacksonBrown> so it fails to rebuild the route
23:54 < JacksonBrown> as I'm trying to route all traffic through it
23:54 < JacksonBrown> otherwise it reconnects fin
23:54 < JacksonBrown> e
23:55 < ksnp> what app do you have to be able to run openvpn on your iphone ?
23:55 < JacksonBrown> it's jailbroken
23:55 < JacksonBrown> so I can run this build http://code.gerade.org/tunemu/
23:55 < vpnHelper> Title: tunemu - Tun device emulation for Darwin (at code.gerade.org)
23:57 < ksnp> so you can run openvpn AND some other app to use it at the same time ?
23:57 < JacksonBrown> yeah
23:57 < ksnp> i heard iphone allows only one app at a time, i guess running openvpn doesn't count as 1 app, just as 0 app ?
23:57 < JacksonBrown> it's jailbroken so none of that matters
23:57 < JacksonBrown> it runs as a console app
23:58 < ksnp> ok
23:58 < JacksonBrown> or daemon
23:58 < ksnp> ok, so you had it working fine except the above problem ?
23:58 < JacksonBrown> yeah
23:58 < JacksonBrown> nothing wrong with the setups
23:58 < ksnp> ok, cool
23:59 < JacksonBrown> just looking for a workaround
23:59 < ksnp> on a windows client i see that openvpn will eventually connect and get an ip
23:59 < ksnp> workaround for the problem above, or for something else ?
23:59 < JacksonBrown> the above
23:59 < ksnp> (windows xp pro client)
23:59 < ksnp> ok
23:59 < JacksonBrown> it'll eventually connect when it gets an IP
23:59 < ksnp> ok
23:59 < JacksonBrown> but it sets up the routes BEFORE that
--- Day changed Fri Oct 16 2009
00:00 < JacksonBrown> so it won't route any internet traffic through the vpn
00:00 < ksnp> so if it does connect when an app tries to access it, what is your problem ?
00:00 < ksnp> oh ok
00:00 < ksnp> now i see
00:01 < ksnp> when you say app tries to access the net - you mean app trying to access something on the vpn subnet ?
00:01 < ksnp> if its just accessing the internet and it does get an openvpn ip and is a default gateway, then eventually that app would go via vpn correct ?
00:02 < JacksonBrown> at first
00:02 < ksnp> i mean after it wakes up
00:04 < JacksonBrown> OpenVPN tears down the gateway after it times out
00:04 < JacksonBrown> but doesnt rebuild it because there's no other default route
00:04 < ksnp> i c
00:04 < ksnp> oh ok
00:04 < ksnp> i thought that whenever the client connects to the server, the route gets built after that
00:05 < ksnp> at least when the server is pushing the router
00:05 < ksnp> route
00:05 < JacksonBrown> I can't push anything because I'm only using a static key
00:05 < ksnp> why don't you make the server push the route instead of you setting up the route yourself on the client side ?
00:05 < ksnp> oh
00:05 < ksnp> is the server in your control ?
00:05 < JacksonBrown> yeah
00:06 < JacksonBrown> I mean
00:06 < ksnp> ok, maybe you can try using cas and certs and push the route from server side, that way each time client connects, the gateway is setup automatically
00:06 < JacksonBrown> I could set up TLS
00:06 < JacksonBrown> yeah
00:06 < ksnp> i think the conf in the client can also do that ??
00:06 < ksnp> doesn't have to be pushed from the server
00:06 < ksnp> if i am not mistaken
00:06 < ksnp> maybe theDoc can tell
00:06 < ksnp> brb
00:07 < theDoc> What about?
00:07 < JacksonBrown> --redirect-gateway def1
00:07 < JacksonBrown> changes the route before the VPN actually connects
00:08 < JacksonBrown> then changes it back when the connection drops
00:08 < JacksonBrown> and wont rebuild if the client reconnects
00:12 < ksnp> i c
00:12 < ksnp> theDoc, can the client conf tell to setup the route on the client side after the connection is setup ?
00:12 < oc80z> hi ksnp
00:12 < oc80z> gluck
00:12 < ksnp> can you tell me how you got it working ?
00:13 < ksnp> oc80z,
00:13 < ksnp> JacksonBrown, i think pushing the routes from server should work
00:16 < ksnp> and your problem is only with the redirect gateway correct ? so if an app wants to access the server it can ?
00:16 < JacksonBrown> yep
00:16 < ksnp> ok, i am not familiar with iphone, but jailbroken is a hacked iphone that allows you to run multiple iphones ?
00:16 < ksnp> or something that allows you to run your own apps ?
00:17 < JacksonBrown> yeah
00:17 < ksnp> sorry i mean run multiple apps (not iphones :) )
00:17 < ksnp> own apps, and multiple at the same time ?
00:17 < JacksonBrown> apps dont need to be signed
00:17 < JacksonBrown> and they add a small unix toolset
00:17 < JacksonBrown> theres a terminal program
00:17 < JacksonBrown> so I can run openvpn
00:17 -!- hyper_ch [n=hyper@62.167.30.19] has quit [Remote closed the connection]
00:17 < JacksonBrown> then set it up as a launchdaemon
00:17 < JacksonBrown> once it's working 100%
00:18 < ksnp> cool
00:18 < JacksonBrown> next will be to set it up so it DOESN'T connect if on a trusted wifi network
00:18 < ksnp> is there a risk of iphone turning into a brick if you jailbreak it ?
00:19 < ksnp> jailbreak it incorrectly ?
00:19 < JacksonBrown> it doesn't flash anything, so one should always be able to enter recovery mode and reupload the software
00:19 < JacksonBrown> though I'm not sure
00:20 < ksnp> you mean to revert it back to a regular iphone type ?
00:20 < JacksonBrown> yeah
00:20 < ksnp> ok
00:20 < JacksonBrown> I think unlocking is a bit riskier
00:20 < JacksonBrown> for using it on other cell nets
00:20 < ksnp> oh ok, so jailbreak doesn't require unlocking ?
00:20 < ksnp> i guess so
00:20 < JacksonBrown> nope
00:20 < ksnp> doesn't need to be connected (two things) of course
00:21 < ksnp> so your server runs at your home ?
00:21 < JacksonBrown> well you need to jailbreak to run the unlocking software
00:21 < ksnp> your office ?
00:21 < ksnp> i c
00:21 < JacksonBrown> ksnp: home, on a wrt54g
00:21 < JacksonBrown> if I generate keys on another machine
00:21 < ksnp> you have openvpn running on wrt working ?!
00:22 < JacksonBrown> yeah, that was easy
00:22 < JacksonBrown> http://tomatovpn.keithmoyer.com/
00:22 < vpnHelper> Title: TomatoVPN (at tomatovpn.keithmoyer.com)
00:22 < ksnp> is it just the default package (say mega) that has it working ?
00:22 < ksnp> you are using dd-wrt ?
00:22 < ksnp> oh ok
00:22 < ksnp> does it allow multiple clients ?
00:22 < ksnp> and site to site as well ?
00:22 < JacksonBrown> yes, though I don't know the hardware limitations
00:23 < ksnp> ok, so you already tested 2 clients and it works ?
00:23 < ksnp> and did you try site to site ?
00:23 < JacksonBrown> haven't tried it
00:24 < ksnp> do you know if one can run an email server on a wrt ?
00:24 < JacksonBrown> I'm sure there's something if you're willing to try openwrt
00:24 < ksnp> ok
00:24 < ksnp> openwrt is supposed to be more complicated i think, at least compared to dd-wrt or tomato ?
00:25 < JacksonBrown> oh yeah
00:25 < JacksonBrown> no decent gui
00:25 < JacksonBrown> though it's improved
00:25 < ksnp> ok
00:26 < ksnp> do you have any other machine running a server other than your router ?
00:26 < JacksonBrown> yeah, I have an Ubuntu server
00:26 < ksnp> ok, cool, i guess you don't use that since it is not always on ?
00:27 < JacksonBrown> I was originally using that to host L2TP for the iPhone
00:27 < JacksonBrown> then OpenVPN
00:27 < JacksonBrown> then I decided to try the router
00:27 < ksnp> ok
00:27 < ksnp> is there a free l2tp app / client for iphone i guess ?
00:27 < JacksonBrown> it comes with one
00:27 < ksnp> oh ok
00:27 < JacksonBrown> not great though
00:28 < JacksonBrown> doesn't automatically reconnect when it wakes up
00:28 < ksnp> and even if not jailbroken, it is not counted as an app ?
00:28 < JacksonBrown> yeah it's part of the network settings
00:28 < ksnp> ok
00:28 < ksnp> what about pptp ?
00:28 < JacksonBrown> PPTP, L2TP/IPSec and Cisco IPSec support
00:28 < ksnp> ok
00:28 < ksnp> other than reconnection it works fine ?
00:28 < JacksonBrown> yep
00:28 < ksnp> ok
00:28 < JacksonBrown> nice and friendly
00:28 < ksnp> ok
00:28 < JacksonBrown> PPTP didn't work over my cell net though
00:29 < ksnp> oh why is that ?
00:29 < JacksonBrown> no idea
00:29 < ksnp> ok
00:29 < JacksonBrown> just wouldn't connect
00:29 < ksnp> maybe tomato has a l2tp server ?
00:29 -!- EnginAy [i=engin@ip-174-142-128-148.static.privatedns.com] has joined ##openvpn
00:29 < JacksonBrown> no, but you can get openswan on openwrt
00:29 < JacksonBrown> that was a pain
00:29 < JacksonBrown> because it's so big
00:30 < ksnp> hey you have an email server running on your ubuntu as well ?
00:30 < ksnp> ok
00:30 < JacksonBrown> naw
00:30 < ksnp> ok
00:30 < ksnp> ftp ? scp ?
00:30 < JacksonBrown> ssh
00:30 < ksnp> ok
00:31 < ksnp> can i ssh and use talk on it for a bit ?
00:31 < ksnp> instead of here i mean
00:31 < JacksonBrown> eh, it's not up
00:32 < EnginAy> why isn't there a "HOWTO Setup your openvpn server" doc ? instead there are bits of information in a long HTML page.
00:32 < ksnp> JacksonBrown, see your pm
00:32 < EnginAy> I mean,
00:32 < EnginAy> isn't primary intent of OpenVPN is that ?
(and the client of course)
00:33 -!- pudges145 [i=iMGqxTsL@pool-173-57-173-123.dllstx.fios.verizon.net] has joined ##openvpn
00:33 < pudges145> achtung
00:34 < pudges145> do not exchange messages w/ JacksonBrown
00:34 < pudges145> he is a known paedophile
00:34 < pudges145> and solicits minors over the FreeNode network
00:35 < JacksonBrown> lol
00:35 < JacksonBrown> hy
00:36 < ksnp> just ignore that troll
00:36 < JacksonBrown> pudges145: status of making #arab right-to-left reading
00:37 < ksnp> hey let me ask this : if i want to run openvpn on two ports with udp, i create a new copy of the conf, change the port and tun0 to tun1, is it expected to work (on debian) ?
00:37 < JacksonBrown> Can I run multiple OpenVPN tunnels on a single machine?
00:37 < JacksonBrown> Yes, of course.
00:37 < JacksonBrown> If you are running 2 or more OpenVPN instances on the same machine, you will need a separate virtual TUN/TAP adapter and a separate port (using the port directive) for each instance.
00:37 < JacksonBrown> Make sure each TUN/TAP adapter has a unique, non-overlapping subnet using server, server-bridge, or ifconfig.
00:38 < pudges145> i tooted
00:38 < pudges145> ksnp: wanna sniff?
00:38 < ksnp> JacksonBrown, you are referring to multiple servers or clients ?
00:38 < ksnp> or both ?
00:38 < ksnp> i guess both its basically same only conf changes what it is ?
00:38 < JacksonBrown> doesn't matter
00:39 < ksnp> ok, on debian i tried to create a copy of the conf file, and changed port number (actually udp to tcp) and then tun0 to tun1
00:39 < pudges145> ksnp: you didn't reply
00:39 < ksnp> i get some sioaddrt error
00:39 < pudges145> also JacksonBrown is a known troll
00:39 < JacksonBrown> duh
00:39 < ksnp> JacksonBrown, you can use ignore to ignore that troll, btw
00:39 < pudges145> he's attempting to reach operator status in this channel
00:40 < JacksonBrown> o/
00:40 < pudges145> a google search for +gnaa +jacksonbrown will reveal that
00:40 < JacksonBrown> pudges145: I gave him the addy
00:40 < ksnp> hmm i used same subnet
00:40 < JacksonBrown> http://gnaa.nimp.org
00:40 < vpnHelper> Title: GNAA Last Measure Live! (at gnaa.nimp.org)
00:40 -!- neoice [n=neoice@thule.neoice.net] has left ##openvpn []
00:40 < ksnp> maybe that's the problem ?
00:41 < JacksonBrown> 22:37 < JacksonBrown> Make sure each TUN/TAP adapter has a unique, non-overlapping subnet using server, server-bridge, or ifconfig.
00:41 < pudges145> bye tooted
00:41 -!- pudges145 [i=iMGqxTsL@pool-173-57-173-123.dllstx.fios.verizon.net] has quit ["brb my dad's egg is ready"]
00:42 < ksnp> ok
00:42 < ksnp> i guess i missed that
00:42 < JacksonBrown> never tried it though
00:42 < JacksonBrown> so who knows
00:42 < ksnp> ok
00:43 < ksnp> ok, nice chatting with you, need to get back to something, see you around next time, hopefully might be able to get to dd-wrt in a few days :)
00:44 < JacksonBrown> bye hiss
00:44 -!- JacksonBrown [n=JacksonB@adsl-64-175-43-105.dsl.pltn13.pacbell.net] has quit ["Lost terminal"]
00:44 -!- JacksonBrown [i=hyokSRuh@pool-173-57-173-123.dllstx.fios.verizon.net] has joined ##openvpn
00:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
00:53 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 60 (Operation timed out)]
00:58 -!- hyper_ch [n=hyper@213-191.76-83.cust.bluewin.ch] has joined ##openvpn
00:59 -!- EnginA [i=engin@93.158.114.91] has joined ##openvpn
00:59 -!- ksnp [n=ksnp@71.6.65.18] has quit [" HydraIRC -> http://www.hydrairc.com <- Go on, try it!"]
01:05 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 145 (Connection timed out)]
01:06 -!- EnginAy [i=engin@ip-174-142-128-148.static.privatedns.com] has quit [Read error: 60 (Operation timed out)]
01:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:38 -!- EnginAy [i=engin@213.163.74.180] has joined ##openvpn
01:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
01:51 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
01:57 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has quit [Read error: 54 (Connection reset by peer)]
01:57 -!- EnginA [i=engin@93.158.114.91] has quit [Read error: 110 (Connection timed out)]
01:57 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
02:00 -!- mekwall
[n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
02:06 -!- EnginA [i=engin@98.143.144.115] has joined ##openvpn
02:13 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
02:16 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
02:21 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 60 (Operation timed out)]
02:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:22 -!- EnginAyd [i=engin@213.163.74.135] has joined ##openvpn
02:22 -!- EnginAy [i=engin@213.163.74.180] has quit [Read error: 110 (Connection timed out)]
02:25 -!- c64zottel [n=hans@62.12.220.164] has joined ##openvpn
02:29 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
02:29 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
02:41 -!- EnginA [i=engin@98.143.144.115] has quit [Read error: 110 (Connection timed out)]
02:44 -!- oc80x [n=oc80z@priv.efnet.pe] has joined ##openvpn
02:57 -!- EnginAy [i=engin@69.4.233.166] has joined ##openvpn
03:13 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
03:15 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:15 -!- EnginAyd [i=engin@213.163.74.135] has quit [Read error: 110 (Connection timed out)]
03:33 < zamba> i'm using a vpn server that handles and sets up an internal network.. how can i predict the addresses given to each "peer"?
03:33 < zamba> and/or view them?
03:36 -!- twisted__ [n=twisted@207.70.183.44] has joined ##openvpn
03:37 < twisted__> anyone alive in here ?
03:38 -!- twisted__ [n=twisted@207.70.183.44] has left ##openvpn ["Leaving"]
04:03 -!- EnginAyd [i=engin@69.4.233.161] has joined ##openvpn
04:10 < roentgen> zamba: use ccd directive to "predict"
04:11 < roentgen> more exactly: client-config-dir /path/ccd
04:12 < roentgen> and ifconfig-pool-persist for the second issue
04:21 -!- dazo|afk is now known as dazo
04:21 -!- dazo [n=dazo@nat/redhat-us/x-noejbejdadwnclpv] has quit [Remote closed the connection]
04:22 -!- dazo [n=ndazo@nat/redhat-us/x-gisgajssqbthhzbj] has joined ##openvpn
04:25 -!- EnginAy [i=engin@69.4.233.166] has quit [Read error: 110 (Connection timed out)]
04:53 -!- newer [n=rookie@218.241.238.132] has joined ##openvpn
04:54 < newer> hi
04:54 < newer> who use openvpn als
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Nick collision from services.]
05:04 -!- buntfalke_ is now known as buntfalke
05:16 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)]
05:30 -!- ScruffCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has joined ##openvpn
05:30 < ScruffCESI> hi
05:55 -!- UomO_BongA [n=rafa@190.55.70.209] has joined ##openvpn
06:23 < zamba> roentgen: ifconfig-pool-persist to view the leased ip addresses?
06:27 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:31 -!- EnginAyd [i=engin@69.4.233.161] has quit [Read error: 145 (Connection timed out)]
06:31 < ecrist> openvpn status
06:32 < |Mike|> newer: als?
06:32 -!- brizly [n=brizly_v@p4FC98486.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:33 < reiffert> |Mike| http://www.ohloh.net/p/adito
06:33 < vpnHelper> Title: OpenVPN ALS (at www.ohloh.net)
06:34 -!- brizly [n=brizly_v@p4FC986F0.dip0.t-ipconnect.de] has joined ##openvpn
06:35 < |Mike|> thanks req
06:35 < |Mike|> err, reiffert ^
06:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
06:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
06:46 -!- EnginAyd [n=engin@78.171.28.47] has joined ##openvpn
07:01 < reiffert> yw mike
07:03 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:07 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn
07:13 -!- tsunami_ [n=tsunami@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has joined ##openvpn
07:14 < tsunami_> i have some issues with my open vpn server where it fails when revoking users
07:14 < tsunami_> is there a walkthrough for revoking users by hand?
07:15 < reiffert> tsunami_:
07:15 < reiffert> !howto
07:15 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:15 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
07:19 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
07:20 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
07:24 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
07:27 < tsunami_> yeah.. it's not in there. but this guy has a fix for me -- can someone here look over what he did. he commented out a few lines of code, does this have any adverse effects?
07:27 < tsunami_> http://osdir.com/ml/network.openvpn.devel/2008-05/msg00021.html
07:27 < vpnHelper> Title: [PATCH] easy-rsa: Make revoke-full work when engin: msg#00021 network.openvpn.devel (at osdir.com)
07:29 < reiffert> tsunami_: pardon "It's not in there"?
07:29 < tsunami_> sry, in the howto
07:29 < tsunami_> my issue isn't addressed
07:30 < reiffert> does your browser support searching?
07:30 < ecrist> lol
07:30 < tsunami_> ...
07:30 < reiffert> did you search after the word "revoke" on that page?
07:31 < tsunami_> yes
07:31 < reiffert> and did your browser return something on that page?
07:31 < tsunami_> i read through it carefully and inspected the server alongside
07:31 < tsunami_> you're an ass
07:31 < |Mike|> excuse me ?
07:31 < reiffert> tsunami_: and you are welcome.
07:31 < tsunami_> i feel like you are being very rude
07:32 < tsunami_> you sent me the howto and I did read it
07:32 < |Mike|> it's not that the regular helpers get paid.
07:32 < tsunami_> i apologize
07:33 -!- tsunami_ [n=tsunami@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has quit []
07:34 < reiffert> wtf?
07:34 < ecrist> lol
07:34 < ecrist> I enjoy seeing people other than myself get frustrated with lusers
07:34 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
07:34 < reiffert> "my issue isn't addressed
07:34 < reiffert> "
07:35 -!- le0 [n=tehfin@83.138.128.243] has joined ##openvpn
07:35 -!- hyper_ch [n=hyper@213-191.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
07:36 < |Mike|> wow, words do make a difference
07:37 < reiffert> should I feel guilty now or do I get things wrong?
07:38 < |Mike|> nope, i would have said the same
07:48 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:49 -!- le0 [n=tehfin@83.138.128.243] has quit [Read error: 60 (Operation timed out)]
07:51 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
07:52 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
07:54 -!- oc80x [n=oc80z@priv.efnet.pe] has quit []
07:55 -!- WormFood [n=wormfood@119.136.226.108] has quit [Read error: 145 (Connection timed out)]
08:02 < |Mike|> heh, who let oc80x in ?
08:02 < reiffert> ?
08:03 < ecrist> ?
08:04 -!- hyper_ch [n=hyper@213-191.76-83.cust.bluewin.ch] has joined ##openvpn
08:06 -!- rookie [n=rookie@218.241.238.132] has joined ##openvpn
08:08 -!- WormFood [n=wormfood@119.136.226.108] has joined ##openvpn
08:09 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn
08:09 -!- newer [n=rookie@218.241.238.132] has quit [Read error: 104 (Connection reset by peer)]
08:09 < exes> is there any way to execute a program when a VPN connection is made, and potentially kill it when it's closed?
08:09 < exes> kind of a weird question I guess
08:09 < ecrist> yes, with up and down scripts
08:09 < exes> ah, yeah of course
08:10 < exes> thanks
08:10 < ecrist> np
08:13 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 110 (Connection timed out)]
08:15 < zamba> what is the deal with the commercial product of openvpn?
08:16 < zamba> are we "open source" users missing out on anything?
08:16 < ecrist> yes
08:16 < zamba> what?
08:16 < ecrist> the commercial package is a more complete solution, offering a web interface for user certificate management, etc
08:16 < ecrist> if you read through the information, your questions will be answered
08:18 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
08:18 < Optic> hi
08:20 < ecrist> moo
08:20 < zamba> so it's basically administration and ease-of-use the commercial package brings?
08:21 < reiffert> openvpn web gui is a perfect webgui ...
08:21 < ecrist> yes
08:21 -!- rawDawg2 [n=rawDawg@99.57.58.238] has joined ##openvpn
08:21 < zamba> demo?
08:22 < ecrist> I think there is a free non-commercial download good for one server and one client
08:24 < zamba> okei
08:24 < zamba> but the openvpn suite isn't moving in a commercial direction? it's still going to be a good open source product=
08:25 < zamba> with active development?
08:25 < ecrist> the open source project will remain
08:25 < ecrist> the commercial part just adds some admin utils and support
08:25 < zamba> ok, yeah.. that's good
08:28 -!- ScruffCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
08:28 -!- ScruffCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has joined ##openvpn
08:35 -!- ScrufCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has joined ##openvpn
08:35 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
08:53 -!- rookie [n=rookie@218.241.238.132] has quit ["Leaving"]
08:53 -!- ScruffCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
09:04 < gilos> I have a 2003 windows clustered system (active-passive) and I'm having problems with the tun/tap virtual interface being named the same on both systems. The cluster renames it since they have the same name
09:04 < gilos> and when rolling from side to side it will not restart because the offline side has been renamed to openvpn(1) instead of just being named openvpn.
09:04 -!- hyper__ch [n=hyper@87-232.76-83.cust.bluewin.ch] has joined ##openvpn
09:04 -!- hyper_ch [n=hyper@213-191.76-83.cust.bluewin.ch] has quit [Nick collision from services.]
09:04 -!- hyper__ch is now known as hyper_ch
09:05 -!- EnginAyd [n=engin@78.171.28.47] has quit [Read error: 113 (No route to host)]
09:09 < onats> !ping
09:09 < vpnHelper> pong
09:10 < onats> i setup a windows xp client.
but my ccd config file with a directive to push route 10.0.1.0 does not get accepted.. it doesnt show on the routing table of the windows xp client. is this an issue or a configuration issue?
09:14 < ecrist> config issue, likely
09:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:17 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn
09:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
09:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:25 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
09:28 -!- ruotsalainen [n=unknown@69.172.135.243] has quit ["leaving"]
09:33 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
09:34 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
09:37 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 110 (Connection timed out)]
09:39 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
09:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:42 -!- user_corrupt [n=user_cor@216.8.141.210] has joined ##openvpn
09:44 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:44 < user_corrupt> im running a version of openvpn on OSX, and though I am able to establish a tunnel connection, I'm not quite sure that my browser is being routed through that....the IP displayed by my client is different than the external IP that I am getting when I check on the internet
09:45 < edoceo> traceroute ?
09:45 < ecrist> traceroute is the way to go
09:45 < user_corrupt> okey doke, ill look into how to perform that, thanks
09:46 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:47 < teddymills> RDP is very slow when I am remote and connecting to any RDP client on the office network.
I am going thru the router that portforwards 3389 to the OpenVPN server. Should I turn off the 3389 portforwarding? (RDP thru the public IP to that router, works much better)
09:48 < reiffert> netstat -nr
09:50 < user_corrupt> I did a traceroute, and it is reporting final hops in my local city, so I guess that I am not being tunneled through this active VPN that I have?
09:51 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
09:51 < edoceo> user_corrupt: likely that only some of your traffic is on the VPN link
09:52 < edoceo> public traffic using standard link, private network traffic using the VPN - your routing table will likely show multiple gateways which will be chosen based on destination subnet
09:52 < user_corrupt> is there some way to force my browser to use the VPN to visit a particular site?
09:53 < edoceo> Yes, route traffic for that site through the vpn
09:53 < user_corrupt> k, im running osx leopard, so any hint how i might do that?
09:56 < user_corrupt> hmm, i have "send all traffic over VPN gateway" selected in the client...
09:58 -!- hyper_ch [n=hyper@87-232.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
10:00 < edoceo> you'd need to check the routing table on your client, make sure that default route is set to send traffic through the VPN to its gateway
10:03 < teddymills> missing a default gw of 172.16.235.1 on my vpn clients..but it still works...RDP does not work...Is the lack of the GW the problem?
10:13 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:16 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
10:20 -!- jeiworth [n=jeiworth@189.177.138.34] has joined ##openvpn
10:21 -!- ScrufCESI [n=Scruffy@LRouen-152-82-19-160.w80-13.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
10:24 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
10:28 -!- user_corrupt_ [n=user_cor@216.8.170.117] has joined ##openvpn
10:31 -!- user_corrupt [n=user_cor@216.8.141.210] has quit [Read error: 145 (Connection timed out)]
10:32 -!- user_corrupt_ [n=user_cor@216.8.170.117] has quit [Read error: 131 (Connection reset by peer)]
10:37 -!- user_corrupt [n=user_cor@dyn216-8-141-77.ADSL.mnsi.net] has joined ##openvpn
10:39 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has joined ##openvpn
10:42 -!- user_corrupt [n=user_cor@dyn216-8-141-77.ADSL.mnsi.net] has left ##openvpn []
10:56 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection]
10:58 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
11:02 < Bushmills> unlikely. more likely is that you bound the rdp server to one interface only (to eth, and not to tun), or you have firewalled it.
11:08 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:09 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
11:12 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:12 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
11:47 -!- Muligan [n=muligan1@209-193-88-45.mammothnetworks.com] has joined ##openvpn
11:48 < Muligan> hey fellas
11:48 < Muligan> newb openvpn user here
11:48 < Muligan> trying to setup the client and establish a vpn connection in windows to a remote server
11:48 < Muligan> downloaded and installed the latest version
11:49 < Muligan> i'm trying to get the gui to start, but the only thing that comes up is the icon in the taskbar for the proxy settings
11:50 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 60 (Operation timed out)]
11:50 -!- samba [n=samba@76.104.236.199] has joined ##openvpn
11:50 < Muligan> http://pastebin.com/m703262fa
11:51 < Muligan> this is the readout from what I get when trying to start up one of the clients
11:51 < reiffert> 2.0.9?
11:51 < Muligan> 2.1r20
11:52 < reiffert> Cannot load certificate file client.crt: error:02001002
11:52 < reiffert> :system library:fopen:No such file or directory:
11:52 < Muligan> do I need to obtain that from the remote server?
11:54 < reiffert> there is an official howto. read it.
11:54 < reiffert> !howto
11:54 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:55 < |Mike|> o please, someone shoot some people
11:59 * reiffert shoots |Mike|
12:01 < |Mike|> thanks!
12:01 -!- jeiworth [n=jeiworth@189.177.138.34] has quit [Read error: 110 (Connection timed out)]
12:01 < |Mike|> i just had someone on the phone wich to surf through an unprotected wifi router
12:01 < |Mike|> werd
12:02 < |Mike|> e-wrongwindow
12:05 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
12:06 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:07 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
12:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:13 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
12:15 -!- kusznir_ [n=kusznir@jim-1.eecs.wsu.edu] has joined ##openvpn
12:15 < kusznir_> HI all: quick question: Is there an easy way to add a "post-up" rule into openvpn so that when it activates its tun0 interface I can have it add a firewall rule?
12:16 < kusznir_> (I'm using firewall-builder, and it won't let me add rules for interfaces that are not yet up, but it runs well before openvpn starts...)
12:16 -!- rawDawg2 [n=rawDawg@99.57.58.238] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
12:17 < reiffert> kusznir_: "--up"
12:17 < kusznir_> So in the config file it would just be "up "?
12:17 < reiffert> kusznir_: So in the manpage it's searching and reading.
12:18 < teddymills> trying to make some vpn client certificates...cd /etc/openvpn/easy-rsa then I did './clean-all' and 'source ./vars' Did I just delete my ca.cert server certificate?
12:18 < kusznir_> ahh..sorry...Been googling for a while, but not finding anything relevant...I forgot to check the man page.
12:18 < reiffert> teddymills: clean-all did this.
12:18 < reiffert> kusznir_: maybe --connect is what you want, just read it up.
12:19 < teddymills> what about all the other openvpn clients..can they still connect?
12:19 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:19 < reiffert> kusznir_: sorry, --client-connect that is.
12:19 < |Mike|> teddymills: probably not
12:20 < reiffert> backup.
12:22 < teddymills> yes they can still connect...can i use the ca.cert file from one of the openvpn clients and copy it back to /etc/openvpn/easy-rsa/keys ?
12:24 < |Mike|> yep
12:24 < kusznir_> teddymills: if you don't have a backup of your ca.key, then you cannot make any more client keys, but existing clients will work.
12:24 < |Mike|> or whatever your path is btw
12:26 < teddymills> which one do i need? ca.crt or ca.key?
12:26 < kusznir_> teddymills: to make new certs, you need both.
12:26 < kusznir_> teddymills: to use keys (i.e., let clients work), you need only the ca.crt.
12:26 < kusznir_> let *existing* client keys work....
12:29 < teddymills> when i made the first 10 openvpn clients., i gave each one USER.CRT USER.KEY USER.CSR CA.CRT and dh1024.pem
12:30 < reiffert> teddymills: you should read the howto.
12:30 < kusznir_> teddymills: nobody needs .csr and clients don't need dh1024.pem (only server).
12:30 < teddymills> i also have /etc/openvpn/server.key not sure if that is it
12:31 < kusznir_> In order to USE a key, any entity needs to have their .crt, their .key, and ca.crt. In order for you to create more clients, you must have ca.crt and ca.key. The ONLY time ca.key is used is when you CREATE a new key.
12:32 < kusznir_> and without ca.key, you CANNOT CREATE any more user crt/key's.
12:32 < teddymills> i suppose it would not hurt to copy them to /etc/openvpn/easy-rsa/keys as ca.key and make sure ca.crt is there as well
12:32 < kusznir_> If you've lost ca.key and you plan on making new certs for clients, you'll have to create a new ca, and issue ALL NEW keys to ALL existing clients. There's no way around it.
12:33 < kusznir_> /etc/openvpn/server.key IS NOT ca.key, and it will NOT WORK as ca.key.
12:33 < kusznir_> Every file is different...They're all unique credentials, and they CANNOT be substituted for each other.
12:35 -!- kusznir_ [n=kusznir@jim-1.eecs.wsu.edu] has left ##openvpn ["Leaving"]
12:35 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
12:36 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
12:37 < teddymills> i made duplicates of the ca.crt and ca.key..before i renamed them server.key server.crt i believe..anyways..with those files I was able to make a certificate with the same parameters I used before...no problem..I just hope it works now.
12:37 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
12:37 < teddymills> clean-all is deadly
12:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
12:41 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
12:43 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
12:55 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
13:02 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
13:17 < reiffert> backup++
13:36 -!- samba [n=samba@76.104.236.199] has left ##openvpn []
13:38 -!- dollabilll [n=mike@97.66.26.10] has quit []
13:41 -!- dazo is now known as dazo|afk
14:02 -!- k3asd` [n=k3asd@2001:5c0:1400:a:0:0:0:393] has quit ["Sto andando via"]
14:08 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit ["ZNC - http://znc.sourceforge.net"]
14:10 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
14:18 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Connection timed out]
14:26 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
15:03 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
15:06 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
15:06 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
15:08
-!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
15:09 -!- jetole [n=Joe@204.13.0.100] has joined ##openvpn
15:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
15:10 < jetole> can anyone tell me if there is a way to show a list of revoked certificates or if there is a way to see if a cert has been revoked?
15:15 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
15:32 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
15:35 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Client Quit]
15:37 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
15:54 < biberao> brb
15:54 -!- biberao [i=mapd@unaffiliated/biberao] has left ##openvpn []
15:55 < |Mike|> okay?
15:55 < |Mike|> jetole: euh no idea, it's stated in the howto tho :P
16:14 -!- kevinh [n=khowerto@4.58.0.2] has quit []
16:32 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["BRB"]
16:33 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
16:34 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
16:42 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["BRB again"]
16:45 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
16:46 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection]
17:00 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
17:08 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
17:21 < krzee> jetole check out the CRL
17:21 < krzee> I'd assume the plaintext CN is in there
17:30 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
17:36 -!- c64zottel [n=hans@62.12.220.164] has quit ["Leaving."]
17:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
18:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
18:14 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 113 (No route to host)]
18:45 -!-
jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
18:52 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 54 (Connection reset by peer)]
18:53 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
19:22 -!- zamba [i=marius@flage.org] has quit [Read error: 60 (Operation timed out)]
19:30 -!- havoc [n=havoc@saturn.chaillet.net] has left ##openvpn ["bbl"]
19:40 < |Mike|> oc80z:
19:40 -!- UomO_BongA [n=rafa@190.55.70.209] has quit [Read error: 131 (Connection reset by peer)]
20:46 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
20:47 < DevilsPGD> !route
20:47 < vpnHelper> DevilsPGD: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:47 < krzee> read it dont skim it ;]
20:48 < DevilsPGD> I'm pretty sure I've read it before, but looking for a refresher since I've been playing with IPSec a lot lately
20:53 < DevilsPGD> I've currently got one server out on the net and one LAN behind NAT, with an OpenVPN tunnel connecting the two. Works great.
20:53 < DevilsPGD> We're adding a second remote server in another data center for redundancy, what I'm trying to figure out is the best way to allow the servers to cross-talk without the traffic relaying through our LAN connection.
20:54 < DevilsPGD> Should I be going for a hub+spoke system, or is there a better way?
20:57 < DevilsPGD> Pointers to documentation/FAQs/whatever are appreciated, just not sure I've fully digested how routing will work with multiple tunnels active at once (or whether there is a better way than that)
21:12 -!- theDoc [n=hex@bb116-15-28-1.singnet.com.sg] has joined ##openvpn
21:14 -!- master_of_master [i=master_o@p549D46D3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:18 -!- master_of_master [i=master_o@p549D7B10.dip.t-dialin.net] has joined ##openvpn
21:21 -!- thedoc_ [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
21:31 -!- theDoc [n=hex@bb116-15-28-1.singnet.com.sg] has quit [Nick collision from services.]
21:31 -!- thedoc_ is now known as theDoc
21:37 -!- ethos5 [n=ethos5@r69h135.res.gatech.edu] has joined ##openvpn
21:39 < ethos5> Quickish question - I'm trying to set up my openvpn client so that it can roam between inside and outside my LAN. I want the server to route packets between my client and the rest of the LAN subnet when outside of the LAN, but if I push a route to the client telling it to route all traffic going to the gateway through the tunnel, everything breaks. Is there an easy way to do this, or am I barking up the wrong tree?
22:03 < krzie> !def1
22:03 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
22:04 < theDoc> Anyone here uses radius + daloradius?
22:04 < theDoc> Have a quick question 22:19 < ethos5> krzie: def1 would make sense if I wanted to use route-gateway, but I don't want all traffic to route though that server 22:19 < ethos5> i already have another VPN for that 22:20 < ethos5> What would happen if I set up two route-gateways? 22:20 < krzie> but if I push a route to the client telling it to route all traffic going to the gateway through the tunnel, everything breaks. 22:20 < krzie> what did you mean by that then? 22:21 < ethos5> OK, the client is my laptop 22:21 < ethos5> I want it to have a VPN tunnel to my LAN 22:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:21 < ethos5> It works perfectly if I am not ON the LAN when I make the VPN connection 22:21 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn 22:22 < ethos5> but if I am on the same subnet as the rest of the LAN, routing causes my connection to FUBAR 22:22 < krzie> oh right 22:22 < ethos5> so I can't put a push in the server config 22:22 < krzie> why run it when on the lan? 22:22 < ethos5> So I can use the same IP addresses consistently 22:23 < ethos5> e.g. I want to SSH to one of the LAN computers 22:23 < krzie> i dont understand 22:23 < krzie> oh so you can have same lan ip either way 22:23 < ethos5> I can SSH to the same address both on and off the lan 22:23 < ethos5> more or less 22:23 < krzie> then have your lan dhcp give that ip to your mac ONLY 22:23 < krzie> you'll get that ip when on lan without vpn 22:24 < ethos5> and then set up a client conf dir? 
22:24 < krzie> but with vpn, only when connected via vpn cause it also gives that exact ip 22:24 < krzie> no, dont connect when on lan 22:24 < ethos5> ok 22:24 < krzie> ovpn and dhcp will give same ip 22:24 < krzie> but you'll never be in 2 places at once 22:24 < ethos5> alright 22:24 < krzie> =] 22:25 < ethos5> Reason I was trying to work it that way is because my config currently turns on with my network devices 22:25 < ethos5> gonna have to go bash hacking to get it working again, wanted to avoid that 22:25 < ethos5> thanks for the help 22:25 < krzie> maybe you could whip up a intelligent client-connect script 22:25 < krzie> which could push the --redirect-gateway directive in certain cases 22:26 < ethos5> is there a way to do that inside of the ovpn conf files? 22:26 < krzie> not sure if its possible, but if it is, thats the script which would do it 22:26 < krzie> no, but POSSIBLY through --client-connect script 22:26 < krzie> which ovpn would call 22:26 < ethos5> or should I set up a script that changes the config file depending on if I am on the lan? 22:26 < ethos5> oh, ok 22:27 < krzie> ovpn has a few hooks for scripts, thats the hook youd use 22:27 < krzie> see manual for section on env variables to see if it has access to the right vars to get that info and act on it 22:27 < krzie> !man 22:27 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 22:27 < ethos5> ok, thanks 22:27 < krzie> yw 22:28 < krzie> oh and hey 22:28 < krzie> if you do make it work 22:28 < krzie> pls report back by adding it to our wiki 22:28 < krzie> !wiki 22:28 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 22:28 < krzie> =] 22:28 < ethos5> OK, i'll write up an article if I get it working right 22:28 < krzie> it would be appreciated 22:29 < ethos5> It will be gentoo-centric for client side, that alright? 
22:29 < krzie> sure
22:29 < krzie> the ovpn principles would remain
22:45 -!- ethos5 [n=ethos5@r69h135.res.gatech.edu] has quit ["leaving"]
22:59 -!- Muligan [n=muligan1@209-193-88-45.mammothnetworks.com] has quit [Read error: 54 (Connection reset by peer)]
22:59 -!- Muligan [n=muligan1@209-193-88-45.mammothnetworks.com] has joined ##openvpn
23:08 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
23:08 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 104 (Connection reset by peer)]
23:09 -!- disappearedng [n=disappea@unaffiliated/disappearedng] has left ##openvpn ["Leaving"]
23:10 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
23:11 -!- W0rmF00d [n=wormfood@113.87.194.227] has joined ##openvpn
23:19 -!- WormFood [n=wormfood@119.136.226.108] has quit [Read error: 145 (Connection timed out)]
23:24 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
23:31 -!- W0rmF00d is now known as WormFood
23:58 -!- ryanrhee90 [n=Adium@98.197.248.23] has joined ##openvpn
23:59 < ryanrhee90> !howto
23:59 < vpnHelper> ryanrhee90: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:59 < ryanrhee90> !configs
23:59 < vpnHelper> ryanrhee90: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
--- Day changed Sat Oct 17 2009
00:00 < ryanrhee90> !pastebin
00:00 < vpnHelper> ryanrhee90: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
00:02 < ryanrhee90> hey guys! I have openvpn configured on a server. Hosts can talk to one another, but the server can't talk to any of the hosts, which is weird. Please help? Here's my config. http://www.pastebin.ca/1624582
00:02 < ryanrhee90> (hosts = clients. sorry)
00:03 < ryanrhee90> ah, d/c for a second. i'm still here.
00:03 < ryanrhee90> Oh, and i almost forgot. I'm running this on ubuntu 8.04 LTS server.
00:03 -!- ryanrhee90 [n=Adium@98.197.248.23] has quit ["Leaving."]
00:04 -!- ryanrhee90 [n=Adium@98.197.248.23] has joined ##openvpn
00:04 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 104 (Connection reset by peer)]
00:04 < ryanrhee90> grr, D/C again. I'm here. I should've thought twice before updating my IM client.
00:05 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
00:05 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
00:09 < ryanrhee90> :( anyone?
00:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
00:49 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
00:49 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn
01:08 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
01:12 < ryanrhee90> hello?? anyone home?
01:16 < DevilsPGD> ryanrhee90: It is pretty much the middle of the night (in North America, anyway), and on a Friday night surely at least a few people have lives :)
01:16 < ryanrhee90> :( but #openvpn should have geeks in their basements with energy drink bottles everywhere!
01:18 < ryanrhee90> DevilsPGD: since you're up this late on a friday night, maybe you can help me :D
01:18 < DevilsPGD> I'd help if I could, but honestly I'm n00b enough that I'd probably make it worse before I'd make it better
01:18 < ryanrhee90> :( okay. thanks anyway!
01:19 < krzie> !ask
01:19 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
01:19 < DevilsPGD> I did glance at pastebin enough to know that nothing obvious jumped out at me, and that I haven't a clue what I'm looking for to actually say that there isn't anything obvious :)
01:19 < ryanrhee90> krzie: you're awake! :D
01:20 < ryanrhee90> devilspgd: :) thanks +1 for trying
01:22 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
01:23 < ryanrhee90> krzie: just in case you didn't catch my question earlier: I have openvpn configured on a server. clients can talk to one another, but the server can't talk to any of the clients, which is weird. Please help? Here's my config. http://www.pastebin.ca/1624582. I'm running ubuntu 8.04 server LTS.
01:25 < krzie> check firewall on server
01:25 < krzie> something is blocking it from talking to the client ip range
01:26 < krzie> or communicating over that dev
01:26 < krzie> oh you're bridging
01:27 < krzie> i cant help as good with bridges
01:27 < krzie> its rare to need one, i havnt needed to
01:27 < krzie> !tunortap
01:27 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
01:27 < krzie> !sample
01:27 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
01:34 < ryanrhee90> !help
01:34 < vpnHelper> ryanrhee90: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
01:35 < ryanrhee90> !conig
01:35 < vpnHelper> ryanrhee90: Error: "conig" is not a valid command.
01:35 < ryanrhee90> !config
01:35 < vpnHelper> ryanrhee90: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
01:35 < ryanrhee90> !pastebin
01:35 < vpnHelper> ryanrhee90: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
01:35 -!- ryanrhee90 [n=Adium@98.197.248.23] has left ##openvpn []
01:36 -!- ryanrhee90 [n=Adium@98.197.248.23] has joined ##openvpn
01:36 < ryanrhee90> !howto
01:36 < vpnHelper> ryanrhee90: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
01:39 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 113 (No route to host)]
01:41 < ryanrhee90> !sample
01:42 < vpnHelper> ryanrhee90: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
01:42 < krzie> why are you using tap?
01:42 < ryanrhee90> krzie: i think i'm using bridged ..?
01:42 < krzie> and bridge
01:42 < krzie> why?
01:42 < ryanrhee90> krzie: i'm using a bridged vpn b/c i need the layer 2 mac addresses
01:42 < krzie> why?
01:42 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
01:42 < krzie> what layer2 protocols do you need over vpn?
01:43 < ryanrhee90> krzie: ahhh... for one thing, there are some os x stuff that don't work well without the layer 2 stuff
01:44 < ryanrhee90> krzie: and i have a few perl scripts that look at mac addresses as well
01:44 < ryanrhee90> krzie: daemons, to be specific.
01:44 < krzie> iirc afp works over tcp/ip
01:46 < ryanrhee90> krie: bonjour is what i was referring to
01:47 < ryanrhee90> krzie: i could re-write the perl scripts to use layer3 instead if bonjour worked on layer3... that would be tedious, but i'd be willing to do it. :)
01:48 < ryanrhee90> krzie: but afaik bonjour uses mac addresses
01:48 < krzie> ahhaye seems it does
01:49 < krzie> ahh sye
01:49 < krzie> does the routing table know how to reach the clients?
01:49 < ryanrhee90> krzie: hrm, i'm curious though, what does push "route " do? i mean, i know what a route is, but afaik a static route should contain a src & dest IP
01:50 < ryanrhee90> krzie: haha, good call. i was thinking about that. the ifconfig on my clients don't have a default gateway which makes me think there is no route.
01:50 < krzie> !push
01:50 < vpnHelper> krzie: "push" is usage: push , goes in the server config and makes the command act as if it was in the client config, can be used in ccd entries
01:50 < krzie> the route added by openvpn always has dest of over the vpn
01:50 < krzie> so it knows what ip to use
01:51 < krzie> the is dest
01:51 < krzie> sorry im tired, it knows how to reach because it must travel over the vpn
01:51 < krzie> and is dest
01:52 < krzie> and static route doesnt contain src and dest, it has dest and how to get there
01:52 < ryanrhee90> krzie: ahh. so i think if i add something like this... push "route x.x.x.x" where x.x.x.x is the ip of the vpn server's tap interface, maybe the clients will figure it out... i'll give that a shot! hold on.
01:52 < ryanrhee90> krzie: well, technically, yes. 'src' was an oversimplification :P
01:52 < krzie> the clients know how
01:52 < krzie> im thinking the server doesnt
01:53 < ryanrhee90> krzie: if i ping the server's tap IP from a client, i get "no route to host"
01:53 < krzie> well, the clients can reach each other
01:53 < ryanrhee90> krzie: and if i 'tail -f' the syslog while the pings are going, i see nothing.
01:53 < ryanrhee90> krzie: yes, they can.
01:53 < krzie> client-to-client makes their traffic not hit the servers kernel therefore routing table
01:54 < krzie> it all happens inside the proc
01:54 < krzie> without that traffic can still pass if the kernel allows
01:55 < ryanrhee90> krzie: i'm not quite sure if i'm understanding you correctly, but if client-to-client doesn't hit the server's kernel &| routing table, wouldn't that mean the clients don't know how to get to the server itself? it seems like the traffic would just go straight to the server proc ??
01:57 < krzie> see if they have arp for the server
01:57 < krzie> see if it has arp for them
01:57 < krzie> see if they have arp for each other
01:57 < krzie> im not too familiar with troubleshooting bridge
01:58 < ryanrhee90> krzie: the server is publicly accessible via an IP, so i'm sure there will be ARP entries of the server, though with a wrong IP... i'll check.
01:58 < krzie> umm no
01:58 < krzie> arp doesnt happen over inet
01:58 < krzie> only over LAN communication
01:59 < ryanrhee90> krzie: ah, wasn't aware of that.
01:59 < krzie> which an openvpn bridge makes happen over inet
01:59 < krzie> layer2 is lan, uses arp
01:59 < krzie> layer3 is ip, uses dns
02:01 < ryanrhee90> krzie: would you know the command to display the arp cache on ubuntu?
02:01 < ryanrhee90> krzie: nvm i think i got it. arp -a
02:01 < krzie> same as all os'es, arp -a
02:02 < ryanrhee90> more weirdness. the client's arp shows tap0 going to the network address
02:02 < ryanrhee90> and the server's arp has ... nothing regarding the vpn
02:03 < krzie> ping a client from other client
02:04 < krzie> then check arp again on all 3
02:05 < ryanrhee90> ackk! O_o;; i just lost connection to my other client...
02:06 < krzie> ok imma pass out
02:06 < krzie> gnite
02:06 < ryanrhee90> krzie: haha okay thanks for helping
02:11 -!- ryanrhee90 [n=Adium@98.197.248.23] has quit ["Leaving."]
02:12 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
02:39 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
02:42 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
02:50 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
02:55 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has quit [Remote closed the connection]
03:01 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
03:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:33 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
03:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:04 -!- kosmic is now known as kosmic`
04:05 -!- kosmic` is now known as kosmic
04:08 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
04:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
04:30 -!- EnginA [n=engin@81.213.53.226] has joined ##openvpn
04:32 -!- c64zottel [n=hans@62.12.220.164] has joined ##openvpn
04:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
04:48 -!- uffo [n=force@84-50-161-222-dsl.rgu.estpak.ee] has joined ##openvpn
04:50 < uffo> hello i have a newbie question can i use openvpn this way similar to hamachi that i create some relay server and i can have all peers connected everytime
04:52 < uffo> i mean i create in my own web server some sort of mediator?
04:53 < uffo> i have really enough of that hamachi horrors that it is offline because servers down and only have closed servers.
04:55 -!- EnginA [n=engin@81.213.53.226] has quit [Read error: 60 (Operation timed out)]
05:12 < uffo> is there anyone here or are all users bots?
05:12 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
05:13 < LobbyZ> All users are bots
05:18 -!- uffo [n=force@84-50-161-222-dsl.rgu.estpak.ee] has left ##openvpn []
05:41 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
05:58 -!- EnginA [n=engin@88.246.231.179] has joined ##openvpn
06:04 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
06:17 -!- brizly [n=brizly_v@p4FC986F0.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:18 -!- brizly [n=brizly_v@p4FC99A56.dip0.t-ipconnect.de] has joined ##openvpn
06:29 -!- EnginA [n=engin@88.246.231.179] has quit [Read error: 113 (No route to host)]
06:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
07:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
07:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:31 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has joined ##openvpn
07:51 -!- EnginA [i=engin@64.120.158.100] has joined ##openvpn
07:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:16 < ecrist> lol
08:27 < Optic> moo
09:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:07 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
09:27 -!- UomO_BongA [n=rafa@190.55.70.209] has joined ##openvpn
09:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
09:37 < Sky[x]> hello
09:38 < Sky[x]> i need help, i am doing openvpn with this tutorial http://www.server-world.info/en/note?os=CentOS_5&p=openvpn
09:38 < vpnHelper> Title: Server World - CentOS 5 - VPN Server - Install / Configure OpenVPN (at www.server-world.info)
09:38 < Sky[x]> i dont have file with name "vars" any idea what that can be ?
09:39 -!- EnginAy [i=engin@213.163.74.136] has joined ##openvpn
09:39 -!- xenophile7x7 [n=xenophil@72.192.7.242] has joined ##openvpn
09:46 -!- kubanc [n=kubanc@89-212-11-218.dynamic.dsl.t-2.net] has joined ##openvpn
09:46 -!- kubanc [n=kubanc@89-212-11-218.dynamic.dsl.t-2.net] has left ##openvpn ["Leaving"]
09:57 -!- EnginA [i=engin@64.120.158.100] has quit [Read error: 110 (Connection timed out)]
10:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
10:21 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
10:30 < Bushmills> where did you look for it?
10:33 -!- zamba [i=marius@flage.org] has joined ##openvpn
10:33 < Sky[x]> i solved the problem by installing an older version of openvpn on centos
10:37 < Bushmills> no, i mean in what directories did you look
10:41 < Sky[x]> in /usr/share/doc/openvpn-2.1
11:04 < Bushmills> use your package installer tool to list the contents of the openvpn archive, and grep it for vars$
11:04 < Bushmills> if it doesn't show, the archive is incomplete
11:05 < Bushmills> (i assume that you looked below the openvpn dir, in examples)
11:12 < reiffert> Sky[x]: find /etc/openvpn /usr/share/doc/openvpn* -name "vars"
11:24 -!- UomO_BongA [n=rafa@190.55.70.209] has quit ["Ex-Chat"]
11:32 < Sky[x]> when i run openvpn my network breaks down any idea why ? :D
11:35 < Bushmills> the load of information you are giving allows only one conclusion: somebody pulls the plug when you do.
11:36 < Sky[x]> no
11:36 < Sky[x]> i just get this message promiscuous mode on ... thats all
11:36 < Bushmills> yes
11:36 < Sky[x]> i sit right here near the server when i stop openvpn en reboot server network start working
11:36 < Sky[x]> and*
11:37 < Bushmills> that's when the plug is pushed in again. watch for the candid camera
11:38 < Sky[x]> ?
11:38 < Sky[x]> Oct 17 17:54:05 localhost kernel: eth0: Promiscuous mode enabled.
11:46 -!- mrparanoid [n=coroner@unaffiliated/mrparanoid] has joined ##openvpn
13:23 -!- fabio [n=fabio@64.146.222.87.dynamic.jazztel.es] has joined ##openvpn
13:23 < fabio> hello, anybody here?
13:24 < fabio> i'm almost done, but have a problem
13:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:34 -!- Hydrant [n=aj@CPE001d7e684fa2-CM0012c90d1420.cpe.net.cable.rogers.com] has joined ##openvpn
13:34 < Hydrant> is there a decent way to debug up/down scripts ?
13:34 < Hydrant> I don't see how to even redirect output of the script set with -x
13:45 < Hydrant> anyone use networkmanager with ubuntu? It's overwriting resolv.conf... but I'm using the program resolvconf and this leads to chaos
14:17 -!- krzie [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
14:18 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
14:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
14:20 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)]
14:21 < Bushmills> !ubuntu
14:21 < vpnHelper> Bushmills: "ubuntu" is dont use network manager!
14:22 < Bushmills> !factoids search network manager
14:22 < vpnHelper> Bushmills: No keys matched that query.
14:22 < Bushmills> !factoids search manager
14:22 < vpnHelper> Bushmills: No keys matched that query.
14:28 < reiffert> !factoids search Bushmills
14:28 < vpnHelper> reiffert: No keys matched that query.
14:28 < reiffert> !factoids search network
14:28 < vpnHelper> reiffert: No keys matched that query.
14:28 < reiffert> !factoids search a*
14:28 < vpnHelper> reiffert: 'ask', 'activedirectory', 'all', 'authpass', 'allinfo', and 'access-server'
14:28 < reiffert> !factoids search a?
14:28 < vpnHelper> reiffert: No keys matched that query.
14:28 < reiffert> !factoids search a.
14:29 < vpnHelper> reiffert: No keys matched that query.
14:29 < reiffert> !factoids search a??
14:29 < vpnHelper> reiffert: 'ask' and 'all'
14:29 < reiffert> !factoids search ?
14:29 < vpnHelper> reiffert: No keys matched that query.
14:29 < reiffert> !factoids search ??
14:29 < vpnHelper> reiffert: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
14:29 < reiffert> !factoids search ???
14:29 < vpnHelper> reiffert: 'tcp', 'faq', 'ccd', 'ask', 'vpn', 'tap', 'mac', 'nat', 'all', 'man', 'crl', 'ipp', 'dns', 'dev', 'bot', 'mtu', '/30', 'irc', and 'osx'
14:29 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 104 (Connection reset by peer)]
14:30 < Bushmills> should match the ubuntu factoid, which contains phrases "network" and "manager" when searching for "manager" IMHO
14:31 < reiffert> yeah, let's forth() the bot
14:42 < Bushmills> s" manager" factoids search
14:47 < fabio> hello, anyone uses ubuntu?
14:49 < Bushmills> on #ubuntu are an estimated 1000 users, so I suppose somebody uses it, yes.
14:49 < Bushmills> i doubt they'll all squat that channel without actually being users
14:54 < reiffert> I know about one person using ubuntu
15:00 -!- fr00d [i=fr00d@unaffiliated/fr00d] has joined ##openvpn
15:00 < fr00d> Hello!
15:00 < fr00d> I'm trying to setup openvpn from a windows client to an openwrt server. The connection could be established, but I can't ping the client from the server.
15:01 < fr00d> The client can't reach any hosts inside the network.
15:01 < fr00d> Could somebody help me to solve this problem?
15:05 -!- AlHafoudh [n=AlHafoud@chello089173071159.chello.sk] has joined ##openvpn
15:06 < AlHafoudh> hi all
15:06 < AlHafoudh> please, why i cannot sniff whole communication on tap0 device on openvpn server machine? how to do that? we need to troubleshoot something
15:09 < reiffert> whats your operating system?
15:12 < AlHafoudh> debian lenny
15:20 < AlHafoudh> please any advice?
15:24 < reiffert> tcpdump -n -i tap0
15:40 -!- Hydrant [n=aj@CPE001d7e684fa2-CM0012c90d1420.cpe.net.cable.rogers.com] has left ##openvpn ["Konversation terminated!"]
15:54 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has joined ##openvpn
15:54 < FlaPer87> hey guys, need some help with openvpn, I keep getting this message on the client read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
15:54 < FlaPer87> does any of you know what it means?
15:56 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
15:56 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
16:05 < FlaPer87> anyone?
16:06 -!- rockstarx188 [n=rockstar@rps1637.ovh.net] has joined ##openvpn
16:06 < rockstarx188> hey everybody
16:06 < rockstarx188> any1 have any idea on how to get those 2 yellow computers to turn green in the windows openvpn client?
16:07 < rockstarx188> Sat Oct 17 23:04:27 2009 us=165946 UDPv4 link remote: *SERVERIP*
16:07 < rockstarx188> Sat Oct 17 23:06:28 2009 us=511981 NOTE: failed to obtain options consistency info from peer -- this could occur if the remote peer is running a version of OpenVPN before 1.5-beta8 or if there is a network connectivity problem, and will not necessarily prevent OpenVPN from running (0 bytes received from peer, 0 bytes authenticated data channel traffic) -- you can disable the options consistency check with --disable-occ.
16:07 < rockstarx188> this is all I get in the openvpn logs.. :S
16:19 < rockstarx188> !howto
16:19 < vpnHelper> rockstarx188: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:31 < Optic> moo
16:39 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
16:42 < rockstarx188> optic ?
16:42 < FlaPer87> help http://pastebin.com/d400e0f96
16:45 -!- FlaPer87 [n=FlaPer87@unaffiliated/flaper87] has left ##openvpn ["WeeChat 0.3.0"]
16:47 -!- rockstarx188 [n=rockstar@rps1637.ovh.net] has quit ["Java user signed off"]
17:02 < |Mike|> re.
17:19 < jetole> krzee: when I asked how to see a list of all revoked keys yesterday, you said check out the CRL, can you explain that a little. I don't know what you mean.
17:26 < reiffert> |Mike|: being rude or shutting up?
17:27 < |Mike|> heh?
17:28 < reiffert> oups, jetole was addressing krzee and not Mike....
17:28 < reiffert> My fault, just ignore me
17:28 < |Mike|> mkay, it's saturday evening ;)
17:29 < reiffert> And I'm lying on the couch, suffering from a cold
17:29 < |Mike|> that sucks mate
17:29 < |Mike|> i hope you're getting better tho
17:30 < reiffert> today's the first day making some little progress, I left the couch for a car race :)
17:33 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:34 < |Mike|> and it made you feel better ? :p
17:37 -!- gilos [i=41ab6c0c@gateway/web/freenode/x-kqandfdlnhzygfuc] has quit [Ping timeout: 180 seconds]
17:48 -!- zamba [i=marius@flage.org] has quit [Read error: 113 (No route to host)]
17:49 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
17:50 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
17:54 < reiffert> Yeah, this or the ginger tea, well whatever it was, feeling better :)
18:15 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
18:23 -!- PeterFA [n=peter@unaffiliated/peterfa] has joined ##openvpn
18:23 < PeterFA> Does OpenVPN 2.1_rc13 set environment variables according to the manual or is there a bug or something?
18:24 < PeterFA> Is there a build option that prevents the setting of environment variables?
18:24 < |Mike|> whatfor?
18:25 < PeterFA> Because I'm scratching my head, feeling totally helpless because my script needs a variable to recognize when there is a VPN running.
18:25 < PeterFA> |Mike|, I have this Sabayon build of OpenVPN and it won't set environment variables as the manual clearly states.
18:26 < PeterFA> http://www.openvpn.net/index.php/open-source/documentation/manuals/69-openvpn-21.html
18:26 < vpnHelper> Title: OpenVPN 2.1 (at www.openvpn.net)
18:26 < PeterFA> It's very low to the bottom, if you need to see it.
18:27 < PeterFA> Text search for "SCRIPTING AND ENVIRONMENTAL VARIABLES"
18:27 < PeterFA> !factoids search trusted_ip
18:27 < vpnHelper> PeterFA: No keys matched that query.
18:27 < PeterFA> !factoids search trusted ip
18:27 < vpnHelper> PeterFA: No keys matched that query.
18:32 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:40 < PeterFA> I'd like to contact a developer/mailing list or something.
18:40 < PeterFA> Also is there a place for submitting bugs?
18:57 < ecrist> pfft
18:57 < ecrist> PeterFA: there is a developers mailing list
18:57 < ecrist> !mailing-list
18:57 < vpnHelper> ecrist: Error: "mailing-list" is not a valid command.
18:57 < ecrist> !lists
18:57 < vpnHelper> ecrist: Error: "lists" is not a valid command.
18:57 < ecrist> don't have a link
19:04 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
19:09 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit [Client Quit]
19:15 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
19:19 < reiffert> it's on the homepage.
19:47 < jetole> reiffert: I was going based on a /last since it was a while since I was in the room
19:47 < jetole> so if I missed something?
20:17 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 104 (Connection reset by peer)]
20:18 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
20:34 -!- W0rmF00d [n=wormfood@119.136.222.40] has joined ##openvpn
20:41 -!- WormFood [n=wormfood@113.87.194.227] has quit [Read error: 110 (Connection timed out)]
20:45 -!- c64zotte1 [n=hans@62-12-248-000.pool.cyberlink.ch] has joined ##openvpn
20:56 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
21:01 -!- c64zottel [n=hans@62.12.220.164] has quit [Read error: 110 (Connection timed out)]
21:14 -!- c64zotte1 [n=hans@62-12-248-000.pool.cyberlink.ch] has quit [Read error: 104 (Connection reset by peer)]
21:14 -!- master_of_master [i=master_o@p549D7B10.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- c64zottel [n=hans@62-12-248-000.pool.cyberlink.ch] has joined ##openvpn
21:18 -!- master_of_master [i=master_o@p549D39B1.dip.t-dialin.net] has joined ##openvpn
21:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:31 -!- W0rmF00d is now known as WormFood
21:37 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
22:19 -!- fabio [n=fabio@64.146.222.87.dynamic.jazztel.es] has quit [Read error: 104 (Connection reset by peer)]
22:27 -!- c64zottel [n=hans@62-12-248-000.pool.cyberlink.ch] has left ##openvpn []
22:28 -!- hr [n=asher@88.191.77.247] has joined ##openvpn
22:29 < hr> hi
22:29 < hr> !redirect
22:29 < vpnHelper> hr: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
22:29 < hr> !/30
22:29 < vpnHelper> hr: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
22:32 < hr> !topology
22:32 < vpnHelper> hr: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
22:35 -!- fabio [n=fabio@206.146.222.87.dynamic.jazztel.es] has joined ##openvpn
22:45 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn
--- Day changed Sun Oct 18 2009
00:07 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:11 -!- kcsrnd [n=jkessler@69-57-95-80.dsl.static.nccray.com] has quit [Read error: 54 (Connection reset by peer)]
00:14 -!- mrparanoid [n=coroner@unaffiliated/mrparanoid] has quit [Remote closed the connection]
00:56 -!- Voting [n=ericl@cpe-98-14-5-27.nyc.res.rr.com] has joined ##openvpn
01:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
01:37 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has quit [Read error: 54 (Connection reset by peer)]
01:37 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has joined ##openvpn
01:38 -!- Voting [n=ericl@cpe-98-14-5-27.nyc.res.rr.com] has quit ["Leaving."]
02:45 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
02:57 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
03:19 -!- EnginAy [i=engin@213.163.74.136] has quit [Success]
03:24 -!- EnginA [i=engin@98.143.144.106] has joined ##openvpn
03:33 -!- EnginA [i=engin@98.143.144.106] has quit [Read error: 104 (Connection reset by peer)]
03:56 -!- exes [n=exes@galileo.exes.org] has left ##openvpn []
04:15 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
04:32 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
04:35 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
04:46 -!- fkr [i=fkr@news.bytemine.net] has quit ["leaving"]
04:47 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
04:54 -!- frepe [n=fredrik@c-9589e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has joined ##openvpn
04:54 -!- frepe [n=fredrik@c-9589e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has left ##openvpn ["Ex-Chat"]
04:54 -!- frepe [n=fredrik@c-9589e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has joined ##openvpn
04:57 < frepe> I'm trying to channel the clients' traffic through my VPN server with redirect-gateway. But I don't want the VPN host's IP set as the default gw for the client, but another IP. Is that possible?
04:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:02 -!- smellyno1er [n=ashley@86.53.96.123] has joined ##openvpn
05:14 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
05:14 -!- smellynoser [n=ashley@86.53.96.123] has quit [Read error: 111 (Connection refused)]
05:15 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
05:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
05:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:20 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
05:22 -!- c64zottel [n=hans@62-12-248-000.pool.cyberlink.ch] has joined ##openvpn
05:23 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
05:26 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 145 (Connection timed out)]
05:32 -!- Oreva [n=brenwill@70.88.214.124] has quit []
06:08 -!- c64zotte1 [n=hans@62-12-233-212.pool.cyberlink.ch] has joined ##openvpn
06:24 -!- c64zottel [n=hans@62-12-248-000.pool.cyberlink.ch] has quit [Read error: 110 (Connection timed out)]
06:33 -!- brizly [n=brizly_v@p4FC99A56.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:35 -!- brizly [n=brizly_v@p4FC99D18.dip0.t-ipconnect.de] has joined ##openvpn
06:45 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has quit [Remote closed the connection]
06:50 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has joined ##openvpn
06:51 -!- fabio [n=fabio@206.146.222.87.dynamic.jazztel.es] has quit [Remote closed the connection]
06:56 -!- dazo|h [n=dazo@83.240.69.215] has joined ##openvpn
06:56 -!- dazo|h [n=dazo@83.240.69.215] has quit [Client Quit]
07:13 < Bushmills> default gateway is where your otherwise unrouted traffic, per destination, goes to. so wanting it for your (unspecified) traffic, but at the same time not wanting it, is kind of contradictory
07:14 -!- AlHafoudh [n=AlHafoud@chello089173071159.chello.sk] has quit []
07:30 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
08:48 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
08:48 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
08:58 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
09:13 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
09:19 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
09:19 < Douglas> anyone here used dd-wrt
09:19 < ecrist> nope
09:20 < Douglas> i'm afraid to try this
09:20 < Douglas> imma brick my router or something if i do it
09:20 < Douglas> lol
09:22 < ecrist> naw, it's a pretty fool-proof process. I've flashed a router before, pretty simple.
09:23 < Douglas> hmm
09:23 < Douglas> i could just say skip this and throw up my cisco 2950
09:24 < ecrist> if you have a 2950, why fuck with ddwrt?
09:24 < Douglas> was going to try and enable snmp on the ddwrt
09:24 < Douglas> and just graph those ports
09:24 < Douglas> but meh
09:34 < ecrist> ah
09:34 < ecrist> I do that with a linksys managed switch
09:34 < ecrist> and bsnmp on freebsd
09:37 < Douglas> linksys wrt54g is what i got
09:37 < Douglas> instead i guess ill just have modem -> wrt54g -> switch -> pc's
09:53 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
09:54 -!- c64zotte1 [n=hans@62-12-233-212.pool.cyberlink.ch] has quit [Read error: 104 (Connection reset by peer)]
09:55 -!- c64zottel [n=hans@62-12-233-212.pool.cyberlink.ch] has joined ##openvpn
09:59 -!- Douglas [i=Douglas@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
10:01 -!- Douglas [n=contact@ool-43503ed4.dyn.optonline.net] has joined ##openvpn
10:01 < Douglas> ecrist: still there?
10:11 < ecrist> yeah
10:12 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
10:13 -!- biberao [i=mapd@unaffiliated/biberao] has joined ##openvpn
10:13 < biberao> hello hello hello
10:16 * ecrist goes away
10:23 -!- Douglas [n=contact@ool-43503ed4.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
10:24 -!- Bushmills [n=nnnBushm@verhau.de] has quit [Nick collision from services.]
10:32 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has quit ["reboot"]
10:37 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has joined ##openvpn
10:52 -!- Bushmills1 [n=Bushmill@verhau.de] has joined ##openvpn
10:52 -!- Bushmills1 is now known as Bushmills
10:53 -!- Bushmills [n=Bushmill@verhau.de] has quit [Nick collision from services.]
10:53 -!- Bushmills1 [n=nBushmil@verhau.de] has joined ##openvpn
10:54 -!- Bushmills1 is now known as Bushmills
10:54 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
11:21 -!- WormFood [n=wormfood@119.136.222.40] has quit [Read error: 110 (Connection timed out)]
11:21 -!- WormFood [n=wormfood@121.34.165.71] has joined ##openvpn
11:22 -!- Sup3rFly [n=sup3rfly@71.39.149.153] has joined ##openvpn
11:22 -!- mikkel [n=mikkel@84.238.113.66] has quit [Read error: 148 (No route to host)]
11:22 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
11:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:28 < Sup3rFly> i'm having a nightmare getting two openvpn servers to connect
11:28 < Sup3rFly> TLS Auth Error: Auth Username/Password verification failed for peer
11:28 < Sup3rFly> i've tried multiple username/passwords. Using PSK, so uploaded each of their .cer
11:28 < Sup3rFly> gah
11:40 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
11:51 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
12:00 -!- igor1 [n=igubenko@ool-18bedca2.dyn.optonline.net] has joined ##openvpn
12:01 < igor1> hello OpenVPN experts
12:01 < igor1> have a question... anyone here
12:03 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
12:04 < igor1> anyone?
12:20 < igor1> is anyone here?
12:25 -!- MoonMaker1 [n=thomas@BAC71e8.bac.pppool.de] has joined ##openvpn
12:25 -!- MoonMaker1 [n=thomas@BAC71e8.bac.pppool.de] has left ##openvpn ["Leaving."]
12:36 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 113 (No route to host)]
13:09 -!- SuprFly_ [n=sup3rfly@ace.triplecrowncasinos.com] has joined ##openvpn
13:17 -!- Sup3rFly [n=sup3rfly@71.39.149.153] has quit [Read error: 145 (Connection timed out)]
13:17 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has joined ##openvpn
13:24 < JacksonBrown> i tooted
13:25 < JacksonBrown> 12:04 < igor1> anyone?
13:25 < JacksonBrown> 12:20 < igor1> is anyone here?
13:25 < JacksonBrown> chan is deader than BSD
13:25 -!- JacksonBrown [i=hyokSRuh@pool-173-57-173-123.dllstx.fios.verizon.net] has left ##openvpn []
13:26 < Optic> hi
13:26 < Optic> :)
13:30 -!- SuprFly_ [n=sup3rfly@ace.triplecrowncasinos.com] has quit [Read error: 110 (Connection timed out)]
13:37 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
13:42 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
13:42 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
13:43 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has quit []
14:02 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
14:07 < igor1> hello
14:07 < igor1> did I miss the experts?
14:08 < igor1> I don't know if BSD is dead per se... my question relates to an openvpn router running FBSD :)
14:15 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
14:19 < |Mike|> just state it ? :)
14:25 < igor1> ok :) .... I have a multi client openvpn server setup
14:25 < igor1> so far have just two clients with "static" (ccd) ip assignments setup
14:25 < igor1> I can ping one of the clients from the server just fine
14:26 < igor1> and I can telnet to its services
14:26 < igor1> but I've setup routing/NAT'ing rules on the server (which appear to work per tcpdump), and when I am trying to access these services from a remote PC
14:26 < igor1> it fails
14:27 < igor1> here's one from the server
14:27 < igor1> [root@millbasin /usr/local/etc/openvpn]# telnet 172.16.1.134 3389
14:27 < igor1> Trying 172.16.1.134...
14:27 < igor1> Connected to 172.16.1.134.
14:27 < igor1> Escape character is '^]'.
14:27 < igor1> 12:46:28.446171 IP 172.16.1.133.49718 > 172.16.1.134.rdp: S 2490818785:2490818785(0) win 65535
14:27 < igor1> 12:46:28.486059 IP 172.16.1.134.rdp > 172.16.1.133.49718: S 3893783029:3893783029(0) ack 2490818786 win 16416
14:27 < igor1> 12:46:28.486147 IP 172.16.1.133.49718 > 172.16.1.134.rdp: . ack 1 win 33222
14:27 < igor1> Connection closed by foreign host.
14:27 < igor1> [root@millbasin /usr/local/etc/openvpn]# 12:46:30.695040 IP 172.16.1.133.49718 > 172.16.1.134.rdp: P 1:3(2) ack 1 win 33222
14:27 < igor1> 12:46:30.740117 IP 172.16.1.134.rdp > 172.16.1.133.49718: R 1:1(0) ack 3 win 0
14:27 < igor1> Now, here's one from the client
14:28 < igor1> [root@millbasin /usr/local/etc/openvpn]# 12:47:07.257669 IP 172.16.1.133.3860 > 172.16.1.134.rdp: S 1881180932:1881180932(0) win 65535
14:28 < igor1> 12:47:10.180015 IP 172.16.1.133.3860 > 172.16.1.134.rdp: S 1881180932:1881180932(0) win 65535
14:28 < igor1> almost the same thing... NAT/routing works correctly... places it on the right interface
14:28 < igor1> but no response from the client this time
14:35 < igor1> I have to leave for some time... if anyone has any guesses or recommendations, please... it's a FBSD router/openvpn server with no firewall, using ipnat for NATing, and a Windows XP client ...
14:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:59 -!- igor [n=igubenko@pool-173-56-200-134.nycmny.east.verizon.net] has joined ##openvpn
15:07 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:17 -!- c64zotte1 [n=hans@62.12.212.73] has joined ##openvpn
15:17 -!- igor1 [n=igubenko@ool-18bedca2.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
15:21 -!- c64zottel [n=hans@62-12-233-212.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)]
15:23 -!- frepe [n=fredrik@c-9589e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has quit ["Ex-Chat"]
15:46 -!- bmwiedemann [n=bernhard@mobilix.zq1.de] has joined ##openvpn
15:48 < bmwiedemann> good evening. I am getting "UDPv4 [ENETUNREACH]: Network is unreachable (code=101)" on my openvpn server from a client IP that is no more there for a week. I wonder how it can even remember the IP after a stop?
15:49 < bmwiedemann> version is openvpn-2.0.9-44.2 and yes, I tried ping-restart 60
16:02 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
16:04 < bmwiedemann> ah. old server was still run by hoster guys. and they just firewalled replies. gn
16:04 -!- bmwiedemann [n=bernhard@mobilix.zq1.de] has left ##openvpn []
16:13 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
16:13 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."]
16:30 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
17:07 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 54 (Connection reset by peer)]
17:12 -!- KaiForce [n=chatzill@70.228.104.238] has joined ##openvpn
17:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:24 -!- KaiForce [n=chatzill@70.228.104.238] has quit [Remote closed the connection]
17:54 -!- igor1 [n=igubenko@ool-18bedca2.dyn.optonline.net] has joined ##openvpn
17:54 < igor1> hello guys, anyone here now who can help
18:00 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
18:03 -!- igor1 [n=igubenko@ool-18bedca2.dyn.optonline.net] has quit ["Leaving."]
18:03 -!- igor__ [n=igor@ool-18bedca2.dyn.optonline.net] has joined ##openvpn
18:04 < igor__> !route
18:04 < vpnHelper> igor__: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:12 -!- igor [n=igubenko@pool-173-56-200-134.nycmny.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
18:26 < igor__> !redirect
18:26 < vpnHelper> igor__: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:26 < igor__> !nat
18:26 < vpnHelper> igor__: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
18:26 < igor__> !fbsdnat
18:26 < vpnHelper> igor__: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
19:05 -!- epaphus [n=unix3@201.199.192.2] has joined ##openvpn
19:21 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:25 -!- epaphus [n=unix3@201.199.192.2] has quit ["Leaving"]
19:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
20:25 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn
21:14 -!- master_of_master [i=master_o@p549D39B1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D49D6.dip.t-dialin.net] has joined ##openvpn
21:18 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit [Nick collision from services.]
21:19 -!- DevilsPGD1 [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
21:19 -!- DevilsPGD1 is now known as DevilsPGD
21:20 -!- ErickG [n=ErickG@190.86.139.136] has joined ##openvpn
21:21 -!- rookie [n=rookie@218.241.238.132] has joined ##openvpn
21:22 < rookie> hello
21:24 -!- c64zotte1 [n=hans@62.12.212.73] has quit ["Leaving."]
22:05 -!- ErickG [n=ErickG@190.86.139.136] has left ##openvpn []
22:07 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
22:19 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: fr00d, SerajewelKS, IcyPolecat
22:20 -!- Netsplit over, joins: fr00d, SerajewelKS, IcyPolecat
22:21 -!- fr00d [i=fr00d@unaffiliated/fr00d] has quit [Remote closed the connection]
22:21 -!- fr00d [i=fr00d@unaffiliated/fr00d] has joined ##openvpn
22:24 -!- hyper__ch [n=hyper@adsl-62-167-118-177.adslplus.ch] has joined ##openvpn
22:24 -!- hyper_ch [n=hyper@adsl-62-167-30-19.adslplus.ch] has quit [Nick collision from services.]
22:24 -!- hyper__ch is now known as hyper_ch
22:33 -!- kurt [n=kurt@astound-69-42-7-19.ca.astound.net] has joined ##openvpn
22:35 -!- rookie [n=rookie@218.241.238.132] has quit ["Leaving"]
22:56 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:58 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
22:59 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 54 (Connection reset by peer)]
23:01 -!- Oreva [n=brenwill@64.251.25.150] has joined ##openvpn
23:04 -!- Oreva [n=brenwill@64.251.25.150] has quit [Read error: 104 (Connection reset by peer)]
23:04 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
23:05 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 54 (Connection reset by peer)]
23:05 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
23:17 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 60 (Operation timed out)]
23:18 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Oct 19 2009
00:08 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
00:17 -!- igor__ [n=igor@ool-18bedca2.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
00:20 -!- hyper_ch [n=hyper@adsl-62-167-118-177.adslplus.ch] has quit [Remote closed the connection]
00:35 -!- misse-_ [i=misse@misse.org] has quit [Read error: 101 (Network is unreachable)]
00:40 -!- kurt [n=kurt@astound-69-42-7-19.ca.astound.net] has quit []
00:49 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
00:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
01:07 -!- hyper_ch [n=hyper@68-149.77-83.cust.bluewin.ch] has joined ##openvpn
01:18 -!- krzee is now known as krzy
01:18 -!- krzie is now known as krzee
01:18 -!- krzy is now known as krzie
01:21 -!- Run32dll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:30 -!- dazo|afk is now known as dazo
02:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
02:44 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
02:44 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Client Quit]
02:55 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
02:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
03:10 -!- Gobbla [n=Gobbla@c80-217-155-11.bredband.comhem.se] has joined ##openvpn
03:11 < Gobbla> I'm having some issues installing adito certificates running on a ubuntu server, get error message "User database could not be opened. Internal error." when i try to join it to my active directory... Domain Controller Hostname is my DC (DC1.domain.com), domain is domain.com and service account is Administrator and the DC is running on a 2k8 R2 server
03:11 < Gobbla> anyone who might know what I'm doing wrong?
03:14 -!- smellyno1er [n=ashley@86.53.96.123] has quit [Client Quit]
03:22 < Gobbla> DC=domainname,DC=domain,DC=com does not work either
03:23 < Gobbla> the functional level is server 2003..
03:24 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
03:29 -!- pexy_ [n=opera@ns.emhi.ee] has joined ##openvpn
03:32 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
03:32 < pexy_> when creating cert for openvpn connection, is it possible to input the PEM password non-interactively? like through env variable or command line argument to openssl.
03:33 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
03:40 < reiffert> pexy_: see the VARS section in the manpage.
03:41 < pexy_> which man?
03:48 < |Mike|> *sigh*
03:54 < pexy_> if you mean this http://www.openvpn.net/man.html, then it covers password usage when connecting. i need help with creating cert, which is more related to openssl
04:05 -!- misse- [i=misse@misse.org] has joined ##openvpn
04:21 < dazo> pexy_: If you're using easy-rsa, have a look in the pkitool file (it's a shell script) ... I don't think password via env is supported, but should be doable to add that feature
04:21 < dazo> after all, pkitool uses openssl
04:22 < dazo> and all those build-* files use pkitool again
04:24 < |Mike|> yes, that's why they're called "scripts" :P
04:40 < pexy_> i'm using easy-rsa and pkitool and password is not supported non-interactively. i suspect that openssl reads env vars which are described in openssl.cnf, but i can't find the right one for PEM password. variables from ./vars script are also in openssl.cnf.
04:48 < |Mike|> . vars please
04:48 < |Mike|> ./vars won't work.
04:49 < pexy_> ?
04:49 < |Mike|> something with environments etc
04:50 < dazo> pexy_: not ./vars .... . ./vars .... or source ./vars
04:51 < dazo> ( )
04:51 < pexy_> i know that
04:51 < pexy_> i referred to the contents of that file
04:51 < dazo> pexy_: pkitool most probably does not handle passwords via ENV now .... but if you look into the script ... it should be doable doing that
04:53 < pexy_> i agree, but the obstacle so far is openssl, how to pass password to openssl non-interactively? which are other ways of passing password to openssl than just typing it in twice?
04:54 < dazo> -passin env:PWDVAR is the argument in many situations for openssl .... you then just need to export PWDVAR before calling openvpn
04:55 < dazo> s/openvpn/openssl
04:55 < pexy_> so passin is the keyword??
04:56 < dazo> pexy_: is the argument ... but it depends on which "mode" openssl is used in .... for openssl rsa, -passin is the argument to pass ... env:VAR
04:56 < dazo> is where to pick the password from
04:56 < dazo> pexy_: look at man openssl .... look for "PASS PHRASE ARGUMENTS"
04:57 < dazo> (almost at the end of the man page)
04:58 < pexy_> so "input_password = $ENV::KEY_PASS" in openssl.cnf should work?
04:58 < dazo> that sounds very wrong
04:59 < dazo> in best case
04:59 < dazo> input_password = env:$KEY_PASS
04:59 < dazo> "env:" is a keyword for -passin
04:59 < pexy_> what's the equivalent of -passin in openssl.cnf?
04:59 * dazo dunno
05:00 < pexy_> it's probably easier to change openssl command in pkitool than to modify openssl.cnf correctly
05:00 < dazo> I'd guess so
05:02 < pexy_> that's how country code gets into cert. openssl.cnf:"countryName_default = $ENV::KEY_COUNTRY". i assume password should be something similar
05:03 < dazo> pexy_: aha ... well, I'm terrified of openssl.cnf .... I find it rather chaotic, so I tend to avoid looking at that file, just leaving it to the defaults :-P
05:04 < pexy_> :D
05:11 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
05:32 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
05:38 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:03 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Read error: 110 (Connection timed out)]
06:12 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
06:17 -!- brizly1 [n=brizly_v@p4FC9846B.dip0.t-ipconnect.de] has joined ##openvpn
06:26 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
06:31 -!- brizly [n=brizly_v@p4FC99D18.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:45 -!- c64zottel [n=hans@62.12.212.73] has joined ##openvpn
07:13 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:40 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
08:21 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
08:32 < WormFood> but can I have openvpn push route exceptions for the --redirect-gateway?....in other words, have everything go through the vpn EXCEPT some networks?
08:35 < ecrist> no
08:37 < WormFood> :(
08:37 -!- MadTBone__ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
08:37 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 104 (Connection reset by peer)]
08:39 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
08:41 < ecrist> WormFood: routing tables don't work that way
08:41 < ecrist> You can do something on the firewall level at the local client with an up script, but nothing directly built in to OpenVPN
08:42 < WormFood> thanks, I'm quite aware of how routing tables work
08:42 < WormFood> openvpn can push routes to use the vpn
08:42 < WormFood> I was hoping it could push route exceptions (really, add a route to use the network interface, not the vpn interface)
08:42 < ecrist> yep. there is nothing in the routing protocol that allows for routing exceptions
08:43 < ecrist> until you get in to IGRP and BGP
08:43 < WormFood> what I'm asking about has NOTHING to do with routing protocols....I'm asking about openvpn
08:43 < WormFood> basically, can openvpn push a route to not use the vpn?
08:43 < WormFood> and you already said "no"
08:43 < ecrist> NO
08:44 < ecrist> you asking about pushing a routing exception, that doesn't exist
08:44 < ecrist> your*
08:44 < ecrist> you're*
08:58 < WormFood> clearly you don't have a clue as to what I am asking about
08:58 < WormFood> sorry I'm not more clear
08:59 < ecrist> I do know what you're asking, and it cannot be done.
08:59 < WormFood> I'm sure it can be done
08:59 < WormFood> route add -net 1.2.3.0/24 gw old.gw.address.com
09:00 < ecrist> it can be done locally, but not from the OpenVPN server
09:00 < WormFood> it is a matter of openvpn supporting that feature or not
09:00 < ecrist> the openvpn server has no way of knowing the remote client's original gateway
09:00 < WormFood> just like the openvpn server can push routes to use through the vpn, I know it is technically capable of pushing routes to not use over the vpn
09:00 < ecrist> as I said above, you *can* accomplish it with an 'up' script on the client side;
09:01 < WormFood> I'd like to have something being pushed from the server, so my clients don't have to manually configure their machines.
09:01 < WormFood> however, you are right, I can put that in an 'up' script on the client side
09:01 < WormFood> I was hoping for something more dynamic
09:01 < ecrist> nope, not with OpenVPN, sorry.
09:02 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
09:02 -!- pexy_ [n=opera@ns.emhi.ee] has left ##openvpn []
09:11 -!- kevinh [n=khowerto@rrcs-208-125-2-58.nyc.biz.rr.com] has joined ##openvpn
09:13 -!- kevinh [n=khowerto@rrcs-208-125-2-58.nyc.biz.rr.com] has quit [Client Quit]
09:33 < Optic> moooo
09:40 -!- duclicsic [n=lol@sagan.duclicsic.com] has joined ##openvpn
09:41 < duclicsic> sup
09:43 < duclicsic> so i have been using openvpn for a while now, had a nice little network going on, and now I need to shift the server to a different machine
09:43 < duclicsic> that part im cool with, i can get all the old clients to connect to it, but of course i now have to make client crt and key files for what was the server
09:44 < duclicsic> the ubuntu/debian distro no longer puts all the easy-rsa scripts in /etc/openvpn rather it puts them in /usr/share/docs .....
09:44 < duclicsic> but i can't get the blighters to work
09:45 < duclicsic> it keeps erroring out because first it can't open this index.txt file that has never existed as long as i've used openvpn
09:45 < duclicsic> so i made it as a blank file, and now it complains about some file called "serial" not existing
09:46 < duclicsic> the docs on the site were great for getting started when i set this up the first time, but no longer seem to apply to the newer releases
09:46 < duclicsic> can anyone tell me where i get this magical serial number? do i just make one up?
09:47 < duclicsic> or a definitive guide on how to generate client keys/crts in 2.1?
09:47 < duclicsic> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
09:48 < WormFood> duclicsic, you can copy the keys and certs from the old server with no problems
09:48 < duclicsic> yeah i know, i did that for my server. i am failing when it comes to generating new client key/crts though
09:48 -!- georgious [n=quassel@router.gamasuconsult.com] has joined ##openvpn
09:48 < georgious> hey guys
09:49 < georgious> I have some problems with client-to-client
09:49 < georgious> clients can't really "see" each other even though I have enabled that directive
09:49 < WormFood> georgious, can they ping each other?
09:50 < georgious> nope - that is the problem
09:50 < georgious> ping doesn't go through
09:50 < georgious> they can ping the server
09:50 < georgious> but not each other
09:52 < duclicsic> hey.... my long drawn out question comes first here ;)
09:53 < duclicsic> and i'd like to add to it, why does the easy-rsa package seem to insist that you run clean-all? if you're just making a new client key surely this is a terrible idea since it will delete all your server keys and certs and shit?
09:53 < georgious> duclicsic: you don't have to clean-all
09:53 < georgious> just start vars
09:53 < georgious> and then
09:53 < duclicsic> yeah i know, i just skip it
09:53 < georgious> build-key [[client]]
09:54 < duclicsic> but for the uninitiated it can seem confusing
09:54 < duclicsic> well, i would skip it if i had that whole bit working right now
09:54 < georgious> ok, what's wrong with your config
09:54 < duclicsic> i have all my configs, they are all fine, i have a server and clients can talk to it
09:55 < duclicsic> the problem is that it's been ages since i set it up, and i am now trying to add a new client
09:55 < duclicsic> the easy-rsa scripts that were previously in the /etc/openvpn directory are no longer there
09:55 < duclicsic> they are in some /usr/share/doc/openvpn directory, and now no longer seem to work
09:56 < duclicsic> they complain about "index.txt" and "serial" not existing
09:56 < duclicsic> i have never seen or heard of these files though, they never existed when i set this up first time
09:57 < duclicsic> the docs on the site seem to be old, and refer to how things were done previously, when they worked ok
09:58 < georgious> version?
09:59 < ecrist> duclicsic: why do you have to remake the certificates?
09:59 < ecrist> I don't understand that part.
10:00 < ecrist> or are you just adding a client?
10:01 < georgious> he's just adding a client
10:01 < ecrist> on your old machine, you should be able to find the files the new machine is complaining about.
10:01 < georgious> duclicsic: did you try ./vars and then ./build-key ?
10:01 < ecrist> you're missing a . in front of ./vars
10:01 < duclicsic> i am just adding a client, georgious yes that is what i've been doing exactly
10:02 < ecrist> it should be '. ./vars' note the space
10:02 < duclicsic> sorry yes i have been typing ". ./vars"
10:02 < duclicsic> then "./build-key name"
10:02 < ecrist> is your shell bash?
10:02 < duclicsic> yes
10:02 < ecrist> then it should work.
10:03 < duclicsic> ok, but its complaining about missing files
10:03 < georgious> are you the owner of the files?
10:03 < georgious> root privileges maybe?
10:03 < duclicsic> no, they don't exist, they never did
10:03 < ecrist> you need to get those files from the old machine
10:03 < ecrist> if you created certificates on the old machine, those files will exist
10:03 < duclicsic> they weren't there on the old machine, these files have never been part of my openvpn setup
10:04 < duclicsic> oh hang on, i've migrated the server once before
10:04 < ecrist> they're not part of OpenVPN, they're part of OpenSSL
10:04 < duclicsic> maybe i didn't grab everything i needed
10:04 < duclicsic> hold on, i might still have that setup
10:05 < georgious> duclicsic: they are part of the config - but you may have thought "ah, some stupid .txt file - another README, I don't need it.. [[trash]]"
10:05 < georgious> :D
10:05 < duclicsic> yeah i thought i knew which files needed to migrate with it, and of course it all worked fine when i set it up
10:06 < duclicsic> it's only now that i've come to add clients that i'm getting confused
10:06 < georgious> because you didn't need to add new clients
10:06 < georgious> well..
10:06 < georgious> my advice
10:06 < georgious> how many clients are there?
10:06 < duclicsic> i found the files, will try again ;)
10:06 < georgious> copy them in .../keys/
10:08 < georgious> anybody can help me with client-to-client ?
10:08 < ecrist> georgious: check your firewall
10:08 < georgious> no firewall
10:08 < georgious> I disabled it
10:08 < ecrist> !all
10:08 < vpnHelper> ecrist: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
10:09 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:09 < georgious> ecrist: just a sec..
10:10 < georgious> ecrist: server - http://pastebin.com/d25d2d53c
10:12 < duclicsic> one thing, the easy-rsa scripts are now located separately from the keys, do i have to copy them over and run them in the same directory or can i run them from anywhere?
10:12 < georgious> ecrist: client - http://pastebin.com/d37d84d5a
10:12 < georgious> duclicsic: easy-rsa will look in ./keys/
10:12 < duclicsic> ok best move them over
10:12 < ecrist> georgious: logs, too, please
10:13 < ecrist> also, tcp is a bad idea if you can avoid it
10:13 < ecrist> !tcp
10:13 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
10:14 < georgious> ecrist: http://pastebin.com/d7eabf786
10:14 < georgious> hmm..
10:14 < georgious> so.. maybe I should just use udp ?
10:17 < duclicsic> hurray! thanks guys. i have a new client key/crt
10:17 -!- Sky[x] [n=SkyB0x@88.200.89.118] has joined ##openvpn
10:17 < georgious> well done, duclicsic
10:17 < georgious> ecrist: my route table looks odd..
10:18 < georgious> http://pastebin.com/m49da60e
10:18 < georgious> duclicsic: can you give me some help on my issue
10:18 < georgious> :)
10:19 -!- Gobbla [n=Gobbla@c80-217-155-11.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
10:19 < duclicsic> i was gonna suggest firewall until ecrist said it first :D
10:19 < georgious> !route
10:19 < vpnHelper> georgious: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:19 -!- Sky[x] [n=SkyB0x@88.200.89.118] has quit [Read error: 104 (Connection reset by peer)]
10:20 -!- Sky[x] [n=SkyB0x@88.200.89.118] has joined ##openvpn
10:20 < georgious> once the tunnel is established
10:20 < georgious> and I can ping the server..
10:20 < georgious> why should there be any problem?
10:21 < duclicsic> i dunno how it routes between clients, does the server need ip forwarding turned on?
10:21 < duclicsic> maybe it
10:21 < duclicsic> oops, maybe it's that
10:22 < georgious> erm..
10:22 < georgious> it's a win machine
10:22 < duclicsic> ahh
10:22 < duclicsic> then i am even less likely to be of any help
10:23 < georgious> darn..
10:23 < georgious> but it's not tun vs tap ?
10:24 < duclicsic> my setup is tun, and clients can talk no problem
10:25 < georgious> via your vpn network, right ?
10:25 < duclicsic> yeah
10:25 < georgious> no additional push route
10:26 < georgious> or sth in your config?
10:27 < duclicsic> i do push out a route to a LAN that hangs off the server, but that's unrelated. both clients can talk through the server
10:27 < duclicsic> never had a problem with it
10:28 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
10:29 < drue> how can i avoid openvpn clients that don't match a ccd entry from taking a used ip? that is, my ccd entries collide with the non-ccd range
10:43 -!- thomas [i=tm@tm.muc.de] has quit ["leaving"]
10:48 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
10:50 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
10:54 -!- duclicsic [n=lol@sagan.duclicsic.com] has quit ["leaving"]
10:55 -!- georgious [n=quassel@router.gamasuconsult.com] has quit [Remote closed the connection]
10:57 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:58 -!- Sky[x] [n=SkyB0x@88.200.89.118] has quit []
11:15 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
11:15 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
11:20 -!- WormFood [n=wormfood@121.34.165.71] has quit [Read error: 110 (Connection timed out)]
11:21 -!- WormFood [n=wormfood@121.35.52.9] has joined ##openvpn
11:28 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:36 -!- MadTBone__ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:37 -!- MadTBone__ [n=MadTBone@160.39.238.196] has joined ##openvpn
11:43 -!- gilos [i=cee65482@gateway/web/freenode/x-isfmksbrljtgzuah] has joined ##openvpn
11:43 -!- slap [n=slap@amsterdam.perfect-privacy.com] has joined ##openvpn
11:44 < slap> !push-dns
11:44 < vpnHelper> slap: Error: "push-dns" is not a valid command.
11:44 < slap> !pushdns
11:44 < vpnHelper> slap: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
11:45 -!- hyper_ch [n=hyper@68-149.77-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:51 -!- dazo is now known as dazo|afk
12:01 -!- kosmic is now known as vmlinuz
12:07 -!- odonata [n=odonata@security.jails.se] has quit [Read error: 60 (Operation timed out)]
12:07 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn
12:13 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
12:27 -!- hyper_ch [n=hyper@62.167.118.177] has joined ##openvpn
12:39 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:48 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:51 -!- vmlinuz is now known as kosmic
12:56 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
13:02 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
13:07 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:23 < SerajewelKS> ugh, stupid corporate network
13:23 < SerajewelKS> all outbound UDP is blocked :(
13:29 -!- slap [n=slap@amsterdam.perfect-privacy.com] has quit [Client Quit]
13:32 < Hypnoz> ouch
13:32 < Hypnoz> outbound udp on what port
13:32 < krzee> try udp 53 out
13:32 < Hypnoz> maybe you could go over an open port like 80 or 443
13:32 < Hypnoz> what is 53?
13:33 < krzee> dns
13:33 < Hypnoz> ah
13:33 < krzee> try to directly query a dns server outside the company
13:33 < krzee> like: host ircpimps.org 4.2.2.1
13:33 < krzee> if that doesnt work you gotta use TCP 443
13:36 -!- MadTBone__ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
13:39 -!- MadTBone__ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
13:42 < SerajewelKS> Hypnoz: i currently have to tunnel ssh through apache on port 80
13:42 < SerajewelKS> Hypnoz: then i tunnel openvpn through ssh
13:42 < SerajewelKS> which is obnoxious when the connection stalls, the vpn connection goes to hell of course
13:43 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
13:44 < Hypnoz> could open a ping -t to the openvpn computer, that might keep the connection alive
13:44 < Hypnoz> but ya thats not the ideal setup
13:45 < Hypnoz> i was working at a company a while ago that used a proxy and all kinds of security and port blocking, as well as fully encrypting all hdd's in the company etc. it can get frustrating feeling so constricted
13:45 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
13:46 < Hypnoz> did you try krzee's suggestions
13:50 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
13:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:56 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
14:00 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:03 < krzee> [14:40] Hypnoz: i currently have to tunnel ssh through apache on port 80
14:03 < krzee> [14:40] Hypnoz: then i tunnel openvpn through ssh
14:03 < krzee> [14:41] which is obnoxious when the connection stalls, the vpn connection goes to hell of course
14:03 < krzee> lol
14:03 < krzee> openvpn can tunnel through port 80 as well
14:03 < krzee> see --proxy stuff in manual
14:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
14:53 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:11 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
15:12 -!- jetole [n=Joe@204.13.0.100] has quit [Read error: 60 (Operation timed out)]
15:14 -!- hyper_ch [n=hyper@62.167.118.177] has quit [Remote closed the connection]
15:18 -!- c64zotte1 [n=hans@62-12-226-202.pool.cyberlink.ch] has joined ##openvpn
15:26 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
15:33 -!- c64zottel [n=hans@62.12.212.73] has quit [Read error: 110 (Connection timed out)]
15:33 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
15:55 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:01 -!- hyper_ch [n=hyper@adsl-62-167-118-177.adslplus.ch] has joined ##openvpn
16:15 -!- buntfalke [n=nobody@openvpn-tcp-019.triple-a.uni-kl.de] has joined ##openvpn
16:18 -!- jeiworth [n=jeiworth@189.163.187.234] has joined ##openvpn
16:23 < PeterFA> Anyone know how to contact the developers?
16:25 < krzie> !dev
16:25 < vpnHelper> krzie: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
16:26 < PeterFA> Thank you.
16:28 < krzie> may i ask what you're going to submit to them?
16:29 < PeterFA> krzie, oh, an issue regarding setting environment variables in BASH. This is very important for my script which I've been commissioned to write.
16:30 < PeterFA> krzie, it seems OpenVPN no longer sets environment variables in the latest Sabayon build.
16:30 < PeterFA> Without the variables, my script is fail. :(
16:31 < krzie> Sabayon...?
16:32 < PeterFA> krzie, that's my desktop that I'm using right now to connect to an OpenVPN server.
16:32 < PeterFA> The build connects fine, and I'll get a trusted IP address, but the build doesn't set variables.
16:33 < krzie> Sabayon is some sort of linux or something?
16:34 < PeterFA> krzie, yes, it's a distribution of Linux. It's based off of Gentoo, and basically a, "Binary Gentoo." It's tailored for a nice desktop environment.
16:36 < krzie> gotchya
16:45 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
16:47 < krzie> PeterFA have you tried it in newest dev version and in 2.0?
16:50 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
16:50 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
16:50 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
16:52 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
16:52 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 54 (Connection reset by peer)]
16:52 < Oreva> does anyone know about a vpn service called fastweb.webhop.net??
16:52 < krzie> nope
16:55 < gilos> so anyone familiar with the windows tun/tap interface? I'm having issues using it in a windows clustered environment (active-passive)
16:56 < krzie> can you make your question sound like something related to openvpn?
16:56 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
16:56 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 54 (Connection reset by peer)]
16:57 < gilos> open vpn fails to start when I roll the cluster from side to side because the virtual tun/tap interface is renamed on the passive side from openvpn to openvpn(1)
16:57 < gilos> so the server config does not pick up the settings because the adapter is named openvpn(1) instead of openvpn
16:58 -!- Oreva [n=brenwill@70.88.214.124] has joined ##openvpn
16:58 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 104 (Connection reset by peer)]
17:00 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
17:00 -!- Oreva [n=brenwill@70.88.214.124] has quit [Read error: 104 (Connection reset by peer)]
17:01 < Dukelord> does anyone know what tool i can use to detect the open TCP and UDP ports on my mobile ISP?
17:03 < krzie> what os does your mobile run?
17:05 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
17:11 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 60 (Operation timed out)]
17:12 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
17:13 < dmarkey> anyone know of an openvpn client for series 60
17:20 < krzie> whats series 60
17:21 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
17:22 < DevilsPGD> S60 is Symbian OS
17:22 -!- MadTBone__ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
17:25 < dmarkey> i dont think theres tun/tap for it
17:28 < krzie> ya thats the same problem for iphone/ipod touch
17:29 < krzie> pointless to get the code to compile cause theres no tuntap
17:29 < dmarkey> well, ipod apps have to go through the app store for a start
17:29 < dmarkey> but ipods are unix, so it might be easier
17:30 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"]
17:30 < krzie> the apps do NOT need to be on the store
17:30 < krzie> ive loaded many that werent
17:30 < krzie> but no tuntap, the end =]
17:50 < reiffert> rumors tell of some guys porting tuntap to ipod/iphone
17:52 < reiffert> maybe ask the mailinglist for the/a current status
17:52 < reiffert> the openvpn dev mailinglist is a good place to ask.
17:57 < dmarkey> reiffert: any word of S60?
17:58 -!- KaiForce [n=chatzill@70.228.104.238] has joined ##openvpn
17:59 < reiffert> Hm, good question, maybe search the list archive?
18:00 < reiffert> there should be something searchable out there, maybe on sf.net?
18:00 < krzie> !mail
18:00 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
18:00 < reiffert> !devmail
18:00 < vpnHelper> reiffert: Error: "devmail" is not a valid command.
18:01 < reiffert> krzie: would you mind laying your hands on vpnHelper and let him put errors via privmsg?
18:02 < krzie> i dont code it
18:02 < krzie> i just run it
18:02 < krzie> ecrist was talking bout coding up a new one
18:03 < reiffert> Bushmill runs a proposal ... I think he wanted to port forth to your bots internal language once...
18:03 < krzie> the bot is python
18:05 < reiffert> you never touch any code do you?
18:05 < krzie> not really nope
18:05 < krzie> just scripts
18:06 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:07 < reiffert> including perl?
18:14 < krzie> ive coded 1 perl script
18:14 < krzie> but im far from a perl guy
18:14 < krzie> really just shell
18:18 < reiffert> it's a very small step from shell to perl
18:19 < reiffert> What I liked most during my first days is hashes or what I missed most on shell.
18:23 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
18:23 -!- KaiForce [n=chatzill@70.228.104.238] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
18:28 -!- groen [n=gr0en@udn1.com] has joined ##openvpn
18:30 < groen> hi, i have a problem where openvpn disables my inet when connected and if i put
18:30 < groen> #push "redirect-gateway def1"
18:31 < groen> in the server conf then it sets the default gateway to the wrong ip, where the server ip is 10.8.0.1 it sets it to 10.8.0.6 client .5
18:31 < groen> http://pastebin.com/d38356e62
18:32 < groen> the vpn works ok but i either want it to leave my inet working or route traffic through the vpn, and neither of them work. thanks
18:33 < groen> !redirect
18:33 < vpnHelper> groen: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:34 < groen> the client sits behind pfsense do you think this would require additional config to allow the inet to work while the openvpn is up
18:36 < krzie> in the server conf then it sets the default gateway to the wrong ip,
18:36 < krzie> where the server ip is 10.8.0.1 it sets it to 10.8.0.6 client .5
18:36 < krzie> thats just you not understanding the weirdness of openvpn's /30 scheme
18:36 < krzie> !/30
18:36 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
18:36 < krzie> !topology
18:36 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:37 < krzie> and reif pointed out !redirect, notice that the server must have NAT enabled for the vpn ips to be NAT'ed
18:38 < groen> what about if i leave the push "redirect-gateway def1" out of the config
18:38 < groen> inet should work by default ?
18:38 < groen> !topology
18:38 < vpnHelper> groen: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
18:42 < groen> trying that now
18:42 < groen> didnt work
18:45 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["Lost terminal"]
18:45 < groen> i added the topology subnet to conf and it wouldn't connect
18:47 < krzie> is it 2.1?
18:47 < krzie> and no, inet should not work by default with def1
18:48 < krzie> !redirect
18:48 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:48 < krzie> you also need ipforward and nat setup on the servers OS
18:48 < krzie> !ipforward
18:48 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:48 < krzie> !nat
18:48 < vpnHelper> krzie: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
18:48 < groen> i did ipforward, but not nat
18:48 < krzie> then it cant possibly work
18:48 < groen> but why does it disable my inet without the push redirect option
18:49 < krzie> !configs
18:49 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:49 < krzie> prolly conflicting subnets
18:49 < groen> groen> http://pastebin.com/d38356e62
18:49 < krzie> !interface
18:49 < vpnHelper> krzie: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
18:49 < krzie> #
18:49 < krzie> push "route 10.5.0.0 255.255.255.0"
18:49 < krzie> whats that for?
18:50 < krzie> lan behind the server?
18:50 < groen> well my client subnet is 10.5.0
18:50 < groen> i was told by someone else to set it to 10.8.x
18:52 < krzie> you are trying to have the lan which is behind the client accessible over the vpn?
18:53 < groen> no i have a remote box with an external ip which is the server, i have a client behind a pfsense box
18:53 < groen> 10.5 is the subnet of the client behind the pfsense box
18:53 < krzie> what subnet
18:53 < krzie> your vpn subnet is 10.8.0.x
18:54 < krzie> the LAN subnet of the client is 10.5.0.x ?
18:54 < groen> 10.5.0.x
18:54 < groen> yes
18:54 < krzie> thats how you're breaking its route
18:54 < krzie> you are telling it to route that subnet over the vpn
18:54 < krzie> so it does, then it cant reach its gateway
18:54 < groen> so should i comment out that push route ?
18:55 < krzie> you should remove it entirely
18:55 < krzie> it has NO purpose in your setup other than to break your routing
18:55 < krzie> im very curious why it ended up there in the first place
18:55 < groen> following documentation i guess...
18:55 < krzie> what did you think you were doing when you put that in? maybe i can help you do it
18:56 < krzie> i guarantee no ovpn docs would say to do that
18:56 < krzie> only time you push a route is to tell clients to send said route over the vpn as opposed to their normal gateway
18:57 < groen> success :D
18:58 < groen> now i just have this /30 issue with the push redirect-gateway def1
18:58 < groen> thanks
18:58 < groen> with the push redirect it is still setting the gateway to .6 not .1
18:59 < groen> plus i need to install nat on freebsd 7
18:59 < groen> hmmm
18:59 < groen> but thanks for your help
19:01 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:01 < krzie> its working right
19:01 < krzie> it shouldnt use .1
19:02 < krzie> its nat thats not right
19:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
19:02 < krzie> i understand common sense would make you think it should use .1, but its not like that
19:02 < groen> of course not :P
19:02 < krzie> unless you use 2.1 with topology subnet
19:03 < groen> OpenVPN 2.0.6
19:04 < krzie> holy oldness
19:04 < krzie> !download
19:04 < vpnHelper> krzie: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html
19:04 < krzie> try getting something that was made within the last 4 yrs ;]
19:04 < krzie> openvpn-devel in ports
19:04 < krzie> also since you use fbsd, you may enjoy this:
19:04 < krzie> !ssl-admin
19:04 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
19:05 < krzie> its in ports
19:05 < krzie> its an alternative to easy-rsa
19:05 < groen> so i have to recreate the keys if i upgrade ?
19:05 < krzie> nope
19:06 < krzie> just letting you know bout a MUCH nicer way to handle future stuff with keys
19:06 < krzie> i never use easy-rsa anymore, ssl-admin is much nicer
19:06 < groen> oh ok
19:06 < groen> i thought easy-rsa was quite easy
19:06 < groen> with the docs...
19:06 < krzie> it is, and ssl-admin is even easier ;]
19:07 < krzie> imho
19:07 < krzie> menu driven
19:08 < groen> 2.0.6 is the latest version in ports db
19:08 < groen> http://www.freshports.org/security/openvpn/
19:08 < vpnHelper> Title: FreshPorts -- security/openvpn (at www.freshports.org)
19:08 < krzie> try openvpn-devel
19:10 < groen> thanks building now
19:10 < krzie> root@hemp:/usr/ports/security/openvpn-devel> cat distinfo
19:10 < krzie> MD5 (openvpn-2.1_rc19.tar.gz) = ba2ee667a8b7606b125b7d32f47ca578
19:10 < krzie> 20 is out, but if you must stay in ports 19 should be fine
19:10 < krzie> i like installing from ports as well, i understand
19:10 < krzie> plus portupgrade will bring it to rc20 soon enough im sure
19:15 < groen> you ever use pfsense ?
19:16 < krzie> nope, im a CLI kinda guy
19:16 < groen> it has a openvpn menu option, couldn't i just make the pfsense box the client and then use pfsense to route traffic through the vpn without installing nat on the server
19:17 < groen> if i install nat means i have to setup pf etc
19:17 < krzie> the ONLY way you can route inet traffic through a vpn is with NAT
19:17 < groen> ok
19:17 < krzie> think of it this way man
19:17 < krzie> the vpn is like a new lan
19:17 < krzie> in your case that lans subnet is 10.8.0.x
19:17 < krzie> which is NOT inet routable
19:18 < krzie> if you setup a lan at your house with 10.8.0.x without NAT, could it access the inet?
19:18 < groen> no
19:18 < krzie> neither can your vpn =]
19:19 < krzie> the packets will pass TO the inet
19:19 < krzie> but get dropped at the border router most likely
19:19 < krzie> even if not dropped, theres no route back
19:19 < krzie> so no inet til NAT
19:20 < groen> what i thought was cool is that i couldn't get sftp working through pfsense, but i can sftp over the vpn, oh ye
19:20 < groen> double encryption
19:20 < groen> haha
19:20 < krzie> hehe
20:16 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:24 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:36 -!- latentsin [n=ian@66-178-122-36.reverse.newskies.net] has joined ##openvpn
20:37 < latentsin> hey guys .. I need some information - anyone around?
20:37 < krzie> !ask
20:37 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
20:38 < latentsin> !ask is there another ssl vpn client i can use instead of the openvpn client?
20:38 < vpnHelper> latentsin: Error: "ask" is not a valid command.
20:39 < krzie> lol
20:39 < krzie> no, there is not
20:39 < latentsin> :)
20:39 < krzie> !copat
20:39 < vpnHelper> krzie: Error: "copat" is not a valid command.
20:39 < krzie> !compat
20:39 < vpnHelper> krzie: Error: "compat" is not a valid command.
20:39 < latentsin> hi krzie
20:39 < latentsin> i dont like when it pops up and asks for a username :(
20:39 < krzie> !factoids search compat]
20:39 < vpnHelper> krzie: Error: Spurious "]". You may want to quote your arguments with double quotes in order to prevent extra brackets from being evaluated as nested commands.
20:39 < krzie> !factoids search compat
20:39 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
20:40 < krzie> what pops up asking for a username?
20:40 < latentsin> the openvpn gui
20:40 < krzie> it must not be starting as admin
20:41 < latentsin> um i dont know .. i am the admin of this pc
20:42 < latentsin> the thing is .. I want to install openvpn on a few pcs. I dont want anyone to enter any password. i want the users to just run the software and it connects
20:42 < krzie> right but openvpn must be started with admin privs
20:43 < krzie> OR when you made the certs you may have put a password on them
20:43 < latentsin> i downloaded the certificate from the vpn provider
20:43 < krzie> did they also give you a password to use with it?
20:44 < krzie> you want the vpn to always be active?
20:44 < latentsin> yea I have the user and the pass to use with the account
20:44 < latentsin> i got it from alonweb - a feww openvpn provider
20:44 < latentsin> a free*
20:45 < latentsin> i guess I should give you the entire run down - i'll make it short
20:46 < latentsin> PPTP is blocked in my country - I want to use openvpn on my customers to connect to the web so they can make VOIP calls. I am planning to use witopia - very affordable. But I dont want to give my customers the username or password. I just want them to execute the software and thats it - people here aren't computer savvy
20:48 < krzie> well without you controlling both sides i cant really know whats asking you for a login/password
20:48 < krzie> openvpn CAN be setup to ask for them, but its not default
20:50 < latentsin> how do I go about setting that in the config file?
20:50 < latentsin> I have a key.txt with a lot of writing
20:50 -!- Peste_Bubonica [n=eduardo@189.47.176.158] has joined ##openvpn
20:50 < Peste_Bubonica> Hi all...
20:50 < latentsin> and alonweb config file
20:51 < latentsin> with a few writing
20:51 < krzie> !factoids search pass
20:51 < vpnHelper> krzie: 'winpass', '2.1-winpass-script', 'authpass', and 'password-only'
20:51 < latentsin> hello Peste_Bubonica
20:51 < krzie> !authpass
20:51 < vpnHelper> krzie: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
20:51 < krzie> thats not it
20:51 < krzie> !winpass
20:51 < vpnHelper> krzie: "winpass" is openvpnGUI for windows has a change password feature that will change the passphrase on your .key files
20:51 < Peste_Bubonica> Can I push a dns server configuration to vpn clients? im using this instruction on configuration file: push "dhcp-option DNS 172.16.0.234"
20:52 < Peste_Bubonica> but, When I connect to vpn, this configuration is not set on my resolv.conf
20:52 < Peste_Bubonica> latentsin, hello :)
20:52 < krzie> the clients are windows or unix?
20:52 < krzie> ahh unix
20:52 < krzie> you must use an external script to set it
20:52 < krzie> !pushdns
20:52 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
20:52 < krzie> that thread is windows focused but mentions what script to run on linux
20:53 < Peste_Bubonica> krzee, understood... this works on with windows?
20:53 < Peste_Bubonica> with linux, I need to call an external script?
20:53 < krzie> correct, but with windows theres other issues
20:53 < krzie> i dunno if they still exist in newer win versions, i dont run windows
20:53 < Peste_Bubonica> ok... understood
20:54 < Peste_Bubonica> me too... but some users of the vpn will run with windows.. I will read the documentation that you indicate...
20:54 < Peste_Bubonica> krzie, many thanks!!
20:54 < krzie> yw
20:56 < latentsin> :)
20:57 < latentsin> so krzie - aren't there any other SSL VPN clients other than openvpn for windows?
20:57 < latentsin> Mac has a few - but i'm not mac :(
20:57 < krzie> any of mac's are simply wrappers for openvpn
20:57 < krzie> they are not separate apps
20:58 < krzie> they contain real openvpn and only work for openvpn
20:58 < latentsin> lol ok - how about a wrapper for windows? :D
20:58 < krzie> openvpn-gui
20:58 < latentsin> yea I dont mind that - I just want it to make 'openvpn' when someone sees it
20:58 < latentsin> I am really new to OpenVPN :)
20:58 < latentsin> so i ask for ur patience
20:59 < krzie> ok well, only openvpn can connect to openvpn
20:59 < krzie> diff OS's have diff gui's
20:59 < krzie> but if they connect to openvpn, they ARE openvpn
20:59 < latentsin> OK I got that
20:59 < krzie> (with some gui)
21:00 < latentsin> i guess a better question would be .. I need a skin for openvpn
21:00 < latentsin> :)
21:01 < Peste_Bubonica> I like openvpn-gui
21:01 < latentsin> I know you do - its a beautiful Gui
21:01 < latentsin> but I can use that on people's pc
21:01 < krzie> if your people will have openvpn always running, you can simply install it as a service
21:01 < krzie> then they dont click anything
21:01 < latentsin> wow!
21:01 < latentsin> really?
21:01 < latentsin> how do I do that?
21:01 < krzie> yup, while installing the gui it asks you
21:02 < latentsin> you just got me excited
21:02 < krzie> at least it did when i last installed ovpn on windows
21:02 < latentsin> lol
21:02 < latentsin> is there any documentation on this
21:02 < latentsin> and is that what u are running? ..a service and not a gui?
21:02 < krzie> i dont use windows
21:03 < latentsin> is that a complex no? lol
21:03 < krzie> i need to be paid a lot to even look at windows
21:03 < latentsin> i'm teasing
21:03 < latentsin> :)
21:03 -!- groen [n=gr0en@udn1.com] has quit [Remote closed the connection]
21:03 < latentsin> dont worry - looking at windows isnt worth anything big
21:03 < latentsin> :)
21:04 -!- hyper__ch [n=hyper@adsl-89-217-12-138.adslplus.ch] has joined ##openvpn
21:04 -!- hyper_ch [n=hyper@adsl-62-167-118-177.adslplus.ch] has quit [Nick collision from services.]
21:04 -!- hyper__ch is now known as hyper_ch
21:04 < latentsin> where are you from krzie?
21:08 < latentsin> krzie, enough of the fluff talk - I have one last serious question
21:08 < latentsin> when I run openvpn as a service - is it gonna use the same cert file that is found in the openvpn directory?
21:09 < krzie> it will run all openvpn on all .ovpn files in the config dir, the certs get called by the configs
21:11 < latentsin> ok - great
21:11 < latentsin> you are SOO much help
21:11 < latentsin> thank you
21:11 < latentsin> :)
21:11 < krzie> yw
21:14 -!- master_of_master [i=master_o@p549D49D6.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:18 -!- master_of_master [i=master_o@p549D4521.dip.t-dialin.net] has joined ##openvpn
21:22 -!- c64zotte1 [n=hans@62-12-226-202.pool.cyberlink.ch] has left ##openvpn []
21:27 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
21:28 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:30 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 60 (Operation timed out)]
21:30 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)]
21:31 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
21:31 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
21:32 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
21:33 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn
21:37 -!- Peste_Bubonica [n=eduardo@189.47.176.158] has quit [Remote closed the connection]
21:40 -!- latentsin [n=ian@66-178-122-36.reverse.newskies.net] has quit [Read error: 104 (Connection reset by peer)]
22:02 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:09 < hr> Hi
22:10 < hr> I'm really having a hard time getting the "road warrior" kind of configuration to work
22:10 < hr> the traffic doesn't go through the tunnel at all (tcpdump verified)
22:13 -!- ErickG [n=ErickG@190.86.219.177] has joined ##openvpn
22:15 -!- ErickG [n=ErickG@190.86.219.177] has left ##openvpn []
22:19 < hr> http://pastie.org/661548
22:20 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
22:29 < hr> ok never mind
22:29 < hr> found an error in my tests
22:29 < hr> I'll be back later ::p
22:30 < hr> with this route to the gateway being pushed by remote-gateway I've confused myself
22:38 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Client Quit]
22:38 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
22:39 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:57 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit [Read error: 104 (Connection reset by peer)]
22:58 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
23:13 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:21 -!- muddd [n=fubard@c-98-224-33-102.hsd1.fl.comcast.net] has joined ##openvpn
23:23 < muddd> Hi... i set up a vpn server on my machine here, I can't connect to it locally to test it can I? I was gonna see if someone in here could connect to it and tell me what they can see
23:24 < muddd> for testing purposes for another project i have
23:24 < muddd> !howto
23:24 < vpnHelper> muddd: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:26 < muddd> darn, i'm not using openvpn... i'll be around if someone messes with pptp vpn's for windows clients? just msg me
23:26 -!- muddd [n=fubard@c-98-224-33-102.hsd1.fl.comcast.net] has left ##openvpn ["Leaving"]
23:33 -!- xp_prg [n=xp_prg3@c-76-21-3-192.hsd1.ca.comcast.net] has joined ##openvpn
23:35 -!- jeiworth [n=jeiworth@189.163.187.234] has quit [Read error: 60 (Operation timed out)]
23:40 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
23:40 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Client Quit]
23:50 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
23:51 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"]
23:51 < Dukelord> Hello, pls what software can i use to determine the open tcp and udp ports on my mobile ISP? I'm behind a firewall i think
--- Day changed Tue Oct 20 2009
00:03 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
00:18 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
00:22 -!- hyper_ch [n=hyper@adsl-89-217-12-138.adslplus.ch] has quit [Remote closed the connection]
01:10 -!- hyper_ch [n=hyper@141-142.1-85.cust.bluewin.ch] has joined ##openvpn
01:10 -!- xp_prg [n=xp_prg3@c-76-21-3-192.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
01:15 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:43 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 60 (Operation timed out)]
02:17 < |Mike|> lol @mudd
02:24 -!- endre [i=me2@217.20.135.17] has joined ##openvpn
02:25 < endre> hi guise. i wonder if openvpn is capable of direct radius authentication instead of using pam as a kind of middleware?
02:28 < |Mike|> and what's direct radius authentication?
02:31 < endre> a plugin for asking the radius server with the presharedkey to authenticate the user
02:31 < |Mike|> can it read signed certs?
02:32 < endre> what are you talking about? how should i know?
02:33 < |Mike|> You run that software, not me..
02:33 < endre> you're a bit off-track.. im not running anything except a radius-capable authentication server
02:34 < |Mike|> is it some kind of router or what?
02:34 < endre> wtf?
02:34 < |Mike|> Compulsory Tunnels Forces VPN tunnels.
02:35 < |Mike|> it probably can
02:35 < |Mike|> http://www.google.nl/search?hl=nl&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&q=direct+radius+authentication+%2B+openvpn&btnG=Zoeken&meta=
02:35 < vpnHelper> Title: direct radius authentication + openvpn - Google zoeken (at www.google.nl)
02:35 < |Mike|> here ya go
02:35 < endre> sure
02:35 < endre> http://www.hp.com/rnd/images/pdf_html/802_1XSolution.jpg
02:36 < endre> netherlands is a great country
02:36 < |Mike|> it sure is
03:05 -!- Richard [n=chatzill@5356C45E.cable.casema.nl] has joined ##openvpn
03:06 -!- Richard is now known as Guest61201
03:06 < Guest61201> Hello can someone help me with this error error 23 at 0 depth lookup:certificate revoked
03:07 -!- Guest61201 is now known as Richard-d
03:07 < Richard-d> Hello can someone help me with this error error 23 at 0 depth lookup:certificate revoked
03:17 -!- Richard-d [n=chatzill@5356C45E.cable.casema.nl] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
03:22 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:38 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
03:39 -!- Dukelord [n=brenwill@70.88.214.124] has left ##openvpn []
03:40 -!- dazo|afk is now known as dazo
04:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:15 -!- Muligan [n=muligan1@209-193-88-45.mammothnetworks.com] has quit ["Leaving"]
04:35 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:38 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
04:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
04:52 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
04:54 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
04:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:59 -!- Jajaja [i=lqtl@67.212.67.74] has joined ##openvpn
05:00 < Jajaja> hi, can anyone please help me set up my router.. im 100% New to adsl
05:00 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
05:01 < hyper_ch> setup how?
05:01 < Jajaja> im using a planet ADW 4401 4port ethernet + wifi 802.11g router modem (adsl2/2)
05:02 < Jajaja> I am using openvpn in conjunction with a proxy server. im just hoping my router wouldn't affect the openvpn program
05:02 < Jajaja> am using cellphone to dial up, proxy server to bypass network, open vpn to communicate with proxy server and other applications.
05:35 -!- Jajaja [i=lqtl@67.212.67.74] has left ##openvpn []
05:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:36 -!- c64zottel [n=hans@62-12-226-202.pool.cyberlink.ch] has joined ##openvpn
05:47 -!- hyper_ch [n=hyper@141-142.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:52 -!- duclicsic [n=lol@sagan.duclicsic.com] has joined ##openvpn
05:52 < duclicsic> !route
05:53 < vpnHelper> duclicsic: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:53 < duclicsic> !tcp
05:53 < vpnHelper> duclicsic: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
06:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:14 -!- duclicsic [n=lol@sagan.duclicsic.com] has left ##openvpn []
06:17 -!- brizly [n=brizly_v@p4FC9841F.dip0.t-ipconnect.de] has joined ##openvpn
06:17 -!- brizly1 [n=brizly_v@p4FC9846B.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:27 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
06:31 -!- Richard-d [n=chatzill@5356C45E.cable.casema.nl] has joined ##openvpn
06:31 < Richard-d> Question about: Mon Oct 19 15:13:40 2009 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
06:34 < Richard-d> http://pastebin.com/mb2e72dd
06:34 < Richard-d> Someone can help me?
06:35 < Richard-d> !logs
06:35 < vpnHelper> Richard-d: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:36 -!- Richard-d [n=chatzill@5356C45E.cable.casema.nl] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
06:40 -!- hyper_ch [n=hyper@89.217.12.138] has joined ##openvpn
07:27 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
08:00 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
08:04 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
08:05 < Optic> mooo
08:11 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:35 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:40 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
08:44 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out]
09:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
09:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
09:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:18 -!- jeiworth [n=jeiworth@189.163.187.234] has joined ##openvpn
09:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:39 -!- Dukelord [n=brenwill@70.88.214.124] has joined ##openvpn
09:43 -!- stephenh_ [n=unknown@69.30.200.88] has quit [Remote closed the connection]
09:43 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
09:45 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
09:46 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:46 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
09:47 -!- colclough [n=cokes@87.198.213.218] has joined ##openvpn
09:57 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
09:58 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:58 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection reset by peer]
09:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
10:10 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
10:21 -!- kevinh [n=khowerto@4.58.0.2] has joined ##openvpn
10:30 -!- ^scott^ [n=scott@stthom.org] has quit [Read error: 104 (Connection reset by peer)]
10:30 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
10:31 < ^scott^> Hey, I'm trying to install OpenVPN on Vista Ultimate. Windows is refusing to let the install go because of "Compatibility" issues with the TAP drivers. I'm using the latest devel installer from Mathias' site.
10:31 < ^scott^> Has anyone else dealt with this before?
10:35 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
10:35 -!- ogloom [n=chatzill@tbl22.caths.cam.ac.uk] has joined ##openvpn
10:36 -!- kekeke [n=evee@host86-179-19-10.range86-179.btcentralplus.com] has joined ##openvpn
10:36 < kekeke> !howto
10:36 < vpnHelper> kekeke: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:36 < kekeke> !redirect
10:36 < vpnHelper> kekeke: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:37 < kekeke> !def1
10:37 < vpnHelper> kekeke: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:37 < kekeke> !ipforward
10:37 < vpnHelper> kekeke: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
10:37 < kekeke> !winipforward
10:37 < vpnHelper> kekeke: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows
10:38 < kekeke> question, for redirecting all inet traffic through vpn, does the ipforwarding take place on the client's machine?
10:39 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
10:40 < kekeke> !nat
10:40 < vpnHelper> kekeke: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
10:40 < kekeke> !linnat
10:40 < vpnHelper> kekeke: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
10:48 < kekeke> so
10:50 < kekeke> soooooooo
10:50 < kekeke> :/
10:50 < ogloom> never give up. Trust your instincts.
10:51 < kekeke> ;p;
10:51 < kekeke> lol
10:51 < kekeke> so boys boys boys
10:52 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 60 (Operation timed out)]
10:52 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
10:53 < kekeke> question: where is the openvpn config's default dir?
10:56 < ^scott^> c:\program files\openvpn\config
10:56 < ^scott^> I think, actually, now that I think about it, I always do full path in Windows
10:56 < ^scott^> Don't forget to \\
10:56 < ^scott^> Gah, I hate Vista. So I've tried the latest Mathis OpenVPN package, and 2.0-rc15 and they're both getting a compatibility error from Windows and it's halting the install of the TAP
10:57 < kekeke> ^scott^ sorry i meant an openvpn server on linux
10:57 < kekeke> i think i've got it though dw
10:57 < ^scott^> kekeke: Oh! On my CentOS installs it's at /etc/openvpn. Sorry, I've got windows on the brain.
10:58 < kekeke> lol dw
10:58 < kekeke> thanks
10:58 -!- Dukelord [n=brenwill@70.88.214.124] has quit [Read error: 113 (No route to host)]
10:59 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Remote closed the connection]
11:01 < ^scott^> I remember a friend of mine had to install OpenVPN and OpenVPN-gui separately in order to get this to work.
11:01 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:02 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
11:08 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:08 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
11:12 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)]
11:16 < kekeke> i'm trying to set up a server to redirect all traffic. in the howto it says i need to push a dns server address to replace their normal dns server... does this mean i have to set up a dns server?
11:17 < kekeke> or can i use an address such as one of opendns' servers?
11:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:24 -!- WormFood [n=wormfood@121.35.52.9] has quit [Read error: 110 (Connection timed out)]
11:25 -!- WormFood [n=wormfood@121.35.147.237] has joined ##openvpn
11:26 -!- colclough [n=cokes@87.198.213.218] has quit ["Leaving"]
11:44 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:45 -!- PeterFA [n=peter@unaffiliated/peterfa] has quit [Read error: 113 (No route to host)]
11:47 < ^scott^> Does anyone have OpenVPN running on a 32 bit Vista Ultimate here?
11:51 < DevilsPGD> ^scott^: I did... Still do on a couple 2008 boxes
11:52 < ^scott^> Did you use the OpenVPN-GUI, or just OpenVPN?
11:52 < DevilsPGD> No GUI
11:52 < DevilsPGD> I'm a Windows guy, but I still prefer the command line and configuration files
11:52 < DevilsPGD> I balance my masochism with more masochism.
11:54 < ^scott^> Hmmm, maybe I could rig up a batch file or something and avoid using a GUI. Did you have to prepare a custom installer, or were you able to use a prebuilt installer?
12:04 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
12:57 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)]
12:57 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Read error: 110 (Connection timed out)]
12:57 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:57 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:12 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"]
13:41 < kekeke> guys
13:41 < ogloom> here it comes
13:41 < kekeke> sorry for this n00b question but ogloom is too embarrassed to ask it - once you've set up a vpn server, how do you connect to it (from a windows machine)
13:41 < ogloom> some hilarious speech about why I'm retarded
13:41 < kekeke> AHAHAHA
13:42 < ogloom> why didnt you tell me you'd set it up. I thought you'd just installed the files
13:43 < ogloom> Guys, so how do I connect from a windows machine. I have "freecap"
13:43 < kekeke> HAHAHAHAHA
13:43 < kekeke> you don't use freecap to connect to a vpn, bro.
13:43 < ogloom> what do I use?
13:44 < kekeke> you tell me bro
13:44 < ogloom> kekeke, don't think, just because you have a fancy haircut, that you can backtalk to me son.
13:46 < Hypnoz> there is an openvpn windows gui client that works well on the openvpn.net site
13:46 < Hypnoz> http://www.openvpn.net/index.php/open-source/downloads.html
13:46 < vpnHelper> Title: Downloads (at www.openvpn.net)
13:46 < kekeke> thanks hyper_ch
13:47 < kekeke> oop
13:47 < kekeke> s
13:47 < kekeke> Hypnoz
13:47 < ogloom> thanks Hypnoz
13:59 * plaerzen had a girlfriend named keke once.
14:01 -!- dazo is now known as dazo|afk
14:09 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
14:19 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
14:19 < kekeke> lol
14:21 < ogloom> guys, so I've set up all the config stuff. and according to openVPN, i connect to the server..but nothing happens.
14:21 < kekeke> question: for redirecting all inet traffic through vpn, does the ipforwarding take place on the client's machine?
14:21 < ogloom> like how can I connect to the VPN, but not d/c from IRC and stuff
14:22 < kekeke> what he means is, he's connected to the VPN and wants to tunnel his traffic through it
14:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Success]
14:30 < ogloom> anyone?
14:30 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
14:35 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
14:35 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
14:46 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
14:46 -!- BingO [i=BingO_@wlan-s-160.hh.se] has joined ##openvpn
14:46 < BingO> Hii Rooom ...!!
14:46 < BingO> i want to create VPN between two OPENVPN..
14:46 < BingO> BOX*
14:46 < BingO> so can anybody give me nice tutorial/Guide book tutorial for that ?
14:47 < BingO> plus easy wording..
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:49 < BingO> any one ?
14:50 < BingO> no one strange :(
14:50 < krzie> !howto
14:50 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:52 < BingO> krzie: there is not site-to-site vpn configuration in this howto
14:53 < krzie> just 2 machines, no chance of third?
14:53 < krzie> no lan behind 1?
14:53 < krzie> as in lan that you want to communicate over the vpn
14:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:54 < BingO> means..
14:54 < BingO> LAN::::::::: [openVPN]-----------------[openVPN]:::::::::::LAN
14:54 < krzie> !route
14:54 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:54 < BingO> i want to configure these two openVPN
14:55 < krzie> !sample
14:55 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
14:55 < krzie> start with that and modify it based on !route
14:55 < krzie> =]
14:56 < krzie> but !route wont hold your hand and just tell you what to put where, it is designed to help you learn all of the relevant directives so you can setup any type of setup similar to yours
14:58 < BingO> yes little bit understanding
14:58 < BingO> Thanks
15:03 < krzie> yw
15:03 < krzie> i wrote that one =]
15:11 -!- BingO [i=BingO_@wlan-s-160.hh.se] has left ##openvpn []
15:12 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)]
15:18 -!- c64zottel [n=hans@62-12-226-202.pool.cyberlink.ch] has quit [Read error: 104 (Connection reset by peer)]
15:18 -!- c64zottel [n=hans@62.12.226.202] has joined ##openvpn
15:45 -!- kekeke [n=evee@host86-179-19-10.range86-179.btcentralplus.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
15:45 -!- swa_work [n=swa@swatteksystems.com] has quit [Read error: 54 (Connection reset by peer)]
16:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
16:20 -!- LobbyZ [n=default@94.75.193.5] has quit ["Free FTW"]
16:29 -!- kosmic [n=kosmic@unaffiliated/spice] has quit ["leaving"]
16:34 -!- c64zottel [n=hans@62.12.226.202] has quit ["Leaving."]
16:39 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:57 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
17:19 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
17:29 -!- ogloom [n=chatzill@tbl22.caths.cam.ac.uk] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
17:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
17:34 -!- kevinh [n=khowerto@4.58.0.2] has quit []
17:43 < krzie> !sample
17:43 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
17:44 < krzie> !hmac
17:44 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the
17:44 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs
17:50 -!- swa_work [n=swa@swatteksystems.com] has joined ##openvpn
17:51 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit ["Leaving."]
17:51 -!- swa_work [n=swa@swatteksystems.com] has quit [Client Quit]
17:51 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
18:12 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
18:12 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
18:12 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)]
18:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
18:26 < krzie> ecrist, i just had to setup a new vpn, and wanted to say thanx for ssl-admin, its greatness
18:26 < krzie> its so lazy =]
18:36 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
20:56 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
21:04 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:06 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
21:14 -!- master_of_master [i=master_o@p549D4521.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D46ED.dip.t-dialin.net] has joined ##openvpn
21:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
21:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:08 < Lyndon> hi! i would like to hear your opinions about my planned topology and get a heads-up for possible caveats; I've been running bridged openvpn for roadwarriors for a couple of years. now i need to connect couple of our sites (LANs 5-10 machines) to our mainsite, i've planned to put another openvpn as tun-interface to connect those sites on different subnets. I also have to build a VPN for our partner that is tunneled through mainsite to our sideoffice, i have unused
22:10 -!- hyper__ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has joined ##openvpn
22:10 -!- hyper_ch [n=hyper@89.217.12.138] has quit [Nick collision from services.]
22:10 -!- hyper__ch is now known as hyper_ch
22:28 -!- jeiworth [n=jeiworth@189.163.187.234] has quit [Read error: 110 (Connection timed out)]
22:34 < krzee> Lyndon, bridge could work, could also use routed with sharing the lan at layer3
22:34 < krzee> like:
22:35 < krzee> !sample
22:35 < vpnHelper> krzee: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:35 < krzee> !route
22:35 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:43 -!- xp_prg [n=xp_prg3@c-98-234-54-62.hsd1.ca.comcast.net] has joined ##openvpn
--- Day changed Wed Oct 21 2009
00:09 -!- dazo|afk is now known as dazo
00:09 -!- LobbyZ [n=default@94.75.193.5] has joined ##openvpn
00:18 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has quit [Remote closed the connection]
01:13 -!- xp_prg [n=xp_prg3@c-98-234-54-62.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
01:15 -!- hyper_ch [n=hyper@185-127.77-83.cust.bluewin.ch] has joined ##openvpn
01:18 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit ["Leaving."]
01:24 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
01:39 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit ["Leaving."]
02:21 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
02:21 < Rienzilla> Good morning
02:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:29 < |Mike|> omg a Rienzilla
02:30 < Rienzilla> yes
02:33 < Rienzilla> I'm having a weird VPN issue, and I wonder if you guys could help me with it. I have a private subnet (10.7.1.0/24), with a default gateway (10.7.1.1) and a VPN concentrator (10.7.1.6). The gateway and VPN concentrator are also reachable from the internet via a public address. Clients who establish a (tun-based, routed) VPN with the VPN concentrator get an address from the 10.7.2.0/24 range. Routing on the VPN concentrator is enabled, and the gateway
02:34 < Rienzilla> now, pinging a host in the 10.7.1.0/24 range from a VPN host in the 10.7.2.0/24 range works fine, and vice versa
02:35 < Rienzilla> However, TCP connections from 10.7.2.0/24 to hosts in 10.7.1.0/24 do somehow not work. tcpdump on the interface while first pinging, then attempting a tcp connection yields this: http://www.pastebin.ca/1634498
02:35 < Rienzilla> any clue what might be wrong here?
02:37 < Rienzilla> (DNS queries to the DNS server in 10.7.1.0 work as well...)
02:40 < Rienzilla> !configs
02:40 < vpnHelper> Rienzilla: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:42 < Rienzilla> (http://www.pastebin.ca/1634507)
02:48 < Rienzilla> furthermore, it seems that when starting a ping, the first 3 or so packets are dropped, or have a multi-second latency, while after that the responses come in swift (100ms)
03:00 -!- c64zottel [n=hans@62-12-226-202.pool.cyberlink.ch] has joined ##openvpn
03:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:06 < Rienzilla> Ah
03:06 < Rienzilla> I got it
03:07 -!- c64zottel [n=hans@62-12-226-202.pool.cyberlink.ch] has left ##openvpn []
03:07 < Rienzilla> (setup causes an asymmetric route, because traffic from 10.7.2.0/24 to 10.7.1.0/24 does not get routed through 10.7.1.1, while the other way around it will
03:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:38 -!- hyper__ch [n=hyper@185-127.77-83.cust.bluewin.ch] has joined ##openvpn
03:39 -!- hyper_ch [n=hyper@185-127.77-83.cust.bluewin.ch] has quit [Nick collision from services.]
03:39 -!- hyper__ch is now known as hyper_ch
03:39 -!- mirco [n=mirco@p54B25E0C.dip.t-dialin.net] has joined ##openvpn
04:09 -!- hyper_ch [n=hyper@185-127.77-83.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
04:10 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn
04:28 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:08 -!- mirco [n=mirco@p54B25E0C.dip.t-dialin.net] has quit []
05:12 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
05:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:29 -!- hyper_ch [n=hyper@83.77.127.185] has joined ##openvpn
05:49 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
06:01 -!- mirco [n=mirco@217.91.96.41] has joined ##openvpn
06:17 -!- brizly1 [n=brizly_v@p4FC986EB.dip0.t-ipconnect.de] has joined ##openvpn
06:21 -!- Busch [n=Busch@HSI-KBW-078-043-240-220.hsi4.kabel-badenwuerttemberg.de] has joined ##openvpn
06:27 -!- LatinumKJ [i=bc188442@gateway/web/freenode/x-fccfuzuiibnwkgkt] has joined ##openvpn
06:27 < Busch> Hi, show me your config please
06:28 < LatinumKJ> Hi. I have 2 windows clients connected to a linux server. The clients are assigned 10.8.0.6 and 10.8.0.10 and can ping the server but they can't ping each other. I did add client-to-client to /etc/openvpn/openvpn.conf in my server but that didn't help. Any help?
06:29 < Busch> We want to see your /etc/openvpn/openvpn.conf
06:30 < Busch> And we want to know which OS is running on clients
06:31 < LatinumKJ> Busch: The Server is Gentoo Linux x86_64 with this config: http://dpaste.com/110126/ and both clients are running Windows 7
06:31 -!- brizly [n=brizly_v@p4FC9841F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:36 < Busch> Add push "route 10.8.0.0 255.255.255.0" to your server config and "client" in your client config
06:37 < LatinumKJ> I already have "client" in my clients' client.ovpn
06:37 < LatinumKJ> I'll add route then
06:38 < Busch> For testing only, you can also simply run "route ADD 0.0.0.0 MASK 0.0.0.0 METRIC 30" on your clients cmd.
06:40 < Busch> and then try to ping each other
06:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
06:41 < LatinumKJ> Busch I've added "route 10.8.0.0 255.255.255.0" yet they still fail to ping each other. In fact they also fail to ping 10.8.0.0
06:41 < Busch> Hmm, is your server's IP 10.8.0.1 ?
06:42 < LatinumKJ> No: 10.8.0.0 from server "10.8.0.0 255.255.255.0"
06:43 < LatinumKJ> The virtual address that is.
06:45 < LatinumKJ> I can ping the server's real address but not this virtual one
06:47 < Busch> strange
06:47 < Busch> Clients log please
06:48 < LatinumKJ> Here's one client's log : http://pastie.org/663333
06:50 -!- hyper_ch [n=hyper@83.77.127.185] has quit [Read error: 131 (Connection reset by peer)]
06:52 < Busch> Is your default gateway 47.174.254.254 ?
06:52 < LatinumKJ> Busch: Yes, that's the router gateway IP
06:53 < Busch> And where is 10.8.0.5 ?
06:53 < LatinumKJ> 10.8.0.5 ? I don't have any virtual .5
06:53 < LatinumKJ> I only have .6 and .10 (the clients)
06:53 < LatinumKJ> the server is .0
06:53 < LatinumKJ> Could having both clients and the server on a local area network be a problem ?
06:55 < Busch> What's your router (gateway) internal IP ?
06:55 < LatinumKJ> 47.174.254.254 06:56 < LatinumKJ> Wait, internal ? 06:56 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 06:57 < Busch> Yes, your internal IP 06:57 < LatinumKJ> My router says its "WAN Gateway" is 10.0.0.1 06:58 -!- smerz [n=daniel@smerz.demon.nl] has quit [Client Quit] 06:58 < Busch> Then you have no internet access :) 06:58 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 06:58 < LatinumKJ> Busch: Wait, what? Then how come I am talking with you now? :) 06:58 < Busch> Yes, thats strange ;) 06:59 < LatinumKJ> Inside the LAN, my router is recognized as 47.174.254.254 07:02 < LatinumKJ> I think this all feels a little confusing 07:03 < LatinumKJ> Both the clients and the server are inside a local area network created by a router whose address is 47.174.254.254 The first client's openvpn virtual address is 10.8.0.6 and the second one's address is 10.8.0.10. The openvpn server's virtual address is 10.8.0.0 07:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:17 -!- WormFood [n=wormfood@121.35.147.237] has quit ["Leaving"] 07:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:25 < ecrist> good morning 07:26 < Busch> Latinum : German or english only ? 07:26 < LatinumKJ> Busch: English only :( 07:28 < Busch> LatinumKJ : I`ve tested it now. Ive set up a debian server with two windows 7 clients. i have just added client-to-client on my server config and it works. i think you have a problem with your network. Could you draw a complete network map ? 07:29 < LatinumKJ> Busch: How do I do that? Just draw it ? 
07:29 < Busch> Just draw :) 07:30 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 07:30 -!- hatsukai [n=hatsukai@unaffiliated/trismegisto] has joined ##openvpn 07:32 < hatsukai> Hello everybody, I have a problem with ioctl "Destination Address Required" error 07:32 < hatsukai> please help needed 07:33 < hatsukai> This is the error: http://pastebin.org/46666 07:37 < ecrist> o.O 07:38 < ecrist> !configs 07:38 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:39 < hatsukai> vpnHelper: could you please help me too? 07:39 < vpnHelper> hatsukai: Error: "could" is not a valid command. 07:39 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 07:40 < LatinumKJ> Busch: Here : http://kollaps117.ath.cx/files/scheme01.jpg Note that I also want external clients to connect to the server. 07:40 < hatsukai> vpnHelper: please help me 07:40 < vpnHelper> hatsukai: Error: "please" is not a valid command. 07:42 < ecrist> hatsukai: that command was meant for you 07:42 < ecrist> you need to provide me your configs 07:42 < hatsukai> ecrist: I only have the client part :) 07:43 < hatsukai> http://pastebin.org/46665 07:43 < Busch> LatinumKJ : Ok, thats nice. paste your clients config 07:44 < LatinumKJ> Busch: here : http://pastie.org/663387 07:49 < hatsukai> The very same configuration works well with other BSD boxes. But in this DragonFlyBSD it complains about ioctl and ifconfig 07:50 < Busch> LatinumKJ : Try this server config : http://pastie.org/663393 07:51 < hatsukai> what should I change/add to get this works? 07:55 < LatinumKJ> Busch: With push "route-gateway 47.174.254.254" will external clients be able to connect ? 
07:56 < ecrist> hatsukai: you can't have both tap and tun in the same config 07:56 < Busch> LatinumKJ : No, sorry. Use ' push "redirect-gateway" ' instead. 07:57 < LatinumKJ> Busch: instead of route-gateway ? 07:57 < Busch> LatinumKJ : Yes 07:58 < LatinumKJ> Busch: with udp I get Wed Oct 21 15:56:38 2009 TCP: connect to 47.174.254.201:13370 failed, will try again in 5 seconds: Connection refused (WSAECONNREFUSED) from windows clients 07:58 < hatsukai> ok, but it works that way on NetBSD, if I just use dev tun, it does not work :). Anyway what should I change then? 07:58 < hatsukai> ecrist: please help me 07:59 < Busch> LatinumKJ : Ok, than use TCP 07:59 < hatsukai> I'm working ona DragonFlyBSD 2.4.1 and I've installed openvpn and lzo using pkgsrc. 07:59 < hatsukai> on a* 08:01 -!- LatinumKJ [i=bc188442@gateway/web/freenode/x-fccfuzuiibnwkgkt] has quit [Ping timeout: 180 seconds] 08:01 < ecrist> hatsukai: without the server config, there's not a lot more I can tell you. 08:01 < Busch> LatinumKJ : Or just replace tcp in clients config with udp ;) 08:02 < Busch> LatinumKJ : I think your client tries to connect to a udp server with tcp now. you cannot mix them :) 08:02 < hatsukai> :( 08:04 -!- garnser [n=jpeterss@90-230-86-48-no110.tbcn.telia.com] has joined ##openvpn 08:04 -!- LatinumKJ_ [i=bc188442@gateway/web/freenode/x-aacvbpwbcztwbagl] has joined ##openvpn 08:05 < LatinumKJ_> Busch: Sorry I got disconnected. Did I miss your response ? 08:05 < Busch> LatinumKJ_ : Does it work ? 08:05 < LatinumKJ_> Busch: With the new server config, windows creates a new network and connects to it, but I also loose connection to the internet. Anyway, even connected to the newly created network, I can't ping the server or the other client. 08:07 < hatsukai> ecrist: isn't there a way to modify ifconfig behavior using the client configuration file? 
08:08 < ecrist> hatsukai: I don't know what's 'right' without seeing the server config 08:08 < ecrist> if it's not your server, talk to the admin 08:09 -!- garnser [n=jpeterss@90-230-86-48-no110.tbcn.telia.com] has quit [Remote closed the connection] 08:10 -!- LatinumKJ__ [n=kollaps@unaffiliated/kollapse] has joined ##openvpn 08:10 < hatsukai> ok, thanks ecrist 08:10 < hatsukai> good bye 08:10 -!- hatsukai [n=hatsukai@unaffiliated/trismegisto] has left ##openvpn [] 08:11 -!- LatinumKJ_ [i=bc188442@gateway/web/freenode/x-aacvbpwbcztwbagl] has quit [Ping timeout: 180 seconds] 08:13 < Optic> mooo 08:14 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit ["Leaving"] 08:25 < LatinumKJ__> Busch, Do you have any idea why my internet stops working on the client while the openvpn connection is activated ? 08:26 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)] 08:31 -!- Arabus [n=bernd@merle.net.t-labs.tu-berlin.de] has joined ##openvpn 08:31 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 08:33 -!- Arabus [n=bernd@merle.net.t-labs.tu-berlin.de] has left ##openvpn [] 08:33 < LatinumKJ__> Busch, Any more help ? 08:49 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 09:00 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 09:15 < ecrist> LatinumKJ__: I'm guessing you have an IP address conflict which is overriding your local gateway when the VPN is active. 09:15 < ecrist> i haven't looked at any of your configs or logs, however. 
09:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:21 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:24 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:33 -!- mirco [n=mirco@217.91.96.41] has quit [Read error: 145 (Connection timed out)] 09:34 -!- dazo is now known as dazo|afk 09:43 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn 09:43 < mahmoud> Hi folks 09:43 < mahmoud> Someone tell me, Why do we need to define dhparam at all, when using certificates for authentication 09:44 < mahmoud> are DH params used as current shared keys to encrypt data, and regenerated each time session expires, or something similar? 09:44 < ecrist> !dhparam 09:44 < vpnHelper> ecrist: Error: "dhparam" is not a valid command. 09:44 < ecrist> !dh 09:44 < vpnHelper> ecrist: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN 09:44 < ecrist> as such, you're not *required* to use it, but it's a good idea. 09:45 < mahmoud> yeah, but which layer is it? 09:45 < mahmoud> problem is, if DH param is not defined, server can't start. it causes error that it's required. 09:46 < mahmoud> ecrist: r u sure it's not require config wise? 09:46 < mahmoud> theoritically, i 100% agree that it's not required. 09:48 < mahmoud> i'm badly stuck with this :) 09:48 -!- jeiworth [n=jeiworth@189.177.251.250] has joined ##openvpn 09:49 < mahmoud> google couldn't nail it. at least as far as my googlefu is conserned 09:51 < ecrist> it's so easy, why not just build the file 09:51 < mahmoud> ecrist: just to learn why openvpn folks mandated it 09:51 < mahmoud> ecrist: practically, my openvpn is rocking 09:52 < mahmoud> i just want to know why would they require it. 
reasoning behind it 09:52 < ecrist> not sure on that, other than to speculate that it's a good idea 09:53 < ecrist> no developers we're aware of sit in this channel 09:56 < mahmoud> bad 09:56 < mahmoud> where do they sit then 09:56 -!- jetsaredim [n=jgreenwa@pool-72-85-212-64.bstnma.east.verizon.net] has joined ##openvpn 09:56 < mahmoud> where could a geek ever set if not an irc channel? 09:56 < mahmoud> sit* 09:56 < jetsaredim> !howto 09:56 < vpnHelper> jetsaredim: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:57 < mahmoud> jetsaredim: where in that howto 09:57 < jetsaredim> ? 09:57 < jetsaredim> was just getting the info so I could look it up 09:58 < mahmoud> ah , i see, i thought u pointed me out 09:58 < krzee> dh is NOT required 09:58 < krzee> but should be usee 09:58 < ecrist> krzee to the rescue 09:58 < jetsaredim> mahmoud: sry for the confusion 09:59 < krzee> hey buddy 09:59 < krzee> ill brb, gotta take my girl to bellydance class 09:59 < mahmoud> krzee: should be usee? means? 10:00 < ecrist> used 10:01 < mahmoud> ecrist: then why does openvpn stop if dh is not defined in config? 10:01 < mahmoud> i tried commeting out dh and it caused an error 10:02 < ecrist> you haven't shown me the logs 10:02 < mahmoud> 1 sec 10:03 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has quit [Nick collision from services.] 
10:03 < jetsaredim> anyone know how to resolve this: http://pastebin.com/m30a8ad 10:03 -!- Mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn 10:03 < Mahmoud> back, sorry d/c 10:04 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:04 < ecrist> jetsaredim: localhost should only resolve to 127.0.0.1 10:05 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn 10:05 < jetsaredim> ecrist: yes I agree, and yet "host localhost" seems to report such 10:05 < ecrist> if the vpn is working, I'd ignore the log entry 10:06 < jetsaredim> its not 10:06 < jetsaredim> trying to setup vpn over ssh tunnel 10:07 < jetsaredim> i've had it working on other systems before - but this is a new install and for some reason it's not working 10:07 < Mahmoud> alright, here is all what i have in my logs: 10:07 < Mahmoud> Options error: You must define DH file (--dh) 10:07 < Mahmoud> Use --help for more information. 10:07 < Mahmoud> that's it. 10:07 < Mahmoud> commented out dh 10:08 < jetsaredim> have to run - will be back to ask further questions 10:08 -!- jetsaredim is now known as _jetsaredim 10:09 < ecrist> Mahmoud: a quick google gives me the following: http://osdir.com/ml/network.openvpn.user/2004-09/msg00085.html 10:09 < vpnHelper> Title: Re: Options error: specify only one of --tls-serve: msg#00085 network.openvpn.user (at osdir.com) 10:10 < Mahmoud> ecrist: ? 10:10 < _jetsaredim> ecrist: to clarify my question - i don't think my issue is an openvpn problem - but a general system issue that is manifesting via openvpn 10:11 < Mahmoud> ecrist: the url isn't clear. seems they tak about something else 10:11 < Mahmoud> ecrist: at which stage does openvpn use DH param file 10:14 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn 10:14 < epaphus> Hello, i have a LAN connected to a box that has a VPN with default-gateway... 
thus redirecting the internet through the VPN 10:15 < epaphus> there is a specific IP I dont want it to redirect through the VPN what is the best way to prevent this? 10:17 < Mahmoud> it seems the internal workflow of openvpn is not so nicely documented 10:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:19 < Mahmoud> sigh 10:20 < Mahmoud> hmmm 10:20 < Mahmoud> why isn't DH param file NOT secret? 10:20 < Mahmoud> it's the prime number! 10:20 < Mahmoud> only two things shouldn't be secret: 1) base 2) public number 10:20 < Mahmoud> prime supposed to be secret :/ 10:23 < Mahmoud> ?? 10:23 -!- mirco [n=mirco@80.187.215.187] has joined ##openvpn 10:30 < Mahmoud> i was confused 10:30 < Mahmoud> prime and group aren't secret 10:31 < Mahmoud> prime, group/base, public key === all public 10:31 < Mahmoud> only secret is power to group/base, the power is secret 10:31 < Mahmoud> makes perfect sense why openvpn doesn't regenerate prime each time 10:31 < Mahmoud> it's public and sent on wire anyway 10:31 < Mahmoud> anyway 10:32 < Mahmoud> question remains: when does openvpn REALLY need dh 10:40 < krzee> who said they arent secret 10:41 < krzee> they only go on the server 10:41 < krzee> they just arent MANDATORY 10:41 < Mahmoud> krzee: they get exchanged, part of DH algorithm 10:41 < krzee> ok 10:41 < Mahmoud> g^secret mod prime = foo 10:41 < krzee> either way, using proper perms wouldnt be a bad thing 10:42 < Mahmoud> foo, g, prime, foo == exchanged 10:42 < Mahmoud> "secret" is secret 10:42 < krzee> "secret" is only for ptp 10:42 < Mahmoud> krzee: no one said it would 10:42 < Mahmoud> dude.. 
10:42 < krzee> otherwise its "key" is secret 10:42 < Mahmoud> it seems u don't know much about DH 10:42 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has joined ##openvpn 10:43 < krzee> i dont care much bout it 10:43 < krzee> but i know quite a bit about proper ovpn setups, so if you want help get to your point 10:43 < Mahmoud> then don't spread misleading cancer-like infor 10:43 < krzee> cause im not gunna stick around talking dh internals 10:43 < Mahmoud> DH has no externals either 10:44 < Mahmoud> it's all dynamic, on fly 10:44 < krzee> whatev, good luck to you 10:44 < krzee> bbl 10:44 < Mahmoud> thanks for wasting my time.. 10:44 < krzee> you seem to be wasting it fine on your own, i see a 20 or so line monolouge of you talking and nobody caring 10:45 < krzee> epaphus, you had a question? 10:45 < epaphus> krzee, yeah.. do you want me to rephrase it? 10:46 < krzee> ya im curious if you mean ip like target outside the lan or machine on the lan you want to access inet without vpn 10:48 < krzee> Mahmoud, and ovpn doesnt NEED dh, ive ran and seen many vpns run without dh 10:48 < krzee> as i said like 30min ago 10:52 < Mahmoud> krzee: so can i comment dh out? 10:52 < krzee> i havnt seen your config nor your logs 10:52 < krzee> !configs 10:52 < krzee> !logs 10:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:52 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
10:53 < Mahmoud> krzee: i just pasted my logs 10:53 < Mahmoud> krzee: commenting dh out, results into asking that it msut be defined 10:53 < Mahmoud> anyway, i'll pastebin both 10:54 < krzee> _jetsaredim, see the manual for socks, ssh tunnels can be used via socks stuffs 10:55 < krzee> epaphus, ? 10:56 < krzee> _jetsaredim, and you can specify 127.0.0.1 instead of using 'localhost' 10:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 10:59 < Mahmoud> krzee: http://pastebin.com/m6392c95e 10:59 < Mahmoud> openvpn --config server.conf 11:03 < krzee> still waiting for log, but can offer some unrelated advice... 11:04 < krzee> oh thats ALL that shows up in the log with verb6? 11:05 < krzee> nah, thats not the logfile 11:05 < krzee> thats the status file 11:06 < Mahmoud> eh, verb 4 it was 11:06 < Mahmoud> lemme verb 6 it 11:06 < krzee> and it was your status file, not logfile 11:08 < Mahmoud> krzee: that's where log-truncate file is defined 11:08 < Mahmoud> krzee: shouldn't that be the log file 11:08 < krzee> also, is there a reason you dont want dh? 11:08 < krzee> no, thats a status file 11:09 < krzee> logfile might be messages or somethin 11:09 < krzee> unless you change it with --log 11:09 < Mahmoud> krzee: i have log-status.log and openvpn.log 11:09 < Mahmoud> sorry 11:09 < Mahmoud> openvpn-status.log 11:09 < Mahmoud> openvpn.log 11:09 < krzee> bleh you do 11:09 < krzee> my mistake 11:09 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 11:10 < krzee> did verb6 show more? 11:10 < Mahmoud> krzee: yeah, same exact output 11:10 < Mahmoud> nothing more 11:10 < krzee> and is there a reason other than educational you wish to not use dh? 11:11 < krzee> it ONLY gets used when establishing the tunnel and rekeying, so doesnt slow down your tunnel or anything 11:11 < Mahmoud> krzee: totally no 11:12 < Mahmoud> krzee: so is DH being used in my setup? 
11:13 < Mahmoud> client authenticates server thru server's x.509 cert, and server authens client by its key 11:13 < Mahmoud> how does the client send its key? 11:13 < Mahmoud> encrypted to server's public key via RSA? or DH? 11:13 < Mahmoud> client's key = username and password 11:14 -!- epaphus [n=unix3@78.46.79.204] has joined ##openvpn 11:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:20 < _jetsaredim> any ideas as to what would cause this: http://pastebin.com/m4b91b66b 11:21 -!- _jetsaredim is now known as jetsaredim 11:22 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 11:27 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 11:27 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 11:30 -!- epaphus [n=unix3@78.46.79.204] has quit [Connection timed out] 11:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 11:41 -!- Mahmoud_ [n=mahmoud@92.99.239.67] has joined ##openvpn 11:42 -!- mirco [n=mirco@80.187.215.187] has quit [Read error: 131 (Connection reset by peer)] 11:43 -!- mirco [n=mirco@80.187.215.187] has joined ##openvpn 11:44 -!- Mahmoud [n=mahmoud@unaffiliated/mahmoud] has quit [Read error: 145 (Connection timed out)] 11:45 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:50 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:52 -!- LatinumKJ__ [n=kollaps@unaffiliated/kollapse] has quit [Read error: 131 (Connection reset by peer)] 12:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 12:03 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)] 12:05 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: gilos 12:06 -!- Netsplit over, joins: gilos 12:23 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 12:42 -!- LumberCartel 
[n=LumberCa@24.86.160.252] has joined ##openvpn 12:46 -!- steve247 [i=6030e08d@gateway/web/freenode/x-dxcodyyimroqcijx] has joined ##openvpn 12:46 < LumberCartel> Hello folks. 12:46 < ecrist> hello 12:47 < LumberCartel> I have a question from one of my users about inserting a DNS server from OpenVPN's DHCP options. Is this an option? I did a quick search in Google but didn't find it. Thanks. 12:47 < LumberCartel> We don't want to replace existing DNS servers, just add one when the VPN is connected. 12:50 < ecrist> yes, but you need to use an up script to add to the search list 12:50 < LumberCartel> The client is Windows, running current beta of OpenVPN client 2. 12:51 < LumberCartel> 2.1_rc19 or 20. 12:52 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has joined ##openvpn 12:53 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has quit [Client Quit] 12:54 < LumberCartel> Okay, I found something: push "dhcp-option DNS 10.66.0.5" 12:54 < LumberCartel> Does this add to existing servers, or replace all of them? 12:54 < ecrist> iirc, it replaces them. 12:54 < ecrist> try it and see. ;) 12:55 < LumberCartel> But that's just for the OpenVPN interface, no? 12:57 < ecrist> no, DNS servers aren't per-interface, generally. 12:57 < LumberCartel> So the user's existing DNS servers on other interface are going to get clobbered when they connect to the VPN? 13:01 < LumberCartel> Okay, DNS servers are per-interface on Windows clients. 13:02 -!- LatinumKJ__ [n=kollaps@79.116.213.20] has joined ##openvpn 13:04 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has joined ##openvpn 13:04 < TorchDragon> !howto 13:04 < vpnHelper> TorchDragon: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:04 < TorchDragon> Alright, been there, done that... 13:08 < TorchDragon> I updated an old Ubuntu box that was running OpenVPN without an issue but was configured before the whole RSA key debacle. 
I got the package installed on the newest Ubuntu distro and went back through the howto for rebuilding the PKI from scratch. 13:08 < TorchDragon> I can execute the OpenVPN server without any errors using the new cert structure. 13:09 < TorchDragon> However, the client bombs on the new certs with a "private key password verification failed" 13:09 < LumberCartel> TorchDragon: Are you using older OpenVPN clients? 13:09 < TorchDragon> I was using 2.0.9 and just upgraded to 2.1_r20 and get the same issue. 13:11 < LumberCartel> What does the "log" file tell you on the client side? 13:11 < LumberCartel> It often provides very helpful information that leads to solving the problem. 13:11 < LumberCartel> For example: Wrong certificate file ___.key. 13:12 < TorchDragon> Cannot load private key file maduin.key: error:0906D06C 13:12 < LumberCartel> Okay, so now you have progress. All you need to do is figure out why that file isn't loading. 13:13 -!- mirco [n=mirco@80.187.215.187] has quit [Read error: 110 (Connection timed out)] 13:15 < TorchDragon> Right, well, seeing as that's the only error I get. 13:17 < TorchDragon> That error number seems to come up as a "failed to verify" error in some sub process of the cert mechanisms. 13:17 < LumberCartel> It's a fatal error, so any other problems won't be reported until this one is resolved. 13:19 < TorchDragon> When entering the common name, does the common name need to be the same across the server and the clients? 13:20 < TorchDragon> There's a common name for the CA cert, the server cert, and the client cert. The how-to doesn't show whether or not those should all be the same. 13:21 < TorchDragon> It uses OpenVPN-CA but then uses "server" and doesn't list whether the client key should be "client1" or "server" for the common name. 13:21 < TorchDragon> That's the only part of this that I could muck up. :-) 13:21 < LumberCartel> No. 
I normally take the default for the Common Name when creating the certificate so that it is unique (and matches the filename of the certificate). 13:21 < TorchDragon> Ok then, that's what I have done as well. 13:21 < TorchDragon> So I'm at a loss here. 13:22 < TorchDragon> I could go and regenerate the cert and key files again but I wouldn't be doing anything different than I've done twice before. 13:23 < LumberCartel> Before you do that, you should really compare all the files on your client side with what the server has for the same files. 13:24 < LumberCartel> I suspect you'll find differences. The server files should be considered your authoritative source. 13:24 < TorchDragon> They're not. 13:24 < TorchDragon> I've copied them over directly, twice. 13:24 < LumberCartel> steve247: You can join multiple channels. For instance, to join NetBSD type this command: /join netbsd 13:24 < LumberCartel> steve247: To leave a channel, type: /part 13:24 < TorchDragon> ca.crt, client.crt, client.key They've come over without an issue, the file sizes are exactly the same. 13:25 < LumberCartel> Often different contents within those files will occupy the same number of bytes. You really need to compare the contents (or at least use an "md5" tool to compare). 13:26 < LumberCartel> If you post your log file to pastebin.ca or something I'll gladly take a quick look. 13:27 < TorchDragon> http://pastebin.ca/1635490 13:28 < LumberCartel> It looks like your .pem file is what might be missing. 13:28 < LumberCartel> Or is not correct somehow. 13:28 < TorchDragon> The how-to doesn't describe any .pem file for the client. 13:28 < LumberCartel> Is there a line in your configuration file that starts with "dh " ? 13:28 < TorchDragon> the only thing that is referenced is dh{n}.pem which is for the server only. 13:29 < LumberCartel> No. 13:29 < LumberCartel> If you have it on the server, you need to have it on the client too. 
13:29 < TorchDragon> Then the how-to is telling people to configure their environments incorrectly. 13:29 < LumberCartel> Yup. 13:29 < TorchDragon> That's a problem. 13:29 < LumberCartel> Well, give it a try and see if it resolves the problem for you. 13:30 < LumberCartel> The whole web site sucks. 13:30 < LumberCartel> The old design was much better. 13:30 < LumberCartel> I've seen so many people come in here asking about what happened to the download for OpenVPn. 13:30 < LumberCartel> s/OpenVPn/OpenVPN/ 13:30 < LumberCartel> ...and I'm not here very often, so I suspect it happens a lot more frequently. 13:31 < LumberCartel> Anyway, if you have a "dh" directive on the server, you need to have one on the client as well. 13:31 < LumberCartel> ...and the same corresponding .PEM file. 13:32 < TorchDragon> That didn't change anything. 13:32 < TorchDragon> Same error. 13:33 < TorchDragon> Copied the file over, changed the config to add a reference to the dh1024.pem file, same exact error. 13:34 < LumberCartel> You've compared the other files as well? 13:35 < TorchDragon> As far as I can go. If my OS is screwing up file copy operations on the bit level, I'd be a lot more hosed than I am now. 13:36 < LumberCartel> Okay. Are you using UDP or TCP? 13:37 < TorchDragon> TCP 13:37 < LumberCartel> Good. 13:37 < LumberCartel> UDP does have some problems. The TLS stuff helps, but it's still not as good as TCP. 13:38 < LumberCartel> [The biggest problem being that many administrators think that UDP is a security risk so they block everything UDP.] 13:38 < LumberCartel> Would you mind posting your client and server configuration files for OpenVPN? Replace your hostnames with example.com and IPs with something private before-hand if you like (I recommend it). 13:38 < LumberCartel> I'm interested in client.ovpn and server.conf. 13:39 < TorchDragon> I'm in the middle of rebuilding them from scratch. 
13:39 < TorchDragon> It occurs to me that the config files are probably not compatibile from the old version of openvpn that was running. 13:39 < TorchDragon> Even though they were running on a version 2.0+ 13:39 < LumberCartel> I think 2.0 and 2.1 should be okay to interchange. 13:40 < TorchDragon> Well, something apparently isn't correct. 13:41 < teddymills> get a lot of W's in my /var/log/openvpn.log on the server side...Does this just mean WRITES? 13:41 < LumberCartel> I have OpenVPN running at many customer sites, and it's easy to mess things up. 13:41 < LumberCartel> teddymills: Would you like to post to pastebin.ca or something similar? 13:41 < teddymills> not unless you like lots of W's :) 13:42 < LumberCartel> Is that all that's in the file? 13:42 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 13:43 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 13:43 < LumberCartel> Which OS are you using (server v. client)? 13:44 < LumberCartel> ^^ TorchDragon 13:44 < teddymills> WWWWWWWWWWWWWWWR <--lots and lots of that 13:44 < TorchDragon> Lumber: Ubuntu 9.10 Server, Vista 32-bit client 13:44 < LumberCartel> teddymills: Stop OpenVPN, rename log file, start OpenVPN. See if it continues. 13:45 < LumberCartel> TorchDragon: You're doing things similarily to me -- I use NetBSD servers and have an assortment of mostly XP and Vista clients. 13:48 < teddymills> Lumber...can read now. understanding all W's is difficult :) 13:48 < LumberCartel> That fixed it? Great! 13:48 < teddymills> THX dude! 13:48 < LumberCartel> If so, I suspect one of two possibilities... 13:49 < LumberCartel> 0. Hard drive corruption 13:49 < LumberCartel> 1. Some bug in OpenVPN that's causing bad output 13:49 < LumberCartel> You're welcome. 
13:49 -!- steve247 [i=6030e08d@gateway/web/freenode/x-dxcodyyimroqcijx] has left ##openvpn [] 13:50 < teddymills> stop/start the daemon if probably what did fixed it...It is on a PowerPC G3 Blue+White.If I moved it to a P4 3Ghz, would my openvpn be any faster? 13:50 < LumberCartel> It could be. It depends on what you're using it for. 13:50 < LumberCartel> Also, if your internet links are very slow, then it probably won't matter anyway. 13:52 < teddymills> I scp -r'd the entire /etc/openvpn to a separate box. Sicne if the drive died, I would lose that all important ca.key (I ran ./clean-all last week on another openvpn server and it killed it) I had to restart all over...This time on our office openvpn server, I scp -r'd the entire /etc/openvpn to anotehr box..Now I should be able to build anotehr openvpn and use these keys? 13:52 < LumberCartel> TorchDragon: I'm sorry, I have to leave, but hopefully someone else will be able to carry on where I'm leaving off. 13:52 < LumberCartel> teddymills: You don't have backups? 13:52 < TorchDragon> Thanks for the help, I'm still rebuilding the configs. 13:52 < LumberCartel> You're welcome. 13:53 < teddymills> I did not have backups on the one i did the clean-all on...and clean-all cleaned me out...i rebuild it with pkcs12 certs and now it is cleaner and better 13:53 < LumberCartel> Oh, and if you're going to rebuild your DH key, consider 2048-bit instead because it doesn't take very much longer to generate. 13:54 < LumberCartel> teddymills: I recommend you remove all the "x" bits from your clean-all script. 13:54 < LumberCartel> teddymills: I always do that on my servers. 13:54 < LumberCartel> ...in addition to keep a backup. 13:55 < teddymills> I got burned once..Now I keep religious copies of every cert and every key on a separate box 13:55 < LumberCartel> Is this box in a separate physical location too (e.g., across at least one bridge that passes over a major river at least)? 
13:56 < TorchDragon> And nope, I'm back in the same exact spot I was before. 13:56 < teddymills> i keep one set of keys on the box itself and another backup a different box 13:57 < teddymills> sorry, the current working keys, and 1 backup of the keys on the server box, and a backup of that on another box 13:57 < teddymills> you get the idea 13:58 < LumberCartel> TorchDragon: Would you like to post your client and server OpenVPN config files? Remember to hide your public IP with "x.x.x.x" and change your IDN (Internet Domain Name) to example.com first. 13:58 < TorchDragon> :-) No need to change, I tunnel through a local SSH session anyway. 13:59 < TorchDragon> http://pastebin.ca/1635545 14:00 < teddymills> My current openvpn server is a powerpc..if i install a debian 5.02 intel 32-bit, I should be able to use the same keys and stop using the powerpc ? 14:00 < LumberCartel> Yes, the key files and certificates should all work just fine. 14:01 < TorchDragon> How are you going to run intel binaries on a powerpc? 14:01 < teddymills> Wicked <--ala Garth in WW 14:01 < LumberCartel> If you're moving from OpenVPN 1.x to 2.x, however, you may need to update your configuration files somewhat, but hopefully not. 14:02 < LumberCartel> TorchDragon: Okay, so your client file doesn't have a "dh" directive. Is this the same for your server configuration file? 14:02 < teddymills> OpenVPN 2.1_rc11 powerpc-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008 14:03 < teddymills> I know that the current OpenVPn uses PKCS12 certs... 14:03 < LumberCartel> teddymills: You have two different pieces of hardware. For you, it's a luxury to test that OpenVPN works properly on the new system too. 14:04 < TorchDragon> LumberCartel: I added the dh line to the config again even though it made no difference when I added it before. 14:04 < LumberCartel> It has to match the server. 
14:04 < TorchDragon> I added it now without providing a dh1024.pem file, there is no error from the dh directive.
14:04 < LumberCartel> Could you post your server configuration file?
14:04 < LumberCartel> Change the IP to x.x.x.x and the domain to example.com.
14:04 < LumberCartel> ...before posting.
14:04 < teddymills> With PKCS12, it is very easy..it is only 2 files the clients need. So I can build a new OpenVPN server and just replace the PowerPC..and email the 2 files to each OpenVPN user....that is just as easy if not easier than migrating
14:05 < TorchDragon> Also, every configuration provided from the website specifically does not reference having dh in the client.
14:05 < TorchDragon> NONE of the client files have DH
14:05 < TorchDragon> ALL of the servers have dh
14:05 < LumberCartel> Okay.
14:06 < teddymills> Lumber, was my last text sound in its logic ?
14:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
14:06 < LumberCartel> teddymills: Yes, assuming your end users will know what to do with the files you send to them.
14:07 < TorchDragon> I have now added the dh directive and added the dh1024.pem file to the client and there is no change in the error message.
14:07 < teddymills> 2 files in C:\Program Files\OpenVPN\config ..yes I think they can do that..but I would not want to lay bets...
14:07 < krzee> Mahmoud_, my power went out so i couldn't finish
14:08 < Mahmoud_> krzee: finish what
14:08 < teddymills> Thanks Lumber, signing off...I am here every day btw....hope i can help others...i do in other channels, but I am an openvpn newbie
14:08 < krzee> talking with you, did you get everything figured out
14:08 < krzee> >?
14:08 < LumberCartel> teddymills: If I were you though, I would first get it working "as is" on the new server (if possible) before adding new files. Add the new files later once it's working stable for a while.
14:09 < Mahmoud_> krzee: not really, just some guesses
14:09 < Mahmoud_> krzee: i guess, certs used to auth, uname/pword are sent to server's public key, DH used to encrypt
14:09 < LumberCartel> TorchDragon: Well, if I can take a look at your server configuration file, I might be more helpful. My time is running, just so you know.
14:10 < TorchDragon> Would there be an issue with generating the PKI off of version 2.1~rc11-ubuntu3?
14:10 < LumberCartel> I'm not sure.
14:10 < TorchDragon> ie, would certs generated by that version not function with 2.1_rc20 from the website?
14:10 < LumberCartel> I don't know. Does Ubuntu do something different with OpenVPN?
14:11 < TorchDragon> I don't know. I just installed from the package manager.
14:11 < krzee> i see in manual for --dh it says its required in --tls-server which is part of --server, so i guess the setups i saw dh left out of must not have used --server or --tls-server
14:13 -!- _micah [n=msutton@orochi.unl.edu] has joined ##openvpn
14:14 < _micah> Is it possible to use OpenVPN with NetExtender?
14:15 < LumberCartel> _micah: What is NetExtender?
14:16 < _micah> Some other VPN software.
14:16 < LumberCartel> _micah: Do you mean to tunnel NetExtender in an OpenVPN tunnel, or try to use a NetExtender client with an OpenVPN server?
14:17 < _micah> Use OpenVPN client with a NetExtender server.
14:17 < LumberCartel> Then I don't know. You'll have to try it and see for yourself. Of course, if NetExtender uses OpenVPN technology (or claims to support it) then you should be fine.
14:17 < krzee> !notcompat
14:17 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
14:17 < krzee> #2
14:18 < _micah> K
14:18 < _micah> That answers my question. Thanks!
14:18 < krzee> but i agree with what LumberCartel said
14:18 < krzee> if they purposely implemented openvpn, sure
14:18 < krzee> if not, no
14:19 < _micah> It's not as far as I know. It's some commercial thing.
14:20 -!- _micah [n=msutton@orochi.unl.edu] has left ##openvpn []
14:35 -!- LatinumKJ__ [n=kollaps@79.116.213.20] has quit [Remote closed the connection]
14:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
14:49 < biberao> brb
14:49 -!- biberao [i=mapd@unaffiliated/biberao] has left ##openvpn []
14:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:02 < TorchDragon> Is anyone left here that could attempt to answer a question?
15:11 < LumberCartel> Just ask the question instead of asking to ask. =)
15:12 < TorchDragon> It's the same question I had before to you.
15:13 < TorchDragon> I started to try and manually build rc20 on my machine but that's descended into an absolute nightmare.
15:13 < LumberCartel> You might ask folks on the Ubuntu channels if any of them using OpenVPN have run into these sorts of problems. If Ubuntu is doing something different with OpenVPN, then someone there may also have an answer.
15:17 < Optic> moo
15:19 -!- c64zotte1 [n=hans@62.12.212.169] has joined ##openvpn
15:20 * LumberCartel uses his Commodore 64 to "moo" back
15:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
15:29 -!- LumberCartel [n=LumberCa@24.86.160.252] has quit ["Sign the anti-spam petition: [ http://www.lumbercartel.ca/law/canada/s-220/ ]"]
15:47 -!- tfrew [n=tfrew@75.145.244.105] has joined ##openvpn
15:50 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has left ##openvpn []
15:50 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
15:55 < ^scott^> Hi All! I'm trying to get OpenVPN working on Vista Ultimate and the TAP installation is getting blocked by Windows. Others don't seem to have this problem.
15:55 < ^scott^> Here's a screenshot of the problem: http://imgur.com/rhvkE.jpg How do others get around this?
15:57 < tfrew> turn off uac during the install
15:57 -!- tfrew [n=tfrew@75.145.244.105] has quit ["Leaving"]
15:58 < ^scott^> Sweet, lemme give that a shot.
16:05 < ^scott^> UAC is already off :(
16:10 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 145 (Connection timed out)]
16:10 < ^scott^> I'm going to try toggling it on and off, rebooting in between each toggle.
16:18 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
16:18 < ^scott^> Drat!
16:20 < ^scott^> Still having that error, even after toggling UAC
16:29 < ^scott^> Is there an OpenVPN mailing list where I can ask about this?
16:41 < ^scott^> lol called techsupport for my ISP "news group? Do you mean script access"
16:41 < ^scott^> hah!
16:42 -!- kreg [n=bytesabe@208.98.188.95] has quit [Remote closed the connection]
16:43 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:57 -!- Mahmoud_ [n=mahmoud@92.99.239.67] has quit ["leaving"]
17:08 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
17:32 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has joined ##OpenVPN
17:34 < Berk> what is the proper way to stop an openvpn process?
17:34 < Berk> linux
17:35 -!- n0ah [i=n0ah@edge.chi.arknet.n0ah.org] has joined ##openvpn
17:36 < reiffert> Berk: use the init script, kill, read the appropriate signal, see manpage.
17:37 < Berk> I've been using> kill -15 #openvpn pid#
17:38 < n0ah> hey guys i've got a tunnel from chicago dc to raleigh @ home, traffic can be transferred between those two at full rate over the tunnel, but when i add a route for a /29 as the home in raleigh and route everything from/to the home in raleigh over the tunnel to the dc's network, it works but i only get a fraction of the speed on data transfers
17:38 * n0ah didn't know this channel existed
17:39 < n0ah> i don't think it's an openvpn issue just thought maybe the tunneling pros would have an idea
17:39 < n0ah> basically the idea is to have a sun server at home with a public /29 that it can route from/through/to and it works
17:40 < n0ah> http://n0ah.org/tmp/tunnelsetup.txt little more technical details
17:40 < reiffert> openvpn version?
17:42 < n0ah> sorry, OpenVPN 2.1_rc20
17:42 < n0ah> \\
17:43 < reiffert> !mtu
17:43 < vpnHelper> reiffert: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
17:43 < n0ah> i can start it with that?
17:47 < Berk> ok did the rtfm thing and yes... kill -15 openvpnpid is the graceful way... however I want to script a check and timeout and if the process is still running send it a kill -9 openvpnpid... what is the best way to check for a hung openvpn process?
17:51 < reiffert> a USR2
17:52 < n0ah> Wed Oct 21 18:43:37 2009 TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use
17:52 < n0ah> that's --mtu-test --dev tun0
17:53 < n0ah> but it says it's 1500 :-/
17:53 < n0ah> tun0: flags=8051 mtu 1500
17:54 < reiffert> Address already in use
17:54 < reiffert> means there is another process still running.
17:54 < reiffert> !factoids search mtu
17:54 < vpnHelper> reiffert: 'mtu-test' and 'mtu'
17:54 < reiffert> !mtu-test
17:54 < vpnHelper> reiffert: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is
17:55 < reiffert> please check the manpage for details
17:56 < n0ah> i can download through the tunnel just fine from the dc, no problems with bandwidth there, it's just when the dc wants to route stuff through me over the tunnel that things get slow
17:56 < n0ah> i think it's probably a netbsd thing
17:56 < n0ah> thanks guys
17:57 -!- n0ah [i=n0ah@edge.chi.arknet.n0ah.org] has left ##openvpn []
18:00 < Berk> ok so I get a "...openvpn[134]: event_wait : Interrupted system call (code=4)" in the log... how exactly will that translate to a hung process in a script?
18:01 < Berk> when i issue: kill -SIGUSR2 openvpnpid
18:02 < Berk> any way to simulate a hung instance of openvpn?
18:04 < reiffert> kill -STOP
18:05 < reiffert> SIGUSR2
18:05 < reiffert> Causes OpenVPN to display its current statistics (to the syslog file if --daemon is used, or stdout otherwise).
18:11 < Berk> ok thanks... the general idea is to issue a kill -SIGTERM openvpnpid, then issue a post to the logfile, check the logfile and issue a kill -SIGKILL if I don't find an openvpn entry after my logfile insertion.
18:11 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:12 < ksnp> i want to concatenate two strings for condition checking in the conf file -
18:12 < ksnp> {abcd}$some_variable including the { and }, i tried ${\{abcd\}$some_variable} but didn't work. any tips ?
18:12 < ksnp> oops sorry
18:12 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
18:13 < Berk> ok gotta run... thanks for the input... working on the scripts for my palm pre... :)
18:33 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
18:36 < ^scott^> Hi All! I'm trying to get OpenVPN working on Vista Ultimate and the TAP installation is getting blocked by Windows. Others don't seem to have this problem.
18:36 < ^scott^> Here's a screenshot of the problem: http://imgur.com/rhvkE.jpg How do others get around this?
18:42 -!- Guest67347 [n=peter@c-67-183-73-27.hsd1.wa.comcast.net] has joined ##openvpn
18:42 < Guest67347> !list
18:42 < vpnHelper> Guest67347: Admin, Channel, Config, Factoids, Google, Misc, Owner, Seen, Services, User, Weather, and Web
18:43 < Guest67347> What's the link to the mailing list?
18:47 -!- wtGoldFingaZ [n=wt@69.196.187.75] has joined ##openvpn
18:51 < ^scott^> I'm using gmane.network.openvpn.users
18:51 < ^scott^> Yea, that's a newsgroup.
18:51 < ^scott^> Let's see
18:51 < ^scott^> http://dir.gmane.org/gmane.network.openvpn.user
18:51 < vpnHelper> Title: Gmane -- Mail To News And Back Again (at dir.gmane.org)
18:52 < ^scott^> I couldn't find a traditional mailing list.
18:53 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"]
18:58 -!- jeiworth [n=jeiworth@189.177.251.250] has quit [Read error: 110 (Connection timed out)]
19:04 -!- wtGoldFingaZ [n=wt@69.196.187.75] has quit ["Ex-Chat"]
19:10 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
19:24 -!- c64zotte1 [n=hans@62.12.212.169] has left ##openvpn []
19:29 -!- romel [i=romel@plox.tor.hu] has quit [Remote closed the connection]
19:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
19:53 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:59 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:08 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:14 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
20:24 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
20:39 -!- jetsaredim [n=jgreenwa@pool-72-85-212-64.bstnma.east.verizon.net] has left ##openvpn []
20:49 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:14 -!- master_of_master [i=master_o@p549D46ED.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:15 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
21:16 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
21:18 -!- master_of_master [i=master_o@p549D3FA1.dip.t-dialin.net] has joined ##openvpn
21:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
21:55 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:12 -!- tjz [n=tjz@121.7.60.51] has joined ##openvpn
22:48 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
23:02 -!- mrpockets [n=chinlee@unaffiliated/mrpockets] has joined ##openvpn
23:02 < mrpockets> Hello.
23:02 < mrpockets> My OpenVPN setup works flawlessly with XP Pro SP3. In Win7, I've installed it as admin under Vista mode
23:02 < mrpockets> and have attempted to run it as admin under both XPSP3 mode as well as vista mode,
23:03 < mrpockets> both ways, it periodically disconnects and reconnects. Ideas?
23:24 -!- mrpockets [n=chinlee@unaffiliated/mrpockets] has quit [Read error: 104 (Connection reset by peer)]
23:26 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has quit [Remote closed the connection]
23:35 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has joined ##openvpn
--- Day changed Thu Oct 22 2009
00:06 -!- jfkw [n=jtk@24.216.241.93] has quit [Read error: 145 (Connection timed out)]
00:12 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit ["Leaving."]
00:20 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
00:25 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
00:46 -!- BasicOSX [n=BasicOSX@c-75-73-131-27.hsd1.mn.comcast.net] has joined ##openvpn
00:47 < BasicOSX> Is this a proper channel to ask questions about openvpn-gui ?
01:09 -!- xp_prg [n=xp_prg3@66.92.0.185] has joined ##openvpn
01:15 -!- hyper_ch [n=hyper@127-74.76-83.cust.bluewin.ch] has joined ##openvpn
02:11 -!- bandini [n=bandini@host129-109-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn
02:14 < |Mike|> openvpn-gui, does that exist?
02:16 < BasicOSX> http://openvpn.se/development.html
02:16 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
02:17 < |Mike|> shoot :)
02:18 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
02:27 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
02:35 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit ["Leaving"]
02:49 -!- xp_prg [n=xp_prg3@66.92.0.185] has quit [Client Quit]
02:51 -!- xp_prg [n=xp_prg3@140a.hackerdojo.com] has joined ##openvpn
02:53 -!- edoceo [n=edoceo@c-98-247-254-241.hsd1.wa.comcast.net] has quit [Read error: 60 (Operation timed out)]
02:54 < reiffert> BasicOSX: openvpn comes with openvpn-gui now. You don't need to download an ancient version from openvpn.se anymore.
02:55 < |Mike|> it does?
02:55 < reiffert> No it does not, I like to trick you
03:01 -!- xp_prg [n=xp_prg3@140a.hackerdojo.com] has quit ["This computer has gone to sleep"]
03:08 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:12 < hyper_ch> hi reiffert
03:15 -!- dazo|afk is now known as dazo
03:18 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:45 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Remote closed the connection]
03:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:31 -!- onats [n=onats@112.201.145.81] has joined ##openvpn
04:31 < onats> hello
04:47 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:48 -!- onats [n=onats@112.201.145.81] has quit ["Leaving"]
05:01 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
05:20 -!- xod [n=onats@112.201.145.81] has joined ##openvpn
05:20 -!- xod is now known as onats
05:23 -!- bandini [n=bandini@host129-109-dynamic.25-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
05:23 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
05:31 -!- onats [n=onats@unaffiliated/onats] has quit [Remote closed the connection]
05:49 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:09 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:18 -!- brizly [n=brizly_v@p4FC98490.dip0.t-ipconnect.de] has joined ##openvpn
06:29 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
06:33 -!- brizly1 [n=brizly_v@p4FC986EB.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:34 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit [Read error: 110 (Connection timed out)]
06:36 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has joined ##openvpn
06:44 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
06:49 -!- c64zottel [n=hans@62.12.212.169] has joined ##openvpn
06:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
06:53 < ecrist> good morning
07:08 -!- gionnico [n=gionnico@79.35.154.223] has joined ##openvpn
07:08 < gionnico> Hello!
07:09 < gionnico> !route
07:09 < vpnHelper> gionnico: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:09 < gionnico> !howto
07:09 < vpnHelper> gionnico: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:11 < gionnico> I need a 443 SSL tunnel to bypass a proxy. Who can help me?
07:12 < Busch> !topology
07:12 < vpnHelper> Busch: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
07:12 < gionnico> I have a computer inside a 10.0.0.0/8 LAN (between the proxy) AND a home router with DDNS and IPSEC,PPTP,L2TP support.
07:14 -!- reiffert is now known as REIFFERT
07:15 < Busch> gionnico : What do you want to do ?
07:15 < gionnico> is IPSec ONLY for 2-side LISTENING services?
07:15 < gionnico> Busch: I want to connect the laptop behind the proxy to my home LAN (+internet access)
07:16 < gionnico> laptop behind proxy can't listen, but only go out for 443/SSL requests
07:18 < Busch> OpenVPN-GUI supports proxies
07:19 < Busch> (dial through a proxy)
07:19 < gionnico> Busch: ok. i can use openvpn as a client for the laptop
07:19 < gionnico> but i'd like to use my home router ipsec/pptp/l2tp support as "openvpn server"
07:19 < gionnico> so that i don't need a running machine inside my home lan
07:20 < gionnico> (the router is the running machine i need......)
07:20 < gionnico> how are proxies supported, btw? with plain ssl encryption?
07:22 < gionnico> Busch: ?
07:23 < Busch> I don't know, I've never used it. In the GUI you can enter HTTP and SOCKS. What type of router do you have ?
07:27 -!- DevilsPGD [i=xyzzy@S0106001cc0bf9ac7.ok.shawcable.net] has quit [Nick collision from services.]
07:27 -!- DevilsPGD1 [i=xyzzy@96.50.175.41] has joined ##openvpn
07:27 -!- DevilsPGD1 is now known as DevilsPGD
07:27 < gionnico> Busch: it's a billion
07:27 < gionnico> home router
07:30 -!- Busch [n=Busch@HSI-KBW-078-043-240-220.hsi4.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
07:33 -!- gionnico [n=gionnico@79.35.154.223] has quit ["Sto andando via"]
07:34 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
08:05 < Optic> mooo
08:06 -!- robotti^ is now known as ROBOTTI^
08:23 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:25 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:27 -!- Irssi: ##openvpn: Total of 78 nicks [0 ops, 0 halfops, 0 voices, 78 normal]
08:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Remote closed the connection]
08:39 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
08:48 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
08:51 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has joined ##OpenVPN
08:54 -!- Berkk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has joined ##OpenVPN
08:56 < Ziber> I have a vpn between three servers (we'll call them A, B and C). I can ping and traceroute fine from A->B and A->C, but not B->C
08:57 -!- ROBOTTI^ is now known as robotti^
08:57 < ecrist> how do they connect to each other?
08:57 < ecrist> one server and two clients?
08:58 < Ziber> Correct
08:58 < Ziber> o.o
08:58 < Ziber> I just discovered that I can't ping A->B now
08:59 < Ziber> Nvm, got that working.
09:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:10 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
09:12 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn
09:12 < mahmoud> Hey
09:13 < mahmoud> So any clear cuts what is DH used for in OpenVPN exactly. What stage.
09:17 -!- ruotsalainen [n=unknown@69.172.135.243] has joined ##openvpn
09:20 < ecrist> mahmoud: you asked that yesterday
09:20 < mahmoud> ecrist: but didn't get clear line
09:21 < ecrist> dh parameters are used to negotiate a secure channel
09:21 < mahmoud> ecrist: once secure channel is negotiated, then?
09:22 < mahmoud> immediately jumps to authenticate? either by certs, or uname/pword?
09:22 < ecrist> here: http://lmgtfy.com/?q=what+are+diffie-hellman+parameters&l=1
09:22 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
09:23 < mahmoud> ecrist: trust me, i know DH very well, down to algorithm level
09:23 < mahmoud> ecrist: but i want to know how openvpn uses it
09:23 < ecrist> read the source if you need more information
09:23 < mahmoud> DH->securechannel->exchange auth?? what exactly next
09:23 < mahmoud> sadly, i'm not a programmer
09:25 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:28 < mahmoud> ecrist: mind hint me which C file is about DH
09:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
09:29 < ecrist> honestly, I don't know, I'm not a developer
09:30 < mahmoud> that's hard
09:30 < ecrist> what?
09:31 < mahmoud> it's hard for me to read the whole thing and see how it's internally done :/
09:31 < mahmoud> not just me, but any programmer would most likely find it hard
09:31 < ecrist> you could send a message to the developers mailing list
09:31 < mahmoud> that's great idea
09:31 < ecrist> I don't know why you're so worried about it
09:31 < ecrist> since you're not a developer, it's not like it really matters that much.
09:32 < ecrist> if you were trying to write a plugin or something else, I could understand, but you're not.
09:32 < mahmoud> i'm trying to understand its flow. security matters for me.
09:34 < ruotsalainen> why don't you download the code then?
09:34 < mahmoud> ruotsalainen: i just did. but i need to reverse engineer it a while until i see how it's organized
09:34 < mahmoud> ruotsalainen: if you point me to a file, i would read it
09:35 < ruotsalainen> you're weird, or a troll. download the entire code, browse it.
09:35 < ecrist> mahmoud: there isn't that much source to openvpn
09:35 < ecrist> I'm sure there are comments
09:37 -!- jeiworth [n=jeiworth@189.234.97.2] has joined ##openvpn
09:39 * mahmoud starts with openvpn.c
09:39 < mahmoud> i guess openvpn.c gets into openvpn binary
09:52 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has joined ##openvpn
09:54 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:55 < ZummiG777> Question: What is the method to have OpenVPN clients DHCP from a network's own DHCP source rather than from OpenVPN?
09:57 < ecrist> If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that gateway information should not ...
09:57 < ecrist> ... be pushed to the client.
09:58 < ZummiG777> Thank you!
09:59 < ecrist> sure, fwiw, that was taken, verbatim, from the man page
09:59 < ecrist> !ma
09:59 < ecrist> !man
09:59 < vpnHelper> ecrist: Error: "ma" is not a valid command.
09:59 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:59 < ZummiG777> OK - I'll check there next time.
10:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:47 -!- jeiworth [n=jeiworth@189.234.97.2] has quit [Read error: 110 (Connection timed out)]
10:51 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:17 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:26 < Lyndon> !firewall
11:26 < vpnHelper> Lyndon: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
11:27 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:27 < Lyndon> !logw
11:27 < vpnHelper> Lyndon: Error: "logw" is not a valid command.
11:27 < Lyndon> !logs
11:27 < vpnHelper> Lyndon: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:28 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
11:34 -!- hyper_ch [n=hyper@127-74.76-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:39 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
11:40 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
11:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:49 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
11:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:51 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:56 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
12:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:06 -!- hr [n=asher@88.191.77.247] has left ##openvpn []
12:11 -!- mahmoud_ [n=mahmoud@92.99.239.67] has joined ##openvpn
12:11 < mahmoud_> ;
12:12 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has joined ##openvpn
12:12 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
12:18 -!- Berkk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)]
12:18 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
12:23 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has quit [Read error: 110 (Connection timed out)]
12:24 -!- dazo is now known as dazo|afk
12:24 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has joined ##OpenVPN
12:30 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
12:34 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has quit [Read error: 110 (Connection timed out)]
12:36 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has joined ##openvpn
12:38 -!- gionnico [n=gionnico@host223-154-dynamic.35-79-r.retail.telecomitalia.it] has joined ##openvpn
12:38 < gionnico> hello
12:38 < gionnico> Can I run L2TP over TCP 443 only?
12:38 < gionnico> or L2TP needs UDP?
12:38 < gionnico> and what about PPTP? Does it also need UDP ?
12:40 < gionnico> !route
12:40 < vpnHelper> gionnico: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:42 < gionnico> some help?
12:42 < gionnico> help me setting up a vpn from laptop behind a proxy (client) and a home router (server)
12:43 < gionnico> !forum
12:43 < vpnHelper> gionnico: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
12:44 < Hypnoz> gionnico if you get either to work let me know, cause I want to be able to vpn from my iphone
12:45 < Hypnoz> I played with pptpd for so long it killed me
12:45 < krzee> !notovpn
12:45 < Hypnoz> couldn't get it to work no matter what I did
12:45 < vpnHelper> krzee: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
12:45 < gionnico> Hypnoz: does openvpn support iphone??
12:45 < Hypnoz> no
12:45 < krzee> no, there is no tuntap support for iphone yet
12:45 < Hypnoz> because they can't compile the tun/tap into the kernel
12:45 < Hypnoz> s/can't/won't/
12:47 < Hypnoz> I installed pptpd on ubuntu and tweaked it for a few hrs and never got any love
12:48 < Hypnoz> didn't really bother too much with l2tp and ipsec since i've heard l2tp is insecure and ipsec is a cisco vpn protocol
12:50 < gionnico> Hypnoz: nope L2TP is secure
12:50 < gionnico> PPTP is insecure ^^
12:52 < mahmoud_> I sent an email to openvpn-users mailing list
12:53 < Hypnoz> /golfclap
12:53 < mahmoud_> lol
12:54 < mahmoud_> i mean, shall thee, subscribers, check your emails
12:55 < gionnico> what's the difference between openvpn and l2tp ?
12:56 -!- mahmoud_ [n=mahmoud@92.99.239.67] has left ##openvpn []
12:56 -!- mahmoud [n=mahmoud@unaffiliated/mahmoud] has joined ##openvpn
12:56 < mahmoud> openvpn and l2tp are two different protocols
12:56 < mahmoud> but doing a similar thing
12:56 < gionnico> isn't openvpn on top of l2tp?
12:57 < mahmoud> no
12:57 < gionnico> but it's on top of ipsec
12:57 < mahmoud> no my dear, you are totally lost
12:57 < gionnico> that's why i'm here
12:57 < mahmoud> openvpn is on top of nothing. it is on top of its own
12:57 < mahmoud> ipsec is great, however, it often requires kernel hacks/recompiles
12:58 < mahmoud> so, it's a headache. although its performance should be faster, which doesn't matter since OpenVPN is really scalable (servers can be added)
12:58 -!- mahmoud is now known as Mahmoud
12:58 < Mahmoud> Here openvpn comes, no need for kernel recompiles
12:59 < Mahmoud> also, it's end-to-end, server and client developed by same dudes
12:59 < Mahmoud> so less likely to have incompatibilities, such as what happens with IPSec
13:00 < gionnico> Mahmoud: can I connect a client (say behind a NAT, it's a proxy really) to a server with DDNS with openvpn? and with l2tp? (with ipsec i think I can't)
13:00 < Mahmoud> you can do with all
13:01 < Mahmoud> IPSec has Nat-Traversal, which adds a UDP/TCP header, to let NAT function
13:01 < gionnico> Mahmoud: but it needs 2 servers
13:01 < Mahmoud> but anyway, I suggest you go with OpenVPN, very easy, and absolutely NAT friendly out of the box
13:01 < gionnico> Mahmoud: ipsec/pptp/l2tp are supported by my home router
13:01 < Mahmoud> why would you need 2 servers?
13:02 < gionnico> Mahmoud: my router ipsec configuration page needs a "remote Secure Gateway Address(or Hostname)"
13:02 < Mahmoud> well, yeah, openvpn is not built into your home router, is it? So you need a server behind it. Just ask your router to NAT UDP 1194 to your server and it's done.
13:02 < Mahmoud> gionnico: i don't know how your router's IPSec implementation is.
13:03 < gionnico> Mahmoud: ok. so I have a home server inside my home lan 13:03 < gionnico> i can install openvpn 13:03 < gionnico> but university's proxy still block all traffic incoming 13:03 < Mahmoud> with IPSec you can have dynamic IPSec (used by clients). but it seems your rotuer dosn't support dynamic 13:03 < gionnico> except TCP 80 and TCP 443 13:04 < gionnico> Mahmoud: yes. my router supports DDNS 13:04 < Mahmoud> gionnico: that's Dynamic DNS, i mean Dynamic IPSec 13:04 < Mahmoud> anyway, ignore IPSec. It's dirty :) 13:05 < Mahmoud> you can run OpenVPN on any TCP or UDP port you wish 13:05 < ecrist> gionnico: this is an OpenVPN support channel, we don't support other VPNs here. 13:05 < gionnico> ecrist: i can't find an ipsec/pptp/l2tp channel 13:05 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has quit ["Leaving"] 13:05 < Mahmoud> gionnico: try #cisco 13:05 < ecrist> understood, but this remains an OpenVPN channel 13:05 < gionnico> Mahmoud: so as i said i have the home server 13:06 < Mahmoud> gionnico: as i said u can run openvpn on it, peacfully 13:06 < gionnico> and need a client (between a restrictive proxy) to connect to it 13:06 < gionnico> the client is in university's private LAN behind the proxy (allowing 80 and 443 tcp only incoming) 13:06 < gionnico> possible with openvpn? 13:07 < Mahmoud> ah, sure possible 13:07 < Mahmoud> openvpn allows you to use an HTTP proxy ;) 13:07 < gionnico> Mahmoud: openvpn server or client? 13:07 < gionnico> (don't say both) 13:08 < Mahmoud> sure client. having server over proxy doesn't make much sense 13:08 < Mahmoud> it's your client that's stuck, isn't it? 13:08 < gionnico> yes 13:08 < Mahmoud> server is out of university right? 13:08 < gionnico> yep 13:08 < gionnico> ah so the client also have a "tunnel" function builtin? 13:08 < Mahmoud> great. so you can vpn to your home, over uni's proxy, and download all your pron, they won't see anything 13:09 < gionnico> like incapsulating with stunnel.. 
without needing stunnel? 13:09 < Mahmoud> all vpns have tunnels dude. how could it be virtual if no tunnel is used 13:09 < gionnico> Mahmoud: if I connect to the home server vpn.. will I also have access to my home lan? 13:09 < gionnico> will I have a tun0 device with my home lan class of ip? 13:10 < Mahmoud> yeah, it will be there. but openvpn will do it for ya 13:10 < gionnico> Mahmoud: so I need to "bind" firefox or thunderbird or xchat to that home-lan ip? 13:11 -!- BasicOSX [n=BasicOSX@c-75-73-131-27.hsd1.mn.comcast.net] has quit [] 13:11 < Mahmoud> how can u bind, u mean setting them to use a proxy in your home, which would naturally cross vpn? 13:11 < Mahmoud> well, u could, but you can do it even easier 13:11 < gionnico> please tell me 13:11 < Mahmoud> just let your server push a default gateway to your client each time u connect 13:12 < Mahmoud> it can also push you another dns server, just in case you wanted to resolve your own homey domains 13:12 < Mahmoud> anyway. do your self a favor, and delete the docs 13:12 < Mahmoud> i'm sick of spoon feeding you 13:12 < Mahmoud> delete == read i mean 13:12 < gionnico> so when thunderbird sends a packet to that gateway's IP , openvpn client TRAPS the package, and sends it into the tunnel? 13:13 < Hypnoz> gionnico, I'm not sure if it works but i'm going through this tutorial right now to test it 13:13 < Hypnoz> http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients.html 13:13 < vpnHelper> Title: Setting Up an IPSec L2TP VPN server on Ubuntu for Windows clients (at rootmanager.com) 13:13 < Mahmoud> gionnico: close 13:13 < gionnico> there are so many docs! 
now that i know i need to look for openvpn only (and not also ipsec/l2tp) i'll have less to search 13:13 < Mahmoud> gionnico: go to example section 13:14 < Mahmoud> gionnico: basically, ur client would have a tun0 interface with its next-hop as your system's routing default gateway 13:15 < Mahmoud> so, anything gets thru the tun0, whic is then transparently from any app gets openvpned, and then sent over your physical interface encrypted 13:15 < gionnico> and i need tun/tap kernel support i guess 13:15 < Mahmoud> seems so 13:15 < Mahmoud> should be by default with most linux/bsd 13:16 < gionnico> Mahmoud: you talked about UDP for DDNS... proxy blocks UDP.. it'd be useless to set the router to nat it 13:16 < Mahmoud> i didn't 13:17 < Mahmoud> i don't care about ddns 13:17 < Mahmoud> all i said, open vpn could run over UDP or TCP any port at your choice 13:17 < Mahmoud> bbl 13:17 < gionnico> ok thanks 13:23 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 13:43 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Remote closed the connection] 13:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:53 < gionnico> where should openvpn listen? 13:53 < gionnico> an invented private network? 13:53 < gionnico> can I use my real home LAN ip class? Will devices be able to browse all the lan computers if I do so? 14:08 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 14:12 -!- gionnico [n=gionnico@host223-154-dynamic.35-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 14:17 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has joined ##openvpn 14:20 -!- gionnico [n=gionnico@host223-154-dynamic.35-79-r.retail.telecomitalia.it] has joined ##openvpn 14:20 < gionnico> anyone? 14:20 < gionnico> how do i configure the client? do i need to start the daemon also for the client? 
14:20 -!- KaiForce [n=chatzill@70.228.104.238] has joined ##openvpn 14:31 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Remote closed the connection] 14:39 < ecrist> !howto 14:39 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:39 < ecrist> !man 14:39 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:39 < ecrist> start with those 14:44 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn 14:44 -!- BasicOSX [n=BasicOSX@frostmage.igi.com] has joined ##openvpn 14:50 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)] 14:50 < gionnico> ecrist: i've read something 14:53 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:54 < gionnico> but i can't ping the server 14:55 < gionnico> and the server can't ping the client 14:55 < gionnico> :/ 14:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:01 < ecrist> !configs 15:01 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:07 < gionnico> ecrist: thanks.. seems I managed to connect the client and server 15:08 < gionnico> even if the ip address is "random" 15:12 < gionnico> ecrist: is ethernet bridge / tap what i'm looking for 15:13 < gionnico> if I need a vpn client, connected to a vpn server, to exit in internet using the server's public connection? 
15:13 < gionnico> sorry for my bad english 15:13 -!- BasicOSX [n=BasicOSX@frostmage.igi.com] has left ##openvpn [] 15:23 -!- gionnico [n=gionnico@host223-154-dynamic.35-79-r.retail.telecomitalia.it] has quit ["Sto andando via"] 15:32 -!- ruotsalainen [n=unknown@69.172.135.243] has quit ["leaving"] 15:34 -!- c64zottel [n=hans@62.12.212.169] has quit [Read error: 110 (Connection timed out)] 15:36 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has joined ##openvpn 16:02 -!- zamba [i=marius@flage.org] has joined ##openvpn 16:05 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has quit [Read error: 60 (Operation timed out)] 16:07 -!- KaiForce [n=chatzill@70.228.104.238] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"] 16:13 < zamba> i have a bit of a complex routing issue.. i have a central vpn server and then four clients connecting to it, each with their own subnet.. i'm using push and ipush to give the information about these networks to the different peers, so that all can route between each other.. 16:13 < zamba> using the client-to-client option, as far as i know..? 16:13 < zamba> now i want to reach a network that's not directly attached to one of the clients.. but i only want to reach that from the vpn server.. 16:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer] 16:14 < zamba> i've tried route add -net netmask 255.255.255.0 gw dev tun0, but none of them works 16:14 < zamba> how should i solve this? 16:34 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 16:36 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 16:38 < ecrist> !iroute 16:38 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. 
This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 16:44 -!- Mahmoud [n=mahmoud@unaffiliated/mahmoud] has left ##openvpn [] 16:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:48 < krzie> i dont understand 16:48 < krzie> trying to reach a network that is NOT directly attached to the client 16:48 < krzie> so how is it attached to the client? 16:49 < krzie> the client's default gateway has 2 lans attached to it and you want the server to be able to access both?> 16:50 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has left ##openvpn [] 16:54 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [] 16:54 < ecrist> krzie: any experience with ESXi? 16:55 < krzie> nope 16:55 < krzie> but if you get osx working on it i DEF wanna know 16:55 < krzie> =] 16:56 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn 16:56 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Remote closed the connection] 16:56 < ecrist> I bet it could happen with hackintosh 16:57 < krzie> ya if the right kexts exist 16:57 < ecrist> I've got ESXi running on cartman right now, installing FreeBSD 16:57 < ecrist> going to do some performance testing 16:57 < krzie> kickass 16:57 < krzie> lemme know how you like 16:57 < ecrist> one thing I already don't like is the vmware utility is windows-only 16:58 < ecrist> that's only needed for creating and moving images around 16:58 < ecrist> once they're running, it's pretty easy to manage from web interface of kernel 16:58 < krzie> oh right i remember now thats why i didnt do any playing with esxi 16:58 < ecrist> kernel is only about 35MB on the iron 16:59 * ecrist goes away 16:59 < krzie> howd the phone setup go? 
17:04 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 17:12 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection] 17:20 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 17:31 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 17:57 -!- MrPockets [n=chinlee@unaffiliated/mrpockets] has joined ##openvpn 17:57 < MrPockets> word! 18:02 < krzie> werd 18:03 < ecrist> krzie: what phone setup? 18:04 < krzie> you had mentioned that you were going to ask me some stuff re: freeswitch/asterisk 18:04 < krzie> i never heard from you so i figured you busted it out 18:04 < MrPockets> I'm havnig issues with OpenVPN in win7. Works flawlessly on winXP. I've installed in compatability mode as admin, adn run as admin as the forums say, but the conenction still randomly gets reset 18:05 < krzie> !win7 18:05 < vpnHelper> krzie: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7 18:05 < krzie> hrm, thats prolly not valid anymore 18:05 < ecrist> no, haven't gotten that far yet 18:05 < ecrist> building a fax server 18:05 < krzie> ild bet that the new ones are fixed for win7 already 18:05 < krzie> ahh right on 18:06 < krzie> i thought you buildt that already 18:06 < ecrist> no, have a prototype right now 18:06 < krzie> coolness 18:06 < ecrist> the production system will involve a T1 and IAXmodem 18:06 < ecrist> right now we have a single USR fax modem and a single POTS 18:07 < krzie> ahh 18:07 < MrPockets> Thanks krzie. Should i run this setup in compatability mode of any kind? 18:07 < ecrist> we're anticipating 40000 incoming calls per week. 18:07 < ecrist> MrPockets: you shouldn't need to, no 18:08 < krzie> MrPockets, thats old, are you using the latest rc20 from openvpn.net? 
18:08 < MrPockets> it was 19e i think 18:08 < MrPockets> or maybe just rc19 18:08 < krzie> see how rc20 works for you 18:08 < krzie> !download 18:08 < vpnHelper> krzie: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 18:09 < MrPockets> will do. Thanks man 18:09 < krzie> np 18:11 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 148 (No route to host)] 18:20 < MrPockets> herm 18:21 < MrPockets> error while writing OpenVPN-gui.exe 18:22 < krzie> http://openvpn.net/release/openvpn-2.1_rc20-install.exe 18:23 < MrPockets> Thats what I just installed 18:23 < MrPockets> clicked ignore, it installed anyway, same issue with the connection resets. 18:24 < MrPockets> it seems to say connected until I open Outlook and try to sync it with echange. 18:32 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 18:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 18:33 < MrPockets> http://pastebin.com/m7b34759f if anyone can make heads or tails of that, PM'd be cool. gunna go grab some food. 18:35 < krzie> need server log 18:36 < MrPockets> Thats trickier. I'm running it on an integrated setup with EndianFW 18:36 < MrPockets> Lemme boot the XP machine to see if i can't crawl back there and grab it 18:38 < krzie> ohh 18:38 < krzie> also make sure windows firewall is turned off on that client 18:38 < krzie> and make sure you have a keepalive for the first mentioned problem 18:40 < MrPockets> trying 18:40 < MrPockets> Windows FW does have a fabulous way of breaking shit, doesn't it? 18:40 < krzie> sure does 18:41 < MrPockets> no dice 18:41 < krzie> same for any other firewalls 18:41 < MrPockets> yeah, its def when i make a bandwith intense connection to the remote network. 
I can ping all day and its fine, but when i sync outlook to exchange, or TDP it drops 18:41 < krzie> like norton or mcafee for example 18:41 < MrPockets> s/TDP/RDP 18:41 < MrPockets> oh god, yeah 18:41 < krzie> also, are you using tcp? 18:41 < krzie> if so, switch to udp 18:41 < krzie> !tcp 18:41 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 18:43 < MrPockets> yeah.firewall turned itself back off. Making sure it's off and this works now 18:43 < MrPockets> and yeah I'm using TCP. 18:43 * MrPockets reads up 18:53 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 18:59 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 19:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 19:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 19:20 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 19:22 -!- MrPockets [n=chinlee@unaffiliated/mrpockets] has quit ["Leaving"] 19:26 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has joined ##openvpn 19:30 -!- Busch [n=Busch@lvps92-51-131-139.dedicated.hosteurope.de] has joined ##openvpn 19:31 -!- Busch [n=Busch@lvps92-51-131-139.dedicated.hosteurope.de] has quit [Client Quit] 19:34 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has joined ##openvpn 20:04 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has left ##openvpn [] 20:08 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has joined ##openvpn 20:36 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 20:37 < krzie> moinmoin bush 20:37 < Bushmills> hi krzie 20:37 < Douglas> oh shit 20:37 < Douglas> is krzie 20:37 < Douglas> what up 20:39 < krzie> whats up man 20:40 < krzie> hey bush did you ever pick up those bottles 
of absinthe? 20:40 < Douglas> nada 20:40 < Douglas> tryin to make bank 20:40 < Douglas> same as everyday 20:40 < krzie> Douglas ya i hear ya man 20:41 < krzie> im waiting on a client to get a VPS so i can deliver the app he commissioned me to buy and get some $ (and send you $55) 20:41 < Douglas> word 20:41 < krzie> commissioned me to build rather 20:44 < Bushmills> krzie: i was still waiting for you to take a pick from the list of qualities 20:44 < krzie> ahh good! 20:44 < krzie> so you havnt spent anything yet, right? 20:44 < krzie> (the usa just changed their laws on absinthe, its easy to get now) 20:45 < krzie> had you already bought some, my boy would still take them obviously 20:45 < Bushmills> that's right, as i don't know on which ones 20:45 < Bushmills> unless i drank them myself :) 20:46 < krzie> perfect man, lets forget about that then, it will be cheaper and easier (easier because it doesnt require you or anyone else to do anything) to just get them from USA now 20:46 < krzie> and cheaper because no shipping across the world =] 20:46 -!- tjz [n=tjz@bb121-7-60-51.singnet.com.sg] has joined ##openvpn 20:46 < Bushmills> yes, that's a factor for sure 20:47 < Bushmills> hopefully you can use the list of brands, if the same are available in the states 20:47 < krzie> i never got a list of brands 20:47 < krzie> whered you send it 20:47 < Bushmills> PM, irc 20:48 < Bushmills> the weekend after elections here. need the date? 20:50 < krzie> ahh damn i musta missed it, i miss most on this client due to always forgetting to set myself away 20:50 < krzie> and on my other client i miss some because of power failures 20:50 < krzie> and i never log anywhere 20:50 < Bushmills> oh. 20:50 < Bushmills> i was in town then, over the weekend. had my netbook + mobile data link along. 
20:51 < krzie> ahh right on 20:51 < krzie> even tho we arent getting them from you i really appreciate it 20:51 < Bushmills> no pain, it wasn't specifically for the booze that i went there 20:52 < jean001> hi ! 20:52 < jean001> is it possible to have just a little help for a routing question ? 20:52 < Bushmills> but I was delighted to find out that the open stuff (barreled) appear to be a rather good quality. 20:52 < tjz> have you seen the girl who got disable after getting the flu vaccine ? 20:52 < krzie> !ask 20:52 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help 20:53 < krzie> absinthe by the barrel!? 20:53 < krzie> that sounds amazing 20:53 < Bushmills> is 'is "is asking a metaquestion?" a metaquestion?' a metaquestion? 20:54 < Bushmills> yes, you go there and have your bottle filled. or bucket, hip flask, or whatever vessel you prefer 20:55 < krzie> mah belly! 20:55 < Bushmills> i ordered 12 flasks, btw :) 20:55 -!- Guest5029666 [n=esunarto@68.12.232.196] has joined ##openvpn 20:55 < Bushmills> different sizes. from 1 to 8 ounces 20:56 < Guest5029666> good evening 20:56 < Bushmills> hi 20:56 < krzie> jean001 didnt you have a question? 20:56 < Guest5029666> i need help with openvpn for palm pre if anybody in the knows have a few mins 20:56 < jean001> ok, so from the client, i can ping and access the lan behind the server, but i can't do the same from the server 20:57 -!- Guest5029666 is now known as eric_okc 20:57 < krzie> Guest5029666 cant help with anything palm specific, but openvpn side should be the same ild expect... 20:57 < jean001> i use ccd with iroute and add a route line in the server conf 20:58 < krzie> jean, so server cant ping client at all? 20:58 < krzie> even by openvpn ip? 20:58 < Bushmills> jean001: does the client have any reason why it should route packets to the clients? 
20:58 < jean001> in fact server can ping client only on its vpn IP 20:58 < eric_okc> krzie, i'm following instruction from webos-internals regarding openvpn, but it has a palmpre.zip that i don't know where to get from 20:58 < Bushmills> (i mean, what did you set up on client for it to do so) 20:59 < krzie> jean001, did you follow my doc? 20:59 < krzie> !route 20:59 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:59 < jean001> yes 20:59 < jean001> ty krzie 20:59 < jean001> i read very carefully your doc 20:59 < jean001> and i follow the main lines 20:59 < krzie> check the firewall on the client? 20:59 < jean001> no firewall 21:00 < jean001> for the test 21:00 < jean001> i had my config on pastebin 21:00 < krzie> i missed it 21:00 < jean001> can I give the link 21:00 < krzie> but its almost time i have to leave 21:00 < krzie> yes 21:00 < krzie> ill look if i have time before i gotta go 21:00 < krzie> and others here know tons too 21:00 < Douglas> krzie hows da apt 21:00 < jean001> ok, ty 21:00 < jean001> http://pastebin.com/m7e53ce00 21:01 < jean001> this is my "architecture" 21:01 < jean001> my server conf : http://pastebin.com/d27d8b8f3 21:01 < jean001> and the client conf : http://pastebin.com/m9b8a84b 21:01 < jean001> thank you very much 21:02 < krzie> damn time to leave 21:02 < krzie> if you dont get it solved tho ill be back later and see those links 21:03 < jean001> ok, ty krzie 21:14 -!- master_of_master [i=master_o@p549D3FA1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:18 -!- master_of_master [i=master_o@p549D4303.dip.t-dialin.net] has joined ##openvpn 21:25 -!- eric_okc [n=esunarto@68.12.232.196] has quit ["excessive liquor"] 21:46 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 22:00 < krzee> jean001, ya didnt include ccd entries, also pls include routes outside 
ovpn 22:02 < krzee> actually can leave the routes out 22:05 < jean001> sorry, didn't see you were back 22:05 < jean001> in ccd\\jean (jean is the CN of my client) I wrote this line : iroute 192.168.1.0 255.255.255.0 22:06 < krzee> so 192.168.1.x is the lan that client is on? 22:07 < jean001> but it seems I have a problem with the client-config-dir ccd directive beause when I use ccd-exclusive, the connection doesn't work 22:07 < jean001> yes, absolutely 22:07 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has joined ##openvpn 22:08 < jean001> 192.168.1.0 is the Lan that client is on 22:08 < krzee> try quoting the ccd directive 22:09 < krzee> "C:\\whatever" 22:10 < jean001> when I quote cleint-config dir and ccd-exclusive, the openvpn works, but still no connexions to the client lan from the server 22:10 < jean001> (and sorry for my poor english) 22:12 < krzee> ok so problem 1 fixed 22:12 < krzee> can you ping the lan ip of the client now? 22:12 < jean001> no, still not 22:12 < jean001> can only ping the client vpn ip 22:13 < jean001> I also have activated Ip forwarding on all the machines 22:13 < krzee> client is windows or unix? 22:14 < jean001> all the machines are on windows 22:14 < krzee> go doublecheck the client does NOT have windows firewall enabled for the tap adapter 22:15 < jean001> no, the windows firewall is disabled 22:15 < jean001> no firewall at all on the client 22:16 < krzee> so you just doublechecked that it is not enabled on that adapter? 
22:16 < krzee> windows has a nasty habit of re-enabling the firewall 22:17 < krzee> after you do that, get a packet sniffer running and sniff the tap interface 22:17 < krzee> filter for icmp 22:17 < krzee> ie of windows packet sniffer: wireshark 22:17 < jean001> no, the win firewall is disabled 22:17 < jean001> i doubled check 22:17 < krzee> also sniff the machine that is on the same lan as the client where you are pinging 22:18 < krzee> find where the packets do and do not make it 22:19 < jean001> ok, thank you for your help 22:19 < jean001> I will download wireshark and try yo sniff icmp packets 22:20 < krzee> cool 22:21 < jean001> And do you have a clue what could be the problem with ccd-exclusive ? 22:23 < jean001> with ccd-exclusive, the client can't connect, but the connection works fine if quoted 22:23 < krzee> as in the dir is in quotes, right? 22:24 < krzee> if you see the howto ( !howto ) and go to the top of the top sample config file, you'll see that windows dirs must be in quotes 22:24 < jean001> ok 22:25 < jean001> so I just have to put quotes 22:25 < jean001> so I have to write : client-config-dir "C:\\Program Files\\OpenVPN\\config\\ccd" 22:26 < krzee> isnt that what you did a minute ago and said it worked? 
22:27 < jean001> actually I quoted client config dir 22:27 < jean001> so it worked 22:27 < krzee> [23:07] try quoting the ccd directive 22:27 < krzee> [23:07] "C:\\whatever" 22:27 < krzee> but ya "quoting was the wrong term" 22:28 < jean001> sorry I msiunderstood 22:29 < krzee> no prob 22:29 < krzee> give it a shot in quotes 22:29 < jean001> so, I will make some tests, use wireshark and I come back later for further questions 22:30 < jean001> once again, thank you for your help 22:30 < krzee> cool 22:30 < jean001> see you later 22:30 < krzee> good luck 22:31 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has left ##openvpn [] 22:53 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has quit [Read error: 113 (No route to host)] 23:23 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has joined ##openvpn 23:24 -!- unix3_ [n=unix3@201.199.62.74] has joined ##openvpn 23:25 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has quit [Client Quit] 23:27 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 23:47 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Fri Oct 23 2009 00:07 -!- unix3_ [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)] 00:20 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has quit [Remote closed the connection] 00:35 -!- REIFFERT is now known as reiffert 01:08 -!- hyper_ch [n=hyper@249-14.0-85.cust.bluewin.ch] has joined ##openvpn 01:21 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 01:24 -!- xp_prg [n=xp_prg3@dsl081-249-107.sfo1.dsl.speakeasy.net] has quit ["This computer has gone to sleep"] 02:05 -!- dazo|afk is now known as dazo 02:05 -!- dazo [n=ndazo@nat/redhat-us/x-gisgajssqbthhzbj] has quit [Remote closed the connection] 02:06 -!- dazo [n=nndazo@nat/redhat/x-xnkulhdhilnreqqt] has joined ##openvpn 02:06 -!- dazo is now known as Guest9776 02:11 -!- Guest9776 is now 
known as dazo 02:11 -!- dazo is now known as Guest12803 02:15 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn 02:15 -!- Guest12803 is now known as dazo 02:16 -!- dazo is now known as Guest29270 02:21 -!- Guest29270 is now known as dazo 02:22 -!- dazo is now known as Guest11021 02:24 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:25 -!- Guest11021 is now known as dazo 02:26 -!- dazo is now known as Guest5102 02:31 -!- Guest5102 is now known as dazo 02:31 -!- dazo is now known as Guest70023 02:35 -!- Guest70023 is now known as dazo 02:36 -!- dazo is now known as Guest48206 02:41 -!- Guest48206 is now known as dazo 02:41 -!- dazo is now known as Guest4228 02:46 -!- Guest4228 is now known as dazo 02:46 -!- dazo is now known as Guest31765 02:51 -!- Guest31765 is now known as dazo 02:51 -!- dazo is now known as Guest23643 02:55 -!- Guest23643 is now known as dazo 02:56 -!- dazo is now known as Guest83733 02:58 < |Mike|> Guest83733: 02:58 < |Mike|> dazo 02:58 < Guest83733> crap!!!! 02:58 -!- Guest83733 is now known as Guest83733|afk 02:59 < |Mike|> freenode: nick: |Mike|, autosendcmd: /^msg nickserv identify my_3r33t_p4ssw0rd;wait -freenode 2000, max_kicks: 4, max_msgs: 1, max_modes: 4, max_whois: 1 02:59 < |Mike|> <3 03:00 -!- Guest83733|afk [n=nndazo@nat/redhat/x-xnkulhdhilnreqqt] has quit [Remote closed the connection] 03:01 -!- dazo [n=dazo@nat/redhat/x-wcgdrrhkbdewkkhm] has joined ##openvpn 03:01 < dazo> |Mike|: sorry about that .... dircproxy sometimes can fail big time :( 03:02 < |Mike|> irssi++ 03:02 < dazo> heh ... is it a proxy? 03:02 < |Mike|> irssi-proxy, yep :) 03:02 * dazo will check out that one 03:03 -!- brizly [n=brizly_v@p4FC98490.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 03:04 < dazo> |Mike|: the odd thing ... 
this only happens to the FreeNode network
03:05 -!- brizly [n=brizly_v@79.201.132.144] has joined ##openvpn
03:05 < |Mike|> that's why i like efnet & ircnet so much, no services :)
03:07 < dazo> mm
03:10 < reiffert> irssi++
03:11 < |Mike|> Irssi: Uptime: 141d 23h 19m 14s
03:11 < |Mike|> wow
03:18 < |Mike|> anyone here with KVM experience ?
03:29 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:36 -!- SerajewelKS [n=me@wikipedia/Crazycomputers] has quit [Read error: 104 (Connection reset by peer)]
03:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:04 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 104 (Connection reset by peer)]
04:05 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
05:04 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
05:04 -!- fkr [i=fkr@news.bytemine.net] has quit [Read error: 60 (Operation timed out)]
05:07 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
05:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
05:42 < reiffert> 12:42:14 up 149 days, 5 min, 3 users, load average: 0.06, 0.11, 0.05
05:44 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has joined ##openvpn
06:01 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:15 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has joined ##openvpn
06:17 -!- brizly1 [n=brizly_v@p4FC9838A.dip0.t-ipconnect.de] has joined ##openvpn
06:24 -!- brizly [n=brizly_v@79.201.132.144] has quit [Read error: 145 (Connection timed out)]
06:49 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has quit [Read error: 113 (No route to host)]
07:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
07:26 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:30 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
07:34 < ecrist> good morning
07:34 < ecrist> |Mike|: I have KVM experience
07:35 < ecrist> ecrist@puma:~-> uptime 7:35AM up 522 days, 21:37, 3 users, load averages: 0.00, 0.00, 0.00
07:35 -!- hyper_ch [n=hyper@249-14.0-85.cust.bluewin.ch] has quit [Remote closed the connection]
07:47 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
07:51 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:54 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has joined ##openvpn
08:04 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
08:12 -!- smerz [n=daniel@83.160.155.152] has joined ##openvpn
08:13 -!- blinkiz [n=blinkiz@77.72.96.40] has joined ##openvpn
08:16 < blinkiz> Hi. Trying really hard to understand the option "shaper" here. it says in the man page that the value should be bytes per second. So I thought, 10 megabit = 1 310 720 byte. So I type in "shaper 1310720". But what happens? It goes in like 11,5 kbit/sec all time! Okay, I just add a zero, "shaper 13107200". Yeaks, now it runs at max, ~90 mbit/sec. So I have a problem understanding this value. Anyone care to help?
08:16 < Optic> mooo
08:17 < blinkiz> I want shaper to restrict to 10 mbit. What is the value for that?
08:18 < ecrist> blinkiz: after setting shaper, have you run the mtu test to make sure the packets still fit?
08:18 < blinkiz> ecrist, no
08:19 < ecrist> !mtu
08:19 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:19 -!- Vity [n=illumina@resnet-225339.resnet.bris.ac.uk] has joined ##openvpn
08:20 < Vity> !howto
08:20 < vpnHelper> Vity: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:21 < Vity> Can i set up VPN to only route 1 application or 1 port through it?
08:21 < ecrist> no
08:21 < ecrist> OpenVPN doesn't do that, directly.
08:21 < ecrist> you can route a single IP, however
08:22 < Vity> With the routing tables?
08:22 < ecrist> yes
08:22 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
08:22 < blinkiz> ecrist, So why do I need to fiddle around with mtu when setting shaper high as 10 mbit (1 310 720 bytes)?
08:22 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
08:24 < ecrist> if you're fiddling with one thing, I recommend fiddling with the other
08:24 < blinkiz> ecrist, Can I just use --fragment and --mssfix instead?
08:25 < ecrist> how about you test your mtu settings with shaper set and adjust as recommended?
08:25 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Read error: 110 (Connection timed out)]
08:26 < blinkiz> ecrist, My final solution will be installed on many computers. Same with the server. If this involves some tests each time, it's not possible.
08:27 < ecrist> a single test, one time, should be sufficient.
08:27 < blinkiz> oki
08:27 < ecrist> keep in mind, to limit bandwidth on both ends, you need shaper in client AND server config
08:27 < ecrist> really, you're better off using something other than OpenVPN to shape your traffic
08:28 < blinkiz> ecrist, yeah, I only need to limit it one way. Outgoing from the client
08:28 < ecrist> OK, but the client can delete that line and work around your limitation, just an FYI
08:28 < blinkiz> ecrist, yeah, it's okay also.
08:29 < blinkiz> I only want to set a recommendation
08:29 < ecrist> ok, shaper 1310720 should be working OK
08:29 < ecrist> what version of OpenVPN?
08:30 < blinkiz> ecrist, problem is, that value gives me 11.5 kbit/sec
08:30 < blinkiz> lets see. w8
08:30 < ecrist> w8?
08:30 < ecrist> wait?
08:30 < ecrist> *sigh*
08:30 < blinkiz> On client its OpenVPN 2.1_rc11 x86_64-pc-linux-gnu. Will also be the windows version later, 2.1 rc20.
08:30 < blinkiz> Server is..
08:31 < blinkiz> hehe.. It's sooo long to write "wait". Ain't it? :)
08:32 < blinkiz> Server is running the same, OpenVPN 2.1_rc11 i486-pc-linux-gnu
08:33 < blinkiz> So OpenVPN 2.1 rcXX everywhere.
08:33 < ecrist> you need to upgrade all to 2.1rc20
08:33 < ecrist> there are a lot of bug fixes between rc11 and rc20
08:33 < blinkiz> ecrist, Including this shaper thing?
08:34 < ecrist> don't see anything specific to shaper
08:34 < blinkiz> Running Debian Lenny on server and openvpn from repository. Same with client, Ubuntu 9.04..
08:34 < ecrist> don't really care what's in the repository
08:35 < ecrist> if you're going to run an RC, compile latest from source
08:35 -!- Vity [n=illumina@resnet-225339.resnet.bris.ac.uk] has quit []
08:36 < blinkiz> ecrist, So this will solve shaper thing?
08:37 < ecrist> no, I'm getting rid of variables
08:38 < ecrist> !changelog
08:38 < vpnHelper> ecrist: "changelog" is http://www.openvpn.net/changelog.html to see the openvpn changelog
08:38 < blinkiz> I guess I can backport rc20-2 from debian sid unstable
08:38 < ecrist> read that, start from rc11 and work your way up the page.
08:38 < blinkiz> yeah, already read that. Lot of changes
08:38 < blinkiz> changes = fixes
08:39 < ecrist> blinkiz: you need to either 1) install 2.0.9 on all machines, or install 2.1rc20 on all machines. when you've done that, I can help you further
08:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:39 < blinkiz> ecrist, okay
08:40 < blinkiz> ecrist, I can easily backport 2.1 rc19 on my ubuntu machine. Will that be alright?
08:41 < ecrist> it doesn't appear to be 2.1rc20
08:41 < ecrist> lots of changes between rc19 and rc20
08:42 < blinkiz> Well, I can't be running the latest all time. I need to keep the version the distributions decided to be stable
08:42 < blinkiz> This one is going to be used on hundreds of machines
08:42 < ecrist> our recommendation is to either use 2.0.9, or use the latest rc. RC11 is not acceptable
08:42 < blinkiz> yeah, rc11 was way too old. I agree
08:44 < blinkiz> okay. Need to fix this then. Need to add so my script is auto installing this new openvpn version instead of the one from the repository. Be back tomorrow. Thanks for the help
08:45 < ecrist> no problem
08:45 < ecrist> come back tomorrow (weekdays are better for help in here, though)
08:51 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has joined ##openvpn
08:52 < blinkiz> ecrist, Okay. did go faster than I expected... I now have rc20 on the server and rc19 on the client.
08:52 < blinkiz> ecrist, shaper 1310720 gives me 11.5kbit/sec
08:53 < ecrist> did you test your mtu settings?
08:53 < ecrist> tcp or udp?
08:53 < ecrist> !configs
08:53 < blinkiz> No, lets do that. wait...
08:53 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:53 < blinkiz> udp
08:54 < blinkiz> ecrist, Should I have the shaper option active when am running mtu-test?
08:54 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
08:56 < ecrist> yep
08:56 < blinkiz> oh, running it without at the moment. Will probably be done within 2 minutes
08:57 < blinkiz> ecrist, Done, without shaper active: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
08:58 < ecrist> that looks OK
08:58 < ecrist> now run with shaper
08:58 < blinkiz> yeah
08:59 < |Mike|> ecrist: cool, have you experienced KVM in production environments ? (think about heavy databases, large sites (zope / matrix (dirty java**)))
08:59 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Remote closed the connection]
08:59 < ecrist> I think we're talking about different KVM
09:00 < ecrist> I'm talking about the 'Keyboard, Video, Mouse' switching
09:00 < blinkiz> hehe
09:00 < |Mike|> lol!
09:01 < blinkiz> ecrist, "shaper 1310720" and I got: NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1557,1557] remote->local=[1557,1557]
09:02 < ecrist> OK, MTU looks OK.
09:03 < ecrist> so, with shaper 1310720, you get 11.5Kb/s and if you add a 0, you get 100Mb/s
09:03 -!- smerz [n=daniel@83.160.155.152] has quit ["Ex-Chat"]
09:03 < blinkiz> ecrist, client conf: http://blinkiz.pastebin.com/m35a5e012 Server conf: http://blinkiz.pastebin.com/m3bca379a
09:04 < blinkiz> ecrist, Correct. 11.5 kb/s and adding a 0, 100 mbit
09:04 < |Mike|> ecrist: i was talking about Kernel-based Virtual Machine
09:05 < ecrist> what if you change that number to something funny, like 1300000?
09:05 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has left ##openvpn []
09:05 < ecrist> |Mike|: FreeBSD jails would qualify, which I use heavily
09:05 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
09:06 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has joined ##OpenVPN
09:06 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has joined ##openvpn
09:06 -!- smerz [n=daniel@83.160.155.152] has joined ##openvpn
09:06 -!- jean001 [n=chatzill@APoitiers-552-1-83-144.w92-149.abo.wanadoo.fr] has left ##openvpn []
09:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:08 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
09:08 < |Mike|> we use debian lenny + xen in production environments, but i've read an article that debian is about to drop xen support after squeeze
09:09 < |Mike|> so now i'm trying to find something more reliable e.g. similar to Xen
09:12 < blinkiz> |Mike|, We (I) use kvm in production
09:13 < |Mike|> what kind of setup have you set it up?
09:13 < |Mike|> (that's one hell of a nice (not) english sentence)
09:19 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has left ##openvpn []
09:20 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
09:20 < |Mike|> how does KVM perform under heavy load / databases / sites (and their applications like Zope, Matrix etc)
09:22 < ecrist> |Mike|: have you looked into ESXi?
09:22 < ecrist> I'm actually running a test of it right now.
09:22 < ecrist> seems to be performing fairly well
09:22 * |Mike| dislikes the EULA
09:23 < ecrist> what about it?
09:23 < |Mike|> well, if you use ESXi for commercial use, you have to pay for it (around 9 euro per month per license)
09:23 < ecrist> didn't see that anywhere.
09:24 < ecrist> ESXi is free
09:24 < ecrist> ESX is for-pay
09:24 < |Mike|> oic, thought they were similar to each other.
09:24 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:24 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:25 < |Mike|> what's the difference? (only the i and 'free' ?)
09:27 < ecrist> ESXi is a little neutered in terms of HA and VM migration
09:27 < ecrist> it can still be done, but it's not as easy
09:28 < ecrist> however, if you don't plan on HA and moving servers around between hardware, no big deal
09:28 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:29 < ecrist> the other caveat is ESXi is only good for one processor, up to four cores
09:29 < |Mike|> only 4 ?
09:30 < ecrist> yep
09:30 < ecrist> the for-pay version is $795 per processor, up to 12 cores
09:30 < ecrist> per processor
09:31 < |Mike|> one of our biggest mysql databases uses 8 cores and ~32gb mem so esxi wouldn't be a solution imho
09:31 < ecrist> ESX could be, though
09:31 < ecrist> IMHO, I'd use FreeBSD 7 in your position
09:32 < ecrist> FreeBSD is faster with MySQL/Postgres than Linux, in general
09:32 < |Mike|> i could test that on monday tho
09:32 < ecrist> FreeBSD does jails, which are pretty friggin fast (very, very, little overhead)
09:33 < |Mike|> (the company where i work, only uses debian) :p
09:33 < ecrist> ESXi hypervisor is only about 35MB
09:34 < ecrist> it's pretty close to bare-metal
09:35 < |Mike|> let me schedule a meeting with my bosses and other employees about it
09:35 < ecrist> doing two make buildworlds on two identical freebsd VMs and each is only using about 50% of the processor
09:36 < ecrist> |Mike|: fwiw, krzee and myself both use FreeBSD, so if you went that route, you'd have a bit of support. I can try to help with ESXi, but my experience at this point is only about 16 hours more than yours. ;)
09:36 < |Mike|> hehe
09:36 < |Mike|> i'm a freebsd user as well
09:36 < |Mike|> but last month they tried to recode my brain to debian thinkin & moves
09:37 < |Mike|> wow it's 16:37, time to get the train
09:37 < |Mike|> ttyl!
09:37 < ecrist> I've been fortunate to not have to learn linux. I dabbled in it back in 1997, and was converted early on to FreeBSD (FreeBSD 2.2.5)
09:37 < |Mike|> thanks for the positive info ecrist
09:37 < ecrist> np
09:40 < krzee> i still have my fbsd 3 manual
09:41 < krzee> i had a friend who worked at walnut creek cdrom so he kicked down a box of them
09:41 -!- blinkiz [n=blinkiz@77.72.96.40] has quit [Remote closed the connection]
09:41 < krzee> (thats who distro'ed fbsd)
09:42 < krzee> i take that back, i dont have that anymore, just realized i left it in a plastic bin at moms house, then a bear broke into the shed and ate part of my books
09:42 < krzee> hes smarter than the avg bear
09:44 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:45 < ecrist> so, you used Bear Share?
09:46 -!- jeiworth [n=jeiworth@189.177.251.250] has joined ##openvpn
09:47 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Remote closed the connection]
09:48 < Berk> I have a question about the default behavior of open vpn and routing... Are the routes specified in the config file automatically taken down when openvpn receives a SIGTERM signal?
09:48 < ecrist> the kernel will automatically remove the routes when the given interface goes down.
09:49 < Berk> so even in the instance of a hard kill the routes are removed?
09:49 < ecrist> yep
09:49 < Berk> cool
09:49 < ecrist> not a feature of OpenVPN - a feature of your kernel
09:50 < Berk> nice... thanks.
09:51 < Berk> am I correct in assuming that any firewall rules are a different story... i.e. port 1194 will remain open until explicitly removed or firewall restarted?
09:51 < ecrist> yep
09:52 < ecrist> in most cases
09:52 < ecrist> there is a thing called uPnP, which allows for dynamic opening of ports. If you're running on DD-WRT or some other things, there is potential for that being used, in which case the port would close upon shutdown (or shortly after) of the daemon
09:53 < Berk> can openvpn manipulate the firewall using a down script if I have depreciated the user (i.e. user/group = nobody/nobody)?
09:54 < ecrist> depends on the permissions setup of the firewall ruleset
09:55 < ecrist> generally, the nobody/nobody user/group has limited access
09:55 < Berk> so if I am running in tinfoil hat mode the answer is no.... :)
09:55 < ecrist> correct
09:57 < ecrist> if you're running in tinfoil hat mode, it's too late. we've already located you and we're on our way
09:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:00 < Berk> sweet... thanks for the tip off, my hd's are already in DOD format and I have started the fire in the file cabinet... so a cron job initiated in the up script watching the process list and managing the openvpn ports on the firewall would work?
10:01 < ecrist> yeah. there is usually a /var/run/openvpn.pid or similar you can cat for the PID, as well
10:01 < ecrist> check to see if it's running, if not, kill the firewall rule
10:01 < ecrist> there's other, funky ways of doing things, which would help.
10:01 < Berk> I think the question is does the firewall up script fire before the openvpn process is user/group depriciated?
10:02 < Berk> sorry my spelding not so goof sometimes...
10:02 < ecrist> pf has an ssh pf/auth thing where you ssh in to the system and it builds a ruleset based on who's logged in. you could wrap openvpn into a script that executed the ssh session, building the rule.
10:02 < ecrist> when OpenVPN died, it would kill the ruleset automatically, despite user/group setting
10:03 < ecrist> I maintain a static ruleset in regard to OpenVPN. If I needed more security/tinfoil-hat setup, I'd do the ssh thing.
10:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
10:04 < ecrist> http://www.openbsd.org/faq/pf/authpf.html
10:04 < vpnHelper> Title: PF: Authpf: User Shell for Authenticating Gateways (at www.openbsd.org)
10:04 < Berk> nod
10:06 < Berk> thanks... will read up on that.
10:31 -!- smerz [n=daniel@83.160.155.152] has quit ["Ex-Chat"]
10:33 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:34 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit]
10:35 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:48 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has joined ##openvpn
10:55 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has quit []
11:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:27 -!- dazo is now known as dazo|afk
11:40 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
11:43 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:16 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has joined ##openvpn
12:17 -!- ZummiG777 [n=ZummiG77@campfieldm-work.sworps.tennessee.edu] has quit [Client Quit]
12:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
12:27 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
12:30 < robert_> "ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [if_index=65540]" <-- wtf?
12:36 -!- j3g [n=andrer@200.130.18.1] has joined ##openvpn
12:37 < j3g> is it possible to have openvpn do a Gigabit tunnel? (gigabit speeds)
12:37 < j3g> what kind of hardware is necessary for that
12:40 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn
12:52 -!- unix3 [n=unix3@190.10.68.228] has quit [Client Quit]
13:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
13:20 -!- linagee [n=linagee@about/linux/staff/linagee] has quit [Read error: 60 (Operation timed out)]
13:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:57 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
14:03 < ecrist> j3g: sure, it's possible.
14:04 < ecrist> the hardware would be dependent upon the type of traffic you're sending
14:04 < ecrist> lots of large packets vs lots of small packets
14:37 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:40 < j3g> ecrist: lots of large packets
14:40 < j3g> it's for backups
14:41 < ecrist> then it should be fine on standard modern hardware
14:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
14:41 < ecrist> probably a P3 may work. more likely a p4
14:41 < j3g> for GIGABIT ?
14:45 < ecrist> yeah
14:45 -!- Berk [n=notquite@adsl-065-083-131-003.sip.int.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
14:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
14:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:51 -!- Irssi: ##openvpn: Total of 76 nicks [0 ops, 0 halfops, 0 voices, 76 normal]
14:59 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:59 < j3g> dude... i really don't think a p3 would handle gigabit encryption
14:59 < j3g> i've read of people having trouble keeping a core2 for 200mbits
15:00 < ecrist> I have a p3 that handles 2Gb/s on a regular basis. not all encrypted, but the encryption is pretty low overhead
15:01 < j3g> i'll do some field testing
15:02 < j3g> are you doing authentication ? or just encryption?
15:02 < hyper_ch> hmmm..... for some reasons with luks / dm-crypt I never got over 40mb/s transfer between two sata drives
15:02 < j3g> MB or Mb?
15:03 < hyper_ch> megabyte
15:03 < j3g> so around 400MBits... which config?
15:03 < hyper_ch> two sata II drives and a 2.4 ghz intel core2duo mainboard/os on 64bit
15:04 < hyper_ch> but usually it's in the range of 25-30Mb
15:05 < hyper_ch> it just seems so much slower to copy large files compared to unencrypted drives
15:05 < j3g> truecrypt does multicore
15:05 < j3g> for encryption
15:05 < j3g> that might be better for you
15:06 < hyper_ch> truecrypt doesn't give me full disk encryption of the OS on linux
15:06 < hyper_ch> and not remote rebooting and uncrypting :)
15:08 < hyper_ch> how much overhead does actually openvpn put on the traffic? lets say I transfer 1 gb of data... with the encryption overhead, how much will it be in the end?
15:08 < Bushmills> as few large files? estimated ... 0.55 %
15:09 < hyper_ch> so hardly noticeable
15:09 < Bushmills> with many small files, it can be more
15:09 < Bushmills> (or, many short packets)
15:09 < hyper_ch> so p2p like bittorrent will be considered as many small files because it splits data up in chunks?
15:10 < Bushmills> unlikely that those chunks are very small. lots of pings, for example. or ntp traffic, those are short packets
15:10 < hyper_ch> ok
15:10 < hyper_ch> I wonder then why not everything is fully encrypted
15:11 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
15:11 < Bushmills> how do you mean, "not everything"?
15:11 < hyper_ch> why not every p2p client encrypts all the packages it sends
15:11 < hyper_ch> if the overhead isn't that big
15:11 < Bushmills> problem is not intercepting packets with p2p, but the fact that you need to connect.
15:11 -!- epaphus [n=unix3@190.10.68.228] has left ##openvpn ["Leaving"]
15:12 < hyper_ch> I don't understand
15:12 < Bushmills> you'd be not much anonymous with p2p with encrypted packets
15:12 < hyper_ch> nah
15:12 < hyper_ch> I was not aiming for anonymity
15:12 < Bushmills> as soon as you are sent something, encrypted or not, the sending machine needs to know where to send it to
15:12 < hyper_ch> but rendering the DPI useless that some providers employ
15:13 < hyper_ch> so you won't get throttled
15:13 < Bushmills> encryption is more overhead for sender than for receiver
15:13 < Bushmills> (cpu load)
15:14 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has joined ##openvpn
15:14 < hyper_ch> well, on home connections, where you can get throttled I think the average cpu nowadays can encrypt more stuff than it can put through the pipe
15:14 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has left ##openvpn []
15:14 < hyper_ch> 100mbit is only standard in sweden and some asian countries
15:14 < Bushmills> only some (few?) providers do that throttling
15:14 < hyper_ch> well, more may join
15:14 < hyper_ch> and if you rent a dedicated server you won't get throttled...
15:15 < hyper_ch> as far as I know it only affects "home" users
15:15 < Bushmills> i think it was considered illegal in the usa, very shortly ago
15:15 < hyper_ch> did the FCC now decide on net neutrality?
15:15 < ecrist> not illegal yet, FCC is working on it
15:15 < hyper_ch> :)
15:15 < ecrist> most of the players have stopped because they don't want to create more problems and call more attention to things.
15:15 < Bushmills> i'm not into the details, as i'm not in the usa, as such i'm not directly affected
15:16 -!- j3g [n=andrer@200.130.18.1] has quit ["leaving"]
15:17 < hyper_ch> neither am I
15:17 < Bushmills> also, i don't even know whether i am throttled on my link, as everything goes in and out encrypted here
15:17 < hyper_ch> same here :)
15:17 < hyper_ch> well, at least to my dedicated box
15:18 < hyper_ch> actually... not on this box
15:18 < hyper_ch> everything on my home server :)
15:18 * ecrist has never been throttled by his ISP
15:18 < Bushmills> provider doesn't even see dns queries
15:20 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
15:21 < Hink> how do i disconnect a vpn user connected to my server
15:22 < hyper_ch> stop the power supply to his neighbourhood
15:22 < ecrist> Hink: you can log in to the server's management console and disconnect them there.
15:23 * plaerzen aves to krzee and ecrist, but mostly ecrist.
15:23 < ecrist> lol
15:23 < ecrist> how goes, plaerzen?
15:23 < plaerzen> s/aves/waves
15:23 < plaerzen> Eh, not bad I suppose. I'm above ground
15:23 < plaerzen> Trying to figure out some logwatch problems.
15:24 < plaerzen> I was gone for a month to the philippines. That was a wicked vacation.
15:24 < plaerzen> how goes with you, ecrist ?
15:24 < ecrist> good, I suppose.
15:25 < plaerzen> eh
15:26 < Hink> thanks ecrist
15:30 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has joined ##openvpn
15:30 < ecrist> np
15:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
15:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:36 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit []
15:36 < jean001> hi all, I have a little openvpn with 1 client, a lan behind the vpn server and a lan behind the vpn client. All is working fine, but I would like to know if there is a way to configure the router to avoid adding routes manually on the lan machines ? Thank you for your help
15:45 < ecrist> yes, simply setup the default gateway to have the proper route
15:46 * ecrist goes away
16:04 -!- addict31 [n=chatzill@min31-2-89-84-55-35.dsl.club-internet.fr] has joined ##openvpn
16:09 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:18 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"]
16:19 < robert_> "ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [if_index=65540]" <-- what would cause this message?
16:19 < robert_> anybody?
16:23 < krzee> !configs
16:23 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
16:44 -!- addict31 [n=chatzill@min31-2-89-84-55-35.dsl.club-internet.fr] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
16:45 < robert_> alrighty.
16:45 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has joined ##openvpn
16:48 < robert_> !pastebin
16:48 < vpnHelper> robert_: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
16:50 < robert_> krzee, Server 2003 (SP2), http://pastebin.ca/1640792
16:54 * robert_ pokes krzee
17:11 < jean001> Hi all, I would like to know how to access the lan behind server/client without needing to add routes manually on the lan
17:11 < jean001> my "network" : http://pastebin.com/d6e8dda54
17:11 < jean001> server conf : http://pastebin.com/d12c21db5
17:11 < jean001> client conf : http://pastebin.com/m9b8a84b
17:11 < jean001> Thank you for your help.
17:21 -!- DevilsPGD [i=xyzzy@96.50.175.41] has quit ["Leaving."]
17:44 < krzie> jean001 you must add routes to the default gateway of the lan
17:44 < krzie> as seen in my route doc at !route under the diagram, ROUTES TO ADD OUTSIDE OPENVPN
17:46 < krzie> robert_ that was the client, how bout the server
17:47 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has joined ##openvpn
17:49 < jean001> hello krizie
17:49 < krzie> hey
17:49 < jean001> thank you for your help yesterday, the problem was, as you said, I forgot to put quotes for client config dir
17:50 < krzie> np
17:50 < jean001> now everything works fine
17:50 < krzie> glad to hear it
17:51 < jean001> so when you say I need to add routes to the default gateway, you mean to the box (router) for each lan ?
17:51 < krzie> correct
17:51 < krzie> the device that the whole lan uses as their default gateway
17:52 < krzie> you run windows, when you look at ipconfig and see Default Gateway, that is what im referring to
17:53 < jean001> ok, but how should I do that ?
17:53 < krzie> by learning how to add a static route to your router
17:53 -!- Berk [n=notquite@65.13.134.238] has joined ##OpenVPN
17:54 < krzie> its not openvpn related, just standard networking
17:54 < jean001> the default gateway on the server side has a menu called "routes" and proposes like that : destination mask gateway
17:54 < jean001> ok
17:54 < jean001> I will check that
17:55 < krzie> well if it has that its pretty easy
17:55 < krzie> destination: both networks not local
17:55 < krzie> mask 255.255.255.0
17:55 < krzie> dest: local vpn machine
17:55 < krzie> (by lan ip)
17:55 < krzie> when i say both, i mean 2 separate entries
17:56 < robert_> krzee, alright.. I'll post the server config.
17:58 < robert_> http://pastebin.ca/1640880
17:58 < robert_> there you go, krzee.
18:00 < krzie> and contents of ccd files
18:00 < krzie> (all this was in !configs)
18:00 < krzie> to show it again...
18:00 < krzie> !configs
18:00 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:02 < krzie> push "route 10.2.0.0 255.255.255.0"
18:02 < krzie> remove that
18:02 < krzie> what is 10.0.0.0 255.255.255.0 ?
18:02 < krzie> and ill assume that 10.3 and 10.4 are lans behind clients but cant know since no ccd entries have been pasted yet
18:03 < krzie> i guess maybe 10.0.0.0/24 is the local lan and this box is the gateway which has interfaces on both 66.118.133.3 AND 10.0.0.0/24
18:04 < krzie> if thats the case, remove route 10.0.0.0 255.255.255.0
18:04 < robert_> http://pastebin.ca/1640884
18:04 < robert_> commented for convenience, lol
18:04 < krzie> ;]
18:04 < krzie> umm
18:05 < krzie> those ifconfig-push "route etc"
18:05 < krzie> lose them all
18:05 < krzie> and explain what you're trying to do pls
18:06 < robert_> I have 3 subnets with different "levels" of access.
18:06 < krzie> "levels of access" get controlled in the firewall
18:06 < robert_> yup
18:06 < krzie> ok, go on
18:07 < krzie> what lans are where
18:07 < robert_> so, the three levels go as such- 1.) Management, where you get access to our management service, email, IM, etc. 2.) Contractor, you get access to the svn server, and Executive which has no limits.
18:08 < krzie> thats all firewall stuff
18:08 < krzie> im saying, there seem to be lans behind diff machines
18:08 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
18:08 < krzie> you have routes being added to the server as well as pushed to the clients
18:08 < robert_> yeah
18:09 < robert_> I'm trying to assign both of the guid certificates to one level, and give the other contractor access.
18:09 < krzie> !policy
18:09 < vpnHelper> krzie: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
18:09 < krzie> #1
18:09 < krzie> so are all those lans behind the server then
18:09 < krzie> ?
18:09 < robert_> yup
18:10 < krzie> ok, then remove ALL route entries
18:10 < krzie> only push the routes
18:10 < robert_> oh, okay.
18:10 < krzie> route entries tell the machine to add the route to those networks as going through openvpn
18:10 < krzie> push route entries do the same, but on the clients
18:11 < krzie> you would break routing to those lans on the server by telling it to route them over the vpn
18:11 < krzie> also, you dont need to push the vpn subnet to vpn clients
18:12 < robert_> I want separate, distinct subnets though
18:12 < krzie> yes, you do
18:12 < krzie> as seen in #1 of !policy
18:12 < robert_> ah.
18:12 < robert_> I also want like, 10.0.0.1 accessible from everybody
18:12 < krzie> then to push a route to that subnet to the right certs, put the push route in the ccd entry for the bosses
18:13 -!- f00f [n=f00fSteR@static-64-61-181-148.isp.broadviewnet.net] has quit [Read error: 104 (Connection reset by peer)]
18:13 < krzie> go read policy =]
18:13 < robert_> oh
18:13 < robert_> yeah
18:13 < robert_> that's basically what I want to do
18:14 < krzie> it actually seems to be using your exact situation
18:14 < krzie> our exact situation
18:14 < robert_> yeah
18:14 < krzie> heh too much lag
18:14 < krzie> doubletyping
18:14 < ecrist> hola
18:14 < robert_> heh, it was actually inspired from your example ;P
18:15 < robert_> Ohai
18:15 < krzie> wassup eric
18:15 < ecrist> nm, setting up with wife's new blackberry
18:16 < robert_> mmm blackberry
18:16 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
18:16 < robert_> krzie, can I push 10.0.0.1 to the clients?
18:17 < ecrist> why wouldn't you be able to?
18:17 < robert_> hm, true
18:18 * ecrist goes to get his drink on
18:18 < robert_> okay so then, can I add a default route, so that if I don't override it, you get a route?
18:19 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
18:20 < krzie> huh?
18:20 < robert_> meh nevermind
18:20 < robert_> stupid idea, I think
18:21 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
18:22 < krzie> you can push the route to everyone by putting the push in server config, then firewall it off for those who dont get it
18:22 < krzie> but by doing that someone with a brain would know theres something there they cant access because of a firewall
18:22 < robert_> yeah
18:22 < ecrist> why would that matter?
18:22 < robert_> eh then I'll just add 10.0.0.1
18:22 < krzie> ecrist, makes a target
18:23 < ecrist> so?
18:23 < ecrist> you don't think 'secure-computing.net' is a target, in and of itself?
18:23 < ecrist> ;)
18:23 < ecrist> a competent admin can ward off most attacks
18:23 < robert_> :p
18:25 < krzie> sure, but i dont push routes to people who shouldnt see they exist
18:25 < krzie> for just that reason
18:25 < krzie> they can do their own homework and find the targets themselves
18:25 < ecrist> ah, fair enough
18:25 -!- jeiworth [n=jeiworth@189.177.251.250] has quit [Read error: 145 (Connection timed out)]
18:25 < krzie> no reason for me to assist
18:25 < ecrist> it's silly to push routes to people who don't need them
18:25 < krzie> aye
18:26 < krzie> sure its not a security risk if the firewall is setup right, but i guess this goes back to why i dont run gui on my servers
18:41 < robert_> Fri Oct 23 19:36:54 2009 /sbin/route add -net 10.0.0.1 netmask 255.255.255.0 gw 10.2.0.5 gives me, "route: netmask doesn't match route address"
18:41 < robert_> :\
18:41 < robert_> I'd like to push just what the endpoint needs to use
18:48 < robert_> can I push specific endpoints (10.0.0.1, 10.0.0.5) to certain clients?
18:50 < ecrist> yep
18:51 < ecrist> send them with a 32bit subnet mask
18:51 < ecrist> 10.0.0.1 255.255.255.255
18:59 < robert_> oh 255.255.255.255? okay.
19:02 < robert_> yeah that screwed up the vpn
19:04 < robert_> oooh
19:04 < robert_> perfect
19:07 * robert_ pokes ecrist
19:29 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
19:30 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
19:34 -!- ErickG [n=ErickG@190.87.250.195] has joined ##openvpn
19:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
19:47 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has quit ["Leaving."]
19:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
20:12 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:14 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn
20:26 -!- ErickG [n=ErickG@190.87.250.195] has left ##openvpn []
20:30 -!- jean001 [n=chatzill@APoitiers-552-1-55-189.w92-136.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
21:06 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"]
21:13 -!- tjz [n=tjz@bb121-6-135-22.singnet.com.sg] has joined ##openvpn
21:14 -!- master_of_master [i=master_o@p549D4303.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:19 -!- master_of_master [i=master_o@p549D6FAB.dip.t-dialin.net] has joined ##openvpn
21:27 -!- Optic [n=dfraser@miso.capybara.org] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"]
21:30 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:45 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
21:58 -!- Sparxz [n=kvirc@89.124.68.18] has joined ##openvpn
22:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
22:06 -!- Sparxz [n=kvirc@89.124.68.18] has quit [Client Quit]
22:28 -!- hyper__ch [n=hyper@adsl-62-167-58-218.adslplus.ch] has joined ##openvpn
22:28 -!- hyper_ch [n=hyper@adsl-84-227-38-24.adslplus.ch] has quit [Nick collision from services.]
22:28 -!- hyper__ch is now known as hyper_ch
22:50 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
23:19 -!- Berk [n=notquite@65.13.134.238] has quit [Read error: 145 (Connection timed out)]
23:58 -!- theDoc [n=hex@220.255.255.31] has joined ##openvpn
--- Day changed Sat Oct 24 2009
00:07 -!- theDoc [n=hex@220.255.255.31] has quit [Read error: 145 (Connection timed out)]
00:09 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
01:17 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 110 (Connection timed out)]
01:17 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
01:35 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
02:10 -!- gallatin [n=gallatin@dslb-092-072-077-253.pools.arcor-ip.net] has joined ##OpenVPN
02:29 -!- Guest67347 [n=peter@c-67-183-73-27.hsd1.wa.comcast.net] has quit [Remote closed the connection]
02:55 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 110 (Connection timed out)]
03:17 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
03:17 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
03:28 -!- gallatin [n=gallatin@dslb-092-072-077-253.pools.arcor-ip.net] has quit ["Client exiting"]
04:12 < hyper_ch> hi there
04:13 < hyper_ch> I wonder, is there any encryption tool for my cell phone memory card so that stuff stored on it will be encrypted?
04:23 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
04:30 < Bushmills> hyper_ch: openvpn encrypts transport, not storage.
04:30 < hyper_ch> I know
04:30 < Bushmills> oh, i thought you were asking
04:31 < hyper_ch> but as you are kinda experts on encryption I assumed someone in here might know about device encryption
04:33 < reiffert> http://www.google.de/search?q=Truecrypt+Iphone
04:33 < vpnHelper> Title: Truecrypt Iphone - Google-Suche (at www.google.de)
04:33 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 54 (Connection reset by peer)]
04:33 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
04:35 < hyper_ch> no iphone here
04:37 < reiffert> you said cell phone.
04:37 < hyper_ch> thats right
04:37 < hyper_ch> but there are other cell phones than iphones
04:37 < reiffert> True there are.
04:42 < Bushmills> reiffert: yes, you should have produced a link to a tool which works on any existing phone
04:44 < Bushmills> or change the search term to "my cell phone" :D
05:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
05:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:18 < oc80z> heh
05:19 < oc80z> time to get a Palm Pre
06:07 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
06:17 -!- brizly [n=brizly_v@p4FC9A32F.dip0.t-ipconnect.de] has joined ##openvpn
06:18 -!- brizly1 [n=brizly_v@p4FC9838A.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
06:35 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has joined ##openvpn
06:54 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:08 -!- WormFood [n=wormfood@113.87.193.105] has joined ##openvpn
07:10 < WormFood> ugh....anyone here have experience with dd-wrt and openvpn? I get a connection to my openvpn server just fine from the router, ping the other end of the tunnel just fine (from the router), but none of the clients can ping the other end of the tunnel. Forwarding is turned on in the kernel, and it does not appear to be a firewall rule stopping me
07:11 < WormFood> I know I must be overlooking something, but can't figure it out.
07:14 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 54 (Connection reset by peer)]
07:32 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
07:39 -!- c64zottel [n=hans@62-12-244-020.pool.cyberlink.ch] has left ##openvpn []
07:52 -!- WormFood [n=wormfood@113.87.193.105] has quit [Read error: 110 (Connection timed out)]
07:55 -!- WormFood [n=wormfood@113.87.197.45] has joined ##openvpn
08:06 < |Mike|> WormFood:
08:06 < |Mike|> !all
08:06 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
08:20 -!- ephesus [n=bruno@d54C02215.access.telenet.be] has joined ##openvpn
08:20 < ephesus> !howto
08:20 < vpnHelper> ephesus: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:21 < Optic> mmm openvpn
08:22 < Optic> it rocks my world :)
08:22 < ephesus> !man
08:22 < vpnHelper> ephesus: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:23 < ephesus> !forum
08:23 < vpnHelper> ephesus: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
08:23 < |Mike|> wasn't telenet owned by some h4x0r?
08:24 -!- c64zottel [n=hans@62.12.244.20] has joined ##openvpn
08:29 -!- ephesus [n=bruno@d54C02215.access.telenet.be] has left ##openvpn []
08:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
08:32 < WormFood> hi |Mike|...just got back and saw your message...will pastebin after I read more about dd-wrt/openvpn, if I still can't get it to work...thanks
08:32 < WormFood> |Mike|, I'm 99% sure it is an issue with dd-wrt, as I can connect between openvpn client and server with no problems, and ping the remote side of the vpn from the router, but not the router's clients
08:33 < |Mike|> firewall?
08:34 < WormFood> that is what I think the problem is, but not sure what to do about it
08:34 < WormFood> I suspect I just need to setup masquerading, or something...not really sure (actually, I expected it to just work)
08:34 < ecrist> try /j #dd-wrt
08:35 < WormFood> I'm already there and asking ecrist :P but I figured it wouldn't hurt to ask here too, as I figure I'm not the only one using openvpn on dd-wrt
08:35 < WormFood> I really don't think the problem is in openvpn or configuration, I'm 99% sure it has something to do with the firewall/iptables on the router.
08:35 < ecrist> the problem with dd-wrt is that it's not a normal linux distro. it's stripped down and highly customized.
08:36 < ecrist> also, they have a GUI interface to their openvpn config which is horribly lacking.
08:36 < WormFood> ecrist, and trying to get help on #dd-wrt is like pulling teeth....very unhelpful channel most of the time.
08:36 < ecrist> that's why we generally direct users to their channel
08:36 < WormFood> yes, I agree, the GUI is absolutely horrible
08:36 < WormFood> I gave up on the GUI, and I'm doing everything from the command line now....I just want it to work, then will automate it
08:37 < WormFood> and while it is stripped down, and customized, the basic concepts are the same
08:40 < WormFood> thanks for your input guys (this channel is so much more helpful)
08:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
08:45 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
08:53 < |Mike|> re.
09:07 < |Mike|> w00tix, time to do some tests with ESXi + ssd
09:16 < WormFood> I think I got it figured out.....brb as I reboot my router
09:16 -!- WormFood [n=wormfood@113.87.197.45] has quit ["reboot router"]
09:17 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn
09:43 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:57 < Optic> moo
09:57 < Optic> yay
09:58 < Optic> i just setup a toy vpn on my server
09:58 < Optic> so i can have a trusted net link from my laptop
09:58 < Optic> the hard part was dnsmasq and iptables ;)
10:14 < theDoc> no, nothing really hard about that.
10:32 -!- Berk [n=notquite@adsl-065-013-134-238.sip.int.bellsouth.net] has joined ##OpenVPN
10:34 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:56 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
11:00 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
11:04 -!- TheBeast [n=id@unaffiliated/thebeast] has joined ##openvpn
11:05 < TheBeast> I'm running 2.1rc20 compiled from source on OS X 10.6. I'm a client, I connect without problems but I cannot resolve
11:06 < TheBeast> if I query the remote DNS server (the one serving the office) it resolves
11:06 < TheBeast> dig @blah.blah hostname.domain
11:13 < |Mike|> did you push the dns to the client?
11:14 -!- WormFood [n=wormfood@121.35.147.111] has joined ##openvpn
11:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
11:36 -!- frepe [n=fredrik@c-a689e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has joined ##openvpn
11:37 < frepe> If I'm running an openvpn client on ubuntu, and the server is in bridged mode, will I need to set up a TAP interface on the client?
11:38 < hyper_ch> bridged mode?
11:38 < frepe> hyper_ch: yes
11:38 < |Mike|> !tunortap
11:38 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
11:41 -!- WormFood [n=wormfood@121.35.147.111] has quit ["why is it so fuckin' hard to make dd-wrt and openvpn work together?"]
11:44 < frepe> Yes, I know that. Do you know if I need to create a tap device on the client?
11:55 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
11:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
11:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:28 -!- frepe [n=fredrik@c-a689e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has quit [Read error: 60 (Operation timed out)]
12:52 -!- c64zottel [n=hans@62.12.244.20] has quit ["Leaving."]
13:33 -!- frepe [n=fredrik@c-a689e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has joined ##openvpn
13:37 < krzie> frepe of course
13:40 -!- WormFood [n=wormfood@208.68.91.101] has joined ##openvpn
13:56 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
14:20 -!- WormFood [n=wormfood@208.68.91.101] has quit [Read error: 110 (Connection timed out)]
14:21 -!- WormFood [n=wormfood@121.34.202.227] has joined ##openvpn
14:25 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
14:44 < jmp_xinu> hi, does anyone know of documentation to setup openVPN routed with multiple LAN on the server side
14:45 < jmp_xinu> ie clients -> openVPN/Router/FW -> multi LAN (lan1, lan2 lan3)
14:48 < reiffert> jmp_xinu:
14:48 < reiffert> !route
14:48 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:50 < jmp_xinu> reiffert: did that :) but:
14:50 < reiffert> When did you do what?
14:51 < krzie> multiple lans on server side is simple
14:51 < krzie> just push all the routes to clients for the lans behind the server
14:52 < krzie> and make sure the router on server side knows the route back to vpn subnet
14:52 < jmp_xinu> all internal users in LANs can see VPN clients but VPN clients can not see past gateways in LANs :(
14:54 < krzie> make sure the firewall allows them to connect back through
14:54 < jmp_xinu> ok, let me chk that :)
14:55 < krzie> if you feel the firewall should be allowing, fire up packet sniffers everywhere in the chain of machines and see where the pings get to and where they stop
14:56 < krzie> when the traffic should be inside the vpn, sniff the vpn interface =]
14:57 < krzie> also feel free to follow !configs if you feel the firewall should allow
14:59 < jmp_xinu> hmm, i think the problem may be the Firewall :( not letting packets from VPN clients back out
15:00 < krzie> cool, should be an easy fix once you know the issue =]
15:00 < krzie> just allow the vpn subnet to do whatever you want it to do
15:01 < krzie> ie: pass to and from vpn interface, pass to whatever subnets you want it to or blindly pass to lan interfaces, whatever your desire is
15:02 < krzie> the hard part is diagnosing the problem, now you should be good ;]
15:07 < jmp_xinu> krzie: thanks im trying multiple FW settings now
15:08 < jmp_xinu> in all i think VPN is set correctly as all internal lans can ping vpn clients but vpn cli cannot ping any in lans
15:14 < krzie> sounds like a reasonable assumption
15:14 < krzie> thats why i brought up the firewall first
15:14 < krzie> thats the most likely culprit
15:17 -!- TheBeast [n=id@unaffiliated/thebeast] has quit ["leaving"]
15:20 < jmp_xinu> man
15:20 < jmp_xinu> no luck with the FW setting :(
15:20 < jmp_xinu> may be is the linux client
15:20 < jmp_xinu> let me try winblows
15:21 < krzie> negative
15:21 < krzie> and just cause you didnt get it working with your FW settings doesnt mean thats not your problem
15:21 < krzie> go do what i said to do if you thought the firewall was ok
15:21 < krzie> start the sniffing
15:21 < krzie> isolate the problem
15:22 < krzie> much better than trying another OS (openvpn runs the same on all of them, you'll be wasting your time)
15:23 < jmp_xinu> well reason i say that it may be the VPN client is that
15:24 < krzie> its not the client, it could be the configuration or the config of the OS, but its not openvpn itself
15:25 < jmp_xinu> i get to the openVPN/FW -> Gateway lan1 (or lan2, lan3)
15:25 < jmp_xinu> but let me sniff it
15:25 < krzie> but if you dont wanna listen to me, fine by me
15:25 < krzie> i stand to gain nothing either way ;]
15:28 < jmp_xinu> except you have gained a friend in me
15:29 < krzie> ;]
15:31 < |Mike|> igh krzie
15:34 < krzie> wassup man!
15:35 -!- WormFood [n=wormfood@121.34.202.227] has quit [Read error: 104 (Connection reset by peer)]
15:36 < |Mike|> chillin yo
15:36 < |Mike|> u ?
15:36 < krzie> workin on a script
15:36 < krzie> and bruting some stuffs
15:37 < krzie> tired as shit too, was up all night gettin some 2girl action
15:37 < krzie> which is always a good time
15:37 < |Mike|> haha
15:37 < |Mike|> i can imagine YEAH
15:38 < krzie> my girl has a friend with perfectly shaped 34DD and no gag reflex, its great
15:38 < |Mike|> 34?!
15:39 < |Mike|> rotflol
15:39 < krzie> ya, shes skinny with some huge ones, with no sag at all
15:39 < |Mike|> nice
15:39 < |Mike|> and girls with gag reflexes should get shot imho :P
15:40 < krzie> ya shes a shitty friend to my gf but we figure fuckit we can use her for sex at least, lol
15:41 < |Mike|> she better be good for that yeah
15:41 < krzie> my gf rocks
15:41 < krzie> =]
15:42 < |Mike|> normally i would say "pics or it didn't happen"
15:42 < krzie> and ild say "it didnt happen then"
15:42 < krzie> *shrug*
15:42 < |Mike|> haha
15:43 < |Mike|> hm, i have some light RSI thingy in my right arm
15:43 < |Mike|> ffs.
15:43 < krzie> RSI?
15:44 < |Mike|> Repetitive Strain Injury (RSI)
15:44 < |Mike|> ye
15:44 < |Mike|> s
15:44 < krzie> fuck man you're ALWAYS hurt
15:44 < krzie> you should be the boy in the bubble
15:44 < |Mike|> lol!
15:44 < krzie> hey do you gamble?
15:44 < |Mike|> nope
15:44 < krzie> if so i got a winner for you in tonights UFC fights
15:44 < krzie> ok
15:45 < |Mike|> i had a black hat on my head tonight
15:45 < krzie> nice, anything good come of it?"
15:46 < krzie> s/"//
15:46 < krzie> but remember, !irclogs
15:46 < |Mike|> Some hardenberg 'thing' which does voip and some video conferences etc
15:46 < krzie> ahh werd
15:47 < |Mike|> they are bare metal
15:47 < |Mike|> toystuff :p
15:47 < krzie> joo got my info script right?
15:48 < |Mike|> not sure
15:48 < |Mike|> nope
15:49 < krzie> link messages
15:49 < krzie> err
15:49 < krzie> link messaged
15:50 -!- carpe_ [n=carpe@vip1.tundraeng.com] has joined ##openvpn
15:52 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 110 (Connection timed out)]
15:55 -!- WormFood [n=wormfood@121.34.202.151] has joined ##openvpn
15:56 < krzie> lol
15:59 < |Mike|> lol wat
16:02 < frepe> Anyone knows of an ubuntu bug that prevents it running as an openvpn client because the network manager fails to bring up tap0 as it should?
16:02 < krzie> !ubuntu
16:02 < vpnHelper> krzie: "ubuntu" is dont use network manager!
16:03 < frepe> Why not?
16:03 < krzie> sux
16:06 < arcsky> !howto
16:06 < vpnHelper> arcsky: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:44 -!- fr00d [i=fr00d@unaffiliated/fr00d] has left ##openvpn []
16:58 -!- frepe [n=fredrik@c-a689e555.011-154-6c6b7013.cust.bredbandsbolaget.se] has quit ["Ex-Chat"]
17:19 < jmp_xinu> krzie: well just so happens :(
17:21 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
17:21 < jmp_xinu> it is only my freakin' linux clients that are having this problem :(
17:21 < jmp_xinu> winblows works correctly :(
17:21 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
17:23 < jmp_xinu> of course with openVpn gui
17:23 < krzie> then your config on your linux boxen are bad
17:24 < krzie> likely firewall related ild guess
17:25 < jmp_xinu> i dont think ubuntu has any type of firewall on it but let me double chk
17:27 < |Mike|> on default, not.
17:27 < krzie> you're just using openvpn, right? no network manager bs frontend...?
17:28 < |Mike|> network manager is the biggest pile of shit in ubuntu imho.
17:28 < krzie> hence:
17:28 < krzie> ~ubuntu
17:28 < krzie> err
17:28 < krzie> !~ubuntu
17:28 < vpnHelper> krzie: Error: "~ubuntu" is not a valid command.
17:28 < krzie> !ubuntu
17:28 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
17:28 < vpnHelper> krzie: "ubuntu" is dont use network manager!
17:28 < krzie> heh
17:28 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
17:28 < jmp_xinu> correct only openVPN cmd line with openvpn config file
17:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Remote closed the connection]
17:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
17:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Remote closed the connection]
17:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
17:31 < krzie> same versions of openvpn? (rc20)
17:31 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
17:32 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
17:32 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has joined ##openvpn
17:36 < jmp_xinu> so from internal lan's ubuntu, freebsd and winblows can ping vpn clients linux or windows
17:37 < jmp_xinu> and win VPN clients can ping them also
17:38 < jmp_xinu> but ubuntu VPN clients cannot ping beyond the gateways thus unable to ping any clients
17:38 < jmp_xinu> in the lan's
17:39 < jmp_xinu> so now i have to look at the ubuntu setups :(
17:40 < jmp_xinu> this is more painful than originally anticipated
17:43 < |Mike|> well, ubuntu doesn't run iptables on default.
17:45 < reiffert> !ubuntu
17:45 < vpnHelper> reiffert: "ubuntu" is dont use network manager!
17:45 < jmp_xinu> i see ubuntu clients are getting the pushed routes
17:46 < krzie> have you sniffed the stuff yet like i orig said to?
17:47 < jmp_xinu> reiffert: im running vpn via term
17:50 < jmp_xinu> krzie: doing that now, had to go grab another linux laptop ;) so i can watch the main gtwy
17:51 < krzie> everything you've done since i said that until now has been a waste of your time
17:51 < krzie> but hey, it IS your time ;]
17:51 < jmp_xinu> yes and yours, sorry about that...
17:51 -!- WormFood [n=wormfood@121.34.202.151] has quit [Read error: 110 (Connection timed out)]
17:52 < krzie> nah i only goto this screen between stuff im doing, no time lost here
17:52 < krzie> =]
17:54 -!- WormFood [n=wormfood@58.60.222.175] has joined ##openvpn
17:55 < |Mike|> lol
17:56 < jmp_xinu> What, no more linux laptops!
17:56 < jmp_xinu> this really winblows
17:57 < |Mike|> shut up
17:58 < reiffert> jmp_xinu: you really dont know what ubuntu does when udev, hal and other fully automated shit detects a new interface.
17:58 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 110 (Connection timed out)]
17:59 < jmp_xinu> i just need something to watch tcpdump on my FreeBSD gateways
18:00 < jmp_xinu> i guess putty had to do
18:00 < jmp_xinu> reiffert: i guess i don't :(
18:03 < jmp_xinu> otherwise i would have this working by now :(
18:56 -!- oc80z [i=oc80z@blea.ch] has quit [Read error: 104 (Connection reset by peer)]
19:38 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
19:59 -!- WormFood [n=wormfood@58.60.222.175] has quit [Read error: 110 (Connection timed out)]
20:02 -!- dazo|afk- [n=ndazo@nat/redhat/x-wmiqovfhffptasqj] has joined ##openvpn
20:03 -!- dazo|afk [n=dazo@nat/redhat/x-wcgdrrhkbdewkkhm] has quit [Read error: 104 (Connection reset by peer)]
20:03 -!- dazo|afk- is now known as dazo|afk
20:08 -!- dazo|afk- [n=nndazo@209.132.186.34] has joined ##openvpn
20:10 -!- alice|wl [n=helo@notomorrow.de] has joined ##openvpn
20:10 < alice|wl> hello, my openvpn sends out this: Sun Oct 25 02:04:12 2009 rw-42143.hashpeer.net.g01ng/85.181.18.25:1194 SENT CONTROL [rw-42143.hashpeer.net.g01ng]: 'PUSH_REPLY,route 10.41.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.41.0.18 10.41.0.17' (status=1)
20:11 < alice|wl> the ifconfig command seems to lead to an error on the client
20:11 < alice|wl> Sun Oct 25 01:04:15 2009 /sbin/ifconfig tap0 10.41.0.18 netmask 10.41.0.17 mtu 1500 broadcast 255.255.255.254
20:11 < alice|wl> ifconfig: SIOCSIFNETMASK: Invalid argument
20:12 < alice|wl> how can I change that?
20:12 -!- dazo|afk [n=ndazo@nat/redhat/x-wmiqovfhffptasqj] has quit [Read error: 60 (Operation timed out)]
20:13 < krzie> !configs
20:13 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:13 -!- dazo|afk- is now known as dazo|afk
20:17 < alice|wl> this is an ubuntu server and a wrt router as client
20:18 < alice|wl> and what is ccd?
20:22 -!- WormFood [n=wormfood@119.122.147.211] has joined ##openvpn
20:26 < alice|wl> here are my configs
20:26 < alice|wl> http://pastebin.org/48047
20:27 < alice|wl> !route
20:27 < vpnHelper> alice|wl: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:36 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has quit ["Leaving."]
20:41 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"]
20:44 -!- WormFood [n=wormfood@119.122.147.211] has quit [Read error: 110 (Connection timed out)]
20:44 < alice|wl> I dont know where that .17 is coming from
20:44 < alice|wl> it doesnt exist
20:46 < krzie> !/30
20:46 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
20:47 < krzie> it only exists within openvpn because you are using topology net30 (default)
20:47 < krzie> and you cant use tun on 1 and tap on other
20:48 < alice|wl> oh
20:48 < krzie> you should be using tun on both, see all options starting with --dev to see how to deal with that in your specially named situation
20:49 < krzie> dev tun encapsulates layer3 and dev tap encapsulates layer2
20:49 < krzie> layer3 is IP, layer2 is ethernet
20:50 < alice|wl> it works with tun
20:51 < alice|wl> I want the openwrt to be able to add more clients
20:53 < alice|wl> so other routers can connect via openvpn to this router and to the server
20:53 < alice|wl> and route their lans ...
20:55 < alice|wl> I fail to add the tun interface to a network bridge on the openwrt ... thats why I wanted to switch to bridge
20:58 < krzie> screw a bridge
20:58 < krzie> i outline what to do in !route
20:58 < krzie> bridging is only when you need layer2, that is not a situation where you do, you just need to setup your routing right
21:13 < alice|wl> k
21:14 -!- master_of_master [i=master_o@p549D6FAB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:16 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
21:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
21:19 -!- master_of_master [i=master_o@p549D357F.dip.t-dialin.net] has joined ##openvpn
21:29 -!- Berk [n=notquite@adsl-065-013-134-238.sip.int.bellsouth.net] has quit [Read error: 110 (Connection timed out)]
21:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
21:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
22:15 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
22:47 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
23:00 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
23:17 -!- WormFood [n=wormfood@116.30.33.16] has joined ##openvpn
23:54 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
23:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
--- Day changed Sun Oct 25 2009
00:16 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Read error: 104 (Connection reset by peer)]
02:29 < krzee> !/net30
02:29 < vpnHelper> krzee: Error: "/net30" is not a valid command.
02:29 < krzee> !/30
02:29 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
02:30 < krzee> !topology
02:30 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
02:56 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
05:30 < alice|wl> nice info, thanks a log
05:31 < alice|wl> erm lot
05:32 < krzee> np, they were both in topic tho ;]
05:32 < krzee> i was just grabbing them for a post on the maillist
05:37 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
05:38 -!- Gobbla [n=Gobbla@c80-217-155-11.bredband.comhem.se] has joined ##openvpn
05:39 < Gobbla> !route
05:39 < vpnHelper> Gobbla: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
05:39 < Gobbla> !howto
05:39 < vpnHelper> Gobbla: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:52 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has joined ##openvpn
05:59 -!- Grapsus [n=grapsus@82.245.89.120] has joined ##openvpn
06:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
06:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:06 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
06:18 -!- brizly1 [n=brizly_v@p4FC98662.dip0.t-ipconnect.de] has joined ##openvpn
06:18 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:33 -!- brizly [n=brizly_v@p4FC9A32F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:38 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
07:16 < alice|wl> !topology
07:16 < vpnHelper> alice|wl: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
07:21 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
08:13 < WormFood> I thought that /30 was because of winblows....and you can do away with it, if all your clients are not winblows.....is that right, or did something change?
08:24 -!- jmp_xinu [n=jperez@ool-4579c898.dyn.optonline.net] has joined ##openvpn
08:25 < reiffert> !/30
08:25 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:25 < jmp_xinu> krzie: it is now working :)
08:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
08:28 -!- buntfalke [n=nobody@openvpn-p0-079.triple-a.uni-kl.de] has joined ##openvpn
08:32 -!- xod [n=onats@112.201.157.66] has joined ##openvpn
08:33 -!- xod is now known as onats
08:36 -!- orogor [n=orogor@htr06-1-82-227-229-118.fbx.proxad.net] has joined ##openvpn
08:36 < orogor> hi here
08:37 < ecrist> good morning
08:38 < orogor> i was looking for vpn like stuff, so maybe you guys are biased, but i was looking for setting up a private network, where we would have only 4-6 hosts at any time and with no special hosts always up
08:42 < ecrist> ok
08:42 < orogor> like, was i clear? is there a way to do that?
08:43 < ecrist> yes. OpenVPN can do that.
08:43 < orogor> basically everyone would be either client or server at one point but whichever server is up and we connect to, it gets you inside the same network
08:43 < jmp_xinu> and more...
08:44 -!- Optic [n=dfraser@miso.capybara.org] has left ##openvpn []
08:44 < orogor> is there a tutorial on that?
08:44 < ecrist> !howto
08:44 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:45 < orogor> that would be it? Implementing a load-balancing/failover configuration
08:45 < ecrist> the difficult part of load-balancing is on the network side, not the VPN configuration
08:46 < ecrist> in the client configs, you just add multiple remote lines
08:46 < orogor> yes, because after that how would that work?
08:47 < ecrist> what?
08:47 < orogor> openvpn only creates an interface with encryption, as i understood, server to server encryption to have multiple entry points, this is to be done in the general network configuration, right?
08:48 < ecrist> I apologize, but I don't understand much of what you're saying.
08:48 < orogor> haa
08:51 < jmp_xinu> orogor: if you want multiple available servers just add them to the list on the client side
08:51 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
08:52 < orogor> i think i'll need to draw a schema
08:54 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Client Quit]
09:00 < WormFood> this is a stupid question....is there any encryption available that is less cpu intensive (yes, I know, less secure)...I'm not talking about the key exchange aspect of it
09:01 < WormFood> the reason why, is because I'm trying to run openvpn on my wrt54g router, and it is sucking up too much cpu power, and it is killing my bandwidth....when I overclock it, it overheats and locks up (and is still slow)
09:12 -!- jmp10 [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
09:13 < WormFood> d'oh! I found the cipher option....anyone know offhand what ciphers would be lowest cpu intensive?
09:13 -!- jmp_xinu [n=jperez@ool-4579c898.dyn.optonline.net] has quit [Read error: 110 (Connection timed out)]
09:14 < jmp10> i use cipher AES-128-CBC
09:14 < jmp10> how to recommended
09:15 -!- jmp10 [n=jperez@ool-4579c388.dyn.optonline.net] has quit [Client Quit]
09:16 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn
09:17 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit [Client Quit]
09:20 < arcsky> i run a routed openvpn and i can't ping from my client to another subnet, do i have to put a route on my openserver or so?
09:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
09:30 < orogor> i guess i was looking for something like remobo Hamachi wippen
09:30 < orogor> just i wouldn't trust too much a third party with closed source
09:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
09:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
09:53 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
10:12 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
10:26 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
11:15 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
11:19 -!- WormFood [n=wormfood@116.30.33.16] has quit [Read error: 110 (Connection timed out)]
11:20 -!- WormFood [n=wormfood@121.15.46.195] has joined ##openvpn
11:21 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
11:28 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
11:51 < arcsky> run openvpn on udp vs tcp?
12:17 < reiffert> !tcp
12:17 < vpnHelper> reiffert: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
12:17 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
12:18 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has left ##openvpn []
12:18 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
12:24 -!- tookietookie [n=moe@timetogeek.net] has joined ##openvpn
12:25 < tookietookie> !man
12:25 < vpnHelper> tookietookie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:25 < tookietookie> !route
12:25 < vpnHelper> tookietookie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:26 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Remote closed the connection]
12:27 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
12:51 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:00 -!- tookietookie [n=moe@timetogeek.net] has left ##openvpn []
13:00 -!- tookietookie [n=moe@timetogeek.net] has joined ##openvpn
13:02 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has left ##openvpn []
13:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
13:17 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Read error: 104 (Connection reset by peer)]
13:48 -!- disco- [i=disco@andromeda.h4xed.com] has quit [Read error: 110 (Connection timed out)]
13:52 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
14:15 -!- KavanS [n=KavanS@c-71-236-202-177.hsd1.or.comcast.net] has joined ##openvpn
14:15 < KavanS> question: trying to run openvpn on a dual-wan configuration....works on 1 wan, but not the other...it is set to listen on all interfaces as seen in netstat...
14:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
14:15 < KavanS> ovpn-server[27333]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
14:15 < KavanS> ^^^ what does that mean?
14:16 < KavanS> it seems to not work on one interface, but works fine on the other :\
14:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:25 < KavanS> ahh dual wan udp has its caveats it appears
15:01 -!- disco-_ [i=disco@andromeda.h4xed.com] has joined ##openvpn
15:03 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
15:04 -!- disco-__ [i=disco@andromeda.h4xed.com] has joined ##openvpn
15:16 -!- KavanS [n=KavanS@c-71-236-202-177.hsd1.or.comcast.net] has quit ["Leaving"]
15:17 -!- disco-_ [i=disco@andromeda.h4xed.com] has quit [Read error: 110 (Connection timed out)]
15:18 -!- disco- [i=disco@andromeda.h4xed.com] has quit [Read error: 110 (Connection timed out)]
15:20 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has quit [Read error: 104 (Connection reset by peer)]
15:29 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
15:37 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has joined ##openvpn
16:00 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
16:59 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
17:11 < jean001> Hi all, I would like to make all the client network traffic go through the tunnel so I use the push-redirect-gateway and push dhcp-option directives, but it doesn't work.
17:12 < jean001> I don't understand what NAT I have to do on the server.
17:12 < jean001> my server conf : http://pastebin.com/d7861e662
17:12 < jean001> my client conf : http://pastebin.com/d481ecf03
17:12 < jean001> Thank you for your help.
17:19 < reiffert> !nat
17:19 < vpnHelper> reiffert: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
17:20 < jean001> thank you reiffert, i'm going to ree that very carefully
17:21 < jean001> read*
17:25 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
17:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
17:43 < krzie> treat the vpn network as if it were the LAN, and nat accordingly
17:44 < krzie> like it was a non-routeable lan subnet
17:44 < krzie> (because it basically is) just forget about the fact that the lan subnet is a virtual private network
17:46 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
17:47 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit [Client Quit]
18:01 -!- lifeforms [n=walter@clone.lfms.nl] has joined ##openvpn
18:02 < lifeforms> !redirect
18:02 < vpnHelper> lifeforms: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:02 < lifeforms> !def1
18:02 < vpnHelper> lifeforms: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:31 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
18:37 < lifeforms> I'm having a very hard time setting up ethernet bridging mode in FreeBSD 7, even though I've done it tens of times in the past.. did something change in FreeBSD that breaks this?
18:37 < krzie> first of all, why do you want a bridge?
18:38 < lifeforms> it would seem to me the most future-proof and config-free
18:38 < lifeforms> I'm not using IPv6 or weird non-IPv4 things now though, so I guess I'm flexible...
18:38 < krzie> and the most overhead and best way to open up your network to layer2 attacks
18:38 < krzie> ONLY use bridge when you need layer2 over the vpn
18:39 < lifeforms> ok :)
18:39 < krzie> if you dont, use tun
18:39 < krzie> !tunortap
18:39 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
18:39 < lifeforms> well that solves one problem, tun works :)
18:39 < lifeforms> however...
18:39 < lifeforms> you might not approve of what I'm aiming to do
18:39 < krzie> want the whole lan to communicate over the vpn?
18:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
18:40 < lifeforms> I want the client to be able to reach the world through my server's default gateway *ducks*
18:40 < krzie> nothing wrong with that, see !redirect
18:40 < lifeforms> or at least a /20
18:40 < krzie> !redirect
18:40 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:40 < lifeforms> okay, so I have to set up natting
18:40 < lifeforms> +?
18:40 < krzie> correct
18:40 < lifeforms> OK
18:40 < krzie> treat the vpn network as if it were the LAN, and nat accordingly
18:40 < krzie> like it was a non-routeable lan subnet
18:40 < krzie> (because it basically is) just forget about the fact that the lan
18:40 < krzie> subnet is a virtual private network
18:41 < krzie> as i told someone else very shortly before you joined
18:41 < lifeforms> I agree, hope I can get it together :)
18:41 < krzie> freebsd has a section on nat in the handbook
18:42 < krzie> !bsdnat
18:42 < vpnHelper> krzie: "bsdnat" is see !fbsdnat
18:42 < krzie> !fbsdnat
18:42 < vpnHelper> krzie: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
18:42 < lifeforms> yeah I've done it.. only have to figure out how I can get natd to use all tunX interfaces
18:42 < lifeforms> at least I'm assuming when multiple clients connect, that they each open a separate tun interface on the server?
18:43 < krzie> just act like the lan interface is tunX
18:43 < krzie> its identical to setting up any other nat
18:43 < krzie> incorrect
18:43 < krzie> always same tunX
18:43 < lifeforms> OK, great
18:43 < lifeforms> :)
18:43 < lifeforms> I was worrying about changing natd's interfaces in the client-dis/connect scripts
18:43 < krzie> assuming openvpn 2.x and --server
18:43 < lifeforms> okay great stuff :)
18:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
18:43 < lifeforms> now i can firewall the clients nicely too
18:43 < krzie> openvpn 1 used a separate tun / connection cause it only supported ptp
18:44 < krzie> yupyup
18:44 < krzie> to have client to client traffic hit the firewall, dont use --client-to-client
18:44 < krzie> !factoids search c2c
18:44 < vpnHelper> krzie: No keys matched that query.
18:44 < krzie> !factoids search client
18:44 < vpnHelper> krzie: 'someclient2client' and 'client-to-client'
18:44 < orogor> anyone ever tried remobo Hamachi or wippen?
18:44 < krzie> !someclient2client
18:44 < vpnHelper> krzie: "someclient2client" is "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario
18:44 < krzie> !client-to-client
18:45 < vpnHelper> krzie: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
18:45 < krzie> that was a bad explanation, ill re-do it
18:45 < lifeforms> oh don't bother :)
18:46 < krzie> well for others too
18:46 < lifeforms> true!
18:46 < lifeforms> !mac
18:46 < vpnHelper> lifeforms: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
18:46 < lifeforms> that bot is not bad
18:47 < krzie> coincidentally i use osx and dont use tunnelblick
18:47 < lifeforms> I stumbled upon "Viscosity"
18:47 < krzie> i just use CLI with a script to start all my vpns and a shortcut to the script in my stacks
18:47 < lifeforms> it looked great, although it completely destroyed my routing table
18:47 < krzie> so i just goto stacks and click VPNs
18:47 < krzie> i dont really like any GUIs for openvpn
18:48 < krzie> and about the bot, thx... i didnt code it but i think it helps here a lot
18:49 < orogor> any recommendation for setting up a vpn between friends, where we cannot consider that a specific computer is up all the time?
18:49 < krzie> how many friends?
18:49 < orogor> about 6
18:50 < krzie> get a VPS to act as the server
18:50 < orogor> that's why i asked about wippen before
18:50 < krzie> i can only talk about openvpn, i dont use anything else
18:50 < lifeforms> yeah get a small VPS account for a few bux a month
18:51 -!- epaphus [n=unix3@201.199.41.166] has left ##openvpn ["Leaving"]
18:52 < orogor> or openwrt on lafonera?
18:52 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
18:52 < orogor> but the hardware is very lightweight
18:52 < krzie> what?
18:52 < orogor> some 25€ stuff
18:52 < krzie> i thought you said cant consider any specific computer is up all the time, wouldnt that include routers?
18:53 < orogor> https://shop.fon.com/FonShop/shop/FR/ShopController?view=product&product=PRD-018
18:53 < krzie> are you basically saying you can assume a router at someones house will always be up?
18:54 < orogor> well i can think so
18:54 < orogor> who turns routers off?
18:54 < krzie> then you're fine running it on 1 of those
18:54 < krzie> well where i live my power goes out damn near daily, so my router isnt on 24/7...
18:55 < orogor> haa
18:55 < orogor> i have a ups
18:55 < krzie> when you said cant assume any specific computer will always be on, i include routers in how i listen to that
18:55 < krzie> i have 4 UPSs
18:55 < krzie> they only last a certain amount of time
18:55 < orogor> ouch
18:55 < orogor> well i only protect against 1sec shutdown
18:55 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:55 < orogor> the battery us worn now
18:56 < orogor> us/is
18:58 < orogor> sleep time
18:58 -!- orogor [n=orogor@htr06-1-82-227-229-118.fbx.proxad.net] has quit [Remote closed the connection]
18:58 < krzie> nite
18:59 < krzie> side-note, tomorrow i get a power inverter with 4 wet cell car batteries installed in-line
19:00 < lifeforms> that sounds good
19:07 < krzie> agreed
19:19 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
19:22 -!- Krampus [i=krampus@ozzle.org] has left ##openvpn []
19:27 -!- Grapsus [n=grapsus@82.245.89.120] has quit [Read error: 131 (Connection reset by peer)]
19:38 -!- Dukelord [i=Dukelord@89.238.166.98] has joined ##openvpn
19:39 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
19:46 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
20:06 -!- Dukelord [i=Dukelord@89.238.166.98] has quit [Read error: 110 (Connection timed out)]
20:42 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has left ##openvpn []
21:15 -!- master_of_master [i=master_o@p549D357F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:19 -!- master_of_master [i=master_o@p549D6487.dip.t-dialin.net] has joined ##openvpn
22:10 -!- hyper__ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has joined ##openvpn
22:10 -!- hyper_ch [n=hyper@adsl-62-167-58-218.adslplus.ch] has quit [Nick collision from services.]
22:24 -!- Gobbla [n=Gobbla@c80-217-155-11.bredband.comhem.se] has quit []
22:30 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
22:31 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
22:33 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
22:37 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
22:40 -!- xod [n=onats@112.201.211.116] has joined ##openvpn
22:46 -!- ErickG [n=ErickG@190.86.139.118] has joined ##openvpn
22:46 -!- xod is now known as onats
22:48 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Read error: 60 (Operation timed out)]
22:49 -!- Wowbagger [n=evaldo@evaldo.gardenali.biz] has joined ##openvpn
22:49 -!- xod_ [n=onats@112.201.211.116] has joined ##openvpn
22:49 -!- onats [n=onats@unaffiliated/onats] has quit [Nick collision from services.]
22:49 -!- xod_ is now known as onats
22:50 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
22:57 -!- Wowbagger [n=evaldo@evaldo.gardenali.biz] has quit [Client Quit]
23:21 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: theDoc
23:26 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
23:54 -!- ErickG [n=ErickG@190.86.139.118] has left ##openvpn []
--- Day changed Mon Oct 26 2009
00:30 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"]
00:32 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
01:19 -!- hyper__ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has quit [Remote closed the connection]
01:22 -!- Optic [n=dfraser@miso.capybara.org] has joined ##openvpn
01:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:41 -!- hyper_ch [n=hyper@35-137.106-92.cust.bluewin.ch] has joined ##openvpn
02:54 -!- WormFood [n=wormfood@121.15.46.195] has quit [Read error: 110 (Connection timed out)]
02:55 -!- WormFood [n=wormfood@121.15.46.195] has joined ##openvpn
03:25 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
03:53 -!- dazo|afk is now known as dazo
03:54 -!- dazo [n=nndazo@209.132.186.34] has quit [Remote closed the connection]
03:54 -!- dazo [n=nnndazo@nat/redhat/x-amwtfshmhegoqfzi] has joined ##openvpn
03:55 -!- dazo is now known as Guest98953
03:55 -!- Guest98953 is now known as dazo
04:23 -!- Argafal [i=argafal@users.tokkee.org] has joined ##openvpn
04:24 < Argafal> !howto
04:24 < vpnHelper> Argafal: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:24 < Argafal> !redirect
04:24 < vpnHelper> Argafal: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
04:26 < Argafal> yeah, that's not gonna help me with my issue... :( cause openvpn works fine anywhere except with socks-proxy. i have the exact same problem as this guy: http://www.pubbs.net/openvpn/200907/57741/ unfortunately an hour of googling didn't bring me any further.
04:26 < vpnHelper> Title: Openvpn-users - OpenVPN through SSH SOCKS proxy: TCP port read failed on recv(): Operation now in progress (errno=115) - openvpn archive (at www.pubbs.net)
04:27 < Argafal> if anyone could help me here (tunneling openvpn through socks) I would appreciate that a lot.
04:28 < arcsky> !nat
04:28 < vpnHelper> arcsky: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
04:29 < Argafal> arcsky: was that supposed for yourself or as a hint for me?
04:32 -!- xod [n=onats@112.201.211.116] has joined ##openvpn
04:32 -!- xod [n=onats@112.201.211.116] has quit [Client Quit]
04:36 < WormFood> woot! it seems that changing my encryption on openvpn allows it to give me much more bandwidth when running openvpn on my dd-wrt router :D
04:36 < reiffert> from to?
04:37 < WormFood> from china to canada
04:37 < reiffert> the encryption...
04:37 < WormFood> from the default to des-cbc
04:37 < WormFood> yes, I know, it isn't as secure
04:43 < reiffert> and "much more bandwidth" is?
04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:44 < WormFood> I can watch youtube with no delays now
04:44 < WormFood> before I'd have to pause it and wait for it to buffer, or it would stop every few seconds
04:45 < reiffert> "much more bandwidth" sounds like you were measuring it.
04:48 < krzee> lol
04:49 < WormFood> I can do some throughput measurements, but it is clearly more
04:49 < reiffert> please do so, I'm very interested.
04:49 < WormFood> no question about it...it is much more bandwidth...while I didn't actually measure numbers, if you do this enough, you get a feel for it.
04:50 < WormFood> I should make some measurements and document it
04:50 < reiffert> I'm a student of physics.
04:50 < WormFood> I'm sure the guys using openvpn on dd-wrt (or any router) would like to know about this...because the other info I've seen says to overclock, and that only helps a little, and makes my router lock up
04:51 < reiffert> so please dont tell me something about feelings for numbers but instead get some reproducible measurement and some reliable numbers to the desk.
04:53 < WormFood> I didn't say I had a feeling for numbers...I have a feeling for the bandwidth, based on experience
04:55 < krzee> can see that non-feeling for numbers thing
04:55 < krzee> would be interesting to see
04:56 < reiffert> assuming that playing a youtube video requires 10KB/s and further that you've got only 9KB/s through openvpn and after changing the cipher algo you get 11KB/s, would you still call 11 much more than 9?
04:56 < reiffert> On the other hand, how can you assure that you are connected to the same youtube server during your tests?
04:59 -!- xod [n=onats@112.201.211.116] has joined ##openvpn
04:59 -!- xod [n=onats@112.201.211.116] has quit [Read error: 104 (Connection reset by peer)]
05:00 < WormFood> I've watched enough youtube through my vpn to know what kinda bandwidth I need to watch videos without pausing....with the default encryption, I can't see any video without pausing...with the change of encryption, I can watch any video without pauses
05:00 < reiffert> and "much more bandwidth" can be translated to "11 >> 9"?
05:00 < WormFood> so....like I said, I will need to do some real tests to see exactly what kinda bandwidth I'm getting, as far as throughput, in real numbers
05:01 < WormFood> however, just changing the encryption clearly gives me more throughput
05:01 < reiffert> please go ahead, we are waiting.
05:01 < reiffert> for your results that is
05:01 < WormFood> later...I have things to do right now.
05:06 < WormFood> also, to do proper bandwidth measurements, I have to stop all other network activity, and prepare some things to get meaningful answers.
05:06 < krzee> shouldnt take long to do speedchecks when connected and not connected
05:07 < WormFood> also, it is hard to get a server that maxes out my download speed
05:08 < reiffert> more than 10KB/s?
05:37 -!- theDoc [n=hex@cataclysm.edgewire.sg] has quit ["Leaving"]
05:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:30 < Argafal> who is this buntfalke, anyway ;->
06:31 < buntfalke> ...
06:31 < Argafal> lol.
06:32 < Argafal> well. let me ask again, just cause i feel the question might be lost after the bandwidth discussion: openvpn works fine anywhere except with socks-proxy. i have the exact same problem as this guy: http://www.pubbs.net/openvpn/200907/57741/ unfortunately an hour of googling didn't bring me any further. does anyone have any hints where to continue looking?
06:32 < vpnHelper> Title: Openvpn-users - OpenVPN through SSH SOCKS proxy: TCP port read failed on recv(): Operation now in progress (errno=115) - openvpn archive (at www.pubbs.net)
06:33 < reiffert> Argafal: sounds like a great question for the mailinglist(s)
06:33 -!- brizly1 [n=brizly_v@p4FC98662.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:34 < Argafal> reiffert: i can ask there, sure. let me check, are there different ones?
06:34 < reiffert> -user and -devel
06:34 < reiffert> !lists
06:34 < vpnHelper> reiffert: Error: "lists" is not a valid command.
06:34 < reiffert> !list
06:34 < vpnHelper> reiffert: Admin, Channel, Config, Factoids, Google, Misc, Owner, Seen, Services, User, Weather, and Web
06:34 < reiffert> !factoids search mail
06:34 < vpnHelper> reiffert: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
06:35 < Argafal> not sure if that belongs to -user or -devel
06:35 -!- brizly [n=brizly_v@p4FC9867F.dip0.t-ipconnect.de] has joined ##openvpn
06:35 < Argafal> if this guy is right with his suggestion it's more a dev aspect.
06:36 < Argafal> if it is about him and me using it in the wrong way, it is user...
06:37 < reiffert> I'd go for both with more details, like system call traces from the proxy etc
06:39 * Argafal is subscribing to the lists.
06:40 < Argafal> i'm gonna put it on users first, asking for the issue to be forwarded to -dev if someone feels that's the right place. i'm not too familiar with internals of openvpn so it is probably best to search the problem on my own side ;)
06:42 < reiffert> -dev should be ok with additional infos I think.
06:43 < Argafal> well, i'm gonna read a bit of both lists and then decide.
06:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:46 < reiffert> devel is about fixing various stuff "patch" here and there and it's never about releasing 2.1 stable.
06:47 < reiffert> -user was about beginners questions and I finally decided to unsubscribe years ago
06:49 -!- Crown [n=crown@hst-151-179.telelanas.lt] has joined ##openvpn
06:49 < Crown> !redirect for sending inet traffic through server.
06:49 < vpnHelper> Crown: Error: "redirect" is not a valid command.
06:49 < Crown> !redirect
06:49 < vpnHelper> Crown: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:50 < Crown> Hi
06:50 < Crown> all
06:51 < reiffert> see !ipforward) and NAT (see !nat
06:52 < Crown> One question with "standart" config file. Why i can not ping 10.8.0.5 ip >??
06:53 < reiffert> see !/30
06:53 < Argafal> standarD...
06:53 < Argafal> *nitpick*
06:54 < Crown> default :)
06:54 < reiffert> :)
06:54 < Argafal> hehe
06:54 < Crown> i know about 30 bit mask... 0.1 and 0.2 for server
06:54 < Crown> 4 subnet >> 5,6 client IP, 7 broadcast
06:54 < reiffert> If you know already ...
06:55 < Crown> My client IP is 10.8.0.6 and it CAN ping 10.8.0.1, but not 10.8.0.5
06:55 < Crown> and there is no Route for 10.8.0.1
06:55 -!- WormFood [n=wormfood@121.15.46.195] has quit [Read error: 60 (Operation timed out)]
06:56 < Crown> i mean no specific route
06:56 < reiffert> of course there is.
06:56 -!- WormFood [n=wormfood@121.15.46.195] has joined ##openvpn
06:56 < Crown> Route print: 10.8.0.1 10.8.0.5
06:56 < reiffert> 10.8.0.1/32 10.8.0.5 UGSc 0 0 tun0
06:56 < Crown> but 10.8.0.5 is NOT accessible
06:56 < reiffert> it doesnt respond to ping.
06:57 < reiffert> 10.8.0.5 10.8.0.6 UH 6 0 tun0
06:58 < Crown> hmm, but when i try to redirect traffic through 10.8.0.5, no results
06:58 < Crown> i thought because of inaccessibility of 10.8.0.5 :(
06:58 < Crown> pings just go nowhere
06:59 < reiffert> look, there is a route how to get to 0.5:
06:59 < reiffert> 10.8.0.5 10.8.0.6 UH 6 0 tun0
07:00 < reiffert> so 0.5 does not respond to ping. accept it or die.
07:00 < Crown> Is this client side >? If yes, I do not have such route
07:01 < reiffert> this is client side, sitting on OS X
07:02 < reiffert> Please paste your routing table (client side)
07:02 < reiffert> to pastebin.com
07:03 < Crown> have done this
07:04 < reiffert> and your URL is?
07:04 < Crown> http://pastebin.com/m35975b84
07:05 < reiffert> Interesting, what is .4 doing there?
07:05 < Crown> I just thought of recent post section :)
07:05 < Crown> hmm 4 is network address
07:06 < reiffert> then you've finally answered your question yourself.
07:06 < reiffert> 5 is part of the 4 network.
07:06 < reiffert> :)
07:06 < Crown> very simple:) but why redirect not working
07:06 < Crown> i should send all traffic to 0.5
07:06 < Crown> and no reaction
07:07 < reiffert> call traceroute.
07:07 < reiffert> traceroute 10.8.0.1
07:08 < reiffert> tracert on win
07:08 < Crown> Result is that i am truly sending to 0.5 but then no response
07:08 < reiffert> Crown: same here, as I said before, accept || fail.
07:09 < Crown> hmm where should i change these variables >?
07:09 < Crown> tracert www.openvpn.net :
07:09 < reiffert> like I said before, read about !/30
07:09 < Crown> 10.8.0.1 is getting
07:09 < Crown> !30
07:09 < vpnHelper> Crown: Error: "30" is not a valid command.
07:09 < Crown> !/30
07:09 < vpnHelper> Crown: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
07:10 < reiffert> and be sure to read the very last word in the sentence.
07:11 < reiffert> the word starting with !topo
07:12 < Crown> !topo
07:12 < vpnHelper> Crown: Error: "topo" is not a valid command.
07:12 < Crown> !/topo
07:12 < vpnHelper> Crown: Error: "/topo" is not a valid command.
07:12 < Crown> !topology
07:12 < vpnHelper> Crown: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
07:14 < reiffert> and be sure to use openvpn-2.1rcXX with XX > 15
07:14 < Crown> i have the latest.
07:14 < Crown> and topology "section" gives a little bit more information :)
07:14 < Crown> i SHOULD read this one carefully :)
07:15 < reiffert> or pay someone.
07:15 < Crown> i'm just studying for my own..
07:15 < Crown> like student :)
07:25 < Crown> topology subnet directive solving dhcp and subnetting problems. my client got 10.8.0.2 ip address
07:25 < Crown> and default-gateway is now 10.8.0.1
07:25 < Crown> butttt, no redirection by the way
07:25 < Crown> the same problem
07:25 -!- Dukelord [n=brenwill@89.238.166.98] has joined ##openvpn
07:26 < Dukelord> is it possible for my ISP to block all UDP ports?
07:26 < Crown> much more possible, that your firewall does it :)
07:26 < Crown> check your IP address class...
07:27 < Crown> is it PUBLIC available
07:27 < Dukelord> yes, i am behind a firewall
07:27 < Dukelord> Ip address class?
07:27 < Dukelord> PUBLIC?
07:27 < Crown> turn it off and check result, if so hands on configuring
07:29 < Crown> !redirect
07:29 < vpnHelper> Crown: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:29 < Crown> !nat
07:29 < vpnHelper> Crown: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
07:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
07:34 -!- Dukelord [n=brenwill@89.238.166.98] has quit [Read error: 54 (Connection reset by peer)]
07:34 -!- Dukelord [i=Dukelord@89.238.166.98] has joined ##openvpn
07:43 < Crown> Whualiaaa, i made it, there was a problem with nat :)
07:43 < Crown> :)
07:44 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
07:45 < Crown> reiffert THANK you
07:45 -!- Anodl [n=Arnold@p54A7AF37.dip0.t-ipconnect.de] has joined ##openvpn
07:59 < reiffert> I didnt do anything.
07:59 < reiffert> yw
08:01 < Crown> One way is to know WHERE to go
08:01 < Crown> And other is to know how to get there..
08:02 < Crown> !\30 and topology + nat did it
08:02 < vpnHelper> Crown: Error: "\30" is not a valid command.
08:07 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has joined ##openvpn
08:15 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
08:17 -!- Igor_AKA_Warrior [n=igor@65.215.13.196] has joined ##openvpn
08:18 < Igor_AKA_Warrior> hello guys, is there anyone here?
08:19 -!- bandini [n=bandini@host54-24-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
08:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:20 < reiffert> Igor_AKA_Warrior: no, we've left for #ubuntu
08:21 < Igor_AKA_Warrior> :) ... I have a slight issue .... openvpn server <-> multi-client setup
08:21 < Igor_AKA_Warrior> a client can communicate with the server fine; 172.16.1.134 <-> 172.16.1.133
08:22 < Igor_AKA_Warrior> but when I am trying to get a machine from the server's network to communicate with this client, it fails
08:23 < Igor_AKA_Warrior> the server is set up to NAT/route traffic for 172.16.1.134, and it works... I see it in tcpdump... the traffic leaves fine
08:23 < Igor_AKA_Warrior> just nothing comes back :(:(:(
08:24 < Igor_AKA_Warrior> any ideas dear openvpn experts?
08:25 < Igor_AKA_Warrior> this is a tcpdump trace when the server itself contacts the client:
08:25 < Igor_AKA_Warrior> [root@millbasin ~]# 09:14:24.814309 IP 172.16.1.134.4899 > 172.16.1.133.56593: S 1712422599:1712422599(0) ack 2533602349 win 16416
08:25 < Igor_AKA_Warrior> 09:14:24.814399 IP 172.16.1.133.56593 > 172.16.1.134.4899: . ack 1 win 33222
08:26 -!- bandini [n=bandini@79.20.24.54] has joined ##openvpn
08:26 < Igor_AKA_Warrior> this is a trace when a machine sends traffic:
08:26 < Igor_AKA_Warrior> [root@millbasin ~]# 09:14:53.559406 IP 172.16.1.133.1225 > 172.16.1.134.4899: S 3592333937:3592333937(0) win 65535
08:26 < Igor_AKA_Warrior> 09:14:56.561294 IP 172.16.1.133.1225 > 172.16.1.134.4899: S 3592333937:3592333937(0) win 65535
08:32 < reiffert> read:
08:32 < reiffert> !route
08:32 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:33 < reiffert> and read
08:33 < reiffert> !firewall
08:33 < vpnHelper> reiffert: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
08:34 < Igor_AKA_Warrior> firewall is off... server side is FBSD... using ipnat.... ipf is off.... Windows side firewall is off
08:35 < Igor_AKA_Warrior> route i checked last time...
08:35 < Igor_AKA_Warrior> maybe there is something i am missing
08:35 < Igor_AKA_Warrior> !route
08:35 < vpnHelper> Igor_AKA_Warrior: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:41 -!- carpe_ is now known as plaerzen
08:42 < reiffert> openvpn version?
08:42 < Igor_AKA_Warrior> OpenVPN 2.0.6 i386-portbld-freebsd6.3 [SSL] [LZO] built on Sep 1 2009
08:42 < Igor_AKA_Warrior> Developed by James Yonan
08:42 < Igor_AKA_Warrior> Copyright (C) 2002-2005 OpenVPN Solutions LLC
08:43 < reiffert> ok, get a recent openvpn version.
08:43 < reiffert> 2.1rc20
08:43 < Igor_AKA_Warrior> this one is too old?
08:43 < reiffert> yes.
08:43 < Igor_AKA_Warrior> ok
08:43 < reiffert> there should be a recent version in ports
08:43 < reiffert> at least 2.1rc15 IIRC
08:44 < Igor_AKA_Warrior> thanks, I'll try
08:44 < reiffert> same goes out for windows.
08:44 < reiffert> see !/30 and !topology as well, when windows is involved.
08:44 < Igor_AKA_Warrior> right... it only wants to use certain subnets, right?
08:45 < reiffert> in ports: openvpn-devel-2.1.r20
08:45 < reiffert> windows pretends on /30 subnets, more details:
08:45 < reiffert> !/30
08:45 < vpnHelper> reiffert: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
08:45 < reiffert> !topology
08:45 < vpnHelper> reiffert: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
08:45 < reiffert> next.
08:46 < Igor_AKA_Warrior> ok, thank you... I will check
08:46 < reiffert> yw
08:46 < Igor_AKA_Warrior> quick question... my setup is a bit messed up, as the networks on both sides happen to be the same - thanks linksys (and I can't change them)
08:47 < reiffert> bridged setup?
08:47 < Igor_AKA_Warrior> I am trying to avoid this, by defining virtual lan's
08:47 < Igor_AKA_Warrior> this would work better?
08:47 < reiffert> no. routed setup is better.
08:47 < reiffert> always.
08:48 < Igor_AKA_Warrior> what I am doing, is defining virtual networks on the router endpoints, and defining rules for routing/NAT'ing them across the tunnel
08:48 < Igor_AKA_Warrior> to avoid the problem
08:48 < Igor_AKA_Warrior> this should work, right?
08:52 -!- WormFood [n=wormfood@121.15.46.195] has quit [Read error: 60 (Operation timed out)]
08:53 < Igor_AKA_Warrior> if I confused you, don't worry :) I'll try it out
08:53 -!- WormFood [n=wormfood@121.15.46.195] has joined ##openvpn
08:53 < Igor_AKA_Warrior> thank you guys, I am a happy openvpn user since 2004 and I love this channel
08:54 < reiffert> but you said:
08:54 < reiffert> "the networks on both sides happen to be the same"
08:54 < Igor_AKA_Warrior> yeah
08:54 < reiffert> which means routing and net does not apply for you.
08:55 < reiffert> s,net,nat,
08:56 < Igor_AKA_Warrior> well, at least in theory, if I define a route on a machine on network A, which says PC 172.16.1.134 is reachable through router A, and router A has appropriate SNAT/routing rules, it should work
08:57 < Igor_AKA_Warrior> complicated and not fun... but accomplishes the task
09:08 < Dukelord> how can i detect open udp ports on my isp? most udp ports are blocked. isp has firewall
09:10 < reiffert> Dukelord: try udp/53 and udp/123
09:11 < reiffert> else use a port scanner like nmap
09:12 < Bushmills> try tcp 443 if the others don't work
09:15 < Dukelord> how do i use nmap to scan for open udp ports?
09:15 < Dukelord> @Bushmills, tcp too slow for download thru vpn server
09:16 < Bushmills> that's last resort. still better than no connection at all.
09:18 < Dukelord> i'm currently on tcp 53
09:24 < Dukelord> how to use nmap to scan for open udp port on isp. isp has firewall
09:25 < Dukelord> ??
09:26 < reiffert> -sU
09:34 -!- Crown [n=crown@hst-151-179.telelanas.lt] has quit [Read error: 113 (No route to host)]
09:34 < ecrist> good morning
09:34 < ecrist> Dukelord: man nmap
09:34 < Igor_AKA_Warrior> open inbound or open outbound UDP ports?
09:35 < Igor_AKA_Warrior> for inbound, I suggest to run Netcat on some chosen port, and on the remote box use nmap
09:37 < Igor_AKA_Warrior> nc -lu 1234
09:39 < Igor_AKA_Warrior> nmap -sU destination_IP/32 -p U:1234
09:40 -!- Oreva [i=Dukelord@89.238.166.98] has joined ##openvpn
09:40 < Oreva> how to use nmap to scan for open udp port on isp. isp has firewall??
09:40 -!- Dukelord [i=Dukelord@89.238.166.98] has quit [Read error: 131 (Connection reset by peer)]
09:41 < Igor_AKA_Warrior> nmap -sU -P0 -T Insane ip_range/mask_or_ip/32
09:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:58 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
09:59 -!- Oreva [i=Dukelord@89.238.166.98] has quit []
10:02 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
10:05 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
10:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
10:20 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
10:22 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:23 -!- xod [n=onats@112.201.211.116] has joined ##openvpn
10:23 -!- xod is now known as onats
10:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
10:37 -!- hyper_ch [n=hyper@35-137.106-92.cust.bluewin.ch] has quit [Remote closed the connection]
10:47 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
11:05 -!- WormFood [n=wormfood@121.15.46.195] has quit [Read error: 60 (Operation timed out)]
11:17 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:19 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
11:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:29 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:42 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)]
11:43 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
11:49 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:51 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:54 < Igor_AKA_Warrior> reiffert, any idea, what do I set up in my ccd config now? I had ifconfig-push 172.16.1.134 172.16.1.133 before, but now with subnet topology, I have ifconfig-push 172.16.1.131 172.16.1.129 which does not seem to be working
11:54 < Igor_AKA_Warrior> 172.16.1.129 is my main server ip
11:55 < Igor_AKA_Warrior> can't ping the client, although the client connects fine, and receives the config fine according to the openvpn logs
12:05 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)]
12:05 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
12:06 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
12:07 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"]
12:10 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn
12:15 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has joined ##openvpn
12:15 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"]
12:16 -!- jeiworth [n=jeiworth@189.210.61.164] has joined ##openvpn
12:27 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn
12:27 -!- Rienzilla [i=rien@sinas.rename-it.nl] has quit ["ayee"]
12:44 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
12:45 -!- glguy [n=eric@pdpc/supporter/professional/glguy] has joined ##openvpn
12:53 < glguy> I have an openvpn connection for packets to 192.168.1.0/24, is the best way to *require* that the packets only leave my computer for that network via openvpn to use an iptables rule?
12:53 < glguy> (I don't want them to leak out to the gateway if openvpn goes down or if I forget to start it)
12:54 < glguy> (Linux-2.6)
13:10 -!- deweynaut [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
13:13 -!- deweynaut is now known as dotehdew
13:14 -!- dotehdew is now known as dewey_
13:21 -!- dewey_ [n=dewey@chello080109146125.tirol.surfer.at] has quit []
13:30 < todd_dsm> hey all, does anyone know of some way to get the native xp vpn client to speak ssl to openvpn? Are there docs out there, software add-ons? Thanks in advance - TT
13:30 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)]
13:30 -!- deweynaut [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
13:30 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
13:42 -!- dollabill [n=mike@97.66.26.10] has quit []
13:43 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
13:44 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
13:44 < MrPockets> hey friends
13:45 < MrPockets> Trying to connect to OpenVPN server that's in production. Copy a client.ovpn config file from another WORKING client, make a client9.ca and key9.key that aren't being used, and try to connect with them.
13:45 < MrPockets> i'm getting the "WARNING: No server certificate
13:45 < MrPockets> verification method has been enabled. See
13:45 < MrPockets> http://openvpn.net/howto.html#mitm for more info."
13:50 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
13:51 -!- Anodl [n=Arnold@p54A7AF37.dip0.t-ipconnect.de] has quit [Client Quit]
14:12 -!- KaiForce [n=chatzill@adsl-70-228-104-238.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.3/20090824101458]"]
14:17 -!- MrPockets [n=Jimmy@unaffiliated/mrpockets] has quit ["Has he quit, or has he simply become sneekier?..."]
14:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:50 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:50 < arcsky> the default gw for a vpn client is that the tun0 ip ?
14:51 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- dazo is now known as dazo|afk
14:58 < Igor_AKA_Warrior> arcsky - if setup with topology subnet, yes... otherwise, whatever gw is setup for that particular client... see !/30 and !topology
14:58 < Igor_AKA_Warrior> reiffert, are you there?
14:59 < Igor_AKA_Warrior> I updated my openvpn, setup the stuff with topology subnet, but my original problem still remains
15:01 < Igor_AKA_Warrior> my client still does not respond to packets routed/NAT'ed by the server from its network
15:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:03 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 113 (No route to host)]
15:04 -!- deweynaut is now known as dewey
15:07 < arcsky> !topology
15:07 < vpnHelper> arcsky: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
15:12 -!- jean001 [n=chatzill@92.156.51.253] has joined ##openvpn
15:13 < jean001> !nat
15:13 < vpnHelper> jean001: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
15:20 -!- jeiworth [n=jeiworth@189.210.61.164] has quit [Read error: 110 (Connection timed out)]
15:24 -!- jean001_ [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
15:24 -!- jean001 [n=chatzill@92.156.51.253] has quit [Read error: 131 (Connection reset by peer)]
15:24 -!- jean001_ is now known as jean001
15:25 < Igor_AKA_Warrior> !fbsdnat
15:25 < vpnHelper> Igor_AKA_Warrior: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
15:31 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn
15:32 -!- treats [n=treats@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has joined ##openvpn
15:33 < treats> is there a default gateway automatically set with openvpn
15:36 -!- c64zottel [n=hans@62-12-235-076.pool.cyberlink.ch] has quit [Read error: 110 (Connection timed out)]
15:38 -!- c64zottel [n=hans@62-12-255-203.pool.cyberlink.ch] has joined ##openvpn
15:38 -!- treats [n=treats@173-14-131-35-NewEngland.hfc.comcastbusiness.net] has left ##openvpn []
15:42 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 145 (Connection timed out)]
15:44 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)]
15:44 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
15:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
15:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:48 < jean001> Hi all, I would like to redirect all the client network traffic through the tunnel,
15:48 < jean001> I have carefully read the doc but I don't understand how to do the nat on the server side (windows), Do I have to add nat rules on the server's default gateway ?
15:49 < jean001> My server conf : http://pastebin.com/d3f5a918 and my client conf : http://pastebin.com/d262a7ef9
15:49 < jean001> Thank you for your help.
15:56 < krzie> !winnat
15:56 < vpnHelper> krzie: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
15:57 < krzie> the nat rules can be on either the server or the servers default gateway
15:57 < krzie> usually the server is directly connected to the inet for what you're talking about, so its a moot point
15:58 < krzie> but if the server is behind a nat, you can NAT the vpn subnet at either point
15:58 < jean001> hi krzie, thank you to help me again
15:59 < krzie> yw
16:03 < reiffert> http://reverse.lostrealm.com/protect/ldd.html
16:03 < vpnHelper> Title: ldd (at reverse.lostrealm.com)
16:05 < arcsky> i got problem 2 vpn clients cant ping each other, what info do you wanna see ?
16:09 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:14 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
16:15 -!- gilos123 [i=cee65482@gateway/web/freenode/x-hchbsqnjkidnoghp] has joined ##openvpn
16:24 -!- jean001_ [n=chatzill@92.156.51.253] has joined ##openvpn
16:24 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
16:24 -!- jean001_ is now known as jean001
16:27 -!- jean001 [n=chatzill@92.156.51.253] has quit [Read error: 131 (Connection reset by peer)]
16:27 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
16:40 < gilos123> are there any IRC channels specifically for tun/tap application?
16:52 -!- Optic [n=dfraser@miso.capybara.org] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"]
16:53 < plaerzen> gilos123, perhaps ##openvpn ?
16:53 < plaerzen> oops
16:54 < plaerzen> wrong channel
16:54 < plaerzen> sorry
16:54 < gilos123> that's why I asked here.. didn't know if there were any tun/tap windows experts here.
17:11 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
17:12 -!- jean001_ [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
17:13 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
17:13 -!- jean001_ [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
17:14 -!- crayon [n=crayon@94.75.222.181] has joined ##openvpn
17:14 < crayon> hi
17:14 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
17:14 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has joined ##openvpn
17:15 < crayon> so if im using openvpn and using another service like opendns, will the traffic go through the vpn or will my isp resolve it?
17:39 -!- jean001 [n=chatzill@APoitiers-552-1-100-253.w92-156.abo.wanadoo.fr] has quit [Read error: 110 (Connection timed out)]
17:45 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit []
17:48 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
18:06 < krzie> depends on your settings
18:07 < krzie> if you redirect-gateway * goes over vpn
18:07 < krzie> if not, only vpn traffic goes over vpn
18:07 < krzie> and the route command can selectively override either of those
18:09 < crayon> could you elaborate on your last line please
18:09 < reiffert> push "route cnn.com"
18:09 < reiffert> traffic to cnn.com goes over the tunnel
18:09 < reiffert> if cnn.com resolves to a single ip address. of course.
18:10 < crayon> ?????
18:11 < crayon> none of that made any sense
18:11 < reiffert> from the beginning I guess?
18:12 < crayon> ?
18:12 < crayon> yes
18:12 < reiffert> you can use the "route" command to have additional traffic directed to hosts and subnets go over the tunnel
18:12 < reiffert> ah well, let me rephrase.
18:13 < reiffert> you can use the "route" command to make particular traffic travel over the tunnel.
18:14 < crayon> how do i use commands while using ovpn files
18:15 < reiffert> push "route 10.66.0.0 255.255.255.0"
18:16 < reiffert> will make traffic directed to the 10.66.0.0/24 subnet travel over the tunnel.
18:16 < reiffert> easy, eh?
18:16 < crayon> whats subnet?
18:17 < reiffert> a subnet is a range of ip addresses.
18:17 < glguy> \:-|
18:18 < crayon> is it 10.66.0.0 to 10.66.0.24 ?
18:18 < glguy> 10.66.0.0-10.66.0.255. the 24 refers to the number of bits
18:19 < crayon> :(
18:19 < reiffert> /24 means the same as 255.255.255.0 which is 10.66.0.0 - 10.66.0.255
18:19 < glguy> 255.255.255.0 is 11111111.11111111.11111111.00000000 (24 ones in binary)
18:20 < reiffert> or 32 - 8, where the 8 is used in 2**8 which is 2^8 in another notation, or 256 ip addresses.
18:20 < crayon> could someone tell me how to route my dns through openvpn?
18:22 < reiffert> crayon: whats the ip address of your nameserver?
18:22 < crayon> the nameserver i want to use?
18:23 < reiffert> yeah
18:23 < crayon> i dont know. let me check, 3-4 minutes.
18:23 < reiffert> however, let it be 1.2.3.4
18:24 < reiffert> push "route 1.2.3.4 255.255.255.255"
18:24 < reiffert> put that into your server.conf or put
18:24 < reiffert> route 1.2.3.4 255.255.255.255 in your client conf.
18:24 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has joined ##openvpn
18:24 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has left ##openvpn []
18:27 < crayon> what do you want me to do, reiffert ?
18:28 < crayon> or what do i need to do?
18:29 < reiffert> crayon: send all your money to my paypal account
18:29 < crayon> lol
18:33 < crayon> hello?
18:34 < crayon> can anyone please help me?
18:38 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has joined ##openvpn
18:43 < crayon> reiffert: can you please help
18:45 < reiffert> let me help myself first.
18:46 < Bushmills> crayon: please describe in a few lines (2 or 3), what you *do* know about networking (esp. routing)
18:46 < glguy> crayon, it seems like reiffert told you the solution and then that you ignored it
18:47 < glguy> simply rereading the chat log might answer your questions
18:47 < reiffert> Bushmills: better add "one" as an option..
18:50 < crayon> im sorry i reread his answer but still don't understand it
18:51 < krzie> whats subnet?
18:51 < krzie> thats when you know you have not gained enough networking experience to be managing a VPN
18:52 < crayon> im not managing a vpn
18:52 < krzie> so your questions are for a research project?
18:52 < crayon> no
18:54 < crayon> im subscribing to a vpn service
18:54 < crayon> it says my OS has this one problem with openvpn
18:54 < krzie> they should send you a config file
18:54 < krzie> what is your OS?
18:54 < crayon> that it continues to send dns queries to my ISP
18:55 < krzie> windows?
18:55 < crayon> they did send a config file
18:55 < crayon> ubuntu
18:55 < krzie> they should also have sent you a client-side script
18:55 < krzie> thats not a "problem" its just how things work, then you use a script to grab the dhcp-option and use it in your resolv.conf
18:56 < crayon> how does that work
18:56 < krzie> !pushdns
18:56 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
18:57 < krzie> read the whole thread from #2
18:59 < crayon> krzie: the title is "push multiple dns servers"
19:01 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:03 * Bushmills thinks running your own recursive DNS, or one using an upstream DNS, is an elegant way to avoid many DNS-related problems
19:06 < crayon> krzie: im afraid article 2 is a bit too advanced. its concerning pushing multiple DNS servers, but I cant even do one yet
19:07 < crayon> hello!
19:08 < reiffert> hi crayon, how are you?
19:09 < crayon> reiffert: good thanks, and you? what do you think of the 2nd thread vpnhelper gave
19:09 < glguy> Wow, openvpn is super-trendy. A twitter feed?
19:10 < crayon> the vone krzie told me to read
19:10 < crayon> one*
19:10 < glguy> crayon: it sounds like the simplest solution is to call tech-support of the company you are getting VPN access through
19:12 < crayon> they're not responding to me ever since I told them I would give them bad reviews all over the net for not telling me about this DNS flaw
19:12 < reiffert> crayon: dunno, I dont trust krzie very much, he always tells bullshit.
19:13 < reiffert> to be honest ecrist should be your man
19:13 < reiffert> ask him.
19:14 < Bushmills> don't listen to reiffert. all he does is "read this" or "ask there"
19:14 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has quit [Read error: 104 (Connection reset by peer)]
19:14 < glguy> Did you try turning it off and on again?
19:15 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has joined ##openvpn
19:15 < crayon> now all i need is glguy to tell me not to listen to Bushmills to make me thoroughly confounded
19:15 < Bushmills> yes, he always says so
19:16 < glguy> you aren't thoroughly confounded?
19:16 < reiffert> :)
19:17 < crayon> turning what off and on again?
19:18 < crayon> Bushmills: do you troll noobs all day long?
19:19 < Bushmills> no. i have my sleep phases in between
19:19 < crayon> who supports you?
19:23 < crayon> krzie: im afraid article 2 is a bit too advanced. its concerning pushing multiple DNS servers, but I cant even do one yet
19:27 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:27 -!- glguy [n=eric@pdpc/supporter/professional/glguy] has left ##openvpn ["have fun"]
19:27 -!- jean001 [n=chatzill@APoitiers-552-1-26-163.w86-217.abo.wanadoo.fr] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"]
19:38 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)]
19:38 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn
19:40 < krzie> lol reiffert
19:40 < krzie> oh and crayon dont listen to Bushmills
19:41 < Bushmills> luckily reiffert told him to not trust you :)
19:41 < crayon> you have to be out of the loop
19:42 < crayon> whoops that has a different meaning
19:42 < crayon> i meant out of the circle
19:43 < crayon> for me to take your word seriously
19:43 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Read error: 110 (Connection timed out)]
19:43 -!- todd_dsm [n=todd_dsm@66.43.220.149] has left ##openvpn ["Leaving"]
19:47 < crayon> Bushmills: im doing a survey on stupid Germans.
19:47 < crayon> what is 1 + 1 ?
19:50 -!- crayon [n=crayon@94.75.222.181] has left ##openvpn ["Leaving"]
19:51 < Bushmills> did he expect that I'd do his homework?
19:53 < reiffert> he can read domain names ...
19:54 < Bushmills> i wonder what his survey would have been, had I still used the French bouncer instead :)
19:55 < reiffert> however, bed is calling
19:55 < reiffert> n8
19:55 < Bushmills> again?
19:55 < Bushmills> you said so 25 min ago
20:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
20:04 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:23 < krzie> sorry bush i didnt see him said that or i woulda banned
20:24 < krzie> s/said/say/
20:28 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:33 < Bushmills> don't bother
20:33 < Bushmills> probably just meant to provoke a thoughtless reaction
20:34 < krzie> yup
20:44 < Bushmills> I suppose that if he thinks I was trolling him, it is his right to try the same on me.
20:49 < krzie> good point
20:50 < krzie> he still woulda been banned tho
20:50 < krzie> lol
21:15 -!- master_of_master [i=master_o@p549D6487.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- hads [n=hads@argon.nice.net.nz] has joined ##openvpn
21:19 -!- master_of_master [i=master_o@p549D62B3.dip.t-dialin.net] has joined ##openvpn
21:19 < hads> !route
21:19 < vpnHelper> hads: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:19 < hads> !logs
21:19 -!- tjz [n=tjz@bb121-6-135-22.singnet.com.sg] has joined ##openvpn
21:19 < vpnHelper> hads: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
21:27 < hads> Any ideas why I would be able to ping from LAN behind OpenVPN server to clients but from clients can only ping to the server or gateway but not the LAN?
21:27 < hads> It works if I add a static route to a LAN host and then try so obviously something to do with routing but why then would I be able to ping from any LAN host without a static route to a VPN client.
21:32 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 21:34 -!- xod [n=onats@112.201.211.116] has joined ##openvpn 22:16 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: krzie, dazo|afk, Igor_AKA_Warrior, drue, Argafal, Rolybrau, vpnHelper, jfkw, sno, brizly, (+12 more, use /NETSPLIT to show all of them) 22:20 -!- master_of_master [i=master_o@p549D62B3.dip.t-dialin.net] has joined ##openvpn 22:20 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 22:20 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 22:20 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 22:20 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn 22:20 -!- Igor_AKA_Warrior [n=igor@65.215.13.196] has joined ##openvpn 22:20 -!- brizly [n=brizly_v@p4FC9867F.dip0.t-ipconnect.de] has joined ##openvpn 22:20 -!- Argafal [i=argafal@users.tokkee.org] has joined ##openvpn 22:20 -!- dazo|afk [n=nnndazo@nat/redhat/x-amwtfshmhegoqfzi] has joined ##openvpn 22:20 -!- disco-__ [i=disco@andromeda.h4xed.com] has joined ##openvpn 22:20 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn 22:20 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 22:20 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 22:20 -!- zamba [i=marius@flage.org] has joined ##openvpn 22:20 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn 22:20 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has joined ##openvpn 22:20 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 22:20 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 22:20 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn 22:20 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 22:20 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn 22:20 -!- dazo|afk [n=nnndazo@nat/redhat/x-amwtfshmhegoqfzi] has quit ["Getting off stoned server - dircproxy 1.2.0"] 22:20 
-!- dazo|afk [n=nnnndazo@nat/redhat/session] has joined ##openvpn 22:23 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn 22:24 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 22:24 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 22:34 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 22:51 -!- ErickG [n=ErickG@190.87.255.112] has joined ##openvpn 22:56 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:31 -!- ErickG [n=ErickG@190.87.255.112] has left ##openvpn [] 23:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Tue Oct 27 2009 00:02 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: odonata, hyper_ch, eliasp, IcyPolecat, HardDisk_WP, rawDawg, Bushmills, arcsky, tjz, MadTBone_, (+1 more, use /NETSPLIT to show all of them) 00:02 -!- Netsplit over, joins: HardDisk_WP, tjz, rawDawg, MadTBone_, hyper_ch, Bushmills, IcyPolecat, arcsky, odonata, eliasp (+1 more) 01:14 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has quit [Remote closed the connection] 01:26 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 01:59 -!- mikeones [n=mythtv@adsl-76-236-210-211.dsl.rcsntx.sbcglobal.net] has joined ##openvpn 01:59 < mikeones> !configs 01:59 < vpnHelper> mikeones: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:05 -!- hyper_ch [n=hyper@37-13.107-92.cust.bluewin.ch] has joined ##openvpn 02:06 < mikeones> hello, when setting up openvpn in failover configuration, I know I should have a different virtual IP address pool for each server, but do the LAN addresses for each server need to be the same?
I have iptables POSTROUTING set up and I push out a route to the local LAN that the server's ethernet NIC is on so traffic can be forwarded along. 02:27 -!- dazo|afk is now known as dazo 02:37 < dazo> http://i.imgur.com/prFIq.jpg ... best screen shot .... at least for this week :-P 02:45 -!- tjz2 [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn 02:46 < endre> ahahh 02:50 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 02:51 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 02:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 03:03 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)] 03:09 -!- mikeones [n=mythtv@adsl-76-236-210-211.dsl.rcsntx.sbcglobal.net] has quit ["leaving"] 03:43 -!- mikeones [n=mikeones@pool-71-252-209-129.dllstx.fios.verizon.net] has joined ##openvpn 04:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:19 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 04:20 -!- colclough [n=cokes@87.198.213.218] has joined ##openvpn 04:54 -!- Dovid [n=annon@tony09-118-62.inter.net.il] has joined ##openvpn 04:58 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 04:59 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 05:08 -!- vaq [n=c99@83.136.90.2] has joined ##openvpn 05:10 < vaq> Hello, I've successfully configured my OpenVPN server and clients are able to connect and retrieve a local IP (10.20.2.xxx); tun0 on the server is 10.20.2.1..
How do I enable the clients to contact the real network that the OpenVPN server is connected to, which is 10.20.1.xxx 05:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 05:14 < endre> set up some routing on the server 05:15 < vaq> how 05:17 < endre> http://lartc.org/howto/ 05:17 < vpnHelper> Title: Linux Advanced Routing & Traffic Control HOWTO (at lartc.org) 05:19 < vaq> If I use bridging and tap instead of tun I can get it on the same subnet, however I'm not able to ping the server, only the client's IP itself. 05:19 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:19 < vaq> And I have "client-to-client" within openvpn.conf 05:24 < vaq> I can't ping 10.20.1.200 from the server 05:24 < hads> Check the topic too. 05:25 < vaq> This is my server cfg: http://www.pastebin.ca/1644908 05:26 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 05:27 < vaq> So the first client gets assigned 10.20.1.200, however he is unable to ping the server's IP address 10.20.1.3 05:27 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 05:29 < vaq> What am I missing hads ?
05:37 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:44 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 05:45 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 05:46 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 06:02 -!- hyper_ch [n=hyper@37-13.107-92.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 06:33 -!- brizly [n=brizly_v@p4FC9867F.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:35 -!- brizly [n=brizly_v@p4FC983D2.dip0.t-ipconnect.de] has joined ##openvpn 06:36 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:43 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 06:53 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has joined ##openvpn 06:54 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 06:54 -!- WormFood [n=wormfood@121.35.146.24] has joined ##openvpn 07:39 < ecrist> good morning 08:05 < Igor_AKA_Warrior> good morning 08:06 < Igor_AKA_Warrior> guys, would someone please be able to assist me with yesterday's problem? 
I updated both my Windows and my FBSD server to openvpn 2.1, but a box from the server's side still can't reach the client :(:( 08:06 -!- bandinia [n=bandini@host129-106-dynamic.10-79-r.retail.telecomitalia.it] has joined ##openvpn 08:07 < Igor_AKA_Warrior> the only thing I accomplished, which is nice, is that I don't have separate /30 subnets anymore 08:11 -!- bandini [n=bandini@79.20.24.54] has quit [Read error: 145 (Connection timed out)] 08:12 < Igor_AKA_Warrior> no firewall; the server can reach the client on RDP (3389) fine, but a machine on the server's side cannot reach the client, even though its packets are routed and NAT'ed correctly as seen by tcpdump 08:12 < Igor_AKA_Warrior> the packets are simply never replied to :( 08:15 -!- Optic [n=dfraser@67.205.74.218] has joined ##openvpn 08:17 < Optic> mooo 08:19 < ecrist> !configs 08:19 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 08:20 < Igor_AKA_Warrior> ok, thanks, please don't run away :) 08:20 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 08:21 -!- scott9876 [n=scott987@faupat7.partners.org] has joined ##openvpn 08:23 < Igor_AKA_Warrior> http://pastebin.com/d18e3a3f2 - openvpn.conf - server 08:28 < Igor_AKA_Warrior> http://pastebin.com/d52aad84e - client 08:28 < Igor_AKA_Warrior> ccd/ 08:29 < Igor_AKA_Warrior> ifconfig-push 172.16.1.131 255.255.255.224 08:29 < Igor_AKA_Warrior> iroute 192.168.1.0 255.255.255.0 08:29 < Igor_AKA_Warrior> openvpn - latest from ports on FBSD - 2.1; latest from openvpn website on Windows 08:31 < ecrist> Igor_AKA_Warrior: what version, specifically? 
08:31 < ecrist> 2.1rc20 is latest 08:31 < Igor_AKA_Warrior> OpenVPN 2.1_rc20 i386-portbld-freebsd6.3 [SSL] [LZO2] built on Oct 26 2009 08:31 < Igor_AKA_Warrior> Developed by James Yonan 08:31 < Igor_AKA_Warrior> Copyright (C) 2002-2009 OpenVPN Technologies, Inc. 08:31 < ecrist> ok 08:32 < Igor_AKA_Warrior> Windows - I downloaded 2.1rc .. what they had.. same thing 08:32 < ecrist> if I may make a suggestion, you need to NOT push/play with the 192.168.1.0/24 and the 192.168.0.0/24 networks 08:34 < Igor_AKA_Warrior> remove the iroute entry? 08:36 < scott9876> I'm instructed to add lines to the /etc/modules configuration file. Nothing is in the directory, so I have to create it; does the name matter? I'm going to call it config 08:38 < Igor_AKA_Warrior> same thing :( 08:42 -!- KjetilK [n=kjetil@cm-84.208.141.2.getinternet.no] has joined ##openvpn 08:43 < KjetilK> !howto 08:43 < vpnHelper> KjetilK: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:45 -!- DannyButterman [n=olivier@81.56.253.150] has joined ##openvpn 08:46 < DannyButterman> Hi there. I need help on vtun. I know the topic is openvpn here but can't find a dedicated channel 08:54 -!- Dovid[Laptop] [n=annon@tony09-118-62.inter.net.il] has joined ##openvpn 08:55 -!- Dovid [n=annon@tony09-118-62.inter.net.il] has quit [Read error: 110 (Connection timed out)] 08:56 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 08:58 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 08:59 -!- colclough [n=cokes@87.198.213.218] has quit ["Leaving"] 09:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:28 < ecrist> Igor_AKA_Warrior: can you draw up a diagram of your network? 09:39 -!- robl^laptop [n=robl@m485336d0.tmodns.net] has joined ##openvpn 09:39 -!- whitehat [n=whitehat@unaffiliated/whitehat] has joined ##openvpn 09:40 < whitehat> hello group.
I just ran ./build-key-server VPN-server on F11 and received "wrong number of fields on line 1 (looking for field 6, got 1, '' left)" ideas? thank you. 09:44 -!- switchgirl [n=sara@82-41-221-104.cable.ubr13.sgyl.blueyonder.co.uk] has joined ##openvpn 09:44 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn 09:44 < switchgirl> !vpn 09:44 < vpnHelper> switchgirl: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 09:44 < switchgirl> !openvpn 09:44 < vpnHelper> switchgirl: Error: "openvpn" is not a valid command. 09:45 < switchgirl> ok then what is openvpn and what's it do? 09:45 < switchgirl> how's it work? 09:45 < robl^laptop> is there anything specific with openvpn on a mac to cause problems with Internet when connected? I had a working routed connection for nearly a year with a client on a Windows Vista laptop and server running on FreeBSD (pfSense). I copied the config file and certs from the old laptop to a new MacBook Pro and it worked, except that Internet connectivity is lost when connected to the vpn. 09:50 -!- DannyButterman [n=olivier@81.56.253.150] has quit ["Bye"] 10:00 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has joined ##openvpn 10:00 < drcode> hi all 10:01 < drcode> can I add more connections to the same openvpn? 10:01 < drcode> I have 1 openvpn server and 1 openvpn client, I want to add more clients 10:02 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 10:06 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 10:07 < Bushmills> drcode: yes, you can 10:08 < Bushmills> supported with openvpn version 2.x 10:08 < drcode> I use ver 2.0 10:08 < drcode> what do I need to add on the server? 10:08 < Bushmills> mode server 10:09 < drcode> in openvpn.conf 10:09 < Bushmills> for example.
or, on commandline 10:10 < drcode> mode server req tls-server 10:11 < drcode> Options error: specify only one of --tls-server, --tls-client, or --secret 10:11 < drcode> can't make it work 10:11 < drcode> ok 10:11 < drcode> 1 min 10:11 < drcode> not working 10:11 < drcode> what do I need to do with tls-server? 10:11 < Bushmills> do you want to read docs yourself, or do you want me to do it for you? 10:12 < drcode> k 10:12 < drcode> I will 10:12 < drcode> thanx again for pointing me 10:12 < Bushmills> yw 10:17 -!- Dovid[Laptop] is now known as Dovid 10:28 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.14/2009082707]"] 10:29 -!- Dovid [n=annon@tony09-118-62.inter.net.il] has quit [] 10:30 -!- bcalvin [n=bcalvin@66.88.39.226.ptr.us.xo.net] has joined ##openvpn 10:31 < bcalvin> hello... 10:32 < bcalvin> is there a way for me to tell what version of OpenVPN my clients are using? 10:39 -!- gilos123 [i=cee65482@gateway/web/freenode/x-hchbsqnjkidnoghp] has quit [Ping timeout: 181 seconds] 11:00 < ecrist> good question 11:01 < bcalvin> I haven't found a way through the telnet mgmt console 11:01 < bcalvin> or anything within the logs 11:02 < bcalvin> logs on the server side that is 11:06 -!- WormFood [n=wormfood@121.35.146.24] has quit [Read error: 60 (Operation timed out)] 11:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 11:20 -!- jeiworth [n=jeiworth@189.177.30.65] has joined ##openvpn 11:21 < ecrist> robl^laptop: nothing specific on a mac, really, no 11:21 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:22 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 11:22 < ecrist> switchgirl: OpenVPN is an open-sourced SSL-based VPN 11:22 < robl^laptop> ecrist: thanks. I've actually narrowed it down.. it's something weird with pushing nameservers. it stops resolving external domains.
11:23 -!- szefte [n=7b@96-26-44-100.war.clearwire-wmx.net] has joined ##openvpn 11:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:34 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 11:42 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)] 11:42 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 11:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:55 < Igor_AKA_Warrior> ecrist: draw up a diagram.... can I paste the server, client, machine interface and route configuration in pastebin? I am not sure how I can paste a diagram here 11:57 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)] 11:58 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 12:06 -!- ErickG [n=ErickG@190.120.0.138] has quit ["Leaving."] 12:09 -!- buntfalke [n=nobody@openvpn-tcp-018.triple-a.uni-kl.de] has joined ##openvpn 12:13 -!- bcalvin [n=bcalvin@66.88.39.226.ptr.us.xo.net] has left ##openvpn [] 12:15 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 12:23 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 12:48 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 12:53 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 12:55 -!- robl^laptop [n=robl@m485336d0.tmodns.net] has quit [Read error: 104 (Connection reset by peer)] 13:00 < ecrist> Igor_AKA_Warrior: host it somewhere. 
;) 13:05 < dazo> Igor_AKA_Warrior: http://imagebin.ca/ 13:05 < vpnHelper> Title: Imagebin - Upload an Image (at imagebin.ca) 13:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 13:07 -!- ErickG1 [n=ErickG@190.120.0.138] has joined ##openvpn 13:09 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 110 (Connection timed out)] 13:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 13:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:20 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:23 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 13:23 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 13:25 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 13:26 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 13:32 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection] 13:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:36 < Igor_AKA_Warrior> ok, ecrist -- i pasted you my detailed system config... let me draw my stuff... I suck at drawing... will take a few :) 13:36 < Igor_AKA_Warrior> thanks dazo 13:41 < dazo> Igor_AKA_Warrior: no prob 13:59 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:01 < Igor_AKA_Warrior> ecrist -- http://imagebin.ca/view/WY0eOq.html 14:01 < vpnHelper> Title: netconfig.png (at imagebin.ca) 14:02 < whitehat> hello. I'm getting a VERIFY ERROR. no certificate returned....incoming plaintext read error ideas? 
14:03 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 14:16 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Success] 14:16 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 14:21 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 14:21 < KjetilK> I have only two clients that will ever use my VPN. What's the easiest way to set up OpenVPN in such a case? Will it work just to give both the same static key? Could I set up two interfaces with a different static key for each client? Or would I need the full PKI? 14:45 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 14:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:51 -!- jeiworth [n=jeiworth@189.177.30.65] has quit [Connection timed out] 14:54 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has joined ##openvpn 14:54 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)] 14:54 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 14:57 < TorchDragon> I've manually rebuilt the openVPN server to version 2.1_rc20 on my ubuntu box. Completely regenerated all keys and certs. Installed OpenVPN 2.1_rc20 i686-pc-mingw32 on my Vista client and I am still getting the same exact "error: private key password verification failed" 14:58 < TorchDragon> I don't know if there's anything else I can do. 15:02 -!- ErickG1 [n=ErickG@190.120.0.138] has left ##openvpn [] 15:05 < krzie> KjetilK I use full pki either way, but feel free to use static key ptp setup 15:05 < krzie> examples of how are in the manual 15:06 < krzie> they start at the most simple (no encryption, etc) and work in more stuff as you read 15:06 < KjetilK> krzie, so, you mean set up two interfaces? 15:06 < krzie> oh 2 clients 15:07 < krzie> my bad, was thinking 2 machines 15:07 < krzie> just go full 15:07 * KjetilK nods, that's the problem 15:07 < krzie> full PKI 15:07 < KjetilK> ok, thanks!
15:07 < krzie> it's simple 15:07 < krzie> !sample 15:07 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 15:07 < krzie> you use fbsd by chance? 15:08 < KjetilK> Nope, Debian on the server, Ubuntu and Windoze on the clients 15:09 < TorchDragon> Ever run into a "private key password verification failed" error on a key with no password? 15:09 < TorchDragon> I can set up and start the server fine but I can no longer load the client. 15:09 < KjetilK> anyway, I just noticed that Ubuntu Jaunty's network-manager-openvpn is severely broken, so I think I'll wait a few days for Ubuntu Karmic to be released... 15:10 < KjetilK> thanks anyway, I'll go for full PKI and do it properly :-) 15:20 < TorchDragon> And I appear to be the only person in the world getting this error message. 15:23 -!- c64zotte1 [n=hans@62-12-230-119.pool.cyberlink.ch] has joined ##openvpn 15:23 -!- c64zottel [n=hans@62-12-255-203.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)] 15:33 -!- alice|wl [n=helo@notomorrow.de] has quit [Remote closed the connection] 15:36 -!- flamia [i=c99@0x573c2b56.vbrnqu1.dynamic.dsl.tele.dk] has joined ##openvpn 15:39 < flamia> I seem to have a strange issue with my vpn clients, they stay connected just fine for a range of 5-10 minutes but then they lose all connectivity to the inside LAN range.
This is my openvpn.conf server cfg: http://pastebin.ca/1645600 - This is my bridge setup: http://pastebin.ca/1645601 15:40 < flamia> No error logs in syslog regarding the client drop, in fact the client doesn't disconnect but no traffic is going through 15:43 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has left ##openvpn [] 15:50 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn 15:52 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Connection reset by peer] 15:52 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn 15:54 < krzie> flamia, check if there's something a dhcp renew would be killing 15:55 < krzie> KjetilK 15:55 < krzie> !ubuntu 15:55 < vpnHelper> krzie: "ubuntu" is dont use network manager! 15:55 < flamia> krzie dhcp renewal on the client's WAN connectivity or the lease from the server to the client's vpn? - If so I'm not using DHCP there 15:55 < krzie> maybe you're using redirect-gateway, maybe you're using a pushed nameserver and trying to access based on hostname, etc etc 15:56 < krzie> which is why I didn't say that's your problem, I just said to check for it 15:56 < flamia> krzie: I'm not using redirect-gateway, this is an internal lan only. I'm pushing a nameserver from the server to the client. The client's config file is using static ip and not DNS 15:56 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 15:57 < flamia> The funny thing is that after the ping timeouts it comes back after 5 minutes 15:57 < flamia> then it times out again and then it comes back 15:57 < flamia> and so on. 15:57 < krzie> do you have a keep-alive? 15:57 < flamia> within the server cfg? 15:57 < krzie> within both 15:57 < flamia> "keepalive 10 120" in server cfg 15:58 < flamia> the client cfg has no keepalive 15:58 < flamia> should it be in both?
15:58 < krzie> nah that's good 15:59 < krzie> For example, --keepalive 10 60 expands as follows: 15:59 < krzie> if mode server: 15:59 < krzie> ping 10 15:59 < krzie> ping-restart 120 15:59 < krzie> push "ping 10" 15:59 < krzie> push "ping-restart 60" 15:59 < krzie> else 15:59 < krzie> ping 10 15:59 < krzie> ping-restart 60 15:59 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)] 15:59 < krzie> i wonder if 120 is too small 15:59 < krzie> too high i mean 15:59 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 16:00 < flamia> I'll try 10 60 16:01 < flamia> Same issue 16:01 < krzie> wow that was fast 16:01 < flamia> 20 ICMP pings and then it times out 16:01 < flamia> did "keepalive 10 60" inside openvpn.conf, did a server restart and reconnected the client. 16:02 < krzie> ahh ya if it times out during a ping it's def not a keepalive thing 16:02 < flamia> hmm 16:02 < krzie> what os is the client? 16:02 < flamia> Windows 7, using 2.1_rc15 16:02 < krzie> go to rc20 16:03 < flamia> sec 16:03 < krzie> also make sure the windows firewall is off for the vpn adapter, I've heard of people having problems with windows also changing the interface to be "public profile" or whatever it's called 16:03 < krzie> I'm no windows guy, but I've picked that stuff up from being here 16:05 < flamia> Testing with rc20 now 16:08 < flamia> That did the trick, thanks for your debug help krzie 16:09 < krzie> yw 16:13 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 16:34 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has joined ##openvpn 16:34 < drcode> hi all 16:35 < krzie> hi 16:35 < drcode> I have a problem with routing and bridging 16:36 < drcode> I have set up openvpn to use a bridge 16:36 < drcode> from the ubuntu example 16:36 < krzie> why using bridge?
16:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 16:36 < drcode> all works perfectly 16:37 < drcode> I have something like this: --> --> 16:37 < drcode> I have something like this: --> --> --> 16:37 < krzie> what layer2 protocol do you need to flow over the vpn? 16:37 < drcode> I want to ping from the wireless client into the windows server 16:38 < krzie> you don't need a bridge 16:38 < krzie> !tunortap 16:38 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 16:38 < drcode> I have something like this: --> --> --> 16:38 < krzie> you want tun 16:38 < krzie> !route 16:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:38 < krzie> !sample 16:38 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs 16:38 < krzie> there ya goes 16:40 < reiffert> hm, any "what's a subnet" guy around today? 16:40 < krzie> not yet but it's still early in usa 16:40 < drcode> krzie: I don't have a default gw on my lan 16:40 < krzie> lol of course you do 16:40 < krzie> or you have no inet 16:41 < reiffert> ah, there he is. 16:41 < reiffert> drcode: how can you send packets to your irc server then? 16:41 < krzie> or you have the world's largest routing table 16:41 < krzie> lol 16:41 < drcode> I use masq 16:41 < krzie> "i wanna access a website, lemme add a route to it" 16:42 < krzie> and what machine does that masq...? 16:42 < drcode> openvpn server 16:42 < krzie> and your openvpn server is what all machines on the lan send their inet traffic to? 16:42 < drcode> yes 16:43 < krzie> does that not sound like a default gateway?
16:43 < drcode> I did masq to the internet 16:43 < krzie> hah 16:43 < drcode> a min 16:44 < drcode> how can I route bridge to wireless? 16:44 < krzie> "route bridge" 16:44 < krzie> lol 16:44 < drcode> where? 16:44 < drcode> in openvpn.conf 16:44 < krzie> theres a fundamental flaw in your thinking 16:44 < krzie> bridge is layer2 16:44 < krzie> routing is layer3 16:44 < krzie> do what i said and stop bridging 16:45 < krzie> i gave you everything you needed 16:45 < krzie> i did everything for you, and you're still stuck at your orig question 16:45 < drcode> k 16:46 < krzie> my example in !route has 2 clients with lans and a server with a lan 16:46 < krzie> your setup is very much the same 16:46 < krzie> 1 client with lan and 1 server with lan 16:46 < reiffert> JAY! get a layer 3 switch! 16:46 < krzie> lol reif 16:49 < drcode> thanx 16:49 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.14/2009082707]"] 16:53 -!- scott9876 [n=scott987@faupat7.partners.org] has quit [Read error: 110 (Connection timed out)] 16:57 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Remote closed the connection] 16:57 -!- whitehat [n=whitehat@unaffiliated/whitehat] has quit [Read error: 110 (Connection timed out)] 17:06 -!- Boolman [n=Boolman@ip4-147.bon.riksnet.se] has joined ##openvpn 17:07 < Boolman> hi. i have a problem with my openvpn. the clients cant connect to the server. im getting "TLS Error: TLS handshake failed" 17:13 < krzie> your certs were done wrong most likely 17:15 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 17:15 < kexman> hi 17:22 < krzie> hi 17:22 < kexman> i have a bit of offtopic qustion :) 17:22 < kexman> i can see machines from another network and my pc even has an ip assigned by the router from another network using a vpn 17:23 < kexman> what i want to do if forward all traffic toughr that router from which i get my ip from how could i do this ? 
17:24 < krzie> by setting that other router as your default gateway 17:24 -!- KjetilK [n=kjetil@cm-84.208.141.2.getinternet.no] has left ##openvpn ["Konversation terminated!"] 17:25 < krzie> at least that's what I'd expect, I don't use bridges and logic says not to use a bridge unless you have a specific reason to 17:25 < kexman> and how will I then connect to hamachi ? :) 17:25 < krzie> hamachi? 17:25 < krzie> did you notice you are in ##openvpn? 17:26 < krzie> sorry, can't help with your hamachi setup 17:26 < krzie> !notovpn 17:26 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 17:28 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)] 17:29 < kexman> :) 17:29 < kexman> just tried my luck :) 17:29 < kexman> sorry 17:29 < kexman> btw I think I'm gonna end up using openvpn after all :) 17:30 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 17:31 -!- scott9876 [n=scott987@c-65-96-109-90.hsd1.ma.comcast.net] has joined ##openvpn 17:32 < krzie> kexman well when you do, you can accomplish your goals using routed tun 17:32 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit] 17:32 < krzie> you will want to see: !sample !redirect and !route 17:32 < kexman> krzie: I've already done it once :) 17:33 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:33 < krzie> in order those are: sample configs I've used, how to make all traffic flow through the vpn, how to have the lans able to communicate over the vpn 17:34 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."] 17:35 < kexman> thanks a lot 17:39 < reiffert> I've discovered the pizza paste in the fridge ... /me's going to make a pizza!
17:39 < kexman> gogo reiffert 17:40 -!- c64zotte1 [n=hans@62-12-230-119.pool.cyberlink.ch] has quit ["Leaving."] 17:41 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has joined ##openvpn 17:41 < drcode> hi all 17:42 < drcode> where do I put the ccd dir? 17:42 < drcode> it works to one side 17:42 < reiffert> drcode: hi 17:42 < drcode> hii 17:43 < reiffert> ccd dir? I've got mine in my car. 17:44 < reiffert> drcode: try c:\applications\openvpn 17:48 < Boolman> !route 17:48 < vpnHelper> Boolman: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:52 < krzie> drcode, anywhere you want, as long as your config points to that place 17:52 < krzie> and if the vpn drops permissions, make sure the user it drops to has perms to read the dir 17:57 < Boolman> what am I doing wrong when I'm getting this message TCP/UDP: Incoming packet rejected (allow this incoming source address/port by removing --remote or adding --float) 17:58 < Boolman> ping -I tun0 172.16.0.65 <- isn't working. not sure if it's supposed to 17:59 < Boolman> 172.16.0.65 is my lan interface, eth0 17:59 < Boolman> !redirect 17:59 < vpnHelper> Boolman: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 18:00 < Boolman> !def1 18:00 < vpnHelper> Boolman: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0.
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:01 < Boolman> !man 18:01 < vpnHelper> Boolman: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:05 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn [] 18:19 -!- scott9876 [n=scott987@c-65-96-109-90.hsd1.ma.comcast.net] has quit ["Leaving"] 18:45 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has joined ##openvpn 18:50 -!- jmp_xinu [n=jperez@ool-4579c388.dyn.optonline.net] has quit ["Leaving"] 19:06 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 19:18 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)] 19:18 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn 19:36 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)] 19:46 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 19:53 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 19:56 -!- xod [n=onats@112.201.211.116] has quit [Read error: 110 (Connection timed out)] 19:57 -!- xod [n=onats@112.201.155.127] has joined ##openvpn 20:18 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 20:19 < kexman> OpenVPN for the win :) I totally forgot about hamachi :D haha 20:19 < kexman> I'm just setting up an OpenVPN server on a windows machine 20:19 < kexman> the HOWTO is just absolutely fantastic :) congratulations to the one who made it :) 20:19 < kexman> and thank you :) 20:20 < kexman> but I have a question about the config file 20:21 < kexman> "ca ca.crt" ... how do you define the path for this file if it's not in the same directory as the config file ? 20:25 < kexman> baah all asleep :) 20:37 < krzie> by defining the path...
20:37 < krzie> as shown in sample configs at bottom of the howto
20:37 < krzie> note the quotes and double \\ with windows paths
20:38 < krzie> assuming you're talking about the official ovpn howto and not my routing doc
20:45 -!- switchgirl [n=sara@82-41-221-104.cable.ubr13.sgyl.blueyonder.co.uk] has left ##openvpn ["Leaving."]
20:51 < theDoc> hello all.
20:52 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
20:53 < ksnp> anyone around ?
20:54 < krzie> nope, we're all hibernating
20:55 < krzie> sup theDoc
20:55 -!- ksnp is now known as ear-wax
20:56 -!- ear-wax is now known as ksnp
20:57 < ksnp> bbl
20:59 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
20:59 < krzie> lol
21:04 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
21:05 < theDoc> o/ krz
21:05 < theDoc> need moar customers :p
21:07 < theDoc> woohoo, my boss just asked me to poach an ex colleague from my previous work place.
21:07 < theDoc> lol
21:08 < theDoc> Any of you have a NAS/SAN at home?
21:08 < krzie> homemade...
21:09 < theDoc> ah, home brewed?
21:09 < krzie> a fbsd8 box with 1 small drive for the os and 4 1.5TB drives running in ZFS raidz running NFS
21:11 < theDoc> ah, i was looking for something smaller which doesn't require my desktop to be running 247
21:12 < theDoc> i would probably just get a small netgear NAS or something
21:13 < krzie> it doesnt require my desktop to be running
21:13 < krzie> it requires my nfs server to be running ;]
21:14 < theDoc> krzee> My desktop is doubling as a server :P
21:15 < theDoc> I use it for network simulation for gns3 though
21:15 -!- STS301 [n=STS301@opensuse/member/STS301] has joined ##openvpn
21:15 < theDoc> and it's noisy and it gives me a headache. I should colo it.
21:15 < STS301> !howto
21:15 < vpnHelper> STS301: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:16 -!- master_of_master [i=master_o@p549D62B3.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:18 -!- master_of_master [i=master_o@p549D63B7.dip.t-dialin.net] has joined ##openvpn
21:24 < kexman> krzie: well it doesnt works with \\ it works if i put the file in the config dir
21:24 < theDoc> krzee> Is there *any* point at all, to be using pptp?
21:24 < theDoc> other than how ridiculously stupid it is to configure?
21:24 < kexman> and im using quotes as well
21:24 < kexman> if i dont add path + quotes + \\ and just put the name of file and copy the file to the config dir it works
21:25 < kexman> the files are in c:\program files\openvpn\easy-rsa\
21:27 -!- tjz2 [n=tjz@bb220-255-44-209.singnet.com.sg] has quit ["bbl"]
21:27 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn
21:28 < STS301> !redirect
21:28 < vpnHelper> STS301: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
21:33 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Client Quit]
21:34 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
21:35 -!- Serideru1 [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
21:43 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn
21:47 < kexman> can anyone help me based on this client error log : http://pastebin.com/m3c5183fa
21:47 < kexman> server is up and running
21:47 < kexman> key files and stuff should be okay too
21:48 -!- STS301 [n=STS301@opensuse/member/STS301] has quit [Remote closed the connection]
21:49 < kexman> "remote-cert-tls server" i added that to the client config
21:49 < krzie> !sample
21:49 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
21:49 < kexman> instead of this one "ns-cert-type server" ... do i need to add that to the server config as well ?
21:49 < kexman> uff
21:49 < kexman> krzie: i edited the sample file on both sides
21:49 < krzie> what did you want "remote-cert-tls server" to do?
21:50 < krzie> ya i pulled up my sample for me
21:50 < kexman> what ;ns-cert-type server does
21:50 < kexman> without the ; :)
21:50 < krzie> then whyd you change it from ns-cert-type server ?
21:50 < krzie> surely you had to have a reason
21:50 < kexman> well in the howto it says to use that for versions 2.1 and above
21:50 < kexman> and i am using the latest beta
21:51 < theDoc> The how-to doesn't ask you to change it to remote-cert-tls
21:51 < krzie> pls show me where
21:51 < kexman> http://www.openvpn.net/index.php/open-source/documentation/howto.html#server
21:51 < vpnHelper> Title: HOWTO (at www.openvpn.net)
21:52 < kexman> search there for [OpenVPN 2.1 and above]
21:52 < kexman> theDoc: no it doesnt asks me
21:52 < krzie> i have a strong feeling if it can be used interchangeably and that is better, they would have simply updated ns-cert-type
21:53 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Read error: 104 (Connection reset by peer)]
21:53 < kexman> so what should i use ? ns-cert-type ?
21:53 < krzie> yup
21:53 < kexman> connected instantly
21:53 < kexman> thanks
21:53 < kexman> soo
21:53 < kexman> what's the main difference between the two ?
21:53 < kexman> options
21:54 < kexman> can anyone tell me that ?
21:54 < krzie> no idea
21:54 < kexman> hehe :)
21:54 < krzie> read the manual for both?
21:54 < kexman> k thanks
21:54 < krzie> interesting, the howto does say that
21:54 < krzie> i havnt read the howto since 2.1 was started
21:55 < krzie> i have a feeling you made your certs with an older easy-rsa or something
21:56 < krzie> so when you mde the server key it was signed the ns-cert-type server method
21:56 < krzie> s/mde/made
21:56 < kexman> krzie: i made it right now
21:56 < kexman> with the ones that came with the openvpn
21:56 < kexman> openvpn-2.1_rc20-install.exe
21:56 < kexman> krzie: i used build-key-server.bat server on windows
21:56 < kexman> maybe its doze :P
21:56 < kexman> hehe
21:57 < krzie> like i said, no idea
21:57 < kexman> im glad that it works fine with the other options :P
21:57 < krzie> either way tho, you're good now =]
21:57 < kexman> now for the "fun" part :P
21:57 < kexman> travel all traffic through that server :)
21:57 < kexman> thats a doze server :)
21:57 < kexman> does it automagically NAT ? :)
21:57 < krzie> make sure you know how to setup NAT aka ICS
21:57 < krzie> shit no it doesnt, lol
21:57 < krzie> !winnat
21:57 < vpnHelper> krzie: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS)
21:58 < kexman> hehe :P
21:58 < kexman> your funny : ... thanks :)
22:03 < kexman> pfff
22:03 < kexman> blahblah ... is it that it doesnt like 192.168.0.0/24 ? :)
22:03 -!- Serideru1 [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Remote closed the connection]
22:04 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn
22:09 < kexman> omg m$ sss bbbb ... it needs to set itself to 192.168.0.1 pffffff
22:13 < kexman> great
22:13 < kexman> i locked myself out from the server :( duhh
22:13 < kexman> need to go there ... now
22:23 < drcode> ccd are on server side?
22:23 < drcode> or on client side?
22:27 < krzie> ~did you ask the manpage?
22:27 < krzie> !ccd
22:27 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
22:28 < krzie> would be rather pointless on the client side
22:28 < drcode> krzie: I don't need to route on the client side?
22:28 < krzie> i have no idea what you're trying to do or talking about
22:29 < drcode> I have something like
22:31 < drcode> --> <10.2.0.1,OpenVpn Server 10.0.100.5> --> <10.0.100.6 openvpn client 10.0.2.2> -->
22:31 < krzie> !route
22:31 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:31 < drcode> I want to get from 10.2.0.5 to 10.0.2.1
22:31 < drcode> I did like the help say
22:32 < drcode> I can ping from vpn client to 10.2.0.5
22:32 < drcode> but I can't ping from 10.2.0.5 to 10.0.2.1
22:32 < krzie> 1min
22:32 < drcode> #routing
22:32 < drcode> push "route 10.2.0.0 255.255.255.0"
22:32 < drcode> #push "route 10.0.100.0 255.255.255.0"
22:32 < drcode> push "route 10.1.1.0 255.255.255.0"
22:32 < drcode> push "route 10.0.2.0 255.255.255.0"
22:32 < drcode> route 10.0.2.0 255.255.255.0
22:32 < drcode> #client-to-client
22:33 < drcode> client-config-dir ccd
22:33 < krzie> !pastebin
22:33 < vpnHelper> krzie: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
22:33 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [Read error: 113 (No route to host)]
22:33 < drcode> ok
22:33 < drcode> sorry
22:33 < drcode> any idea?
22:33 < krzie> 1min
22:33 < krzie> talking
22:34 < drcode> k
22:38 < krzie> I can ping from vpn client to 10.2.0.5
22:38 < krzie> but I can't ping from 10.2.0.5 to 10.0.2.1
22:38 < krzie> so whats 10.0.2.1?
22:38 < krzie> also
22:38 < krzie> !configs
22:38 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
22:39 < drcode> on vpn client there is nic 10.0.2.1
22:39 < drcode> on vpn client there is nic 10.0.2.2
22:39 < drcode> sorry
22:39 < drcode> I want to get from my laptop wireless to 10.0.2.1
22:40 < hads> Anyone know anything odd with a static route on OpenWRT? I can ping from LAN to VPN client through server (not gateway) but not from VPN client past the gateway (OpenWRT)?
22:40 < krzie> does 2.1 have a route to vpn subnet AND other lans subnet going through 2.2?
22:40 < hads> If I add a static route to a LAN box then the ping from the VPN client works okay.
22:40 < krzie> openWRT is just linux isnt it?
22:41 < hads> Yeah
22:41 < krzie> cant you just add the route like you would on any other lin box?
22:41 < hads> Yeah, I have the route on there
22:41 < hads> Something odd is going on though.
22:41 < krzie> ip forwarding enabled?
22:41 < krzie> (i assume so since its a router...)
22:41 < hads> Yeah
22:41 < krzie> !linipforward
22:41 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
22:42 < hads> I can ping from the LAN to the VPN clients, but not back again.
22:42 < hads> Though I can ping the gateway from the VPN client.
22:42 < hads> And if I add a static route to a LAN box then I can ping it from a VPN client fine.
22:43 < hads> So it's something related to the static route on the gateway.
22:44 < krzie> not necessarily
22:44 < krzie> when you add the static route you bypass openwrt all together
22:44 < krzie> could be the firewall on openwrt
22:44 < krzie> when you add the static route you bypass openwrt all together <--- talking bout the static route on lan machine
22:44 < krzie> in fact firewall is most likely
22:44 < hads> Hmm good point.
23:02 -!- WormFood [n=wormfood@121.35.146.229] has quit [Read error: 60 (Operation timed out)]
23:03 -!- WormFood [n=wormfood@121.35.146.229] has joined ##openvpn
23:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection]
23:41 < drcode> krzie: I read uer help
23:41 < drcode> with route
23:42 < drcode> I want to do also backward
23:42 < drcode> from openvpn server side to lan on client side
23:46 -!- drcode [n=chatzill@bzq-84-108-250-27.cablep.bezeqint.net] has quit ["ChatZilla 0.9.84 [Firefox 3.0.14/2009082707]"]
--- Day changed Wed Oct 28 2009
00:03 -!- Pagautas [n=bigman@ns.voip.ktu.lt] has quit [Read error: 60 (Operation timed out)]
00:04 < kexman> krzie: im back :)
00:04 < kexman> morning :)
00:55 < kexman> krzie: i did it man i did it
00:55 < kexman> openvpn & ICS is up and are running
00:55 < kexman> now the question is what nameserver should i use ?
00:56 < kexman> now im in a bit of shade here with ICS ... my 10.8.0.1 disappeared somehow :) and instead i have 192.168.0.1
01:16 -!- flamia [i=c99@0x573c2b56.vbrnqu1.dynamic.dsl.tele.dk] has quit []
01:36 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has quit [Remote closed the connection]
01:39 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
01:44 -!- WormFood [n=wormfood@121.35.146.229] has quit ["reboot router"]
01:47 < kexman> okay ... now i routed all my traffic through the openvpn server ... im trying a speedtest from speedtest.net ... i can reach only 1mbps while on the server machine i reach 10mbps ... and the same speedtest from the client machines yields me 3mbps (with the same speedtest server)
01:47 < kexman> is there any limitation to OpenVPN or its the line ?
01:48 < theDoc> openvpn has overheads.
01:48 < theDoc> are you going over tcp/udp?
01:48 < kexman> udp
01:48 < kexman> might be windows ICS ? :P
01:48 < kexman> blame doze :P haha
01:49 < theDoc> you are running your server on windows?
01:49 < kexman> no really im interested in all the details :)
01:49 < kexman> yes
01:49 < theDoc> bbl, giggling.
01:49 < kexman> hahahahaha :)))
01:49 < kexman> theDoc: really tell me is it doze ?
01:49 < theDoc> please don't tell me your server runs winXP
01:49 < kexman> its not a server
01:49 < kexman> its just a server for openvpn
01:50 < kexman> i just needed to access that network
01:50 < kexman> and all the machines are dozeses
01:50 < kexman> this openvpn server yes it runs winxp :)
01:50 < kexman> why ? :)
01:51 < theDoc> lol
01:51 < kexman> is that that bad ? :)
01:51 < theDoc> kexman> nothing mate. :p
01:51 < theDoc> Yes.
01:51 < kexman> or its xp throttling not knowing how to handle such things :)
01:52 < theDoc> I think it's just XP and also the line speed.
01:52 < kexman> so you say if i would change that for a linux and use netfilter for nating then it would improve ?
01:52 < kexman> isnt that any openvpn setting ?
01:52 < kexman> its some tcp / ip window size or connection stuff in xp ?
01:52 < kexman> theDoc: well im just curious its no problem im not that of a big windows fanatic :P
01:53 < theDoc> kexman> To be honest, I have nfi :)
01:53 < kexman> no f i???
01:53 < theDoc> lol, yes
01:55 < kexman> well i guess i can try and boot a livecd which has openvpn
02:08 -!- WormFood [n=wormfood@119.123.26.29] has joined ##openvpn
02:36 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has joined ##openvpn
02:45 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:56 -!- szefte [n=7b@96-26-44-100.war.clearwire-wmx.net] has quit [Read error: 60 (Operation timed out)]
02:57 -!- szefte [n=7b@96-26-44-100.war.clearwire-wmx.net] has joined ##openvpn
03:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:20 -!- mikeones [n=mikeones@pool-71-252-209-129.dllstx.fios.verizon.net] has quit ["leaving"]
03:35 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
03:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:50 -!- tookietookie [n=moe@timetogeek.net] has quit ["Leaving."]
03:53 < reiffert> moin
03:56 -!- Sky[x] [n=SkyB0x@88.200.89.223] has joined ##openvpn
04:00 < kexman> hello
04:05 -!- WormFood [n=wormfood@119.123.26.29] has quit [Read error: 60 (Operation timed out)]
04:05 -!- WormFood [n=wormfood@119.123.26.29] has joined ##openvpn
04:18 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:37 -!- xod is now known as onats
04:37 < onats> hey anyone up?
04:37 -!- Sky[x] [n=SkyB0x@88.200.89.223] has quit [Connection timed out]
04:37 < kexman> ye
04:38 < onats> im having trouble with a vpn client on windows xp. its looking for a route-gateway directive
04:38 < onats> !route-gateway
04:38 < vpnHelper> onats: Error: "route-gateway" is not a valid command.
04:39 < onats> !redirect-gateway
04:39 < vpnHelper> onats: Error: "redirect-gateway" is not a valid command.
04:39 < onats> !xp
04:39 < vpnHelper> onats: Error: "xp" is not a valid command.
04:39 < onats> !windows
04:39 < vpnHelper> onats: Error: "windows" is not a valid command.
04:39 < onats> ok i dont know what the command is
04:40 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has quit [Read error: 54 (Connection reset by peer)]
04:40 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has joined ##openvpn
04:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
04:47 < misse-> onats: paste your configs at pastebin or something :]
04:47 < misse-> and the client log
04:48 < onats> i got disconnected already.. gaahhh
04:48 < onats> i was trying to fix it on remote desktop connection
05:02 < kexman> haha
05:02 < kexman> just paste some errors to a pastebin.com
05:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:10 -!- szefte [n=7b@96-26-44-100.war.clearwire-wmx.net] has quit [Client Quit]
05:21 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
05:22 -!- WormFood [n=wormfood@119.123.26.29] has quit [Read error: 60 (Operation timed out)]
05:22 -!- WormFood [n=wormfood@119.123.26.29] has joined ##openvpn
05:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
05:43 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
05:55 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
05:58 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
06:17 -!- brizly1 [n=brizly_v@p4FC98295.dip0.t-ipconnect.de] has joined ##openvpn
06:25 -!- dazo is now known as dazo|afk
06:28 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
06:33 -!- brizly [n=brizly_v@p4FC983D2.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:39 < Boolman> when i use a default server config. should my interface get a 255.255.255.255 netmask? to me that just seems wrong
06:40 < Boolman> i mean interface tun0
06:57 < Boolman> i interpret that as its an point to point connection, and the clients wont be able to communicate with each other :S
06:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
07:09 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: Snadder, drue, Argafal
07:10 -!- Netsplit over, joins: drue, Argafal, Snadder
07:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:21 < ecrist> Igor_AKA_Warrior: your setup will not work as configured
07:21 < ecrist> you need different ip subnets on the two networks
07:22 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
07:29 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
07:39 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Read error: 113 (No route to host)]
07:44 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit ["No Ping reply in 180 seconds."]
07:46 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
07:46 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has joined ##openvpn
07:48 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
07:54 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
07:54 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
07:58 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Client Quit]
08:00 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
08:04 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Client Quit]
08:04 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
08:08 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Client Quit]
08:08 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
08:11 -!- eliasp [n=quassel@HSI-KBW-095-208-045-212.hsi5.kabel-badenwuerttemberg.de] has quit [Client Quit]
08:14 -!- c64zottel [n=hans@62.12.230.119] has joined ##openvpn
08:32 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [Read error: 60 (Operation timed out)]
08:37 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Remote closed the connection]
08:49 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
09:02 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
09:04 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
09:14 -!- alex88 [n=alex88@unaffiliated/alex88] has joined ##openvpn
09:15 < alex88> hi all, using push "dhcp-option DNS 192.168.1.1" in server conf doesn't set dns in resolv.conf in client..any help?
09:15 < alex88> i've also tried adding up down /etc/openvpn/update-resolv-conf to client.conf but don't helps
09:18 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn
09:19 < ecrist> alex88: IIRC, the DNS is only-auto set for Windows clients. There is some information in the man page, I think.
09:19 < ecrist> !man
09:19 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:21 < alex88> yeah, but the update-resolv-conf should be do it, as is it written in it...
09:21 < alex88> btw, i'll search again in man
09:24 -!- `Kyle [n=Kyle@cpc2-sotn9-2-0-cust191.15-1.cable.virginmedia.com] has joined ##openvpn
09:24 < `Kyle> !route
09:24 < vpnHelper> `Kyle: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:26 < `Kyle> thanks, vpnHelper
09:28 < alex88> ecrist: ok got it working...i had to append script-security 2
09:30 < `Kyle> do i need --script-security 2 for ccd files
09:30 < `Kyle> ?
09:31 < `Kyle> hmmm
09:33 < `Kyle> ive got a really odd problem.. ive followed the guide but im a bit stuck. I've got two lans behind each vpn endpoint, and the clients on each lans can happily ping each other. However, the openvpn server and openvpn client can ping each other, but the openvpn server cannot ping any of the openvpn client's clients
09:33 < `Kyle> (if that makes sense)
09:37 < `Kyle> ahhh
09:37 < `Kyle> it must be seeing either server coming from the VPN interface, not the lan one
09:39 -!- zuez [n=sf@catalyst.httpd.org] has joined ##openvpn
09:39 < zuez> !route
09:39 < vpnHelper> zuez: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:40 -!- harpal [n=Harpal@121.246.75.165] has joined ##openvpn
09:40 -!- `Kyle [n=Kyle@cpc2-sotn9-2-0-cust191.15-1.cable.virginmedia.com] has quit []
09:41 < harpal> how can I give client ssl VPN in browser? no need to install client?
09:51 < reiffert> o way.
09:51 < reiffert> no
09:51 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:54 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
10:06 < kexman> i give up
10:06 < kexman> the net around me is so so ....... cant even tell how bad it is
10:14 < reiffert> Dont forget to send me all your money before suicide.
10:16 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
10:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:30 -!- harpal [n=Harpal@121.246.75.165] has quit [Remote closed the connection]
10:37 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
10:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:57 < kexman> pff
10:57 < kexman> reiffert: wtf ?
11:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:03 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
11:07 -!- WormFood [n=wormfood@119.123.26.29] has quit [Read error: 60 (Operation timed out)]
11:11 < ecrist> lol
11:15 < Boolman> TCP/UDP: Incoming packet rejected from lan_intf:1194[2], expected peer address: ext_intf:1194 (allow this incoming source address/port by removing --remote or adding --float)
11:16 < Boolman> im getting that error message on the client. i guess im suppose to use --redirect-gateway but im not sure how to apply it
11:17 < Boolman> i got the push "redirect-gateway" line in server config
11:18 -!- disco-__ [i=disco@andromeda.h4xed.com] has quit [Connection timed out]
11:21 -!- WormFood [n=wormfood@121.34.202.195] has joined ##openvpn
11:22 < ecrist> Boolman: the error tells you what to do...
11:23 < Boolman> if i do the --float flag. i get "TCP/UDP: Socket bind failed on local address [undef]:1194: Address already in use"
11:38 -!- xod [n=onats@112.201.210.244] has joined ##openvpn
11:42 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:45 -!- WormFood [n=wormfood@121.34.202.195] has quit [Read error: 60 (Operation timed out)]
11:45 -!- WormFood [n=wormfood@121.34.202.195] has joined ##openvpn
11:48 < ecrist> Boolman: kill the other instance...
11:53 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
11:56 -!- hyper_ch [n=hyper@142-51.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
11:59 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
12:04 -!- WormFood [n=wormfood@121.34.202.195] has quit [Read error: 60 (Operation timed out)]
12:05 -!- WormFood [n=wormfood@121.34.202.195] has joined ##openvpn
12:33 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
12:34 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Client Quit]
12:34 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
12:43 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
12:43 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
12:48 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Client Quit]
12:49 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
12:49 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
13:11 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
13:25 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
13:35 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
13:37 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has joined ##openvpn
13:49 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
14:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
14:19 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:34 < |Mike|> !all
14:34 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
14:36 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:45 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:50 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
15:05 -!- APTX|_ is now known as APTX|
15:08 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
15:18 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:23 -!- c64zotte1 [n=hans@62-12-255-127.pool.cyberlink.ch] has joined ##openvpn
15:29 -!- c64zottel [n=hans@62.12.230.119] has quit [Connection timed out]
15:32 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Read error: 104 (Connection reset by peer)]
15:33 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn
15:35 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Success]
15:49 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:59 -!- retro_neo_ [n=hello_wo@fr-d1.connectionvpn.com] has joined ##openvpn
16:03 -!- retro_neo_ is now known as connectionVPN_
16:05 -!- jeiworth [n=jeiworth@189.177.20.86] has joined ##openvpn
16:06 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
16:18 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit [Read error: 110 (Connection timed out)]
16:31 -!- connectionVPN_ [n=hello_wo@fr-d1.connectionvpn.com] has quit ["This computer has gone to sleep"]
16:31 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
16:48 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
16:54 -!- temba [n=okotoba@188.193.22.46] has joined ##openvpn
17:04 < phusion> i'm having trouble keeping my openvpn client connected.. what options would i use to attempt to keep the connection active no matter what?
17:05 < phusion> i don't have access to the server but there shouldn't be anything on that end for timing out etc
17:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
17:08 -!- alex88 [n=alex88@unaffiliated/alex88] has left ##openvpn []
17:12 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit]
17:14 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
17:30 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:00 -!- c64zotte1 [n=hans@62-12-255-127.pool.cyberlink.ch] has left ##openvpn []
19:13 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
19:43 -!- jeiworth [n=jeiworth@189.177.20.86] has quit [Read error: 110 (Connection timed out)]
19:44 -!- STS301 [n=STS301@opensuse/member/STS301] has joined ##openvpn
19:57 -!- temba [n=okotoba@188.193.22.46] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
20:06 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:18 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
20:23 -!- STS301 [n=STS301@opensuse/member/STS301] has quit [Remote closed the connection]
20:42 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [Read error: 113 (No route to host)]
20:44 -!- tjz [n=tjz@220.255.44.209] has joined ##openvpn
21:15 -!- master_of_master [i=master_o@p549D63B7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:19 -!- master_of_master [i=master_o@p549D6467.dip.t-dialin.net] has joined ##openvpn
21:33 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn
21:52 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 110 (Connection timed out)]
22:27 -!- hyper__ch [n=hyper@84.226.41.99] has joined ##openvpn
22:27 -!- hyper_ch [n=hyper@adsl-89-217-73-227.adslplus.ch] has quit [Nick collision from services.]
22:27 -!- hyper__ch is now known as hyper_ch
23:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
23:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
--- Day changed Thu Oct 29 2009
00:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
00:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:40 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 145 (Connection timed out)]
01:38 -!- hyper_ch [n=hyper@84.226.41.99] has quit [Remote closed the connection]
02:20 -!- hyper_ch [n=hyper@39-234.0-85.cust.bluewin.ch] has joined ##openvpn
02:49 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
02:49 < robert_> moo.
02:49 * robert_ pokes krzee
02:51 < robert_> when I try and connect with Windows XP, it just sits there right after verifying the CA and server's certificate.
02:58 < robert_> hm nevermind 02:58 < robert_> old keys/certs 02:58 < robert_> so now, it says I have no TAP adapter 03:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:20 -!- hads [n=hads@argon.nice.net.nz] has quit [Remote closed the connection] 03:54 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:20 -!- dazo|afk is now known as dazo 04:20 -!- dazo [n=nnnndazo@nat/redhat/x-oorjtxpjywykxcip] has quit [Remote closed the connection] 04:24 -!- dazo [n=nnnnndaz@nat/redhat/x-nhzelbaegsdzlnov] has joined ##openvpn 04:24 -!- dazo is now known as Guest65344 04:25 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 04:25 -!- Guest65344 is now known as dazo 04:25 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:26 -!- dazo is now known as Guest63823 04:27 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 04:31 -!- Guest63823 is now known as dazo 04:31 -!- dazo is now known as Guest28194 04:35 -!- Guest28194 is now known as dazo 04:36 -!- dazo is now known as Guest6941 04:41 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection] 04:41 -!- Guest6941 is now known as dazo 04:41 -!- dazo is now known as Guest62442 04:45 -!- Guest62442 is now known as dazo 04:46 -!- dazo is now known as Guest80427 04:51 -!- Guest80427 is now known as dazo 04:51 -!- dazo is now known as Guest26380 04:53 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 04:55 -!- Guest26380 is now known as dazo 04:56 -!- dazo is now known as Guest65622 04:59 -!- Guest65622 [n=nnnnndaz@nat/redhat/x-nhzelbaegsdzlnov] has quit ["Leaving IRC - dircproxy 1.2.0"] 04:59 -!- Guest65622 [n=dazo@nat/redhat/x-ufhpwsfvggsxzoyq] has joined ##openvpn 05:00 -!- Guest65622 is now known as dazo 05:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:51 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 06:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined 
##openvpn 06:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 06:18 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn 06:18 -!- gilos [i=cee65482@gateway/web/freenode/x-isfmksbrljtgzuah] has quit [Ping timeout: 180 seconds] 06:18 -!- brizly [n=brizly_v@p4FC98144.dip0.t-ipconnect.de] has joined ##openvpn 06:32 -!- brizly1 [n=brizly_v@p4FC98295.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 06:39 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 06:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 06:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 07:05 -!- xod [n=onats@112.201.210.244] has quit ["Ex-Chat"] 07:20 < ecrist> good morning 07:24 < |Mike|> hia ecrist 07:26 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 07:30 < reiffert> moin 07:37 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit [Read error: 113 (No route to host)] 07:42 -!- TomBombadil [n=TomBomba@84-119-72-65.dynamic.xdsl-line.inode.at] has joined ##openvpn 07:48 < TomBombadil> Hello @all 07:48 < TomBombadil> is there anyone who can help 07:50 < |Mike|> if you just state your question, someone will help :p 07:53 < TomBombadil> i have set up a tap connection; that works; now i have a routing problem; its a server to server connection; i can ping my tap device on each side but i dont know how i have to route so one network sends packets to the other; i think its a standard question but i have not found any helpful doc 07:53 < TomBombadil> openwrt openvpn 07:54 < TomBombadil> perhaps there is a howto i havent found! 
07:55 < ecrist> !route 07:55 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:55 < ecrist> !iroute 07:55 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 07:55 < ecrist> tips are accepted in beer form 07:56 < TomBombadil> thanks for the link 07:56 < TomBombadil> @reading ;) 07:57 < ecrist> @@ 08:06 -!- TomBombadil_ [n=TomBomba@84.119.82.23] has joined ##openvpn 08:09 < Optic> mooo 08:11 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 08:13 -!- TomBombadil [n=TomBomba@84-119-72-65.dynamic.xdsl-line.inode.at] has quit [Read error: 104 (Connection reset by peer)] 08:21 < gorkhaan> Hi! I'd like to ask: Do OpenVPN's environmental variables work with Windows batch files? 
I want to Map a network drive in a batch file, with openvpn's username + password 08:27 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Read error: 131 (Connection reset by peer)] 08:28 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 08:29 -!- TomBombadil_ [n=TomBomba@84.119.82.23] has quit [Read error: 110 (Connection timed out)] 08:46 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Read error: 145 (Connection timed out)] 09:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:27 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 09:28 -!- c64zottel [n=hans@62-12-255-127.pool.cyberlink.ch] has joined ##openvpn 09:33 -!- arthur_l [n=arthur@logilab2-7-50.cnt.nerim.net] has joined ##openvpn 09:34 < arthur_l> !route 09:34 < vpnHelper> arthur_l: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:56 < arthur_l> where can i find documentation explaining the use of tun devices for openvpn using pki ? 
09:57 < arthur_l> i'm having weird things going on, such as 09:57 < arthur_l> it initiates an initial tun device with .1 ptp .2 09:58 < arthur_l> then the first client that connects get .9 ptp .10 09:58 < arthur_l> I would expect it to get .9 ptp .1 09:58 < ecrist> !configs 09:58 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 10:03 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has joined ##openvpn 10:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:29 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn 10:29 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 10:40 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 10:40 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 10:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out] 10:41 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Client Quit] 10:41 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 10:41 -!- arthur_l [n=arthur@logilab2-7-50.cnt.nerim.net] has quit ["Client exiting"] 10:43 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Client Quit] 10:43 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn 11:04 -!- WormFood [n=wormfood@121.34.202.195] has quit [Read error: 60 (Operation timed out)] 11:16 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 11:17 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Read error: 145 (Connection timed out)] 11:19 -!- WormFood [n=wormfood@58.60.223.158] has joined ##openvpn 11:22 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 11:38 -!- WormFood [n=wormfood@58.60.223.158] has quit [Read error: 60 (Operation timed out)] 11:39 -!- WormFood 
[n=wormfood@58.60.223.158] has joined ##openvpn 11:45 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn 12:02 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 12:13 -!- Mitar [n=mitar@193.2.157.120] has joined ##openvpn 12:15 < Mitar> is it possible to use RC4 for tunnel encryption? i would like to use fastest possible encryption just to scramble data a little bit and it seems RC4 is fastest 12:15 < Mitar> and from man page i have a feeling that rc4 is used just for control data? 12:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:17 -!- orzel [n=orzel@2002:52e1:9a02:2:224:1dff:fe8f:c292] has joined ##openvpn 12:17 -!- talon_ [n=talon@93-97-172-144.zone5.bethere.co.uk] has joined ##openvpn 12:17 < talon_> hi there, i'm getting issues connecting over HTTP proxy 12:17 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn 12:17 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 12:18 < talon_> Attempting to establish TCP connection with 10.136.5.12:3128 [nonblock] 12:18 < talon_> TCP connection established with 10.136.5.12:3128 12:18 < talon_> Send to HTTP proxy: 'CONNECT xx.xx.xx.xx:1194 HTTP/1.0' 12:18 < talon_> recv_line: TCP port read timeout expired: Operation now in progress (errno=115) 12:19 < talon_> the service is up on the server, (i checked with nmap), process is running 12:19 < orzel> hello. i have a weird routing problem and wonder if you could have a hint for me..... From the vpn-connected computer i can ping some, but not all of the nodes on the local network connected to the server. I can not see any difference between those that i can ping, and those that i can not. They all belong to the same subnetwork.. and i can ping them all from the server itself. 12:19 < talon_> and i opened a port on the firewall (server side) to forward 1194 12:19 < orzel> if you have any idea of what i could try.. or test.. 
or change 12:20 < talon_> orzel: i wish i was that far 12:21 < orzel> talon_: sorry ;-/ 12:21 < talon_> if the other nodes are vpn-connected as well, you could check to see if client-to-client is set in openvpn.conf 12:22 < orzel> i can ping xx.xx.xx.{1,2,5,6}, but i can't ping xx.xx.xx.{3,4,7} from the vpn, and i can ping everything from the server 12:22 < orzel> talon_: all those computers are on the local network, unrelated to vpn. Basic dhcp stuff. 12:23 < talon_> what is the internal ip of your vpn connected node? 12:24 < orzel> i use 10.23.0.0/24 for my vpn stuff 12:24 < orzel> this client is connect with 10.23.0.6 i think 12:24 < orzel> connected 12:25 < talon_> so tun0 on your server is 10.23.0.1 i guess 12:26 < orzel> that's it (it's called tun23) 12:26 < talon_> and the rest of your network is something different like 192.168.0.0/128 12:26 < orzel> yes 12:26 < orzel> wait, that's weird. I think i got something 12:27 < orzel> on the client i have a netmask of 255.255.255.252 for the vpn link 12:27 < talon_> ah 12:28 < orzel> which means the last two bits are 'special'. and if you check my line with working/not working, it indeed depends on the last two bits (1,2 and 5,6 have the same last two bits) 12:28 < orzel> now..... why is that so i have no clue 12:28 < talon_> :-) 12:28 < talon_> well, if you know about HTTP proxies you can be my friend 12:28 < orzel> i've never ever used such a mask in my whole life 12:28 < orzel> http proxies ? i'm afraid not ..... 12:28 < talon_> boo 12:29 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 12:31 < orzel> on the client openvpn log, it says "Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.23.0.6/255.255.255.252 on interface....(ugly hexa)" 12:31 < orzel> so the question now is : who gave this weird /30 mask ? 12:31 < talon_> file a bug 12:31 < talon_> if it came as default 12:31 < talon_> but against dhcpd or openvpn 12:32 < talon_> ? 12:32 < orzel> no clue. 
my openvpn.conf says "server 10.23.0.0 255.255.255.0"... 12:32 -!- hyper_ch [n=hyper@39-234.0-85.cust.bluewin.ch] has quit [Read error: 54 (Connection reset by peer)] 12:33 < krzee> !/30 12:33 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 12:34 < orzel> google finds some openvpn logs where /30 seems common 12:34 < krzee> the /30 is default 12:34 < talon_> ahh HA! 12:34 < krzee> because topology net30 is default 12:34 < orzel> krzee: well optimized, can you do it with less than 4 chars ? ;) 12:34 < talon_> use port 443 for proxied connections! 12:34 < krzee> its a workaround for stupid windows stuff 12:34 < talon_> sweet! 12:34 < krzee> they found a new way, as explained in !topology 12:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:35 * talon_ is jumping up and down in his chair waving his arms like a retarded fat kid 12:35 < talon_> whoo hoo! 12:35 < krzee> !topology 12:35 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 12:37 < orzel> krzee: mmm... ok, i understand the faq, but i'm not sure this is related to my problem. It's ok for me that the windows/openvpn stuff uses a /30, but this shouldn't prevent me to reach *.4 and *.5 on the local network connected to the server... or is it so ? 12:39 < orzel> i'm afraid this is totally unrelated, so this is not the reason of my problem :/ 12:45 < orzel> argh. i can't find anything on google and/or openvpn website. All problems are related to either missing "push" or bad forward/iptables rules 12:48 < orzel> if i use tcpdump and watch icmp packets, i can see them arrive from the tun for both cases (ip that ping, ip that do not ping). 
12:48 < orzel> on the local network device, i can on see those that work. 12:48 < orzel> so somehow, the server does not forward some stuff 12:50 < orzel> ah, yes, they are. though slowly 12:53 < krzee> so you are sharing the lan behind the server over the vpn? 12:53 < krzee> what subnet is the server, vpn, client on? all 3 12:55 -!- dazo [n=dazo@nat/redhat/x-ufhpwsfvggsxzoyq] has quit [Read error: 104 (Connection reset by peer)] 12:56 < orzel> the local network is 10.11.0.0./24, i'm sharing it through the command push "route 10.11.0.0 255.255.0.0" 12:56 -!- dazo [n=ndazo@nat/redhat/session] has joined ##openvpn 12:56 -!- dazo is now known as Guest65588 12:56 < krzee> ... 12:56 < orzel> the vpn is using 10.23.0.0/24 as specified by the command "server 10.23.0.0 255.255.255.0" in openvpn.conf 12:57 < krzee> client lan? 12:57 < orzel> the client is on 10.23 of course, and also on 10.0.2.1/24 it seems, for its local network 12:58 < krzee> ok 12:58 < orzel> (i'm slow because the client is a windows xp and i'm not used to it) 12:58 < krzee> is your server the router for its LAN? 12:58 < orzel> yes 12:58 < orzel> and this has worked for years 12:58 < orzel> (it's also the dhcp for the lan, and dns) 12:58 < krzee> so you can in fact ping the machines on the server lan and its just slow? 12:59 < orzel> that's the most weird part : i can ping some of them, and others i can not 12:59 -!- Guest65588 [n=ndazo@nat/redhat/x-fuhgqllvemfowuet] has quit [Read error: 54 (Connection reset by peer)] 12:59 < orzel> from the client that is. I can ping them all from the server. 
12:59 < krzee> make sure windows firewall is disabled for the tap adapter on the server 12:59 < krzee> and any additional filters like norton or mcafee 13:00 < krzee> also try turning off windows firewall on the clients that dont reply 13:00 < krzee> for the slowness, make sure you are using tun instead of tap, make sure you are using udp instead of tcp 13:00 < krzee> and try a mtu-test 13:00 < orzel> i think i dont have a firewall on the openvpn client, nothing is there on the systray anyway. 13:00 < orzel> i'm using tun, for sure 13:01 < orzel> the 'clients' that do not answer to ping are on the local network, and are not 'openvpn' client (just to be sure it's clear) 13:01 < krzee> umm 13:01 < krzee> which lan are they on? 13:02 < orzel> 10.11.0.0/16, the first i've described 13:02 < orzel> (though i had said /24, it's /16 actually) 13:02 < krzee> ok so all the machines you're trying to ping are on the SERVERS lan, right? 13:02 < orzel> absolutely 13:02 < krzee> why would you use a /16 in your lan? 13:02 < orzel> it's not a client-to-client pb 13:03 < krzee> you have over 254 machines in your lan? 13:03 -!- dazo [n=nndazo@nat/redhat/x-piplyqnmdhmiqreb] has joined ##openvpn 13:03 < orzel> There are lot of machines on the lan, yes. People use lot of small devices for test that require an ip 13:03 -!- dazo is now known as Guest82718 13:03 < orzel> still, i think most of the time we are below 256.. 13:03 < krzee> 254 13:03 < orzel> yes, 254 13:03 < krzee> gateway and broadcast 13:04 < orzel> still, below :) 13:04 < orzel> anyway, most of them are down now (people is gone, only ~10 are up i think, so this is not a network traffic pb. 
13:05 < orzel> and the host i can ping or not ping are 100% reproducible 13:05 < krzee> check that the added route was /16 13:06 < krzee> by checking the routing table on the client 13:06 < krzee> ive seen using different subnets than standard cause problems before FYI 13:07 < krzee> try /24 and see if all in the /24 works 13:07 < orzel> the first that fail are 10.11.0.3 10.11.0.4 13:07 < orzel> .1, .2, .5 and .6 works 13:08 < orzel> i did check the route on the client, they are ok 13:08 < orzel> moreover the traceroute shows that the ping is 'blocked' on the server. 13:08 < orzel> it 'reaches 10.23.0.1 (which is the tun ip on the server) 13:08 < krzee> sniffing on the server and machine you're aiming for show the same? 13:08 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn 13:08 < DammitJim> good afternoon from FL 13:09 < orzel> i dont have access to the machine i aim for 13:09 < krzee> orzel, it may be blocking traffic from the ip range 13:09 < krzee> you dont have access to ANY machines which you cant ping? 13:10 < krzee> DammitJim, waddup 13:10 < orzel> krzee: i dont think so. And the ip i cant reach belong to very different kind of hardware 13:10 < DammitJim> what package should I install to set up an openvpn server service in windows server 2003? 13:10 < DammitJim> I've done the openvpn thing through DD-WRT on routers, but not on a windows machine 13:10 < orzel> krzee: erm.. 
well, actually, no, i dont have access to any of those 13:11 < orzel> krzee: (i'm still googling to do the 'mtu test', i just need some more time) 13:11 < krzee> orzel, get access to them, you must packet sniff to find out what device is stopping it 13:11 < krzee> but its not vpn related 13:11 < krzee> its standard networking from this point forward 13:11 < krzee> !download 13:11 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 13:11 < krzee> rc20.exe 13:11 < krzee> (for DammitJim ) 13:12 -!- Guest82718 [n=nndazo@nat/redhat/x-piplyqnmdhmiqreb] has quit ["Reconnecting to server - dircproxy 1.2.0"] 13:12 -!- Guest82718 [n=nnndazo@nat/redhat/session] has joined ##openvpn 13:13 < DammitJim> krzee, thanks! I wasn't sure if that came with the server part and wasn't just the client 13:13 -!- Guest82718 is now known as dazo 13:13 < orzel> krzee: if i use tcpdump on the tun interface, and on the eth2 interface (local network), i can see ping request going through 13:14 < krzee> but you cant see if they make it to the client, and if they do you cant see if it responds 13:15 < krzee> err by client i meant lan machine 13:15 < orzel> i understand 13:15 < krzee> DammitJim, openvpn doesnt have a distinction between server part and client part 13:15 < krzee> its just diff config files 13:15 < orzel> i could see the icmp reply 13:15 -!- dazo [n=nnndazo@nat/redhat/x-houjbngsnkmwhuof] has quit [Client Quit] 13:15 < DammitJim> ah.. I am learning! Thanks again, krzee 13:16 < krzee> so the reply gets to the server but not back to the vpn client? 13:16 -!- dazo [n=dazo@nat/redhat/x-dlvtthzzeqpovsdz] has joined ##openvpn 13:20 < orzel> for the host that pings i see both,and for those that do not ping i only see the request 13:22 < orzel> krzee: well. I agree it looks like a ip pb and not related to openvpn. I dont want to waste any more of your time. 
I'll come and ask again if i can somehow 'prove' that this could be related to openvpn itself 13:22 < orzel> krzee: thanks a lot for your time 13:29 -!- hyper_ch [n=hyper@adsl-84-226-41-99.adslplus.ch] has joined ##openvpn 13:30 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 60 (Operation timed out)] 13:34 < krzee> yw 13:35 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 13:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 13:53 -!- phantomcircuit [n=phantomc@adsl-99-50-120-222.dsl.pltn13.sbcglobal.net] has joined ##openvpn 13:54 < phantomcircuit> I know this is kind of off topic, but does anybody know whether wireshark can decode the openvpn protocol? 14:00 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has left ##openvpn ["I ♥ Elive"] 14:05 < dazo> phantomcircuit: I don't recall that I've seen openvpn there .... basically because it's plain SSL traffic 14:05 < phantomcircuit> is it still plain ssl traffic if you're using a shared key and not certs? 14:06 < dazo> phantomcircuit: and I don't recall if wireshark supports decrypting "on the fly", even if it get the needed keys 14:06 < dazo> phantomcircuit: yeah, it should be .... SSL is flexible enough to provide symmetric encryption 14:06 < dazo> certs only add asymmetrical encryption in addition 14:06 < phantomcircuit> hmm 14:07 < phantomcircuit> oh crap i know why i cant do it, ssl uses a key derivation algorithm based on the shared key and some random data that never goes over the wire 14:07 < phantomcircuit> darn 14:07 < dazo> exactly 14:07 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 14:08 < dazo> it is possible though, in theory, if wireshark would have the static key as well ... then it could follow the key derivation process to some degree ... but the random data from each side would be the difficult part 14:10 < dazo> phantomcircuit: if you're debugging OpenVPN .... why not use --cipher none ? 
14:18 -!- Boolman [n=Boolman@ip4-147.bon.riksnet.se] has quit [Read error: 104 (Connection reset by peer)] 14:27 -!- orzel [n=orzel@2002:52e1:9a02:2:224:1dff:fe8f:c292] has quit [Remote closed the connection] 14:37 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:46 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 14:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 14:50 -!- Rolybrau [n=Rolybrau@127-238.3-85.cust.bluewin.ch] has joined ##openvpn 14:53 -!- dazo is now known as dazo|afk 14:56 -!- phantomcircuit [n=phantomc@adsl-99-50-120-222.dsl.pltn13.sbcglobal.net] has quit ["Leaving"] 14:57 -!- talon_ [n=talon@93-97-172-144.zone5.bethere.co.uk] has quit ["Changing server"] 15:04 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 15:06 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 15:20 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 15:24 -!- c64zotte1 [n=hans@62-12-233-148.pool.cyberlink.ch] has joined ##openvpn 15:26 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)] 15:26 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 15:39 -!- c64zottel [n=hans@62-12-255-127.pool.cyberlink.ch] has quit [Success] 15:43 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Connection timed out] 15:45 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn 15:59 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has joined ##openvpn 16:01 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has left ##openvpn [] 16:02 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has joined ##openvpn 16:08 -!- c64zottel [n=hans@62.12.221.233] has joined ##openvpn 16:13 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has left ##openvpn [] 16:13 
-!- c64zotte1 [n=hans@62-12-233-148.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)] 16:19 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has joined ##openvpn 16:28 -!- Hypnoz [n=colin@66.104.252.161] has joined ##openvpn 16:40 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has left ##openvpn [] 16:47 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit] 17:06 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: arcsky, Rolybrau, MadTBone_, Ziber 17:06 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: connectionVPN, krzie, odonata, ErickG, dazo|afk, Igor_AKA_Warrior, drue, Argafal, vpnHelper, zuez, (+19 more, use /NETSPLIT to show all of them) 17:07 -!- Netsplit over, joins: MadTBone_, Rolybrau, master_of_master, le0, Ziber, HardDisk_WP, Bushmills, IcyPolecat, arcsky, odonata (+1 more) 17:08 -!- Netsplit over, joins: drue, zuez, ErickG, connectionVPN, hyper_ch, dazo|afk, WormFood, epaphus, plaerzen, Snadder (+2 more) 17:08 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn 17:08 -!- Netsplit over, joins: Igor_AKA_Warrior, oc80z, sigius, zamba, rooth, vpnHelper, sno, krzie, robotti^ 17:09 -!- zuez [n=sf@catalyst.httpd.org] has quit [Excess Flood] 17:09 -!- zuez_ [n=sf@66.7.199.96] has joined ##openvpn 17:10 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Connection timed out] 17:10 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 17:16 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has joined ##openvpn 17:32 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 18:03 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has joined ##openvpn 18:03 < kiwi_> hello 18:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 18:08 < kiwi_> i patched openvpn so it supports openbsd routing domains. 
it's an openbsd specific feature. do you think it can be integrated into openvpn ? 18:29 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 18:29 -!- c64zottel [n=hans@62.12.221.233] has left ##openvpn [] 18:42 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 18:45 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has quit ["Leaving."] 18:51 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 18:53 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["Leaving"] 19:17 -!- theDoc [n=hex@bb116-15-146-184.singnet.com.sg] has joined ##openvpn 19:22 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Connection timed out] 19:35 -!- theDoc [n=hex@bb116-15-146-184.singnet.com.sg] has quit ["This computer has gone to sleep"] 19:37 -!- Hypnoz [n=colin@66.104.252.161] has left ##openvpn [] 19:38 < krzie> Bushmills here? 19:39 < krzie> i have found some answers via google, but none as full featured or elegant as i'd like, so i got a lil shell q for ya 19:40 -!- jeiworth [n=jeiworth@189.234.126.153] has joined ##openvpn 19:57 < Bushmills> yes 20:02 < krzie> got an easy way to check if a var is a number? (must support decimal point) 20:06 -!- theDoc [n=hex@119.73.165.162] has joined ##openvpn 20:06 < Bushmills> not really. st like this maybe: echo 123.456 | grep -qe '^[0-9]*\.[0-9]*$' && echo num 20:08 -!- theDoc [n=hex@119.73.165.162] has quit [Nick collision from services.] 20:09 -!- thedoc_ [n=hex@unaffiliated/thedoc] has joined ##openvpn 20:09 < krzie> but that doesnt work if no decimal 20:09 < krzie> decimal may or may not appear in the num 20:09 -!- thedoc_ is now known as theDoc 20:09 < Bushmills> doesn't need to. "must support decimal point" 20:09 < krzie> although i guess i could make 2 tests... 
didnt think bout that 20:10 -!- jeiworth [n=jeiworth@189.234.126.153] has quit [Read error: 110 (Connection timed out)] 20:10 < krzie> must support it, not that the decimal must appear =] 20:12 < krzie> but that made me realize i can just make 2 tests and if it passes either its valid 20:13 < Bushmills> try: echo 123..456 | grep -qe '^[0-9]*\.\?[0-9]*$' && echo num 20:14 < Bushmills> ? matches 0 or 1 occurrences of prev char 20:14 < krzie> ahh no shit 20:14 < krzie> didnt know that one 20:14 < krzie> that works perfect bro 20:15 < krzie> you're so ninja 20:15 < Bushmills> i think that's ugly :P 20:15 < krzie> sure but its much more elegant than what i was gunna do 20:18 < Bushmills> if the whole string in the var is or isn't a num, you can leave away the ^ and $ 20:18 < Bushmills> ehm, no 20:18 < Bushmills> can't 20:19 < krzie> ans="n" 20:19 < krzie> while [[ "${ans}" != "y" ]] ;do 20:19 < krzie> echo "$agent currently has $bottom " 20:19 < krzie> echo "How much would you like to add to ${agent}? (if you add -20 it is withdrawing $20)" 20:19 < krzie> read xfer 20:19 < krzie> echo $xfer | grep -qe '^[0-9]*\.\?[0-9]*$' || { echo "$xfer is not a number"; continue; } 20:19 < krzie> newbottom=`echo "${bottom} + ${xfer}"|bc` 20:19 < krzie> echo "so now agent has a new bottom of $newbottom " 20:19 < krzie> echo "Is this correct? (y/n)" 20:19 < krzie> read ans 20:19 < krzie> done 20:19 < krzie> =] 20:20 < Bushmills> grep -qe '^[0-9]*\.\?[0-9]*$' <<< $xfer || echo $xfer is not a number # :D 20:20 < krzie> 3 <<< 's? 20:21 < Bushmills> a "here" doc 20:22 < krzie> that would try to read a file of what $xfer expands to 20:22 < Bushmills> line <, but doesn't read from file. reads from command line instead 20:22 < Bushmills> like .. 
20:23 < krzie> heh 20:23 < krzie> never seen more than 1 < for input 20:23 < krzie> or 2 for output 20:24 < krzie> but yup it works 20:24 -!- zuez_ [n=sf@66.7.199.96] has quit [Remote closed the connection] 20:24 < Bushmills> << for input exists too 20:24 < Bushmills> like: 20:24 < krzie> whats the diff? 20:24 < Bushmills> cat << EOF 20:24 < Bushmills> foo 20:24 < Bushmills> bar 20:24 < Bushmills> EOF 20:24 < krzie> ahh 20:24 < krzie> until string is read 20:25 < krzie> 1 from file, 2 from input until string, 3 from var 20:25 < Bushmills> 3 can be literal too 20:26 < Bushmills> wc <<< "a b c" 20:26 < Douglas> blah 20:26 * Douglas is pissy 20:35 < Mitar> is it possible to use RC4 for tunnel encryption? i would like to use fastest possible encryption just to scramble data a little bit and it seems RC4 is fastest 20:35 < Mitar> and from man page i have a feeling that rc4 is used just for control data? 20:36 < krzie> Mitar does your openssl support RC4? 20:36 < Mitar> yes 20:36 < krzie> then yes 20:36 < Douglas> hi krzie 20:36 < Douglas> how are you 20:36 < krzie> hi, good 20:36 < Douglas> nice 20:37 < krzie> whats your paypal email dougy? 20:38 < Douglas> man 20:38 < Douglas> my world got skullfucked today 20:38 < krzie> awesome! 20:38 < Douglas> not really 20:38 < krzie> oh 20:39 < krzie> i mean damn 20:39 < Douglas> im not looking forward to 6 months downtime 20:39 < Douglas> from surgery 20:39 < Mitar> so --show-ciphers does not show it, but --show-tls does 20:39 < Mitar> so i could use RC4 for data packets? how? 
20:47 < krzie> i was under the impression that anything openssl supports could be used as a cipher 20:48 -!- dazo|afk- [n=ndazo@nat/redhat/x-pevifwqihlkplvoo] has joined ##openvpn 20:49 -!- dazo|afk [n=dazo@nat/redhat/x-dlvtthzzeqpovsdz] has quit ["Getting off stoned server - dircproxy 1.2.0"] 20:49 -!- dazo|afk- is now known as dazo|afk 21:02 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 21:15 -!- master_of_master [i=master_o@p549D6467.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:19 -!- master_of_master [i=master_o@p549D6169.dip.t-dialin.net] has joined ##openvpn 21:34 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:42 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn 21:43 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn 21:49 < krzie> Bushmills i made it grep -qe '^-\?[0-9]*\.\?[0-9]*$' <<< ${xfer} 21:49 < krzie> now it supports negatives as well 22:07 -!- Douglas [n=contact@ool-435316a6.dyn.optonline.net] has quit [] 22:07 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn 22:11 < Bushmills> that's a good mod 22:13 < krzie> thats a damn good regex 22:13 < krzie> on google people made it less useful and more complicated 22:16 < Bushmills> well, google indexes everything, and can't determine complexity or a solution. I suppose shorter or simpler ways can be found as well. 22:16 < Bushmills> of a solution ... 22:22 < krzie> true, and my query could be to blame (although my google-fu is usually rather good) 22:24 -!- stlsaint [n=stlsaint@unaffiliated/stlsaint] has joined ##openvpn 22:25 -!- thewrath [n=michaelb@dsl-206-251-13-64.dsl0.crls.pa.net] has joined ##openvpn 22:25 < thewrath> hey all 22:25 < stlsaint> hey thewrath 22:25 < krzie> sup 22:25 < thewrath> what port does openvpn 22:25 < thewrath> 1196? 
22:25 < krzie> default 1194
22:25 < stlsaint> or 1194
22:25 < thewrath> k
22:25 < thewrath> ok
22:25 < thewrath> stlsaint u beat me darn you lol
22:25 < krzie> but it runs on whatever you tell it to
22:25 < thewrath> k
22:25 < stlsaint> yep yep
22:26 < stlsaint> krzie: how would you recommend i set up a vps to allow someone else access to it thru vpn?
22:26 < thewrath> does openvpn run on centos too?
22:26 < krzie> make sure ssh runs on the vpn ip
22:26 < krzie> thewrath sure, thats just a linux
22:27 < thewrath> so you want vpn and ssh to run on same port?
22:27 < krzie> no...
22:27 < krzie> krzie: how would you recommend i set up a vps to allow someone
22:27 < krzie> else access to it thru vpn?
22:27 < krzie> the answer is to run ssh on the internal vpn ip
22:27 < krzie> then nce connected to the vpn he can ssh to the vpn ip
22:27 < krzie> once*
22:28 < stlsaint> ah i get what you're saying, not quite sure how to set it up tho!
22:28 < thewrath> stlsaint can you explain it to me
22:28 < krzie> heh
22:28 < krzie> !howto
22:28 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:28 < krzie> !man
22:28 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
22:28 < krzie> !sample
22:28 < vpnHelper> krzie: "sample" is a working sample config: http://www.ircpimps.org/openvpn.configs
22:28 < krzie> !forget sample
22:28 < vpnHelper> krzie: Joo got it.
22:29 < krzie> !learn sample as http://www.ircpimps.org/openvpn.configs for a working sample config
22:29 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
22:29 < krzie> !sample
22:29 < vpnHelper> krzie: Error: "sample" is not a valid command.
22:29 < krzie> hah
22:29 < stlsaint> thewrath: from what im taking, well you know that vpn is 'tunneling' so once you connect via vpn use ssh for transportation. i think!!
22:29 < krzie> !learn sample as http://www.ircpimps.org/openvpn.configs for a working sample config
22:29 < vpnHelper> krzie: Joo got it.
22:29 < thewrath> krzie is he correct
22:30 < theDoc> [vps] --- [vpn server] ---- [client]
22:30 < theDoc> something to that extent :p
22:31 < krzie> !learn sample as DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
22:31 < vpnHelper> krzie: Joo got it.
22:31 < thewrath> but openvpn comes with good documentation?
22:31 < krzie> very good, but it can require semi-advanced networking knowledge
22:31 < krzie> because setting up a vpn can be an advanced networking subject
22:32 < krzie> but what stlsaint is trying to do is rather simple
22:33 < krzie> only pre-requisite before diving in would be knowing how to configure your ssh daemon
22:33 < stlsaint> krzie: well i know ssh pretty well, at least the basics of it
22:33 < krzie> then you know how to make it listen on specific ips
22:33 < krzie> in which case, you know the ssh side of this configuration
22:34 < krzie> so:
22:34 < krzie> !sample
22:34 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
22:34 < stlsaint> ip's? hhmm i would have to take a look at my config file but ports yes!
22:34 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: misse-, jhp, phusion
22:34 < krzie> and use the howto for generating keys
22:36 -!- Netsplit over, joins: phusion, misse-, jhp
22:36 < thewrath> generating keys is easy
22:36 < krzie> all of it is
22:37 < thewrath> yrs
22:37 < krzie> thewrath did you need help with something?
22:38 < thewrath> when i said yrs no
22:38 < thewrath> i am in here with krzee
22:38 < thewrath> *stl
22:38 < stlsaint> krzie: so setup openvpn using howto, configure ssh, generate keys and thats it?
22:39 < krzie> yup
22:39 < krzie> although the keys part is part of the howto
22:39 < krzie> so really: setup openvpn using howto, configure ssh
22:39 < stlsaint> oh ok, so i wont need to forward any ip's from my router correct?
22:40 < krzie> does the vps have direct access to the inet?
22:40 -!- theDoc [n=hex@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
22:40 < krzie> ie: not behind a NAT
22:40 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
22:40 < krzie> maybe im misunderstanding your goal
22:40 < krzie> let me repeat it
22:41 < stlsaint> krzie: no the vps will be behind router
22:42 < krzie> you want to have a vpn server on your vps to secure it, and let someone connect to ssh on the vps once they have authenticated to openvpn
22:42 < stlsaint> krzie: exactly
22:43 < krzie> the vps is at home?
22:43 < stlsaint> yep
22:43 < krzie> ok then of course it must have a port forwarded
22:43 < krzie> that question has absolutely nothing to do with openvpn
22:43 < krzie> ANYTHING you run that people should connect to has that answer
22:43 < stlsaint> krzie: alright, sorry i have never implemented a vpn
22:43 -!- ErickG [n=ErickG@190.87.249.20] has joined ##openvpn
22:44 < krzie> standard networking rules apply :-p
22:44 < stlsaint> kk
22:44 -!- ErickG [n=ErickG@190.87.249.20] has left ##openvpn []
22:45 < stlsaint> well in that case i will need to setup reverse proxy, but thats off topic!
22:45 < theDoc> why do you need reverse proxy for that?
22:45 < krzie> you cant forward a port?
22:46 < stlsaint> sorry, not thinking clearly as it runs on different port(1194?) nvrm, crazy talk!!
22:46 < krzie> it also runs on udp when possible
22:46 < stlsaint> krzie: yes i can forward a port but i wasnt thinking straight as i know that the other port i have forwarded does not run on 1194 hence i say nvrm
22:47 < stlsaint> krzie: udp...kk
22:48 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:48 < stlsaint> sorry im laggin right now
22:49 < stlsaint> krzie: alright so same steps as you mentioned before? openvpn howto, configure ssh?
22:50 < krzie> yes
22:52 < stlsaint> alright i should be set from there,
22:52 < stlsaint> krzie: thanks a lot for help
22:52 < stlsaint> theDoc: thanks also
22:52 < krzie> yw
22:53 < stlsaint> later all
22:53 -!- stlsaint [n=stlsaint@unaffiliated/stlsaint] has left ##openvpn []
22:57 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out]
23:04 -!- thewrath [n=michaelb@dsl-206-251-13-64.dsl0.crls.pa.net] has quit []
23:50 -!- Gumbler_ [i=Gumbler@animux.de] has joined ##openvpn
23:52 -!- jeiworth_ [n=jeiworth@189.234.96.156] has joined ##openvpn
23:52 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit ["Quit"]
23:52 -!- Gumbler_ is now known as Gumbler
23:53 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Dead socket]
23:54 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has quit [Read error: 104 (Connection reset by peer)]
23:54 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
--- Day changed Fri Oct 30 2009
00:15 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection]
00:15 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
00:55 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: misse-, jhp, phusion
00:56 -!- Netsplit over, joins: phusion, misse-, jhp
01:17 -!- hyper_ch [n=hyper@adsl-84-226-41-99.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
01:38 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: JyZyXEL, stein0, misse-, brizly, lifeforms, jhp, fatou73, redfox, wikiii, jreno_, (+3 more, use /NETSPLIT to show all of them)
01:40 -!- Netsplit over, joins: stephenh
01:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:40 -!- Netsplit over, joins: stein0
01:40 -!- Netsplit over, joins: phusion
01:41 -!- Netsplit over, joins: fatou73, lifeforms
01:42 -!- Netsplit over, joins: redfox
01:42 -!- redfox is now known as Guest71015
01:42 -!- Netsplit over, joins: jreno_
01:43 -!- Netsplit over, joins: brizly
01:43 -!- Netsplit over, joins: JyZyXEL
01:44 -!- Typone [n=nnnitsme@195.197.184.87] has joined ##openvpn
01:46 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
02:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
02:15 -!- hyper_ch [n=hyper@81.62.243.100] has joined ##openvpn
02:37 -!- WormFood [n=wormfood@58.60.223.158] has quit [Read error: 60 (Operation timed out)]
02:37 -!- WormFood [n=wormfood@58.60.223.158] has joined ##openvpn
02:38 -!- LobbyZ [n=default@94.75.193.5] has quit ["Free FTW"]
02:50 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:08 -!- LobbyZ [n=default@217.18.70.127] has joined ##openvpn
03:38 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 113 (No route to host)]
03:38 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
03:39 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:54 -!- dazo|afk is now known as dazo
03:56 -!- WormFood [n=wormfood@58.60.223.158] has quit [Read error: 60 (Operation timed out)]
03:57 -!- WormFood [n=wormfood@58.60.223.158] has joined ##openvpn
04:16 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
04:21 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
04:29 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
04:34 -!- TomBombadil13 [n=TomBomba@84-119-77-120.dynamic.xdsl-line.inode.at] has joined ##openvpn
04:36 < TomBombadil13> hi @all question: routing problem. i can ping all pc from each server behind the vpn but i can not ping from one network to the other
04:38 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has joined ##openvpn
04:48 < reiffert> !route
04:48 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:49 < TomBombadil13> that works for tun but i have tap ... in my case it does not work at all
04:58 < reiffert> normal routing/nat applies after tap.
05:04 < dazo> TomBombadil13: unless you've done bridging, it's all about routing .... and usually routing works fine without any hassle ... but tcpdump and traceroute are your friends now, to figure out where it goes wrong
05:07 < Mitar> is it possible to use RC4 for tunnel encryption? i would like to use fastest possible encryption just to scramble data a little bit and it seems RC4 is fastest
05:07 < Mitar> and from man page i have a feeling that rc4 is used just for control data?
05:07 < Mitar> so --show-ciphers does not show it, but --show-tls does
05:09 -!- Vito111 [n=vito@195.3.173.128] has quit [Read error: 104 (Connection reset by peer)]
05:11 < TomBombadil13> can i post my routing table
05:13 < TomBombadil13> dazo: hi
05:13 < dazo> TomBombadil13: pastebin it
05:14 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has quit ["Leaving."]
05:14 * dazo is at work .... and might be unresponsive at times .... patience is needed :)
05:19 < Mitar> dazo, i will wait :-)
05:21 < dazo> Mitar: OpenVPN supports mostly all ciphers which your OpenSSL installation does .... for a fast encryption, also consider blowfish
05:23 < dazo> Mitar: and if I don't recall wrong ... RC4 is used for asynchronous encryption, which is why it shows up in --show-tls .... while --show-ciphers is for the synchronous encryption of the tunnel
05:24 < Mitar> yes, RC4 is not in list of --ciphers
05:24 < Mitar> but it is on --tls-ciphers
05:24 < Mitar> so i cannot use it for data packets? or can i?
05:24 < dazo> Mitar: TLS uses asynchronous encryption to exchange a synchronous encryption key .... this is because asynchronous encryption is way slower than synchronous
05:25 < Mitar> but "openssl speed" benchmarks RC4 way higher than others
05:25 < Mitar> so even if algorithm is faster it will still be slower because it is asynchronous?
05:26 < dazo> exactly ... you can use RC4 to speed up the asynchronous part
05:26 < dazo> yes
05:26 < Mitar> ok, but currently i do not use tls for authentication
05:26 < dazo> it takes more CPU cycles to do the PKI stuff, because the keys need to be a lot stronger
05:26 < Mitar> and just blowfish for data encryption
05:26 < dazo> --tls-auth is something else (I honestly don't understand why 'tls' is used in this context)
05:26 < Mitar> so there is no faster configuration possible
05:27 < Mitar> (except disabling encryption all together)
05:27 < dazo> you need --tls-server and --tls-client ... that's the core TLS implementation
05:27 < dazo> and the TLS implementation adds the PKI setup (asynchronous encryption)
05:30 < hyper_ch> TLS is stronger than SSL?
05:31 < dazo> SSLv3 and TLSv1 are pretty much similar ... the protocol is slightly changed and TLSv1 offers DSS/DSA in addition
05:31 < Mitar> http://pastebin.com/d5b7d77de
05:31 < Mitar> dazo, this is my client configuration
05:31 < dazo> what's confusing is that when you talk about SSL .... it can be a lot of things .... it can be the general encryption theory or it can be a specific implementation
05:32 < Mitar> so my question is: is there a configuration which would improve client throughput which is currently CPU bound
05:32 < Mitar> i do not need security, but some scrambling would be nice
05:33 < Mitar> just so that simple sniffing does not work
05:33 < dazo> Mitar: how powerful is your CPU on the clients and servers?
05:33 < Mitar> on servers is a lot
05:34 < Mitar> on clients it is an openwrt system on routers
05:34 < Mitar> so 230 MHz and so
05:35 < dazo> oki ... then you can add --keysize as well
05:35 < Mitar> http://pastebin.com/m3cfb8596 benchmark on router
05:35 < dazo> f.ex keysize 64 ....
05:37 < Mitar> thanks
05:37 < Mitar> nice idea
05:37 < dazo> but it's interesting .... show-ciphers does show RC2 ....
05:37 < Mitar> and probably i could disable lzo-compression
05:38 * dazo wonders if this has something to do with earlier export restrictions
05:38 < dazo> Mitar: depends on what kind of traffic you pass over the tunnel
05:38 < Mitar> all sorts of data
05:38 < Mitar> completely generic
05:38 < Mitar> but compression eats cpu cycles
05:38 < Mitar> so ... is it not better to not use it?
05:39 < dazo> Mitar: if it is easily compressible data .... (60-70% of the amount of traffic) ... it's really worth checking out how much CPU power that uses ... as that can boost the performance
05:39 < Mitar> yes because there is less to encrypt
05:39 < dazo> but if it is mainly already compressed data (like JPG, GIF, MP3, etc) ... then you'll waste energy and slow it down
05:39 < Mitar> so i cannot use cipher RC4 in my case?
05:40 < dazo> As long as --show-ciphers does not list it ... no
05:40 < Mitar> so ciphers are used for data packets
05:40 < Mitar> and -tls for control packets?
05:40 < dazo> yes
05:40 < dazo> basically yes
05:41 < Mitar> so even if it is listed in ciphers-tls this does not help me in any way?
05:42 < dazo> it sure can improve performance .... especially during re-keying
05:43 < Mitar> http://pastebin.com/m5b81240a
05:43 < Mitar> i have made a paste of the list from openvpn --show*
05:44 < Mitar> but this is used only to get keys for --cipher which is then used to encrypt data ..
05:44 < Mitar> thanks a lot for everything
05:52 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has joined ##openvpn
06:01 -!- Mitar [n=mitar@193.2.157.120] has left ##openvpn []
06:02 -!- hyper_ch [n=hyper@81.62.243.100] has quit [Remote closed the connection]
06:10 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
06:11 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has left ##openvpn []
06:13 -!- c64zottel [n=hans@62.12.221.233] has joined ##openvpn
06:19 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
06:27 -!- a|3x [n=alex@67.160.190.87] has joined ##openvpn
06:28 < a|3x> hi, i am having a difficulty, anybody care to help?
06:28 < robert_> ever heard of the phrase, "Don't ask to ask."
06:28 < robert_> ?
06:28 < a|3x> its a prelude to me asking
06:29 < a|3x> to see if anyone is alive
06:29 < robert_> just ask your question
06:29 < a|3x> i am testing out openvpn access server, i have samba installed on the same machine
06:29 < robert_> if someone can help they will.
06:29 < a|3x> i can't seem to access my samba installation from a vpn client
06:29 < robert_> a vpn client?
06:29 < robert_> which vpn client?
06:30 < a|3x> well, the client computer
06:30 < a|3x> that is far away
06:30 < a|3x> i have connected it to the vpn server and am able to ping and access internal services
06:30 < a|3x> but not samba
06:31 < a|3x> i have added the interface name and ip to the interfaces = line in smb.conf
06:31 < robert_> samba uses udp, if I'm not mistaken.
06:31 < a|3x> udp is not tunneled?
06:33 -!- brizly [n=brizly_v@p4FC98144.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:35 < a|3x> robert_: udp should be tunneled through the vpn, right?
06:35 -!- brizly [n=brizly_v@p4FC983F5.dip0.t-ipconnect.de] has joined ##openvpn
06:44 < robert_> all traffic I think "should" be
06:44 < a|3x> so what could be wrong?
06:50 < ecrist> good morning
06:50 < a|3x> depends on where you are
06:51 < ecrist> a|3x: it's difficult for us to support access server since it's a commercial product.
06:52 < ecrist> however, are you able to connect to the samba share via IP address?
06:53 < a|3x> ecrist: what do you mean via ip address? i am able to connect from local computers, yes
06:54 < ecrist> is the VPN client a windows or linux machine?
06:54 < a|3x> client is windows
06:54 < ecrist> so, Start->Run and type \\IP_OF_SAMBA_SERVER\ and tell me what happens
06:55 < a|3x> the specified network name is no longer available
06:55 < ecrist> have you checked your firewall?
06:55 -!- netman [n=netman@62.58.98.250] has joined ##openvpn
06:56 < a|3x> i get strange "negative session response, not listening for called name" packets in wireshark
06:56 < ecrist> have you checked your firewall?
06:56 < a|3x> firewall is not the problem, i tried without it and also added a trust rule
06:57 -!- alibaba [n=xerox@goliath.hantsch.co.at] has joined ##openvpn
06:57 < a|3x> now this is the firewall on windows client i am talking about
06:57 < ecrist> because this isn't the first time someone's come in here claiming the firewall isn't the problem...
06:57 < a|3x> i shut down firewall on windows and it still doesn't work
06:57 < ecrist> what about the samba server?
06:57 < a|3x> also, i added a trust rule for server ip
06:57 < a|3x> i have iptables set up
06:58 < a|3x> i have 2 chains, one for external network, another for internal network
06:58 -!- hyper_ch [n=hyper@adsl-84-226-41-99.adslplus.ch] has joined ##openvpn
06:58 < ecrist> try disabling iptables
06:58 < a|3x> i run internal network chain for openvpn as interface
06:59 < a|3x> i don't think thats a good idea
06:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:00 < ecrist> ok. I can't help you then.
07:00 < alibaba> Hello. I am currently trying to configure my first VPN in my life. It shall connect two sites (with a LAN behind) to each other over the Internet. I am using OpenSuSE 11.1 on both sides and I installed right now openvpn on the server side. Please, can somebody help me?
07:02 < a|3x> ecrist: i did shut down the firewall on the server to test and i get a different message but still same result: "windows cannot find \\10.10.10.1... blah blah blah"
07:02 < ecrist> can you ping the ip?
07:02 < a|3x> ecrist: i am quite sure firewall is not the problem here because the same iptables chain is used for internal network and vpn one
07:03 < a|3x> i can ping the ip even with all the firewalls
07:05 < a|3x> wireshark reveals a conversation with the server, i just can't figure out why its not working
07:06 < a|3x> there is an interesting packet in the exchange, wireshark shows it as "negative session response, not listening for called name"
07:09 < ecrist> I have no idea what that means. you'd have better luck in #samba
07:11 < kyrix> alibaba, we might help if you ask a question :)
07:11 < alibaba> Hi! Actually I need somebody who guides me. I never did that in my life before.
07:14 < alibaba> kyrix: Are you willing to do so, please?
07:15 < kyrix> alibaba: yes
07:15 < kyrix> ill help, but wont do it for you
07:15 < alibaba> Just a short moment, I finish changing the netmask on a few devices
07:17 < alibaba> Ok. Where do I start, please? I just installed openvpn on the server. (client is currently untouched)
07:17 < kyrix> alibaba, do you also configure the server?
07:19 < alibaba> Yes. What I must do (because my ISP on the client side changes me to DHCP) is establishing some kind of tunnel, so the client side (running a different network) can transparently reach my office LAN.
07:19 < alibaba> I was told the best is using a routed network.
07:20 < alibaba> So I configured the office LAN to 10.0.x.x/16 and the remote LAN to 10.1.x.x/16.
07:20 < kyrix> ok, good so far
07:22 < alibaba> I did now a "zypper in openvpn" on the gateway/firewall in my office. This shall become the "server". It has also a second NIC for WAN (with an official static IP).
07:24 < alibaba> The client side will also have a similar machine with 3 NICs (WAN, DMZ, LAN). LAN shall be tunneled/routed into my office LAN, DMZ not.
07:24 < alibaba> I think this is a relatively clean structure, but because I never configured openvpn in my life, I am afraid to do something wrong.
07:26 < alibaba> ok so far?
07:31 < kyrix> yup
07:31 < alibaba> phew. I was afraid you say no now. ;)
07:32 < alibaba> So I will have to configure now the server side first, I think.
07:33 < alibaba> What must I do? Can you possibly point me to a really bullet-proof step-by-step instruction?
07:35 < reiffert> !howto
07:35 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:36 < kyrix> yup: thats what i was about to do
07:36 < alibaba> Thank you. Is this a "dissertation" or a "cookbook"?
07:37 < kyrix> i wouldnt call it bullet proof, as setting up a vpn is never easy. but reading the docs is 1st :)
07:37 < reiffert> alibaba: it's a howto
07:37 < reiffert> alibaba: mainly because it's called a howto.
07:40 < alibaba> I see 10.8.0.x IP's in the descriptions. Must they be changed to match the respective LAN or must they be outside of both LANs?
07:41 < reiffert> alibaba: 127.0.0.x
07:42 < alibaba> ?
07:42 < alibaba> Please, don't let me die.
07:42 < reiffert> you should read the complete howto before asking.
07:49 < alibaba> If I use the sample server config file, it uses 10.8.x.x IP's. Can I keep it as is? My LAN is 10.0.x.x/16.
07:50 < reiffert> 13:42 < reiffert> you should read the complete howto before asking.
07:50 < alibaba> You are really very helpful.
07:51 < reiffert> welcome
07:53 < kyrix> alibaba: or you can hire any of us :) plz understand that its not possible to do the work 4 u. we can help out, yes. but we cant configure all the vpns on this planet :)
07:53 < reiffert> no, we can't
07:54 < alibaba> I understand. But the descriptions (= howtos) lack an example setup - or I couldn't find one.
07:55 < alibaba> Instead you point me to 100ds of pages being more or less a dissertation than a step-by-step description for a simple base-setup.
07:56 < kyrix> no, really read it. it _is_ a step by step
07:57 < kyrix> it goes through all the steps though
07:57 < ecrist> !howto
07:57 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:57 < ecrist> !route
07:57 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:57 < ecrist> !freebsd
07:57 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
07:57 < ecrist> alibaba: read one of those. read the man pages
07:57 < ecrist> !man
07:57 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
07:58 < kyrix> i configured my first openvpn following this: http://howto.landure.fr/gnu-linux/debian-4-0-etch-en/install-and-setup-openvpn-on-debian-4-0-etch
07:58 < vpnHelper> Title: Install and setup OpenVPN on Debian 4.0 Etch Lone-Wolf Scripts (at howto.landure.fr)
07:58 < alibaba> kyrix, please answer one simple question: May I keep the 10.8.x.x IP's used in the sample config, or must I change them?
07:58 < ecrist> you can keep those
07:59 < kyrix> it has some scripts that do "some" work for you, but you might not understand what you are doing, and later on not understand what to do if you run into problems
07:59 < kyrix> specially if something from that network setup or use case is different than what you have
08:01 < alibaba> So these IP's have to be outside of my LANs, right?
08:01 < kyrix> alibaba, that question is answered under: Editing the server configuration file on the howto.
08:01 < ecrist> no, they don't have to be
08:01 < ecrist> do you have 65,535 computers?
08:02 < alibaba> No. But I have Class B networks on both sides configured. Why shall I change that?
08:03 < ecrist> my point is, since you're not using the entire class b, you can use a subset of that address space for the VPN
08:03 < kyrix> _can_ but you dont have to. just leave the 10.8.x.x there
08:08 < alibaba> I do not really understand how this works. I have two LANs: 10.0.x.x/16 and 10.1.x.x/16 and I want to route them together through openVPN.
08:08 < alibaba> So what do you mean with using an address space for VPNs?
08:10 < alibaba> Is this 10.8.x.x a separate network where I route in/out on every side?
08:11 < kyrix> that will be the virtual network space. it is handled by openvpn, so you wont need to do anything with it to get the vpn working.
08:11 < kyrix> you will have to create a route for it on both networks so that other machines know where to find them later
08:12 < ecrist> alibaba: see my link to !route above
08:13 < kyrix> alibaba: take your time going through the docs and actually firing up the server. the best way to learn is to get your hands dirty
08:13 < alibaba> Ah, I slightly start to understand. So the tun devices of all machines build a virtual network. Then this network must not overlap with any of my LANs - of course
08:25 -!- Guest71015 is now known as redfox
08:25 -!- redfox is now known as Guest86020
08:28 -!- Guest86020 is now known as redfox
08:37 -!- wolfrein [n=chatzill@117.204.131.23] has joined ##openvpn
08:37 -!- wolfrein [n=chatzill@117.204.131.23] has left ##openvpn []
08:38 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
08:43 -!- gabriel25ny [n=gabe@pool-96-250-54-238.nycmny.fios.verizon.net] has quit []
08:48 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:53 < alibaba> kyrix: Well, I read now very carefully the howto... It looked indeed much more complicated at the beginning, but the routing link made it much clearer. Now I have some questions: What happens when the internet-connection of client or server dies (IP changes, or a disconnect happens)? Must I stop and restart the server/client, or will it continue working when the Internet is up again?
09:00 < kyrix> it will connect again
09:01 < alibaba> Sounds really good. So if i understand right, I have almost everything done correctly when I am able to start the openvpn server? I can post you its output if this helps.
09:03 < alibaba> Does this look ok? http://pastebin.com/d7c87a1e
09:04 < alibaba> While it runs, I see a tun0 interface with the 10.8.x.x IP...
09:10 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit [Read error: 54 (Connection reset by peer)]
09:14 -!- alibaba [n=xerox@goliath.hantsch.co.at] has quit [Remote closed the connection]
09:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
--- Log opened Fri Oct 30 09:43:41 2009
09:43 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
09:43 -!- Irssi: ##openvpn: Total of 79 nicks [0 ops, 0 halfops, 0 voices, 79 normal]
09:43 -!- Irssi: Join to ##openvpn was synced in 8 secs
09:46 < Argafal> win 35
09:46 < Argafal> i'm sorry.
10:01 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
10:01 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
10:36 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
10:42 -!- ErickG1 [n=ErickG@190.120.0.138] has joined ##openvpn
10:42 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 104 (Connection reset by peer)]
11:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
11:09 -!- WormFood [n=wormfood@58.60.223.158] has quit [Read error: 60 (Operation timed out)]
11:14 -!- c64zottel [n=hans@62.12.221.233] has quit [Read error: 110 (Connection timed out)]
11:15 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has joined ##openvpn
11:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
11:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
11:17 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 54 (Connection reset by peer)]
11:17 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
11:21 -!- WormFood [n=wormfood@121.15.111.40] has joined ##openvpn
11:22 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
11:23 -!- TomBombadil13 [n=TomBomba@84-119-77-120.dynamic.xdsl-line.inode.at] has left ##openvpn []
11:25 -!- TomBombadil13 [n=TomBomba@84-119-77-120.dynamic.xdsl-line.inode.at] has joined ##openvpn
11:26 < TomBombadil13> thanks for all the help ... should i post my config elsewhere
11:27 < TomBombadil13> everywhere i mean
11:28 < ecrist> !configs
11:28 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:30 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
11:33 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
11:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:40 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:41 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:41 < epaphus> Hey guys, how easy /hard is it to give maintenance to a route in operation? to make sure its stable ?
11:55 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn
11:57 -!- netman [n=netman@62.58.98.250] has quit [Remote closed the connection]
12:04 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
12:11 < ecrist> epaphus: not sure I understand your questions
12:11 < ecrist> s/s$//
12:14 < epaphus> ecrist, well.. once I have a router with a LAN behind it configured with openvpn as a default gateway to a server in another country... what possible implications may I face that I would need to do maintenance over openvpn?
12:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
12:19 < ecrist> you shouldn't run in to too many problems, provided there is a connection to the internet on both the server and the client
12:20 < ecrist> we do what you're talking about where I work and I've had very few issues.
12:20 < ecrist> one thing I would suggest is to make certain you have ssh access to the remote system, in case you need to kick or identify a problem with the VPN tunnel
12:21 < ecrist> http://ovpnforum.com/viewtopic.php?f=13&t=1177&sid=c2dbc57362e56cd6b447fa7246171b95
12:21 < vpnHelper> Title: OpenVPN Forum View topic - ecrist's VPN Setup (at ovpnforum.com)
12:23 < ecrist> that's my network here. the office link is similar to what I think you're referring to, only in your case you're using the vpn link as the default gateway
12:23 < ecrist> OpenVPN is going to release the default gateway when it goes down.
12:23 < ecrist> if you want the network to be down when the VPN is not up, you need to set a manual route for the VPN server address and then manually define your default gateway.
12:24 < ecrist> the VPN server should also have a route to any maintenance systems in case the VPN is offline
12:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
12:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:46 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
12:47 < teddymills> i moved my openvpn server from powerpc to Intel Debian 5..Using the same vpn certs and keys..No client work was needed. Last thing I did was switch the ip.
12:48 -!- tessier [n=treed@kernel-panic/sex-machines] has joined ##openvpn
12:48 < tessier> Hello all!
12:49 < tessier> Is http://openvpn.se/ still the preferred windows openvpn GUI? That website looks like it hasn't had an update in years.
12:49 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 12:54 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"] 13:01 -!- Muli|CTGR [n=muligan1@209-193-88-45.mammothnetworks.com] has joined ##openvpn 13:01 < Muli|CTGR> hey fellas, have a quick question about openvpn usage on an alltel modem connection 13:01 -!- gionnico [n=gionnico@93-34-50-86.ip48.fastwebnet.it] has joined ##openvpn 13:01 < gionnico> hello 13:01 < Muli|CTGR> hi 13:01 -!- Muli|CTGR is now known as Muligan 13:02 < gionnico> can you help me setting up an ethernet bridge 13:02 -!- Muligan is now known as Muli|CTGR 13:02 < gionnico> i configured the tun0 device now i need tap0 device to share the internet connection 13:04 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 13:04 < gionnico> !howto 13:04 < vpnHelper> gionnico: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:04 < gionnico> !topology 13:04 < vpnHelper> gionnico: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:08 -!- TomBombadil13_ [n=TomBomba@84-119-79-182.dynamic.xdsl-line.inode.at] has joined ##openvpn 13:16 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection] 13:19 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 13:25 -!- TomBombadil13 [n=TomBomba@84-119-77-120.dynamic.xdsl-line.inode.at] has quit [Read error: 113 (No route to host)] 13:25 -!- TomBombadil13_ is now known as TomBombadil13 13:30 -!- TomBombadil13 [n=TomBomba@84-119-79-182.dynamic.xdsl-line.inode.at] has quit [] 13:32 < gionnico> please help me 13:32 < gionnico> i have tap device now 13:32 < gionnico> server-bridge directive doesnt work 13:33 < gionnico> and i can ping .1 13:33 < gionnico> but cant connect to ssh of the server using the virtual address 13:35 < gionnico> :/ 13:44 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit] 13:51 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn 13:54 -!- TomBombadil13 [n=TomBomba@84-119-79-182.dynamic.xdsl-line.inode.at] has joined ##openvpn 14:03 -!- TomBombadil13 [n=TomBomba@84-119-79-182.dynamic.xdsl-line.inode.at] has left ##openvpn [] 14:09 -!- gionnico [n=gionnico@93-34-50-86.ip48.fastwebnet.it] has quit [Remote closed the connection] 14:13 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 14:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:16 < robert_> -of+on 14:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:37 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:39 -!- gionnico [n=gionnico@93-34-50-86.ip48.fastwebnet.it] has joined ##openvpn 14:39 < gionnico> hello 14:39 < gionnico> if I set up tap0 14:39 < gionnico> and want ethernet bridge 14:39 < gionnico> well should I use the same subnet addresses class for tap0 as eth0 real lan? 14:39 < gionnico> and what for br0 ?? 14:46 < gionnico> ?????? 
14:50 < ecrist> gionnico: you could learn some patience... 14:50 < ecrist> if you're setting up a bridge, you would generally use the same IP block as your remote LAN 14:50 < ecrist> !tunortap 14:50 < vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 14:54 < gionnico> ecrist: hmm.. tun may be ok then 14:54 < gionnico> i need to pass through an http(s) proxy 14:55 < gionnico> ecrist: ok. so i have eth0: 192.168.1.x 14:55 < gionnico> tun0 192.168.2.x 14:56 < gionnico> how do I share the server's internet access? 14:57 < gionnico> ecrist ? 15:01 < gionnico> i can also use ssh with the virtual ip if I tell sshd to listen on virtual ip, too 15:02 -!- xenon_ [n=rainer@idefix.provinz.hantsch.co.at] has joined ##openvpn 15:02 < gionnico> ???? 15:04 < xenon_> Good evening. Can somebody, please, help me with configuring openvpn between two linux machines? I have a working vpn connection (can ping the LAN IP of the server from the VPN client), but I can't get a working ping to another machine in the LAN on the server side. 15:06 < xenon_> Somebody here who can help, please? 15:07 -!- dazo is now known as dazo|afk 15:15 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn 15:17 < xenon_> Hello, xp_prg! Can you help me, please? 15:18 < epaphus> is ipsec proprietary ? 15:22 < xenon_> Must I do something special so that the vpn server can ping the client's LAN-IP? The client can ping the server's LAN-IP, but the other way round it doesn't work. 15:24 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has left ##openvpn [] 15:27 < xenon_> Nobody here? 15:30 -!- MadTBone_ [n=MadTBone@160.39.238.196] has joined ##openvpn 15:32 < xenon_> Hello?
15:35 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 15:36 < xenon_> Nobody here who can help me fine-tuning openvpn? Please help. 15:51 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 15:57 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 15:57 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:00 < xenon_> What reason has this message, please? ERROR: Linux route add command failed: shell command exited with error status: 2 16:00 < connectionVPN> I'd appreciate your thoughts on this : https://ConnectionVPN.com/faq/ 16:01 < vpnHelper> Title: ConnectionVPN.com » F.A.Q » an easy to use VPN proxy service to secure, anonymize, liberate and encrypt your internet connection (at ConnectionVPN.com) 16:02 < xenon_> Somebody here who can help me with openvpn setup, please? I'm stuck. 16:06 < krzee> xenon_, 16:06 < krzee> !configs 16:06 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:06 < krzee> epaphus, yes ipsec is proprietary, by cisco 16:06 < epaphus> thanks 16:07 < krzee> and as far as if it can connect to ovpn... 16:07 < krzee> !notcompat 16:07 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn...
openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn 16:08 < xenon_> http://pastebin.com/d3a9cbfda <-- Server side 16:09 -!- jeiworth_ [n=jeiworth@189.234.96.156] has quit [Read error: 54 (Connection reset by peer)] 16:09 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn 16:09 -!- MadTBone_ [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)] 16:10 < xenon_> http://pastebin.com/d5bb418b0 <-- Client side 16:11 < krzee> ok so 16:11 < krzee> 10.0.0.0 16:11 < krzee> is lan behind server 16:11 < xenon_> krzee: The tunnel partially works. The client can ping the server's LAN-IP. 16:11 < krzee> 10.1.0.0 is lan behind client 16:12 < krzee> correct? 16:12 < xenon_> Yes. 10.0.x.x is the server's LAN. 10.1.x.x is the client's LAN. I actually want to establish a routed tunnel between both LANS 16:12 < krzee> !route 16:12 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:12 < krzee> you read that? 16:13 < xenon_> Yes. I followed it, but it does not work. 16:13 < krzee> it works for many people... 16:13 < krzee> you didnt follow it good enough 16:13 < krzee> !ccd 16:13 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 16:13 < krzee> for example 16:14 < krzee> im guessing you skimmed it? 16:15 < xenon_> I am a novice and have my problems. 16:16 < xenon_> what shall I do now exactly, please?
16:20 < krzee> you shall read !route again 16:20 < krzee> to setup the ccd and iroute entries 16:20 < krzee> i wont be holding hands, i already wrote that doc 16:20 < tessier> heh 16:20 < krzee> and im gunna watch a movie 16:23 < xenon_> Is this "client-common-name" the filename used also by the client's .crt file ? 16:23 < krzee> if its explained in !route it matters, if it isnt it doesnt 16:24 < krzee> just read !route like 5 times 16:24 < krzee> DO NOT SKIM IT 16:24 < xenon_> This description is far away from easy to understand. :/ 16:25 < krzee> you are embarking on an advanced networking project 16:29 < gionnico> ??????? 16:30 < xenon_> ERROR: Linux route add command failed: shell command exited with error status: 2 WHAT DOES THIS MEAN ? 16:30 < xenon_> Appears on the client. 16:31 < gionnico> how do I share the server's internet access? 16:31 < gionnico> i have eth0 and tun0 16:33 < gionnico> i need to setup bridge 16:33 < gionnico> but tun0 is configured (with an ip, NOT promiscuous mode and NO-CONFIG) by openvpn 16:33 < xenon_> krzee: I added now a directory /etc/openvpn/ccd/ and there a file "vpnprovinz" as all key files also use this name. Then I added client-config-dir /etc/openvpn/ccd/ to server.conf. 16:34 < xenon_> Changes nothing. :/ 16:34 < krzee> !logs 16:34 < vpnHelper> krzee: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 16:34 < krzee> which machine gets that error? 16:34 < krzee> what lan subnets are client and server on? 16:34 < krzee> oh wait i know that one 16:35 < krzee> also, are you starting both as root? 16:35 < xenon_> Server is on subnet 10.0.0.0/16 Client is on 10.1.0.0/16 The client shows the error line. 16:35 < krzee> why /16? 16:36 < krzee> you really have over 254 machines on each lan? 16:36 < xenon_> No. I like that and it usually should not matter.
16:36 < krzee> and that status 2 message is from your OS not from openvpn 16:36 < krzee> openvpn just passes it through for ya 16:37 < krzee> so lets see the client log with verb 4 16:37 < krzee> verb6 is in !logs but thats for another reason not affecting you 16:39 < xenon_> Shall I stop the client and then paste you the log? 16:39 < krzee> correct 16:39 < krzee> kill it 16:39 < krzee> start it new 16:39 < krzee> then paste log after everything is fully done 16:39 < krzee> initiation sequence completed 16:40 < xenon_> Must first activate the log... 16:40 < krzee> ahh, router running vpn? 16:40 < xenon_> Sure! Manually started as root. 16:41 < krzee> cool, you're 1 step ahead of me typing !router then ;) 16:41 < xenon_> Is it ok to redirect screen output to a file (on the client)? 16:42 < krzee> just use the log command 16:42 < krzee> log /path/to/file 16:44 < xenon_> The log is long. How can I get it into pastebin? 16:44 < krzee> copy and paste 16:44 < xenon_> Uhh... 16:44 < krzee> lol 16:46 < xenon_> http://pastebin.com/d41bdf978 16:47 < krzee> ok 16:47 < krzee> if you read !route complete enough, youd understand the problem 16:47 < krzee> ri Oct 30 22:42:48 2009 us=904661 /bin/ip route add 10.1.0.0/16 via 10.8.0.5 16:47 < krzee> RTNETLINK answers: File exists 16:47 < krzee> Fri Oct 30 22:42:48 2009 us=911079 ERROR: Linux route add command failed: shell command exited with error status: 2 16:47 < krzee> Fri Oct 30 22:42:48 2009 us=911228 /bin/ip route add 10.8.0.0/24 via 10.8.0.5 16:47 < krzee> Fri Oct 30 22:42:48 2009 us=917428 Initialization Sequence Completed 16:47 < krzee> its trying to add a route to its own lan 16:47 < krzee> its doing that because it didnt have the iroute 16:48 < xenon_> Besides: The client has 3 NICs: WAN, LAN and DMZ. DMZ is 10.2.x.x/16 16:48 < krzee> also, your openvpn version is yrs old 16:48 < krzee> like 4 16:49 < xenon_> I just installed it from online repos? OpenSuSE 11.1 isn't so old?
16:49 < krzee> your client's commonname is hantsch 16:49 < krzee> so the file in ccd should be named that 16:49 < krzee> i dont care where you installed it from, its 4 yrs old 16:49 < krzee> !download 16:49 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 16:49 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 104 (Connection reset by peer)] 16:49 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn 16:49 < krzee> sorry, 3 yrs old 16:50 < krzee> and heres from !route 16:50 < krzee> You may realize that client1 should not route 192.168.1.0 traffic over the vpn, and that client2 should not route 192.168.3.0 traffic over the vpn (because those networks are local to each client). Because of the iroute entries you will see below, openvpn knows this too and skips the push for the client. 16:51 < krzee> because your iroute wasnt and isnt setup right, you get your error 16:51 < krzee> =] 16:51 < krzee> bbiab 16:58 < xenon_> I renamed the ccd file now to hantsch, but the error is still there. 17:02 < krzee> read server log and be sure its reading the iroute command from ccd file when client connects 17:08 < xenon_> Yes, it reads the ccd file vpnprovinz. 17:12 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 54 (Connection reset by peer)] 17:13 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn 17:13 < xenon_> Now I am able to ping the LAN IP of the other side's vpn device. In both directions. 17:14 < xenon_> But I cannot ping a device in the other side's LAN. 17:15 < Bushmills> good evening 17:16 < xenon_> Good evening! 17:16 -!- Bushmills is now known as Laphroaig 17:16 < xenon_> krzee: What must I configure in addition? 17:18 * Laphroaig would point to !route but given that krzee is master of that document, he'll leave that to him, 17:19 < xenon_> Great! I read this file meanwhile the 8th time...
:( 17:19 < Laphroaig> does it help? 17:19 < xenon_> Not really. 17:20 < Laphroaig> try to apply what you read 17:20 < xenon_> Server to client works, client to server, too, but not from one LAN to the other. 17:25 < xenon_> Laphroaig: As I have only one client (10.1.x.x/16), I added the following to the server.conf: 17:26 < xenon_> push "route 10.1.0.0 255.255.0.0" 17:26 < xenon_> route 10.1.0.0 255.255.0.0 17:26 < xenon_> client-to-client 17:26 < xenon_> Is this correct? 17:27 < xenon_> Server is 10.0.0.0 255.255.0.0 17:27 < Laphroaig> did you enable forwarding between devices? 17:28 < xenon_> You mean if IPforwarding is enabled? 17:28 < xenon_> Yes, it is. 17:29 < Laphroaig> try traceroute or mtr, to see where the packets go 17:31 < xenon_> When I do a traceroute 10.0.0.11 from the client, the first hop goes to 10.8.0.1, then it gets stuck. 17:32 < xenon_> Similar thing happens when I try something from the server's LAN to the client's LAN. 17:33 < xenon_> Then the first hop goes to 10.8.0.6. 17:33 < Laphroaig> routes on server and client appear to be correct? 17:33 < xenon_> route 17:33 < xenon_> sorry, wrong window. 17:36 < xenon_> http://pastebin.com/d7a5125e3 17:37 < xenon_> Laphroaig: Something wrong? 17:38 < Laphroaig> first glimpse looks ok. possibly a firewall issue. 17:39 < xenon_> How is this possible if I can reach the LAN IP of the remote machine? 17:41 < Laphroaig> by, for example, accepting packets which go to destination server, but not to destinations with ip addresses beyond 17:42 < gionnico> help? 17:42 < gionnico> i have eth0 and tun0 17:42 < gionnico> i need to setup bridge 17:42 < gionnico> but tun0 is configured (with an ip, NOT promiscuous mode and NO-CONFIG) by openvpn 17:43 < gionnico> how do I share the server's internet access? 17:48 < xenon_> Laphroaig: does the tun device of openvpn belong to internal or external network?
18:00 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has left ##openvpn [] 18:03 -!- ErickG1 [n=ErickG@190.120.0.138] has left ##openvpn [] 18:04 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 18:11 < Laphroaig> neither. it is a network on its own. whether it is internal or external depends on your view of its clients. 18:12 < Laphroaig> but as you have it running over existing physical interfaces, i suppose you could call it internal or external depending on what the physical interfaces are. 18:13 -!- Laphroaig is now known as ouzo 18:13 < ouzo> sorry bout the frequent nick changes - quite a mix of beverages today. 18:19 -!- jroysdon [n=User@Ox.roysdon.org] has joined ##openvpn 18:21 < jroysdon> Sorry for the newbie questions. I've started following two guides, but I see both are for a server/client setup. Does OpenVPN support a LAN to LAN (in Cisco speak) configuration, where either side may initiate and where neither side is really a "client" so to speak? 18:23 < jroysdon> !howto 18:23 < vpnHelper> jroysdon: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 18:24 < jroysdon> Ah, perhaps openvpn is not the solution I need 18:27 < xenon_> ouzo: Could you, please, help me with this setup? Seems that either SuSEFirewall2 does something wrong, or openvpn is not correctly configured. 18:29 < xenon_> I am able to ping the server's LAN IP, but cannot use any service (i.e. ssh) on it. I also cannot ping any machine in the remote LAN. 18:31 < ouzo> " cannot use any service" - sounds like firewall issue. or, you bind the sshd to a specific interface only. 18:32 < xenon_> Do you know SuSEFirewall2 ? I can assign interfaces to external, internal or dmz and it does the most by itself. I also can configure additional rules, but normally I don't need that... 
18:33 < ouzo> !firewall 18:33 < vpnHelper> ouzo: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 18:34 < ouzo> netstat -ltn should show what interface(s) sshd is bound to. 18:35 < xenon_> sshd can be used from LAN and WAN (there I only activate it when necessary). 18:35 < xenon_> sshd listens on all devices but is blocked to outside by the firewall. 18:36 < ouzo> i assumed that you had disabled firewall by now 18:36 < xenon_> So I would need to know where I should assign tun0 to. 18:37 < xenon_> No, I can't do that. Too risky. 18:37 < xenon_> Therefore I want to establish the tunnel. 18:37 < ouzo> sorry, you're on your own then, debugging the setup with firewall enabled. 18:38 < xenon_> I opened the tunnel on WAN side for openvpn. Therefore I can establish the tunnel. 18:38 < ouzo> so you can also connect to sshd? 18:38 < xenon_> from this IP where I am currently on, yes. 18:39 < xenon_> (trusted network) 18:39 < ouzo> over openvpn 18:39 < xenon_> Oh, no. only directly to the official IP. 18:40 < ouzo> well, if you insist that it is not a firewall issue, and sshd is bound to all interfaces, then i wouldn't know. 18:41 < xenon_> I expected that I will be able to connect to 10.0.0.3 too (as I can ping it), but this does not work. But I can generally open ssh for a test. 18:41 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 18:41 < ouzo> i expected that too, but reality doesn't seem to agree 18:42 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Client Quit] 18:43 < xenon_> I could assign the tun device to internal and enable class routing? (routes all internal devices together)? 18:43 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 18:46 < xenon_> That was it! It works this way! 18:47 < xenon_> ouzo: Is that what comes in on tun0 safe? (Should be?)
18:47 < ouzo> depends on who sits on the other end 18:48 < ouzo> if krzee sit there, tun is not safe 18:50 < xenon_> Ok. So if I do class routing and associate tun0 to the internal LAN (=no protection with firewall), it should be fine? 18:52 < ouzo> !8ball will it be safe? 18:52 < vpnHelper> ouzo: Error: "8ball" is not a valid command. 18:53 < ouzo> vpnhelper doesn't know 18:53 < vpnHelper> ouzo: Error: "doesn't" is not a valid command. 19:08 -!- disco-_ [i=disco@andromeda.h4xed.com] has joined ##openvpn 19:08 -!- xenon_ [n=rainer@idefix.provinz.hantsch.co.at] has quit [Remote closed the connection] 19:08 -!- disco- [i=disco@andromeda.h4xed.com] has quit [Read error: 60 (Operation timed out)] 19:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)] 19:15 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has joined ##openvpn 19:28 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 19:35 < jroysdon> Does anyone use a public CA for signing their certs? For instance, I already have a signed key/crt, can I just use that for my OpenVPN setup? 20:00 < jroysdon> Can I use an SSL key/crt on my cert, share the CA for both, but use a pre-shared key/password on my client and not a PKI cert on the client? 
20:02 -!- gionnico [n=gionnico@93-34-50-86.ip48.fastwebnet.it] has quit ["Sto andando via"] 20:22 -!- STS301 [n=STS301@opensuse/member/STS301] has joined ##openvpn 20:23 < STS301> hi, I have a problem connecting an openVPN server, I need to connect through a tunnel, but when I add the options --mktun --dev tun0 it tells me all the time "error: options --mktun or --rmtun should only be used together with --dev" 20:46 < WormFood> STS301, those options make the tunnel...you do not want to add them on to a longer commandline of other options 20:49 < STS301> WormFood: my actual problem is, that I have the .ovpn file, the certs and the key and if I import them with the Ubuntu networkmanager it works all fine, but I have problems connecting with openSUSE with KDE and so I wanted to connect via the commandline, but that doesn't work too on the first time, so I am searching for the right options to get it work and I am stuck at the tunnel now 20:53 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 20:53 < WormFood> make the tunnel device first, then run openvpn 20:54 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 20:54 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 20:55 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 20:58 -!- a|3x [n=alex@67.160.190.87] has quit [Read error: 110 (Connection timed out)] 21:03 < STS301> WormFood: ok, just "ifconfig up" right? 21:05 < WormFood> no 21:05 < WormFood> not for openvpn 21:05 < WormFood> for network device, that would work, like eth0 21:05 < WormFood> but you're working with a tunnel 21:05 < WormFood> openvpn brings that up when it is executed 21:10 < STS301> ok, sry for that question, but how do I create a tunnel without openvpn? or do you mean with openvpn before connecting to the server, so two different commands?
21:14 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["This computer has gone to sleep"] 21:15 -!- master_of_master [i=master_o@p549D6169.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 21:16 < STS301> hmm, I think I got it now, I wrote: "openvpn --mktun --dev tun0 --dev-type tun" 21:17 < STS301> and then in the connection command defined the tun0 device as the tunnel device, so "--dev tun0" 21:17 < STS301> WormFood: But unfortunately it still doesn't work 21:19 -!- master_of_master [i=master_o@p549D6738.dip.t-dialin.net] has joined ##openvpn 21:22 -!- krzee [n=k@unaffiliated/krzee] has joined ##openvpn 21:29 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn 21:39 -!- robotti^ [i=robotti@kapsi.fi] has quit [Remote closed the connection] 21:55 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 22:04 < ouzo> STS301: you can give an alternative config file, and specify to use that one 22:05 < STS301> ok 22:06 < ouzo> if not specifying the number of the tun device, it will pick the next available number 22:07 -!- ouzo is now known as Mushbills 22:09 < STS301> ok, actually it is a bit strange that it doesn't read all the settings from the ovpn file out... however it is a nice thing to learn 22:10 < STS301> Mushbills: I just set it to tun0 because the tunnel is open there 22:11 < Mushbills> for a second instance? 22:12 < Mushbills> each tunnel would require its own tun interface 22:13 < STS301> WormFood said that I should open the tunnel before connecting, maybe I misunderstood something 22:14 < STS301> my current command is:"openvpn --config config.ovpn --ca ca-cert.ca.crt --cert cert.user.crt --key the_key.user.key --port 443 --verb 4 --tls-client --script-security 2 22:22 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:29 < Mushbills> oh.. you're trying to create a tunnel through a tunnel?
22:30 < WormFood> that is NOT what I said 22:30 < WormFood> I said you need to MAKE the tunnel first 22:30 < WormFood> [09:53:53] make the tunnel device first, then run openvpn 22:32 < STS301> yes, I did make the tunnel first, on the way I thought was right 22:32 < STS301> and I think I was wrong 22:32 < WormFood> but it is 2 different openvpn commands to make the tunnel, and run openvpn 22:34 < STS301> ok 22:35 < STS301> so what now, I should run the mktunnel command in the main command or how do you mean? 22:37 < WormFood> you need the tunnel device first...you should only need to do that once 22:38 < STS301> ok, just "ifconfig tun0 up" ? 22:39 < WormFood> no 22:39 < WormFood> how? 22:39 < WormFood> tun0 is just a device node 22:39 < WormFood> ifconfig knows nothing about how to handle it 22:39 < STS301> ok 22:40 < WormFood> !howto 22:40 < vpnHelper> WormFood: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 22:40 < STS301> thanks, I was already there 22:40 < WormFood> then read it again 22:40 < WormFood> it covers everything you need to know 22:41 < WormFood> and why are you giving it a config file AND all the command line options? 
22:43 < STS301> because openvpn doesn't recognize them, or however, thanks for your help 22:46 < WormFood> then you're doing something wrong 22:51 < STS301> I think so too 23:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:21 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has quit ["Leaving."] 23:32 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has joined ##openvpn --- Day changed Sat Oct 31 2009 00:11 -!- jroysdon [n=User@Ox.roysdon.org] has quit ["Leaving"] 00:25 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 01:00 -!- WormFood [n=wormfood@121.15.111.40] has quit [Read error: 60 (Operation timed out)] 01:00 -!- WormFood [n=wormfood@121.15.111.40] has joined ##openvpn 01:11 -!- STS301 [n=STS301@opensuse/member/STS301] has quit [Remote closed the connection] 01:29 -!- WormFood [n=wormfood@121.15.111.40] has quit [Read error: 60 (Operation timed out)] 01:29 -!- WormFood [n=wormfood@121.15.111.40] has joined ##openvpn 01:30 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 02:07 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 104 (Connection reset by peer)] 02:07 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 02:21 -!- simplechat [n=simple@unaffiliated/simplechat] has joined ##openvpn 02:22 < simplechat> hi 02:22 < simplechat> i'm trying to set up a highly secured openvpn instance and i'm wondering if it is possible to keep the key separate from the running openvpn process? 02:44 < krzee> lol no 02:45 < simplechat> what does it need it for?
02:45 < krzee> authenticating 02:46 < simplechat> hmmm 02:46 < simplechat> ok 02:46 < krzee> you can password protect the key 02:46 < krzee> you can keep it on a USB 02:46 < simplechat> cool 02:46 < krzee> but it must be there when connecting 02:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 02:47 < krzee> if you use persist-key its only needed on startup 02:48 < simplechat> hmmm 02:48 < simplechat> so its still stored unencrypted inside the openvpn process? 02:48 < krzee> why dont you check 02:49 < simplechat> unsure how to 02:49 < simplechat> but hmmm, that seems to be a good suggestion (encrypting it) 02:49 < simplechat> any good guides for hardening openvpn? 02:50 < krzee> !factoids search secure 02:50 < vpnHelper> krzee: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 02:50 < simplechat> thank you krzee and thats a damn cool bot 02:50 < krzee> thx 02:54 < simplechat> Keep the root key (ca.key) on a standalone machine without a network connection 02:54 < simplechat> so this means that i can keep ca.key secret? 02:54 < krzee> yup 02:54 < krzee> very very secret 02:54 < krzee> its the key to everything 02:54 < simplechat> and then without ca.key, nobody can forge additional client keys? 02:55 < krzee> the whole PKI security model breaks down when that file is found 02:55 < krzee> correct 02:55 < simplechat> excellent :) 02:55 < krzee> well they can make keys 02:55 < krzee> but not certs 02:55 < simplechat> more info? 02:55 < krzee> well 02:56 < simplechat> can they connect to the vpn server and authenticate properly? 
02:56 < krzee> heres an example of a good key making process 02:56 < krzee> no they cant 02:56 < krzee> heres an example of a good key making process 02:56 < simplechat> k 02:56 < krzee> i make a CSR/key 02:56 < krzee> i send it to you, the admin 02:56 < simplechat> yeah 02:56 < krzee> you take it to your ca machine, sign the cert which makes a crt 02:56 < krzee> but you never had my key 02:56 < krzee> i only sent you a CSR 02:57 < krzee> now i have my key and the client crt/ca.crt from you 02:57 < krzee> and i can connect 02:57 < simplechat> ok 02:57 < krzee> so you never helped me make a .key 02:57 < robert_> hai krzee 02:57 < krzee> i made it myself 02:57 < krzee> but until your ca signs it, i cant connect 02:57 < simplechat> ok 02:57 < krzee> sup robert_ 02:58 < simplechat> that is pretty sweet :) 02:58 < simplechat> also, is it possible to use both chroot and unprivileged mode? 02:58 < krzee> and i mean your ca signs my csr, not my key 02:58 < robert_> oh not much.. trying to wrap stuff in mono 02:59 < krzee> simplechat, why wouldnt it be? 02:59 < robert_> krzee, only I'm getting these wonderful exceptions like EntryPointNotFound, yay! 03:00 < robert_> lol 03:00 < krzee> hehe 03:00 < robert_> :P 03:00 < robert_> I'm not a fan of using a managed ssh2 library, lol 03:01 < krzee> i been sittin here watching 2 1/2 men and reading up on blackwater 03:01 < robert_> if you have system libraries then you might as well USE the damn things. 03:01 < robert_> fun fun 03:01 < krzee> rob, whatchya automating? 03:02 < robert_> work stuff. 03:02 < robert_> our existing infrastructure is php4/5 03:02 < robert_> it's in need of upgrading, with our .NET-ification 03:02 < krzee> sounds fun 03:03 < krzee> 03:03 < robert_> oh ye 03:03 < robert_> yes* 03:03 < krzee> i been shell scripting my butt off 03:03 < robert_> heh 03:04 < robert_> I've been wondering about a .NET system that would work similarly to MMC, only be cross-platform and could control like, openvpn. 
03:04 < krzee> for the openvpn side you'll wanna use the management interface 03:05 < simplechat> krzee, some things break in chrooted mode in some applications :) 03:05 < robert_> yeah, it'll be an MMC<->openvpn management interface bridge 03:05 < krzee> yupyup 03:05 < krzee> simplechat, it wouldnt have --chroot if it wasnt for being used ;] 03:05 < simplechat> yeah 03:05 < simplechat> this thing seems pretty damn awesome 03:06 < krzee> just be sure to read every instance of the word chroot in the manual 03:06 < simplechat> like all of the quality software from openbsd :) 03:06 < krzee> it may have caveats you need to know of 03:06 < simplechat> ah, ok 03:06 < krzee> openvpn is unrealted to openbsd other than it can run on it 03:06 < krzee> unrelated 03:07 < simplechat> krzee, isn't it like openssh, where a good portion of the devs are from openbsd? 03:07 < krzee> not to my knowledge... 03:07 < simplechat> kk 03:08 < krzee> it does use blowfish as its default encryption method, which openbsd favors 03:08 < krzee> but thats pretty unrelated 03:10 < simplechat> hmmm 03:10 < simplechat> ok 03:11 < simplechat> !factoids openvpn chroot 03:11 < vpnHelper> simplechat: Error: The "Factoids" plugin is loaded, but there is no command named "openvpn" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 03:12 < simplechat> !factoids search chroot 03:12 < vpnHelper> simplechat: No keys matched that query. 03:12 < simplechat> hey krzee would you happen to have a nice source for how to build the chroot for openvpn? 03:12 < krzee> search is for finding all instances with the key in it 03:12 < robert_> so anyway krzee, Server 2003 still doesn't like the changes you suggested I make. 
03:12 < krzee> like:
03:12 < krzee> !factoids search win
03:12 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin'
03:12 < simplechat> ah, ok
03:12 < krzee> otherwise you can just:
03:13 < krzee> !winroute
03:13 < vpnHelper> krzee: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access
03:13 < simplechat> ok
03:13 < krzee> robert_, i dont remember the suggested changes nor the problem
03:13 < krzee> i help a lot of people in here =/ care to jog my memory?
03:31 -!- erroneousvamsi [n=vamsi@121.243.61.82] has joined ##openvpn
03:31 < erroneousvamsi> hello
03:32 < erroneousvamsi> Iam planning to host a vpn for a CTF
03:32 < erroneousvamsi> can anyone help me
03:32 < krzee> for a what?
03:32 < erroneousvamsi> Capture the flag
03:32 < krzee> ok...
03:32 < erroneousvamsi> CTF
03:33 < krzee> so where are you stuck?
03:33 < erroneousvamsi> Iam not sure about the band width issues
03:33 < krzee> nor am i, i dont play online games
03:33 < krzee> (or any sort of games really)
03:34 < erroneousvamsi> we hav contacted a prev hosts and they said it really does matter
03:34 < erroneousvamsi> Im frm India
03:34 < erroneousvamsi> so pls dont expect a good band width
03:34 < erroneousvamsi> can u be sure that there wont be any problems
03:35 < krzee> nope, cant be sure
03:35 < erroneousvamsi> hmmm
03:35 < erroneousvamsi> ok then
03:35 < erroneousvamsi> Ill try contactin soe one else
03:35 < krzee> bandwidth will likely matter a LOT
03:36 < erroneousvamsi> May be any prev hosts
03:36 < erroneousvamsi> Did u participate in any CTF before
03:36 < krzee> [04:31] nor am i, i dont play online games
03:36 < krzee> [04:31] (or any sort of games really)
03:37 < erroneousvamsi> oh sorry
03:37 < krzee> im going to bed, good luck to you
03:37 < erroneousvamsi> ok
03:37 < erroneousvamsi> Thanx
03:37 < erroneousvamsi> Bt can i hav 1 min
03:37 < erroneousvamsi> its a Hacking contest CTF style hacking contest
03:37 < erroneousvamsi> ny ways good nit buddy:-)
03:37 -!- erroneousvamsi [n=vamsi@121.243.61.82] has left ##openvpn ["Leaving"]
04:03 < simplechat> heyyas, is it possible to push dns settings for only a given tld?
04:03 < simplechat> ie. .internal?
04:16 < robert_> later krzee
04:18 < simplechat> !dns
04:18 < vpnHelper> simplechat: "dns" is Level3 open recursive DNS server at 4.2.2.1
04:19 < simplechat> !dns push
04:19 < vpnHelper> simplechat: Error: "dns" is not a valid command.
04:20 < simplechat> hey krzee, is it possible to push a given dns server for a given suffix?
04:21 < simplechat> do i just use dhcp-option DOMAIN and dhcp-option DNS?
04:43 -!- Mushbills is now known as Bushmills
04:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:02 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:05 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
05:06 < krphop_> Hello! so i've just setup openvpn on a centos system, and i'm having troubles configuring iptables to forward/masquerade packets properly
05:08 < Bushmills> http://scarydevilmonastery.net/masq
05:08 < krphop_> i've tried adding to my nat table '-A POSTROUTING -s openvz.priv.ip.network -o eth0 -j SNAT --to-source pub.ip.of.server
05:08 < krphop_> ah, i probably dont have ipforwarding on
05:09 < krphop_> aaaaaand ther it works
05:20 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has joined ##openvpn
05:42 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
05:43 -!- mfeilner [n=mfeilner@dslb-084-056-097-049.pools.arcor-ip.net] has left ##openvpn []
05:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:50 < krphop_> Bushmills: so, now i'm getting an error saying NOTE unable to redirect default gateway -- cannot read current default gateway from system
05:51 < krphop_> i can ping my remote server on its private address, but nothing else
05:51 < krphop_> and the gateway for teh tun device is not listed in my routes
05:51 < Bushmills> possibly you haven't had a default gateway. maybe the result of not using def1, and restarting openvpn.
05:51 < Bushmills> !def1
05:52 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
05:52 < krphop_> well, technically, i didnt have a default gateway to start
05:52 < Bushmills> that's exactly what it said
05:53 < krphop_> this is a particular connection that is unique,
05:53 < krphop_> right, but simply adding my tun device as a default gw doenst work, then i lose connection to my openvpn server
05:53 < Bushmills> read what vpnhelper said
05:54 < krphop_> yeah, reading the man page now
05:54 < krphop_> i'm using the def1 flag
05:55 < krphop_> push "redirect-gateway def1"
05:55 < Bushmills> shouldn't complain if there's no default gateway
05:55 < Bushmills> if you add a route manually, of course the route to the openvpn server may not be routed through tun
05:55 < krphop_> yeah, i think thats whats happening
05:55 < Bushmills> (i.e. you need an extra route to the openvpn server, when defaulting through vpn)
05:56 < krphop_> ah, route the openvpn server specifically, then a default out the tun device?
05:56 < Bushmills> that would work. but that's essentially what redirect-gateway does
05:57 < krphop_> but using redirect-gateway gives me the no default gateway error...
05:57 < Bushmills> so what does then?
05:58 < krphop_> what does what?
05:58 < Bushmills> (11:50:44) krphop_: Bushmills: so, now i'm getting an error saying NOTE unable to redirect default gateway -- cannot read current default gateway from system
05:58 < krphop_> thats when i use: push "redirect-gateway def1"
05:59 < Bushmills> ah, i misread. i read "(11:57:33) krphop_: but using redirect-gateway gives me the no default gateway error..." as "give me not .."
05:59 < krphop_> ah, sorry heh
06:01 < Bushmills> well, i don't know then. maybe you can work around whatever is the cause by adding a default route to loopback device, before starting openvpn.
06:02 < krphop_> ah, this seems to work
06:02 < krphop_> connect to the internet, add a route to my openvpn server through my 'gateway' (however not 'default')
06:02 < krphop_> connect to openvpn
06:03 < krphop_> and add a default gw of my nat address from the openvpn connection
06:03 < Bushmills> that's not standard procedure as I know it
06:03 < krphop_> haha
06:03 < krphop_> understandable :-)
06:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:03 < Bushmills> but a hackish fix is better than none
06:03 < krphop_> however most links have a default gateway
06:04 < krphop_> now, i'll try to setup openvpn to push those routes manually
06:05 < krphop_> this entire connection is a 'hackish fix'
06:06 < krphop_> ~400ms latency, a whopping ~150Kb/sec up down
06:07 < Bushmills> latency sucks
06:08 < krphop_> shit, i think they figured it out
06:09 -!- NG|NetGhost [i=netghost@bam.ng-hosting.de] has joined ##openvpn
06:11 -!- krphop_ is now known as krphop
06:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:16 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has left ##openvpn ["Leaving"]
06:18 < NG|NetGhost> hi, where can i tell openvpn in which directory it will find its client certificates? i want to set up multiple ovpn-instances with different users. maybe i am sightless, but i can't find anything in the manpage or in the howto section on the page
06:19 -!- brizly1 [n=brizly_v@p4FC98DED.dip0.t-ipconnect.de] has joined ##openvpn
06:20 < krphop> does openvpn care what the client certs are given they were signed with the proper CA?
06:23 < simplechat> krphop, it effects what ip you are given
06:23 < simplechat> other then that, and assuming you arn't in the revokation list, it doesn't care
06:25 -!- NG|NetGhost [i=netghost@bam.ng-hosting.de] has quit [""zieht sich zurueck""]
06:25 < simplechat> NG|NetGhost, you don't tell openvpn where its client certificates are
06:25 < simplechat> it will accept any certificate that has been signed by the CA
06:25 < simplechat> also, the word is "blind" not "sightless" (they mean the same thing, but one is the more common ussage)
06:33 -!- brizly [n=brizly_v@p4FC983F5.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
06:45 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has joined ##openvpn
06:49 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
06:50 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has joined ##openvpn
06:52 < Sypher|NL> Hi, I am using the port-share feature to share my "SSL Site" with OpenVPN, but the Apache log files report the local server IP instead of the remote client. I tried X-Forwarded-For but this isn't working all the time and most of the time it produces '-'..
06:53 < Sypher|NL> seeing it can pass-tru the UserAgent, I find it odd it can't do that with the remote IP...
06:55 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has quit ["Leaving."]
07:01 < simplechat> Capitalisation maybe?
07:04 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
07:04 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:08 -!- simplechat [n=simple@unaffiliated/simplechat] has quit [Remote closed the connection]
08:11 -!- lummox [i=lummox@p508DFE68.dip.t-dialin.net] has joined ##openvpn
08:12 < lummox> Hello
08:12 < lummox> There is a CiscoVPN and through this CiscoVPN a OepnVPN VPN wants to be established. Accoridng to the log it gets established correctly but sending and receiving data doesnt work. The routing table looks ok. What could be the reason?
08:13 < lummox> CiscoVPN usually got MTU of 1380 Byte or something like this, and OepnVPN by default MTU 1500 B.
08:14 < lummox> So I sent a biggest possible ICMP echo request through another working OpenVPN and the MTU was 1500 Byte es expected (ICMP echo payload length 1472 B).
08:14 < lummox> This ICMP echo request was compressed by OepnVPN LZO compression to 101 Byte though
08:14 < lummox> so I think that MTU cannot be the problem, can it?
08:15 < lummox> the OpenVPN fragments get compressed down to below the MTU of CiscoVPN anyway, at least for ICMP echo request and hence should get through
08:15 < lummox> so what could be the reason?
08:15 < lummox> that OepnVPN through CiscoVPN through Ethernet wouldnt work
08:34 -!- TSM2 [n=the_soft@87-194-32-212.bethere.co.uk] has joined ##openvpn
08:35 -!- TSM2 [n=the_soft@87-194-32-212.bethere.co.uk] has left ##openvpn []
08:59 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has joined ##openvpn
09:10 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
09:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
09:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
10:15 -!- WormFood [n=wormfood@121.15.111.40] has quit [Read error: 60 (Operation timed out)]
10:16 -!- WormFood [n=wormfood@121.15.111.40] has joined ##openvpn
10:51 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
11:00 -!- c64zottel [n=hans@62-12-229-196.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)]
11:00 -!- c64zottel [n=hans@62.12.220.2] has joined ##openvpn
11:08 -!- WormFood [n=wormfood@121.15.111.40] has quit [Read error: 60 (Operation timed out)]
11:09 -!- c64zottel [n=hans@62.12.220.2] has left ##openvpn []
11:10 -!- hyper_ch [n=hyper@adsl-84-226-41-99.adslplus.ch] has quit [Remote closed the connection]
11:12 -!- MavRic [n=MavRic@c-24-91-143-191.hsd1.ct.comcast.net] has joined ##openvpn
11:15 < MavRic> morning all
11:26 -!- WormFood [n=wormfood@121.15.46.78] has joined ##openvpn
11:31 -!- asdfghjkl [i=asdfghjk@hypnos.chu.cam.ac.uk] has joined ##openvpn
11:32 < asdfghjkl> hey
11:32 < asdfghjkl> got a slightly weird problem with openvpn
11:32 < asdfghjkl> in that my server died a couple of days ago, so it's had a couple of restarts
11:33 < asdfghjkl> and now i can't ping anything from the client end
11:33 < asdfghjkl> despite the fact that it seems to be running perfectly on the server
12:00 < asdfghjkl> had this in my logs before it broke:
12:00 < asdfghjkl> Wed Oct 21 18:59:53 2009 client1/xxx.xxx.xxx.xxx:59275 MULTI: Learn: 10.8.0.6 -> client1/xxx.xxx.xxx.xxx:59275
12:00 < asdfghjkl> (it was always 10.8.0.6)
12:03 < asdfghjkl> but now it gives random ips in the form 10.8.0.xxx
12:03 < asdfghjkl> now gives this in logs:
12:03 < asdfghjkl> Sat Oct 31 16:51:37 2009 client1/xxx.xxx.xxx.xxx:61205 MULTI: bad source address from client [10.8.0.30], packet dropped
12:03 < asdfghjkl> any ideas?
12:07 -!- asdfghjkl_ [i=asdfghjk@hypnos.chu.cam.ac.uk] has joined ##openvpn
12:14 -!- asdfghjkl [i=asdfghjk@hypnos.chu.cam.ac.uk] has quit [Read error: 60 (Operation timed out)]
12:14 -!- asdfghjkl [i=asdfghjk@hypnos.chu.cam.ac.uk] has joined ##openvpn
12:18 -!- asdfghjkl_ [i=asdfghjk@hypnos.chu.cam.ac.uk] has quit [Read error: 60 (Operation timed out)]
12:19 < MavRic> I'm trying under windows to buld-ca and am getting errors...but not sure why..any suggestions? It's saying bad directory or something but i cant figure out what it's looking for
12:23 -!- bandinia [n=bandini@host129-106-dynamic.10-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
12:25 -!- asdfghjkl [i=asdfghjk@hypnos.chu.cam.ac.uk] has quit []
13:00 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
13:42 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:43 -!- Tunker [n=Tunker@62.33.94.126] has joined ##openvpn
13:44 < Tunker> hi
13:44 < Tunker> sorry for my eanglish (
13:45 < Tunker> my old provider, my openvpn eth0-tun0, now my ne provider, eth0-ppp0-tun0, my openvpn not work
13:54 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn
14:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:21 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
14:24 -!- Tunker [n=Tunker@62.33.94.126] has quit [Read error: 110 (Connection timed out)]
14:29 -!- Tunker [n=Tunker@62.33.94.98] has joined ##openvpn
14:42 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
14:46 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
14:49 -!- lummox [i=lummox@p508DFE68.dip.t-dialin.net] has quit []
14:56 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn
14:58 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
15:00 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection]
15:01 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
15:14 < Bushmills> your new provider may be blocking packets of the protocol you use from/to the port you use
15:21 -!- Tunker [n=Tunker@62.33.94.98] has quit [Read error: 110 (Connection timed out)]
15:22 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection]
15:31 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
15:35 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit [Read error: 60 (Operation timed out)]
15:35 -!- connectionVPN [n=hello_wo@fr-d1.connectionvpn.com] has joined ##openvpn
15:59 < krzie> also ive seen isues with ppp
15:59 < krzie> if it doesnt set a default route the same way
15:59 < krzie> !factoids search ppp
15:59 < vpnHelper> krzie: No keys matched that query.
16:00 < krzie> bleh i shoulda linked to that mail port
16:00 < krzie> post
16:00 < krzie> it was quite informative
16:22 -!- MavRic [n=MavRic@c-24-91-143-191.hsd1.ct.comcast.net] has left ##openvpn []
16:36 -!- connectionVPN [n=hello_wo@fr-d1.connectionvpn.com] has quit [Read error: 110 (Connection timed out)]
16:42 < krzie> so before we can know what your problem is, we need more than "does not work"
17:38 -!- albertico [n=albertic@32.163.28.179] has joined ##openvpn
17:38 < albertico> !route
17:38 < vpnHelper> albertico: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:15 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
18:16 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
18:19 -!- ycy [i=michele@gateway/shell/blinkenshell.org/x-liikgpoxurzwkbvt] has joined ##openvpn
18:19 < ycy> hi
18:19 < ycy> to serve as an openvpn server, how many tcp and udp open ports do I need?
18:29 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Read error: 104 (Connection reset by peer)]
18:33 < Bushmills> ycy: 1
18:36 < ycy> cool
18:36 < ycy> thanks
18:36 < ycy> Bushmills: i have 3 linux box and I want them in the same net with openvpn
18:36 < ycy> one of them should be the server, right?
18:36 < Bushmills> right
18:37 < ycy> hm ok
18:37 < ycy> it is better to use udp or tcp?
18:37 < Bushmills> udp
18:37 < ycy> why?
18:37 -!- unix3 [n=unix3@201.199.62.74] has joined ##openvpn
18:37 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)]
18:38 < Bushmills> tunneling error correcting protocol over error correcting protocol can be inefficient or even lead to strange problems.
18:39 < Bushmills> !tcp
18:39 < vpnHelper> Bushmills: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
18:44 -!- albertico [n=albertic@32.163.28.179] has quit [Read error: 110 (Connection timed out)]
18:47 -!- unix3 is now known as epaphus
18:47 -!- albertico [n=albertic@207.150.251.98] has joined ##openvpn
18:48 < albertico> hi
18:50 < albertico> I am being unable to push another network
18:57 < albertico> I set the push statement, but when an external pc connects is not able to see the pushed subnet from the lan
18:57 < albertico> anyone?
19:02 -!- albertico [n=albertic@207.150.251.98] has quit ["Leaving"]
19:13 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
19:15 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit]
19:16 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:11 < robert_> hey hey krzee :P
20:21 < krzie> hey man wasup
20:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
21:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:15 -!- master_of_master [i=master_o@p549D6738.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
21:17 < robert_> oh nothing much.. enjoying italian food. :D
21:19 -!- master_of_master [i=master_o@p549D4CFD.dip.t-dialin.net] has joined ##openvpn
21:20 < krzie> nice
21:24 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 104 (Connection reset by peer)]
21:25 -!- jeiworth [n=jeiworth@189.234.96.156] has joined ##openvpn
22:23 < robert_> indeed.
22:23 < robert_> so how's it going?
22:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
22:56 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
23:24 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
23:24 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sun Nov 01 2009
00:05 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
00:06 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
01:48 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
01:44 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:01 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
03:03 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit []
03:03 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
03:42 -!- turneralex [n=aturner@203.206.236.193] has joined ##openvpn
03:42 < turneralex> Hey
03:42 < turneralex> is it possible to have different users vpn into different networks/subnets?
03:49 -!- mfeilner [n=mfeilner@dslb-084-056-082-097.pools.arcor-ip.net] has joined ##openvpn
04:06 -!- mfeilner [n=mfeilner@dslb-084-056-082-097.pools.arcor-ip.net] has left ##openvpn []
04:09 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
04:44 -!- eliasp [n=quassel@HSI-KBW-085-216-038-191.hsi.kabelbw.de] has joined ##openvpn
05:08 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn
05:11 < networkd> hey, need an advise. Say you have to secure public network with OpenVPN, you set-up server and so on.. but when it comes to clients who uses windows, how can you make this as much easy as possible for them ? Perfect would be if they just could download .exe file, click a few next buttons and the whole configuration is done. Is it possible to have custom configurations shipped with openvpn installation for windows ?
05:18 -!- brizly [n=brizly_v@p4FC99C1A.dip0.t-ipconnect.de] has joined ##openvpn
05:23 -!- thedoc_ [n=hex@unaffiliated/thedoc] has joined ##openvpn
05:24 -!- thedoc_ is now known as thedoc
05:24 -!- thedoc is now known as theDoc
05:33 -!- brizly1 [n=brizly_v@p4FC98DED.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)]
05:36 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection]
05:36 -!- Sypher|NL [n=Sypher@unaffiliated/syphernl/x-737232] has left ##openvpn ["Ik ga weg"]
05:40 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
05:49 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection]
05:53 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
05:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
05:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
06:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:51 -!- thedoc_ [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
06:51 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Nick collision from services.]
06:51 -!- thedoc_ is now known as theDoc
06:59 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
07:00 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has joined ##openvpn
07:23 -!- c64zottel [n=hans@62.12.220.2] has joined ##openvpn
07:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:53 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
08:01 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has quit ["Lost terminal"]
08:31 -!- switchgirl [n=sara@82-41-221-104.cable.ubr13.sgyl.blueyonder.co.uk] has joined ##openvpn
08:35 < switchgirl> hi i wish to set up a vpn on my eeepc so i can connect to the desktop from a cafe without my communications being evesdroped upon
08:45 < krphop> and?
08:51 < switchgirl> i dont know how
08:56 < hyper_ch> !howto
08:56 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:57 -!- eatnumber1 [n=eatnumbe@yubaba.csh.rit.edu] has joined ##openvpn
08:57 < eatnumber1> Is it possible to use STUN (or some other method) to proxy connection attempts in openvpn?
09:05 < krphop> i actually personally think the howto isnt that great, but it is there i guess
09:06 < eatnumber1> for stun?
09:06 < krphop> no, in response to messages prior to you entering
09:06 < eatnumber1> ah
09:06 < krphop> :-)
09:12 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
09:24 < theDoc> Anyone here has vista running with access-server?
09:29 < hyper_ch> nope
09:38 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
09:59 -!- c64zottel [n=hans@62.12.220.2] has quit [Read error: 104 (Connection reset by peer)]
10:08 -!- WormFood [n=wormfood@121.15.46.78] has quit [Read error: 60 (Operation timed out)]
10:13 -!- switchgirl [n=sara@82-41-221-104.cable.ubr13.sgyl.blueyonder.co.uk] has quit ["Leaving."]
10:18 -!- c64zottel [n=hans@62.12.220.2] has joined ##openvpn
10:21 -!- WormFood [n=wormfood@121.35.147.196] has joined ##openvpn
10:21 -!- jeiworth_ [n=jeiworth@189.163.185.76] has joined ##openvpn
10:32 -!- jeiworth [n=jeiworth@189.234.96.156] has quit [Read error: 110 (Connection timed out)]
10:33 -!- jeiworth_ [n=jeiworth@189.163.185.76] has quit [Remote closed the connection]
11:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:51 -!- teddymills [n=teddy@208.92.235.227] has quit [No route to host]
11:58 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:58 < magic_1> hi all
11:58 < magic_1> anyone here used openvpn with vyatta as yet
11:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
11:59 < hyper_ch> no
12:20 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [SendQ exceeded]
12:20 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
12:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
12:33 -!- jeiworth [n=jeiworth@189.163.185.76] has joined ##openvpn
12:35 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has joined ##openvpn
12:36 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has left ##openvpn []
12:36 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has joined ##openvpn
12:43 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has left ##openvpn []
12:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
12:51 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
12:52 -!- eatnumber1 [n=eatnumbe@yubaba.csh.rit.edu] has left ##openvpn ["Leaving."]
13:12 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit ["leaving"]
13:13 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
13:13 -!- cherva [i=5f2b872b@gateway/web/freenode/x-jafqvpfpznuihbhb] has joined ##openvpn
13:15 < cherva> what does dh1024.pem file does and what is the command to create it ?
13:17 < cherva> got it :)
13:38 -!- jhp [n=jhp@zeus.jhprins.org] has quit [Read error: 111 (Connection refused)]
13:40 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
13:43 -!- turneralex [n=aturner@203.206.236.193] has quit [Nick collision from syn.]
13:43 -!- fkr [i=fkr@news.bytemine.net] has quit [Nick collision from syn.]
13:43 -!- brizly [n=brizly_v@p4FC99C1A.dip0.t-ipconnect.de] has quit [Nick collision from syn.]
13:43 -!- Argafal [i=argafal@users.tokkee.org] has quit [Nick collision from syn.]
13:43 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Nick collision from syn.]
13:43 -!- drue [n=drue@stiff.therub.org] has quit [Nick collision from syn.]
13:43 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Nick collision from syn.]
13:43 -!- disco-_ [i=disco@andromeda.h4xed.com] has quit [Nick collision from syn.]
13:43 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Nick collision from syn.]
13:43 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit [Nick collision from syn.]
13:43 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [Nick collision from syn.]
13:43 -!- LobbyZ [n=default@217.18.70.127] has quit [Nick collision from syn.]
13:43 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Nick collision from syn.]
--- Log closed Sun Nov 01 13:43:59 2009
--- Log opened Sun Nov 01 13:44:04 2009
13:44 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:44 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
13:44 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has quit [Nick collision from syn.]
13:44 -!- chantra [n=chantra@ns22757.ovh.net] has quit [Nick collision from syn.]
13:44 -!- cherva [i=5f2b872b@gateway/web/freenode/x-jafqvpfpznuihbhb] has quit [Nick collision from syn.]
13:44 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has quit [Nick collision from syn.]
13:44 -!- disco- [i=disco@89.145.121.14] has joined ##openvpn
13:44 -!- Argafal [i=argafal@91.190.183.254] has joined ##openvpn
13:44 -!- freaky[t] [i=alpha@88.198.215.139] has joined ##openvpn
13:44 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Nick collision from syn.]
13:44 -!- fkr [i=fkr@134.106.146.207] has quit [Nick collision from syn.]
13:44 -!- Irssi: Join to ##openvpn was synced in 18 secs
13:44 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
13:44 -!- dmarkey [n=dmarkey@216.218.223.76] has quit [Nick collision from syn.]
--- Log closed Sun Nov 01 13:44:23 2009
--- Log opened Sun Nov 01 13:49:03 2009
13:49 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
13:49 -!- Irssi: ##openvpn: Total of 84 nicks [0 ops, 0 halfops, 0 voices, 84 normal]
13:49 -!- Irssi: Join to ##openvpn was synced in 18 secs
13:52 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
13:53 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
13:55 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Client Quit]
13:59 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
13:59 -!- cherva [i=5f2b872b@gateway/web/freenode/x-3c0cf6a183532220] has joined ##openvpn
14:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:13 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
14:14 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
14:14 -!- BigJB [n=BigJB@client-80-1-161-180.bsh-bng-011.adsl.virginmedia.net] has quit [Client Quit]
14:14 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
14:20 -!- cherva [i=5f2b872b@gateway/web/freenode/x-3c0cf6a183532220] has quit [Ping timeout: 180 seconds]
14:21 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn []
14:24 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit ["leaving"]
14:25 -!- BigJB [n=BigJB@unaffiliated/bigjb] has joined ##openvpn
14:52 -!- WormFood [n=wormfood@121.35.147.196] has quit [Read error: 60 (Operation timed out)]
14:52 -!- WormFood [n=wormfood@121.35.147.196] has joined ##openvpn
14:55 -!- BigJB [n=BigJB@unaffiliated/bigjb] has quit ["leaving"]
15:08 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["Spaf"]
15:33 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
15:51 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has left ##openvpn []
15:52 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
15:53 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has quit ["reboot"]
15:58 -!- rooth [i=rooth@ge.mig.en.redfox.nu] has joined ##openvpn
16:16 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Remote closed the connection]
16:16 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:20 -!- Grapsus [n=grapsus@che21-2-82-245-89-120.fbx.proxad.net] has quit [Remote closed the connection]
16:20 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
16:31 -!- hyper__ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
16:31 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Nick collision from services.]
16:31 -!- hyper__ch is now known as hyper_ch
16:43 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
17:02 -!- pa [n=pa@host163-6-dynamic.58-82-r.retail.telecomitalia.it] has quit [Remote closed the connection]
17:07 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
17:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 60 (Operation timed out)]
17:56 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 60 (Operation timed out)]
18:00 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
18:00 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn
18:27 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit]
18:27 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Read error: 54 (Connection reset by peer)]
18:27 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
18:28 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
18:37 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Remote closed the connection]
18:37 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
18:39 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Client Quit]
18:39 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
18:40 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Remote closed the connection]
18:41 -!- acidchild [n=ash@li88-140.members.linode.com] has joined ##openvpn
18:42 < acidchild> Hello! my wireless dhcp gives 192.168.35.[1-255] and my VPN tun0 range is 176.16.x.x
18:42 < acidchild> how do i make clients default gateway change to 172.16.0.1 without losing access wifi connection to the AP?
18:43 < acidchild> push-route? or something on server openvpn.conf?
18:51 < krzie> !def1
18:51 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
19:15 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
19:46 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
20:01 < acidchild> krzie: can't seem to get it to work, if i do ip route add default via 172.16.0.5 dev tun0 on the client
20:01 < acidchild> it works.. now do i make it push that command to the client and replace the ip with the correct addy
20:01 < acidchild> because i guess the p2p ip changes.
20:15 -!- master_of_master [i=master_o@p549D4CFD.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:16 < krzie> !configs
20:16 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
20:18 < krzie> and is your server on the LAN (securing wifi) or a remote location?
20:19 -!- master_of_master [i=master_o@p549D62DE.dip.t-dialin.net] has joined ##openvpn
20:20 < acidchild> krzie: LAN securing wifi
20:20 < krzie> ahh
20:20 < acidchild> :)
20:20 < krzie> well there we go
20:20 < krzie> !local
20:20 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
20:21 < acidchild> http://pastebin.slackadelic.com/p/okIw6t81.html
20:21 < acidchild> client conf
20:22 < acidchild> http://pastebin.slackadelic.com/p/Lqmjp240.html
20:22 < acidchild> server conf
20:23 -!- c64zottel [n=hans@62.12.220.2] has left ##openvpn []
20:24 < acidchild> krzie: still not sure how i would do 'ip route add default via 172.16.0.5 ev tun0
20:24 < acidchild> dev*
20:25 < theDoc> sigh, ddos.
20:26 < acidchild> theDoc? :(
20:27 < theDoc> acidchild> Some political blog was bitching on and on about how they suffer from ddos and deem it too "technically complex" to implement a ddos solution to help alleviate the situation
20:28 < theDoc> and how $5/mth should give them access to enterprise level ddos solutions
20:28 * theDoc facepalms
20:28 < acidchild> :P
20:29 < acidchild> i've been struggling with openvpn all day :(
20:29 < theDoc> If it's too complex, maybe they should just learn to live with the ddos then.
20:29 < theDoc> Why, what is wrong?
20:30 < acidchild> and i've found a fix but i'm unable to get openvpn to push the line to clients.
20:30 < theDoc> acidchild> Have you looked into ccd?
20:30 < theDoc> !ccd
20:30 < vpnHelper> theDoc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
20:30 < acidchild> its for everybody not just per-client
20:31 < acidchild> ip route add default via 172.16.0.5 dev tun0
20:31 < theDoc> acidchild> What is it you want to do?
20:31 < acidchild> i'm using openvpn to secure wifi, but i want to use the vpn server ip as the default gateway to the internet
20:31 < acidchild> my ip is .6 and my point to point ip is .5
20:32 < acidchild> obviously for other people these would change... but i must be able to do ip route add default via 172.16.0.? dev tun0
20:32 < acidchild> on all boxes connecting
20:32 < theDoc> acidchild> You're confusing me.
20:32 < acidchild> dhcp assigns the laptop a 192.168 addy and vpn adds a 172.16.x.x addy to tun0
20:33 < acidchild> i want all traffic to go via 172....1
20:33 < theDoc> acidchild> Your vpn network runs on 172.16?
20:33 < acidchild> yes
20:33 < theDoc> and your dhcp server for your LAN runs on 192.168.x?
20:33 < acidchild> yep
20:33 < acidchild> http://pastebin.slackadelic.com/p/Lqmjp240.html
20:33 < acidchild> my current config
20:34 < theDoc> This is your client or server conf?
20:34 < acidchild> server.
20:34 < theDoc> Looks about right.
20:34 < acidchild> yep it works fine.
20:34 < theDoc> acidchild> I'm quite sure on my vpn box, I don't have to manually push a route in.
20:35 < acidchild> for default gateway? :/
20:35 < theDoc> Yep, no need to.
20:35 < acidchild> well i do in my situation.
20:35 < theDoc> Hang on, let me get a client config and take a look
20:36 < acidchild> yes, maybe i should add this in to the client config, but can i not in the server config
20:37 < acidchild> brb going to try something
20:38 < theDoc> acidchild> no, I don't have it.
20:45 < acidchild> ip route add 172.16.0.0/24 dev tun0
20:45 < acidchild> ip route add default via 172.16.0.1 dev tun0
20:46 < acidchild> how do i make the client do that?
20:46 < acidchild> someone must know >.< that would work perfectly
20:46 < theDoc> I'm wondering if that would work if it went into the server.conf
20:46 < theDoc> I can't remember exactly the syntax.
20:52 < krzie> did you do what i said?
20:52 < krzie> !local
20:52 < vpnHelper> krzie: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
20:52 < acidchild> krzie: it doesn't work
20:55 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
21:11 < acidchild> grr, all i want to do is run a simple command, openvpn suggests it supports iproute2 and route commands, but nothing on the internet at all
21:28 < krzie> what you want is:
21:28 < krzie> on the client config:
21:28 < krzie> redirect-gateway local
21:32 < krzie> you're reinventing the wheel
21:33 * acidchild passes krzie a
21:33 < acidchild> XL coffee
21:33 < acidchild> ty
21:33 < krzie> yw
21:37 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
21:46 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
22:53 -!- barefoot [n=magic@41.121.62.217] has joined ##openvpn
22:53 -!- barefoot [n=magic@41.121.62.217] has quit [Client Quit]
23:01 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
23:06 -!- lampuser [n=lampuser@cpc4-finc11-0-0-cust149.4-2.cable.virginmedia.com] has joined ##openvpn
23:06 < lampuser> I am stuck at . . /vars
23:09 < lampuser> bash: /whichopensslcnf
23:09 < lampuser> no such file or directory
23:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:19 < lampuser> ?
23:38 -!- lampuser [n=lampuser@cpc4-finc11-0-0-cust149.4-2.cable.virginmedia.com] has quit []
--- Day changed Mon Nov 02 2009
00:06 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
00:15 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
00:23 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
00:27 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
00:28 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection]
00:33 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
00:37 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
00:40 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:22 -!- WormFood [n=wormfood@121.35.147.196] has quit [Read error: 60 (Operation timed out)]
01:22 -!- WormFood [n=wormfood@121.35.147.196] has joined ##openvpn
01:33 -!- turneralex [n=aturner@203.206.236.193] has joined ##openvpn
01:34 -!- hyper_ch [n=hyper@207-78.106-92.cust.bluewin.ch] has joined ##openvpn
01:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:56 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn
02:03 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
02:04 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
02:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:18 < Bushmills> /usr/share/doc/openvpn/examples/easy-rsa/2.0/whichopensslcnf
02:31 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)]
02:36 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
02:45 -!- dazo|afk is now known as dazo
02:50 -!- Muli|CTGR [n=muligan1@209-193-88-45.mammothnetworks.com] has quit [Read error: 54 (Connection reset by peer)]
02:51 -!- Muli|CTGR [n=muligan1@209-193-88-45.mammothnetworks.com] has joined ##openvpn
02:54 -!- redfox [n=redfox2@ns351996.ovh.net] has quit [Read error: 110 (Connection timed out)]
03:01 -!- turneralex [n=aturner@203.206.236.193] has quit [Read error: 104 (Connection reset by peer)]
03:03 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn
03:04 -!- redfox is now known as Guest57443
03:10 -!- turneralex [n=aturner@203.206.236.193] has joined ##openvpn
03:17 -!- dazo [n=ndazo@nat/redhat/x-pevifwqihlkplvoo] has quit [Read error: 54 (Connection reset by peer)]
03:18 -!- dazo [n=nndazo@nat/redhat/x-3073de1cfbe0ede4] has joined ##openvpn
03:18 -!- dazo is now known as Guest81582
03:22 -!- Guest81582 is now known as dazo
03:23 -!- dazo is now known as Guest10547
03:25 -!- Guest10547 is now known as dazo
03:26 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
03:26 -!- rhett [n=rhett@user-0ccssqu.cable.mindspring.com] has joined ##openvpn
03:27 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
03:27 < rhett> I want to access an rtsp server on an ip camera running linux that's behind a firewall without adjusting the firewall itself. I was thinking of setting up some sort of vpn or ssh tunnel
03:27 < rhett> does anyone know if either of these can run on a small embedded linux device?
03:28 < reiffert> yes, they do.
03:29 < dazo> rhett: openwrt (or X-wrt) are pretty good for small embedded devices .... and provides both ssh and openvpn
03:30 < rhett> thanks, I actually am working with an ip camera that happens to be running an arm9
03:30 < reiffert> openvpn compiles fine on arm9.
03:31 < rhett> great, which would you recommend, reiffert ? I had trouble in the past with an ssl tunnel periodically closing
03:31 < rhett> using ssh on an old old machine
03:32 < reiffert> rhett: this is #openvpn.
03:32 < rhett> yeah, so obviously you have a thumbs up for openvpn?
03:32 < rhett> but you think it will work good for my purposes?
03:35 < dazo> for sure
03:35 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
03:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
04:00 -!- hyper_ch [n=hyper@207-78.106-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)]
04:04 -!- hyper_ch [n=hyper@207-78.106-92.cust.bluewin.ch] has joined ##openvpn
04:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:34 -!- brizly [n=brizly_v@79.201.156.26] has quit [Read error: 110 (Connection timed out)]
05:37 -!- brizly [n=brizly_v@p4FC9833B.dip0.t-ipconnect.de] has joined ##openvpn
05:41 -!- rhett [n=rhett@user-0ccssqu.cable.mindspring.com] has quit ["Leaving"]
05:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
05:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:49 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:35 < ecrist> good morning
06:40 * robert_ yawns
06:40 < robert_> 'morning
06:50 < hyper_ch> hi there
06:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:56 < robert_> hey.
07:28 -!- colclough [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
07:47 < zamba> i have a routing issue i need to work out.. i have an openvpn server running on a public ip.. then i have four clients that are routers for their individual networks.. three of them have public ips, but not the last one.. i've set up client-to-client and i'm able to route to the different subnets behind the different routers, but now i want to reach an internal network that's in front of the router that hasn't got a public ip
07:47 < zamba> how can i do this?
07:50 < reiffert> read this
07:50 < reiffert> !route
07:50 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:02 -!- Guest57443 is now known as redfox
08:02 -!- redfox is now known as Guest651
08:03 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn
08:11 < Bushmills> vpnhelper, learn reiffert is reiffert would say "read this: !howto !route !nat"
08:11 < vpnHelper> Bushmills: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
08:11 < Bushmills> !burst
08:11 < vpnHelper> Bushmills: Error: "burst" is not a valid command.
08:12 < reiffert> :)
08:13 < Bushmills> !valid command
08:13 < vpnHelper> Bushmills: Error: "valid" is not a valid command.
08:13 < Bushmills> pity, no statement of the kind of "foo is not foo"
08:15 < reiffert> !help
08:15 < vpnHelper> reiffert: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
08:16 < reiffert> !help factoids
08:16 < vpnHelper> reiffert: Error: There is no command "factoids".
08:16 < reiffert> !help factoid
08:16 < vpnHelper> reiffert: Error: There is no command "factoid".
08:16 < reiffert> !help learn
08:16 < vpnHelper> reiffert: (learn [] as ) -- Associates with . is only necessary if the message isn't sent on the channel itself. The word 'as' is necessary to separate the key from the value. It can be changed to another word via the learnSeparator registry value.
08:17 * robert_ shoots Bushmills with a tranquilizer dart <.<
08:18 < Bushmills> good stuff you got there.
08:18 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit]
08:23 -!- jeiworth [n=jeiworth@189.163.185.76] has quit [Read error: 110 (Connection timed out)]
08:33 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
08:35 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn
08:41 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
08:41 < ecrist> zamba: you need the following, more importantly
08:41 < ecrist> !iroute
08:41 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
08:42 < ecrist> reiffert: quit molesting the bot. ;)
08:42 < reiffert> he started doing so.
08:44 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection]
08:49 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
08:53 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
09:01 < zamba> ecrist: so i need to add the iroute entry to the ccd for the peer in question?
09:02 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
09:03 < ecrist> yes
09:03 < ecrist> the iroute tells openvpn to route that subnet to that client
09:03 -!- c64zottel [n=hans@62.12.220.2] has joined ##openvpn
09:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
09:05 < zamba> cool
09:05 < zamba> thanks a lot
09:05 < ecrist> no problem
09:14 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
09:14 < DammitJim> hi guys... I need some help with a VPN I have using tun... for some reason I cannot ping devices on the remote network from the machine that is VPN'ning
09:15 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Read error: 104 (Connection reset by peer)]
09:15 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn
09:17 < ecrist> DammitJim: I don't follow what you're asking.
09:17 < Bushmills> !route
09:17 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:18 < Bushmills> DammitJim: ^^^^^
09:19 < DammitJim> ecrist, sorry... Bushmills thanks... I'll give it a total read to that
09:19 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
09:19 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
09:19 < Bushmills> when done, pass a few credit points on to krzee
09:21 < DammitJim> krzee will get some
09:27 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
09:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:45 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
09:45 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
09:45 < LyonJT> Hey
09:46 < LyonJT> I'm having a few issues with my interfaces file, anyone able to help?
09:46 < ecrist> your interfaces file?
09:46 < LyonJT> yes
09:47 < ecrist> I don't know what that is
09:47 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
09:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:48 < LyonJT> On ubuntu-server
09:49 < LyonJT> in /etc/network
09:49 < DammitJim> Bushmills, I read the page fully and I have a couple of questions
09:49 < DammitJim> may I ask those questions here?
10:02 -!- c64zottel [n=hans@62.12.220.2] has quit [Read error: 60 (Operation timed out)]
10:02 -!- c64zottel [n=hans@62-12-247-010.pool.cyberlink.ch] has joined ##openvpn
10:05 -!- misty_wrk [n=misty@oh-71-2-0-66.sta.embarqhsd.net] has joined ##openvpn
10:05 < misty_wrk> !route
10:05 < vpnHelper> misty_wrk: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:09 -!- hyper_ch [n=hyper@207-78.106-92.cust.bluewin.ch] has quit [Connection timed out]
10:09 -!- WormFood [n=wormfood@121.35.147.196] has quit [Read error: 60 (Operation timed out)]
10:11 < DammitJim> misty_wrk, that's what I just read
10:11 < misty_wrk> mmm
10:11 < misty_wrk> I've had to move my vpn server to a different host on the same subnet where it was
10:12 < misty_wrk> I really shouldn't need to change anything in the config to accomplish that, so I thought. I set it up, fired it up, and I can ping all of my vpn gateways, and my server can ping behind them, but they can't ping behind the server
10:12 < misty_wrk> I can't figure out what I have missed
10:12 < misty_wrk> when I do tcpdump I can see the ping requests but the clients aren't getting the responses
10:14 < misty_wrk> here are my routing tables: http://pastebin.ca/1653237
10:15 -!- DigitalFlux [n=DigitalF@98.142.211.26] has joined ##openvpn
10:15 < DigitalFlux> Guys
10:15 < DigitalFlux> newbie here
10:15 < misty_wrk> trying to ping 192.168.1.102 from 192.168.4.1, and when I do a traceroute, it goes to the server and then dies
10:16 < DigitalFlux> and needs to do a gateway to gateway VPN between a Linux host and a Linksys router
10:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:16 < DigitalFlux> I need any kind of directions.. docs,links .. anything
10:16 < misty_wrk> see the topic
10:16 < misty_wrk> but you can't run a client ON the linksys router, you need it to be on a system BEHIND it
10:18 < DigitalFlux> misty_wrk: The VPN Client will be on a remote Linux host
10:18 < misty_wrk> the docs are in the topic
10:18 < DigitalFlux> !howto
10:18 < vpnHelper> DigitalFlux: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:18 < DigitalFlux> misty_wrk: Got it, thanks
10:19 < misty_wrk> this must be a stupid routing issue that I can't see
10:27 -!- WormFood [n=wormfood@58.61.134.79] has joined ##openvpn
10:28 < DigitalFlux> misty_wrk: ?! :)
10:29 < misty_wrk> I'm having trouble with my config
10:29 < DigitalFlux> Oh
10:29 < misty_wrk> since you said you were new, I didn't ask you for any help
10:29 -!- Guest651 is now known as redfox
10:29 -!- redfox is now known as Guest24319
10:30 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:31 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:33 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has quit [Client Quit]
10:34 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has joined ##openvpn
10:35 -!- SJr [n=sjr@206.12.55.92] has joined ##openvpn
10:37 < SJr> I'm getting this error: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) when I try to connect, one solution is to use sudo, but before I formatted I didn't have this problem, so there must be another way. Basically I cannot create a new tun device, even though I have permission.
10:39 < SJr> setuid?
10:40 < reiffert> ls -al /dev/net/tun
10:41 < SJr> crw-rw-rw- 1 root sjr 10, 200 2009-11-01 18:55 /dev/net/tun
10:42 < SJr> I thought before, and it's been a few months that I actually, I statically created tun0
10:42 < reiffert> I've doubts about o+rw, but that shouldnt matter. maybe raise the verbosity/debug level
10:43 < SJr> well googling the error does seem to suggest that the problem is that non root cannot create a tun0 device, solutions are sudo, or setuid.
10:43 < SJr> Is it safe to use openvpn with setuid, sorry I just realized I have to go in a minute
10:43 < teddymills> James Yonan is a genius.
10:44 < reiffert> teddymills: he's an idiot for not releasing 2.1
10:45 < reiffert> SJr: launch it with strace -f -s 1024 -oout n have a look on the problem in particular.
10:47 -!- ikla [n=lbz@c-98-245-237-70.hsd1.co.comcast.net] has joined ##openvpn
10:48 < ikla> when I try to revoke-crt it says you must define a KEY_DIR I define it to /etc/openvpn/easy-rsa/keys then it errors out still
10:49 < reiffert> it's a shell script, debug yourself.
10:51 -!- SJr [n=sjr@206.12.55.92] has quit [Read error: 60 (Operation timed out)]
10:55 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
11:07 < misty_wrk> is there any kind of guide for troubleshooting the routing, besides what is in the topic?
11:23 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:37 -!- c64zottel [n=hans@62-12-247-010.pool.cyberlink.ch] has left ##openvpn []
11:38 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
11:43 -!- dazo is now known as dazo|afk
11:45 -!- misty_wrk1 [n=misty@oh-71-2-0-66.sta.embarqhsd.net] has joined ##openvpn
11:49 -!- dewey [n=dewey@chello080109146125.tirol.surfer.at] has left ##openvpn []
11:52 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
11:53 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection]
12:03 -!- misty_wrk [n=misty@oh-71-2-0-66.sta.embarqhsd.net] has quit [Read error: 110 (Connection timed out)]
12:10 < misty_wrk1> I have read the routing guide several times now, as far as I know I have all the routes and iroutes in place (this is not a new config), yet I can still not ping across the subnet on one side
12:11 < misty_wrk1> what is new is that I re-homed the server to a different system on the same subnet, which took over as a gateway for the old one which needs to be reinstalled
12:11 < misty_wrk1> but I set up iptables exactly like the old one, routing is set up exactly the same as far as I can tell (but obviously not in reality).
12:17 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
12:19 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
12:21 < Bushmills> !firewk´all
12:21 < vpnHelper> Bushmills: Error: "firewk´all" is not a valid command.
12:21 < Bushmills> ehm...
12:21 < Bushmills> !firewall
12:21 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
12:22 < misty_wrk1> lol
12:22 < krzee> im still drunk from last night
12:22 < krzee> just thought i'd announce that
12:22 < misty_wrk1> krzee: you are the one who wrote the routing thing
12:22 < misty_wrk1> I read it 5x and still can't see my issue
12:22 < misty_wrk1> but it's very well written at least
12:23 < krzee> i sure am
12:23 < krzee> thanx
12:23 < krzee> flattery will get you everywhere when im drunk, paste your configs
12:23 < krzee> !configs
12:23 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:24 < misty_wrk1> ok I will do it, I don't think the configs are the issue though, I think it's kernel-level routing
12:24 < DammitJim> where do you guys suggest I ask about Dual Nic config? what channel?
12:25 < Bushmills> krzee: you've been priming your metabolism with what?
12:25 < krzee> absinthe
12:25 < Bushmills> hehe
12:25 < Bushmills> i could have guessed
12:26 < Bushmills> hopefully you didn't suffer from chameleon effec
12:26 < Bushmills> effect
12:27 < krzee> what effect?
12:27 < krzee> i dont know what happened honestly, my girl is still telling me stories
12:27 < Bushmills> chameleon effect = face takes on colour of drink
12:28 < krzee> whoa
12:28 < krzee> dunno
12:28 < krzee> but monster energy drink is a great mixer for it
12:28 < misty_wrk1> http://pastebin.ca/1653430
12:28 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn
12:28 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:28 < misty_wrk1> thank you in advance for looking
12:29 < robert_> krzee, moo. :P
12:29 < krzee> i just remembered i setup openvpn at my friends house last night
12:29 < misty_wrk1> lol
12:29 < krzee> while hammered from absinthe
12:29 < krzee> lol
12:29 < robert_> lol
12:30 < krzee> local 0.0.0.0
12:30 < krzee> pls tell me that you modified that for pasting
12:31 < Bushmills> misty_wrk1: cat /proc/sys/net/ipv4/ip_forward
12:31 < misty_wrk1> 1 on both hosts
12:31 < misty_wrk1> that would be too easy
12:31 < misty_wrk1> krzee, I did not
12:31 < misty_wrk1> it was that way on my old system
12:31 < misty_wrk1> I wondered about it, but it said in the docs it is optional
12:31 < misty_wrk1> I am happy to try changing it
12:32 -!- SJr [n=sjr@206.12.55.92] has joined ##openvpn
12:32 < krzee> change it to an ip you want to bind openvpn to listen on
12:32 < krzee> # The routes we handle
12:32 < krzee> route 192.168.2.0 255.255.255.0
12:32 < krzee> route 192.168.3.0 255.255.255.0
12:32 < krzee> route 192.168.4.0 255.255.255.0
12:32 < krzee> route 192.168.6.0 255.255.255.0
12:32 < krzee> route 192.168.7.0 255.255.255.0
12:32 < krzee> those are all networks behind clients?
12:32 < misty_wrk1> yes
12:32 < krzee> push "route 192.168.1.0 255.255.255.0"
12:32 < DammitJim> Bushmills, can you help me understand why I can ping a machine on a remote network, but from that machine I cannot ping back?
12:32 < krzee> that is behind the server?
12:32 < misty_wrk1> yes
12:33 < Bushmills> looks a bit like 192.168.0.0/21 ...
12:33 < krzee> the router the server uses has a route for all those client networks AND the vpn network to flow through the server lan ip?
12:33 < Bushmills> DammitJim: !route or !firewall
12:33 < DammitJim> !route
12:33 < vpnHelper> DammitJim: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:33 < misty_wrk1> yes krzee, I pasted the routing tables
12:33 < DammitJim> !firewall
12:33 < vpnHelper> DammitJim: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
12:34 < krzee> READ IT DONT SKIM IT!
12:34 < krzee> hehehe
12:34 < misty_wrk1> also no behavior change after binding to the external IP only
12:34 < robert_> DammitJim, I told you she couldn't take any more! And N'w, teh Eng'nes have expluded!
12:34 < robert_> :P
12:34 < Bushmills> LISTEN TO KRZEE!
12:34 < misty_wrk1> 4.1 can ping the VPN server but nothing behind it
12:35 < DammitJim> wooooot?
12:35 < krzee> of course
12:35 < krzee> 192.168.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
12:35 < krzee> it doesnt have a route
12:35 < DammitJim> my issue is that for some reason, I can ping the laptop, but the laptop cannot ping back
12:35 < krzee> on the router
12:35 < krzee> give it the right route and try again
12:36 < krzee> DammitJim, firewall
12:36 < DammitJim> the router seems to want to send the ping to an outside address, even though it's 10.20.30.x
12:36 < krzee> didnt i tell you before to sniff packets and see where they drop?
12:36 * DammitJim checks firewall
12:36 < misty_wrk1> wha?
12:36 < krzee> misty_wrk1, look at your router routing table again 12:36 < misty_wrk1> wow 12:36 < krzee> 4.0 is fubar 12:36 < misty_wrk1> 192.168.4.0 192.168.100.2 255.255.255.0 UG 0 0 0 tun0 12:37 < krzee> ROUTER not server 12:37 < krzee> shit im drunk 12:37 < misty_wrk1> no no, the one with the route you saw is the client 12:37 < krzee> absinthe is great 12:37 < misty_wrk1> and 4.0 is local to it 12:37 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 12:37 < misty_wrk1> so that's actually correct 12:37 < krzee> oh you're right 12:37 < krzee> lol 12:38 < krzee> then wheres the routers route table? 12:38 < misty_wrk1> I don't know what you mean by router, they are both routers 12:38 < misty_wrk1> the server's route table, is that what you mean? 12:38 < Bushmills> hope you're not suffering from chartreuse packets 12:38 < krzee> oh 12:38 < krzee> both sides are default gateways for their lans? 12:39 < misty_wrk1> yes :D 12:39 < Bushmills> they are very displeasing to sniff at. 12:39 < krzee> and have you checked server log to be sure the ccd is being picked up? 12:39 < krzee> when the client connects it should say something bout the ccd and iroute 12:39 < misty_wrk1> well no, but it obviously is because the client has the right stuff in its routing table ... right? 12:39 < krzee> no 12:39 < krzee> !iroute 12:40 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 12:40 < misty_wrk1> Mon Nov 2 13:03:38 2009 us=788179 ccd_exclusive = DISABLED 12:40 < misty_wrk1> is that significant? 
that's on the client 12:40 < krzee> nope 12:40 < krzee> just means clients WITHOUT a ccd entry are allowed to connect 12:40 < misty_wrk1> Mon Nov 2 13:35:11 2009 dutchsrv/69.68.55.161:14602 OPTIONS IMPORT: reading client specific options from: /etc/openvpn/ccd/dutchsrv 12:40 < krzee> if enabled, they are not 12:40 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 12:40 < misty_wrk1> and that ccd is in my pastebin 12:41 < misty_wrk1> I made sure it had the iroute 12:41 < krzee> that one matters, whats the next line 12:41 < krzee> push "route 192.168.2.0 255.255.255.0" 12:41 < krzee> why is that in the ccd> 12:41 < krzee> ? 12:43 * krzee thinks Bushmills is laughing at the attempts to drunken troubleshoot 12:43 < krzee> lol 12:43 < Bushmills> how do you know about misty_wrk1's condition? 12:44 < misty_wrk1> my condition? 12:44 < Bushmills> "attempts to drunken troubleshoot" 12:44 < misty_wrk1> krzee: I ran into problems with multiple subnets 12:44 < krzee> oh ya? what? 12:44 * robert_ pokes krzee 12:44 < misty_wrk1> 192.168.2.0's router participates as a vpn client, and if it gets pushed a route for its own subnet, it doesn't like it 12:44 < robert_> hai :P 12:44 < misty_wrk1> so I was putting them in the ccd to avoid that 12:44 < krzee> only cause it doesnt have an iroute like it should 12:45 < krzee> as explained in !route 12:45 < misty_wrk1> o 12:45 < misty_wrk1> rly?
12:45 < krzee> rly 12:45 < misty_wrk1> well hell, I can try it 12:45 < misty_wrk1> so I should put all the pushes in the server.conf 12:45 < krzee> every client that has a subnet behind it needs an iroute 12:46 -!- ikla [n=lbz@c-98-245-237-70.hsd1.co.comcast.net] has left ##openvpn ["Leaving"] 12:46 < krzee> and every push route belongs in server.conf unless certain clients should not get them for security reasons (which should ALSO have firewall rules in server to prevent them from accessing by adding their own routes) 12:46 < krzee> every push route that matches an iroute will be ignored by the client with the iroute 12:46 < krzee> because ovpn is smart like that 12:47 < robert_> heh 12:47 < misty_wrk1> ok I changed it 12:48 < robert_> krzee, question.. for some things, openvpn is performing... slowly. I'm not sure how else to describe it, lol 12:48 < misty_wrk1> they all did have the iroutes 12:48 < misty_wrk1> it doesn't change the behavior sadly 12:48 < krzee> robert_, for some things my brain is performing slowly right now, i dont know how else to describe it either 12:48 < robert_> is there something server-side (e.g. CA key size) that can affect the speed of the VPN? 12:49 -!- stein0 is now known as stein0_M10 12:49 < misty_wrk1> krzee: I can see ICMP requests going out of the client, and ICMP requests going to the server, but nothing going back from the server to the client 12:49 < misty_wrk1> I can't actually find the ICMP replies 12:49 < robert_> ln -s /dev/wasted /home/krzee 12:49 < robert_> :P 12:49 < krzee> ca cert is only used for connecting 12:49 < krzee> the hmac key is used for every packet tho 12:50 < krzee> although no matter how big it is only a certain amount of it is used 12:50 < robert_> thought so.. the keys are like 2048-bit 12:50 < krzee> mine are all 4096bit 12:50 < robert_> and yours still run fine? 
12:50 < krzee> sure 12:50 < krzee> that stuff is only used during keying and rekeying hourly 12:51 < misty_wrk1> krzee, more info: at the same time I can see the requests on the server's tun0 I can also see them on the server's eth0 12:51 < krzee> and the hmac static key doesnt use the whole file 12:51 < robert_> Ah. 12:51 < misty_wrk1> shouldn't the tun0 be bound to eth1? 12:51 < krzee> bound to? 12:51 < misty_wrk1> eth1 being the NIC with the address I used for 'local' when you changed it 12:51 < krzee> misty_wrk1, you dont see them when sniffing tun0? 12:51 < misty_wrk1> I do 12:51 < misty_wrk1> but I also see them when sniffing eth0 12:52 < misty_wrk1> which is my INTERNAL nic for that system 12:52 < krzee> ya but you see them encrypted on eth0 12:52 < krzee> err 12:52 < misty_wrk1> that may be true, but why are they hitting that nic at all? 12:52 < krzee> im too drunk to get it 12:52 < misty_wrk1> aww 12:52 < krzee> ask Bushmills, lol 12:52 < robert_> lol 12:52 < misty_wrk1> if I have 'local 71.2.0.66' in server.conf 12:52 < misty_wrk1> and 71.2.0.66 is eth1 12:53 < misty_wrk1> shouldn't I be seeing them on eth1 rather than eth0? 12:53 < robert_> lol, you're drunk at.. 2pm? 12:53 < krzee> robert_, im STILL drunk at 2pm 12:53 < misty_wrk1> I guess I don't understand what the 'local' does 12:53 < robert_> lol, STILL drunk? from last night? or from hours earlier? lol 12:54 < krzee> misty_wrk1, then see --local in the man page 12:54 < krzee> last night robert_ 12:54 < misty_wrk1> well, I did look at it 12:54 < misty_wrk1> apparently that is where openvpn is listening 12:54 < misty_wrk1> simple enough 12:54 < Bushmills> you see them on tun, as the packets they are, and on eth, as the packets representing the tunnel 12:54 < krzee> misty_wrk1, you shouldnt have a single option in your configs you havnt read about in the manual 12:54 < misty_wrk1> Bushmills: but why are they on eth0 where the vpn is not listening? 
12:54 < Bushmills> latter packets should have encrypted payload 12:54 < krzee> misty_wrk1, are you pinging an ip thats on eth0? 12:55 < misty_wrk1> krzee, I have read about them all, years ago when I set up the vpn 12:55 < misty_wrk1> oh 12:55 < Bushmills> and going to vpn port 12:55 < misty_wrk1> well yeah, yeah I am 12:55 < krzee> LOL 12:55 * misty_wrk1 goes to get more coffee 12:55 * krzee notes how fun this is 12:55 < misty_wrk1> ok, so how come I can't see any ICMP replies on ANY interface? 12:55 < krzee> i wish i always woke up drunk 12:55 < krzee> misty_wrk1, firewall 12:55 < Bushmills> misty_wrk1: because the tunnel can't tunnel itself through itself 12:56 < misty_wrk1> iptables firewall, and tun+ is loved 12:56 < misty_wrk1> the fw is on the same system 12:56 < misty_wrk1> on the other side, it is going through a dsl router 12:56 < krzee> whoa Bushmills that was too much for my feeble mindstate 12:56 < krzee> misty_wrk1, but its not about tun 12:56 < krzee> its eth0 that needs to reply 12:56 < krzee> not tun* 12:57 < Bushmills> "route add vpn-server tun0" :D 12:57 < krzee> be the packet 12:57 < krzee> go through each dev 12:57 < krzee> lol 12:57 < misty_wrk1> that route already exists 12:58 < krzee> dsl router? you said each client and the server ARE the router 12:58 -!- SJr [n=sjr@206.12.55.92] has quit [Read error: 110 (Connection timed out)] 12:59 < krzee> omg its 3pm 12:59 < misty_wrk1> yeah well 12:59 < krzee> hey i won $75 usd gambling this week, cool 12:59 < robert_> lmao... how much did you consume last night? 13:00 < misty_wrk1> anyway what changed is the server, so the problem has to be on the server 13:00 < krzee> yay for the yankees 13:00 < krzee> robert_, not as much as youd think, absinthe is great 13:00 < robert_> Ah. That explains it.
13:00 < robert_> the russian stuff ftw 13:00 < robert_> :P 13:01 < krzee> misty_wrk1, if the packets get to eth0 and it never sends a reply, firewall 13:01 < krzee> you did the right thing by sniffing them out 13:01 < krzee> now you just gotta fix it in the firewall 13:02 < krzee> im assuming the eth0 ip is ON the server 13:02 < krzee> if it is a lan ip behind the server, could be something else 13:02 < krzee> but if its the ip that is bound to eth0, definitely the firewall 13:03 * misty_wrk1 scrutinizes iptables 13:03 < robert_> mmm iptables 13:04 < misty_wrk1> the server has two NICs, one is bridged with DSL and the other is on the switch for the subnet 13:04 < misty_wrk1> I have got nothing blocking ICMP 13:04 * robert_ sodomizes misty_wrk1's iptables with freebsd's pf <.< 13:04 < misty_wrk1> you are assuming it has an asshole 13:04 < robert_> :P 13:04 < misty_wrk1> ok maybe I have mixed up eth0 and eth1 because they switched functions when the servers switched 13:04 < misty_wrk1> I thought I caught them all 13:05 < robert_> sharp wit, missy. :P 13:08 < misty_wrk1> do I need port 1194 open on the client and server? because I didn't have it that way before, and somehow it "just worked" 13:08 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Read error: 104 (Connection reset by peer)] 13:08 < misty_wrk1> doesn't it do something through port 22 first? 13:09 < misty_wrk1> opening it doesn't help anyway, and if that was the problem the client wouldn't be able to connect at all 13:09 < krzee> Bushmills, if you're ever in need of md5 crackage pls see me 13:09 < krzee> got that shit down 13:10 < krzee> and a new 240 core vid card on the way 13:10 < krzee> and have 500gig of rti tables 13:10 < krzee> much more efficient than rt 13:12 < misty_wrk1> krzee: if I pastebin my iptables can you tell me if I have done something stupid? 
13:12 < krzee> dunnno 13:12 < krzee> not a linux guy 13:12 < krzee> but im sure SOMEONe can 13:12 < misty_wrk1> haha 13:13 < misty_wrk1> I feel a bit funny pasting that 13:13 < misty_wrk1> security by obscurity 13:13 < misty_wrk1> but oh well http://pastebin.ca/1653486 13:17 -!- Thamster [n=Thamster@207.81.114.134] has joined ##openvpn 13:25 -!- Thamster [n=Thamster@207.81.114.134] has quit [Remote closed the connection] 13:25 -!- Thamster [n=Thamster@207.81.114.134] has joined ##openvpn 13:30 -!- Thamster [n=Thamster@207.81.114.134] has quit [Remote closed the connection] 13:31 -!- Thamster [n=Thamster@207.81.114.134] has joined ##openvpn 13:35 -!- WormFood [n=wormfood@58.61.134.79] has quit [Read error: 60 (Operation timed out)] 13:35 -!- Thamster [n=Thamster@207.81.114.134] has quit [Read error: 54 (Connection reset by peer)] 13:35 -!- Thamster_ [n=Thamster@207.81.114.134] has joined ##openvpn 13:35 -!- WormFood [n=wormfood@58.61.134.79] has joined ##openvpn 13:36 < le0> whats the prob misty_wrk1? 
13:37 < misty_wrk1> I can behind the vpn on one side of the tunnel but not the other side 13:43 < misty_wrk1> I figured it out 13:43 < misty_wrk1> thanks for all the help 13:43 < misty_wrk1> I didn't even think of trying to ping a different host 13:43 < misty_wrk1> that host had the wrong gateway 13:45 -!- Thamster [n=Thamster@207.81.114.134] has joined ##openvpn 13:45 -!- Thamster_ [n=Thamster@207.81.114.134] has quit [Read error: 104 (Connection reset by peer)] 13:48 -!- turneralex [n=aturner@203.206.236.193] has quit [] 13:50 -!- Thamster_ [n=Thamster@207.81.114.134] has joined ##openvpn 13:51 -!- Thamster_ [n=Thamster@207.81.114.134] has quit [Remote closed the connection] 13:52 -!- Thamster_ [n=Thamster@207.81.114.134] has joined ##openvpn 13:53 -!- Thamster [n=Thamster@207.81.114.134] has quit [Read error: 104 (Connection reset by peer)] 13:53 -!- Thamster_ is now known as Thamster 13:55 < Hypnoz> so the vpn worked it was just that host had the wrong gateway set and couldn't return the icmp packet? 13:55 < misty_wrk1> yes, and I said at the very beginning that I thought it was a routing issue 13:55 < misty_wrk1> I'm sorry to waste everyone's time 13:58 < Thamster> what is the correct verbosity level to troubleshoot routing issues? 
13:58 < Thamster> for web traffic 13:59 -!- Thamster_ [n=Thamster@207.81.114.134] has joined ##openvpn 13:59 -!- Thamster [n=Thamster@207.81.114.134] has quit [Read error: 54 (Connection reset by peer)] 13:59 -!- Thamster_ is now known as Thamster 13:59 < krzee> depends 13:59 < krzee> 5 or 6 is good for finding firewall issues 14:00 < krzee> 4 for other stuff 14:00 < krzee> 3 for normal usage ild say 14:00 < Thamster> i'm really stumped on this thing, i started an openvpn server on amazon ec2 14:00 < Thamster> and can connect to it from my mac 14:00 < Thamster> they seem to be talking back and forth 14:01 < Thamster> and exchange the keys for the client 14:01 < Thamster> but i can't seem to get out to the internet 14:01 < krzee> !redirect 14:01 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:01 < krzee> im guessing you're missing the nat 14:02 < Thamster> yeah i did redirect-gateway and tried setting up the nat using iptables 14:02 < Thamster> but i'm not sure if I have it right 14:02 < Thamster> iptables -t nat -A POSTROUTING -s 192.168.1.66 -j SNAT --to 10.8.0.1 14:02 < Thamster> is what i did 14:03 < Thamster> 192.168.1.66 being my mac client ip 14:03 < Thamster> on the local lan 14:03 < Thamster> and 10.8.0.1 being the server vpn ip 14:03 < Thamster> i ran that command on the server side 14:04 < krzee> !linnat 14:04 < vpnHelper> krzee: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 14:04 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn 14:04 < Thamster> cool i'll take a look thanks 
14:06 -!- misty_wrk1 [n=misty@oh-71-2-0-66.sta.embarqhsd.net] has left ##openvpn [] 14:10 < Argafal> /win 35 14:14 -!- WormFood [n=wormfood@58.61.134.79] has quit [Read error: 60 (Operation timed out)] 14:15 -!- WormFood [n=wormfood@58.61.134.79] has joined ##openvpn 14:21 < Thamster> what does the frontslash 24 mean? 14:21 < Thamster> 10.8.0.0/24 14:21 < Thamster> is that the range? 14:26 < reiffert> subnet mask. 14:30 < Thamster> in bytes? 14:32 < Thamster> how does it translate to 255.255.255.X 14:32 < Thamster> ? 14:36 < DammitJim> bridging is the word\ 14:47 -!- Thamster [n=Thamster@207.81.114.134] has quit [] 14:55 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 14:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:55 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 14:55 < reiffert> !subnet 14:55 < vpnHelper> reiffert: Error: "subnet" is not a valid command. 14:55 < reiffert> !learn subnet as http://www.subnet-calculator.com/ 14:55 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 14:56 < reiffert> vpnHelper, die now. 14:56 < vpnHelper> reiffert: Error: "die" is not a valid command. 
15:30 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 15:33 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 15:42 -!- Amjad [n=zjb@87.109.147.235] has joined ##openvpn 15:42 < Amjad> hello 15:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 15:42 < Amjad> I need some help anyone 15:44 < Amjad> ^scott^ 15:44 < Bushmills> /join #help 15:44 * Amjad slaps ^scott^ around a bit with a large trout 15:45 < Amjad> I want to help in the openvpn 15:45 < krphop> dont ask to ask, just effing ask 15:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 15:47 < Amjad> I try to put in my license in and it said 15:47 < Amjad> Error: 15:47 < Amjad> chain_add_license_key: 15:48 < Amjad> What can be the problem. 15:48 < Bushmills> wrong license with wrong program. 15:48 < reiffert> license? 15:48 < Bushmills> openvpn doesn't need licenses 15:49 < reiffert> Amjad: access server? 15:49 < reiffert> Amjad: go and use the official access server support. 15:49 < Amjad> ummm okay 15:50 < Amjad> license from the company 15:50 < reiffert> and get what you have paid for. 15:50 < Bushmills> "the company" sold you an openvpn license? 15:50 < Bushmills> quite daring. interesting business model 15:51 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 15:51 < Bushmills> Amjad: i can sell you two, for the same price 15:51 < reiffert> Bushmills: wanna buy a linux license? 15:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 15:52 < Amjad> ok Bushmills yes 15:53 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 15:53 < Bushmills> i'll accept paypal, and you can receive the licenses to use openvpn online. you can even have a corporate license if you like 15:55 < Amjad> really? 15:55 < Amjad> good 15:56 < Bushmills> what language do you want your licenses in?
15:58 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has quit ["I ♥ Elive"] 15:58 < Amjad> English 15:59 < Bushmills> here is one license: http://www.gnu.org/licenses/gpl-2.0.html#SEC1 15:59 < vpnHelper> Title: GNU General Public License v2.0 - GNU Project - Free Software Foundation (FSF) (at www.gnu.org) 15:59 < Argafal> Bushmills: do your licenses contain support or is it just the software package for installing it yourself? ;) 16:01 -!- teratoma [n=unknown@69.172.135.243] has joined ##openvpn 16:03 < Bushmills> Argafal: license is not support 16:07 -!- stein0_M10 is now known as stein0 16:09 < Argafal> too bad ;)) 16:11 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:12 < Bushmills> why, would you like to buy support? 16:12 < Argafal> no, but I think Amjad did. 16:13 < Bushmills> no, he wanted to buy licenses 16:13 < Bushmills> i just sent him a free sample 16:13 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)] 16:14 < Argafal> Bushmills: :-> 16:14 < Bushmills> "try before you buy" :) 16:14 * Argafal likes this channel. 16:17 -!- Douglas [n=contact@ool-435033e6.dyn.optonline.net] has joined ##openvpn 16:17 < Douglas> is 8.0 rc2 fbsd fairly stable 16:26 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Connection timed out] 16:42 < Amjad> Bushmills: I'm already install openvpn with web interface 16:42 < Bushmills> do you also need a license for the web interface? 16:42 < Amjad> also I get two free users license .... 16:43 < Amjad> Just when I try install the license .. I have this error message: 16:43 < Amjad> Error: 16:43 < Amjad> chain_add_license_key: 16:44 < Bushmills> do you want me to send you another license? 16:44 < Amjad> Do you have more information about this problem ?? 16:44 < Amjad> I can register again with another license ... it free !!
16:44 < Bushmills> ok 16:44 < Amjad> I don't know what the problem when I try add the key 16:45 < Bushmills> i suppose the problem is: MAC_ADDR is not present in local machine validation properties 16:46 < Amjad> this is not enough 16:46 < Amjad> to solve the problem ... 16:47 < Amjad> what you do if the problem appear with you ?? 16:49 < Bushmills> it is not openvpn, printing that error message. maybe consulting the support channels of the program which gives that error will give you better help. 16:51 < Amjad> Ok for more you information ... 16:51 < Amjad> I have install it on VPS 16:52 < Amjad> with VZPP Control panel 16:52 < Amjad> Bushmills 16:53 < Bushmills> i don't even know what "it" pertains to. a program, requiring a license key, is what i know. 16:54 < Bushmills> openvpn doesn't require a license key. 16:54 < Bushmills> so you should ask in the channel for "it" 16:55 < Amjad> Maybe the problem because TUN was not on 16:57 < Amjad> can you give me the channel name ??? 16:57 < Amjad> another channel can help me ,,, 16:57 < Bushmills> /j #it 16:58 -!- jeiworth [n=jeiworth@189.177.28.40] has joined ##openvpn 17:14 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)] 17:20 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:32 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 17:38 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:56 -!- Nokio [n=gvachon@modemcable026.33-70-69.static.videotron.ca] has joined ##openvpn 17:59 < Nokio> Hi all, I just configured openvpn on my server and it start just fine.
Now i created the client configuration and when i try to start it, both server talk to each other but in the end i get this : http://pastebin.com/d3a6a8964 Thanks in advance for the help 18:10 -!- Muli|CSGR [n=muligan1@209-193-88-45.mammothnetworks.com] has joined ##openvpn 18:12 < Hypnoz> that pastebin was from a client connecting? 18:13 -!- krphop is now known as krphop_afk 18:16 < Nokio> hypnoz yes. I just managed to get a bit further and it seem that the system cant find its tun device lol :p that might be my problem because im now getting http://pastebin.com/d29cf22f7 18:16 < Hypnoz> Nokio: what operating system? 18:17 < Nokio> a customer old Red Hat Linux release 7.3 (Valhalla) 18:18 < Hypnoz> Ah. Did you remember to "sudo" the command 18:18 < Hypnoz> sudo openvpn --config client.ovpn 18:18 < Hypnoz> or client.conf maybe, whatever you named it 18:19 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 18:21 < Nokio> im running /etc/init.d/openvpn start as root 18:26 < Hypnoz> thats on the server 18:26 < Hypnoz> are you getting this error on the server or client 18:27 -!- Muli|CTGR [n=muligan1@209-193-88-45.mammothnetworks.com] has quit [Read error: 110 (Connection timed out)] 18:32 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 18:33 < Nokio> client 18:33 < Nokio> but its configured as server to server 18:41 -!- Thamster [n=Thamster@207.81.114.134] has joined ##openvpn 18:42 < Nokio> ok i made it through that but im now facing something else lol :( 18:42 < Nokio> the vpn is started and connected 18:42 < Nokio> the route are added 18:42 < Hypnoz> and? 18:42 < Nokio> if i try to ping from the client side the server tun ip it says : ping: sendmsg: Operation not permitted 18:43 < Hypnoz> it won't let you ping?
18:43 < Nokio> if i try to ssh to the server tun ip or server local ip it does not work but the vpn are clearly connected 18:43 < Hypnoz> you should be able to ping the openvpn server IP without an error 18:45 < Nokio> i know :( thats what make me sad hehe 18:45 < Hypnoz> can you ping google or something 18:46 < Nokio> yes it work all fine if i do a simple ping 18:46 < Hypnoz> so you can ping the openvpn server 18:47 -!- WormFood [n=wormfood@58.61.134.79] has quit [Read error: 60 (Operation timed out)] 18:47 < Nokio> http://pastebin.com/d8453b01 18:47 -!- WormFood [n=wormfood@58.61.134.79] has joined ##openvpn 18:48 < Thamster> are you pinging the vpn ip or the wan ip? 18:48 < Nokio> vpn ip 18:50 < Hypnoz> What about IPTABLES? Do you have a firewall running? Check with the command "iptables -L INPUT" and "iptables -L OUTPUT" to see if there are any DENY rules. 18:51 < Nokio> this is what it gives me http://pastebin.com/d2bd0659f 18:53 < Hypnoz> http://www.linuxquestions.org/questions/linux-networking-3/ping-sendmsg-operation-not-permitted-307848/page2.html 18:53 < vpnHelper> Title: ping: sendmsg: operation not permitted - Page 2 - LinuxQuestions.org (at www.linuxquestions.org) 18:53 < Hypnoz> this person had the same thing, and they said they disabled shorewall firewall and tried pinging and it worked 18:53 < Hypnoz> their iptables look similar to yours if you look at their output 18:54 < Nokio> hmmm true it could also explain why i cant ssh using the server vpn ip 18:54 < Nokio> ill try that out 18:56 < Nokio> well since now the vpn is connected and now im probably having a firewall issue i will say thanks to you all for your help regarding openvpn :D 18:56 < Nokio> much appreciated 18:59 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 18:59 < Hypnoz> Welcome Nokio. Hopefully pausing Shorewall resolves it. 19:00 < Nokio> I hope so Hypnoz.
:p Many thanks again 19:00 < Nokio> have a good night 19:00 -!- Nokio [n=gvachon@modemcable026.33-70-69.static.videotron.ca] has quit ["Leaving"] 19:06 -!- rrtor [n=greg@95.211.4.12] has joined ##openvpn 19:07 < rrtor> Network Manager is connecting to the VPN, but I'm unable to connect via the command line or GOpenVPN. Is there a way to export the network-manager-applet-openvpn's configuration? I'm using Debian 5. 19:10 -!- Thamster [n=Thamster@207.81.114.134] has quit [Read error: 110 (Connection timed out)] 19:13 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."] 19:15 -!- jeiworth [n=jeiworth@189.177.28.40] has quit [Connection timed out] 19:15 -!- rrtor [n=greg@95.211.4.12] has quit ["leaving"] 19:42 -!- WormFood [n=wormfood@58.61.134.79] has quit [Read error: 60 (Operation timed out)] 19:42 -!- WormFood [n=wormfood@58.61.134.79] has joined ##openvpn 19:57 -!- ErickG [n=ErickG@190.87.249.243] has joined ##openvpn 20:10 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn 20:15 -!- master_of_master [i=master_o@p549D62DE.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:20 -!- master_of_master [i=master_o@p549D62D5.dip.t-dialin.net] has joined ##openvpn 20:26 -!- vaq [n=c99@vaq/unaffiliated] has quit [Client Quit] 20:27 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit ["This computer has gone to sleep"] 20:31 -!- ErickG [n=ErickG@190.87.249.243] has left ##openvpn [] 20:38 -!- xp_prg [n=xp_prg3@99.23.56.166] has joined ##openvpn 20:46 -!- Cyllene [n=cy@unaffiliated/cyllene] has joined ##openvpn 20:46 < Cyllene> Hi. I have a tap tunnel established between two machines. 20:47 < Cyllene> One is an IP ending in ::3, and the other has an IP ending in ::4 20:47 < Douglas> ipv6 :( 20:47 < Cyllene> The ::3 machine can successfully ping itself. 20:47 < Cyllene> The ::4 machine can not. 20:47 < Cyllene> More over, neither machine can ping each other. 20:47 < Cyllene> Does anyone have any idea why? 
20:47 < Douglas> !configs 20:47 < vpnHelper> Douglas: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:47 < Douglas> actually 20:47 < Douglas> !all 20:47 < vpnHelper> Douglas: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 20:48 < Cyllene> Douglas: Before I do that, I am trying to use OpenVPN to "proxy" my sixxs connection to multiple workstations. 20:48 -!- jeiworth [n=jeiworth@189.163.185.76] has joined ##openvpn 20:53 < Cyllene> Douglas: http://pastebin.ca/1654188 20:58 < Cyllene> Douglas: Any idea? 20:58 < Douglas> hm 20:59 < Douglas> unfortunately, i must bolt 20:59 < Cyllene> ok 20:59 < Douglas> the reason i had you pastebin them is so everyone else can see 20:59 < Douglas> i'm sure someone else will read, and see, and try to help 20:59 < Douglas> worst case, stick a post up 20:59 < Douglas> !forum 20:59 < vpnHelper> Douglas: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 20:59 < Douglas> :) 20:59 < Douglas> /gone 21:00 -!- Douglas [n=contact@ool-435033e6.dyn.optonline.net] has quit [] 21:00 -!- xp_prg [n=xp_prg3@99.23.56.166] has quit ["This computer has gone to sleep"] 21:41 -!- robert_ [n=hellspaw@objectx/robert] has quit ["Xorg upgrade, hooray!"] 21:52 -!- jeiworth [n=jeiworth@189.163.185.76] has quit [Read error: 110 (Connection timed out)] 22:15 -!- xod [n=onats@112.201.173.29] has joined ##openvpn 22:15 -!- xod is now known as onats 22:51 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"] 22:53 -!- xp_prg 
[n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn 22:54 -!- Amjad [n=zjb@87.109.147.235] has quit [Read error: 145 (Connection timed out)] 22:55 -!- Amjad [n=zjb@87.109.198.43] has joined ##openvpn 23:10 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:13 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 23:13 < robert_> moo. 23:14 < reiffert> moin 23:18 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 23:43 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue Nov 03 2009 00:21 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:21 < krzee> !route 00:21 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 00:27 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection] 00:39 -!- brizly [n=brizly_v@p4FC9833B.dip0.t-ipconnect.de] has quit ["Leaving."] 01:05 -!- dazo|afk is now known as dazo 01:09 -!- hyper_ch [n=hyper@12-52.3-85.cust.bluewin.ch] has joined ##openvpn 01:15 -!- WormFood [n=wormfood@58.61.134.79] has quit ["working on router"] 01:16 -!- disco- [i=disco@andromeda.h4xed.com] has quit [Read error: 60 (Operation timed out)] 01:17 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn 01:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 01:31 -!- Rolybrau [n=Rolybrau@242-133.3-85.cust.bluewin.ch] has joined ##openvpn 02:37 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:11 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:12 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 03:13 -!- nemysis_ is now known as misterbean 03:16 -!- 
sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 03:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 03:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 03:35 -!- Amjad [n=zjb@87.109.198.43] has quit [Read error: 110 (Connection timed out)] 03:35 -!- Amjad [n=zjb@87.109.164.148] has joined ##openvpn 04:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:33 -!- lobsang [n=lobsang@212.30.64.162] has joined ##openvpn 04:34 < lobsang> i need some quick help configuring reverse route from server network to client internal network 04:35 < hyper_ch> !howto 04:35 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 04:41 < lobsang> sorry to bother you but right now i don't have time to read the whole howto... I've read enough to configure everything but haven't noticed how to configure backward route.... routing from client to server network works fine 04:41 < lobsang> please help 05:03 < Bushmills> sorry, i don't have the time right now to retype the hoeto 05:03 < Bushmills> howto 05:03 < Bushmills> !route 05:03 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:03 < Bushmills> shorter 05:04 < Bushmills> use your third eye :) 05:29 -!- Arathorn [n=Arathorn@83.166.71.4] has joined ##openvpn 05:41 < Arathorn> hi all - how do I tell a openvpn server to push a route for the public /27 network that it's on to its roadwarrior clients... whilst excluding the server's IP itself from being routed?
05:41 < Arathorn> (otherwise my VPN traffic tries to flow over the VPN, which strangely enough doesn't seem to work :) 05:45 < krzee> !route 05:45 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 05:47 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 05:50 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 05:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:11 < reiffert> krzee: 06:11 < reiffert> !learn subnet as http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork 06:11 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 06:14 * Arathorn reads, not skims... 06:25 < Arathorn> krzee: i've read the tutorial, and I now understand (i think) what iroute does - i.e. lets the server route back to a given client using openvpn's in-app routing table rather than the kernel's one. 06:26 < Arathorn> i can't see how I can tell the client to route to the server by not going over the VPN, though 06:27 < Arathorn> i.e. i surely want a push "route-not-via-the-vpn 1.2.3.4 255.255.255.0", if my public network was 1.2.3/24, and the openvpn server was 1.2.3.4 06:28 < Arathorn> i guess one trick would be to push routes for 1.2.3.[0123] and .[567...] to the clients 06:28 < Arathorn> but that seems Wrong :( 06:53 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 06:53 -!- krphop_afk is now known as krphop 07:02 -!- hyper__ch [n=hyper@12-52.3-85.cust.bluewin.ch] has joined ##openvpn 07:02 -!- hyper_ch [n=hyper@12-52.3-85.cust.bluewin.ch] has quit [Nick collision from services.] 
07:02 -!- hyper__ch is now known as hyper_ch 07:45 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:06 < ecrist> !learn subnet as http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork 08:06 < vpnHelper> ecrist: Joo got it. 08:07 -!- stein0 is now known as stein0_T5 08:07 < ecrist> Arathorn: you can't exclude things in a routing table, and routes must always be next-hop 08:08 < Arathorn> ecrist: well, you can add a route with a higher priority/metric on the client to route a given range somewhere else, no? 08:09 < Arathorn> but i don't see any way for an openvpn server to tell a client to do that. 08:09 < Arathorn> as the server doesn't know what the default routing will be on the client, so can't override appropriately. 08:21 < ecrist> you can accomplish that with a client-side routing script and customized push options 08:23 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:24 < Arathorn> ecrist: by pushing the client-side routing script to the client? or having it there already? 08:24 < Arathorn> (unfortunately my clients are win32/osx/linux/godknowswhatelse) 08:33 < ecrist> perhaps a better design, then 08:37 < Arathorn> mm? 08:38 < Arathorn> what i'd really like to do is to push table-based routing to the client so that only packets to server:1194 are routed publically; everything else would go over the VPN 08:38 < Arathorn> but I can't see any cross-platform way of doing that at all. 
08:41 -!- arcsky_ [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 08:45 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 54 (Connection reset by peer)] 08:46 -!- arcsky_ [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Remote closed the connection] 08:46 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 08:47 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 08:47 < ecrist> reroute the default gateway 08:49 < Arathorn> i don't want all the clients' random 'net traffic going over the VPN, though.. 08:50 < ecrist> ok, simplify your setup, then. 08:51 < ecrist> OpenVPN doesn't do policy-based routing, which is essentially what you're asking for. Nothing I can do about that. 08:51 -!- Irssi: ##openvpn: Total of 86 nicks [0 ops, 0 halfops, 0 voices, 86 normal] 08:53 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 08:54 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 54 (Connection reset by peer)] 08:56 < ecrist> !iporder 08:56 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 08:57 < Cyllene> Hi. Let's say that I have a server which is connected to an IPv6 tunnel broker. 08:58 < Cyllene> Is it possible to use OpenVPN to share this IPv6 connection with other workstations? 08:58 < Cyllene> If so, what is the easiest way to accomplish this? 
08:59 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 09:00 -!- mrtn [n=pisi@isabel.offline.ee] has joined ##openvpn 09:00 < ecrist> Cyllene: yes, but OpenVPN doesn't, itself, directly support IPv6 at this time 09:00 < ecrist> you would need to use layer 2 tunnels (TAP) and assign IPs from there using rtadv or dhcp6 09:01 < mrtn> NOTE: unable to redirect default gateway -- Cannot read current default gateway from system 09:01 < mrtn> I get this on openwrt. 09:02 < mrtn> !interface 09:02 < vpnHelper> mrtn: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:02 < Cyllene> ecrist: I only want to do 1-2 computers. 09:02 < Cyllene> I would be content assigning IPs manually. 09:07 -!- explore_ [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn 09:08 -!- explore_ [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit [Client Quit] 09:13 < mrtn> no matter what my configuration is. I'm running rc19 09:13 < mrtn> http://paste.lisp.org/display/89729 09:14 < mrtn> I would be OK if I knew how to set up routing so that I could have a route to the other end of the PPP link, where my openvpn traffic has to go, and to make a route so that all traffic gets routed via openvpn, some of the magic described in the documentation (step3) 09:16 < mrtn> Even if I put local def1 in redirect-gateway. 09:21 < ecrist> Cyllene: then you still need TAP 09:26 < Cyllene> ecrist: That's fine. 
09:33 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:36 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Remote closed the connection] 09:36 < Arathorn> ecrist: i didn't realise that wanting to avoid your VPN traffic being routed over the VPN was such a complicated setup ;) 09:36 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 09:40 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)] 09:40 -!- deviantintegral [n=devianti@p233xjyyz.xDSL-1mm.sentex.ca] has joined ##openvpn 09:42 < deviantintegral> hi all. I'm trying to set up my bridged connection so the client has the same MAC address for every connection so I can assign it a static IP. The client is OS X, and I can change the MAC address with ifconfig in the up script, but that breaks the connection. Is there a way to set openvpn to set the MAC address as soon as it creates the tap device? 09:49 -!- dazo is now known as dazo|afk 10:02 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:06 -!- Argafal [i=argafal@users.tokkee.org] has quit [Read error: 60 (Operation timed out)] 10:06 -!- Argafal [i=argafal@users.tokkee.org] has joined ##openvpn 10:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:13 -!- hyper_ch [n=hyper@12-52.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:13 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["leaving"] 10:15 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 10:21 -!- SHoopA [n=shoop@75-32-195-237.lightspeed.ftwotx.sbcglobal.net] has joined ##openvpn 10:23 -!- jeiworth [n=jeiworth@189.177.133.17] has joined ##openvpn 10:25 -!- connectionVPN [n=hello_wo@fr-d1.connectionvpn.com] has joined ##openvpn 10:26 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 10:31 < Cyllene> ecrist: So, after establishing a tunnel and assigning the tap interfaces with v6 IPs, how do you make the VPN traffic go over the ipv6 
tunnel on the openvpn server? 10:33 < Bushmills> !redirect 10:33 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 10:33 < Bushmills> !def1 10:33 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 10:33 < Bushmills> mrtn: ^^^^^^^^^^^^^^ 10:35 < Bushmills> workaround for similar problem recently was to add default route to loopback device when there wasn't one. even though that shouldn't be necessary with def1 10:35 < Cyllene> A ha 10:35 < Cyllene> Very nice 10:36 -!- SHoopA [n=shoop@75-32-195-237.lightspeed.ftwotx.sbcglobal.net] has quit ["—I-n-v-i-s-i-o-n— 3.1.1 (June '09)"] 10:42 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Remote closed the connection] 10:43 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 10:46 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 10:50 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has joined ##openvpn 10:50 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has left ##openvpn [] 10:51 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has joined ##openvpn 10:52 < Cyllene> !ipforward 10:52 < vpnHelper> Cyllene: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 10:52 < Cyllene> !nat 10:52 < Cyllene> !fbsdipforward 10:52 < vpnHelper> Cyllene: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) 
http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 10:52 < vpnHelper> Cyllene: "fbsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 10:56 < Cyllene> !fbsdnat 10:56 < vpnHelper> Cyllene: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD 11:02 < jean001> !winnat 11:02 < vpnHelper> jean001: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS) 11:02 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has joined ##openvpn 11:03 -!- ecrist_mac [n=ecrist@mtka.claimlynx.com] has joined ##openvpn 11:03 < jean001> !winipforward 11:03 < vpnHelper> jean001: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 11:04 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:04 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn 11:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 11:06 < squarepeg> hello..i have 9 vpns running from a watchguard firebox to smoothwall 2 and three boxes..just one school the vpn craps out after a couple minutes unless i send a steady stream of pings to it..All are set up identically..my firebox claims "key has expired" renegotiation failed md5-hmac authentication 3des-cbc encryption..can anyone tell me where to go from here? 11:12 -!- Guest70354 [n=noname@222.123.75.48] has joined ##openvpn 11:18 -!- dmz [n=dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn 11:19 < dmz> howdy y'all, is there anything like the client-connect script for the actual client side? 
I need to reset ssh & a few other things when the vpn resets 11:36 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 11:36 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:36 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 11:47 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has quit [Remote closed the connection] 11:47 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has joined ##openvpn 11:52 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has quit [Remote closed the connection] 11:52 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has joined ##openvpn 11:54 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has quit [Remote closed the connection] 11:54 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has joined ##openvpn 12:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:13 -!- misterbean is now known as nemysis_ 12:13 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:24 -!- Guest24319 [n=redfox2@ns351996.ovh.net] has quit [Read error: 60 (Operation timed out)] 12:24 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn 12:24 -!- redfox is now known as Guest8910 12:31 -!- stein0_T5 is now known as stein0_T13 12:55 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"] 12:57 -!- scoopex [n=scoopex@256bit.org] has joined ##openvpn 13:00 < scoopex> hi, is there a proxy-dns feature in openvpn? due to the fact that resolving of nameservers in /etc/resolv.conf cannot be chained (if the first servers cannot resolve the hostname/ip resolving is stopped) it would be very nice to have something like dnsmasq here..... 
13:02 < ecrist_mac> not that I'm aware of 13:11 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 13:15 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Remote closed the connection] 13:24 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn 13:31 < scoopex> a small daemon (included in the openvpn client distribution) which acts like a dnsserver would be wonderful: this dnsserver is started on localhost, or the vpn ip. while starting it reads the original /etc/resolv.conf. incoming requests are routed by default to the old dns-servers - except the requests to systems located in the openvpn network (specified by an additional configuration)... 13:33 < ecrist> if it's so simple, you're welcome to write such a thing... 13:35 < scoopex> :-) 13:35 < scoopex> maybe :-) 13:36 -!- jean001 [n=chatzill@APoitiers-552-1-93-246.w92-149.abo.wanadoo.fr] has quit ["ChatZilla 0.9.85 [Firefox 3.0.13/2009073022]"] 14:02 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 14:08 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:27 -!- c64zottel [n=hans@62.12.220.165] has left ##openvpn [] 14:32 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Read error: 54 (Connection reset by peer)] 14:32 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn 14:38 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 14:39 < Hink> how do i check if a key is revoked 14:40 -!- squarepeg [n=cliebow@WatchGuard.ellsworth-hs.ellsworth.k12.me.us] has left ##openvpn ["Leaving"] 14:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:58 -!- connectionVPN_ [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 14:59 -!- connectionVPN [n=hello_wo@fr-d1.connectionvpn.com] has quit [Read error: 60 (Operation timed out)] 15:00 < 
ecrist_mac> there is a revocation list 15:00 < ecrist_mac> man openssl 15:01 -!- ecrist_mac [n=ecrist@mtka.claimlynx.com] has left ##openvpn [] 15:09 -!- jeiworth [n=jeiworth@189.177.133.17] has quit [Read error: 54 (Connection reset by peer)] 15:39 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 15:44 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.4/20091016092926]"] 15:52 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 15:54 < scoopex> where can i find the openvpn bugtracker....? 15:54 < robert_> Tue Nov 03 16:52:56 2009 There are no TAP-Win32 adapters on this system. You should be able to create a TAP-Win32 adapter by going to Start -> All Programs -> OpenVPN -> Add a new TAP-Win32 virtual ethernet adapter. 15:54 < robert_> :/ 16:02 < krzie> sounds pretty self-explanatory 16:03 < krzie> scoopex dunno, theres a dev mailing list tho, what bug do you feel you have found? 16:03 < krzie> since usually when people think they found a bug its either something openvpn shouldnt do or something they are doing wrong 16:07 < robert_> krzee, actually, there is a TAP device.. I've added and re-added and reinstalled openvpn. 16:08 < robert_> and so far nothing works. 16:08 < krzie> and im guessing renamed the tap device 16:08 < robert_> nope 16:08 < krzie> !factoids search win 16:08 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin' 16:08 < robert_> well, once I did. 
But the renamed one was deleted 16:11 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 16:12 < krzie> i love that i dont use windows 16:12 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Remote closed the connection] 16:12 < robert_> indeed :P 16:14 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 16:28 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 16:29 -!- jeiworth [n=jeiworth@189.177.28.40] has joined ##openvpn 16:32 < robert_> So, nothing? 16:49 < krzie> dunno i havnt used win in a long time, but ild say delete openvpn and the tap, reinstall both together, give that a try 16:49 < krzie> check the reg entries here: 16:49 < krzie> !wintaphide 16:49 < vpnHelper> krzie: "wintaphide" is (#1) in regedit find HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318} then Look through each sub-key for one with a DriverDesc = TAP-Win32Adapter V8 . Set Characteristics = 0x89, or (#2) To show again, set it to 0x81 16:49 < krzie> as well 16:53 < robert_> I've removed openvpn completely. 16:54 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 17:02 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 17:03 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 17:05 < robert_> yeah no, it doesn't work. 
17:08 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 17:08 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 17:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 17:11 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn [] 17:13 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 17:28 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn 17:49 -!- deviantintegral [n=devianti@p233xjyyz.xDSL-1mm.sentex.ca] has left ##openvpn [] 17:54 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [] 18:10 -!- Guest8910 is now known as redfox 18:10 -!- redfox is now known as Guest46223 18:11 -!- Guest46223 is now known as redfox 18:40 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 18:41 < krzie> post your config robert_ 18:41 < reiffert> !subnet 18:41 < vpnHelper> reiffert: "subnet" is http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork 18:41 < reiffert> hi n n8 18:42 < krzie> !google subnet cheatsheat 18:42 < DigitalFlux> Results for subnet cheatsheat on Google: 18:42 < vpnHelper> krzie: Subnet Mask Cheat Sheet: ; Subnet Cheat Sheet: ; CIDR SUBNET MASK CHEATSHEET & ICMP TYPE CODES: 18:42 < DigitalFlux> -- 18:42 < krzie> hrmmm 18:43 -!- Cyllene [n=cy@unaffiliated/cyllene] has left ##openvpn [] 18:44 < reiffert> !google all the porn 18:44 < DigitalFlux> Results for all the porn on Google: 18:44 < vpnHelper> reiffert: Free Galleries & YouPorn: ; Porn Site Reviews: ; Porn, Sex, Free Porn, Porno, XXX, Free Porn Videos, Fuck, Free ...: 18:44 < DigitalFlux> -- 18:44 < reiffert> !google 1 EUR in US $ 18:44 < DigitalFlux> Results for 1 EUR in US $ on Google: 18:44 < vpnHelper> reiffert: XE - The World's Favorite Currency and Foreign 
Exchange Site: ; Euro in United States Dollar - Google Finance: ; Exchange Rates Graph (Euro, American Dollar): 18:44 < DigitalFlux> -- 18:45 < reiffert> !google 3 + 5 18:45 < DigitalFlux> Results for 3 + 5 on Google: 18:45 < DigitalFlux> -- 18:45 < vpnHelper> reiffert: WHO | The 3 by 5 Initiative: ; WHO | About 3 by 5: ; Directionality (molecular biology) - Wikipedia, the free encyclopedia: 18:57 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 19:02 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 19:07 < oc80z> hey now 19:10 < krzie> sup 19:11 -!- hyper__ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has joined ##openvpn 19:11 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Nick collision from services.] 19:12 -!- hyper__ch is now known as hyper_ch 19:12 -!- connectionVPN_ [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has left ##openvpn ["Leaving"] 19:15 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 19:16 < theDoc> Anyone have any tips on cutting down on latency for gaming over openvpn? 19:17 < oc80z> is there a quick alternative for authenticating user/pass, rather than radius.. i know /etc/passwd entries work, but disabling their shell will disable vpn access 19:18 < theDoc> oc80z> Not true, give their shell as /sbin/nologin 19:18 < theDoc> works just fine. 19:18 < oc80z> hmm i think i was able to log in and get a sh$ 19:18 < theDoc> oc80z> If you can login with a shell of /sbin/nologin, you have bigger problems on hand 19:18 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 19:20 < oc80z> odd. it works 19:20 < oc80z> i could have sworn i did this and dev/null 19:21 < theDoc> oc80z> You must have missed something. 
:) 19:21 < oc80z> i know, well thats why we are here :) 19:21 < krzie> haha 19:22 < oc80z> thanks doc + 19:22 < theDoc> I need to find a guide which has a write up on optimizing ovpn for gaming 19:22 < theDoc> :\ 19:22 < theDoc> Like, srsly. 19:22 < krzie> just check mtu stuff, use udp 19:23 < krzie> its still lan gaming over inet, wont be the best quality... 19:23 < krzie> was made to be on 100mbit lans usually... 19:23 < theDoc> krzee> mtu is set to default and running udp 19:23 < oc80z> wait does this work.. 19:23 < krzie> theDoc 19:23 < krzie> !mtu-test 19:23 < vpnHelper> krzie: "mtu-test" is you can just use --mtu-test on the client to see what the best mtu for your connection is 19:24 < theDoc> krzie> Yeah, but I shouldn't see 4x increase in latency right right? :p 19:24 < theDoc> krzie> Wouldn't it be right to say that the server only accepts 1 mtu size? 19:24 < oc80z> heh, i think the dd-wrt-->ovpn is routing to it, tough to test 19:24 < oc80z> who-has 19:24 < oc80z> darn route already existed before this test. 19:24 < oc80z> ok, ill test @ work 19:24 < oc80z> thanks 19:25 < krzie> theDoc ild think so, dunno 19:26 < krzie> but you could change the settings on the client and it could help something if it was needed 19:26 < krzie> i havnt needed to adjust mtu before 19:26 < krzie> never had the scenario to do it 19:26 < krzie> even when i had it running over sat links 19:26 < theDoc> krzee> What kind of latencies over sat links? 19:26 < theDoc> 1,200ms? 19:28 < theDoc> I wonder if my latency can be caused by this crappy wifi point 19:28 -!- Amjad [n=zjb@87.109.164.148] has quit [Read error: 110 (Connection timed out)] 19:29 -!- Amjad [n=zjb@87.109.164.148] has joined ##openvpn 19:35 < krzie> even if i had #'s onhand they wouldnt be very valid due to crazy routing games 19:36 < theDoc> Oh yeah, true that. 
19:36 < theDoc> Latency is the bane of the internet 19:36 < theDoc> :| 19:42 < krzie> i was gunna say gaming is 19:43 < krzie> then i remembered i wouldnt be getting a 240core vid card if it wasnt for gaming 19:43 < theDoc> lol 20:13 -!- Guest70354 [n=noname@222.123.75.48] has quit [Read error: 110 (Connection timed out)] 20:15 -!- master_of_master [i=master_o@p549D62D5.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:19 -!- Amjad [n=zjb@87.109.164.148] has quit [Read error: 145 (Connection timed out)] 20:20 -!- master_of_master [i=master_o@p549D6238.dip.t-dialin.net] has joined ##openvpn 20:20 -!- Amjad [n=zjb@87.109.231.74] has joined ##openvpn 20:42 -!- jeiworth [n=jeiworth@189.177.28.40] has quit [Read error: 60 (Operation timed out)] 20:48 -!- noname [n=noname@117.47.211.113] has joined ##openvpn 20:48 -!- noname is now known as Guest43925 20:55 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:45 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 21:56 -!- hyper_ch [n=hyper@adsl-89-217-143-3.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 21:56 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has joined ##openvpn 22:30 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 22:42 -!- Guest43925 [n=noname@117.47.211.113] has quit [Read error: 110 (Connection timed out)] 23:03 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 23:07 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 23:10 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 23:12 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Client Quit] 23:12 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 23:12 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 23:13 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Client Quit] 23:13 -!- 
corretico_ [n=laguilar@201.201.46.106] has quit [Client Quit] 23:13 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 23:13 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 23:14 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Client Quit] 23:14 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Client Quit] 23:15 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 23:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 23:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 23:22 -!- corretico_ is now known as corretico__ 23:24 -!- corretico__ is now known as corretico_ 23:24 -!- corretico_ [n=laguilar@201.201.46.106] has quit ["Leaving"] 23:24 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 23:28 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 23:30 -!- corretico_ [n=laguilar@201.201.46.106] has quit ["Leaving"] 23:30 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 23:44 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: tessier, LittleJ, endre 23:44 -!- Netsplit over, joins: tessier, endre, LittleJ 23:58 -!- a|3x [n=alex@76.115.142.105] has quit [Read error: 110 (Connection timed out)] --- Day changed Wed Nov 04 2009 00:00 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 00:01 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)] 00:06 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 00:19 < robert_> krzee, sure. 
00:21 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has joined ##openvpn 00:24 < robert_> krzee, http://pastebin.ca/1656213 00:24 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn 00:27 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has quit [Remote closed the connection] 00:27 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 00:28 < krzee> dev-node tap0901 00:28 < krzee> try commenting that out 00:29 < robert_> tried it 00:29 < robert_> nothing happened 00:35 < krzee> !man 00:35 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 00:35 < krzee> thats for me, never seen ip-win32 netsh 00:46 < krzee> try setting dev-node correctly 00:48 < krzee> The --show-adapters option under Windows can also be used to enumerate all available TAP-Win32 adapters and will show both the network connections control panel name and the GUID for each TAP-Win32 adapter. 00:52 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has joined ##openvpn 01:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:04 -!- mr_mojo [n=mr_mojo@5ac3fa48.bb.sky.com] has joined ##openvpn 01:04 < mr_mojo> hi guys, does openvpn support rate limiting on a per session basis? 01:08 -!- dazo|afk is now known as dazo 01:08 -!- dazo [n=nndazo@nat/redhat/x-3073de1cfbe0ede4] has quit [Remote closed the connection] 01:09 -!- dazo [n=nnndazo@nat/redhat/x-ef12213eb26cd67d] has joined ##openvpn 01:13 < krzee> mr_mojo, see --shaper 01:13 < mr_mojo> ok thanks 01:17 < onats> hello 01:17 < onats> whats up? 
01:18 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 01:22 -!- hyper_ch [n=hyper@206-250.1-85.cust.bluewin.ch] has joined ##openvpn 02:15 < Amjad> krzee 02:16 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:46 -!- mr_mojo [n=mr_mojo@5ac3fa48.bb.sky.com] has quit [Read error: 60 (Operation timed out)] 02:47 -!- mr_mojo [n=mr_mojo@5ac3fa48.bb.sky.com] has joined ##openvpn 02:47 -!- lobsang [n=lobsang@212.30.64.162] has quit ["Java user signed off"] 02:54 < krzee> Amjad, 03:05 < Amjad> hi krzee 03:08 -!- mr_mojo [n=mr_mojo@5ac3fa48.bb.sky.com] has left ##openvpn ["Leaving"] 03:11 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:11 -!- reid96 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 03:13 -!- c64zottel [n=hans@62.12.220.165] has quit ["Leaving."] 03:19 < Amjad> krzee 03:20 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 03:24 -!- Amjad [n=zjb@87.109.231.74] has quit [Excess Flood] 03:24 -!- amjad [n=zjb@87.109.231.74] has joined ##openvpn 03:47 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 03:58 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: amjad, kala 03:58 -!- Netsplit over, joins: amjad, kala 04:00 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:02 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: amjad, kala 04:02 -!- Netsplit over, joins: amjad, kala 04:03 -!- amjad [n=zjb@87.109.231.74] has quit [Client Quit] 04:03 -!- amjad [n=zjb@87.109.231.74] has joined ##openvpn 04:03 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:04 -!- Netsplit over, joins: kala 04:05 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:06 -!- Netsplit over, joins: kala 04:09 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:09 -!- Netsplit over, joins: kala 04:10 
-!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:11 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 04:11 -!- Netsplit over, joins: kala 04:12 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:13 -!- Netsplit over, joins: kala 04:15 -!- amjad [n=zjb@87.109.231.74] has quit [Excess Flood] 04:15 -!- amjad [n=zjb@87.109.231.74] has joined ##openvpn 04:16 -!- Muli|CSGR [n=muligan1@209-193-88-45.mammothnetworks.com] has quit ["Leaving"] 04:16 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:16 -!- Netsplit over, joins: kala 04:18 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:18 -!- Netsplit over, joins: kala 04:21 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:22 -!- Netsplit over, joins: kala 04:23 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:24 -!- Netsplit over, joins: kala 04:25 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:25 -!- Netsplit over, joins: kala 04:27 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:27 -!- Netsplit over, joins: kala 04:29 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:29 -!- Netsplit over, joins: kala 04:30 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:31 -!- Netsplit over, joins: kala 04:32 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:33 -!- Netsplit over, joins: kala 04:36 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:37 -!- Netsplit over, joins: kala 04:40 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:41 -!- Netsplit over, joins: kala 04:41 < reiffert> wtf 04:44 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:44 -!- Netsplit over, joins: kala 04:46 < onats> hi reiffert, busy? 
04:48 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:48 -!- Netsplit over, joins: kala 04:49 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: kala 04:50 -!- Netsplit over, joins: kala 04:51 -!- Netsplit over, joins: kala 04:53 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:16 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)] 05:20 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 05:28 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn 05:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 05:39 < amjad> Any one can help me ?? 05:39 * amjad slaps krzee around a bit with a large trout 05:49 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has joined ##openvpn 05:58 < Bushmills> sorry, amjad, looks like folks are quite short in cash themselves. 06:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 06:41 < ecrist> amjad: I don't see where you've asked a question 06:45 < amjad> ok my dear .. I have success install openvpn 06:45 < amjad> ecrist 06:45 < amjad> but when I try install my Key in openvpn website admin ,,, I have this error message ... 06:45 < amjad> # 06:45 < amjad> Error: 06:45 < amjad> chain_add_license_key: 06:46 < reiffert> please use the official access server support. 06:46 < ecrist> amjad: we do not support Access Server in this channel. 06:46 < ecrist> you will need to contact OpenVPN Technologies for their official support 06:47 < amjad> where i can find ?? 06:47 < reiffert> http://openvpn.net 06:47 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.net) 06:47 -!- c64zottel [n=hans@62.12.220.165] has quit [Remote closed the connection] 06:48 < amjad> I have open ticket in support ... 
but no one has replied to my ticket ,, 06:48 < ecrist> we still do not support it 06:49 < amjad> umm ok thx dear 06:49 < ecrist> quit calling me dear 06:54 -!- scoopex [n=scoopex@256bit.org] has left ##openvpn [] 06:55 < reiffert> call him pussy instead. 06:55 < ecrist> you are what you eat... 06:56 < reiffert> I am YOGHURT! 06:56 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 06:58 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 06:58 < StefanWork> Hello 06:59 < StefanWork> We're experiencing some problems with openvpn in combination with subversion (small files) 07:00 < StefanWork> we're connecting with the openvpn server. Through that connection we can make a connection with the subversion server. From that point, we want to check out a repository or a part of a repository to a folder on the server with the openvpn connection (the same server) which is our fileserver. When we try to check those files out the connection goes very slow. It drops to around 50 bytes/s. Has anyone experienced the same problem? 07:01 < ecrist> StefanWork: are you using TCP as the transport? 07:01 < StefanWork> in OpenVPN? 07:01 < ecrist> yes 07:01 < StefanWork> I will ask the person who installed it 07:02 < teratoma> what operating system is the openvpn server running? can you see the server configuration file? 07:03 < StefanWork> Yes we have access to the file, and it's on a win2k3 machine 07:05 < StefanWork> Does the configuration key 'proto' mean the transport method? 07:05 < StefanWork> it's on UDP now 07:07 < ecrist> !mtu 07:07 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 07:09 < StefanWork> What are the mtu settings exactly? 07:11 < StefanWork> mtu is standard set on 1500 right? 07:12 < ecrist> MTU is the maximum transmission unit. having an incorrect setting can cause more packet fragmentation than necessary.
07:12 < StefanWork> Thnx 07:12 < StefanWork> :) 07:12 < StefanWork> within 3 minutes the test has run 07:13 < StefanWork> but I think the mtu is set on 1500 07:15 < StefanWork> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1589,1589] remote->local=[1589,1589] 07:15 < ecrist> so that looks good. 07:17 < StefanWork> it's only with multiple files on the server, if I choose one file to upload/download it goes with the max mbit connection of the client connection, which is good and logical 07:18 < ecrist> I don't know what to say 07:18 < StefanWork> we're clueless here too 07:21 < StefanWork> FYI: we're using the latest build of openvpn, which is 2.1rc20 - I don't know if it's any help to you 07:30 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."] 07:32 < StefanWork> do you require more information? 07:34 -!- Sky[x] [n=SkyB0x@88.200.89.54] has joined ##openvpn 07:35 < ecrist> no, I don't have a solution 07:36 < StefanWork> ok, thanks for trying to help us 07:36 < StefanWork> :-) 07:40 -!- Sky[x] [n=SkyB0x@88.200.89.54] has quit [Client Quit] 07:41 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:42 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 07:46 < StefanWork> is this something? WIN32 I/O: Socket Receive error [1590]: Invalid argument (WSAEINVAL) 07:50 -!- hyper_ch [n=hyper@206-250.1-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 07:51 < StefanWork> Thanks for your time, we're going for another solution which just means we're checking out the files on the local pc, which works fine for now.
07:51 < ecrist> ok 07:55 -!- epaphus [n=unix3@201.199.62.74] has quit [Connection timed out] 08:01 -!- stein0_T13 is now known as stein0_W4 08:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:13 -!- amjad [n=zjb@87.109.231.74] has quit [Read error: 110 (Connection timed out)] 08:17 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 08:49 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn 08:50 < Zathraz> !howto 08:50 < vpnHelper> Zathraz: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 09:06 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has joined ##openvpn 09:17 < krzee> weird 09:18 < krzee> that guy sat there saying my name for like 3.5 hours before finally asking a question 09:18 < krzee> i wonder if that's somehow been an effective method of finding help in the past 09:26 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:31 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 09:32 < mort_gib> How do I set a static IP address for a client? 09:35 < krzee> !static 09:35 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 09:48 < Bushmills> "zathraz like to talk to dirt. sometimes, there little insect in dirt. zathroz likes insects too. not for talking too, but good for diet" 09:49 < Zathraz> dinner is served 09:49 < Bushmills> same zathraz? 09:49 < Zathraz> no, my brother 09:53 < Zathraz> hmm. TLS handshake failed :-( 09:55 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:55 < Zathraz> I used the sample server and client config files from the HowTo on the main website. Only adjusted the server's IP-address.
Server is Linux, client is XP. Nothing in logs on the server so far. What is the best way to tackle this please? 09:55 < mort_gib> krzee: http://pastebin.com/d2076d6c5 09:56 < mort_gib> Do you have time to have a look?? 09:57 < Zathraz> Hmm. I lied: Wed Nov 4 16:08:02 2009 us=216616 PKCS#11: __pkcs11h_forkFixup return 09:57 < Zathraz> SIOCSIFADDR: Permission denied 09:57 < Zathraz> SIOCSIFFLAGS: Permission denied 09:57 < Zathraz> Wed Nov 4 16:08:02 2009 us=217108 Linux ip addr del failed: external program exited with error status: 255 09:58 < Zathraz> what can be causing this? Running Debian Lenny. I am root and started openvpn manually for test purposes 10:01 -!- c64zottel [n=hans@62.12.220.165] has quit [Read error: 104 (Connection reset by peer)] 10:03 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 10:05 < ecrist> !iroute 10:05 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 10:05 < Bushmills> you have support for tun device? 10:06 < Zathraz> yes 10:06 < ecrist> that iroute command was for me 10:07 < Zathraz> Wed Nov 04 17:05:26 2009 UDPv4 link local: [undef] 10:07 < Zathraz> Wed Nov 04 17:05:26 2009 UDPv4 link remote: 10:07 < Zathraz> then the correct IP. So that works.
However TLS handshake fails somehow 10:07 < Zathraz> when looking at the server I saw the above in logs 10:08 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 10:08 < ecrist> !route 10:08 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:14 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 10:16 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 10:23 < krzee> mort_gib, route 10.55.0.0 255.255.255.0 delete that 10:23 < krzee> check that the ccd entry is read in server log when client connects 10:24 < mort_gib> krzee: ccd entry is read, I had to add --script-security for that to work 10:25 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [Read error: 110 (Connection timed out)] 10:29 < krzee> so whats the problem 10:30 < mort_gib> krzee: ifconfig tun0 does not show an ip 10:30 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 10:31 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:38 < Zathraz> the TLS stuff is killing me :-( 10:38 < Zathraz> not much useful info in logs 10:39 < Zathraz> are these warnings or should I pay attention please? 10:39 < Zathraz> Wed Nov 04 17:38:35 2009 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
10:39 < Zathraz> Wed Nov 04 17:38:35 2009 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables 10:39 < Zathraz> config files are the example files 10:40 -!- mpaiva [n=mpaiva@66.241.131.121] has joined ##openvpn 10:41 < mpaiva> hi, I am looking for a description for the option "--keepalive n m", I checked the man page figure it out that if I specify for example (keepalive 10 120), the server will take 240 seconds to restart the connection 10:42 < mpaiva> and if I have another keepalive option on the client side it will be summed to the server keepalive, what will mean 360 seconds 10:45 < dazo> Zathraz: sounds like you're missing --ca or --tls-server .... or something simple like that 10:46 < dazo> Zathraz: and those NOTE: messages can sometimes be a little bit misleading .... f.ex. if you don't use any user defined scripts, that NOTE is useless 10:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:46 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 10:47 < mort_gib> krzee: if I ping the client from the server I can see the traffic, but if I try to ping the server from the client it's not working, so it looks like the route is nor created... 10:48 < Zathraz> I enabled ms-cert-type server however still no handshake 10:49 < Zathraz> what kind of error do you get when you mix up certs? 10:49 < dazo> Zathraz: ms-cert-type!? where did you drag option that up? .... can't see I see that one in the man page 10:49 < dazo> ns-cert-type ... maybe 10:49 -!- stimpie [n=michiel@84-104-5-142.cable.quicknet.nl] has joined ##openvpn 10:50 < stimpie> !howto 10:50 < vpnHelper> stimpie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:50 < dazo> ns-cert-type ... that needs some ns attributes in the certificate .... does your config work without that one? 10:50 < Zathraz> yes yes. 
Typo ;-) ns-cert-type 10:51 < Zathraz> I followed: http://openvpn.net/index.php/open-source/documentation/howto.html#config 10:51 < vpnHelper> Title: HOWTO (at openvpn.net) 10:51 < dazo> Zathraz: boosting log info to verb 4 often gives somewhat more useful info 10:53 < dazo> Zathraz: did you do this? # To use this feature, you will need to generate 10:53 < dazo> # your server certificates with the nsCertType 10:53 < dazo> # field set to "server". 10:55 < Zathraz> out of curiosity. TLS fails within 60 secs. Do I need to open another port for tls on the firewall? 10:55 < Zathraz> or is 1194 udp sufficient? 10:55 < dazo> Zathraz: 1194 is enough 10:56 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 10:56 < Zathraz> i moved verb up to 6. No extra info is supplied. Got the feeling it is a client issue 10:57 < dazo> mpaiva: afaik .... there is not any "summing up" ... the last keepalive setting should be the one which rules ... so if the server push comes after the local setting is set, it will be overwritten by the server 10:58 < dazo> mpaiva: for the server side ... ping-restart is fixed at 120 sec, afaik .... but the "ping" and "push ping-restart" values will be used from the keepalive arguments 10:59 < Zathraz> with verb 6 on the client I get plenty of : P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0 11:00 < mpaiva> dazo, on the server side I have the "keepalive 10 120" argument and on the client side I don't have this rule 11:00 < dazo> mpaiva: then it's easy .... server will use ping 10 .... and client will use ping 10 and ping-restart 120 11:00 < mpaiva> by default openvpn sets the --ping-restart to 120 11:00 < Zathraz> 2.1.rc20 on the client (XP) and version 2.1~rc11 on the Debian server. Can that be an issue? 11:01 < mpaiva> when the connection drops it takes 360 seconds to restart 11:01 < mpaiva> because of that I was considering that the time is summed 11:01 < dazo> Zathraz: rc11 is outdated .... that really can be a big issue ...
the stability between 2.0 and different RC releases before rc-15 is unpredictable 11:01 < dazo> mpaiva: I'll double check the code 11:02 < Zathraz> rc11 was supplied with Lenny Debian, the latest stable release 11:03 < mort_gib> I have a ccd folder with client options, on the server I can see that the files are matched, but I don't get the IP address on the server???? 11:04 < Zathraz> I think I will call it a day and try again with Debian-Lenny on both server and client and thus the same version. Hope that helps. Thanks folks 11:04 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has quit ["Leaving"] 11:06 < dazo> mpaiva: It's no big magic ... but I missed one thing .... for you with "keepalive 10 120", on the server: ping 10, ping-restart 2*120, push "ping 10", push "ping-restart 120" .... which means the client will use ping 10, ping-restart 120 (which are pushed from server) 11:06 < mpaiva> dazo, yes I got it :-) 11:07 < mpaiva> I was trying to figure out why the server was taking all that time 11:07 < mpaiva> dazo, thanks very much for your help 11:07 < dazo> mpaiva: you should not have any restarts after 240 seconds ... that's the timeout the server uses to consider when the connection is dead 11:08 < mpaiva> it would be good to update the man page for that, I think it could help other people 11:09 < mpaiva> I have been busy, but as soon as I have some time I will check the openvpn project page 11:09 < mpaiva> and help writing some documentation about that 11:11 < dazo> mpaiva: I have no access to that ... but I'll notify the developers about it 11:12 < mort_gib> Anyone have a minute to spare?? 11:12 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["Sssssssssss"] 11:12 < krzee> [12:47] krzee: if I ping the client from the server I can see the traffic, but if I try to ping the server from the client it's not working, so it looks like the route is not created... 11:13 < mort_gib> Yes...
I'm stuck :-( 11:13 < krzee> firewall on server 11:13 < mort_gib> Looks like the client options are sent by the server but not applied on the client! 11:13 < krzee> ya but you're wrong 11:13 < mort_gib> Yeah, I have a firewall on the server... 11:14 < krzee> ping replies require return routes 11:14 < mort_gib> Yes, but the route is not created on the client 11:15 -!- stimpie [n=michiel@84-104-5-142.cable.quicknet.nl] has left ##openvpn ["Ex-Chat"] 11:15 < krzee> what route isnt created on client? 11:15 < mort_gib> I get no ip address for tun0 (ifconfig tun0) 11:15 < krzee> !logs 11:15 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 11:15 < mort_gib> and route show has no entry with the tun0 range in it 11:17 < krzee> so how do you figure the server can ping the client? 11:17 < krzee> if the client doesnt have an ip to ping 11:18 < krzee> and is this mort from efnet i have friends in common with? 11:20 < mort_gib> http://pastebin.com/d3c3ea242 11:21 < mort_gib> Eh, no.... Not mort from efnet 11:21 < krzee> that meant nothing 11:21 < krzee> you gotta connect to the server 11:21 < krzee> and send client and server logs of it 11:21 < mort_gib> When I ping the client from the server I can see the traffic on the client's tun0 (tcpdump -i tun0) 11:21 < krzee> and update your openvpn 11:21 < krzee> you are on rc15 we're on rc20 11:22 < mort_gib> But not the other way around, and ping won't work on the client as the client is not picking up an IP 11:22 < mort_gib> Yeah, from ports for OpenBSD 11:22 < krzee> no shit it doesnt work 11:22 < krzee> if you dont have an ip 11:22 < mort_gib> Yeah :-) No shit it wont work!
11:22 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 11:23 < krzee> !download 11:23 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 11:23 < krzee> rc20 from source if your os doesnt stay current 11:23 < krzee> and logs of connection 11:23 < mort_gib> http://pastebin.com/d3c3ea242 11:24 < krzee> thats the same link 11:24 < krzee> [13:21] that meant nothing 11:24 < krzee> [13:21] you gotta connect to the server 11:24 < krzee> [13:21] and send client and server logs of it 11:25 < mort_gib> That is what the log shows 11:26 < krzee> so thats the client and the server? 11:26 < mort_gib> Yes 11:26 < krzee> NO 11:26 < krzee> thats a single log 11:26 < krzee> pay attention pls 11:26 < krzee> oh LOL 11:26 < krzee> i didnt see down there 11:26 < krzee> my bad 11:26 < mort_gib> Yes, I do pay attention 11:27 < mort_gib> I have verbose higher on the client 11:27 < krzee> set both to 6 pls 11:27 < mort_gib> Hang on... 11:28 -!- waldner [n=waldner@unaffiliated/waldner] has joined ##openvpn 11:29 -!- dazo is now known as dazo|afk 11:30 < mort_gib> http://pastebin.com/d7466d7fb 11:31 < mort_gib> Here you go, thanks for helping out btw! 11:34 < krzee> replace tls-client with client 11:34 < mort_gib> Ok....
11:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:35 < krzee> also, your ccd entry is not being read 11:36 < krzee> which means either filename of entry isnt EXACTLY as common-name of client or the dropped permissions cant read it 11:36 < krzee> nobody:nobody needs access to it 11:37 < mort_gib> Yeah, and dev tun has to be dev tun0 %£$^& 11:37 < krzee> only if you made it a static device 11:38 < krzee> dev tun should open a dynamic one 11:38 < krzee> then again i dont use obsd so cant speak on if that kernel supports it 11:38 < krzee> osx and fbsd do 11:39 < krzee> also you removed route 192.168.5.0 255.255.255.0 11:39 < krzee> correct? 11:39 < krzee> paste the new configs and logs after all the changes i asked for 11:39 < krzee> as well as: 11:39 < krzee> !interface 11:39 < vpnHelper> krzee: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 11:41 -!- DigitalFlux [n=DigitalF@98.142.211.26] has quit [Client Quit] 11:42 < mort_gib> configs here http://pastebin.com/d26bbbdde 11:43 < mort_gib> Sorry forgot ccd http://pastebin.com/d26a78492 11:43 < krzee> that changed a lot since your last paste 11:43 < krzee> remove this: 11:43 < krzee> ifconfig 10.55.0.1 10.55.0.5 11:43 < krzee> route 192.168.5.0 255.255.255.0 11:45 < mort_gib> push "route 192.168.5.0 255.255.255.0" ?? 11:45 < krzee> no 11:45 < mort_gib> or in ccd 11:45 < krzee> thats all handled by --server 11:45 < mort_gib> Sorry, got it! 11:46 < krzee> as explained in manual under --server 11:50 < mort_gib> Looks lots better now, routes show up 11:51 < krzee> pings?
11:52 < mort_gib> They are blocked on the firewall 11:52 < krzee> cool 11:52 < krzee> then yanno what to do 11:53 < mort_gib> I would like to turn off the firewall to test, but :-) Then I would lose connection... These two systems are some 150 Km apart 11:53 < krzee> accept it then 11:53 < mort_gib> I do know what to do, thanks my friend, if you ever come close to Gibraltar give me a shout 11:54 < epaphus> Is there such a thing as an unencrypted VPN ? 11:54 < krzee> yw 11:54 < krzee> epaphus, ovpn supports it 11:54 < mort_gib> epaphus: Yeah, that happens between politicians 11:55 < krzee> cipher none 11:55 < krzee> iirc 11:55 < krzee> or simply a ptp with no --secret 11:55 < krzee> as shown in examples in the manual 11:55 < epaphus> it would still use SSH keys for initial authentication ? 11:55 < krzee> epaphus, it could 11:55 < krzee> not ssh keys, but ya 11:56 < epaphus> What are the options for an openvpn server to authenticate me if I dont have a cert? 11:56 -!- clovisw1 [n=dvl@189.26.121.1] has joined ##openvpn 11:56 < krzee> pre-shared key 11:57 < krzee> passwords 11:57 < krzee> !factoids search cert 11:57 < vpnHelper> krzee: 'servercert', 'certs', and 'nocert' 11:57 < krzee> !nocert 11:57 < vpnHelper> krzee: "nocert" is (#1) to use login and pass (NO CERTS) for auth in server setup, you want --username-as-common-name --auth-user-pass-verify --client-cert-not-required, or (#2) to know more, read about those config options in the manual (!man) 11:57 < clovisw1> hi, is there a way to calculate how much processor and memory is necessary to support 140 active VPN sessions?
11:57 < krzee> clovisw1, not that i know of 12:01 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 12:01 < krzee> mort_gib, 12:01 < epaphus> krzee, thanks 12:01 < krzee> 1 more possible thing 12:01 < clovisw1> hum 12:02 < krzee> if you didnt add a route to default gateway of clients lan 12:02 < krzee> see the section in !route under the picture, routes to add outside openvpn 12:02 < krzee> !route 12:02 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 12:03 < epaphus> would an unencrypted VPN have an advantage over speed/reliability of the link? 12:04 < krzee> re-read the sentence pls 12:10 -!- gionnico [i=83af0c09@gateway/web/freenode/x-e26f7db5924c19eb] has joined ##openvpn 12:10 < gionnico> hello! 12:10 < gionnico> please can you help me improve my tunnel? 12:11 < gionnico> now it's only a [openvpn-client]-proxy-town--town-lan-[openvpn-server] 12:11 < gionnico> i need to go beyond lan-[openvpn-server]-FREE_INTERNET 12:12 < krzee> !redirect 12:12 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:13 < mort_gib> krzee: -Sorry, having great fun with pf 12:14 < krzee> =] 12:14 < mort_gib> Nah, it's fine, the "sysadmin" in the 192.2.1.0/24 has turned off the machine I was testing against !! 12:15 < mort_gib> I mean, REALLY who defines a private network as 192.2.1.0/24?? 12:16 < mort_gib> I can see the traffic from the remote network passing over the internal if on the VPN server 12:16 < mort_gib> I get NO reply from the server that was supposed to have a static route to the remote network 12:16 < mort_gib> Typical :-) 12:16 < mort_gib> Still you helped me a lot!
12:18 < gionnico> !def1 12:18 < vpnHelper> gionnico: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 12:21 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 12:22 < gionnico> krzee: so "redirect-gateway def1" in openvpn.conf (server-side) 12:22 < gionnico> !ipforward 12:22 < vpnHelper> gionnico: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 12:22 < gionnico> !lnipforward 12:22 < vpnHelper> gionnico: Error: "lnipforward" is not a valid command. 12:23 < gionnico> !linipforward 12:23 < vpnHelper> gionnico: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 12:23 < gionnico> !nat 12:23 < vpnHelper> gionnico: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 12:23 -!- teratoma [n=unknown@69.172.135.243] has quit [Remote closed the connection] 12:23 < gionnico> !linnat 12:23 < vpnHelper> gionnico: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:01 -!- amjad [n=zjb@87.109.150.144] has joined ##openvpn 13:05 -!- gorkhaan 
[n=gorkhaan@87.229.108.75] has joined ##openvpn 13:19 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:27 -!- gionnico [i=83af0c09@gateway/web/freenode/x-e26f7db5924c19eb] has quit ["Page closed"] 13:28 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 13:32 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer] 13:33 -!- clovisw1 [n=dvl@189.26.121.1] has left ##openvpn [] 13:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 13:51 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 54 (Connection reset by peer)] 14:05 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 14:06 -!- c64zottel [n=hans@62.12.220.165] has quit ["Leaving."] 14:08 -!- ShortWire [n=Miranda@ip4da7ce73.direct-adsl.nl] has joined ##openvpn 14:08 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 14:27 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:38 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has joined ##openvpn 14:38 < Draiden> Hello 14:39 < Draiden> I have a small and simple question 14:39 < Draiden> does anyone have experience with openvpn in a vmware environment/ 14:39 < Draiden> ? 14:39 < |Mike|> I've been using it in Xen domUs for years :) 14:39 < Draiden> ah, that's neat 14:39 < Draiden> I'm now installing it for the first time on a small vmware server 14:39 < |Mike|> but never used it in vmware imho 14:40 < Draiden> it works well, because I'm already getting a connection from my home PC 14:40 < Draiden> it probably won't be much different 14:40 < |Mike|> no indeed, same principle 14:40 < Draiden> my question is actually: how can I ping the server? I understand that the server will need to get its own internal ip address 14:40 < Draiden> do I then need to add a second virtual network adapter?
14:40 < |Mike|> !tunortap 14:40 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 14:41 < Draiden> hm. The only thing I actually want from the openvpn server is a connection from windows to the server so that the server is 'in' the network 14:41 < Draiden> as it were 14:41 < Draiden> what's the best thing to use for that? 14:41 < Draiden> a bit like a fileserver, then 14:41 < |Mike|> so no forwarding etc.? 14:41 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 14:42 < |Mike|> lets skip to english btw :) 14:42 < Draiden> hehe alrighty 14:42 < Draiden> what exactly do you mean by forwarding? 14:42 < |Mike|> i'm not a windows guru hehe 14:42 < Draiden> I don't think windows is the problem 14:43 < |Mike|> you would like to create a vm with windows which is the "server" and has to act as a fileserver, correct? 14:43 < Draiden> how many network adapters do you use? 14:43 < Draiden> nope 14:43 < Draiden> it's a ubuntu linux server 14:43 < Draiden> and a windows machine connects through it through the openvpn client 14:43 < Draiden> to it* 14:43 < |Mike|> openvpn creates a tun0 or tap0 device, but it depends on your configuration 14:44 < Draiden> so in my linux interface I have to define the tun0 or tap0 device? 14:44 < |Mike|> Yep 14:44 < Draiden> and give that the specified ip range 14:44 < |Mike|> yes. 14:44 < |Mike|> !howto 14:44 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto 14:44 < Draiden> like in most of the examples 10.0.8.1 14:44 < |Mike|> 10.0.0.0/8 yeah 14:45 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [No route to host] 14:45 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 14:47 < Draiden> hm isn't reachable 14:47 < |Mike|> could you paste me your config ? 14:48 < |Mike|> !config 14:48 < vpnHelper> |Mike|: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 15:03 -!- stein0_W4 is now known as stein0 15:07 -!- Throriakh [n=draiden@cp1095419-a.gelen1.lb.home.nl] has joined ##openvpn 15:07 -!- jeiworth [n=jeiworth@189.162.36.130] has joined ##openvpn 15:08 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)] 15:29 -!- jeiworth [n=jeiworth@189.162.36.130] has quit [Read error: 60 (Operation timed out)] 15:31 -!- dro [n=dro@69.153.177.2] has joined ##openvpn 15:31 < dro> hi guys, I have a bridged setup working on ubuntu 9.04 15:31 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has joined ##openvpn 15:31 < dro> however, I can only access the vpn server, nothing outside of it, so it's a routing issue, tried several commands in iptables, any links or suggestions? 15:32 -!- Throriakh [n=draiden@cp1095419-a.gelen1.lb.home.nl] has quit [Read error: 54 (Connection reset by peer)] 15:34 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has quit [Client Quit] 15:40 -!- dro [n=dro@69.153.177.2] has quit ["Leaving"] 15:56 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 16:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 16:12 -!- ShortWire [n=Miranda@ip4da7ce73.direct-adsl.nl] has quit ["Miranda IM! Smaller, Faster, Easier. 
http://miranda-im.org"] 16:35 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 16:37 -!- dazo|afk [n=nnndazo@nat/redhat/x-ef12213eb26cd67d] has quit [Read error: 110 (Connection timed out)] 16:43 -!- dazo|afk [n=nnnndazo@nat/redhat/x-f1eec416fa21d756] has joined ##openvpn 16:58 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn 17:01 -!- lifeforms [n=walter@clone.lfms.nl] has left ##openvpn [] 17:01 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit [Read error: 60 (Operation timed out)] 17:15 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [] 17:15 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 17:25 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: tessier, LittleJ, endre 17:25 -!- endre [i=me2@urbnet.hu] has joined ##openvpn 17:25 -!- tessier [n=treed@216.105.40.113] has joined ##openvpn 17:25 -!- Netsplit over, joins: LittleJ 17:35 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:37 -!- RyuKojiro [n=nkojiro@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has joined ##openvpn 17:38 < RyuKojiro> Can anyone help me with forming a tap interface via openvpn under NetBSD? 17:38 < RyuKojiro> It seems to have problems with --mktun 17:57 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 18:03 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has left ##openvpn ["Leaving"] 18:10 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 18:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:15 -!- amjad [n=zjb@87.109.150.144] has quit [Read error: 104 (Connection reset by peer)] 18:18 < reiffert> ah, dazo is David Som. 
18:19 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 18:35 -!- ubsafder [n=ubsafder@bdy93-10-88-185-29-167.fbx.proxad.net] has quit [Remote closed the connection] 18:37 < krzie> RyuKojiro first of all, why do you want tap instead of tun? 18:37 < reiffert> because tap rocks ass, it's a bigger challenge and tunneling layer 2 kicks ass 18:38 < reiffert> rockin n kickin, 'u know? 18:38 < krzie> lol 18:38 < krzie> like kickin rocks? 18:38 < reiffert> rocking kicks? 18:38 < reiffert> ricking kocks? 18:38 < krzie> english slang when you tell someone to kick rocks it means get the fuck outta here 18:38 < krzie> heheh 18:39 < krzie> kinda prison slang i guess 18:39 < reiffert> kicking rocks sounds like a long way home by foot and kicking rocks during that... 18:41 < krzie> right, thats prolly the idea behind the phrase 18:48 -!- c64zottel [n=hans@62.12.220.165] has left ##openvpn [] 19:09 -!- amjad [n=zjb@87.109.150.144] has joined ##openvpn 19:12 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 19:17 -!- amjad [n=zjb@87.109.150.144] has quit [Remote closed the connection] 19:17 -!- amjad [n=zjb@87.109.150.144] has joined ##openvpn 19:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 19:34 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 19:51 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit [Nick collision from services.] 
19:52 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 20:07 -!- Douglas [n=contact@ool-435033e6.dyn.optonline.net] has joined ##openvpn 20:07 < Douglas> http://www.buy.com/retail/product.asp?sku=201975277&listingid=39898703 20:07 < Douglas> hmm 20:07 < vpnHelper> Title: Xbox 360 Wireless Controller (White) - B4F-00001 - Buy.com (at www.buy.com) 20:09 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit [Read error: 60 (Operation timed out)] 20:15 -!- master_of_master [i=master_o@p549D6238.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:20 -!- master_of_master [i=master_o@p549D63EB.dip.t-dialin.net] has joined ##openvpn 20:45 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 20:46 -!- menace [n=knorr@unaffiliated/menace] has joined ##openvpn 20:47 -!- menace [n=knorr@unaffiliated/menace] has left ##openvpn [] 21:03 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 21:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 21:19 < krzie> im bored 21:19 < krzie> !forum 21:19 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 21:28 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: krzie, stein0, nemysis_, Lyndon, |Mike|, disco-, dazo|afk, corretico, JyZyXEL, krphop, (+42 more, use /NETSPLIT to show all of them) 21:29 -!- Netsplit over, joins: Douglas, krzee, drue, amjad, theDoc, tessier, endre, dazo|afk, waldner, corretico (+30 more) 21:29 -!- Netsplit over, joins: RyuKojiro, a|3x, Optic, onats, acidchild, fkr, fatou73, bytesaber, krphop, jreno_ (+2 more) 21:40 -!- amjad [n=zjb@87.109.150.144] has quit [Read error: 60 (Operation timed out)] 21:40 -!- amjad [n=zjb@87.109.215.244] has joined ##openvpn 21:40 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read 
error: 110 (Connection timed out)] 22:14 -!- YellowSnow1 [n=chatzill@ip72-207-221-65.br.br.cox.net] has joined ##openvpn 22:14 < YellowSnow1> Can anyone shed some light on windows 7 id'ing the connection as "Unidentified Network" 22:20 < krzie> heard of it happening, haven't heard of a solution as of yet 22:21 < YellowSnow1> Thanks 22:21 < krzie> but i think i just found something 22:21 < krzie> gimme a sec 22:24 < YellowSnow1> i researched.. didn't find anything.. found stuff to disable the firewall.. but still cant ping 22:25 < krzie> http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/5e9a21ae-a116-4584-a917-2a0c244e0de7 22:25 < vpnHelper> Title: How to make a private Unidentified Network identifiable and private? (at social.technet.microsoft.com) 22:25 < krzie> no solution still 22:25 < krzie> microsoft problem 22:26 < krzie> which they of course dont take responsibility for 22:26 < krzie> and wont until they roll out a fix 23:24 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has joined ##openvpn 23:34 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] --- Day changed Thu Nov 05 2009 00:25 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has quit [Remote closed the connection] 00:54 -!- the_wiz_kid_89 [n=talmiski@ip72-205-32-177.dc.dc.cox.net] has joined ##openvpn 00:55 < the_wiz_kid_89> whenever i run openvpn vpn.ite...... i get "openvpn: command not found" 00:55 < the_wiz_kid_89> yet i'm SURE i installed it 00:55 < the_wiz_kid_89> what's the deal? 
00:55 -!- the_wiz_kid_89 [n=talmiski@ip72-205-32-177.dc.dc.cox.net] has quit [Client Quit] 01:07 -!- YellowSnow1 [n=chatzill@ip72-207-221-65.br.br.cox.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.4/20091016092926]"] 01:26 -!- hyper_ch [n=hyper@19-180.78-83.cust.bluewin.ch] has joined ##openvpn 01:54 -!- dazo|afk is now known as dazo 01:54 -!- dazo [n=nnnndazo@nat/redhat/x-f1eec416fa21d756] has quit [Remote closed the connection] 01:54 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: amjad 01:55 -!- dazo [n=nnnnndaz@nat/redhat/x-1aee8e3927559d1b] has joined ##openvpn 01:55 -!- dazo [n=nnnnndaz@nat/redhat/x-1aee8e3927559d1b] has quit [Remote closed the connection] 01:55 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:55 -!- Netsplit over, joins: amjad 01:59 -!- dazo [n=nnnnnnda@nat/redhat/x-498d620b41f1d85f] has joined ##openvpn 01:59 -!- dazo is now known as Guest18895 02:02 -!- Guest18895 is now known as dazo 02:03 -!- dazo is now known as Guest15840 02:07 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Client Quit] 02:10 -!- Guest15840 is now known as dazo 02:16 -!- Douglas [n=contact@ool-435033e6.dyn.optonline.net] has quit [] 02:16 -!- reid96 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)] 02:39 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 03:05 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:06 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 03:06 -!- gorkhaan_ [n=gorkhaan@87.229.108.75] has joined ##openvpn 03:06 -!- gorkhaan_ [n=gorkhaan@87.229.108.75] has quit [Read error: 104 (Connection reset by peer)] 03:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 03:27 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 03:35 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 03:45 -!- a|3x 
[n=alex@c-76-115-142-105.hsd1.or.comcast.net] has quit [Read error: 113 (No route to host)] --- Log closed Thu Nov 05 03:50:32 2009 --- Log opened Thu Nov 05 04:17:24 2009 04:17 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 04:17 -!- Irssi: ##openvpn: Total of 78 nicks [0 ops, 0 halfops, 0 voices, 78 normal] 04:17 -!- Irssi: Join to ##openvpn was synced in 23 secs 04:24 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 04:36 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has joined ##openvpn 04:36 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:40 -!- xp_prg [n=xp_prg3@c-98-234-50-128.hsd1.ca.comcast.net] has quit [Client Quit] 04:45 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 04:49 -!- chiwawa_42 [n=jerome@lib59-7-88-185-53-29.fbx.proxad.net] has joined ##openvpn 04:51 < chiwawa_42> Hi ! I'm using OpenVPN to establish tunnels from a cluster of secondary servers to a master one. At every network glitch, the PtP tunnel addresses change. How to make the addresses persistent ? May I fix it in client's config file ? Or shall I rather use different certificates for every client and associate IP addresses to certificates ? How to do the latter ? 04:59 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 05:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 05:16 -!- krphop_ [n=krphop@38.108.177.113] has joined ##openvpn 05:17 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 05:23 -!- Anodl [n=Arnold@p54A7A982.dip0.t-ipconnect.de] has joined ##openvpn 05:25 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: 113 (No route to host)] 05:25 < StefanWork> !howto 05:25 < vpnHelper> StefanWork: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 05:41 -!- YaManicKill [n=ali@130.159.141.69] has joined ##openvpn 05:41 < YaManicKill> !howto 05:41 < vpnHelper> YaManicKill: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 05:42 -!- techtronic [n=liam@host86-177-243-200.range86-177.btcentralplus.com] has joined ##openvpn 05:43 < techtronic> hi folks, wondering if we can get some help, trying to setup OPENVPN on a VPS, having problems connecting, syslog gives us the following error Options error: You must define TUN/TAP device 05:43 < techtronic> any1 able to help? 05:45 < ecrist> !configs 05:45 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:49 < chiwawa_42> techtronic: the most probable issue is that you have no support for tun/tap devices in your VPS kernel, or no access to /dev to create the nodes 05:50 < ecrist> techtronic: my message above was meant for you 05:50 < ecrist> chiwawa_42: this is for you 05:50 < ecrist> !static 05:50 < vpnHelper> ecrist: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 05:50 < chiwawa_42> ecrist: thanks :) 05:50 < techtronic> ecrist: thanks, i dont understand tho 05:51 < techtronic> chiwawa_42: we have full root access, how can we fix this 05:51 < ecrist> techtronic: I need to see your config files 05:51 < chiwawa_42> techtronic: being full root on a VPS rarely allows you to rebuild the kernel. 
So at first, you must ensure the tun/tap driver is available by looking at the kernel config 05:52 < chiwawa_42> zcat /proc/config.gz | grep -i tun 05:52 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 05:53 < YaManicKill> chiwawa_42: i'm with techtronic - do you just want the server config file? 05:54 < techtronic> YaManicKill: its ecrist 05:54 < YaManicKill> sorry... ecrist i meant 05:54 < YaManicKill> we have solved the tun/tap device, but still can't connect to the vpn 05:54 < chiwawa_42> YaManicKill: maybe ecrist would be a better choice, I have problems of my own to solve too ;) 05:54 < ecrist> configs and logs to begin 05:54 < ecrist> !logs 05:54 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 05:54 < techtronic> chiwawa_42: thanks for your help! 05:54 < ecrist> !configs 05:54 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 05:54 < ecrist> we can work from there 05:55 < ecrist> server and client 05:55 < YaManicKill> server config - http://pastebin.com/m156293ab 05:55 < YaManicKill> client config...i'm using network manager with the openvpn plugin, so i dunno where the config file is for that 05:55 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 05:56 < ecrist> morning krzie 05:56 < techtronic> ecrist: http://pastebin.com/m33236eca - log file 05:57 < ecrist> ack, you kept the sample config 05:58 < YaManicKill> ecrist: yes. 
i dont feel comfortable enough to make one from scratch 05:58 < techtronic> ok can you advise what it should be, we can im you IP addresses of server etc 05:58 < YaManicKill> we tried that, and the server wouldn't even work 05:59 < ecrist> did you guys create a CA and server/client certificates? 05:59 < YaManicKill> ecrist: yep 05:59 < ecrist> I'm guessing no, this is in your logs: 05:59 < ecrist> Cannot open file key file 'static.key': No such file or directory (errno=2) 05:59 < YaManicKill> i created the certs and they are in /etc/openvpn/ 05:59 < ecrist> try editing the server config and use the full path to the key files 05:59 < YaManicKill> ok 06:05 < YaManicKill> done but no diff 06:06 < ecrist> what are the permissions on the file? the user starting openvpn needs to have read access to the file 06:06 < ecrist> post your new logs, as well, please 06:09 < YaManicKill> ecrist: on which file? the config? or the certs? 06:09 < ecrist> the certificates and key 06:10 < ecrist> the logs are specifically complaining about the server's private key 06:10 < YaManicKill> ok...some of them aren't readable...2 secs 06:12 < YaManicKill> hmmm its the same error that my computer is constantly giving...and the server doesnt seem to see me trying to access it. i wonder whether my router is stopping me getting through or something 06:13 < ecrist> post your logs, please 06:14 < StefanWork> I have a small question. I'm using the dev tun system with openvpn. I can connect but I can't ping the server. Has anyone got a similar problem? I'm using linux as a server and the client is behind a router with the Windows XP OS 06:14 < ecrist> StefanWork: check your firewall 06:14 < YaManicKill> 2 secs ecrist 06:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 06:15 < StefanWork> from the client? 
06:15 < StefanWork> @ ecrist 06:15 < ecrist> on both 06:15 < StefanWork> the server currently hasn't got a firewall (the server is turned off right now) so that data is flowing freely. 06:16 < StefanWork> Where can I find a guide to setup the router settings for openvpn on the client side? 06:16 < ecrist> I'm not sure what 'router settings' you're referring to. 06:16 < YaManicKill> http://pastebin.com/d3bdc327f 06:17 < YaManicKill> edited config file - http://pastebin.com/d4822f089 06:18 < StefanWork> ecrist: port forwards for example on the howto they're talking about the windows firewall but I can't find anything on a router 06:18 < ecrist> which is the server, windows or linux? 06:18 < ecrist> YaManicKill: the server log looks good. how about the client log? 06:18 < StefanWork> ecrist: linux is the server windows is the client 06:20 < YaManicKill> ecrist: i'm getting this error over and over again - Nov 5 12:12:06 Zeus NetworkManager: wait_for_connection_expired(): Connection (2) /org/freedesktop/NetworkManagerSettings/1 failed to activate (timeout): (0) Connection was not provided by any settings service 06:21 < ecrist> StefanWork: unless you're trying to route *all* internet traffic across the VPN from the client LAN, there's really nothing left to do 06:21 < ecrist> !ubuntu 06:21 < vpnHelper> ecrist: "ubuntu" is dont use network manager! 06:21 < ecrist> YaManicKill: ^^^^ that's for you 06:21 < YaManicKill> heh...ok 06:21 < YaManicKill> what should i use instead then? 06:22 < ecrist> the command line 06:22 < YaManicKill> w00t 06:22 < ecrist> network manager sucks 06:22 < ecrist> in every way 06:22 < YaManicKill> ecrist: well...debatable 06:22 < ecrist> afk for about 20 minutes 06:22 < StefanWork> ecrist: Thanks for your time :) 06:24 < YaManicKill> !howto 06:24 < vpnHelper> YaManicKill: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 06:35 < YaManicKill> ok...i think i've connected to it 06:35 < YaManicKill> but not sure 06:39 -!- c64zottel [n=hans@62.12.220.165] has joined ##openvpn 06:41 < YaManicKill> hmmm i dont think it worked...cause my ip is different from the server 06:41 < ecrist> back 06:41 < ecrist> 19 minutes, w00t 06:42 < ecrist> YaManicKill: logs, again 06:43 < YaManicKill> ooo its a tls error 06:43 < YaManicKill> right...i'll disable that just for a few mins to see if it works without it firstly 06:47 < YaManicKill> ecrist: Nov 5 12:47:38 vm3797 ovpn-server[5796]: Authenticate/Decrypt packet error: packet HMAC authentication failed 06:47 < YaManicKill> Nov 5 12:47:38 vm3797 ovpn-server[5796]: TLS Error: incoming packet authentication failed from 81.103.36.49:39397 06:47 < YaManicKill> thats the error i'm getting from the server 06:48 < YaManicKill> no errors on client 06:48 < YaManicKill> but i def have the same ta.key file 06:49 < ecrist> are you trying to use static keys, or client/server certificates? 06:49 < YaManicKill> client server certs 06:49 < YaManicKill> i think... 06:49 < YaManicKill> lol 06:49 < YaManicKill> i'm pretty new to the vpn scene 06:50 < ecrist> try removing the tls-auth line from your config 06:51 < YaManicKill> from both config? i tried. but it just complains 06:51 < YaManicKill> 2 secs i'll do it and then get you the error 06:51 < ecrist> from both 06:52 < YaManicKill> ooo wait i didnt restart the openvpn server...ha 06:53 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 06:53 < YaManicKill> ok. i've got past that error...now for another 1 06:53 < YaManicKill> 2 secs and i'll pastebin it 06:53 < YaManicKill> http://pastebin.com/d5cbc95b9 06:54 < chantra> YaManicKill: you dont have credentials 06:54 < YaManicKill> chantra: what you mean 06:54 < chantra> Note: Cannot open TUN/TAP dev /dev/net/tun: Permission denied (errno=13) 06:55 < chantra> r u running this as root? 
06:55 < YaManicKill> oooo does it need to be root on clientside 06:55 < YaManicKill> obviously... 06:55 < YaManicKill> duh 06:55 < ecrist> yes, on both sides. 06:55 < chantra> YaManicKill: you can use network-manager 06:56 < chantra> openvpn plugin 06:56 < ecrist> no, network manager is broken 06:56 < chantra> :s 06:56 < chantra> it used to work for me, a while back 06:56 < YaManicKill> ok. i think i'm connected...but my ip is still showing as what it was 06:56 < chiwawa_42> is it possible to push iproute2 commands (or even shell) from ccd config files ? 06:56 < ecrist> YaManicKill: you're going to have a new IP on tun0 06:57 < ecrist> chiwawa_42: not directly. you can push routes, but not 'commands' 06:57 < chantra> YaManicKill: sudo openvpn yourconfig.ovpn 06:57 < YaManicKill> chantra: yeah, i did that. 06:57 < chiwawa_42> ecrist: may I specify route's target table ? 06:57 < YaManicKill> well... .conf not .ovpn 06:57 < chantra> then, what is the output of ip addr 06:58 < ecrist> chiwawa_42: no 06:58 < chantra> YaManicKill: whatever . ;) 06:58 < YaManicKill> :P 06:58 < YaManicKill> wait...so am i running on the vpn now? 
06:58 -!- chiwawa_42 [n=jerome@lib59-7-88-185-53-29.fbx.proxad.net] has left ##openvpn ["Leaving"] 06:58 < chantra> pastebin output of: 06:58 < chantra> ip route 06:58 < chantra> ip addr 06:58 -!- chiwawa_42 [n=jerome@lib59-7-88-185-53-29.fbx.proxad.net] has joined ##openvpn 06:58 < ecrist> YaManicKill: pastebin 'ifconfig' output 06:58 < chiwawa_42> oops 06:58 < chiwawa_42> ok, so I have to write client-side scripts 06:58 < chiwawa_42> thanks :) 06:59 < YaManicKill> http://pastebin.com/d33ae9c6a 06:59 < ecrist> no problem, chiwawa_42 06:59 < ecrist> you're connected to the vpn, YaManicKill 06:59 < chantra> YaManicKill: u have the interface tun0 now with IP 10.8.0.6 06:59 < YaManicKill> w00t 06:59 < YaManicKill> techtronic: its working 06:59 < ecrist> you should be able to ping 10.8.0.1 06:59 < YaManicKill> i am on the vpn 06:59 < YaManicKill> heh 06:59 < chantra> but, it does not mean you are using it :) 07:00 < YaManicKill> yeah, am pinging it 07:00 < YaManicKill> ok...so am on the vpn...how do i use it? :P 07:00 < chantra> YaManicKill: it depends on your route table 07:00 < ecrist> what is the reason for setting up a VPN? 07:01 < YaManicKill> ecrist: so i can get a cheap vps for my website :P 07:01 < YaManicKill> techtronic wants a vpn...i want a webserver...we split the cost 07:01 < ecrist> ah 07:01 < chantra> ok, but VPN to access what? the internet, a LAN? 07:01 < YaManicKill> chantra: the internet 07:01 < chantra> so far, you have a secured communication link between your client and your server 07:02 < YaManicKill> he is a security expert and is obsessed with security. he thinks someone on his network might be reading stuff 07:02 < YaManicKill> chantra: ok, and do i just route things through tun0 if i want them to go through the vpn? 
07:02 < chantra> ok, so it meant that you need to route all the traffic through your VPN link 07:03 < chantra> and it also means that your webserver needs to be able to forward traffic 07:03 < ecrist> yes, 07:03 * YaManicKill goes to look at the howto 07:03 < chantra> basically, you want to do NATting on tun0 07:03 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 07:03 < ecrist> !route 07:03 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:03 < ecrist> YaManicKill: that may help 07:04 < chantra> :) 07:04 < YaManicKill> ecrist: cheers, will have a look 07:05 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:05 < YaManicKill> thanks guys for all your help 07:05 * YaManicKill gives everyone a cookie + 100 interpoints 07:06 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 07:09 < YaManicKill> 1 more q...does the windows gui for openvpn automatically route everything through the vpn? 07:09 < ecrist> no 07:09 < ecrist> !default-gateway 07:09 < vpnHelper> ecrist: Error: "default-gateway" is not a valid command. 07:09 < YaManicKill> ok 07:09 < ecrist> !def1 07:09 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 07:09 < ecrist> it's a bit more involved to setup (need to setup NAT, as well) 07:11 < YaManicKill> ok 07:11 < YaManicKill> well...thats techtronic's job anyways :P not mine 07:22 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 07:22 -!- amjad [n=zjb@87.109.215.244] has quit [Read error: 110 (Connection timed out)] 07:22 -!- amjad [n=zjb@87.109.172.103] has joined ##openvpn 07:22 < vlt> Hello. Is OpenVPN affected by the Authentication Gap in TLS Renegotiation (http://www.ietf.org/mail-archive/web/tls/current/msg03928.html)? 07:22 < vpnHelper> Title: [TLS] MITM attack on delayed TLS-client auth through renegotiation (at www.ietf.org) 07:29 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:31 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 07:31 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 07:45 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 07:51 < ecrist> vlt: I'm not certain. It's something you may want to bring up on the developer's mailing list 07:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:53 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 07:57 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 07:59 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 08:01 -!- chiwawa_42 [n=jerome@lib59-7-88-185-53-29.fbx.proxad.net] has quit [Nick collision from services.] 08:11 -!- wimpog [n=wimpog@75.150.76.189] has joined ##openvpn 08:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:12 < wimpog> How are IP conflicts resolved? 
Suppose I connect from a network that has a server on 192.168.0.10 address to a network that also has a server on 192.168.0.10 address. When I try to connect, which server will I connect to - the one on my network, or the one on the other network I'm connected via VPN? 08:15 < wimpog> come on, answer my question, please 08:17 -!- blak [n=chatzill@adtk220.neoplus.adsl.tpnet.pl] has joined ##openvpn 08:18 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:27 -!- wimpog_ [n=wimpog@75.150.76.189] has joined ##openvpn 08:27 -!- wimpog_ [n=wimpog@75.150.76.189] has quit [Client Quit] 08:28 -!- Arathorn [n=Arathorn@83.166.71.4] has quit [Read error: 111 (Connection refused)] 08:29 < ecrist> !ipordeer 08:29 < vpnHelper> ecrist: Error: "ipordeer" is not a valid command. 08:29 < ecrist> !iporder 08:29 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 08:29 < ecrist> wimpog ^^^ 08:36 -!- Arathorn [n=Arathorn@puma-easynet.mxtelecom.com] has joined ##openvpn 08:44 -!- wimpog [n=wimpog@75.150.76.189] has quit [Read error: 110 (Connection timed out)] 08:49 -!- Arathorn [n=Arathorn@puma-easynet.mxtelecom.com] has quit ["Leaving"] 09:05 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Nick collision from services.] 
09:05 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 09:09 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has quit ["Leaving."] 09:09 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:24 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 09:31 -!- YaManicKill is now known as YaManicKill|away 09:35 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["restarting irssi, brb"] 09:37 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 09:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 09:53 -!- blak [n=chatzill@adtk220.neoplus.adsl.tpnet.pl] has quit [Read error: 110 (Connection timed out)] 10:04 -!- c64zottel [n=hans@62.12.220.165] has quit [Read error: 60 (Operation timed out)] 10:04 -!- c64zotte1 [n=hans@62-12-236-090.pool.cyberlink.ch] has joined ##openvpn 10:04 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [] 10:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:38 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn 10:40 < Zathraz> Hi. I *think* I might have a more or less working openvpn connection. however the test is on a LAN. When I issue a ping I get: ping: sendmsg: Operation not permitted 10:46 -!- hyper_ch [n=hyper@19-180.78-83.cust.bluewin.ch] has quit [Remote closed the connection] 10:58 -!- dazo is now known as dazo|afk 10:58 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."] 10:59 < Zathraz> also: when I test the connection over the internet there is no connection possible although portforwarding is enabled on the router in front of the openvpn server. There seems to be no route back to the client 11:00 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 11:07 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:22 < vlt> Zathraz: You have to tell us more about your setup: tun/tap? external ping working? ...? 
11:25 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Read error: 60 (Operation timed out)] 11:26 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn 11:31 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 11:31 < Zathraz> vlt: tun, works fine now with firewall down so it seems 11:32 < Zathraz> however when I test over the internet it fails 11:32 < Zathraz> seems that portforwarding on the router is insufficient 11:32 < Zathraz> exact same setup, only different IP 11:34 < Zathraz> using a Fritzbox 7170 11:35 < Zathraz> opened port 1194 UDP 11:36 < Zathraz> connection now is (I *think*) : PC -> serverZ -> fritzbox -> internet? -> fritzbox -> serverZ -> serverG (openvpnserver) 11:36 -!- techtronic [n=liam@host86-177-243-200.range86-177.btcentralplus.com] has quit [Read error: 60 (Operation timed out)] 11:36 < Zathraz> serverZ is connected to the fritzbox, but portforwarding on the fritzbox is set to serverG 11:37 < Zathraz> default gw on the LAN is serverZ 11:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 11:44 < Zathraz> will try it from a remote location. 
thanks 11:44 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has quit ["Leaving"] 11:49 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 11:50 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has joined ##openvpn 11:54 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:03 -!- xp_prg [n=xp_prg3@99.2.31.217] has joined ##openvpn 12:04 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 12:09 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 12:11 -!- amjad [n=zjb@87.109.172.103] has quit [Read error: 110 (Connection timed out)] 12:11 -!- amjad [n=zjb@87.109.167.193] has joined ##openvpn 12:15 -!- Anodl [n=Arnold@p54A7A982.dip0.t-ipconnect.de] has quit ["Leaving."] 12:24 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 12:33 -!- hyper__ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has joined ##openvpn 12:34 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has quit [Nick collision from services.] 12:34 -!- hyper__ch is now known as hyper_ch 12:34 -!- Optic [n=ndfraser@miso.capybara.org] has left ##openvpn ["Leaving"] 12:35 -!- noname [n=noname@222.123.78.226] has joined ##openvpn 12:36 -!- noname is now known as Guest36000 12:44 -!- c64zotte1 [n=hans@62-12-236-090.pool.cyberlink.ch] has quit [Remote closed the connection] 12:54 -!- r_01 [n=r_001@92.99.75.155] has joined ##openvpn 12:55 < r_01> Hello, 12:56 < r_01> skype is blocked in my country I used openVPN with alonweb to access it, but alonweb don't open youtube, does anyone know any free service such as Alonweb to open youtube ? 
13:03 -!- r_01 [n=r_001@92.99.75.155] has quit [Remote closed the connection]
13:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:18 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
13:26 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has joined ##openvpn
13:31 -!- c64zottel [n=hans@62-12-236-090.pool.cyberlink.ch] has joined ##openvpn
13:34 -!- Mark21 [n=mark@unaffiliated/mark21] has joined ##openvpn
13:35 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out]
13:35 < Mark21> Hello, I have the following error when I try to start openvpn. How can I solve this? error: http://yourpaste.net/3636/
13:36 < Mark21> If you need extra information; feel free to ask (almost anything is possible)
13:43 < |Mike|> WARNING: file 'static.key' is group or others accessible
13:43 < |Mike|> Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
13:43 < |Mike|> you can make that device manually Mark21
13:44 < Draiden> Hello could someone help me with a small question. I'm installing openVPN on an Ubuntu 9.10 machine. I can connect but I can't ping the server
13:44 < Draiden> i'm using tun as the device, transport is udp
13:44 < Draiden> no firewall is set up yet
13:45 -!- gionnico [i=83af0c56@gateway/web/freenode/x-04c9cb89ce4b0a4c] has joined ##openvpn
13:46 < gionnico> hello
13:46 < |Mike|> can you ping your client from the server?
13:46 < |Mike|> oi.
13:46 < gionnico> please help me
13:46 < Mark21> |Mike|: you mean by creating a file at that location?
13:46 < Draiden> |Mike|: Let's test that
13:47 < Draiden> |Mike|: Nope, doesn't seem to work either
13:47 < |Mike|> Mark21: device != file
13:48 < |Mike|> Mark21: man makedev
13:48 < |Mike|> mark21 from wht btw?
13:48 < |Mike|> Draiden: are you sure that you're not running a firewall?
13:49 < Mark21> |Mike|: at wht.nl it is mark17 (and in #webhostingtalk on another server I am mark21)
13:49 -!- gionnico [i=83af0c56@gateway/web/freenode/x-04c9cb89ce4b0a4c] has quit [Ping timeout: 180 seconds]
13:49 < |Mike|> ransbeer :)
13:50 < Draiden> |Mike|: It's a clean install with, if I'm correct, only vpn and webmin installed
13:50 < Draiden> but if I have a firewall how can I check that?
13:50 -!- gionnico [i=83af0c56@gateway/web/freenode/x-ee3710991c4b8cb3] has joined ##openvpn
13:50 < gionnico> hello
13:50 < gionnico> please help me
13:50 < gionnico> i have openvpnclient-proxy-town--town-lan-openvpn server
13:50 < gionnico> i need to go further: openvpn server-FREE INTERNET
13:50 < |Mike|> gionnico: it would help if you state your question *lol*
13:51 < |Mike|> Draiden: euh, i'm not an iptables guy, but ubuntu doesn't install a firewall by default
13:51 < reiffert> Draiden: ask the guy who is administrating that computer/network.
13:51 < |Mike|> reiffert: that's Draiden :P
13:53 -!- gionnico [i=83af0c56@gateway/web/freenode/x-ee3710991c4b8cb3] has quit [Ping timeout: 180 seconds]
13:54 < Draiden> |Mike|: Is it possible you would need a second network device (ie: eth1) or is the tunnel that is being created enough?
13:55 < |Mike|> you need a tun0 or tap0
13:56 < |Mike|> port 1194
13:56 < |Mike|> proto udp
13:56 < |Mike|> dev tun
13:56 < |Mike|> local x.x.x.x
13:56 -!- gionnico [i=83af0c56@gateway/web/freenode/x-05243432bda1165b] has joined ##openvpn
13:56 < gionnico> hello
13:56 < gionnico> |Mike|: ?
13:56 < gionnico> sorry
13:57 < gionnico> did you hear "linux"
13:57 < gionnico> well i couldn't read your answer if you answered me
13:57 < |Mike|> 2009/11/05 20:45:28 < gionnico> i need to go further: openvpn server-FREE INTERNET
13:57 < Draiden> local is the IP that you can connect to from the outside right?
13:57 < Draiden> @ |Mike|
13:59 < |Mike|> or the inside, depends on what you configure
14:00 -!- gionnico [i=83af0c56@gateway/web/freenode/x-05243432bda1165b] has quit [Ping timeout: 180 seconds]
14:00 < Draiden> |Mike| I have currently set up my subnet like this 10.8.0.0 255.255.255.0 is this correct?
14:00 < |Mike|> if you use local 10.7.0.0 it will listen on 10.7.0.0 and if you configure it as 213.213.213.0 it will listen on 213.213.213.0 :)
14:00 < |Mike|> Yep
14:01 < Mark21> |Mike|: when I try to create a tun device with makedev I don't get an error, but it still doesn't work :S
14:02 < Draiden> |Mike| But what can it mean when you can connect to your vpn server but when you ping from either side it doesn't respond? I have added the port number to my router on the client side
14:02 < |Mike|> Mark21: with MAKEDEV -n tap (or tun..)
14:02 < |Mike|> can you ssh to your ubuntu machine over your vpn Draiden ?
14:03 < Draiden> |Mike|: with its internal address 10.8.0.1 for example?
14:04 < |Mike|> try, it could be .2 as well
14:05 < Draiden> |Mike|: write to TUN/TAP: The data area passed to a system call is too small.
14:05 < Draiden> this message is being spawned every second on the status of the openvpn client
14:05 < Draiden> |Mike| plus: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
14:05 < Draiden> Thu Nov 05 21:04:07 2009 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
14:06 < Draiden> |Mike| Could that be the issue?
14:06 -!- gionnico [i=83af0c56@gateway/web/freenode/x-1904a399bf4b03f7] has joined ##openvpn
14:06 < |Mike|> try at least to read what you paste !
14:06 < gionnico> |Mike|: ?
14:06 < gionnico> |Mike|: ... sorry?
14:06 < gionnico> |Mike|: sorry my ethernet cable
14:06 < |Mike|> gionnico: i was talking to Draiden
14:06 < gionnico> ah
14:06 < gionnico> |Mike|: well seems it's working now
14:07 < gionnico> but maybe too soon to tell
14:07 < |Mike|> what did you just try gionnico ?
14:08 < Mark21> |Mike|: currently still having some stupid issues with it, because after doing what you mentioned it isn't located at /dev/net/tun but somewhere else (/etc/openvpn/net/tun) and somehow I can't create it in /dev/net/tun :S
14:08 < gionnico> so this is my client configuration: http://pastebin.com/d3652f03c
14:08 < Mark21> and openvpn looks for it there (or could I change that location?)
14:09 < Draiden> Seems to be working now :)
14:10 < |Mike|> Mark21: cd /dev/net && MAKEDEV -n tap ?
14:10 < gionnico> |Mike|: and this http://pastebin.com/dbe89f30 server config
14:10 < Draiden> |Mike| Thanks for your time :)
14:10 < Draiden> the comp-lzo was the problem
14:10 < |Mike|> Draiden: fixed?
14:10 < gionnico> |Mike|: pretty standard
14:11 < Draiden> |Mike| yep. only one warning left but that isn't causing direct problems so I will look that up later on :)
14:11 < gionnico> |Mike|: what to let client go into the wild internet
14:11 < gionnico> through the server's internet access?
14:11 < gionnico> server is behind a lan remember....
14:11 < |Mike|> let me seek
14:11 < gionnico> and there are 2 different private ip address classes. like 192.168.0.1 real and 192.168.1.1 virtual
14:12 < |Mike|> hmz, aren't they clashing with each other *yet* ?
14:13 < gionnico> |Mike|: no clashing
14:13 < gionnico> i can only access the server using its virtual ip
14:13 < gionnico> i can't access the whole lan
14:13 < gionnico> (would be good, too..)
14:14 < |Mike|> what routes are you pushing ?
14:14 < gionnico> |Mike|: "pushing"?
14:14 < gionnico> |Mike|: you can see the config
14:14 < gionnico> there's no iptables configured if that's what you mean
14:14 < gionnico> i don't know anything else
14:16 < |Mike|> what does your network look like ?
14:16 < |Mike|> it's like grabbin water without a glass for me :P
14:17 < gionnico> i have an openvpn client
14:17 < gionnico> alone
14:17 < gionnico> behind a proxy
14:17 < gionnico> then there is the backbone -> myhometown -> LAN -> openvpn-server
14:19 < gionnico> |Mike|: some network info: http://pastebin.com/d5947c133
14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:21 < |Mike|> you could start to push 3 to 4 routes already :-)
14:22 < gionnico> |Mike|: who does that?
14:22 < gionnico> OS? scripts? openvpn?
14:23 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
14:23 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
14:25 < |Mike|> openvpn
14:25 < |Mike|> !route
14:25 < vpnHelper> |Mike|: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:26 < |Mike|> !iroute
14:26 < vpnHelper> |Mike|: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
14:26 < |Mike|> !ccd
14:26 < vpnHelper> |Mike|: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:26 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
14:30 -!- gionnico [i=83af0c56@gateway/web/freenode/x-1904a399bf4b03f7] has quit [Ping timeout: 180 seconds]
14:31 -!- gionnico [i=83af0c56@gateway/web/freenode/x-d312ec7372eea194] has joined ##openvpn
14:31 < gionnico> >ping
14:34 < gionnico> do you copy?
14:35 < reiffert> copy
14:35 < Draiden> Good evening all
14:35 < reiffert> pasted
14:35 -!- Draiden [n=draiden@cp1095419-a.gelen1.lb.home.nl] has quit []
14:36 -!- wikiii [n=var@vps-1005590-1468.united-hoster.de] has quit [Remote closed the connection]
14:38 < gionnico> |Mike|: i dont have more clients
14:38 < gionnico> do i still need client-to-client in server's config?
14:38 < |Mike|> nope
14:38 < |Mike|> since you don't have more than 1 client :P
14:43 < gionnico> |Mike|: so i just added push "route virtualnet subnet"
14:43 < gionnico> to server
14:43 < |Mike|> ehm, it's not that easy
14:44 < gionnico> |Mike|: i'm washed up
14:44 < gionnico> f***
14:52 < gionnico> i need to find a connection outside this proxy to use ssh to fix openvpn.conf server-side
14:53 < gionnico> but what else should i set?
14:55 < gionnico> push "route server_real_lan submask" also or not?
14:55 < krzie> do i still need client-to-client in server's config?
14:55 < krzie> <|Mike|> nope
14:55 < krzie> <|Mike|> since you don't have more than 1 client :P
14:55 < krzie> !c2c
14:55 < vpnHelper> krzie: Error: "c2c" is not a valid command.
14:56 < krzie> !factoids search client
14:56 < vpnHelper> krzie: 'someclient2client' and 'client-to-client'
14:56 < krzie> !client-to-client
14:56 < vpnHelper> krzie: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
14:56 < |Mike|> hey master krzie :)
14:56 < krzie> hrm, thats bs
14:56 < krzie> its actually not like that
14:57 < robert_> hai krzee :P
14:57 < krzie> with client-to-client the client's traffic hits the firewall when headed to another destination which flows over vpn
14:57 < krzie> err i mean without
14:57 < krzie> then with it the traffic flows through without hitting the firewall on server, basically gets routed internally in the server process
14:58 < |Mike|> [mike@phantom ~]$ %blow
14:58 < |Mike|> -bash: fg: %blow: no such job
14:58 * |Mike| laughs
14:58 < krzie> heh
14:59 -!- Zathraz [n=Zzzz@5354873B.cable.casema.nl] has joined ##openvpn
14:59 < Zathraz> !route
14:59 < vpnHelper> Zathraz: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:59 < |Mike|> invasion of the dutch this week?
14:59 < Zathraz> !redirect
14:59 < vpnHelper> Zathraz: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
14:59 < Zathraz> lol
15:01 < Zathraz> OpenVPN works from LAN PC to server on LAN. However when I openVPN through a Fritzbox router traffic does not get back from the server although the correct UDP port is set to forward on the router
15:01 < Zathraz> any suggestions please
15:02 < |Mike|> Fr!tzbox++
15:03 < Zathraz> When I google for this I get plenty of hits of people implementing OpenVPN on/inside their Fritzbox. But this is about a server behind a fritzbox
15:05 < krzie> wtf is a fritzbox
15:06 < Zathraz> http://www.avm.de/en/Produkte/FRITZBox/FRITZ_Box_Fon_WLAN/
15:06 < vpnHelper> Title: AVM - FRITZ!Box Fon WLAN (at www.avm.de)
15:07 < Zathraz> a german toy
15:08 < krzie> so you're trying to secure wifi with ovpn?
15:08 < Mark21> < |Mike|> invasion of the dutch this week? << yes, let's take over IRC ;)
15:08 < |Mike|> h4x teh pl4n3t5!
15:08 < Zathraz> no. It is just a router. It has wifi too, but I do not use that
15:09 < Zathraz> I just want to connect 2 LANs
15:09 < krzie> !route
15:09 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:10 < Zathraz> yes, I know. But for now I cannot even get to the server. The rest of the lan is next
15:10 -!- ajbelayer1 [n=ajmobile@129.82.4.219] has joined ##openvpn
15:11 < Zathraz> current setup is: PC with Linux -> router -> internet -> fritzbox -> serverZ --> serverG
15:11 < Zathraz> working setup is: PC -> serverZ -> serverG
15:11 < ajbelayer1> !route
15:11 < vpnHelper> ajbelayer1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:15 -!- glguy [n=eric@pdx.galois.com] has joined ##openvpn
15:16 < glguy> Is the way OpenVPN uses TLS vulnerable to the renegotiation vulnerability that has been described in various places today?
15:17 < glguy> (slashdot for one)
15:18 < Mark21> glguy: test it and you know it
15:19 < glguy> Is that "I don't know" or "I'm not telling"?
15:20 < Mark21> I don't know (tbh)
15:20 < glguy> OK, thanks :)
15:22 < ajbelayer1> I am having an issue routing traffic from an Ovpn client machine to a machine located behind the server. I can ping it but I cannot access any ports, can anyone help?
15:22 < Mark21> ajbelayer1: did you check your firewall (or even disable it temporarily)?
15:23 -!- KippiX [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has joined ##openvpn
15:24 < ajbelayer1> I tried disabling it on both ends, I am not 100% sure about what entries I need, but since I can ping and access the machine from the local network I would think they are right
15:24 < ajbelayer1> do you have any links to good information on configuring IPTables for use with Ovpn in this manner?
15:25 < Mark21> ajbelayer1: what do you see when you do: iptables-save
15:26 < Bushmills> ajbelayer1: for iptables, a tun interface is just like any other interface. nothing special there.
15:27 < ajbelayer1> http://pastebin.com/d120af1be
15:28 < ajbelayer1> sorry it's kinda ugly
15:29 < Mark21> could you do the following? iptables-save > [some new file]
15:29 < Mark21> iptables -F
15:29 < Mark21> try it again (and say if it works)
15:30 < Mark21> after that feel free to restore the firewall rules with: iptables-restore < [some new file]
15:30 < Bushmills> have you seen the -m multiport --dport ... in iptables doc?
15:32 < Bushmills> what is the purpose of adding "ACCEPT" rules when the policy is "ACCEPT" anyway?
15:33 < reiffert> shortcutting the following drop/deny rules.
15:33 < ajbelayer1> Mark21: after the flush Ovpn works, means it is an iptables issue (I thought since I could ping that wasn't an issue) I take it this is likely a better question for an IPtables channel. Sorry I am still a beginner with iptables and routing
15:34 < reiffert> erm, working around them...
15:34 < Bushmills> reiffert: policy applies only when no matching rule was found, i.e. at the end
15:37 < Mark21> ajbelayer1: I did give you a restore option, but it is nice for finding the issue to flush iptables (after creating a backup)
15:39 < ajbelayer1> Mark21: yup I restored and I am looking up what rule I need to allow the bridge of the 2 networks in iptables. I must have missed something
15:42 < Zathraz> anyone any idea about my setup/issue please? Do I need to add some routing at the gatewayserver or on the router somehow? I thought that the 10,8,0.x stuff was encapsulated?
15:45 < robert_> 10,8,0?
15:45 < robert_> you mean 10.8.0.*?
15:46 < Zathraz> yes
15:47 -!- glguy [n=eric@pdx.galois.com] has quit [Read error: 145 (Connection timed out)]
15:48 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:00 -!- gionnico [i=83af0c56@gateway/web/freenode/x-d312ec7372eea194] has left ##openvpn []
16:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
16:02 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:06 -!- ajbelayer1 [n=ajmobile@129.82.4.219] has quit [Read error: 145 (Connection timed out)]
16:06 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
16:08 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:10 < Zathraz> !forum
16:10 < vpnHelper> Zathraz: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
16:23 < krzie> Do I need to add some routing at
16:23 < krzie> the gatewayserver or on the router somehow? I thought that the 10,8,0.x stuff
16:23 < krzie> was encapsulated?
16:23 < krzie> did you read: !route
16:23 < krzie> because yes you do under some situations, and its explained on my writeup
16:23 < krzie> !route
16:23 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:26 -!- KippiX [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has left ##openvpn []
16:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
16:32 < Zathraz> krzee, I see some resemblance with my setup but not entirely. Might be the flu which is kicking in. Apologies for that
16:33 < roentgen> Hi guys
16:33 < Zathraz> my openvpnserver has internal IP 172.19.0.75 (and tun 10.8.0.1) the gateway has 172.19.0.72 and the router is 192.168.178.1
16:35 < roentgen> My VPN server 10.8.0.1 is also connected to a cisco vpn. Now I need some (not all) of my vpn clients 10.8.0.x to see the lan behind the cisco vpn
16:35 < roentgen> Please share some directions
16:35 < Zathraz> but my client doesn't even get an IP as there is a TLS timeout due to a routing issue
16:37 -!- amjad [n=zjb@87.109.167.193] has quit [Read error: 110 (Connection timed out)]
16:40 < Zathraz> krzie, do I need a NAT rule on the gw server? forwarding port 1194 although 1194 is already forwarded on the router?
16:41 < Zathraz> the same GW is in the setup that works
16:49 < reiffert> roentgen: read about !route
17:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
17:29 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:05 < Argafal> 3
18:09 -!- glguy [n=eric@pdx.galois.com] has joined ##openvpn
18:55 -!- jean001 [n=chatzill@ADijon-156-1-20-254.w90-39.abo.wanadoo.fr] has joined ##openvpn
18:57 -!- jean001 [n=chatzill@ADijon-156-1-20-254.w90-39.abo.wanadoo.fr] has quit [Client Quit]
18:59 -!- Optic [n=ndfraser@miso.capybara.org] has joined ##openvpn
19:03 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:04 -!- Zathraz [n=Zzzz@5354873B.cable.casema.nl] has quit ["Ex-Chat"]
19:08 -!- glguy [n=eric@pdx.galois.com] has quit ["Leaving"]
19:23 -!- amjad [n=zjb@87.109.144.130] has joined ##openvpn
19:50 -!- Dougy [n=douglas@64.18.144.2] has joined ##openvpn
19:51 < Dougy> holla
20:00 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has left ##openvpn ["Leaving"]
20:16 -!- master_of_master [i=master_o@p549D63EB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:20 -!- master_of_master [i=master_o@p549D7207.dip.t-dialin.net] has joined ##openvpn
20:30 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 54 (Connection reset by peer)]
20:31 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
20:33 -!- theblue [n=lllll@unaffiliated/theblue] has joined ##openvpn
20:44 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:47 -!- amjad [n=zjb@87.109.144.130] has quit [Read error: 145 (Connection timed out)]
20:47 -!- amjad [n=zjb@87.109.214.243] has joined ##openvpn
20:48 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
20:49 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
23:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
23:18 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:50 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 131 (Connection reset by peer)]
23:56 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
23:56 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
23:58 -!- bamdad [n=bamdadd@78.129.214.40] has joined ##openvpn
23:59 < bamdad> hi
23:59 < bamdad> i'm from Iran , here we have internet censorship
23:59 < bamdad> i want to make a vpn server to bypass this censorship
--- Day changed Fri Nov 06 2009
00:00 < bamdad> the default ports of vpns here are censored and are not accessible
00:00 < bamdad> can i make a VPN server with OpenVPN without the default port of vpn ?
00:00 < bamdad> i think the default port is 1723
00:01 < bamdad> should i use l2tp instead of openVPN?
00:03 < bamdad> can anybody help me?
00:04 < bamdad> irc ports are censored here too, i came here hardly
00:05 < bamdad> ok then , thanks for nothing
00:05 < bamdad> bye
00:05 -!- bamdad [n=bamdadd@78.129.214.40] has left ##openvpn []
00:05 < endre> sure
00:05 < endre> fag
00:10 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
00:14 -!- c64zottel [n=hans@62-12-236-090.pool.cyberlink.ch] has left ##openvpn []
00:15 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 131 (Connection reset by peer)]
00:23 < theDoc> lol, iran? work on getting electricity, thanks!
00:24 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has quit [Remote closed the connection]
00:25 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:29 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
01:01 -!- kala [i=kala@uba.linux.ee] has quit [Remote closed the connection]
01:14 -!- hyper_ch [n=hyper@207-190.78-83.cust.bluewin.ch] has joined ##openvpn
01:19 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
01:36 < krzee> hah
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:13 -!- theblue [n=lllll@unaffiliated/theblue] has quit [Read error: 113 (No route to host)]
02:22 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
02:30 -!- tessier [n=treed@kernel-panic/sex-machines] has left ##openvpn []
02:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
02:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
03:12 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
03:13 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
03:33 -!- kyrix [n=ashley@188-23-74-124.adsl.highway.telekom.at] has joined ##openvpn
03:45 -!- Guest36000 [n=noname@222.123.78.226] has quit [Read error: 110 (Connection timed out)]
03:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:45 < scyld> Strange problem here. Windows users have strange problems accessing resources in my VPN. All of them (users) had some windows update installed. It is possible that this fucked up something. Can anyone help? Any info about such behavior in the last 2 days?
04:47 < scyld> Is the problem possibly with ARP? Windows Vista client (I have a VNC session established) can log in to the VPN server, to his ftp account, but cannot go any step further, for instance it cannot see a web page on another VPN client...
04:47 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
04:49 < scyld> Sniffing packets on the server's VPN interface shows that the client only asks for the arp mac address for another client's IP address, gets a reply but then asks again and then nothing happens.
04:50 < scyld> Just 2 times arp request, 2 responses and nothing else, client A should try to connect to client B after getting its mac address, right?
04:51 < scyld> And on client A (Windows Vista) the arp table contains that mac address...
04:51 < scyld> Anyone?
04:52 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:45 -!- hyper_ch [n=hyper@207-190.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
05:53 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn
06:11 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded]
06:12 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
06:26 -!- amjad [n=zjb@87.109.214.243] has quit [Read error: 110 (Connection timed out)]
06:26 -!- amjad [n=zjb@87.109.200.101] has joined ##openvpn
06:36 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has joined ##openvpn
06:44 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
06:47 -!- dazo|afk is now known as dazo
06:47 -!- c64zottel [n=hans@62-12-236-090.pool.cyberlink.ch] has joined ##openvpn
06:47 -!- dazo [n=nnnnnnda@nat/redhat/x-498d620b41f1d85f] has quit [Remote closed the connection]
06:48 -!- dazo [n=nnnnnnnd@nat/redhat/x-9c44e9254e62ae0d] has joined ##openvpn
08:00 -!- amjad [n=zjb@87.109.200.101] has quit [Read error: 60 (Operation timed out)]
08:01 -!- amjad [n=zjb@87.109.189.205] has joined ##openvpn
08:19 -!- ycy [i=michele@gateway/shell/blinkenshell.org/x-liikgpoxurzwkbvt] has quit ["Lost terminal"]
08:23 -!- mpaiva [n=mpaiva@66.241.131.121] has quit [Remote closed the connection]
08:40 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has quit [Connection timed out]
08:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
08:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:40 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has joined ##openvpn
08:41 -!- buntfalke_ is now known as buntfalke
08:44 -!- IRC-Monitor-878 [n=irc-moni@69.169.172.100.provo.static.broadweavenetworks.net] has joined ##openvpn
08:45 -!- IRC-Monitor-878 [n=irc-moni@69.169.172.100.provo.static.broadweavenetworks.net] has quit [Client Quit]
08:54 -!- amjad is now known as Amjad
08:57 -!- kyrix [n=ashley@188-23-74-124.adsl.highway.telekom.at] has quit [No route to host]
09:07 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:10 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:17 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
09:20 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 104 (Connection reset by peer)]
09:21 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
09:21 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)]
09:23 -!- dro [n=dro@69.153.177.2] has joined ##openvpn
09:24 < dro> I setup openvpn on ubuntu in bridged mode, but now after connecting to openvpn from the client, I can't ping anything in the network besides the ubuntu openvpn server
09:30 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
09:42 -!- dro [n=dro@69.153.177.2] has quit ["Leaving"]
09:43 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:45 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
09:46 -!- Lobsang [n=lobsang@212.30.64.162] has joined ##openvpn
09:48 < Lobsang> why would: pushing a file from client over vpn to samba server share utilize full bandwidth, and: pulling a file from client samba share to server use only about 20-30%
09:49 < Lobsang> some weird firewall IDS issue?
09:52 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit []
10:04 -!- c64zotte1 [n=hans@62.12.218.248] has joined ##openvpn
10:08 -!- Netsplit over, joins: kala, reiffert, APTX|
10:08 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: tarbo2
10:08 -!- Netsplit over, joins: tarbo2
10:08 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: Snadder
10:08 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: Igor_AKA_Warrior, oc80z
10:09 -!- Netsplit over, joins: Igor_AKA_Warrior
10:09 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: zamba, dazo
10:09 -!- Netsplit over, joins: oc80z
10:09 -!- Netsplit over, joins: zamba
10:09 -!- c64zottel [n=hans@62-12-236-090.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)]
10:09 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Client Quit]
10:09 -!- Netsplit over, joins: Snadder
10:09 -!- dazo [n=nnnnnnnn@nat/redhat/x-1888f5440d183515] has joined ##openvpn
10:09 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
10:10 -!- dazo is now known as Guest26859
10:13 -!- Guest26859 is now known as dazo
10:13 -!- dazo is now known as Guest69028
10:17 -!- Guest69028 is now known as dazo
10:18 -!- dazo is now known as Guest68773
10:20 < Dougy> wat
10:21 -!- Amjad [n=zjb@87.109.189.205] has quit [Read error: 104 (Connection reset by peer)]
10:21 -!- Amjed [n=zjb@c-93-182-143-73.cust.relakks.com] has joined ##openvpn
10:22 < Dougy> Statistics
10:22 < Dougy> Total posts 247 | Total topics 80 | Total members 1000 | Our newest member SAWenomsnen
10:22 < Dougy> wow
10:22 < Dougy> fffffffffffking spam bots
10:23 -!- Guest68773 is now known as dazo
10:23 -!- zamba [i=marius@flage.org] has quit [Read error: 104 (Connection reset by peer)]
10:23 -!- dazo is now known as Guest91172
10:27 -!- Guest91172 is now known as dazo
10:27 -!- zamba [i=marius@flage.org] has joined ##openvpn
10:28 -!- dazo is now known as Guest33378
10:31 -!- Guest33378 is now known as Guest33378|afk
10:33 -!- jeiworth [n=jeiworth@187.146.149.106] has joined ##openvpn
10:49 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
10:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
11:00 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
11:01 -!- Zathraz [n=Zzz@a83-163-198-186.adsl.xs4all.nl] has quit ["Leaving"]
11:02 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
11:09 -!- matze [n=matze@p5481746F.dip.t-dialin.net] has joined ##openvpn
11:10 < matze> hi does one of you know a good tutorial or can help me with openvpn, especially in tunneling all traffic through, because that's the point i didn't get ... connection works fine but no natd with iptables
11:12 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
11:12 < Bushmills> !redirect
11:12 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:13 < Bushmills> http://scarydevilmonastery.net/masq
11:14 < matze> i already do postrouting but it didn't work for me ..
11:16 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
11:16 < matze> also i uncommented this line push "redirect-gateway def1 bypass-dhcp"
11:18 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit [Remote closed the connection]
11:19 < matze> !def1
11:19 < vpnHelper> matze: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:19 < matze> !ipforward
11:19 < vpnHelper> matze: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
11:19 < matze> !nat
11:19 < vpnHelper> matze: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
11:20 < matze> !linipforward
11:20 < vpnHelper> matze: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
11:22 -!- Igor_AKA_Warrior [n=igor@65.215.13.196] has quit [Remote closed the connection]
11:22 -!- Traveler [n=traveler@82.108.46.35] has joined ##openvpn
11:23 -!- Traveler is now known as Guest19945
11:23 < Guest19945> http://pastebin.com/m59931232
11:23 < Guest19945> it seems "multihome" is not working at all
11:24 < Guest19945> I cannot find out why
11:24 < Guest19945> can paste the config if needed
11:24 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
11:26 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
11:27 < Guest19945> server config: http://pastebin.com/m5bb92cb
11:27 < ecrist> Guest19945: that log you posted means nothing to me.
11:27 < ecrist> !logs
11:27 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:29 < Guest19945> ecrist: it shows that client requests come in from an interface, and go out another interface, despite multihome
11:29 < Guest19945> but I can paste the full log, hang on
11:29 < ecrist> -float
11:29 < Guest19945> no
11:29 < Guest19945> I want the server to behave
11:29 < Guest19945> since that's what multihome should be for
11:30 < Guest19945> I have it running fine in another place, I can't find the reason it's misbehaving here
11:31 < Guest19945> client config: http://pastebin.com/m7df818c8
11:32 < ecrist> server config?
11:32 < Guest19945> I pasted it above
11:33 < ecrist> ah, yep
11:33 < Guest19945> openvpn (both server and client) is 2.1~rc11-1 under debian lenny
11:34 < ecrist> Guest19945: I'm not finding the multihome option in the man page...
11:34 < Guest19945> it's not documented, unfortunately
11:34 < Guest19945> you'll see it if you run openvpn --help
11:34 < ecrist> hrm...
11:34 < Guest19945> and it's in openvpn since 2.1rc4 or so
11:36 < ecrist> Guest19945: I would suggest that, 2.1 being an RC, and multihome not being in the man page, it's not supported.
11:36 < ecrist> despite --help
11:37 < Guest19945> it's also in the binary
11:38 < Guest19945> and the log messages are different when multihome is being used
11:38 < krzee> may not be functional yet
11:38 < Guest19945> (and I'm getting those messages)
11:38 < Guest19945> as I said, I have another identical installation that works
11:38 < krzee> which would be a good reason to not document it yet
11:38 < Guest19945> ah, rather not identical, that one is 2.1rc7
11:38 < ecrist> it doesn't seem to exist in rc15, FWIW
11:38 < Guest19945> it's not even in rc20
11:38 < Guest19945> it's not in the man
11:38 < ecrist> lol
11:39 < ecrist> and you expect support for it?
11:39 < Guest19945> there are some posts in the mailing lists asking to document it
11:39 < ecrist> too funny
11:39 < Guest19945> jim himself announced that the functionality had been added
11:39 -!- matze [n=matze@p5481746F.dip.t-dialin.net] has quit [Connection timed out]
11:39 < ecrist> I don't care
11:39 < Guest19945> don't laugh too hard
11:39 < ecrist> it's not in the current bins
11:39 < Guest19945> then the one I have working must be by miracle heh?
11:40 < ecrist> it's been taken out, is what I'm saying.
11:40 < krzee> hey i'd rather be lucky than good
11:40 < Guest19945> there was no announcement that it was taken out
11:40 < ecrist> Guest19945: you're wasting time
11:40 < Guest19945> and if you run strings on the binary the string is there
11:40 < ecrist> we're not going to support it here.
11:41 < Guest19945> fine
11:41 < Guest19945> I'm not surprised people don't say good things about this channel
11:42 < ecrist> people say bad things?
11:42 < Guest19945> yeah, they say they get rude answers
11:42 < krzee> Guest19945, if you dont like the free help given here, we wont make you stay
11:42 < ecrist> 'Please support me on the undocumented feature that isn't currently supported in a RC for something that's been developed for 7 years.' 'No, you're asses.'
11:43 < ecrist> Guest19945: who are 'people'
11:43 < Guest19945> it's documented on the website too? what do you want more than that?
11:43 < ecrist> give me a link on the website where it's documented
11:43 -!- YaManicKill|away is now known as YaManicKill
11:44 < krzee> Guest19945, if they got it working right im thinking it wouldnt have been removed from current
11:44 < Guest19945> http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html
11:44 < vpnHelper> Title: 2.1 Change Log (at openvpn.net)
11:44 < Guest19945> it's in since 2.1rc3
11:44 < ecrist> that's the change log
11:45 < Guest19945> it's also in the download page, it's been there since
11:45 < Guest19945> I really think I'm wasting my time now
11:46 < Guest19945> http://openvpn.net/index.php/open-source/downloads.html
11:46 < vpnHelper> Title: Downloads (at openvpn.net)
11:46 < ecrist> you're using rc7
11:46 < ecrist> update to rc20 see if your problem goes away
11:46 < Guest19945> did you even read what I said?
11:46 < Guest19945> it's been there since it was merged
11:47 < ecrist> you're using 2.1rc7 and having problems
11:47 < Guest19945> the downloadable version changed, but the "what's new" box has had it since rc3
11:47 < ecrist> the current is 2.1rc20
11:47 < Guest19945> oh, nevermind
11:47 < Guest19945> I'm *really* wasting my time
11:47 < Guest19945> you were right
11:47 < ecrist> good bye
11:47 < Guest19945> no, I'm using 2.1rc7 and it works perfectly
11:47 < ecrist> then why are you here?
11:47 < Guest19945> it's rc11 that is not working
11:48 < ecrist> rc11 isn't rc20
11:48 < Guest19945> neither is rc7
11:48 < ecrist> use the most current or go home
11:48 < Guest19945> I'm surprised by the rudeness of people here
11:48 < Guest19945> what if I started out saying it was rc20?
11:48 < ecrist> we'd find out when you posted your logs
11:48 < ecrist> and then we'd be rudely asking you to upgrade
11:49 < Guest19945> no doubt about that
11:51 < krzee> or see if you can find rc7 if it works so well for you?
11:52 < Dougy> ayo krzee
11:53 < krzee> waddup
11:54 < Guest19945> ok, rc20 is failing too, dear my smartass
11:54 < krzee> Guest19945, you dont sound like you wanna be here
11:55 < krzee> you're free to go if you like
11:55 < Guest19945> sure, I just wanted to prove you wrong
11:56 < Guest19945> I'm leaving now
11:56 -!- Guest19945 [n=traveler@82.108.46.35] has left ##openvpn []
11:56 < krzee> he showed us!
11:56 < ecrist> wow
11:56 -!- teddymills [n=teddy@208.92.235.227] has quit [Connection reset by peer]
11:59 < ecrist> how the hell are we (non-developers) supposed to support a feature that's been pulled?
12:04 < krzee> i felt no need to explain anything with his attitude
12:06 -!- gionnico [i=83af0c09@gateway/web/freenode/x-soizqijfwecttlsn] has joined ##openvpn
12:06 < gionnico> |Mike|: ?
12:06 < gionnico> hello!!
12:06 < gionnico> I need help
12:06 < krzee> !ask
12:06 < vpnHelper> krzee: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
12:06 < gionnico> please! why is this channel only a bot telling rtfm help?
12:07 < gionnico> i have 1 client -> proxy -> town -- town -> lan -> 1 server
12:07 < gionnico> i'd like the client to use server's free internet access
12:08 < ecrist> gionnico: you know that the client is still using its own internet, as well, right?
12:08 -!- LobbyZ [n=default@217.18.70.127] has quit [Read error: 54 (Connection reset by peer)]
12:08 < gionnico> ecrist: the client has limited internet access
12:08 < gionnico> i'd like the client to use server's unlimited access through the openvpn tunnel
12:09 < ecrist> by limited, do you mean it's filtered?
12:09 < gionnico> ecrist: yep
12:09 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
12:09 < ecrist> !def1
12:09 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
12:09 < ecrist> that with some NAT rules in place is all you should need
12:09 < gionnico> ecrist: luckily enough the proxy allows the HTTP CONNECT method on port 443
12:09 < gionnico> so server is listening on tcp 443
12:10 -!- Irssi: ##openvpn: Total of 84 nicks [0 ops, 0 halfops, 0 voices, 84 normal]
12:11 < krzee> [14:06] please! why this channel is only bot telling rtfm help?
12:11 < krzee> because we see the same questions over and over again
12:11 < gionnico> this is quite normal
12:12 < gionnico> ubuntu channel has some mods who keep answering
12:12 < gionnico> there's no such massive use of the bot
12:12 < krzee> im happy for them =]
12:13 < krzee> !redirect
12:13 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:13 < gionnico> !ipforward
12:13 < vpnHelper> gionnico: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:13 < gionnico> !linjipforward
12:13 < vpnHelper> gionnico: Error: "linjipforward" is not a valid command.
12:13 < gionnico> !linipforward
12:13 < vpnHelper> gionnico: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
12:14 < gionnico> !nat
12:14 < vpnHelper> gionnico: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:14 -!- xenon_ [n=rainer@89.104.9.29] has joined ##openvpn
12:14 < gionnico> !linnat
12:14 < vpnHelper> gionnico: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:14 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
12:15 < gionnico> what nat? (1) or (2) ?
12:15 < krzee> both are nat
12:15 < xenon_> Hello, since I installed openvpn, I cannot access the network from a windows running in vmplayer any more. Can somebody, please, help?
12:15 < krzee> #2 is to choose what IP address to NAT as
12:15 < gionnico> what does it mean
12:15 < gionnico> is 1 ok if i dont want to choose?
12:15 < krzee> you know what NAT is?
12:15 < gionnico> krzee: yes..
12:15 < krzee> yes, 1 is great
12:16 < krzee> youd know if you wanted #2
12:16 -!- Piet [i=pietor@gateway/gpg-tor/key-0xC5C71DCE] has joined ##openvpn
12:16 < gionnico> krzee: ah do you know
12:16 < gionnico> openvpn server is already behind a home router
12:16 < gionnico> and behind a nat
12:16 < gionnico> i'm setting iptables in the server not the router (that is not busybox based..)
12:20 < krzee> first have you read and understood my doc on ovpn routing?
12:20 < krzee> !route
12:21 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:21 < Piet> i'm probably #147 to ask the same question, but since it's not in the topic and i just joined: is openvpn affected by the recently disclosed ssl/tls issue, and what's the impact?
12:21 < krzee> Piet, link to issue please?
12:21 < krzee> all enc happens with openssl
12:21 < krzee> so if openssl is, your vpn might be
12:23 < waldner> http://www.phonefactor.com/sslgap/
12:23 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:23 < vpnHelper> Title: SSL Authentication Gap (SSL Gap) | PhoneFactor (at www.phonefactor.com)
12:23 < Piet> http://extendedsubset.com/
12:23 < vpnHelper> Title: extendedsubset.com (at extendedsubset.com)
12:24 < waldner> seems it's a flaw in the protocol rather than implementation
12:24 < Piet> right, that's the same thing
12:25 < gionnico> krzee: i haven't fully understood it
12:26 < krzee> ok so what doesnt work?
12:26 < gionnico> krzee: also because my case is ... quite .. different
12:26 < gionnico> i dont have more clients. just 1 client and 1 server
12:26 < krzee> not very different
12:26 < gionnico> someone told me that i dont need client-to-client thing
12:26 < krzee> just ignore a client
12:26 < gionnico> and .. what about iroute?
12:26 < krzee> my page explains what client-to-client does
12:26 < krzee> it also explains what about iroute if only 1 client
12:26 < krzee> READ THE WHOLE THING
12:26 < krzee> please
12:27 < krzee> it took me a lot of time and im clear about those
12:27 < robert_> moo.
12:27 < gionnico> and what is ccd...
12:27 < robert_> hai krzee
12:27 < xenon_> Hello, krzee. With your kindly help I got openvpn working last week. Works really fine, but now I see that my win98 in vmplayer cannot ping any local IP. Can you, please, help?
12:28 < gionnico> i dont need ccd, i only have 1 client right?
12:28 < krzee> xenon_, check that it has a route (or is bridged in) and firewall allows it
12:28 < krzee> gionnico, false
12:28 < xenon_> vmware is bridging.
12:28 < krzee> im very clear about this in the doc gionnico
12:28 < krzee> fine ill paste you from my doc
12:29 < krzee> Note that even if you only have 1 lan behind 1 client, YOU STILL NEED IROUTE
12:29 < krzee> That is why we add the iroute commands to a ccd entry.
12:30 < krzee> like how you missed the part that was all caps?
12:31 < gionnico> krzee: also.. server virtual lan is 192.168.2.1
12:31 < gionnico> ... the same as client's virtual lan
12:31 < xenon_> krzee: vmware is bridging. My local dhcp server assigns win a valid IP, netmask, gateway.
12:31 < gionnico> does your wiki page talk about virtual lan or real?
12:31 < krzee> gionnico, one must be changed
12:31 < gionnico> krzee: i didn't miss it
12:32 < gionnico> i just thought i didnt need ccd. so iroute could go directly in the openvpn.conf of server
12:32 < krzee> wrong
12:32 < krzee> iroute goes in ccd
12:32 < krzee> like my doc says
12:32 < gionnico> "The thing is, we cant just drop the iroute into server.conf because it would then be used for every client"
12:33 < gionnico> so? i only have 1 client. -> i do can drop ...
12:33 < krzee> thats why they didnt allow it in the config
12:33 < krzee> the code only allows it in ccd
12:33 < krzee> but openvpn would tell you that if you tried it
12:33 < krzee> invalid context or something like that
12:34 < gionnico> krzee: i cant try
12:34 < gionnico> i risk too mush
12:34 < gionnico> *much
12:34 < gionnico> i dont have physical access to the server
12:34 < gionnico> that's why i'm so prudent
12:35 < krzee> !configs
12:35 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:35 < krzee> im gunna take my gf to class
12:35 < krzee> but ill look after if you like
12:36 < gionnico> thanks
12:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
12:40 < xenon_> krzee: Can you,please, help?
12:44 < xenon_> I am not familiar enough with openvpn - can somebody help, please? Is this a problem with vmplayer or mis-configuration of openvpn?
12:51 < xenon_> krzee: please, help.
12:54 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:54 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:55 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
12:59 -!- nemysis_ [n=misterbe@unaffiliated/misterbean] has quit [Read error: 110 (Connection timed out)]
13:00 -!- jean001 [n=chatzill@ADijon-156-1-20-254.w90-39.abo.wanadoo.fr] has joined ##openvpn
13:00 -!- jean001 [n=chatzill@ADijon-156-1-20-254.w90-39.abo.wanadoo.fr] has left ##openvpn []
13:02 -!- c64zottel [n=hans@62-12-245-028.pool.cyberlink.ch] has joined ##openvpn
13:04 < gionnico> !!!
13:04 < vpnHelper> gionnico: Error: "!!" is not a valid command.
13:04 < gionnico> redirect-gateway
13:04 < gionnico> error : cant be used for "server"
13:04 < ecrist> !def1
13:04 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:04 < gionnico> but i tried server-gateway or something I KNOW ECRIST
13:04 < gionnico> it's been a week at least that i'm trying to setup this
13:04 < gionnico> ^_^
13:04 < gionnico> i tried server-gateway or i cant remember well
13:05 < gionnico> but it was an unknown directive
13:05 < ecrist> the syntax in the server config is: push 'redirect-gateway def1'
13:06 < gionnico> ah...
13:06 < gionnico> ok thanks i think it's doublequotes....
13:06 < gionnico> ?
13:06 < ecrist> double quotes works, too
13:07 < gionnico> ecrist: so push etc... and it's ok for server
13:07 -!- c64zotte1 [n=hans@62.12.218.248] has quit [Read error: 145 (Connection timed out)]
13:08 < ecrist> yep
13:08 < ecrist> that will push that out to clients
13:09 < gionnico> installing iptables...
13:09 < gionnico> i'll create that one postrouting rule..
13:09 < gionnico> ip_forward is on
13:10 < gionnico> i have redirect gateway def1 push...
13:10 < gionnico> nothing changed in client config
13:10 < gionnico> and you're telling me this will give the client access to server's internet?
13:10 < ecrist> you'll need NAT on the server.
13:10 < gionnico> postrouting is server iptables config
13:10 < ecrist> so that the vpn server is natting the vpn traffic to the internet
13:10 < ecrist> !linnat
13:10 < vpnHelper> ecrist: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
13:10 < gionnico> i dont have iptables at all in client
13:11 < ecrist> you don't need it in client
13:11 < ecrist> only on server
13:11 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has quit ["Leaving"]
13:12 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:14 < gionnico> ecrist: how do i do some test
13:14 < gionnico> just tried my mail client but doesnt work
13:14 < gionnico> let's start with something simpler
13:14 < gionnico> now I see i have duplicate default in route of client
13:14 < gionnico> is this ok?
13:15 < gionnico> one default is to proxy, other is to vpn
13:15 < gionnico> server
13:15 < ecrist> post your routing tables to pastebin from a client
13:15 < gionnico> here it is
13:15 < gionnico> http://pastebin.com/d318f3050
13:18 < gionnico> ecrist: firefox works
13:18 < gionnico> but
13:18 < gionnico> ping: unknown host google.com
13:18 < gionnico> from client terminal..
13:19 < |Mike|> you can push dns servers as well.. (RTFM)
13:19 < gionnico> |Mike|: .. ok but i have dns
13:20 < gionnico> proxy-provided university's dns but they resolve anything
13:21 < gionnico> something cool happened: i can connect to the server's real lan
13:21 < gionnico> using real server's lan IP from the client
13:21 < gionnico> and i can connect also to pc different from the server itself
13:23 < gionnico> |Mike|: for some weird reason university's dns stopped working
13:24 < gionnico> they dont work "with the tunnel"
13:24 < xenon_> Hello. I please for help with openvpn. I am almost sure that the problem comes from openvpn setup but I don't know how to solve it. I configured my local firewall to do a "class routing", so tun0 and eth0, both in internal LAN group, are routed to each other. The LINUX system is able to reach both networks: the local LAN and the LAN on the server's LAN side.
13:24 < gionnico> (i know this is very uncorrect but i can't explain it better..)
13:25 < gionnico> ecrist: |Mike| omg so cool
13:25 < xenon_> When I start vmplayer, the windows inside of it gets a valid IP assigned by the local DHCP, but I cannot even ping the underlying IP of the LAN!
13:25 < gionnico> i can use IMAP again !!!
13:25 < gionnico> maybe also irc
13:25 < gionnico> and emule
13:25 < gionnico> torrent
13:25 < gionnico> xD
13:26 < gionnico> my friends will be so envy
13:26 < xenon_> What is wrong here? Windows also uses "bridged networking"
13:26 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:26 < xenon_> ...through vmplayer
13:26 < gionnico> !dns
13:26 < vpnHelper> gionnico: "dns" is Level3 open recursive DNS server at 4.2.2.1
13:27 < gionnico> vpnHelper: you didn't help this time
13:27 < vpnHelper> gionnico: Error: "you" is not a valid command.
13:27 < gionnico> vpnHelper: i know you're stupid
13:27 < vpnHelper> gionnico: Error: "i" is not a valid command.
13:32 < gionnico> bbl
13:32 -!- gionnico [i=83af0c09@gateway/web/freenode/x-soizqijfwecttlsn] has left ##openvpn []
13:35 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
13:36 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
13:37 -!- stephenh [i=stephenh@69.30.200.88] has quit [Operation timed out]
13:39 -!- gionnico [i=5231417c@gateway/web/freenode/x-qglsjjxsjnijiwdt] has joined ##openvpn
13:39 < gionnico> I'm back.
13:39 < gionnico> ecrist: |Mike| krzee : thank you all!
13:39 < gionnico> It's sooooo cooool!
13:40 < gionnico> just 1 thing: may I easily choose what route to use each time?
13:40 < gionnico> since I have fast access to some university's services
13:41 < gionnico> and it would be a waste to go milan->myhometown->milan again
13:41 < gionnico> i'd lose all bandwidth advantages
13:41 < gionnico> also traceroute much longer
13:41 < gionnico> more hops
13:41 < ecrist> gionnico: not very easily, no
13:42 < gionnico> hmm def1 is to keep both routes
13:42 < ecrist> you may be able to come up with a client-side script to setup your routing tables, though
13:42 < gionnico> i never understood: internet was thought so that if a server crashed the "network" would survive
13:42 < gionnico> never understood how this applies with routes
13:42 < gionnico> ecrist: i have 2 "default" routes
13:42 < gionnico> why would the client only use the vpn one?
13:43 < gionnico> or does it use both?
13:43 < ecrist> depends on the metric
13:43 < gionnico> or one if available, else the other?
13:43 < ecrist> dual stack networking is relatively new
13:43 < gionnico> metric is priority?
13:47 < gionnico> giyf, rtfm etc i guess
13:48 < ecrist> metric is how many hops it takes to get to a destination
13:48 < ecrist> so, you can manually set a lower metric on the *other* default route based on a series of subnets
13:48 < ecrist> really, you're starting to get into more advanced stuff than OpenVPN
13:49 -!- xenon_ [n=rainer@89.104.9.29] has quit [Remote closed the connection]
13:49 -!- Amjed [n=zjb@c-93-182-143-73.cust.relakks.com] has quit [Read error: 113 (No route to host)]
13:50 < gionnico> ecrist: .... a question
13:50 < gionnico> do my openvpn client now also have a "real" ip address
13:50 < gionnico> inside the server's real lan?
13:50 < gionnico> it would be good so that I can also make the homerouter NAT point to it
13:50 < gionnico> and i could even have a webserver in openvpn client available to all
13:51 < gionnico> (COOLEST)
13:51 < ecrist> no, but you can setup a route on the remote system to route that subnet to the VPN server
13:52 < gionnico> remote system is the openvpn server?
13:52 < gionnico> or is the home gateway? because I dont have much control of it
13:52 < gionnico> only web interface and telnet..
13:52 < gionnico> but i dont think i can change "route"
13:53 < gionnico> ecrist: eg: now from openvpn client i can ping all the server's lan using real ip
13:53 < Bushmills> stupid idea to waste home router bandwidth for incoming requests, when you can just as well mount server exports, and copy what you want to publish there, by treating server directories as if they were local (but without the bandwidth impact when requests are done)
13:53 < gionnico> but i'd like: all computers inside server's lan should be able to ping openvpn client
13:54 < gionnico> and they don't know (i think) how to manage 192.168.2.1 (virtual network)
13:54 < gionnico> so i think they should be able to send it to a fake 192.168.1.150 (say this is the address of openvpn client inside real server's lan)
13:55 < gionnico> ecrist: or what if I open some ports (like NAT port 80 in homerouter) to point to the openvpn server?
13:55 < gionnico> could it make the client listen on it?
13:55 < gionnico> sorry i dont know much of networking. maybe what i'm saying is nonsense
13:57 < gionnico> it's quite important now that i think of it. for example bittorrent needs LISTENING ports
13:57 < gionnico> i'd like to use bittorrent in the client
13:58 < Bushmills> but you have openvpn to connect to the server, and have those things handled there.
13:59 < gionnico> Bushmills: so i should set the homerouter to forward to openvpn server's ip
13:59 < Bushmills> without sharing files being detrimental to your browsing speed ...
14:00 < gionnico> the ports that bittorrent listens on the client?
14:00 < Bushmills> i don't know what you "should" or "should not", i merely point out that using your client as extension of the server, actively involved in having files pulled from there, is possible but totally overrated. server is much better at that.
14:01 < gionnico> Bushmills: ok.
14:01 < gionnico> but if i download using the server
14:01 < gionnico> then i have to use the client to download from the server
14:01 < Bushmills> well, server has to listen to the same ports anyway, if it was to reroute them to your client.
14:01 < gionnico> about .. same time required
14:02 < Bushmills> consider that p2p is not only receiving, but also sending
14:02 < gionnico> Bushmills: yes ok...
14:02 < gionnico> well let me try.. i'll evaluate if it's too slow then
14:02 < Bushmills> your home net is likely connected to the net through an asymmetric line.
14:02 < Bushmills> (more down than up)
14:03 < Bushmills> so what goes up, jams your line
14:03 < gionnico> Bushmills: again, you're right!
14:03 < gionnico> indeed i use an adsl..
14:03 < gionnico> i know. but from having no access at all because under a proxy
14:03 < gionnico> to have little bandwidth, lot of wasted bandwidth increased latency
14:03 < gionnico> ... but still, it WORKS
14:03 < gionnico> .. i just want to check if it works
14:04 < Bushmills> you can spare yourself the trouble by simply letting the server deal with up AND down, and when complete, the client with down only, from server
14:05 < Bushmills> yes, it works. but you'd want to / have to secure the client as you secure the server, for example against brute force ssh login attempts and all that crap.
14:06 < gionnico> Bushmills: i've always been hating NAT
14:06 < Bushmills> not worth the trouble, IMHO
14:06 < gionnico> let's secure it. maybe i can also open the ports only when i want
14:06 < gionnico> that comes after
14:06 < Bushmills> you'd still use NAT for rerouting packets from server to your client
14:08 < Bushmills> it is not that your client magically gets a public ip address of its own. it merely "borrows" one from the server.
14:09 -!- gionnico [i=5231417c@gateway/web/freenode/x-qglsjjxsjnijiwdt] has quit [Ping timeout: 180 seconds]
14:11 -!- gionnico [n=gionnico@host124-65-dynamic.49-82-r.retail.telecomitalia.it] has joined ##openvpn
14:11 < gionnico> back...
14:11 < gionnico> connection was lost..
14:13 < gionnico> ohh i know what the problem was
14:13 < gionnico> dhcpcd was called again. and it replaced DNS !!
14:13 < gionnico> how can i solve this problem?
14:13 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:13 < |Mike|> wreck one
14:14 < gionnico> |Mike|: maybe just tell dhcpcd not to push DNS
14:14 < gionnico> because i set the proxy's IP in openvpn.conf
14:14 < |Mike|> you could do that
14:14 < gionnico> so it should NEVER need dns not even for starting the connection
14:14 -!- reid97 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Success]
14:14 < gionnico> |Mike|: but.. it needs dns to resolve my openvpn server address.....
14:14 < gionnico> so no..
14:15 < |Mike|> depends if you work with bla.foo.com or IP's :-)
14:15 < gionnico> |Mike|: as said i need dns to resolve dynamic openvpn server address
14:15 < Bushmills> running a local recursive DNS was the most reliable way to protect resolving.
14:15 < gionnico> my homerouter takes care of updating the dns=ip
14:18 < gionnico> Bushmills: ?
14:18 < gionnico> how can i solve this problem?
14:18 < gionnico> if I write my proxy-provided dns to resolv.conf, when openvpn connects it replaces the file
14:18 < gionnico> when i reboot i still have the replaced file
14:18 < Bushmills> one possibility is to locally run a recursive DNS
14:19 < gionnico> like?
14:19 < Bushmills> as long as it can get out "somehow", it will resolve
14:19 < Bushmills> depends. small memory footprint, and fast, would be maradns, for example.
14:19 < gionnico> Bushmills: ah so like it tries both
14:20 < Bushmills> no. it tries the default route.
14:20 < gionnico> Bushmills: how do i setup something like that?
14:20 < Bushmills> configure and run.
14:21 < gionnico> Bushmills: or i could tell openvpn to setup primary dns to normal dns
14:21 < gionnico> and secondary dns to proxy provided
14:21 < gionnico> maybe i'll get a timeout
14:21 < gionnico> but it should work
14:22 < gionnico> (i mean it'll wait for the primary to timeout then test the secondary..)
14:22 < Bushmills> why should second dns resolve what first can't?
14:23 < gionnico> second dns is available.
14:23 < gionnico> i can't explain..
14:23 < gionnico> second dns is what i used before installing openvpn
14:23 < gionnico> it is directly accessible using the proxy's LAN
14:23 -!- krzee [n=k@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
14:23 < gionnico> 10.x.x.x class addresses
14:24 < gionnico> while i'd set to primary what i use in my hometown where i have the openvpn server
14:24 < Bushmills> so put it first?
14:24 < gionnico> Bushmills: ok put first
14:24 < gionnico> when openvpn is connected
14:24 < gionnico> all requests to it stop working
14:24 < gionnico> dunno why
14:25 < gionnico> Bushmills: now that i think of it.. the primary dns that i set is the private (real) IP of my homerouter
14:25 < gionnico> that also acts as a small dns server
14:25 < gionnico> (I setup the dns in the router)
14:25 < gionnico> maybe this is why it doesnt work when openvpn is not started
14:25 < gionnico> of course. it doesnt have access (yet) to that IP class
14:26 < gionnico> no i'm wrong.
14:26 < gionnico> that ip is pushed to client by openvpn server
14:26 < gionnico> so when the link has been established
14:27 < gionnico> or maybe not
14:27 < gionnico> i'll try :D
14:27 < |Mike|> have you fixed tls-auth etc?
14:28 < gionnico> hello ping?
14:28 < gionnico> tls-auth.... ? I'm using ca/cert/key directives
14:29 < |Mike|> !tls-auth
14:29 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
14:30 < gionnico> |Mike|: ... i dont have it..
14:31 < gionnico> uhm i setup my homerouter to forward MSNmessenger traffic
14:31 < gionnico> incoming to certain ports to the openvpn router's real LAN ip
14:31 < gionnico> now if i use msn from the client i still get the message i'm behind a nat
14:34 < gionnico> why?
14:35 < gionnico> ...
14:38 < gionnico> any1?
14:40 < gionnico> |Mike|: ?
14:40 < |Mike|> dude, quit highlighting me
14:40 < |Mike|> i'm coding #!/bin/bash
14:41 < gionnico> .. sorry.. quite depressing talk and no answer
14:41 < gionnico> everybody silent
14:41 < gionnico> dont even know if someone read or if irc connection gone
14:41 < Bushmills> maybe nobody has an idea what "msn" is
14:41 < |Mike|> that too
14:41 < gionnico> Bushmills: it's not msn
14:41 < gionnico> it's in general
14:41 < gionnico> i need programs to listen
14:42 < |Mike|> you've set it up for your torrent client eh?
14:42 < gionnico> |Mike|: not yet ^^
14:42 < gionnico> torrent is the same as msn i guess
14:42 < gionnico> the same as a webserver
14:42 -!- monttyle [n=monttyle@71-17-245-18.yktn.hsdb.sasknet.sk.ca] has joined ##openvpn
14:42 < gionnico> maybe you know how to run a webserver in a client
14:42 < gionnico> behind a server behind 2 nat
14:42 < Bushmills> check out prerouting table on server, and target SNAT (provided you're using iptables there)
14:43 < gionnico> Bushmills: sounds a good clue
14:43 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
14:47 < monttyle> Hello. I'm thinking of using openvpn to tunnel traffic. I've already got a client-server tun-mode VPN running on 10.0.x.x, and am wondering how to route traffic from clients on 10.0.0.6 to things beyond 10.0.0.1.
14:48 -!- gionnico [n=gionnico@host124-65-dynamic.49-82-r.retail.telecomitalia.it] has quit ["Sto andando via"] 14:48 < Bushmills> !redirect 14:48 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:48 < Bushmills> !route 14:48 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:48 < Bushmills> !def1 14:48 < vpnHelper> Bushmills: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 14:51 < monttyle> Hehh. Handy, that thing. Sadly I do NOT want to redirect ALL outgoing traffic... 14:52 < Lobsang> i've got a strange openvpn problem... I'm transferring a file from client to server. When the server initiates the request only 20-30% of bandwidth is used. But when the client "pushes" the file to server, full bandwidth is utilized 14:52 < Bushmills> you can ask server to push routes, or let client add routes upon connection 14:52 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 14:54 -!- LobbyZ [n=default@lobbyzffs.com] has joined ##openvpn 14:54 < Bushmills> or you add the routes to gateways/interfaces you don't want to route through vpn, before you let openvpn replace default route 15:01 < monttyle> Hmm. I'm pushing the route, and the client gets the route, but it doesn't seem to be even trying to use it. 15:05 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn 15:08 < monttyle> On the server I have push "route 192.168.22.0 255.255.255.0". 
The client gets this and interprets it so as to add a route from 192.168.22.0/24 to 10.0.0.5. but when I run wget with --bind-addr=192.168.22.1, it downloads with absolutely no vpn traffic. 15:10 < Bushmills> what is vpn ip address of client? 15:10 < monttyle> 10.0.0.6 15:11 < monttyle> I disabled my firewall completely, which stopped any download from happening. Still no vpn traffic though. 15:11 < Bushmills> aren't you supposed to specify that as bind-address? 15:12 < Bushmills> " When making client TCP/IP connections, bind to ADDRESS on the local machine" 15:12 < monttyle> Yes, and I did. 15:12 < Bushmills> "I run wget with --bind-addr=192.168.22.1" - why should that be routed through vpn? 15:13 < monttyle> because it's on the 192.168.22.0/24 subnet? 15:13 < Bushmills> i see. what interface carries that ip address? 15:13 < monttyle> or do I have to test that on an IP the machine does not possess. 15:13 < monttyle> I have two interfaces named 'lan' and 'wan'. lan has 192.168.22.1 15:14 < monttyle> wan has a dhcp address, currently 192.168.0.196 15:14 < Bushmills> i think that, by specifying the interface to send to, you skip the routing table 15:14 < Bushmills> so you send through the interface with the specified ip address 15:14 < monttyle> I see. I'll boot up a client PC on LAN and see where it routes. 15:16 < Bushmills> try ip address of client tun interface as bind-address 15:21 -!- eatnumber1 [n=eatnumbe@yubaba.csh.rit.edu] has joined ##openvpn 15:21 < eatnumber1> I'm trying to set up openvpn using bridging 15:21 < eatnumber1> I get a connection, but I can't get an ip 15:21 < eatnumber1> (I'm trying to get dhcp from the remote size) 15:21 < eatnumber1> side* 15:23 < Bushmills> !tunortap 15:23 < vpnHelper> Bushmills: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. 
Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 15:28 < eatnumber1> sigh 15:28 < eatnumber1> I know that 15:28 < eatnumber1> I need tap 15:29 < eatnumber1> I would like some help setting it up though 15:29 < eatnumber1> I can't get an IP (as I said before) 15:29 < monttyle> Hm. When the vpn tunnel is running, the client connected to the VPN client over lan at 192.168.22.2 can no longer ping 192.168.22.1 and vice versa. 15:29 < monttyle> eatnumber1: what OS? 15:30 < eatnumber1> debian server, windows client 15:30 < monttyle> eatnumber1: If you set a static address, can you ping the server? 15:30 < eatnumber1> let me tr 15:30 < eatnumber1> try* 15:30 < Bushmills> monttyle: no wonder if you added a route to send traffic to 192.168.22.0/24 through vpn 15:31 < Bushmills> or where should the icmp replies go to? 15:31 < eatnumber1> monttyle: no 15:32 < monttyle> If you're on windows, try turning off Windows Firewall. 15:33 < eatnumber1> still doesn't work 15:34 < eatnumber1> oh, wait 15:34 < eatnumber1> lawl 15:34 < eatnumber1> I figured it out 15:34 < monttyle> what was it? 15:34 < eatnumber1> the tap0 interface wasn't up 15:34 < eatnumber1> wonder why openvpn didn't bring it up automatically 15:34 < monttyle> on the client or the server? 15:34 < eatnumber1> server 15:34 < monttyle> very odd, never seen that happen. 15:35 < monttyle> Bushmills: I should explain exactly what I'm trying to do here... Writing... 15:35 < Bushmills> yes, you did. "The client gets this and interprets it so as to add a route from 192.168.22.0/24 to 10.0.0.5" 15:36 < eatnumber1> hmm 15:37 < eatnumber1> how can I make dns go over the vpn? 15:37 < Bushmills> query a name server which is on an ip address which is routed over vpn 15:37 < monttyle> eatnumber1: configure a DNS server for a VPN IP? 
15:38 < eatnumber1> configure my client machine to query the DNS server on the other side of the vpn rather than the one out on the internet 15:38 < monttyle> eatnumber: What's your server's IP on the VPN? Does your server give DNS? 15:39 < eatnumber1> Bushmills: yeah, do you know how to configure windows to choose the dns server given to me by dhcp from the vpn rather than dhcp from the internet? 15:39 < Bushmills> eatnumber1: you can push dns to windows clients 15:39 < eatnumber1> keep in mind, this is tap 15:40 < Bushmills> push is done when client connects 15:40 < eatnumber1> oh.... wait 15:40 < eatnumber1> I can't ping the dns server on the other side 15:40 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 15:41 < monttyle> Bushmills: We're a small ISP catering to rural areas. We put down a satellite dish and connect people within a few miles over 802.11, with a server inbetween to do NAT. So there's maybe two dozen people on 192.168.x.y addresses, connecting to one server with a real IP. But the satellite modems are severely limited in their maximum number of connections, too many and they'll lock up. I want to tunnel traff 15:41 < monttyle> ic from behind the LAN connection on the server, 192.168.22.x, to equipment more capable. 15:41 < eatnumber1> do I need /proc/sys/net/ipv4/ip_forward on? 15:41 < |Mike|> only if you wear panties 15:41 < eatnumber1> to connect to hosts in the network of the server? 15:42 < eatnumber1> oh wait, I'm an idiot. I'm going to stop talking until I really can't figure it out 15:46 < monttyle> Does my plan make sense? 15:56 < monttyle> Hello? 15:57 < eatnumber1> makes sense to me 15:58 < eatnumber1> each client will need openvpn installed though 15:59 < monttyle> Each server, but why each client? 16:00 < reiffert> openvpn over satellite link may be tricky because of latency. 16:00 < reiffert> and mtu. 16:01 < monttyle> reiffert: I've already been running a VPN over this satellite service for years now. 
MTU issues have been encountered, yes, and solved. The latency issues cannot be worse than the ones we have already due to these stupid, stupid satellite modems. 16:01 < reiffert> :) 16:01 < reiffert> I think krzie runs a sat link as well. 16:02 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit [Read error: 110 (Connection timed out)] 16:04 < monttyle> I suppose since I have both VPNs already working it's become more of a general routing question than an openvpn one... Any recommendations where to look/ask on that? 16:04 < |Mike|> reiffert: that's correct. 16:06 < reiffert> monttyle: 16:06 < reiffert> !route 16:06 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:08 -!- Lobsang [n=lobsang@212.30.64.162] has quit ["Java user signed off"] 16:11 < |Mike|> i could install openvpn server + clients in business time aswell ;) 16:11 < |Mike|> ./msg n00b hi ! 16:11 < reiffert> ? 16:11 < |Mike|> no idea 16:11 < reiffert> ??? 16:12 < |Mike|> echo $? 16:12 < reiffert> 1 16:12 < |Mike|> omg. 16:12 -!- misterbean [n=misterbe@unaffiliated/misterbean] has joined ##openvpn 16:12 < monttyle> I think he's wondering about the 'i could install ...' line, and the ./msg line. I as well. 16:14 < |Mike|> aye 16:17 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 16:18 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 16:18 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 16:21 < eatnumber1> this is strange 16:21 < eatnumber1> every time I restart openvpn, it brings down tap0 and removes it from br0 16:21 < eatnumber1> and starting openvpn again doesn't re-add & re-start tap0 16:22 < reiffert> because of your start/stop shell script. blame your distribution. 16:23 < eatnumber1> my start/stop shell script? 
16:23 < eatnumber1> distro is debian, btw 16:23 < eatnumber1> and ifupdown isn't configured to mess with tap0 at all 16:25 < |Mike|> sudo /etc/init.d/openvpn start 16:25 < |Mike|> :p 16:25 < eatnumber1> oh, I know what it is 16:25 < eatnumber1> openvpn is deleting tap0 16:25 < eatnumber1> when I stop it 16:32 < |Mike|> asin /dev/tap0 ? 16:32 < eatnumber1> uh 16:32 < eatnumber1> no 16:32 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 16:32 < eatnumber1> the network interface tap0 16:32 < |Mike|> that's pretty normal :) 16:33 < eatnumber1> yeah 16:33 < eatnumber1> I hadn't planned for that though 16:33 < eatnumber1> my network setup right now creates the bridge only at boot 16:33 < eatnumber1> now I need to add tap0 to the bridge every time openvpn starts 16:34 < |Mike|> there are many articles on debian's wiki for that ;) 16:35 < eatnumber1> yeah 16:35 < eatnumber1> I did it a completely different way than they say to do it 16:35 < eatnumber1> because they are all for tun devices 16:35 < eatnumber1> not tap 16:35 < |Mike|> !tunortap 16:35 < vpnHelper> |Mike|: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 16:35 < |Mike|> read that :) 16:36 < eatnumber1> you're the second person to say that to me 16:36 < eatnumber1> I know 16:36 < eatnumber1> I need tap 16:36 < eatnumber1> thanks though 16:52 < eatnumber1> works now... 
thanks everyone who helped me 16:52 -!- eatnumber1 [n=eatnumbe@yubaba.csh.rit.edu] has left ##openvpn ["Leaving."] 16:58 -!- plaerzen [n=carpe@vip1.tundraeng.com] has quit [Remote closed the connection] 16:59 -!- monttyle [n=monttyle@71-17-245-18.yktn.hsdb.sasknet.sk.ca] has quit [" HydraIRC -> http://www.hydrairc.com <- Nine out of ten l33t h4x0rz prefer it"] 17:02 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 17:09 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 17:42 -!- niko_ [n=niko@niko-niko.co.uk] has joined ##openvpn 17:43 -!- niko_ is now known as Guest51945 17:43 -!- Guest51945 is now known as koin 17:43 -!- Amjed [n=zjb@87.109.223.159] has joined ##openvpn 17:48 -!- bytesaber [n=bytesabe@208.98.188.95] has quit [Read error: 113 (No route to host)] 17:49 < koin> Hey everyone, is there a way to redirect certain ports instead of redirecting all traffic in openvpn? Or should I use something else like iptables? 17:50 < koin> to just simply block the ports that is* 17:51 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 18:05 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 18:06 -!- corretico [n=laguilar@201.201.46.106] has left ##openvpn ["Leaving"] 18:11 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:13 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit] 18:13 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:15 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit] 18:15 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:16 -!- correcaminos [n=laguilar@201.201.46.106] has quit ["Leaving"] 18:16 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 18:21 -!- corretico [n=laguilar@201.201.46.106] has left ##openvpn ["Leaving"] 18:23 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:24 < Bushmills> 
koin: not with openvpn as such. 18:25 < Bushmills> but using something like a packet filter, you can reroute packets so that they're routed through the vpn interface 18:26 < Bushmills> (routing is done before openvpn gets hold of the packets) 18:27 -!- lowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 18:31 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"] 18:31 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:32 < koin> Bushmills: Thanks I will continue digging around 18:34 -!- correcaminos [n=laguilar@201.201.46.106] has quit ["Leaving"] 18:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit] 18:35 -!- lowValueTarget [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 18:35 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:35 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 18:36 -!- correcaminos [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 18:36 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 18:36 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)] 18:37 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:38 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 18:38 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:40 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Read error: 110 (Connection timed out)] 18:51 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 18:56 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 19:45 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:00 -!- jeiworth [n=jeiworth@187.146.149.106] has quit [Read error: 60 (Operation timed out)] 20:12 -!- Netsplit 
wolfe.freenode.net <-> irc.freenode.net quits: kala 20:13 -!- Netsplit over, joins: kala 20:16 -!- master_of_master [i=master_o@p549D7207.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:19 -!- master_of_master [i=master_o@p549D770C.dip.t-dialin.net] has joined ##openvpn 21:02 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 21:03 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Client Quit] 21:03 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 21:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)] 21:07 -!- xp_prg [n=xp_prg3@99.2.31.217] has quit ["This computer has gone to sleep"] 21:18 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 22:09 -!- hyper_ch [n=hyper@adsl-89-217-17-123.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 22:10 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 22:12 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has joined ##openvpn 22:35 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 60 (Operation timed out)] 22:36 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 22:40 -!- psi-jack [n=psi-jack@42.148.188.72.cfl.res.rr.com] has joined ##openvpn 22:40 < psi-jack> When I use server 192.168.10.0 255.255.0.0, my openvpn won't start, telling me in the syslog to use --help 22:40 < psi-jack> Why would that happen? 23:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:17 -!- darkpixel [n=darkpixe@2001:470:83b7:4242:6b45:3c76:409c:2f43] has joined ##openvpn 23:21 < darkpixel> I have a linux server and two linux clients using tun/subnet topology. The subnet is 10.1.15.0/24. The tunnels are totally up and working, but I've found that I can't do a broadcast ping to 10.1.15.255. I get no response. Am I missing something? 
23:34 -!- psi-jack [n=psi-jack@42.148.188.72.cfl.res.rr.com] has quit ["leaving"] 23:50 -!- Amjed [n=zjb@87.109.223.159] has quit [Read error: 110 (Connection timed out)] 23:50 -!- Amjed [n=zjb@87.109.214.53] has joined ##openvpn --- Day changed Sat Nov 07 2009 00:11 -!- darkpixel [n=darkpixe@2001:470:83b7:4242:6b45:3c76:409c:2f43] has quit ["leaving"] 00:27 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:04 < robert_> hai krzee 01:07 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 01:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 01:49 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit [Read error: 110 (Connection timed out)] 02:45 -!- gallatin [n=gallatin@dslb-094-220-126-001.pools.arcor-ip.net] has joined ##OpenVPN 02:49 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 104 (Connection reset by peer)] 03:12 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:12 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 03:28 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)] 03:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 04:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 04:19 -!- Amjed [n=zjb@87.109.214.53] has quit [Read error: 104 (Connection reset by peer)] 04:20 -!- Amjed [n=zjb@93.182.157.109] has joined ##openvpn 04:46 -!- Amjad [n=zjb@87.109.214.53] has joined ##openvpn 04:51 -!- Amjed [n=zjb@93.182.157.109] has quit [Read error: 113 (No route to host)] 04:57 -!- guest_007 [n=guest@194.8.75.105] has joined ##openvpn 04:58 < guest_007> Hi can misconfigured router lead to: TLS Error: incoming packet authentication failed from xxx ? 
05:01 < guest_007> same problem as: http://openvpn.net/archive/openvpn-users/2005-04/msg00455.html 05:01 < vpnHelper> Title: [Openvpn-users] Just another "Authenticate/Decrypt packet error: packet HMAC authentication failed" (at openvpn.net) 05:15 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has joined ##openvpn 05:19 -!- guest_007 [n=guest@194.8.75.105] has left ##openvpn ["Ex-Chat"] 05:31 -!- Amjed [n=zjb@87.109.201.199] has joined ##openvpn 05:44 -!- Amjad [n=zjb@87.109.214.53] has quit [Read error: 110 (Connection timed out)] 06:01 -!- pfo [n=pfo@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)] 06:40 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 06:51 -!- gallatin [n=gallatin@dslb-094-220-126-001.pools.arcor-ip.net] has quit [Remote closed the connection] 07:12 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 07:13 < CaBa> hey 07:21 < Dougy> hi 07:34 < CaBa> if i have an internet server with ~35 internet ips - can i set up an openvpn server in it that assigns those real internet ips to the clients for them to use them directly without any NAT etc? 07:38 < Bushmills> good question. it might work, but there is a complication: your server nic towards world must accept packets to those ip addresses as if those were its own. so it seems that it either need to be in promiscuous mode, or bridged. 07:39 < Bushmills> so essentially your server will need a router config. 07:39 < CaBa> Bushmills: but i cannot have a nic of the server use an ip and give it to a client at the same time, right? 07:41 < Bushmills> right. two interfaces with the same ip address is equal to trouble. 
07:42 < CaBa> thought so 07:42 < CaBa> so one straightforward solution would be to create local ips for the clients and NAT them to separate external IPs that are then actually configured on the server 07:43 < CaBa> and the other solution would be to have only one ip configured on the server, give the other ips to the client and have the server route them through "his" ip 07:43 < CaBa> right? 07:43 < Bushmills> second part is "no". if the server has only one ip address, no packets for clients will arrive there. 07:44 < Bushmills> (no other than replies from nat'ted client requests - but those will be sent with the one server ip address, so the above is still the case) 07:45 < CaBa> well in the above case i would configure all the IPs on the server and NAT each client differently 07:45 < Bushmills> that'd be one way, yes. 07:45 < CaBa> i necessarily need the clients to have their own internet ip 07:46 < CaBa> but i dont really like the nat solution 07:46 < Bushmills> linux server? 07:46 < CaBa> yes 07:46 < Bushmills> check whether the "advance router" kernel config, and what comes with it, can be of any help 07:46 < CaBa> why can't i configure the server to route from his main ip to the client ips? 07:46 < Bushmills> advanced router 07:46 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 07:47 < CaBa> i'll look into it 07:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:47 < CaBa> how come this: 07:47 < CaBa> 14:43:42 < Bushmills> second part is "no". if the server has only one ip address, no packets for clients will arrive there. 07:47 < Bushmills> because, when a packet comes in on the one server ip address - to which client is it supposed to go? 07:47 < CaBa> i mean... the datacenter's router takes care that packets for all my ips arrive at my router 07:47 < CaBa> at my server 07:48 < CaBa> now if i tell the server to route traffic for that IPs to the according client? 
07:48 < CaBa> i am not familiar with vpn, but will each client have its own interface on the server? or how are they connected/ 07:48 < Bushmills> if the network card hasn't been set up to respond to those ip addresses, it will not "see" packets to those. 07:49 < Bushmills> but as soon as it does, it is the network card's ip address 07:49 < CaBa> uh... 07:49 < CaBa> hm. i wonder how all these ppl do that. at all vpns that i have access to i get assigned an internet ip 07:50 < Bushmills> hm. that's only partly true what i said 07:50 < Bushmills> there is the netmask, of course 07:50 < CaBa> ah, right 07:53 < CaBa> Bushmills: so what do you think about the routing approach? 07:53 < CaBa> Bushmills: and if its possible - how do i route traffic for the clients ips to the clients? 07:54 < CaBa> i just route it to the tap/tun interface? 07:54 < Bushmills> if the server behaves like a router, you'd route incoming packets to client net to tun 07:54 < CaBa> Bushmills: but wouldnt all the clients get all the packets then? 07:55 < Bushmills> each client has its own ip address 07:56 < CaBa> yes. i am just wondering if a client can do something about that and sniff packets for other clients 07:56 < CaBa> just thinking in the worst case scenario :P 07:57 < Bushmills> each client also connects to the server with its own physical ip address, through which the tunnel is established. 07:57 < Bushmills> that's where client data, by means of the tunnel, is actually sent to 07:59 < Bushmills> the tunnel is merely, besides encryption, a logical representation of the client/server connection, hiding the real world routing and path around it. But that doesn't mean that it isn't there anymore. 08:00 < CaBa> so lets say i have 2 clients, 1.2.3.4 and 1.2.3.5 - i route a packet for 1.2.3.4 to the tun interface - openvpn will now figure for which client that packet is and drop it in the right tunnel? 08:02 < Bushmills> wasn't that the case, clients wouldn't receive their own traffic. 
08:02 < Bushmills> (unless everything sent to all clients ...) 08:03 < CaBa> yes, that "everything to everyone" i was afraid of ;) 08:03 < Bushmills> that'd make server configuration rather inefficient 08:04 < CaBa> Bushmills: hm. sounds as if this whole thing might work, are there any obvious caveats that you might wanna warn me of? 08:05 < Bushmills> foremost, my opinion on that matter is purely speculative, or based on educated guessing. no first hand practical concept proofing done by me,# 08:06 < Bushmills> if that's not caveat enough :) 08:06 < CaBa> yeah, don't worry, thats the way i understood your statements ;) 08:08 < CaBa> Bushmills: just to get back to one of your statements - this thing should work now with the server having only one ip configured to the world or not? 08:09 < CaBa> with the proper netmask this shouldnt be an issue, right? 08:23 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: reiffert, LobbyZ, todd_dsm, mikkel_, oc80z 08:26 -!- Netsplit over, joins: mikkel_, LobbyZ, todd_dsm, oc80z, reiffert 08:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 08:36 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: reiffert, LobbyZ, todd_dsm, oc80z, mikkel_ 08:40 -!- Netsplit over, joins: mikkel_, LobbyZ, oc80z, reiffert 08:40 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:43 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 08:44 -!- correcaminos [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)] 08:46 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 60 (Operation timed out)] 08:57 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 09:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:54 -!- waldner [n=waldner@unaffiliated/waldner] has quit [Read error: 60 (Operation timed out)] 09:59 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 10:02 -!- 
mobidroid [n=mobidroi@modemcable176.13-20-96.mc.videotron.ca] has joined ##openvpn 10:02 -!- mobidroid [n=mobidroi@modemcable176.13-20-96.mc.videotron.ca] has left ##openvpn [] 10:09 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 10:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 10:25 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 10:32 -!- redfox is now known as [flux]redfox 10:48 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Connection timed out] 11:02 < CaBa> # Configure server mode and supply a VPN subnet 11:02 < CaBa> # for OpenVPN to draw client addresses from. 11:02 < CaBa> # The server will take 10.8.0.1 for itself, 11:02 < CaBa> # the rest will be made available to clients. 11:02 < CaBa> why is this? 11:02 < CaBa> whats the 'local' directive for then? 11:27 -!- [flux]redfox is now known as redfox 12:03 -!- redfox is now known as [flux]redfox 12:06 -!- misterbean [n=misterbe@unaffiliated/misterbean] has quit ["Leaving"] 12:29 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 12:39 < CaBa> what are legal network/netmask combinations? 12:42 < CaBa> does openvpn only accept /24 or larger subnets? since it seems to insist on using .1 as its ip? 12:46 -!- markus_ [n=markus@nat.vpntunnel.se] has joined ##openvpn 12:53 < markus_> i have openvpn running with around 100users, i get really terrible speed in the tunnel, what can i do to improve my bandwidth in the tunnel? 
13:02 -!- c64zotte1 [n=hans@62-12-238-219.pool.cyberlink.ch] has joined ##openvpn 13:02 -!- c64zottel [n=hans@62-12-245-028.pool.cyberlink.ch] has quit [Read error: 60 (Operation timed out)] 13:13 -!- mirco [n=mirco@p54B251EE.dip.t-dialin.net] has joined ##openvpn 13:23 -!- markus_ [n=markus@nat.vpntunnel.se] has quit [Remote closed the connection] 13:28 -!- markus_ [n=markus@nat.vpntunnel.se] has joined ##openvpn 13:36 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 13:36 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has joined ##openvpn 13:46 -!- mirco [n=mirco@p54B251EE.dip.t-dialin.net] has quit [] 14:04 -!- smerz [n=daniel@smerz.demon.nl] has joined ##openvpn 14:14 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 14:15 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 14:17 -!- smerz [n=daniel@smerz.demon.nl] has quit ["Ex-Chat"] 14:43 -!- eliasp [n=quassel@HSI-KBW-085-216-038-191.hsi.kabelbw.de] has quit [Read error: 60 (Operation timed out)] 14:44 -!- fatou73 [n=aleksei@socrates.at.mt.ut.ee] has quit ["leaving"] 15:05 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 15:11 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 15:37 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has joined ##openvpn 15:46 < krzie> markus_ are you using udp? are you using tun? 15:46 < krzie> is the cpu pegged on the server? 
15:48 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:57 -!- CaBa [i=caba@unique-inter.net] has quit ["moep"]
15:59 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:04 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
16:10 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"]
16:22 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
16:29 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:37 < oc80z> hello world =)
16:40 < markus_> krzie: i'm using udp+tun
16:40 < markus_> openvpn using about 70% cpu
16:45 < markus_> ps aux | grep openvpn, says around 70% does that mean for 1 core cpu?
16:45 < markus_> can i assign openvpn to core 2,3,4 ?
16:46 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out]
16:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
16:54 -!- zamba [i=marius@flage.org] has left ##openvpn []
17:02 -!- Amjed [n=zjb@87.109.201.199] has quit []
17:06 -!- Amjed [n=zjb@93.182.133.23] has joined ##openvpn
17:08 -!- YaManicKill is now known as YaManicKill|away
17:25 -!- Amjed [n=zjb@93.182.133.23] has quit [Read error: 60 (Operation timed out)]
17:50 -!- Amjed [n=zjb@87.109.201.199] has joined ##openvpn
17:50 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
18:53 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
18:57 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:59 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
19:07 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
19:10 < krzie> markus_ check top for cpu usage
19:11 < krzie> openvpn should be taking less than openssl called by openvpn
19:11 < krzie> openvpn doesnt handle its own encryption, it uses openssl
19:17 < Dougy> hey krzee
19:17 < Dougy> krize
19:22 < krzie> sup player
19:22 < krzie> !forum
19:22 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
19:25 < krzie> there should be a part in the moderator control panel when you disapprove a post that you can delete the user in 1 click
19:25 < krzie> like a checkbox to delete user while disapproving
19:26 < Dougy> yeah itd be nice
19:26 < Dougy> dude
19:26 < Dougy> there are 45 pages in the admincp of spambots registered that didnt activate
19:26 < Dougy> on top of the tons that already do
19:26 < Dougy> krzie: bout to sell uber cheap openvz containers
19:27 < krzie> VPSs?
19:27 < Dougy> yeah
19:27 < Dougy> like $3/mo to $13/mo
19:27 < Dougy> lol
19:27 < krzie> right on
19:27 < Dougy> i think might sell.. i have the most ghetto website right now
19:27 < Dougy> circa 1995 style
19:27 < Dougy> wo0t
19:29 < krzie> heh
19:30 < krzie> 25GB BW BW
19:30 < Dougy> two BQ's?
19:30 < Dougy> BW*
19:30 * Dougy edit
19:30 < Dougy> worf
19:30 < Dougy> word *
19:30 < Dougy> fixed
19:30 < Dougy> thank ya :)
19:30 < Dougy> im working on the automation part now
19:30 < Dougy> it is fully automated.. you order.. pay.. it is set up within 90-120 seconds
19:31 < Dougy> just need to work on anti fraud mechanisms now.. because any scammer can get in and abuse now
19:32 < krzie> right on
19:32 < Dougy> yeah
19:32 < Dougy> used a bunch of the money i saved on my backup box to get this shit set up
19:32 < Dougy> built the whole box for less than 400 bones
20:16 -!- master_of_master [i=master_o@p549D770C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:20 -!- master_of_master [i=master_o@p549D4252.dip.t-dialin.net] has joined ##openvpn
20:45 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:50 -!- Guest33378|afk [n=nnnnnnnn@nat/redhat/x-1888f5440d183515] has quit [Read error: 60 (Operation timed out)]
21:35 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
21:39 < Dougy> ayo theDoc
21:39 < Dougy> what up dawg
21:40 < theDoc> Just woke up.
21:40 < theDoc> :D
22:00 -!- c64zotte1 [n=hans@62-12-238-219.pool.cyberlink.ch] has quit ["Leaving."]
22:00 < Dougy> yay
22:04 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
22:04 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
22:16 < Dougy> nvram set static_leasenum=2
22:16 < Dougy> nvram set static_leases="00:15:58:79:25:C7=DougPC=192.168.1.104 00:17:08:8F:75:98=Printer=192.168.1.103"
22:16 < Dougy> oops
22:30 * robert_ pokes krzie :P
22:40 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has joined ##openvpn
22:43 -!- [flux]redfox is now known as redfox
23:19 -!- theblue [n=lllll@unaffiliated/theblue] has joined ##openvpn
23:39 -!- JustBe` [n=tiagogom@unaffiliated/justbe/x-000001] has joined ##openvpn
23:39 < JustBe`> !logfs
23:39 < vpnHelper> JustBe`: Error: "logfs" is not a valid command.
23:39 < JustBe`> !logs
23:39 < vpnHelper> JustBe`: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
23:40 < JustBe`> !howto
23:40 < vpnHelper> JustBe`: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:40 < JustBe`> !route
23:40 < vpnHelper> JustBe`: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
23:49 < JustBe`> !redirect
23:49 < vpnHelper> JustBe`: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
23:50 < JustBe`> !topology
23:50 < vpnHelper> JustBe`: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
23:50 < JustBe`> hum
23:50 < JustBe`> none helps
23:50 < JustBe`> anyone here?
23:53 * JustBe` feels alone
--- Day changed Sun Nov 08 2009
00:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:05 -!- jreno_ [n=jreno@38.219.68.216.DED-DSL.fuse.net] has quit [Client Quit]
01:09 < robert_> hai krzee
01:33 < krzee> sup
02:04 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn
02:04 < kosmic> any ideas how one can split 1 vpn account across 2 pcs
02:05 < kosmic> can only log in to the server with one connection
02:05 < kosmic> so the other pc is fucked!
02:06 < theDoc> kosmic> Do you have access to the server?
02:06 < kosmic> thedoc, no this is an anonymizing service
02:06 < kosmic> not my personal server
02:07 < theDoc> kosmic> No then.
02:07 < theDoc> kosmic> I run anonymizing services too, if you need multiple access, we can provide that too.
02:12 < kosmic> thedoc, let me check it out
02:13 < theDoc> kosmic> what about?
02:14 < krzee> sure you can
02:14 < kosmic> the site
02:14 < krzee> the LAN needs to NAT through the client
02:14 < krzee> then they need routes to client for default route
02:14 < krzee> not a good solution normally
02:15 < theDoc> krzee> well... :P there's a reason why most providers don't permit it
02:15 < krzee> but for your needs, its a hackup that'll work
02:15 < theDoc> kosmic> My site is down at the moment due to re-design but if you want, I could hook you up with a trial account first
02:15 < krzee> theDoc, so they can sell more accounts?
02:16 < krzee> yes, you can route a lan through a single vpn connection without control over the server :-p
02:16 < theDoc> krzee> Some do that, I don't mainly because I don't really want users to be paying for one with no limits and sharing that account on multiple machines
02:17 < krzee> if you dont wanna learn what you need to (nat, routing) then you can buy more accounts
02:17 < theDoc> krzee> Of course, if they share it on their own LAN, who cares
02:17 < krzee> multiple machines, same inet connection
02:17 < theDoc> I'm more concerned about them running it on multiple machines on different connections
02:17 < krzee> this wouldnt work so good for that
02:17 < theDoc> krzee> which?
02:18 < krzee> what im telling him he can do wouldnt be very effective with remote machines opposed to lan
02:18 < theDoc> krzee> Yeah, that's about right
02:26 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: vlt, markus_, krzie, stein0, Mark21, misse-, odonata, YaManicKill|away, corretico, Piet, (+46 more, use /NETSPLIT to show all of them)
02:28 -!- Netsplit over, joins: krzee, drue, kosmic, JustBe`, theblue, xp_prg, eliasp, theDoc, master_of_master, todd_dsm (+45 more)
02:28 -!- Netsplit over, joins: phusion
02:28 < kosmic> where do you have servers, thedoc
02:28 < kosmic> what continents
02:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
02:38 < theDoc> kosmic> US based
02:39 < theDoc> We're possibly getting some in apac.
02:47 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: vlt, markus_, krzie, stein0, Mark21, misse-, odonata, |Mike|, disco-, YaManicKill|away, (+57 more, use /NETSPLIT to show all of them)
03:35 -!- Netsplit over, joins: hyper_ch, Amjed, |Mike|, ^scott^, Typone, disco-, Argafal, koin, endre, APTX|
03:35 -!- Netsplit over, joins: kala
03:36 -!- Netsplit over, joins: reid99
03:36 -!- Guest33378|afk [n=nnnnnnnn@nat/redhat/session] has joined ##openvpn
03:36 -!- scyld [n=krajcong@77-253-47-235.adsl.inetia.pl] has joined ##openvpn
03:36 -!- Netsplit over, joins: krzee, drue, phusion, kosmic, JustBe`, theblue, xp_prg, eliasp, theDoc, master_of_master (+45 more)
03:49 < YaManicKill|away> hmnmmm i can't get forwarding working through my vpn
03:49 -!- YaManicKill|away is now known as YaManicKill
03:51 < YaManicKill> actually...need to go, but will come back later with my issue, and config files/logs
03:53 < kosmic> someone sent me the private key file over email!
03:53 < kosmic> unencrypted. is this secure? i suspect its not
04:02 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has quit [Remote closed the connection]
04:16 < krzee> [05:16] i just got an iphone config file for openvpn
04:16 < krzee> they got tuntap working?
04:23 < kosmic> no
04:23 < kosmic> it was pptp
04:23 < kosmic> not openvpn
04:24 < kosmic> what do you think about the private key being sent over email?
04:24 < krzee> o
04:24 < krzee> they shouldnt even have your private key
04:24 < krzee> in most secure env
04:24 < krzee> youd generate your priv key and csr
04:24 < krzee> then then cleartext your crt to you
04:25 < krzee> priv key never xmits
04:31 < kosmic> this vpn is from hong kong
04:31 < kosmic> thats nice
04:33 < kosmic> i should be able to generate my own certs i think
05:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
05:45 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has joined ##openvpn
05:52 -!- kosmic is now known as stasi
06:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:27 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
07:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:24 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
07:32 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["Brb"]
07:37 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn
07:41 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has quit [Client Quit]
07:42 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn
07:43 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has quit [Client Quit]
07:43 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn
07:50 < Bloodhatch> Hello people, I might have a few problems related to openvpn. I am using the 2.1rc20 build and the server installed on a w2k3 quad-core system. I can ping the remote server, with a delay of 40ms average (which is good I think). I can download files through the explorer of windows on the server to my local hdd with my max download speed and I can upload from my local hdd to the server, again through the windows explorer, with my max upload
07:51 < Bloodhatch> So far so good, now when I use SVN and want to update, it goes with about 200 bytes/sec
07:53 < Bloodhatch> Does anybody in this channel have a clue of what's going on? :)
08:00 -!- c64zottel [n=hans@62-12-238-219.pool.cyberlink.ch] has joined ##openvpn
08:00 < Dougy> oi
08:01 -!- c64zottel [n=hans@62-12-238-219.pool.cyberlink.ch] has left ##openvpn []
08:59 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 104 (Connection reset by peer)]
08:59 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
09:22 < oc80z> we will help
09:58 -!- CheBuzz_ [n=CheBuzz@13-46.li.cytanet.com.cy] has joined ##openvpn
09:59 < CheBuzz_> Quick question that might be dumb: is it possible to use tap mode without setting up a bridge? I'm thinking using iptables and SNAT, or some other method?
09:59 < CheBuzz_> And still have communication between the local network and the openvpn clients?
10:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
10:14 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
10:17 < stasi> so my private vpn key has passed through the internet
10:17 < stasi> will that allow whoever intercepted the key to decrypt my communications?
10:24 -!- CaBa [n=caba@unique-inter.net] has joined ##openvpn
10:24 < CaBa> hi
10:26 < CaBa> is it possible to have one tap interface per client? and if so, how do i configure that?
10:27 < Bushmills> running one server instance per client should do.
10:29 < CaBa> hm...
10:36 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn
10:37 < networkd> Hello, is anybody around ? My situation is that I intend to have many clients but let them use the same configuration (files and certificates), I did simple configuration as in site HOWTO and it works, but if I try to connect other client with same configuration, first client gets SIGUSR1 and keeps reconnecting
10:44 < Bloodhatch> oc80z, sorry I was away. Still willing to help ;)?
11:14 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has left ##openvpn []
11:14 < Bushmills> networkd: check out the --duplicate-cn option
11:18 -!- networkd_ [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn
11:23 < networkd_> thanks Bushmills
11:23 < networkd_> It's not recommended but in my case clients are trusted so it might work
11:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
11:23 -!- CheBuzz_ [n=CheBuzz@13-46.li.cytanet.com.cy] has left ##openvpn ["Leaving"]
11:24 < Bushmills> there's transport security, and end point security. former isn't impacted. latter is under your control.
11:32 < networkd_> I think I'll tweak it in other way since I want clients to have same customized installation (with supplied certificates).. sure downloading of this install will be password-protected
11:35 < CaBa> whats the difference between using the 'server' directive and using the 'server-bridge' directive while _not_ setting up a bridge but routing the traffic to the tun interface?
11:36 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
11:38 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
11:49 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
12:03 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
12:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:11 -!- Amjed [n=zjb@87.109.201.199] has quit [Read error: 54 (Connection reset by peer)]
12:16 -!- Amjed [n=zjb@87.109.201.199] has joined ##openvpn
12:23 -!- theblue [n=lllll@unaffiliated/theblue] has quit [Read error: 60 (Operation timed out)]
12:44 -!- stasi is now known as kosmic
12:49 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
12:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
13:05 -!- networkd_ is now known as networkd
13:07 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
13:15 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer]
13:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:24 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out]
13:27 -!- bandini [n=bandini@host236-110-dynamic.41-79-r.retail.telecomitalia.it] has joined ##openvpn
13:28 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
13:44 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)]
14:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
14:45 -!- bandini [n=bandini@host236-110-dynamic.41-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
15:04 < vlt> Hello. When I reboot my v24-sp2-vpn router my openvpn connection isn't established (there's no openvpn process running at all). When I run it manually (`openvpn --config /tmp/openvpncl/openvpn.conf`) it works. How to make it start automatically?
15:11 < vlt> sorry, wrong channel ^
15:13 -!- koin [n=niko@niko-niko.co.uk] has left ##openvpn []
15:18 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn
15:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
15:43 -!- correcaminos_ [n=laguilar@201.199.12.190] has joined ##openvpn
15:44 < krzie> CaBa you dont use server-bridge in that situation
15:44 < krzie> see the manual
15:45 < CaBa> krzie: yes, i know that its written that you don't use in that situation. but i'm asking what is the difference if you do it anyway
15:48 -!- Dougy_ [n=douglas@64.18.144.2] has joined ##openvpn
15:55 < krzie> you dont
15:55 < krzie> server-bridge requires layer2 tunneling
15:55 < krzie> when you are tunneling layer3 you DONT use that directive
15:56 < krzie> thats like saying whats the difference if you use telnet to connect to ssh
16:00 -!- Dougy [n=douglas@64.18.144.2] has quit [Read error: 110 (Connection timed out)]
16:01 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 113 (No route to host)]
16:05 < Bushmills> what's the difference between a crocodile?
16:08 < krzie> a crocodile and what?
16:08 < Bushmills> just, between a crocodile
16:08 < krzie> hehe
16:08 < krzie> between a croc and NULL
16:09 < Bushmills> on land it walks, and in water, it swims.
16:09 < krzie> on land NULL , and in water it .
16:10 < Bushmills> the greener, the swimmer.
16:14 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn
16:28 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:32 -!- correcaminos__ [n=laguilar@201.199.12.190] has joined ##openvpn
16:42 < krzie> what's up correcaminos
16:42 < krzie> you have a lot of clients here
16:43 -!- correcaminos_ [n=laguilar@201.199.12.190] has quit [Connection timed out]
16:50 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)]
16:51 -!- correcaminos_ [n=laguilar@201.199.12.190] has joined ##openvpn
17:08 -!- correcaminos__ [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)]
17:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
17:32 -!- correcaminos__ [n=laguilar@201.199.12.190] has joined ##openvpn
17:33 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
17:34 -!- ^scott^ [n=scott@stthom.org] has quit [Read error: 60 (Operation timed out)]
17:34 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
17:35 < robert_> krzee, got a bit? I need some help with fix0ring my VPN :p
17:41 -!- robotti^ [i=robotti@kapsi.fi] has quit [Read error: 104 (Connection reset by peer)]
17:43 < krzie> just ask the ?, if i know it ill help but others here can as well
17:43 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
17:48 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
17:49 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
17:49 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
17:53 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn
17:54 -!- Dougy_ is now known as Dougy
17:58 -!- correcaminos_ [n=laguilar@201.199.12.190] has quit [Connection timed out]
18:20 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has quit ["Leaving"]
18:21 -!- correcaminos__ [n=laguilar@201.199.12.190] has quit [Connection timed out]
18:26 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
18:38 -!- correcaminos_ [n=laguilar@201.199.12.190] has joined ##openvpn
18:43 < krzie> robert_ ?
18:56 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
18:57 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
18:57 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)]
19:01 -!- correcaminos__ [n=laguilar@201.199.12.190] has joined ##openvpn
19:09 < robert_> sorry, lol
19:09 < robert_> got like 500 things going on at once
19:09 -!- theblue [n=lllll@unaffiliated/theblue] has joined ##openvpn
19:11 -!- reiffert changed the topic of ##openvpn to: No support for Access Server. OpenVPN 2.1rc20 is latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder !forum
19:13 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:17 -!- correcaminos_ [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)]
19:20 -!- correcaminos__ [n=laguilar@201.199.12.190] has quit ["Leaving"]
19:21 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:21 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
19:31 -!- theblue [n=lllll@unaffiliated/theblue] has quit [Client Quit]
19:54 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
20:16 -!- master_of_master [i=master_o@p549D4252.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:19 -!- master_of_master [i=master_o@p549D6207.dip.t-dialin.net] has joined ##openvpn
20:37 -!- tjz [n=tjz@bb220-255-44-209.singnet.com.sg] has joined ##openvpn
21:11 < krzie> (this is for me)
21:11 < krzie> !cofnigs
21:11 < vpnHelper> krzie: Error: "cofnigs" is not a valid command.
21:11 < krzie> !configs
21:11 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:35 -!- freaky[t] [i=alpha@88.198.215.139] has quit [Remote closed the connection]
21:46 < robert_> so anyway
21:46 < robert_> I'm back.
21:46 < robert_> for the most part.
21:48 * robert_ prods krzee :P
22:06 < robert_> krzee, http://dpaste.com/118057/
22:18 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
22:29 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:55 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn
23:02 -!- tjz2 [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
23:09 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 145 (Connection timed out)]
23:33 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
--- Day changed Mon Nov 09 2009
00:17 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has quit [Remote closed the connection]
00:19 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:47 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
00:50 -!- hyper_ch [n=hyper@41-242.1-85.cust.bluewin.ch] has joined ##openvpn
01:01 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has quit [Read error: 60 (Operation timed out)]
01:02 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has joined ##openvpn
01:58 -!- tjz2 [n=tjz@bb121-7-30-30.singnet.com.sg] has quit ["bbl"]
01:59 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:12 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
02:17 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
02:23 -!- Guest33378|afk is now known as dazo
02:52 -!- AtWork [n=a@cp849982-a.mill1.nb.home.nl] has joined ##openvpn
02:53 < AtWork> Good day all
02:55 -!- ImAtWork [n=a@84.29.237.10] has joined ##openvpn
02:56 < ImAtWork> Does anybody have time to help me with a possible OpenVPN problem? It's about a slow connection.
03:02 -!- AtWork [n=a@cp849982-a.mill1.nb.home.nl] has quit [Read error: 60 (Operation timed out)]
03:14 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
03:18 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
03:22 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:36 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:41 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
04:03 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
04:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
04:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:01 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has joined ##openvpn
05:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
05:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:05 -!- fALSO [n=falso@a81-84-230-28.cpe.netcabo.pt] has joined ##openvpn
05:05 < fALSO> hello
05:05 < fALSO> can anyone tell me if its possible to force an client to always have the same ip in the server?
05:05 < fALSO> (in openvpn, of course)
05:12 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
05:18 < ImAtWork> anybody here to help me to figure out why openvpn has slow operation speeds?
05:26 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
05:44 < dazo> ImAtWork: have you read the topic of this channel? .... "We need !logs and !configs and maybe !interface "
05:44 < dazo> !logs
05:44 < vpnHelper> dazo: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:44 < dazo> !configs
05:44 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
05:44 < dazo> !interface
05:44 < vpnHelper> dazo: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
05:46 < dazo> fALSO: just out of curiosity .... why do you need fixed IP addresses? .... it is possible to manage this though, with --client-config-dir ... having a client config for each client with the fixed IP
05:46 < fALSO> hum
05:46 < fALSO> gonna check that out
05:59 < CaBa> does openvpn ensure, that no packages for client x reach client y even if client y changes the ip of his tap/tun device to the one assigned to client x?
06:10 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
06:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
06:22 < CaBa> anyone?
06:32 -!- dollabill [n=mike@68.59.71.29] has joined ##openvpn
06:34 -!- mekwall [n=oddy@c83-249-240-6.bredband.comhem.se] has left ##openvpn ["Leaving."]
06:51 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
06:55 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:58 -!- dollabill [n=mike@68.59.71.29] has quit [Read error: 148 (No route to host)]
07:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
07:11 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:24 -!- NoFX_SBC [n=nofxsbc@200-158-219-197.dsl.telesp.net.br] has joined ##openvpn
07:26 < NoFX_SBC> hello! i try to install the openvpn-2.1_rc20 on Windows Server 2008 but when it's try to install the TAP driver give me an error: tapinstall.exe returned: 2
07:28 < NoFX_SBC> i already tried other versions/revisions, disabled driver sign, run as administrator but get same error... someone know about a workaround to this issue?
07:28 < NoFX_SBC> thanks in advance!
07:31 < NoFX_SBC> !iporder
07:31 < vpnHelper> NoFX_SBC: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:32 < NoFX_SBC> !howto
07:32 < vpnHelper> NoFX_SBC: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:38 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn
07:41 -!- hackmykack2345 [n=neil@triband-mum-59.183.3.39.mtnl.net.in] has joined ##openvpn
07:45 < hackmykack2345> hi guys .. am trying to setup OpenVPN so that multiple clients can connect to it simultaneously but seem to be hitting a roadblock .. the OpenVPN server is behind an ADSL Modem .. the first client can connect fine but subsequent clients cannot connect together .. however if i try multiple clients from the same LAN as the VPN Server they all connect fine (simultaneously) ..
07:46 < hackmykack2345> i guess my question is .. is there a problem with openvpn and Adsl modems or do i need a different modem
07:47 < hackmykack2345> or is the modem even the problem ?
07:47 < NoFX_SBC> hackmykack2345, you installed openvpn on Windows 2008?
07:51 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:03 -!- hackmykack2345 [n=neil@triband-mum-59.183.3.39.mtnl.net.in] has quit [Remote closed the connection]
08:11 < ecrist> good morning
08:13 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:10 -!- krphop_ is now known as krphop
09:10 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
09:11 -!- krphop is now known as krphop_
09:12 -!- krphop_ is now known as krphop_afk
09:12 -!- krphop_afk is now known as krphop
09:15 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
09:19 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
09:35 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:37 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out]
09:37 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
09:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:50 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out]
09:52 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
09:57 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
10:00 < CaBa> does openvpn ensure, that no packages for client x reach client y even if client y changes the ip of his tap/tun device to the one assigned to client x?
10:04 < robert_> what's a package?
10:15 < ecrist> I don't understand the question
10:15 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
10:17 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
10:27 -!- hyper_ch [n=hyper@41-242.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:34 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out]
10:48 -!- darkwind_ [n=darkwind@64.71.152.247] has joined ##openvpn
10:48 < darkwind_> Hiya folks.
10:48 < CaBa> robert_: packet, sorry
10:48 < CaBa> robert_: we use the same word for package and packet in german :P
10:49 < darkwind_> re: IPv6 & openvpn, I want to set up a IPv6 over IPv4 VPN where each client gets one IP (not a /64), over an existing IPv4 network. Clients will not need a IPv4 VPN address.
10:49 < darkwind_> Every howto I see is detailing how to set up a tunnel broker sort of setup... and looks hackish.
10:49 < darkwind_> Is there a clean way to provide IPv6 addressing (TUN?) with OpenVPN (over IPv4)?
10:52 < CaBa> ecrist: well two client connect to a openvpn server. i wonder if its possible for a client to sniff packages for another client
10:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:09 -!- ImAtWork [n=a@84.29.237.10] has quit []
11:11 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has joined ##openvpn
11:14 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
11:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:19 -!- Sebb [n=sebastia@einstein.f0o.de] has joined ##openvpn
11:19 -!- LobbyZ [n=default@lobbyzffs.com] has quit ["Free FTW"]
11:20 < Sebb> !route
11:20 < vpnHelper> Sebb: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:20 < krzee> robert_, you forgot to say what the problem is
11:21 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
11:23 < Sebb> some developers here? I just experienced the bug described in http://sourceforge.net/tracker/index.php?func=detail&aid=2793731&group_id=48978&atid=454719 - which is open since half a year, commenting out link_socket_actual_match() works but is probably not the best way to fix it, especially if --float is disabled
11:23 < vpnHelper> Title: SourceForge.net: OpenVPN: Detail: 2793731 - --float does not work with --server (at sourceforge.net)
11:24 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:29 -!- Vhozard [n=vhozard@cc1176954-a.assen1.dr.home.nl] has joined ##openvpn
11:29 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has joined ##openvpn
11:29 -!- Vhozard [n=vhozard@cc1176954-a.assen1.dr.home.nl] has left ##openvpn []
11:29 < usser> hi guys i know this is not the place to ask this question, but maybe someone knows whats wrong with my pppd config here http://pastebin.com/m41fbcbd3
11:30 < krzee> Sebb, unfortunately no
11:30 < krzee> usser, correct, wrong place
11:31 < usser> krzee, is there
pppd channel somewhere? 11:31 < krzee> no idea, i prefer good encryption 11:31 < usser> hehe 11:31 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has joined ##openvpn 11:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 11:50 -!- xp_prg [n=xp_prg3@c-98-234-218-161.hsd1.ca.comcast.net] has quit ["This computer has gone to sleep"] 11:58 -!- temba_alternativ [i=pommes@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 12:03 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:07 < ecrist> CaBa: no 12:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 12:14 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:16 < CaBa> ecrist: no what? 12:16 < CaBa> ecrist: ah, no its not possible? how is that prevented? 12:22 < ecrist> the same way as other SSL-encrypted traffic is protected. 12:23 < ecrist> how would other clients decrypt the traffic? 12:23 < CaBa> ecrist: well what happens if client x changes his tun interfaces ip to the ip of client y - will he receive packets for the other client? 12:27 < ecrist> w00t 12:27 < ecrist> 12:22 !wolfe.freenode.net NickServ set your hostname to "pdpc/supporter/professional/ecrist" 12:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:45 < CaBa> hmm... if the openvpn client doesnt clean up the routes after disconnect thats not openvpn business but the client tool around it, right? 
12:54 < ecrist> yes, if they were built with an up script 12:54 < ecrist> if they were passed in via openvpn server config, then openvpn will clean them up 13:01 -!- dazo is now known as dazo|afk 13:03 -!- mrtn [n=pisi@isabel.offline.ee] has left ##openvpn [] 13:05 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:07 < CaBa> ecrist: well it doesnt clean them all up 13:08 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:08 < CaBa> ecrist: and i wonder if thats a bug in openvpn or in my interface 13:08 < CaBa> (gui interface) 13:12 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)] 13:12 -!- rawDawg2 [n=rawDawg@99.57.58.238] has joined ##openvpn 13:17 -!- rawDawg2 [n=rawDawg@99.57.58.238] has quit [Read error: 104 (Connection reset by peer)] 13:18 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 13:26 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 110 (Connection timed out)] 13:39 < darkwind_> So.. what all can openvpn do in the realm of ipv6 over ipv4? Can it assign IPs? Can it prevent clients from talking to each other? 13:39 < reiffert> !factoids search ipv6 13:39 < vpnHelper> reiffert: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar 13:41 < robert_> krzee, I can connect to the vpn, but not any of the computers connected to the router. 
:\ 13:42 -!- Kristopher123 [n=Kristoph@65.203.132.77] has joined ##openvpn 13:43 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 13:43 < Kristopher123> I'm on a job site right now trying to configure OpenVPN on two Untangle boxes. One is at our colo (the server end) and the other is here (the client end). I'm having issues getting my IP settings right to allow a working site-to-site connection. I can go into further detail, just want to see if anyone would be interested in a challenge? Thanks! 13:44 < robert_> what's an Untangle box? 13:44 < Kristopher123> Untangle Server. http://www.untangle.com/ 13:44 < vpnHelper> Title: Open Source Network Gateway | Untangle (at www.untangle.com) 13:44 < robert_> Ah. 13:46 < robert_> Never heard of it :P 13:46 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: kala 13:48 -!- Netsplit over, joins: kala 13:49 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn 13:49 < Kristopher123> Basically, we have a Juniper router with a VLAN of 192.168.0.x. The OpenVPN Server is 192.168.0.21. I have set OpenVPN's Address Pool to 192.168.0.190. I set the Client network address to 192.168.0.191. The exported network on the server is 192.168.0.0. When the client connects, the server gives it the address of 192.168.0.5 and that can ping 192.168.0.1 (core router) but can't ping devices such as 192.168.0.4. 13:50 -!- kala [i=kala@uba.linux.ee] has quit [Connection reset by peer] 13:50 < Bushmills> Kristopher123: did you read the topic? 13:51 < Kristopher123> Yes? 13:51 < Bushmills> thus, the instruction for lans behind server don't work for you? 13:51 < Kristopher123> Oh haha, missed that line. That sucks 13:52 < Bushmills> never mind, IRC seems to be a write-only medium. 13:52 < Kristopher123> So, how do I find some help for this.
13:52 < Bushmills> !route 13:52 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:52 < Bushmills> you can copy and paste from topic, actually. 13:53 < Kristopher123> Thanks. 13:57 -!- Kristopher123 [n=Kristoph@65.203.132.77] has quit ["Leaving"] 14:01 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 14:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 14:18 < darkwind_> reiffert: Ah. I have seen that -- that's actually where my questions came from. 14:18 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 14:19 < darkwind_> It looks like the configuration file for an IPv6 setup (on the client) has a static IP configured (rather than receiving one from the server). So, can OpenVPN provide an IPv6 address automatically, or does one have to be defined for each client? 14:19 < darkwind_> Also, there was no good example of a "hermit client" setup, which is what I was really interested in seeing. 14:20 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has joined ##openvpn 14:34 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 14:36 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 14:38 < darkwind_> Any ideas on where I might find information on this? 14:45 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 15:04 < CaBa> hm...
my tun setup sets weird routes on the client 15:04 < CaBa> i cant reach the network on the server at al 15:04 < CaBa> at all 15:05 < CaBa> Bushmills: i got that internet ip setup working with tap + routing 15:05 < CaBa> Bushmills: but then i realized, tap is not very safe if you assume the clients do bad stuff 15:05 < CaBa> Bushmills: so i am trying to switch the setup to tun 15:07 < Bushmills> CaBa, do you have a suggestion how people could be encouraged to read the topic? 15:08 < CaBa> Bushmills: first of all its too long. however, i read it anyway :P 15:08 < Bushmills> did the suggestions, concerning network behind the server, not work for you? 15:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 15:08 < CaBa> Bushmills: if you were referring to "tap+routing" - i am aware that its not nice to do that 15:09 < CaBa> Bushmills: i can't even ping the server itself 15:09 < CaBa> Bushmills: i'm not even trying anything else yet 15:09 < CaBa> Bushmills: with my tap+routing setup i could reach also the internet through the server, yes. but now i am just working on server connectivity via tun 15:10 < CaBa> Bushmills: the weird thing is - the only route on my client that has the tun device as target is a route with the netmask (!) as destination 15:10 < CaBa> Bushmills: is that meant to be like that? 15:11 < Bushmills> so you have a route to, say, 255.255.255.0 ?? 15:11 < CaBa> yes 15:11 < CaBa> 255.255.255.0 114.166.40.188.vpn UH 0 0 tun0 15:11 < CaBa> in my eyes thats kinda nonsense, aint it? 15:11 < Bushmills> looks like a config error 15:12 < CaBa> client or server? 15:12 -!- NoFX_SBC [n=nofxsbc@200-158-219-197.dsl.telesp.net.br] has quit ["Saindo"] 15:12 < Bushmills> sure that 255.255.255.0 is actually the destination in route, not the netmask?
15:12 < CaBa> yes, its the destination 15:12 < CaBa> Destination Gateway Flags Refs Use Netif Expire 15:13 < CaBa> thats the column header :P 15:13 < Bushmills> server config, is my guess 15:14 < Bushmills> where it says "server subnet netmask" maybe 15:15 < CaBa> Bushmills: i'm not using that macro 15:16 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 15:16 < CaBa> Bushmills: i just sent you my replacement for the --server directive. 15:17 < CaBa> Bushmills: actually the last octet should have a .240 and not a .0 since i want to use a /28 subnet - i just replaced that for testing purposes 15:21 < Bushmills> where is the netmask in your route? 15:22 < Bushmills> do route -n instead of route. i prefer to see ip addresses rather than host names 15:23 < CaBa> Bushmills: that was netstat -r. mac os x route doesn't seem to print the routing table 15:23 < CaBa> Bushmills: however, you can see the ip from the reverse record - just read it inverse 15:24 < CaBa> its the ip the client got assigned 15:24 < Bushmills> shouldn't that be the ip address of vpn server? 15:25 < CaBa> Bushmills: where? in that route on the client? 15:25 < Bushmills> or the vpn net 15:25 < Bushmills> yes 15:26 < CaBa> Bushmills: from my understanding neither the destination nor the gateway makes sense in that route 15:26 < CaBa> Bushmills: however, i don't understand why it is created 15:26 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 15:31 < CaBa> Bushmills: did you get that link with the server config? 15:34 < Bushmills> yes. i find that rather confusing. you set server tun ip address with the ifconfig statement, but you say that same ip address is assigned to client? 
(that's the ip address i had expected as gateway in route) 15:34 < CaBa> Bushmills: no 15:34 < CaBa> 113 is the server ip 15:34 < CaBa> 114 is the one assigned to the client 15:34 < CaBa> thats all fine 15:34 < CaBa> just the route is crap 15:35 < Bushmills> i don't know what adds that route, but it looks very wrong. 15:36 < Bushmills> fix it 15:36 < CaBa> Bushmills: even without any push statement that route is set on the client 15:39 < Bushmills> change the netmask of server config ifconfig statement, look whether it has effect on client. if so, you know what causes it. 15:40 < CaBa> Bushmills: if i change the ipconfig-pool netmask then the destination of that weird route keeps up with that 15:44 < CaBa> Bushmills: if i remove that route on the client and add a route "server ip gw client ip" instead then i have contact with the server 15:46 < CaBa> Bushmills: now i fixed all the routes on the client by hand. i can now use the internet via the server without any trouble. 15:46 < CaBa> Bushmills: but that doesnt really solve the trouble... 15:51 < Bushmills> any chance that this: "When used on *nix, requires that the tun driver supports an ifconfig(8) command which sets a subnet instead of a remote endpoint IP address." (with topology subnet) is what causes the problem? 15:52 < CaBa> Bushmills: client side or server side? 15:53 < Bushmills> take your pick. client, I'd say. 15:53 < CaBa> i can't guarantee for anything on this damn os x :))) 15:54 < CaBa> however, i didnt have that problem when i used tap 15:54 < CaBa> and tap implies subnet topology 15:54 < CaBa> or however, server-bridge macro does - and i used that earlier 15:54 < CaBa> the routes on my client were set good 15:55 < CaBa> ah 15:55 < CaBa> tun driver... 15:55 < CaBa> :P 15:55 < CaBa> didnt read that warning till the end 15:59 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:03 < CaBa> Bushmills: i will try the whole stuff in my win vm...
not that the vm would make debugging more reliable :)) 16:17 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 16:18 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 16:22 < CaBa> Bushmills: i'll go to bed... windows gives me a hard time, too - client and server ip have to be in the same /30 subnet... HALLO?? what would mean to get stuck with 3 clients?? 16:22 < CaBa> whatever.. 16:22 < CaBa> i'm off ;) 16:22 < CaBa> thanks for your help 16:40 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has quit [Read error: 110 (Connection timed out)] 16:41 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has joined ##openvpn 16:46 -!- fossil- [n=collider@81.167.183.56] has joined ##openvpn 16:46 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 16:47 < fossil-> I'm a noob - when setting up openvpn should I keep my /etc/network/interfaces and /etc/hosts intact? 16:48 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Client Quit] 16:50 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 16:50 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 16:59 < reiffert> fossil-: keeping them intact alias working, yes. 16:59 < reiffert> consistent 17:04 < fossil-> reiffert: ok, thank you 17:06 < reiffert> depending on your interfaces manpage it may, or may not, give you hints about how to set up a tun or tap interface, playing with or without openvpn. 
17:06 -!- rawDawg2 [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 17:06 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 17:22 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)] 17:22 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 17:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:36 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 54 (Connection reset by peer)] 17:36 < fossil-> I downloaded openvpn and installed it (debian) - then I made a openvpn.conf under etc/openvpn - this is the contents http://pastebin.org/52295 - I also made a key.txt where I added the key in the same directory. Then I restarted openvpn. I then forwarded port 5122 both UDP/TCP to the internal IP to the machine running openvpn. 17:36 < fossil-> Now I'm unable to ping anything outside my local network. 17:36 < fossil-> What am I overlooking here, please?
17:36 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 17:40 -!- scyld [n=krajcong@unaffiliated/wasyl] has left ##openvpn [] 17:40 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Client Quit] 17:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 17:43 < Bushmills> check route on your client 17:48 -!- fALSO_ [n=falso@a81-84-230-28.cpe.netcabo.pt] has joined ##openvpn 17:48 -!- fALSO [n=falso@a81-84-230-28.cpe.netcabo.pt] has quit [Read error: 60 (Operation timed out)] 17:54 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 17:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 18:00 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 18:02 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:03 < fossil-> Trying to use manuals and get a sense for these things. I now checked my route. What I think might be wrong is the second line (first under the definitions), but I'm definitely no expert. http://pastebin.org/52302 18:03 < fossil-> I guess 128.0.0.1 is used instead of 127.0.0.1 because we dont want localhost? 18:03 < fossil-> Should the gateway for 88.80.30.2 be set to the vpn server? 18:05 < fossil-> 192.168.0.1 is my router btw. 18:06 < fossil-> I meant 128.0.0.0 18:15 < Hypnoz> you have 2 default gateways 18:16 < fossil-> ok, thank you for the lead. 18:18 < fossil-> should I use the vpn server or the local router as the default gateway? I'd like to connect to the server locally by using the internal ip address, but all traffic outside should obviously go through the vpn server. 18:24 < Bushmills> !redirect 18:24 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
18:27 < fossil-> !def1 18:27 < vpnHelper> fossil-: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 18:29 < fossil-> !man 18:29 < vpnHelper> fossil-: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 18:55 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:46 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 20:13 -!- fossil- [n=collider@81.167.183.56] has quit [Read error: 104 (Connection reset by peer)] 20:15 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 20:16 -!- master_of_master [i=master_o@p549D6207.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:16 -!- usser [n=usser@pool-70-107-125-148.ny325.east.verizon.net] has left ##openvpn ["Leaving"] 20:20 -!- master_of_master [i=master_o@p549D6175.dip.t-dialin.net] has joined ##openvpn 20:30 -!- Syamz [n=irc@node2.tatiuc.edu.my] has joined ##openvpn 20:30 < Syamz> !howto 20:30 < vpnHelper> Syamz: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:31 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 20:31 < Syamz> !logs 20:31 < vpnHelper> Syamz: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
20:32 < Syamz> !configs 20:32 < vpnHelper> Syamz: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 20:32 < Syamz> !man 20:32 < vpnHelper> Syamz: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 20:32 < Syamz> !/30 20:32 < vpnHelper> Syamz: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 20:32 < Syamz> !topology 20:32 < vpnHelper> Syamz: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 20:33 < Syamz> !iporder 20:33 < vpnHelper> Syamz: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 20:33 < Syamz> openvpn can use public ip addressing? 20:40 < Syamz> !static 20:40 < vpnHelper> Syamz: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 20:40 < Syamz> !ccd 20:40 < vpnHelper> Syamz: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 20:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 20:58 -!- freaky[t]_ is now known as freaky[t] 21:17 -!- Syamz [n=irc@node2.tatiuc.edu.my] has quit [] 21:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 21:22 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: JyZyXEL, sno, Piet, mrnice1, drue 21:24 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn 21:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 21:24 -!- sno [n=sno@85-10-202-144.clients.your-server.de] has joined ##openvpn 21:24 -!- Netsplit over, joins: JyZyXEL 21:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 21:47 -!- mrnice1 [i=bouncer@77.244.250.141] has joined ##openvpn 21:48 -!- mrnice1 [i=bouncer@77.244.250.141] has left ##openvpn [] 21:48 -!- mrnice1 [i=bouncer@77.244.250.141] has joined ##openvpn 22:27 -!- hyper__ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn 22:27 -!- hyper_ch [n=hyper@adsl-84-226-13-237.adslplus.ch] has quit [Nick collision from services.] 22:27 -!- hyper__ch is now known as hyper_ch 22:39 -!- Syamz [n=noc@203.82.79.108] has joined ##openvpn 22:39 < Syamz> hello, i having some problem, i cant install TAP-Win32 Adapter V8 , "an error occurred installing the TAP-Win32 device driver" 22:39 < Syamz> what i must do? 23:28 < robert_> you're not an admin. simple. 
23:33 -!- Syamz [n=noc@203.82.79.108] has quit [Read error: 110 (Connection timed out)] 23:42 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:43 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 23:44 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn --- Day changed Tue Nov 10 2009 00:20 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:26 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 00:29 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection] 00:37 -!- dmz [n=dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has quit ["Ex-Chat"] 00:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 01:20 -!- dazo|afk is now known as dazo 01:45 -!- mekwall [n=oddy@83.249.242.68] has joined ##openvpn 01:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 01:50 -!- hyper_ch [n=hyper@128-125.79-83.cust.bluewin.ch] has joined ##openvpn 01:53 -!- mekwall [n=oddy@83.249.242.68] has quit [Read error: 60 (Operation timed out)] 01:56 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn 02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:30 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has left ##openvpn ["Leaving."] 03:12 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:13 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 03:20 < CaBa> hi 03:36 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has joined ##openvpn 03:38 < sakhi> I need to implement Openvpn server for different branch offices, is it possible to have the OpenVPN server centralised? 
03:42 < fALSO_> hello 03:42 < fALSO_> imagine that in my work i have the network 192.168.1.* and at my home too 03:42 < fALSO_> to have a vpn between them 03:43 < fALSO_> i have to change the network of one of them right? 03:45 < Bushmills> sakhi: openvpn based topologies are always "star" like, requiring the clients to connect to - and talk through - server. 03:46 < Bushmills> but for multiple branches, you're likely to use multiple servers. 03:47 < sakhi> Bushmills: thanks, I will do more research on it and I would really appreciate assistance in a form of useful links. I was thinking of having multiple servers for the branches it also decentralises the single point of failure. 03:49 < Bushmills> multiple servers are possible, so clients fall back to another when one is down. 03:49 < sakhi> yep 03:51 < Bushmills> !remote 03:51 < vpnHelper> Bushmills: Error: "remote" is not a valid command. 03:51 < Bushmills> hm 03:51 < Bushmills> !man remote 03:51 < vpnHelper> Bushmills: Error: "man" is not a valid command. 03:52 < Bushmills> well, look at man page, where --remote is described, and where it says "The client will move on to the next host in the list, in the event of connection failure. Note that at any given time, the OpenVPN client will at most be connected to one server." 03:53 < sakhi> aptitude install remote 03:54 < Bushmills> no. remote is a configuration option for openvpn clients. 04:09 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn 04:26 * dazo is reading scrollback 04:26 < dazo> Bushmills: why multiple servers? 04:26 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 04:27 * dazo revokes that question .... " so clients fall back to another when one is down." 04:27 < dazo> !factoids search remote 04:27 < vpnHelper> dazo: No keys matched that query. 04:28 < dazo> fALSO_: you're in deep troubles with such setups .... using 192.168.[01]/24 nets in general is highly discouraged ....
just of the reason you state above 04:29 < fALSO_> so... whats the recommended networks? 04:29 < fALSO_> like, for example 04:29 < fALSO_> which ips should i use at home? 04:30 < dazo> fALSO_: 192.168.3 :-P ... anything within the private ranges, except 192.168.[01]/24... as most routes use these ranges as default ranges ... you will sooner or later get a conflict with this range 04:31 < Bushmills> rnd() { echo $(($RANDOM % 254)) ; } ; echo 10.$(rnd).$(rnd).0 04:33 < Bushmills> rnd() { echo $(($RANDOM % 255)) ; } ; echo 10.$(rnd).$(rnd).0 # actually 04:33 < fALSO_> heheh 04:33 < fALSO_> so something like 04:33 < fALSO_> 10.10.10.0 04:33 < dazo> fALSO_: you have the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 networks which are the private ranges .... pick a /24 in one of these ranges (which don't collide with other known networks you have), and you'll mostly be safe 04:33 < fALSO_> ok 04:33 < fALSO_> thanks for all your help 04:33 < fALSO_> ill change at home 04:33 < dazo> np! 04:34 < fALSO_> but at work, it will continue to be 192.168.1.0 04:34 < fALSO_> dont want to have the trouble to change all of this 04:34 < fALSO_> hehe 04:34 < dazo> fALSO_: if you deploy more VPN clients .... this will bite back 04:34 < fALSO_> the problem is this 04:34 < dazo> (for other employees, that is) 04:34 < fALSO_> the network connection that we have t work 04:34 < fALSO_> at 04:34 < fALSO_> doesnt allow portforwards 04:35 < fALSO_> so ill have to do the otherway 04:35 < fALSO_> openvpn server at HOME 04:35 < fALSO_> and client at WORK 04:35 < dazo> aha 04:35 < fALSO_> hehehehe ;-) 04:35 < fALSO_> to be able to access work machines at home 04:35 < dazo> bittorrent quicker at work? ;-) :-P 04:36 < fALSO_> nah 04:36 < fALSO_> need sometimes to do quick fixes on code 04:36 < fALSO_> etc 04:36 < fALSO_> i have a better connection at home ;-) 04:36 < dazo> heh 04:36 < fALSO_> 24mbits download and 1mbit upload 04:36 < dazo> that works 04:37 * dazo thinks back 10 years ago ...
and the joy of the speed when the line was upgraded ... to 256kbit :-P
04:38 < fALSO_> heheheheheehe
04:49 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)]
05:00 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
05:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:22 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has joined ##openvpn
05:37 < sakhi> 12:27 * dazo revokes that question .... " so clients fall back to another when one is down."
05:37 < sakhi> dazo: is that possible?
05:37 < dazo> sakhi: if you list more --remote options to the client, then yes
05:38 -!- theDoc [n=hex@69.10.59.166] has joined ##openvpn
06:11 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has quit [Read error: 60 (Operation timed out)]
06:19 -!- dollabill [n=mike@c-68-59-71-29.hsd1.fl.comcast.net] has quit [No route to host]
06:28 < CaBa> Bushmills: switched from tunnelblick to viscosity - now the routes are set good
06:50 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:00 -!- dazo [n=nnnnnnnn@nat/redhat/x-fxkpfxklotvnsbfi] has quit [Read error: 104 (Connection reset by peer)]
07:00 -!- dazo [n=nnnnnnnn@nat/redhat/x-dlxvwuvkxkzfovds] has joined ##openvpn
07:01 -!- dazo [n=nnnnnnnn@nat/redhat/x-dlxvwuvkxkzfovds] has quit [Remote closed the connection]
07:01 -!- dazo [n=nnnnnnnn@nat/redhat/x-dvjyiyhecggvbzmo] has joined ##openvpn
07:02 -!- dazo is now known as Guest45852
07:02 -!- Guest45852 is now known as dazo
07:05 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
07:10 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn
07:11 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has left ##openvpn ["Leaving."]
07:17 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:27 -!- dunc [n=dunc@fenchurch.sandown.ipv6.braddon.org.uk] has joined ##openvpn
07:31 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
07:32 -!- NoFX_SBC [n=nofxsbc@200-158-219-197.dsl.telesp.net.br] has joined ##openvpn
07:46 -!- waKKu [n=vakku@unaffiliated/wakku] has joined ##openvpn
07:46 < waKKu> hi folks ;)
07:47 < waKKu> I'm wondering about setting up a load-balanced firewall on my network.. but I'm stuck on how to make openvpn work in this scenario..
07:48 < waKKu> as I'll have 2 virtual internal IPs, so half the LAN will point to vIP1 and the other half to vIP2...
07:50 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
07:51 < ecrist> just run two different server daemons, one per IP
07:53 < waKKu> ecrist but i'll need to establish two connections per client, right ?
07:53 < waKKu> client will connect to server1 and server2, both with the same internal LAN
07:55 < ecrist> no, they should connect to one server, at random
07:56 < waKKu> ecrist ok.. but folks inside the LAN (at the server network) pointing to the second gateway won't reach this client
07:57 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
08:09 < waKKu> !redirect
08:09 < vpnHelper> waKKu: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:11 < waKKu> !def1
08:11 < vpnHelper> waKKu: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:12 -!- dunc [n=dunc@fenchurch.sandown.ipv6.braddon.org.uk] has quit [Read error: 113 (No route to host)]
08:13 -!- Irssi: ##openvpn: Total of 75 nicks [0 ops, 0 halfops, 0 voices, 75 normal]
08:20 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
08:22 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:22 < waKKu> ok folks.. something like this is what i'm trying to achieve.. is it possible? http://img690.imageshack.us/img690/9999/openvpn.jpg
08:24 < ecrist> waKKu: what about it? can it be done? sure. has nothing to do with OpenVPN. I currently have that setup at my office with two FreeBSD+pf machines as our core firewalls
08:25 < sakhi> yep same here it's possible
08:25 < waKKu> ecrist sakhi with two active/active firewalls ?
08:25 < sakhi> was just about to ask why you have two active firewalls?
08:26 < waKKu> sakhi HA (there is a second internet link there too... but i didn't draw it, to keep it simple)
08:27 < ecrist> waKKu: it's still all outside of OpenVPN
08:27 < waKKu> ecrist you mean... it's off-topic and I should stop talking here?
08:28 < ecrist> yes, sort of. first, you haven't really asked a question, and second, it has nothing to do with OpenVPN.
08:29 < arcsky> is it possible that my server conf can send a route to the client? so the client doesn't need to add it manually every time
08:29 < ecrist> yes
08:29 < ecrist> !man
08:29 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:29 < ecrist> !route
08:29 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:29 < arcsky> push route didnt work
08:30 < ecrist> arcsky: those are for you
08:30 < ecrist> push route should work if you do it right
08:31 < arcsky> ok
08:40 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:49 -!- fALSO_ [n=falso@a81-84-230-28.cpe.netcabo.pt] has left ##openvpn []
08:51 -!- LowKey [i=rhel@72.20.2.134] has joined ##openvpn
08:51 < LowKey> !howto
08:51 < vpnHelper> LowKey: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
08:51 < LowKey> !man
08:51 < vpnHelper> LowKey: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
08:51 < LowKey> !iporder
08:51 < vpnHelper> LowKey: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
08:55 < LowKey> !configs
08:55 < vpnHelper> LowKey: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:21 -!- jeiworth [n=jeiworth@189.234.8.199] has joined ##openvpn
09:24 -!- nietoyface [i=a1c4378f@gateway/web/freenode/x-jgetxsusndkbgjhv] has joined ##openvpn
09:32 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn
09:37 -!- nietoyface [i=a1c4378f@gateway/web/freenode/x-jgetxsusndkbgjhv] has left ##openvpn []
09:43 -!- hyper_ch [n=hyper@128-125.79-83.cust.bluewin.ch] has quit [Remote closed the connection]
09:45 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:46 < dunc_> hi folks, i've been reading about the reneg options for how long before rekeying, and have learned how it is based on whoever is set lowest. is there any way to totally disable rekeying just by tweaking the server, or must i tweak all client configs?
09:48 < dazo> dunc_: all client configs need to be modified as well .... you really can't disable the OpenVPN rekeying easily
09:48 < dazo> dunc_: you're concerned about the current CVE?
09:49 < dunc_> yes :)
09:49 < dunc_> we're wondering about installing the openssl patch that disables renegotiation, but wondering how much this will break our openvpns
10:05 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 145 (Connection timed out)]
10:09 < LowKey> hello, someone help me : http://pastebin.com/m37ec0bcc
10:12 < CaBa> is there any gui that does not require editing the config file for windows? such as viscosity for mac os?
10:16 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 110 (Connection timed out)]
10:20 < dunc_> LowKey, the first line with the word "error" in it tells you the problem
10:20 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
10:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
10:25 < LowKey> already fixed the first line error
10:25 < LowKey> still cannot connect to the vpn
10:31 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:31 -!- waKKu [n=vakku@unaffiliated/wakku] has left ##openvpn []
10:32 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 104 (Connection reset by peer)]
10:36 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
10:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:42 -!- buntfalke_ [n=nobody@openvpn-tcp-012.triple-a.uni-kl.de] has joined ##openvpn
10:44 -!- jeiworth [n=jeiworth@189.234.8.199] has quit [Read error: 60 (Operation timed out)]
10:49 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn
10:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:57 -!- jeiworth [n=jeiworth@189.234.8.199] has joined ##openvpn
11:02 -!- jeiworth_ [n=jeiworth@189.177.221.123] has joined ##openvpn
11:07 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
11:15 -!- jeiworth [n=jeiworth@189.234.8.199] has quit [Success]
11:19 -!- le0 [n=tehfin@82.132.139.188] has joined ##openvpn
11:19 -!- le0 [n=tehfin@82.132.139.188] has quit [Read error: 104 (Connection reset by peer)]
11:26 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection]
11:29 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: mrnice1
11:31 -!- Netsplit over, joins: mrnice1
11:31 -!- mrnice1 [i=bouncer@77.244.250.141] has left ##openvpn []
11:31 -!- mrnice1 [i=bouncer@77.244.250.141] has joined ##openvpn
11:33 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn
11:39 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: mrnice1
11:41 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn
11:41 < networkd> Hello, any news about a port for iPhone ?
11:41 < networkd> ..client
11:42 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:49 -!- ptotterm [i=ptman@puro.fixme.fi] has joined ##openvpn
11:50 < ptotterm> does openvpn do some kind of reliable transport over udp, or not?
11:53 -!- lietu [n=lutka@dungeon.of.lietu.net] has joined ##openvpn
11:53 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
11:55 < lietu> hi.. any ideas on how to get the openvpn client to work on windows 7 64bit? ... I'm stuck at "All TAP-Win32 adapters on this system are currently in use.", I've installed in Vista sp2 compatibility mode with admin privileges and am running openvpn gui with the same settings, tried to create several TAP interfaces and it says "CreateFile failed on TAP device: ..." on each of them. also some guides say that you should check the devices in the network ...
11:55 < lietu> ... adapters control panel page, but I can't find any there
11:58 < lietu> ipconfig can see them though... could this have anything to do with the fact that I have a 192.168.1. net at home and the same net is used at the other end?
12:01 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection]
12:05 < Bushmills> no, shouldn't matter, if you give your vpn net a different address range. you'll have problems talking to clients on the other site, but that won't prevent the interface from coming up.
12:05 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn
12:07 < lietu> hmm
12:10 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection]
12:14 -!- IcyPolecat [n=IcyPolec@vm1.rubicon.je] has quit [Remote closed the connection]
12:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
12:23 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn
12:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:47 < krzee> [11:49] we're wondering about installing the openssl patch that disables renegotiation, but wondering how much this will break our openvpns
12:47 < krzee> whoa, why would you ever even consider that!?
12:49 < dunc_> because that was the quick fix for the ssl renegotiation problem until they implement an extension
12:49 < krzee> ahh, got link?
12:50 < dunc_> with default values it would just cause the vpn to bounce once an hour AFAICS
12:50 < dunc_> although I just tried it out on a test box and it doesn't do that, so I'm missing something somewhere
12:51 < dunc_> http://www.links.org/
12:51 < vpnHelper> Title: Links (at www.links.org)
12:51 < dunc_> the last 2 posts
12:52 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:53 < dunc_> we're wondering if openvpn doesn't actually use renegotiation at all and does something else instead but i don't understand how it works enough to know
12:54 < krzee> unfortunately neither do i
12:54 < krzee> prolly a good conversation for the dev maillist
12:54 < dunc_> i guess so
12:55 < dunc_> i've got verb turned up to 11 and can see some SSL hello packets, which is what you're supposed to see for a reneg apparently
12:56 < dunc_> am going to ask ben if he thinks that's what's going on when he's around again
13:26 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
13:44 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
13:48 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out]
13:54 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
13:57 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
13:59 -!- dazo is now known as dazo|afk
13:59 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
14:04 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
14:05 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
14:07 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)]
14:07 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:17 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
14:22 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 113 (No route to host)]
14:22 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Success]
14:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
14:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
14:36 -!- eliasp_ [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Connection timed out]
14:39 < NoFX_SBC> has anyone already installed openvpn on a HVM windoze? is it needed to add another nic to the instance config? thanks in advance!
14:41 < ecrist> HVM?
15:05 < NoFX_SBC> ecrist it's a fully virtualized machine
15:06 < NoFX_SBC> ecrist running windows 2008. when i try to install openvpn, tapinstall.exe gives me an error "tapinstall.exe returned error: 2"
15:06 < ecrist> *shrug*
15:06 < ecrist> no idea what that means
15:06 * ecrist goes home
15:06 < NoFX_SBC> ecrist thx
15:21 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."]
15:24 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
15:48 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
15:49 -!- Amjed [n=zjb@87.109.201.199] has quit [Read error: 104 (Connection reset by peer)]
15:51 -!- Whtsup [n=sssi@WimaxUser374-58.wateen.net] has joined ##openvpn
15:53 < Whtsup> hello
15:53 < Whtsup> anyone alive
15:58 -!- NoFX_SBC [n=nofxsbc@200-158-219-197.dsl.telesp.net.br] has quit ["Saindo"]
16:00 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
16:13 -!- MadTBone__ [n=MadTBone@mail2.msmnyc.edu] has joined ##openvpn
16:19 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
16:23 -!- jeiworth [n=jeiworth@189.234.76.92] has joined ##openvpn
16:30 -!- MadTBone_ [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 113 (No route to host)]
16:39 -!- jeiworth_ [n=jeiworth@189.177.221.123] has quit [Connection timed out]
16:40 < Dougy> ecrist: hvm is qemu
16:42 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
16:58 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
17:33 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has quit ["Leaving"]
17:49 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
17:50 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
17:50 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
17:55 -!- MadTBone__ [n=MadTBone@mail2.msmnyc.edu] has quit [Remote closed the connection]
17:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:12 -!- Ciccio [n=francesc@93-40-109-17.ip38.fastwebnet.it] has joined ##openvpn
18:12 < Ciccio> hi
18:14 < Ciccio> I'm seeing strange behavior, I had a working openvpn server but now it seems to have stopped working and I can't understand why...
18:14 < Ciccio> I can open the vpn tunnel but then no ping, no way to reach the server even with the internal or tun ip...
18:15 < Ciccio> even from the server there's no way to ping the client...
18:29 < krzie> look at logs and see what's going on on both sides when you try to connect
18:29 < krzie> on both sides
18:30 -!- JustBe` [n=tiagogom@unaffiliated/justbe/x-000001] has quit [Read error: 110 (Connection timed out)]
18:31 < Dougy> grr
18:31 < Dougy> someone from in here is pming me
18:51 -!- jeiworth [n=jeiworth@189.234.76.92] has quit [Read error: 110 (Connection timed out)]
18:59 -!- Ciccio [n=francesc@93-40-109-17.ip38.fastwebnet.it] has quit [Read error: 113 (No route to host)]
19:13 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:57 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
19:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:15 -!- Whtsup [n=sssi@WimaxUser374-58.wateen.net] has quit []
20:23 -!- master_of_master [i=master_o@p549D6175.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
20:25 -!- master_of_master [i=master_o@p549D5F35.dip.t-dialin.net] has joined ##openvpn
20:32 -!- jeiworth [n=jeiworth@189.163.144.187] has joined ##openvpn
20:48 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:01 -!- jeiworth [n=jeiworth@189.163.144.187] has quit [Read error: 110 (Connection timed out)]
21:24 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
21:33 < rawDawg> anyone get this working on win7?
21:33 < Dougy> get what
21:34 < rawDawg> ovpn clients
21:34 < Dougy> !win7
21:34 < vpnHelper> Dougy: "win7" is http://openvpn.net/beta/openvpn-2.1_rc15e-install.exe for a fixed installer for win7
21:34 < Dougy> hm
21:34 < rawDawg> or server for that matter
21:34 < Dougy> so rc15+ should work
21:34 < Dougy> what's the issue
21:34 < rawDawg> no issue
21:34 < rawDawg> i havent tried it yet
21:34 < rawDawg> just wondering
21:34 < Dougy> yes im sure many people have done
21:35 < rawDawg> cool
21:35 < rawDawg> how bout 64bit?
21:35 < Dougy> not a clue
21:35 < Dougy> if all else fails
21:35 < Dougy> !forum it
21:35 < vpnHelper> Dougy: Error: "forum" is not a valid command.
21:35 < Dougy> o.o
21:35 < Dougy> !forum
21:35 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
21:36 < Dougy> there
21:36 < Dougy> forum it if you dont get a response here
21:36 < Dougy> ok
21:36 < Dougy> sleep
21:36 < rawDawg> good idea
21:36 < rawDawg> gn thx
22:03 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
22:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
22:16 -!- robert_ [n=hellspaw@objectx/robert] has quit [Read error: 104 (Connection reset by peer)]
22:34 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:43 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
23:12 -!- ericvw [n=ericvw@trenton.eecs.umich.edu] has joined ##openvpn
23:16 < ericvw> Hello, I am trying to set up a client-to-client connection with a friend of mine so that we can play a game over openvpn. We are both able to connect, but it appears that we are unable to see one another. My config files are located here: http://dpaste.com/118998/
23:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:44 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
--- Day changed Wed Nov 11 2009
00:09 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
00:30 -!- jeiworth [n=jeiworth@189.163.144.187] has joined ##openvpn
00:48 -!- Mjolinor [n=Mjolinor@62.169.209.213] has joined ##openvpn
01:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:14 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: bytesaber, Rolybrau, robotti^, ^scott^
01:15 -!- Netsplit over, joins: robotti^
01:15 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection]
01:22 -!- Mjolinor [n=Mjolinor@62.169.209.213] has quit ["Leaving"]
01:49 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
01:56 -!- jeiworth [n=jeiworth@189.163.144.187] has quit [Read error: 110 (Connection timed out)]
02:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
02:06 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
02:06 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
02:07 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:07 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
02:08 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:09 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
02:46 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:46 -!- reber [n=reber@78.251.250.8] has joined ##openvpn
02:46 < reber> hi all
03:01 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
03:02 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:03 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
03:03 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Client Quit]
03:07 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
03:11 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
03:11 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
03:16 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
03:36 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
03:36 < robert_> moo.
03:49 -!- hyper_ch [n=hyper@95-110.107-92.cust.bluewin.ch] has joined ##openvpn
03:55 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
03:58 -!- dazo|afk is now known as dazo
03:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
03:59 -!- dazo [n=nnnnnnnn@nat/redhat/x-dvjyiyhecggvbzmo] has quit [Remote closed the connection]
04:00 -!- dazo [n=nnnnnnnn@nat/redhat/x-umqmcvmtsljhrmyv] has joined ##openvpn
04:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
04:44 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
04:54 -!- dazo [n=nnnnnnnn@nat/redhat/x-umqmcvmtsljhrmyv] has quit ["Getting off stoned server - dircproxy 1.2.0"]
04:54 -!- dazo [n=nnnnnnnn@nat/redhat/x-ewqzqrxmbfwhgbnp] has joined ##openvpn
04:55 -!- dazo is now known as Guest31792
04:58 -!- Guest31792 is now known as dazo
04:58 -!- dazo is now known as Guest32995
05:03 -!- Guest32995 is now known as dazo
05:04 -!- dazo is now known as Guest38831
05:08 -!- Guest38831 is now known as dazo
05:08 -!- dazo is now known as Guest96718
05:13 -!- Guest96718 is now known as dazo
05:14 -!- dazo is now known as Guest4809
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:18 -!- Guest4809 is now known as dazo
05:18 -!- dazo is now known as Guest50689
05:23 -!- Guest50689 is now known as dazo
05:24 -!- dazo is now known as Guest41799
05:28 -!- Guest41799 is now known as dazo
05:28 -!- dazo is now known as Guest620
05:32 -!- Guest620 is now known as dazo
05:33 -!- dazo is now known as Guest15109
05:38 -!- Guest15109 is now known as dazo
05:38 -!- dazo is now known as Guest2957
05:42 -!- Guest2957 is now known as dazo
05:43 -!- dazo is now known as Guest31302
05:48 -!- Guest31302 is now known as dazo
05:48 -!- dazo is now known as Guest85157
05:53 -!- Guest85157 is now known as dazo
05:54 -!- dazo is now known as Guest81860
05:58 -!- Guest81860 is now known as dazo
05:58 -!- dazo is now known as Guest70885
06:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:02 -!- Guest70885 is now known as dazo
06:03 -!- dazo is now known as Guest67060
06:08 -!- Guest67060 is now known as dazo
06:17 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
06:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
06:26 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
06:37 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
07:03 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:04 -!- dazo is now known as dazo|afk
07:04 -!- dazo|afk [n=nnnnnnnn@nat/redhat/x-ewqzqrxmbfwhgbnp] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"]
07:07 -!- zz_dazo [n=dazo@nat/redhat/x-vhasmvsuqrrivosy] has joined ##openvpn
07:07 -!- zz_dazo is now known as dazo
07:07 -!- dazo is now known as Guest54249
07:10 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
07:15 -!- hsch [n=hsch@wbs-41-208-224-238.wbs.co.za] has joined ##openvpn
07:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:18 < hsch> hi - I want to change my vpn network so that I have 2 subnets. 10.97.97.0/24 for the data machines and one for admin 10.97.0.0/24. admin must be able to see the data machines but not the other way around. and the data machines are not allowed to see each other. I have the two networks but my iptables or routing is failing me. any advice
07:23 -!- Guest54249 [n=dazo@nat/redhat/x-vhasmvsuqrrivosy] has quit ["ZNC - http://znc.sourceforge.net"]
07:24 -!- zz_dazo [n=dazo@nat/redhat/x-kankqyqhdmiukaps] has joined ##openvpn
07:24 -!- zz_dazo is now known as dazo
07:24 -!- dazo is now known as Guest81578
07:27 -!- Guest81578 [n=dazo@nat/redhat/x-kankqyqhdmiukaps] has quit [Client Quit]
07:30 -!- zz_dazo [n=dazo@nat/redhat/x-jpsslvfluhguontt] has joined ##openvpn
07:30 -!- zz_dazo is now known as dazo
07:30 -!- dazo is now known as Guest18862
07:31 -!- Guest18862 [n=dazo@nat/redhat/x-jpsslvfluhguontt] has quit [Client Quit]
07:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
07:39 -!- dazo|h [n=dazo@nat/redhat/x-nniqhauwowgzbgai] has joined ##openvpn
07:44 -!- dazo|h [n=dazo@nat/redhat/x-nniqhauwowgzbgai] has quit ["Leaving"]
07:45 -!- dazo [n=dazo@nat/redhat/x-vzstbnsrwoorjnqe] has joined ##openvpn
07:45 < ecrist> hsch: if your admin can see the data machines, they can see the admin
07:45 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn
07:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:47 < Bloodhatch> hello people
07:47 < Bloodhatch> does anybody know what can cause slow transfer speeds while using openvpn?
07:47 < hsch> the vpn server is 10.97.97.1 10.97.98.1
07:47 < hsch> vpn data client is 10.97.97.3
07:48 < hsch> 10.97.98.3
07:48 < hsch> no I want to create a second subnet on the vpn
07:49 < hsch> now I want to create a second subnet with users 10.97.0.1 10.97.0.2
07:49 < ecrist> ok, so do it
07:49 < ecrist> I don't know what your question is
07:49 < hsch> and 10.97.0.1 10.97.0.2 must be able to see 10.97.97.3 10.97.98.3
07:49 < ecrist> Bloodhatch: all kinds of things.
07:49 < ecrist> can you elaborate?
07:51 < hsch> but I can't get 10.97.0.1 to see 10.97.97.3
07:51 < Bloodhatch> Ok, I've installed the latest build of openvpn on a w2k3 server machine. When I connect with a client (only have tested with windows yet) to the server I have a 20-40ms average ping but the file transfers are extremely slow. With extremely slow I mean speeds of <1kb/s
07:53 < Bloodhatch> I have pinged the openvpn with "ping -f -l 1472" and received the packets. So that should be fine, right?
07:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:05 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:06 < Bloodhatch> Do you need more information?
08:06 < Bloodhatch> @ ecrist
08:09 < ecrist> Bloodhatch: see here
08:09 < ecrist> !mtu
08:09 < vpnHelper> ecrist: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
08:09 < ecrist> try that
08:09 < Bloodhatch> Ok, one moment.
08:14 < Bloodhatch> NOTE: Empirical MTU test completed [Tried,Actual] local->remote=[1589,1589] remote->local=[1589,1429]
08:14 < Bloodhatch> @ ecrist
08:15 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:18 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
08:18 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn
08:37 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
08:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
08:58 -!- mekwall [n=oddy@83.249.242.68] has joined ##openvpn
08:59 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
09:00 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
09:14 -!- mekwall [n=oddy@83.249.242.68] has quit [Read error: 54 (Connection reset by peer)]
09:19 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn
09:20 -!- krphop [n=krphop@38.108.177.113] has quit ["Leaving"]
09:22 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
09:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:25 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
09:31 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
09:38 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 60 (Operation timed out)]
09:43 -!- alice|wl [n=helo@notomorrow.de] has joined ##openvpn
09:44 -!- bodom [n=bodom@2001:470:1f0a:ac0:0:0:1:2] has joined ##openvpn
09:44 < bodom> Hi there
09:44 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:44 < bodom> i got issues trying to connect to anonet, may somebody help me?
09:45 < alice|wl> hi, I have a server with an ipv6 address via tunnel. My laptop is connected to the server with a tun using certs. how do I get ipv6 on the client?
09:54 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn
09:55 < joel_> hi, if i want the openvpn client to execute a script after it gets connected, how would i accomplish that?
09:55 < joel_> is there some "post-up" or something?
09:55 < bodom> alice|wl: is the ipv6 address on the network interface or on the tunneled interface?
09:56 < bodom> joel_: yes, there is, but I don't know where
09:57 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
09:57 < dazo> joel_: look for --client-connect .... or something like that
09:57 < dazo> joel_: it's very well documented in the man pages for OpenVPN
09:57 < bodom> joel_: should be --up
09:58 < dazo> yup, that's the one
09:58 < bodom> joel_: check --up-delay, --down --down-pre and --up-restart too
09:58 < dazo> joel_: on the client side it is --up and --down .... on the server side, it is --client-connect and --client-disconnect
09:58 < bodom> joel_: maybe you'll find them useful
09:59 < joel_> thank you very much
09:59 < bodom> you're welcome
10:01 < dazo> alice|wl: afaik, openvpn does not support IPv6 with tun .... you'll probably need to use tap ... unless you've got a patched openvpn. There is a proposed IPv6 patch, but I don't recall if that was on accepting connections via IPv6, or if it was IPv6 in the tunnel
10:01 < dazo> (as tun)
10:02 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:05 < alice|wl> bodom: the server has a tun interface with clients and a sit interface with the ipv6
10:06 < alice|wl> that's because tun is layer 3 and tap is layer 2? I still confuse all that stuff (:
10:06 < dazo> alice|wl: tun is IP only, while tap will transfer ethernet frames directly over the tunnel .... so tun will only work with TCP/IP traffic
10:07 < dazo> (and for now, only IPv4)
10:07 < alice|wl> can you recommend a way to connect my laptop with public ipv6 via my server?
10:07 * dunc_ does it 10:08 < dunc_> tun-ipv6 10:08 < dunc_> lets u put ipv6 down your tunnel 10:08 * dazo didn't know about that module 10:09 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 10:09 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 10:15 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 10:15 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 10:15 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 10:15 -!- hyper__ch [n=hyper@173-95.107-92.cust.bluewin.ch] has joined ##openvpn 10:15 -!- hyper_ch [n=hyper@95-110.107-92.cust.bluewin.ch] has quit [Nick collision from services.] 10:15 -!- hyper__ch is now known as hyper_ch 10:25 < alice|wl> Options error: --tun-ipv6 cannot be used with --mode server 10:27 -!- mort_gib [n=mjensen@83.36.63.16] has joined ##openvpn 10:30 -!- hyper_ch [n=hyper@173-95.107-92.cust.bluewin.ch] has quit [Remote closed the connection] 10:31 < alice|wl> what a pitty 10:38 -!- bodom [n=bodom@2001:470:1f0a:ac0:0:0:1:2] has left ##openvpn ["Sto andando via"] 10:39 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 10:47 < alice|wl> so I have to use a tun interface for every v6 tunnel 10:54 * ecrist suggests tap and then you can push anything you want 10:56 -!- Bloodhatch [n=a@ip4da62b32.direct-adsl.nl] has left ##openvpn [] 11:02 < alice|wl> I m triing to figure out how to setup the tap 11:03 < alice|wl> server 10.33.0.0 255.255.255.0 11:03 < alice|wl> seems not to make sense now anymore 11:06 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 11:08 < alice|wl> ah, client should use tap too %) 11:08 < dunc_> :) 11:10 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:11 < lietu> what the... I just posted a topic on ovpnforum.com under installation help, but it didn't appear in the list at all 11:13 < alice|wl> but no ping yet. 
the tap interfaces have different ips now ... 11:15 < lietu> oh, didn't read, "will need to be approved by a moderator" 11:17 -!- jeiworth [n=jeiworth@189.177.26.138] has joined ##openvpn 11:17 -!- jeiworth [n=jeiworth@189.177.26.138] has quit [Read error: 104 (Connection reset by peer)] 11:19 -!- jeiworth [n=jeiworth@189.177.26.138] has joined ##openvpn 11:28 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 11:28 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 11:29 < ecrist> lietu: if you'd like, I can approve it now 11:30 < lietu> well I certainly wouldn't complain 11:31 < ecrist> do I need to approve them both? 11:31 < lietu> no, they're the same post since I thought the first one disappeared 11:33 < ecrist> OK 11:33 < ecrist> looks like tamtam did the same thing 11:33 < lietu> mjeah, that page that says that I have to wait for a moderator to approve it automatically goes away after a few seconds, so I didn't even notice it the first time 11:34 < ecrist> no big deal, moderation is the only way we've found to get rid of spam 11:34 < ecrist> after two approved posts, you're no longer moderated, though 11:34 < ecrist> just for new users 11:35 < alice|wl> server-bridge it is now and I also created the bridge (containig only the tap). Everything starts fine and I dont see error, but no ping 11:35 < lietu> isn't captchas enough? 11:35 < ecrist> no 11:35 < ecrist> the new thing is to pay people a few pennies per captcha to get through them 11:35 < alice|wl> uh, firewall probably 11:37 < mort_gib> alice|wl; I just finished a three site OpenVPN site-to-site.... 
11:37 < mort_gib> :-( 11:37 < mort_gib> alot of pint -I IntIp remoteip commands 11:38 < mort_gib> and a lot of pf.conf work 11:38 < mort_gib> s/ping/pint 11:41 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:42 < alice|wl> 100% packet 11:42 < alice|wl> loss 11:42 < alice|wl> don't know what to try next 11:42 < alice|wl> :( 11:42 < mort_gib> Check routing first 11:43 < alice|wl> 10.33.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tap33 11:43 < mort_gib> Then what is dropped on the FW 11:43 < mort_gib> In my case (I used TUN) my issue was the routing set in the openvpn config 11:43 < mort_gib> AND my pf 11:44 < alice|wl> had it working fine with tun but switched because of ipv6 11:44 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn 11:45 < mort_gib> That won't be my problem anytime soon 11:46 < reiffert> anyone planning/willing to buy a ford focus van from germany/europe? Used car, date of creation 2004, 65000km, call me for details. 11:47 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 11:48 -!- mort_gib [n=mjensen@83.36.63.16] has quit ["Leaving"] 11:50 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:04 -!- jeiworth [n=jeiworth@189.177.26.138] has quit [Connection timed out] 12:07 -!- buntfalke [n=nobody@openvpn-p0-248.triple-a.uni-kl.de] has joined ##openvpn 12:10 -!- jeiworth [n=jeiworth@189.177.26.138] has joined ##openvpn 12:11 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 12:12 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 12:15 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 12:26 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 110 (Connection timed out)] 12:26 -!- dazo is now known as dazo_afk 12:27 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 12:53 < ecrist> alice|wl: try disabling your firewall 12:56 -!-
Whtsup [n=sssi@WimaxUser377-168.wateen.net] has joined ##openvpn 12:58 < Whtsup> certificate is not valid check date and time 12:58 < Whtsup> how can i solve this error 12:58 < ecrist> i would start by checking the date and time 12:58 < ecrist> (seriously) 12:58 < Whtsup> which date and time 12:59 < ecrist> the time on the system, then check the time on the certificate for when it's valid 13:00 < Whtsup> how can i check 13:00 < Whtsup> i'm a newbie 13:02 < Whtsup> help me please 13:02 < Whtsup> how can i check 13:03 < alice|wl> ecrist: yes, was the firewall 13:03 < alice|wl> I allowed tap instead of br as soure 13:03 < alice|wl> *source 13:05 < Whtsup> please 13:05 < Whtsup> tell me 13:05 < Whtsup> certificate is not yet valid 13:06 < Whtsup> how to solve that issue 13:08 -!- Netsplit wolfe.freenode.net <-> irc.freenode.net quits: vlt, alice|wl, YaManicKill, Mark21, odonata, misse-, darkwind_, pa, ericvw, dmarkey, (+11 more, use /NETSPLIT to show all of them) 13:24 -!- julius_ [n=julius@217.20.127.15] has joined ##openvpn 13:24 < julius_> hi 13:34 < CaBa> hi 13:42 < Hypnoz> hi 13:45 -!- Whtsup [n=sssi@WimaxUser377-168.wateen.net] has quit [Read error: 145 (Connection timed out)] 13:46 -!- Whtsup [n=sssi@WimaxUser377-168.wateen.net] has joined ##openvpn 13:47 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 13:47 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 13:47 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 13:47 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 13:47 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 13:47 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 13:47 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn 13:47 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn 13:48 -!- alice|wl [n=helo@notomorrow.de] has joined ##openvpn 13:48 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has joined ##openvpn 13:48 -!- ericvw
[n=ericvw@trenton.eecs.umich.edu] has joined ##openvpn 13:48 -!- master_of_master [i=master_o@p549D5F35.dip.t-dialin.net] has joined ##openvpn 13:48 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has joined ##openvpn 13:48 -!- darkwind_ [n=darkwind@64.71.152.247] has joined ##openvpn 13:48 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn 13:48 -!- Mark21 [n=mark@unaffiliated/mark21] has joined ##openvpn 13:48 -!- YaManicKill [n=ali@130.159.141.69] has joined ##openvpn 13:48 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 13:48 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn 13:48 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 13:48 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn --- Log closed Wed Nov 11 13:54:01 2009 --- Log opened Wed Nov 11 13:54:10 2009 13:54 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 13:54 -!- Irssi: ##openvpn: Total of 85 nicks [0 ops, 0 halfops, 0 voices, 85 normal] 13:54 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 13:54 -!- fkr [i=fkr@134.106.146.207] has joined ##openvpn 13:54 < YaManicKill> maybe one of them will know my question in that case :P i'll repeat it 13:54 -!- Optic [n=nndfrase@miso.capybara.org] has joined ##openvpn 13:54 -!- Irssi: Join to ##openvpn was synced in 25 secs 13:54 -!- RyuKojiro [n=nnkojiro@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has joined ##openvpn 13:54 < YaManicKill> i'm having some problems forwarding traffic through my vpn - i can connect to the vpn, but forwarding doesnt work 13:55 < YaManicKill> server conf - http://pastebin.com/d26b80b62 client conf - http://pastebin.com/d7f8be287 - and this is my log file - http://pastebin.com/df99e680 13:55 -!- jforman [n=jforman@unaffiliated/jforman] has joined ##openvpn 13:55 < Hypnoz> you have to forward a route in your router 13:55 < YaManicKill> Hypnoz: ahhhhh 13:55 < YaManicKill> of course... 
13:55 < Hypnoz> to let the systems on the network know how to get back to the VPN network 13:55 < YaManicKill> what port does it come in on? 13:55 < jforman> is anyone successfully using the openvpn network-manager plugin in ubuntu 9.10? seems the version packaged does not work 13:55 < YaManicKill> jforman: it doesnt work 13:55 -!- reber [n=reber@78.251.250.8] has quit [Connection timed out] 13:55 < YaManicKill> you have to do "openvpn client.conf" 13:56 < jforman> YaManicKill: i figured as much. no workaround or newer-than-9.10 version to install by hand? 13:56 < YaManicKill> jforman: nah, network manager is just broken with openvpn just now 13:56 < jforman> :/ okay, thanks YaManicKill 13:56 < YaManicKill> have a look at my client conf - i posted it up there 13:56 < YaManicKill> thats a good basis for a start 13:56 < Hypnoz> i've been doing sudo openvpn --config client.conf 13:56 < Hypnoz> i can drop the sudo and --config? 13:57 < YaManicKill> Hypnoz: what port does the vpn traffic come in on? 
13:57 -!- jforman [n=jforman@unaffiliated/jforman] has left ##openvpn [] 13:57 < YaManicKill> Hypnoz: no, not the sude, but yes the --config 13:57 < Hypnoz> you can see your port in /etc/openvpn/server.conf on your openvpn server 13:57 < Hypnoz> but 1194 is default 13:58 < YaManicKill> ok, so i just have to get my router to send port 1194 to my computer 13:58 < YaManicKill> cool 13:58 < Hypnoz> port doesn't matter though for creating a route 13:58 < Hypnoz> i thought you said you're able to connect 13:58 < YaManicKill> Hypnoz: can you look at my log file though, i think theres another line thats stopping it at the end 13:58 < YaManicKill> Hypnoz: yeah, i can connect 13:58 < YaManicKill> http://pastebin.com/df99e680 - log file 13:58 < YaManicKill> look at the last 2 lines 13:59 < Hypnoz> so you can connect, just not ping any other system besides the openvpn server right 13:59 < YaManicKill> Hypnoz: yeah, can ping the server, and i assume if there were other clients on it i would be able to ping them 14:00 < Hypnoz> well, there is an option in server.conf to say if you openvpn clients can see eachother, which is disabled by default 14:00 < YaManicKill> ok, well, my point is, i can ping the server, but not the outside world 14:00 < Hypnoz> but yeah, you don't need a route set up for that. But here's the thing. Say there's a system on your network, and you ping it from an openvpn client 14:01 < YaManicKill> uhuh... 14:01 < Hypnoz> following the packet, it leaves your client, hits the openvpn server, from there, it goes to the system because openvpn server has a presence on both the vpn subnet and the internet subnet, so it can skip the default gateway 14:01 < YaManicKill> ok... 
14:02 < Hypnoz> but when the packet hits the system, that system doesn't know about your vpn subnet, so it sends the packet out to the default gateway (your router) 14:02 < Hypnoz> then your router doesn't know what to do with it either, cause only the openvpn server knows about the vpn subnet 14:02 < YaManicKill> right... 14:02 < YaManicKill> but the system shouldn't know about my router 14:03 < YaManicKill> Nov 11 19:36:32 vm3797 ovpn-server[3476]: client/81.103.36.49:43313 MULTI: bad source address from client [192.168.2.3], packet dropped 14:03 < Hypnoz> I'm saying that the openvpn server and other system are all behind a router 14:03 < Hypnoz> otherwise you can make a static route on each system manually 14:03 < YaManicKill> thats the line that is causing problems, i think 14:03 < Hypnoz> to tell it how to send packets back to the openvpn subnet 14:05 < Hypnoz> so 192.168.1.0/24 is your internal subnet, and 192.168.2.0/24 is your vpn subnet? 14:05 < YaManicKill> nah, 192.168.2.3 is my clients ip on my home network 14:05 < YaManicKill> 81.103.36.49 is my home networks ip address 14:06 < YaManicKill> my clients ip address on the vpn should be 10.8.0.6, i think 14:06 < YaManicKill> does the ip address on the vpn have to be the same as my local network? 14:07 < Hypnoz> no, in fact its better that it has its own subnet (10.8.0.0/24) 14:07 < YaManicKill> Hypnoz: yeah, thats what it is 14:07 < Hypnoz> so your router is 192.168.2.1 14:07 < YaManicKill> yep 14:07 < YaManicKill> so, why does it complain about my address? 14:08 < Hypnoz> and the openvpn server is 192.168.2.3? 14:08 < YaManicKill> no, thats my client 14:09 < Hypnoz> what is the local ip of openvpn server? 14:09 < YaManicKill> the vpn server isn't within my home network 14:09 < Hypnoz> ohh 14:09 < YaManicKill> it is on a vps 14:09 < YaManicKill> so, its internet facing 14:09 < YaManicKill> so, in that case, should i have the same ip for my client on my home network and the vpn? 
14:10 < Hypnoz> well the openvpn server is going to have several IP addresses. One for the private vpn network (10.8.0.1 probably) and another for its real eth adapter 14:11 < YaManicKill> yeah, 10.8.0.1 14:11 < YaManicKill> http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/ 14:11 < vpnHelper> Title: Openvpn MULTI: bad source address from client solution | Into.the.Void. (at www.void.gr) 14:11 < YaManicKill> look at that 14:11 < Hypnoz> I'm not sure the openvpn server can be outside of the network that you want vpn access to... 14:11 < Hypnoz> unless you have it connected in to the router somehow? 14:12 < Hypnoz> does the openvpn server have any type of interface on the 192.168.2.0/24 network 14:13 < YaManicKill> it is in a completely different physical location than here 14:13 < YaManicKill> 192.168.2.0/24 is my home network 14:13 < YaManicKill> server is a vps, probably in america somewhere 14:13 < Hypnoz> if you're trying to vpn to your home network, then the openvpn server has to have an interface on the 192.168.2.0/24 network 14:13 < Hypnoz> whether real or vpn, somehow it has to know about that network 14:14 < YaManicKill> no, not vpn into my home network 14:14 < YaManicKill> FROM my home network 14:14 < Hypnoz> ah i see 14:15 < YaManicKill> the vpn is a security thing, i dont want people who have physical access to my network, to be able to get my network traffic 14:15 < YaManicKill> so, its encrypted between my home network and the vpn 14:15 < Hypnoz> where is vpn? work or something? 
14:16 < YaManicKill> Hypnoz: just a random vps that i bought 14:16 < Hypnoz> what does vps stand for 14:18 < YaManicKill> virtual private server 14:18 < Hypnoz> and you want all your internet traffic to go over that encrypted pipe 14:18 < Hypnoz> you're not just trying to connect to a few remote servers 14:18 < Hypnoz> you want to use this as your internet connection 14:19 < Hypnoz> so all your internet traffic would hit the openvpn server first, then the internet 14:19 < YaManicKill> well, personally i don't, i'm doing it for a friend 14:19 < YaManicKill> but yes, essentially 14:20 < Hypnoz> will there be more than one system connecting to the openvpn server? 14:21 < YaManicKill> Hypnoz: yep 14:21 < Hypnoz> Nov 11 19:36:27 vm3797 ovpn-server[3476]: MULTI: new connection by client 'client' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect. 14:21 < YaManicKill> probably not at the same time 14:21 < Hypnoz> that part of the log file may apply if you put the same client cert on all of them 14:21 < YaManicKill> Hypnoz: they will use different certs 14:21 < Hypnoz> k 14:22 < YaManicKill> so thats no prob 14:22 < YaManicKill> i think it is that line that says about the ip address 14:23 < YaManicKill> wait... 
14:23 < YaManicKill> i think its my firewall 14:23 < YaManicKill> Nov 11 20:19:03 vm3797 kernel: [278864.289379] [UFW BLOCK FORWARD]: IN=tun0 OUT=eth0 SRC=10.8.0.6 DST=194.168.4.100 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=22771 DF PROTO=UDP SPT=46282 DPT=53 LEN=37 14:23 < YaManicKill> i thought i'd allowed forwarding 14:23 * YaManicKill cries 14:24 < YaManicKill> i dont want to use iptables 14:24 < Hypnoz> for testing vpn its usually best to turn off firewall 14:24 < Hypnoz> then once it works, enable again if needed 14:24 < Hypnoz> you can play with that, i'm gonna get some lunch 14:25 < Hypnoz> good luck, i'll be back on in an hour or so if you still need help troubleshooting 14:27 < YaManicKill> Hypnoz: thanks :) 14:27 < YaManicKill> lunch? where are you...america? :P 14:36 < YaManicKill> ok, well, i disabled the firewall, and it kinda worked 14:37 < YaManicKill> it wasn't perfect, because it seems to have a 60% packet loss 14:37 < YaManicKill> which is kinda annoying 14:37 < YaManicKill> but at least i'm getting there 14:49 -!- jeiworth [n=jeiworth@189.177.26.138] has quit [Connection timed out] 14:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 14:57 < Hypnoz> hmm interesting. 14:57 < Hypnoz> and no, america is for inbred ignorant hicks. I live in California. 15:06 -!- Rascal999 [n=user@212.9.104.90] has joined ##openvpn 15:07 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:07 < Rascal999> I'm using ebox (web interface) - Cannot use for the bundle the server's certificate -- this happens when I try and download client bundle for vpn server, what's going on? 15:12 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 110 (Connection timed out)] 15:14 < arcsky> if i use push "dhcp-option DNS x.x.x.x" will my friend who is a client not be able to use his own ISP dns ? is it possible that he can use both ?
15:17 -!- You're now known as ecrist 15:34 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:40 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."] 15:48 -!- jeiworth [n=jeiworth@189.234.76.92] has joined ##openvpn 15:48 -!- jeiworth [n=jeiworth@189.234.76.92] has quit [Read error: 104 (Connection reset by peer)] 15:49 -!- jeiworth [n=jeiworth@189.234.76.92] has joined ##openvpn 15:57 -!- TBKDan [n=demord@cpe-24-93-27-225.rochester.res.rr.com] has joined ##openvpn 15:57 -!- roychri [n=christia@drupal.org/user/155209/view] has joined ##openvpn 15:59 < roychri> Hello. I am using VMWare Player which acts like a local subnet (192.168.57). I just installed openvpn and now my WXP host cannot communicate with my ubuntu host on the vmware appliance. I suspect subnet conflicts. The VPN is using the same subnet. 15:59 < TBKDan> I'm trying to roll my own installer for my company using the binaries from the 2.1_rc20 installer and the 2.1_beta7 install source. I've gotten almost everything to work except the TAP driver will not install. The only thing I can find is the SHA1 for the tap0901.sys somehow does not match what is shown in the catalog file. I've even tried using the normal installer to place the files and grab them, but the SHA still does not match. 16:00 < roychri> I did not create the vpn config, I am just using it. How do I know which subnet is currently being used? I am thinking that changing my VMWare config to use another subnet would be simpler than asking the sysadmin on the other end to change their subnets :) 16:00 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 16:00 < roychri> I googled for "openvpn subnet conflicts" but I cannot seem to find something useful. 16:11 -!- TBKDan [n=demord@cpe-24-93-27-225.rochester.res.rr.com] has quit ["Leaving."] 16:11 < roychri> So my question is. Is there a way to find out which routes (subnets) are being used by a vpn connection using openvpn?
16:12 < roychri> I only have access to the client, not the server. 16:12 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 16:18 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 16:18 < Hypnoz> roychri: what OS are you using? 16:19 -!- Whtsup [n=sssi@WimaxUser377-168.wateen.net] has quit [] 16:20 < roychri> WXP 16:20 < roychri> WinXP 16:22 < roychri> Hypnoz: I just found out how I can change the subnet for my vmware player. The question is... which subnet is safe to use? I suspect (hope) that the sysadmin at the other end did not configure the vpn server to control all 192.* or 10.* or whatever else I could use for my own networks... 16:23 < Hypnoz> i think in command prompt if you type "route print" 16:23 < Hypnoz> it will show you the subnets you are using and which devices are connected to them 16:23 < roychri> cool 16:23 < roychri> I see lot of output 16:23 < roychri> checking... 16:23 < Hypnoz> you should be able to find out which one vpn is using 16:25 < roychri> nice, I see two rows for 192.168.57 16:35 < roychri> super! 16:36 < roychri> Hypnoz: Got it! I am now using 192.168.159.* for the vmware virtual net interface and all is good. 16:36 < roychri> Hypnoz: Thank you.
16:41 -!- mikkel_ [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit] 16:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:44 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 16:46 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 16:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 16:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:22 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 17:27 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:35 -!- Rascal999 [n=user@212.9.104.90] has left ##openvpn ["Leaving"] 17:58 -!- jeiworth [n=jeiworth@189.234.76.92] has quit [Read error: 110 (Connection timed out)] 18:02 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 145 (Connection timed out)] 18:03 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 18:13 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:23 -!- master_of_master [i=master_o@p549D5F35.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:23 -!- master_of_master [i=master_o@p549D7CDB.dip.t-dialin.net] has joined ##openvpn 18:43 -!- xod [n=onats@112.201.190.51] has joined ##openvpn 18:44 -!- xod is now known as onats 18:46 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 18:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 19:02 -!- roychri [n=christia@drupal.org/user/155209/view] has quit [] 19:06 -!- reid99 [n=reid85@CPE001cdf73661f-CM001ceacec55e.cpe.net.cable.rogers.com] has quit [Connection timed out] 19:10 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 19:10 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 19:12 -!- epaphus [n=unix3@201.199.192.2] has 
joined ##openvpn 19:15 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 19:17 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 20:00 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 21:52 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 21:52 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 22:04 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:22 -!- epaphus [n=unix3@201.199.192.2] has quit [Read error: 60 (Operation timed out)] 22:24 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 22:40 -!- jeiworth [n=jeiworth@189.163.144.187] has joined ##openvpn 23:30 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Thu Nov 12 2009 00:02 -!- wolfrein [n=chatzill@59.99.105.84] has joined ##openvpn 00:02 < wolfrein> hi everybody 00:02 < wolfrein> can someone help me with an issue 00:03 < wolfrein> first up.. what is the TEMA app that comes within the Oracle VPN? 00:03 < wolfrein> never heard of it..
google searched but got nothing related 00:11 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 00:29 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Remote closed the connection] 00:54 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"] 01:12 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 01:24 -!- hyper_ch [n=hyper@173-95.107-92.cust.bluewin.ch] has joined ##openvpn 01:46 -!- dunc_ [n=dunc@fenchurch.wlan.sandown.ipv6.braddon.org.uk] has quit [Read error: 113 (No route to host)] 01:46 -!- hsch [n=hsch@wbs-41-208-224-238.wbs.co.za] has left ##openvpn [] 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:23 -!- StefanWork [n=stefanle@83.119.216.188] has joined ##openvpn 02:24 < StefanWork> Good morning 02:35 < robert_> 'morning :p 02:35 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has left ##openvpn ["Leaving."] 02:35 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 02:36 < StefanWork> I've got a small question regarding OpenVPN and its speed 02:36 < StefanWork> Has anyone had issues with speed with OpenVPN when writing to the server itself? 02:37 < krzee> many people have 02:37 < StefanWork> hehe 02:38 < StefanWork> Well we've already tried to fix the mss/mtu which didn't work 02:38 < StefanWork> we've installed OpenVPN on the server and when we try to write multiple files back to the server the connection drops to less than 1kb/s 02:38 < krzee> whats the speed difference between inside tunnel and outside? 02:38 < krzee> using ftp 02:38 < StefanWork> we've got fiber 02:38 < StefanWork> let me test 02:38 < krzee> or http get 02:39 < StefanWork> about 800 kb/s 02:39 < krzee> also check cpu on server and client during the test 02:39 < StefanWork> down 02:39 < StefanWork> and 78 up atm 02:39 < krzee> 800kb/s down is the different or results from 1 test?
02:39 < krzee> difference* 02:39 < StefanWork> result from 1 test 02:40 < krzee> inside or outside tunnel, with what cpu usage? 02:40 < StefanWork> outside. Don't know the CPU usage 02:40 < StefanWork> the server is installed on a w2k3 server 02:40 < krzee> outside cpu wont matter 02:40 < krzee> windows can show cpu 02:40 < krzee> cntrl alt delete - performance 02:40 < StefanWork> yep I know 02:42 < StefanWork> Alright i'm viewing the CPU performance now and asking the other system admin to perform a transfer to the server 02:43 < StefanWork> CPU keeps the same performance. Just got an answer that it has already been tested 02:43 < StefanWork> He's going to try it again though 02:47 < StefanWork> No performance difference 02:49 < StefanWork> Correction: slight performance difference but we've got a quadcore 02:54 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 02:54 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 02:54 < StefanWork> @krzee 03:01 < krzee> ok cool 03:01 < krzee> now do xfer within tunnel and ill be back in a min 03:01 < krzee> make sure its a big enough file to max out xfer on both tests 03:01 < krzee> im working on getting my vid card working in osx86 so reboots... 03:02 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 03:09 < julius_> join #tinc 03:09 < julius_> oops 03:09 < julius_> sry 03:13 -!- hsch [n=hsch@wbs-41-208-224-238.wbs.co.za] has joined ##openvpn 03:15 < hsch> hi - I'm running and tun vpn network. I have commented client-to-client, but Im still able to ping other clients from clients. 03:18 < StefanWork> krzee: We've tried a single big file and multiple big files at once and it both goes at the max speed of the client's upload speed. When we try to upload a. for example. .svn folder with multiple folders within that folder the speed drops. 
03:18 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:19 < StefanWork> When we on the other hand, upload another folder which has multiple .svn folders and subfolders. This however, goes at the right speed... 03:20 < krzee> i also am reminded you mentioned windows 03:20 < StefanWork> that is correct 03:20 < krzee> can you try the same tests subbing that side for nix? 03:20 < krzee> (assuming client is nix as well) 03:20 < StefanWork> haven't got a nix pc with me 03:21 < krzee> livecd? 03:21 < krzee> virtual machine even? 03:22 < StefanWork> well I have tested it with a openvpn server on ubuntu at home. The client pc was a windows pc so. But when I checked out multiple files on the ubuntu server the speed drops. But not dramatically. I guess that was just the limit of my upload speed 03:22 < krzee> i have read from dev tests when making the win tap driver which also does tun) that showed much slower speed with windows 03:22 < StefanWork> hm 03:22 < krzee> but that was before it was finished 03:23 < StefanWork> I see so in beta phase 03:23 < krzee> dunno bout now, but could be the issue 03:23 < krzee> ya but not many betas behind final 03:23 < StefanWork> I heard from a system admin that it could be because we're not having the openvpn on the router. Instead we've installed it on the windows server directly. It isn't an option to install it on the router though 03:23 < krzee> would be interesting to see your tests, especially because of the equip not being an issue 03:24 < krzee> that shouldnt be it 03:24 < krzee> unless its a slower lan or something 03:24 < StefanWork> yeah 03:25 < krzee> youd know if thats the bottleneck 03:25 < StefanWork> well when we're on the network itself using wireless lan and we're uploading to the server it goes fast 03:25 < StefanWork> so it's really an external -> to server problem 03:25 < StefanWork> when uploading 03:25 < krzee> but you see speed diffs when inside tunnel and outside... what were the numbers? 
03:26 < krzee> basically its grabbing a file by inet ip and by vpn ip 03:26 < krzee> a large file 03:27 < krzee> larger depending on BW 03:27 < krzee> gimme the #'s in a min 03:27 < krzee> brb 03:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 03:38 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has quit [No route to host] 03:55 -!- StefanWork2 [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 04:00 -!- wolfrein_ [n=chatzill@74-84-125-57.client.mchsi.com] has joined ##openvpn 04:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 04:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:00 < StefanWork2> wb 04:01 < StefanWork2> we're creating a small video just to be clear 04:01 < krzee> thx 04:01 < krzee> video? 04:02 < StefanWork2> we're still creating it 04:02 < StefanWork2> yeah a desktop video which displays the connection speeds 04:02 < StefanWork2> and the difference with file uploads 04:04 -!- dazo_afk is now known as dazo 04:07 -!- StefanWork [n=stefanle@83.119.216.188] has quit [Read error: 110 (Connection timed out)] 04:09 -!- reiffert changed the topic of ##openvpn to: No support for Access Server. OpenVPN 2.1rc21 is latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through server. || Also interesting: !man !/30 !topology !iporder !forum 04:10 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:14 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:14 -!- StefanWork2 is now known as StefanWork 04:18 -!- wolfrein [n=chatzill@59.99.105.84] has quit [Read error: 110 (Connection timed out)] 04:31 < StefanWork> krzee: It will take awhile so thanks in advance for your time. 04:33 < CaBa> how does other vpn software such as ciscos vpn client deal with http://support.microsoft.com/kb/311218 ? 
04:33 < vpnHelper> Title: Cannot Change the Binding Order for Remote Access Connections (at support.microsoft.com) 05:34 < krzee> but you see, i want exact numbers 05:34 < krzee> forget a movie 05:34 < krzee> just record the times of file transfers 05:35 < krzee> 2009-11-12 07:35:01 (52.9 KB/s) - `krzee.jpg' saved [56959/56959] 05:35 < krzee> like so 05:38 < StefanWork> Well on the clientside, it goes about 40kb/s up outside the tunnel. And with a certain action inside the tunnel. It can go 400 bytes/s 05:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection] 05:46 < dazo> CaBa: you're in a channel where people know OpenVPN (hence the channel name ##openvpn) ... don't have too high expectations about getting answers from other VPNs 05:52 -!- hsch [n=hsch@wbs-41-208-224-238.wbs.co.za] has quit [Read error: 60 (Operation timed out)] 06:04 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 06:04 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 06:14 -!- wolfrein_ [n=chatzill@74-84-125-57.client.mchsi.com] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 06:22 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 06:23 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 07:05 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn 07:05 < lkthomas> hey guys 07:05 < lkthomas> I am trying to run openvpn as nat gateway 07:05 < lkthomas> I put push "redirect-gateway def1" into server config file 07:05 < lkthomas> but client side does not shows route adding 07:05 < lkthomas> anyone got idea why ? 07:06 < ecrist> !logs 07:07 < ecrist> !logs 07:07 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
07:11 < lkthomas> route add section does now show up on log file 07:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 07:28 -!- stevem [n=stevem@212.57.232.254] has joined ##openvpn 07:28 < stevem> Hey, anyone know if openvpn will work with a Draytek vigor router? 07:28 < lkthomas> all docs show just add redirect-gateway to make it work 07:28 < lkthomas> tried a couple of times, not working 07:30 < ecrist> lkthomas: I think the message asks you to post your logs, not analyze them yourself. 07:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 07:30 < ecrist> !configs 07:30 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:30 < ecrist> that too, lkthomas 07:32 < lkthomas> at least give me some hints dude 07:35 < ecrist> ok, you're already on the right track. it's apparent you're missing something. I can't give you hints without your logs and configs 07:35 < ecrist> either submit those, or go away 07:36 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 07:36 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 07:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 07:43 -!- hsch [n=hsch@wbs-41-208-232-79.wbs.co.za] has joined ##openvpn 07:51 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 07:59 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:59 < theDoc> lol, access-server? 07:59 < theDoc> many people asking? :) 07:59 < ecrist> theDoc: yes 07:59 < ecrist> lots 08:00 < ecrist> krzie: I have some questions for you when you're around again...
08:01 < theDoc> ecrist> It's a pretty decent app tbh 08:01 -!- jeiworth [n=jeiworth@189.163.144.187] has quit [Connection timed out] 08:02 < ecrist> I don't doubt it, the problem is it's commercial. It's a pay-app. We're not able to really support it. That's what they have commercial support for... 08:03 < theDoc> ecrist> Of course, of course. ;p 08:04 < theDoc> It powers my vpn boxes. 08:05 < ecrist> straight openvpn is what I run, and have for years. 08:05 -!- Irssi: ##openvpn: Total of 80 nicks [0 ops, 0 halfops, 0 voices, 80 normal] 08:06 < theDoc> ecrist> I don't disagree with that but I provide vpn connectivity and I find the access-server a rapid way of deployment so really, ymmv :p 08:08 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:10 -!- dollabilll [n=mike@97.66.26.10] has joined ##openvpn 08:12 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn 08:12 -!- correcaminos [n=laguilar@201.196.31.246] has joined ##openvpn 08:13 -!- correcaminos [n=laguilar@201.196.31.246] has quit [Client Quit] 08:14 -!- correcaminos [n=laguilar@201.196.31.246] has joined ##openvpn 08:14 -!- hyper__ch [n=hyper@68-94.3-85.cust.bluewin.ch] has joined ##openvpn 08:14 -!- hyper_ch [n=hyper@173-95.107-92.cust.bluewin.ch] has quit [Nick collision from services.] 08:14 -!- hyper__ch is now known as hyper_ch 08:16 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)] 08:20 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has left ##openvpn ["Leaving."] 08:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 08:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:08 -!- markus_ [n=markus@nat.vpntunnel.se] has quit [Remote closed the connection] 09:21 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:35 < YaManicKill> ok, i have a problem with my vpn. 
i'm connected to it fine, and web forwarding seems to be working fine, however, only when i give it an ip address 09:35 < YaManicKill> so, there's something wrong with the dns, i think 09:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 09:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:51 < stevem> Hi everyone... I'm trying to compose an e-mail to convince our supplier (Draytek, who make some very fine routers) to support OpenVPN as a client (so that we can do LAN to LAN without needing IPsec or PPTP) 09:51 < stevem> Can anyone name other routers, whether physical or software, that have this support? I know Untangle and DDWRT do 09:52 -!- ptotterm is now known as ptman 09:57 -!- hsch [n=hsch@wbs-41-208-232-79.wbs.co.za] has left ##openvpn [] 10:01 -!- Hink [n=Hink@71.164.255.85] has joined ##openvpn 10:03 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 10:03 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 10:07 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 113 (No route to host)] 10:07 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 10:07 -!- YaManicKill is now known as Nia 10:07 -!- Nia is now known as YaManicKill 10:08 -!- YaManicKill is now known as YaManicKill|dead 10:08 -!- stevem [n=stevem@212.57.232.254] has quit [Nick collision from services.]
10:08 -!- stevem_ [n=stevem@212.57.232.254] has joined ##openvpn 10:09 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 10:12 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 10:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 10:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 10:36 -!- stevem__ [n=stevem@212.57.232.254] has joined ##openvpn 10:43 -!- stevem_ [n=stevem@212.57.232.254] has quit [Read error: 60 (Operation timed out)] 10:54 -!- stevem__ [n=stevem@212.57.232.254] has quit ["Leaving"] 10:59 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:02 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 11:02 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 11:07 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 11:23 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 11:26 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 11:30 -!- hyper_ch [n=hyper@68-94.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 11:32 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:35 -!- correcaminos [n=laguilar@201.196.31.246] has quit [Read error: 104 (Connection reset by peer)] 11:35 -!- correcaminos [n=laguilar@201.196.31.246] has joined ##openvpn 11:36 -!- correcaminos [n=laguilar@201.196.31.246] has quit [Client Quit] 12:02 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit ["Leaving."] 12:05 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:07 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 12:08 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 12:24 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has joined ##openvpn 12:30 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [Read error: 110 (Connection timed out)] 12:36 -!- 
ErickG [n=ErickG@190.120.0.138] has quit [Remote closed the connection] 13:04 -!- dazo is now known as dazo_afk 13:10 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 13:11 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:16 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has joined ##openvpn 13:28 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 14:13 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [Read error: 110 (Connection timed out)] 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:47 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit] 14:49 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 15:01 -!- mirco [n=mirco@p54B266A2.dip.t-dialin.net] has joined ##openvpn 15:30 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 15:32 -!- Sky[x] [n=SkyB0x@BSN-176-204-79.dial-up.dsl.siol.net] has joined ##openvpn 15:32 -!- Sky[x] [n=SkyB0x@BSN-176-204-79.dial-up.dsl.siol.net] has quit [Remote closed the connection] 15:33 -!- Sky[x] [n=SkyB0x@BSN-176-204-79.dial-up.dsl.siol.net] has joined ##openvpn 15:39 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 15:40 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:45 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 15:46 -!- dollabilll [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)] 15:48 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:12 -!- Sky[x] [n=SkyB0x@BSN-176-204-79.dial-up.dsl.siol.net] has quit [Client Quit] 16:16 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)] 16:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:37 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 18:12 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 
18:18 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn 18:33 -!- master_of_master [i=master_o@p549D7CDB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:38 -!- master_of_master [i=master_o@p549D7B2C.dip.t-dialin.net] has joined ##openvpn 19:12 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:38 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit [] 20:04 -!- Xdept [n=cms@ip-58-28-159-224.static-xdsl.xnet.co.nz] has joined ##openvpn 20:05 -!- Xdept [n=cms@ip-58-28-159-224.static-xdsl.xnet.co.nz] has left ##openvpn [] 20:16 -!- Xdept [n=cms@ip-58-28-159-224.static-xdsl.xnet.co.nz] has joined ##openvpn 20:16 < Xdept> Whereabouts is easy-rsa on Arch Linux found? 20:31 -!- mirco [n=mirco@p54B266A2.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 20:32 -!- mirco_ [n=mirco@p54B25B87.dip.t-dialin.net] has joined ##openvpn 20:32 -!- mirco_ is now known as mirco 21:01 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 21:02 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has joined ##openvpn 22:11 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 22:12 -!- Hink [n=Hink@71.164.255.85] has quit [Remote closed the connection] 22:24 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 22:25 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 22:39 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 22:42 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 22:42 -!- hyper_ch [n=hyper@adsl-84-226-58-170.adslplus.ch] has quit [Nick collision from services.]
22:45 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 23:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 23:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 23:27 -!- Xdept [n=cms@ip-58-28-159-224.static-xdsl.xnet.co.nz] has quit ["leaving"] 23:39 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 23:40 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn --- Day changed Fri Nov 13 2009 00:08 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 00:12 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn 00:13 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:14 < freaky[t]> !howto 00:14 < vpnHelper> freaky[t]: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 00:14 < MorkBork> anyone have any benchmarks of an intel atom 00:15 < MorkBork> n330 in particular 00:15 < MorkBork> I'm testing it locally, the best I can seem to get is 80 Mbit or so 00:15 < MorkBork> on a gige lan 00:15 < MorkBork> openssl speed bf-cbc and aes-128-cbc seem to indicate I should theoretically be able to do 25 MB/s ~ 200 mbit 00:17 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Remote closed the connection] 00:18 < MorkBork> the box I'm connecting to the openvpn server can do bf-cbc and aes at like a gigabit per second on a single core 00:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 00:51 < MorkBork> looking at top 00:51 < MorkBork> I'm seeing 40% in user, that's probably the decrypt/crypt 00:52 < MorkBork> 20% in kernel, the rest in si 00:53 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has quit [] 00:54 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 00:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 00:56 < MorkBork> it's too bad openvpn isn't threaded 00:56 < MorkBork> ;/
01:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 01:10 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Read error: 60 (Operation timed out)] 01:10 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 01:10 -!- hyper_ch [n=hyper@68-94.3-85.cust.bluewin.ch] has joined ##openvpn 01:11 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 01:12 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 01:14 -!- neoice_ [n=neoice@thule.neoice.net] has joined ##openvpn 01:15 < neoice_> !redirect 01:15 < vpnHelper> neoice_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 01:15 < neoice_> is there a way to only have some clients use redirect? 01:16 < neoice_> !def1 01:16 < vpnHelper> neoice_: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 01:18 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 01:21 -!- kosmic is now known as jimbosucks 01:21 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 01:22 -!- mirco [n=mirco@217.91.96.41] has joined ##openvpn 01:22 < endre> neoice_: sure 01:22 < endre> neoice_: use ccd 01:22 < reiffert> neoice_: just put it in the client config. 01:22 < endre> !ccd 01:23 < vpnHelper> endre: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 01:23 < reiffert> neoice_: or see endre. 
01:23 < neoice_> thanks :D 01:23 -!- neoice_ is now known as neoice 01:32 -!- jimbosucks is now known as kosmic 01:34 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)] 01:37 -!- bytesaber [n=bytesabe@208.98.188.95] has joined ##openvpn 01:39 -!- Stefan [n=stefanle@83.119.216.188] has joined ##openvpn 01:41 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:47 -!- bytesaber [n=bytesabe@208.98.188.95] has quit [Read error: 145 (Connection timed out)] 01:48 -!- dazo_afk is now known as dazo 01:54 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 01:55 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 02:13 -!- joel [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 02:13 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 02:49 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 03:03 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 03:18 -!- Bogdar [n=bogdan@84.201.238.126] has joined ##openvpn 03:20 < Bogdar> Hello. Is it possible to serve from 1000 to 5000 parallel users with openvpn? There will be not so much traffic - possibly Windows domain stuff (not filesharing) and remote desktop. Which hardware should I use for this? 03:41 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 03:55 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 03:57 < MorkBork> openvpn is single threaded 03:57 < MorkBork> but you should know 03:57 < MorkBork> via nano has hardware aes encryption 03:57 < MorkBork> and is cheap 03:57 < MorkBork> perhaps many small cheap boxes 04:16 < lkthomas> !log 04:16 < vpnHelper> lkthomas: Error: You don't have the owner capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
04:16 < lkthomas> !logs 04:16 < vpnHelper> lkthomas: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 04:22 < lkthomas> guys 04:23 < lkthomas> redirect-gateway doesn't work 04:23 < lkthomas> tested on windowsxp and mac 04:23 < lkthomas> http://www.pastebin.ca/1669716 04:23 < lkthomas> please help 04:25 < dazo> Bogdar: as MorkBork says, openvpn is single threaded .... and on the mailing list, people have begun complaining about performance issues when passing 150-200 clients 04:26 < dazo> Bogdar: but one approach against this is to use multiple openvpn processes, where you assign them to different CPUs if you have an SMP system 04:27 < Bogdar> Understand. 04:27 < MorkBork> in my testing today with an atom n330 server, it's dual core with HT, not very powerful 04:27 < MorkBork> I found with 1 atom n330 I could do 80-100 mbit 04:27 < MorkBork> because of single thread 04:27 < dazo> Bogdar: one such tool for managing such "spread" is tuna (http://git.kernel.org/?p=linux/kernel/git/acme/tuna.git;a=summary) 04:27 < vpnHelper> Title: git.kernel.org - linux/kernel/git/acme/tuna.git/summary (at git.kernel.org) 04:27 < MorkBork> although openssl speed bf-cbc showed a single thread could do 200 mbit blowfish 04:27 < MorkBork> I watched in top 04:28 < Bogdar> Bandwidth will be limited by external port speed - possibly 10Mbit. 04:28 < MorkBork> it seems like it was 40% crypto, but 60% i/o 04:28 < MorkBork> oh 10mbit 04:28 < MorkBork> pfft 04:28 < MorkBork> anything will work 04:28 < lkthomas> anyone mind checking that pastebin link please ? 04:28 < Bogdar> But there will be 1000 parallel connections or even, possibly, more. 04:28 < dazo> Bogdar: what do you mean with " 1000 to 5000 parallel usrs" 04:29 < dazo> is that openvpn sessions? Or one session transporting data for 1000-5000 users? 04:29 < Bogdar> dazo, 1000 or 5000 established VPN sessions.
Most of them will idle or transfer Rdesktop traffic. 04:30 < MorkBork> that's gonna be fun managing keys, eh 04:30 < MorkBork> for something like that 04:30 < MorkBork> I'd want multiple low power servers 04:30 < MorkBork> like dazo says 04:30 < Bogdar> no-no-no. LDAP. And, possibly, AD LDAP. 04:30 < lkthomas> MorkBork: any idea about my problem ? 04:30 < Bogdar> no keys ;) 04:31 < dazo> Bogdar: then you might be able to do fine with 6-8 OpenVPN processes, if not all users do a lot of bandwidth demanding operations at the same time 04:32 < dazo> Bogdar: start with a dual socket quad core box ... and you'll be able to spread the openvpn process to each CPU core 04:32 < dazo> processes* 04:32 < Bogdar> And what about few processes: I'll have to set up additional routing for them ? 04:33 < dazo> Bogdar: if you use pure tun protocol (which sounds reasonable as it's mainly RDP data) ... it's just pure routing 04:33 < Bogdar> Yes, I plan to use 2x5 core AMD or 2x4 core Intel box at start. 04:34 < Bogdar> *2x6 core AMD 04:34 < dazo> your terminal servers (and other servers the VPN users will use) will need to know about the routing towards the VPN nets as well 04:34 < dazo> heh ... 2x5 was a new concept for me :-P 04:35 < dazo> I personally prefer Intel CPUs ... they seem to perform very well, at least the newer Xeon CPUs .... but it's usually tightly connected to L2 cache 04:36 < Bogdar> This is for remote administration and end-user support. It is necessary to connect many users to AD, apply group policy and sometimes manage desktops via rdesktop. 04:36 < MorkBork> you'll never get 5000 users on a 10mbit link for rdesktop 04:36 < MorkBork> lol 04:36 < dazo> not simultaneously 04:37 < dazo> Bogdar: will all these users be connected at the same time? 04:37 < MorkBork> that's 2kbit per client really 04:37 < dazo> Bogdar: as default 04:37 < dazo> MorkBork: but take into consideration that if 90% are idle .....
04:38 < MorkBork> yea but even things like key renegotiation and tcp keepalive 04:38 < Bogdar> I mean 1000 users connected to M$ AD via VPN , I don't mean 5000 parallel RDP sessions. 04:38 < MorkBork> oh okay 04:39 < MorkBork> 1000 is more reasonable just to have 'active' 04:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 04:39 < dazo> sounds more reasonable 04:39 < MorkBork> 4 processes, maybe put them all in a /22 04:39 < Bogdar> Generally, it's a good question: which bandwidth I need for 1000 VPN idle sessions. For keepalive or so. 04:39 < dazo> MorkBork: that's not going to work nicely with tun 04:39 < dazo> not with multiple openvpn processes 04:39 < MorkBork> or a /24 per process 04:39 < MorkBork> and route them all 04:39 < dazo> yeah 04:40 < dazo> that's a safer bet 04:40 < MorkBork> probably want to use aes-128-cbc instead of bf-cbc 04:40 < MorkBork> it's faster on newer computers 04:41 < MorkBork> maybe a single socket 1366 xeon would even work 04:41 < Bogdar> dazo, Do you mean that 8 openvpn instances will have a problem when configured to use TUN ? 04:41 < MorkBork> Bogdar, he means it will bog down if you put them all in the same subnet 04:41 < MorkBork> think of arp even 04:41 < dazo> Bogdar: the punishment in openvpn is the SSL renegotiations ... as that's asymmetric encryption which is used to agree on a symmetric encryption key .... the symmetric encryption (aes-128-cbc) is not that costly at all 04:42 < dazo> Bogdar: if you try to put multiple openvpn tun devices and make them share the same tun net, yeah, that's not going to work easily 04:42 < dazo> Bogdar: but if you give each of the processes separate /24 nets ... then you'll be fine and can do all with routing 04:43 < MorkBork> Bogdar, like 10.222.0. 04:43 < Bogdar> So it is better to start each openvpn instance with its own subnet and route them on host. 04:43 < MorkBork> 10.222.1. 04:43 < MorkBork> 10.222.2.
04:43 < MorkBork> etc 04:43 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 04:43 < MorkBork> yes 04:43 < dazo> definitely 04:43 < Bogdar> Nice, And I'll need to scale my setup - I'll just add another VPN box. 04:43 < MorkBork> yea 04:43 < MorkBork> that's why I said lots of cheap boxes 04:44 < MorkBork> perhaps intel atom n330 04:44 < MorkBork> 2 cores, 4 threads 04:44 < MorkBork> maybe 4 of them 04:44 < MorkBork> to start with 04:44 < MorkBork> 4 n330 servers 04:44 < dazo> MorkBork: isn't atom only hyper-threaded? 04:44 < MorkBork> via nano is nice, but we need scaling, not raw throughput 04:44 < MorkBork> the n230 is single core ht 04:44 < MorkBork> the n330 is dual core ht 04:44 < MorkBork> and both support x64 04:44 < dazo> yeah 04:44 < MorkBork> the n270 is single core ht, no x64 support, but vt extensions 04:45 < MorkBork> :P 04:45 < MorkBork> confusing, eh 04:45 < dazo> yup 04:45 < Bogdar> I think it will be some 'common' configuration on 'common' hardware provided by ISP. Double Quad Xeons or so.
04:45 < MorkBork> I'm running openvpn on n330 04:45 < MorkBork> I got 1u supermicro barebones for $220 04:45 < MorkBork> we have 2 in our datacenter now 04:45 < MorkBork> and ordered 4 more 04:46 < MorkBork> http://www.newegg.com/Product/Product.aspx?Item=N82E16816101262 04:46 < vpnHelper> Title: Newegg.com - SUPERMICRO SYS-5015A-H 1U Barebone Server Intel 945GC Intel Atom 330 Dual-Core 1.6GHz processor - Server Barebones (at www.newegg.com) 04:46 < MorkBork> my openvpn use is small though 04:48 < MorkBork> http://serverfault.com/questions/31556/openvpn-hardware-requirements 04:48 < vpnHelper> Title: OpenVPN Hardware Requirements - Server Fault (at serverfault.com) 04:48 < MorkBork> I am disappointed with atom performance (90mbit) 04:48 < MorkBork> but for 10mbit, it should scale well with multiple processes 04:49 < MorkBork> of course atom is pathetic speed ;p 04:49 < MorkBork> but it's cheap and low power 04:49 < MorkBork> can just add more and more 04:50 < MorkBork> http://www.newegg.com/Product/Product.aspx?Item=N82E16819117184 04:50 < vpnHelper> Title: Newegg.com - Intel Xeon E5530 Nehalem 2.4GHz 4 x 256KB L2 Cache 8MB L3 Cache LGA 1366 80W Quad-Core Server Processor - Processors - Servers (at www.newegg.com) 04:50 < MorkBork> that's more powerful than 10 atoms or more 04:50 < MorkBork> lol 04:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:51 < MorkBork> it's a hard decision 04:51 < MorkBork> many small servers or fewer more powerful ones 04:53 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 04:54 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 05:27 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 05:27 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 05:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 05:48 -!- hyper__ch [n=hyper@2-53.203-62.cust.bluewin.ch] has joined ##openvpn 05:49 -!- hyper_ch
[n=hyper@68-94.3-85.cust.bluewin.ch] has quit [Nick collision from services.] 05:49 -!- hyper__ch is now known as hyper_ch 05:51 -!- SkyX [n=SkyB0x@212.235.186.230] has joined ##openvpn 05:51 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Read error: 104 (Connection reset by peer)] 06:06 -!- dazo is now known as dazo_afk 06:13 < lkthomas> guys, I am on a pretty unstable 3G internet, should I turn on LZO compression at all ? 06:13 < lkthomas> is there anything I could do to reduce openvpn overhead ? 06:14 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 06:21 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 06:30 -!- Stefan [n=stefanle@83.119.216.188] has quit [Read error: 110 (Connection timed out)] 06:41 < ecrist> good morning 06:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:53 -!- hroi [n=hroi@hitabylgja.vedur.is] has joined ##openvpn 06:53 < hroi> hello 06:54 < hroi> I'm trying to find a review of openvpn vs. some proprietary vpn solutions. 06:54 < |Mike|> "ok"? 06:54 < ecrist> holy crap, this is funny: http://www.adequacy.org/stories/2001.12.2.42056.2147.html 06:54 < vpnHelper> Title: Is Your Son a Computer Hacker? (at www.adequacy.org) 06:54 < hroi> anyone know an impartial review? 06:55 < ecrist> hroi: I don't know of any. what are you looking to accomplish? 06:58 < hroi> Quake is an online virtual reality used by hackers. It is a popular meeting place and training ground, where they discuss hacking and train in the use of various firearms. 06:58 < hroi> lol 06:58 < hroi> ecrist: I want to know if openvpn compares security wise (statistically?) with closed products. 06:59 < hroi> ecrist: if it is more regularly a victim of hacking 06:59 < ecrist> openvpn uses standard SSL encryption to protect VPN traffic 06:59 < hroi> ecrist: so it may not be any more secure than ssh say 07:00 < ecrist> ssh is insecure?
07:00 < hroi> ecrist: there are people here that think vpn is somehow different security wise to ssh... 07:01 < hroi> ecrist: I guess they are wrong, I know vpn has however a nice windowing protocol 07:01 < reiffert> ssh has vpn capabilities with tun and tap btw. 07:01 < ecrist> it's not really any different in that it encrypts your traffic. VPNs tend to be more feature-complete for a networking environment, whereas ssh is usually good for limited communication between two hosts. 07:01 < reiffert> !factoids search ssh 07:01 < vpnHelper> reiffert: No keys matched that query. 07:01 < reiffert> d'oh 07:02 < ecrist> hroi: I have no idea what you mean by 'windowing protocol' 07:02 < reiffert> ecrist: did you ever try ssh with its vpn features? 07:02 < reiffert> it even supports network to network. 07:02 < ecrist> reiffert: I've used SSH to build proxy connections and port forwarding, but never used its VPN features. 07:03 < reiffert> have a look, it's worth it. 07:09 < MorkBork> openvpn is ssl based 07:09 < MorkBork> meaning it uses whatever crypto algorithm you want pretty much 07:09 < MorkBork> aes, blowfish, etc 07:09 < MorkBork> if it's supported in ssl, you can probably use it 07:11 < MorkBork> anyway it's all pretty solid 07:11 < MorkBork> in fact openvpn's default is blowfish 07:12 < MorkBork> and that was invented by a guy named bruce schiener (spelling?)
07:12 < MorkBork> smart guy 07:15 < MorkBork> http://upload.wikimedia.org/wikipedia/commons/4/45/Bruce_Schneier_1.jpg 07:15 < MorkBork> looks like the kinda guy that knows his shit 07:16 < MorkBork> this guy knows his shit too 07:16 < MorkBork> http://paradox.whoiscool.com/antilinux/alan-cooking.jpg 07:16 < MorkBork> do not underestimate the beard 07:16 -!- SkyX [n=SkyB0x@212.235.186.230] has quit [Client Quit] 07:20 -!- Argafal [i=argafal@users.tokkee.org] has quit [Read error: 60 (Operation timed out)] 07:21 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:30 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 07:35 < StefanWork> I've got a small question about getting access with machines which are in the same network as the openvpn server 07:35 < StefanWork> for example a terastation fileserver 07:39 < ecrist> so, what's your question... 07:41 < StefanWork> How to do that, sorry for the lack of information 07:42 < ecrist> !route 07:42 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:42 < StefanWork> we've tried to route it but the subnet is the problem 07:42 < StefanWork> if we fix the subnet (change it to 2 for example) it might be fixed and we can talk to the systems on the host network? 07:43 < ecrist> you have given me absolutely no information I can use to help you 07:44 -!- hyper_ch [n=hyper@2-53.203-62.cust.bluewin.ch] has quit [Remote closed the connection] 07:44 < StefanWork> Well we've got the route working although it can't reach one of the pc's; can this be due to the subnet conflict? The client network has the same subnet as the host network.
07:45 < ecrist> if you have a subnet conflict, you need to change one of them 07:46 < StefanWork> Alright, thanks again for your time :) 07:47 < ecrist> np 07:51 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn 07:56 -!- Argafal [i=argafal@users.tokkee.org] has joined ##openvpn 08:02 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:05 -!- lolufail_ [i=a02d706f@gateway/web/freenode/x-tfsthwtyvfejphvo] has joined ##openvpn 08:05 < lolufail_> hi! 08:06 < lolufail_> I just added an "up" command to my client config, but it seems to mix with commands I get from the server: 08:06 < lolufail_> Fri Nov 13 15:04:24 2009 iptables -A FORWARD -j ACCEPT -d 10.0.0.0/23 && iptables -t nat -A POSTROUTING -o tun0 -d 10.0.0.0/23 -j MASQUERADE tun0 1500 1542 192.168.31.237 192.168.31.238 init Bad argument `tun0' 08:06 -!- manueld [n=manueld@unaffiliated/manueld] has joined ##openvpn 08:06 < lolufail_> notive the tun0..... after "MASQUERADE" 08:06 < lolufail_> notice* 08:07 < lolufail_> any idea why this is mixing? 08:07 < lolufail_> tun0 wouldn't be a valid shell command anyways... 08:07 -!- hroi [n=hroi@hitabylgja.vedur.is] has left ##openvpn ["Konversation terminated!"] 08:10 < manueld> hello 08:10 < manueld> I have a problem here: my client receives an invalid netmask at connect, here is the log: http://md.pastebin.com/d30b99d7d 08:11 < manueld> it seems that the server doesn't send correct information 08:11 < manueld> but how can I fix it?
08:14 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 08:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 08:28 -!- manueld [n=manueld@unaffiliated/manueld] has quit [Read error: 145 (Connection timed out)] 08:29 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 08:42 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 09:16 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit] 09:17 -!- lolufail_ [i=a02d706f@gateway/web/freenode/x-tfsthwtyvfejphvo] has quit ["Page closed"] 09:31 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:43 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [] 09:58 -!- joel [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 09:59 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 10:16 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 10:16 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Nick collision from services.] 
10:16 -!- hyper__ch is now known as hyper_ch 10:31 -!- mirco [n=mirco@217.91.96.41] has quit [Read error: 145 (Connection timed out)] 10:49 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit [] 10:52 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 11:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:05 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 12:11 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has joined ##openvpn 12:12 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 12:13 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has joined ##openvpn 12:18 -!- mendel1 [i=mean@minnow.mati.ca] has joined ##openvpn 12:18 -!- mendel1 is now known as mendel 12:18 < mendel> Hey folks, I've discovered that I need to reload shorewall to fix routes whenever I restart openvpn. Is there a hook I should use, or should I just do that in the init script? 12:27 < Bushmills> i'd say you better try to set openvpn up such that reloading shorewall is not necessary. 12:27 < Bushmills> (and/or shorewall) 12:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 12:33 < mendel> hm 12:33 < mendel> The problem is that openvpn only adds the route to clients in the default routing table, but my shorewall configuration load-balances two Internet connections and thus maintains three routing tables 12:34 < mendel> How could I get openvpn to add routes to tables 1 and 2 as well as 0? 12:38 < Bushmills> does shorewall run on anything debian based? 12:39 < mendel> Yeah, it's just a frontend to iptables and tc and so on, distribution-agnostic. I'm running it on ubuntu, in fact 12:40 < Bushmills> you might be able to use debian's up script facility from /etc/network/interfaces, or in /etc/network/up.d 12:41 < mendel> when tun0 comes up, you mean? 
hm, I'll take a look 12:41 < Bushmills> (which ubuntu should therefore have as well) 12:42 < mendel> yeah, that makes sense, i'll give that approach a shot 13:02 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 13:23 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 13:28 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 13:57 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 13:57 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 14:04 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"] 14:16 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 14:31 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 14:53 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 113 (No route to host)] 14:58 -!- RyuKojiro [n=nnkojiro@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has quit [Read error: 104 (Connection reset by peer)] 14:59 -!- RyuKojir1 [n=nnnkojir@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has joined ##openvpn 15:22 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 15:23 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 15:29 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 16:15 -!- joel [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 16:15 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 16:36 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 16:58 -!- mikkel [n=mikkel@84.238.113.66] has quit [Client Quit] 17:01 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 17:05 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:12 -!- ErickG [n=ErickG@190.120.0.138] has quit ["Leaving."] 17:24 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 104 (Connection reset by peer)] 17:25 -!- joel [n=joel@193.145.14.94] has quit [Read 
error: 145 (Connection timed out)] 17:26 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 18:17 -!- MorkBork [n=mark@unaffiliated/morkbork] has quit ["Ex-Chat"] 18:18 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)] 18:19 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 18:19 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn 18:24 -!- arcsky_ [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 18:25 -!- arcsky [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [No route to host] 18:33 -!- master_of_master [i=master_o@p549D7B2C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:37 -!- master_of_master [i=master_o@p549D4C2C.dip.t-dialin.net] has joined ##openvpn 18:55 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 19:37 -!- joel [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 19:37 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 19:40 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 19:40 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Nick collision from services.] 
19:40 -!- hyper__ch is now known as hyper_ch 19:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 19:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 20:02 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 20:16 -!- Dougy [n=douglas@64.18.144.2] has quit ["leaving"] 20:32 -!- mirco_ [n=mirco@p54B24937.dip.t-dialin.net] has joined ##openvpn 20:39 -!- joel [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 20:40 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 20:49 -!- mirco [n=mirco@p54B25B87.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 20:49 -!- mirco_ is now known as mirco 20:52 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 21:01 -!- mirco [n=mirco@p54B24937.dip.t-dialin.net] has quit [Read error: 54 (Connection reset by peer)] 21:02 -!- mirco [n=mirco@p54B24937.dip.t-dialin.net] has joined ##openvpn 21:22 -!- joel [n=joel@193.145.14.94] has quit [Read error: 145 (Connection timed out)] 21:23 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 21:34 -!- ErickG [n=ErickG@190.87.250.222] has joined ##openvpn 21:34 -!- ErickG [n=ErickG@190.87.250.222] has quit [Remote closed the connection] 21:48 -!- Correnos [n=quassel@c-24-61-93-163.hsd1.nh.comcast.net] has joined ##openvpn 21:53 -!- Correnos [n=quassel@c-24-61-93-163.hsd1.nh.comcast.net] has quit [Remote closed the connection] 21:58 -!- ErickG [n=ErickG@190.87.250.222] has joined ##openvpn 21:58 -!- ErickG [n=ErickG@190.87.250.222] has quit [Remote closed the connection] 22:30 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:37 < freaky[t]> hi all. i got a problem. ive set up an vpn using openvpn ... on my linux machine i can ping the server and browse its shares. but on my windows machine nothing works i cant even ping the server and i cant ping the client from the server - can anybody help me? 
22:37 < Bushmills> check route on windows machine 22:38 < freaky[t]> what route? 22:38 < freaky[t]> i mean, where? 22:38 < Bushmills> route for network packets 22:38 < freaky[t]> im on vista 22:38 < freaky[t]> how do i check that? 22:38 < MorkBork> open a command prompt window 22:38 < Bushmills> no idea, i'm windows illiterate 22:38 < MorkBork> the command is route 22:38 < MorkBork> like 22:38 < MorkBork> route print 22:38 < MorkBork> or some jazz 22:39 -!- joel [n=joel@193.145.14.94] has quit [Nick collision from services.] 22:39 < freaky[t]> MorkBork do u want me to paste that ? 22:39 < MorkBork> im no expert either 22:40 < MorkBork> but you can pastebin it for someone else who might know 22:40 < MorkBork> ill look at it, sure 22:40 < Bushmills> check whether an entry for your vpn is in there 22:40 < freaky[t]> !paste 22:40 < vpnHelper> freaky[t]: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 22:40 < freaky[t]> http://www.pastebin.ca/1670830 22:41 < MorkBork> Auf Verbindung what does that mean in english? 22:41 < freaky[t]> it means on connection 22:41 < MorkBork> ahh 22:41 < freaky[t]> but makes no sense to me 22:42 < MorkBork> if you type 22:42 < MorkBork> ping 10.8.0.22 22:42 < freaky[t]> u can also say "auf verbindung wartend" which means waiting for connection 22:42 < MorkBork> in the command window 22:42 < MorkBork> does it work? 
22:42 < freaky[t]> yes that works 22:42 < freaky[t]> 10.8.0.22 is the client (my windows machine) 22:42 < freaky[t]> so local 22:42 < freaky[t]> but i cant ping 10.8.0.1 22:43 < MorkBork> thats because of the lame way windows works 22:43 < MorkBork> try pinging 10.8.0.20 22:43 < freaky[t]> ok can i make it work 22:43 < MorkBork> yes 22:43 < MorkBork> on server 22:43 < MorkBork> add these lines 22:43 < MorkBork> client-to-client 22:43 < MorkBork> topology subnet 22:43 < freaky[t]> says target not reachable 22:44 < freaky[t]> ok done i restarted the server 22:45 < freaky[t]> now i cant reconnect 22:45 < freaky[t]> using openvpn GUI it says 22:45 < freaky[t]> connecting to client has failed 22:46 < freaky[t]> wait i paste the error 22:46 < freaky[t]> http://www.pastebin.ca/1670832 22:49 < freaky[t]> oh, should i have added that to the server or client conf file? 22:49 < freaky[t]> oh nm 22:51 < freaky[t]> on server this: 22:51 < freaky[t]> Nov 14 05:50:42 master ovpn-server[15452]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 22:51 < freaky[t]> can you help me? 22:51 < freaky[t]> MorkBork? (: 22:52 < freaky[t]> without the line topology subnet 22:52 < freaky[t]> it works 22:53 < freaky[t]> please anyone? :( 22:53 < freaky[t]> ^^ 22:56 -!- joel [n=joel@193.145.14.94] has joined ##openvpn 23:01 < freaky[t]> hm =( 23:02 < freaky[t]> i removed topology subnet again 23:02 < freaky[t]> it still doesnt work :( 23:03 < freaky[t]> MorkBork is my openvpn on this machine too old? 23:04 < freaky[t]> because it doesnt understand topology subnet on push options thing 23:05 < MorkBork> maybe 23:05 < MorkBork> i had that problem too 23:05 < freaky[t]> what did u do to fix it? 
23:05 < MorkBork> topology subnet only works in 2.1 23:05 < MorkBork> iirc 23:05 < MorkBork> not 2.0.x 23:05 < freaky[t]> Installed: 2.1~rc20-2 23:05 < freaky[t]> on server 23:06 < freaky[t]> how do i find out what version i have with my openvpn gui 23:06 < MorkBork> topology subnet is not push option 23:06 < MorkBork> its just a line in the server 23:06 < freaky[t]> ok but it makes me unable to connect 23:08 < freaky[t]> ok ill update to current beta 23:08 < freaky[t]> hope it works 23:09 < MorkBork> im using 2.1 rc11 23:09 < MorkBork> yours is newer so should work fine 23:10 < MorkBork> proto udp 23:10 < MorkBork> dev tun0 23:10 < MorkBork> client-to-client 23:10 < MorkBork> topology subnet 23:10 < freaky[t]> no that was on the server 23:10 < MorkBork> yes 23:10 < MorkBork> client does not require those options 23:10 < freaky[t]> my client has 2.0.9 23:10 < freaky[t]> ah ok 23:10 < MorkBork> oh 23:11 < MorkBork> yes client will need to be 2.1 for topology subnet 23:11 < MorkBork> it makes it much better 23:11 < MorkBork> for windows 23:11 < freaky[t]> i cant install 2.1* 23:11 < freaky[t]> it says it got problems with tap device incompatibility 23:11 < freaky[t]> :( 23:11 < MorkBork> hmm i just installed newest on xp laptop 23:11 < MorkBork> so you cannot use topology subnet on server 23:11 < MorkBork> =[ 23:11 < MorkBork> but client-to-client option will work 23:11 < MorkBork> and may help 23:12 < freaky[t]> doesnt help 23:12 < MorkBork> what is your push option 23:12 < MorkBork> try 23:12 < MorkBork> push "redirect-gateway local def1" 23:13 < freaky[t]> on server? 23:13 < MorkBork> yes 23:13 < freaky[t]> i need to install the 2.0.9 again 23:13 < MorkBork> you can try with newer server 23:16 < freaky[t]> doesnt help 23:17 < freaky[t]> still cant ping 23:18 < freaky[t]> and i cant install newer openvpn gui version because it says it's incompatible 23:18 < MorkBork> =[ 23:18 < MorkBork> maybe its just a simple firewall problem? 
23:18 < freaky[t]> my firewall is disabled 23:20 < freaky[t]> :( 23:21 < MorkBork> i told you im not expert 23:21 < MorkBork> its working for me with very simple config 23:23 < freaky[t]> u're lucky hehe 23:23 < freaky[t]> can anybody else here help me? i cant ping client from server and server can't ping client. anyone? :D 23:24 < freaky[t]> MorkBork thank you for your help :)) 23:25 < MorkBork> sorry we could not solve it 23:25 < freaky[t]> no problem hehe 23:25 < freaky[t]> i hope i can find someone who can help me out 23:36 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:43 -!- dazo_afk [n=dazo@nat/redhat/x-vzstbnsrwoorjnqe] has quit [Read error: 110 (Connection timed out)] 23:45 -!- joel [n=joel@193.145.14.94] has quit [Nick collision from services.] --- Day changed Sat Nov 14 2009 00:07 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has quit [Remote closed the connection] 00:08 -!- sakhi [n=sakhi@196.11.235.1] has joined ##openvpn 00:23 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 00:24 < freaky[t]> hi all. can anybody help me with openvpn? My server (linux) can't ping my client (windows) and vice versa. 00:36 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 00:43 < tjz> try disable both end's firewall.. 
00:50 < freaky[t]> did that already 00:50 < freaky[t]> doesnt help 00:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 01:03 -!- Kidpunkx [n=kidpunkx@adsl-85-46-217.mco.bellsouth.net] has joined ##openvpn 01:16 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 01:19 -!- Kidpunkx [n=kidpunkx@adsl-85-46-217.mco.bellsouth.net] has left ##openvpn ["Leaving"] 01:35 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 01:36 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded] 01:36 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 02:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 05:02 < freaky[t]> !topology 05:02 < vpnHelper> freaky[t]: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 05:02 < freaky[t]> !/30 05:02 < vpnHelper> freaky[t]: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:03 < freaky[t]> hi all. i set up openvpn on a linux server. everything works fine with my linux client, but if i boot into windows, the server (linux) cant ping the client (windows) and vice versa - can someone help me? 05:06 < hyper_ch> blame windows :) 05:06 < krzee> !winfw 05:06 < vpnHelper> krzee: Error: "winfw" is not a valid command. 05:06 < krzee> bleh 05:06 < krzee> windows firewall 05:06 < krzee> !firewall 05:06 < vpnHelper> krzee: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
05:07 < krzee> heh thats not it either 05:07 < krzee> !factoids search win 05:07 < vpnHelper> krzee: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin' 05:07 < krzee> whatever, make sure to disable windows firewall for the tap device, also any other software firewalls you may have 05:15 < freaky[t]> i disabled the windows firewall it still doesn't work 06:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 06:53 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 07:00 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 07:04 -!- mirco [n=mirco@p54B24937.dip.t-dialin.net] has quit [] 07:31 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 08:06 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 08:06 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 08:06 -!- hyper__ch is now known as hyper_ch 08:15 -!- CheBuzz_ [n=CheBuzz@13-46.li.cytanet.com.cy] has joined ##openvpn 08:16 < CheBuzz_> I am getting an error "write UDPv4 []: No buffer space available (code=105)" and the only solution I could find was to bump min_free_kbytes, but mine is already set to 8M. Any ideas what would cause this? 08:17 < CheBuzz_> OpenVPN 2.0.9 x86_64-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Mar 8 2007 08:17 < CheBuzz_> Developed by James Yonan 08:17 < CheBuzz_> Copyright (C) 2002-2005 OpenVPN Solutions LLC 08:18 < reiffert> upgrade to 2.1rc21. 08:20 < CheBuzz_> Known bug? 08:20 < reiffert> 4 year old software, trillions of known bugs. 08:21 < CheBuzz_> 2.0.9 is 4 years old? CentOS doesn't have a newer package in my repos. I'll have to go a'searchin' 08:22 < reiffert> go for a source build/ 08:22 < reiffert> . 
08:50 < Bushmills> (that makes it about 500000000 bugs per program line) 08:51 < Bushmills> 20000000 bugs per source character :) 08:55 * Optic rocking out to grooooove salad 09:09 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 113 (No route to host)] 09:17 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 09:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 09:29 -!- CheBuzz_ [n=CheBuzz@13-46.li.cytanet.com.cy] has left ##openvpn ["Leaving"] 09:32 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:36 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 09:36 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 09:46 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 131 (Connection reset by peer)] 09:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 10:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 10:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 10:28 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 10:28 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 10:29 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 10:35 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 10:42 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 10:50 -!- Otacon22 [n=otacon22@93-36-131-235.ip60.fastwebnet.it] has joined ##openvpn 10:50 < Otacon22> i've got this error: 10:50 < Otacon22> Sat Nov 14 17:50:18 2009 us=538925 Local Options hash (VER=V4): 'a917298a' 10:50 < Otacon22> Sat Nov 14 17:50:18 2009 us=539051 Expected Remote Options hash (VER=V4): '10f35004' 10:50 < Otacon22> why? 10:53 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 11:04 < Otacon22> My certificate has expired! 
11:04 < Otacon22> how can i set openvpn to don't expire certificates? 11:24 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 11:32 < ecrist> you can't 12:03 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 12:21 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 12:21 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 13:45 < freaky[t]> !configs 13:45 < vpnHelper> freaky[t]: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:45 < freaky[t]> !paste 13:45 < vpnHelper> freaky[t]: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 13:51 < freaky[t]> !logs 13:51 < vpnHelper> freaky[t]: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 13:53 -!- lietu_ [n=lutka@owner.of.lietu.net] has joined ##openvpn 13:53 < freaky[t]> hi all. i got a problem. my windows client can't ping the linux server and vice versa. with a linux client everything works. here the configs: 13:53 < freaky[t]> http://www.pastebin.ca/1671425 13:53 < freaky[t]> can someone please help me? 13:57 -!- lietu [n=lutka@dungeon.of.lietu.net] has quit [Read error: 60 (Operation timed out)] 13:58 < freaky[t]> brb reboot in windows for the logs 14:15 < freaky[t]> ok, now can anyone help me. i have set up openvpn on a linux server. with a linux client it works without problems. but with a windows client server and client can't ping each other. Logs: http://pastebin.ca/1671451 Configs: http://www.pastebin.ca/1671425 - in the config i've added route-method exe since i pasted it. 
14:15 < freaky[t]> *client config 14:15 < freaky[t]> ok, now can anyone help me. i have set up openvpn on a linux server. with a linux client it works without problems. but with a windows client server and client can't ping each other. Logs: http://pastebin.ca/1671451 Configs: http://www.pastebin.ca/1671425 - in the client config i've added route-method exe since i pasted it. 14:16 -!- kosmic [n=kosmic@unaffiliated/spice] has left ##openvpn [] 14:22 < freaky[t]> ive disabled the firewall 14:23 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 14:25 < freaky[t]> if i try to ping 10.8.0.1 from the client it also says that 192.168.1.2 says that the target is not reachable but 192.168.1.2 is the lan ip of this windows client 14:25 < freaky[t]> if that makes any sense 14:41 < freaky[t]> hm :( 14:45 < |Mike|> have you pushed the right route ? 14:45 < |Mike|> e.g can your client connect to your ovpn server? 14:46 < freaky[t]> im using the same config i use for my linux client 14:46 < freaky[t]> (dual boot system) 14:46 < freaky[t]> i mean not dual boot 14:46 < freaky[t]> i mean 14:47 < freaky[t]> i can boot linux or windows 14:47 < freaky[t]> and under linux it works 14:47 < freaky[t]> so i think the configuration options there must be right 14:47 < freaky[t]> i used the default ones 14:48 < freaky[t]> how do i check if my client can connect to the ovpn server? 14:48 < freaky[t]> the vpn connection is established but i cant ping and i cant see any samba shares - under linux all this works 14:50 < |Mike|> firewalls are off ? 14:51 < |Mike|> are the certificates in the right paths etc? 14:51 < freaky[t]> yes 14:51 < freaky[t]> yes they are 14:51 < |Mike|> ipconfig ? 14:51 < |Mike|> does that show you a 10.8.x ip ? 14:51 < freaky[t]> what ipconfig? 14:51 < freaky[t]> wait 14:52 < freaky[t]> yes 10.8.0.22 14:55 < freaky[t]> but it has no standard gateway 14:55 < freaky[t]> the entry for the lan connection for the vpn 14:55 < freaky[t]> is that normal?
15:00 < freaky[t]> hm seems like 15:02 < freaky[t]> can someone help me? ;D 15:03 < |Mike|> you just answered your question :) 15:05 < freaky[t]> ? i still can't ping the server from the client and the server not from the client 15:05 < |Mike|> 2009/11/14 21:49:37 < freaky[t]> but it has no standard gateway 15:05 < freaky[t]> ok but i dont know how to solve that problem 15:05 < |Mike|> !howto 15:05 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:06 < freaky[t]> i've done everything from that howto ? 15:06 < |Mike|> does your openvpn server have a firewall ? 15:06 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 15:06 < |Mike|> anyway, i have visitors here. ttyl. 15:07 < freaky[t]> |Mike| no it doesnt have a firewall 15:07 < freaky[t]> ok when you're back please highlight me 15:15 < freaky[t]> i really dont know what to do :( 15:59 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 16:05 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 16:07 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 110 (Connection timed out)] 16:08 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 16:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:05 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 17:05 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 17:10 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 110 (Connection timed out)] 17:10 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 17:12 -!- ErickG [n=ErickG@200.12.225.22] has joined ##openvpn 17:15 -!- ErickG [n=ErickG@200.12.225.22] has quit [Client Quit] 17:21 -!- ErickG [n=ErickG@200.12.225.22] has joined ##openvpn 17:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 17:25 -!- Rolybrau
[n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 17:47 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 17:47 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 17:58 -!- acidchil1 [n=ash@li88-140.members.linode.com] has quit [Client Quit] 18:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:08 -!- xod [n=onats@112.201.190.51] has joined ##openvpn 18:09 -!- ErickG [n=ErickG@200.12.225.22] has quit ["Leaving."] 18:10 -!- xod is now known as onats 18:33 -!- master_of_master [i=master_o@p549D4C2C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:37 -!- master_of_master [i=master_o@p549D69F6.dip.t-dialin.net] has joined ##openvpn 18:38 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 18:39 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 19:22 -!- ErickG [n=ErickG@168.243.48.52] has joined ##openvpn 19:34 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 145 (Connection timed out)] 19:59 < freaky[t]> |Mike| you there? (: 20:01 -!- ErickG [n=ErickG@168.243.48.52] has quit [Read error: 110 (Connection timed out)] 20:05 -!- ErickG [n=ErickG@168.243.48.52] has joined ##openvpn 20:30 < freaky[t]> hi all. I've set up an openvpn server (linux). on my vpn linux client everything is working, but on my windows client the server and the client can't ping each other. configs: http://www.pastebin.ca/1671425 logs: logs: http://pastebin.ca/1671451 I've only added route-method exe to the client.ovpn. can anyone please help me? 
20:31 -!- ErickG1 [n=ErickG@168.243.48.52] has joined ##openvpn 20:36 < freaky[t]> hm :( 20:36 -!- ErickG [n=ErickG@168.243.48.52] has quit [Read error: 104 (Connection reset by peer)] 20:41 < MorkBork> =[ 20:42 < freaky[t]> hey MorkBork ^^ 20:48 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 20:48 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 20:50 -!- alice|wl [n=helo@notomorrow.de] has left ##openvpn [] 20:51 -!- epinky [n=epinky@unaffiliated/trismegisto] has joined ##openvpn 20:53 -!- epinky [n=epinky@unaffiliated/trismegisto] has left ##openvpn [] 20:54 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 21:07 -!- ErickG1 [n=ErickG@168.243.48.52] has left ##openvpn [] 21:10 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 21:59 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 110 (Connection timed out)] 22:00 -!- correcaminos_ [n=laguilar@201.201.46.106] has joined ##openvpn 22:00 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 22:17 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 22:17 -!- correcaminos [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 22:20 < freaky[t]> It's working :D I compiled older version for the server - now it's working :D 22:45 < tjz> pacman vs cotto!! 22:57 < MorkBork> yay 23:07 < freaky[t]> anyone familiar with samba over ovpn - tun? the samba shares don't show up. 
my openvpn puses a wins thingy to clients and on linux i can see the shares - just not on windows 23:07 < freaky[t]> i mean pushes 23:07 < freaky[t]> push "dhcp-option WINS 10.8.0.1" 23:08 < freaky[t]> but the server just doesnt show up i tried switching to the workgroup of the server - still doesnt work 23:17 < MorkBork> try mapping share directly by ip 23:17 < MorkBork> like \\10.8.0.4\share 23:17 < freaky[t]> that works 23:17 < freaky[t]> but i want the shares to show up in the browser 23:17 < freaky[t]> like, when more clients join so they can see the server, and everyone can see each other 23:32 < MorkBork> well 23:32 < MorkBork> i think that has to do with broadcast packets and netbios 23:32 < MorkBork> i.e. read about the difference between tap and tun 23:33 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 23:33 < freaky[t]> yea i know but someone told me that that should still work 23:33 < freaky[t]> but i got a question about tap 23:33 < freaky[t]> can i use tap even if i only have 1 network card in the server, and use that network card for internet + openvpn? do i have to bridge any NICs? or can i leave the bridging out? 23:47 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 60 (Operation timed out)] 23:53 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] --- Day changed Sun Nov 15 2009 00:13 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 01:15 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 01:18 -!- Kelly8 [n=Kelly@70-100-96-179.dsl1-fairport.roc.ny.frontiernet.net] has joined ##openvpn 01:19 < Kelly8> hi 01:19 < Kelly8> anybody good with tree graphs? 01:24 -!- Kelly8 [n=Kelly@70-100-96-179.dsl1-fairport.roc.ny.frontiernet.net] has quit ["English literature´s performing flea. -- Sean O´Casey on P. G.
Wodehouse"] 01:33 -!- redfox [n=redfox2@ns351996.ovh.net] has quit [Read error: 60 (Operation timed out)] 01:35 -!- [flux]redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn 02:04 -!- fink [n=guest@1Cust2307.an2.dca17.da.uu.net] has joined ##openvpn 02:23 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 02:23 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 02:38 -!- fink_ [n=guest@166.197.236.205] has joined ##openvpn 03:00 -!- fink [n=guest@1Cust2307.an2.dca17.da.uu.net] has quit [Read error: 110 (Connection timed out)] 03:00 -!- fink_ is now known as fink 03:17 -!- correcaminos [n=laguilar@201.201.46.106] has joined ##openvpn 03:19 -!- correcaminos_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 04:04 -!- bandini [n=bandini@host167-108-dynamic.25-79-r.retail.telecomitalia.it] has joined ##openvpn 04:07 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)] 04:15 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 04:16 -!- neoice [n=neoice@thule.neoice.net] has quit [Read error: 110 (Connection timed out)] 04:53 < freaky[t]> !config 04:53 < vpnHelper> freaky[t]: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose. 04:53 < freaky[t]> !configs 04:53 < vpnHelper> freaky[t]: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:54 < freaky[t]> hi all i have a question. why do I, as first client, get an ip address of 10.8.0.48 ? 
server config: http://pastebin.ca/1672008 04:55 -!- fink [n=guest@166.197.236.205] has left ##openvpn [] 05:00 -!- [flux]redfox [n=redfox2@ns351996.ovh.net] has quit [Read error: 60 (Operation timed out)] 05:01 -!- [flux]redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn 05:02 < MorkBork> ipp pool persist 05:02 < MorkBork> probably 05:02 < MorkBork> look for file 05:02 < MorkBork> ipp.txt :P 05:14 < freaky[t]> i deleted it :D thanks ^^ 05:14 < freaky[t]> works now ^^ 05:14 < freaky[t]> great everything is working even with broadcasts :DD 05:14 < MorkBork> very nice 05:14 < MorkBork> did you have to switch tap/tun? 05:14 < freaky[t]> yea 05:14 < freaky[t]> but only tun and tap 05:15 < freaky[t]> nothing else 05:15 < MorkBork> very nice 05:15 < freaky[t]> no bridging setup or whatever 05:15 < MorkBork> no need for bridge? 05:15 < MorkBork> oh wow 05:15 < MorkBork> excellent 05:15 < freaky[t]> yea :D 05:15 < MorkBork> i have never used bridge mode openvpn 05:15 < MorkBork> always routed 05:15 < freaky[t]> ;D 05:47 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 05:47 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 06:45 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 145 (Connection timed out)] 06:46 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 07:25 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 07:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:48 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 08:57 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 09:08 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 09:14 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:32 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 09:52 -!- Otacon22 [n=otacon22@93-36-131-235.ip60.fastwebnet.it] has quit [Read error: 104 (Connection reset by peer)] 10:09 -!- [flux]redfox is now known 
as redfox 10:09 -!- redfox is now known as Guest98473 10:11 -!- Guest98473 is now known as redfox 10:21 -!- dissocia1ive [n=dissocia@190.71.10.174] has joined ##openvpn 10:21 < dissocia1ive> a simple tunnel without static key would allow to anyone to connect to the vpn server? 10:26 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 10:39 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 10:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 10:41 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 10:41 -!- buntfalke [n=nobody@openvpn-p0-220.triple-a.uni-kl.de] has joined ##openvpn 10:51 < HardDisk_WP> dissocia1ive, yup 11:01 -!- lietu [n=lutka@owner.of.lietu.net] has joined ##openvpn 11:17 -!- lietu_ [n=lutka@owner.of.lietu.net] has quit [Read error: 113 (No route to host)] 11:20 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 11:20 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 11:21 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 11:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:32 -!- ard1an [n=ardian@213.149.99.27] has joined ##openvpn 11:33 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 11:38 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out] 11:48 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 11:50 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: |Mike|, julius_, disco-, JyZyXEL, kala_, drue, Rolybrau, buntfalke, mrnice1, vpnHelper, (+15 more, use /NETSPLIT to show all of them) 11:50 -!- Netsplit over, joins: LobbyZ 11:50 -!- Rolybrau [n=Rolybrau@245-159.79-83.cust.bluewin.ch] has joined ##openvpn 11:52 -!- Netsplit over, joins: jfkw 11:53 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn 11:58 -!- Rolybrau is now known as Guest93713 
11:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 11:59 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 11:59 -!- julius_ [n=julius@217.20.127.15] has joined ##openvpn 11:59 -!- endre [i=me2@urbnet.hu] has joined ##openvpn 11:59 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 12:00 -!- sakhi [n=sakhi@196.11.235.1] has joined ##openvpn 12:00 -!- mendel [i=mean@unaffiliated/mendel] has joined ##openvpn 12:00 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn 12:00 -!- LowKey [i=rhel@72.20.2.134] has joined ##openvpn 12:00 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn 12:00 -!- CaBa [n=caba@unique-inter.net] has joined ##openvpn 12:00 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 12:00 -!- julius___ [n=julius@217.20.127.15] has joined ##openvpn 12:00 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Success] 12:00 -!- julius_ [n=julius@217.20.127.15] has quit [Connection reset by peer] 12:00 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [SendQ exceeded] 12:02 -!- arcsky_ [n=arcsky@2a01:48:100:1:1:0:0:1c2] has joined ##openvpn 12:02 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn 12:02 -!- Typone [n=nnnitsme@195.197.184.87] has joined ##openvpn 12:02 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 12:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:03 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 12:03 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn 12:03 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn 12:03 -!- Sebb [n=sebastia@einstein.f0o.de] has joined ##openvpn 12:04 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 12:05 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Connection timed out] 12:11 < dissocia1ive> there would be any difference between using a vpn without encryption 
over an unencrypted vpn aside from security 12:11 < dissocia1ive> erm 12:11 < dissocia1ive> encrypted vs unencrypted 12:11 < hyper__ch> there is no such thing as unencrypted vpn IMHO 12:14 < Bushmills> "virtual public network" 12:14 < hyper__ch> :) 12:16 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out] 12:20 < dissocia1ive> lol 12:21 < hyper__ch> Bushmills: shouldn't that be called v-pun to not confuse it with vpn? 12:24 -!- APTX|_ is now known as APTX| 12:24 < dissocia1ive> I'm going to implement my startup script, can openvpn load the tun driver automatically or does it have to be done manually? 12:26 < Bushmills> i'd probably call it v-unpn (for unprivate) 12:27 < dissocia1ive> q 12:28 < hyper__ch> :) 12:29 < Bushmills> others might just call it "a tunnel" 12:29 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 12:46 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Connection timed out] 12:49 -!- dissociative [n=dissocia@adsl190-28-91-111.epm.net.co] has joined ##openvpn 12:50 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 12:50 < magic_1> hi all 12:51 < magic_1> !iporder 12:51 < magic_1> hahahahahahahaha 12:51 < magic_1> hi guys, hoping someone could help 12:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 12:52 < magic_1> i read that i need to make sure that all settings are exactly of the keys in order for me to route behind client side 12:53 < magic_1> cause i can route to server side but i can't route to client side 13:00 < magic_1> i did not originally create the keys, so now i need to check what they are 13:00 < magic_1> any and all help is really greatly appreciated 13:11 -!- Guest93713 [n=Rolybrau@245-159.79-83.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 13:13 -!- dissocia1ive [n=dissocia@190.71.10.174] has quit [Read error: 110 (Connection timed out)] 
13:13 -!- dissocia1ive [n=dissocia@adsl190-28-185-66.epm.net.co] has joined ##openvpn 13:25 -!- dissociative [n=dissocia@adsl190-28-91-111.epm.net.co] has quit [Read error: 110 (Connection timed out)] 13:25 -!- dissociative [n=dissocia@adsl190-28-67-137.epm.net.co] has joined ##openvpn 13:27 -!- Guest93713 [n=Rolybrau@1-237.0-85.cust.bluewin.ch] has joined ##openvpn 13:32 -!- dissocia1ive [n=dissocia@adsl190-28-185-66.epm.net.co] has quit [Read error: 110 (Connection timed out)] 13:40 -!- dissocia1ive [n=dissocia@adsl190-28-172-27.epm.net.co] has joined ##openvpn 13:47 -!- bandini [n=bandini@host167-108-dynamic.25-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"] 14:01 -!- dissocia2ive [n=dissocia@adsl190-28-158-246.epm.net.co] has joined ##openvpn 14:01 -!- dissociative [n=dissocia@adsl190-28-67-137.epm.net.co] has quit [Read error: 110 (Connection timed out)] 14:02 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 14:03 -!- dissocia1ive [n=dissocia@adsl190-28-172-27.epm.net.co] has quit [Read error: 54 (Connection reset by peer)] 14:05 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 14:08 -!- dissociative [n=dissocia@190.71.7.204] has joined ##openvpn 14:09 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)] 14:21 -!- dissocia2ive [n=dissocia@adsl190-28-158-246.epm.net.co] has quit [Read error: 110 (Connection timed out)] 14:35 < arcsky_> hello isn't it possible with correct routes and so on to ping from the vpn server to the vpn client's network 14:40 < reiffert> arcsky_: please read more about routing here: 14:40 < reiffert> !route 14:40 -!- whodevil [n=anon@c-71-236-152-254.hsd1.or.comcast.net] has joined ##openvpn 14:40 < reiffert> damn, the url bot is down. 14:40 < whodevil> does anyone know if openvpn encodes its certs with der by default? 
14:40 < hyper__ch> no bot reply :( 14:41 < reiffert> whodevil: it's a matter of the shell scripts that come with openvpn, called easy-rsa, and I don't think they do this by default, but feel free to improve. 14:42 < whodevil> ok thanks 14:44 < whodevil> oh sweet I think I can just convert the certs I have to der :) 14:51 -!- dissocia1ive [n=dissocia@adsl190-28-216-140.epm.net.co] has joined ##openvpn 14:53 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 14:53 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 15:01 -!- dissocia2ive [n=dissocia@190.71.50.24] has joined ##openvpn 15:02 < magic_1> is there any way i can check if openvpn is allowing routing through and not blocking due to key or anything like that 15:05 -!- whodevil [n=anon@c-71-236-152-254.hsd1.or.comcast.net] has left ##openvpn [] 15:05 < Bushmills> key determines connect or no connect 15:06 < Bushmills> your operating system does the routing 15:08 -!- dissociative [n=dissocia@190.71.7.204] has quit [Read error: 104 (Connection reset by peer)] 15:10 < magic_1> true this i understand, but for some reason, i can't route traffic through to client side 15:10 < magic_1> i have set ccd and server.conf 15:10 < magic_1> run tcpdump 15:11 < magic_1> traffic doesn't get to my internal interface, but can ping tun0 15:11 < magic_1> which doesn't make sense at all 15:12 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 15:13 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 15:13 < magic_1> key connects perfectly and routes perfectly from client side to server side 15:15 -!- dissocia1ive [n=dissocia@adsl190-28-216-140.epm.net.co] has quit [Read error: 110 (Connection timed out)] 15:19 < Bushmills> !firewall 15:23 -!- correcaminos_ [n=laguilar@201.201.46.106] has joined ##openvpn 15:25 < Bushmills> what is what you call your internal interface? 15:25 < Bushmills> loopback device? 
15:30 -!- dissociative [n=dissocia@adsl190-28-132-10.epm.net.co] has joined ##openvpn 15:33 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:37 < dissociative> lol! 15:39 -!- correcaminos [n=laguilar@201.201.46.106] has quit [Connection timed out] 15:41 -!- dissocia2ive [n=dissocia@190.71.50.24] has quit [Read error: 110 (Connection timed out)] 15:47 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 15:51 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn 15:52 -!- hyper___ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 15:52 -!- hyper___ch is now known as hyper_ch 16:05 -!- dissocia1ive [n=dissocia@adsl190-28-71-61.epm.net.co] has joined ##openvpn 16:08 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Success] 16:08 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Read error: 110 (Connection timed out)] 16:10 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 16:10 -!- dissocia1ive [n=dissocia@adsl190-28-71-61.epm.net.co] has quit [Read error: 104 (Connection reset by peer)] 16:11 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 16:12 -!- dissocia1ive [n=dissocia@adsl190-28-90-170.epm.net.co] has joined ##openvpn 16:17 -!- dissociative [n=dissocia@adsl190-28-132-10.epm.net.co] has quit [Read error: 110 (Connection timed out)] 16:21 -!- dissocia1ive [n=dissocia@adsl190-28-90-170.epm.net.co] has quit [Read error: 104 (Connection reset by peer)] 16:22 -!- dissociative [n=dissocia@adsl190-28-211-126.epm.net.co] has joined ##openvpn 16:28 -!- ard1an [n=ardian@213.149.99.27] has quit ["Leaving"] 16:29 -!- dissocia1ive [n=dissocia@adsl190-28-165-114.epm.net.co] has joined ##openvpn 16:40 -!- dissocia1ive [n=dissocia@adsl190-28-165-114.epm.net.co] has quit [Read error: 60 (Operation timed out)] 16:44 -!- dissocia1ive [n=dissocia@adsl190-28-84-105.epm.net.co] has joined ##openvpn 16:52 -!- dissocia2ive 
[n=dissocia@adsl190-28-136-227.epm.net.co] has joined ##openvpn 16:53 -!- temba_alternativ [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"] 16:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 16:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 16:54 -!- dissociative [n=dissocia@adsl190-28-211-126.epm.net.co] has quit [Read error: 110 (Connection timed out)] 16:59 -!- dissociative [n=dissocia@adsl190-28-150-223.epm.net.co] has joined ##openvpn 17:03 -!- dissocia1ive [n=dissocia@adsl190-28-84-105.epm.net.co] has quit [Read error: 110 (Connection timed out)] 17:08 -!- dissocia1ive [n=dissocia@adsl190-28-68-152.epm.net.co] has joined ##openvpn 17:09 -!- dissocia1ive [n=dissocia@adsl190-28-68-152.epm.net.co] has quit [Read error: 104 (Connection reset by peer)] 17:11 -!- dissocia2ive [n=dissocia@adsl190-28-136-227.epm.net.co] has quit [Read error: 110 (Connection timed out)] 17:15 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 54 (Connection reset by peer)] 17:16 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn 17:19 -!- dissocia1ive [n=dissocia@190.71.3.80] has joined ##openvpn 17:28 -!- xod_ [n=onats@112.201.131.153] has joined ##openvpn 17:28 -!- dissociative [n=dissocia@adsl190-28-150-223.epm.net.co] has quit [Read error: 110 (Connection timed out)] 17:43 -!- onats [n=onats@unaffiliated/onats] has quit [Read error: 110 (Connection timed out)] 18:06 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 18:07 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 18:09 -!- xod_ [n=onats@112.201.131.153] has quit [Remote closed the connection] 18:28 -!- dissociative [n=dissocia@adsl190-28-142-97.epm.net.co] has joined ##openvpn 18:28 < |Mike|> Hello :-) 18:34 -!- master_of_master [i=master_o@p549D69F6.dip.t-dialin.net] has quit [Read error: 110 
(Connection timed out)] 18:37 -!- master_of_master [i=master_o@p549D7DE2.dip.t-dialin.net] has joined ##openvpn 18:41 -!- dissocia1ive [n=dissocia@190.71.3.80] has quit [Read error: 110 (Connection timed out)] 18:53 -!- arcsky_ [n=arcsky@2a01:48:100:1:1:0:0:1c2] has quit [Read error: 60 (Operation timed out)] 18:59 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 19:00 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 19:00 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Nick collision from services.] 19:00 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 19:00 -!- hyper__ch is now known as hyper_ch 19:08 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:13 -!- dissocia1ive [n=dissocia@190.71.3.12] has joined ##openvpn 19:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 19:23 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 19:23 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 19:24 -!- dissociative [n=dissocia@adsl190-28-142-97.epm.net.co] has quit [Read error: 110 (Connection timed out)] 20:00 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 60 (Operation timed out)] 20:00 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 20:43 -!- dissocia1ive [n=dissocia@190.71.3.12] has left ##openvpn [] 20:49 -!- hyper__ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has joined ##openvpn 20:49 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Nick collision from services.] 20:49 -!- hyper__ch is now known as hyper_ch 21:44 -!- ploo [n=lbz@c-98-245-232-141.hsd1.co.comcast.net] has joined ##openvpn 21:45 < ploo> when setting up openvpn server, the config file where it says server can I do a starting ip and the subnet? 
21:50 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["Leaving"] 22:10 -!- ploo [n=lbz@c-98-245-232-141.hsd1.co.comcast.net] has quit ["Leaving"] 22:13 -!- hungnv [n=hungnv@unaffiliated/hungnv] has joined ##openvpn 22:14 < hungnv> hello everyone, my network has a hardware router provides ip for various servers, includes one Linux firewall for LAN. NOw I want to setup openvpn on this firewall, I dont know how vpn-client can connect to vpn server thru hardware firewall then get LAN ip? 22:22 < Bushmills> hungnv: you specify port and protocol in both server and client config 22:38 < hungnv> Bushmills: thanks 22:38 < hungnv> got to go 22:38 -!- hungnv [n=hungnv@unaffiliated/hungnv] has quit ["WeeChat 0.2.6.1"] 22:41 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 22:41 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 22:57 -!- hyper__ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has joined ##openvpn 22:57 -!- hyper_ch [n=hyper@adsl-84-226-75-115.adslplus.ch] has quit [Nick collision from services.] 22:57 -!- hyper__ch is now known as hyper_ch 23:32 -!- correcaminos_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 23:32 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 23:32 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 23:34 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] --- Day changed Mon Nov 16 2009 00:05 < phusion> could anyone tell me what's the most i can do to stop an openvpn client from timing out 00:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:24 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has quit [Remote closed the connection] 00:35 < MorkBork> the ping option? 
00:35 < MorkBork> keepalive 10 120 00:36 < MorkBork> http://openvpn.net/index.php/open-source/documentation/howto.html#server 00:36 < MorkBork> scroll down to the keepalive option 00:36 < MorkBork> it's got a nice comment that explains it well 00:46 -!- hl [n=chatzill@i59F5FD33.versanet.de] has joined ##openvpn 00:46 < hl> hello 00:47 -!- hl is now known as stf 00:48 < stf> Is there a way to make a client-to-client connection with openvpn? 00:50 < stf> someone on? 00:57 -!- stf [n=chatzill@i59F5FD33.versanet.de] has quit ["ChatZilla 0.9.85 [Firefox 3.5.1/20090715094852]"] 01:06 < MorkBork> yes 01:06 < MorkBork> the client-to-client option 01:06 < MorkBork> ;x 01:16 -!- hyper_ch [n=hyper@62-93.78-83.cust.bluewin.ch] has joined ##openvpn 01:35 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 110 (Connection timed out)] 01:36 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 01:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:08 -!- Bogdar [n=bogdan@84.201.238.126] has left ##openvpn ["Leaving"] 02:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 03:06 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 60 (Operation timed out)] 03:06 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 03:15 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 03:18 < StefanWork> Hello, I've got a small question. We've got our OpenVPN server running smoothly. However, we want to access the lan on which the OpenVPN server resides as well. client-to-client works but we want to access a PC which doesn't have OpenVPN installed as a client. We've tried to route it by issuing the lan address 192.168.xxx.0 255.255.255.0. The client on which we tested this externally had the same subnet as our internal lan network. 
Thi 03:19 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 03:25 < reiffert> " as our internal lan network. Thi 03:25 < reiffert> " 03:26 < reiffert> !route 03:26 -!- Sky[x] [n=SkyB0x@212.235.182.201] has joined ##openvpn 03:29 < StefanWork> We've already tried that. However I think the problem lies with the same subnets and we can't change those subnets in the router 03:29 -!- Sky[x] [n=SkyB0x@212.235.182.201] has quit [Client Quit] 03:31 < reiffert> How should it work then? 03:37 < StefanWork> Hehehe. I don't know that's why i'm asking here :). We've already tried routing but in the combination with routing. What else has to happen? 03:40 < reiffert> make sure to have different subnets. 03:41 < reiffert> everything else is fsck. 03:42 < StefanWork> so if the host lan has 192.168.1.x and the client lan has 192.168.1.x this could mean problems? if you route "192.168.1.0 255.255.255.0"? 03:45 < reiffert> pretty obvious. 03:46 < StefanWork> Could you explain why? This would give me more insight on how this actually works. I'm more of a website programmer 03:47 < reiffert> how should a router know where to send a network packet to? 03:48 < StefanWork> it doesn't because it could either go to the host lan or the client lan... 04:01 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:04 < StefanWork> But how to solve this. When i'm connected to the OpenVPN server it doesn't seem to give out a default-gateway. When I do an ipconfig it shows an empty value. 04:07 < reiffert> change the subnet of one side to a different subnet. 04:08 -!- henry-nicolas [i=d940f005@gateway/web/freenode/x-mgoolpkggqnjrwjd] has joined ##openvpn 04:08 < StefanWork> So that's the only real solution? 04:09 < reiffert> are you going to re-ask every single question? 04:10 < StefanWork> Nope, thanks for your time 04:10 < henry-nicolas> Hello everybody, I would like to know if there are any ways to do some kind of sasyncd equivalent with openvpn and debian. 
I'm running redundant firewalls with openvpn on them and when the second firewall becomes the master, I would like to keep my TCP session. Any idea ? 04:10 < reiffert> yw 04:11 < MorkBork> no 04:11 < MorkBork> there's no implementation to do that 04:12 < MorkBork> i saw some posts with some ideas 04:12 < MorkBork> but it would take a lot of coding 04:13 < henry-nicolas> MorkBork: you're answering my question ? so no solution ? 04:13 < MorkBork> yes 04:13 < henry-nicolas> MorkBork: ok, thx 04:13 < MorkBork> there was some suggestion to use carp but to maintain state 04:13 < MorkBork> would require many modifications to the code 04:14 < henry-nicolas> MorkBork: and you got no idea about how to achieve this using Linux (I don't want to install OpenBSD on my existing firewalls) ? 04:17 < MorkBork> there's no way to do it on openbsd either 04:17 < MorkBork> that was just an article i read 04:17 < MorkBork> was a bsd user who wanted to use carp, but could not maintain state 04:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 04:24 -!- dazo|h [n=dazo@nat/redhat/x-pydxqfhahbidyjed] has joined ##openvpn 04:29 -!- dazo|h is now known as dazo 04:30 -!- joel_ [n=joel@193.145.14.94] has quit [Read error: 145 (Connection timed out)] 04:33 -!- joel_ [n=joel@193.145.14.94] has joined ##openvpn 04:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:39 < henry-nicolas> MorkBork: on OpenBSD we can do it using sasyncd and ipsec 04:39 < MorkBork> no 04:39 < MorkBork> oh 04:39 < MorkBork> maybe with ipsec 04:39 < MorkBork> cannot keep state with openvpn though =[ 04:39 < henry-nicolas> http://www.rootr.net/man/man/sasyncd/8 04:39 < henry-nicolas> that would be really great 04:40 < henry-nicolas> but anyway, you answered my question :) 04:40 < MorkBork> it's because ipsec works at a lower level 04:41 < MorkBork> and sasyncd is built to pass state information between 05:15 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined 
##openvpn 05:15 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [] 05:25 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn 05:26 < OpenVPN> Hello all, I have a question about setting up some server side password which clients can connect to. I am using the windows openvpn gui, where you can setup a client-side password, but a simple re-install of openvpn removes it so that's no option. 05:26 < OpenVPN> I have googled a lot but haven't found anything really useful. 05:43 < dazo> OpenVPN: what are you really asking about? Do you want to have password based authentication on your OpenVPN connections? 05:45 -!- dazo is now known as dazo_ 05:46 -!- dazo_afk [n=dazo@nat/redhat/x-qkahjayxibauafpy] has joined ##openvpn 05:46 -!- dazo_afk is now known as dazo 05:46 -!- dazo_ [n=dazo@nat/redhat/x-pydxqfhahbidyjed] has quit ["Leaving"] 05:50 -!- henry-nicolas [i=d940f005@gateway/web/freenode/x-mgoolpkggqnjrwjd] has quit ["Page closed"] 05:53 -!- hyper_ch [n=hyper@62-93.78-83.cust.bluewin.ch] has quit [Remote closed the connection] 05:58 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 05:58 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer] 05:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 54 (Connection reset by peer)] 05:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:42 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 06:58 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:12 -!- joel_ [n=joel@193.145.14.94] has quit ["Saliendo"] 07:13 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 07:16 -!- dollabill [n=mike@97.66.26.10] has quit [] 07:22 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Client Quit] 07:23 -!- SkyX [n=SkyB0x@212.235.186.230] has joined ##openvpn 07:23 -!- 
jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:32 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 104 (Connection reset by peer)] 07:36 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [No route to host] 07:41 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 07:49 -!- SkyX [n=SkyB0x@212.235.186.230] has quit [No route to host] 08:04 -!- mendel [i=mean@unaffiliated/mendel] has left ##openvpn [] 08:04 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has joined ##openvpn 08:09 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has quit [Read error: 104 (Connection reset by peer)] 08:09 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn 08:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)] 08:15 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 08:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:28 < ecrist> good morning 08:28 -!- Irssi: ##openvpn: Total of 71 nicks [0 ops, 0 halfops, 0 voices, 71 normal] 08:29 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 08:29 < reiffert> moin ecrist, any clue how to get the bot back? 08:33 < ecrist> hrm, no. I don't run it, that's krzie's bot. 08:33 < ecrist> it *is* hosted on a server in my basement, but I'm not about to brute my way into krzie's box. ;) 08:35 < reiffert> let's create a bot user with ssh key access for the next times... 08:36 < ecrist> reiffert: I'll talk to krzie about hosting the bot on one of my systems and we can do that without a problem. 08:36 < ecrist> would probably give the key to channel admins, but I'm not seeing your name on the list... ;) 08:37 < ecrist> I've been intending on writing a new bot for this channel, as well, just never gotten around to it. 
08:41 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 08:41 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has quit [Read error: 110 (Connection timed out)] 08:41 -!- OpenVPN [n=a@77.166.43.50] has joined ##openvpn 08:54 < OpenVPN> dazo, are you still there? I'm sorry, I had a conference call. 08:58 < OpenVPN> gotta restart my workstation (windows...) 08:58 -!- OpenVPN [n=a@77.166.43.50] has quit [] 09:00 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit] 09:04 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 09:06 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn 09:08 < OpenVPN> ok, system is rebooted. I want indeed some file on the server side that stores one username and one password so clients can connect using those credentials (on top of the ssl authentication) 09:09 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 09:09 < dazo> OpenVPN: do you have any requirements to how the username/passwords should be authenticated? 09:09 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 09:10 < OpenVPN> Hmm 09:10 < OpenVPN> not really, as long as I don't have to use an LDAP 09:10 < dazo> OpenVPN: you need to enable a loadable module to OpenVPN to introduce this feature ... and there are some alternatives .... auth_pam, auth_ldap, auth_mysql .... and I'm working on a bigger framework which is called eurephia 09:11 < dazo> eurephia supports SQLite now, but with an API which will support more database backends in the future 09:11 < OpenVPN> that's awesome, so with some sql database as a backend 09:11 < OpenVPN> i can use it to authenticate clients? 09:11 < dazo> OpenVPN: yes ... eurephia right now uses certificates + user/password 09:12 < OpenVPN> that's exactly what I'm looking for 09:12 < dazo> OpenVPN: then have a look here: http://www.eurephia.net/ 09:12 < dazo> OpenVPN: which platform is your OpenVPN server based on? 
09:13 < OpenVPN> w2k3 :( no other solution such as a linux kernel as a server at my work 09:13 < OpenVPN> not yet 09:13 < dazo> OpenVPN: ouch ... I have not tried eurephia on Windows .... and this module is only needed on the server side 09:13 < dazo> OpenVPN: I know FreeBSD and Linux works 09:14 < OpenVPN> yea, I hate windows myself too, all those limitations :) 09:15 < dazo> OpenVPN: but! If you are able to compile eurephia and make it run on Windows ... I'd appreciate that effort ... it should be doable to make this work, as I'm trying to stay POSIX compliant ... and worst case you have cygwin which can help you 09:15 < dazo> (even though Windows might not be completely POSIX compliant, it does try to support most used features) 09:16 < OpenVPN> I don't think I have enough knowledge to port programs yet in all honesty 09:17 < dazo> OpenVPN: nah ... I'd be willing to help you out with the coding part ... you would just need to try to compile and give me some info on the success rate ;-) 09:17 < OpenVPN> oh sure, I would like to help you with that 09:18 < OpenVPN> I have to make time for that though 09:18 < OpenVPN> in which language is it written? 09:19 < dazo> OpenVPN: it's pure C ... and I'm using CMake for the building process 09:19 < OpenVPN> I am used to PHP which is looking like C as far as I know 09:19 < dazo> OpenVPN: if you manage to get some time for that effort, I'd appreciate that a lot! 09:20 < OpenVPN> hehe sure :) I'll try 09:20 < dazo> OpenVPN: well, you then probably know some programming basics then .... but it's quite different from C 09:20 < OpenVPN> I have programmed some in C 09:20 < dazo> cool! 
Then you probably know what you need to know :) 09:20 < OpenVPN> that's why I think PHP is looking like C, of course not fully identical 09:21 < OpenVPN> It least I am a student learning to program so you don't have to explain things to me in dummy-language 09:21 < dazo> yeah, you have the {} and a lot of the same control mechanisms which looks similar ... but C is missing a lot of functions which PHP got ... .and PHP is missing a lot of features C got 09:21 < OpenVPN> that might save you some time 09:21 < dazo> yup! :) 09:22 < OpenVPN> ok, so dazo. We'll keep in touch about that 09:22 < OpenVPN> Can you help me with something else at the moment? 09:22 < dazo> Whenever you're ready to give this a shot, please feel free to join #eurephia ... and we don't need pollute ##openvpn with this stuff :) 09:22 < dazo> OpenVPN: I can sure try! 09:23 < OpenVPN> #eurephia is also on freenode? 09:23 < dazo> yup 09:23 < OpenVPN> ok, I'll keep that one in mind 09:23 < OpenVPN> Um, my next problem is rather complex, at least that's what I think. 09:24 < OpenVPN> I have OpenVPN installed on the w2k3 machine and via certificates I let clients connect to it 09:25 < OpenVPN> I also use SVN over the VPN for the safe remote version control 09:25 < OpenVPN> now, to the problem 09:26 < OpenVPN> when I use a local folder on the client machine to checkout files in the svn repository, it goes with the max speed of the client network : i.e. 50kb/s up results in 50kb/s upload etc 09:26 < OpenVPN> when I open the network drive (over vpn) and then create a folder > checkout - it goes extremely, extremely slow 09:26 < OpenVPN> like 200 bytes /s 09:27 < OpenVPN> What I try to achieve is that I don't have any repositories local 09:27 < OpenVPN> extra: the clients are also using windows OS's 09:28 < dazo> OpenVPN: I don't think I'm able to help you on this issue, I'm not too much experienced with the tuning part (esp. on Windows) ... but have you searched in the mailing list? 
OpenVPN performance comes up quite regularly on openvpn-users .... 09:29 < dazo> maybe some others here can help too .... but then they will immediately request !configs and possibly also !logs 09:29 < dazo> !configs 09:29 < dazo> !logs 09:29 * dazo wonders where VPNbot is gone ..... 09:29 < OpenVPN> hehe 09:29 < dazo> ecrist: krzie ^^ 09:30 < OpenVPN> if I use those comments, is the VPNbot taking it from my pc? Cause atm I'm remotely logged in, while not being on the w2k3 machine 09:30 < dazo> heh ... nope that's just "instructions" that you should pastbin configs and logs .... 09:31 < dazo> and paste those links here to get some help :) 09:32 < OpenVPN> o ok :) 09:32 < OpenVPN> thanks for the effort in any case 09:32 < dazo> np! 09:33 < dazo> reiffert: do you have win2k3 performance experience? ^^^ 09:33 < reiffert> dazo: i'm sorry, xp only 09:34 < dazo> reiffert: thx! no worries 09:34 < OpenVPN> w2k3 is the same as xp, though w2k3 has some fancy easy-to-use gui for domain management :) 09:34 < OpenVPN> both run the same kernel 09:36 < OpenVPN> I though have figured while testing that my slow speed only occurs when I transfer anything from/to the same server as where SVN/OpenVPN runs 09:36 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 09:39 -!- ptman [i=ptman@puro.fixme.fi] has left ##openvpn [] 09:40 < OpenVPN> meanwhile I have to configure certs on client pc's here so I am n/a for now. 09:41 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Read error: 101 (Network is unreachable)] 09:49 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 09:49 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:55 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 09:56 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 10:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 10:05 < ecrist> dazo: what am I looking at? 10:05 < ecrist> oh, yeah, we're aware. krzie's not around to restart it. 
10:05 < dazo> ecrist: vpn bot 10:05 < dazo> yeah 10:05 -!- Guest93713 [n=Rolybrau@1-237.0-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)] 10:06 < ecrist> vpnHelper is it's name. 10:06 < dazo> ecrist: feel free to ignore me now :-P 10:06 -!- Guest93713 [n=Rolybrau@85.3.226.224] has joined ##openvpn 10:06 < dazo> yeah, there you see ... I've completely forgotten his name even .... 10:06 < reiffert> krzie: !vpnhelper 10:07 < reiffert> (I've forgotten its name as well) 10:08 -!- pa [n=pa@unaffiliated/pa] has quit [SendQ exceeded] 10:08 < robert_> heh 10:21 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Read error: 110 (Connection timed out)] 10:26 -!- paolo__ [n=pa@host163-6-dynamic.58-82-r.retail.telecomitalia.it] has joined ##openvpn 10:26 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 10:38 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 10:51 < YaManicKill|dead> i'm trying to get dns requests working through my vpn. i used this 'push "dhcp-option DNS 10.8.0.1"' but it says in the how to this only works for windows clients. how can i get it working for linux? it also seems to be passing dns queries in plain text. is there a way to get this encrypted? 
10:51 -!- YaManicKill|dead is now known as YaManicKill 11:00 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:07 -!- YaManicKill is now known as YaManicKill|dinn 11:07 -!- YaManicKill|dinn is now known as YaManicKill|food 11:37 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:41 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 11:55 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has joined ##openvpn 12:07 -!- misse- [i=misse@cl-858.sto-01.se.sixxs.net] has quit [Read error: 104 (Connection reset by peer)] 12:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)] 12:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:38 -!- RyuKojir1 is now known as RyuKojiro 12:41 -!- YaManicKill|food is now known as YaManicKill 12:53 < dazo> YaManicKill: http://lmgtfy.com/?q=openvpn+push+dns+linux ... and then I found this link: http://www.phocean.net/2006/12/07/openvpn-and-dns-on-a-linux-client.html 12:53 < YaManicKill> dazo: cheers...will have a look at them 12:54 < dazo> YaManicKill: dns queries goes in clear text by default .... unless you put them through a VPN tunnel which is encrypted .... no other choices here 12:55 < YaManicKill> do they not go through the vpn? like with the rest of the traffic? 12:55 < YaManicKill> cause everything else is encrypted 12:55 < dazo> depends on your routing .... if the IP address of your DNS server which you push is routed via the VPN, then it will go through the tunnel and not on the outside 12:56 < YaManicKill> it should be... 12:56 < dazo> then it should go encrypted via the tunnel 12:57 * dazo decides to go out now 12:58 < YaManicKill> cool, have fun :) 13:03 < YaManicKill> ok. the options that i seem to see imply that you have dns installed on the server 13:03 < YaManicKill> what if i just want it to route it through the vpn to the outside world. is that possible? 
13:03 < Bushmills> or use server for default route. 13:04 < Bushmills> !redirect 13:04 < Bushmills> hm, still no bot 13:05 < Bushmills> check man page for redirect-gateway 13:06 < Bushmills> also make sure that your client's resolver doesn't use a dns proxy in your router 13:08 < YaManicKill> Bushmills: Bushmills would that be in router settings? 13:09 < YaManicKill> the man page doesnt say much about redirect-gateway 13:09 < YaManicKill> i have that in my config anyways, but the thing is, my computer doesnt work with dns stuff. i got it routing if i use ip addresses, but not with domain names 13:10 < YaManicKill> my friend has it working with domain names, but the dns is not going through the encrypted tunnel. its in plain text 13:10 < Bushmills> 28 lines? that's not much? 13:10 < YaManicKill> it doesnt have 28 lines on that does it... 13:10 * YaManicKill looks again 13:11 < YaManicKill> it has like...5 13:11 < Bushmills> client determines what dns it wants to use, and is configured there. but if dhcp server is enabled on router, it can suggest a dns (its own) to client when connecting 13:11 < YaManicKill> oooo ok 13:12 < Bushmills> http://doc.verhau.de/cgi-bin/dwww/usr/share/man/man8/openvpn.8.gz?type=man 13:12 < Bushmills> i don't know what man page you have, that's the one I know 13:13 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Read error: 60 (Operation timed out)] 13:13 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn 13:13 * robert_ gnaws on phusion's ipv6 address 13:13 < YaManicKill> Bushmills: weird. mine doesnt have the last 2 options ojn it 13:14 < YaManicKill> haha. 
notice the last bit of the ipv6 address :P 13:14 -!- dazo is now known as dazo_afk 13:19 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 13:21 -!- RyuKojiro [n=nnnkojir@unaffiliated/ryukojiro] has quit [Read error: 104 (Connection reset by peer)] 13:30 -!- RyuKojiro [n=nnnnkoji@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has joined ##openvpn 13:33 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 13:35 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 13:55 < ecrist> FWIW, I dropped krzie an email about the bot. 14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:36 -!- hyper__ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has joined ##openvpn 14:36 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has quit [Nick collision from services.] 14:36 -!- hyper__ch is now known as hyper_ch 15:14 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 15:30 -!- ikla [n=lbz@c-98-245-232-141.hsd1.co.comcast.net] has joined ##openvpn 15:31 < ikla> the server setting in openvpn server config file can I start the ip like 10.10.10.200 instead of 10.10.10.0 ? only works with 10.10.10.0 255.255.255.0 15:39 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 15:40 -!- Hink is now known as LowValueTaret 15:40 -!- LowValueTaret is now known as LowValueTarget 15:46 -!- holister [n=holister@static-173-61-110-2.cmdnnj.fios.verizon.net] has joined ##openvpn 15:48 < holister> I am having problems with setting up bridging... I used the script from sample-scripts/bridge-start, but I end up with an inaccessible ip...br0 is set to the right ip, but it can't ping out and other computers can't ping in 15:48 < holister> (on the local LAN) 15:57 < reiffert> welcome to slavery. 16:17 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 16:17 < krzie> and... 16:17 < krzie> why are you briding? 
16:17 < krzie> bridging 16:21 < reiffert> krzie: !vpnhelper 16:23 < krzie> !help 16:23 < krzie> wtf 16:23 < krzie> someone kick it out or something? 16:24 < reiffert> ecrist was using his magic mushrooms .. and then it suddenly has disappeared. 16:24 < krzie> ecrist was shrooming?? 16:24 * krzie no bnelieve 16:24 < krzie> -n 16:25 < reiffert> extreme colors, u know and then biff baff buff, gone. 16:25 < reiffert> krzie o bnelive? 16:25 < krzie> :-p 16:26 < krzie> fine, s/bn/n/ 16:26 < krzie> err 16:26 < krzie> fine, s/bn/b/ 16:26 < krzie> im too tired, waking up early to train jui jitsu lately 16:28 < reiffert> lemme guess, training at the beach at sunrise with bananas and two hands full of naked tits all over? 16:29 < krzie> haha nope, just a room with some matts on the floor 16:29 < reiffert> boring. :) 16:29 < krzie> but there were tits all over last night 16:29 < krzie> 3some til 6am 16:29 < krzie> then training at 10am 16:29 < krzie> brutal man 16:29 < reiffert> ah, gettin intresting again :) 16:30 < krzie> ya it was fun 16:36 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 16:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 16:43 < krzie> !say hello 16:43 < vpnHelper> krzie: Error: "say" is not a valid command. 16:43 < krzie> it should be! 16:43 -!- Serideru1 [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Connection timed out] 16:43 < krzie> !learn say as NO! you're not the boss of me! 16:43 < vpnHelper> krzie: Joo got it. 16:43 < krzie> there we go ;] 16:48 < Bushmills> krzie: while : ; start_bot ; sleep 30 ; done 16:50 < krzie> it wasnt down 16:50 < krzie> no idea why it left the channel 16:51 < Bushmills> is it invitable? 16:52 < krzie> krzie: !vpnhelper 16:52 < krzie> ......---.--..-......---.--..-.........--- -- - 16:52 < krzie> | vpnHelper (i=vpn@joogot.noskills.net) (Network) 16:52 < krzie> . ircname : OpenVPN helper bot 16:52 < krzie> . 
server : irc.freenode.net (http://freenode.net/) 16:52 < vpnHelper> Title: About the Network (at freenode.net) 16:52 < krzie> ohh it didnt have its spoof either 16:52 < krzie> i bet it split out and couldnt split back in and just didnt rejoin 16:55 < Bushmills> "the boss of me" what kind of English is that?? 16:55 < krzie> its a phrase 16:55 < Bushmills> it is the words of you 16:56 < krzie> http://www.google.com.pe/#hl=en&source=hp&q=%22the+boss+of+me%22&btnG=Google+Search&aq=f&oq=%22the+boss+of+me%22&fp=6352f60ffe47c9e5 16:56 < vpnHelper> Title: Google (at www.google.com.pe) 16:57 < Bushmills> on that page is asked: "Inept or infantile?" 16:58 < Bushmills> "sound like a five-year-old having a tantrum." 16:59 < Bushmills> "plays the porn star... gives himself a memorable pep talk in the mirror" 17:00 < Bushmills> "From the time I was 2 years old... first phrases was "'You're not the boss of me!'" 17:01 < krzie> sq 4413 17:01 < krzie> #4413: [ krzee making avi's of his sexual antics ] * krzee looks 17:01 < krzie> at his weiner "ready for round 5?" she's still 17:01 < krzie> there? 
lol my weiner just winked at me 17:16 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 17:16 < krzie> haha 17:17 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 17:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 17:34 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 17:35 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 18:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 18:12 -!- ikla [n=lbz@c-98-245-232-141.hsd1.co.comcast.net] has left ##openvpn ["Leaving"] 18:34 -!- master_of_master [i=master_o@p549D7DE2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:37 -!- master_of_master [i=master_o@p549D7B1F.dip.t-dialin.net] has joined ##openvpn 18:46 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 18:48 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 18:48 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 18:53 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 19:03 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 19:04 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 19:12 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 19:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)] 19:31 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has quit [Read error: 110 (Connection timed out)] 19:37 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 19:59 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)] 20:05 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has joined ##openvpn 20:30 -!- LowValueTarget 
[n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 20:55 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 21:25 -!- Guest93713 [n=Rolybrau@85.3.226.224] has quit [Connection timed out] 21:40 -!- tjz [n=tjz@121.7.30.30] has joined ##openvpn 21:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 22:18 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 104 (Connection reset by peer)] 22:58 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:03 -!- BugDave [n=macks@unaffiliated/mackss] has joined ##openvpn 23:35 -!- BugDave [n=macks@unaffiliated/mackss] has quit [Read error: 54 (Connection reset by peer)] 23:36 -!- BugDave [n=macks@unaffiliated/mackss] has joined ##openvpn 23:54 -!- BugDave [n=macks@unaffiliated/mackss] has quit [Read error: 104 (Connection reset by peer)] 23:55 -!- BugDave [n=macks@unaffiliated/mackss] has joined ##openvpn --- Day changed Tue Nov 17 2009 00:10 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn 00:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:28 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has quit [Remote closed the connection] 00:48 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 110 (Connection timed out)] 01:16 -!- hyper_ch [n=hyper@104-67.79-83.cust.bluewin.ch] has joined ##openvpn 01:26 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 02:00 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: JyZyXEL, CaBa, LowKey, mrnice1, tjz, sakhi 02:01 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn 02:02 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 02:03 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has joined ##openvpn 02:05 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has joined ##openvpn 02:06 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has quit [Killed by sagan.freenode.net (Nick collision)] 02:06 -!- LowKey 
[i=rhel@unaffiliated/lowkey] has quit [Killed by sagan.freenode.net (Nick collision)] 02:06 -!- sakhi_ [n=sakhi@uwcfw.uwc.ac.za] has joined ##openvpn 02:07 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn 02:07 -!- sakhi [n=sakhi@196.11.235.1] has joined ##openvpn 02:07 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn 02:07 -!- LowKey [i=rhel@72.20.2.134] has joined ##openvpn 02:07 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Connection timed out] 02:07 -!- _LowKey [i=rhel@eclipse.gempakbox.net] has joined ##openvpn 02:07 -!- LowKey [i=rhel@72.20.2.134] has quit [Connection timed out] 02:07 -!- _LowKey is now known as LowKey 02:08 -!- sakhi [n=sakhi@196.11.235.1] has quit [Connection timed out] 02:34 -!- MorkBork [n=mark@unaffiliated/morkbork] has quit ["Ex-Chat"] 02:47 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 02:48 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 03:16 -!- tinLoaf [n=tinloaf@tinloaf.de] has joined ##openvpn 03:17 < tinLoaf> hey guys. i'm probably going to use the auth-ldap-plugin for openvpn, only that i con't really get how it is supposed to work 03:17 < tinLoaf> where does it get the password from? 
--- Log closed Tue Nov 17 03:34:28 2009 --- Log opened Tue Nov 17 03:34:31 2009 03:34 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 03:34 -!- Irssi: ##openvpn: Total of 57 nicks [0 ops, 0 halfops, 0 voices, 57 normal] 03:34 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 03:34 -!- Irssi: Join to ##openvpn was synced in 22 secs 03:36 -!- Mark21 [n=mark@195.184.64.194] has joined ##openvpn 03:36 -!- darkwind [n=darkwind@64.71.152.247] has joined ##openvpn 03:36 -!- ericvw [n=ericvw@trenton.eecs.umich.edu] has joined ##openvpn 03:39 -!- BugDave [n=macks@unaffiliated/mackss] has joined ##openvpn 03:41 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has joined ##openvpn 03:41 -!- holister [n=holister@static-173-61-110-2.cmdnnj.fios.verizon.net] has joined ##openvpn 03:41 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 03:42 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 03:44 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn 03:44 -!- YaManicKill [n=ali@130.159.141.69] has joined ##openvpn 03:57 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 03:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 03:59 -!- master_of_master [i=master_o@p549D7B1F.dip.t-dialin.net] has joined ##openvpn 04:00 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:11 -!- sakhi_ [n=sakhi@uwcfw.uwc.ac.za] has quit [Client Quit] 04:18 -!- nick [n=boran@unaffiliated/nick] has joined ##openvpn 04:19 < nick> hi. i can only go out through udp 53. is it possible that openvpn server listens to a different port, for example 4848 then i use local port 53 udp to connect it to that. 04:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:26 < reiffert> nick: yes. 04:27 < nick> reiffert, is there any documentation for that? or a keyword that i need to look for? 
04:28 < reiffert> !man 04:28 < vpnHelper> reiffert: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 04:28 < reiffert> !factoids search local 04:28 < vpnHelper> reiffert: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless. 04:28 < reiffert> forget the latter. 04:29 < nick> cheers. i'll give it a shot 04:29 < reiffert> --lport 04:29 -!- zjr [i=Administ@119.52.4.157] has joined ##openvpn 04:37 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn 04:41 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn 05:29 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 145 (Connection timed out)] 05:45 -!- teddymills [n=teddy@208.92.235.227] has quit [SendQ exceeded] 05:46 -!- zjr [i=Administ@119.52.4.157] has quit ["Leaving"] 06:14 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:26 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn 06:42 -!- hyper_ch [n=hyper@104-67.79-83.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 06:56 -!- Skamakazi [n=jogi@license.querix.com] has joined ##openvpn 06:57 < Skamakazi> Hi all, I was wondering if there are any general tips for improving openvpn performance? I've enabled lzo compression & it is running over UDP, I was just wondering if there are any more rules of thumb to maximize performance ? 06:59 * |Mike| aims for encryption 07:00 < Skamakazi> or, you can add the note and leave it on the beta list 07:01 -!- Skamakazi [n=jogi@license.querix.com] has left ##openvpn [] 07:01 < |Mike|> Huh ? 07:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:16 < ecrist> good morning 07:23 < holister> I am having problems with setting up bridging... 
I used the script from sample-scripts/bridge-start, but I end up with an inaccessible ip...br0 is set to the right ip, but it can't ping out and other computers can't ping in (on the local LAN, other end isn't connected yet) 07:36 -!- holister [n=holister@static-173-61-110-2.cmdnnj.fios.verizon.net] has quit ["REBOOT!"] 07:42 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has joined ##openvpn 08:04 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 08:12 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:22 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn 08:43 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 104 (Connection reset by peer)] 08:43 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn 08:47 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:11 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:20 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 09:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 09:38 < connectionVPN> a user is connecting to our VPN (udp port 53) from a network that has blocks in place (for eg he couldn't connect to udp 443, so I redirect 53 on the server) but he reports high latency and packet loss, any tips? 09:39 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 09:57 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has joined ##openvpn 09:59 -!- OpenVPN [n=a@ip4da62b32.direct-adsl.nl] has quit [] 10:01 < TorchDragon> !route 10:01 < vpnHelper> TorchDragon: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:02 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 10:03 < TorchDragon> Hmm. Ok, that's not it. 
10:04 < TorchDragon> My client connects to the server, gets an ip address but does not receive a gateway even though I see on the server: PUSH_REPLY,route-gateway 192.168.0.24 10:05 < TorchDragon> I'm working with a bridged configuration so I'm not sure what's going wrong here. 10:09 -!- nick|here [n=nick@unaffiliated/nick] has joined ##openvpn 10:09 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 10:09 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has joined ##openvpn 10:10 < nick|here> hi folks. i set up the client and server for openvpn everything works right now. i'm using tcp 53. but if i change it to udp 53 it's not working. what could be the problem? 10:11 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 110 (Connection timed out)] 10:15 < krzie> nick|here firewall 10:16 < krzie> or forgetting to change both the client AND the server (and restarting them) 10:16 < nick|here> krzie: how can i check if outgoing udp is blocked? 10:16 < krzie> by querying a 3rd party DNS server 10:17 < krzie> for example, host ircpimps.org 4.2.2.1 10:18 < nick|here> hmm strange this works 10:18 < krzie> then 53 udp works 10:18 < krzie> is the server behind a NAT? 10:18 < krzie> is there already a DNS server on the server? 10:18 < krzie> is the server behind a firewall? 10:19 < nick|here> tcp works without any other settings 10:19 < krzie> so? 10:19 < nick|here> no bind/dns server on the computer 10:19 < nick|here> if i just change both of them to udp 10:19 < nick|here> it doesn't connect 10:19 < krzie> is the server behind a NAT? 10:19 < krzie> is the server behind a firewall? 10:20 < nick|here> nope. i have direct access to it 10:20 < krzie> and there is no firewall software running on it? 10:20 < nick|here> i'm on vpn connection. give me a second. 
i'll come from normal connection 10:20 < krzie> you could try nc to open a listen socket on the server and then connect to it with nc from the client 10:20 -!- nick|away [n=nick@unaffiliated/nick] has joined ##openvpn 10:21 < krzie> is there something special about either connection to the net? 10:21 < krzie> gprs, cdma, edge, 3g, for example 10:22 < nick|away> ok. right now. i have the normal connection. let's try udp again 10:22 < nick|away> outgoing udp is working. no problems. now i will change the server to udp 53 10:22 < nick|away> krzie: nope. i'm just trying to do something. at school i will try using openvpn over udp 53 10:22 < nick|away> connection is normal wifi. probably connected to the ethernet 10:22 < krzie> what os is the server on? 10:22 < nick|away> ubuntu jaunty 10:22 < krzie> the server is on dorm lan? 10:23 < krzie> they could very well be blocking incoming udp 10:23 < krzie> good way to test that is with nc as i said above 10:23 < krzie> you could try nc to open a listen socket on the server and then 10:23 < krzie> connect to it with nc from the client 10:24 < nick|away> nope. the server is mine. hosted somewhere else. 10:24 < krzie> nc as in netcat 10:24 < ecrist> hey, krzie 10:24 < nick|away> right now i'm talkin from the dorm. and outgoing udp is working well 10:24 < krzie> hey ecrist 10:24 < ecrist> pm? 10:24 < krzie> sure 10:25 < nick|away> krzie: netstat -an shows that right now, i have udp 53 listening 10:25 < krzie> i didnt say netstat i said netcat 10:25 < nick|away> krzie: just a moment 10:27 < nick|away> nc -vzu server.com 53 10:27 < nick|away> is this right? 10:27 < krzie> no idea, dont feel like reading the manpage 10:28 < nick|away> found something. 
checking 10:28 -!- nick|here [n=nick@unaffiliated/nick] has quit [Read error: 60 (Operation timed out)] 10:43 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 10:43 -!- nick|away [n=nick@unaffiliated/nick] has quit ["WeeChat 0.3.0"] 10:44 -!- nick|here [n=nick@unaffiliated/nick] has joined ##openvpn 10:47 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 10:47 -!- TorchDragon [n=TorchDra@c-68-44-174-108.hsd1.pa.comcast.net] has left ##openvpn [] 10:52 -!- nick|away [n=nick@unaffiliated/nick] has joined ##openvpn 10:52 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 10:54 -!- nick|here [n=nick@unaffiliated/nick] has quit [Read error: 54 (Connection reset by peer)] 11:05 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:08 -!- nick|away [n=nick@unaffiliated/nick] has quit [No route to host] 11:15 -!- nick|away [n=nick@unaffiliated/nick] has joined ##openvpn 11:16 -!- nick|away [n=nick@unaffiliated/nick] has quit [Remote closed the connection] 11:24 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:36 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 11:40 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)] 11:53 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:13 -!- nick|here [n=boranbas@unaffiliated/nick] has joined ##openvpn 12:14 < nick|here> hi, i want to use openvpn on udp port 53. it works on 54. but it doesn't work on 53. how can i identify if it is blocked at server side, or client side? (i know udp 53 is for dns, and no dns server is running) 12:14 < ecrist> some ISPs block or redirect 53 to their own DNS servers. 
12:15 < ecrist> I think krzie suggesting netcat, above 12:15 < ecrist> suggested* 12:15 < krzie> i sure did 12:15 < krzie> you tested if it was client side by reaching a dns server 12:15 < krzie> now you will test server side with netcat 12:16 < krzie> as i said like an hour ago 12:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:24 < nick|here> ok. here is the deal. i set up nc to listen on udp port 53, and sent some stuff with nc to the server. it doesn't reach there. (tried with tcp it works). now you told me that, since i can query dns on the client side, there is nothing blocked here. i should check out server side? 12:25 < krzie> now you know its the server side 12:25 < ecrist> nick|here: it looks like your port 53 is being blocked and/or redirected 12:25 < krzie> you just checked it 12:25 < krzie> if its nothing on your side (firewall/nat/etc) its your isp 12:25 < connectionVPN> ecrist: you think my problem (above) can related? 12:26 < ecrist> could be 12:26 < ecrist> but, I know very little of your setup 12:29 < connectionVPN> ecrist: its a "vpn proxy" service, openvpn is on udp 443, the server has iptables as its own firewall which also redirects udp 53 to 443 12:30 < connectionVPN> and it works well using both ports from here, its this particular user's network thats causing problems 12:34 < nick|here> krzie, looks like they have a pretty decent IT administration at the school. i just asked my friend to netcat to server, and he could. this means that i can query dns, but i can't use that port for openvpn. 
i guess they have a kind of packet filtering 12:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 13:03 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["This computer has gone to sleep"] 13:04 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 13:05 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit [Client Quit] 13:07 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 14:18 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["Leaving"] 14:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 14:51 < krzie> nick|here are you sure when you tested the dns that you queried a 3rd party server like 4.2.2.1 specificly 14:52 < nick|here> krzie, yeap. 14:52 < krzie> tried another udp port? 14:53 < nick|here> 54 works fine 14:53 < nick|here> only 53 14:53 < krzie> heh interesting 14:53 < nick|here> i couldn't understand 14:53 < krzie> ya i never seen that before 14:53 < krzie> goofy isp 14:55 < krzie> do they provide wifi with web based auth or something? 14:55 < krzie> if so it may have to do with how they block dns tunneling 14:55 < nick|here> yeap. but it's on a different spot 14:55 < krzie> hah there we goe 15:10 < freaky[t]> hi all. what is the setting called to allow 1 certificate for many clients? 
15:11 < freaky[t]> i cant find it
15:12 < freaky[t]> found it thanks
15:39 -!- magic_1 [n=magic@41.121.103.13] has joined ##openvpn
15:40 < magic_1> hi guys anyone had this issue before when trying to create a new key
15:41 < magic_1> Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
15:41 < magic_1> Error opening CA private key /etc/openvpn/easy-rsa/keys/ca.key
15:41 < magic_1> 27186:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/openvpn/easy-rsa/keys/ca.key','r')
15:41 < magic_1> 27186:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
15:41 < magic_1> unable to load CA private key
15:41 < magic_1> sorry for pasting
15:58 -!- robert_ [n=hellspaw@objectx/robert] has quit [Remote closed the connection]
16:00 < magic_1> getting serial error
16:07 < krzie> freaky[t] its very much recommended to NOT use that setting
16:07 < krzie> magic_1 seems your ca key is not where the program thinks it is
16:08 < krzie> as you seem to know
16:08 < krzie> either that or you dont have permissions to access it
16:13 -!- hihohu5164 [n=Miranda@80.188.251.41] has joined ##openvpn
16:13 < hihohu5164> hello
16:13 < hihohu5164> any good soul here to help me a bit with a newbie question?
16:13 < krzie> !ask
16:13 < vpnHelper> krzie: "ask" is (#1) don't ask to ask, just ask your question please, or (#2) http://www.latinsud.com/answer/, or (#3) http://www.catb.org/~esr/faqs/smart-questions.html to learn how to get help
16:13 < krzie> =]
16:14 < krzie> fire away
16:14 < magic_1> sorted out the ca issue
16:15 < magic_1> but now its giving me serial issue
16:15 < magic_1> not sure what to do now
16:15 < krzie> magic_1 tried to google the error?
16:15 < magic_1> yep
16:15 < magic_1> but not getting much joy
16:15 < krzie> ok pastebin in
16:16 < krzie> s/\ in/it/
16:16 < hihohu5164> ah, i've got 2 different certs for 2 different servers, how can i run them both? when i import a cert it allows me access to the first, but not to the second
16:16 < freaky[t]> krzie, it's for testing
16:17 < krzie> freaky[t] ahh cool, that is the 1 situation where its deemed good for usage, in fact it seems to be why they even made that option
16:17 < krzie> hihohu5164 run openvpn 2x
16:17 < freaky[t]> krzie, ^^
16:17 < krzie> 1 for each config
16:18 < hihohu5164> krzie: will try, thank you
16:19 < krzie> np hihohu5164
16:19 < krzie> freaky[t] ??
16:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:22 < magic_1> anyone know how to repair an openvpn install
16:22 < magic_1> im stuck
16:22 < magic_1> see i need to create new keys with un common name
16:22 < magic_1> but now i cant create the keys which is naturally an issue
16:31 -!- papo [n=mathias@adsl-177-161-fixip.tiscali.ch] has joined ##openvpn
16:31 < papo> hello
16:32 < papo> !route
16:32 < vpnHelper> papo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:32 < papo> hm ok
16:32 < papo> I read it
16:34 < papo> I have the following setup: several road warriors are connecting to my VPN server. This is a bridged setup which works fine. On the road warriors, I get a tap0 interface and the route is set fine and everything
16:35 < papo> but I would like to set the metric of that route to something > 0
16:35 < magic_1> why is that papo
16:36 < papo> magic_1: well I'm not sure if I understood the concept properly. But there is this nasty problem... that vpn server is at home. When I come home from work, I wake up my notebook out of suspend and openvpn is still working
16:36 < papo> and the route is there and it's trying to route the traffic through the tap0 instead of using the default gateway route
16:37 < papo> then I stop openvpn and everything is fine, but I constantly come home forgetting that openvpn is still running and getting upset because something is not working etc.
16:37 < papo> then I realize that I just have to stop openvpn and everything is fine
16:38 < papo> magic_1: but still, it would be quite cool to set the metric (in case this works how I think it does, at least)
16:39 < krzie> it still wouldnt work
16:40 < krzie> either your default route goes over openvpn or not
16:41 < papo> krzie: and by "going over" you mean that this is the route that would be chosen for my packages?
16:42 < krzie> when you connect and change your default route to send all inet bound packets over the vpn
16:42 -!- datruth [i=scott@2001:470:c045:1:5:30:10:3] has joined ##openvpn
16:42 < krzie> they will continue to until you kill the vpn and thus the default route which goes over the vpn
16:42 < datruth> Is it possible to run openvpn in a jail?
16:43 < papo> krzie: Hm not sure if I understand this
16:45 < papo> krzie: oh wait maybe it's not about the default route but it's not able to connect to my DNS
16:45 < papo> krzie: because when I come home, I have this route which tells that all packages to 192.168.14.0/24 should go through the tap0 interface
16:46 < papo> then I come home, that route is still there and there is an additional local-lan route for 192.168.14.0/24 for wlan0 which is ineffective, such that I can't reach my DNS at 192.168.14.1?
16:47 < krzie> you are very much misusing the word packages
16:47 < papo> probably
16:47 < krzie> packets =]
16:48 < datruth> anyone?
16:48 < papo> yes I'm sorry. actually package and packet are translated to the same word in my mother tongue, sorry
16:48 < krzie> you could crontab a script to see what your eth0 interface is, if it is the same as tap0 kill openvpn
16:48 < krzie> ahh sorry as well, i didnt know you spoke a different language as you are speaking very clearly
16:49 < krzie> datruth, yes
16:49 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Excess Flood]
16:49 < krzie> as long as it can access the interface
16:49 -!- HardDisk_WP [n=Marco@velirat.de] has joined ##openvpn
16:49 < krzie> by jail i assume you mean freebsd jails
16:49 < krzie> if you simply mean chroot, its built in
16:50 < krzie> --chroot i believe
16:50 < datruth> hrmm
16:53 < datruth> krzie: will it have problems creating the tun0 device
16:53 < datruth> ?
16:54 < krzie> not sure, but if it does you can pre-create it
16:54 < krzie> aka a static device
16:54 < datruth> how?
16:54 < krzie> by seeing the manual ;]
16:54 < krzie> !man
16:54 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:54 < krzie> from just the synopsis its pretty obvious
16:55 < krzie> or simply search it for "static device"
16:55 < krzie> openvpn [ --mktun ] [ --rmtun ] [ --dev tunX | tapX ] [ --dev-type device-type ] [ --dev-node node ]
16:55 < datruth> hrmm ok
16:56 < datruth> i didn't see that in --help
16:56 < krzie> so read each of those options in the manual
16:56 < krzie> ya, the manual is more detailed than --help
16:56 < datruth> ahh thank you :>
16:56 < krzie> much much more
16:56 < krzie> np
17:03 < datruth> hrmm --mktun doesn't seem to be an option in fbsd
17:03 -!- hihohu5164 [n=Miranda@80.188.251.41] has quit [Read error: 110 (Connection timed out)]
17:04 < krzie> oh but it is, prolly must be done outside the jail
17:04 -!- nvicf [n=vicente@200.61.176.81] has joined ##openvpn
17:04 < krzie> ive used static devices for openvpn in fbsd
17:04 < krzie> so i KNOW that it works
17:04 < nvicf> hello I'm having a problem, I have two vpns, one between 10.10.10.x and 10.10.11.x and the other between 10.10.10.x and 162.86.217.x
17:05 < krzie> did you read up on all of the args from that synopsis i pasted in manual?
17:05 < freaky[t]> krzie, yes?
17:05 < freaky[t]> krzie, sorry im currently setting up xubuntu on my laptop ;D
17:05 < nvicf> I'm mixing with iptables, because if I masquerade packets that go from 10.10.10.x to !10.10.11.x the packets that go from 10.10.10.x to 162.86.217.x get masqueraded and the vpn doesn't work, ideas?
17:05 < krzie> freaky[t], huh?
17:05 < krzie> freaky[t], np, not my choice of OS but its your laptop, fine by me ;]
17:06 < krzie> you can let those vpns communicate without NAT nvicf
17:06 < krzie> i have done it
17:06 < krzie> it requires a full understanding of route, push route, and iroute
17:07 < krzie> in fact a setup like that led to me fully understanding those, and writing my routing writeup at !route
17:07 < nvicf> but I need to nat, I have computers that use the internet inside the network
17:07 < krzie> umm
17:07 < datruth> maybe i need to use the source code instead of the port
17:08 < nvicf> can I paste in here? 8 lines too much?
17:08 < krzie> nvicf maybe im misunderstanding your goal
17:08 < krzie> nvicf pastebin
17:08 < krzie> datruth, source is better
17:09 < nvicf> krzie: http://pastebin.com/m8754fa9
17:09 < krzie> ports is years outdated
17:09 < krzie> you def want rc20 over 'stable'
17:09 < krzie> or at least openvpn-dev
17:09 < krzie> -devel
17:09 < krzie> nvicf whats your goal?
17:10 < nvicf> both vpn able to communicate
17:10 < freaky[t]> krzie, u highlighted me above - what's ur OS?
17:10 < datruth> krzie: ahh gotcha
17:11 < krzie> krzie, ^^
17:11 < nvicf> krzie: both vpn able to ping each other
17:11 < krzie> freaky[t] ??
17:11 < krzie> ok, you dont need NAT for that
17:12 < nvicf> me?
17:12 < krzie> i have setup a machine which ran 2 openvpn client instances and allowed machines connected to each server to reach eachother
17:12 < freaky[t]> krzie, ah ok nm then hehe
17:12 < krzie> nvicf yes
17:12 < datruth> krzie: i can use rc20 from ports but should I get the tarball?
17:12 < nvicf> krzie: if I get rid of those lines, iptables masquerades all
17:12 < krzie> i call it cpn-chaining
17:12 < krzie> vpn-chaining
17:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Client Quit]
17:13 < krzie> nvicf ok so you are NOT nat'ing ing the vpn traffic, correct?
17:13 < krzie> datruth if rc20 is in potrs, thats fine
17:13 < krzie> ports
17:13 < krzie> damn i cant type today
17:13 < nvicf> krzie: without those lines I am, with those lines I'm avoiding nat
17:14 < krzie> im not much of a linux guy so i dont wanna understand those firewall entries really (im also working right now)
17:14 < nvicf> how do I avoid vpn traffic getting natted without those lines?
17:14 < krzie> ok cool
17:14 < krzie> nvicf to accomplish your goal you must fully understand iroute and route
17:14 < krzie> read this:
17:14 < krzie> !route
17:14 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
17:14 < krzie> it has nothing to do with your actual goal
17:15 < krzie> but if you fully understand the principles from there, you can accomplish your goal
17:15 < krzie> remember, each vpn is simply a lan attached to that client
17:15 < krzie> as is any potential lan on the other side of the other client
17:16 < datruth> damn it does not like --mktun
17:16 < krzie> you may need more options
17:17 < krzie> im still hoping you read every option from what i pasted in the manual...
17:18 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn []
17:19 < krzie> nvicf, in the interest of making more sense, let me explain a lil better, lets say client1 connects to server1 and client2 connects to server2, but both clients are on the same system... to server1, client2 and server2 are simply lans behind client1
17:19 < krzie> s/lans/a lan/
17:19 < krzie> and to server2, client1 and server1 are simply lans behind client2
17:19 < krzie> grr, a lan!
17:20 < krzie> so server1 needs an iroute entry for client1 letting ovpn know that server2's lan is behind client1
17:20 -!- sharp15 [n=stop_loo@HW-ESR1-208-102-33-103.fuse.net] has joined ##openvpn
17:20 < krzie> as well as a route
17:21 < nvicf> i think that's already doing it with route and iptables
17:22 < krzie> wrong!
17:23 < krzie> !iroute
17:23 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
17:23 < datruth> krzie: even from the manual openvpn --mktun --dev tap0 that does not work :<
17:23 < krzie> nvicf im the only person ive ever met who has setup what you're asking about, and im telling you how to make it happen
17:23 < krzie> listen to me or dont, your choice
17:25 < krzie> datruth do you currently have a tap0 from a dynamic setup?
17:25 < datruth> no
17:25 < krzie> datruth, also are you sure you want tap? usually tun is best
17:26 < datruth> no i wanted tun
17:26 < datruth> even tun0 doesn't work with that switch
17:27 < datruth> Options error: Unrecognized option or missing parameter(s) in [CMD-LINE]:1: mktun (2.1_rc20) <-- thats what i get
17:29 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
17:35 < nvicf> I don't get it
17:35 < nvicf> I see what you mean
17:35 < nvicf> but i don't understand
17:36 < papo> krzie: thank you :). Actually I just realized that even parcel is translated to the same word... so "parcel" == "package" == "packet" in my world... how confusing is that...
17:37 < krzie> haha, how crazy
17:37 < nvicf> are you Argentinian?
17:38 < krzie> no, I'm American but I live in the Caribbean
17:38 < nvicf> ah
17:38 < krzie> but I want to visit, there are PRETTY girls (chicas) there ;]
17:38 < nvicf> well, I don't understand; what I'm actually trying to set up are site-to-site vpns, but it's not clear to me, I'm looking for the same topic (tema)
17:38 < krzie> my spanish isnt very good with computer stuff
17:39 < krzie> nobody in my day to day life knows anything about computers
17:39 < papo> I understood "chica"
17:40 < krzie> hehe
17:40 < krzie> nvicf can you repeat in english pls
17:40 < krzie> really its the word tema i didnt understand
17:41 < nvicf> I don't get it, the vpn I'm building is site to site, I don't know if it's the same with that sample, doesn't make much sense
17:42 < krzie> site to site, hrmm
17:43 < krzie> ive never used one, not sure if you can do what you're asking for with that
17:43 < krzie> but if you can it would be a pretty easy config, just with adding route and making sure the client machine has ip forwarding on
17:43 < krzie> (i forgot to mention ip forwarding)
17:43 < krzie> !ipforward
17:43 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
17:43 < nvicf> I have ip forwarding
17:43 < nvicf> but a router how_
17:43 < nvicf> ?
17:43 < krzie> ahh ok
17:44 < krzie> you probably need a PKI setup thewn
17:44 < krzie> then
17:44 < nvicf> what?
17:44 < nvicf> man you overcomplicate things
17:44 < krzie> the kind of setup that uses certificates
17:45 < krzie> you are asking about something that is much more complicated than you think
17:45 < krzie> you know you could simply make 1 server and 2 clients, right?
17:45 < nvicf> i have a vpn client to site configured, I have 5 clients now running ok
17:46 < nvicf> and I need 2 site to site, but i'm failing at this
17:49 < datruth> damn
17:50 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:51 -!- nvicf [n=vicente@200.61.176.81] has left ##openvpn []
17:52 < magic_1> hi guys, can ping from client side to server side but can ping from server to client side
17:52 < magic_1> has anyone got any idea
17:52 < magic_1> i have got ccd set and server.conf
17:52 < magic_1> packets hit tun0 on the server side but can ping internal client side
17:53 < magic_1> can ping tun0 on client side but not the internal IP, i.e. 192.168.1.5
17:53 < krzie> the only reasons to ever do what you're saying would be for ip address hiding (jump through multiple locations before hitting inet) or you dont run one of the servers
17:53 < magic_1> keys do have unique common name
17:53 < krzie> 5 clients means you dont use site-to-site
17:53 < krzie> 5 clients means you use client.server
17:54 < krzie> client/server
17:55 < krzie> (that was for nvicf)
17:55 < krzie> oh he left
17:55 < krzie> hah
17:55 < magic_1> krzie: dont suppose you have any idea
17:55 < magic_1> what my issue could be
17:55 < krzie> hi guys, can ping from client side to server side but can ping from server to client side
17:55 < krzie> which one CANT you do?
17:55 < magic_1> yep
17:55 < krzie> both say CAN
17:55 < magic_1> apologies for that
17:56 < magic_1> meant i cant ping from server to client side
17:56 < krzie> to lan behind client or client itself?
17:56 < magic_1> well to start off client internal interface
17:56 < krzie> as in LAN ip of client, correct?
17:57 < magic_1> yep
17:57 < krzie> !configs
17:57 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
17:57 < magic_1> sure will do shortly
17:58 < krzie> its either a route entry, iroute entry, ipforwarding, or firewall problem
18:01 < magic_1> http://pastebin.com/m6a585e9c
18:01 < magic_1> well that is my guess as well
18:01 < krzie> read this again
18:01 < krzie> !configs
18:01 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
18:01 < krzie> comments = bad
18:01 < magic_1> apologies would you like the client side as well
18:02 < krzie> with comments removed
18:02 < magic_1> running centos on the server side
18:05 < magic_1> http://pastebin.com/m392daf0a
18:05 < magic_1> that is the client side
18:05 < magic_1> client side is linux as well
18:05 < magic_1> ipforwarding is on as well
18:06 < magic_1> i do a tcpdump on both tun0
18:07 < magic_1> if i ping from server side to client tun0 side, traffic flow is perfect, however when i ping client side local ethernet, you can see traffic hits server tun0 but doesnt hit client side tun0
18:10 < magic_1> any idea, however if i change my keys to connect to a different server that i have and it works perfect
18:10 < magic_1> so i know the issue must be on the server side, i just cant seem to find the issue
18:15 < datruth> krzie: what could I be doing wrong?
18:18 -!- nick|here [n=boranbas@unaffiliated/nick] has quit [Read error: 104 (Connection reset by peer)]
18:19 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
18:22 < krzie> check if client has ip forwarding enabled
18:22 < krzie> client firewall could be it as well
18:23 < krzie> also be sure your iroute in your ccd is being used when the client connects (would see that in server logs)
18:23 < krzie> datruth not sure and no time to google for you, ild suggest asking ecrist when you see him talk if you dont find it before
18:24 < krzie> work is getting kinda busy
18:24 < datruth> yeah i've been doing that i'll just have to leave it on the host system until i can figure it out
18:25 < magic_1> checked all the above
18:25 < magic_1> so have no idea why its not working
18:25 < magic_1> where would i find openvpn logs
18:28 -!- nick|here [n=boranbas@unaffiliated/nick] has joined ##openvpn
18:29 < krzie> if you use --daemon it logs via syslog, if not it outputs to the screen, or you can override syslog with --log
18:29 < magic_1> cool
18:29 < magic_1> let me check
18:34 -!- master_of_master [i=master_o@p549D7B1F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:35 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
18:35 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
18:36 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
18:38 -!- master_of_master [i=master_o@p549D7C8C.dip.t-dialin.net] has joined ##openvpn
18:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
18:44 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:51 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:53 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:14 -!- flaif [n=irc@d207-6-157-133.bchsia.telus.net] has joined ##openvpn
20:57 -!- sharp15 [n=stop_loo@HW-ESR1-208-102-33-103.fuse.net] has quit ["leaving"]
21:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 60 (Operation timed out)]
21:16 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 60 (Operation timed out)]
21:43 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection timed out]
22:12 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
22:16 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:20 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
22:52 -!- JyZyXEL [n=lol@a88-113-58-89.elisa-laajakaista.fi] has left ##openvpn ["bye."]
23:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:33 < tjz> hi krzee :D
--- Day changed Wed Nov 18 2009
00:02 < datruth> is it wise to chroot the openvpn keyfiles, config files and the daemon?
00:03 < theDoc> openvpn does it. it already reduces its own priv levels to nobody or something, iirc.
00:07 < datruth> hrnn i am running it using openvpn --user nobody --group nobody --mlock --chroot /usr/local/etc/openvpn
00:07 < datruth> is that the correct way?
00:15 -!- skbohra [n=skbohra@unaffiliated/skbohra] has joined ##openvpn
00:20 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
01:19 -!- hyper_ch [n=hyper@150-196.0-85.cust.bluewin.ch] has joined ##openvpn
01:31 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
01:47 -!- barefoot [n=magic@196.214.3.250] has joined ##openvpn
01:52 -!- papo [n=mathias@adsl-177-161-fixip.tiscali.ch] has quit [Read error: 104 (Connection reset by peer)]
01:52 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:53 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
01:55 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
01:55 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Lyndon, krzie, tinLoaf, stein0, rooth, skbohra, nick|here, freaky[t], paolo__, robotti^, (+2 more, use /NETSPLIT to show all of them)
01:57 -!- Netsplit over, joins: robotti^, tinLoaf
01:57 -!- Netsplit over, joins: rooth
01:57 -!- skbohra [n=skbohra@117.199.124.28] has joined ##openvpn
01:57 -!- magic_1 [n=magic@41.121.103.13] has quit [Read error: 110 (Connection timed out)]
01:57 -!- magic_1 [n=magic@41.121.103.13] has joined ##openvpn
02:01 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
02:02 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
02:04 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has joined ##openvpn
02:04 -!- nick|here [n=boranbas@saeinv5.lnk.telstra.net] has joined ##openvpn
02:04 -!- nick|here is now known as Guest86493
02:04 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
02:04 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn
02:12 -!- barefoot [n=magic@196.214.3.250] has quit [Read error: 113 (No route to host)]
02:23 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
02:24 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)]
02:46 -!- nick [n=boran@unaffiliated/nick] has quit [Nick collision from services.]
02:46 -!- Guest86493 is now known as nick
02:46 -!- _nick [n=boran@web67.webfaction.com] has joined ##openvpn
02:54 -!- flaif [n=irc@d207-6-157-133.bchsia.telus.net] has left ##openvpn []
02:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:10 -!- teddymills [n=teddy@208.92.235.227] has quit [SendQ exceeded]
03:48 -!- hyper_ch [n=hyper@150-196.0-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
03:51 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
03:52 -!- hyper_ch [n=hyper@150-196.0-85.cust.bluewin.ch] has joined ##openvpn
04:08 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)]
04:54 -!- skbohra_ [n=skbohra@117.199.117.234] has joined ##openvpn
04:55 -!- skbohra [n=skbohra@117.199.124.28] has quit [Read error: 113 (No route to host)]
04:56 -!- skbohra_ is now known as skbohra
05:36 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
06:00 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:10 -!- dazo_afk is now known as dazo
06:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
07:02 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
07:14 < ecrist> good morning
07:15 -!- Irssi: ##openvpn: Total of 78 nicks [0 ops, 0 halfops, 0 voices, 78 normal]
07:31 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has joined ##openvpn
07:34 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
07:37 < nikk> hi! not really an openvpn problem, but .. is there a way to prevent windows xp disconnecting (ovpn) connection while logging off (fast user switching). i try connect via rdp session to a windows xp pro client (sp3)...?
07:40 < ecrist> yes, set OpenVPN up as a service
07:43 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:43 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
07:50 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Connection reset by peer]
07:51 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
07:51 < nikk> thank you, ecrist. i will try
07:54 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
07:56 -!- rawDawg [n=rawDawg@67.88.27.98] has joined ##openvpn
08:13 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
08:13 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:13 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
08:14 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Client Quit]
08:20 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
08:28 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
08:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded]
08:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:02 -!- Schiz0 [n=Schiz0@unaffiliated/schiz0] has joined ##openvpn
09:03 < Schiz0> !/30
09:03 < vpnHelper> Schiz0: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
09:03 < Schiz0> !topology
09:03 < vpnHelper> Schiz0: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
09:04 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has joined ##openvpn
09:05 < delta_agent> I need some help for my bridged vpn over windows vista
09:08 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 113 (No route to host)]
09:15 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
09:20 < delta_agent> Somebody may help me please ?
09:23 < hyper_ch> !howto
09:23 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:28 < delta_agent> I read tutorials, I've searched in forums, I've searched the Web... but I did not solve my problem
09:31 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
09:32 < hyper_ch> #windows ?
09:33 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:34 < Schiz0> Hello. I have a routed VPN. I created keys/crts for two clients. I tested both of them on my machine, and they connect and my browser connects to the webserver listening on the VPN. However, after I sent the key/crt for the second client to the person, he cannot connect to the site. He connects to the VPN fine, but not the webserver listening on the VPN. I can't figure out why because it worked when I tested his certificates.
09:35 < Schiz0> He claims he has no firewall running - just his LAN router is in front of him. The clients are both Windows boxes, and the server is FreeBSD
09:35 < Schiz0> could it have something to do with a missing "route" statement in the config file?
09:39 < delta_agent> !route
09:39 < vpnHelper> delta_agent: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:39 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
09:41 < delta_agent> !logs
09:41 < vpnHelper> delta_agent: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:41 < delta_agent> !configs
09:41 < vpnHelper> delta_agent: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
09:42 < delta_agent> !interface
09:42 < vpnHelper> delta_agent: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
09:45 < delta_agent> Someone please ?
09:45 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:45 -!- hyper_ch [n=hyper@150-196.0-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
09:48 < dazo> delta_agent: if your question is unclear ... people here avoid trying to help ... concrete questions, with !configs and !logs might help a lot more to get some attention
09:52 < dazo> Schiz0: ask for the clients log files ... and if you can ship a config with --verb 4, you might get a lot of useful info too that might tell more what's the problem
09:53 < Schiz0> here's the server config: http://pastebin.ca/1676505, client config: http://pastebin.ca/1676509
09:53 < Schiz0> I'll get the logs
09:55 < delta_agent> First I did set a working dev tun vpn server and I was able to connect the client on the server
09:55 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:56 < delta_agent> Then, I decided to switch to dev tap since I need to let netbios traffic through the vpn
09:56 < delta_agent> I created a bridge on the server side with the ethernet adapter and the OpenVPN virtual adapter
09:57 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn
09:57 < delta_agent> Now, I'm trying to connect the client and I get the TLS error key negotiation failed to occur within 60 seconds...
09:57 < delta_agent> My firewalls are disabled on the server and the client side
09:58 < delta_agent> !logs
09:58 < vpnHelper> delta_agent: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:58 < Schiz0> dazo: here's the log of client2 connecting on his system (it does connect to the VPN, but cannot connect to the httpd listening on the VPN): http://pastebin.ca/1676525
09:58 < Schiz0> let me know if you need anything more
09:59 < delta_agent> I will paste the logs in a few seconds
10:00 < dazo> Schiz0: look at line 444-447 in the log .... that might be part of your troubles ... and I don't see any other route statements
10:01 < dazo> Schiz0: you most probably need to add a 'push "route 255.255.255.255"' into the server config as well
10:01 < dazo> Schiz0: and OpenVPN must be started with admin rights on the Windows box
10:01 < Schiz0> OpenVPN is running on FreeBSD, the clients are windows boxes
10:02 < Schiz0> I'll try putting that push statement in the config file - thanks for looking at it
10:02 < dazo> Schiz0: yeah ... and the windows clients also need to start openvpn with admin privileges to be allowed to modify the routing table
10:02 < Schiz0> ahh
10:03 < dazo> Schiz0: it might be that it's enough to grant some network group access to the windows user .... but I honestly don't know how or if that works
10:03  * dazo is not a Windows user
10:03  * dazo gotta go now
10:04 < delta_agent> client log : http://pastebin.ca/1676533
10:04 < delta_agent> !configs
10:04 < vpnHelper> delta_agent: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:05 -!- dazo is now known as dazo_afk
10:06 < delta_agent> client config : http://pastebin.ca/1676535
10:06 < delta_agent> oh sorry I did not remove the comments
10:08 < delta_agent> client config without comments: http://pastebin.ca/1676539
10:13 < delta_agent> server config : http://pastebin.ca/1676549
10:13 < delta_agent> server log : http://pastebin.ca/1676550
10:14 < delta_agent> !interface
10:14 < vpnHelper> delta_agent: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
10:15 < delta_agent> My router is at 192.168.0.1 and my OpenVpn server is at 192.168.0.119
10:16 < delta_agent> The client I'm trying to connect is a windows vista notebook that connects to Internet via usb modem (public internet)
10:20 < delta_agent> The server is also on windows vista
10:23 < Rolybrau> better is Linux for Server
10:25 < delta_agent> yeah but I cannot change for Linux...
10:25 < ecrist> delta_agent: are you certain you have all firewalls disabled?
10:25 < delta_agent> yes firewalls completely offline
10:25 < delta_agent> on both sides
10:26 < ecrist> and there aren't any in between?
10:26 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
10:27 < delta_agent> no
10:27 < delta_agent> besides the router
10:27 < ecrist> there is a firewall on the router?
10:27 < delta_agent> the router port forwards to the server 192.168.0.119
10:27 < delta_agent> yes
10:27 < delta_agent> DLINK-655
10:28 < delta_agent> I mean D-Link Dir-655
10:29 < delta_agent> When the vpn was configured with dev-tun, everything was ok, I was able to connect the same client to the server
10:29 < delta_agent> I did change nothing in the router since I switched to dev tap
10:30 < ecrist> have you considered heeding the advice in your server log, about your current IP subnet?
10:30 < delta_agent> what do you mean ? I do not understand
10:31 < delta_agent> Oh you mean change the subnet from 192.168.xxx to something less common ?
10:32 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has quit [Read error: 113 (No route to host)]
10:32 < delta_agent> Since it worked with dev-tun it doesn't seem I need to change the subnet
10:34 < delta_agent> I have to go soon... Somebody has any idea why I have this connection problem ?
10:37 < delta_agent> Else I will consider coming back to dev-tun and installing a WINS server 10:38 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 10:41 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 10:41 < delta_agent> last call... 10:43 < delta_agent> I'll stay connected to see if someone has an advice while I'll begin the Dev-tun move with a WINS server... 10:43 -!- rawDawg [n=rawDawg@67.88.27.98] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 10:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 10:43 -!- Schiz0 [n=Schiz0@unaffiliated/schiz0] has quit [":wq"] 10:49 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has joined ##openvpn 10:53 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 11:09 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 11:13 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has joined ##openvpn 11:21 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 11:24 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has quit ["—I-n-v-i-s-i-o-n— 3.0 (March '08)"] 11:24 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has joined ##openvpn 11:25 -!- nikk [n=nikk@p5B0751CA.dip.t-dialin.net] has quit [Client Quit] 11:27 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 11:28 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 11:32 -!- nick [n=boranbas@unaffiliated/nick] has left ##openvpn ["Leaving"] 11:41 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:54 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:57 -!- dazo_afk is now known as dazo 12:06 -!- neoice [n=neoice@thule.neoice.net] has joined ##openvpn 12:06 < neoice> !route 12:06 < vpnHelper> neoice: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, 
or (#2) READ IT DONT SKIM IT 12:07 < neoice> !redirect 12:07 < vpnHelper> neoice: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 12:07 < neoice> !def1 12:07 < vpnHelper> neoice: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 12:09 < neoice> I was here a few weeks ago and someone mentioned a way to do per-client configs. its just a directory in /etc/openvpn named... something, right? 12:09 -!- Dangerbock [n=danger@62.28.13.185] has joined ##openvpn 12:10 < Dangerbock> hi...is possible that when one client connects to openvpn server 12:10 < Dangerbock> one route is added to the route table ? 12:12 < neoice> something like push "route 10.66.0.0 255.255.255.0" ?? 12:13 < Dangerbock> that will add the route to the client 12:13 < Dangerbock> i would like to add the route to the server 12:28 -!- Dangerbock [n=danger@62.28.13.185] has quit ["Ex-Chat"] 13:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 13:20 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 13:30 -!- roentgen [n=HaRT@psw.ro] has joined ##openvpn 13:45 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 14:06 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:10 < dazo> neoice: what are you trying to solve by doing that? 
14:16 -!- magic_1 [n=magic@41.121.103.13] has quit [Read error: 104 (Connection reset by peer)] 14:19 -!- tessier [n=treed@kernel-panic/sex-machines] has joined ##openvpn 14:20 < tessier> Is http://openvpn.se/ the preferred openvpn windows implementation? Does it work well with the latest 2.1rc21? 14:20 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 14:23 -!- magic_1 [n=magic@41.121.176.219] has joined ##openvpn 14:35 < ecrist> tessier: the GUI is now bundled with the windows executable 14:35 < tessier> ecrist: Cool! 14:35 < tessier> So that link I provided is no longer necessary. It did seem rather outdated. 14:36 < tessier> Thanks. We currently use Linksys WRV200's for VPN and it is seriously deficient both in reliability and security. 14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:07 < Hypnoz> when i try to revoke an openvpn cert i get this output. any ideas? 15:07 < Hypnoz> http://pastebin.org/54983 15:18 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has quit [] 15:23 -!- paolo__ [n=pa@host163-6-dynamic.58-82-r.retail.telecomitalia.it] has joined ##openvpn 15:25 -!- paolo__ is now known as pa 15:34 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 15:39 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)] 16:06 -!- dazo is now known as dazo_afk 16:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 16:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 16:42 -!- Mark21 [n=mark@unaffiliated/mark21] has left ##openvpn [] 16:59 < tessier> It is generally a good idea to copy /home/treed/openvpn-2.1_rc21/easy-rsa/2.0 to somewhere like /etc/openvpn? The docs seem to say to but they didn't mention 1.0 vs 2.0 or anything about openvpn config files (yet) in this directory. I am just at the setting up the PKI part. 
17:01 < tessier> Oh, there is an openssl.cnf in here afterall...thought it was just rsa related stuff. 17:05 -!- m3thos [n=mindblas@bl9-86-79.dsl.telepac.pt] has joined ##openvpn 17:07 < m3thos> hi there, i'm trying to use the "update-resolv-conf" thing.. i've placed it in my .conf file.. but stop & start don't seem to update resolv.conf, any clues ? 17:11 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 17:18 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 17:18 < Bushmills> man openvpn|grep update-resolv||echo "sorry, not found" 17:19 < Bushmills> when does that script execute? 17:27 < m3thos> Bushmills: its a script that supposedly one calls in the .conf file like so: up /etc/openvpn/update-resolv-conf to update resolv.conf file with data from the openvpn connection 17:27 < m3thos> http://www.subvs.co.uk/openvpn_resolvconf 17:27 < vpnHelper> Title: openvpn and resolv.conf | SubVS.co.uk (at www.subvs.co.uk) 17:27 < Bushmills> yes. does it actually execute when you connect? 17:28 < Bushmills> if so, have you installed resolvconf? 17:28 < Bushmills> does server push dhcp options? 17:29 < m3thos> resolvconf is installed 17:29 < m3thos> Wed Nov 18 23:22:00 2009 PUSH: Received control message: 'PUSH_REPLY,route 50.0.0.0 255.0.0.0,dhcp-option DNS 50.4.0.1,dhcp- 17:30 < m3thos> option DNS 50.1.1.3,route-gateway 50.4.1.1,ping 10,ping-restart 120,ifconfig 50.4.1.3 255.255.255.0' 17:30 < m3thos> it does seem to add them 17:31 < Bushmills> add a line echo "$(date) vpn $script_type" >> /tmp/vpn to the script. 17:31 < Bushmills> look at /tmp/vpn after having connected / disconnected 17:31 < Bushmills> (this assumes that your shell is bash) 17:32 < m3thos> good hint! 
17:32 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Remote closed the connection] 17:33 < Bushmills> just below the line [ -x /sbin/resolvconf ] || exit 0 , above case $script_type in , would be a good place 17:34 < m3thos> Bushmills: I'm gonna put the up and down script pointing to a script of mine that will do that and a bit more 17:34 -!- shadfc [n=shadfc@pool-72-77-165-39.tampfl.fios.verizon.net] has joined ##openvpn 17:35 < shadfc> !howto 17:35 < vpnHelper> shadfc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:38 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 17:39 < m3thos> its being called 17:39 < m3thos> cat /tmp/vpn 17:39 < m3thos> Wed Nov 18 23:38:54 WET 2009 vpn down 17:39 < m3thos> Wed Nov 18 23:39:01 WET 2009 vpn up 17:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 17:40 < Bushmills> also add echo $UID to script 17:42 < m3thos> echo "$(date) vpn $script_type $UID ${!foreign_option_*}" >> /tmp/vpn 17:42 < m3thos> Wed Nov 18 23:41:20 WET 2009 vpn up 0 foreign_option_1 foreign_option_2 17:42 < tessier> Do most people password protect their openvpn keys? 17:42 < Bushmills> make sure that /etc/openvpn/update-resolv-conf has exeute bit set 17:42 < m3thos> down runs has nobody but i'm not worried about the "down" part.. 17:43 < m3thos> Bushmills: it has.. or that /tmp/vpn wouldn't be being written 17:43 < Bushmills> i thought you were using your own script 17:43 < shadfc> hey guys, I've got a remote office which I need to connect to our main office. All machines there should receive addresses via the DHCP at the main office. Can anyone give me some hints as to what I should be looking for configuration-wise? 17:44 < m3thos> I changed my mind when I saw the env vars and "implicit" data passing.. 
17:44 < Bushmills> I'd blame resolvconf now 17:45 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)] 17:46 < m3thos> I would too.. 17:47 < m3thos> I added this, just b4 the call to resolvconf..: echo -n "$R" >> /tmp/vpn 17:47 < m3thos> Wed Nov 18 23:46:45 WET 2009 vpn up 0 foreign_option_1 foreign_option_2 17:47 < m3thos> nameserver 50.4.0.1 17:47 < m3thos> nameserver 50.1.1.3 17:50 < m3thos> I'm gonna fix this .. my way.. 17:52 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 17:59 < m3thos> resolvconf my ass... cp, echo and cat are my friends.. and don't fail 18:01 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 18:03 < Bushmills> right. not installed here, too problematic 18:03 < Bushmills> sed might be useful 18:03 < m3thos> indeed.. sed -i.. 18:04 < Bushmills> i'd probably replace only after file has been generated completely. 18:04 < Bushmills> probably by symlinking to one or the other version 18:25 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 18:25 -!- DVlad666 [n=Miranda@95-25-120-66.broadband.corbina.ru] has joined ##openvpn 18:34 -!- master_of_master [i=master_o@p549D7C8C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:37 -!- master_of_master [i=master_o@p549D7B07.dip.t-dialin.net] has joined ##openvpn 18:40 -!- DVlad666 [n=Miranda@95-25-120-66.broadband.corbina.ru] has quit ["DVlad666 Quit message."] 19:00 < tessier> How do I statically assign clients their IP addresses? Does it by default set the clients defaultroute to the vpn server? 19:01 < reiffert> !static 19:01 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 19:01 < tessier> Thanks 19:01 < reiffert> !factoids search default 19:01 < vpnHelper> reiffert: No keys matched that query. 
19:01 < reiffert> !factoids search redirect 19:01 < vpnHelper> reiffert: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 19:02 < reiffert> feel free to use the ! commands. 19:02 < Bushmills> !ccd 19:02 < vpnHelper> Bushmills: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 19:02 < tessier> !common-name 19:02 < vpnHelper> tessier: Error: "common-name" is not a valid command. 19:02 < tessier> heh 19:03 < Bushmills> !cn 19:03 < vpnHelper> Bushmills: Error: "cn" is not a valid command. 19:03 < reiffert> do you see any !common-name anywhere? 19:03 < Bushmills> xlerb plugh 19:03 < reiffert> !factoids search common 19:03 < vpnHelper> reiffert: No keys matched that query. 19:03 < reiffert> !factoids search cn 19:03 < vpnHelper> reiffert: "lintrafaccnt" is http://www.catonmat.net/blog/traffic-accounting-with-iptables/ for a walkthrough on using iptables for traffic accounting 19:03 < reiffert> bullsmish 19:04 < Bushmills> http://forthfreak.net/snap/xlerb.png 19:04 < tessier> Redirecting all traffic through the VPN is the preferred way to go right? So attackers cannot route through the remote network into my network? 19:05 < reiffert> xlerb? 19:05 < reiffert> tessier: hackers normally use ways you dont think of. 19:06 < tessier> reiffert: Er...right. So... 19:06 < reiffert> there is no perf. way 19:09 < tessier> In push "redirect-gateway def1" is def1 a default route ip or what? 19:13 < tessier> !def1 19:13 < vpnHelper> tessier: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:13 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:15 < reiffert> I do love selfhelp. 19:17 < tessier> hmm...when I start openvpn it lists my cn with the old IP of 10.8.0.4 19:18 < reiffert> something's wrong. 19:21 < tessier> Ok, I think I got it worked out... 19:24 < reiffert> :) 19:28 < tessier> But now I get to have the split tunneling debate with everyone. 19:31 < reiffert> ??? 19:34 -!- lietu_ [n=lutka@owner.of.lietu.net] has joined ##openvpn 19:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 19:53 -!- lietu [n=lutka@owner.of.lietu.net] has quit [Read error: 110 (Connection timed out)] 20:25 -!- corretico [n=laguilar@201.201.46.106] has quit [Operation timed out] 20:30 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 20:35 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 20:38 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."] 21:13 -!- vosdj [n=sdf@84.13.188.219] has joined ##openvpn 21:14 < vosdj> I've successfully set up an openvpn connection... Now how do I use it? 21:14 < vosdj> I'd like to have my browser traffic use it 21:19 < vosdj> !redirect 21:19 < vpnHelper> vosdj: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 21:20 < vosdj> !def1 21:20 < vpnHelper> vosdj: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 21:21 < vosdj> !man 21:21 < vpnHelper> vosdj: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 21:22 -!- kirill_ [n=kirill@dsl-67-212-30-77.acanac.net] has joined ##openvpn 21:30 -!- kirill_ [n=kirill@dsl-67-212-30-77.acanac.net] has quit [Read error: 60 (Operation timed out)] 21:30 < shadfc> can I join two networks by making the gateway for one a openvpn server and the gateway for the other a client of that server? 21:31 < shadfc> id like for it to be as transparent as possible to clients on either side 21:53 -!- m3th0s [n=mindblas@bl6-79-95.dsl.telepac.pt] has joined ##openvpn 21:57 -!- soisf [n=sdf@78.147.226.165] has joined ##openvpn 21:59 -!- _nick is now known as nick 22:00 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection] 22:00 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 22:02 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 22:05 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 22:09 -!- m3thos [n=mindblas@bl9-86-79.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 22:09 -!- vosdj [n=sdf@84.13.188.219] has quit [Read error: 110 (Connection timed out)] 22:14 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 22:15 < crazygir> hiya! I just setup openvpn on gentoo (srv) and am trying to connect from a xubuntu client. 
The connection seems to get setup fine, (tun looks right in ifconfig), but when I try to ping the server's vpn addr, openvpn freaks out with: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 22:18 -!- sno [n=sno@85-10-202-144.clients.your-server.de] has quit [Read error: 104 (Connection reset by peer)] 22:18 -!- sno_ [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 22:23 < crazygir> I used config guidance from: http://briancarper.net/blog/openvpn-in-15-minutes 22:23 < vpnHelper> Title: briancarper.net :: OpenVPN in Gentoo in 15 minutes (at briancarper.net) 22:26 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 22:44 -!- skbohra [n=skbohra@117.199.117.234] has quit [Read error: 110 (Connection timed out)] 23:10 -!- hyper_ch [n=hyper@adsl-84-227-156-221.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)] 23:13 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn 23:15 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 23:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 23:16 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Client Quit] 23:38 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn 23:40 < exes> I have two clients, and sometimes one of them shows the connection coming from my router... what's the reason for this? 23:41 < exes> Wed Nov 18 23:33:05 2009 saturn.exes.org/192.168.1.1:59878 23:52 -!- soisf [n=sdf@78.147.226.165] has quit [Read error: 110 (Connection timed out)] 23:53 < exes> nevermind... 23:53 -!- exes [n=exes@galileo.exes.org] has left ##openvpn [] --- Day changed Thu Nov 19 2009 00:26 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection] 01:09 < kisom> Does anyone know how openvpn is affected by the ssl renegotiation vulnerability? 
01:10 -!- mekwall [n=oddy@c83-249-242-68.bredband.comhem.se] has quit [Read error: 54 (Connection reset by peer)] 01:13 -!- hyper_ch [n=hyper@27-229.3-85.cust.bluewin.ch] has joined ##openvpn 01:17 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 01:38 < reiffert> kisom: please check the devel mailinglist archive. 01:56 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:56 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 145 (Connection timed out)] 03:11 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 03:14 -!- le0 [n=tehfin@82.132.139.64] has joined ##openvpn 03:16 -!- le0 [n=tehfin@82.132.139.64] has quit [Client Quit] 03:16 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 04:00 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:18 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 04:22 -!- sno_ is now known as sno 04:36 -!- mekwall- [n=oddy@c83-249-242-68.bredband.comhem.se] has joined ##openvpn 04:52 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 05:00 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection] 05:01 -!- mekwall- [n=oddy@c83-249-242-68.bredband.comhem.se] has left ##openvpn ["Leaving."] 05:01 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 05:06 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Remote closed the connection] 05:14 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 05:17 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn 05:18 < renihs> hello 05:19 < renihs> question, i have an openvpn server in an internal lan behind a nat, the openvpn.conf has a remote the public ip of this server (they get dnat'ed), for some odd reasons, i would like the clients to also connect from the internal lan to the internal ip 05:20 < renihs> adding a 2nd remote does not work, 
not sure about the --float param (reading up on that) but is there any quick way to allow packets from 2 ips? (internal OR external ip?) 05:21 < renihs> or should i source nat the packets from the openvpn host to appear to come from the outside even when from inside 05:25 < |Mike|> !nat 05:25 < vpnHelper> |Mike|: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 05:27 < reiffert> "--redirect-gateway local" might be intresting as well/ 05:31 < renihs> well, i could do with nat, but i would prefer to have 2 entries in openvpn.conf (for remote), and it accepting either for internal ip or external 05:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:43 -!- _LowKey [i=rhel@eclipse.gempakbox.net] has joined ##openvpn 05:46 < renihs> if i add entries per "user" in the "ccd" directory, can i make them *overwrite* the defaults? or are they always added? 
05:54 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 05:54 -!- LowKey [i=rhel@eclipse.gempakbox.net] has quit [Read error: 110 (Connection timed out)] 05:54 -!- _LowKey is now known as LowKey 05:58 -!- lietu_ [n=lutka@owner.of.lietu.net] has quit [Read error: 113 (No route to host)] 06:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:11 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 06:12 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 06:25 -!- LowKey [i=rhel@eclipse.gempakbox.net] has quit [Read error: 110 (Connection timed out)] 06:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 07:04 < endre> renihs: u could use redirect target in netfilter 07:04 < endre> or dnat to localhost 07:06 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 07:07 < shadfc> do I need an extra physical interface for bridged mode? Meaning, do I need 3 if my server is already a gateway/router for one subnet? 
07:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:25 < endre> depends on 07:25 < endre> more details 07:31 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 07:43 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 07:44 < ecrist> good morning 07:46 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 08:06 -!- vosdj [n=sdf@84.13.52.131] has joined ##openvpn 08:15 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:30 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)] 08:31 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 08:31 -!- Ziber_ [i=Liber@liber-ipv6.net] has joined ##openvpn 08:31 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Client Quit] 08:31 -!- Ziber_ is now known as Ziber 08:36 -!- akan01n [n=akan01n@201.19.85.117] has joined ##openvpn 08:37 -!- akan01n [n=akan01n@201.19.85.117] has left ##openvpn [] 08:39 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:07 -!- soisf [n=sdf@92.24.29.117] has joined ##openvpn 09:08 -!- vosdj [n=sdf@84.13.52.131] has quit [Read error: 60 (Operation timed out)] 09:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:12 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 09:12 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 54 (Connection reset by peer)] 09:13 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 09:13 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:13 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 54 (Connection reset by peer)] 09:16 -!- dazo_afk is now known as dazo 09:23 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has joined ##openvpn 09:24 < delta_agent> Hi! 
09:24 < delta_agent> I use auth-user-pass-verify with the auth-pam.pl script 09:24 < delta_agent> via-file 09:25 < delta_agent> but I don't know how I have to specify which file to use (the file where the login and password are saved)... 09:25 < delta_agent> I have in the server config : auth-user-pass-verify auth-pam.pl via-file 09:26 < delta_agent> I also have a password.txt file which contains the username and the password 09:27 < delta_agent> it seems the auth-pam.pl script looks for an argument to open the login/password saved file 09:27 < delta_agent> So, i tried : auth-user-pass-verify "auth-pam.pl password.txt" via-file 09:27 < dazo> delta_agent: I believe auth-pam.pl depends on the pam auth of the current system ... default will then be user accounts on that box 09:29 < delta_agent> ok 09:29 < delta_agent> the user account on the server side ? 09:30 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:31 < dazo> yup 09:31 < dazo> delta_agent: I have not much experience with all you can do with with PAM ... but virtual users is said to be possible ... but I have no idea how ... 09:31 < delta_agent> I tried but it doesn't work 09:32 < dazo> delta_agent: you want to have virtual users? 09:32 < delta_agent> yes 09:32 < krzee> lol 09:32 < krzee> then you dont use pam 09:32 < dazo> delta_agent: have a look at http://www.eurephia.net/ ... maybe that's more your path? 09:32 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net) 09:32 < krzee> openvpn can use anything for auth, why use pam if you dont want system users? 09:33 < dazo> delta_agent: As I'm developing it ... I should be able to help you a lot :-P 09:33 < delta_agent> system users would be ok too 09:34 < delta_agent> Maybe I should try to specify full path to auth-pam.pl 09:35 < dazo> delta_agent: a guy was nice to also send me a auth_mysql module as well ... it's not perfect, and I have not tested it at all ... 
but based on code review it should be fine, just not too efficient code 09:35 < dazo> delta_agent: +1 ... full path usually helps ... and beware of different paths if you're chrooting 09:35 < delta_agent> I'll try and have a look to eurephia too, thanx 09:36 < dazo> delta_agent: no prob! :) feel free to bug me about it :) 09:44 -!- alabd [n=alabd@unaffiliated/alabd] has joined ##openvpn 09:45 < alabd> Good day everyone , Is there any reliable Free vpn ? 09:45 < dazo> alabd: yeah ... it's called openvpn ;-) 09:46 < alabd> dazo: free account 09:46 < alabd> Is there any reliable Free vpn account ? 09:46 < dazo> that's not discussed here often 09:47 -!- alabd [n=alabd@unaffiliated/alabd] has quit [Client Quit] 09:48 -!- alabd [n=alabd@unaffiliated/alabd] has joined ##openvpn 09:49 < alabd> Is there any reliable Free vpn account ? d 09:51 < krzee> dude 09:51 < theDoc> what the fuck. 09:51 < krzee> 1 time asking your question was enough 09:52 < theDoc> free yeah right. 09:52 * theDoc facepalms. 09:52 < theDoc> g'night folks. 09:52 < theDoc> o/ 09:52 < krzee> nite doc 09:52 < theDoc> alabd> nothing is free. 09:53 < krzee> unless you do it yourself 09:53 < krzee> (which is all we help with here) 09:53 < theDoc> Even so, b/w; electricity; servers are all not free. 09:53 < theDoc> someone needs to move that data and encrypt it and that, is not free. 09:53 < krzee> usually already being paid for 09:53 < theDoc> true that. 09:53 -!- hyper_ch [n=hyper@27-229.3-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 09:53 < krzee> and to me, no additional cost = free 09:54 < theDoc> i get rather miffed when people expect "free" things. 09:54 < theDoc> but bedtime for me. it's midnight here. 
09:54 < theDoc> o/ 09:55 -!- hyper_ch [n=hyper@115-193.3-85.cust.bluewin.ch] has joined ##openvpn 10:03 < krzee> theDoc, actually you could make good $ giving free vpn 10:03 < krzee> inject adds into the http stream 10:03 < krzee> ads 10:04 < krzee> =] 10:09 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has quit [] 10:25 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 10:25 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded] 10:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 10:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:33 < alabd> Is there any reliable Free vpn account ? 10:34 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 10:35 -!- alabd [n=alabd@unaffiliated/alabd] has left ##openvpn [] 10:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection reset by peer] 10:36 -!- teddymills [n=teddy@208.92.235.227] has quit ["Ex-Chat"] 10:38 < crazygir> I used config guidance from: http://briancarper.net/blog/openvpn-in-15-minutes 10:38 < vpnHelper> Title: briancarper.net :: OpenVPN in Gentoo in 15 minutes (at briancarper.net) 10:38 < crazygir> so I set up openvpn on gentoo (srv) and am trying to connect from a xubuntu client. 
The connection seems to get setup fine, (tun looks right in ifconfig), but when I try to ping the server's vpn addr, openvpn freaks out with: read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 10:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:39 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 10:49 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Connection reset by peer] 10:50 -!- hyper_ch [n=hyper@115-193.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:50 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 10:50 -!- todd [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 10:50 < ecrist> crazygir: firewall 10:53 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn 10:57 < crazygir> interesting 11:05 -!- soisf [n=sdf@92.24.29.117] has quit [Read error: 110 (Connection timed out)] 11:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 11:10 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn 11:16 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Remote closed the connection] 11:23 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has joined ##openvpn 11:23 < delta_agent> Hi! still me 11:24 < delta_agent> I'm still trying to use auth-user-pass-verify now with a batch file in windows 11:24 < delta_agent> For testing, I did a batch file with one line : exit 0 11:24 < delta_agent> But I'm unable to connect to the server 11:25 < delta_agent> password verification failed for peer 11:25 < delta_agent> Auth failed (status=1) 11:25 < delta_agent> any idea why this is failing ? 11:33 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn 11:46 -!- pvh_sa [i=pvh@41.145.106.130] has joined ##openvpn 11:47 < pvh_sa> !howto 11:47 < vpnHelper> pvh_sa: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 11:47 < pvh_sa> !logs 11:47 < vpnHelper> pvh_sa: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 11:47 < pvh_sa> !configs 11:47 < vpnHelper> pvh_sa: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 11:47 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn 11:51 -!- shadfc [n=shadfc@pool-72-77-165-39.tampfl.fios.verizon.net] has left ##openvpn [] 11:57 -!- teddymills [n=teddy@208.92.235.227] has quit [Connection reset by peer] 11:57 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 12:01 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:06 -!- delta_agent [n=d@modemcable042.96-203-24.mc.videotron.ca] has quit [] 12:12 -!- alabd [n=alabd@unaffiliated/alabd] has joined ##openvpn 12:13 < alabd> good day everyone , openvpn in ubuntu connects to server but http://whatismyipaddress.com/ still shows original ip ? 12:13 < vpnHelper> Title: What Is My IP Address? - Lookup IP, Hide IP, Change IP, Trace IP and more... (at whatismyipaddress.com) 12:15 < alabd> any opinion ? 12:20 < ecrist> alabd: you're not redirecting gateway and nating out bound traffic from the VPN 12:20 < ecrist> the VPN creates a secure tunnel between two endpoints. 12:21 < ecrist> you need to do a little more for it to secure all internet traffic 12:21 < alabd> ok how can we understand that we are on vpn ? 
12:36 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 12:36 -!- vosdj [n=sdf@92.26.39.94] has joined ##openvpn 12:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 12:46 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)] 12:49 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 12:51 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:55 -!- Tiders- [n=shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has joined ##openvpn 12:55 < Tiders-> Umm Im having problems setting up my OpenVPN server 12:58 < tessier> You and me both. 12:59 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 13:01 < tessier> Ok, now I remember why I hate VPNs 13:01 < tessier> Routing is a bitch and you can never make anyone happy. 13:02 < krzie> !route 13:02 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:02 < krzie> its not THAT hard 13:02 < krzie> of course its not THAT easy either 13:03 < krzie> unless you have a medium/strong background in networking 13:04 -!- alabd [n=alabd@unaffiliated/alabd] has left ##openvpn [] 13:04 < krzie> with a decent understanding of routing/firewalls/nat (pretty basic networking) you can setup most of what people want for their vpns 13:05 < krzie> it can be as complex as desired, but for most setups what i just said is all there is 13:05 < cpm> and without it, yer lost in a dark sea of cluelessness 13:05 < tessier> I have a medium/strong background in networking. It's just that it has been so long that I have to rediscover all of the stuff each time. 13:05 < tessier> I only do this once every 2-3 years it seems. 13:05 < krzie> cpm, yup 13:05 < Tiders-> Can someone point me to a decent guide for setting up a VPN server 13:06 < krzie> Tiders- what is your goal? 
13:07 < krzie> tessier, and also what is your goal? =] 13:07 < Tiders-> TO connect to it from my school (behind a firewall) to access things that my poor man socks proxy cant support (ssh -D) 13:07 < krzie> ok, so you want to redirect all inet traffic over the vpn? 13:07 < Tiders-> Yeah 13:07 < krzie> !redirect 13:07 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:07 < krzie> you can start with these configs after you make certs 13:07 < krzie> !sample 13:08 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 13:08 < Tiders-> Uhh 13:08 < Tiders-> Dont I need to install openvpn first? 13:08 < Tiders-> On the server? 13:08 < krzie> on both sides, of course 13:08 < krzie> shouldnt that be sort of obvious>? 13:08 < Tiders-> Yeah 13:08 < krzie> ok maybe i gotta back up a step 13:08 < krzie> read all of this before you do anything 13:09 < krzie> !howto 13:09 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:09 < krzie> then come back, type !redirect and !sample 13:09 < krzie> sample will be a copy of configs i use 13:09 < krzie> then you read up on EVERY option in those configs from the manual (!man) 13:09 < krzie> then do what !redirect tells you 13:09 < Tiders-> Alright thanks.. How hard is this to do? 13:10 < pvh_sa> !redirect 13:10 < vpnHelper> pvh_sa: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
13:10 < krzie> depends on skill level, if you have a good background in networking, easy, if you have no networking background, very hard 13:10 < Tiders-> I have moderate 13:10 < krzie> because you'll be learning networking at the same time 13:10 < krzie> ok well do you understand NAT? 13:10 -!- OleanderLimpy [n=jj@rrcs-66-27-52-138.west.biz.rr.com] has joined ##openvpn 13:10 < OleanderLimpy> hey 13:11 < krzie> basic understanding of how routing tables work? 13:11 < krzie> if both are yes, shouldnt be too hard 13:11 < Tiders-> krzie, Nope X_X 13:11 < krzie> nope to both? 13:11 < Tiders-> Yeah X_X 13:11 < krzie> so what were you thinking of when you said moderate? 13:12 < krzie> I'd say a beginner understanding of networking would require an understanding of how routing tables work 13:12 < OleanderLimpy> !redirect 13:12 < vpnHelper> OleanderLimpy: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:12 < krzie> hey hey he read the topic 13:12 < pvh_sa> krzie, as a first test, should i be able to ping the other side of my tunnel ? i.e. 
my client has been allocated 10.8.0.6 -> 10.8.0.5, i'm trying to ping 10.8.0.5 13:12 * krzie likes OleanderLimpy 13:12 < Tiders-> I mean I set up PPTPD VPN and had it working but I couldnt connect for some reason so I decided to switch to OpenVPN 13:12 < krzie> pvh_sa 13:12 < krzie> !/30 13:12 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 13:13 < krzie> the client is .6 the server is .1 13:13 < krzie> ignore .5, its internal only 13:13 < krzie> if using 2.1 on all sides you can see !topology to no longer deal with that 13:14 < pvh_sa> !topology 13:14 < vpnHelper> pvh_sa: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 13:14 < pvh_sa> !/39 13:14 < vpnHelper> pvh_sa: Error: "/39" is not a valid command. 13:14 < pvh_sa> !/30 13:14 < vpnHelper> pvh_sa: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 13:14 < krzie> so if you use topology subnet (in server) you will get ips of .2 .3 .4 etc 13:17 < pvh_sa> krzie, running 2.1, so i'm using topology subnet, still... should i (from the client) be able to ping 10.8.0.1 ? 13:17 < krzie> sure 13:18 < krzie> either way the client should be able to ping .1 13:18 < pvh_sa> krzie, ok, then i know things are not working. since i get a connection ok, but can't ping 10.8.0.1 (only 10.8.0.4, the ip allocated to the client now) 13:18 < pvh_sa> !logs 13:18 < vpnHelper> pvh_sa: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
13:19 < pvh_sa> krzie, gonna generate some decent logs... 13:20 < krzie> the client has .4? 13:20 -!- shadfc [n=shadfc@pool-72-77-165-39.tampfl.fios.verizon.net] has joined ##openvpn 13:20 < krzie> oh you prolly have ipp 13:20 < krzie> !ipp 13:20 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 13:20 < pvh_sa> krzie, yes, i have ipp 13:22 -!- shadfc [n=shadfc@pool-72-77-165-39.tampfl.fios.verizon.net] has left ##openvpn [] 13:23 < pvh_sa> !pastebin 13:23 < vpnHelper> pvh_sa: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 13:25 < krzie> pvh_sa can you ping the other direction? 13:27 < pvh_sa> krzie: *headpalm* its a routing issue. when i pushed the route to the network on the other side of the tunnel, i killed the route to the actual tunnel gateway 13:28 < krzie> conflicting subnets? 13:29 < tessier> woohoo...everything seems to be working perfectly. Had to push a network route. 13:29 < krzie> ahh, must have been sharing lan behind server 13:31 -!- Tiders- [n=shawn@dhcp-0-11-9-9f-90-ef.cpe.quickclic.net] has quit ["Leaving"] 13:32 < pvh_sa> krzie, yup 13:32 < krzie> =] 13:33 < krzie> ya you'll need to change a subnet 13:33 < krzie> cant have them conflicting if you want to share a lan over the vpn 13:33 < krzie> you actually CAN let them conflict if you will not be connecting any lans or redirecting traffic over the vpn 13:34 < krzie> (im not sure what your end goal is) 13:34 < pvh_sa> krzie, change a subnet? 
trying to figure out the routing config - i tried adding a host route to the gateway via my default interface, then a route to the network as a whole via the tunnel... 13:34 < krzie> ok 13:34 < krzie> is the lan behind client or server? 13:35 < pvh_sa> krzie, i'm basically trying to set up openvpn as a way to (authorized) people to get a VPN into our network, avoiding the firewall. our current setup for off site access is 1) ssh into gateway machine 2) ssh from gateway machine to machine on work network. its sub-optimal 13:35 < krzie> what subnets do each the server and client lan use? and the vpn subnet? 13:35 < pvh_sa> krzie, lan is behind server 13:35 < krzie> ok so client lan is unknown 13:35 -!- keylocker [n=keylocke@unaffiliated/leleobhz] has joined ##openvpn 13:35 < krzie> server lan is what subnet? vpn subnet is what? 13:35 < keylocker> hello 13:36 < keylocker> i have a problem and dont know how to solve. Im trying to configure a VPN in server-bridge mode. 13:36 < pvh_sa> krzie, so server is 196.38.142.89, which is on the 196.38.142.64/26 subnet. vpn is using 10.8.0.1/etc addresses. i want to be able to reach that 196.38.142.64/26 subnet 13:36 < krzie> keylocker why do you want to use a briudge? 13:36 < krzie> bridge 13:36 < keylocker> notting difficult in anyway. the problem is im using valid ips in the bridge 13:36 < keylocker> and.. i dont have a range of valid ips 13:36 < keylocker> i have 3 or 4 ips but not sequential 13:37 < krzie> keylocker why are you trying to use bridge 13:37 < keylocker> so ifconfig-pool isnt a solution 13:37 < keylocker> krzie: im not trying. its my scenario 13:37 < krzie> umm 13:37 < krzie> homework assignment and you have no choice? 13:37 < keylocker> no 13:37 < krzie> otherwise, you should have a reason 13:37 < keylocker> my server is within a valid ip network 13:37 < keylocker> and in this network i have 6 ip address 13:37 < krzie> and? 
13:38 < keylocker> vpn clients must to use these ips 13:38 < krzie> you are choosing to use a layer2 tunnel, do you have a reason for using layer2 over layer3? 13:38 < krzie> anyways, you want this: 13:38 < krzie> !static 13:38 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 13:38 < krzie> but you prolly dont want a bridge anyways 13:38 < krzie> *shrug* 13:38 < krzie> !tunortap 13:38 < keylocker> i want bridges. 13:38 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 13:38 < keylocker> i dont have any private networks 13:39 < krzie> if you dont know why you need layer2, you dont want a bridge 13:39 < keylocker> and my clients must to have valid ips 13:39 < krzie> so? 13:39 < krzie> think you cant do that with layer3? 13:39 < krzie> what does ethernet layer have to do with that? 13:39 < krzie> unless you can say which layer2 protocol needs to go over the vpn, you dont need bridge 13:40 < krzie> anyways, you needed !static 13:40 < krzie> pvh_sa ok i guess there was no subnet conflict then 13:40 < keylocker> and i can use more than one ifconfig-push/ 13:40 < krzie> !ccd 13:40 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 13:40 -!- OleanderLimpy [n=jj@rrcs-66-27-52-138.west.biz.rr.com] has left ##openvpn [] 13:40 < krzie> the ifconfig-push goes in 1 of those 13:41 < krzie> the ccd entry is only valid for the client it was made for, you can have a diff ifconfig-push for each client 13:41 < keylocker> but not dynamically 13:41 < keylocker> right? 13:41 < krzie> dynamically you would make a client-connect script 13:41 < keylocker> i need to specify verbatim each client 13:41 < krzie> !iporder 13:41 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 13:41 < pvh_sa> krzie, i'm kinda getting there. just need to fiddle routing on my work subnet so machines route traffic to the 10.8.0.0 network correctly 13:41 < krzie> pvh_sa, ohhhh 13:42 < krzie> ya the router needs a route to vpn subnet to go over its local vpn node 13:42 < krzie> as described in my routing doc below the image 13:42 < krzie> !route 13:42 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 13:42 < keylocker> server-bridge is so easier than l3... 
the unique problem is i cant allocate only some ips 13:42 < keylocker> i need a range 13:42 < keylocker> a continuous range 13:42 < krzie> i go into detail about your situation in "ROUTES TO ADD OUTSIDE OPENVPN" 13:43 < krzie> server-bridge can be recreated any way you like 13:43 < krzie> its just a shortcut for other commands 13:43 < krzie> see it in the manual 13:43 < krzie> !man 13:43 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 13:43 -!- zamba [i=marius@flage.org] has joined ##openvpn 13:43 < keylocker> krzie: i know it.. 13:43 < pvh_sa> krzie, got it working! so now i just need to codify it in the config 13:43 < krzie> ok so ive given ya a couple ways to accomplish your goal keylocker 13:43 < krzie> go do one =] 13:44 < krzie> pvh_sa =] 13:44 < keylocker> what im trying to say is i need a tunnel with valid ips and i dont have private network. This allocation must be automatic (and with bridge mode i dont need client specific configuration) 13:44 < keylocker> note i use ifconfig-pool-persist 13:44 < ecrist> keylocker: krzie gave you some hints, check those out 13:45 < keylocker> ecrist: i want to avoid per-client configuration in any instance 13:45 < ecrist> you just said you use ifconfig-pool-persist 13:45 < ecrist> I don't know why you think you need per-client configurations. 
13:45 < keylocker> yes 13:45 < keylocker> lets me explain again 13:46 < keylocker> i have a working configuration like this: a server in valid ip network and vpn connecting and getting valid IPs (with default gateway redirect) 13:46 < ecrist> sweet, so you have a working vpn 13:46 < keylocker> ok, if the client connects, it access internet like inside the network 13:47 < keylocker> ok 13:47 < keylocker> i need configure another vpn 13:47 < keylocker> same case 13:47 < keylocker> but my ip range is short 13:47 < keylocker> i have only 3 ips and ill have only 3 simultaneous clients connected 13:47 < keylocker> this ips isnt sequential 13:47 < keylocker> so use server-bridge dont work for me 13:48 < keylocker> server-bridge works with ranges of ips. 13:48 < keylocker> well, server-bridge uses ifconfig-pool 13:48 < keylocker> that do this ip range distribution 13:48 < keylocker> i need a way to configure this, but from a ip list 13:48 < ecrist> ok, what IPs are you wanting to distribute? 13:48 < keylocker> things like 13:49 < keylocker> 100.100.100.190 100.100.100.192 100.100.100.137 13:49 < keylocker> /24 everyone 13:49 < keylocker> i dont care too much if its bridge or l3 connection (but if i can do tun tunneling is better) 13:49 < krzie> you just want inet to flow over the vpn? 13:50 < keylocker> krzie: this is one thing i want. 13:50 < keylocker> all you told me i can do 13:50 < krzie> thats a very common thing to want, doable over tun 13:50 < keylocker> my problem is 13:50 < krzie> what else do you want? 
13:50 < keylocker> use server-bridge i can assign automatically a RANGE of ips 13:50 < keylocker> ifconfig-pool do this 13:50 < krzie> stop talking about bridge 13:50 < keylocker> if i have 13:50 < krzie> talk about the idea of what you want 13:51 < krzie> ill tell you when you want bridge or not ;] 13:51 < krzie> (which wont happen until you mention a layer2 proto) 13:51 < keylocker> ifconfig-pool 192.168.0.2 192.168.0.64 13:51 < keylocker> it will assign automatically to client a ip inside this range 13:51 < keylocker> right/ 13:51 < krzie> check this out 13:51 < keylocker> confirm this plz 13:52 < krzie> what you said "i want inet to flow over vpn" that was a good way to say a goal 13:52 < krzie> please tell me the rest of your goal in a similar manner 13:52 < keylocker> ifconfig-pool assigns automatically to clients a ip inside the rang 13:52 < keylocker> range 13:52 < keylocker> my problem is i dont have a range, i have a list 13:53 * krzie gives up 13:53 < keylocker> krzie: i have a config that works 13:53 < krzie> cool, then you're done 13:53 < keylocker> if my client connects it get a ip automatically 13:54 < krzie> if you arent done, you need to do what i said and tell me the rest of your goal 13:54 < keylocker> i have this working in a network i have a range of ips 13:54 < keylocker> so 13:54 < keylocker> use server-config gw netmask start end works well 13:54 < keylocker> easy 13:54 < krzie> well you dont need to, but you do need to in order to get more help out of me 13:54 < keylocker> but my new config 13:54 < keylocker> i dont have a range of ips to distribute to clients 13:54 < keylocker> i have 2 or 3 ips without order 13:55 < tessier> hmmm...how do you normally name your .crt and .key files? I have been naming them username.crt and username.key but then I need to make a custom client.ovpn file with the name of their key in it. 
13:55 < keylocker> i want the vpn setup one of these 3 ips that is free to my client 13:55 < krzie> theres much you seem not to understand, and im not going to explain everything you could possibly need to know for the high number of different things you could want 13:55 < keylocker> like server-bridge does 13:55 < keylocker> krzie: you assume i dont know the solution 13:55 < krzie> tessier i usually name them .key/.crt 13:55 < keylocker> krzie: a bridge or whatever you way is EASY to do with a ip range 13:56 < krzie> keylocker, that is correct, because you are using bridge when you shouldnt be 13:56 < tessier> krzie: That is what I have done also. But then your client.ovpn config is unique for each user, correct? 13:56 < keylocker> server-bridge 192.168.0.1 255.255.255.0 192.168.0.2 192.168.0.254 13:56 < keylocker> simply 13:56 < krzie> tessier, yes, but ssl-admin makes the configs for me =] 13:56 < keylocker> krzie: but i dont have a range! i have 3 ips in a non contiguous space 13:56 < keylocker> like 13:57 < keylocker> 192.168.0.5 .7 .10 13:57 < krzie> keylocker if you used tun you would have a range! 
13:57 < krzie> it would be a vpn only subnet which you would nat however you like 13:57 < krzie> each client could nat to a diff ip as well 13:57 < keylocker> I'll NOT use nat 13:57 < krzie> but since you want to keep your goal a secret, goodluck 13:57 < keylocker> i need my clients seen through a real ip 13:57 < keylocker> :] 13:57 < krzie> tun can give real ips too 13:58 < keylocker> my goal is clients accessing through vpn with VALID ip from server network 13:58 < krzie> although you'd need to use topology subnet for that to work well 13:58 < keylocker> krzie: eh eh, i understood i can use tun 13:58 < keylocker> my problem is the automatic ip distribution after connection 13:58 < keylocker> doing ip distribution with a range is easy 13:58 < keylocker> but with a list of ips, no 13:58 < krzie> you build a script with the ips to give 13:58 < krzie> and use it in client-connect 13:59 < krzie> to automatically give ips from a list 13:59 < krzie> (i did say this earlier) 13:59 < keylocker> but is there nothing like ifconfig-pool that i can use with a list? 13:59 < krzie> !iporder 13:59 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 13:59 < krzie> those are the ways to give ips 13:59 < krzie> theres 3 options 13:59 < krzie> #2 is static ip 13:59 < krzie> #3 is range of ips 13:59 < krzie> #1 is ANYTHING you make it be 14:00 < krzie> only as limited as your scripting abilities 14:01 < keylocker> so openvpn cannot automatically setup dynamic ip address if you dont have a range 14:01 < keylocker> (i say without external things) 14:01 < krzie> would you expect it to? 14:01 < krzie> can a dhcp server give out ips without a range or static entries? 
14:01 < krzie> (no) 14:01 < keylocker> something like... (abstracting) 14:02 < krzie> as i said, you have 3 options to allocate ips 14:02 < keylocker> ifconfig-pool 100.100.100.130,100.100.100.132,100.100.100.135 255.255.255.0 14:02 < krzie> decide which works for you 14:02 < keylocker> abstracting a possible new option :p 14:02 < krzie> or change the code 14:02 < krzie> why do you want to imagine theres a 4th way? 14:02 < keylocker> it will offer one of 3 ips that isn't used 14:02 < krzie> you're just spinning your wheels 14:03 < krzie> but not going anywhere 14:04 < krzie> its not difficult to understand, you have dynamic based on range, static based on common-name, and ANYTHING ELSE 14:04 < keylocker> and to have a dynamic based on list, is a script.. 14:04 < keylocker> right? 14:05 < krzie> if what you want is not static or dynamic as described above, it falls into ANYTHING ELSE which means --client-connect script 14:05 < krzie> well it doesnt fall into static nor dynamic based on range 14:05 < krzie> so sherlock would use deduction to say it must be --client-connect script 14:05 < krzie> then he would say 'elementary my dear watson' 14:06 < keylocker> well, now is how to create this, because I'll need to find a way to see used ips and check if another is available 14:07 < keylocker> anyway, an ifconfig-pool with list support isnt a bad idea for new versions and i put it as a suggestion 14:07 < krzie> *shrug* this is unofficial support channel, we dont code openvpn 14:07 < krzie> but feel free to code it in 14:07 < krzie> its opensource and you may modify it anyway you like 14:08 < keylocker> im not a coder. not for C/C++ yet :] 14:08 < crazygir> learn python! 14:08 < crazygir> :P 14:08 < crazygir> you'll be glad you did! 
14:08 < krzie> your script can be anything that executes 14:08 < crazygir> (you'll be productive :P ) 14:08 < krzie> bash/python/perl/c/whatever 14:08 < keylocker> i know python 14:08 < krzie> and theres a whole section in the manual explaining how to bust them 14:08 < keylocker> but are there parts of ovpn written in python? 14:09 * keylocker is a python/shell coder 14:11 -!- dazo is now known as dazo_afk 14:12 < keylocker> krzie: have some example of script? 14:12 < keylocker> eg.: someone that does the same as ifconfig-pool 14:12 < keylocker> ? 14:13 < krzie> negative 14:13 < krzie> but if most is a range you could use a pool AND static for the extra ips outside of the pool 14:14 < krzie> since the static ip bypasses the pool altogether 14:14 < krzie> if it must be a list, you must code it, i have no samples cause I've never even heard of someone needing that 14:14 < krzie> in well over a yr of being here helping people 14:15 < krzie> and no part of openvpn is written in python, yet your scripts can be python 14:15 < krzie> your scripts can be any lang which can be executed 14:16 < krzie> hell even ruby ;] 14:18 < keylocker> and what does ovpn expect the script to put on stdout? 14:18 < keylocker> ovpn commands? 14:19 < krzie> huh? 14:19 < krzie> read the script section of the manual (as i said above) 14:19 < krzie> !man 14:19 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:26 < keylocker> well, thanks a lot and sorry about my inability to explain what i need. my english isnt so good 14:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 14:28 -!- keylocker [n=keylocke@unaffiliated/leleobhz] has quit ["leaving"] 14:29 < krzie> weird how many people say that. 
and i can never tell that they arent native english speakers 14:33 < Bushmills> simply a matter of higher standards :D 14:33 < krzie> moin moin 14:34 < krzie> see, you're a good example of that 14:34 < krzie> i would believe you if you said you were from america 14:34 < Bushmills> yes, I know that my English sucks 14:34 < Bushmills> thanks for confirming it :P 14:35 < krzie> :-p 14:36 -!- pvh_sa [i=pvh@41.145.106.130] has quit ["Ex-Chat"] 14:38 -!- rodman [n=rodman@187-26-178-145.3g.claro.net.br] has joined ##openvpn 14:39 < rodman> !howto 14:39 < vpnHelper> rodman: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:40 < Bushmills> ARM based compact portable computer for 80 $ ... http://www.youtube.com/watch?v=C_k_kpO647s 14:40 < vpnHelper> Title: YouTube - $80 Android Laptop, Menq EasyPC E790 (at www.youtube.com) 14:44 < rodman> i am trying to configure an openVPN client through a proxy and noted that my machine can't even ping the openVPN server's ip. can it be the firewall or something related to the proxy ? 
are there other ways to "ping" in which the proxy might not be blocking (if thats the case, really) 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:50 -!- jeiworth [n=jeiworth@189.234.70.238] has joined ##openvpn 14:51 < krzie> the proxy cant tell the diff between a ping and anything else 14:52 -!- squidly [n=squidly@HoodLUG/member/squidly] has joined ##openvpn 14:52 < squidly> !route 14:52 < vpnHelper> squidly: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:52 < Bushmills> firewall possible 14:53 -!- rodman_ [n=rodman@201-68-212-17.dsl.telesp.net.br] has joined ##openvpn 14:54 -!- rodman_ [n=rodman@201-68-212-17.dsl.telesp.net.br] has quit [Client Quit] 14:56 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:56 -!- soisf [n=sdf@92.26.39.94] has joined ##openvpn 14:57 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Remote closed the connection] 14:57 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Sebb, vosdj, kala_, drue, vpnHelper, KaiForce 14:57 -!- Netsplit over, joins: vpnHelper 14:58 -!- Netsplit over, joins: drue 14:59 -!- Netsplit over, joins: vosdj, kala_, Sebb 15:00 < squidly> I've got an issue with OpenVPN. A ssh session will work fine, but an rsync or a scp will work for a little while, then it will hang and start going slow 15:01 < krzie> you using tcp as your transport protocol? 
15:01 < squidly> krzie: with scp yes, I'm not 100% sure with rsync 15:01 < krzie> i mean for openvpn 15:02 < squidly> let me double check 15:02 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 15:03 < squidly> one tunnel is UDP the other is TCP 15:03 -!- rodman [n=rodman@187-26-178-145.3g.claro.net.br] has quit [Read error: 110 (Connection timed out)] 15:03 < squidly> issue happens on both tunnels 15:07 -!- rodman_ [n=rodman@201-68-212-17.dsl.telesp.net.br] has joined ##openvpn 15:08 < krzie> ok, the tcp one has an easy answer 15:08 < krzie> !tcp 15:08 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:08 < krzie> the udp one, ild say to make sure you have a keepalive as well as checking your MTU 15:11 < squidly> even though it starts are good.. and slows down later 15:11 -!- Snadder [i=sander@202.100.202.84.customer.cdi.no] has quit [Read error: 104 (Connection reset by peer)] 15:11 -!- vosdj [n=sdf@92.26.39.94] has quit [Read error: 110 (Connection timed out)] 15:17 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Sebb, kala_ 15:19 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"] 15:20 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 15:21 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn 15:21 -!- Sebb [n=sebastia@einstein.f0o.de] has joined ##openvpn 15:21 < krzie> squidly that is a perfect description of what happens with tcp-over-tcp 15:22 < krzie> with the udp one, im not so sure what the issue is' 15:22 < krzie> ild say if you're bridging see if you can use tun for less overhead 15:22 < krzie> check mtu 15:22 -!- kala_ [i=kala@uba.linux.ee] has quit [Connection reset by peer] 15:23 -!- Sebb [n=sebastia@einstein.f0o.de] has quit [Read error: 104 (Connection reset by peer)] 15:23 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn 15:27 -!- Sebb [n=sebastia@einstein.f0o.de] 
has joined ##openvpn 15:30 < squidly> ok I will do check MTU 15:40 < Dougy> ello 15:41 -!- rodman_ [n=rodman@201-68-212-17.dsl.telesp.net.br] has quit [Read error: 110 (Connection timed out)] 15:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 15:50 < Dougy> mehh 15:50 < Dougy> how the f do i get this keyboard off 15:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 15:53 < krzie> by sucking on it? 16:05 -!- vosdj [n=sdf@78.151.89.182] has joined ##openvpn 16:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 16:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 16:20 -!- neoice [n=neoice@thule.neoice.net] has left ##openvpn [] 16:21 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:25 -!- hoopla [n=savirc@adsl-99-35-222-114.dsl.pltn13.sbcglobal.net] has joined ##openvpn 16:26 -!- soisf [n=sdf@92.26.39.94] has quit [Read error: 110 (Connection timed out)] 16:38 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:56 -!- birdspider [n=birdspid@chello062178009208.4.11.tuwien.teleweb.at] has joined ##openvpn 16:57 < birdspider> hi, anyone suggestions/tutorials/how-tos for UDP-broadcast/openvpn/win7 ? 17:00 < Bushmills> broadcasts aren't routed. see whether you can find relays or proxies for those services, requring reply to udp broadcasts behind routed interfaces. 17:01 < Bushmills> then run that relay or proxy on the machine with the routed interface 17:02 < birdspider> with relay or proxy you mean a software-tool 17:02 < Bushmills> right. 17:02 < birdspider> so the vpn server needs it or all clients ? 
17:03 < Bushmills> the gateway to vpn server needs it 17:03 < Bushmills> that's probably the vpn client 17:04 < birdspider> ok 17:06 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)] 17:07 < birdspider> and given the vpn ip range is 10.10.0.0, the lans is 40.40.0.0 and the default gateway is 40.40.0.1 (which is the router on the lan) am I correct that the proxy needs to route udp-broadcasts back to the vpn ? or via WAN ? 17:09 < Bushmills> the proxy/relay, when receiving a broadcast packet, should send it to the interface which has been specified in its configuration. 17:09 < birdspider> ah, ok 17:09 < Bushmills> what it does in terms of modding destination address, is probably case dependent 17:10 < birdspider> ok ok 17:10 < birdspider> seems I have to read up on proxies, thanks 17:12 < Bushmills> i suppose replacing destination broadcast address to the broadcast address of net of the target interface is what would make most sense 17:16 < birdspider> thanks I will try this tomorrow and probably seek help again here :) 17:17 < birdspider> bye 17:17 < disco-> Is it possible to run two routed openvpn daemons on the same network/subnet? 
I'm only using OpenVPN for "redirect-gateway" purposes, but need to provide access to the openvpn server on two different ports, so have to run two separate processes 17:18 -!- birdspider [n=birdspid@chello062178009208.4.11.tuwien.teleweb.at] has quit ["Verlassend"] 17:19 < disco-> I'd like for the clients to keep the same IP address regardless of which daemon/port they're connecting to 17:28 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:28 -!- Reactor16 [n=Reactor1@41.105.4.158] has joined ##openvpn 17:29 -!- ErickG [n=ErickG@190.120.0.138] has left ##openvpn [] 17:58 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Sebb 18:00 -!- Netsplit over, joins: Sebb 18:01 -!- Sebb_ [n=sebastia@einstein.f0o.de] has joined ##openvpn 18:01 -!- Sebb [n=sebastia@einstein.f0o.de] has quit [Read error: 104 (Connection reset by peer)] 18:07 -!- Reactor16 [n=Reactor1@41.105.4.158] has quit [] 18:24 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 18:27 -!- jeiworth [n=jeiworth@189.234.70.238] has quit [Read error: 60 (Operation timed out)] 18:34 -!- master_of_master [i=master_o@p549D7B07.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:37 -!- master_of_master [i=master_o@p549D7C86.dip.t-dialin.net] has joined ##openvpn 18:38 -!- sjr_ [n=sjr@office.superuholdings.com] has joined ##openvpn 18:38 < sjr_> What is a good OpenVPN client for Mac OS X 18:38 < krzie> openvpn 18:38 < krzie> thats what i use on my osx 18:38 < krzie> theres really no need for gui 18:39 < krzie> if you need it clickable feel free to make a shell script that starts it, name it whatever.command and chmod +x it 18:39 < krzie> then you click it and it starts 18:39 < krzie> i have an icon in my stacks that starts 3 vpns 18:42 < Dougy> http://www.peopleofwalmart.com/?p=6317 18:42 < vpnHelper> Title: Classy Lady | www.peopleofwalmart.com (at www.peopleofwalmart.com) 18:50 < endre> sjr_: there is 
tunnelbrick or what 18:50 < endre> for macos 18:50 < endre> it's tunnelblick 18:55 < Dougy> http://www.ovpnforum.com/viewtopic.php?f=6&p=1851&sid=ca536de2831465cdf8fb19b022c50367#p1851 18:55 < vpnHelper> Title: OpenVPN Forum View topic - Limiting size of client.txt when running in service-mode (at www.ovpnforum.com) 18:55 < Dougy> @ krzie 19:07 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:21 -!- sjr_ [n=sjr@office.superuholdings.com] has quit ["This computer has gone to sleep"] 19:34 < krzie> dougy, ok i got it 19:34 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 19:37 < Dougy> ight 19:37 < Dougy> afk 19:39 -!- Dougy [n=me@ool-435033e6.dyn.optonline.net] has quit [Remote closed the connection] 20:26 -!- hoopla [n=savirc@adsl-99-35-222-114.dsl.pltn13.sbcglobal.net] has quit [Read error: 131 (Connection reset by peer)] 22:06 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn 22:06 -!- tjz [n=tjz@unaffiliated/tjz] has left ##openvpn [] 22:20 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:22 -!- soisf [n=sdf@78.149.246.229] has joined ##openvpn 22:23 -!- vosdj [n=sdf@78.151.89.182] has quit [Read error: 60 (Operation timed out)] 23:08 -!- soisf [n=sdf@78.149.246.229] has quit [Read error: 110 (Connection timed out)] 23:11 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has quit [Read error: 104 (Connection reset by peer)] 23:11 -!- LobbyZ [n=default@217.18.70.127] has joined ##openvpn 23:13 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 23:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn --- Day changed Fri Nov 20 2009 00:19 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:20 -!- fkr_ [i=fkr@news.bytemine.net] has joined ##openvpn 00:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:21 -!- hyper_ch 
[n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection] 00:26 -!- fkr [i=fkr@134.106.146.207] has quit [Read error: 113 (No route to host)] 00:31 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 00:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 01:23 -!- MorkBork [n=mark@unaffiliated/morkbork] has quit [Read error: 110 (Connection timed out)] 01:26 -!- hyper_ch [n=hyper@115-193.3-85.cust.bluewin.ch] has joined ##openvpn 01:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:45 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 02:40 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn 02:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 02:47 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 03:07 -!- Sebb [n=sebastia@einstein.f0o.de] has joined ##openvpn 03:08 -!- zamba [i=marius@flage.org] has quit [Read error: 104 (Connection reset by peer)] 03:08 -!- zamba [i=marius@flage.org] has joined ##openvpn 03:09 -!- Sebb_ [n=sebastia@einstein.f0o.de] has quit [Read error: 104 (Connection reset by peer)] 03:19 -!- dazo_afk is now known as dazo 03:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 03:29 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:36 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 03:48 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn 03:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:09 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 145 (Connection timed out)] 04:09 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)] 05:20 -!- 
buntfalke_ is now known as buntfalke 05:49 -!- tjz2 [n=tjz@121.7.30.30] has joined ##openvpn 05:58 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 06:18 -!- janeNarak [n=jane@2001:3c8:c103:a001:21a:92ff:fe09:bef5] has joined ##openvpn 06:19 < janeNarak> can i setup OpenVPN to provide IPv6 Multicast to remote client? 06:19 < |Mike|> openvpn can't handle v6 *yet* 06:19 < |Mike|> wow, i'm behind. 06:20 < |Mike|> Is IPv6 support planned/in the works? 06:20 < |Mike|> Currently, there's limited support for IPv6. 06:20 < |Mike|> Point-to-point IPv6 tunnels are supported on OSes which have IPv6 TUN driver support (this includes Linux and the BSDs). IPv6 over TAP is always supported as is any other protocol which can run over Ethernet. 06:20 < janeNarak> TAP is possible for IPv6 Multicast? 06:21 < reiffert> |Mike|: checkout the devel archive. 06:24 < |Mike|> janeNarak: I've totally no idea, you probably got to test it... 06:24 < janeNarak> thank :) 06:24 < |Mike|> reiffert: thanks, now i can expand my network over ipv6 instead of limited 10.x/8 :P 06:27 -!- dazo [n=dazo@nat/redhat/x-qkahjayxibauafpy] has quit [Read error: 104 (Connection reset by peer)] 06:27 -!- dazo [n=dazo@nat/redhat/x-fqtomwefcvsslghf] has joined ##openvpn 06:28 -!- dazo is now known as Guest65842 06:28 -!- dazo_ [n=dazo@nat/redhat/x-efbaktbbtijywwss] has joined ##openvpn 06:28 -!- dazo_ is now known as Guest76655 06:29 -!- Guest76655 is now known as dazo 06:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 06:39 < ecrist> good morning 06:46 -!- Guest65842 [n=dazo@nat/redhat/x-fqtomwefcvsslghf] has quit [Connection timed out] 06:56 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 06:56 -!- dollabill [n=mike@97.66.26.10] has quit [Client Quit] 07:24 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:27 < dazo> good afternoon! 
;-) 07:27 < hyper_ch> good evening 07:30 -!- vosdj [n=sdf@89.240.38.70] has joined ##openvpn 07:39 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has quit [Read error: 60 (Operation timed out)] 07:39 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 07:43 -!- hyper__ch [n=hyper@204-246.3-85.cust.bluewin.ch] has joined ##openvpn 07:44 -!- hyper_ch [n=hyper@115-193.3-85.cust.bluewin.ch] has quit [Nick collision from services.] 07:44 -!- hyper__ch is now known as hyper_ch 07:54 -!- LowKey is now known as [L]owKey 07:54 -!- [L]owKey is now known as LowKey 08:05 -!- hyper_ch [n=hyper@204-246.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 08:17 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 08:59 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 08:59 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 09:09 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn 09:10 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn 09:15 < LowKey> !interface 09:15 < vpnHelper> LowKey: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. 
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 09:17 -!- ErickG [n=ErickG@190.120.0.138] has joined ##openvpn 09:31 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit ["narf"] 09:53 -!- tjz2 [n=tjz@121.7.30.30] has quit ["bbl"] 09:55 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 10:21 -!- FirstSgt [n=cheney@cpe-76-182-199-229.tx.res.rr.com] has joined ##openvpn 10:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:25 < FirstSgt> Need some clairifications on 3 fields in openvpn default configuration file... first of all, what is 'remote' 10:26 < FirstSgt> 1. is 'remote' the ip address of my home-offices' router (the one in which I am routing through)? 10:27 < FirstSgt> 2. is 'remote' the ip address of the local ethernet adapter on the server running the openvpn (remote to the client) 10:27 < FirstSgt> 3. is 'remote' the ip address of the remote client (which wouldn't make a whole lot of since) 10:28 < FirstSgt> 4. is 'remote the ip address of the external internet (the external ip address of the entire home office) 10:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 10:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 10:30 < ecrist> FirstSgt: remote is pretty easy to figure out. It's the address of the vpn server you're connecting to 10:39 < FirstSgt> ecrist: yeah buddy. lol. that would make since. 
but im trying to set up the server .conf file 10:40 < FirstSgt> using the base example static-home.conf 10:40 < ecrist> um, server.conf doesn't use remote, unless you're doing a static key, in which case remote is the other side's IP address 10:40 < FirstSgt> plz dont tell me static-home.conf is the CLIENT conf 10:40 < ecrist> think of both being a server in that case. 10:40 < ecrist> freaky[t]: static-home is both server and client, it's a 1-to-1 vpn 10:41 < FirstSgt> bummer, i will try to locate server.conf in /usr/share/...../examples 10:42 < FirstSgt> found it 10:42 < FirstSgt> man, im dumb 10:42 < FirstSgt> i knew that wasn't enough configuration 10:42 < FirstSgt> i missed it b/c it was gz'd 10:43 < FirstSgt> i coppied all .conf files 10:43 < FirstSgt> Can open VPN be used with windows machines? 10:43 < FirstSgt> as the client 10:43 < ecrist> yes 10:44 < ecrist> you can use windows as the server, if you want 10:44 < ecrist> !win 10:44 < vpnHelper> ecrist: Error: "win" is not a valid command. 10:44 < ecrist> !windows 10:44 < vpnHelper> ecrist: Error: "windows" is not a valid command. 10:44 < ecrist> blah 10:44 < FirstSgt> does the windows client have to have the openvpn client 10:44 < ecrist> there is an installer on the openvpn site 10:44 < ecrist> that question doesn't parse 10:44 < FirstSgt> does the windows client have to have the openvpn client, or can it use the built in vpn connection methods? 10:44 < ecrist> oh, you need the vpn client 10:44 < FirstSgt> Basically I do not know how to specify the port for the windows clients. 10:44 < ecrist> windows VPN is very limited in support 10:45 < FirstSgt> cause 1194 != 1723 10:45 < ecrist> it supports PPTP, iirc 10:45 < FirstSgt> and windows by defaut uses pptp 10:45 < FirstSgt> oh 10:45 < ecrist> openvpn is an ssl-based vpn. PPTP is PPTP 10:45 < ecrist> hence the port difference 10:46 < FirstSgt> yeah, i dont really need ssl.. but hey... 
i cant get pptp to work 10:46 < ecrist> there is a pretty simple to setup windows installer 10:46 < FirstSgt> for openvpn? 10:46 < ecrist> you can even package the installer with all the certificates you need 10:46 < ecrist> yes 10:46 < FirstSgt> no way 10:47 < FirstSgt> thats pretty sick 10:47 < FirstSgt> no wonder this is so complicated. lol 10:48 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sendingn inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum 10:49 < ecrist> FirstSgt: it only seems complicated until you know what you're doing. OpenVPN is extremely full-featured. The down side is that it can be daunting to new users. 10:51 < LowKey> wow latest version 10:51 < dazo> take it easy .... it might come a new one next week :-P 10:51 < LowKey> nice 10:51 < ecrist> I really should get to coding a new bot one of these days 10:52 < FirstSgt> its okay, im not too intemidated ... i'm too young to be. 10:53 < FirstSgt> I am so bumed out... i went through all the trouble of checking the dynamic ip address @ the home office every 20 mins in a chron job & if different submits securly to https://www.mydomain.com/updateip.php?ip=12345&key=xxxxx ... which then takes the file, verifies the sender = ip submitted, ensures that the rotating key is correct (mutating key based on timestamp). the php script writes it to a text file on our corporate server, then a 10:53 < FirstSgt> so, i really hope this works. 10:57 < ecrist> FirstSgt: do you have access to a system with a static IP? 10:57 < FirstSgt> Okay. My home office uses 192.168.1.1 for the router, 192.168.1.100-200 local wireless and wired DHCP assignment.... Now I am to the `server` field. I want VPN'd users to see other computers on the network (NETBIOS). 
So, should I make the server be 192.168.1.1 255.255.255.0 (making the local VPN adapter address 192.168.1.2, and autoassignment to .3, .4 .5 etc...) OR should I make it: server 192.168.2.0 255.255.0.0 (class b subnet to 10:57 < ecrist> if so, set that up as the server 10:58 < ecrist> FirstSgt: first, change that IP range. it's only going to cause headache. 10:59 < FirstSgt> ecrist: can't. im in wa. computers are in dallas. i have remote admin on router & port forwarding setup to shell 11:00 < dazo> FirstSgt: sounds like !route might be able to fill you in on some of your questions .... 11:00 < dazo> !route 11:00 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 11:01 < FirstSgt> lol 11:01 < dazo> FirstSgt: but its a good advice to consider to change the IP range as soon as possible .... at least change the local net to avoid that subnet 11:01 < FirstSgt> yeah. i sure do have lan behind my rout 11:04 -!- nooo [n=nooo@unaffiliated/nooo] has joined ##openvpn 11:04 < nooo> Hithar. 11:06 < nooo> !iporder 11:06 < vpnHelper> nooo: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 11:12 < nooo> Im having issues with my VPN. OpenVPN is installed on my router, I can connect and login from the outside, I get an IP address, but nothing gets routed to/from the VPN interface 11:18 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:19 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:21 < Bushmills> nooo: does it help when you add a route manually? 
11:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 11:21 < nooo> Bushmills: Seemingly not. 11:22 < nooo> !pastebin 11:22 < vpnHelper> nooo: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 11:22 < Bushmills> does that mean, proper routes are in routing table, but traffic still doesn't go to tun interface? 11:23 < nooo> routing table: http://www.pastebin.ca/UDPn4YJm 11:24 < nooo> p/w is nooo 11:24 < nooo> 192.168.1.0 is the external network (DMZ'd in the front-end router) 11:25 < nooo> 42.10.0.0 should be the vpn network 11:25 < ecrist> nooo: that ip range sucks 11:26 -!- ChanServ changed the topic of ##openvpn to: append Don't use 192.168.1.0/24 or 192.168.0.0/24!!!!! 11:26 < ecrist> damn it 11:26 < nooo> lol. 11:26 < |Mike|> "why not" 11:26 < |Mike|> 2009/11/20 17:42:31 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sendingn inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum 11:26 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sendingn inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24!!!!! 11:27 < Bushmills> nooo: where does your 41.10.0.0/26 traffic go to? 11:27 < nooo> there is no such traffic O_o 11:27 < Bushmills> generate some 11:27 < |Mike|> ecrist: sendingn 11:27 < nooo> Bushmills: typo there? 11:28 < |Mike|> at '!redirect for...' 
11:28 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24!!!!! 11:28 < Bushmills> ? 11:28 < Bushmills> 41.10.0.0/26 you use as net for your vpn 11:29 < nooo> should be 42.10.0.0/18 O_O where are you getting that from? 11:29 < Bushmills> so that traffic is supposed to go to tun 11:29 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 11:29 -!- ecrist changed the topic of ##openvpn to: OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) || We need a longer channel topic! 11:29 < LowKey> topic party huh? 11:29 < Bushmills> oh. i though i saw 255.255.255.192 as netmask 11:30 < Bushmills> doesn't matter. 1.10.0.0/26 is within 42.10.0.0/18 11:30 < ecrist> LowKey: naw, I just make typos when I'm having adult beverages. ;) 11:31 -!- nooo [n=nooo@unaffiliated/nooo] has quit [Read error: 104 (Connection reset by peer)] 11:31 < Bushmills> so for testing it is good enough 11:31 < LowKey> ecrist : hahaha it's okey bro. 11:31 < Bushmills> ehm, 42.... 
11:31 -!- nooo [n=nooo@66.152.222.139] has joined ##openvpn 11:31 < nooo> Bah hi. 11:31 -!- chiwawa_42 [n=jerome@reverse-113.fdn.fr] has joined ##openvpn 11:32 < nooo> anyway... it's 42.10.0.0/255.255.192.0 which should be vpn 11:32 < nooo> root@drouter:~ # traceroute 42.10.0.6 11:32 < nooo> traceroute to 42.10.0.6 (42.10.0.6), 30 hops max, 40 byte packets 11:32 < nooo> 1 * * * 11:32 < nooo> they don't seem to go anywhere. 11:33 < Bushmills> right. 41 was typo. 255.255.255.192 instead of 255.255.192.0 was misglimpsed 11:33 < chiwawa_42> Hi ! Is there a know way to do high avaibility with OpenVPN ? I'm actually using OpenVPN tunels to connect some realservers to a LVS/keepalived director group, and would like to move tunnels endpoints if the master director fails, with the least possible impact on the realserver 11:34 < chiwawa_42> question is, how to handle the SSL handshake when changing the master LVS director AND tunnel endpoint ? 11:34 < Bushmills> nooo: tcpdump on server side tun 11:34 < chiwawa_42> can it be transparent to the client nodes (openvpn PoV ? 11:36 < nooo> tcpdump does not pick up the packets at all 11:36 < nooo> when I try to ping a vpn ip 11:37 < nooo> (other than 42.10.0.1) 11:39 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:40 < nooo> wait a tick -_- 11:41 < Bushmills> nooo, is your gateway 42.10.0.2 or 42.10.0.1? 11:41 < Bushmills> i mean, vpn server 11:42 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 11:43 < nooo> ifconfig: http://www.pastebin.ca/W2Xklv5d (pw nooo) 11:44 -!- soisf [n=sdf@78.147.91.35] has joined ##openvpn 11:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:44 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:45 < Bushmills> try to change gateway in routing table entry 42.10.0.0       42.10.0.2       255.255.192.0   UG    0      0        0 tun0 to 41.10.0.1 11:45 < Bushmills> ehm... 42... 
11:46 < Bushmills> (or to p2p address of client) 11:49 < nooo> root@drouter:~ # route add -net 42.10.0.0 gw 42.10.0.2 netmask 255.255.192.0 tun0 11:49 < nooo> SIOCADDRT: Network is unreachable 11:53 < Bushmills> route add client_p2p tun0 ; route add -net 42.10.0.0 netmask 255.255.192.0 gw client_p2p tun0 # assuming other tun0 routes have been removed 11:55 < nooo> root@drouter:~ # route add -net 42.10.0.0 netmask 255.255.192.0 gw 42.10.0.6 tun0 11:55 < nooo> SIOCADDRT: Network is unreachable 11:56 -!- vosdj [n=sdf@89.240.38.70] has quit [Read error: 110 (Connection timed out)] 11:56 < nooo> I was able to add the network using 42.10.0.1 as the gateway 11:56 < nooo> but still does not route accordingly 11:57 < ecrist> foo 12:01 * nooo facepalms 12:05 < Hypnoz> I just joined so i'm not sure your network topology, but you don't need to add a route on the router to a network is knows how to route to already. the router has an interface with a presence on 42.10.0.0 12:06 < Hypnoz> if your router is your openvpn server, then no route needed. if your openvpn server is different, then you need to add a route to that network pointing to the eth0 of your openvpn server 12:07 < Hypnoz> having tun0 in the route add command means you're doing something wrong. 12:08 < Hypnoz> sudo route add -net 42.10.0.0 netmask 255.255.192.0 gw 12:08 -!- mario__ [n=mario@projekte.imos.net] has joined ##openvpn 12:08 < mario__> Hi! 12:08 < Hypnoz> or just create a route to that network pointing to eth0 on your router if you have one, and you won't have to create any static routes 12:09 < mario__> this is clearly a Certificate issue and no firewall problem, right? http://pastebin.com/d16b5a4e7 (Client log) 12:10 < Bushmills> Hypnoz: he's trying to fix routing *on* the router 12:11 < Hypnoz> ok, then he needs to point the 42.10.0.0 route to eth0 of the openvpn server 12:11 < mario__> anyone? 12:11 < dazo> mario__: ask you question, and you'll get some answers .... 
we're quite simple in that regard here 12:12 < Hypnoz> he asked already... 12:12 < dazo> heh 12:12 < dazo> sorry! 12:12 * dazo should learn not to skip every other irc line :-P 12:12 < Hypnoz> mario__: did you go through all the initial steps of creating the ca.crt and diffie helman and all that? 12:13 < nooo> Hypnoz: after following your suggestion: http://www.pastebin.ca/ZcLJTsMd (pw nooo) 12:13 < Hypnoz> so your router is a linux computer 12:13 < nooo> Indeed 12:14 < nooo> IPCop to be exact 12:14 < dazo> mario__: a log with --verb 4 ... including the beginning of the log file makes it also easier to help you out .... but the first line in your pastebin worries me .... 12:14 < Hypnoz> and openvpn is installed on the router? 12:14 < dazo> mario__: and on line 21 you have your main issue 12:14 < nooo> Hypnoz: I followed the directions on this site to set up my OpenVPN: http://www.mikestechblog.com/joomla/networking-section/ipcop/67-vpn-with-an-ipcop-firewall-in-windows-xp.html 12:14 < vpnHelper> Title: VPN with an IPcop firewall in a windows XP network (at www.mikestechblog.com) 12:15 < Hypnoz> you installed openvpn on the "drouter" though right? 12:15 < nooo> Correct, the router's name is drouter 12:16 < mario__> dazo: well...i love openvpn but in this case i am only the firewall admnistrator and the client wants to blame that my firewall block some packets...and i keep telling him its a TLS issue :) 12:16 < mario__> so i just wanted to make sure its not a firewall issue :) 12:16 < dazo> mario__: this is definitely not a firewall issue 12:16 < Hypnoz> what is the default gateway IP of other systems on the network? 12:16 < mario__> thank you! :) 12:17 < Hypnoz> 192.168.1.1 or 42.1.0.1 12:17 < Hypnoz> it appears you have 2 routers 12:22 < nooo> Yeah 12:23 < nooo> 192.168.1.1 is the main router that's required by the ISP, the "real" router is 42.1.0.1 which is DMZ's in the main router. 
12:23 < nooo> Internet -> 192.168.1.1 -> 42.1.0.1 -> Internal networks 12:25 < mario__> bye 12:25 -!- mario__ [n=mario@projekte.imos.net] has quit ["Ex-Chat"] 12:36 < nooo> (OpenVPN is running on 42.1.0.1 obviously) 12:43 -!- chiwawa_42 [n=jerome@reverse-113.fdn.fr] has quit [Read error: 60 (Operation timed out)] 12:44 -!- chiwawa_42 [n=jerome@reverse-113.fdn.fr] has joined ##openvpn 13:10 < nooo> Hypnoz: thoughts? XD 13:12 < Hypnoz> what gateway ip are the systems pointing to 13:12 < Hypnoz> 42.1.0.1? 13:14 < nooo> internal network systems on 42.1.0.0 point to 42.1.0.1 as the gateway 13:16 < Hypnoz> then you don't need any "route add" commands on the IPcop router because it already knows about all networks 13:16 < Hypnoz> what OS and client are you using to connect? 13:16 < nooo> Windows 7 13:17 < nooo> OpenVPN GUI (openvpn.se) 13:18 < Hypnoz> on that, can you run ipconfig and see what the tun0 ip is? is it on the 42.10.0.0 network 13:18 < Hypnoz> can it ping 42.10.0.1 13:18 < nooo> The client currently has the IP 42.10.0.6 and cannot ping 42.10.0.1 13:18 < Hypnoz> its possible you need to start the openvpn client app on windows7 by right click -> run as administrator 13:18 < Hypnoz> or turn off user access control 13:19 < nooo> It's running as a service as administrator 13:20 < Hypnoz> can you right click on the vpn app in the tray by the clock and click "show log" 13:20 < nooo> wait a tic... 
13:21 < Hypnoz> pinging the vpn server after you connect should work without issues if you're able to connect
13:21 < Hypnoz> surprising you can connect but that doesn't work
13:23 -!- janeNarak [n=jane@2001:3c8:c103:a001:21a:92ff:fe09:bef5] has quit [Read error: 60 (Operation timed out)]
13:24 < nooo> Yeah still cant ping
13:24 < nooo> i'll pastebin the log
13:26 -!- BugDave [n=macks@unaffiliated/mackss] has quit [Read error: 104 (Connection reset by peer)]
13:27 < nooo> Client log after connecting: http://www.pastebin.ca/IA2wvEUa (pw nooo; Public IP masked)
13:27 -!- ErickG [n=ErickG@190.120.0.138] has quit [Read error: 110 (Connection timed out)]
13:27 -!- BugDave [n=macks@unaffiliated/mackss] has joined ##openvpn
13:38 < nooo> I have no idea why its adding routes to 42.10.0.4, 42.10.0.6, 42.10.0.7 on the client.
13:38 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has joined ##openvpn
13:39 < Hypnoz> I think you are running a bad version of the openvpn client
13:39 < Hypnoz> http://openvpn.net/index.php/open-source/downloads.html
13:39 < vpnHelper> Title: Downloads (at openvpn.net)
13:40 < Hypnoz> grab the top one, OpenVPN 2.1_rc22
13:40 < Hypnoz> 2.0.9 is old. last version was released in 2006
13:40 < ecrist> 2.0.9 is still stable, however
13:47 -!- BugDave [n=macks@unaffiliated/mackss] has quit [Read error: 110 (Connection timed out)]
13:48 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn
13:49 * nooo facepalms, hard.
13:49 < nooo> works now.
13:49 < Hypnoz> woot!
13:50 < Hypnoz> they should take 2.0.9 off the download page imo, i've seen a few people get that one by mistake and not understand why things are broken
13:50 < Hypnoz> i'm not sure who is meant to have that version
13:50 < nooo> now I've gotta reboot the router to reset the routes lol
13:51 < Hypnoz> nah you can remove them just as easily as adding them
13:51 < Hypnoz> instead of route add its like route del or something
13:51 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
13:51 < Hypnoz> man route should help you
13:52 < nooo> I'd rather just reset it to make sure it works with settings provided in config
13:52 < nooo> there goes my uptime record :<
13:52 < Hypnoz> don't do it you crazy bastard. think of the kids!
13:54 < nooo> router takes a long time to restart :S
13:54 < nooo> Oh its back up nvm :D
13:55 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn
13:55 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 104 (Connection reset by peer)]
13:55 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn
13:55 < nooo> not passing packets between networks now :S
13:56 -!- janeNarak [n=jane@2001:3c8:c103:a001:21a:92ff:fe09:bef5] has joined ##openvpn
13:56 < Hypnoz> did you push the routes to the other networks in your server.conf file
13:57 < Hypnoz> right click the openvpn client app at the bottom right corner and click "show log"
13:57 < Hypnoz> make sure the routes got pushed correctly
13:58 < Hypnoz> maybe they will complain about permissions, then you have to either turn off user access control, or right click the client app and select "run as administrator"
13:58 < nooo> I've run it as administrator
13:58 < nooo> seems like I didnt set openvpn server to pass between networks
13:58 < Hypnoz> it does that automatically by having an interface on the networks
13:59 < Hypnoz> but you do need to push the routes in server.conf if you haven't
13:59 < Hypnoz> oh, maybe you're right about IPv4_forward
13:59 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has joined ##openvpn
14:01 < nooo> push "route 42.1.0.0 255.255.192.0" exists in server.conf already
14:01 < Hypnoz> on the router, cat /proc/sys/net/ipv4/ip_forward
14:01 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
14:02 < Hypnoz> is it 1 or 0
14:02 < nooo> returns 1
14:02 < ecrist> for any who care, channel stats are being updated again, finally
14:02 * nooo jumps for joy
14:02 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has joined ##openvpn
14:02 < Hypnoz> i can finally sleep tonight
14:03 < Hypnoz> i was so worried i can't even tell you
14:03 < ecrist> note the part, 'for any who care'
14:03 < Hypnoz> i would defecate myself at random because of the stress and confusion
14:03 < ecrist> that being said, go fuck yourself.
14:03 < Hypnoz> "what are #openvpn channel stats?!?!" *craps everywhere*
14:41 < nooo> Hmmm... I can ping 42.10.0.1 from the client, I can ping the client from the router, but I cant ping anything cross-network
14:43 < nooo> and there's some really strange entries I dont understand in routing table on client
14:44 < dazo> nooo: cross network troubles .... that's always either firewall and/or routing issues .... and many forget to check if ip_forwarding is enabled on their openvpn server
14:45 < nooo> Route table on client: http://www.pastebin.ca/IwAocNiP (pw nooo)
14:46 < nooo> some things I dont understand are why there are entries for 42.10.0.4 and 42.10.0.7 in the routing table
14:47 < nooo> and why 42.10.0.4 in the routing table has a mask of 255.255.255.252
14:47 < nooo> and why is it setting the gateway to 42.10.0.5
14:49 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
14:50 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has joined ##openvpn
14:52 -!- soisf [n=sdf@78.147.91.35] has quit [Read error: 110 (Connection timed out)]
14:56 < dazo> nooo: that route only defines the p-t-p route .... with tun (which uses point-to-point) such routes are normal
14:57 < dazo> the other side will then have a similar route, but for the 42.10.0.0/255.255.255.252 net ... and openvpn routes the traffic between these two network segments
15:01 < nooo> OK from the client I can now ping the router's internal IP (42.1.0.1) but not one of the computers on that network (42.1.1.1)
15:12 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:17 -!- BugDave1 [n=macks@c-68-40-90-137.hsd1.mi.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
15:17 -!- reactor16 [n=Reactor1@41.105.62.233] has joined ##openvpn
15:17 < reactor16> configure: error: OpenSSL Crypto headers not found.
15:19 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
15:22 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:29 -!- reactor16 [n=Reactor1@41.105.62.233] has quit [Read error: 145 (Connection timed out)]
15:29 < nooo> http://www.pastebin.ca/QS5lWyws (pw nooo)
15:36 -!- dazo is now known as dazo_afk
15:38 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
15:47 -!- krzy is now known as krzee
15:47 -!- krzee [i=nobody@hemp.ircpimps.org] has quit ["Leaving"]
15:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:48 < nooo> It wont go past the router >.< what am I missing
15:49 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
15:58 < krzee> prolly a route on the router
15:58 < krzee> as explained under the picture here:
15:58 < krzee> !route
15:58 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:02 -!- chiwawa_42 [n=jerome@reverse-113.fdn.fr] has quit ["Leaving"]
16:03 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
16:10 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
16:28 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
16:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
16:55 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
17:13 -!- cyrus_mc [n=cyrus@c-24-21-18-104.hsd1.or.comcast.net] has joined ##openvpn
17:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
18:06 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
18:34 -!- master_of_master [i=master_o@p549D7C86.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:37 < FirstSgt> Okay, I think I have a pretty standard home-office setup... My home office uses 192.168.1.1 for the router, 192.168.1.100-200 local wireless and wired DHCP assignment.... Now I am to the `server` field. I want VPN'd users to see other computers on the network (NETBIOS). So, should I make the server be 192.168.1.1 255.255.255.0 (making the local VPN adapter address 192.168.1.2, and autoassignment to .3, .4 .5 etc...) OR should I make
18:38 -!- master_of_master [i=master_o@p549D489C.dip.t-dialin.net] has joined ##openvpn
18:42 -!- flaif [n=irc@d207-81-97-202.bchsia.telus.net] has joined ##openvpn
18:42 < FirstSgt> basically I think i can leave the default server configurations, then use the 'push' area of the config.
18:43 < flaif> Can I get a total byte count (sent/received) in the openvpn server log when openvpn clients terminate?
18:54 < flaif> Nevermind, I see I need a script.
18:56 < Hypnoz> FirstSgt, I would make a separate subnet on the vpn server for vpn clients and push the route. You also have to put the route in your router to the vpn network pointed to eth0 on your vpn server as the gateway.
18:57 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
19:09 -!- nick [n=boran@unaffiliated/nick] has quit [Remote closed the connection]
19:16 < Bushmills> flaif: a dummy iptables rule per client can do that, together with a (server side) connect/disconnect script, to add rule, and write total to log and remove it)
19:35 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Remote closed the connection]
19:43 -!- cyrus_mc [n=cyrus@c-24-21-18-104.hsd1.or.comcast.net] has quit ["leaving"]
19:51 < flaif> Bushmills: I found that $bytes_received/sent are available env variables from ovpn, but yes I must use a script.
19:54 -!- vosdj [n=sdf@89.243.41.203] has joined ##openvpn
19:55 < Bushmills> oh, right. I was thinking of the iptables solution because it also allows continuous traffic amount plotting through graphing frameworks like munin
20:06 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Sebb, vosdj, fkr_
20:08 -!- Sebb [n=sebastia@einstein.f0o.de] has joined ##openvpn
20:08 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
20:08 -!- vosdj [n=sdf@89.243.41.203] has joined ##openvpn
20:08 -!- fkr_ [i=fkr@news.bytemine.net] has joined ##openvpn
20:08 -!- fkr_ [i=fkr@news.bytemine.net] has quit [Remote closed the connection]
20:11 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
20:13 -!- flaif [n=irc@d207-81-97-202.bchsia.telus.net] has left ##openvpn []
20:34 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
20:36 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:44 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
20:54 < FirstSgt> Awesome, I think the server is running.
20:55 < FirstSgt> The client is pumping out this error: Options error: Unrecognized option or missing parameter(s) in client.ovpn:16: client1 (2.1_rc22)
20:55 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 110 (Connection timed out)]
20:55 < FirstSgt> Use --help for more information.
20:56 < FirstSgt> nvm, i got it.
21:23 -!- ErickG [n=ErickG@190.87.254.49] has joined ##openvpn
21:31 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: vosdj
21:34 -!- vosdj [n=sdf@89.243.41.203] has joined ##openvpn
21:41 < FirstSgt> If my LAN at work is 192.168.1.1-255 and my home address is 192.1.1.1-255, both have gateway of 192.168.1.1... and I want them to "SEE" each other, would I do something like: push "route 192.168.1.0 255.255.255.0" and: push "route 192.168.2.0 255.255.255.0" (assuming .2 is my VPN address pool) ?
21:43 < FirstSgt> This is my server configuration: http://www.pastie.org/private/o7yqfgjng2ctp2i26z8l8a
21:57 < Bushmills> you might be better off changing at least one network to a different net
21:58 < Bushmills> otherwise, routing will easily be confused by what packets need to be routed, and which ones don't
21:58 < Bushmills> ehm. 192.1.1.1?
21:59 < Bushmills> that's not an rfc1918 address. bad choice.
22:22 -!- ErickG [n=ErickG@190.87.254.49] has left ##openvpn []
22:39 -!- jeiworth [n=jeiworth@189.163.146.105] has joined ##openvpn
22:44 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"]
23:01 -!- todd [n=todd_dsm@zerver.ptest.us] has quit [Nick collision from services.]
23:03 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
23:46 -!- vosdj [n=sdf@89.243.41.203] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Nov 21 2009
00:14 -!- jeiworth_ [n=jeiworth@189.163.144.206] has joined ##openvpn
00:32 -!- jeiworth [n=jeiworth@189.163.146.105] has quit [Read error: 110 (Connection timed out)]
00:37 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
00:47 -!- jeiworth [n=jeiworth@189.163.132.127] has joined ##openvpn
00:50 -!- jeiworth_ [n=jeiworth@189.163.144.206] has quit [Read error: 110 (Connection timed out)]
00:56 -!- jeiworth_ [n=jeiworth@189.163.169.63] has joined ##openvpn
01:02 -!- jeiworth [n=jeiworth@189.163.132.127] has quit [Read error: 145 (Connection timed out)]
01:14 -!- jeiworth [n=jeiworth@189.163.184.194] has joined ##openvpn
01:21 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
01:21 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Nick collision from services.]
01:21 -!- hyper__ch is now known as hyper_ch
01:26 -!- jeiworth_ [n=jeiworth@189.163.169.63] has quit [Read error: 110 (Connection timed out)]
01:26 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
01:27 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
02:01 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
02:02 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
02:06 -!- jeiworth_ [n=jeiworth@189.163.180.163] has joined ##openvpn
02:09 -!- vosdj [n=sdf@92.24.98.45] has joined ##openvpn
02:17 -!- jeiworth__ [n=jeiworth@189.163.132.47] has joined ##openvpn
02:24 -!- jeiworth [n=jeiworth@189.163.184.194] has quit [Read error: 110 (Connection timed out)]
02:28 -!- jeiworth [n=jeiworth@189.163.132.240] has joined ##openvpn
02:28 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
02:29 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
02:30 -!- jeiworth_ [n=jeiworth@189.163.180.163] has quit [Read error: 110 (Connection timed out)]
02:31 -!- vosdj [n=sdf@92.24.98.45] has quit [Read error: 110 (Connection timed out)]
02:36 -!- gallatin [n=gallatin@188.109.156.219] has joined ##OpenVPN
02:45 -!- jeiworth__ [n=jeiworth@189.163.132.47] has quit [Read error: 110 (Connection timed out)]
02:55 -!- nubi [n=nubi@217.86.125.7] has joined ##openvpn
02:56 < nubi> morning ....
02:56 < nubi> i have some questions about openvpn .... anyone awake?
02:56 -!- janeNarak [n=jane@2001:3c8:c103:a001:21a:92ff:fe09:bef5] has left ##openvpn ["Ex-Chat"]
02:58 < reiffert> hi
02:59 < reiffert> nubi: is that you, the nubi from mainz?
02:59 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
02:59 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Nick collision from services.]
02:59 < nubi> a friend of mine wants to use my internet connection. he is from china and lots of pages are blocked. (like youtube etc.). i have openvpn running here and it is working well. how can i manage it so that my friend could use my internet connection but should not be able to connect to my whole lan like samba etc
02:59 < nubi> sry no ...
03:00 < nubi> i just used some "brainstormed" nick ;)
03:00 < nubi> but i am also close to mainz
03:00 < reiffert> Saarbruecken?
03:00 < nubi> ramstein
03:01 < reiffert> Ah :)
03:01 < reiffert> well, basically you'll have to follow the howto for a routed setup.
03:01 < nubi> uih
03:02 < nubi> can we speak German
03:02 < reiffert> after that, you can take care of your LAN with the help of firewalling.
03:02 < nubi> or is that rude ;)
03:02 < reiffert> !howto
03:02 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:03 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
03:04 < nubi> hmm ok for sure i can read all that but i still dont know what the best solution is
03:04 < nubi> because i am a newbie
03:04 < nubi> and i dont know all the "scientific terms"
03:05 < nubi> in it
03:05 < nubi> thats why i connect to the irc
03:05 < reiffert> we are borg and you have to follow that fricking howto.
03:06 < nubi> so what is this openvpn irc usually used for?
03:07 < reiffert> solving particular problems around openvpn.
03:08 < nubi> thats what i have ... a particular problem
03:10 -!- nubi [n=nubi@217.86.125.7] has quit ["http://irc2go.com/"]
03:10 < reiffert> wtf
03:17 < krzee> haha
03:25 -!- jeiworth_ [n=jeiworth@189.234.96.235] has joined ##openvpn
03:34 < reiffert> please dont help me, I'm a newbie, I dont know anything about openvpn, so please dont help me?
03:36 -!- jeiworth__ [n=jeiworth@189.163.149.147] has joined ##openvpn
03:40 -!- jeiworth [n=jeiworth@189.163.132.240] has quit [Read error: 110 (Connection timed out)]
03:50 -!- jeiworth_ [n=jeiworth@189.234.96.235] has quit [Read error: 110 (Connection timed out)]
03:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
04:10 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
04:33 -!- vosdj [n=sdf@78.146.88.75] has joined ##openvpn
04:38 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
04:40 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
04:40 -!- hyper__ch is now known as hyper_ch
04:57 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
04:59 < Bushmills> for otherwise helpless people: http://tinyurl.com/setup-openvpn
04:59 < vpnHelper> Title: Let me google that for you (at tinyurl.com)
05:03 -!- jeiworth [n=jeiworth@189.163.179.193] has joined ##openvpn
05:03 -!- jeiworth [n=jeiworth@189.163.179.193] has quit [Read error: 104 (Connection reset by peer)]
05:06 -!- jeiworth__ [n=jeiworth@189.163.149.147] has quit [Read error: 145 (Connection timed out)]
05:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:00 -!- Morten [n=user@4.81-167-31.customer.lyse.net] has joined ##openvpn
06:03 < Morten> If i want openvpn to behave a little like hamachi, should i use tunnel or bridge on server?
06:23 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Connection reset by peer]
06:23 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
06:25 -!- Morten [n=user@4.81-167-31.customer.lyse.net] has quit ["•NeXtGenIRC• http://www.nextgenirc.net"]
06:49 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
06:49 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
06:53 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
06:53 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
07:00 -!- teddymills [n=teddy@208.92.235.227] has quit [SendQ exceeded]
07:00 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
07:00 -!- Rolybrau [n=Rolybrau@83.79.148.150] has joined ##openvpn
07:02 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
07:02 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Nick collision from services.]
07:02 -!- hyper__ch is now known as hyper_ch
07:05 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
07:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:09 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
07:13 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
07:14 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
07:34 -!- gallatin [n=gallatin@188.109.156.219] has quit ["Client exiting"]
07:50 -!- RyuKojiro [n=nnnnkoji@r74-192-66-53.vctrcmta01.vctatx.tl.dh.suddenlink.net] has quit [Read error: 113 (No route to host)]
08:40 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Remote closed the connection]
08:42 -!- hyper_ch [n=hyper@84.226.22.248] has joined ##openvpn
09:21 -!- jeiworth [n=jeiworth@189.163.175.161] has joined ##openvpn
09:45 -!- jeiworth_ [n=jeiworth@189.163.144.3] has joined ##openvpn
09:59 -!- jeiworth__ [n=jeiworth@189.163.148.232] has joined ##openvpn
10:00 -!- jeiworth [n=jeiworth@189.163.175.161] has quit [Read error: 110 (Connection timed out)]
10:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
10:11 -!- jeiworth_ [n=jeiworth@189.163.144.3] has quit [Read error: 110 (Connection timed out)]
10:15 -!- soisf [n=sdf@92.27.160.246] has joined ##openvpn
10:18 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:18 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Client Quit]
10:19 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
10:21 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
10:27 -!- vosdj [n=sdf@78.146.88.75] has quit [Read error: 110 (Connection timed out)]
10:55 -!- jeiworth [n=jeiworth@189.163.142.137] has joined ##openvpn
10:59 -!- Morten [n=user@4.81-167-31.customer.lyse.net] has joined ##openvpn
11:00 < Morten> i'm wondering if anyone can help me to get connection from clients to server? Or is it even possible? I'm running bridged mode.
11:01 < Morten> the server is running ventrilo also, and i cant get a connection
11:04 < Morten> oh, i'm using ubuntu server
11:07 -!- jeiworth__ [n=jeiworth@189.163.148.232] has quit [Connection timed out]
11:10 < Morten> i can't get ping from server to client or client to server over the vpn
11:23 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["brb"]
11:30 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
11:54 -!- jeiworth_ [n=jeiworth@189.163.181.19] has joined ##openvpn
11:55 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
11:57 -!- jeiworth [n=jeiworth@189.163.142.137] has quit [Read error: 145 (Connection timed out)]
12:08 -!- datruth [i=scott@2001:470:c045:1:5:30:10:3] has left ##openvpn []
12:15 -!- jeiworth_ [n=jeiworth@189.163.181.19] has quit [Connection timed out]
12:18 -!- Morten [n=user@4.81-167-31.customer.lyse.net] has quit ["•NeXtGenIRC• http://www.nextgenirc.net"]
12:50 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
13:10 -!- vosdj [n=sdf@92.24.91.110] has joined ##openvpn
13:22 -!- soisf [n=sdf@92.27.160.246] has quit [Read error: 110 (Connection timed out)]
13:27 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
13:29 -!- soisf [n=sdf@89.243.34.81] has joined ##openvpn
13:29 -!- vosdj [n=sdf@92.24.91.110] has quit [Read error: 60 (Operation timed out)]
13:29 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
13:56 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
13:58 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
16:38 -!- iElectric [n=ie@84-255-194-155.static.t-2.net] has joined ##openvpn
16:38 < iElectric> hey
16:38 < iElectric> !iporder
16:38 < vpnHelper> iElectric: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
16:38 < iElectric> !interface
16:38 < vpnHelper> iElectric: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
16:40 < iElectric> any idea why I get this error: http://paste2.org/p/526577
16:42 -!- Guest37985 [n=matt@78.33.94.93] has joined ##openvpn
16:42 < Guest37985> hi all has anyone here got any experience of adito/ssl-explorer/openvpn als?
16:43 < Guest37985> I have a problem with the active directory integration and have tried on the adito channel but doesn't seem to be very active, not sure where else i can get support for it
16:48 -!- iElectric [n=ie@84-255-194-155.static.t-2.net] has quit ["Leaving"]
16:49 -!- CoffeeIV_ [n=CoffeeIV@99.66.63.225] has joined ##openvpn
16:50 < CoffeeIV_> I am getting this error on a windows openvpn client that is for some reason not connecting: "Sat Nov 21 16:39:42 2009 TCP/UDP: Incoming packet rejected from x.x.x.x:1024[2], expected peer address: x.x.x.x:1194 (allow this incoming source address/port by removing --remote or adding --float)"
16:51 < CoffeeIV_> I don't understand where the port 1024 came from
16:51 < CoffeeIV_> does anyone recognize that error ?
16:52 < krzie> nah thats interesting
16:52 < krzie> !configs
16:52 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:53 < CoffeeIV_> ok
16:55 < CoffeeIV_> I got it working by using --float on the client. I have no idea what that means though.
17:31 < CaBa> CoffeeIV_: great idea! make sure you never ever read the manual!
17:42 < krzie> LOL
17:42 < krzie> first time i've seen you here CaBa but i like you already
17:50 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
17:50 < scyld> !redirect
17:50 < vpnHelper> scyld: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
17:51 < scyld> !iporder
17:51 < vpnHelper> scyld: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
18:25 -!- vosdj [n=sdf@92.24.81.150] has joined ##openvpn
18:30 -!- soisf [n=sdf@89.243.34.81] has quit [Read error: 60 (Operation timed out)]
18:34 -!- master_of_master [i=master_o@p549D489C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:34 < scyld> Hello. I've got a strange problem with VPN (topology : http://wklej.org/hash/12f782b04f/). Everything works fine besides 'client1' can't reach 'server1'. It looks like they can't get arp replies for each other. Anybody have an idea what could be wrong?
18:34 < vpnHelper> Title: wklej.org - wklejka nr 212352 (at wklej.org)
18:36 < reiffert> scyld: does client2 get server1's MAC address?
18:36 < scyld> All other clients, servers, gateways can reach each other, but not client1 and server1 :\
18:36 < scyld> reiffert: yes, I can connect from client2, localgw, rootgw to server1.
18:37 < scyld> heh I can connect from client1 to server2, localgw, rootgw, but not to server1.
18:37 < reiffert> whats the difference between client1 and client2?
18:37 < reiffert> (fix that)
18:37 -!- master_of_master [i=master_o@p549D548B.dip.t-dialin.net] has joined ##openvpn
18:38 < scyld> none
18:39 < reiffert> diff -Naur /mnt/client1 /mnt/client2
18:41 < scyld> only cert, key, tls-auth different. But why can I connect to server2 from client1?
18:49 < scyld> apparently arp replies from client1 reach server1 but not the other way. And even though server1 has the mac address of client1 there are no IP packets going to client1 from server1. Damn, what is that?
18:53 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["echh..."]
18:59 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn
19:00 < scyld> heh after rebooting client1 it can reach server1... mystery...
19:00 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
19:01 < scyld> if someone could explain that to me, echh...
19:26 < krzie> my guess is windows is involved
19:26 < krzie> explanation: windows sucks
19:30 < scyld> nope... linux is involved everywhere
19:30 < krzie> o
19:31 < krzie> ya i dunno, i dont use bridge mode
19:31 < krzie> in fact, whats your reason for using it?
19:31 < scyld> btw, question about bridging. Do bridged interfaces → tap0, eth0 have to be brought up with promisc flag?
19:32 < scyld> krzie: U talking to me?
19:32 < krzie> yes
19:32 < scyld> where did I say I'm bridging?
19:33 < scyld> (skip what I said about promisc flag :P)
19:33 < krzie> you mentioned arp
19:33 < krzie> flowing over the vpn
19:37 < scyld> that doesn't mean bridging. But yes, I do use it. Why? For STP, so clients from lans behind localgws can reach other clients behind other gws and even mobile users could do that connecting to any localgw they can reach and have the same IP address.
19:43 < scyld> Basic local gateway (in nonlocal division) is a VPN client (tap0) do root gateway in HQ, a VPN server for mobile users (tap1) and a gateway for local lan (eth) – all bridged as br0.
19:43 < scyld> s/do root/to root/
19:47 < scyld> In local lans there are usually workstations, but there are servers also. And there is a need to give access from workstation X to server Y or even to workstation Z. Simplest way is to bridge all this together as one big ethernet segment :>
19:54 -!- Guest37985 [n=matt@78.33.94.93] has quit ["leaving"]
19:55 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: vosdj, todd_dsm
19:57 -!- Netsplit over, joins: vosdj, todd_dsm
20:00 < krzie> hrm
20:00 < krzie> i doubt you'll see good efficiency from that setup
20:00 < krzie> but ya you dont have to fully understand routing to set that up that way
20:00 < krzie> the alternative method you would need to
20:01 < scyld> and how would you set it up?
20:01 < krzie> !route
20:01 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
20:01 < krzie> theres my guide on connecting lans
20:02 < krzie> if you understand that guide, you'll know how to modify your setup for those needs without needing layer2
20:08 < scyld> heh but there are only lans in the guide, how about mobile users? They are moving from lan to lan and even connect from home etc. And what if I want to move a server from one lan to another. I just move it, nothing changes ;)
20:10 < scyld> and I see no impact on performance.
20:10 < scyld> but something sometimes doesn't work mysteriously ;-)
20:15 < krzie> road warriors work fine on that sort of setup assuming no conflicting subnets
20:15 < krzie> for example, if your lans are not on common-subnets
20:16 < krzie> moving server from 1 to another is also no problem
20:16 < krzie> since it will then have an ip on the new lan, makes no difference
20:17 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
20:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
20:17 < krzie> the guide is not a walkthrough, its just for understanding what those commands do so you can make any routing setup you like
20:17 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:20 -!- soisf [n=sdf@84.13.184.49] has joined ##openvpn
20:24 < scyld> I understand. But, look, a road warrior can be in any lan, every time will be in a different /24 (for instance). I have to let him through firewalls from each lan to places it is allowed to. If I use bridging that warrior has always the same IP and always the same access and if that setup grows, I don't have to reconfigure firewalls each time. Simplicity :>
20:28 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:29 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
20:29 -!- vosdj [n=sdf@92.24.81.150] has quit [Read error: 110 (Connection timed out)]
20:32 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: todd_dsm
20:33 -!- Netsplit over, joins: todd_dsm
20:39 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:39 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
20:39 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
20:40 -!- tessier [n=treed@kernel-panic/sex-machines] has left ##openvpn []
20:48 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: darkwind, rooth, Rolybrau, hyper_ch, mrnice1, nooo, LobbyZ
20:48 -!- hyper__ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has joined ##openvpn
20:48 -!- hyper__ch is now known as hyper_ch
20:49 -!- Netsplit over, joins: Rolybrau, nooo, LobbyZ, rooth, darkwind, mrnice1
20:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
21:00 -!- soisf [n=sdf@84.13.184.49] has quit []
21:01 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: darkwind, rooth, Rolybrau, mrnice1, nooo, LobbyZ
21:03 -!- Netsplit over, joins: rooth
21:03 -!- Netsplit over, joins: Rolybrau, LobbyZ, darkwind, mrnice1
21:04 -!- darkwind [n=darkwind@64.71.152.247] has quit [Read error: 131 (Connection reset by peer)]
21:05 -!- LobbyZ` [n=default@Woet.lobbyzffs.com] has joined ##openvpn
21:05 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit ["leaving"]
21:07 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has quit [SendQ exceeded]
21:07 -!- LobbyZ [n=default@217.18.70.127] has quit [Connection timed out]
21:07 -!- LobbyZ` is now known as LobbyZ
21:08 -!- darkwind [n=darkwind@64.71.152.247] has joined ##openvpn
21:10 -!- mrnice1 [i=bouncer@77.244.250.141] has joined ##openvpn
21:15 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:29 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
21:31 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Success]
21:31 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
21:46 < krzie> scyld, you can update your firewall automagically by using one of openvpn's hooks for external scripts
21:46 < krzie> based on common name
21:46 < krzie> since you sound like you have a nice sized network, youd make categories for each group, then simply add new users to their config file
21:47 < krzie> you could optionally have the script give them static ips as well
21:47 < krzie> see --client-config
21:47 < krzie> err
21:47 < krzie> --client-connect
21:47 < krzie> time for me to go, bbl
21:53 -!- PiJi` [n=PiJi@rhizome.olf.sgsnet.se] has joined ##openvpn
21:53 < PiJi`> !howto
21:53 < vpnHelper> PiJi`: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:32 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
22:36 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 131 (Connection reset by peer)]
22:36 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:39 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
22:40 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:41 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
22:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:57 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
23:26 -!- hyper_ch [n=hyper@adsl-84-226-22-248.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
23:28 -!- hyper_ch [n=hyper@84.226.54.151] has joined ##openvpn
23:53 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
--- Day changed Sun Nov 22 2009
00:26 -!- tjz [n=tjz@unaffiliated/tjz]
has quit [Client Quit] 00:31 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 00:32 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 00:32 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 00:39 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 00:42 -!- corretico__ [n=laguilar@201.201.46.106] has left ##openvpn ["Leaving"] 00:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 00:44 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: Rolybrau, hyper_ch, mrnice1, todd_dsm 00:44 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit] 00:44 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 00:45 -!- Netsplit over, joins: Rolybrau, hyper_ch, mrnice1 00:45 -!- hyper_ch [n=hyper@84.226.54.151] has quit [Connection reset by peer] 00:45 -!- hyper__ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has joined ##openvpn 00:45 -!- hyper__ch is now known as hyper_ch 00:53 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"] 00:54 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 00:58 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)] 01:02 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 01:11 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 01:30 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 110 (Connection timed out)] 03:20 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 145 (Connection timed out)] 03:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 04:26 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Success] 04:26 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn 05:05 -!- drue [n=drue@stiff.therub.org] has quit [Remote closed the connection] 05:05 -!- drue [n=drue@64.251.23.23] has joined ##openvpn 05:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined 
##openvpn 05:39 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 05:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:53 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 05:54 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 05:56 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 06:17 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 06:17 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn 06:31 -!- xenophile7x7_ [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 06:31 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)] 06:43 -!- hyper__ch [n=hyper@84.226.54.151] has joined ##openvpn 06:43 -!- hyper_ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has quit [Nick collision from services.] 06:43 -!- hyper__ch is now known as hyper_ch 06:52 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 07:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 07:29 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has joined ##openvpn 07:45 < a|3x> would anyone care to explain to me how private routing works, i can't seem to understand the concept? 
07:58 < a|3x> never mind
08:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:13 < Bushmills> http://lmgtfy.com/?q=openvpn%20"private%20routing"
08:14 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
08:19 < a|3x> ye ye, it wasn't too hard
08:23 < Bushmills> should actually have been http://lmgtfy.com/?q=openvpn%20%22private%20routing%22
08:23 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
08:45 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
09:05 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:23 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
09:37 -!- PiJi` [n=PiJi@rhizome.olf.sgsnet.se] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
09:37 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
09:50 -!- buntfalke [n=nobody@openvpn-p0-240.triple-a.uni-kl.de] has joined ##openvpn
10:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
11:02 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
11:31 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn
12:32 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 131 (Connection reset by peer)]
12:49 -!- drue [n=drue@64.251.23.23] has quit [Read error: 131 (Connection reset by peer)]
12:49 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
13:16 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
13:16 -!- m00h [i=m00h@dyn-89.136.41.20.tm.upcnet.ro] has joined ##openvpn
13:17 < m00h> !howto
13:17 < vpnHelper> m00h: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
13:17 < m00h> !redirect
13:17 < vpnHelper> m00h: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:18 < m00h> !logs
13:18 < vpnHelper> m00h: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:21 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
13:22 < m00h> hello, these are my config files http://paste2.org/p/527689 this is the error message i get on client http://paste2.org/p/527681 if you need any more info feel free to pm me, thank you a lot in advance!
13:36 < m00h> !iporder
13:36 < vpnHelper> m00h: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:37 < m00h> !interface
13:37 < vpnHelper> m00h: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
13:50 < m00h> http://paste2.org/p/527721 this is my routing, i kindly ask for help, thank you
14:00 -!- bandini [n=bandini@host86-108-dynamic.7-79-r.retail.telecomitalia.it] has joined ##openvpn
14:08 < kisom> Anyone else having trouble with Windows Vista/7 and high latency when using openvpn?
14:45 -!- robotti^ [i=robotti@kapsi.fi] has quit ["leaving"]
15:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:13 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
15:29 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Client Quit]
15:30 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
15:32 -!- m00h [i=m00h@dyn-89.136.41.20.tm.upcnet.ro] has quit [Read error: 60 (Operation timed out)]
15:56 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:11 -!- stig` [i=stig@212.187.247.209] has joined ##openvpn
16:12 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
16:12 -!- stig` [i=stig@212.187.247.209] has left ##openvpn []
16:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:55 -!- gr0en [n=gr0en@udn1.com] has joined ##openvpn
16:58 < gr0en> hi http://pastebin.com/d29ccec0 my vpn just started timing out every few mins, it has been working for over a month, not sure how to interpret the log file
17:00 < gr0en> thinking my isp might be causing problems with my vpn
17:00 < gr0en> don't understand why it would just stop working
17:08 -!- bandini [n=bandini@host86-108-dynamic.7-79-r.retail.telecomitalia.it] has quit ["Ex-Chat"]
17:14 < gr0en> i increased keepalive time see if that fixes it
17:16 < gr0en> ok it appears fixed
17:16 < gr0en> thanks for your help
17:17 < gr0en> nope
17:17 < gr0en> just took longer
17:20 -!- gr0en [n=gr0en@udn1.com] has quit ["leaving"]
17:32 < reiffert> !mtu
17:32 < vpnHelper> reiffert: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
18:02 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
18:06 -!- a|3x [n=alex@c-76-115-142-105.hsd1.or.comcast.net] has quit ["Leaving"]
18:19 -!- master_of_master [i=master_o@p549D548B.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
18:23 -!- master_of_master [i=master_o@p549D7DD1.dip.t-dialin.net] has joined ##openvpn
19:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
19:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
19:12 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:30 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
20:46 -!- master_of_master [i=master_o@p549D7DD1.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)]
20:49 -!- master_of_master [i=master_o@p549D7DD1.dip.t-dialin.net] has joined ##openvpn
21:00 -!- hyper__ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has joined ##openvpn
21:00 -!- hyper_ch [n=hyper@84.226.54.151] has quit [Nick collision from services.]
21:27 -!- razor2000 [n=razor@70-91-69-193-BusName-washington-dc.hfc.comcastbusiness.net] has joined ##openvpn
21:27 < razor2000> sup guys...
21:28 < razor2000> !route
21:28 < vpnHelper> razor2000: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:53 -!- m3thos [n=mindblas@bl12-180-119.dsl.telepac.pt] has joined ##openvpn
22:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
22:10 -!- m3th0s [n=mindblas@bl6-79-95.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)]
22:48 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"]
22:58 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
23:15 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
23:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:38 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 104 (Connection reset by peer)]
23:38 -!- xenophile7x7_ is now known as xenophile7x7
23:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Mon Nov 23 2009
00:24 -!- hyper__ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has quit [Remote closed the connection]
00:24 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
01:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 145 (Connection timed out)]
01:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:31 -!- hyper_ch [n=hyper@41-123.107-92.cust.bluewin.ch] has joined ##openvpn
01:45 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
03:56 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
03:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:22 -!- dazo_afk is now known as dazo
04:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
05:04 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 110 (Connection timed out)]
05:05 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
05:24 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
05:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:07 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:11 -!- Sky[x] [n=SkyB0x@89.143.223.22] has joined ##openvpn
06:16 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
06:44 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
06:51 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
07:00 -!- Sky[x] [n=SkyB0x@89.143.223.22] has quit [Connection timed out]
07:43 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
09:05 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
09:12 -!- Rolybrau [n=Rolybrau@85.3.223.107] has joined ##openvpn
09:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
09:37 -!- cvance [n=cvance@acad-1-3-125.dhcp.uno.edu] has joined ##openvpn
09:41 < cvance> !howto
09:41 < vpnHelper> cvance: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
09:41 < cvance> !nat
09:41 < vpnHelper> cvance: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
09:41 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn
09:41 < cvance> !linnat
09:41 < vpnHelper> cvance: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
09:44 < renihs> hmm i have a stupid problem, i have a (local) LAN 192.168.100.0/24, this route gets pushed for the VPN Roadwarriors, and works fine, however i also want clients to connect FROM that LAN, which causes (of course) "WARNING: potential route subnet conflict between local LAN and remote VPN"
09:44 < renihs> do i have any chance of pushing different routes based on where the clients originate from?
09:45 < dazo> renihs: that sounds like the --client-config-dir feature
09:45 < renihs> dazo, ccd dir, yes but that pushes different settings for specific users
09:46 < dazo> renihs: then, there's no other chance .... but have you had a look at !route?
09:46 < renihs> i want the users to be able to connect to that *vpn* lan from inside the lan they end up in
09:46 < dazo> so that you want to route roadwarriors via the VPN into a new VPN?
09:46 < renihs> dazo, well, my problem is, i want only specific users to be able to route through another vpn, i cant make the security based on ip, thats why i would want certificates
09:46 < renihs> dazo, in the end yes
09:46 < dazo> (or a network behind the second VPN)
09:46 < renihs> but if they connect from inside the office lan
09:46 < renihs> that wont work
09:47 < renihs> so either i need 2 openvpn accounts/servers/settings
09:47 < renihs> which i am trying to avoid
09:47 < dazo> renihs: you then need --client-to-client .... and also iroute as well on the second VPN
09:47 < renihs> one for connecting from outside and one for connecting from inside the lan
09:47 < renihs> dazo, y, the 2nd vpn is an ipsec thingie
09:47 < dazo> it's a good approach (in performance) to avoid 2 openvpn processes in this scope
09:47 < dazo> aha
09:47 < renihs> i would like to restrict access to the ipsec vpn based on the openvpn user name
09:47 < renihs> but i think that wont work
09:48 < renihs> i will need to create 2 vpns, one for connecting from inside the lan, and one for connecting from outside
09:48 < dazo> then it gets trickier without more configs and a better overview over which network you have on the different places
09:49 < renihs> well, my basic problem is that i would like users to use the same vpn from inside the "office LAN" as well as from outside (internet-roadwarrior) in which case they end up IN the "office LAN"
09:49 < renihs> which results in route conflict if they attempt to connect from inside the office LAN (where they would end up in)
09:50 < renihs> which i fear cannot be solved, i hoped for some hmm trick to deal with this kind of situation
09:50 < renihs> but my brain refuses to think about it (the networking part) and ignores my requests
09:50 < dazo> renihs: but you lost me actually a little bit .... I need a clearer overview over your network .... could you create a quick picture and put it on http://imagebin.ca/ ? ... with each network segment IPs defined .... it's easier then to follow you
09:50 < vpnHelper> Title: Imagebin - Upload an Image (at imagebin.ca)
09:50 < renihs> dazo, ok
09:54 < renihs> dazo, but hmm never mind, what i want cannot ever work, since i cannot push the same route 2x (the 192.168.0.0/24 actually *exists* for the clients connecting to the VPN)
09:54 < renihs> if the users connect from 192.168.0.0/24 i will always get issues if i also push a route for 192.168.0.0/24
09:54 < dazo> renihs: well, if you consider bridging, it might be doable
09:55 < dazo> yes, that's true
09:55 < renihs> i think i will be doing 2 configs
09:55 < dazo> hence the topic of ##openvpn ;-)
09:55 < renihs> :)
09:56 < dazo> renihs: but .... I still don't see why that will solve it ... 2 configs in this setup seems wrong to me ...
09:56 < renihs> dazo, well, i would have a normal config for roadwarriors connecting from outside, and one special config for 1 user who will connect from inside (and in this case i dont push the 192.168.0.0/24 route)
09:57 < renihs> roadwarriors want to end up in 192.168.0.0/24
09:57 < renihs> but clients who are already IN 192.168.0.0/24 do not need a route pushed
09:57 < renihs> so either i need an option which adjusts the route push feature based on the existing client routes (that feature does not exist)
09:57 < renihs> or use 2 configs
09:57 < dazo> but if you have clients who already got 192.168.0.0/24 .... they also don't need VPN? .... there is something here I don't see ....
09:58 < renihs> dazo, that is true
09:58 < renihs> but
09:58 < renihs> i wanted to abuse openvpn functionality as "authentication"
09:58 < renihs> only those users who are in the vpn would be able to access another vpn
09:58 < renihs> to protect that user
09:58 < renihs> from other users in the lan
09:59 < renihs> cant do ip-security ...need cert/pass security
09:59 < dazo> renihs: but if you have a possibility to go directly through without that route (as the client already got it) .... how will that improve auth? sounds like you can escape it?
09:59 < renihs> well, i dont want to protect 192.168.0.0/24 but another network
09:59 < renihs> when they are IN 192.168.0.0/24 thats ok, but there is another network
10:00 < renihs> which should only be used by specific users
10:00 < renihs> who happen to be in 192.168.0.0/24
10:00 < renihs> (when in office)
10:00 * dazo still doesn't understand the setup at all
10:00 < dazo> It sounds to me that this will not really work as you intend
10:00 < renihs> y
10:00 < renihs> :(
10:01 < renihs> i wanted to have just 1 config for all usage, but that wont work
10:01 < renihs> no harm in having 2 configs, except that specific user will have to start different vpn connections based on his location
10:01 < renihs> VPN-A if he is connecting from inside the office
10:01 < renihs> and VPN-B if he is connecting from somewhere in the inet
10:02 < renihs> which, in case of mammals, is a 50/50 chance of getting it right
10:02 < renihs> well, i guess i can teach her which buttons to push
10:02 < |Mike|> lol
10:02 < dazo> but .... if a user connects his OVPN connection from the office location, he got a 192.168.0/24 addr ... before he starts OVPN ... right?
10:02 < renihs> dazo, exactly
10:03 < renihs> i want to use the vpn (when used from inside) as form of authentication to connect to another vpn :)
10:03 < renihs> from outside it will work
10:03 < renihs> just not in the same setting from inside
10:03 < renihs> or i would have to redesign the networks
10:03 < dazo> renihs: then how will openvpn on this client differentiate between which traffic is going through the VPN and outside? The traffic which needs to go on the outside is the traffic openvpn sends and receives against the openvpn server
10:04 < renihs> dazo, thats exactly the point where i have a problem :)
10:04 < renihs> well hmm
10:04 < renihs> i could hmm
10:04 < dazo> and there is no way around this .... at least not when routing networks .... host based routing will work though
10:05 < renihs> dazo hmm true, hmmm well i guess i will have 2 vpn users/certs/configs to solve the issue at hand, then think about a better way to deal with this
10:05 < dazo> but then you need to define a list of hosts the client needs to access on the other end ... and set up routing per IP address ... that way, it won't try to route the network itself
10:05 < renihs> y
10:06 < renihs> that should work then
10:06 < dazo> renihs: having 2 configs, 1 config or a million configs .... it will not change the situation, neither for the better nor worse
10:06 < renihs> dazo, it will :) in my case
10:06 < dazo> renihs: but moving away from this network conflict will give a better solution
10:06 < renihs> the users who connect from internal (192.168.0.0/24)
10:06 < renihs> will only get one route pushed (a completely different network)
10:07 < renihs> so this wont interfere with the routes of the vpn traffic
10:07 < renihs> and he *wont* get 192.168.0.0/24 pushed
10:07 < renihs> with configB
10:07 < dazo> renihs: but you need to avoid that openvpn automatically creates a route for the 192.168.0.0/24 net
10:07 < dazo> exactly
10:07 < renihs> y
10:07 < renihs> its not nice but it will work
10:08 < dazo> that's right .... it's a mega dirty hack ... and I'm pretty sure this will bite back at you later on .... why not make it proper immediately?
10:08 < renihs> coz it needs to be working *now* :)
10:08 < renihs> 15 minutes ago
10:09 < dazo> well, I'm conservative .... so for me that's no excuse for doing a bad job
10:10 -!- Netsplit over, joins: endre
10:10 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: julius___, polaru, APTX|
10:10 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
10:10 < renihs> dazo, heh :)
10:10 -!- APTX| [n=APTX@213.251.162.70] has joined ##openvpn
10:10 < renihs> cant argue that
10:10 -!- Netsplit over, joins: polaru
10:12 -!- cvance [n=cvance@acad-1-3-125.dhcp.uno.edu] has quit [Remote closed the connection]
10:14 < renihs> dazo, mkay works now, for the purpose at hand, i will think about something nicer soon
10:15 < renihs> i am already happy that i have an openvpn -> ipsec -> internet -> cisco vpn -> checkpoint vpn -> openvpn -> endpoint combination working :)
10:15 < renihs> checkpoint vpn -> ipsec -> openvpn :)
10:15 < renihs> small mistake
10:15 < dazo> renihs: you should, if you want to have some honour :-P ... And it's also not a user friendly solution .... as the user needs to think "Which network am I on now? Office, then I need to start *this* connection" ....
10:16 < renihs> dazo, y, but trust me, in case of this user, forcing it to think slightly wont hurt
10:16 < renihs> she knows, when she is in the office building
10:16 < renihs> she is in the office
10:16 < renihs> so far i got through already
10:16 < dazo> renihs: speaking from experience .... I've seen clever people fail on even simpler tasks ....
10:17 < renihs> now i only need to explain ...ANYWHERE else... -> this button
10:17 < renihs> dazo, also true :)
10:17 < renihs> but if the task gets to simple and the user too clever -> that can overcomplicate :)
10:17 < renihs> s/to/too
10:18 < dazo> in this scenario .... I agree with Apple .... you should only need *one* button :-P
10:18 < renihs> heh :)
10:18 < renihs> dont speak about apple, a few users here are running amok because their "magic mouse" didnt arrive yet
10:18 < renihs> i see the day coming that my boss wants me to write a driver for that thingie so he can use it on windows....
10:19 * dazo refuses to buy any Apple products out of principles of freedom
10:19 < renihs> makes sense :)
10:19 * dazo runs and hides from all apple fans
10:19 < renihs> though the iphone is a nice toy i have to admit
10:19 < dazo> renihs: have you seen Nokia N900?
10:19 < renihs> dazo, not yet *seen* in real
10:19 < renihs> only from specs
10:20 < dazo> me neither, in real, but from what I've heard of people who got one of the 300 developer phones .... it's almost as good as it looks like
10:20 < renihs> we use iphones here, first i hated having to use an apple product, but its really nice (i started liking it when i played monkey island :)
10:20 < renihs> its a bad phone, but a good internet surfing station
10:21 < renihs> "bad" ...not that bad, but could be better (speech quality, battery lifetime etc)
10:21 < dazo> Well, I'm also not an Android fan .... just as I'm not an iPhone fan .... because you need to root them to get access to the system level which is available under the GUI
10:21 < renihs> but for reading mail/www its the best i had in my hands so far
10:21 * dazo is a firm believer in freedom and openness
10:22 < renihs> dazo, y, mine is jailbroken as well
10:22 < renihs> otherwise i couldnt use its tethering function
10:22 < dazo> yeah, mail/www I believe it does a decent job indeed
10:22 < renihs> (using iphone as modem)
10:22 < renihs> and playing monkey island :)
10:22 -!- hyper_ch [n=hyper@41-123.107-92.cust.bluewin.ch] has quit [Remote closed the connection]
10:23 < dazo> yeah .... I don't understand why tethering is not available out-of-the-box ....
10:23 < renihs> seems a complicated political background
10:23 < dazo> but it's just another argument for me against Apple .... who claims they know best :-P
10:23 < renihs> no technical reasons i guess :)
10:23 < renihs> i think though, that the tethering function is disabled because of the providers
10:23 < dazo> obviously :)
10:24 < renihs> not apple, not sure though (i blame apple for everything if the choice is up to me)
10:24 < renihs> but in this case not sure :)
10:24 < renihs> at least in europe
10:25 < dazo> Apple could have denied such a restriction, if they really wanted to .... I can't imagine other operators would be against ....
10:25 < renihs> i dont understand the idea behind this either...i dont think that it can be understood by reason though
10:25 < dazo> nope
10:26 < dazo> it's political, and which operator gave Apple most money ... and Apple adjusted to that direction
10:26 < renihs> most likely, manager A and manager B golfing....they asked to disable this -> whats that -> i have no clue -> ok lets do it :)
10:27 < renihs> i prefer a random number generator to make decisions :)
10:27 < renihs> instead of mammalian brains enhanced by an odd and complex society structure, but nobody is asking me :p
10:27 < renihs> which might be a good thing :)
10:28 < renihs> but i guess the first n900 will be popping up around me anytime soon
10:28 < renihs> might get a closer look soon
10:28 < renihs> i wont be getting one though, i only have a company phone, no private :)
10:59 -!- jherazob [i=be90243b@gateway/web/freenode/x-btlcjiztvddteodq] has joined ##openvpn
11:02 < jherazob> Hi. Quick question: Server used to work before, but yesterday it changed its ip address, all config files were changed accordingly. It connects, but neither end can ping each other. What am i missing?
11:07 < jherazob> The CN on the cert creation had the old IP address, but i'm guessing it's not relevant to the problem as it authenticates successfully
11:07 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:12 < krzee> maybe a firewall setting
11:13 < jherazob> let's hope so, checking everything firewall-related again...
11:15 < dazo> double check all config files once again ... by using "search'n'replace" functions to detect typos .... it's most likely fw or routing issue caused by a typo
11:18 < jherazob> slightly related, if i connected to the remote client using teamviewer, would that interfere with openvpn? if possible i'd like to actually see what it's doing and not just hear it over the phone
11:19 < jherazob> meaning, i connect with teamviewer, then try to connect with openvpn, would that cause trouble for either? or would both work?
11:25 < dazo> shouldn't make any difference
11:25 < dazo> in regards to openvpn's behaviour .... worst case is that your teamviewer session gets "chopped"
11:28 -!- Hypnoz [n=colin@66.104.252.161] has joined ##openvpn
11:47 -!- STF [n=chatzill@dslb-084-061-177-165.pools.arcor-ip.net] has joined ##openvpn
11:48 -!- hyper_ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has joined ##openvpn
11:48 < STF> hi, how can i forward internet through an openvpn connection, when the openvpn server is behind a router?
11:48 < reiffert> !def1
11:48 < vpnHelper> reiffert: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:49 < reiffert> !nat
11:49 < vpnHelper> reiffert: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:03 < STF> all that doesn't work for me
12:04 < STF> and also "iptables -A INPUT tun0 -j ACCEPT" and "iptables -A OUTPUT tun0 -j ACCEPT" are not recognized by openvpn
12:05 < reiffert> I'm sorry, but I cant follow you for "it does not work" = fault of openvpn.
12:05 < reiffert> it does work perfectly for me. now you.
12:07 < STF> i read it through and followed the steps after modifying it to my configuration, but i still cannot go into the internet
12:07 < reiffert> you didnt read !linnat yet, did you?
12:07 < STF> which !linnat?
12:08 < reiffert> the !linnat that is mentioned at the end of !nat
12:08 < reiffert> look:
12:08 < reiffert> !nat
12:08 < vpnHelper> reiffert: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:08 < STF> in the man of openvpn?
12:08 < reiffert> !linnat
12:08 < vpnHelper> reiffert: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
12:09 < STF> okay i see
12:09 < reiffert> cheers, yw
12:14 -!- le0_ [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
12:14 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
12:18 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit [Remote closed the connection]
12:24 -!- TSM2 [n=the_soft@87-194-32-212.bethere.co.uk] has joined ##openvpn
12:26 < TSM2> is there a room for openvpn als?
12:30 < reiffert> http://sourceforge.net/support/getsupport.php?group_id=228294
12:30 < vpnHelper> Title: SourceForge.net: OpenVPN ALS: Get Support (at sourceforge.net)
12:38 -!- STF [n=chatzill@dslb-084-061-177-165.pools.arcor-ip.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
13:03 -!- TSM2 [n=the_soft@87-194-32-212.bethere.co.uk] has left ##openvpn []
13:06 -!- jherazob [i=be90243b@gateway/web/freenode/x-btlcjiztvddteodq] has quit ["Page closed"]
13:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:18 -!- d1zzy [n=dizzy@unaffiliated/developer] has joined ##openvpn
13:18 -!- dazo is now known as dazo_afk
13:19 < d1zzy> hi, is there a way to use static key based auth but with some kind of passphrase/encryption for the client side of it? that is, I don't want to bother with making a CA because I have a single client but at the same time I do want some protection against an admin copying my key from the client so I want it encrypted on the client
13:19 -!- nooo [n=nooo@unaffiliated/nooo] has joined ##openvpn
13:19 < nooo> ohaithar.
13:27 < nooo> I can connect to VPN connected computers from the internal network, but not the other way around O_O
13:32 -!- jeiworth [n=jeiworth@189.177.22.228] has joined ##openvpn
13:35 < d1zzy> anyone?
13:36 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Client Quit]
13:37 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
13:59 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Remote closed the connection]
13:59 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn
14:08 -!- nubix_ [n=asd@92.76.180.122] has joined ##openvpn
14:08 < nubix_> hi,
14:08 -!- nubix_ is now known as nubix
14:08 < nubix> i got a problem and hope i could get some help here
14:09 < nubix> its about using build-key ... it always creates an empty clientX.crt which causes errors on my client
14:10 -!- dli [n=dli@66.49.226.142] has joined ##openvpn
14:12 < nubix> well, no one?
14:15 < dli> nubix, hi
14:15 < nubix> hi
14:16 < nubix> almost quiet in here
14:16 < dli> nubix, it's usually quiet here
14:17 < nubix> that could be the reason why no one is in the mood to help me ;)
14:17 < dli> nubix, I will try, but I'm not an expert
14:17 < nubix> its about using build-key ... it always creates an empty clientX.crt which causes errors on my client
14:18 < nubix> im stuck there while following a tutorial on how to set up an openvpn server on debian
14:19 < dli> nubix, did you have a look at the file vars, and: source vars
14:19 < nubix> well, used source vars
14:20 < nubix> but im sure i missed something basic
14:21 < dli> nubix, it should work by default :(
14:21 < nubix> and build-ca creates a valid ca.crt
14:21 < nubix> thats too bad
14:21 < dli> nubix, so, at least, your openssl/CA work
14:22 < nubix> that doesnt help me anyway because the client wants a client.crt that has a size larger than 0 bytes...
14:23 < dli> nubix, let me try again here on debian
14:24 < dli> nubix, source vars;./build-ca;./build-key-server server;./build-key node1
14:26 < nubix> yep, exactly what i did--
14:26 < nubix> everything seems to work until i get to build-key
14:27 < nubix> it creates a .key
14:27 < nubix> but .crt is empty
14:28 < nubix> i got a server.crt/csr/key and a ca.crt/key
14:29 < dli> -rw-r--r-- 1 root root 5.4K 2009-11-23 14:49 node1.crt
14:30 < nubix> -rw-r--r-- 1 root root 0 23. Nov 21:30 node1.crt
14:33 < nubix> i dont get it
14:34 < nubix> i followed this german tutorial on openvpn http://wiki.ubuntuusers.de/OpenVPN
14:34 < vpnHelper> Title: OpenVPN › Wiki › ubuntuusers.de (at wiki.ubuntuusers.de)
14:35 < dli> nubix, :( I don't read german
14:36 < dli> vpnHelper, which version of debian
14:36 < vpnHelper> dli: Error: "which" is not a valid command.
14:36 < nubix> well, i'm a native german
14:36 < dli> nubix, which version of debian
14:37 < nubix> Debian 5.0 2.6.26-2-686
14:38 < nubix> i think im missing something very basic...
14:38 < dli> cat /etc/debian_version
14:38 < nubix> 5.0.3
14:39 < reiffert> ah, mr. ignorant nubi.
14:39 < nubix> ?!
14:40 < nubix> reiffert: why ignorant?
14:40 < dli> nubix, lenny is too old :( but I don't know why you couldn't get keys :(
14:41 -!- antivert [n=none@prod00.pvpn.ewr.witopia.net] has joined ##openvpn
14:41 < reiffert> nubix: you seem to have ignored the official howto since saturday.
14:42 < antivert> !interface
14:42 < vpnHelper> antivert: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:42 < nubix> reiffert: sorry i dont know what you are talking about
14:43 < nubix> dli: thanks for the trouble, ill keep trying...
14:43 < reiffert> nubix: you came here on saturday morning, asking for non-particular help.
14:43 < antivert> !howto
14:43 < vpnHelper> antivert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:43 < reiffert> nubix: you are from ramstein, arent you?
14:43 < nubix> nope...
14:43 < nubix> reiffert: nope, im not
14:44 < nubix> reiffert: and i decided 2h ago to try openvpn...
14:44 < reiffert> oh, I think the nick of that guy was "nubi". Sorry for that then.
14:44 < nubix> reiffert: it must have been someone else
14:44 < nubix> reiffert: no problem
14:45 < reiffert> nubix: however. Follow the official howto and do a copy and paste of what your terminal brings up
14:45 < reiffert> pastebin.com or similar please.
14:46 < antivert> hey there everybody
14:46 < nubix> ill try the official one. the ubuntu ones generally work very well for me and i prefer the german ones, i dont speak english that well i think
14:47 < antivert> am I right in thinking that with the routed "tun" option, clients should be able to ping machines on the other side of the vpn?
14:47 < reiffert> antivert: when your routing got set up correctly, then yes.
14:47 < antivert> been googling for that for ages and can't seem to find an answer
14:47 < antivert> awesome, thanks
14:48 < reiffert> antivert: follow this guide:
14:48 < reiffert> !route
14:48 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
14:48 < antivert> I've got more stuff to try, I'll probably be back in here in the morning to ask specific questions :)
14:48 < antivert> awesome, thanks!
14:48 < antivert> ohhh that is exactly what I'm having to do, fantastic
14:49 < reiffert> welcome
14:49 < reiffert> nubix: once you have the keys up and running, I advise you to compile the latest openvpn yourself. 2.1.rc22.
14:50 < reiffert> nubix: fewer problems than the ancient 2.0.9 lenny comes with
14:51 < nubix> well... i used the apt-repository:
14:51 < nubix> nubix:/etc/openvpn/easy-rsa2# openvpn --version
14:51 < nubix> OpenVPN 2.1_rc11 i486-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Sep 18 2008
14:51 < nubix> doesnt look too ancient to me :)
14:52 -!- lbsl [n=vvoois@95-36-35-62.dsl.alice.nl] has joined ##openvpn
14:52 < nubix> but ill try everything ... there must be a way to get that one up
14:53 -!- jeiworth [n=jeiworth@189.177.22.228] has quit [Connection timed out]
14:55 < lbsl> !howto
14:55 < vpnHelper> lbsl: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
14:55 < lbsl> already read the howto... too compact on the scripting area
14:55 < lbsl> !man
14:55 < vpnHelper> lbsl: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
14:58 < lbsl> !config
14:58 < vpnHelper> lbsl: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
14:58 -!- bandini [n=bandini@79.7.108.86] has joined ##openvpn
14:59 < lbsl> !config client-connect
14:59 < vpnHelper> lbsl: Error: 'supybot.client-connect' is not a valid configuration variable.
14:59 < lbsl> !configs
14:59 -!- YaManicKill is now known as YaManicKill|away
14:59 < vpnHelper> lbsl: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:00 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
15:01 < lbsl> Anybody here able to tell me if i can let an OpenVPN server execute client specific scripts from the ccd/[clientname] config file?
15:09 < krzie> scripts?
15:09 < krzie> i dunno what you mean, but i can tell you how to find EVERYTHING that can be done within ccd/
15:09 < krzie> first of all:
15:09 < krzie> !ccd
15:09 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
15:09 < krzie> then to see specifically what is valid:
15:09 < krzie> !man
15:09 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
15:10 < krzie> in the manual in the --client-config-dir section, it will tell you
15:17 < lbsl> [reading and browsing the beta man....]
15:23 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has joined ##openvpn
15:24 < Titan8990> I am having trouble with a VPN connection that was working last week. The server is running pfsense and the client is a ddwrt router. The server is rejecting the connection with the following: "Nov 23 20:15:49 pfSense openvpn[23525]: TCP NOTE: Rejected connection attempt from due to --remote setting"
15:25 < Titan8990> Does anyone have an idea on common causes for this issue? I have double checked my settings and everything appears to match, including the shared key.
15:27 < Titan8990> and it just started working... excellent... I love inconsistent behavior
15:27 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
15:28 < krzie> Titan8990
15:28 < krzie> !configs
15:28 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
15:29 < Titan8990> krzie, do you still think the issue would be a configuration problem if it worked last week... and it works now but didn't for the last hour?
15:30 < krzie> how would i know, i havnt seen your configs
15:30 < Hypnoz> maybe firewall was blocking too many connection attempts or something
15:30 < Hypnoz> it could be a lot of things
15:30 < Hypnoz> if you only have 1 connection per cert, it may have had to wait for the original cert to time out before reconnecting
15:31 < krzie> well that specific error tells me either its a misconfig or a ptp setup
15:32 < krzie> but instead of sitting here discussing every possible problem one could have, i ask for the configs
15:33 < Titan8990> alright here are my configs: http://pastebin.com/m7f0093c1
15:34 -!- nubix [n=asd@92.76.180.122] has left ##openvpn []
15:34 < krzie> and i cant speak on common causes for that error since its not very common
15:35 < Titan8990> client: 2.1_rc7 server: 2.0.6
15:35 < krzie> ok so it is in fact a ptp setup
15:35 < krzie> there is only a single client, correct?
15:36 < Titan8990> to that VPN configuration
15:36 < krzie> ok
15:36 < krzie> how are you assigning ips to the "client" ?
15:37 < Titan8990> krzie, POSIX shell script
15:37 < krzie> wow, are you sure this is how you want it set up?
15:37 < krzie> i can give you my configs and you just set up the PKI stuff...
15:37 < krzie> also, tcp is a bad idea for the transport proto
15:37 < krzie> !tcp
15:37 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:38 < krzie> is the client on a dynamic ip?
15:38 -!- dli [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
15:38 -!- dli [n=dli@66.49.226.142] has joined ##openvpn
15:39 < Titan8990> krzie, no
15:39 < krzie> so the client never changes ips
15:39 < Titan8990> krzie, I just wanted all the clients to log in to separate ports... just so I can easily see which connections are established via netstat
15:39 < Titan8990> no, it doesn't
15:39 < krzie> Titan8990 just do this instead:
15:40 < krzie> !sample
15:40 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:40 < krzie> you can see who is logged in by enabling the management interface
15:40 < Titan8990> shared key seemed to be the easy way to accomplish it... the clients are embedded linux that is not very flexible, plus the first couple have been deployed
15:40 < krzie> embedded linux can handle PKI setups
15:40 < krzie> in fact its more normal
15:41 < krzie> what you're doing is WAY more work than you need to put in
15:41 < Titan8990> krzie, just from the use of shared keys?
15:41 < krzie> well you create a separate instance on the "server" for every connection
15:41 < krzie> which is just insane after 2.0 came out
15:41 < krzie> (1.x you had to do it that way)
15:42 < krzie> tcp is bad
15:42 < krzie> !tcp
15:42 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
15:42 < Titan8990> I only have 8 locations to connect so that isn't a big deal... would understand if I had 20+
15:42 < krzie> hah i wouldnt understand with 2+
15:42 < Titan8990> krzie, how does it handle packets that dropped or were not received?
15:43 < krzie> the inside of your tunnel is UDP only?
15:43 < Titan8990> krzie, nvm... guess that is handled by the protocol being tunneled by the VPN
15:43 < krzie> correct =]
15:43 < krzie> as explained on that link i gave you, doubling up on that can hurt your performance big time
15:43 < krzie> that link was from the openvpn manual btw
15:44 < Titan8990> thanks, I probably will switch to UDP, but stick with shared keys
15:45 < Titan8990> krzie, and mostly because that decision was made by idiots I would rather not argue with
15:45 < krzie> ok well take a look at my sample files
15:45 < krzie> its 100x easier to deal with
15:45 < krzie> !sample
15:45 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:46 < Titan8990> krzie, I got it... but btw this is a job that still manages a 200 node network via hosts files
15:46 < krzie> thats not so uncommon, airline companies do the same
15:46 < krzie> with like orbitz and hosts like that as well as some internal
15:46 < Titan8990> so "its easier to manage" is taboo around here
15:47 < krzie> how about its more friendly to resources?
15:47 < krzie> that would be a reason theyd use a hostfile as opposed to dns...
15:47 < krzie> also a reason to run 1 server process instead of 20 ptp processes
15:47 < krzie> (you have no server)
15:48 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
15:49 < Titan8990> I think you spend more money over time in maintaining hosts lists than you would to buy and operate hardware to run bind on
15:49 < krzie> depending how you do it
15:49 < Titan8990> I guess it depends on how often your network changes
15:49 < krzie> the airline companies had it automated
15:50 < krzie> making it about equally easy
15:50 < krzie> well equally easy to me, since i know how to run a NS
15:50 < Titan8990> i can agree with that
15:52 < Titan8990> krzie, do you think that error I had earlier could have been due to packet loss? I am actually testing how a VPN connection would perform over a 3g connection
15:52 < krzie> i thought you said the ip didnt change!
15:52 -!- phusion [i=phusion@2001:41d0:1:839a:0:0:0:1337] has quit [Remote closed the connection]
15:53 < krzie> a 3g connection will most definitely have dynamic ips
15:53 < krzie> therefore, --persist-remote-ip is likely screwing with you
15:53 < krzie> (which is why i had asked that)
15:53 < Titan8990> krzie, sorry... I am used to dealing with all static IPs and it didn't even cross my mind when you said that
15:54 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
15:54 < krzie> packet loss with a tcp tunnel will HAVE PROBLEMS
15:54 < krzie> as well =]
15:54 < krzie> but not the cause of that error
15:54 < krzie> the link i gave re: tcp will tell you what would happen if that were the problem
15:58 < Hypnoz> krzie: what is the management interface thing you mentioned?
15:58 < Hypnoz> is there a webui?
16:03 < krzie> i have heard of attempts, but nothing good
16:03 < krzie> its just a tcp port you connect to and issue commands
16:03 < krzie> made for people to build apps (like a webui) on top of
16:04 < krzie> --management IP port [pw-file]
16:04 < krzie> Enable a TCP server on IP:port to handle daemon management functions. pw-file, if specified, is a password file (password on first line) or "stdin" to prompt from standard input. The password provided will set the password which TCP clients will need to provide in order to access management functions.
16:04 < krzie> The management interface can also listen on a unix domain socket, for those platforms that support it. To use a unix domain socket, specify the unix socket pathname in place of IP and set port to 'unix'. While the default behavior is to create a unix domain socket that may be connected to by any process, the --management-client-user and --management-client-group directives can be used to restrict access.
16:04 < krzie> The management interface provides a special mode where the TCP management link can operate over the tunnel itself. To enable this mode, set IP = "tunnel". Tunnel mode will cause the management interface to listen for a TCP connection on the local VPN address of the TUN/TAP interface.
16:04 < krzie> While the management port is designed for programmatic control of OpenVPN by other applications, it is possible to telnet to the port, using a telnet client in "raw" mode. Once connected, type "help" for a list of commands.
16:04 < krzie> For detailed documentation on the management interface, see the management-notes.txt file in the management folder of the OpenVPN source distribution.
16:04 < krzie> It is strongly recommended that IP be set to 127.0.0.1 (localhost) to restrict accessibility of the management server to local clients.
16:04 < krzie> shit that was too much paste, sorry
16:05 < Hypnoz> np. ya it would be nice if there was a webui for managing users cause doing it through command line sucks
16:05 < Hypnoz> i don't know what certs i have given out to people, and revoking them doesn't work
16:05 < Hypnoz> so if someone leaves i'm not really sure how i can disable their access
16:05 < krzie> your CA machine should have everything you need
16:05 < krzie> and revoking them does work
16:06 < Hypnoz> openvpn server = ca machine, and i don't even know what the certs are called anymore since i've moved/removed a lot of certs off the server
16:06 < Hypnoz> before i realized i should keep them
16:06 < krzie> oops
16:06 < Hypnoz> since you don't have to have them on the server for the user to connect
16:06 < Hypnoz> but you do need them to remove the user
16:06 < krzie> youd need to rebuild your PKI then to do it right
16:07 < krzie> do you happen to use fbsd?
16:07 < Hypnoz> how was i supposed to know i needed to keep all the users cert stuff on the vpn server....
16:07 < Hypnoz> reissue all the vpn certs to everyone?
16:07 < krzie> you dont need them on the vpn server, just on the CA
16:07 < krzie> (which ideally is not on the vpn server)
16:08 -!- YaManicKill|away is now known as YaManicKill
16:09 < Hypnoz> ca is on the openvpn server, even if it wasn't i still wouldn't have the users cert files
16:09 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has quit ["Leaving"]
16:09 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn
16:09 < Hypnoz> I zip them up and send them to the users when openvpn generates them
16:09 < krzie> do you happen to use fbsd?
16:09 < Hypnoz> ubuntu
16:09 < krzie> ahh
16:10 < krzie> if you get ssl-admin set up on your CA machine, it'll handle all that for you
16:10 < krzie> keeps copies for making CRL, makes the CRL for you, zips up stuff for sending (along with the config file you had supplied)
16:10 < krzie> etc
16:10 < krzie> !ssl-admin
16:10 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
16:11 < krzie> it was made by ecrist, makes managing certs and PKI setup in general a pleasure
16:13 -!- antivert_ [i=antivert@de2-as13099.alshamil.net.ae] has joined ##openvpn
16:13 -!- antivert_ [i=antivert@de2-as13099.alshamil.net.ae] has left ##openvpn []
16:17 < krzie> (i wouldnt object to renaming easy-rsa to pita-rsa ;]
16:17 < krzie> )
16:27 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
16:32 -!- antivert [n=none@prod00.pvpn.ewr.witopia.net] has quit [Read error: 110 (Connection timed out)]
16:35 -!- Hypnoz [n=colin@66.104.252.161] has quit ["Leaving."]
16:36 < d1zzy> hi, is there a way to use static key based auth but with some kind of passphrase/encryption for the client side of it? that is, I don't want to bother with making a CA because I have a single client but at the same time I do want some protection against an admin copying my key from the client so I want it encrypted on the client
16:36 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn
16:44 < krzie> not to my knowledge
16:44 < krzie> although you COULD require a password on the vpn side of it (i think you can do that with a ptp setup, not 100% sure tho)
16:45 < krzie> like password auth in addition to the normal auth
16:53 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
16:53 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
17:07 < d1zzy> hmm
17:08 < d1zzy> but with CA/TLS that's easily possible?
17:08 < d1zzy> have the client private key encrypted that is
17:09 < krzie> very easily possible, yes
17:12 < d1zzy> hmm ok, then I'll look into doing a CA when I can spare 2 hours in the near future, thanks
17:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
17:55 < jeiworth> hi all, i am currently reading the howto to push dns resolution to my openvpn clients but so far i have only found a way to force all dns resolution to be handled by the openvpn server network, is there a way to simply add the dns of the server side network to the clients so that it will just use it if existing client-dns-resolution fails, i.e. as third dns server for the client?
17:56 -!- d1zzy [n=dizzy@unaffiliated/developer] has left ##openvpn []
17:57 < jeiworth> not that its a big deal, just have 6 clients connecting so the router box should be able to handle it, but it just would be nicer...
18:06 < jeiworth> brb
18:10 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
18:11 < Bushmills> consider running a dns on the network, used by clients, which uses the recursive dns on the vpn server as upstream server when the vpn comes up, and recurses itself, or provider upstream, when the vpn isn't
18:12 < Bushmills> (of course it could also recurse itself when the vpn is up)
18:15 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"]
18:16 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)]
18:22 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
18:23 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Success]
18:28 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
18:35 -!- master_of_master [i=master_o@p549D7DD1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:38 -!- master_of_master [i=master_o@p549D7DCF.dip.t-dialin.net] has joined ##openvpn
18:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
19:08 < krzie> also, for windows you can push primary and secondary dns
19:09 < krzie> and for linux/bsd/osx you must use a script to pull out the pushed dns options, so you can do ANYTHING you want
19:09 -!- theDoc [n=hex@119.73.165.162] has joined ##openvpn
19:10 < krzie> the thing is, in windows even with it set up that way, theres no guarantee its going to try the first NS then fall back to the second if the first didnt have it
19:10 < |Mike|> echo $?
19:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
19:25 -!- theDoc [n=hex@119.73.165.162] has quit [Nick collision from services.]
19:25 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:29 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 104 (Connection reset by peer)]
19:30 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
19:42 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
19:43 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
19:55 -!- ent [n=james@unaffiliated/ent] has joined ##openvpn
21:35 < razor2000> how do you get mutiple users to be able to access a single openvpn server over 1 port without having to create individual setups for each (and have several users connected simultaneously in road-warrior mode)?
21:35 < razor2000> mutiple = multiple
21:36 * ecrist sings, "It's a real fine day to be nude. Oh, it's a real nice day to be nude."
21:41 -!- ent [n=james@unaffiliated/ent] has quit [Read error: 60 (Operation timed out)]
21:42 < krzie> razor2000
21:42 < krzie> by using --server
21:42 < krzie> example:
21:42 < krzie> !sample
21:42 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
21:42 < krzie> bbl
22:07 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
22:07 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
22:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
22:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
22:30 -!- st1650 [i=st1650@69-165-173-87.dsl.teksavvy.com] has joined ##openvpn
22:30 < st1650> Good evening
22:31 < st1650> Anybody has a suggestion how to optimize openvpn for lan games ? Make it 'faster' ?
22:34 < dli> !howto
22:34 < vpnHelper> dli: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
22:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
22:49 -!- oc80z_ [n=oc80z@priv.efnet.pe] has joined ##openvpn
22:50 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:59 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has joined ##openvpn
22:59 -!- lbsl [n=vvoois@95-36-35-62.dsl.alice.nl] has quit [Read error: 54 (Connection reset by peer)]
23:10 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:10 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
--- Day changed Tue Nov 24 2009
00:19 -!- antivert [n=antivert@86.98.30.32] has joined ##openvpn
00:21 < antivert> !routes
00:21 < vpnHelper> antivert: Error: "routes" is not a valid command.
00:22 < antivert> !routing
00:22 < vpnHelper> antivert: Error: "routing" is not a valid command.
00:22 < antivert> !route
00:22 < vpnHelper> antivert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:22 < antivert> duh :)
00:22 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
00:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:22 -!- hyper_ch [n=hyper@adsl-84-226-54-151.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
00:23 < bvierra> !route
00:23 < vpnHelper> bvierra: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
00:25 < antivert> the !route page is fantastic. I couldn't find that info anywhere else.
00:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
00:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote closed the connection]
00:36 < bvierra> hey guys
00:36 < bvierra> I read through the routing page
00:36 < bvierra> I have a desktop that is on the same lan as the server
00:36 < antivert> !configs
00:36 < vpnHelper> antivert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
00:37 < bvierra> desktop = 192.168.1.21 server=192.168.1.5 (10.8.0.1)
00:37 < bvierra> I have a computer VPN in (10.8.0.3)
00:37 < bvierra> I can ping from server to VPN client
00:37 < bvierra> and I can ping from desktop to server
00:37 < bvierra> but I cant ping from desktop to vpn client
00:38 < bvierra> in server.conf I have push setup
00:38 < bvierra> on the router for 192.168.1.* I have setup a static route for 10.8.0.0 -> 192.168.1.5
00:40 < bvierra> anything that I am missing?
00:47 -!- dazo_afk is now known as dazo
00:49 < oc80z_> whats good?
00:49 < oc80z_> it client-to-client?
00:49 < oc80z_> it tunnel or bridge?
00:50 < antivert> I just have to say guys, that thanks to the information on the secure-computing routing page, MY VPN NOW WORKS!! :D :D
00:50 < antivert> cheers people, I could kiss you all
00:51 < oc80z_> before you go
00:51 < oc80z_> crontab :)
00:51 < oc80z_> backup your router configuration
00:51 < oc80z_> then crontab :P
00:53 < antivert> :D
00:53 < antivert> backing up as we speak!
00:53 < oc80z_> oh thought this was... #dd-wrt
00:53 < oc80z_> :P
00:53 < antivert> haha
00:54 < antivert> I was thinking "what on earth do I need to crontab?"
01:01 < krzee> antivert, yw =]
01:07 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 110 (Connection timed out)]
01:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:15 -!- hyper_ch [n=hyper@213-234.3-85.cust.bluewin.ch] has joined ##openvpn
01:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
01:41 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Client Quit]
01:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:56 < ecrist> evening bitches.
01:56 < ecrist> almost morning.
01:57 < ecrist> antivert: thank krzee for that page, he wrote it.
01:57 < ecrist> but feel free to send paypal donations to me. ;)
02:00 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:01 -!- Irssi: ##openvpn: Total of 79 nicks [0 ops, 0 halfops, 0 voices, 79 normal]
02:04 < dazo> good morning! :)
02:34 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
02:37 < antivert> krzee: THANK YOU!
02:37 < antivert> ecrist :P
02:47 < antivert> ttyl peeps
02:47 -!- antivert [n=antivert@86.98.30.32] has quit [" HydraIRC -> http://www.hydrairc.com <-"]
02:48 < krzee> lol
02:48 < krzee> wassup man
02:55 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer]
03:01 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
03:03 < ecrist> hey krzee
03:07 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit ["Leaving"]
03:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
03:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:01 -!- wild_oscar [n=malmeida@bl9-87-118.dsl.telepac.pt] has joined ##openvpn
04:01 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:02 < wild_oscar> hi there! does the default windows xp vpn client support TLS certificate authentication?
04:02 < wild_oscar> (ie, not openvpn's windows client)
04:04 < renihs> afaik yes (x509)
04:05 < wild_oscar> renihs: do you know any resource on how to set it up? I can't seem to find any options so I can supply the certificate files
04:06 < renihs> i have only set up windows vpn (windows native client) with ipsec
04:06 < renihs> never tried with openvpn
04:07 < renihs> psk and certificates worked fine
04:07 < renihs> "fine"
04:07 < renihs> ipsec/l2tp (openswan/x2ltp), i dont have much experience with openvpn yet :)
04:09 < wild_oscar> hmm...I'll continue my googling then. on another question, what is the best way to implement IP restriction: connected vpn users should only be able to see one specific IP address of the private network?
04:11 < dazo> native windows VPN will never ever work with openvpn ..... windows VPN == ipsec .... openvpn != ipsec
04:12 < dazo> correction: windows VPN == pptp ... openvpn != pptp
04:13 < renihs> wild_oscar, i would suggest to use the "ccd" directory, and push only host based routes based on user
04:14 < renihs> else iptables is the solution i guess
04:14 < renihs> dazo, correction, ipsec+l2tp or pptp :)
04:15 < dazo> ahh .... 75% is not that bad :-P
04:15 < wild_oscar> I'll check the ccd directory. I was thinking iptables, but I'm not too comfortable with it to mess around
04:16 < renihs> iptables is a nifty tool once you get used to it :)
04:17 < wild_oscar> renihs: do you know of any tool to manage it more intuitively?
04:18 < renihs> isnt the cli already the most simple & easy?
04:18 < renihs> i looked at a couple of gui tools the past 7 years, i found them all very complicating
04:18 < renihs> wild_oscar, fetch yourself a picture of netfilter kernel packet traversal
04:19 < renihs> and keep it close, shouldnt be too difficult after some time :)
04:20 < dazo> wild_oscar: using iptables is very easy, once you understand the purpose of each of the main chains, and what the different tables do .... GUI mostly just cripples the features and complete understanding
04:20 < wild_oscar> doesn't need to be a cute little gui, I was thinking more in the lines of what sysv-rc-conf achieves for debian services
04:20 < dazo> s/complete/complicates the/
04:21 * dazo is using iptables-save ... and editing the dumps manually and then reloading with iptables-restore
04:23 -!- Rochdi [n=rochdi@196.203.51.17] has joined ##openvpn
04:23 < Rochdi> Hi all
04:24 < Rochdi> I have a VPN that is ok, I wish now to add a new client, but i can't generate certificate, I use the same command that i used but i can't
04:27 < krzee> renihs,
04:27 < krzee> !notcompat
04:27 < vpnHelper> krzee: "notcompat" is (#1) ipsec and pptp are NOT compatible with openvpn... openvpn uses SSL, pptp and ipsec both use proprietary protocols, and therefore CAN NOT be compatible, or (#2) openvpn only connects to openvpn
04:28 < renihs> krzee, that was in essence what dazo (and me) said :)
04:28 < krzee> werd =]
04:28 * dazo notices !notcompat
04:29 < renihs> ah the command :), noted
04:30 < krzee> Rochdi, you'll need to make a client cert for the new client, with unique and valid commonname
04:31 < wild_oscar> btw, how does one invalidate the certificate?
04:32 < wild_oscar> for example, if it gets compromised
04:32 * ecrist needs to find a dedicated air handler/filter system for his server room
04:32 < MorkBork> crl
04:32 < MorkBork> a revokation list
04:32 < MorkBork> revocation*
04:32 < wild_oscar> oh! thanks :)
04:33 < MorkBork> i wonder if
04:33 < MorkBork> !crl
04:33 < vpnHelper> MorkBork: "crl" is (#1) --crl-verify A CRL (certificate revocation list) is used when a particular key is compromised but when the overall PKI is still intact. The only time when it would be necessary to rebuild the entire PKI from scratch would be if the root certificate key itself was compromised., or (#2) you can make use of CRL by using the revoke-full script in easy-rsa (packaged with
04:33 < vpnHelper> MorkBork: openvpn) that will create the CRL file for you. ssl-admin will also build a crl for you
04:33 < MorkBork> aha
04:33 < MorkBork> it does work
04:33 < krzee> =]
04:36 -!- dazo is now known as dazo_afk
04:38 -!- le0 [n=tehfin@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
04:40 -!- le0 [n=tehfin@82.16.123.181] has joined ##openvpn
04:44 -!- Rochdi [n=rochdi@196.203.51.17] has left ##openvpn []
04:55 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
04:59 -!- mort_gib [n=mjensen@212.120.244.213] has joined ##openvpn
04:59 < mort_gib> Hi
05:02 < mort_gib> VERIFY ERROR: depth=0, error=unsupported certificate purpose: -I get this when trying to connect to an OpenVPN setup ?? What does that mean??
05:03 -!- dazo_afk is now known as dazo
05:03 < theDoc> mort_gib> Something is wrong? :p
05:04 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:04 < mort_gib> theDoc: Very clever, very clever :-)
05:05 < theDoc> :-)
05:05 < mort_gib> but seriously though, I use build-key "certname" to create the client certificate, and the ca.crt file is loaded on the client...
05:06 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Success]
05:20 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: kala, disco-, |Mike|, Typone
05:21 < ecrist> mort_gib:
05:21 < ecrist> !logs
05:21 < vpnHelper> ecrist: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
05:24 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
05:24 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
05:24 -!- Typone [n=nnnitsme@195.197.184.87] has joined ##openvpn
05:24 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
05:27 -!- mort_gib [n=mjensen@212.120.244.213] has left ##openvpn ["Leaving"]
06:08 -!- le0_ [n=itsle0@82.16.123.181] has joined ##openvpn
06:09 -!- le0 [n=tehfin@82.16.123.181] has quit ["Leaving"]
06:09 -!- c99 [n=c99@83.136.90.2] has joined ##openvpn
06:10 < c99> Can anyone help me with some troubleshooting regarding my OpenVPN server, I'm running in bridge mode and I can connect to the openvpn server just fine, however I am unable to ping the local IP address of the OpenVPN server, why can that be?
06:11 < ecrist> firewall or you're missing the sysctl to enable ipforwarding
06:11 < ecrist> checkout the channel topic
06:12 < c99> sysctl net.ipv5.ip_forward states = 1
06:12 < c99> ipv4*
06:15 < c99> No blocks in the firewall
06:18 < c99> ecrist: the openvpn server can ping the client.
06:19 < c99> oh sorry, no it can't.
06:27 < ecrist> !configs
06:27 < ecrist> !logs
06:27 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:27 < vpnHelper> ecrist: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
06:28 -!- dli [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
06:28 -!- dli [n=dli@66.49.226.142] has joined ##openvpn
06:30 -!- mort_gib [n=mjensen@212.120.244.213] has joined ##openvpn
06:40 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 145 (Connection timed out)]
06:47 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
06:50 -!- hyper_ch [n=hyper@213-234.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
06:51 -!- mort_gib [n=mjensen@212.120.244.213] has quit ["Leaving"]
07:24 < c99> ecrist: you still here?
07:31 < ecrist> yes.
07:33 < c99> ecrist: This is my cfg: http://pastebin.ca/1685372 - br0 is a bridge of eth0 configured with ip 10.20.1.249
07:36 -!- hyper_ch [n=hyper@adsl-89-217-34-217.adslplus.ch] has joined ##openvpn
07:36 < krzee> what layer2 protocol do you require over your vpn?
07:37 < ecrist> c99: logs, too, please
07:37 < c99> krzee: proto udp at the client
07:37 < krzee> udp is layer3
07:38 < krzee> what protocol destined for a mac address do you want to use over the vpn?
07:38 < krzee> ie: certain lan games
07:38 < c99> ecrist: you want the log from once a client connects?
07:39 < c99> krzee: I don't get what you mean
07:40 < krzee> !tunortap
07:40 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
07:40 < c99> Hmm
07:41 < ecrist> c99: logs from when you start openvpn until it says connection initialized
07:42 < c99> ecrist: http://pastebin.ca/1685385
07:42 < c99> ecrist: The only port I have open from the outside world into the OpenVPN server is 1194 UDP
07:45 < ecrist> c99, if you note the topic, 2.1rc22 is the latest version
07:45 < c99> Well how big is the chance that this is a bug.
07:46 < ecrist> not very, but if you're going to use an RC, at least keep up to date.
07:46 < ecrist> my finger is on your firewall
07:46 < c99> one sec
07:46 < ecrist> looks like your vpn client is getting an IP OK.
07:46 < ecrist> can you ping the ip of the vpn server after you've connected?
07:47 < c99> the latest deb package is rc11, so I don't think this is a bug since they would have updated it then.
07:47 < c99> ecrist: client 10.20.1.220 cannot ping server 10.20.1.249
07:47 < c99> Reply from 10.20.1.220: Destination host unreachable.
07:48 < c99> route print: 10.20.1.0 255.255.255.0 On-link 10.20.1.220 286
07:48 < c99> I don't see 249 anywhere.
07:48 < ecrist> c99, have you disabled your firewall?
07:48 < c99> yes
07:48 < ecrist> are you *sure*?
07:48 < c99> yep, windows firewall is disabled at the client
07:49 < c99> just re-checked.
07:49 < ecrist> are you sure your bridge is configured OK?
07:49 < ecrist> c99, you need to disable on both ends.
07:49 < c99> br0 is a bridge of eth0, the vpn server can ping the outside world and the lan default gateway of course.
07:49 < c99> there is no local firewall on the VPN server.
07:50 < ecrist> does br0 contain tap0?
07:50 < ecrist> is br0 'up'?
07:50 < c99> Tue Nov 24 16:49:08 2009 Cannot open TUN/TAP dev /dev/tap0: No such file or directory (errno=2)
07:50 < c99> hmm
07:51 < ecrist> grr, you didn't include that log
07:51 < ecrist> even though I asked for it.
07:53 < c99> why is it unable to do that
07:53 < krzee> and im almost sure you shouldnt even be using a bridge
07:53 < ecrist> I don't know. you won't show me your log.
07:53 < c99> ifconfig tap0 exists.
07:53 < c99> doesn't make any sense then
07:54 < ecrist> SHOW ME YOUR LOGS
07:54 < krzee> lol
07:54 < ecrist> I got the client log, now show me the server log
07:55 * krzee points to 99% of the people using bridges and says "you're doing it wrong!"
07:55 < ecrist> I've had zero sleep in the last 24 hours, so I *may* be more cranky than usual.
07:56 < krzee> [09:47] the latest deb package is rc11, so I don't think this is a bug since they would have updated it then.
07:56 < krzee> there would be no rc12+ if rc11 didnt have bugs
07:59 < ecrist> I don't think he wants a VPN.
07:59 < theDoc> i think people need to shut up and stop expecting everything to magically work or get anything free.
08:00 < theDoc> people are pissing me off since my morning started.
08:00 < theDoc> almost nonstop
08:00 < theDoc> >:|
08:00 < c99> I don't expect everything to just work, and i don't expect anything to be free
08:01 < theDoc> i'm going to sleep.
08:02 < ecrist> theDoc: Tampax is the answer.
08:02 < theDoc> ecrist> Stabbing someone is the answer
08:02 < theDoc> >:|
08:05 < krzee> c99,
08:05 < krzee> !sample
08:05 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
08:05 < krzee> screw your bridge
08:05 < krzee> until you decide what the layer2 protocol you need over the bridge is, you're doing it wrong
08:06 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:11 < ecrist> I got a chuckle: http://icanhascheezburger.wordpress.com/files/2009/11/funny-pictures-lions-are-napping.jpg
08:39 -!- m1ke [n=m00h@94.102.51.123] has joined ##openvpn
08:41 < m1ke> hey, is there a possibility to restrict gateway redirecting to specific clients?
08:42 < m1ke> !redirect
08:42 < vpnHelper> m1ke: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
08:43 < m1ke> !def1
08:43 < vpnHelper> m1ke: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
08:45 < m1ke> hmm
08:47 < dazo> m1ke: not really strict out of the box ... you usually then need to combine such restrictions with some firewall updates as well
08:48 < dazo> m1ke: you can use --client-config-dir (ccd) to give specific routes and IP addresses to each client, and the static IP addresses can then be controlled in the firewall
08:49 < c99> ecrist: I managed to fix the tap0 issue, openvpn was starting before the bridge.
08:49 < c99> However I am still unable to ping the openvpn server ip from lan
08:50 < dazo> m1ke: or if you want a very strict setup, including certificate and username/password auth, with dynamic iptables updates ... you can have a look at eurephia (an authentication and access control plug-in for OpenVPN)
08:58 < m1ke> ahh thanks
08:58 < m1ke> im gonna have a look at that one
08:59 < m1ke> hmm but maybe a lil firewall script will do it too
09:00 -!- wild_oscar [n=malmeida@bl9-87-118.dsl.telepac.pt] has left ##openvpn []
09:10 -!- st1650 [i=st1650@69-165-173-87.dsl.teksavvy.com] has quit []
09:18 -!- jfkw [n=jtk@24.216.241.93] has joined ##openvpn
09:20 -!- forbjok [n=kfk@79.82-134-68.bkkb.no] has joined ##openvpn
09:21 < forbjok> does openvpn use more than just the one port specified in the server config, when running in udp mode?
09:22 < reiffert> no.
09:23 < forbjok> i'm trying to run an openvpn connection through a netscreen SSG-5 router. when i forward only my specified udp port, it doesn't work, but if i forward udp port 0-65535 in, it works
09:25 < reiffert> operating system on the openvpn server machine?
09:25 < forbjok> ubuntu server
09:26 < reiffert> for diagnosis run tcpdump on the machine and have a look for incoming packets.
09:26 < reiffert> while running tcpdump reduce the portrange step by step, or try the specified port directly.
09:26 < reiffert> also check on which port the openvpnserver listens: netstat -anp | grep openvpn
09:28 < reiffert> e.g. tcpdump -n port 1194
09:28 < reiffert> or
09:28 < reiffert> e.g. tcpdump -n -i eth0 port 1194
09:30 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
09:33 < forbjok> the openvpn server listens on port 37185 udp as it should
09:38 -!- forbjok [n=kfk@79.82-134-68.bkkb.no] has quit [Read error: 104 (Connection reset by peer)]
09:41 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:00 -!- k00h [i=m00h@dyn-89.136.41.20.tm.upcnet.ro] has joined ##openvpn
10:08 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:12 -!- jeiworth [n=jeiworth@189.177.22.63] has joined ##openvpn
10:20 -!- m1ke [n=m00h@94.102.51.123] has quit [Read error: 113 (No route to host)]
10:24 -!- darkwind [n=darkwind@64.71.152.247] has left ##openvpn []
10:26 -!- k00h is now known as m1ke
10:27 < m1ke> what could be the problem: i can access pages through vpn, now i found one which wont load, neither by direct ip
10:27 < m1ke> i tried different DNS but same thing
10:28 -!- nubix [n=asd@92.76.180.122] has joined ##openvpn
10:28 -!- nubix is now known as x41414141
10:28 -!- x41414141 is now known as nubix_
10:29 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:29 -!- nubix_ is now known as nubix
10:39 -!- nubix [n=asd@92.76.180.122] has left ##openvpn []
10:43 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
11:03 -!- User20 [n=User@94.182.12.24] has joined ##openvpn
11:04 -!- pooya_ [n=pooya@94.182.12.24] has joined ##openvpn
11:04 < pooya_> hi everybody!
11:04 -!- User20 [n=User@94.182.12.24] has quit [Client Quit]
11:06 < pooya_> newbie here: openvpn "access server" problem: it makes the tcp connection but nothing happens. I'm running fedora on a vps. tried changing everything still no luck. any suggestions?
11:06 < Bushmills> m1ke: that server is down
11:06 -!- nubix [n=asd@92.76.180.122] has joined ##openvpn
11:06 -!- nubix [n=asd@92.76.180.122] has left ##openvpn []
11:06 < Bushmills> !access
11:06 < vpnHelper> Bushmills: Error: "access" is not a valid command.
11:07 < Bushmills> !factoids search access
11:07 < vpnHelper> Bushmills: "access-server" is (#1) OpenVPN Access Server (OpenVPN-AS) is a set of installation and maintenance tools which allow for simple and rapid deployment of VPN remote access solutions using OpenVPN open source software. The Access Server allows a network administrator to install and configure a VPN server as well as deploy remote clients., or (#2) There are a number of server configurations
11:07 < vpnHelper> Bushmills: options supported which are a carefully selected subset of a quite large set of possible OpenVPN configurations. Only this subset of configurations is supported by the Access Server., or (#3) http://beta.openvpn.net/index.php/access-server/download-openvpn-as.html
11:08 < Bushmills> how do you know that nothing happens?
11:09 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:12 < FirstSgt> The lan at my office is 192.168.1.* the vpn address pool is 192.168.2.* How do I make my client 192.168.2.8 see samba share @ 192.168.1.117 at office?
11:12 < FirstSgt> I tried adding: push "route 192.168.1.0 255.255.255.0"
11:13 < pooya_> newbie here: openvpn "access server" problem: it makes the tcp connection but nothing happens. I'm running fedora on a vps. tried changing everything still no luck. any suggestions?
11:13 < FirstSgt> But then I started getting this in the log: Tue Nov 24 10:52:39 2009 client1/8.8.2.4:1560 MULTI: bad source address from client [192.168.1.107], packet dropped
11:14 < FirstSgt> pooya_: What are you trying to do? Im assuming since your server is a VPS that you are hosting with someone like godaddy?
11:15 < pooya_> i'm on slicehost, trying to setup a simple vpn, then trying to route internet traffic threw it. for personal use.
11:15 < pooya_> *through
11:16 < FirstSgt> slicehost is good. So you want to be on slicehost's private network?
11:17 < pooya_> FirstSgt: no, just setup my own vpn, and route my internet traffic through the server.
11:17 < FirstSgt> basically you want a proxy
11:17 < pooya_> yeah
11:18 < FirstSgt> have you thought of just setting up socks proxy server?
11:18 < FirstSgt> http://www.hottproxy.org/ (that is good for http proxy)
11:18 < pooya_> FirstSgt: thought i needed a vpn for that
11:19 < FirstSgt> nope.
11:20 < FirstSgt> just have to setup fedora's ip tables and selinux to allow connections on 8080 or 1083 (or whatever you decide to use).
11:20 < m1ke> Bushmills: no its not, without vpn its working
11:20 < pooya_> still would like to setup a vpn though, spent so much time on it! :)
11:20 < FirstSgt> lol, okay
11:21 < pooya_> FirstSgt: any idea what it could be?
11:21 < FirstSgt> lemme review previous log
11:21 < FirstSgt> do you have any error log?
11:22 < FirstSgt> anything in /var/log/messages
11:22 < FirstSgt> is the server running?
11:24 < pooya_> the server is running, there are no detailed error logs on the Admin UI (i'm on access server) i could give u the log from the client. Unless OpenVpn AS puts the error logs somewhere else
11:25 < m1ke> pooya_: ping works?
11:25 < m1ke> on both sides?
11:25 < pooya_> no
11:25 < pooya_> no ping
11:25 < FirstSgt> pooya_: the server.config file specifies log, and log level
11:25 < FirstSgt> its towards the bottom, enable logging & set log level to more v
11:25 < m1ke> try this config: http://wiki.openvpn.eu/index.php/Konfiguration_eines_Internetgateways
11:26 < m1ke> if ping works on both sides
11:26 < m1ke> uncomment redirect-gateway
11:26 < Bushmills> m1ke: my reply was to your question "what could be the problem", not "what is the problem". Therefore, your "no" is wrong :P
11:27 < m1ke> its right because i just said the server is not down ;)
11:27 < pooya_> that is very good, but i'm on "Access Server" it does all the configuration. I just click and go on the Admin UI
11:28 < pooya_> would it be possible to change things manually? I had a openvps normal setup but i removed it cause i couldn't get it to work
11:28 < Bushmills> m1ke: your vpn server ip address is blocked by the server. your non-vpn ipaddress isn't
11:28 < m1ke> theres no firewall rule
11:29 < m1ke> for blocking only 1 site
11:29 < m1ke> its nothing illegal
11:35 -!- bytesaber [n=bytesabe@208.98.188.95] has joined ##openvpn
11:37 < FirstSgt> im still not sure how to make my vpn pool @ 192.168.2.* see the lan dhcp pool @ 192.168.1.*
11:44 < reiffert> FirstSgt: read:
11:44 < reiffert> !route
11:44 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:44 < reiffert> pooya_: no access server support here. Please ask the official AS Support.
11:45 < reiffert> m1ke: AS is $payware. $payware gets $payware support.
11:45 < pooya_> nice
11:45 < pooya_> its not like it work$
11:45 < reiffert> pooya_: blame the author.
11:45 < m1ke> hm?
11:46 < pooya_> thanx for your help everyone
11:46 < reiffert> welcome
11:46 < reiffert> ecrist: u there?
11:47 < reiffert> ecrist: would you please set up chanserv to send a /notice to everyone joining, including "hi, bla bla bla no access server support", thank you.
11:48 < reiffert> maybe together with "most wanted commands: !howto !route !def1 !nat"
11:49 < Bushmills> why not "read the topic", and set topic up accordingly?
11:49 < reiffert> nobody ever reads the topic..
11:49 < FirstSgt> reiffert: i read it, I just dont understand it.
11:50 < Bushmills> why should, if chanserv gives a connect message which instructs to do so, and it is ignored, should any other message not be ignored?
11:52 < Bushmills> one could add to topic instructions how to get voiced :D who fails to read those will stay muted :D
11:52 < FirstSgt> Does it matter that my client's class c subnet is the same as the server's?
11:52 < m1ke> give it one or 2 more days then youll get it
11:53 < m1ke> ;)
11:53 < FirstSgt> e.g. my house address is 192.168.1.* and so is the office with the vpn server.
11:53 < Bushmills> FirstSgt: doesn't matter, as long as you don't connect.
11:55 < FirstSgt> :P
11:56 < Bushmills> in fact, even when you connect, it doesn't matter
11:56 < Bushmills> but, when you try to access machines on the remote network, it matters
11:59 < FirstSgt> I didn't have client-to-client enabled
11:59 < Bushmills> not relevant
12:00 < FirstSgt> I'm using udp instead of txp
12:00 < FirstSgt> s/txp/tcp
12:01 < FirstSgt> should i be using txp?
12:01 < FirstSgt> jeesh
12:01 < FirstSgt> s/txp/tcp
12:01 < Bushmills> not unless there's a very good reason for it
12:05 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:11 -!- m1ke [i=m00h@dyn-89.136.41.20.tm.upcnet.ro] has quit []
12:14 < ecrist> reiffert: I believe it does
12:15 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has left ##openvpn []
--- Log closed Tue Nov 24 12:15:02 2009
--- Log opened Tue Nov 24 12:15:05 2009
12:15 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
12:15 -!- Irssi: ##openvpn: Total of 87 nicks [0 ops, 0 halfops, 0 voices, 87 normal]
12:15 -!- Irssi: Join to ##openvpn was synced in 1 secs
12:15 < ecrist> 12:15 -ChanServ(ChanServ@services.)- [##openvpn] Welcome to ##openvpn. WE DO NOT SUPPORT ACCESS SERVER. Do not post ANY lines to the channel, use http://pastebin.com or something similar. If you're not willing to post your logs and configs to the channel, we're not willing/able to help you. READ THIS MESSAGE!
12:19 < FirstSgt> I guess what I need is an example file for the ccd/clientconfigfile.conf
12:24 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit [Read error: 110 (Connection timed out)]
12:24 -!- buntfalke_ is now known as buntfalke
12:24 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
12:38 -!- pooya___ [n=pooya@94.182.35.98] has joined ##openvpn
12:42 < c99> Does push route not work under --server directive?
12:56 -!- pooya_ [n=pooya@94.182.12.24] has quit [Read error: 110 (Connection timed out)]
13:16 < c99> push "route 10.20.1.0 255.255.255.0" gives "10.20.1.0 gateway 10.20.2.5" in windows route print. Why is the gateway 10.20.2.5 when server ip on tun0 is 10.20.2.1?
13:25 -!- pooya___ [n=pooya@94.182.35.98] has quit []
13:25 -!- ent [n=james@unaffiliated/ent] has joined ##openvpn
13:29 < ecrist> no idea
13:29 < ecrist> you still haven't posted your logs
13:30 < c99> ecrist: I'm not using bridge anymore.
13:30 < c99> ecrist: So what logs do you want?
13:31 * ecrist points to the channel topic
13:31 < c99> The client 10.20.2.6 is now able to ping the openvpn server 10.20.2.254, however not other devices on that net.
13:31 < ecrist> ip_forwarding still enabled?
13:32 < ecrist> does the system you're trying to ping have a route back to the vpn?
13:33 < c99> net.ipv4.ip_forward = 1
13:33 < c99> yes it is enabled.
13:34 < ecrist> ok, and the return path?
13:37 < c99> ecrist: I am able to ping the openvpn server's default gw 10.20.2.254 before i start openvpn, but after I am not.
13:38 < c99> eth0 on the server is 10.20.2.253 and default gw is 10.20.2.254
13:38 < c99> tun0 spawns with 10.20.2.1
13:38 < ecrist> !configs
13:38 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:38 < ecrist> !logs
13:38 < vpnHelper> ecrist: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
13:39 < ecrist> get me those, then I'll answer questions
13:43 -!- c64zottel [n=zestor@62-12-241-132.pool.cyberlink.ch] has joined ##openvpn
13:44 -!- c64zottel [n=zestor@62-12-241-132.pool.cyberlink.ch] has left ##openvpn []
13:44 < c99> sec
13:47 < c99> This is the cfg file: http://pastebin.ca/1685861, this is the log file from openvpn startup: http://pastebin.ca/1685865, the client is able to ping 10.20.2.1(tun0) on the server, it cannot ping 10.20.1.XXX, the client has a route that states 10.20.1.0 gateway 10.20.2.5
13:48 -!- pooya [n=pooya@94.182.38.64] has joined ##openvpn
13:51 < c99> do you need anything else ecrist?
13:54 -!- dazo is now known as dazo_afk 13:56 -!- ent is now known as aftr 13:58 < ecrist> looking now 13:58 < ecrist> c99, the subnet you choose for the VPN should not be in use on your LAN 13:58 < ecrist> you've got comflicting IP spaces. 13:58 < ecrist> use 10.20.3.0 255.255.255.0 13:59 < c99> what does 10.20.2 conflicting with? 13:59 < ecrist> your lan 13:59 < ecrist> you said your eth0 has 10.20.2.249 13:59 < ecrist> 253, sorry 13:59 < c99> ye but I changed that to 10.20.1.249 when I saw one error about it on verb 6 13:59 < ecrist> and default gateway is 254 14:00 < ecrist> you didn't tell me that. I only know what you tell me. 14:00 < c99> sorry 14:00 < c99> eth0 is now 10.20.1.249 gateway 10.20.1.1 14:01 < ecrist> is the VPN client able to ping 10.20.1.249? 14:01 < c99> funny, the client can ping 10.20.1.249 14:01 < c99> yes 14:01 < c99> but not 10.20.1.1 14:01 < c99> and other clients on that segment 14:02 < c99> the server can however do that. 14:02 < ecrist> right 14:02 < ecrist> becuase your other systems are missing the return routte 14:03 < ecrist> they don't know how to get to 10.20.2.0/24, so they're sending the traffic out the default gateway 14:03 < ecrist> you need to setup a route on the default gateway to point that subnet to 10.20.1.249 14:04 < c99> ecrist: So a static route within my firewall 10.20.1.1 that points 10.20.2.0/24 to 10.20.1.249 right? 14:04 < ecrist> yep 14:04 < c99> sec 14:10 < c99> ecrist: Thanks for bearing with me. It works now! 14:11 < c99> However I can only ping 10.20.1.1 and not 10.20.1.201 14:11 < c99> would every single device on 10.20.1.xxx need that static route? 14:13 < c99> 10.20.1.201 is able to ping 10.20.2.6 (the vpn client) 14:16 < c99> ah I needed a return path on the openvpn server as well 14:21 < ecrist> c99 - in the future, it would be much quicker to just give the info we ask for. 
I could have had you running 12 hours ago 14:24 -!- pooya [n=pooya@94.182.38.64] has quit [] 14:40 -!- h3x [n=h3x@mail.wjbcap.com] has joined ##openvpn 14:44 -!- anteaya [n=anteaya@dyn-dsl-to-76-75-113-37.nexicom.net] has joined ##openvpn 14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:47 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit] 14:54 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit [Remote closed the connection] 15:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 15:18 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 15:25 < krzie> hah so the problem was "ROUTES TO ADD OUTSIDE OPENVPN" in my routing doc 15:32 < ecrist> yeah, but you already knew that. ;) 15:33 < krzie> well i know that he should be reading my doc, but i figured it was cause he had no clue why he was using bridge 15:33 < krzie> (so he should be using routing) 15:33 < krzie> openvpn.net should have big letters at the top "DONT USE BRIDGE UNLESS YOU HAVE A LAYER2 PROTO YOU NEED OVER THE VPN" 15:46 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 15:51 < ecrist> krzie: you're depending people knowing what layer 2 is. 15:52 < krzie> right you are 15:52 < ecrist> people can't read an IRC channel topic... 15:52 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 15:53 < SkyX> why i cant run this ? 15:53 < SkyX> [root@centos-server easy-rsa]# ./build-ca 15:53 < SkyX> -bash: ./build-ca: Permission denied 15:53 -!- nooo [n=nooo@unaffiliated/nooo] has quit [] 15:54 < ecrist> because it's probably not set with exec permissions 15:54 < ecrist> SkyX: try this: 15:54 < ecrist> chmod a+x ./build-ca && ./build-ca 15:54 < SkyX> chmod + x ? 15:55 < SkyX> ok tnx its work now 15:56 < ecrist> np 15:56 -!- h3x [n=h3x@mail.wjbcap.com] has quit ["Leaving"] 16:14 < SkyX> what to so here ? 
:D 16:14 < SkyX> do* 16:14 < SkyX> c:\PROGRA~1\OpenVPN\easy-rsa>md keys 16:14 < SkyX> Access is denied. 16:15 < krzie> heh 16:15 < SkyX> cmd as admin have to run :) 16:15 < krzie> and whats md do? 16:15 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn 16:15 < krzie> oh mkdir 16:15 < krzie> just make the dir, lol 16:16 < SkyX> :D 16:17 < SkyX> what does this command do? build-key vpnhome 16:17 < krzie> its all in the howto 16:17 < krzie> and if you're having this much problems with making keys, you're in for a solid few weeks of reading before your vpn works 16:17 < krzie> !howto 16:17 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:17 < SkyX> i am doing this how to http://linkesky.com/blog/?p=43 16:17 < krzie> read that thoroughly 16:18 < krzie> then use for reference: 16:18 < krzie> !man 16:18 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 16:18 < krzie> stop using that 16:18 < krzie> use the howto i just gave you 16:42 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 16:42 < SkyX> krzie: every time when i run vars.bat i get this error Error opening CA private key keys/ca.key 16:42 < SkyX> how to make ca.key ? 16:42 < reiffert> SkyX: you follow the howto. 16:42 < SkyX> vars.bat make ca.key ? 16:42 < krzie> by following the howto 16:43 < krzie> !howto 16:43 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:43 < SkyX> i need howto for windows client 16:43 < krzie> !howto 16:43 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:43 < krzie> \GO READ IT 16:43 < reiffert> !howto 16:43 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 16:43 < SkyX> here is no how to make windows client certificate ? 16:43 < reiffert> or take this one, it was made especially for windows: 16:43 < reiffert> !howto 16:43 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:43 < krzie> lol 16:44 < krzie> no further questions til you read that 16:44 < reiffert> no further answers. 16:44 < krzie> that too =] 16:45 < Hypnoz> is it possible openvpn would block another vpn like pptp from working 16:45 < Hypnoz> i noticed openssl-blacklist is installed, maybe that is stopping pptp? 16:45 < krzie> nope 16:46 < krzie> no idea bout second question 16:46 < Hypnoz> that is installed with openvpn 16:46 < reiffert> answer for 2nd question: nope 16:46 < reiffert> pptp = no openssl involved. 16:46 < krzie> ya pptp doesnt even use openssl 16:46 < Hypnoz> so pptp and openvpn should be able to work fine side by side on the same server 16:46 < reiffert> Hypnoz: yes. 16:46 < reiffert> They even *do* 16:46 < krzie> Hypnoz they have absolutely 0 to do with each other 16:47 < krzie> unless you're doing something generally bad re: networking 16:47 < krzie> like trying to use the same subnet 16:47 < reiffert> even though you can manage to make it all wrong, e.g. when trying to use the same subnet. 16:47 < Hypnoz> yeah 16:48 < Hypnoz> but if they're listening on the same interface it doesn't matter since they listen on different ports, and as long as client IPs don't overlap 16:48 < Hypnoz> it's fine right 16:48 < reiffert> different ports, different protocols. 16:49 < Hypnoz> i got pptp working so i can finally vpn from my iphone to our datacenter. however when i tried to move the exact config over to the openvpn server it doesn't respond 16:49 < Hypnoz> netstat sees the request come in, but basically ignores it 16:49 < reiffert> !factoid search pptp 16:49 < vpnHelper> reiffert: Error: "factoid" is not a valid command. 
16:49 < reiffert> !factoids search pptp 16:49 < reiffert> !factoids search poptop 16:50 < reiffert> !factoids search p 16:50 < Hypnoz> !factoids search boobies 16:50 < reiffert> Hypnoz: pptp != config, they dont share the "exact" config, not even close. 16:50 < reiffert> pptp != openvpn that is 16:51 < Hypnoz> i realize they're different, and was just trying to think why a pptp config on one server wouldn't move to my openvpn server, thinking maybe openvpn might be the issue 16:51 < Hypnoz> was going to try to install openvpn on the working pptp to see if that breaks it 16:52 < reiffert> krzie: !factoids's broken? 16:52 < krzie> !notcompat 16:52 < vpnHelper> krzie: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 16:52 < krzie> no reif, theres just no factoid with those strings in them 16:52 < krzie> !help factoids 16:52 < reiffert> krzie: notcompat got pptp 16:52 < krzie> !factoids help 16:52 < vpnHelper> krzie: Error: The "Factoids" plugin is loaded, but there is no command named "help" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 16:52 < krzie> !list factoids 16:53 < krzie> theres a modifier for that 16:53 < krzie> 1sec 16:53 < krzie> by default factoids search only searches the actual factoid command, not the text inside 16:54 < reiffert> is it possible to change that? 16:54 < krzie> !factoids search --values pptp 16:55 < krzie> im sure it is by modding the code 16:55 < reiffert> !factoids search not 16:55 < reiffert> factoid's broken. 16:55 < reiffert> not as in notcompat 16:55 < krzie> i think you killed him 16:55 < krzie> hes not pinging 16:55 < reiffert> !factoids help 16:55 < vpnHelper> reiffert: Error: The "Factoids" plugin is loaded, but there is no command named "help" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 
16:55 < reiffert> but he's still here... 16:56 < reiffert> vpnHelper: die now. 16:56 < vpnHelper> reiffert: Error: "die" is not a valid command. 16:56 < reiffert> vpnHelper: factoids search a 16:56 < reiffert> vpnHelper: factoids search a* 16:56 < reiffert> vpnHelper: factoids search a?? 16:56 < reiffert> vpnHelper: factoids search notcompat 16:56 < reiffert> vpnHelper: buh 16:56 < vpnHelper> reiffert: Error: "buh" is not a valid command. 16:56 < reiffert> vpnHelper: notcompat a bc foo 16:57 < reiffert> vpnHelper: notcompat 16:57 < vpnHelper> reiffert: Error: "notcompat" is not a valid command. 16:57 < vpnHelper> reiffert: "notcompat" is (#1) ipsec and pptp are NOT compatibile with openvpn... openvpn is uses SSL, pptp and ipsec both use proprietary protocols, and therefor CAN NOT be compatible, or (#2) openvpn only connects to openvpn 16:57 < reiffert> vpnHelper: restart life. 16:57 < vpnHelper> reiffert: Error: "restart" is not a valid command. 16:59 -!- nubix [n=asd@92.76.180.122] has joined ##openvpn 17:14 -!- nubix [n=asd@92.76.180.122] has quit [] 17:14 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 17:16 < krzie> !factoids search --values pptp 17:18 < krzie> !factoids search ##openvpn --values pptp 17:21 < krzie> !factoids search ##openvpn --values notcompat 17:21 < krzie> !factoids search --values notcompat 17:21 < krzie> !factoids search notcompat 17:21 < reiffert> !factoids search factoids 17:22 < krzie> ya search seems broked 17:23 -!- le0_ [n=itsle0@82.16.123.181] has quit [Read error: 110 (Connection timed out)] 17:28 < SkyX> how can i run openvpn clien on win7 if i dont have .ece to run ? 17:29 < reiffert> get one. 17:32 -!- cyrus_mc [n=cyrus@24.21.18.104] has joined ##openvpn 17:33 < cyrus_mc> is there a way to require a username and password in combination with a certificate to authenticate a user? 
17:33 < reiffert> cyrus_mc: see here: 17:33 < reiffert> !howot 17:33 < vpnHelper> reiffert: Error: "howot" is not a valid command. 17:33 < reiffert> !howto 17:33 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 17:33 -!- jeiworth [n=jeiworth@189.177.22.63] has quit [Read error: 60 (Operation timed out)] 17:38 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 145 (Connection timed out)] 17:42 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:42 < krzie> !factoids search auth 17:42 < krzie> bleh 17:42 < krzie> 1min 17:42 < krzie> !man 17:42 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:42 < krzie> cyrus_mc yes 17:43 < krzie> --auth-user-pass-verify script method 17:43 < krzie> Require the client to provide a username/password (possibly in addition to a client certificate) for authentication. 
17:43 < krzie> note, scripts can verify from ANY way you can script 17:43 < krzie> there exist scripts to do it via pam for sure 17:43 < krzie> likely some for DB auth 17:44 < krzie> etc etc 17:44 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 17:48 -!- oc80z [i=oc80z@blea.ch] has quit [Remote closed the connection] 17:50 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 17:53 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 18:09 -!- Hink [n=Hink@71.164.255.85] has joined ##openvpn 18:15 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has quit [Read error: 54 (Connection reset by peer)] 18:15 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has joined ##openvpn 18:18 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 18:19 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 18:23 -!- master_o1_master [n=master_o@84.157.125.210] has joined ##openvpn 18:25 -!- jeiworth [n=jeiworth@189.163.172.123] has joined ##openvpn 18:28 -!- vvoois__ [n=vvoois@95-36-35-62.dsl.alice.nl] has joined ##openvpn 18:28 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has quit [Read error: 54 (Connection reset by peer)] 18:35 -!- master_of_master [i=master_o@p549D7DCF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:48 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 19:00 -!- jeiworth_ [n=jeiworth@189.163.173.78] has joined ##openvpn 19:08 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 19:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 19:14 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:15 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 145 (Connection timed out)] 19:15 -!- jeiworth [n=jeiworth@189.163.172.123] has quit [Read error: 110 (Connection timed out)] 19:26 -!- jeiworth [n=jeiworth@189.163.173.78] has joined ##openvpn 19:29 -!- Rolybrau 
[n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 19:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 19:30 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Remote closed the connection] 19:31 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)] 19:41 -!- jeiworth_ [n=jeiworth@189.163.173.78] has quit [Connection timed out] 19:45 -!- Hink [n=Hink@71.164.255.85] has quit [Remote closed the connection] 19:48 -!- jeiworth_ [n=jeiworth@189.163.165.159] has joined ##openvpn 20:00 -!- jeiworth [n=jeiworth@189.163.173.78] has quit [Connection timed out] 20:08 -!- jeiworth_ [n=jeiworth@189.163.165.159] has quit [Connection timed out] 20:12 -!- jeiworth [n=jeiworth@189.163.174.7] has joined ##openvpn 20:15 -!- anteaya [n=anteaya@dyn-dsl-to-76-75-113-37.nexicom.net] has quit ["Ex-Chat"] 20:15 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 20:17 -!- jeiworth_ [n=jeiworth@189.163.172.98] has joined ##openvpn 20:31 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn 20:32 -!- jeiworth [n=jeiworth@189.163.174.7] has quit [Connection timed out] 20:36 -!- teratoma [n=teratoma@69.172.135.243] has joined ##openvpn 20:37 < theDoc> funny how some people think that openvpn is unix only. 20:38 < theDoc> evidently, some people need to rtfm before running their mouth off >:( 21:07 < Optic> I am very happy with my tunnelblick :) 21:08 < theDoc> I'm pretty happy with viscosity 21:10 < Optic> oooh is that more modern? 21:11 < Optic> looks pretty 21:12 < theDoc> It just looks pretty 21:12 < theDoc> :D 21:12 < Optic> hehe 21:12 < theDoc> and boy, why is it so hard to convince people that they need to encrypt their traffic? 
21:12 < theDoc> :\ 21:12 < Optic> tunnelblick is kind of back to life with the sourceforge project 21:12 < theDoc> oh nice, but they need to work on the design 21:13 < Optic> yeah 21:13 < Optic> i think they've been focussing on just keeping up with various mac api changes 21:14 < theDoc> true that and they need a better looking font 21:14 < theDoc> Optic> any idea why it's so hard to convince people to secure their data? 21:14 < Optic> hmmm 21:14 < Optic> because it's a pain and reduces performance 21:14 < Optic> and isn't really required all the time 21:15 < Optic> also it's like backups, you don't feel like you need them until you've lost everything a couple times 21:15 < Optic> I use FileVault on my mac, which is nice 21:15 < theDoc> Optic> I'm not sure why pressing in a user/pass is a pain and performance reduction is minimal as well. 21:16 < theDoc> One of these days, I'm going to sit around in my neighborhood and break wifi points. 21:16 < theDoc> >:| 21:16 < Optic> hehe 21:16 < theDoc> Optic> I just feel that people are taking this whole "digital" thing too lightly. 21:17 < Optic> yeah, they are 21:17 < theDoc> Maybe it stems from the fact that I sniff traffic at work :p 21:17 < Optic> exec on my company store all sorts of sensitive shit on their laptops with no crypto at all 21:17 < Optic> if they lose it or get it stolen, they're in trouble 21:17 < theDoc> and it's kind of scary but you get to see entire loads of porn and shit flying across the network in plaintext. 21:17 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: vlt, julius, lkthomas, odonata, |Mike|, disco-, jeiworth_, Rolybrau, mrnice1, Typone, (+16 more, use /NETSPLIT to show all of them) 21:17 < theDoc> Optic> wireshark + network miner = no data is safe unless it's encrypted. 
21:18 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 21:18 < Optic> hehe 21:18 -!- Netsplit over, joins: cyrus_mc, |Mike|, Typone, disco-, kala, bandini, APTX|, julius, endre, lkthomas (+1 more) 21:18 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 21:19 < theDoc> Optic> yeah, client hung. 21:19 < theDoc> where was i? :p 21:19 < Optic> ranting :) 21:19 < Optic> hehe 21:19 < theDoc> Optic> and also, the other use of the vpn :P torrenting 21:19 < theDoc> >:) 21:20 < theDoc> although it would be nice to see wide spread encryption 21:20 < Optic> so have you ever tried to cluster openvpn servers while maintaining static ips for the clients? :) 21:21 < theDoc> Optic> I'm working on something like that right now. 21:21 < theDoc> Except it's with access server. 21:21 < Optic> i will be soon 21:21 < theDoc> Optic> what do you do which requires a cluster of openvpn servers? 21:21 < Optic> we have an old brittle server that has our 300+ openvpn clients connecting to it 21:22 -!- dli [n=dli@66.49.226.142] has quit [Connection timed out] 21:22 < theDoc> Optic> running a vpn business? :p 21:22 < Optic> nah, a digital signage business 21:22 -!- dli [n=dli@66.49.226.142] has joined ##openvpn 21:23 < theDoc> ah, digital signage. 21:23 < Optic> each player machine calls home using openvpn 21:23 < theDoc> Oh nice. 21:23 < Optic> it's easy because it lets us manage machines through all sorts of bizzaro client network configurations 21:24 < theDoc> Yeah 21:24 < Optic> openvpn is good at dealing with nat and firewalls and dynamic ips and all sorts of bullshit ;) 21:24 < theDoc> Tell me about it 21:24 < theDoc> i use it for torrents heavily 21:24 < theDoc> >:) 21:24 < Optic> we had one location where we had to use it in tcp mode 21:25 < theDoc> Optic> Didn't that turn it into shit? 21:25 < theDoc> Optic> and how do you run tcp and udp concurrently? 
21:25 < Optic> two different servers on different ports :) 21:25 < Optic> different ip range 21:26 < theDoc> Oh yeah, that. 21:26 < theDoc> That seems to be my solution too 21:35 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn 21:48 -!- jeiworth [n=jeiworth@189.163.134.88] has joined ##openvpn 22:00 -!- oc80z_ [n=oc80z@priv.efnet.pe] has quit [Read error: 60 (Operation timed out)] 22:01 -!- oc80z [n=oc80z@88.198.2.173] has joined ##openvpn 22:08 -!- jeiworth_ [n=jeiworth@189.163.135.200] has joined ##openvpn 22:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 22:13 -!- jeiworth [n=jeiworth@189.163.134.88] has quit [Read error: 145 (Connection timed out)] 22:19 -!- m3thos [n=mindblas@bl12-179-119.dsl.telepac.pt] has joined ##openvpn 22:29 -!- jeiworth [n=jeiworth@189.163.184.71] has joined ##openvpn 22:32 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Read error: 131 (Connection reset by peer)] 22:37 -!- jeiworth__ [n=jeiworth@189.163.134.37] has joined ##openvpn 22:39 -!- jeiworth [n=jeiworth@189.163.184.71] has quit [Read error: 60 (Operation timed out)] 22:41 -!- jeiworth_ [n=jeiworth@189.163.135.200] has quit [Read error: 110 (Connection timed out)] 22:42 -!- jfkw [n=jtk@24.216.241.93] has quit ["leaving"] 22:44 -!- bar_code [n=ollo@124.64.96.84] has joined ##openvpn 22:58 -!- m3thos [n=mindblas@bl12-179-119.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 23:06 -!- m3thos [n=mindblas@bl6-77-246.dsl.telepac.pt] has joined ##openvpn 23:14 -!- bar_code [n=ollo@124.64.96.84] has left ##openvpn [] 23:15 -!- aftr [n=james@unaffiliated/ent] has quit [] 23:27 -!- Bushmills [n=Bushmill@88.198.39.174] has joined ##openvpn 23:36 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn 23:53 -!- todd_dsm [n=todd_dsm@66.43.220.149] has joined ##openvpn 23:57 -!- jeiworth__ [n=jeiworth@189.163.134.37] has quit [Read error: 110 (Connection timed out)] --- Day changed Wed Nov 25 2009 00:02 -!- m3th0s 
[n=mindblas@85.240.54.1] has joined ##openvpn 00:06 -!- m3thos [n=mindblas@bl6-77-246.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 00:08 < cyrus_mc> /quit/quit 00:08 -!- cyrus_mc [n=cyrus@24.21.18.104] has quit ["leaving"] 00:21 -!- hyper_ch [n=hyper@adsl-89-217-34-217.adslplus.ch] has quit [Remote closed the connection] 00:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 00:27 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 00:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 00:27 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 00:27 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 00:27 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn 00:28 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 00:28 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 00:28 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 00:28 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 00:28 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn 00:31 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:51 < Bushmills> "Do not post ANY lines to the channel.... If you're not willing to post your logs and configs to the channel, we're not willing/able to help you." sort of contradictory. 00:52 < teratoma> they mean stick it in Pastebin 00:57 < krzee> ya it should say paste instead of post 01:07 -!- hyper_ch [n=hyper@142-75.1-85.cust.bluewin.ch] has joined ##openvpn 01:23 -!- dazo_afk is now known as dazo 01:32 -!- Zyclops [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has joined ##openvpn 01:33 < Zyclops> hey all.. is it possible to setup openvpn with the system users on ubuntu? 
01:34 -!- ent [n=james@unaffiliated/ent] has joined ##openvpn 01:36 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 01:44 -!- ent [n=james@unaffiliated/ent] has quit [] 02:05 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:14 < dazo> Zyclops: don't recall exactly, but I believe if the init script finds the proper config file in /etc/openvpn, it will be possible to start openvpn during boot 02:16 -!- Zyclops [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has quit [Remote closed the connection] 02:22 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has joined ##openvpn 02:22 < maxagaz> hi 02:24 < maxagaz> When I start OpenVPN (Ubuntu Linux), it rturns "* openvpn (OK)" and "* client (FAILED)", and it works, so why does it return client (FAILED) ? 02:24 < reiffert> what exactly is "it"? 02:31 < renihs> sounds like an ubuntu approach for a "smart" init script to me? :) 02:32 < renihs> sounds like starting server + client or something 02:36 < dazo> It's Ubuntu .... Some say Ubuntu is Afrikaan for: I'm not able to install Debian .... some say it is for: It works for me, it should work for you too .... some say it is for: Unexpected experiences .... 02:40 < renihs> its odd 02:40 < renihs> to sumarize :) 02:46 < dazo> :) 02:49 * dazo imagines that in a few years .... Ubuntu will become more used in our daily lives, just like "google" .... Like "I googled for blabla" (==I searched for blabla on the Internet) ... and "I got so ubuntued!" 
(==I just experienced something absolutely absurd) 02:49 < hyper_ch> maxagaz: that's how I set it up on 9.04: http://tinyurl.com/yl554ow 02:56 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 02:58 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 03:01 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn 03:03 < yoshx> hello 03:12 -!- wild_oscar [n=malmeida@bl6-75-66.dsl.telepac.pt] has joined ##openvpn 03:13 < wild_oscar> !route 03:13 < vpnHelper> wild_oscar: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:13 < wild_oscar> !redirect 03:13 < vpnHelper> wild_oscar: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 03:15 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 03:17 -!- CoffeeIV_ [n=CoffeeIV@99.66.63.225] has quit [Read error: 104 (Connection reset by peer)] 03:21 < wild_oscar> perhaps I'm not understanding things correctly. is there anything besides push "route 192.168.1.0 255.255.255.0" that should be configured so that clients can see computers on the 192.168.1.0 network? 03:21 < wild_oscar> I am connected to the vpn, I can ping 10.8.0.1 but I can't ping any 192.168 IP 03:45 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 03:57 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:05 -!- salax [n=salax@219.95.96.90] has joined ##openvpn 04:05 < salax> guys, i have several simple question here, why people need vpn? and what does vpn do exactly? and what are the tools/software recommended for vpn? both in windows and open source.. 04:10 < reiffert> wild_oscar: what might be missing is the route back, so that answers to a ping packet an make their way back to the vpn client. 
04:10 -!- Zyclops [n=BladyBla@eth14983.sa.adsl.internode.on.net] has joined ##openvpn 04:11 < wild_oscar> reiffert: like configuring the iptables of the 192.168.... computer I am pinging to be aware of the 10.8... network? 04:12 < reiffert> yes. 04:12 < dazo> salax: if you have two remote sites of one company, if you want to connect their networks and keep the network "private" (not allowing packet sniffers to read the traffic), VPN is the best solution 04:13 < salax> dazo, ok, is it the same as Intranet? 04:13 < reiffert> :) 04:13 < dazo> salax: if you have a laptop and want to connect securely (keeping a "private" network access) working on a remote network, just as you were located on the network ... VPN again solves that 04:14 < wild_oscar> hmm...I might be able to work out with an easier setup. all I really want right now is to access a specific port on a computer; I might be able to achieve that with an iptables entry 04:14 < dazo> salax: yeah, you could say that .... but all connection between the different "nodes" are usually encrypted .... but it don't need to be. But most people want to have privacy when setting up VPN 04:15 < wild_oscar> can this achieve what I want: iptables -t nat -A PREROUTING -p tcp -d 192.168.10.102 --dport 9999 -j DNAT --to 192.168.10.104:8080 ? 04:15 < dazo> salax: you have a lot of solutions available, OpenVPN is probably one of the most versatile and flexible solutions, which is not very much intrusive on the servers and clients. It's a small application and usually works very well ... but because it is so versatile, you can do simple tasks and very advanced things with it 04:16 < wild_oscar> right now trying to achieve it out of the scope of VPN - just want 192.168.10.102:9999 to forward me to 104:8080 04:17 < dazo> salax: other popular solutions are IPsec based VPN's ... Of open source based IPsec solutions, Free/SWAN is one popular (iirc) .... Microsoft ships PPTP VPN with Windows .... 
but I don't know much about those solutions 04:18 < dazo> salax: but those other VPN solutions (which is not simple SSL based VPNs) need to have parts of the VPN connection into kernel space, while pure SSL based VPNs just need a simple tunnelling network device (tun.ko on Linux, f.ex) 04:19 < dazo> salax: Have a look here for more info about VPN ... http://en.wikipedia.org/wiki/VPN 04:19 < salax> dazo, thanks for the heads up.. appreciate it.. let say i want to tunnel to my desktop in other place, openvpn can do this? is it like vnc? 04:20 < dazo> salax: it is not like VNC at all. VPN provides a kind of a secure "network cable" between your computer and the desktop computer ... and you can then run VNC over that network cable 04:21 < salax> dazo, oh, now i understand.. it is like a different connection to one place rather than the normal connection, is it? 04:21 < dazo> salax: in this situation, VNC don't need to be available from the internet .... you only need to allow your firewall to allow VPN connections. And then when the VPN connection is established, the firewall can allow internal hosts on its network to be accessible via the VPN 04:22 < dazo> salax: yeah, it is a different connection to the internal network .... but this connection usually have some kind of authentication and security layers to only allow selected persons access 04:22 < salax> dazo, thank you for the broad explanation! 04:23 < salax> now it gives me some idea and i want to implement this to my home network 04:23 < dazo> salax: you're welcome! http://www.redline-software.com/eng/support/docs/winroute/_img/vpn-scheme.png .... here is a little graphic explanation 04:24 < salax> ok, thank you sir 04:24 < dazo> salax: and in this picture .... those "pipes" allow access to the internal network on "Company HQ" ... while others on the "outside" of the tunnel, will be blocked by the firewalls 04:25 < salax> owh.. 
nice 04:25 -!- salax [n=salax@219.95.96.90] has quit ["Leaving"] 04:25 < dazo> if you see the branch office, having IP address 192.168.1.0/255.255.255.0 .... they can only access the other private networks (10.1.1.0/24 and 10.1.2.0/24) via the VPN tunnel 04:26 < dazo> and vice versa 04:26 < dazo> well, he missed some info now 04:27 < dazo> hopefully he got it 04:37 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Remote closed the connection] 04:38 -!- Zyclops [n=BladyBla@eth14983.sa.adsl.internode.on.net] has left ##openvpn ["Leaving"] 04:40 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 04:43 -!- le0 [n=itsle0@82.16.123.181] has joined ##openvpn 05:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 05:09 -!- c99 [n=c99@83.136.90.2] has quit [Read error: 110 (Connection timed out)] 05:09 -!- c99 [n=c99@83.136.90.2] has joined ##openvpn 05:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 05:25 -!- sigius [n=sigius@93.125.185.45] has joined ##openvpn 05:31 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 05:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 05:42 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has quit ["Ex-Chat"] 05:53 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 06:00 -!- Lyndon [n=late@savolaiset.fi] has quit [Read error: 60 (Operation timed out)] 06:00 -!- Lyndon [n=late@savolaiset.fi] has joined ##openvpn 06:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 06:24 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 06:32 -!- le0 [n=itsle0@82.16.123.181] has quit ["Leaving"] 06:51 -!- le0 [n=itsle0@83.138.128.243] has joined ##openvpn 06:55 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:01 -!- corretico 
[n=laguilar@201.201.46.106] has joined ##openvpn 07:12 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 07:22 -!- hyper__ch [n=hyper@106-149.106-92.cust.bluewin.ch] has joined ##openvpn 07:22 -!- hyper_ch [n=hyper@142-75.1-85.cust.bluewin.ch] has quit [Nick collision from services.] 07:29 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 07:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 07:44 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Read error: 60 (Operation timed out)] 07:48 -!- hyper__ch [n=hyper@106-149.106-92.cust.bluewin.ch] has quit [Remote closed the connection] 07:52 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:57 < ecrist> good morning 07:59 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn 08:06 -!- mort_gib [n=mjensen@83.36.63.16] has joined ##openvpn 08:11 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:40 -!- hyper_ch [n=hyper@adsl-89-217-34-217.adslplus.ch] has joined ##openvpn 09:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:12 < dazo> good afternoon! 09:19 -!- hyper__ch [n=hyper@89.217.204.148] has joined ##openvpn 09:19 -!- hyper_ch [n=hyper@adsl-89-217-34-217.adslplus.ch] has quit [Nick collision from services.] 
09:19 -!- hyper__ch is now known as hyper_ch
09:21 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:27 -!- nubix [n=asd@dslb-092-076-180-122.pools.arcor-ip.net] has joined ##openvpn
09:27 -!- nubix is now known as x41414141
09:27 -!- x41414141 is now known as nubix
09:29 -!- nubix [n=asd@dslb-092-076-180-122.pools.arcor-ip.net] has left ##openvpn []
09:30 -!- nubix [n=asd@92.76.180.122] has joined ##openvpn
09:30 -!- nubix is now known as x41414141
09:30 -!- x41414141 is now known as nubix
09:31 -!- nubix [n=asd@92.76.180.122] has left ##openvpn []
09:31 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Connection timed out]
09:33 -!- epaphus [n=unix3@190.10.68.228] has quit ["Leaving"]
09:45 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn
09:45 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:50 < yoshx> hello
09:55 -!- le0 [n=itsle0@83.138.128.243] has quit ["Leaving"]
09:55 -!- mort_gib [n=mjensen@83.36.63.16] has quit ["Leaving"]
09:57 < ecrist> hi, yoshx
09:57 -!- Irssi: ##openvpn: Total of 85 nicks [0 ops, 0 halfops, 0 voices, 85 normal]
10:23 -!- wild_oscar [n=malmeida@bl6-75-66.dsl.telepac.pt] has left ##openvpn []
10:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:28 -!- keylocker [n=keylocke@unaffiliated/leleobhz] has joined ##openvpn
10:28 < keylocker> hello
10:29 < keylocker> i want to configure my openvpn service to use certificates
10:29 < keylocker> i have my root keys created from CACert and everything is ok
10:29 < ecrist> ok
10:30 < keylocker> the issue is. im a cacert assurer, so my key has my name in CN
10:30 < keylocker> a new user of CACert has in CN the name WoT User
10:30 < keylocker> because the user wasnt assured yet
10:30 < keylocker> and their name in another field (i think is E=)
10:31 < ecrist> OK. OpenVPN, unless you're doing things with CCD entries, doesn't really care what is in the CN
10:31 < keylocker> this is the point
10:31 < keylocker> if i dont use ccd entries, everyone with cacert key can use vpn
10:31 < keylocker> so im using ccd-dir and ccd-enforcement
10:31 < keylocker> and manually creating the files with configs...
10:32 < keylocker> but like i said, openvpn checks field CN
10:32 < keylocker> and CN field for new users of cacert is WoT User
10:32 < ecrist> if you have a signing certificate issued by cacert, only keys following your ca chain should be allowed
10:32 < keylocker> so i need to compare another field
10:32 < ecrist> not all keys, since they wouldn't be part of the complete chain.
10:32 < ecrist> which means you'd have to sign those keys.
10:33 < keylocker> but i need a config for each key
10:33 < ecrist> keylocker: you can execute a script for each connection and pull data from other certificate fields to ascertain whether they're authorized or not
10:34 < keylocker> so ill not use ccd-dir
10:34 < keylocker> instead ill use ccd-enforcement with ccd-script
10:35 < keylocker> and it will check using a shell script (eg.) to verify key authenticity?
10:35 < ecrist> yep
10:35 -!- Niglatz_89 [n=Niglatz_@91.7.40.187] has joined ##openvpn
10:35 < keylocker> will openvpn validate the key before this script?
10:35 < ecrist> yes
10:35 < Niglatz_89> hello, does anyone here understand German?
10:35 < keylocker> to check if the key password will match, as example?
10:35 < ecrist> Niglatz_89: english, only, please
10:35 < ecrist> keylocker: yes
10:35 < Niglatz_89> o, i will test my english, but it is very bad
10:36 < keylocker> ecrist: last. I see in ccd documentation the unique parameter passed to script is some variables and the CN in $1
10:36 < ecrist> it verifies the SSL then determines, through that script, whether they're allowed to connect.
10:36 < keylocker> correct?
10:36 < keylocker> hmmm
10:36 < ecrist> yes, but you need to confirm in the documentation
10:36 < ecrist> !beta-man
10:36 < vpnHelper> ecrist: Error: "beta-man" is not a valid command.
10:36 < ecrist> !betaman
10:36 < vpnHelper> ecrist: "betaman" is http://www.openvpn.net/man-beta.html
10:36 < ecrist> for 2.1
10:36 < keylocker> so if i check using fingerprint of key, openvpn will check the key to see if it works and after this it will run my script
10:36 < ecrist> Niglatz_89: bad english is OK. ;)
10:36 < keylocker> right?
10:37 < ecrist> yes
10:37 < keylocker> hmmm
10:37 < keylocker> hard to do, but ill try to do something
10:37 < Niglatz_89> i need a VPN client (in German), and i would say that only the partition "F" is available for VPN
10:37 < ecrist> is partition 'F' a hard disk?
10:38 < Niglatz_89> i have 1 hard disk and 5 partitions
10:38 < ecrist> OK
10:38 < ecrist> so, you want a VPN client to have access to partition F?
10:38 < keylocker> thanks
10:38 < ecrist> is that a samba share?
10:38 < ecrist> np, keylocker
10:38 < Niglatz_89> yes
10:39 < ecrist> OK. The easiest way to do that is to simply provide a VPN connection to all partitions, and provide partition level security to restrict which users have access to which partition.
10:43 < Niglatz_89> do you have german software for that?
10:44 < Niglatz_89> i have used google, and it said that there is a VPN-Client and a VPN-Server
10:48 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has left ##openvpn ["Leaving"]
10:54 < ecrist> Niglatz_89: this is a channel for OpenVPN. that's all we have. nothing really german or english about it...
10:55 < Niglatz_89> so Open VPN is a client?
10:57 < dazo> client and server, depending on your config file
10:58 -!- dazo is now known as dazo_afk
11:13 < teddymills> can openvpn in client mode connect to other vpn servers other than openvpn?
11:16 < Bushmills> only if those other vpn servers are openvpn compatible
11:33 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
11:37 -!- Niglatz_89 [n=Niglatz_@91.7.40.187] has quit ["Verlassend"]
11:39 -!- Hypnoz [n=colin@66.104.252.161] has joined ##openvpn
11:40 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
11:46 < Hypnoz> is anyone familiar with pptp? I can only hit stuff in the /24 that my client IP is in. Am I able to push a route to get out?
11:47 < Hypnoz> or would I have to set the vpn as my default gateway while connected
11:49 < julius> THIS IS OPENVPN! *kick*
11:50 < |Mike|> no it's not.
12:00 -!- ikla [n=lbz@c-75-71-89-108.hsd1.co.comcast.net] has joined ##openvpn
12:00 < ikla> how do I stop openvpn from inactivity timeouts?
12:01 -!- keylocker [n=keylocke@unaffiliated/leleobhz] has quit ["leaving"]
12:01 < ecrist> Hypnoz: see the man page for OpenVPN to push routes
12:01 < ecrist> !man
12:01 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:11 < Hypnoz> ecrist: I know how to do it in openvpn, but i have pptp running on the same server, and can't push routes using that protocol
12:11 < Hypnoz> or haven't figured out how. and there's no #pptp
12:12 < ecrist> ah, sorry, we don't support PPTP in here.
12:13 < Hypnoz> you're speaking for everyone?
12:13 < ecrist> I'm speaking for the channel.
12:14 < Hypnoz> I think I've helped enough people with openvpn issues over the last few months that I'm allowed to ask a pptp question
12:22 -!- dli [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
12:22 -!- dli [n=dli@66.49.226.142] has joined ##openvpn
12:29 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:47 * Bushmills thinks he has helped enough old ladies across the road that he's allowed to rob their handbags now.
12:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:12 -!- jeiworth [n=jeiworth@189.234.7.136] has joined ##openvpn
13:13 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Read error: 104 (Connection reset by peer)]
13:14 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
13:20 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn
13:40 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
13:47 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:57 -!- master_o1_master is now known as master_of_master
14:05 -!- jeiworth_ [n=jeiworth@189.234.7.136] has joined ##openvpn
14:07 -!- zamba_ [i=marius@flage.org] has joined ##openvpn
14:07 -!- ikla_ [n=lbz@c-75-71-89-108.hsd1.co.comcast.net] has joined ##openvpn
14:07 -!- zamba [i=marius@flage.org] has quit [Remote closed the connection]
14:07 -!- jeiworth [n=jeiworth@189.234.7.136] has quit [Dead socket]
14:08 -!- ikla [n=lbz@c-75-71-89-108.hsd1.co.comcast.net] has quit [Remote closed the connection]
14:17 -!- ikla_ [n=lbz@c-75-71-89-108.hsd1.co.comcast.net] has left ##openvpn ["Leaving"]
14:24 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn
14:25 < coil> !logs
14:25 < vpnHelper> coil: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:25 < coil> !configs
14:25 < vpnHelper> coil: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:26 < coil> !interface
14:26 < vpnHelper> coil: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
14:26 < ecrist> wow, someone can read the topic
14:26 < ecrist> gold star goes to coil
14:27 < coil> hmm
14:27 < coil> !iporder
14:27 < vpnHelper> coil: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
14:28 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
14:30 < coil> when using redirect-gateway, it says to push "dhcp-option DNS 10.69.0.1" even though i dont have a dns running on my server (what im saying is, dns doesn't work while connected to the vpn)
14:32 < ecrist> coil, you need to make a DNS server available. the VPN shouldn't over-ride your LAN DNS, since it's a lower metric, unless your LAN dns is pointing further away.
14:33 < coil> ecrist so even using something like 4.2.2.2 wont work?
14:33 < coil> should i just setup my server to have a dns forwarder or something?
14:33 < ecrist> it could
14:33 < ecrist> yes, I would recommend doing so
14:33 < coil> ok well i tried 4.2.2.2 and no luck :P
14:33 < coil> should i just setup bind to listen on that ip (10.69.0.1)
14:40 < coil> no luck
14:42 < ecrist> coil - make certain you're pushing the DNS, your firewall isn't blocking it.
14:42 < Bushmills> coil, has your vpn server been set up to route external addresses to internet? through NAT, masquerading, or the like?
14:42 < ecrist> on windows, you can overwrite the DNS without any additional scripts. DNS updates from OpenVPN on Linux, BSD, or Mac, requires a shell script client-side to perform the update.
14:43 < coil> http://ztecwiz.pastebin.com/m4d49547c - client log, http://ztecwiz.pastebin.com/m6d55c6ff - ipconfig on client, http://ztecwiz.pastebin.com/m709986b9 - server config/ifconfig
14:43 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
14:44 < coil> Bushmills i setup (i think) nat on pf on fbsd
14:44 < Bushmills> therefore, you can, say, ping external ip addresses?
14:44 < coil> ping external ip addresses on the vpn?
14:45 < coil> no i cannot
14:45 < Bushmills> run ping on the lan machine where bind runs, and ping something on internet, like google
14:46 < coil> yes i can ping google fine on the server
14:46 < Bushmills> hm .. if you can't ping from that machine, it is unlikely that your recursive bind can contact other dns
14:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
14:47 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:52 -!- polo [n=polo@c-76-104-77-15.hsd1.va.comcast.net] has joined ##openvpn
14:53 < polo> i am getting this error
14:53 < polo> sudo openvpn --config /home/polo/Desktop/Canada
14:53 < polo> Options error: You must define TUN/TAP device (--dev)
14:53 < polo> can anyone help?
14:54 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
14:54 < Bushmills> polo: what does lsmod |grep tun show?
14:55 < polo> tun 18820 1
14:56 < Bushmills> add dev tun to your client config
14:56 < polo> I may be doing something noobish I am not sure
14:56 < polo> ok at the top?
14:56 < Bushmills> where it looks nice
14:57 < polo> it says dev tap at the top
14:57 < polo> in config
14:57 < Bushmills> why?
14:57 < polo> not sure
14:57 < polo> should I change to tun
14:57 < Bushmills> unless you know why you want to use tap, yes
14:58 < polo> yeah its same error
14:59 < polo> my config has a cert file too does that matter?
14:59 < Bushmills> what does ifconfig tun show?
14:59 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:59 < Bushmills> no, not related to cert
15:00 < polo> error fetching interface
15:00 < polo> device not found
15:00 < polo> ifconfig tun up maybe?
15:01 < Bushmills> nope. just wanted to make sure that no tun interface is defined for another tunnel
15:01 < polo> i should try to execute like openvpn --config /home/user/Desktop/Canada correct
15:02 < polo> ?
15:02 -!- eigma [n=eigma@scesoc.engsoc.carleton.ca] has joined ##openvpn
15:02 < eigma> are there any patches out there for STUN support in OpenVPN (udp mode of course)?
15:02 < Bushmills> /home/user/Desktop/Canada is the config file you just modified for tun?
15:03 < polo> yes the file i got from VPN provider
15:04 < krzie> polo
15:04 < krzie> if --config is the ONLY arg you can drop it
15:04 < polo> yes
15:04 < krzie> so sudo openvpn
15:05 < krzie> eigma, no but i have put something similar to what you may be thinking of in the ovpn forum requests
15:05 < krzie> !forum
15:05 < vpnHelper> krzie: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
15:05 < krzie> http://www.ovpnforum.com/viewtopic.php?f=10&t=141&sid=0fc818b069aaa1b3a5c5f1a64670fb48
15:06 < polo> Error opening configuration file: Canada
15:06 < krzie> is that a dir?
15:06 < krzie> or a ovpn config file
15:06 < polo> ok so just drop the --config
15:07 < polo> a dir
15:07 < krzie> sudo openvpn /path/to/config.file
15:09 < polo> ok getting somewhere
15:09 < polo> You must define CA file (--ca) or CA path (--capath)
15:09 < krzie> take a look at my configs
15:09 < krzie> !sample
15:09 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:11 < polo> man thanks but that doesnt help me much
15:11 < polo> maybe if I show you my configs
15:11 < krzie> sure
15:11 < krzie> but you likely didnt use --ca
15:12 < polo> well can you tell me how please
15:12 < krzie> i showed you how i used it
15:12 < polo> i am using a vpn provider
15:12 < krzie> they should have provided you with the needed files
15:12 < krzie> as well as a config file
15:12 < polo> i have the .ovpn file and the cert
15:13 < polo> ok let me try to add the ca portion
15:13 < krzie> "the cert" should be a ca.crt client.cert client.key
15:13 < krzie> everything shown in the howto...
15:13 < krzie> !howto
15:13 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:16 < krzie> but really i'd expect the provider to help you since they supplied the config/keys
15:16 < krzie> the config should be ready, only needing a change of filepath
15:18 < polo> i have a dile called cert.p12
15:18 < polo> file
15:18 < polo> no .cert
15:19 < krzie> ohh
15:19 < krzie> doesnt the config already reference that file?
15:20 < krzie> its a different style that incorporates all those files into 1 file
15:20 < krzie> pkcs12
15:21 < krzie> --pkcs12 file
15:21 < krzie> Specify a PKCS #12 file containing local private key, local certificate, and root CA certificate. This option can be used instead of --ca, --cert, and --key.
15:33 < coil> hm im not having any luck with my config, do i need to bridge my connection to get full internet traffic forwarding over my vpn to make it work?
15:39 -!- polo [n=polo@c-76-104-77-15.hsd1.va.comcast.net] has quit ["Leaving"]
16:05 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
16:10 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
16:19 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
16:30 -!- coil [i=imgay@unaffiliated/coil] has quit [Excess Flood]
16:30 -!- todd_dsm [n=todd_dsm@66.43.220.149] has quit [Client Quit]
16:31 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn
16:34 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:42 < krzie> coil
16:42 < krzie> coil, you want to be sending inet traffic through the server?
16:43 < coil> yes
16:43 < krzie> see topic
16:43 < coil> im using pf as my firewall/nat
16:43 < krzie> i pasted half my question from the topic
16:43 < coil> !redirect
16:43 < vpnHelper> coil: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
16:43 < coil> yeah this is on freebsd so i can't use iptables
16:43 < coil> all the examples i see use iptables
16:43 < krzie> !bsdnat
16:43 < vpnHelper> krzie: "bsdnat" is see !fbsdnat
16:43 < krzie> !fbsdnat
16:43 < coil> fbsdnat
16:43 < vpnHelper> krzie: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
16:44 < coil> ok cool thanks
16:44 < coil> ill try that
16:44 < krzie> you get the basic idea of how you will be using nat for this?
16:44 < krzie> not like the specifics of doing it on pf, but the overall of why and how you need to use it?
16:45 < coil> yeah i guess
16:45 < krzie> the vpn subnet is basically just a lan on a 1918 ip range
16:45 < krzie> and your vpn server is its router
16:45 < krzie> make sense when put in that light?
16:46 < coil> yes
16:46 < krzie> werd =]
16:46 < krzie> note, your real router could handle the nat instead if you wanted
16:46 < coil> my vpn server is hosted in a datacenter though
16:46 < coil> and i dont have a router at home
16:46 < krzie> ok so the real router wont be handling the nat for ya =]
16:47 < krzie> but the server will be its router as i said fir5st
16:47 < krzie> -5
16:47 < coil> yeah i understand that
16:47 < coil> !def1
16:47 < vpnHelper> coil: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
16:51 < coil> when i traceroute on my client box, i dont even get past the first hop
16:51 < coil> http://pastebin.com/m10181377
16:51 < coil> thats what the routing table looks like on client
16:52 < krzie> looks good
16:52 < krzie> its either firewall, nat, or ip forwarding on server
16:53 < krzie> can the client ping 10.69.0.1?
16:53 < coil> yes it can
16:53 < krzie> can it resolve google.com?
16:53 < coil> no
16:54 < krzie> ok, next problem could be dns
16:54 < krzie> can it ping 4.2.2.1?
16:54 < coil> request timed out
16:54 < krzie> ok
16:55 < krzie> so its not dns
16:55 < krzie> now if you were to sniff packets on tun interface on server, you'll see that they ARE flowing over the tunnel
16:55 < krzie> but something is wrong with either the firewall, nat, or ip forwarding
16:55 < krzie> !bsdipforward
16:55 < vpnHelper> krzie: Error: "bsdipforward" is not a valid command.
16:55 < krzie> !fbsdipforward
16:55 < vpnHelper> krzie: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
16:56 < krzie> did that?
16:56 < krzie> sysctl net.inet.ip.forwarding
16:56 < krzie> is it 1 or 0?
16:57 < coil> oh
16:57 < coil> its 0
16:57 < coil> lets change it to 1
16:57 < coil> forgot that 'minor' detail lol
16:57 < krzie> right, lets do that =]
16:57 < krzie> i assume you read this:
16:57 < krzie> http://www.freebsd.org/doc/en/books/handbook/network-natd.html
16:58 < krzie> although its not for pf its still good to read
16:59 < Sky[x]> in which file do you have nat redirection ?
17:00 < Sky[x]> in the end of file you have to make one new line if u dont have will not work
17:00 < coil> pf.conf
17:00 < coil> after enabling nat, should i restart openvpn
17:00 < Sky[x]> in nat file you need to add new line at the end
17:02 < coil> uhm ok
17:03 < coil> Sky[x] im using pf for nat not natd
17:04 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 60 (Operation timed out)]
17:07 < krzie> coil, not needed to restart
17:10 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
17:13 < coil> ok well nothings changed
17:14 < coil> push "dhcp-option DNS 10.69.0.1"
17:14 < coil> push "redirect-gateway def1"
17:14 < coil> does it matter the order of that
17:14 < krzie> nope
17:14 < krzie> but for dns see this
17:14 < krzie> !pushdns
17:14 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
17:18 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Remote closed the connection]
17:27 < coil> well i guess that doesn't matter since i can't ping the dns server i want to use
17:33 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
17:36 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
17:39 -!- krzie [n=krzee@butters.secure-computing.net] has quit ["Reconnecting"]
17:39 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
17:39 -!- krzie [n=krzee@butters.secure-computing.net] has left ##openvpn []
17:40 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
17:52 -!- Hypnoz [n=colin@66.104.252.161] has left ##openvpn []
17:52 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
17:54 -!- jeiworth_ [n=jeiworth@189.234.7.136] has quit [Read error: 110 (Connection timed out)]
18:03 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
18:12 -!- temba [i=pommes@188-193-22-46-dynip.superkabel.de] has left ##openvpn []
18:14 -!- jeiworth [n=jeiworth@189.163.172.175] has joined ##openvpn
18:30 -!- Hink [n=Hink@71.164.255.85] has joined ##openvpn
18:35 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 131 (Connection reset by peer)]
18:35 -!- master_of_master [n=master_o@84.157.125.210] has quit [Read error: 110 (Connection timed out)]
18:38 -!- master_of_master [i=master_o@p549D7C03.dip.t-dialin.net] has joined ##openvpn
18:41 -!- Hink [n=Hink@71.164.255.85] has quit [Remote closed the connection]
18:41 < reiffert> !factoids search push
18:41 -!- eigma [n=eigma@scesoc.engsoc.carleton.ca] has left ##openvpn []
18:42 < reiffert> !factoids
18:42 < vpnHelper> reiffert: Error: "factoids" is not a valid command.
18:42 < reiffert> !help
18:51 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
18:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
18:57 < krzie> oh fuck my /usr was/is full
18:58 < reiffert> and how does a full /usr work on an irc bot?
18:58 < reiffert> /usr/tmp?
18:59 < krzie> its run by a user, saves to a dir under that users homedir
19:00 < reiffert> and that is /users/ on BSB?
19:00 < krzie> BSB?
19:01 < reiffert> BSD
19:01 < krzie> its /usr/home/
19:01 < krzie> which is why usr is full
19:01 < krzie> i just freed up 72G
19:01 < krzie> should be fine for awhile ;]
19:01 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
19:02 < reiffert> 72G of lost porn!
19:02 < krzie> rainbow tables i forgot to delete
19:02 < reiffert> which cipher/algorithm?
19:02 < krzie> when i was local to those boxes i was using their BW to get the tables
19:02 < krzie> MD5
19:02 < reiffert> mhm, IIRC 72G is not much for md5.
19:02 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
19:03 < krzie> not even close
19:03 < krzie> i have over 500G
19:03 < krzie> thats just what i forgot to delete from that specific box
19:03 < reiffert> !factoids search not
19:03 < vpnHelper> reiffert: 'notopenvpn', 'notcompat', and 'notovpn'
19:03 < reiffert> !factoids search pptp
19:03 < vpnHelper> reiffert: No keys matched that query.
19:03 < krzie> !factoids search --values pptp
19:03 < vpnHelper> krzie: 'broadcast-relay' and 'notcompat'
19:03 < theDoc> o/ krzie.
19:04 < krzie> moinmoin
19:04 < reiffert> :)
19:04 < theDoc> reif. o/
19:04 < krzie> do i sound like a wanna-be german when i say that? lol
19:05 < reiffert> almost close to full home grown german :)
19:05 < krzie> haha right on
19:06 < reiffert> guess you enjoyed the netherlands much?
19:06 < krzie> LOVED it
19:06 < krzie> INFO 2009-11-25T17:03:40 factoids search called by
19:06 < krzie> "reiffert!n=thomas@mail.webersheim.de".
19:06 < krzie> INFO 2009-11-25T17:03:49 factoids search called by
19:06 < krzie> "krzie!n=krzee@unaffiliated/krzee".
19:07 < reiffert> hey, thats me!
19:08 < coil> i cannot find anyone that has done openvpn and pf
19:08 < krzie> you dont need openvpn + pf walkthrough
19:09 < krzie> just do the nat, allow stuff in the firewall
19:09 < krzie> allow it to pass where it should
19:09 < krzie> knowing what you're doing > walkthrough
19:09 < coil> i've done it
19:11 < reiffert> !bsdnat
19:11 < vpnHelper> reiffert: "bsdnat" is see !fbsdnat
19:11 < reiffert> !fbsdnat
19:11 < vpnHelper> reiffert: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
19:12 < coil> yes...ive tried that
19:13 < krzie> see the whole section on firewalls in the manual
19:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:13 < krzie> it wont give you exact pf commands, but it talks about what to do
19:13 < krzie> which then you figure out for your chosen OS
19:13 < coil> http://openvpn.net/index.php/open-source/documentation/howto.html
19:13 < coil> that?
19:13 < vpnHelper> Title: HOWTO (at openvpn.net)
19:13 < krzie> !man
19:13 < coil> or
19:13 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
19:13 < krzie> manual
19:13 < krzie> =]
19:20 < krzie> hrm, wasnt there supposed to be an RSS with the forum
19:28 < reiffert> how about a cia bot on this channel?
19:28 < krzie> ?
19:29 < reiffert> never heard about that CIA bots pasting cvs commits, trac tickets and other stuff to irc channels?
19:29 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
19:29 < krzie> lol, no
19:30 < reiffert> http://cia.vc/doc/
19:30 < vpnHelper> Title: CIA.vc - What is CIA? (at cia.vc)
19:30 < krzie> oh ok
19:30 < krzie> not central intel agency
19:30 < krzie> lol
19:31 < reiffert> :)
19:34 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
20:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
20:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
20:37 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
20:38 -!- sigius [n=sigius@93.125.185.45] has quit [Remote closed the connection]
20:42 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: jhp, Gumbler, vlt, chantra, odonata
20:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer]
20:44 -!- vlt [n=dm@87.230.93.250] has joined ##openvpn
20:44 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:46 -!- YaManicK1ll [n=ali@130.159.141.69] has joined ##openvpn
20:47 -!- YaManicKill [n=ali@130.159.141.69] has quit [Read error: 104 (Connection reset by peer)]
20:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection]
20:52 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:56 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
21:02 -!- jeiworth [n=jeiworth@189.163.172.175] has quit [Connection timed out]
21:03 -!- jeiworth [n=jeiworth@189.163.184.161] has joined ##openvpn
21:06 -!- oc80z [n=oc80z@88.198.2.173] has quit [Read error: 104 (Connection reset by peer)]
21:15 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
21:15 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
21:15 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
21:15 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn
21:27 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:39 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: julius, lkthomas, odonata, |Mike|, disco-, mrnice1, vpnHelper, Typone, freaky[t], sno, (+13 more, use /NETSPLIT to show all of them)
21:40 -!- Netsplit over, joins: odonata, Gumbler, jhp, chantra, sigius, vpnHelper, zamba_, HardDisk_WP, freaky[t], sno (+13 more)
21:51 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:03 -!- squidly [n=squidly@HoodLUG/member/squidly] has quit ["leaving"]
22:10 < krzee> !static
22:11 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
22:16 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)]
22:37 -!- _LowKey [i=rhel@69.197.5.131] has joined ##openvpn
22:42 -!- _LowKey is now known as [L]owKey
22:42 -!- [L]owKey [i=rhel@69.197.5.131] has quit [Remote closed the connection]
22:43 -!- _LowKey [i=rhel@69.197.5.131] has joined ##openvpn
22:44 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Remote closed the connection]
22:45 -!- _LowKey is now known as LowKey
22:45 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Client Quit]
22:46 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
22:53 -!- _LowKey [i=rhel@72.20.2.134] has joined ##openvpn
22:56 -!- _LowKey [i=rhel@72.20.2.134] has quit [Remote closed the connection]
23:02 -!- _LowKey [i=rhel@72.20.2.134] has joined ##openvpn
23:17 -!- jeiworth [n=jeiworth@189.163.184.161] has quit [Read error: 110 (Connection timed out)]
23:22 -!- hyper__ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn
23:22 -!- hyper_ch [n=hyper@89.217.204.148] has quit [Nick collision from services.]
23:23 -!- hyper__ch is now known as hyper_ch
23:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
23:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
--- Day changed Thu Nov 26 2009
00:27 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
01:11 -!- hyper_ch [n=hyper@115-192.0-85.cust.bluewin.ch] has joined ##openvpn
01:21 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
01:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
01:27 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
02:06 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)]
02:19 -!- Zyclops [n=BladyBla@219-90-202-30.ip.adam.com.au] has joined ##openvpn
02:20 < Zyclops> hey, we've setup openvpn and we can connect, but no internet connection appears to be accessible through it
02:20 < Zyclops> any ideas?
02:20 < Zyclops> any idea on how to debug?
02:21 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
02:21 < hyper_ch> Zyclops: what hosts? what clients?
02:25 < Zyclops> host is ubuntu
02:26 < Zyclops> clients, are win xp, windows 7, mac osx (snow leopard), ubuntu (karmic), ubuntu (fiesty)
02:26 < Zyclops> for this case we are just testing with ubuntu host and snow leopard client
02:29 < hyper_ch> Zyclops: pastebin the output of this: grep -vE '^#|^;|^$' server.conf --> run it on the host in the according openvpn config folder
02:30 < hyper_ch> Zyclops: and pastebin also this: grep -vE '^#|^;|^$' client.conf --> on the client
02:30 < hyper_ch> Zyclops: my outputs are like this here: http://www.simplylinux.ch/openvpn-einrichten
02:31 < vpnHelper> Title: Linux für alle » OpenVPN einrichten (at www.simplylinux.ch)
02:31 < hyper_ch> I guess you don't push the redirect-gateway def1 in the client...
02:35 < Zyclops> hyper_ch: thanks 02:35 < Zyclops> we managed to fix it because of that :) 02:36 < hyper_ch> Zyclops: so it works now? 02:36 < Zyclops> yeah really well 02:36 < hyper_ch> good :) 02:36 < Zyclops> although from china it's really slow 02:36 < Zyclops> i wonder if they shape non-port 80 traffic 02:36 < Zyclops> australia -> australia vpn is really fast 02:36 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:37 < hyper_ch> you can try a different port :) just set server and client accordingly 02:51 -!- maxagaz [n=maxagaz@124.205.74.34] has joined ##openvpn 02:51 < maxagaz> hi 02:51 < maxagaz> where is set the address of vpn clients ? 02:52 < maxagaz> my vpn takes an address, but i don't understand where does it take it from 03:01 -!- Zyclops [n=BladyBla@219-90-202-30.ip.adam.com.au] has quit [Read error: 104 (Connection reset by peer)] 03:02 < renihs> from your openvpn.conf 03:02 < renihs> either ifconfig-pool or it derives it from the server ip/mask 03:09 -!- dli [n=dli@66.49.226.142] has quit [Connection timed out] 03:09 -!- dli_ [n=dli@66.49.226.142] has joined ##openvpn 03:13 -!- dazo_afk is now known as dazo 03:47 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 03:57 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 04:16 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has joined ##openvpn 04:16 -!- vvoois__ [n=vvoois@95-36-35-62.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 04:28 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit ["Leaving"] 04:30 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 04:33 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"] 04:40 -!- Vocor [n=vvoois@95-36-35-62.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 04:45 -!- dazo [n=dazo@nat/redhat/x-efbaktbbtijywwss] has quit [Remote closed the connection] 04:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote 
closed the connection] 04:48 -!- ruied [n=ruied@89.181.112.148] has joined ##openvpn 04:50 < maxagaz> What is the P-t-P address ? 04:50 < maxagaz> Why can't I ping it ? 04:52 -!- ruied [n=ruied@89.181.112.148] has left ##openvpn [] 04:52 -!- ruied [n=ruied@89.181.112.148] has joined ##openvpn 04:53 -!- ruied [n=ruied@89.181.112.148] has quit [Client Quit] 04:53 -!- ruied [n=ruied@89.181.112.148] has joined ##openvpn 04:54 -!- ruied [n=ruied@89.181.112.148] has left ##openvpn [] 04:55 -!- ruied [n=ruied@89.181.112.148] has joined ##openvpn 05:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 05:08 < krzee> maxagaz, 05:08 < krzee> ?? 05:09 < krzee> that could be related to this: 05:09 < krzee> !/30 05:09 < maxagaz> krzee, ? 05:09 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 05:09 < krzee> but you;ve still told us nothing so im only guessing 05:10 < maxagaz> krzee, i'm wondering why ifconfig shows me 2 addresses for tun0 interface 05:10 < krzee> how so? 05:10 < maxagaz> krzee, one being my ip address, and the other, i don't know 05:10 < maxagaz> why is it useful ? 05:10 < krzee> oh .5 .6? 05:11 < krzee> !topology 05:11 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 05:11 < krzee> read that thread from the maillist 05:11 < maxagaz> krzee, what means .5 .6 ? 05:11 < krzee> example of the ips 05:11 < krzee> the first client ip by default is .6 05:11 < krzee> next .10 05:12 < krzee> as detailed in that !/30 above 05:12 < krzee> read the link i gave you 05:12 < maxagaz> krzee, it's in case my machine is a router to others ? 
05:12 < krzee> no 05:12 < krzee> its how openvpn was able to work around windows lameness 05:12 < krzee> gives you your own /30 05:12 < krzee> READ THE LINKS! 05:14 < maxagaz> i don't understand well this link 05:15 < maxagaz> I was told this second address is like a gateway 05:40 < reiffert> read as in reading or read as in ignoring? 06:09 -!- zamba_ is now known as zamba 06:13 -!- dazo_afk [n=dazo@nat/redhat/x-nqxzbxgosddkjctp] has joined ##openvpn 06:13 -!- dazo_afk is now known as dazo 06:14 -!- dazo is now known as Guest55472 06:34 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has joined ##openvpn 06:34 < StefanWork> Good evening 06:34 < StefanWork> afternoon* 06:34 < StefanWork> !route 06:34 < vpnHelper> StefanWork: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 06:39 -!- maxagaz [n=maxagaz@124.205.74.34] has quit ["Ex-Chat"] 06:50 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 07:02 -!- jeiworth [n=jeiworth@189.163.184.161] has joined ##openvpn 07:08 -!- Guest55472 is now known as dazo 07:10 < StefanWork> Is there a way to route through the tap device? 07:11 < dazo> StefanWork: yeah ... you use the route feature 07:12 < dazo> a tap device is basically like a virtual network adapter ... it behaves just like normal NICs ... except that openvpn takes the traffic in and out of it and passes it to another openvpn process on another host 07:19 -!- ruied [n=ruied@89.181.112.148] has quit [Read error: 113 (No route to host)] 07:28 -!- ruied [n=ruied@95.69.119.188] has joined ##openvpn 07:29 < StefanWork> I see. I'm using the route feature but it doesn't seem to work. I have tried 192.168.1.0 and 192.168.1.1 the client network has subnet 40. 
But they can't get a ping towards the machine on our host network 07:42 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 07:47 -!- APTX| [n=APTX@213.251.162.70] has quit [Read error: 131 (Connection reset by peer)] 08:06 -!- dazo [n=dazo@nat/redhat/x-nqxzbxgosddkjctp] has quit ["ZNC - http://znc.sourceforge.net"] 08:07 -!- jeiworth [n=jeiworth@189.163.184.161] has quit [Remote closed the connection] 08:07 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn 08:32 -!- dazo_afk [n=dazo@nat/redhat/x-ufvkfrcytwgnevdk] has joined ##openvpn 08:32 -!- ruied [n=ruied@95.69.119.188] has quit [Read error: 145 (Connection timed out)] 08:32 -!- dazo_afk is now known as dazo 08:32 -!- dazo is now known as Guest50244 08:33 -!- Guest50244 is now known as dazo 09:03 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has joined ##openvpn 09:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:25 -!- hyper_ch [n=hyper@115-192.0-85.cust.bluewin.ch] has quit [Remote closed the connection] 09:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection reset by peer] 09:39 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 09:40 -!- dazo is now known as dazo_afk 09:44 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 09:51 -!- techtronic1 [n=liam@host86-177-246-166.range86-177.btcentralplus.com] has joined ##openvpn 09:52 < techtronic1> hi folks wonder if some one can help, my vpn has been working and now when i try and connect it hangs at UDPv4 link remote: <>:1194 09:53 < techtronic1> any ideas 09:53 < techtronic1> !logs 09:53 < vpnHelper> techtronic1: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
09:58 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn 10:02 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit [Read error: 104 (Connection reset by peer)] 10:04 -!- ruied [n=ruied@188.140.113.211] has joined ##openvpn 10:08 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 10:15 -!- techtronic1 [n=liam@host86-177-246-166.range86-177.btcentralplus.com] has quit [Read error: 110 (Connection timed out)] 10:16 -!- StefanWork [n=stefanle@cp849982-a.mill1.nb.home.nl] has quit [] 10:24 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:34 -!- techtronic [n=liam@vm3797.vps.tagadab.com] has joined ##openvpn 10:37 -!- techtronic [n=liam@vm3797.vps.tagadab.com] has quit [Client Quit] 10:51 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 11:28 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 11:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 11:30 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:36 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn 11:47 -!- newmember_ [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 11:51 -!- unix3 [n=unix3@190.10.68.228] has joined ##openvpn 11:51 -!- unix3 [n=unix3@190.10.68.228] has quit [Read error: 104 (Connection reset by peer)] 11:53 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 60 (Operation timed out)] 11:58 -!- ruied [n=ruied@188.140.113.211] has quit [Read error: 145 (Connection timed out)] 12:07 -!- ruied [n=ruied@92.250.59.85] has joined ##openvpn 12:23 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn 12:23 -!- newmember_ [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)] 12:23 < Dennis_> llo, my ping (when i use openvpn) is just tooo high. 
>512ms over local net :( 12:26 < Dennis_> i dont know what is wrong. I tried both tun and tap but no difference 12:30 < Dennis_> http://pastebin.com/m4e48c6a6 i guess that cant be good 12:51 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn 12:51 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)] 12:56 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 13:00 -!- newmember [n=chatzill@66.11.81.77] has joined ##openvpn 13:23 -!- simonpe [n=user@c80-217-232-108.bredband.comhem.se] has joined ##openvpn 13:23 < simonpe> !howto 13:23 < vpnHelper> simonpe: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:23 < simonpe> Hmmm, read that... 13:24 < _Dennis_> was that for me? 13:24 < simonpe> no, internal note for myself :P 13:24 < _Dennis_> Lol ok 13:25 < reiffert> local option on redirect-gateway. 13:25 < _Dennis_> local option on redirect-gateway? 13:26 < reiffert> just a local note to myself :P 13:26 < ecrist> _Dennis_: how would that be for you, when simonpe came in *after* you? 13:27 < _Dennis_> ecrist, didnt read that xd 13:28 * _Dennis_ thinks his question is n00b and just some setting that is wrong, so the howto could be for me :) 13:30 < simonpe> okay can someone please have a look at this? I'm trying to establish a connection and I get errors in the client log. 
http://codepad.org/YkuFEm67 13:30 < vpnHelper> Title: Plain Text code - 137 lines - codepad (at codepad.org) 13:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 13:34 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has joined ##openvpn 13:34 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has left ##openvpn [] 13:35 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has joined ##openvpn 13:36 < jean001> !forum 13:36 < vpnHelper> jean001: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 13:37 < simonpe> Is something missing in my pastie? Please tell me if that's the case, I desperately need help with this. 13:38 < _Dennis_> Strange, when i use openVPN and i ping 192.168.2.2 (server in my network) i get a low ping, 1 ms, but when i try to ping the openvpn server (192.168.3.1) i get a ping of >500 ms 13:39 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has left ##openvpn [] 13:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 13:56 < _Dennis_> mmmm, udp will fix it but i want to use tcp (neeed to work behind a proxy) 14:05 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)] 14:05 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn 14:15 -!- CaBa [i=caba@unique-inter.net] has quit [Read error: 104 (Connection reset by peer)] 14:18 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 14:18 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 14:23 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Remote closed the connection] 14:28 -!- Sky[x] [n=SkyB0x@BSN-176-162-120.dial-up.dsl.siol.net] has joined ##openvpn 14:37 -!- ruied [n=ruied@92.250.59.85] has quit [Connection timed out] 14:39 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has 
joined ##openvpn 14:56 -!- Sky[x] [n=SkyB0x@BSN-176-162-120.dial-up.dsl.siol.net] has quit [Connection timed out] 15:02 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 113 (No route to host)] 15:04 < krzie> _Dennis_ you dont want tcp 15:05 < krzie> !tcp 15:05 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 15:05 < krzie> if you need it to work behind a proxy, see --proxy :-p 15:05 < _Dennis_> lol ok :) thnx 15:05 < krzie> and as far as your ping issue 15:05 < krzie> you didnt say if they are in the same lan, etc 15:06 < _Dennis_> they where :) 15:07 < krzie> they were in the same lan? 15:07 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)] 15:14 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has joined ##openvpn 15:14 -!- jean001 [n=chatzill@APoitiers-552-1-75-254.w92-136.abo.wanadoo.fr] has left ##openvpn [] 15:16 < _Dennis_> yes 15:21 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn 15:23 < krzie> then you should be checking things inside that lan 15:23 < krzie> if its traveling the same distance over the inet 15:23 < krzie> the same path, etc 15:23 < krzie> things like a bad switch port, etc 15:26 < krzie> i just had that happen to me 15:26 < krzie> at the exact same time i had upgraded my os and thus had to use diff drivers 15:26 < krzie> i was going nuts trying to troubleshoot what i was sure was a software problem 15:27 < krzie> bypasses the switch and all was good 15:29 < _Dennis_> well, the strange is 15:29 < _Dennis_> when i use udp its going fast and good and when i use tcp it has ping of >500ms 15:31 < krzie> ahhh 15:31 < krzie> well problem solved then 15:32 < _Dennis_> mmm, you want to say "use udp?" 
15:32 < _Dennis_> too bad, squid is blocking udp traffic :( 15:32 < krzie> sorry i cant help with your squid config, never used it 15:32 < krzie> only proxy ive used is dante socks 15:32 < _Dennis_> me neither, i just need to bypass it. They even blocked ssh and ftp :( 15:34 < krzie> so you did try --proxy? 15:34 < _Dennis_> openvpn --proxy you mean? :) 15:34 < krzie> correct 15:34 < krzie> !man 15:34 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 15:35 < krzie> http-proxy i mean 15:36 < krzie> and the related options below it 15:37 < _Dennis_> Well the http-proxy is blocking udp traffic, thats why i'm stuck with tcp 15:37 < krzie> so you DID use --http-proxy 15:37 < _Dennis_> well i added the lines in the configuration ;) 15:39 < krzie> right 15:40 < _Dennis_> sorry, my bad 15:40 < _Dennis_> but even on my local lan (with openvn on 192.168.2.3 and my computer on 192.168.2.x) it has >500ms ping 15:41 < _Dennis_> the strange is, when i ping 192.168.2.2 the ping is good, but when i ping 192.168.3.1 (openvpn range) the ping is >500ms 15:41 < krzie> then you have an issue on your lan 15:41 < _Dennis_> mmm OK 15:42 < krzie> could be related to the encryption (maybe a dev cant handle it or something...) 
15:43 < _Dennis_> i tried both blowfish and 3des 15:43 < krzie> try none for test 15:43 < krzie> to rule that out 15:43 < _Dennis_> tried that too :) 16:01 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit ["Nice Scotty, now beam my clothes up too!"] 16:02 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 16:10 -!- ruied [n=ruied@92.250.59.85] has joined ##openvpn 16:23 -!- newmember [n=chatzill@66.11.81.77] has quit [Read error: 145 (Connection timed out)] 16:23 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 16:24 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has joined ##openvpn 16:25 < pfo> hello guys -- one simple question: how do i set the tap0 interface of a bridged client to DHCP? some hook script? 16:32 -!- newmember [n=chatzill@66.11.81.77] has joined ##openvpn 16:32 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 16:32 < krzie> lol 16:32 < krzie> look at the server-bridge option in the manual 16:33 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["brb"] 16:33 < pfo> krzie: why is my question funny? 16:34 -!- ruied [n=ruied@92.250.59.85] has quit [] 16:34 -!- ruied [n=ruied@92.250.59.85] has joined ##openvpn 16:37 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 16:38 < krzie> because its plainly obvious when you see server-bridge in the manual 16:38 < pfo> it isn't. 16:38 -!- newmember [n=chatzill@66.11.81.77] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 16:39 < pfo> when i manually call ``ipconfig set tap0 DHCP'' i get the IP as expected. 16:39 < krzie> In another example, --server-bridge (without parameters) expands as follows: 16:39 < krzie> mode server 16:39 < krzie> tls-server 16:39 < krzie> push "route-gateway dhcp" 16:39 < pfo> krzie: thx 16:40 < krzie> yw 16:40 < pfo> i was simply assuming i had to enabled something on the client side and wanted to omit any explicit pushes to the client. 
16:40 < krzie> HOWEVER 16:40 < krzie> wh yare you bridging? 16:41 < krzie> 90+% of people who bridge shouldnt be 16:41 < pfo> want to give the clients the same IP as when physically inside the network 16:41 < krzie> common answer which never makes sense 16:42 < pfo> especially since some clients are able to get into special lans/vLANs 16:42 < krzie> is there a specific layer2 protocol you need? 16:42 < pfo> think LOM 16:42 < krzie> ok i guess with bridging you dont have to learn routing 16:42 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)] 16:42 < pfo> multicast DNS from bonjour/zeroconf 16:42 < pfo> i have a tunneld setup too 16:42 < krzie> but with bridging you open yourself up to layer2 attacks and use extra overhead 16:42 < pfo> with routing and all 16:42 < krzie> ahh ive heard bonjour does need it 16:43 < krzie> there ya go, thats the layer2 protocol you need, you're part of the -10% ;) 16:43 < pfo> but it's not working out of the box with the bridged setup 16:43 < pfo> dunno why 16:44 < pfo> seems that the client interface is not forwarding multicast 16:44 < pfo> at least it's what i see from the mac clients 16:44 < krzie> im not much of a bridged setup troubleshooter 16:44 < pfo> maybe i have to explicitly "duplicate" the mDNS packets? 16:44 < pfo> but thx anyway krzie! 16:44 < krzie> cause ive never had a layer2 protocol that needed to traverse the inet 16:46 -!- simonpe [n=user@c80-217-232-108.bredband.comhem.se] has quit [Read error: 110 (Connection timed out)] 16:48 < pfo> krzie: do you know any other reasons to use the bridged setup? 
16:48 < pfo> ok IPSec maybe 16:48 < krzie> there ARE no other reasons 16:48 < krzie> if you dont need a specific layer2 protocol, you dont need bridged 16:48 < krzie> but you do, so you do ;] 16:49 < pfo> it's convenient to have the clients get the same IP as when they are physically inside the network 16:50 < pfo> all of the road warriors have a FQDN which i use for managing them ... 16:50 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 16:51 < krzie> the FQDN can be done with vpn ip subnet 16:51 < krzie> without sharing the same layer2 domain 16:51 < krzie> and they can be given static ips inside that subnet 16:52 < pfo> ofc 16:54 < ruied> !faq complex > ruied 16:54 < vpnHelper> ruied: Error: "faq" is not a valid command. 16:54 < krzie> heh 16:58 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 104 (Connection reset by peer)] 17:12 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 17:14 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 17:25 < pfo> krzie: strange -- adding a push "route-gateway dhcp" stanza to the server config didn't help. 17:39 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:42 -!- Zyclops [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has joined ##openvpn 17:43 < Zyclops> hey is there a way of doing per user traffic reporting? and is there a way of using the local unix logins for the vpn server 17:43 < Zyclops> i.e. 
all members from group vpn 17:43 < Zyclops> get access 17:47 -!- dli_ [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)] 17:47 -!- dli_ [n=dli@66.49.226.142] has joined ##openvpn 17:50 -!- epaphus [n=unix3@190.10.68.228] has quit [Connection timed out] 18:07 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)] 18:16 < krzie> Zyclops, unix auth = a pam script 18:20 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 18:29 -!- ruied [n=ruied@92.250.59.85] has quit [Read error: 110 (Connection timed out)] 18:35 -!- master_of_master [i=master_o@p549D7C03.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:38 -!- master_of_master [i=master_o@p549D7DF9.dip.t-dialin.net] has joined ##openvpn 18:42 < Zyclops> hey 18:42 < Zyclops> unix auth 18:42 < Zyclops> awesome thanks 18:43 < krzie> per user traffic reporting = your firewall and static ips 18:45 < krzie> same way youd handle that on a lan 18:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:56 -!- BladyBla [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has joined ##openvpn 19:05 -!- Zyclops [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has quit [Remote closed the connection] 19:39 -!- Rundll [n=thomas@150.101.105.140] has joined ##openvpn 19:57 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 20:06 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has joined ##openvpn 20:07 -!- Rundll [n=thomas@150.101.105.140] has quit [Read error: 131 (Connection reset by peer)] 20:08 -!- Rundll [n=thomas@150.101.105.140] has joined ##openvpn 20:38 -!- kosmic [n=kosmic@unaffiliated/spice] has quit ["leaving"] 20:55 -!- bytesaber [n=bytesabe@208.98.188.95] has quit [Remote closed the connection] 21:43 -!- xenophile7x7 [n=xenophil@72.192.7.242] has joined ##openvpn 21:46 -!- Netsplit clarke.freenode.net <-> 
irc.freenode.net quits: renihs, vlt, krzie, stein0, Lyndon, julius, lkthomas, odonata, razor2000, |Mike|, (+59 more, use /NETSPLIT to show all of them) 21:47 -!- gid [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has joined ##openvpn 21:47 -!- Netsplit over, joins: krzee, MorkBork, drue, xenophile7x7, Rundll, dollabill, BladyBla, master_of_master, teddymills, dli_ (+59 more) 21:49 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal] 21:49 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has quit [Connection timed out] 21:55 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 22:07 -!- gid [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has quit [Connection timed out] 22:21 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn 22:55 -!- epaphus [n=unix3@201.199.62.74] has quit [Read error: 110 (Connection timed out)] 23:06 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 23:11 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Client Quit] 23:22 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 23:37 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 23:48 -!- Dennis_ [n=Dennis@86.82.173.230] has joined ##openvpn 23:48 -!- Dennis_ [n=Dennis@86.82.173.230] has quit [Read error: 104 (Connection reset by peer)] --- Day changed Fri Nov 27 2009 00:18 -!- Rundll [n=thomas@150.101.105.140] has quit [Remote closed the connection] 00:24 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has quit [Remote closed the connection] 00:30 -!- BladyBla [n=BladyBla@pulteney-pix.border.net.adelaide.edu.au] has quit ["This computer has gone to sleep"] 00:42 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: newmember, renihs, coil, pa, corretico, redfox, c99, ^scott^ 00:43 -!- Netsplit over, joins: coil 00:59 -!- ent [n=james@unaffiliated/ent] has joined ##openvpn 01:10 -!- hyper_ch [n=hyper@85.3.213.175] has joined ##openvpn 
01:30 -!- M08w [n=Greys@c-71-238-246-126.hsd1.mi.comcast.net] has joined ##openvpn 01:31 -!- M08w [n=Greys@c-71-238-246-126.hsd1.mi.comcast.net] has quit [Client Quit] 01:57 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 02:16 -!- ent [n=james@unaffiliated/ent] has quit [] 02:20 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has joined ##openvpn 02:20 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 02:20 -!- c99 [n=c99@83.136.90.2] has joined ##openvpn 02:20 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn 02:20 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 02:20 -!- redfox [n=redfox2@ns351996.ovh.net] has joined ##openvpn 02:20 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 02:29 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 02:36 -!- bandinia [n=bandini@79.40.106.156] has joined ##openvpn 02:40 -!- bandini [n=bandini@79.7.108.86] has quit [Read error: 145 (Connection timed out)] 02:40 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has quit [Read error: 110 (Connection timed out)] 03:09 -!- yoshx [n=yoshx@80.119.46.67] has joined ##openvpn 03:11 -!- le0 [n=itsle0@82.16.123.181] has joined ##openvpn 03:21 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 03:30 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 03:35 -!- tishikawa1 [n=tishikaw@tishikawa.mine.nu] has joined ##openvpn 03:38 < tishikawa1> whats the easiest way to get openvpn running on linux to authenticate against windows active directory? 
03:51 < hyper_ch> question is: is there an easy way to do it :) 03:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 04:11 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: pa, c99, corretico, renihs, ^scott^, redfox 04:13 -!- Netsplit over, joins: corretico, c99, renihs, pa, redfox, ^scott^ 04:17 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit] 04:39 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 04:43 -!- dazo_afk is now known as dazo 05:02 -!- eatnumber1 [n=eatnumbe@cpe-74-70-114-176.nycap.res.rr.com] has joined ##openvpn 05:03 < eatnumber1> I need to push routes to my vpn clients, but when it does, it returns an error "SIOCADDRT: No such process" and "ERROR: Linux route add command failed: external program exited with error status: 7" 05:04 < eatnumber1> I believe it is because the tap interface has not yet received an IP, and so has no default gateway for the routes i'm pushing 05:16 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit] 05:27 -!- roflino [n=ike@82.78.190.68] has joined ##openvpn 05:30 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn 05:31 < roflino> i want to create a network setup that looks like this [client (tap)]-(internet)-[vpn server]-(internet)-[(tap) client] and i want the two clients to be bridged together. do I need to create two tap interfaces on the vpn server and bridge them together? how exactly do i need to configure bridging in this scenario? 05:32 < oc80> hi 05:33 < oc80> you bridge , follow the steps to create br0 05:36 < roflino> bridge what? are multiple taps automatically created on the vpn server? right now I have only one tap interface, and the two clients cannot talk to each other 05:36 < oc80> check your firewall 05:37 < roflino> iptables is clean, no firewall set (for now) 05:37 < oc80> jk, why can they not talk to each other 05:37 < oc80> are you pinging? 
05:37 < roflino> yep 05:37 < roflino> that means, ping doesn't work 05:37 < roflino> anyway, i need to do ipx, that's why i want tap 05:38 < oc80> im not sure if client-to-client option and iptables NAT forwarding will work 05:38 < oc80> or even a route command to push 05:38 < oc80> but if you are going to be broadcasting with ur novell stuff.. 05:38 < oc80> you should offer your db shares with bridge mode, so first make sure your configuration says bridge 05:39 < oc80> server-bridge 05:39 < oc80> create 1 bridge. 05:40 < oc80> theres no multiple taps.. 05:40 < roflino> and i add the one interface to that bridge? 05:41 < roflino> *confused* i thought i need more than one interface to actually do bridging... hmmm 05:43 < oc80> no 05:44 < oc80> in windows it creates the tap device 05:45 < oc80> are you running 2 novell clients in windows 05:45 < oc80> and the novell db , dos native? or linux native? 05:46 < oc80> or ipx is ah for...what 05:47 < oc80> a doom2 server..? 05:47 < oc80> heh 05:47 < renihs> games? 05:47 < renihs> :p 05:47 < renihs> master of orion2! :) 05:48 -!- eatnumber1 [n=eatnumbe@cpe-74-70-114-176.nycap.res.rr.com] has quit [Read error: 110 (Connection timed out)] 05:49 < roflino> games? heh, i would wish that. though with that setup in place... it's a thought 05:51 < roflino> one clarification. the server is purely a vpn server, it serves only to interconnect the two client networks 05:51 < renihs> well, except games, what is still using ipx? :p 05:51 < renihs> "still" (leftovers) 05:51 < roflino> yep, still 05:52 < roflino> some stupid banking stuff 05:52 -!- eatnumber1 [n=eatnumbe@74.70.114.176] has joined ##openvpn 05:52 < renihs> oh 05:52 < renihs> true 05:52 < renihs> they even have dos in use 05:53 < oc80> ask lincoln labs. 05:55 < renihs> you shouldnt need iptables nat forwarding though in case of client-to-client imho 05:55 < renihs> you need ip_forwarding though :) 05:57 < roflino> guys, i'm still confused. 
i have only one tap interface on the server. how does the packets jump frome one segment to the other? bridging one interface doesn't make any sense, like a switch with one port 06:06 < oc80> yeah echo that shit in there homez 06:08 < oc80> aight 06:08 < oc80> peace out girl scouts 06:53 -!- _julian [n=quassel@dslc-082-083-133-010.pools.arcor-ip.net] has joined ##openvpn 06:53 < _julian> hi all 06:54 < _julian> I have a openvpn connection running (tun0) and want to add a device in that net as gateway to another net. but if I do:route add -net 135.124.106.0/23 gw 172.20.2.2 dev tun0 I get: SIOCADDRT: No such device 06:54 < _julian> any ideas? 06:55 < _julian> I can ping 172.20.2.2 06:55 -!- roflino [n=ike@82.78.190.68] has quit ["au revoir"] 06:56 < dazo> roflino: (just a quick answer, before going for lunch) ... The kernel does the "packet jumps" for you, as long as the route is setup properly ... and that /proc/sys/net/ipv4/ip_forward is set to 1 ... that enables the "network routing" feature in the kernel 06:56 < dazo> grrrrrr 06:57 * dazo goes for lunch 06:58 -!- }ls{ [n=kalle@p4FD044F4.dip.t-dialin.net] has joined ##openvpn 07:00 < }ls{> !howto 07:00 < vpnHelper> }ls{: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 07:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:01 < }ls{> !man 07:01 < vpnHelper> }ls{: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 07:02 < _julian> can't I set routes that go through another gateway? - actually the error seems to be caused by the gw parameters. 
I reach the gateway through another gw (172.22.9.97) 07:05 < _julian> if I do a route add 172.20.2.2 dev tun0 before, I can add the entry without error, but it still won't work - I can't reach the 135.124.x.x nodes 07:05 -!- }ls{ [n=kalle@p4FD044F4.dip.t-dialin.net] has left ##openvpn ["missing mind"] 07:10 -!- eatnumber1 [n=eatnumbe@74.70.114.176] has left ##openvpn [] 07:11 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 07:12 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn [] 07:29 < _julian> no ideas? 07:29 < ecrist> good morning 07:31 < ecrist> _julian: can you describe, exactly, what you're trying to accomplish? 07:33 < _julian> ok, I have the following situation: I am connected into a remote network through openvpn. this connection works fine and I can reach the hosts in that net. 07:33 < _julian> now that network is connected via vpn through another net 07:33 < _julian> the systems in that network can reach hosts in the 3rd net through this route: route add -net 135.124.0.0 netmask 255.255.0.0 gw 172.21.0.1 dev eth1 07:33 < _julian> I can reach 172.21.0.1 (which is in the 2nd net) from my system without issues. but I can't add a route through it. if I try: route add -net 135.124.0.0 netmask 255.255.0.0 gw 172.21.0.1 dev tun0 I get a SIOCADDRT: No such device 07:34 < _julian> if I do a route add 172.21.0.1 dev tun0 before, I can add that route as well, but I can't reach any of the hosts in the 135.124. 
subnet 07:34 < ecrist> looks to me like you should be using route and iroute statements in your config 07:34 < ecrist> !route 07:34 < ecrist> !iroute 07:34 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 07:35 < ecrist> hrm 07:35 < ecrist> !iroute 07:35 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 07:36 < ecrist> !policy 07:36 < vpnHelper> ecrist: "policy" is (#1) http://openvpn.net/howto.html#policy for Configuring client-specific rules and access policies, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules for a lil writeup by mario 07:36 < ecrist> that one was for me 07:36 < ecrist> !chanpolicy 07:36 < vpnHelper> ecrist: Error: "chanpolicy" is not a valid command. 07:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 07:36 < ecrist> !learn chanpolicy as ##openvpn channel policy can be found at http://secure-computing.net/openvpn.php 07:37 < ecrist> !learn chanpolicy as ##openvpn channel policy can be found at http://secure-computing.net/openvpn.php 07:37 < ecrist> krzie: your bot is having issues today 07:39 < _julian> ecrist: is there any guide how to configure iroute 07:39 < ecrist> see the route link 07:39 < ecrist> iroute tells openvpn how to get to other networks through specific client connections. 
07:56 -!- ruied [n=ruied@89.214.128.44] has joined ##openvpn
08:03 -!- hyper_ch [n=hyper@85.3.213.175] has quit [Remote closed the connection]
08:04 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:07 -!- setarkos [n=tomek@afco11.neoplus.adsl.tpnet.pl] has joined ##openvpn
08:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
08:12 -!- setarkos [n=tomek@afco11.neoplus.adsl.tpnet.pl] has left ##openvpn []
08:12 -!- setarkos [n=tomek@afco11.neoplus.adsl.tpnet.pl] has joined ##openvpn
08:16 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: pa, c99, corretico, renihs, ^scott^, redfox
08:19 -!- ruied [n=ruied@89.214.128.44] has quit []
08:19 -!- ruied [n=ruied@89.214.128.44] has joined ##openvpn
08:20 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
08:20 -!- ^scott^ [n=scott@216.127.92.56] has joined ##openvpn
08:20 -!- c99 [n=c99@83.136.90.2] has joined ##openvpn
08:20 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
08:21 -!- renihs [n=lemming@83.65.34.34] has joined ##openvpn
08:21 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
08:21 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
08:21 -!- redfox is now known as Guest68228
08:21 -!- _julian [n=quassel@dslc-082-083-133-010.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
08:23 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
08:27 -!- dli_ [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
08:27 -!- dli_ [n=dli@66.49.226.142] has joined ##openvpn
08:36 -!- le0 [n=itsle0@82.16.123.181] has quit [Read error: 110 (Connection timed out)]
08:48 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
08:58 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
09:08 -!- kisom [n=x@c-19dde155.648-1-64736c11.cust.bredbandsbolaget.se] has quit [Read error: 104 (Connection reset by peer)]
09:09 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn
09:09 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:15 -!- setarkos1 [n=tomek@cmv241.neoplus.adsl.tpnet.pl] has joined ##openvpn
09:15 -!- Rolybrau [n=Rolybrau@24-112.78-83.cust.bluewin.ch] has joined ##openvpn
09:21 -!- setarkos1 [n=tomek@cmv241.neoplus.adsl.tpnet.pl] has quit [Read error: 60 (Operation timed out)]
09:29 -!- monttyle [n=monttyle@71-17-243-213.yktn.hsdb.sasknet.sk.ca] has joined ##openvpn
09:32 -!- Netsplit clarke.freenode.net <-> irc.freenode.net quits: bandinia, renihs, vlt, krzie, stein0, Lyndon, julius, lkthomas, odonata, razor2000, (+68 more, use /NETSPLIT to show all of them)
09:32 -!- Netsplit over, joins: drue, krphop, Optic, ericvw, Sebb, rooth, eliasp, teratoma, Lyndon, krzee (+9 more)
--- Log closed Fri Nov 27 09:32:46 2009
--- Log opened Fri Nov 27 09:33:39 2009
09:33 -!- ecrist [n=ecrist@173.8.118.220] has joined ##openvpn
09:33 -!- Irssi: ##openvpn: Total of 34 nicks [0 ops, 0 halfops, 0 voices, 34 normal]
09:33 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: tinLoaf, dmarkey
09:33 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
09:33 -!- tinLoaf_ [n=tinloaf@tinloaf.de] has joined ##openvpn
09:34 -!- Irssi: Join to ##openvpn was synced in 26 secs
09:34 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn
09:34 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
09:34 -!- ruied [n=ruied@89.214.128.44] has joined ##openvpn
09:34 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn
09:34 -!- yoshx [n=yoshx@80.119.46.67] has joined ##openvpn
09:34 -!- bandinia [n=bandini@79.40.106.156] has joined ##openvpn
09:34 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
09:34 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn
09:34 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn
09:34 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:34 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
09:34 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
09:34 -!- _LowKey [i=rhel@72.20.2.134] has joined ##openvpn
09:34 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
09:34 -!- odonata [n=odonata@security.jails.se] has joined ##openvpn
09:34 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
09:34 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
09:34 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
09:34 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
09:34 -!- zamba [i=marius@flage.org] has joined ##openvpn
09:34 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has joined ##openvpn
09:34 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
09:34 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
09:34 -!- m3th0s [n=mindblas@85.240.54.1] has joined ##openvpn
09:34 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn
09:34 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
09:34 -!- Typone [n=nnnitsme@195.197.184.87] has joined ##openvpn
09:34 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
09:34 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
09:34 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
09:34 -!- endre [i=me2@urbnet.hu] has joined ##openvpn
09:34 -!- lkthomas [i=lkthomas@218.213.78.173] has joined ##openvpn
09:34 -!- mrnice1 [i=bouncer@77.244.250.141] has joined ##openvpn
09:34 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn
09:34 -!- master_of_master [i=master_o@p549D7DF9.dip.t-dialin.net] has joined ##openvpn
09:34 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
09:34 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
09:34 -!- Argafal [i=argafal@91.190.183.254] has joined ##openvpn
09:34 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has joined ##openvpn
09:34 -!- FirstSgt [n=cheney@76.182.199.229] has joined ##openvpn
09:34 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
09:34 -!- ruied [n=ruied@89.214.128.44] has quit [Connection reset by peer]
09:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
09:34 -!- stephenh [i=stephenh@69.30.200.88] has joined ##openvpn
09:38 -!- ruied [n=ruied@89.214.128.44] has joined ##openvpn
09:47 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
09:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 60 (Operation timed out)]
10:00 < monttyle> I'm having throughput problems trying to move my VPN setup into a virtual private server. The configurations are identical except for keys, and the VPS should have BETTER bandwidth but gets less than a third of the speed of the one I host through residential high-speed. Might it be related to this warning?
10:00 < monttyle> Nov 27 15:40:39 x openvpn[14299]: Note: Cannot set tx queue length on tun0: Operation not permitted (errno=1)
10:16 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
10:20 -!- monttyle [n=monttyle@71-17-243-213.yktn.hsdb.sasknet.sk.ca] has left ##openvpn []
10:23 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn
10:23 < Whoopie> Hi, are there any plans for a Symbian client for OVPN?
10:24 < Whoopie> !/30
10:24 < vpnHelper> Whoopie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:29 < dazo> Whoopie: I don't think so .... but I don't believe you'll find any of the developers here, unfortunately .... but I honestly don't think so, based on earlier discussions on the mailing list
10:29 < Whoopie> dazo: hmm, what a pity. but thanks for your help.
10:30 < Whoopie> right now, I have to use PPTP which is not my favorite.
10:31 < dazo> np ... yeah, it's not too easy to port it to Symbian as nobody knows how the tun interface works on Symbian .... but now that Symbian is getting more and more open sourced, this might change ... but so far, nothing
10:35 -!- Rolybrau [n=Rolybrau@24-112.78-83.cust.bluewin.ch] has joined ##openvpn
10:37 -!- hyper__ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn
10:37 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has quit [Nick collision from services.]
10:47 < Whoopie> dazo: hopefully, you're right.
10:54 -!- dazo is now known as dazo_afk
10:56 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has joined ##openvpn
11:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
11:16 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:18 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn
11:23 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection]
11:36 -!- ruied [n=ruied@89.214.128.44] has quit [Read error: 110 (Connection timed out)]
11:36 -!- hyper___ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has joined ##openvpn
11:36 -!- hyper___ch is now known as hyper_ch
11:52 -!- hyper__ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has quit [Read error: 110 (Connection timed out)]
11:53 -!- TTimo [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has joined ##openvpn
11:53 < TTimo> hello
11:53 < TTimo> !route
11:53 < vpnHelper> TTimo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
11:58 < TTimo> ok .. hey .. what's the best approach if I have a machine on a private LAN, which is *not* the NAT gateway, I have another system with an internet IP I can use as a relay, and I want to easily route in any number of roadwarrior clients to the private LAN ?
12:00 < krzee> !route
12:00 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:01 < krzee> by learning everything on that page you'll know how to do it
12:01 < krzee> that is the best way
12:02 -!- tishikawa1 [n=tishikaw@tishikawa.mine.nu] has quit ["leaving"]
12:03 < TTimo> yeah I read that
12:06 < TTimo> I see vague suggestion of how my particular case could work in the "ROUTES TO ADD OUTSIDE OF OPENVPN" section
12:07 < TTimo> but I think I need an openvpn process in between my internet clients and my LAN openvpn
12:07 < krzee> actually thats just a small caveat
12:07 < krzee> ok check it out
12:07 < krzee> your lan client connects to the vpn
12:08 < krzee> your router for that lan gets a route to the vpn subnet with the gateway for that subnet going to the lan vpn client
12:08 < krzee> the server pushes the lan subnet route to all clients
12:08 < krzee> the server has a ccd entry for that client with an iroute for that subnet
12:08 < krzee> done
12:09 < TTimo> ok I think I understand
12:09 < krzee> !iroute
12:09 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
12:09 < krzee> !ccd
12:09 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
12:09 < krzee> those things are also explained well in my routing doc
12:11 < TTimo> I will have more reading to do for sure
12:11 < krzee> can you already get more than 1 machine connected to the vpn?
12:11 < TTimo> getting a better understanding before I commit to this approach
12:11 < TTimo> nothing is setup atm. just planning
12:11 < krzee> this is the only approach you should be learning for this type of setup
12:12 < krzee> you will likely find stuff about bridging
12:12 < krzee> however, thats NOT the way for this
12:12 < TTimo> yeah I don't really need bridging
12:12 < krzee> heres a headstart
12:12 < krzee> !sample
12:12 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
12:12 < TTimo> just being able to UDP/TCP traffic my clients selectively to the internal LAN
12:12 < krzee> then you add the stuff from !route (which i basically just told you)
12:13 < TTimo> is openvpn known to work on vserver kernels btw
12:13 < krzee> if the admin of the real server the virtual machine is on does the right stuff
12:13 < krzee> but yes plenty of people have used their vps's
12:13 < TTimo> well that's me as well
12:13 < TTimo> :)
12:15 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
12:15 < rawDawg> .j dd-wrt
12:15 < rawDawg> whoops
12:21 -!- bandinia [n=bandini@79.40.106.156] has quit [Read error: 145 (Connection timed out)]
12:21 -!- bandinia [n=bandini@host19-25-dynamic.20-79-r.retail.telecomitalia.it] has joined ##openvpn
12:24 < TTimo> I need to digg is sysrescuecd has an irc channel now ..
12:24 < TTimo> if
12:26 < krzee> or docs online
12:29 -!- epaphus [n=unix3@190.10.68.228] has quit [Read error: 110 (Connection timed out)]
12:34 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
12:34 -!- _Dennis_ [n=Dennis@86.82.173.230] has quit [Read error: 54 (Connection reset by peer)]
12:47 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
13:02 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
13:17 -!- ruied [n=ruied@89.214.234.87] has joined ##openvpn
13:29 -!- epaphus [n=unix3@190.10.68.228] has joined ##openvpn
13:30 -!- dollabill [n=mike@pool-71-180-144-44.tampfl.fios.verizon.net] has quit []
13:33 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
13:34 -!- Rolybrau [n=Rolybrau@140-194.1-85.cust.bluewin.ch] has joined ##openvpn
13:56 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:25 -!- YaManicK1ll is now known as YaManicKill
14:35 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has joined ##openvpn
14:58 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
15:08 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
15:10 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
15:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
15:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
15:46 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"]
15:51 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
16:10 -!- reactor16 [n=Reactor1@41.105.86.57] has joined ##openvpn
16:10 < reactor16> hi all
16:12 < reactor16> Sat Nov 28 13:54:45 2009 Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
16:12 < reactor16> Sat Nov 28 13:54:45 2009 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
16:12 < reactor16> Sat Nov 28 13:54:45 2009 Cannot allocate TUN/TAP dev dynamically
16:12 < reactor16> ?
16:13 < reactor16> can anyone help me install the tun/tap driver on ubuntu x64 ?
16:20 -!- bandinia [n=bandini@host19-25-dynamic.20-79-r.retail.telecomitalia.it] has quit [Remote closed the connection]
16:24 < Bushmills> modprobe tun
16:26 < reactor16> FATAL: Could not load /lib/modules/2.6.18-128.2.1.el5.028stab064.7/modules.dep: No such file or directory
16:27 < Bushmills> get or make tun module. alternatively, get or compile a kernel with support for tun.
16:28 < Bushmills> given the age of 2.6.18, i'd suggest the latter
16:29 < Bushmills> ehm. do depmod -a first
16:41 -!- reactor16 [n=Reactor1@41.105.86.57] has left ##openvpn []
17:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
17:08 -!- epaphus [n=unix3@190.10.68.228] has quit [Client Quit]
17:20 -!- yoshx [n=yoshx@80.119.46.67] has quit [Connection timed out]
17:23 -!- ruied [n=ruied@89.214.234.87] has left ##openvpn []
17:30 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn
17:35 -!- monttyle [n=monttyle@71-17-245-106.yktn.hsdb.sasknet.sk.ca] has joined ##openvpn
17:35 < monttyle> Hello.
17:38 < monttyle> I'm having a strange performance issue with a VPN. When I connect to the VPN on my home server, hosted on residential highspeed, I can get good speeds through it; when I connect to a VPN I'm hosting in a virtual private server in a high-bandwidth datacenter I get terrible speeds. The config files for the servers are identical down to the keys, no firewalls or bandwidth control is on, and the connection is very high-latency(
17:38 < monttyle> 800ms ping) to both servers.
17:40 < TTimo> same kind of traffic too ?
17:40 < monttyle> identical traffic, even.
17:40 < monttyle> downloading the same file from the same website.
17:41 < TTimo> I guess you'd have to do some network captures
17:41 < TTimo> maybe one of the connections exhibits significant packet loss
17:42 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has joined ##openvpn
17:42 < monttyle> the datacenter is not having significant packet loss. I'd expect that of my residential connection but that works great.
17:44 < TTimo> I'd still do captures to verify the patterns
17:45 < monttyle> I'm using UDP, wouldn't openvpn log that?
17:47 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
17:47 < monttyle> besides -- every other kind of connection works fine. I can download from the troublesome VPN host by other means at blazing speed, and both VPN hosts get the same speeds downloading from my test site...
17:53 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 110 (Connection timed out)]
18:04 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
18:09 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
18:14 -!- ruied [n=ruied@89.214.234.87] has joined ##openvpn
18:31 < monttyle> Having increased the logging level on the troubled server, I'm seeing a large amount of tiny packets, but no timeouts. I've already decreased the fragment from 1300 to 1200 with no change other than making the larger packets smaller..
18:34 -!- master_of_master [i=master_o@p549D7DF9.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:39 -!- master_of_master [i=master_o@p549D6310.dip.t-dialin.net] has joined ##openvpn
18:54 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:13 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
19:28 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Remote closed the connection]
19:58 < MorkBork> if they are virtual servers
19:58 < MorkBork> are you sure you have sufficient cpu power to decode?
19:58 < MorkBork> maybe some sort of limits?
19:58 < MorkBork> try in a terminal on the server
19:58 < MorkBork> in the datacenter of course
19:58 < MorkBork> openssl speed bf-cbc
19:59 < MorkBork> maybe the connection is throttled or its oversold
20:00 < MorkBork> i.e. what do you ping the vpn endpoint without any sort of traffic going on
20:03 < monttyle> sorry, was looking at another window.
20:03 < monttyle> they claim not to throttle or oversell. and when I test through anything but the VPN the speeds are wonderful.
20:03 < monttyle> CPU limits are a good question. I'll check top when I use the vpn.
20:25 < monttyle> CPU usage while downloading over the VPN is so infinitesimal it barely shows.
21:10 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
21:42 -!- Whoopie_ [i=Whoopie@unaffiliated/whoopie] has joined ##openvpn
21:57 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has quit [Read error: 110 (Connection timed out)]
21:57 -!- Whoopie_ is now known as Whoopie
21:58 -!- monttyle [n=monttyle@71-17-245-106.yktn.hsdb.sasknet.sk.ca] has quit ["Leaving"]
23:29 -!- TTimo [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has quit ["Leaving."]
23:45 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
23:53 -!- dli__ [n=dli@66.49.226.142] has joined ##openvpn
23:54 -!- dli_ [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
--- Day changed Sat Nov 28 2009
00:12 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
00:43 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
00:43 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
00:58 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
01:00 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:19 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
02:43 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
02:45 -!- buntfalke [n=nobody@openvpn-p1-007.triple-a.uni-kl.de] has joined ##openvpn
02:48 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has joined ##openvpn
03:46 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
04:12 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has joined ##openvpn
04:16 -!- Whoopie [i=Whoopie@unaffiliated/whoopie] has left ##openvpn ["bye"]
04:51 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
05:05 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
05:47 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
05:55 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
06:03 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
06:13 -!- ruied [n=ruied@89.214.234.87] has quit [Read error: 110 (Connection timed out)]
06:15 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn
06:16 < cizzi> can I use openvpn client/server configuration as another layer of security for my wireless wpa2 lan?
06:16 < cizzi> so even if they crack my wpa2 they cant see my data
06:16 < cizzi> if all clients are openvpn?
06:18 < Bushmills> that would work. but some providers require a bit of configuration tweaking
06:18 < cizzi> define providers
06:18 < cizzi> isp?
06:19 < cizzi> i would route all internet traffic tru the vpn
06:19 < cizzi> i read it might slow things down on the client side
06:19 < cizzi> because of the overhead in encryption
06:21 < Bushmills> some require you to change default port/protocol, as used by openvpn, to something which isn't blocked on their net.
06:21 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
06:21 < cizzi> like when i specify UDP port 1194 in my .conf file u mean? to something else perhaps?
06:21 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
06:29 < Bushmills> oh. i was mentally focused on pstn and cellular networks.
06:30 < Bushmills> partly because my current link sucks. so i was thinking cellular when you said wireless
06:31 < Bushmills> for several hours now, my link is connecting/disconnecting on the slightest load
06:35 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has joined ##openvpn
06:38 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit ["Lost terminal"]
06:44 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has joined ##openvpn
06:46 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has joined ##openvpn
06:48 -!- rawDawg2 [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
06:54 -!- [1]rajin is now known as rajin
06:54 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
07:05 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
07:05 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
07:10 -!- pfo [n=user@chello084114049188.14.vie.surfer.at] has quit [Read error: 110 (Connection timed out)]
07:25 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
07:26 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
07:35 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
07:37 -!- buntfalke_ is now known as buntfalke
07:49 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
07:49 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
07:50 -!- [3]rajin is now known as rajin
07:58 < magic_1> !iporder
07:58 < vpnHelper> magic_1: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
07:58 < magic_1> !static
07:58 < vpnHelper> magic_1: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
07:59 < magic_1> !ccd
07:59 < vpnHelper> magic_1: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
08:05 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
08:06 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
08:07 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
08:07 -!- [2]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
08:08 -!- barefoot [n=magic@196.30.46.202] has joined ##openvpn
08:09 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
08:09 -!- barefoot is now known as magic_1
08:13 -!- [2]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
08:14 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
08:28 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 54 (Connection reset by peer)]
08:29 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
08:39 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
08:40 -!- [4]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
08:41 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 110 (Connection timed out)]
08:46 -!- anteaya [n=anteaya@dyn-dsl-to-76-75-112-243.nexicom.net] has joined ##openvpn
08:46 -!- barefoot [n=magic@41.122.186.43] has joined ##openvpn
08:51 -!- [4]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 54 (Connection reset by peer)]
08:53 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
08:54 < anteaya> thus far I am unable to find any log files for openvpn, here is my client.conf: https://gist.github.com/91a148aec82fac7f3b08 I am having difficulty troubleshooting since I am not getting very helpful error messages. I am using gopenvpn as a gui. I am unable to connect and this is my one and only error message: Error connecting to OpenVPN management interface. How can I run a trace or find information that is more helpful from my
08:54 < anteaya> system. Thank you.
08:54 < vpnHelper> Title: gist: 91a148aec82fac7f3b08 - GitHub (at gist.github.com)
08:55 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
08:58 -!- barefoot [n=magic@41.122.186.43] has quit [Read error: 60 (Operation timed out)]
08:59 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
09:04 -!- [4]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
09:06 < anteaya> can anybody tell me the directory the logs should be in, please?
09:06 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
09:07 < ecrist> anteaya: the logs either come out on stdout or are written to the location specified in your config
09:08 < anteaya> I haven't seen any instructions for creating a path to log output in my client.conf, have I missed an instruction?
09:08 < ecrist> !man
09:08 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:10 -!- [4]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 54 (Connection reset by peer)]
09:10 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
09:10 < ecrist> rajin, what's up?
09:10 -!- Irssi: ##openvpn: Total of 72 nicks [0 ops, 0 halfops, 0 voices, 72 normal]
09:13 < eliasp> i have an OpenVPN server in a 192.168.1.0/24 network. the server provides the network 10.32.0.0/24 for the clients... now i'd like to be able to connect from a client (e.g. 10.32.0.2/24) to a host in the server's network (e.g. 192.168.1.22/24) ... so i have now this route on a VPN client: "192.168.1.0/24 via 10.32.0.1 dev tap0" and i have enabled ipv4_forward on the VPN server... but i still can't reach any host
now i'd like to be able to connect from a client (e.g. 10.32.0.2/24) to a host in the server's network (e.g. 192.168.1.22/24) ... so i have now this route on a VPN client: "192.168.1.0/24 via 10.32.0.1 dev tap0" and i have enabled ipv4_forward on the VPN server... but i still can't reach any host 09:13 < eliasp> in the target network... 09:13 < eliasp> what is missing? 09:17 < anteaya> here is openvpn.config from /var/lib/dpkg/info/ and I can't see any path to output log files in this config. Here is the contents of openvpn.conffiles: https://gist.github.com/fb1b8432b218cf87016c again from the same directory. No mention of a path to output log files. 09:17 < vpnHelper> Title: gist: fb1b8432b218cf87016c - GitHub (at gist.github.com) 09:18 < anteaya> sorry forgot the url to openvpn.conf: https://gist.github.com/e24fae9736e8a2df31c1 09:18 < vpnHelper> Title: gist: e24fae9736e8a2df31c1 - GitHub (at gist.github.com) 09:18 < |Mike|> eh ? 09:19 < anteaya> is the eh? directed at me? 09:19 < |Mike|> Yeah, i don't see a openvpn.conf at those URLS imho 09:20 < anteaya> sorry openvpn.config should be at: https://gist.github.com/e24fae9736e8a2df31c1 09:20 < ecrist> eliasp: the LAN the vpn client is on may interfere. what's the vpn client's LAN address? 09:20 < vpnHelper> Title: gist: e24fae9736e8a2df31c1 - GitHub (at gist.github.com) 09:20 < anteaya> does that not give you a gist entitled openvpn.config? 09:20 < eliasp> ecrist: the client's LAN address is 10.2.0.101/24, so it shouldn't interfere... 
09:21 < ecrist> OK
09:21 < ecrist> eliasp: this is for you
09:21 < ecrist> !route
09:21 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
09:21 < ecrist> !iroute
09:21 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
09:21 < eliasp> ecrist: thx
09:21 < ecrist> the problem you're running into is that OpenVPN doesn't know it's supposed to pass that traffic, so it's dropping it
09:21 < ecrist> use an iroute statement in your config for the client's CN and openvpn will pass the traffic
09:22 < eliasp> ecrist: ah, right... ok... got it... this explains a lot
09:23 < ecrist> anteaya: if there's nothing in the logfile, it's possible you're not logging it at all
09:23 < ecrist> usually a system may have a 'catch-all' in syslog.conf. That file on my systems is /var/log/all.log
09:23 < anteaya> and https://gist.github.com/fb1b8432b218cf87016c should give you a gist entitled openvpn.conffiles
09:23 < vpnHelper> Title: gist: fb1b8432b218cf87016c - GitHub (at gist.github.com)
09:23 < ecrist> otherwise, add the logging line and you'll be fine
09:23 < anteaya> ecrist, I think I am saying there is no log file
09:24 < ecrist> I know what you're saying. so create them
09:24 < anteaya> I am trying to be polite since I am new to this channel, please forgive me if I don't know your protocol
09:24 < anteaya> okay, is there some direction to create them?
09:24 < ecrist> two ways.
09:25 < ecrist> either run the command from the command line and copy/paste to pastebin what appears on the screen, or add the log line to the config file
09:25 < anteaya> listening
09:25 < ecrist> I mentioned that above.
09:26 < anteaya> I think what I am saying is that I am at a loss to create the syntax since I don't have a template and searching 'openvpn create log files' doesn't come back with any useful hints
09:26 < ecrist> !man
09:26 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
09:26 < anteaya> yes, I am a noob but I am trying to solve this
09:26 < anteaya> I have been through the man
09:26 < anteaya> and the !howto
09:26 < anteaya> I haven't seen any responses to the question though
09:27 < ecrist> if you go to the man page, search the page for --log-append
09:27 < anteaya> ecrist, thank you
09:27 < eliasp> ecrist: hmm, doesn't work, as i'm using TAP... so i get a log entry like this: ".... iroute only works with tun-style tunnels"
09:27 < eliasp> ecrist: so would it probably be enough just bridging the eth and the tap device of the server in a common bridge interface?
09:28 < ecrist> no, they're different subnets. you need to route that.
09:28 < eliasp> hmm, still doesn't work.. looks like there's something more than just bridging them needed...
09:28 < eliasp> hmm, yeah.. right
09:29 < eliasp> so i need to set up a specific route on the VPN server after starting OpenVPN...
09:31 -!- [3]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
09:31 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
09:33 < eliasp> hmm, still no success after "ip route add 10.32.0.0/24 via 192.168.1.2"
09:34 < ecrist> eliasp: push "route 10.32.0.0 255.255.255.0 192.168.1.2"
09:35 -!- hyper__ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has joined ##openvpn
09:35 -!- hyper_ch [n=hyper@adsl-89-217-204-148.adslplus.ch] has quit [Nick collision from services.]
09:35 -!- hyper__ch is now known as hyper_ch
09:35 < eliasp> ecrist: that's already done...
09:36 < ecrist> can you draw out your network quick? I may be missing something.
09:36 < eliasp> k, /me launches dia
09:40 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:41 < ecrist> krzie: you around this AM?
09:49 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
09:50 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
09:50 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:50 < magic_1> got it working
09:51 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
09:52 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 54 (Connection reset by peer)]
09:52 -!- [1]rajin is now known as rajin
09:52 < eliasp> ecrist: http://imagebin.ca/view/wwqTgz.html i want to reach the company-fileserver from the home-client
09:53 < vpnHelper> Title: VPN.png (at imagebin.ca)
09:54 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has quit []
09:54 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has joined ##openvpn
09:55 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
09:56 < ecrist> looking at it now
09:57 < ecrist> eliasp: ip_forwarding enabled?
09:57 < eliasp> ecrist: yes
09:57 < ecrist> did you post your configs yet?
09:58 < eliasp> server config: http://dpaste.com/126253/
09:59 < ecrist> I see what's going on.
09:59 < eliasp> client config: http://dpaste.com/126254/
09:59 < ecrist> remove line 6 and line 15
09:59 < eliasp> ok... trying it...
09:59 < ecrist> replace line 15 with
10:00 < ecrist> push "route 192.168.1.0 255.255.255.0"
10:01 < eliasp> hmm, that's what i already had some hours ago... it's still the same... ;-(
10:01 < ecrist> remove the ifconfig line, too
10:01 < ecrist> line 13
10:01 < eliasp> ouch, ok.. that's really bad.. must have sneaked in from the original config i've copied ;-)
10:01 -!- Guest68228 is now known as redfox
10:03 < eliasp> hmm... didn't work... then corrected line 1 (...252.0 → 255.0), but it's still the same...
10:03 < ecrist> ok. does the client connect OK?
10:05 < eliasp> yes, the client connects .. but what's strange now... i can't even ping 10.32.0.1 from the client...
10:06 * eliasp crawls through the logs for suspicious messages
10:09 < ecrist> firewall?
10:09 < eliasp> ecrist: no, nothing at all (neither on the server, nor on the client)
10:09 < eliasp> at least it is disabled for now.. ;-)
10:10 < eliasp> the logs look fine too...
10:13 < eliasp> i wonder why i even can't ping 10.32.0.1 ... that's really strange... 'iptables -L' doesn't list a single rule...
10:14 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
10:14 -!- [1]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
10:14 -!- [1]rajin is now known as rajin
10:16 -!- OpenVPN [n=bot@mr.garrison.secure-computing.net] has joined ##openvpn
10:17 -!- OpenVPN [n=bot@mr.garrison.secure-computing.net] has quit [Remote closed the connection]
10:19 < ecrist> eliasp:
10:20 < ecrist> !logs
10:20 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:23 < eliasp> server-log: http://dpaste.com/126259/
10:25 < eliasp> client-log: http://pastebin.ca/1691214
10:26 < eliasp> i've started the server, then the client, then stopped the client and then the server... the complete output of this process is in the logs above
10:27 < eliasp> hmm, sorry... ignore these logs...
10:28 < eliasp> i was missing 'push "route..."' when generating them as i was testing something....
10:28 < eliasp> server-log: http://dpaste.com/126261/
10:28 < eliasp> client-log: http://pastebin.ca/1691217
10:29 < eliasp> but to me, they look ok so far...
10:30 < ecrist> ok
10:30 < ecrist> looking
10:32 < ecrist> question, why are you using tap instead of tun?
10:32 < eliasp> ecrist: because of WINS/SMB
10:33 < ecrist> SMB works over tun, and WINS allows SMB to be browsable across subnets
10:33 < ecrist> but that's fine
10:33 < eliasp> so i could switch to tun?
10:34 < ecrist> yep. if you want a browsable network, you need to setup a WINS server and push that in your openvpn config
10:34 < ecrist> samba can do that for you
10:34 < eliasp> don't know if SMB works flawlessly DNS based on windows too...
10:34 < eliasp> ok
10:34 < eliasp> ok, great...
10:34 < eliasp> i'll try switching to tun
10:36 < ecrist> well, regardless, we need to figure out why you can't ping the VPN server ip address
10:36 < ecrist> it *really* sounds like a firewall
10:36 < eliasp> yes, to me too... but on the server + client, iptables -L doesn't show any rules at all
10:38 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has quit [Read error: 110 (Connection timed out)]
10:42 < eliasp> huu? this is strange... on the client, i have this route: 10.32.0.0/24 via 10.32.0.5 dev tun0 ... shouldn't this go to .0.1?
10:44 < eliasp> seems this is initiated by this control message: Sat Nov 28 17:40:46 2009 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.32.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.32.0.6 10.32.0.5'
10:44 < ecrist> eliasp: no, that's normal
10:44 < ecrist> !/30
10:44 < vpnHelper> ecrist: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
10:44 < eliasp> ah, ok
10:47 -!- OpenVPN [n=bot@mr.garrison.secure-computing.net] has joined ##openvpn
10:47 < OpenVPN> OpenVPN is here to save the day!
10:47 -!- OpenVPN [n=bot@mr.garrison.secure-computing.net] has quit [Remote closed the connection]
10:48 < eliasp> ah, ok.. i can ping 10.23.0.6 from the client...
10:48 < eliasp> arghl, that's the client itself ;-)
10:49 * eliasp needs some fresh air... my mind is playing jokes with me ;-)
10:49 < eliasp> ecrist: thanks for all your help so far... i'll continue this tomorrow...
10:50 < ecrist> ok
10:50 < ecrist> you won't be able to ping .5
10:50 < ecrist> but you can ping .1
10:50 < eliasp> yes, that's what i've expected... but .1 isn't reachable
10:51 < ecrist> *cough* firewall
10:51 < ecrist> ;)
10:52 < eliasp> ecrist: hehe, if you want evidence: http://dpaste.com/126270/
10:52 < ecrist> !iptables
10:52 < vpnHelper> ecrist: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall
10:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
10:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
11:03 -!- rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 54 (Connection reset by peer)]
11:03 -!- [2]rajin [n=rajin@c147044.adsl.hansenet.de] has joined ##openvpn
11:15 -!- [2]rajin [n=rajin@c147044.adsl.hansenet.de] has quit [Read error: 104 (Connection reset by peer)]
12:01 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has joined ##openvpn
12:21 -!- Avalloc [n=_@d020208.adsl.hansenet.de] has joined ##openvpn
12:32 < anteaya> ecrist, thanks for your help earlier, I am connected
12:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
12:43 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:50 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:57 < Dennis_> how can it be that udp has a lag of <1ms and tcp >500 ms?
12:59 < hyper_ch> magic udp
12:59 < Dennis_> Well, it has to work behind a proxy which blocks udp, so i'm stuck with tcp
13:02 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
13:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
13:05 -!- anteaya [n=anteaya@dyn-dsl-to-76-75-112-243.nexicom.net] has quit [Client Quit]
13:27 -!- Avalloc [n=_@d020208.adsl.hansenet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Wibbly Wobbly IRC"]
13:35 -!- flaif [n=irc@d207-81-97-202.bchsia.telus.net] has joined ##openvpn
14:02 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)]
14:02 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
14:15 -!- MorkBork [n=mark@unaffiliated/morkbork] has quit [Read error: 131 (Connection reset by peer)]
14:17 -!- MorkBork [n=mark@unaffiliated/morkbork] has joined ##openvpn
14:40 < Dennis_> http://pastebin.com/m7e90143a what can be wrong? i have no idea...
14:44 < ecrist> Dennis_:
14:44 < ecrist> !tcp
14:44 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
14:45 < Dennis_> well the problem is that the proxy blocks udp so i'm stuck with tcp
14:47 < ecrist> Dennis_: then you're going to get extra latency
14:47 < Dennis_> but it's normal that it's that much?
14:47 < ecrist> yup
14:47 < Dennis_> damn, ok
14:53 < Dennis_> !redirect
14:53 < vpnHelper> Dennis_: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:09 < flaif> When initiating a udp connect, it tries for 60 seconds and fails due to the --hand-window of 60 seconds. Is there a way to reduce the udp connect retry attempts/time without altering the hand-window?
15:11 -!- dli__ [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
15:11 -!- dli__ [n=dli@66.49.226.142] has joined ##openvpn
15:26 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has quit []
15:26 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has joined ##openvpn
15:29 -!- ruied [n=ruied@bl9-255-122.dsl.telepac.pt] has quit [Read error: 60 (Operation timed out)]
16:09 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
16:12 -!- epaphus [n=unix3@201.199.41.166] has joined ##openvpn
16:37 -!- epaphus [n=unix3@201.199.41.166] has quit ["Leaving"]
16:51 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn
16:54 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
16:58 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
17:00 < ecrist> krzie: you around?
17:00 < |Mike|> doubt it
17:00 < ecrist> yeah, me too
17:00 < ecrist> I need a database dump from vpnhelper
17:01 < ecrist> !all_your_Base
17:01 < vpnHelper> ecrist: Error: "all_your_Base" is not a valid command.
17:01 < ecrist> doh
17:09 < krzie> hey
17:10 < krzie> ok ill copy the db for ya
17:15 < krzie> where do you want it?
17:17 < ecrist> email?
17:17 < ecrist> I'm writing a newer, shittier bot.
17:17 < ecrist> :)
17:17 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
17:18 < krzie> joo got access to butters?
17:19 -!- yoshx [n=yoshx@67.46.119-80.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
17:20 < ecrist> I have physical access, don't think I have an account. lemme look
17:20 < ecrist> no access for me
17:21 < krzie> aight lemme make ya one
17:21 < krzie> 1min
17:23 -!- TTimo [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has joined ##openvpn
17:24 < krzie> pls change
17:25 < |Mike|> changeme123 ?
17:28 < ecrist> where I work, the staff was using that when they reset user passwords. I did a search of our ~1200 users and more than half never changed their passwords.
17:29 -!- Traveler [n=traveler@4010ds1-vir.0.fullrate.dk] has joined ##openvpn
17:29 -!- Traveler is now known as Guest67620
17:29 < Guest67620> hi
17:30 < Guest67620> do you guys know hamachi?
17:30 < ecrist> how often should the new bot scan the SVN repo and report changes, and how verbose do we want it?
17:31 < Guest67620> it used to be nice piece of code, but now it's obsolete and dead at least on OS X platform
17:31 < krzie> ecrist, daily ild think
17:31 < ecrist> Guest67620: it's commercial software, picked up by go2mypc or something.
17:31 < Guest67620> I would like to ask if OpenVPN can do the job for me...can it connect me
17:31 < ecrist> midnight or noon, GMT?
17:31 < ecrist> to hamachi, I don't think so
17:32 < krzie> time, no opinion from me
17:32 < krzie> Guest67620 connect you to what exactly...?
17:32 < Guest67620> to my work computer with some bloody windows XP or what? Work machine is behind FW/NAT etc..
17:32 < krzie> sure
17:33 < Guest67620> from OS X machine somewhere in the wild, across internet?
17:33 < krzie> assuming you have a server somewhere that both can connect to, sure
17:33 < Guest67620> would I be able to print and copy files back and forth?
17:33 < krzie> if you set it up to, yes
17:33 < Guest67620> wake my work machine on LAN?
17:34 < krzie> wake it?
17:34 < krzie> if its not awake i have to assume its connection to the vpn wont be active, so no
17:34 < Guest67620> right, one can force it to work all the time, right?
17:35 < krzie> sure
17:35 < krzie> but afaik when a computer goes to sleep its internet goes down, so no waking it over vpn
17:35 < krzie> cause there would be no vpn connection
17:36 < Guest67620> would the setup (2 different platforms, architectures, etc) be really complex? Would all the fancy (samba, printing, port forward) features be way too complicated to set up?
17:38 < Guest67620> would I need some third machine, some independent server if both devices are without public IP?
17:38 < krzie> the platform / arch thing is a non issue for ovpn itself
17:38 < krzie> yes, i already said youd need a server somewhere
17:38 < Guest67620> that's encouraging.
17:38 < krzie> for samba i recommend setting up a WINS server
17:38 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
17:38 < krzie> printing, normal just use the vpn ip
17:39 < krzie> port forward, i dont understand... you dont need port forwarding from what ive heard so far
17:39 < Guest67620> I do, for setting up outgoing emails
17:40 < Guest67620> from local machine with OS X, being outside my work intranet
17:40 < Guest67620> At least that's how I used to do it.
17:40 < krzie> i dont get what you mean
17:42 < Guest67620> don't worry. At least existing binary for MAC and for XP seem to be encouraging...what would I need to run on that 3 machine, on that independent server?
17:42 < ecrist> I'm out for the evening. L8r
17:42 < Guest67620> something at userspace, or one have to have root there?
17:42 < krzie> night eric
17:42 < krzie> root / admin on ALL involved machines
17:43 < krzie> you cant even connect to openvpn without root
17:43 < Guest67620> hmmm..
17:43 < krzie> you need access to change routing tables / stuff on interface
17:43 < Guest67620> that basically means having some hosting, right?
17:44 < Guest67620> at least some VPS server for few bucks a month
17:44 -!- Guest67620 [n=traveler@4010ds1-vir.0.fullrate.dk] has quit ["Java user signed off"]
17:44 < krzie> it means you need a machine that the clients can connect to, on that machine you need root
17:57 -!- hadronzoo [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has joined ##openvpn
17:58 < hadronzoo> I'm setting up a simple OpenVPN server at my home to use when I'm on a public WiFi hotspot. Should I use TUN or TAP?
17:59 < krzie> !tunortap
17:59 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
17:59 < krzie> =]
17:59 < hadronzoo> krzie: Thanks--I knew it was probably a commonly asked question!
17:59 < krzie> actually i wish it was
18:00 < krzie> everyone seems to think they need tap for some reason
18:00 < hadronzoo> I'd rather not waste the bandwidth and the processing on an extra layer
18:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:06 < krzie> yup, and that's the right decision
18:06 < krzie> so will you be wanting to access your lan over this connection, redirect your inet over your home connection, or both?
18:12 < hadronzoo> krzie: I want to both access my lan and redirect my internet connection.
18:12 < krzie> !route
18:12 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
18:12 < krzie> !redirect
18:12 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:12 < krzie> =]
18:13 < hadronzoo> OK, thanks. I'm reading the documentation now.
18:13 < krzie> np
18:14 < |Mike|> rtfm till ya die :D
18:27 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
18:30 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
18:34 -!- ptmahent` [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
18:35 -!- master_of_master [i=master_o@p549D6310.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:35 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
18:36 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit [Read error: 110 (Connection timed out)]
18:38 -!- master_of_master [i=master_o@p549D3765.dip.t-dialin.net] has joined ##openvpn
18:47 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
18:47 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
18:49 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
19:01 -!- TTimo_ [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has joined ##openvpn
19:02 < TTimo_> howdy ..
19:02 < krzie> hey
19:10 < TTimo_> reading more docs .. if I have more than 1 client I *have* to use the PKI stuff do I?
19:13 < krzie> correct
19:13 < krzie> in fact they arent even "clients" unless you use that
19:14 < krzie> without PKI they are simply peers in a peer to peer setup
19:15 -!- Optic [n=nndfrase@miso.capybara.org] has quit ["Terminated with extreme prejudice - dircproxy 1.2.0"]
19:18 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
19:25 < TTimo_> !port
19:25 < vpnHelper> TTimo_: Error: "port" is not a valid command.
19:25 < TTimo_> oh boo
19:25 < TTimo_> 1194 right
19:26 < TTimo_> yeh
19:40 -!- kiwi_ [n=_netty@ks359129.kimsufi.com] has quit ["Leaving."]
20:07 -!- purifiedmadness1 [n=jesus@c-67-177-231-60.hsd1.co.comcast.net] has joined ##openvpn
20:33 -!- hadronzoo_ [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has joined ##openvpn
20:34 -!- hadronzoo [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has quit [Read error: 60 (Operation timed out)]
20:34 -!- hadronzoo_ is now known as hadronzoo
20:36 -!- TTimo_ [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has quit []
20:43 -!- hadronzoo [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has quit [Read error: 104 (Connection reset by peer)]
20:43 -!- hadronzoo [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has joined ##openvpn
20:49 -!- hadronzoo_ [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has joined ##openvpn
20:50 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 131 (Connection reset by peer)]
20:53 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 60 (Operation timed out)]
20:55 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
20:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:02 -!- hadronzoo__ [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has joined ##openvpn
21:04 -!- hadronzoo [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has quit [Read error: 110 (Connection timed out)]
21:04 -!- hadronzoo__ is now known as hadronzoo
21:08 -!- teddy [n=teddy@75.81.23.31] has joined ##openvpn
21:09 -!- teddy [n=teddy@75.81.23.31] has left ##openvpn ["Ex-Chat"]
21:10 -!- hadronzoo_ [n=hadronzo@ppp-70-251-68-80.dsl.rcsntx.swbell.net] has quit [Read error: 110 (Connection timed out)]
21:12 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
21:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
21:22 -!- hadronzoo_ [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has joined ##openvpn
21:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
21:29 -!- hadronzoo [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has quit [Read error: 110 (Connection timed out)]
21:29 -!- hadronzoo_ [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has quit []
22:12 -!- epaphus [n=unix3@201.199.62.74] has joined ##openvpn
22:23 -!- epaphus [n=unix3@201.199.62.74] has quit ["Leaving"]
22:27 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
22:35 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
23:09 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
23:26 -!- maxagaz [n=g@125.39.69.51] has joined ##openvpn
23:26 < maxagaz> what does tun stand for ?
23:31 < TTimo> it means tunnel
23:31 < TTimo> !tun
23:31 < vpnHelper> TTimo: Error: "tun" is not a valid command.
23:31 < TTimo> heh
23:31 < TTimo> it's the name of the kernel module, and the virtual network device that gives access to the tunnel
23:38 < maxagaz> ok thanks
23:41 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
23:59 -!- m3thos [n=mindblas@bl7-51-239.dsl.telepac.pt] has joined ##openvpn
--- Day changed Sun Nov 29 2009
00:07 -!- m3th0s [n=mindblas@85.240.54.1] has quit [Read error: 145 (Connection timed out)]
00:23 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:32 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:46 -!- hadronzoo [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has joined ##openvpn
00:46 -!- flaif [n=irc@d207-81-97-202.bchsia.telus.net] has left ##openvpn []
00:47 < hadronzoo> In reading my logs, I've noticed that my control channel cipher is "EDH-RSA-DES-CBC3-SHA". How can I change this (from DES)?
00:56 < krzee> i believe with cipher
00:56 < krzee> and --show-ciphers or something to see options
00:56 < krzee> !man
00:56 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
00:56 < krzee> its all in there
00:57 -!- TTimo [n=timo@pool-173-71-47-243.dllstx.fios.verizon.net] has quit ["Leaving."]
00:57 < hadronzoo> I saw how to change the data channel cipher, but not the control channel. I'll look again. Thanks
01:04 < hadronzoo> krzee: ah, found it: tls-cipher.
01:10 -!- hadronzoo [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has quit [Remote closed the connection]
01:10 -!- hadronzoo [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has joined ##openvpn
01:28 -!- hadronzoo [n=hadronzo@ppp-70-251-78-222.dsl.rcsntx.swbell.net] has quit []
01:42 -!- cr4zyb0y [n=crazyboy@118.68.1.50] has joined ##OpenVPN
01:43 < cr4zyb0y> hello
01:44 < cr4zyb0y> anybody here, can you help me to redirect all packets at my vpn client through vpn server then nat to internet ?
01:45 < krzee> !redirect
01:45 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:01 < cr4zyb0y> oh
02:02 < cr4zyb0y> how to use dns ?
02:03 < cr4zyb0y> i was configured to redirect, but now, can't connect via domain name :-s
02:20 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
02:23 < krzee> !dns
02:23 < vpnHelper> krzee: "dns" is Level3 open recursive DNS server at 4.2.2.1
02:23 < krzee> try that
02:29 < cr4zyb0y> !dns ???
02:29 < vpnHelper> cr4zyb0y: Error: "dns" is not a valid command.
02:35 < maxagaz> how to set down a route ? ( net 192.168.101.0 gw 192.168.101.2 mask 255.255.255.252 )
03:49 -!- ent [i=james@unaffiliated/ent] has joined ##openvpn
04:01 -!- ent [i=james@unaffiliated/ent] has quit []
04:23 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has joined ##openvpn
04:27 -!- _igel_ [n=_igel_@dslb-088-073-096-190.pools.arcor-ip.net] has joined ##openvpn
04:27 < _igel_> hi
04:34 -!- _igel__ [n=_igel_@dslb-088-074-006-140.pools.arcor-ip.net] has joined ##openvpn
04:37 < _igel__> hi
04:38 < _igel__> I changed my password via the VPN client. Now connection to the VPN server is not working anymore, neither with the old password nor the new one! Do you have an idea?
04:47 -!- _igel_ [n=_igel_@dslb-088-073-096-190.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
04:52 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
04:54 -!- cr4zyb0y [n=crazyboy@118.68.1.50] has left ##OpenVPN ["Leaving"]
05:07 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
05:09 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)]
05:10 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
05:18 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn
05:18 -!- Avalloc [n=_@c223017.adsl.hansenet.de] has joined ##openvpn
05:19 < kosmic> http://www.linuxquestions.org/questions/linux-networking-3/openvpn-cannot-ioctl-tunsetiff-tun-operation-not-permitted-571942/
05:19 < vpnHelper> Title: OpenVPN: Cannot ioctl TUNSETIFF tun: Operation not permitted? - LinuxQuestions.org (at www.linuxquestions.org)
05:19 < kosmic> this is the issue im having
05:20 < kosmic> according to the thread, only root can open tun/tap devices
05:20 < kosmic> does that require me to run openvpn as root?
05:21 < kosmic> without doing as the thread recommends, adding sudo. whatever
05:23 -!- EnginA [i=d49c390a@gateway/web/freenode/x-ujcthsyxzfuisyva] has joined ##openvpn
05:24 -!- _igel_ [n=_igel_@dslb-088-074-005-162.pools.arcor-ip.net] has joined ##openvpn
05:25 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
05:25 < EnginA> openvpn software suite eases the process of setting up a VPN server and connecting to it, right ?
05:26 < EnginA> so, it is more of a GUI tool that manages the OS ?
05:29 < EnginA> in short, I need VPN for I'm behind a terribly firewalled network. I usually use paid service from hidemyass VPN, I bought one package but it is still not activated.
05:30 < EnginA> I have a few Windows 2005 servers with high bandwidth and quite close to me, I wonder what would be the simplest way to install a VPN server to them, so that I can use my own dedicated servers for VPN access. That makes sense doesn't it ?
05:30 < EnginA> I also have quite a few linux servers too but they are starved for bandwidth as they are utilised to the max.
05:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:36 -!- _igel__ [n=_igel_@dslb-088-074-006-140.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
05:53 < EnginA> Hello ?
05:54 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
06:09 -!- dli__ [n=dli@66.49.226.142] has quit [Read error: 110 (Connection timed out)]
06:09 -!- dli__ [n=dli@66.49.226.142] has joined ##openvpn
06:14 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:14 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
06:17 < Dennis_> how's openvpn windows 7 support?
06:18 < Dennis_> my vpn works everywhere except on my windows 7 machine
06:35 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
06:38 -!- _igel__ [n=_igel_@dslb-088-074-014-068.pools.arcor-ip.net] has joined ##openvpn
06:50 -!- _igel_ [n=_igel_@dslb-088-074-005-162.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
06:57 -!- EnginA [i=d49c390a@gateway/web/freenode/x-ujcthsyxzfuisyva] has quit [Ping timeout: 180 seconds]
07:09 -!- Argafal [i=argafal@91.190.183.254] has quit ["leaving"]
07:28 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
07:40 < kosmic> endre, dimple
07:40 < kosmic> oh wow
07:40 < kosmic> engina, or whatever. the guy left
07:40 < kosmic> dennis_, if it doesnt work on win 7 then thats your answer
07:44 < Dennis_> kosmic, well, could be that windows 7 wasnt supported or i made a mistake
07:56 < kosmic> dennis_, http://lmgtfy.com/?q=openvpn+not+working+in+windows+7
07:56 < vpnHelper> Title: Let me google that for you (at lmgtfy.com)
07:57 < kosmic> aaw
08:20 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
08:48 -!- damjan [n=damjan@legolas.on.net.mk] has joined ##openvpn
08:52 < damjan> I don't get $route_net_gateway in --route-up or --ipchange scripts, is this intentional? (since that's where I need it)
08:53 < damjan> this is in 2.1_rc20, but I don't see a change wrt this in the ChangeLog
08:54 < damjan> and another thing, I tried running "dhcpcd" from --route or --ipchange .. but the thing is until the script finishes OpenVPN blocks the tunnel ...
08:55 < damjan> .. I'm inspecting the tap0 interface with tcpdump, and I see the dhcp queries - but the replies only come through after dhcpcd fails and OpenVPN says "Initialization Sequence Completed"
08:56 -!- _igel_ [n=_igel_@dslb-088-074-014-068.pools.arcor-ip.net] has joined ##openvpn
08:59 -!- _igel__ [n=_igel_@dslb-088-074-014-068.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
09:11 < Dennis_> kosmic, it works, just the ping is too high
09:11 < Dennis_> on xp/vista the ping is normal
09:19 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
09:39 < kosmic> dennis_, time to ditch windows
09:40 -!- stephenh [i=stephenh@69.30.200.88] has quit [Read error: 131 (Connection reset by peer)]
09:40 < Dennis_> Well, i can ditch as much as i want but it doesnt fix it i'm afraid
09:42 < kosmic> i quit using windows and im good
09:43 < Dennis_> well, its not that i'm a huge fan of windows but i need to use it for my college ;)
10:10 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:18 -!- barefoot [n=magic@41.121.90.103] has joined ##openvpn
10:19 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
10:19 -!- barefoot is now known as magic_1
10:30 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
10:34 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has quit ["Nice Scotty, now beam my clothes up too!"]
10:36 -!- _igel_ [n=_igel_@dslb-088-074-014-068.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
10:40 -!- _igel_ [n=_igel_@dslb-088-074-031-146.pools.arcor-ip.net] has joined ##openvpn
10:44 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
10:48 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 110 (Connection timed out)]
10:48 -!- _Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)]
10:49 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has joined ##openvpn
10:53 -!- Dennis_ [n=Dennis@ip5652ade6.speed.planet.nl] has quit [Read error: 104 (Connection reset by peer)]
11:08 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
11:34 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit [Read error: 104 (Connection reset by peer)]
12:13 -!- _igel_ [n=_igel_@dslb-088-074-031-146.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
12:17 -!- _igel_ [n=_igel_@dslb-088-074-005-029.pools.arcor-ip.net] has joined ##openvpn
12:21 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:24 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has joined ##openvpn
12:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:44 -!- maxagaz [n=g@125.39.69.51] has quit ["Leaving"]
13:31 -!- Elen [n=_@c146167.adsl.hansenet.de] has joined ##openvpn
13:31 -!- Elen is now known as Guest39448
13:38 -!- dli__ [n=dli@66.49.226.142] has quit [Read error: 113 (No route to host)]
13:40 -!- _igel_ [n=_igel_@dslb-088-074-005-029.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)]
13:44 -!- _igel_ [n=_igel_@dslb-088-073-127-143.pools.arcor-ip.net] has joined ##openvpn
13:46 -!- Avalloc [n=_@c223017.adsl.hansenet.de] has quit [Connection timed out]
14:02 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
14:16 -!- Guest39448 [n=_@c146167.adsl.hansenet.de] has quit [Client Quit]
14:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:50 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
15:01 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
15:14 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
15:15 -!- _igel__ [n=_igel_@dslb-088-074-015-094.pools.arcor-ip.net] has joined ##openvpn
15:17 -!- _igel_ [n=_igel_@dslb-088-073-127-143.pools.arcor-ip.net] has quit [Read error: 104 (Connection reset by peer)]
15:26 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has joined ##openvpn
15:28 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has quit [Remote closed the connection]
15:35 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has joined ##openvpn
15:37 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
15:38 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has quit [Remote closed the connection]
15:40 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has joined ##openvpn
16:01 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:09 -!- gil [n=gil@78-86-196-70.zone2.bethere.co.uk] has joined ##openvpn
16:11 < gil> Hello there - I am pretty new to openvpn and trying to figure out how it all works - if I set up openvpn to a server, does my system solely use that to steer all internet traffic to and from that server, or can I specify only certain types of traffic to be pushed to openvpn, by configuring, for example, ports?
16:13 < krzie> by ip / subnet, easy
16:13 < krzie> by application / port, not easy
16:13 < krzie> and not part of openvpn
16:13 < krzie> but the way you could choose to do it by application / port would be as follows:
16:14 < krzie> you setup a socks proxy server (i use dante) on the vpn server, on the vpn ip
16:14 < krzie> then use an application on the client (i use proxifier) to direct specified traffic to that proxy (which you access via vpn ip)
16:15 < krzie> then in the settings for proxifier i can say which apps / ports / subnets to direct over the vpn (or exclude from going over the vpn)
16:16 < krzie> but, you CAN set it up to just be your default route
16:23 -!- _igel_ [n=_igel_@dslb-088-073-112-130.pools.arcor-ip.net] has joined ##openvpn
16:32 < gil> krzie thanks for the advice - food for thought and stuff for me to read up on there :) Thanks!
16:35 -!- _igel__ [n=_igel_@dslb-088-074-015-094.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
16:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
17:07 -!- _igel__ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn
17:18 -!- _igel_ [n=_igel_@dslb-088-073-112-130.pools.arcor-ip.net] has quit [Read error: 113 (No route to host)]
17:19 -!- yoshx [n=yoshx@88-138-190-92.adslgp.cegetel.net] has quit [Read error: 60 (Operation timed out)]
17:28 -!- gil [n=gil@78-86-196-70.zone2.bethere.co.uk] has quit ["Leaving"]
17:51 -!- _igel__ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
17:59 -!- Kalle [n=Kalle322@p5B2D3371.dip0.t-ipconnect.de] has joined ##openvpn
18:14 -!- ruied [n=ruied@bl7-213-102.dsl.telepac.pt] has joined ##openvpn
18:18 -!- vlt is now known as vlt_asleep
18:35 -!- master_of_master [i=master_o@p549D3765.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:38 -!- ruied [n=ruied@bl7-213-102.dsl.telepac.pt] has quit []
18:38 -!- kyrix [n=ashley@chello080109056248.9.14.vie.surfer.at] has quit ["Leaving"]
18:39 -!- master_of_master [i=master_o@p549D7D2B.dip.t-dialin.net] has joined ##openvpn
18:42 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
18:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:11 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:39 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
20:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
20:51 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)]
20:51 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
21:01 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has quit ["Free FTW"]
21:13 -!- WnnR [n=rvillarr@97-87-24-82.static.aldl.mi.charter.com] has joined ##openvpn
21:16 < WnnR> !route
21:16 < vpnHelper> WnnR: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:21 < WnnR> !topology
21:21 < vpnHelper> WnnR: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
21:22 -!- LobbyZ [n=default@Woet.lobbyzffs.com] has joined ##openvpn
21:38 < WnnR> Q: openvpn server has eth0 (10.0.0.0/24) and eth1 (10.0.3.0/24). Connections come in on eth0. Clients can ping machines behind 10.0.0.0/24, but not 10.0.3.0/24. No error messages in any logs (verb=4). iptables is off. Confirmed via tcpdump that 10.0.3.0/24 machines are responding to pings, but the openvpn server isn't returning them. Openvpn 'network' is default 10.8.0.0/24. Ideas?
21:38 -!- Kalle322 [n=Kalle322@p5B2D2744.dip0.t-ipconnect.de] has joined ##openvpn
21:40 -!- Kalle [n=Kalle322@p5B2D3371.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)]
22:01 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
22:48 -!- tjz [n=tjz@bb121-7-30-30.singnet.com.sg] has joined ##openvpn
23:03 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:22 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
--- Day changed Mon Nov 30 2009
00:20 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:23 -!- hyper_ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has quit [Remote closed the connection]
00:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:53 -!- dazo_afk is now known as dazo
01:02 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
01:20 -!- hyper_ch [n=hyper@197-4.106-92.cust.bluewin.ch] has joined ##openvpn
01:43 -!- corretico__ [n=laguilar@201.201.46.106] has quit ["Leaving"]
01:51 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:05 -!- corretico [n=laguilar@201.201.46.106] has quit [Client Quit]
02:05 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
02:06 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
02:08 < kosmic> n
02:09 < kosmic> tadatada
02:26 -!- kwek [n=kwek@212.230.220.159] has joined ##openvpn
02:27 -!- Sky[x] [n=SkyB0x@88.200.89.21] has joined ##openvpn
03:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
03:34 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn
03:38 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn
03:50 -!- Kalle322 [n=Kalle322@p5B2D2744.dip0.t-ipconnect.de] has quit []
04:03 -!- Sky[x] [n=SkyB0x@88.200.89.21] has quit [Client Quit]
04:09 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 60 (Operation timed out)]
04:10 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
04:21 -!- _Brandon_ [n=_Brandon@host50-216-static.47-85-b.business.telecomitalia.it] has joined ##openvpn
04:23 < _Brandon_> hi, is it normal that all traffic between clients is routed through the openvpn server? it's very slow this way
04:23 < _Brandon_> I would like to have a direct connection like hamachi
04:34 -!- kwek [n=kwek@212.230.220.159] has quit [Read error: 110 (Connection timed out)]
04:44 < dazo> _Brandon_: all traffic, you mean also Internet traffic?
04:45 < dazo> dazo: if so ... that's just to avoid using --redirect-gateway
04:45 < dazo> _Brandon_: ^^
04:47 < _Brandon_> dazo: no I mean just between clients, I have client A and B connected to server C, if I want to connect from A to B everything goes through C
04:48 < dazo> _Brandon_: There's no way around this .... they do the connection and authentication against server C .... and the connection parameters and encryption settings are negotiated with the server
04:49 < _Brandon_> with hamachi instead you can connect directly between clients, is it not possible to do this with openvpn?
04:49 < dazo> _Brandon_: nope
04:49 < _Brandon_> I see
04:54 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
05:13 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:39 -!- hyper_ch [n=hyper@197-4.106-92.cust.bluewin.ch] has quit [Remote closed the connection]
05:41 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:08 -!- _Brandon_ [n=_Brandon@host50-216-static.47-85-b.business.telecomitalia.it] has quit [Remote closed the connection]
06:14 -!- vlt_asleep is now known as vlt
06:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
06:22 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn
06:38 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:40 -!- hyper_ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has joined ##openvpn
06:45 -!- ruied [n=ruied@89.214.254.147] has joined ##openvpn
07:04 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit]
07:17 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
07:21 -!- dazo [n=dazo@nat/redhat/x-ufvkfrcytwgnevdk] has quit [Connection reset by peer]
07:22 -!- dazo_ [n=dazo@nat/redhat/x-vnbqkbeqdaonpnli] has joined ##openvpn
07:26 -!- dazo_ is now known as dazo
07:27 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn
07:35 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
07:58 -!- yoshx [n=yoshx@93.9.145.178] has quit [Read error: 110 (Connection timed out)]
08:03 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit]
08:06 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
08:06 < Rienzilla> Hi
08:07 < ecrist> hello
08:08 < Rienzilla> I wondered if there are any known issues using STP over an openvpn TAP link
08:09 < Rienzilla> I'll sketch my setup, give me a minute :)
08:09 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn
08:10 < ecrist> STP as in Spanning Tree Protocol and not the motor oil, right?
08:11 < Rienzilla> of course :-)
08:12 < ecrist> there should be no issues at all
08:12 < Rienzilla> hmmm
08:14 -!- yoshx [n=yoshx@93.9.145.178] has quit [Remote closed the connection]
08:30 < Rienzilla> http://www.pastebin.org/58717
08:31 < Rienzilla> might that issue be openvpn-related? (for example, does openvpn somehow learn/cache what mac addresses are active on what link?)
08:39 < ecrist> don't really know. I would tcpdump the traffic on the interfaces and see if there's anything that jumps out at you
08:45 < Rienzilla> yeah I didn't really find anything there
08:46 < Rienzilla> the weird thing is
08:46 < Rienzilla> if I tcpdump the vpn interfaces, I see traffic on the one end that I do _not_ see at the other
08:49 < Rienzilla> which would imply that openvpn drops those somewhere along the way
08:49 < ecrist> odd
08:58 -!- ruied [n=ruied@89.214.254.147] has quit [Read error: 110 (Connection timed out)]
09:07 < Bushmills> !firewall
09:07 < vpnHelper> Bushmills: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets.
09:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:22 -!- damjan [n=damjan@legolas.on.net.mk] has quit [Read error: 110 (Connection timed out)]
09:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
09:57 -!- dazo is now known as dazo_afk
09:59 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:12 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
10:15 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn
10:21 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
10:23 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit [Read error: 110 (Connection timed out)]
10:44 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
11:00 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
11:00 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn
11:02 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
11:03 -!- magic_1 [n=magic@41.121.89.177] has joined ##openvpn
11:06 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
11:08 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
11:09 -!- magic_1 [n=magic@41.121.51.48] has joined ##openvpn
11:12 -!- magic_1 [n=magic@41.121.51.48] has quit [Read error: 104 (Connection reset by peer)]
11:13 -!- magic_1 [n=magic@41.121.96.102] has joined ##openvpn
11:13 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
11:22 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
11:30 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
11:36 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:43 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)]
11:43 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
11:57 -!- monttyle [n=monttyle@71-17-243-213.yktn.hsdb.sasknet.sk.ca] has joined ##openvpn
11:57 < monttyle> Hello.
11:59 < ecrist> hi
11:59 < monttyle> I have a performance issue with my VPN... I have a 'test' server set up and a 'real' server on a hosting provider. The test server gets GREAT bandwidth on its horrible connection while the real server gets awful bandwidth on its wonderful connection. The client has very high latency to both.
11:59 < monttyle> Testing bandwidth any other way shows a great connection between the real server and the client otherwise.
11:59 < ecrist> so, what's different about their setup?
12:00 < monttyle> Nothing. The configuration's identical except for the keys. The 'real' server's set up in a VPS over which I have complete control, and there's almost nothing installed yet. Certainly no firewalls or QOS.
12:01 < ecrist> ok, is the test server a VPS on the same system, or a similar system?
12:01 -!- gilos123 [n=gilos@64-126-117-142.dyn.everestkc.net] has joined ##openvpn
12:01 < monttyle> The test server is a VPN hosted by my anemic home server.
12:02 < ecrist> so, there are differences other than connection/ISP
12:02 < ecrist> I would suspect the VPS
12:02 < monttyle> I picked a VPS provider that would allow me to install the same operating system as my home server. They're still very nearly identical. Yeah, I was afraid of that.
12:03 < monttyle> Good thing we only got a month of hosting yet... any suggestions for a good VPN host? :/
12:04 < ecrist> not really
12:04 < ecrist> !providers
12:04 < vpnHelper> ecrist: Error: "providers" is not a valid command.
12:05 < ecrist> bah, no. I know there are a few people who idle here who run their own VPN services
12:05 -!- yoshx [n=yoshx@93.9.145.178] has quit ["Nice Scotty, now beam my clothes up too!"]
12:05 < ecrist> My guess is your VPS provider is throttling or shaping your traffic
12:07 < monttyle> Perhaps. They "supposedly" support OpenVPN but don't actually know a thing about it.
12:07 < monttyle> ...much like how they supported my choice of OS, too, dumping me into a VPS box so unconfigured I had to fix it before it was good for anything. Bah.
12:15 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
12:23 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection]
12:28 -!- monttyle [n=monttyle@71-17-243-213.yktn.hsdb.sasknet.sk.ca] has quit [" HydraIRC -> http://www.hydrairc.com <- In tests, 0x09 out of 0x0A l33t h4x0rz prefer it :)"]
12:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:45 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
12:45 < CaBa> hi
12:48 < CaBa> i have a problem reaching a virtual machine running on my openvpn host. ping says 'Destination Port Unreachable'
12:48 < CaBa> i added a route to be pushed to the clients that covers the subnet used by the virtual machines
12:49 < CaBa> it also works fine to ping the ip the server uses locally to communicate and NAT for the virtual machines, which is from the same subnet of course
12:49 < CaBa> however, i dont get through to the vm.
12:58 < ecrist> krzee: OT - any quick and dirty how-tos for freeswitch to get me a running test system?
13:01 < krzee> no idea, i only ran it once
13:02 < krzee> but i did it based on reading their wiki
13:02 < ecrist> ok, was already there. thanks
13:04 -!- dxtr [n=dxtr@unaffiliated/dxtr] has joined ##openvpn
13:05 < dxtr> !route
13:05 < vpnHelper> dxtr: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:06 < krzee> np
13:11 < dxtr> Is it possible to connect several clients to a single process when using.. ehm.. lost the word now. When using "not bridging" :P
13:12 < dxtr> Without breaking something I mean
13:12 < dxtr> I don't care if they can communicate with each other and whatnot. As long as they get an IP and can connect to the outside world from it
13:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:14 < krzee> sure
13:14 < krzee> not bridging = tun
13:14 < krzee> and if you use --server its made for multiple clients
13:15 < krzee> ie:
13:15 < krzee> !sample
13:15 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
13:15 < krzee> you just gotta make a cert for each client
13:16 < dxtr> Awesome
13:29 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn
13:31 -!- jetole [n=Joe@66.165.165.169] has joined ##openvpn
13:33 < jetole> hey guys, I run openvpn for my office which routes all clients' connections to specific networks over openvpn. Is it possible to have a single client for whom all traffic is routed over the vpn?
13:33 < krzee> i dont understand the question
13:35 < jetole> krzee: right now all our openvpn clients get a route pushed to them for a specific network, say 10.0.0.0/8, is it possible to set it so just one client has all routed traffic go through the vpn, not just the 10.0.0.0/8, but at the same time allow all the other clients to just remain routing only 10.0.0.0/8?
13:35 < krzee> sure
13:35 < krzee> add this
13:35 < krzee> redirect-gateway def1
13:35 < krzee> to the clients config
13:36 < krzee> make sure you have NAT and ip forwarding enabled on the server
13:36 < jetole> I do, one of our networks that is routed is our data center location
13:37 < jetole> when you say the clients config, you mean the client-config-dir file for the client?
When using "not bridging" :P 13:12 < dxtr> Without breaking something I mean 13:12 < dxtr> I don't care if they can communicate with each other and whatnot. As long as they get an IP and can connect to the outside world from it 13:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:14 < krzee> sure 13:14 < krzee> not bridging = tun 13:14 < krzee> and if you use --server its made for multiple clients 13:15 < krzee> ie: 13:15 < krzee> !sample 13:15 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 13:15 < krzee> you just gotta make a cert for each client 13:16 < dxtr> Awesome 13:29 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn 13:31 -!- jetole [n=Joe@66.165.165.169] has joined ##openvpn 13:33 < jetole> hey guys, I run openvpn for my office which routes all clients connections to specific networks over openvpn. Is it possible to have a single client whom all traffic is routed over the vpn for? 13:33 < krzee> i dont understand the question 13:35 < jetole> krzee: right now all are openvpn client get a route pushed to them for a specific network, say 10.0.0.0/8, is it possible to set it so just one client has all routed traffic go through the vpn, not just the 10.0.0.0/8 but at the same time allow all the other clients to just remain routing only 10.0.0.0/8? 13:35 < krzee> sure 13:35 < krzee> add this 13:35 < krzee> redirect-gateway def1 13:35 < krzee> to the clients config 13:36 < krzee> make sure you have NAT and ip forwarding enabled on the server 13:36 < jetole> I do, one of our networks that is routed is our data center location 13:37 < jetole> when you say the clients config, you mean the client-config-dir file for the client? 
13:37 < krzee> no
13:37 < krzee> i mean the config of the client
13:37 < jetole> you mean the con... ok, that was my second guess
13:37 < jetole> no way on the server?
13:37 < krzee> you can check if it can be pushed in a ccd, i dunno
13:37 < jetole> ok
13:38 < jetole> the other thing I wanted to ask, can I prioritize connections on my client so all data is routed through one vpn connection but a very specific route is routed through another vpn connection, and make sure the specific route is higher in my own routing tables?
13:39 < krzee> thats how routing tables work...
13:39 < krzee> most specific route wins
13:40 < krzee> which is why i had you use def1
13:40 < krzee> !def1
13:40 < vpnHelper> krzee: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:40 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
13:41 < jetole> but let's say I connect to one openvpn that does 192.168.1.1/24 and another one that does 0.0.0.0/1, if the 0.0.0.0/1 is higher on my routing table then it will override the 192.168.1.1/24. right?
13:43 < krzee> no
13:43 < jetole> well good then. hehe, thanks
13:44 < krzee> the 192.168.1.1/24 is WAY more specific than 0.0.0.0/1
13:44 < krzee> but you could make a 192.168.1.10/32 that would override the 192.168.1.1/24
13:46 < jetole> last thing I wanted to ask, and basic TCP/IP tells me this won't work but not sure how OpenVPN handles it. What happens if I have an OpenVPN route to 192.168.1.0/24 and I connect on another network that uses that same subnet. Now I don't care about connecting to other systems on that subnet but want to know how OpenVPN will handle routing to that gateway on that subnet. Will my connection work? Will OpenVPN route my data through the 192.168.1.0/24 ...
13:46 < jetole> ... subnet where I am located but my client will still also see peers on the other side of the vpn connection with 192.168.1.0/24
13:46 < jetole> ah I see, so the size of the netmask takes precedence on the previous question
13:46 < jetole> the smaller the netmask the higher the routing priority
13:48 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
13:49 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:59 -!- Avalloc [n=_@d155092.adsl.hansenet.de] has joined ##openvpn
14:01 < ecrist> when updating the XML files for an extension, I don't need to restart freeswitch to have those changes take effect, do i?
14:02 < ecrist> oops
14:02 < krzee> i believe that depends what the file is
14:03 < krzee> for an extension, i'd think so
14:08 < ecrist> krzee: that's silly to have to restart the entire daemon to add an extension
14:08 < ecrist> or update a voicemail password
14:09 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn
14:09 < ecrist> fs_cli is the key, krzee
14:10 -!- ptmahent` [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
14:12 < krzee> ahh right
14:12 < krzee> a reload from there
14:12 < krzee> right?
14:14 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:30 -!- yoshx_ [n=yoshx@93.9.145.178] has joined ##openvpn
14:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
14:43 -!- yoshx [n=yoshx@93.9.145.178] has quit [Read error: 110 (Connection timed out)]
14:50 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
14:51 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
14:53 < krzie> mooo
14:55 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
14:57 < ecrist> krzie: yes, a reload from there.
15:28 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote closed the connection]
15:50 -!- Avalloc [n=_@d155092.adsl.hansenet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- \o/"]
16:12 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:40 -!- yoshx_ [n=yoshx@93.9.145.178] has quit [Read error: 110 (Connection timed out)]
16:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
17:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
17:05 -!- YaManicKill is now known as YaManicKill|away
17:34 -!- gilos123 [n=gilos@64-126-117-142.dyn.everestkc.net] has quit [Remote closed the connection]
17:35 -!- gilos123 [n=gilos@64-126-117-142.dyn.everestkc.net] has joined ##openvpn
17:38 -!- gilos123 [n=gilos@64-126-117-142.dyn.everestkc.net] has quit [Remote closed the connection]
17:44 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)]
17:55 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
18:05 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
18:07 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
18:10 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection]
18:35 -!- master_of_master [i=master_o@p549D7D2B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:39 -!- master_of_master [i=master_o@p549D7D8F.dip.t-dialin.net] has joined ##openvpn
19:02 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
19:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:42 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
20:35 -!- frewsxcv_ [n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has joined ##openvpn
20:36 < frewsxcv_> is there a way to find out all the computers connected to openvpn?
20:36 < m3thos> check the log ? 21:01 -!- m3thos [n=mindblas@bl7-51-239.dsl.telepac.pt] has quit ["Changing server"] 21:13 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 21:22 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)] 21:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 21:30 < krzie> frewsxcv_ check the manual for info on the management interface 21:32 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 21:47 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 22:19 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 104 (Connection reset by peer)] 22:24 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 22:39 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has quit [Read error: 110 (Connection timed out)] 23:05 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 23:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] --- Day changed Tue Dec 01 2009 00:16 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn 00:17 -!- jfkw_ [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:21 -!- hyper_ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has quit [Remote closed the connection] 00:28 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)] 00:29 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 01:09 -!- hyper_ch [n=hyper@184-70.79-83.cust.bluewin.ch] has joined ##openvpn 01:18 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn 01:32 -!- frewsxcv_ is now known as windowspro 01:32 -!- windowspro is now known as frewsxcv 01:43 -!- dazo_afk is now known as dazo 01:58 -!- frewsxcv_ [n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has joined ##openvpn 01:59 -!- frewsxcv 
[n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has quit [Read error: 104 (Connection reset by peer)] 02:14 -!- Kalle [n=Kalle322@p5B2D11CB.dip0.t-ipconnect.de] has joined ##openvpn 02:14 < Kalle> Hey all 02:15 < Kalle> can someone answer a few questions about OpenVPN for me? 02:17 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 02:22 < hyper_ch> !english 02:22 < vpnHelper> hyper_ch: Error: "english" is not a valid command. 02:22 < hyper_ch> !language 02:22 < vpnHelper> hyper_ch: Error: "language" is not a valid command. 02:22 < Kalle> oh sorry 02:22 < hyper_ch> :( 02:22 < hyper_ch> !howto 02:22 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 02:22 < hyper_ch> Kalle: what do you need to know? 02:23 < Kalle> i don't understand some settings in the client.config 02:23 < hyper_ch> Kalle: OS? linux? 02:23 < Kalle> WindowsXp 02:23 < hyper_ch> no clue, for linux I've written a small howto :) 02:23 < hyper_ch> (even in German) 02:23 < Kalle> the settings should be the same 02:24 < hyper_ch> I doubt it :) but have a go: http://www.simplylinux.ch/openvpn-einrichten 02:24 < vpnHelper> Title: Linux für alle » OpenVPN einrichten (at www.simplylinux.ch) 02:24 < Kalle> okay thank you ;) 02:25 < hyper_ch> but not sure if that helps you :) 02:25 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)] 02:25 -!- dli [n=dli@69.172.97.211] has joined ##openvpn 02:34 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 02:39 < dazo> Kalle: which setting are you wondering about? 02:42 < dazo> hyper_ch: in general, openvpn configs are platform independent ... even though openvpn has had a history where it has been working better with TAP devices in the past, not sure how that is nowadays ... and as long as you don't use some platform specific config arguments, and again, it's just a few ones for the Windows platform ... 
mostly that is in regards to having an openvpn server on Windows, and certificate management, iirc 02:42 -!- YaManicKill|away is now known as YaManicKill 02:43 < hyper_ch> dazo: I never used openvpn in windows... all I know is that windows just sux at networking stuff :) 02:45 < dazo> hyper_ch: nah ... even though I'm primarily using Linux as well (even converted my wife's laptop to Linux with her acceptance) ... Windows is not necessarily that bad, it's just done differently ... 02:47 < hyper_ch> windows networking just gives you a lot of unnecessary headaches :) 02:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 02:48 < dazo> It all depends on your knowledge and needs 03:02 < Kalle> i'm just wondering what persist-key and persist-tun are? 03:02 < Kalle> i am using Tap device 03:06 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn 03:48 < dazo> Kalle: ahh! persist-key is used by openvpn to store the encryption key in memory, so when the connection is re-established for some reason it will not try to or need to reload the key from disk 03:49 < dazo> Kalle: that's particularly important on systems supporting chroot ... as the encryption keys might be stored outside of the chroot, and openvpn will read the keys before going into the chroot jail 03:50 < dazo> Kalle: and persist-tun is somewhat similar 03:51 < dazo> Kalle: persist-tun makes sure that openvpn doesn't try to tear down and re-create the tun/tap device on reconnects ... again, this is to avoid issues if the user is missing root/administrator privileges 03:53 < dazo> Kalle: but I'm not sure how useful these config parameters are on Windows, TBH ... as Windows does not support chroot jails .... and OpenVPN anyway needs to be started as administrator to be allowed to change the routing table 03:54 < Kalle> thank you dazo 03:55 < dazo> Kalle: you're welcome 03:55 < Kalle> and last question.. how can i decide which ports will be used and which will be blocked? 
Should be controlled by a firewall or? 03:56 < dazo> Kalle: by the way ... if you look at the man pages for openvpn (you can even google for 'man openvpn') ... you'll get the proper explanation of how it really works 03:57 < dazo> Kalle: openvpn only provides a secure "network interface" and connects a client to a network .... what kind of traffic is allowed over that tunnel is up to the firewalls on both sides 04:02 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn 04:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:38 < reiffert> moin 04:49 < Kalle> okay, thank you dazo 04:49 < Kalle> Hello reiffert 04:58 -!- hyper_ch [n=hyper@184-70.79-83.cust.bluewin.ch] has quit [Remote closed the connection] 05:00 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has joined ##openvpn 05:11 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 05:11 -!- tiavv [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 05:12 -!- tiavv [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection] 05:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 06:22 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 06:23 < Bushmills> yo, hi there 06:40 -!- bauruine [n=stefan@82-33.62-188.cust.bluewin.ch] has joined ##openvpn 06:44 -!- mirco [n=mirco@pd95b6029.dip0.t-ipconnect.de] has quit [] 06:47 -!- Kalle [n=Kalle322@p5B2D11CB.dip0.t-ipconnect.de] has quit [Read error: 60 (Operation timed out)] 06:49 -!- yoshx [n=yoshx@93.9.145.178] has quit [Connection timed out] 07:21 -!- hyper_ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has joined ##openvpn 07:32 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)] 07:33 -!- magic_1 [n=magic@41.121.84.235] has joined ##openvpn 07:46 < ecrist> good morning 07:47 < dazo> g'afternoon 08:09 -!- yoshx [n=yoshx@93.9.145.178] has joined ##openvpn 08:37 < dazo> !route 08:37 < vpnHelper> 
dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:59 -!- purifiedmadness1 [n=jesus@c-67-177-231-60.hsd1.co.comcast.net] has quit [Remote closed the connection] 09:09 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:22 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has joined ##openvpn 09:24 < Titan8990> Whenever I use UDP instead of TCP for openvpn for a client, after I kill the openvpn process I am unable to restart it with the error that something is already bound to the port. netstat -l shows that something is listening on the port that is used by the VPN. How can I kill whatever is listening? It appears I have killed the only openvpn process 09:26 < Titan8990> also, the client is running embedded linux and its netstat does not appear to have the -p option 09:30 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:32 < KaiForce> Ok, setting up net to net VPN (192.168.0.0 to 192.168.1.0) and the tunnel is up, and both the server firewall and client firewall can ping through to any device on both sides of the tunnel. But.... 09:32 < |Mike|> !logs 09:32 < vpnHelper> |Mike|: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
09:32 < |Mike|> !all 09:32 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 09:34 < KaiForce> for clients on the server side (192.168.0.0) they can't get any farther than the server interface, and for clients on the client side (192.168.1.0) they get to the openvpn interface on the server and fail there (10.0.0.1) 09:34 < KaiForce> firewall (shorewall) is set to allow all 09:34 < KaiForce> and the routes look correct. I'm not sure where to go from here. 09:40 -!- dazo [n=dazo@nat/redhat/x-vnbqkbeqdaonpnli] has quit [Read error: 54 (Connection reset by peer)] 09:41 -!- dazo_ [n=dazo@nat/redhat/x-pckgpyopnmzukinw] has joined ##openvpn 09:42 -!- dazo_ is now known as dazo 09:42 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 09:42 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has quit [Remote closed the connection] 09:49 -!- hyper__ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has joined ##openvpn 09:49 -!- hyper_ch [n=hyper@adsl-188-155-26-207.adslplus.ch] has quit [Nick collision from services.] 09:54 -!- hyper__ch is now known as hyper_ch 10:01 -!- dazo [n=dazo@nat/redhat/x-pckgpyopnmzukinw] has quit [Read error: 54 (Connection reset by peer)] 10:02 -!- dazo_ [n=dazo@nat/redhat/x-xfhljrnewowisiei] has joined ##openvpn 10:03 -!- dazo_ is now known as dazo 10:04 < KaiForce> NM, the other admin working on this had some remnants of IPSEC running. 
Killed pluto and everything magically started working 10:14 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 10:14 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 54 (Connection reset by peer)] 10:15 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has joined ##openvpn 10:18 -!- bauruine [n=stefan@82-33.62-188.cust.bluewin.ch] has quit [Remote closed the connection] 10:18 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has joined ##openvpn 10:19 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 10:21 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Read error: 60 (Operation timed out)] 10:21 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 10:28 -!- tom11000 [n=magic@41.121.84.235] has joined ##openvpn 10:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 10:28 -!- tom11000 is now known as magic_1 10:37 -!- YaManicKill is now known as YaManicKill|away 10:38 -!- le0 [n=itsle0@87.112.250.227] has quit ["Leaving"] 10:48 -!- dazo is now known as dazo_afk 10:52 -!- yoshx [n=yoshx@93.9.145.178] has quit [Connection timed out] 10:53 -!- yoshx [n=yoshx@88.140.39.248] has joined ##openvpn 11:15 -!- Hink [n=Hink@static-71-164-255-85.dllstx.fios.verizon.net] has quit [Remote closed the connection] 11:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 11:26 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has joined ##openvpn 11:33 -!- yoshx [n=yoshx@88.140.39.248] has quit [Connection timed out] 11:33 -!- yoshx [n=yoshx@78.114.250.153] has joined ##openvpn 11:35 < Titan8990> I am having an issue with a VPN connection. My server is a pfsense box running openvpn version 2.06. The client is a DDWRT router that is getting internet access via 3G. Because it's embedded linux, I only have logs on the server side. 
Server config: http://pastebin.com/m348b6aed | client config: http://pastebin.com/m318d6d0e | server log: http://pastebin.com/d4236799c 11:36 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has joined ##openvpn 11:38 < ecrist> Titan8990: update your version of OpenVPN, first. ;) 11:41 < Titan8990> ecrist, because newer is always better? 11:42 < Titan8990> ecrist, I won't be switching versions as that is the version that is provided for my operating system 11:43 < Titan8990> and I have other clients connected to that server running the same version of DDWRT, so I know my issue is not an incompatibility in versions 11:44 < Titan8990> The different factor between it and the other clients is that it is using 3g for an internet connection... the actual error is: "Nov 23 20:27:16 pfSense openvpn[23525]: TCP NOTE: Rejected connection attempt from 32.179.211.123:2335 due to --remote setting" 11:50 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:56 -!- todd_dsm [n=todd_dsm@zerver.ptest.us] has quit [Read error: 104 (Connection reset by peer)] 11:57 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 12:09 -!- jetole [n=Joe@66.165.165.169] has left ##openvpn [] 12:17 < ecrist> Titan8990: post your configs, please both server and the problematic client 12:17 < ecrist> also post logs from both 12:18 < Titan8990> ecrist, I posted both configs and logs from the server... the only storage space on the client is NVRAM so it does not perform any logging 12:18 < Titan8990> Server config: http://pastebin.com/m348b6aed | client config: http://pastebin.com/m318d6d0e | server log: http://pastebin.com/d4236799c 12:19 < Titan8990> ecrist, if the openvpn logs are created by syslog, I could have it sent to a remote syslog server 12:19 < ecrist> they can be sent to syslog, iirc 12:20 < ecrist> the logs are created by openvpn. syslog doesn't create logs, it stores them. 
;) 12:21 < ecrist> from the man page: 12:21 < ecrist> --syslog [progname] 12:21 < ecrist> Direct log output to system logger, but do not become a daemon. See --daemon directive above for description of progname parameter. 12:22 < ecrist> looks like you're already redirecting to syslog 12:22 < ecrist> I can help more once I have the client logs 12:24 < Titan8990> what would [progname] be? the name of the syslog daemon? 12:24 < ecrist> it's covered in the man. your 'daemon' directive in the client config asserts logging to syslog 12:28 < Titan8990> alright, it's logging to my syslog server now, will have it in a few 12:33 < Titan8990> there is quite a delay between when events happen and when they are logged 12:35 < ecrist> buffered, likely 12:39 < Titan8990> hmm, right now the client is trying to connect, I can see from tcpdump that the openvpn server is receiving syn packets but it's not replying and nothing new is showing up in the openvpn log 12:44 < Titan8990> ecrist, well... logging has stopped and I did not see anything openvpn related 12:45 < Titan8990> ecrist, would the stdout/stderr output from running outside of daemon mode be sufficient? 12:47 < Titan8990> ecrist, pastebin.com/mda54821 12:48 < Titan8990> ecrist, I can give you the tcpdump as well if you want it 12:53 < ecrist> yes, it would 12:54 < ecrist> hrm, I see connection timeouts, odd 13:01 -!- edoceo-fluorine [n=edoceo-f@32.156.146.213] has joined ##openvpn 13:02 < edoceo-fluorine> !configs 13:02 < vpnHelper> edoceo-fluorine: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 13:02 < edoceo-fluorine> How much performance benefit do I get by selecting smaller ciphers or hmac? 13:04 < Titan8990> ecrist, yes, it is odd... and I can verify that those packets make it to the server... 
I have a feeling something is going on with the wireless carrier, however, this worked about a week ago (automagically after hours of issues like today) 13:11 < ecrist> Titan8990: try switching to UDP 13:13 < Titan8990> ecrist, i tried that as well... which was my original question I came in here for. If I kill the proc of a client using udp even though the proc is killed something is still listening on that UDP which causes me to have to reboot to try again 13:13 < ecrist> odd 13:13 < Titan8990> ecrist, anyways, the results were similar only instead of timeouts it would just sit there... either way, I will give it another go when I get done eating 13:15 < Titan8990> ecrist, lol this whole thing started to test the performance difference by using udp instead of tcp 13:15 < Titan8990> because tcp w/ 3g connection was nearly unusable 13:15 < ecrist> !tcp 13:15 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 13:15 < Titan8990> I know, I was directed there last time I was here, thanks :) 13:33 -!- edoceo-fluorine [n=edoceo-f@32.156.146.213] has quit [Read error: 110 (Connection timed out)] 13:34 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 14:15 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection] 14:19 -!- hobbsc_ [n=zalgo@opensuse/member/hobbsc] has joined ##openvpn 14:19 < hobbsc_> !howto 14:19 < vpnHelper> hobbsc_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:20 < hobbsc_> anyone have a recommended platform for openvpn? i'm looking at suse and freebsd right now, but i'm open to suggestion 14:21 < Bushmills> bsd users prefer bsd as platform. debian users have debian as preferred platform. i suppose that suse users prefer suse. 
14:22 < Titan8990> I am a debian user and a big follower of debian policies and philosophies, however, freebsd on your router :) 14:22 < Bushmills> so the answer is probably "yes" 14:22 < hobbsc_> ha 14:22 < Titan8990> I find openbsd PF to be a lot nicer than netfilter iptables 14:22 < hobbsc_> well, i'm platform agnostic 14:22 < hobbsc_> i didn't know if there was a preferred one for openvpn 14:22 < hobbsc_> looking for the least hassle on install 14:23 < Titan8990> hobbsc_, pfsense 14:23 < Titan8990> will work out-of-the-box with openvpn preinstalled 14:23 < hobbsc_> well, i don't need a firewall 14:23 < hobbsc_> that, i've got 14:24 < hobbsc_> just want to get openvpn up and running 14:24 < hobbsc_> got two juniper srx240h firewalls currently 14:24 < Titan8990> well, you seem to be a suse fan, just install it on that 14:24 < Titan8990> ewwww 14:25 < hobbsc_> not really a suse fan, just comes with the job 14:25 < hobbsc_> i can go either way, really 14:25 < hobbsc_> the srx's are decent machines 14:25 < hobbsc_> especially clustered 14:25 < Titan8990> doesn't juniper equipment require proprietary management software? 14:25 < hobbsc_> nope 14:25 < hobbsc_> it's based on freebsd, even 14:26 < hobbsc_> i manage it right over the cli via ssh 14:26 < Titan8990> is it at all similar to cisco IOS? 14:26 < hobbsc_> nope, very different. 
i normally manage cisco equipment, but i'm moving most of our stuff to juniper these days 14:27 < hobbsc_> this little flash course explains the differences pretty well: http://www.juniper.net/us/en/training/elearning/jsl.html 14:27 < vpnHelper> Title: JUNOS As A Second Language (JSL) course for network engineers - Juniper Networks (at www.juniper.net) 14:27 < hobbsc_> not really a course 14:27 < ecrist> hobbsc_: FreeBSD 14:27 < ecrist> !ssl-admin 14:27 < ecrist> for one 14:27 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 14:27 < hobbsc_> great 14:27 < ecrist> two, pf is light-years better than iptables/chains, IMHO 14:27 < hobbsc_> i'm pretty familiar with freebsd, shouldn't be too difficult to move from there 14:28 < ecrist> !freebsd 14:28 < hobbsc_> thanks for the input, folks 14:28 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 14:33 < Titan8990> ecrist, alright, my 2nd issue was that when I moved the config from udp back to tcp, I didn't change the server configuration back 14:33 < Titan8990> ecrist, so now to figure out why udp was not working :) 14:33 < ecrist> ahh 14:34 -!- nick [i=a5e4eae5@gateway/web/freenode/x-uamvvavzrwszkfag] has joined ##openvpn 14:36 < nick> hi. how do you guys use openvpn if you want to share with apache? are you guys using port-share option? or is it possible in another way? 14:37 < reiffert> "share with apache"? 14:38 < Titan8990> sounds like he wants to bind openvpn to port 80 lol 14:38 < Titan8990> with apache running 14:38 < reiffert> Ah, see --port-share in the manpage. 14:38 < reiffert> !factoids search share 14:38 < vpnHelper> reiffert: No keys matched that query. 14:38 < reiffert> !help factoids 14:38 < vpnHelper> reiffert: Error: There is no command "factoids". 
14:38 < reiffert> !factoids help 14:38 < vpnHelper> reiffert: Error: The "Factoids" plugin is loaded, but there is no command named "help" in it. Try "list Factoids" to see the commands in the "Factoids" plugin. 14:39 < reiffert> !list factoids 14:39 < vpnHelper> reiffert: change, forget, info, learn, lock, random, search, unlock, and whatis 14:39 < reiffert> !help 14:39 < vpnHelper> reiffert: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 14:39 < reiffert> !help factoids search 14:39 < vpnHelper> reiffert: An error has occurred and has been logged. Please contact this bot's administrator for more information. 14:39 < ecrist> !factoids search * 14:39 < vpnHelper> ecrist: More than 100 keys matched that query; please narrow your query. 14:39 < ecrist> !factoids search *! 14:39 < vpnHelper> ecrist: No keys matched that query. 14:39 < reiffert> !factoids search --values share 14:39 < vpnHelper> reiffert: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 14:39 < nick> reiffert: i know that I can use port-share function. i'm just checking if there is another way around. i don't want openvpn to check every request and sending to https 14:40 < reiffert> nick: I cannot think of any other. 14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:43 < Titan8990> I guess I don't understand the reasoning behind not running openvpn on its own port 14:45 < nick> Titan8990: what if some clients get stuck behind the port 14:46 < nick> behind the firewall* 14:46 < nick> i had that problem by myself, lots of times. i need to reach the vpn, but i'm at airport with limited access to internet. 
14:47 < Bushmills> nick, you may be able to run a http proxy on the openvpn server machine, let your local web browser connect to proxy through another port than 80 or 443. that way, no sharing needed. 14:47 < Titan8990> you mean so you can bypass restrictions set by a network administrator? 14:49 < nick> Titan8990: it's not bypassing. i'm using their network through port 80, which they allowed me to. So I'm not bypassing anything. I'm joining my VPN to use applications in there. 14:50 < hyper_ch> nick: you think the administrators allow port 80 to be used for vpn access to a different network? 14:50 -!- buntfalke [n=nobody@openvpn-p0-133.triple-a.uni-kl.de] has joined ##openvpn 14:51 < Titan8990> nick, they block those ports to prevent exactly what you're trying to do actually 14:52 < nick> hyper_ch: i know, they only want people to use it for browsing. but we are trying to solve something here. If that wasn't the case, why would openvpn developers put 'port-share' function in the Openvpn release. So If you are not interested in helping, I pretty much know what I'm doing. Cheers 14:52 < hyper_ch> nick: so you say you want to circumvent the restrictions imposed by the network admins.... 14:53 < nick> hyper_ch: yes. I would like to allow my clients to be able to connect to OpenVPN server, even if they are behind a firewall with only port 80 or 443 open. 14:54 < hyper_ch> so you help other people to circumvent network restrictions imposed by their admins.... 14:54 < hyper_ch> that's even worse IMHO 14:54 < Bushmills> /topic this channel doesn't discuss technical aspects of using openvpn. instead, it is a pro-admin policy support platform. 14:55 < Bushmills> :P 14:56 < hobbsc_> heh 14:56 < Titan8990> well, autopwn has the ability to point it at a box and hack it. Because that is part of the functionality of autopwn does that mean its acceptable to do it to anyone? 14:56 < Titan8990> Bushmills, hehe, that is good 14:56 < Bushmills> i think we should stop using openvpn. 
had admins wanted traffic to be encrypted, the protocols supported that already. so openvpn is just an anti-admin policy way of circumventing making traffic visible. 14:57 < Titan8990> I had never viewed VPN as just a way of encrypting traffic. to me it was always about connecting site A or client A to site B 14:58 < Titan8990> might as well just use a SOCKS proxy for encryption 14:58 < Bushmills> you can connect A to B only when A and B are already connected. 14:59 < hyper_ch> let's all connect to one another 14:59 < Bushmills> in that case, openvpn is a way to circumvent admin-imposed firewall rules 14:59 < Bushmills> pfooei 14:59 < Titan8990> well, over the internet yes, but it's not practical to say, expose ssh of 10 of your servers to the world 14:59 < Titan8990> if the rest of their functionality occurs on the LAN 15:00 < Titan8990> ecrist, only TCP was allowed through the firewall, solved 15:01 < Titan8990> ecrist, thanks for being there to bounce ideas off of hehe 15:02 -!- sdh [n=steve@steve.st] has joined ##openvpn 15:03 < hyper_ch> don't you need UDP for dns queries? 15:04 -!- odonata [n=odonata@security.jails.se] has quit [Remote closed the connection] 15:15 < krzie> prolly using a dns server inside the lan 15:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection reset by peer] 15:30 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:34 < MorkBork> what i just read 15:34 < MorkBork> either i read wrong or was retarded 15:34 < MorkBork> ??????????? 15:34 < MorkBork> I had never viewed VPN as just a way of encrypting traffic. to me it was always about connecting site A or client A to site B 15:34 < MorkBork> might as well just use a SOCKS proxy for encryption 15:34 < MorkBork> ?????????? 
15:34 < MorkBork> lol 15:39 -!- ruied [n=ruied@bl7-222-179.dsl.telepac.pt] has joined ##openvpn 15:42 < Titan8990> MorkBork, more like poorly worded 15:42 < Titan8990> MorkBork, thanks for pointing it out 15:44 < Titan8990> MorkBork, if you wanted to encrypt your IRC traffic, would VPN be your choice? 15:45 < MorkBork> connecting to the server via ssl would be 15:45 < MorkBork> not all irc servers offer that of course 15:46 < nick> Titan8990: if i'm using internet at a free/paid wifi hotspot, i'd prefer to use vpn. people can easily watch your traffic 15:46 < Titan8990> well, obviously... 15:46 < Titan8990> but there are VPNs that don't even encrypt traffic, such as PPTP 15:47 < Titan8990> nick, you could accomplish the same with a SOCKS proxy 15:47 < Titan8990> tunnel your traffic through ssh 15:48 < nick> but setting everything according to that? mail/im/irc/http list goes on.. if you just connect to vpn and route all traffic through? 15:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 15:48 < Titan8990> if you trust the exit node, tor encrypts your traffic in at least 3 layers and anonymous 15:49 < nick> Titan8990: another use of VPN for me is, i have all my software for work on my server. i just connect via VPN and i see my share on my network. grab whatever tool i need. feels so much better 15:49 < Titan8990> you're right, your client for whatever application would need to be configured to use the proxy 15:49 < Titan8990> nick, and that's the use I find VPN the most useful 15:49 < Titan8990> and what I was attempting to make a point about 15:50 < Titan8990> although, I don't have "shares" as that sounds very windowsish 15:50 < nick> Titan8990: Appleish in my opinion :) 15:51 < Titan8990> nick, does that still use smb/cifs? 15:51 < nick> afp. 
16:08 -!- Titan8990 [n=Titan899@unaffiliated/titan8990] has quit ["Leaving"] 16:10 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 16:11 -!- revstray [n=rev@BlueLabs/revstray] has joined ##openvpn 16:13 < revstray> anyone here work with Tunnelblick the OSX OpenVPN gui? I'm running into an odd issue where 8 seconds after connection the connection is restarted and having some issues tracking down why this would happen. 16:24 -!- nick [i=a5e4eae5@gateway/web/freenode/x-uamvvavzrwszkfag] has quit [Ping timeout: 180 seconds] 16:26 -!- rajin [n=_@port-11781.pppoe.wtnet.de] has joined ##openvpn 16:44 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 16:46 < krzie> maybe you already have the vpn running from CLI 16:46 < krzie> or maybe it has nothing to do with tunnelblick 16:46 < krzie> worry about starting it from CLI first 16:47 < krzie> (I've never actually understood a reason to use an osx cli, i just have a shell script to start all my vpns in my stacks) 17:11 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)] 17:11 -!- dli [n=dli@69.172.97.211] has joined ##openvpn 17:11 -!- _igel__ [n=_igel_@dslb-088-073-070-038.pools.arcor-ip.net] has joined ##openvpn 17:16 -!- yoshx [n=yoshx@78.114.250.153] has quit [Read error: 110 (Connection timed out)] 17:16 -!- _igel__ [n=_igel_@dslb-088-073-070-038.pools.arcor-ip.net] has quit [Read error: 60 (Operation timed out)] 17:17 -!- yoshx [n=yoshx@78.114.250.153] has joined ##openvpn 17:23 -!- yoshx [n=yoshx@78.114.250.153] has quit [Remote closed the connection] 17:23 -!- _igel_ [n=_igel_@dslb-088-073-084-227.pools.arcor-ip.net] has quit [Read error: 110 (Connection timed out)] 17:41 -!- coil [i=imgay@unaffiliated/coil] has quit ["http://znc.in"] 17:45 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn 17:48 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn 17:49 < ksnp> is there a way to change the directory where 
all the stuff is stored ? i.e /etc/openvpn ?
17:55 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
17:57 < krzie> well first of all
17:57 < krzie> there IS no directory where things are stored
17:57 < krzie> everything is specified in the config file
17:57 < krzie> with NO defaults
17:57 < krzie> but yes, there is a way
17:57 < krzie> in the config file you can use the cd command
17:57 < krzie> ie: cd /etc/openvpn
17:58 < krzie> then you can just specify files without paths as long as they exist in that dir
17:58 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:11 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 104 (Connection reset by peer)]
18:11 -!- kosmic is now known as kosmic-away
18:11 -!- kosmic-away is now known as kosmic-brb
18:11 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
18:11 -!- kosmic-brb is now known as kosmic
18:12 -!- revstray [n=rev@BlueLabs/revstray] has left ##openvpn []
18:16 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
18:29 -!- [1]ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has quit [Read error: 110 (Connection timed out)]
18:35 -!- master_of_master [i=master_o@p549D7D8F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:39 -!- master_of_master [i=master_o@p549D7D92.dip.t-dialin.net] has joined ##openvpn
19:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
19:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
19:11 -!- techtronic [n=liam@host86-147-54-134.range86-147.btcentralplus.com] has joined ##openvpn
19:12 < techtronic> hi folks wonder if some1 can help, when trying to connect it hangs on UDPv4 link remote: <>
19:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)]
19:30 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
19:31 -!- renihs [n=lemming@83.65.34.34] has quit [Read error: 60 (Operation timed out)]
19:34 < krzie> techtronic this is the same problem youd have if you cant connect to any server you run
19:34 < krzie> general networking
19:34 < krzie> check your client can make outbound connections, check your server can receive incoming ones
19:34 < krzie> (on udp, that port)
19:35 < krzie> could be a firewall on the clients lan (some offices have that)
19:35 < techtronic> client should be fine, ill disable ufw, the port is open on the server side
19:35 < krzie> could be NAT or firewall on the server
19:35 < techtronic> theres no hardware firewall on the connection im using
19:35 < krzie> well theres something stopping the connection
19:35 < krzie> assuming you have the client connecting to the right port / right protocol
19:36 < techtronic> there is a firewall on the client machine - just disabling it just now and will retry
19:36 < krzie> also assuming the server is actually running
19:36 < techtronic> the connection has worked hundreds of times before
19:37 < krzie> doesnt now... check everything
19:38 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn
19:39 < techtronic> krzie: http://pastebin.com/m253025db
19:39 < techtronic> i connect to the 218 address
19:40 < techtronic> 219 is a virtual interface
19:40 < techtronic> i cant see why its even mentioning it
19:41 < krzie> !configs
19:41 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
19:43 -!- rajin [n=_@port-11781.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Wibbly Wobbly IRC"]
19:43 < krzie> and are the x's =?
19:43 < krzie> x.x.x.218:1194
19:43 < krzie> x.x.x.219:1194
19:43 < krzie> that confuses stuff in this situation
19:49 < techtronic> krzie: just disabled the virtual interface for 219, works first time
19:49 < techtronic> weird eh
19:49 < techtronic> krzie: thanks for the help!
19:50 < krzie> np
19:55 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
19:59 < ksnp> hi, anyone know how to change the etc/openvpn directory ?
19:59 < krzie> is there a way to change the directory where all the stuff is stored ?
19:59 < krzie> i.e /etc/openvpn ?
19:59 < krzie> ... rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn
19:59 < krzie> well first of all
19:59 < krzie> there IS no directory where things are stored
19:59 < krzie> everything is specified in the config file
19:59 < krzie> with NO defaults
20:00 < krzie> but yes, there is a way
20:00 < krzie> in the config file you can use the cd command
20:00 < krzie> ie: cd /etc/openvpn
20:00 < krzie> then you can just specify files without paths as long as they exist in
20:00 < krzie> that dir
20:00 < ksnp> by default its in /etc/openvpn
20:00 < krzie> false
20:00 < ksnp> that's how its on debian with package install
20:00 < krzie> unless its something specific to the packaging of openvpn in your OS
20:01 < ksnp> yes, with debian its like that
20:01 < ksnp> is it possible to change this to some other location, specified in the config file ?
20:01 < krzie> then youd change it in the file that debian ships with openvpn in their packaging system
20:01 < krzie> the way debian starts openvpn has nothing to do with openvpn
20:01 < ksnp> is it possible to do this via the config file which still shall be in /etc/openvpn ?
20:02 < krzie> lol
20:02 < krzie> back to my original answer
20:02 < krzie> in the config file you can use the cd command
20:02 < krzie> ie: cd /etc/openvpn
20:02 < krzie> then you can just specify files without paths as long as they
20:02 < krzie> exist in that dir
20:02 < ksnp> so you mean i can do cd /mnt/someotherdrive/someotherdir/openvpndir and then have the files in there too ?
20:03 < ksnp> as long as i put the cd /mnt* (above) in the config file ?
20:03 < Bushmills> ksnp: grep etc /etc/init.d/openvpn
20:03 < krzie> you're confusing both of us now
20:04 < krzie> cd /path/to/keys
20:04 < krzie> then you can just put ca
20:04 < krzie> assuming its in the dir you used with cd command
20:09 < ksnp> i am trying out both
20:09 < krzie> what bush said was to understand the debian specific part
20:10 < krzie> moreso to change where the configs go i believe
20:12 < ksnp> i got that, but if i change the dir there it should work too correct ?
20:13 < ksnp> and other option is to use the "cd *"
20:13 < krzie> my not knowing the debian way leaves me unable to answer
20:17 < ksnp> cd would probably also work, thanks for the tip, i am going to try that as well and use it if it works, i don't like changing the init files unless i really have to
20:18 < krzie> agreed, its possible an upgrade through debian's system would wipe your init.d changes
20:23 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has quit ["bbl"]
20:30 < ksnp> yep that's true
20:32 < ksnp> can you tell me which distro you might have tried the cd method ?
20:34 < krzie> the cd method is openvpn specific, will work in everything openvpn works on
20:35 < krzie> including windows, linux, fbsd, osx
20:35 < krzie> since the cd is an openvpn command, not the unix command
20:37 < ksnp> oh ok
20:37 < ksnp> that's useful
20:37 < krzie> agreed
20:38 < ksnp> can this be anywhere in the file or at the beginning ?
20:38 < krzie> i use it in my configs to make them more portable
20:38 < krzie> anywhere, as long as before the files you needed it for
20:38 < ksnp> can i ask what distro you use mostly ?
20:38 < krzie> osx for desktop freebsd for server
20:38 < ksnp> ok
20:39 < ksnp> i guess you use udp and not tcp too ?
20:39 < krzie> !tcp
20:39 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
20:39 < ksnp> ok, will read that link
20:39 < krzie> it was taken from the openvpn manual
20:40 < ksnp> would you know how to run it simultaneously on two udp ports ? i tried to do this by specifying two separate configs in /etc but it didn't work
20:40 < krzie> well you just start openvpn twice, once with each config
20:41 < krzie> as for how to do it in debians method for starting openvpn, back to the problem of 'if it doesnt do it by default you gotta modify the init script'
20:41 < ksnp> i have the two configs, and the starting is taken care of by the init.d/openvpn but i see it complain, let me post the message
20:41 < krzie> or you could always just crontab the starting of it
20:41 < krzie> @reboot /path/to/openvpn /path/to/config
20:41 < ksnp> starting using a command line method you mean ?
20:41 < krzie> yup
20:41 < ksnp> ok
20:42 < krzie> since initd only starts it at boot my crontab entry is =
20:42 < ksnp> can you expand on that a bit ? i have used crontab but to specify the period etc. what exactly is the = thing you are talking about ?
20:43 < krzie> @reboot only happens on boot
20:43 < krzie> init.d scripts only run on boot
20:43 < krzie> you are starting openvpn via init.d script, but you say it doesnt start both
20:44 < krzie> if thats true, you could start all or some via crontab
20:48 < ksnp> i got that part but where does = go ?
20:48 < krzie> im just saying they are equal
20:48 < ksnp> does the cron part start much after the init.d script, i would guess so, but to confirm
20:48 < krzie> they both start it on boot
20:48 < krzie> no idea, but if it needs to for you, add a sleep in there
20:49 < krzie> or start both via a script called by the crontab
20:49 < ksnp> ok
20:49 < krzie> and add the sleep in there ;]
20:49 < ksnp> ok, good idea
20:49 < krzie> for that you must make sure the daemon command is used in the configs
20:49 < krzie> so they detach and the script goes on
20:50 < ksnp> so you are saying the calling command using /path/to/openvpn /path/to/config would automatically run in the daemon mode ?
20:51 < ksnp> if "for that you must make sure the daemon command is used in the configs" is done ?
20:57 < krzie> in the configs you add the word daemon
20:57 < krzie> to know what that does:
20:57 < krzie> !man
20:57 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
20:57 < krzie> see --daemon =]
20:58 < ksnp> ok i have seen them before, will try to refresh
20:59 < ksnp> i am going to try a few things late tonight or sometime this week, i guess i'll try out if i run into something, here itsle
20:59 < ksnp> itself
21:04 < ksnp> thanks all for the suggestions, bye
21:04 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
21:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
21:19 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit [Read error: 110 (Connection timed out)]
21:25 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has joined ##openvpn
21:42 -!- techtronic [n=liam@host86-147-54-134.range86-147.btcentralplus.com] has quit ["Leaving."]
22:21 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
22:41 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
23:17 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit ["Coyote finally caught me"]
23:17 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
23:35 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
23:36 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit [Client Quit]
23:42 -!- frewsxcv_ [n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has quit [Read error: 104 (Connection reset by peer)]
23:42 -!- frewsxcv__ [n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has joined ##openvpn
--- Day changed Wed Dec 02 2009
00:08 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has quit [Read error: 104 (Connection reset by peer)]
00:27 -!- Borai [n=DYN@S0106001c109e98db.no.shawcable.net] has joined ##openvpn
00:27 < Borai> !redirect
00:27 < vpnHelper> Borai: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
00:46 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
00:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:02 -!- dazo_afk is now known as dazo
01:15 -!- hyper_ch [n=hyper@254-243.3-85.cust.bluewin.ch] has joined ##openvpn
01:35 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection]
01:36 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
01:49 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
01:57 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:59 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
04:27 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn
04:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:18 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
05:18 -!- magic_1 [n=magic@41.121.84.235] has joined ##openvpn
05:27 -!- ruied [n=ruied@bl7-222-179.dsl.telepac.pt] has quit [Read error: 60 (Operation timed out)]
06:16 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
06:31 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn
06:39 -!- hobbsc_ is now known as hobbsc
06:46 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"]
06:53 -!- rajin [n=_@port-91811.pppoe.wtnet.de] has joined ##openvpn
07:06 -!- yoshx [n=yoshx@78.114.250.153] has joined ##openvpn
07:13 -!- rajin [n=_@port-91811.pppoe.wtnet.de] has quit [Read error: 60 (Operation timed out)]
07:15 -!- _igel_ [n=_igel_@dslb-088-073-070-038.pools.arcor-ip.net] has joined ##openvpn
07:27 -!- farri [n=javier@62.83.141.195.dyn.user.ono.com] has joined ##openvpn
07:28 < farri> !howto
07:28 < vpnHelper> farri: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:29 < farri> I need help for setting up a vpn connection to a server. if I try pptp it works ok but I can't do anything with openvpn
07:31 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
07:32 < farri> anyone alive?
07:34 -!- Titan8990_ [n=Titan899@unaffiliated/titan8990] has joined ##openvpn
07:34 < Titan8990_> !logs
07:34 < vpnHelper> Titan8990_: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:35 -!- ruied [n=ruied@95.69.74.229] has joined ##openvpn
07:36 < farri> hi
07:48 -!- farri [n=javier@62.83.141.195.dyn.user.ono.com] has left ##openvpn ["Abandonando"]
07:48 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)]
07:48 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
08:26 -!- tlir [n=tlir@87.70.50.22] has joined ##openvpn
08:31 -!- yoshx [n=yoshx@78.114.250.153] has quit [Read error: 110 (Connection timed out)]
08:32 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
09:03 -!- Isenn [n=marcus@pub.sizeit.se] has joined ##openvpn
09:04 < Isenn> I have a question regarding ifconfig-push command in ccd file. The IP is outside the range and formatted like "ifconfig-push 192.168.0.100 255.255.255.192" 255.255.255.192 is the OpenVPN subnet. Is this wrong?
09:07 -!- fervix [i=be298a92@gateway/web/freenode/x-uhikzpuncivivans] has joined ##openvpn
09:14 < tlir> if a key/cert is signed with a password which I'm required to enter upon putting up the openvpn connection, can I somehow save it in a file and automate the process so that I don't get prompted for it every time I want to make a connection?
09:17 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:18 < tlir> ok I think I got that issue figured out as well with --ask-pass [file]
09:19 -!- ruied [n=ruied@95.69.74.229] has quit [Read error: 60 (Operation timed out)]
09:24 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
09:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
09:40 -!- ruied [n=ruied@dial-b1-226-219.telepac.pt] has joined ##openvpn
09:41 -!- ruied [n=ruied@dial-b1-226-219.telepac.pt] has left ##openvpn []
10:20 -!- le0 [n=itsle0@87.112.250.227] has quit ["Leaving"]
10:23 -!- YaManicKill|away is now known as YaManicKill
10:24 -!- YaManicKill [n=ali@130.159.141.69] has quit ["leaving"]
10:25 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn
10:34 -!- fervix [i=be298a92@gateway/web/freenode/x-uhikzpuncivivans] has quit [Ping timeout: 180 seconds]
10:39 < dazo> Isenn: yes ... that is very wrong
10:39 < dazo> tlir: you can also use 'openssl rsa' to create a key which does not have any password as well
10:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:53 < renihs> hmm VERIFY ERROR: depth=1, error=self signed certificate in certificate chain:
10:53 < renihs> hmm ??? :)
10:53 < renihs> its a self-signed cert, that is true
10:53 < renihs> aaah :) my mistake
10:56 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn
10:58 -!- BoomerET [n=Hoops@74.85.24.234] has joined ##openvpn
10:59 < dazo> self-signed certs are not working well with openvpn .....
10:59 < BoomerET> I'm in search of an answer... I have a server that has a VPN connection to multiple tablets that are spread across the US... And another VPN connection back to our LAN...
11:00 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:00 < BoomerET> I want the tablets to be able to ping the lan dns server. The server can ping the dns server, but my tablets on a different OpenVPN connection can't
11:01 < dazo> !route
11:01 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:01 < dazo> BoomerET: ^^
11:01 < BoomerET> I've tried using tcpdump to see where they're ending, and the icmp packets seem to stop at the server, and aren't forwarded across to our LAN.
11:02 < dazo> BoomerET: that's usually routing and/or firewall issues .... in 99.99999% of the cases
11:02 * dazo decides to go home now :)
11:03 < BoomerET> Thanks!
11:04 < BoomerET> The DNS server is a FreeBSD box, using packet filtering, which I'm quite close to clueless on.
11:04 < BoomerET> I did have routing issues yesterday, but that's been fixed, as far as I can tell.
11:05 < BoomerET> I did tcpdump on the dns server, and didn't see any icmp requests, would the packet filter come before that, or after?
11:06 < BoomerET> Because I seriously doubt I'm in the 0.00001 percentile :)
11:06 < BoomerET> Time to dig into the dark side of FreeBSD then. I'll be quiet now.
11:08 -!- dazo is now known as dazo_afk
11:09 -!- hyper_ch [n=hyper@254-243.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
11:10 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:13 -!- _igel_ [n=_igel_@dslb-088-073-070-038.pools.arcor-ip.net] has quit ["leaving"]
11:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
11:19 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
11:21 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
11:23 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:31 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn
11:36 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Success]
12:00 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has joined ##openvpn
12:02 -!- tlir [n=tlir@87.70.50.22] has quit [Read error: 113 (No route to host)]
12:06 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:22 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection]
12:35 -!- le0 [n=itsle0@87.112.250.227] has quit ["Leaving"]
12:36 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has quit [Remote closed the connection]
12:57 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:09 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:13 -!- tlir [n=tlir@87.70.50.22] has joined ##openvpn
13:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Connection reset by peer]
13:21 -!- ruied [n=ruied@89.214.166.56] has joined ##openvpn
13:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
13:29 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn
13:30 -!- pergaminho [n=pergamin@187.7.137.142] has left ##openvpn ["Leaving"]
13:30 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn
13:31 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has quit [Read error: 54 (Connection reset by peer)]
13:34 -!- tlir [n=tlir@87.70.50.22] has quit ["Leaving."]
13:38 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has joined ##openvpn
13:40 < BoomerET> dazo, thanks for the help. Answer was simply to enable ip forwarding.
13:54 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"]
14:03 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has joined ##openvpn
14:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:19 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
14:21 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
14:29 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has joined ##openvpn
14:30 < Gnewt> Ubuntu server 9.04 is my OVPN server, Windows 7 is the client
14:31 < Gnewt> Most of the time now, when I connect, it just won't do anything
14:31 < Gnewt> it connects
14:31 < Gnewt> but then no DNS resolve, can't reach hosts by IP
14:31 < Gnewt> very occasionally it works
14:31 < Gnewt> suggestions?
14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 < Gnewt> Portforwarding is enabled
14:34 < Gnewt> iptables masquerade is enabled
14:34 < Gnewt> er, sorry
14:34 < Gnewt> ipforwarding
14:38 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
14:40 < teddymills> When I moved my openvpn server..I manually copied only the essentials. And it works. But i cannot make any more new keys because I forgot to add the easy-rsa folder. Can I add the easy-rsa stuff without killing the openvpn?
14:44 < Gnewt> Hm, reinstalled and it's working
14:44 < Gnewt> bye!
14:44 -!- Gnewt [n=hackerle@li57-94.members.linode.com] has left ##openvpn []
14:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:49 -!- WnnR [n=rvillarr@97-87-24-82.static.aldl.mi.charter.com] has quit ["Outa here"]
14:58 -!- ruied [n=ruied@89.214.166.56] has quit [Connection timed out]
15:02 -!- SkyX [n=SkyB0x@213.143.86.40] has joined ##openvpn
15:05 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Success]
15:10 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit [Read error: 104 (Connection reset by peer)]
15:17 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection]
15:19 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
15:22 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has joined ##openvpn
15:22 < grendal_prime> hey guys
15:22 -!- SkyX [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
15:22 < grendal_prime> I got an openvpn server that for whatever reason one client is now...revoked.?
15:22 < grendal_prime> i didnt revoke them.
15:22 < grendal_prime> how could that happen?
15:27 < |Mike|> logs..
15:28 < grendal_prime> nothing in there on that
15:30 < |Mike|> it has to
15:38 < grendal_prime> WELLLL ok ill look some more
15:40 < |Mike|> mkay?
15:41 < krzie> maybe the cert expired
15:41 < |Mike|> shush :p
15:41 < krzie> maybe the clock is off on a machine and it THINKS the cert expired
15:41 < krzie> you'll know nothing til you see logs
15:42 < krzie> !logs
15:42 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:44 < grendal_prime> cert doesnt expire for another 9 years
15:45 < |Mike|> date ?
15:45 < grendal_prime> and there are over 100 other clients that are working fine. Pretty sure it isnt an expiration problem...the log pretty distinctly says "REVOKED"
15:45 < krzie> !logs
15:45 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
15:46 < grendal_prime> HOWEVER These are part of a cluster. Im checking the other box now
15:47 < krzie> also check the CRL
15:53 < grendal_prime> ok sooo i found the section where it looks like it becomes revoked..there are a ton of messages prior to this
15:54 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: pa, mrnice1, _LowKey, lkthomas
15:54 < grendal_prime> Tue Dec 1 15:33:11 2009 WFGY-14/64.199.204.13:1025 TLS Error: Unroutable control packet received from 64.199.204.13:1025 (si=3 op=P_CONTROL_V1)
15:54 -!- Netsplit over, joins: lkthomas
15:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:54 < grendal_prime> ton of that sort of stuff...then....
15:54 < grendal_prime> Tue Dec 1 15:33:14 2009 WFGY-14/64.199.204.13:1025 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
15:55 -!- Netsplit over, joins: _LowKey
15:55 < Titan8990_> !paste
15:55 < vpnHelper> Titan8990_: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
15:55 -!- Netsplit over, joins: pa
15:55 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn
15:55 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote closed the connection]
15:56 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:57 < grendal_prime> well the entire log file?
16:02 -!- Titan8990_ [n=Titan899@unaffiliated/titan8990] has quit ["Leaving"]
16:07 < krzie> start the processes, try to make the connection, paste the logfile
16:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
16:08 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
16:09 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
16:15 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
16:19 -!- FirstSgt_ [n=cheney@cpe-76-182-199-229.tx.res.rr.com] has joined ##openvpn
16:19 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
16:30 -!- FirstSgt [n=cheney@76.182.199.229] has quit [Read error: 110 (Connection timed out)]
16:32 < grendal_prime> its 7.5 megs
16:33 < grendal_prime> I only have the server side...
16:34 < grendal_prime> ill strip it down to just this client stuff
16:42 < grendal_prime> ok here is the log info i have...(this is from the server only)
16:42 < grendal_prime> http://filebin.ca/xfhbrm/wfgy-14.log
16:48 < grendal_prime> im having a hard time understanding the crl file..there is one key listed in there but...
16:57 < grendal_prime> anyone have a clue...by the way im looking in the index.txt and i dont see any revoke happening on this client
17:13 < grendal_prime> anyone?
17:14 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has joined ##openvpn
17:16 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:28 < grendal_prime> this crl.pem does not contain a list it contains a key
17:44 -!- MacWinner [n=chatman@c-71-198-58-12.hsd1.ca.comcast.net] has joined ##openvpn
17:44 < MacWinner> do you need root/admin access to setup openvpn? ie, creating tunnel interface etc..
17:45 < MacWinner> or can i set it up with just a regular user account on my mac
17:47 < Rienzilla> no you need root
17:49 -!- dxtr [n=dxtr@unaffiliated/dxtr] has quit [Read error: 60 (Operation timed out)]
17:49 -!- dxtr [n=dxtr@dxtr.cc] has joined ##openvpn
18:02 < grendal_prime> ok the revoke process makes no sense to me whatsoever.
18:22 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has quit ["Ex-Chat"]
18:25 -!- MacWinner [n=chatman@c-71-198-58-12.hsd1.ca.comcast.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102134505]"]
18:29 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
18:35 -!- master_of_master [i=master_o@p549D7D92.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:35 < BoomerET> Well, anytime a connection is attempted, it looks in crl.pem, and if any keys match it won't let that client access...
18:36 < BoomerET> Simply removing the certificate files does nothing, have to revoke the license, so don't ever remove the 01.pem, 02, etc etc.
18:39 -!- master_of_master [i=master_o@p549D7D8B.dip.t-dialin.net] has joined ##openvpn
18:39 -!- temba [n=okotoba@188-193-22-46-dynip.superkabel.de] has quit ["( www.nnscript.com :: NoNameScript 4.2 :: www.regroup-esports.com )"]
18:47 < Sky[x]> i deleted dir /etc/openvpn how can i get new sample files and all what was in this dir ?
18:48 < krzie> that was specific to your OS packaging, you could grab the tgz
18:48 < krzie> or you could remove/reinstall via your os packaging system which you used the first time
18:48 -!- pa [n=pa@unaffiliated/pa] has quit [SendQ exceeded]
18:50 < BoomerET> You deleted the directory, ouch. Sample files are sometimes in /usr/share/doc/openvpn/
18:50 < krzie> !sample
18:50 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
18:50 < BoomerET> You can use a few ways to get it installed, depending on OS. apt-get install openvpn or yum install openvpn
18:50 < krzie> heres some sample files from me ;]
18:51 -!- BoomerET [n=Hoops@74.85.24.234] has quit ["Leaving"]
18:56 -!- Patric3 [n=Patric3@it040352.massey.ac.nz] has joined ##openvpn
19:18 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 104 (Connection reset by peer)]
19:21 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
19:29 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
20:21 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has joined ##openvpn
20:21 < iztehsux> !howto
20:21 < vpnHelper> iztehsux: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
20:32 < iztehsux> krzie: you awake?
20:35 < krzie> heh
20:35 < krzie> sup ize hows it goin
20:35 < krzie> heard you lost your keys =/
20:36 < iztehsux> didn't lose em
20:36 < iztehsux> my config got borked and i can't figure it out
20:37 < iztehsux> i think it's erroring out on self-signed cert, but i'm not exactly the openvpn whiz like you are
20:37 < krzie> ahh
20:37 < krzie> the real shit should be in server log
20:37 < iztehsux> i've been reading through the howto
20:37 < iztehsux> can i pastebin you a copy?
20:37 < krzie> tell our friend to make the log verb 5 and gimme a look
20:37 < iztehsux> rgr
20:37 < krzie> ya but use private paste for that
20:38 < krzie> all certs are self signed really, you almost always make your own CA
20:39 < krzie> *almost all
20:41 < iztehsux> krzee: http://www.privatepaste.com/7861666e12
20:41 < krzie> heh
20:42 < krzie> whats private about that paste?
20:42 < krzie> no pw
20:42 < iztehsux> haha there's nothing in the paste that i'm worried about =p
20:42 < iztehsux> otherwise i woulda pw'ed it
20:42 < krzie> ya thats the client
20:42 < krzie> i need the server
20:43 < krzie> the real shit should be in server log
20:43 < iztehsux> oh whoops
20:46 < krzie> right on bro
20:46 < iztehsux> thanks krzee
20:46 < iztehsux> see ya
20:46 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has quit ["leaving"]
20:46 < krzie> anytime
20:52 < freaky[t]> i still wonder y every message of others is prepended with a + sign
21:22 < krzie> huh?
21:43 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has joined ##openvpn
21:43 < maxagaz> hi
21:46 < maxagaz> i have 5 files : ca.crt, ca.key, toto.crt, toto.csr, toto.key, openvpn.conf, but my client asks me 3 files: ca, cert, key, which ones are those three files ?
22:00 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
22:01 < Bushmills> ca.crt, toto.crt, toto.key
22:46 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)]
22:46 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
23:00 -!- fuffalo [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has joined ##openvpn
23:00 < fuffalo> i've got a config file that works fine when i run it from the command line, but it doesn't seem to do anything when i run it as a service... i don't see any errors in the event viewer... what might i be doing wrong?
23:43 -!- corretico_ is now known as corretico
--- Day changed Thu Dec 03 2009
00:09 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has quit [Remote closed the connection]
00:52 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"]
00:52 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
00:52 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
00:53 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
01:09 -!- hyper_ch [n=hyper@89-47.3-85.cust.bluewin.ch] has joined ##openvpn
01:13 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
01:16 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit [Client Quit]
01:17 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
01:19 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has quit [Read error: 110 (Connection timed out)]
01:19 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has joined ##openvpn
01:31 -!- frewsxcv__ [n=frewsxcv@pcp037537pcs.hollister.reshall.calpoly.edu] has quit ["Leaving"]
01:48 -!- dazo_afk is now known as dazo
02:17 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:38 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
02:40 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:47 -!- c99 is now known as vaq
03:00 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 104 (Connection reset by peer)]
03:07 -!- Isenn [n=marcus@pub.sizeit.se] has quit [Read error: 104 (Connection reset by peer)]
03:17 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:55 -!- maxagaz [n=maxagaz@soho2.i-xanadu.com] has quit ["Ex-Chat"]
03:58 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
04:11 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"]
04:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:58 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:35 -!- sunrider [n=kosmic@unaffiliated/spice] has joined ##openvpn
05:50 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: renihs, rlarson85, vlt, julius, |Mike|, disco-, hobbsc, mattock, Typone, hyper_ch, (+19 more, use /NETSPLIT to show all of them)
05:50 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: lkthomas, mrnice1, Patric3, FirstSgt_
--- Log closed Thu Dec 03 05:52:22 2009
--- Log opened Thu Dec 03 05:52:26 2009
05:52 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
05:52 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal]
05:52 -!- Irssi: Join to ##openvpn was synced in 35 secs
05:53 -!- _LowKey [i=rhel@72.20.2.134] has joined ##openvpn
05:53 -!- LobbyZ` [n=default@main.lobbyzffs.com] has joined ##openvpn
05:53 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
05:53 -!- le0 [n=itsle0@87.112.250.227] has joined ##openvpn
05:54 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn
05:54 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
--- Log closed Thu Dec 03 05:54:24 2009
--- Log opened Thu Dec 03 05:54:43 2009
05:54 -!- ecrist_ [n=ecrist@173.8.118.220] has joined ##openvpn
05:54 -!- Irssi: ##openvpn: Total of 78 nicks [0 ops, 0 halfops, 0 voices, 78 normal]
05:54 -!- krzie [n=krzee@unaffiliated/krzee] has quit [Read error: 60 (Operation timed out)]
05:54 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has quit [Connection reset by peer]
05:55 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn
05:55 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
05:55 -!- mario_ [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
05:55 -!- Irssi: Join to ##openvpn was synced in 39 secs
05:59 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn
05:59 -!- sunrider [n=kosmic@unaffiliated/spice] has joined ##openvpn
06:32 -!- tinLoaf_ [n=tinloaf@tinloaf.de] has quit [Remote closed the connection]
06:32 -!- tinLoaf [n=tinloaf@62.75.242.108] has joined ##openvpn
06:33 -!- HD2 [n=Marco@velirat.de] has joined ##openvpn
06:34 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Read error: 104 (Connection reset by peer)]
06:41 -!- renihs [n=lemming@83-65-34-34.arsenal.xdsl-line.inode.at] has quit ["narf"]
06:43 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
06:51 < sunrider> i got connections working
06:51 < sunrider> but apps are not using the vpn tunnel
06:51 < sunrider> i have no idea what to do now.
07:16 < dazo> routing .... routing ... routing
07:30 < sunrider> oh gee
07:30 < sunrider> don't be so helpful
07:34 < Bushmills> "using"? apps won't talk to server?
07:34 < sunrider> as in my regular isp ip is connecting to websites
07:34 < sunrider> nothing goes over the vpn
07:37 < dazo> sunrider: that really is a routing issue ... if routes are not set up properly, no traffic will ever hit the tunnel and will rather go via the default gateway or another better matching routing entry
07:37 < sunrider> at what place should i configure the routes?
07:37 < dazo> !configs
07:37 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) don't forget to include any ccd entries
07:37 < dazo> !logs
07:37 < vpnHelper> dazo: "logs" is (#1) please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:38 < dazo> !routing
07:38 < vpnHelper> dazo: Error: "routing" is not a valid command.
07:38 < dazo> !route
07:38 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
07:38 < sunrider> heh alright ;)
07:39 < dazo> sunrider: have a look at !route first of all ... then if that doesn't help you, !configs ... and we might ask for !logs as well
07:47 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
07:48 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
07:51 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
07:51 < havoc> morning
07:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
07:53 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:54 < havoc> so I've been told (by people here) that TUN is preferred over TAP, is there a discussion of this somewhere?
07:54 < sunrider> i think it's the same
07:54 < havoc> I've also found in the FAQ that TUN is more efficient for routed setups
07:55 < havoc> sunrider: I was told that TAP was vulnerable to some layer2 stuff that TUN was not
07:55 < havoc> I've been using TAP because the original setup was bridged
07:56 < sunrider> well
07:56 < sunrider> tap seems to be what i need here
07:56 -!- Borai [n=DYN@S0106001c109e98db.no.shawcable.net] has quit [Read error: 110 (Connection timed out)]
07:57 < sunrider> that !route really can't help me
07:57 < havoc> I had also thought that win32 supported TAP-only, but have since been told (again, here) that the "TAP adapter" in windows is just a name, and that it can do either TUN or TAP
07:58 < sunrider> i'm not behind a lan wanting to create a link
07:58 < sunrider> to a vpn server also in the lan
07:59 < ecrist_> good morning
08:00 < sunrider> oh well
08:00 < sunrider> someone said it IS route
08:00 * sunrider goes back to reading
08:00 < havoc> sunrider: what was the question?
08:00 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
08:00 < kexman> hi
08:01 -!- You're now known as ecrist
08:01 < kexman> how can one use UDP for VPN? i don't get it, could anyone explain?
08:02 < ecrist> put udp in the config
08:02 < kexman> i mean not how you configure it
08:02 < kexman> how does that send data?
08:03 < kexman> udp is connectionless and doesn't have error checking right?
08:03 < havoc> what does "connectionless" mean?
08:03 < havoc> it does indeed lack error checking, but that has nothing to do with connection or transport
08:04 < kexman> hmm
08:04 < kexman> i need more knowledge :)
08:04 < havoc> and either way, it has nothing to do with openvpn
08:05 < ecrist> kexman: it's not connectionless, it's stateless. i.e. 'best effort'
08:05 < kexman> right
08:06 < ecrist> vpns act as a transport for other layers. usually this involves TCP through a UDP tunnel. The encapsulated TCP connection handles the error checking and simply retransmits if needed.
08:06 < kexman> so openvpn uses udp to connect a client to a server then send
08:06 < kexman> yeah was just about to say that
08:06 < ecrist> the vpn doesn't really care what's being sent, it just forwards it
08:06 < kexman> that you encapsulate some data then send it over on udp
08:06 < kexman> and if there is some error then it sends it back on udp again and the client knows what to do ... resend ...
08:06 < kexman> right?
08:06 < ecrist> yep
08:06 < kexman> aha
08:07 < kexman> good :) i'm progressing :D thanks
08:07 < kexman> 15:06 < ecrist> the vpn doesn't really care what's being sent, it just forwards it
08:07 < ecrist> the point is, the application layer doesn't know it's using UDP. UDP encap is gone by the time it gets there.
08:07 < kexman> that's the best answer for my question i guess :) thanks again
08:07 < ecrist> np
08:07 < kexman> yeye now i get it thank you very much
08:07 < kexman> so it's way better to use udp since you would just generate overhead + you don't need error checking at this point
08:08 < kexman> i mean with TCP
08:08 < ecrist> fwiw, that's why UDP is used for things like streaming video and SIP
08:08 < kexman> it completely makes sense now
08:08 < ecrist> with live/streaming media, by the time we know there's an error, we don't want to correct it because it's now out of context.
08:09 < ecrist> !tcp
08:09 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
08:09 < kexman> double error checking + more overhead right?
08:09 < ecrist> that link explains the inverse as to why using TCP over a TCP tunnel is broken
08:09 < kexman> that's why it's bad
08:09 < ecrist> yep, and you end up with a race condition
08:09 < ecrist> so the overhead has the literal potential to consume your entire tunnel
08:10 < kexman> uhum
08:12 < sunrider> yeah i don't understand this at all and i usually figure these things out in time
08:13 < sunrider> still struggling with route
08:14 < sunrider> now, if i tick the use tap device in gnome network manager
08:14 < sunrider> then the internet simply will not work
08:15 < dazo> !factoids search tun
08:15 < vpnHelper> dazo: 'mactuntap', 'tunortap', and 'tunnelblick'
08:15 < dazo> !tunortap
08:15 < vpnHelper> dazo: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins
08:15 < dazo> havoc: sunrider: ^^
08:15 < havoc> dazo: yup, I'm paying attention, thank you :)
08:15 < sunrider> okay
08:16 < havoc> !wins
08:16 < vpnHelper> havoc: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
08:16 < dazo> havoc: in the old days, TAP was the only thing Windows supported ... but I believe that has changed now
08:16 < havoc> dazo: ah
08:16 -!- jhp [n=jhp@zeus.jhprins.org] has quit [Read error: 111 (Connection refused)]
08:16 < havoc> oh, I already have wins, it's a routed env :)
08:17 < havoc> and if tun does all IP bcast should be unaffected
08:17 < havoc> and if tun does all IP, then bcast should be unaffected
08:17 < havoc> and/or multicast, which our PBX does
08:19 < havoc> so basically *only* use TAP for bridging
08:19 < sunrider> it's pretty infuriating
08:19 < dazo> havoc: or ... if you need to do IPv6 over the tunnel ... or IPX ... or some Apple weirdo protocols and such things
08:19 < sunrider> i'm getting drunk because of it
08:20 < havoc> dazo: ok
08:20 < sunrider> misters, http://pastie.org/725518
08:20 < havoc> ok, so use TAP if you need non-ipv4
08:20 < sunrider> that's my `route`
08:21 < dazo> You could say that TAP gives you a 100% virtual NIC, which behaves just like a physical NIC .... while TUN is just partly working like that, more like a PPP device
08:21 < havoc> dazo: ok
08:21 < havoc> someone here once said something about layer2 attacks on tap ifaces
08:21 < dazo> havoc: yeah, that's a good summary ... no bridging && ipv4 == tun ;-)
08:21 < sunrider> tap seems to be preferred for that reason
08:21 < dazo> layer2 attacks?
08:21 < sunrider> if it disregards your eth0, that seems to be a good thing
08:22 < havoc> s/attacks/exploit/
08:22 < havoc> TAP gives me more flexibility on the serverside though without needing to change any client configs
08:23 < dazo> I'm still not sure what you aim at .... the traffic going in to a TAP device will go straight into an OpenVPN process ... and what's going out of OpenVPN will go straight to the TAP device ... and two OpenVPN processes need to communicate to make it work ...
08:24 < havoc> I'm using TAP just fine, but last time I was here I was told "never never use TAP"
08:25 < dazo> yeah, because it's more overhead ... you transport layer2 traffic over the VPN tunnel .... instead of pure IP traffic if you use tun
08:25 < havoc> right, so now I'm trying to figure out if I need, or ever will need, layer2 and/or non-ipv4
08:26 < havoc> using tap I was able to reconfigure the whole network w/o changing client configs
08:27 < havoc> but it's all routed now and I don't anticipate ever going back to bridging
08:27 < dazo> I don't see why that's not possible with TUN, though .....
08:27 < dazo> yeah ... if all is routed ... then TUN will be just as fine
08:27 < havoc> dazo: e.g. switch from routed <-> bridged
08:27 < dazo> network reconfigs will be just fine with TUN .... it's just to modify the routes
08:28 < dazo> and if routes are pushed from the openvpn server .... you have it centralised as well
08:28 < sunrider> havoc, how did you route it?
08:28 < havoc> they are, and it's all dhcp, including reservations/fixed-addressing based on the TAP/TUN vMAC
08:29 < havoc> sunrider: it's all on a debian box w/ multiple nics, have 7(?) zones/subnets
08:29 < sunrider> christ
08:29 < havoc> that box does the routing, firewalling, and dhcp-relay or dhcp
08:30 < havoc> the one servicing the active directory network does dhcp-relay to the internal AD/DHCP/DNS box, and does cache-only + forward-only DNS for all subnets
08:31 < havoc> my home network has 3 physical subnets and 3 vpn subnets, one of which connects as a client to the office net and MASQs traffic, and does forward-only DNS for the AD zone
08:32 < havoc> there's more, but that's the gist of it :)
08:32 < havoc> I'm just investigating if the benefits of TUN v. TAP outweigh the work it'll take to convert
08:37 < sunrider> why don't i have push
08:37 < sunrider> there is no push
08:43 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
08:51 < sunrider> hmm no wonder
08:53 < havoc> forgot to declare it? :)
08:53 < sunrider> it's a server.conf thing
08:53 < sunrider> i don't have server access
08:53 < havoc> ah
09:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:12 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:14 -!- bostik_ [n=bostik@213-209-160-195.ip.skylogicnet.com] has joined ##openvpn
09:14 < bostik_> hi all
09:14 < bostik_> i have a dubt
09:14 < bostik_> doubt
09:15 < bostik_> i have a running openvpn instance
09:15 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
09:16 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
09:16 < bostik_> i issued the command ./clean-all
09:16 < bostik_> and then ./build-ca in easy-rsa dir
09:16 < bostik_> i wonder if i fucked up my configuration
09:17 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:17 < bostik_> at the moment i have ca.crt ca.key index and serial file in my keys directory
09:17 < bostik_> i think i have a backup copy of those files
09:17 < bostik_> is it safe to use the backup files?
09:19 -!- sunrider [n=kosmic@unaffiliated/spice] has left ##openvpn []
09:34 < ecrist> bostik_: yes, you fucked up your configuration
09:34 < ecrist> just your SSL certificates, though
09:34 < ecrist> but, it's an easy fix - just pull them out of your backups
09:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
09:46 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:55 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
09:55 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:55 -!- sunrider [n=kosmic@unaffiliated/spice] has joined ##openvpn
09:55 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has quit [Read error: 54 (Connection reset by peer)]
09:56 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has joined ##openvpn
09:57 < sunrider> so i have a computer behind a nat from which i want to establish a connection to a vpn server on the internet
09:57 < sunrider> what should i do
09:57 -!- pgrace_ [n=pgrace@vsix.me] has joined ##openvpn
09:58 < pgrace_> does anyone know if there's an actual signed TAP driver for windows 7 x64 in the works?
09:58 < pgrace_> I've tried the workaround to get it to install but it's not happening
10:01 -!- LobbyZ` is now known as LobbyZ
10:06 < pgrace_> ooh, appears I had the wrong installer...
10:06 < pgrace_> this link helped me: http://www.surfbouncer.com/Windows_7.htm
10:06 < vpnHelper> Title: Windows 7 OpenVPN Install (at www.surfbouncer.com)
10:06 -!- pgrace_ [n=pgrace@vsix.me] has left ##openvpn []
10:08 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
10:09 < havoc> sunrider: what is there to do? The client just connects
10:12 -!- hyper_ch [n=hyper@89-47.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:15 < sunrider> havoc, it connects but the vpn might as well not be active as nothing i do, network wise, gets routed over it
10:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
10:18 < dazo> sunrider: have you tried to do 'route -n' after your VPN tunnel is set up? Does it give you any routing info saying that some networks should go through the VPN interface?
10:18 < havoc> yeah, the routes you pasted before were only for eth0
10:20 < dazo> sunrider: then you either miss 'push "route "' in the server config ..... or just a plain 'route ' in the client config
10:20 < sunrider> i don't have access to the server dazo
10:21 < dazo> but you have a client config available, I presume? Read the second half of the line you just read
10:21 < havoc> you can add routes yourself on your end anyway, if you know what they are
10:21 < sunrider> http://pastie.org/725777
10:21 < sunrider> there, some routes for tap0
10:21 < sunrider> heh
10:22 < dazo> well, here you should route all internet traffic via tap0 ... no magic here ...
10:23 < sunrider> how can i do that?
10:23 < dazo> you already do that ....
10:23 < dazo> 0.0.0.0 80.254.76.129 0.0.0.0 UG 0 0 0 tap0
10:23 < dazo> (world gateway netmask device)
10:23 < sunrider> nothing works when that route is active
10:23 < sunrider> not even ping
10:24 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
10:24 < dazo> not even ping to 80.254.79.87, 10.0.0.1 or 80.254.76.129?
10:24 < robert_> krzie, moo. :P
10:26 < sunrider> ping to 80.254.79.87 and 10.0.0.1 works
10:28 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:32 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:33 < sunrider> but not, say, google.com
10:34 < havoc> if all traffic is redirected over the VPN, routing to external networks is dependent on routing on the server side
10:35 < havoc> routing and/or firewalling
10:39 < sunrider> the serverside should be reaching the internet
10:39 < dazo> sunrider: have you tried tcpdump on the tap0 device when pinging?
10:40 < dazo> when pinging 80.254.76.129, that is
10:40 < dazo> because if you see you send ICMP echo requests on the tap0 device but do not get a reply back ... it's the server side which got troubles
10:44 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
10:44 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
10:45 < sunrider> i see no icmps being sent over the wire, just this same arp request `who has 80.254.76.129 tell 80.254.76.183`
10:47 < sunrider> i think there are issues somewhere
10:51 -!- Sky[x] [n=SkyB0x@213.143.86.40] has joined ##openvpn
10:53 -!- HD2 is now known as HardDisk_WP
10:55 -!- SkyX [n=SkyB0x@213.143.86.40] has joined ##openvpn
10:56 -!- SkyX- [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:00 -!- sunrider` [n=pax@80-254-76-160.dynamic.swissvpn.net] has joined ##openvpn
11:00 < sunrider`> wow
11:00 < sunrider`> i guess it works
11:00 < sunrider`> thanks for your help dazo and havoc
11:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
11:07 -!- sunrider` [n=pax@80-254-76-160.dynamic.swissvpn.net] has quit ["leaving"]
11:09 -!- Sky-X [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
11:09 -!- Sky[x] [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
11:11 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
11:14 -!- SkyX [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
11:23 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has joined ##openvpn
11:23 < grendal_prime> hey guys. Anyone get a chance to look at my log files i uploaded yesterday.
11:23 < grendal_prime> ?
11:23 < grendal_prime> I had an issue where a client was just all of a sudden revoked.
11:24 < sunrider> link?
11:24 -!- dazo is now known as dazo_afk
11:25 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has joined ##openvpn
11:26 -!- cokes [n=cokes@87-198-213-218.ptr.magnet.ie] has quit ["Leaving"]
11:30 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:31 -!- yoshx [n=yoshx@78.114.253.27] has quit [Read error: 110 (Connection timed out)]
11:36 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
11:38 -!- Wicaeed [n=craig@66-224-171-138.atgi.net] has joined ##openvpn
11:40 -!- le0 [n=itsle0@87.112.250.227] has quit ["Leaving"]
11:45 -!- FirstSgt_ [n=cheney@cpe-76-182-199-229.tx.res.rr.com] has left ##openvpn []
11:53 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
11:59 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:00 -!- Sky[x] [n=SkyB0x@213.143.86.40] has joined ##openvpn
12:03 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
12:06 -!- Intensity [i=[AQytNdW@unaffiliated/intensity] has joined ##openvpn
12:18 -!- SkyX- [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
12:23 -!- Sky[x] [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
12:23 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [No route to host]
12:25 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)]
12:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
12:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:34 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
12:39 -!- _LowKey [i=rhel@72.20.2.134] has quit [Read error: 110 (Connection timed out)]
12:42 -!- McManiaC [n=McManiaC@n-sch.de] has joined ##openvpn
12:42 < McManiaC> hi
12:44 < McManiaC> !howto
12:44 < vpnHelper> McManiaC: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:45 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
12:45 < McManiaC> hmm I don't really get how to use my vpn server with multiple clients
12:46 < McManiaC> connecting with one client works but if I connect with a second client this client gets the same IP as the first client and the first will lose connection
12:46 < McManiaC> http://npaste.de/6M/ client.conf and http://npaste.de/6L/ server.conf
12:47 < krzee> McManiaC, you are using the same cert for the second client
12:47 < krzee> make client #2 a second cert
12:47 < krzee> each client gets their own
12:48 < McManiaC> does the server need to know these certs?
12:48 < krzee> nope, signed by the same CA
12:48 < McManiaC> (do you create them on the client machine or does the server need to "hand out" these certs?)
12:49 < krzee> neither, they get signed by the same CA machine
12:49 < krzee> the machine where you made the server cert and your first client cert
12:50 -!- bostik_ [n=bostik@213-209-160-195.ip.skylogicnet.com] has quit [Remote closed the connection]
12:50 < McManiaC> ok
12:50 < McManiaC> which script is that again? one of those easy-rsa I guess?
12:50 < McManiaC> build-ca?
12:51 < krzee> it's all in the howto
12:51 < McManiaC> ok
12:51 < McManiaC> got it, thx :)
12:51 < krzee> yw
13:01 < McManiaC> one more question
13:01 < McManiaC> if I allow client-to-client connections - will the traffic still go through the server or on a direct connection between the 2 clients?
13:08 < julius> via the server
13:09 < teddymills> can a reverse ssh tunnel replicate the functionality of openvpn?
13:09 < julius> uh
13:10 < julius> don't ssh tunnels require your applications to use a socks interface?
13:20 < krzee> they do
13:21 < krzee> which you can set up without support from the app using something like proxifier or socksify
13:21 < julius> indeed, but that cannot be compared to a full ip (or ethernet)-layer direct network connection :)
13:22 < krzee> agreed
13:22 < krzee> although personally i use my vpn like !redirect except instead of redirect-gateway i use a socks server on the server inside the vpn and proxify certain apps over that
13:23 < krzee> that way i can selectively use the vpn to route stuff based on app/subnet/port or any combination i choose
13:24 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
13:24 -!- corretico_ [n=laguilar@201.201.46.106] has quit ["Leaving"]
13:25 < julius> I'd even set up a real http proxy if I could decide which one to use
13:26 < krzee> dante is a nice socks proxy
13:26 < krzee> can handle udp too
13:33 -!- dli [n=dli@69.172.97.211] has quit [Read error: 110 (Connection timed out)]
13:34 -!- dli [n=dli@69.172.97.211] has joined ##openvpn
13:35 < julius> krzee: looks fairly straightforward. I think last time I found that the firewall context scared me away too soon :)
13:37 -!- Sky[x] [n=SkyB0x@213.143.86.40] has joined ##openvpn
13:38 < krzee> http://www.ircpimps.org/sockd.conf
13:38 < krzee> there's a basic config
13:38 < krzee> since you only run it on the vpn interface it can be unsecured
13:38 < krzee> openvpn already secures it
13:39 < julius> it'd forward (http|.*)s traffic for important connections anyway :)
13:40 -!- SkyXX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:40 < krzee> do NOT run that config outside openvpn
13:40 < krzee> it's an open proxy, bad
13:47 < grendal_prime> sunrider: you still available
13:49 -!- SkyXX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)]
13:49 -!- SkyXX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
13:49 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
13:50 -!- SkyX [n=SkyB0x@213.143.86.40] has joined ##openvpn
13:55 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has quit ["Ex-Chat"]
13:57 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has joined ##openvpn
13:57 < grendal_prime> can anyone suggest a cbt on openvpn?
13:57 -!- Sky[x] [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
13:59 -!- Han [n=han@unaffiliated/han] has joined ##openvpn
13:59 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:00 < Han> Hi, this is weird. I had a working vpn, moved the server elsewhere, changed the hostnames and all and now in the log I get this: Thu Dec 3 20:58:27 2009 Initialization Sequence Completed
14:00 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
14:00 < Han> So I think it would work. But nothing happens, I can't even get a ping across.
14:00 < Han> What's happening?
14:00 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:02 < grendal_prime> a lot of possible variables there Han
14:03 < Han> I got it, Thu Dec 3 21:01:09 2009 TCP/UDP: Incoming packet rejected from xxx:49296[2], expected peer address: xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
14:03 < Han> Now why would the source port have changed. There is no nat along the way.
14:04 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
14:07 < Han> Oh wait. Now I get it. It's because I tested the port with netcat. back to square 1
14:09 -!- SkyXX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
14:11 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:14 -!- Patric3 [n=Patric3@it040352.massey.ac.nz] has quit [Read error: 110 (Connection timed out)]
14:18 -!- SkyX [n=SkyB0x@213.143.86.40] has quit [Connection timed out]
14:25 < Han> ping: sendmsg: Operation not permitted
14:28 < Han> Ha! it's the firewall on the client.
14:29 < Wicaeed> Does anyone know, if you are trying to allow a VPN connection from a client on a 192.168.1.x/24 network, to a remote pfsense machine, also on a 192.168.1.x/24 network, would forcing all traffic to go through the vpn tunnel prevent the remote client from having any issues because they are on the same /24 subnet? Or is that simply the #1 no-no of VPNs?
14:30 < krzee> !local
14:30 < vpnHelper> krzee: "local" is a flag for --redirect-gateway, Add the local flag if both OpenVPN machines are directly connected via a common subnet, such as with wireless.
14:30 < krzee> oh remote
14:30 < krzee> ya that's a no-no
14:31 < krzee> conflicting subnets
14:31 < krzee> change a subnet and you're fine
14:34 < Han> NP:
14:35 < Han> ahem. Anyway, I got it figured out and I am now listening to music over nfs over openvpn.
14:35 < Han> http://www.fs-security.com/docs/vpn.php
14:35 < vpnHelper> Title: Virtual Private Networking - Firestarter (at www.fs-security.com)
14:39 -!- gregd [n=gregd@AVelizy-151-1-53-109.w82-120.abo.wanadoo.fr] has joined ##openvpn
14:39 -!- gregd [n=gregd@AVelizy-151-1-53-109.w82-120.abo.wanadoo.fr] has left ##openvpn []
14:40 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
15:14 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["BRB"]
15:15 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
15:18 < havoc> yup, I think I will add a 2nd local vpn subnet
15:18 < havoc> just eliminate --client-to-client, but continue to push routes and control the rest on the server w/ iptables (shorewall)
15:18 < havoc> yay 4 subnets on my home network
15:24 < krzie> all --client-to-client does is bypass packets hitting the kernel in the server
15:25 < krzie> with it the packets are routed from 1 client to another within the server process
15:25 < havoc> ah
15:25 < krzie> without it they pass from server proc to kernel, hit routing table and firewall, and if allowed they go back to the server proc
15:25 < havoc> so if I'm handling it in iptables it's irrelevant
15:25 < krzie> you can ONLY handle it in iptables without client-to-client
15:25 < havoc> (in netfilter actually)
15:26 < havoc> ah, that's what I want
15:26 < krzie> if the "it" is something from 1 client to another and the iptables is on the server
15:26 < krzie> the only way iptables sees the traffic is without --client-to-client
15:26 < havoc> for this segment I don't want clients to see each other; this is my "support" zone
15:26 < krzie> !client-to-client
15:26 < vpnHelper> krzie: "client-to-client" is When this option is used, each client will see the other clients which are currently connected. Otherwise, each client will only see the server. Don't use this option if you want to firewall tunnel traffic using custom, per-client rules.
15:26 < krzie> grr 15:26 < krzie> !forget client-to-client 15:26 < vpnHelper> krzie: Joo got it. 15:27 < havoc> ok, so I'm still doing what I want 15:27 -!- grendal_prime [n=sgraham@riverbank.fpdomain.com] has quit ["Ex-Chat"] 15:29 < havoc> I setup openvpn on all friends'/family's machines w/ service set to auto 15:29 < havoc> so their machines are always on my network and I can RDP/VPN in whenever, back them up, etc... 15:30 < havoc> s/VPN/VNC/ 15:30 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 15:31 < krzie> !learn client-to-client as with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind other clients. 15:31 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 15:32 < havoc> yup, that was my original understanding 15:32 < krzie> !learn client-to-client as with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind other clients. 15:32 < vpnHelper> krzie: Joo got it. 15:32 < krzie> !client-to-client 15:32 < vpnHelper> krzie: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. 
without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind other 15:32 < vpnHelper> krzie: clients. 15:32 < krzie> there we goes 15:33 < krzie> !c2c 15:33 < vpnHelper> krzie: Error: "c2c" is not a valid command. 15:33 < krzie> !learn c2c as [client-to-client] 15:33 < vpnHelper> krzie: Joo got it. 15:33 < krzie> !c2c 15:33 < vpnHelper> krzie: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind 15:33 < vpnHelper> krzie: other clients. 15:35 < havoc> bah, I guess I am sticking with TAP devices 15:35 < havoc> that was a waste 15:35 < reiffert> a rubbish. 15:36 < krzie> tap!? 15:36 < krzie> !tunortap 15:36 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Don't waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins 15:36 < havoc> hmm, maybe not, the ifconfig is just different for TUN 15:37 < krzie> !learn tunortap also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over the vpn 15:37 < vpnHelper> krzie: Invalid arguments for learn. 15:37 < krzie> !learn tunortap as also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning against you over the vpn 15:37 < vpnHelper> krzie: Joo got it. 
15:38 < krzie> if you don't have a specific layer2 protocol you need over the vpn, you want tun 15:40 < havoc> yup, already been over this again and again trying to decide 15:40 < havoc> the TUN ifconfig syntax just confused me momentarily 15:43 < havoc> doh, TUN requires ifconfig on remote side too? 15:43 < havoc> ok, now to figure out how dhcp works into this 15:44 < krzie> erm 15:44 < havoc> should be the same, just need the ifconfig directive flipped on the clients? 15:44 < krzie> you don't need ifconfig at all 15:44 < krzie> just use --server on the server 15:44 < krzie> like so: 15:44 < krzie> !sample 15:44 < havoc> logs say I do with --dev tun 15:44 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 15:44 < krzie> right but there's a server command which expands to handle the ifconfig and pushes the ifconfig to clients as well 15:44 < krzie> it handles all that for you 15:45 -!- dli [n=dli@69.172.97.211] has quit ["Leaving"] 15:45 < havoc> ah, so don't need ifconfig on server with TUN 15:45 < krzie> see --server in the manual 15:45 < krzie> !man 15:45 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
15:45 < havoc> already there 15:45 < krzie> =] 15:46 < krzie> technically you need ifconfig, but server handles it on both sides in 1 simple command 15:47 < havoc> ah, so just a simplification 15:48 < havoc> yup, it did what I just did with ifconfig on both ends, but this is easier 15:50 < havoc> this is just goofy as I have to get shorewall all setup at the same time or nothing works 16:01 < havoc> and back up :) 16:01 < ecrist> krzie: FS FTW 16:01 < krzie> =] 16:01 < krzie> it's nice ain't it 16:02 < krzie> havoc 16:02 < krzie> --server network netmask 16:02 < krzie> A helper directive designed to simplify the configuration of OpenVPN's server mode. This directive will set up an OpenVPN server which will allocate addresses to clients out of the given network/netmask. 16:02 < krzie> helper directive = simplification, so exactly as you said =] 16:03 < havoc> doh, don't need to push local [vpn] subnet route with --server, --server already adds it 16:03 < krzie> correct, see the man for everything it does 16:03 < krzie> see --keepalive for another useful helper directive 16:04 < havoc> already in there 16:04 < havoc> this is just a conversion from TAP to TUN 16:04 < havoc> the addition of another vpn is negligible, and has been done many times already 16:05 < havoc> got my own mini Net here ;) 16:05 < krzie> if you have admin access on all machines in the tap setup, log into them over the vpn and adjust the config (after testing on a box you can access easy) 16:06 < havoc> ha, not as easy 16:06 < krzie> then when you restart the service it will leave the tap vpn and access the tun one 16:06 < havoc> big site has a bunch of client configs I'll have to deal with 16:06 < krzie> ya there's something to be said for doing it right the first time ;] 16:06 < havoc> the server side is easy, the luser support side, not as easy :| 16:06 < havoc> the first time we needed bridged 16:07 < krzie> the other 2 options are giving new configs to the users or automating the process 16:07 < 
havoc> there was no "right", no other choice 16:07 < krzie> what layer2 proto did you need at the time? 16:07 < havoc> krzie: I can email them the configs 16:07 < krzie> btw you can use cd instead of full paths, will be easier for the (l)users 16:08 < havoc> cd for what? 16:08 < havoc> all they need is to change dev to tun from tap, I just have to get it done 16:08 < krzie> ie: instead of ca /home/krzee/vpn/keys/ca.crt you could use cd /home/krzee/vpn/keys and ca ca.crt 16:08 < havoc> these are all win32 clients 16:08 < krzie> works in windows too 16:08 < krzie> ca as in the openvpn command not unix command 16:09 < krzie> err cd 16:09 < havoc> did 1.0.9 do TUN on win32? 16:09 < krzie> no idea but I guarantee 1.x only did ptp, no server/client mode 16:09 < havoc> or whatever came with the last stable OpenVPN-GUI release from openvpn.se? 16:09 < krzie> ohh that's not 1.x 16:09 < krzie> that's 2.x, that's wingui1.0.9 16:10 < havoc> cuz that's what most of them are running I think, only the vista/win7 guys have the latest from openvpn.net 16:10 < krzie> sure it'll do tun 16:10 < havoc> ok, did/does that do tun? 16:10 < havoc> ok, then I just need to get tap changed to tun on all the configs 16:10 < krzie> possibly 16:10 < havoc> I'm the domain admin so if their laptops are in the office it's no problem to do myself 16:11 < havoc> it'll work, I just tested on my machine 16:11 < krzie> werd 16:11 < havoc> ...my laptop 16:11 < havoc> even remembered to update /etc/shorewall/tunnels :) 16:11 < havoc> I usually forget that one 16:11 < krzie> for the vpn subnet you are not using the same as any existing subnet, right? 16:12 < havoc> correct 16:12 < krzie> you pushed the route to the real lan subnet which lies behind the server? 
16:12 < havoc> I've got 4 at home, 9 at the office, and 3 others I MASQ to my home network from other locations 16:13 < havoc> now that I have some time I can explain the layer2 thing 16:13 < havoc> we had two office locations connected via a Canopy system that went down more than it was up... 16:13 < havoc> we had Net at both locations, but only had money for a single DHCP server 16:14 < havoc> so net at one location never got used 16:14 < krzie> what's Net? 16:14 < havoc> at this point is when I got hired and inherited a network where the Canopy system was bridging 16:14 < havoc> Internet connection 16:15 < havoc> they had many hardcoded IPs setup at the "remote" location so I had to ease into things, so I setup the VPN bridged initially and used the Net and Canopy connections at will to route the VPN connection 16:16 < havoc> then I eventually got around to converting to a routed network but never got around to changing the VPN device 16:16 < havoc> oh yeah, *I* am this company's IT Dept.; one person :( 16:17 < havoc> the past few years have been "If it ain't broke, don't fix it", too many other pressing issues 16:23 < havoc> huh, clients are now getting IPs from ovpn server, not dhcp server 16:24 < krzie> yupyup 16:24 < havoc> um, unacceptable 16:24 < krzie> and feel free to setup static ips on them if needed with: 16:24 < havoc> now to figure out how to keep dhcp working.... 16:24 < krzie> !static 16:25 < vpnHelper> krzie: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 16:25 < krzie> why in the world do you think you need the dhcp server? 16:25 < havoc> I need it done with the dhcp server 16:25 < krzie> why do people always incorrectly think that? 16:25 < havoc> because I'm one person handling hundreds of hosts 16:25 < krzie> ...and? 16:25 < havoc> 4 places to manage is easier than 20? 
16:26 < krzie> is the server also your dhcp server? 16:26 < havoc> in 2 of 4 cases, yes 16:26 < krzie> well you can use an external script to hand out ips any way you like 16:26 < krzie> like 16:26 < krzie> !iporder 16:26 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 16:27 < krzie> #1 would be your option of choice 16:29 < havoc> yeah, not liking TUN now :( 16:29 < havoc> much much more work 16:29 < havoc> especially on the big AD site 16:29 < havoc> DHCP updates the DNS which updates the WINS 16:31 < havoc> ok, back to TAP it is, for now.... 16:32 < havoc> I guess it *might* be possible if I bridged the tun with another iface dhcp was listening on, but I'm not going to get into that now 16:32 < krzie> lol 16:32 < krzie> you can just script up all that stuff 16:32 < krzie> rather simple 16:33 < krzie> and no it still wouldn't work 16:33 < krzie> dhcp bs is layer2 16:33 < krzie> but it's a terrible reason to tunnel layer2 16:33 < krzie> with that said, it's your network, do whatever you like 16:33 < havoc> well until I can spare the 20hrs it'll take for the one M$ site it'll have to do 16:33 < havoc> what I "like" is irrelevant :( 16:34 < krzie> that's great until some user gets owned and your whole network is insecure 16:34 < krzie> I own one stupid user and I own your whole network because you used tap 16:34 < havoc> same with TUN 16:34 < krzie> negative 16:34 < havoc> they have full access 16:35 < havoc> how would you have less access with TUN? 
16:35 < havoc> they already have access to everything 16:35 < krzie> negative 16:36 < krzie> layer3 access and layer2 access are VERY different 16:36 < krzie> layer2 I just arp poison you and sniff everything I need 16:36 < krzie> layer3 I still need to exploit you 16:36 < krzie> layer2 wasn't made to be secure AT ALL 16:36 < havoc> you need their machine for the layer2 though, right? 16:37 < krzie> only 1 anywhere on your vpn or lan 16:37 < havoc> but you need access to the machine, right? 16:37 < krzie> own 1, own the whole infrastructure 16:37 < krzie> not physical access, just access 16:37 < krzie> note, you have given them ALL this access 16:37 < krzie> any 1 person gets owned (ie exploit?) and your whole infrastructure is owned 16:38 < krzie> with tun it's not as simple 16:38 < havoc> nothing is simple with tun 16:38 < havoc> ...apparently 16:38 < havoc> just a lot more work 16:38 < krzie> cause in your head dhcp is the only way to do anything 16:39 < havoc> tell it to M$ 16:39 < krzie> in reality you can accomplish everything without it 16:39 < krzie> update wins? push the dhcp option 16:39 < havoc> yeah, I can hardcode and manage 50 x 2 DNS records 16:39 < krzie> update dns? push the dhcp option 16:39 < krzie> !pushdns 16:39 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 16:39 < havoc> another problem is them switching subnets 16:39 < krzie> hardcode? script it, it's easy 16:39 < krzie> firewall rules? 
script it, it's easy 16:40 < havoc> firewall is not an issue, period 16:40 < havoc> the netbios crap is 16:40 < krzie> it is if only selective clients get access to certain stuff 16:40 < havoc> the M$ DHCP needs to know where the machine is 16:40 < krzie> ie: contractors get certain access, admins access to all, normal limited access 16:41 < havoc> you're funny 16:41 < krzie> actually you are 16:41 < havoc> CYA is the first thing I did 16:41 < krzie> for 1, you use windows for your servers, hilarious 16:41 < havoc> actual signed paper in my firesafe 16:41 < havoc> again, you're funny, never said they were *mine* :( 16:42 < havoc> I can choose to deal with it, or look for a new job 16:43 < havoc> bah, just a pita :( 16:43 < havoc> if openvpn only did dhcp-relaying 16:50 -!- sant0 [n=chatzill@187-26-12-215.3g.claro.net.br] has joined ##openvpn 16:51 < havoc> hmm, --topology 16:51 < krzie> !topology 16:51 < vpnHelper> krzie: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:51 < krzie> =] 16:52 < havoc> that's what the man page says :) 16:52 < havoc> doesn't help me w/ the dhcp issue, but it's still an improvement 16:54 < havoc> bcast is IP, should be layer3, right? 16:54 < havoc> same with mcast? 
16:55 < krzie> neg 16:55 < krzie> but there are bcast relays 16:55 < krzie> (3rd party) 16:55 < krzie> I've never used any, but reiffert has spoken of them 16:55 < havoc> hmm, the work network uses both 16:55 < havoc> VOIP/SIP use both 16:56 < krzie> umm no 16:56 < krzie> voip uses udp, and will work over tun 16:56 < krzie> I've used voip over tun many many times 16:56 < havoc> ok 16:58 -!- aland [n=aland@apple.rat.burntout.org] has joined ##openvpn 16:59 < aland> !topology 16:59 < vpnHelper> aland: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:59 < sant0> please can strip my doubts! I have 1 array and 2 branch would like to know if a program array affiliates will get the food ... it works as local network to some 17:00 < krzie> sant0 I take it english is not your first language 17:00 < krzie> I have no idea what you're asking 17:01 < sant0> krzie: yes pt-br 17:01 < krzie> Brazilian! 17:01 < sant0> krzie: yes Brazilian 17:02 < krzie> I speak no portuguese but if you try asking in spanish maybe I'll undersdtand you 17:02 < krzie> understand* 17:03 < aland> Hi.. 17:03 < sant0> krzie: ok 17:03 < aland> I'm using openvpn from Debian Lenny 17:04 < aland> and I'm trying to improve the throughput 17:04 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 17:04 < aland> testing throughput with Iperf , not using the openvpn tunnel 17:05 < krzie> be sure to use UDP for the tunnel 17:05 < krzie> if throughput is bad you can also try checking the mtu 17:05 < krzie> !mtu 17:05 < vpnHelper> krzie: "mtu" is see --mtu-test to learn how to test your MTU settings. 
Basically you just use --mtu-test in your normal client config 17:05 < sant0> krzie: I have my doubts about the creation of a joint project between the 1 and 2 two branches interlinked with the local network, because I have to put the centralized program of 17:06 < sant0> krzie: I think that's it 17:06 < krzie> damn, I still don't understand =[ 17:06 < krzie> sorry bro I still don't understand 17:09 < krzie> sant0, are you trying to say you would like to connect a couple LANs using openvpn? 17:11 < sant0> krzie: Yes, it works more like a local area network 17:11 < sant0> krzie: yes it works more like local area network 17:12 < krzie> what you want depends on whether you are going to use layer2 or layer3 (layer2 uses MAC address, layer3 uses IP address) 17:12 -!- pm2 [n=pm2@143.105.104.59] has joined ##openvpn 17:12 < krzie> if you are going to use layer3 you can use this: 17:12 < krzie> !route 17:12 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:12 < krzie> it might be hard for you to understand as it is only in english 17:13 < krzie> screen -r 17:13 < krzie> hah wrong win 17:14 < pm2> Greetings - I have a Linux firewall box that does NAT for an internal LAN of mostly Windows machines. I want to setup the firewall as an openvpn server, so that clients can access the internal network. They will commonly need to use the MS remote desktop tool to connect to internal PCs. Is OpenVPN routing adequate for this, or will I need to use bridging? 17:14 < reiffert> havoc: pptp comes with bcrelay 17:14 < krzie> routing is good for this 17:14 < reiffert> havoc: and there are other open source projects. 17:15 < krzie> make sure the win firewalls know to allow the vpn subnet to access the remote desktop 17:15 < krzie> (@pm2) 17:15 < krzie> pm2, also see !route if needed 17:15 < pm2> krzie, thanks 17:15 < havoc> reiffert: pptp for what? 
17:15 < krzie> if that's the ONLY lan shared over ovpn all you need is the push route in the server 17:16 < reiffert> havoc: pptp for having bcrelay in the source tree. 17:16 < reiffert> 23:55 < krzie> but there are bcast relays 17:16 < reiffert> 23:55 < krzie> I've never used any, but reiffert has spoken of them 17:16 < reiffert> 00:14 < reiffert> havoc: pptp comes with bcrelay 17:16 < sant0> krzie: I do not write but I understand the reading 17:16 < krzie> sant0, perfect =] 17:16 < havoc> reiffert: ah, for bcast, not dhcp 17:17 < pm2> krzie, that's what I thought, just checking. I was more concerned if the MS Remote Desktop client needed funky network capabilities only supported by bridging 17:17 < krzie> !learn bcast as pptp source tree has bcrelay in it, bcrelay can be used to relay broadcasts over a tun setup 17:17 < vpnHelper> krzie: Joo got it. 17:18 < krzie> pm2, nope it will work as long as the win firewall is setup correctly 17:18 < reiffert> krzie: avahi comes with a broken mcast relay. 17:18 < pm2> krzie, awesome, thanks 17:18 < krzie> but broken? 17:18 < krzie> pm2, np =] 17:19 < reiffert> krzie: works for subnet-subnet relays, but not for subnet-subnet-subnet. 17:19 < reiffert> krzie: lan-openvpn-lan 17:19 < sant0> krzie: I doubt I can access a program matrix normal 17:20 < reiffert> krzie: they claim that it's a feature for filtering out query loops, but it just sucks. 17:20 < reiffert> krzie: zeroconf, apple, u' know? 17:22 < aland> I've run --mtu-test 17:22 < aland> and it returns 1541 as mtu size 17:22 < aland> my problem is 17:22 < aland> if I do 17:22 < reiffert> 1541 the year of the 30 year potato war? 
17:23 < aland> iperf -c 209.234.x.y 17:23 < sant0> krzie: thanks 17:23 < aland> where 209.234.x.y 17:23 < havoc> screw it, the office stays on TAP, it makes no difference what the VPN is if *any* luser can get owned and comp the network 17:23 < aland> is my vpn endpoing 17:23 < aland> is my vpn endpoint 17:23 < aland> I get 22.2 Mbits/sec 17:23 < aland> when I go 17:24 < havoc> TUN is attractive for the performance only 17:24 < aland> iperf -c 10.87.23.1 17:24 < havoc> I'll use TUN for *my* network 17:24 < aland> where 10.87.23.1 is the tunnel end 17:24 < aland> I get year potato war? 17:24 < aland> 23:20 < aland> iperf -c 209.234.x.y 17:24 < aland> 3.69 Mbits/sec 17:24 < krzie> sant0 you're welcome =] 17:25 < aland> oops 17:26 < aland> anyway .. there is a big difference in the throughput inside and outside the tunnel 17:26 < aland> 22 Mbit outside, 4 Mbit inside 17:26 < aland> Tunnel is using udp and tun 17:26 < aland> with lzo compression 17:26 < reiffert> check without lzo. 17:26 < aland> ok 17:27 < krzie> also check with differing ciphers, in fact test cipher none as well 17:27 < krzie> and differing OS's if possible 17:27 < aland> using the default blowfish at the moment 17:27 < krzie> I know the windows tuntap drivers are inefficient and cause significant slowdown 17:27 < aland> just using debian lenny 17:28 < reiffert> aland: using 2.1rc22? 17:28 < aland> I'm unlikely to use another os 17:28 < krzie> I can't speak on the linux tun 17:28 < krzie> but I do know to expect slowdown over the tunnel, from reading over benchmarks done by devs 17:29 < krzie> (although they were specifically testing win32's interface 17:31 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 17:32 < krzie> I should benchmark freebsd tuntap sometime, I have 2 colo'ed fbsd boxes at the same location 17:38 < aland> reiffert: its the openvpn in lenny 2.1~rc11-1 17:38 < aland> are there benchmarks available on the web ? 
17:39 < aland> without lzo and unencrypted made no difference to my throughput 17:41 < aland> !logs 17:41 < vpnHelper> aland: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 17:42 < aland> !configs 17:42 < vpnHelper> aland: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:43 < krzie> Notes -- OpenVPN Performance Benchmarks 17:43 < krzie> bottom of this page: 17:43 < reiffert> aland: you'd better compile 2.1rc22 yourself. I know it compiles fine on debian. 17:43 < krzie> http://www.openvpn.net/index.php/open-source/documentation/install.html?start=1 17:43 < vpnHelper> Title: Installation (Win32) - Page 2 (at www.openvpn.net) 17:43 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 17:45 -!- c99 [n=c99@83.136.90.2] has joined ##openvpn 17:48 -!- vaq [n=c99@vaq/unaffiliated] has quit [Read error: 60 (Operation timed out)] 17:49 < aland> those benchmarks are interesting 17:50 < havoc> "Only TAP virtual devices are supported on Windows, not TUN devices." 
17:50 < havoc> that's outdated 17:52 < aland> 1733.84 Kbytes/s == 13870.72 Kbits/s 17:53 < aland> which on a 100mbit link points to 14% of wire speed 17:53 < aland> that was with the blowfish 17:54 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:54 < aland> I wonder what the load was on the machines 17:54 < aland> and what raw iperf would have shown 17:58 -!- pm2 [n=pm2@143.105.104.59] has quit [Read error: 110 (Connection timed out)] 18:02 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn 18:10 < krzie> havok, that is very very outdated 18:10 < krzie> hell they were using openvpn 1.x 18:10 < krzie> but it's all I've seen 18:11 < havoc> yeah, above that it says the new TAP-win32 does TUN 18:11 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 18:15 < havoc> krzie: yeah, I'll just stick w/ tap at the office as even the local tools get their desktops comp'd 18:16 < havoc> and for me it doesn't matter if it's TUN or TAP, but the TUN performance is attractive 18:16 < krzie> cool 18:16 < krzie> it's an informed decision, that's what matters =] 18:16 < havoc> krzie: I've been reading up, it's not as bad as I thought 18:17 < havoc> ...no worse than a non-vpn situation in this case, anyway 18:17 < havoc> need to comp the machine 18:17 < havoc> which these morons do with frightening regularity, although a lot of that is coming to an end now that I have a new boss 18:18 < havoc> I'm still not "allowed" to make policy, but most of my recommendations are being accepted now 18:18 < havoc> ...now that we've had several years of going in the wrong direction :( 18:18 < krzie> I'm so glad I've never been in that situation 18:18 < krzie> I couldn't handle a non techie boss telling me I couldn't do things the right way 18:18 < havoc> it bothers me philosophically, but as I said, first thing I did was get that CYA piece of paper 18:19 < krzie> what's CYA? 
18:19 < havoc> Cover Yer Arse 18:19 < krzie> hahaha 18:20 < havoc> and if a laptop ever gets stolen a ton of corp info is on it anyway so disabling the vpn key still wouldn't halt dissemination 18:20 < havoc> and no, not encrypted 18:21 < krzie> wow 18:21 < havoc> and no passphrases on keys, these guys can't remember squat 18:21 < havoc> while my passwds look like line noise 18:21 < krzie> what a terrible way to do things 18:21 < krzie> one day when you get the other stuff in line you can go to those kerberos tokens 18:21 < havoc> they're still doing things the way they did them back when it was a 3 person startup 20yrs ago 18:21 < krzie> the lil keychain that has changing passkeys 18:22 < havoc> yes, need fobs 18:22 < krzie> ya that's the name! 18:22 < havoc> that's the only way it could get done with this crew 18:22 < havoc> the little RSA things on the keychains 18:22 < havoc> ...until they lose their keys ;) 18:22 < krzie> haha ya 18:23 < havoc> I may even stick w/ TAP for my stuff, but that's different as my laptop rarely leaves my person when it's not in the house 18:23 < krzie> but there's always that to figure out, the balance between security and easiness 18:23 < havoc> yes, and it's ever-changing 18:23 < havoc> and changes a lot with changes in administration 18:24 < krzie> well at least they're lengthening your leashe 18:24 < krzie> leash 18:24 < havoc> in reality encrypting a laptop hdd is more important 18:24 < havoc> kind of, as I said I still don't make policy, but at least now someone's listening 18:25 < krzie> that's step 1 18:25 -!- pm2 [i=8f690d46@gateway/web/freenode/x-brkrfwnjyugipsny] has joined ##openvpn 18:25 < pm2> Hi - Is there a way to install and run openvpn on windows without admin privileges? 
18:25 < havoc> as far as the machines on one of my VPN segs likely to get owned, they're cut off from everything already anyway 18:25 < krzie> pm2, no 18:26 < havoc> there's a faq about that 18:26 < pm2> darn, ok thanks 18:26 < krzie> you always need admin/root privs for openvpn as it needs to change routing table and interface stuff 18:26 < krzie> there's a way to RUN it as non admin, but takes being admin to setup 18:26 < havoc> need to run as service, but still need to be admin to install 18:26 < pm2> I see... 18:27 < krzie> havok, can even be run manually as non-admin 18:27 < krzie> !win-noadmin 18:27 < vpnHelper> krzie: Error: "win-noadmin" is not a valid command. 18:27 < havoc> ah, manually 18:27 < krzie> !factoids search win 18:27 < vpnHelper> krzie: 'winroute', 'winpass', 'win_noadmin', 'win_rollup', 'winipforward', '2.1-winpass-script', 'wintaphide', 'wins', 'win7', 'winnat', 'win_ipfail', 'win2k8', and 'sudowin' 18:27 < krzie> !win_noadmin 18:27 < vpnHelper> krzie: "win_noadmin" is (#1) http://openvpn.se/files/howto/openvpn-howto_run_openvpn_as_nonadmin-Rev1.1.html for HowTo Run OpenVPN as a non-admin user in Windows, or (#2) and http://article.gmane.org/gmane.network.openvpn.user/24873 for vista 18:27 < pm2> Out of curiosity, can anyone recommend a way to distribute an OpenVPN client setup to non-technical windows users in a way that will at least be moderately easy for them to use? 
18:27 < krzie> pm2, absolutely 18:27 < krzie> batch scripting 18:28 < pm2> I'm using a no-certificate, username/password setup 18:28 < krzie> they double-click a batch you made which does everything 18:28 < krzie> and you should really think about using certs with the pass auth too 18:28 < pm2> that's what I figured, didn't know if there was anything better 18:29 < pm2> krzie: I personally want to use certs, my boss doesn't :-( 18:29 < havoc> hahahah 18:29 < krzie> wow today is "my boss sucks" day around here 18:29 < havoc> pm2: welcome to my world ;) 18:29 < havoc> kind of, I use certs 18:29 < havoc> ...and TLS 18:30 < pm2> Maybe I can sell him on the idea - the concern is that it would be over-complicated for some non-technical users... but maybe we can work something out 18:30 < pm2> Personally I'm interested in using USB-based "smartcards" or something to that effect 18:30 < havoc> they still don't have to remember anything, it's just a file on their machine 18:30 < havoc> yeah, we're nowhere near that yetr 18:30 < havoc> yet 18:30 -!- master_of_master [i=master_o@p549D7D8B.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:30 < krzie> hell it's easier than passwords 18:30 < havoc> yeah, until they get lost :) 18:31 < pm2> Well, the trick is getting a unique file to each user 18:31 < havoc> I try to explain "layered security" to these guys and it's just not "cost effective" :( 18:31 < krzie> there are 3 types of auth in security in general, something you have (ie cert file), something you know (ie: password), something you are (biometrics) 18:31 < krzie> best security uses more than 1 18:31 < havoc> krzie: yeah, that's one way of describing it 18:32 < havoc> I usually describe it as Identification and Authorization 18:32 -!- McManiaC [n=McManiaC@n-sch.de] has left ##openvpn [] 18:32 < pm2> well, thanks for the help and advice, I'm going to switch to another Windows machine I have admin on to test my setup here... 
18:32 < krzie> np 18:32 < havoc> biometrics is ident 18:32 < havoc> the others are auth 18:32 -!- pm2 [i=8f690d46@gateway/web/freenode/x-brkrfwnjyugipsny] has quit ["Page closed"] 18:32 < krzie> havok, I know what you mean 18:32 < havoc> yeah, I figured you would 18:33 < krzie> I think my way is easier for corp types to grasp 18:33 < havoc> it's just how I try to sell it to non-techies 18:33 < havoc> I know of many govt. agencies too focused on Auth that they have no audit trail of *who* 18:34 < krzie> the something you have can take care of both as well 18:34 < havoc> it shouldn't be something that can be transferred to another individual like a passwd or physical token 18:34 < krzie> although not as well as something you are of course 18:34 < havoc> you need biometrics in *Addition* 18:34 < krzie> I fully agree for most secure env 18:34 < havoc> but then biometrics can fail so you need Oversight to handle that as well 18:35 < krzie> correct 18:35 < havoc> you *always* need oversight 18:35 < krzie> aye 18:35 < havoc> the cost of Security is eternal Vigilance? 18:35 < krzie> I love the mythbusters episode where they beat those laptop finger scanners with a touched up scan of the finger 18:36 < havoc> even *worse* is when they systematically *fail* when it's a legit user :( 18:36 < havoc> worse for support personnel anyway 18:36 < krzie> I'll take a false neg over a false positive in that dept any day 18:36 < krzie> even if it is a PITA 18:37 < krzie> of course in a perfect world you'd get neither 18:37 < havoc> I'll take that only if it's my ass on the line ;) 18:37 < krzie> lol 18:37 < krzie> point taken ;] 18:38 < havoc> I won't tell anyone what to do or not do twice if it's Not My Problem :) 18:39 < havoc> I've been involved in so much crap when the security is ~3% of what it should be that I've basically stopped caring 18:39 < krzie> beaten into submission 18:40 < havoc> e.g. 
corp I work with having kiosk type things in the general public, outside, unsupervised, etc..., on *government* contracts 18:40 < havoc> you need many layers of security and oversight, most of which don't exist 18:41 < havoc> they can pitch me the concept in 30sec. and I can nail all the flaws immediately; Does anything get done about it? Heck no. 18:41 < havoc> which is fine I guess as long as it's not my info (as a private citizen) and not my responsibility :( 18:42 < krzie> heh 18:42 -!- master_of_master [i=master_o@p549D67C7.dip.t-dialin.net] has joined ##openvpn 18:42 < krzie> just outta curiosity you ain't the same havoc that used to roll with chuwy on efnet, right? 18:43 < havoc> in the end you can't stop a determined party from gaining access to anything, but you need to *know* when it happens and have a plan for handling it 18:43 < havoc> krzie: not likely, I despise efnet 18:43 < krzie> this is true, but you can make it a serious PITA and have enough tripwires in place to know about it 18:43 < havoc> I'd use my realname as nick, but it was already reg'd 18:44 < havoc> krzie: yeah, I'm just saying that someone actually has to be monitoring it ;) 18:44 < havoc> ...in a reasonable timeframe 18:44 < krzie> sms 18:44 < havoc> sure 18:44 < havoc> but not a week later when someone happens to glance at a log ;) 18:45 < krzie> yup 18:45 < havoc> and then there's profiling 18:45 < havoc> i.e. 
have a human whating some aggregated status reports hourly or something so they'll notice activity out of profile 18:46 < havoc> watching 18:46 < krzie> or a script =] 18:46 < krzie> im into automation, humans suck 18:46 < havoc> "qualified" human is better for Oversight 18:47 < krzie> qualified script > qualified human 18:47 < krzie> ;] 18:47 < havoc> yeah, the script logic is sometimes dificult to code/quantify though 18:47 < krzie> this is true, but it can be done in many cases 18:48 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"] 18:48 < havoc> but still need the scripts, that would be the aggregation I spoke of, but you need a human to watch that 18:48 < krzie> aggregation could be done with remote syslog 18:48 < havoc> anyway, my ideas are apparently too costly for what they do 18:48 < krzie> and a single server to run the scripts on for all machines 18:48 < havoc> Sell it now, Fix it later. 18:48 < krzie> i said that bad but think you caught it 18:49 < havoc> oh I fully understand 18:49 < havoc> the point is that understanding Security has very little with understanding Technology 18:49 < havoc> the tech is just specifics 18:50 < krzie> cant understand sec without understanding the tech 18:50 < krzie> but most def can understand tech without sec 18:50 < havoc> it's the concepts of levels of access and contingency that you have to understand first 18:51 < havoc> I mean you have to understand Security, what it means, what it's intended to accomplish, etc.., first before you understand the tech to *implement* it 18:51 < havoc> i.e. before you've chosen an implementation 18:51 < havoc> as opposed to just buzzwords 18:51 < krzie> ahh you meant the idea of sec and the implimentation for tech 18:51 < krzie> i gotchya 18:52 < havoc> which is all that govt. 
RFP guys seem to know 18:54 < havoc> and there are obviously tradeoffs, but you should know what they are and be willing to accept them 18:54 < havoc> I usually explain it as a linear spectrum: Security <----> Convinience 18:54 < havoc> Convinience/Cost I guess 18:55 < havoc> you can't have more of one without less of the other 18:55 < krzie> yup 18:55 < havoc> you just have to pick a justifiable point 18:55 < havoc> but again, you have to *know* enough to make that justification 19:00 < havoc> krzie: you use shorewall at all? 19:03 < krzie> nope 19:03 < krzie> not into gui firewalls 19:03 < krzie> (thats what it is, isnt it?) 19:04 < havoc> nope 19:04 < havoc> it's bash/perl scripts/confs for managing netfilter and a couple other things 19:05 < havoc> way better than my old iptables crap 19:05 < havoc> shorewall.net 19:06 < krzie> oh 19:06 < havoc> there are others as well, but not gui; gui can't handle everything netfilter can do 19:06 < havoc> ...and iproute, etc... 19:07 < krzie> pf ftw ;] 19:07 < havoc> pfsense is fine on bsd 19:07 < havoc> no use on linux ;) 19:07 < krzie> pfsense is the gui bs way 19:07 < krzie> pf by itself ftw 19:08 < havoc> ok 19:08 < krzie> but ya no use on linux still 19:10 -!- master_of_master [i=master_o@p549D67C7.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 19:10 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 19:19 -!- master_of_master [i=master_o@p549D67C7.dip.t-dialin.net] has joined ##openvpn 19:20 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 19:49 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 19:53 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 20:25 < teddymills> ftw! Whats up with that misplaced anger? 20:32 -!- sant0 [n=chatzill@187-26-12-215.3g.claro.net.br] has quit [Read error: 110 (Connection timed out)] 20:33 < krzie> anger? 
20:33 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:33 < krzie> ftw = for the win
20:33 < krzie> (not fuck the world)
20:33 < theDoc> o/
20:33 < krzie> lol
20:49 -!- pm2 [n=chatzill@143.105.49.214] has joined ##openvpn
20:49 < teddymills> 'for the win' is much more positive than the other one :)
20:52 < pm2> Does anyone know of a free web-based certificate management software that can make the creation/revocation of ssl certificates a little more user friendly?
21:10 < pm2> Is there something special I need to do to see debugging output from authentication plugins? I'm trying to use an ldap plugin that's crashing my vpn server
21:34 < krzie> question 1, not that i know of, however ssl-admin is a user friendly perl script
21:34 < krzie> !ssl-admin
21:34 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
21:35 < krzie> question 2, you can mod the script to output as you see fit, i am not familiar with that script, it may have something already
21:44 -!- pm2 [n=chatzill@143.105.49.214] has quit ["ChatZilla 0.9.84 [Firefox 3.5.2/20090729225027]"]
21:45 < havoc> krzie: where are you?
21:46 < krzie> right here
21:46 < krzie> wassup?
21:46 < havoc> I'm in WI, US, just wondering where you were
21:47 < krzie> ohh
21:47 < krzie> im from cali but i live in the caribbean
21:47 < havoc> you seem to be on a later schedule than me
21:48 < havoc> anyway, bedtime, night night
21:49 < krzie> bed time!?
21:49 < havoc> I get up ~03:30 every day
21:49 < krzie> WOW
21:49 < krzie> im still up at 3:30 every day
21:50 < havoc> I'll say hi if I see you in the morning :)
21:50 < havoc> but seriously, night night :)
21:50 < krzie> gnite
21:55 -!- fuffalo [n=fuffalo@S0106002191ea672c.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
22:38 -!- rgov [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has joined ##openvpn
22:38 < rgov> !route
22:38 < vpnHelper> rgov: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
22:51 -!- rgov [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has quit ["Leaving."]
23:13 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has joined ##openvpn
23:18 < rgov> I'm horribly under-familiar with networking but for an online competition tomorrow I am using OpenVPN on a gateway to connect to the competition network. The problem is, while the gateway itself can talk either to the Internet or to hosts on the VPN, the machines which use the gateway only seem to route through the VPN.
23:18 < rgov> Does that make any sense?
23:22 < Bushmills> "machines using the gateway" need to access internet through VPN while gateway could route them directly to internet?
23:36 < rgov> no it's probably doing that and I don't want it to
23:36 < rgov> the gateway *should* route them directly to the internet
23:36 < rgov> i dont want all traffic to pass through the VPN
--- Day changed Fri Dec 04 2009
00:08 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection]
00:10 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
00:21 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has quit ["Leaving."]
00:25 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has quit [Remote closed the connection]
00:28 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has joined ##openvpn
01:07 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has quit ["Leaving."]
01:09 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has joined ##openvpn
01:10 -!- hyper_ch [n=hyper@215-131.3-85.cust.bluewin.ch] has joined ##openvpn
01:49 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
01:54 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:20 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
02:33 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
03:03 -!- dazo_afk is now known as dazo
03:36 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection]
03:52 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
03:59 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:33 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
04:33 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
05:26 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn
05:27 < havoc> yay friday
05:31 < hyper_ch> is it?
06:02 < sunrider> i hate asking for this but
06:02 < sunrider> i need to punch these numbers into a second computer http://pastie.org/private/k48wmfp9ch2xrefeaqhdrg
06:02 < sunrider> how would the route command look on the 2nd pc
06:03 < dazo> route add default gw 80.254.76.129 tun0 ... iirc
06:03 < sunrider> let me see
06:05 < havoc> dazo: so, I figured out who told me layer2/tap was bad ;)
06:06 < dazo> havoc: who?
06:06 < havoc> dazo: krzie, scroll back a little, most of the conversation here yesterday was the two of us discussing it :)
06:07 * dazo is not surprised at all :)
06:07 < sunrider> hmm it didnt seem to work giving error message SIOCADDRT no such process
06:07 < havoc> so now I know the details of both TAP and TUN intimately
06:07 < havoc> ...at least the effects of using either
06:08 < sunrider> i think there is an issue with fedora not setting this up automatically
06:09 < sunrider> havoc, so what is preferred
06:13 < havoc> sunrider: TUN is always *preferred*, and offers better performance
06:14 < havoc> but for the time being I'll be sticking with TAP
06:16 < havoc> right *now* the risks associated with TAP are minimal compared to the cost of converting
06:16 < havoc> that'll likely change in a few months or so though
06:17 < havoc> and the risks are also negligible compared to other issues that need to be addressed aside from the vpn
06:17 < havoc> but the main risk of TAP is "layer2 attacks" such as MitM via ARP cache poisoning
06:18 < dazo> sunrider: you are starting openvpn as root? ... only root is allowed to modify the routing table, you know ...
06:18 < havoc> dazo: you can sudo it ;)
06:19 < dazo> havoc: that's the same as running the process as root ;-)
06:19 < havoc> yup
06:19 < havoc> but I'm not talking about sudo the ubuntu way; I mean enter the commands necessary in /etc/sudoers so you can do it as a user w/o root passwd
06:20 < dazo> yeah, but the process will still run with root privileges via sudo ... sudo does not change that behaviour, no matter how you configure sudo
06:20 < havoc> correct
06:23 < dazo> when I said "starting openvpn as root", I did not indicate how the process got root access .... I just said, it must be run as root ... how you achieve that, that's another topic :)
06:25 < sunrider> i run openvpn through the gnome network manager
06:26 < dazo> ugh ... NM-openvpn sucks big time ... it does a lot of unexpected magic, and doesn't support a lot of the very useful openvpn features ...
06:28 < dazo> If gui is a must .... I'd probably put my bet on this one: http://gopenvpn.sourceforge.net/ .... at least, you have the "pure" config files here ... which means better config control .... but not sure how it solves the "run as root" issue
06:28 < vpnHelper> Title: gopenvpn (at gopenvpn.sourceforge.net)
06:28 < sunrider> i dont need a gui just something that will cache the incredibly long passphrase in ram
06:30 * dazo thought that was the default behaviour of openvpn ...
06:30 < sunrider> lets hope. okay let me get to it
06:31 < dazo> unless --auth-nocache is enabled, passwords should reside in memory as long as openvpn is running
06:33 < sunrider> okay
06:33 < sunrider> silly me
06:33 < sunrider> i hope the password is not turned into the encryption key heh
06:33 < sunrider> i use the user/pass login method
06:34 < sunrider> with just the server ca.crt
06:38 < havoc> I know kvpn uses the ovpn configs as is
06:38 < havoc> so does whatever the Mandriva network manager thing is
06:39 < sunrider> lol sweet!
06:39 < sunrider> it ran the route correctly and all!
06:39 < sunrider> it worked in other words :)
06:39 < havoc> sunrider: nice :)
06:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
06:40 < sunrider> but! openvpn is running as root
06:41 < sunrider> guess i can fix that with --user
06:41 < havoc> yup
06:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:49 < sunrider> Fri Dec 4 13:48:26 2009 us=42509 Tried opening /dev/tun188 (failed): No such file or directory (errno=2)
06:49 < sunrider> guess it doesnt want to create a tun without root
06:52 < sunrider> what are you suggesting
06:54 < dazo> sunrider: --user is used to revoke root privileges when openvpn has started and doesn't need root privileges anymore .... not for anything else
06:55 < sunrider> that's what i thought it did dazo
06:55 < krzee> 188?
06:55 < dazo> probably a missing line break
06:56 < sunrider> i had --verbose at 11
06:56 < dazo> but tun188 sounds utterly wrong, though
06:56 < sunrider> and yes, there were 188
06:56 < sunrider> and more
06:56 < dazo> !configs
06:56 < vpnHelper> dazo: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:56 < sunrider> it went from 1 to 255
06:56 < krzee> 188 and more tun devs?
06:56 < dazo> then I can have a better understanding of what you do
06:57 < dazo> On Linux, there's only /dev/net/tun (2.6.31 kernel) .... nothing more .... tunX is not managed by /dev
06:57 < krzee> i still wanna know what theres 188 of
07:02 < havoc> and I thought my 9 ifaces was a lot :)
07:04 < krzee> it is!
07:05 < ecrist> old versions of openvpn had to create a unique tun interface per connected client
07:06 < krzee> 1.x
07:06 < krzee> but there were no 'clients'
07:06 < krzee> each was a separate process in ptp mode
07:08 < sunrider> what config file
07:09 < sunrider> this is a sight for sore eyes
07:09 < sunrider> it's running openvpn as user...openvpn ;)
07:10 < sunrider> the reason it failed to connect twice was me using --keysize 448 with --cipher bf-cbc
07:11 < sunrider> btw, my passphrase is just too damn long
07:12 < sunrider> dazo http://www.pastie.org/private/psff6nau6jcalkgk2ae6ow
07:12 < sunrider> that's my .ovpn file, i think its the only config file i have
07:14 < dazo> sunrider: and you run this as root like: openvpn --config swissvpn.ovpn ?
07:14 < sunrider> yeah
07:14 < sunrider> also --user openvpn
07:14 < sunrider> it seems to work fine now
07:15 < sunrider> ;)
07:15 < krzee> you can put user openvpn in the config
07:15 < krzee> any -- options can be put in config without the --
07:15 * dazo wonders why the heck he is looking at this config file if everything is working .....
07:15 < krzee> also drop group privs
07:15 < krzee> --group
07:15 < sunrider> dazo, lol yeah
07:15 < sunrider> group privs too hmm ok
07:15 * dazo disappears for a while .... lunch time
07:16 < havoc> 07:16 here, quite a while til lunch
07:18 < dazo> well, I'm about 2 hours late for my lunch ;-)
07:38 < Bushmills> 2 hours and 2 minutes, actually, as it took you about two minutes to tell us.
07:45 < dazo> heh
07:49 < sunrider> regarding auth-user-pass, is the pass used to derive data channel encryption keys?
07:53 < ecrist> no
07:58 < sunrider> i thought so too until i saw "please note that the security of your VPN connection is linked to the strength of your password"
08:00 < sunrider> that btw is what the vpn server owner says
08:08 < krzee> sunrider, you also have certs?
08:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)]
08:10 < dazo> sunrider: if there is a simple password, without certificates as in your setup ... it means that it is easy to bruteforce an access to the VPN .... that's how that warning is meant
08:11 < dazo> sunrider: the SSL protocol takes care of a temporary encryption key for the session, which happens through a key exchange handshake between the openvpn server and client
08:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:15 < dazo> sunrider: so the password openvpn asks for, will only be used for authentication, nothing else
08:16 < krzee> the config has a ca file
08:17 < krzee> but no client crt or key
08:17 < sunrider> understood dazo
08:17 < krzee> so the ca file is useless
08:17 < sunrider> yeah, the ca file is used to auth the server
08:17 < krzee> ya you're right
08:17 < krzee> my bad
08:17 < sunrider> heh the odd thing with this server might be that it only supports blowfish
08:18 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
08:18 < dazo> sunrider: no, that's not odd ... that's how the server is configured ;-) ... OpenVPN only supports one cipher for the data channel
08:18 < sunrider> heh just one
08:19 < dazo> just one configured cipher, I meant ... it does not support several ciphers which the client and server agree to use
08:19 < ecrist> sunrider: the warning you mention means that if you have a password of 1234, it's easy to guess, so there's no point in using passwords if they're going to be easy
08:19 < sunrider> yeah. i expected it to be like openssh, supporting several ciphers and letting the user decide
08:20 < dazo> openvpn --show-ciphers lists all the ciphers available for the data channel .... and --show-tls for the SSL key exchange stuff
08:20 < sunrider> ecrist, that does make sense. most users pick weak passwords which are completely unsuited to be used as crypto keys
08:20 < dazo> exactly
08:33 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection]
08:43 -!- hyper_ch [n=hyper@215-131.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
08:52 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
09:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
09:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:19 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
09:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
09:40 -!- rgov [n=Adium@cpe-74-67-0-90.nycap.res.rr.com] has quit ["Leaving."]
09:56 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has joined ##openvpn
10:05 -!- hyper__ch [n=hyper@adsl-89-217-81-227.adslplus.ch] has joined ##openvpn
10:05 -!- hyper_ch [n=hyper@adsl-89-217-86-229.adslplus.ch] has quit [Nick collision from services.]
10:05 -!- hyper__ch is now known as hyper_ch
10:12 -!- rgov [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has joined ##openvpn
10:23 -!- rgov1 [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has joined ##openvpn
10:24 -!- rgov1 [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has quit [Remote closed the connection]
10:27 -!- pm2 [n=chatzill@143.105.51.13] has joined ##openvpn
10:27 -!- rgov [n=Adium@thunderbirds-19.dynamic2.rpi.edu] has quit [Read error: 60 (Operation timed out)]
10:28 < pm2> Hi - I'm trying to get pam_ldap setup to authenticate usernames/passwords against active directory. The error messages I'm getting if I try to ssh in are pasted at http://pastebin.com/m25a4f1ea .
10:28 < pm2> Based on what I read online, it looks like this might be because I do not have pam_nss setup, and I do not have local user accounts with the name bjones. Thus, it's automatically failing regardless of what AD says. I don't actually want to enable logins, as I am just trying to setup a PAM service for OpenVPN to authenticate username/passwords against
10:28 < pm2> Any recommendations?
10:36 < havoc> pm2: from the errors it looks as if the ldap connection to the AD server is failing, without that nothing else can work
10:36 < pm2> havoc: I don't know - something must be connecting to AD to translate the "bjones" username to the dn "CN=Bob Jones,OU=Employees,DC=myorg,DC=local"
10:36 < havoc> it seems to find the user, but it looks as if the AD server is throwing the first error
10:37 < havoc> right, but it's the AD server throwing the auth error, which is just getting passed up the line
10:37 < pm2> havoc: I see...
10:38 < havoc> note that it is also possible that the incorrect credentials are getting passed along to the AD server
10:38 < pm2> havoc: I don't know if it makes a difference, but the first two lines in the log actually appear before the user is even prompted for a password
10:38 < pm2> havoc: let me try a couple things
10:40 < havoc> I've done some AD integration for some other unix stuff, it ain't fun
10:40 < havoc> I usually find the answer through *lots* of googling and trial and error :(
10:40 < havoc> AD != LDAP
10:41 < pm2> havoc: yeah, I'm hoping it ends up being close enough for this to work tho
10:43 < pm2> if I do ldapsearch -x -D "cn=bob jones,ou=Employees,dc=physamb,dc=local" -W -h 192.168.1.151 and enter bob jones's password, it binds successfully
10:43 < pm2> Could PAM be passing along the wrong password
10:43 < havoc> that's one of the things I said :)
10:45 < pm2> ah - is there a way to check for that?
10:45 < havoc> no clue
10:45 < havoc> there's gotta be some verbose logging you can enable
10:45 < havoc> or tshark
10:56 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
10:57 < havoc> cpm: hiya
11:00 -!- gizmo-- [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has joined ##openvpn
11:12 < cpm> havoc, good day
11:17 < pm2> havoc: Based on what I find online, ( http://wiki.linuxquestions.org/wiki/Pam_ldap#Invalid_user.2FInvalid_credentials ) it looks like I'm seeing this behavior because of a lack of NSS info available... does that make sense?
11:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
11:33 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
11:35 -!- dazo is now known as dazo_afk
11:38 < sunrider> dns servers dont seem to be responsive on the other line
11:38 < sunrider> is there a switch for adding my own dns servers?
11:42 < bvierra> hey guys, I am getting ready to do a fairly decent sized roll out (over 100 servers, 10 POP's) with everything being redundant... I know this is a stretch but are there any good programs/scripts/whatever to help manage a larger setup?
11:44 < sunrider> nevermind
11:44 < sunrider> i found it in the manual
11:45 < sunrider> i dont know bvierra but good luck
11:45 < bvierra> heh thanks :)
11:49 < bvierra> !forum
11:49 < vpnHelper> bvierra: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
11:50 < bvierra> !howto
11:50 < vpnHelper> bvierra: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:50 < sunrider> !dns
11:50 < vpnHelper> sunrider: "dns" is Level3 open recursive DNS server at 4.2.2.1
11:50 < bvierra> umm is openvpn.net down for anyone else?
11:52 < bvierra> nm seems it is ok now :)
12:14 -!- bandini [n=bandini@host120-105-dynamic.45-79-r.retail.telecomitalia.it] has joined ##openvpn
12:26 -!- coil [i=imgay@unaffiliated/coil] has quit ["http://znc.in"]
12:28 -!- ikla [n=lbz@fw1.aspsys.com] has joined ##openvpn
12:29 < ikla> does openvpn server need restarted after a CRL update?
12:30 -!- coil [i=imgay@unaffiliated/coil] has joined ##openvpn
12:30 < |Mike|> try it
12:32 < ecrist> no
12:46 < teratoma> i wrote some scripts to automate bundling client keys and configuration into a zip file, then noticed some guy on the internet named 'LoneWolf' did a better job. He should somehow get his stuff included in the OpenVPN sample files
12:51 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
12:52 < ecrist> !ssl-admin
12:52 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
12:52 < ecrist> I wrote that, and OpenVPN isn't interested
13:09 < havoc> pm2: sorry, no idea
13:22 < teratoma> automatically generating certificate bundles for clients could be easily automated with some bash scripts
13:23 < ecrist> teratoma: ssl-admin does some of that.
13:23 < ecrist> easy-rsa *is* a set of bash scripts
13:23 < teratoma> you know what i mean
13:29 < |Mike|> no we don't /
13:38 -!- pm2 [n=chatzill@143.105.51.13] has left ##openvpn []
13:39 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:59 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
14:11 < ecrist> teratoma: ssl-admin does what you want, i think
14:12 < ecrist> if not, it can be easily made to do what you want.
14:33 < |Mike|> what's a good tool to create network diagrams?
14:33 < |Mike|> ip + services
14:34 < ecrist> I use dia or Omnigraffle
14:35 < |Mike|> is that also available on macos?
14:36 < ecrist> omnigraffle is for mac
14:36 < ecrist> dia is kinda cross-platform, as long as you have X
14:36 < ecrist> dia=free, omnigraffle=pay
14:37 * |Mike| checks
14:43 < |Mike|> ecrist: thanks!
14:51 < ecrist> np
15:14 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
15:14 -!- APTX| [n=APTX@213.251.162.70] has joined ##openvpn
16:02 -!- pm2 [n=pm2@143.105.104.59] has joined ##openvpn
16:03 < pm2> Hi - Is it possible to setup a VPN server that requires username/password ONLY from certain clients; and certificates ONLY from another client?
17:01 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood]
17:02 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
17:13 -!- corretico [n=laguilar@201.201.46.106] has quit ["Leaving"]
17:14 < teratoma> sure. make a key with "build-key" or make a key with "build-key-pass"
17:40 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
18:02 -!- ikla [n=lbz@fw1.aspsys.com] has quit ["Leaving"]
18:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:08 -!- Wicaeed [n=craig@66-224-171-138.atgi.net] has left ##openvpn []
18:26 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
18:27 < robotti^> is openvpn secure?
18:31 < bvierra> robotti^, compared to what?
18:34 < robotti^> ipsec?
18:59 < krzee> more secure if history = future
18:59 < krzee> but your question is really "is openssl secure?"
19:00 -!- master_of_master [i=master_o@p549D67C7.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:03 -!- master_of_master [i=master_o@p549D78B5.dip.t-dialin.net] has joined ##openvpn
19:11 -!- yoshx [n=yoshx@78.114.253.27] has quit [Read error: 110 (Connection timed out)]
19:14 -!- jean001 [n=chatzill@APoitiers-552-1-58-2.w92-136.abo.wanadoo.fr] has joined ##openvpn
19:17 < robotti^> krzee: is openssl secure?
19:18 -!- jean001 [n=chatzill@APoitiers-552-1-58-2.w92-136.abo.wanadoo.fr] has left ##openvpn []
19:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Read error: 113 (No route to host)]
19:33 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
19:33 -!- newmember_ [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Remote closed the connection]
19:43 < Bushmills> I intend to put openvpn on the machine of a not very technical windows user, and redirect all traffic over vpn. however, for the unlikely case that vpn server is down, I'd like him to be able to fall back to original default route. so redirect-gateway def1 it would be. what would i use on that windows machine, allowing pushbutton operation to turn client on/off (redirect/no redirect)?
19:45 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."]
19:49 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)]
20:13 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:36 < krzee> openvpn gui makes it pretty simple
20:36 < krzee> but also, when the vpn goes down he wont be able to connect, so routes wont change
21:00 < Bushmills> i thought of the situation when he is connected already. default. "something" doesn't work, so he can toggle.
21:00 < Bushmills> including the case that vpn server operation is interrupted.
21:07 < bvierra> Bushmills, I would just use the OpenVPN GUI
21:07 < bvierra> Right click -> connect, Right Click -> Disconnect
21:07 < Bushmills> ok, will check that out
21:08 < Bushmills> (never seen openvpn on non-unixoids)
21:08 < bvierra> http://openvpn.se/files/install_packages/openvpn-2.0.9-gui-1.0.3-install.exe
21:09 < bvierra> openvpn + gui
21:09 < Bushmills> oh, not now. installation will take place in a few days, i suppose
21:09 < bvierra> well thats the link :)
21:09 < bvierra> actually I lied
21:09 < bvierra> that is an old ver
21:09 < bvierra> http://openvpn.net/release/openvpn-2.1_rc22-install.exe
21:09 < Bushmills> unix generated certificated and keys are compatible with windows version?
21:10 < Bushmills> certificates
21:10 < bvierra> yep
21:10 < Bushmills> that helps
21:10 < bvierra> just drop everything in the C:\Program Files\OpenVPN\config
21:10 < bvierra> the config file should be named client.ovpn
21:10 < bvierra> and not client.conf
21:10 < bvierra> you can then click on config file and start it up
21:11 < Bushmills> and the gui is an extra program, or the normal openvpn client?
21:11 < bvierra> its both
21:11 < Bushmills> ok
21:11 < bvierra> I installed it a few hrs back
21:11 < bvierra> works fine
21:12 < Bushmills> user is fed up with spycom provider
21:12 < bvierra> heh
21:13 < bvierra> I started on a 100 client setup today
21:13 < Bushmills> bottleneck network speed or encryption on server?
21:14 < bvierra> me having to create the damn crt's
21:14 < bvierra> I am actually going to do 2 server in active active mode
21:15 < bvierra> I will prob code an expect script to do all this crap for me tomorrow
21:17 < Bushmills> can't you pass all input as vars? are there fields to input which actually require expect?
21:17 < bvierra> I have yet to really play with it so im not sure
21:18 < bvierra> I did the actual users today
21:18 < bvierra> so manually wasnt a bad thing
21:18 < bvierra> the other 85 or so are all servers in 9 POP's
21:18 < Bushmills> i'd keep expect as solution if nothing else works.
21:19 < bvierra> yea
21:19 < bvierra> looking at the configs now
21:19 < bvierra> I think if I export the commonName I should be good
21:19 < Bushmills> remembering automated account/password creation with generated passwords, using expect, before I knew about chgpasswd instead of passwd :)
21:20 < bvierra> hehe
21:20 < bvierra> yep
21:20 < Bushmills> cybercafe, tickets for timed user accounts...
21:21 < bvierra> and I know it likes to ask if you want to Sign the certificate
21:27 < Bushmills> krzee: ping
22:05 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
22:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:06 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit [Read error: 113 (No route to host)]
23:41 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
23:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
--- Day changed Sat Dec 05 2009
00:04 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
00:13 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit [Remote closed the connection]
00:15 < krzee> pong
00:15 < krzee> wassup bro
00:34 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
00:53 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
00:54 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
00:55 -!- buntfalke_ is now known as buntfalke
01:04 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
--- Log closed Sat Dec 05 01:18:41 2009
--- Log opened Sun Dec 06 08:30:04 2009
08:30 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
08:30 -!- Irssi: ##openvpn: Total of 79 nicks [0 ops, 0 halfops, 0 voices, 79 normal]
08:30 -!- Irssi: Join to ##openvpn was synced in 3 secs
08:31 -!- barbosa [n=barbosa@189.114.47.209] has joined ##openvpn
09:08 -!- hyper_ch [n=hyper@adsl-89-217-81-227.adslplus.ch] has joined ##openvpn
09:14 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
10:50 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
10:51 < balboah> Is it possible to have your --up script connect to an endpoint over the currently created vpn tunnel?
10:53 < balboah> or where can I hook a script up when the network is in a functional state?
10:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:03 -!- BrixSat [n=i_dont_k@bl9-23-227.dsl.telepac.pt] has joined ##openvpn
11:04 < BrixSat> Hello
11:04 < BrixSat> :) im using openvpn in windows 7 and it connects ok but my
11:04 < BrixSat> :) im using openvpn in windows 7 and it connects ok but i cant view the remote server shared folder like i would see when using normal windows vpn
11:05 < BrixSat> why?
11:05 < BrixSat> it is connected but appears like it is not working
11:06 < balboah> BrixSat: try running it with administrator privileges
11:06 < BrixSat> it is :)
11:07 < theDoc> is your vpn server permitting you to access subnets behind it?
11:07 < BrixSat> yes
11:08 < theDoc> Are you able to ping by ip to your remote shares?
11:09 < BrixSat> no
11:09 < BrixSat> cause it seems like the vpn is on but i dont really see it working
11:09 < theDoc> BrixSat> Because you have a configuration mistake somewhere.
11:09 < BrixSat> want to see my config?
11:09 < theDoc> I'm guessing that it doesn't permit traffic to remote subnets behind it.
11:09 < theDoc> Not really at the moment. It's 1am here and I'm about to go to bed.
11:10 < BrixSat> http://pastebin.com/m243a4d10
11:11 < BrixSat> take a quick look please :)
11:11 < BrixSat> i would thank you a lot!
11:11 < BrixSat> theDoc normal vpn works nice all my traffic goes to the school
11:11 < theDoc> BrixSat> I don't see you permitting traffic to remote subnets.
11:11 < BrixSat> and with openvpn nothing happens
11:11 < theDoc> BrixSat> Do you administer the server?
11:12 < theDoc> Because that looks like a client config file.
11:12 < BrixSat> no
11:12 < BrixSat> i dont have server access
11:13 < balboah> !forum
11:13 < vpnHelper> balboah: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com
11:13 < BrixSat> i need to connect to be able to work on database server, otherwise i cant ping it
11:13 < theDoc> BrixSat> Then you need to talk to the guy that manages the openvpn server.
11:13 < theDoc> You can't do anything with the client config
11:13 < BrixSat> i have the client config-->http://www.dei.isep.ipp.pt/~dei/serv/deiov-cfg.zip
11:14 < theDoc> BrixSat> Once again, you need someone that has server access to make the changes, you can't do anything with the client.conf file.
11:14 < BrixSat> is the client.conf file the one in the server?
11:15 < BrixSat> or anything related to the server?
11:15 < theDoc> no, that's server.conf
11:15 < theDoc> It's located directly on the openvpn server
11:15 < BrixSat> so what file do i need?
11:15 < theDoc> BrixSat> server.conf
11:15 < BrixSat> :/ why?
11:15 < BrixSat> if i may ask
11:16 < theDoc> Because that's where you configure the parameters for the server?
11:16 < BrixSat> i may not be explaining correctly and sorry for being so persistent
11:17 < BrixSat> my friend is connected to open vpn and he is ok, im connected and nothing happens :S
11:17 < theDoc> BrixSat> Connecting clients will get the config from the server and there might be a client directive which doesn't permit you access.
11:18 < BrixSat> :/
11:18 < theDoc> It's 1am, I'm off to bed.
11:18 < theDoc> BrixSat> Good luck with this. Grab the openvpn admin and yell at him
11:18 < theDoc> :P
11:18 < theDoc> That's my advice.
11:18 < BrixSat> so normally if i connect the openvpn all my traffic on the computer would go first to the openvpn server
11:18 -!- Robbie^ [n=Robbie@gimme.frenchcore.us] has left ##openvpn []
11:18 < BrixSat> theDoc thanks :)
11:19 < theDoc> BrixSat> It depends on the directive.
11:19 < theDoc> It could be as simple as still retaining all your routing tables for 0.0.0.0 0.0.0.0 to your WAN ip.
11:19 < BrixSat> :/ so why would my friend have access and i dont :S
11:20 < theDoc> and whilst there's a route for like, 1.1.1.0 255.255.255.0 1.1.1.254 (assuming this is your vpn server's tun0 ip)
11:20 < theDoc> BrixSat> Client directive
11:20 < theDoc> !ccd
11:20 < vpnHelper> theDoc: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
11:22 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:28 < BrixSat> !interface
11:28 < vpnHelper> BrixSat: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn
11:37 -!- maodun [n=stopgo@114.243.116.156] has joined ##openvpn
11:38 < maodun> !route
11:38 < vpnHelper> maodun: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:51 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)]
11:56 < BrixSat> now i can ping my remote servers :S but no access to it
11:57 -!- kosmic^ is now known as kosmic
12:23 -!- BrixSat [n=i_dont_k@bl9-23-227.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)]
12:32 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
12:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:41 -!- yoshx [n=yoshx@78.114.253.27] has quit [Connection timed out]
13:42 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
13:47 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
13:48 < maodun> I'm having routing problems. I've written up what I hope is a very complete description of my problem here: http://pastebin.com/d3eaddb5b Could someone please give me some suggestions?
13:49 < teddymills> anyone get more than 200KB/sec from an openvpn link? openvpn is barely usable when moving files, but okay for web browsing...
13:51 < maodun> !redirect
13:51 < vpnHelper> maodun: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:51 < |Mike|> teddymills: what crypto are you using ?
13:52 < maodun> !def1
13:52 < vpnHelper> maodun: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:53 < krzee> client/a.b.c.d:36725 MULTI: bad source address from client [192.168.1.100], packet dropped
13:53 < krzee> you trying to tunnel the lan behind client?
13:53 < teddymills> whatever the default crypto is...the server is under no load at all when moving files using openvpn..so i doubt it is cpu/crypto
13:53 < krzee> moving files with samba?
13:53 < teddymills> yes
13:54 < krzee> samba is known to be slow when using over a tunnel
13:54 < maodun> krzee: actually, the terminology was a little ambiguous to me - is the client my router or the XP machine?
13:54 < krzee> the proto wasnt made for inet xfers
13:54 < krzee> maodun, you use --server on 1 machine?
13:54 < teddymills> i have tried with ftp over the openvpn...it too is about 200/KB max
13:54 < maodun> krzee I have server in one of my configs, yeah
13:54 < krzee> maodun, your client has the word client in its config
13:55 < krzee> your server has the word server in it ;)
13:55 < teddymills> it is not a bandwidth limitation...when not using openvpn..the bandwidth is 1MB/sec
13:55 < krzee> teddymills, you using tcp?
13:55 < teddymills> udp
13:55 < maodun> krzee, ok, then there is no lan behind my client
13:55 < krzee> checked mtu?
13:55 < teddymills> no...i assume 1493 or 1500...u think tcp fragmentation ?
13:55 < krzee> maodun, well your client is sending traffic over the tunnel interface with the source ip of the ethernet interface
13:56 < krzee> teddymills, dunno but worth checking
13:56 < krzee> !mtu
13:56 < vpnHelper> krzee: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config
13:56 < teddymills> what should i set the mtu? 1400 ?
13:56 < krzee> maodun, is the client a laptop?
13:56 < maodun> krzee, yeah
13:56 < krzee> teddymills, see !mtu above
13:56 < krzee> maodun, so you will be changing lans?
13:56 < krzee> it wont always be on from that lan...?
13:56 < maodun> quite likely
13:56 < krzee> hrm
13:57 < krzee> then you gotta figure out why it uses that source ip always
13:57 < krzee> really it should be using its source ip of the ip on the interface its sending traffic over
13:57 < krzee> ive seen that before but dunno what causes it
13:57 < maodun> that's what i thought too
13:57 < teddymills> i have seen a lot of posts online about slow openvpn, but have not seen any post on why it is slow.
13:58 < maodun> krzee, have you only seen it on windows clients?
13:58 < krzee> negative
13:58 < maodun> ah
13:59 < krzee> teddymills, tuntap drivers process every packet, seems to have to do with them
13:59 < teddymills> we use it for web browsing and tickets mostly...and ssh, so a fast openvpn we do not need..but if we need to move 10MB or more..then openvpn is barely usable..fyi
13:59 < krzee> different OS's get different slowdown
13:59 < krzee> try not using samba
13:59 < teddymills> ok
13:59 < krzee> see if its better with ftp or something
14:00 < krzee> maodun, .5 will never ping
14:00 < maodun> krzee, i'm not sure if you've read through my long description - my virtual lan's gateway is being set as 10.8.0.5 - do you know what that is? Is it the router in front of my server?
14:00 < krzee> see these:
14:00 < krzee> !/30
14:00 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology
14:01 < krzee> !topology
14:01 < vpnHelper> krzee: "topology" is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:01 < krzee> its internal to openvpn
14:01 < krzee> a way to bypass windows bs, they found a better way as shown in !topology
14:01 < krzee> .6 is the clients ip
14:06 < maodun> krzee, ah, I see, but it seems like the /30 thing is not anything that's going to cause me problems. I thought it might be somehow related to my source address issues.
14:07 < krzee> nope
14:07 < krzee> not the problem
14:07 < krzee> its something in the OS
14:07 < krzee> dunno what tho
14:08 < krzee> if you figure that out PLEASE lemme know
14:08 < krzee> meanwhile try things like turning on or off packet forwarding and whatnot
14:08 < maodun> krzee, OK, I will continue digging. Thanks.
14:09 < krzee> np
14:22 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
14:22 -!- magic_1 [n=magic@41.121.115.100] has joined ##openvpn
15:03 -!- krzie__ is now known as krzie
15:03 -!- krzie [n=krzee@unaffiliated/krzee] has left ##openvpn []
15:03 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
15:23 -!- BrixSat [n=i_dont_k@srv3.dei.isep.ipp.pt] has joined ##openvpn
15:23 < BrixSat> Hello :)
15:23 < BrixSat> is it possible to have some programs running under vpn and others running under regular connection?
15:25 < krzie> sure
15:25 < krzie> but not with just openvpn
15:26 < krzie> you would setup a normal vpn to the server, then run a socks proxy server on the vpn ip
15:26 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
15:27 < krzie> then you can run something like proxifier to selectively route over the socks (which is inside the vpn tunnel) based on app/subnet/port or any mix of them
15:27 < krzie> i personally use this solution
15:27 < krzie> if you choose to do that, heres a config for dante sockd server
15:27 < krzie> www.ircpimps.org/sockd.conf
15:27 < krzie> DO NOT RUN THAT ON INET IP!
15:28 < krzie> it is insecure, assumes its being run INSIDE the vpn so openvpn secures it
15:28 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
15:31 < BrixSat> :D
15:32 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
15:33 < BrixSat> that seems too difficult doesn't it?
15:43 < krzie> ok
15:43 < krzie> then no, you cant
15:43 < krzie> you can only do it by routing, so not by app, only by subnet
15:43 < krzie> (unless you decide to do what i said)
15:48 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
16:00 < BrixSat> ill try :)
16:29 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection]
16:36 -!- BrixSat [n=i_dont_k@srv3.dei.isep.ipp.pt] has quit []
17:36 -!- thedonvaughn [n=thedonva@unaffiliated/printk] has joined ##openvpn
17:56 -!- EwanPMcLean [n=ewanmcle@89.240.66.97] has joined ##openvpn
17:57 < EwanPMcLean> hello. can anyone here potentially help me with a VPN setup on an ubuntu server VPS?
17:57 < theDoc> Maybe
17:59 < EwanPMcLean> well, ive gotten to the stage of being able to communicate with my server (10.8.0.1) from my client (10.8.0.2)
18:00 < EwanPMcLean> and i'm now trying to forward all my traffic through 10.8.0.2 to my VPS server which will then forward them out, masquerading the packets
18:00 < EwanPMcLean> but when i set my default gateway in my openvpn client to 10.8.0.2, i cant connect to anything outside of 10.8.0.1
18:01 < EwanPMcLean> does that make sense? any ideas?
18:03 < theDoc> Do you have ipforwarding turned on?
18:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
18:07 -!- EwanPMcLean [n=ewanmcle@89.240.66.97] has quit []
18:07 -!- EwanMcLean [n=ewanmcle@89.240.66.97] has joined ##openvpn
18:07 -!- EwanMcLean is now known as ewanpmclean
18:07 < ewanpmclean> sorry theDoc, VPN kicked in and disconnected me
18:08 < ewanpmclean> ipforwarding, would that be in the openvpn server conf file or iptables?
18:08 < theDoc> ewanpmclean> Hang on. I'll be back in a few.
18:09 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:17 < krzie> ewanpmclean you prolly dont have NAT setup right
18:17 < krzie> !redirect
18:17 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:18 < ewanpmclean> !def1
18:18 < vpnHelper> ewanpmclean: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
18:18 < ewanpmclean> !ipforward
18:18 < vpnHelper> ewanpmclean: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:18 < ewanpmclean> !linipforward
18:18 < vpnHelper> ewanpmclean: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
18:19 < Bushmills> ewanpmclean: setting default to your vpn server without having a route to the public interface of your vpn server will disable the tunnel (as it can't reach the vpn server anymore)
18:19 < krzie> Bushmills but using redirect-gateway will take care of that
18:19 < Bushmills> right
18:19 < ewanpmclean> thanks for the various suggestions. i know i've run that echo > command before
18:19 < krzie> ewanpmclean, dont forget this
18:19 < krzie> !linnat
18:19 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
18:19 < ewanpmclean> and im 90% sure the redirect gateway command is in my server.conf
18:20 < krzie> the only way its useful in your server.conf is if its being pushed to lcients
18:20 < krzie> clients
18:21 < ewanpmclean> okay so let me understand this, i need to do NAT and IP forwarding set up on my server. and the redirect-gateway is just a way of telling clients en masse to set their gateways to myserver.com?
18:21 < Bushmills> no. push redirect-gateway is,
18:21 < krzie> redirect-gateway does a lil more than just that, but basically yes
18:21 < krzie> see it in the manual
18:21 < krzie> !man
18:21 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
18:22 < ewanpmclean> whoop for conflicting advice hehe :P i'll check out the man page for redirect-gateway
18:22 < ewanpmclean> brb
18:22 < krzie> i suggest not using ANYTHING in your configs without reading about the option in the manual
18:22 < krzie> Bushmills was more correct
18:22 < krzie> the command must either be pushed to clients or put in the client configs
18:27 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
18:30 < ewanpmclean> http://pastebin.com/d924c752
18:30 < ewanpmclean> i appreciate you guys trying to help. would you mind glancing over my .conf's in that pastebin while i try to dig out the manpage entry on redirect-gateway?
18:32 < krzie> not hard to dig, you goto the manual and search for --redirect-gateway
18:33 < ewanpmclean> yeh i found it. i'm wondering if i should take out the 'route' line from my client.conf and add redirect-gateway def1
18:34 < ewanpmclean> jve
18:34 < ewanpmclean> *ive added that. brb whilst i try it
18:34 < reiffert> bnk
18:38 < ewanpmclean> weird. my client doesn't seem to want to honour the redirect-gateway def1
18:42 -!- APTX| [n=APTX@213.251.162.70] has quit ["No Ping reply in 210 seconds."]
18:42 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
18:44 -!- master_of_master [i=master_o@p549D7F30.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
18:48 -!- master_of_master [i=master_o@p549D750B.dip.t-dialin.net] has joined ##openvpn
18:58 -!- EwanMcLean [n=ewanmcle@li66-15.members.linode.com] has joined ##openvpn
18:59 -!- EwanMcLean is now known as ewan_p_mclean
18:59 < ewan_p_mclean> krzie: don't know if you got my last message, but i got my vpn working, thanks so much you and others for help
19:04 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn
19:08 -!- ewanpmclean [n=ewanmcle@89.240.66.97] has quit [Read error: 110 (Connection timed out)]
19:23 < krzie> yw
19:24 < krzie> im working, not paying much attention to my irc clients
20:14 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
20:28 -!- kosmic is now known as soothsayer
20:28 -!- soothsayer is now known as kosmic
21:36 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 54 (Connection reset by peer)]
21:36 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
21:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
22:54 -!- Tonee [n=Tonee@p579CBCFB.dip.t-dialin.net] has joined ##openvpn
23:13 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:29 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:48 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:48 -!- ewan_p_mclean [n=ewanmcle@li66-15.members.linode.com] has quit []
--- Day changed Mon Dec 07 2009
00:22 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:23 -!- hyper_ch [n=hyper@adsl-89-217-81-227.adslplus.ch] has quit [Remote closed the connection]
00:55 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
01:05 -!- hyper_ch [n=hyper@155-210.1-85.cust.bluewin.ch] has joined ##openvpn
01:56 -!- hyper_ch [n=hyper@155-210.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
02:01 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:02 -!- Borai [n=DYN@S0106001c109e98db.no.shawcable.net] has joined ##openvpn
02:03 -!- Borai [n=DYN@S0106001c109e98db.no.shawcable.net] has left ##openvpn []
02:04 -!- hyper_ch [n=hyper@155-210.1-85.cust.bluewin.ch] has joined ##openvpn
02:16 -!- hyper__ch [n=hyper@81.62.12.161] has joined ##openvpn
02:16 -!- hyper_ch [n=hyper@155-210.1-85.cust.bluewin.ch] has quit [Nick collision from services.]
02:16 -!- hyper__ch is now known as hyper_ch
02:22 -!- Guest16822 is now known as dazo
03:00 -!- Netsplit over, joins: kala
03:00 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Ziber, dxtr, disco-, _trine, Typone, |Mike|
03:00 -!- Netsplit over, joins: disco-
03:01 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
03:02 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn
03:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:59 -!- kerx [n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn
03:59 < kerx> hi all, i'm having some issues locating the CA.pem file for my configuration to connect to my newly setup openvpn-AS(centos)
03:59 < kerx> any idea where this file should be located ?
04:07 < krzee> we dont do AS here
04:09 < kerx> krzee, what do you guys do here?
04:10 < kerx> !howto
04:10 < vpnHelper> kerx: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:10 < krzee> support the opensource openvpn
04:10 < kerx> im using the community version
04:10 < krzee> you said AS
04:10 < krzee> which is corporate version
04:10 < kerx> I'm sorry, I'm using Community
04:10 < krzee> ok then you generated the CA.crt
04:10 < kerx> The GUI still says "OpenVPN Access Server", that's why I did that ;)
04:11 < krzee> the gui does not say access server
04:11 < krzee> if it does, its not the opensource one
04:11 < krzee> !download
04:11 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html
04:11 < kerx> krzee, on the server i have found in: /usr/local/openvpn_as/etc/web-ssl the files for the server, i can't find them for the client, which in my case is windows
04:12 < krzee> cause you're using openvpn_as
04:12 < kerx> Oh, I downloaded the rpm for Centos on the website, after registering
04:12 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn
04:12 < kerx> I see
04:12 < krzee> you dont need to register for the opensource version
04:12 < networkd> Hello
04:12 < krzee> hello
04:12 < kerx> hi networkd
04:13 < kerx> krzee, so this version doesn't create the client certificate files for you automatically?
04:13 < kerx> but the opensource version does
04:13 < krzee> no idea
04:13 < krzee> no opensource version you create them yourself
04:13 < krzee> as shown in the howto
04:13 < kerx> is it possible to tell it in the config only to use password version?
04:13 < krzee> sure
04:13 < krzee> but thats far less secure
04:13 < krzee> !authnopass
04:13 < vpnHelper> krzee: Error: "authnopass" is not a valid command.
04:13 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
04:13 < krzee> !factoids search pass
04:13 < vpnHelper> krzee: 'winpass', '2.1-winpass-script', 'authpass', and 'password-only'
04:13 < networkd> Is there any web administration panel for creating keys in openvpn and managing configuration ? :)
04:13 < krzee> !password-only
04:13 < vpnHelper> krzee: "password-only" is http://openvpn.net/archive/openvpn-users/2004-10/msg00418.html
04:13 < kerx> !authpass
04:13 < vpnHelper> kerx: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name
04:14 < kerx> ok got it
04:14 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
04:14 < krzee> generating certs is simple
04:14 < krzee> and fully explained in the howto
04:14 < krzee> they even supply scripts to do it
04:15 < kerx> ok, i'm going to follow that instead
04:15 < kerx> is there a direct link?
04:15 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
04:15 < kerx> !howto
04:15 < vpnHelper> kerx: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:15 < krzee> thats it
04:15 < kerx> There we go :) #pki
04:15 < kerx> krzee, thanks for the support.
04:15 < krzee> networkd, nothing worthy really, theres a good app named ssl-admin for managing keys
04:15 < krzee> !ssl-admin
04:16 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
04:16 < kerx> for now i'm going to stick w/ the AS version since the RPM did a lot of stuff to get me up to speed
04:16 < krzee> kerx, yw
04:16 < kerx> But I will for sure, roll my own when I get some time
04:16 < kerx> The only way to truly learn something
04:16 < kerx> Roll-Your-Own :)
04:19 < krzee> networkd, unless you are looking for enterprise solution, then openvpn_as might be what you're looking for, but we dont support it here
04:19 < krzee> we just deal with the opensource app
04:20 < networkd> Oh, looks like that's enough, it should be easy to integrate new keys since it doesnt require a lot of additional configuration
04:20 < kerx> darn
04:20 < kerx> If you are using Linux, BSD, or a unix-like OS, open a shell and cd to the easy-rsa subdirectory of the OpenVPN distribution.
04:20 < kerx> No easy-rsa directory w/ openvpn_as
04:20 < krzee> right, it works differently
04:20 < krzee> which is why we dont support it
04:20 < krzee> its not some grudge, its just not what we do here
04:20 < krzee> they are different
04:21 < krzee> networkd, ssl-admin and openvpn is better really
04:21 < kerx> yea, i understand
04:23 < networkd> Is it necessary to rebuild dh parameters when new client is added ?
04:23 < krzee> no dh is only on the server
04:23 < krzee> !dh
04:23 < vpnHelper> krzee: "dh" is build-dh from easy-rsa and option dh in ssl-admin, creates a file which is a prime number the size of bits you defined (1024 default) which is used in the diffie-hellman algorithm to provide a method to negotiate a secure connection over an insecure channel. just one of the layers of encryption available to you in your VPN
04:23 < networkd> oh, thanks
04:23 < krzee> np
04:25 < kerx> krzee, would you recommend in my case to use ssl-admin or grab easy-rsa from the opensource version?
04:26 < krzee> i never tested easy-rsa's makefile on centos, just use easy-rsa
04:26 < krzee> err
04:26 < krzee> ssl-admin's makefile
04:26 < kerx> k
04:27 -!- ruied [n=ruied@89.180.118.151] has joined ##openvpn
04:28 < kerx> darn, this has become much harder than it should be
04:28 < kerx> i wonder if openvpn_as is designed this way just to be a pain in the arse
04:28 < krzee> i doubt it, its their corp version
04:28 < krzee> but listen to me
04:28 < kerx> w/ all the functionality it provides, how can it not just provide a script to generate client keys
04:28 < kerx> i'm listening :)
04:28 < krzee> YOU CANT DO ANYTHING FROM THE HOWTO WITH OPENVPN_AS
04:29 < krzee> it is DIFFERENT
04:29 < kerx> i understand that. i'm just trying to generate client keys
04:29 < krzee> they will NOT work with openvpn_as
04:29 < kerx> ok
04:29 < kerx> so, exactly... it's obvious that openvpn_as was designed for PROFIT
04:29 < krzee> yes
04:30 < kerx> let's make it soooo easy
04:30 < kerx> up to the point where they need to connect
04:30 < kerx> then be a pain in the butt
04:30 < kerx> he
04:30 < kerx> *heh
04:30 < krzee> openvpn wasnt made to be an easy gui sort of thing
04:30 < kerx> ok, i guess it's time to wipe it off the system
04:30 < krzee> it can do too much to be good for that
04:30 < krzee> its too powerful for the confines of a gui
04:31 < kerx> got it
04:32 < kerx> ok, removed as from the system
04:32 < kerx> now to roll my own
04:33 < kerx> which HOWTO would you recommend when building from source? for openvpn 2.1_rc22
04:34 < kerx> i guess I'll just follow the INSTALL file
04:34 < kerx> looks pretty good
04:34 < kerx> such a pity... the _as provided so much goodies
04:43 -!- Ziber [i=Liber@2001:470:b995:1:0:0:0:a] has joined ##openvpn
04:43 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
04:43 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:46 < reiffert> mattock: do you think that a major release is going to come any soon?
04:50 -!- ruied [n=ruied@89.180.118.151] has quit [Read error: 113 (No route to host)]
04:51 < krzee> is he a dev?
04:52 < reiffert> read his email on -devel
04:54 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
04:55 < krzee> ok 1min
04:55 < krzee> !mail
04:55 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
04:56 < krzee> whats his name?
04:57 < krzee> oh samuli
04:57 < krzee> hey cool
04:57 < krzee> welcome, mattock =]
05:00 < krzee> mattock, might wanna throw ssl-admin to your list of community projects, its ecrist's certificate managing script (perl)
05:00 < krzee> !ssl-admin
05:00 < vpnHelper> krzee: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
05:00 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 60 (Operation timed out)]
05:01 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
05:16 -!- ruied [n=ruied@89.214.208.130] has joined ##openvpn
05:22 < reiffert> mattock: sorry I forgot, welcome!
05:22 < mattock> reiffert: thanks! I'm currently checking out the various OpenVPN projects
05:22 < mattock> there's a ridiculous amount of GUI projects :)
05:23 < mattock> nearly 20 so far
05:23 < krzee> and none are good
05:23 < krzee> [06:30] it can do too much to be good for that
05:23 < krzee> [06:30] its too powerful for the confines of a gui
05:23 < krzee> ;]
05:24 < mattock> some people tend to think that a complex software becomes non-complex when you add a GUI :)
05:24 < mattock> I personally want to get rid of as many GUI's as possible :)
05:24 < krzee> they seem to make things more complex
05:24 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:25 < krzee> which brings up how baffled i am that AS doesnt use normal config files / certs, would make helping people with it possible (or migrating to it)
05:25 < mattock> oh, that's strange
05:25 < reiffert> mattock: I prefer two GUIs: none on linux, tunnelblick on OS X and that GUI that comes with openvpn on Windows.
05:26 < krzee> the win gui is cool if not running as service, in osx i just toss a shell script named with .command in my stacks to start all my vpns
05:26 < mattock> reiffert, you probably mean this: http://openvpn.se/index.html
05:26 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
05:26 < krzee> 2 clicks, no application
05:26 < krzee> !download
05:26 < vpnHelper> krzee: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html
05:26 < reiffert> mattock: thats the old one, it got into openvpn some months ago, but basically yes.
05:27 < krzee> i remember when you had to get it from there
05:27 < krzee> but now its at !download
05:27 < mattock> ok, I'll fix the link
05:27 < reiffert> krzee: running as service?! I just put it in the autostart folder.
05:28 < krzee> you still have to click the dock icon to start the vpn 05:28 < krzee> no good for server 05:28 < havoc> bah 05:28 < reiffert> krzee: when I like to run an openvpn server on windows as a service, I dont make this decision depend on the GUI. 05:29 < krzee> you know my views of windows servers, but sometimes you cant justify putting a nix box at a small business that doesnt have one 05:29 < krzee> ya thats what i meant, the win gui is nice when not using the service, i use no other guis 05:29 < mattock> most / all seem to be one-man projects 05:30 < mattock> and they tend to die pretty quickly 05:30 < krzee> my least favorite based on being here helping is network manager 05:30 < krzee> !ubuntu 05:30 < vpnHelper> krzee: "ubuntu" is dont use network manager! 05:31 < reiffert> mattock: one man projects dying soon? Guess thats because James was helping them so much in the past? 05:32 < krzee> would be nice to see a web gui that didnt bother trying to manage ovpn but instead only dealt with the management interface 05:32 < krzee> connected users, disconnect one, etc... localhost only stuff 05:35 < mattock> reiffert, I see... I have not been involved in OpenVPN (NLS) project for more than a few weeks, so please keep your grudges coming :) 05:37 < krzee> NLS? 05:37 < mattock> James seems to be _very_ busy, I have great difficulty getting feedback him, too. 
05:37 < mattock> NLS = Network layer software, ALS = Application layer software 05:37 < krzee> all 05:37 < krzee> ahh 05:37 < reiffert> enjoy your stay on #openvpn and please try to count every user problem on this channel that belongs to ancient openvpn versions like 2.0.9 05:37 < mattock> reiffert, will do :) 05:38 < krzee> haha theres quite a few 05:38 < krzee> !irclogs 05:38 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 05:38 < krzee> if you like theres logs going quite far back 05:38 < krzee> ;) 05:38 < mattock> vpnHelper: thanks! 05:38 < vpnHelper> mattock: Error: "thanks!" is not a valid command. 05:38 < krzee> !bot 05:38 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 05:38 < mattock> oops 05:39 < krzee> hehe 05:39 < mattock> missed that 05:39 * krzee pets vpnHelper 05:39 < mattock> gosh I'd love to have a wiki to put all this stuff into 05:40 -!- c99 [n=c99@83.136.90.2] has left ##openvpn [] 05:40 < krzee> feel free 05:40 < krzee> !wiki 05:40 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 05:40 < mattock> oh 05:40 < reiffert> :) 05:40 < krzee> ;] 05:51 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 05:51 < ashash> hai! 05:52 < krzee> hey 05:52 -!- Sebb [n=sebastia@einstein.f0o.de] has left ##openvpn [] 05:53 < tjz> konbawa.. 05:53 < krzee> hey reiffert did you see the rip doc on the wiki? 
cool 05:53 < tjz> kan* 05:53 < krzee> nice of someone to add that, i think i remember talking to that guy 05:55 < krzee> couple small errors in it but overall nice doc 05:55 < ashash> quick question, trying to redo the key management of the vpn gw, its 4 vpns and up to now its 4 different root-cas etc.. now i'd like to use one root ca and generate different server certs from that one. can i use orga-unit match to differentiate between the different vpns? 05:55 < krzee> whats orga-unit match? 05:55 < krzee> oh nm i see what you mean 05:55 < krzee> you can try but i dont think so 05:56 < ashash> any other way? 05:56 < krzee> same ca = same PKI 05:56 < ashash> client keys are signed by the server cert? right? 05:57 < krzee> nope 05:57 < krzee> CA signs both 05:57 < ashash> or can one client connect to another server? 05:57 < krzee> when the client connects both sides check eachother using the ca.crt to see the other cert was signed by that ca 05:57 < ashash> so if a client is authorized signed by the same ca he will be able to connect to any other vpn? 05:58 < ashash> .. that was using the same-ca 05:58 < krzee> yup 05:58 < ashash> can i maintain different revocation lists for different openvpn configs? or how would i split them up? 05:59 < krzee> ild run ssl-admin with separate dirs for separate PKIs 05:59 < krzee> it manages the CRL/keys 05:59 < ashash> so different ca? 05:59 < krzee> right 06:00 < ashash> but shouldnt i be able to do it with just one ca and using one of the cert fields to differentiate? 
06:00 < krzee> as i said, not to my knowledge but feel free to test that 06:00 < krzee> if im wrong please let me know 06:00 < ashash> ok :) 06:02 -!- Ziber [i=Liber@2001:470:b995:1:0:0:0:a] has quit ["Dead"] 06:02 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 06:09 < krzee> (this is for helping on the forum) 06:09 < krzee> !winnat 06:09 < vpnHelper> krzee: "winnat" is http://support.microsoft.com/kb/306126 for windows nat (windows calls it internet connection sharing aka ICS) 06:13 < krzee> !winipforward 06:13 < vpnHelper> krzee: "winipforward" is http://support.microsoft.com/kb/315236 to enable ip forwarding on windows 06:17 -!- maodun [n=stopgo@114.243.116.156] has quit ["Leaving."] 06:49 -!- networkd_ [n=networkd@78-62-21-26.static.zebra.lt] has joined ##openvpn 07:06 -!- networkd [n=networkd@78-62-21-26.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 07:13 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:18 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 07:18 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 07:20 < reiffert> mattock: what we could need is a tun/tap driver for iphone. 07:21 < krzee> that would be AWESOME 07:21 < reiffert> I'd probably do it, but someone has to sponsor an iphone for me. 07:22 < theDoc> reiffert> If I do, would you write an iphone app that ties in with openvpn-access server? :p 07:22 < reiffert> theDoc: I dont plan to support in payware. 07:22 < theDoc> ah, ok. 07:26 < krzee> i been asking the community for that for a long time 07:26 < krzee> http://www.doeshosting.com/code/NStun.sh 07:26 < krzee> that was sept 2008 07:27 < krzee> well the last change to the file was then, the comment of: 07:27 < krzee> ## Please someone get tuntap working on the iphone! 07:27 < krzee> came before sept 2008 07:27 < krzee> hehe 07:30 < dazo> reiffert: krzee: seems your iphone request just got posted on the mailing list .... 
07:30 < dazo> but it looks rather hacky :-P 07:30 < krzee> devel? 07:30 < dazo> http://code.gerade.org/tunemu/ 07:30 < reiffert> devel? 07:30 < vpnHelper> Title: tunemu - Tun device emulation for Darwin (at code.gerade.org) 07:30 < reiffert> emu? omg. 07:30 < dazo> yeah 07:31 < krzee> but hey 07:31 < krzee> if it works on iphone it works on iphone 07:31 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 07:31 < krzee> i give a shit how hacked up it is, im happy to finally see progress 07:31 < reiffert> why doesnt iphone os work with tun/tap directly, any ideas on this? 07:31 < dazo> well .... it tweaks the usage of ppp .... and then it uses libpcap to grab the returning packets to feed openvpn 07:31 < reiffert> omg. 07:32 < krzee> reiffert, nope, i asked a friend who is a unix admin at apple and he just shrugged 07:32 < dazo> reiffert: probably no kernel based tun driver .... probably not enabled and nobody figured out how to get that in 07:32 < krzee> tuntap isnt part of osx either 07:32 < krzee> its 3rd party 07:33 < reiffert> krzee: but a kernel module. 07:33 < krzee> yup 07:33 < dazo> but why isn't it possible to build that 3rd party module and use that on iphone? 07:33 < reiffert> shouldnt be that hard to get it ported to iphoneos 07:33 < dazo> it probably is quite hard .... when you see such hack as tunemu :-P 07:34 < krzee> it was a monster pita when i looked at it, but that could be due to a massive lack of codeskill 07:34 < reiffert> however, no iphone, no ideas. 07:34 < krzee> damn now i need to locate my ipod touch 07:34 < krzee> i know its around here somewhere 07:35 < krzee> from looking at my room i think i need to call my maid and put a bounty on it 07:36 < reiffert> dont forget to let her do the job ;) 07:36 < krzee> no shes far from cute 07:38 -!- kerx [n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 07:39 < dazo> now ... this is even more extreme hacking .... 
http://code.gerade.org/hans/ .... IP over ICMP .... 07:39 < vpnHelper> Title: Hans - IP over ICMP (at code.gerade.org) 07:39 < krzee> ip over icmp has been around awhile 07:39 < krzee> see icmptx 07:40 * dazo just knew about IP over DNS ... 07:40 < krzee> more common 07:42 < theDoc> ip over dns i heard was slow 07:42 < krzee> very slow 07:42 < theDoc> due to the size of dns packets. 07:42 < krzee> mtu of like 500 07:42 * dazo wonders how the performance would be to use IP over ICMP combined with OpenVPN and --redirect-gateway .... 07:42 < krzee> would be terrible 07:42 < theDoc> dazo> It's not rapidly deployable and if the firewall drops icmp, no vpn :P 07:42 < krzee> well maybe not with icmp, not sure 07:43 < krzee> theDoc, you understand when IPoDNS makes sense tho right? 07:43 < dazo> theDoc: heh ... yeah, but IP over DNS is too slow .... so if IP over ICMP is working, it most probably have a better performance 07:44 < theDoc> krzee> I can see it having limited usage but frankly, I don't see it becoming wide spread. 07:44 < krzee> heh 07:44 < theDoc> For a few reasons. 07:44 < krzee> many services that charge for inet allow DNS 07:44 < theDoc> It's already hard enough for people to use a _free_ vpn service. 07:44 < krzee> thats the ONLY time it makes sense 07:44 < reiffert> theDoc: why dont you write the openvpn AS part your own, after there is a tun/tap kernel module? 07:44 < theDoc> reiffert> I don't know how to code :P 07:44 < theDoc> All I can do is networking 07:44 < krzee> i tunnel over dns in that situation when i travel 07:45 < theDoc> I don't, I tunnel over SSL. 07:45 < reiffert> theDoc: allright, so when I say I would write the OAS part, but then dont do it ... 
07:45 < krzee> you cant access the ssl 07:45 < krzee> you dont understand 07:45 < krzee> sites that block EVERYTHING but allow dns because of how the web portal redirect works 07:45 < havoc> "captive portal" 07:45 < theDoc> krzee> I just had the experience where people are permitting ssl on "paid" networks. 07:45 < theDoc> lol 07:45 < havoc> but now a lot of places are also blocking/redirecting DNS 07:46 * dazo things paid internet is so .... so .... 90-ish! 07:46 < havoc> unless your MAC is pre-allowed *all* traffic is redirected :( 07:46 < theDoc> krzee> Well, generally if you can't do recursive dns, you wouldn't be able to establish your tunnel, from what I understand 07:46 < theDoc> I could be having that wrong. 07:46 < havoc> a lot of hotels do that now 07:46 < krzee> dazo, many airports and hotels still use it 07:46 * dazo knows :( 07:46 < krzee> theDoc, but they allow recursive, its part of the the captive portals work 07:46 < reiffert> my customer sells internet for 40 USD per day. 07:46 < reiffert> per client 07:47 < krzee> they usually only allow it over THEIR ns, but thats fine 07:47 < havoc> and even the hotels that have "free" internet still redirect all traffic until tou accept their license 07:47 < reiffert> at least they can pay me from that :) 07:47 < krzee> t-mobile is the only place i ran into that blocked me 07:47 < krzee> (they handle starbucks) 07:48 < theDoc> krzee> Can't they just sandbox it by having a vlan which redirects *all* traffic to their portal unless you have authenticated against a radius database before you get moved into another vlan? 07:48 < theDoc> I suspect the above is possible. 07:48 < havoc> theDoc: yes 07:48 < reiffert> concern mother t-online has got the most uncommon NS in germany. 
07:48 < havoc> not only possible, but more and more common :( 07:48 < krzee> yes they can 07:48 < havoc> last few hotels I was in did that 07:48 < krzee> but they still allow dns 07:48 < theDoc> That would put a stop directly to tunneling ipodns 07:48 < krzee> they just block it from passing the goofy stuff 07:49 < havoc> krzee: I had dns blocked too 07:49 < krzee> you'll authenticate but never get traffic 07:49 < krzee> havoc, then they prolly allowed icmp 07:49 < krzee> i have NEVER seen one that blocked both 07:49 < theDoc> krzee> I have. 07:49 < theDoc> :p 07:49 < theDoc> and strangely, it was in a 3rd world country. 07:49 < krzee> werd 07:49 < theDoc> and boy, was I fucking impressed 07:49 < havoc> krzee: I didn't try that, but it was free, you just had to accept their AUP via HTTP first 07:49 < theDoc> :p 07:50 < havoc> the point is that while it is more than possible to block everything, most places don't 07:51 < theDoc> havoc> That's how I stay in business :p 07:51 < havoc> but I end up using my sprintpcs sata card anyway as I end up with better speeds than a whole hotel sharing one DSL line ;) 07:51 < krzee> Redirection by HTTP 07:51 < krzee> If an unauthenticated client requests a website, DNS is queried by the browser and the appropriate IP resolved as usual. The browser then sends an HTTP request to that IP address. This request, however, is intercepted by a firewall and forwarded to a redirect server. This redirect server responds with a regular HTTP response which contains HTTP status code 302 to redirect the client to the Captive Portal. To the client, this process is totally transp 07:51 < krzee> arent. The client assumes that the website actually responded to the initial request and sent the redirect. 07:52 < krzee> its this style that is most common, and that allows dns tunnel 07:52 < havoc> theDoc: setting up captive portals? 
07:52 < reiffert> krzee: I'm redirecting unauthenticated clients to a 2nd nameserver 07:52 < reiffert> krzee: resolving every query to the gateway address. 07:52 < theDoc> havoc> no. i build networks for people 07:52 < havoc> theDoc: ah 07:52 < theDoc> and i run an anonymous vpn service provider. 07:53 < havoc> I've set up some fully locked down captive portals 07:53 < theDoc> have had too many people ask me to work something to bypass tolls/firewalls/what have you 07:53 < theDoc> my answer is generally, if it's blocked. it's for a reason. 07:53 < havoc> no DNS, no ICMP, no nothing, until MAC is allowed 07:53 < theDoc> havoc> Are you using a similar technique above with vlans to control network access? 07:53 < havoc> you'd have to spoof a currently allowed MAC to get access 07:53 < reiffert> krzee: benefit is, that clients make it to the authenticating page. 07:54 < reiffert> auth page 07:54 < theDoc> havoc> How on earth do people even get connected then? 07:54 < havoc> theDoc: was all done on a linux box primarily w/ iptables 07:54 < havoc> theDoc: web browser to one page 07:54 < krzee> mac spoofage is beyond simple too tho 07:54 < havoc> if they open a web browser and hit an non-local address it's redirected to the auth page 07:55 < havoc> krzee: right, but there's nothing that you can do about that, and a currently allowed mac has to be spoofed 07:56 < havoc> in the end you have to balance the cost with convenience; if it's cheap enough people won't bother trying to circumvent 07:56 < havoc> at least that was the theory of those I set the system up for 07:57 < krzee> and if it can be paid cash 07:57 < theDoc> Oh right. 07:57 < krzee> theres been times i was willing to pay but you can ONLY pay with a cc 07:57 < theDoc> If it's cheap enough, no one will bother bypassing it. 07:57 < theDoc> Yeah, I get *very* annoyed when I have to pay with cc. 
07:58 < havoc> ...also you don't worry about the few that do circumvent as the cost of preventing it outweighs any potential profit 07:58 < theDoc> havoc> I mainly work with cisco devices, so I'm not familiar on how one can do it on a linux box 07:58 < theDoc> :p 07:58 < havoc> theDoc: perl and shorewall :) 08:00 < theDoc> Oh, ok. 08:03 < krzee> damn i should go to sleep one day 08:03 < theDoc> Hm. 08:03 < theDoc> screen is acting funny. 08:03 < theDoc> As usual 08:03 < theDoc> :p 08:04 < ecrist> good morning kids. 08:04 < krzee> good evening 08:04 * krzee checks his clock 08:05 < krzee> oh nice, its blunt-o-clock 08:10 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 08:10 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 08:15 -!- Fibre [n=element@202.190.85.201] has joined ##openvpn 08:16 < Fibre> !forum 08:16 < vpnHelper> Fibre: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 08:19 < ecrist> mattock: add to your list ssl-admin 08:19 < ecrist> !ssl-admin 08:19 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 08:20 < ecrist> not purely for OpenVPN, but that's what it was designed for. 08:39 < Fibre> hi guys, was wondering if there's any tools or software that could assist on certificate management etc: revoking client on the go, creating a monthly based time frame for client perhaps. I've done reading the documentation on the official site, but nonetheless it hasn't given much idea on what i'm trying to achieve. Would appreciate any comments or suggestions. 
Thanks 08:41 < krzee> lol 08:41 < krzee> thats irony 08:42 -!- hyper_ch [n=hyper@81.62.12.161] has quit [Remote closed the connection] 08:42 < krzee> look right above your question Fibre 08:42 < krzee> check out ssl-admin ;] 08:43 < dazo> Fibre: ssl-admin is mentioned, tinyCA is another GUI app which can be decent .... anything which does SSL certificates can work with openvpn ... its not needed to be openvpn specific 08:43 < dazo> Fibre: in fact, most of these "front-ends" are just using openssl under the hood 08:45 < krzee> if not all 08:46 < dazo> krzee: some (not mentioned here) might use gnutls, NSS or other SSL implementations to generate the keys and certs 08:46 < dazo> but agreed, most common is to use openssl 08:46 < Fibre> Gosh! i missed that one . i thought it's just another solution for one of our friends in here . wasn't looking at !ssl-admin at all , thinking it would be something else. pardon me for bringing it up 08:48 < krzee> it was directed at someone else, that was the funny part =] 08:49 < Fibre> am gonna bookmark that url for later references. :D 09:01 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 09:07 -!- Leeds [n=richardc@n058152254075.netvigator.com] has joined ##openvpn 09:09 -!- Fibre [n=element@202.190.85.201] has quit [Read error: 110 (Connection timed out)] 09:10 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has joined ##openvpn 09:12 < hobbsc> !howto 09:12 < vpnHelper> hobbsc: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 09:13 < havoc> I should revoke old certs; I've been using client-config-dir to enable/disable 09:13 < havoc> yes, I know that's *bad* 09:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:17 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has joined ##openvpn 09:20 < hobbsc> i'm trying to get openvpn running on freebsd as per http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed and i keep getting the following error: http://dusk.pastebin.com/m3808e46f 09:20 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net) 09:20 < hobbsc> line 11 09:20 < hobbsc> any idea what might cause that? i've been trying to mess with the config to no avail. i fear i'm just making things worse 09:22 < ecrist> yeah, what it says on line 10 09:23 < krzee> thats no biggie 09:24 < krzee> not fatal anyways 09:24 < hobbsc> well 09:24 < krzee> assuming the route is right that already exists 09:24 < krzee> Mon Dec 7 08:59:33 2009 us=661102 failed to find GID for group vpn: Socket is not connected (errno=57) 09:24 < hobbsc> it doesn't start 09:24 < krzee> thats the fatal one 09:24 < krzee> you have --group vpn but no vpn group 09:24 < hobbsc> i assume it says it exists because netstat shows 172.22.0.0./16 (naturally) 09:25 < hobbsc> ok 09:25 < krzee> how do you already have 172.22.0.0/16 tho? 09:25 < krzee> you handing out the same network you already use? 09:25 < hobbsc> because the box sits on that network 09:25 < hobbsc> yes 09:25 < ecrist> durr 09:25 < ecrist> !durr 09:25 < vpnHelper> ecrist: Error: "durr" is not a valid command. 
09:25 < hobbsc> ha 09:25 < krzee> you're doing it wrong 09:26 < hobbsc> it's just a test box, this isn't production 09:26 < krzee> use a subnet that doesnt conflict with anything 09:26 < hobbsc> so i didn't whip up another subnet 09:26 < hobbsc> ok 09:26 < krzee> either way it wont work that way 09:26 < hobbsc> roger that 09:26 < hobbsc> figured i was in idiot mode or something 09:26 < hobbsc> thanks 09:27 < theDoc> Jesus christ. 09:27 < theDoc> I fucking hate doing power point presentations 09:29 -!- Irssi: ##openvpn: Total of 91 nicks [0 ops, 0 halfops, 0 voices, 91 normal] 09:30 < krzee> hobbsc, np 09:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 09:33 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:49 -!- hyper_ch [n=hyper@adsl-89-217-81-227.adslplus.ch] has joined ##openvpn 09:56 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 10:07 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)] 10:09 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 10:19 -!- hyper__ch [n=hyper@84.226.239.125] has joined ##openvpn 10:19 -!- hyper_ch [n=hyper@adsl-89-217-81-227.adslplus.ch] has quit [Nick collision from services.] 10:23 < reiffert> http://www.lqx.net/tuntap-iphone.source.tgz 10:30 < krzee> !learn iphone as http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone 10:30 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 10:32 < krzee> !learn iphone as http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone 10:32 < vpnHelper> krzee: Joo got it. 
10:42 < Rienzilla> , 10:43 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 10:45 -!- Leeds [n=richardc@n058152254075.netvigator.com] has left ##openvpn ["Leaving"] 10:47 -!- dazo is now known as dazo_afk 10:49 -!- hyper__ch is now known as hyper_ch 10:50 -!- ruied [n=ruied@89.214.208.130] has quit [Success] 10:51 -!- ikla [n=lbz@fw1.aspsys.com] has joined ##openvpn 10:51 < ikla> whats the best timeout setting or keep alive settings for server/client ? 11:05 -!- networkd_ [n=networkd@78-62-21-26.static.zebra.lt] has quit [Client Quit] 11:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [SendQ exceeded] 11:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 11:10 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:18 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 11:38 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:42 < sunrider> Mon Dec 7 02:32:02 2009 us=402899 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA 11:43 < sunrider> the above means that the tls channel had its aes256 key encrypted with the 1024 bit cipher 11:43 < sunrider> or that the machine authenticated using the 1024 bit key 11:43 < sunrider> i mean, key. not cipher. 
11:45 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 11:48 < robotti^> direct3d does not work on snow leopard host and 64-bit linux hosts 11:48 < robotti^> sorry 11:48 < robotti^> wrong channel 11:48 < robotti^> too much lag ;> 11:49 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 12:09 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 12:16 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn 12:17 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 12:24 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 12:42 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 12:50 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn 12:55 < havoc> and now to setup yet another ovpn server 12:55 < havoc> as long as http://openvpn.net/index.php/open-source/documentation/howto.html is current I'm ok 12:55 < vpnHelper> Title: HOWTO (at openvpn.net) 12:56 -!- correcaminos_ [n=laguilar@201.199.12.190] has joined ##openvpn 13:09 < julius> do the certificates used in openvpn pki mode have to be separated into client/server roles? 13:11 * julius would like to have some hierarchical vpn layout and doesn't like the idea of having to provide two separate certificates for each node that acts as both server and client 13:12 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)] 13:14 < havoc> to install PKCS#11? 
13:15 < havoc> I'm guessing not since I don't use fobs 13:16 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Remote closed the connection] 13:21 < havoc> 2048 keysize, nice 13:22 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 13:25 -!- teddymills [n=teddy@208.92.235.227] has quit [Remote closed the connection] 13:25 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 13:26 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 13:26 -!- correcaminos__ [n=laguilar@201.199.12.190] has joined ##openvpn 13:40 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 13:44 -!- correcaminos_ [n=laguilar@201.199.12.190] has quit [Connection timed out] 13:45 -!- hyper_ch [n=hyper@84.226.239.125] has joined ##openvpn 13:48 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 145 (Connection timed out)] 13:51 -!- correcaminos_ [n=laguilar@201.199.12.190] has joined ##openvpn 13:58 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn 14:07 -!- correcaminos__ [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)] 14:08 -!- correcaminos__ [n=laguilar@201.199.12.190] has joined ##openvpn 14:16 -!- correcaminos_ [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)] 14:21 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 110 (Connection timed out)] 14:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out] 14:25 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 14:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:43 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: tinLoaf, rgouveia, sno, noooon, Rienzilla, havoc, LowKey, Gumbler, _trine, freaky[t], (+5 more, use /NETSPLIT to show all of them) 14:44 -!- Netsplit over, joins: _trine, rgouveia, Typone, havoc, tinLoaf, ^scott^, noooon, mrnice1, lkthomas, Gumbler (+5 more) 14:55 
-!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn 14:56 < PiousMinion> !hotwo 14:56 < vpnHelper> PiousMinion: Error: "hotwo" is not a valid command. 14:56 < PiousMinion> !howto 14:56 < vpnHelper> PiousMinion: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 14:56 -!- correcaminos__ [n=laguilar@201.199.12.190] has quit ["Leaving"] 14:56 -!- correcaminos [n=laguilar@201.199.12.190] has joined ##openvpn 15:09 < PiousMinion> If I want vpn clients to browse the web through the vpn connection do I need bridging, routing, or either? 15:10 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 15:17 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 15:19 < Bushmills> no, not needed 15:19 < Bushmills> (no bridging needed) 15:19 < PiousMinion> thanks 15:20 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has quit ["Leaving."] 15:24 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn 15:38 < krzie> PiousMinion 15:38 < krzie> you want tun 15:38 < krzie> !redirect 15:38 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
15:42 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 15:52 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 15:52 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:04 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 16:08 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- APTX|_ [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 16:09 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 16:09 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has joined ##openvpn 16:20 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 60 (Operation timed out)] 16:30 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 145 (Connection timed out)] 17:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:06 < havoc> bah 17:09 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 17:09 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 17:15 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection] 17:31 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 17:31 -!- barbosa [n=barbosa@189.114.47.209] has quit [Read error: 110 (Connection timed out)] 17:31 -!- barbosa [n=barbosa@189.27.113.188.dynamic.adsl.gvt.net.br] has joined ##openvpn 17:35 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 17:50 -!- jean001 [n=chatzill@APoitiers-552-1-19-161.w92-134.abo.wanadoo.fr] has joined ##openvpn 17:51 -!- jean001 [n=chatzill@APoitiers-552-1-19-161.w92-134.abo.wanadoo.fr] has quit [Client Quit] 17:54 -!- correcaminos [n=laguilar@201.199.12.190] has quit [Read error: 113 (No route to host)] 18:04 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 18:07 -!- kerx 
[n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 18:19 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Read error: 104 (Connection reset by peer)] 18:41 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 18:44 -!- master_of_master [i=master_o@p549D750B.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 18:48 -!- master_of_master [i=master_o@p549D76F2.dip.t-dialin.net] has joined ##openvpn 18:49 -!- Fibre [n=element@211.24.237.3] has joined ##openvpn 18:49 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 18:50 -!- jean001 [n=chatzill@APoitiers-552-1-19-161.w92-134.abo.wanadoo.fr] has joined ##openvpn 18:50 -!- jean001 [n=chatzill@APoitiers-552-1-19-161.w92-134.abo.wanadoo.fr] has left ##openvpn [] 18:53 -!- ikla [n=lbz@fw1.aspsys.com] has quit ["Leaving"] 18:54 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn 18:56 < ecrist> good evening 18:56 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 18:59 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 19:02 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Remote closed the connection] 19:05 -!- connectionVPN [n=hello_wo@cust-146-10.on4.ontelecoms.gr] has quit ["Leaving"] 19:14 -!- Tonee_ [n=Tonee@p579CBC8A.dip.t-dialin.net] has joined ##openvpn 19:27 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 19:28 -!- Tonee [n=Tonee@p579CBCFB.dip.t-dialin.net] has quit [Read error: 101 (Network is unreachable)] 19:28 -!- Tonee_ is now known as Tonee 19:32 < krzie> sweet thanx dude 19:45 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:50 < kerx> hey krzie thanks for the help last night. you got me up and going! 19:51 < kerx> krzie, got a quick question. 
If I have openVPN running on a network that I'm pushing a route for 192.168.1.0/24 and my client is also connected to a network 192.168.1.0/24 19:51 < kerx> How can I get this routing working? Is there some sort of IP-to-IP mapping I can do for the other end? 19:55 < reiffert> !factoids search --values client-to-client 19:55 < reiffert> !factoids search --values client 19:55 < PiousMinion> I don't even have openvpn going yet, but I know the answer to that is in the website FAQ. :P 19:55 < reiffert> kerx: manpage, --client-to-client, look that up 19:56 < reiffert> PiousMinion: get openvpn running: see official howto, webpage. 19:56 < kerx> reiffert, thanks i'll check it out 19:56 < reiffert> kerx: oh, sorry, I got you wrong. 19:56 < kerx> reiffert, nothing really pulling up, any suggestions on documentation ? 19:57 < kerx> :) 19:57 < reiffert> kerx: client is on 1.1.1.0/24 and server is as well? 19:58 < kerx> im connecting to external ip of server, but server also has 192.168.1.0/24 on another NIC. I'm doing a push route of 192.168.1.0/24 to the client, but client is also connected locally to 192.168.1.0/24 19:58 < kerx> hope I made sense 19:58 < reiffert> kerx: no solution for this. change the clients local network 19:58 < kerx> no way to do IP Translation? 19:58 < reiffert> no. 19:59 < kerx> i see, Cisco has this feature, that's why I thought maybe OpenVPN has 19:59 < PiousMinion> reiffert: reading (and understanding) that is a work in progress. I prefer to read and learn than to flat out ask for a config file. :P 19:59 < PiousMinion> not suggesting anyone has 19:59 < reiffert> PiousMinion: howto contains an example config file. 19:59 < reiffert> plural. one for server, one for client. 20:00 < krzie> krzie, got a quick question. 
If I have openVPN running on a network 20:00 < krzie> that I'm pushing a route for 192.168.1.0/24 and my client is also 20:00 < krzie> connected to a network 192.168.1.0/24 20:00 < krzie> change the subnet you are pushing 20:00 < reiffert> which means change the whole server subnet. 20:00 < kerx> krzie, you mean push everything besides the gateway ip ? 20:00 < kerx> not a bad idea! 20:00 < kerx> can i do this: 20:00 < krzie> no 20:01 < kerx> ? 20:01 < krzie> i mean change the subnet the network uses 20:01 < krzie> do not use that subnet for your lan 20:01 < krzie> use something uncommon 20:01 < kerx> that would mean i have to change everything on the server-side of the network 20:01 < kerx> all IP phones are using 192.168.1.0/24 and other clients 20:01 < kerx> more than 150 ip phones 20:01 < kerx> it would become a big mess 20:01 < kerx> i can't believe there is no IP Translation in this openvpn 20:01 < reiffert> welcome to network slavery. 20:02 < kerx> heh 20:02 < krzie> not dhcp? 20:02 < kerx> what if i pushed a partial route to the client of 192.168.1.0 ? so that it doesn't interfere with it's gateway (192.168.1.1) ? 20:03 < krzie> kerx: nope 20:03 < kerx> that wouldn't work at all? 20:03 < krzie> arent those devices dhcp? 20:03 < krzie> or you have 150 nodes of static ips 20:03 < kerx> yea, dhcp 20:03 < krzie> then whats the big deal 20:03 < kerx> but my dhcp range is defined 20:03 < krzie> redefine it :-p 20:04 < kerx> the big deal is that all those phone's are pointing to 192.168.1.0/24 20:04 < kerx> there is 7 printer's pointed over 20:04 < krzie> !samesubnet 20:04 < reiffert> no vpnh. 20:04 < kerx> !samesubnet 20:04 < krzie> oh weakl 20:04 < kerx> nothing? 20:04 < krzie> that server is down 20:04 < kerx> !subnet 20:04 < kerx> ok 20:04 < kerx> i guess i have work ahead of me 20:04 < kerx> what a pitty 20:04 < krzie> extreme storms and an underwater generator 20:05 < kerx> where can i make feature requests ? 
20:05 < kerx> :) 20:05 < krzie> your feature request would be denied 20:05 < reiffert> attach a patch. 20:05 < kerx> why? 20:05 < krzie> cause openvpn doesnt and shouldnt do NAT 20:05 < kerx> OH 20:05 < kerx> what if i make iptables rules? 20:05 < krzie> but you can NAT it yourself if you're good enough to understand whats going on 20:05 < krzie> which !samesubnet would have explained 20:05 < kerx> YEES! 20:05 < kerx> give it to me babey 20:05 < kerx> heh 20:06 < kerx> where is that damn bot? 20:06 < krzie> hah 20:06 < krzie> to you its just a bot down 20:06 < krzie> to me 2 servers of mine are down 20:06 < krzie> and yet worse, to my buddy his whole DC is down 20:06 < krzie> and yet worse, to the city of san diego half their power grid is down 20:07 < kerx> i can essentialy mangle the packet's 20:07 < kerx> that come out of tun0 20:56 -!- aviewanew [n=a@190.246.71.170] has joined ##openvpn 20:57 < aviewanew> okay, I've been debugging for a while, let me try a few of these things and see if they give me some more debugging ideas... 20:57 < aviewanew> !route 20:58 < krzie> the bot is down 20:58 < aviewanew> oh 20:58 < aviewanew> okay, let me whips up a pastebin of what I've tried so far then 20:58 < krzie> ill get ya my routing link 20:58 < krzie> http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 21:16 < aviewanew> i still can't figure it out 21:17 < aviewanew> http://openvpn.pastebin.com/d2fb64b52 is the paste, the simple summary is: 21:17 < aviewanew> i can't get the client to send/receive traffic from the internet after he's connected to the vpn. gotta be something with routes, but I don't know what. 
21:22 < aviewanew> oh, and ip rouwarding is enabled in /proc/sys/net/ipv4/ip_forward 21:50 < Bushmills> aviewanew: http://scarydevilmonastery.net/masq 21:50 < Bushmills> (assuming you intend to route internet traffic through vpn server) 21:51 < Bushmills> (and assuming vpn server runs linux) 21:52 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn 21:52 < aviewanew> I hadn't done any masqing (cause it wasn't in the shorewall openvpn guide), I will try that 21:54 < Bushmills> assuming you use rfc1918 addresses for your vpn net, how else could packets possibly returned to client, if not masqueraded? 21:56 -!- tomjr [n=a@190.246.71.170] has joined ##openvpn 21:56 < tomjr> that totally worked 21:56 < tomjr> it also seems that freenode blocks linode ip's from joining 21:57 < tomjr> blah 21:57 -!- aviewanew [n=a@190.246.71.170] has quit [Read error: 104 (Connection reset by peer)] 21:57 -!- tomjr is now known as aviewanew 21:58 < aviewanew> thank you Bushmills 21:58 < Bushmills> a satisfied customer? 21:59 < aviewanew> I shall credit you in my blog post 21:59 < Bushmills> as long as you don't put my email address there 22:15 -!- aviewanew [n=a@190.246.71.170] has quit ["thanks again"] 23:04 -!- MorkBork [n=mark@unaffiliated/morkbork] has quit [Read error: 104 (Connection reset by peer)] 23:24 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 23:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 23:33 -!- g-- [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has joined ##openvpn 23:33 < g--> hi, anyone awake to help on a vmware / openvpn route problem please ? 
23:36 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has joined ##openvpn --- Day changed Tue Dec 08 2009 00:19 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Read error: 104 (Connection reset by peer)] 00:19 -!- ashash [n=ash@p5DE96D23.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 00:19 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has joined ##openvpn 00:27 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 01:00 -!- Fibre [n=element@211.24.237.3] has quit ["Leaving"] 01:00 -!- g-- [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has quit [] 01:08 -!- hyper_ch [n=hyper@151-128.3-85.cust.bluewin.ch] has joined ##openvpn 01:20 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 02:03 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 02:13 -!- dazo_afk is now known as dazo 02:28 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:35 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 03:50 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 03:54 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has quit [Read error: 104 (Connection reset by peer)] 03:57 -!- pa [n=pa@unaffiliated/pa] has quit ["Sto andando via"] 03:57 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has joined ##openvpn 03:57 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 04:07 -!- havoc [n=havoc@saturn.chaillet.net] has quit [Remote closed the connection] 04:08 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn 04:21 -!- Fibre [n=fibre@210.48.148.132] has joined ##openvpn 04:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [] 05:03 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn 05:17 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Tonee, vlt, julius, mattock, Rolybrau, PiousMinion, xenophile7x7, hyper_ch, endre, kala, (+7 more, use 
/NETSPLIT to show all of them) 05:19 -!- Netsplit over, joins: Rolybrau, Tonee, ivenkys, polaru, mattock, hyper_ch, APTX|, PiousMinion, teddymills, kala (+7 more) 05:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:26 -!- Intensity [i=[AQytNdW@unaffiliated/intensity] has quit [Remote closed the connection] 05:28 < reiffert> mattock: dont miss ssl-admin 05:29 < reiffert> mattock: 15:19 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports 05:35 -!- Adlai [n=Adlai@unaffiliated/adlai] has joined ##openvpn 05:39 < Adlai> !howto 05:40 < Adlai> Where can I read up about setting up my own VPN? 05:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 05:41 < hyper_ch> !howto 05:41 < hyper_ch> :( 05:41 < dazo> vpnHelper has left us :( 05:42 < dazo> krzie: ^^ 05:42 < havoc> netsplits 05:42 < dazo> yup 05:42 < Adlai> also, is it possible to connect to a VPN running on some Windows servers from a Linux box? 05:43 < Adlai> I'm the only Linux user at my company 05:43 < Rienzilla> yes 05:43 < havoc> sure it is 05:43 < Rienzilla> at least 05:43 < Rienzilla> that depends on the type of vpn running on the windows machines 05:43 < Adlai> ok, I'll look into that too. I just got a bunch of instructions how to connect through WinXP, but I'd like to be able to connect straight from my Linux computer. 05:44 < Rienzilla> usually, that is not done with openvpn, but with pptp 05:44 < havoc> os some 3rd party ipsec 05:44 < havoc> like cisco 05:44 < havoc> s/os/or/ 05:45 < Rienzilla> ipsec sucks :) 05:45 < havoc> yup 05:45 < dazo> Adlai: yes, it is possible ... pptp, openvpn and ipsec are supported afaik on Linux 05:46 < dazo> Rienzilla: ipsec might not be pleasant to configure, esp. if you need to do it manually .... 
but to say it sucks, is a bit too strong, TBH 05:46 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn 05:46 < Rienzilla> maybe right 05:47 < Rienzilla> it's just a pain in the ass to set up :) 05:47 < Rienzilla> especially if ip addresses change 05:49 -!- pergaminho [n=pergamin@187.7.137.142] has left ##openvpn ["Leaving"] 05:50 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn 05:50 -!- kerx [n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 05:56 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Tonee, vlt, julius, mattock, Rolybrau, PiousMinion, xenophile7x7, hyper_ch, endre, kala, (+7 more, use /NETSPLIT to show all of them) 06:00 -!- Netsplit over, joins: Rolybrau, robotti^, kala, aland, robert_, xenophile7x7, mattock, ivenkys, PiousMinion, hyper_ch 06:00 -!- Netsplit over, joins: polaru, APTX|, vlt, julius, endre, teddymills, Tonee 06:05 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Tonee, vlt, julius, mattock, Rolybrau, PiousMinion, xenophile7x7, hyper_ch, endre, kala, (+7 more, use /NETSPLIT to show all of them) 06:06 -!- Netsplit over, joins: Rolybrau, teddymills, polaru, Tonee, endre, julius, vlt, APTX|, robotti^, kala (+7 more) 06:12 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Tonee, vlt, julius, mattock, Rolybrau, PiousMinion, xenophile7x7, hyper_ch, endre, kala, (+7 more, use /NETSPLIT to show all of them) 06:12 -!- Netsplit over, joins: Rolybrau, teddymills, polaru, Tonee, endre, julius, vlt, APTX|, robotti^, kala (+7 more) 06:13 < havoc> ouch 06:14 < Rienzilla> boom :) 06:15 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Tonee, vlt, julius, mattock, Rolybrau, PiousMinion, xenophile7x7, hyper_ch, endre, kala, (+7 more, use /NETSPLIT to show all of them) 06:16 -!- Netsplit over, joins: ivenkys, mattock, Rolybrau, xenophile7x7, robert_, aland 06:19 -!- hyper_ch [n=hyper@151-128.3-85.cust.bluewin.ch] has 
joined ##openvpn 06:19 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn 06:20 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has joined ##openvpn 06:20 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn 06:20 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Lyndon, eliasp, teratoma, balboah, bvierra, krphop, redfox, oc80, drue, dmarkey_ 06:21 -!- Netsplit over, joins: drue, balboah, bvierra, dmarkey_, redfox, oc80, Lyndon, teratoma, eliasp, krphop 06:21 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 06:21 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 06:22 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 06:22 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 06:22 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 06:22 -!- julius [n=julius@217.20.127.15] has joined ##openvpn 06:22 -!- endre [i=me2@urbnet.hu] has joined ##openvpn 06:32 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: CaBa, crazygir, jhp, chantra, kexman, HardDisk_WP, sdh, Bushmills 06:33 -!- Netsplit over, joins: jhp, kexman, HardDisk_WP, sdh, CaBa, crazygir, Bushmills, chantra 06:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:37 -!- Adlai [n=Adlai@unaffiliated/adlai] has quit [Remote closed the connection] 06:58 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has quit ["So Long, and Thanks for All the Fish"] 07:01 < ecrist> holy net splits, bat man 07:01 -!- Irssi: ##openvpn: Total of 84 nicks [0 ops, 0 halfops, 0 voices, 84 normal] 07:05 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:12 -!- Fibre [n=fibre@210.48.148.132] has left ##openvpn ["Leaving"] 07:25 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 07:31 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has joined ##openvpn 07:35 -!- hyper__ch [n=hyper@151-128.3-85.cust.bluewin.ch] has joined ##openvpn 07:35 -!- hyper_ch [n=hyper@151-128.3-85.cust.bluewin.ch] 
has quit [Nick collision from services.] 07:35 -!- hyper__ch is now known as hyper_ch 08:01 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"] 08:45 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn 09:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:09 -!- Tonee [n=Tonee@p579CBC8A.dip.t-dialin.net] has quit [] 09:16 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:48 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has joined ##openvpn 09:54 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn 10:00 -!- yoshx [n=yoshx@78.114.253.27] has quit [Connection timed out] 10:01 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn 10:10 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"] 10:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 10:22 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 10:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:32 -!- hyper_ch [n=hyper@151-128.3-85.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)] 10:55 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: cpm, coil 10:57 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn 10:58 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 10:59 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 10:59 -!- Netsplit over, joins: coil 11:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:02 -!- LobbyZ` [n=default@main.lobbyzffs.com] has joined ##openvpn 11:05 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, havoc, pa, corretico, pekster, yoshx, LobbyZ, le0 11:05 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: cpm 11:05 -!- LobbyZ` is now known as LobbyZ 11:05 -!- Netsplit over, joins: havoc 11:05 -!- master_of_master [i=master_o@84.157.118.242] has joined ##openvpn 11:05 -!- Netsplit over, 
joins: yoshx, MadTBone, pa, le0, corretico, pekster 11:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:13 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: cpm 11:14 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, havoc, pa, corretico, pekster, yoshx, le0 11:15 -!- Netsplit over, joins: havoc, master_of_master, yoshx, MadTBone, pa, le0, pekster 11:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:22 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: cpm 11:27 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has quit [Read error: 145 (Connection timed out)] 11:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 11:30 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:35 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: master_of_master, MadTBone, havoc, pa, pekster, yoshx, le0 11:36 -!- Netsplit over, joins: havoc, master_of_master, MadTBone, pa, le0, pekster 11:37 -!- havoc [n=havoc@saturn.chaillet.net] has quit [Success] 11:37 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn 11:37 -!- Netsplit over, joins: yoshx 11:46 -!- hyper_ch [n=hyper@84.226.239.125] has joined ##openvpn 11:47 -!- julius [n=julius@217.20.127.15] has quit ["Hackers of the world, unite!"] 11:48 -!- julius [n=julius@217.20.127.15] has joined ##openvpn 11:51 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 11:53 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: robert_, corretico_, Rolybrau, xenophile7x7, aland, ivenkys, KaiForce 11:54 -!- Netsplit over, joins: ivenkys 11:54 -!- Netsplit over, joins: robert_ 11:57 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Client Quit] 12:16 -!- znull [i=z@www.files2u.com] has joined ##openvpn 12:16 < znull> hello i got windows 7 + openvpn gui (lasted ) and I'm getting All TAP-Win32 adapters 
on this system are currently in use. Exiting 12:21 -!- dazo is now known as dazo_afk 12:22 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection] 12:28 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 12:28 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:28 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn 12:28 -!- aland [n=aland@apple.rat.burntout.org] has joined ##openvpn 12:34 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 12:52 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:55 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has joined ##openvpn 12:55 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"] 12:56 -!- HardDisk_WP [n=Marco@wikipedia/harddisk] has quit [Excess Flood] 12:57 -!- tinLoaf [n=tinloaf@62.75.242.108] has quit [Remote closed the connection] 13:09 -!- tinLoaf [n=tinloaf@tinloaf.de] has joined ##openvpn 13:13 < |Mike|> Hello. 13:14 < |Mike|> znull: no idea, can you remove the other devices? 13:23 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 13:33 < havoc> bah, ok, this is a stupid question: Is it possible to have certs never expire? 13:33 < ecrist> don't think so 13:34 < havoc> ok, so just really big number 13:34 < ecrist> yep 13:35 < havoc> ok, next [silly] question: In easy-rsa/vars: the KEY_COUNTRY, KEY_PROVINCE, etc.., is it possible to set vars for the rest of the defaults? 
13:35 < havoc> there's like 2 other asked for values that could be in vars 13:35 < havoc> I've been googling for some documentation but have yet to find any :( 13:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 13:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:43 < havoc> eh, it's like one more param, Org Unit, doesn't matter 13:43 < havoc> it seems to be in the phitool script and I'm not gonna bother tracking it down 13:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 13:47 -!- kerx [n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has joined ##openvpn 13:47 < kerx> !samesubnet 13:47 < kerx> !subnetsame 13:47 < kerx> !help 13:47 < kerx> !route 13:47 < kerx> darn 13:47 < krzie> 1sec 13:47 < krzie> im bringing it back 13:48 < kerx> hey krzie, good day 13:48 < kerx> thank you. i've been anxiously waiting to see documentation about same subnet's 13:48 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 13:48 < krzie> !samesubnet 13:48 < vpnHelper> krzie: "samesubnet" is (#1) when a machine on a lan much be accessed over openvpn but sits on the same lan subnet as the other machines that needs to access it, and you dont have access to change the lan subnet: add a second IP address to the machines on the lan that need to be accessed using a rare subnet. Then give the machine running openvpn an ip on the same subnet and use that as the default 13:48 < vpnHelper> krzie: gateway for the machines you added IPs to., or (#2) make sure to turn on ip forwarding on the machine running openvpn. 
13:48 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Remote closed the connection] 13:49 < kerx> oh :-( 13:49 < krzie> there ya goes 13:50 < kerx> i was hoping that !samesubnet would lead me to documentation about doing iptables rules to fix that situation 13:50 < krzie> basically make a second lan inside the lan of machine you need to access, then use that lan 13:50 < kerx> that's considerably a great deal of work, when you have tons of machines that you want to access 13:50 < kerx> !iptransalation 13:50 < vpnHelper> kerx: Error: "iptransalation" is not a valid command. 13:50 < kerx> !iptables 13:50 < vpnHelper> kerx: "iptables" is (#1) to test if iptables is your problem, disable all rules except $IPTABLES -P INPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT, or (#2) then run iptables -F, iptables -Z after being SURE policies are set to accept, or (#3) please see http://openvpn.net/man#lbBD for more info, or (#4) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall 13:51 < kerx> krzie, is secure-computing.net you? 13:51 < kerx> i guess i'm going to have to experiment w/ that on my own, and see if i can get it to work 13:51 < krzie> nah ecrist owns that 13:52 < kerx> i'm 100% sure that the cisco access devices can do ip transalation 13:52 < krzie> there does exist a NAT workaround 13:52 < krzie> its 100% the wrong way 13:52 < kerx> krzie, you know where i can find more documentation on that? 13:52 < krzie> changing 1 of the subnets is the right way 13:52 < kerx> why would you consider it the wrong way? 13:52 < krzie> nope 13:52 < kerx> when you say changing 1 of the subnets, what do you mean by that? 13:52 < krzie> cause its a totally ugly hack that makes shit impossible to troubleshoot 13:52 < krzie> i mean you have the sam,e sunet on both sides, which is what you're trying to work around 13:52 < kerx> changing an entire network range on one side ? 
13:53 < krzie> instead of working around it, fix it 13:53 < krzie> yes 13:53 < krzie> i know you said its too much work 13:53 < krzie> but sitting here hoping for a magic answer has already taken you more time 13:53 -!- hyper_ch [n=hyper@84.226.239.125] has joined ##openvpn 13:53 < krzie> you would be done by now 13:54 < kerx> i guess 13:54 < kerx> i guess i'm going to have to change the server-side, since there is no telling where a user would be connecting from, and what subnet they would be coming from 13:55 < kerx> i do like 192.168.0.0/24 range 13:55 < kerx> but shiat, sometimes user's connect from that range as well 13:55 < kerx> then 192.168.99.0/24 might work 13:55 < kerx> krzie, what do you think, which is the magic number? 13:56 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 13:58 < havoc> krzie: there's some docs somewhere specifically related to security settings that should be in server/client configs, right? 13:58 < krzie> !security 13:58 < vpnHelper> krzie: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview 13:58 < krzie> then 192.168.99.0/24 might work 13:58 < krzie> krzie, what do you think, which is the magic number? 13:58 < krzie> thats fine 13:58 < krzie> basically, anything you will never see in the real world 13:59 < krzie> 192.168.0.x is VERY COMMON 13:59 < havoc> krzie: thanks, I've been reading those, I thought there might be more though 13:59 < krzie> same with 192.168.1.x 13:59 < krzie> but 99.x is better 13:59 < krzie> i use stuff in the 10.x range 14:00 < havoc> I use 10.x.x.x and 172.x.x.x 14:00 < kerx> k. krzie thanks again for your help. 
14:00 < krzie> yw 14:00 < kerx> ooh 172.x.x.x i forgot about that 14:00 < kerx> might go into that range as well 14:01 < krzie> i use like 10.69.0.x for lan and 10.8.VPN#.x 14:01 < krzie> as in 1.x 2.x 3.x etc 14:01 < havoc> I actually used a rand gen to pick the subnets too 14:01 < krzie> the my dns tunnels use 10.7.tunnel#.x 14:01 < havoc> ...and rejected any that I thought were too common 14:01 < krzie> stuff like that 14:05 < havoc> krzie: do you use tls-verify? 14:07 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 148 (No route to host)] 14:08 < krzie> heres what i use 14:08 < krzie> !sample 14:08 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 14:08 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 14:09 < havoc> do I need --local if I use ifconfig on the server? 14:10 < havoc> ok, and no tls-verify 14:12 < havoc> ok, tls-auth negates tls-[server|client], correct? 14:12 < havoc> ...negates the need for 14:14 < krzie> see manual =] 14:14 < krzie> !man 14:14 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
14:15 < havoc> I *am* reading it (the openvpn(1) man page) 14:15 < krzie> werd 14:15 < krzie> ild tell ya if i knew offhand 14:15 < krzie> but to answer ild just read the man 14:16 < havoc> it would make sense that it does as you specify whether it's on the server or client [0|1] 14:19 < krzie> important sometimes forgotten parts of security from my configs are: 14:19 < krzie> ns-cert-type server 14:19 < krzie> tls-auth /home/krzee/vpn/keys/ta.key # 14:20 < krzie> dh /home/krzee/vpn/keys/server-ca/dh4096.pem 14:20 < krzie> user vpn 14:20 < krzie> group vpn 14:20 < krzie> persist-key 14:20 < krzie> persist-tun 14:20 < krzie> (the persists are needed when using the user/group 14:20 < krzie> ) 14:20 < havoc> hmm, I'm not using ns-cert-type 14:20 < krzie> !servercert 14:20 < vpnHelper> krzie: "servercert" is (#1) openssl req -days 3650 -nodes -new -keyout server.key -out server.csr -extensions server -config ./openssl.cnf && openssl ca -days 3650 -out server.crt -in server.csr -extensions server -config ./openssl.cnf && chmod 0600 server.key, or (#2) this will help with !mitm 14:20 < krzie> !mitm 14:20 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 14:21 < krzie> otherwise i can mitm you with your own cert 14:21 < havoc> bah, now I have to do this all over 14:21 < krzie> (its signed by the ca.crt you verify with) 14:22 < krzie> nah JUST the server cert 14:22 < havoc> ah, ok 14:22 < krzie> as long as you didnt rm your ca stuffs 14:22 < havoc> nope 14:22 < krzie> (and if you did youd need to re-do all again next toime you add a client) 14:23 < havoc> hmm, no mention of --tls-remote in there either 14:23 < havoc> nm, just found it :) 14:26 < 
havoc> docs say ns-cert-type is for OpenVPN 2.0 and below 14:27 < havoc> and remote-cert-tls server for 2.1+ 14:28 < krzie> ya but i still use ns-cert-type in 2.1 14:28 < krzie> cause my openssl.conf doesnt have the stuff for remote-cert-tls 14:28 < krzie> *shrug* 14:30 < havoc> ok 14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:54 -!- mistergibson [n=mistergi@97-115-70-183.ptld.qwest.net] has joined ##openvpn 14:54 < havoc> bah "TLS Error: cannot locate HMAC in incoming packet from..." 14:54 < krzie> that would be a problem in your tls-auth 14:54 < krzie> maybe the file isnt identical 14:54 < krzie> md5 check it 14:55 < krzie> or maybe you got the 1 / 0 wrong 14:55 < mistergibson> anyone have a security comparison of openvpn vs. openswan or strongswan? 14:55 < krzie> openswan is ipsec? 14:55 < mistergibson> I thought so 14:55 < krzie> and strongswan is ipsec as well? 14:55 < mistergibson> same same 14:56 < krzie> so your question is actually about openssl vs ipsec 14:56 < mistergibson> ok, that will do 14:56 < krzie> i know i trust openssl more 14:56 < mistergibson> better encryption capabilities? 14:56 < krzie> yup 14:57 < krzie> and imo ipsec has a bigger history of issues 14:57 < mistergibson> I've always estimated ssl as a pretty low mark of encryption ... am I mistaken? 14:57 < krzie> you may be thinking of web ssl 14:57 < mistergibson> k 14:58 < krzie> type this 14:58 < krzie> openvpn --show-ciphers 14:58 < mistergibson> k, have to install it first - just evaluating now 14:58 < krzie> those are all ciphers you can use with openvpn and your version of openssl 14:58 < mistergibson> hrm, k 14:59 < mistergibson> mix 'em match 'em ... fun at parties eh? 
14:59 < krzie> you definitely dont wanna mix them, just match them 14:59 < krzie> ;] 15:01 < krzie> plus if theres ever an issue with the encryption in openvpn, you just update your openssl 15:01 < mistergibson> hehe 15:01 < krzie> openvpn doesnt actually handle its encryption 15:01 < mistergibson> hrm, some people are putting an assertion out that openvpn is 'non-standards' based, I wonder what they mean. 15:02 < mistergibson> odd 15:02 < krzie> prolly a lack of knowledge 15:02 < krzie> or maybe openssl doesnt go based on RFC 15:02 < krzie> not sure 15:03 < mistergibson> k 15:03 < krzie> but just because ipsec has an RFC doesnt make it good 15:03 < mistergibson> is it possible to do a second gpg encrypted layer over the top of openvpn? ever tried that? 15:03 < krzie> hell if you run a mailserver strictly based on RFC your mailserver sucks 15:03 < mistergibson> heh 15:04 < ecrist> mistergibson: you can do whatever you like. OpenVPN doesn't care what traffic you're passing. 15:04 < mistergibson> ok, cool 15:04 < mistergibson> thanks for the tip 15:09 -!- glengoyne [n=glengoyn@p4FC22C64.dip.t-dialin.net] has joined ##openvpn 15:11 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has joined ##openvpn 15:22 -!- polrus [n=polrus@ip53.zabrze.net.pl] has joined ##openvpn 15:23 < polrus> anybody can help me with openvpn client configuration on linux? 15:24 < hyper_ch> !howto 15:24 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 15:24 < hyper_ch> yey, the bot is back :) 15:27 < krzie> heres a basic config 15:27 < krzie> !sample 15:27 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 15:27 < polrus> i set up my linux openvpn client and i can connect to windows vpn server - but i'm not able to access microsoft network drives 15:27 < krzie> !route 15:27 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 15:27 < krzie> oh wait 15:27 < krzie> network drives on the server? 15:28 < krzie> or on the server's lan? 15:31 < polrus> in my company i have openvpn server and windows network drives 15:31 < polrus> but i'm not sure if it's the same machine 15:32 < polrus> i can access for example an http server using its lan IP 15:33 < polrus> but i don't see any shared drives and i don't know their IP 15:38 -!- polrus [n=polrus@ip53.zabrze.net.pl] has quit [Remote closed the connection] 15:42 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: ashash, corretico_, xenophile7x7, aland 15:43 -!- Netsplit over, joins: ashash, corretico_, xenophile7x7, aland 15:43 < krzie> well you need to know the ip 15:43 < krzie> and if its on the same machine or not 15:43 < krzie> you can mount it based on ip 15:43 < krzie> you can setup routing to use the whole network if needed 15:44 < krzie> and you can run a WINS server for netbios resolution if you care 15:58 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 16:10 < mistergibson> ever run ebox w/ the openvpn module? 
I'm curious how the two approaches differ 16:15 < krzie> dunno what ebox is 16:15 < krzie> i just run openvpn 16:23 -!- glengoyne [n=glengoyn@p4FC22C64.dip.t-dialin.net] has quit [Read error: 113 (No route to host)] 16:34 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 16:34 < havoc> w00t! 16:34 < havoc> had a few stupid mistakes 16:37 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:39 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: corretico_, xenophile7x7, aland 16:41 < havoc> krzie: you mind telling me how bad I fucked up? http://pastebin.com/d34b14cdf 16:42 < havoc> it works now, but I'm assuming I screwed up somewhere ;) 16:43 -!- Netsplit over, joins: corretico_, xenophile7x7, aland 16:52 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 16:53 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection] 16:56 < havoc> wow, new openvpn does a lot automatically 17:13 < havoc> maybe I should also use --cipher? 17:15 < krzie> not really 17:15 < krzie> default is blowfish 17:15 < krzie> which imo is nice 17:16 < krzie> if you feel like using something else, feel free 17:17 < havoc> that Hardening OpenVPN section of the howto mentions AES-256-CBC 17:18 < krzie> which is fine if you wanna use AES 17:18 < krzie> personally i trust BF over AES 17:18 < krzie> regardless of keysize 17:18 < krzie> but theres no reason to listen to me on that 17:18 < havoc> what about my configs; any opinions? 17:18 < havoc> (aside from using TAP ;) 17:19 < krzie> just saw the pastebin, lets see 17:19 < havoc> thanks 17:19 < krzie> why you using ifconfig? 17:20 < havoc> because I've been using it forever 17:20 < krzie> heh 17:20 < havoc> that's what I was saying, newer versions do more for you 17:20 < havoc> but it works and all routes are good 17:20 < krzie> what version were you using where --server didnt exist? 
17:21 < havoc> don't know that it necessarily didn't, but I went through many many different topologies in a very short time 17:21 < havoc> ifconfig w/ manual routes was easier to facilitate all the changes 17:21 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has joined ##openvpn 17:21 < krzie> theres only 3 topologies 17:21 < krzie> ptp net30 and subnet 17:21 < havoc> but I've seen things like --route-gateway now too 17:22 < havoc> no, network, not vpn, topologies 17:22 < havoc> was also bridged at one time too 17:22 < krzie> til i got ahold of you? ;) 17:22 < krzie> <-- the tun/tap nazi 17:23 < havoc> I got rid of bridging as soon as possible a couple years ago 17:23 < krzie> ahh werd 17:23 < havoc> ...when I got time to do it 17:23 < krzie> well the configs arent how ild do, but nothing jumps out at me as "wrong" 17:23 < havoc> as long as it's secure 17:24 < krzie> but like 17:24 < krzie> ifconfig/mode server / tls-server 17:24 < krzie> ild just use --server 17:24 < havoc> still correct, there's just better syntax now 17:24 < havoc> right? 17:29 < krzie> see --server to know all it does 17:29 < krzie> in fact in your setup i dont understand how the client gets an ip 17:29 < havoc> dhcp server on lan 17:29 < krzie> also, why are you using tap? 17:30 < krzie> ohh 17:30 < krzie> ok 17:30 < havoc> we've been over this :) 17:30 < krzie> and this setup is working for you? 17:30 < krzie> do you bridge the server? 17:30 < havoc> no 17:30 < krzie> (without using --server-bridge) 17:30 < krzie> heh cool 17:30 < havoc> all routed 17:31 < krzie> what OS is the server? 
17:31 < havoc> debian 17:31 < krzie> you can use user / group to drop perms 17:31 < havoc> all my vpn/routers/firewalls are linux 17:31 < krzie> also, see --keepalive in the manual 17:31 < havoc> yeah, I do, it's just not in the pastebin 17:31 < krzie> cause you dont need some stuff in your client 17:32 < krzie> # 17:32 < krzie> ping 15 17:32 < krzie> # 17:32 < krzie> ping-restart 45 17:32 < krzie> # 17:32 < krzie> ping-timer-rem 17:32 < krzie> then why am i reading a pastebin that isnt accurate? 17:33 < havoc> user/group=nobody, which is bad, and changing ;) 17:33 < krzie> why is it bad? 17:33 < havoc> and I didn't need the hear about it :) 17:33 < havoc> in a lot of cases an unprivileged user is better than nobody 17:33 < krzie> its only bad if you're already using those for other apps 17:33 < havoc> exactly 17:33 < krzie> how is nobody privileged? 17:34 < havoc> it's not, but it can grant access to other crap if compromised 17:34 < havoc> these servers do a lot 17:34 < krzie> it only exists as a sandbox 17:34 < havoc> yeah, chrooting is also on the list 17:34 < krzie> ok so its bad because you already use it for other apps 17:34 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn 17:34 < havoc> yes 17:34 < krzie> thats valid but i wouldnt have known you use it for other apps so you wouldnt have heard anything bout it 17:34 < krzie> hell my client in !sample uses user/group www 17:35 < havoc> which is why I *tried* to avoid the subject :) 17:35 < krzie> (cause its a default sandbox user but that box doesnt run a sandbox) 17:35 < krzie> err 17:35 < krzie> doesnt run a webserver 17:35 < havoc> my problem is a complete lack of time and far too many things to admin and the constant immediate need for adding services and no time to clean them up later :( 17:35 < krzie> thats why you should always do them right the first time 17:36 < krzie> you dont have to waste your time re-learning things that way 17:36 < havoc> 
which is what I'm trying to do :) 17:36 < havoc> the --server thing is just a syntax convenience though 17:36 < krzie> well no, its not useable for your setup 17:36 < havoc> but I'll probably do it as I don't expect to ever convert back to bridged 17:36 < krzie> you CANT use --server 17:37 < havoc> ah 17:37 < krzie> unless you decide your clients dont need dhcp 17:37 < krzie> (which in reality they dont) 17:37 < havoc> ah, ok 17:37 < havoc> thanks a LOT, that woulda *really* pissed me off if I got into it :) 17:38 < krzie> had you read --server youd know that ;] 17:38 < krzie> it pushes ifconfig to clients 17:38 < havoc> I'm in the middle of it, and I think I actually mentioned that as a deterrent cuz of dhcp a few days ago 17:39 < havoc> so configs are good enough then? 17:39 < havoc> I'll skip the --cipher stuff 17:39 < krzie> they are what you said you want 17:40 < havoc> if I ever get the tools at work to stop getting owned I'll switch to tun 17:40 < havoc> and on my network my one laptop is the only vpn client with access to *anything*, the rest are on their own segment, and can't even see each other 17:41 < havoc> it just facilitates my access to their individual machines 17:41 < havoc> kindof a slick setup 17:42 < havoc> --client-to-client is left out on that config, and I have a uVNC server running on their machines, and the OpenVPN server enabled 17:42 < havoc> and fixed dhcp addressing on the virtual TAP MAC and DNS 17:42 < havoc> makes managing all the family's machines far easier as I never have to see them 17:43 < havoc> it also makes things like remote backups easier/possible 17:44 < havoc> anyway, I've loved openvpn for a while 17:50 < havoc> yeah, I guess the dhcp thing helps with that too 17:50 < havoc> ...managing remote backups 17:52 < havoc> krzie: anyway, thanks for looking :) 17:59 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Client Quit] 18:13 < krzie> yw 18:14 < havoc> bah 18:15 < havoc> have a couple clients out there 
that don't have the current config 18:15 < havoc> logs are filling up w/ TLS errors 18:15 < havoc> iptables DROP them for now I guess 18:17 < havoc> I'll be out there in a week to fix it in person 18:20 < havoc> krzie: I'm guessing you don't have to, or choose not to, do a lot of free admin? 18:25 < krzie> free admin? 18:26 < krzie> i admin freebsd boxes if thats what you mean 18:26 < krzie> if you mean work for free, SHIT NO 18:27 < havoc> heh 18:28 < havoc> family, you can't choose'em :( 18:28 < krzie> i choose to not tell them i could fix things remotely 18:28 < krzie> then i moved out of the country 18:28 < krzie> lol 18:33 -!- Fibre [n=fibre@211.24.237.3] has joined ##openvpn 18:40 < havoc> ha! 18:40 < havoc> anyway, thanks again, I'll blb 18:40 < havoc> bbl 18:40 < krzie> np 18:40 < havoc> Wife Time :) 18:40 < Fibre> 0.o 18:41 * Fibre under age is not recommended to "look" 18:42 < krzie> sweet, pass the pics 18:42 < havoc> we're just watching TV :) 18:42 < Fibre> ah! there we go .. thought it was something else. 18:43 < havoc> as I said, Wife, i.e. married ;) 18:43 < krzie> lol 18:44 < Fibre> and i've got just the "right" picture for a husband and wife when someone said "Wife time" :D 18:45 < Fibre> and totally wrong on that kind of "picture" 18:45 < Fibre> Phew~! Sorry a bit off topic :D (*looking at channel topic) 18:48 -!- coil [i=imgay@unaffiliated/coil] has quit ["http://znc.in"] 18:50 -!- coil [i=stfu@unaffiliated/coil] has joined ##openvpn 18:59 -!- master_of_master [i=master_o@84.157.118.242] has quit [Read error: 110 (Connection timed out)] 18:59 < ecrist> krzie: is your email all better now? 
19:16 -!- ashash [n=ash@p5DE96A01.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:18 < krzie> oh thats right, forgot to keep training it 19:18 < krzie> for some reason those messages didnt make it to the mailbox 19:18 < krzie> but they did make it to the spam training 19:19 < krzie> but the ones that matched filters went to the mailbox 19:19 < krzie> ie: openvpn maillist went to openvpn dir 19:21 < krzie> did you whitelist the freeswitch maillist or did i somehow? 19:23 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 19:42 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 19:44 -!- pm2 [n=pm2@143.105.104.59] has joined ##openvpn 19:44 < pm2> Hi - I'm running an OpenVPN server on linux. How are client IP addresses determined? Does the server automatically assign an unused address to each client that connects? 19:46 < Optic> there are many different possible strategies, read the manual :) 19:46 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 19:48 < pm2> Optic, I did, and I'm noticing some strange behavior. I'm just trying to make sure of what the default behavior is, so I can rule out OpenVPN as being the cause of the problem 20:05 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 20:05 < krzie> well 20:06 < krzie> post your configs and ill tell you how yours does 20:06 < krzie> theres no default since theres no default setup 20:06 < krzie> it only does what you tell it to ;) 20:48 < ecrist> krzie: all I did was specify the user and cat all your mail to dspam 20:49 < ecrist> it worked for the first 200 or so, so I let it roll 20:50 < ecrist> dovecot acts as the delivery agent, so postfix didn't actually touch the mail. 
my setup postfix -> dspam -> dovecot 20:57 -!- coil [i=stfu@unaffiliated/coil] has quit [Client Quit] 20:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 20:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 21:02 -!- coil [i=stfu@unaffiliated/coil] has joined ##openvpn 21:05 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 21:18 -!- master_of_master [i=master_o@p549D75EB.dip.t-dialin.net] has joined ##openvpn 21:29 < krzie> weird 21:29 < krzie> they all for sure got processed 21:30 < krzie> but only ones that matched a filter made it to the inbox 22:32 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 23:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn --- Day changed Wed Dec 09 2009 00:22 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Remote closed the connection] 00:33 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 00:33 -!- Fibre [n=fibre@211.24.237.3] has left ##openvpn ["Leaving"] 01:07 -!- hyper_ch [n=hyper@95-205.1-85.cust.bluewin.ch] has joined ##openvpn 01:09 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 01:21 < krzee> !iroute 01:21 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd 01:21 < krzee> !ccd 01:21 < vpnHelper> krzee: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 01:27 -!- ashash [n=ash@p5DE96C10.dip.t-dialin.net] has joined ##openvpn 01:33 -!- iLoveHippies [n=chatzill@234.swedenborg.gotanet.se] has joined ##openvpn 01:33 < iLoveHippies> !howto 01:33 < vpnHelper> iLoveHippies: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 01:35 < krzee> ecrist, here? 01:35 < iLoveHippies> Q: I'm connected to my OpenVPN server that I recently set up, but if I'd say use my browser to enter a page such as whatismyip.org, I still see the one my ISP gave me 01:35 < iLoveHippies> Why so? 01:36 < krzee> !redirect 01:36 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 01:36 -!- ashash [n=ash@p5DE96C10.dip.t-dialin.net] has quit ["I hate peer!"] 01:36 < iLoveHippies> I'm pretty damn clueless when it comes to this form of networking, sadly I'm only on CCNA :P 01:36 < iLoveHippies> Thanks 01:36 < iLoveHippies> !def1 01:36 < vpnHelper> iLoveHippies: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 01:42 < iLoveHippies> !ipforward 01:42 < vpnHelper> iLoveHippies: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 01:42 < iLoveHippies> !nat 01:42 < vpnHelper> iLoveHippies: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 01:59 < iLoveHippies> OK, now I've looked through the documentation, and it was helpful, thanks krzee 01:59 < iLoveHippies> Though I still have a issue, it would appear no traffic is forwarded through :/ 02:00 < krzee> !configs 02:00 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 02:00 < iLoveHippies> Oh never mind 02:00 < krzee> ? 02:01 < iLoveHippies> I managed to fuck up the routing of the box :p 02:01 < iLoveHippies> So that won' 02:01 < iLoveHippies> so OpenVPN won't be a problem until I've fixed that first lo 02:01 < iLoveHippies> l 02:01 < krzee> hah 02:01 < iLoveHippies> "Oh hey, what does this do?" 02:01 < iLoveHippies> Sigh, I managed to null route everything in iptables 02:02 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:23 -!- hyper__ch [n=hyper@95-205.1-85.cust.bluewin.ch] has joined ##openvpn 02:23 -!- hyper_ch [n=hyper@95-205.1-85.cust.bluewin.ch] has quit [Nick collision from services.] 
02:23 -!- hyper__ch is now known as hyper_ch 02:33 < hyper_ch> hmmm 02:35 -!- mistergibson [n=mistergi@97-115-70-183.ptld.qwest.net] has left ##openvpn ["Leaving."] 02:37 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn 02:40 -!- dazo|h is now known as dazo_h 02:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 02:57 -!- _dren [i=dren@dereferenced.nullpointer.net] has joined ##openvpn 02:58 < _dren> anyone awake? 03:00 -!- _dren is now known as dren 03:02 -!- dren is now known as _dren 03:04 < dazo_h> _dren: yeah ... but people might not respond here until something interesting appears here ... or a question .... 03:11 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has joined ##openvpn 03:11 < phant0m_> i have a problem with open vpn i cant seem to log into it 03:12 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has quit [Remote closed the connection] 03:12 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has joined ##openvpn 03:12 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has left ##openvpn ["Konversation terminated!"] 03:28 < _trine> are there any free vpn servers that I could use? 03:29 -!- dazo_afk is now known as dazo 03:30 < dazo_h> _trine: not any which we know much about here 03:30 -!- dazo_h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"] 03:31 < _trine> I have openvpn running on my router but of course when I use it it always points to my IP address 03:33 < _trine> when the people here use vpn do they normally pay for a server? 03:33 < dazo> _trine: most people here setup their own servers and clients 03:34 < _trine> dazo, yes but in that case its not anonymous is it 03:34 < _trine> ? 03:34 < dazo> _trine: and that's not why most people here use VPN to start with 03:34 < dazo> _trine: if you want anonymity ... tor clients might be a better bet 03:35 < _trine> dazo, can you use tor for everything? 
03:36 -!- Fibre [n=fibre@210.48.148.132] has joined ##openvpn 03:36 < dazo> _trine: or you can rent a VPS host somewhere and setup an openvpn server there ... but if you want a "no strings attached"-solution, that's not something we care much about here 03:36 < dazo> _trine: I believe so 03:36 < _trine> dazo, thanks I will look into this more 03:36 < dazo> _trine: http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29 03:36 < vpnHelper> Title: Tor (anonymity network) - Wikipedia, the free encyclopedia (at en.wikipedia.org) 03:38 < dazo> _trine: might be that your application needs to support usage of SOCKS proxy or so 03:46 < _dren> dazo_h: thanks 03:47 < _dren> dazo: i'm not sure whether or not you can setup a vpn on a vps unless you have access to the network interfaces 03:47 < _dren> so that would be something to check 03:48 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: krzee, ivenkys, PiousMinion 03:48 < _trine> thanks for the help, I need to go now bbl 03:48 < _dren> !redirect 03:48 < vpnHelper> _dren: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 
03:49 < _dren> !ipforward 03:49 < vpnHelper> _dren: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 03:49 < _dren> !fbsdipforward 03:49 < vpnHelper> _dren: "fbsdipforward" is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 03:49 < _dren> !nat 03:49 < vpnHelper> _dren: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 03:50 < _dren> !fbsdnat 03:50 < vpnHelper> _dren: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD 03:50 < dazo> _dren: usually when you get a VPS, its a virtual box where you can do whatever you want with it, you install your favourite OS and set up the administrator/root account as well ... your virtual box is just getting its network config via DHCP by the provider. 03:51 < _dren> dazo: true, it depends on the virtualization technology as far as whether you are able to access your nics, recompile your kernel, etc. 03:51 < dazo> _dren: well, I'm talking about *real* VPS ... not vserver based "wanna be" solutions ;-) 03:52 < _dren> something he should check with provider about the tech. 
they're using 03:52 < _dren> and make sure that capability is enabled 03:53 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 03:57 -!- ruied [n=ruied@89.214.176.221] has joined ##openvpn 03:58 -!- rgouveia [n=rgouveia@169.89.54.77.rev.vodafone.pt] has left ##openvpn [] 04:01 -!- Netsplit over, joins: krzee, ivenkys, PiousMinion 04:03 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: ivenkys, krzee, PiousMinion --- Log closed Wed Dec 09 04:21:05 2009 --- Log opened Wed Dec 09 04:58:31 2009 04:58 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn 04:58 -!- Irssi: ##openvpn: Total of 84 nicks [0 ops, 0 halfops, 0 voices, 84 normal] 04:58 -!- Irssi: Join to ##openvpn was synced in 29 secs 05:02 < _dren> ipforward & nat did the trick for getting my traffic out to the world 05:03 < _dren> it's funny i've been working on this all day i guess i could have figured i needed these, but couldn't find info about them anywhere till here 05:07 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 05:09 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: ivenkys, krzee, PiousMinion 05:11 -!- znull [i=z@www.files2u.com] has quit [Remote closed the connection] 05:12 -!- Sky[x] [n=SkyB0x@88.200.89.44] has joined ##openvpn 05:12 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 05:16 -!- ruied [n=ruied@89.214.176.221] has quit [Connection timed out] 05:17 -!- znull [i=z@www.files2u.com] has joined ##openvpn 05:18 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 05:26 -!- znull [i=z@www.files2u.com] has quit [Remote closed the connection] 05:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:35 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn 05:38 < Zordrak> The howto defines the tls key negotiation timeout problem as likely caused by a lack of network connectivity or port 1194 not being forwarded to the 
server etc etc.. but it doesnt entirely make sense.. if the connection has been initiated and fails at TLS negotiation and it shows in the server logs.. surely 1194/udp comms must be happening to get that far... unless the initiation is done over tcp and tls neg starts the udp comms? 05:40 -!- znull [i=z@www.files2u.com] has joined ##openvpn 05:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 05:42 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has joined ##openvpn 05:42 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn 05:59 -!- SkyX [n=SkyB0x@193.2.84.231] has joined ##openvpn 06:00 -!- Slayerduck [n=duck@unaffiliated/slayerduck] has joined ##openvpn 06:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection] 06:07 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 06:07 < Slayerduck> I recently installed openvpn and successfully created a vpn between pc (home) 192.168.0.205 and (remote) 192.168.0.206. I created routing tables so I can access my local nas from remote that's located at 192.168.0.5. I'm able to ping it and everything. 06:07 < Slayerduck> However, when I try to mount the NFS share on the nas it does not work. Any idea why this happens? If I portscan from remote I can see that the NFS port is open. 06:10 < reiffert> dazo: I dont think that the linux kernel model will be a good choice for this small project. 06:11 < Rienzilla> does your nas know how to route back to your VPN? or do you use proxy-arp? 06:11 < Rienzilla> hmm if it pings it should 06:11 < dazo> reiffert: why not? I'd like to hear contra arguments :) 06:11 < reiffert> dazo: I think that it all ends in many improvements but James doesnt have time enough for committing them. 06:12 < dazo> reiffert: that's why he needs his "inner circle" of people who he trusts .... and that these people have write access to the VCS 06:12 < reiffert> dazo: ack. 
06:12 < reiffert> You will need some major and minor goals to work towards. 06:12 < reiffert> a roadmap 06:12 < dazo> reiffert: or if using a DVCS ... he will pull their trees when he has his merge window open ... those "inner circle" people must work on reviewing and make sure James can merge in their 06:13 < dazo> trees with as few conflicts as possible 06:13 < dazo> reiffert: very true! 06:13 < reiffert> keep it simple 06:13 < Slayerduck> Rienzilla, i added a route on the nas so it knows its way back yes 06:13 < reiffert> and keep work away from james. 06:15 < dazo> reiffert: James needs primarily to think forward to put the long term goals ... but it needs to be communicated ... and his close people to make sure the short term goals match that ... but anyhow, James really needs help to get offloaded, he obviously does too much now 06:15 < reiffert> I have no idea about what his daily life is about. 06:16 < reiffert> So finally I think that CVS write access to 4-5 people will be a good start. 06:16 < dazo> I've just read that between the lines on several mails on the mailing lists 06:16 < reiffert> a trac, a roadmap, etc 06:17 < dazo> reiffert: yeah ... but all communication must be made available for the community ... and if these "inner circle" people have meetings, it would be good if their meeting minutes are public as well 06:17 < reiffert> macports is using trac as well, some other projects too. I like trac. 06:18 < dazo> trac is working very well, but I've heard it's less nice in regards to maintenance and upgrading it 06:19 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 06:20 -!- Sky[x] [n=SkyB0x@88.200.89.44] has quit [Connection timed out] 06:20 -!- Sky[x] [n=SkyB0x@88.200.89.44] has joined ##openvpn 06:20 -!- SkyX [n=SkyB0x@193.2.84.231] has quit [Connection timed out] 06:20 < reiffert> dazo: name a trac maintainer. 
06:21 < dazo> reiffert: The maintainer of python-dmidecode has been through some struggles 06:22 < reiffert> dazo: The macports trac maintainer is a guy working at apple, he didnt report any problems yet when upgrading trac. 06:23 < reiffert> However, we can still fork the project whenever it's getting worse. 06:24 < dazo> reiffert: it might be it depends on enabled plug-ins 06:24 < dazo> oh yeah :) 06:25 < reiffert> what might be a good fork name, openvpn-3 ? 06:26 < reiffert> :) 06:26 < dazo> oh ... that's daring ... :-P 06:26 < dazo> openvpn-ng 06:31 -!- Ziber [i=Liber@liber-ipv6.net] has quit ["brb"] 06:44 -!- Sky[x] [n=SkyB0x@88.200.89.44] has quit [Connection timed out] 06:45 -!- kerx [n=kerx__@76-240-161-68.lightspeed.irvnca.sbcglobal.net] has quit [Read error: 104 (Connection reset by peer)] 06:47 -!- ruied [n=ruied@89.214.38.95] has joined ##openvpn 06:52 < Bushmills> i think i like "wire" in the name of such kind of programs. prefix a synonym for adjective private ... ending up with something like "clanwire" 06:54 < Bushmills> http://forthfreak.net/snap/1260363242778408263.png 06:54 < dazo> clubbywire ... snobbywire ... tete-a-tete :-P 06:55 < Bushmills> "clan" has some highlandsish sound to it 06:56 < dazo> yeah :) 06:57 < Bushmills> more mystery in there than in "clique" or "toffee-nose" 06:58 < Bushmills> clique sounds too much like school break 07:00 < Bushmills> hm.. there's a web hoster going by the name of clanwire. but only about 2000 google hits for clanwire, indication that that web hoster isn't too successful. 07:09 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 07:09 < sunrider> i think its time for me to block non-vpn traffic when the vpn goes down! 07:09 < sunrider> i know i can do this by way of making it TAP and not TUN 07:10 < sunrider> is that the recommended way? 07:11 < reiffert> blocking non-vpn traffic when vpn goes down?! 
07:12 < Rienzilla> :-) 07:13 < sunrider> ctrl c kills the openvpn instance 07:13 < sunrider> and all my programs will basically use my isp ip to transmit data. 07:14 < sunrider> i.e. if i had `ping google.com` running over the vpn tunnel and the tunnel dies, the pings go over my isp and not the vpn tunnel 07:14 < sunrider> it automatically reroutes packets 07:14 < reiffert> who is it? 07:16 < reiffert> however, the recommended way is reading the official howto. 07:17 < reiffert> I doubt that changing to tap will solve "it". 07:17 < reiffert> Instead, I'd have a close look on what happens when "it" terminates a connection and "it" restores the gateway afterwards. 07:18 < sunrider> i assume it removes it's `route` entries 07:18 < sunrider> have been running tcpdump during it 07:18 < reiffert> sunrider: how will your vpn client be able to establish a connection to the vpn server when there is gateway? 07:19 < reiffert> "it" will not work. 07:20 < sunrider> maybe it cannot re-establish the tunnel because i have set it to not cache the password 07:21 < reiffert> and maybe you get "it" all wrong. 
07:27 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)] 07:31 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 131 (Connection reset by peer)] 07:34 < havoc> bah, power outages :( 07:35 -!- magic_1 [n=magic@41.121.115.100] has joined ##openvpn 07:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 07:37 < Bushmills> sunrider: you could set a default route to 127.0.0.1, overriding it with def1 routes to vpn server 07:37 < Bushmills> or not have any default route at all 07:45 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 07:52 -!- corretico__ [n=laguilar@201.201.46.106] has quit ["Leaving"] 08:03 -!- pergaminho [n=pergamin@187.7.137.142] has quit [Client Quit] 08:10 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 08:45 < ecrist> good morning. 08:46 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 08:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 09:00 -!- ruied [n=ruied@89.214.38.95] has quit [Connection timed out] 09:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 09:08 -!- rbd___ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 09:10 < ecrist> krzee: I'm here now. 09:10 < rbd___> hey guys... I'm trying to make a simplified windows installer that will automatically generate the SSL client certs... in the easyrsa/openvpn.cnf file I can specify a default for the common name (then use an environment variable to set that between generating the CSR, server and client keys)...however I still have to press enter to accept all of the defaults...any way to skip this (and just generate the cert with the defaults) 09:16 < ecrist> man openssl? 
09:16 -!- teddymills [n=teddy@208.92.235.227] has quit [Client Quit]
09:17 < ecrist> the raw openssl binary may only have an interactive mode. you might need to develop something using the library instead
09:18 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
09:21 < rbd___> that's what I'm thinking after looking through the docs (unless I missed something)....even with the openvpn GUI now in the installer, I still can't give it to a user (can't expect a stupid user to generate their own certs and edit config files)...so I may wrap it with an installer that does this
09:21 < rbd___> is it a giant security problem using the same certificate for all VPN clients (we'll be using a shared key)?
09:23 < rbd___> after key exchange, we still have two factor authentication (pass the username and password over the secure tunnel to a RADIUS server)
09:24 < ecrist> users shouldn't be generating their own certs...
09:25 < rbd___> if I'm using a pre-shared key (not public key auth), followed by two factor auth, could I just use the same cert for all VPN users?
09:27 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has joined ##openvpn
09:27 < Sp4rKy> Hi
09:29 < Sp4rKy> in order to change my openvpn server , I would be able to : add the new openvpn server, sync the config, then make something to allow users connected to the first one and users connected to the second one to see each other, just as if they were on one server
09:29 < Sp4rKy> is it possible ?
09:33 < ecrist> sure
09:33 < ecrist> the new server needs its own IP or port
09:33 < ecrist> then just make sure the networking behind works (the subnet is routed to both vpns, etc)
09:34 < Sp4rKy> hmmm
09:34 < Sp4rKy> so I need to connect each server to the other?
09:38 < ecrist> yes, otherwise how would they communicate?
09:39 < Sp4rKy> dunno, maybe there is some integrated feature for doing that
09:41 < Sp4rKy> hmmm, I can't see how it will work. Even if I connect each vpn to the other one.
Because they will handle "same" clients , how openvpn will update the provided routes
09:42 < Sp4rKy> ie : if I have client1. providing 192.168.25.0/24 which is connected on first openvpn server.
09:42 < Sp4rKy> I update its config with new openvpn ip, restart
09:43 < Sp4rKy> how the other clients connected to the first openvpn server will know the change?
09:44 < coil> Wed Dec 09 10:44:21 2009 us=562000 There is a problem in your selection of --ifconfig endpoints [local=10.8.0.2, remote=255.255.255.0]. The local and remote VPN endpoints must exist within the same 255.255.255.252 subnet. This is a limitation of --dev tun when used with the TAP-WIN32 driver. Try 'openvpn --show-valid-subnets' option for more info.
09:45 < thedonvaughn> hrm, I have an issue. There may not be anything one can do. I have 2 offices linked together via Cisco IPsec VPN. Office A is 192.168.6.0/24 and Office B is 192.168.7.0/24. I have an openvpn server setup at office A. The openvpn server pushes routes for both offices. However when one is connected via OpenVPN and wants to send a file to Office B the connection will drop. Now I understand this is an openvpn tunnel then sending to an IP
09:45 < thedonvaughn> any suggestions on how to fix this?
09:50 -!- hyper_ch [n=hyper@95-205.1-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:02 < ecrist> thedonvaughn: read the topic and we can help you from there.
10:04 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:05 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
10:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:10 < rbd___> if using PKI, can I have multiple clients with the same client certificate connected at the same time?
10:10 < ecrist> yes, with duplicate-cn
10:11 < ecrist> it's better off that you don't however.
10:11 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: krzie, pekster, tarbo2, pm2, bandini, Lyndon, Han, Sp4rKy, dollabill, julius, (+63 more, use /NETSPLIT to show all of them)
10:11 -!- Irssi: ##openvpn: Total of 18 nicks [0 ops, 0 halfops, 0 voices, 18 normal]
10:14 -!- Netsplit over, joins: Sky[x], chantra, Bushmills, crazygir, CaBa, sdh, kexman, jhp, dollabill, Zordrak (+5 more)
10:14 < rbd___> ecrist: ok, thanks
10:15 -!- Guest67461 [n=dazo@nat/redhat/x-hwehkdykucxzwqrb] has joined ##openvpn
10:15 -!- Netsplit over, joins: Sp4rKy, teddymills, mikkel, tarbo2, LobbyZ, KaiForce, magic_1, krzie, cpm, PiousMinion (+23 more)
10:15 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
10:15 -!- Netsplit over, joins: eliasp, teratoma, Lyndon, oc80, redfox, dmarkey_, bvierra, balboah, barbosa, rwp (+13 more)
10:16 -!- Guest67461 is now known as dazo
10:27 < thedonvaughn> ecrist: sorry.
10:28 < thedonvaughn> hrm, I have an issue. There may not be anything one can do. I have 2 offices linked together via Cisco IPsec VPN. Office A is 192.168.6.0/24 and Office B is 192.168.7.0/24. I have an openvpn server setup at office A. The openvpn server pushes routes for both offices. However when one is connected via OpenVPN and wants to send a file to Office B the connection will drop.
Now I understand this is an openvpn tunnel then sending to an IP
10:28 < thedonvaughn> server config file: http://www.pastebin.org/62752
10:28 < reiffert> !notovpn
10:28 < vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
10:29 < reiffert> also be sure to read
10:29 < reiffert> !route
10:29 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:29 < thedonvaughn> reiffert: why you so sure it's not openvpn?
10:29 < ecrist> thedonvaughn: I often have 3+ networks connected with OpenVPN.
10:29 < thedonvaughn> it only drops when using over openvpn
10:30 < thedonvaughn> ecrist: yah i'm in the middle of dropping the ipsec vpn and replacing it with openvpn. At least I can narrow it down that way. openvpn logs aren't showing me any drops or errors ;/
10:30 < ecrist> as a matter of fact, here at the office now, I can route from a client across openvpn to our servers, from there across IPSec to one of our customers, and across to a private AT&T frame-relay
10:31 < thedonvaughn> yah i can talk fine. I thought it was working. it wasn't until you try to do a heavy file transfer i run into errors.
but thanks i have a few new things i can try
10:33 -!- rbd_ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
10:33 -!- rbd___ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit []
10:39 -!- MadTBone [n=MadTBone@160.39.238.196] has quit [Read error: 110 (Connection timed out)]
10:41 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has joined ##openvpn
10:53 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:56 -!- Fibre [n=fibre@210.48.148.132] has quit ["Leaving"]
11:13 -!- MadTBone [n=MadTBone@gw.msmnyc.edu] has quit [Read error: 110 (Connection timed out)]
11:15 -!- MadTBone [n=MadTBone@160.39.238.196] has joined ##openvpn
11:18 -!- magic_1 [n=magic@41.121.115.100] has quit [Read error: 145 (Connection timed out)]
11:18 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: ivenkys, krzee, PiousMinion
11:19 -!- magic_1 [n=magic@41.121.115.100] has joined ##openvpn
11:22 -!- Netsplit over, joins: ivenkys
11:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:43 -!- ruied [n=ruied@89.214.64.233] has joined ##openvpn
11:46 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
11:52 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn
11:56 -!- hyper_ch [n=hyper@84.226.239.125] has joined ##openvpn
12:03 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
12:04 -!- bandinia [n=bandini@host142-106-dynamic.40-79-r.retail.telecomitalia.it] has joined ##openvpn
12:06 -!- bandini [n=bandini@host120-105-dynamic.45-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)]
12:14 -!- ruied [n=ruied@89.214.64.233] has quit [Read error: 60 (Operation timed out)]
12:18 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn
12:19 < sauce_> hey i have a question about openvpn bridging with the tap driver.
the server is on a LAN of 192.168.3.0/24 with a gateway of 192.168.3.1
12:20 < sauce_> now, should the server-bridge line look like this for example: "server-bridge 192.168.3.200 255.255.255.0 192.168.3.201-250"
12:20 < sauce_> and of course, do not give out any IPs on the server's LAN in that range of 200-250
12:20 < sauce_> everything looking good so far?
12:46 < ecrist> yep
12:46 < ecrist> wiat
12:46 < ecrist> wait*
12:47 < ecrist> no, that should be "server-bridge 192.168.3.200 255.255.255.0 192.168.3.201 192.168.3.250"
12:48 -!- barbosa [n=barbosa@189.27.113.188.dynamic.adsl.gvt.net.br] has quit [Read error: 110 (Connection timed out)]
12:54 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:55 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
12:56 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
13:07 -!- SJr|nx [n=sjr@office.superuholdings.com] has joined ##openvpn
13:07 < SJr|nx> I'd like a nice UI for OpenVPN that's GPL and for Mac OS X
13:08 < thedonvaughn> SJr|nx: tunnelblick
13:19 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
13:21 < ecrist> !ui
13:21 < vpnHelper> ecrist: Error: "ui" is not a valid command.
13:21 < ecrist> !mac
13:21 < vpnHelper> ecrist: "mac" is Use Tunnelblick for the Mac. (http://code.google.com/p/tunnelblick/)
13:56 -!- bandinia [n=bandini@host142-106-dynamic.40-79-r.retail.telecomitalia.it] has quit [Read error: 60 (Operation timed out)]
14:06 -!- Diddi [i=diddi@zenit.bsnet.se] has joined ##openvpn
14:07 < Diddi> !topology
14:08 < vpnHelper> Diddi: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
14:08 < Diddi> well that sentence made sense...
:P
14:09 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
14:13 -!- dazo is now known as dazo_afk
14:13 -!- ruied [n=ruied@89.214.64.233] has joined ##openvpn
14:16 < sauce_> hey ecrist
14:17 -!- dazo_afk is now known as dazo
14:17 < sauce_> sorry i went afk, thanks for that help before
14:21 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: PiousMinion
14:21 < thedonvaughn> ok. So if i have 2 remote sites connected via openvpn that each represent a network. How can I push routing information both ways? I.e. openvpn server pushes its network so the client can talk to the private lan behind the server. The client also pushes its network so the server can talk to the private lan behind the client
14:22 < thedonvaughn> this possible? Or would i need to set up a server and client connection on both ends?
14:24 < thedonvaughn> oh helps if i read the route page :)
14:24 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
14:27 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has quit [Read error: 60 (Operation timed out)]
14:27 < Diddi> what's up with the access server? it's not possible to have an openvpn setup with more than 2 clients unless paying?
14:28 < ecrist> not with access server
14:28 < Diddi> aha, so access server is an optional suite?
14:29 < Diddi> somehow I can't find where to download just 'openvpn' :o
14:30 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
14:31 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
14:33 < thedonvaughn> hrm for some reason openvpn won't start if i use iroute
14:33 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has joined ##openvpn
14:37 < ecrist> thedonvaughn: with iroute
14:37 < ecrist> !iroute
14:37 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
14:37 < ecrist> Diddi: click community
14:37 < ecrist> on their website
14:37 < ecrist> and then downloads
14:38 < Diddi> ecrist: ah, thanks
14:41 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:53 -!- glengoyne [n=glengoyn@p4FC22BF7.dip.t-dialin.net] has joined ##openvpn
14:59 -!- thesov [n=user@adsl-69-213-135-124.dsl.chcgil.ameritech.net] has joined ##openvpn
15:01 < thesov> hello i am having issues with my pfsense openvpn routing to the remote users. is this a known issue?
15:01 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
15:03 < julius> thesov: An old router of mine ran a not-too-recent version of pfsense embedded and worked fine with openvpn routing
15:09 < thesov> it's odd because i can ping the remote pfsense itself but not anything beyond it.
i must have a broken route or something
15:12 < julius> sounds like it
15:13 < thesov> well I'll start pastebin'ing stuff, maybe you guys could help
15:15 -!- thesov [n=user@adsl-69-213-135-124.dsl.chcgil.ameritech.net] has quit ["Leaving"]
15:15 -!- thesov [n=a@dsl092-128-161.chi1.dsl.speakeasy.net] has joined ##openvpn
15:15 < thesov> !route
15:15 < vpnHelper> thesov: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:23 < sdh> heh
15:24 < thesov> ok so this is the output of openvpn itself
15:24 < thesov> http://www.pastebin.org/62881
15:25 < thesov> http://www.pastebin.org/62883 list of routes
15:25 < julius> eeew
15:25 < julius> wintendo
15:26 < thesov> you expend normal end users to use linux?
15:27 < thesov> expect*
15:27 < thesov> freudian slip, I wish I expend end users
15:28 < thesov> any opinions? is it my remote gateway at fault?
15:31 < reiffert> It does work for 10 secs, doesn't it?
15:31 < reiffert> #
15:31 < reiffert> Wed Dec 09 15:22:52 2009 us=656000 Initialization Sequence Completed
15:31 < reiffert> #
15:31 < reiffert> Wed Dec 09 15:23:02 2009 us=109000 TCP/UDP: Closing socket
15:31 < thesov> i quit to make that log, u can ignore the last line
15:31 < reiffert> #
15:31 < reiffert> Wed Dec 09 15:22:44 2009 us=234000 WARNING: --ping should normally be used with --ping-restart or --ping-exit
15:32 < reiffert> what's the matter anyway?
15:32 < thesov> i can access the remote router but nothing beyond it
15:33 < reiffert> tell it to work properly then.
15:33 < thesov> everything stops there, the remote router has rules to allow the openvpn network. I don't understand why it would just stop.
15:45 -!- yoshx [n=yoshx@78.114.253.27] has quit [Connection timed out]
15:45 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn
15:57 -!- bandini [n=bandini@host58-109-dynamic.31-79-r.retail.telecomitalia.it] has joined ##openvpn
16:01 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
16:01 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
16:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
16:09 -!- glengoyne [n=glengoyn@p4FC22BF7.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)]
16:11 < Bushmills> remote router is vpn server?
16:12 < Bushmills> which you can access from vpn client, on your side of the tunnel?
16:13 < Bushmills> (me wonders what else normal end users would use, if not linux. well, some use macs)
16:14 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
16:15 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
16:33 -!- yoshx [n=yoshx@78.114.253.27] has quit [Connection timed out]
16:35 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
16:36 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit ["The Lord of Murder Shall Perish."]
16:43 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:55 -!- ruied [n=ruied@89.214.64.233] has quit [Connection timed out]
17:23 -!- notneb [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:23 < notneb> wow
17:23 < notneb> anyone here?
17:24 -!- dazo is now known as dazo_afk
17:25 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 145 (Connection timed out)]
17:27 < reiffert> no, all gone.
17:27 -!- Slayerduck [n=duck@unaffiliated/slayerduck] has quit [Read error: 104 (Connection reset by peer)]
17:27 < notneb> haha
17:27 < notneb> how do you guys like openvpn?
17:30 < reiffert> We totally dislike openvpn, that's why we are on this irc channel. It's all about Cisco VPN.
17:31 < Bushmills> we're only here to bash it
17:33 < Bushmills> but in fact, we're all devoted ipsec or pptp fans.
17:33 < notneb> just getting an opinion
17:33 < notneb> I work for OpenVPN
17:33 < Bushmills> want to get a more objective opinion?
17:33 < notneb> Yes
17:34 < Bushmills> if you want that, better ask on a more neutral channel
17:34 < reiffert> notneb: get a new release out now. Then come back.
17:34 < reiffert> a stable one.
17:34 < reiffert> 2.0.9 is way too ancient.
17:34 < notneb> We are ready with one
17:34 < notneb> should be out very soon
17:34 < reiffert> James always says he will bring out one soon.
17:34 < reiffert> for 2.5 years.
17:35 < notneb> Patience is a virtue
17:35 -!- notneb is now known as cp
17:35 -!- cp is now known as openvpn
17:35 < reiffert> Patience is something that makes linux distributors and BSD ship with stable openvpn, ancient 2.0.9 with tons of bugs.
17:36 < reiffert> not to speak of windows.
17:36 < openvpn> one sec
17:36 < openvpn> be right back
17:36 -!- openvpn [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has left ##openvpn []
17:37 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:37 < openvpn2009> okay, but without saying much I would say it will be rather sooner than later
17:37 < reiffert> oh, sooner than another 3 years?
17:38 < openvpn2009> I understand the frustration
17:41 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
17:41 < reiffert> anyway, what's your part at openvpn?
17:43 < openvpn2009> no problem
17:45 < reiffert> how come the recent interest in irc?
17:45 < openvpn2009> just came on to check it out
17:47 < reiffert> I'm talking about you and the other guy "community relationship manager"..
17:47 < openvpn2009> We have a community relationship manager here?
17:47 < reiffert> Community Manager that is
17:47 < reiffert> Sort of, you should check the -devel list.
17:48 < openvpn2009> is he in the channel now?
17:48 < reiffert> Think he didn't join today. But he was on yesterday I think.
17:48 < openvpn2009> samuli
17:48 < openvpn2009> ?
17:49 < reiffert> think his nickname is mattock or similar
17:50 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:50 < Kas> Hey all
17:51 -!- iLoveHippies [n=chatzill@234.swedenborg.gotanet.se] has quit ["ChatZilla 0.9.85 [Firefox 3.7a1pre/20091208042125]"]
17:51 < openvpn2009> Interesting
17:56 < openvpn2009> pretty quiet in here
17:59 < reiffert> enjoy your stay and wait for some people to have questions.
18:02 < Bushmills> most commonly those are "why can't i see the boxes behind the openvpn server from my openvpn client"
18:03 < Bushmills> then somebody types !reiffert, and he, alerted, types !route :D
18:09 < openvpn2009> haha
18:13 < Bushmills> that handles 75% of the questions. 75% of the remaining 25% are dealt with by !howto.
18:19 < reiffert> and are related to 2.0.9
18:44 -!- Fibre [n=fibre@211.24.237.3] has joined ##openvpn
18:46 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
18:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
18:49 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
18:59 -!- master_of_master [i=master_o@p549D75EB.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:02 -!- master_of_master [i=master_o@p549D7577.dip.t-dialin.net] has joined ##openvpn
19:15 < reiffert> openvpn2009: there is a help bot. its name is vpnHelper.
19:16 < reiffert> openvpn2009: see topic on most common commands
19:16 < reiffert> to play around with the bot, just type !words in the channel, e.g.
19:16 < reiffert> !route
19:16 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
19:17 < openvpn2009> got it, thank you!
19:17 < openvpn2009> !logs
19:17 < vpnHelper> openvpn2009: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
19:25 -!- Douglas [n=me@ool-435033e6.dyn.optonline.net] has joined ##openvpn
19:25 < Douglas> hey
19:25 < Douglas> anyone used asus eee pc around here
19:26 < _trine> Douglas: yes I use an eeepc
19:26 < Douglas> newer or old
19:26 < _trine> old I guess it's the 1000
19:27 < Douglas> im trying to find someone with fairly new
19:27 < Douglas> ive heard keyboard is very small and a real pain in the ass
19:27 < Douglas> at least, on old ones
19:27 < Douglas> supposedly new ones = better
19:27 < _trine> well I find it perfectly ok
19:27 < _trine> in fact I prefer typing on it
19:28 < _trine> and I have big fingers :)
19:28 < Douglas> Cant decide on a dell mini.. or a eeepc..
19:28 < Douglas> or a samsung..
19:29 < Bushmills> samsung netbooks have a good name
19:29 < _trine> no contest the eeepc wins all the time
19:29 < Douglas> Bushmills: yeah
19:29 < Douglas> eeepc.. hmm.
19:29 < Bushmills> especially the more recent ones, nc510 or such
19:29 < Douglas> they are fairly cheap
19:29 < Douglas> yeah I was looking at the NC10 and NC13
19:29 < Bushmills> nc10 might be the lowliest of the bunch
19:30 < Bushmills> I'd go for one with a screen bigger than 1024x600
19:31 < Douglas> like
19:31 < Bushmills> i forget the nc20 screen size, but it is bigger iirc
19:31 < Douglas> i dont wanna spend a fortune
19:31 < Douglas> I can get one of the dell mini 10v for $251.10
19:31 < Douglas> shipped
19:31 < Douglas> brand new
19:34 < Bushmills> I'm on a first generation acer aspire one.
should be cheap now too. good quality screen, but with 1024x600 also on the small side.
19:35 < Douglas> http://cgi.ebay.com/DELL-INSPIRON-MINI-9-1-6-GHZ-NETBOOK-LAPTOP-WHITE-NEW_W0QQitemZ270493685170QQcmdZViewItemQQptZUS_Netbooks?hash=item3efaae15b2
19:35 < vpnHelper> Title: DELL INSPIRON MINI 9 - 1.6 GHZ NETBOOK LAPTOP WHITE NEW - eBay (item 270493685170 end time Dec-30-09 13:07:05 PST) (at cgi.ebay.com)
19:35 < Douglas> i thought about that one
19:47 < reiffert> does atom 1.6 come with dual core?
19:48 < Bushmills> there is a dual core atom
19:48 < Bushmills> i think that's the z330
19:48 -!- lkthomas [i=lkthomas@218.213.78.173] has quit [Client Quit]
19:48 < Douglas> adfghatergfha9fgfsij
19:48 < Douglas> why is it so hard to pick a F laptop
19:48 < reiffert> This one does not.
19:48 < Bushmills> ehm, N330
19:49 < Douglas> F toshiba
19:50 < Douglas> http://www.newegg.com/Product/Product.aspx?Item=N82E16834117904
19:50 < Douglas> lold
19:51 < vpnHelper> Title: Newegg.com - SONY VAIO P Series VGN-P698EQ Onyx Black Intel Atom Z5301.60GHz 8 2GB Memory 128GB SSD Netbook - Netbooks (at www.newegg.com)
19:53 < reiffert> Z530, no Intel 64, no SSE4, but VT and HT.
19:53 < Douglas> lol
19:54 < reiffert> http://processorfinder.intel.com/details.aspx?sSpec=SLB6P
19:54 < vpnHelper> Title: Intel® Atom™ Processor Z530 - SLB6P (at processorfinder.intel.com)
19:55 < reiffert> TDP 2W only when HT is disabled. 2.2W else.
19:55 < reiffert> Hm, it's defined as Single Core, but got HT.
19:56 < Douglas> i need to stop shopping and give up
19:56 < reiffert> Ah, the 330 got Dual Core, but TDP 8W
19:56 < reiffert> http://processorfinder.intel.com/details.aspx?sSpec=SLG9Y
19:56 < vpnHelper> Title: Intel® Atom™ Processor 330 - SLG9Y (at processorfinder.intel.com)
19:59 < Douglas> e-tsrgegsirfj
19:59 * Douglas head desks
19:59 < reiffert> Douglas: porsche but cheap, eh?
20:01 < Douglas> not even
20:01 < Douglas> i have like 5000 open that i cant decide which
20:01 < Douglas> dell or one of these bajillion eeepc
20:01 < Douglas> i think im letting this battery life bs get to my head
20:01 < Douglas> i use a laptop that lasts 40mins now (if that) and im fine
20:01 < Douglas> and im freaking over omg might only last 2 and a half hours
20:02 < reiffert> get an apple laptop.
20:02 < Douglas> NEVER
20:02 < Douglas> dont even suggest that to me
20:02 < reiffert> $target os?
20:02 < Douglas> say what
20:03 < reiffert> just put it on your new apple.
20:03 < Bushmills> wow, open/free software on closed hardware :)
20:03 < Bushmills> i mean to say, *partially* free software
20:04 < Douglas> http://cgi.ebay.com/ASUS-Eee-PC-1005HA-EU1X-BK-Black-10-1-WSVGA-Netbook_W0QQitemZ200415467317QQcmdZViewItemQQptZUS_Netbooks?hash=item2ea9b15735
20:04 < Douglas> hrm
20:04 < vpnHelper> Title: ASUS Eee PC 1005HA-EU1X-BK Black 10.1" WSVGA Netbook - eBay (item 200415467317 end time Dec-14-09 09:43:17 PST) (at cgi.ebay.com)
20:04 < reiffert> No atom 330.
20:05 < reiffert> 2.5W TDP
20:05 < reiffert> MMX, SSE, SSE2, SSE3, SSSE3, XD-Bit, Hyper-Threading, Enhanced Intel SpeedStep Technology (EIST)
20:05 < reiffert> http://processorfinder.intel.com/details.aspx?sSpec=SLB73
20:05 < vpnHelper> Title: Intel® Atom™ Processor N270 - SLB73 (at processorfinder.intel.com)
20:06 < reiffert> Wiki tells those support 64bit OS'.
20:06 < Bushmills> maybe you want a chumby instead?
20:06 < reiffert> wiki is wrong.
20:07 < reiffert> http://www.intel.com/cd/products/services/emea/deu/processors/atom/specifications/418376.htm
20:07 < vpnHelper> Title: Intel Atom Prozessor – Spezifikationen (at www.intel.com)
20:07 < Bushmills> version 2 temporarily available for lower price
20:07 < Bushmills> 99 $
20:07 < reiffert> http://breakinghabit.files.wordpress.com/2008/12/chumby-in-hand1.jpg
20:08 < Bushmills> or for home use, a sheevaplug
20:10 < reiffert> :)
20:10 < Bushmills> CPU flags of 270 are flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe constant_tsc arch_perfmon pebs bts pni dtes64 monitor ds_cpl est tm2 ssse3 xtpr pdcm lahf_lm
20:11 < reiffert> n8
20:11 < Bushmills> u2
20:13 -!- SJr|nx [n=sjr@office.superuholdings.com] has quit ["This computer has gone to sleep"]
20:14 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:21 -!- krzie [n=krzee@unaffiliated/krzee] has left ##openvpn []
20:21 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
20:21 < Douglas> hey krzie
20:24 < krzie> sup dude
20:25 < Douglas> nada
20:25 < Douglas> about to send debt collectors to your country
20:26 < Douglas> jk
20:26 < krzie> haha
20:26 < Douglas> im netbook shopping at the moment sir
20:26 < krzie> werd
20:26 < Douglas> cant decide what the fuck i want
20:27 < Douglas> it is making me rage
20:28 < krzie> would be much easier for me
20:28 < Douglas> why
20:28 < krzie> cause ild decide based on what osX would install on
20:29 < Douglas> lol osx gtfo
20:33 < Douglas> http://cgi.ebay.com/Acer-Aspire-one-10-1-Netbook-PC-Black-AOD250-1727_W0QQitemZ300371811710QQcmdZViewItemQQptZUS_Netbooks?hash=item45ef8e1d7e
20:33 < vpnHelper> Title: Acer - Aspire one 10.1 Netbook PC - Black AOD250-1727 - eBay (item 300371811710 end time Dec-27-09 17:40:04 PST) (at cgi.ebay.com)
20:33 * Douglas thinks he settled on that one
20:40 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:55 -!- Douglas [n=me@ool-435033e6.dyn.optonline.net] has quit [Remote closed the connection]
21:15 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
21:19 -!- Netsplit leguin.freenode.net <-> irc.freenode.net quits: robert_, coil, freaky[t]
21:20 -!- Netsplit over, joins: coil, freaky[t], robert_
21:21 -!- coil [i=stfu@unaffiliated/coil] has quit ["http://znc.in"]
21:21 -!- robert_ [n=hellspaw@objectx/robert] has quit [SendQ exceeded]
21:22 -!- coil [i=stfu@17.166.102.97.cfl.res.rr.com] has joined ##openvpn
21:22 -!- coil is now known as Guest30501
21:22 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
21:22 -!- xod [n=onats@112.201.158.40] has joined ##openvpn
21:23 -!- xod is now known as onats
21:24 -!- Guest30501 is now known as scoil
21:26 -!- scoil is now known as coil
21:46 -!- Fibre [n=fibre@211.24.237.3] has quit ["Leaving"]
21:47 -!- DevilsPGD [n=xyzzy@zz208110112176.cipherkey.net] has joined ##openvpn
21:54 < sauce_> can anyone please review my plan to bridge two networks using openvpn, it's 2 config files and some details about my network
21:55 < sauce_> all conveniently pasted here http://pastebin.com/d7994d804
21:55 < sauce_> thanks very much
21:55 < sauce_> just want to see if i have everything right. i can do a routed openvpn config in my sleep, bridging is a little more difficult...
21:56 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
22:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:07 -!- preecher [n=preecher@adsl-074-244-123-224.sip.asm.bellsouth.net] has joined ##openvpn
22:08 -!- preecher [n=preecher@adsl-074-244-123-224.sip.asm.bellsouth.net] has left ##openvpn ["Leaving"]
22:17 < sauce_> anyone?
22:30 -!- akutz [n=akutz@cpe-72-179-59-60.austin.res.rr.com] has joined ##openvpn
22:31 < akutz> Hi everyone. I'm having a problem, and I hope you can help.
22:32 < akutz> I've got a fairly basic OpenVPN configuration.
22:32 < akutz> It is routed, not bridged.
22:32 < akutz> And it works just fine.
22:32 < akutz> I can access my home network remotely and all of the devices on it.
22:33 < akutz> My home network is 192.168.0.0/24 and my VPN network is 192.168.1.0/24
22:35 < akutz> However, I've recently set up my home server (which runs my OpenVPN server) as a KVM server as well.
22:35 < akutz> I'm using bridging to connect the KVM guests to my home network (and the internet).
22:35 < akutz> The bridging works fine.
22:35 < akutz> My guests can see my network and the world, and hosts on my network can see the guests.
22:36 < akutz> However, I cannot see my KVM guests when I connect to my home network via VPN.
22:37 < akutz> I'm sure it has to do with the fact that I'm coming in via OpenVPN onto the same box that has the bridge on it.
22:37 < akutz> I'm running Ubuntu 9.10 server. My /etc/network/interfaces is at http://pastebin.ca/1709219.
22:38 -!- phusion_ [n=phusion@84.22.127.58] has joined ##openvpn
22:38 < akutz> My ifconfig output is at http://pastebin.ca/1709221.
22:38 < akutz> The vnet0 interface is the guest's interface that KVM/QEMU brings online and connects to br0 (which is bridged to eth2).
22:40 < phusion_> hey folks.. i've been running a single openvpn client on my server for a while now with no issues (http://pastebin.ca/1709222). Now I need to add a second client that will do the same config but with a different tunnel server IP and IP given to me (i have both configs ready). Do I need to do anything special in the configs with regards to the tap interface or will it make them tap0 and tap1 automatically?
22:41 < akutz> You should be able to specify in the configuration files the name of the tap device.
22:41 < phusion_> so right now its just dev tap.. i set each config to dev tap0 and dev tap1?
22:41 < akutz> If you need two tap devices, yes.
22:41 < akutz> The names must be unique.
22:41 -!- Fibre [n=fibre@211.24.237.3] has joined ##openvpn 22:42 < phusion_> one other thing i havent been able to figure out is that the ISP providing the vpn server says that i have extra seemingly "alias" ip's, but i have no idea how to allocate them 22:42 < phusion_> i've tried creating dummy interfaces (which work fine for a gre tunnel) but not for openvpn 22:43 < phusion_> would that be done in the config? specifying multiple ifconfig lines doesnt seem to work 22:43 < akutz> What do you want to do with the IPs? 22:44 < phusion_> have them available for use on my server.. binding an httpd to etc, just as i would with the main IP in that config 22:44 < akutz> And please note that there is a difference between having multiple IPs available and multiple NICs 22:44 < akutz> Ah. 22:44 < akutz> Well... 22:44 < akutz> You don't have to have a device to use the IP 22:45 < akutz> What Linux distro? 22:45 < phusion_> i should note that the netmask is different than the main IP in the config, its on a different network as well 22:45 < phusion_> debian 5 x86_64 22:45 < akutz> Oh.. 22:46 < akutz> In that case your server must have multiple network devices attached to it. 22:46 < phusion_> but its not a separate tunnel 22:46 < phusion_> sorry maybe i wasnt clear.. i have multiple ip's available to me on each of these two tunnels 22:47 < phusion_> im basically just looking to do like a tap0:0 tap1:0 kinda thing to be able to use that IP 22:47 < phusion_> which, btw doesn't work 22:47 < akutz> Hmmm. I think that's beyond my abilities to help you. 
Sorry :( 22:47 < phusion_> haha ok, thanks 22:47 < phusion_> you helped me enough already 22:47 < phusion_> much appreciated :) 22:48 < Bushmills> you *can* use ip addresses from a different subnet with one NIC 22:49 < phusion_> yeah i was pretty sure, just no idea how 22:49 < Bushmills> in your interfaces file, you could add: up ip addr add ip.add.re.ss/mask dev eth0 22:49 < Bushmills> repeat that for each ip address 22:50 < phusion_> the IP is on the tap0 or tap1 interface though, is that still correct? 22:50 < Bushmills> so say your main address is 100.100.100.100, and you have a /29 subnet 50.50.50.0...7, then do: 22:51 < Bushmills> (below eth0 settings): 22:51 < Bushmills> up ip addr add 50.50.50.1/29 dev eth0 22:51 < Bushmills> up ip addr add 50.50.50.2/29 dev eth0 22:51 < Bushmills> ... 22:51 < phusion_> right 22:51 < phusion_> but again it's an IP available to my as a client to the OpenVPN server 22:51 < phusion_> to me* 22:52 < phusion_> i add it on eth0? 22:52 < Bushmills> what is the network address of your vpn? 22:52 < phusion_> mmm thats a good question.. i know the remote line and the route-gateway line 22:52 < phusion_> i believe its on a .128 though 22:52 < phusion_> the gateway is .129 22:53 < phusion_> this extra ip i have isnt on the same a.b.__.d though 22:53 < Bushmills> you probably want to add a rule with SNAT or DNAT target, redirecting to VPN destination, to your nat table 22:54 < phusion_> boo 22:54 < phusion_> trying to avoid all that 22:54 < phusion_> and pissing with routes 22:54 < phusion_> as my ISP allows me to spoof so im not even routing return traffic over these networks 22:54 < Bushmills> otherwise, server has no reason to redirect incoming packets to vpn machines. 22:54 < phusion_> hence the commented #redirect-gateway line 22:54 < Bushmills> packets are routed to server, after all 22:55 < Bushmills> it might work, to use the additional net on vpn, and configure server as router for those. 
22:55 < Bushmills> but i haven't tried that 22:56 < phusion_> i just tried setting one of my configs to dev tap0, didnt work 22:56 < phusion_> as per my original question and akutz' response 22:56 < phusion_> doh 22:56 < akutz> darn 22:57 < Bushmills> i think a routing config would be easier. 22:57 < akutz> I use routing, it is much easier. 22:57 < akutz> The only pain is that you don't automatically discover devices that depend on ZeroConf, such as Mac devices (like Time Machine) 22:57 < phusion_> im going to be honest, my networking skills arent superb and routing is one thing i've managed to avoid 22:57 < akutz> other than that, routing scales much better 22:57 < phusion_> so im trying to let configs take care of things 22:58 < akutz> Routing with OpenVPN is MUCH simpler than bridging 22:58 < akutz> Hardly any set up 22:59 -!- akutz [n=akutz@cpe-72-179-59-60.austin.res.rr.com] has quit [] 23:00 -!- rbd_ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 113 (No route to host)] 23:02 < phusion_> ahh 23:02 < phusion_> akutz nooo i found out 23:03 < phusion_> well for anyone else interested i just ran a second openvpn instance.. left the dev tap line intact in both configs.. the 2nd instance auto-created tap1 23:03 < phusion_> hooray 23:07 -!- rbd_ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 23:26 -!- DevilsPGD [n=xyzzy@zz208110112176.cipherkey.net] has quit ["Leaving."] --- Day changed Thu Dec 10 2009 00:13 < PiousMinion> Does openvpn support 16384-bit keys? 00:15 < PiousMinion> It's a serious question if anyone is wondering. heh 00:22 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Read error: 54 (Connection reset by peer)] 00:22 < Bushmills> if openssl can, so should openvpn 00:27 < PiousMinion> thanks 00:45 < PiousMinion> Do I have to have each client download the full windows server package to connect? 00:54 < Bushmills> no, you can put the installation file on a central repository, and copy it from there. 
01:09 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 01:15 -!- hyper_ch [n=hyper@140-8.3-85.cust.bluewin.ch] has joined ##openvpn 01:21 -!- Fibre [n=fibre@211.24.237.3] has quit ["Leaving"] 01:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:44 < Diddi> hi! I'd like to setup openvpn in a way that gives me total control (on an interface level) of all connected clients. Something like having each client connected to an individual tun/tap interface on the vpn server.. is it possible? 01:44 < Diddi> is it a bad thought? (: 01:47 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:53 < endre> sounds interesting 01:53 < PiousMinion> I've got my client resolving DNS through the vpn, but I'll be damned if I can get it to redirect all traffic. connections just time out and the iptables example in the howto hasn't had any effect. Ideas? 01:54 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 01:54 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:58 < julius> PiousMinion: kernel routing activated? 01:58 < PiousMinion> julius: no idea. Just followed the howto. 01:59 < julius> cat /proc/sys/net/ipv4/ip_forward 02:00 < PiousMinion> julius: I thought that was just for bridging. 
:P 02:01 < julius> nope 02:02 < endre> !ipv6 02:02 < vpnHelper> endre: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar 02:03 < PiousMinion> julius: thanks, that solved it 02:06 < julius> you're welcome 02:10 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:52 < thesov> so i heard the creators of openvpn are assyrian 03:23 -!- dazo_afk is now known as dazo 03:38 -!- Sp4rKy [n=Sp4rKy@freenode/sponsor/sp4rky] has quit [Connection timed out] 04:41 -!- j [n=Chip@border0.avitecture.net] has joined ##openvpn 04:41 -!- j is now known as Guest48120 04:43 -!- Guest48120 is now known as cpm 04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Client Quit] 04:44 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:45 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 04:47 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has joined ##openvpn 04:49 < lclimber> hello guys, i have an openvpn server running on a debian machine, i have a windows client that i am trying to connect using remote desktop; my problem is that i can't connect to it, is there any port that i should be opening to get this done? 05:09 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 05:16 -!- LordDoskias [n=nib9@unaffiliated/lorddoskias] has joined ##openvpn 05:16 < LordDoskias> hello 05:16 < LordDoskias> anyone here to help me with strange problem? 
05:16 < LordDoskias> Thu Dec 10 11:16:39 2009 Authenticate/Decrypt packet error: packet HMAC authenti 05:16 < LordDoskias> cation failed 05:17 < LordDoskias> that's what i'm getting, but i'm not using tls-auth option 05:21 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["Leaving"] 05:24 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 05:26 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:34 -!- LordDoskias [n=nib9@unaffiliated/lorddoskias] has quit ["Lost terminal"] 06:03 -!- Fibre [n=fibre@202.190.85.201] has joined ##openvpn 06:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 07:03 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:04 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 07:07 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Remote closed the connection] 07:17 -!- mikkel [n=mikkel@84.238.113.66] has joined ##openvpn 07:32 -!- hyper_ch [n=hyper@140-8.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 07:36 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 07:44 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 07:46 -!- pifuruan [n=quassel@125.118.138.50] has joined ##openvpn 08:06 -!- pm2 [n=pm2@143.105.104.59] has quit ["Leaving"] 08:16 -!- pifuruan [n=quassel@125.118.138.50] has quit [Remote closed the connection] 08:41 < ecrist> good morning 08:41 -!- Irssi: ##openvpn: Total of 92 nicks [0 ops, 0 halfops, 0 voices, 92 normal] 08:47 < havoc> morning 08:48 -!- Fibre [n=fibre@202.190.85.201] has quit [Read error: 110 (Connection timed out)] 09:11 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 09:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:27 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit [Read error: 113 (No route to host)] 09:51 -!- hyper_ch [n=hyper@84.226.239.125] has joined ##openvpn 10:33 -!- 
buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 10:34 -!- hyper__ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has joined ##openvpn 10:34 -!- hyper_ch [n=hyper@84.226.239.125] has quit [Nick collision from services.] 10:34 -!- hyper__ch is now known as hyper_ch 10:39 -!- ghernandez [n=ghernand@12.157.107.24] has joined ##openvpn 10:39 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn 10:40 < ghernandez> Howdy 10:41 < ghernandez> I've worked with openvpn as a way for my clients to access their business networks remotely. I was just requested to create an encrypted bridge between two points. 10:43 < ghernandez> We purchased two wireless laser devices that operate at one gig and act as just a simple layer 1 device 10:43 < ghernandez> The distance between the sites then becomes moot as they are line of sight and its the equiv of having a direct fiber connection between them. 10:44 < ghernandez> Originally the goal was to just have encryption, now they want an l2 encryption that is not routed. 10:44 < ghernandez> I know that openvpn can create a l2 tap between points. 10:45 < ghernandez> anyone have anywhere I can read about how to set that up or have any points that I should be aware of? 10:47 < ecrist> ghernandez: start with the man page 10:47 < ecrist> !man 10:47 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 10:47 < ecrist> !bridge 10:47 < vpnHelper> ecrist: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP 10:47 < vpnHelper> ecrist: addresses. 
(but not samba, see !wins) 10:48 < ghernandez> cool thanks. 10:49 < ecrist> np 10:52 < sauce_> i am having a problem getting my openvpn bridge to work. i suspect it to be a routing issue on the openvpn server. can someone please look at the routing table? http://pastebin.com/d7994d804 10:52 -!- magic_1 [n=magic@41.121.115.100] has quit [Read error: 110 (Connection timed out)] 10:54 < sauce_> updated with more info: http://pastebin.com/d7994d804 10:57 < ecrist> sauce_: DHCP range isn't complete on lines 5 and 9 10:59 < ecrist> also, it looks as though the networks share the same IP space? 10:59 < ecrist> and my guess is you're trying to use openvpn to bridge the two together? 11:05 < sauce_> yes sir 11:05 < sauce_> what do you mean DHCP range isn't complete? 11:07 < ecrist> you missed the '3', but I figured it out 11:07 < sauce_> hmm, not sure what you mean but alright 11:07 < sauce_> want me to pastebin my network topology? 11:07 < ecrist> can computers on lan 2 ping the machine that is acting as the vpn client? 
11:08 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["ircN 8.00 for mIRC (20080809) - www.ircN.org"] 11:08 < sauce_> wait before i answer that, let me give you more info it may help 11:08 < sauce_> i am sooo close to getting this done i know it 11:11 < sauce_> http://pastebin.com/d7994d804 11:11 < sauce_> read the last line for the problem 11:11 < sauce_> thanks for your help, you were here yesterday too 11:12 < sauce_> ifconfig output of the openvpn server: http://pastebin.com/m1a2bc22b 11:13 < sauce_> sorry, here is the info on the problem, i pasted the wrong link: 11:13 < sauce_> http://pastebin.com/m681412bb 11:14 < sauce_> shit actually i've been pasting the wrong links the whole time 11:14 < sauce_> what an idiot 11:14 < sauce_> this is the routing table: http://pastebin.com/m7dd17e7c 11:14 < sauce_> please ignore the openvpn config, its probably old, i never meant to paste it :( 11:14 < sauce_> pwned by clipboard 11:15 < sauce_> actually i just looked at it, it looks correct, thats my openvpn config 11:21 < ecrist> sauce_: can you answer my question? 11:21 < ecrist> can computers on lan 2 ping the machine that is acting as the vpn client? 11:23 < sauce_> which interface? 11:23 < ecrist> any interface 11:23 < sauce_> the "openvpn client" IP? 192.168.3.20-24? let me check 11:23 < sauce_> it currently has .20, brb 11:26 < sauce_> yes, they can 11:26 < sauce_> a machine on the LAN can ping the openvpn client's IP 11:44 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)] 11:46 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has joined ##openvpn 12:11 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 12:13 < sauce_> i'm patiently waiting! 12:14 < ecrist> I'm patiently eating my lunch 12:15 < sauce_> i'm about to go to lunch too 12:15 < sauce_> five guys? or chipotle? 
12:16 < sauce_> while ecrist is eating his lunch, can anyone post a routing table from an openvpn bridge server? i just want to compare 12:16 < sauce_> ecrist* 12:19 < sauce_> also i'm not sure if this matters, but the openvpn server is a virtual machine with vmxnet nic drivers 12:26 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:28 -!- lclimber [n=lcanelon@212.183.204.76.static.user.ono.com] has quit [Remote closed the connection] 12:29 < ecrist> sauce_: is the openvpn client machine able to ping the openvpn server via the vpn? 12:42 < sauce_> no its not 12:42 < sauce_> 192.168.3.20 (openvpn client) cannot ping 192.168.3.2 (bridge interface on server) 12:43 < sauce_> i have tried 2 different ways to do this, first i tried webmin + OpenVPN admin plugin, and it did all the work for me. after it didn't work, i took a few steps back and tried the ubuntu openvpn bridge tutorial. it didn't work either. same issue. *shrug* 12:44 < sauce_> i'm not an expert with networking but that routing table looks odd, there are two different interfaces controlling the same subnet, 192.168.3.0/24 12:46 < ecrist> sauce_: in your setup, there's no need to actually assign any IPs 12:47 < sauce_> why? what would the server-bridge line look like? 12:48 < sauce_> nevermind the why, i'll study it later. just please tell me what server-bridge config would be 12:51 < ecrist> first, let's figure out why you can't ping the other system 12:52 < ecrist> is there a firewall blocking it? 12:53 < sauce_> the openvpn server is behind a firewall, it has port 1195/udp opened and forwarded to 192.168.3.72 (eth0), not 192.168.3.2 (br0/eth1) 12:53 < sauce_> the client is also behind a firewall yes 12:53 < sauce_> actually the client runs on a firewall box. 
it's DD-WRT on a linksys router 12:53 < sauce_> not the server tho 12:54 < sauce_> the vpn connection is established just fine, i never thought a firewall would be a problem after the initial connection 12:57 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn 12:57 < tompaw> Hi. 12:57 < sauce_> sup 12:57 < ecrist> sauce_: if your vpn client cannot ping the vpn server, there is a firewall problem 12:57 < tompaw> If pinging my openvpn-as over internet takes 32ms, and over vpn takes 545ms, what might it mean? 12:58 < ecrist> tompaw: are you using tcp or udp? 12:58 < tompaw> ecrist: tcp. 12:58 < sauce_> ecrist: how can we quickly rule that out? what should i open? or should i turn the firewall off completely? 12:58 < sauce_> tompaw: what encryption? 12:58 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has joined ##openvpn 12:58 < ecrist> tompaw: that's your problem 12:58 < ecrist> !tcp 12:58 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 12:58 < CrashSys> Anyone have experience with OpenVPN and SIP? Trying to get an idea on dimensioning... 12:58 < tompaw> sauce_: default openvpn-as one. 13:00 < sauce_> sorry, what? 13:00 < tompaw> sauce_: the one that's enabled in openvpn-as by default ;-) 13:01 < sauce_> oh sorry. thats blowfish, anyway ecrist is right, use UDP 13:01 < sauce_> default is fine 13:01 < tompaw> sauce_: http://pastebin.com/m18eb7d89 here's the conf. 13:02 < tompaw> ok, will try udp. 13:02 < sauce_> why are you using tcp? any good reason? 13:02 < tompaw> I suppose that means all the clients have to re-download their .exe once again... 13:02 < tompaw> sauce_: well, just wanted it to be reliable... 13:02 < tompaw> sauce_: no particular reason. 13:02 < sauce_> udp is reliable... ? 
13:03 < sauce_> they need a new conf, not exe 13:03 < tompaw> I wonder if they will be able to achieve this ;-) 13:03 < sauce_> and if they are good with a text editor they can just open the existing conf and change tcp to udp 13:03 < sauce_> 3 characters 13:03 < tompaw> 2 actually ;-) 13:03 < tompaw> thanks, will give it a try. 13:03 < sauce_> good point 13:03 < tompaw> OR 13:03 < tompaw> I will restart the server in dual mode 13:03 < tompaw> and check if that sorted the ping issue first 13:04 < sauce_> ecrist, did you see the routing table? it looks good right? i don't understand why the firewall would be the problem. it isn't a problem with a routed connection. 13:04 < sauce_> !firewall 13:04 < vpnHelper> sauce_: "firewall" is (#1) please see http://openvpn.net/man#lbBD for more info, or (#2) see http://www.secure-computing.net/wiki/index.php/OpenVPN/Firewall for brief notes on disabling firewall rulesets. 13:07 < sauce_> just disabled the entire SPI firewall, no changes :( 13:07 -!- yoshx [n=yoshx@78.114.253.27] has quit [Connection timed out] 13:08 -!- yoshx [n=yoshx@78.114.253.27] has joined ##openvpn 13:12 < sauce_> i'll brb, lunch time. when i come back i will pay extra attention to the firewall situation 13:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:36 < CrashSys> Is it possible with OpenVPN to have a group of users, and then to restrict that group to only access certain IPs and ports? 13:36 < CrashSys> or does all that have to be applied per user? 
13:37 < endre> sure it can be done 13:37 < endre> with ipset for example 13:37 < endre> just include the user's ip in the belonging groups to access ips subnets you allow 13:38 < endre> it can be done in connect scripts so no real hassle 13:38 -!- dazo is now known as dazo_afk 13:41 -!- _LittleJ is now known as LittleJ 13:44 < CrashSys> Right, so I can create a group called 'users', create all the VPN logins as part of that group, then ipset that group to only VPN ports 5060 and 10000:20000... 13:44 < CrashSys> If I am understanding you correctly... 13:45 < ecrist> CrashSys: not from within OpenVPN, directly 13:45 < ecrist> using other plugins, you can assign an IP based on user/pass and/or CN of the ssl certificate, and restrict from there via your firewall 13:47 < CrashSys> Hmmm, ok... 14:17 < sauce_> ok i'm back 14:17 < sauce_> ecrist, may i see a routing table of what a bridge server should have? 14:22 < endre> does not need to have a specific ip with ipset 14:25 < endre> lets say you have a strict pool from where u can assign ips.. less than the total number of the possible users. in this scenario you cant say that you split up the network for smaller parts for different kind of firewall rules for certain group of users. this is where ipsec comes in, you can assign a user to more groups at the same time thus having a wider ruleset than one would have on the ip based method. 
14:25 < ecrist> sauce_: bridged shouldn't have a routing table, really 14:25 < endre> i mean ipset, not ipsec 14:25 < ecrist> it's a bridge 14:26 < ecrist> endre: the access lists you're referring to would be the equivalent to a firewall 14:27 < endre> sort of 14:27 < endre> if you insert firewall rules for the client on connect which its allowed to reach, then yes, it's like that 14:27 < endre> but it's more powerful than that 14:28 < endre> no need to deal with netfilter rules upon connect 14:28 < endre> or at all 14:28 < ecrist> because it's already handled in the access-list 14:28 < endre> btw what kind of access-list are you referring to? 14:29 < ecrist> 13:37 < endre> just include the user's ip in the belonging groups to access ips subents you allow 14:30 < endre> the focus is on the 'group' approach 14:30 < endre> groups (ip lists) can have exact netfilter rules 14:30 < ecrist> it's still a firewall 14:30 < ecrist> I can do the same thing with pf 14:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 14:31 < ecrist> your example is actually discussed on the openvpn web page 14:31 < endre> oic, how about the performance with like 6k rules? 14:31 < ecrist> what about it? should be just fine. it's handled outside openvpn, so openvpn doesn't care 14:32 < endre> i've not mentioned openvpn performance at all 14:32 < endre> even packetfiltering firewalls take time to evaluate the applied rules for a single packet 14:33 < ecrist> depends on how they're processed 14:33 < ecrist> pf, for example is a first-match wins 14:33 < ecrist> erm 14:33 < ecrist> last match wins 14:34 < endre> so lets be short: the big advantage of ipset is the speed of the ipset hash tables compared to any kernelbased pf/nf evaluation speed. 14:34 < ecrist> what is ipset 14:34 < ecrist> ipsec? 14:34 < endre> ipset. 
14:34 < endre> http://ipset.netfilter.org/ 14:34 < vpnHelper> Title: IP sets (at ipset.netfilter.org) 14:34 < ecrist> we're talking about completely different things. 14:34 * ecrist is sick and is using that as his excuse 14:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 14:44 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 14:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 14:52 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 14:54 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:04 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 15:06 < sauce_> ecrist 15:06 < sauce_> i think i found the problem 15:07 < sauce_> please, please take a look at the routing table 15:07 < sauce_> tell me if you see anything wrong 15:07 < sauce_> i seriously suspect it's a routing issue 15:07 < sauce_> i already have an idea what to do, i just want to see if you see what i see 15:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 15:13 -!- Intensity [i=[hNdzLhl@unaffiliated/intensity] has joined ##openvpn 15:24 < CrashSys> If I needed to handle 100Kpps of 128-Byte UDP, assuming I was doing a simple routed VPN, what kind of hardware would I need to look at? 15:27 < sauce_> any old machine 15:27 < CrashSys> Well my std hardware build is a quad-core 2.33Ghz, 4-Gb ram, 160-GB Raid-1 with dual PCI-E Nic's... 15:28 < CrashSys> It would have approximately 300 user connections 15:28 < CrashSys> forgot to mention that 15:36 < krzee> sauce_, ill look, whats the link to your table 15:37 < sauce_> haha that would help right? 15:37 < sauce_> http://pastebin.com/m796f253d 15:37 < sauce_> i think there should be a 2nd default route, am i right? 
15:37 < sauce_> at the moment, the vpn connection is established but neither LAN can ping anything on either side 15:39 < krzee> oh you're bridging, i cant help 15:39 < krzee> but, why are you bridging? 15:40 < krzee> cause if like the other 90+% of people you are doing it for the wrong reasons, i can help you do it with tun 15:40 < sauce_> two major reasons and a few minor ones, none of them are wrong in my opinion 15:40 < sauce_> #1 is to learn, because i've mastered the routed setup, and i want to do bridged now 15:40 < krzee> unless one of them is a layer2 protocol that needs to travel over the vpn, its wrong 15:41 < krzee> ahh 15:41 < krzee> i take it back 15:41 < sauce_> #2 is because i truly want these two networks to be joined, with multicast traffic and everything 15:41 < krzee> to learn is quite the valid answer for basically anything 15:41 < sauce_> hehe 15:41 < krzee> i dnt believe you need a bridge for multicast 15:41 < krzee> just tap device 15:41 < sauce_> you can use tap with routed? had no idea 15:42 < krzee> aye 15:43 < sauce_> that sounds like an unconventional setup, wouldn't know how to go about it with a tutorial 15:43 < ghernandez> krzee: I'd like to merge two networks at different buildings and basically generate a lower cost link that is encrypted because it will be a wireless connection (l1 device) that links the two. 15:43 < krzee> feel free to write the tutorial, it will help you with #1 15:43 < ghernandez> We have a vpn connection that uses the city wide MAN and its fast, but we purchased two laser gigabit transceivers. 15:44 < ghernandez> Bridging would be the way to go with that, correct? 15:44 < krzee> that depends 15:44 < krzee> you can connect them with different subnets using routing 15:44 < krzee> in fact you can connect many with it 15:44 < krzee> for you it would not be overhead issue with layer2 tunneling... 
15:44 < krzee> however for security you may still prefer it 15:45 < krzee> so the real question is this: 15:45 < ghernandez> I was requested to encrypt l2. 15:45 < ghernandez> lol 15:45 < ghernandez> otherwise I would just do a routed setup. 15:45 < krzee> will you need layer2 protocols over the vpn? 15:45 < sauce_> no :( 15:46 < ghernandez> In all probability, no. 15:46 < ghernandez> But the link is going across the airwaves for ~ 1 mile. 15:46 < sauce_> i just want multicast traffic for avahi/bonjour 15:47 < krzee> teach them about arp poisoning 16:00 < sauce_> i'm about to give up 16:00 < sauce_> it's been 2-3 days now 16:01 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 16:01 < sauce_> the bad part is, a few years ago, i successfully bridged 2 networks practically on accident. before i knew how to do a routed setup, i did a bridged one. so when i sat down to do one this week, i got frustrated really fast because i never remembered it being so difficult 16:02 < sauce_> and i'm trying to remember everything i did back then 16:07 < krzee> !bridge 16:07 < vpnHelper> krzee: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses. 
16:07 < vpnHelper> krzee: (but not samba, see !wins) 16:07 < krzee> ecrist made a writeup about bridging in fbsd 16:07 < krzee> lemme find it 16:07 < krzee> !factoids search bridge 16:07 < vpnHelper> krzee: 'bridge', 'bridge-dhcp', 'fbsdbridge', and 'bridge-fw' 16:08 < krzee> !fbsdbridge 16:08 < vpnHelper> krzee: "fbsdbridge" is http://www.freebsddiary.org/openvpn.php for dvl's writeup on bridging openvpn in freebsd 16:08 < krzee> hrm thats not it 16:11 -!- mikkel [n=mikkel@84.238.113.66] has quit ["Leaving"] 16:18 -!- antoszka [n=antoszka@unaffiliated/antoszka] has joined ##openvpn 16:18 < antoszka> Hi. How do I interpret this error message after an ongoing handshake? 16:18 < antoszka> Dec 10 23:14:50 [openvpn] read UDPv4 [ECONNREFUSED]: Connection refused (code=111) 16:19 < antoszka> I migrated my openvpn server to a new host, same IP, same keys, same configs. 16:19 < krzee> need to see the server log 16:20 < krzee> it'll tell more 16:20 < antoszka> ok 16:21 < antoszka> http://wklej.org/hash/d8c1190eba/ ← that's on the server 16:21 < vpnHelper> Title: wklej.org - wklejka nr 231500 (at wklej.org) 16:22 < antoszka> http://wklej.org/hash/56fb8559d1/ ← that's on my laptop (the client) 16:22 < vpnHelper> Title: wklej.org - wklejka nr 231502 (at wklej.org) 16:23 < sauce_> krzee i see what you are doing, dhcp is multicast too right? 16:24 < krzee> i think dhcp is just layer2 16:25 < sauce_> i just can't believe how years ago i did this on accident 16:25 < sauce_> now i can do a routed vpn in my sleep 16:25 < sauce_> and back when i bridged 2 networks with openvpn, i didn't even know what a gateway was 16:25 < sauce_> weird. 
16:30 -!- newmember [n=chatzill@static-66-11-81-77.ptr.terago.net] has quit [Read error: 110 (Connection timed out)] 16:33 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 16:36 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has quit [] 16:36 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 17:10 -!- yoshx [n=yoshx@78.114.253.27] has quit [Remote closed the connection] 17:16 < reiffert> . 17:17 < krzee> haha 17:17 < reiffert> hehe 17:17 < antoszka> krzee: Any ideas? 17:18 < krzee> pls do it with verb 5 17:18 < reiffert> antoszka: 17:18 < reiffert> !configs 17:18 < vpnHelper> reiffert: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 17:19 < krzee> ya configs too 17:19 < krzee> but logs at verb 5 17:19 < reiffert> openvpn to new host, same configs, guess the remote line got to be changed. 17:19 < antoszka> OK. If I don't sort this out myself, I'll come back with that info. 17:20 < reiffert> you'll have my attention for another couple of minutes. I'm going to bed otherwise. 17:20 < antoszka> :) 17:20 < ecrist> evening, folks 17:21 < reiffert> ah, the night shift has just arrived. 17:22 -!- alxconn [n=alxconn@c-24-15-46-226.hsd1.in.comcast.net] has joined ##openvpn 17:26 -!- zib [i=zib@slick.keff.org] has joined ##openvpn 17:28 < zib> Hi. Using 2.0.6. Anyone who has any ideas on why the performance in FreeBSD is much worse than in linux (udp, 10MB/s throughput linux 2.6, 3.5MB/s freebsd 8)? Tried tuning udp recv/sendspace 17:29 < reiffert> zib: 2.0.6 is too old. get 2.1rc22. 17:30 < zib> You think there would be any improvements in freebsd? I'll try then.. 17:31 < ecrist> so, now that I'm here at 1700hrs, where are all these openvpn devs I'm hearing about? 
17:34 < zib> reiffert: no difference 17:36 < reiffert> ecrist: gone without a trace. 17:36 < ecrist> *shrug* 17:36 < reiffert> didnt expect anything else. 17:36 < ecrist> we've gotten the cold shoulder from them since day one, so no biggie. was more dubious than anything. 17:37 < reiffert> time for adding "no access server support" to the topic back then? 17:37 < ecrist> aye 17:37 < ecrist> who removed it? 17:37 < ecrist> !irclogs 17:37 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 17:37 < reiffert> it was, according to the irclogs. 17:38 < reiffert> it was you 17:38 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:38 < ecrist> doh 17:38 < ecrist> I was probably drunk. ;) 17:39 < reiffert> /topic ecrist got a problem with alcohol. 17:39 < ecrist> lol 17:39 < reiffert> ;) 17:40 -!- ChanServ changed the topic of ##openvpn to: NO SUPPORT FOR ACCESS SERVER | OpenVPN 2.1rc22 is Latest || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) || We need a longer channel topic! 17:40 < ecrist> we need a longer topic. 17:42 < reiffert> something for the openvpn devs? 
17:42 -!- alxconn [n=alxconn@c-24-15-46-226.hsd1.in.comcast.net] has left ##openvpn ["Leaving"] 17:45 -!- Irssi: ##openvpn: Total of 93 nicks [0 ops, 0 halfops, 0 voices, 93 normal] 17:48 -!- ghernandez [n=ghernand@12.157.107.24] has quit [Remote closed the connection] 17:49 -!- ruied [n=ruied@bl7-211-221.dsl.telepac.pt] has joined ##openvpn 17:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)] 18:18 -!- acidfoo [n=nib@69-165-153-146.dsl.teksavvy.com] has joined ##openvpn 19:00 -!- master_of_master [i=master_o@p549D7577.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:03 -!- master_of_master [i=master_o@p549D7570.dip.t-dialin.net] has joined ##openvpn 20:18 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 20:25 -!- onats [n=onats@unaffiliated/onats] has quit ["Ex-Chat"] 20:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 21:10 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn 21:24 -!- PiousMinion [n=clay@216-216.126-70.tampabay.res.rr.com] has left ##openvpn [] 21:37 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 22:16 -!- coil [i=stfu@unaffiliated/coil] has quit ["http://znc.in"] 22:16 -!- coil [i=coil@80.163.102.97.cfl.res.rr.com] has joined ##openvpn 22:16 -!- coil is now known as Guest57788 22:20 -!- coil [i=stfu@unaffiliated/coil] has joined ##openvpn 22:26 -!- Guest57788 [i=coil@80.163.102.97.cfl.res.rr.com] has quit ["when I raise my trigger finger all you fuckers hit the deck!"] 23:00 -!- rbd_ [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)] 23:00 -!- coil [i=stfu@unaffiliated/coil] has left ##openvpn [] 23:07 -!- rbd [n=rbd@74.229.183.112] has joined ##openvpn 23:23 -!- Broady [n=b@unaffiliated/broady] has joined ##openvpn 23:23 < Broady> !howto 23:23 < vpnHelper> Broady: "howto" is OpenVPN comes with a great 
howto, PLEASE READ IT! http://openvpn.net/howto 23:23 < Broady> !route 23:23 < vpnHelper> Broady: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 23:23 < Broady> !redirect 23:23 < vpnHelper> Broady: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 23:24 < Broady> !def1 23:24 < vpnHelper> Broady: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 23:25 -!- ruied [n=ruied@bl7-211-221.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 23:27 < Broady> config: http://sprunge.us/Oehf - ifconfig: http://sprunge.us/cXZY 23:27 < Broady> why the hell is my subnet mask 255.255.255.255? 23:28 < Broady> for some reason my client doesnt seem to connect unless the network is 172.16.0.0 23:29 < Broady> my client config - http://sprunge.us/VLWI 23:29 < Broady> i'm using tunnelblick 23:30 < Broady> and this is the log i get when trying to connect: http://sprunge.us/WGYb 23:40 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 23:45 < Broady> help? :( --- Day changed Fri Dec 11 2009 00:01 < Broady> oh btw, im connecting to the vpn via ssh tunnel (127.0.0.1:1194) 00:37 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 00:49 -!- hyper__ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has joined ##openvpn 00:49 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has quit [Nick collision from services.] 
00:49 -!- hyper__ch is now known as hyper_ch 00:49 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn 01:03 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 01:15 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has quit [Remote closed the connection] 01:29 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Client Quit] 01:37 -!- n00b12345 [i=44e6190f@gateway/web/freenode/x-gdhkumngexzbkzqm] has joined ##openvpn 01:39 < n00b12345> hello guys, i may need a little help 01:39 < n00b12345> i just flashed my router with the tomato-openvpn mod 01:39 < n00b12345> is there a simple way to configure it as server, to be able to connect with my iphone while i'm on the field? 01:39 < n00b12345> like, for example, hotspot shield 01:52 < endre> iphone is not capable of using openvpn 02:07 -!- dazo_afk is now known as dazo 02:07 -!- hyper_ch [n=hyper@6-55.107-92.cust.bluewin.ch] has joined ##openvpn 02:09 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:18 < sdh> iphone, lol.# 02:19 < dazo> !iphone 02:19 < vpnHelper> dazo: "iphone" is http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone 02:19 < dazo> sdh: endre: ^^ 02:20 < dazo> but it's rather hacky 02:22 < sdh> i was just expressing my general contempt for the iphone 02:23 < dazo> sdh: I follow you on that one ;-) 02:23 < sdh> ;-) 02:23 * sdh hugs his android phone 02:23 < dazo> ugh 02:24 < dazo> that's just a wanna-be-open-but-fails-phone as well :-P 02:24 * dazo runs and hides 02:24 < sdh> :P~ 02:25 < dazo> I'm actually considering Nokia N900 ... that sounds more like a real open phone for me ... 
even though some bits are not open-sourced, but at least Nokia provides a package for root access 02:25 < dazo> meaning: no nasty jailbreaking needed 02:28 < sdh> htc magic wfm 02:28 < sdh> can code for it in c, java, python, perl whatever i like 02:28 < sdh> can't see myself ever needing another phone :)) 02:30 < dazo> Maemo (which N900 uses) is based on a real Linux distro though ... 02:31 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 02:36 -!- dazo is now known as dazo_afk 03:11 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 03:14 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection] 03:17 -!- dazo_afk is now known as dazo 03:23 -!- phusion_ [n=phusion@84.22.127.58] has quit [Remote closed the connection] 03:29 -!- phusion_ [n=phusion@84.22.127.58] has joined ##openvpn 03:43 -!- phusion_ [n=phusion@84.22.127.58] has quit [Remote closed the connection] 03:46 < dazo> Wohoo! OpenVPN-2.1 is released!! 03:47 -!- mode/##openvpn [+o dazo] by ChanServ 03:47 -!- dazo changed the topic of ##openvpn to: NO SUPPORT FOR ACCESS SERVER | OpenVPN 2.1 is released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) || We need a longer channel topic! 03:47 -!- mode/##openvpn [-o dazo] by ChanServ 03:55 < Han> 2.1.0 :P 04:01 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 04:04 -!- phusion_ [n=phusion@84.22.127.58] has joined ##openvpn 04:09 < tjz> wow!! 04:09 < tjz> 2.1.0 stable! 04:11 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [No route to host] 04:11 -!- teddymills [n=teddy@208.92.235.227] has quit [Read error: 110 (Connection timed out)] 04:13 < Han> after 21 release candidates.
:P 04:13 < Han> There is great devaluation of release state terms. 04:14 < tjz> yea 04:15 -!- pexy_ [n=opera@ns.emhi.ee] has joined ##openvpn 04:16 -!- pexy_ [n=opera@ns.emhi.ee] has left ##openvpn [] 04:17 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn 04:33 -!- xod [n=onats@112.201.158.40] has joined ##openvpn 04:45 < reiffert> Close enough to make it into next debian frozen. 04:50 < tjz> hey reiffert :D 04:50 < tjz> lol 05:04 < dazo> heh :) ... Even RHEL6 05:10 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn 05:11 < xod> what is close enough? 05:13 < reiffert> OpenVPN 2.1 is released 05:14 < havoc> nice 05:16 < xod> ow... ive been out of the channel for so long i dont have updates anymore! 05:18 < xod> where can i download openvpn this time? 05:18 < xod> it seems that the openvpn.net site only has access server download 05:19 < reiffert> !download 05:19 < vpnHelper> reiffert: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 05:19 < havoc> xod: the community projects link from the front 05:20 < reiffert> dazo: 5 bugs that james last time fixes will bring us 2.2-rc1 very very soon. 05:25 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit] 05:26 < krzee> 2.1 finally released!? 05:26 < krzee> its about time 05:26 < reiffert> krzee: no, just a joke. 05:26 < krzee> damn 05:26 < krzee> really? 05:26 < reiffert> see -devel 05:26 < krzee> fiiiine 05:26 < krzee> 1sec 05:26 < krzee> !mail 05:26 < vpnHelper> krzee: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive 05:26 < reiffert> They will have to fix it, at least. 
05:29 < krzee> ya its basically rc22 05:31 < krzee> but im happy it will finally be updated in every place waiting for a stable 05:32 < reiffert> :) 05:47 < dazo> reiffert: well, if they jump straight on the 2.2-rc bandwagon, we might save a year to the 2.2 release :-P .... I mean, skipping alpha and beta released must give some good side effects :-P 05:47 -!- antoszka [n=antoszka@unaffiliated/antoszka] has left ##openvpn ["+++ killed by SIGSEGV +++"] 05:48 < reiffert> :) 06:41 < krzee> lol 06:42 < krzee> reiffert, i never saw the second guy 06:42 < krzee> only the guy who was collecting info on projects 06:42 < krzee> did the guy who said he was a dev help anyone? 06:58 < ecrist> good morning 06:58 < krzee> good mornin 07:00 < ecrist> the second person PMd me, but didn't actually say anything 07:00 < ecrist> just 'are you there' 07:00 < ecrist> and I wasn't 07:02 < n00b12345> dazo, endre: thank you 07:02 -!- n00b12345 [i=44e6190f@gateway/web/freenode/x-gdhkumngexzbkzqm] has quit ["Page closed"] 07:04 < dazo> ecrist: krzee: I've had a little bit longer PM chat with mattock ... sounds reasonable, but sounded like he was just starting doing this work 07:05 < krzee> i help so much from work ircstats thinks im krzie 07:05 < krzee> lol 07:06 < dazo> ecrist: krzee: I'm more concerned about that other guy .... even though I found his IP to be in the openvpn tech. inc IP address range, so it's plausible, but he didn't convince me from the scrollback I read 07:06 < krzee> i didnt actually read anything 07:07 < krzee> just heard one came 07:07 < ecrist> My opinion is: meh 07:07 < dazo> :) 07:08 < ecrist> I've approached them a few times about our efforts and Francis either wanted us to roll our stuff to their site, or he wasn't willing to acknowledge us. 07:08 < ecrist> we wanted to maintain control of our articles/data, so they don't acknowledge us 07:08 < dazo> heh ... 
that's really open minded attitude 07:08 < krzee> [03:39] is there a simple way to configure it as server, to be able to connect with my iphone while i'm on the field? 07:08 < krzee> [03:39] like, for example, hotspot shield 07:08 < krzee> [03:52] iphone is not capable of using openvpn 07:09 < krzee> endre, see !iphone 07:09 < krzee> ya that was lameness 07:09 < dazo> krzee: I already did that ;-) 07:09 < dazo> but mattock/samuli sounds to be more real, though .... and it sounded that it was enough challenges to get the attitude on the inside to change to become more community oriented 07:10 < dazo> but considering the license changes in the tap driver for windows .... it begins to look better ... 07:10 < krzee> we didnt actually want anything they didnt, we had seen them kill their own forum/wiki and wanted to remain in control of ours, but let them contribute if they wanted and all that 07:10 < dazo> and that's the right way to do it 07:11 < krzee> [09:10] but considering the license changes in the tap driver for windows .... it begins to look better ... 07:11 < krzee> what changed? 07:11 < dazo> - the GPL version 2 (see below), however due to the extra costs of 07:11 < dazo> - supporting Windows Vista, OpenVPN Technologies, Inc. reserves the right to 07:11 < dazo> - change the terms of the TAP-Win32/TAP-Win64 license for versions 9.1 07:11 < dazo> - and higher prior to the official release of OpenVPN 2.1. 07:11 < dazo> + the GPL version 2. 07:11 < ecrist> their problem with acknowledge this channel and the current wiki at !wiki was that they were afraid we'd evaporate at some point. It's a reasonable worry, but their trade off was to put it all on their servers and give them full rights to it. 07:13 < krzee> hell i had emailed them to have them try to mod this channel themselves long long before we had to take it 07:13 < dazo> but if they behave nicely in cooperation with a community, that's not a real concern is it? ... 
they still could announce a big article on their web pages that they break the cooperation with a community if something really deadlocks 07:13 < krzee> they had given up totally on it 07:13 < ecrist> krzee: there was an effort in 2004 for an official channel. it was even registered at one point, but it never took off. 07:14 < krzee> ahh so what we found was leftovers from that? 07:14 < dazo> how big is the openvpn tech inc company? 07:14 < ecrist> what's funny, a year and a half ago, this channel averaged about 12 users, iirc, now we're at ~90 07:14 < krzee> dazo, no idea 07:14 < ecrist> dazo: something like 3 people 07:14 < krzee> lol tru 07:14 < krzee> and people get help here now too 07:15 < dazo> yeah 07:15 < reiffert> krzee: the 2nd guy claimed to be their network admin 07:15 < krzee> interesting 07:16 < krzee> did he help anyone? 07:16 < dazo> nope 07:16 < krzee> did he ask anything? 07:16 < dazo> at least not what I remember from scrollback 07:16 < reiffert> krzee: check the logs, nick openvpn2009 07:16 < reiffert> !irclogs 07:16 < vpnHelper> reiffert: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 07:16 < dazo> krzee: you don't have the irclogs ;-) 07:16 < dazo> heh 07:16 < krzee> didnt know nick 07:17 < dazo> :) 07:20 < dazo> notneb->openvpn->openvpn2009 07:21 < krzee> 17:34 < reiffert> notneb: get a new release out now. Then come back. 07:21 < krzee> 17:34 < reiffert> a stable one. 07:21 < krzee> 17:34 < reiffert> 2.0.9 is way too ancient. 07:21 < krzee> i like it 07:21 < krzee> good shit reif 07:22 < dazo> it even worked, it seems! 
;-) 07:23 < endre> !iphone 07:23 < vpnHelper> endre: "iphone" is http://www.lqx.net/tuntap-iphone.source.tgz for first attempt at getting openvpn on iphone 07:23 < endre> that's some weak trial 07:23 < krzee> =] 07:23 < krzee> tru 07:24 < krzee> I'd still like to test it though ;] 07:24 < krzee> and i totally don't care it's emulating 07:24 < endre> sure so do i 07:25 < dazo> "emulating" is probably the proper wording .... establishing a ppp interface and using libpcap to capture the traffic on the ppp device and transport it into openvpn is more than emulation, imho 07:26 < krzee> falls into "sweet hack" dept? 07:26 < endre> omg is it the way it works? 07:26 < dazo> yeah .... 07:27 < endre> that's some weird hack 07:27 < dazo> you even need a patched openvpn to make it work 07:27 < endre> it's like the bluetooth keyboard that uses vnc connection to the iphone itself 07:27 < dazo> but it makes me wonder .... why not implement ppp support into openvpn? that way, you could use the ppp interface in addition to tun and tap 07:27 < dazo> that's a lot cleaner 07:27 < krzee> well that hack did 07:27 < krzee> so the code is there now... 07:28 < dazo> somehow, yeah 07:28 < endre> that's a point 07:28 < krzee> I'd have to expect it would need some mods to be portable, but should be a good outline 07:28 < endre> also it would be great to use pure ip as a transport not tcp or udp.. even over ipv6. 07:29 < dazo> endre: that's what you use the tap interface for 07:29 < endre> no, that's an underlying interface 07:29 < endre> i mean transport for the tunnel itself 07:29 < endre> like to say --protocol instead of --rport 07:29 < krzee> !factoids search wish 07:29 < vpnHelper> krzee: No keys matched that query.
07:29 < krzee> grr 07:29 < endre> wishlist i know 07:29 < endre> im too lazy to search for it 07:30 < endre> i know openvpn as not under extensive development 07:30 < krzee> !learn wishlist as http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist 07:30 < vpnHelper> krzee: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 07:30 < dazo> endre: ahh ... hmmm .... sounds interesting though, but I believe you actually can use wpa_supplicant for that kind of encryption .... also on wired devices 07:30 < krzee> !learn wishlist as http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist 07:30 < vpnHelper> krzee: Joo got it. 07:31 < ecrist> NSFW depending on where you work: http://www.Break.com/index/i-suppose-austrialia-has-talent-too.html 07:31 < vpnHelper> Title: I Suppose Australia Has Talent Video (at www.Break.com) 07:32 < krzee> i dont get what you mean, im cool with layer2/layer3 over tcp / udp 07:33 < ecrist> udp is the correct transport for a VPN connection 07:33 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 07:34 < krzee> well ya im just saying i dont get what endre is wishing for 07:36 < dazo> I interpreted it as encryption on the network device, not via a tunnel 07:40 < krzee> hrm, but that would be more like ipsec, making their own protocol 07:41 < krzee> i like that you use openvpn as just another piece of unix software, it doesnt do everything 07:42 < dazo> krzee: yeah ... well, I don't think wpa_supplicant is such a bad approach. I believe it just uses a couple of hooks into the OS kernel and does all the rest in user space .... and that encryption is completely transparent 07:43 < krzee> sounds like a bunch of unnecessary 07:43 < dazo> well, that's how the WEP/WPA/WPA2 encryption is done on wireless .... 
and somebody discovered it can work on wired ethernet as well 07:44 < krzee> and as you know many hacks are out for them 07:44 < krzee> i like openvpn sticking to openssl 07:44 < dazo> performance wise, it might be better .... as you have only half the amount of kernel-user space switches compared to openvpn + tun/tap 07:44 < krzee> why does everyone want openvpn to take over jobs that other unix tools handle (encryption in this example) 07:45 < dazo> ahh, I suggested to not use openvpn ... just wpa_supplicant straight on the wired interface 07:45 < krzee> ohh 07:45 < krzee> i misunderstood 07:46 < dazo> np :) And I do agree with you ... openvpn should not do more than really needed and rather use other modules/libraries to do other stuff 07:48 < krzee> its how it fits into a normal network that allows for seriously slick setups 07:51 -!- ecrist_mac [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn 07:53 < dazo> yup 07:53 < krzee> MacBookPro17 CPU: Genuine Intel T2600 2.16GHz @ 2.16GHz [SSE3/PAE/XD/VMX/EST/DualCore] L2: 2MB FSB: 664MHz Temp 43 C RAM: 1.3GB/2.0GB swap: 89.73M/128.00M Disk: 242.53GB/465.44GB GPU: ATY,RadeonX1600 [256 MB/HWCI/QE/Stock] 1680x1050 OS: Mac OS X 10.5.8 (9L30) Kernel: 9.8.0 Arch: 32 Bit 07:54 < ecrist> o.O 08:15 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"] 08:16 -!- bandini [n=bandini@host58-109-dynamic.31-79-r.retail.telecomitalia.it] has quit [Read error: 110 (Connection timed out)] 08:17 -!- kosmic [n=kosmic@unaffiliated/spice] has quit ["leaving"] 08:18 -!- sunrider [n=kosmic@unaffiliated/spice] has quit ["leaving"] 08:23 -!- MadTBone [n=MadTBone@160.39.238.196] has quit ["Leaving"] 08:29 -!- KaiForce [n=chatzill@70.228.89.235] has joined ##openvpn 08:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 08:39 -!- dazo is now known as dazo_afk 08:55 < rbd> hey guys....I've set up a pfsense client and server (pfsense 1.2.3RC3)...the client can connect successfully, and can ping 
his own vpn IP address (10.14.21.6) but cannot ping the server's (10.14.21.5) or ping anything else in the network... 08:55 < rbd> I am running tcpdump on the server side for tun0, and see that the server gets the ICMP ping packet from the client, but is not responding....I need a route on the server somewhere.... 08:59 < ecrist> rbd: it will not be able to ping the .5 address 08:59 < ecrist> should be able to ping the .1 address, though 09:02 -!- Anodl1 [n=Arnold@p54A79278.dip0.t-ipconnect.de] has joined ##openvpn 09:02 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:03 < rbd> ecrist: ok, that's working, the client can ping .1 (I had a static route that I had defined for that .21 subnet I removed and openvpn then put its autogenerated one in).... now I pushed a route to the 10.14.10.0/24 subnet down to the client, and I try a ping of 10.14.10.11 (which is valid) at the client, I see the ping come to the server across tun0...but it doesn't look like the server can route it properly 09:04 < ecrist> so the client is sending the packet to the vpn server, and the vpn server is dropping it? 09:04 < ecrist> ip_forwarding enabled? 09:04 < rbd> yup 09:04 < rbd> ip_forwarding, let me check... 09:05 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has joined ##openvpn 09:06 < rbd> well. the box is pfsense (freebsd router), so I'm 99.9% sure it is 09:07 < ecrist_mac> are you allowing the traffic through the firewall? 09:08 < ecrist_mac> sysctl net.inet.ip.forwarding 09:08 < ecrist_mac> will tell you 09:08 < rbd> net.inet.ip.fastforwarding=1 is in /etc/sysctl.conf 09:08 < rbd> yeah, it's enabled (from that command) 09:08 < ecrist_mac> I don't care what's in sysctl.conf, want to know live. ;) 09:09 < rbd> net.inet.ip.forwarding: 1 09:09 < ecrist_mac> ok, what about the firewall? are you allowing traffic to 10.14.10.0/24 from the vpn?
09:11 < rbd> yup, I have a wildcard rule on that interface...firewall logs don't show anything 09:12 < rbd> do you want to see my routing tables/ifconfig dump, etc? 09:12 < ecrist> sure 09:13 -!- hyper_ch [n=hyper@6-55.107-92.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 09:14 -!- hyper_ch [n=hyper@237-4.203-62.cust.bluewin.ch] has joined ##openvpn 09:17 < rbd> http://pastebin.com/d347324ea 09:21 < ecrist> holy networks, batman 09:22 < ecrist> is the vpn client able to ping 10.14.220.254? 09:23 < rbd> nope 09:23 < ecrist> the routing table is from the server, right? 09:24 < rbd> yup...10.14.220.254 is the switch....let me check the routes on that 09:24 < ecrist> does the switch know how to route to the vpn subnet? 09:25 < Broady> so i suppose no one can help me :( 09:25 < rbd> it has a statement "ip route 10.14.21.0 255.255.255.0 10.14.220.251" 09:26 < ecrist> Broady: i didn't see you ask a question... 09:26 < rbd> which is a virtual IP back on the firewall...so he should know how to route 09:26 < Broady> ecrist: a few hours ago 09:26 < Broady> 16:27 < Broady> config: http://sprunge.us/Oehf - ifconfig: http://sprunge.us/cXZY 09:26 < Broady> 16:27 < Broady> why the hell is my subnet mask 255.255.255.255? 09:26 < Broady> 16:28 < Broady> for some reason my client doesnt seem to connect unless the network is 172.16.0.0 09:26 < Broady> 16:29 < Broady> my client config - http://sprunge.us/VLWI 09:26 < Broady> 16:29 < Broady> i'm using tunnelblick 09:26 < Broady> 16:30 < Broady> and this is the log i get when trying to connect: http://sprunge.us/WGYb 09:26 < rbd> ecrist: however, I can't ping 10.14.21.6 from the switch...hmmm 09:27 < ecrist> rbd: can you ping the .1 09:27 < ecrist> ? 
09:27 -!- rawDawg [n=rawDawg@adsl-99-57-58-238.dsl.bcvloh.sbcglobal.net] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 09:27 < rbd> ecrist: and I can do it from the router....can't ping 10.14.21.1 either 09:27 < ecrist> rbd: you have a routing issue outside openvpn 09:27 < ecrist> routing or firewall 09:28 < rbd> yeah....at least I know where to look now, thanks! 09:28 < ecrist> Broady: is this for a static-key setup? 09:28 < ecrist> rbd: no problem. 09:28 < Broady> ecrist: yep 09:29 < Broady> ecrist: i was connecting just fine when it was 172.16.0.0 09:29 < Broady> but couldn't access anything 09:29 < Broady> routes were all stuffed 09:29 < ecrist> your subnet mask looks funny 09:30 < Broady> i know!! wtf :( 09:30 < ecrist> change it in the config from .248 to .0 09:30 < Broady> i changed it manually with ifconfig, didn't help anything though. 09:30 < Broady> ecrist: yeah that's what i had it at originally, same thing. 09:31 < ecrist> why does your log indicate you're connecting to 127.0.0.1:1194? 09:33 < Broady> oh, because i was connecting over an ssh tunnel 09:33 < Broady> (work blocks all ports other than 80 and 443, i connect over ssh with 443) 09:33 < Broady> (yes, i had a static route to maintain the ssh connection) 09:34 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn 09:34 < DammitJim> good day all 09:44 < rbd> ecrist: fixed my problem, I had a bad vlan21 on the switch 09:44 < ecrist> glad to hear it 09:47 < |Mike|> :) 09:56 -!- ivenkys [n=ivenkys@unaffiliated/ivenkys] has left ##openvpn [] 10:00 < reiffert> :) 10:05 -!- bandini [n=bandini@79.7.109.239] has joined ##openvpn 10:07 < ecrist> :D 10:09 -!- hyper_ch [n=hyper@237-4.203-62.cust.bluewin.ch] has quit [Remote closed the connection] 10:12 < ecrist> someone should write an openvpn client for Polycom phones.
10:12 < ecrist> :) 10:12 < Optic> wow that would totally rock 10:12 < Optic> +1 10:16 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 10:30 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 110 (Connection timed out)] 10:31 < reiffert> btw, Kas seems to be from openvpn. 10:33 < DammitJim> Kas, are you from openvpn? 10:33 < DammitJim> :) 10:34 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 54 (Connection reset by peer)] 10:34 < reiffert> OPENVPN TECHNOLOGIES INC-091125173326 SBC-71-140-186-184-29-0911253406 (NET-71-140-186-184-1) --- Log closed Fri Dec 11 10:41:20 2009 --- Log opened Fri Dec 11 10:55:37 2009 10:55 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn 10:55 -!- Irssi: ##openvpn: Total of 92 nicks [0 ops, 0 halfops, 0 voices, 92 normal] 10:56 -!- Irssi: Join to ##openvpn was synced in 41 secs 10:58 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has joined ##openvpn 11:05 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit [Read error: 110 (Connection timed out)] 11:10 -!- dazo_afk is now known as dazo 11:12 -!- dazo is now known as dazo_afk 11:13 -!- dazo_afk is now known as dazo 11:16 < dazo> Seems Kas got scared .... 11:21 < ecrist> that's a cute little subnet they have 11:21 < ecrist> a /29 on ADSL 11:24 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:26 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:48 < |Mike|> that's like 5 ip's 11:52 -!- diegoviola [n=diego@201.217.40.16] has joined ##openvpn 11:53 < diegoviola> hi, i have a college where they block everything except port 80, and they relay the port 80 traffic to squid 11:53 < diegoviola> I try to ssh to my server from there and it doesn't work obviously 11:53 < diegoviola> can openvpn help me with that? 11:53 < diegoviola> or anything else? 
11:53 < diegoviola> if I change sshd port to 80, would that work? 11:54 < ecrist> use 443 11:54 < diegoviola> 443 for sshd? 11:55 < ecrist> should bypass proxy better 11:55 < diegoviola> thanks 12:03 -!- rbd [n=rbd@74.229.183.112] has quit [Read error: 131 (Connection reset by peer)] 12:03 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 12:10 -!- Artio [n=_@port-91562.pppoe.wtnet.de] has joined ##openvpn 12:13 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 12:19 < rbd> hey guys...I have a working VPN, except I get disconnected exactly one hour after I log into it. the client log shows "TLS: soft reset"... I'm thinking this is a key expiration/keepalive kind of thing...any ideas? 12:20 < ecrist> !configs 12:20 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:22 < rbd> ecrist: my configs are at the bottom of http://pastebin.com/d347324ea ....client version is 2.1.0. server is 2.0.6 12:22 < rbd> client is vista, server is freebsd (pfsense) 12:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 12:22 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 12:23 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 110 (Connection timed out)] 12:23 < rbd> the two lines are from when the tunnel is established to terminated are: Fri Dec 11 12:07:57 2009 Initialization Sequence Completed 12:23 < rbd> Fri Dec 11 13:07:52 2009 TLS: soft reset sec=0 bytes=9882282/0 pkts=20428/0 12:23 < ecrist> soft reset is common, shouldn't reset your vpn 12:24 < rbd> it ended up reprompting me for a username and password .... 
well hmm in my password there is an OTP component to it, so if the client works by automatically reinputting the username/password every hour, then maybe this is why 12:24 < rbd> I hope not... 12:25 < ecrist> could be, I haven't done any testing/experimenting with OTP and OpenVPN 12:26 < rbd> basically, I put in my username, and for the password I enter my single sign on password, followed by a 42 character OTP generated by a Yubikey device ...the server takes that and passes it to a backend radius server that runs the authentication against the OTP server (for the otp) and an LDAP server (for my password) 12:27 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 12:28 < rbd> ecrist: ahh, http://openvpn.net/archive/openvpn-users/2006-03/msg00048.html 12:28 < vpnHelper> Title: [Openvpn-users] soft reset + one time password (at openvpn.net) 12:28 < rbd> I'll read into this... 12:29 < rbd> reneg-sec FTW 12:29 < ecrist> o.O 12:32 -!- diegovio1a [n=diego@adsl-153-88.click.com.py] has joined ##openvpn 12:35 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 12:37 < |Mike|> ahoy krzie 12:40 -!- diegoviola [n=diego@201.217.40.16] has quit [Read error: 145 (Connection timed out)] 12:40 < optiz0r> hi all. I'm trying to get my head around static ip addresses for per-client configs. If I set the server on 10.10.0.1/255.255.255.0 and give the .4/30 to a client via a ccd file, the first client without a corresponding ccd file gets given that same subnet causing a clash. Can anyone point me at documentation that explains the openvpn way of avoiding this? 12:41 < ecrist> optiz0r: if you assign correctly, they should not be issued the same address 12:50 < optiz0r> ecrist: ok I probably did something silly. I'll try it again, thanks :) 12:51 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn 12:52 < mgolisch> what could be the cause for openvpn to not connect?
12:57 < ecrist> it's misconfigured 12:57 < ecrist> see the topic, mgolisch 13:04 -!- KaiForce [n=chatzill@70.228.89.235] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 13:06 < mgolisch> yeah its probably kvpnc doing something stupid 13:07 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 13:22 < dazo> mgolisch: or you doing something foolish with kvpnc which does something even foolisher to openvpn ... :) Try configuring openvpn without kvpnc, that'll give you an indication ;-) 13:22 < mgolisch> yeah reading the manpage atm 13:23 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 13:23 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 13:23 < openvpn2009> hello gentlemen 13:24 < Kas> ecrist: 13:24 < ecrist> hello 13:25 < Kas> about Polycom, I agree with you. It should be done. 13:25 < ecrist> it would be pretty nice. not sure how realistic it is, but would solve a lot of headaches on my end. 13:25 < Kas> btw, don't know if you guys noticed, but OpenVPN 2.1.0 has been released :-) 13:26 * ecrist points to chan topic 13:26 < ecrist> ;) 13:26 < Kas> Just saw that :/ 13:26 < ecrist> Kas, what do you do for OpenVPN? 13:27 < Kas> Heh, I do Support/QA etc 13:27 < Kas> I have seen you on ovpnforums 13:28 < ecrist> I pop in there now and again. 13:29 < Kas> Same 13:29 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:30 < Kas> ecrist: what do you think about us hosting forums on our site (openvpn.net)? 13:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 13:31 < ecrist> I don't own the domain, you'd have to talk to Dougy about that. I had a conversation with Francis via email at one point and we couldn't come to an agreement. 13:32 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit ["Távozom"] 13:32 < Kas> Which domain are you talking about? http://www.ovpnforum.com/?
13:33 < vpnHelper> Title: OpenVPN Forum Index page (at www.ovpnforum.com) 13:34 < ecrist_mac> yes 13:34 < Kas> Does douglas go by another name on here? 13:35 < ecrist_mac> Dougy and Douglas 13:35 < ecrist> why do you guys want to move them? 13:35 -!- ecrist_mac [n=ecrist@pdpc/supporter/professional/ecrist] has left ##openvpn [] 13:36 < Kas> We don't. 13:36 < Kas> Just brainstorming really. 13:37 < ecrist> pm? 13:37 < Kas> sure 13:42 < mgolisch> hm actualy cd foo; sudo openvpn --config foobar.ovpn worked correctly 13:42 < mgolisch> i wonder what kvpnc did wrong 13:42 < dazo> mgolisch: probably not running openvpn as root, that might be the first thing to check out 13:48 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: jfkw, hyper_ch, freaky[t], tarbo2, rbd, phusion_ 13:49 -!- Netsplit over, joins: rbd, hyper_ch 13:49 -!- Netsplit over, joins: phusion_ 13:49 < dazo> Kas: openvpn2009: Are there, or will there be, a "todo list" over things the next 2.2 version will include? which is publicly available? 13:51 -!- Guest73640 [i=stfu@17.166.102.97.cfl.res.rr.com] has joined ##openvpn 13:51 < Kas> dazo: We are not sure but would be more than happy to find out for you. 13:52 -!- Netsplit over, joins: jfkw, tarbo2, freaky[t] 13:52 -!- Guest73640 [i=stfu@17.166.102.97.cfl.res.rr.com] has quit [Excess Flood] 13:52 < dazo> Kas: would be great if that could be public somewhere ... easier to see which direction openvpn is moving ... 
13:53 -!- Netsplit orwell.freenode.net <-> irc.freenode.net quits: corretico, dollabill 13:53 -!- coil_ [i=stfu@97.102.166.17] has joined ##openvpn 13:53 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn --- Log closed Fri Dec 11 13:58:21 2009 --- Log opened Fri Dec 11 13:58:24 2009 13:58 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 13:58 -!- Irssi: ##openvpn: Total of 89 nicks [0 ops, 0 halfops, 0 voices, 89 normal] 13:58 < dazo> Kasx: in regards to a "todo list", I'm especially interested in what's going to happen with the "connection scheduler" in openvpn ... as several people reports that performance drops noticeably when having more than 120-200 active connections .... and openvpn do not scale out of a single CPU core .... (unless you fire up several instances and pin them to separate CPU cores) 13:58 -!- Irssi: Join to ##openvpn was synced in 32 secs 13:59 < ecrist> it would be nice to have a threaded daemon 13:59 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 13:59 < dazo> yup! 
14:00 < dazo> leave the scheduling to the kernel instead 14:01 -!- teratoma [n=teratoma@69.172.135.243] has quit [Remote closed the connection] 14:01 -!- teratoma [n=teratoma@69.172.135.243] has joined ##openvpn 14:20 -!- diegovio1a [n=diego@adsl-153-88.click.com.py] has quit [Client Quit] 14:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"] 14:27 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 14:32 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Client Quit] 14:36 -!- Anodl1 [n=Arnold@p54A79278.dip0.t-ipconnect.de] has quit [Read error: 54 (Connection reset by peer)] 14:37 -!- Anodl1 [n=Arnold@p54A79278.dip0.t-ipconnect.de] has joined ##openvpn 14:43 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:52 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 14:52 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 14:53 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: kala, CaBa, sno, noooon, vlt, julius, Rienzilla, crazygir, Zordrak, LowKey, (+21 more, use /NETSPLIT to show all of them) 14:57 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:57 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn 14:57 -!- zib_ [i=zib@slick.keff.org] has joined ##openvpn 14:57 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn 14:57 -!- Broady [n=b@unaffiliated/broady] has joined ##openvpn 14:57 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 14:57 -!- Diddi [i=diddi@zenit.bsnet.se] has joined ##openvpn 14:57 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 14:57 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn 14:57 -!- zamba [i=marius@flage.org] has joined ##openvpn 14:57 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined 
##openvpn 14:57 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn 14:57 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has joined ##openvpn 14:57 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn 14:57 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn 14:57 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 14:57 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn 14:57 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn 14:57 -!- znull [i=z@www.files2u.com] has joined ##openvpn 14:57 -!- endre [i=me2@urbnet.hu] has joined ##openvpn 14:57 -!- vlt [n=dm@suez.activ-job.com] has joined ##openvpn 14:57 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 14:57 -!- julius [n=julius@217.20.127.15] has joined ##openvpn 14:57 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn 14:57 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 14:57 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 14:57 -!- sdh [n=steve@steve.st] has joined ##openvpn 14:57 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 14:57 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 14:57 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 14:57 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn 15:02 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has joined ##openvpn 15:05 -!- glengoyne [n=glengoyn@p4FC22BDC.dip.t-dialin.net] has joined ##openvpn 15:07 -!- glengoyne [n=glengoyn@p4FC22BDC.dip.t-dialin.net] has quit [Client Quit] 15:08 < cpg> !configs 15:08 < vpnHelper> cpg: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:15 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host] 15:27 -!- corretico__ [n=laguilar@201.201.46.106] has joined 
##openvpn 15:29 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: jfkw, corretico_, tarbo2, freaky[t] 15:32 -!- Netsplit over, joins: jfkw 15:33 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: cpg 15:34 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 15:34 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 15:34 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 15:34 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 15:38 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: tarbo2, corretico_, freaky[t] 15:39 -!- Netsplit over, joins: corretico_, tarbo2, freaky[t] 15:39 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."] 15:44 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out] 15:46 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has quit [Remote closed the connection] 15:47 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has joined ##openvpn 15:50 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: kala, CaBa, sno, noooon, vlt, julius, Rienzilla, crazygir, Zordrak, LowKey, (+20 more, use /NETSPLIT to show all of them) 15:52 -!- Netsplit over, joins: KaiForce, kala, zib_, Broady, |Mike|, Diddi, sauce_, chantra, Bushmills, crazygir (+20 more) 15:54 -!- mgolisch [n=michi@85.93.11.18] has quit [Remote closed the connection] 15:54 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn 15:56 -!- master_of_master [i=master_o@p549D7570.dip.t-dialin.net] has quit [Remote closed the connection] 15:58 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 15:58 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 16:09 -!- ruied [n=ruied@95.69.117.37] has joined ##openvpn 16:11 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 16:13 -!- Anodl1 
[n=Arnold@p54A79278.dip0.t-ipconnect.de] has quit [Client Quit] 16:21 -!- master_of_master [i=master_o@p549D7570.dip.t-dialin.net] has joined ##openvpn 16:22 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)] 16:29 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [Read error: 60 (Operation timed out)] 16:53 -!- dazo is now known as dazo_afk 17:03 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 17:03 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 17:03 -!- bandini [n=bandini@79.7.109.239] has joined ##openvpn 17:03 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 17:10 -!- ruied [n=ruied@95.69.117.37] has left ##openvpn [] 17:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 17:25 < krzee> werrrd 17:25 -!- Artio [n=_@port-91562.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- The alternative IRC client"] 17:27 * havoc fights w/ uVNC :( 17:27 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has left ##openvpn [] 17:37 -!- dzk [n=noway@80-254-76-148.dynamic.swissvpn.net] has joined ##openvpn 17:38 < dzk> why ist zhe vpn ping pong times so high 17:39 < ecrist> what? 17:40 < dzk> 64 bytes from zrh1-web01.monzoon.net (80.254.79.210): icmp_seq=1 ttl=62 time=250 ms 17:40 < dzk> 64 bytes from zrh1-web01.monzoon.net (80.254.79.210): icmp_seq=2 ttl=62 time=267 ms 17:40 < dzk> 64 bytes from zrh1-web01.monzoon.net (80.254.79.210): icmp_seq=3 ttl=62 time=149 ms 17:40 < dzk> that's allegedly my 2nd or 3rd hop 17:40 < dzk> cant do ping -t 1 host 17:40 < dzk> which is odd i believe 17:41 < ecrist> what transport, udp or tcp? 17:41 < dzk> i get the feeling this vpn is slow for a reason 17:41 < dzk> tp 17:41 < dzk> tcp 17:41 < ecrist> change to udp if you can, first 17:41 < ecrist> !tcp 17:41 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 17:41 < dzk> i cant 17:42 < dzk> port 443 in tcp 17:43 < dzk> i dont think they have a udp 17:44 < dzk> this is no tcp/udp issue 17:44 < ecrist> dzk, tcp is part of your reason 17:44 < ecrist> it is 17:44 < dzk> how do you 17:44 < dzk> even know that 17:45 < ecrist> read the link vpnhelper posted 17:45 < dzk> i read it 17:45 < ecrist> that's how I know 17:45 < dzk> tcp packets are quite small so that scenario would not apply 17:47 < dzk> i am right arent i! 17:47 < dzk> ;) 17:47 < dzk> doesnt really matter i guess 17:47 < dzk> i cant pin-point the error 17:47 < ecrist> dzk, tcp is likely your issue 17:47 < dzk> if tcp were this slow they'd never use it 17:47 < ecrist> for added latency 17:47 < dzk> nobody would 17:48 < ecrist> nobody does, unless they have to 17:48 < ecrist> the problem lies with encapsulating tcp with tcp 17:48 < dzk> even ssh does that 17:48 < ecrist> you end up with a high potential for a race condition during error correction 17:48 < dzk> that is never a problem when the line is not saturated 17:49 < ecrist> ok, let's step back a bit 17:49 < ecrist> show me a ping from your vpn client public IP to your vpn server public IP, outside the vpn 17:49 < ecrist> then, show me a ping from your vpn client to your vpn server, through the vpn 17:49 -!- dextor[work] [n=dextor[w@59.162.86.164] has joined ##openvpn 17:49 -!- Irssi: ##openvpn: Total of 89 nicks [0 ops, 0 halfops, 0 voices, 89 normal] 17:50 < dzk> damn it's high 17:50 < dzk> very high 17:50 < dzk> 194mv avg 17:50 < dzk> ms* 17:51 < dzk> try it yourself 80.254.79.87 17:51 < ecrist> I'd suggest getting a better isp.
:) 17:51 < dzk> it's allegedly inside switzerland ;) 17:51 < dzk> can you try tracing that 17:51 < dzk> it cant be in switzerland 17:51 < ecrist> you can ping from off-network, if you want from http://secure-computing.net/ping.php 17:51 < vpnHelper> Title: SCN: SCN (at secure-computing.net) 17:52 < dzk> can i find out where in the world the ip is 17:52 < dzk> the server i mean, is there a foolproof way 17:52 < ecrist> whois the IP 17:52 < dzk> you think that's accurate? 17:52 < ecrist> yes 17:53 < ecrist> the IP is registered in china 17:54 < dzk> land of net freedom 17:54 < ecrist> so, my guess is the latency really is just that high 17:54 < dzk> 64 bytes from 80.254.79.87: icmp_seq=1 ttl=59 time=25.2 ms 17:54 < dzk> that's from city of london 17:54 < dzk> 25ms 17:55 < dzk> jesus- my isp must suck or something ;) 17:55 < ecrist> !not-ovpn 17:55 < vpnHelper> ecrist: Error: "not-ovpn" is not a valid command. 17:55 < ecrist> !notopenvpn 17:55 < vpnHelper> ecrist: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 17:56 < dzk> dont have to be rude 17:56 < ecrist> I'm not being rude. 17:56 -!- dextor[work]_ [n=dextor[w@122.182.0.38] has joined ##openvpn 17:59 < dzk> my isp really is slow 18:00 < dzk> appears to be a link problem 18:01 < dzk> you wanna help me find a new isp ?
;) 18:01 -!- dextor[work] [n=dextor[w@59.162.86.164] has quit [Read error: 60 (Operation timed out)] 18:04 -!- dextor[work]_ [n=dextor[w@122.182.0.38] has quit [Read error: 60 (Operation timed out)] 18:17 -!- phusion_ is now known as _phusion 18:19 < dzk> btw ecrist 18:20 < dzk> country: CH 18:20 < dzk> address: Switzerland 18:20 < dzk> is not china 18:20 < dzk> not to be rude or anything 18:25 -!- Frans-Willem [n=tb@s5593f0f9.adsl.wanadoo.nl] has joined ##openvpn 18:26 < Frans-Willem> I'm completely lost on setting up an OpenVPN bridge server on my Ubuntu box. Whenever I run bridge-start, the box completely loses all network connectivity :/ Would anyone be able to help me troubleshoot ? 18:26 < |Mike|> !more 18:26 < vpnHelper> |Mike|: Error: You haven't asked me a command; perhaps you want to see someone else's more. To do so, call this command with that person's nick. 18:26 < |Mike|> err. 18:26 < |Mike|> !all 18:26 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 18:26 < |Mike|> Frans-Willem: you first have to bring eth0 down and so on. See the docs :) 18:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Connection reset by peer] 18:43 < Frans-Willem> Hmmm, I think I have a working bridge now, only DNS doesn't work any more, not even if I manually put something in /etc/resolv.conf :/ (got the bridge running with some adjustments to https://help.ubuntu.com/community/NetworkConnectionBridge) 18:43 < vpnHelper> Title: NetworkConnectionBridge - Community Ubuntu Documentation (at help.ubuntu.com) 18:44 < Frans-Willem> pinging the IP of e.g. google does work 18:45 < |Mike|> but ? 18:45 < |Mike|> you can push dns servers as well ;) 18:46 < |Mike|> Just for openvpn.
18:46 < Frans-Willem> Problem is that DNS doesn't seem to work from the server :/ 18:46 < |Mike|> push dns... 18:46 < Frans-Willem> But at this point I haven't even started OpenVPN yet :/ 18:47 < |Mike|> how did you enable your bridge ? 18:47 < Frans-Willem> https://help.ubuntu.com/community/NetworkConnectionBridge, under "Create bridge at startup", but with the adjustments of adding openvpn stuff to it 18:48 < |Mike|> meh, i'm connected trough a console lol. 18:48 < |Mike|> you used brctl ? 18:48 < Frans-Willem> Yes 18:49 < Frans-Willem> Current /etc/network/interfaces looks like this: http://pastebin.com/pastebin.php?dl=m470eb255 (should be console friendly) 18:49 < |Mike|> something like ifconfig eth0 down && brctl create bridge bla0 && brctl ifsomething x0 bla0 ? 18:49 < Frans-Willem> Yes, but then in the /etc/network/interfaces file with pre-up commands 18:50 < |Mike|> remove auto dhcp from eth0 18:50 < |Mike|> and add it to br0 18:51 < Frans-Willem> Ehm, seeing as normally I have no screen attached to this box, I'd rather leave eth0 completely out of the bridge just in case it ever fails again :/ 18:51 < Frans-Willem> So I can always put in an UDP cable in there if need be 18:51 < |Mike|> is that box remote or is it local? 18:51 < |Mike|> ifconfig eth0 down 18:52 < Frans-Willem> The box is local, but normally there is no video card installed, so normally it's remote-ish :p 18:53 < |Mike|> since when is vga disabled ? lol. 18:53 < Frans-Willem> Doesn't have onboard VGA, just rip out a video-card from another box when I really need to troubleshoot 18:54 < |Mike|> meh. it's friday evening :p 18:54 < Frans-Willem> Anyway, eth0 is now down, eth1 and tap0 are now part of bridge br0, pinging local IPs as well as WAN ips works, but ping www.google.com insists it has no idea how to look that up ;) 18:55 * |Mike| said something about dns push alalalal.... 
18:56 < Frans-Willem> Ok, just to make sure we're on the same page, you're talking about OpenVPN pushing the DNS, right ? At this point OpenVPN isn't running at all, and it's just eth1 bridged with nothingness :/ 18:56 -!- dzk is now known as karelia 18:57 < |Mike|> we'll talk tomorrow instead. I'm way too tired to explain that. 18:58 < Frans-Willem> k :/ 18:58 < Frans-Willem> Anyway, tried to get OpenVPN with push "dhcp-option DNS 192.168.1.1", still nothing :/ 19:00 -!- master_of_master [i=master_o@p549D7570.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:03 -!- master_of_master [i=master_o@p549D6755.dip.t-dialin.net] has joined ##openvpn 19:03 < reiffert> dazo_afk: haha, I won 5 bucks. 19:04 < reiffert> 2.1.1 is out. 19:21 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 19:22 -!- _phusion is now known as phusio_ 19:25 -!- Th3Blasphemer [n=tb@s5593f0f9.adsl.wanadoo.nl] has joined ##openvpn 19:32 -!- Th3Blasphemer [n=tb@s5593f0f9.adsl.wanadoo.nl] has quit [Read error: 60 (Operation timed out)] 19:41 -!- Frans-Willem [n=tb@s5593f0f9.adsl.wanadoo.nl] has quit [Read error: 110 (Connection timed out)] 19:44 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 19:57 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 20:30 -!- IrCYop [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has joined ##openvpn 20:30 < IrCYop> !howto 20:30 < vpnHelper> IrCYop: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 20:33 -!- ruied [n=ruied@bl7-211-221.dsl.telepac.pt] has joined ##openvpn 20:46 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 145 (Connection timed out)] 20:47 < IrCYop> What are your guys thoughts on this. I'm renting a dedicated server, and theres no kind of DHCP server and I am only given 5 ips. I have used all 5, with the last one my openVPN server. 
Is it worth creating a new network device on another subnetmask and have my openVPN server as the DHCP server for this new subnet mask and assign ips to the computers connecting to it. Or is there a possibility that the server provider could stop me fr 21:04 -!- niterain [n=niterain@c-67-191-63-149.hsd1.fl.comcast.net] has joined ##openvpn 21:04 < niterain> !howto 21:04 < vpnHelper> niterain: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 21:14 < ecrist> dzk can eat a dick 21:14 < ecrist> good evening 21:20 < ecrist> IrCYop: I would do exactly as you suggest. Use a private subnet for your VPN. 21:22 < IrCYop> ecrist: Ok, now just time to figure out exactly how i DO so 21:22 < IrCYop> Thanks ^_^ 21:22 < ecrist> openvpn will do it automatically with the server line in the config 21:23 < ecrist> if you're going to use your dedicated server to get out of band internet access, you'll need to setup NAT for your new private subnet 21:27 < IrCYop> "out of band" Not exactly what you mean by that 21:28 < IrCYop> ecrist: 21:29 < ecrist> IrCYop: if you're going to route your internet browsing through the dedicated server 21:29 < IrCYop> No it's going to just host a file multiple machines will use 21:30 < ecrist> then no nat or anything is needed. 21:30 < IrCYop> great so If I just specify a new ip and a new subnet mask and ip range in the server.conf 21:30 < IrCYop> it will auto set that up for me? 21:30 < IrCYop> ecrist: 21:30 < ecrist> basically. if you're vpn client are only going to communicate to the server. 21:31 < IrCYop> great 21:31 < IrCYop> That easy eh 21:31 < ecrist> yep 21:32 < ecrist> 5-10 lines in the server config, 4-8 lines in the client config, you're all done. 21:32 < IrCYop> openVPN is magical lol 21:38 < IrCYop> ecrist: so I am editing the server-bridge section 21:38 < IrCYop> but I keep the local ip the same as the ip I ssh into? 
21:47 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has joined ##openvpn 21:47 -!- Serideru [n=GTWebste@24-116-116-232.cpe.cableone.net] has quit [Remote closed the connection] 21:49 -!- karelia [n=noway@80-254-76-148.dynamic.swissvpn.net] has quit [Read error: 110 (Connection timed out)] 21:55 -!- ant1jr [n=ant1jr@143.195.199.241] has joined ##openvpn 21:55 < ant1jr> Hello 21:56 < ant1jr> when I try to connect to my vpn, I receive the following error: 21:56 < ant1jr> Fri Dec 11 21:55:53 2009 TCP connection established with xxx.xxx.xxx.xxx:443 21:56 < ant1jr> Fri Dec 11 21:55:58 2009 socks_handshake: TCP port read timeout expired 21:56 < ant1jr> what should I do? 21:59 < sauce_> why not udp? 21:59 < ant1jr> whenever I use udp I fail to connect 21:59 < ant1jr> I think my campus blocks outgoing udp 22:05 < ant1jr> your-freedom works for tunneling stuff but I want my own solution that I don't have to pay for 22:05 < ant1jr> this server is on my school's DMZ 22:40 -!- IrCYop [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has quit ["Leaving."] 23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)] 23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn --- Day changed Sat Dec 12 2009 00:21 -!- thesov [n=a@dsl092-128-161.chi1.dsl.speakeasy.net] has left ##openvpn [] 00:22 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"] 00:59 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn 01:23 < krzee> wassup 01:23 < krzee> ' 01:28 < tjz> hey krzee 01:28 < tjz> bye 01:28 < tjz> :D 01:29 < tjz> going off to do my work :( 01:29 < tjz> will pop around when need to 01:29 < krzee> hi,bye 01:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"] 01:30 -!- krzee [i=nobody@hemp.ircpimps.org] has joined ##openvpn 01:53 -!- Intensity [i=[hNdzLhl@unaffiliated/intensity] has quit [Read error: 104 (Connection reset by peer)] 01:57 -!- Intensity 
[i=[113Kiu9@unaffiliated/intensity] has joined ##openvpn 02:53 -!- ant1jr [n=ant1jr@143.195.199.241] has quit [Read error: 113 (No route to host)] 03:28 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 03:46 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 110 (Connection timed out)] 03:47 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 03:48 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 03:49 -!- ruied [n=ruied@bl7-211-221.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 04:14 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 04:23 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Read error: 104 (Connection reset by peer)] 04:24 -!- _LowKey [i=rhel@72.20.37.172] has joined ##openvpn 04:24 -!- _LowKey is now known as LowKey 04:25 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 04:31 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 04:34 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Connection timed out] 04:53 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 05:41 -!- ruied [n=ruied@bl5-189-50.dsl.telepac.pt] has joined ##openvpn 05:59 -!- Anodl [n=Arnold@p54A7AFF6.dip0.t-ipconnect.de] has joined ##openvpn 07:00 -!- rajin [n=_@port-91095.pppoe.wtnet.de] has joined ##openvpn 07:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)] 07:05 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 07:47 -!- rajin [n=_@port-91095.pppoe.wtnet.de] has quit [No route to host] 07:52 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 08:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:51 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:01 -!- Artio [n=_@port-91095.pppoe.wtnet.de] has joined ##openvpn 09:10 
-!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 09:26 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [No route to host] 10:10 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 10:12 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: tarbo2, freaky[t] 10:16 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 10:16 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 10:24 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: krzie, bandini, robotti^ 10:27 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 10:28 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 10:33 -!- Beira [n=_@port-91095.pppoe.wtnet.de] has joined ##openvpn 10:41 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 10:41 -!- bandini [n=bandini@79.7.109.239] has joined ##openvpn 10:50 -!- Artio [n=_@port-91095.pppoe.wtnet.de] has quit [No route to host] 10:50 -!- Beira is now known as Artio 11:36 -!- Artio [n=_@port-91095.pppoe.wtnet.de] has quit [Read error: 60 (Operation timed out)] 11:37 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 11:51 -!- dzk [n=deey@80-254-76-144.dynamic.swissvpn.net] has joined ##openvpn 12:33 -!- elventear [n=elventea@c-75-73-49-149.hsd1.mn.comcast.net] has joined ##openvpn 12:35 -!- elventear [n=elventea@c-75-73-49-149.hsd1.mn.comcast.net] has quit [Client Quit] 13:05 < dzk> !howto 13:05 < vpnHelper> dzk: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 13:05 < Han> It's rather big. :-) 13:06 < dzk> i'll use search ;) 13:07 < Han> There is a mini-howto which is very instructive. 13:07 < Han> For starters I'd recommend that. 13:13 < dzk> if the vpn were to fail now 13:13 < dzk> irssi would reconnect in the clear without going over the vpn ;( 13:13 < dzk> im looking for a way to prevent that 13:15 < Han> give your tunnel a seperate ip. 
13:18 < dzk> dont see how that would help 13:18 < dzk> i heard using route to block it 13:20 < dzk> or not 13:20 -!- dzk [n=deey@80-254-76-144.dynamic.swissvpn.net] has quit [Client Quit] 13:21 -!- kosmic [n=kosmic@unaffiliated/spice] has joined ##openvpn 13:22 < Han> Well if you set up that ip as your irc server... 13:22 < kosmic> guess i could use ipfilter ;) 13:36 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Read error: 104 (Connection reset by peer)] 13:44 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 15:00 < krzie> ill tell you how i do it... 15:00 < kosmic> you'll tell me? ;) 15:00 < krzie> i run a socks server inside the tunnel, and use that socks for my whole inet 15:00 < kosmic> hmm 15:00 < kosmic> but where do you run your tunnel 15:01 < kosmic> the problem iwht using socks is dns 15:01 < krzie> huh? 15:02 < kosmic> is your vpn tunnel managed from the local pc krzie 15:03 < krzie> that makes no difference 15:03 < krzie> the remote end is in another country, the local end could be on any machine in my lan 15:05 -!- ruied [n=ruied@bl5-189-50.dsl.telepac.pt] has quit [] 15:06 < |Mike|> *kuch* idiot 15:06 < |Mike|> clamav-0.95.3.tar.gz 44% of 25 MB 49 kBps 04m54s=> clamav-0.95.3.tar.gz 15:06 < |Mike|> Zzzzzzz... 
slow mirrors should be rm'd 15:07 -!- ruied [n=ruied@bl5-189-50.dsl.telepac.pt] has joined ##openvpn 15:16 -!- ruied [n=ruied@bl5-189-50.dsl.telepac.pt] has quit [] 15:16 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Read error: 110 (Connection timed out)] 15:17 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 15:26 -!- Anodl [n=Arnold@p54A7AFF6.dip0.t-ipconnect.de] has left ##openvpn [] 15:34 -!- glengoyne [n=glengoyn@p4FC21CCD.dip.t-dialin.net] has joined ##openvpn 15:36 -!- copumpkin [n=copumpki@c-24-63-67-154.hsd1.nh.comcast.net] has joined ##openvpn 15:38 < copumpkin> I'm trying to set up a client-to-client openvpn instance but it appears to need to be in server mode, and that needs me to generate certificates and such. Is there a guide on how to get started with that? This is just for computer-to-computer routing, I don't actually need to be a server with multiple clients. 15:40 < copumpkin> oh, looks like there's a guide here: http://www.ciscopress.com/articles/article.asp?p=605499&seqNum=2 15:40 < vpnHelper> Title: How to Configure OpenVPN > Creating Certificates (at www.ciscopress.com) 15:40 < kosmic> youll find ssh is easier 15:41 < copumpkin> kosmic: well, my main goal is to get certain broadcast traffic from one machine to another, and ssh tunneling (at least the naive way) doesn't achieve this 15:42 < copumpkin> but if you know of a simpler way to get this to work, I'd very much appreciate it 15:42 < kosmic> no idea 15:43 < kosmic> how do youkeep computers from accessing the open internet when the vpn goes down' 15:45 < _trine> copumpkin, maybe this but it's for a router but may help you 15:45 < _trine> http://unlogical.net/files/docs/OpenVPN_Guide2.txt 15:46 < copumpkin> thanks :) 15:47 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 15:50 < copumpkin> where's an official release of easy-rsa? 
mac os doesn't have a package for it 15:50 < copumpkin> everyone appears to assume you have it installed, and I can't find any source downloads for it 15:50 < _trine> copumpkin, I have that on my router openwrt kamikaze 15:50 < copumpkin> I'm trying to install this on mac os though 15:51 < _trine> easy rsa is also in ubuntu 15:51 < copumpkin> oh 15:51 < copumpkin> it's installed, just not where I expected it :) 15:51 < copumpkin> sorry! 15:51 < _trine> I know nothing about macs except they cost a lot of money 15:51 < copumpkin> heh 15:51 < _trine> :P 15:51 < copumpkin> :) 15:54 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 16:00 < Sky[x]> hello 16:01 < Sky[x]> what can be wrong i connect on openvpn server i can ping gateway but i cant see network ? 16:03 -!- glengoyne_ [n=glengoyn@p4FC21CCD.dip.t-dialin.net] has joined ##openvpn 16:07 -!- monty_ [n=monty@74.63.201.40] has joined ##openvpn 16:08 < monty_> Note: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19) 16:08 < monty_> Cannot allocate TUN/TAP dev dynamically 16:10 < monty_> here's my config and the full error: https://pastee.org/y2z7v 16:11 < monty_> tried googling and no luck 16:12 -!- gorkhaan [n=gorkhaan@87.229.108.75] has joined ##openvpn 16:13 < monty_> !logs 16:13 < vpnHelper> monty_: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 16:13 < monty_> !interface 16:13 < vpnHelper> monty_: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 16:13 < monty_> !howto 16:13 < vpnHelper> monty_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto 16:15 < ecrist> hi 16:16 < monty_> hi 16:16 < ecrist> monty_: are you running as root? 16:16 < monty_> yes 16:18 < ecrist> and is the kernel compiled with the tun drivers? 16:18 < monty_> how can I tell? 16:18 < monty_> I think so 16:19 -!- glengoyne [n=glengoyn@p4FC21CCD.dip.t-dialin.net] has quit [Read error: 113 (No route to host)] 16:20 < monty_> ls /dev/net shows me "tun" 16:20 < ecrist> http://www.linuxforums.org/forum/linux-networking/80596-cannot-open-tun-tap-dev-dev-net-tun-no-such-device-errno-19-a.html 16:20 < ecrist> you are sure you're root? 16:21 < monty_> positive 16:24 < monty_> with modprobe tun I get: 16:24 < monty_> https://pastee.org/2dad7 16:25 < Sky[x]> any idea why i get this error ? 16:25 < Sky[x]> Sat Dec 12 23:24:58 2009 Warning: route gateway is not reachable on any active network adapters: 10.8.0.1 16:25 < Sky[x]> Sat Dec 12 23:24:58 2009 Route addition via IPAPI failed 16:29 < monty_> ecrist: maybe I need to create a tun0? 16:32 < Han> Give it a shot 16:32 < monty_> I don't know how to 16:34 < ecrist> monty_: it should be done automatically 16:34 < ecrist> did you read the linuxforums link above? 16:34 < monty_> is my config file correct for a server? 16:34 < ecrist> monty_: it's lacking things 16:34 < ecrist> go through the howto 16:35 < ecrist> Sky[x]: because you don't have a valid local subnet capable of routing that subnet 16:35 < monty_> does the howto support shared secret? 16:35 < monty_> !howto 16:35 < vpnHelper> monty_: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:35 < ecrist> I don't know which, because you haven't told me. (see the topic 16:35 < ecrist> monty_: yes, there should be an example static-key setup 16:36 -!- copumpkin [n=copumpki@c-24-63-67-154.hsd1.nh.comcast.net] has left ##openvpn [] 16:37 < Sky[x]> ecrist: any idea how to fix that ? 
16:37 < ecrist> Sky[x]: yes, have a local adapter that can route that subnet as next-hop 16:38 < Sky[x]> what i have to change in config ? 16:38 < ecrist> I don't know, you won't provide the information I need. 16:39 < Sky[x]> i can copy on pastebin server and client configs is that ok ? 16:41 < ecrist> sure 16:41 < ecrist> and your logs 16:41 < ecrist> the channel topic tells you what to do 16:41 < Sky[x]> ok just wait 16:43 < monty_> is there something similar to openvpn that doesn't require TUN? 16:44 < ecrist> PPTP, IPSec 16:44 < ecrist> monty_: did you read the link? 16:46 < monty_> the linuxforums one? Yes I ran all the commands on the page 16:46 < monty_> my /etc/modules.conf is blank 16:54 < monty_> until I get the vps working I'm on a very slow and painful connection 16:55 < monty_> there must be something wrong with the VPS I'm using, I didn't have this problem last time 16:55 < monty_> so I need a workaround 16:56 < monty_> the vpn working* 17:04 < ecrist> post your config again 17:04 < monty_> https://pastee.org/y2z7v 17:05 < monty_> I think I probably don't have mod tun 17:05 < krzie> you said its a VPS, even if your side is 100% right your provider may have to do something to let you use tun 17:06 < monty_> that'll probably take forever 17:07 -!- monty_ [n=monty@74.63.201.40] has quit [Remote closed the connection] 17:08 < krzie> heh 17:10 -!- glengoyne_ [n=glengoyn@p4FC21CCD.dip.t-dialin.net] has quit [Read error: 113 (No route to host)] 17:11 < ecrist> monty, did you follow the howto? 17:12 < krzie> he left after i told him his vps provider may need to do something to allow tun creation 17:13 < ecrist> ah, i see that now 17:14 < ecrist> we should have an openvpn freeswitch conference server. ;) 17:14 < ecrist> http://img152.imageshack.us/img152/1221/black20kids20desk.jpg 17:15 < krzie> we're welcome to use the official freeswitch one if we like 17:15 -!- Diddi_ [i=diddi@zenit.bsnet.se] has joined ##openvpn 17:15 < ecrist> we are?
17:16 -!- Diddi [i=diddi@zenit.bsnet.se] has quit [Read error: 104 (Connection reset by peer)] 17:18 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 17:18 < ecrist> what the hell 17:18 < ecrist> hrm, my cacti setup seems borked 17:18 < ecrist> part of it 17:19 -!- zib [i=zib@slick.keff.org] has joined ##openvpn 17:19 -!- zib_ [i=zib@slick.keff.org] has quit [Read error: 104 (Connection reset by peer)] 17:19 < ecrist> just the gigabit switch, it appears 17:20 < ecrist> I'm out - got some modern warfare 2 to play before the wife gets home 17:20 < ecrist> l8r 17:39 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 17:55 -!- monty_ [n=monty@74.63.201.40] has joined ##openvpn 17:55 < monty_> does vtun http://vtun.sourceforge.net/ have anything to do with the TUN I need? 17:55 < vpnHelper> Title: VTun - Virtual Tunnels over TCP/IP networks (at vtun.sourceforge.net) 18:00 < krzie> ecrist ya im pretty sure its open for all, but if not there are a million free conf providers 18:01 < krzie> they get paid from CABS arbitrage with rural ILEC DIDs 18:05 -!- monty_ [n=monty@74.63.201.40] has quit [Remote closed the connection] 18:08 -!- gorkhaan [n=gorkhaan@87.229.108.75] has quit [Read error: 104 (Connection reset by peer)] 18:11 -!- phusio_ [n=phusion@84.22.127.58] has quit [] 18:12 -!- phusio_ [i=euro@89.238.166.158] has joined ##openvpn 18:13 -!- phusio_ [i=euro@89.238.166.158] has quit [Remote closed the connection] 18:14 -!- phusio_ [i=euro@89.238.166.158] has joined ##openvpn 18:14 -!- phusio_ [i=euro@89.238.166.158] has quit [Remote closed the connection] 18:15 -!- phusio_ [i=euro@89.238.166.158] has joined ##openvpn 18:15 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Connection timed out] 18:15 -!- phusio_ [i=euro@89.238.166.158] has quit [Remote closed the connection] 18:26 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 18:39 -!- phusion__ 
[n=phusion@88.80.16.38] has joined ##openvpn 18:49 < jnewt> http://www.pastie.org/740906 this is my first attempt. is this a firewall issue on the server or on the client? 18:50 < krzie> well 18:50 < krzie> not enough information 18:52 < jnewt> where can i find / show you more. btw, thanks for looking. i have a client config file and a server one, i'll post those, any thing else (server logs show nothing.) 18:54 < krzie> use verb 6 18:54 < krzie> you will see writes and reads 18:54 < krzie> or use standard networking tools like ncat to see which side is blocking 18:55 < krzie> but the openvpn way would be verb 6 19:00 -!- master_of_master [i=master_o@p549D6755.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:03 -!- master_of_master [i=master_o@p549D62B2.dip.t-dialin.net] has joined ##openvpn 19:07 < jnewt> http://www.pastie.org/740915 does anyone know the required steps to remedy this issue. 19:09 -!- gazelle [n=q@80-254-76-144.dynamic.swissvpn.net] has joined ##openvpn 19:09 < jnewt> krzie: that's the error with verb 6 as you suggested. apparently i also should not have used 192.168 for my addresses, as it may cause conflict, but i don't know if that is an issue right now. 19:13 < krzie> that error is just that it cant find your keys/server.crt 19:13 < krzie> use full paths in your configs 19:13 < jnewt> ok, tx 19:13 < krzie> or use no paths and define the path above with --cd 19:13 < jnewt> i like absolute / full paths best.... 19:14 < krzie> as do i 19:14 < krzie> although i handle it with a --cd 19:14 < krzie> for easier changing when i move boxes 19:21 < jnewt> ok, i think i have the path issue fixed :) 19:25 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 19:28 < jnewt01> when starting openvpn on the server, i loose internet connection. 19:28 < jnewt01> *lose 19:31 < havoc> BAH! 19:32 < gazelle> when i ctrl+c the vpn all my traffic gets routed over the insecure line!
19:32 < gazelle> all the traffic that's meant to be secure! 19:32 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 145 (Connection timed out)] 19:42 < jnewt01> bah? 19:49 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 19:49 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn 19:49 < krzie> jnewt, what is your goal? 19:50 < jnewt> ultimately to be able to browse samba shares from outside the network without winscp and to use our network based cad and accounting software offsite. 19:52 < krzie> but this: 19:52 < krzie> when starting openvpn on the server, i loose internet connection. 19:52 < krzie> means you're using redirect-gateway 19:52 < krzie> which has nothing to do with going towards your goal 19:52 < krzie> oh OR it means you're pushing a conflicting route 19:52 < krzie> !configs 19:53 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:54 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 60 (Operation timed out)] 19:55 < cizzi> i have openvpn tun0 connected but i cant reach hosts on the other network 19:55 < cizzi> i can ping the virtual ips 19:55 < krzie> virtual ips you mean vpn ips? 19:56 < cizzi> krzie: yes 19:56 < krzie> !route 19:56 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:56 < krzie> if you read that thoroughly you will know everything you need to know bout connecting lans in openvpn 19:56 < reiffert> moin 19:56 < cizzi> even in client-client mode?
19:56 < cizzi> not client-server 19:56 < krzie> moinmoin 19:56 < reiffert> moinmoinmoin 19:56 < krzie> cizzi no such thing 19:56 < jnewt> http://www.pastie.org/740947 krzie that is the "server" config 19:57 < krzie> theres client / server or point-to-point 19:57 < cizzi> point to point 19:57 < krzie> jnewt and client? 19:57 < jnewt> 1 min 19:57 < krzie> whooaaa 19:57 < krzie> nm i dont need client 19:57 < cizzi> im using remote x.x.x.x.x local x.x.x.x. config 19:57 < krzie> i see your issue 19:57 < krzie> you are like triple conflicting 19:57 < jnewt> :( 19:57 < krzie> local 192.168.2.0 19:57 < krzie> server 192.168.2.0 255.255.255.0 19:57 < krzie> push "route 192.168.2.0 255.255.255.0" 19:58 < krzie> your vpn subnet cant be same as your lan 19:58 < krzie> or ANY lan of any clients or server 19:58 < reiffert> whats your localtime atm? 19:58 < krzie> if you are to be sharing the server lan, your push is right (should match the subnet the server is in) 19:58 < krzie> but your vpn subnet cant match any lan 19:59 < krzie> your clients also can NOT be on the same subnet as your server lan 19:59 < krzie> so you may wanna change your server lan subnet to be less common 19:59 < jnewt> krzie: the server is in three subnets, it has three nics. the clients are also on one of those subnets, 192.168.2.xxx 19:59 < krzie> and definitely change the vpn subnet 20:00 < krzie> jnewt doesnt change anything 20:00 < krzie> oh wait 20:00 < krzie> clients are local? 20:01 < jnewt> clients are laptops, so as of right now, they are local. i want them to be able to use the network remotely. 20:01 < jnewt> as if they were locally connected. 20:01 < reiffert> 21:00?
20:01 < krzie> reif, 10pm 20:01 < reiffert> ah 20:01 < krzie> 22 20:02 < krzie> jnewt they must get a new subnet 20:02 < reiffert> 03:00 here 20:02 < krzie> because the router for that lan needs to know to direct vpnj traffic to the vpn machine 20:02 < krzie> vpn* 20:03 < krzie> jnewt, to understand what i mean there see "ROUTES TO ADD OUTSIDE OPENVPN" here: 20:03 < krzie> !route 20:03 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:03 < krzie> right under the network diagram 20:03 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit ["Lost terminal"] 20:05 < krzie> also 20:05 < krzie> you are using tcp 20:05 < krzie> !tcp 20:05 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 20:05 < krzie> be sure to read that 20:05 < krzie> you do NOT need --user root --group root 20:06 < krzie> you HAVE to start openvpn as root, if you dont want to drop permissions just remove those 2 lines 20:06 < krzie> if you DO want to drop perms, change them to a sandbox user to run openvpn as (after it does what it needs root to do) 20:08 < jnewt> what if i don't know what lan the clients will be on? 20:09 < jnewt> therefore i can't specify the iroute for the client. 20:09 < jnewt> or the push / route on the server. 20:09 < krzie> you wont be sharing the lan which sits behind the client 20:10 < jnewt> ok, so i wouldn't need the push / route on the server for each of the client lans, leaving only my push "route 192.168.2.0 255.255.255.0" 20:10 < krzie> you are only trying to share the servers lan, just push the servers subnet 20:11 < krzie> there ARE no client lans 20:11 < jnewt> ok, that's exactly what i have for the push already, how nice!
20:11 < krzie> notice my doc talks about if you want 3 lans shared, 2 from clients 1 from server 20:11 < krzie> its not meant to be 1 size fits all 20:12 < krzie> its meant to help people learn, then take that knowledge and apply it to their setups 20:14 < krzie> jnewt, to understand what i mean there see "ROUTES TO ADD OUTSIDE 20:14 < krzie> OPENVPN" here: 20:14 < krzie> right under the network diagram 20:15 < krzie> that was the part you need to know 20:20 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 20:29 < jnewt01> krzie: ok, i think i follow, except for where it says for example, 10.8.0.x, which i don't see in the diagram, or in any of the config lines. 20:29 -!- chantra_ [n=chantra@ns22757.ovh.net] has joined ##openvpn 20:30 -!- chantra [n=chantra@ns22757.ovh.net] has quit [Read error: 104 (Connection reset by peer)] 20:33 < krzie> it says something about a vpn subnet (example 10.8.0.x) 20:34 < krzie> That means in our example: 20:34 < krzie> 192.168.2.1 must know that for 192.168.1.x 192.168.3.x and the vpn internal network (for example, 10.8.0.x), it sends the traffic to 192.168.2.10 20:34 < krzie> This is true for any number of lans you want to connect, whether server or client. 20:35 < krzie> If you fail to add this route, here is what would happen if a VPN client (for example, 10.8.0.6) 20:35 < krzie> you have to actually READ 20:35 < krzie> not just look at the picture and config files 20:35 < krzie> all the understanding comes from the actual words :-p 20:36 < krzie> if i could have explained it all in a pretty picture i would have 20:37 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 110 (Connection timed out)] 20:37 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn 20:38 < cizzi> ok i managed to go to the basics, im able to ping the first host on my remote subnet but not the other hosts, why? 
20:38 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 60 (Operation timed out)] 20:38 < cizzi> i enabled ip forwarding ipv4 on the server 20:39 < krzie> cizzi 20:39 < krzie> most likely missing a route back to the vpn no your router 20:40 < krzie> as my routing doc i linked you to would have shown you 20:40 < krzie> right under the network diagram 20:40 < cizzi> that was for a 3 way thing 20:40 < cizzi> im using 2 hosts 20:40 < krzie> well guess what 20:40 < cizzi> i went to openvpn.com and used a howto 20:40 < krzie> your router still needs to know about the subnet 20:40 < cizzi> it does 20:40 < cizzi> let me check 20:41 < krzie> its either that or firewall stopping it 20:41 < cizzi> paste the link again krzie 20:41 < krzie> !route 20:41 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 20:41 < krzie> section: "ROUTES TO ADD OUTSIDE OPENVPN" 20:43 < cizzi> so i have to add routes for each additional host manually? 20:44 < krzie> negative 20:44 < cizzi> tired been at this for a few hours 20:44 < cizzi> need to re-read it a few times 20:44 < krzie> just tell the lans default gateway (router) that the vpn subnet (and lan behind other side of vpn if exists) lies behind the vpn client 20:44 < krzie> err not vpn client, but behind the local vpn node i mean 20:45 < krzie> (seeing as there is no client in ptp) 20:45 < cizzi> my router's default gw is 192.166.50.49 20:45 < cizzi> and i want to access that subnet 20:45 < cizzi> from that gw 20:45 < cizzi> so 192.168.50.0 20:45 < krzie> umm 20:45 < krzie> "my router's default gw is 192.166.50.49" 20:46 < krzie> your routers default gateway should be the inet 20:46 < krzie> no? 
20:46 < cizzi> true 20:46 < cizzi> my local subnet's gateway 20:46 < krzie> im talking about the LANs default gateway, which IS your router 20:46 < krzie> ok lemme walk you through it 20:46 < cizzi> ok 20:46 < krzie> whats the vpn ips? 20:47 < cizzi> i have 10.8.0.2 on the server 20:47 < cizzi> and 10.8.0.1 on the client 20:47 < krzie> (there is no server or client) 20:47 < krzie> lets say local and remote 20:47 < krzie> since you use ptp 20:47 < cizzi> um used client server i think 20:47 < cizzi> let me check 20:47 < krzie> you told me you use --ifconfig not --server 20:47 < cizzi> ifconfig ... 20:47 < cizzi> true 20:47 < cizzi> you are right 20:48 < krzie> no certs, shared key 20:48 < krzie> right? 20:48 < cizzi> just secret ... 20:48 < krzie> right 20:48 < cizzi> yes key 20:48 < krzie> there is no server 20:48 < krzie> anyways 20:48 < krzie> .1 is local or remote? 20:48 < cizzi> i dont know, either one can be either no? 20:49 < krzie> bleh 20:49 < cizzi> my local machine you mean here? 20:49 < cizzi> .1 is local then 20:49 < krzie> which side has a lan you need to be reached over the vpn? 20:49 < cizzi> .1 20:49 < krzie> .2 does not then right? 20:49 < cizzi> right 20:49 < krzie> what lan subnet is each vpn node on? 20:50 < cizzi> .1 is on 192.168.50.0 20:50 < cizzi> .2 doesn't have a subnet its 1 host 20:51 < krzie> .2 is not on a lan at all? 20:51 < cizzi> right 20:51 < krzie> (before bringing openvpn into the picture) 20:51 < krzie> like its directly connected to the inet 20:51 < cizzi> its a dedicated server out there 20:51 < cizzi> yes 20:51 < krzie> ok 20:51 < krzie> well thats easy 20:51 < krzie> what is the router for 192.168.50.0 20:51 < cizzi> 192.168.50.49 20:52 < cizzi> wrt54g 20:52 < krzie> what is the vpn node lan ip on that?
20:52 < krzie> ie: 192.168.50.69 20:52 < cizzi> 10.8.0.1 20:52 < cizzi> oh 20:52 < cizzi> 192.168.50.75 20:52 < krzie> ok 20:52 < krzie> so on that router 20:53 < krzie> you need a route telling it that 10.8.0.x goes to 192.168.50.75 20:53 < cizzi> i have route command output open 20:53 < cizzi> let me check 20:53 < cizzi> ok let me add that 20:53 < krzie> on the router itself 20:53 < cizzi> hmmm 20:53 < cizzi> its not a linux router 20:53 < krzie> so? 20:53 < cizzi> its a linksys wrt54g 20:53 < krzie> and...? 20:53 < cizzi> how do i run a route command on the router 20:54 < krzie> through the web gui 20:54 < cizzi> ok 20:54 < cizzi> not sure if it can do it 20:54 < cizzi> its an old model 20:54 < krzie> it can 20:54 < cizzi> let me check 20:54 < krzie> hell i have done it before 20:54 < krzie> its called a static route 20:54 < cizzi> in advanced routing 20:55 < cizzi> hey i didnt know i had that 20:55 < cizzi> thats so cool 20:55 < krzie> heh 20:55 < krzie> a router that you cant add routes to... isnt a router 20:56 < cizzi> i figured since it was all web gui and stuff 20:56 < krzie> it would technically be a NAT box (which i think is a better name for those anyways) 20:56 < cizzi> ok give me a few moments to get this right 20:56 < cizzi> dont want to mess it up 20:57 < cizzi> so 192.168.50.75 is my destination lan ip?
20:57 < krzie> its the gateway for 10.8.0.x 20:57 < krzie> as far as that router is concerned 20:58 < cizzi> but .75 is just a host 20:58 < cizzi> it will use the routing table from that host 20:58 < cizzi> ok got it i think 20:58 < krzie> a host running vpn software with a host connecting through it 20:58 < krzie> it will send packets destined for 10.8.0.x to that host 20:59 < krzie> who will then decide where to send packets (or keep them) depending on its routing table (assuming ip forwarding enabled) 20:59 < cizzi> i have to select an interface 20:59 < krzie> this is all explained in !route 20:59 < cizzi> lan/wireless or wan 20:59 < cizzi> i guess the first 20:59 < krzie> heh 20:59 < krzie> its upto you to figure out how to use your router 20:59 < cizzi> whats !route? 20:59 < cizzi> man route? 20:59 < krzie> i just tell you what you gotta do in the router, how to do it is upto you 20:59 < krzie> !route 20:59 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 21:00 < krzie> thats !route 21:00 < krzie> my doc on openvpn routing 21:00 < cizzi> ok it added an entry 21:00 < cizzi> saying 10.8.8.0 goes to 192.168.50.75 21:00 < cizzi> on the lan 21:00 < krzie> .8.8.0? 21:00 < cizzi> should work now? 21:01 < cizzi> yes 21:01 < cizzi> shit 21:01 < cizzi> its a 0 .. had to fix that now 21:02 < cizzi> ok got it 21:02 < cizzi> 10.8.0.0 21:02 < cizzi> now let me test it 21:04 < cizzi> so before i test it 21:05 < cizzi> i want to understand.. if i ping 192.168.50.77 for example it will go to 10.8.0.1 which will go to 10.8.0.2 which will go to 192.168.50.49, and then the router will send it to 192.168.50.77 21:05 < cizzi> but i already have a default route on 192.168.50.75 saying to go to the router 21:07 < cizzi> on the router table it says anything in 10.8.0.0 go back to .75 21:07 < cizzi> otherwise it would get lost 21:07 < cizzi> ?
21:07 < cizzi> hmmm 21:08 < cizzi> not convinced 21:09 -!- Bushmills [n=nBushmil@verhau.de] has left ##openvpn ["Leaving."] 21:09 < cizzi> adiggiddiy dog it works 21:09 < cizzi> but im not sure i follow the path of the routing 21:10 < cizzi> let me start over 21:10 < cizzi> i ping 192.168.50.77 21:10 < cizzi> the route says go to 10.8.0.1 21:10 < cizzi> on 10.8.0.1 the routing says go to 192.168.50.49 21:11 < cizzi> on 192.168.50.49 it says to stay there 21:11 < cizzi> with 192.168.50.0 -> 192.168.50.49 21:12 < cizzi> hmm 21:12 < cizzi> guess u left? 21:13 < cizzi> so we added anything related to 10.8.0.x go back to the host 192.168.50.75 21:14 < cizzi> but my initial ping was not a 10.8.0.x 21:14 < cizzi> i'll get it eventually 21:14 < cizzi> thanks 21:15 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit ["Lost terminal"] 21:56 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 22:22 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 22:25 -!- Diddi_ is now known as Diddi 22:58 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 113 (No route to host)] 23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)] 23:04 -!- niterain [n=niterain@c-67-191-63-149.hsd1.fl.comcast.net] has quit [Remote closed the connection] 23:07 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 23:15 -!- Hrishikesh [n=Hrishike@59.92.133.177] has joined ##openvpn 23:17 < Hrishikesh> hi, how do I prevent clients on a VPN from exploiting DOS attacks on each other? In other words, how do I prevent burst traffic from occurring through the VPN tunnel? 23:18 < Hrishikesh> Also, is there a way to limit the number of TCP/UDP connections a client can have over the VPN tunnel?
23:24 -!- Hrishikesh [n=Hrishike@59.92.133.177] has quit ["Leaving"] 23:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn --- Day changed Sun Dec 13 2009 00:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 00:29 -!- Broady [n=b@unaffiliated/broady] has left ##openvpn [] 00:47 -!- gazelle [n=q@80-254-76-144.dynamic.swissvpn.net] has quit [Read error: 110 (Connection timed out)] 01:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 01:07 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 01:12 -!- quentusrex [n=quentusr@freeswitch/developer/quentusrex] has joined ##openvpn 01:12 < quentusrex> Anyone able to get openvpn gui installed in Windows 7 64 bit? 01:14 < quentusrex> it installs properly 01:14 < quentusrex> and it runs 01:14 < quentusrex> but there is no left click menu 01:14 < quentusrex> and right click only show: proxy, about, exit. 01:14 < quentusrex> nothing else.. 02:09 < krzee> tried cli? 02:34 -!- hyper__ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has joined ##openvpn 02:34 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has quit [Nick collision from services.] 02:34 -!- hyper__ch is now known as hyper_ch 03:33 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 03:39 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 03:41 -!- krzee changed the topic of ##openvpn to: NO SUPPORT FOR ACCESS SERVER | OpenVPN 2.1.1 is released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. 
|| Also interesting: !man !/30 !topology !iporder !forum || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 03:43 -!- krzee changed the topic of ##openvpn to: NO SUPPORT FOR ACCESS SERVER | OpenVPN 2.1.1 is released || CHECK YOUR FIREWALL || We need !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict) 03:53 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 03:56 -!- monty_ [n=monty@74.63.201.40] has joined ##openvpn 04:07 < monty_> hi ecrist, my host says TUN is already enabled 04:09 -!- monty_ [n=monty@74.63.201.40] has quit [Remote closed the connection] 04:09 -!- monty_ [n=monty@74.63.201.40] has joined ##openvpn 04:46 -!- monty_ [n=monty@74.63.201.40] has quit [Remote closed the connection] 04:51 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)] 05:03 -!- Rolybrau [n=Rolybrau@187-69.78-83.cust.bluewin.ch] has joined ##openvpn 05:06 -!- hyper__ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has joined ##openvpn 05:06 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has quit [Nick collision from services.] 05:06 -!- hyper__ch is now known as hyper_ch 05:17 -!- theTroy [n=troy@unaffiliated/thetroy] has joined ##openvpn 05:19 < theTroy> I cannot understand how to setup the Linux iptables to allow VPN to act as "redirect-gateway". 
When I do iptables -t nat -A POSTROUTING -s tun0 -o wlan0 -j MASQUERADE and echo 1 into the ipv4 forwarding, it does not seem to work :( 05:20 -!- maodun [n=stopgo@114.243.120.171] has joined ##openvpn 05:21 < maodun> krzee: I was in here a while back trying to hunt down a BAD SOURCE problem and I told you I would dig more and get back to you if I got more information 05:23 < maodun> krzee: I was given the following info on the mailing list 05:23 < maodun> "this is not an openvpn issue but a Windows issue: especially if the windows file and printer sharing protocol is used then windows will/can send packets with the "wrong" source IP address ; if you do not require windows file or printer sharing 05:23 < maodun> over your VPN then unbind all CIFS related protocols from the Tap-Win32 adapter (Microsoft Client for Windows networks, Windows file and printer sharing etc)." 05:24 < maodun> It didn't solve my problem, but maybe it IS the solution to someone else's bad source problem 05:24 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"] 05:26 < maodun> I now have a related question: My server's local address is 192.168.1.150, and my client's local address is 172.30.1.100, I can successfully ping 192.168.1.150 and 192.168.1.1 (my server's router) from the client - is that behavior correct? I thought I would need to communicate through the 10.8.x.y network addresses that the VPN set up. 05:55 < optiz0r> theTroy: -s is short for --src-address, you can't use an interface name like tun0 with it. 
Either use -s with a network address like 10.8.0.0/24, or use -i tun0 05:56 < theTroy> optiz0r: yes you are right, sorry, I was using -i tun0 (did not copy paste but wrote by memory) it still does not work 06:01 < optiz0r> theTroy: next issue, you may not use -i in a POSTROUTING rule 06:02 < optiz0r> If you need that behaviour, you might need to investigate connection marks in the mangle table, otherwise you could rewrite the rule to use src address instead 06:57 < theTroy> optiz0r: so what do you suggest to use? 07:01 < optiz0r> I don't claim to be any kind of expert, but I've had connection marks working well enough in the past. src address would be a lot easier though, just swap -i tun0 for -s 10.8.0.0/24 or whatever 07:06 < Han> theTroy, this is what is in my firestarter rules 07:06 < Han> $IPT -A INPUT -i tun+ -j ACCEPT 07:06 < Han> $IPT -A OUTPUT -o tun+ -j ACCEPT 07:09 < theTroy> optiz0r: Han thanks! I will try both 07:18 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 60 (Operation timed out)] 07:34 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 08:07 -!- theTroy [n=troy@unaffiliated/thetroy] has quit ["Leaving."] 08:26 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection] 08:32 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 113 (No route to host)] 08:36 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 08:37 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:37 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote closed the connection] 08:50 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:54 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 09:01 -!- dnivra_ [n=arvind@59.93.33.71] has joined ##openvpn 09:01 -!- dnivra_ [n=arvind@59.93.33.71] has quit [Client Quit] 09:12 -!- 
jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 09:15 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 09:22 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:25 < jnewt01> how do i know what interface to bind openvpn to? 09:26 < Han> jnewt01, common sense. 09:29 < jnewt01> Han: common sense...so you actually believe that most people in this world know not only what binding means, but how to choose an interface on a multi-nic system... 09:30 < jnewt01> common sense tells me that's just not true. 09:31 < Han> And I quote: "jnewt01| how do _i_ know..." 09:33 < jnewt01> gonna help or not? i can send you a link to the definition of "common sense" if you would like to argue this point, but it doesn't help me. 09:34 < Han> Nah, I've had it with you/. 09:38 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 09:46 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)] 09:55 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 110 (Connection timed out)] 09:59 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 10:00 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn 10:07 -!- jnewt01 [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 60 (Operation timed out)] 10:07 -!- jnewt01 [n=jnewt@166.189.191.28] has joined ##openvpn 10:08 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 10:11 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn 10:18 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit [Read error: 110 (Connection timed out)] 10:22 < krzee> jnewt01, 10:22 < krzee> [11:29] Han: common sense...so you actually believe that most people in this world know not only what binding means, 
but how to choose an interface on a multi-nic system... 10:23 < krzee> a vpn is more advanced networking 10:23 < krzee> if you cant figure that part out, you may not be ready to be honest 10:25 < jnewt01> i am at the point where i think i have everything figured out, but it doesn't work as expected. therefore i am trying to re-examine what i believe to be correct, a second opinion if you will. 10:25 < krzee> maodun, 10:26 < krzee> thanx for relaying that info, i did not know about the CIFS stuff causing src to change 10:26 < r0fl> when using p2p mode, is the traffic tunnelled through the server when client a sends data to client b? so is it client a -> server -> client b or is it peer to peer, client a -> client b 10:27 < krzee> and as far as your new answer, if firewall and ip forwarding allows, that is normal behavior, if you need more of the lan there is more to setup assuming your vpn node is not the router for the LAN 10:27 < krzee> jnewt01, openvpn should run on the tun interface =] 10:27 < krzee> r0fl, yes, ALWAYS through server, because of how ssl encryption works 10:28 < krzee> i have an idea of how they could make the client to client work here: 10:28 < krzee> !wishlist 10:28 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist 10:28 < krzee> but i doubt it will ever happen, it would be a huge undertaking 10:30 < maodun> krzee: Ok, thanks for that info. I'm still pretty stuck on the bad source issue. My temptation is to just start digging into the sources to get a deep understanding of what's going on. I'm not really a networking guru, do you have any more suggestions for me before I go that route? 10:30 < krzee> well the openvpn source wont help you 10:30 < krzee> you know the exact problem 10:31 < maodun> I do? 
I thought perhaps something in the TAP driver was causing the problem 10:31 < krzee> the mail list guy agreed with me as far as the cause, its your OS sending packets with source of the inet device 10:31 < krzee> negative, its your OS's networking 10:31 < r0fl> krzee: is there any p2p vpn software? the tinc documentation isn't the that great 10:31 < krzee> ive seen it on a few win and a few linux boxes 10:31 < maodun> ugh 10:32 < krzee> r0fl, i heard hamachi does, i know ipsec does 10:32 < jnewt01> krzee: yes, i have dev tun on the clients and the server config files. i also have server 10.8.0.0 255.255.255.0 on the server which should ifconfig the tun interface with the proper vpn addresses. 10:32 < krzee> maodun, i actually did read that part of the openvpn source 10:33 < krzee> when i was figuring out how to chain vpns 10:33 < krzee> jnewt01, ok... 10:33 < maodun> ah 10:34 < krzee> however, dont let that be a reason for you to not do it too, i did learn from that 10:34 < maodun> are there any hacks I could do server-side to help with the issue? maybe some rerouting with iptables so that it looks like it's coming from the right address? I'm not sure there's such a good solution given that I don't have a lot of information about my potential clients 10:34 < krzee> im no coder but the source is clean and commented, easy to understand 10:34 < krzee> maodun, if you know the source the client will send from, you can add an iroute 10:34 < krzee> !iroute 10:34 < vpnHelper> krzee: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd 10:35 < maodun> Ok, that's good. I'll probably run through it just to get a better understanding. 
10:35 < jnewt01> krzee: however, i am getting a TLS handshake failed, TCP/UDP: Closing socket error. also, i have changed back from tcp to udp and opened port 1194 on the server and specified the port in the server config 10:35 < krzee> it should be udp 10:35 < krzee> tcp is only when you have no choice 10:35 < jnewt01> yes, agreed. 10:35 < ecrist> good morning 10:36 < krzee> maodun, also read this a few times just for the hell of it 10:36 < krzee> !route 10:36 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:36 < krzee> maodun, its not about your problem, but you'll learn stuff that it sounds like you're interested in 10:36 < krzee> g'mornin ecrist 10:37 < maodun> krzee, ok - I've already read that, but I'll go through it again 10:37 < krzee> jnewt01, there should be something above the handshake fail that tells you the actual problem, use verb5 or verb6 10:37 < krzee> ahh cool 10:49 -!- hyper__ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn 10:49 -!- hyper_ch [n=hyper@adsl-89-217-90-67.adslplus.ch] has quit [Nick collision from services.] 10:49 -!- hyper__ch is now known as hyper_ch 10:50 * |Mike| yawns 11:02 < r0fl> krzee: is this p2p thing default behaviour in ipsec? 
11:06 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has joined ##openvpn 11:08 -!- jnewt01 [n=jnewt@166.189.191.28] has quit [Read error: 110 (Connection timed out)] 11:17 -!- phusion__ [n=phusion@88.80.16.38] has quit [Remote closed the connection] 11:19 -!- phusion__ [n=phusion@88.80.16.38] has joined ##openvpn 11:20 -!- phusion__ [n=phusion@88.80.16.38] has quit [Remote closed the connection] 11:21 -!- phusion__ [n=phusion@88.80.16.38] has joined ##openvpn 11:22 -!- phusion__ [n=phusion@88.80.16.38] has quit [Remote closed the connection] 11:24 -!- phusion__ [n=phusion@88.80.16.38] has joined ##openvpn 11:29 -!- phusion__ [n=phusion@88.80.16.38] has quit [Remote closed the connection] 11:30 -!- phusion__ [n=phusion@88.80.16.38] has joined ##openvpn 11:34 < krzee> r0fl, dnno, never used it 11:38 < r0fl> who knew that it would be so hard to find out how ipsec works. i have only found docs with 2 networks to connect with each other. i want 20 clients to connect to one server. 11:39 < krzee> this is the wrong channel 11:39 < krzee> we help with openvpn here 11:41 < r0fl> i was certain that openvpn is able to do that^^ 11:41 < krzee> but it doesnt 11:47 < Bushmills> "want 20 clients to connect to one server.", well yes, openvpn can do that 11:47 < krzee> he wants direct client to client without hitting server 11:58 < aland> r0fl: maybe tinc can help you 11:58 < aland> its much more peer based than openvpn 12:13 < jnewt> http://pastie.org/741506 can someone see what the actual problem is here? this is verb 6 log from client trying to connect. 
12:13 < krzee> !configs 12:13 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 12:13 < krzee> and that is way too short to be a verb 6 log 12:14 < krzee> 2.0.9 is OLD 12:14 < jnewt> that's how long i have been trying to get this to work :( 12:14 < krzee> and that looks like a client log, wheres the server log at verb 6 12:14 < krzee> ya, a couple years? 12:18 -!- kosmic [n=kosmic@unaffiliated/spice] has quit [Remote closed the connection] 12:19 < reiffert> hey, openvpn2009 is back. 12:19 < reiffert> and kasx is as well. 12:20 < jnewt> krzee: http://pastie.org/741521 12:20 < jnewt> krzee: installed it last year, never got it to run. 12:21 -!- Knoedel_ [n=Knoedel2@dslb-092-072-045-041.pools.arcor-ip.net] has joined ##openvpn 12:21 < Knoedel_> hi all 12:23 < Knoedel_> i want to create a openvpn site-to-site configuration for over 20 locations which can talk with each other, is there a good howto for this size ? 12:23 < Knoedel_> !wiki 12:23 < vpnHelper> Knoedel_: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 12:23 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 131 (Connection reset by peer)] 12:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 12:38 -!- Gumbler [i=Gumbler@unaffiliated/gumbler] has left ##openvpn ["In Soviet Russia, client quits YOU!"] 12:40 < Kasx> reiffert: I don't think we ever left :-) 12:41 < krzee> never left what 12:43 < Kasx> < hey, openvpn2009 is back. 12:43 < Kasx> and kasx is as well.> 12:43 < krzee> ahh werd 12:44 < krzee> not sure if i said hi to you yet, welcome in and its good to have some people from the official team here 12:45 -!- Artio [n=_@port-15833.pppoe.wtnet.de] has joined ##openvpn 12:45 < Kasx> Glad to be here! Nice to meet you as well. 12:46 < krzee> pltn, pleasonton? 
12:46 < Kasx> Pleasanton, yep 12:47 < Kasx> California 12:47 < krzee> cool 12:47 < krzee> i am orig from the bay 12:47 < Kasx> Oh cool, which part? 12:47 < krzee> 707 12:48 < Kasx> gotcha 12:48 < Kasx> we are 925 12:48 < krzee> yup 12:48 < Kasx> isn't 707 like vallejo? 12:48 < krzee> i stayed in 925 for awhile too 12:49 < krzee> ya thats part of it 12:49 < krzee> it goes all the way up to humboldt 12:49 < krzee> huge area code 12:49 < krzee> ;] 12:49 < Kasx> richmond? 12:49 < Kasx> yes it is 12:49 < krzee> richmond is 510 isnt it? 12:49 < Kasx> not sure 12:49 < Kasx> could be 12:49 < krzee> pretty sure it is 12:49 < krzee> ooo ride is here 12:49 < krzee> bbiab from krzie 12:50 < Kasx> seeya 13:02 < jnewt> i am showing with netcat that my 1194 port is open from the server. however, i get TLS key negotiation failed to occur within 60 seconds (check your network connectivity) where should i look from here? 13:04 < jnewt> netcat output shows malkc.no-ip.biz [70.252.130.22] 1194 (openvpn) open 13:07 -!- jnewt [n=jnewt@ppp-70-252-130-22.dsl.ksc2mo.swbell.net] has quit ["Leaving"] 13:14 < ecrist> my switch mgmt interface is hung. ugh 13:25 < ecrist> 13:26 < ecrist> sweet, a reboot of the switch fixed my snmp problem, too 13:36 -!- ShaunR [n=shaun@ip70-181-78-101.oc.oc.cox.net] has joined ##openvpn 13:36 < ShaunR> openvpn client for windows 7? 13:37 < ecrist> client is same as server 13:37 < ecrist> just download the windows installer from openvpn.net 13:38 < ShaunR> i used the client from openvpn.se on vista... 13:38 < ShaunR> where is the client on openvpn.net? 
13:38 < ecrist> ShaunR: the GUI is now rolled with the executable from openvpn 13:38 < ecrist> no need for the .se gui 13:39 < ecrist> click on community and then downloads 13:47 < krzie> baq 13:48 < krzie> ShaunR 13:48 < krzie> !download 13:48 < vpnHelper> krzie: "download" is (#1) www.openvpn.net/download to download openvpn, or (#2) http://openvpn.net/index.php/open-source/downloads.html 13:49 < krzie> !forget download 2 13:49 < vpnHelper> krzie: Joo got it. 13:49 < krzie> # multihome option to enable UDP-based multihoming of the server on multiple interfaces. 13:49 < krzie> hey thats cool 13:51 < krzie> !learn management as see http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn/management/management-notes.txt to learn about the openvpn management interface. 13:51 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 13:51 < krzie> heh 13:51 < zib> I want a patch which does per-packet udp-source change :) Too bad im too sucky to fix that myself. 13:51 < krzie> looks like i gotta change something =x 13:51 < krzie> zib, re-write it in your firewall 13:51 < zib> krzie: Tried but there's no good way in linux. 13:52 < krzie> and why do you actually want that? 13:52 < zib> There's no way around iptables creating a "state" for the session. And then it won't change.. 13:52 < zib> I have a 10mbit cap on the upload per ip here. But I have 10 ips..so you get the rest :) 13:53 < krzie> ya i just realized that would mean spoofing was built into iptables, makes sense thats not there 13:53 < zib> Well I dont want to spoof. 13:53 < krzie> change the source of outgoing udp packets... 13:53 < krzie> thats what spoofing udp is ;] 13:53 < zib> But i've tried a lot of iptables/iproute2-based setups and the best one would still be to just change it in openvpn imho. 
13:53 < krzie> just so happens you own the ips too 13:53 < zib> Well. I wouldn't call it spoofing if I actually have the ips :) 13:54 < krzie> but it is 13:54 < krzie> regardless of what you would like to call it ;] 13:54 < zib> ok let's call it that then :) 14:01 < |Mike|> you can reach me at 0000-mike 14:03 < krzie> i can reach you at your phone number 14:04 < |Mike|> O yeah, i almost forgot 14:07 < ShaunR> where do i put the .crt in my client? 14:08 < ShaunR> just in the base openvpn dir? 14:08 < ecrist> anywhere you want 14:08 < ecrist> you just need to use a full path if they're not relative 14:08 < |Mike|> you can define the path to the .crt's 14:08 < ShaunR> what if it's relative 14:09 < ecrist> then everything in the same directory 14:11 < ShaunR> ok, looks like config dir is where it wanted the crt/keys 14:11 < ShaunR> brb 14:11 -!- ShaunR [n=shaun@ip70-181-78-101.oc.oc.cox.net] has quit [] 14:12 -!- ShaunR [n=shaun@ip70-181-78-101.oc.oc.cox.net] has joined ##openvpn 14:12 < ShaunR> bah.. windows7 is restricting crap... 14:13 < ShaunR> i'm getting an error with the route command 14:16 < |Mike|> pastebin it 14:21 < ShaunR> http://pastebin.ca/1713537 14:32 < ShaunR> ah, needed to edit properties on the openvpn exe and tell it to run as admin... 14:32 < ShaunR> i guess it's not enough that i'm logged in as admin... 14:33 -!- ShaunR [n=shaun@ip70-181-78-101.oc.oc.cox.net] has quit [] 14:33 -!- ShaunR [n=shaun@staff.ndchost.com] has joined ##openvpn 14:34 < ShaunR> there we go. 
14:34 < ShaunR> thanks 14:44 < krzie> np 15:07 -!- coil_ [i=stfu@unaffiliated/coil] has joined ##openvpn 15:27 < krzie> omgomg 15:27 < krzie> http://search.slashdot.org/article.pl?sid=09/12/13/1358250 15:27 < vpnHelper> Title: Slashdot | Google Demonstrates Quantum Computer Image Search (at search.slashdot.org) 15:35 -!- Glebelg [n=Glebelg@unaffiliated/glebelg] has joined ##openvpn 15:36 < Glebelg> hi evrybody 15:38 < Glebelg> i can't get rid of "read UDPv4 [EHOSTUNREACH|EHOSTUNREACH]: No route to host" error for hours... 15:39 < Glebelg> the client connects but no ping...and after a little time - connection timeout... 15:44 < Han> can you increase the loglevel? 15:47 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: noooon, zamba, sno, Rienzilla, ^scott^, znull, Typone, mrnice1 15:49 -!- Netsplit over, joins: sno 15:49 -!- Netsplit over, joins: zamba 15:50 -!- Netsplit over, joins: noooon, Rienzilla 15:50 -!- Netsplit over, joins: znull 15:53 < Glebelg> to 9 yes...i'm at 5 15:53 -!- Typone [n=nnnnitsm@195.197.184.87] has joined ##openvpn 15:53 -!- ^scott^ [n=scott@stthom.org] has joined ##openvpn 15:53 -!- mrnice1 [i=bouncer@ip077244250141.rev.nessus.at] has joined ##openvpn 15:54 -!- glengoyne [n=glengoyn@p4FC224D8.dip.t-dialin.net] has joined ##openvpn 15:54 < krzie> Glebelg 5 is fine 15:54 < krzie> !logs 15:54 < krzie> !configs 15:54 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
15:54 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:55 < krzie> do those and ill take a look 15:57 < Glebelg> !logs 15:57 < vpnHelper> Glebelg: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 15:57 < Glebelg> ? 16:00 < Han> It's a bot... 16:01 < Glebelg> i don't knox how to post my log without overflooding the chan? 16:01 < Glebelg> know 16:01 -!- ShaunR [n=shaun@staff.ndchost.com] has left ##openvpn [] 16:02 < Glebelg> !howto 16:02 < vpnHelper> Glebelg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:03 < Han> !paste 16:03 < vpnHelper> Han: "paste" is "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca 16:03 < Glebelg> http://pastebin.com/d476a6757 16:03 < Han> hmmm nice guys over here. 16:04 < Glebelg> thank you 16:04 < Glebelg> this is server log 16:05 < Han> NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet. 16:05 < Han> Interesting line. 16:06 < Glebelg> yes, client and servers are on the same LAN 16:06 < Glebelg> for the moment... 16:06 < Glebelg> i'm preparing my computers before traveling 16:07 < krzie> Glebelg you using redirect-gateway? 16:07 < Han> OK, openvpn sets up a tunnel. Which can have a different subnet from your physical lan 16:07 < Glebelg> no 16:08 < krzie> Glebelg whats your goal? 16:08 < Han> If you would put it on the same subnet you will get a conflict. Just like the note said. 
16:08 < Glebelg> i post the server config file 16:09 < krzie> no you didnt 16:09 < krzie> you posted server logfile 16:09 < Han> He meant to say he's going to post the config file. 16:09 < Glebelg> update internet page 16:09 < krzie> ahh 16:09 < Glebelg> done 16:10 < krzie> ok so assuming you config'ed it right for sharing the lan behind the client 16:10 < krzie> which is just what im assuming your goal is since you have said nothing to answer that 16:10 * Han feels completely ignored. 16:10 < Glebelg> my goal : config openvpn to be able to work on my local network when i travel... 16:10 < krzie> ok Glebelg, its exactly what Han said 16:10 < Glebelg> yes 16:10 < krzie> you can NOT config this correctly with both in 1 place 16:11 < krzie> wanna understand why 16:11 < krzie> ? 16:11 < Glebelg> yes? why? subnet? 16:11 < Glebelg> like said han? 16:11 < krzie> when your client connects and gets a route to the lan over the vpn 16:11 < krzie> it overwrites the orig route to lan to then go over the vpn 16:11 < krzie> but the vpn needs to connect to lan to exist 16:11 < krzie> chicken V egg 16:11 < Han> PICK A DIFFERENT SUBNET! 16:12 < krzie> for this reason you should also NOT run it on 192.168.0.x even when done 16:12 < krzie> han, doesnt matter what subnet hes on, it wont work 16:12 < krzie> both client and server in same location, cant do this setup 16:12 < Glebelg> yes krzie i understand i'll try han solution...to see 16:12 < Glebelg> ha ok... 
16:13 < krzie> post BOTH configs without comments like i said to awhile ago 16:13 < krzie> !configs 16:13 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 16:13 < Glebelg> ok 16:14 < krzie> han, his tunnel is using 10.8.0.x and no matter what he changes his lan subnet to, client and server are on the same lan therefore same subnet 16:14 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 145 (Connection timed out)] 16:15 < Glebelg> http://pastebin.com/d6b9a1b62 16:15 < krzie> however Glebelg, if you want this to work in real world, you will want to change your LAN subnet to something uncommon (as han said, as openvpn says when you start it, as our topic here says) 16:15 < Glebelg> server conf file 16:16 < krzie> want some security tips? 16:16 < Glebelg> yes...of course 16:16 < krzie> !hmac 16:16 < vpnHelper> krzie: "hmac" is (#1) The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. 
The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS., or (#2) openvpn --genkey --secret ta.key to make the 16:16 < vpnHelper> krzie: tls static key , in configs: tls-auth ta.key # , 1 for client or 0 for server in the configs 16:16 < krzie> !mitm 16:16 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 16:18 < Glebelg> ok but i wanted something minimal to begin...but i note it and i'll add it 16:18 < Glebelg> when it'll work... 16:18 < krzie> and thats a good way to do it =] 16:18 < krzie> start small and build up 16:19 < krzie> but ya, assuming your client config doesnt conflict, your config is good 16:19 < krzie> ild know if it did or not, but you only pasted one of the configs even tho i asked for both :-p 16:21 < Glebelg> yes...i'm doing the same on my second pc...but pastebin does not seem to respond... 16:22 < krzie> you killed your route by starting openvpn 16:22 < krzie> when your client connects and gets a route to the lan over the vpn 16:22 < krzie> it overwrites the orig route to lan to then go over the vpn 16:22 < krzie> but the vpn needs to connect to lan to exist 16:22 < krzie> you have no route to your lan at all 16:22 < krzie> including your router 16:22 < Glebelg> http://pastebin.com/dd535ddf 16:22 < krzie> in fact im surprised the client's cpu isnt at 100% 16:22 < krzie> it should have a routing loop 16:23 < Glebelg> Oo...no internet is ok with the client...i do not understand... 
16:23 < krzie> looks good 16:23 < krzie> oh maybe cause its a physical link to router 16:24 < krzie> anyways, your setup is right but you cant do this from within lan (or ANY location with same subnet as your home lan) 16:24 < Glebelg> my server is connected to router with ethernet and my client with wifi 16:24 < krzie> because of this: 16:24 < krzie> # 16:24 < krzie> push "route 192.168.0.0 255.255.255.0" 16:24 < krzie> comment that and your vpn will work 16:25 < Glebelg> ok i try 16:29 < Glebelg> GREAT !!!!!! 16:29 < Glebelg> Thank you very much!!!!! 16:29 < krzie> np but that only solves it INSIDE the lan 16:29 < Glebelg> and thanks to Han too!!!! 16:29 < krzie> now you need to do 3 things to get ready for when you leave 16:30 < krzie> well 4 i guess 16:30 < krzie> 1) make sure NAT is setup right on your router that the outside world can access your openvpn 16:30 < krzie> 2) make sure you change your lan subnet to be something uncommon 16:30 < Glebelg> ok no problem 16:30 < Glebelg> hoho... 16:31 < Glebelg> ok i think i can do that without perturbing too many things 16:31 < krzie> 3) add a route on your router telling it that any packets for 10.8.0.0 255.255.255.0 route through 192.168.0.10 16:31 < krzie> 4) uncomment the line i told you to comment 16:32 < krzie> #3 changes along with your new subnet obviously 16:32 < Glebelg> i've got to figure it to understand why the 3rd... 
16:32 < krzie> here is the why: 16:32 < krzie> !route 16:32 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 16:32 < krzie> see blow the network diagram 16:32 < krzie> an explanation at "ROUTES TO ADD OUTSIDE OPENVPN" 16:33 < krzie> its all about understanding the src / dest address of the packets you are dealing with, and following them as they travel through the network 16:33 < krzie> see blow the network diagram 16:33 < krzie> i mean see below 16:39 < Glebelg> ok i understand, so with this manipulation i do not have to route 10.8.0.0 in every pc of my personal lan? 16:39 < Glebelg> the router does it by himself? 16:39 < Glebelg> itself 16:42 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: aland 16:43 < krzie> correct 16:43 < krzie> doing it on every pc works, doing it on the router works and is easier 16:44 < Glebelg> thank you, next step : apply security tips you give me... 16:44 -!- Netsplit over, joins: aland 16:45 < krzie> np 16:45 < Glebelg> but enough for today...and in 15 minutes it's tomorrow ^^ 16:46 < Glebelg> bye 16:46 < krzie> adios 17:10 -!- Knoedel_ [n=Knoedel2@dslb-092-072-045-041.pools.arcor-ip.net] has quit [] 17:25 -!- glengoyne [n=glengoyn@p4FC224D8.dip.t-dialin.net] has quit [Read error: 113 (No route to host)] 17:25 -!- Artio [n=_@port-15833.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Like it? 
Visit #hydrairc on EFNet"] 17:36 -!- jnewt [n=jnewt@166.133.225.47] has joined ##openvpn 17:46 -!- jnewt [n=jnewt@166.133.225.47] has quit ["Leaving"] 18:48 -!- master_o1_master [n=master_o@p549D7613.dip.t-dialin.net] has joined ##openvpn 19:00 -!- master_of_master [i=master_o@p549D62B2.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:27 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [] 19:33 -!- xod [n=onats@112.201.158.40] has quit [Read error: 101 (Network is unreachable)] 20:47 < krzie> im bored =[ 21:03 < Bushmills> http://scarydevilmonastery.net/bored.mp3 21:06 < Bushmills> krzie: ^^^ 21:06 < krzie> no audio here 21:07 < krzie> but guesshermuff.blogspot.com has been killing the time (Not safe for work, unless you work with me, lol) 21:07 < Bushmills> http://lyrics.wikia.com/The_Bonzo_Dog_Doo-Dah_Band:I%27m_Bored 21:07 < vpnHelper> Title: The Bonzo Dog Doo-Dah Band:I'm Bored Lyrics - LyricWiki - Music lyrics from songs and albums (at lyrics.wikia.com) 21:33 -!- maodun [n=stopgo@114.243.120.171] has left ##openvpn [] 21:54 < krzee> moinmoin 21:59 -!- Intensity [i=[113Kiu9@unaffiliated/intensity] has quit [Connection timed out] 22:30 -!- lampliter [n=chatzill@harvee.org] has joined ##openvpn 22:31 < lampliter> can I get some advice on the shape option? 22:39 < krzee> ive never played with it personally, but you'll get more help by just asking =] 22:44 < lampliter> ok, how does it work? I'm trying to figure out the right Qs to help me understand enough to ask the right q's 22:48 < krzee> well you read on --shaper in the manual right...? 22:48 < krzee> !man 22:48 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
22:49 < lampliter> read the man page 22:49 < krzee> thats all i know of it, but it seems pretty clear 22:49 < krzee> remember its BYTES not bits 22:49 < krzee> ok if you read the man, what dont you understand? 22:52 < lampliter> the manual page I saw didn't tell me a lot 22:52 < lampliter> http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html 22:52 < vpnHelper> Title: OpenVPN 2.0.x (at openvpn.net) 22:52 < krzee> Limit bandwidth of outgoing tunnel data to n bytes per second on the TCP/UDP port. If you want to limit the bandwidth in both directions, use this option on both peers. 22:53 < krzee> that alone seems to be enough to give you something to start testing out 22:53 < krzee> unless of course you need low bandwidth, then this part matters too 22:53 < krzee> Also note that for low bandwidth tunnels (under 1000 bytes per second), you should probably use lower MTU values as well (see above), otherwise the packet latency will grow so large as to trigger timeouts in the TLS layer and TCP connections running over the tunnel. 22:54 < krzee> what more do you wanna know? 22:54 < lampliter> sorry. Miserable HTML rendering made some of it unreadable 22:54 < krzee> ahh 22:55 < krzee> and i wasnt trying to be rude or anything, just not sure how i can help ya ;] 22:56 < krzee> like shaper 1024 would limit upload to 1KB/s 22:57 < lampliter> like I said. I'm trying to learn and for some reason the light blue and dark blue tiny font rendering makes comprehension difficult :-) 22:57 < lampliter> what I need to do is I need to change the limit based on time of day 22:57 < krzee> interesting 22:58 < krzee> maybe you want something outside of openvpn then 22:58 < lampliter> see we have a remote backup server and whenever we get a big burp of data, the Internet connection goes dead until it passes 22:58 < krzee> if you use unix im sure theres something you could whip up in the firewall 22:58 < lampliter> one would think. 
22:59 < krzee> forget about the time of day part, just look for how to limit bandwidth in your firewall
22:59 < lampliter> Trouble is, if you try to use the Linux firewall code to modify the traffic through an open VPN tunnel, if that's not a good thing
22:59 < krzee> you can have multiple rulesets scripted up and change it via crontab
22:59 < krzee> nah it doesnt matter
23:00 < krzee> well it shouldnt... do you know that it does or something...?
23:00 < lampliter> actually, my preference if I had hands that worked, would be to modify rsync
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)]
23:01 < lampliter> the problem is identifying the ethernet interface that open VPNs using as its routing target and then making rules work on that
23:01 < krzee> openvpn traffic goes over tun
23:01 < krzee> limit it there
23:02 < lampliter> yes but which one. I have 30 or 40 tunnels active at once
23:02 < krzee> of course it goes over the external dev as already encrypted too... but it for sure goes over tun
23:02 < krzee> make a static tun and force that specific vpn to go over the static tun
23:02 < krzee> instead of the default behavior of dynamic tun making
23:03 < lampliter> entirely possible. But, I will admit to being a tad lazy and not wanting to hack the IP cop firewall more than I absolutely have to as you know it will come back to bite me in the butt
23:03 < lampliter> I should probably dive into the 2.0 Beta of IP cop and try to do this right
23:04 < krzee> or forget about limiting and setup a proper QOS
23:04 < krzee> (which is what ild do)
23:04 < lampliter> that's another ball of chaos. I've spoken to about four or five people on proper QOS and I've gotten seven or eight answers
23:05 < krzee> of course, its very subjective
23:05 < krzee> but its not the tech that differs, its your actual goal ;)
23:05 < lampliter> that I look in the mirror and say "yeah, you did that people back in the day"
23:05 < krzee> figure out your goal 100% then it ;)
23:05 < krzee> implement it
23:06 < krzee> for example
23:06 < krzee> you want everything to be ABLE to go full speed
23:06 < lampliter> that's true.
23:06 < krzee> but if a backup is running, it should have preference over this other stuff
23:06 < krzee> but if voip is running, it should have preference over EVERYTHING
23:07 < krzee> even when the line is pegged youd still have perfect voip with qos
23:07 < krzee> without qos youd have terrible call quality ;)
23:07 < lampliter> my customer wants exactly the opposite. If it's running during the day, back up takes lower priority
23:07 < krzee> cool, you're half way there then
23:07 < krzee> now just go setup your QOS ;]
23:07 < krzee> especially if thats all there is to it
23:08 < krzee> you just section stuff to 2 things
23:08 < krzee> openvpn tunnel and OTHER
23:08 < krzee> give OTHER higher priority
23:08 < krzee> boom, done
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:08 < lampliter> okay, I have one open VPN, a for the backup machine
23:08 < krzee> on 1 side is fine
23:09 < krzee> (or maybe i misunderstood)
23:09 < lampliter> let me restate
23:09 < lampliter> the hub firewall protects the internal network and has a fan out of about 30 VPN users throughout the course of day and night (international external developers)
23:10 < lampliter> one of those VPN connections is to the remote backup site
23:10 < krzee> ahh simple
23:10 < lampliter> I need to apply QOS to the backup VPN connection
23:11 < krzee> openvpn [ --mktun ] [ --rmtun ] [ --dev tunX | tapX ] [ --dev-type device-type ] [ --dev-node node ]
23:11 < krzee> mktun a static tun device
23:11 < krzee> then in that config, use --dev and --dev-type to specify the exact device to use
23:12 < krzee> hell you could name the device backup if you wanna
23:12 < krzee> ;]
23:12 < lampliter> I've got to go dive into the code on the far wall because I don't want to make my customer have a heart attack when the backup VPN channel vanishes.
23:13 < krzee> its just standard QOS, play with it at your house
23:13 < lampliter> Yes. I have the same firewall and open VPN code on my home firewall
23:13 < lampliter> it's called eating your own dog food
23:13 < krzee> yupyup
23:13 < krzee> testbeds are good
23:14 < lampliter> that's what I like about virtual machines.
23:14 < krzee> strongly agreed
23:14 < krzee> i run 4 on my main desktop
23:14 < krzee> usually they are off, but its good for testing stuffs
23:15 < krzee> debian, winxp, opensolaris, freebsd8 (desktop is osx)
23:15 < lampliter> when I first started in the business (independent consultant) I had 12 machines and the power company came to figure out why my power consumption was so high
23:15 < lampliter> now I'm down to two machines
23:15 < krzee> of course right now i run NOTHING on my main desktop cause i gotta fix the sucker, burnt out either the power supply or motherboard with my new cuda card, that thing got HOTTTT
23:15 < krzee> was running it full blast for a day, then kaput
23:16 < lampliter> of course I just move my e-mail, web, listserver, anti-spam gateway to a friend's hosting service
23:17 -!- quentusrex [n=quentusr@freeswitch/developer/quentusrex] has quit ["Ex-Chat"]
23:18 < lampliter> that sounds rather unpleasant
23:20 < krzee> seriously unpleasant
23:20 < lampliter> in one of the mini-itx systems I was using for the IP cop firewall was an 18 V system, the other was a 12 V system. power supplies have the same plugs. Jacks were unmarked. One of the systems smelled bad afterwards
23:20 < krzee> oops!
23:21 < lampliter> yeah, if there had been some labels, by the people that predated me, it would have been preventable. I now require the standard to be a 12 V system
23:22 < lampliter> some days I like being an interim IT manager, other days, not so much
23:24 < lampliter> thank you for being so much help. Now I need to get back to my Christmas story
23:25 < krzee> np man
23:25 < lampliter> which is going out in lieu of Christmas card
23:25 < krzee> gl with it
23:25 < krzee> feel free to make a writeup of your setup as you go on our wiki if you like
23:25 < krzee> then the next person will have a fatty headstart ;]
23:25 < lampliter> that's not a bad idea.
23:25 < lampliter> After all, it's given me a fatty headache
23:26 < lampliter> :-)
23:26 < krzee> plus next time you get to do it it will be 100x easier
23:26 < krzee> !wiki
23:26 < vpnHelper> krzee: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
23:26 < lampliter> bookmarked
23:29 < lampliter> clarify one point on the open VPN shape. is that acting like real QOS overall or only for traffic through the open VPN server
23:29 < krzee> neither
23:30 < krzee> it only limits the amount of outgoing bandwidth passing from the local openvpn
23:30 < krzee> its like a speed limit
23:30 < lampliter> only through that one VPN tunnel
23:30 < lampliter> like the rsync --bwlimit
23:30 < krzee> versus QOS being the guy at the club who decides how many people go in from both VIP line and normal line
23:31 < krzee> right, only through that one openvpn process
23:31 < lampliter> right. I'm so looking for breaking all this stuff
23:31 < krzee> you actually want QOS im sure
23:31 < lampliter> I guess we'll be watching a lot of hulu while I'm transferring data. :-)
23:32 < krzee> hulu...?
23:32 < lampliter> streaming video service
23:32 < lampliter> I'm catching up on dollhouse as we write
23:32 < krzee> ahh, hehe
23:33 < lampliter> dollhouse is gotten reasonably cold
23:34 < lampliter> some good storytelling
23:34 < krzee> tv show i take it?
23:37 < lampliter> y
23:37 < lampliter> unfortunately, I tend to have a bit of a taste for darker stories
23:37 < lampliter> for example, the Christmas story I'm working on was, in a short form, set up for presentation at my Toastmasters Christmas party
23:38 < lampliter> the woman doing the reading said to me "this kind of heavy"
23:38 < lampliter> Yes I replied, it's a Christmas story
23:38 < lampliter> but people coming to the dinner are expecting more of a celebration
23:38 < lampliter> well, I said, I gave it a happy ending
23:38 < krzee> haha
23:39 < lampliter> she said, well, could you make it a little brighter?
23:39 < lampliter> And well there is a lot of pain in the story because the heroine is the woman that becomes mrs claus
23:40 < lampliter> and she loses family, friends and because she is the spirit of Christmas and delivers compassion and kindness to those who need, she sees the suffering of humankind
23:40 < lampliter> and she can't just let it go. Then again, her father (father Christmas) and her are going to one last house but they get separated and she entered the house which is dark except the crying of her child
23:40 < lampliter> she goes aside and finds the adults dead and the child wrapped up in all their clothing against the cold
23:41 < lampliter> she picks it up and the child quiets in her arms. She walks towards the door and then turns back and sees the dead infant in its cradle
23:41 < lampliter> but the warm child in her arms is still there
23:41 < lampliter> the spirit of the child becomes her child and she's finally able to give to her father, a grandchild he wants.
23:42 < lampliter> That's my idea of a happy ending
23:42 < Diddi> best story ever <3
23:43 < krzee> !irclogs
23:43 < vpnHelper> krzee: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
23:43 < krzee> and now its officially published!
23:43 < lampliter> yaaaa
23:45 < lampliter> that's actually a good thing. It's a nice "official" marker of an idea I'm writing.
23:45 < lampliter> For example, can you read this: https://acrobat.com/#d=XW8-7gLUIkGsZvJWngYLgQ (you'll need flash)
23:45 < vpnHelper> Title: Adobe Acrobat.com (at acrobat.com)
23:46 < krzee> actually its bout time for me to finish this blunt, watch a movie, and crash out
23:46 < krzee> gotta hit the gym in the mornin
23:46 < lampliter> yeah, I should get to bed as well. I need to get the story finished and a small print run for the party tomorrow night
23:46 < krzee> keep hurting my legs in jiu jitsu, figure i gotta get my body used to goin hard again
23:47 < lampliter> ouch.
23:47 < lampliter> I slipped on some ice and pulled a butt muscle
23:49 < lampliter> think I need some yoga
23:50 < lampliter> that might help you as well with your leg injuries
23:50 < krzee> tru it prolly would
23:50 < krzee> especially cause its knee ankle
23:50 < lampliter> right.
23:51 < lampliter> Maybe some low stress leg exercises might help as well. I'm a fan of recumbent bicycles and that's something that has always helped my legs
23:59 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
--- Day changed Mon Dec 14 2009
00:07 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
00:23 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Remote closed the connection]
00:44 < reiffert> moin
00:52 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 131 (Connection reset by peer)]
01:07 -!- hyper_ch [n=hyper@169-114.78-83.cust.bluewin.ch] has joined ##openvpn
01:43 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn
02:13 -!- freaky[t] [i=alpha@member.team-box.net] has quit [Remote closed the connection]
02:19 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [No route to host]
02:22 -!- Sky[x] [n=SkyB0x@212.235.182.245] has joined ##openvpn
02:24 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
02:26 -!- Sky[x] [n=SkyB0x@212.235.182.245] has quit [Client Quit]
02:26 -!- Sky[x] [n=SkyB0x@212.235.182.245] has joined ##openvpn
04:00 -!- Sky[x] [n=SkyB0x@212.235.182.245] has quit []
04:41 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
05:06 -!- dazo_afk is now known as dazo
05:20 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:29 -!- giz-- [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has joined ##openvpn
05:31 < giz--> hi, i have a route problem with openvpn, i have 3 hosts each containing VM on private subnets, host3 is my server, host1 routes are ok, host2 routes are ok, but on host3 i have my private VM subnet route to 0.0.0.0 (ok) but also route to the tunnel :s
05:37 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn
05:41 < Zeit|awy> is it possible to push different static routes by using client-config-dir? eg. client1 knows only route to 10.10.20.0, but client2 also to 10.10.21-24.0?
05:55 < Rienzilla> I think so yes
06:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
06:39 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:42 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:23 < dazo> Zeit|awy: that is possible
07:23 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn
07:24 < Zeit|awy> thx - I guess I simply put the same commands/syntax in as in the normal server.conf?
07:25 < dazo> Zeit|awy: that's correct ... and make sure that the user openvpn is running as can access (chmod +x) the client-config-dir directory and can read the files inside this dir .... then you're pretty well covered
07:27 < Zeit|awy> thx.. have a range collision for _3_ clients (among 150..) *grmpf* and can not fix it in an other way.. *sigh*
07:37 -!- sant0 [n=chatzill@187-26-118-237.3g.claro.net.br] has joined ##openvpn
07:40 < sant0> good morning! Questions ... I can only configure the vpn dns and not by ip ... because the modem are dynamic
07:41 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
07:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
07:46 -!- kian [n=kian@87-194-8-235.bethere.co.uk] has joined ##openvpn
07:46 < kian> howdy folks.
07:46 < kian> right place to ask questions?
07:46 -!- Glebelg [n=Glebelg@unaffiliated/glebelg] has quit [Read error: 145 (Connection timed out)]
07:47 < kian> quiet channel ;-)
07:48 < reiffert> see topic.
07:48 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
07:49 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn
07:51 < kian> reiffert: ta.
07:51 < kian> !redirect
07:51 < vpnHelper> kian: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
07:53 < kian> !nat
07:53 < vpnHelper> kian: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
07:53 < kian> !ipforward
07:53 < vpnHelper> kian: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
07:53 < kian> !howto
07:53 < vpnHelper> kian: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:54 < kian> !route
07:54 < vpnHelper> kian: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
08:00 -!- Sky[x] [n=SkyB0x@212.235.186.230] has joined ##openvpn
08:00 -!- SkyX [n=SkyB0x@212.235.186.230] has joined ##openvpn
08:01 < sant0> good morning! Questions ... I can only configure the vpn dns and not by ip ... because the modem are dynamic
08:02 -!- Sky[x] [n=SkyB0x@212.235.186.230] has quit [Client Quit]
08:02 -!- SkyX [n=SkyB0x@212.235.186.230] has quit [Client Quit]
08:05 -!- kian [n=kian@87-194-8-235.bethere.co.uk] has quit ["leaving"]
08:08 < ecrist> good morning
08:08 -!- dextor[work] [n=dextor[w@59.162.86.164] has joined ##openvpn
08:17 < dazo> good afternoon :)
08:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
08:22 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: xenophile7x7, tarbo2, znull
08:23 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: bandini, Rienzilla, robotti^
08:25 -!- Netsplit over, joins: znull
08:26 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has joined ##openvpn
08:26 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
08:28 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
08:28 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Remote closed the connection]
08:28 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
08:29 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded]
08:30 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
08:33 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:00 -!- brad_ [n=quassel@12.48.121.170] has joined ##openvpn
09:02 -!- brad_ [n=quassel@12.48.121.170] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
09:04 -!- mattock [n=samuli@dyn55-11.yok.fi] has left ##openvpn []
09:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:27 -!- IrCYop [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has joined ##openvpn
09:37 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
09:38 < Ziber> I have a working VPN between two servers. I want to add a third. I set it up, using server1 and its remote directive. I cant ping the IP of the third server from any of the other two, nor can I ping out to the other two.
09:40 < giz--> Ziber : i just finished this scenario btw, without any pb
09:40 < Ziber> Any of your servers behind a router? I think that might be my issue
09:40 < Ziber> NAT'd and all of that.
09:41 < dazo> giz--: maybe you could share some config files then?
09:41 < Ziber> bbiba
09:47 -!- giz-- [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has quit []
09:52 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
09:52 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
09:58 -!- hyper_ch [n=hyper@169-114.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
10:07 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
10:14 < ecrist> Ziber: you need client-to-client
10:14 < ecrist> in your server config
10:22 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
10:22 -!- bandini [n=bandini@79.7.109.239] has joined ##openvpn
10:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
10:52 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
10:56 < Briareos1> after many sleepless nights with (or rather without) ipsec tunnels, i found out about openvpn today. where can i find a list of openvpn ready-to-use hardware?
10:57 -!- sant0 [n=chatzill@187-26-118-237.3g.claro.net.br] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
10:58 < ecrist> any computer running linux, *BSD, or windows. ;)
10:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:01 < Briareos1> ecrist :) sure - i just read about alternative firmwares for routers ... but what hardware compilation (including the case) would i use for replacing an old vpn firewall
11:03 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
11:03 < dazo> Briareos1: I'm using a WRT54GL with X-wrt/openwrt firmware ... that's almost an out of the box openvpn solution ... just flashing the OS
11:03 < dazo> s/OS/firmware/
11:05 < dazo> Briareos1: but if you're aiming at a more heavy traffic ... I'd recommend a bit more beefy hardware for it, anyway ... but it's a lot of affordable and powerful-enough hardware which can run Linux or *BSD ... for such routers, I don't mention Windows on purpose
11:05 * dazo can recommend OpenWRT based firmwares
11:06 * dazo heads out for a very late lunch
11:07 < Briareos1> dazo, we have about 30 users who would use the connection
11:07 < Briareos1> dazo to access the internet
11:26 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn
11:37 -!- lampliter [n=chatzill@harvee.org] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
11:40 < ecrist> Briareos1: we use ebay dell 1650s and freebsd
11:41 -!- teratoma [n=teratoma@69.172.135.243] has quit [Remote closed the connection]
11:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out]
11:56 -!- dextor[work] [n=dextor[w@59.162.86.164] has quit [Connection reset by peer]
11:58 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
11:59 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:21 -!- hyper__ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn
12:21 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Nick collision from services.]
12:21 -!- hyper__ch is now known as hyper_ch
12:30 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
12:30 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Remote closed the connection]
12:32 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
12:35 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn
12:35 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
12:37 < Briareos1> ecrist am i just being old-fashioned or is it still that one would say: this router/firewall fits into a server-rack, so it's (basically) alright for using it to route a company to the net?
12:38 < ecrist> Briareos1: I don't understand the question.
12:38 < krzee> nor do i
12:38 < Briareos1> hehe :)
12:40 < krzee> i think Ziber's problem is firewall on the 3rd machine
12:40 < krzee> since he cant ping server from 3rd machine, its not a need for client-to-client
12:40 < krzee> !client-to-client
12:40 < vpnHelper> krzee: "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things behind other
12:40 < vpnHelper> krzee: clients.
12:41 < krzee> bleh i messed up a detail on that
12:42 < krzee> !forget client-to-client
12:42 < vpnHelper> krzee: Joo got it.
12:42 < ecrist> krzee: you're probably correct. I skimmed his question and just 'read' that he couldn't ping the other client from the third
12:42 < krzee> !learn client-to-client as with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you do not want to use selective firewall rules on what clients can access things behind other clients
12:42 < vpnHelper> krzee: Joo got it.
12:43 < krzee> you use it when you 'do not' want etc etc
12:43 < krzee> i said it backwards in my orig description =]
12:44 < Briareos1> ecrist, krzee: well i am looking for a solution that's extremely stable. we have a firewall since 2001 which is stable, but i am not satisfied anymore (e.g. only windows gui - no web-ui). also i'd like to try openvpn, have a nice box (at best no active parts/fans) and still be sure the network is as stable as ever for that amount of users.
12:44 < krzee> ahh
12:44 < krzee> you could build your own
12:45 < krzee> or get a pix and use openvpn on a machine on the inside
12:45 < ecrist> Briareos1: look into soekris
12:45 < krzee> ahh yes soekris are good from what i hear
12:45 < Briareos1> don't want the boss to say: "why's this thing not working? what brand is it?" ... "eeehm briareos inc. ...."
12:45 < ecrist> if you have a real server rack, just get a solid, redundant pair of used 1u servers and go with that
12:45 < ecrist> freebsd+pf+carp is all you need
12:46 < ecrist> Briareos1: http://www.secure-computing.net/wiki/index.php/CARP
12:46 < vpnHelper> Title: CARP - Secure Computing Wiki (at www.secure-computing.net)
12:49 < ecrist> here's a fanless solution, still could do carp/freebsd solution on top of it: http://www.damnsmalllinux.org/store/Mini_ITX_Systems/Mini_ITX_BareBones_Computer
12:49 < vpnHelper> Title: Bargain Fanless Mini-ITX BareBones Computer (at www.damnsmalllinux.org)
12:49 < Briareos1> looks interesting, but that - on the other hand - is too heavyweight. just looking into soekris as well
12:49 < ecrist> openvpn2009 or Kas: who do we make feature requests to?
13:04 < krzee> ecrist, add it to wishlist and link them
13:05 < krzee> !wishlist
13:05 < vpnHelper> krzee: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist
13:05 -!- meero [n=meero@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has joined ##openvpn
13:05 < Rienzilla> I have a soekris for sale
13:05 < meero> how to set static ip for 2 clients?
13:05 < Rienzilla> but beware, the slower soekris models will not NAT 100mbit
13:05 < meero> hi:-)
13:05 < Rienzilla> hi
13:06 < krzee> !static
13:06 < vpnHelper> krzee: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder
13:07 < krzee> ecrist, that way if it gets lost in their shuffle, we dont lose it
13:07 < meero> vpnHelper: i use ccd :ifconfig-push 22.0.0.2 22.0.0.1.... for the first client
13:07 < vpnHelper> meero: Error: "i" is not a valid command.
13:08 < krzee> !bot
13:08 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
13:08 < meero> vpnHelper:but the ifconfig-push 22.0.0.7 22.0.0.1 for the second is not working
13:08 < krzee> !/30
13:08 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:08 < meero> vpnHelper: with error There is a problem in your selection of --ifconfig endpoints(on win client)
13:08 < vpnHelper> meero: Error: "with" is not a valid command.
13:09 < krzee> ya you are using net30 topology and wrong ips
13:09 < krzee> see !/30 above =]
13:10 < meero> vpnHelper: with? i dont get it
13:10 < vpnHelper> meero: Error: "with?" is not a valid command.
13:10 < krzee> !bot
13:10 < vpnHelper> krzee: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P
13:10 < meero> vpnHelper: i use ifconfig-push :-)
13:10 < vpnHelper> meero: Error: "i" is not a valid command.
13:11 < krzee> you keep talking to my bot :-p
13:11 < meero> krzee: sorry
13:11 < krzee> ok look
13:11 < meero> krzee: i get it now :-)
13:11 < krzee> !/30
13:11 < vpnHelper> krzee: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology
13:11 < krzee> read that
13:11 < krzee> you can only use .6 .10 .14 .18 .22 etc for client endpoints
13:11 < meero> krzee: thankx
13:11 < krzee> unless you use 2.1 on all sides, then you can use:
13:11 < krzee> !topology
13:11 < vpnHelper> krzee: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
13:12 < krzee> if you use that you can use anything in the subnet
13:13 < meero> krzee: "you can only use .6 .10 .14 .18 .22 etc for client endpoints" but why is working with this 22.0.0.2 ip?
13:14 < krzee> dunno, go read the link from !/30
13:15 < krzee> and if you changed it to be like mine, it would work
13:15 < meero> krzee: ok, how is yours?
13:15 < krzee> ifconfig-push 10.8.0.6 255.255.255.0
13:15 < ecrist> krzee: http://ovpnforum.com/viewtopic.php?f=10&t=2124&sid=0cff3f4e728f2867a755b1fc5cd4d7b1
13:15 < krzee> ifconfig-push 10.8.0.10 255.255.255.0
13:15 < vpnHelper> Title: OpenVPN Forum View topic - Sync Connections between multiple servers. (at ovpnforum.com)
13:15 < krzee> totally agreed
13:16 < krzee> that would be sweetness
13:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:17 < krzee> Post subject: Re: Sync Connections between multiple servers.Posted: 14 Dec 2009 19:16
13:17 < krzee> OpenVPN User
13:17 < krzee> Joined: 29 Aug 2008 17:42
13:17 < krzee> Posts: 38
13:17 < krzee>
13:17 < krzee> +1
13:17 < krzee> that would rock
13:18 < ecrist> perl arrays make me cry
13:19 < redfox> ecrist: why?
13:20 < krzee> meero, you own the whole 22.0.0.x subnet???
13:20 < krzee> you are aware thats not a 1918 ip right?
13:20 < krzee> !1918
13:20 < vpnHelper> krzee: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:21 < ecrist> 22/8 is registered to the US Dept of Defense...
13:21 -!- dazo is now known as dazo_afk
13:21 < krzee> well if hes with the DOD he should know to use topology subnet and not waste real ips
13:22 < krzee> then again DOD guys prolly dont irc from .cz
13:24 -!- Suprsurfr [i=d86dc16e@gateway/web/freenode/x-epmdnxjaprkhqkro] has joined ##openvpn
13:25 < Suprsurfr> Hello, I was wondering if someone could help me with an issue i am having connecting to a citrix server through an openvpn connection.
13:25 < ecrist> we can try
13:25 < Suprsurfr> thanks
13:25 < Suprsurfr> I can connect to any of the servers via rdp but the citrix client doesnt connect
13:26 < ecrist> firewall?
13:26 < Suprsurfr> not sure...
13:26 < Suprsurfr> i have a rule in place that permits all from the openvpn subnet
13:28 -!- dazo_afk [n=dazo@nat/redhat/x-hwehkdykucxzwqrb] has quit ["ZNC - http://znc.sourceforge.net"]
13:28 < meero> krzee: in fact i dont want 1918 ip. i want to use just 5 but with static assignment to them
13:31 < meero> krzee: so im finding easiest way to configure it, can u help me. I dont really :-) dont want to know rfc1918
13:32 -!- dazo_afk [n=dazo@nat/redhat/x-mcohvxoijrdmcimm] has joined ##openvpn
13:32 -!- dazo_afk is now known as Guest70534
13:32 -!- Guest70534 is now known as dazo
13:32 -!- dazo is now known as Guest6565
13:33 < Suprsurfr> this is what i get http://screenr.com/VQU
13:33 < vpnHelper> Title: Screenr - @Rasial: Citrix wont connect (at screenr.com)
13:38 < ecrist> Suprsurfr: I'd inspect the firewall rules
13:38 < ecrist> openvpn doesn't block anything, it will pass anything fed to it.
13:38 < ecrist> also check your routing
13:38 < ecrist> meero: what are you trying to do?
13:39 < meero> ecrist: im not DOD :-) .....ok i try to set vpn for 5 computers, 2 of them must have static ip
13:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
13:44 < meero> pn for 5 computers, 2 of them must have static ip
13:45 < Suprsurfr> Strange everything else works. RDP dns and the routes are all good. I can ping the citrix servers and they can ping me.
13:46 < ecrist> meero: it's easy. Just setup a VPN with dynamic IPs and enable the option to reuse ips
13:46 < ecrist> !iporder
13:46 < vpnHelper> ecrist: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
13:47 < ecrist> notably, use !ipp
13:47 < ecrist> put your address range within an RFC 1918 range, though
13:47 < ecrist> !1918
13:47 < vpnHelper> ecrist: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16
13:47 < ecrist> !1918 2
13:47 < vpnHelper> ecrist: Error: "1918" is not a valid command.
13:47 < ecrist> !1918 #2 13:47 < vpnHelper> ecrist: Error: "1918" is not a valid command. 13:47 < ecrist> regardless, use #2 from the first one. ;) 13:52 < IrCYop> Mon Dec 14 13:41:10 2009 TCP/UDP: Socket bind failed on local address [ip]:[port]: Cannot assign 13:52 < meero> ecrist: it happend to me, (dont know what case) that ip from ipp were lost, and openvpn assigned other IPs to clients 13:52 < meero> ecrist: that is why i wanted to use other option 13:53 < IrCYop> that happens when I try to run my server. The config is like https://help.ubuntu.com/community/OpenVPN except with another ip. Although the networking interface has a different ip (As i want a different ip for the tap0 device and a different subnet mask) 13:53 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com) 13:54 < ecrist> IrCYop: can you post your entire log, verb 6, please? 13:56 < ecrist> meero: then use client configs 13:56 < ecrist> !ccd 13:56 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 13:57 < ecrist> IrCYop: after reading your message, it would appear you're trying to have openvpn listen on an address that is not assigned to a local network adapter 13:58 < IrCYop> ecrist: roger 13:58 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:58 < ecrist> you can't do that 13:59 < meero> ecrist: yes i use ccd on 22.0.0.0subnet, succesfully assignet 22.0.0.2 to firs client, but clould assign other IP to client 14:00 < ecrist> meero: unless you're using topology subnet, you need to use specific IPs in /30 subnet 14:00 < ecrist> i.e. 
x.21, x.25, x.29 and so on
14:01 < ecrist> x.5 x.9 x.13 x.17
14:01 < ecrist> you can't assign .2 .3 .4 etc
14:01 < ecrist> also, don't use 22.0.0 subnet
14:01 < ecrist> that's not your address space
14:02 < meero> ecrist: and what is my address space ? :-) i thought that i can use whatever internal ip i want ...
14:02 < meero> ecrist: krzee> you can only use .6 .10 .14 .18 .22 etc for client endpoints
14:03 < ecrist> that's the same thing, only I was listing server endpoints
14:03 < ecrist> meero: you can use any range in 1918 rfc
14:03 < ecrist> 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
14:03 < ecrist> as we've posted a couple times already
14:08 < meero> ecrist: ok, thanks for explaining and posting multiple times. let me ask this... what's the worst that can happen if i dont use these subnets "10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16"??
14:09 < ecrist> you won't be able to route to the people that own the IPs you're re-using.
14:09 < ecrist> for example, if google owned that IP range and you started using it, you wouldn't be able to visit google or any of their sister sites.
14:11 < Rienzilla> just use rfc1918 ip's for private networks
14:11 < Rienzilla> do it :)
14:11 < Rienzilla> or apply for a range of real ip's at ripe and use those
14:12 < ecrist> exactly
14:13 < meero> but which "device" decides where to send packets...router no ? so if "router" in this case is aware that this for example 22.0.0.1 ip is in local subnet it wont send it to internet gateway ... i think :-)
14:13 < Rienzilla> meero: it will work, unless your client decide to send traffic to a real internet host with ip 22.0.0.1
14:13 < Rienzilla> and your users will start complaining that random sites don't work
14:13 < Rienzilla> if you want unnecessary headaches, be my guest
14:14 < Rienzilla> but I would really recommend you do as instructed in rfc1918, people thought it out :)
14:14 < ecrist> meero: if you don't use rfc1918, we can't/won't help you here.
14:14 < ecrist> simple as that
14:15 < meero> ecrist: ok i get it :-)
14:18 -!- znull [i=z@www.files2u.com] has left ##openvpn []
14:22 < meero> i set it as ifconfig-push 10.0.0.10 10.0.0.9
14:22 < meero> and is working
14:22 < meero> thank you guys
14:23 -!- meero [n=meero@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has left ##openvpn []
14:27 -!- meero [n=meero@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has joined ##openvpn
14:29 < meero> ecrist: one last thing please, how to set, that im able to reach VPN client from server side LAN - from client which is not connected to VPN
14:30 < ecrist> you need to setup a route on your default gateway for the lan to the vpn server
14:30 < ecrist> route 10.0.0.0/16
14:30 < ecrist> on the gateway
14:33 < meero> ecrist: maybe stupid question but where is that on ubuntu?
14:33 < meero> on ubuntu server...
14:34 < ecrist> in the command line
14:34 < ecrist> you'd have to read the documentation. I don't run linux on my servers
14:35 -!- meero [n=meero@41-123-207-85.morava.adsl-llu.static.bluetone.cz] has left ##openvpn []
14:36 -!- Avalloc [n=_@port-14202.pppoe.wtnet.de] has joined ##openvpn
14:40 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:48 < Ziber> What files (key, cert, whatever) need to match up on both server/client so I dont get a TLS error when trying to connect two servers via VPN?
14:48 < ecrist> the ca certificate needs to be the same on all, first
14:48 < ecrist> then the client certificates and server certificates need to all be signed by that same ca
14:49 < ecrist> if enabled, client certificates need to NOT appear in the CRL
14:50 * Ziber is going to start over
14:50 < Ziber> One moment...
14:50 -!- Otacon22 [n=otacon22@93-36-88-88.ip59.fastwebnet.it] has joined ##openvpn
14:50 < Otacon22> Hi all, i need help about how to generate Certificate Authority .cert file.
14:50 < Otacon22> because mine expires after 1/2 months..
14:50 < Otacon22> "Mon Dec 14 21:49:10 2009 us=91221 VERIFY ERROR: depth=1, error=certificate has expired: /C=IT/ST=Milano/L=Milano/O=Internet_Widgits_Pty_Ltd/CN=OpenVPN-CertificateAutority"
14:51 < Rienzilla> Then set the expiry time to 10000 days :)
14:51 < Otacon22> Rienzilla, where?
14:52 < Rienzilla> depends what you use to generate the certificate
14:52 < Rienzilla> I use a helper program, tinyca2, to manage my certs
14:52 < Otacon22> Rienzilla, usually i do:
14:52 < Otacon22> openssl genrsa -out ca.key
14:52 < Otacon22> and
14:52 < Otacon22> openssl x509 -req -in rich.ca -signkey ca.key -out ca.cert
14:53 < ecrist> !ssl-admin
14:53 < vpnHelper> ecrist: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
14:53 < ecrist> that's another option
14:53 < Otacon22> but i want to use openssl
14:54 < Otacon22> i just need to know how to set the expire time
14:54 < Ziber> ecrist: Alright, right now, I have an unsecured VPN. There are three servers involved, alpha/bravo/delta. I can ping alpha<->bravo, delta<->alpha, but not bravo<->delta. I'm curious as to why.
14:54 < ecrist> Otacon22: it's usually a variable in your openssl.cnf file
14:55 < Otacon22> ok
14:55 < Otacon22> tnx
14:55 < Ziber> I'm talking about pinging the VPN addresses. I can ping the public IPv4 and IPv6 addresses fine.
14:55 < ecrist> Ziber: is there one server and two clients? alpha being server?
14:55 < Ziber> Thats what I'm hoping for.
14:55 < Ziber> I'll pastebin the configs, one sec.
14:57 < Ziber> http://zpaste.org/5079 <-- All three configs. First one is Alpha, second one is Bravo, third is Delta.
14:59 < Briareos1> ecrist: i just had a closer look at pfsense. i like it and will try it out.
15:04 < Ziber> ecrist: ?
15:15 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection]
15:21 -!- Suprsurfr [i=d86dc16e@gateway/web/freenode/x-epmdnxjaprkhqkro] has quit ["Page closed"]
15:22 -!- _phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
15:23 -!- phusion__ [n=phusion@88.80.16.38] has quit [Read error: 113 (No route to host)]
15:38 < krzie> ziber, 3 networks you wanna connect via vpn?
15:38 < krzie> thats EXACTLY what my writeup goes over
15:38 < krzie> !route
15:38 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:38 < krzie> you said unsecured vpn, how do you unsecure a 3 client vpn?
15:39 < krzie> or you mean unsecured as in no cipher
15:40 < krzie> why are you using tap?
15:40 < krzie> check this out Ziber
15:40 < krzie> !sample
15:40 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
15:40 < krzie> !route
15:40 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
15:40 < krzie> do it that way =]
15:46 < krzie> here ill even make yours look right for you since im bored
15:46 -!- zib [i=zib@slick.keff.org] has quit [Read error: 113 (No route to host)]
15:46 -!- Intensity [i=[Ep0hy1Z@unaffiliated/intensity] has joined ##openvpn
15:46 < krzie> Ziber http://zpaste.org/5080
15:48 < krzie> and that doesnt handle any of the lan stuff, for that you still need my routing doc
15:49 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 104 (Connection reset by peer)]
15:49 < krzie> Kasx you here man, i have a question you might be able to answer
15:51 -!- dollabill
[n=mike@97.66.26.10] has quit [No route to host]
15:51 < Kasx> hi krzie!
15:51 < Kasx> Whts up?
15:51 < Kasx> *Whats up
15:52 < krzie> im wondering what the diff is between ns-cert-type server and remote-cert-tls server
15:52 < krzie> i understand its a diff way of signing the cert as a server, but not if one is better for some reason
15:52 -!- bandini [n=bandini@79.7.109.239] has quit ["Ex-Chat"]
15:53 < krzie> the howto says use first for 2.0 and second for 2.1, but i use first for 2.1 as well, not sure if ild benefit from moving to remote-cert-tls
15:53 < krzie> i have been asked that a few times here, never had a good answer
15:54 -!- znull [i=z@www.files2u.com] has joined ##openvpn
15:54 < Kasx> Good question :-) I am not quite sure honestly, I will run it by James and let you know what he says.
15:55 < znull> hello, i'm getting WARNING: Bad encapsulated packet length from peer (20041), which must be > 0 and <= 1560 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...] (what's wrong ?)
15:55 < _dren> i believe ns-cert-type server actually prevents man in the middle attacks
15:56 < znull> should I add on server.conf and client.opvn --tun-mtu 0 ? or something?
15:58 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"]
15:59 -!- zib [i=zib@slick.keff.org] has joined ##openvpn
16:00 < Ziber> krzie: thanks... :) sorry, had to go do some stuff.
going to try this now
16:00 < krzie> thx kasx
16:00 < krzie> _dren yup, thats the point of both those commands
16:01 < Kasx> krzie, no problem
16:01 < krzie> znull:
16:01 < krzie> !configs
16:01 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:02 < znull> ok
16:04 < znull> krzie : http://pastebin.ca/1714934
16:09 < Kasx> kezie: straight from James:
16:09 < Kasx> They are different methods of doing the same thing, i.e. ensure that the peer's certificate is marked such that it can be trusted as a server certificate.
16:09 < Kasx> The ns-cert-type is an earlier method introduced by Netscape but never formally ratified as a standard. The remote-cert-tls method is newer, standardized, and more complex.
16:09 < Kasx> *krzie
16:16 < znull> krzie ?
16:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
16:20 -!- Otacon22 [n=otacon22@93-36-88-88.ip59.fastwebnet.it] has quit [Remote closed the connection]
16:21 < krzie> ahh ok
16:22 < krzie> so no difference really, gotchya
16:26 < krzie> znull im at work, expect delays ;]
16:26 < krzie> looking now
16:27 < znull> ok.
16:27 < krzie> and what am i missing from ccd entries?
16:28 < znull> me?
16:29 < krzie> yes
16:29 < znull> i don't know lol.
16:31 < krzie> umm
16:31 < krzie> look
16:33 < krzie> client-config-dir ccd
16:33 < krzie> that means you have a dir named ccd with client specific options in it... tell me what they are
16:33 < krzie> !ccd
16:33 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name.
use --client-config-dir to enable it, then put the config options for the client in /common-name
16:34 < krzie> also try changing from proto tcp to udp
16:34 < krzie> !tcp
16:34 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
16:35 < krzie> then if you continue to get that error we'll test your mtu
16:37 < znull> *confused* still reading
16:53 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has quit [Read error: 60 (Operation timed out)]
16:53 < krzie> if you still dont get it, just know that udp is better and you should always use udp when you have a choice
16:54 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Remote closed the connection]
16:54 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has joined ##openvpn
16:55 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
17:13 < Ziber> So, I'm getting "tls handshake failed"... What do I do about this?
17:23 < ecrist> back for a bit
17:26 < krzie> REMAKE YOUR CERTS, FOLLOWING THE HOWTO
17:26 < krzie> oops capslock
17:32 -!- blazon [n=blazon@unaffiliated/blazon] has joined ##openvpn
17:32 < krzie> (this is for me)
17:32 < krzie> !mail
17:32 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
17:33 < blazon> when i try to start openvpn i get the following error, http://pastebin.com/m7a2154c1 can someone tell me what is wrong?
17:35 < krzie> it cant find your server.crt
17:35 < krzie> use full paths
17:35 < blazon> danka
17:36 < krzie> np
17:38 < blazon> i dont think that is the problem
17:38 < krzie> but it is
17:38 < krzie> its a pretty clear error
17:39 < blazon> umm
17:39 < blazon> i used the fullpath
17:39 < blazon> and received the same error
17:39 < krzie> you using chroot above that line?
17:41 < krzie> if so the full path needs to be relative to the chroot ild guess
17:41 < krzie> did you manually edit your crt file?
17:45 < blazon> krzie
17:45 < blazon> it was a simple mistake
17:45 < blazon> i forgot to assign a commonname to the crt
17:45 < blazon> and i had thought it built
17:46 < blazon> for some odd reason
17:46 < blazon> thanks for the help
17:46 < blazon> made me relook at the certs
17:48 < krzie> yw
17:59 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: Lyndon, rlarson85, balboah, freaky[t], LittleJ, krphop, redfox, oc80, drue, vpnHelper
18:01 -!- Netsplit over, joins: drue, freaky[t], LittleJ, rlarson85, vpnHelper, balboah, redfox, oc80, Lyndon, krphop
18:01 -!- oc80 [i=oc80z@blea.ch] has quit [Connection reset by peer]
18:02 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded]
18:03 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
18:24 -!- Briareos1 [n=B@13-98-136-94.static.net4you.net] has quit [Remote closed the connection]
18:42 -!- IrCYop [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has quit ["Leaving."]
18:48 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn
18:52 -!- LowKey [i=rhel@72.20.37.172] has quit ["changing servers"]
18:53 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
18:53 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
18:53 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
18:53 -!- chantra_ [n=chantra@ns22757.ovh.net] has quit [Read error: 60 (Operation timed out)]
18:54 -!- chantra [n=chantra@ns22757.ovh.net] has joined ##openvpn
18:54 -!- kala [i=kala@uba.linux.ee] has quit [Read error: 54 (Connection reset by peer)]
18:54 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Read error: 54 (Connection reset by peer)]
19:00 -!- master_o1_master [n=master_o@p549D7613.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:14 -!- Netsplit zelazny.freenode.net
<-> irc.freenode.net quits: Lyndon, rlarson85, _phusion__, balboah, Rolybrau, xenophile7x7, LittleJ, freaky[t], krphop, redfox, (+4 more, use /NETSPLIT to show all of them)
19:14 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: vlt, Intensity, julius, |Mike|, pa, r0fl, mrnice1, Typone, Kasx, sdh, (+25 more, use /NETSPLIT to show all of them)
19:15 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: havoc, stein0, disco-, Rienzilla, kala_, Guest6565, blazon, tinLoaf, Diddi, sno, (+6 more, use /NETSPLIT to show all of them)
19:18 -!- Han [n=han@unaffiliated/han] has quit [Remote closed the connection]
19:19 -!- hobbsc [n=zalgo@opensuse/member/hobbsc] has quit [Remote closed the connection]
19:19 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has quit [Remote closed the connection]
19:20 -!- hobbsc [n=zalgo@altbit.org] has joined ##openvpn
19:20 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has quit [Remote closed the connection]
19:41 -!- Netsplit over, joins: krzee, _trine, Rolybrau, stein0, thedonvaughn, disco-, pa, pekster, havoc, tinLoaf (+45 more)
19:41 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
19:41 -!- Netsplit over, joins: krphop, master_of_master, LowKey, chantra
19:41 -!- Han [n=han@boetes.org] has joined ##openvpn
19:41 -!- tompaw [n=tompaw@slave20.tesserakt.eu] has joined ##openvpn
19:41 -!- Netsplit over, joins: sno, Rienzilla, blazon, kala_, dmarkey_
19:41 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
19:46 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: rlarson85, vlt, Lyndon, julius, |Mike|, _phusion__, krphop, r0fl, Rienzilla, kala_, (+36 more, use /NETSPLIT to show all of them)
19:46 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: havoc, Intensity, stein0, disco-, pa, Guest6565, Kasx, tinLoaf, Diddi, _dren, (+9 more, use /NETSPLIT to show all of them)
19:47 -!- Netsplit zelazny.freenode.net <-> irc.freenode.net quits: eliasp, zamba, znull
--- Log closed
Mon Dec 14 20:00:38 2009
--- Log opened Mon Dec 14 20:00:42 2009
20:00 -!- ecrist_ [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
20:00 -!- Irssi: ##openvpn: Total of 85 nicks [0 ops, 0 halfops, 0 voices, 85 normal]
20:00 < g-ram> I just moved our (formerly public facing) openvpn server behind a (pfsense) firewall and now I can connect but can't send any traffic over the vpn
20:01 < g-ram> now I'm getting messages like this in syslog
20:01 -!- Irssi: Join to ##openvpn was synced in 37 secs
20:01 < g-ram> Dec 14 20:55:44 sed-server kernel: [ 878.422883] IN=tun0 OUT= MAC= SRC=10.1.0.6 DST=10.1.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=20190 DF PROTO=TCP SPT=58178 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
20:01 < g-ram> and
20:01 < g-ram> Dec 14 20:57:07 sed-server nmbd[5658]: Packet send failed to 10.1.0.255(137) ERRNO=Operation not permitted
20:01 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has quit [Remote closed the connection]
20:01 -!- aland [n=aland@apple.rat.burntout.org] has quit [Read error: 104 (Connection reset by peer)]
20:01 < g-ram> any idea what might have caused this / what might fix it?
20:02 < g-ram> sorry -- left that message right before the channel split
20:02 < g-ram> my apologies to those who had to read it twice
20:07 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Lilarcor, krzie, Optic, rwp, hobbsc, openvpn2009, optiz0r, bvierra, tarbo2, rbd, (+2 more, use /NETSPLIT to show all of them)
20:09 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn
20:09 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Lyndon, rlarson85, balboah, LittleJ, freaky[t], krphop, redfox, drue, vpnHelper
20:09 -!- Netsplit over, joins: drue, krphop, freaky[t], LittleJ, rlarson85, vpnHelper, balboah, redfox
20:11 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
20:11 < g-ram> never mind, figured it out
20:12 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
20:12 < g-ram> in debian
20:12 < g-ram> in /etc/init.d
20:12 -!- hobbsc [n=zalgo@altbit.org] has joined ##openvpn
20:12 < g-ram> ./ipmasq stop
20:13 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
20:13 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
20:13 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
20:13 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
20:13 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
20:13 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
20:13 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn
20:13 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
20:13 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
20:13 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
20:14 -!- Beira [n=_@port-91559.pppoe.wtnet.de] has joined ##openvpn
20:23 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: rlarson85, balboah, freaky[t], LittleJ, krphop, redfox, drue, vpnHelper, oc80z
20:24 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Lilarcor, krzie, Optic,
openvpn2009, optiz0r, bvierra, tarbo2, rbd, reiffert, fkr
20:24 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn
20:24 -!- oc80z [i=oc80z@blea.ch] has joined ##openvpn
20:24 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
20:24 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
20:24 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
20:24 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn
20:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
20:24 -!- balboah [n=johnny@joonix.se] has joined ##openvpn
20:24 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
20:24 -!- drue [n=drue@stiff.therub.org] has joined ##openvpn
20:25 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection]
20:25 -!- hobbsc_ [n=zalgo@altbit.org] has joined ##openvpn
20:25 -!- hobbsc [n=zalgo@altbit.org] has quit [Connection reset by peer]
20:27 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
20:27 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
20:27 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
20:27 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
20:27 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
20:27 -!- openvpn2009 [n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
20:27 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn
20:27 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
20:27 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
20:27 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
20:30 -!- Avalloc [n=_@port-14202.pppoe.wtnet.de] has quit [Connection timed out]
20:32 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:34 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits:
Lilarcor, krzie, Optic, openvpn2009, optiz0r, bvierra, tarbo2, rbd, reiffert, fkr
20:37 -!- Netsplit over, joins: Lilarcor, tarbo2, bvierra, rbd, krzie, openvpn2009, optiz0r, reiffert, Optic, fkr
20:37 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
20:38 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
20:50 -!- Netsplit verne.freenode.net <-> irc.freenode.net quits: Lilarcor, krzie, Optic, blazon, sno, noooon, openvpn2009, Rienzilla, optiz0r, bvierra, (+6 more, use /NETSPLIT to show all of them)
20:51 -!- Netsplit over, joins: Lilarcor, tarbo2, bvierra, rbd, krzie, openvpn2009, optiz0r, reiffert, Optic, fkr
20:55 -!- noooon [n=var@vps-1005590-1468.united-hoster.de] has joined ##openvpn
20:55 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
20:55 -!- kala_ [i=kala@uba.linux.ee] has joined ##openvpn
20:55 -!- blazon [n=blazon@unaffiliated/blazon] has joined ##openvpn
20:55 -!- Rienzilla [i=rien@sinas.rename-it.nl] has joined ##openvpn
20:55 -!- sno [n=sno@static.153.209.46.78.clients.your-server.de] has joined ##openvpn
--- Log closed Mon Dec 14 20:57:43 2009
--- Log opened Mon Dec 14 20:57:47 2009
20:57 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
20:57 -!- Irssi: ##openvpn: Total of 86 nicks [0 ops, 0 halfops, 0 voices, 86 normal]
20:58 -!- Irssi: Join to ##openvpn was synced in 32 secs
20:59 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: zib, stein0, havoc, ecrist_, coil_, Guest6565, thedonvaughn, disco-, Ziber
21:00 -!- balboah_ [n=johnny@joonix.se] has joined ##openvpn
21:00 -!- hobbsc [n=zalgo@altbit.org] has joined ##openvpn
21:01 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: rlarson85, balboah, freaky[t], LittleJ, krphop, redfox, drue, oc80z
21:01 -!- stein0 [n=stein@mail.vgnett.no] has joined ##openvpn
21:01 -!- zib [i=zib@slick.keff.org] has joined ##openvpn
21:01 -!- Guest6565
[n=dazo@nat/redhat/x-mcohvxoijrdmcimm] has joined ##openvpn
21:01 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
21:01 -!- coil [i=stfu@unaffiliated/coil] has joined ##openvpn
21:01 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn
21:01 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
21:01 -!- robotti^ [i=robotti@kapsi.fi] has quit [Connection reset by peer]
21:02 -!- Netsplit over, joins: drue, oc80z, krphop, freaky[t], LittleJ, rlarson85, balboah, redfox
21:02 -!- oc80z [i=oc80z@blea.ch] has quit [Connection reset by peer]
21:02 -!- hobbsc_ [n=zalgo@altbit.org] has quit [Connection reset by peer]
21:02 -!- thedonva1ghn [n=thedonva@69.164.195.95] has joined ##openvpn
21:02 -!- coil_ [i=stfu@17.166.102.97.cfl.res.rr.com] has joined ##openvpn
21:02 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
21:04 -!- coil_ is now known as Guest29091
21:12 -!- reiffert [n=thomas@mail.webersheim.de] has quit [Read error: 110 (Connection timed out)]
21:19 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: drue, LittleJ, rlarson85, redfox, freaky[t], balboah, krphop
21:21 -!- thedonvaughn [n=thedonva@69.164.195.95] has joined ##openvpn
21:21 -!- Netsplit over, joins: drue, krphop, freaky[t], LittleJ, rlarson85, redfox
21:21 -!- drue_ [n=drue@stiff.therub.org] has joined ##openvpn
21:21 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
21:22 -!- drue [n=drue@stiff.therub.org] has quit [Remote closed the connection]
21:22 -!- LittleJ [n=linuz@82.78.185.26] has quit ["changing servers"]
21:22 -!- _LittleJ is now known as LittleJ
21:22 -!- thedonva1ghn [n=thedonva@69.164.195.95] has quit [Read error: 131 (Connection reset by peer)]
21:22 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded]
21:25 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
21:33 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has quit []
21:44 -!- notneb_
[n=email@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
21:46 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has joined ##openvpn
21:48 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Optic, Lilarcor, krzie, openvpn2009, optiz0r, bvierra, tarbo2, rbd, fkr
22:02 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
22:02 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn
22:02 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
22:02 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
22:02 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
22:02 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn
22:02 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
22:02 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
22:07 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Optic, Lilarcor, krzie, optiz0r, bvierra, tarbo2, rbd, fkr
22:26 -!- _phusion__ [i=phusion@88.80.16.38] has quit [Read error: 104 (Connection reset by peer)]
22:26 -!- Netsplit over, joins: Lilarcor, tarbo2, bvierra, rbd, krzie, optiz0r, Optic, fkr
22:29 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
22:47 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Optic, Lilarcor, krzie, optiz0r, bvierra, tarbo2, rbd, fkr
22:55 -!- Netsplit over, joins: Lilarcor, tarbo2, bvierra, rbd, krzie, optiz0r, Optic, fkr
22:55 -!- g-ram [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
22:55 -!- g-ram_ [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has joined ##openvpn
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)]
23:02 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: robotti^
23:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: rlarson85, thedonvaughn, redfox,
freaky[t], krphop
23:07 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:08 -!- Netsplit over, joins: rlarson85
23:09 -!- Netsplit over, joins: krphop, thedonvaughn, freaky[t], redfox
23:09 -!- thedonvaughn [n=thedonva@69.164.195.95] has quit [Remote closed the connection]
23:09 -!- thedonvaughn [n=thedonva@jaysonvaughn.com] has joined ##openvpn
23:09 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded]
23:09 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn
23:10 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
23:24 < krzee> whoa
23:24 < krzee> DDOS against freenode
23:24 < krzee> how incredibly
23:24 < krzee> lame!
23:27 < ecrist> indeed
23:27 < ecrist> krzee: http://www.secure-computing.net/cgi-bin/mailgraph.cgi
23:27 < ecrist> go down to 'last month' and look at week 50
23:27 < ecrist> that uptick is YOU
23:28 < krzee> wow
23:28 < ecrist> keep in mind, I host about 30 other domains.
23:28 < krzee> i told you there was a shitton of spam
23:28 < ecrist> that red line is what isn't making it to your inbox.
23:28 < ecrist> being rejected flat-out
23:28 < krzee> good shit man
23:29 < krzee> and sorry
23:29 < krzee> hehe
23:29 -!- Beira [n=_@port-91559.pppoe.wtnet.de] has quit [No route to host]
23:29 < ecrist> no worries
23:29 < krzee> your setup is dope
23:30 < ecrist> there was no actual noticeable traffic uptick on my bandwidth graphs, though
23:30 < ecrist> glad you approve. ;)
23:31 < krzee> at one point i had a very nice mail setup as well, when i was doing hosting... but your web interface for the spam system is sweetness!
23:31 < ecrist> I'm out for the night - see you tomorrow. Wish I could take credit for the interface - I just installed it and use it. I agree, it's top-notch, though.
23:32 < krzee> i never had anything like that, just spamd/spamc some rbl's and a wait before sending the banner with autodrop on impatient mailers
23:32 < krzee> but it was a sweet find
23:32 < krzee> i hadnt seen it
23:32 < krzee> gotta q tho, lemme msg
23:35 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: robotti^
23:37 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: krphop_, redfox, freaky[t]
23:39 -!- Netsplit over, joins: robotti^
23:41 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
23:42 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
23:42 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
23:42 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn
23:55 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
23:59 < krzee> !def1
--- Day changed Tue Dec 15 2009
00:00 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: Optic, Lilarcor, krzie, optiz0r, bvierra, tarbo2, fkr
00:00 < krzee> the splits took my bot =[
00:04 -!- Netsplit over, joins: Lilarcor, tarbo2, bvierra, krzie, optiz0r, Optic, fkr
00:17 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["Leaving"]
00:17 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
00:21 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Remote closed the connection]
00:27 -!- fbdystang [n=fbdystan@c-24-2-104-186.hsd1.ut.comcast.net] has joined ##openvpn
00:37 -!- fbdystang [n=fbdystan@c-24-2-104-186.hsd1.ut.comcast.net] has quit [Remote closed the connection]
01:16 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn
01:37 -!- Rienzilha [i=rien@sinas.rename-it.nl] has joined ##openvpn
01:38 -!- Rienzilla [i=rien@sinas.rename-it.nl] has quit [Read error: 104 (Connection reset by peer)]
01:47 -!- hyper_ch [n=hyper@93-58.3-85.cust.bluewin.ch] has joined ##openvpn
02:11 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
02:28 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn 02:31 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 02:46 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [Read error: 110 (Connection timed out)] 02:47 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 02:54 -!- g-ram_ [n=gsaathof@cpe-74-74-156-140.rochester.res.rr.com] has quit [] 03:02 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Remote closed the connection] 03:10 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 03:25 -!- Guest6565 is now known as dazo 03:35 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 04:00 -!- dazo is now known as dazo_afk 04:11 -!- vpnHelper [i=vpn@joogot.noskills.net] has joined ##OpenVPN 04:11 -!- JoelR [n=joel@193.145.14.94] has joined ##openvpn 04:11 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 04:11 < JoelR> hi, how do i do if i want that each client that connects to my openvpn server gets some extra entries in their routing table? 04:12 < JoelR> !redirect 04:12 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 04:12 < krzee> !redirect 04:12 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 04:13 < JoelR> er.. no i don't want that. 
04:13 < krzee> !route 04:13 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 04:13 < JoelR> i just want that when a clients connects to my openvpn server, for certain addresses go through the vpn's interface 04:14 < krzee> thats just the route command 04:14 < krzee> !man 04:14 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 04:14 < krzee> push "route 192.168.3.0 255.255.255.0" 04:14 < JoelR> no, that does not work. 04:15 < JoelR> i already added some lines like those 04:15 < Bushmills> JoelR, push "route ...." 04:15 < krzee> if thats in server config all clients will get the route for 192.168.3.0/24 to go through vpn 04:15 < Bushmills> (in server config) 04:15 < JoelR> but in the client when i type: "route -n" i don't see the "extra" entries.. 04:15 < krzee> !configs 04:15 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 04:15 < JoelR> krzee, well by some reason in my case it is not like that. 04:16 < Bushmills> moin krzee 04:16 < krzee> moin moin Bushmills 04:16 < krzee> ahh beat me to it 04:16 < Bushmills> you did 04:17 * Bushmills beats krzee a bit to it, as he asked 04:17 < krzee> hah 04:17 < krzee> [06:16] moin krzee 04:17 < krzee> [06:16] moin moin Bushmills 04:17 < krzee> yours showed up right before i hit enter 04:17 < Bushmills> (11:15:02) krzee: push "route 192.168.3.0 255.255.255.0" 04:17 < Bushmills> (11:15:19) Bushmills: JoelR, push "route ...." 
04:17 -!- fixUp [n=fixUp@92.29.116.13] has joined ##openvpn 04:18 < Bushmills> :D 04:18 < krzee> ahh lol 04:18 < krzee> i pasted from !route 04:18 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit ["Leaving"] 04:18 < Bushmills> ah, ok. that doesn't count. 04:18 < Bushmills> does it? 04:19 < krzee> welp 04:19 < krzee> i gotta go with yes 04:19 < fixUp> I'm currently trying to share a samba share via openvpn, the private network range for the server is 192.168.1.1-255, will this conflict if someone on the same range connects from behind a residential gateway ? 04:19 < krzee> had you coded something to answer it woulda counted too ;] 04:20 < krzee> fixUp, if i did, no... many many people yes 04:20 < krzee> should change the subnet 04:20 < krzee> also know you'll wanna mount by ip or enable wins (see !wins) 04:21 < Bushmills> fixUp: if there's a route to (samba) server through openvpn, return packets to client with address from same range will not go through interface the client packets came in 04:22 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 04:22 < fixUp> so really I should pick something in the middle of the 10.0.0.1 range ? 04:23 < krzee> yup 04:23 < krzee> something uncommon 04:23 < fixUp> ok 04:23 < krzee> for the lan and vpn subnets 04:24 < fixUp> Also, have seen some example configs for tying two networks together and one for "roadwarrior" users at hotspots etc, is it possible to set both of these up in parallel ? 04:25 < krzee> i already gave you !route 04:25 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 04:25 < krzee> you could add as many roadwarriors to that setup as you wanted 04:25 < krzee> and all 3 lans would be avail to each of them 04:27 < Bushmills> in fact, it should technically be possible to modify server code for an auto range setup, in which it probes for an unused wider 10.x.x.x random net. 
wider so that clients, when connecting can be assigned an address which is outside of their local possibly assigned 10.x networks. 04:29 < krzee> sure but then client to client and lan routing would break 04:29 < krzee> cause permissions already dropped, cant add new routes 04:29 < krzee> cant add routes to router on the fly 04:29 < krzee> etc 04:29 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Remote closed the connection] 04:29 < Bushmills> needs to probe for net during startup 04:29 < Bushmills> when still with root privs 04:30 < krzee> it cant probe clients that have yet to connect beforehand 04:30 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 04:30 < Bushmills> no, but clients can probe their own routing table 04:30 < Bushmills> on server side, their chosen ip address would be within the wider net the server has assigned for von use 04:31 < Bushmills> vpn 04:32 < krzee> lets say a client connects and gets 10.8.0.6 and next client has 10.8.0.0/24 lan, and gets a different subnet, no routing to the first client 04:32 -!- dazo_afk is now known as dazo 04:33 < krzee> i guess it doesnt break lan routing tho 04:33 < krzee> as long as the wider net can be specified 04:33 < Bushmills> that would affect client to client 04:33 < krzee> doesnt seem necessary tho 04:34 -!- znull [i=z@www.files2u.com] has left ##openvpn [] 04:34 < krzee> plenty of ranges that arent common 04:35 < Bushmills> but seems to be recurrent, that vpn ranges are assigned 192.168.[0..2].0/24 04:35 < Bushmills> oh well, who sets it to one of those, will probably also override an "auto" setting. 
04:35 < krzee> exactly 04:36 < krzee> since 10.8.0.x is default anywhere that has a default 04:50 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 104 (Connection reset by peer)] 04:50 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 05:03 < fixUp> kzree: is it possible to setup separate ip ranges for just the vpn address pool, e.g. keep the server and rest of the LAN on 192.168.1.0/24 and route to 10.8.0.x ? 05:10 -!- hyper_ch [n=hyper@93-58.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 05:33 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:36 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 05:40 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit ["The Lord of Murder Shall Perish."] 05:51 -!- fixUp [n=fixUp@92.29.116.13] has quit ["leaving"] 05:54 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn 05:57 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn 06:14 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 06:14 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Remote closed the connection] 06:14 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 06:19 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 06:25 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 06:33 -!- buntfalke [n=nobody@openvpn-p0-131.triple-a.uni-kl.de] has joined ##openvpn 06:34 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 06:38 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 06:38 -!- cpm [n=Chip@border0.avitecture.net] has joined ##openvpn 06:39 -!- JoelR [n=joel@193.145.14.94] has quit ["Saliendo"] 06:40 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 
104 (Connection reset by peer)] 06:41 -!- Netsplit over, joins: bvierra, krzie, optiz0r, Optic, fkr 06:42 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 06:42 -!- buntfalke is now known as Guest17638 06:47 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn 06:48 < cyrilb> hi 06:48 < cyrilb> openvpn constantly says "TCP/UDP: Socket bind failed on local address [undef]:4100: Address already in use" and netstat shows nothing used on port 4100 06:50 < cyrilb> hence, openvpn can't start 06:50 < cyrilb> I'm running lenny openvpn 2.1~rc11 06:50 < cyrilb> I read at http://forum.pfsense.org/index.php/topic,2785.30.html that it's a known "bug where processes are inheriting other socket descriptors" 06:50 < cyrilb> but a patch has been made in 2007 to fix this issue 06:50 < vpnHelper> Title: How restart OpenVPN server (at forum.pfsense.org) 06:50 < cyrilb> root@virtual4:~# netstat -nlp | grep :4100 06:50 < cyrilb> root@virtual4:~# 06:50 < cyrilb> root@virtual4:~# /etc/init.d/openvpn start server-4-from-backup1 06:50 < cyrilb> Starting virtual private network daemon: server-4-from-backup1 failed! 
06:50 < cyrilb> Dec 15 13:50:25 virtual4 ovpn-server-4-from-backup1[6097]: OpenVPN 2.1_rc11 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built o8 06:50 < cyrilb> Dec 15 13:50:25 virtual4 ovpn-server-4-from-backup1[6097]: /usr/sbin/openvpn-vulnkey -q /etc/openvpn/keys/shared.key 06:51 < cyrilb> Dec 15 13:50:25 virtual4 ovpn-server-4-from-backup1[6097]: TCP/UDP: Socket bind failed on local address [undef]:4100: Address alreadye 06:51 < cyrilb> Dec 15 13:50:25 virtual4 ovpn-server-4-from-backup1[6097]: Exiting 06:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 06:55 -!- cyrilb` [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn 06:56 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 06:58 -!- cyrilb` is now known as cyrilb 06:59 < cyrilb> netsplit... 07:00 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 07:01 < |Mike|> cyrilb: weird. 07:01 < cyrilb> |Mike|: yes :( 07:01 < |Mike|> telnet localhost 4100 ? 07:02 < cyrilb> Connection refused, indeed 07:02 < cyrilb> netstat shows nothing on port 4100 07:02 < cyrilb> both udp and tcp 07:02 < cyrilb> http://forum.pfsense.org/index.php/topic,2785.msg19656.html#msg19656 07:02 < vpnHelper> Title: How restart OpenVPN server (at forum.pfsense.org) 07:02 < cyrilb> sullrich says it's a "There is some kind of bug where processes are inheriting other socket descriptors." 
07:02 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:02 < cyrilb> and has committed a patch in 2007 07:03 < cyrilb> ~3 years ago 07:03 < ecrist> morning 07:03 -!- Guest17638 [n=nobody@openvpn-p0-131.triple-a.uni-kl.de] has quit [Read error: 110 (Connection timed out)] 07:04 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: LobbyZ, redfox, freaky[t], krphop 07:04 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 07:04 * ecrist is starting to think we're on effnet 07:05 < cyrilb> I tried persist-local-ip but it's the same result 07:05 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: robotti^ 07:06 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 07:07 < cyrilb> |Mike|: any idea how I could fix it? 07:07 < cyrilb> same issue here: http://www.dedibox-news.com/sujet-5552-openvpn-tcp-443 07:07 < vpnHelper> Title: DEDIBOX-NEWS.COM / OpenVPN en TCP/443 (at www.dedibox-news.com) 07:09 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 07:09 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 07:09 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 07:09 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 07:09 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 07:10 * |Mike| is a openvpn n00b 07:10 -!- freaky[t] [i=alpha@member.team-box.net] has quit [SendQ exceeded] 07:10 -!- robotti^ [i=robotti@kapsi.fi] has quit [Read error: 131 (Connection reset by peer)] 07:11 < ecrist> cyrilb: what OS are you running? 07:11 < cyrilb> ecrist: debian lenny amd64 07:11 < ecrist> did you compile from source, or use a package? 07:11 < cyrilb> debian package 07:11 < cyrilb> new test: switching back to UDP works (but I need TCP) 07:11 < ecrist> try installing 2.1.1 from source 07:11 < cyrilb> ok 07:13 < cyrilb> building... 
07:13 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 07:14 < cyrilb> ecrist: do you think it's a known issue of 2.1rc11 ? 07:15 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 07:15 < |Mike|> cyrilb: backport it while you're at it :D 07:15 < cyrilb> I wish 07:15 < ecrist> not according to the change log 07:15 < cyrilb> yeap :( 07:15 < cyrilb> |Mike|: I have to go to sid first 07:16 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Read error: 104 (Connection reset by peer)] 07:17 < cyrilb> ecrist: exact same issue with 2.1.1 :( 07:17 < cyrilb> Dec 15 14:17:28 virtual4 ovpn-server-4-from-backup1[5111]: TCP/UDP: Socket bind failed on local address [undef]:4100: Address already in use 07:17 < cyrilb> Dec 15 14:17:28 virtual4 ovpn-server-4-from-backup1[5111]: Exiting 07:17 < ecrist> cyrilb: does your problem only occur with port 4100 on tcp? 07:17 < cyrilb> root@virtual4:/etc/openvpn# openvpn --version 07:17 < cyrilb> OpenVPN 2.1.1 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Dec 15 2009 07:17 < cyrilb> ecrist: yes 07:18 < ecrist> cyrilb: please post your configs 07:18 < ecrist> cyrilb: so you can run on another tcp port without problems? 07:18 < cyrilb> ecrist: http://paste.debian.net/54064/ 07:19 < cyrilb> ecrist: easy one :( 07:19 < ecrist> cyrilb: I see your problem 07:19 < cyrilb> ecrist: great 07:19 < ecrist> you're binding your management interface to 127.0.0.1 on port 4100 and you're also trying to bind the openvpn application port at 4100 07:19 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Connection timed out] 07:20 < ecrist> what's happening is the management interface is binding to 4100 and then it exits right away because it can't bind the application to *:4100, which is why it doesn't show up in netstat 07:20 < cyrilb> ah 07:20 < cyrilb> I'm _sooo_ STUPID 07:20 < cyrilb> ecrist: is there a way to bind only to one specific ip? 
07:21 < ecrist> yes, local 07:21 < ecrist> local 07:21 -!- Netsplit simmons.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 07:21 < ecrist> you can have multiple local lines in a single config 07:21 < ecrist> local can also bind ports 07:21 < ecrist> so: local 10.0.0.3 4100\n local 10.0.0.4 1194 and so on 07:21 < cyrilb> Dec 15 14:21:46 virtual4 ovpn-server-4-from-backup1[10634]: TUN/TAP device tun100 opened 07:21 < cyrilb> Dec 15 14:21:46 virtual4 ovpn-server-4-from-backup1[10634]: /sbin/ifconfig tun100 10.2.4.100 pointopoint 10.2.100.4 mtu 1500 07:21 < cyrilb> Dec 15 14:21:46 virtual4 ovpn-server-4-from-backup1[10639]: Listening for incoming TCP connection on 88.191.109.40:4100 07:22 < cyrilb> \o/ \o/ 07:22 < ecrist> the only thing you can't do, iirc, is use tcp and udp at the same time 07:22 -!- Netsplit over, joins: bvierra, krzie, optiz0r, Optic, fkr 07:22 < ecrist> cyrilb: feel free to send beer 07:22 < cyrilb> ecrist: thank you so much 07:22 < cyrilb> is there a way I could donate to the openvpn project? 07:22 < ecrist> we're not part of the openvpn project, but I'm sure they have a way 07:23 < cyrilb> which project are you part of? 07:23 < ecrist> my own, I just like to help here. 07:23 < cyrilb> ok 07:23 < cyrilb> then maybe I could donate to you ? 07:24 < ecrist> sure. 07:24 < ecrist> I should start a donation account for this channel, though. 07:25 < cyrilb> ecrist: url? 07:25 < ecrist> paypal: ecrist@secure-computing.net 07:25 < ecrist> I'll setup an OpenVPN specific account today. 07:28 < ecrist> openvpn@secure-computing.net will work, as well. 07:28 < cyrilb> ecrist: I'm fixing the VPN first :) 07:28 < cyrilb> switching to TCP everywhere 07:29 < cyrilb> we are having packet loss since this morning and it's a nightmare with UDP 07:29 < ecrist> if you can, stay away from TCP for VPNs 07:29 < ecrist> !tcp 07:29 < vpnHelper> ecrist: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 07:30 < cyrilb> good to know 07:31 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:35 < cyrilb> ecrist: the fact is I'm having a VPN mesh over some 40 hosts / 5 networks 07:35 < cyrilb> ecrist: with sometimes network half-failures, like packet loss, etc. 07:35 < cyrilb> ecrist: on UDP VPN, it's a mess 07:36 < cyrilb> I wish I could have avoided tcp 07:36 < cyrilb> but it's not possible 07:36 < cyrilb> I need a bulletproof vpn 07:38 -!- Guest17638 [n=nobody@openvpn-p0-131.triple-a.uni-kl.de] has joined ##openvpn 07:39 < |Mike|> packetloss due to the firewalls in between? 07:40 < cyrilb> |Mike|: due to routers and WAN links 07:40 < cyrilb> probably saturation and other things out of my control 07:47 < |Mike|> Q: (non vpn related) I'm looking for a way that user X can use chmod to make directories writable for user www-data without giving him root, who has an idea? 07:47 -!- dextor[work] [n=dextor[w@59.162.86.164] has joined ##openvpn 07:48 < ecrist> sudo 07:48 < |Mike|> Got an example? 07:48 < ecrist> but you need to be careful 07:48 < |Mike|> Yeah, that's exactly why i'm asking while browsing through my linux security cookbook :) 07:48 < ecrist> just set the command with parameters 07:48 < ecrist> let me get an example 07:49 < Ziber> |Mike|: make a script, with the setuid bit set for root. 
:) 07:49 < cyrilb> ecrist: ok I switched all the VPN to TCP 07:49 < cyrilb> heehaa 07:49 < ecrist> |Mike|: here's an example for a restart to nagios: OREON tiger = NOPASSWD: /usr/local/etc/rc.d/nagios restart 07:50 < ecrist> for user OREON, on host tiger, without requiring a password, and only a specific command with a specific set of arguments 07:50 < ecrist> Ziber: that won't work on some systems 07:50 < ecrist> FreeBSD, for example, restricts setuid on scripts 07:50 < |Mike|> The directories which user X wants to make writable for user www-data are not available yet ecrist, (user x is a developer with no clue about security ) 07:50 < Ziber> ecrist: ... A friend of mine was just talking about doing that on fbsd 07:51 < ecrist> Ziber: I'm telling you, it won't work. 07:51 < ecrist> there is a perl option, but it requires a special perl binary to work 07:52 < Ziber> well, i dont know the specifics, and havent seen proof, but a friend of mine told me that he did that... 07:52 < ecrist> he lies 07:53 < ecrist> -rwsrwxrwx 1 root ecrist 17 Dec 15 07:52 test.sh 07:53 < ecrist> ecrist 07:53 < ecrist> that script simply outputs whoami 07:53 < ecrist> it's owned by root, setuid root 07:53 < ecrist> running it shows who I really am 07:53 < ecrist> there's your proof 07:54 < ecrist> from my /exec -o: 07:53 -!- Irssi: process 0 (ls -l test.sh && sh test.sh) terminated with return code 0 07:54 < ecrist> |Mike|: you have another option 07:55 < ecrist> put user www-data and your developer in the same group and give that group the write access 07:55 < ecrist> just tell him to make sure all files have write access given to the shared group 07:55 < ecrist> no need for root in that case 07:56 < cyrilb> ecrist: woops, I sent € 07:56 < cyrilb> ecrist: I could have sent $ ... 07:56 < cyrilb> too late 07:57 < ecrist> no worries 07:57 < cyrilb> ecrist: paypal will charge you exchange rate € -> $ 07:57 < ecrist> cyrilb: very generous, thank you. 
07:58 < |Mike|> ecrist: thanks for your input! (my mind flows to windows developers with private key pairs which could get compromised.... (yes i think in worst-case scenarios :P)) 07:58 < cyrilb> ecrist: I could have sent $ directly from my account in $ 07:58 < cyrilb> anyways 07:58 < |Mike|> *windows webdevelopers 07:58 < cyrilb> ecrist: thank YOU for your help 07:59 -!- g-ram [n=gsaathof@rrcs-72-45-142-1.nys.biz.rr.com] has joined ##openvpn 08:00 < ecrist> :D 08:01 < Ziber> Where could I find a good tutorial to setup a basic VPN, with all the cert files and everything? 08:01 < ecrist> in the howto 08:01 < ecrist> !howto 08:01 < vpnHelper> ecrist: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:01 < ecrist> or !freebsd 08:01 < ecrist> !freebsd 08:01 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server 08:18 < Ziber> Well, I setup all the keys, certs, etc, copied them where they had to be, and get the following error: http://zpaste.org/5162 08:20 < cyrilb> ecrist: I'm still having issues with the VPN :( 08:20 < ecrist> Ziber: post your configs, and full logs please 08:20 < ecrist> cyrilb: what problems? 08:20 < Ziber> ecrist: Full logs...? And alright. 08:21 < ecrist> !logs 08:21 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 08:21 < Ziber> k... 08:23 < Ziber> Configs: http://zpaste.org/5163 08:23 < Ziber> Alpha log: http://zpaste.org/5164 08:24 < Ziber> Bravo log: http://zpaste.org/5165 08:31 < Ziber> This happened last time I tried to set this up, but I dont remember how I fixed it. 08:33 < ecrist> looking now 08:33 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:33 < Ziber> k. 08:33 < ecrist> line 5 change to 10.0.0.1 255.255.255.0 08:33 < Ziber> on alpha? 
08:33 < ecrist> yes 08:34 < ecrist> also, I need your full logs, from startup to shutdown 08:34 < ecrist> you're only giving me part 08:35 < Ziber> the bravo logs just repeat like that. 08:35 < Ziber> and, i got an error on alpha when i did that 08:35 < reiffert_> ecrist: --server network mask, so 10.0.0.0 is correct. 08:36 < ecrist> yes, you're right, ignore me on that one, Ziber 08:36 < ecrist> Ziber: you're still missing the startup portion of the logs 08:36 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out] 08:37 < ecrist> set to verb 6, too, please 08:37 < reiffert_> ecrist: is he on BSD? 08:37 < Ziber> I have to go to class, but I did notice that bravo doesnt get a tap0 interface... 08:37 < Ziber> reiffert_: no, im not 08:37 < Ziber> and bbl :( 08:37 < reiffert_> Ziber: which openvpn version? 08:38 < ecrist> reiffert_: I think so 08:38 < ecrist> Ziber: you won't get a tap0, you should get a tun0, though 08:39 < reiffert_> depends. not if he's on windows. 08:39 < ecrist> windows usually has a single static interface, in my experience 08:39 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit ["Leaving"] 08:39 < ecrist> reiffert_: pm? 
08:40 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn --- Log closed Tue Dec 15 08:52:45 2009 --- Log opened Tue Dec 15 08:52:49 2009 08:52 -!- ecrist [n=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 08:52 -!- Irssi: ##openvpn: Total of 87 nicks [0 ops, 0 halfops, 0 voices, 87 normal] 08:53 -!- Irssi: Join to ##openvpn was synced in 33 secs 08:54 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn 08:54 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has quit ["ERC Version 5.3 (IRC client for Emacs)"] 08:55 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn 08:59 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 08:59 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 08:59 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:00 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Success] 09:00 -!- tarbo2 [n=me@unaffiliated/tarbo] has quit [SendQ exceeded] 09:01 -!- tarbo2 [n=me@unaffiliated/tarbo] has joined ##openvpn 09:05 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 09:06 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 09:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Connection timed out] 09:07 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 09:07 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn 09:09 -!- dextor[work] [n=dextor[w@59.162.86.164] has quit [Read error: 104 (Connection reset by peer)] 09:21 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Read error: 60 (Operation timed out)] 09:23 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 09:27 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn 09:27 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Sky[x], Lilarcor, r0fl, CaBa, rwp, vlt, julius, crazygir, Zordrak, Lyndon_, (+12 more, use /NETSPLIT to 
show all of them) 09:28 -!- corretico [n=laguilar@201.201.46.106] has quit [Operation timed out] 09:31 -!- Netsplit over, joins: Sky[x], Lilarcor, vpnHelper, APTX|, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills (+11 more) 09:31 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 09:32 -!- g-ram [n=gsaathof@rrcs-72-45-142-1.nys.biz.rr.com] has quit [Read error: 54 (Connection reset by peer)] 09:32 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 09:36 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn 09:36 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 09:36 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 09:36 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 09:36 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 09:36 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 09:36 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 09:36 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 09:36 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 09:36 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 09:36 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 09:36 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 09:36 -!- sdh [n=steve@steve.st] has joined ##openvpn 09:36 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 09:36 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 09:37 -!- coil_ [i=stfu@unaffiliated/coil] has joined ##openvpn 09:40 -!- _phusion__ [i=phusion@88.80.16.38] has quit [Read error: 104 (Connection reset by peer)] 09:41 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn 09:51 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, 
sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 09:55 -!- drue_ is now known as drue 10:01 -!- Netsplit over, joins: Lilarcor, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_ (+5 more) 10:04 -!- dextor[work] [n=dextor[w@122.182.0.38] has joined ##openvpn 10:07 < Ziber> ecrist: I dont get any new interfaces on bravo 10:07 < ecrist> what OS is bravo? 10:07 < Ziber> ubuntu 9.10 10:08 < ecrist> are you running as root? 10:08 < Ziber> yes. 10:11 -!- Rienzilha is now known as Rienzilla 10:11 < Ziber> bravo config: http://zpaste.org/5166 10:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+6 more, use /NETSPLIT to show all of them) 10:11 < Ziber> im thinking it says its unroutable because there's no interface to route to 10:12 < ecrist> Ziber: your posted server config above indicated tun, not tap 10:12 < ecrist> which is it? 10:12 < ecrist> and remove the ifconfig line 10:12 < ecrist> from bravo 10:13 < Ziber> I changed it to tap, and I removed the ifconfig. 10:13 < ecrist> why did you change it to tap 10:13 < Ziber> because its tap on alpha. 10:14 < Ziber> wait, no its not. 10:14 < Ziber> changes it back 10:14 < Ziber> alright, so its tun on both now. alpha has tun0 interface, bravo doesnt. 10:15 < ecrist> full logs, verb 6 from bravo, please 10:18 < Ziber> k one sec 10:21 < Ziber> http://zpaste.org/5167 10:22 -!- Netsplit over, joins: Lilarcor, dextor[work], vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike| (+6 more) 10:25 < Ziber> ecrist: And again, I have class in a few mins. Will be back in couple of hours... 10:25 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: coil_ 10:28 < Ziber> ecrist: PM if you'd like, I'll see it when I get back. 
10:28 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 10:29 -!- Netsplit over, joins: coil_ 10:46 -!- Guest17638 [n=nobody@openvpn-p0-131.triple-a.uni-kl.de] has quit [Remote closed the connection] 10:47 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 10:48 -!- dextor[work] [n=dextor[w@122.182.0.38] has quit [Read error: 104 (Connection reset by peer)] 10:54 < Ziber> im back for a few mins 10:55 < Ziber> ecrist: notice anything? 10:59 < ecrist> sorry, haven't looked 11:01 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: master_of_master, robert_, rlarson85, hobbsc, Rienzilla, LowKey, mgolisch, pa, freaky[t], LittleJ, (+5 more, use /NETSPLIT to show all of them) 11:01 < ecrist> Ziber: you still haven't posted an entire log 11:01 < ecrist> your log ends too early 11:03 -!- hobbsc [n=zalgo@altbit.org] has joined ##openvpn 11:03 -!- Netsplit over, joins: mgolisch 11:04 -!- Netsplit over, joins: LittleJ 11:04 -!- Netsplit over, joins: pekster 11:04 -!- Netsplit over, joins: Rienzilla 11:06 -!- Netsplit over, joins: phusion__ 11:06 -!- Netsplit over, joins: LowKey 11:09 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 11:09 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn 11:09 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 11:09 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:09 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 11:09 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 11:09 -!- rlarson`` [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn 11:10 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood] 11:11 -!- master_o1_master [n=master_o@84.157.118.207] has joined ##openvpn 11:11 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 11:15 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: 
Lilarcor, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 11:19 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: master_of_master, rlarson85, master_o1_master, pa, freaky[t], sigius 11:22 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:23 -!- master_o1_master [n=master_o@84.157.118.207] has joined ##openvpn 11:23 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 11:23 -!- rlarson85 [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has joined ##openvpn 11:23 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 11:23 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:23 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 11:24 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn 11:24 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:24 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 11:24 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 11:24 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 11:24 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 11:24 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 11:24 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 11:24 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 11:24 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 11:24 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 11:24 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 11:24 -!- sdh [n=steve@steve.st] has joined ##openvpn 11:24 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 11:24 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 11:25 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has quit [Connection timed out] 11:25 -!- master_of_master 
[i=master_o@84.157.118.207] has joined ##openvpn 11:26 -!- master_o1_master [n=master_o@84.157.118.207] has quit [SendQ exceeded] 11:33 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: sigius, pa, rlarson85, master_of_master, freaky[t] 11:35 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 11:42 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn 11:42 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, (+6 more, use /NETSPLIT to show all of them) 11:43 -!- Netsplit over, joins: Lilarcor, master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike| (+6 more) 11:44 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^, mgolisch, yoshx 11:44 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, optiz0r, bvierra, fkr 11:44 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: mattock, robert_, coil_, LittleJ, tiav, krphop, redfox, mikkel, LobbyZ 11:46 -!- Netsplit over, joins: yoshx 11:46 -!- Netsplit over, joins: coil_ 11:47 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 11:48 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 11:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 11:49 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 11:49 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 11:49 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 11:49 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 11:49 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 11:49 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 11:49 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 11:49 -!- mgolisch [n=michi@85.93.11.18] has joined ##openvpn 11:49 -!- robert__ [n=hellspaw@r-butler.net] has joined ##openvpn 11:50 -!- robert_ 
[n=hellspaw@objectx/robert] has quit [Excess Flood] 11:54 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 11:54 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 11:54 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 11:54 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn 11:54 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 11:54 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, master_of_master, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, (+6 more, use /NETSPLIT to show all of them) 11:54 -!- Netsplit over, joins: Lilarcor, master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike| (+6 more) 11:55 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded] 11:55 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit [SendQ exceeded] 11:57 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn 11:57 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 11:57 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 11:59 -!- dazo is now known as dazo_afk 12:03 -!- IrCYop1 [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has joined ##openvpn 12:13 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection] 12:24 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 12:24 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^ 12:25 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: mattock, LittleJ, krphop, redfox, mikkel 12:25 -!- Netsplit over, joins: krphop, mikkel, LittleJ, mattock, redfox 12:25 -!- Netsplit over, joins: robotti^ 12:27 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 12:27 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 12:27 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 12:27 -!- Optic 
[n=Optic@miso.capybara.org] has joined ##openvpn 12:27 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 12:28 -!- LittleJ [n=linuz@82.78.185.26] has quit ["changing servers"] 12:29 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 12:29 -!- robotti^_ [i=robotti@217.30.184.161] has joined ##openvpn 12:29 -!- robotti^ [i=robotti@kapsi.fi] has quit [Read error: 131 (Connection reset by peer)] 12:30 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 12:31 -!- notneb_ is now known as openvpn2009 12:32 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, master_of_master, r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, (+6 more, use /NETSPLIT to show all of them) 12:32 -!- Netsplit over, joins: bvierra, krzie, optiz0r, Optic, fkr 12:33 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^_ 12:34 -!- Netsplit over, joins: robotti^_ 12:39 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 12:39 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn 12:39 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 12:39 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 12:39 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 12:39 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 12:39 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 12:39 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 12:39 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 12:39 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 12:39 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 12:39 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 12:39 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 12:39 -!- sdh [n=steve@steve.st] has joined ##openvpn 12:39 -!- CaBa [i=caba@unique-inter.net] 
has joined ##openvpn 12:39 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 12:45 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 12:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Lilarcor, r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, (+6 more, use /NETSPLIT to show all of them) 12:50 -!- plaerzen [n=carpe@vip1.tundraeng.com] has joined ##openvpn 12:50 * plaerzen waves. 12:51 < ecrist> hey plaerzen 12:51 < ecrist> long time no see 12:51 < ecrist> with the ddos, we may not see you long. ;) 12:51 < plaerzen> I haven't been punted yet. Just spammed 12:52 < plaerzen> And yeah, been a while. I'm not really useful to this channel... so, yeah. 12:52 < ecrist> but you're solid emotional support. ;) 12:52 -!- Irssi: ##openvpn: Total of 68 nicks [0 ops, 0 halfops, 0 voices, 68 normal] 12:52 < plaerzen> lol 12:53 -!- Netsplit over, joins: master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_ (+5 more) 12:53 < plaerzen> I am doing some pretty cool work. Samba4 pdc migration (win2k AD -> samba4) is my latest nifty project. 12:53 < ecrist> plaerzen: ldap on backend, or local users? 12:54 < plaerzen> ecrist, ldap. But samba4 has its own ldap implementation built in 12:54 < plaerzen> and krb5 12:54 < ecrist> really? 12:54 * plaerzen nods. 12:54 < ecrist> interesting 12:54 < plaerzen> you can even administer it using mmc snap-ins 12:55 < plaerzen> just like AD 12:55 < ecrist> wow 12:55 < ecrist> not a fan of mmc, since I don't use windows to administer, but still interesting. 12:55 < plaerzen> it's still alpha though. I'm having an issue with global catalogue right now.
12:56 < ecrist> I've been looking to roll our samba server into a dc 12:56 < ecrist> we have half a dozen windows boxes we'd like to roll to our ldap system 12:56 < ecrist> everything else on the network uses ldap, except our windows systems 12:56 < ecrist> they're low enough priority that I'm not sweating it, but I'd love to do roaming profiles. 12:57 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 12:57 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 12:57 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 12:57 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn 12:57 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 12:57 < plaerzen> Ah cool. It's fairly simple with samba 4. Samba 3 is a little more tricky, but there's plenty of docs out there for it. 12:59 < plaerzen> anyway, krzie will flip if we keep talking about samba. 12:59 < plaerzen> man, openvpn is wicked, eh? 12:59 < ecrist> lol 12:59 < ecrist> I'll just punt krzie to next week. 12:59 < ecrist> I can easily DDoS *him* 13:00 * plaerzen snickers. 13:00 < ecrist> an snmp write and his port goes down. :) 13:01 * ecrist is just playing. 13:02 < plaerzen> At my last job, I had like 30 servers connected to head office and dc via openvpn, so it was a little more relevant. This job? Nothing. 13:03 < ecrist> we have a DC, and all developers/road warriors connect with openvpn, and our office acts as a client on the vpn, as well.
13:10 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, bvierra, optiz0r, fkr, Optic 13:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 13:17 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 13:17 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 13:17 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 13:17 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 13:17 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 13:17 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 13:17 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 13:17 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 13:17 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 13:17 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 13:17 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 13:17 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 13:17 -!- sdh [n=steve@steve.st] has joined ##openvpn 13:17 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 13:17 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 13:18 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 13:21 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 13:21 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 13:21 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 13:21 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn 13:21 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 13:21 -!- Netsplit over, joins: master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, 
Zeit|awy, r0fl, Bushmills, |Mike|, sauce_ (+5 more) 13:21 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Connection reset by peer] 13:23 -!- xenophile7x7 is now known as BuildForIt 13:23 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 13:23 -!- BuildForIt is now known as xenophile7x7 13:24 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 13:24 < julius> do I have to copy the diffie-hellman parameters to every client? 13:25 < ecrist> I think that's only on the server 13:25 < julius> okay 13:33 < julius> yay it works 13:33 * julius is restructuring his network, replacing an old openvpn setup along with his old CA 13:36 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 13:37 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:42 -!- Netsplit over, joins: master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_ (+5 more) 13:43 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn 13:51 < grub_booter> hi all - I'm using openvpn to connect to my work - is there any way that I can seamlessly share the vpn throughout my lan? currently, I'm having to stop the running openvpn instance and restart when I want to move from machine to machine :-) 14:10 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^_ 14:11 -!- Netsplit over, joins: robotti^_ 14:11 < krzee> !route 14:11 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 14:12 < ecrist> grub_booter: yes, you simply need to install openvpn on your gateway and nat outgoing traffic to the vpn 14:14 < grub_booter> ok - and the link krzee pointed at is the doc on this?
14:15 < ecrist> it'll get you going, for sure 14:15 < grub_booter> cool - thanks guys 14:17 < grub_booter> dumb question probably, but does that give you name resolution as well? 14:18 < ecrist> not unless you setup DNS 14:19 < grub_booter> ah - yeah :-) - np 14:32 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:48 < Sky[x]> what do I have to add in the client conf to get all traffic via VPN? 14:49 < ecrist> you need, on the server, push "redirect-gateway def1" 14:51 < Sky[x]> only that I have to change? 14:51 < ecrist> you need to nat traffic, too 14:52 < Sky[x]> I have to find some how-to, do you know of some? 14:55 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has quit ["ERC Version 5.3 (IRC client for Emacs)"] 14:59 < julius> is there a common mistake made when the connection times out after the initial packet? 15:00 -!- n5 [n=nop@78.61.210.152] has joined ##openvpn 15:01 < n5> !configs 15:01 < vpnHelper> n5: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:01 < n5> !howto 15:01 < vpnHelper> n5: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:02 < n5> Hello, quick question: I have a few IPs on the server and I want to use only one of them, and leave the others accessible. Can anyone help me with the config? Should I add something to dev tap? 15:03 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn 15:04 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 15:07 -!- int is now known as int_ 15:10 -!- gleblanc [n=chatzill@173-81-17-224-pkbg.atw.dyn.suddenlink.net] has joined ##openvpn 15:11 < gleblanc> Hi folks 15:11 < gleblanc> I've got an interesting problem that I'd like some advice on debugging.
15:11 -!- plaerzen [n=carpe@vip1.tundraeng.com] has left ##openvpn ["Leaving"] 15:12 < gleblanc> I have an OpenVPN server running on Windows Server 2003. I set up a VPN between several remote sites and the main network using some ASUS firewall boxes running dd-wrt 15:13 < gleblanc> I have a couple of machines that will cause the VPN link to stop passing traffic when they connect to the OpenVPN server via http 15:18 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 15:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 15:34 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 15:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: redfox, mikkel, krphop 15:50 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [] 15:50 -!- Netsplit over, joins: krphop, mikkel, redfox 15:50 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 15:54 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^_ 15:58 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 15:58 -!- robotti^_ [i=robotti@217.30.184.161] has joined ##openvpn 15:58 -!- n5 [n=nop@78.61.210.152] has quit [Killed by sagan.freenode.net (Nick collision)] 15:58 -!- robotti^_ [i=robotti@217.30.184.161] has quit [Read error: 131 (Connection reset by peer)] 15:58 -!- n5 [n=nop@78.61.210.152] has joined ##openvpn 16:00 < Sky[x]> how do I add a route if I have the vpn on 10.8.0.0? 16:00 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: hobbsc, LobbyZ, pa, KaiForce, mgolisch 16:01 < Sky[x]> route ADD 10.8.0.0 MASK 255.255.255.0 192.168.1.1 will that be ok? 16:02 -!- Netsplit over, joins: KaiForce, mgolisch 16:02 -!- hobbsc [n=zalgo@altbit.org] has joined ##openvpn 16:02 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Remote closed the connection] 16:03 -!- Netsplit over, joins: LobbyZ 16:04 < n5> what config option binds an ip address?
16:04 < Sky[x]> ? 16:06 < n5> I have 2 IPs on my PC and I want the openVPN client to bind only to one ip 16:07 < n5> it now uses both 16:07 < krzie> why have it bind to either ip? 16:07 < krzie> it's only a client, give it nobind 16:09 < n5> krzie my config file: http://pastebin.ca/1716307 16:09 < n5> when I start it, my 2 local ips are both not accessible, only through VPN 16:09 < n5> And I want one of them to be accessible, and openVPN not to use it at all 16:10 < krzie> I have no idea what you're trying to say 16:10 < n5> and with my english I don't understand from the sample files on the openvpn website what I should add 16:11 < n5> terrible :D 16:11 < krzie> what is your primary lang? 16:11 < Bushmills> n5, do you know that openvpn creates a tunnel between two systems, and through emulated (in software) network interfaces 16:11 < n5> lithuanian 16:13 < krzie> eww, dev tap with shared key 16:13 < n5> Okay, I have ordered VPN service from my ISP, they sent me that config file, and when I set up everything my server is only accessible from different IPs from the tunnel... Now my 2 local IPs are gone, I can't access them, only the VPN ip 16:13 < n5> I have IPs a.b.c.d and a.b.c.e 16:14 < n5> I want the tunnel to use only one ip, or somehow to do it so that my real IPs are accessible too 16:14 < n5> because now, they are not 16:14 < krzie> omg a vpn service gave you that config?? 16:14 < krzie> that's crazy 16:14 < Bushmills> n5, openvpn doesn't want to use already existing ip addresses, but gives you interfaces for new ip addresses 16:15 < n5> okay, so why is it that when I start that config, my eth0 interface and eth0:1 interface ips are not accessible? 16:15 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 16:15 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 16:15 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Connection timed out] 16:16 < n5> so did anyone understand me?
heh 16:18 < krzie> not me, but it sounded like Bushmills did 16:18 < krzie> I'm stuck at how terrible the setup is for the vpn service you bought 16:18 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 16:18 < krzie> they must have 1000 tap devices on their server, lol 16:18 < n5> but it's stable and good :D 16:18 < Bushmills> n5, because your routing table has an entry to the openvpn device now, is my guess 16:19 < n5> yes, so what should I do? 16:19 < Bushmills> check it. confirm it 16:19 < krzie> I would be upset that I had to tunnel layer2 to my provider 16:19 < n5> ifconfig 88.80.28.199 255.255.255.128 16:19 < krzie> I would also try some layer2 attacks against them 16:19 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Remote closed the connection] 16:20 < n5> Bushmills, this is the line? 16:20 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 54 (Connection reset by peer)] 16:20 < Bushmills> no. look at your routing table 16:20 < n5> I don't have such in the config I guess 16:20 < n5> route-gateway 88.80.28.129 16:20 < n5> only this one 16:20 < Bushmills> netstat -r 16:20 < krzie> -rn 16:21 < Bushmills> -rn that's for us to check. -n is for him to check :D 16:21 < Bushmills> ehm ..
-r I mean 16:22 < krzie> annoying to get stuff resolving on you, then you get to tell him to do it again with -rn ;] 16:22 < Bushmills> true 16:22 < n5> Bushmills okay, now openvpn is off, and in routing I see my ip, and gateway 16:23 < krzie> pastebin netstat -rn while connected and while not connected 16:23 < n5> when I put openvpn online, I will be able to access my server only from the vpn's ip, not the server's ip 16:23 < krzie> pastebin 16:23 < n5> ok 16:23 < Bushmills> you want to know what connecting to the openvpn server adds to your routing table 16:24 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 16:25 < Bushmills> krzie: I am getting experienced with reading adventurous english by helping out in the dealextreme forum. n5's english is very good, in comparison to some folks there. 16:25 < n5> http://pastebin.ca/1716341 16:25 < n5> here u go 16:25 < n5> Bushmills 16:27 < n5> so my IP is not accessible when openvpn is on 16:30 < n5> thanks for my english, anyway krzie didn't understand it :D 16:31 < Bushmills> krzie: here is an example of some english there: http://forthfreak.net/snap/1260916241671012835.png 16:33 < krzie> wow Bushmills 16:34 < Bushmills> n5, it looks like you should be able to access your local network devices, but not what is behind them, on the LAN 16:34 < Bushmills> krzie: I translated that to: http://forthfreak.net/snap/1260916358482887407.png 16:34 < n5> yes, I can access the local ip but not the pub ip, how do I change that? 16:35 < n5> btw I have 2 ips, 112 and 119 16:35 < Bushmills> the reason is that your provider tells your machine to route everything through the vpn 16:35 < n5> public, and vpn makes them both not accessible 16:35 < krzie> plus I believe that's what you're paying for 16:35 < n5> Bushmills so how do I make it not route everything?
16:36 < Bushmills> except what goes to 192.168.0.1-255 16:36 -!- sheldon [i=sheldon@ASt-Lambert-153-1-19-225.w81-249.abo.wanadoo.fr] has joined ##openvpn 16:36 < krzie> n5, are you paying for vpn service for all your outbound internet? 16:36 < n5> krzie I'm controlling the config file :) 16:36 < Bushmills> and 92.61.40.112-127 16:36 < n5> so how do I make it only for 92.61.40.112, not for 92.61.40.112-127? 16:37 < krzie> n5, are you paying for vpn service for all your outbound internet? 16:37 < krzie> the point is so when you make an outbound connection it goes over the vpn? 16:38 < n5> it's like I config in my configuration file, it's my decision all or not all, I'm paying for all 16:38 < krzie> it's not your decision 16:38 < krzie> because 16:38 < krzie> it's a route for INTERNET ips 16:38 < n5> their sample config makes it route all, and I'm asking what I need to modify in the config to change it 16:39 < krzie> when they make a connection to you, you reply over your default gateway 16:39 < krzie> which is the vpn 16:39 < krzie> unless you make separate routes for each host you don't want to go over the vpn 16:39 < n5> yes, so how do I make only one of the two ips make that connection through the gateway, not both 16:39 < Bushmills> does your client config file contain redirect-gateway ?
16:39 < n5> http://pastebin.ca/1716307 16:39 < Bushmills> actually, redirect-gateway def1 16:39 < krzie> it's not that they can't reach you over those ips, it's that you can't reply except over the vpn 16:39 < n5> that's my config file Bushmills 16:39 < Bushmills> line 8 16:40 < Bushmills> removing that one prevents your client from routing all traffic through the vpn 16:40 < n5> yes krzie I understand you, so how do I fix it :) 16:40 < Bushmills> better comment it out only, maybe it is, after all, what you actually want 16:40 < krzie> if you gave a route to bypass the vpn for google, then google could contact you over some other ip 16:40 < n5> Bushmills ok, I will try :D it will route only traffic I access from that openvpn's ip? 16:40 < krzie> one of your normal ips 16:40 < Bushmills> maybe 16:41 < krzie> but with your default route going over the vpn, all your responses will go over the vpn and you'll never get a connection to your normal ips 16:41 -!- robert__ [n=hellspaw@r-butler.net] has quit [Client Quit] 16:42 < n5> yes krzie and I want openvpn requests to go through openvpn, and my real ip requests through the real ip 16:42 < krzie> what you're looking to do can't be done really 16:42 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit] 16:42 < krzie> it's not how networking works 16:42 < krzie> it's not an openvpn limitation, it's just basic networking 16:42 < n5> you're wrong :D you just really don't understand me 16:42 < krzie> you could put the other ips on a different machine... 16:42 -!- freaky[t] [i=alpha@member.team-box.net] has quit [SendQ exceeded] 16:42 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 16:42 < krzie> or on a virtual machine 16:42 < n5> so why are the local ips accessible?
16:43 < krzie> but you're basically asking how to have different routing tables per ip 16:43 < krzie> n5, but you want all outbound to internet to go over the vpn? 16:43 < n5> no krzie I have 2 IPs 16:43 < n5> not 1 16:43 < krzie> you want outbound internet connections over the vpn or not? 16:44 < n5> no 16:44 < krzie> was that my question? 16:44 < krzie> you want outbound internet connections over the vpn or not? 16:44 < n5> look I have 1 VPN ip and 2 IPs of my server 16:44 < krzie> ok, then do what bushmills said 16:44 < krzie> line 8 16:45 < krzie> better comment it out only, maybe it is, after all, what you actually want 16:46 < n5> ok works fine :D 16:46 < n5> thank you :D 16:46 -!- Netsplit over, joins: master_of_master, vpnHelper, reiffert_, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_ (+5 more) 16:47 < n5> just one question :) 16:47 < n5> When someone goes to my webserver through the VPN, does he get the answer back through my VPN ip or the real one? 16:47 < n5> :D 16:48 < n5> ah, never mind, I will sort this out, anyway, huge thanks Bushmills and krzie for the help 16:50 -!- blazon [n=blazon@unaffiliated/blazon] has left ##openvpn [] 16:53 < Bushmills> you're welcome, didn't hurt. 16:53 -!- g` [n=nop@78.61.210.152] has joined ##openvpn 16:55 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa 16:55 < krzie> n5, with redirect-gateway def1 responses go through vpn, without it they go through normal ip 16:55 < krzie> and there is no way to override that except for individual hosts 16:55 < g`> aha 16:56 -!- n5 [n=nop@78.61.210.152] has quit [Nick collision from services.] 16:56 -!- g` is now known as n5 16:56 < krzie> (or individual subnets) 16:56 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^ 16:58 -!- Netsplit over, joins: robotti^ 16:59 < n5> okay, so now if someone accesses my webserver through the VPN IPs he will get the answer from the same VPN IPs? and a web user who accesses my ip directly will get the answer from my direct ip, yes?
16:59 < krzie> no 17:00 < krzie> only 1 or the other, based on if you use redirect-gateway 17:00 < krzie> and only one will work 17:00 < krzie> if you use redirect-gateway only vpn ip will work 17:00 < krzie> if not, only real ips will work 17:00 < n5> I put #redirect-gateway off, and I can access the server through the VPN ip 17:00 < krzie> because the source ip comes to you both ways ok, but you respond to it via your default route 17:00 < n5> and through the real ip 17:01 < krzie> right but only cause YOU have a route back 17:01 < krzie> I don't 17:01 < n5> so the answer from my server ip, only from 1 real ip 17:01 < krzie> so if I hit you through the vpn ip, you will respond through the normal ip 17:01 < krzie> and we won't have a connection 17:02 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: redfox, mikkel, krphop, sheldon 17:02 < n5> now, I have 2 real ips, maybe I can route only one ip back through the VPN? 17:03 < krzie> nope, not without separate routing tables 17:03 -!- Intensity [i=[+ZHqpPh@unaffiliated/intensity] has joined ##openvpn 17:03 < krzie> which is what I told you earlier, when you said I was wrong 17:03 < n5> aha 17:03 < krzie> it's basic networking =] 17:03 < n5> and you say I can't create different routing tables, yes?
17:03 < krzie> correct 17:03 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 17:04 < krzie> unless you use a virtual machine or separate computer 17:04 < n5> ok, then it sux a bit :D 17:04 -!- sheldon [i=sheldon@ASt-Lambert-153-1-19-225.w81-249.abo.wanadoo.fr] has joined ##openvpn 17:04 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 17:04 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 17:04 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 17:05 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded] 17:06 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 17:07 < n5> ok thx krzie :D 17:07 < krzie> yw 17:08 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 17:11 -!- IrCYop1 [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has quit ["Leaving."] 17:14 -!- vlt [n=dm@suez.activ-job.com] has left ##openvpn [] 17:15 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, master_of_master, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, (+5 more, use /NETSPLIT to show all of them) 17:15 -!- sheldon [i=sheldon@ASt-Lambert-153-1-19-225.w81-249.abo.wanadoo.fr] has quit [] 17:15 -!- Zordrak_ [n=jaz@unaffiliated/zordrak] has joined ##openvpn 17:16 -!- phusion__ [i=phusion@88.80.16.38] has quit ["changing servers"] 17:16 < n5> krzie but why can't I set up one of my ips to use the VPN gateway? I can in the config file 17:17 < Ziber> Why would I be getting "TLS handshake failed" errors? 17:18 -!- kala_ [i=kala@uba.linux.ee] has quit [Read error: 110 (Connection timed out)] 17:21 < krzie> Ziber I told you yesterday to rebuild your whole PKI following the howto 17:21 < magic_1> could be that your keys are not done properly 17:21 < krzie> ziber, I also fixed all your configs yesterday 17:21 < Ziber> krzie: I did.
17:21 < Ziber> Well, "fixed" didn't fix them 17:21 < krzie> basically, I did your whole vpn and you just gotta rebuild your keys correctly, and follow my !route document for the lans 17:22 < krzie> ;] 17:22 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has joined ##openvpn 17:22 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 17:22 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 17:22 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 17:22 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 17:22 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 17:22 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 17:22 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 17:22 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 17:22 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 17:22 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 17:22 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn 17:22 -!- sdh [n=steve@steve.st] has joined ##openvpn 17:22 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 17:22 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 17:22 < Ziber> well, I copied those confs, made the necessary adjustments, and it doesn't work... 17:25 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 17:29 -!- Zordrak [n=jaz@unaffiliated/zordrak] has quit [Read error: 110 (Connection timed out)] 17:30 < krzie> because your certs aren't good 17:30 < krzie> rebuild them FROM THE START following the howto 17:30 < Ziber> I follow openvpn.net/howto 17:30 < Ziber> *followed. copied the files I needed, etc.
17:30 < krzie> evidently you did something wrong
17:32 < krzie> ild be more specific if i could, but theres no way for me to know what you did wrong making the certs
17:32 < Ziber> well, i follow ./build-keys, etc, and that table, telling me what the clients needed, etc
17:33 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
17:33 < krzie> try again
17:33 < krzie> or dont, doesnt change my day ;]
17:34 < krzie> but thats your next step
17:34 < krzie> you can also try ssl-admin or tinyca for making the certs if you cant get them right with easy-rsa
17:34 < krzie> ive used easy-rsa and ssl-admin, both work fine
17:35 < krzie> but ive seen many people mess things up
17:35 < krzie> you arent the first ;]
17:37 < Ziber> well, im starting from scratch...
17:37 < krzie> good
17:40 -!- kala [i=kala@uba.linux.ee] has joined ##openvpn
17:43 < Ziber> My first (and currently only client) is complaining that it doesnt have server.crt...
17:43 < Ziber> the howto doesnt tell you to put it there
17:43 < reiffert_> Ziber: the howto does.
17:43 < reiffert_> what howto are you referring to>
17:43 < reiffert_> ?
17:44 < Ziber> openvpn.net/howot
17:44 < Ziber> *howto
17:48 < Ziber> hm, well, i changed the crt and key in the client to the client1 file, which i had copied... still got connection refused tho
17:49 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
17:49 < Ziber> still get "unroutable control packet"
17:49 < Ziber> :(
17:50 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
17:51 < krzie> you already rebuilt your ca/server/client certs?
17:53 < Ziber> yes i did, and copied them where they needed to be.
17:53 < krzie> !logs
17:53 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
17:54 < reiffert_> Ziber: the howto explains what file to put where.
17:54 < reiffert_> Ziber: see Key Files
17:54 < reiffert_> Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:
17:57 < Ziber> yes, i did that.
17:57 < Ziber> god, copying everything from syslog is such a pita :(
17:58 < krzie> then dont copy from syslog...
17:58 < krzie> you can specify any logfile with --log
17:58 * Ziber blinks
17:59 < krzie> or you can run it in the foreground and copy/paste from the terminal ;]
18:02 < Bushmills> or pipe it to pastebinit :)
18:03 < Ziber> krzie: http://www.ziber.org/openvpn.log <-- alpha
18:03 < Ziber> http://www.ziber.org/bravo-openvpn.log <-- bravo
18:04 < Bushmills> http://forthfreak.net/snap/1260921848532228923.png :)
18:05 < ecrist> I hope it's a full log this time...
18:05 < Ziber> ecrist: go look.
18:08 < ecrist> http://www.go2linux.org/troubleshooting-openvpn
18:08 < vpnHelper> Title: TLS Error: Unroutable control packet received and Connection refused (code=111) | Linux Operating System - Debian, Ubuntu, Fedora, Gentoo, Arch (at www.go2linux.org)
18:08 < ecrist> appears you need to synchronize the time on the servers.
18:08 < ecrist> apparently they're too far apart
18:08 < Ziber> Yes, I saw that, and they are.
18:08 < reiffert_> Tue Dec 15 19:00:07 2009 us=752077 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
18:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
18:10 < Ziber> Alright, is that tls-auth?
18:11 < Ziber> or ns-cert-type?
18:11 < reiffert_> it is. have a look at the example config given in the howto.
18:12 < ecrist> reiffert_: that's just a warning
18:18 < krzie> hehe both configs are named server.conf
18:18 < Ziber> bbiab
18:18 < krzie> not a problem, but funny to me
18:22 < krzie> ziber, lemme see your configs now
18:22 < krzie> both show client disabled and pull disabled
18:22 < krzie> so you didnt make the changes i told you to yesterday
18:28 < krzie> heres what you had:
18:28 < krzie> http://zpaste.org/5079
18:28 < krzie> heres what i gave you:
18:28 < krzie> http://zpaste.org/5080
18:29 < krzie> you have no route to your vpn because your client doesnt know its a client so wont pull options from the server
18:43 < ecrist> back for a few
18:46 < krzie> weeee
18:46 < krzie> hows the kid?
18:48 < Ziber> alright, i enabled client on the client. now it shows client and pull are enabled.
18:48 < krzie> zibpost your configs with no comments
18:48 < krzie> i dunno what else i told you to do you didnt do
18:48 -!- master_o1_master [n=master_o@p549D752A.dip.t-dialin.net] has joined ##openvpn
18:48 < ecrist> sleeping, now.
18:50 < Ziber> alpha: http://zpaste.org/5215
18:50 < Ziber> http://zpaste.org/5216 <-- bravo
18:51 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
18:59 < krzie> remove the ifconfig from client
18:59 < Ziber> alright...
18:59 < krzie> remove topology command from client
18:59 -!- master_of_master [i=master_o@p549D76CF.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:59 < krzie> then give it another try
19:00 < Ziber> once i removed the ifconfig line, it doesnt make the interface or get an IP
19:00 < krzie> heh
19:00 < krzie> wrong, it is a client and the server uses --server
19:00 < krzie> go read the manual for --server
19:00 < krzie> see what it does
19:00 < krzie> in fact read the manual for every option you use in all configs
19:00 < krzie> to understand what you're doing =]
19:00 < Ziber> ...
19:01 < Ziber> You cant say wrong, when I just commented out the "ifconfig" line, and restarted it, and the interface was gone.
19:02 < krzie> change dev tun0 to dev tun
19:02 < krzie> you are specifying it like a static device but evidently it isnt one
19:03 < Ziber> hm, well, the tun interface still doesnt show up on bravo
19:08 < krzie> show me the new config exactly as you are currently using it
19:09 < Ziber> on both?
19:10 < Ziber> alpha: http://zpaste.org/5217
19:10 < Ziber> bravo: http://zpaste.org/5218
19:12 < krzie> you can remove tls-server and tls-client
19:13 < krzie> (as youd know if you read on --server like i said ;] )
19:13 < krzie> add nobind to client config
19:13 < krzie> then start the client and show me the log
19:15 < Ziber> http://zpaste.org/5219
19:16 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn
19:31 < Ziber> krzie: ?
19:55 -!- Plouj [n=Plouj@69-196-131-204.dsl.teksavvy.com] has joined ##openvpn
19:55 < Plouj> hi
19:56 < Plouj> does anyone know where I'm supposed to put client certificates in F12 to avoid selinux denials preventing openvpn (called by networkmanager) from accessing them?
19:57 < krzie> Plouj i think reiffert_ can help with that
19:58 < krzie> i have never used selinux and im very against network manager
19:58 < krzie> Ziber that is very much NOT a complete log
19:58 < Ziber> its a complete log from when it started to the error.
19:59 < Plouj> krzie: thanks
19:59 < krzie> not with verb 6 its not
19:59 < Plouj> reiffert_: ping I need help figuring out how to go around selinux while connecting through openvpn with networkmanager
19:59 < krzie> i HAVE seen a selinux option in the 2.1 manual tho
20:00 < krzie> but im not a linux guy, i use fbsd and osx
20:00 < Ziber> http://www.ziber.org/bravo-openvpn.log
20:08 < reiffert_> Plouj: pong, no idea.
20:08 -!- reiffert_ is now known as reiffert
20:11 < reiffert> guess you uninstall the selinux extensions on your computer?
20:11 < reiffert> gonna need to
20:12 < krzie> or you play with --selinux
20:13 < krzie> hrm, whered i see that
20:13 < krzie> err --setcon
20:13 < krzie> --setcon context
20:13 < krzie> Apply SELinux context after initialization.
20:13 < Plouj> yeah, I could try disabling it
20:19 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn
20:25 -!- Zordrak_ [n=jaz@unaffiliated/zordrak] has quit [Read error: 145 (Connection timed out)]
20:27 < krzie> ziber it is not complaining that it has no tun device...
20:27 < krzie> it is complaining about your cert
20:27 < krzie> try not using _ in your common-name
20:28 < krzie> lemme find a list of invalid chars
20:28 < krzie> im not sure bout underscore
20:31 < Ziber> Common name... I think i put Ziber.org...
20:32 < krzie> CN=Liber_CA
20:32 < krzie> but lemme check first
20:45 < reiffert> that would be a great improvement for openvpn ...
20:45 < reiffert> working error messages.
20:45 < Ziber> thatd be nice, wouldnt it?
20:47 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:57 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
21:00 < krzie> bleh i cant find the valid chars in a CN
21:00 < krzie> i KNOW ive seen it tho
21:00 < krzie> !factoids search valid
21:01 < vpnHelper> krzie: No keys matched that query.
21:08 < krzie> but ya
21:08 < krzie> either way the problem is still with your certs
21:09 < krzie> so even tho i cant find which are valid, give it a shot with only alphanumeric
21:09 < krzie> (regenerating all certs with only alphanumeric common-names
21:09 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
21:24 < reiffert> !factoids search --values valid
21:24 < vpnHelper> reiffert: No keys matched that query.
22:11 -!- fbdystang [n=fbdystan@c-24-2-104-186.hsd1.ut.comcast.net] has joined ##openvpn
22:14 < fbdystang> I am having issues with karmic and a pptp vpn. Any advice is appreciated
22:19 < Bushmills> get rid of what gives you issues
22:21 < fbdystang> ohhh, yeaaaa, all this time and i just had to get rid of the issues :)
22:23 < Bushmills> you have identified it clearly: " I am having issues with karmic and a pptp vpn"
22:25 < fbdystang> hehe, ok I have read a lot of docs and cannot get my pptp vpn to get to my work computer. I have set it up in network connections, but it keeps saying that it was last used: "never", they should just have a connect button. please advise
22:30 < Bushmills> factoids search pptp
22:30 < Bushmills> !factoids search pptp
22:30 < vpnHelper> Bushmills: No keys matched that query.
22:30 < Bushmills> !notopenvpn
22:30 < vpnHelper> Bushmills: "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
22:47 -!- fbdystang [n=fbdystan@c-24-2-104-186.hsd1.ut.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
22:53 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)]
23:05 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:07 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:07 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:08 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, optiz0r, grub_booter, bvierra, fkr
23:11 -!- Netsplit over, joins: grub_booter, bvierra, krzie, optiz0r, Optic, fkr
23:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, optiz0r, grub_booter, bvierra, fkr
23:12 -!- Netsplit over, joins: grub_booter, bvierra, krzie, optiz0r, Optic, fkr
23:16 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
23:16 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
23:16 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
23:16 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn
23:16 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn
23:16 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn
23:16 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
23:16 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
23:16 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn
23:16 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
23:16 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
23:16 -!- sdh [n=steve@steve.st] has joined ##openvpn
23:16 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
23:16 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn
23:21 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:28 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
23:28 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
23:28 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
23:28 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn
23:28 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn
23:28 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn
23:28 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn
23:28 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
23:28 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn
23:28 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
23:28 -!- kexman [i=kexman@unaffiliated/kexman] has joined ##openvpn
23:28 -!- sdh [n=steve@steve.st] has joined ##openvpn
23:28 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn
23:28 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn
23:30 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:30 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
23:34 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:35 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, optiz0r, grub_booter, bvierra, fkr
23:37 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
23:38 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn
23:38 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
23:38 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
23:38 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn
23:38 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
23:38 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
23:43 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:43 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
23:52 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:55 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
23:55 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, grub_booter, bvierra, optiz0r, fkr, Optic
23:56 -!- Netsplit over, joins: grub_booter, bvierra, krzie, optiz0r, Optic, fkr
23:57 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
23:59 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
23:59 -!- dextor[work] [i=dextor[w@115.240.88.82] has joined ##openvpn
--- Day changed Wed Dec 16 2009
00:02 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, kexman, sauce_, sdh, Zeit|awy, (+4 more, use /NETSPLIT to show all of them)
00:02 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+4 more)
00:03 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, grub_booter, bvierra, optiz0r, fkr, Optic
00:03 -!- Netsplit over, joins: grub_booter, bvierra, krzie, optiz0r, Optic, fkr
00:58 -!- dextor[work] [i=dextor[w@115.240.88.82] has quit [Read error: 131 (Connection reset by peer)]
01:02 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
01:12 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Remote closed the connection]
01:23 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn
01:24 < grub_booter> hmm - finally have time to look into the http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing suggestion i was given last night - now, it mentions server.conf but what i have is a client config - and in fact, the client config is set up to point to a localhost ssh tunnel on port 5000 back to the server which i need to establish before i start the openvpn
01:24 < vpnHelper> Title: OpenVPN/Routing - Secure Computing Wiki (at www.secure-computing.net)
01:33 < grub_booter> basically, my config is this - my client side lan is 192.168.1.0 and the company's lan is 172.31.1.0 - the client running openvpn binds its port 5000 to the servers port 5000 and my openvpn conf stipulates remote 127.0.0.1
01:34 < grub_booter> if i try to run two instances of this set up, traffic isn't routed correctly
01:48 < grub_booter> i don't know much about this stuff, but i *think* what's happening is this - the openvpn server is running on the lan (as in, not on a publicly accessible server - hence, the ssh -L set up provides the tunnel between the publicly accessible server and the internal node which is running the server) - i have no idea if this is normal or even relevant to what i want to do
01:48 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Connection timed out]
01:52 < krzee> grub_booter, you should be able to use the --socks stuff for that
01:52 < krzee> a ssh proxy is really a localhost socks proxy =]
01:52 < krzee> but you should have an openvpn server somewhere on the other side...
01:52 < krzee> otherwise an openvpn client cant help you
01:53 < krzee> but personally ild be more likely to setup ssh inside openvpn than openvpn inside ssh
01:54 < grub_booter> well, i'm guessing there is an openvpn server on the other side :-) - but afaict, it's on a non-publicly accessible 172.31.1.x node
01:55 < krzee> ok so whats your goal
01:55 < krzee> i dont remember
01:55 < krzee> and why are you guessing there is one on the other side, the admin gave you keys and a config?
01:55 < grub_booter> basically, i want to establish the openvpn on a fixed machine within the 192.168.1.x lan and then route all traffic to 172.31.1.x through that from all nodes in the 192.168.1.x lan
01:56 < krzee> you have an openvpn server setup in the 172.31.1.x?
01:56 < grub_booter> yup - got keys and config and told to ssh -L5000:oof:5000 foo prior to running openvpn
01:56 < grub_booter> yes
01:56 < krzee> ok so post server config
01:56 < krzee> err you dont have
01:57 < krzee> post client config
01:57 < grub_booter> i have no idea what that is :-)
01:57 < krzee> the config you were given
01:57 < krzee> !pastebin
01:57 < vpnHelper> krzee: "pastebin" is (#1) please paste anything with more than 5 lines into pastebin or a similar website, or (#2) ie: www.pastebin.ca
01:57 < grub_booter> ah - ok
01:58 < grub_booter> http://www.pastebin.org/65502
01:59 < krzee> oh god
01:59 < krzee> you in unix
01:59 < krzee> ?
01:59 < grub_booter> oh yeah :-)
01:59 < krzee> !configs
01:59 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
02:00 < krzee> do that grep command
02:00 < grub_booter> np
02:01 < grub_booter> http://www.pastebin.org/65503
02:01 < krzee> umm
02:01 < krzee> that tunnel is going to be terrible
02:01 < krzee> beat up your admin
02:01 < grub_booter> :-)
02:02 < krzee> you know the lan ip of the server?
02:02 < grub_booter> yes
02:02 < krzee> oh wait
02:03 < krzee> that doesnt even matter if your admin wont do something for you
02:03 < krzee> does he want your lan connecting?
02:04 < krzee> if he doesnt add a route and iroute to your lan, nothing you can do
02:04 < krzee> he wont have a route back to you
02:04 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
02:05 < krzee> bte tell him he is triple stacking tcp on top of itself and he needs to read this
02:05 < krzee> !tcp
02:05 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:05 < krzee> s/bte/btw/
02:06 < grub_booter> hmm - well, i certainly don't want my lan accessible to them or all of their clients (at least, not directly - they should be able to connect to the machine running the openvpn client though)
02:06 < krzee> what i mean is this:
02:06 < krzee> unless he will add 2 entries in openvpn specifically to allow your lan, it wont work
02:07 < krzee> whether they can access you back is up to your firewall
02:07 < grub_booter> ok - tbh, that's what i thought
02:07 -!- hyper_ch [n=hyper@157-206.1-85.cust.bluewin.ch] has joined ##openvpn
02:07 < krzee> hrm maybe there is a way tho
02:07 < grub_booter> but it should be possible for them to issue me with another couple of certs?
02:07 < krzee> you could nat your lan's traffic to that address
02:08 < krzee> that would work =]
02:08 < krzee> however
02:08 < krzee> his setup is TERRIBLE
02:08 < grub_booter> :-)
02:08 < krzee> you cant run tcp over tcp over tcp
02:08 < krzee> you cant even run tcp over tcp
02:09 < krzee> the doc i linked you to is only about tcp over tcp
02:09 < krzee> and it clearly explains why its so bad, that link is from the openvpn manual
02:09 < krzee> under --tcp
02:09 < grub_booter> when you said 'that would work' did you mean the nat or the second cert?
02:09 < krzee> err --proto rather
02:09 < krzee> the NAT
02:09 < krzee> if you know your networking and whatnot
02:10 < grub_booter> hmm - rusty - but route add kinda stuff?
02:10 < krzee> you know what nat is?
02:10 < grub_booter> yup
02:10 < krzee> how is it normally used?
02:11 < grub_booter> well, last time i used it was prior to the linux switch over to the iptables stuff :-)
02:11 < grub_booter> ... going back many, many years now
02:12 < grub_booter> that's the right one isn't it, or am i completely off base?
02:12 < krzee> i wouldnt know, you didnt say anything about what it does
02:13 < krzee> but you should prolly get more certs =]
02:13 < grub_booter> i think so :-)
02:13 < grub_booter> would probably save a lot of faffing about
02:13 < krzee> a couple days less learning quite possibly
02:13 < krzee> wont make the setup stop sucking tho ;]
02:14 < grub_booter> :-) - and a lot less fragile
02:15 < grub_booter> anyway, according to the man page: iptables - administration tool for IPv4 packet filtering and NAT
02:15 < krzee> yup
02:15 < grub_booter> basically, you can set up a bunch of rules there
02:15 < krzee> it is network address translation
02:15 < krzee> like those lil linksys routers do
02:15 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:15 < krzee> makes your lan act as 1 ip when it passes through basically
02:16 < grub_booter> oh - you were asking for the meaning? sorry - misunderstood the question
02:16 < krzee> i asked how its normally used
02:16 < krzee> its normally used to let a lan share a single ip to access the internet
02:17 < krzee> however you could apply the same principle to make your lan able to access the other lan over the vpn tunnel
02:17 < krzee> but i think it would require some changes to the style of the config
02:17 < grub_booter> yup - my linksys router uses nat for sure
02:18 < grub_booter> and back in the day (before i had a router) i had a dedicated gateway which i manually configured to do the same
02:18 < krzee> basically changing remote to the lan ip of the server (which you are likely ssh'ing into) and using --socks stuff
02:19 < grub_booter> (but that was like 10 years ago :-) - the only time i've used nat since then was to set up a second subnet)
02:19 < krzee> well thats how ild do that setup
02:19 < grub_booter> actually, more like 12 i guess (jeez, time flies :-))
02:19 < krzee> ya, it does
02:20 < krzee> i could be wrong about needing those config changes
02:20 < krzee> could be as easy as adding route "lan_subnet netmask"
02:22 -!- sporedi [n=chatzill@121.247.65.116] has joined ##openvpn
02:22 < sporedi> hi i am new to ssl vpn and we just setup a ssl vpn for remote users can some one please tell me how do i explore to functionality /how to get more of ssl vpn
02:26 < krzee> whats your goal?
02:26 < grub_booter> krzee: cheers anyway - i don't know the admin involved, but i've asked one of the guys in the office to hunt him down and hopefully we can resolve this one way or another :-)
02:27 < sporedi> remote desktop and access office server/services
02:27 < sporedi> where i can find more dtls on ssl vpn (remote access )
02:27 < krzee> sporedi, what types of services in terms of network layer? layer2 (mac address) or layer3 (ip address)?
02:27 < krzee> remote desktop is ip
02:27 < sporedi> bridge
02:28 < sporedi> layer 2 ?
02:28 < krzee> why bridge?
02:28 < krzee> normally people should not bridge unless there is a specific layer2 protocol they need
02:28 -!- int_ is now known as int
02:28 < sporedi> because its utm and recommended to connect at bridge mode
02:28 < krzee> thats why im asking this, so i can know what to tell you
02:28 < krzee> utm?
02:28 < sporedi> unified threat management
02:28 < krzee> whats that mean...
02:29 < krzee> sounds like some corporate term that means nothing =/
02:29 < sporedi> if i use layer 3 then i have to open a port and configure nat ?
02:29 < krzee> no, either way you do
02:29 < krzee> there must be an openvpn server connected to before anything
02:30 < krzee> the tunnel happens over ip no matter what, we're talking about the inside
02:30 < krzee> please just answer my questions
02:30 < sporedi> http://en.wikipedia.org/wiki/Unified_threat_management
02:30 < vpnHelper> Title: Unified threat management - Wikipedia, the free encyclopedia (at en.wikipedia.org)
02:30 < krzee> the services you run that they need to connect to, are they layer 2 or layer3?
02:31 < sporedi> yes
02:31 < krzee> yes what
02:31 < sporedi> it can be configured at layer 2 as well as layer 3
02:32 < krzee> lol
02:32 < sporedi> i also want layer 3 (nat) mode some application not working with that
02:32 < krzee> ok here
02:32 < sporedi> but layer 2 works fine
02:32 < krzee> ill just give you stuff to read
02:32 < sporedi> ok
02:32 < krzee> here is how to connect any number of lans together using openvpn in layer3 tun mode
02:32 < krzee> !route
02:32 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:33 < krzee> here is how to have a client direct all internet traffic through the vpn
02:33 < krzee> !redirect
02:33 < vpnHelper> krzee: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
02:33 < krzee> (those were in the topic)
02:33 < krzee> here is the manual
02:33 < krzee> !man
02:33 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
02:33 < krzee> here is the howto
02:33 < krzee> !howto
02:33 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
02:33 < krzee> you probably do NOT want a bridge
02:33 < krzee> !tunortap
02:33 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
02:33 < vpnHelper> krzee: against you over the vpn
02:33 < sporedi> ok
02:34 < sporedi> thanks
02:34 < krzee> yw
02:34 < krzee> good luck
02:34 < sporedi> ok, 1 more question
02:34 < krzee> why? you never actually answered mine
02:34 -!- hyper__ch [n=hyper@157-206.1-85.cust.bluewin.ch] has joined ##openvpn
02:34 < krzee> lol
02:34 -!- hyper_ch [n=hyper@157-206.1-85.cust.bluewin.ch] has quit [Nick collision from services.]
02:34 -!- hyper__ch is now known as hyper_ch
02:35 < sporedi> if i dont know which ports are being use how to i all port at router when i use layer 3
02:35 < krzee> you dont understand
02:35 < krzee> this creates a tunnel
02:35 < sporedi> ok
02:35 < krzee> the router and firewall dont see anything going over the vpn
02:35 < krzee> only the outside itself
02:35 < sporedi> over 443 port ?
02:35 < krzee> the encrypted part
02:35 < krzee> should be over a udp port
02:35 < krzee> !tcp
02:35 < vpnHelper> krzee: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html
02:36 < krzee> have you read ANYTHING about openvpn?
02:36 < krzee> or vpns in general?
02:36 < sporedi> something
02:36 < krzee> maybe thats why the confusion
02:36 < krzee> i thought you knew what vpns were and whatnot
02:36 < sporedi> can u pls give me some links for basic understanding
02:36 < krzee> lemme find you an easier doc to start with
02:37 < sporedi> please
02:37 < krzee> !factoids search vpn
02:37 < vpnHelper> krzee: 'vpn', 'notopenvpn', and 'notovpn'
02:37 < krzee> !vpn
02:37 < vpnHelper> krzee: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal
02:37 < krzee> sorry bout that
02:38 < krzee> openvpn2009, that redirect for the faq is not working
02:38 < krzee> the redirect works, #topics dont
02:39 < krzee> sporedi, see this:
02:39 < krzee> What is the principle behind OpenVPN tunnels?
02:39 < sporedi> ok
02:53 -!- sporedi [n=chatzill@121.247.65.116] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102152451]"]
03:05 -!- fsvend [i=c312ccc8@gateway/web/freenode/session] has joined ##openvpn
03:06 < fsvend> Hi everyone! I'm writing a tun/tap application and have problems when writing a a tun device.. read works flawlessly. I've opened the descriptor with O_RDWR. Little help?
03:09 < fsvend> s/a a/to a
03:38 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
03:50 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn
03:51 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit ["The Lord of Murder Shall Perish."]
04:45 -!- dazo_afk is now known as dazo
05:30 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:35 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
05:45 -!- cyrilb` [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn
05:45 -!- cyrilb` [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has quit [Remote closed the connection]
05:45 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has quit ["ERC Version 5.3 (IRC client for Emacs)"]
05:46 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has joined ##openvpn
05:51 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
06:23 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 60 (Operation timed out)]
06:26 -!- plundra [i=404@article.se] has joined ##openvpn
06:27 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
06:32 -!- gleblanc [n=chatzill@173-81-17-224-pkbg.atw.dyn.suddenlink.net] has quit [Remote closed the connection]
06:33 -!- fsvend [i=c312ccc8@gateway/web/freenode/x-ubwheybzledbesos] has quit [Ping timeout: 180 seconds]
06:36 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
06:37 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:44 -!- fsvend [i=c28a2736@gateway/web/freenode/x-yidfgctetnyymxuk] has joined ##openvpn
06:47 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
06:58 < ecrist> fsvend: most of us in here are not developers
06:59 < Ziber> ecrist: would you mind continuing helping me from yesterday?
07:02 < ecrist> sure. did you fix your configs
07:03 < Ziber> define fix.
07:04 < Ziber> Alpha: http://zpaste.org/5286
07:04 < Ziber> bravo: http://zpaste.org/5287
07:05 < fsvend> ecrist: ok.. what channel do you recommend I should ask on?
07:06 < fsvend> ecrist: i asked here since openvpn uses tun/tap
07:06 < ecrist> fsvend: nothing wrong with asking here, just letting you know you're probably not going to find your answer here. I don't know which channel you could ask on. Perhaps try the openvpn developer list
07:08 < fsvend> ecrist: ok. mailinglist?
07:08 < ecrist> yes
07:08 < ecrist> Ziber: those configs seem OK at a glance, what's your issue?
07:09 < Ziber> ecrist: bravo doesnt make an interface for the vpn...
07:09 < Ziber> nor gets an ip
07:10 < ecrist> Ziber: you don't have a protocol set in either config
07:10 < ecrist> proto udp or proto tcp
07:13 < Ziber> added proto udp to both
07:14 < ecrist> any change in your issue?
07:15 < Ziber> nope. still no interface on bravo
07:15 < ecrist> can you post the log from bravo?
07:16 < Ziber> http://www.ziber.org/bravo-openvpn.log
07:17 -!- cyrilb [n=user@lns-bzn-51f-81-56-146-162.adsl.proxad.net] has left ##openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
07:18 < ecrist> Ziber: do you still have the ifconfig line in your bravo config (I don't see it in your zpaste, but it seems you do based on the logs)
07:19 * Ziber checks
07:19 < Ziber> oh, hm, removed it, same thing tho. log again?
07:19 < ecrist> if you're going to post your configs, post the whole thing, please
07:20 < ecrist> you're making it difficult to help you
07:20 < ecrist> post your full config from bravo (including the command you're typing) and logs from bravo, please
07:21 < Ziber> i did...
07:21 < ecrist> the error at this point appears to be with your ssl certificates
07:22 < Ziber> ssl?
07:22 < Ziber> i thought that wasnt required?
07:22 < ecrist> you didn't, your logs are telling me that you're using ifconfig in your config file or on the command line, that wasn't demonstrated in the paste, above. 07:22 < ecrist> Ziber: you have ssl certificates in your config 07:22 < ecrist> if you have them there, it's going to look for them 07:23 < Ziber> i re-enabled it after i pasted the config, just to randomly try it. 07:23 < Ziber> which one is the ssl? 07:23 < ecrist> lines 9 through 11 07:24 < Ziber> ca, cert, key? 07:24 < ecrist> yep 07:25 < Ziber> alright, well, according to openvpn.net/howto, i copied the files like i needed to 07:26 < ecrist> so you're using valid certificates? 07:26 -!- kexman [i=kexman@unaffiliated/kexman] has left ##openvpn [] 07:27 < Ziber> well, i made them exactly how the howto said to... 07:27 < ecrist> ok, the logs indicate there is a problem with them on bravo. either the files are in the wrong format, or something 07:28 -!- ruied [n=ruied@89.214.238.100] has joined ##openvpn 07:29 < Ziber> :/ 07:30 < Ziber> and brb. 07:30 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 07:31 -!- ruied [n=ruied@89.214.238.100] has left ##openvpn [] 07:32 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 07:33 < Ziber> back 07:34 < Ziber> well, what do u suggest? 07:34 < ecrist> fix your certificates 07:34 < Ziber> redo them all? 07:35 < ecrist> the client ones, I assume the server ones are ok 07:36 < Ziber> should the client ones be client1.crt,key? 07:36 < ecrist> yes 07:36 < Ziber> k 07:37 < Ziber> and ca should be ca.crt for both server and client? 
07:38 < Ziber> bbl :( 07:38 < ecrist> you can name them whatever you want 07:46 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 07:49 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: kala, rlarson``, sno, noooon, openvpn2009, Rienzilla, cpm, master_o1_master, coil_, corretico_, (+3 more, use /NETSPLIT to show all of them) 07:49 -!- coil [i=stfu@unaffiliated/coil] has quit [Killed by sagan.freenode.net (Nick collision)] 07:50 -!- Netsplit over, joins: cpm, rbd, master_o1_master, kala, magic_1 07:50 -!- coil [i=stfu@unaffiliated/coil] has joined ##openvpn 07:50 -!- Netsplit over, joins: rlarson``, Rienzilla, corretico_, openvpn2009, noooon, dmarkey_, sno, coil_ 07:50 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)] 07:51 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host] 07:56 < reiffert> ecrist: Ziber didnt follow the howto from the beginning, did he? 07:57 < ecrist> doesn't look like it, no 07:58 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:04 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Success] 08:10 -!- robotti^ [i=robotti@kapsi.fi] has quit [Read error: 145 (Connection timed out)] 08:20 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 08:28 -!- dazo is now known as dazo_afk 08:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:39 -!- robotti^ [i=robotti@217.30.184.161] has joined ##openvpn 08:52 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 08:58 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, (+3 more, use /NETSPLIT to show all of them) 09:01 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, optiz0r, grub_booter, bvierra, fkr 09:01 -!- dazo_afk is now known as dazo 09:07 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, 
Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+3 more) 09:08 -!- fsvend [i=c28a2736@gateway/web/freenode/x-yidfgctetnyymxuk] has quit ["Page closed"] 09:08 -!- Plouj [n=Plouj@69-196-131-204.dsl.teksavvy.com] has left ##openvpn [] 09:08 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn 09:08 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 09:08 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn 09:08 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn 09:08 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn 09:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Connection timed out] 09:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 09:31 -!- optiz0r [n=optiz0r@nat.sihnon.net] has joined ##openvpn 09:37 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, crazygir, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, (+3 more, use /NETSPLIT to show all of them) 09:39 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, grub_booter, bvierra, fkr 09:45 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+2 more) 09:45 -!- Netsplit over, joins: grub_booter, bvierra, krzie, Optic, fkr 09:51 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: theDoc, pa 09:52 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^, corretico__ 09:54 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Zordrak, krphop, redfox, oc80, yoshx 09:55 -!- Netsplit over, joins: corretico__ 09:56 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 09:59 -!- theDoc [n=hex@cataclysm.edgewire.sg] has quit [Killed by douglas.freenode.net (Nick collision)] 09:59 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 09:59 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 09:59 -!- robotti^_ [n=robotti@kapsi.fi] has joined ##openvpn 
09:59 -!- robotti^ [i=robotti@217.30.184.161] has joined ##openvpn 09:59 -!- robotti^ [i=robotti@217.30.184.161] has quit [Read error: 131 (Connection reset by peer)] 10:00 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 10:00 -!- oc80 [i=oc80z@blea.ch] has joined ##openvpn 10:00 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn 10:00 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 10:00 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 10:00 -!- Zordrak [n=jaz@unaffiliated/zordrak] has quit [Remote closed the connection] 10:00 -!- oc80 [i=oc80z@blea.ch] has quit [Success] 10:00 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Success] 10:01 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 10:05 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn 10:06 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn 10:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, grub_booter, bvierra, fkr, Optic 10:11 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa 10:12 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^_ 10:15 -!- Netsplit over, joins: robotti^_ 10:15 -!- Netsplit over, joins: grub_booter, bvierra, krzie, Optic, fkr 10:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 10:16 -!- robotti^_ [n=robotti@kapsi.fi] has quit [Remote closed the connection] 10:16 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 10:16 -!- hyper_ch [n=hyper@157-206.1-85.cust.bluewin.ch] has quit [Remote closed the connection] 10:18 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 10:18 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: krzie, Optic, r0fl, CaBa, rwp, Lyndon_, jhp, grub_booter, bvierra, sauce_, (+7 more, use /NETSPLIT to show all of them) 10:18 -!- Netsplit over, joins: grub_booter, bvierra, krzie, Optic, fkr 10:23 -!- vpnHelper 
[i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 10:23 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 10:23 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 10:23 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 10:23 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 10:23 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 10:23 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 10:23 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 10:23 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 10:23 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 10:23 -!- sdh [n=steve@steve.st] has joined ##openvpn 10:23 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 10:25 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 10:26 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 10:26 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 10:26 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 10:33 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^ 10:39 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 10:39 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:39 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 131 (Connection reset by peer)] 10:40 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:43 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: crazygir, krphop, redfox, yoshx 10:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 10:46 -!- crazygir [n=jason@unaffiliated/crazygir] has joined ##openvpn 10:46 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] 
has joined ##openvpn 10:46 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 10:46 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 10:47 -!- crazygir [n=jason@unaffiliated/crazygir] has quit [Connection reset by peer] 10:47 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [SendQ exceeded] 10:47 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [SendQ exceeded] 10:47 -!- krphop_ [n=krphop@38.108.177.113] has joined ##openvpn 10:48 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 10:48 -!- krphop_ is now known as krphop 10:50 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, vpnHelper, (+2 more, use /NETSPLIT to show all of them) 10:54 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn 10:56 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn 10:56 -!- Netsplit over, joins: vpnHelper, reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp (+2 more) 10:59 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has joined ##openvpn 11:03 -!- tiav [n=tiav@mx.fr.smartjog.net] has joined ##openvpn 11:04 -!- hyper__ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn 11:04 -!- hyper_ch [n=hyper@adsl-89-217-219-172.adslplus.ch] has quit [Nick collision from services.] 
11:04 -!- hyper__ch is now known as hyper_ch 11:07 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, vpnHelper, (+2 more, use /NETSPLIT to show all of them) 11:09 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa 11:09 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 11:09 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 11:09 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: robotti^, KaiForce, yoshx 11:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn 11:14 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 11:14 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 11:14 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 11:14 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 11:14 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 11:14 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 11:14 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 11:14 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 11:14 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 11:14 -!- sdh [n=steve@steve.st] has joined ##openvpn 11:14 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 11:17 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 11:25 -!- Artio [n=_@port-15996.pppoe.wtnet.de] has joined ##openvpn 11:42 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 11:43 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 12:06 -!- dazo is now known as dazo_afk 12:06 -!- Intensity [i=[+ZHqpPh@unaffiliated/intensity] has quit [Remote closed the connection] 12:09 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. 
Anywhere."] 12:15 -!- Irssi: ##openvpn: Total of 88 nicks [0 ops, 0 halfops, 0 voices, 88 normal] 12:23 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 12:35 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 12:38 -!- tiav [n=tiav@mx.fr.smartjog.net] has quit [Remote closed the connection] 12:38 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 12:39 -!- optiz0r [n=optiz0r@nat.sihnon.net] has quit ["leaving"] 12:43 -!- optiz0r [n=optiz0r@95.154.254.65] has joined ##openvpn 12:47 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 13:19 -!- Han [n=han@boetes.org] has quit [Client Quit] 13:19 -!- Han [n=han@unaffiliated/han] has joined ##openvpn 13:20 -!- Han [n=han@unaffiliated/han] has quit [Client Quit] 14:00 < Ziber> What didnt I do that I should've? 14:01 < krzie> i have no context... but im gunna go with "read docs" 14:01 < krzie> heheh 14:02 < Ziber> ecrist is saying that i didnt follow the howto from the beginning.... 14:02 < krzie> hey hey i was right! 14:02 < Ziber> but i did! 14:02 < Ziber> I've been over this four times now. 14:02 < ecrist> Ziber: did you fix your certificates yet? 14:02 < krzie> did you try rebuilding your certs with only alphanumeric? 14:03 < krzie> (like i said yesterday) 14:03 < ecrist> krzie: that's still his issue 14:03 < ecrist> and he had an ifconfig in his client config 14:03 < krzie> hey ecrist, yanno the link to valid chars for cn? 14:03 < krzie> he STILL had that? 14:04 < ecrist> no, I don't. 14:04 < ecrist> yes, he did 14:04 < krzie> i not only told him that yesterday and 2 days ago, i actually gave him his configs fixed both days too 14:04 < ecrist> what's funny is that when he posted his configs, it wasn't there, but I could tell from the logs that it was there. (error) 14:05 < ecrist> oh, krzie, OT, but I'm slowly building a new mail server. 
at some point in the next week or so, I'll move things from the old server to the new one 14:05 < krzie> cool, why the change? 14:05 < ecrist> new hardware 14:05 < krzie> ahh nice 14:06 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn 14:06 < ecrist> my current core machine is a dell 1750. I have an 1850 that I'm building the new stuff on. 14:06 < ecrist> also, within the next month or so, there will be a backup mx 14:06 < krzie> 1day if i stop being so damn lazy im gunna re-do my san diego servers, and at that point ill likely move vpnHelper to your lan 14:07 < ecrist> getting control of a box on a 100mbit pipe soon. 14:07 < krzie> setting up the backup mx as a learning experience? 14:07 < krzie> very nice 14:07 < krzie> the san diego servers are on 100mbit as well 14:07 < ecrist> pretty much, yes 14:09 < ecrist> reiffert has suggested vpnHelper be put on a box we can share the ssh key to so admins can restart the bot if needed 14:09 < krzie> i have so many projects in queue and so little willingness right now to do stuff 14:09 < krzie> well when i put it on butters you and i will have access to restart 14:11 < krzie> [root@joogot ~]# crontab -l -u vpn 14:11 < krzie> @reboot screen -d -m supybot ~/vpnhelper/vpnHelper.conf 14:11 < krzie> for some reason that dont work, i guess you need an actual terminal to run screen even if detaching 14:18 < Ziber> bravo still says the CN has a _ in it, but it doesnt according to alpha. 14:19 -!- havoc [n=havoc@saturn.chaillet.net] has quit [Read error: 60 (Operation timed out)] 14:20 < krzie> heh 14:20 < krzie> its your CA that does 14:20 < krzie> i told you this yesterday 14:20 < krzie> i wish i was charging you by the hour 14:21 < Ziber> the ca.crt (which is what im using for CA) is just a long string of characters... 
14:22 < krzie> once again 14:22 -!- hacim [n=micah@debian/developer/micah] has joined ##openvpn 14:22 < krzie> REBUILD YOUR ENTIRE PKI 14:22 < ecrist> Ziber: openssl x509 -in -noout -text 14:22 < krzie> WITH ONLY ALPHANUMERIC 14:22 < ecrist> pastebin that 14:22 < krzie> the ca.crt (which is what im using for CA) is just a long string of characters... 14:22 * krzie thinks he just edited it manually instead of rebuilding 14:22 < krzie> (for his client) 14:23 < ecrist> the openssl command will reveal all. 14:23 < hacim> i've got a openvpn client that stops being able to ping the vpn server over the vpn... the client is still running and it is re-keying, but the only way to get it back is to restart the openvpn-client 14:23 < krzie> the irclogs of the last 2 days reveal plenty ;] 14:23 < krzie> hacim, you using tcp as the transport protocol? 14:23 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa 14:24 < hacim> krzie: I am using tcp 14:24 < krzie> !tcp 14:24 < hacim> ? 14:24 * krzie gets a bullseye on the first try =] 14:24 < hacim> what? 14:24 < Ziber> http://pastebin.com/fe718c12 <-- the command on alpha 14:24 < krzie> err 14:24 -!- oc80 [i=oc80z@74.63.222.147] has joined ##openvpn 14:24 < krzie> !tcp 14:24 < krzie> damn freenode splits 14:24 < hacim> krzie: what does that mean: !tcp 14:24 < krzie> my bot should be telling you something 14:25 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:25 < krzie> its a command for my bot 14:25 < krzie> there it goes! 14:25 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. 
Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 14:25 < Ziber> http://pastebin.com/f14abdd3e <-- and bravo 14:25 < ecrist> Ziber: do the same for the client certificate 14:26 < Ziber> http://pastebin.com/f29f3a139 <-- client1.crt, on bravo 14:26 < hacim> krzie: none of the other clients have that issue 14:26 < hacim> krzie: and they are all running over tcp 14:27 < hacim> krzie: and I'm not getting delays or connection aborts, i'm unable to simply ping 14:28 * Ziber points out that CN has NO SPACES ANYWHERE 14:29 < ecrist> Ziber: you're running 2.1.1 and as root, correct? 14:29 < Ziber> correct 14:31 < Ziber> i just noticed that im using "dh" on alpha, but not bravo... 14:31 < Ziber> should that be on bravo too? 14:31 < ecrist> no 14:31 < ecrist> dh is on the server only 14:31 < Ziber> k 14:31 < krzie> only on the server 14:32 < ecrist> openssl verify -CAfile 14:32 -!- Netsplit over, joins: pa 14:33 < krzie> both have the same common-name 14:33 < krzie> Jason 14:33 < krzie> thats not ok 14:33 < krzie> must be unique 14:34 < Ziber> ... 14:34 < Ziber> Oh? 14:34 < krzie> =] 14:34 < Ziber> that could be causing all these errors? 14:34 < Ziber> s/errors/problems 14:34 < krzie> absolutely 14:35 < krzie> Remember that for each client, make sure to type the appropriate Common Name when prompted, i.e. "client1", "client2", or "client3". Always use a unique common name for each client. 14:35 < krzie> (from the howto) 14:36 < krzie> the CA must also have a diff common-name than any clients or the server 14:36 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, vpnHelper, (+2 more, use /NETSPLIT to show all of them) 14:43 < Ziber> tls handshake keeps failing. wtf. 14:44 < hacim> can I run tcp and udp server at the same time? 
14:44 < ecrist> yes 14:44 < krzie> hacim certainly, different ovpn processes 14:44 < hacim> m, i was hoping to do it without needing to do more than one proc 14:45 < krzie> hacim, thats on my openvpn wishlist as well 14:45 < krzie> !wishlist 14:45 < hacim> i wanted to see if it was tcp causing my problem 14:45 < hacim> by just switching the client for a while 14:45 < krzie> damn that server my bot is on is lagged 14:45 < krzie> time to fix that 14:46 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 14:46 < krzie> !wishlist 14:46 < vpnHelper> krzie: "wishlist" is http://ovpnforum.com/viewforum.php?f=10 for the openvpn wishlist 14:47 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 14:47 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 14:47 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 14:47 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 14:47 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 14:47 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 14:47 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 14:47 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 14:47 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 14:47 -!- sdh [n=steve@steve.st] has joined ##openvpn 14:47 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 14:47 < hacim> it doesn't seem to make sense that tcp would be the reason why I lose routes 14:48 < Ziber> Hm. this is odd 14:48 < Ziber> http://zpaste.org/5310 14:49 < ecrist> hacim: routes are actually dropped from the routing table? 14:49 < ecrist> can you demonstrate that? 
14:49 -!- Artio [n=_@port-15996.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <-"] 14:49 < Ziber> thats from verifying the ca.crt and client1.crt 14:50 < hacim> ecrist: good question, i had to kill things to try udp, but now that I realized I need to switch the server, or setup another server process, I switched the client back to tcp and started it up again... so when it goes down again I'll gather the route info 14:50 < ecrist> Ziber: was client1.crt signed by ca.crt? 14:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 14:51 < Ziber> how would i make sure? 14:53 < ecrist> well, the verify you posted seems to indicate not 14:53 < Ziber> alright, how do i fix that then? 14:54 < ecrist> 14:22 < krzie> REBUILD YOUR ENTIRE PKI 14:54 < Ziber> for the record, this will be the 6th time. 14:54 < krzie> (lol) 14:55 < krzie> well if you followed the howto exactly the first time there would have only been 1 ;] 14:56 < hacim> ecrist: hm, yeah I think that probably i'm not losing routes because this still continues to happen: http://micah.riseup.net/pastes/2009-12-16T155631 which seems to be a certificate re-key process? 14:59 < krzie> did you read the link about tcp? 14:59 < krzie> you might wanna switch all clients to udp 14:59 < krzie> we got that link from the openvpn manual 15:00 < Ziber> on bravo, i have "ns-cert-type server" commented out. should it be? 15:01 < krzie> not if you make your server cert correctly 15:01 < krzie> see: 15:01 < krzie> !mitm 15:01 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 15:01 < Ziber> k 15:02 < Ziber> the interface still doesnt show up in bravo 15:02 < Ziber> ... 
15:02 < Ziber> I lied. 15:02 * Ziber blinks 15:02 < krzie> lol 15:03 < Ziber> Alright, 7 tries later and too many hours to care about. 15:04 < Ziber> Time to add the second client. 15:05 < hacim> krzie: i switched to tcp because of other failures 15:06 < hacim> krzie: in any case, i've got 75 machines all doing tcp fine...but this one 15:07 < krzie> ya according to the tcp over tcp writeup you'll get the problem once you get a tcp timeout and needs to resend 15:09 < Ziber> Well, that was easy. 15:09 < krzie> so maybe something about that clients connection causes it to be your only client seeing the problem 15:09 < krzie> but i sure did guess you were using tcp fast didnt i? ;] 15:13 * ecrist goes to play some MW2 15:24 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa 15:30 -!- gazelle [n=q@80-254-76-244.dynamic.swissvpn.net] has joined ##openvpn 15:33 -!- Netsplit over, joins: pa 15:38 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, reiffert, (+1 more, use /NETSPLIT to show all of them) 15:40 -!- KaiForce_ [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.5/20091102152451]"] 15:41 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 15:42 < Ziber> There's some special route for windows computers on VPN's, right? 15:43 < krzie> huh? 
15:46 < gazelle> http://marsanomalyresearch.com/ 15:46 < vpnHelper> Title: Mars Anomaly Research Home Page (at marsanomalyresearch.com) 15:46 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn 15:46 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn 15:46 -!- Lyndon_ [n=late@savolaiset.fi] has joined ##openvpn 15:46 -!- Zeit|awy [n=wurscht@ip-95-222-198-206.unitymediagroup.de] has joined ##openvpn 15:46 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 15:46 -!- Bushmills [n=nBushmil@verhau.de] has joined ##openvpn 15:46 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 15:46 -!- sauce_ [n=anonymou@ool-18be2518.dyn.optonline.net] has joined ##openvpn 15:46 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 15:46 -!- sdh [n=steve@steve.st] has joined ##openvpn 15:46 -!- CaBa [i=caba@unique-inter.net] has joined ##openvpn 15:46 < Ziber> On my laptop, I'm trying to add it to my VPN. I dont specify the ifconfig option on my local config... its saying that the second argument to ifconfig must be an ip, not 255.255.255.0... which is what it is on alpha. 15:47 < gazelle> the moon was too bright for hubble to take accurate photos of the moon, according to nasa. then in 1999 nasa releases moon photos 16:03 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has joined ##openvpn 16:03 < Kaatje> hi 16:04 < Kaatje> I am looking for a way to use a linux/freebsd box as a vpn BRIDGE so that the eth0 connects to my isp, then attaches to the vpn server via openvpn, i could careless and then once the tunnel is established, eth1 would act as a bridge and let me assign my static vpn address to the wan interface of my wireless router via crossover cable 16:04 < gazelle> hm that was written in the wrong channel 16:06 < Kaatje> what was in wrong channel? 
16:07 < gazelle> something i wrote before you came in O;) 16:07 -!- theDoc [n=hex@cataclysm.edgewire.sg] has quit ["Leaving"] 16:07 < Kaatje> oh ok 16:08 < Kaatje> i really need a solution for this problem 16:12 -!- hyper__ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn 16:12 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Nick collision from services.] 16:12 -!- hyper__ch is now known as hyper_ch 16:13 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: redfox, krphop, oc80 16:16 < gazelle> kaatje, its rather complicated 16:16 < gazelle> !howto 16:16 < vpnHelper> gazelle: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 16:16 < gazelle> it's all in the howto 16:17 < gazelle> i wish you luck 16:17 -!- oc80 [i=oc80z@74.63.222.147] has joined ##openvpn 16:17 -!- krphop [n=krphop@38.108.177.113] has joined ##openvpn 16:17 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 16:18 -!- oc80 [i=oc80z@74.63.222.147] has quit [Connection reset by peer] 16:18 -!- krphop [n=krphop@38.108.177.113] has quit [SendQ exceeded] 16:19 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 16:23 -!- hyper__ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn 16:23 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Nick collision from services.] 16:23 -!- hyper__ch is now known as hyper_ch 16:32 < krzie> ecrist joo here/ 16:32 < krzie> ? 16:37 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Read error: 60 (Operation timed out)] 16:43 < Kaatje> is this channel alive? 16:43 < Ziber> windows doesnt like 255.255.255.0? 16:44 < Kaatje> or is my question too complex to reply with something? 16:45 -!- lcoder [n=chatzill@200.30.137.124] has joined ##openvpn 16:45 < Ziber> krzie: because of my "push ifconfig" in alpha, my windows computer is complaining that 255.255.255.0 isnt an ip. 16:45 < krzie> push ifconfig!? 
16:45 < krzie> dude, paste your configs again
16:46 < krzie> how many times will i need to fix your configs? only god knows
16:47 < lcoder> hi, is it possible to setup site-to-site VPN with openVPN ?
16:47 < krzie> lcoder yes
16:48 < Ziber> krzie: correction, "push route"
16:48 < Ziber> wait
16:48 < Ziber> :o
16:48 < lcoder> krzie: any link so I can start diggin about it ?
16:48 < Ziber> where's my laptop getting ifconfig from?
16:48 < krzie> lcoder just 2 endpoints, right?
16:48 < krzie> 1 machine to another, nothing else?
16:49 < krzie> LOL
16:49 < lcoder> no, two networks, hq and branch office
16:49 < krzie> Ziber how many times did i tell you to read --server in the manual?
16:49 < krzie> ziber, if you dont pay attention to us there is no point to asking stuff
16:50 < krzie> lcoder ahh i gotchya, you want both lans to fully communicate with each other, right?
16:50 < lcoder> yah, I tried openswan without any luck
16:50 < krzie> ok here it goes
16:50 < krzie> read all 3 of these and understand them, you'll be rockin
16:51 < krzie> !howto
16:51 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:51 < krzie> (use that to make your keys)
16:51 < krzie> !sample
16:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
16:51 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
16:51 < krzie> (you may choose to use that to start from)
16:51 < krzie> but be sure to read all options used there in the manual
16:51 < krzie> then for the routing of both lans,
16:51 < krzie> !route
16:51 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:52 -!- yoshx_ [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Remote closed the connection]
16:52 < krzie> if you follow what i just said you'll not only have a working setup, you'll be good enough to help people in here ;]
16:52 < Kaatje> I am looking for a way to use a linux/freebsd box as a vpn BRIDGE so that the eth0 connects to my isp, then attaches to the vpn server via openvpn, and then once the tunnel is established, eth1 would act as a bridge and let me assign my static vpn address to the wan interface of my wireless router via crossover cable
16:52 < lcoder> krzie: thanks :) it seems a challenge for me !!!
16:52 < krzie> Kaatje best of luck to you with that
16:53 < Kaatje> seems like it should be a simple appliance type setup
16:53 < krzie> if you get it working maybe make a writeup about it
16:53 < krzie> !wiki
16:53 < vpnHelper> krzie: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
16:54 < krzie> that is a good place to put the writeup ;] (its where i put my openvpn routing doc)
16:55 < Kaatje> translation: openvpn is too primitive to meet your need?
16:56 < krzie> translation: i dont like bridge setups, read the docs
16:57 < krzie> if it was something i knew ild be happy to help
16:57 < krzie> so i wish you luck =]
16:57 -!- lcoder [n=chatzill@200.30.137.124] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
16:57 < krzie> it can definitely do it
16:57 < Kaatje> ok
16:57 < krzie> im just unable to help ya with it
16:57 < Kaatje> then who can help
16:57 < krzie> there is plenty of info avail
16:57 < krzie> !man
16:57 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
16:57 < krzie> !howto
16:57 < vpnHelper> krzie: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
16:57 < krzie> !bridge
16:57 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
16:57 < vpnHelper> krzie: (but not samba, see !wins)
16:57 < Kaatje> surely you are not the only writer for this
16:58 < Kaatje> been there done that. the docs are a total mess
16:58 < krzie> *shrug* thats where i learned all i know bout ovpn
16:58 < krzie> the manual is extremely good
16:59 < Kaatje> unfortunately i am on a deadline and do not have the luxury of weeks to figure this out
17:00 < krzie> ahh, well i believe the official openvpn team does paid setups
17:00 < krzie> sounds like that might be the best way for you since you have no time to read
17:00 < Kaatje> and bridging is effective for situations where routing adds an unneeded layer to the puzzle
17:00 < krzie> ild just use BGP tbh
17:03 < Kaatje> bgp would have to be supported by the vpn provider and is massive overkill for a single tunnel
17:03 < krzie> oh i thought you were saying you needed a bridge to tunnel ips from 1 location to another
17:03 < krzie> if you have a vpn provider they should give you everything you need
17:04 < Kaatje> they will provide docs to make one machine connect
17:04 < Kaatje> not for a network
17:05 < krzie> nat the lan
17:05 < krzie> just like you do with your ISP that only gives you 1 ip
17:05 < Kaatje> they want $150EUR to do the job plus two weeks
17:05 < krzie> it doesnt even need to be a bridge
17:05 < krzie> just use NAT
17:06 < Kaatje> so what, throw away my airport extreme?
17:06 < krzie> huh?
17:06 < krzie> i dont remember saying to throw anything away
17:06 < krzie> im just saying you dont need a bridge for that
17:06 < krzie> you ONLY need a bridge to use layer2 protocols over your vpn
17:07 < krzie> god i wish the official howto had that written 10 times in caps
17:07 < Kaatje> i do if i want to keep my current internal network setup as it is
17:07 < Kaatje> vpn provider -> vpn box -> router
17:08 < krzie> and...?
17:08 < Kaatje> i cannot do vpn provider -> router
17:08 < krzie> how do you figure...?
17:08 < Kaatje> because router does not terminate vpn's
17:08 < krzie> we have quite a few people here who do just that
17:09 < krzie> what type of router do you run?
17:09 < Kaatje> apple airport extreme
17:09 < krzie> ahh
17:10 < krzie> ok, but you can still do it
17:10 -!- guiss [n=guiss@host213.190-137-122.telecom.net.ar] has joined ##openvpn
17:10 < krzie> your lan would be setup to default route through the vpn machine
17:10 < guiss> hi guys. Is there any way to check the password used to encrypt the openvpn certificate created with pkitool with --pass option?
17:10 < krzie> the vpn machine would be setup to default route over the vpn
17:11 < krzie> and you would NAT the lan from the vpn machine
17:11 < krzie> nat the lan subnet to the vpn ip
17:11 < krzie> and booya :-p
17:11 < Kaatje> exactly what i am trying to do
17:11 < Kaatje> without double natting
17:12 < krzie> you're trying to do it by adding extra size to every single packet and giving your vpn provider access to your layer2
17:12 < Kaatje> im trying to do it so it is a drop-in
17:13 < krzie> your way you give your provider unchecked access to your lan
17:13 < krzie> layer2 has no security
17:13 < Kaatje> once contract is up, i unplug vpn box and change the wan ip back to the way it was before
17:14 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, reiffert, (+1 more, use /NETSPLIT to show all of them)
17:14 < Kaatje> security is at the airport
17:14 < krzie> cool well i told you my advice, its your network, gl to ya
17:14 < krzie> airport network security is a joke
17:14 < krzie> i usually am bored enough to tear them apart during layovers
17:14 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn
17:15 < krzie> except in amsterdam, those guys take security serious
17:15 < krzie> which was impressive
17:16 < Kaatje> which is funny because that is where my vpn originates
17:16 < krzie> schipol?
17:17 < Kaatje> not far from there
17:17 < krzie> cool
17:18 < Kaatje> i still fail to see why this is so complicated to do
17:18 -!- Netsplit over, joins: reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp, sdh (+1 more)
17:19 < Kaatje> i mean the wan takes isp address
17:19 < krzie> who said it was complicated
17:19 < krzie> i gave you links
17:19 < krzie> now you go read them
17:19 < krzie> or you pay someone to read for you
17:19 < Kaatje> you gave me links to read it your damn self
17:19 < krzie> huh?
17:20 < Kaatje> if i understood this shit i would not be in here asking for help
17:20 < krzie> what exactly did you expect from here?
17:20 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, reiffert, (+1 more, use /NETSPLIT to show all of them)
17:21 -!- Netsplit over, joins: reiffert, rwp, Lyndon_, Zeit|awy, r0fl, Bushmills, |Mike|, sauce_, jhp, sdh (+1 more)
17:21 < Kaatje> examples of configs
17:21 < Kaatje> like most every other help channel has
17:21 < krzie> if i knew a doc to hold your hand ild give it to you
17:21 < krzie> but instead i have docs for you to learn wtf you are doing, if thats not good enough for you sorry bout your luck
17:22 < krzie> ill give you a full refund ;]
17:22 < Kaatje> where is this mystery dev team at
17:22 < krzie> !mail
17:22 < vpnHelper> krzie: "mail" is (#1) http://sourceforge.net/mail/?group_id=48978, or (#2) http://news.gmane.org/gmane.network.openvpn.user for the openvpn-users archive
17:22 < Kaatje> so they do not associate in here
17:22 < krzie> the ## in front of our channel name means we're unofficial
17:24 < krzie> seems to me you're looking to hire someone
17:24 < krzie> cause your options are 1) learn (aka read) and 2) hire
17:24 < krzie> and you're pretty clear that learning is out of the question
17:25 < krzie> here we do support, not admin for hire
17:25 < krzie> err
17:25 < krzie> not admin for free
17:25 < krzie> im sure theres some people here that have no problem doing your job for you for hire
17:29 < krzie> sorry if im being rude, but you expect too much... when i go to a support channel and am given where to learn from i appreciate it
17:29 < krzie> thats the point of free irc support, to find where to learn
17:31 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: r0fl, CaBa, rwp, Lyndon_, jhp, sauce_, sdh, Zeit|awy, |Mike|, reiffert, (+1 more, use /NETSPLIT to show all of them)
17:31 -!- CaBa [n=caba@188.40.166.98] has joined ##openvpn
17:31 -!- reiffert [n=thomas@88.198.83.82] has joined ##openvpn
17:31 -!- Lyndon [n=late@62.142.98.18] has joined ##openvpn
17:31 -!- Netsplit over, joins: sdh
17:31 -!- Zeit|awy [n=wurscht@95.222.198.206] has joined ##openvpn
17:31 -!- r0fl [n=r0fl@95.88.194.54] has joined ##openvpn
17:31 -!- Netsplit over, joins: |Mike|, jhp
17:31 -!- Bushmills [n=nnBushmi@88.198.39.174] has joined ##openvpn
17:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
17:34 < ksnp> anyone know how much memory is required on linux to support 100 simultaneous clients is 256 MB with single core enough ?
17:35 < krzie> someone here runs a vpn service, he might be a good one to ask bout that, i forget who but it MIGHT be dazo
17:36 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
17:36 < krzie> i believe the cpu will be more important than ram due to 100 simultaneous openssl's running
17:37 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has joined ##openvpn
17:38 < ksnp> ok
17:38 < ksnp> would 1.83 GHz taking 80% CPU be enough ?
17:39 < ksnp> i'll ask someone who runs a service, but if you happen to have even a rough idea that will be helpful
17:39 < phant0m_> im having trouble accessing openvpn at all it says the pass is incorrect i ask for a new one and thats incorrect too so ?
17:41 < phant0m_> anyone know what i can do to resolve the issue??
17:41 < phant0m_> pls
17:41 < gazelle> it is true that ovpn server setup can be incredibly difficult
17:41 < gazelle> it wouldnt suffer from more simplicity but that's hoping for too much
17:42 < phant0m_> well i set it up with the defaults till i got it working
17:42 < phant0m_> but it doesnt give me any joy
17:42 < gazelle> there was another guy in here, who didnt like it either
17:42 < phant0m_> i dont dislike it i want to use it
17:43 < phant0m_> its just not very forthcoming with how tos
17:43 < gazelle> i agree
17:44 < phant0m_> something i noticed on my account is that it isnt active which is obviously a lot more to do with it than anything else i reactivate and it doesnt do anything
17:44 < gazelle> what account
17:45 < phant0m_> well i sign up at openvpn
17:45 < phant0m_> get a free key
17:45 < gazelle> the website?
17:45 < phant0m_> yes
17:45 < gazelle> what kind of free key
17:45 < gazelle> rsa public key?
17:45 < phant0m_> not sure it just told me to enter it when prompted
17:45 < gazelle> prompted to where?
17:45 < phant0m_> by the terminal after install
17:45 < gazelle> oh
17:46 < gazelle> so you got a vpn password and username and an ip address to connect to
17:46 < phant0m_> and hey presto nothing happened
17:46 < phant0m_> yes
17:46 < gazelle> do you have .ovpn config file
17:46 < phant0m_> err ill check
17:47 < phant0m_> hang on ill brb just gotta find it
17:48 < phant0m_> yes it does say config file in terminal
17:49 < phant0m_> rror opening configuration file: file
17:49 < phant0m_> Use --help for more information
17:49 < gazelle> cat *.ovpn
17:49 < gazelle> try that.
17:49 < krzie> ohh
17:49 < phant0m_> ok
17:49 < krzie> you're using access server
17:49 < krzie> as you see from the topic, we dont support that =]
17:49 < krzie> well i sign up at openvpn
17:49 < krzie> get a free key
17:49 < gazelle> it seems openvpn configuration is deliberately being made difficult so they can sell access
17:50 < krzie> the free key is a license for their pay-to-use access server
17:50 < krzie> you prolly wanted the opensource openvpn
17:50 < gazelle> OpenVPN Access Server (OpenVPN-AS) is a set of installation and configuration tools that simplify the rapid deployment of a VPN remote access solution. It is based on the popular OpenVPN open-source software, making the deployed VPN immediately compatible with OpenVPN client software across multiple user platforms
17:50 < krzie> !download
17:50 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
17:50 < phant0m_> yes open source was the idea
17:50 < gazelle> that dmnd business model
17:51 < phant0m_> dont mean to be rude but pls slow down n00b to ubuntu
17:51 -!- krphop_ is now known as krphop
17:51 < gazelle> i dont understand
17:52 < phant0m_> download the tarball i presume
17:52 < krzie> you are using a corporate version
17:52 < krzie> we only support the open source version here
17:52 < krzie> if you would like to use the opensource version:
17:52 < krzie> !download
17:52 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn
17:53 < phant0m_> http://www.openvpn.net/index.php/open-source/downloads.html this is the site i get is that the right page
17:53 < vpnHelper> Title: Downloads (at www.openvpn.net)
17:54 < krzie> yes
17:54 < gazelle> yes
17:54 < krzie> thats what the link i gave you goes to
17:54 < phant0m_> ok how do i remove the other one i was using
17:54 < phant0m_> or not as the case maybe
17:54 < krzie> dunno never used it
17:54 < krzie> prolly rm
17:54 < krzie> heh
17:55 < ecrist> krzie: I'm here now.
17:55 < phant0m_> right and how do i install the new from tarball
17:55 < krzie> ecrist its offtopic and theres people getting help so ill msg
17:55 < ecrist> k
17:57 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
17:58 -!- Kaatje [n=Kaatje@unaffiliated/kaatje] has left ##openvpn ["Later gators!"]
18:03 < phant0m_> ok i got this error when installing it configure: error: Or try ./configure --disable-lzo
18:03 -!- ghernandez [n=ghernand@12.157.107.24] has joined ##openvpn
18:03 < ghernandez> Howdy
18:03 < krzie> you dont have the lzo packages installed
18:04 < phant0m_> ok any other prerequisites
18:04 < krzie> you can either not use compression and use the configure option given to you or install lzo
18:04 < phant0m_> ok ill be back soon something needs sorting
18:04 < ghernandez> krzie: Question for you regarding bridging please.
18:05 < krzie> my normal answer is to not use bridging, but go ahead ;]
18:05 < ghernandez> Need multicast and broadcasts between two buildings.
18:06 < ghernandez> IPX and other things too, it sucks, but eh
18:06 < ghernandez> Anyways.
18:06 < ghernandez> Two machines
18:06 < ghernandez> Ive got openvpn setup
18:06 < ghernandez> I created the tap and can connect between them
18:06 < ghernandez> each machine has two nics
18:06 < krzie> dont need 2 nics
18:06 < krzie> keep going
18:07 < ghernandez> I do need two nics though, One nic on each will be directly connected to the other.
18:07 < ghernandez> We purchased these laser cannons which are layer 1 devices.
18:07 < ghernandez> For all intents and purposes, it will be like running a strand of fibre between the two buildings.
18:07 < krzie> you mean layer2?
18:08 < ghernandez> Nope.
18:08 < ghernandez> Its the same as making a cross over cable
18:08 < ghernandez> just a direct port to port connection
18:09 < ghernandez> so with that setup, I need a nic dedicated to directly connect to it
18:09 < krzie> gotchya
18:09 < ghernandez> I want to do pass through, renamed my nics to int0 and lsr0 so that I know which is which using persistent rules in udev.
18:10 < ghernandez> both boxes same hardware and configuration setup
18:10 < krzie> 1 part i dont get
18:10 < krzie> I do need two nics though, One nic on each will be directly connected to the other.
18:10 < krzie> the 2 machines will be connected to each other?
18:10 < ghernandez> directly connected together.
18:10 < krzie> like a xover
18:10 < ghernandez> correct.
18:10 < krzie> why use openvpn?
18:11 < ghernandez> krzie: even though laser is point to point and you cannot read it from the side or whatever, management has it in their heads that "it needs to be encrypted!"
18:11 < krzie> hahah
18:11 < ghernandez> because it is a wireless device
18:11 < krzie> but its inside the lan, no?
18:12 < ghernandez> No, we will be connecting two buildings one mile apart.
18:12 < krzie> i thought you said with a crossover
18:12 < ghernandez> Its the equiv.
18:12 < krzie> im missing something it seems
18:12 < ghernandez> We bought laser cannons
18:12 < ghernandez> they look like a death ray.
18:12 < ghernandez> even have a scope.
18:12 < ghernandez> They are layer one devices.
18:13 < krzie> OH
18:13 < ghernandez> If you think of a cisco switch, and you want to create an ISL between two switches, you just run a regular cat5 or fibre cable between them
18:13 < krzie> i thought you meant printers
18:13 < ghernandez> this takes the place of that.
18:13 < krzie> LOL
18:13 < ghernandez> lol
18:13 < ghernandez> No
18:13 < ghernandez> Laser death rays for transmitting data at 1gb
18:13 < krzie> thats why layer1 made no sense to me
18:13 < krzie> thats funny
18:13 < ghernandez> ah
18:14 < ghernandez> so the setup would be
18:14 < ghernandez> Internal Network -> int0 on bridge1 -> out lsr0 on bridge 1 -> to first cannon -> open air distance 1 mile -> hits second cannon -> into lsr0 on bridge 2 -> internal network
18:15 < ghernandez> I should probably create a visio.
18:15 < krzie> i get ya
18:15 < krzie> shouldnt matter that you have the layer1 device if im right...
18:16 < krzie> just follow normal bridging guides as if it were ethernet
18:16 < ghernandez> Right, Im a bit confused on the setup though is what it is.
18:16 < ghernandez> on a normal bridged openvpn setup
18:16 < krzie> i could be wrong, never worked with anything layer1 except decnet (and that was only until i figured out how to configure tcp/ip on an alphaserver in openvms (serious PITA)
18:16 < krzie> !bridge
18:16 < vpnHelper> krzie: "bridge" is (#1) http://openvpn.net/index.php/documentation/faq.html#bridge1, or (#2) http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.html, or (#3) Bridging looks like a good choice to people who don't know how to set up IP routing, but to learn routing is generally far better., or (#4) useful for anything where the protocol uses MAC addresses instead of IP addresses.
18:16 < vpnHelper> krzie: (but not samba, see !wins)
18:17 < ghernandez> Ah, the connection between the buildings does not matter other than it is a direct connection and will not be done over a router.
18:17 < ghernandez> But is the connection with the tap the same as with a vpn?
18:17 < krzie> dont believe even that matters
18:18 < ghernandez> It creates two virtual devices, a br0 and a tap0
18:18 < krzie> it IS a vpn
18:18 < ghernandez> Yes.
18:18 < krzie> yes, treat it as if it were ethernet im betting
18:18 < ghernandez> can I forward all traffic from nic 1 to the tap device?
18:18 < krzie> ild read doc #2
18:19 < ghernandez> and the tap device is the virtual nic that is running on nic 2.
18:19 < krzie> if thats what routing calls for im sure it will
18:19 < krzie> also remember to allow ipforwarding
18:19 < krzie> on both ends
18:19 < krzie> !ipforward
18:19 < vpnHelper> krzie: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
18:22 -!- guiss [n=guiss@host213.190-137-122.telecom.net.ar] has quit ["Saliendo"]
18:24 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
18:35 < phant0m_> ok so the lzo file do i put this into config in openvpn directory to
18:35 < phant0m_> enable it
18:35 < krzie> you just install lzo on your system
18:35 < phant0m_> ok
18:36 < krzie> but you dont even have to, only if you wanna use compression
18:37 < phant0m_> whats the compression good for
18:37 < phant0m_> i mean like compressing within openvpn?
18:38 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit ["The Lord of Murder Shall Perish."]
18:39 < ghernandez> krzie: http://mytenser.com/idea.JPG
18:40 < ghernandez> lol
18:40 < ghernandez> fast and crappy.
18:40 < krzie> phant0m_ if you are sending heavily uncompressed stuff it can make for less data on the wire
18:41 < phant0m_> hmmm it would be best i use compression then
18:42 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
18:42 < ghernandez> krzie: With that general setup, and the direct connection between the servers.
18:43 -!- Netsplit over, joins: jhp, |Mike|
18:43 < krzie> ghernandez, looks nice =]
18:43 < ghernandez> would it just be an entry in the iptables to forward eth0 to eth1
18:43 < ghernandez> or should I say
18:43 < ghernandez> from eth0 to tap1
18:43 < ghernandez> err
18:43 < ghernandez> eth0 to tap0
18:43 < krzie> nah man from what you've said you just need a normal bridge setup
18:44 < krzie> then use your default gateway as something on other side of bridge
18:44 < ghernandez> so with the default bridge setup, if a desktop in the left building needs to connect to a desktop in the right building (for sake of argument) there is nothing additional I need to do?
18:45 < krzie> they would be in the same layer2 domain, should just work
18:45 < ghernandez> And I dont have to do any additional iptables forwarding to get the data to pass through from one nic to another?
18:46 < krzie> shouldnt need to
18:46 < ghernandez> hm, wonder why it doesnt work.
18:46 < ghernandez> lol
18:46 < ghernandez> my lab environment is two servers with a cross over cable between them
18:46 < ghernandez> simulating the direct connection that will be achieved with the laser cannons
18:47 < ghernandez> I have everything working and encryption is working across the cable.
18:47 < ghernandez> i have a cisco 2950 and a 3550 with a clean slate on both sides attached to the servers.
18:47 < krzie> you have lans on each side of the test boxen?
18:47 < ghernandez> yup.
18:47 < krzie> and 1 cant reach other?
18:47 < ghernandez> desktop on the 2950 cant reach a desktop on the 3550
18:48 < krzie> how are you handling ip addressing?
18:48 -!- master_of_master [i=master_o@p549D75DA.dip.t-dialin.net] has joined ##openvpn
18:48 < krzie> oh they're behind routers... why?
18:48 < ghernandez> no routers
18:48 < ghernandez> cisco switches.
18:48 < krzie> oh my bad
18:48 < ghernandez> no vlans setup.
18:49 < ghernandez> no random crap put in, just clean setups.
18:49 < ghernandez> so on that drawing
18:49 < ghernandez> I have that built
18:49 < ghernandez> but its not connected to the lightpointe
18:49 < krzie> how are you handling ip addressing?
18:49 < ghernandez> its using an xover cable.
18:49 < ghernandez> continuing
18:49 < ghernandez> the cross over cable is on a dedicated network with a dedicated subnet.
18:49 < ghernandez> 1.1.1.1/255.255.255.252
18:49 < ghernandez> and 1.1.1.2/255.255.255.252
18:50 < krzie> toss them all in the same subnet
18:50 < ghernandez> Really? All of the desktops and tap need to be on the same subnet?
18:50 < Ziber> my openvpn on windows fails because it says my local endpoint is 10.0.0.3, and my remote is 255.255.255.0
18:50 < krzie> either via dhcp on 1 side or by setting a piece of the subnet aside from 1 sides setup and using ovpn to hand those out
18:51 < ghernandez> Ah, Ill try that.
18:51 < krzie> ziber, i asked you to post your configs hours ago, you didnt
18:51 < Ziber> sorry, i went to dinner
18:51 < Ziber> all of them, or just the windows one?
18:51 < krzie> np
18:52 < krzie> well you could do just 2 (server and windows) but likely you should paste them all
18:52 < krzie> so we dont have to keep going over this
18:52 < Ziber> alright.
18:52 < krzie> (assuming you make the changes i gave you this time)
18:52 < phant0m_> jesus why such complication right it says no openssl crypto headers found
18:53 < krzie> phant0m_ wow what os are you on that has no openssl?
18:53 < krzie> gentoo?
18:54 < phant0m_> ubuntu
18:54 < phant0m_> karmic
18:54 < krzie> apt-get install openvpn
18:54 < krzie> heh
18:54 < phant0m_> k
18:55 < phant0m_> right
18:55 < phant0m_> 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
18:55 < phant0m_> brb cuppa needed
18:55 < krzie> check if its installed then
18:55 < krzie> or check if it has a diff name
18:55 < Ziber> krzie: http://zpaste.org/5323 <-- all of them
18:56 < Ziber> alpha,bravo,delta works
18:56 < krzie> apt-cache search openvpn i think
18:56 < Ziber> just trying to add my windows laptop into this
18:56 < krzie> i dont really use linux
18:56 < ghernandez> Ill have to play with this tomorrow, time to go home.
18:56 < ghernandez> Thanks krzie.
18:56 < krzie> err]
18:56 < krzie> im sure theres some people here that have no problem doing your job for you for hire]
18:56 < ghernandez> either that or he can just check to see if /etc/openvpn is created krzie
18:56 < krzie> grr
18:56 < krzie> np =]
18:56 < ghernandez> or do man openvpn
18:57 < ghernandez> should auto install the pages with it.
18:57 < ghernandez> Also, Id like to do it and get the knowledge and experience. Ive never done a bridged setup with openvpn. For my clients I usually setup a routed environment.
18:58 < ghernandez> Anyways, Thanks!
18:58 -!- ghernandez [n=ghernand@12.157.107.24] has left ##openvpn ["Konversation terminated!"]
18:59 < krzie> ok time to look at those configs
18:59 < Ziber> k
18:59 < Ziber> remember, alpha->(bravo,delta) works
18:59 < Ziber> and they can all intercommunicate. just want to get my laptop to be part of this
18:59 -!- master_o1_master [n=master_o@p549D752A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
18:59 < krzie> you sure liber is using 2.1?
19:00 < krzie> you sure its reading the keyfiles (not using full paths)
19:00 < krzie> other than that the configs look good
19:00 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit []
19:00 < krzie> feel free to paste the log if you wanna
19:00 < krzie> that should tell me whatsup
19:01 < krzie> oh also, you are using different certs for liber right?
19:01 < Ziber> i made different client certs, yes.
19:01 < krzie> it says client2.crt and client2.key just like delta
19:01 < Ziber> same ca.crt, just like any of the other clients.
19:01 -!- ruied [n=ruied@bl7-209-69.dsl.telepac.pt] has joined ##openvpn
19:01 < krzie> you made 2 sets of certs with different common-name but same filename?
19:01 < phant0m_> grrr this is getting on my last nerve brb
19:02 < Ziber> krzie: o.o no
19:02 < Ziber> krzie: alpha has server.key, server.crt
19:02 < Ziber> bravo has client1.crt, client1.key
19:02 < krzie> delta and liber are both using client2.crt client2.key
19:02 < Ziber> o.o
19:02 * Ziber just realized this
19:02 < krzie> hehe
19:03 * Ziber redoes
19:03 < krzie> not likely your only problem tho, go make liber his own cert and gimme the log if it dont connect
19:03 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
19:03 < krzie> normally it would connect and knock off delta
19:03 < krzie> then delta would do the same
19:04 < krzie> rinse and repeat
19:07 < Ziber> alright, i remade the cert/key and put it on liber, and now it says that local endpoint 10.0.0.4, remote 255.255.255.0, not sure why its using that...
19:08 < Ziber> i think its taking the second parameter from alpha's "push route..."
19:08 < krzie> lemme see
19:08 < krzie> (the log)
19:08 < krzie> you're prolly just reading something wrong
19:08 -!- Netsplit over, joins: jhp, |Mike|
19:09 < krzie> also, why are you pushing that route?
19:09 < Ziber> the thing is that the only way a log gets made at all (at least anywhere that i can find), is if i run "openvpn config.ovpn" in cmd. and i cant copy from cmd
19:09 < krzie> yet again (i think the 4th time) GO READ --server IN THE MANUAL
19:09 < krzie> first of all, you can copy in windows command line
19:09 < Ziber> how?
19:09 < krzie> secondly you can use --log to make a logfile
19:10 < krzie> click top left corner, click mark
19:10 < krzie> highlight what you want, hit enter
19:10 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
19:10 < krzie> something like that, im not a windows guy
19:10 < phant0m_> wtf i installed the openssl and it still giving me the error
19:10 < krzie> !google copy paste windows cmd
19:11 < vpnHelper> krzie: Antimail : Useful copy/paste trick in CMD.EXE: ; Useful copy/paste trick in CMD.EXE: ; Windows XP Commands:
19:11 < Ziber> krzie: and i did look at server... do i put that in all the conf's? server and client?
19:12 < krzie> phant0m_ if you're having this much trouble getting it installed you are going to have more trouble than you think actually setting up a vpn
19:12 < phant0m_> im sure i will but when ive set the prerequisites up correctly i expect it to work
19:12 < krzie> Ziber, so you saw that --server pushes that route already and you dont need to push it manually?
19:13 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
19:13 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
19:13 < Ziber> well, explain to me why when i uncommented that, and commented the push, it stopped working?
19:13 < Ziber> do i put "server" in all the conf's? client/server?
19:13 < krzie> uncommented what
19:13 < Ziber> server
19:13 < krzie> as clearly described in the manual, only on the server
19:13 < krzie> you dont have server commented
19:13 < krzie> if you did nothing would have any ips
19:13 < Ziber> i do, in fact.
19:14 < krzie> then why the hell did you send me an incorrect config?
19:14 < Ziber> wait...
19:14 < Ziber> what
19:14 * Ziber o.o
19:14 < krzie> nm im done helping you dude
19:14 < krzie> im going idle
19:14 < Ziber> I have... "server" twice in the config.
19:14 < krzie> adios
19:14 < Ziber> if you had looked over the config i pasted, you would've seen it
19:14 < Ziber> :)
19:15 < Ziber> i didnt notice until now. i have it twice, commented lower down.
19:15 < Ziber> oh, thats interesting...
19:16 < Ziber> and when i comment the push, i cant ping anything.
19:16 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa
19:19 < Ziber> oh, hm. okay
19:19 < Ziber> all pingable again, after restarting bravo/delta
19:22 -!- Netsplit over, joins: pa
19:29 < krzie> hahaha thats even worse
19:29 < krzie> oops /q
19:30 -!- phant0m_ [n=phant0m_@78-105-243-178.zone3.bethere.co.uk] has quit [Remote closed the connection]
19:32 < Ziber> uhm, hardly.
19:33 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has joined ##openvpn
19:41 -!- r0fl_ [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn
19:42 -!- r0fl [n=r0fl@95.88.194.54] has quit [Read error: 104 (Connection reset by peer)]
20:01 -!- iamamoron [n=iamamoro@210.238.181.188] has joined ##openvpn
20:01 < iamamoron> hi there, i have set up openvpn I can ping to remote IPs but I cannot remote the pc using pc anywhere or remote desktop any ideas whats going on?
20:04 < ecrist> firewall?
20:05 < iamamoron> firewall is set to nothing
20:05 < ecrist> ping krzie
20:05 < iamamoron> i can even remote the pc on the same subnet
20:05 < iamamoron> this means firewall is off
20:06 < iamamoron> but if I am on the remote that passes through openvpn
20:06 < iamamoron> i cannot remote
20:06 < iamamoron> i can even ping
20:06 < iamamoron> i can ping
20:06 -!- ksnp [n=ksnp@71-6-65-18.static-ip.telepacific.net] has left ##openvpn []
20:06 < iamamoron> but i cannot remote using pcanywhere or remote desktop
20:07 < iamamoron> any ideas whats going on?
20:08 < ecrist> I still think it's the firewall
20:08 < iamamoron> of the remote pc?
20:08 < iamamoron> as i said i can remote on the same subnet
20:09 < ecrist> iamamoron: if you're on the vpn, you're going through routers which could block the traffic
20:10 < iamamoron> the routers run on both openvpn
20:11 < iamamoron> there is also no block port set on the iptables
20:11 < krzie> pong
20:12 < krzie> windows machine, turn off the firewall
20:12 < krzie> then try again
20:12 < krzie> seriously, try it
20:12 < krzie> also note that mcafee and norton have firewalls in them
20:12 < krzie> as well as many other pieces of weakness software
20:14 < iamamoron> thanks for the info
20:14 < iamamoron> it works now
20:14 < iamamoron> problem is openvpn server iptables firewall is on
20:15 < iamamoron> damn it
20:15 < iamamoron> anyways thank you very much for shedding light
20:21 < krzie> wow ecrist nailed that one pretty quick =]
20:36 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:44 -!- hacim [n=micah@debian/developer/micah] has quit [Remote closed the connection]
20:52 -!- hacim [n=micah@micah.riseup.net] has joined ##openvpn
20:54 < gazelle> hi iamamoron
20:54 < iamamoron> yes gazelle
20:54 < gazelle> lol
20:59 -!- ruied [n=ruied@bl7-209-69.dsl.telepac.pt] has quit [Connection timed out]
20:59 -!- correcaminos [n=laguilar@189.231.85.10] has joined ##openvpn
21:06 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
21:06 -!- Netsplit over, joins: jhp, |Mike|
21:07 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
21:11 -!- Netsplit over, joins: jhp, |Mike|
21:14 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
21:15 -!- Netsplit over, joins: jhp, |Mike|
21:26 -!- Intensity [i=[P1DFcMG@unaffiliated/intensity] has joined ##openvpn
21:43 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
22:20 -!- gazelle [n=q@80-254-76-244.dynamic.swissvpn.net] has quit ["Lost terminal"]
22:36 -!- plaird [n=plaird@97-122-235-56.hlrn.qwest.net] has joined ##openvpn
22:50 -!- ruied [n=ruied@bl7-209-69.dsl.telepac.pt] has joined ##openvpn
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 113 (No route to host)]
23:02 -!- plaird [n=plaird@97-122-235-56.hlrn.qwest.net] has quit ["Ex-Chat"]
23:08 -!- rbd [n=rbd@74.229.183.112] has joined ##openvpn
23:43 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
23:45 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [No route to host]
--- Day changed Thu Dec 17 2009
00:16 -!- coil_ [i=stfu@unaffiliated/coil] has left ##openvpn []
00:27 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit []
00:43 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
00:44 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Remote closed the connection]
00:45 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:32 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
01:48 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn
01:49 -!- hyper_ch [n=hyper@167-95.79-83.cust.bluewin.ch] has joined ##openvpn
01:57 -!- oc80z_ [n=oc80z@priv.efnet.pe] has joined ##openvpn
02:09 -!- yoshx [n=Document@212.51.167.181] has joined ##openvpn
02:09 < yoshx> hello
02:09 < yoshx> i've got a question with openvpn
02:11 < yoshx> if i'll want to buy 2 or more server (ovh) can i use openvpn with all of them
02:12 < yoshx> secure connection server 1 to server 2, server 2 to server 3...
02:12 < yoshx> is it possible ?
02:19 < krzee> !route
02:19 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
02:19 < krzee> thats a doc explaining how to connect lans behind all 3 =]
02:19 < krzee> but ya, as many as you want
02:26 < yoshx> ok thanks a lot krzee
02:27 < krzee> ecrist, mail still down? cant send
02:30 < krzee> seems like maybe a permission issue somewhere, cant move msgs between dirs either
02:34 -!- yoshx [n=Document@212.51.167.181] has left ##openvpn []
02:38 -!- int [n=quassel@81.95.128.201] has joined ##openvpn
03:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit [Read error: 110 (Connection timed out)]
03:06 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has joined ##openvpn
03:08 -!- dazo_afk is now known as dazo
03:13 -!- tarbo2_ [n=me@unaffiliated/tarbo] has joined ##openvpn
03:13 -!- drue_ [n=drue@stiff.therub.org] has joined ##openvpn
03:14 -!- LobbyZ` [n=default@main.lobbyzffs.com] has joined ##openvpn
03:14 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.]
03:15 -!- dazo_ [n=dazo@nat/redhat/x-prdsxhouyidjxbtw] has joined ##openvpn
03:16 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: dazo, disco-, phusion__, drue, sdh, reiffert, krzee, tarbo2, robert_, rwp, (+5 more, use /NETSPLIT to show all of them)
03:16 -!- thedonvaughn [n=thedonva@jaysonvaughn.com] has joined ##openvpn
03:16 -!- dazo_ is now known as dazo
03:16 -!- Netsplit over, joins: zib
03:16 -!- Netsplit over, joins: rwp
03:16 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN
03:17 -!- Netsplit over, joins: robert_
03:17 -!- Netsplit over, joins: Ziber, phusion__
03:18 -!- ruied [n=ruied@bl7-209-69.dsl.telepac.pt] has left ##openvpn []
03:19 -!- Netsplit over, joins: mgolisch
03:19 -!- reiffert [n=thomas@mail.webersheim.de] has joined ##openvpn
03:20 -!- Netsplit over, joins: sdh
03:21 -!- Netsplit over, joins: krzee
03:25 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
03:35 -!- disco- [i=disco@andromeda.h4xed.com] has joined ##openvpn
03:59 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
04:54 -!- ruied [n=ruied@92.250.106.233] has joined ##openvpn
04:55 -!- ruied [n=ruied@92.250.106.233] has left ##openvpn []
05:21 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- phusion__ [i=phusion@88.80.16.38] has quit [Read error: 60 (Operation timed out)]
05:31 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:37 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
05:37 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
05:41 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
05:45 -!- iamamoron [n=iamamoro@210.238.181.188] has quit [Read error: 113 (No route to host)]
05:46 -!- ruied [n=ruied@92.250.106.233] has joined ##openvpn
05:57 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Remote closed the connection]
05:58 -!- phusion__ [i=phusion@88.80.16.38] has quit ["changing servers"]
06:02 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
06:03 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn
06:40 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has joined ##openvpn
06:40 < samaelszafran> Hello.
06:40 < samaelszafran> ohm.
06:40 < samaelszafran> !howto
06:40 < vpnHelper> samaelszafran: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
06:41 < samaelszafran> mhmm..
06:41 < |Mike|> xyz
06:44 < samaelszafran> nope. I don't understand the howto.
06:44 < samaelszafran> Guess I'm dumb ;X
06:47 < ecrist> krzie: email should be up, let me try
06:49 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has left ##openvpn []
06:51 < ecrist> krzie: I've put the old configs in place and restarted the daemons. I'll worry about the new config on the new server and leave the current one alone.
06:53 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has joined ##openvpn
06:53 -!- LobbyZ` is now known as LobbyZ
06:54 < samaelszafran> okay... Could somebody guide me how to set up openvpn to use user/password instead of certs?
07:21 -!- Ramjar [n=Ramjar@d226.broadband.quicknet.se] has joined ##openvpn
07:22 < Ramjar> Is it possible to list all openvpn clients via crl.pem?
07:23 < Ramjar> or how can i list/show all users?
07:33 < reiffert> Anyone into Windows and Software Raid 5?
07:34 < ecrist> the combination of that sounds scary
07:34 < reiffert> Private use only.
07:39 < ecrist> Ramjar: you're looking for active connections?
07:40 < ecrist> CRL is your revocation list.
07:44 < Ramjar> ecrist: i want to list all users, that can login into the vpn.
07:45 < ecrist> that could be difficult
07:45 < ecrist> you need to see your index.txt from openssl for your CA
07:45 < ecrist> if you don't control your CA, talk to the person who does
07:49 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
07:49 < Ramjar> well that person has left the company. so there is no chance to get this information from crl.pem ?
07:49 < Ramjar> the index.txt has been deleted
08:06 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:06 < |Mike|> revoke them all and start making new ones :-)
08:08 < ecrist> Ramjar: no. crl.pem only contains revoked certificate information. index.txt will contain all certificates signed by the ca
08:08 < ecrist> recover index.txt from backups
08:08 < |Mike|> (if you have those..)
08:09 < |Mike|> s/you/he
08:09 < ecrist> |Mike|: any competent admin will have backups of important company information
08:12 < Ramjar> nopp no backup of that file :/
08:14 < ecrist> Ramjar: then start over
08:14 < ecrist> it's the only way to know who can get in to the vpn
08:15 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:16 < Ramjar> well, then i will lose the password information, if any of the users has changed password
08:17 < Ramjar> think the best way is to script a little in order to log every user, and in the end have a "full" list of "all" users
08:22 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: pa
08:24 < ecrist> Ramjar: you won't have a list of people who don't log in
08:25 < ecrist> also, if you're logging openvpn, you can parse out all the users who use it
08:29 < |Mike|> openvpn, passwords ?!
08:29 < |Mike|> use certs!
08:31 -!- Netsplit over, joins: pa
08:31 < Ramjar> ecrist: correct. not much to play with.
08:31 -!- Rolybrau [n=Rolybrau@unaffiliated/rolybrau] has quit ["I am off"]
08:31 < Ramjar> |Mike|: Uses cert + password
08:31 < ecrist> if you want a secure VPN you control, your only option is to re-issue certificates
08:32 < ecrist> otherwise, your former admin likely has a certificate or 9 and can get in to the network and you'll never know.
08:33 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Ziber, jhp, |Mike|
08:34 -!- theDoc [n=hex@unaffiliated/thedoc] has left ##openvpn ["Leaving"]
08:34 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:35 < samaelszafran> hmm...
08:36 < samaelszafran> guess I need some help
08:37 < theDoc> !mitm
08:37 < vpnHelper> theDoc: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
08:37 < samaelszafran> http://wklej.org/id/238644/txt
08:37 < samaelszafran> and I have no idea what it might be.
08:37 < samaelszafran> I think I've set everything up
08:38 < samaelszafran> and my firewall is not blocking the openvpn port
08:38 < samaelszafran> I did everything as in this tutorial: http://www.secure-computing.net/wiki/index.php/FreeBSD_OpenVPN_Server/Routed
08:38 < vpnHelper> Title: FreeBSD OpenVPN Server/Routed - Secure Computing Wiki (at www.secure-computing.net)
08:39 < samaelszafran> It creates a tun0 device... But I just can't connect to it
08:39 < samaelszafran> (the pastie shows openvpn.log when I try to connect. It's from the server)
08:39 -!- Netsplit over, joins: Ziber
08:40 < ecrist> samaelszafran: your certificates are borked
08:40 < ecrist> !config
08:40 < vpnHelper> ecrist: (config []) -- If is given, sets the value of to . Otherwise, returns the current value of . You may omit the leading "supybot." in the name if you so choose.
08:40 < ecrist> !configs
08:40 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
08:40 < ecrist> !logs
08:40 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
08:40 < ecrist> samaelszafran: are you using ssl-admin?
08:40 < samaelszafran> yeah
08:40 < samaelszafran> sorry, I'm not English - what do you mean by borked?
08:41 < ecrist> fucked up
08:42 < samaelszafran> okay...
08:42 < samaelszafran> so I'll try to set them again
08:43 < ecrist> are you using ssl-admin
08:43 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
08:43 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
08:43 < ecrist> ?
08:43 -!- hyper__ch [n=hyper@81.62.26.23] has joined ##openvpn
08:43 -!- hyper_ch [n=hyper@167-95.79-83.cust.bluewin.ch] has quit [Nick collision from services.]
08:43 < samaelszafran> its just ssl-admin being English..
08:43 < samaelszafran> yeah
08:43 -!- hyper__ch is now known as hyper_ch
08:43 < samaelszafran> at least I try to use it ;)
08:43 < ecrist> if you have problems, let me know, it's my program. ;)
08:43 < samaelszafran> oh. :)
08:44 < samaelszafran> well, okay then...
08:45 < samaelszafran> I run ssl-admin.. what I need for openvpn is... hmm... Diffie-Hellman parameter, self-signed CA, and Signed Server Cert, am I right?
08:45 < ecrist> yes
08:45 < ecrist> and then client certs
08:45 < samaelszafran> okay, first the dh...
08:45 < ecrist> the dh and signed server cert go on the vpn server
08:45 < samaelszafran> should there appear "+" chars on the output?
08:45 < ecrist> then use client certs for the vpn clients
08:46 < ecrist> not sure what you mean. feel free to pastebin the output
08:46 < samaelszafran> It is creating the dh key..
08:46 < samaelszafran> there appear dots, mostly.. but sometimes there appears a "+" sign..
08:46 < ecrist> oh that's fine
08:46 < samaelszafran> in some programs this means there's an error...
08:46 < samaelszafran> okay, okay.
08:46 < ecrist> are you running ssl-admin from ports, or did you download the perl script?
08:47 < samaelszafran> ports.
08:47 < ecrist> good
08:47 < samaelszafran> btw, there's something wrong in the portfile
08:47 < ecrist> there is?
08:47 < samaelszafran> it wanted to recompile unzip to 6.0 although it was installed
08:47 < ecrist> I'll look into it
08:48 < samaelszafran> so - it shouted that there's an error because unzip's installed already
08:48 < samaelszafran> 7.2-RELEASE
08:48 < samaelszafran> maybe in some other releases it is correct
08:48 < ecrist> do you have latest port tree?
08:48 < samaelszafran> yeah
08:49 < ecrist> run this for me:
08:49 < samaelszafran> I've rebuilt the world about 2 weeks ago
08:49 < ecrist> grep PORTNAME /usr/ports/security/ssl-admin/Makefile
08:49 < ecrist> not that
08:49 < samaelszafran> just - I see where to make server certs, but where are the client ones?
08:49 < ecrist> change PORTNAME to DISTVERSION
08:49 < samaelszafran> (where could I make them)
08:50 < samaelszafran> 1.0.2
08:50 < ecrist> ok, that's latest
08:51 < samaelszafran> so, what I did to install this was deinstalling unzip and then installing ssl-admin
08:51 < samaelszafran> as it installed unzip then.
08:51 < ecrist> the Makefile should handle that, I'm using FreeBSD macros to deal with that
08:51 < ecrist> I would need the output from your failure to fix it.
08:51 < ecrist> I'm just setting a run depend
08:51 < samaelszafran> Now I can't give it to you, sorry...
08:51 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has joined ##openvpn
08:52 < samaelszafran> I did make install clean and it did a normal error telling, that unzip is already installed
08:52 < samaelszafran> and that I need to make reinstall, or make deinstall
08:52 < samaelszafran> okay, so how do I generate client certs?
08:53 < ecrist> the macro probably expects a certain version and you likely had an old version installed
08:53 < ecrist> option 4
08:53 < samaelszafran> one step request sign?
08:53 < ecrist> yes
08:53 < samaelszafran> You know, I did reinstall unzip and installed it manually
08:53 < samaelszafran> but with no result
08:53 < samaelszafran> only when i uninstalled it and then run ssl-admin compile...
08:54 < ecrist> if I get around to re-rolling the port, I'll setup options to enable zip/unzip
08:55 -!- ruied [n=ruied@92.250.106.233] has quit [Connection timed out]
08:56 < ecrist> samaelszafran: the wording could be cleaned up a bit as it's not 'just' for openvpn, it's a general ssl certificate manager
08:56 < ecrist> what is your native language?
08:56 < samaelszafran> Polish.
08:57 < samaelszafran> I was too young to remember anything from Lithuanian, when we were moving here ;)
08:58 < ecrist> ah
08:58 < samaelszafran> hmm..
08:58 < samaelszafran> where did ssl-admin put my dh?
08:59 < ecrist> likely in /usr/local/etc/ssl-admin/active
08:59 < samaelszafran> mhm... weird.
08:59 < samaelszafran> okay, got it.
08:59 < samaelszafran> so, to connect to my vpn, which certs does the client require to have?
09:00 < ecrist> the ca certificate (not the key) and the client certificate/key pair
09:00 < samaelszafran> okay...
09:01 < ecrist> if you copy your openvpn client config into prog, it will package everything you need for openvpn clients
09:01 < ecrist> into a zip file
09:01 < samaelszafran> I need the crl-verify, dont I?
09:02 < ecrist> if you want to lock people out by revoking their certificate, yes
09:02 < samaelszafran> which one is it? I've got three .pem files.. client, serve?
09:02 < samaelszafran> ser-ver?*
09:02 < ecrist> the crl?
09:02 < samaelszafran> yeah
09:02 < ecrist> crl is in prog/crl.pem
09:03 < samaelszafran> I haven't a prog directory...
09:03 < ecrist> /usr/local/etc/ssl-admin/prog
09:03 < samaelszafran> hmm...
09:04 < samaelszafran> so why does tutorial tell me to search in a different dir? :-))
09:04 < ecrist> probably because I haven't updated the tutorial
09:04 < ecrist> when that tutorial was originally written, ssl-admin was a single perl script
09:05 < ecrist> it's undergone a ton of development since then
09:05 < samaelszafran> :)
09:05 < samaelszafran> okay.. let's try it.
09:07 < samaelszafran> weird that the log is empty.
09:08 < samaelszafran> now that is really weird
09:08 < samaelszafran> it tells me that It gets timeouted on my localhost
09:08 < samaelszafran> but no logs on the server
09:09 < samaelszafran> ahm.. It's because openvpn hasn't started - and it does not produce any output about the error ;x
09:09 < ecrist> samaelszafran: post your client and server configs
09:09 < ecrist> I've updated the paths in the wiki, too
09:09 < samaelszafran> sec...
09:09 < samaelszafran> My client config - I'm trying to use network manager.
09:10 < samaelszafran> server: http://wklej.org/id/238671/
09:10 < vpnHelper> Title: wklej.org - wklejka nr 238671 (at wklej.org)
09:12 < samaelszafran> Thu Dec 17 16:11:22 2009 us=736068 Cannot load CA certificate file /usr/local/etc/openvpn/ssl/active/ca.key (SSL_CTX_load_verify_locations) (OpenSSL)
09:12 < samaelszafran> what the?
09:17 < samaelszafran> okay, run..
09:18 < samaelszafran> but something is still wrong.
09:18 < samaelszafran> I can't connect...
09:18 < samaelszafran> the log keeps printing same errors.
09:18 < ecrist> samaelszafran: network manager is broken
09:18 < samaelszafran> http://wklej.org/id/238677/
09:18 < vpnHelper> Title: wklej.org - wklejka nr 238677 (at wklej.org)
09:18 < ecrist> post your logs
09:19 < ecrist> I don't see any errors in there.
09:19 < samaelszafran> it repeats about 20 times
09:19 < samaelszafran> this log piece
09:19 < samaelszafran> and after 60 seconds it disconnects me, telling that it timeouted.
09:21 < samaelszafran> but I get something locally
09:22 < samaelszafran> http://wklej.org/id/238680/
09:22 < vpnHelper> Title: wklej.org - wklejka nr 238680 (at wklej.org)
09:23 < ecrist> where's your client config
09:23 < samaelszafran> I told you - I've set it in network manager
09:24 < samaelszafran> copied the certs you told me into my home, and pointed to them in network manager vpn settings.
09:24 < ecrist> I said network manager was broken
09:24 < samaelszafran> mhm...
09:24 < ecrist> 09:18 < ecrist> samaelszafran: network manager is broken
09:25 < samaelszafran> okay, so I have to use something else..
09:25 < ecrist> use the commandline openvpn client
09:25 < samaelszafran> sorry, I must not have noticed it.
09:25 < samaelszafran> mhm, mhm...
09:26 < samaelszafran> server 172.30.0.0 255.255.255.0
09:26 < samaelszafran> push "route 10.0.0.0 255.255.255.0"
09:26 < samaelszafran> its in my server - so what should I type in my client config?
09:29 < ecrist> did you follow the entire howto?
09:29 < ecrist> !freebsd
09:29 < vpnHelper> ecrist: "freebsd" is http://www.secure-computing.net/wiki/index.php/OpenVPN_Server
09:29 < ecrist> if you follow all those steps, you get a running vpn
09:29 < samaelszafran> yeah, I did... wait
09:30 < samaelszafran> yes, the vpn on the server is running...
09:30 < samaelszafran> but Now I'd like to connect to it :-))
09:31 < ecrist> let me get you a sample
09:31 < ecrist> http://pastebin.com/m6ca3982a
09:33 < samaelszafran> okay, thanks.
09:33 < samaelszafran> sorry, I have to go to work for a moment
09:33 < samaelszafran> I'll tell you if I worked it out in a few hours ;)
09:33 < samaelszafran> thank you very much and have a nice evening
09:34 < ecrist> ok
09:35 < samaelszafran> actually...
09:35 < samaelszafran> Before I go.
09:35 < samaelszafran> I tried it.
09:35 < samaelszafran> http://wklej.org/id/238703/
09:35 < vpnHelper> Title: wklej.org - wklejka nr 238703 (at wklej.org)
09:36 < ecrist> do you have the ca.crt on the client machine?
09:36 < samaelszafran> yeah
09:37 < ecrist> in the same directory as the config file?
09:37 < samaelszafran> nope - I've pointed a different one in the config
09:37 < samaelszafran> $ cat openvpn.conf |grep ca
09:37 < samaelszafran> ca /home/js/klucze/ca.crt
09:37 < ecrist> and that's the ca you created with ssl-admin, right?
09:38 < samaelszafran> $ file /home/js/klucze/ca.crt
09:38 < samaelszafran> /home/js/klucze/ca.crt: PEM certificate
09:38 < samaelszafran> yeah
09:38 < samaelszafran> it is, just copied it from the server
09:38 < ecrist> I'll look into this and should have something for you when you come back
09:39 < samaelszafran> okay...
09:40 < samaelszafran> write it to my query If I won't be online
09:40 < samaelszafran> see you soon then.
09:40 < samaelszafran> [d]
09:45 < |Mike|> d ?
09:48 -!- dazo [n=dazo@nat/redhat/x-prdsxhouyidjxbtw] has quit [Remote closed the connection]
09:48 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
09:48 < krzie> detached maybe
09:49 < |Mike|> hey krzie
09:50 < ecrist> krzie: email working for you?
09:50 < |Mike|> can someone reach www.ns.nl ?
09:50 < ecrist> fwiw, there have been 585 downloads of ssl-admin from unique IPs (v4 and v6 addresses)
09:51 < |Mike|> ecrist: last month?
09:51 < ecrist> |Mike|: http://downforeveryoneorjustme.com/www.ns.nl
09:51 < vpnHelper> Title: It's not just you! (at downforeveryoneorjustme.com)
09:51 < ecrist> |Mike|: all time
09:52 < krzie> hey thats awesome, our bot interfaces nice with that site
09:53 < |Mike|> kewl.
09:53 * |Mike| going to catch a NS train.
09:53 < ecrist> the site tells me it's just me
09:53 < ecrist> |Mike|: last month there have been 53 downloads
09:53 < ecrist> unique IPs
09:53 < |Mike|> not bad. I was one of them :D
09:53 < |Mike|> (v6)
09:53 < ecrist> that doesn't count users who pulled from freebsd.org ftp site
09:53 < krzie> interesting, my email last night did send, just didnt write to outbox
09:53 < krzie> and yup its working
09:54 < ecrist> krzie: I 'punted' and went back to old config this am
09:54 < ecrist> the new server will have new config
09:54 < krzie> i can tell right away cause the messages made it to the right dirs
09:55 < ecrist> krzie: OT, but I'm assisting with rolling the freeswitch 1.0.5 port on freebsd. ;)
09:56 < krzie> niceness!
09:56 < krzie> very cool
09:56 < ecrist> it does not compile on freebsd < 7
10:03 < krzie> erm, ive used it on fbsd6
10:03 < krzie> its installed and working on hemp right now
10:03 < krzie> 6.3-RELEASE-p2
10:10 < krzie> (not from ports tho)
10:10 < krzie> freeswitch is so rapidly developed its usually best to use svn
10:14 < ecrist> krzie: the port won't compile on older versions due to some new threading options being presented in the port
10:14 < ecrist> svn should compile, though, without those optimizations.
10:15 < ecrist> cartman is getting 8.0 amd64
10:20 -!- correcaminos [n=laguilar@189.231.85.10] has quit [Read error: 110 (Connection timed out)]
10:30 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)]
10:38 -!- rlarson`` [n=rlarson8@CPE00226b5e2074-CM000e5c6ebb22.cpe.net.cable.rogers.com] has quit ["Coyote finally caught me"]
10:39 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn
10:56 < krzie> nice
10:56 < krzie> thats what my NFS is
10:56 < krzie> since zfs is happiest with 8 amd64
10:59 < ecrist> 4gb ram, xeon 2.8GHz, 2x15k SCSI raid 1
11:00 < krzie> xeon running amd64?
11:00 < ecrist> dual core, even
11:00 < ecrist> krzie: yes
11:00 < krzie> werd
11:00 -!- ODDG [n=oduque@190.248.24.11] has joined ##openvpn
11:00 < ecrist> amd64 is generic for 64-bit in freebsd
11:00 < krzie> mines a dual core amd 64, 8gb ram, 4x 1.5TB seagate and 1 lil bs drive for the OS
11:00 < ODDG> hi, can i use openvpn with external dhcp server?
11:01 < krzie> ODDG, yes but its usually unnecessary
11:02 < ODDG> krzie: i have openvpn on bridge mode :)
11:04 < krzie> and thats the normally unnecessary part
11:04 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
11:04 < krzie> but if you have it in bridge mode you should have read --server-bridge in the manual
11:04 < krzie> and if you read that you know how to have it use the dhcp server =]
11:04 < krzie> !man
11:04 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:04 -!- ruied [n=ruied@95.69.10.85] has joined ##openvpn
11:06 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:07 < ODDG> krzie: very thanks!
11:08 < krzie> np
11:24 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:27 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
11:31 -!- v_ [n=v@dyn-201-22.vpn.wisc.edu] has joined ##OpenVPN
11:31 < v_> Hey
11:31 < ecrist> Hey
11:32 < v_> I have a question about openvpn on the palm pre
11:32 < ecrist> ok
11:32 < v_> Does it work over 3g? I was reading webos-internal wiki, and it wasn't clear if it was only limited to wireless or not
11:32 < ecrist> no idea
11:32 < ecrist> don't know why it wouldn't. but, I didn't know there was an openvpn client for palm pre
11:32 < v_> hm... ok; guess the easiest way to find out is to try it then :)
11:33 < v_> Yeah, I found it at http://www.webos-internals.org/wiki/OpenVPN_for_Palm_Pre
11:33 < vpnHelper> Title: OpenVPN for Palm Pre - WebOS Internals (at www.webos-internals.org)
11:34 < v_> I already asked in the webos channel, but no one knew, so I thought I would try here before I started experimenting with it.
11:35 < ecrist> v_: it would appear from the url you posted, it works over EVDO
11:35 < ecrist> 64 bytes from 74.125.67.100: seq=9 ttl=52 time=1556.213 ms <-- cutover wifi to evdo
11:35 < v_> Oh, my bad, I should have read closer -- thanks!
11:35 < ecrist> no problem
11:36 < ecrist> fwiw, they need to update the ipkg - 2.1.1 is released now
11:38 -!- v_ [n=v@dyn-201-22.vpn.wisc.edu] has quit ["Leaving"]
11:53 < krzie> ecrist but dont stop working on the mailserver just cause of me, i understand downtime... just wanted to let you know it wasnt working yet last night in case you didnt know
11:54 < krzie> (not sure if that had anything to do with anything, just making sure it doesnt)
11:55 < ecrist> krzie: no, it's silly to put two days config/t-shooting time in to a mailserver for a single feature when I'm also in the middle of building a new mail server
11:56 < krzie> ahh you already started building it
11:56 < krzie> cool, and makes sense
11:58 < ecrist> well, I had started building it
11:58 < ecrist> until 2 hours ago, that box was 32bit
11:58 < ecrist> didn't know its proc was 64bit
11:59 < krzie> ahh
11:59 < krzie> amd64 is nice anyways =]
11:59 < ecrist> the box has 4gb ram, without 64bit, only was able to see 3.5GB
11:59 < ecrist> now I get all of it
11:59 < ecrist> PAE isn't an option - conflicts with drivers for raid hardware
12:00 < krzie> ahh you got hardware raid?
12:00 < ecrist> yep
12:00 < krzie> nice man
12:00 < ODDG> krzie i can't find options for get dhcp info
12:00 < krzie> the good cards are too pricey for me
12:00 < ecrist> 256MB, battery backed
12:00 < ecrist> krzie: that box was $200
12:00 < krzie> after raid card? what card is it?
12:00 < ecrist> came with 6 months dell-onsite support, even
12:00 < ecrist> Dell PowerEdge 1850
12:01 < ecrist> PERC 4/i
12:01 < ecrist> LSI card, iirc
12:01 < krzie> If --server-bridge is used without any parameters, it will enable a DHCP-proxy mode, where connecting OpenVPN clients will receive an IP address for their TAP adapter from the DHCP server running on the OpenVPN server-side LAN. Note that only clients that support the binding of a DHCP client with the TAP adapter (such as Windows) can support this mode. The optional nogw flag (advanced) indicates that gateway information should not be pushed to
12:01 < ecrist> private-labeled for dell
12:01 < krzie> right under --server-bridge (where i said to read)
12:05 < ODDG> --server-bridge need ip_from mask ip_to. the server dhcp has this information.
12:07 < krzie> if you want it to use the dhcp server, do as the manual says
12:08 < krzie> (thats why theres a manual ;] )
12:14 < ODDG> krzie: if i don't use any parameters in file server.conf, don't start openvpn
12:15 < krzie> you use no params for server-bridge
12:17 < ecrist> holy crap, this is good: http://www.youtube.com/watch?v=-dadPWhEhVk
12:17 < vpnHelper> Title: YouTube - Ataque de Pánico! (Panic Attack!) 2009 (at www.youtube.com)
12:17 < ODDG> :(
12:19 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
12:26 -!- rajin [n=_@port-12544.pppoe.wtnet.de] has joined ##openvpn
12:48 < samaelszafran> re.
12:51 < samaelszafran> ecrist: have you found anything?
12:51 < ecrist> samaelszafran: sorry, no. I've been working
12:51 < samaelszafran> mhm...
12:51 < samaelszafran> let me think, what might be wrong...
12:51 < samaelszafran> maybe I'll create the keys again?
12:52 < krzie> ya man good vid
12:53 < krzie> samaelszafran what was the problem?
12:53 < ecrist> krzie: he's got config problems, I think
12:53 < samaelszafran> krzie: I've got problems with openvpn, can't connect.
12:53 < ecrist> he's using ssl-admin (latest from ports)
12:53 < samaelszafran> and, yes, I think it might be config problem.
12:53 < krzie> !configs
12:53 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:53 < ecrist> he still hasn't posted his configs, though
12:53 < samaelszafran> ecrist: I did.
12:53 < krzie> oh, lol
12:54 < samaelszafran> ecrist: 16:09 < samaelszafran> server: http://wklej.org/id/238671/
12:54 < vpnHelper> Title: wklej.org - wklejka nr 238671 (at wklej.org)
12:55 < krzie> is route 10.0.0.0 a lan behind server or client?
12:55 < krzie> ok
12:55 < krzie> !logs
12:55 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:55 < samaelszafran> you know, I don't know - I did it using ecrists tutorial
12:56 < samaelszafran> the server is not in any lan, I guess.
12:56 < samaelszafran> It's got its own, world opened ip..
12:56 < samaelszafran> (world opened, don't laugh, strict translation from my lang)
12:57 < samaelszafran> still...
12:57 < samaelszafran> hu Dec 17 19:57:26 2009 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=PL/ST=STATE/PROVINCE/O=ORGANIZATION/CN=server/emailAddress=EMAIL_ADDRESS
12:57 < samaelszafran> Thu Dec 17 19:57:26 2009 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
12:57 < samaelszafran> it's the only problem.
12:57 < samaelszafran> On the client side.
12:58 -!- hacim [n=micah@debian/developer/micah] has left ##openvpn []
12:58 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:59 < krzie> i didnt say paste errors to the channel
12:59 < samaelszafran> sorry.. :)
12:59 < krzie> i said paste entire log with verb 6 to a pastebin
12:59 < samaelszafran> mh.
12:59 < ecrist> krzie: the freebsd tutorial could use a refresh
12:59 < ecrist> there's some errors in there, including the push route 10.0.0.0 255.255.255.0 he's got
13:00 < samaelszafran> I've deleted it.
13:00 < samaelszafran> the push line.
13:00 < krzie> i hate when people just put stuff in their config without reading the manual to see what it does
13:01 -!- tinLoaf [n=tinloaf@tinloaf.de] has quit [Read error: 104 (Connection reset by peer)]
13:02 < samaelszafran> so..
13:03 < samaelszafran> sorry, the client version is long - but It starts to repeat on some state
13:03 < samaelszafran> client: http://wklej.org/id/238937/
13:03 < vpnHelper> Title: wklej.org - wklejka nr 238937 (at wklej.org)
13:03 < samaelszafran> server: http://wklej.org/id/238938/
13:03 < vpnHelper> Title: wklej.org - wklejka nr 238938 (at wklej.org)
13:03 < samaelszafran> add 'txt' to the url, it will be simpler to read.
13:06 < samaelszafran> current server config: pasted about 30 lines before (just dropped the push line)
13:06 < samaelszafran> and client config: your one, ecrist
13:07 < krzie> its a problem in your certs
13:08 < samaelszafran> I've generated them as ecrist told me... ;x
13:08 < samaelszafran> and server is not complaining about certs.
13:08 < krzie> maybe you are pointing to the wrong place
13:08 < samaelszafran> in the client config?
13:09 < krzie> aye
13:09 < samaelszafran> client config is pointing correctly.
13:09 < krzie> Thu Dec 17 20:01:36 2009 us=961227 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=PL/ST=STATE/PROVINCE/O=ORGANIZATION/CN=server/emailAddress=EMAIL_ADDRESS
13:09 < krzie> for 1 thing you didnt set the email address in vars, you prolly didnt do some other stuff in there as well
13:10 -!- hyper_ch [n=hyper@81.62.26.23] has quit [Remote closed the connection]
13:10 < samaelszafran> but all files (ca, cert, and key) exist..
13:10 < samaelszafran> mhmm...
13:10 < krzie> also, what did you give each of those for common-name?
13:10 < samaelszafran> okay, so I'll try to create the keys again ;x
13:10 < krzie> for CA/server/client
13:10 < krzie> NONE can be the same
13:10 < samaelszafran> common name? ca, server and client, I guess
13:10 < krzie> you guess...
13:10 < samaelszafran> no, I don't guess.
13:10 < krzie> ecrist whats that command to view cert info?
13:10 < samaelszafran> I gave them the name appropriate for their purpose.
13:11 < ecrist> openssl x509 -in -noout -text
13:12 < krzie> !learn certinfo as please run `openssl x509 -in -noout -text` for ca,server,client certs and pastebin the results
13:12 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
13:12 < krzie> !learn certinfo as please run `openssl x509 -in -noout -text` for ca,server,client certs and pastebin the results
13:12 < vpnHelper> krzie: Joo got it.
13:12 < krzie> thanx =]
13:12 < krzie> samaelszafran, please do that
13:13 < samaelszafran> wait, I'm setting the certs again.
13:13 < ecrist> verify is openssl verify -CAfile
13:14 < krzie> !learn certverify as verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt
13:14 < vpnHelper> krzie: Joo got it.
13:19 < samaelszafran> okay, hmm.. new certs seem to work. Must have screwed something up.
13:21 < samaelszafran> okay... so now, what the hell is my servers IP? I've set server 172.30.0.0, but I can't ping it from my laptop.
13:22 < krzie> according to your config you set it to 10.8.0.1
13:22 < krzie> dont do anything else until you read EVERY command in your config in the manual
13:22 < samaelszafran> you're sure you're reading my config?
13:22 < samaelszafran> http://wklej.org/id/238963/ - this is mine, pasted just a second before.
13:22 < vpnHelper> Title: wklej.org - wklejka nr 238963 (at wklej.org)
13:23 < krzie> server 10.8.0.0 255.255.255.0
13:23 < krzie> oh you changed it
13:23 < krzie> http://wklej.org/id/238671/
13:23 < vpnHelper> Title: wklej.org - wklejka nr 238671 (at wklej.org)
13:23 < krzie> you posted that earlier
13:23 < samaelszafran> hmm.. yeah, that one was from about 4, or 5 hours, I guess I changed it..
13:23 < samaelszafran> so - I can ping my laptop from the server
13:23 < samaelszafran> but Can't ping the server from my laptop
13:23 < krzie> firewall on server
13:24 < samaelszafran> down.
13:24 < samaelszafran> meaning, it is not blocking anything.
13:24 < krzie> im not asking, im telling =]
13:24 < samaelszafran> oh.
13:24 < samaelszafran> now its working.
13:24 < samaelszafran> weird, maybe my internet connection was messing around.
13:24 < reiffert> krzie didnt run an openvpn-server yet, he's an irc-bot.
13:24 < reiffert> eliza
13:24 < krzie> hehe
13:25 < krzie> we need an AI bot in here
13:25 < reiffert> yeah, hopefully he will solve all the tricky and non-tricky problems itself ..
13:25 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit ["Leaving"]
13:25 < krzie> to just answer all questions with the word lan with !route and ping with !firewall
13:25 < krzie> and cert with !ssl-admin and !howto
13:25 < reiffert> another openvpn member just left...
13:26 < samaelszafran> oh.
13:26 < samaelszafran> ecrist, krzie, thank you very much for help :)
13:26 < krzie> a couple queludes, he'll love us again
13:26 < krzie> you're welcome
13:26 < reiffert> queludes?
13:26 < krzie> its a quote from the movie scareface
13:26 < krzie> err scarface
13:27 < krzie> queludes were a drug
13:27 -!- holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has joined ##openvpn
13:29 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
13:29 < samaelszafran> hmm.. okay, guess I'm back ;)
13:29 < samaelszafran> vpn works, machines are pinging each other.. But I can't browse any network from my laptop as I'm connected to vpn ;)
13:29 < holister> I'm able to establish a connection over tap, but I'm not able to ping...I can't figure out why. ARP's are making it over br0 to tap0, but aren't coming out on the other side
13:31 < krzie> samaelszafran which network do you want to browse?
13:31 < samaelszafran> Sorry, I've said it wrong..
13:31 < krzie> holister why do you want tap?
13:31 < samaelszafran> let's say - I can ping the vpn server, but I can't ping google.
13:32 < samaelszafran> ;)
13:32 < krzie> samaelszafran are you trying to use the internet through the vpn?
13:32 < samaelszafran> krzie: yes.
13:32 < holister> krzie: for seamless windows shares...
13:32 < krzie> your server is linux?
13:32 < samaelszafran> freebsd.
13:32 < krzie> holister use tun and wins
13:32 < krzie> samaelszafran:
13:32 < samaelszafran> I've already added allow all from any to any via tun0.
13:32 < krzie> !redirect
13:32 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
13:33 < krzie> !fbsdnat
13:33 < vpnHelper> krzie: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD
13:33 < krzie> !fbsdipforward
13:33 < vpnHelper> krzie: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
13:33 < samaelszafran> mhm.. okay, I understand.
13:33 < krzie> !def1
13:33 < vpnHelper> krzie: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:33 < holister> krzie: why not tap?
13:33 < krzie> !tunortap
13:33 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
13:33 < vpnHelper> krzie: against you over the vpn
13:34 < holister> !wins
13:34 < vpnHelper> holister: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
13:35 < krzie> man i love that bot
13:35 < holister> krzie: that's good and all, but I really want to get this working in the next couple of hours, and it took me all morning to figure out how to get the tap interfaces and bridges and everything to even connect, I don't want to start over
13:36 < krzie> then good luck to ya, i dont help with tap when tun should be used (not to mention i know a lot less about tap setups)
13:36 < krzie> =]
13:36 < krzie> doing it the right way is usually best too btw
13:36 < holister> krzie: but I'm 99% there... it's just an iptables thing or something
13:36 < holister> krzie: and we do have some layer2 stuff too
13:36 < krzie> i dont think iptables works on layer2
13:37 < holister> krzie: it's not active now, but we will need it
13:37 < holister> krzie: so what could my problem be then?
13:37 < krzie> dunno, which is why i wished you luck
13:37 < krzie> im no good with tap troubleshooting
13:37 < krzie> cause 99% of the time people who use tap should be using tun ;]
13:38 < holister> krzie: tun requires extra routing rules and stuff on the server side too, doesn't it?
13:40 < krzie> yup but i dont mind helping you with that, and i made a doc for it
13:40 < krzie> !route
13:40 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:40 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
13:40 < krzie> =]
13:40 < krzie> that stuff is easy
13:40 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
13:44 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."]
13:50 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn
13:51 < samaelszafran> krzie: and if I'd like not to browse the internet from my vpn?
14:03 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:05 -!- chantra [n=chantra@ns22757.ovh.net] has left ##openvpn []
14:17 < samaelszafran> hm.
14:18 < samaelszafran> installed openvpn-gui and getting access denied when trying to go there through the browser.
14:18 -!- trsonderm1 [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn
14:20 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:21 < trsonderm1> any idea how internally I connect fine even though using an external IP but however when I try externally I cannot get a tls handshake
14:23 < krzie> samaelszafran, then you just do nothing
14:23 < krzie> trsonderm1 server behind a NAT?
14:24 < krzie> its either NAT forwarding is wrong or firewall not allowing
14:26 -!- ODDG [n=oduque@190.248.24.11] has left ##openvpn ["Leaving"]
14:26 < trsonderm1> yes
14:27 < trsonderm1> Nat translation
14:27 < trsonderm1> port 1194
14:27 < krzie> well its either the nat or firewall =]
14:27 < krzie> remember, protocol matters there
14:27 < trsonderm1> I have two firewalls and forwarders through both one is a firebox the other is a winroute UDP on both - openvpn server.conf is set to udp also
14:28 < ecrist> freebsd 8 ssh connections log in on /dev/pts/X instead of /dev/ttyvX
14:31 < trsonderm1> trying to figure out where I'm going wrong, vpn is on static ip behind the firewall, is there something different about udp port forwarding?
14:32 < krzie> nope, just something with your NAT or firewall
14:32 < ecrist> trsonderm1: not really
14:32 < krzie> your problem has nothing to do with openvpn
14:36 < hobbsc> i'm using the push dhcp-option DNS option in my openvpn server config file, but it doesn't seem to push any dns at all if i connect manually. if i connect with kvpnc, it sets that server as my only dns server and nukes my normal dns servers (i assume in resolv.conf). is there a way i can get that option updated if i'm connecting via the cli on my client side?
14:36 < krzie> !pushdns
14:37 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
14:37 < krzie> basically for unix you have to use a script to handle the dns stuff
14:37 < hobbsc> right, if i run that script, nothing happens
14:37 < krzie> that script can do whatever you make it do
14:37 < hobbsc> update-resolv-conf
14:37 < hobbsc> that one
14:37 < hobbsc> running it does nothing, and adding it to my client config does nothing
14:37 < krzie> yup, i never used it, but it would be simple to rebuild anyways
14:38 < krzie> you plan on having many clients?
14:38 < hobbsc> just two
14:38 < krzie> you could always just manually specify that dns server for them
14:38 < hobbsc> yep
14:38 < hobbsc> that's what we're doing, this isn't mission critical
14:38 < hobbsc> i was just poking at it
14:38 < krzie> ahh cool
14:38 < hobbsc> thanks for the links
14:38 < krzie> ya i'd play with the script
14:38 < krzie> make it echo out stuff
14:39 < krzie> maybe you are dropping perms and it cant access the resolv.conf to edit, i dunno
14:39 < hobbsc> could be
14:39 < krzie> (although i believe it should run that script with full perms cause you use it in --up)
14:39 < krzie> that link goes to a thread about windows, but they mention some good stuff bout nix too somewhere in it
14:40 < hobbsc> ok
14:42 < krzie> you'll also want something in --down to put things back, and that WONT have higher perms
14:42 < krzie> so thats the interesting part =]
14:42 < hobbsc> yep
14:42 < hobbsc> figured as much
14:42 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:42 < hobbsc> hence my woes with kvpnc
14:42 < hobbsc> kvpnc is doing something with that script
14:42 < hobbsc> i'm just not sure what
14:43 < krzie> (wont have higher perms assuming you choose to drop perms, but as you are interested in this for education sake im sure you drop perms)
14:44 -!- hacim [n=micah@debian/developer/micah] has joined ##openvpn
14:45 < hacim> so i've been running openvpn over tcp, but I'm having one client that is failing. someone suggested I switch it to udp, so I want to try that
14:45 < hacim> i can setup a secondary openvpn server which listens on udp, on a different port, and configure the client to use udp
14:45 < hacim> but interestingly, when I did that, I didn't get the same routes/configuration pushed to my client. i changed nothing else in my config in the process except the proto
14:46 < hacim> is there something else I should be tweaking the config to do that?
14:47 < ecrist> nope
14:47 < ecrist> !configs
14:47 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
14:47 < krzie> if only the clients need access to lan behind server its np, just change the vpn subnet for second vpn
14:47 < krzie> if its lans behind clients you're kinda screwed
14:48 < krzie> well actually no thats not true
14:48 < krzie> but you for sure cant use the same subnet for both vpns
14:48 < krzie> and you said you changed nothing else, so that would be a problem
14:49 < hacim> hm i see, so I would need multiple subnets, that stinks for different protocols :p
14:49 < krzie> if you're good with code please make a patch to allow multiple ips:ports:protos
14:50 < hacim> so if I have 'server 10.8.0.0 255.255.255.0' on the tcp one, can I tweak that in a subtle way to enable both to talk to each other by supplying a different netmask for the udp server?
14:50 < krzie> or at least both protos
14:50 < krzie> you dont need to tweak anything
14:50 < hacim> hm?
14:50 < krzie> just push each subnet to the other clients
14:50 < krzie> lets say second server gets 10.8.1.0
14:51 < krzie> push 10.8.0.0 in that servers config
14:51 < krzie> then push 10.8.1.0 in the others
14:51 < krzie> so clients know where to go
14:51 < krzie> (the server already knows)
14:51 < krzie> then make sure the server has ip forwarding on
14:51 < hacim> i see
14:51 * hacim plays
14:52 < krzie> ive even done that type of thing with routing between 2 clients on the same system
14:52 < krzie> although that is much more complicated
15:04 -!- drue_ is now known as drue
15:18 < holister> I have successfully connected, and openvpn creates a tun0 device with .1 ip on the subnet...but it doesn't decrypt any packets to it... i'm running wireshark on tun0 and nothing is coming through
15:23 < holister> anyone here?
15:26 < ecrist> I don't think so
15:38 -!- IrCYop1 [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has joined ##openvpn
15:39 < holister> I think I'm missing a push or a route or something....I think the problem is on the windows side
15:39 -!- r0fl_ is now known as r0fl
15:41 < IrCYop1> So I have openVPN working. and I have 2 openVPN clients with ip 10.8.0.2 and 10.8.0.3 but they can't ping each other
15:42 < holister> IrCYop1: I saw something about that in the howto...it's a config option 'client-to-client' or something like that
15:43 < IrCYop1> holister: will search for this doc
15:43 < holister> http://openvpn.net/index.php/open-source/documentation/howto.html grep client-to-client
15:43 < vpnHelper> Title: HOWTO (at openvpn.net)
15:43 < holister> read the comments
15:46 < IrCYop1> thanks guys
15:47 < IrCYop1> Got it working
15:50 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.6/20091201220228]"]
16:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:05 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Remote closed the connection]
16:15 -!- coil [i=stfu@unaffiliated/coil] has left ##openvpn []
16:16 -!- IrCYop1 [n=pc@wnklmb01dc1-213-59.dynamic.mts.net] has left ##openvpn []
16:26 -!- ruied [n=ruied@95.69.10.85] has quit [Connection timed out]
16:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)]
16:31 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn
16:47 -!- rajin [n=_@port-12544.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- \o/"]
17:25 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
17:52 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
18:24 -!- sjr [n=sjr@office.superuholdings.com] has joined ##openvpn
18:25 < sjr> I'm just looking for a quick start guide, for both LAN-LAN and Client-LAN setups
18:25 < sjr> but I keep getting this weird gui based thing
18:48 -!- master_o1_master [n=master_o@p549D7525.dip.t-dialin.net] has joined ##openvpn
18:50 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has joined ##openvpn
18:55 < Sleeper-> hi all
18:56 < Sleeper-> in general, what reason can it have if i can't ping the tun0 gateway after vpn connection was established successfully?
18:57 < theDoc> Your routing table is broken
18:58 < Sleeper-> hm
18:58 < Sleeper-> it seems to look good though
18:59 < Sleeper-> you're speaking of the clients routing table, right?
18:59 -!- master_of_master [i=master_o@p549D75DA.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
19:00 < Sleeper-> contains an entry for the gateway: 172.30.0.5 * 255.255.255.255 UH 0 0 0 tun0
19:03 < Sleeper-> is the gateway on the server side or the client side? 'course if it is on the client side, the problem is definitively there
19:18 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)]
19:19 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn
19:19 -!- SkyX [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
19:20 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has quit [Remote closed the connection]
20:02 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn []
20:03 -!- phant0m [n=phant0m@78-105-243-178.zone3.bethere.co.uk] has joined ##openvpn
20:04 < phant0m> someone got a link for the non access server version
20:05 < phant0m> anyone?
20:05 < phant0m> pls
20:06 -!- oc80z_ [n=oc80z@priv.efnet.pe] has quit [Remote closed the connection]
20:06 -!- oc80z_ [i=oc80z@quad.efnet.pe] has joined ##openvpn
20:07 -!- zykes- [i=zykes@zykes.themariachi.info] has joined ##openvpn
20:07 < phant0m> got it
20:10 < zykes-> I have a bit of a weird situation here, i've got a node test, a, b, now between node test <> a transferring stuff via scp over vpn goes slow as nothing i've seen before like less than 10 kb/s, test <> b works fine though, all 3 nodes give full bw if not going via vpn but directly to wan ip's . any suggestions?
20:11 < zykes-> it was working until like 1,5 days ago, no updates no nothing done to the setup
20:23 -!- phant0m [n=phant0m@78-105-243-178.zone3.bethere.co.uk] has left ##openvpn ["Konversation terminated!"]
20:29 -!- MikeH__ [n=mike@78.33.190.81] has joined ##openvpn
20:29 < MikeH__> Anyone around to assist me with my tunnel/forwarding issue?
20:29 < MikeH__> I've read just about every doc I can on it, and still can't figure it out
20:30 < MikeH__> My tunnel works, and I can ping interfaces on the server I'm tunneling to, however, cannot ping other IPs on the network
20:31 < zykes-> think it's pretty dead here
20:33 < sjr> I'm getting errors when trying to send traffic back
20:33 < sjr> from my server to a windows client
20:34 < MikeH__> aah
20:34 < MikeH__> got it :)
20:35 < sjr> Thu Dec 17 18:32:50 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> Thu Dec 17 18:32:50 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> Thu Dec 17 18:33:11 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> Thu Dec 17 18:33:11 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> Thu Dec 17 18:34:04 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> Thu Dec 17 18:32:50 2009 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
20:35 < sjr> whoops
20:35 < sjr> sorry
20:35 < sjr> I'm not sure why that happened
21:02 -!- MikeH__ [n=mike@78.33.190.81] has quit []
21:27 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
21:45 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
21:50 -!- Netsplit over, joins: jhp, |Mike|
21:50 -!- oc80z_ [i=oc80z@quad.efnet.pe] has quit [Remote closed the connection]
21:53 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike|
22:02 -!- oc80z_ [i=oc80z@quad.efnet.pe] has joined ##openvpn
22:02 -!- Netsplit over, joins: jhp, |Mike|
22:08 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
22:44 < krzee> [20:56] in general, what reason can it have if i can't ping the tun0 gateway after vpn connection was established successfully?
22:44 < krzee> [20:57] Your routing table is broken
22:45 < krzee> nah, usually you cant ping the tun0 gateway, or its firewall
22:45 < krzee> its either !/30 or !firewall =]
22:45 < krzee> with net30 the tun0 gateway isnt pingable
23:01 -!- rbd [n=rbd@74.229.183.112] has quit [Read error: 104 (Connection reset by peer)]
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:09 -!- sjr [n=sjr@office.superuholdings.com] has quit [Read error: 101 (Network is unreachable)]
23:12 -!- jfkw [n=jtk@24-216-241-93.dhcp.mdfd.or.charter.com] has quit ["leaving"]
23:18 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: 60 (Operation timed out)]
23:29 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
23:36 -!- kanja1 [n=benbeech@74.72.202.58] has joined ##openvpn
23:37 < kanja1> !howto
23:37 < vpnHelper> kanja1: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
23:47 < kanja1> I'm a newb to openvpn - I'm trying ssh into a box on a network I'm vpning to. I've been given a config by someone who knows what they're doing, and I'm able to establish a connection - tun0 reports a valid ip address. ifconfig reports getting/sending some packets over tun0, but a ping using it can't seem to get any responses. Anyone know where I could start looking?
23:48 < kanja1> I'm pretty sure It's not a firewall problem - iptables isn't running
23:48 < Ziber> is sshd running on the vpn ip?
23:48 < Ziber> s/running/listening
23:51 < kanja1> I'm not sure I understand what you're asking - that sounds to me like "is sshd running/listening on the remote box", which it is. Is there some configuration I need to do to sshd to connect over a vpn?
23:51 < kanja1> also, I can't ping the box, so I don't thin it's ssh related
23:52 < kanja1> think*
23:52 < Ziber> if you cant ping, what did you mean by you were able to "establish a connection"?
23:52 < kanja1> running openvpn results in a bound tun interface
23:53 < kanja1> and an entry in route
23:53 < Ziber> yeah, but that doesnt mean its a working tun interface.
23:53 < kanja1> ah poop. I thought if I got an ip it meant that step was working ok
23:54 < Ziber> not necessarily.
23:56 < kanja1> hmm - if I run openvpn from a shell
23:57 < kanja1> [DNSSERVER] Peer Connection Initiated with 38.104.189.110:1194
23:57 < kanja1> Fri Dec 18 00:55:31 2009 TUN/TAP device tun0 opened
23:57 < kanja1> Fri Dec 18 00:55:31 2009 /sbin/ifconfig tun0 10.75.1.26 pointopoint 10.75.1.25 mtu 1500
23:57 < kanja1> Fri Dec 18 00:55:31 2009 Initialization Sequence Completed
23:57 < kanja1> is that indicative of a good connection?
23:59 < Ziber> yeah, thats good
23:59 < Ziber> should be able to ping it tho
--- Day changed Fri Dec 18 2009
00:00 < kanja1> yeah that's what I figured
00:00 < kanja1> so what could be blocking my outgoing traffic? I assumed iptables, but I'm not running that
00:01 < kanja1> I can't even ping the gateway, so it's totally something on *this* box
00:06 < Ziber> in ur config, what topology is it?
00:09 < kanja1> let me find out
00:09 < Ziber> k
00:09 < Ziber> because i set up my vpn like that, i cant ping either end of it either
00:09 < kanja1> I'm not sure - what's the config setting for it?
00:09 < Ziber> "topology"
00:09 -!- roentgen_ [n=HaRT@miranda/user/roentgen] has quit []
00:09 < kanja1> I don't have a setting for that
00:10 < Ziber> interesting
00:10 < Ziber> pastebing ur config, please.
00:11 < Ziber> *pastebin
00:12 < kanja1> http://pastebin.com/m51ba6beb
00:14 < Ziber> tls-aut?
00:14 < Ziber> should be tls-auth
00:15 < kanja1> hmm
00:15 < kanja1> it is in the config - sorry about that
00:15 < Ziber> k
00:20 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Remote closed the connection]
00:30 < Ziber> Ha.
00:30 < Ziber> I got my VPN working on my laptop :D
00:31 < kanja1> haha
00:31 < kanja1> nice
00:31 < kanja1> success!
00:32 < Ziber> :)
00:32 < Ziber> I'm happy right now
00:33 < kanja1> woot
00:33 < kanja1> what are you running?
00:34 < Ziber> windows 7
00:34 < kanja1> how is that?
00:34 < kanja1> I've heard mostly good things about it
00:38 < Ziber> pretty good
00:38 < Ziber> i had a predisposition against vista/win7, but its really good :)
00:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
00:54 -!- kanja1 [n=benbeech@74.72.202.58] has quit [Read error: 110 (Connection timed out)]
00:59 -!- kanja [n=benbeech@74.72.202.58] has joined ##openvpn
01:04 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Remote closed the connection]
01:05 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn
01:10 -!- hyper_ch [n=hyper@81.62.26.23] has joined ##openvpn
02:03 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:32 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn
02:34 -!- zamba [i=marius@flage.org] has quit [Read error: 110 (Connection timed out)]
03:01 -!- mike [n=mike@78.33.190.81] has joined ##openvpn
03:02 -!- mike is now known as Guest23407
03:35 -!- Guest23407 is now known as MikeH_
03:38 -!- glengoyne [n=glengoyn@p4FC22AA1.dip.t-dialin.net] has joined ##openvpn
03:43 -!- glengoyne [n=glengoyn@p4FC22AA1.dip.t-dialin.net] has quit ["Verlassend"]
03:57 < plundra> Hmm, so do I really need to use an external script just to verify that the CN of my remote peer is the same as the name I specified in the configuration?
03:57 < plundra> (This is on the client-side)
03:58 < plundra> I'd like it to verify that CN matches whatever I have specified with remote. ("remote foo.bar")
04:00 < reiffert> plundra: "do I really need" - "no".
04:00 < reiffert> plundra: "I'd like to.." - "Do it, write a script"
04:01 < plundra> reiffert: Just want to confirm I haven't missed some built-in option for it, even though I have read the manpage fairly well.
04:01 < plundra> Just seems like an odd thing to exclude.
04:14 < plundra> Ah, I missed tls-remote, it'll do fine :-) Great.
04:22 -!- hyper_ch [n=hyper@81.62.26.23] has quit [Read error: 110 (Connection timed out)]
04:23 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has quit [Read error: 60 (Operation timed out)]
04:25 -!- eliasp [n=quassel@HSI-KBW-095-208-170-144.hsi5.kabel-badenwuerttemberg.de] has joined ##openvpn
04:31 -!- hyper_ch [n=hyper@81.62.26.23] has joined ##openvpn
04:52 -!- hyper__ch [n=hyper@40-188.3-85.cust.bluewin.ch] has joined ##openvpn
04:52 -!- hyper_ch [n=hyper@81.62.26.23] has quit [Nick collision from services.]
04:52 -!- hyper__ch is now known as hyper_ch
05:11 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:12 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:13 -!- dazo|h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has joined ##openvpn
05:14 -!- dazo|h is now known as dazo_h
05:14 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:18 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has joined ##openvpn
05:32 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
05:41 -!- Ramjar [n=Ramjar@d226.broadband.quicknet.se] has left ##openvpn []
05:55 -!- MikeH_ [n=mike@78.33.190.81] has quit []
06:01 -!- g` [n=nop@78.61.210.152] has joined ##openvpn
06:01 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [Remote closed the connection]
06:07 -!- n5 [n=nop@78.61.210.152] has quit [Read error: 60 (Operation timed out)]
06:20 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
06:39 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
06:42 < trsonderm1> question
06:43 < Diddi> answer
06:43 < trsonderm1> anybody know about firebox x500, I need to have clients connect to an openvpn server behind it
06:43 < trsonderm1> NAT will not work,
06:43 < trsonderm1> standard ipsec filters don't allow for changing of the udp ports
06:44 < trsonderm1> so I created a new filter for port 1194 and I guess I need a static route then?
06:49 < ecrist> simple port forwarding is all you need
06:51 < trsonderm1> does the fact the vpn server is setup with an internal ip and no reference to anything outside(ip's) matter?
06:51 < trsonderm1> everything works fine internally 06:51 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has quit [Read error: 60 (Operation timed out)] 06:54 < ecrist> the vpn server needs to be able to route to the outside world 06:59 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has quit ["bbl"] 07:01 < trsonderm1> so the firebox external ip 174.x.x.x needs to have a route on the openvpn server 192.x.x.x and then port forward filter on the firebox itself? 07:05 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 07:06 < ecrist> yes, and openvpn server needs to be able to reach the internet 07:10 < trsonderm1> hmmm, so having the one adapter won't work? need two? 07:11 < trsonderm1> currently it has br0, eth0, tap0..... with br0 holding the static internal ip 07:13 -!- mattock [n=samuli@dyn55-11.yok.fi] has joined ##openvpn 07:20 < ecrist> trsonderm1: you do not need two interfaces 07:21 < ecrist> is your openvpn server able to get to the internet? 07:21 < trsonderm1> checking right now 07:21 < trsonderm1> yes 07:21 < trsonderm1> works fine pinging different external ip's 07:23 -!- martexx [n=martexx@90.145.45.11] has joined ##openvpn 07:26 < trsonderm1> looked at the routing table its got the local network, the reverse and the gw 07:27 < martexx> Hi there, a small question; I have a working openvpn setup. 
the openvpn server is also my sip pbx and i use open vpn to control the machine so it can do without external access (except sip registrations) I can access the server via 10.8.0.1 07:27 < martexx> i would like it however that my ip phone on the lan can also connect to the server 07:27 < martexx> But i dont know how to do it 07:29 < martexx> my local lan is 172.19.3.0 and there is no server lan, the ip phone is 172.19.3.3 the pc with openvpn client is 172.19.3.2 07:31 < ecrist> trsonderm1: then all you should need to do is forward udp 1194 to that openvpn system 07:32 < ecrist> martexx: I'm not understanding what you want to do 07:33 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 07:34 -!- Netsplit over, joins: jhp, |Mike| 07:35 -!- Zordrak is now known as Linux-IRC 07:36 -!- Linux-IRC is now known as Zordrak 07:38 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has joined ##openvpn 07:40 < _dren> !help 07:40 < vpnHelper> _dren: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin. 
07:40 < _dren> !configs 07:40 < vpnHelper> _dren: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 07:41 < _dren> !iporder 07:41 < vpnHelper> _dren: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 07:41 < _dren> ok, i am able to connect to my vpn in windows np 07:41 < _dren> but when people connect in linux 07:41 < _dren> they have trouble being able to browse 07:42 < _dren> i told them to the vpn dns in /etc/resolv.conf is that correct 07:42 < _dren> ? 07:42 < _dren> or wherever their resolv.conf is. 07:42 < ecrist> yes, that's correct 07:42 < _dren> is that all they need to do on linux? 07:42 < ecrist> it should be 07:42 < _dren> ecrist: thanks 07:44 < ecrist> no problem 07:45 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 07:46 -!- Netsplit over, joins: jhp, |Mike| 07:48 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has joined ##openvpn 07:48 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 07:49 -!- Netsplit over, joins: jhp, |Mike| 07:52 -!- martexx [n=martexx@90.145.45.11] has quit [Read error: 110 (Connection timed out)] 07:57 < Sleeper-> hi all 07:58 < Sleeper-> i've got a problem with my linux openvpn client, while windows works 07:58 < Sleeper-> it seems to be something like a routing problem 07:58 < Sleeper-> initialization works fine 08:01 < Sleeper-> that's my clients routing table after initialization: http://pastebin.com/m758decc7 08:03 < samaelszafran> ecrist: you there? 
08:03 < Sleeper-> and here my client config: http://pastebin.com/m113cbb79 08:05 < hyper_ch> Sleeper-: you run: echo "1" > /proc/sys/net/ipv4/ip_forward ? 08:05 < hyper_ch> oh.. sorry I misread :) 08:06 < Sleeper-> yep, is set 08:07 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 08:07 < Sleeper-> my server config: http://pastebin.com/m5b4ff825 08:07 < Sleeper-> any ideas anyone? i'm quite desperate 08:11 < Bushmills> Sleeper-: how can anyone help if you don't say what the problem is? 08:15 < samaelszafran> ecrist: okay, nevermind, I handled it myself :-)) 08:15 < Sleeper-> oops, you're right, i missed that :-/ 08:15 < Sleeper-> as i wrote, i can connect and initialization works 08:15 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has quit [Remote closed the connection] 08:15 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 08:16 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has joined ##openvpn 08:16 < Sleeper-> while the server can ping the client with 172.30.0.6 08:16 < Sleeper-> the client can't ping anyone 08:17 < Sleeper-> not in the target net (10.0.192.0) 08:17 < Sleeper-> and not in the vpn net (172.30.0.0) 08:18 < Sleeper-> so i suspect it's some strange routing problem on the linux client, especially as i get connections with the same machine using windows 08:19 < Sleeper-> so, any ideas? 08:21 < Bushmills> why is 10.0.192.1 routed through vpn while it is supposed to be the ip address of the remote server, to which openvpn connects? 08:24 < Sleeper-> you're right, seems strange 08:24 < Bushmills> try to remove push "route 10.0.192.0 255.255.255.128" from server config 08:24 < Sleeper-> well the routing entries are made by openvpn 08:24 < Bushmills> yes. 
but that as result of your config 08:25 < Bushmills> and according to server config, you are asking for that 08:25 < Bushmills> so it is not the server i have to ask, but you 08:25 < Sleeper-> ok, i can remove that entr 08:25 < Sleeper-> y 08:26 < Bushmills> you should. this entry probably kills the tunnel periodically 08:26 < Sleeper-> but how does my client know that it should route the other traffic into the 10.0.192.0 network through the vpn? 08:27 < Bushmills> read this, whether that addresses your situation: 08:27 < Bushmills> !route 08:27 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 08:28 < ecrist> samaelszafran: glad you got it working 08:29 < Sleeper-> Thx, i'll read it. But i still doubt the server is misconfigured, as i get a windows client to work with the same configuration (except "route-method exe") 08:33 < Bushmills> your server is configured for failure. if windows client doesn't break, that's a problem with windows, not a sign that server is configured correctly. 08:33 < samaelszafran> ecrist: yeah - still I don't know why windows clients don't get default gateway.. 08:33 < Bushmills> i.e. two problems, cancelling each other out 08:34 < samaelszafran> But that doesn't matter... 08:34 < samaelszafran> :0 08:34 < samaelszafran> :) 08:35 < samaelszafran> Clients can ping each other, that was the point. 08:36 < samaelszafran> Just.. now I'd like to install its web gui - just out of curiosity. 08:36 < ecrist> what web gui? 08:36 < ecrist> access server? 08:37 < samaelszafran> openvpn web gui 08:37 < samaelszafran> or something like that 08:37 < samaelszafran> I'd like to see how does it look like 08:37 < samaelszafran> I've downloaded it from sourceforge, untared, put into a virtualhost (nginx), and I get "access denied" :-))) 08:37 < ecrist> ah, I've heard it's nice. not used it myself. 
08:37 < ecrist> sourceforge? 08:37 < samaelszafran> yeah 08:37 < samaelszafran> http://openvpn-web-gui.sourceforge.net/ 08:38 < vpnHelper> Title: OpenVPN Web GUI 0.3.x (at openvpn-web-gui.sourceforge.net) 08:38 < ecrist> I guess I don't know which you're talking about 08:38 < samaelszafran> so which are you talking about? :) 08:38 < ecrist> Access Server 08:38 < samaelszafran> hmm... 08:38 < ecrist> samaelszafran: the link you gave me is to a project that's been dead for 4 years 08:38 < samaelszafran> so no, I'm talking about the link I've given :) 08:39 < samaelszafran> yeah? 08:39 < samaelszafran> :D 08:39 < samaelszafran> damn ;p 08:39 < Sleeper-> Bushmills: ok. as i understand, the problem is: a client-side route is added so that the traffic to its subnet is routed through vpn. but this locks out the server itself, as it's on the same subnet. but i don't see how i can fix this. 08:39 < samaelszafran> so, is there any web based gui for this? 08:39 < samaelszafran> the access server is web based, yeah? 08:39 < samaelszafran> (by web based I mean 'accessible by a browser') 08:40 < Bushmills> Sleeper-: the remote server ip address should not be in a subnet which you are routing through vpn. 08:40 < ecrist> samaelszafran: access server is the only one I know of 08:41 < samaelszafran> mhmm.. 08:41 < samaelszafran> It's not in freebsd ports, however. 08:41 < samaelszafran> Or am I missing something? 08:41 < ecrist> www.openvpn.net 08:41 < ecrist> look for access server 08:41 < ecrist> it's a commercial product 08:42 < samaelszafran> http://openvpn.net/index.php/access-server/download-openvpn-as.html - there it is 08:42 < vpnHelper> Title: Access Server Downloads (at openvpn.net) 08:42 < samaelszafran> but there's no freebsd in the "select Platform" box 08:43 < ecrist> *shrug* 08:43 < ecrist> we don't support access server here 08:43 < samaelszafran> yeah... 08:43 * ecrist points to topic 08:43 < samaelszafran> ahm, right. 
08:43 < samaelszafran> okay, you helped me enough ;) 08:43 < samaelszafran> thanks ;) 08:44 < Sleeper-> Bushmills: Thx, i solved it :-) The vpn server also has an internal and an external ip. changing the server ip to the external one in the client config solved the problem :-) 08:49 -!- Sleeper- [n=quassel@ip-88-152-82-3.unitymediagroup.de] has quit [Remote closed the connection] 09:12 -!- zamba [i=marius@flage.org] has joined ##openvpn 09:25 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:38 < trsonderm1> got the NAT issue fixed now from a xp desktop log I get 09:39 < trsonderm1> Route: Waiting for TUN/TAP interface to come up 09:39 < trsonderm1> TEST ROUTES: 0/0 succeede len=-1 ret=0 a=0 u/d=down 09:41 < ecrist> trsonderm1: what are you mumbling about? 09:42 < trsonderm1> I've got a remote desktop running xp 09:42 < trsonderm1> it is stuck repeating those two lines in the lgo 09:42 < trsonderm1> log 09:42 < ecrist> ok, we need your configs and full log files at verb 6 09:42 < ecrist> !configs 09:42 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:42 < ecrist> !logs 09:42 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 
09:45 -!- n5 [n=nop@78-61-195-26.static.zebra.lt] has joined ##openvpn 09:49 < ecrist> trsonderm1: don't PM me, please 09:49 < ecrist> you submit the client like vpnHelper said 09:50 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 54 (Connection reset by peer)] 09:51 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 09:51 -!- g` [n=nop@78.61.210.152] has quit [Read error: 110 (Connection timed out)] 09:52 < trsonderm1> !logs 09:52 < vpnHelper> trsonderm1: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:53 -!- trsonderm1 [n=trsonder@174.141.123.86.nw.nuvox.net] has quit [Excess Flood] 09:53 -!- trsonderm [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn 09:56 < trsonderm> !howto 09:56 < vpnHelper> trsonderm: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:59 < trsonderm> http://pastebin.com/m546c3095 10:00 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit [Read error: 104 (Connection reset by peer)] 10:00 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 10:03 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)] 10:03 -!- maodun [n=stopgo@114.243.117.240] has joined ##openvpn 10:04 < maodun> I'm trying to cross-compile for mingw with the following call to configure: ./configure --prefix=/usr/local/i486-mingw32 --host=i486-mingw32 --build=i686-pc-linux-gnu --with-lzo-headers=/usr/include/lzo/ --with-lzo-lib=/usr/lib 10:05 < maodun> This results in: 10:05 < maodun> "checking for lzo1x_1_15_compress in -llzo... no 10:05 < maodun> configure: error: LZO headers were found but LZO library was not found" 10:06 < maodun> But /usr/lib/ contains a bunch of liblzo files - liblzo.a, liblzo.so, liblzo.so.1, liblzo.so.1.0.0. 
Any idea what's wrong? 10:07 < reiffert> did you compile lzo with mingw before? --- Log closed Fri Dec 18 10:12:16 2009 --- Log opened Fri Dec 18 10:14:24 2009 10:14 -!- ecrist [n=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn 10:14 -!- Irssi: ##openvpn: Total of 83 nicks [0 ops, 0 halfops, 0 voices, 83 normal] 10:14 -!- Irssi: Join to ##openvpn was synced in 30 secs 10:15 < reiffert> trsonderm: did you update openvpn on windows from x to 2.1.1? 10:15 < trsonderm> no, new install 10:15 < reiffert> OS Version? 10:16 < reiffert> (XP, Vista, 7, 32/64)? 10:16 < reiffert> line 30: 10:16 < reiffert> Fri Dec 18 10:35:03 2009 WARNING: potential TUN/TAP adapter subnet conflict between local LAN [192.168.1.0/255.255.255.0] and remote VPN [192.168.1.0/255.255.255.0] 10:17 < trsonderm> xp 10:17 < trsonderm> need to change the subnet for the openvpn server? 10:17 < reiffert> need to read the howto and route: 10:17 < reiffert> !howto 10:17 < vpnHelper> reiffert: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! 
http://openvpn.net/howto 10:17 < reiffert> !route 10:17 < vpnHelper> reiffert: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 10:18 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 10:18 < trsonderm> thanks 10:31 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit [Read error: 110 (Connection timed out)] 10:33 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 10:36 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has joined ##openvpn 10:41 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 10:50 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)] 10:52 -!- yoshx [n=yoshx@88-138-188-188.adslgp.cegetel.net] has quit ["Nice Scotty, now beam my clothes up too!"] 11:25 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn 11:26 < samaelszafran> hmm... 11:26 < samaelszafran> just out of curiosity... 11:26 < samaelszafran> what if my windows client doesn't catch default gateway? 11:29 < Hypnoz> you can see in command line by typing "route print" what your routes and gateway are 11:30 -!- dazo_afk [n=dazo@nat/redhat/x-slhihaowceehkknj] has joined ##openvpn 11:30 -!- dazo_afk is now known as Guest839 11:30 -!- Guest839 is now known as dazo 11:31 -!- dazo is now known as Guest32006 11:32 < samaelszafran> mhm. 11:32 < samaelszafran> okay - Hypnoz, I haven't got a 'push route' in my server config. 11:33 < samaelszafran> assuming that my server's IP in the vpn is 172.30.0.1, what should the push line look like? 11:33 < Hypnoz> are you trying to use the VPN tunnel as your default gateway to the internet? 11:33 < samaelszafran> yes. 11:33 < samaelszafran> weird, though 11:33 < Hypnoz> that is not a push route, that is a different option 11:33 < samaelszafran> Linux understands it. 
11:33 < samaelszafran> meaning - it sets the default gateway 11:34 < samaelszafran> and I can browse the internet through vpn. 11:34 < samaelszafran> but windows simply, like... doesn't know what the default gateway is. 11:34 < Hypnoz> is your vpn server on windows or linux? 11:35 < Hypnoz> there is an option in server.conf that says ;push "redirect-gateway" 11:35 < Hypnoz> is that the push you were referring to 11:36 -!- APTX| [n=APTX@ks32603.kimsufi.com] has quit ["Farewell"] 11:37 -!- APTX| [n=APTX@ks32603.kimsufi.com] has joined ##openvpn 11:48 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 12:05 -!- dazo_h [n=dazo@ip4-83-240-69-215.cust.nbox.cz] has quit ["Leaving"] 12:05 -!- Guest32006 is now known as dazo 12:30 -!- trsonderm [n=trsonder@174.141.123.86.nw.nuvox.net] has quit [] 12:33 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)] 12:40 < krzee> you dont need a push route unless you have a lan you need to communicate with 12:42 < dazo> hmmmmmm .... I just search for fun ... #OpenVPN exists on irc.oftc.net ..... 3 users logged in and the topic saying "http://openvpn.sf.net - OpenVPN v2.0.7 final released" 12:42 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.sf.net) 12:49 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 12:49 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Connection reset by peer] 12:56 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:00 < krzee> lol 13:01 < krzee> 2.0.7 released! 
13:01 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 13:07 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 13:08 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:10 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 13:15 < dazo> I was considering to mention this channel .... but thought "never mind, they probably don't care" :-P 13:20 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 13:20 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn 13:22 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:24 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 13:24 < zykes-> I have a bit of a weird situation here, i've got a node test, a, b, now between node test <> a transferring stuff via scp over vpn goes slow as nothing i've seen before like less than 10 kb/s, test <> b works fine though, all 3 nodes give full bw if not going via vpn but directly to wan ip's . any suggestions? 
13:24 < zykes-> it was working until like 1,5 days ago, no updates no nothing done to the setup 13:28 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:29 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:30 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 13:30 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 13:32 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 13:35 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 60 (Operation timed out)] 13:41 -!- rashed2020 [n=rashed20@unaffiliated/rashed2020] has joined ##openvpn 13:42 < rashed2020> How difficult would it be to have openvpn authenticate users from a different DB? 13:49 < ecrist> rashed2020: different from what? 13:52 < reiffert> rashed2020: it works against ldap 13:52 < reiffert> krzee: 2.0.7?? 13:52 < rashed2020> reiffert: I'm trying to get it to authenticate against google accounts. 13:53 < reiffert> rashed2020: write a ldap backend? 13:54 < rashed2020> Hmm.. That might work. 13:55 < reiffert> You may take a shortcut and write a google pam. 
14:05 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 14:07 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 14:13 -!- mattock [n=samuli@dyn55-11.yok.fi] has quit ["Leaving."] 14:21 -!- kala [i=kala@uba.linux.ee] has quit ["leaving"] 14:22 -!- kala [n=kala@83.151.191.90.dyn.estpak.ee] has joined ##openvpn 14:25 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Connection timed out] 14:36 -!- g` [n=nop@78-63-0-27.static.zebra.lt] has joined ##openvpn 14:38 -!- maodun [n=stopgo@114.243.117.240] has quit ["Leaving."] 14:42 -!- Akos_Beginner [n=Akos_Beg@dslb-088-067-001-085.pools.arcor-ip.net] has joined ##openvpn 14:46 < dazo> reiffert: I discovered #OpenVPN on irc.oftc.net .... from their channel topic: "OpenVPN v2.0.7 final released" 14:51 -!- n5 [n=nop@78-61-195-26.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 14:56 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 15:08 -!- oc80z_ [i=oc80z@quad.efnet.pe] has quit [] 15:19 < Akos_Beginner> How far is openvpn-als (adito) from openvpn? At the first page of adito I get a java error message. 15:20 < Akos_Beginner> "Could not initialize class com.sun.tools.javac.Main" 15:20 < Akos_Beginner> I ask it if it is the correct room to ask in openvpn-als theme. 
15:21 -!- oc80z [n=oc80z@74.63.222.147] has joined ##openvpn 15:35 -!- free^ [n=trix@host81-154-199-128.range81-154.btcentralplus.com] has joined ##openvpn 15:36 < free^> !configs 15:36 < vpnHelper> free^: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 15:36 < free^> !interface 15:36 < vpnHelper> free^: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when being connected. Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 15:36 < |Mike|> Akos_Beginner: i've no idea what you're talking about 15:36 < free^> !howto 15:36 < vpnHelper> free^: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:38 < free^> does anyone know, why when i take out "redirect-gateway def1" from the config, i'm able to ping outside networks, but outside networks aren't able to ping me? (Destination Host Unreachable) 15:38 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 15:39 * |Mike| brabbles something about RFC1918 15:40 < free^> hmm, but the ip i have assigned is a public ip? 15:40 < free^> if i have redirect.. 
in the conf, i'm able to ping the ip fine 15:41 < free^> I only want to route select applications via the VPN (ZNC), and have everything else go through the normal ip 15:43 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 15:51 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 60 (Operation timed out)] 15:52 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)] 15:56 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Success] 16:03 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 16:20 -!- Akos_Beginner [n=Akos_Beg@dslb-088-067-001-085.pools.arcor-ip.net] has left ##openvpn [] 16:20 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 54 (Connection reset by peer)] 16:22 -!- aland_ is now known as aland 16:29 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Connection timed out] 16:33 -!- thedonva1ghn [n=thedonva@jaysonvaughn.com] has joined ##openvpn 16:34 -!- reiffert_ [n=thomas@mail.webersheim.de] has joined ##openvpn 16:34 -!- balboah [n=johnny@joonix.se] has joined ##openvpn 16:34 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: robert_, LowKey, hacim, LittleJ, thedonvaughn, balboah_, reiffert, freaky[t]_, LobbyZ 16:34 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 16:34 -!- hacim [n=micah@micah.riseup.net] has joined ##openvpn 16:34 -!- _LowKey [i=rhel@72.20.37.172] has joined ##openvpn 16:34 -!- _LittleJ is now known as LittleJ 16:34 -!- _LowKey is now known as LowKey 16:35 -!- robert___ [n=hellspaw@r-butler.net] has joined ##openvpn 16:36 -!- Netsplit over, joins: LobbyZ 16:39 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn 16:45 -!- zamba [i=marius@flage.org] has quit [Read error: 104 (Connection reset by peer)] 
16:47 -!- zamba [i=marius@flage.org] has joined ##openvpn 16:52 < krzee> reiffert_, [14:42] hmmmmmm .... I just search for fun ... #OpenVPN exists on irc.oftc.net ..... 3 users logged in and the topic saying "http://openvpn.sf.net - OpenVPN v2.0.7 final released" 16:52 < vpnHelper> Title: Welcome to OpenVPN (at openvpn.sf.net) 16:52 < krzee> dazo, no need to mention us there, we're on the wikipedia 16:52 < krzee> and.. 16:53 < krzee> !google irc openvpn 16:53 < vpnHelper> krzee: Re: [Openvpn-users] Registering of #openvpn on irc.freenode.net: ; Is there an IRC channel to discuss OpenVPN install: msg#00063 ...: ; OpenVPN - Wikipedia, the free encyclopedia: 17:06 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 17:07 -!- Netsplit over, joins: jhp, |Mike| 17:11 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 17:11 -!- Netsplit over, joins: jhp, |Mike| 17:13 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 17:13 -!- Netsplit over, joins: jhp, |Mike| 17:15 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, |Mike| 17:15 -!- Netsplit over, joins: jhp, |Mike| 17:37 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn 17:46 -!- dazo is now known as dazo_afk 18:09 -!- pa [n=pa@unaffiliated/pa] has quit [Remote closed the connection] 18:38 -!- zamba [i=marius@flage.org] has quit [Remote closed the connection] 18:49 -!- master_of_master [i=master_o@p549D4202.dip.t-dialin.net] has joined ##openvpn 18:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 19:06 -!- master_o1_master [n=master_o@p549D7525.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:25 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 19:30 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit ["Leaving"] 19:48 -!- Hypnoz 
[n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has left ##openvpn [] 20:18 -!- krphop_ [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 20:30 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit [Read error: 113 (No route to host)] 20:42 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn 20:43 -!- jhp [n=jhp@zeus.jhprins.org] has quit [Read error: 104 (Connection reset by peer)] 20:48 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn 23:01 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)] 23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn --- Log opened Fri Dec 18 23:39:04 2009 23:39 -!- worbillm-k [i=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 23:39 -!- worbillm-k [i=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn 23:39 -!- Irssi: ##openvpn: Total of 79 nicks [0 ops, 0 halfops, 0 voices, 79 normal] 23:39 -!- mode/##openvpn [+o worbillm-k] by ChanServ 23:39 -!- Irssi: Join to ##openvpn was synced in 2 secs 23:39 -!- mode/##openvpn [+o worbillm-k] by ChanServ 23:39 -!- worbillm-k [i=ecrist@mr.garrison.secure-computing.net] has left ##openvpn [] --- Log closed Fri Dec 18 23:39:15 2009 23:39 -!- worbillm-k [i=ecrist@mr.garrison.secure-computing.net] has left ##openvpn [] 23:49 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn --- Day changed Sat Dec 19 2009 01:26 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Remote closed the connection] 01:59 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has joined ##openvpn 02:13 -!- robert___ [n=hellspaw@r-butler.net] has quit [Client Quit] 02:16 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn 02:46 -!- hyper__ch [n=hyper@22-2.3-85.cust.bluewin.ch] has joined ##openvpn 02:46 -!- hyper_ch [n=hyper@40-188.3-85.cust.bluewin.ch] has quit [Nick collision from services.] 
02:46 -!- hyper__ch is now known as hyper_ch 03:13 -!- gallatin [n=gallatin@188.109.146.138] has joined ##OpenVPN 03:30 -!- kanja [n=benbeech@74.72.202.58] has quit [Read error: 110 (Connection timed out)] 03:30 -!- kanja2 [n=benbeech@74.72.202.58] has joined ##openvpn 04:07 -!- hyper_ch [n=hyper@22-2.3-85.cust.bluewin.ch] has quit [Remote closed the connection] 05:48 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has joined ##openvpn 05:51 -!- ruied [n=ruied@bl7-220-81.dsl.telepac.pt] has joined ##openvpn 06:13 -!- gallatin [n=gallatin@188.109.146.138] has quit [Read error: 54 (Connection reset by peer)] 06:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:30 -!- gallatin [n=gallatin@188.109.162.4] has joined ##OpenVPN 06:46 -!- gallatin [n=gallatin@188.109.162.4] has quit [Read error: 110 (Connection timed out)] 07:04 -!- trsonderm [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn 07:05 -!- trsonderm [n=trsonder@174.141.123.86.nw.nuvox.net] has left ##openvpn [] 07:05 -!- bobdoes [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn 07:06 < bobdoes> quick question if I have server-bridge 192.168.3.1 and the pool at 192.168.3.20-50 is the only other setting for server.conf push route of 192.168.3.0 and then the client can reach a 192.168.1.0 network? 07:09 < ecrist> no 07:09 < ecrist> how is the client supposed to know *how* to get to the 1.0 network? 07:09 < ecrist> also, don't use the 1.0 subnet, it's too common 07:11 < bobdoes> so doing a push route of 192.168.1.0 makes that available to the 192.168.3.0? 
07:16 < ecrist> yes, it provides a route 07:16 < ecrist> whether that route is actually reachable through the vpn depends on your network 07:25 -!- bobdoes [n=trsonder@174.141.123.86.nw.nuvox.net] has quit [] 07:51 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 07:55 -!- kanja2 [n=benbeech@74.72.202.58] has quit [Remote closed the connection] 07:57 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 08:06 -!- krphop_ is now known as krphop 08:06 -!- rashed2020 [n=rashed20@unaffiliated/rashed2020] has left ##openvpn [] 08:16 -!- freaky[t]_ [i=alpha@member.team-box.net] has quit [Remote closed the connection] 08:21 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn 08:34 < optiz0r> If I have a single machine acting as a vpn server for virtual network A, and also a client for another virtual network B, should I be able to setup appropriate routes so that a client of network A can communicate with network B? Or is that unsupported? 08:38 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)] 08:46 < Bushmills> it is the task of the OS to support routing. openvpn provides connection. 
09:17 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 09:29 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 09:35 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 09:46 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Success] 10:17 -!- Artio [n=_@port-10642.pppoe.wtnet.de] has joined ##openvpn 10:19 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)] 10:29 -!- fixUp [n=fixUp@95.175.194.194] has joined ##openvpn 10:29 < fixUp> I'm having trouble connecting a windows client using the GUI 10:30 < fixUp> The lights remain yellow with the "TLS handshake failed" message 10:30 < ecrist> post the full logs, please 10:30 < ecrist> !logs 10:30 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 10:52 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 10:52 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."] 10:53 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 10:55 -!- KippiX [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has joined ##openvpn 10:55 < KippiX> hi all 10:55 -!- Neit [n=_@port-10642.pppoe.wtnet.de] has joined ##openvpn 10:55 < KippiX> anybody speak french here ? 10:57 < MJD> Hey, I am currently considering how to setup openvpn (no actual setup yet). I was wondering, is it possible to forward only certain dns requests (ie for a particular domain) across the tunnel? Basically I want users to be able to access network resources as if they were on the local subnet w/o interfering with access to resources (which use dns) on their current network. 
11:03 -!- fixUp [n=fixUp@95.175.194.194] has quit [Read error: 110 (Connection timed out)] 11:13 -!- Artio [n=_@port-10642.pppoe.wtnet.de] has quit [Connection timed out] 11:13 -!- Neit is now known as Artio 11:17 -!- grub_booter_ [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn 11:20 -!- hyper__ch [n=hyper@84.226.246.98] has joined ##openvpn 11:20 -!- hyper_ch [n=hyper@adsl-188-155-11-32.adslplus.ch] has quit [Nick collision from services.] 11:20 -!- hyper__ch is now known as hyper_ch 11:32 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 110 (Connection timed out)] 11:36 < MJD> Does anybody have any ideas? Googling only yields info on Mac specific setups on the client side (which are no good because a) No macs and b) Its a client specific config) or replacing the dns settings to all go over the tunnel, which is also no good. 11:37 < krphop> i'm not sure you could setup openvpn in any way to only forward specific dns queries through a tunnel 11:37 < krphop> it would be an all or nothing thing 11:38 < krphop> you'd either need to write a client side app to determine if the queries need to go local or through the tunnel, or run a DNS server that would do the similar 11:38 < ecrist> MJD: you only have to route vpn traffic over the vpn 11:40 < krphop> and doing that will allow you to access both the VPN and the local network, unless your VPN is assigning IPs that are in your local network 11:40 -!- Artio [n=_@port-10642.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <-"] 11:47 < MJD> its more of a convenience, so that users can just type in the dns names as if they were local to the network. I figured there was no easy way to do it. Thanks for the responses! 12:16 -!- TheMacedonian [n=TheMaced@143.241.200.193.static.giga-dns.com] has joined ##openvpn 12:16 < TheMacedonian> hi 12:16 < TheMacedonian> is anyone willing for help? 12:19 < rwp> MJD, Look at using BIND views. 
And the 'push "dhcp-option DOMAIN example.com"' config option. 12:19 < rwp> I basically do what you want by having BIND set up with internal and external views. 12:20 < rwp> Then when the tunnel is up 'push "dhcp-option DNS 192.168.23.20"' options set up to the internal view. Works pretty well. 12:21 < rwp> TheMacedonian, You are always better off simply asking a question than asking if you can ask a question. If someone thinks they can help then they will jump in. 12:21 < TheMacedonian> I want to use Shoutcast application as a server ... i have shoutcast on Client1 which is connected to Server1 via OpenVPN, i can connect to VPN IP address but i want to use Public IP at Server1 to connect to Client1 12:22 < MJD> rwp: What happens when a user tries to access something that is resolved by (their) local DNS server? IE for a local Active Directory? 12:22 < rwp> TheMacedonian, I am actually having a similar issue. So when someone helps you it will help me too. 12:23 < rwp> MJD, Active Directory sounds like a MS thing. Is it? I know nothing about it. I am pretty much a Unix person through and through. 12:24 < TheMacedonian> it's pretty much basic ... just few routes ... i would nat the client1 to use Public IP but i dont have any IP's in the pool so i was asking if someone knows if client1 can use public ip from server1 12:24 < rwp> MJD, BIND has the concept of "forwarders". I always run a local caching nameserver. Then configure forwarders to point to either the next upstream external nameserver or my internal vpn nameservers. 12:25 < MJD> rwp: This openvpn server is for a home network. So one of the laptops is a work laptop that connects to a windows network. It uses some dns records to operate the network. So basically, when someone connects to the vpn, I want dns requests for my local domain to go over the vpn connection, but all other requests *have* to go through their local DNS server. 12:27 < rwp> The work laptop is running MS or ?? 12:28 < MJD> yes MS. 
but if I do something for DNS, it should preferably work for all major OSs (windows/linux/mac). 12:29 < rwp> MJD, I don't know. I feel certain it is possible. Personally I would set up the local GNU/Linux laptop to slave my home domain. Then it would be authoritative for that personal domain and would update it automatically so being stale wouldn't be a problem. Anything that was outside the domain would naturally go to the normal nameserver. 12:30 < rwp> On MS I suppose you could use the local hosts file (similar to /etc/hosts but I forget the name) to have just your personal names in it. All others would go out through the normal lookup. 12:30 < rwp> Just brainstorming... 12:31 < MJD> rwp: Realistically, I don't think there is a way w/o having special configuration on clients. Thats fine, I'll just use ip's whenever the vpn is in use. Thanks for the suggestions though. 12:32 < rwp> Since it seems like what you need requires either configuring the nameserver to be smart /or/ it requires packet inspection of the domain packets. It isn't OpenVPN's job to do either of those things. So it is related to having a vpn but I think the solution must reside using a method glued to it. Likely that someone here would have needed to do that already. 12:33 < rwp> You may have to come back and ask during the business week when some of the good gurus hang out here. 
12:39 -!- TheMacedonian [n=TheMaced@143.241.200.193.static.giga-dns.com] has left ##openvpn [] 12:40 < aland> MJD: you can create a stub domain in your windows AD 12:40 < aland> which says that for yourdomain.local use 192.168.2.1 ( or whatever your vpn dns server is ) 12:42 < aland> so if you lookup google.com or serv.corp.com you will use your corporate DNS server 12:42 < krzie> +1 for rwp's solution 12:43 < krzie> for being the normal unix way at least, i tried to forget everything that is AD ;] 12:45 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn 12:47 < rwp> I am having a problem port forwarding that is somehow related to the tun. I am using Debian with Shorewall's DNAT to port forward. If I forward to a normal routed subnet everything works. 12:48 < krzie> how are you tryin to forward (idea not command) 12:49 < rwp> If I port forward to an address on the openvpn tunnel then I see the packet arrive (with tcpdump) but no response is generated. Nothing is logged by netfilter that the packet was dropped. 12:49 < rwp> In shorewall: DNAT net loc:192.168.230.115:22 tcp 27 - 216.17.153.62 # works 12:49 < rwp> DNAT net tun:172.27.61.2:22 tcp 26 - 216.17.153.62 # forwards but never a response from the client 12:49 < MJD> Thanks all for your suggestions. Unfortunately, I have no control over external DNS servers (ie the windows AD one) so I can't use that idea. And this is just for a simple home network. I wanted to minimize any extra software running on client computers for this setup. Any solution above using builtin OS capabilities to forward certain domains to certain dns servers is way too complex. Its become easier to just 12:49 < MJD> use the ips. Thanks for all the suggestions though from everyone! 12:50 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit ["http://quassel-irc.org - Chat comfortably. Anywhere."] 12:53 < krzie> rwp, does the client default route over the vpn? 12:54 < rwp> Hmm... 
To the same host but to the non-tunnel ip address. 12:54 < rwp> But I am not seeing any response generated to any address. (Using tcpdump -lni any.) 12:55 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 13:03 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 13:08 < rwp> krzie, Setting the default route to be the forwarding host over the tunnel worked. Thanks! But I don't know why the other didn't work. 13:12 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 13:14 < ecrist> afternoon, kids 13:14 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn 13:14 < krzie> rwp, no return route 13:15 < rwp> And so the linux netfilter drops it? 13:15 < rwp> I am trying to read up on iroute since perhaps I need it? 13:15 < krzie> i dont think it actually gets dropped 13:15 < krzie> it was responding over its default route, but that didnt make a real connection 13:16 < krzie> as it wasnt going the same path 13:16 < rwp> It wasn't responding at all that I could tell. It was definitely not sending anything back over the default route. 13:16 < krzie> the default route was over the inet, not the vpn 13:16 < rwp> Yes, *if* it had responded. I didn't see any response. 13:16 < krzie> if i receive a connection over the inet and respond through my vpn, i wont have a connection 13:17 < krzie> cause you were looking at tun 13:17 < krzie> response would have left over eth 13:17 < krzie> hence the problem 13:17 < rwp> I understand the asymmetrical routing problem that you are describing. And I would have loved to have gotten to having that problem. 13:17 < rwp> But it wasn't to the point of the problem you are describing. Really! :-) 13:17 < krzie> yet changing that default route fixed it ;] 13:18 < rwp> Yes, and I am trying to understand why. 
13:18 < krzie> its what i said ;] 13:18 < rwp> I am thinking that perhaps because the source address wasn't route-able from the interface that it came in on that it was dropped. 13:20 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 13:21 < krzie> ok, if you have not turned on ip forwarding that would be it too 13:21 < rwp> Good hint. But I already turned on ipv4_forward. :-/ 13:21 < krzie> then sniff eth0 AND tun 13:21 < krzie> and watch it leave eth0 ;] 13:22 < rwp> Nope! Already doing that. 'tcpdump -lni any' listens for all traffic on all interfaces. No response. 13:24 < ecrist> rwp: what's your issue? 13:26 < rwp> ecrist, krzie is helping me understand that my issue is different from what I originally thought it was (though we have yet to agree :-) and so I am working through an updated scenario. 13:27 < ecrist> ok. 13:27 -!- fixUp [n=fixUp@78.151.123.210] has joined ##openvpn 13:27 * ecrist stays out of it 13:27 < rwp> But the abstract question (not quite my real problem but a side trip right now) is why aren't I seeing the asymmetrical route problem if port forwarding to a client host over the vpn? Because no return packets from the default route are being generated. 13:28 < rwp> ecrist, Safe and smart for the moment. 13:29 < fixUp> can anyone tell me why the following connects ok to the client but fails to create any routes ? http://pastebin.com/d7ba42140 13:29 < rwp> krzie, Thanks for the discussion! It helped me quite a bit. It solves one configuration pattern completely so I am going to do that first and then return to my other pattern after I have thought about it more. 13:30 < krzie> yw 13:30 < krzie> push "redirect-gateway"port 1194 13:30 < krzie> erm 13:31 < krzie> is that your real config? 
13:31 < krzie> or did you typo doublepaste or something 13:31 < fixUp> krzie: no, sorry got mangled from the terminal 13:32 < fixUp> krzie: http://pastebin.com/d61fd37d6 13:32 < krzie> that looks better ;] 13:32 < krzie> why you using tap? 13:32 < fixUp> krzie: wouldnt work with tun 13:33 < krzie> other than that, it looks fine to me, lets see logs 13:33 < krzie> erm, what do you mean wouldnt work with tun 13:33 < krzie> we should be fixing that problem too ;] 13:37 < fixUp> krzie: ok, here it is: http://pastebin.com/dcf910c1 13:37 < krzie> we're on 2.1.1 13:38 < krzie> !download 13:38 < vpnHelper> krzie: "download" is www.openvpn.net/download to download openvpn 13:38 < krzie> try that 13:38 < fixUp> krzie: ok 13:38 < krzie> if that dont change it i got somethin else for ya 13:40 < fixUp> krzie: installing it now 13:40 < fixUp> krzie: just out of interest why tu over tap ? 13:40 < fixUp> tun* 13:40 < krzie> !tunortap 13:40 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning 13:40 < vpnHelper> krzie: against you over the vpn 13:41 < fixUp> ah ok I'm convinced :) 13:41 < krzie> btw windows tap device does tun 13:43 < fixUp> krzie: I'm basically setting up a vpn for a samba server in a small office. Whats the overhead with openvpn over say IPSec ? 
13:44 < krzie> tbh i know very lil about ipsec, maybe someone else here can answer better 13:44 < krzie> but lemme suggest: 13:44 < krzie> !wins 13:44 < vpnHelper> krzie: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba 13:44 < krzie> either way =] 13:45 < fixUp> krzie: ok installed 2.1.1 and message is coming up the same 13:45 < krzie> !winroute 13:45 < vpnHelper> krzie: "winroute" is (#1) in windows if the route cannot be added, try route-method exe in your config file, or (#2) many users also report it helps to add route-delay to give the interface extra time to get up, or (#3) you may need to turn off routing and remote acess in administrative tools - routing and remote access 13:48 -!- KippiX [n=kippix@gob75-1-81-57-24-181.fbx.proxad.net] has quit ["leaving"] 13:48 < fixUp> ok tried route-method exe and no change 13:50 < krzie> and you tried the other 2...? 13:50 < krzie> what lan subnet is the server and client on? 13:50 < fixUp> krzie: yes 13:50 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has joined ##openvpn 13:51 < fixUp> krzie: server is on 10.66.77.0 13:51 < fixUp> krzie: client is on 192.168.1.0 13:51 < krzie> !logs 13:51 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 13:51 < ecrist> krzie: mail server upgrade is going to be a while, now. I'm using that box as a freeswitch 64bit build test box for the freebsd port 13:51 < pvl1> hey all. i can establish a vpn connection from my ubuntu client to my ubuntu box at home. but once connected, i cannot browse the internet, nor access my lan. what can i be doing wrong? 13:51 < krzie> ahh very cool of you ecrist 13:52 < ecrist> pvl1: you're missing nat for vpn clients 13:52 < ecrist> krzie: pm? 
13:52 < pvl1> sure 13:52 < krzie> pvl1 i take it you are trying to redirect inet over the vpn 13:52 < krzie> if so, what ecrist said 13:52 < krzie> if not, conflicting subnet 13:53 < pvl1> krzie, well im pretty sure thats what im trying to do. 13:53 < krzie> !redirect 13:53 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 13:53 < pvl1> thats all the config file right? 13:53 < pvl1> all thats * 13:53 < krzie> nope 13:53 < pvl1> oi 13:53 < krzie> only the first part is 13:54 < krzie> NAT and ip forwarding are just part of your OS 13:54 < krzie> what os? 13:54 < pvl1> ubuntu 13:54 < krzie> oh right 13:54 < krzie> !linipforward 13:54 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 13:54 < krzie> !linnat 13:54 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 13:54 < pvl1> oo ok. ty ima try that rightnow 13:56 < krzie> /msg nickserv info worbillm-k 13:56 < krzie> blhe 13:57 < krzie> ignore that 13:58 < fixUp> krzie: when I try and enable tun in windows i get the --ifconfig error, where does this go in the config gile ? 13:58 < fixUp> file* 13:58 < pvl1> after doing that. should i reboot or restart my networking 13:58 < krzee> fixUp 13:58 < krzee> !ogs 13:58 < vpnHelper> krzee: Error: "ogs" is not a valid command. 
13:58 < krzee> !logs 13:58 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 13:58 < krzee> pvl1, neither 13:58 < krzee> pvl1, its not windows =] 13:59 < pvl1> well here goes nothing then! 13:59 < krzee> but if you only did the perm solution for ip forwarding, do the temp solution too 14:00 < pvl1> did it work? 14:00 < krzee> you're still here 14:01 < pvl1> oh, well i couldnt ping google.com or load google.com in chrome. ima try to do the temp solution too 14:01 < krzee> goto whatismyip.com to know what ip you are showing up as 14:01 < krzee> i gotta roll out for a bit, got $ to collect 14:02 < krzee> and computer parts to buy with said $ 14:02 < krzee> build it for $600, sell it for $1100 =] 14:02 < pvl1> i have a dyndns service 14:02 < pvl1> good job 14:02 < pvl1> thats impressive 14:05 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has joined ##openvpn 14:05 < Dougy> hey guys 14:05 < Dougy> I have openvpn set up with 172.20.5.0/24.. and I am trying to create an access restriction in lighttpd to the vpn ips only.. I still get access denied even though syntax is correct.. 14:05 < Dougy> I put my real IP in the ip restrictions, and it works 14:06 < Dougy> any idea how i could fix 14:10 < krzie> this isnt a help chan for lighttpd but you could try a separate proc only on vpn ip 14:11 < Dougy> krzie: lighttpd is configured right.. i think 14:11 < Dougy> thought maybe there was an openvpn setting or something that might help me 14:11 < krzie> heh 14:11 < krzie> openvpn doesnt care what you xfer over it 14:14 < Dougy> gah 14:14 < Dougy> i cant run it as 2 separate things 14:14 < Dougy> 2 separate instances even 14:17 < free^> Is there any chance anyone can help me with this -> http://serverfault.com/questions/95813/only-tunnel-certain-applications-via-openvpn ? 
14:17 < vpnHelper> Title: Only tunnel certain applications via OpenVPN - Server Fault (at serverfault.com) 14:17 < free^> I can ping out, but can't ping in (public ip) 14:18 < krzee> free^, thats your question there? 14:19 < free^> yeah 14:19 < krzee> the only way you can tunnel based on app is to run a socks inside the vpn and use an app like proxifier to select which apps to force over the socks 14:19 < krzee> !factoids search sock 14:19 < vpnHelper> krzee: No keys matched that query. 14:20 < krzee> www.ircpimps.org/sockd.conf 14:20 < krzee> thats my config for dante for that exact setup 14:20 < krzee> DO NOT HAVE THAT LISTEN TO ANY IP EXCEPT INTERNAL VPN IP 14:20 < krzee> it is not protected whatsoever, important you keep it inside the vpn only 14:20 < free^> hmm, thats fine, but i can't seem to get the thing to work properly, eg doing ping -I tap0 www.google.com works fine, but pinging the ip assigned to the server via openvpn, i don't get any response 14:21 < krzee> bbiam 14:21 < free^> hmm 14:42 -!- DomiX [n=svinfo@rai93-2-82-231-187-222.fbx.proxad.net] has joined ##openvpn 14:43 < DomiX> hi 14:48 -!- mgolisch [n=michi@85.93.11.18] has left ##openvpn [] 14:49 < ecrist> hi 14:55 < DomiX> !/30 14:55 < vpnHelper> DomiX: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior by reading !topology 14:57 -!- DomiX [n=svinfo@rai93-2-82-231-187-222.fbx.proxad.net] has quit [Read error: 104 (Connection reset by peer)] 15:03 < fixUp> krzee: sorry for the pause but managed to get the problem resolved 15:04 < fixUp> krzee: I have one more problem now, I have to run openvpn elevated as Administrator 15:15 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has quit [Read error: 104 (Connection reset by peer)] 15:16 -!- fixUp [n=fixUp@78.151.123.210] has quit ["Lost terminal"] 15:50 -!- ruied [n=ruied@bl7-220-81.dsl.telepac.pt] has quit [Connection timed out] 16:24 -!- 
buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 17:01 < krzie> thats correct 17:01 < krzie> oops hes gone 17:01 < Dougy> lol 17:01 < Dougy> hi ecrist 17:01 < Dougy> krzie whats poppin 17:02 < krzie> just trying to survive the hangover 17:02 < Dougy> im trying to survive server cancellations 17:16 < Bushmills> krzie: tried a submarine? 17:16 < krzie> gotta work =[ 17:16 < Bushmills> (well, may actually be too late for one) 17:16 < |Mike|> I'm totally tired 17:16 < Dougy> oh 17:16 < Dougy> sux 17:17 < Bushmills> sorry, automated translation: http://forthfreak.net/snap/submarine.png 17:17 * |Mike| just got home from a BBQ 17:17 < |Mike|> it's only -12 C in NL :P 17:23 < krzie> free^, talk here, many people here know what they're doing, including things i dont know 17:25 < free^> openvpn doesn't have to have redirect-gateway in it to work (client side) does it? :/ 17:25 < krzie> only if you want all traffic to the inet routed over the vpn 17:25 < krzie> reading on redirect-gateway in the manual would be a good idea for better understanding of that command 17:26 < free^> when i use that, the vpn works fine (ofc), but when i take it out of the config file, i can't receive data via the vpn (pings for example) 17:26 < free^> but i can send out :/ 17:26 < krzie> whats your goal 17:27 < free^> i wish to use the extra ip (the vpn) for irc, while keeping the normal ip for other stuff 17:27 < free^> something along the lines of irssi (set hostname) or psybnc/znc/etc 17:28 < krzie> instead of routing ALL or nothing, why not just push a route for the irc server you use? 
17:28 < free^> i have no idea how to do that |: 17:29 < free^> i have no control over the vpn server, just the client 17:29 < krzie> ok then just dont push it 17:29 < krzie> in client config: 17:29 < krzie> route 255.255.255.255 17:30 < free^> hm 17:30 < krzie> then you'll have a route for only that ip to go over the vpn 17:30 < free^> what if i want to accept anything over the vpn? 17:30 < krzie> you already know how to do that 17:30 < krzie> redirect-gateway 17:30 < krzie> you should go read the manual for everything in your config 17:30 < krzie> !man 17:31 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 17:31 < krzie> so you understand what you're doing 17:31 < free^> but i only want the applications i specify to go over the vpn, not all traffic :\ 17:31 < free^> i'll give it another read 17:31 < krzie> you cant choose by application unless you do what i said earlier 17:31 < krzie> which would require you running the server 17:32 < krzie> you can ONLY choose by route 17:32 < free^> oh 17:32 < krzie> i thought i was clear about that earlier 17:32 < free^> i prolly misread 17:33 < krzie> the ONLY way you are going to choose based on app is by running a socks server inside the vpn on the server and using an app on the client side to selectively route whatever you decide over the socks (which is over the vpn) 17:33 < krzie> since you dont run the server, thats not an option, you can ONLY select based on subnet/ip 17:33 < free^> kk 17:33 < krzie> because its a routing thing, and routing tables dont care what app you use 17:45 < Dougy> krzie back to same issue here 17:45 < Dougy> vpn 17:45 < Dougy> is there a way to force 2 openvpn clients to go through the openvpn server to communicate 17:45 < Dougy> instead of going over public interface 17:45 < krzie> umm, yes 17:45 < krzie> by using the vpn ip 17:46 < krzie> or of course you could push each 
client a route to the other client 17:46 < krzie> (or instead of pushing just put it in their clients 17:46 < krzie> configs) 17:47 < krzie> but the second way will send from server to other client in cleartext 17:47 < krzie> the first way will do it over the vpn the whole way 17:47 < Dougy> the cisco solution i have works without going directly over vpn ip at work 17:47 < Dougy> i was trying to avoid doing that 17:48 < krzie> you can go from client to server over vpn and server to other client cleartext by adding a route to other client in first clients config 17:48 < krzie> route 255.255.255.255 17:49 < krzie> then its like the request came from the server 17:49 < krzie> of course that only works if you have NAT setup on the server 17:49 < krzie> like so: 17:49 < krzie> !linnat 17:49 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info 17:49 < Dougy> masquerading meh 17:49 < krzie> and of course: 17:49 < krzie> !linipforward 17:49 < vpnHelper> krzie: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 17:50 < Dougy> need ccd entries to push route right 17:50 < Dougy> or is that in the client files 17:50 < krzie> either 17:50 < krzie> push from ccd or just add to clients config without push 18:20 < ecrist> evening 18:21 < Dougy> wait 18:21 < Dougy> epiphany 18:21 < Dougy> is there a way to push a DNS entry? 18:21 < Dougy> :D 18:21 < Dougy> over the vpn 18:22 < krzie> nope, you can push a dns SERVER 18:22 < Dougy> can i make that overrule the locally configured ones? 18:22 < reiffert_> Dougy: You were asking me something last week, I think you sent a 'ping' .. 
remember anything? 18:22 < Dougy> reiffert_: not a clue buddy 18:22 < Dougy> not even a little one 18:22 < Dougy> s/overrule/override/ 18:22 < reiffert_> Hm... maybe it was a nick called Douglas then... 18:22 < Dougy> could be 18:23 < reiffert_> !irclogs 18:23 < vpnHelper> reiffert_: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 18:23 < ecrist> reiffert_: Dougy sends people pings all the time and then leaves 18:23 < Dougy> i do that 18:23 < Dougy> yeah 18:23 < Dougy> if i did do it, dont recall why 18:23 < Dougy> hello eric how are you this evening 18:24 < ecrist> I'm fine. 18:24 < ecrist> you? 18:24 < Dougy> Doing OK 18:24 < Dougy> So.. if i make openvpn push a dns server 18:24 < Dougy> does that replace the locally set ones? IE will it query the pushed one first 18:24 < reiffert_> Ah, Plouj was it. 18:25 < reiffert_> (I remember the 'ou' :) 18:25 < ecrist> iirc, it will overwrite your dns config 18:25 < Dougy> in laymans terms 18:25 < Dougy> it will become the primary 18:25 < reiffert_> Dougy: with OS X they will 'add' the DNS Server. 18:26 < Dougy> hm 18:26 < Dougy> i need it to come in and backhand the other ones out the way 18:49 -!- master_o1_master [n=master_o@p549D4752.dip.t-dialin.net] has joined ##openvpn 18:56 < Dougy> ha... seems to be working 18:56 < Dougy> sorta. 
just needa fix one moar thing 19:00 -!- master_of_master [i=master_o@p549D4202.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:01 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has joined ##openvpn 19:03 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has joined ##openvpn 19:05 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has quit [Client Quit] 19:05 < CrashSys> Does OpenVPN have a browser-based VPN functionality? For instance, I have a customer who is used to going to their cisco with their browser, and getting the VPN set-up that way. 19:06 < Dougy> Er 19:06 < Dougy> Do you mean go to web page, log in, then it creates the connection? 19:06 < CrashSys> yeah 19:06 < Dougy> I know openvpn out of the box doesn't 19:06 < CrashSys> it creates the connection somehow through the browser... 19:06 < Dougy> the access server might 19:06 < Dougy> well 19:06 < CrashSys> ok 19:07 < Dougy> Cisco anyconnect does it via java and launching the windows app 19:07 < Dougy> in FF 19:07 < Dougy> and in IE it uses activeX to do the same 19:07 < CrashSys> So my best bet for something like that with OpenVPN is the access server? 19:07 < Dougy> Not a clue to be honest, the only web thing I know with vpn is the access server 19:07 < Dougy> so read up.. see if it does what you want 19:07 < Diddi> CrashSys: if you at any time come across a solution like that, please let me know (: 19:07 < Dougy> but note the first item in the topic 19:08 < Dougy> CrashSys: yes, me as well, in fact 19:08 < Dougy> if you find it 19:08 < Dougy> please post it here 19:08 < Dougy> !forum 19:08 < vpnHelper> Dougy: "forum" is The unofficial OpenVPN support forum is available at http://www.ovpnforum.com 19:08 < CrashSys> LOL, will do... 
19:09 -!- Gargus [n=gargus@187.23.59.79] has joined ##openvpn 19:10 < Gargus> !route 19:10 < vpnHelper> Gargus: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 19:14 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has joined ##openvpn 19:14 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has left ##openvpn [] 19:19 -!- Silicium01 [n=Silicium@CPE001d7dd94e0b-CM000a73a115c2.cpe.net.cable.rogers.com] has joined ##openvpn 19:19 < Silicium01> Hi everyone 19:19 < Silicium01> I have Server and Client connected via openVPN and am able to ping each other 19:20 < Silicium01> How can I use this connection to browse safely over an unsecured network? 19:20 < krzie> !redirect 19:20 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 19:21 < Silicium01> !redirect-gateway 19:21 < vpnHelper> Silicium01: Error: "redirect-gateway" is not a valid command. 19:21 < Silicium01> !def1 19:21 < vpnHelper> Silicium01: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. 
This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:22 < Silicium01> !ipforward 19:22 < vpnHelper> Silicium01: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 19:22 < Silicium01> !linipforward 19:22 < vpnHelper> Silicium01: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution 19:23 < Silicium01> krzee, thanks by the way 19:23 < krzie> yw 19:23 < Silicium01> krzee, this all seems a bit complicated for a newbie like me, do you know if there are any good howtos out there? 19:24 < Dougy> Silicum01 19:24 < Dougy> that's as easy as it gets 19:24 < Dougy> you need to add the redirect-gateway line to the vpn 19:24 < Dougy> add a masquarade 19:24 < Dougy> and make sure /proc/sys/net/ipv4/ip_forward = 1 19:24 < Dougy> add the redirect-gateway line to server cfg even 19:25 < Silicium01> Dougy, the config file I use when i run openvpn right? 19:25 < Dougy> yes, the server 19:25 < Dougy> not the one on your local computer 19:26 < Silicium01> so that's all I put in the server config line? 19:26 < Dougy> what's all 19:26 < Silicium01> do i need ips or anything like that along with redirect-gateway? 19:26 < Dougy> no 19:26 < Dougy> basic config for the server 19:26 < Dougy> then 19:26 < Dougy> !def1 19:26 < vpnHelper> Dougy: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 19:26 < Dougy> !man 19:26 < vpnHelper> Dougy: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 
19:27 < Dougy> check the redirect-gateway line you need to add
19:27 < Silicium01> ok
19:27 < Silicium01> Dougy, what's adding masquarade?
19:27 < Silicium01> and what do I add it to?
19:27 < Dougy> !howto
19:27 < vpnHelper> Dougy: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
19:27 < Dougy> search for masquerade
19:28 < Dougy> its in there well documented
19:28 < Silicium01> ok
19:28 < Bushmills> http://scarydevilmonastery.net/masq
19:28 < Bushmills> (linux server assumed)
19:29 < Dougy> Bushmills +1
19:32 < krzie> also, all you had to do was read the whole thing at !redirect
19:32 < Dougy> lol
19:32 < krzie> you looked at linipforward but not linnat
19:32 < krzie> !linnat
19:32 < vpnHelper> krzie: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
19:45 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Remote closed the connection]
19:48 -!- Gargus [n=gargus@187.23.59.79] has quit ["Leaving"]
19:52 < ecrist> krzie: any pf + miniupnp experience?
19:53 < krzie> neg
19:53 < Dougy> i saw a shirt in spencers today.. 'things that get my dick hard'
19:56 < reiffert_> u know dick hardt?
19:57 < Dougy> http://www.peopleofwalmart.com/?p=3011
19:57 < vpnHelper> Title: Hard To Believe | www.peopleofwalmart.com (at www.peopleofwalmart.com)
19:57 < reiffert_> google on "identity 2.0", the presentation style is worth it
19:58 < krzie> nice, it had "your mom" on the list
19:58 < krzie> !google identity 2.0
19:58 < vpnHelper> krzie: Identity 2.0 · The next generation of Identity: ; OSCON 2005 Keynote - Identity 2.0: ; Identity 2.0 - Wikipedia, the free encyclopedia:
19:59 < reiffert_> http://identity20.com/media/OSCON2005/oscon_videos/OSCON_Keynote_Lg.mp4.zip
20:03 -!- Silicium01 [n=Silicium@CPE001d7dd94e0b-CM000a73a115c2.cpe.net.cable.rogers.com] has quit [Client Quit]
20:04 < reiffert_> anyone watching?
20:04 < krzie> i cant right now
20:05 < reiffert_> mplayer -vo aa
20:11 -!- CrashSys [n=james@rrcs-24-173-156-170.se.biz.rr.com] has quit []
20:20 < Dougy> so krzie are you there
20:22 < krzie> not there, but im here
20:22 < krzie> ;]
20:23 < Dougy> true
20:23 < Dougy> so
20:23 < Dougy> am i keeping your server hostage for eternity
20:27 < krzie> well im gunna get you that $50 but ild like for you to keep holding onto it if you dont mind
20:27 < krzie> im sure ill wanna put it up again at some point
20:27 < krzie> if its a PITA to hold onto it ill have you ship it after i pay up
20:30 < Dougy> nope its not a biggie
20:30 < Dougy> it is keeping my servers from droopin
20:31 < Dougy> in fact can i pm
20:34 -!- Silicium01 [n=Silicium@CPE001d7dd94e0b-CM000a73a115c2.cpe.net.cable.rogers.com] has joined ##openvpn
20:34 < Silicium01> guys, I'm trying to get redirect gateway to work, but I'm missing something I think. here are the steps i took, can you have a look to see if I'm missing something?
20:35 < Silicium01> http://pastebin.com/m114987a
20:37 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
20:37 < reiffert_> why is client pushing a NS to server?
20:38 < Silicium01> reiffert_, no idea, openvpn howto had that line
20:38 < Silicium01> should I remove it?
20:40 < reiffert_> maybe.
20:40 < Silicium01> reiffert_, ok, then what?
20:40 < Silicium01> how do i use this connection as a gateway?
20:40 < reiffert_> better get some error description up. "does not work" not good.
20:41 < Silicium01> reiffert_, I dont know what to do next
20:41 < Bushmills> gateway:
20:41 < Bushmills> !redirect
20:41 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:42 < Silicium01> Bushmills, I think I did all that
20:42 < Bushmills> and you made the server do NAT?
20:42 < reiffert_> Silicium01: find out how far it works and how far it does not.
20:42 < Silicium01> Bushmills, iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
20:43 < Silicium01> tht's what i ran on server
20:43 < Bushmills> that's not all
20:43 < Silicium01> reiffert_, I am able to ping eachother, but dont know how to actually use this connectiona s gateway
20:43 < reiffert_> route add default gw 10.0.8.1
20:43 < Silicium01> Bushmills, that is all that was in howto
20:44 < Bushmills> i gave you a link before, showing what server needed
20:44 < Bushmills> feel free to ignore parts of it
20:44 < reiffert_> :)
20:45 < Silicium01> lol
20:45 < Silicium01> sorry
20:45 < Silicium01> let me do it right this time
20:45 < Bushmills> good idea
20:45 < Silicium01> Bushmills, ok. that's done
20:46 < reiffert_> !ipforward
20:46 < vpnHelper> reiffert_: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:46 < Silicium01> how can i now use it on client?
20:47 < Silicium01> !linipforward
20:47 < vpnHelper> Silicium01: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
20:47 < Bushmills> traceroute or mtr any external host, see where it goes through
20:47 < Silicium01> so I have to run "echo 1 > /proc/sys/net/ipv4/ip_forward" on client now?
20:47 < reiffert_> s,host,ip,
20:47 < Bushmills> that's part of the process to obtain information about what your system is actually doing,
20:48 < Bushmills> tend to be helpful to know that.
20:50 < Silicium01> sorry guys, I dont get the next step, do i run "echo 1 > /proc/sys/net/ipv4/ip_forward" on client?
20:50 < Dougy> no
20:50 < Dougy> on server
20:51 < Silicium01> ok I did that
20:51 < reiffert_> Dougy: congrats, you've just won the bunny ;)
20:52 < Dougy> wt
20:52 < Dougy> wat
20:52 < Silicium01> traceroute looks like this:
20:53 < Silicium01> pastebin.com/m3f004150
20:53 < Silicium01> note my client is in a virtual machine
20:53 < Dougy> o.o
20:53 < Dougy> that may be an issue
20:54 < reiffert_> or an evil multidimensional subnet mask.
20:54 < Silicium01> but generally there's nothing that needs to be done other than starting openvpn with right conf file on server and client?
20:54 < Silicium01> nothing I need to do in client OS?
20:56 < reiffert_> get back to "find out whats going on atm"
20:57 < Silicium01> atm I am able to ping each machine from eachother
20:58 < reiffert_> great.
20:58 < reiffert_> get back to "find out whats going on atm"
20:59 < Silicium01> reiffert_, what do you mean?
20:59 < reiffert_> check interfaces, check routes, trace packet flow etc. tell us where that bunny eats your ping packet.
21:00 < Silicium01> I have no idea how to do any of that
21:01 < Silicium01> Does one usuall have to "run" some command on client to instruct client to route everything through vpn connection?
21:01 < Dougy> nno
21:01 < Silicium01> because I have those config files right and ran all the command on server that Bushmills told me
21:02 < Dougy> what os is the client
21:02 < Silicium01> Debian Linux
21:02 < Dougy> what virtualization
21:02 < Silicium01> virtualbox
21:02 < Dougy> dedicated nic?
21:03 < Silicium01> only one network card on this machine, so I think no
21:03 < Dougy> hm
21:03 < Dougy> i dont know but i feel like the fact that its a VM is the issue
21:03 < Dougy> does the vpn connect properly
21:03 < Silicium01> yes
21:03 < Silicium01> I am able to ping client and server from both client and server
21:03 < Dougy> did you pasetbin the configs yet
21:04 < Dougy> yes thats nice
21:04 < Silicium01> yes, let me get it one sec
21:04 < Dougy> pastebin server config
21:04 < Dougy> and
21:04 < Dougy> pastebin
21:04 < Dougy> iptables -L -t nat
21:04 < Dougy> idc about client if it connects
21:05 < Silicium01> Dougy, http://pastebin.com/m1eb1ee69
21:05 < Silicium01> "iptables -L -t nat" on server?
21:05 < Dougy> yes
21:06 < Dougy> wait wtf
21:06 < Dougy> this is a weird config
21:06 < Dougy> I see 10.86.80.0/24 masqueraded
21:06 < Dougy> but its not in the server config
21:07 < Silicium01> what should I change it to?
21:07 < krzie> he must have followed a generic web howto without learning from is
21:07 < krzie> it
21:08 < Dougy> yeah
21:08 < Dougy> krzie: doesn't he need 'server' line in his config
21:08 < Dougy> and not the annoying ifconfig one
21:09 < Silicium01> what should I change?
21:09 < reiffert_> quoting from 03:35 < Silicium01> http://pastebin.com/m114987a
21:09 < reiffert_> #
21:09 < reiffert_> ran this command on server:
21:09 < reiffert_> #
21:09 < reiffert_> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
21:09 < reiffert_> WTF?
21:09 < Bushmills> 10.86.80.0/24 looks sort of familiar
21:09 < Bushmills> i think Silicium01 didn't change that address range to his own
21:09 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
21:09 < Dougy> im confused a hell now
21:09 < reiffert_> Dougy: no, Silicium01 is.
21:10 < Bushmills> that's the subnet I use for my own net
21:10 < Silicium01> I reran the commands later from url Bushmills gave me
21:10 < Dougy> you were supposed to modify them to fit your needs
21:10 < Bushmills> given in here: http://scarydevilmonastery.net/masq
21:10 < Silicium01> and yes, i am very confused right now
21:10 < Bushmills> i thought "MYNET" was clear enough ...
21:10 < Bushmills> MYNET = YOURnet
21:11 < Bushmills> not MYnet ...
21:11 < reiffert_> Bushmills: we have !ipforward and !linnat...
21:11 < ecrist> evening again
21:12 < Dougy> hihi
21:15 < Silicium01> ok I ran the 2 commands properly and restarted client and server
21:15 < Silicium01> now what?
21:16 < Silicium01> !ipforward
21:16 < vpnHelper> Silicium01: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
21:16 < Silicium01> !linipforward
21:16 < vpnHelper> Silicium01: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
21:17 < Silicium01> so ip forward is done on server right?
21:17 < Silicium01> I did this thing...
21:17 < Silicium01> it does not make sense, shouldnt I be forwarding from client?
21:18 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has quit ["Leaving."]
21:19 < Silicium01> can you guys help please?
21:19 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has joined ##openvpn
21:20 < Silicium01> I got the conf right, ran 2 commands on server properly this time and restarted both server and client
21:20 < Silicium01> how the hell would my client know to use vpn connection though?
21:26 < Silicium01> maybe I'll figure out next time. thanks everyone for help.
21:26 -!- Silicium01 [n=Silicium@CPE001d7dd94e0b-CM000a73a115c2.cpe.net.cable.rogers.com] has quit [Client Quit]
21:34 < Dougy> idiot
21:46 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
22:03 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has quit ["Leaving."]
22:44 -!- n5 [n=nop@78-63-0-27.static.zebra.lt] has joined ##openvpn
22:44 -!- g` [n=nop@78-63-0-27.static.zebra.lt] has quit [Read error: 104 (Connection reset by peer)]
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 113 (No route to host)]
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:10 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
23:26 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
23:27 -!- krzee [i=nobody@unaffiliated/krzee] has quit [Read error: 104 (Connection reset by peer)]
23:57 -!- maodun [n=stopgo@114.243.125.121] has joined ##openvpn
--- Day changed Sun Dec 20 2009
00:00 < maodun> I'm trying to build a win32 installer using the 'domake-win' script. According to that script, I need to grab some code from the Windows Driver Kit - "copy the 'devcon' source tree to ../tapinstall'. I've grabbed the WDK cd from Microsoft's site, but I can't find the 'devcon' source anywhere on the ISO. Anyone have any suggestions?
00:50 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [Client Quit]
00:50 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:04 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:38 -!- Macer_ [i=mace@rancorous.net] has joined ##openvpn
01:38 -!- Macer_ is now known as Macer
01:38 < Macer> hm. i am a little confused as to how this config works for openvpn
01:38 < Macer> i'm trying to set it up on a wrt54g running dd-wrt
01:40 < krzee> !goal
01:40 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
01:46 -!- grub_booter_ is now known as grub_booter
02:02 -!- Macer [i=mace@rancorous.net] has quit [Read error: 54 (Connection reset by peer)]
02:08 -!- Macer [i=mace@rancorous.net] has joined ##openvpn
02:10 -!- Macer [i=mace@rancorous.net] has quit [Read error: 104 (Connection reset by peer)]
02:13 -!- Macer [i=mace@rancorous.net] has joined ##openvpn
02:19 -!- Macer [i=mace@rancorous.net] has left ##openvpn []
02:23 -!- rajin [n=_@port-93825.pppoe.wtnet.de] has joined ##openvpn
03:55 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has joined ##openvpn
03:55 < pvl1> hi, where can i find out what my server-side LAN uses a subnet
03:57 < krzee> whats the ip and netmask of a machine on that lan?
03:59 < pvl1> does it matter if its bridged and tap?
04:12 < krzee> you said LAN
04:12 < krzee> which has nothing to do with a vp
04:12 < krzee> vpn
04:12 < krzee> ok lets start over
04:12 < krzee> !goal
04:12 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
04:13 -!- krzee changed the topic of ##openvpn to: NO SUPPORT FOR ACCESS SERVER | OpenVPN 2.1.1 is released || CHECK YOUR FIREWALL || We need !goal !logs and !configs and maybe !interface to help you. || See !howto for beginners. || See !route for lans behind openvpn. || !redirect for sending inet traffic through the server. || Also interesting: !man !/30 !topology !iporder !forum !wiki !mitm || Don't use 192.168.1.0/24 or 192.168.0.0/24 (too much potential for conflict)
04:14 < pvl1> i would like to be able to securely access my lan at home from a client
04:14 < krzee> ip traffic or ethernet traffic
04:15 < pvl1> what do u mean by ip traffic and ethernet traffic
04:15 < krzee> !tunortap
04:15 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
04:15 < vpnHelper> krzee: against you over the vpn
04:15 < krzee> ip address or mac address
04:16 < pvl1> uh i guess ip address. didnt think to do mac
04:16 < pvl1> and i have a tap bridge set up
04:17 < krzee> thats usually the wrong way
04:17 < krzee> you should only use a tap setup if you have a specific layer2 protocol you need
04:17 < krzee> what do you actually want to do over the vpn? rdp?
04:19 < pvl1> well vnc, ssh, psftp ftp and access ports of computers. maybe samba too
04:24 < |Mike|> lol
04:25 < |Mike|> pvl1: http://www.webstepbook.com/supplements/slides/images/osi_model.png
04:32 < krzee> ok you just want tun then
04:32 < krzee> !sample
04:32 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man)
04:32 < krzee> !route
04:32 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
04:32 < krzee> !howto
04:32 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
04:32 < krzee> best of luck to you, you have a lot of reading to do
04:33 < pvl1> i read it and followed it as best i could. i think the only problem is that ym client isnt using the correct ip address possibly bc i havent configured my vpn to give out address
04:33 < pvl1> es
04:33 < krzee> well you are using bridge
04:33 < krzee> so start over
04:37 < pvl1> should i remove all hte changes i have made otherwise or just lay the guide over em
04:37 < krzee> screw whatever guide you found
04:37 < krzee> those are 1/2 the reason people end up confused
04:37 < krzee> read what i gave you
04:38 < krzee> read it very thoroughly, including the instructions given by my bot
04:41 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:42 < pvl1> i read the websites howto and did the bridge by hand. i probably just skipped somehing. ima try again in the mornin
04:43 < pvl1> ty tho
04:43 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has quit ["Leaving"]
04:51 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
04:53 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:17 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
06:25 -!- __trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:26 -!- __trine is now known as trine
06:26 -!- trine is now known as trine_
06:26 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 104 (Connection reset by peer)]
06:27 -!- trine_ is now known as _trine
06:27 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Remote closed the connection]
06:28 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
06:44 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
07:26 -!- barefoot [n=magic@41.121.45.162] has joined ##openvpn
07:26 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
07:26 -!- barefoot is now known as magic_1
08:27 -!- fixUp [n=fixUp@84.13.195.7] has joined ##openvpn
09:19 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
09:27 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
09:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
09:31 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
09:47 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
10:32 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)]
10:39 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:22 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)]
11:49 -!- free^ [n=trix@host81-154-199-128.range81-154.btcentralplus.com] has quit ["( www.nnscript.de :: NoNameScript 4.1 :: www.regroup-esports.com )"]
12:04 -!- rajin [n=_@port-93825.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- It'll be on slashdot one day..."]
12:22 -!- Gargus [n=gargus@187.23.59.79] has joined ##openvpn
12:23 < Gargus> Hi people, anyone can help me ?
12:23 -!- nev [n=nev@1503027212.seas-nve.dbnet.dk] has joined ##openvpn
12:24 < magic_1> depends on the issue
12:24 < magic_1> but we can try
12:24 < Gargus> thanks magic_1
12:25 < Gargus> does openvpn works with valid IPs ? I have a valid IPs network who I want's to connect, but I tried everything and it doesn't work...
12:25 < magic_1> what do you mean by valid IP
12:25 < Gargus> IPs like 200.145.0.0/16
12:25 < Gargus> not IPs from nat like 192.168...
12:27 < Gargus> I can establish the tunnel, ping the server it's ok... when I add the route to remote network everything stops works
12:29 < magic_1> as long is its routeable IP you shouldnt have an issue
12:29 < Gargus> I run a tcpdump in my computer scanning tun0 and eth0 interfaces, when I try to connect to remote network, the packet goes through tun0 but doesn't came out by eth0
12:29 < magic_1> the next thing we need to look at is what FW you are using and then we need to look at you conf file
12:30 -!- fixUp [n=fixUp@84.13.195.7] has quit [Remote closed the connection]
12:30 -!- fixUp [n=fixUp@84.13.195.7] has joined ##openvpn
12:31 < Gargus> ok, I have a fw in the remote network, there I accept udp packets to my vpn server on port 1194, here in my house I don't have a fw
12:32 -!- Dougy [n=Dougy@ool-435033e6.dyn.optonline.net] has joined ##openvpn
12:32 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:32 < Dougy> Is there a way to make openvpn push dns servers that force their way over the windows dhcp ones?
12:33 < Dougy> It pushes one just fine right now.. and this zone resolves OK.. to the ip it should.. but then when i trace it, windows takes the public ip, not the private ip which the dns server being pushed is configured to
12:33 < magic_1> yes there is a way to push dns and gw
12:34 < Dougy> i already have it pushing dns
12:34 < Dougy> but windows isnt too happy with it.. nslookup resolves the right vpn ip.. but then everything else takes the public ip (which every other DNS server in the world will point to. the one im trying to push is modified intentionally)
12:35 < magic_1> what type of DNS server are you trying to use
12:35 < Dougy> im trying to push a dns resolver
12:36 < Dougy> i have set to push 68.168.221.173
12:36 < Dougy> which it does
12:36 < Dougy> but i want it to make it the only dns resolver.. aka the one that dhcp pushes on boot gets 'erased'
12:36 < Dougy> or 'shut off'
12:37 < ecrist> Dougy: you need an up script on the client side
12:37 < Dougy> ecrist: whacha mean
12:37 < ecrist> but you're going to need to store what was there, so when the vpn goes down, you can replace it.
12:37 < ecrist> !man
12:37 < Dougy> you know i'm naive
12:37 < vpnHelper> ecrist: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
12:37 < ecrist> look for --up-script
12:37 < ecrist> or --up
12:37 < ecrist> don't remember which it's called
12:37 < Dougy> i will search..
12:38 < Dougy> ecrist: is it possible to push a specific dns entry as opposed to a resolver?
12:38 < Dougy> i only need to push one zone to a different ip
12:38 < ecrist> no
12:38 < Dougy> :(
12:38 < ecrist> unless you update the hosts file with another up script
12:38 < ecrist> but that gets tedious
12:38 < Dougy> i have no idea how to do these 'scripts'
12:38 < Dougy> lol
12:38 < ecrist> you know how I solve that
12:38 * Dougy has manage open
12:39 < Dougy> man page even
12:39 < ecrist> I put everything in public DNS for the zone I want and restrict xfer
12:39 < ecrist> it's not fool proof, but nothing is
12:39 < ecrist> I even have 1918 addresses in public DNS
12:39 < Dougy> well, this is simple
12:39 < Dougy> im trying to limit access to domain.com/admincp to vpn only
12:39 < Dougy> and domain.com is accessible to the world, as it needs to be
12:40 < ecrist> that's an htaccess file issue
12:40 < magic_1> back
12:40 < magic_1> was with the wife quick
12:40 < Dougy> ecrist: yes and no
12:40 < ecrist> order allow,deny allow from $VPN deny from all
12:40 < Dougy> its lighttpd
12:40 < Dougy> so its not quite as simple
12:40 < ecrist> Dougy: use a realy web server, then
12:40 < Dougy> I cant
12:40 < Dougy> im using a premade script
12:40 < Dougy> www.soluslabs.com
12:41 < Dougy> stuck using theirs
12:41 < Dougy> i have it set to only allow 172.20.5.0/24, but
12:41 < Dougy> when i go to the URL, it uses public ip not vpn ip, so i get 403'd
12:41 < ecrist> you're not pushing the right routes, then
12:42 < Dougy> obviously not.. i need to figure out routing or w/e
12:42 < Dougy> !route
12:42 < vpnHelper> Dougy: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:42 < Dougy> i read through that
12:42 < Dougy> never did understand it
12:42 < ecrist> Dougy: I should have to tell you these, but here I go
12:42 < ecrist> !configs
12:42 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:42 < ecrist> !logs
12:42 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
12:42 < Dougy> ecrist: its not urgent
12:42 < Dougy> i can just catch you later
12:43 < ecrist> now or later, can't help you without logs and configs
12:43 < Dougy> indeed
12:43 < Dougy> when you're back i'll get it
12:44 < Dougy> http://pastie.org/750922
12:44 < Dougy> in case anyone is looking and is curious
12:44 < Dougy> or can help
12:45 < ecrist> I'm not going anywhere...
12:45 < Dougy> oh
12:45 < Dougy> hold on
12:45 < Dougy> where het hell did i read
12:45 < Dougy> sec
12:45 < Dougy> ohh, i thought you said you have to leave
12:45 < ecrist> nope
12:45 < Dougy> ecrist what happened to
12:45 < Dougy> !all
12:45 < vpnHelper> Dougy: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface
12:47 < Dougy> lol
12:48 -!- Gargus [n=gargus@187.23.59.79] has quit ["Leaving"]
12:50 < Dougy> so..
12:50 < Dougy> do i need to push routes or something
12:56 < Dougy> ecrist: i have read that routing page twice
12:56 < Dougy> still a foreign language to me
12:56 < Dougy> this behind a lan stuff confuses me
13:01 < Dougy> :-(
13:08 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn
13:08 < bobdoes1> !route
13:08 < vpnHelper> bobdoes1: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:08 < bobdoes1> I read the route paper, my problem is
13:09 < bobdoes1> that I can't ping server on the lan. vpn users ip of 10.10.3.10-50 and the lan is 10.10.1.0 now the ip is fine on the client and I push route 10.10.1.0?
13:11 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
13:12 < Dougy> bbiab
13:14 -!- magic_1 [n=magic@41.121.246.29] has joined ##openvpn
13:46 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
13:49 -!- barefoot [n=magic@41.121.246.29] has joined ##openvpn
13:49 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
13:49 -!- barefoot is now known as magic_1
13:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
13:51 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
13:58 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
13:58 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:02 -!- barefoot [n=magic@196.30.46.202] has joined ##openvpn
14:03 -!- barefoot [n=magic@196.30.46.202] has quit [Client Quit]
14:12 < Dougy> .
14:12 < Dougy> am i still here
14:13 < hyper_ch> so am I :)
14:13 < hyper_ch> oh sorry
14:13 < hyper_ch> yes, you are
14:13 < Dougy> routing confuses me :(
14:14 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)]
14:17 < krzee> lol
14:17 < Dougy> krzee can you help my sorry ass out
14:17 < Dougy> lol
14:17 < krzee> sup
14:17 < Dougy> http://pastie.org/750922
14:17 < Dougy> server config + client config
14:17 < krzee> !goal
14:17 < krzee> ;]
14:17 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
14:18 < Dougy> typing it
14:18 < Dougy> 2 clients connected..
14:18 < Dougy> clientA is me, clientB is server
14:18 < Dougy> clientB has domain.com added to it.. when I go to domain.com it goes over public ip not client ip..
14:18 < krzee> clentB isnt a client then, its a server :-p
14:18 < Dougy> ecrist mentioned something about the routes
14:18 < Dougy> clientb is a server client.. its a server but not THE openvpn server
14:19 < krzee> sure, push a route for your dns server
14:19 < Dougy> that's german to me
14:19 < krzee> whats the dns server your client uses?
14:19 < Dougy> which one
14:19 < Dougy> the dns one im pushing?
14:19 < krzee> normally
14:19 < Dougy> the dns server being pushed (68.168...) is bind
14:20 < krzee> normally
14:20 * Dougy confused
14:20 < krzee> without openvpn what is the clients dns server
14:20 < Dougy> at home.. heres its 192.168.1.1.. but it varies from client to client
14:20 < krzee> for example, you could make it use 4.2.2.1 then put push "route 4.2.2.1 255.255.255.255" in your server config
14:20 < krzee> and all dns requests would hit 4.2.2.1 from the server
14:21 < krzee> (after going over the vpn)
14:21 < Dougy> ah ha.. so that route basically makes that ip (4.2.2.1) appear into the server
14:21 < Dougy> instead of going out to the net?
14:21 < krzee> it goes to the server, then the inet
14:21 < krzee> but you have a custom domain on 68.168.221.173 ?
14:21 < Dougy> let me explain the whole set up
14:22 < Dougy> domain.com here is solusmanager.com
14:22 -!- elenril [n=wiskas@ip-241-138.pel.cz] has joined ##openvpn
14:22 < Dougy> i need http:// and https:// accessible to the world.. but i need https://solusmanager.com/admincp (just /admincp) limited to VPN IP's only
14:22 < Dougy> now, with the dns server pushed, nslookup returns the vpn ip
14:22 < Dougy> but tracert uses the public facing ip.. and so does going to it via FF
14:22 < krzee> like one not inet visable?
14:22 < Dougy> hmm?
14:23 < Dougy> https://solusmanager.com:5656/admincp
14:23 < Dougy> you see a 403, right?
14:23 < krzee> yes 14:23 < Dougy> yes, i want it to 403 every ip that loads it except the vpn ips 14:23 < elenril> hi 14:23 < Dougy> but right now it 403s me even when i'm on the vpn 14:23 < Dougy> because its using my public ip 14:23 < elenril> i'm trying to setup an ipv6-only openvpn network 14:23 < Dougy> well, recognizing 14:23 < Dougy> elenril: that sounds fun 14:24 < elenril> but openvpn client doesn't bring the interface up 14:24 < krzee> so use a different ip for the secret part and a firewall to block 14:24 < krzee> use the VPN ip for that 14:24 < krzee> that way your stuff cant be bypassed 14:24 < krzee> dns is not a secure way to do that 14:24 < Dougy> brb 2s 14:25 < krzee> security through obscurity is not security 14:25 < Dougy> ok reading 14:25 < Dougy> use a different IP for the secret part? 14:25 < Dougy> im confused 14:25 < krzee> so run a virtual host on the VPN ip 14:25 < krzee> and only vpn clients can reach it 14:25 < elenril> http://pastebin.ca/1721629 << my client config 14:26 < krzee> thats not openvpn config stuff, its your httpd 14:26 < Dougy> im not too good with lighttpd and all of that.. so uhh.. theres no way to fix the dns resolution trick? on the dns server being pushed, it has solusmanager.com loaded pointing to the VPN IP 14:26 < krzee> Dougy, learn your software 14:26 < Dougy> krzee: which is httpd issue 14:26 < Dougy> the dns? or ? 14:26 * Dougy confused again 14:27 < krzee> dns should be pointing to a VPN ip 14:27 < krzee> httpd software should agree 14:27 < krzee> and you can only reach it over the vpn 14:27 < Dougy> the pushed DNS server makes it resolve to VPN IP.. and it works when i go to the vpn ip 14:27 < Dougy> but 14:27 < Dougy> only nslookup seems to show the vpn ip.. its like when i use anything else, it uses my other resolvers 14:27 < krzee> !pushdns 14:27 < Dougy> if i could somehow make it.. not.. use the other ones.. 
i'd be fine 14:27 < vpnHelper> krzee: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 14:28 < Dougy> i have it push the dns server 14:28 < Dougy> thats what im saying 14:28 < Dougy> it pushes it fine 14:28 < krzee> READ THE LINK 14:28 < Dougy> which one 14:28 < Dougy> the gmane? 14:28 < krzee> ALL 14:28 < Dougy> lol 14:28 < krzee> why would you debate the validity before knowing what it says? 14:29 < Dougy> FU windows.. 14:29 < Dougy> and i looked at the pushdns and thought wel hey its probably all the same 14:29 < krzee> elenril, i never used ipv6 but i know theres some ipv6 options in the manual 14:29 < krzee> !man 14:29 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 14:29 < krzee> find them and see if they help 14:30 < elenril> already searched 14:30 < elenril> the only result is tun-related 14:30 * elenril is using tap 14:30 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 14:30 < Dougy> how how to.. 
make that reg script for win 7 14:30 < Dougy> lol 14:31 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:32 < krzee> lol 14:32 < krzee> elenril, well with tap you are on the same layer2 segment, so its just like you were on same lan 14:32 < krzee> !ipv6 14:32 < vpnHelper> krzee: "ipv6" is (#1) http://www.join.uni-muenster.de/Dokumente/Howtos/Howto_OpenVPN_Tunnelbroker.php?lang=en to learn how to setup openvpn to be an ipv6 tunnel broker, or (#2) Here are some scripts from the mail list: http://article.gmane.org/gmane.network.openvpn.user/27514 or from a mirror: http://www.ircpimps.org/join-0.8.tar 14:33 < elenril> krzee: yeah, i know 14:33 * Dougy tests 14:33 < elenril> everything works once i 'ip l set tap0 up' 14:34 < krzee> well then hook that in via a ovpn script 14:34 < elenril> but i think openvpn should do that 14:34 < krzee> theres many locations to hook in scripts 14:34 < krzee> for just that type of reason 14:34 < krzee> see manual for script execution 14:34 < krzee> bbiab 14:34 * elenril rtfms 14:34 < Dougy> gah 14:49 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:53 -!- Dougy [n=Dougy@ool-435033e6.dyn.optonline.net] has quit ["Public PJIRC @ http://pjirc.viper007bond.com/"] 15:00 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [No route to host] 15:28 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 15:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 15:37 -!- Sky[x] [n=SkyB0x@tm.213.143.85.148.dc.telemach.net] has quit [] 15:44 -!- Dougy [n=Dougy@ool-435033e6.dyn.optonline.net] has joined ##openvpn 15:44 < Dougy> ASDFJHGSDJHKGDHADFKGDHAKGKSGF SKHFDSKHD 15:44 < Dougy> im about to throw openvpn out the window 15:45 < Dougy> and the damn server its on too 15:45 < hyper_ch> you can through it out to me :) 15:46 < Dougy> wtf is the fucking problem with this shit 15:46 < Dougy> GRR 15:46 -!- barefoot [n=magic@41.121.246.29] has joined 
##openvpn 15:46 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 15:47 -!- barefoot is now known as magic_1 15:48 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 15:51 -!- gaveen [n=gaveen@unaffiliated/gaveen] has joined ##openvpn 15:51 < Bushmills> !howto 15:51 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 15:51 < Bushmills> dougy: ^^^ :P 15:51 < gaveen> !redirect 15:51 < vpnHelper> gaveen: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 15:52 < Dougy> Bushmills i will grind your teeth off with a rusty file 15:52 < gaveen> !def1 15:52 < vpnHelper> gaveen: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 16:03 -!- barefoot [n=magic@196.30.46.202] has joined ##openvpn 16:03 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 16:03 -!- barefoot is now known as magic_1 16:04 < gaveen> !topology 16:04 < vpnHelper> gaveen: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 16:04 < gaveen> !wiki 16:04 < vpnHelper> gaveen: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 16:07 < Dougy> okay.. 
16:07 < Dougy> im going insane 16:08 < Dougy> Bushmills help me 16:08 < Dougy> i need you to tell me if what i am trying to accomplish is possible 16:08 < Dougy> are you there 16:26 < krzie> help you with what 16:28 < Dougy> ok krzie .. question.. 16:29 < Dougy> if 2 clients (VPN ip's 10.0.0.5 and 10.0.0.6) are connected to a VPN.. and they both have public IPs.. is it possible to make it so when the vpn connection is established, it knows to communicate between the vpn and not the public interface 16:29 < Dougy> or is that not possible 16:36 < krzie> i already told you how 16:36 < krzie> yesterday 16:36 < Dougy> refresh my memory please 16:36 < Dougy> before my whole head is gray 16:36 < krzie> common bro you admin the wiki, set an example! 16:36 < Dougy> LOL 16:36 < Dougy> i'm an idiot you know this 16:37 < krzie> just push each a route in ccd (or put it in the client config) for each's inet ip to go over the vpn 16:37 < krzie> like you would for ANY host or subnet 16:37 < Dougy> hmm 16:37 < Dougy> so like 16:37 -!- barefoot [n=magic@41.121.246.29] has joined ##openvpn 16:37 < Dougy> in the CCD entry for my client, if the server is xx.xx.xx.xx 16:37 < Dougy> i'd do 16:37 < Dougy> route xx.xx.xx.xx 255.255.255.255 16:37 < Dougy> or w/e it was 16:37 < Dougy> push it 16:37 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 16:37 -!- barefoot is now known as magic_1 16:37 < krzie> umm dude 16:38 < krzie> you said 2 clients 16:38 < Dougy> for now 2.. going to be more 16:38 < krzie> why you now talking about the server? 16:38 < Dougy> ok.. client2 is the 'webserver', or client 2 16:38 < Dougy> in client 1, i'd push 'route client2publicip 255.255.255.255' 16:38 < Dougy> ? 16:39 < krzie> you dont put push in client config 16:39 < krzie> route client2publicip 255.255.255.255 16:39 < Dougy> yeah, put that in client1'd ccd? 
16:39 < krzie> LOL 16:39 < krzie> stop changing what you say 16:39 < Dougy> dude 16:39 < krzie> in client 1, i'd push 'route client2publicip 255.255.255.255' 16:39 < Dougy> i'm so stressed and confused from everything 16:39 < krzie> you say in client config 16:40 < krzie> so i gave you the line to put in client config 16:40 < Dougy> ah 16:40 < krzie> so then you say ok i put that in the server then 16:40 < krzie> make up your mind! 16:40 < Dougy> so.. to do this via ccd 16:40 < Dougy> what would i put in the client1 ccd file 16:40 < krzie> then you push it as you said 16:43 < Dougy> KRZIE :D i think that worked 16:43 < Dougy> hold 16:44 < krzie> heh 16:44 < Dougy> ok wait so krzie it almost works 16:44 < krzie> well ya it should... 16:44 < Dougy> traceroute goes hop 1 -> vpn, hop 2 -> openvz mater, hop 3 -> vz container 16:44 < krzie> welcome to routing ;] 16:44 < Dougy> but it still shows tracing to the 68.168 ip 16:44 < Dougy> and i still get a 403 :/ 16:44 < krzie> holdon here 16:44 < krzie> you arent talking about 2 clients 16:45 < Dougy> ok heres set up 16:45 < krzie> you are talking about only a client and server arent you 16:45 < Dougy> hold on 16:45 < Dougy> here 16:45 < Dougy> openvz vpz 16:45 < Dougy> / \ 16:45 < Dougy> my pc lighttpd vps 16:45 < Dougy> crap diagram but .. does that explain it 16:45 < krzie> you setup the worst setups, lol 16:45 < Dougy> how so 16:46 < krzie> cause if you did what i said on day1 it would be less ugly and you woulda been done days ago 16:46 < krzie> !irclogs 16:46 < vpnHelper> krzie: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 
16:46 < Dougy> :/ 16:46 < krzie> i repeated it today as well 16:46 < Dougy> probably 16:46 < Dougy> :/ 16:47 * Dougy clueless 16:47 < krzie> but you do the third most talking in here, how is that possible? 16:47 < Dougy> i havent been here much in weeks 16:48 < Dougy> krzie.. can you try one more time to explain this to me :/ my n00b status is peaking here 16:48 < Dougy> lol 16:49 < krzie> Lines: 8633 16:49 < krzie> Days active: 192/503 16:49 < krzie> Average lines per day: 45 16:49 < krzie> hehe 16:49 < krzie> contact it via VPN ip 16:49 < krzie> !!! 16:49 < vpnHelper> krzie: Error: "!!" is not a valid command. 16:49 < Dougy> yeah that works going https://vpnip:port 16:49 < Dougy> that worked the whole time 16:49 < krzie> THEN DO IT! 16:50 < Dougy> im trying to make the DNS work 16:50 < Dougy> ! 16:50 < krzie> then point the damn dns at the vpn ip 16:50 < Dougy> I did.. on the nameserver im pushing 16:50 < krzie> nobody else can reach the ip 16:50 < krzie> just do it for the inet 16:50 < krzie> it makes no real diff 16:50 < Dougy> i would if there wasnt one issue 16:50 < Dougy> clients need to access https://ip:port 16:50 < Dougy> im just trying to limit https://ip:port/admincp 16:50 < Dougy> otherwise i'd do exactly as you say 16:51 < krzie> make admincp not exist in that virtual host 16:51 < krzie> make it its own on vpn ip ONLY 16:51 < krzie> as i said earlier 16:51 < Dougy> hmm 16:51 < Dougy> i need to do some lighttpd research i guess 16:51 < krzie> ya learning the software you use would be a good idea 16:53 < Dougy> wish i could just use apache for this shit 16:53 < Dougy> i'd be ten times done already 16:54 < krzie> you can, its your server isnt it? 16:55 < Dougy> yes but the makers of the script i'm using say 'you must use lighttpd or it won't work' 16:55 < krzie> and thats for the admincp only? 
16:55 < Dougy> no for the whole thing 16:55 < Dougy> must be lighttpd 16:55 < Dougy> if i could make whole thing apache id be fine 16:56 < Dougy> i know how to vhost apache 16:56 < krzie> if you are really scared of learning the software you're using, run 2 procs, one on vpn ip one on public ip 16:56 < krzie> with entirely different documentroots 16:56 < Dougy> im gonna keep messing with this 16:56 < Dougy> i wish i had a quick fix for this DNS crap.. then id be fine.. i think 16:57 * Dougy sigh 16:57 < krzie> lol 16:57 < krzie> LEARN YOUR SOFTWARE 16:57 < krzie> you run a hosting company and are scared to learn the web software you use 16:57 < Dougy> i'm trying, fool 16:58 < Dougy> i'm not scared to 16:58 < krzie> you say that like it doesnt come with docs 16:58 < Dougy> i'm digging through 5 tabs of docs 16:58 < Dougy> right now 16:58 < Dougy> http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModSimpleVhost http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:ModEVhost 16:58 < Dougy> whee 16:58 < vpnHelper> Title: Lighttpd - Docs:ModSimpleVhost - lighty labs (at redmine.lighttpd.net) 16:58 < krzie> how can you be reading docs when you're talking about dns here? 16:58 < krzie> you're only doing 1 at a time 16:58 < krzie> prolly be done by now had you just been reading :-p 16:59 < Dougy> i have 2 computers going 16:59 < Dougy> :) 17:01 < krzie> but only 1 set of eyes 17:01 < Dougy> yeah 17:01 < Dougy> hm 17:01 < Dougy> i cant figure out a good way to do this.. /me search 17:02 < krzie> thats because instead of reading you are talking 17:02 < krzie> thats not how docs work 17:04 < krzie> http://forum.lighttpd.net/topic/247 17:04 < vpnHelper> Title: lighttpd forum - ssl, and multiple vhosts (at forum.lighttpd.net) 17:05 < krzie> wow that was painfully easy, you sure you tried to read?
17:05 < krzie> that was hit2 for: lighttpd multiple ip 17:06 < krzie> then hit 1 and 2 for: lighttpd virtual hosts 17:06 < krzie> between that you see basically everything you need to do 17:06 < krzie> (ive never even looked at lighttpd) 17:07 < Dougy> i was looking at a few things 17:07 < Dougy> i was doing it a bit diff 17:07 < Dougy> 2 separate instances 17:08 < krzie> that should be even easier 17:08 < krzie> make sure you use diff lockfiles/logfiles/etc/etc 17:09 < Dougy> true that 17:10 < krzie> and be sure to not leave your admincp/ inside the publics documentroot 17:10 < krzie> hehe 17:12 < Dougy> meh 17:13 < Dougy> brb 17:15 -!- fixUp [n=fixUp@84.13.195.7] has quit ["leaving"] 17:22 < Dougy> ok 17:22 < Dougy> gonna try this again 17:23 < krzie> !tcp 17:23 < vpnHelper> krzie: "tcp" is Sometimes you cannot avoid tunneling over tcp, but if you can avoid it, DO. Why TCP Over TCP Is A Bad Idea: http://sites.inka.de/~bigred/devel/tcp-tcp.html 17:23 < krzie> (for the forum) 17:23 < Dougy> ah 17:23 < Dougy> i was about to be like wat 17:25 < krzie> !vpn 17:25 < vpnHelper> krzie: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 17:29 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 113 (No route to host)] 17:29 < krzie> there we goes 17:29 < krzie> http://ovpnforum.com/viewtopic.php?f=6&t=2190&p=2567 17:29 < vpnHelper> Title: OpenVPN Forum View topic - differencies between openVPN and openSSH (at ovpnforum.com) 17:30 < Dougy> krzie: different workaround 17:30 < Dougy> got it.. im happy 17:33 < Dougy> set up another A record on the pushed NS only.. for 'staff.solusmanager.com' to point.. only works when you are on the VPN (only loads and resolves).. 17:33 < Dougy> so im good i guess 17:35 < Dougy> wtf 17:35 < Dougy> it worked for like 10 17:36 < Dougy> gah..
17:37 < Dougy> weird 17:38 < Dougy> fuck 17:44 < krzie> lol 17:44 < krzie> how bout this 17:44 < krzie> !notovpn 17:44 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 17:46 < Dougy> how bout you eat my nutsack 17:46 < Dougy> :D 17:46 < Dougy> cuz now i do have an openvpn question 17:47 < Dougy> how do i make an upscript for windows that changes the resolvers.. is there a certain format? or do i need to go to #windows and make a .bat? 17:47 < krzie> you dont need a bat 17:47 < krzie> you need to read the link i gave you sucker 17:48 < Dougy> what do i need then 17:48 < krzie> !pushdns 17:48 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 17:48 < Dougy> ah 17:48 < Dougy> yes, it pushes it, and i see that in ipconfig 17:48 < krzie> READ THE DAMN LINK 17:48 < Dougy> which.. i opened all 3 17:48 < Dougy> none of the 3 say what i want i think.. from my reading 17:48 < krzie> read them all til you see exactly what you are talking about 17:48 < Dougy> ill read.. again 17:48 < krzie> they talk about it appearing in ipconfig but not being used 17:49 < Dougy> i see a registry change 17:49 < Dougy> which i did 17:49 < Dougy> which does not fix 17:49 < Dougy> i wrote an up and down .sh for the linux clients 17:49 < Dougy> which works fine 17:49 < krzie> how do you run a IT business? 
17:49 < Dougy> what i do is simple 17:49 < Dougy> i build, rack, and format servers 17:49 < Dougy> :) 17:50 < Dougy> i dont claim to do more 17:50 < krzie> after you do this: 17:50 < krzie> net stop dnscache 17:50 < krzie> net start dnscache 17:50 < krzie> does it work as expected? 17:50 < Dougy> lets try. 17:50 < Dougy> sec. 17:51 < Dougy> didnt work.. let me google some moar 17:52 < krzie> you didnt see that on the first thread tho? 17:53 < krzie> like really? 17:53 < krzie> it was in the second post 17:53 < Dougy> wait 17:53 < Dougy> i opened links 1 2 and 3 17:53 < Dougy> saw that, and the 'registry fix' 17:53 < Dougy> did that 17:53 < krzie> also, what version ovpn you running? 17:53 < Dougy> 2.1.1 17:56 < krzie> are you handling the dns on the same box as web? 17:59 < Dougy> i wish that net stop and net start fixed it 18:00 < krzie> are you handling the dns on the same box as web? 18:00 < Dougy> different containers 18:00 < Dougy> dns is .173 / .174, web is .172 or .171 i forget 18:00 < Dougy> same host node, though 18:00 < Dougy> just different VPS 18:00 < krzie> are you stopping the world from seeing it by using bind veiws? 18:00 < krzie> views 18:01 < Dougy> nah 18:01 < Dougy> no need, albeit i probaly should 18:01 < Dougy> probably 18:01 < krzie> so this NS only exists for this exact setup? 18:01 < krzie> and you can contact it without being on the vpn? 18:01 < Dougy> yes and no. its a resolver for all our servers, but the only zone actually loaded on it is indeed for this setup 18:02 < Dougy> so yes 18:02 < krzie> ok so its a recursive NS for your users and authoritative for this zone only 18:02 < Dougy> right 18:02 < krzie> its not openly recursive is it?
18:03 < krzie> if you dunno gimme the ip and ill check 18:03 < Dougy> i havent even looked at it 18:03 < Dougy> probably is 18:03 < Dougy> stock config 18:04 < krzie> LOL you're a DOS amplification relay 18:04 < Dougy> WO0T 18:04 < krzie> if i were to use you to attack someone using 1mbit of my bandwidth, i could make you hit them with about 50mbit 18:04 < Dougy> win 18:05 < Dougy> i guess i ought to get on that 18:05 < krzie> you need to only allow recursion for subnets you allow to use the NS for recursion 18:05 < krzie> ya no kidding 18:05 < krzie> and its really more like 60X, but i say 50 to be safe 18:05 < Dougy> especially since imma be testing some 10gige soon 18:05 < Dougy> lol 18:06 < Dougy> krzie: fixed? 18:07 < krzie> yes 18:07 < Dougy> its a temp fix 18:08 < Dougy> i know a recursive dns server is bad, but i never really looked into what it /really/ is 18:08 < krzie> allow-recursion { 127.0.0.1/32; other_subnet/cidr; }; 18:08 < krzie> etc 18:09 < krzie> same thing for zone transfers 18:09 < Dougy> i need to go to security school 18:09 < krzie> allow-transfer { secondary_ns; any_other_slave_ns; }; 18:09 < krzie> no, you just need to start reading docs 18:09 < Dougy> docs bore me, thats my issue 18:09 < krzie> reading to understand, not just skimming 18:09 < krzie> if docs bore you why do you think school will help 18:10 < ecrist> evening, folks 18:10 < krzie> theres no magic potion to gain knowledge, it comes from reading the fuggin manual 18:10 < krzie> wassup ecrist! 18:10 < ecrist> krzie: pending the updated sound files, freeswitch-sounds is ready for commit. 
;) 18:10 < krzie> nice man 18:10 < krzie> i knew youd like fs, didnt know youd start helping the fs team, thats awesome 18:10 < ecrist> we're waiting on a couple commits for configure on freeswitch, expecting xmas/new years release of 1.0.5 18:11 < krzie> its prolly the #1 project im impressed with 18:11 * Dougy searches for stuff 18:11 < Dougy> wo0t 18:11 < krzie> a team of EXTREMELY smart dudes all working together well and rapidly developing their AWESOME piece of software 18:12 < krzie> it could outperform metaswitch in some things before 1.0 was released 18:12 < Dougy> gah 18:12 < Dougy> i need to learn how to red 18:12 < Dougy> read 18:12 < Dougy> not skim 18:12 < Dougy> :( 18:12 < krzie> and metaswitch is straight up production stuff, starts at a quarter million dollars 18:13 -!- magyar [n=magyar@76-10-176-50.dsl.teksavvy.com] has joined ##openvpn 18:13 < ecrist> krzie: I'm considering learning C and talking to Sangoma about providing FreeBSD drivers for TDM hardware 18:13 < krzie> wow 18:13 < magyar> g'evening 18:13 < krzie> youd be an OS hero 18:13 < Dougy> whats TDM 18:13 < ecrist> !google TDM 18:13 < vpnHelper> ecrist: Time-division multiplexing - Wikipedia, the free encyclopedia: ; TDM - Wikipedia, the free encyclopedia: ; Victoria Transport Institute - Online TDM Encyclopedia: 18:14 < krzie> traditional phone style basically 18:14 < krzie> analog phone stuffs 18:14 < ecrist> digital phone stuffs 18:14 < magyar> what is the best way to connect two remote offices with OpenVPN? 
18:14 < ecrist> magyar: yes 18:14 < krzie> well analog to digital 18:14 < magyar> both sides have a unix server 18:14 < ecrist> magyar: you have a couple options 18:15 < ecrist> pick whichever system has the more stable connection and setup openvpn as a server and run client on the other, or go with ipsec 18:15 < krzie> !route 18:15 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:15 < ecrist> for a 1 to 1 vpn, I prefer ipsec 18:15 < magyar> two different subnets A: 192.168.0.0/24 B: 192.168.128.0/22 18:16 < krzie> oop i stand corrected re: tdm, its rarely analog 18:16 < ecrist> ;) 18:16 < ecrist> analog stuff is considered POTS 18:16 < ecrist> s/considered/referred to as/ 18:17 < krzie> i just know it in reference to hooking up T1 cards to digital pbx's 18:18 < Dougy> wow 18:18 < Dougy> googling 'what is recursion' gives such complex ass answers mf 18:18 < magyar> ecrist: racoon? 18:18 < krzie> lol 18:19 < ecrist> magyar: if you don't know ipsec, don't mess with it. openvpn will be quicker 18:19 < krzie> recursion is allowing your NS to lookup zones which it is not authoritative for 18:19 < ecrist> !google what is dns recursion 18:19 < vpnHelper> ecrist: Understanding DNS Recursion: ; DNS Recursion: ; DynDNS.com - Support -- Knowledge Base -- What is Recursive DNS: 18:19 < Dougy> saw that already 18:19 < Dougy> i was looking for a couple sentence summary 18:19 < Dougy> but krzie just did it 18:19 < Dougy> that's what i wanted to find 18:19 < Dougy> lol 18:19 < krzie> LOL 18:19 < krzie> you need to learn how to reac 18:20 < krzie> read 18:20 < Dougy> krzie: what i need is chill pills 18:20 < Dougy> i cant sit and read shit 18:20 < Dougy> i go nuts 18:20 < krzie> how is it possible that you have spoken more than ANYONE in this channel except me and ecrist and still dont have the ability to help yourself? 
18:20 < Dougy> hah 18:20 < Dougy> sad innit 18:20 * ecrist has wondered the same thing 18:20 < ecrist> he even owns the ovpnforum domain 18:21 < Dougy> all i do there is sit back and mod posts.. and answer easy stuff i can figure out on my own 18:21 < krzie> yet his posts are usually "ill try to find someone to answer that" 18:21 < krzie> hehe 18:21 < Dougy> krzie ^ 18:21 < Dougy> above post 18:21 < Dougy> lol 18:21 < Dougy> ok... 18:21 < Dougy> i think.. i might order a few books or something 18:21 -!- gaveen [n=gaveen@unaffiliated/gaveen] has quit [Read error: 104 (Connection reset by peer)] 18:21 < Dougy> i can sit down and read a book.. cant sit down and read a webpage 18:21 < krzie> google is all you need 18:21 -!- gaveen [n=gaveen@unaffiliated/gaveen] has joined ##openvpn 18:22 < Dougy> i just said i cant sit down and read webpages 18:22 < Dougy> lol 18:22 < krzie> if you cant use google, you will never be a tech 18:22 < krzie> then get a new profession 18:22 < Dougy> heh 18:22 < Dougy> zing 18:22 < krzie> start pimping or something 18:22 < krzie> sell drugs 18:22 < Dougy> hahaha 18:23 < krzie> i remember when search engines sucked and there wasnt a lot of docs to read 18:23 < krzie> being able to find knowledge was as good as gold 18:23 < Dougy> i need to find a giant printer and just print out these manuals. 18:24 < krzie> now its freely and easily available, you just have to be willing 18:26 < Dougy> http://oldwww.isc.org/index.pl?/sw/bind/arm93/index.php 18:26 < vpnHelper> Title: Internet Systems Consortium, Inc. 
(at oldwww.isc.org) 18:26 < Dougy> just needa find that in a pdf 18:28 < krzie> do yourself a favor and learn to control your ADD enough to read from your computer, you will never be productive as a sysadmin if you need to print every single manual you read 18:28 < Dougy> hah 18:28 < Dougy> yeah 18:28 < Dougy> i'll work on it 18:28 < krzie> i read multiple manuals per week, using search function to find what i need fast 18:28 < krzie> my first year using freebsd i would look in man dirs and just read any manpage i could find 18:28 < krzie> i learned a LOT that way 18:29 < Dougy> i bet 18:29 < Dougy> lighttpd has QoS lol 18:29 < Dougy> well, traffic shaping even 18:29 < krzie> people HATE writing those manuals more than you hate reading them... they go through all that effort to write the manual documenting the stuff they coded, might as well use it! 18:29 < ecrist> lighttpd has QoS but not htaccess? 18:30 < Dougy> QoS is probably the wrong term 18:30 < Dougy> Traffic shaping. 18:30 < Dougy> http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:TrafficShaping 18:30 < vpnHelper> Title: Lighttpd - Docs:TrafficShaping - lighty labs (at redmine.lighttpd.net) 18:30 < ecrist> do you have any idea what a pain man pages are to write?
18:30 < Dougy> not a clue 18:30 < Dougy> lol 18:30 < ecrist> PITA 18:30 < Dougy> i'll take your word for it 18:30 < krzie> ild rather read 10 than write 1 18:30 < Dougy> crap i have so much work to do 18:30 < ecrist> ssl-admin has man pages 18:31 < Dougy> needa stop fuckin around with 1055926061 different things 18:31 < ecrist> https://www.secure-computing.net/trac/browser/trunk/ssl-admin/man1/ssl-admin.1 18:31 < vpnHelper> Title: /trunk/ssl-admin/man1/ssl-admin.1 – SCN Open Source – Trac (at www.secure-computing.net) 18:31 < krzie> dougy, make a list 18:31 < ecrist> source for man1 for ssl-admin 18:31 < Dougy> krzie: of what 18:31 < krzie> the shit you gotta do 18:31 < krzie> then do 1 at a time 18:31 < Dougy> woah ew ecrist that's hideous 18:31 < Dougy> not the writing 18:31 < Dougy> the format 18:32 < ecrist> https://www.secure-computing.net/trac/browser/trunk/ssl-admin/man5/ssl-admin.conf.5 18:32 < ecrist> that one's worse 18:32 < vpnHelper> Title: /trunk/ssl-admin/man5/ssl-admin.conf.5 – SCN Open Source – Trac (at www.secure-computing.net) 18:32 < Dougy> o.o 18:32 < ecrist> but, that's easier than writing makefiles 18:33 < ecrist> IMHO 18:34 < ecrist> Dougy: here's the Makefile I wrote today: http://pastebin.com/m400128f5 18:35 < Dougy> that makes me want to cry 18:35 < Dougy> ahaha 18:35 < Dougy> ill bbiaf.. gonna make a list like krzie said and organize some shit 18:35 < Dougy> god damn 18:37 < krzie> ecrist, no kidding... i hope you figure out the Makefiles good cause my lil attempt at doing it in shell prolly makes you look bad to people who dunno i did it 18:37 < Dougy> need to find a California vps 18:37 * Dougy goes shopping 18:38 < krzie> nerios has a california location 18:38 < ecrist> krzie: it's all good. #bsdports is helpful on efnet if you know a little something. 18:38 < ecrist> how many friggin' vps' do you need, dougy? 18:38 < Dougy> ecrist: i keep 3 18:38 < Dougy> for nameservers.. which.. 
it appears i need to do some repair on 18:39 < ecrist> Dougy: http://nameserverexchange.org or something 18:39 < krzie> or learn how to run nameservers ;] 18:39 < ecrist> or I would host secondary for you 18:39 < Dougy> krzie: that is the 'repair' 18:39 < Dougy> i need to make it more 'tuned' 18:40 < ecrist> I'll have two distinct locations soon, and I exchange DNS with a small ISP in WI 18:40 < Dougy> my ns1 went down and my stuff got retarded.. like 1/3 of the lookups worked 18:40 < Dougy> fail set up 18:40 < krzie> ecrist i have no problem doing secondary for ya in san diego if you like too 18:41 < ecrist> krzie: I'll keep that in mind, but I'm square right now. 18:41 < krzie> cool, offer stands =] 18:41 < Dougy> now have about 50 bulletpoints of to do's 18:42 < Dougy> meh 18:42 < krzie> which can be summed up to "learn the software i use" 18:42 < krzie> ;] 18:42 < Dougy> well 18:42 < Dougy> thats about half of it 18:42 < Dougy> other half is school or house work 18:42 < krzie> i cant talk tho, my list is overgrown too 18:43 < Dougy> lots of this could be done quick if i did know my software 18:43 < krzie> fix my desktop, swap power supply on my nfs, reinstall both san diego servers, install osX on my girlfriends laptop, etc etc 18:43 < Dougy> slacker 18:43 < krzie> by fix desktop its just replace psu or mobo 18:48 -!- master_of_master [i=master_o@p549D76DE.dip.t-dialin.net] has joined ##openvpn 19:00 -!- master_o1_master [n=master_o@p549D4752.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:06 < Dougy> so krzie correct me if i'm naive 19:06 < Dougy> is there any reason to have recursion on even for lcoalhost?
19:06 < Dougy> localhost 19:06 < krzie> if your machine uses that NS, absolutely 19:06 < krzie> otherwise it can only resolve zones your NS is authoritative for 19:07 < krzie> if you use some other NS in your resolv.conf instead, no 19:07 < Dougy> ok hold on so i understand this clearly 19:07 < Dougy> nevermind 19:07 < Dougy> i will google this. 19:07 < Dougy> instead of asking you. 19:08 < krzie> finally 19:08 < krzie> or keep asking me and wash out my $50 as consulting fees ;] 19:08 < gaveen> where can I find the necessary iptables settings for a basic setup? I've been going through tutorials and the wiki for hours. Still trying to get my basic setup done 19:08 < Dougy> didnt you get my pm last night krzie 19:08 < krzie> negative 19:08 < Dougy> i told you id turn it on for you if you kept it under 1meg 19:08 < Dougy> until you could actually pay again 19:09 < krzie> it never went near 1meg, i actually never used the box 19:09 < Dougy> lol 19:09 < krzie> check my last login and you'll lol 19:09 < krzie> its gotta be right around when i signed up 19:09 < Dougy> so anyway.. OK, according to my understanding, recursion allows for being a resolver obviously.. however.. it's a ddos threat. so running my own resolver even just setting recursion for my own ips (ie for servers rented to my clients) would be dangerous 19:09 < Dougy> s/ddos/dos/ 19:09 * Dougy goes to google more 19:10 < krzie> recursion isnt a dos threat, open recursion for the world is 19:10 < krzie> just like smtp isnt bad, its open smtp relays that are bad 19:10 < Dougy> yes.. having it open to all my ips and the servers people have 19:10 < Dougy> means they can use it to dos 19:10 < krzie> to all your IPs is fine 19:11 < krzie> you should be able to tell when and who it is if it comes from your own network 19:11 < krzie> its letting the whole inet do it that screws you 19:11 < Dougy> ok you know i think im going to say fuck this..
and ditch this 3 vps nameserver set up of mine
19:11 < Dougy> and just get proper dns hosting
19:11 < Dougy> from a company
19:11 < Dougy> or something
19:11 < krzie> that works too
19:11 < krzie> prolly better
19:12 < Dougy> not prolly
19:12 < Dougy> definitely
19:12 < Dougy> lol
19:14 < Dougy> just needa figure out how to go about doing this
19:14 < Dougy> i spent like a day moving everything to this set up.. needa work its way back
19:18 < Dougy> slow slow slow
19:20 < Dougy> done wo0t
19:46 -!- gaveen [n=gaveen@unaffiliated/gaveen] has quit [Read error: 104 (Connection reset by peer)]
19:46 -!- gaveen [n=gaveen@unaffiliated/gaveen] has joined ##openvpn
19:50 < ecrist> Dougy: opendns.org
19:56 < Dougy> ecrist: ?
20:14 -!- Dougy [n=Dougy@ool-435033e6.dyn.optonline.net] has quit ["Public PJIRC @ http://pjirc.viper007bond.com/"]
20:26 -!- Intensity [i=[P1DFcMG@unaffiliated/intensity] has quit [Read error: 104 (Connection reset by peer)]
20:31 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has joined ##openvpn
21:04 -!- tjz2 [n=tjz@bb220-255-199-51.singnet.com.sg] has quit ["bbl"]
21:05 -!- tjz [n=tjz@bb220-255-199-51.singnet.com.sg] has joined ##openvpn
21:31 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has quit ["No Ping reply in 180 seconds."]
21:32 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has joined ##openvpn
21:49 -!- gaveen [n=gaveen@unaffiliated/gaveen] has quit [Read error: 113 (No route to host)]
21:50 -!- gaveen [n=gaveen@unaffiliated/gaveen] has joined ##openvpn
21:54 -!- gaveen [n=gaveen@unaffiliated/gaveen] has quit [Read error: 104 (Connection reset by peer)]
21:54 -!- gaveen [n=gaveen@unaffiliated/gaveen] has joined ##openvpn
22:58 -!- maodun [n=stopgo@114.243.125.121] has left ##openvpn []
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)]
23:06 -!- tjz [n=tjz@unaffiliated/tjz] has quit
[Read error: 104 (Connection reset by peer)]
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:42 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has joined ##openvpn
23:50 -!- gaveen [n=gaveen@unaffiliated/gaveen] has quit [Remote closed the connection]
23:50 < pvl1> krzee, hey u in here?
--- Day changed Mon Dec 21 2009
00:15 -!- pvl1 [n=pvl1@c-71-225-236-128.hsd1.pa.comcast.net] has quit ["Leaving"]
00:22 -!- hyper_ch [n=hyper@84.226.246.98] has quit [Remote closed the connection]
00:23 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection]
00:46 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
01:04 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
01:12 -!- hyper_ch [n=hyper@95-95.3-85.cust.bluewin.ch] has joined ##openvpn
02:07 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
02:19 -!- dazo_afk [n=dazo@nat/redhat/x-slhihaowceehkknj] has quit ["ZNC - http://znc.sourceforge.net"]
02:29 -!- Sky[x] [n=mihaaaa@212.235.182.245] has joined ##openvpn
02:31 -!- dazo_afk [n=dazo@nat/redhat/x-hgxbmyafswfloayu] has joined ##openvpn
02:32 -!- dazo_afk is now known as Guest79125
02:32 -!- Guest79125 is now known as dazo
02:32 -!- dazo is now known as Guest1754
02:56 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has joined ##openvpn
03:20 -!- zmotok [n=kvirc@188.25.57.135] has joined ##openvpn
03:20 < zmotok> !route
03:20 < vpnHelper> zmotok: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
03:21 -!- grub_booter_ [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn
03:23 < zmotok> !howto
03:23 < vpnHelper> zmotok: "howto" is OpenVPN comes with a great howto, PLEASE READ IT!
http://openvpn.net/howto
03:26 -!- zmotok [n=kvirc@188.25.57.135] has quit []
03:33 -!- ruied [n=ruied@bl9-252-182.dsl.telepac.pt] has quit [Connection reset by peer]
03:39 -!- hyper_ch [n=hyper@95-95.3-85.cust.bluewin.ch] has quit [Read error: 110 (Connection timed out)]
03:42 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Connection timed out]
03:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
03:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
03:58 -!- hyper_ch [n=hyper@95-95.3-85.cust.bluewin.ch] has joined ##openvpn
04:02 -!- SkyX [n=mihaaaa@212.235.182.245] has joined ##openvpn
04:03 -!- SkyX [n=mihaaaa@212.235.182.245] has quit [Client Quit]
04:17 -!- Sky[x] [n=mihaaaa@212.235.182.245] has quit [Read error: 110 (Connection timed out)]
04:20 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
04:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
04:39 -!- mattock [n=samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has joined ##openvpn
05:12 -!- Guest1754 is now known as dazo
05:16 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
05:23 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
05:26 -!- linuxdoctor [n=anish@202.83.41.95] has joined ##openvpn
05:32 -!- ruied [n=ruied@95.69.121.174] has joined ##openvpn
05:42 -!- spiekey [n=mario@projekte.imos.net] has joined ##openvpn
05:42 < spiekey> Hello!
05:42 < spiekey> how can i run custom iptables with ccd?
05:45 -!- dazo [n=dazo@nat/redhat/x-hgxbmyafswfloayu] has quit [Read error: 104 (Connection reset by peer)]
05:46 -!- dazo [n=dazo@nat/redhat/x-clfzuciztghjjygs] has joined ##openvpn
05:46 -!- dazo is now known as Guest38068
05:47 < reiffert_> spiekey: you cant.
05:47 -!- Guest38068 is now known as dazo
05:47 < dazo> spiekey: what are you trying to achieve?
05:48 < dazo> (there are other possibilities ...
depending on your needs)
05:50 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has quit []
05:50 < spiekey> i have "trusted" and "untrusted" vpn clients. I want to enable forwarding for the trusted one so that can activly establish a connection from the client to my vpn net
05:50 < spiekey> the "untrusted" ones should not be able to do this. I only want to allow established connections
05:51 -!- linuxdoctor [n=anish@202.83.41.95] has quit [Read error: 104 (Connection reset by peer)]
05:51 -!- linuxdoctor [n=anish@202.83.41.95] has joined ##openvpn
05:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:57 < dazo> spiekey: you can use a "database" and the --client-connect and --client-disconnect script hooks to manage that .... I've also implemented such a feature in a more advanced authentication module for OpenVPN ... http://www.eurephia.net/
05:57 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
06:02 < spiekey> dazo, nice! I have also written such a small auth module :)
06:07 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn
06:08 < bobdoes1> can't figure out one last thing... I have the vpn(users) on 10.10.3 and the lan on 10.10.1, I push route 10.10.1 but can't see the lan from the vpn, am I missing something in the routing?
06:11 < endre> maybe ip forwarding is what you missing? or a route to the vpn clients on the lan?
06:12 < bobdoes1> is the ip forwarding the iroute?
06:13 < bobdoes1> hmm, not sure if I understand how to enable ip and tun/tap forwarding
06:15 < endre> no
06:15 < endre> !forwarding
06:15 < vpnHelper> endre: Error: "forwarding" is not a valid command.
06:16 < endre> !ip
06:16 < vpnHelper> endre: Error: "ip" is not a valid command.
06:17 < bobdoes1> in the howto it just says to enable it
06:17 < bobdoes1> didn't see it in the server.conf
06:18 < endre> sure it should be in sysctl.conf
06:18 < endre> you don't know how ip routing works at all, do you?
06:18 < spiekey> how can i make sure the clients always get the same ip address?
06:18 < endre> spiekey: ipp
06:19 < spiekey> i am missing the infinity value for --ifconfig-pool-persist
06:19 < endre> then specify ips by hand
06:19 < endre> and use 0 as timeout value
06:19 < spiekey> If seconds = 0, file will be treated as read-only. This is useful if you would like to treat file as a configuration file.
06:19 < spiekey> this way?
06:19 < endre> yeah
06:20 < spiekey> cool
06:20 < endre> or better: use RADIUS!
06:39 < spiekey> in ipp.txt i have set "test,10.8.0.29" but my client still gets a different ip address (10.8.0.30)
06:40 < spiekey> any idea why?
06:40 < spiekey> i use: ifconfig-pool-persist ipp.txt 0
06:42 < sno> spiekey: check permissions on ipp.txt
06:42 < sno> had similar issue myself :)
06:43 < spiekey> do i have to use ccd then?
06:43 < spiekey> i removed that from my config
06:43 < spiekey> ipp.txt is world readable
06:47 < dazo> spiekey: if you look more carefully into eurephia .... you'll see that you don't need to care about static IP addresses, which can simplify things a bit
06:57 < spiekey> well, this would keep my ip address to the client for over 3 years...right? ifconfig-pool-persist ipp.txt 99999999
06:57 < spiekey> just as a dirty hack for now
07:15 < dazo> spiekey: you trust that "dirty hacks for now" do not become the permanent solution? Especially with TTL of 3 years? .... oh, how many times I've heard people saying this ....
;-)
07:15 < spiekey> hehe
07:15 < spiekey> i know :)
07:16 < spiekey> the temporary solution usually last the longest ;)
07:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
07:36 -!- linuxdoctor [n=anish@202.83.41.95] has quit ["linuxdoctor has no reason"]
07:46 -!- ruied [n=ruied@95.69.121.174] has quit [Read error: 60 (Operation timed out)]
08:01 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
08:23 < ecrist> good morning
08:31 < theDoc> hello ecrist.
08:32 -!- g` [n=nop@78-63-0-27.static.zebra.lt] has joined ##openvpn
08:32 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:32 -!- n5 [n=nop@78-63-0-27.static.zebra.lt] has quit [Read error: 104 (Connection reset by peer)]
08:33 < cpm> morn'n
08:34 -!- thedonva1ghn is now known as thedonvaughn
08:44 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: cpm, LowKey, grub_booter_, thedonvaughn, dollabill, tjz
08:47 -!- Netsplit over, joins: cpm
08:49 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
08:49 -!- grub_booter_ [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn
08:49 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn
08:49 -!- LowKey [i=rhel@72.20.37.172] has joined ##openvpn
08:49 -!- thedonvaughn [n=thedonva@unaffiliated/printk] has joined ##openvpn
08:55 -!- jhp_ [n=jhp@zeus.jhprins.org] has joined ##openvpn
09:07 -!- jhp [n=jhp@zeus.jhprins.org] has quit [Read error: 111 (Connection refused)]
09:09 -!- Muty [n=amir@unaffiliated/muty] has joined ##openvpn
09:09 < Muty> Hello
09:10 < Muty> can anyone tell me how to enable routing between clients of openvpn?
09:10 < ecrist> client-to-client
09:10 < ecrist> it's covered all over the place
09:10 < Muty> Ok I'll check that out
09:10 < Muty> thanks ecrist
09:10 < ecrist> !google how to enable routing between clients of openvpn
09:10 < vpnHelper> ecrist: OpenVPN 2.0 HOWTO: ; OpenVPN - Site-to-Site Bridged VPN Between Two Routers - DD-WRT Wiki: ; OpenVPN - Site-to-Site routed VPN between two routers - DD-WRT Wiki:
09:11 < ecrist> the answer was in the first google result. :)
09:11 < Muty> Ok sorry, didn't know that site-to-site between routers is the same like routing between clients
09:12 < Muty> but your query is exactly the same query I did :)
09:16 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
09:23 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
09:27 < ecrist> Muty: the option is client-to-client in your config. the first link for the openvpn howto explains it
09:33 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.85 [Firefox 3.5.6/20091201220228]"]
09:34 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has quit [Read error: 110 (Connection timed out)]
09:49 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:00 < hyper_ch> The security test lab of Fraunhofer SIT has published a technique for getting around Microsoft's BitLocker disk-encryption technology, even when BitLocker is used in connection with a hardware-based Trusted Platform Module.
http://news.zdnet.co.uk/security/0,1000000189,39926434,00.htm
10:00 < vpnHelper> Title: Researchers break into BitLocker - ZDNet.co.uk (at news.zdnet.co.uk)
10:09 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
10:15 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit [Read error: 104 (Connection reset by peer)]
10:34 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
10:35 < magic_1> !iporder
10:35 < vpnHelper> magic_1: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp
10:35 < magic_1> !topology
10:35 < vpnHelper> magic_1: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
10:38 < magic_1> for some reason i cannot route from the client side to the server side
10:38 < magic_1> pings all around perfect
10:39 < magic_1> but get protocol error when i try anything else
10:39 < magic_1> from server side to client side traffic flows perfect
10:41 -!- hyper_ch [n=hyper@95-95.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
10:42 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
10:45 -!- elenril [n=wiskas@ip-241-138.pel.cz] has quit ["for the lulz"]
10:54 -!- ewanm89_ [n=ewanm89@unaffiliated/ewanm89] has joined ##openvpn
10:54 -!- ewanm89_ is now known as Cap_J_L_Picard
10:55 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:55 < Cap_J_L_Picard> !route
10:55 < vpnHelper> Cap_J_L_Picard: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:56 < Cap_J_L_Picard> !redirect
10:56 < vpnHelper> Cap_J_L_Picard: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:56 < Cap_J_L_Picard> !mitm
10:56 < vpnHelper> Cap_J_L_Picard: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
10:57 < Cap_J_L_Picard> okay, well, none of that is helpful...
10:57 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
10:59 < Cap_J_L_Picard> Question can one produce a bridged network where dhcp is provided by a server at a client endpoint bridge?
10:59 < Cap_J_L_Picard> Using OpenVPN of course ;)
11:00 < ecrist> yes
11:00 < ecrist> it's covered in the man page
11:00 < Cap_J_L_Picard> e.g. server is just for connection, not for the actual ethernet < - > VPN bridge.
11:00 < ecrist> simply don't provide an IP range in your server-bridge config line
11:00 < Cap_J_L_Picard> yeah, but that enables dhcp-proxy to bridged server interface?
11:01 < Cap_J_L_Picard> or that's what the documentation infers.
11:03 < ecrist> yes
11:04 < Cap_J_L_Picard> well my dhcp server is of at one of the clients.
11:29 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has quit [Read error: 60 (Operation timed out)]
11:29 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has joined ##openvpn
11:30 -!- reiffert_ is now known as reiffert
11:35 -!- spiekey [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
11:42 -!- zmotok [n=kvirc@188.25.57.135] has joined ##openvpn
11:47 < zmotok> hello everyone; i'm trying to set up a vpn with openvpn so as to be able to connect to the lan which the openvpn server is a part of, but I can't ping any of the other servers, and no route/iptables rule has worked so far, any.. ideas? vpn server is set as 10.0.0.1 (routing not bridge)
11:47 < dazo> zmotok: have you enabled IP forwarding?
11:47 < zmotok> dazo, yes
11:47 < dazo> zmotok: are routing tables sensible?
11:48 < zmotok> dazo: y...es
11:48 < zmotok> dazo: by pinging i'm seeing the icmp requests on the vpn server, but they get no response
11:48 < dazo> zmotok: and you can ping the VPN address of the openvpn server from the client side?
11:49 < zmotok> dazo: yes
11:49 < reiffert> zmotok: forwarding enabled?
11:49 < dazo> zmotok: sounds like routing issue ... is the openvpn server also working as the default gateway on your server side network?
11:49 -!- hyper_ch [n=hyper@84.226.246.98] has joined ##openvpn
11:49 < dazo> reiffert: I believe he said he did :)
11:50 < ecrist> !configs
11:50 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:50 < zmotok> dazo: no, it's.. gateway to another network, and part of the lan i'm trying to connect to
11:50 < ecrist> !logs
11:50 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
11:50 < reiffert> dazo: but he also said, that he can see the pings on the vpn interface on the vpn server, which induces, that he cant see them on the lan side of the vpn server.
11:50 < reiffert> dazo: ok, it's a routing issue.
11:51 < reiffert> dazo: as my crystal ball went wrong.
11:51 < dazo> reiffert: :)
11:51 < zmotok> i'll pastebin it, brb
11:51 < reiffert> zmotok: add a static route on the lan gateway, telling the packets heading for the vpn side to use the vpn server lan ip.
11:51 < dazo> zmotok: then you need to make sure that you have at least a routing on your default gateway which can route the return packets from your network back via your openvpn server and not out via the default gateway
11:52 < dazo> reiffert: are you reading my mind? :-P
11:52 < reiffert> dazo: yes.
11:52 < reiffert> :)
11:52 < zmotok> ha
11:52 < dazo> heh :)
11:52 < dazo> Good reiffert is up-to-speed ...
then I'll be able to go home and grab some dinner :)
11:53 < reiffert> same for me, let's see that the kitchen was preparing :)
11:53 < reiffert> s,that,what,
11:53 < dazo> heh :)
11:55 -!- dazo is now known as dazo_afk
11:56 < zmotok> http://pastebin.com/d4688ae89
11:58 < zmotok> routes added at the bottom: http://pastebin.com/d59be6f75
11:59 < reiffert> zmotok: lan gateway is 192.168.10.1?
11:59 < zmotok> reiffert: 10.254
11:59 < reiffert> assuming linux: route add 10.0.0.0/24 gw 192.168.10.31
12:00 < zmotok> reiffert: yes, debian; thank you :)
12:00 < reiffert> maybe route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.10.31
12:00 < zmotok> thanks for the help @ dazo also
12:00 < reiffert> check packetflow by running tcpdump on the lanside of 10.31 and on the lan side of 10.254
12:00 < reiffert> like tcpdump -n proto icmp
12:01 < zmotok> ah, didn't check that
12:01 < zmotok> yes, i only checked on the vpn server
12:01 < zmotok> to see that the requests were coming through
12:01 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has joined ##openvpn
12:01 < samaelszafran> ehm. Hello.
12:01 -!- zmotok [n=kvirc@188.25.57.135] has quit []
12:01 < samaelszafran> !route
12:01 < vpnHelper> samaelszafran: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
12:02 < samaelszafran> !redirect
12:02 < vpnHelper> samaelszafran: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
12:02 < samaelszafran> ;x
12:02 < samaelszafran> yeah.
12:03 < samaelszafran> !ipforward
12:03 < vpnHelper> samaelszafran: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
12:03 < samaelszafran> !fbsdipforward
12:03 < vpnHelper> samaelszafran: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd
12:04 < samaelszafran> damn. I've got this.
12:04 < samaelszafran> ;x
12:06 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:13 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
12:22 < holister> I have a linux server and a windows client, they both connect just fine, but I can't ping from either end. When I run wireshark, I see that an icmp packet on either tun device, never creates a udp packet on a real network interface. The only udp packets going back and forth seem to be negotiation packets for the tunnel itself (and appear to be working perfectly)... what is wrong?
12:23 < Cap_J_L_Picard> firewall?
12:23 < Cap_J_L_Picard> or routing error.
12:24 < holister> not firewall
12:24 < samaelszafran> !nat
12:24 < vpnHelper> samaelszafran: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
12:24 < holister> as for routing error, thx captain obvious
12:25 < holister> none of the above
12:25 < ecrist> !configs
12:25 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
12:25 < ecrist> holister: ^^^
12:25 < holister> what are ccd entries?
12:25 < samaelszafran> ecrist: have you been using natd?
12:26 < ecrist> samaelszafran: what?
12:27 < samaelszafran> ecrist: I'm trying to set up vpn, so I could browse internet through it...
12:27 < ecrist> ok
12:27 < samaelszafran> weird, though. I've routed 172.30.0.1 to my world IP adress
12:27 < samaelszafran> and it worked
12:27 < samaelszafran> then I had to reboot my server
12:27 < samaelszafran> I've set it up again, now it isn't working.
12:27 < samaelszafran> :F
12:31 -!- nicros [n=craver@208.53.57.220] has joined ##openvpn
12:31 < reiffert> then something is wrong.
12:32 < nicros> i have several machines connecting to my openvpn but the machines can't ping or ssh to eachother... is that a config problem?
12:34 < reiffert> !factoids search --values client-to-client
12:34 < vpnHelper> reiffert: "c2c" is "client-to-client" is with this option packets from 1 client to another are routed inside the server process. without it packets leave the server process, hit the kernel (firewall, routing table) and if allowed by firewall and routed back to server process, they go to the client. you use this option when you want to use selective firewall rules on what clients can access things
12:34 < vpnHelper> reiffert: behind other clients.
12:35 < reiffert> see above.
12:40 < holister> http://pastebin.ca/1722737
12:42 < reiffert> holister: openvpn version?
12:43 -!- Intensity [i=[MApGjQS@unaffiliated/intensity] has joined ##openvpn
12:45 < holister> server 2.1 rc20, client 2.0.9
12:45 < reiffert> 2.0.9 is more than 3 years old.
12:45 < holister> it was the latest windows release on the download page
12:46 < reiffert> nah.
12:46 < reiffert> it's 2.1.1 now :)
12:47 < holister> maybe it was bundled with the "gui" or something *shrug*...
gui doesn't appear to do anything except tell you you're connected anyways
12:48 < holister> most worthless excuse for a gui I've ever seen, but then, I really don't care at this point I just want it to work
12:48 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has joined ##openvpn
12:49 < reiffert> nowadays the gui is bundled with the openvpn installer.
12:50 < holister> I clicked whatever was on the download page...less than a week ago
12:50 < holister> so it's either out of date, or maybe it's placed in a non-intuitive spot?
12:50 < reiffert> You probably missed the RC versions then.
12:50 < reiffert> they were releasing 2.1.x last week I think.
12:51 -!- ruied [n=ruied@188.140.125.188] has joined ##openvpn
12:57 -!- ghernandez [n=ghernand@12.157.107.24] has joined ##openvpn
12:57 < ghernandez> Howdy.
12:58 < ghernandez> Question regarding speed and duplex with openvpn.
12:58 < ghernandez> On a point to point client server configuration, 100mb on the network side, 1gb dedicated backbone between point to point.
12:59 < ghernandez> When I saturate the network connection one way I see great results, 7800kbps
12:59 < ghernandez> 20% cpu utilization
12:59 < ghernandez> its great.
12:59 -!- Intensity [i=[MApGjQS@unaffiliated/intensity] has quit [Remote closed the connection]
12:59 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
12:59 < ghernandez> with that network connection open and max saturation, if I open another network connection the other way. I only max out at around 300kbps
13:00 < ghernandez> but if I kill the first connection
13:00 < ghernandez> it peaks at 7800kbps again.
13:01 < ghernandez> So server1 -> Server2 = 7800kbps
13:01 < ghernandez> while that is open if I open "Server2-> Server1" I only get 300kbps
13:02 < ghernandez> 300kbps on that single stream, the other connection speed does not change.
13:02 < reiffert> Interesting. Would you mind putting that to the -users list with CC -devel?
13:02 < reiffert> !list
13:02 < vpnHelper> reiffert: Admin, Channel, Config, Factoids, Google, Misc, Owner, Seen, Services, User, Weather, and Web
13:02 < reiffert> !lists
13:02 < vpnHelper> reiffert: Error: "lists" is not a valid command.
13:02 < reiffert> !factoids search --values lists
13:02 < vpnHelper> reiffert: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list
13:03 < ghernandez> reiffert: Ie, open a bug ticket? Or what do you mean?
13:03 < reiffert> ghernandez: put that question to a bigger community is what I mean.
13:03 < ghernandez> Aha
13:04 < reiffert> there are two mailinglists. ask there.
13:04 < ghernandez> Cool, Thanks.
13:04 < ghernandez> Im going to try everything with a 1gb network next.
13:05 -!- ghernandez [n=ghernand@12.157.107.24] has quit [Remote closed the connection]
13:13 < holister> reiffert: ok, now running 2.1.1 on the client.... same problem
13:21 < reiffert> holister: while upgrading, please get 2.1.1 on the linux server as well, meanwhile I'm checking your config
13:22 < reiffert> holister: and please get me a "verb 6" logfile of both, client and server, interface listing before and after connecting and the routing tables from both pcs, before and after connecting.
13:31 -!- ruied [n=ruied@188.140.125.188] has quit [Connection timed out]
13:32 < holister> client log http://www.pastebin.ca/1722771
13:32 < holister> oops...
13:32 < holister> that's the route
13:33 < reiffert> holister: before and after connecting.
13:33 < holister> log is: http://www.pastebin.ca/1722776
13:33 < Cap_J_L_Picard> any of you running openvpn off dd-wrt?
13:34 < reiffert> #
13:34 < reiffert> Mon Dec 21 14:26:22 2009 us=984000 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu
13:34 < reiffert> #
13:34 < reiffert> #
13:34 < reiffert> 1546'
13:34 < reiffert> #
13:34 < reiffert> Mon Dec 21 14:26:22 2009 us=984000 WARNING: 'mtu-dynamic' is present in remote config but missing in local config,
13:34 < reiffert> #
13:34 < reiffert> #
13:34 < reiffert> remote='mtu-dynamic'
13:34 < reiffert> holister: next please paste ipconfig /all before and after connecting.
13:35 < holister> I saw that...it shows whether I delete any "mtu" lines from both configs or not
13:35 < holister> originally there were no mtu lines in either config.... and it wasn't working so I tried adding them... didn't help
13:37 < holister> ipconfig before: http://pasebin.ca/1722780
13:39 < holister> ipconfig /all after: http://pastebin.ca/1722781
13:40 < reiffert> Looks ok so far. Vmware involved?
13:40 < holister> nope
13:41 < reiffert> on linux server: tcpdump -n -i tun0 proto icmp and
13:41 < holister> reiffert: no packets are travelling over tun0 :/
13:41 < reiffert> ping -c1 10.169.0.6
13:42 < holister> in that case only outgoing icmp packets
13:42 < holister> no return
13:42 < reiffert> ah, so packets leave the server on tun0. great.
13:43 < reiffert> do you see any incoming packets on windows tun/tap interface?
13:44 < holister> nope
13:45 < holister> hmmm...
13:45 < holister> I'm seeing "Bad LZO decompression header byte 0" in the long
13:45 < ecrist> firewall?
13:45 < holister> log
13:45 < holister> no firewall
13:46 < ecrist> are you *sure*
13:46 < ecrist> you disabled windows firewall on the tap device?
13:46 < holister> yes...
13:47 < reiffert> prove.
13:49 < holister> what way to prove? screen shot? it's a painfully slow 3g-over-bluetooth connection... I'm not lying. It's disabled. Move on.
13:49 < holister> what does the bad LZO decompression header thing mean
13:51 < reiffert> holister: seen so many shitty firewall software .. which one is it at yours?
13:51 < reiffert> holister: for a test remove the comp-lzo lines.
13:52 < holister> I have no firewall software...
13:53 < holister> linux side has a simple iptables setup but not on that interface...tun0 is -j ACCEPT like the howto says
13:54 < reiffert> you already saw icmp packets leaving on tun0 ..
13:57 < holister> ok, with comp-lzo disabled, I now see packets on windows(client) adapter... wireshark says "Bogus IP header length (0, must be at least 20)
13:58 < reiffert> do they return already?
13:59 < holister> no return
14:00 < holister> the packets leave as ICMP, but come through to windows side as 0 byte IP packets
14:01 < holister> openvpn log says: "UDPv4 READ [125] from 151.204.189.39:1194: P_DATA_V1 kid=0 DATA len=124", then "TUN WRITE [88]"
14:04 < holister> odd...looking at the bytes of this bogus ethernet frame on the tun adapter, the last bunch of bytes are 08, 09, 0a, 0b, etc up to 37
14:05 -!- mattock [n=samuli@dsl-hkibrasgw1-fe2af900-117.dhcp.inet.fi] has quit ["Leaving."]
14:08 < reiffert> you listen to the wrong adapter.
14:09 < reiffert> you are not supposed to see openvpn packets on the tun/tap adapter.
14:18 < holister> ?????
14:27 < reiffert> you are not supposed to see openvpn packets on the tun/tap adapter.
14:27 < reiffert> you should see them on your lan-adapter
14:28 < holister> oh
14:28 < reiffert> on the tun adapter itself, you should see the payload. e.g. the ping packets you send.
14:29 < holister> right
14:30 < holister> I'm telling you that it is coming through as a corrupt IP packet
14:32 < reiffert> well, if you *are* tcpdump/wiresharking on tun adapter but see lan packets I think that your windows networking is totally fucked up.
14:33 < holister> I don't see LAN packets
14:33 < holister> I don't know where you are getting that from
14:33 < holister> I see the ICMP packets... only, they aren't ICMP packets....they are corrupted
14:34 < reiffert> Oh, my fault, I got it from "UDPv4 READ [125] from 151.204.189.39:1194: P_DATA_V1 kid=0 DATA len=124" and thought it was wireshark output
14:34 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:34 < holister> that was from the openvpn log
14:34 < reiffert> still pinging from server to client?
14:34 < holister> yes
14:34 < reiffert> what about vice versa?
14:35 < holister> hmmm
14:36 < holister> nope...not making it through at all...corrupted or otherwise
14:37 < holister> it's going out on the tun....which means it's routed correctly....
14:37 < holister> doesn't come in on the server tun though
14:37 < ecrist> did Dougy ever fix his stuff?
14:39 < holister> soooooo....... any ideas yet?
14:41 < samaelszafran> ecrist: help me :<
14:41 < samaelszafran> I can't make this working...
14:41 < samaelszafran> I don't know, if it's a routing problem or what ;x
14:42 < reiffert> holister: whats your adapter driver version in device manager?
14:44 < reiffert> (did you reboot after upgrading to 2.1.1? Did you uninstall before?)
14:44 < samaelszafran> i've routed 172.30.0.1 to my remote IP
14:44 < reiffert> ecrist: ideas? any?
14:44 < samaelszafran> and it still doesn't work.
14:45 < holister> aha.... I finally got it working
14:45 < holister> I modified the mtu settings a little and put it in both configs...now everything works
14:46 -!- e4 [n=e4@rrcs-76-79-59-194.west.biz.rr.com] has joined ##openvpn
14:46 < e4> Is there a way to manually configure the name of the tun devices created by a vpn instance?
14:46 < reiffert> #
14:46 < reiffert> Mon Dec 21 14:26:25 2009 us=812000 TAP-Win32 Driver Version 9.6
14:47 < reiffert> holister: does it work when you remove the mtu lines from both configs?
14:49 < holister> reiffert: nope 14:49 < reiffert> interesting, I have to remember such a problem to be mtu related. 14:49 < reiffert> lemme check what we currently have on that 14:50 < reiffert> !factoids search mtu 14:50 < vpnHelper> reiffert: 'mtu-test' and 'mtu' 14:50 < reiffert> !mtu 14:50 < vpnHelper> reiffert: "mtu" is see --mtu-test to learn how to test your MTU settings. Basically you just use --mtu-test in your normal client config 14:50 < samaelszafran> !redirect 14:50 < vpnHelper> samaelszafran: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 14:50 < samaelszafran> !ipforward 14:50 < vpnHelper> samaelszafran: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward 14:50 < samaelszafran> !fbsdipforward 14:50 < vpnHelper> samaelszafran: "fbsdipforward" is is set gateway_enable="YES" in /etc/rc.conf to enable ip forwarding in freebsd 14:50 < samaelszafran> yeah. 14:50 < samaelszafran> !nat 14:50 < vpnHelper> samaelszafran: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 14:51 < samaelszafran> !fbsdnat 14:51 < vpnHelper> samaelszafran: "fbsdnat" is see http://cavanantha.wordpress.com/2007/09/16/nat-on-freebsd-using-pf/ for a basic howto for NAT on FreeBSD 14:51 < samaelszafran> using pf. I use ipfw ;x 14:51 < ecrist> ipfw ftl 14:52 < samaelszafran> ftl? 14:52 < ecrist> for the loss 14:52 < samaelszafran> mhm... 14:52 < ecrist> nat was one reason I switched to pf 14:52 -!- jhp_ is now known as jhp 14:52 < samaelszafran> though, there is some stuff like natd, or ipdivert in ipfw... 
14:52 < samaelszafran> ;x 14:52 < samaelszafran> shit, I had it working before the reboot ;x 14:53 < ecrist> samaelszafran: nat with ipfw or ipfw2 is a pain in the ass. 14:53 < samaelszafran> yeah. 14:53 < samaelszafran> brb. 14:55 < samaelszafran> though.. 14:55 < samaelszafran> ecrist: what should I route to what? 14:55 < samaelszafran> maybe natd will handle this ;x 15:02 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has quit ["Reconnecting"] 15:02 -!- samaelszafran [i=samaelsz@samaelszafran.pl] has joined ##openvpn 15:04 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 15:10 < krzie> hey ecrist, ever used graph plotting software by any chance? (figured i'd toss a query at you before googling and going with whatever i find) 15:11 < Ziber> !dns 15:11 < vpnHelper> Ziber: "dns" is Level3 open recursive DNS server at 4.2.2.1 15:11 < Ziber> How can I get my OpenVPN server to pass DNS information to the clients? 15:11 < krzie> !pushdns 15:11 < vpnHelper> krzie: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit 15:12 < reiffert> krzie: graph plotting software? 15:12 < krzie> note, windows has issues with this explained in the links, unix must use a script to do it 15:12 < reiffert> krzie: gnuplot. 15:12 < krzie> reiffert basically i have scripts that hit the db and do all sorts of math to take a gross figure and come out with net figure and breakdown 15:13 < reiffert> krzie: ah. check out rrd tools and stats, come with mrtg. 15:13 < krzie> i want to have the gross be the whole pie, and net be a slice, with everything that comes out of gross to make net being accounted for by other slices 15:13 < krzie> cool thx i will 15:13 < reiffert> krzie: ah, get back to gnuplot. 
15:13 < krzie> my input is simply text 15:14 < reiffert> http://www.gnuplot.info/screenshots/index.html 15:14 < vpnHelper> Title: gnuplot screenshots (at www.gnuplot.info) 15:14 < krzie> no db no logs just simple numbers formatted however i need them to be 15:14 < reiffert> ... 15:15 < reiffert> what keeps you from clicking that link? 15:15 < reiffert> http://www.gnuplot.info/faq/faq.html#SECTION00065000000000000000 15:15 < krzie> nothing im already past the first page reading more 15:15 < vpnHelper> Title: Gnuplot FAQ (at www.gnuplot.info) 15:15 < reiffert> http://www.usf.uni-osnabrueck.de/~breiter/tools/piechart/piecharts.en.html 15:16 < krzie> thats perfect 15:16 < reiffert> :p 15:16 < reiffert> In most cases they are not a good way to represent quantitative information. A Warning is printed by piechart since v0.10 for this reason. 15:16 < reiffert> "" 15:17 < reiffert> http://www.usf.uni-osnabrueck.de/~breiter/tools/piechart/warning.en.html 15:17 < krzie> ya i saw that, but its the best for this 15:17 < krzie> i agree its not normally the best way to represent data 15:17 < krzie> but everything is relative to the whole in this situation 15:18 < krzie> thanx =] 15:18 < krzie> time to read some docs, looks rather easy 15:19 < krzie> i especially like that it takes inputs and displays percents 15:22 -!- ruied [n=ruied@bl5-190-144.dsl.telepac.pt] has joined ##openvpn 15:27 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has quit [Read error: 104 (Connection reset by peer)] 15:28 -!- barefoot [n=magic@41.121.111.185] has joined ##openvpn 15:49 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 113 (No route to host)] 15:51 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.14/2009082707]"] 15:51 -!- barefoot [n=magic@41.121.111.185] has quit [Read error: 110 (Connection timed out)] 15:55 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 
15:56 < ecrist> krzie: what do you mean? 15:56 < ecrist> what are you trying to graph? 15:58 < krzie> money, with the whole pie being the gross figure, 1 slice being net, other slices being everything that comes out of gross to get net 15:58 -!- rajin [n=_@port-13199.pppoe.wtnet.de] has joined ##openvpn 15:58 < krzie> what reiffert suggested looks perfect 15:58 < krzie> im portsnapping now then installing 16:03 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"] 16:07 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)] 16:23 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has joined ##openvpn 16:32 < krzie> i love ports, this would be dependency hell 16:33 < ecrist> krzie: ports has many drawbacks 16:33 < oc80z> yea? 16:33 < oc80z> as does standard transmission :P 16:34 < ecrist> oc80z: freebsd ports system 16:34 < oc80z> dunno snapshots are good. 16:35 < oc80z> right? they snapshot like every hour? 16:35 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 16:35 < oc80z> you know more than me ecrist, what are the cons? 
16:39 < ecrist> oc80z: the ports tree is broken as soon as you update it 16:39 < ecrist> it can't handle dependencies well, and it requires various maintenance 16:40 < ecrist> binary packages are limited in usefulness due to dependency problems 16:42 < krzie> my (fairly long) history with fbsd ports has been enjoyable 16:43 < krzie> which im reminded of every time i have to use linux 16:44 < krzie> but of course im not saying its perfect 16:49 -!- rajin [n=_@port-13199.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Would you like to know more?"] 17:15 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 17:19 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 17:19 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 17:19 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 54 (Connection reset by peer)] 17:20 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 17:23 -!- barefoot [n=magic@41.121.111.185] has joined ##openvpn 17:24 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 17:24 -!- barefoot is now known as magic_1 17:25 -!- barefoot [n=magic@41.121.111.185] has joined ##openvpn 17:25 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 
17:25 -!- barefoot is now known as magic_1 17:27 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 60 (Operation timed out)] 17:30 -!- correcaminos__ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 60 (Operation timed out)] 17:50 -!- grub_booter_ [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 110 (Connection timed out)] 17:51 -!- grub_booter_ [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn 18:09 -!- inject1on [n=kjshf@DH-L015-160-PC.herts.ac.uk] has joined ##openvpn 18:09 < inject1on> hi 18:09 < inject1on> will using a vpn stop the possibility of arp/dns/packet injection on my LAN? 18:09 < inject1on> i intend on connecting my own router to the LAN point (the lan which has a shitload of malicious users) 18:11 -!- bytesaber [n=bytesabe@208-98-188-95.directcom.com] has quit ["Leaving"] 18:17 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has joined ##openvpn 18:17 < Dougy> !logs 18:17 < vpnHelper> Dougy: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 18:17 < Dougy> er 18:17 < Dougy> !irclogs 18:17 < vpnHelper> Dougy: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days. 
18:19 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 18:22 < krzie> inject1on it will not stop them from seeing/manipulating your traffic, but it will be encrypted when they see it 18:23 < krzie> and they wont be able to do anything useful with your traffic since they cant see what's in it 18:24 < inject1on> cool thats good to know 18:24 < krzie> dammit this piechart and ascii_chart wont compile here on fbsd 18:24 < krzie> even with gmake 18:25 < inject1on> krzie : what happens before i initiate the vpn though? 18:26 < krzie> i dont understand the question 18:26 < inject1on> also my LAN requires logging in ...for example when u go to google.com it redirects you to a page where u type in your username/password ..im guessing they are using some sort of arp poisoning there 18:26 < inject1on> well everything is unreadable to the sniffers/sniffers who are tampering with the traffic...but the vpn is a remote server right? 18:26 < krzie> doesnt seem very related to openvpn 18:26 < inject1on> so before i initiate the connection to the vpn, am i not insecure then? 18:27 < krzie> depends what you're using 18:27 < krzie> once you are connected to the vpn everything you route over the vpn is secured by the vpn 18:27 < krzie> to the point of the other end of the vpn 18:27 < krzie> then it goes to the inet as normal, may or may not be secure 18:27 < krzie> !vpn 18:27 < vpnHelper> krzie: "vpn" is http://openvpn.net/index.php/documentation/faq.html#tunnel-principal 18:28 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 18:28 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit ["Leaving"] 18:29 < inject1on> so is a vpn something i have to pay for? i have no computers i can use to host the vpn :( 18:30 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 18:30 < krzie> if you dont have computers you can use, yes youd need to find a provider 18:31 < Dougy> or 18:31 < Dougy> flash your home router if you got one 18:34 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Client Quit] 18:36 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 18:36 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has joined ##openvpn 18:48 -!- theDoc [n=hex@119.73.165.162] has joined ##openvpn 18:49 -!- master_o1_master [n=master_o@p549D765A.dip.t-dialin.net] has joined ##openvpn 18:55 -!- theDoc [n=hex@119.73.165.162] has quit [Read error: 60 (Operation timed out)] 18:55 -!- theDoc [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 18:56 < e4> I have a site-site VPN link I'm trying to hook up. The subnet behind the client isn't accessible by the server network while the client itself is. Does the client config file need to have route/iroute information as well? 18:57 < krzie> !route 18:57 < vpnHelper> krzie: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 18:58 < e4> Thanks! 19:00 < inject1on> so before i initiate the connection to the vpn, am i not insecure then? 
19:00 < inject1on> depends what you're using 19:00 < inject1on> sorry to dwell on this 19:00 < inject1on> but how do i ensure that while i am connecting to the vpn im not poisoned 19:01 -!- master_of_master [i=master_o@p549D76DE.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 19:01 < inject1on> and then redirected to something that is claiming to be the vpn which then passes everything onto the actual vpn 19:01 < inject1on> or something along those lines 19:01 < e4> krzie: That's much, much better than the 'official' documentation, heh. 19:01 < inject1on> or not even that, just getting poisoned as i connect to the vpn, which tricks me into running a rootkit which then compromises my box 19:01 < krzie> e4: thank you =] 19:02 < krzie> inject1on: "depends on what you're using" was directed at you asking if you were secure or not while not connected 19:05 < krzie> reiffert here? 19:05 < Dougy> krzie 19:06 < Dougy> I read a lot of a manual today 19:06 < krzie> congratulations 19:06 < Dougy> and i've decided as cool as powerdns is 19:06 < Dougy> i dont like it 19:07 < inject1on> my computer is secure while not connected to the internet, or at least id like to think so! i will be taking extreme measures to make sure of it 19:07 < inject1on> using networking is going to be my weak point though 19:16 < e4> krzie: That guide is infinitely better, and my setup was incorrect, but even after fixing it I can't access anything past the vpn ip of the client lan. 19:16 < e4> The client lan can see the server lan just fine, all other routing works, the server lan just can't see the client lan. 19:17 < inject1on> so assuming my computer is secure, and assuming the router i connect to the malicious LAN is secure, how do i protect myself from mitm/packet injection/dns/arp poisoning BEFORE i connect to the vpn which encrypts everything? 19:17 < inject1on> coz surely there is a time while im not routing traffic through the vpn in which im insecure to those attacks? 
19:19 < krzie> e4, you added the routes to the router? 19:19 < krzie> inject1on 19:19 < krzie> !mitm 19:19 < vpnHelper> krzie: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config 19:20 < e4> krzie: Yep. iroute, route, etc all have the client subnet now (I was missing the second route statement.) Doing a tcpdump on both ends the packets stop at the server side of the lan, the client never sees them. 19:21 < krzie> i said on the router itself 19:21 < krzie> outside of anything to do with the vpn 19:21 < krzie> as described below the network diagram in "ROUTES TO ADD OUTSIDE OF OPENVPN" 19:22 < krzie> if so: 19:22 < krzie> !configs 19:22 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:22 < e4> krzie: Both instances of krzie are on respective routers. 19:22 < krzie> ahh cool that makes your life easier 19:22 < e4> hah 19:22 < e4> s/krzie/openvpn 19:22 < krzie> hah im so tired i didnt even catch that 19:23 < e4> krzie: I've already gone over the firewall with their team. Everything looks good there. 19:24 < e4> One potential question, is it normal to have the openvpn server add routes before a client connects? 19:27 < krzie> everything given in its config by route command, yes 19:27 < krzie> iroute wont be read until client connects 19:27 < krzie> because: 19:27 < krzie> !ccd 19:27 < vpnHelper> krzie: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 19:27 < krzie> i didnt say to send me your firewall 19:27 < krzie> !configs 19:27 < vpnHelper> krzie: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 19:27 < krzie> openvpn configs 19:29 < e4> http://pastebin.org/67594 19:29 < krzie> thats a single config? 19:30 < krzie> remove the ifconfig 19:30 < krzie> server command handles that 19:30 < krzie> !ipp 19:30 < vpnHelper> krzie: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. If you want guaranteed assignment, see !iporder and !static 19:30 < e4> http://pastebin.org/67596 19:31 < krzie> 10.68.250.0 255.255.255.0 is behind the client, right? 19:31 < e4> yeah 19:31 < krzie> and 10.67.232.0 255.255.255.0 behind the server 19:31 < e4> correct 19:32 < e4> The iroute for the client: iroute 10.68.250.0 255.255.255.0 19:33 < krzie> watch server log when client connects, be sure it says its reading that iroute 19:33 < krzie> you may have not made the ccd file EXACTLY the same as the common-name 19:33 < e4> krzie: I was worried about that. The community site gave the error message to watch for if they're misnamed. I verified in the logs that the cn matches as well. 19:34 < e4> It all *looks* right to me, but obviously something isn't working right, heh. 
19:34 < inject1on> krzee: i read the faq link to mitm attacks, but i fail to understand how that will protect me from mitm/arp/dns poisoning /packet injection attacks BEFORE i connect to the VPN...ASSUMING my computer is rootkit free 19:36 < krzie> this is an openvpn help channel 19:36 < krzie> im telling you how to run openvpn right 19:36 < krzie> e4: 19:36 < krzie> !logs 19:36 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 19:38 < inject1on> krzie :yes i understand that i appreciate any help regarding my question you can give though ...i figured there'd be more people who know about vpn here, and protection PRE-VPN than other chans 19:39 < krzie> well against arp poisoning you can use static arps 19:39 < krzie> there are also apps like arpwatch to see when someone is trying to play arp games on you 19:46 < e4> krzie: http://pastebin.org/67599 19:48 < e4> That's client, server: http://pastebin.org/67600 20:04 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 20:08 < krzie> the server log was cut short 20:10 < e4> krzie: You want the entire thing? Mine's pretty long, heh 20:12 < e4> krzie: Client - http://pastebin.org/67602 20:12 < e4> Wait, no, that's server. 20:14 < e4> krzie: http://pastebin.org/67603 20:16 < krzie> its not reading the iroute 20:17 < krzie> the word iroute doesnt even appear in the log 20:22 < e4> krzie: Interesting. The CCD name should match what appears in the log, correct? 20:30 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 20:30 < e4> krzie: Interesting. I re-created the certs for the config file and it started working. Absolutely bizarre. 20:31 < e4> Very sorry to have wasted your time, wouldn't have thought that could have been the case! 20:31 < e4> Thank you very much! 
20:31 -!- explore [n=msparker@pool-173-57-92-51.dllstx.fios.verizon.net] has quit ["leaving"] 20:33 < krzie> yw 20:37 < inject1on> krzie i remember u saying that before your traffic is protected by the vpn you could use static arp tables to prevent arp poisoning...would that help even if you are connected via your router which is connected to malicious lan A? you are on lan B connected to lan A via your router .. 20:37 < inject1on> furthermore , preventing arp poisoning before you are encrypting traffic through the vpn tunnel, would that also stop mitm attacks on the malicious lan? 20:40 -!- e4 [n=e4@rrcs-76-79-59-194.west.biz.rr.com] has quit [] 20:49 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Success] 21:00 < krzie> !notovpn 21:00 < vpnHelper> krzie: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem 21:00 < krzie> !google prevent arp poisoning 21:00 < vpnHelper> krzie: Anatomy of an ARP Poisoning Attack | WatchGuard: ; The Ethical Hacker Network - Pick Your Poison - ARP, MAC, WiFi: ; Prevent a network from Address Resolution Protocol (ARP) poisoning ...: 21:04 -!- e4 [n=e4@rrcs-76-79-59-194.west.biz.rr.com] has joined ##openvpn 21:14 < inject1on> does it make any difference that my network is plugging into another network that i have no control over? 21:15 < inject1on> my router is plugging into another network i have no control over ..that is full of malicious users..and my computer is connecting to my router 21:15 < inject1on> can i still prevent arp poisoning in that case or is it being done at a level i cant control at all? 21:15 < inject1on> also , does preventing arp poisoning prevent mitm attacks too? 
21:24 -!- XATRIX [n=George@analyt.faust.net.ua] has joined ##openvpn 21:24 < XATRIX> hi guys i have a problem 21:24 < XATRIX> http://pastebin.com/d4940763d 21:24 < XATRIX> why does it give me such things ? 21:25 < XATRIX> my previous os (gentoo) never gave me such 21:33 < krzee> !configs 21:33 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 21:33 < krzee> !logs 21:33 < vpnHelper> krzee: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 21:34 < XATRIX> em...i can't give server config and logs...just only on my side 21:36 < XATRIX> http://pastebin.com/d6d336804 21:36 < XATRIX> this is a log of connection to my vpn server 21:36 < XATRIX> at first look, all seems to be all right 21:52 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [] 21:54 < krzee> Tue Dec 22 05:35:57 2009 WARNING: potential route subnet conflict between local LAN [192.168.3.0/255.255.255.0] and remote VPN [192.168.3.0/255.255.255.0] 21:54 < krzee> Tue Dec 22 05:35:57 2009 /sbin/route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.7.33 21:54 < krzee> you cant use 192.168.3.x as your home subnet with this vpn 21:54 < krzee> im headed to bed, gnite 21:55 < XATRIX> krzee: but when i was on gentoo i was using such connection 21:56 < XATRIX> i never had such a problem 21:56 < krzee> try changing it 21:56 < XATRIX> how can i change it ? 21:56 < Dougy> my dog is high as fuck right now 21:56 < Dougy> poor guy cant get up the stairs 21:56 < krzee> you're asking to change your home lan's subnet? 
21:57 < XATRIX> i have wifi connection, this subnet and ip was given by my ISP 21:57 < XATRIX> and vpn server is a remote server of my place of work 21:57 < krzee> you have no home router giving you this wifi? 21:57 < XATRIX> no...i connect directly to ISPs hardware 21:57 < krzee> sorry dude im too tired to help ya 21:58 < krzee> goodnight 21:58 < XATRIX> :( 21:58 < XATRIX> goodnight 21:59 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 22:00 -!- XATRIX [n=George@analyt.faust.net.ua] has quit ["Leaving"] 22:05 -!- Dougy [n=Douglas_@ool-435033e6.dyn.optonline.net] has left ##openvpn [] 22:08 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Read error: 60 (Operation timed out)] 22:08 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 22:11 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has joined ##openvpn 22:15 * ecrist works on devel/freeswitch-esl port 22:19 -!- correcaminos [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit ["Leaving"] 22:34 -!- correcaminos_ [n=laguilar@201.166.73.171.cable.dyn.cableonline.com.mx] has quit [Success] 23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 104 (Connection reset by peer)] 23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 23:45 < inject1on> can anybody suggest a well known commercial vpn provider that handles packet injection/arp poisoning/mitm attacks/has some authentication with the vpn like IPSec? ..to tell if ive been hijacked when i try establishing a connection.. 
--- Day changed Tue Dec 22 2009 00:12 -!- Avalloc [n=_@port-15421.pppoe.wtnet.de] has joined ##openvpn 00:14 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn 00:24 -!- hyper_ch [n=hyper@84.226.246.98] has quit [Remote closed the connection] 00:27 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 00:39 -!- Avalloc [n=_@port-15421.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Would you like to know more?"] 00:44 -!- inject1on [n=kjshf@DH-L015-160-PC.herts.ac.uk] has quit [] 00:48 -!- [BIOS]vamsi [n=[BIOS]Va@121.243.61.82] has joined ##openvpn 00:49 < [BIOS]vamsi> hello 00:49 < [BIOS]vamsi> I'm an absolute beginner 00:49 < [BIOS]vamsi> can anyone help me out 00:52 < [BIOS]vamsi> @freaky[t] do u belong to kvabunga 00:52 < [BIOS]vamsi> ?? 00:53 < [BIOS]vamsi> anybody home???????? 00:53 -!- [BIOS]vamsi [n=[BIOS]Va@121.243.61.82] has quit ["Leaving"] 01:08 < endre> omfg wtf 01:20 -!- hyper_ch [n=hyper@202-115.78-83.cust.bluewin.ch] has joined ##openvpn 01:30 -!- rubin110 [n=rubin110@70.36.142.11] has joined ##openvpn 01:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 01:31 < rubin110> Hello, I have a question about setting up a firewall around an openvpn client via ipfw. Anyone have any experience with this? 01:36 < rubin110> Poot. :( 01:36 -!- n5 [n=nop@78-60-57-157.static.zebra.lt] has joined ##openvpn 01:42 -!- g` [n=nop@78-63-0-27.static.zebra.lt] has quit [Read error: 110 (Connection timed out)] 01:51 -!- Rundll [n=thomas@ppp105-140.static.internode.on.net] has quit [Remote closed the connection] 02:09 -!- [BIOS]vamsi [n=[BIOS]Va@121.243.61.82] has joined ##openvpn 02:10 -!- e4 [n=e4@rrcs-76-79-59-194.west.biz.rr.com] has quit [] 02:30 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"] 03:02 -!- ruied [n=ruied@bl5-190-144.dsl.telepac.pt] has quit [Read error: 110 (Connection timed out)] 03:03 -!- master_of_master [i=master_o@p57B576D9.dip.t-dialin.net] has joined ##openvpn 03:12 -!- EwanMcLean [n=ewanmcle@89.243.227.65] has joined ##openvpn 03:13 -!- EwanMcLean is now known as Ewan_McLean 03:15 -!- ruied [n=ruied@89-180-121-51.net.novis.pt] has joined ##openvpn 03:15 -!- master_o1_master [n=master_o@p549D765A.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 03:19 -!- ruied [n=ruied@89-180-121-51.net.novis.pt] has quit [Read error: 60 (Operation timed out)] 03:22 -!- dazo_afk is now known as dazo 03:29 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 03:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 04:01 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has quit [Read error: 110 (Connection timed out)] 04:02 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["This computer has gone to sleep"] 04:06 -!- [BIOS]vamsi [n=[BIOS]Va@121.243.61.82] has quit ["Leaving"] 04:26 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 04:26 -!- macsppadic [n=sonupunn@82.109.74.162] has joined ##openvpn 04:31 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 04:43 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn 04:43 -!- Ewan_McLean [n=ewanmcle@89.243.227.65] has left ##openvpn [] 04:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)] 
05:00 -!- thedoc_ [n=hex@cataclysm.edgewire.sg] has joined ##openvpn 05:02 -!- thedoc_ is now known as thedoc 05:02 -!- thedoc is now known as theDoc 05:03 -!- barefoot [n=magic@41.121.7.58] has joined ##openvpn 05:19 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 110 (Connection timed out)] 06:14 -!- barefoot [n=magic@41.121.7.58] has quit [Read error: 60 (Operation timed out)] 06:15 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 06:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:30 -!- macsppadic [n=sonupunn@82.109.74.162] has quit [] 06:32 -!- xenophile7x7 [n=xenophil@unaffiliated/xenophile7x7] has quit [Read error: 110 (Connection timed out)] 06:33 -!- xenophile7x7 [n=xenophil@ip72-192-7-242.ri.ri.cox.net] has joined ##openvpn 06:59 -!- ruied [n=ruied@89.214.244.168] has joined ##openvpn 07:03 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [] 07:05 -!- jhp_ [n=jhp@zeus.jhprins.org] has joined ##openvpn 07:08 < ecrist> good morning 07:16 -!- jhp [n=jhp@zeus.jhprins.org] has quit [Read error: 111 (Connection refused)] 07:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 07:35 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:14 -!- ribasushi [n=rabbit@dslb-084-063-048-214.pools.arcor-ip.net] has joined ##openvpn 08:15 < ribasushi> grumble 08:15 < ribasushi> something between rc11 and 2.1 proper broke multihoming 08:15 < ecrist> iirc, multihoming was pulled from documentation 08:16 < ribasushi> O.o 08:16 < ribasushi> why 08:16 < ribasushi> so is the "right way" to run 2 servers now? 08:17 * ribasushi digs in changelog 08:18 -!- robotti^ [i=robotti@kapsi.fi] has joined ##openvpn 08:18 < robotti^> hello 08:19 < robotti^> is it hard to set up openvpn on a virtual server? :) 08:19 < robotti^> is it? 08:19 < robotti^> I mean 08:19 < hyper_ch> is it hard to set openvpn on a dedicated server? 
08:20 < robotti^> :) 08:20 < robotti^> I do not know :) 08:21 < robotti^> I am only thinking about interfaces 08:21 < ecrist> robotti^: not really, as long as the virtual server supports tun/tap 08:21 < robotti^> how to know, if it supports? 08:21 < ecrist> try it 08:22 < robotti^> I have ordered a virtual server and I was planning today to use it with openvpn server 08:22 < ecrist> well, try it 08:22 < ecrist> :) 08:22 < robotti^> but if there is interface? on ip? 08:22 < robotti^> one ip address 08:23 < ecrist> sure 08:23 < robotti^> set server running on Internet ip address and how to then use that for surfing? :) 08:23 < ecrist> sounds easy enough 08:24 < robotti^> I was only thinking, what should I do? Only make openvpn.conf for that. and where does it get an ip? 08:24 < robotti^> dhcp? 08:24 < ecrist> robotti^: read the howto 08:25 < hyper_ch> !howto 08:25 < robotti^> where? 08:25 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 08:25 < robotti^> thanky ou 08:25 < robotti^> you 08:29 < ribasushi> negative 08:30 < ribasushi> the multihome option is in fact in the man page 08:30 < ribasushi> and it in fact doesn't work once I upgrade (i.e. sends the packets out the wrong interface) 08:30 < ribasushi> what's my best bet, ML? 08:30 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn 08:32 < mlaci> hi guys! i can't get openvpn to work on windows 7. i cannot create any tap adapters despite having tried every download. did anyone succeed? 08:32 < ecrist> mlaci: what downloads did you try? 08:34 < mlaci> ecrist, here: http://openvpn.se/development.html 08:34 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se) 08:35 < ecrist> mlaci: that's wrong 08:35 < ecrist> !download 08:35 < vpnHelper> ecrist: "download" is www.openvpn.net/download to download openvpn 08:36 < mlaci> ecrist, will i be able to make openvpn gui work if i first install the official openvpn package? 
08:36 < ecrist> mlaci: gui is included in openvpn now
08:36 < ecrist> no reason to use openvpn.se
08:37 < mlaci> ecrist, i see, great news! thank you very much
08:59 -!- Avalloc [n=_@port-15421.pppoe.wtnet.de] has joined ##openvpn
09:01 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
09:13 < dazo> ecrist: I believe multihoming is back in docs now ...
09:19 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Connection reset by peer]
09:19 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
09:48 -!- barefoot [n=magic@41.121.22.78] has joined ##openvpn
09:49 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
09:49 -!- barefoot is now known as magic_1
09:56 -!- piperin [n=piperin@cable-82-119-12-138.cust.blue-cable.de] has joined ##openvpn
09:57 < Muty> ecrist: do you recommend openvpn 2.1 beta 7 for windows 7?
09:58 < ecrist> Muty: I recommend 2.1.1 release
09:58 < ecrist> why use a beta when there's a release?
09:59 < Muty> I was on the wrong website.
10:02 < Muty> I just asked because I can't get OpenVPN to work on Windows 7
10:02 < Muty> It seems like the default gateway is not set
10:04 < Muty> you've got any ideas ecrist?
10:08 -!- barefoot [n=magic@196.30.46.202] has joined ##openvpn
10:10 < dazo> Muty: Some Win7 issues were solved late in the rc phase .... try the 2.1.1 release,
10:11 < dazo> Muty: except for that .... running openvpn with admin privileges (or tweaking it so the running user gets network admin rights) is a must, to be able to modify the routing table
10:13 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 60 (Operation timed out)]
10:13 -!- barefoot [n=magic@196.30.46.202] has quit [Read error: 54 (Connection reset by peer)]
10:17 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn
10:17 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
10:17 < mithridates> hey guys
10:18 < mithridates> I have some questions about openvpn
10:18 < mithridates> would you help me?
10:18 < mithridates> I want to setup a vpn server in us
10:18 < mithridates> to share internet for my clients in iran
10:19 < mithridates> I'm wondering whether they can use voip by the vpn or no
10:19 < mithridates> because government banned voip in the internet
10:19 < Muty> http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/b9cd4de4-274e-45b4-95e3-94ac13127b37
10:19 < vpnHelper> Title: OpenVPN TAP and Windows Firewall (at social.technet.microsoft.com)
10:20 < mithridates> are u talkin to me?
10:23 < ecrist> mithridates: sure you can
10:23 < ecrist> call quality may not be the best, though
10:23 < mithridates> ecrist: what will happen if they block PPTP protocol
10:23 < mithridates> or L2TP
10:24 < dazo> doesn't matter .... openvpn is not using those protocols
10:24 < mithridates> can I change the port?
10:24 < dazo> yes
10:24 < mithridates> oh nice
10:24 < ecrist> mithridates: PPTP and L2TP aren't used by openvpn
10:24 < mithridates> what does it use?
10:24 < dazo> you can even use 443 if you'd like to ... even though vpn over tcp is only for cases when udp doesn't work
10:25 < mithridates> and I have a question about the performance of server
10:25 < dazo> it uses its own protocol, based on SSL
10:25 < mithridates> I will have aprxm 150 users
10:26 < mithridates> I want to get a dedicated server
10:26 < mithridates> which server do you recommend me with which specifications?
10:26 < dazo> should work fine .... people begin to complain when a single openvpn instance gets around 150-200 clients, that performance begins to drop
10:26 < mithridates> no no
10:27 < dazo> Any Intel Core Duo will do
10:27 < mithridates> I have to make separate account for each of them
10:27 < ecrist> just separate SSL certs
10:27 < dazo> yeah, you can have that ... and openvpn will separate each user
10:28 < mithridates> do you know any billing system for open vpn ( web based interface)
10:28 < mithridates> for user management , bandwidth management for users, ....
10:28 < mithridates> for these purposes
10:28 < ecrist> see Access Server
10:28 < ecrist> it's commercial
10:29 < mithridates> because it will be a commercial job
10:29 < mithridates> how much does it cost me for one year?
10:30 < ecrist> we don't support it here
10:30 < ecrist> talk to someone at OpenVPN Technologies
10:30 < mithridates> oh okey
10:30 < mithridates> and
10:30 < dazo> I'm developing and using eurephia (http://www.eurephia.net/) for user management and access control .... bandwidth management will be a task for the OS, but you can probably do some tweaks with some scripts as well, openvpn has a lot of hooks you can use for such things
10:30 < vpnHelper> Title: eurephia :: a flexible OpenVPN authentication module (at www.eurephia.net)
10:31 < mithridates> is there any program to generate client for openvpn?
10:31 < dazo> generate client?
10:31 < mithridates> client application
10:31 < mithridates> for example in windows there is a pbk file I think
10:32 < dazo> openvpn only provides the VPN tunnel nothing else, and you use whatever application on top of that
10:32 < mithridates> no no , I know that
10:33 < mithridates> I asked about a program because I want to set user information in that client application and send it to my user
10:33 < mithridates> instead of sharing information with him
10:34 < mithridates> oh I found it, access server has this feature
10:34 < dazo> I've created my own simple NSIS installer which downloads the needed pieces, and installs them without much user interference .... I send users a zip file containing the user specific config, and a URL to the installer .... the rest goes by itself
10:35 < mithridates> NSIS
10:36 < ecrist> I still posit that openvpn client should have config fetching/pushing in the protocol
10:36 < mithridates> nice
10:36 -!- piperin [n=piperin@cable-82-119-12-138.cust.blue-cable.de] has left ##openvpn []
10:37 < mithridates> thank u buddies
10:37 < dazo> yeah, but you don't want to push certificates and initial config via push ;-)
10:37 < mithridates> dazo , does NSIS need to do some programming ?
10:38 < dazo> mithridates: you need to write a NSIS script, yeah ... and then there is this NSIS compiler which gives you an executable for Windows
10:38 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
10:38 * dazo used the NSIS compiler in Fedora 11 to create Windows binaries ;-)
10:39 < mithridates> can I see ur client file that you generated?
10:39 < mithridates> the compiled one
10:40 < dazo> Rather not ... as that does contain some information I don't want to reveal .... I'll have a look at stripping it down, and you can have a look
10:40 < mithridates> oh thanks
10:40 < mithridates> ok
10:40 < mithridates> I'm not really familiar with windows :(
10:42 < dazo> that's joy! ;-)
10:42 < mithridates> thanks dazo
10:42 * dazo heads out
10:43 -!- dazo is now known as dazo_afk
10:47 -!- Avalloc [n=_@port-15421.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Go on, try it!"]
10:47 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
10:55 < mithridates> hey guys
10:55 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn
10:55 < mithridates> how much RAM do I need?
10:56 < mithridates> for 150 users
10:56 < cizzi> i have a ptp vpn established pushing a subnet but i can only ping the 1st ip of the subnet, it was working fine until i rebooted and restarted the tunnel, how can i debug this?
10:57 < ecrist> !configs
10:57 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
10:58 < ecrist> mithridates: I'd get a solid box with about 2GB of ram
10:58 < mithridates> ecrist: I want to share internet by NAT so do I need more cpu or more ram ?
10:59 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit [Client Quit]
10:59 < mithridates> ecrist: would you tell me a cheap solution for me?
11:01 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn
11:01 < cizzi> http://pastebin.ca/1723882
11:01 < cizzi> thats my configuration
11:01 < cizzi> i can only ping the 1st host of the pushed subnet
11:01 < cizzi> not the others
11:01 < cizzi> im trying to find out why
11:02 < ecrist> is the first host on that subnet your vpn server?
11:02 < cizzi> yes
11:03 < ecrist> do the rest of the machines on that subnet know how to route to the 10.8.0.0/30 network?
11:03 < cizzi> i added an entry in my router config
11:03 < cizzi> since im using a linksys wrt54g
11:04 < cizzi> and it was working fine until i rebooted
11:05 < ecrist> then you're missing that route
11:05 < cizzi> where? on the server's route?
11:05 < cizzi> where i can't ping to the other hosts?
11:05 < cizzi> i have this already
11:05 < cizzi> 192.168.50.0 10.8.0.1 255.255.255.0 UG 0 0 0 tun0
11:06 < cizzi> saying everything on 50.x go to 10.8.0.1 tunnel
11:07 < ecrist> um, on the other end
11:07 < cizzi> oh ok
11:07 < cizzi> the receiving ends?
11:07 < ecrist> yes
11:07 < cizzi> they need to point back to the source?
11:07 < ecrist> they need a way to get back
11:07 < cizzi> why would it have worked before though?
11:07 < ecrist> because you had the route
11:08 < cizzi> so i need to start a ptp on each one of them?
11:10 < cizzi> start openvn on each one?
11:10 < cizzi> openvpn
11:10 < cizzi> or just add a route
11:11 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit ["leaving"]
11:11 -!- hyper_ch [n=hyper@202-115.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
11:14 < ecrist> no
11:18 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has quit [Read error: 60 (Operation timed out)]
11:21 -!- r0fl [n=r0fl@95-88-194-54-dynip.superkabel.de] has joined ##openvpn
11:28 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:43 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"]
11:44 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
11:54 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
11:58 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
12:05 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: Ziber, mithridates, jhp_, |Mike|
12:07 -!- Netsplit over, joins: Ziber
12:07 -!- jhp [n=jhp@zeus.jhprins.org] has joined ##openvpn
12:10 -!- |Mike| [i=mike@2001:1af8:2:444:0:0:0:2] has joined ##openvpn
12:11 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
12:17 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has joined ##openvpn
12:23 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: krzie, Optic, bvierra, LittleJ, LobbyZ, fkr
12:24 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
12:27 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
12:27 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
12:27 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
12:27 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
12:27 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
12:27 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
12:49 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"]
12:49 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit [Read error: 54 (Connection reset by peer)]
12:50 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
12:51 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: krzie, Optic, bvierra, LittleJ, LobbyZ, fkr
12:56 -!- _LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
12:59 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn
13:01 -!- blistov [n=bens@static-66-38-159-228.gtcust.grouptelecom.net] has joined ##openvpn
13:02 < blistov> I've got a tunnel established, for the life of me, i can't convince packets to route from one remote subnet, to another.
13:02 < blistov> is there some special option which prevents this?
13:07 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has quit [Remote closed the connection]
13:11 < julius> is kernel routing enabled on your server?
13:12 < ecrist> !iroute
13:12 -!- X-Raimo [n=alexmura@ppp94-29-70-50.pppoe.spdop.ru] has joined ##openvpn
13:12 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
13:12 < ecrist> !route
13:12 < X-Raimo> hi I need help with openVPN. Setup VPN Server. But can make normal routing. The deal is: when client connects to VPN Server, he is able to see LAN, but can go to Internet.
13:12 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:13 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has joined ##openvpn
13:14 < X-Raimo> but cannot go to Internet
13:19 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has quit [Remote closed the connection]
13:20 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has joined ##openvpn
13:20 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
13:20 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
13:20 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
13:20 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
13:20 -!- fkr [i=fkr@news.bytemine.net] has joined ##openvpn
13:21 -!- _LittleJ is now known as LittleJ
13:21 < cizzi> i have a ptp connection established pushing a subnet but can only ping the 1st host of the subnet
13:21 < cizzi> someone tried to help me before
13:21 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: krzee
13:21 < ecrist> I did, then you left.
13:22 < cizzi> yes had to go for lunch
13:22 < cizzi> when i came back i tried to add routes to the other ones but didnt work
13:22 < ecrist> !route
13:22 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
13:22 < ecrist> !iroute
13:22 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
13:23 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has joined ##openvpn
13:24 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"]
13:25 < cizzi> i noticed i have ip forwarding disabled on one server
13:25 < cizzi> ip_forward 0
13:26 < cizzi> is that reset when i rebooted perhaps
13:28 < ecrist> if you set it manually
13:28 < cizzi> would this be a cause of my problem?
13:28 < cizzi> do i have to enable it on all subnet hosts?
13:29 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
13:29 < cizzi> shit
13:29 < cizzi> that was it
13:29 < cizzi> i figured it out alone
13:29 < cizzi> thanks to your !command
13:30 < cizzi> i started reading :)
13:30 -!- X-Raimo [n=alexmura@ppp94-29-70-50.pppoe.spdop.ru] has left ##openvpn []
13:35 -!- cizzi [n=cizzi@modemcable169.173-176-173.mc.videotron.ca] has quit ["Lost terminal"]
13:43 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
13:54 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.14/2009082707]"]
14:13 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has joined ##openvpn
14:14 -!- nemysis is now known as Guest77099
14:14 -!- Guest77099 [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has quit [Client Quit]
14:19 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has joined ##openvpn
14:19 -!- nemysis is now known as Guest81242
14:30 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
14:31 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has joined ##openvpn
14:31 < DammitJim> hi all... is it possible to do a site to multi site vpn with the same subnet?
14:33 < ecrist> yes
14:34 < DammitJim> I guess all I need to worry about is that I don't mix up the IP addresses, right?
14:35 < DammitJim> like the one openvpn server is 10.20.30.1 and one openvpn client is 10.20.30.254 and another openvpn client 10.20.30.200 or something, right?
14:35 < ecrist> yu
14:35 < ecrist> p
14:36 < DammitJim> thanks
14:36 < blistov> How do you get ovpn server to use ccd?
14:37 < blistov> i've created a new client1.key which IS named, and sent it to the client. created ccd/client1 and restarted. client1 is not being sent the iroute from ccd/client1
14:37 < ecrist> !ccd
14:37 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
14:38 < blistov> client-config-dir is set to ccd
14:38 < blistov> relative paths work for keys, I assume they work in this case as well?
14:38 < ecrist> yes, they do
14:38 < ecrist> !logs
14:38 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
14:40 < blistov> hrm. server logs refer to connecting client1 as "client1" but options from ccd/client1 are not being pushed as far as I can tell.
14:40 < blistov> I have an iroute as well as ifconfig-push
14:45 -!- Guest81242 [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has quit ["Leaving"]
14:47 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has joined ##openvpn
14:48 -!- nemysis is now known as Guest9539
14:48 -!- Guest9539 [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has quit [Read error: 54 (Connection reset by peer)]
14:48 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit ["Leaving"]
14:49 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has joined ##openvpn
14:49 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has quit [Client Quit]
14:52 -!- tstebut [n=tanguy@93.4.100.94] has joined ##openvpn
14:53 < tstebut> Hello
14:53 -!- DammitJim [n=DammitJi@41-117.202-68.tampabay.res.rr.com] has left ##openvpn ["I ♥ E17"]
14:54 < tstebut> My problem is that my client domain is successfully started by /etc/init.d/openvpn start, but the tun0 network interface isn't mounted
14:54 < tstebut> ifconfig tun0
14:54 < tstebut> tun0: error fetching interface information: Device not found
14:54 -!- nemysis [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has joined ##openvpn
14:54 -!- nemysis is now known as Guest84369
14:55 -!- Guest84369 [n=misterbe@cable-94-189-151-15.dynamic.sbb.rs] has left ##openvpn ["Leaving"]
14:57 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:58 < Bushmills> tstebut: modprobe -l tun
14:59 < blistov> nothing doing. ovpn server is not reading ccd/client1
14:59 < blistov> when client1 connects, server recognizes it as client1, but does not bother with ccd
15:01 < Bushmills> blistov: on server, do grep client-config-dir server.conf (in your openvpn config dir. assuming server config file is server.conf)
15:02 < blistov> correct.
15:03 < blistov> it is there.
15:03 < blistov> client-config-dir ccd
15:03 < Bushmills> restarted server, or reloaded config, since it had been added?
15:03 < blistov> yup.
15:04 < Bushmills> scratch that as possible reason then
15:04 < blistov> I stupidly however, wiped out my entire openvpn directory, so i'm starting from scratch now :)
15:04 < blistov> sooo tired.
15:05 < Bushmills> i find that a cup of coffee powder with a spoonful of water usually helps
15:07 < tstebut> Bushmills: modprobe -l tun
15:07 < tstebut> kernel/drivers/net/tun.ko
15:08 -!- ruied [n=ruied@89.214.244.168] has quit [Read error: 110 (Connection timed out)]
15:08 < blistov> Bushmills, I'll get back to you when I've got a working tunnel again :)
15:09 < Bushmills> tstebut: then your system appears to support tun, but your client doesn't connect to server
15:09 < tstebut> right
15:10 -!- ribasushi [n=rabbit@dslb-084-063-048-214.pools.arcor-ip.net] has quit [Read error: 54 (Connection reset by peer)]
15:10 < tstebut> is it another port to open ?
15:10 < Bushmills> check logs
15:29 -!- tstebut [n=tanguy@93.4.100.94] has quit [Read error: 110 (Connection timed out)]
15:33 -!- tstebut [n=tanguy@57.107.85-79.rev.gaoland.net] has joined ##openvpn
15:35 < tstebut> Bushmills , how can I know if the remote host is open ?
15:35 < tstebut> I mean the remote host port
15:35 < Bushmills> read client log
15:36 < tstebut> It says "connectivity problem"
15:36 < tstebut> client log wont help
15:36 < tstebut> do you want the stack ?
15:36 < Bushmills> alternatively, disable server firewall and make sure server runs and binds to interface
15:36 < Bushmills> netstat helps.
15:36 < Bushmills> ps aux too
15:39 < tstebut> Yep, so that's right
15:39 < tstebut> it's not listening on 1194 port
15:41 < tstebut> I don't understand, as it is configured to be like this
15:42 -!- blistov [n=bens@static-66-38-159-228.gtcust.grouptelecom.net] has quit [Remote closed the connection]
15:54 < tstebut> the vpn server doesn't listen on a port, and I don't have problem in logs
15:58 -!- ruied [n=ruied@bl7-214-92.dsl.telepac.pt] has joined ##openvpn
16:05 < tstebut> Okay, I found out something, thank you Bushmills
16:06 < tstebut> In fact, and I don't know for what reason, UDP protocol is not supported by one or another of my server
16:06 < Bushmills> firewall
16:06 -!- blistov [n=bens@static-66-38-159-228.gtcust.grouptelecom.net] has joined ##openvpn
16:07 < blistov> ok, i think i'm missing something obvious here.
16:07 < blistov> i have an ovpn server and client.
16:07 < blistov> behind server, i have network 10.0.0.0/16 and behind client i have 10.5.0.0/16
16:07 < blistov> i want both networks to be able to talk to each other.
16:08 < tstebut> yeah, but I'm not sure how to configure them....server side and/or client side
16:08 < ecrist> !iroute
16:08 < vpnHelper> ecrist: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefore belongs in a ccd entry. Also see !route and !ccd
16:08 < ecrist> !route
16:08 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
16:09 < ecrist> blistov: those two are for you
16:09 < blistov> ecrist, I THOUGHT I understood route and iroute, but all the examples I find, don't seem to work.
16:10 < blistov> on the server i have route 10.5.0.0/16, and in ccd/client1 i have iroute 10.5.0.0 and ifconfig-push 172.16.1.9 172.16.10
16:10 < blistov> Is this incorrect?
16:10 < blistov> the client isn't being given the specified IP.
16:10 < blistov> but according to the logs, it IS client1 connecting
16:10 < ecrist> !configs
16:10 < ecrist> !logs
16:10 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
16:10 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
16:12 < tstebut> Bushmills, I'm using shorewall
16:13 < Bushmills> disable it, test again
16:13 < tstebut> :/
16:14 < blistov> http://pastebin.com/m9b81e55
16:15 < blistov> ifconfig-push 172.16.1.9 172.16.1.10 is the actual ifconfig-push
16:15 < tstebut> Bushmills, listen, I disabled shorewall on both sides, and it still doesn't work in UDP mode
16:17 < Bushmills> tstebut: try netcat to set up n udp listener on server side, send something, again using netcat, from client to server.
16:17 < Bushmills> set up An udp listener ...
16:17 < Bushmills> if that fails, openvpn won't be able to get through either.
16:18 < Bushmills> if that succeeds, try reverse
16:18 < tstebut> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
16:18 < tstebut> Dec 22 23:17:52 mad-processor ovpn-vpn.stebbot.com[5374]: TLS Error: TLS handshake failed
16:18 -!- int_ [n=quassel@int.matrixtelecom.net] has joined ##openvpn
16:19 < Bushmills> if that fails to, it could be one of the cases in which you may have to contemplate trying or using tcp
16:19 < Bushmills> too
16:19 -!- int [n=quassel@wikia/int] has quit [Read error: 113 (No route to host)]
16:21 < blistov> ecrist, http://pastebin.com/m9b81e55
16:21 < blistov> ecrist, ifconfig-push 172.16.1.9 172.16.1.10 is the actual ifconfig-push
16:21 < blistov> the client is receiving an IP of 172.16.1.6 172.16.1.5 instead of 9 and 10
16:21 < blistov> so I'm assuming the ccd isn't being read
16:24 -!- int_ [n=quassel@wikia/int] has quit [Read error: 104 (Connection reset by peer)]
16:24 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:24 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn
16:24 < tstebut> Bushmills I'd like to know if my server is in a LAN where Firewall drops UDP...
16:25 < tstebut> How can I test remotely that my udp port is open
16:25 < tstebut> oh sorry, I just read your message quietly
16:25 < tstebut> ;)
16:25 < tstebut> :/
16:25 < ecrist> blistov: looking
16:29 < blistov> ecrist, oh, ps. right now, in the server logs, i see this
16:29 < blistov> Tue Dec 22 15:27:22 2009 client1/96.52.139.195:50617 MULTI: bad source address from client [96.52.139.195], packet dropped
16:29 < ecrist> blistov: you can't ifconfig push the 10.5 address
16:30 < ecrist> what you need is this:
16:30 < blistov> ecrist, sorry, i meant to fix that before sending.
16:30 < blistov> the ifconfig-push is ACTUALLY 172.16.1.9 172.16.1.10
16:31 < blistov> All the routes look correct on both machines.
16:31 < ecrist> client1 ccd with: iroute 10.5.0.0 255.255.0.0 ifconfig-push 172.16.1.21 172.16.1.22 route 10.0.0.0/16 172.16.1.25
16:32 < ecrist> client2 ccd with: iroute 10.0.0.0 255.255.0.0 ifconfig-push 172.16.1.25 172.16.1.26 route 10.5.0.0/16 172.16.1.21
16:32 < ecrist> change those route lines to: push "route ..."
16:34 < blistov> um... I need client1 to talk to 10.0.0.0/16 which is behind the server.
16:34 < blistov> so there is no client1
16:34 < blistov> sorry, there is no client2
16:34 * ecrist is confused now
16:34 < ecrist> oh, nm
16:35 < blistov> 10.5.0.0/16 is behind client1. 10.0.0.0/16 is behind server
16:35 < ecrist> you push route in the server config then
16:35 < blistov> right.
16:35 < blistov> and i have.
16:35 < blistov> but, i don't think ccd is being used, as the IP i specify in ccd/client1 isn't being used.
16:35 < blistov> so i don't think the iroute is working.
16:35 < blistov> the routes according to route -n on server and client1, are correct.
16:35 < ecrist> you're missing push "route 10.5.0.0 255.255.0.0" in server config
16:36 < ecrist> and, is the cname for your client actually called 'client1'?
16:36 < blistov> thats what I specified when i created the key.
16:36 < blistov> i must be missing something ?
16:37 * ecrist still hasn't seen logs or client config
16:37 < blistov> one minute.
16:37 < blistov> :)
16:40 < krzie> reiffert that piechart for plotutils is EXACTLY what i wanted =]
16:40 < krzie> its working perfect, im finishing building it into my .sh suite
16:41 < blistov> ecrist, http://pastebin.com/m112d0d33
16:43 < blistov> ecrist, http://pastebin.com/m62b4b868
16:43 < ecrist> blistov: it appears your CN is metaform-ca
16:43 < blistov> thats the server
16:43 < ecrist> oh, nm, looking at wrong line
16:43 < ecrist> blistov: http://www.void.gr/kargig/blog/2008/05/17/openvpn-multi-bad-source-address-from-client-solution/
16:43 < vpnHelper> Title: Openvpn MULTI: bad source address from client solution | Into.the.Void. (at www.void.gr)
16:45 < ecrist> otherwise, looking at your logs, everything looks OK
16:47 < blistov> ecrist, :) right, but packets won't route from the tun0 to the eth0 interfaces.
16:47 < blistov> i've completely disabled the firewall as well.
16:47 < blistov> ip_forward is 1
16:47 < blistov> if we use NAT before traffic hits the firewall, everything works.
16:48 < blistov> ecrist, and client1 isn't being given the specified IP.
16:49 < blistov> ie: Tue Dec 22 15:48:47 2009 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.0.0.3,dhcp-option DOMAIN sentai.stld,route 10.0.0.0 255.255.0.0,route 172.16.1.1,topology net30,ping 10,ping-restart 120,ifconfig 172.16.1.6 172.16.1.5'
16:49 < tstebut> Bushmills, I can't simply play with netcat, even locally, firewall off
16:51 < tstebut> Checking logs
16:51 < Bushmills> why not?
16:55 < blistov> ecrist, i also added another push "route 10.11.0.0 255.255.255.0" to ccd/client1 to see if it would be pushed to the client1, and it did not.
16:56 < ecrist> then ccd isn't being read
17:00 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
17:02 < blistov> ecrist, but no ideas as to why that may be?
17:02 < blistov> I'm completely out at this point.
17:15 < blistov> I did just notice that when I set --ccd-exclusive, auth fails.
17:22 < tstebut> Okay, sorry 17:22 < tstebut> It was about firewall 17:23 < tstebut> All fine now 17:23 < tstebut> Except one thing...Actually, I'd like to chose ip addresses...Seems to be managed by a DHCP system 17:25 < krzie> !iporder 17:25 < vpnHelper> krzie: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 17:27 < blistov> !static 17:27 < vpnHelper> blistov: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 17:27 < blistov> !ccd 17:27 < vpnHelper> blistov: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 17:31 -!- Bushmills [n=nnBushmi@88.198.39.174] has left ##openvpn ["Leaving."] 17:34 -!- blistov [n=bens@static-66-38-159-228.gtcust.grouptelecom.net] has quit ["Leaving"] 17:37 -!- MJD [n=quassel@bas7-hamilton14-1279734884.dsl.bell.ca] has joined ##openvpn 17:38 -!- Bushmills [n=nnBushmi@88.198.39.174] has joined ##openvpn 18:01 < tstebut> Hummm....how can Iassign a specific ip address to my openvpn server (eg x.x.x.254 to replace x.x.x.1) 18:06 < krzie> read up on --server in the manual 18:07 < krzie> you could try overriding the setting you wanna change by putting it after --server, if that doesnt work you have to stop using server and manually enter everything that applies to you from the server command 18:08 < krzie> but unless you are using topology subnet .254 might not be an option 18:08 < tstebut> krzie, ca you explain the topology thing ? 18:09 < krzie> !topology 18:09 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 18:09 < krzie> !/30 18:09 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 18:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)] 18:19 < tstebut> Okay thanks 18:19 < tstebut> FInally my question is : will the server address always be x.y.z.1 ??? 
18:24 < tstebut> well I will sleep a little, and tomorrow that'll be so clear I suppose
18:24 < tstebut> 'night
18:31 -!- MJD [n=quassel@bas7-hamilton14-1279734884.dsl.bell.ca] has quit [Read error: 110 (Connection timed out)]
18:36 -!- rwp [n=bob@joseki.proulx.com] has quit [Read error: 110 (Connection timed out)]
18:41 -!- tstebut [n=tanguy@57.107.85-79.rev.gaoland.net] has quit [Read error: 110 (Connection timed out)]
19:13 -!- thedonvaughn [n=thedonva@unaffiliated/printk] has quit ["leaving"]
19:36 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Read error: 104 (Connection reset by peer)]
19:40 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has joined ##openvpn
19:53 -!- mlaci [n=MondaLac@unaffiliated/mlaci] has quit [Read error: 60 (Operation timed out)]
19:59 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
20:20 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn
20:47 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has joined ##openvpn
20:55 -!- ruied [n=ruied@bl7-214-92.dsl.telepac.pt] has quit [Read error: 60 (Operation timed out)]
21:56 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
22:02 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has joined ##openvpn
22:05 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
22:14 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 54 (Connection reset by peer)]
23:07 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:13 -!- magyar [n=magyar@76-10-176-50.dsl.teksavvy.com] has quit [Read error: 60 (Operation timed out)]
23:13 -!- magyar [n=magyar@76-10-176-50.dsl.teksavvy.com] has joined ##openvpn
23:34 -!- zeus [n=notroot@200.2.139.19] has joined ##openvpn
23:51 < zeus> Tue Dec 22 19:50:06 2009 us=488491 Note: Attempting fallback to kernel 2.2 TUN/TAP interface
23:51 < zeus> Tue Dec 22 19:50:06 2009 us=490763 Cannot allocate TUN/TAP dev dynamically
23:51 < zeus> woops
23:55 -!- zeus [n=notroot@200.2.139.19] has quit [Remote closed the connection]
--- Day changed Wed Dec 23 2009
00:30 -!- hyper_ch [n=hyper@adsl-188-155-11-165.adslplus.ch] has quit [Remote closed the connection]
00:32 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
00:51 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit []
01:21 -!- hyper_ch [n=hyper@169-191.78-83.cust.bluewin.ch] has joined ##openvpn
01:32 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn
02:18 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has joined ##openvpn
02:18 < sakhi> how do I renew a vpn key?
02:18 < sakhi> openvpn key
02:22 < endre> maybe with openssl?
02:24 < endre> or did you mean tunnel session keys?
02:29 -!- Avalloc [n=_@port-13663.pppoe.wtnet.de] has joined ##openvpn
02:43 -!- dazo_afk is now known as dazo
02:59 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
03:01 -!- ribasushi [n=rabbit@dslb-084-063-048-214.pools.arcor-ip.net] has joined ##openvpn
03:01 < ribasushi> anybody else here using a working multihomed setup?
03:01 < ribasushi> I got stung by this: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562099
03:01 < vpnHelper> Title: #562099 - openvpn: --multihome broken in latest version - Debian Bug report logs (at bugs.debian.org)
03:05 -!- master_o1_master [n=master_o@p57B5712C.dip.t-dialin.net] has joined ##openvpn
03:16 < dazo> ribasushi: I would recommend posting this to the openvpn-users mailing list ... this is a pretty serious thing, and the developer(s) are paying more attention to the mailing list
03:17 -!- ruied [n=ruied@92.250.121.107] has joined ##openvpn
03:17 < ribasushi> dazo: ok, will do
03:18 -!- master_of_master [i=master_o@p57B576D9.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:23 -!- hyper_ch [n=hyper@169-191.78-83.cust.bluewin.ch] has quit [Read error: 104 (Connection reset by peer)]
03:24 -!- hyper_ch [n=hyper@169-191.78-83.cust.bluewin.ch] has joined ##openvpn
03:28 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
03:30 -!- Avalloc [n=_@port-13663.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <-"]
03:35 < krzee> ribasushi, but please do share your solution on the wiki!
03:35 < ribasushi> ?
03:35 < ribasushi> downgrading is hardly a solution to share...
03:36 < ribasushi> (besides I shun wikis)
03:36 < krzee> what exactly do you mean by multihome?
03:37 < ribasushi> errrr when openvpn listens on 0.0.0.0 before (iirc rc8) UDP responses would always fly out the main gateway
03:38 < ribasushi> then rc8 introduced a --multihome option which would fix this behavior (proper connection rebinding)
03:38 < krzee> ahh
03:38 < ribasushi> then somewhere after rc11 it apparently broke
03:38 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 110 (Connection timed out)]
03:38 < krzee> interesting, thanx for the info
03:39 < krzee> when i said that bout the wiki i was thinkin something else
04:00 -!- trine_ [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
04:00 -!- trine_ is now known as _trine
04:01 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
04:02 -!- grub_booter_ is now known as grub_booter
04:02 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn
04:02 < exes> has anyone seen this before: tun0: Disabled Privacy Extensions
04:02 < exes> happens when I restart the daemon
04:02 < exes> I can't connect to the port it's listening on
04:03 < exes> # netstat -ln | grep 1500
04:03 < exes> udp 0 0 0.0.0.0:1500 0.0.0.0:*
04:11 -!- ruied [n=ruied@92.250.121.107] has quit [Read error: 60 (Operation timed out)]
04:37 < dazo> exes: are you using --persist-tun in the config file?
04:49 -!- ruied [n=ruied@92.250.121.107] has joined ##openvpn
04:50 -!- Sky[x] [n=mihaaaa@88.200.89.41] has joined ##openvpn
04:51 -!- sant0 [n=chatzill@187-26-142-112.3g.claro.net.br] has joined ##openvpn
04:55 -!- rubin110 [n=rubin110@70.36.142.11] has left ##openvpn []
04:58 < sant0> anyone know howto openvpn up between server and client linux windows ... would like to install this but a little tricky
04:59 < sant0> anyone know howto openvpn up between server linux and client windows ... would like to install this but a little tricky
05:00 < Bushmills> !howto
05:00 < vpnHelper> Bushmills: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
05:00 < Bushmills> sant0: install, configure, run
05:02 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
05:02 < theDoc> Greetings all. :)
05:03 < sant0> vpnHelper: thank you, have a nice day
05:03 < vpnHelper> sant0: Error: "thank" is not a valid command.
05:18 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:23 -!- pergaminho [n=pergamin@187.7.137.142] has joined ##openvpn
05:25 -!- ruied [n=ruied@92.250.121.107] has quit [Read error: 60 (Operation timed out)]
05:25 -!- ruied [n=ruied@92.250.121.107] has joined ##openvpn
05:28 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
05:34 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
05:40 -!- pergaminho [n=pergamin@187.7.137.142] has quit ["Leaving"]
05:55 -!- Sky[x] [n=mihaaaa@88.200.89.41] has quit []
06:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
06:46 < ecrist> good morning
06:59 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
07:02 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
07:09 -!- DTEIT [n=Pier@ip-117-158.sn2.eutelia.it] has joined ##openvpn
07:09 < DTEIT> hi all
07:09 < DTEIT> i have a strange problem with openvpn
07:10 < DTEIT> i'm trying to connect to a vpn server, it connects but after a while i'm not able to ping or reach anything
07:10 < DTEIT> after an inactivity timeout i get again the connection
07:12 < ecrist> !logs
07:13 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
07:13 < DTEIT> i'm not able to get to the server...in the client log i just see a timeout
07:14 < ecrist> I didn't ask you what you saw, I asked you to post your logs.
07:16 < DTEIT> http://nopaste.info/3c4bba08b2.html
07:16 < DTEIT> right now it's not going
07:17 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 60 (Operation timed out)]
07:17 < DTEIT> i have a ping running to the remote lan...it goes only for few seconds
07:17 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
07:17 < ecrist> what is the client's LAN ip address before trying to connect to the vpn?
07:18 < DTEIT> 192.168.0.X
07:19 < DTEIT> i've tried from linux and windows as well the same problem
07:19 < ecrist> line 27 is your problem
07:19 < DTEIT> could be the cisco router?
07:19 < ecrist> your vpn server is pushing a route for your local lan
07:19 < ecrist> no
07:20 < ecrist> read line 27 from your paste
07:20 < ecrist> the first route pushed conflicts with your local lan - the vpn goes down because it loses its default gateway, which in turn drops your vpn connection
07:21 < DTEIT> the first line is this one 192.168.1.0
07:21 < ecrist> yes
07:21 < DTEIT> i have 192.168.0.0
07:21 < DTEIT> both /24
07:22 < ecrist> my mistake
07:22 < ecrist> we'll need the server logs
07:22 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: ScriptFanix, jhp, ^scott^, mrnice1, Typone, |Mike|, zykes-
07:23 < DTEIT> i cannot access it from outside without vpn
07:23 -!- ruied [n=ruied@92.250.121.107] has quit [Read error: 110 (Connection timed out)]
07:23 < ecrist> ok, we still need them
07:24 -!- Netsplit over, joins: mrnice1, ^scott^, Typone, zykes-, ScriptFanix, jhp, |Mike|
07:25 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:28 -!- IronDaemon [n=IronDaem@87.240.202.236] has joined ##openvpn
07:30 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn
07:32 -!- IronDaemon [n=IronDaem@87.240.202.236] has quit [Client Quit]
07:37 -!- dazo is now known as dazo_afk
07:40 -!- dazo_afk is now known as dazo
07:44 -!- Shubuntu [n=Me@60-242-110-240.tpgi.com.au] has joined ##openvpn
07:44 < Shubuntu> hi, i want to set up a vpn server to connect to from windows client and browse through my server, can anyone please help me
07:49 < DTEIT> i was able to get in the server
07:49 < DTEIT> here's the log http://nopaste.info/18cc5334c4.html
07:51 < DTEIT> i see it restart every 2 minutes
07:53 < DTEIT> i see every time this appears
07:53 < DTEIT> MULTI: multi_create_instance called
08:04 < ecrist> you're going to see that every two minutes, look at the line 'ping-restart 120'
08:05 < ecrist> DTEIT: have you read line 24 of that log?
08:05 < ecrist> it appears you have two systems connecting with the same client certificate
08:06 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
08:18 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
08:22 -!- int [n=quassel@wikia/int] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
08:35 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit [Read error: 104 (Connection reset by peer)]
08:35 < DTEIT> ecrist: sorry i was away
08:35 < DTEIT> i should be alone
08:35 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
09:12 -!- nuhiNlow [i=bouncer@adsl-69-155-56-149.dsl.ablntx.swbell.net] has joined ##openvpn
09:16 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
09:47 -!- nicros [n=craver@208.53.57.220] has quit [Read error: 110 (Connection timed out)]
10:01 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:08 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
10:09 -!- hyper_ch [n=hyper@169-191.78-83.cust.bluewin.ch] has quit [Remote closed the connection]
10:14 -!- shaiguitar [n=shaiguit@93-172-54-52.bb.netvision.net.il] has joined ##openvpn
10:14 < shaiguitar> Hello, anyone around ?
10:15 < shaiguitar> !redirect
10:15 < vpnHelper> shaiguitar: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
10:15 < shaiguitar> !def1
10:15 < vpnHelper> shaiguitar: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
10:21 < nuhiNlow> hmm. my win7 client can ping thru to my network but i cannot ping him
10:28 < dazo> nuhiNlow: --client-to-client?
10:30 < nuhiNlow> he can't seem to move the adapter into the trusted zone
10:34 -!- rajin [n=_@port-13663.pppoe.wtnet.de] has joined ##openvpn
10:38 < dazo> nuhiNlow: do you have --client-to-client configured on your server?
10:38 < dazo> nuhiNlow: you might also want to have a look at !route
10:38 < dazo> !route
10:38 < vpnHelper> dazo: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
10:39 < nuhiNlow> dazo yes, thanks. my tester went to breakfast so no go for now
10:39 < nuhiNlow> i think it's his win7 firewall
10:41 < dazo> nuhiNlow: if you do not have --client-to-client .... you will not be able to pass traffic between two openvpn clients which are connected to the same server .... and to route traffic back behind an openvpn client, you need to use --iroute as well (described in !route)
10:41 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
10:41 < dazo> nuhiNlow: but firewall might be the case as well
10:42 < dazo> nuhiNlow: why not just try to disable firewall on that interface completely? Just to see if that helps
10:42 < nuhiNlow> i'm pushing a route, i guess i didn't describe well.. he can ping my workstation behind the server, the remote client can
10:42 < nuhiNlow> he can't figure out how to disable his fw
10:42 < dazo> nuhiNlow: iroute and route are two different things ... and they do completely different things
10:42 < nuhiNlow> phone
10:42 < dazo> aha
10:44 -!- shaiguitar [n=shaiguit@93-172-54-52.bb.netvision.net.il] has quit ["Why not?"]
10:44 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
10:56 -!- sant0 [n=chatzill@187-26-142-112.3g.claro.net.br] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
10:59 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:17 -!- srosenfe1d [n=shaiguit@67.219.148.23] has joined ##openvpn
11:18 < srosenfe1d> !redirect
11:18 < vpnHelper> srosenfe1d: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:18 < srosenfe1d> !def1
11:18 < vpnHelper> srosenfe1d: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:18 < srosenfe1d> !man
11:18 < vpnHelper> srosenfe1d: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
11:19 -!- holister [n=ryan@static-151-204-189-39.pskn.east.verizon.net] has quit [Read error: 110 (Connection timed out)]
11:20 -!- bobdoes1 [n=trsonder@174.141.123.86.nw.nuvox.net] has quit [Read error: 54 (Connection reset by peer)]
11:30 < srosenfe1d> argggggg
11:30 < srosenfe1d> redirect-gateway fail fail fail
11:33 -!- Shubuntu [n=Me@60-242-110-240.tpgi.com.au] has quit [Remote closed the connection]
11:37 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
11:37 -!- dazo is now known as dazo_afk
11:40 -!- srosenfe1d [n=shaiguit@67.219.148.23] has left ##openvpn []
11:43 -!- srosenfe1d [n=shaiguit@67.219.148.23] has joined ##openvpn
11:43 < srosenfe1d> Perhaps someone knows of a way to pipe all traffic through tunnelblick (openvpn)? It seems the VPN is up, but most of the traffic is routed as it was (however I can ping the VPN server). OpenVPN options are configured; it seems to be a mac osx issue / tunnelblick ... anyone have any pointers/ideas ?
11:43 < srosenfe1d> Perhaps someone knows of a way to pipe all traffic through tunnelblick (openvpn)? It seems the VPN is up, but most of the traffic is routed as it was (however I can ping the VPN server). OpenVPN options are configured; it seems to be a mac osx issue / tunnelblick ... anyone have any pointers/ideas ?
11:44 -!- DTEIT [n=Pier@ip-117-158.sn2.eutelia.it] has quit [""tschuess...""]
11:49 < optiz0r> !redirect
11:49 < vpnHelper> optiz0r: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:50 < optiz0r> srosenfe1d: you probably want that ^^
11:57 -!- Nitrus^ [n=anonymou@cpe-76-176-28-51.san.res.rr.com] has joined ##openvpn
11:58 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has left ##openvpn []
11:59 < Nitrus^> i have an openvpn server behind a router that i'm connecting to and can ping its address just fine (internal addy) but i'm unable to ping internal clients. client-to-client is enabled but i believe it's because this box is not the internal router so it doesn't direct me properly. is there anything i need to add to my config to deal with the scenario where the openvpn server is not the default gw for the internal network?
11:59 < Nitrus^> ipv4 forwarding is enabled as well
11:59 < Nitrus^> or do i need to add a route to my router so clients know how to access that network?
12:00 < Bushmills> Nitrus^: doesn't matter whether it is default gateway or not, as long as proper routes have been set
12:08 -!- nuhiNlow [i=bouncer@adsl-69-155-56-149.dsl.ablntx.swbell.net] has left ##openvpn ["I was raided by the FBI and all I got to keep was this lousy quit message!"]
12:24 < Nitrus^> is there a way to enable rip on ovpn so it will broadcast the network it has created?
12:25 < ecrist> !rip
12:25 < vpnHelper> ecrist: Error: "rip" is not a valid command.
12:25 < ecrist> Nitrus^: I don't think so
12:25 < ecrist> !wiki
12:25 < vpnHelper> ecrist: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
12:25 < ecrist> go there, there is an article about RIP
12:40 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
12:40 < Nitrus^> sweet
12:40 < Nitrus^> thanks!
12:41 < Nitrus^> for now i just setup a static route at my gateway router but i will use this setup in future
12:41 -!- Nitrus^ [n=anonymou@cpe-76-176-28-51.san.res.rr.com] has quit []
12:57 -!- aditsu [n=aditsu@n1164942217.netvigator.com] has joined ##openvpn
13:00 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
13:00 < aditsu> hi, I'm pushing dhcp-option DNS from the server, is it possible to override that on a particular client? preferably on the client side
13:01 < ecrist> yes, but it gets complicated
13:01 < ecrist> in client config you can do a --no-pull I think
13:02 < aditsu> can't find that on the man page
13:02 < aditsu> also I still want to push other things to that client (just not dhcp options)
13:03 -!- LowKey [i=rhel@72.20.37.172] has quit [Remote closed the connection]
13:04 < ecrist> then just have a custom ccd entry for that user
13:04 < ecrist> and omit the dns
13:05 < aditsu> ok I'll study that
13:06 < ecrist> !ccd
13:06 < vpnHelper> ecrist: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name
13:06 < aditsu> thanks, I'm reading in the howto
13:13 < aditsu> ah, I may need push-reset
13:13 < ecrist> :)
13:14 < aditsu> or.. I can put the dhcp options in the DEFAULT file
13:14 < aditsu> if I understand correctly
13:15 < aditsu> I'll try push-reset for now
13:20 < aditsu> ok I think it worked
13:21 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
13:22 < aditsu> I think DEFAULT will be a better solution, I won't need to re-push the routes, but I need to make sure I don't break other clients
13:38 -!- aditsu [n=aditsu@n1164942217.netvigator.com] has left ##openvpn []
13:44 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
14:03 -!- dmz [n=dmz@64.203.207.101.dyn-cm-pool-54.hargray.net] has joined ##openvpn
14:04 < dmz> howdy y'all, we're using openvpn with a 2 factor auth server (cryptocard, via pam/radius) and i think that when the keys get rotated or something happens like that then the client side tries to reauth and since pw has changed (one time use pw) it requires them to relogon ..ever hear of anything like this; is there a way i can extend anything that would try to reauth/rekey to happen 1x / day instead of every hour?
14:15 < ecrist> dmz: someone was here last week or the week before with a similar problem
14:15 < ecrist> google for OPIE openvpn or something similar
14:15 < ecrist> !irclogs
14:15 < vpnHelper> ecrist: "irclogs" is (#1) http://www.secure-computing.net/logs/openvpn.txt.gz (updated every half hour, on the half-hour, when ecrist is online.), or (#2) http://www.secure-computing.net/logs/openvpn.html for the stats, or (#3) http://www.secure-computing.net/logs/openvpn-last30.html for stats from the last 30 days.
14:15 < ecrist> or feel free to search those logs. ;)
14:16 < ecrist> unzipped, it's 18M of text
14:42 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
14:47 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Read error: 104 (Connection reset by peer)]
14:48 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
14:53 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Read error: 54 (Connection reset by peer)]
15:11 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
15:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)]
15:18 -!- MJD [n=quassel@CPE00e0b8af23c1-CM001e6b187c5e.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
15:24 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)]
15:26 -!- kosmic [n=bodhi@unaffiliated/spice] has joined ##openvpn
15:27 < kosmic> !topology
15:27 < vpnHelper> kosmic: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions.
15:34 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.14/2009082707]"]
15:35 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:52 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has joined ##openvpn
15:54 -!- rajin [n=_@port-13663.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Chicks dig it"]
16:24 -!- nev [n=nev@1503027212.seas-nve.dbnet.dk] has quit [Read error: 104 (Connection reset by peer)]
16:30 -!- hoop [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has joined ##openvpn
16:30 < hoop> hi, i'm looking for sample files to connect an openvpn from Windows 2008R2 (windows is client)
16:32 -!- hacim [n=micah@debian/developer/micah] has left ##openvpn []
16:33 < krphop> I seem to be having issues with my openvpn setup. When i connect with my client, i can ping the servers private IP address, but when trying to make connections i get 'user/xxx.xxx.xxx.xxx MULTI: bad source address from client [xxx.xxx.xxx.xxx], packet dropped'
16:34 < krphop> and, both the IPs listed are different from each other
16:35 < krphop> i dont seem to be able to connect to anything at all once connected to the VPN
16:38 < krphop> I'm using my VPN as a complete gateway, all traffic routing through it
16:42 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit [Read error: 104 (Connection reset by peer)]
16:42 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
16:45 -!- freaky[t]_ [i=alpha@member.team-box.net] has quit [Remote closed the connection]
16:46 < krzie> krphop i cant really help you since xxx.xxx.xxx.xxx means nothing to me
16:46 < krzie> but you'll need an iroute
16:46 < krzie> !iroute
16:46 < vpnHelper> krzie: "iroute" is does not bypass or alter the kernel's routing table, it allows openvpn to know it should handle the routing when the kernel points to it but the network is not one that openvpn knows about. This is only needed when connecting a LAN which is behind a client, and therefor belongs in a ccd entry. Also see !route and !ccd
16:47 < krzie> the client is sending packets with a SRC address different than the vpn ip (possibly you have a lan behind the client communicating over it)
16:54 -!- hoop [n=pide@cha92-17-88-189-163-49.fbx.proxad.net] has quit []
16:54 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn
17:10 -!- Sup3rFly [n=sup3rfly@boxcars.triplecrowncasinos.com] has quit []
17:17 < krphop> neither of the ip addresses listed are on the VPN host
17:17 < krphop> they're both related to the client
17:17 < krphop> and this VPN has worked via other internet connections, but this is from an EVDO card
17:22 < krphop> but i've never tried this VPN connection on a mac before, so not sure if its an issue with the mac, or the server
17:47 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
18:05 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
18:07 -!- whocares [n=trap@host86-162-65-17.range86-162.btcentralplus.com] has joined ##openvpn
18:07 < whocares> hi, im gonna be tunneling all my traffic through a vpn server ..what sort of rules am i going to need to put in my routers firewall?
18:13 < krzie> nat
18:13 < krzie> !redirect
18:13 < vpnHelper> krzie: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
18:14 < krzie> but as you said, you can handle the nat on the vpn servers router as well
18:14 < krzie> but you have to nat the vpn subnet
18:15 < whocares> hmm
18:15 < whocares> im not sure if that applies to the client or the server or what
18:15 < krzie> huh?
18:15 < whocares> im paying for a vpn server
18:16 < whocares> not hosting my own
18:16 < krzie> you dont run it?
18:16 < whocares> nope
18:16 < krzie> they sell it for routing all your stuff over it?
18:16 < whocares> i am paying for the vpn server service yea
18:16 < whocares> or i will be
18:17 < whocares> but i just wondered if i need to put any special rules in my rulebase to i) make sure no outward traffic goes to anywhere but the vpn
18:17 < whocares> ii) allow no incoming traffic
18:31 < krzie> ii) standard firewalling applies
18:32 < krzie> i) your gateway will be overridden when you connect
18:33 < krzie> or should be... i cant see your providers config
18:33 < reiffert> why not use the $payware support?
18:33 < krzie> these questions would be better to ask the provider
18:34 < krzie> ya like reif said
18:34 < krzie> moin reiffert
18:34 < reiffert> Moin moin
18:38 < whocares> ok
18:38 < whocares> thats true
18:38 < whocares> another sort of vpn related question
18:39 < whocares> i want to pass all my traffic through a vpn
18:39 < whocares> but i also want to inspect it all with snort
18:39 < krzie> you want to snort your own outbound traffic?
18:39 < whocares> if i have both the vpn client and snort on my OS ...what will happen first decryption or inspection?
18:39 < whocares> hmm i was thinking about that ...but im not sure ...but definitely my inbound
18:40 < krzie> there shouldnt be any inbound
18:40 < whocares> coz if inspection happens first its not gonna work coz its gonna be unreadable right? how do i ensure decryption is done first on the OS? if both the vpn client and the snort is on the OS
18:40 < whocares> i thought inbound traffic is encrypted as well isn't it?
18:40 < krzie> unless they actually give you your own IP and either give you a binat or directly allocate an ip (not common)
18:41 < krzie> but to answer your real question, yes you can sniff inside the tunnel
18:41 < krzie> you just sniff the tunnel interface and its cleartext for you
18:41 < krzie> its encrypted on the real interface, the virtual interface is not
18:41 < whocares> so you mean when i go to www.google.com only my request to google is encrypted? not the request from the webserver?!
18:42 < krzie> neither
18:42 < krzie> between you and vpn provider is encrypted both directions
18:42 < whocares> wtf
18:42 < krzie> from them to google is not either direction
18:42 < whocares> yea thats what i mean
18:42 < whocares> so when it goes from google --> vpn provider --> me
18:42 < krzie> but you can sniff between you and vpn provider, and they can sniff you
18:42 < whocares> i thought it would be decrypted on my machine
18:42 < krzie> it is
18:43 < whocares> ok
18:43 < krzie> sniff the tunnel interface to see it cleartext
18:43 < whocares> ok...so snort can be setup to sniff the tunnel interface? what other interfaces will there be? the LAN interface or something which connects me to the router?
18:44 < krzie> your lan interface will be encrypted, useless to snort
18:44 < krzie> you sniff the tunnel interface
18:44 < krzie> (like i said 5 times or so)
18:44 < reiffert> give it one more time to make it five ;)
18:45 < krzie> oh ok
18:45 < krzie> you sniff the tunnel interface
18:45 < krzie> ;]
18:45 < whocares> yea yea u just got me confused with the whole its not encrypted thing for a min
18:45 < reiffert> hm, but can I sniff the LAN interface as well?
18:45 < krzie> lol reif
18:48 < reiffert> because I finally want to find out who's sending those offending arp questions to my host. I should block arp completely.
18:48 < whocares> why is it not encrypted on the way to the vpn anyway?
18:48 < whocares> i thought thats the whole point?
18:48 < whocares> just in case plain text passwords are normally sent to gmail.com they aren't sent in plain text to the vpn provider anymore
18:49 < reiffert> whocares: it's encrypted between your host and the other vpn endpoint.
18:50 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)]
18:50 < reiffert> whocares: it has to be decrypted at two special points: the vpn endpoint at your provider and the vpn endpoint at your place (your host).
18:51 < reiffert> whocares: can you follow me?
18:52 < whocares> yup i understand
18:52 < whocares> so when krzie said i can be sniffed between me and the provider...he meant i can be sniffed, but not understood by the sniffer
18:53 < reiffert> running openvpn will get you a virtual interface.
18:53 < reiffert> that interface is called "The tunnel interface" or in short: the tun interface.
18:53 < reiffert> shorter: tun0
18:53 < whocares> ok, and thats what i can sniff using snort?
18:54 < whocares> if my vpn provider isn't using openvpn are there other vpn servers they could be using whose client creates a tunnel interface?
18:54 < reiffert> what you send into a tun0 interface on one side ... gets out on the other tun0 interface on the other side
18:54 < whocares> id really like to know of some well run/maintained vpn servers that run openvpn since that seems to be quite rated in the vpn field of things
18:54 < reiffert> he will use cisco vpn most likely.
18:55 < reiffert> s,he,your provider,
18:56 < whocares> what do you mean? cisco run their open vpn servers?
18:56 < reiffert> !notovpn
18:56 < vpnHelper> reiffert: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
18:56 < reiffert> !factoids search --values cisco
18:56 < vpnHelper> reiffert: No keys matched that query.
18:57 < whocares> i asked my question in about 5 places today
18:57 < reiffert> krzie: where's that cisco vpn bla bla gone to?
18:57 < whocares> and everybody was suggesting that snort and the client could not be first, and if they could then the decryption had to be done first, so had to be lower down the OSI layer
18:57 < reiffert> whocares: to my mind all 5 places should send you straight ahead to the support office of your provider.
18:58 < reiffert> whocares: as there is only a particular right answer related to your particular providers and the special vpn solution he is offering.
18:59 < whocares> how so? some vpn providers' client wont have a tunnel interface that can be sniffed in plain text?
19:00 < reiffert> there is poptop-vpn, openvpn, cisco-vpn, ssh-vpn, and several other vpn solutions and all work different.
19:00 < reiffert> not to forget ipsec.
19:01 < whocares> isn't ipsec a type of authentication with the vpn server to make sure the vpn server is actually the vpn server and not somebody spoofing?
19:02 < reiffert> come back when you know about things.
19:21 < krzie> isnt ipsec cisco-vpn?
19:29 < reiffert> let's bring up freeswan, openswan and ...
19:29 < reiffert> L2TP.
20:02 < ecrist> krzie: cisco vpn is pretty generic term
20:02 < ecrist> they have their ssl vpn as well as ipsec
20:06 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
20:14 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
20:19 < krzie> ecrist ahh gotchya
20:49 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
21:00 < Section58> you can use 192.168.0/1.x on systems you know will not conflict right ?
21:00 < Section58> like your own ranges
21:00 < Section58> ?
21:01 < Section58> !route
21:01 < vpnHelper> Section58: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
21:01 < Section58> skinning it ??
21:01 < Section58> like copies ?
21:08 < krzie> skimming, like not reading to understand
21:09 < krzie> in other words if you read that, pay attention and read the whole thing
21:09 < krzie> and sure, you can use any rfc 1918 subnet you want, but if stuff conflicts you get screwed
21:10 < krzie> so especially if you have road warriors, be sure to use nothing common
21:19 < krzie> as far as copies, feel free to copy it in its entirety but dont forget to link back to the document where it is in case i change stuff
21:22 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
21:27 < Section58> cool
21:27 < Section58> nice
21:27 < Section58> yeah i like looking at the pictures
21:27 < Section58> as i read thru the explanation
21:28 < Section58> a lot of routing work is done with lots of 'things' all in the air. its nice to have it written down in some sort of bubble chart
21:28 < Section58> a simple error in an ip address would be devastating
21:29 < Section58> the things that take you 12 hours to fix, are almost always one line of code
21:42 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
22:03 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
22:06 < ecrist> Section58: or one character in a single line of code
22:06 < ecrist> ;)
22:12 < Section58> well, an error that stupidly simple
22:12 < Section58> :D
22:12 < Section58> you know the score clearly :D
22:20 -!- robert_ [n=hellspaw@objectx/robert] has quit [Excess Flood]
22:25 -!- robert_ [n=hellspaw@objectx/robert] has joined ##openvpn
22:51 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 54 (Connection reset by peer)]
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
23:08 -!- whocares [n=trap@host86-162-65-17.range86-162.btcentralplus.com] has quit [Read error: 113 (No route to host)]
23:15 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 60 (Operation timed out)]
23:15 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
23:20 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
23:30 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has joined ##openvpn
23:56 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
--- Day changed Thu Dec 24 2009
00:13 -!- rwp [n=bob@joseki.proulx.com] has quit [Read error: 110 (Connection timed out)]
00:15 -!- rwp [n=bob@joseki.proulx.com] has joined ##openvpn
00:21 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
00:25 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
00:27 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn
01:15 -!- shaiguitar [n=shaiguit@67.219.148.23] has joined ##openvpn
01:22 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
01:42 -!- rwp [n=bob@joseki.proulx.com] has quit ["leaving"]
02:01 -!- exes [n=exes@galileo.exes.org] has left ##openvpn []
02:01 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
02:03 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn
02:03 < exes> dazo_afk: I was, I've disabled it and I'm still having the same issues
02:04 < exes> kernel: [84661.865436] tun0: Disabled Privacy Extensions
02:06 -!- shaiguitar [n=shaiguit@67.219.148.23] has left ##openvpn ["Why not?"]
02:07 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
03:05 -!- master_of_master [i=master_o@p57B57EE5.dip.t-dialin.net] has joined ##openvpn
03:12 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
03:12 < jmm> hi
03:13 < jmm> !goal
03:13 < vpnHelper> jmm: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
03:13 < jmm> I would like to be 20cm taller.
03:16 -!- master_o1_master [n=master_o@p57B5712C.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:32 -!- cemc [n=gimre@mx.narancs.net] has joined ##openvpn
03:34 < cemc> hi. I ran into push buffer size limit exceeded error (http://openvpn.net/archive/openvpn-users/2005-10/msg00246.html). is there any other option beside recompiling or putting everything client-side?
03:34 < vpnHelper> Title: Re: [Openvpn-users] Maximum length of --push buffer (1024) has been exceeded (at openvpn.net)
03:36 < Section58> hehe jmm :D
03:37 < cemc> that was in 2005. I have 2.1~rc7 and rc19 on my ubuntu server/desktop right now
03:40 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
03:42 < cemc> I'm just trying to push some routes for some 40 individual unrelated, not aggregable IP addresses to the client. shouldn't be that unusual, right? :)
03:43 < Section58> oooooo
03:49 -!- Gareth_H [n=Gareth_H@ntelecom.gotadsl.co.uk] has joined ##openvpn
03:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn
03:55 -!- Gareth_H [n=Gareth_H@ntelecom.gotadsl.co.uk] has quit []
04:45 -!- julius [n=julius@217.20.127.15] has quit ["Reconnecting"]
04:45 -!- julius [n=julius@217.20.127.15] has joined ##openvpn
04:58 -!- cemc [n=gimre@mx.narancs.net] has quit ["Leaving"]
04:58 -!- cemc [n=gimre@85.186.77.203] has joined ##openvpn
05:06 < tjz> to my dearest friend , vpnHelper... wish you an advanced merry xmas..
05:06 < tjz> you are the second person after krzee i know when i first join this channel in 2009..
05:06 < tjz> :(
05:06 < tjz> dedicated this for you.. http://www.youtube.com/watch?v=YXJ5a56dP98
05:06 < vpnHelper> Title: YouTube - Cascada - Last Christmas (at www.youtube.com)
05:11 < krzee> cemc, that will be a problem unless you can put some in a larger subnet
05:11 < krzee> !pushlimit
05:11 < vpnHelper> krzee: "pushlimit" is This is a limitation of OpenVPN: the push block cannot exceed a maximum of about 1 KB
05:11 < cemc> krzee: is this limit on purpose, some security considerations?
05:11 < krzee> dunno tbh
05:12 < krzee> but on the client side you can add as many routes as you want
05:12 < cemc> mhm
05:13 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
05:30 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has left ##openvpn ["Konversation terminated!"]
06:34 < ecrist> good morning.
06:44 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
07:28 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
07:36 < Section58> good morning
08:01 -!- kosmic [n=bodhi@unaffiliated/spice] has quit ["leaving"]
08:01 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
08:27 < krzee> whats the difference between tiger woods and santa claus
08:48 < jmm> santa claus is fat.
08:49 < krzee> santa stops after 3 "ho"s
08:58 < Diddi> yoho, someone once told me that a vpn interface is limited to 10mb/s. is this true?
08:58 < krzee> nope
08:58 < Diddi> ah great
08:58 < Diddi> (:
08:59 < Diddi> thanks, and merry x-mas
09:01 -!- srosenfe1d [n=shaiguit@67.219.148.23] has left ##openvpn []
09:02 < krzee> merry xmas
09:26 < |Mike|> it's not christmas yet
09:41 < Diddi> 16:42 x-mas day here (:
09:41 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Remote closed the connection]
09:49 < ecrist> krzee: it's just not christmas yet in the part of the world that matters. ;)
09:53 -!- xilver2dragon [n=xilver2d@114.125.2.238] has joined ##openvpn
10:01 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:03 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)]
10:03 -!- xilver2dragon [n=xilver2d@114.125.2.238] has left ##openvpn []
10:11 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
10:16 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:33 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
10:33 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)]
10:35 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:49 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
10:50 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
10:52 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.16/2009120208]"]
11:04 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
11:45 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:50 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn
11:51 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
11:52 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
12:46 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 60 (Operation timed out)]
12:52 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:03 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
13:05 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has joined ##openvpn
13:20 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
13:22 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
13:34 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
13:41 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
13:43 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)]
13:58 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
13:58 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:01 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
14:02 -!- barefoot [n=magic@41.123.191.224] has joined ##openvpn
14:03 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.]
14:03 -!- barefoot is now known as magic_1
14:08 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
14:09 -!- barefoot [n=magic@dsl-145-40-26.telkomadsl.co.za] has joined ##openvpn
14:17 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 104 (Connection reset by peer)]
14:31 -!- Hypnoz [n=colin@ip66-104-252-161.z252-104-66.customer.algx.net] has quit ["Leaving."]
14:32 -!- barefoot [n=magic@dsl-145-40-26.telkomadsl.co.za] has quit [Read error: 110 (Connection timed out)]
14:44 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
16:33 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
16:39 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
18:07 -!- Zeit|awy [n=wurscht@95.222.198.206] has quit [Read error: 113 (No route to host)]
18:27 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
19:07 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
19:13 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
19:21 -!- freaky[t]_ [i=alpha@member.team-box.net] has quit [Remote closed the connection]
19:34 -!- freaky[t]_ [i=alpha@member.team-box.net] has joined ##openvpn
21:01 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
21:47 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
21:51 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
21:55 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
21:55 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
22:15 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out]
23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 113 (No route to host)]
23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
--- Day changed Fri Dec 25 2009
01:13 -!- gazelle [n=luna@93-94-245-13.dynamic.swissvpn.net] has joined ##openvpn
01:14 < gazelle> hi!
01:14 -!- gazelle [n=luna@93-94-245-13.dynamic.swissvpn.net] has quit [Client Quit]
01:14 < Section58> !!
01:14 < Section58> wow
01:14 < vpnHelper> Section58: Error: "!" is not a valid command.
01:14 < Section58> that was quite rude!
01:46 -!- int [n=quassel@int.matrixtelecom.net] has joined ##openvpn
02:20 -!- gazelle [n=luna@93-94-245-72.dynamic.swissvpn.net] has joined ##openvpn
02:30 -!- Joey64 [i=72f91ec9@gateway/web/freenode/x-kecvpvwcqyuxaezb] has joined ##openvpn
02:30 < Joey64> I just want to get online myself; I installed openvpn, do I need to configure a server?
02:31 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
02:32 < Joey64> How do I use openvpn under XP? Could an expert explain? I spent a whole afternoon on it without success,
02:37 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has joined ##openvpn
02:40 -!- Lilarcor [n=Lilarcor@ip70-187-168-252.oc.oc.cox.net] has quit [Client Quit]
02:47 < |Mike|> or talk english.
02:47 < |Mike|> Joey64:
03:05 -!- master_o1_master [n=master_o@p57B5549D.dip.t-dialin.net] has joined ##openvpn
03:09 < Joey64> |Mike|: hi, i just install openvpn in xpsp3 ,but i don't know how to config it to let me use vpn
03:09 < |Mike|> !howto
03:09 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
03:10 < Joey64> vpnHelper: thanks ,let me see it
03:10 < vpnHelper> Joey64: Error: "thanks" is not a valid command.
03:12 -!- gazelle [n=luna@93-94-245-72.dynamic.swissvpn.net] has quit [Read error: 60 (Operation timed out)]
03:16 -!- master_of_master [i=master_o@p57B57EE5.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:52 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
04:24 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
04:27 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
04:35 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
04:37 -!- Joey64 [i=72f91ec9@gateway/web/freenode/x-kecvpvwcqyuxaezb] has quit []
04:47 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
04:55 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
04:57 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
05:03 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
05:03 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
05:04 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Read error: 104 (Connection reset by peer)]
05:06 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
05:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
05:10 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
05:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)]
05:16 -!- whocares1 [n=trap@host86-147-200-27.range86-147.btcentralplus.com] has joined ##openvpn
05:17 < whocares1> hi im going to be using a commercial vpn provider that claims to run openvpn
05:17 < whocares1> does that mean it has strong authentication so that i know when i connect its actually the vpn not somebody spoofing the vpn?
05:18 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
05:30 < krzee> whocares1, that depends on your provider, ask them
05:31 < whocares1> what specifically should i ask them?
05:31 < krzee> everything you want to ask us
05:32 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
05:34 < whocares1> would asking them something like "does the openvpn you use make sure the client is really communicating with the vpn server and not somebody spoofing, and what type of check is in place to make sure of that? some sort of certificate or however it works?"
05:34 < whocares1> will that be ok
05:34 < whocares1> what sort of technology do i need on the server to make sure that when i connect i am really connecting to the official vpn server and not a spoof
05:37 < krzee> !mitm
05:37 < vpnHelper> krzee: "mitm" is (#1) http://openvpn.net/index.php/documentation/howto.html#mitm to know about stopping Man-in-the-Middle attacks by signing the server cert specially, or (#2) use !servercert to generate the server cert manually or use the easy-rsa build-key-server script to build your server certificates, or (#3) then use: ns-cert-type server in the client config
05:50 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
06:15 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has joined ##openvpn
06:24 -!- n5 [n=nop@78-60-57-157.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
06:29 -!- hyper_ch [n=hyper@80-49-239-77-pool.cable.fcom.ch] has quit [Remote closed the connection]
06:51 -!- n5 [n=nop@78-60-57-157.static.zebra.lt] has joined ##openvpn
07:15 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has quit []
07:18 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
07:24 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
07:49 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn
08:29 -!- n5 [n=nop@78-60-57-157.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
08:36 -!- n5 [n=nop@78-60-219-94.static.zebra.lt] has joined ##openvpn
08:38 -!- benedikt [n=benedikt@agurka.gurkubondi.net] has joined ##openvpn
08:39 < benedikt> While using openvpn-auth-pam.so the passwords are encrypted on their way to the server? So is there much less security in using this instead of regular certificates to authenticate?
09:03 < Diddi> hi! is it possible to push specific ip/route information to each client (like the behaviour of --client-config-dir) when in inetd mode?
09:56 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
10:14 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
10:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:46 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
10:51 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
10:52 -!- buntfalke_ [n=nobody@unaffiliated/buntfalke] has quit [Read error: 110 (Connection timed out)]
10:57 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Excess Flood]
10:57 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn
11:04 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
11:06 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
11:30 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit [Read error: 60 (Operation timed out)]
11:44 -!- PupUserdc2341 [n=PupUserd@190.176.236.2] has joined ##openvpn
11:45 -!- PupUserdc2341 [n=PupUserd@190.176.236.2] has left ##openvpn []
12:27 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has joined ##openvpn
12:28 < baz> hey how's it going! I'm following the instructions for setting up openvpn here: https://help.ubuntu.com/community/OpenVPN but I am confused by the last step regarding creating a client key - this was done on the server, do I now copy it to the client?
12:28 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
12:34 < reiffert> baz: please follow the official howto.
12:35 < baz> reiffert, do u have the link
12:36 < reiffert> topic
12:38 < baz> reiffert, i think i am at the very end here, may I just ask you, in the ubuntu network manager for vpn, there is a field called "User Certificate" - do I put the file "client.crt" for that? And then for "CA Certificate" I use "ca.crt" and finally what do you think I would specify for "Private Key"
12:38 < baz> !howto
12:38 < vpnHelper> baz: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
12:38 < reiffert> baz: I have no idea about ubuntu. I have no idea about its network manager. See howto.
12:40 < baz> the terms there are related to openvpn, ubuntu just provides a nice gui
12:48 < reiffert> use the help button on the gui then.
13:14 < baz> i think i am getting errors when i start openvpn on my server, does this look normal: http://pastebin.com/m16e7e7a9
13:15 < reiffert> no, it does not.
13:15 < baz> is this the main problem "Socket bind failed on local address 127.0.1.1:1194: Address already in use"?
13:18 -!- obaid [n=obaid@62.215.85.19] has joined ##openvpn
13:18 < obaid> i am trying to setup a vpn connection in ubuntu
13:19 < obaid> i followed some guide on internet
13:19 < obaid> but
13:19 < baz> hey me too!
13:19 < obaid> nm-openvpn[2483]: read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
13:19 < baz> r u following this guide: https://help.ubuntu.com/community/OpenVPN
13:19 < reiffert> for both of you: blame the author.
13:19 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com)
13:19 < obaid> no let me post the url
13:20 < obaid> i used this guide
13:20 < obaid> http://www.ultravpn.fr/forum/index.php?topic=204.0
13:20 < benedikt> While using openvpn-auth-pam.so the passwords are encrypted on their way to the server? So is there much less security in using this instead of regular certificates to authenticate?
13:20 < vpnHelper> Title: How to using UltraVPN service from GNU/Linux . (at www.ultravpn.fr)
13:20 < baz> here they recommend using the official guide: http://openvpn.net/howto
13:21 < obaid> is it possible that my ISP is blocking the initial connection ?
13:22 < obaid> because, when i http the IP of the vpn server, it says network error (tcp_error)
13:23 < baz> obaid, did you forward the ports on your router
13:25 < obaid> i am not sure about that, but it works from MS windows
13:25 < baz> obaid, did u setup the server too, or are you just doing clients
13:26 < obaid> it WAS working in MS windows before install ubuntu, not sure now
13:26 < obaid> no, i just want to connect to a free vpn ultravpn.fr
13:26 < baz> ah i see, so u don't need to forward
13:27 < baz> the windows box was on the same computer on the same network etc.?
13:27 < obaid> same laptop same network
13:27 < obaid> let me try something
13:27 < obaid> u open this
13:27 < obaid> http://87.98.173.225
13:27 < obaid> if it opens for u
13:27 < obaid> then the ISP blocked it
13:27 < baz> Oops! This link appears to be broken.
13:28 < obaid> why ?
13:28 < baz> thats what my browser said
13:28 < baz> not working
13:28 < obaid> oh ok
13:28 < obaid> then problem from their side i guess
13:28 < baz> ya
13:37 < baz> do u have to generate a certificate for every client that joins your vpn?
13:42 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
13:43 -!- krzy [i=nobody@hemp.ircpimps.org] has joined ##openvpn
13:48 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn
13:50 -!- obaid [n=obaid@62.215.85.19] has left ##openvpn ["Ubuntu 9.10 on X61"]
14:00 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit [Read error: 60 (Operation timed out)]
15:00 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn
15:00 < MrJK> hello
15:01 < MrJK> Huu, anybody know how to set the good routes under windows xp ( as client) to redirect all my internet traffic through my vpn ?
15:01 < MrJK> I didn't find any documentation on google, or maybe I misunderstood something
15:01 < MrJK> I know I have to use the route command, but, I don't know what I have to set
15:29 < MrJK> nobody ?
15:31 < reiffert> !redirect
15:31 < vpnHelper> reiffert: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
15:35 < MrJK> thx :D
16:03 < baz> is nfs one of the better ways to mount remote filesystems through vpn?
16:10 < baz> in the sample server.conf it says that specifying the ip is optional - does that mean i can leave these lines exactly as they are: # Which local IP address should OpenVPN
16:10 < baz> # listen on? (optional)
16:10 < baz> ;local a.b.c.d
16:11 < baz> that is, without prefixing the last ";local..." line with a pound?
16:16 < Bushmills> baz, not sure about the "better" part, but nfs over openvpn works alright. autofs in combination is very useful.
16:16 < baz> another question, in the howto it says "Like the server configuration file, first edit the ca, cert, and key parameters to point to the files you generated in the PKI section above." - does that mean to provide where the client keys are located on the server (the server path) or on the client (local path)?
16:17 < baz> Bushmills, i will look into autofs, thank you
16:22 < baz> Bushmills, in the client.conf unser "ca ca.crt" what path do I use, the one on the server, or on the client?
16:23 < baz> unser = under
16:24 < Bushmills> client conf refers to client dirs
16:25 < baz> Bushmills, ok so at some point i need to copy those files locally? the instructions seem to have skipped over that
16:26 < _trine> http://pastebin.com/m2cf2cfe1
16:27 < _trine> that's for an openwrt router
16:27 < _trine> dunno if it helps you
16:28 < baz> would a good place to copy the client certs to be "/etc/openvpn" and then maybe create a subdir in there?
16:29 < Bushmills> other methods than copying are perfectly legal
16:30 < baz> Bushmills, well i will need to scp them, i'm just saying copy in an english sense, not a linux one
16:33 < Bushmills> you could attach a reprap, synthesize an array of circles and rectangles, send the plate off to the client, and interpret those by a gyverised turntable as bit stream which you redirect to client certs
16:36 < baz> i tried that, but the redirect didn't work... oh yeah, sorry !redirect
16:40 < baz> ok this is exciting, i am ready to test my setup - pls lord let this work!
16:45 < baz> Starting the server, I am getting some DH parameter errors, does anyone know what thats about: http://pastebin.com/d6d394e9b
16:45 < baz> ls
17:01 < baz> what a pain in the ass this openvpn
17:01 < baz> its too fragile
17:02 < baz> there should be a default click through setup, and only advanced config requiring mucking around
17:45 -!- master_o1_master is now known as master_of_master
17:47 -!- hyper_ch [n=hyper@adsl-89-217-90-38.adslplus.ch] has joined ##openvpn
17:53 < reiffert> baz: get back to creating diffie hellman stuff, see howto.
18:07 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
18:08 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
18:24 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
18:26 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
18:35 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
18:46 -!- McManiaC [n=nils@p5B14562F.dip.t-dialin.net] has joined ##openvpn
18:46 < McManiaC> hey, I have some problems configuring a basic server-client network…
18:47 < McManiaC> I can connect but I get no tap device and therefore no IP address
18:47 < McManiaC> http://npaste.de/8v/ ← my client
18:47 < McManiaC> http://npaste.de/8w/ ← the server
18:48 < McManiaC> what am I missing?
18:51 -!- McManiaC_ [n=McManiaC@n-sch.de] has joined ##openvpn
18:51 -!- McManiaC [n=nils@p5B14562F.dip.t-dialin.net] has quit [Client Quit]
18:51 -!- McManiaC_ is now known as McManiaC
18:52 < McManiaC> no one alive? =(
19:00 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
19:14 -!- krzy [i=nobody@hemp.ircpimps.org] has quit [K-lined]
19:17 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn
19:23 < exes> each time I start my openvpn daemon, this is appended to the syslog: "kernel: [233308.526275] tun0: Disabled Privacy Extensions" no connections can be established
19:23 -!- whocares1 [n=trap@host86-147-200-27.range86-147.btcentralplus.com] has quit [Read error: 60 (Operation timed out)]
19:23 < exes> anyone have an idea where I can start? I disabled persist-tun
19:26 < exes> this is a VMWare guest
19:26 < exes> Debian Linux 5.0
19:29 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)]
19:30 < exes> amd64
20:04 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
20:09 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:10 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
20:10 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
20:11 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
20:11 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
20:16 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
20:30 -!- corretico [n=laguilar@201.201.46.106] has quit [Connection timed out]
21:35 < ecrist> exes: are you using network manager?
21:39 < ecrist> !ubuntu
21:39 < vpnHelper> ecrist: "ubuntu" is dont use network manager!
21:42 < Section58>
21:42 < Section58> ern
21:42 < Section58> sorry i am so tired
22:10 < exes> ecrist: no, I'm using openvpn
22:10 < exes> not a GUI
22:10 < exes> not Ubuntu... Debian
22:12 < exes> I've recreated the problem on my other vmware guest on another vmware host
22:12 < exes> also amd64
22:12 < exes> so I imagine it may be a amd64 or vmware thing
22:12 < exes> an*
22:25 < reiffert> We do see openvpn problems on vmware from time to time. Someone should post it on the -devel mailinglist.
22:29 < exes> ok
22:29 < exes> I'll give that a shot
22:30 < exes> openvpn-devel@openvpn.net?
22:36 < reiffert> !dev 22:36 < vpnHelper> reiffert: "dev" is https://lists.sourceforge.net/lists/listinfo/openvpn-devel to sign up for devel mail list 23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 54 (Connection reset by peer)] 23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 23:31 -!- gmarcus [n=glenn@189.62.104.225] has joined ##openvpn 23:55 < gmarcus> is it possible to use openvpn to allow an xbox 360 to connect to an openvpn server? --- Day changed Sat Dec 26 2009 00:04 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 00:07 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 00:17 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 00:26 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 00:37 -!- gmarcus [n=glenn@189.62.104.225] has left ##openvpn [] 00:44 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 00:46 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 01:00 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has quit [Read error: 54 (Connection reset by peer)] 01:01 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has joined ##openvpn 01:04 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 01:06 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 01:24 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 01:26 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 01:35 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 110 (Connection timed out)] 01:44 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 01:47 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 02:06 -!- craver_ [n=craver@208.53.57.220] has joined 
##openvpn 02:07 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 02:08 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 02:11 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 02:14 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 02:15 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 02:16 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 02:18 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 02:21 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 02:26 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 02:26 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 02:28 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 02:28 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 02:37 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out] 02:45 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 02:48 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 02:51 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Success] 03:05 -!- master_o1_master [n=master_o@p57B54A6F.dip.t-dialin.net] has joined ##openvpn 03:06 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 03:08 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 03:17 -!- master_of_master [n=master_o@p57B5549D.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 03:25 -!- apo [n=apo@pD9E7D0C0.dip.t-dialin.net] has joined ##openvpn 03:26 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 03:28 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 03:44 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 03:49 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 
54 (Connection reset by peer)] 03:51 < apo> Hm 03:52 < apo> When I push "redirect-gateway", the default gw's set to 10.8.0.5, but the server IP is 10.8.0.1. Any idea why? 03:52 < apo> 10.8.0.5 is also set as the gateway to the network, for some reason. 03:52 < Bushmills> that's the client's p2p address in the topology you use 03:54 < apo> Ah, right. 03:54 < Bushmills> check --topology server 03:55 < Bushmills> sorry... subnet i mean 03:56 < apo> Thanks :) 03:57 < apo> Now I'm ready for 26c3 \o/ 03:58 < apo> (Can't have all those packets flying through the unencrypted wlan... :P) 04:07 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 04:10 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 04:23 -!- gazelle [n=luna@80-254-76-209.dynamic.swissvpn.net] has joined ##openvpn 04:27 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 04:28 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 04:30 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 04:49 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 04:52 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 05:06 -!- apo [n=apo@pD9E7D0C0.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 05:10 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 05:13 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 05:31 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 05:33 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 05:50 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 05:51 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 05:53 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 05:54 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 05:57 -!- xenophile7x7 
[n=xenophil@unaffiliated/xenophile7x7] has quit [Remote closed the connection] 06:11 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 06:13 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Read error: 60 (Operation timed out)] 06:13 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 06:22 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has joined ##openvpn 06:31 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 06:33 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 06:51 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 06:54 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 06:55 -!- Apiman_ [n=aitor@138.Red-88-2-202.staticIP.rima-tde.net] has joined ##openvpn 06:55 -!- Apiman_ [n=aitor@138.Red-88-2-202.staticIP.rima-tde.net] has left ##openvpn ["Ex-Chat"] 06:55 -!- Apiman_ [n=aitor@138.Red-88-2-202.staticIP.rima-tde.net] has joined ##openvpn 07:00 < Apiman_> hi!! I'm having troubles because openvpn server doesn't assign same ip as in "ifconfig-pool-persist MonSol/ipp.txt" 07:00 < Apiman_> it just overwrites the file "ipp.txt" 07:01 < Apiman_> and that client appears twice in the file 07:01 < Apiman_> any idea? 07:02 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 07:02 < reiffert> !ccd 07:02 < vpnHelper> reiffert: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. 
use --client-config-dir to enable it, then put the config options for the client in /common-name 07:02 < reiffert> !static 07:02 < vpnHelper> reiffert: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 07:02 < reiffert> !iporder 07:02 < vpnHelper> reiffert: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 07:02 < reiffert> !ipp 07:02 < vpnHelper> reiffert: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. 
If you want guaranteed assignment, see !iporder and !static 07:12 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 07:15 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 07:18 < Apiman_> exit 07:18 -!- Apiman_ [n=aitor@138.Red-88-2-202.staticIP.rima-tde.net] has left ##openvpn ["Ex-Chat"] 07:20 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)] 07:20 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 07:21 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn 07:27 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 07:33 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 07:36 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 07:54 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 07:55 < McManiaC> hey 07:55 < McManiaC> I can currently connect to my server (http://npaste.de/8w/) with my client (http://npaste.de/8v/) - but my client gets no IP address for the tap device? 07:55 < McManiaC> what's wrong here? 07:57 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 07:58 < McManiaC> brb 07:58 -!- McManiaC [n=McManiaC@n-sch.de] has quit ["leaving"] 08:02 -!- McManiaC [n=McManiaC@n-sch.de] has joined ##openvpn 08:15 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 08:18 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 08:32 < benedikt> Is there any way to only push the default route to some clients (based on their CN?) ? 
08:36 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 08:38 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 08:55 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 08:58 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 54 (Connection reset by peer)] 09:10 -!- Hetman [i=dnowak@gateway/shell/rootnode.net/x-xrzcbrwaovtvxvup] has joined ##openvpn 09:11 < Hetman> Hi can i get help here when i cannot connect to VPN ? using openvpn and networkmanager 09:16 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 09:16 < |Mike|> !networkmanager? 09:16 < vpnHelper> |Mike|: Error: "networkmanager?" is not a valid command. 09:16 < |Mike|> !ubuntu? 09:16 < vpnHelper> |Mike|: Error: "ubuntu?" is not a valid command. 09:16 < |Mike|> !ubuntu 09:16 < vpnHelper> |Mike|: "ubuntu" is dont use network manager! 09:16 < |Mike|> Hetman: ^ 09:17 < hyper_ch> network manager is evil 09:18 < Hetman> hyper_ch: i bought an account on vpnuk and i want to run it on my arch linux, i don't know how to build my own conf file (and use openvpn --config my.conf) so i followed the suggestions on the website 09:18 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 104 (Connection reset by peer)] 09:19 < Hetman> maybe somebody can help me build a conf file based on the settings from their support page ? 09:19 < |Mike|> ask vpnuk 09:19 < ecrist> Hetman: your likely best bet is to contact the commercial support for them. 09:19 < hyper_ch> Hetman: I followed a german howto that works for openvpn :) 09:19 < Hetman> they don't work now, it starts next week 09:19 < Hetman> and i need this vpn connection by monday ... 09:19 < Hetman> everything works on XP , but i need it on linux 09:21 < ecrist> Hetman: in order to connect to vpnuk, you need to contact them. 
09:21 < ecrist> all of our awesomeness cannot get you connected to them without their support 09:23 < Hetman> ecrist: yes but this connection is working - i just cannot run it on my linux (ubuntu on netbook - works, xp on pc - works) 09:23 < ecrist> well, how about posting logs? 09:23 < ecrist> !logs 09:23 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 09:23 < Hetman> now i'm looking for a guide on google on how to build a vpn.conf file 09:23 < Hetman> nm_vpn_connection_connect_cb(): VPN connection 'vpnuk' failed to connect: 'No VPN secrets!'. 09:24 < ecrist> Hetman: use the same config you have on windows 09:24 < ecrist> there's no difference between linux and windows for openvpn config 09:24 < Hetman> ok i'll try it 09:30 -!- Dougy [n=Douglas_@64.18.128.2] has joined ##openvpn 09:30 < Dougy> krzie: ping 09:30 < |Mike|> pong 09:30 < ecrist> what's up, Dougy? 09:31 < Dougy> hey ecrist 09:31 < Dougy> Not much.. merry late xmas 09:31 < Hetman> ok Works thx 09:32 < Dougy> krzie: i have something for you 09:32 < ecrist> if it's shaped like a penis, he probably doesn't want it 09:32 < Hetman> can i put my user and password in this config file somehow ? i don't want to write this every time i want to connect 09:32 < Dougy> well fortunately for him 09:32 < Dougy> its not 09:36 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn 09:46 < |Mike|> !howto 09:46 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 09:46 < |Mike|> Hetman: ^ 09:46 < Dougy> http://www.upload3r.com/serve/251209/1261811858.jpg 09:46 < Dougy> er 09:46 < Dougy> rofl 09:48 < |Mike|> 94C is pretty hot for a cpu 09:48 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has quit [Connection timed out] 09:48 < Dougy> pretty hot? 
09:48 < ecrist> my MacBook Pro averages about 62C 09:49 < Dougy> how about waaaaaay too hot 09:49 < Dougy> 62C wtf 09:49 < Dougy> that's way too hot too 09:49 < |Mike|> http://www.upload3r.com/serve/251209/1261811858.jpg 09:49 < |Mike|> wops 09:50 < ecrist> Dougy: I would agree it could be cooler, but that's what it runs as all the time 09:50 < ecrist> and has been for about 4 years 09:50 < Dougy> nuts 09:50 < Dougy> my atom runs at 33C im a bit ticked 09:50 < Dougy> needs2be cooler 09:51 < ecrist> you can't compare an atom to a full scale cpu 09:51 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has joined ##openvpn 09:51 < |Mike|> :P 09:52 < Dougy> this is 2watts 09:52 < Dougy> cpu 09:52 < Dougy> should not be 33 c 09:52 * ecrist goes away 09:52 < |Mike|> The sensor in AMD CPUs can report temperatures between -49C and 206C. 09:52 < |Mike|> rotflol. 09:53 < Dougy> rofl 09:58 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has quit [Read error: 60 (Operation timed out)] 10:42 -!- babilen [n=babilen@unaffiliated/babilen] has joined ##openvpn 10:42 < babilen> !howto 10:42 < vpnHelper> babilen: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 10:43 -!- babilen [n=babilen@unaffiliated/babilen] has left ##openvpn [] 10:47 < Dougy> krzie: memo'd you 11:05 -!- Dougy [n=Douglas_@64.18.128.2] has quit ["Leaving."] 11:06 < |Mike|> ecrist: dougy is one of the openvpn developers or ? 11:08 -!- Rascal999 [n=user@li125-209.members.linode.com] has joined ##openvpn 11:08 < Rascal999> i have br0 set up, vpn, how do i shove all traffic down it? 11:09 < |Mike|> !howto 11:09 < vpnHelper> |Mike|: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:09 < |Mike|> Rascal999: ^ 11:16 < hyper_ch> !howto 11:16 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 11:17 < hyper_ch> is there a simple way to just make firefox use of openvpn? 
11:20 < |Mike|> over a proxy ? 11:20 -!- Rascal999 [n=user@li125-209.members.linode.com] has quit [Remote closed the connection] 11:22 < hyper_ch> no, directly 11:31 -!- Flyser_ [n=flyser@unaffiliated/flyser] has joined ##openvpn 11:50 < ecrist> |Mike|: no, he's a 'regular' in here but that's all 11:50 < |Mike|> Okay 11:51 < ecrist> he happens to own ovpnforum.com domain, but I host it and krzee and I moderate it 11:51 < ecrist> not a channel admin, though 11:52 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 12:04 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out] 12:26 -!- Flyser_ [n=flyser@unaffiliated/flyser] has quit [Remote closed the connection] 12:33 -!- Flyser [n=flyser@unaffiliated/flyser] has joined ##openvpn 12:34 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Read error: 101 (Network is unreachable)] 13:02 -!- Flyser [n=flyser@unaffiliated/flyser] has left ##openvpn [] 13:17 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn 13:28 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 13:35 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 14:12 -!- pa [n=pa@unaffiliated/pa] has quit [Operation timed out] 14:24 -!- gazelle [n=luna@80-254-76-209.dynamic.swissvpn.net] has quit ["leaving"] 14:28 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn 14:29 -!- barbosa_ [n=barbosa@189.27.49.106.dynamic.adsl.gvt.net.br] has joined ##openvpn 14:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 14:57 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Read error: 110 (Connection timed out)] 14:58 -!- cemc [n=gimre@85.186.77.203] has left ##openvpn ["Leaving"] 15:05 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn 15:12 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 15:23 -!- whocares [n=trap@host86-147-200-27.range86-147.btcentralplus.com] has 
joined ##openvpn 15:23 -!- whocares [n=trap@host86-147-200-27.range86-147.btcentralplus.com] has left ##openvpn [] 15:42 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit ["Leaving"] 15:52 -!- McManiaC is now known as hi 15:53 -!- hi is now known as Guest79041 15:53 -!- Guest79041 is now known as McManiaC 15:53 -!- McManiaC is now known as bye 15:54 -!- bye is now known as McManiaC 15:56 < magyar> is there a way to block DHCP on a bridged tunnel? 15:56 < magyar> hi all << should be first 15:57 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [] 16:25 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 104 (Connection reset by peer)] 16:30 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 16:43 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn 16:58 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Connection timed out] 17:04 < krzie> magyar why do you want a bridged setup? 17:05 < |Mike|> krzie: hai2u happy xmass! 17:05 < magyar> krzie: i have one domain setup with same ip addressing 17:06 -!- kyrix [n=ashley@80-121-46-221.adsl.highway.telekom.at] has joined ##openvpn 17:21 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 17:26 < krzie> !tunortap 17:26 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. 
Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning 17:26 < vpnHelper> krzie: against you over the vpn 17:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 17:44 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 17:48 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 17:49 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 17:51 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 17:52 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 17:54 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 17:55 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 17:58 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 18:04 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn 18:30 -!- baz [n=baz@modemcable043.21-131-66.mc.videotron.ca] has quit [Remote closed the connection] 18:50 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Read error: 104 (Connection reset by peer)] 18:55 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn 19:00 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Read error: 54 (Connection reset by peer)] 19:02 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn 19:15 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Excess Flood] 19:15 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn 19:15 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: ScriptFanix 19:21 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: jhp, ^scott^, mrnice1, Typone, |Mike|, zykes- 19:21 -!- Netsplit over, joins: |Mike|, jhp, zykes-, Typone, 
^scott^, mrnice1 19:41 < McManiaC> hey, what am I doing wrong if my server is running perfectly but my client gets no tap/tun device and therefore no IP address but can connect to the server? 19:41 < McManiaC> /var/log/openvpn-status.log shows the client as connected 19:41 < McManiaC> server: http://npaste.de/8w/ client: http://npaste.de/8v/ 19:44 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn 19:55 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: ScriptFanix 20:01 -!- Netsplit over, joins: ScriptFanix 20:04 -!- ashley__ [n=ashley@80-121-7-106.adsl.highway.telekom.at] has joined ##openvpn 20:07 < krzie> McManiaC 20:07 < krzie> !logs 20:07 < vpnHelper> krzie: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 20:08 < McManiaC> kay 20:08 < McManiaC> one sec 20:09 -!- kyrix [n=ashley@80-121-46-221.adsl.highway.telekom.at] has quit [Read error: 60 (Operation timed out)] 20:10 < McManiaC> client log: http://npaste.de/91/ 20:10 < McManiaC> server log: http://npaste.de/92/ 20:15 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: krzie, fkr, Optic 20:17 -!- Netsplit over, joins: krzie, Optic, fkr 20:19 < McManiaC> krzie: any idea? 
20:23 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 20:29 -!- ashley__ [n=ashley@80-121-7-106.adsl.highway.telekom.at] has quit ["Leaving"] 20:39 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 20:49 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 20:53 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 20:57 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)] 21:18 < krzie> ohh 21:18 < krzie> McManiaC just took a look at it 21:18 < krzie> try this: 21:19 < krzie> remove tls-server from server 21:19 < krzie> (it already exists in --server) 21:19 < krzie> in client change tls-client with client 21:19 < krzie> so just remove tls- 21:20 < krzie> and you probably dont want to be using tap 21:20 < krzie> likely you wanna make it tun 21:22 < McManiaC> woah 21:22 < McManiaC> thx 21:22 < McManiaC> seems to work 21:22 < McManiaC> :) 21:23 < reiffert> come on, its xmass time, clients turn into victims.. 21:25 < McManiaC> \o/ 21:25 < reiffert> krzie: a big hacker congress starts in a view hours: 21:25 < reiffert> schedule: 21:25 < reiffert> http://events.ccc.de/congress/2009/Fahrplan/day_2009-12-27.en.html 21:25 < vpnHelper> Title: 26C3: Schedule Day 1 (at events.ccc.de) 21:26 < reiffert> krzie: live stream: http://events.ccc.de/congress/2009/wiki/Streaming 21:26 < vpnHelper> Title: Streaming - 26C3 Public Wiki (at events.ccc.de) 21:26 < McManiaC> krzie: i knew it was something stupid like this… but... ;) 21:26 < McManiaC> thx anyway 21:27 < krzie> ooo cool 21:27 < krzie> ccc! 21:27 < krzie> McManiaC np 21:27 < krzie> McManiaC you'll get better performance using tun instead of tap 21:27 < reiffert> should be 'few', eh? 21:28 < krzie> reiffert you arent in ccc are ya? 
21:28 < McManiaC> krzie: yeh, I think I had a reason for tap… but cant remember which one 21:28 < McManiaC> and everything seems to work… 21:28 < krzie> McManiaC 21:28 < krzie> !tunortap 21:28 < vpnHelper> krzie: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning 21:28 < vpnHelper> krzie: against you over the vpn 21:29 < McManiaC> I've read that already ;) 21:29 < reiffert> krzie: nope, still enjoying silence at home and much of coffee by day at friends 21:30 < krzie> reiffert will it be in english? 21:30 < reiffert> krzie: I guess 50% is in english. 21:30 -!- benedikt [n=benedikt@agurka.gurkubondi.net] has left ##openvpn [] 21:30 < reiffert> see for yourself at the scheduler.. 21:30 < reiffert> to give you an idea about the time ... it starts at 11:30, which is exactly 7 hours from now. 21:31 < reiffert> "is in" .. 
will be held 21:35 < krzie> right on 21:36 < krzie> ill just download from the ftp in 2 days 21:36 < krzie> its 11:30pm here 21:38 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has quit [Read error: 104 (Connection reset by peer)] 21:55 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 21:58 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 23:00 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 54 (Connection reset by peer)] 23:08 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 23:37 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 23:42 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN --- Day changed Sun Dec 27 2009 00:11 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 00:13 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 01:40 -!- barbosa__ [n=barbosa@189.114.38.158] has joined ##openvpn 02:03 -!- barbosa_ [n=barbosa@189.27.49.106.dynamic.adsl.gvt.net.br] has quit [Read error: 110 (Connection timed out)] 03:05 -!- master_of_master [i=master_o@p57B55F58.dip.t-dialin.net] has joined ##openvpn 03:16 -!- master_o1_master [n=master_o@p57B54A6F.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 03:18 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 03:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 03:26 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:36 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 60 (Operation timed out)] 03:41 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 03:51 -!- grub_booter 
[n=charlie@d515301E0.static.telenet.be] has joined ##openvpn 05:32 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 06:16 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has joined ##openvpn 06:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:32 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 06:38 -!- DexterLB [n=DexterLB@gprs-nat.mtel.net] has joined ##openvpn 06:38 < DexterLB> hi 06:39 < DexterLB> does a free openvpn server that any user can connect to exist? 06:42 < reiffert> You can't prove the opposite, so there is a chance that it may exist. 06:49 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 06:52 -!- corretico [n=laguilar@201.201.46.106] has quit [Connection reset by peer] 07:08 -!- DexterLB [n=DexterLB@gprs-nat.mtel.net] has quit [Read error: 113 (No route to host)] 08:08 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 08:08 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 08:18 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: redfox 08:25 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 08:27 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn 08:27 -!- barefoot [n=magic@41.123.160.115] has joined ##openvpn 08:27 -!- redfox [n=redfox2@91.121.78.62] has joined ##openvpn 08:36 -!- grub_booter [n=charlie@d515301E0.static.telenet.be] has quit [Read error: 110 (Connection timed out)] 08:39 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 08:39 -!- barefoot is now known as magic_1 09:14 -!- tetsu [n=hallibur@pool-173-78-26-241.tampfl.fios.verizon.net] has joined ##openvpn 09:14 < tetsu> !howto 09:14 < tetsu> well that's silly 09:14 < tetsu> tell me to do !howto and have no bot for it 09:15 < tetsu> are there any good client-setup howtos? 
09:16 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: master_of_master, r0fl, McManiaC, hyper_ch, Kasx, Section58 09:16 -!- Netsplit over, joins: hyper_ch 09:18 -!- Netsplit over, joins: master_of_master, McManiaC 09:18 -!- Netsplit over, joins: r0fl 09:23 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn 09:24 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 09:32 < magic_1> yes there are plenty 09:32 < magic_1> what do you need help with 09:33 -!- hyper_ch [n=hyper@adsl-89-217-90-38.adslplus.ch] has left ##openvpn ["Konversation terminated!"] 09:35 < tetsu> magic_1: i was given a config file and a shared keyfile 09:36 < magic_1> i take it that someone else has set up the server side 09:36 < tetsu> i know nothing about openvpn or tunnels besides socks5 proxies 09:36 < tetsu> yes 09:37 < magic_1> just a question, but i take it they have not explained to you how to configure the client side 09:37 < magic_1> is it windows or linux 09:37 < tetsu> linux, debian 09:37 < tetsu> no instructions 09:38 < magic_1> has it been installed 09:39 < tetsu> i hate to misuse your time, if there are any good client-config howtos i haven't found, i'll get on it 09:39 < tetsu> yes openvpn is installed 09:39 < magic_1> well the client config really is the easy part 09:40 < tetsu> I don't need to open any ports for client-side config? 09:41 < magic_1> http://openvpn.net/index.php/open-source/documentation/howto.html, as long as the admin has explained to you what port and ip he is running on 09:42 < tetsu> when it's all set up correctly, "openvpn config.conf" should start everything, right? 
09:43 < tetsu> openvpn creates the tun interface 09:43 < magic_1> yep 09:43 < magic_1> well basically 09:43 < ecrist> !howto 09:44 -!- Irssi: ##openvpn: Total of 80 nicks [0 ops, 0 halfops, 0 voices, 80 normal] 09:44 < ecrist> vpnHelper is mia 09:44 < ecrist> krzie: ping - vpnHelper needs a restart 09:45 < magic_1> this might help a little more 09:45 < magic_1> http://www.infodrom.org/Debian/tips/openvpn.html 09:45 < tetsu> magic_1: when i try running "openvpn configfile" it reads the file, and complains that i need to change the --script-security level 09:46 < tetsu> so i add --script-security 1, and it says there's no device file 09:46 < tetsu> so i add --dev tun0 09:46 < tetsu> and then it ignores the config file 09:46 < tetsu> am i making some stupid mistake? 09:47 < ecrist> tetsu: add those to the config file 09:47 < ecrist> post your configs to pastebin 09:48 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has joined ##openvpn 09:48 < samaelszafran> Ehm.. Hi, it's me again. 09:48 < samaelszafran> sorry to aks such questions, but... 09:48 < ecrist> aks isn't a word 09:48 < samaelszafran> aks, sorry. 09:48 < samaelszafran> ask* 09:48 < samaelszafran> damn. 09:49 < samaelszafran> okay, so as I know how to write... :X What should I put in my config (on the server side) to specify the default gateway? 09:49 < samaelszafran> or, I don't know - I connect to my vpn, and I can't ping anythong from my local host. 09:49 < samaelszafran> anything* 09:50 < samaelszafran> damn, I have to switch to a better keyboard. 09:50 < ecrist> if you want all vpn clients to route all traffic through the vpn, you need: push "redirect-gateway def1" and proper nat/routing 09:50 < tetsu> im going to try stuff for a while and be back 09:50 < samaelszafran> def1? 09:50 < ecrist> yes, def1 09:50 < ecrist> read the man page 09:50 < samaelszafran> what is def1? The address of my gateway? 
09:51 < ecrist> no, it's literally def1 09:51 < ecrist> read the man page 09:51 < samaelszafran> aah. 09:51 < samaelszafran> Yes, I see it.. 09:51 < samaelszafran> I'll try, sec. 09:52 < samaelszafran> hmm... 09:52 < samaelszafran> Still nothing - so I guess I've got a routing problem. 09:52 < samaelszafran> ;x 09:54 -!- orion [n=orion@unaffiliated/orion] has joined ##openvpn 09:54 < samaelszafran> So, ecrist, is there any simple way to do a quick nating, but without changing the whole firewall and rebooting the server? 09:55 < orion> Hi. I can establish a connection with a remote server (Initialization Sequence Completed) in p2p mode. However I can not ping the tun0 on the other end. 09:55 < orion> Does anyone know what might be wrong? 09:56 < magic_1> couple of things 09:56 < magic_1> have you push the required route 09:56 < orion> I do 09:56 < magic_1> also have you set your FW to allow the traffic 09:56 < orion> I do not have a firewall enabled. 09:56 < orion> However, openvpn doesn't support pushing ipv6 IPs, so I use a script 09:56 < tetsu> magic_1: if i delete the "route-up" line, it creates the device, and sets stuff up. does adding one command-line parameter cause openvpn to ignore config? 09:57 < orion> My "up.sh" script reads the following: 09:57 < orion> /sbin/ifconfig $1 inet6 2001:4830:16d7:feed::1 prefixlen 64 up 09:57 < orion> That's the server. 
09:58 < orion> The client has the same exact line, except it ends in ::2 09:58 < orion> The client also had this line: /sbin/route add -inet6 default 2001:4830:16d7:feed::2 09:58 < orion> has* 09:59 < magic_1> orion: unfortunately my IPv6 with openvpn is not good enough to help 09:59 < orion> :/ 09:59 < magic_1> tetsu, are you able to ping the server side when the tunnel comes up 09:59 < orion> magic_1: Ok 10:00 < tetsu> magic_1: no :/ 10:00 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has quit [Read error: 60 (Operation timed out)] 10:01 < magic_1> tetsu, do you know the ip range on the other side 10:01 < tetsu> yes 10:02 < tetsu> im trying to set up a subnet on our end 10:02 < magic_1> once the tunnel is up check to see if the route from the server side has been pushed through to you 10:02 < magic_1> not sure i follow 10:02 < tetsu> we were given a /25 to assign to our computers 10:03 < tetsu> out of a /16 10:03 < tetsu> well 10:04 < tetsu> is there a way to change openvpn's default '--script-security' level 10:05 < magic_1> well the main thing is we need to first make sure if the server side has been configured correctly , we also need to make sure if the admin is pushing the required route to your client, most cases you wouldnt need to set the security level and on the client side anything that needs to be changed is in the client config 10:06 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has joined ##openvpn 10:08 < tetsu> alright tbh im a member of a hackerspace participating in the 26c3 hacker convention vpn network 10:08 < tetsu> and i am embarrassed that i never learned to vpn 10:08 < tetsu> lol 10:09 < magic_1> you can pm if you like 10:09 < magic_1> be right back 10:10 < tetsu> Well now I feel absolutely retarded. 
10:10 < tetsu> at some point I deleted my default gateway 10:10 < tetsu> i did "verb 4" and it's obvious 10:11 < tetsu> i suck my bad 10:12 < tetsu> so at this point I have a 'tun0' device just like any normal networking device 10:12 < tetsu> to route to whatever ports I want? 10:13 < orion> hmm 10:13 < orion> ping6: sendmsg: Host is down 10:13 < orion> ping6: wrote 2001:4830:16d7:feed::2 16 chars, ret=-1 10:14 < orion> Even though openvpn is up 10:14 < orion> Does anyone know what that can indicate? 10:15 < samaelszafran> Okay, I don't love vpn any more :< 10:15 < samaelszafran> I did the damned routing, but it still isn't working. 10:15 < samaelszafran> :X 10:25 < ecrist> samaelszafran: you're on freebsd. are you using ipfw or pf for your nat on the server? 10:26 < ecrist> orion: it's saying it cannot get to that address, or the responses aren't being sent. 10:29 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 104 (Connection reset by peer)] 10:29 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 10:33 < orion> ecrist: That's on the server. On the client it doesn't display anything. 10:33 < orion> server --> client it gives the sendmsg error. client --> server it doesn't give any error. 10:33 < ecrist> orion: sounds like a firewall issue 10:34 < tetsu> alright, 81.163.192.200 is my 'end-of-vpn IP', and 81.163.200.0/25 is my subnet. I have two NICs on my gateway, one is connected to VPN at the moment, the other to a few PCs 10:34 < tetsu> what do I do to the gateway to allow my PCs to make outgoing connections? 10:35 < ecrist> tetsu: nat 10:35 < tetsu> to the vpn network 10:35 < ecrist> oh, look in the man page for iroute and route 10:36 < samaelszafran> ecrist: ipfw. 10:36 < tetsu> no ip_forward? 
10:36 < ecrist> tetsu: http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing 10:37 < tetsu> thank you, ecrist 10:37 < ecrist> np 10:38 < orion> ecrist: I run FreeBSD on both computers, and there is no firewall enabled on either one. 11:05 -!- Artio [n=_@port-12627.pppoe.wtnet.de] has joined ##openvpn 11:13 < orion> So... 11:14 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn 11:20 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 11:24 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 54 (Connection reset by peer)] 11:32 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 12:14 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn 12:25 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has quit ["Leaving"] 12:26 -!- krphop [n=krphop@watch.out.the.feds.are.rightbehind.us] has joined ##openvpn 12:39 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has quit [Read error: 110 (Connection timed out)] 12:41 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn 13:11 -!- saftsack [n=oliver@p579DD16D.dip.t-dialin.net] has joined ##openvpn 13:12 < saftsack> hi, is there a method in openvpn, which calls rdate first, before try to connect? 13:14 < saftsack> or better, how can i create certificates with a start date of 1969 with easyrsa? 
13:16 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has joined ##openvpn 13:27 -!- McManiaC [n=McManiaC@n-sch.de] has left ##openvpn [] 13:28 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:37 -!- rawDawg [n=rawDawg@cpe-76-188-26-242.neo.res.rr.com] has quit ["( www.nnscript.com :: NoNameScript 4.22 :: www.esnation.com )"] 13:54 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)] 13:55 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 13:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:57 -!- MarcWeber [n=marc@88.80.200.63] has joined ##openvpn 13:59 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 14:00 < ecrist> saftsack: man openssl 14:00 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)] 14:02 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn 14:06 -!- saftsack [n=oliver@p579DD16D.dip.t-dialin.net] has quit ["Verlassend"] 14:21 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn 14:21 < mithridates> hey guys 14:22 < mithridates> I wanna implement a VPN server 14:22 < mithridates> to share internet with my clients 14:22 < mithridates> I'm wondering about using openvpn or pptp 14:23 < mithridates> would you help me? 14:28 < mithridates> my clients use windows to connect to my vpn server 14:28 < mithridates> is it possible to use openvpn for them? 
14:37 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)] 14:56 < magic_1> yes it would be possible 15:00 -!- erpel [n=erpel@erbelding.net] has joined ##openvpn 15:01 < erpel> hello 15:02 < erpel> quick question: if I'm in a network that is not trusted, how could i prevent applications from using the default route in case the vpn link goes down 15:03 < mithridates> magic_1: would you let me know a reliable guide source to follow that? 15:03 < erpel> i tried setting the -net 0.0.0.0/1 and 128.0.0.0/1 routes manually, but they disappear once openvpn removes the interface 15:06 < magic_1> erpel, is this on the client side i take it 15:07 < magic_1> mithridates, yea sure, http://openvpn.net/index.php/open-source/documentation/howto.html 15:07 < erpel> yes, I'm looking for something on the client side 15:07 < erpel> although i do have full control over the server as well if that would help 15:07 < magic_1> then you should be pushing the route from the server side 15:07 < erpel> although my understanding is that the server can't do much there that could not be done in the client file 15:07 < erpel> which route 15:08 < mithridates> magic_1: I wanna have more than 150 clients and I need a client and billing management service for administrating my clients. do you know some tools for it? 15:08 < magic_1> erpel, as for the apps, that is not something you would be doing through openvpn, 15:08 < erpel> the situation i have that if the vpn goes down for any reason, a mail app for example would connect to its server via the default route 15:08 < magic_1> yea there are a few, but the easiest is using an app like that which is used in internet cafes, crude explanation i know 15:08 < magic_1> and you dont want that 15:09 < erpel> not really 15:09 < mithridates> magic_1: would you tell me a name? 15:09 < magic_1> well the app should be going out on pop or imap, close those down using your FW 15:09 < erpel> thank you. 
15:09 < magic_1> sure 15:09 < magic_1> sure give me a sec quick 15:09 < magic_1> just checking the name now quick 15:09 < erpel> I now remember that that was what came to on my way to lunch and forgot again 15:11 < mithridates> magic_1: tnx 15:11 < magic_1> well there are a few, cant find the name of the one i used before 15:11 < magic_1> http://www.cyber-cafe-software.com/ this is one you could use 15:12 < mithridates> umm 15:12 < mithridates> ok thank you 15:12 < mithridates> what about openvpn-as 15:12 < magic_1> erpel, i take it you have a few routes going out to the net 15:12 < mithridates> what's that? 15:12 < erpel> I have the ones that def1 creates as well as one to the local /16 15:12 < magic_1> mithridates, as soon as i can find the one that i use to use i will let you know, it worked really well and i have used it at some really big hotels 15:13 < mithridates> magic_1: oww ok thank you man, I look forward to get the name of that from u 15:13 < erpel> magic_1 I'm gonna have to try to prevent apps from talking to something else than the gateway in the vpn via ipfw 15:14 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [Read error: 60 (Operation timed out)] 15:14 < magic_1> erpel, could you explain a little more in what you trying to do, 15:14 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn 15:14 < magic_1> its a bit late this side, so im not 100% sure i follow 15:15 < erpel> happy to do so 15:15 < magic_1> i take it there are apps that you want to make sure only use the vpn route to get through to the required server side 15:15 < magic_1> would that be correct 15:15 < erpel> actually, any app but yes 15:19 < erpel> now my hope is that ipfw is able to say block anything on the ethernet interface and then whitelist the openvpn remote host and the local net 15:19 < magic_1> hhhmmm 15:19 < magic_1> its really going to be a tricky one 15:20 < magic_1> it will also heavily depends on what FW you are going to be 
using 15:20 < magic_1> i have some really crazy routing stuff going on in some of my environments, but i am using some really well planned FW rules 15:21 < magic_1> ip + protocol+ port based 15:21 < erpel> I hope that ipfw will do as it's already in my OS 15:21 < magic_1> im sure it can, how well are you versed in ipfw 15:22 < erpel> hehe. well played 15:22 < magic_1> cause it can be quite tricky 15:22 < magic_1> what os are you using 15:22 < erpel> This would be my first attempt 15:22 < erpel> OS X 10.6 15:23 < magic_1> well really good luck on that one 15:23 < erpel> hm the underlying stuff is quite close to freebsd and friends 15:23 < mithridates> I'm trying to install openvpn on my centos but: pkcs11-helper-devel is needed by openvpn-2.1.1-1.i386 15:23 < erpel> It is, after all, a unix 15:23 < magic_1> to be honest with you depending on your topology and some other factors i would be using a network FW 15:23 < magic_1> true true 15:23 < erpel> network fw as in separate device? 15:23 < mithridates> I couldn't find the package for centos or the source 15:24 < magic_1> well really it should be your GW 15:24 < magic_1> mithridates, yea i also had some issue with my CentOS boxes to get openvpn going at first 15:24 < magic_1> let me see if i can find where i got them 15:25 < mithridates> :) thank you magic_1 15:25 < magic_1> i found a really awesome system to do my openvpn and FW and routing with 15:25 < erpel> magic_1 problem is, I'm at a conference so the local infrastructure is not under my control and I dont want to carry more stuff around 15:25 < magic_1> have you guys heard of vyatta 15:25 < orion> Ok 15:25 < orion> So... something very strange is happening. 15:26 < orion> When I add "verb 8" to the server's configuration file I can ping it. 15:26 < orion> (Over tun0) 15:26 < orion> But when verb 8 is not there, I can not ping it. 
15:26 < erpel> magic_1 what if I deleted the default route before connecting the vpn 15:27 < magic_1> mithridates, have you downloaded and installed lzo files 15:27 < mithridates> yes 15:27 < erpel> then, after the link and corresponding def1 routes disappear the system is left with no way out to anything w/o specific routes 15:28 < magic_1> well that is what i was going to say now 15:28 < magic_1> you must remember you can make it that from the server side 15:28 < magic_1> that the vpn tunnel gets pushed as your GW 15:28 < magic_1> mithridates, have you try to yum install 15:28 < mithridates> yes 15:29 < magic_1> hhhmmm 15:29 < mithridates> No package pkcs11-helper-devel available. 15:29 < mithridates> No package openvpn available. 15:29 < magic_1> just busy going through all my packages to see if i can find it 15:30 < magic_1> what are you using to try and install 15:30 < mithridates> ssh 15:30 < mithridates> yum install * 15:31 < magic_1> have you tried to use the available rpms 15:31 < erpel> magic_1 you mean i should remove the default route by pushing that from the server? Is there any advantage to that over doing it either manually (shell script) or from the client config file? 15:31 < erpel> I use different client files for different network environments anyways 15:32 < mithridates> yes I used available rpms 15:32 < mithridates> lzo-1.08-4.rf.src.rpm openvpn-2.1.1.tar.gz openvpn-as-1.3.3-CentOS5.i386.rpm pkcs11-helper-1.07.tar.bz2 15:32 < mithridates> I'm using these packages 15:32 < magic_1> erpel: are you trying to remove the routes on the client machines? or on the router 15:32 < magic_1> mithridates, the following are the packages i have used 15:33 < magic_1> openvpn-2.0.9-1.el5.rf.i386.rpm,lzo-1.08-4.rf.src.rpm 15:33 < magic_1> and then just yummed the rest 15:33 < mithridates> magic_1: what do u think about using epel rpms? 
15:34 < mithridates> magic_1: which are from fedora repository , I think those are not stable 15:34 < mithridates> I'm looking for the most stable way to serve vpn 15:34 < magic_1> the ones that i am using work perfect 15:34 < magic_1> i havent had any hassles 15:35 < magic_1> been running for quite a while now 15:35 < mithridates> is it on centos? 15:35 < magic_1> yep 15:35 < orion> Does anyone know why I might be getting the problems I detailed above? 15:36 < magic_1> until i started using vyatta, all my openvpn and FW were CentOS 15:36 < magic_1> apologies orion, 15:36 < mithridates> magic_1: have u used this way? http://notes.brooks.nu/2008/08/openvpn-setup-on-centos-52/ 15:36 < magic_1> orion, why are you putting that in 15:36 < mithridates> magic_1: what's vyatta 15:36 < mithridates> ? 15:37 < magic_1> its a FW/routing/quite a bit actually dedicated system, its direct comp to cisco 15:37 < magic_1> really really easy to get a openvpn system going with it 15:37 < magic_1> takes about 5 min and your up 15:37 < orion> magic_1: Why am I putting "verb 8" in? 15:37 < orion> I did that to try and figure out why the two computers can't ping each other. 15:38 < magic_1> mithridates, pretty sure i have used http://notes.brooks.nu/2008/08/openvpn-setup-on-centos-52/ before 15:38 < magic_1> should work fine 15:38 < orion> And when "verb 8" is in the server config file they can talk to each other. 
15:38 < magic_1> but have your fully updated your system before hand 15:38 < mithridates> magic_1: wow thank you, sure 15:38 < magic_1> you should have had to use that at all orion, 15:39 < magic_1> think i will need to better understand your setup first 15:39 < magic_1> mithridates, before i do any of my CentOS boxes i do full update 15:39 < magic_1> most of the time i dont have hassles then 15:40 -!- erpel [n=erpel@erbelding.net] has quit [Read error: 60 (Operation timed out)] 15:40 < mithridates> ok magic_1 tnx 15:41 < magic_1> mithridates, feel free to pm if you dont come right 15:41 < magic_1> or just post here 15:42 < magic_1> orion, are you running a ip4 or 6 environment 15:45 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"] 15:46 < orion> magic_1: 6 15:50 < magic_1> orion, my ip6 with openvpn is not really good enough to really help, but i can try 15:50 < orion> ok 15:51 < orion> It works just fine with "verb 8" 15:51 < orion> But otherwise, it doesn't work at all. 15:51 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn 15:51 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 16:04 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [] 16:16 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 16:27 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn 16:28 < cityLights> can I bridge an openvpn on both sides? 16:28 < cityLights> I want to get layer 2 in order to supply avahi zero config over vpn 16:29 < cityLights> but on each side the gateway also provides dhcp, so will it work? 16:31 < cityLights> but when the client is actually a gateway to a second subnet, and I bridge the tap0 there along to the eth1 - can it still provide dhcp? 
16:48 -!- erpel [n=erpel@erbelding.net] has joined ##openvpn 17:01 < erpel> magic_1 deleting the default route had the desired effect so fart 17:01 < erpel> :s/fart/far 17:03 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 54 (Connection reset by peer)] 17:07 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn 17:16 < reiffert> cityLights: yes, you can. 17:17 < reiffert> cityLights: you will have to filter the dhcp requests and answers on both openvpn hosts, so that they dont make it over the bridge. 17:28 -!- erpel [n=erpel@erbelding.net] has quit [Read error: 60 (Operation timed out)] 17:33 -!- Rickson [n=Rickson@cust-161.geab-046-1.ephone.se] has quit ["Ex-Chat"] 17:40 -!- orion [n=orion@unaffiliated/orion] has left ##openvpn [] 17:42 -!- barbosa__ [n=barbosa@189.114.38.158] has quit ["Leaving"] 17:44 -!- Zordrak_ [n=jaz@unaffiliated/zordrak] has joined ##openvpn 17:57 -!- Zordrak [n=jaz@unaffiliated/zordrak] has quit [Read error: 110 (Connection timed out)] 18:00 -!- deever [n=deever@78.46.68.172] has joined ##openvpn 18:01 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 18:06 < deever> hi! 
i'd like to give openvpn clients addresses from an existing lan, 192.168.168.0/24, but don't get it to work: these are my configs: http://pastebin.com/d764f03c8 18:07 < deever> the openvpn server and client can communicate: Initialization Sequence Completed 18:07 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:08 < deever> i can't ping anything over vpn 18:09 < reiffert> !tunortap 18:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 18:16 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 18:18 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 18:19 -!- Artio [n=_@port-12627.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- The professional IRC Client :D"] 18:22 -!- le0 [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit ["Leaving"] 18:32 < ecrist> reiffert: bot's dead again 18:35 < reiffert> ecrist: we should get a backdoor for relaunching that thing. 18:36 < reiffert> ssh key based with command="" stuff in .ssh/a_keys file 18:36 < ecrist> we'll get it done this week. krzee hosts a box at my house, he was going to move the bot to that box, but it hasn't been done yet 18:36 < ecrist> we'll get it done. 18:37 < reiffert> yes, we can! 
18:38 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 18:42 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has joined ##openvpn 18:57 -!- MattJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 110 (Connection timed out)] 19:57 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has joined ##openvpn 19:58 -!- LyonJT [n=LyonJT@host81-136-159-20.in-addr.btopenworld.com] has left ##openvpn [] 19:59 -!- craver_ [n=craver@208.53.57.220] has quit [Read error: 60 (Operation timed out)] 20:22 -!- tjz [n=tjz@unaffiliated/tjz] has joined ##openvpn 21:15 -!- exes [n=exes@galileo.exes.org] has quit [Read error: 60 (Operation timed out)] 21:15 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn 22:35 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"] 23:22 -!- phusion__ [i=phusion@88.80.16.38] has quit [Read error: 104 (Connection reset by peer)] 23:23 -!- phusion__ [i=phusion@88.80.16.38] has joined ##openvpn --- Day changed Mon Dec 28 2009 00:25 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 00:28 < krzie> oh damn 00:28 < krzie> i didnt know bot was down 00:29 < krzie> for some lamesauce reason freenode's dronebl service keeps having me listed as an open socks proxy on hemp, even tho its PAM auth 00:30 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 00:30 < krzie> sorry 00:41 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)] 01:10 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 01:15 < tjz> oh 01:15 < tjz> hehehe 01:16 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [] 01:44 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 01:57 < deever> anyone with a working setup giving a vpn client an address from an existing subnet 
on the vpn server? 02:08 < krzie> use this: 02:08 < krzie> !topology subnet 02:08 < vpnHelper> krzie: Error: "topology" is not a valid command. 02:08 < krzie> err 02:08 < krzie> !topology 02:08 < vpnHelper> krzie: "topology" is is it is possible to avoid the !/30 behavior if you use 2.1 with the option: topology subnet http://osdir.com/ml/network.openvpn.devel/2005-09/msg00020.html This will end up being default in later versions. 02:08 < krzie> !/30 02:08 < vpnHelper> krzie: "/30" is (#1) http://openvpn.net/index.php/open-source/faq.html#slash30 explains why routed clients each use 4 ips, or (#2) you can avoid this behavior with by reading !topology 02:08 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn 02:18 < deever> krzie: hmm..do you have a running setup with shared secrets? 02:19 < krzie> nope, dunno if you can do it with ptp or not 02:50 -!- sigi [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Client Quit] 02:52 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 54 (Connection reset by peer)] 02:55 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 02:58 < Diddi> is it in any way possible to mix inetd mode and client-config-dir? or make a similar setup? 03:01 -!- master_of_master [i=master_o@p57B55F58.dip.t-dialin.net] has quit [Read error: 60 (Operation timed out)] 03:02 < krzie> inetd?? 03:02 < krzie> never seen ovpn run by inetd 03:03 < krzie> was that the ovpn way to having multiple clients? 03:04 < Diddi> yeah, old but functional 03:04 < krzie> heh 03:04 < krzie> try --server 03:05 < Diddi> havn't found a better way to have multiple clients connecting to same server, on same port, with different devices 03:05 < krzie> !server 03:05 < vpnHelper> krzie: Error: "server" is not a valid command. 
03:05 < krzie> !sample 03:05 < vpnHelper> krzie: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 03:05 < krzie> !man 03:05 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:05 < krzie> see --server 03:05 < Diddi> but doesn't server connect all clients to the same tap interface? 03:05 < Diddi> on the server-side 03:05 < krzie> it has since 2.0 03:06 -!- master_of_master [i=master_o@p57B56808.dip.t-dialin.net] has joined ##openvpn 03:06 < krzie> oh different devices 03:06 < krzie> why? 03:07 < Diddi> because I want another way of control... firewalling on "physical" interface rather than IP... moving interfaces between bridges depending on current need 03:07 < krzie> heh 03:07 < krzie> i guess i wont be much help 03:08 < Diddi> I also have all interfaces named after the certificate CN..which make me always know which interface a client is connecting to (: 03:11 < Diddi> ah,np.. i'll figure something out :P 03:16 -!- erpel [n=erpel@81.163.112.171] has joined ##openvpn 03:25 -!- erpel [n=erpel@81.163.112.171] has quit [Read error: 60 (Operation timed out)] 03:29 -!- erpel [n=erpel@erbelding.net] has joined ##openvpn 03:43 < jmm> hello. 03:45 < |Mike|> hi jmm :) 03:56 -!- erpel [n=erpel@erbelding.net] has quit [Read error: 60 (Operation timed out)] 04:04 < jmm> I'm trying to setup openvpn ( client ) to use a proxy to connect to a vpn server. my problem is that openvpn fail to connect and tell me : 04:04 < jmm> HTTP proxy returned: 'HTTP/1.0 404 Not Found' 04:04 < jmm> can somebody help please ? 
04:08 < |Mike|> !all 04:08 < vpnHelper> |Mike|: "all" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#' client.conf`), also include which OS and version of openvpn, include your routing tables, firewall settings and client/server logfiles, or (#2) For more detailed instructions, look to: !logs !configs !interface 04:10 < jmm> okay I pastebin that. 04:16 < jmm> http://pastebin.ca/1729311 04:16 < jmm> here is it ! 04:17 < jmm> I'll add the log file umm. 04:21 < jmm> http://pastebin.ca/1729319 04:33 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 04:35 < tompaw> Hi 04:37 < tompaw> I am trying to connect my dd-wrt to openvpn-as auto-login account. When I try to manually launch openvpn with the .conf file created by dd-wrt, that's what I'm getting: http://pastebin.com/m10dd8a75 04:37 < tompaw> I compared the configs generated by dd-wrt and openvpn-as web interface, and the only difference is the 04:37 < tompaw> which exists in as conf but doesn't in ddwrt. 04:37 < tompaw> Could that be causing the problem? 04:38 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:38 < |Mike|> tompaw: what do you get in your logs 04:39 < |Mike|> jmm: hm, i'm not familiar with http-proxy in combination with OpenVPN. Maybe that someone else can help you with that. 04:39 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn 04:39 < ScriptFanix> hi 04:40 < tompaw> |Mike|: exactly that thing that I pastebin'd and timeout in the end. 04:41 < ScriptFanix> I have strange addressing issues with openvpn: the server configures its interface with 10.8.0.1 peer 10.8.0.2, and sends 10.8.0.6 peer 10.8.0.5 to the client 04:41 < tompaw> TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity 04:41 < ScriptFanix> obviously, it won't ping 04:43 < tompaw> blah, it's missing that tls-auth tag. 
04:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 04:43 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 04:46 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 04:47 < |Mike|> !tls-auth 04:47 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how 04:49 < ScriptFanix> http://paste.debian.net/55057/ 04:50 < jmm> |Mike|: thanks still :) 04:53 < tompaw> |Mike|: that's it, gotta talk to ddwrt guys, cheers! 05:01 < jmm> heh guys, nobody know about openvpn client's through a proxy ? 05:05 < |Mike|> jmm: most people idle in this channel, I think that there're only ~ 3 to 4 people here what are active (with knowledge imho) 05:09 < jmm> ew. 05:09 < jmm> any other place where I can find help ? 05:10 < ScriptFanix> jmm: by proxy you mean http proxy ? 05:11 < jmm> yes. 05:11 < ScriptFanix> you might try running openvpn on port 443, proxies are not supposed to analyse what goes through https (some do) 05:11 < ScriptFanix> you might also try httptunnel 05:12 < jmm> unfortunately, I'm not admin for the proxy, I cannot change its configuration. 05:12 < jmm> umm httptunnel ? lemme search info about it. 05:21 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has quit [Remote closed the connection] 05:24 -!- le0_ [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has joined ##openvpn 05:36 < theDoc> what was the problem? 
05:50 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn 05:55 -!- le0_ [n=itsle0@host81-157-147-203.range81-157.btcentralplus.com] has quit ["Leaving"] 06:03 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 06:03 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn 06:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 54 (Connection reset by peer)] 06:38 -!- Irssi: ##openvpn: Total of 87 nicks [0 ops, 0 halfops, 0 voices, 87 normal] 07:06 < jmm> theDoc: hi, sorry I was off for breakfast. 07:06 < jmm> theDoc: my problem is setting up a openvpn client connection through a http proxy. 07:07 < jmm> here is some information : 07:07 < jmm> http://pastebin.ca/1729319 07:08 < jmm> I think the problem maybe because the http proxy is a 'navista' . not something like squid or so. 07:39 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn 08:02 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn 08:05 -!- stereo2 [i=stereo@69.60.117.146] has joined ##openvpn 08:06 < stereo2> !redirect 08:06 < vpnHelper> stereo2: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server. 08:14 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn 08:24 < stereo2> hi, i've got a weird routing problem that could be openvpn related 08:24 < ecrist> ok... 08:25 < stereo2> i'm trying to use policy routing with iproute2/iptables to route over my vpn 08:25 < stereo2> so i created a new routing table 08:25 < ecrist> why do you think it's openvpn related? 
08:25 < stereo2> setup a rule to mark packets destined for my vpn
08:26 < stereo2> setup a mangle rule in iptables to mark packets bound for x.x.x.x to route to the vpn
08:26 < stereo2> then created an SNAT rule to change the source address of packets to my vpn endpoint
08:27 < stereo2> but when i try to ping an endpoint through the tunnel it doesn't work
08:27 < stereo2> now
08:27 < stereo2> if i manually add a route to the default routing table it does work
08:27 < ecrist> why do you think it's openvpn related?
08:27 < stereo2> and also, when i use tcpdump on the tun interface, i can see the packets going back and forth
08:27 < stereo2> i don't
08:27 < stereo2> i honestly don't know
08:28 < ecrist> 08:24 < stereo2> hi, i've got a weird routing problem that could be openvpn related
08:28 < ecrist> it's not openvpn related.
08:28 < stereo2> "could be"
08:28 < ecrist> openvpn doesn't do routing, really
08:28 < ecrist> it does some very basic packet forwarding, but that's all
08:28 < stereo2> i just don't know if maybe there's some configuration option i've missed
08:28 < ecrist> not within openvpn
08:29 < stereo2> alright
08:29 < ecrist> i would suggest asking in a linux channel about your iproute/iptables stuff
08:29 < stereo2> thanks
08:29 -!- stereo2 [i=stereo@69.60.117.146] has left ##openvpn []
08:32 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit ["Lost terminal"]
08:56 * ecrist works on rolling an openvpn client for windows
08:58 < |Mike|> omg!
08:58 < ecrist> yeah, I know.
08:59 < ecrist> I'm not even sure it's possible to roll your own installer with the new gui packaging since Mathias isn't doing it anymore
08:59 -!- tjz [n=tjz@unaffiliated/tjz] has quit [Read error: 110 (Connection timed out)]
09:04 < ecrist> doesn't look like it
09:05 < ecrist> I'm actually considering rolling my work VPN server into user/pass auth with a generic SSL certificate
09:05 < ecrist> and using our LDAP server on the back end.
09:05 < |Mike|> That's exactly how our setup looks :-)
09:05 < ecrist> it's more difficult to hand out static IPs, though.
09:08 < ecrist> |Mike|: do you assign static IPs, and if so, what method do you use?
09:08 -!- dextor[work] [n=dextor[w@59.162.86.164] has joined ##openvpn
09:09 < ecrist> looks like I need to use NSIS to create an installer to include the certificates, which is just a wrapper for the existing installer
09:09 < ecrist> lame
09:10 -!- dextor[work] [n=dextor[w@59.162.86.164] has quit [SendQ exceeded]
09:10 -!- dextor[work] [n=dextor[w@122.182.0.38] has joined ##openvpn
09:11 < |Mike|> ecrist: we're using dhcp here
09:11 < |Mike|> internal static IPs are so '90s
09:12 < ecrist> so no statics for your vpn users?
09:12 < ecrist> does DNS propagation still work across openvpn for DHCP?
09:12 < ecrist> you using bridged?
09:13 < |Mike|> we have an internal dhcp server for that, and yes it's bridged
09:15 < ecrist> that's how one of my vpns is configured (small security company I own) but the company that writes my real paycheck has had this 2.0.9 server with static IPs for quite some time
09:15 < ecrist> using tun
09:16 < ecrist> I'm considering rolling it over to tap and using dhcp.
09:19 < |Mike|> I would go for that solution imho.
09:21 < |Mike|> bbl. Have to catch a train
09:30 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
09:30 < jmm> hi again guys.
09:31 < jmm> is it possible to have 2 openvpn clients running on the same computer, using tcp and both using the same http proxy?
09:31 < jmm> the network configuration here is driving me crazy!
09:32 < ecrist> it should be, yes
09:34 < jmm> umm so something else is not working. for some reason the second ovpn client cannot connect.
09:35 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has quit ["Ex-Chat"]
09:35 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
09:36 < ecrist> !logs
09:36 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
09:36 < jmm> gimme a minute to get all this.
09:54 < jmm> http://pastebin.ca/1729558
09:54 < jmm> wow that verb 6 thing gave a lot of output.
09:55 < ecrist> that's what we like. ;)
09:55 < jmm> :)
09:56 -!- rajin [n=_@port-13848.pppoe.wtnet.de] has joined ##openvpn
09:56 < ecrist> jmm: the client log is the non-working one, right?
09:56 < jmm> yes.
09:57 < jmm> it's long but it ends badly.
09:57 < ecrist> it looks like the problem is actually with your proxy, not with openvpn
09:57 < jmm> I feared that :\
09:57 < jmm> I've got no clues about that proxy, except another ovpn instance is using it.
09:58 -!- pif [n=ldm@zenon.apartia.fr] has joined ##openvpn
09:58 < jmm> with the same configuration except remote port (from ovpn client config) and a different key.
09:58 < jmm> so I guess it's that port stuff that breaks everything.
09:59 < pif> hi, my ovpn client stops at "UDPv4 link remote", what should I check?
10:00 < ecrist> pif: that tells us a lot about nothing
10:00 < ecrist> !logs
10:00 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
10:00 < Diddi> hm.. when using --client-connect script, is it possible to delay the --user and --group? It seems that openvpn drops privileges before executing the script.. I need root privs in the script (:
10:01 < ecrist> I think so, check the man page
10:01 < pif> ah, certificate expired....
10:01 < ecrist> glad we could help, pif. :)
10:01 < Diddi> exes: i've done that, but I'm not sure what to search for.. haven't found anything useful
10:01 < pif> ecrist: you did, really :)
10:01 < Diddi> (:
10:02 < ecrist> Diddi: look for script-security and --up
10:03 < Diddi> ecrist: thanks
10:07 -!- rajin [n=_@port-13848.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Now with extra fish!"]
10:08 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
10:09 < Diddi> ah, script-security is new for 2.1.. of course :p
10:10 -!- pif [n=ldm@zenon.apartia.fr] has quit ["leaving"]
10:10 < Diddi> and --up doesn't pass common_name
10:11 < Diddi> or are the environment variables always accessible? even with --up?
10:11 < Diddi> oh yes
10:12 < Diddi> now we're getting somewhere (:
10:13 < ecrist> there are about a half-dozen vars passed in the environment for scripts
10:13 < ecrist> it should all be covered in the manual
10:13 < Diddi> yeah, found them
10:13 < Diddi> never actually seen them before, they could be very useful in my setup
10:22 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:22 -!- slonbg [n=chatzill@216.17.90.91] has joined ##openvpn
10:25 < slonbg> !howto
10:25 < vpnHelper> slonbg: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
10:38 < jmm> ecrist: still around? you were right, some offending firewall rule was blocking the port.
10:39 < ecrist> yep, still here
10:39 < ecrist> thanks for the info
10:40 < jmm> it looks like I have some other troubles now.
10:40 < jmm> um
10:40 < jmm> meh
10:41 < jmm> I guess I'm ready for another turn on pastebin.ca ;)
10:41 < ecrist> :)
10:47 < jmm> http://pastebin.ca/1729616
10:47 < jmm> it seems I can contact the proxy now, but no more.
10:48 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 60 (Operation timed out)]
10:48 < ecrist> jmm, it's failing on proxy authorization
10:48 < ecrist> still not getting to openvpn
10:49 < jmm> you mean openvpn auth on proxy?
10:49 < ecrist> no, it appears the proxy server wants you to auth before it will connect to openvpn on the other end.
10:50 < Diddi> interesting that --client-connect and --client-config-dir are available only in mode server... it'd be perfect to have them available in inetd mode as well... since --ifconfig-push doesn't work within a --up script... and --up-delay doesn't work with --mode server... I feel like I'm in a catch 22 here..
10:50 < ecrist> Diddi: why do you want to run within inetd?
10:50 < ecrist> that's silly
10:50 < Diddi> because I want each client connected to its own tap device
10:50 < jmm> ecrist: it's strange it's not working, I'm using the same auth file as the working ovpn.
10:50 < ecrist> Diddi: why would you want that?
10:51 < ecrist> jmm, if it's not getting to the OpenVPN server, I can't help.
10:51 < Diddi> ecrist: because then I can firewall per-device.. and most importantly, I can more easily move clients between bridges depending on current need
10:51 < jmm> ecrist: I'll find out, thanks for your help still.
10:54 < Diddi> using --server or similar I need more than one server instance always running, on different ports, and I need to keep track of which server is on which bridge
10:54 < Diddi> and I can only firewall/traffic shape on IP among other things..
10:56 < Diddi> a --mode server that actually creates new tap interfaces on each connection would be great... but that doesn't exist yet afaik
10:56 < Diddi> (:
10:58 < jmm> oh I found out, that stupid proxy doesn't want to connect to 1194, it wants something like 443.
10:58 < jmm> triple pfft. another stupid vpn runs on that port.
11:13 < deever> i'm getting this on the client: http://pastebin.com/df5371ea
11:13 < deever> and this on the server: http://pastebin.com/d1c22c3f5
11:13 < deever> what's the problem?
11:17 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
11:17 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:21 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
11:28 -!- Rzewus [n=Rzewus@153.19.140.234] has joined ##openvpn
11:29 < Rzewus> hello
11:29 < Rzewus> !howto
11:29 < vpnHelper> Rzewus: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
11:29 < Rzewus> !goal
11:29 < vpnHelper> Rzewus: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
11:30 < Rzewus> !configs
11:30 < vpnHelper> Rzewus: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
11:47 -!- X-Raimo [n=alexmura@94.29.71.244] has joined ##openvpn
11:51 < X-Raimo> hi. My server config is: http://paste.org.ru/?jbbzt2 I have problems with routing. I need openVPN to keep my default route to the internet and write only routes to access the VPN network and my LAN (in this case 192.168.100.0/24). How do I change the config?
11:54 < X-Raimo> !redirect @ X-Raimo
11:54 < vpnHelper> X-Raimo: Error: "redirect" is not a valid command.
11:54 < X-Raimo> !route @ X-Raimo
11:54 < vpnHelper> X-Raimo: Error: "route" is not a valid command.
11:55 < ecrist> !route
11:55 < vpnHelper> ecrist: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT
11:55 < ecrist> !redirect
11:55 < vpnHelper> ecrist: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
11:56 < X-Raimo> !def1
11:56 < vpnHelper> X-Raimo: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
11:59 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
12:09 < Rzewus> OK then ... my problem is more related to the client so there is no need for the server conf I suppose :). My client machine is Windows 7, and I just love its sleep function, but when the computer is awakened I must manually restart the OpenVPN service to establish a connection with the server, is there any way to automate this?
12:10 < ecrist> client configs?
12:12 < Rzewus> http://paste.org.ru/?nyg4s1
12:22 < Rzewus> it's not complicated ... only certs and remote are different from the example client.conf
12:24 -!- dextor[work] [n=dextor[w@122.182.0.38] has quit [SendQ exceeded]
12:33 < deever> i'm getting this on the client: http://pastebin.com/df5371ea
12:33 < deever> and this on the server: http://pastebin.com/d1c22c3f5
12:33 < deever> what's the problem?
12:38 < X-Raimo> I still have the problem with replacement of the default route when a client connects to my server. My server.conf: http://paste.org.ru/?jbbzt2
12:42 < X-Raimo> Here are my routing tables: http://paste.org.ru/?ea0rut
12:47 -!- slonbg [n=chatzill@216.17.90.91] has quit ["ChatZilla 0.9.86 [Firefox 3.6b5/2009120400]"]
12:50 < robotti^> my openvpn client is working perfectly! :)
12:51 < robotti^> Now surfing over openvpn vpn service :)
12:52 < X-Raimo> robotti^: can your users access the internet when they're connected to your VPN?
12:54 < robotti^> I am using a third party service. But when using my own vpn, of course :)
12:56 < X-Raimo> robotti^: please help me. My config is: http://paste.org.ru/?jbbzt2 And the problem is that people are left without internet when they're connected to my VPN. Or can I just see your server.conf pls?
12:56 < robotti^> X-Raimo: connect to the Internet over vpn?
12:57 < X-Raimo> robotti^: They can 1) connect via my VPN gateway to the internet or 2) connect to the internet via their current gateway and at the same time be able to see my network
13:00 < robotti^> You want clients to connect to your lan and your Internet?
13:01 < ecrist> X-Raimo: you want vpn clients to use your internet connection, right?
13:01 < ecrist> !def1
13:01 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
13:02 < X-Raimo> ecrist: here's my config: http://paste.org.ru/?jbbzt2 It already has "def1"
13:02 < ecrist> X-Raimo: did you set up nat on the vpn server?
13:03 < X-Raimo> ecrist: yes
13:03 < ecrist> then what's broken?
13:04 < X-Raimo> ecrist: at least those users who are using LAN (192.168.100.0/24) can access internet...
13:06 < ecrist> are you routing from 192.168.0.0/24 or 192.168.1.0/24?
13:07 < X-Raimo> ecrist: from 192.168.200.0/24 (VPN) to 192.168.100.0/24 (LAN) right now
13:07 < ecrist> what address does your vpn server have?
13:07 < X-Raimo> ecrist: Here are my routing tables: http://paste.org.ru/?ea0rut
13:08 < X-Raimo> ecrist: WAN is 10.0.1.53 LAN is 192.168.100.1 and TUN is 192.168.200.1
13:08 < ecrist> X-Raimo: can I see your server config, please?
13:08 < X-Raimo> ecrist: yes http://paste.org.ru/?jbbzt2
13:09 < ecrist> remove line 31
13:09 < X-Raimo> ecrist: ok. Let me try...
13:10 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 104 (Connection reset by peer)]
13:10 -!- roentgen [n=HaRT@miranda/user/roentgen] has joined ##openvpn
13:12 < X-Raimo> ecrist: it didn't help. Internet doesn't appear
13:14 < ecrist> !configs
13:14 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
13:15 < X-Raimo> ecrist: I fixed the problem! It was my firewall
13:15 < ecrist> congrats
13:15 * ecrist points to /topic
13:15 < X-Raimo> ecrist: big thank you! :)
13:38 -!- corretico__ [n=laguilar@201.201.46.106] has joined ##openvpn
13:55 -!- X-Raimo is now known as XRaimo
13:56 -!- XRaimo is now known as X-Raimo
13:57 < deever> i'm getting this on the client: http://pastebin.com/df5371ea
13:57 < deever> and this on the server: http://pastebin.com/d1c22c3f5
13:57 < deever> what's the problem?
13:58 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
14:00 < X-Raimo> looks like "error=unable to get local issuer certificate:" causes the problem
14:01 -!- roentgen [n=HaRT@miranda/user/roentgen] has quit [Read error: 104 (Connection reset by peer)]
14:01 < X-Raimo> deever: check your certificates and SSL library
14:04 < deever> ah, wait, it's a child CA
14:04 < deever> the root ca is also needed, isn't it?
14:07 < X-Raimo> deever: did you copy ca.crt to your client?
14:08 < deever> yes
14:11 < X-Raimo> deever: is this certificate standalone and self-issued, or does a parent CA exist?
14:11 < deever> parent exists, but is also self-issued
14:15 -!- X-Raimo is now known as XRaimo
14:15 < XRaimo> deever: It looks to me like the problem is with the parent CA or child CA
14:17 < deever> XRaimo: i needed to paste the root ca in, no problem anymore! :)
14:17 < deever> thank you for the hint! :)
14:19 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
14:23 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
14:30 < XRaimo> deever: cool! You're welcome!
14:37 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
14:40 -!- XRaimo [n=alexmura@94.29.71.244] has left ##openvpn []
14:42 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn
14:43 -!- XRaimo [n=alexmura@94.29.71.244] has joined ##openvpn
14:43 -!- XRaimo [n=alexmura@94.29.71.244] has left ##openvpn []
14:45 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
15:10 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 113 (No route to host)]
15:17 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
15:34 -!- corretico__ [n=laguilar@201.201.46.106] has quit [Read error: 110 (Connection timed out)]
15:36 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
15:44 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
16:11 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.16/2009120208]"]
16:21 -!- MrPocketz [n=Jimmy@unaffiliated/mrpockets] has joined ##openvpn
16:24 < MrPocketz> Which protocol does OpenVPN use?
16:35 < Bushmills> MrPocketz: tcp or udp, as you specify in config
16:38 < MrPocketz> is it SSL though?
16:43 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
16:46 < robotti^> yep
17:10 -!- MrPocketz [n=Jimmy@unaffiliated/mrpockets] has quit [Read error: 113 (No route to host)]
17:30 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
17:38 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
17:53 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Read error: 54 (Connection reset by peer)]
18:08 -!- samaelszafran [i=samaelsz@unaffiliated/samaelszafran] has left ##openvpn []
18:09 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has joined ##openvpn
18:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
18:48 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
18:50 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 60 (Operation timed out)]
19:10 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has joined ##openvpn
19:14 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit []
19:20 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn
19:21 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
19:23 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: ScriptFanix, deever
19:23 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: master_of_master, cityLights, Kas, bvierra, krphop, Zordrak_, rbd
19:25 -!- Netsplit over, joins: bvierra
19:26 -!- Netsplit over, joins: krphop
19:28 -!- ScriptFanix [i=vincent@Tuluk.riquer.fr] has joined ##openvpn
19:30 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has joined ##openvpn
19:32 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
19:32 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
19:33 -!- deever [n=deever@78.46.68.172] has joined ##openvpn
19:34 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn
19:34 -!- master_of_master [i=master_o@p57B56808.dip.t-dialin.net] has joined ##openvpn
19:43 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
19:46 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: master_of_master, Zordrak, cityLights, Kas
19:49 -!- Netsplit over, joins: master_of_master
19:49 -!- Netsplit over, joins: Zordrak
19:52 -!- kyrix [n=ashley@chello213047159139.33.11.univie.teleweb.at] has quit [Remote closed the connection]
19:55 -!- deever [n=deever@78.46.68.172] has joined ##openvpn
19:55 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
19:56 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has joined ##openvpn
20:32 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: redfox
20:37 -!- Netsplit over, joins: redfox
20:41 -!- phy [n=phy@l.monkey.org] has joined ##openvpn
20:42 -!- g` [n=nop@78-60-219-94.static.zebra.lt] has joined ##openvpn
20:43 < phy> setup question: i have an openvpn server and client configured and the client can connect to the server no problem. however, while i see traffic on the tun0 interface on the server routed from the client, i don't see that traffic being routed externally to eth0.
20:43 < phy> this is on gentoo and iptables isn't installed
20:43 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: n5, LowKey, jmm, exes, grub_booter_, sigius, Section58, sakhi, phusion__
20:44 < phy> any idea what i might google for to troubleshoot?
20:44 -!- Netsplit over, joins: LowKey
20:45 -!- Netsplit over, joins: sakhi
20:45 -!- Netsplit over, joins: phusion__
20:45 -!- Netsplit over, joins: jmm
20:45 -!- Kirbo [n=Kirby@S010600146cf8bed9.cg.shawcable.net] has joined ##openvpn
20:48 -!- Netsplit over, joins: Section58
20:50 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
20:50 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
20:50 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn
20:50 -!- n5 [n=nop@78-60-219-94.static.zebra.lt] has joined ##openvpn
20:51 -!- exes [n=exes@galileo.exes.org] has quit [Connection reset by peer]
20:52 -!- Kirbo [n=Kirby@S010600146cf8bed9.cg.shawcable.net] has left ##openvpn ["Leaving"]
20:53 -!- exes [n=exes@galileo.exes.org] has joined ##openvpn
21:03 < phy> okay, so i turned on ip_forward and not i see packets being routed from tun0 to eth0. however, the addresses are not being NAT'ed, i.e. the server is just routing the client's ip directly, e.g. 10.1.0.6 src address on a 192.168.1.0/24 net.
21:03 -!- n5 [n=nop@78-60-219-94.static.zebra.lt] has quit [Read error: 110 (Connection timed out)]
21:03 < phy> *now
21:04 < phy> openvpn.conf is configured with the line "server 10.1.0.0 255.255.255.0"
21:04 < phy> do i need to add additional configuration options to force openvpn to NAT for clients as well? is that something that has to be configured in iptables?
21:06 -!- Hottm [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has joined ##openvpn
21:18 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"]
21:23 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
21:24 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: grub_booter_, sigius
21:25 -!- Netsplit over, joins: deever
21:28 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: cityLights
21:29 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
21:30 -!- Netsplit over, joins: deever
21:30 -!- Netsplit over, joins: cityLights
21:30 -!- sigius [n=sigius@93-125-185-45.dsl.alice.nl] has joined ##openvpn
21:34 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
21:44 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
21:45 -!- ooo [n=ooo@pool-96-236-163-167.pitbpa.east.verizon.net] has joined ##openvpn
21:46 -!- ooo [n=ooo@pool-96-236-163-167.pitbpa.east.verizon.net] has left ##openvpn []
21:47 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: cityLights
21:48 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: grub_booter_
21:48 -!- deever [n=deever@78.46.68.172] has joined ##openvpn
21:50 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
21:51 -!- Netsplit over, joins: deever
21:52 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
21:57 -!- grub_booter_ [n=charlie@d54C519D5.access.telenet.be] has joined ##openvpn
22:06 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn
22:13 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
22:13 -!- Netsplit over, joins: deever
22:15 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: cityLights
22:18 -!- Netsplit crichton.freenode.net <-> irc.freenode.net quits: deever
22:18 -!- Netsplit over, joins: deever
22:21 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
23:13 -!- seal [n=chatzill@117.93.22.134] has joined ##openvpn
23:13 < seal> hi
23:15 < seal> I have a cisco vpn to connect to. it says ssl enabled - that can be connected through browser - seems by java. Can such a VPN be connected to by openvpn?
23:18 -!- tetsu [n=hallibur@pool-173-78-26-241.tampfl.fios.verizon.net] has quit [Read error: 110 (Connection timed out)]
23:25 < Bushmills> no
23:25 < Bushmills> !notovpn
23:25 < vpnHelper> Bushmills: "notovpn" is "notopenvpn" is your problem is not about openvpn, and while we try to be helpful, you may have a better chance of finding your answer if you ask your question in a channel related to your problem
23:26 < Bushmills> sorry, wrong factoid. not meant to berate you
23:30 < Bushmills> phy: replies won't be returned to your vpn server when their origin addresses are from the 10.x.x.x network
23:31 < Bushmills> openvpn doesn't NAT.
23:32 < Bushmills> recompile your kernel to include iptables, and install the iptables service programs.
23:33 < Bushmills> if you only want to route to LANs behind the openvpn server, that's not necessary
23:34 < Bushmills> (but then, there's also no need for NAT)
--- Day changed Tue Dec 29 2009
00:13 -!- seal is now known as seal[away]
00:16 -!- seal[away] is now known as seal
00:17 -!- seal [n=chatzill@117.93.22.134] has quit ["See you later~"]
00:58 < caimlas> hi, I was wondering if anyone might have a reference example of a server config for a vpn bridge allowing me to use local DHCP services instead of ovpn config based dhcp. I'm getting: "MULTI: no dynamic or static remote --ifconfig address is available for client" in logs.
00:59 < caimlas> (do I need to pastebin logs/config?)
01:12 -!- noname [n=noname@94.75.217.251] has joined ##openvpn
01:13 -!- noname is now known as Guest85662
01:19 -!- Guest85662 is now known as Dieg0
01:23 < krzie> caimlas --server-bridge in the manual
01:23 < krzie> !man
01:23 < vpnHelper> krzie: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend!
01:31 < reiffert> caimlas: see howto.
01:31 < reiffert> morning krzie
01:32 < reiffert> and morning Bushmills
01:32 < krzie> morning morning
01:32 < krzie> i can't wait for the ccc ftp mirror to have the talks
01:36 < reiffert> krzie: so watch em live!
01:37 < krzie> timezone issue
01:37 < reiffert> Just a matter of interest.
01:38 < krzie> would create a problem at work, lol
01:38 < krzie> easier to wait and watch it on my time when possible
01:39 < krzie> which actually works really nicely cause im about to head to costa rica and can put a bunch of it on my ipod
01:39 < reiffert> 4:)
01:39 < reiffert> awesome
--- Log closed Tue Dec 29 01:49:26 2009
--- Log opened Tue Dec 29 06:42:18 2009
06:42 -!- ecrist [i=ecrist@pdpc/supporter/professional/ecrist] has joined ##openvpn
06:42 -!- Irssi: ##openvpn: Total of 92 nicks [0 ops, 0 halfops, 0 voices, 92 normal]
06:42 -!- Irssi: Join to ##openvpn was synced in 13 secs
06:57 < krzie> !pptp
06:57 < vpnHelper> krzie: Error: "pptp" is not a valid command.
06:58 < krzie> !learn pptp as PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp
06:58 < vpnHelper> krzie: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
06:58 < mort_gib> and not a valid alternative to OpenVPN either
06:58 < krzie> !learn pptp as PPTP is known to be a faulty protocol. The designers of the protocol, Microsoft, recommend not to use it due to the inherent risks. Lots of people use PPTP anyway due to ease of use, but that doesn't mean it is any less hazardous. The maintainers of PPTP Client and Poptop recommend using OpenVPN (SSL based) or IPSec instead. http://pptpclient.sourceforge.net/protocol-security.phtml to read about why to not use pptp
06:58 < vpnHelper> krzie: Joo got it.
07:03 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
07:08 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
07:16 < Bushmills> reiffert, morning to you too, and krzie
--- Log closed Tue Dec 29 07:21:36 2009
--- Log opened Tue Dec 29 07:21:40 2009
07:21 -!- ecrist [i=ecrist@mr.garrison.secure-computing.net] has joined ##openvpn
07:21 -!- Irssi: ##openvpn: Total of 91 nicks [0 ops, 0 halfops, 0 voices, 91 normal]
07:22 -!- Irssi: Join to ##openvpn was synced in 33 secs
07:24 -!- krzie [n=krzee@butters.secure-computing.net] has joined ##openvpn
07:28 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
07:31 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: deever, dollabill
07:33 -!- Netsplit over, joins: dollabill, deever
07:34 < ecrist> good morning
07:46 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
07:49 -!- cybertron [n=cybertro@84.200.248.176] has joined ##openvpn
07:49 < cybertron> hello
07:53 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: makomi, cybertron
07:56 -!- Netsplit over, joins: cybertron
07:58 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
08:00 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has left ##openvpn ["It's time to say goodbye"]
08:00 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
08:05 < makomi> Hi, I've got a vpn tunnel between my server on the internet and my dsl router (openwrt). I can ping from openwrt to the server through the tunnel from both sides. but i can't ping from the server to any client behind the router or vice versa.
08:05 < makomi> krzie: Here is the server config: http://pastebin.com/d6193b045 and the ccd: http://pastebin.com/d366c7e65 and here is the config from openwrt: http://pastebin.com/d3474e666
08:06 < makomi> and the logfile from the server: http://pastebin.com/d7ab977e9
08:06 < makomi> and the client: http://pastebin.com/d6a899f44
08:25 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote closed the connection]
08:27 < deever> what to do if server and client can ping each other, but not the client and the other hosts on the server's network?
08:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:30 < ewook> you never pushed a route I guess. check your route table if you have an entry.
08:51 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:51 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: deever, dollabill
08:52 -!- Netsplit over, joins: dollabill
08:53 -!- deever [n=deever@78.46.68.172] has joined ##openvpn
08:59 < deever> ewook: http://pastebin.com/d25b62a8f
08:59 < deever> i don't see the problem?
09:16 < ecrist> deever: we need more information than that 09:16 < ecrist> you're missing a route or have a firewall issue 09:16 < ecrist> !configs 09:16 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 09:20 -!- Hottm [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has quit [Read error: 110 (Connection timed out)] 09:26 < Bushmills> deever: one thing you can do is reading this: 09:26 < Bushmills> !route 09:26 < vpnHelper> Bushmills: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 09:27 < Bushmills> you could also read, in man page, about client-to-client 09:28 -!- Avalloc [n=_@port-11621.pppoe.wtnet.de] has joined ##openvpn 09:30 < deever> ecrist, Bushmills: http://pastebin.com/d27128006 09:34 -!- fgs [n=fgsch@87-194-38-117.bethere.co.uk] has joined ##openvpn 09:34 < fgs> hi 09:35 < deever> fgs: hi 09:35 < fgs> i'm trying to setup openvpn between windows and unix. it works fine, but i need to add a push in the server, otherwise the client keeps showing PUSH_REQUEST (status=1) 09:35 < fgs> is the push mandatory? 09:40 < ecrist> fgs, check out the /topic 09:44 < fgs> i can provide the config, but it was more a non-specific question 09:45 < fgs> if i use client, which the manpage says it translates to tls-client and pull, and i remove pull 09:45 < fgs> it wants a certificate 09:45 < fgs> if i add pull, it does not connect unless i have a push on the server 09:50 * ecrist doesn't see a question 09:50 < fgs> is push required if the client does pull? 09:50 < ecrist> shouldn't be, I think 09:51 < ecrist> why aren't you pulling?
09:51 < fgs> client => tls-client + pull 09:51 < fgs> if i remove client and i use only tls-client, it requires cert 09:51 < fgs> so if i want to use auth-user-pass, i want pull or client 09:52 < fgs> and therefore i also need push in the server 09:54 < ecrist> ok 09:54 < fgs> i dont understand why pull is required by tls-client, or why push is required by pull 09:54 < fgs> so i came here to ask 09:56 < fgs> looking at the sources shows that pull is required by tls-client, so *shrug* 10:02 -!- kc8pxy [n=gecko@75-145-57-201-utah.hfc.comcastbusiness.net] has joined ##openvpn 10:02 < kc8pxy> !goal 10:02 < vpnHelper> kc8pxy: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 10:02 < kc8pxy> ok 10:03 < kc8pxy> what i'm trying to do is run openvpn on my android phone. i have all the hard parts done. yes this is an openvpn question. 10:06 < kc8pxy> i have a known good config on a working openvpn ported to the phone. authentication succeeds. it brings up the tun device as tun0. what fails is ifconfig flops on setting the ip and interface info for tun0. i think i have a solution that will work, if i tell my tun0 to get its ip from dhcp. is that a valid solution, and how do i modify my existing server to make that work? 10:11 < ecrist> !logs 10:11 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard. 10:17 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"] 10:21 < deever> ecrist, Bushmills: this is what i have: http://pastebin.com/d25b62a8f http://pastebin.com/d27128006 10:21 < deever> is the ccd stuff really required?
i can remember of having done it long time ago without that stuff 10:28 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"] 10:31 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has joined ##openvpn 10:33 < ecrist> ccd isn't required unless you're using it 10:33 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 54 (Connection reset by peer)] 10:33 < ecrist> why do you have server bridge and ifconfig in the same config? 10:33 < ecrist> pull out line 3 10:35 < ecrist> in your client config, you're redundant on lines 28 and 19 10:38 < ecrist> kc8pxy: you need to provide your logs if you want help... 10:38 < deever> ecrist: well, without the ifconfig line in the server config, i can't even ping the server from the client 10:39 < ecrist> deever: server-bridge assigns address 192.168.158.1 to the server 10:39 < ecrist> you're overwriting that with 192.168.168.128 10:39 -!- corretico__ [n=laguilar@201.201.46.106] has quit ["Leaving"] 10:40 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 10:47 -!- scyld [n=krajcong@unaffiliated/wasyl] has quit [Nick collision from services.] 10:48 -!- scyld [n=krajcong@unaffiliated/wasyl] has joined ##openvpn 10:49 -!- dextor[work] [n=dextor[w@59.162.86.164] has joined ##openvpn 10:50 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 10:52 < deever> ecrist: without the "client" line in client config, the client doesn't use the route from the server 10:52 < ecrist> remove the tls-client option 10:52 < ecrist> keep client 10:53 < ecrist> client implies tls-client 10:53 < deever> and without the "ifconfig" line in the server config, i can't even ping the server from the client 10:54 < deever> pinging another host on server's network doesn't work in either case, but that's the goal of my exercise...;) 10:55 < ecrist> deever: if you work with me here, it'll be much easier.
11:01 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn 11:05 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection] 11:06 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn 11:08 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: deever 11:08 -!- Netsplit over, joins: deever 11:10 < deever> ecrist: removing the "tls-client" doesn't change anything 11:10 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn 11:15 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn 11:24 < deever> ecrist: when i change the server config line to "server-bridge 192.168.168.128 255.255.255.0 192.168.168.129 192.168.168.254", replace "ifconfig" with "route" and add a respective route-gateway line, still no improvement... 11:24 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: deever 11:25 -!- Netsplit over, joins: deever 11:26 -!- hyper_ch [n=hyper@103-115.79-83.cust.bluewin.ch] has quit [Remote closed the connection] 11:28 -!- dextor[work] [n=dextor[w@59.162.86.164] has quit [Read error: 104 (Connection reset by peer)] 11:40 -!- GoDanl [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has joined ##openvpn 11:46 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn 11:47 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 11:56 -!- baz_work2 [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn 11:57 < baz_work2> hey whats the tun.ko module? 11:57 < baz_work2> google is telling me how to use tun.ko but not what it is 11:58 < deever> baz_work2: uhm, the driver for the tun device? 
11:58 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn 11:58 < cityLights> hi all 11:58 < baz_work2> deever, oh ok, thanks deever - i guess it was an obvious question 11:58 < cityLights> I want to understand: if I choose to use tap0 11:59 < cityLights> I want to join two subnets in two different locations 12:00 < baz_work2> deever, i am doing an openvpn install on my NAS and there is separate step to install tun.ko, however in the official openvpn instructions there isn't such a step - is that because most *normal* distros already have this running? 12:00 < cityLights> so the first subnet have a gateway (nat) which also acts as a openvpn server 12:01 < cityLights> the second subnet also has a gateway which acts as a client to the openvpn 12:01 < deever> baz_work2: yes 12:01 < cityLights> must they both bridge the tap0 to their lan ethernet card? 12:01 < baz_work2> deever, awesome, I knew something! 12:01 < cityLights> if so how can the pcs in the second subnet get dhcp? 12:02 < ecrist> deever: !configs 12:02 < cityLights> can openvpn create a new subnet to solve this? 12:02 < ecrist> show my your updated configs 12:02 < cityLights> or is it all wrong 12:02 < deever> cityLights: i'd use a dhcp server on the second subnet 12:03 < cityLights> deever: right, each subnet has a dhcp server (which is also the gateway) 12:03 < cityLights> so devices connected to the lan eth get dhcp from it 12:04 < cityLights> but what happens when I bridge this lan ethernet to openvpn tap0? 12:04 < cityLights> will it relay the dhcp request to the other subnet? 12:04 < baz_work2> deever, i have a newer firmware than the article is using, how can i check if i already have tun.ko?
12:04 < ecrist> cityLights: see here 12:04 < baz_work2> cityLights, can u try using a period instead of enter for punctuation 12:05 < ecrist> !tunortap 12:05 < vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning 12:05 < vpnHelper> ecrist: against you over the vpn 12:05 < cityLights> sorry. 12:05 < baz_work2> no worries :) 12:06 < cityLights> but I do want layer 2 to have avahi. I want zero config 12:06 < deever> ecrist: http://pastebin.com/d605e8a4e 12:06 < cityLights> (good now?) can I allow avahi traffic , while filtering dhcp? 12:06 < ecrist> cityLights: for what? 12:07 < deever> ecrist: thanks for your help, btw! :) 12:07 < ecrist> deever: why route and route-gateway? 12:07 < cityLights> ecrist: for example, I want a pda on any subnet, to run bonjour and see the other members. I also want to use CUPS avahi support 12:08 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)] 12:08 < ecrist> your config seems silly 12:08 < ecrist> remove lines 3 and 4 12:08 < cityLights> me? 12:08 < deever> ecrist: Tue Dec 29 20:08:06 2009 us=740689 OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options 12:08 < ecrist> no, deever 12:09 < ecrist> deever, lines 3 and 4 12:09 < ecrist> cityLights: if you properly configure your bridges, you should be able to block dhcp requests from different segments of the network 12:10 < cityLights> iptables? 12:10 < ecrist> cityLights: read this: http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to 12:10 < vpnHelper> Title: Routing Bonjour - How to?
- dslreports.com (at www.dslreports.com) 12:10 < ecrist> !learn bonjour as http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to 12:10 < baz_work2> hey guys how can i check if i already have tun.ko? 12:10 < vpnHelper> ecrist: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 12:10 < cityLights> also: must I bridge it on BOTH sides? 12:11 < ecrist> !learn bonjour as http://www.dslreports.com/forum/r18525512-Routing-Bonjour-How-to 12:11 < vpnHelper> ecrist: Joo got it. 12:11 < ecrist> cityLights: yes 12:11 < cityLights> ok 12:12 < deever> baz_work2: lsmod? 12:12 < cityLights> thanks 12:12 < ecrist> deever: I'm trying to help you, but you're not listening 12:13 < baz_work2> deever, and then do i look for "tun.ko"? 12:13 < deever> baz_work2: with grep? 12:13 < deever> ecrist: how do you mean "not listening"? 12:13 < ecrist> baz_work2: what OS? 12:13 < ecrist> deever: did you remove lines 3 and 4 and restart? 12:14 < baz_work2> ecrist, it's some custom Synology NAS OS 12:14 < deever> ecrist: yes, no improvement 12:14 < deever> baz_work2: uname? 12:14 < baz_work2> deever, ecrist the result of uname -a: Linux DiskStation 2.6.15 #959 Fri Nov 13 02:49:27 CST 2009 armv5tejl unknown 12:15 < ecrist> does kldload run on linux? 12:15 < ecrist> try: kldload 12:15 < ecrist> give me output 12:15 < deever> baz_work2: modprobe 12:15 < deever> kldload is on bsd 12:15 < deever> ecrist: ;) 12:16 < baz_work2> deever, hehe, "modprobe: could not parse modules.dep" its a minimalist os 12:16 < ecrist> baz_work2: no luck for you, it seems. contact synology 12:16 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Excess Flood] 12:16 < ecrist> deever: let's start over.
12:16 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn 12:16 < baz_work2> lsmod gives me http://pastebin.com/mee6f18d 12:17 < deever> baz_work2: your nas probably has a static kernel, without the ability to load modules 12:17 < deever> ah 12:17 < baz_work2> deever, i can install stuff using ipkg 12:17 < baz_work2> and there are instructions to install openvpn 12:17 < ecrist> no tun for you 12:17 < reiffert> ecrist: lsmod = kldstat 12:18 < ecrist> reiffert: thanks. 12:18 < reiffert> ecrist: modprobe = kldload 12:18 < baz_work2> ecrist, ah ok, i will install it, thank you 12:18 < reiffert> ecrist: rmmod = kldunload 12:18 < deever> reiffert: you were first...;) 12:18 < reiffert> baz_work2: whats that funny piece of hardware? 12:18 < ecrist> deever: http://pastebin.com/m4f428ac8 12:19 < deever> interesting, what do the alsa drivers do on a nas? :) 12:19 < ecrist> put that as your server config, and start the server 12:19 < ecrist> copy the logs to pastebin and post them here 12:19 < reiffert> baz_work2: try "insmod" 12:19 < ecrist> don't do anything with the client yet 12:19 < reiffert> baz_work2: or is it ar7 hardware? 12:20 < baz_work2> reiffert, insmod seems to be there "Usage: insmod [OPTION]... MODULE [symbol=value]..." what options should i use 12:20 < baz_work2> reiffert, ar7? as in arm, it is arm 12:20 < ecrist> deever: http://pastebin.com/m208dfc51 12:20 < deever> ecrist: ok, thanks! wait a mmt 12:20 < ecrist> put that in your client config, start client, copy logs to pastebin, post link here 12:21 < reiffert> baz_work2: Texas Instruments AR7 Mipsel 12:21 < ecrist> copy both server and client logs after client tries connecting 12:21 < reiffert> baz_work2: what are you trying to do, load the tun/tap kernel module?
12:22 < ecrist> yes, he is 12:22 < baz_work2> reiffert, yes, for the end goal of loading openvpn - i just wanted to know if it was there or not because my firmware is much newer than the instructions i am following use 12:22 < reiffert> insmod /path/to/tun.ko 12:22 < ecrist> find / -name tun.ko 12:22 < reiffert> or whatever the name is. 12:23 < reiffert> baz_work2: what's the name/model of that synology stuff? 12:24 < baz_work2> ok not found, i will install it - thanks a lot guys - by the way this is the sickest nas ever - the web management interface is amazing - my model is the 207+: http://www.synology.com/us/products/features/index.php 12:24 < vpnHelper> Title: Synology America Corp. - NEW NAS Experience - (at www.synology.com) 12:25 < baz_work2> they don't load it with anything - not even sudo - unless you need/want it 12:25 < baz_work2> which i like 12:26 < reiffert> they've got ipkg package manager for 207/syn, dont they? 12:26 < baz_work2> some interesting features: integrates with dyndns-like services, easy setup for nfs, win/mac sharing, ftp, web server and the best of all: built-in torrent downloading management through a great web interface 12:26 < baz_work2> reiffert, they do 12:26 < reiffert> ipkg -force-depends install openvpn 12:27 < reiffert> ipkg -force-depends install kernel-module-tun 12:27 < reiffert> ipkg -force-depends install module-init-tools 12:27 < reiffert> mkdir /dev/net/ 12:27 < reiffert> mknod /dev/net/tun c 10 200 12:27 < reiffert> /opt/sbin/modprobe tun 12:27 < reiffert> Quoting from http://www.synology-forum.de/showthread.html?t=1202, last posting from feb 13th. 12:27 < reiffert> (well it's in german) 12:27 < baz_work2> reiffert, how in the world did you know that! 
12:28 < baz_work2> reiffert, oh nice, the english ones are out of date 12:28 < reiffert> baz_work2: I was hitting the 1st google result after searching for "synology 207+ openvpn tun" 12:28 < baz_work2> reiffert, you kids and your crazy tricks :) 12:29 < reiffert> welcome 12:34 -!- havoc [n=havoc@saturn.chaillet.net] has joined ##openvpn 12:34 < havoc> hola 12:34 < ecrist> hello 12:35 < havoc> I seem to have dropped off sometime before xmas 12:36 < ecrist> it happens 12:36 < havoc> yup 12:38 -!- makomi_ [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn 12:38 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Read error: 54 (Connection reset by peer)] 12:40 < baz_work2> reiffert, i am getting some fatal errors which may be a problem with the package (i am reading) but before i go further hacking different stuff, did I need to restart any services before running /op/sbin/modprobe tun? 12:51 -!- hyper_ch [n=hyper@adsl-89-217-76-109.adslplus.ch] has joined ##openvpn 12:53 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 13:17 -!- Avalloc [n=_@port-11621.pppoe.wtnet.de] has quit [Operation timed out] 13:18 -!- Artio [n=_@port-11621.pppoe.wtnet.de] has joined ##openvpn 13:25 -!- le0_ [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 54 (Connection reset by peer)] 13:27 < deever> ecrist: http://pastebin.com/d42711ea7 http://pastebin.com/d3f1ae51a http://pastebin.com/d3115ae4d 13:28 < ecrist> deever: why are you using 2.1_rc19? 13:28 < deever> ecrist: same behaviour 13:28 < deever> ah wait 13:28 < reiffert> baz_work2: dont think you have to restart all services before insmod'ing a module, wtf? 13:29 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Read error: 60 (Operation timed out)] 13:29 < deever> OpenVPN 2.1_rc19 on the ubuntu client and OpenVPN 2.1_rc11 on the debian server 13:29 < ecrist> why?
13:29 < ecrist> 2.1.1 is released 13:29 < ecrist> no long rc 13:29 < ecrist> longer* 13:30 < reiffert> ecrist: because distributors will still need quite some time to make the wonder happen. 13:30 < deever> ecrist: well, i took, what the distros ship with...;) 13:31 < ecrist> please upgrade 13:31 < reiffert> dont, please use ipsec. 13:32 < havoc> I am also using 2.1~rc11-1 on debian 13:32 < ecrist> deever: it appears you're having a problem with two clients connecting with the same certificate 13:32 < havoc> no way I'm upgrading w/ src unless there's some massive vuln 13:32 < havoc> all win32 clients are 2.1.1 though 13:32 < deever> ecrist: the freebsd ports still have openvpn-2.0.6_9, btw...;) 13:33 < havoc> haha 13:33 < ecrist> deever: sure, I'm not the port maintainer, though 13:33 < ecrist> openvpn-devel has the 2.1RCs 13:35 < ecrist> havoc: I'm not going to make you upgrade unless you want support. ;) 13:36 < havoc> you should make people run slackware too then, they may as well if they're gonna have to build everything from source ;) 13:36 < havoc> ...or at least run testing or unstable versions 13:37 < deever> ecrist: i only have one client 13:37 < havoc> apt pinning in debian would be nice if maintainers for testing and unstable would make builds against stable too 13:37 < ecrist> havoc: we cannot possibly support every RC forever. 13:38 < havoc> ecrist: yeah, a major drawback to debian :( 13:38 < ecrist> it is our channel policy to support the latest release and the latest RC 13:38 < ecrist> that is all 13:38 < havoc> ecrist: and you're not alone 13:38 < havoc> many many projects are the same 13:38 < ecrist> splendid, then we're understood.
;) 13:39 < ecrist> deever: your logs indicate another client connecting with the same certificate, which is why the connection is being dropped 13:39 < havoc> oh I understand, and even agree somewhat 13:39 < havoc> even putting apps in debian-volatile would be nice 13:40 < ecrist> we're mostly platform agnostic in here 13:40 < ecrist> it doesn't really matter to me what debian does with packaging. 13:40 < ecrist> if it's not the latest, you're SOL 13:40 < havoc> right, it's up to the package maintainers 13:41 < ecrist> deever: on http://pastebin.com/d3f1ae51a see line 314 13:43 < havoc> geez, 2.1.1 isn't even in unstable yet 13:45 < ecrist> and it's been out almost a month now, I think. 13:45 < havoc> yeah, I'd expect a 1st build in unstable by now 13:45 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn 13:45 < mithridates> hey guys 13:46 < mithridates> magic_1: are you there ? 13:46 < ecrist> havoc: I was wrong, 2.1 was released 12/11/2009 13:46 < havoc> ah 13:46 < mithridates> I'm gonna implement openvpn , I installed that but now I'm in network configuration 13:47 < havoc> ecrist: it likely won't help me anyway if it's built w/ deps for testing or unstable 13:47 < mithridates> I wanna configure it for forwarding all traffic of users,browser,voip,... 13:47 < mithridates> I think I have to use NAT 13:48 < mithridates> who does have experience in OpenVPN and NAT combination ? 13:48 < ecrist> almost everyone in here.
13:48 < havoc> there's something in the topic about it too I thought 13:48 < ecrist> lol, people don't read the topic 13:48 -!- Irssi: ##openvpn: Total of 99 nicks [0 ops, 0 halfops, 0 voices, 99 normal] 13:49 < havoc> hmm, not what I was thinking of 13:49 < havoc> I was thinking of the redirect-gateway args/opts 13:49 < havoc> the new ones for dns and dhcp 13:49 < havoc> man openvpn for redirect-gateway has it 13:50 < ecrist> !def1 13:50 < deever> ecrist: dunno why this is, i only connect with a single process to the server? :o 13:50 < vpnHelper> ecrist: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 13:50 < ecrist> !nat 13:50 < vpnHelper> ecrist: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto 13:50 < ecrist> holy cow, one more person and we have 100 people in here. 13:50 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has quit [Read error: 110 (Connection timed out)] 13:51 < deever> 2 more persons...;) 13:51 < mithridates> brb 13:51 < havoc> !bypass-dhcp 13:51 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn 13:51 < vpnHelper> havoc: Error: "bypass-dhcp" is not a valid command. 13:51 < ecrist> it would appear my stats box is offline 13:51 < havoc> !bypass-dns 13:51 < vpnHelper> havoc: Error: "bypass-dns" is not a valid command. 
13:52 < havoc> I guess it doesn't have info on those 13:52 < havoc> anyway, those are useful 13:52 < deever> ecrist: but shouldn't have any relation to my issue either, should it? 13:53 < ecrist> sure, you can't connect, according to the logs 13:53 < ecrist> you can't connect because of the conflict with the other client 13:55 < havoc> fortunately redirect-gateway can be done on the client, right? 13:55 < havoc> i.e. w/o the server pushing it? 13:56 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 13:58 -!- Irssi: ##openvpn: Total of 100 nicks [0 ops, 0 halfops, 0 voices, 100 normal] 13:58 < ecrist> 13:58 -!- Irssi: ##openvpn: Total of 100 nicks [0 ops, 0 halfops, 0 voices, 100 normal 13:58 < ecrist> congrats, le0 you are our 100th participant! 13:58 < le0> lol 13:58 < havoc> is this a lot? 13:58 < le0> do i win a car? 13:58 * ecrist pulls cord causing balloons, glitter, and dead hookers to fall from the rafters 13:59 < le0> loft hookers? 13:59 < le0> just how dead are these hookers then? 13:59 < ecrist> not dead enough. 13:59 < ecrist> ;) 14:01 < havoc> [crickets chirping] 14:03 < le0> [tumble weed blows past] 14:04 < deever> ecrist: ok, added the duplicate-cn option, but still no improvement 14:04 < ecrist> [dead hooker oozes on the floor] 14:04 < ecrist> deever: new logs from client and server, please 14:06 < deever> oh, btw: is the error significant? WARN: could not open database for 4096 bits. Skipped 14:06 < ecrist> deever: new logs from client and server, please 14:06 < ecrist> it's only a warning, so I'm guessing not 14:15 < deever> ecrist: http://pastebin.com/d16ffebde http://pastebin.com/d7419bc68 14:17 < deever> no second connection from the client, but it still doesn't work 14:17 < deever> s/from/of/ 14:20 < ecrist> are you killing the instance? 14:23 < ecrist> deever: what's it not doing?
14:30 < deever> ecrist: i can't ping anything from the server's lan, and the server itself only if i give its tap device an address 14:30 < ecrist> are you killing the vpn in those logs? 14:30 < ecrist> or is it dying for another reason? 14:31 < deever> ^C from the console 14:32 < ecrist> ok 14:33 < ecrist> what address are you trying to ping? 14:38 < deever> 192.168.168.1 f.e 14:38 < ecrist> f.e? 14:39 < deever> for example 14:39 < deever> the router in the server's lan 14:39 < ecrist> bring both machines up on the vpn, then try from the client to ping 192.168.168.128 first 14:40 -!- baz_work2 [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Remote closed the connection] 14:47 -!- foobeans [n=foobeans@mtka.claimlynx.com] has joined ##openvpn 14:48 -!- foobeans [n=foobeans@mtka.claimlynx.com] has quit [Client Quit] 14:55 -!- fkr [i=fkr@news.bytemine.net] has quit ["leaving"] 14:56 -!- baz_work [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn 14:57 < deever> ecrist: when i 'ifconfig tap0 192.168.168.128', pinging the server works, yes 14:58 -!- barefoot [n=magic@41.121.78.176] has joined ##openvpn 14:58 < deever> in the meantime, i have built a bridge with tap0 and the server's eth0 and still no improvement 14:58 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Nick collision from services.] 14:58 -!- barefoot is now known as magic_1 14:59 < deever> ecrist: so i assume the vpn server itself is the problem 15:00 -!- dextor[work] [n=dextor[w@122.182.0.38] has joined ##openvpn 15:03 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit [] 15:18 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)] 15:41 -!- dextor[work] [n=dextor[w@122.182.0.38] has quit [Read error: 54 (Connection reset by peer)] 15:45 < baz_work> is there a hardware openvpn appliance available for home use?
15:45 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)] 15:45 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 15:47 -!- mencken_ [n=ryan@66-17-33-21.biz.visl.arrival.net] has joined ##openvpn 15:50 < baz_work> what do u guys think of shadowvpn.com? 15:54 -!- dollabill [n=mike@97.66.26.10] has quit [Read error: 60 (Operation timed out)] 15:59 < openvpn2009> how is everyone doing? 16:00 < hyper_ch> openvpn2009: struggling to stay alive 16:00 < hyper_ch> having to breathe every few seconds 16:00 < hyper_ch> you can't imagine how tiring that is 16:02 < baz_work> hehe 16:06 -!- makomi_ [n=makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote closed the connection] 16:13 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 60 (Operation timed out)] 16:20 -!- anquietas [n=anquieta@infosky.ro] has joined ##openvpn 16:20 < anquietas> hello 16:20 < anquietas> I have a small routing problem 16:20 < anquietas> may I post my problem here ? 16:21 < anquietas> anyone alive here ?... 16:22 < hyper_ch> wow, 1 minute of patience... that's gotta be a new low 16:22 < anquietas> I'm sorry about that 16:22 < anquietas> but I need to solve something real quick... 16:22 < anquietas> may I post the problem ? 16:23 < hyper_ch> sure, but have a read at the topic also first :) 16:23 < anquietas> I'm not going to paste config files 16:24 < hyper_ch> use pastebin for that 16:26 < anquietas> So here it is: I have a local network at home (192.168.0.0/29) and a gateway with a public IP. At my office, I have another LAN with the same addressing (192.168.0.0/24) (/24 because it's a bigger network). At my office I have a VPN Server, to which I connected from home, and my client from home has 10.0.0.6 and the VPN Server 10.0.0.1 ... the problem is that I want to access 192.168.0.10 from THAT network... but it is being routed to my home lan because I also use that kind of addresses at home. I've tried pushing the route but it doesn't work... route conflict I suppose... what should I do ? 16:28 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit ["ChatZilla 0.9.86 [Firefox 3.5.5/20091102141836]"] 16:30 < anquietas> well ... ? 16:32 < baz_work> anquietas, doesn't each client get its own 10.*.*.* address? 16:34 < anquietas> no because I didn't connect the clients of the remote site to the VPN... I wanted to use VPN only to connect to the remote gateway, and from there on, access directly those machines by their natural IPs (192.168.0.*) 16:36 < baz_work> anquietas, i'm not sure what to do, it seems like a good google tho if you are in a bind (not being snippy, just seems like a lot of people go thru this) 16:41 < anquietas> :| 16:41 < anquietas> I didn't find anything, I suppose I must connect the remote clients to VPN 16:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn 16:55 -!- anquietas [n=anquieta@infosky.ro] has quit ["Leaving"] 17:33 -!- Imran-UK [n=Imran-UK@imranc.gotadsl.co.uk] has joined ##openvpn 17:33 -!- Artio [n=_@port-11621.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Organize your IRC"] 17:33 < Imran-UK> !interface 17:33 < vpnHelper> Imran-UK: "interface" is (#1) paste interface configuration from both client and server, while being disconnected and when beeing connected.
Be sure to also add the routing tables for both situations from client and from server, or (#2) in windows: ipconfig /all - unix: ifconfig -a , and for routing tables: netstat -rn 17:34 < Imran-UK> !route 17:34 < vpnHelper> Imran-UK: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 17:48 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn 17:53 < krzie> hey Bushmills ya here? 18:01 < krzie> i got a weird sh question for ya 18:04 < reiffert> echo advanced bash scripting guide | google 18:06 < krzie> hah that would be weird to find something like this in there 18:06 < krzie> im doing something goofy 18:08 < Bushmills> yeah 18:08 -!- baz_work [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Read error: 54 (Connection reset by peer)] 18:09 -!- r0fl [n=r0fl@unaffiliated/r0fl] has left ##openvpn [] 18:11 -!- Imran-UK [n=Imran-UK@imranc.gotadsl.co.uk] has quit ["Pablo Picasso - "Computers are useless. They can only give you answers.""] 18:16 < reiffert> :) 18:18 < ecrist> krzie: what're you trying to do? 18:18 < Bushmills> is there any time when you don't? 18:18 < ecrist> krzie: we need to get vpnHelper moved somewhere other folks can get to it 18:27 * ecrist goes to drink and play video games 18:27 < ecrist> l8r folks 18:29 < krzie> ecrist tru, ill get on that after i finish this piece of script 18:29 < krzie> Bushmills, yup i just never need to ask bout those things ;] 18:29 < krzie> ive whipped out like 3000 lines on this sucker 18:29 < krzie> # for i in $AGENTS ;do 18:29 < krzie> # ${i}today=`grep '^${i} ' $grandeday |awk '{print $2}'` 18:29 < krzie> # ${i}today=`echo "$${{i}today} * -1"|bc` 18:30 < krzie> i know why that doesnt work, just no idea how to get around it 18:30 < reiffert> ${i}today?!
18:30 < krzie> i need to access ${i}today as its own var with ${i} being arbitrary 18:30 < reiffert> what about arrays? 18:31 < krzie> cool ill read about them and see if it fits 18:31 < krzie> thanx 18:31 < reiffert> http://tldp.org/LDP/abs/html/arrays.html 18:31 < vpnHelper> Title: Arrays (at tldp.org) 18:31 < reiffert> Line[1]="I do not know which to prefer," 18:31 < reiffert> Line[2]="The beauty of inflections" 18:31 < reiffert> Line[3]="Or the beauty of innuendoes," 18:31 < reiffert> Line[4]="The blackbird whistling" 18:31 < reiffert> Line[5]="Or just after." 18:32 < reiffert> for index in 1 2 3 4 5 # Five lines. 18:32 < reiffert> do printf " %s\n" "${Line[index]}" 18:32 < reiffert> done 18:36 < krzie> ya i think that is gunna work, i didnt remember bash having arrays, thanx yet again =] 18:36 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 18:36 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has quit [Read error: 104 (Connection reset by peer)] 18:37 -!- le0 [n=itsle0@cpc1-bele5-0-0-cust948.belf.cable.ntl.com] has joined ##openvpn 18:37 < krzie> 3270 lines of bash all working together, this beast ended up way bigger than i started out thinking it would 18:38 < le0> lol 18:40 < Bushmills> it has 18:41 < Bushmills> A=(a b c) ; echo ${A[1]} 18:43 < le0> why bash? 
im told other stuff is better 18:43 < krzie> le0, comfort 18:43 < krzie> im sure a perl guy woulda had an easier time in perl 18:43 < le0> i get ya krzie 18:43 < krzie> and a python guy woulda had an easier time in python 18:43 < Bushmills> also, try: echo ${Line[*]} 18:43 < krzie> and one who knows all woulda had an easier time outside of bash ;] 18:43 < le0> i spent bout 4 weeks this yr on bash scripting to automate stuff for pentesting 18:44 < le0> i think its power is under rated 18:44 < le0> and tis enough for me to learn at the moment 18:44 < krzie> interesting bush, echo ${A[*]} 18:44 < krzie> a b c 18:44 < krzie> not what i expected, kinda cool 18:46 < reiffert> Bushmills: there is so much of all kind of special variables, he really should follow that guide. 18:46 < krzie> dont worry reif i am reading it 18:47 < krzie> after preaching it to people who come here for help ild be pretty bad to ignore the link 18:47 < reiffert> I'd play with it, actually try it out, line by line... 18:47 < havoc> python: DoIt() 18:56 < Bushmills> krzie: you might also like brace expansion 18:56 < Bushmills> for index in {1..5}; do echo $index ; done 18:57 < reiffert> you dont actually? 18:58 < Bushmills> just trying to find out what the actual question was :) 18:58 < reiffert> named variables 18:58 < reiffert> 01:29 < krzie> # for i in $AGENTS ;do 18:59 < reiffert> 01:29 < krzie> # ${i}today=`grep '^${i} ' $grandeday |awk '{print $2}'` 18:59 < reiffert> 01:29 < krzie> # ${i}today=`echo "$${{i}today} * -1"|bc` 18:59 < reiffert> 01:30 < krzie> i know why that doesnt work, just no idea how to get around it 18:59 < reiffert> 01:30 < reiffert> what about arrays? 18:59 < krzie> ya the brace expansion helped me before, you taught me that =] 18:59 < krzie> arrays will solve it 18:59 < Bushmills> ah. let .... can get around it. 
then there is indirection, and an additional way which i forgot 19:00 < reiffert> seq 19:00 < Bushmills> i think you broke it with [] 19:00 < krzie> everything i needed was explained by you array examples and reif's link i believe 19:01 < Bushmills> ah ok 19:01 < Bushmills> got it. tried to q&d array while you have actual arrays 19:01 < krzie> q&d? 19:01 < Bushmills> dick and quirty 19:02 < krzie> lol 19:02 < Bushmills> ehm 19:02 < Bushmills> Mushbillserism 19:13 < krzie> much mo better 19:13 < krzie> # for i in $AGENTS ;do 19:13 < krzie> # $i[1]=`grep '^${i} ' $grandeday |awk '{print $2}'` 19:13 < krzie> # $i[1]=`echo "${i[1]} * -1"|bc` 19:13 < krzie> easier to read too 19:15 < Bushmills> you could out he grep pattern into your awk line 19:16 < krzie> awk is super powerful 19:16 < Bushmills> awk /^${i} / {print $2} <<< $grandeday 19:16 < krzie> you're right i need to start harnessing it better 19:16 < Bushmills> something like that 19:18 < le0> sed is the daddy 19:18 < le0> =) 19:18 < Bushmills> is your expression to bc integer? 19:18 < krzie> ya both of them are great 19:18 < krzie> yes 19:18 < krzie> oh wait no 19:18 < krzie> 2 decimal float 19:19 < krzie> (usually, sometimes integer) 19:21 -!- MJD [n=quassel@CPE0015ef4fc6af-CM001bd7cbfc8c.cpe.net.cable.rogers.com] has quit [Read error: 60 (Operation timed out)] 19:24 -!- crazygir [n=jason@unaffiliated/crazygir] has quit [Remote closed the connection] 19:24 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn 19:40 -!- rbd [n=rbd@adsl-074-229-183-112.sip.rmo.bellsouth.net] has quit [] 19:47 < reiffert> it's more $arrayname[$i] than $i[1] 19:47 < reiffert> ... 
19:49 < krzie> AGENTS="Dennis Dennis-2 Richard" 19:49 < krzie> for i in $AGENTS ;do 19:49 < krzie> $i[1]=`grep '^${i} ' $grandeday |awk '{print $2}'` 19:49 < krzie> $i[1]=`echo "${i[1]} * -1"|bc` 19:49 < krzie> $i[2]=`grep '^${i} ' $grandeweek |awk '{print $2}'` 19:49 < krzie> $i[2]=`echo "${i[2]} * -1"|bc` 19:49 < krzie> echo $i ${i[1]} ${i[2]} 19:49 < krzie> done 19:49 < krzie> Dennis[1]=: command not found 19:49 < krzie> etc 19:49 < reiffert> its broken. 19:52 < reiffert> in the first run $i will be "Dennis" 19:52 < reiffert> in the 2nd run it will be Dennis-2 19:52 < reiffert> and Richard in the last cycle 19:52 < krzie> exactly 19:52 < krzie> thats what i want 19:53 < reiffert> *but* $i[1]=foo is an *assignment* which put's the string foo into the 2nd element of the array with name "Dennis" in the first run. 19:53 < krzie> this gets week and day totals for each of those 3, inverts the sign (pos to neg) and for now just echos it out 19:54 < reiffert> you notice the error message, do you? 19:54 < reiffert> 02:49 < krzie> Dennis[1]=: command not found 19:54 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 19:56 < reiffert> so what are you trying to do? 19:56 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection] 19:57 -!- tjz [n=tjz@bb121-7-11-34.singnet.com.sg] has joined ##openvpn 19:58 < krzie> on the first run i want i=Dennis i[1]=his figure for the day i[2] figure for the week, then i invert both signs 19:58 < krzie> [1] and [2] are either 2 decimal float or integer 19:59 < reiffert> allright, do you have "seq"? 20:01 < reiffert> just type "seq" into your terminal 20:01 < krzie> negative 20:03 < reiffert> dot? 20:03 < reiffert> gseq? 20:04 < krzie> nope 20:04 < krzie> but i did get most errors gone 20:05 < reiffert> Usage: seq [OPTION]... LAST 20:05 < reiffert> or: seq [OPTION]... FIRST LAST 20:05 < reiffert> or: seq [OPTION]... 
FIRST INCREMENT LAST 20:05 < reiffert> Print numbers from FIRST to LAST, in steps of INCREMENT. 20:06 < krzie> bash: seq: command not found 20:06 < krzie> bash: gseq: command not found 20:06 < krzie> bash: dot: command not found 20:06 -!- fgs [n=fgsch@87-194-38-117.bethere.co.uk] has left ##openvpn [] 20:06 < krzie> but here fixed some stuffs 20:06 < reiffert> show us.. 20:07 < krzie> AGENTS="Dennis Dennis-2 Richard" 20:07 < krzie> for i in $AGENTS ;do 20:07 < krzie> BALANCE[1]=`grep '^${i} ' $grandeday |awk '{print $2}'` 20:07 < krzie> BALANCE[1]=`echo "${BALANCE[1]} * -1"|bc` 20:07 < krzie> BALANCE[2]=`grep '^${i} ' $grandeweek |awk '{print $2}'` 20:07 < krzie> BALANCE[2]=`echo "${BALANCE[2]} * -1"|bc` 20:07 < krzie> echo $i ${BALANCE[1]} ${BALANCE[2]} 20:07 < krzie> done 20:07 < krzie> (standard_in) 1: syntax error 20:07 < krzie> (standard_in) 1: syntax error 20:07 < krzie> Dennis 20:07 < krzie> its still not assigning, but it is not erroring about it anymore 20:07 < reiffert> assigning? 20:08 < krzie> BALANCE[1] and BALANCE[2] have nothing assigned to them 20:08 < krzie> which errors at bc 20:09 < reiffert> AGENTS="foo bar baz"; for i in $AGENTS; do BAL[1]=yes; BAL[2]=no; echo $i ${BAL[1]} ${BAL[2]}; done 20:09 < reiffert> please print $gandeday for me once. 20:09 < reiffert> to see if its empty 20:11 < krzie> Denweek=`grep '^Dennis ' $grandeweek |awk '{print $2}'` 20:11 < krzie> Dentoday=`grep '^Dennis ' $grandeday |awk '{print $2}'` 20:11 < krzie> echo $Denweek $Dentoday 20:11 < krzie> -1763.87 -1763 20:13 < reiffert> ah, the single quotes ... 20:13 < reiffert> keep bash from expanding ${i} to Dennis. 20:13 < reiffert> use ""'s instead. 20:14 -!- mencken_ [n=ryan@66-17-33-21.biz.visl.arrival.net] has quit ["Ex-Chat"] 20:14 < krzie> howd i miss that! 
20:14 < krzie> thanx man 20:14 < krzie> you got it 20:17 -!- dnivra [n=arvind@59.93.41.130] has joined ##openvpn 20:17 -!- dnivra [n=arvind@59.93.41.130] has left ##openvpn ["Leaving"] 20:32 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has quit [Excess Flood] 20:32 < krzie> now changed my echo to: 20:32 < krzie> echo "${i}${BALANCE[0]}${BALANCE[1]}" >> ${htmlfile} 20:33 -!- Section58 [n=steve@ipt0-2.core.bsd.uk.phib3r.net] has joined ##openvpn 20:33 < krzie> and everything is great =] 20:33 < krzie> big thank you to both my de friends =] 20:51 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn 21:17 -!- Zordrak [n=jaz@unaffiliated/zordrak] has quit [Read error: 60 (Operation timed out)] 21:19 -!- Zordrak [n=jaz@unaffiliated/zordrak] has joined ##openvpn 21:36 -!- |ns|nR8 [n=lame@CPE-203-51-56-212.lns9.cht.bigpond.net.au] has joined ##openvpn 21:44 -!- |ns|nR8 [n=lame@CPE-203-51-56-212.lns9.cht.bigpond.net.au] has left ##openvpn ["Leaving"] 21:46 -!- krzie [n=krzee@butters.secure-computing.net] has quit ["BitchX: Tune In, Turn On, Drop Out."] 22:02 -!- LittleJ [n=linuz@82.78.185.26] has quit [Read error: 60 (Operation timed out)] 22:02 -!- LittleJ [n=linuz@82.78.185.26] has joined ##openvpn 22:15 < mithridates> hey guys 22:16 < theDoc> hello. 22:16 < mithridates> in this part of configuration < http://openvpn.net/index.php/open-source/documentation/howto.html#redirect > what does mean def1? 22:16 < vpnHelper> Title: HOWTO (at openvpn.net) 22:16 < mithridates> what does def1 mean? 22:16 < mithridates> is it like eth0 ? 22:17 < theDoc> !def1 22:17 < vpnHelper> theDoc: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand 22:18 < mithridates> how can I use def1? 
22:18 < mithridates> how can I add the def1 flag ? 22:19 < theDoc> mithridates> I'm not sure, I don't have that at the moment but it looks like it alters the metric. 22:20 < mithridates> ok 22:20 < mithridates> do I need to have TUN device? 22:20 < mithridates> I'm configuring network configuration in my vpn server 22:20 < theDoc> mithridates> Yes, tun0. tap0 if you are using routing. 22:20 < mithridates> how can I turn on them 22:20 < mithridates> do u have any instruction? 22:21 < theDoc> mithridates> What are you configuring? The server or the client? 22:21 < mithridates> server 22:21 < theDoc> mithridates> My tun0 interface is created when I launch the server instance. 22:21 < mithridates> I think it happens in debian 22:21 < mithridates> but I use centos 22:22 < mithridates> and when I installed openvpn it didn't create tun 22:22 < theDoc> mithridates> Have you spawned the server instance? 22:23 < mithridates> no 22:23 < mithridates> what's that? 22:24 < mithridates> I'm following http://openvpn.net/index.php/open-source/documentation/howto.html 22:24 < vpnHelper> Title: HOWTO (at openvpn.net) 22:24 < theDoc> mithridates> Launched the server instance. 22:24 < mithridates> yes I'm following that guide line 22:25 < mithridates> how can I lunch the server? 22:25 < theDoc> Hang on, which part of the guide are you at? 22:25 < mithridates> I've just installed openvpn and openssl 22:25 < mithridates> just it 22:25 < theDoc> mirth> Have you edited/made your CAs and all? 22:26 < mithridates> no, do I need to make that before network configuration? 22:26 < theDoc> Yes. 22:27 < theDoc> Build your CA first and all. 22:27 < mithridates> ok 22:27 < mithridates> which type is better? 22:28 < mithridates> I will have more than 150 users 22:28 < mithridates> they want to use voip by this vpn and by pass web filtering 22:28 < mithridates> which one is better? 22:28 -!- krzee [n=krzee@unaffiliated/krzee] has joined ##openvpn 22:28 < theDoc> mithridates> what do you mean? 
22:29 < theDoc> mithridates> why are you running a vpn solution when you aren't sure how it works? :P 22:29 < mithridates> I mean certificate of the other type 22:29 < mithridates> ? 22:29 < mithridates> PKI or CA ? 22:29 < mithridates> I know how it works 22:30 < mithridates> I know how VPN works 22:30 < mithridates> but I'm not very familiar with openvpn 22:30 < krzee> a CA is a ey part of PKI 22:30 < krzee> !pki 22:30 < vpnHelper> krzee: Error: "pki" is not a valid command. 22:30 < theDoc> o/ krzee. 22:30 < krzee> bleh i should make a !pki 22:30 < theDoc> !ca 22:30 < vpnHelper> theDoc: Error: "ca" is not a valid command. 22:30 < theDoc> hm. 22:31 < krzee> how bout this 22:31 < krzee> !howto 22:31 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 22:31 < krzee> its pretty clearly spelled out there ;] 22:31 < theDoc> mithridates> What you're looking for is either password or certification authentication, no? 22:31 < theDoc> krzee> Yeah, but he's confused :P 22:31 < krzee> !authpass 22:31 < vpnHelper> krzee: "authpass" is (#1) please see --auth-user-pass-verify in the manual to learn how to force clients to use passwords in addition to certs, or (#2) or to ONLY use passwords (no certs, highly NOT recommended) also use --client-cert-not-required, or (#3) and if you want the login name to be used as the common-name for things like ccd entries, use --username-as-common-name 22:31 < mithridates> please wait 22:33 < mithridates> I have more than 150 users which type is better for me to manage this service 22:33 < mithridates> ? 
22:35 < krzee> im heavily partial to certs 22:35 < krzee> however if you wanted you could impliment a likely already existing ldap auth 22:35 < theDoc> I'm heavily geared towards password due to ease of management against radius 22:35 < theDoc> That's what I run for my setup :P 22:35 < krzee> ya radius too 22:36 < krzee> i said ldap thinking a 150 person enterprise likely already has ldap 22:36 < theDoc> krzee> I don't think he's a 150 enterprise :P 22:36 < theDoc> More like, an anonymous vpn service. 22:36 < krzee> (Active directory is a form of ldap) 22:36 < krzee> ohhh 22:36 < krzee> then ill bow out, thats your territory ;] 22:36 < mithridates> yes I want to an anonymous vpn service 22:36 < theDoc> krzee> lol, <3 22:37 < theDoc> mithridates> I run anonymous vpn service. 22:37 < theDoc> and frankly, what you are doing.. :P is just bad. 22:37 < mithridates> so I have to use CA 22:38 < theDoc> mithridates> No, you need to learn the platform first. You shouldn't be running into production when you aren't even sure what openvpn does or is capable of. 22:38 < mithridates> is it user friendly ? can I make it easy for my users by bash scripting? 22:38 < theDoc> But I use a mix of certs and passwords, depending on my user. 22:38 < mithridates> ok, I agree with u, I should learn the platform first 22:39 < mithridates> please give me a document about that 22:39 < krzee> !howto 22:39 < krzee> !man 22:39 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 22:39 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 22:39 < mithridates> ok thank you guys 22:39 < theDoc> mithridates> Yep, read the howto and look into it 22:39 < mithridates> after reading this documents I'll come back 22:39 < mithridates> ok 22:39 < mithridates> thanks 22:40 < theDoc> Don't mention it. 
23:11 -!- magyar [n=magyar@76-10-176-50.dsl.teksavvy.com] has quit [Read error: 60 (Operation timed out)] 23:15 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has left ##openvpn ["Leaving"] 23:16 -!- mithridates [n=chatzill@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has quit [Remote closed the connection] 23:35 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has joined ##openvpn 23:35 < iztehsux> krzee: awake? 23:47 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has quit ["leaving"] --- Day changed Wed Dec 30 2009 00:18 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"] 00:53 < ecrist> krzee: if you want, I'll put it on my box and set thing up accordingly 01:02 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has joined ##openvpn 01:03 < iztehsux> hi, i'm having a little trouble setting up openvpn properly because i'm running into a wall with certificate verification failing. 
01:15 -!- hyper_ch [n=hyper@adsl-89-217-76-109.adslplus.ch] has quit [Remote closed the connection] 01:18 -!- kyrix [n=ashley@80-121-37-69.adsl.highway.telekom.at] has joined ##openvpn 01:25 < ecrist> iztehsux: read /topic 01:41 -!- shinefox [n=shinefox@221.224.16.90] has joined ##openvpn 01:44 -!- shinefox [n=shinefox@221.224.16.90] has left ##openvpn ["Leaving"] 01:49 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has joined ##openvpn 01:49 < DexterLB> hi 01:50 < DexterLB> !wiki 01:50 < vpnHelper> DexterLB: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN 02:10 -!- theDoc [n=hex@unaffiliated/thedoc] has quit ["Leaving"] 02:12 -!- hyper_ch [n=hyper@102-95.3-85.cust.bluewin.ch] has joined ##openvpn 02:12 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn 02:24 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn 02:35 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn 02:36 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn 02:37 < DexterLB> so, I've got a LAN. Can I set up an openvpn server on one of the linux machines and be able to connect another machine remotely so it will be reachable from any machine on the network? 02:38 < jmm> DexterLB: yes. 02:38 < DexterLB> by following this tutorial or similar? https://help.ubuntu.com/community/OpenVPN 02:38 < vpnHelper> Title: OpenVPN - Community Ubuntu Documentation (at help.ubuntu.com) 02:39 < jmm> it sound good. 02:39 < DexterLB> cool bot by the way 02:39 < jmm> !bot 02:39 < vpnHelper> jmm: "bot" is I'm a bot.. just a bot. krzee is my maintainer, and I haven't said anything, if you'd notice, the person who spoke just before me gave a !command to make me speak :P 02:39 < jmm> hehe he rocks. 
02:39 < DexterLB> yeah 02:44 < krzee> DexterLB 02:44 < krzee> !route 02:44 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 02:45 < krzee> hes about to move to his new home 02:45 < DexterLB> who? 02:45 < krzee> vpnHelper 02:45 < DexterLB> aah 02:47 < krzee> but ya read that link i just gave you 02:47 < DexterLB> ok 02:47 < krzee> if you read it good you should be able to hook as many lans together as you want, with road warriors connecting to all of them 02:51 < DexterLB> wait a second 02:52 < DexterLB> this doesn't give the remote machine a new ip address that's from my LAN, does it? 02:54 < DexterLB> so I can't connect 2 networks that use, for example, 192.168.2.1/24 02:57 < krzee> nope 02:57 < krzee> cant 02:57 < DexterLB> i don't need that 02:57 < krzee> and i suggest not using extremely common lans 02:57 < krzee> you will be able to route to them all 02:57 < krzee> you dont need to be in the same subnet 02:57 < krzee> you will have secure access to the whole lan 02:57 < DexterLB> i need a tap adapter to be created on the remote machine 02:57 < krzee> from your vpn ip 02:57 < krzee> and why is that? 02:57 < krzee> !tunortap 02:57 < vpnHelper> krzee: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. 
Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning 02:57 < vpnHelper> krzee: against you over the vpn 02:59 < DexterLB> ah ok 02:59 < DexterLB> then a tun adapter 02:59 < DexterLB> but I want the machine to keep it's IP address and add a second virtual adapter which is in my lan 03:00 < DexterLB> so if my lan with the vpn server is 10.72.0.0/24 the remote machine has an IP 192.168.1.2 and it should get a second IP 10.72.0.x and be able to use both 03:06 < krzee> well heres how it works 03:06 < krzee> you get everything your goal demands 03:06 < krzee> but it doesnt work how you expected 03:06 -!- master_of_master [i=master_o@p57B56831.dip.t-dialin.net] has joined ##openvpn 03:06 < krzee> it doesnt get 10.72.0.x cause thats for machines physically connected 03:07 < krzee> it gets a vpn subnet 03:07 < krzee> BUT 03:07 < krzee> you get 100% communication that the machine running vpn has 03:07 < krzee> or however much you desire 03:07 < DexterLB> that's ok too 03:07 < krzee> well thats how it works 03:07 < krzee> !route 03:07 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:07 < krzee> =] 03:08 < DexterLB> :D 03:08 < DexterLB> !goal 03:08 < vpnHelper> DexterLB: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc 03:08 < krzee> as i understand your goal you wish to have clinet(s) connect to the vpn server and share its lan 03:08 < DexterLB> yup 03:08 < krzee> so make sure the server lan is uncommon 03:09 < krzee> no client from that exact lan subnet can connect 03:09 < DexterLB> hmm 03:09 < 
krzee> then push a route to clients for the lan behind the server 03:09 < krzee> then add a route to the server's router 03:09 < krzee> all described in !route 03:09 < krzee> theres more described there that doesnt apply to you 03:09 < DexterLB> so 03:09 < DexterLB> here I start 03:10 < DexterLB> 1. Create a certificate authority and generate certificates 03:10 < krzee> yup, explained in the howto 03:10 < krzee> !sample 03:10 < vpnHelper> krzee: "sample" is (#1) http://www.ircpimps.org/openvpn.configs for a working sample config, or (#2) DO NOT use these configs until you understand the commands in them, read up on each first column of the configs in the manpage (see !man) 03:10 < krzee> !man 03:10 < vpnHelper> krzee: "man" is (#1) http://openvpn.net/man for 2.0 manual, or (#2) http://openvpn.net/man-beta.html for 2.1 manual, or (#3) the man pages are your friend! 03:10 < DexterLB> 2. create up and down scripts, and server.cfg 03:10 < krzee> up and down scripts for what? 03:10 < DexterLB> -.cfg+.conf 03:11 < krzee> take my sample configs 03:11 < krzee> read about every option in the manual (!man) 03:11 < krzee> know what they do 03:11 < krzee> add what i said from !route 03:11 < krzee> enjoy 03:12 < krzee> but ya first generate the keys 03:12 < krzee> !howto 03:12 < vpnHelper> krzee: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:12 < krzee> has a section on that 03:12 < krzee> you talked about nothing yet that requires an up or down script 03:12 < krzee> close that other walkthrough 03:13 < krzee> theres too many poorly made walkthroughs 03:13 < krzee> =/ 03:13 < krzee> also 03:13 < krzee> !ubtunu 03:13 < vpnHelper> krzee: Error: "ubtunu" is not a valid command. 03:13 < krzee> !ubuntu 03:13 < vpnHelper> krzee: "ubuntu" is dont use network manager! 
03:13 < DexterLB> well, ok, I read !route, now I'll follow the official howto 03:15 < DexterLB> so, first, I must change my LAN's range to 192.168.42.0/24 03:15 < DexterLB> not 192.168.1.0/24 03:15 < DexterLB> because it's too common 03:15 < DexterLB> right? 03:16 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 03:17 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:17 < DexterLB> i do want it to start with 192.168 because they don't route 03:18 -!- master_o1_master [n=master_o@p57B540E1.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)] 03:18 < krzee> right 03:18 < DexterLB> so, 192.168.42.x it is 03:18 < krzee> yup, unlikely to see that in the wild 03:19 < DexterLB> 42 the meaning of life, the universe and everything else lol 03:19 < mort_gib> DexterLB http://www.faqs.org/rfcs/rfc1918.html 03:19 < vpnHelper> Title: RFC 1918 (rfc1918) - Address Allocation for Private Internets (at www.faqs.org) 03:20 < mort_gib> mind you, some of my clients are using routable IP ranges as private addresses... Still strugling to undrstand exactly why.... 03:20 < mort_gib> ???? 03:31 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)] 03:32 < krzee> mort_gib 03:32 < krzee> !configs 03:32 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries 03:32 < krzee> mainly server config really 03:32 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has joined ##openvpn 03:32 < krzee> DexterLB: coulda typed !1918 ;] 03:33 < DexterLB> !1918 03:33 < vpnHelper> DexterLB: "1918" is (#1) http://en.wikipedia.org/wiki/Private_network or http://www.faqs.org/rfcs/rfc1918.html, or (#2) 10.0.0.0/8 | 172.16.0.0/12 | 192.168.0.0/16 03:33 < mort_gib> krzee: Huh?? 
03:34 < krzee> mort: paste your server config as !configs says 03:34 < krzee> mind you, some of my clients are using routable IP ranges as private addresses... Still strugling to undrstand exactly why.... 03:34 < krzee> if you are handing out routable ip ranges and dunno why you did something goofy in the server config 03:34 < krzee> also add all ccd entries 03:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Nick collision from services.] 03:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:35 -!- vpnHelper [i=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Client Quit] 03:35 < mort_gib> Well, I have been doing VPN links for some clients with rather lame or maybe unorganized infrastructure 03:36 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:36 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit [Remote closed the connection] 03:36 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:36 < DexterLB> do I really have to generate certificates for each new client? 03:37 < mort_gib> So I would REALLY prefer to use IP ranges reserved for private use, but sometimes that would mean reconfiguring a lot of infrastructure in the nme of a "clean VPN implementation" ... 03:37 < krzee> (this is me testing my bot) 03:37 < krzee> !route 03:37 < vpnHelper> krzee: "route" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN/Routing if you have lans behind openvpn, read it DONT SKIM IT, or (#2) READ IT DONT SKIM IT 03:37 < krzee> mort_gib ok 03:38 < krzee> DexterLB yes 03:38 < mort_gib> :-) 03:38 < krzee> there are other ways, but that is by far the best 03:38 < mort_gib> Good stuff OpenVPN!! 03:39 < krzee> !test 03:39 < vpnHelper> krzee: Error: "test" is not a valid command. 03:39 < krzee> !learn test as testing 03:39 < vpnHelper> krzee: Joo got it. 03:39 < krzee> !forget test 03:39 < vpnHelper> krzee: Joo got it. 
03:39 < krzee> cool its moved over 03:39 < DexterLB> can any user do that? 03:39 < krzee> nope 03:39 < DexterLB> only you? 03:40 < krzee> nope 03:40 < DexterLB> !howto 03:40 < vpnHelper> DexterLB: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto 03:40 < reiffert> !test 03:40 < vpnHelper> reiffert: Error: "test" is not a valid command. 03:40 < reiffert> !learn test as testing 03:40 < vpnHelper> reiffert: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 03:40 < reiffert> !whoami 03:40 < vpnHelper> reiffert: I don't recognize you. 03:40 < krzee> reiffert want me to add you? 03:41 < reiffert> krzee: what about adding the public? 03:41 < krzee> did that, people play games 03:41 < krzee> it started that way 03:41 < DexterLB> omg 03:41 < krzee> it went lockdown for a reason =] 03:42 < reiffert> possible to exclude those gamers? 03:42 < krzee> better to only add the people that are here helping anyways 03:42 < krzee> if you want me to add you lemme know 03:42 < krzee> its in erics network now btw 03:42 < DexterLB> aaaaaargh 03:42 < reiffert> come on, give it a go 03:43 < krzee> reiffert dude it used to be that way, im not unlocking it 03:43 < DexterLB> changing the network from 192.168.1.x is so difficult 03:43 < kyrix> !test 03:43 < vpnHelper> kyrix: Error: "test" is not a valid command. 03:43 < reiffert> no I mean please add me :) 03:43 < kyrix> !learn test as testing 03:43 < vpnHelper> kyrix: Error: You don't have the factoids.learn capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified. 03:43 < kyrix> ;) 03:43 < krzee> lol 03:43 < kyrix> !whoami 03:43 < vpnHelper> kyrix: I don't recognize you. 
03:43 < krzee> i misunderstood, brb 03:43 < kyrix> i wouldnt open it 03:44 < DexterLB> so many places I have to change stuff in, router, apache, ssh stuff, irc bouncers, clients 03:44 < DexterLB> that'll take a while 03:44 < reiffert> regex search n replace && reboot 03:44 < DexterLB> well yes 03:45 < DexterLB> I never really caught regex search 03:45 < DexterLB> how do I do that 03:45 < DexterLB> ? 03:45 < kyrix> DexterLB, keeping config files in version control is also a good idea 03:46 < reiffert> grep -rliE '192\.168\.1\.' / 03:48 < DexterLB> grep: warning: /home/human/root: recursive directory loop 03:48 < DexterLB> lol 03:49 < reiffert> 2>dev/null 03:49 < DexterLB> and I've got LOTS of looping symlinks 03:49 < reiffert> 2>/dev/null 03:49 < DexterLB> okok 03:50 < DexterLB> how about 'find . | xargs grep '192.168.1.' -sl'? which of the two methods is faster? 03:50 < kyrix> DexterLB, benchmark it 03:50 < krzee> heh thought you didnt know how ;] 03:50 < krzee> ild say reiffert's is faster, less handoffs 03:51 < krzee> single command vs 3 03:51 < |Mike|> morning yall 03:51 < krzee> one of which being the same command 03:51 < krzee> sup mike 03:52 < reiffert> for i in $(grep -rliE '192\.168\.1\.' /); do cat "$i" | sed -e 's,192\.168\.1,192.168.24.,g' > /tmp/tmp123; mv /tmp/tmp123 "$i"; done 03:52 < |Mike|> just arrived at work... 10:52 :P 03:52 < reiffert> |Mike|: I didnt leave bed today? 03:53 < DexterLB> oops 03:53 < DexterLB> it finds the string in binary files 03:53 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has quit ["Ctrl-C at console."] 03:53 < DexterLB> images 03:53 < DexterLB> videos 03:53 < DexterLB> omg 03:53 < |Mike|> No idea reiffert, i haven't seen you this morning :-P 03:54 < reiffert> hehe :) 03:54 < DexterLB> ah well, found most places, now I'll make the router change the range o.OI 03:54 < reiffert> time for getting some things done before next year. 
03:56 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##OpenVPN 03:57 -!- MrJK [n=jezu@194.199.166.96] has quit [Read error: 60 (Operation timed out)] 03:57 < DexterLB> omg 03:58 < DexterLB> my isp's router won't let me assign anything else except 192.168.1.x for ip range :( 04:01 < krzee> !test 04:01 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)] 04:01 < vpnHelper> krzee: "test" is testing 04:01 < krzee> !test 04:01 < vpnHelper> krzee: Error: "test" is not a valid command. 04:01 < krzee> heh cool 04:02 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has joined ##openvpn 04:02 < DexterLB> my isp's router won't let me assign anything else except 192.168.1.x for ip range :( 04:03 < krzee> i doubt that 04:03 < krzee> just gotta find where 04:04 < DexterLB> i'm looking now 04:04 < DexterLB> still there is the possibility of starting another dhcp server on my machine and stopping the one in their router 04:05 < krzee> this is tru 04:07 -!- MrJK [n=jezu@194.199.166.96] has joined ##openvpn 04:07 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)] 04:07 -!- DexterLB1 [n=angel@77-85-30-114.btc-net.bg] has joined ##openvpn 04:07 -!- DexterLB1 is now known as DexterLB 04:18 < DexterLB> but what if two clients are on the same subnet? 04:18 < krzee> are you sharing a lan behind one of them? 04:19 < DexterLB> nope 04:19 < krzee> then it doesnt matter 04:19 -!- krzie [i=nobody@unaffiliated/krzee] has joined ##openvpn 04:19 < DexterLB> two laptops in two cafes both with 192.168.1.x connect to my VPN which is 192.168.42.x 04:19 -!- krzee [n=krzee@unaffiliated/krzee] has quit ["BitchX: often imitated, never duplicated!"] 04:20 -!- krzie is now known as krzee 04:20 < krzee> you're fine 04:20 < DexterLB> and if both laptops are 192.168.1.2? 
04:20 < krzee> you're fine
04:21 < DexterLB> ok
04:22 < krzee> you can only route your subnet over arp, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
04:22 < krzee> thats why clients cant be pushed routes for lans that = their subnet
04:23 < krzee> !forget samesubnet
04:23 < vpnHelper> krzee: Error: You don't have the factoids.forget capability. If you think that you should have this capability, be sure that you are identified before trying again. The 'whoami' command can tell you if you're identified.
04:23 < krzee> !forget samesubnet
04:23 < vpnHelper> krzee: Error: 2 factoids have that key. Please specify which one to remove, or use * to designate all of them.
04:24 < krzee> !forget samesubnet *
04:24 < vpnHelper> krzee: Joo got it.
04:25 < krzee> !learn samesubnet as clients cannot be pushed routes for lans that = their subnet (clients CAN NOT CONNECT to a server lan if on the same subnet) you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
04:25 -!- DexterLB [n=angel@77-85-30-114.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)]
04:25 < vpnHelper> krzee: Joo got it.
04:26 < krzee> !forget samesubnet
04:26 < vpnHelper> krzee: Joo got it.
04:26 < krzee> !learn samesubnet as clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
04:26 < vpnHelper> krzee: Joo got it.
04:26 < krzee> there we go
04:27 < krzee> also your server needs
04:27 < krzee> !ipforward
04:27 < vpnHelper> krzee: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
04:27 < krzee> !linipforward
04:27 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
04:28 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has joined ##openvpn
04:29 < krzee> DexterLB,
04:29 < krzee> also your server needs
04:29 < krzee> !linipforward
04:29 < vpnHelper> krzee: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
04:31 < kyrix> !linipfoward
04:31 < vpnHelper> kyrix: Error: "linipfoward" is not a valid command.
04:32 < kyrix> does it learn and stay learned for all?
04:34 * DexterLB returns with IP 192.168.42.4 ;)
04:34 < DexterLB> is http://scratch-rockets.hobby-site.org up?
04:34 < vpnHelper> Title: ScratcH-RocketS Redirect :-) (at scratch-rockets.hobby-site.org)
04:35 < DexterLB> yes it is
04:35 < DexterLB> thanks bottie
04:35 < krzee> !linipfoward
04:35 < vpnHelper> krzee: Error: "linipfoward" is not a valid command.
04:36 < krzee> misspell
04:36 < krzee> forward =]
04:37 < DexterLB> reboot brb
04:37 < DexterLB> you've got a wonderful bot btw
04:37 < DexterLB> I want one at home
04:38 < krzee> heh
04:38 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has quit ["So long and thanks for all the fish!"]
04:42 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has joined ##openvpn
04:42 < DexterLB> back
04:42 < DexterLB> ip range fixed :)
04:50 < kyrix> !linipforward
04:50 < vpnHelper> kyrix: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
04:50 < kyrix> !help
04:50 < vpnHelper> kyrix: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
04:59 -!- hyper_ch [n=hyper@102-95.3-85.cust.bluewin.ch] has quit [Remote closed the connection]
05:13 -!- kyrix [n=ashley@80-121-37-69.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
05:14 -!- kyrix [n=ashley@80-121-37-69.adsl.highway.telekom.at] has joined ##openvpn
05:22 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
05:23 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has quit [Remote closed the connection]
05:28 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has joined ##openvpn
05:38 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has quit ["ChatZilla 0.9.86 [Firefox 3.5.6/20091201220228]"]
05:49 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
06:01 < cybertron> hi if i connect to my openvpn server i lose the connection after 1-2 minutes and the reconnect doesnt work it says "TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)" any idea?
06:06 < |Mike|> !tls-auth
06:06 < vpnHelper> |Mike|: "tls-auth" is The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. see !secure for how
06:06 < |Mike|> cybertron ^
06:07 < cybertron> thx
06:07 < cybertron> !secure
06:07 < vpnHelper> cybertron: "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
06:12 < cybertron> but it doesnt really help me hm
06:15 < |Mike|> your tls handshake fails right?
06:15 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)]
06:15 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has joined ##openvpn
06:16 < cybertron> mike: yes if i reconnect automatically
06:16 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has joined ##openvpn
06:19 < |Mike|> what if you wait a ~ second or 5 between the dis / connect ?
06:21 < cybertron> mike: same i think it just works again if i restart the vpnserver
06:35 < kyrix> strange
06:35 < kyrix> this is from only one client right?
06:36 < kyrix> if you disable tls from both server and client the connection works well?
06:37 < cybertron> kyrix: yes cauz only one client is in use :)
06:37 < cybertron> kyrix: wait
06:38 < kyrix> and, does the client still have full connectivity after the openvpn connection breaks? (internet=
06:41 < cybertron> kyrix: so i removed tls-remote, if i discon manually and reconnect, its works fine but if the client loses the connection and recons auto it doesnt work
06:41 < cybertron> and yes internet connect is still there after discon
06:42 < kyrix> can you still ping the vpn machine
06:42 < kyrix> can u pastebin the log without the tls
06:43 < cybertron> yes cause its the same network, i explain it short, i got an wrt router and i try to make a connection from internal network with the internet ip
06:44 < kyrix> so you are making a vpn from the internal network into the internal network?
06:45 < cybertron> yes with the external ip
06:45 < kyrix> both on the same subnet?
06:45 < cybertron> ext: 80.xxxx int: 192. connect to 80.xxx
06:46 < kyrix> yeah, but you are not connecting to 80.xxx vpnwise, you are getting an ip of 192.xxx
06:47 < kyrix> im not an expert, but it sounds messed up for me. the reconnect probably fails due to some messed up routing table
06:47 < cybertron> hm u mean it is a problem of my connection try?
06:47 < cybertron> i have atm no chance to connect from the internet to my router thats the problem hehe
06:47 < krzee> |Mike|, thats the error for connection timeout
06:47 < cybertron> i can only test internal
06:48 < krzee> im betting you are doing something to break your route
06:48 < krzee> !samesubnet
06:48 < vpnHelper> krzee: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
06:48 < cybertron> erm
06:48 < cybertron> i use an bridge mode
06:48 < cybertron> not routing mode
06:48 < krzee> or you are bridging and being reassigned an address from local dhcp server
06:48 < krzee> ahh there we goes
06:49 < krzee> try using a static lan ip instead of dhcp on the vpn server
06:49 < cybertron> the vpn server bridge is 192.168.1.100 and the ip range for vpn is 1.120 to 1.200
06:49 < cybertron> my static ip from lan is 1.23
06:49 < krzee> try using a static lan ip instead of dhcp on the vpn server
06:49 < cybertron> how?
06:49 < krzee> no openvpn related
06:49 -!- tjz [n=tjz@unaffiliated/tjz] has quit ["bbl"]
06:49 < krzee> not*
06:49 < cybertron> after connect my vpn bridge on xp gets 1.120
06:50 < krzee> on your lan interface before openvpn
06:50 < cybertron> on my router is no dhcp
06:50 < krzee> you dont use dhcp in your lan?
06:50 < cybertron> right
06:50 < krzee> you get it over the tunnel?
06:50 < cybertron> all is static
06:50 < |Mike|> krzee: hm ok
06:51 < krzee> default routing over the bridge?
06:51 < cybertron> krzee?
06:51 < krzee> are you default routing over the bridge?
06:51 < cybertron> hm yes think so
06:51 < krzee> redirect-gateway?
06:52 < cybertron> push "dhcp-option DNS 192.168.1.100" <--that is on my server
06:52 < krzee> redirect-gateway?
06:52 < cybertron> cauz 1.100 is my router
06:52 < krzee> !configs
06:52 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:52 < krzee> !goal
06:52 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:54 < cybertron> i set redirect now
06:55 < krzee> no
06:55 < krzee> dont
06:55 < krzee> i was asking
06:55 < cybertron> ok :)
06:55 < krzee> !configs
06:55 < cybertron> so dont have it before hehe
06:55 < vpnHelper> krzee: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
06:55 < krzee> !goal
06:55 < vpnHelper> krzee: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
06:56 < cybertron> mom
06:57 < cybertron> http://nopaste.info/a858434e82.html client
06:58 < cybertron> http://nopaste.info/f3cfbedcac.html server config
06:59 < cybertron> i got an dd-wrt router with openvpn, i will connect from outside my lan to the router, then I will also connect to windows shares
06:59 < cybertron> so I try it with bridge vpn
07:10 < cybertron> i understand what i want?
07:11 < ecrist> good morning
07:12 < cybertron> hi
07:12 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has joined ##openvpn
07:13 -!- kyrix [n=ashley@80-121-37-69.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
07:14 -!- kyrix [n=ashley@80-121-55-25.adsl.highway.telekom.at] has joined ##openvpn
07:15 < |Mike|> morning ecrist
07:16 < cybertron> wb
07:21 -!- henry-nicolas [i=d940f005@gateway/web/freenode/x-lccyhxofhcepwoix] has joined ##openvpn
07:22 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Read error: 60 (Operation timed out)]
07:22 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has quit [Read error: 104 (Connection reset by peer)]
07:24 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has joined ##openvpn
07:24 < henry-nicolas> Hi *, I've got a redundant firewall system (debian Lenny) with Keepalived and 2 openvpn on both firewall. While the VIP change from a fw to another, it really take some times for OpenVPN to accept new connections on the vip. Do you have any idea about how to do some kind of reload for openvpn to reinit the interface it is listening on ?
07:25 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has joined ##openvpn
07:33 < DexterLB> !howto
07:33 < vpnHelper> DexterLB: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
07:40 < ecrist> henry-nicolas: it should accept them immediately if openvpn is running and listening to all the ips
07:45 < henry-nicolas> ecrist: openvpn is listening on all interfaces but the vip isn't present on the backup server while openvpn is starting so I don't know, when the backup will become master, what openvpn will do with the new fresh vip
07:45 < ecrist> what ip do you have openvpn listening to?
07:46 < DexterLB> right, I generated all certificates and keys
07:46 < DexterLB> now to configure
07:48 < henry-nicolas> ecrist: It's listening to * (every ip addr), but how will openvpn react if a new ip appear ?
07:48 < henry-nicolas> ecrist: in case of switch, it may take a long time before my client can reconnect and I'm trying to figure out why
07:49 < henry-nicolas> ecrist: as all the traffic outside the vpn is going fine, I guess the problem is coming from the openvpn server (which run each 3 vpn instance on separated ports for different purpose)
07:51 < ecrist> henry-nicolas: I would suggest putting openvpn on a machine behind the firewall, not on it
07:52 < ecrist> that is what I do.
07:52 < ecrist> we have a similar setup with freebsd+pf+carp
07:52 < henry-nicolas> ecrist: the great thing about that is that the openvpn was redundant
07:53 < ecrist> if it's slow and unstable, it's not that great
07:53 < henry-nicolas> if I lost my vpn, I lost the management
07:53 < henry-nicolas> it's only slow in case of rollover between the firewall, otherwise it's running perfectly
07:53 < ecrist> I can't tell you how to admin your network, but I maintain at least one system with ssh access from outside and only have a single vpn instance
07:54 < ecrist> I have never, in over three years at my current job, had an openvpn failure
07:54 < ecrist> but we've had firewall failures, and when it rolls over to the secondary, my openvpn works flawlessly. clients don't even need to reconnect
07:54 < henry-nicolas> ecrist: ok, that might also be an interesting solution
07:55 < henry-nicolas> I'm going to investigate to see what's the easier
07:56 < henry-nicolas> because openvpn is almost working perfectly right now
08:04 * |Mike| hammers himself, lack of bash skillz
08:08 < reiffert> |Mike|: krzee calls himself bash-manic now..
08:08 < reiffert> |Mike|: and he definitely needs some practising
08:15 < ecrist> sweet, krzee moved vpnHelper
08:15 < ecrist> what was he trying to do with bash?
08:16 < havoc> something he should have done in perl? ;)
08:17 -!- makomi [n=makomi@port-87-234-124-111.dynamic.qsc.de] has left ##openvpn ["It´s time to say goodbye"]
08:31 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
08:35 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
08:54 -!- mort_gib [n=mjensen@16.Red-83-36-63.staticIP.rima-tde.net] has quit ["Leaving"]
08:57 < DexterLB> where do I get the windoze client from?
08:58 < DexterLB> here? http://openvpn.se/download.html
08:58 < vpnHelper> Title: OpenVPN GUI for Windows (at openvpn.se)
09:01 < ecrist> no
09:01 < ecrist> it's included now.
09:01 < ecrist> !download
09:01 < vpnHelper> ecrist: "download" is www.openvpn.net/download to download openvpn
09:04 < DexterLB> and I download it for virtual appliance-vhd?
09:05 < DexterLB> no that's for access server
09:09 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
09:10 -!- Holistah [n=holister@c-71-230-216-184.hsd1.nj.comcast.net] has joined ##openvpn
09:12 < Holistah> I want to do something like http://openvpn.se/files/howto/openvpn-howto_roll_your_own_installation_package.html but with http://www.openvpn.net/release/openvpn-2.1.1.exe ... is that possible?
09:12 < vpnHelper> Title: HowTo Roll Your Own OpenVPN Windows Installation Package (at openvpn.se)
09:14 < ecrist> Holistah: no
09:15 < Holistah> why not?
09:15 < ecrist> you can use something like NSIS to roll a wrapper though
09:15 < Holistah> I know nothing about NSIS....actually, I know nothing about windows...I've avoided it like the plague since 1992...but...
09:16 < ecrist> basically, build a wrapper installer with your custom files
09:16 < Holistah> unfortunately the execs are windows lusers...of course... and executing an EXE is hard enough for them, let alone copying 3 files into a specific directory afterwards...
09:17 < ecrist> which is why you build a wrapper
09:17 < Holistah> How do I get NSIS to run the other installer?
09:17 < ecrist> tell it to
09:17 < ecrist> it's scriptable
09:18 < ecrist> so, you tell it to run the openvpn installer, then tell it to copy the certificates
09:18 < ecrist> that's what I'm going to do for my windows users
09:18 < ecrist> http://nsis.sourceforge.net/Main_Page
09:19 < vpnHelper> Title: NSIS Wiki (at nsis.sourceforge.net)
09:19 < Holistah> ok. Thanks
09:27 -!- dollabill [n=mike@97.66.26.10] has joined ##openvpn
09:32 -!- LowKey [i=rhel@unaffiliated/lowkey] has quit [Client Quit]
09:33 -!- LowKey [i=rhel@unaffiliated/lowkey] has joined ##openvpn
09:51 -!- kyrix [n=ashley@80-121-55-25.adsl.highway.telekom.at] has quit [Read error: 110 (Connection timed out)]
10:09 -!- polaru [n=polaru@93.113.192.70] has quit [Read error: 104 (Connection reset by peer)]
10:09 < Holistah> ecrist: is there a way to tell if they changed the installation directory for openvpn in the included installer?
10:09 < ecrist> not sure.
10:10 < ecrist> I think you could possibly try compiling your own installer, as well
10:11 < Holistah> I'll just hardcode it...I'm having a hard enough time as it is...
10:26 -!- hyper_ch [n=hyper@adsl-89-217-76-109.adslplus.ch] has joined ##openvpn
10:30 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
10:38 -!- baz_work [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn
10:55 -!- scyld [n=krajcong@unaffiliated/wasyl] has left ##openvpn []
10:59 -!- Kasx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
11:01 -!- Kas [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has quit [Read error: 110 (Connection timed out)]
11:03 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
11:07 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
11:25 -!- lolol [i=416197a6@gateway/web/freenode/x-rwlfbjjlqautshma] has joined ##openvpn
11:26 < DexterLB> hmm now I can't connect, I get a certificate verification error: self-signed certificate
11:27 < iztehsux> i have that exact same problem...
11:28 < DexterLB> how do I fix it? lol
11:28 < DexterLB> !help
11:28 < vpnHelper> DexterLB: (help [] []) -- This command gives a useful description of what does. is only necessary if the command is in more than one plugin.
11:29 < DexterLB> !cert
11:29 < vpnHelper> DexterLB: Error: "cert" is not a valid command.
11:29 < DexterLB> !list
11:29 < vpnHelper> DexterLB: Admin, Channel, Config, Factoids, Google, Misc, Owner, Seen, Services, User, and Web
11:29 < DexterLB> hmm
11:29 < DexterLB> how do I list all bot stuff
11:29 < Kasx> Hey all, this is Andrew from OpenVPN Technologies. Our web developer changed our download links in error and is in the process of fixing it. We are sorry for any confusion or inconvenience this has caused. Thanks!
11:30 < DexterLB> yes it caused confusion
11:30 < havoc> Kasx: noted, thanks :)
11:30 < DexterLB> but we are humans, right? :P
11:31 -!- lolol [i=416197a6@gateway/web/freenode/x-rwlfbjjlqautshma] has quit ["Page closed"]
11:31 < DexterLB> the problem now is the self-signed certificate error :S
11:32 < iztehsux> yeah i've tried almost everything i can think of around that problem
11:33 < DexterLB> i tried regenerating certificates, etc
11:33 < DexterLB> nothing helps
11:33 < iztehsux> yeah...
11:33 < iztehsux> i even reinstalled openssl and fail
11:34 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
11:38 < Hetman> Hi , first sorry for my english (is really poor) second i`ve got question : Can i bind VPN connection to a specific port on my local linux ? As like Socks proxy on SSH ? I dont want to get all my traffic through VPN , just few problem - so i combine how to run VPN to specific port and then in browser specify proxy server to localhost and vpn port. Can i do that somehow ? I`ve can do openVPN connection ant pptp tunnel
11:39 -!- GoDanl [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
11:40 -!- Qwizie [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has joined ##openvpn
11:42 < Section58> --lport will set a local port mate
11:42 < Section58> I`ve can do openVPN connection ant pptp tunnel <-- whats that mate ?
11:43 < Hetman> i`m now using config file and run vpn by openvpn --config my.conf , should i change something in this config also ?
11:43 < Section58> you can bind ovpn to a port.. then use other software to manipulate the connection
11:44 < Hetman> so everything should work when i type : openvpn --config my.conf --lport 8080
11:45 < Section58> no
11:45 < Section58> it doesn't matter what port you bind ovpn too
11:46 < Section58> you need something in the middle, that can pick up that connection, and forward it to other ports
11:46 < Section58> On Linux, you would use iptables
11:46 < Section58> for example
11:46 < Hetman> hmmm ok i`m understand that
11:47 < Hetman> so what should i change in my vpn.conf to only establish VPN connection , no redirect all traffic to VPN interface
11:47 < Section58> setting ovpn to the local port of 8080 would stop anything else trying to run on that port, ie, your proxy
11:48 < Section58> What OS are you on Hetman ?
11:48 < Hetman> ArchLinux
11:48 < Section58> nice :D
11:48 < Hetman> i can show my vpn.conf if you want ;]
11:48 < Hetman> Thx ;] good OS
11:48 < Section58> You want to redirect all traffic ..
11:48 < Section58> or you don't want to redirect all traffic ?
11:49 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
11:49 < Hetman> I just want to run VPN connection (create interface) but not to assign all traffic to this connection
11:49 < Hetman> just open
11:49 < Section58> ovpn is basically just the connection. the conf is very limited for routing options
11:49 < Hetman> then i add rule to iptables to redirect all traffic on localhost port to this interface
11:50 < Section58> just run it. And use something else, like shorewall (#shorewall) to manipulate traffic shaping
11:50 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:50 < Section58> or ip tables ... if you know iptables
11:50 < Hetman> when i run it , openvpn by default send all my traffic by VPN
11:50 < Hetman> i want to disable it
11:50 < Section58> thats your default route on your main machine
11:51 < Section58> I don't know ArchLinux
11:51 < Section58> But in debian
11:51 < Section58> ip route show main
11:51 < Section58> should show you your default route
11:51 < Hetman> i found a solution
11:51 < Hetman> just add to vpn.conf : nodefaultroute
11:51 < Hetman> i try this ;] give me a moment
11:51 < Section58> I think your openvpn is changing the gateway
11:51 < Section58> ok, cool
11:52 -!- iztehsux [n=iztehsux@c-98-232-178-64.hsd1.or.comcast.net] has quit ["Leaving"]
11:53 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 113 (No route to host)]
11:54 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
11:55 -!- mikkel [n=mikkel@84-238-113-66.u.parknet.dk] has quit ["Leaving"]
11:57 -!- dextor[work] [n=dextor[w@122.182.0.38] has joined ##openvpn
12:02 < Hetman> ok i run VPN, now reading man route
12:04 -!- plundra [i=404@article.se] has quit [SendQ exceeded]
12:09 < Hetman> doesn't work
12:09 < Hetman> ehh
12:19 < DexterLB> iztehsux: any luck?
12:19 < DexterLB> o gone
12:19 < DexterLB> :(
12:21 < DexterLB> o this error is killing me
12:21 < DexterLB> I'll continue tomorrow
12:27 -!- DexterLB [n=angel@95-42-23-216.btc-net.bg] has quit ["So long and thanks for all the fish!"]
12:29 < baz_work> to connect a ubuntu client to an openvpn server I have to install the full openvpn package on the client right?
12:37 < ecrist> yep
12:43 < baz_work> thank u
13:05 -!- spiekey [n=mario@projekte.imos.net] has joined ##openvpn
13:05 < spiekey> Hello!
13:05 < baz_work> hey
13:08 < spiekey> i have problems revoking a crt...
13:08 < spiekey> here is some info: http://pastebin.com/d16417120
13:08 < spiekey> i cant add the user/cert "test2 because it already exists in the ssl db i think.
13:09 < spiekey> so i am trying to revoke it...but that fails, too
13:13 < ecrist> spiekey: it doesn't look like it exists
13:13 < ecrist> in the db, I mean
13:14 < ecrist> !verify
13:14 < vpnHelper> ecrist: Error: "verify" is not a valid command.
13:14 < ecrist> !factoids search verify
13:14 < vpnHelper> ecrist: 'tls-verify' and 'certverify'
13:14 < ecrist> !certverify
13:14 < vpnHelper> ecrist: "certverify" is verify your certs are signed correctly by running `openssl verify -CAfile ` for client.crt and server.crt
13:14 < spiekey> erm...the file /usr/local/vpn-admin/apache2/htdocs/vpn-admin/Client_Dir/test.crt seems to be empty!
13:15 < ecrist> which means the certificate wasn't built
13:16 < spiekey> ah, got it...
13:16 < spiekey> ...Revoking Certificate 0D.
13:16 < spiekey> Data Base Updated
13:16 < spiekey> that looks good
13:32 < baz_work> once openvpn is setup and the clients are connected, how often do they interact with server? Do they authenticate or double check things on every request?
13:32 < ecrist> every packet is essentially authenticated through encryption
13:41 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.16/2009120208]"]
13:42 < baz_work> ecrist, so for arguments sake, if the server has a throughput of 10mb/s and 5 clients also have a throughput of 10mb/s and they are all downloading at max speed from the internet, does that mean they will only be able to get 2mb/s on avg each?
13:42 < ecrist> yep
13:42 < ecrist> how would they get more?
13:43 < baz_work> i dont know, perhaps that only the packet header have to go through the server but the full packet itself doesn't - but i dont know what i'm talking about really
13:43 < ecrist> no, the whole packet goes through the server
13:44 < baz_work> if i am connecting 2 networks, each with their own internet connection of course, is there a way to balance the load between them
13:45 < ecrist> not easily, no
13:47 < baz_work> to be sure, if network A contains the server, and network B is vpn'ed into network A, and a client on network B starts downloading a file from the internet.... does that file first download through A's internet connection, then A uploads that file to B through their connections, then down to the specific pc through B's lan?
13:55 < baz_work> basically, if a computer on Network B needs a file from the net, it actually comes from the internet connection on Network A where the vpn server is located - right?
13:59 < baz_work> and following, if the net connections on both networks are cable modem with an upload speed 10x less than the download speed, that means a pc on network B has 10x less download speed than a pc of network A - right?
14:02 -!- cpm [n=Chip@pdpc/supporter/active/cpm] has quit []
14:18 -!- rajin [n=_@port-92223.pppoe.wtnet.de] has joined ##openvpn
14:22 < krzee> [10:04] * |Mike| hammers himself, lack of bash skillz
14:22 < krzee> [10:08] |Mike|: krzee calls himself bash-manic now..
14:22 < krzee> [10:08] |Mike|: and he definitly needs some practising
14:22 < krzee> [10:15] sweet, krzee moved vpnHelper
14:22 < krzee> [10:15] what was he trying to do with bash?
14:22 < krzee> finishing touches on a web interface for a 3200 line suite
14:23 < ecrist> ah
14:24 < krzee> so ya vpnHelper is moved and i added reif to it
14:24 < krzee> not to the box, to the bot
14:30 < baz_work> i still need tun.ko if i am setting up a client right?
14:31 < ecrist> baz_work: yes
14:31 < baz_work> thanks
14:34 < baz_work> how do i know if i want a stand alone server rather than xinetd (whatever that is)
14:42 < ecrist> you want a stand-alone server
14:42 < baz_work> the best answer i could ask for!
14:53 < baz_work> my lan is based on 192.168.0.0 and I would like my vpn network to be 10.10.0.0 - these are "OpenVPN Server Network" and "OpenVPN Virtual Subnet" respectively - what is "OpenVPN Client Network"?
14:58 -!- spiekey [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
15:02 < baz_work> if the local and remote network are both 192.168.0.0 connected with a 10.10.0.0 vpn - will there still be conflicts if I ** push "route 192.168.0.0 255.255.255.0" ** and ** route 192.168.0.0 255.255.255.0 **
15:07 < ecrist> could be
15:08 < ecrist> if a client that's connecting has the 192.168.0/24 network at their current location
15:10 -!- krzie [n=krzee@unaffiliated/krzee] has joined ##openvpn
15:21 < baz_work> i remember using an interactive command line tool to create certs but i cant remember what it is - it basically asked you the general questions (Country, City, Name, etc.) then generated it for you - anyone know?
15:21 < krzie> !ssl-admin
15:21 < vpnHelper> krzie: "ssl-admin" is (#1) http://www.secure-computing.net/wiki/index.php/OpenVPN_Server, or (#2) svn co https://www.secure-computing.net/svn/trunk/ to grab it from svn, or (#3) if you use freebsd, it is in ports
15:21 -!- Zordrak_ [n=jaz@unaffiliated/zordrak] has joined ##openvpn
15:36 -!- Zordrak [n=jaz@unaffiliated/zordrak] has quit [Read error: 110 (Connection timed out)]
15:53 -!- magic_1 [n=magic@unaffiliated/magic1/x-836121] has quit [Read error: 54 (Connection reset by peer)]
15:54 -!- magic_1 [n=magic@41.121.14.23] has joined ##openvpn
15:58 -!- dextor[work] [n=dextor[w@122.182.0.38] has quit [Read error: 54 (Connection reset by peer)]
16:00 -!- Muty [n=amir@unaffiliated/muty] has quit ["leaving"]
16:05 -!- Ziber [i=Liber@liber-ipv6.net] has joined ##openvpn
16:06 < Ziber> Why when I do push "dhcp-option DNS 10.x.x.x", my client (which has both ipv4 and ipv6 capabilities) starts preferring ipv4 over ipv6?
16:08 -!- dollabill [n=mike@97.66.26.10] has quit [No route to host]
16:12 < krzie> tell me its not really 10.x.x.x
16:23 < ecrist> krzie: his 1918 address space is uber secret
16:23 < ecrist> shhh
16:27 < krzie> lol
16:28 < havoc> FYI, you shouldn't use your SSN for rfc1918 addrs ;)
16:28 < krzie> ziber im guessing your super secret squirrel nameserver isnt answering with ipv6 addresses
16:29 < havoc> I've been using the last 4 digits in half for peoples' address space
16:30 < havoc> like when I setup their routers at home
16:30 < havoc> I use 10.d4d5.d6d7.0
16:32 < krzie> pls set the last octet to the pin on the back of your cc as well
16:32 < krzie> then post your logs
16:32 < krzie> ;]
16:32 < havoc> heheh
16:50 < ecrist> jira is proving to be a pita to proxy
16:57 -!- baz_work [n=baz_work@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Remote closed the connection]
17:59 -!- rajin [n=_@port-92223.pppoe.wtnet.de] has quit [" HydraIRC -> http://www.hydrairc.com <- Organize your IRC"]
18:16 < ecrist> krzie: I'm going to put some time into ssl-admin again, I think
18:17 < ecrist> was thinking about getting some of the usability stuff we wanted built in, and using perl ssl module instead of command line
18:17 < krzie> should prolly support the newer supported TLS standard way of signing server certs as well
18:18 < ecrist> do you know C?
18:18 < ecrist> or C++
18:18 < krzie> like when you choose S have it ask if it needs to support older clients
18:18 < krzie> nope =/
18:18 < ecrist> was thinking this might be a good first-go at learning C
18:18 < krzie> would be if i wasnt so busy
18:19 < krzie> speaking of which i better shop around for some tickets to costa rica
18:19 < krzie> have to go there and check out some things
18:30 -!- optiz0r [n=optiz0r@95.154.254.65] has quit [Read error: 110 (Connection timed out)]
18:31 -!- optiz0r [n=optiz0r@miranda.sihnon.net] has joined ##openvpn
18:37 -!- plundra [i=404@article.se] has joined ##openvpn
19:10 * ecrist has JIRA install setup for issue tracking now.
19:28 -!- freaky[t]_ [i=alpha@member.team-box.net] has quit [Read error: 60 (Operation timed out)]
19:29 -!- freaky[t] [i=alpha@member.team-box.net] has joined ##openvpn
19:53 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
20:04 -!- theDoc [n=hex@unaffiliated/thedoc] has joined ##openvpn
20:04 < theDoc> o/
20:10 -!- baz [n=baz@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn
20:11 < baz> when u install openvpn thru apt-get it seems that it expects it to be a server, how can I make sure it plays a client role?
20:12 < theDoc> openvpn /path/to/client/file
20:13 < baz> theDoc, do you know when/where that command gets called at boot? (ubuntu)
20:13 < theDoc> baz> Sorry man, not a clue.
20:14 < theDoc> I suspect it's probably something like, just run open[tab]
20:14 < ecrist> baz: openvpn doesn't 'try' to be a client or server
20:14 < ecrist> it does what the config says to do
20:14 < baz> theDoc, a guess parts :) where would it be in your distro
20:14 < baz> parts = perhaps
20:15 < theDoc> baz> i run a mac :)
20:15 < krzie> baz, client and server only depends on your config file
20:15 < theDoc> krzee> I believe he's trying to find where the binary for the openvpn package resides in
20:15 < theDoc> baz> Probably /usr/local/sbin or something
20:15 < theDoc> I'm not sure on the specifics.
20:15 < krzie> i believe he wants to know where the config is
20:15 < ecrist> which openvpn
20:15 < ecrist> ^^^ literal command
20:16 < theDoc> krzee> I'm quite sure you can put the config file anywhere :P
20:16 < baz> ecrist, ummm, the one that comes from apt-get :)
20:16 < theDoc> You just run it with openvpn /path/to/config/no? :P
20:16 < baz> thing is i dont run it - ubuntu runs it
20:16 < ecrist> baz, 'which' is a command
20:17 < theDoc> baz> apt-get is a package manager
20:17 < baz> i will dig around, this is one of the annoyances of linux - files are all over the place
20:17 < ecrist> dude, I'm telling you
20:17 < Bushmills> i suppose he looks for the init scripts in /etc/init.d
20:17 < baz> oh which is a command, ok running it!
20:17 < theDoc> it's a lot better now, it was rpm nightmare in rh 6.0
20:17 < ecrist> type this at the command line: which openvpn
20:17 < baz> /usr/sbin/openvpn
20:18 < baz> ok in init.d there is openvpn with lots of if statements and such - probably in there eh
20:19 < theDoc> That's the init scripts, you don't usually touch those.
20:19 < theDoc> baz> What -exactly- are you looking for?
20:19 < baz> oh
20:19 < baz> i am looking for a way to specify a client file
20:20 < theDoc> baz> Do you have a client file along with all necessary certificates?
20:20 < baz> i initially set it up as a server with my server.conf in /etc/openvpn - but now i want this computer to be a client to another server
20:20 < Bushmills> /etc/defaults/openvpn
20:20 < baz> theDoc, yes, i am ready with all the client files and certs et al
20:21 < theDoc> baz> run the following; openvpn /path/to/client/config
20:21 < theDoc> You might have to throw in some parameters, I'm guessing.
20:21 < theDoc> baz> But it's somewhere along those lines.
20:22 < krzie> krzee> I'm quite sure you can put the config file anywhere :P
20:22 < krzie> you can but he asked about at boot time
20:22 < Bushmills> "# This is the configuration file for /etc/init.d/openvpn"
20:22 < theDoc> krzee> ahh, ok
20:22 < krzie> the distro will have a specific place for configs to be to start on boot
20:23 < Bushmills> "# Optional arguments to openvpn's command line"
20:23 < krzie> or you can leave the commandline alone and edit the config in the location the distro keeps it
20:23 < krzie> some distros start *.conf in some dir
20:26 < baz> in ubuntu there is a nice network manager and plugin specific for openvpn, but i remember vaguely last week someone perhaps mentioning not to use that because it doesn't work - is that true?
20:27 < theDoc> I have had -some- form of success with gnome-network-manager and openvpn
20:27 < theDoc> However, it was flaky at best.
20:29 < krzie> !ubuntu
20:29 < vpnHelper> krzie: "ubuntu" is dont use network manager!
20:29 < baz> hehe
20:29 < krzie> plus it has its own style of config file
20:30 < krzie> if it used a standard config it would be usable
20:35 -!- baz [n=baz@c-67-183-155-189.hsd1.wa.comcast.net] has quit [Remote closed the connection]
20:38 -!- baz [n=baz@c-67-183-155-189.hsd1.wa.comcast.net] has joined ##openvpn
20:39 < baz> i hate my personality, why can't i just give up!
20:51 < krzie> dont worry about the distro specific stuff yet
20:51 < krzie> just get a working config up manually
20:51 < krzie> when you're done make the system start that config on boot and you're done
20:51 < theDoc> Anyone knows of a similar product like orion snmp for linux?
20:57 < ecrist> theDoc: what are you trying to monitor?
20:58 < theDoc> ecrist> couple of servers, routers
20:58 < ecrist> I figured that, but what sort of data?
20:58 < theDoc> b/w and system failures if it happens
20:58 < ecrist> I use nagios + PNP add-on
20:58 < theDoc> load/latency/b/w in+out
20:58 < theDoc> php?
20:59 < theDoc> pnp?
20:59 < ecrist> for b/w, I'm of the opinion cacti cannot be beat
20:59 < ecrist> theDoc: PNP is a graphing addon for nagios
20:59 < ecrist> it uses performance data output from nagios checks to build graphs using rrdtool
21:00 < ecrist> I use that for things like disk space, load, temperature, ping times, etc
21:00 < ecrist> I use cacti for bandwidth
21:01 < ecrist> pnp4nagios.org
21:01 < ecrist> I think that's their site
21:02 < theDoc> ah, thanks.
21:02 < ecrist> np
21:10 -!- joshua__ [n=joshua@ip68-100-213-73.dc.dc.cox.net] has joined ##openvpn
21:11 < joshua__> hey all, I was trying to get some help getting openvpn working....I followed these instructions but openvpn will not start, http://fedoraproject.org/wiki/Openvpn
21:11 < vpnHelper> Title: Openvpn - FedoraProject (at fedoraproject.org)
21:12 < ecrist> check out /topic
21:13 < joshua__> so no support for server?
21:14 < ecrist> access server, openvpn commercial product
21:14 < joshua__> ok awesome
21:14 < ecrist> read the rest of the topic
21:14 < joshua__> this is the open source one i hope :) i did a yum install
21:14 < ecrist> yeah
21:15 < joshua__> i have logs :) ok so i am crazy, what part of the topic you referring to?
21:15 < ecrist> We need !goal !logs and !configs and maybe !interface to help you.
21:15 < joshua__> !goal
21:15 < vpnHelper> joshua__: "goal" is Please clearly state your goal for your vpn: example, I would like to access the lan behind the server , I would like to access the internet over my vpn , I just want a secure connection between 2 computers , etc
21:15 < joshua__> ok I can do that
21:17 < joshua__> goal: vpn server so 10ish people can use a client to login to the network as VMware will not allow ssh tunneling. logs: which ones?, Configs: I will pastebin my server.conf
21:17 < ecrist> !logs
21:17 < vpnHelper> ecrist: "logs" is (#1) is please pastebin your logfiles from both client and server with verb set to 6, or (#2) In Tunnelblick, right-click and select copy to copy log text to clipboard.
21:17 < ecrist> !configs
21:17 < vpnHelper> ecrist: "configs" is (#1) please pastebin your client and server configs (with comments removed, you can use `grep -vE '^#|^;|^$' server.conf`), also include which OS and version of openvpn., or (#2) dont forget to include any ccd entries
21:18 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has joined ##openvpn
21:22 < joshua__> http://pastebin.com/d42566d23
21:23 < joshua__> configs for server above
21:23 < joshua__> which logs?
21:24 < joshua__> !wiki
21:24 < vpnHelper> joshua__: "wiki" is http://www.secure-computing.net/wiki/index.php/OpenVPN
21:26 < joshua__> !howto
21:26 < vpnHelper> joshua__: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
21:28 < joshua__> Can you install the server version on openvpn.net and use an open client?
21:28 < joshua__> instead of just 2 clients
21:48 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
21:50 -!- Janick [n=Janick@adsl-89-217-133-86.adslplus.ch] has joined ##openvpn
21:50 < Janick> hi
21:51 < joshua__> hello
21:51 < Janick> do you speak German?
21:51 < joshua__> nope sorry English, No speaking Dutch for me
21:51 < Janick> k np
21:51 < Janick> i've a question about VPN...
21:52 < Janick> have i to build VPN on a firewall..or can i also build a VPN on another server? (..yes my english is awful)
21:54 < joshua__> you should be able to put it right on a firewall server, I am not the most experienced though, I am having issues myself
21:54 < baz> in terms of bottlenecks, how important is the cpu? I am considering making my router or NAS the server, but could easily let my powerful desktop do the work
21:55 < Janick> ok THX joshua__
21:56 < Janick> why is it bad to build VPN not on the firewall?
21:57 < baz> Janick, I'm faaaaaaaar from an expert but I'm pretty sure you don't need to have your vpn on the same server as your firewall
21:57 < Janick> hmm k, THX baz
21:58 -!- theDoc [n=hex@unaffiliated/thedoc] has quit [Read error: 110 (Connection timed out)]
22:55 -!- dmarkey_ [n=dmarkey@dmarkey.xen.prgmr.com] has quit [Read error: 113 (No route to host)]
23:45 -!- athena [n=john@c-76-108-239-149.hsd1.fl.comcast.net] has joined ##openvpn
--- Day changed Thu Dec 31 2009
00:08 -!- athena [n=john@c-76-108-239-149.hsd1.fl.comcast.net] has quit [Read error: 104 (Connection reset by peer)]
00:23 -!- Janick [n=Janick@adsl-89-217-133-86.adslplus.ch] has left ##openvpn ["http://quassel-irc.org - Chat comfortably. Anywhere."]
00:55 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has joined ##openvpn
00:56 < caimlas> hi, i'm trying to understand the meaning of 'def1' as outlined here in the howto: http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
00:56 < vpnHelper> Title: HOWTO (at www.openvpn.net)
00:56 < caimlas> it is not clearly defined.
00:56 < caimlas> (actually it's not defined at all, just trying to figure out how to provide a route-all-through-vpn setup)
01:05 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has joined ##openvpn
01:08 -!- nordge1 [i=ad33568f@gateway/web/freenode/x-lnkauqvqniwdlpki] has joined ##openvpn
01:08 < nordge1> I have a OpenVPN question regarding username/password
01:09 < nordge1> I have an Amahi server that requires username and password to enter. Is there a way to store this info in the file on the client side so it does not have to be entered?
01:10 < cpg> anyone around?
01:10 < caimlas> hi
01:11 < nordge1> hey
01:11 < caimlas> I have no answers, only questions. :)
01:13 < cpg> i think it may be best to test it on a desktop
01:14 < nordge1> how do you mean?
01:14 < cpg> actually, i am fairly positive it's possible
01:14 < nordge1> Oh test connecting a desktop?
01:14 < cpg> because i did it once
01:14 < cpg> yes, for testing
01:14 < nordge1> I see
01:14 < nordge1> good idea
01:15 < cpg> take the iphone out of que equation
01:15 < cpg> the*
01:15 < nordge1> but I still don't know where or how to store the info
01:15 < cpg> i know i have done it
01:15 < cpg> but someone else generated the certificate for me
01:15 < nordge1> Seems like this would be a nice feature for desktop users too
01:16 < cpg> yeah
01:16 < nordge1> maybe a nice tab in the control panel with openvpn options
01:16 < nordge1> download certs
01:16 < cpg> looks like there not much action here
01:16 < nordge1> username yes/no
01:16 < cpg> yeah
01:17 < nordge1> agreed
01:17 < nordge1> amahi 5.1
01:17 < nordge1> now with fres vpn scent
01:17 < nordge1> fresh
01:18 < cpg> LOO
01:18 < cpg> LOL
01:27 < magic_1> hi all
01:28 < nordge1> evening
01:34 < magic_1> morning
01:36 < nordge1> right, hey magic, are you an openvpn maestro?
01:39 < Bushmills> nordge1: consider to generate keys, instead of putting username/password into files.
01:39 -!- cpg is now known as cpg|brb
01:39 < Bushmills> effect is same as what you want: auto connect without entering either
01:40 < nordge1> Sounds great do i need to change settings on the server side?
01:41 < nordge1> sorry, i'm new to this
01:41 < Bushmills> depends on current settings, but generally, no, ask keys is the preferred way to do auth
01:43 < nordge1> Amahi has us download a windows connect application that has certs and keys in it. But it is not specific to our server. The app pops up and asks for your username pass and server name.
01:44 < nordge1> can I ssh to server and generate a key
01:53 < Section58> IS there something you can put in between ovpn and the tun, to manipulate ip's ranges and traffic direction ???
01:53 < Section58> (a bit like a hacked interface)
01:57 < magic_1> back
01:57 < magic_1> how can i help
02:02 < Section58> ok, so multi site, multi provider
02:02 < Section58> i was thinking mesh network
02:03 < Section58> each adaptor would have the one ip
02:03 < Section58> on some sort of bridge ??
02:03 < Section58> will stick the ovpn's on a /24
02:03 < Section58> should give me up to 254 sites/adaptors right ?
02:04 < Section58> its like having servers everywhere, that link to multiple servers
02:04 < Section58> is that possible ?
02:04 < Section58> (as i have been using single strip /30 links (one interface per link) for ages
02:05 < Section58> and i am starting to get too many interfaces
02:05 < Section58> firewall could control from ip/zone
02:05 < Section58> is this possible ?
02:06 < Section58> only problem with bridging ofc would be the extra arping traffic
02:06 < Section58> i could have a firewall keep a lid on that couldn't i
02:27 < caimlas> Section58, unfortunately i think you're talking to yourself. :-/
02:31 -!- nordge1 [i=ad33568f@gateway/web/freenode/x-lnkauqvqniwdlpki] has quit [Ping timeout: 180 seconds]
02:33 < Section58> its always good to get it all out in one go
02:33 < Section58> so when i ask again half way through tomorrow
02:33 < Section58> i can just copy and paste :D
02:34 < Section58> my brain doesn't always verbally report what it is i'm trying to say
02:34 < Section58> its very hard trying to explain something
02:34 < Section58> or descriptions
02:38 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
02:38 -!- pa [n=pa@unaffiliated/pa] has quit [Read error: 60 (Operation timed out)]
02:39 < caimlas> Section58, heh know what you mean.
02:39 < caimlas> Section58, are you familiar with openvpn configuration?
02:42 -!- gherdo [n=user@mefisto.infogroup.it] has joined ##openvpn
02:43 -!- gherdo [n=user@mefisto.infogroup.it] has left ##openvpn ["ERC Version 5.3 (IRC client for Emacs)"]
02:57 -!- MarcWeber [n=marc@88.80.200.63] has left ##openvpn []
03:06 -!- master_o1_master [n=master_o@p57B551DE.dip.t-dialin.net] has joined ##openvpn
03:17 -!- master_of_master [i=master_o@p57B56831.dip.t-dialin.net] has quit [Read error: 110 (Connection timed out)]
03:20 -!- Qwizie [n=dunno@cpe-24-95-54-134.columbus.res.rr.com] has quit [Read error: 110 (Connection timed out)]
03:22 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##OpenVPN
03:39 -!- henry-nicolas [i=d940f005@gateway/web/freenode/x-lccyhxofhcepwoix] has quit [Ping timeout: 180 seconds]
03:39 < Section58> caimlas, never really went into it heavy. set up CA's before. And use a sql plugin for user auth
03:40 < Section58> but my configs are normally 'where, from, port, secret' and thats about it :)
03:41 < Section58> also, just a thought.. this config i have in my head... they would all have to be 'taps' init ?
03:41 < Section58> cause if i remember correctly, tuns are site to site links and nothing else
03:42 -!- polaru [n=polaru@93.113.192.70] has joined ##openvpn
03:42 -!- newmember [n=chatzill@S010600036d1139bb.cg.shawcable.net] has joined ##openvpn
03:44 -!- Sky[x] [n=mihaaaa@tm.213.143.85.148.dc.telemach.net] has quit [Client Quit]
03:51 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 60 (Operation timed out)]
03:53 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has joined ##OpenVPN
04:04 -!- rajin [n=_@port-11310.pppoe.wtnet.de] has joined ##openvpn
04:14 -!- cpg|brb is now known as cpg
04:31 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has quit [Read error: 60 (Operation timed out)]
04:36 -!- dmarkey [n=dmarkey@dmarkey.xen.prgmr.com] has joined ##openvpn
04:43 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has quit [Read error: 60 (Operation timed out)]
04:44 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has joined ##openvpn
04:46 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
05:00 < Bushmills> Section58: iptables
05:05 -!- exes [n=exes@galileo.exes.org] has left ##openvpn []
05:52 < Section58> in what respect Bushmills?
05:52 < Section58> :)
05:52 < Bushmills> (10:51:54) Section58: [07:53] IS there something you can put in between ovpn and the tun, to manipulate ip's ranges and traffic direction ???
05:52 < Section58> o, rgr that thanks
05:59 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
06:04 -!- cpg [n=amahi@c-24-4-39-26.hsd1.ca.comcast.net] has quit []
06:07 -!- Kaspx [n=Kasx@adsl-71-140-186-190.dsl.pltn13.pacbell.net] has joined ##openvpn
06:10 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, caimlas, crazygir, cityLights, krzee, pa, jmm, plundra, Kasx, vpnHelper, (+1 more, use /NETSPLIT to show all of them)
06:11 -!- Netsplit over, joins: pa, jmm, caimlas, craver_, plundra, vpnHelper, crazygir, cityLights, Optic
06:12 < Hetman> anybody can help me with my routing ? after establishing VPN connection i`ve got this : http://pastebin.com/m3bd1c8e1 . How to now get back to my old settings ? I want send all traffic by 192.168.0.1 (eth0) not by VPN (tun0) ?
06:13 -!- crazygir [n=jason@li14-82.members.linode.com] has quit [SendQ exceeded]
06:14 -!- crazygir [n=jason@li14-82.members.linode.com] has joined ##openvpn
06:15 < Bushmills> you want to send all traffic to gateway 192.168.0.1?
06:16 < Bushmills> !redirect
06:16 < vpnHelper> Bushmills: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
06:16 < reiffert> looks like he tries to restore the old settings after using ovpn, dunno exactly.
06:17 < Bushmills> morning reiffert
06:17 < Hetman> yes i want to restore old setting
06:17 < Hetman> i don`t have option redirect gateway in my config
06:17 < reiffert> morning
06:17 < Bushmills> then not a lot should have changed
06:18 < Bushmills> just added entries to vpn interface, unless server or client config demands setting up additional routes
06:18 < reiffert> Bushmills: My plans are sleeping, cleaning up, sporting, showering, christianfetching, mind dropping by around 6 to 7pm?
06:19 < Hetman> but it changing that ... and i want go back to old setting (but leaving that VPN connection established)
06:19 < Bushmills> reiffert: still awake?
06:19 < reiffert> Hetman: openvpn wont change the default route unless you are using redirect-gateway.
06:19 < Bushmills> christianfetching is bretzenheimpassing?
06:19 < reiffert> Bushmills: nah, got 5 hours tonight
06:20 < reiffert> christianfetching is schlangenbadpassing among mandy&andrehechtsheiming where as bretzenheimering lays on the waying
06:20 < Bushmills> Hetman: leaving vpn established without a route to vpn doesn't appear to make a huge amount of sense
06:21 < reiffert> Bushmills: sure it does make sense, you can talk the vpn server...
06:21 < Bushmills> ah, me thought langehaarechristianfetching
06:21 < Bushmills> reiffert: without a route to it?
06:21 < reiffert> Bushmills: an obvious hostroute coming from the vpn connection...
06:22 < Hetman> reiffert: http://pastebin.com/m3a2ff0b8
06:22 < Hetman> Bushmills: i just want to forward port 8080 through VPN, rest for my normal internet connection. Then i set up proxy in one program to localhost, port 8080 to give this program IP USA
06:23 < Bushmills> Hetman: i'm not sure what you'd need to restore then
06:23 < reiffert> Hetman: paste server config.
06:23 < Bushmills> default         10.10.10.29     128.0.0.0       UG    0      0        0 tun0
06:23 < Bushmills> this is probably the result of redirect-gateway def1
06:24 < Hetman> reiffert: don`t have, i buy this account on vpnuk.net
06:24 < Bushmills> remove that from the config
06:24 < reiffert> Hetman: dont paste, just remove the redirect-gateway in there.
06:24 < Bushmills> 128.0.0.0       10.10.10.29     128.0.0.0       UG    0      0        0 tun0 this too
06:25 < reiffert> Hetman: k, check manpage for an alternative route command, create a route wrapper and filter what you dont need, that is the default stuff with 127. 128.0.0.0
06:25 < Bushmills> or route del after client has connected
06:25 < Hetman> i try this after connect :
06:25 < Hetman> [root@freak ~]# route del default gw 10.10.10.29
06:25 < Hetman> SIOCDELRT: No such process
06:26 < Hetman> bad syntax, as i think
06:26 < Bushmills> also specify netmask
06:26 < Hetman> after that ip address at end ? netmask xx.xxx..xxx. ?
06:27 < Bushmills> between default and gw should do
06:27 < reiffert> Bushmills: you are by bike or by train?
06:27 < Bushmills> not sure.
06:27 < Bushmills> looks a bit slippery
06:28 < Bushmills> how does it look in fields behind marienborn?
06:28 < Bushmills> in the fields
06:28 -!- buntfalke [n=nobody@openvpn-p1-002.triple-a.uni-kl.de] has joined ##openvpn
06:29 < |Mike|> morning.
06:30 < Hetman> Ok deleted that default to 10.10.10.29 , what should i also remove ? my traffic still goes through VPN
06:30 < Bushmills> (13:24:49) Bushmills: 128.0.0.0       10.10.10.29     128.0.0.0       UG    0      0        0 tun0 this too
06:30 < Hetman> ok
06:32 < Hetman> what is wrong here : route del 128.0.0.0 netmask 128.0.0.0 gw 10.10.10.29
06:34 < |Mike|> man route
06:34 < reiffert> Bushmills: wet n dirty
06:34 < Hetman> ok found this one
06:34 < Hetman> deleted
06:34 < |Mike|> You might want to use "delete" instead of "del" ;)
06:34 < reiffert> Bushmills: muddy
06:34 < Hetman> success :D
06:34 < Hetman> everything goes now by eth0
06:35 < Hetman> thx, now i try to add iptables rule to redirect all traffic from lo on port 8080 to tun0
06:40 * reiffert bed
06:50 -!- LobbyZ [n=default@main.lobbyzffs.com] has quit ["Free FTW"]
07:00 -!- g` [n=nop@78-60-219-94.static.zebra.lt] has quit [Read error: 60 (Operation timed out)]
07:01 -!- n5 [n=nop@78-60-219-94.static.zebra.lt] has joined ##openvpn
07:02 -!- LobbyZ [n=default@main.lobbyzffs.com] has joined ##openvpn
07:06 -!- rajin [n=_@port-11310.pppoe.wtnet.de] has quit [Connection timed out]
07:16 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
07:32 -!- lt83850 [i=lt83850@c-24-127-180-91.hsd1.pa.comcast.net] has quit [Read error: 113 (No route to host)]
07:44 -!- g` [n=nop@78-60-219-94.static.zebra.lt] has joined ##openvpn
07:45 -!- n5 [n=nop@78-60-219-94.static.zebra.lt] has quit [Remote closed the connection]
07:48 < ecrist> good morning
07:50 < krzee> gmornin bro
07:50 < krzee> although im gunna go back to sleep =]
07:55 -!- g` [n=nop@78-60-219-94.static.zebra.lt] has quit [Remote closed the connection]
08:03 -!- mario__ [n=mario@projekte.imos.net] has joined ##openvpn
08:03 < mario__> Hello!
08:04 < mario__> can i put my openssl certs, cas and stuff also in a ldap directory?
08:13 -!- mario__ [n=mario@projekte.imos.net] has quit ["Ex-Chat"]
08:46 -!- mithridates [n=mithrida@CPE001c103c6b61-CM001ac317c0ba.cpe.net.cable.rogers.com] has joined ##openvpn
08:49 < mithridates> hey guys
08:49 < ecrist> howdy
09:08 -!- joshua__ [n=joshua@ip68-100-213-73.dc.dc.cox.net] has quit [Read error: 60 (Operation timed out)]
09:39 < krzie> hello
09:39 < ecrist> I thought you were going to bed, krzie.
09:40 < krzie> i did
09:40 < krzie> but it was short, now at work
09:44 -!- Gilos [n=bxh2363@kccsfw01.sec.sprint.net] has joined ##openvpn
10:02 -!- Gilos [n=bxh2363@kccsfw01.sec.sprint.net] has quit [Read error: 54 (Connection reset by peer)]
10:02 -!- bxh2363 [n=bxh2363@kccsfw01.sec.sprint.net] has joined ##openvpn
10:03 -!- bxh2363 is now known as Gilos
10:05 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has joined ##openvpn
10:05 -!- Gilos [n=bxh2363@kccsfw01.sec.sprint.net] has quit [Client Quit]
10:05 -!- Gilos [n=bxh2363@kccsfw01.sec.sprint.net] has joined ##openvpn
10:06 -!- polaru [n=polaru@93.113.192.70] has quit [Remote closed the connection]
10:10 -!- bxh2363 [n=bxh2363@kccsfw01.sec.sprint.net] has joined ##openvpn
10:10 -!- Gilos [n=bxh2363@kccsfw01.sec.sprint.net] has quit [Remote closed the connection]
10:11 -!- bxh2363 [n=bxh2363@kccsfw01.sec.sprint.net] has quit [Client Quit]
10:11 -!- Gilos [n=Gilos@kccsfw01.sec.sprint.net] has joined ##openvpn
10:35 < Kaspx> http://sourceforge.net/mailarchive/forum.php?thread_name=4B3CB244.2080305%40openvpn.net&forum_name=openvpn-users
10:35 < vpnHelper> Title: SourceForge.net: OpenVPN: openvpn-users (at sourceforge.net)
11:12 < ecrist> interesting
11:12 -!- Irssi: ##openvpn: Total of 91 nicks [0 ops, 0 halfops, 0 voices, 91 normal]
11:13 * ecrist joins openvpn mailing list
11:26 < krzie> or mirror it from my imap dir ;)
11:26 < ecrist> lol
11:26 -!- havoc [n=havoc@saturn.chaillet.net] has quit ["leaving"]
11:27 < ecrist> after reading through a few threads, I'm starting to think openvpn's attempt at 'community' is going to be more hassle than benefit
11:30 < krzie> In a way try to identify the real issues (e.g. "getting
11:30 < krzie> support is difficult")
11:30 < krzie> lol
11:31 < krzie> its not very difficult if you come to the table with knowledge of networking
11:32 < krzie> if they want to help non computer literate people they will need to build a site that teaches everything about networks, likely in 1 paragraph to actually get people to read it all
11:32 < krzie> ;]
11:32 < ecrist> it's hard to teach non-technical folks how to use a technical product
11:32 < krzie> theres been a number of people that didnt have a working setup after reading !route but after i paste a few lines from !route they figure it out
11:33 < krzie> i still like the idea of making a flowchart for troubleshooting VPNs
11:33 < krzie> at least for !route and !redirect issues
11:33 < krzie> which i believe is a nice % of questions
11:34 < krzie> hopefully 1 day i actually do it ;]
11:47 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has joined ##openvpn
11:52 -!- Qwizie [n=duchbag@cpe-24-95-54-134.columbus.res.rr.com] has joined ##openvpn
11:57 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
12:16 < ecrist> ovpnforum.com currently has 331 posts, 110 topics and 1620 users
12:17 < ecrist> I should really write a script that blows out users who have no posts 6 months after account creation or something
12:17 < ecrist> my guess is 60% of those users are spam
12:19 -!- hyper__ch [n=hyper@adsl-84-227-58-130.adslplus.ch] has joined ##openvpn
12:19 -!- hyper_ch [n=hyper@adsl-89-217-76-109.adslplus.ch] has quit [Nick collision from services.]
12:19 -!- hyper__ch is now known as hyper_ch
12:28 < krzie> ill take the over
12:29 < krzie> ild go over 80 in fact
12:35 * ecrist does some queries
12:37 < ecrist> hrm
12:38 < ecrist> db is reporting 3,286 users in user table, 3,182 of those have 0 posts
12:50 < krzie> ok so if we use the 1620 from earlier and the 104 that have posts...
12:50 < krzie> 85%
12:56 -!- KaiForce [n=chatzill@adsl-70-228-89-235.dsl.akrnoh.ameritech.net] has quit ["ChatZilla 0.9.86 [Firefox 3.0.16/2009120208]"]
13:05 < krzie> err no bad math
13:06 < krzie> between 93% and 94%
13:17 -!- Serideru [n=GTWebste@wsip-24-249-157-93.tu.ok.cox.net] has quit [Read error: 104 (Connection reset by peer)]
13:34 < mithridates> hey guys
13:34 < mithridates> I'm configuring an openvpn server for bypassing internet filtering
13:35 < mithridates> and my clients live in iran
13:36 < krzie> cool
13:36 < mithridates> government block the ip of vpn servers by analyzing packets and destination
13:36 < mithridates> s
13:36 < krzie> either you arent the first or you have been here a long time
13:36 < krzie> heheh
13:36 < mithridates> :D
13:37 < mithridates> I explained it vary times
13:37 < krzie> ahh cool
13:37 < krzie> so whats the question?
13:38 < mithridates> is here any solution to make destination of packets unreadable by analysers ?
13:39 < mithridates> they catch a bandwidth and check it and block the destination ip when they find an ip that all of packets are going there
13:40 < krzie> not really
13:40 < krzie> thats actually a nice way to filter, china should take notes
13:41 < mithridates> how can I get rid of this blocking?
13:41 < krzie> no way i know of
13:41 < mithridates> :(
13:42 < krzie> no matter what i come up with it all boils down to proxying in some way or another
13:42 < krzie> you could check out onion routing maybe
13:42 < Bushmills> creating some decoy traffic to other machines could help
13:42 < krzie> aka TOR
13:43 < mithridates> Bushmills: do u mean making some junk packets with different destination?
13:43 < Bushmills> right.
13:43 < Bushmills> or maybe even actual traffic, to other vpn servers
13:43 < mithridates> but there is a problem, iranian have internet with the lowest speed that u can find around the world
13:43 < krzie> hey hey thats actually a good idea
13:44 < krzie> you could connect to a number of VPNs
13:44 < mithridates> which one?
13:44 < krzie> and break up your default routing based on different subnets
13:44 < krzie> but if you can use TOR that might be the easiest
13:44 < mithridates> no I can't use TOR
13:44 < mithridates> I need to use vpn
13:45 < Bushmills> spread your traffic
13:45 < krzie> then ya Bushmills' idea might be your only way
13:45 < mithridates> do u mean using number of vpn servers with randomly orbital connection?
13:45 < krzie> mithridates whats the end result? you can access client machines? they can access certain webpages?
13:46 < Bushmills> not even random. packet destination should introduce some randomizing already
13:46 < mithridates> I serve Internet without filtering for them
13:46 < mithridates> by NAT
13:46 < krzie> mithridates so they need to access the entire inet through you?
13:46 < krzie> or just a couple websites
13:46 < mithridates> yes
13:46 < Bushmills> that allows static routes. much simpler
13:47 < krzie> ok then again, i agree with Bushmills' idea
13:47 < krzie> only thing i can think of, but still might get blocked
13:47 -!- teddymills [n=teddy@208.92.235.227] has joined ##openvpn
13:47 < Bushmills> tunneling through inconspicuous services could also work
13:48 < mithridates> I'm not sure about static routes or some websites, because government blocks most of websites , may be 50% of the internet
13:48 < krzie> ya i was thinking dns tunneling for a sec but he said slow inet and the mtu from dns would kill that idea
13:48 < Bushmills> priority is probably to get traffic out. only second is getting it out quickly
13:49 < Bushmills> need higher throughput -> go parallel
13:49 < mithridates> what's the inconspicuous services
13:49 < krzie> icmp
13:49 < krzie> dns
13:49 < Bushmills> dns would be one. tunneling by email attachments (pictures, for example)
13:50 < mithridates> I need a stable connection for my users
13:50 < krzie> iodine for dns tunneling
13:50 < krzie> icmptx for icmp tunneling
13:50 < mithridates> most of them want to use it for voip for example by skype ...
13:50 -!- krzee [i=nobody@unaffiliated/krzee] has quit ["This computer has gone to sleep"]
13:50 < krzie> i never heard of tunneling over smtp but sounds cool
13:51 < mithridates> I heard about that
13:51 < Bushmills> pictures are often used for steganographic purposes
13:51 < krzie> o ya
13:51 < krzie> ive done that
13:51 < krzie> just not tunneling ip over it
13:51 < Bushmills> encoding network packets, and reading them from pictures should be quite feasible
13:51 < Bushmills> especially as pictures can be rather big
13:52 < ecrist> kick it up a notch and use streaming video
13:52 < Bushmills> i estimate that you can encode 500 to 1000 tcp packets into one picture
13:53 < krzie> heh
13:53 < Bushmills> have several in one email, and throughput would be reasonable. latency would suffer
13:53 < krzie> great ideas
13:53 < mithridates> and how can I decode them for the clients?
13:53 < ecrist> a perl script with fetchmail
13:53 < krzie> mithridates youd need custom apps on both sides
13:53 < mithridates> I know that's great idea, may be for public users
13:53 < mithridates> but I want to serve this service for companies
13:54 < Bushmills> can't be too public, or they lose their edge
13:54 < mithridates> they need a stable connection for voice for video conferences for everythings
13:54 < Bushmills> once it is generally known how to decode them, being able to filter them is not far
13:55 < ecrist> I don't think you can run something like voip over that too easily
13:55 < krzie> absolutely not
13:55 < mithridates> I think we are going to the wrong way
13:55 < krzie> latency and jitter would prohibit voip
13:55 < krzie> in fact i doubt your people will have good voip regardless
13:55 < mithridates> krzie: exactly
13:55 < krzie> s/good/usable/
13:55 < Bushmills> then scattering might be an alternative
13:56 < Bushmills> a technique, comparable to spread spectrum radio frequency transmissions
13:56 < krzie> because you said iran has super slow inet, and you introduce a hop to you, i doubt voip will be usable
13:56 < mithridates> umm
13:57 < krzie> unless they score and have a better route to you than normal inet (ive done that)
13:57 < krzie> when i first moved here i scored a box in florida that i had a better route to than anywhere else in usa
13:57 < mithridates> Bushmills: would u explain more about this technology?
13:57 < krzie> so i started using that as my proxy to the inet, and had less latency to the inet than otherwise, lol
13:58 < mithridates> krzie: yes I read before that voip can help clients to have better quality in voip
13:58 < krzie> mithridates hes basically saying to break up the clients default route over many vpn connections to many machines you run
13:58 < Bushmills> i'd have to read up more myself before i could go into details. the idea is that information is sent on many channels, and with low intensity on each channel. per channel information is almost noise level. only by combining them you get a usable signal back
13:59 < Bushmills> apply the principle on routing, ports,
13:59 < Bushmills> destinations, ports,
14:00 < mithridates> Bushmills: I don't have enough knowledge to do that
14:00 < Bushmills> signal is encoded with some redundancy. so decoder can work with incomplete data
14:01 < mithridates> ok , wait
14:02 < mithridates> I'll start with the easiest solution for the beginning then I will develop it
14:02 < mithridates> now I have another problem
14:02 < Bushmills> good plan
14:02 < mithridates> I have more than 150 users
14:03 < krzie> krzie: yes I read before that voip can help clients to have
14:03 < krzie> better quality in voip
14:03 < mithridates> if I use CA the overhead will going to make double size for packets
14:03 < krzie> i didnt understand that
14:03 < Bushmills> does iran allow pro-government propaganda across the borders?
14:04 < mithridates> Bushmills: do u mean in the websites?
14:04 < Bushmills> as audio or video streams, for example
14:04 < mithridates> yes I think so
14:05 < Bushmills> those would make a great carrier for steganography, wouldn't they?
14:05 < mithridates> let me ask it because I'm not in iran
14:05 < krzie> not only a great carrier, but also kinda funny
14:05 < Bushmills> not funny, alas, as fun is fun only when shared
14:06 < mithridates> ummm I didn't know that
14:06 < mithridates> no they wouldn't
14:06 < krzie> lets hope iran doesnt find !irclogs
14:06 < krzie> hehehe
14:06 < mithridates> we didn't use that
14:06 < mithridates> it is such a great idea
14:06 < Bushmills> well, if we find that pro-regime propaganda will be blocked, we know that they do :D
14:07 < mithridates> I didn't get what u mean
14:08 < mithridates> if we find that pro-regime propaganda will be blocked,
14:08 < krzie> he was joking about my joke
14:08 < Bushmills> if the keepers of the truth suspect pro-regime propaganda to be subversive, we know that they read IRC
14:10 < Bushmills> when they start blocking pro-regime information, and the opposition complains about that censoring ...
14:11 < krzie> haha
14:11 < mithridates> Bushmills: now I just want to implement this server
14:12 < mithridates> but I'm wondering whether to use CA or password for the encryption method in openvpn
14:12 < mithridates> using CA has more overhead that might be about 50%
14:12 < mithridates> but is also the best way of securing packets
14:13 < mithridates> but the password doesn't have 50% overhead
14:13 < mithridates> and also doesn't have a good security level
14:14 < krzie> security doesnt seem to be your concern
14:14 < krzie> getting them access to the web is
14:15 < mithridates> that's easy
14:15 < krzie> whats easy?
14:15 < mithridates> using NAT is the solution for forwarding all traffic
14:15 < krzie> well ya
14:15 < krzie> but i mean without getting blocked
14:16 < krzie> i understand that NAT works for what you want ;]
14:17 < mithridates> I'm gonna forget their protection by blocking ips
14:17 < mithridates> because I can get 30 ips per month for 30$
14:17 < mithridates> and then change the ip every day
14:18 < mithridates> it was an example
14:18 < mithridates> I know it's not a great idea
14:18 < mithridates> but I have a time limitation in this project so I need to implement the core of the project, then I will develop it
14:20 < Bushmills> is the idea to protect data crossing the border, or information exchanged inside of the country?
14:20 * krzie hopes hes not helping terrorism
14:21 < mithridates> only to protect data crossing the border
14:21 < Bushmills> so the link where data enters and leaves is the critical spot
14:22 * ecrist suggests satellite
14:22 < krzie> yup
14:22 < krzie> i was thinking that too
14:22 < Bushmills> and a solution would be to replace that link with a different, non-internet one
14:22 < mithridates> why?
14:22 < mithridates> we can do it by internet
14:22 < mithridates> why not?
14:22 < Bushmills> that way data won't be subjected to the filters
14:23 < Bushmills> modulated laser, for example
14:23 < mithridates> but I want to serve it for companies which are in geographically different locations
14:23 < krzie> hes saying get past the filters that way
14:23 < krzie> vpn to inside iran
14:23 < krzie> laser over the border
14:23 < Bushmills> well, yes, that'd be just a specialized route for a hop
14:24 < krzie> continue as normal
14:24 < mithridates> i think you are going to such a science fiction way :D
14:25 < mithridates> I have a budget around 600$
14:25 < Bushmills> that was SciFi 40 years ago
14:25 < mithridates> I know but it needs enough budget that I don't have
14:25 < mithridates> but I can think about it maybe for dubai
14:27 < mithridates> :(
14:33 < mithridates> hey guys
14:33 < mithridates> Bushmills: you talked about satellite,
14:33 < Bushmills> actually, ecrist did
14:33 < mithridates> there is a problem, how can I serve internet inside iran after getting data by satellite
14:33 < mithridates> ?
14:34 < krzie> satellite!
14:34 < mithridates> by dial-up?
14:34 < mithridates> no
14:34 < mithridates> sorry
14:34 < mithridates> by a receiver
14:34 < krzie> (it has to transmit as well)
14:35 < mithridates> I'm talking about after transmitting data to iran , after establishing connection
14:35 < mithridates> I have some clients in different cities
14:35 < mithridates> how can I share this connection for them?
14:35 < krzie> lol
14:35 < mithridates> and what about sending data?
14:35 < krzie> satellite...
14:36 < mithridates> because I might only receive data
14:36 < krzie> tru if you dont have xmit, but in that case you have no connection
14:36 < krzie> both sats would be bi-directional
14:36 < mithridates> ok , that's fine
14:36 < mithridates> I can use bi-directional, but
14:37 < mithridates> now we have a connection in iran
14:37 < mithridates> how can I share it to my clients?
14:37 < mithridates> by dial-up?
14:37 < Bushmills> "Another ancient example is that of Histiaeus, who shaved the head of his most trusted slave and tattooed a message on it. After his hair had grown the message was hidden." ... asks for an RFC for tcp/ip over head tattoo.
14:37 < krzie> i dont understand what you're asking
14:38 < Bushmills> Messages written in morse code on knitting yarn and then knitted into a piece of clothing worn by a courier.
14:39 < krzie> someone is reading up on the history of steganography
14:41 < Bushmills> yes. i thought knowing a few more traditional or historic techniques could be beneficial
14:41 < mithridates> you made me confused guys =)) but you are really creative
14:42 -!- Netsplit lindbohm.freenode.net <-> irc.freenode.net quits: Optic, caimlas, cityLights, pa, hyper_ch, jmm, plundra, vpnHelper, craver_
14:42 < mithridates> I'm gonna configure my openvpn server with basic setup, then I will come back
14:42 < krzie> well yanno... if you cant dazzle them with brilliance, babble them with bullshit
14:43 < mithridates> :D
14:43 < mithridates> ok
14:44 < krzie> my old bunky from kentucky used to say that
14:44 < krzie> i whip it out every chance i get
14:45 * ecrist whips out something else every chance he gets
14:49 < krzie> well go ahead then!
14:51 -!- Qwizie [n=duchbag@cpe-24-95-54-134.columbus.res.rr.com] has quit [Read error: 104 (Connection reset by peer)]
14:53 -!- hyper_ch [n=hyper@adsl-84-227-58-130.adslplus.ch] has joined ##openvpn
14:53 -!- jmm [n=jmm@LPuteaux-156-14-28-187.w82-127.abo.wanadoo.fr] has joined ##openvpn
14:53 -!- caimlas [n=caimlas@DHCP-26.64-179-155.iw.net] has joined ##openvpn
14:53 -!- craver_ [n=craver@208.53.57.220] has joined ##openvpn
14:53 -!- Optic [n=Optic@miso.capybara.org] has joined ##openvpn
14:55 -!- pa [n=pa@unaffiliated/pa] has joined ##openvpn
14:55 -!- plundra [i=404@article.se] has joined ##openvpn
14:55 -!- vpnHelper [n=vpn@unaffiliated/krzee/bot/vpnhelper] has joined ##openvpn
14:55 -!- cityLights [n=cityLigh@bzq-84-111-46-151.red.bezeqint.net] has joined ##openvpn
15:00 < Bushmills> sounds like there's a demand for http://www.comparestoreprices.co.uk/images/do/dolly-the-inflatable-sheep.jpg
15:01 < krzie> oh god
15:01 < ecrist> LOL
15:03 * ecrist leaves to get his drink on.
15:03 < krzie> same
15:07 < _trine> wot no wellies
15:07 < _trine> or is that just a UK joke?
15:36 < hyper_ch> hmmm, If I set up a remote server as a vpn client, can I still ssh into it over its old IP?
15:37 < hyper_ch> !howto
15:37 < vpnHelper> hyper_ch: "howto" is OpenVPN comes with a great howto, PLEASE READ IT! http://openvpn.net/howto
15:37 -!- Intensity [i=[9wZk4yy@unaffiliated/intensity] has joined ##openvpn
15:38 < Bushmills> yes, you can
15:39 < hyper_ch> hmmm, my ssh connection got separated and I can't even ping the server anymore
15:39 < Bushmills> without route to server public ip address, the vpn tunnel will collapse
15:39 < Bushmills> so ssh can connect to server as well
15:40 < hyper_ch> I don't understand what you just said
15:40 < Bushmills> public ip address means, non-vpn address
15:40 < hyper_ch> can't ping it anymore
15:43 -!- Ziber [i=Liber@liber-ipv6.net] has quit [Read error: 60 (Operation timed out)]
15:44 -!- _trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has quit [Read error: 54 (Connection reset by peer)]
15:44 -!- __trine [n=psybnc_a@trine1-1-pt.tunnel.tserv5.lon1.ipv6.he.net] has joined ##openvpn
15:46 < hyper_ch> so, having removed openvpn and rebooting server
15:51 -!- krzee [i=nobody@unaffiliated/krzee] has joined ##openvpn
15:56 < hyper_ch> Bushmills: I have here the config, file list and log: http://www.pastebin.org/70215 the openvpn server runs as my home server can use it just fine....
15:59 < hyper_ch> from what I can read from the logs it seems it worked
16:04 < Bushmills> ssh to 91.121.147.34 instead of to server hostname. or ping 91.121.147.34 instead of ping serverhostname
16:07 < hyper_ch> took me almost all day long to set up that encrypted server
16:07 < hyper_ch> now if I only get vpn to work now it's perfect :)
16:11 < hyper_ch> Bushmills: as soon as I run sudo /etc/init.d/openvpn restart the ssh connection breaks and I can't ping the server anymore
16:13 < Bushmills> check your client's route. from the log it seemed ok. but your problem is consistent with faulty routes.
16:13 < hyper_ch> how to check them?
16:13 < Bushmills> route -n
16:13 < Bushmills> or netstat -rn
16:14 < hyper_ch> well, I have to reboot the rescue system
16:14 < hyper_ch> remove openvpn in a chroot environment and reboot the system again
16:14 < Bushmills> client
16:14 < Bushmills> can't you just log in?
16:14 < hyper_ch> Bushmills: how?
16:14 < hyper_ch> Bushmills: as said, ssh connection to it gets broken and I can't ping it anymore
16:14 < Bushmills> by entering user name and password
16:15 < Bushmills> do you ssh to client?
16:15 < hyper_ch> yes
16:15 < hyper_ch> the "client" is a dedicated server located in a data center
16:16 < Bushmills> your client probably works. server too. problem is probably that client doesn't talk to the machine you're sitting behind anymore, because you route all traffic through vpn server
16:16 < hyper_ch> ok....
16:16 < hyper_ch> I was able to figure out its 10.8.0.x ip
16:16 < hyper_ch> and logged in :)
16:16 < Bushmills> therefore, also the ssh reply packets which were supposed to go to the machine you're sitting behind
16:18 < hyper_ch> Bushmills: http://www.pastebin.org/70216
16:21 < hyper_ch> you also need the interfaces for that client?
16:34 < hyper_ch> would that help: iptables -t nat -I POSTROUTING -o br0 -p tcp --dport 22 -j MASQUERADE ?
16:39 < Bushmills> if your client can't be reached through the server, where client's default route goes to, you need to add a route on client to the machine you're sitting behind
16:40 < hyper_ch> Bushmills:
16:40 < hyper_ch> I can't ssh into the client using its public ip
16:40 < hyper_ch> the computer I'm using is not in the vpn
16:41 < Bushmills> do you want me to repeat what i said before, or can you scroll up and read that yourself?
16:41 < hyper_ch> Bushmills: I have no clue what you said or what it means
16:41 < Bushmills> (23:16:08) Bushmills: your client probably works. server too. problem is probably that client doesn't talk to the machine you're sitting behind anymore, because you route all traffic through vpn server
16:42 < Bushmills> (23:39:54) Bushmills: if your client can't be reached through the server, where client's default route goes to, you need to add a route on client to the machine you're sitting behind
16:42 < hyper_ch> none of the traffic of the machine I'm using is routed through the vpn server
16:42 < hyper_ch> I don't want to reach the client through the open vpn server
16:42 < hyper_ch> I want to reach it directly through its dedicated IP
16:42 < Bushmills> your client log tells a different storys
16:43 < Bushmills> story
16:43 < hyper_ch> openvpn server: 91.121.147.34
16:44 < hyper_ch> openvpn client: 188.40.139.2
16:44 < Bushmills> (23:42:11) hyper_ch: none of the traffic of the machine I'm using is routed through the vpn server
16:44 < Bushmills> Thu Dec 31 21:32:46 2009 us=117860 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.13 Thu Dec 31 21:32:46 2009 us=118479 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
16:44 < hyper_ch> my machine: 84.227.58.130 --> no openvpn server/client running
16:44 < Bushmills> now how would a ssh reply packet go back to your machine?
16:44 < hyper_ch> I have no clue what that means
16:45 < Bushmills> it means that when openvpn is started, your machine can't talk to client anymore
16:45 < hyper_ch> then I wonder why it does not behave the same on my home server
16:45 < hyper_ch> where openvpn client is running with the same config (but different keys)
16:46 < hyper_ch> I can ssh the home server without issues from the lan
16:46 < Bushmills> maybe your home server sits in the same network, so ssh replies CAN go from server to machine behind which you're sitting
16:47 < Bushmills> but I can only speculate. you're the one who should be able to say why
16:48 < hyper_ch> you assume I know anything about routing and stuff and what all that means
16:51 < Bushmills> yes, i have to. because otherwise, obtaining an answer to your question would be rather meaningless
16:52 < hyper_ch> how to fix it then?
16:53 < Bushmills> (23:42:05) Bushmills: (23:39:54) Bushmills: if your client can't be reached through the server, where client's default route goes to, you need to add a route on client to the machine you're sitting behind
16:54 < hyper_ch> if your client can't be reached through the server --> but I can reach it through the server
16:54 < hyper_ch> I cannot reach it through its default public IP: 188.40.139.2
16:55 < Bushmills> can server reach the machine behind which you're sitting?
16:55 < Bushmills> cdalle
16:55 < Bushmills> called "ssh client" now
16:56 < hyper_ch> what has the server to do with it?
16:56 < Bushmills> because your ssh replies go through it
16:56 < Bushmills> how would they go from server to ssh client?
16:56 < hyper_ch> but I don't want anything ssh going through the openvpn network
16:56 < hyper_ch> the way they get in
16:56 < hyper_ch> through the normal network
16:57 < hyper_ch> ssh is encrypted
16:57 < Bushmills> well, it is configured to route all traffic through vpn server. and it wasn't me who has set it up that way
16:57 < hyper_ch> Bushmills: but my home server is set up the same
16:57 < hyper_ch> and I can ssh into it
16:58 < Bushmills> this is too circular. have a nice evening.
17:00 < hyper_ch> it just doesn't make any sense
17:12 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
17:17 -!- corretico [n=laguilar@201.201.46.106] has quit [Read error: 60 (Operation timed out)]
17:21 < mithridates> do I need both TUN and TAP for my vpn server?
17:25 < mithridates> hey guys
17:25 < mithridates> I have two ip addresses
17:25 < mithridates> do I need to use TUN and TAP?
17:35 < ecrist> !tunortap
17:35 < vpnHelper> ecrist: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
17:35 < vpnHelper> ecrist: against you over the vpn
17:36 < mithridates> ecrist: how can I find these manuals?
17:36 < ecrist> which manuals?
17:37 < mithridates> !tunortap
17:37 < vpnHelper> mithridates: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
17:37 < vpnHelper> mithridates: against you over the vpn
17:37 < ecrist> you mean bot commands?
17:37 < mithridates> yes
17:37 < ecrist> !factoids search
17:37 < ecrist> !factoids search tun
17:37 < vpnHelper> ecrist: 'mactuntap', 'tunortap', and 'tunnelblick'
17:37 < ecrist> !factoids search tap
17:37 < vpnHelper> ecrist: 'tap', 'mactuntap', 'wintaphide', 'tunortap', and 'obsdtap'
17:37 < ecrist> see?
17:37 < mithridates> oh yes
17:37 < mithridates> !factoids search tun
17:37 < vpnHelper> mithridates: 'mactuntap', 'tunortap', and 'tunnelblick'
17:38 < mithridates> yes :D
17:38 < mithridates> fine
17:38 < mithridates> :D
17:38 < mithridates> tnx
17:38 < mithridates> can I find these faqs in the web?
17:38 < ecrist> nope
17:38 < ecrist> all the bot commands are of our own making
17:38 < mithridates> :( why?
17:39 < ecrist> I suppose at some point we could interface all those to a web page
17:39 < mithridates> if I use them do I disturb other users in this channel?
17:39 < ecrist> no, it's there for that
17:39 < mithridates> ok good
17:39 < mithridates> !tunortap
17:39 < vpnHelper> mithridates: "tunortap" is (#1) you ONLY want tap if you need to pass layer2 traffic over the vpn (traffic destined for a MAC address). If you are using IP traffic you want tun. Dont waste the extra overhead., or (#2) and if your reason for wanting tap is windows shares, see !wins, or (#3) also remember that if someone gets access to any side of a tap vpn they can use layer2 attacks like arp poisoning
17:39 < vpnHelper> mithridates: against you over the vpn
17:42 < mithridates> !mactuntap
17:42 < vpnHelper> mithridates: "mactuntap" is http://tuntaposx.sourceforge.net/ for osX tuntap drivers
17:42 < mithridates> !factoids search tun
17:42 < vpnHelper> mithridates: 'mactuntap', 'tunortap', and 'tunnelblick'
17:42 < mithridates> !tunnelblick
17:42 < vpnHelper> mithridates: "tunnelblick" is http://www.tunnelblick.net - Free OpenVPN GUI Client for Mac OS X
17:43 < mithridates> !wins
17:43 < vpnHelper> mithridates: "wins" is http://oreilly.com/catalog/samba/chapter/book/ch07_03.html is a good link for seeing how to run WINS on samba
17:45 -!- HotMama [n=Rachu@cpe-24-95-54-134.columbus.res.rr.com] has joined ##openvpn
17:46 -!- Irssi: ##openvpn: Total of 92 nicks [0 ops, 0 halfops, 0 voices, 92 normal]
17:54 < mithridates> !factoids search name
17:54 < vpnHelper> mithridates: No keys matched that query.
17:55 < mithridates> !factoids search localhost
17:55 < vpnHelper> mithridates: No keys matched that query.
17:55 < mithridates> !factoids search dns
17:55 < vpnHelper> mithridates: 'pushdns' and 'dns'
17:55 < mithridates> !dns
17:55 < vpnHelper> mithridates: "dns" is Level3 open recursive DNS server at 4.2.2.1
17:55 < mithridates> !pushdns
17:55 < vpnHelper> mithridates: "pushdns" is (#1) push "dhcp-option DNS a.b.c.d" to push dns to the client, or (#2) http://thread.gmane.org/gmane.network.openvpn.user/25139/focus=25147 see that mail archive for some info on pushing dns, or (#3) http://article.gmane.org/gmane.network.openvpn.user/25149 for a perm fix via regedit
17:56 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 104 (Connection reset by peer)]
17:57 -!- corretico_ [n=laguilar@201.201.46.106] has joined ##openvpn
17:57 -!- corretico [n=laguilar@201.201.46.106] has joined ##openvpn
17:58 -!- corretico_ [n=laguilar@201.201.46.106] has quit [Read error: 54 (Connection reset by peer)]
18:07 < |Mike|> Happy New 0x7DA
18:40 -!- buntfalke [n=nobody@unaffiliated/buntfalke] has quit [Remote closed the connection]
18:54 -!- dollabill [n=mike@215.sub-75-250-118.myvzw.com] has joined ##openvpn
19:12 -!- gid [n=mike@156.sub-75-248-95.myvzw.com] has joined ##openvpn
19:13 < baz> whats 0x7DA
19:21 -!- dollabill [n=mike@215.sub-75-250-118.myvzw.com] has quit [Read error: 110 (Connection timed out)]
19:25 -!- __trine is now known as _trine
19:33 -!- gid [n=mike@156.sub-75-248-95.myvzw.com] has quit [Connection timed out]
19:48 < mithridates> !tunctl
19:48 < vpnHelper> mithridates: Error: "tunctl" is not a valid command.
19:49 < mithridates> !factoids search tunctl
19:49 < vpnHelper> mithridates: No keys matched that query.
19:50 < mithridates> should I set tunctl for nobody user?
20:14 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has quit [Read error: 54 (Connection reset by peer)]
20:17 < mithridates> !factoids search web-traffic
20:17 < vpnHelper> mithridates: No keys matched that query.
20:17 < mithridates> !factoids search NAT
20:17 < vpnHelper> mithridates: 'nat', 'linnat', 'winnat', 'fbsdnat', 'pfnat', 'freebsdnat', and 'bsdnat'
20:18 < mithridates> !nat
20:18 < vpnHelper> mithridates: "nat" is (#1) http://openvpn.net/howto.html#redirect for an explanation of NAT as it applies to openvpn, or (#2) http://www.secure-computing.net/wiki/index.php/OpenVPN/FAQ#Traffic_forwarding_doesn.27t_work_when_using_client_specific_access_rules, or (#3) dont forget to turn on ip forwarding, or (#4) please choose between !linnat and !fbsdnat for specific howto
20:18 < mithridates> !linnat
20:18 < vpnHelper> mithridates: "linnat" is (#1) for a basic iptables NAT where 10.8.0.x is the vpn network: iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE, or (#2) to choose what IP address to NAT as, you can use iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to , or (#3) http://netfilter.org/documentation/HOWTO//NAT-HOWTO.html for more info
20:19 -!- bvierra [n=bvierra@cpe-75-83-6-55.socal.res.rr.com] has joined ##openvpn
20:20 < mithridates> !pfnat
20:20 < vpnHelper> mithridates: "pfnat" is nat on from to ->
20:20 < mithridates> what's ?
20:21 < mithridates> what does mean?
20:22 < mithridates> !factoids search subnet
20:22 < vpnHelper> mithridates: 'subnet' and 'samesubnet'
20:22 < mithridates> !subnet
20:22 < vpnHelper> mithridates: "subnet" is http://www.subnet-calculator.com/ or http://en.wikipedia.org/wiki/Subnetwork
20:22 < mithridates> !samesubnet
20:22 < vpnHelper> mithridates: "samesubnet" is clients can not connect to a server pushing its lan if on the same subnet. you can only reach your subnet on layer2 or through your gateway, when you create a route for it you will try to reach your gateway over the vpn which dies because you cant reach your gateway
20:25 < mithridates> I'm sorry guys for posting these things frequently
20:27 < mithridates> !factoids search nobody
20:27 < vpnHelper> mithridates: No keys matched that query.
20:27 < mithridates> !factoids search security
20:27 < vpnHelper> mithridates: "security" is "secure" is (#1) http://openvpn.net/howto.html#security for hardening, or (#2) http://openvpn.net/index.php/documentation/security-overview.html for security overview
20:40 < mithridates> !factoids def1
20:40 < vpnHelper> mithridates: Error: The "Factoids" plugin is loaded, but there is no command named "def1" in it. Try "list Factoids" to see the commands in the "Factoids" plugin.
20:40 < mithridates> !factoids search def1
20:40 < vpnHelper> mithridates: "def1" is (#1) used in redirect-gateway, Add the def1 flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway., or (#2) please see --redirect-gateway in the man page ( !man ) to fully understand
20:41 < mithridates> !factoids search redirect-gateway
20:41 < vpnHelper> mithridates: No keys matched that query.
20:41 < mithridates> !factoids search redirect
20:41 < vpnHelper> mithridates: "redirect" is to make all inet traffic flow through the vpn, you will need --redirect-gateway (see !def1), as well as IP forwarding (see !ipforward) and NAT (see !nat) enabled on the server.
20:42 < mithridates> !ipforward
20:42 < vpnHelper> mithridates: "ipforward" is please choose between !linipforward !winipforward and !fbsdipforward
20:43 < mithridates> !linipforward
20:43 < vpnHelper> mithridates: "linipforward" is echo 1 > /proc/sys/net/ipv4/ip_forward for a temp solution (til reboot) or set net.ipv4.ip_forward = 1 in sysctl.conf for perm solution
21:18 -!- Ceil [n=ceil@205.73.87.203.static.nsw.chariot.net.au] has joined ##openvpn
21:20 < Ceil> Hi, I've managed to set up openvpn with static keys between a windows box on my lan (server) and Server 2008 (client) but if I open Firefox the traffic isn't tunneled through the VPN. This is my first OpenVPN vpn, help please. :)
21:22 < Holistah> There's An Option For That (tm) :)
21:22 < Ceil> Thanks for your help, what are the config directives needed?
21:23 < Holistah> hmm...gimme a min or two...I'm kinda drunk at the moment....
21:23 < Ceil> cheers
21:25 < Holistah> http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
21:25 < vpnHelper> Title: HOWTO (at www.openvpn.net)
21:27 < Ceil> Ah, ok
21:27 < Ceil> so I add: push "redirect-gateway def1"
21:27 < Ceil> but then it gives me an example:
21:27 < Ceil> On Linux, you could use a command such as this to NAT the VPN client traffic to the internet:
21:27 < Ceil> iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
21:27 < Ceil> How do I do that on Windows XP?
21:28 < mithridates> Ceil: are you iranian?
21:28 < Ceil> Australian
21:28 < Ceil> LOL why
21:28 < Holistah> So you're using windows as the server?
21:29 < mithridates> :D because I'm iranian , most iranians are looking for NAT over vpn for bypassing filtering
21:29 < Ceil> Well I'm testing the VPN from the outside using Amazon EC2 win 2008 because I don't think you can use openvpn between two machines behind a router
21:29 < Ceil> So it is Win 2008 (client)
21:30 < Ceil> Windows XP (server)
21:30 < Holistah> mithridates: seriously? I have admin access to a bunch of fat pipes if there's something I can do to help.
21:30 < mithridates> Holistah: yes,
21:30 < mithridates> government blocked more than 50% of internet
21:30 < Ceil> Well Australia will be joining you in the race to filter everything except nickolden (spelling)
21:31 < Ceil> So do I have to do anything on the windows side? Or just leave it
21:31 < mithridates> Holistah: I have a plan to bypass filtering for them, please tell me contact info like e-mail
21:31 < Holistah> Ceil: what is the permanent setup going to be?
21:32 < Ceil> Vista (will be 7 in a few weeks) (client) -> Windows XP server
21:32 < mithridates> Holistah: I live outside of iran ( canada) but I want to help people of iran
21:34 < Holistah> ceil: I try not to use windows. ever. so I'm not very proficient, but I think there is a "wizard" for doing an IP masquerade setup....try the "I want to set up a home network" thingie....
21:34 < Ceil> Hm.. I might have a look in a sec
21:35 < Ceil> push "dhcp-option DNS 208.67.222.222" Can I add another DNS server in there?
21:37 < Ceil> Is the whole IP masquerade = bridge
21:37 < Holistah> probably not...
21:37 < Holistah> bridge is where traffic is shared amongst two network interfaces
21:38 < Holistah> not forwarded
21:38 < Ceil> hm..
21:40 < Holistah> I can't remember, but I think there is an option that says something along the lines of "I want to share my internet connection with other computers"...that would be the masquerade option
21:41 < Ceil> hm.. I added push "redirect-gateway def1" to the SERVER config and two things now occur
21:42 < Ceil> 1) The client gives an IP conflict detected
21:42 < Ceil> 2) Web Browsing still works even though it probably shouldn't?
21:43 < Ceil> The Adapter IP on the server is the same as what is given to the client is this ok
21:45 < Holistah> that doesn't sound right
21:45 < Holistah> especially with windows.... I think windows takes like 3 ips per client or something weird
21:46 < Ceil> Server: http://pastebin.com/m301cd73
21:46 < Ceil> Client: http://pastebin.com/m3cd5e983
21:51 < Ceil> I read: http://serverfault.com/questions/59093/openvpn-route-traffic-through-windows-xp
21:51 < vpnHelper> Title: OpenVPN Route traffic through Windows XP - Server Fault (at serverfault.com)
21:51 < Ceil> "you need to replace the "def1" with the address of your IP tunnel"
21:51 < Ceil> What is my IP tunnel?
21:52 < Holistah> the IP address of the server machine
21:53 < Ceil> OK, am still confused though as this comment says:
21:53 < Ceil> Thank you for your answer! However, what do you mean with address of the IP tunnel ? The server's ip or 10.3.0.1 (ifconfig) ? – piro Aug 26 at 16:34
21:53 < Ceil>
21:53 < Ceil> In your example, it would have to be 10.3.0.2, as this is the remote tunnel endpoint, through which all traffic needs to go. – wolfgangsz Aug 26 at 16:53
21:53 < Ceil> So it's the server?
21:54 < Ceil> wait, so what IP do I put in there?
21:54 < Ceil> 192.168.4.4
21:54 < Ceil> or external IP?
21:54 < Holistah> you should change line 54 of the server config to: push "redirect-gateway 10.3.0.1"
21:55 < Holistah> if I'm reading your config correctly...which it is entirely possible I'm not because I am drunk to the point of being cross-eyed at this point :)
21:55 < Holistah> internal IP
21:56 < Holistah> where is the 192? I don't see that in the pastebins you sent?
21:56 < Ceil> That's the IP of the NIC that is connected to the router
21:57 < Holistah> oh, I actually see another problem here...your client config has an "ifconfig" line, that should not be.
21:58 < Ceil> It was in sample-config/sample.ov
21:58 < Ceil> I'll take it out if you're sure
21:58 < Ceil> wait
21:58 < Ceil> are you sure
21:58 < Ceil> they are commented out?
21:58 < Holistah> pretty sure...but let me double-check my working config real quick....
21:59 < Ceil> ah I see: ifconfig 10.3.0.1 255.255.255.0
21:59 < Holistah> yeah...server should have "ifconfig" directive and client should have "remote" directive
22:00 < Ceil> So:
22:00 < Ceil> # This is a 'dev tap' ifconfig that creates
22:00 < Ceil> # a virtual ethernet subnet.
22:00 < Ceil> # 10.3.0.1 is the local VPN IP address
22:00 < Ceil> # and 255.255.255.0 is the VPN subnet.
22:00 < Ceil> # Only define this option for 'dev tap'.
22:00 < Ceil> ifconfig 10.3.0.1 255.255.255.0
22:00 < Ceil> should be remote 10.3.0.1 255.255.255.0
22:00 < Holistah> I thought you had working VPN and just not all traffic routed through vpn? this is looking like your vpn isn't working at all?
22:00 < Ceil> it connects
22:01 < Ceil> and says it gets the IP 10.3.0.1
22:01 < Holistah> odd....misleading message I think
22:02 < Holistah> your client should have directive "remote real.internet.hostname.com 1194"
22:02 < Ceil> Isn't that for PKI implementations not static keys
22:03 < Holistah> same for both AFAIK
22:03 < Ceil> wait it does have one
22:03 < Ceil> have a look at the top
22:03 < Ceil> remote gateway.whatever.net
22:04 < Holistah> gateway.roddis.net?
22:04 < Ceil> yep
22:04 < Holistah> then just comment the ifconfig line
22:05 < Holistah> when you connect, the client should be assigned an IP like 10.3.0.5 or something similar
22:05 < Ceil> "sample is now connected"
22:05 < Ceil> doesn't say the IP this time
22:06 < Ceil> While we are talking
22:06 < Ceil> Can you wait I'll draw it
22:07 < Holistah> just a real quick question....just to make me feel better....why is it, when there is literally a party going on outside my door, am I helping you set up a VPN this late on new years eve?
22:08 < Ceil> 'cause you love me :) and I'll donate you AU$10 :P
22:08 < Holistah> no really
22:09 < Ceil> Well at the risk of you not talking to me anymore, maybe they don't like you and so you won't go to the party.....
22:09 < Ceil> http://img192.imageshack.us/img192/1125/77574214.jpg
22:09 < Ceil> Can you set up a vpn like this?
22:10 < Holistah> ok...maybe you missed the point of the question...I'm trying to figure out why this is important to you, such that I can justify being samaritan and whatnot to my conscience....
22:11 < Ceil> Oh, I'm setting this up for my laptop so that when I'm away from home I can secure my non HTTPS traffic 22:11 < Holistah> and BTW your graffic makes no sense 22:12 < Ceil> Can I have the vpn server and client behind the same router (NAT) and still pass internet traffic through it 22:13 < Holistah> uhh...simple answer: yes. 22:13 < Ceil> ah good :) 22:13 < Ceil> Hm.. I'm really stuck with this OpenVPN stuff on Windows 22:14 < Holistah> can you ping the server IP from the client when it is connected? (10.3.0.1) 22:15 < Ceil> Request Timed Out 22:15 < Ceil> let me try with uncommenting that config line 22:16 < Ceil> hm.. Request timed out as well 22:16 < Ceil> so I'm assuming I don't even have a working tunnel 22:17 < Holistah> oh....another thing I just noticed 22:18 < Ceil> what? 22:18 < Holistah> change the line that says "dev tap" to "dev tun" in both configs 22:18 < Ceil> wht does that do 22:18 < Ceil> should I comment out: # Only define this option for 'dev tap'. 22:18 < Ceil> ;ifconfig 10.3.0.1 255.255.255.0 again? 22:19 < Holistah> simple explanation is tap is for non-ip protocols....like X.25 and stuff 22:19 < Holistah> server or client? 22:20 < Ceil> well both have it 22:20 < Ceil> client has it commeneted 22:21 < mithridates> !ipp 22:21 < vpnHelper> mithridates: "ipp" is (#1) the option --ifconfig-pool-persist ipp.txt does NOT create static ips, or (#2) Note that the entries in this file are treated by OpenVPN as suggestions only, based on past associations between a common name and IP address. They do not guarantee that the given common name will always receive the given IP address. 
If you want guaranteed assignment, see !iporder and !static 22:22 < mithridates> !iporder 22:22 < Ceil> When I changed it to tun 22:22 < vpnHelper> mithridates: "iporder" is (#1) OpenVPN's internal client IP address selection algorithm works as follows: 1 -- Use --client-connect script generated file for static IP (first choice)., or (#2) Use --client-config-dir file for static IP (next choice) !static for more info, or (#3) Use --ifconfig-pool allocation for dynamic IP (last choice), or (#4) if you use --ifconfig-pool-persist see !ipp 22:22 < Ceil> http://img94.imageshack.us/img94/7717/30790058.jpg 22:22 < mithridates> !static 22:22 < vpnHelper> mithridates: "static" is (#1) use --ifconfig-push in a ccd entry for a static ip for the vpn client, or (#2) example: ifconfig-push 10.8.0.6 255.255.255.0, or (#3) also see !ccd and !iporder 22:23 < mithridates> !ccd 22:23 < vpnHelper> mithridates: "ccd" is entries that are basically included into server.conf, but only for the specified client based on common-name. use --client-config-dir to enable it, then put the config options for the client in /common-name 22:24 < Holistah> is that screenshot from the client or server? 22:24 < Ceil> server 22:25 < Holistah> that's queer.... pastebin updated client and server configs? 22:26 < Ceil> cLIENT: http://pastebin.com/m4d0aff53 22:26 < Ceil> Server is exactly the same as the server one before just tap is now tun 22:29 < Holistah> why is it port 443? 22:29 < Ceil> Because some locations only allow 80/443 22:30 < Ceil> HTTPS is 443 22:30 < Holistah> ok. Also, why use TCP instead of UDP? 22:31 < Ceil> because HTTPS uses TCP, I need my tunnel to work everywhere 22:31 < Holistah> that wouldn't make a difference....unless we are talking about SOCKS....are we? 22:32 < Ceil> nah, but some locations like uni campus restric protocols and ports 22:34 < Holistah> they'll never deny UDP..... 
VPN should be UDP for tons of reasons I won't go into....actually, they should be ipsec, but unfortunely for openvpn, udp is the best alternative 22:35 < Ceil> hm.. well I'll give it a try 22:35 < Ceil> Do you know what is causing that weird error on the server side? 22:36 < Holistah> nope.... something obvious is just not registering with me at the moment. 22:37 < Ceil> Well thank you for your time, I'm going to go for a walk. 22:37 < Ceil> I might chat with you later 22:37 < Ceil> Go enjoy your party 22:37 < Ceil> :) 22:37 < Holistah> hehe.....I think I will 22:38 < Ceil> cheers 23:27 -!- sakhi [n=sakhi@uwcfw.uwc.ac.za] has quit [Read error: 60 (Operation timed out)] 23:46 < mithridates> would u tell me which modules do I need to put inside "" for IPTABLES_MODULES="" ? 23:49 < Holistah> who are you talking to? 23:49 < mithridates> I wanna start service iptables 23:49 < mithridates> so I need to configure that 23:50 < Holistah> what distro? 23:50 < mithridates> I'm not sure about modules which I need 23:50 < mithridates> centos 23:50 < Holistah> oh....I could pretend to help you on windows, but centos....that's just lame. sorry. 23:50 < mithridates> :) np --- Day changed Fri Jan 01 2010